From 66df8ad7597c096f38cf55474041dccecec9c835 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 27 Jun 2024 16:36:52 +0200 Subject: [PATCH 001/298] dcap: Add stubs to build kbs without installing DCAP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **THIS IS A HACK!!!**, but this is a needed hack in order to build kbs on an offline environment, where Intel DCAP packages cannot be installed. sgx_dcap_quoteverify_stubs brings in all the headers needed to build everything we need from kbs side, and it also brings a very simple .cpp file that is just a stub, returns an error, nothing else than that. The expected usage of this is: * A downstream would be using such stubs * During Trustee deployment, Intel DCAP libraries would be downloaded, installed into the kbs container, becoming then available to be used during runtime. As already mentioned, this is not a proper solution, the proper solution would be using the DCAP packages provided either by Intel (if possible), or by the distros (when that's the requirement). A new Dockerfile.fidencio was added, so whoever ends up using this, can confirm that the project can be built, and also check how to build the sgx_dcap_quoteverify_stubs itself.
Signed-off-by: Fabiano Fidêncio --- kbs/docker/Dockerfile.fidencio | 30 ++ sgx_dcap_quoteverify_stubs/meson.build | 41 ++ sgx_dcap_quoteverify_stubs/sgx_attributes.h | 75 ++++ sgx_dcap_quoteverify_stubs/sgx_dcap_qal.h | 122 ++++++ .../sgx_dcap_quoteverify.h | 379 ++++++++++++++++++ .../sgx_dcap_quoteverify_stub.cpp | 247 ++++++++++++ sgx_dcap_quoteverify_stubs/sgx_defs.h | 56 +++ sgx_dcap_quoteverify_stubs/sgx_eid.h | 39 ++ sgx_dcap_quoteverify_stubs/sgx_error.h | 129 ++++++ sgx_dcap_quoteverify_stubs/sgx_key.h | 97 +++++ sgx_dcap_quoteverify_stubs/sgx_pce.h | 133 ++++++ .../sgx_ql_lib_common.h | 267 ++++++++++++ sgx_dcap_quoteverify_stubs/sgx_ql_quote.h | 109 +++++ sgx_dcap_quoteverify_stubs/sgx_quote.h | 143 +++++++ sgx_dcap_quoteverify_stubs/sgx_quote_3.h | 194 +++++++++ sgx_dcap_quoteverify_stubs/sgx_quote_4.h | 159 ++++++++ sgx_dcap_quoteverify_stubs/sgx_quote_5.h | 132 ++++++ sgx_dcap_quoteverify_stubs/sgx_qve_header.h | 159 ++++++++ sgx_dcap_quoteverify_stubs/sgx_report.h | 120 ++++++ sgx_dcap_quoteverify_stubs/sgx_report2.h | 113 ++++++ sgx_dcap_quoteverify_stubs/sgx_urts.h | 140 +++++++ 21 files changed, 2884 insertions(+) create mode 100644 kbs/docker/Dockerfile.fidencio create mode 100644 sgx_dcap_quoteverify_stubs/meson.build create mode 100644 sgx_dcap_quoteverify_stubs/sgx_attributes.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_dcap_qal.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify_stub.cpp create mode 100644 sgx_dcap_quoteverify_stubs/sgx_defs.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_eid.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_error.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_key.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_pce.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_ql_lib_common.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_ql_quote.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_quote.h 
create mode 100644 sgx_dcap_quoteverify_stubs/sgx_quote_3.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_quote_4.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_quote_5.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_qve_header.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_report.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_report2.h create mode 100644 sgx_dcap_quoteverify_stubs/sgx_urts.h
diff --git a/kbs/docker/Dockerfile.fidencio b/kbs/docker/Dockerfile.fidencio
new file mode 100644
index 0000000000..fc050728d9
--- /dev/null
+++ b/kbs/docker/Dockerfile.fidencio
@@ -0,0 +1,30 @@
+# Use CentOS Stream to build.
+FROM quay.io/centos/centos:stream9 as builder
+
+# Install build dependencies from CentOS repos.
+RUN dnf -y --setopt=install_weak_deps=0 --enablerepo=crb install \
+cargo pkg-config perl-FindBin openssl-devel perl-lib perl-IPC-Cmd perl-File-Compare perl-File-Copy tpm2-tss-devel clang-devel protobuf-compiler \
+tar gzip meson
+
+WORKDIR /usr/src/kbs
+COPY . .
+
+# Build sgx_dcap_quoteverify stub
+RUN \
+pushd sgx_dcap_quoteverify_stubs && \
+meson setup build --prefix=/usr && \
+meson compile -C build && \
+meson install -C build
+
+# Build KBS
+ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa
+RUN \
+cargo install --locked --root /usr/local/ --path kbs/src/kbs --no-default-features --features ${KBS_FEATURES} && \
+# Collect linked files necessary for the binary to run.
+mkdir -p /root/trustee/lib64 && \
+ldd /usr/local/bin/kbs | sed 's@.*\s/@/@' | sed 's/\s.*//' | xargs -I {} cp {} /root/trustee/lib64
+
+# Package UBI image.
+FROM registry.access.redhat.com/ubi9
+
+COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
diff --git a/sgx_dcap_quoteverify_stubs/meson.build b/sgx_dcap_quoteverify_stubs/meson.build
new file mode 100644
index 0000000000..81045fd8ab
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/meson.build
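Review bot: In kbs/docker/Dockerfile.fidencio the builder stage collects the binary's shared libraries into `/root/trustee/lib64`, but the final stage copies only `/usr/local/bin/kbs`, so that directory is never used. Because the stub is installed under `/usr` in the builder, the `ldd` output would presumably include the stub `libsgx_dcap_quoteverify.so.1`; if a later change copies `lib64` into the runtime image, the stub has to be filtered out, otherwise it could be loaded in place of Intel's library and every quote verification call would return an error. I would either drop the collection step or add a comment next to it such as `# NOTE: lib64 contains the sgx_dcap_quoteverify stub; never ship it, install Intel DCAP in the runtime image instead`. Both `FROM` lines also use mutable tags (`centos:stream9`, `ubi9`); pinning them by digest would make the build of this attestation service reproducible.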
@@ -0,0 +1,41 @@
+project(
+ 'sgx_dcap_quoteverify_stubs', 'cpp',
+ default_options: ['warning_level=everything'],
+)
+
+stub_headers = files([
+ 'sgx_attributes.h',
+ 'sgx_dcap_qal.h',
+ 'sgx_dcap_quoteverify.h',
+ 'sgx_defs.h',
+ 'sgx_eid.h',
+ 'sgx_error.h',
+ 'sgx_key.h',
+ 'sgx_pce.h',
+ 'sgx_ql_lib_common.h',
+ 'sgx_ql_quote.h',
+ 'sgx_quote.h',
+ 'sgx_quote_3.h',
+ 'sgx_quote_4.h',
+ 'sgx_quote_5.h',
+ 'sgx_qve_header.h',
+ 'sgx_report.h',
+ 'sgx_report2.h',
+ 'sgx_urts.h',
+])
+
+install_headers(stub_headers)
+
+extra_args = [
+ '-Werror',
+ '-Wno-pedantic',
+ '-Wno-padded',
+]
+
+library(
+ 'sgx_dcap_quoteverify',
+ 'sgx_dcap_quoteverify_stub.cpp',
+ cpp_args: extra_args,
+ soversion: '1',
+ install: true,
+)
diff --git a/sgx_dcap_quoteverify_stubs/sgx_attributes.h b/sgx_dcap_quoteverify_stubs/sgx_attributes.h
new file mode 100644
index 0000000000..5de45376fd
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_attributes.h
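Review bot: The `library('sgx_dcap_quoteverify', ..., soversion: '1', install: true)` target in sgx_dcap_quoteverify_stubs/meson.build installs the stub under the library name the real Intel DCAP quote verification library is expected to provide, and nothing in the file says so. With `--prefix=/usr`, as the Dockerfile in this patch uses, the stub lands in the system library path and would compete for the same file name with a real DCAP package installed later. A comment above `library(` would make the intent explicit, for example `# Link-time stub only: every entry point returns an error; must be replaced by Intel's DCAP library at runtime.` On style, `-Werror` together with `warning_level=everything` is likely to break the build whenever a newer compiler adds a warning, so consider dropping `-Werror` for this build of vendored headers.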
@@ -0,0 +1,75 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + */ + +#ifndef _SGX_ATTRIBUTES_H_ +#define _SGX_ATTRIBUTES_H_ + +#include + +/* Enclave Flags Bit Masks */ +#define SGX_FLAGS_INITTED 0x0000000000000001ULL /* If set, then the enclave is initialized */ +#define SGX_FLAGS_DEBUG 0x0000000000000002ULL /* If set, then the enclave is debug */ +#define SGX_FLAGS_MODE64BIT 0x0000000000000004ULL /* If set, then the enclave is 64 bit */ +#define SGX_FLAGS_PROVISION_KEY 0x0000000000000010ULL /* If set, then the enclave has access to provision key */ +#define SGX_FLAGS_EINITTOKEN_KEY 0x0000000000000020ULL /* If set, then the enclave has access to EINITTOKEN key */ +#define SGX_FLAGS_KSS 0x0000000000000080ULL /* If set, then the enclave uses KSS */ +#define SGX_FLAGS_AEX_NOTIFY 0x0000000000000400ULL /* If set, then the enclave enables AEX Notify */ + + +#define SGX_FLAGS_NON_CHECK_BITS 0x00FF000000000000ULL /* BIT[55-48] will not be checked */ + +/* XSAVE Feature Request Mask */ +#define SGX_XFRM_LEGACY 0x0000000000000003ULL /* Legacy XFRM which includes the basic feature bits required by SGX, x87 state(0x01) and SSE state(0x02) */ +#define SGX_XFRM_AVX 0x0000000000000006ULL /* AVX XFRM which includes AVX state(0x04) and SSE state(0x02) required by AVX */ +#define SGX_XFRM_AVX512 0x00000000000000E6ULL /* AVX-512 XFRM */ +#define SGX_XFRM_MPX 0x0000000000000018ULL /* MPX XFRM - not supported */ +#define SGX_XFRM_PKRU 0x0000000000000200ULL /* PKRU state */ +#define SGX_XFRM_AMX 0x0000000000060000ULL /* AMX XFRM, including XTILEDATA(0x40000) and XTILECFG(0x20000) */ + +#define SGX_XFRM_RESERVED (~(SGX_XFRM_LEGACY | SGX_XFRM_AVX | SGX_XFRM_AVX512 | SGX_XFRM_PKRU | SGX_XFRM_AMX)) + +typedef struct _attributes_t +{ + uint64_t flags; + uint64_t xfrm; +} sgx_attributes_t; + +/* Define MISCSELECT + * bit 0: EXINFO + * bit 31-1: reserved(0) */ +typedef uint32_t sgx_misc_select_t; + +typedef struct _sgx_misc_attribute_t { + sgx_attributes_t secs_attr; + sgx_misc_select_t misc_select; +} sgx_misc_attribute_t; + +#endif/* 
_SGX_ATTRIBUTES_H_ */ diff --git a/sgx_dcap_quoteverify_stubs/sgx_dcap_qal.h b/sgx_dcap_quoteverify_stubs/sgx_dcap_qal.h new file mode 100644 index 0000000000..68992fd6ad --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_dcap_qal.h 
@@ -0,0 +1,122 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + */ + +#ifndef _SGX_DCAP_QAL_H_ +#define _SGX_DCAP_QAL_H_ + +#include "sgx_report.h" +#include "sgx_ql_lib_common.h" +#include "sgx_ql_quote.h" +#include + +typedef enum _tee_platform_policy_type_t +{ + DEFAULT_STRICT = 0, + CUSTOMIZED +} tee_platform_policy_type_t; + +typedef struct _tee_platform_policy_t +{ + tee_platform_policy_type_t pt; + const uint8_t* p_policy; +} tee_platform_policy_t; + +typedef struct _tee_policy_bundle_t +{ + const uint8_t *p_tenant_identity_policy; + tee_platform_policy_t platform_policy; + + tee_platform_policy_t tdqe_policy; /* For tdqe. Only for TDX and only need to be set when user uses a seperate tdqe_policy + * instead of an integrated platform_policy including both TDX platform policy and TDQE. */ + + tee_platform_policy_t reserved[2]; /* Reserved for future usage */ +} tee_policy_bundle_t; + +typedef enum _tee_policy_auth_result_t +{ + TEE_AUTH_INCOMPLET = -1, /* Only part of the policies are provided and authenticated successfully. For example, you only input + * SGX platform policy for an SGX appraisal token, and the platform policy is authenticated successfully */ + TEE_AUTH_SUCCESS = 0, /* All the policies are authenticated successfully. For SGX, both SGX platform policies are provided and successfully */ + TEE_AUTH_FAILURE = 1, /* At least one of the input policies are authenticated failed */ +} tee_policy_auth_result_t; + +#if defined(__cplusplus) +extern "C" { +#endif + + +/** + * Appraise a Verification Result JWT against one or more Quote Appraisal Policies + * + * @param p_verification_result_token[IN] - Points to a null-terminated string containing the input Verification Result JWT. + * @param p_qaps[IN] - Points to an array of pointers, with each pointer pointing to a buffer holding a quote appraisal policy JWT token. + * Each token is a null-terminated string holding a JWT. + * @param qaps_count[IN] - The number of pointers in the p_qaps array. 
+ * @param appraisal_check_date[IN] - - User input, used by the appraisal engine as its “current time” for expiration dates check. + * @param p_qae_report_info[IN, OUT] - The parameter is optional. + * @param p_appraisal_result_token_buffer_size[OUT] - Points to hold the size of the p_appraisal_result_token buffer. + * @param p_appraisal_result_token[OUT] - Points to the output Appraisal result JWT. + * + * @return Status code of the operation. SGX_QL_SUCCESS or failure as defined in sgx_ql_lib_common.h + **/ +quote3_error_t tee_appraise_verification_token( + const uint8_t *p_verification_result_token, + uint8_t **p_qaps, + uint8_t qaps_count, + const time_t appraisal_check_date, + sgx_ql_qe_report_info_t *p_qae_report_info, + uint32_t *p_appraisal_result_token_buffer_size, + uint8_t **p_appraisal_result_token); + +/** + * Free the appraisal result token that allocated in the "tee_appraise_verification_token" API + * @param p_appraisal_result_token[IN] - Points to the output Appraisal result JWT. + * + * @return Status code of the operation. SGX_QL_SUCCESS or failure as defined in sgx_ql_lib_common.h +**/ +quote3_error_t tee_free_appraisal_token(uint8_t *p_appraisal_result_token); + +/** + * Check whether the input policies are used in the appraisal process by comparing the policies with the appraisal result + * + * @param p_appraisal_result_token[IN] - Points to the Appraisal result JWT that generated by the "tee_appraise_verification_token" API + * @param p_policies[IN] - A structure that contains the target policies + * @param result[OUT] - the authentication result + * + * @return Status code of the operation. SGX_QL_SUCCESS or failure as defined in sgx_ql_lib_common.h +**/ +quote3_error_t tee_authenticate_appraisal_result(const uint8_t *p_appraisal_result_token, const tee_policy_bundle_t *p_policies, tee_policy_auth_result_t *result); + +#if defined(__cplusplus) +} +#endif + +#endif \ No newline at end of file 
diff --git a/sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify.h b/sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify.h new file mode 100644 index 0000000000..e39332a895 --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify.h 
@@ -0,0 +1,379 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + */ +/** + * File: sgx_dcap_quoteverify.h + * + * Description: Definitions and prototypes for Intel(R) SGX/TDX DCAP Quote Verification Library + * + */ + +#ifndef _SGX_DCAP_QV_H_ +#define _SGX_DCAP_QV_H_ + +#include "sgx_qve_header.h" +#include "sgx_ql_quote.h" + +#if defined(__cplusplus) +extern "C" { +#endif + +/** + * When the Quoting Verification Library is linked to a process, it needs to know the proper enclave loading policy. + * The library may be linked with a long lived process, such as a service, where it can load the enclaves and leave + * them loaded (persistent). This better ensures that the enclaves will be available upon quote requests and not subject + * to EPC limitations if loaded on demand. However, if the QVL is linked with an application process, there may be many + * applications with the QVL and a better utilization of EPC is to load and unloaded the quote verification enclaves on + * demand (ephemeral). The library will be shipped with a default policy of loading enclaves and leaving + * them loaded until the library is unloaded (PERSISTENT). If the policy is set to EPHEMERAL, then the QvE will + * be loaded and unloaded on-demand. + * Supported policies: + * SGX_QL_EPHEMERAL - Default policy. QvE is initialized and terminated on every quote verification function call. + * SGX_QL_PERSISTENT - All the threads will share single QvE instance, and QvE is initialized on first use and reused until process ends. + * SGX_QL_EPHEMERAL_QVE_MULTI_THREAD - QvE is loaded per thread and be unloaded before function exit. + * SGX_QL_PERSISTENT_QVE_MULTI_THREAD - QvE is loaded per thread and only be unloaded before thread exit. + * + * NOTE: QvE load policy should be only set once in one process, otherwise, this function will return error SGX_QL_UNSUPPORTED_LOADING_POLICY. + * + * @param policy Sets the requested enclave loading policy to either SGX_QL_PERSISTENT, SGX_QL_EPHEMERAL or SGX_QL_DEFAULT. 
+ * + * @return SGX_QL_SUCCESS Successfully set the enclave loading policy for the quoting library's enclaves. + * @return SGX_QL_UNSUPPORTED_LOADING_POLICY The selected policy is not supported or it has been set once. + * + **/ +quote3_error_t sgx_qv_set_enclave_load_policy(sgx_ql_request_policy_t policy); + + +/** + * Get supplemental data required size. + * @param p_data_size[OUT] - Pointer to hold the size of the buffer in bytes required to contain all of the supplemental data. + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_ERROR_QVL_QVE_MISMATCH + * - SGX_QL_ENCLAVE_LOAD_ERROR + **/ +quote3_error_t sgx_qv_get_quote_supplemental_data_size(uint32_t *p_data_size); + + +/** + * Perform ECDSA quote verification. + * + * @param p_quote[IN] - Pointer to SGX Quote. + * @param quote_size[IN] - Size of the buffer pointed to by p_quote (in bytes). + * @param p_quote_collateral[IN] - This is a pointer to the Quote Certification Collateral provided by the caller. + * @param expiration_check_date[IN] - This is the date that the QvE will use to determine if any of the inputted collateral have expired. + * @param p_collateral_expiration_status[OUT] - Address of the outputted expiration status. This input must not be NULL. + * @param p_quote_verification_result[OUT] - Address of the outputted quote verification result. + * @param p_qve_report_info[IN/OUT] - This parameter can be used in 2 ways. + * If p_qve_report_info is NOT NULL, the API will use Intel QvE to perform quote verification, and QvE will generate a report using the target_info in sgx_ql_qe_report_info_t structure. + * if p_qve_report_info is NULL, the API will use QVL library to perform quote verification, note that the results can not be cryptographically authenticated in this mode. + * @param supplemental_data_size[IN] - Size of the buffer pointed to by p_quote (in bytes). 
+ * @param p_supplemental_data[OUT] - The parameter is optional. If it is NULL, supplemental_data_size must be 0. + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_QUOTE_FORMAT_UNSUPPORTED + * - SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED + * - SGX_QL_UNABLE_TO_GENERATE_REPORT + * - SGX_QL_CRL_UNSUPPORTED_FORMAT + * - SGX_QL_ERROR_UNEXPECTED + **/ +quote3_error_t sgx_qv_verify_quote( + const uint8_t *p_quote, + uint32_t quote_size, + const sgx_ql_qve_collateral_t *p_quote_collateral, + const time_t expiration_check_date, + uint32_t *p_collateral_expiration_status, + sgx_ql_qv_result_t *p_quote_verification_result, + sgx_ql_qe_report_info_t *p_qve_report_info, + uint32_t supplemental_data_size, + uint8_t *p_supplemental_data); + + +/** + * Call quote provider library to get QvE identity. + * + * @param pp_qveid[OUT] - Pointer to the pointer of QvE identity + * @param p_qveid_size[OUT] - Pointer to the size of QvE identity + * @param pp_qveid_issue_chain[OUT] - Pointer to the pointer QvE identity certificate chain + * @param p_qveid_issue_chain_size[OUT] - Pointer to the QvE identity certificate chain size + * @param pp_root_ca_crl[OUT] - Pointer to the pointer of Intel Root CA CRL + * @param p_root_ca_crl_size[OUT] - Pointer to the Intel Root CA CRL size + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_NO_QVE_IDENTITY_DATA + * - SGX_QL_ERROR_OUT_OF_MEMORY + * - SGX_QL_NETWORK_ERROR + * - SGX_QL_MESSAGE_ERROR + * - SGX_QL_ERROR_UNEXPECTED + **/ +quote3_error_t sgx_qv_get_qve_identity( + uint8_t **pp_qveid, + uint32_t *p_qveid_size, + uint8_t **pp_qveid_issue_chain, + uint32_t *p_qveid_issue_chain_size, + uint8_t **pp_root_ca_crl, + uint16_t *p_root_ca_crl_size); + +/** + * Call quote provider library to free the p_qve_id, p_qveid_issuer_chain buffer and p_root_ca_crl allocated by sgx_qv_get_qve_identity + **/ 
+quote3_error_t sgx_qv_free_qve_identity(uint8_t *p_qveid, + uint8_t *p_qveid_issue_chain, + uint8_t *p_root_ca_crl); + + +#ifndef _MSC_VER +typedef enum +{ + SGX_QV_QVE_PATH, + SGX_QV_QPL_PATH +} sgx_qv_path_type_t; + +quote3_error_t sgx_qv_set_path(sgx_qv_path_type_t path_type, + const char *p_path); + +/** + * Perform ECDSA quote verification and get quote verification result token. + * + * @param p_quote[IN] - Pointer to SGX or TDX Quote. + * @param quote_size[IN] - Size of the buffer pointed to by p_quote (in bytes). + * @param p_quote_collateral[IN] - The parameter is optional. This is a pointer to the Quote Certification Collateral provided by the caller. + * @param p_qve_report_info[IN/OUT] - This parameter can be used in 2 ways. + * If p_qve_report_info is NOT NULL, the API will use Intel QvE to perform quote verification, and QvE will generate a report using the target_info in sgx_ql_qe_report_info_t structure. + * if p_qve_report_info is NULL, the API will use QVL library to perform quote verification, note that the results can not be cryptographically authenticated in this mode. + * @param p_user_data[IN] - User data. + * @param p_verification_result_token_buffer_size[OUT] - Size of the buffer pointed to by verification_result_token (in bytes). + * @param p_verification_result_token[OUT] - Pointer to the verification_result_token. 
+ * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_QUOTE_FORMAT_UNSUPPORTED + * - SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED + * - SGX_QL_UNABLE_TO_GENERATE_REPORT + * - SGX_QL_CRL_UNSUPPORTED_FORMAT + * - SGX_QL_ERROR_UNEXPECTED + **/ +quote3_error_t tee_verify_quote_qvt( + const uint8_t *p_quote, + uint32_t quote_size, + const sgx_ql_qve_collateral_t *p_quote_collateral, + sgx_ql_qe_report_info_t *p_qve_report_info, + const uint8_t *p_user_data, + uint32_t *p_verification_result_token_buffer_size, + uint8_t **p_verification_result_token); + +/** + * Free quote verification result token buffer, which returned by `tee_verify_quote_qvt` + * + * @param p_verification_result_token[IN] - Pointer to verification result token + * @param p_verification_result_token_buffer_size[IN] - Pointer to verification result token size + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + **/ +quote3_error_t tee_free_verify_quote_qvt( + uint8_t *p_verification_result_token, + uint32_t *p_verification_result_token_buffer_size); +#endif + + +/** + * Get TDX supplemental data required size. + * @param p_data_size[OUT] - Pointer to hold the size of the buffer in bytes required to contain all of the supplemental data. + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_ERROR_QVL_QVE_MISMATCH + * - SGX_QL_ENCLAVE_LOAD_ERROR + **/ +quote3_error_t tdx_qv_get_quote_supplemental_data_size(uint32_t *p_data_size); + + +/** + * Perform TDX ECDSA quote verification. + * + * @param p_quote[IN] - Pointer to TDX Quote. + * @param quote_size[IN] - Size of the buffer pointed to by p_quote (in bytes). + * @param p_quote_collateral[IN] - This is a pointer to the Quote Certification Collateral provided by the caller. 
+ * @param expiration_check_date[IN] - This is the date that the QvE will use to determine if any of the inputted collateral have expired. + * @param p_collateral_expiration_status[OUT] - Address of the outputted expiration status. This input must not be NULL. + * @param p_quote_verification_result[OUT] - Address of the outputted quote verification result. + * @param p_qve_report_info[IN/OUT] - This parameter can be used in 2 ways. + * If p_qve_report_info is NOT NULL, the API will use Intel QvE to perform quote verification, and QvE will generate a report using the target_info in sgx_ql_qe_report_info_t structure. + * if p_qve_report_info is NULL, the API will use QVL library to perform quote verification, note that the results can not be cryptographically authenticated in this mode. + * @param supplemental_data_size[IN] - Size of the buffer pointed to by p_quote (in bytes). + * @param p_supplemental_data[OUT] - The parameter is optional. If it is NULL, supplemental_data_size must be 0. + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_QUOTE_FORMAT_UNSUPPORTED + * - SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED + * - SGX_QL_UNABLE_TO_GENERATE_REPORT + * - SGX_QL_CRL_UNSUPPORTED_FORMAT + * - SGX_QL_ERROR_UNEXPECTED + **/ +quote3_error_t tdx_qv_verify_quote( + const uint8_t *p_quote, + uint32_t quote_size, + const tdx_ql_qv_collateral_t *p_quote_collateral, + const time_t expiration_check_date, + uint32_t *p_collateral_expiration_status, + sgx_ql_qv_result_t *p_quote_verification_result, + sgx_ql_qe_report_info_t *p_qve_report_info, + uint32_t supplemental_data_size, + uint8_t *p_supplemental_data); + + +/** + * Get quote verification collateral. + * + * @param p_quote[IN] - Pointer to TDX/SGX Quote. + * @param quote_size[IN] - Size of the buffer pointed to by p_quote (in bytes). 
+ * @param p_quote_collateral[OUT] - This is a pointer to the Quote Certification Collateral retrieved based on Quote + * @param p_collateral_size[OUT] - This is the sizeof collateral including the size of nested fileds + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_PLATFORM_LIB_UNAVAILABLE + * - SGX_QL_PCK_CERT_CHAIN_ERROR + * - SGX_QL_PCK_CERT_UNSUPPORTED_FORMAT + * - SGX_QL_QUOTE_FORMAT_UNSUPPORTED + * - SGX_QL_OUT_OF_MEMORY + * - SGX_QL_NO_QUOTE_COLLATERAL_DATA + * - SGX_QL_ERROR_UNEXPECTED + **/ +quote3_error_t tee_qv_get_collateral( + const uint8_t *p_quote, + uint32_t quote_size, + uint8_t **pp_quote_collateral, + uint32_t *p_collateral_size); + + +/** + * Free quote verification collateral buffer, which returned by `tee_qv_get_collateral` + * + * @param p_quote_collateral[IN] - Pointer to collateral + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_QUOTE_FORMAT_UNSUPPORTED + **/ +quote3_error_t tee_qv_free_collateral(uint8_t *p_quote_collateral); + + +/** + * Get supplemental data latest version and required size, support both SGX and TDX + * + * @param p_quote[IN] - Pointer to SGX or TDX Quote. + * @param quote_size[IN] - Size of the buffer pointed to by p_quote (in bytes). + * @param p_version[OUT] - Optional. Pointer to hold latest version of the supplemental data. + * @param p_data_size[OUT] - Optional. Pointer to hold the size of the buffer in bytes required to contain all of the supplemental data. + **/ +quote3_error_t tee_get_supplemental_data_version_and_size( + const uint8_t *p_quote, + uint32_t quote_size, + uint32_t *p_version, + uint32_t *p_data_size); + + +/** + * Perform quote verification for SGX and TDX + * This API works the same as the old one, but takes a new parameter to describe the supplemental data (p_supp_data_descriptor) + * + * @param p_quote[IN] - Pointer to SGX or TDX Quote. 
+ * @param quote_size[IN] - Size of the buffer pointed to by p_quote (in bytes). + * @param p_quote_collateral[IN] - This is a pointer to the Quote Certification Collateral provided by the caller. + * @param expiration_check_date[IN] - This is the date that the QvE will use to determine if any of the inputted collateral have expired. + * @param p_collateral_expiration_status[OUT] - Address of the outputted expiration status. This input must not be NULL. + * @param p_quote_verification_result[OUT] - Address of the outputted quote verification result. + * @param p_qve_report_info[IN/OUT] - This parameter can be used in 2 ways. + * If p_qve_report_info is NOT NULL, the API will use Intel QvE to perform quote verification, and QvE will generate a report using the target_info in sgx_ql_qe_report_info_t structure. + * if p_qve_report_info is NULL, the API will use QVL library to perform quote verification, not that the results can not be cryptographically authenticated in this mode. + * @param p_supp_datal_descriptor[IN/OUT] - Pointer to tee_supp_data_descriptor_t structure + * You can specify the major version of supplemental data by setting p_supp_datal_descriptor->major_version + * If p_supp_datal_descriptor == NULL, no supplemental data is returned + * If p_supp_datal_descriptor->major_version == 0, then return the latest version of the sgx_ql_qv_supplemental_t structure + * If p_supp_datal_descriptor <= latest supported version, return the latest minor version associated with that major version + * If p_supp_datal_descriptor > latest supported version, return an error SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_QUOTE_FORMAT_UNSUPPORTED + * - SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED + * - SGX_QL_UNABLE_TO_GENERATE_REPORT + * - SGX_QL_CRL_UNSUPPORTED_FORMAT + * - SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED + * - SGX_QL_ERROR_UNEXPECTED 
+ **/ +quote3_error_t tee_verify_quote( + const uint8_t *p_quote, + uint32_t quote_size, + const uint8_t *p_quote_collateral, + const time_t expiration_check_date, + uint32_t *p_collateral_expiration_status, + sgx_ql_qv_result_t *p_quote_verification_result, + sgx_ql_qe_report_info_t *p_qve_report_info, + tee_supp_data_descriptor_t *p_supp_data_descriptor); + +/** + * Extrace FMSPC from a given quote + * @param p_quote[IN] - Pointer to a quote buffer. + * @param quote_size[IN] - Size of input quote buffer. + * @param p_fmspc_from_quote[IN/OUT] - Pointer to a buffer to write fmspc to. + * @param fmspc_from_quote_size[IN] - Size of fmspc buffer. + * + * @return Status code of the operation, one of: + * - SGX_QL_SUCCESS + * - SGX_QL_ERROR_INVALID_PARAMETER + * - SGX_QL_ERROR_UNEXPECTED + * - SGX_QL_PCK_CERT_CHAIN_ERROR + * - SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED + */ +quote3_error_t tee_get_fmspc_from_quote(const uint8_t* p_quote, uint32_t quote_size, + uint8_t* p_fmspc_from_quote, uint32_t fmspc_from_quote_size); + +#if defined(__cplusplus) +} +#endif + +#endif /* !_SGX_DCAP_QV_H_*/ diff --git a/sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify_stub.cpp b/sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify_stub.cpp new file mode 100644 index 0000000000..a9905df511 --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_dcap_quoteverify_stub.cpp 
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+ /**
+ * File: sgx_dcap_quoteverify.cpp
+ *
+ * Description: Quote Verification Library
+ */
+
+#include
+#include "sgx_dcap_quoteverify.h"
+
+quote3_error_t sgx_qv_set_enclave_load_policy(
+ sgx_ql_request_policy_t policy __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * Get supplemental data latest version and required size.
+ **/
+quote3_error_t tee_get_supplemental_data_version_and_size(
+ const uint8_t *p_quote __attribute__((unused)),
+ uint32_t quote_size __attribute__((unused)),
+ uint32_t *p_version __attribute__((unused)),
+ uint32_t *p_data_size __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * Get SGX QvE identity and Root CA CRL
+ **/
+quote3_error_t sgx_qv_get_qve_identity(
+ uint8_t **pp_qveid __attribute__((unused)),
+ uint32_t *p_qveid_size __attribute__((unused)),
+ uint8_t **pp_qveid_issue_chain __attribute__((unused)),
+ uint32_t *p_qveid_issue_chain_size __attribute__((unused)),
+ uint8_t **pp_root_ca_crl __attribute__((unused)),
+ uint16_t *p_root_ca_crl_size __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+
+/**
+ * Free SGX QvE identity and Root CA CRL
+ **/
+quote3_error_t sgx_qv_free_qve_identity(
+ uint8_t *p_qveid __attribute__((unused)),
+ uint8_t *p_qveid_issue_chain __attribute__((unused)),
+ uint8_t *p_root_ca_crl __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * Get SGX supplemental data required size.
+ **/
+quote3_error_t sgx_qv_get_quote_supplemental_data_size(uint32_t *p_data_size __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * Perform SGX ECDSA quote verification
+ **/
+quote3_error_t sgx_qv_verify_quote(
+ const uint8_t *p_quote __attribute__((unused)),
+ uint32_t quote_size __attribute__((unused)),
+ const sgx_ql_qve_collateral_t *p_quote_collateral __attribute__((unused)),
+ const time_t expiration_check_date __attribute__((unused)),
+ uint32_t *p_collateral_expiration_status __attribute__((unused)),
+ sgx_ql_qv_result_t *p_quote_verification_result __attribute__((unused)),
+ sgx_ql_qe_report_info_t *p_qve_report_info __attribute__((unused)),
+ uint32_t supplemental_data_size __attribute__((unused)),
+ uint8_t *p_supplemental_data __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * Get TDX supplemental data required size.
+ **/
+quote3_error_t tdx_qv_get_quote_supplemental_data_size(uint32_t *p_data_size __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * Perform TDX ECDSA quote verification
+ **/
+quote3_error_t tdx_qv_verify_quote(
+ const uint8_t *p_quote __attribute__((unused)),
+ uint32_t quote_size __attribute__((unused)),
+ const tdx_ql_qv_collateral_t *p_quote_collateral __attribute__((unused)),
+ const time_t expiration_check_date __attribute__((unused)),
+ uint32_t *p_collateral_expiration_status __attribute__((unused)),
+ sgx_ql_qv_result_t *p_quote_verification_result __attribute__((unused)),
+ sgx_ql_qe_report_info_t *p_qve_report_info __attribute__((unused)),
+ uint32_t supplemental_data_size __attribute__((unused)),
+ uint8_t *p_supplemental_data __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * @brief retrieve verification colloateral
+ *
+ */
+quote3_error_t tee_qv_get_collateral(
+ const uint8_t *p_quote __attribute__((unused)),
+ uint32_t quote_size __attribute__((unused)),
+ uint8_t **pp_quote_collateral __attribute__((unused)),
+ uint32_t *p_collateral_size __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * @brief free verification colloateral
+ *
+ */
+quote3_error_t tee_qv_free_collateral(uint8_t *p_quote_collateral __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * Perform quote verification for SGX and TDX
+ * This API works the same as the old one __attribute__((unused)), but takes a new parameter to describe the supplemental data (p_supp_data_descriptor)
+ **/
+quote3_error_t tee_verify_quote(
+ const uint8_t *p_quote __attribute__((unused)),
+ uint32_t quote_size __attribute__((unused)),
+ const uint8_t *p_quote_collateral __attribute__((unused)),
+ const time_t expiration_check_date __attribute__((unused)),
+ uint32_t *p_collateral_expiration_status __attribute__((unused)),
+ sgx_ql_qv_result_t *p_quote_verification_result __attribute__((unused)),
+ sgx_ql_qe_report_info_t *p_qve_report_info __attribute__((unused)),
+ tee_supp_data_descriptor_t *p_supp_data_descriptor __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+/**
+ * @brief Extrace FMSPC from a given quote with cert type 5
+ * @param p_quote[IN] - Pointer to a quote buffer.
+ * @param quote_size[IN] - Size of input quote buffer.
+ * @param p_fmspc_from_quote[IN/OUT] - Pointer to a buffer to write fmspc to.
+ * @param fmspc_from_quote_size[IN] - Size of fmspc buffer.
+ *
+ * @return Status code of the operation __attribute__((unused)), one of:
+ * - SGX_QL_SUCCESS
+ * - SGX_QL_ERROR_INVALID_PARAMETER
+ * - SGX_QL_ERROR_UNEXPECTED
+ * - SGX_QL_PCK_CERT_CHAIN_ERROR
+ * - SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED
+ */
+quote3_error_t tee_get_fmspc_from_quote(const uint8_t *p_quote __attribute__((unused)),
+ uint32_t quote_size __attribute__((unused)),
+ uint8_t *p_fmspc_from_quote __attribute__((unused)),
+ uint32_t fmspc_from_quote_size __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+
+/**
+ * This API can be used to set the full path of QVE and QPL library.
+ *
+ * The function takes the enum and the corresponding full path.
+ *
+ * @param path_type The type of binary being passed in.
+ * @param p_path It should be a valid full path.
+ *
+ * @return SGX_QL_SUCCESS Successfully set the full path.
+ * @return SGX_QL_ERROR_INVALID_PARAMETER p_path is not a valid full path or the path is too long.
+ */
+
+quote3_error_t sgx_qv_set_path(
+ sgx_qv_path_type_t path_type __attribute__((unused)),
+ const char *p_path __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+quote3_error_t tee_verify_quote_qvt(
+ const uint8_t *p_quote __attribute__((unused)),
+ uint32_t quote_size __attribute__((unused)),
+ const sgx_ql_qve_collateral_t *p_quote_collateral __attribute__((unused)),
+ sgx_ql_qe_report_info_t *p_qve_report_info __attribute__((unused)),
+ const uint8_t *p_user_data __attribute__((unused)),
+ uint32_t *p_verification_result_token_buffer_size __attribute__((unused)),
+ uint8_t **p_verification_result_token __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
+
+quote3_error_t tee_free_verify_quote_qvt(
+ uint8_t *p_verification_result_token __attribute__((unused)),
+ uint32_t *p_verification_result_token_buffer_size __attribute__((unused)))
+{
+ std::cout << "Not implemented" << std::endl;
+ return SGX_QL_ERROR_UNEXPECTED;
+}
diff --git a/sgx_dcap_quoteverify_stubs/sgx_defs.h b/sgx_dcap_quoteverify_stubs/sgx_defs.h
new file mode 100644
index 0000000000..b3e3a532be
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_defs.h
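Review bot: In `sgx_qv_verify_quote`, `tdx_qv_verify_quote` and `tee_verify_quote` of sgx_dcap_quoteverify_stub.cpp, the stubs return `SGX_QL_ERROR_UNEXPECTED` without writing `*p_quote_verification_result` or `*p_collateral_expiration_status`, so a caller that reads those outputs without first checking the return code (no caller is visible in this patch) would act on whatever the variables held before the call. Keeping the stub fail-closed on both channels takes two lines per function: `if (p_quote_verification_result) *p_quote_verification_result = SGX_QL_QV_RESULT_UNSPECIFIED;` and `if (p_collateral_expiration_status) *p_collateral_expiration_status = 1;` (non-zero marks the collateral as expired). The `"Not implemented"` message would be more useful on `std::cerr` with the function name, e.g. `std::cerr << "DCAP stub: " << __func__ << " not implemented" << std::endl;`, so that a deployment where the real DCAP library was never installed over the stub is recognisable from the log. Two doc comments also picked up a stray `__attribute__((unused))` ("the old one __attribute__((unused)), but takes" and "Status code of the operation __attribute__((unused)), one of"), and the file banner still names `sgx_dcap_quoteverify.cpp` and "Quote Verification Library" rather than saying this is a stub.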
@@ -0,0 +1,56 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef _SGX_DEFS_H_ +#define _SGX_DEFS_H_ + +/* The following macros are for GCC only */ + +#define SGXAPI + +#ifdef linux + #undef linux +#endif +#define SGX_CXX_NATIVE_HEADER(header) + +#define SGX_CDECL +#define SGX_STDCALL +#define SGX_FASTCALL + +#define SGX_DLLIMPORT +#define SGX_UBRIDGE(attr, fname, args...) 
attr fname args + +#define SGX_DEPRECATED __attribute__((deprecated)) + + +#define SGX_NOCONVENTION /* Empty. No calling convention specified. */ + +#endif /* !_SGX_DEFS_H_ */ diff --git a/sgx_dcap_quoteverify_stubs/sgx_eid.h b/sgx_dcap_quoteverify_stubs/sgx_eid.h new file mode 100644 index 0000000000..12de3d7466 --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_eid.h 
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef _SGX_EID_H_
+#define _SGX_EID_H_
+
+#include
+
+typedef uint64_t sgx_enclave_id_t;
+
+#endif
diff --git a/sgx_dcap_quoteverify_stubs/sgx_error.h b/sgx_dcap_quoteverify_stubs/sgx_error.h
new file mode 100644
index 0000000000..725f8aab11
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_error.h
@@ -0,0 +1,129 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + */ + +#ifndef _SGX_ERROR_H_ +#define _SGX_ERROR_H_ + +#define SGX_MK_ERROR(x) (0x00000000|(x)) + +typedef enum _status_t +{ + SGX_SUCCESS = SGX_MK_ERROR(0x0000), + + SGX_ERROR_UNEXPECTED = SGX_MK_ERROR(0x0001), /* Unexpected error */ + SGX_ERROR_INVALID_PARAMETER = SGX_MK_ERROR(0x0002), /* The parameter is incorrect */ + SGX_ERROR_OUT_OF_MEMORY = SGX_MK_ERROR(0x0003), /* Not enough memory is available to complete this operation */ + SGX_ERROR_ENCLAVE_LOST = SGX_MK_ERROR(0x0004), /* Enclave lost after power transition or used in child process created by linux:fork() */ + SGX_ERROR_INVALID_STATE = SGX_MK_ERROR(0x0005), /* SGX API is invoked in incorrect order or state */ + SGX_ERROR_FEATURE_NOT_SUPPORTED = SGX_MK_ERROR(0x0008), /* Feature is not supported on this platform */ + SGX_PTHREAD_EXIT = SGX_MK_ERROR(0x0009), /* Enclave is exited with pthread_exit() */ + SGX_ERROR_MEMORY_MAP_FAILURE = SGX_MK_ERROR(0x000a), /* Failed to reserve memory for the enclave */ + + SGX_ERROR_INVALID_FUNCTION = SGX_MK_ERROR(0x1001), /* The ecall/ocall index is invalid */ + SGX_ERROR_OUT_OF_TCS = SGX_MK_ERROR(0x1003), /* The enclave is out of TCS */ + SGX_ERROR_ENCLAVE_CRASHED = SGX_MK_ERROR(0x1006), /* The enclave is crashed */ + SGX_ERROR_ECALL_NOT_ALLOWED = SGX_MK_ERROR(0x1007), /* The ECALL is not allowed at this time, e.g. ecall is blocked by the dynamic entry table, or nested ecall is not allowed during initialization */ + SGX_ERROR_OCALL_NOT_ALLOWED = SGX_MK_ERROR(0x1008), /* The OCALL is not allowed at this time, e.g. ocall is not allowed during exception handling */ + SGX_ERROR_STACK_OVERRUN = SGX_MK_ERROR(0x1009), /* The enclave is running out of stack */ + + SGX_ERROR_UNDEFINED_SYMBOL = SGX_MK_ERROR(0x2000), /* The enclave image has undefined symbol. */ + SGX_ERROR_INVALID_ENCLAVE = SGX_MK_ERROR(0x2001), /* The enclave image is not correct. 
*/ + SGX_ERROR_INVALID_ENCLAVE_ID = SGX_MK_ERROR(0x2002), /* The enclave id is invalid */ + SGX_ERROR_INVALID_SIGNATURE = SGX_MK_ERROR(0x2003), /* The signature is invalid */ + SGX_ERROR_NDEBUG_ENCLAVE = SGX_MK_ERROR(0x2004), /* The enclave is signed as product enclave, and can not be created as debuggable enclave. */ + SGX_ERROR_OUT_OF_EPC = SGX_MK_ERROR(0x2005), /* Not enough EPC is available to load the enclave */ + SGX_ERROR_NO_DEVICE = SGX_MK_ERROR(0x2006), /* Can't open SGX device */ + SGX_ERROR_MEMORY_MAP_CONFLICT= SGX_MK_ERROR(0x2007), /* Page mapping failed in driver. Deprecated */ + SGX_ERROR_INVALID_METADATA = SGX_MK_ERROR(0x2009), /* The metadata is incorrect. */ + SGX_ERROR_DEVICE_BUSY = SGX_MK_ERROR(0x200c), /* Device is busy, mostly EINIT failed. */ + SGX_ERROR_INVALID_VERSION = SGX_MK_ERROR(0x200d), /* Metadata version is inconsistent between uRTS and sgx_sign or uRTS is incompatible with current platform. */ + SGX_ERROR_MODE_INCOMPATIBLE = SGX_MK_ERROR(0x200e), /* The target enclave 32/64 bit mode or sim/hw mode is incompatible with the mode of current uRTS. */ + SGX_ERROR_ENCLAVE_FILE_ACCESS = SGX_MK_ERROR(0x200f), /* Can't open enclave file. 
*/ + SGX_ERROR_INVALID_MISC = SGX_MK_ERROR(0x2010), /* The MiscSelct/MiscMask settings are not correct.*/ + SGX_ERROR_INVALID_LAUNCH_TOKEN = SGX_MK_ERROR(0x2011), /* The launch token is not correct.*/ + + SGX_ERROR_MAC_MISMATCH = SGX_MK_ERROR(0x3001), /* Indicates verification error for reports, sealed datas, etc */ + SGX_ERROR_INVALID_ATTRIBUTE = SGX_MK_ERROR(0x3002), /* The enclave is not authorized, e.g., requesting invalid attribute or launch key access on legacy SGX platform without FLC */ + SGX_ERROR_INVALID_CPUSVN = SGX_MK_ERROR(0x3003), /* The cpu svn is beyond platform's cpu svn value */ + SGX_ERROR_INVALID_ISVSVN = SGX_MK_ERROR(0x3004), /* The isv svn is greater than the enclave's isv svn */ + SGX_ERROR_INVALID_KEYNAME = SGX_MK_ERROR(0x3005), /* The key name is an unsupported value */ + SGX_ERROR_UNSUPPORTED_FUNCTION = SGX_MK_ERROR(0x3006), /* The functionality is not supported */ + + SGX_ERROR_SERVICE_UNAVAILABLE = SGX_MK_ERROR(0x4001), /* Indicates aesm didn't respond or the requested service is not supported */ + SGX_ERROR_SERVICE_TIMEOUT = SGX_MK_ERROR(0x4002), /* The request to aesm timed out */ + SGX_ERROR_AE_INVALID_EPIDBLOB = SGX_MK_ERROR(0x4003), /* Indicates epid blob verification error */ + SGX_ERROR_SERVICE_INVALID_PRIVILEGE = SGX_MK_ERROR(0x4004), /* Enclave not authorized to run, .e.g. provisioning enclave hosted in an app without access rights to /dev/sgx_provision */ + SGX_ERROR_EPID_MEMBER_REVOKED = SGX_MK_ERROR(0x4005), /* The EPID group membership is revoked. 
*/ + SGX_ERROR_UPDATE_NEEDED = SGX_MK_ERROR(0x4006), /* SGX needs to be updated */ + SGX_ERROR_NETWORK_FAILURE = SGX_MK_ERROR(0x4007), /* Network connecting or proxy setting issue is encountered */ + SGX_ERROR_AE_SESSION_INVALID = SGX_MK_ERROR(0x4008), /* Session is invalid or ended by server */ + SGX_ERROR_BUSY = SGX_MK_ERROR(0x400a), /* The requested service is temporarily not available */ + SGX_ERROR_MC_NOT_FOUND = SGX_MK_ERROR(0x400c), /* The Monotonic Counter doesn't exist or has been invalided */ + SGX_ERROR_MC_NO_ACCESS_RIGHT = SGX_MK_ERROR(0x400d), /* Caller doesn't have the access right to specified VMC */ + SGX_ERROR_MC_USED_UP = SGX_MK_ERROR(0x400e), /* Monotonic counters are used out */ + SGX_ERROR_MC_OVER_QUOTA = SGX_MK_ERROR(0x400f), /* Monotonic counters exceeds quota limitation */ + SGX_ERROR_KDF_MISMATCH = SGX_MK_ERROR(0x4011), /* Key derivation function doesn't match during key exchange */ + SGX_ERROR_UNRECOGNIZED_PLATFORM = SGX_MK_ERROR(0x4012), /* EPID Provisioning failed due to platform not recognized by backend server*/ + SGX_ERROR_UNSUPPORTED_CONFIG = SGX_MK_ERROR(0x4013), /* The config for trigging EPID Provisiong or PSE Provisiong<P is invalid*/ + + SGX_ERROR_NO_PRIVILEGE = SGX_MK_ERROR(0x5002), /* Not enough privilege to perform the operation */ + + /* SGX Protected Code Loader Error codes*/ + SGX_ERROR_PCL_ENCRYPTED = SGX_MK_ERROR(0x6001), /* trying to encrypt an already encrypted enclave */ + SGX_ERROR_PCL_NOT_ENCRYPTED = SGX_MK_ERROR(0x6002), /* trying to load a plain enclave using sgx_create_encrypted_enclave */ + SGX_ERROR_PCL_MAC_MISMATCH = SGX_MK_ERROR(0x6003), /* section mac result does not match build time mac */ + SGX_ERROR_PCL_SHA_MISMATCH = SGX_MK_ERROR(0x6004), /* Unsealed key MAC does not match MAC of key hardcoded in enclave binary */ + SGX_ERROR_PCL_GUID_MISMATCH = SGX_MK_ERROR(0x6005), /* GUID in sealed blob does not match GUID hardcoded in enclave binary */ + + /* SGX errors are only used in the file API when there is no 
appropriate EXXX (EINVAL, EIO etc.) error code */ + SGX_ERROR_FILE_BAD_STATUS = SGX_MK_ERROR(0x7001), /* The file is in bad status, run sgx_clearerr to try and fix it */ + SGX_ERROR_FILE_NO_KEY_ID = SGX_MK_ERROR(0x7002), /* The Key ID field is all zeros, can't re-generate the encryption key */ + SGX_ERROR_FILE_NAME_MISMATCH = SGX_MK_ERROR(0x7003), /* The current file name is different then the original file name (not allowed, substitution attack) */ + SGX_ERROR_FILE_NOT_SGX_FILE = SGX_MK_ERROR(0x7004), /* The file is not an SGX file */ + SGX_ERROR_FILE_CANT_OPEN_RECOVERY_FILE = SGX_MK_ERROR(0x7005), /* A recovery file can't be opened, so flush operation can't continue (only used when no EXXX is returned) */ + SGX_ERROR_FILE_CANT_WRITE_RECOVERY_FILE = SGX_MK_ERROR(0x7006), /* A recovery file can't be written, so flush operation can't continue (only used when no EXXX is returned) */ + SGX_ERROR_FILE_RECOVERY_NEEDED = SGX_MK_ERROR(0x7007), /* When openeing the file, recovery is needed, but the recovery process failed */ + SGX_ERROR_FILE_FLUSH_FAILED = SGX_MK_ERROR(0x7008), /* fflush operation (to disk) failed (only used when no EXXX is returned) */ + SGX_ERROR_FILE_CLOSE_FAILED = SGX_MK_ERROR(0x7009), /* fclose operation (to disk) failed (only used when no EXXX is returned) */ + + + SGX_ERROR_UNSUPPORTED_ATT_KEY_ID = SGX_MK_ERROR(0x8001), /* platform quoting infrastructure does not support the key.*/ + SGX_ERROR_ATT_KEY_CERTIFICATION_FAILURE = SGX_MK_ERROR(0x8002), /* Failed to generate and certify the attestation key.*/ + SGX_ERROR_ATT_KEY_UNINITIALIZED = SGX_MK_ERROR(0x8003), /* The platform quoting infrastructure does not have the attestation key available to generate quote.*/ + SGX_ERROR_INVALID_ATT_KEY_CERT_DATA = SGX_MK_ERROR(0x8004), /* TThe data returned by the platform library's sgx_get_quote_config() is invalid.*/ + SGX_ERROR_PLATFORM_CERT_UNAVAILABLE = SGX_MK_ERROR(0x8005), /* The PCK Cert for the platform is not available.*/ + + 
SGX_ERROR_TLS_X509_INVALID_EXTENSION = SGX_MK_ERROR(0x9001), /* error of RA-TLS x509 invalid extension */ + SGX_INTERNAL_ERROR_ENCLAVE_CREATE_INTERRUPTED = SGX_MK_ERROR(0xF001), /* The ioctl for enclave_create unexpectedly failed with EINTR. */ + +} sgx_status_t; + +#endif diff --git a/sgx_dcap_quoteverify_stubs/sgx_key.h b/sgx_dcap_quoteverify_stubs/sgx_key.h new file mode 100644 index 0000000000..6be442113d --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_key.h 
@@ -0,0 +1,97 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + */ + + + + +/* + * This file is to define Enclave's keys +*/ + +#ifndef _SGX_KEY_H_ +#define _SGX_KEY_H_ + +#include +#include "sgx_attributes.h" + +/* Key Name */ +#define SGX_KEYSELECT_EINITTOKEN 0x0000 +#define SGX_KEYSELECT_PROVISION 0x0001 +#define SGX_KEYSELECT_PROVISION_SEAL 0x0002 +#define SGX_KEYSELECT_REPORT 0x0003 +#define SGX_KEYSELECT_SEAL 0x0004 + +/* Key Policy */ +#define SGX_KEYPOLICY_MRENCLAVE 0x0001 /* Derive key using the enclave's ENCLAVE measurement register */ +#define SGX_KEYPOLICY_MRSIGNER 0x0002 /* Derive key using the enclave's SIGNER measurement register */ +#define SGX_KEYPOLICY_NOISVPRODID 0x0004 /* Derive key without the enclave's ISVPRODID */ +#define SGX_KEYPOLICY_CONFIGID 0x0008 /* Derive key with the enclave's CONFIGID */ +#define SGX_KEYPOLICY_ISVFAMILYID 0x0010 /* Derive key with the enclave's ISVFAMILYID */ +#define SGX_KEYPOLICY_ISVEXTPRODID 0x0020 /* Derive key with the enclave's ISVEXTPRODID */ + +#define SGX_KEYID_SIZE 32 +#define SGX_CPUSVN_SIZE 16 +#define SGX_CONFIGID_SIZE 64 + +typedef uint8_t sgx_key_128bit_t[16]; +typedef uint16_t sgx_isv_svn_t; +typedef uint16_t sgx_config_svn_t; +typedef uint8_t sgx_config_id_t[SGX_CONFIGID_SIZE]; + + +typedef struct _sgx_cpu_svn_t +{ + uint8_t svn[SGX_CPUSVN_SIZE]; +} sgx_cpu_svn_t; + +typedef struct _sgx_key_id_t +{ + uint8_t id[SGX_KEYID_SIZE]; +} sgx_key_id_t; + +#define SGX_KEY_REQUEST_RESERVED2_BYTES 434 + +typedef struct _key_request_t +{ + uint16_t key_name; /* Identifies the key required */ + uint16_t key_policy; /* Identifies which inputs should be used in the key derivation */ + sgx_isv_svn_t isv_svn; /* Security Version of the Enclave */ + uint16_t reserved1; /* Must be 0 */ + sgx_cpu_svn_t cpu_svn; /* Security Version of the CPU */ + sgx_attributes_t attribute_mask; /* Mask which ATTRIBUTES Seal keys should be bound to */ + sgx_key_id_t key_id; /* Value for key wear-out protection */ + sgx_misc_select_t misc_mask; /* Mask what MISCSELECT Seal keys bound to */ + 
sgx_config_svn_t config_svn; /* CONFIGSVN */ + uint8_t reserved2[SGX_KEY_REQUEST_RESERVED2_BYTES]; /* Struct size is 512 bytes */ +} sgx_key_request_t; + + +#endif diff --git a/sgx_dcap_quoteverify_stubs/sgx_pce.h b/sgx_dcap_quoteverify_stubs/sgx_pce.h new file mode 100644 index 0000000000..467aaceec5 --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_pce.h 
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * File: sgx_pce.h
+ * Description: Definition for pce interface.
+ *
+ * PCE interface and supporting structure definitions.
+ */
+#ifndef _SGX_PCE_H_
+#define _SGX_PCE_H_
+
+#include "sgx_key.h"
+#include "sgx_report.h"
+
+#define SGX_PCE_MK_ERROR(x) (0x0000F000|(x))
+typedef enum _sgx_pce_error_t
+{
+ SGX_PCE_SUCCESS = SGX_PCE_MK_ERROR(0x0000),
+ SGX_PCE_UNEXPECTED = SGX_PCE_MK_ERROR(0x0001), /* Unexpected error */
+ SGX_PCE_INVALID_PARAMETER = SGX_PCE_MK_ERROR(0x0002), /* The parameter is incorrect */
+ SGX_PCE_OUT_OF_EPC = SGX_PCE_MK_ERROR(0x0003), /* Not enough memory is available to complete this operation */
+ SGX_PCE_INTERFACE_UNAVAILABLE = SGX_PCE_MK_ERROR(0x0004), /* SGX API is unavailable */
+ SGX_PCE_INVALID_REPORT = SGX_PCE_MK_ERROR(0x0005), /* the report cannot be verified */
+ SGX_PCE_CRYPTO_ERROR = SGX_PCE_MK_ERROR(0x0006), /* Cannot decrypt or verify ciphertext */
+ SGX_PCE_INVALID_PRIVILEGE = SGX_PCE_MK_ERROR(0x0007), /* Not enough privilege to perform the operation */
+ SGX_PCE_INVALID_TCB = SGX_PCE_MK_ERROR(0x0008), /* PCE could not sign at the requested TCB */
+} sgx_pce_error_t;
+
+
+/* PCE ID for the PCE in this library */
+#define PCE_ID 0
+
+/* Crypto_suite */
+#define PCE_ALG_RSA_OAEP_3072 1
+
+/* Signature_scheme */
+#define PCE_NIST_P256_ECDSA_SHA256 0
+
+
+//TODO: in qe pce common header
+/** Typedef enum _sgx_ql_request_policy */
+typedef enum _sgx_ql_request_policy
+{
+ SGX_QL_PERSISTENT, ///< QE is initialized on first use and reused until process ends.
+ SGX_QL_EPHEMERAL, ///< QE is initialized and terminated on every quote.
+ ///< If a previous QE exists, it is stopped & restarted before quoting.
+ SGX_QL_EPHEMERAL_QVE_MULTI_THREAD, ///< Only used for quote verification, QvE is loaded per thread and be unloaded before function exit.
+ SGX_QL_PERSISTENT_QVE_MULTI_THREAD, ///< Only used for quote verification, QvE is loaded per thread and be unloaded before thread exit.
+
+ SGX_QL_DEFAULT = SGX_QL_PERSISTENT
+} sgx_ql_request_policy_t;
+
+#pragma pack(push, 1)
+/** Structure for the Platform Certificate Enclave identity information */
+typedef struct _sgx_pce_info_t {
+ sgx_isv_svn_t pce_isv_svn; ///< PCE ISVSVN
+ uint16_t pce_id; ///< PCE ID. It will change when something in the PCE would cause the PPID generation to change on the same platform
+}sgx_pce_info_t;
+#pragma pack(pop)
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+sgx_pce_error_t sgx_set_pce_enclave_load_policy(
+ sgx_ql_request_policy_t policy);
+
+sgx_pce_error_t sgx_pce_get_target(
+ sgx_target_info_t *p_pce_target,
+ sgx_isv_svn_t *p_pce_isv_svn);
+
+sgx_pce_error_t sgx_get_pce_info(
+ const sgx_report_t* p_report,
+ const uint8_t *p_public_key,
+ uint32_t key_size,
+ uint8_t crypto_suite,
+ uint8_t *p_encrypted_ppid,
+ uint32_t encrypted_ppid_buf_size,
+ uint32_t *p_encrypted_ppid_out_size,
+ sgx_isv_svn_t* p_pce_isvn,
+ uint16_t* p_pce_id,
+ uint8_t *p_signature_scheme);
+
+sgx_pce_error_t sgx_pce_sign_report(
+ const sgx_isv_svn_t* isv_svn,
+ const sgx_cpu_svn_t* cpu_svn,
+ const sgx_report_t* p_report,
+ uint8_t *p_signature,
+ uint32_t signature_buf_size,
+ uint32_t *p_signature_out_size);
+
+sgx_pce_error_t sgx_get_pce_info_without_ppid(
+ sgx_isv_svn_t* p_pce_isvsvn,
+ uint16_t* p_pce_id);
+
+sgx_pce_error_t sgx_set_pce_path(
+ const char* p_path);
+#if defined(__cplusplus)
+}
+#endif
+
+#endif
+
+
diff --git a/sgx_dcap_quoteverify_stubs/sgx_ql_lib_common.h b/sgx_dcap_quoteverify_stubs/sgx_ql_lib_common.h
new file mode 100644
index 0000000000..10338a8ee7
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_ql_lib_common.h
@@ -0,0 +1,267 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +/** +* File: sgx_ql_lib_common.h +* +* Description: Common defintions for high-level quote APIs +* +*/ + +/* User defined types */ +#ifndef _SGX_QL_LIB_COMMON_H_ +#define _SGX_QL_LIB_COMMON_H_ + +#include "sgx_key.h" + +#define TEE_MK_ERROR(x) (0x0000E000|(x)) + +/** Possible errors generated by the quote interface. 
*/ +typedef enum _quote3_error_t { + SGX_QL_SUCCESS = 0x0000, TEE_SUCCESS = 0x0000, ///< Success + SGX_QL_ERROR_MIN = TEE_MK_ERROR(0x0001), TEE_ERROR_MIN = TEE_MK_ERROR(0x0001), ///< Indicate min error to allow better translation. + SGX_QL_ERROR_UNEXPECTED = TEE_MK_ERROR(0x0001), TEE_ERROR_UNEXPECTED = TEE_MK_ERROR(0x0001), ///< Unexpected error + SGX_QL_ERROR_INVALID_PARAMETER = TEE_MK_ERROR(0x0002), TEE_ERROR_INVALID_PARAMETER = TEE_MK_ERROR(0x0002), ///< The parameter is incorrect + SGX_QL_ERROR_OUT_OF_MEMORY = TEE_MK_ERROR(0x0003), TEE_ERROR_OUT_OF_MEMORY = TEE_MK_ERROR(0x0003), ///< Not enough memory is available to complete this operation + SGX_QL_ERROR_ECDSA_ID_MISMATCH = TEE_MK_ERROR(0x0004), TEE_ERROR_ECDSA_ID_MISMATCH = TEE_MK_ERROR(0x0004), ///< Expected ECDSA_ID does not match the value stored in the ECDSA Blob + SGX_QL_PATHNAME_BUFFER_OVERFLOW_ERROR = TEE_MK_ERROR(0x0005), TEE_PATHNAME_BUFFER_OVERFLOW_ERROR = TEE_MK_ERROR(0x0005), ///< The ECDSA blob pathname is too large + SGX_QL_FILE_ACCESS_ERROR = TEE_MK_ERROR(0x0006), TEE_FILE_ACCESS_ERROR = TEE_MK_ERROR(0x0006), ///< Error accessing ECDSA blob + SGX_QL_ERROR_STORED_KEY = TEE_MK_ERROR(0x0007), TEE_ERROR_STORED_KEY = TEE_MK_ERROR(0x0007), ///< Cached ECDSA key is invalid + SGX_QL_ERROR_PUB_KEY_ID_MISMATCH = TEE_MK_ERROR(0x0008), TEE_ERROR_PUB_KEY_ID_MISMATCH = TEE_MK_ERROR(0x0008), ///< Cached ECDSA key does not match requested key + SGX_QL_ERROR_INVALID_PCE_SIG_SCHEME = TEE_MK_ERROR(0x0009), TEE_ERROR_INVALID_PCE_SIG_SCHEME = TEE_MK_ERROR(0x0009), ///< PCE use the incorrect signature scheme + SGX_QL_ATT_KEY_BLOB_ERROR = TEE_MK_ERROR(0x000a), TEE_ATT_KEY_BLOB_ERROR = TEE_MK_ERROR(0x000a), ///< There is a problem with the attestation key blob. + SGX_QL_UNSUPPORTED_ATT_KEY_ID = TEE_MK_ERROR(0x000b), TEE_UNSUPPORTED_ATT_KEY_ID = TEE_MK_ERROR(0x000b), ///< Unsupported attestation key ID. 
+ SGX_QL_UNSUPPORTED_LOADING_POLICY = TEE_MK_ERROR(0x000c), TEE_UNSUPPORTED_LOADING_POLICY = TEE_MK_ERROR(0x000c), ///< Unsupported enclave loading policy. + SGX_QL_INTERFACE_UNAVAILABLE = TEE_MK_ERROR(0x000d), TEE_INTERFACE_UNAVAILABLE = TEE_MK_ERROR(0x000d), ///< Unable to load the PCE enclave + SGX_QL_PLATFORM_LIB_UNAVAILABLE = TEE_MK_ERROR(0x000e), TEE_PLATFORM_LIB_UNAVAILABLE = TEE_MK_ERROR(0x000e), ///< Unable to find the platform library with the dependent APIs. Not fatal. + SGX_QL_ATT_KEY_NOT_INITIALIZED = TEE_MK_ERROR(0x000f), TEE_ATT_KEY_NOT_INITIALIZED = TEE_MK_ERROR(0x000f), ///< The attestation key doesn't exist or has not been certified. + SGX_QL_ATT_KEY_CERT_DATA_INVALID = TEE_MK_ERROR(0x0010), TEE_ATT_KEY_CERT_DATA_INVALID = TEE_MK_ERROR(0x0010), ///< The certification data retrieved from the platform library is invalid. + SGX_QL_NO_PLATFORM_CERT_DATA = TEE_MK_ERROR(0x0011), TEE_NO_PLATFORM_CERT_DATA = TEE_MK_ERROR(0x0011), ///< The platform library doesn't have any platfrom cert data. + SGX_QL_OUT_OF_EPC = TEE_MK_ERROR(0x0012), TEE_OUT_OF_EPC = TEE_MK_ERROR(0x0012), ///< Not enough memory in the EPC to load the enclave. + SGX_QL_ERROR_REPORT = TEE_MK_ERROR(0x0013), TEE_ERROR_REPORT = TEE_MK_ERROR(0x0013), ///< There was a problem verifying an SGX REPORT. + SGX_QL_ENCLAVE_LOST = TEE_MK_ERROR(0x0014), TEE_ENCLAVE_LOST = TEE_MK_ERROR(0x0014), ///< Interfacing to the enclave failed due to a power transition. + SGX_QL_INVALID_REPORT = TEE_MK_ERROR(0x0015), TEE_INVALID_REPORT = TEE_MK_ERROR(0x0015), ///< Error verifying the application enclave's report. + SGX_QL_ENCLAVE_LOAD_ERROR = TEE_MK_ERROR(0x0016), TEE_ENCLAVE_LOAD_ERROR = TEE_MK_ERROR(0x0016), ///< Unable to load the enclaves. 
Could be due to file I/O error, loading infrastructure error, or non-SGX capable system + SGX_QL_UNABLE_TO_GENERATE_QE_REPORT = TEE_MK_ERROR(0x0017), TEE_UNABLE_TO_GENERATE_QE_REPORT = TEE_MK_ERROR(0x0017), ///< The QE was unable to generate its own report targeting the application enclave either + ///< because the QE doesn't support this feature there is an enclave compatibility issue. + ///< Please call again with the p_qe_report_info to NULL. + SGX_QL_KEY_CERTIFCATION_ERROR = TEE_MK_ERROR(0x0018), TEE_KEY_CERTIFCATION_ERROR = TEE_MK_ERROR(0x0018), ///< Caused when the provider library returns an invalid TCB (too high). + SGX_QL_NETWORK_ERROR = TEE_MK_ERROR(0x0019), TEE_NETWORK_ERROR = TEE_MK_ERROR(0x0019), ///< Network error when retrieving PCK certs + SGX_QL_MESSAGE_ERROR = TEE_MK_ERROR(0x001a), TEE_MESSAGE_ERROR = TEE_MK_ERROR(0x001a), ///< Message error when retrieving PCK certs + SGX_QL_NO_QUOTE_COLLATERAL_DATA = TEE_MK_ERROR(0x001b), TEE_NO_QUOTE_COLLATERAL_DATA = TEE_MK_ERROR(0x001b), ///< The platform does not have the quote verification collateral data available. 
+ SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED = TEE_MK_ERROR(0x001c), TEE_QUOTE_CERTIFICATION_DATA_UNSUPPORTED = TEE_MK_ERROR(0x001c), + SGX_QL_QUOTE_FORMAT_UNSUPPORTED = TEE_MK_ERROR(0x001d), TEE_QUOTE_FORMAT_UNSUPPORTED = TEE_MK_ERROR(0x001d), + SGX_QL_UNABLE_TO_GENERATE_REPORT = TEE_MK_ERROR(0x001e), TEE_UNABLE_TO_GENERATE_REPORT = TEE_MK_ERROR(0x001e), + SGX_QL_QE_REPORT_INVALID_SIGNATURE = TEE_MK_ERROR(0x001f), TEE_QE_REPORT_INVALID_SIGNATURE = TEE_MK_ERROR(0x001f), + SGX_QL_QE_REPORT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0020), TEE_QE_REPORT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0020), + SGX_QL_PCK_CERT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0021), TEE_PCK_CERT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0021), + SGX_QL_PCK_CERT_CHAIN_ERROR = TEE_MK_ERROR(0x0022), TEE_PCK_CERT_CHAIN_ERROR = TEE_MK_ERROR(0x0022), + SGX_QL_TCBINFO_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0023), TEE_TCBINFO_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0023), + SGX_QL_TCBINFO_MISMATCH = TEE_MK_ERROR(0x0024), TEE_TCBINFO_MISMATCH = TEE_MK_ERROR(0x0024), + SGX_QL_QEIDENTITY_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0025), TEE_QEIDENTITY_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0025), + SGX_QL_QEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0026), TEE_QEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0026), + SGX_QL_TCB_OUT_OF_DATE = TEE_MK_ERROR(0x0027), TEE_TCB_OUT_OF_DATE = TEE_MK_ERROR(0x0027), + SGX_QL_TCB_OUT_OF_DATE_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0028), TEE_TCB_OUT_OF_DATE_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0028), ///< TCB out of date and Configuration needed + SGX_QL_SGX_ENCLAVE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x0029), TEE_SGX_ENCLAVE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x0029), + SGX_QL_SGX_ENCLAVE_REPORT_ISVSVN_OUT_OF_DATE = TEE_MK_ERROR(0x002a), TEE_SGX_ENCLAVE_REPORT_ISVSVN_OUT_OF_DATE = TEE_MK_ERROR(0x002a), + SGX_QL_QE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x002b), TEE_QE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x002b), + SGX_QL_SGX_TCB_INFO_EXPIRED = TEE_MK_ERROR(0x002c), TEE_SGX_TCB_INFO_EXPIRED = TEE_MK_ERROR(0x002c), + 
SGX_QL_SGX_PCK_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002d), TEE_SGX_PCK_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002d), + SGX_QL_SGX_CRL_EXPIRED = TEE_MK_ERROR(0x002e), TEE_SGX_CRL_EXPIRED = TEE_MK_ERROR(0x002e), + SGX_QL_SGX_SIGNING_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002f), TEE_SGX_SIGNING_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002f), + SGX_QL_SGX_ENCLAVE_IDENTITY_EXPIRED = TEE_MK_ERROR(0x0030), TEE_SGX_ENCLAVE_IDENTITY_EXPIRED = TEE_MK_ERROR(0x0030), + SGX_QL_PCK_REVOKED = TEE_MK_ERROR(0x0031), TEE_PCK_REVOKED = TEE_MK_ERROR(0x0031), + SGX_QL_TCB_REVOKED = TEE_MK_ERROR(0x0032), TEE_TCB_REVOKED = TEE_MK_ERROR(0x0032), + SGX_QL_TCB_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0033), TEE_TCB_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0033), + SGX_QL_UNABLE_TO_GET_COLLATERAL = TEE_MK_ERROR(0x0034), TEE_UNABLE_TO_GET_COLLATERAL = TEE_MK_ERROR(0x0034), + SGX_QL_ERROR_INVALID_PRIVILEGE = TEE_MK_ERROR(0x0035), TEE_ERROR_INVALID_PRIVILEGE = TEE_MK_ERROR(0x0035), ///< No enough privilege to perform the operation + SGX_QL_NO_QVE_IDENTITY_DATA = TEE_MK_ERROR(0x0037), TEE_NO_QVE_IDENTITY_DATA = TEE_MK_ERROR(0x0037), ///< The platform does not have the QVE identity data available. 
+ SGX_QL_CRL_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0038), TEE_CRL_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0038), + SGX_QL_QEIDENTITY_CHAIN_ERROR = TEE_MK_ERROR(0x0039), TEE_QEIDENTITY_CHAIN_ERROR = TEE_MK_ERROR(0x0039), + SGX_QL_TCBINFO_CHAIN_ERROR = TEE_MK_ERROR(0x003a), TEE_TCBINFO_CHAIN_ERROR = TEE_MK_ERROR(0x003a), + SGX_QL_ERROR_QVL_QVE_MISMATCH = TEE_MK_ERROR(0x003b), TEE_ERROR_QVL_QVE_MISMATCH = TEE_MK_ERROR(0x003b), ///< Supplemental data size and version mismatched between QVL and QvE + ///< Please make sure to use QVL and QvE from same release package + SGX_QL_TCB_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003c), TEE_TCB_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003c), ///< TCB up to date but SW Hardening needed + SGX_QL_TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003d), TEE_TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003d), ///< TCB up to date but Configuration and SW Hardening needed + + SGX_QL_UNSUPPORTED_MODE = TEE_MK_ERROR(0x003e), TEE_UNSUPPORTED_MODE = TEE_MK_ERROR(0x003e), + + SGX_QL_NO_DEVICE = TEE_MK_ERROR(0x003f), TEE_NO_DEVICE = TEE_MK_ERROR(0x003f), + SGX_QL_SERVICE_UNAVAILABLE = TEE_MK_ERROR(0x0040), TEE_SERVICE_UNAVAILABLE = TEE_MK_ERROR(0x0040), + SGX_QL_NETWORK_FAILURE = TEE_MK_ERROR(0x0041), TEE_NETWORK_FAILURE = TEE_MK_ERROR(0x0041), + SGX_QL_SERVICE_TIMEOUT = TEE_MK_ERROR(0x0042), TEE_SERVICE_TIMEOUT = TEE_MK_ERROR(0x0042), + SGX_QL_ERROR_BUSY = TEE_MK_ERROR(0x0043), TEE_ERROR_BUSY = TEE_MK_ERROR(0x0043), + + SGX_QL_UNKNOWN_MESSAGE_RESPONSE = TEE_MK_ERROR(0x0044), TEE_UNKNOWN_MESSAGE_RESPONSE = TEE_MK_ERROR(0x0044), ///< Unexpected error from the cache service + SGX_QL_PERSISTENT_STORAGE_ERROR = TEE_MK_ERROR(0x0045), TEE_PERSISTENT_STORAGE_ERROR = TEE_MK_ERROR(0x0045), ///< Error storing the retrieved cached data in persistent memory + SGX_QL_ERROR_MESSAGE_PARSING_ERROR = TEE_MK_ERROR(0x0046), TEE_ERROR_MESSAGE_PARSING_ERROR = TEE_MK_ERROR(0x0046), /// Message parsing error + SGX_QL_PLATFORM_UNKNOWN = TEE_MK_ERROR(0x0047), 
TEE_PLATFORM_UNKNOWN = TEE_MK_ERROR(0x0047), ///< Platform was not found in the cache + SGX_QL_UNKNOWN_API_VERSION = TEE_MK_ERROR(0x0048), TEE_UNKNOWN_API_VERSION = TEE_MK_ERROR(0x0048), ///< The current PCS API version configured is unknown + SGX_QL_CERTS_UNAVAILABLE = TEE_MK_ERROR(0x0049), TEE_CERTS_UNAVAILABLE = TEE_MK_ERROR(0x0049), ///< Certificates are not available for this platform + + SGX_QL_QVEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0050), TEE_QVEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0050), ///< QvE Identity is NOT match to Intel signed QvE identity + SGX_QL_QVE_OUT_OF_DATE = TEE_MK_ERROR(0x0051), TEE_QVE_OUT_OF_DATE = TEE_MK_ERROR(0x0051), ///< QvE ISVSVN is smaller than the ISVSVN threshold, or input QvE ISVSVN is too small + SGX_QL_PSW_NOT_AVAILABLE = TEE_MK_ERROR(0x0052), TEE_PSW_NOT_AVAILABLE = TEE_MK_ERROR(0x0052), ///< SGX PSW library cannot be loaded, could be due to file I/O error + SGX_QL_COLLATERAL_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0053), TEE_COLLATERAL_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0053), ///< SGX quote verification collateral version not supported by QVL/QvE + SGX_QL_TDX_MODULE_MISMATCH = TEE_MK_ERROR(0x0060), TEE_TDX_MODULE_MISMATCH = TEE_MK_ERROR(0x0060), ///< TDX SEAM module identity is NOT match to Intel signed TDX SEAM module + + SGX_QL_QEIDENTITY_NOT_FOUND = TEE_MK_ERROR(0x0061), TEE_QEIDENTITY_NOT_FOUND = TEE_MK_ERROR(0x0061), ///< QE identity was not found + SGX_QL_TCBINFO_NOT_FOUND = TEE_MK_ERROR(0x0062), TEE_TCBINFO_NOT_FOUND = TEE_MK_ERROR(0x0062), ///< TCB Info was not found + SGX_QL_INTERNAL_SERVER_ERROR = TEE_MK_ERROR(0x0063), TEE_INTERNAL_SERVER_ERROR = TEE_MK_ERROR(0x0063), ///< Internal server error + + SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0064), TEE_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0064), ///< The supplemental data version is not supported + + SGX_QL_ROOT_CA_UNTRUSTED = TEE_MK_ERROR(0x0065), TEE_ROOT_CA_UNTRUSTED = TEE_MK_ERROR(0x0065), ///< The certificate used to 
establish SSL session is untrusted + + SGX_QL_TCB_NOT_SUPPORTED = TEE_MK_ERROR(0x0066), TEE_TCB_NOT_SUPPORTED = TEE_MK_ERROR(0x0066), ///< Current TCB level cannot be found in platform/enclave TCB info + + SGX_QL_CONFIG_INVALID_JSON = TEE_MK_ERROR(0x0067), TEE_CONFIG_INVALID_JSON = TEE_MK_ERROR(0x0067), ///< The QPL's config file is in JSON format but has a format error + + SGX_QL_RESULT_INVALID_SIGNATURE = TEE_MK_ERROR(0x0068), TEE_RESULT_INVALID_SIGNATURE = TEE_MK_ERROR(0x0068), ///< Invalid signature during quote verification + + SGX_QL_ERROR_MAX = TEE_MK_ERROR(0x00FF), TEE_ERROR_MAX = TEE_MK_ERROR(0x00FF), ///< Indicate max error to allow better translation. + +} quote3_error_t, tee_error_t; + + +#pragma pack(push, 1) +/** */ +typedef struct _sgx_ql_qe3_id_t { + uint8_t id[16]; ///< Contains the 16-byte QE_ID +} sgx_ql_qe3_id_t; + +/** Used to describe the PCK Cert for a platform */ +typedef struct _sgx_ql_pck_cert_id_t +{ + uint8_t *p_qe3_id; ///< The QE_ID used to identify the platform for PCK Cert Retrieval + uint32_t qe3_id_size; ///< The Size of hte QE_ID (currenlty 16 bytes) + sgx_cpu_svn_t *p_platform_cpu_svn; ///< Pointer to the platform's raw CPUSVN + sgx_isv_svn_t *p_platform_pce_isv_svn; ///< Pointer to the platform's raw PCE ISVSVN + uint8_t *p_encrypted_ppid; ///< Pointer to the encrypted PPID (Optional) + uint32_t encrypted_ppid_size; ///< Size of encrytped PPID. + uint8_t crypto_suite; ///< Crypto algorithm used to encrypt the PPID + uint16_t pce_id; ///< Identifies the PCE-Version used to generate the encrypted PPID. +}sgx_ql_pck_cert_id_t; + +/** Contains the valid versions of the sgx_ql_config_t data structure. */ +typedef enum _sgx_ql_config_version_t +{ + SGX_QL_CONFIG_VERSION_1 = 1, +}sgx_ql_config_version_t; + +/** Contains the certification data used to certify the attestation key and in generating a quote. 
*/ +typedef struct _sgx_ql_config_t +{ + sgx_ql_config_version_t version; + sgx_cpu_svn_t cert_cpu_svn; ///< The CPUSVN used to generate the PCK Signature used to certify the attestation key. + sgx_isv_svn_t cert_pce_isv_svn; ///< The PCE ISVSVN used to generate the PCK Signature used to certify the attestation key. + uint32_t cert_data_size; ///< The size of the buffer pointed to by p_cert_data + uint8_t *p_cert_data; ///< The certification data used for the quote. + ///todo: It is the assumed to be the PCK Cert Chain. May want to change to support other cert types. +} sgx_ql_config_t; + +#pragma pack(pop) + +#define MAX_PARAM_STRING_SIZE (256) +typedef struct _sgx_ql_qve_collateral_param_t { + uint8_t key[MAX_PARAM_STRING_SIZE + 1]; + uint8_t value[MAX_PARAM_STRING_SIZE + 1]; +} sgx_ql_qve_collateral_param_t; + +// Nameless struct generates C4201 warning in MS compiler, but it is allowed in c++ 11 standard +// Should remove the pragma after Microsoft fixes this issue +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning(disable : 4201) +#endif + +#ifndef __sgx_ql_qve_collateral_t // The __sgx_ql_qve_collateral_t can also be defined in QvE _t/_u.h +#define __sgx_ql_qve_collateral_t +typedef struct _sgx_ql_qve_collateral_t +{ + union { + uint32_t version; ///< 'version' is the backward compatible legacy representation + struct { ///< For PCS V1 and V2 APIs, the major_version = 1 and minor_version = 0 and + uint16_t major_version; ///< the CRLs will be formatted in PEM. For PCS V3 APIs, the major_version = 3 and the + uint16_t minor_version; ///< minor_version can be either 0 or 1. minor_verion of 0 indicates the CRL’s are formatted + ///< in Base16 encoded DER. A minor version of 1 indicates the CRL’s are formatted in raw binary DER. 
+ }; + }; + uint32_t tee_type; ///< 0x00000000: SGX or 0x00000081: TDX + char *pck_crl_issuer_chain; + uint32_t pck_crl_issuer_chain_size; + char *root_ca_crl; /// Root CA CRL + uint32_t root_ca_crl_size; + char *pck_crl; /// PCK Cert CRL + uint32_t pck_crl_size; + char *tcb_info_issuer_chain; + uint32_t tcb_info_issuer_chain_size; + char *tcb_info; /// TCB Info structure + uint32_t tcb_info_size; + char *qe_identity_issuer_chain; + uint32_t qe_identity_issuer_chain_size; + char *qe_identity; /// QE Identity Structure + uint32_t qe_identity_size; +} sgx_ql_qve_collateral_t; +#endif //__sgx_ql_qve_collateral_t + +#ifdef _MSC_VER +#pragma warning(pop) +#endif + +typedef enum _sgx_ql_log_level_t +{ + SGX_QL_LOG_ERROR, + SGX_QL_LOG_INFO, + SGX_QL_LOG_DEBUG, + SGX_QL_LOG_TRACE, +} sgx_ql_log_level_t; + +typedef void (*sgx_ql_logging_callback_t)(sgx_ql_log_level_t level, const char* message); + +typedef enum _sgx_prod_type_t { + SGX_PROD_TYPE_SGX = 0, + SGX_PROD_TYPE_TDX = 1, +} sgx_prod_type_t; + +typedef enum _sgx_qpl_cache_type_t { + SGX_QPL_CACHE_CERTIFICATE = 1 << 0, + SGX_QPL_CACHE_QV_COLLATERAL = 1 << 1, + SGX_QPL_CACHE_MULTICERTS = 1 << 2, +} sgx_qpl_cache_type_t; + +#ifndef tdx_ql_qve_collateral_t +typedef sgx_ql_qve_collateral_t tdx_ql_qve_collateral_t; + +// Deprecate structure name tdx_ql_qve_collateral_t +typedef tdx_ql_qve_collateral_t tdx_ql_qv_collateral_t; +#endif + +#endif //_SGX_QL_LIB_COMMON_H_ diff --git a/sgx_dcap_quoteverify_stubs/sgx_ql_quote.h b/sgx_dcap_quoteverify_stubs/sgx_ql_quote.h new file mode 100644 index 0000000000..46a9e5817c --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_ql_quote.h 
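Review bot: Nothing in this header records which Intel DCAP release it was copied from, although the commit message says the real DCAP libraries are installed into the kbs container only at deployment time. The `quote3_error_t` values and the layouts of `sgx_ql_pck_cert_id_t` and `sgx_ql_config_t` (inside `#pragma pack(push, 1)`) and of `sgx_ql_qve_collateral_t` (declared after the `pack(pop)`) are compiled into kbs from this copy, so they must match whichever library version is loaded later. A mismatch would not show up at build time and could presumably lead to misread status codes or collateral buffers. I would add a provenance comment under the licence block, e.g. `/* Vendored unmodified from Intel DCAP <release tag>; the runtime DCAP library must be the same release. */`, and pin that release where the runtime packages are installed. The same applies to sgx_ql_quote.h, sgx_quote.h and the other headers this commit adds.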
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+* File: sgx_ql_quote.h
+*
+* Description: Generic SGX quote reference code definitions.
+*
+*/
+
+/* User defined types */
+#ifndef _SGX_QL_QUOTE_H_
+#define _SGX_QL_QUOTE_H_
+#include
+#include "sgx_ql_lib_common.h"
+#include "sgx_quote.h"
+#include "sgx_quote_3.h"
+
+
+#pragma pack(push, 1)
+/** Describes the algorithm parameters needed to generate the given algorithm's signature. Used for quote generation
+ * APIs. */
+typedef struct _sgx_ql_att_key_id_param_t {
+ uint32_t algorithm_param_size; ///< Size of additional attestation key information. 0 is valid.
+#ifdef _MSC_VER
+#pragma warning(push)
+#pragma warning ( disable:4200 )
+#endif
+ uint8_t algorithm_param[]; ///< Additional attestation algorithm information.For example, SigRL for EPID.
+#ifdef _MSC_VER
+#pragma warning(pop)
+#endif
+}sgx_ql_att_key_id_param_t;
+
+/** The full data structure passed to the platform by the verifier. It will list all of the attestation algorithms and
+ * QE's supported by the verifier */
+typedef struct _sgx_ql_att_id_list_t {
+ sgx_ql_att_key_id_list_header_t header; ///< Header for the attestation key ID list provided by the quote verifier.
+#ifdef _MSC_VER
+#pragma warning(push)
+#pragma warning ( disable:4200 )
+#endif
+ sgx_att_key_id_ext_t ext_id_list[];///< Place holder for the extended attestation ID list.
+#ifdef _MSC_VER
+#pragma warning(pop)
+#endif
+}sgx_ql_att_key_id_list_t;
+
+typedef struct _sgx_ql_qe_report_info_t {
+ sgx_quote_nonce_t nonce;
+ sgx_target_info_t app_enclave_target_info;
+ sgx_report_t qe_report;
+}sgx_ql_qe_report_info_t;
+
+#pragma pack(pop)
+
+#ifdef __cplusplus
+/** Describes the generic Quoting API used by all attestation keys/algorithms. A particular quoting implementer will implement this interface.
+ Application can use this interface to remain agnostic to the attestation key used to generate a quote. */
+class IQuote {
+public:
+ virtual ~IQuote() {}
+
+ virtual quote3_error_t init_quote(sgx_ql_att_key_id_t* p_att_key_id,
+ sgx_ql_cert_key_type_t certification_key_type,
+ sgx_target_info_t *p_target_info,
+ bool refresh_att_key,
+ size_t* p_pub_key_id_size,
+ uint8_t* p_pub_key_id) = 0;
+
+ virtual quote3_error_t get_quote_size(sgx_ql_att_key_id_t* p_att_key_id,
+ sgx_ql_cert_key_type_t certification_key_type,
+ uint32_t* p_quote_size) = 0;
+
+ virtual quote3_error_t get_quote(const sgx_report_t *p_app_report,
+ sgx_ql_att_key_id_t* p_att_key_id,
+ sgx_ql_qe_report_info_t *p_qe_report_info,
+ sgx_quote3_t *p_quote,
+ uint32_t quote_size) = 0;
+};
+#endif //#ifdef __cplusplus
+#endif //_SGX_QL_QUOTE_H_
diff --git a/sgx_dcap_quoteverify_stubs/sgx_quote.h b/sgx_dcap_quoteverify_stubs/sgx_quote.h
new file mode 100644
index 0000000000..40f54a2ca8
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_quote.h
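Review bot: The `#include` directly after `#define _SGX_QL_QUOTE_H_` in sgx_ql_quote.h carries no header name as shown here. The name may simply have been lost when the patch was rendered, but as written the directive is ill-formed. `IQuote::init_quote` uses `size_t` and the packed structs use `uint8_t`/`uint32_t`, so the header should bring those in itself, e.g. `#include <stddef.h>` and `#include <stdint.h>`, rather than depend on what `sgx_ql_lib_common.h` happens to pull in. Worth confirming against the file in the tree before merging.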
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+
+ /**
+ * File: sgx_quote.h
+ * Description: Definition for quote structure.
+ *
+ * Quote structure and all relative structure will be defined in this file.
+ */
+
+#ifndef _SGX_QUOTE_H_
+#define _SGX_QUOTE_H_
+
+#include "sgx_report.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#pragma pack(push, 1)
+typedef uint8_t sgx_epid_group_id_t[4];
+
+typedef struct _spid_t
+{
+ uint8_t id[16];
+} sgx_spid_t;
+
+typedef struct _basename_t
+{
+ uint8_t name[32];
+} sgx_basename_t;
+
+
+typedef struct _quote_nonce
+{
+ uint8_t rand[16];
+} sgx_quote_nonce_t;
+
+typedef enum
+{
+ SGX_UNLINKABLE_SIGNATURE,
+ SGX_LINKABLE_SIGNATURE
+} sgx_quote_sign_type_t;
+
+typedef struct _quote_t
+{
+ uint16_t version; /* 0 */
+ uint16_t sign_type; /* 2 */
+ sgx_epid_group_id_t epid_group_id; /* 4 */
+ sgx_isv_svn_t qe_svn; /* 8 */
+ sgx_isv_svn_t pce_svn; /* 10 */
+ uint32_t xeid; /* 12 */
+ sgx_basename_t basename; /* 16 */
+ sgx_report_body_t report_body; /* 48 */
+ uint32_t signature_len; /* 432 */
+ uint8_t signature[]; /* 436 */
+} sgx_quote_t;
+
+#define SGX_PLATFORM_INFO_SIZE 101
+typedef struct _platform_info
+{
+ uint8_t platform_info[SGX_PLATFORM_INFO_SIZE];
+} sgx_platform_info_t;
+
+typedef struct _update_info_bit
+{
+ int ucodeUpdate;
+ int csmeFwUpdate;
+ int pswUpdate;
+} sgx_update_info_bit_t;
+
+typedef struct _att_key_id_t {
+ uint8_t att_key_id[256];
+}sgx_att_key_id_t;
+
+/** Describes a single attestation key. Contains both QE identity and the attestation algorithm ID. */
+typedef struct _sgx_ql_att_key_id_t {
+ uint16_t id; ///< Structure ID
+ uint16_t version; ///< Structure version
+ uint16_t mrsigner_length; ///< Number of valid bytes in MRSIGNER.
+ uint8_t mrsigner[48]; ///< SHA256 or SHA384 hash of the Public key that signed the QE.
+ ///< The lower bytes contain MRSIGNER. Bytes beyond mrsigner_length '0'
+ uint32_t prod_id; ///< Legacy Product ID of the QE
+ uint8_t extended_prod_id[16]; ///< Extended Product ID or the QE. All 0's for legacy format enclaves.
+ uint8_t config_id[64]; ///< Config ID of the QE.
+ uint8_t family_id[16]; ///< Family ID of the QE.
+ uint32_t algorithm_id; ///< Identity of the attestation key algorithm.
+}sgx_ql_att_key_id_t;
+
+/** Describes an extended attestation key. Contains sgx_ql_att_key_id_t, spid and quote_type */
+typedef struct _sgx_att_key_id_ext_t {
+ sgx_ql_att_key_id_t base;
+ uint8_t spid[16]; ///< Service Provider ID, should be 0s for ECDSA quote
+ uint16_t att_key_type; ///< For non-EPID quote, it should be 0
+ ///< For EPID quote, it equals to sgx_quote_sign_type_t
+ uint8_t reserved[80]; ///< It should have the same size of sgx_att_key_id_t
+}sgx_att_key_id_ext_t;
+
+typedef struct _qe_report_info_t {
+ sgx_quote_nonce_t nonce;
+ sgx_target_info_t app_enclave_target_info;
+ sgx_report_t qe_report;
+}sgx_qe_report_info_t;
+
+#pragma pack(pop)
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/sgx_dcap_quoteverify_stubs/sgx_quote_3.h b/sgx_dcap_quoteverify_stubs/sgx_quote_3.h
new file mode 100644
index 0000000000..9fc35aed0d
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_quote_3.h
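Review bot: `signature_len` in `sgx_quote_t` and `mrsigner_length` in `sgx_ql_att_key_id_t` (sgx_quote.h) are length fields carried inside the data they describe, and the header does not say they are unvalidated when the structure is overlaid on a received quote. kbs presumably handles quotes that originate outside its trust boundary, so I would document the expectation at the field, e.g. `/* 432: taken from the quote; check against the received buffer length before reading signature[] */`, and likewise note that `mrsigner_length` must not exceed the 48-byte `mrsigner` array. If the header has to stay byte-identical to Intel's copy, put the same wording where the quote buffer is first cast to `sgx_quote_t` instead.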
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * File: sgx_quote_3.h
+ * Description: Definition for quote structure.
+ *
+ * Quote structure and all relative structure will be defined in this file.
+ */ + +#ifndef _SGX_QUOTE_3_H_ +#define _SGX_QUOTE_3_H_ + +#include "sgx_quote.h" +#include "sgx_pce.h" + +#define REF_QUOTE_MAX_AUTHENTICATON_DATA_SIZE 64 +#define USE_PCEID + +/** Enumerates the different attestation key algorithms */ +typedef enum { + SGX_QL_ALG_EPID = 0, ///< EPID 2.0 - Anonymous + SGX_QL_ALG_RESERVED_1 = 1, ///< Reserved + SGX_QL_ALG_ECDSA_P256 = 2, ///< ECDSA-256-with-P-256 curve, Non - Anonymous + SGX_QL_ALG_ECDSA_P384 = 3, ///< ECDSA-384-with-P-384 curve (Note: currently not supported), Non-Anonymous + SGX_QL_ALG_MAX = 4 +} sgx_ql_attestation_algorithm_id_t; + +/** Enumerates the different certification data types used to describe the signer of the attestation key */ +typedef enum { + PPID_CLEARTEXT = 1, ///< Clear PPID + CPU_SVN, PvE_SVN, PCE_SVN, PCE_ID + PPID_RSA2048_ENCRYPTED = 2, ///< RSA-2048-OAEP Encrypted PPID + CPU_SVN, PvE_SVN, PCE_SVN, PCE_ID + PPID_RSA3072_ENCRYPTED = 3, ///< RSA-3072-OAEP Encrypted PPID + CPU_SVN, PvE_SVN, PCE_SVN, PCE_ID + PCK_CLEARTEXT = 4, ///< Clear PCK Leaf Cert + PCK_CERT_CHAIN = 5, ///< Full PCK Cert chain (PCK Leaf Cert|| Intermediate CA Cert || Root CA Cert) + ECDSA_SIG_AUX_DATA = 6, ///< Indicates the contents of the CERTIFICATION_INFO_DATA contains the ECDSA_SIG_AUX_DATA of another Quote. + QL_CERT_KEY_TYPE_MAX = 16, +} sgx_ql_cert_key_type_t; + +#pragma pack(push, 1) + +#ifndef USE_PCEID +/** TEMP!!! Structure for the Platform Certificate Enclave identity information. The first release of the reference + * does not contain the PCEID in the quote. 
*/ +typedef struct _sgx_pce_info_no_pce_id_t { + sgx_isv_svn_t pce_isv_svn; ///< PCE ISVSVN +}sgx_pce_info_no_pce_id_t; +#endif + +/** Describes the header that contains the list of attestation keys supported by a given verifier */ +typedef struct _sgx_ql_att_key_id_list_header_t { + uint16_t id; ///< Structure ID + uint16_t version; ///< Structure version + uint32_t num_att_ids; ///< Number of 'Attestation Key Identifier' Elements +}sgx_ql_att_key_id_list_header_t; + +/** This is the data structure of the CERTIFICATION_INFO_DATA in the Quote when the certification type is + * PPID_CLEARTTEXT. It identifies the PCK Cert required to verify the certification signature. */ +typedef struct _sgx_ql_ppid_cleartext_cert_info_t { + uint8_t ppid[16]; ///< PPID of this platform + sgx_cpu_svn_t cpu_svn; ///< The CPUSVN TCB used to generate the PCK signature. + #ifdef USE_PCEID + sgx_pce_info_t pce_info; ///< The PCE ISVSVN used to generate the PCK signature. + #else + sgx_pce_info_no_pce_id_t pce_info; + #endif +}sgx_ql_ppid_cleartext_cert_info_t; + +/** This is the data structure of the CERTIFICATION_INFO_DATA in the Quote when the certification type is + * PPID_RSA2048_ENCRYPTED. It identifies the PCK Cert required to verify the certification signature. */ +typedef struct _sgx_ql_ppid_rsa2048_encrypted_cert_info_t { + uint8_t enc_ppid[256]; ///< Encrypted PPID of this platform + sgx_cpu_svn_t cpu_svn; ///< The CPUSVN TCB used to generate the PCK signature. + #ifdef USE_PCEID + sgx_pce_info_t pce_info; ///< The PCE ISVSVN used to generate the PCK signature. + #else + sgx_pce_info_no_pce_id_t pce_info; + #endif +}sgx_ql_ppid_rsa2048_encrypted_cert_info_t; + +/** This is the data structure of the CERTIFICATION_INFO_DATA in the Quote when the certification type is + * PPID_RSA2072_ENCRYPTED. It identifies the PCK Cert required to verify the certification signature. 
*/ +typedef struct _sgx_ql_ppid_rsa3072_encrypted_cert_info_t { + uint8_t enc_ppid[384]; ///< Encrypted PPID of this platform + sgx_cpu_svn_t cpu_svn; ///< The CPUSVN TCB used to generate the PCK signature. + sgx_pce_info_t pce_info; ///< The PCE ISVSVN used to generate the PCK signature. +}sgx_ql_ppid_rsa3072_encrypted_cert_info_t; + +/** Structure to hold the size of the authentication data and the place holder for + the authentication data itself.*/ +typedef struct _sgx_ql_auth_data_t { + uint16_t size; ///< Size in bytes contained the auth_data buffer. +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning ( disable:4200 ) +#endif + uint8_t auth_data[]; ///< Additional data provided by Att key owner to be signed by the certification key +#ifdef _MSC_VER +#pragma warning(pop) +#endif +} sgx_ql_auth_data_t; + +/** Data that will be signed by the ECDSA described in the CERTIFICATION_* fields. + This will be SHA256 hashed along with the ECDSA PUBLIC KEY and put in + QE3_REPORT.ReportData. */ +typedef struct _sgx_ql_certification_data_t { + uint16_t cert_key_type; ///< The type of certification key used to sign the QE3 Report and Att key hash (ECDSA_ID+Authentication Data). + uint32_t size; ///< Size of the data structure for the cert_key_type information. +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning ( disable:4200 ) +#endif + uint8_t certification_data[]; ///< Certification data associated with the cert_key_type +#ifdef _MSC_VER +#pragma warning(pop) +#endif +} sgx_ql_certification_data_t; + +/** The SGX_QL_SGX_QL_ALG_ECDSA_P256 specific data structure. Appears in the signature_data[] of the sgx_quote3_t + * structure. */ +typedef struct _sgx_ql_ecdsa_sig_data_t { + uint8_t sig[32*2]; ///< Signature over the Quote using the ECDSA Att key. Big Endian. + uint8_t attest_pub_key[32*2]; ///< ECDSA Att Public Key. Hash in QE3Report.ReportData. Big Endian + sgx_report_body_t qe_report; ///< QE3 Report of the QE when the Att key was generated. 
The ReportData will contain the ECDSA_ID + uint8_t qe_report_sig[32*2]; ///< Signature of QE Report using the Certification Key (PCK for root signing). Big Endian +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning ( disable:4200 ) +#endif + uint8_t auth_certification_data[]; ///< Place holder for both the auth_data_t and certification_data_t. Concatenated in that order. +#ifdef _MSC_VER +#pragma warning(pop) +#endif +} sgx_ql_ecdsa_sig_data_t; + +/** The quote header. It is designed to compatible with earlier versions of the quote. */ +typedef struct _sgx_quote_header_t { + uint16_t version; ///< 0: The version this quote structure. + uint16_t att_key_type; ///< 2: sgx_attestation_algorithm_id_t. Describes the type of signature in the signature_data[] field. + uint32_t att_key_data_0; ///< 4: Optionally stores additional data associated with the att_key_type. + sgx_isv_svn_t qe_svn; ///< 8: The ISV_SVN of the Quoting Enclave when the quote was generated. + sgx_isv_svn_t pce_svn; ///< 10: The ISV_SVN of the PCE when the quote was generated. + uint8_t vendor_id[16]; ///< 12: Unique identifier of QE Vendor. + uint8_t user_data[20]; ///< 28: Custom attestation key owner data. +} sgx_quote_header_t; + +/** The generic quote data structure. This is the common part of the quote. The signature_data[] contains the signature and supporting + * information of the key used to sign the quote and the contents depend on the sgx_quote_sign_type_t value. */ +typedef struct _sgx_quote3_t { + sgx_quote_header_t header; ///< 0: The quote header. + sgx_report_body_t report_body; ///< 48: The REPORT of the app that is attesting remotely. + uint32_t signature_data_len; ///< 432: The length of the signature_data. Varies depending on the type of sign_type. +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning ( disable:4200 ) +#endif + uint8_t signature_data[]; ///< 436: Contains the variable length containing the quote signature and support data for the signature. 
+#ifdef _MSC_VER
+#pragma warning(pop)
+#endif
+} sgx_quote3_t;
+
+#pragma pack(pop)
+
+#endif //_SGX_QUOTE_3_H_
+
diff --git a/sgx_dcap_quoteverify_stubs/sgx_quote_4.h b/sgx_dcap_quoteverify_stubs/sgx_quote_4.h
new file mode 100644
index 0000000000..cbfbe007fe
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_quote_4.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * File: sgx_quote_4.h
+ * Description: Definition for quote structure.
+ *
+ * Quote structure and all relative structure will be defined in this file.
+ */ + +#ifndef _SGX_QUOTE_4_H_ +#define _SGX_QUOTE_4_H_ + +#include "sgx_quote_3.h" +#include "sgx_report2.h" +#include "sgx_quote.h" + + +#pragma pack(push, 1) + +#define TD_INFO_RESERVED_BYTES_V1 112 +typedef struct _tee_info_t /* 512 bytes */ +{ + tee_attributes_t attributes; /* ( 0) TD's attributes */ + tee_attributes_t xfam; /* ( 8) TD's XFAM */ + tee_measurement_t mr_td; /* ( 16) Measurement of the initial contents of the TD */ + tee_measurement_t mr_config_id; /* ( 64) Software defined ID for non-owner-defined configuration on the guest TD. e.g., runtime or OS configuration */ + tee_measurement_t mr_owner; /* (112) Software defined ID for the guest TD's owner */ + tee_measurement_t mr_owner_config; /* (160) Software defined ID for owner-defined configuration of the guest TD, e.g., specific to the workload rather than the runtime or OS */ + tee_measurement_t rt_mr[4]; /* (208) Array of 4(TDX1: NUM_RTMRS is 4) runtime extendable measurement registers */ + uint8_t reserved[TD_INFO_RESERVED_BYTES_V1]; /* (400) Reserved, must be zero */ +} tee_info_t; + + +#define TEE_TCB_SVN_SIZE 16 +typedef struct _tee_tcb_svn_t +{ + uint8_t tcb_svn[TEE_TCB_SVN_SIZE]; +} tee_tcb_svn_t; + +#define TD_TEE_TCB_INFO_RESERVED_BYTES_V1 111 +typedef struct _tee_tcb_info_t +{ + uint8_t valid[8]; /* ( 0) Indicates TEE_TCB_INFO fields which are valid + - 1 in the i-th significant bit reflects that the field starting at byte offset(8*i) + - 0 in the i-th significant bit reflects that either no field start by byte offset(8*i) or that + field is not populated and is set to zero. */ + tee_tcb_svn_t tee_tcb_svn; /* ( 8) TEE_TCB_SVN Array */ + tee_measurement_t mr_seam; /* ( 24) Measurement of the SEAM module */ + tee_measurement_t mr_seam_signer; /* ( 72) Measurement of SEAM module signer. 
(Not populated for Intel SEAM modules) */ + tee_attributes_t attributes; /* (120) Additional configuration attributes.(Not populated for Intel SEAM modules) */ + uint8_t reserved[TD_TEE_TCB_INFO_RESERVED_BYTES_V1];/* (128) Reserved, must be zero */ +} tee_tcb_info_t; + +/** The SGX_QL_SGX_QL_ALG_ECDSA_P256 specific data structure. Appears in the signature_data[] of the sgx_quote3_t + * structure. */ +typedef struct _sgx_qe_report_certification_data_t { + sgx_report_body_t qe_report; ///< QE Report of the QE when the Att key was generated. The ReportData will contain the ECDSA_ID + uint8_t qe_report_sig[32*2]; ///< Signature of QE Report using the Certification Key (PCK for root signing). Big Endian +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning ( disable:4200 ) +#endif + uint8_t auth_certification_data[]; ///< Place holder for both the auth_data_t and certification_data_t. Concatenated in that order. +#ifdef _MSC_VER +#pragma warning(pop) +#endif +} sgx_qe_report_certification_data_t; + +typedef struct _sgx_ecdsa_sig_data_v4_t { + uint8_t sig[32*2]; ///< Signature over the Quote using the ECDSA Att key. Big Endian. + uint8_t attest_pub_key[32*2]; ///< ECDSA Att Public Key. Hash in QE Report.ReportData. Big Endian +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning ( disable:4200 ) +#endif + uint8_t certification_data[]; ///< Certification data associated with the cert_key_type +#ifdef _MSC_VER +#pragma warning(pop) +#endif +} sgx_ecdsa_sig_data_v4_t; + +/** The quote header. It is designed to compatible with earlier versions of the quote. */ +typedef struct _sgx_quote4_header_t { + uint16_t version; ///< 0: The version this quote structure. + uint16_t att_key_type; ///< 2: sgx_attestation_algorithm_id_t. Describes the type of signature in the signature_data[] field. + uint32_t tee_type; ///< 4: Type of Trusted Execution Environment for which the Quote has been generated. 
+ /// Supported values: 0 (SGX), 0x81(TDX) + uint32_t reserved; ///< 8: Reserved field. + uint8_t vendor_id[16]; ///< 12: Unique identifier of QE Vendor. + uint8_t user_data[20]; ///< 28: Custom attestation key owner data. +} sgx_quote4_header_t; + +/** SGX Report2 body */ +typedef struct _sgx_report2_body_t { + tee_tcb_svn_t tee_tcb_svn; ///< 0: TEE_TCB_SVN Array + tee_measurement_t mr_seam; ///< 16: Measurement of the SEAM module + tee_measurement_t mrsigner_seam; ///< 64: Measurement of a 3rd party SEAM module’s signer (SHA384 hash). + /// The value is 0’ed for Intel SEAM module + tee_attributes_t seam_attributes; ///< 112: MBZ: TDX 1.0 + tee_attributes_t td_attributes; ///< 120: TD's attributes + tee_attributes_t xfam; ///< 128: TD's XFAM + tee_measurement_t mr_td; ///< 136: Measurement of the initial contents of the TD + tee_measurement_t mr_config_id; ///< 184: Software defined ID for non-owner-defined configuration on the guest TD. e.g., runtime or OS configuration + tee_measurement_t mr_owner; ///< 232: Software defined ID for the guest TD's owner + tee_measurement_t mr_owner_config; ///< 280: Software defined ID for owner-defined configuration of the guest TD, e.g., specific to the workload rather than the runtime or OS + tee_measurement_t rt_mr[4]; ///< 328: Array of 4(TDX1: NUM_RTMRS is 4) runtime extendable measurement registers + tee_report_data_t report_data; ///< 520: Additional report data +}sgx_report2_body_t; + +/** The generic TD quote data structure. This is the common part of the quote. The signature_data[] contains the signature and supporting + * information of the key used to sign the quote and the contents depend on the sgx_quote_sign_type_t value. */ +typedef struct _sgx_quote4_t { + sgx_quote4_header_t header; ///< 0: The quote header. + sgx_report2_body_t report_body; ///< 48: The REPORT of the TD that is attesting remotely. + uint32_t signature_data_len; ///< 632: The length of the signature_data. 
Varies depending on the type of sign_type. +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning ( disable:4200 ) +#endif + uint8_t signature_data[]; ///< 636: Contains the variable length containing the quote signature and support data for the signature. +#ifdef _MSC_VER +#pragma warning(pop) +#endif +} sgx_quote4_t; + +typedef sgx_att_key_id_ext_t tee_att_att_key_id_t; + +#pragma pack(pop) + +#endif //_SGX_QUOTE_4_H_ diff --git a/sgx_dcap_quoteverify_stubs/sgx_quote_5.h b/sgx_dcap_quoteverify_stubs/sgx_quote_5.h new file mode 100644 index 0000000000..673ddca348 --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_quote_5.h 
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * File: sgx_quote_5.h
+ * Description: Definition for quote structure.
+ *
+ * Quote structure and all relative structure will be defined in this file.
+ */ + +#ifndef _SGX_QUOTE_5_H_ +#define _SGX_QUOTE_5_H_ + +#include "sgx_quote_4.h" + + +#pragma pack(push, 1) + +#define QE_QUOTE_VERSION_V5 5 +#define TD_INFO_RESERVED_BYTES_V1_5 64 +typedef struct _tee_info_v1_5_t /* 512 bytes */ +{ + tee_attributes_t attributes; /* ( 0) TD's attributes */ + tee_attributes_t xfam; /* ( 8) TD's XFAM */ + tee_measurement_t mr_td; /* ( 16) Measurement of the initial contents of the TD */ + tee_measurement_t mr_config_id; /* ( 64) Software defined ID for non-owner-defined configuration on the guest TD. e.g., runtime or OS configuration */ + tee_measurement_t mr_owner; /* (112) Software defined ID for the guest TD's owner */ + tee_measurement_t mr_owner_config; /* (160) Software defined ID for owner-defined configuration of the guest TD, e.g., specific to the workload rather than the runtime or OS */ + tee_measurement_t rt_mr[4]; /* (208) Array of 4(TDX1: NUM_RTMRS is 4) runtime extendable measurement registers */ + tee_measurement_t mr_servicetd; /* (400) If is one or more bound or pre-bound service TDs, SERVTD_HASH is the SHA384 hash of the TDINFO_STRUCTs of those service TDs bound. + Else, SERVTD_HASH is 0. */ + uint8_t reserved[TD_INFO_RESERVED_BYTES_V1_5]; /* (448) Reserved, must be zero */ +} tee_info_v1_5_t; + + +#define TD_TEE_TCB_INFO_RESERVED_BYTES_V1_5 95 +typedef struct _tee_tcb_info_v1_5_t +{ + uint8_t valid[8]; /* ( 0) Indicates TEE_TCB_INFO fields which are valid */ + /* - 1 in the i-th significant bit reflects that the field starting at byte offset(8*i) */ + /* - 0 in the i-th significant bit reflects that either no field start by byte offset(8*i) or that */ + /* field is not populated and is set to zero. */ + /* the accepted value of a TDX 1.5 tee_tcb_info_v2 is 0x013ff. (Note: Set to 0x301FF if */ + /* SEAMDB_ENABLED == ‘1, otherwise set to 0x1FF. 
(SEAMDB_ENABLED is introduced for TDX1.4 TD Preserving)*/ + tee_tcb_svn_t tee_tcb_svn; /* ( 8) TEE_TCB_SVN Array */ + tee_measurement_t mr_seam; /* ( 24) Measurement of the SEAM module */ + tee_measurement_t mr_seam_signer; /* ( 72) Measurement of SEAM module signer. (Not populated for Intel SEAM modules) */ + tee_attributes_t attributes; /* (120) Additional configuration attributes.(Not populated for Intel SEAM modules) */ + tee_tcb_svn_t tee_tcb_svn2; /* (128) Array of TEE TCB SVNs (for TD preserving). */ + uint8_t reserved[TD_TEE_TCB_INFO_RESERVED_BYTES_V1_5];/* (144) Reserved, must be zero */ +} tee_tcb_info_v1_5_t; + +/** The quote header. It is designed to compatible with earlier versions of the quote. */ +typedef sgx_quote4_header_t sgx_quote5_header_t; + +/** SGX Report2 body for quote v5 */ +typedef struct _sgx_report2_body_v1_5_t { + tee_tcb_svn_t tee_tcb_svn; ///< 0: TEE_TCB_SVN Array + tee_measurement_t mr_seam; ///< 16: Measurement of the SEAM module + tee_measurement_t mrsigner_seam; ///< 64: Measurement of a 3rd party SEAM module’s signer (SHA384 hash). + /// The value is 0’ed for Intel SEAM module + tee_attributes_t seam_attributes; ///< 112: MBZ: TDX 1.0 + tee_attributes_t td_attributes; ///< 120: TD's attributes + tee_attributes_t xfam; ///< 128: TD's XFAM + tee_measurement_t mr_td; ///< 136: Measurement of the initial contents of the TD + tee_measurement_t mr_config_id; ///< 184: Software defined ID for non-owner-defined configuration on the guest TD. 
e.g., runtime or OS configuration + tee_measurement_t mr_owner; ///< 232: Software defined ID for the guest TD's owner + tee_measurement_t mr_owner_config; ///< 280: Software defined ID for owner-defined configuration of the guest TD, e.g., specific to the workload rather than the runtime or OS + tee_measurement_t rt_mr[4]; ///< 328: Array of 4(TDX1: NUM_RTMRS is 4) runtime extendable measurement registers + tee_report_data_t report_data; ///< 520: Additional report data + tee_tcb_svn_t tee_tcb_svn2; ///< 584: Array of TEE TCB SVNs (for TD preserving). + tee_measurement_t mr_servicetd; ///< 600: If is one or more bound or pre-bound service TDs, SERVTD_HASH is the SHA384 hash of the TDINFO_STRUCTs of those service TDs bound. + /// Else, SERVTD_HASH is 0.. +}sgx_report2_body_v1_5_t; + +/** The generic TD quote data structure. This is the common part of the quote. The signature_data[] contains the signature and supporting + * information of the key used to sign the quote and the contents depend on the sgx_quote_sign_type_t value. */ +typedef struct _sgx_quote5_t { + sgx_quote5_header_t header; ///< 0: The quote header. + uint16_t type; ///< 48: Determines type of Quote body (TEE report) + /// Architecturally supported values: + /// 1 (SGX Enclave Report) + /// 2 (TD Report for TDX 1.0) + /// 3 (TD Report for TDX 1.5) + uint32_t size; ///< 50: Size of Quote Body field. +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning(disable : 4200) +#endif + uint8_t body[]; ///< 54: Data conveyed as Quote Body. Its content depends on the value of Quote Body Type + /// 1 Byte array that contains SGX Enclave Report. + /// sgx_report_body_t + (uint32_t)signature_data_len + signature + /// 2 Byte array that contains TD Report for TDX 1.0. + /// sgx_report2_body_t + (uint32_t)signature_data_len + signature + /// 3 Byte array that contains TD Report for TDX 1.5. 
+ /// sgx_report2_body_v1_5_t + (uint32_t)signature_data_len + signature +#ifdef _MSC_VER +#pragma warning(pop) +#endif +} sgx_quote5_t; + +#pragma pack(pop) + +#endif //_SGX_QUOTE_5_H_ diff --git a/sgx_dcap_quoteverify_stubs/sgx_qve_header.h b/sgx_dcap_quoteverify_stubs/sgx_qve_header.h new file mode 100644 index 0000000000..76904153e8 --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_qve_header.h 
@@ -0,0 +1,159 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef _SGX_QVE_HEADER_H_ +#define _SGX_QVE_HEADER_H_ + +#include "sgx_key.h" +#include "time.h" + +#ifndef TEE_QV_MK_ERROR +#define TEE_QV_MK_ERROR(x) (0x0000A000|(x)) +#endif //TEE_QV_MK_ERROR +/** Contains the possible values of the quote verification result. 
*/ +typedef enum _sgx_ql_qv_result_t +{ + // Quote verification passed and is at the latest TCB level + SGX_QL_QV_RESULT_OK = 0x0000, TEE_QV_RESULT_OK = 0x0000, + + SGX_QL_QV_RESULT_MIN = TEE_QV_MK_ERROR(0x0001), TEE_QV_RESULT_MIN = TEE_QV_MK_ERROR(0x0001), + + // The Quote verification passed, but further actions are required: + SGX_QL_QV_RESULT_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0001), TEE_QV_RESULT_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0001), // Additional configuration of the platform needed + SGX_QL_QV_RESULT_OUT_OF_DATE = TEE_QV_MK_ERROR(0x0002), TEE_QV_RESULT_OUT_OF_DATE = TEE_QV_MK_ERROR(0x0002), // TCB level out of date, platform patching required + SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0003), TEE_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0003), // Both patching and additional configuration needed + + // Errors + SGX_QL_QV_RESULT_INVALID_SIGNATURE = TEE_QV_MK_ERROR(0x0004), TEE_QV_RESULT_INVALID_SIGNATURE = TEE_QV_MK_ERROR(0x0004), + SGX_QL_QV_RESULT_REVOKED = TEE_QV_MK_ERROR(0x0005), TEE_QV_RESULT_REVOKED = TEE_QV_MK_ERROR(0x0005), + SGX_QL_QV_RESULT_UNSPECIFIED = TEE_QV_MK_ERROR(0x0006), TEE_QV_RESULT_UNSPECIFIED = TEE_QV_MK_ERROR(0x0006), + + // Requires Software or Configuration Hardening + SGX_QL_QV_RESULT_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0007), TEE_QV_RESULT_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0007), // TCB level is up to date, but SGX SW Hardening is needed + SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0008), TEE_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0008), //TCB level is up to date, but both SW Hardening and additional configuration are needed + + // TDX specific results + SGX_QL_QV_RESULT_TD_RELAUNCH_ADVISED = TEE_QV_MK_ERROR(0x0009), TEE_QV_RESULT_TD_RELAUNCH_ADVISED = TEE_QV_MK_ERROR(0x0009), // All components in the TD’s TCB are latest, including the TD preserving loaded TDX, but the TD was launched + // and ran for some time with out-of-date TDX Module. 
Relaunching or re-provisioning your TD is advised + SGX_QL_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x000A), TEE_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x000A), // Same as above, relaunching or re-provisioning your TD is advised. In the meantime, + // additional configuration of the platform is needed + + // Maximum result value + SGX_QL_QV_RESULT_MAX = TEE_QV_MK_ERROR(0x00FF), TEE_QV_RESULT_MAX = TEE_QV_MK_ERROR(0x00FF), + +} sgx_ql_qv_result_t, tee_qv_result_t; + +typedef enum _pck_cert_flag_enum_t { + PCK_FLAG_FALSE = 0, + PCK_FLAG_TRUE, + PCK_FLAG_UNDEFINED +} pck_cert_flag_enum_t; + + +#define ROOT_KEY_ID_SIZE 48 +#define PLATFORM_INSTANCE_ID_SIZE 16 + +// Each Intel Advisory size is ~16 bytes +// Assume each TCB level has 20 advisoryIDs at the very most +#define MAX_SA_SIZE 20 +#define MAX_SA_NUMBER_PER_TCB 20 +#define MAX_SA_LIST_SIZE 320 + +// Nameless struct generates C4201 warning in MS compiler, but it is allowed in c++ 11 standard +// Should remove the pragma after Microsoft fixes this issue +#ifdef _MSC_VER +#pragma warning(push) +#pragma warning(disable : 4201) +#endif + +/** Contains data that will allow an alternative quote verification policy. */ +typedef struct _sgx_ql_qv_supplemental_t +{ + union { + uint32_t version; ///< 'version' is the backward compatible legacy representation + struct { + uint16_t major_version; ///< If this major version doesn't change, the size of the structure may change and new fields appended to the end but old minor version structure can still be 'cast' + ///< If this major version does change, then the structure has been modified in a way that makes the older definitions non-backwards compatible. i.e. You cannot 'cast' older definitions + uint16_t minor_version; ///< If this version changes, new fields have been appended to the end of the previous minor version definition of the structure + ///< Set to 1 to support SA_List. 
Set to 0 to support everything except the SA List + }; + }; + time_t earliest_issue_date; ///< Earliest issue date of all the collateral (UTC) + time_t latest_issue_date; ///< Latest issue date of all the collateral (UTC) + time_t earliest_expiration_date; ///< Earliest expiration date of all the collateral (UTC) + time_t tcb_level_date_tag; ///< The SGX TCB of the platform that generated the quote is not vulnerable + ///< to any Security Advisory with an SGX TCB impact released on or before this date. + ///< See Intel Security Center Advisories + uint32_t pck_crl_num; ///< CRL Num from PCK Cert CRL + uint32_t root_ca_crl_num; ///< CRL Num from Root CA CRL + uint32_t tcb_eval_ref_num; ///< Lower number of the TCBInfo and QEIdentity + uint8_t root_key_id[ROOT_KEY_ID_SIZE]; ///< ID of the collateral's root signer (hash of Root CA's public key SHA-384) + sgx_key_128bit_t pck_ppid; ///< PPID from remote platform. Can be used for platform ownership checks + sgx_cpu_svn_t tcb_cpusvn; ///< CPUSVN of the remote platform's PCK Cert + sgx_isv_svn_t tcb_pce_isvsvn; ///< PCE_ISVNSVN of the remote platform's PCK Cert + uint16_t pce_id; ///< PCE_ID of the remote platform + uint32_t tee_type; ///< 0x00000000: SGX or 0x00000081: TDX + uint8_t sgx_type; ///< Indicate the type of memory protection available on the platform, it should be one of + ///< Standard (0), Scalable (1) and Scalable with Integrity (2) + + // Multi-Package PCK cert related flags, they are only relevant to PCK Certificates issued by PCK Platform CA + uint8_t platform_instance_id[PLATFORM_INSTANCE_ID_SIZE]; ///< Value of Platform Instance ID, 16 bytes + pck_cert_flag_enum_t dynamic_platform; ///< Indicate whether a platform can be extended with additional packages - via Package Add calls to SGX Registration Backend + pck_cert_flag_enum_t cached_keys; ///< Indicate whether platform root keys are cached by SGX Registration Backend + pck_cert_flag_enum_t smt_enabled; ///< Indicate whether a plat form has SMT 
(simultaneous multithreading) enabled + + char sa_list[MAX_SA_LIST_SIZE]; ///< String of comma separated list of Security Advisory IDs + time_t qe_iden_earliest_issue_date; ///< Earliest issue date of QEIdentity (UTC) + time_t qe_iden_latest_issue_date; ///< Latest issue date of QEIdentity (UTC) + time_t qe_iden_earliest_expiration_date; ///< Earliest expiration date of QEIdentity (UTC) + time_t qe_iden_tcb_level_date_tag; ///< The SGX TCB of the platform that generated the quote is not vulnerable + uint32_t qe_iden_tcb_eval_ref_num; ///< Lower number of the QEIdentity + sgx_ql_qv_result_t qe_iden_status; /// QEIdentity status +} sgx_ql_qv_supplemental_t; + +#ifdef _MSC_VER +#pragma warning(pop) +#endif + +/** Descriptor of the supplemental data requestor structure. Used when requesting supplemental data from the DCAP quote verification API */ +typedef struct _tee_supp_data_descriptor_t +{ + uint16_t major_version; ///< Input. Major version of supplemental data + ///< If == 0, then return latest version of the sgx_ql_qv_supplemental_t structure + ///< If <= latest supported, return the latest minor version associated with that major version + ///< > latest supported, return an error (SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED) + + uint32_t data_size; ///< Input. Supplemental data size of `p_data`, which returned by API `tee_get_supplemental_data_version_and_size()` + uint8_t *p_data; ///< Output. Pointer to supplemental data +}tee_supp_data_descriptor_t; + + +#endif //_QVE_HEADER_H_ diff --git a/sgx_dcap_quoteverify_stubs/sgx_report.h b/sgx_dcap_quoteverify_stubs/sgx_report.h new file mode 100644 index 0000000000..eb2745a24b --- /dev/null +++ b/sgx_dcap_quoteverify_stubs/sgx_report.h 
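Review bot: `sgx_ql_qv_supplemental_t` is declared outside any `#pragma pack` region and carries `time_t` fields and a versioned union, so its size and offsets are fixed by this copy of the header at build time, while the commit description says the real DCAP library is only installed into the container at deployment. If that library comes from a different DCAP release than these headers, a buffer sized with `sizeof(sgx_ql_qv_supplemental_t)` may not match what the verifier writes into `p_data`; the calling code is outside this hunk, so this is inferred rather than shown. I would record the provenance at the top of the file, e.g. `/* Copied unmodified from Intel DCAP <release tag>; must match the DCAP library installed at runtime. */`, and note next to `tee_supp_data_descriptor_t` that callers should compare the size reported by `tee_get_supplemental_data_version_and_size()` with the compiled-in `sizeof` and fail closed on a mismatch. The same provenance comment would help on the other headers added under `sgx_dcap_quoteverify_stubs/`. Separately, the closing `#endif //_QVE_HEADER_H_` names a guard other than the `_SGX_QVE_HEADER_H_` the file defines.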
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+
+/*
+ * This file is to define Enclave's Report
+*/
+
+#ifndef _SGX_REPORT_H_
+#define _SGX_REPORT_H_
+
+#include "sgx_attributes.h"
+#include "sgx_key.h"
+
+#define SGX_HASH_SIZE 32 /* SHA256 */
+#define SGX_MAC_SIZE 16 /* Message Authentication Code - 16 bytes */
+
+#define SGX_REPORT_DATA_SIZE 64
+
+#define SGX_ISVEXT_PROD_ID_SIZE 16
+#define SGX_ISV_FAMILY_ID_SIZE 16
+
+typedef struct _sgx_measurement_t
+{
+ uint8_t m[SGX_HASH_SIZE];
+} sgx_measurement_t;
+
+typedef uint8_t sgx_mac_t[SGX_MAC_SIZE];
+
+typedef struct _sgx_report_data_t
+{
+ uint8_t d[SGX_REPORT_DATA_SIZE];
+} sgx_report_data_t;
+
+typedef uint16_t sgx_prod_id_t;
+
+typedef uint8_t sgx_isvext_prod_id_t[SGX_ISVEXT_PROD_ID_SIZE];
+typedef uint8_t sgx_isvfamily_id_t[SGX_ISV_FAMILY_ID_SIZE];
+
+#define SGX_TARGET_INFO_RESERVED1_BYTES 2
+#define SGX_TARGET_INFO_RESERVED2_BYTES 8
+#define SGX_TARGET_INFO_RESERVED3_BYTES 384
+
+
+typedef struct _target_info_t
+{
+ sgx_measurement_t mr_enclave; /* ( 0) The MRENCLAVE of the target enclave */
+ sgx_attributes_t attributes; /* ( 32) The ATTRIBUTES field of the target enclave */
+ uint8_t reserved1[SGX_TARGET_INFO_RESERVED1_BYTES]; /* ( 48) Reserved */
+ sgx_config_svn_t config_svn; /* ( 50) CONFIGSVN field */
+ sgx_misc_select_t misc_select; /* ( 52) The MISCSELECT of the target enclave */
+ uint8_t reserved2[SGX_TARGET_INFO_RESERVED2_BYTES]; /* ( 56) Reserved */
+ sgx_config_id_t config_id; /* ( 64) CONFIGID */
+ uint8_t reserved3[SGX_TARGET_INFO_RESERVED3_BYTES]; /* (128) Struct size is 512 bytes */
+} sgx_target_info_t;
+
+
+#define SGX_REPORT_BODY_RESERVED1_BYTES 12
+#define SGX_REPORT_BODY_RESERVED2_BYTES 32
+#define SGX_REPORT_BODY_RESERVED3_BYTES 32
+#define SGX_REPORT_BODY_RESERVED4_BYTES 42
+
+
+typedef struct _report_body_t
+{
+ sgx_cpu_svn_t cpu_svn; /* ( 0) Security Version of the CPU */
+ sgx_misc_select_t misc_select; /* ( 16) Which fields defined in SSA.MISC */
+ uint8_t reserved1[SGX_REPORT_BODY_RESERVED1_BYTES]; /* ( 20) */
+ sgx_isvext_prod_id_t isv_ext_prod_id;/* ( 32) ISV assigned Extended Product ID */
+ sgx_attributes_t attributes; /* ( 48) Any special Capabilities the Enclave possess */
+ sgx_measurement_t mr_enclave; /* ( 64) The value of the enclave's ENCLAVE measurement */
+ uint8_t reserved2[SGX_REPORT_BODY_RESERVED2_BYTES]; /* ( 96) */
+ sgx_measurement_t mr_signer; /* (128) The value of the enclave's SIGNER measurement */
+ uint8_t reserved3[SGX_REPORT_BODY_RESERVED3_BYTES]; /* (160) */
+ sgx_config_id_t config_id; /* (192) CONFIGID */
+ sgx_prod_id_t isv_prod_id; /* (256) Product ID of the Enclave */
+ sgx_isv_svn_t isv_svn; /* (258) Security Version of the Enclave */
+ sgx_config_svn_t config_svn; /* (260) CONFIGSVN */
+ uint8_t reserved4[SGX_REPORT_BODY_RESERVED4_BYTES]; /* (262) */
+ sgx_isvfamily_id_t isv_family_id; /* (304) ISV assigned Family ID */
+ sgx_report_data_t report_data; /* (320) Data provided by the user */
+} sgx_report_body_t;
+
+typedef struct _report_t /* 432 bytes */
+{
+ sgx_report_body_t body;
+ sgx_key_id_t key_id; /* (384) KeyID used for diversifying the key tree */
+ sgx_mac_t mac; /* (416) The Message Authentication Code over this structure. */
+} sgx_report_t;
+
+#endif
diff --git a/sgx_dcap_quoteverify_stubs/sgx_report2.h b/sgx_dcap_quoteverify_stubs/sgx_report2.h
new file mode 100644
index 0000000000..355bee8a99
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_report2.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/*
+ * This file is to define Report Type2
+ */
+
+#ifndef _SGX_REPORT2_H_
+#define _SGX_REPORT2_H_
+
+#include
+
+#define TEE_HASH_384_SIZE 48 /* SHA384 */
+#define TEE_MAC_SIZE 32 /* Message SHA 256 HASH Code - 32 bytes */
+
+#define SGX_REPORT2_DATA_SIZE 64
+#define TEE_CPU_SVN_SIZE 16
+
+#pragma pack(push, 1)
+
+typedef uint8_t tee_mac_t[TEE_MAC_SIZE];
+
+typedef struct _tee_cpu_svn_t {
+ uint8_t svn[TEE_CPU_SVN_SIZE];
+} tee_cpu_svn_t;
+
+typedef struct _tee_measurement_t {
+ uint8_t m[TEE_HASH_384_SIZE];
+} tee_measurement_t;
+
+typedef struct _tee_report_data_t {
+ uint8_t d[SGX_REPORT2_DATA_SIZE];
+} tee_report_data_t;
+
+typedef struct _tee_attributes_t
+{
+ uint32_t a[2];
+} tee_attributes_t;
+
+#define SGX_LEGACY_REPORT_TYPE 0x0 /* SGX Legacy Report Type */
+#define TEE_REPORT2_TYPE 0x81 /* TEE Report Type2 */
+#define TEE_REPORT2_SUBTYPE 0x0 /* SUBTYPE for Report Type2 is 0 */
+#define TEE_REPORT2_VERSION 0x0 /* VERSION for Report Type2 is 0 */
+#define TEE_REPORT2_VERSION_SERVICETD 0x1 /* VERSION for Report Type2 which mr_servicetd is used */
+
+typedef struct _tee_report_type_t {
+ uint8_t type; /* Trusted Execution Environment(TEE) type:
+ 0x00: SGX Legacy REPORT TYPE
+ 0x7F-0x01: Reserved
+ 0x80: Reserved
+ 0x81: TEE Report type 2
+ 0xFF-0x82: Reserved
+ */
+ uint8_t subtype; /* TYPE-specific subtype, Stage1: value is 0 */
+ uint8_t version; /* TYPE-specific version, Stage1: value is 0 */
+ uint8_t reserved; /* Reserved, must be zero */
+} tee_report_type_t;
+
+#define SGX_REPORT2_MAC_STRUCT_RESERVED1_BYTES 12
+#define SGX_REPORT2_MAC_STRUCT_RESERVED2_BYTES 32
+typedef struct _sgx_report2_mac_struct_t /* 256 bytes */
+{
+ tee_report_type_t report_type; /* ( 0) TEE Report type.*/
+ uint8_t reserved1[SGX_REPORT2_MAC_STRUCT_RESERVED1_BYTES]; /* ( 4) Reserved, must be zero */
+ tee_cpu_svn_t cpu_svn; /* ( 16) Security Version of the CPU */
+ tee_measurement_t tee_tcb_info_hash; /* ( 32) SHA384 of TEE_TCB_INFO for TEEs */
+ tee_measurement_t tee_info_hash; /* ( 80) SHA384 of TEE_INFO */
+ tee_report_data_t report_data; /* (128) Data provided by the user */
+ uint8_t reserved2[SGX_REPORT2_MAC_STRUCT_RESERVED2_BYTES]; /* (192) Reserved, must be zero */
+ tee_mac_t mac; /* (224) The Message Authentication Code over this structure */
+} sgx_report2_mac_struct_t;
+
+#define TEE_TCB_INFO_SIZE 239
+#define SGX_REPORT2_RESERVED_BYTES 17
+#define TEE_INFO_SIZE 512
+typedef struct _sgx_report2_t /* 1024 bytes */
+{
+ sgx_report2_mac_struct_t report_mac_struct; /* ( 0) Report mac struct for SGX report type 2 */
+ uint8_t tee_tcb_info[TEE_TCB_INFO_SIZE]; /* (256) Struct contains details about extra TCB elements not found in CPUSVN */
+ uint8_t reserved[SGX_REPORT2_RESERVED_BYTES]; /* (495) Reserved, must be zero */
+ uint8_t tee_info[TEE_INFO_SIZE]; /* (512) Struct contains the TEE Info */
+} sgx_report2_t;
+#pragma pack(pop)
+
+#endif
diff --git a/sgx_dcap_quoteverify_stubs/sgx_urts.h b/sgx_dcap_quoteverify_stubs/sgx_urts.h
new file mode 100644
index 0000000000..691efbc937
--- /dev/null
+++ b/sgx_dcap_quoteverify_stubs/sgx_urts.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+
+#ifndef _SGX_URTS_H_
+#define _SGX_URTS_H_
+
+#include "sgx_attributes.h"
+#include "sgx_error.h"
+#include "sgx_eid.h"
+#include "sgx_defs.h"
+#include "sgx_key.h"
+#include "sgx_report.h"
+
+#include
+
+
+#define MAX_EX_FEATURES_COUNT 32
+
+#define SGX_CREATE_ENCLAVE_EX_PCL_BIT_IDX 0
+#define SGX_CREATE_ENCLAVE_EX_PCL (1 << SGX_CREATE_ENCLAVE_EX_PCL_BIT_IDX) // Reserve Bit 0 for the protected code loader
+#define SGX_CREATE_ENCLAVE_EX_SWITCHLESS_BIT_IDX 1
+#define SGX_CREATE_ENCLAVE_EX_SWITCHLESS (1 << SGX_CREATE_ENCLAVE_EX_SWITCHLESS_BIT_IDX) // Reserve Bit 1 for Switchless Runtime System
+
+
+#define SGX_CREATE_ENCLAVE_EX_KSS_BIT_IDX 2U
+#define SGX_CREATE_ENCLAVE_EX_KSS (1U << SGX_CREATE_ENCLAVE_EX_KSS_BIT_IDX) // Bit 2 for Key Separation & Sharing
+
+#pragma pack(push, 1)
+
+/* Structure for KSS feature */
+typedef struct _sgx_kss_config_t
+{
+ sgx_config_id_t config_id;
+ sgx_config_svn_t config_svn;
+} sgx_kss_config_t;
+
+#pragma pack(pop)
+
+
+//update the following when adding new extended feature
+#define _SGX_LAST_EX_FEATURE_IDX_ SGX_CREATE_ENCLAVE_EX_KSS_BIT_IDX
+
+#define _SGX_EX_FEATURES_MASK_ (((uint32_t)-1) >> (MAX_EX_FEATURES_COUNT - 1 - _SGX_LAST_EX_FEATURE_IDX_))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef uint8_t sgx_launch_token_t[1024];
+
+/* Convenient macro to be passed to sgx_create_enclave(). */
+#if !defined(NDEBUG) || defined(EDEBUG)
+#define SGX_DEBUG_FLAG 1
+#else
+#define SGX_DEBUG_FLAG 0
+#endif
+
+sgx_status_t SGXAPI sgx_create_enclave(const char *file_name,
+ const int debug,
+ sgx_launch_token_t *launch_token,
+ int *launch_token_updated,
+ sgx_enclave_id_t *enclave_id,
+ sgx_misc_attribute_t *misc_attr);
+
+
+
+sgx_status_t SGXAPI sgx_create_enclave_ex(const char * file_name,
+ const int debug,
+ sgx_launch_token_t * launch_token,
+ int * launch_token_updated,
+ sgx_enclave_id_t * enclave_id,
+ sgx_misc_attribute_t * misc_attr,
+ const uint32_t ex_features,
+ const void* ex_features_p[32]);
+
+
+sgx_status_t SGXAPI sgx_create_enclave_from_buffer_ex(
+ uint8_t *buffer,
+ size_t buffer_size,
+ const int debug,
+ sgx_enclave_id_t * enclave_id,
+ sgx_misc_attribute_t * misc_attr,
+ const uint32_t ex_features,
+ const void* ex_features_p[32]);
+
+
+
+
+
+sgx_status_t SGXAPI sgx_create_encrypted_enclave(
+ const char *file_name,
+ const int debug,
+ sgx_launch_token_t *launch_token,
+ int *launch_token_updated,
+ sgx_enclave_id_t *enclave_id,
+ sgx_misc_attribute_t *misc_attr,
+ uint8_t* sealed_key);
+
+sgx_status_t SGXAPI sgx_destroy_enclave(const sgx_enclave_id_t enclave_id);
+
+sgx_status_t SGXAPI sgx_get_target_info(
+ const sgx_enclave_id_t enclave_id,
+ sgx_target_info_t* target_info);
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif
From 7cba9bd708ac4547273e51a9392becd25ee6ffac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 23 Jul 2024 17:27:26 +0200
Subject: [PATCH 002/298] docker: Remove Dockerfile.fidencio
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This was present in order to show folks how to build the stubs, but it's not needed for any part of Red Hat's internal processes.
Signed-off-by: Fabiano Fidêncio
---
kbs/docker/Dockerfile.fidencio | 30 ------------------------------
1 file changed, 30 deletions(-)
delete mode 100644 kbs/docker/Dockerfile.fidencio
diff --git a/kbs/docker/Dockerfile.fidencio b/kbs/docker/Dockerfile.fidencio
deleted file mode 100644
index fc050728d9..0000000000
--- a/kbs/docker/Dockerfile.fidencio
+++ /dev/null
@@ -1,30 +0,0 @@
-# Use CentOS Stream to build.
-FROM quay.io/centos/centos:stream9 as builder
-
-# Install build dependencies from CentOS repos.
-RUN dnf -y --setopt=install_weak_deps=0 --enablerepo=crb install \
-cargo pkg-config perl-FindBin openssl-devel perl-lib perl-IPC-Cmd perl-File-Compare perl-File-Copy tpm2-tss-devel clang-devel protobuf-compiler \
-tar gzip meson
-
-WORKDIR /usr/src/kbs
-COPY . .
-
-# Build sgx_dcap_quoteverify stub
-RUN \
-pushd sgx_dcap_quoteverify_stubs && \
-meson setup build --prefix=/usr && \
-meson compile -C build && \
-meson install -C build
-
-# Build KBS
-ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa
-RUN \
-cargo install --locked --root /usr/local/ --path kbs/src/kbs --no-default-features --features ${KBS_FEATURES} && \
-# Collect linked files necessary for the binary to run.
-mkdir -p /root/trustee/lib64 && \
-ldd /usr/local/bin/kbs | sed 's@.*\s/@/@' | sed 's/\s.*//' | xargs -I {} cp {} /root/trustee/lib64
-
-# Package UBI image.
-FROM registry.access.redhat.com/ubi9
-
-COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
From d8640d074006b304825d2ff7aa916269f78087b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 23 Jul 2024 17:41:09 +0200
Subject: [PATCH 003/298] intel: Add the RPMs needed during runtime
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's add the RPMs needed during runtime, only the RPMs needed during runtime, and make sure those are installed in the image.
Signed-off-by: Fabiano Fidêncio
---
...ap-default-qpl-1.21.100.3-1.el9.x86_64.rpm | Bin 0 -> 1707719 bytes
...p-quote-verify-1.21.100.3-1.el9.x86_64.rpm | Bin 0 -> 1565679 bytes
2 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 sgx_dcap_quoteverify_stubs/libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm
create mode 100644 sgx_dcap_quoteverify_stubs/libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm
diff --git a/sgx_dcap_quoteverify_stubs/libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm b/sgx_dcap_quoteverify_stubs/libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm new file mode 100644 index 0000000000000000000000000000000000000000..c4e05be5b83116d10e7d294dca7c1af87d21a275 GIT binary patch literal 1707719 zcmeFXcUV-*vIjckoKd2ZGeepg7*NSsCFeX$Am^M#K{A3!4oU_AL4pL4ELoJCB`6sI z6%a)9t=XG>&OZ0veeQYhd*P3_`J`GZkN zggY38#vpv0y}=&t&R}s732_l|F)@*rv@6P05~B)*aYa}&;T5Z1%AhPn*hfL$oT^A0vxChat8>gkGBtSto#l@Kz+Oe zfMewmfS6qx4n?97(kK)LA|WL%27#iXlF~>xTmmH_jgdgZ#l^*?A<}RN2nmz4MImgZ z#Gx3JBw8Gf6qAODp)qKf6bcPTAmJ!+1YBB5N?cr0Od2XJjg*8VrI83Y8Y%@rNr^$l zfCfQK=c3-G0|%voImAJ|^MPJZ>jOZjj7qHN@AP*B{*J)k5%@a-e@Ec&2>cy^za#K> z1pbb|-x2sb0)I!~?+E<=J_5g;iTwKYD+!1MaHatQ{psA~ItWA?02Ijq1e|NoIshE2 zg93;cAZ)^(dtlE=u;(VY7kKLeGhg8C3(RwYvF9ix00~{-PZ!wb0`CDFd#+M*fwAW- zSo_#B9Bg}^0gjbp+r{EzfMexYyI6bzaIAeS$KoFV2jn=E7x?@FYhK`=7g*^;s}B%1J~#^(nEZE)yK#ZB=T3k=-XHo@ zzsvFd(5L<#f;Ar$Qb|*w1-~?aNryapYeA&!7YFTF~?{6 zT~4rkfwBDp=#%~-=LaxgpEL*HK)mqb00-=oV(nou_T&w#UwMILE^xyIRs}e=e%}RF z12|Bh45;&4Jk&2R^a5)D9FUROTwrXRvHH#c$NFyyaIE~!1-1YPHX;}qW(;DA3A_5jEFkNO=`V&jj+=nK4ifiV{tJFc*DtRFyq%EJrn4RD}+ zDsq5h+xNM^*f?RaFTeqRsIcu|{rCG_PW|XY?tg(hE-?0)0_;&^+m`~efdB{mrs)Sb z(D!sHzsqT601o&=*9&mK9~$iVz~YYp2il{--Y*uf0UWSL%YA{jewWkoW3dwGFV0s% z|2$s>ve@%g4OefpGryhyyS^L7+YjN1W>@n;c%s-<{JqhxUJh=qUhK-hpU<-E`nY+c z*>ybKd>v3|Pxf05ww?&jfd3mTfG}6-6_wDg-rD+LeQ!@R!UZf1R=lYMR`hXj2ATrj zG`bDeP%;6FiHmsIi#T9i7D2iJQwJ*fiK4zT;0h9O77bEH`=XuQ++6@uqQAT6fc65} zdwaWk$%u;DIe6Rq*kUV+{$@f{U(G}r;f=tyjP_LU_C|YoBfNoI*70<3aqxEV1?oCG zxcc~m{Na+;lGu?9qGQKiFA{c+#3mR(Y#@<{B!CNmU|)d#B;pP)Quw6sDgPIi@_&T` z*YHo_MOgL!p0M{1kkbD^f0X}&L!oFm3@QylO2fq^pth1|F|-&GDh?BaLXoy&KoQCo zEeS(HF$ggPS_(*#7$^)T357##F_M7(Me9&Fa2yST0#cMTS`rS2Ny0HwVsIoH21iIk zq~PKRm^fMtf`Z$Mp%4fZR9XxLM~gub7;(Tl8U;K~;%GQh+*S%D2}L8&NHL6*l!O=* z36l_$mP9~o;nHFdDGWjqAr2LjLcyfOQ4(kv0wFC9N24VX5(sfPNKD)oj)KF1gKk?W z1R@QA!!SsgEd~ZfK;gF1QZNJrA_hYtq@^)vDHv4TR!mw<3@(Pih+*JjNR0Gv{UIVE 
z`j4NFm!~K&?j@nvEAVx}`r^ZawFlDG+1k$&;qH$16!CHs0lqLmfR7At5eNwMkJ>=y zUkqSBO;~$ihrBy5;{QuEpn-oYzj*%sBM*M>5a5}{z5@O${kO4#>*?m^4f=oW@_Quz z_wO_!UYW+JsedDs5czjiCH|cd@^8#SME;$-5Q%?R_21h4cV_>c>|bJFheTR? z{WeGZOT_&pN-2I};Ni3jY$;zfcho7yl0o{g*-fm$v@W@jp2w zA`bsgT9o*gKK!c|CH^DtCH|9OiTqOum|%hDm|w}w#oZI_<%LG6Iyj@X5H4sh0nmjE zTcYe>2P|d&S*C*saCSrdrtGDT@I~u*qA?Es|EO{y*6=a|?gl9Jc1H25X&G9pE9k2W z{AtDbzkZSb?PUcFauFz490V1S6cPK4W3Mm~C=g#D1C)zP0&ig8)e8byVMIHCMHssQ zu;c@Q*)?2&RTsjUT@USyMgYsX{|ie(c5x|jhy+whLK?eJ2NE!K{+}XTKp*=T1z>Ic z+y4uIHTZAe_knl7Z~IH^z7MAg2x(i4xHty*i-9dvTv}Wj00^k01V#)c29!x*U=WN1 z^e^7We^LC;Mb_`{_rHGKUc9gWTH&9jl(cnBHMG<~qG)fVDCmzB+n;j(2*CeXh7$W9 zi_!3Z76Z%2-|c$Y1G^znlpFG5Ir-lfL82hAwgfvEgyLp1Wygl7q z0iXX@I|x@-H(LkS-^{RsT_mBv1>uRbzw!He3+xNH>Ei9O5xnj5N|2AQtFKqgQWAlH^8Q8Kvo<(dPJ1<~4_IU&;=qqVxuzREZy+J4k zpjUy20egIvTdM4mP%yAMWxu7b$o|_HLb3lo9E90_kB2b3FWM8kwPqJ*=hrvYHxdwL zM+LYdTpW571SB7y-hz%LEX%-Ae#5 z1N2AxBtZT@_2Iv@f2B6%=ot%dNd+-84DE3<{h;VQpb-r4iCF zC|nFBDF%^{M4}`mAsBH z)7qQVpUMsvKHr&^j2F*t7->6Z-&((Y?ANY>nD&ilL&l~JB*#V{wC-EPK4s;gIDND9 zvvSNgSaNNr>S23@V__P#vr)#doki~cR%YSHD7z7+=Hv0iQP{Tu-BT$(OVRV8)(xi= zK3K}PgNeocEV+bF6RF=Tr;Y+38g|F4T6aU_j%A0~y1&*fm3aZ=tR+UxKew5y5bR$6Vm22_ibIUZx znO+gK(e~7AnCvia`{dS3$Gq=bJDHD6x2B9TcQ_im5RDSYuzfYp>B`~u;s*bgU%hN8 z`(e`WYZ63Vo6kcMEW$$94ymjUtlx{b{nX<3%b7OvOl%DDKU00h*YN1k(~}LiwzkQ} zZ(f>xn($J3p|qAJS7{+*zn__Np$2ja=E#gxx_JXZ^`M|`t*hR(r*VN=`yUevkL)yy zHy*4N<>#kOo$qMQ9KQN!%Q-D;tq2j-T>Vdm1) zmr6b=B=W>1)24Cq@Nl?|6~&b5?ZL0g6F0||V)jw7^Pvxen6s^9VBboilM4nFxtHP^ z&Zoxf%1u1abX}glQM)8OLKLm`#aZwf-_f-N%03r80z>Fp9Ue!~5lO?5mxF+DLwTiK znq$<@UbB_p&eK}6d>w18d53GSQ-Yo#ujhLcP3>&+p??X=}O$ z-#DGN)>G+oEi1<@mC^4{#RINPernWij6$Zl+0|biTw@9|_B}$HzHAE8I1e>7o{-f& zx0RWF`wVtJ|6!T^=ggt4o$aqiZ~bGPM4gW|Se6RYE>9cSRvc;PymAX2e=A_QB={-| zUHK9|JrhDQFL7$t<}z?Fnq1<*Uc{|D;Yf0YgaR!+CgH3wxZ^vhtFEeCC8TLwYY<}) z-Nf%^NqpnY~@BdxtHn4ZeI}+rf)r#IwG;xR=Dr^ zX8*$vtGpknr`W6;O9Z>3ciVJtF?|>fR+T z;R0^*W2Iu;+m$zI65{9cJMfTq9{Q`x7{HV6szbE25cbXwpA;nNqJ}G-Xzx->83^*N 
z&Mc@>6s3+N(11~ao6b4j;cAZ2*Vzm2iTspDi+NcZvU}hzJS5a-($v|AVS#l~FwXov=7Q zK8GxygzJ53P!}f`^>Z~AZgp<7WKvfgt;L-?;W2Ur)HZRM!o#3$5F_;rhh#LN+Awbq zLr0ENUrpiao&Yg;{OE84%^3g?Jg#>$}_}9ymmE-m#A38pv?I(z!yjK>kY#e!T`A zk7h=ugHx;(m;J(HDWYF6BE}B?$r6LM_F$W3UHmzfGzh)#LbZPKC2RLw z=A@;!YFk#|dVeOf7wfgS#=`q}C#S@GKHaP!x3+smD*QB8&yqQsV;8?3{G$F3BnFM52o zHeT;vX_8|#_3TaX7|Gr{J6^9^ah?u&Jauv_i+sy!nw`SlqtdfOE|tKFUDp_$OL27xKB1zLFoKBHvU~J| zS_9NsOf(O92fV*3a#T$8NgO4wjKguCx*$OrND5|2^fJ5p=0@yS z5^)qKKj}X$skU8Tl9rLh#f*rE<#Zm`e#^1a^WDSAvUhEBJL2q0#!dqUG}>+D(FT)7Ie>Q374^%kzIH#n+Tj&^Ty%eK< z&mZ#Y7`T=O+C!VC)y859Q@S|)nrj*@_g^u}PX3kc z+2>2IwtADbe=+_Z)x%|h;ecxzZI>AnOJ&`@Q!Sq+L*H8Qc2WczTUA~)zXhRg>ZuM_ z*^Ef_mG8a#3jdNwWqy>SL`(n;%8!C?^!07I zwRL&n_fy`MWE=+<2Ma0$JK!!Vk{PBSW?!*Uy$Vk7(pamW{iT8<+81?4p5^g1ra(o` z&!?+?w+hw?S683)=X|1iZ4}hsFXgci^>OPfTX?;elm8VZ)$?UoQGNB1emsBl#$7y$ z+%$Vv!z8&>o!qEc+^cr$D>8uzSy644g4y!tzrH!si5 zkf4_%oXX?Zedo|?v*hNttC9=eNj?oO(KXUhbmX_O;|gXMTB;6e*ZVGX^vNx>6XUy2I5^tem;; zM9@zNB&`x2gko^o`M2qh-!2+fE~m@*`O}=}jySB`-m^cQnG~L{6rN|HOI)Abd}nR8 z-fp})X%ZK5PyWm7WW=*hHAw~Wck9E&wJp`g&j#8ipZO$wYB0TA`y%a9jq9(5@4VU& zIjfn}-qR1SPeb6ZTWZ+aKe{(v`#NMkE_b;9lI7R5+vL*5r|N_Kk@K_C+?R$+=Wd_@kU37u&Kom=>Z*@cBQw~z=|aQ#3m9E+Y+?F*mxm@j|e4Gn97oPGHAk=LK^ zN7VK6MbU4e<8D9L%I1Ham$!c2NtfO+{~BaP6!z;w8&}&ajj)}@jhWoVS8~RbOTt8H zlcVk3?(DTY08-QNyN=+q+0?)2skP8=9%nh_a{yE z@IFn0Ds{vBapJC~)om!Ju4k@WO44hJPnlg9grUt`^+!bxlic?BgE6W35l-fp_c&mm zIXb5@=UNoQHw``FsTUI2SjRVvbRT|i--FP*SWi4p|J5_RO!?k1NPuQ0uu~;kYwGI$ z`$+$@yZM{yuELg+lkGaerDkHWM%9h+mJ2mtIv)nshsJ!;dJno!KI9w8>g zd(bMvIq9W}hc~i`Y)LuaU(=frS1civDKg%@!68AG*K(6Vto(_Y$1POz?L}lJUZCza z9wvrxPrT6#*Th@rRReJ`$7nr;`=*~I<6-{+*$i52nf$Ci&X2o-PH0^uMVh+~Z2#`~ zay~mG>jU^^=b&IZztrubAW%ISVohfypOTCt$eNtNrA;=T+5ISh`gIJH6GLBl5XxcP z_27{lqq4!yl*FTWDQ{*xW(UJTqfzJ+!VLNsEivXEsBl3FRp!(y8|J0%QC(tecY3^o ztpdO6U8fY?D3Y}}vVGOGbMkyWIsfj#cI_y8U!Bf} z9%bU>sk(QB)cpCSw5Kk%6jPh0@~P^XJZ^HLnF5bD}~FROm@B>|ct1 z!E;lM)j@&Hn8U`OCYsp$`CUfq?R9HD|_WLStRH@_mTH;TO^)rkD(D5n=$gfnJHHgRI{Exed2&qm 
z{KVCpu&W?DzW;#>aTlRgst$vU-2&~ioc7Dz%|t2NiU(|GIhov`ih9D2R7Ok@p4p&< zotW#|AG`v#9W;ugYvV(w9z9PtSohc4@|nz@QRevo8@Si>Gt{CSI)A(L(_AW{Yd;QI z277#`C5_a8Sby)U_Y@p2Z484-A@xo%b~^OE4jXGgj&k>#uAd9X)M9;f}-njg!n%U{KiJtb8q4=d$z4Y>)@| z2I-+L@+7D7-m~OFVX5%B6+a5I%kqUu)nR70wYEc4^c-U2$(wQrrPnt3pAp})q#y=G zcSz-?gz7d2{IaCMs#m!6ZPx0^#&nhPtD>MYdm6JtOvA@!cP%e(npE(ug$mNkdXK+B zR2i5OObL3VL4o?tba1h!1XSv;aqu;(@GJGi(!WiKH2pl={wm8gL@($G^J5hyCii@MIh?4j&Fbj;Zr^=Mvg>O$)wC!L+n|UK0%zd4t&<$9DZK z0oTH^Qd@zhq2dl1lg6>@)StZ96JnKx1>b3hMfv5AcfMWls>@;Bh;>*TYk0g`ulFUr zA5w$`V3-XdVO( zi+$VH7}>L3{+L>GfO{oAUh&e>0^8hI$?HkCk(u9m+_K`LVAT^ecMJt~h+OK1eJ6smXol|psZpRwI*9J9kd$l=pNMyG^`J1+T z!2Qf!Frg_89Yz)c;JGZ`Q*Esm6CacWY1BA8ml^3F(}dpA9_n^wZn*sEsRYSMcMu}= z$&_`c#*;^f33*+&_+-_B8?W|Z^!r{*>_)z>Z7J4!ckC?GC!T!s@=VlcN12~K$ns{4 zP%|m{OO84Iod|;;7&|5v2^z9H8H6?=H~qC_vNk5;?5~+|x+VvknwIS?33Rv|0#D*c9a zH(qcLGfZCU2J3@u3-|h$Pca*8Ur7A#pB1Pi-#yW{GiW9OH7h*A=lyO?U{yVIWubwM zIh=e+G!^v8vEp3LA%#|8kb{evZ3!*+XsP-^KD`&yxq}?PtSfvvOJHPu!1BqlI?k_)adPK zQ#}a;jZ}J$`t#`xfVzW2M$+GHxJ&v)wYZFMn&0vA)7+6S(dU)J32*U?&%x!{1~t5B zyOF2KmTcF;GLa=8_>i2WH;AP{h{Nz#Df@V04&92PyqWcI-6!LZ0?$(}lbC-bQaH-6 zK~3B91=D$GZd?t4$`dGj#cKag=W#(%mfcP#|NuGd4q-u(G13;evnJKtAjhkveP{BQDQw)fbIW>oZsUJ|Ohnr>n#`2g*J?!?{A@>cy;6 z=e5wSYH^GkPFs;gPgUi;&A-zd@u7?hv`>V0Q=67&i!Mq2uDK1(7k}A1D@+`Y%%(w` zzU)yp+c?fNq!TQ)zSA=LCbu*)sKKo290ds?GLW9v?B|Re9FZ(#BEE_pD){v+Otvw2 zG~s*#cIwNOSDw7@pVQB!1o4Ox*(=M|rs)=n*cPZ#c19TPuBPRPudt&WT}1|2;b?VfD^ zmBYA>n3=1auih4pXm)2qLOfhJ)V_dCBIMqmXc<>-5R|#$q{#08XGbr7e?cC%~$5Z?fj&- zTsh6^n-5Y%VmwI*Vye3cpe0@|W1n0yiPSte>{;3*I$XZadL(`ghnOAZ%{$B{ZGrfn zd)`Au43Nk)H^qRg;y!bo`B77)89XR`9->R8)#Q$I{N)4@WH=;1TU$HjGkU_9dsz0J zfqmjUmOHj9ZWQvbb$4 z$%b7)gGItTs_bb_{+<?oM{=f!dwvp!62;8rl~D<#}yXHmgc`YHuB1J8 zq}5Zqm!n)XFa5P`i%B$DHh4L6Lg{XuU}gv#GiVm6n4Fqb!L3IrQ@lSOk9@LAbqbp znR4e&k~>dE_OW=_KutpW5IXshQB|U>O#Y(}S@r~h$_HFIL@duLFs53!j#?b%${W5J zYztQ;>2j8Rytm4lBw(HpsJh%2y@b;m=WFT!$V|F`@_mJ+j zhGPwTyW+LpW8GIp#yU56FAt#V=|UO(eOf5)@|zQWR~o?7Fm!;Clk{L2=850}R+erh 
zcE)P1yLk6%Pv6N5TLJM}^E8#JFj6yw=RZOUnuS|kmh1AVfs|EXnBvQ=jKh5$KSA}% z>lOt1`Dsvx3LYXce1LC1zao3~cP#5GGUt-V#^bl5>0d|0$-aN7yk_KF%k!M{koj|xS1rjT<*;WSJbe1d1;J;Z*R-Jt$3Sg(U%oRIcG|G7=%Uf+hdYpt{B zg#Va*E!*Sp*TEIFmbdGknBJmw+9hr0u`+6;=&Zf@U3-9~Lv|3{^;GKyvEvwjr#K3i z;h=>yXa zbKr~Dk0+0qyD2;PtM$7SOlQ55o9~lrAN0DLvQ@+-s^%h+29x6w<*Dv~PB>j7ET>~I zOuEjSur7jvPuC2uz0#x7P%pxJaVksH9aBT0`&NVdhur75wIF*@ldv+sv9FM~{mi!U z@4_rJ%CqyG3U}By{ga5YPZ?lLp322 zP_n0e+!gV@UD}$VBehgaaW<4oS4SF7MAGr;{aRj<9`(zieyt7j7{MgpWa`S{`lSVJ=K0A|kK4{P zl2zqkTc}H#Uh;WfP%y{m`H$VcsricM$$9l84_B!Xcx+KGMV%|qPyBwEQ0$&c#=p)l zvEr8+s2mmeA$ic^N=AzrdLl=adGDOUFUAnry2;|GsQZjjN$E+;s}ZUV;^C5|<}^f| zaq>`}=~iN(G)*d3I{e;yI;-fj+P?2^Yw@2`SD!U}nakIcvl9TR^>UtU&UZ^U&`CDs zg`C)bHoq4(f0PiImWRHj9eX3^s|PrDzOjXrVxv!Yd8$zZ2#hAaCGw$sFBFkjJ)ku1 zB6e#==p0Y|;ZTQDsPF3;dB+9AM+x?;0^O}5M0;`Rx3k{>GyQRBbLF&*qFTd99cy~D z+43gM3a@e3p04#9i3iE8uKG@$bJ8Wy>o?VksAvq%eBDL%YMFH2O8pQCUGp#Tbt#NB zP0o9IiZ5_C@~}@~bE4x#774iLK~#rB+gfLr zfBlhn#?Ozi0<*>H=$ksvXd8~4-+9)Q^`_*(a6Nh4{%)=O)Y9nHQj0|5Xz@*Hj|`!C zoQZv5h9vs4X_tu>r_%9b;Ro!dG~|a>IUl;aN~R!l`#?Wv&%+X9OYAZO9dEpgjNijWM#7edzJ!z@@Fucpi;PkLQ| zGCDgM(^xi+ne9zHZQU#IeH*L%%fT#0bqw_4G4seUsrk&pnt4E7Yl@FSxfWXq<)}bJ zXRbk#PuzCq`<0EDQJejxdOH&t!L&n?EF9@h`y;~uj}{lAtWWpvf4}{Od1e~aVHs}7 za0DqUH%entVq*Q^19wLVI)9Hm#b+{FA@FLh*@!I`Rfx$k(j-#F>j5Wy%`$KYi;QMo zDa(@>y56I0<#+$Zz?`XiD)45}!=q{a!nDGg>O;3PyG<4o)B1#J9v1bTi${LTy9-}~ zMt7#8FKn}o{)G%tVBdq4jy$)48u-Kn*&1&qOeXSi>a>qJ0p0~XXixHN>(9Dd zg(|{5I}(m-4GfxiF}-EV@~v!mvD&~tnAmYBvIv}&ybpfh+)Xnv4Fa7~+{@D%aZ{l} z7uHui&+I#z?&pfH7@k=7#~k;3!1L8_UUO(_SQE~D^7&3dLNp&OJ?LRV94=4CD}r$O zNRa*=FC#81Mu)OnFDvS}e;Tnn7+uIi-ps~)wP(Lu^F`cD2)*@ zk_F@H?>in##=46_rU?@A zD%5=-W-P65ey=b^-SWn9$XOf2<01P4>EgiDX7eJl_}lk~LuYYsu6f4U*BbiA&S;|* z>|1T5Qd#ouo14EKD~{a2EIzxt7ZIr2=OKaF@YIarPfvY5lD&0FiEa>i2h{z1W&|pg zYUy}Y2{ZM}x*j3GzikndsFy_}cTaKK)~M8& z=NjZ(;N`^R6@kDkds$U4@D>L~_0Ypz$-93|pU)V#X0 zg(@5t9acF?o-A;UPnnJft@6y0KOV6VPyAUVS6mPmiRWMxDA9!ch@2e#0?*3M2fw3f zndM(}Y;`yYG&uHW*d-2Xkj#yEq#@j^wN2aa19g#hYU69=jw?KllXdXrnFrYFWfDfVz1$^Za0V7VD+WJi 
zEc@w9K73dCnaBOTMOHM=&L=@{J}aMC!I+k?p5FA4fy(uqN9C&(eKs6dnTOpSm3S(? zj(Hx(v5Uzm6;Bzpd>Hw)VV!p*!tCxv!*Gf3_EfgR(`D`#d|e@pmyb3?uXixtkTgtM zOsY7j7)y-|k+8oaV~{XX4oO$C(|)#V`0$%`$dz}sU#(CBZ_^29I-B+*y??+v-ih13 z%Iu)&J^LO*^7^cf6E?d)o3a6#Tje~a+oSN6U)Jew)`%Tn;3U zaci%VEFa>RI{}Z%Vnc^#);n5zM?rz7^k@d3>WYf2Oqa?wlM(p0MPi;-pOT2CB6g9w z^r`Wf&TOH{`o;0`ReoFF2d_v}HoYFuY%91o2KAz*s5pqrOy9vK1QZOmvI0c>!(uRe zDRy2tcxLPgL((H`RRsBEQw#9}AD?$kZre;m60^U`L{!x%Cs}8|Ry7;!*&<*3qRtE# z3~Ghtw5sOx%CmhE+20SNYaITGN(F(W6}a%DFU<}u7FNqJ@t<-ib~|wo`-f-WDRstR z{J2ZGBzz#j>9g&^Qbi<>4jHO&gX@y%IR~=Ue*X74^5d(TT27Wa&e1+=qcbO;O93LFi2|UofYYol6 z*7r1kc}rMDjGK$*@Ns_g*_C#e>ak!{({7-}F?rK_jkj*kk_)KD+n8Ela@{UX7^NYV z)uxv&=9t^M^uxj$%!Q-~+{cWo!(RultbB7(%#FfiU&~3aFszF$H`BQ^e6=_=S*QnB zQ~YbrM-|yeFQ2|&$sR@uuXi%F`muBm+m@G2I25tw_mIlJ)wu84-)@~$6LP{t%tZ7< z(6i74CK4$#biIfaSYu?p_x?rEhB}j|C*?rRRA_sef}M&EBWxu&UvuT>zrC%Nir4k& zd1&EUX;alp5v_X9sY9Z}VQ#zxC&fm$ssumYzWD|4M6N92GM)L>t@ol;FYi7{yfY={ zP|vT#_`FNV{pRs-&bHm6^fv$7&IL~2yXlXJ<8^pvqSf1qvXc_N`?;nhbcmO^vH0O$ zHhQJUv61!#Z!9VUzuxTYrxVcw-X+BtUwoo%f0KHjU2bF`O=$$YjbgB+;yS6QOF46_ z6$hk-zGBnMwcv%rr<6H`^x;fpNGu6E>(>C?4;q7w?!1i!S;Xhaylse8St>S=g&2g;tuquA9Q!0&1>GREy!Ee5I;$1pd23598 zi78r1@PvO0k)*n9Mf}a{rOtl-BIdF!{Cs!^IK!Nv(eb(&fF^%j8Gh4~Gfe%)nnRE9 z@{tRLO>UX4rhSo@Mu7bx7co^uyov z=4wY$EPe|wt+_$T97!(c!<(M_ygp0)tpR|lNabW-F3KqTFM44d=L9KCfhMFo7Sz?+>$bMYbqV+Wi(@5cH$#J;uk7){K1qtk1X1i0d=h+E&gVGCgO6mqC%^0;a2But+jaw9 z4Qj7&93IsLhod;}I=?%+x#G2A&`QUQH}mw&rg*CKD=0;cSXVFlh=X+E^_sE2%iHqX z-)~)wD-X=rnOrwfQ7?a@TcXLyWFA2uEC&kEI;HsWI;22LLG%rNkG^Hp;awk>{L}}6 zBrcFiP1V9|9dd5^jic6`U(JmZdacZ*VuUU0ZgULdhmd+wI-_la^>a>MrBYe#=v z*GOAYtL89{KQC-K)!6v~Z^{%c9O^)RClO9>7-V|w%qd6`bGS8}GdQJtbHMh;N129O z4kV8ZI71kjLhhaTyPxC+B_u+!k7~aSlU5L9C@4O{^iq=tcOH9+w=Y>Z3d%+X+&dxN z3!Eo15ji3p?8q#}SG&T~Bd|<$m2z6)G|W{hJEjye#LgAoXC>iElV;FaWVG?<3yCR@ z9*A`I>(L3t^7UN?E1d5jcwcm0UE~zq2z|)O)M(N?s)79SOY6CMGEE~UIer;`X-_hD z4!;DMSR?Vb(br-w*TI;3MJ^TyoMt|qxEQ}1wj?F0v3mO@5dE$&2} z5bFQ(98x^4w%iJCStl-n3y`ne+P~!t2eP(qtlSGcgXx37QrV^5f^MFNF9f!mjEKIojgW9;_!l=2Q2d 
zb4`fQ4>c=-iix-ce}X7KyDo2C4I$j4ljL;6yCeOvU^L2;ZGmf_@|kaY{^+pH;*O!y zO_Sy_yRu9A70wV@lI%Ok#MYdCQLkwO*k--jG0&K2N9FZSzcneOjgZgQS;OwD_4suJr6KN8<=`@-Dx#<2Uz znndWf#e#4Zt`m!xD?B9<;mC?uz^z%;BkXClsYIj=NOw(1EBlUXMF9T1dY6OqhKl^F-1WO}30?j{bp= z4T&1+eP-JCC^BUzSiv#IzG*cGT2?WbeIO&5&;pXVrNvIEzpZD%hFdRJdA;baj#>!| zlUH(3`cstHy&B-ZhX`- zkdi4BedWN0{{2U*&|jkzrL5qtvnDy|XC zig{he&HjTbB~JSeh+dv}9`|_V+I6{D&z?JIXIpwN_EdZd1ajyTv!SVwF@FDpTFDkg zWt#hRICYhgKZWn)ylP>FswyymO{B+LVie9>?rw@Xn^Nxi4{fB@iKg->gP+{?HU=JW z>B`uO=c0Ftys5jxxbOW)SF*6zxqswy4yvT9jb>jHkV`%{?i*DZ&|0|n;B_`JRT+AD!Zj)q8|xAlkC3K zqI&6&m7?bR`yS#kTw?5^9a9^J<8gR+ghY$nQ0LVS$(0}>T$oUscL^(8rFf1$s2)yB4|tO z)A&1V&Ws?onMN#f;cMS;KM5#qt+SUDGREhw^uIeGCQv*Ol|QuMjHN_Wy`}0?oOxq0 zj{}m>CRwI^R-JBS>oL|rUfAJM8>axu3I8-3ryCC%(r7Ff-o!CJpdb1!jr*uRrWfZ| z<&*U%*5ABMehtqZ6n;nPQ0eO0j+tEK+Iy4&h#JO|#BV>K4 z)lB*-@Z>u20CtPMqPJNq=l=O7503y2nrzw^tZ%;UDMf zvxH}#j+r6sC@$*#_B zMT@7&&q&OyLs+>M1GOA(3G<2n(i;mgS2E0sRPWE)eOSvM5#rsLk`g>WO|at3vJ$sc zW%4!hctcFPU&@a-(`F8ia>30aSrWd2seV*#5^!k=d}77lEqvKkbIbPLc2Tx2dD3`g z+*f?~>oN1HG(3=JUa~8LZimWd@z|0Qb-%JfN}SH*lVhIaNQIFV{>m8Y=~9Y5?*9JVQ^wunAa~4(g(PDxZb!^BsdGWS8#6MImdxRWf++s zx|}a3ZAKlE8xiacp7kqlX7`wxS0dd)Y9$=Tr=Z~x0X_^%1u?z0-m%-9H#;MZ^wJ+Z zjX$F6Di4rn**vE{+T{0W-^$>$_o{`NT)J^J71disj!lO2>pV?Lb+>pU`yRZaE-j)6 zN+Ntze2`ah_e%a<`89v{CMk%v(Vl-PkFI4LZ`=LhdeiHNMPNH!5@d2`0u=bwgeP!k+PZ9DnxeaTOe`Jn2$ z`>a9ZJ}Wb?TSpb^F>ep-0rTbzagby(3p7Xxl(cpdil?!5^!gjgwbwzsZ$FodUJa9p zBN9fND?SR!9DOX@_gPyP^9v_2_Wz*k8^bGWf^}otwryj_wryi#CllM4Xky#8ZQHgz zb2HyL&;51p-@SIP?owC1)z!5`+=V;SStvL#xX}1!_~F z{|LB-0^#5&F1n23WRhSc;~}vxjm}Hy?=HBC<`qt(A!+ndnCZe@yP_jBMODDP>sOHF zn<&E+g|u3LFjHx~V|+x@jh5!E;`D~Lqu@k|&@5}$6ipGnJ({(XG|#(y64VdSHA}@O z%c+{cs%iCd5vf%}#yYw1+Fh0Xoz)9be7rO)78-Pzas^~FISL*Q1qtCyyGAR_u#3EN zD&_d|7zSsN{4%6OW$!R^8Px_YDP@;8pj>h_K*=SX5^OkS0}&oZ+%$%h46qY;Cu@d7 z$HI18!KD0Dc-ly@ILb4z^loG_&uuD_k3%a|&cCcI7T|ZQc7A?rW-fJbf^DF$Ax(Xl zq|YLaf~pDLCZ{F?l#9MYTTyN7BvJ~^b0~IZxU#x<7QN|Wc)O0f{}SFU3Bj# z0`q5eXBqi6bI}HX*QM(kNclN-AGslJ8Otv2P~X;cHsr}0)58`4W4 
zc2&(MTLggbBYB|ZC3W|{k_26S74Fw-`Q16>w0=NIF-E%t!kKIsDBW4(-qXYeagPGm z!>6IiuvZnk)QdmV7D=RH$9-s+{OPKE|Gb_&0W|ETR91ZtToa-t7`UI(6}hge=JpEG z@sY6gL#rVlOrqPv2Hs~~X47tn zER-aY(m2bndpTH(fW` zA6F+fIsE4S$TvXJWDC~rjqJohhFLMfUfui6?2UNav4(a~>1J@@oQH2R0UJB)p6cd! zWjYX(c7rDP0QLl1+j;A2v2X+UNaHSv+o@+pQm=8Mguq3LI%#y1*4S8O z-29Xo+en?}#Dy;^L96%v)Kz3aM&Qp(Rjy$pWy>NC2(nCs&a1J6rR$PEOD>%TlOBTB zSa~UyeeJm_LiP%@^0=JN=80HL|Mor^O(3-hOF^ZS$0IPs<8s*T4N#$-4$#o-0Wk$V zP20=l{IS{UxKJ#I%V8_bfmfKot?6u4y|$ZTr?|1I2Fh6t!Jahq!-d^plf52pzECLW zcoLh{9DoE0H=f+K3&LVrTs$0&Od6^TOD9=4K-G`F2q%mB9)-FDODZkoyYK$h?s7IC z0*lF@Yh5t1DnD1V+iW?PPpnOEeIrY;9m-SC0D_ML&8>cd9k2)eg(q%1^+Z1NIZ;TD?^axg<_mnf zg z{Btg*^jUh#L|6T4qKK@LPb>Me!y|!jo5!CNq;5!h?%cLz@y zpN96v2T>Is^SOaPlfK?qO!Hxqi-d!5e)5#9+2YnXN*os>t7uwJ(exIVi{;KFBIvhO ze-5MpV90Xm-CB!lZEA!&bMWQJLEnct))SpJ1J;+qBsjnWgZ=c<>;r)YpG^~++1G-; zqT*pe07nS)bfKCNw^(Hfr~NcGeA{Y%{Md6C^%B}KBUO|?s(&78j;d}j*TgqbjL3#W zV}6Ym#g{dkh!g)1^Vxg}MwK5;qC_O%^SIAsa-!I5b3U1#9;ImgGZ%s4L|(USLW07A zs{1!Bd;-Ig7bp$iyiFwO)@K(=PGAjxY2wWC6%%E`K0m^gO5hgvMGE`5j6%r&&zZeHS?TC1BD7QL zFI{$GGKsCHI-w5q;cZxkT&Hy46X)?B%Tu*U5VENHj)dEA6kDiwzcAlr_GiIN*%+~M zWC$>J&@&qvBoYV4)`(%DP;;g?^!0PIUng$d!%~3^tZPjY-?#Z}somm`>Nyg9Ec{qm zCd*AS^#IL!cFg%Tci}ppaIe&V^`8Ot;o^%k5A@cT=3N=Ux>6)`>WaJSrz@%@#2x;y z#@9-YR+kaHIeWiKsrd;IB5OXU-(4HH!=48!>PK0anY|M~JJt|yFh^O`mf7DfSmMU<~v)1J4Tx|h73EJRGwK-69sF-6X9kP^H zh`%iqMECAJV*ndH+-uEw0#pHi*5S*9Uxc^7|H9+Nid&6X{Y2E`V0&~fjU;qfdyZ27dPltOwASk5BkA>kD zQF=14(Z*U~TF#qbKSlo(F347|8@y_2 zE=87!s#ei${|m}3pPdc@5Xl_lx9x7AVVoo-ZzXj8sa!J-f=WSAkgRKT-UVCKcrBOp z1*={&cQPA_HD3kJk{Fl2hCPJak zm$L?u@R!pH6aoRJu_dimgu|+3M2g+178i@?L)KmklNb!yIwgWB7(o~1p|b=UzI6x> zhXns!f|@LsmtMaMrrt+;2FGRS%+r22?2lEiqEr;B+7Wo_b0y6sZCJmk3|v+RMC&%} z|C?Lgnck2@c_EQlDluUR*K1fvON37@#1|}EEM$}R#x6m$4}PYuJGP1UiU3N0K`ScF zOeBkvq*b9DOsn_+oki*=xTsImXrWY+_0k|7jFP7s&WNz&9J6S&*%joUq(iMst)>sK zv&pHcB%{sDary6~9;s9OP|_gRnA%7DBX9IUQ%?~`vG%{ryFn>G4!Pz6=X17i`)SO) zFlGN5};r^-Fo3bUnC z6_;W8kPf>f7n+$3V1{9@hDv-kntjR*x`b~h)?OwHvk7f1Yu`bV5B(bd`UR;>!)DD( 
zuSuH%6n6fHt_-&gY#XO?Y;jj?7(cyrka6(gGkZAlM`F(zfunCjdMJksqZr1ca$O!S z6liPb7*7n1;(ffCa>h|pD%fCpB>E1!P@T~-zD>MEGfP1a{hlA@Q?h$xaNf z#HMgqJGVfnM%RiJRoIZ>bg08Lh$U$M&O-(oH!7outEB99Th@w00KF*mJ5KFKl*m5k9D0cjD0lM;Dc^I^8h)cZ)C8J%@Bzy|dEjQmx9| z#jcWur+Qx~IAoJk(%>fu8v4(!7#(e`8Q0SETiwQ@0iR2%_5j#M@y-^q=c0CQ$_jva z%q}#@70AyJ`^nqh!d`uwO0yw$7pCl z+874NPDR|%fFhY)tm0{!teqNtBA=*IJ{A_nQ4`dA6YR)lSqKlSO+(|v*kKuy=aV!h z7cbMObhC{2b&9y>TH5T4gV2x|*1wnG`dmD2*zj-Zz$-Bm%z|u5d z>ek)5Th78}swxiDY{%SKTwEfV&g0^Rv$N;14ybnOWi|CNa65eQz@byt634i}=^^Vz ze0F9YJ!od|YGH+xesk3oN2`L~RglWWK^2^o$yP~ltFcX>pK$TJ}lX==l+;+o29${k!K_4?hAxZ_E*+BzP;GK8ELI)C$ zS&BIuk*t^-b>)Etpdz8Tp_j3xeBXTz`x+py{uJmBomBIGpoht8AEJ?xvLb+BQBLBUth&8=wuV?}ox27$mdbq3W~-6Zrjt8NVeZIhT3MhWlvVPo7-v zils>i?=7CEvhm~soC^x)0i4H^J?E8q-KdH0>n*5ovp$V|tk;m5Gq6J@WD% zQBM9=0LRR5AIBjhf2$RGDOXf3>PNmMsu!U4+c!x6gIHc5@LUX0^HJC(kyfILcLgk(9x-nRh#5`CW(o%=|Y_{{asZKgs)&L?~4gCV!8gB=gA7yQJ`H^ za0X%MCqZ!2WRlNT{^AKKJ^U_q-IwQY#Yw%ZcCj)A+}{{{2b4SCQ$=V^6kaTr%t)vK z%^>{s#9d}lICZ5}L7#*n(e7jY1=!57VE#8%k$@U2(2OPJ&8%PAg8D@J_ZYcrpWq0H z-Ug95KZ0O(EUB+xabeaxG}pp>!1#JGwde#n#_ru!6?vfw!IYhCHR^1|j*lUl;Xr&B zda<}QF@GX;4Jn1Okvm5GABYoW6&P0$-Gh%N5;2RdG|RMIyI=<%j*N_R2mLdMYiCn^I27HNHYA81F`!8g?*%2Uw>0CuL|jFuVXq~9X>r@=y&C);f*YvHoT&j@h)v9F0P)crg|v~3Yzb| zZs(ut6sI1gGWndhQV<2dyTGu&(r11WS8Ep)XA7vK(>I6iB<^ykm#!)~R0$-7BR4@a zuba&ycnJ&x^4W0_r$M>yx)vQ@)jB1q1djK7B>I0HdyXzO2$sq?3Fqp@7~S@I%8EXg z^bN)W*toY54-VZ^JJcbb$CYvzSOZ3}dLV&w`f5iwE*5dmlm`yqJVFF4yAH10;ILMz z1TCS-s0S}DJ4%lI2I>uDR7+NT8ho`}C>7I&8~P$JEew>*omz3C0<@jgrYt_y2} z%mE3gy#B`aj@B+2mrPY5pBcFb+OA8*Zr)&eOhi+mflTywSxQ{~on==0uyWYV2l)~jpK++enis(CfL({7d?QpI_ zJ&$aO*K^}PLn7er9SwDXhF^wU79r5uWg^|Ih+-BJq;hWKmNClP)j^*h3w=0bFb2Up^HGd=ZNQ9o>EGvI=N~^ZyESIitV#DHI{R z>@?xtpzpTN(tjsaK714D{PXpExl*w(BN6erKk)O$uZF)NuR9VnWY=AgjsIqT%$N$5rs z*vz&?=d=hL{@xI|=E(hK{0qaZM?Y)(jVg+$r?u!KYn_$uDdo374IqGT9WiIeafRX8 zTFeiL%})h5htQ`Q#QU<%^?bevi^xMj`8_w~3Zva#DK9k}D!v5dTO95;FFMaM(dUiH zh@bmde>xVvBG*~v&MWwR3EmHWJd4o1=~1s7d?v{*!N|%8x<;GV=G_ 
z=UDtT`+*B}l1CJ*yF1-Z`-d&(-Y;<}*YXomiF?M-y&lna14ZxWck6ds(5pM1x2+Mq z4^Z!^#S*?kf_P3pLZ9hdZludPp82DbfRh8lcf;q{hgJKoi{-N-y77atK^vay7KRV< z5}u(4B|JXAyU@SeUmSV-v?>O3z;m80gyUm3Oz!ju&t7E;srdfGHx#`mESJpFJm8@& zZJskDobS2E_&+P=BCw#(Xhsh3~!drFAO+`+{ZqOpQB18m0_au&WEl5 z(XZpn_2O~9fO}@>;^&KB5C2D#kZYvaG~@W~PRcdse706uP43x4Jnjx+-=Vu|?Mm3Y zYQP~7n}6I+k^cy#3# z%BWg`QWwPJ;)W{erPRCU;p@XAY)g51s9gpI4qIi+`iUEbbTEzhk zT@HK-qZB0X;s#n6E~8!y0Q>?rO6Wz;t%(HYxdPENT4g&N2^wi>VaU7F-T8Qy>B*VF z=XDMJ^tgR}UM6SFwz*ORokbuezqE_>*s}P6vLkn-{*6c zs2pB58rZkHZ)Zx0v9f<4Mt9l${C);=`ti0|r=l*&@XZFDGZf+|6gfN8tY0p3_7BO1 zxDOasX@XZ$(PP6>AlAy1eLQ_sXXUvB|L7kR-kCXx%_{f*eEGOsqD24sdcA&u7FX>L z$Id18)nD5gzu(sVa3=m>1Om1rsZtKIc{A)}2# z`@!ea@AYQ;uB|cwVEzn3FDW0uHot~ChL4KOi9s{(8zsqD=mCbiVnvjuCw@pgk5q?z zhBStR1S3gfNthSmVnF<~fI9o)3|vb^lY6WPsAe|f^Pr2kx{t^R9)-5fz7VnPDpyl- z={G0hK>^F?U5E)9)ssYkE+af5lN&!=3Tr$KPbSE@1tMq4p~Qeif<~bv5M{%^iHVW< zZ6h5ihWYnPI=!!TuOS9mdYfZ?>GpQykF5-<{5GG&=f;QHaZF1E(Muaz`nyPLu=w(KWzIu@f5DmY)1A z%7S>^%B5{9Kf>rMyNQWv!VrRfBc^Z!%YvFCgY0a#lR)2@dc}Ur?yP`_fNjI01%c<2 z56*ncwOE_cv^>Lf)jpn8l_;Ch<+@^q@Xu}5vB=XNmybpmg)qXC3gWCAS!P?>!nbVI zs4)cywPq|^;0#_ZLiZ=?X06oBYcL9rfModh_pse1Z#2vg>Wc%@*nzZ-ATbUR7F}nB zAn{$|HR>VosIbUTMGnN^3c4)Mi~&r!(DN?LYFOSzW5Dh8?4u`uJ|d-F4CGy+xIAau^*r=t()k?72^<8DOQ>kf*B^9xC#IqA4TJ0pQ zF8i!|pbWNpi)=@ovhH)eNvi}8En1Zvfr{1JO=cjku$)OQ=aqU`;9nsA*@r%=1E@>* z{$Y5k0Kuy)ph1e#dM~|;@Y|{~BK?i9LmzX_YDKgvqRTEKtpu zlq{OwG(PnJ^=s;5h#v=xZl!+ybA>1d5SuK$iDs#HAum5Q_DENb!n z2aS z#zL@1Mi_P$25?UQEoT*oo<4&oK%V~aZFG|LTJaiR10hu2`}ty-TCQEvdaum{VhceK zF^VTCwJEUlU-*vTK~R?WHE4P@fl!S*qi~bgyN#WUp85eujGk#k<=n>J6FbV{9hu<_c zgN@&-(G!z>)06-+1Ec5B!?Y|ydiM{0+3}mzJp@Z|CwmU#`?Vc3tJ+0R2hM)8Bxh6> zAmI1byoY%I59x)dE*D)74rIkCdkp)AAF4$M9($Gk2lU86#IQpsL*lqjzh}}HwU}qL zIdUjd$cZbq0OMTTap9NQcV5Z(MCx9Sb_J(W))MFPG8 zEPL3bVb2}eYX6awbr&Iz51iM>cYx4C%fnz}oUQiqZ>vi!6Ds)Cp)hKM@E%bSE&-FUa*myFu+xyHQ!#aE1dm=%^oDT7jCh1(XG~T?nhdHR3 zR?6Hix)B4muz~*=7ulhNj!Z!7xhV9_IwtVmN&UtBJmnk#LL<-eR--??sx|)!$V>S5 zb>|#HBJj7))kI8ARi?)`;9k3aLq()x*AbNNzC)y_|A<0fDtDr$^_tI{mVosbh6lc| 
zqT^=M{!hKh+e^p8Vg>$bg1qs>HMqErpyfCJNWu9u5w0xy`SHjE+`q{u@3or84i)FL zMEcGy7=Ti_H=)^52)lk;(piv{;4wc%Sn{jq>n1yI<OtzcdK?C+lrpTD${D>@?)PY&;JH6SsvC$xBI#STsz9=qG|}J7?U*jqNO4>v;ImTW5K?ZF zZ40c7E#Y$eFMDb)1;Qb<#M36j;u0cU(<1vdzaQ=lzZIba3)ApieJi>A`YEL@%Af;MkQN-y3m~aN#P;79nE z#?psXlXklM*iR1y@Qf&%=wpi!Hhcw-7&#m?MJ)B%76zSq$KP_nxf>b!ZXrP;k+H&qitdEi?m1Ha zCR>55WC)Svf&qlUq&S3omk5Wzpwp=4!^CDr-+F*t7nRt&+W=W#00PH?&5B4x_X;!xLIv5-99?ca z0sb8_eWjN#?du;#CiZF7s8WrvCBWlieecBVAd&2a;DDQ>ac6q0RPYUq|X z!tw#Kei2w9tFP?800Eq)qFR8Bb?IGVNMrdtW_IKP4P=h%Xltqg>>0WXBbiQ!iL&7W z3C;@R;9}BH*2&8BD{pQ%C78?ZZBU&5TwVAvw$29nE_qCpplcO*HX93~JMic-6-6by zG#Fd{7O4IM>TgzNL0Q7y_nsrYw$amaNpx`fc3Pzm#GU(-TJ6a^*s?hRXnmv$Z++ z_vSJ-#oF6<8W&tM)~lJrO_sA>)MESNwBuF7`)`p3w2gKJ6~$_%RwAC@^~EG7)Td@i zR~fo_qpEVhcvSceA$WYuL0E5+6aU?{$ko!OJ6RTIbaC4`4-++17Bt{_Xg9TM*^dAdC92iy@=Afrj*C?ZQc zOB{k&#iPi`Wbv)2X;M`(;!4Uo-0Sj8kq~6cO*KIuiL!NbTsM%@aHzykF!tI35vTt? zXHBX&0}3dh50LU@T?Zy8Fxsfi@F%UK?kf-vGpeZFjo)0Atew*;oEcD`V4x=oNl;`= zSH3j8fRVmGlCj6!7p-2jJ_hz!lGFym>Ng)NJOID%S2vHnc%1t!ogKIH4J4KBbq&0~ z*q{fGHUghQ$i|%Idd{_cxXaec>Sc2;!1Bp~!pi}_o8L|&4$pvaFF1-|p@IBn_`{81 z*-C(y@_`N4s5V06a^fDpoioZuz`w}tJ9KK~l`Lla7d*6~SXQBof>6seODRx$9j1%o zk&k^m|MT6oQh}05yVxy{TTx*B(Tei(EE4S(3FGsbq>DqGJ2f2aAYE&MLKR5la!Z5x z3Z{p|hp{;vg*u{erm%gEPyo?VB9_fwJLI!?+CXUKnBBgtFE~Uy>dJ0jCWXOY4I(xK zr}cvEQPbvc31w1o)*v8an0=riJlDkb0=8*aD%GMB)f~Lxn-AE_Oc1MXl zw)MQlz~21?+%Ff2{|9G7650WG48u5!u^hI2h zjvVBE5l=YhkpS#*fPUZnF&q~73wRt!>85TA<8I`j*J_o~@O4jukk^)5k!?n3zFNdx z?bmfc{@Qz*ONQk@`{0OkRadl7Y^Zz%@VIUKN|Svl8p5jT8DG?E_iP)_OF+rSA zel^^$byKdTDS%ln+wXBNMZ_IF@2^AP{~^ZnKVp99^&k8PfT^=i_j`6MY6N&4V7QQj zf@ubm2(XU)O$|AlquG}!n%WMO3gT`nFEo3blg&+s}!Jb($zjG4YWNdzdpYAvR0RnrW#S#VlvAf=QiE_@zEml%vmXr%N z4Etk$?ns{;P_PRnhXoIuhx86dJnz^s4lzR@_Ee0hyaR9Dt)aJQh zyRg6I?%xq(gTc!8F+jeG&w&sy&J#vMh|%GRZ^EimB80hqFRhLtQ=|-M$Q&y;UB>xu ziC84oaHH_o>O+#2!-*J)pC7K;p`dn+jtU#$-`R(d0VU1QgbGYszLgn$U;Ewvc-8ow zTKRmZM))tmLe2g!!2-n7C-}x>89JzdY zkL2lMV?_LF>;0dpct1bnI{4kXy7T23wHjbO6>@!jc|W}UIQMrp${IH|(pN6Z7G@?y 
z+}gvU4A9P&A$v~TUtcoayf3|c#j?5+wkJ97;UAAZAEG|qcV9jc{`yTcZkY7w8)Wfx zJ$ibUdNsd_@j71w?WgYSeaJP8_;q#PQ+b`Kv;}50MNU9eHB0WTC+laQd6kN_zw@49Yt0NoP$z3CJJbU z=e|HaPoN~lH)%0)oR^_oCqMR)L~UzdwutEq9Y-V9LkM@BQ-g0(pP|p7EB|1@Fzlgo zgwiqreE&+f63J|6Th|{s0>j{X@l%hXTlFD-<)xxnAXtDj*OmNiCGj%H? z7wGH@Fdg6T)pHCT%H_}ut2#Em8$QXkfFX9fe6XRh6@TZZ<)~Sd>(vv-;(aeCR2?sZ z4Al4BMpErpE@5y!p4NeM)X-AMJt(GTUsU}=XsmU9F3bS8;4;JS0PG;5_Ab;kh{#1! zn9!LuM+HHQ&e^Kxf0fB07r zl9WWYhy9Jn-RhL=#E#)`8yiO`sL4XmEULMHxyplf7KI0{?BREWuYN^VaYSm5CE7@j z3fmHJ%n(I++0bBD4t}s)-4^ZIuU|3C6jv-;tDpgCy(a^QgGBB}>|?f6?@ELMIfc>3 zZ(uQ14&9;y>FJ^2CQIj_R|YJ{bDK<6kI~w^pB#qx`{44n)_2-Kx z>nXkKTbsZraqF+>e4ukVr<5->x^~sSjZ2NCq;l3TmkUB`P)8+Um%YifEo+V{p)b~< z24%QZVV3eT+^vv$f5RdxIijey^Mf!8E-^PzE|65Qz&yVYmVB-EfUmrw+~v=lF-VVk zP?*b11pX|F2M4uIIbX!7=i~Wx>jNUCyl&VY)E0?$Esq0>b_wh|kD{Rxp0TC`_!UwU zvu%@jQ7;sqapo6e=!{@SWb)b3SgfRRAIWiP$-<0bDxn5(6X^lN%a8m zQ=);F0ibOHkr}p7(g_^%!IF=zr5{moemZt3$^>2}lc2#!A|#47g6@gP=s_4kDs)t} z2;2bnouX$`#sBcTrz=rQwb>*JMGDW-BnS8CeLQ)+LxUiKRZBoKM~`JKu_S82#4|{Y z^2LTX(@O|u?&*C5;MUUsi(nZIvh{~&&JF)eK7@r%We!w}RAh~jb>`i+6k%Hj;;q~w zak{9|5=H)t<+sa=Xebw3Wv+<=L4mA*A^PbRP2KN}x@Z4vgx>_YMe+$$dd<>!`297i zm1YJy(JoIBMw>_9FQ1!D&WNoxc`a@@@!0H3`6A~dvt02Z5cWxaZqI*W$g zu!~t^mFuep4dr%LUk{(xfeE8AR}>o=#GLbRvc=n+6uPF56gCE1h>;o&rYPklRYt=- zmt|0YyH5xa+IbBzZ)_K=!&oa0)L!a+F(FqetFi@-2Ezmha(_O)RrMEmxi^i-Q@d5C zH1!6R@`{FhR6uf8vu6QAJAO8={RfC5l&@oBY9GeP$)R`?Uai-f7d@6`w(#6MCH5)e z(w^%gPvhr<7G?D~qPJ`UP#%~gMWr|pPTJjG6f+sP?Y`-jhQs!D3-xEK^8$uXDNg&z^Q!;)G_d3RlmYk(4t}(N z!i)`g<(=+}^!~V1CZNEbGlY2ODB#4CMqhz#qBgCOpOQ3%&2bsNk)a6Cr{8QquB}dt zA`{+%4s_`ibXx-`F}*rb73wmwC1*|HjFV!f0gn@Hr_lwYfM8I;(>EWiTP)_Ir<@id z@{?!?Ue=mlR4KR=LI9j`Zf(ChL&L(iFD)^%yl_Su`xgSx1uC*p?J+@h-70z5)#8=# zWkWXZhGDiDEf@heu%$ucNI;-%vJ}{sN%6{p5nN_%h|uGo??z9C14+S#A=UE2;bO<8 zWa&RY@%qTT^IkS9pjV`Yv=f9~T*(xIU$%XnQA;#R3n{X{Kv}I23`4`szZ4NtTx5gK+_ciZ)x6mUY6!NIc)wY2dN#Mat@iNpuSK7JK357&9Uv^#I8 zn$!7@;DZPZHHdPgS0y~=_s82vCX#6dB d^p-Jd>1e`Y34`cr=7Ytgi-VET*v_ 
z-nN9E1;K8s!BECg#6=Av2?=b+g<#|SSh#zYic>bt=u*$u(PpJ6aGdrjBEBmlWtg4v zj7T55zs{K8i?7jWCRvoS$2HXf%!AJ=L6sKuoxYqLC z{;#~`ELfP^23j^ubss@asF@0cb0jh8^i-85g)FVs7$2gYQmvAX5A!2obF01iG$N+I zdAA}BP#;ZWnZmc#40x1dHz^0_bdgPi!6 zVF5nB8gMdsq=`kT3Vf~q5AstzB>#{mFaYHM&2p@#GEN=qw|OzGa^hQWAlZP&aC zMxNpnNu0H_8M1SvmY@NKeDKg(D~Mq_)DFJ#FV=u-Q53w9?7X+tNgx;Iydn zi*n9OUq9`5rygX*P3w7H>6koM91j>&=`*7pQ`!g9_P^-QW$;Z0zozhNlOU86hVE?9 z@9pO3eE=z=&yX`!+;kM|u5V_If2ejwr;!kc!nc=8Y|%9M!>XA{&hjFb z$&fO4s)+DvqRZN)^3X69OQwIz-eII>_YaJAJZf0i;UAV3x09ow8+B_=0^HCv7O?F+ z4xvCPbnTejiFpzx0&Q7?dspydZXxwMR}D@@8!n zabRW9-XPDx);u~02!wrb<2Wqe<2O)+@`9kNqFDoQ+0?zP; zr{LqNYj-V4X2D-3SSj|O`vJ)d zDyU~Lc;MPrQ3{|#ePt*KpjME*uX&KQPZGve-aN>Y^weKUO8LVSQiEIyYOq3%-#KPv z9<6$!@vTyc%tIumu-q0|_k*W458=QqY4||d$nP83)3<;7`RZ%ZuRI0+|}t?&yQI-mg*RlXStvi>#1iJ<4b-vqv6KGH%hTVnc>y=q0t?sDflrhYgkZo>0h10 z9zubz*DGbs9$nG5+lJ6Lk~LS>!`{F}b-lWmdY_s;Z8eFu`o1}y%VlO(kVI{L9t^1J z1Y2zn$W@b(6S)UclpBEnlYcZb&)rttlLBD988DW_L%bT(}pt5O-}C_yZ3zlTnQWM<4aA?RldC=-wrfTwJy z6wx;$Gut z4XqVmKJg>k^vXJ>2XF?n$&Dd*UZ5<0YtSV4=zoKt3MY%lY49V=NRHg*Y~CKXL-IbV z6ja@ZvO^MqnYq~YPMDJaZyI0I)`nSmz;lxDocY`CLE9Qx2>MBAq+=tTTt0;Ju{_D3 zqq(4QUI-#---S5fA{uvT)Lq^+M<_sEclWdr# zcKER*VRxY-Ylx&=d7J&{t*bkEqjKpLsDx{l1oC20t^E`QuM6ukojy#6HTht&jEr?%6wK3(gL53 zc_5)F!QZ;pAb4in8q?f?V!lv~nuNeXucT{M;Z`xEOwL8tzrnO{2FX#jI8v|O^Y`!i z1V^nwlt?Nz__*weOd3>JI5Xt7L>`|Cxj`by#U43Hwz-uj>hc{ibh#9ye8~PO=Ce~NRJHlhQB#;wtz%&^)vL)Hg z>eQ$DIu?Z=HizC^0(CEA3ga2VavHx6&+4q!%K$2Iyr=m}4)j+bj}fiKWH~$yO-fBS zNG2p{{Y~95DDhHO=yS2%hkqQ-NA`wY*zb?MT6$w4DsM;&Fw(mZOFOg*mZI$INwL%c z^UR-nLo9EjJ8d(g5sRziH2sw}{!;sIUa#{Q|KRR%=kS3W& zz>r-{x?2WAgk{FUq3if>iAPUOni0BUfC&av$on#CF}|Q^<3zLJP5^D9U+q>p546vN znw6Xll+6s0Qm6n5qtDIy{oe;BV)5`PEZ0J+hl$~teRbF~yLCEE4y;K>Guh#RD4SkV zINnqKc9v7s<{qg}7**5?<%`E1csN}3>hqrB$EEdvaETrSV*?^G@lscNyDRgKQR$>L zS@Z25ElWyZ+8y4$!)e@%YL;iim$=FzbLC@RVz#;+_oJ#|(xUROGs| z=LfE1aIgUgO}aI*Y}|}5MfUAzT|f+V#G(XSs;6-Ldc|;4O#gC1Ogs<7koeIGsqUNp@N~^pj9!H-Tu@ zoneCP4`WHKc$-WNs^A=kq^r3+VQ6It^&1*dz41)6$hR 
zR;3d@Io_$6xsR;HNfca4IGu&m>Lw|fgiDqnBRqO&5pyZLmN)uM)QnCX8&pMS(Jo7# zPA8<$H48d5GFOUWQV=y75gLj9=+>u_yQiG?N$tGzjaIks6`}~EF{FG;`yM85{@(Dp zJaY(Kvv18I>4`m}Ad}6&b=2lil_DZXN@mT^+j%CtMWRv_LvTO9h(Y^dqs*6c=#s68)e+WWNN(*^A-N z+Pyv=8$({Hjp}OC5iqfdmd$7wMNNqEZWDZNB8v(){P?Z%$A^b&mz&>WSJAlhbYU;w z{*RyRi12GuUlC~F7E>QLa>U!ddAs^;uJKWmhH>$J=v$XngH0DMFF^+ zsJzF9pquO*0Wg^y)kGgsO!!W|-o2mbYL%&oT&Nmcri~Z@DiM3S(v4t|WMWGb#um>2xv!l&BE9Gm@T`dcOZ@v;o!DO(aYEwQ6>glP|MO z<2X`gj98bC(aq5~{`nGHWF`cEwReq1zxN>+kwd_QbtpU?5+agaZqo||ND+*+=t=Bx2J{$i!PlU;GvYJsCll}#c zTuWIZ0P;^lcj5(sog;&lNNw9bktVLrw` zk^RqLHg2{`kw}ZgcUvJ%ZOpJ)S=2au7r=uUxPu*DdEgh`CajkWZtSx3J;5kP?wq#A z9NB)cIaTlaukZo*DR~=C*`ZkqmLw;jdbU?Wnw15FRoT64CaR@avbtzSozN!`BIo9L zyK=9P0AOZ$1NGofqg2McoJoMTPVV$+P)%AO0q*V5bP$0M;*%KT%?~_OpDHX*fHgK~ zP>#J?-V^ek=LK71Kn$}pa~Y4?K8rtzeh#~+vNA#J5r+^dYgW3Ixi?Ky;}HJ+nr5?R zD?KT$7cqp!zRl3F8w#H{xZUtl@O-K|TAB~khi!OEBeyw&oH(;b7&t`5_m@_#!rQj% zdjAh$?-*T4^9B5#*v7>6#I|kQ_QbYrPHa09+fF97Cz#mIxtZtxet7S?AMWqN*>$S- z>a(kMt?KU6yK3{0QfCa)$K5-+Xsy0D`&SNs--JMm)D7ao3WcEfIBXD8yyNC~wQ2j*n#1ts$7e3jyxf}k(hbIi*9hY0Tv zJb{@1#^**>cQ{4y@~uWFJ_?rLqQUBR{el!KE`els^S|)5@hRAFCN- z9(Ajeo-=qsi$9-VXb8$)XDbBRQAGt72XX+G@)(>2ngfg7on179o_EZ-}wAOsCeN?c*T+J zTHW6i0ZohjA1{2iZ#7=TgACDX-LuO`_XPFo|&5L!xSJ(4?wJ*$8 zg_=Vk)m9#B23m~0QfYv#$iCu(Fa~MN8AHu2D0C$bjfT1Pq6eal8VJAcIsUBYse;zu zKOKE$T5Hz3iczBETro}c5M@8h#nTNBqV7nb5bW{ka;`cP zZvAEtAo4mS+F9W`OlJ6*D%pJl4%H;Z+Ei9@iJKgrK1cBeQm7vx=<%4tjkh&w;JJVW#RTF&J@SC14`|Iq+>>N<&b2bRgjvign<5puh$ z#?`ji1-v8dt42A%CRWw*r?gpBme2y#LN-5Z7S zW3ii@_0Vyr@`7XlwBURA0Zk2a#w@J7+CRX3b^mgw#;B+E5e_v9rO>fB8{@a{Qxu(H zY1^zszZP|~)5r|c$(rWa#QJy0oL>iFRm0d3XD>neE zeJd=VTrbaAOUn+|0HSTK>t@!#2>b%IszC$}>4xTt$qSbs5pmV*j#BUIRf%IB})P;;@==jq)v2>B3T~9tmsl*lp*73?p7XbGEcy zhM=xedA>gfp=b+KdV~;RcxhaQoHH7-$GP}XH%nZopE6|eY%pT#jY#UxG<<6x$LA?WJmVCW3|3jT zbd}_5naS4Nnl9p|m;L#mZJ&a0h#`ux5`SP+y1mmPHxeo}CKt?r%I7D%vLgyAd(N)U zVRegvVNS?Bhipx#hFB$T>vtRcQNU+ycH~dPg+ci+Dhwv{YoDfZj_P+Fv9l?55IO=uTx&0>R=T5Wj)Nenl4+Jj7ikcR=sJu)`%}G6)hinjT>@ 
zCc4F$37jAjCh1J0#1?jiD~RVT%|U8xQY^lG>#EX5CqC?0BhwBWkqk-x^FmZgdV1#= zO4DRO5LM3#L{PlbnyRORuERc>x#a}?W_(1lUKV^r3l@lfkZWnG{&vk-wnT}d4aU-W z`d)rev(OTiAyrj#ZyHCpr&Z&+B)!ElIg{4NWO)}Eo{I_wpEO13=Cy&(M6m!ihhFa* ztcZG+IzTlrw`G8=Lc4!ck7!Vh$Gg!|U*U4leekP2*_fyozB;IFkdcva6cZ^MZjaPs z;#-UHehBo#YE||U<@Z#Ys86(VM7M@FIIsJNR=!&<|n?$ z%Q@Bm_9|*kHATeMz}akfs8a9%t(@?P%uHr+I2(-oHcsdxd%7M1}N*VZ_wW(xy8j8O95N>MPAjF=_LTbj9@kvS)M z`-LNlE||$xQwv;aBClC!o`;%hywuJp)k#(Nq}}|B$gwZ)UGna6Q>Ou zuEL(mCyp9+*F>PPrP>+9Km~DMi`Ro-OfA*al;>BsBjj^`B*4Re19n0QE$+!Rug9)n zQo|t{iblR8gq}A)FF#0EU~-xpN!bQUGHAa35fQl&npvzTngn#3~$*s^QsNsAe~4Jq~}PDpTD-cxKP|@A7R3V+1f-tR=&Xy8A@@}@`hXaB@lmbga8Ti zS2JGQVV5Q;XhUoojaQpkQpr@Lx^0LL*04@Vx(}K85MxFiStncH6uVqOP8D7ffO|rgT3Yca z#Tq`EnnjqBNZ3f>kA`i>_n$msK3T$Ha23uq9 z9w~TEZ(oGaPbV%e3e1(s4X~MHH z#=9Ti_OUOT$10&H$KEV%xh16j>bKSgN$O_uYBZd;J$&{#Je$d>U+Xg;jY~HCT0;!R zgec;s6D#J#_Ax_TMER9wfN~VTj9?DU@3@;x?5>+42bFDvzN=H09dd&y+iJ#f*9E%) zZv>cS?Juj()J;ThvC6&HGA}XhdD~P^h{BjS;R1JY(oMoxCB_;}4_I^L!v*C612aJl z3cN7fdZblf_`%EWwViTs$SJ%ntT?U#wc)t4$}p(PDSHY3}a=u$dJLh<6@FuOHGqa%{_tNSY&nqZ<3Im%Zm$b*e)Jd zsPZZ^YEQ>(c=*bX&ii3_{;KHGDtGbVZV=w@it}=#DP~Vc_t)?hr17uwCAJTK>)azL z2OmFZNl3pd{jbBZdpag1!&hz>YgLN1_irb&S(F0&0=&;xTkSt) z+=V+wzAU*V$MPTd5+eU`P{7LakDu9@|MB}e=09L`#Q(z_LYd+p;yO(KW8K8?ANP=8 z|4|gm$nXztAJ6|_8tAdC`L$fStZh@ncCr5jXz<^EVt;>Nz>O(WmSVv@dEAsaQ&!vD z+Ug6Ye!G9-i+)?9fBen}{SUDw&HAg0j>jrEVz|;vX;Q*&`S+sy{_ry<#6o9$P~7_1JTcPS4v-HeSa@^#F(R>#@C|a(P(`j>>C4X(%9p$%6Q~ zE|9d?qHn}*C4~9&PlZwcO*cJ26L++<^h*E6s`5{hN0?K+etJ8XTNuJPBffd+$XaXM zRBf^KXxZ<}E)!A-XnQkW#^;J{#O-G0h5nTqq*$6^dmU&@DJjW+lp?~wG$+Jto+Tu# zx7ckY+3M8WY_!jIu6AvQI`$Ibi?<9!_LU*-Re2C;w8wv~^WVqmwgU|^v9 zqhSvfB@q8#NomQ~s`d7?0X*IocL#Nz1=UGRc3N#*Q3i>vXGDI%;a6%n&N)?X?9AY1 zsnHG&SA4-2#N>bH{zoc;n)Kt}QoS<&p7*w4N;kvD#<4aA;Tp0A`l)ERq?+|Qg*t!c zy);4wf-d(r@LaMpos-{1R?RjVbh96kDdpbT!4|4@DG$)MGW+R6b~W7e$nBe2m$_& zlp*#o{iBHI7|yvR5H(LiBjOt}MY5^v)DypdI2ro;{EvXu|0MmSgxVKN%u?*;1V^Mh8CDBl3<2#^c=}*>Ts}nvEZ;g*iZ-aIr9Yyn{@}9G(UK+_f^Lf 
zYAe$9$_J^4LKB($O3s^`T!1X#%ziQ|p+>A6Cot->zUdh%3!mo`Lz`U((EHOqHp#>f z+E0R?;oPAGo2w;ml?EZ8*B&lZ^y>stE?rD_oz5aH#On#R(CkAvx1Dq{rsQg@e0C|& zQ*yTlkyFMVS8EO5uj_QU4*eeh+4>D^ueZd{Ti)r78+0U{3B8wI_pCCg57c@fgis^w zVp&Oaz7v01szEB-X&S7pH+u8EFh#C&Q)FQ&AY|H$HI-?o|Jjsl0`2#-onzAQjk!ft zQ~0yP@9^Qoiay~tDtY>1VnAlj4-jknUdW2i7Mn_cecp&}=dT`nEmXDXIKBHb8trVW zxD@A`PPDX9%jx@XES~3dx}9tIRk3w{TKzY~B%mfgV2iyrx=U9C4Ezor+1*FW@O9R{ zgDHRf0&8{J{S}upa+7*8=6tjJ=pi|?$ZZR8CtRSq_Vcp7Nrwb$lB&6_u-yvKfj}U5C3FJ(UJLpOR9Y z)BL&_os_6^co|HwQf>%k&QNn!Y`6E~*SE*B1^mBxoSnA8_;QX-`O-%PnBo3gPPZ#& z8m=}nMMrSjNn9hSOV>OF`mMiBwZp!43A2IRI#~BI6MmBU!mOnk-0fdMM*1JJ{N&^b zs>)yd_m#$388!N6N(y>3Y&jWu%_qpgdYrhqI2ic9kVNih@P8qRwIF~%sduo%cIDs1 zyCz(pjr+7X%r#ui?HM>$9q5w%Z~1n;BeKkLDL97ASfI%d!k<3!72ZNnG@cWzu2b1I ziOtCj%IxXhrwJc)&dg%CvM3lmuZ$YF%tW^~AJbNLlRjvMCZ)|iAUPK4^K zjOy%Dbb3{U+p{dDQxjBh;}(D6eNOg8a{x}v2T}apy?M0Nr6+dEyX(iE+!e4K*p)Ij z31l1FPi`W~IP+w1OP_a#82K*FM-IMK(;qj84Ma@LFk)Wvi3Ks3af6?79x<=$i6fLo z+S-i=Pv{F$mt^6LZKU}X`9{YRwdST1Q_BaL;ucKm@68%PsiI`pzmLPg%;*foUA?uP z+S+-EiKU@yQ&aqZfiK>q%5K9on^VSAL+vk+^^MnIoWO@rm=>4KWW8kU4YM;L)ThS! 
zByGTBS@5dVSyv;P|*x{J{e1&<{y;3xQs&Kf|gu zLN}|zakKhh)W^6Y>z2uX4v(3U6!EPo6`}O4A3nHL++^JvIzdvfoCY>Hk3mwZ2O_#f zBR_BcXNd(yS0cdGV&kbN>yC`u_TjG#CTW`AY60JLv3HLJ1NrqhQ=*R2zpOc|A>0T=(lBvr|8C$H_XlC_0f+C*NT z6QeXH`{a|-yR`apxR>HtMje!<4i!iadN+J2+*O1$}^x-f1BSze`v9S!+32>R>!^GE5>3vX`(ja`=#Ozt6nO&c+9Q2b%!>b!szj=7G zR&l0&*e0NQ0F_fa6*3SC60^)pHB~fzZVsgWNOwwf-`W}bw1co5RS)>~(bMv+Hdv1- zVOIWFJQVd=D@Wh&ip1f1=bCe+RrWi9V4BHEJUr()pmXOB8L7nifL*J=&)yl5)&$y?({nmqxwF5QRvQ2O@6UI_i%V) zAGY-OUEq6xcUu`3@eyS`TkLz^=HE2u;Yg5Q4D)imWr1kfgUH%D zr>$K-8`-3U|o;7$;9+NhvML%jp0R96Ik4N|9^Uq95!278^2B5xiyQG1}&U zQ==FxW(>scLAbcSQ2rp|XiqS5NiyT7T`=xq{O`)pPUC0%#a;HrA9)@MeF>g#d&94E zI#c7A6yN3-*CpEM53qf@JK$tF*RLEa^-Pohq|6+4RFQJ=CjasbP8J;;h`dl0*DTz{ zLcg!)M%$`cNAvE3Mgx!hq-9>Rei?pW#+5d{%rLS>gK(obCg z>H}&WlI#SOFH?&xEvw`R3LvVhFI*3=If=Hb0Bk+ zp2s0$;T5yhrs1ZOrapa{gUMX_!zrbW{w8vXi5jTJqL6it5r>@RTEQk$saUgMM$T^8 zpiZOsJ$r77E`f-QWWX18wH4P>1Ln86Bsf+}$mjHAWQq3RF4QlO=}kVUC~!H%y4xC~ zJD3>eV?9kjSaU(kfVGCy4bBEdT|*{A8O9Yn;tci^DKoy84Rc2EmSOQph@QzotDZ23;>u`-P_NIQo6f zmbj+a6Olg(uE7n%ryQxC$$JO7_D)|xzOGkpXVM64LE5K*3^uDe-=pd;t1pv}FzMk} zG0O-1is8$2g(SbB0$7CxyR*K_nJ`s}+a;&>BTj_7=O)fgfBc5V#ZMH4Ixr{+#Dk*U z=OrnRnm{AGqSu1JzmhQ0PVg(z)sRCEMpE;H%~#chaXnH1B|00>ezuj8>LZRQW@ioT z9{ZD070MXe*Wg7-;e@3ZFc{HAYl6Wor(Y>l>B+oY$HAEah4qKsT8QM>gG#{}4Zd~| zgeay@A*C#8a*;azNJl=oA0I4RKSH&g5>!%5AFOy7}#Ik^ZU*ZTAgAZ@`XwFZtLj zym;Jr0^@1eX$_Xc1tn4w`fU;7cs%q90uu+O5WC2ep$P(^lpeW$RgI)FTV&Yh^Pazc z_uGZw(e%yWmEYt;Z5{uF0+exP9OlrqfPMbk%RzXrv<0JIwJqlzOY~?TXmGUs3YVvVuX*Ap zN$u-k#`G`kS)X^@^Yk9h;s6#^dHh~K1@t{NwlLg(=~?-H{uS5)rymh=>Ink4OQaDt z#~pAoU4Wiof)4R`bf#ip$R5raM4%p0+^o2bKDQKjH55mo1b?!7=;Dl~`c}JcPf!<1 zw0lt}BYi%t6+;8JLdR8uFokbgSOp8S{3M0v`b0Tkv;3Y910h45OCqfD^9Iz{2tb{k z^JDjqKb8f*8_qzBV*BZ+%PBacf1EQQpO|^VH*1CM0KO6diK&%Q(=4+=zrgp)+_H>* zo31}ISUs}>bi&Wt?KVR6h6ZK{+)XopL>zdNl&);#93dy_P}C3} zPFGJwMB{dMC&2u8)tGl9Ow`?uVqHqeAlauXTSH@YeK93=+)RnO3XkNi_YYx38pz+u zg#FBEr5*9bfa%O_W=|a}G+t3U;{Tp)7%tWjUywqhJ=vCw1+Y(3b`*lC^CIuRC%azz}U3b_TrFEkbT7rcp(dXNs_ctX4 
z7VsT}F{q0J+%51QB5rd6mANSLoe{c&y|&N1`nqEW{G!0kCL0)R;TH5ipSN(l4!eaR z(Bx46gc}oKeS>WA-CWA^uNs~~2|6({8zX}lyQb|Txvh8g4m&Y{{T)qK_BPSu=l;C1 zQ@69qm6wQsJZQ3dq~0z9(vrEfO<$nB% z)`8`RiW^x$Bt}Qu-GjFbO3opEC{PP(On}jM5|8W|#KJ{enK(7ZWFKn;Amf9>TRXXL z*u`s*gfi^yg_kjvHS8;2yAKKHb32dzAlrS6x8Tz!p01hCdE4K8s)&2gbUH3Q_3V9& z`@jnG8A;jIxQLO2E+*yi+wr*-?8IwMH>MSqbrM3i{dwE#0Ym}c(gn;lSm0ONX{f*J z?_x~1N&oCS=bug@;_?DVva)J@pH0J}B@ZIrWgFKW0P1!?kp6nV>|gL%3&pXxE~DI+E*n_6-J zT?K~tOM59gi#1G+j~Ryvno6SUG}OK{h@tFNt~GTHzB*Dt&q1eqlNiXJE^Ft zF+8$ukQE1$W(#$UztGKtFKX&o#39-{fcgc~M`>D#1gDx2f_&0CFU<$JCT7bZO{lH= zg48-LrEpyw^j?m<19T5u*qWj-&6k7F&~g^xDuIO;IA~#M>H?HRAG8F3lxl#GA>y5; zcZ#8J7zXUt&?JiL3Ur`dF2?Oaxgu^3^Fc^+1IFgQiB8(A6zB80{2PO#w+uHnikR*c z9D=>`ks%>;He-MNFPIajiF?MZ@OZ>rx_CkaLOwjgBJ9tEbkN-x zP}btb-OQ115FHX2S7qD>pp6#X97E^Uhvr*ve-vqca0T_dUaDTlj<<=9Qoc(g6HhG^ zm4~B$8l6Z!Re~5bNy^Jc!9=*0>1a`TZw6oYF>zt=2>AszdJF6u4kur#vB72}b4sn@ zBm?X9ZO;JsIl`W8>(LVhxHl|UDTeydT2}dqh*>ezM}YM{o*a+|5vsYa7?gLu+ie|b zOK^w<>(xvdTM27uJ9^NqzZXR+Az6mtGF-n4BLs?x$0n9k8AHu(wOvN|kLiPh`}i%% zdsN~{UBUZs(+X{o^^ryA5_!TX41EZadG+(Lpq?uDM+Fs;YvlNT%=6A6g?0$vTZcDu zg|}ma5Ev^su~l)J&L9zHl4b@J4mN|Lhd1UsJMfzB&Q926j~Zd}j>xh<8S$bcB5aZ8 z=Ab0`9bppT5@rwMfvUP@(lSer1dduvL%wT4Vt3IYPeEz=VAhx;);zC|J*A46$KLaB zx5lp3l_;3r!9+c}>vh*(r1u5*I6}gZ0*R%Uhtnq5DifZf#H^=o4v}& ziodh)M$gptIldtdHBd=V1Zr|s9kD8?WzUZRwC$HAbUN|lu??7>H7oVRpJr>T4NG%WD6Qn zjF;58_T^-mg@b`bzK${-g%%F&vDV&2Z+meBdBp|Ww0>Z~Umm~CPfc@Sdj5PTk9Eq| zY)Wj#k`;(Yp;e{BpelW7#p2;*=IwWG+;C*K)0VKjklV$->#e$C;A~SaW5S)2sRT0^ ztjRC|o0HXKoQw&UymOhA^oX!VkV{*m3Rs5|Sktd6P_^;2GfuyMAnUu)xhX zGlb8_wEUN>+*Hs*jy1z!>BfI07@?PDeW(-xdMdSQgy?2MRTBk(#VQoT^hnj(sP-Td zwJq~wbM-CFXLjryD{n_jDA~}2Ri-NP)bD3kb=}(g35Y7G>e3)2W{^ZFm;g6iD=~oUI^;acoHw4MtO-tXB!Tapjd^s@6d^03?||u%m1bNp zgvD-Pk+q4swGZD*GVk|LelES+VmKH>WTK-wK=9ygc^0TTKnQZQC4F|2Bh-iDj=RbEflYmEeBD zV@k;mW(D_(i{ub(VoWf0dJtybJ0KoEtF2rFyV)-rigmg}nU8 zLoztuo&9x8LuwBLpE4!cFX|IqKmv`rl-m4ecy-Ua#4rKkttGE*p0N(wsNzSN#Vq)8 z_0&NVui$)YNY3l@KDy31&ZM%g8IXmKs!dl?^yXP52C;0D4Si!arz+HcaE9F_zFWyl 
z4mTQw7%2+QkqXXab_~JEjAqN(BDhW03VBa=U$Vc~A_b$7H`G(Gy-+yQpP;$`PnkAy zIpaCXN=H+tWke^mx`&N1$bUtFNBqKbH@YEfV+}|T3SwIZY=Q=L-X!66TI2pO+%N3V z^}B%7ujJ|DhD)h#^~lS>9%&;}_2E9p0>w$l^h$(AK=35F)0iXxb={-e)ninYDOB56 zMx2A=>%h(O>u*Zj!^0y`SN2DtvPf9oXjLE^&?0 zP2qrqYH$K)6om!2z%w%9a5CZw_F+rbE6$;4<{S1|=F>u{(OQ`g{n` zzCeD!0-K{kW+bo#IP6ac03xz8cJnRkzqfIZ0p^5vWlofzH32%t$ktdslEsSkhC!Bz z9(e&Z2^|?T<$Lw#eNSVE?W?4_tk+%7Q_#Ai$eKhpRGt6XK#Ps*ZN0eHy+f9eb#k!P$T-=Dg1kTKmGha0vPY6kNY{oz-hDi zxN8dX!rk7_s{B2@iDoyreOu5$m`(XevJ)U_ApxRLAdwMbB!b*f07+0qa7_q9$ggHY zd%y(1M!+S&XCUMwmLt_8x1sc*j-kz=uVUcb#0r2wj@e2?M3JHq{ii(L#7)nY7G?dT1Uzbc1 z3Cn__FVhl z5E)V#8Jh^2nkkxF7+P6c+t>!!**iGqJ2}_8w7K@Vjk(WxcQmbS>Q@2Cx&=O`UyYWH zfp@liIo1Xjv%>D=_P8*8Avn$r)UpttFE~!HyfFQ}Ua-o{h^VFOg$D~LhEMBDAIq4_ zT+Q0eImx}wd(H>kArZVv2A@MqMnm)qPyr-E`&>YQbCSVB(1SoWSZ*r7Esz}UOCS+i z0&Y+DzS4^&fcysS2WtQ?fJlT4gmQ#7f>DAMf@6XwMnFLXLAv?0MBYRBjoOdafL?%+ zh#C0J5z7c$2}cN*36B^bg#d)`=EIU`kN7u9KWPJ50eK=tAf+Rf5w#MH(03+UVmcIh z5Qdv~%de(=xs#papF96K^Ud;~H~%?PQc7CptJ}XE+HiPoYX=!H>p%=HYYXnu_UR8< ztqH4~5QJV#1VJq+^uHpOlMDq%g_NANa`Ml`VhXnZQxsOHNxXnrr5i{`(Y3F`Tm2cd zL-d?IH~c8we+J_bI}i^u<0mRA+qAe*t(l9@nub=;uWk6t1a7gIaMiY@y z(J`@c@sE}XiAl*RscGr2Vr-%SfZnhgqnsEY8yz`51_Hzf!^6d&t)=PV?q4+}IjOP# z#_%(wV7EJwXn@olGdCx!d0+)2Y%61bl>>VQg&fgz>RFU*pE&@8CJjbbuNa_vAFILLAVU3N~cUseUzUyvmyWh0MINELTZ znuEuHr%>)70H(e{p)L>r0B{-^00Iae0O4A8eL+IqM?yUf*aI_{MDp9eL<*r*0SBBG zs)7R~P3}5~ztm$TK_sbfg}7#s;`*RPLG~JAB|$~GUXWr-zBGS=#RY@A+d>$sK}zvM zF;fQjK?`w>BE{kEBA>#2xte&cm|DuL4lEyo6<-iM5k^$_1+Z8B3efTSwlmB@clo3} zoMsFqCt0Qpzq_FZwej}~J1Odh@8aNA*D#_pOO4G2YpA+POAS|aZTdSiN!J1BUnY%CIb`HAa@Vl>W0BCV zml{i=ffU`OoNKg)GS&zEt6xj%IvYD zDN%h3|0jFhJ{F_2b94o`Qn+n6^^mqsUYo4f+*xY;1q55x7TzKqC5KFG2&RGtv>`4B zSG5Do%Oyt;J&H@??=-5%Ph&C9mwX5KtVw&-S#egQZGj$hZg7JMd3zi`3|3)dThq05 zBVf9MYiBj(UT9nT5=jRVa63A#jj5(vFyh*8jecTx?(TDTfp01#ECe$Pnm*+TD-K0&hRu}XD2*t~vL_(Y}8&UZY z5Jzt2+a!1bfeRN^zCl(9T*=U5S%07@(}4thhK6&3pdSY(9H=An zT6z^uxNLzMB20QH$#C?ACS2JOC!<2iA20K)S_bhoxg$w-`lIEt1a%6~2LhQWC(AP5fd)mFK!4m< 
z1Nf{@AkHdpG>}jzv-ueqDgi{%)TbG$EACH6y8C=e5(EM}GktON*eTrqToRTFynh&I zg*4bq)3<8Ik_L9ed(z!R>cE?8Vt47KPW`xodHTxFmF)Y|2?Lg#G~^7vr&AV}w@vl+wqhKkbzsw<6X%H-PpO6+$+}EnnO$93CiZnYkd5Gl5`*E2`Q1D zuEka8J6ex{6xiWHS97q~U?s~r@Mmza{=MLCeWm5Im)6p-$f7av<&o9GtGh^mEh5WR zRREH5TLDl0O~(vawG)?*&RS^xuot@W5FogcF#G0}0X3}8g^xgG4OGZ4~5bD{f zXkgeqHC3qi$-C>I`_C1{>33l(91`D7tLN88;EJ8mQp|?c^E}Gk?q7-G`aoaK;42#c z*d%jzIf;Qnk~`n7dE41d3Wy1ijv|V^VT^r1vC((ie>j56Q!Tlz%6t|lTl)Daz=C0MALf& zh5W|i61r02dPLrt9}cq&j@H|9-rM+L*VrwVFd+nsz>+gw7tT&-VTXLn5u-kw`k&bsu-&uEm%Bt$lC9rnrUukKCqvBrCTRrNiJ*|MLwHA^=!^bA z8<%6n7wx;B@ZLW-K|<(Sc;PY-2^~x&D+nzs9_fO>STD1!pXSQ2P!;6G*HL>zbON-; zTWkh}zNd-<^hLyyB58n_eywS7dhOd>HLP?IHNIB)%A9AkEv*BE7q#J!>J`wlPEE3y z>1Yahw6GS|3Ivvoe%;BaXmBUkY^sdroSJ zJB2#nTZtnp^#6d{^xyBuh5W>n_QyQi{~lWpfai!S9tZ`W!^k%yKA0@afL}-#wPLyC zDSgV@#U9nkgY8IwD|6r`K)ap6evBJ`9VCR?iX;uTI5$2-Ws0vR-0|{{s>GJiJFb~a z50ia1g}N9n>=>6${6Cn5WLxT4iiJ%SM_va^wL{VKB1f_e^Z=w z{F>x|+mS{rHMJm_bD?sQgfVFaRzG(PuT(T|KkB)3j3&GxR?sX=9f`r9foK-jWgY_2 zK)(I@ady=^yj;NnMsT<=oEQZ1YaG8o=EH%Z&!;f>EZK7uKlX+&-O@0*&r9O;gKL?( z!v)~>tQ;XUCugUEjHrs%E@cE8hq^+&z<5f%2M4N) z7R2&{uby`{0M;#=+8k%%`u}PSu-m^#Gu;9DH?kZ6Vek*1KL-wkTqq4#KHIMUkiUCy>Rk5U;$;bDJ>xFa|#c zw=C->#($bjd>{26XRU>{C6W2K0S>PFT-5cAH?E3-ssRoMH%)xf*N5m~MGnsqEye=c zvi7~HGEQZ{e7?;D=7YHPw`GON9$v75lMuqF0P_b8g;)wtzH95Q1i^aj|5!jC(=Akh zNj}OMc}g%!eEBf=`}=~5V^bN0(=>>FG*HV_gG=T%FS)Fg{b}q>l}! z6<8HV(RnmXP^u#0;df??+Sc-WF8=BsxWg(c{xlCHq}Gw?5~P!kwi)&ZTfArK303O( z^ZZG;e4^9?Om+CkgMfJjk~S1zp1mg2qs2ZWici036*G&Xs=OcSk-^V>TZ-2dgfZFH z$ZHMBWkJ|}K0sxp+2-=%9fj=C=~KjYM%n4dy;}x>YBjapP3wZV`Lp6m#P*RoHRkb? 
z1AKw?6182(T^qggG-gAig*rc2g*TVBbIz(NYvgI8fAZx!p8Ad6=nj1=vxX#Y@sf3< z-9Eml6LmhOd)~O7uqn3#^qt;aE0``%$@Oy00Bc)`s$mDyC6e?s4=39X68N!`M{30E zeI85lE215L-hRX~rP39|9f$W1kWTE9wE82y7F{D8UMIs~_T2hlbweCxd-%pwPZ)KU z9^boeQ_QOpi>|=_=|30?f>kyVQc-bNJfFht=*X)xR1ZS9R)RD>Kp>c%ChPTarl{XlquAV@SI$#1LtW$oSUve|9z%eKZp@9bki-0wKU zXG`4an;~P##3sqebu~+JWk9e`59eXM2|0#KCAzJuu4Y$Y>`&gv2%0fbekS~ze)I{~ zKUmQRtjOn$^Xt+I8h+h%cg^Q!+yQlTkirc%Z*2y#G4!VKK5q+1eNQzgs#o}Fq{gU$ zeJgGl&4=FEXN2+zYV1_er+Q2gR5F7Pj{bwUrvmoIjxD@X?Elp41$BX9DEW;Jn2*Es?lW3n@L`ouYqKj3aWB)Tkr67o6{3P>^Oa{WhTEethN9G z^(i%5Un3$xNj&`nE@Hrur-#ct{guI0He;w=^+t>RJwU_L@Ic6OuQPaWMj+{r?3Q@@ zG3$MhiS<32E1_=s;~aw5l@_>_X{XzLi zcZj|ZXm5x4cD(T`TG6gu_L&_jjo0s*X#2$+AguiaM16#z^2ko07b?WME9m$1;j%)% z=HVQxL|oeHSJ<%Ad(?|5v|169T({bAZG(9S_LkXg`|~!toq2MdlGlRIpK(X;OOa)R z$!8+MgqqOy?evBYfCQq~V%w06B`%7q%Klc!g>Tu~Mi~kW0b|{eTkOA%T&NPw{0pmh zcVl!PISLCM!e5O@ZIpym5aL{F#x3xCe)w+Rqevs~|3Dd+3D z8y8P13OVL@`1bdf8wZKTHBS%l>fUe{aPR9Ds*LQ!1QvK!L7@Bn{{cflyuUu3lRZ?W z>N8}f2j36hRx_I9uWJoT=yg<}026tGM1@RT^}!Pg?c+<}6S{mKp+H9+Y00*L(#DLe z{y|!R?Ywb00%KOHt>_?*d4U4Yen+EUp{*wT=;3ZwF9KGJ^teOPAej^$3oV5r0rM9e zV(GwF=n%E|Ko8!a|Azpe_t?DBlqMK65}MCH60!d!Mg(B`tqw($`V#Kh#qY!OVg>(t zaQ|Kk)FN3sFTEk>3bdp{44aJAcBU-fJhbqYSqm=L1D~N zA`XV_@x3As&y$$tflVnb3U}0OQS1ilkh@3_v*|4&To`&n!gepZN!hcwqktwW6(qUw zP#TF2vFVYtxP_mXs?;i}fXmAC!xy418m#t68KaT^PL_1!(@WWsq5}F{;gJNd7wNks zGh!BM+{*1H2_SmVn4YKSWRKj%NALr`clX5sc5)YgS6#n--SHj?Mq4;AEp*{{Ofz)~tjN{@0@zo3w$Dl%A(c2%R?@XgE-axpBah^)7XtPZfS~PfPMui=EFWi@o2LlbZwSl(y*3+dHQ`GK zq;%_|1}@=`7*}k|_<5uMp|JI5QCd{mc$(dO$m(Ou;q>do|Bs|>Z8BDTl7$cxXK%Z( z!KAEQ%l1s|M3Id}F*Bv(CBc)VHIiax+;;fCug^*1s(}ALER1c#rlM zH^lOVfqJATY2#TKfCez1S^wob`cD%>EE=Ii1`hi2-+?sr)r{n9$nRO4GvHE&h7ygl zUO@2|M|s21<@v*wZM5!Z%oh_7ck3$7|1mgFnDd50HSZ&r-G}a!Q<679$wcDP z5>gq>gHTO4VFzB3cN}-ScGd(Xl6Wn^ajkf8&Ay)qkvYtk$rPu0tX1hi=M?l%-tpL1K=hZKX`130;V>P3A}jmN&cdB`!l2G0hXQdorH(G z8!BmvcZj=Lzo9s=Zv1`DvCAnNQs{r^w)bZ)i&diZ|Ub(*PuM#RL>=lvVLe1PVE zmJ&{foNXOC6*X2bo-*L*UZ#P%n)aCt7?Xg(T^$ZHk5Koe{Rx(yo@EhYO5)*d3D}p` 
z0&{A7Prw-JD_-kayo+3O$NmCwT4;6o6qAGau9eJ4EyO69%H1zY`(Kg%pIXn)=(d|8 z$567R_|Np}YsD%0y|}z}J^=0(p#V$w)c+4wrj>=Xqg1jXTi_cm3dGsC>xAh<1-^w> zLg0=^`3Wtb#jMYwKQLFj*h*igvC_1S*U7=wG16`JOJo6(Vt$>^Vi|Nv0u+j;Bc}=I zD{xuLtoV33KB>+zQNq~M76%zE-%=I%4dvtN|w&LPMIC^h*5y4}Vc% zn-Woss6bE!>_eCTFJqM~Dzs$8$gn`WndzEo+@rmNfkyJcjo>?E!I+5@Hl+XeirG0( zpump@!oOPpILdy0Vfi?vp2Z$rPp64PUoH?JN*{3CHhPoC)1;&`y5flNw5Cmc^s$uw zUPVxS#<=kMjT|%^hu~usC43`H!7zo;aK4uaCmZht@e!PgsVI1&g(SF#Z>uJ|CM6@6 zY^+uYTmApOvaRRMoCK?UnjqzCM{M|{*Gua0;C1JN*1(4Vh;2X@bJn4fWHUefSCGDD z`VU6*ERMOcmGtt#*I1vMp3zZ>GJuRX0~gf@7E>SJOk7gfj5~uADRYdj*Z-qIGLf(c zc^kbwpCpkfBmZB7_c`}URtPW^#J3z?-2@QuhPx~RkjGa%ZpxYnpjUQ0@stCG2J{v_ zRLZt`JUN;4JJk{YRmwz|pVVZ~YY-;tupqu>pv?xRj{Wpa4}W}1iM2twJ7lZtiRD^z zN~tNqrp^|$9**omJA-Z3t|TBCE$o?5gO49trh2py{Qs9Gdnc$RzeB9nJxp4f3iP(% ziY19j899YZ>SW_)df^_%EKGzglDN>|_N%_?>;@SW|ookP=qM$5Yn++O^{tp4J ziy@%Kh<>F1xkUL72%dx`(8vB)V*3xZ(xpYX*TX$KP4Ut>gAP07s^n_jh|Jvdh{eQeB`)6nR@W;do z0mXxI82SG&Hc%$)vZ|F9qi~$Cdui2&2L6Z~5fIJ$gC|&|>3=e<#h|Mje|6ypj#y9Q zyU!{$$LBhS141vf${$2<#W~%SZ;$qn<6~4)VO(*&F}rBot#Won2aYw%yw`NO8Ie)e zHt`lV&iEdot$WPwJ<0Beft+zf`R3zH{#pQt9jI{Vm@Ezv{I2eqg>VU^;Ek8DD)Bgs#{EMOJ zuSCI$4?lb8?+=RycN^~hN5}gA3)$dtxfs%-7EqZMq)Ur*xYdu~LFifhl`NR#n{5~j zTD^T0P=%oXqBwAhygkUj8}cA7LE*w&DmwFOdFbdBf&8vxFDit%CvM3ELb7 zX#ibHw7lQ~l2<{P!$gi4V6O^VRFJjI$l*i>2ps@8JN^tJ?Av%U>|s*{47jM_QSw03 z1U+kCqgoY_0?(i^ARVT}aR-fRwR!?r3oshbA{ZxF7%(2gDvxB9zjf-=X>;Gyk&+T~ z zd8;W2z2h7%vO5O=YV3+Izr2{GJ-UsK--dl<-TJRL7I1=A{U36US4Dm zcgkKHecc)QwS0Z$y+B9l42Whsw3tF|>J$Q$q$(|H`CimUv`zzD_lLmh4YE7-|8oO0 zwNQUJSvF&nw`@6BvZ;BC-1=Sw6;DHduc)**z!Df84kwd$4dxZy(&F((l!f2yve1nB zz^G$OVeiXG%J*7i;P6-X=6gO#u0=kA<6Nq9L+@CEyp`a%=-$HH|M&Wm-#VljPmg*g zX?E$9n~jNei`iBZf1nSTIoVzjRm_W7gdGzNvzbwh-2VHTUUGCT&rKJe@fQwv2YET8 zTC|g0o!}-Wn#@?!HvBhWXw03xr&Dd2-k_3jWWoQ3P<28*5mT6!FuR)~wV3>WlBNIq z!q~isI|0V{d|Xa@TuY#Z4}KG~JI32Xge`@9IfT z0X(Z)|DTKsW?MoeYjNmo7~pZd7arK`NTIROPfNJz2T zl03aI72zd>-awWSQ%ZlI9JLpWoB=$YUvv}JbZ4g~v|8QR+;Go+l zBVnW-!4MYX{$Fv%?kV0+Nm4^kGKLH 
z_l~|F^ZY+ffQ&}H{{NfN-8=qIA=KA*L5;jS!0UhSCumad6sde1=Aa?sYagQM6ocvi z|F4*Hh$wobBR$D`4KqlT<3)G#%pl_XKg^!~bdVpov=~&yff}v zN7xD_?6?sy!vf8)ck3$r%J{ZlrI;PzR9$Pw5^oZ(jPo9MslMV*w0v)`ID2WsBM1 zmT|`{ozY0%Zc`ck3JPN%bQAC@Oj3hPc_$h5DOcCL-Z7N*fvfbdA=KOKur1vwi`=GM(xFqTepL4Vz;7D9U#*^} zGs#$xs|-G?Yo|6Ur`!_P+jxwc28OK|`%PKvc#X!rZKt4P{uc%_2mt@cgk3l4xT#A@ z9oMxSG(Cz0>0u3;3*Cbcb*4zVQuTTt;;hKfQ( zpNLZA4=uW65?MhfDCJ%`(e6M6Gf6d007g=cGjwP*{*|o76;EOwRpbAMHd$abw$g>6 z8rSGTs>Z>lKSo8PqMtT>2k31xNML{@MUnY`r(^WL_f7jN=&nlmCV+3?559q}ygA7G zxaIuBv(UrS-hBSXeD2lM_rrEwbCT@m}P$UJnkX|jQrTm7jt{XB;JT?vRQB& zWydR2$H^YIC|Ez{s!^TK_|f{Dmbw1 ziYIw^G#huns(}vb7`{eExYY3H{vS#8x*I5nR5DYG1mq=juno4dyYk(cHgEyHJ9p*Q zy~^(Y&*8%UF>bT<{eQPGc1(le3*Z#rz#g&-g1bR^1I4TmLf%9;&G-Uu$Wkz%_@e0}Jd^=5#OYDsG3o+e5hq|3u+({cBJUPg@)6jV_V3}B z#-@BD$D}jvBiM{%s8=jrE7=NV21?29=6X8Ka(TDYQly8Axz_ z$aFg-yP-ID*pC79wcG0WJ_Ny&E`SdPr~vU809RjX05hlyJCX3Wyuihr$FHDaRlU9P z)0fPwDle)gLMBH^h@G!)@ryuXCuffL6k1huR4!m?=|?z(sp};AkrMF81}>^@DriFj zR^Pf(g~W%3egsa87OM`bz9@M?(i8$yg8$%`5q%7?8l)se0#{9;n7t=|e#HO>rPuX> z7O)|qQQI}RZpa*x*n9Ki05B^vKeBp~r7>*X>P>{6BwWrWizSBZdEAF4==8rNBq0${ z4+>Uv6g+IX;$VbRNskEn)MZ}b>9OWy_`n`uk3u5|DY?KZtBj0wtgk(#cewZGyn1t51m`AVzJ{<-Pr#}Nlb^xLFCC(*dS+E$Z z6*wL7@dk@bORFx% zNU-Hc2tFP#F{X*tkY?3-G=>zOvET_u_r+aVy*M{`GslN;a1RzI`#Ym*XdcoEcz)dd zkDL7key7-#JNVTu?2+9Ou~zbxsPp`x(B#mwlTUW-rPP}p1}>~s$xX_53{QPpo_%?<9ZfPO^>*`@r*llKfbpx z9599T7d>)ktNHs$`2|YJZx0MQ+B@^Q+!h>zg7;Ej>%XAz>M`U^HP`z1AqUE(cC@dg zYFf3#4vs|sJt%bW<-NRt(6t!J@#>vg^Z>S`FFN4`wLuTZk|1B7F8DDIA5D8EyMKr>tnz)wxU*f1YvGL%IZL$x{67Ok? 
z3^UTYu*q&=n~sJd^dNA^5D9`M)^V3ts~|pv79KgUP&ZE4ork#9j8%=igzZ6UWzkYt z;96AXr>MV(5Bm6ieDM0ybs2INmNvYp1E(yIr$OBaTsz4dYKuc&%uKODr;<~;SGpY( z@Jxm*WsC(_^G-hXEFa%1ItRZ0NX3*+^(Rb_DKYl-Bj+dz*j57^+(8^N0xg(eHse=d zW`h-BC|(j2+wnWjM#oGT;xjrYmERfm4$-`8p`cj(z z_0_aQ;JSINQN})tRxuoAohJuK*kt6+;f0h^H>j*}PpE1ra+vj@xCO?=?i`)kNw&j3 z5J|{5ihO;bE+C~;OJxNVx56VbQpn3Y3$8>RSc?4ma+I z2Ijdt==J#0-%62ag~K6`qL}X6Eih4w1K@vn4A`ps{6KfKgcnAB)1HdhX3-{R*8>^3X*{y@K6wWF7gyJltV5}Hq;r51<4(&n=m!VLRX zd;=A!(~RrLz+7YHx*3Q>|GHMR!?f&D_ktEaajODv#n?3;efEWYs@}<44W&UN-Ld5C z%+gt4$Dh`&4IEnRgT6tV!rCSpct>sBGy@u6^%gM0o*lJqNfoSPbe(*F=`*9Yd8%*# z`|kdHcoEZjt(v!)(q+Nb#D$zV1R}2$*EM47nXwDvK^9X!X4qt#qxSiw4H&jvb0)z) zD3yo+XOK87vLe@tc$iut%sb9IOgP59-F}8w2VriQS}AYW=Z2;uwMC#;+7Kn0y)cWC z!dmFJ>B8196mtN_csINl1m@FSpt|}+$BoR4!dPk3s!o#~wlKa;;G>~BdGalA3NOFL@beGOKXEO=VKG>N^Zx(JI`3sn+@K~`?MQ>3y2Zq08Kx_vc{;fauG zD>PQ)NKn-F$)UWi?>^{-_{QTd@M_)}_z`o>*~ZGR#Ljt|(adssohjWT_EsVbgF0G9rIc^83DUBzMzPhkehT@+N zS*V2-72U7oVFDs~Yw8IHcFM`|2nY7KY-$R!bj5*P>XE~!sObgT1pxS^O3IUJB7g?yda8wsb{LC5%W2wy}+R+NU7sU*Fgw$ol;iReRqSgNo z;7M)oRCzYn|I^$`%t13esKqUcY2AD0{ZzXDs{mrG&n~vZk#~y8&Rl!ku4eHTGTqh_ zRG!VA8Fq)*>mexv4fCtUTS43%TQgm+iueu@#v#cJ+u_LT9*`(13oC)}qG5L3*no1#1)-jg zLD$?ZqyJxQc@a+rtk7%4HexiNdW<%-N?pOimkA%GRFM6p*-(K?xlyvYXk3J8WNkGX zgu%vl@b_hFP~{kxsn`Fn@KuN-W9IKo28nxd@MTLL%v*)m*^ButboBQ5^7GY(=mXtZ z;9g$*zbJ=4!xE3pDJb`^Y3=_Cb>#ra>2>k$SEG}yon}xpfZ2V;%}3*W=Ou3Pyb-)vM&=v%c)~(aH1nJz3F*UbEIn1hYm5YT?X=M`dhB`I?ODhYzsLm)%sq^?%CEG|- zzCmENj%C1ABb0A4Sz|khm(=Mc23d?c zUVrq8{<_9R{=kd6<~(lM%TLCOh*r6n_m~SRWN`KzxgN)maRzwI=<^y=?gCW65vHF3 znFI8uAKyzG2=wDNZ2t2}cnf~)y`T)MnAjo1mx-MkBAHkO;AeBc$JeQfZ{iRJ^c91i zK|!BjHA-`vA>)`q(`tn3IG}f=NuR8K#~PE5%yb5S_q^aaJm_w}C=M~sB_mz}nBOjN z+IpEO(h!UC9n11cN^^?HzA%9{s$}=e6a(zy;ZJUpQT}@XK<@EqaOqVfw^P0^!j165 zyw{3JP%{)PNJAhp&Q=GQ5Fo$9UzN`VK4UZf7SKzota0%fXY*md=xT!enjq69%{`o~ z?=JSe#bHUZ*i6DYBo3c0Y+?F8{hj@ydo0b6-IxP%{A;FE84fcmctV8x>$5#qmD+ zlWemFcQZWAKgY$cF~@2jIs45x9_*|s<5&S~xFrCOWFkX~j?!grd7~(tsA$`7xwC~D zLQmTlsqZ3%!uM?#8N&wd!lBmDp`q;r>ILzO8OKxk($TFX 
zY-Di!`|__Fuz8a4DtE?KLaXwWX`ZHF?j$+BWe$%AV|CkU{#~qk5sy?V7t^@|%OVqpJnn<=x`{^|l zJ>S@*;2gQ6n~w357=A_MImX%hIut-EhkV|`9a)rHhF6(!?)m?=o+=&1@n=QIU%nWl zX#&zRxI(%qX|1T1SQG1;k>)YQl%2yQ2rH zWCb7%1b7Q=M4bL!qFtRv#vW+&koioL&1~q3KB*%>egnqI8g&M+GROt=U;HJ|;?vxZ zY1cPZOZut5hH=PB!DW{W3t#wPHIzmr%$XOhUBkIgsRdOYIvt7U@8v9|l zMU0-7uza%7@aEFJz7+hA2WsVj%!w{sV~dT0YBLerV#{^&NGDd#&%S)qw2HUdq-SO` zhR01v>_AGZyYXY+%}(&WZn~vjA>lys&2|(q;&DEUqvsEOeljk66GDxr(oLXh)~+xz z65-j+nVX;%#Bw~2(ov3G%BSn`q;=oqYVvihf{G-Ggc=C6LnG6n8#gm|yZ)2|$a)>49L3JzB1TYTq&z>TXM*+-3J z-bZ%_G+2erBQ7q>saS1wW5*-rs=`v#TC*2TwS&keUR5iQl@jz3_8_2^N`LI&Z_6ax+it z#zU7M*{wpECJYS7A$51RQBJL(myBOgr%&nU09XEytj!ScdDP$4X!6zf4&Og>pP>HJ{2bA7ctARDDF5 zNM?^X`+uq&UAA?+VHP6iWSx1pVSXe6YY*tL9#F0c)JZ>DQE}74ij2=np@cN`pyD_= zA39v(wq`t#&);nkS@ytFS1sAR9WJ*z|9nv#@AE3dvTmR8u}omvk;NAn#cq!V$VEqb zlO;r3f(KO8;7>%`!iV_)Quttgc2U-8S1Yn4%%!l?jEg_!^b-_(NCR2M|3Oqbn{s z$JWeG%X{H<$PGhKRsfCJk5AR#CN^XZJCu z(DYn`#`pV#?mLcO6`;`#Jk<0)49a@F=Ts&8;E2@G7yK0j5ZCQFzi8l)fAks-c`r|7 zz0nylr${FbCdI83p88xEH3o+1WNyYEdq>VsVV6*8E&}TqKR}xQ-Iau;rzhq}=G(hu z2zx5k`vUKZ)a44cUzg98vsNd$cReq3TYu}^@TZ_$Gq^dpmsr3$35&&2-kiKeh~j8O z)GrmC*n0d`83dk4v9D9LY$+uG6CD3e6zSvB=<|9@|Qq*!2L1QZPM)d8q=d`dp-4vn|KDx9X}b&t-r0hFz4sejqL zT+OeE`-OP8_t^hTv2VFyQZ~I zAfw&>DZNj3H}qEyPY>tLN*B}-FcVsG^N=S>2E>%SQ>s=~>ug&$)$402+CT??4%48i z2jyDC@Mo4^!wd z*~wJjv_=tz1QiNf0iYi~G9>3i`CC%04`Sa+mn3SgUG>cM8=Upm>p+Y-gA1Wrm>Q{>*CuR`XmZJN=^l0zV+H=XUrS$YfHem&QPfpjR>?4rU$X;= z1|Wo48u-UVMY1!mNQ7LB&JFaY>WxcRnRTm{c#HKe6hc|^BCR^L2^ALz-4?*NdyLc& zh8E`!hD(StmZAgM96(%&ZwzB00c3i|mfwvaD21u03lARpnGiSJ6iN+zx9$cqe%zLFr)&#a#{rekAV)ruO)>B@UPm!w>Dre zWfoGa3UMMPP4fs%Ge5J4`~bwC6sp?z_}5f!Q`*BS*p)ANAlrVcBafzu7S%8oW56WI zI56Yk^+v74il4O+OJvIkY6%Vgfd8E?#anVQ{qcm4Ei7Nhgb3qF6Xt9kfgt&NXohw~ zcvJ}swp3B)=)sjlt=7H?J*oH;IQeU6U%E!*7KG}`Uqw!HC0=XW={jQ_N`TgUo0zI* z;+lkrg8UAk0DZ@z05OO@T&LnTwc`R}g_!!fS1lK%XX%AfLz79iswr*H34JgXjJxyT zewXl*=`h|gNa-=Cf@=?nSXfBxkwLM%GE9qxog(=Ss%*cWy+?!Mf_GoN`i3=M=rUdI zWN*PH%_pxu7ZeGmXI_^qMPvgWCk6&VM@j)-%@>?a3y^avkW4i|v-2hu%V_Q_;_kDL 
zQq{P`-98nF(Clrfa4o08Gfpp%yif2Nc%1jk3jMTd;>Tdk?KwwuC@dXWbG^$*SbHn( zi2ED|MCZ}zf`qs3#0^HXXFw0>GQ2Mtwf^L1|m|^g9%-QG!Pm?rzk{dv*QZ}pYZ>Nz0OfH zXI8%={kfR2$zVAMf$YS!-ZmK{Awz~ev!!>i5Hf|2p`ATgH}#P-Tc|3gToN28{0uEA zytRWV^%Uu4qV5+~fk%n^;Av8z=Z-bg6o=qo0bBpH(L9!|t7HUVJ~es z#Cc&`|1aXBUYqxL+P&U>PI8;H%1zBrcq;li$OPp1M#Wq5Ucek3fX#{R2r7Emw?mK_ z9)!CEaM4}|p3dF5fdI<9`K%*2QFcvd>>P#-L$N`*4m_!VC@iMDUj^&Jp^PlddyXMt zUc{H$Df`R}GU5b{x$(}`T*LkLu9*`QZtM%?sL%wX@kkfLcA}2SEi`Y{;`SLE;l2_d>kW*tW)rv3voE>&cyC0Aq<1L&jakSX2XxFBIw%H` zkk8V;;=rYJ|6b;KiyVKembuy24r7C7PwGi&qc*68!*q)x0MDk%(32Xh6Nj__<#}%eMWI1KUW_b?!0mZdxcIpWFD;h;N!Lg0 zuk9s&!-#K|>i!2@o;Iei$^y^nk7zgdJLq2kk($_ioUzi%%J{c{v{fCsplP3JNG-&< z16F9Od$#KMtiWkbpAKV}=tdITWOLpdmrQQ|eP$N23Y6}OoV7&qh%vudx`CT~0)D7WN z+PP2@H~zj(@{i0*I>-=NL{LbtLV#%FR5LrSh1)BTuF!EV_gF$-HUM~f_hT;V^A<|v zXh;fq-wM5>dv$n}`Z!r;iJ>HuaPDPrSuM1yemn{m7G0X6ksKnGoTQnq5A_WfAOTPk zvUQ|S3_es-uqzAtT#3c_|CPfkhSe-mNn6RIm8@xMvXt4F2)3MbojNaNrpe$%@0eq9 zm#iQuv+E$~D51hgNfbqCDhZ#W`!o)!m%Rrn9q+^tq_Jj?+mJRX`bYyd>W;%W~ zO@7mUfa9f|#(?C$KBlL-hiyJXf_?5MG7CBzJi4$&AntDg_+T`M>?;L~Zs>tx(a~ojTl(Yh!9gvni_}=g}Q?(RCcT=#hEq-sEM3l9UZ4CkmC9C-JkcCxHzQW z?1@V3<{HH*zsr_}WOLMU!~*m%O0wN(Rul&)+Fj8Wh2ipq)2ye0vbS=w0TIXK;;~xE zcE@^Ik&Lu7P4tzjHa}`;_|->=k8lS@ozOB(mCY6*rhWaMu4f{e_GoaDP!yIWW|M4$ zAh0)mt!mAJ;ucV&6?vVP;;&GmQ|>i9R5{QPdZq{xZY`KzMex6eLz5UlIO1y{^EB5^ z!)Bm-xNTbNh&=&Sibqw_(L5Vu9@%Tc7@a77AfMD9S93^=Pt1P6X)O2a0bm8B-)~-J%*_0gNt{WwwJ=@5G zaE`>&eRDoS%l4TzQF zGG|t0DwHd}w6q;StlRC^+84q8egSZ0l8#;7|8?LJ@R)f81?#RTVv7t7j?kvaSd|FS zWM@?-q9poP7=!QNticix^$R#r+nZ%yMM#sRyPiQ0_VdVFohc#<8kA1UKNg*rEEmTC zb(2O)p}4Cn{nIFQ~`uiCt(zopvwAUn)WE6PeD!$$#poEc$ksPm_A zU|PHN640mv1^^=xU1p7*h7S9%WuZ6r>#DR6*Vxw<4(WM3K?xFMK?N$a#nU~Eg*%^O zcxJ5@{klG;O`FCHu}l7ixh=N!NSjs6%Y0EjSueb$DS?R5`-jK#cRPA|VfUT13c#*q zegb(JAqY8|1mHgzS2$g73nxA|O>RPBD4jPZ!DXbqiTuZ z3|-?=sMG7%4oDu|N!$6yc%Z^tvq7D3_BLK=L23aYWlwZc1P{g}fDK#iggK=u-b5Q3 zT%mNOx8A&;na@A*n8F5GQPE5&v3=i)L5O2`DGUffAbQQIQ_$ix4{q(KHgDKWWWvCV%NRizZ5yV`IuTxD83pdRI3P3VfAaMs 
z-}kKj!rUey!iQ~Gq4VkVhYu~fI&vfHD1j-+MU&bFp-8+bz?{^ZSBZKZ>nTFUO)^&9 ztYU!G+5G&+3E!zX>UimD!0AU~QTFEz=1wnK2Q95V0!yH*u3n%~ehwXbH>j@IToor> zQD9*bC}9(}MbW9ai$K~2hHakvPd$Vmk5_umsen5QuZ!$nt}6*ZZ4qQ5#<%p)RI=-Y z`{01`tpcw%gxlLMCwV*@HDvlQLd1ZQBd7kv`!+(|A|nI9#iqn2(B!EGXAK}l33g~; zymXs2dZHVNl*p15eWe`B)9Op#Ym{JLM; z24rFJ4WKy7H(Bp9VuCFub88&~KEBc_OgTtrE%>7(F@%p(cmGbPo_!-R8zg{~SHG!= zKx!*wCyHkYzNK$yXh;>(a**FiJE^wY22N6gQ1(fEclRIr_{DmH$+kn1w$JK*?xv8= zMwZE1Tt6TeBs!Y<%Ufhjx8x}R7X!sKY}Jw)G<^S)v2~#fsY8^H2TK~|)(m@-23jBO zbM_#g-N3xj3dg)+<`Oy-8Vx!GHH3qVnBiSr%1D8*AW6F}5z#G%Q&J;>cEi=k+*zf8 zN`U(vqlH^=VIhmGS8KpR{Q+19$E%}KD2U+{AI40a&SwBAhzI)lMthcohc?mj zZ8cmUaI)!$)}>pKKa#esKv3&%ht$c?StN^G{FA>H(h) z1_u@`&D(yHL!=Je@2o85r6h}NpKGg1W@J~w>tjD1g+FblL z1>dv!kd_1_wvzsB;AoX)t@IfhO!{jGjx9Ssum*qHT^VZ?Ed7vZ0P5ygh>Q1~Cy^Ft zPZ{2=>71Z6YR<@RIB(J6HhjH}Q)9%0;n>Ud>lVhvQCh%vDzs*m=cr+yd2yPIAA8>8 zZA}>SwHga`?=TmYMQ9){1mkG^jxr`TN>gDl+eATpXf`xt=`F~GV#px|PyeB(Mc;tt zK53!~hQqV8k8Cp?mLWmX!OAKWb5UpOx#TN8PJz7f5YIYFQ?DRu-G>+8{`33cPlDTO zC0rbZu$uG#a^E8%^F{+6J%r0KQ~A0Z*-$#LjjuiZN+UE9%hH-|)z!K%=nVqE^=vB@ zeG`|s)b}1~H|vUOqI*Utoe`)L6FkBt%3nIaJFlfoidNoWwl|=xd<}kTX!;)cRx?5L zTF#xo1m?402;kK*>xdZgvQT`NHBUg3OySTbcY`!gGv_O*gABCiehjv?>aim*uFi#v z+$`lgH+g)V=5U6RJ$rk}+$8|=Nkv;S+;MNw8Zln(rPRu-F~DXf_;WLu;e5deFNH*; zsJZ(7;T39_7xnhGTlYT!xevqG=M83)5fpdNYC9}`=#1P%(3xGcmt5i7=R}hGC{oN| zK3bg-*rv?zMn^6n_~t+AfSCFCOb(}DAK5EF?wW&$tv6YI&{?&<-qz@$OqF zL5EzhUM@ISr9C@Gy8tUwNke9N*6(Z%?ZAbHm@c`*tREMJ5Hh{^3FWh;0}=c)Dh*dm zFbuf#0i`pr{kds5KnATU6H89b7kY|Fu$Ij53z&|PKo*V4Qq0t%nKlZQheGuCf-RWK z6=c}#=}x&^0kD;bEU3H1Iqg%|4dr1nF?=39UI%0Yq1BcwXpb--!Y{cg7@pv?rU~^c z0SvzG%MlwP>;@P>h2@-&AST074=pxXqJ8U`#R3BbI%f+F1{$=LTmVY8#wNv#XM&^2 zAhfU26Ek5oXMCgH7A%e12UA3k zjiR%_rSI7Md97(mLY|V>Ele#~jRrq3SrN__c6njs(|?np9ZKXC z(}mgwa-!@E022eE?xF-j>1xv2ZXtLO+qM+qH{8VPS*SG|s>s1kT_JTd)QI65uwaD$ z`lE~e>xg;Cv*u6^!~i&lDR)>dtw^FkPKk`=a0IhR^7$|R4=So}lnQcGn6x!m`WC?M zOmTLTtmwN3p*8p89r{Vl5$Xo2Ys9&~WCA=lvS|E3EU$-4NdGKln(PhP3Uh>e?Xsr6h?1#BC;qvN?;cXDPrec587RGEty=7#_<%&{Gbt-;#JC{i}V@ 
zmrz(PWMv^U@+ofE3XRL{QHDeASn6#W+|yY#zPvWUOvM#9Zzix@P}=uo0w4q!s5PDM zbhI7sgTJ+ycl{EFjhN<75k1wMvp|nB`vy=$N2m{=&PPeS)h+E&HKQl9hfxKrizyFE zb(A?aYo3J=3G!h9Oc=>K&nW|Gh8w+f%;qzZ!?k-JgF2iQ&oNunV;RLyk6gas9xYo0 z=r4B%xboN@_&8eReQ!4uJ~#r(HnWjBc>4hw@l3gVAb0S$&hF!h>_xnnH6tMM;GlA$ z?|W6srx3WM-PS=-$~+iCIf-1?`$bfSH+KERRuMfGveX_I(F*uZ#&d>B!1Vpp0;y&3 zGH$4@GGQ%@=9WFr47S*ZDh4GUu}OD`;&=;>v7J;$E_@hAk#NyOBYL}J;s$WHeuR37 z9H|>3F2X9vB>dQ=`^`-*I*c3q9FS8N|ndJ zs22AB96im@oaPBqlF$s@GNsbp7f6FW*=*i_;vzl }a&!Qc+Dou_;#ql(>N!FwXg z#m$rXRGZxRy0zBF01Y@ud-Qk{+-o49=*OW@mAKl}%>YJCIBU05jNtb}xel#r-f78{JS1C7L!+Qo{kf_u}T+Lm7vY9MqwQ zFOzXp8ig#{0BbYck#iu&unv!pRRKQ&A(mFq5KUie1FY;Pn-s;x@^Y#!_8Kf$Vu%(; zu$w!XZ44MGu&0%G|HESx-@H%MC)R{A zrhWJabAI9Fl%Aha8F)+7rC_073_mq0T^MGfxTkMx!ap*bkHNk`FeNf%vM>;DvE&}G zAp?&-W6CVrWOpx8uhiP=i0YrAt096{1ZjwLpt)39Sg3!3B(e}OI<&00cnJSIm$#1Klj_|K^YWM_A~-$DIK)*66_-R+he&j2|n5plfaz`kS8)L z&WTL~vpWXGbWFPU*s*Uov6_+(Myr&$J%}}(+b^C=MesA*$hee%HqAIKpQ49>Cm>R)5oQCSo&?SePmPXAiKJJL z9gG?rf>dyH$;A*&Ws>qZYM^P6!SudrfU*wqTL~aU`v8{ZfzE=eZ#jia3%WoT?wV!n zfIO;K^nNZLs6(f?y*)e1!m%5O!_~@@KpgkcdR&>E&S6?FCsM*Rd>M|upS7T|&mQt3 z0DiR9T5hD-`2PQYvgp+O;)&v-*)(>B_j)47JFb6BXh=Mqd=Rz{(TW=#u9*~lTi;&< znDk1dFZ^ea+^Z^!;#{n({UKdpCgt6RreauaFoDqPO~){0Lo!3s4Whv`DlsG>r|>DX zE*DIdfTr}29;#0mqkWY%Soe@rIB;PGj+)aBkhFDSz0p^Rw@-d#86Xh-J5V1gc~hl9 z)|ik*3unV5X#x!4zh`bCv-#PO`w!q*#5Uo^aD9I0lRpa3eP@_aNWD1~#O_EF-Dvc3xAU@nz_FWgQSPiCo??d_ z{rO)Ji15C|G`LP@wpVt-uzT!KN5;IM&&;e^Y2}=6fZx>&13E4 zL&?sMrT^%Mt%cF8tL^a)6{geAJm^T;S_&>`tF@Somf6dKQx<>J_9&7lO76LiQq5s;F8p42J5hY+$@v0r|Enmjmwn7TFl=7Md*SH zYo;MDNKmSbJ5yL6TRHjq~axr6cXeADT zr)WnH6|c^QhW%@G-ckHJWaDB_yT?P!4Ed?g7#MLb7Kq)7YLf9Ltkh+tYL2k`YtBoK zOLoSeloH2AU?>9)lK6K6>UQSF-F?14eTl<6&gB6}wt;(Gn|jo$qVmQ6G} zR#Z8-+A97ZP+yS>woRUBx9UC-Yl-my*0_*92O^C&AP1Tavq57fM(B+!HjAw@t>^X! zHOJb<OJvh_^~PTxu=tBWn_dw zGL=oiSxFnv)*KgP1n^_SIkW;j`aW}ljS2SP4%`Lw+DNEAIFbuuoj3_~OZ5Ml6YA5! 
zXx#YBe&D9?Yy|Zu0IV(2kyvk>#Kd?s6(D}a%v7OmVL9!|f_J%5PP9G@>4ESLFv=b9 zr!Ng*O5O|8g-g4Hn9yFAb{9ckic=h>5DBr~V}nspG3djr_>Li7DdMy$pw?BD9N_IX z!Q}Ce{*P$MEv$fQ+u;`x*tSzSag5m?JM1ZHEt`QBw((ThD>Il_;Q;b1_;?_#alv}> z=GqD;DEkIeedR7i8l9lw0JRdI7a_E){V2^QzO4B*=R&z2fq5YXa)0(h&}1vbIQe*S zGirXIIa-HDsO9q{2Mp#t9uRj_+(MUvF?_KXo0gSC2n4nAV%fB1^f+rg1(oJ7oZ;zd ziIHsyzgck3rrtr*KT@n>^U#6lQ2D`0s+w^VE<=Cy}4oY4UQx%~3sYSZ-? zFoYXMTzQDE%0x{}t7an+Ad0n|6IeKpqbLd2?NKor<^h7VgJ_EL>fOE&)p<^<9?y}>dMZP6T!?KQ^43>o@QUNv*eSGytE zhF{MgQv=U>R@B)1bV?!GhibmL@G+G9aRY*f^t(iLHZ^noTJ#IB7e95QH(eExB&zPLaRbZ{5X5fDzI49Ia(g02R}6$M z4WdRrnZ=1l1*tJ&wQnoHJggr4!KGl#EvFZ&4yAOd{HVwS+*ffQ)Ig$ag#9O>NKX%m zW7r1t;s`++$gEQn>f<&!f!!upRKz?lidjd&?2%! z!ozq0&XGKltgUQ%FV2(PgSgHX%~n1Mv{EEE70E-us6}mfe?E&un-3=Dq0PvsheX7}cS+o-H1Rcv`0S+e0JRz?iLO5!2~!ge>Gik8Axxou|7!r`(SS3&?Cd z1I*`QBGczs{xaQ~GMoSgy8~_8o?d$rAB(-_#_|crt)Hi_+uX_`3gNKQN}n@8fIrpq#>jLx)`s+qo?c= zCDSe=W(!`SvQ}3fv2Uh3DKoJJYdjV;zD(ogb1Hq8loafUPt|$weKK=<=bnEtUSpE=NkSp`}qT9rC60KH`ZM&OSh8g%&zu zWnx1vG(FdJWj$IlYRsS2GIvoqGv<5#4s0qwI9e*aJ2v=oTt0!$FSY84RKO)Rq}Dts z_OYEXWi?Pd?-wBP~n=-%lumf2vjTmT?=yZ1C1D^KDqphqI%bRIVUGhFSDh0-t9xNWW~l8IEvw6 z59WU_p?`J?elTD?J{S|$-`<==JG|J#?5Xg|jhpb;IKFADC!Of!65x(*{6?HDtgXn; zm!SMZe@r9?{>6m`7C;aXkEsI|I#?wcFC=j=fL;`1w5V`$c)$9dZm_Ezao63vxINR}==n zlu~UhXjFM_6-ZTwAmekXZG$ut7?eWZcO1c5k~FN$WuH(mkh4ApJByhpHb-Z|oO??0 zu}A}1jbt_IWE5>hrZ_V9!vVBHCGxUiQZu@P*N|>3|0ui_81W zXgz&zrk>|`6$$vRm&mB4vt5Y=5vT}S58wm3*3+F6caeN28uC*QGXYkfP6+A2bm~>- z(whV-T7$M&!uc**Vb~b8F12$6KQm?EHG<0xVmD~m8Srv!`%vfn8{;QgTGS5mxITd! 
zbnN85%G&B4^KzL+=4U}H0ZBrv!_IsSZ7Q2ORn5cAm3B{MlUTn=CC2Ja>l+lmV06CD9NFd<~wA^`A zx}o=^$M{JAWh|&f2f`iZ$^Pk}hp8mxRQXvHq@Xy4#T!{Z6W*ZW`hPfClCrc2<^ze0 z#lDOsT~hP5#O7>qvOht^2%PRZ>W7;B{E5~2@gbYlXC%=cWvY>esmGU$Mg}bh9;(MN z9(?D|?2zO2ec{ce`_dPPRPAHXarmBn?V<*exVPOw-440FnlrzCF>}R-?jtk~3IA3F z=5|qNv4Mf zDJe8M)L@8pC3U=!`Uh(AXhm!952#Q!m_llmG)H6V(gsRt+*;VUD+SO7!cdXZfiuhC zcc&o$Jt`>X#f?wrwD;vHsjFQ1s$#C#NcBAx$VZR7ln!_DQ!C#@7hd`A{~B(MC#fZ?ddUSp*Ly()ey`@dO1!s;$J>1RHSvUdUx>*dsWKX?+BwCV^Lwf0pLNVRvL?|d#Z zhy2VpMn8&fWIY5mgyyad5&LX8^$I5VNh~tYmhY+9VD@0^>j$9p5x^hWJ!pLYLZQ58 zGShQmd{gop>&A#6Qsa)ndxC%P{^?T2nv>UOJy=|Rq%`28M4j2d5o~glfwJ>Qbg69y zc(#C68qs>n1LsMKnF;|zpBpzSp3Zov?oZIIDZ9@LsUB+d*mX&vWVL8kNm&{2lk&IO zbrOp#^GNQ;#ttTg77xbxY-R`Dr($^8Yu&I{8nfV&h!*skKh) zzkUjd+W{aifdu9P^K~$aH+!%AyxHF5QYOdA%hDyrcVj%)Q+{f7VeWmQSF4GfmTxM} zj?B3Dd!DmlG`YE^qdUrNJomQKLQTTGHhYD8?^b;Cd!6c}Wg1=p=Zm~9dGFA?n-RPZ z-{elY#BmNZH}iQ1J!Jdcd7NqlO!>q;iZ9OW-9gV%yL;=vscn$j$>?Y1=J5OP zjM=LlbI=_yy+=2$?6H|SwRL$*fD9vL7*ptgx>S7^%v?BVJk~HTH@zoFh@Bm8AJ*HP zK?4&Orf zZ$V)}%jrL?s9L*H&7U~mb)z_iI;Q{?Q6!d13!ui|JAmm5UmD$;OSQNjY6|a|?z76| zqc85dL4sRBcVpw*I`?)FE6$c8QL=j!NHp-B0stRralz>tNiheCvQp5Q?Jr$j_DwtP;q_tVO(sQi7ecfx5vRH>(jaeYZ0yy`P5AYUMDeikFHeN!y6m<3>VEE zc~GnGXgn;pBKLY{x^S%7NUZIoT5TuM%+!aYFjS-87Lf|Qb&9=xZY;}NuM4(}wQUM# zr_?d}ZT&Rh+@pTQdNY=Ksd1UQ&Ps1z5H~?r8S7L-AWHke%5E@3*z z89rw`_HLSTw7#^W34uLJVR)m`YnNWdMAX_F1p|yaWpV6tj-QC@ z(q`)c{&k7YuuA{tx<45?iq&cdaz$k?WR6_2OIxAq$UH%{U-OQffg*3pCi$b4#`(MO zA9)u(p-tN&S&sn)kw$qW-LQR^&Omvo1(T}YqT-#{cc*U;mhEWWR?w46>Y$& ztuj;%KELgEIzBpq-OF@$1;%4hvZIlbC}Sxd4v-_JjgvWC`I3t`Y-q|~UNock`F+hl zCkY$IjJZOMv9)p8MYj8fZA=WW$Z4d7?gNi$Lq*|E+}4Y~uVhw^cc)N+;ss*?nYkwx z9&qkl@myb@;SFX!;AP3>S_^GpD314;_c^0l$fN-p1ltO0K-2Xri+R99K+Ewy8~d7m z(x{bZ7msxF+}tu49+ojEyDgKWD+!WA_klUSMwmOx&_dJMF~aq0 zp#iXOMLrr^ee%(Lidfb{Uun4t<-2RYig?6wneDs1>+Wxg$p*C6b%Zg3ZsJ&D9>6oj zxh|6>xxV+oI!X2#Yh4z@o5kK4a5`SZDpQE7DaWSIK{+;ejr8FVhkClbdPm!TQRAY@ zyS8u?#$u%lPjE+QA(3N+b983Tec=BkiW!5&gWSJc!af-i_JB=+1Yf8{}| 
zA*0{aST&qE*;D$JyrbnB$mnH3ki{eo52~y#XdtgyWzL`=%c7HJ%OXr4G>>z3n0Abe z_ulesux23%?49?I>^Z{{07TMmWXgD zY=t!}4he5Y#qJ=R#^3qU%-dtXo9-aY4w^4*g#xDgShwQ29z0x7A5zwgiDT;K6cWy* z;n<+F39d-EwXPc!co+oS3XdisH+v1lfuZ>PUJhaCS`IpZC@m44HuGtUaBzg;2B3Ib z1F76sJuMY=i1w}mDs};)+W~8+!k8Ry%H>GN8j^Zs1?&!VxDKgQ^`$U_AjF}aD~FV6 z`smCIu~|UJqj21Ji&2SPnAapW<_Tbz>;_dYnpg|+<@oiSq@CKm=&jWUnEp^qEXF66 zMJx&s4zV&)yIdAK(-u{OYo#arOLYR2vF7~CJOEU@;?>@=@ENa6&RqIFEXJD7_Pqf5 zz(cfP<|iEjxSX|kL9Iwxzq3Zz5Q^79g*Rpgj(jwnyh-rWcOmw4-%Od_XT>jl z0ebh%5g<@5aJp;7E-?MtW)lZ3&Ga&X=`{=L@&>LOGTc;@fKDZj@j;KYH3A1?l2Le> z#XzzwI%Zg$>C=YKF3W(VkF2NqfUN2mJ~Ux&p4dq2a)aLb-AT_#4Uma-oWyP96jlru z9;Ss0SG*I*0@EGM+Q*R#0#Bc(CqwEyz?Whu6w!~j8!&nc_(j)a>)+hI#%rPHH@Z}` zHOcVprCb*aG1?&EYu-SlxEr(>sv+4P>DwV$B@%vZMw^y=;L7Yw2GfaFE`p;lSB>F< zTIh{%3C%?S7iI|^hBb3zftqGLUc#A6sTKOtg7a2Pg{}z~)MhB_@}IcQ@2eZMVVt>7 z{=XG2a{~=LYU;@ZRCGMx#A#e11OPAk%y7=SXb8Cwc2Fk;B#hw(Sy|vb(NZ*I+yNFt zJNv|X&Ha7gzcz4YfaFM@NA{bk=dqWoJ3BcVJ0ZN~u@c@O$|b_J-xLcdKBOW`hnH4k zt)-64+8`h?gM;FFHjDtR0pe_00|kyA4y?)rRz?<3bbqEHL`-1QTiaq3@t5Tx&Z8PO zYmA9F@UWr5m^N4Ou9OSZP~J(bt#Exa_ksw>FH5ipJC(PHN);oF4)5)pvEm z!)MqH5?v0u(mJ9Jv=PW{v0MN+>&S+XHdEiHatz>6k>dRYS$HF}gs!i&(3NxTd_ON? 
zoDm{xowfbuT23Oj_Z(pQ4_ucY6M;afY9?8Dy+)Vk?helSkhJPFYL$0AV{Q`6Sf2E1 zgc>l;Mj?Sk>%Dt@nyLEETzPZRI^+@RwE{7M`tQzS-}G4P-pBy^xTmo*Er9mozWeW+ z5`MNocb!&X1=8M)EFfI>R5lNapK<$>DVK{pXqh^OM>6^> zXDkod-9c9wR7=}ckms&@j43;XsT|Ioj@>m?r)Hn8#tl4OHMiC7(&A1-EMnPcL&K$O zBlB9QJ9Ln7G_xTpj)@OY9CAVRr`>^xZn@8u>Wu(YYkl#JT?7Ah1|RsUZW@uDWv^MYPoHuKSc`3+e_2fM9K9STf}%xwr>GmpmFK73o#W z71jg6)gd)Ohjbvpl37 zXPED3Qw1t)7*PPw!AS5#GoWG&OiuX7a$*SJ*G6}6Vh>Xi3eC1`CF@B=Zwi@90lPe8 z{HFKk_`3^4tjn8gW!$y5-ho`O3mxNfu<2~OQ8cZs*3<Yia z7LuSTqJ9t`x47nfbPnf2U3`^*-bXey`t@zlrsuq482$tUpm(&&kCjkB3nnI&d4dNE znISKBr=XnPvlLL~SdTY%j83?e3n|Kz2;4l1y#K7Ad^IXkKw9Q;KqsDfPzaW6QNcPu z#MfaAO3V_NhHH6TUboCQV4HP`d1r?dnl(8pveqJ<@Smv~8g*1T&T=DV31gnJR8uD7 zMVo3vqydf+T;8hS46Lyt1VGoOBvtH{v61O#^gYC28c{`#WWa1M1*+;04pv` zNE%E}hGjK(psPHdJUvY_N_U@EQ^ z4`gH}=5OFUF9blsi_{1~6O9Z&7uf}|$8Ylk^sIm+!fPJn7+0}pgr?I#^h2Mo7r^vg zQ$jOJeHKs$rklObW?*_2oV*grAvrzSQC5B8gx6JQSo~ea2ogm>1T0AD?G9LEcR-l7 z6@A}Y|AHC{$+oKS0z!BSb&7s@V%b@sc;?*(WR1zVJH-~)^azRHos(uwQU;Loy-xu8 z4m8%G0xKxaz~%R!xbF97l85qxXrlwgyOYfKSH9lB6@Kt4SYTV=XmP&*G^29=E(v*q zum}!xqWTt$P#X~w2``X_2)Aru2YUBDEH^HepyJxeYL5%72QI8o@lyo32a#2PfbT(8 zeE&7K_6Fc`9%L8RyGb1)d2oUx^EU!2pT{71Lu+ zTO1Am9$pzgE}Q~D#eIexv-5(Cz)BAgMh2*OGAoDdNtIh_$lN)`QL?BqlybE-lSR<< z>7*XT@tE;ak;|+w*2CpaAC+L>!L-zYx_{pBGh%kBR`>p36tzWkALJY!E?x_EC8;6G zSRuUeu7NuA!7%}6V0WsWcRN){1Lsa>JIsAD`qgDCX&0QxCV|&OZMtu)*vKumQY-gT z1@t7A7Qejo2C3ibh&x8`4JpW}TF=<~h`e-24xD3R9rA>yoEyHDr5bye?Gr(eXnQwJLmxF-1sd}S}@p%k$7c&yz-!+NO6H=buRrXsMAg>Xoe zLG8b^*N~oOF0TtMV0@+9Wb~VZ=1NE%SLX;O8t(~t>C@v>v}}Mm3AD30-KoaiiCS_*xJIFYNg0Xl;mcTy99x*2K?={81Q+dWO`QlU zwq00wp!D(v9Hn`h0`A=b^-$;u#*-OPLlEeVkP?NDYIrks!pYbgu;&TjN-}mbMzK|c zkcMCqsV)E_CYf4Jcdk02Wz;D)$t*Dbk`^AYVWjcPGZciCu2h(T4;Km7>F?(Dsd2mX zaSOW$o^w+Sn@D&jcuk@YDJKNi?+tXJpvcT6K(0QdnC?&2i>Ax9$6EIX&_&0NSZPjT z-pZ327mHlxse1sCIv{eR$NH}8-x;8Q?qicQ_yEctUr(V@7`!D8Fx0p|cml4}M)0ij zR2wOieK|V8a041{*yiL+}d>!DtcG{5~x=0h0VZ zEn^ISPP9orFUP{29N)`dgF^DU8*~mDE&RmBK;;gb9_7PFR%L~;SFn`aLGJaVZ;@Ip 
zv~5>yQQ>~(`HKSHUy$Mhrlnprz7hZ?-{L#l_^~n$(ERj~7$N-{lV*|1@c~-!WqRp_42NSI`YBVVS>UoMXH)(H(|QTax+S_W zP;_5ZdX?@d{jQ0ay6!fN-QE(fg)Dl=P01boTT6qk}NY*}F$BFu2epT~FT&LMDa z2~ra+VqA(1GWbb@l?lSeGif6tn{o4O9AbmS#e@S;RR1QoHYHIQK(uK*+|T_vgi`M; zfd}W2d?^QLB}C{Rq8Y4S(5xik6{Ab1YjJMf1!=yPe^Z-n(cP=9*+3VRt1_+}qI55X>1LjOUXU8T3VM}s}5Q1UfY z87>ediRe&QP41XSc%1qpgMo;JIhThKI;8}h|7B@MI}n<2yg|l+`IV)aGE?4{J+UH9 z87X`!rW`p*4^C5H2x#AM&9MQ`~VY}=?7Xa=?jf- ztmHiy7>oUoqxVYRWkcw6cOITjwlJAQ8?N9zK(kToJxFbJ4Ia#t+^{t%RNY`}f_~Vw z&M1RL_Mdh9YA3-UY@c*&q3NEdM{jplZ;kKiB?G>inXI;5>~;%VcXaHA#Oj`8Z|1GR z-f-lFGacDd>6;q&>i@=4C$?Ff$hT+X!yel2vmB}e(rXa4&br?h#6d6=` zKNWPJm0mIcS>GfEqDZozNbqAX@G*IeiRK{Qc!_1sn5DJg7;jLPiNi@)FC>SHs(D{O6oOj8$t$_A+&!U8`8#WY~igcvg(6r$oxQ0hrce zf6dtq9*)tMtZ-A@R@;4`b+_cRbQVVhM+vdi9$+CUAL0ebv1(LgN zRmqLmBGXm0Az0qIi3{2~^a|67Q`*A57tS5yOSb_$FrFjZe4X=GxDH`8%ecdWX{x61 z1}>f5q|F>QdkAmwOl9-Ci6xpWmkpV1hmdug3L7)U9dn0e&RlC485-EF^Bm*Fs=z|< z%CYre#xst$PH>>T8Fc*1UKQh5al8s@Z**Ufz;TjVZ{HQ-ZCx!?&F;H(^&^nqW20gxF`{c#39C zu*8?KveXVxAaQ+;2Xy4hyhtrx%h;&SfHBw!fd)+sMLeCXGdl;5<1tQ{4d(O#k9ag) zTM$d)#cLGsI$!ucOpTYW+2hsk)IA<=uJ^7tGQKC>*^U?6yLgt702W!k&H)He^B_#2 zNKkkH=3dWMe!*^13CcxeIOL~dXuKM-2ncFZla6Q<*iu4Aa4oT{q{*~}zYjS%Saka(J^ zk^!c(1DF^)QbxPH(G-CH6yIT!^A@NfIu%c;wl%!DkW}Db+r_&Me|J@9nUE3xP#k(x((%S`ZZkRhw?@m6`2$XmBGDTDtLH(G! 
zfMvjo##z)j#_^4709b`7=V~cDRAk!^^ zj4Ixj!{lfZUWHv+exs-trs)HK{qt=z(cMG-7R%A?bQrJb93u>u@UermtJ5i1P0YDq@|F(xkN<+`_fD1ZD@rCgu8Wl ze{LZBY2l8Bxa-KfD_PAY$wkTDK{MkmQli$37F3aXv=3cN>xButgYju1rCiP`QWMU# zjR+-($TyW7bhPqE3kVm}(GYss%#u!dw2Rk3ZI8t#L!Vzv=J<)PxV$4oS&oT|uQxJi zSndhv3%rFqrUy3ngDm951acvc5ac;}cgk50UL=Z;@uLi5LfHn}Xu45YT~FHN?d}9@ zVeIHQU|`Ql)5WjwMU|bsAjqsh`cf5mkv(^LhqPO48>kn&tC`2Zwc!coP8L=jA}~Bm z>-96C4L0g|R8gQaMS%Nk(pxhuHw|^ePb5n$+6`~{kZ^;lD_CjGvf)W6>J;rj0lj)_ zEF$B=+eYvglW1%-mGeL<4j4P3+WTxIuhIQ!04gFAeNaY9KAkqt(%YOoTO25l+K&P9 zc%QCLo+ohLJZrv;%UNxiLtR9B6+~Nr%0}Ig1p%Xh#1*9D;1jlHxAu zRzGT_o1+VNs!PUBt)?)TH<$&v;01j-%aJ;EyoS2~+ZBP4PEj{pM3{6g=Q6d<-sl`& z(a%mWJRKo1J^J^wliFYT0PexN+_>UzYLG2^Y(V$KE!mSN=Htx#JeqcM=Pq_`m;&Y;$^<<7Ve^<4$olOTZ*AQ(+9logmrtD&RyuXeMr*EOA%)WP@c(F@O)Ww znXJQl!7%zJC}n{U5%*|*k@7#vF5jCnuH=4{`Bnfk&nL&ZmHCP)T(D{wJ%PtcmGY;Bxs?i>5(<_|KVHVX^Df8g({Omrv z2-AX)Ode9n2@a%UiYI3!j0bOQv(G!_I*)v85y6q_i3&eTariwrV;-#~qVJX}Z4vtT zu;s!~)TBximP@y9{iaw$yFxHFF$!2$YbdXmE+%x#lck z(rQ^8=$qdV@co8U0hjPASUTWH6mDX}*=PnTX8e*^&;eSjOjRhI2rB!q2B0t=iZ-=j zEQ9ZJb1@{z+E@f9fYVn2=hkTUg!8^+GzKCvINtj^iQPMP9G(Vo-Z2WdU_8RCJCiQo z!;=@<)DX^&of+Ojvbs`NkjNY$t_*;PB_1K*)!{NqZ^*LA&vD_uCB+twRJdy0m9g4v z#|+NjU|%uZ^=1$UIU3yKb^DqKe8_p&?NRfyT-i^+>-1P7rGeK)>>j1zt*3xQ<3Oiy zlnt-R?9A0MTC*LV&(HVj0vm&On+A-F@~-vjK3|=9>70YEv+RYk=d$+)*Z%m{c>-ra z0UI#@P>0g8vWP9n&q4X|1llO5mO!JQg$jv>77WtJc*Q^=UnTZl4`GlUoeB5m5` z)n<(B!#GaOsgGA5YZ5al5MHK2zP84$L`D(BQ(%n>Iy^iJqO`%2g~I~|#p$H1criRN zEQg4Ac&*P$^P8I{%MB1=UP}rWJY;a$REaVhNJjK!uoVh4Z)ur_i3r9rxTOzTvNk+2 z9Qn|&F!OfMOt7cuIab1G;3%VdnLyUINp5BALh@-4cIoa|tMD66kn_9_kc*8*{L)l> zJe~~@hSw7gJpZ~w?4HjAJ{nDTL7Xm(%rD)*?diKxhD^ORG23iT(_e_i2PBavVu4c! 
z(_=PczyQUqq-WQ*xv6y zE?pm5yMrIKEr%ldr#b@#K_f$jp-6l39C9QRLtcP!pI*gv7wZA`fm5rk2>yu1)`@R$ zzUV=K1{-fFDhQd0m7l~q8%k1h9QWN^pxf|?b3@=#Al!lBIL$bUSX9oa>j0;NCDzRm z0sH9XN%#R!zQ=ej0@)SYW)6($l<85lLv9s1W-}ctPvHcu^`D@3?piOlXRPy7UsfJEVZ~ZBZLaJ7hi*E#(#u>cWtgnL?8qfwmbTb z&j^B^p%p@C_udy;T_x3y(6qiNa%n*8a}PmN*o57n^>8W)55Z+BH+`Xkg{9S+5Q-}x zdxsEnooAkedW)3mfKSQQw6QQ7;EXIs$OxU85Eea#m`rexi?z*(@Mp$i@nN*M64Cbb zeMTO**Y+X@P3FwJed6*4*=Qxs-$@HJpvuPM)glBMa$;*C*o^cG&(g(_anN;xj{H7O z7eKlru;72yHgnq$c%$Wv(ue`a;>8bEowF7ldXO1{lM0~)C56W84sUO*52w&j)zmAx z7l2BRytwtg0)|t991t+LHU}hZ_0Dg!lmH8aHk1fj1;#2GFeSJ+H&K@4M;QjO$SVcf!9(m zJ(Yl-tSypHG|2s9VWL{iRN18iZ3vO0or%LNh}xs!%UB4!0eg>)GL{7yA-atZ2>=~? z@w;BFHsyy~2Xc|FZBry%1Lyv+L(_#b2s4=Crd$Z0XwhBr*Zzk^OR+A0M4t^VDfw`M z1n(}#oEux3nOJ>wRjopyx_Jg!VFTAZ&0Q0D4J1I;a`*+SiMRX?WI+$#V|xLpj)fj2Lg) zn57f%NiYX&RPI(J>SAt^!gWqL->dj>Q)*!U}lRUgSnL3;=t1hrC{r@r`e7_vWqU)plFEGhgd? z4mfU0c1QlUedALL2n+I5Di?xamxGKyDLhha9xWxOz<4SL#*WbH;PEGaM0k+7-w?6W z1MfQKW@8qoI#GSqy390>4Vn4a%nJBs`N)9|2%G@4+#+!jbshJ@4~GZdV1vg;!>8s; zBf&FZ2pB*#JWK7s8^`r&##D26s8qbv4!`t9?aE*{WlS2m4lOcLylnti;O*fiay4`0 z|7}pB3f5VKsux9>`QX=km$63JcdiYO&9|K}!7tw8cdiFjgr?v%&?5*lu=5vOr3c=x zx?&1j-MOlSs3&QPz{7)V#%m20%G$h0L|nk}3zty{t_s6>bos!1YyQf#5DN_bK?lnG z0@6SNy9gJED0R?Io?2N)wYtoAaANcls@QNb5fifnAP>SpoME2x9=0N~9s%Jh4?;OC zbu4&0ISav#{hLcOZuHhLpOKews$2zr6fHQGu}taKqXzM%?@kPv@p;Re+Izzz zzm)vI2am-bD>p2G$|@uCzr-<{J`?g1PPQI6dbV<^7hX1xX9U7eqTmR_s`UB^zM$O# zJG{6?pH+alZ_Xj%@SlU*aaH%(1ZYKfc5>z#g#95HZjj(yuy2mJT*DJGQ2u@EDN|lF zsqJ|p$tY_P33FLD$PKm|vM0ZVFI2u*f}35}iuJ|PBQl3|z@4lKK8H?z3+7Y9qXj9{ zRbu8nubhrb-u$%2!&@LYSDu)&isajuwcy(mWZZnSQ=F92JbG`)>J=u$x%7A_D6Uql zY7V!Nld$Z|(qoxu>E!a!J7nkX%a%zhXOK}U$-g2lmB@fSRD#RIE^QbXLHUI;^Kwj| zzmC=ij|CrIns#)V(%{U)AO}l3c>_H^En|H8bo&g{e+K(cCY87SSQ7Ihg~vVsB(z{$EAzTBCk=l zwzz<(z60#oQhOjXAONba_!iuQXA5~$7utG@&;+WRW|QC{XI$Qua$$8OU)m8X z@TQ}K?u`BErONR>N9>>nt@Yu2)D@pp?HC$5U`wCGcWtRo(0U=S@1MQWfZczjO(MMT zmMRyvVsJ(qzrb4K9#FpX^vMNGKQ(`-Qm>>h8VPli`qD*nFOp;9?~dZh0rcjJ!2a@< zI_*DPKYW5O{eclh$oZwL0}e6vMy!lt?i0FASRw#o#LWvYI 
zwrsJBk0&a76IJ~o`5M|9iXV|5u!b3L2 z=29Brmhxe_EEU2GjE)U#AK?8+@P3#>ob~%hy)`LR&nn+Ub>_c$qg?9l9ZPLSy>3xH zfls+0Zwkrf7M$#7!Q67^WLj_2=;&2%UBCw8^^3eofIJS*qiHy#VQEpY;BRD3F!SlN zrq^iIqV+U=0-iASb;6uv88|N-Sq|)H!fQ2}KP7qA%7`Eh$ z)D17h{NkmO&tg1lKn*Y`hhPbObiP$!!7v?+>jS@tHG*ys`e|gK65umey;LWzcPFL_ z+s{3#UIOscI-1#B+AU|+Y~C^3Tob0n^_l-dW%NF?_f<^GzzLKalh@`J{0o#7R)j6+WY1d;Blp8FmZJc&g|l_vF^);y!+HA!tcfTPj5@9;3^6UoyeznKrHZK*uu2hg=)0p6)4Iv1j+_RL<39k@6QxeP(tAQeAUz8fd(j1<`>2piU*I~1p zPPmRy`J|wjj!ZI0R6}BLUQAC`E;#)g&mBg75yp~m(52*|O9L5Stn}`A}c`sx(vZ(sX-6z;q*#2)N@s5tlu{M7RTH9O5D->*36pCf=_X zZyfya25=@klYFNn_od?S`GA)qTJk01t{h2z#fk-tU<^-*E%1Zfh|tIjF1`o9YI%|2 z7O8wZ2FCWGVzkr3is*p#dJF2bupo&1w0m=_v~#6aY`{}nknpE&pzY2D%XWkbHPy2X;me3T})w#M_iirP-843k(7WpLDH7Gg5;$0GbyOxL&)vkrh`sUWU8gz2gbRxFM!5+O%sYdf?>IQtjYrO}%GslywGGp7c* zF9-;?pCKV{>Es-57yS3_JMu?_ezaz%UGmPD&rxNv7=L5On3qkBAwIux?DoJ27;v_X z$Q(It?5qv@pn_xTyja_3?y1XCNK*30JFC|OT?4(|O=UUe9enl^@N15cKQGkHKAPZK zu)n;&I-`9@e{~~u()m$-J&o?|HAERp?K#9-@^wcaqk|qI(e`ER)WiK`^eWyv3iIk# zP!^~B$0Rn4OnSuxmG^QW z?LnC;i(5&n@h(bW!Dwd&dKksr6&!$E15ppu1Lp;n+}sFcJ2Le2^qjN|G9>vXy9dn} z7^6VB^;qk$n2_-ogh<(VD|qyi{Kvcl40M}LqTDewP&I$&LOwJD(C3Gah~}gb?D@r* z-%)K}`RI-)H*4H68I#o{{&Y(VtyIUxS{4gG)wT!{yF^{ysRWzu@)ocFhL1%668a(I zKFcBgQ2!1e2!!2frT5BCs`Ng!xRk8VZCNV&idJMC7{#v(oFIX4AB8v5qNuwFUSLzf zlNanU2E@#~cp>98FYur!U(0NX$etJX$-WLLwe!Nl9H92gMPE52$6!w%=B2$SRQA@|`GEBPg@NsT0_?04ZPu}}pCnLRA#(1_#v&sABN)#`5cEeoR%DFd7f$8Yd zbuw=UT~5oxFo&gpJz4=`!Cxm*5#TVs&_f#&$g?1@2 zco$;fRuK5#0sH=`?`(}nV!+&Sp6CE4r}IQVIO5@wYxXTD6Q|M`z)ce(id%hdOd;~!iMYS4j2wT>g+J|9FZ;C zS#6&l9JDK?eZpk)0{Ml}msV(>7uxhIRO%oI??p;(RT*9lbB`He`6}bSabJ=+%8p*m zd8O9`Kt6mG3yOSG?Isw<z8Vmz9`0oYw0B72jt%+)C0rGU%=ld*^|BPs#$VJ6Nv3d!zTor#w; zOA;##fFx!QBGo%$brV}q7=$yxaZ6_%!9O+L8neyZ7#4u*b zWRntnupoFNVaouKvZ9ptSq2d`od|Xvt5$1lV6M*hVa+GPSv0#W!z!svZX&;T&4+1> zn3ib+$M=+%MvIUihX>F=aWn1`_q<71AV;GO+P+#o6TtCp$Gg%aT&F4C;dKilSZ(>C zkRDmh5U;>A{U-n$ znjAUARLZJ&$@|cwmL~%m0=u&v?zNfGJ9NdRH+D!Ytmux4Nw}YGI26O(Re6W&G&44_ 
zpGz}acwnk?10Q`k669ie`PGq%ZtS(jELiIVdF=&5ekJyDh4P>-rB#7b+|+6yH9Y_a zY>~|oE@!H2IwOr7Ox&Z%0kCf4I$(FXqNV^hUOsFn+&~T-t0hE= z{!_oh0v8&y>%x-fB=yegEzh-(?tO% zyq58#HstI?LU3KK8w}Oc6pR&oq1|DHhVBz@Gs*oUau8<$uX{y$$4)gJ5W%kRwK9*q0jkil4S8w&Xz~Z2UV!~ zuGEB0|6+#7DHt$#rsE0uTpTd~35kk7!a=8r6C7>O%pvlKSmGTsx6VRkg>X1xS07n% zKNOM+W54RMMqt{>m^=HzGzBPID_hR>%v&KNoST^6UAjehBz^{gx>T2WuvFwqRC*bK z?%0SvK=@g=WDa=cGQ1(o40m?z2wSMu`y7cqY#%=hWxlgqxaI;HEHiTp)won&->JaQ zu;HDZ>8w{#HYd()@=zk4RKs4Svm3GvtQ3W?wpkz>&Oq2rlYuVL=kEFEo!`RL+#S`4dDXUDdDk(bIbWK|QpFCsOM5Tdz&^$BDxUSbxA=n`Ts1eB zP7TKRUwR7}09+pZ0eHVUg`>o=d?ofo(4BcGbSD(5dszT;Di-e%jHf;&PJlb0mQ%H; zdT(-P#ck%9e2FoSM)qR6!*$auId9nB$C zCo6JkRQ=66`5I-n&dGP^siBZ(dbf3KV9m^gyn!&_?VyknzL<`i9+3P`%Vp(mo$+FG z2#STj^a14PGr76i$I64I>ISBbX1rLBi5;@qe;6OmBKV&29wa04lhdNeI#kBE0Ml~| z?yS=;tnO_%T45us37uhgC)8G3?=2q52)H3)SFnSKltWKqcTL+wI(slpcOHnmrB17!*Nnz=&qT8h?P`kLzL|ZCH(M+Bg$BPiU3ZYh6qA# z<^GfLj3wJ;PWAuZ%9+x@)oMK{42chFX!J0xLle=aR0t;Q^142fU)jaE$*-<3%pqMB zel#vDB7@E4$083IW-|QUcwT}QwM!kN`nx~OAx44hG!?d_owq09Q8}c^$BGLP9y;Vb z)9fQ~GgDb`g)<==XY36+p2yxTyIIEzc-OhJDuT@Uu_YCdj;Q`jw-1abJ`{y}h%28? 
zLJ2@?H#rd^Qz~_tK8hjpK^#vG9-*;Svf^qy-dgQo-q5q5Y$9TLb)$-QLTYF&YKh9S zpMR5RZmjdK?mK%ow=Q0vv0JP$N2XQJjdc-!;C)_vCiD(zRe3L2!nG85606ZWIfKZ+ z&4&U@6IJm8(Mn??5ge&E;U<40WVt(!Hae29Y{g-6Z=%poFaX5O?DWu0@;_mJ@!MI zy4+JT_E3G3uvLq+}{G@J~!fz3*53IM>zcAvy1U<%kEV8zOi2A z&7F43XLcw|`Jr)xu8OeO2}BsXP5LS<76m?#m<2rL%&k-t8C=-KF+^>5%wN2o!ZbX*N zZT6F8?1-nrFJLdoVufp|88Q^n*y=RHjlE9(G;k!`VxWKpG(1N$SZVuyvN7Om0Xr{}AisiZrxbQ6mK*co55bC_09C>}}-ZCW+AkD3SfhxVvOYigN zIqrkPZpAlMpv!?DW5z4HH+9{qL?KlY>>NPFP+i1e?*tZW=B(<6EE?x``7^o9F2d4I zWk;Edh9WU%1#h!Y8n1mbA4q<`8}}%?NjF^KNG2#2i&p>@i*IS~;*|*jtiLszPQ0$t zHg!ZbrOKHU#O|bU0Y35C*`rq?Rou;2@i{50H8FZ(gJ-%_)VdsqAiUBb{F1ScZjX1; z{R4bD9s)Rk7nk77&e~xk&^+bzmS#>j;L{C-Qxa3X0Df$F$>O;?jF(ufM~9%LIlM_n z%R6Cji8RTY&SDhqbjdjobW)>&!hu4S91y{ujT_;*KwiQ6VaX@Rq&$*hyx7b~C=Vw8 zjt_UxeOlBG?4z%|G6rH?%DWTXOPHcB;u7EI+ z;_{FcHe*K3vS&(HiBb_G6|$w~-YZ{hO5*#E9xpYWqm_zcY~sGScM{HEoHB!x75)_k zf{}S{cH^?=K+V<`un0dUNZ?WdMtP-;nlm9wCNy(N9f%p_^|q9C%ABwdkI6V+&b-7w zvoe8~%%nblnUqF9_joU@W8tOHEHFJ=nS7N%o!cD3%+I&mSDJ!P>+}2wWIWiw7Q;i5 zr638nFEGI+w=XO#@5Uzgg)nUv0rqKC4!*EJ8wQwAXUbavyJZ3wY>dK>84o5La8@Q8 zvG57>fGlKDr(WeuufS)b*JbQB9i-y9+K_4~Uj3!-O&b!3o0`b^1B; zRbvWaf10WWIyfK7xCzed0%$va5x$_>*K7Mju$wBqRA|#aMao#1LqI+#!WaWV;3(7s z{!cc@XP$YLaal`z*{e|s`okk~-alHe|6$<5%+ifm<<}L+Y4W~DZ`&MToS;MChAV;z z)b&sRXT#`EeEQEP+m_557c%|i{BwtmX#pZc;hqMe#twn)sD?@Cv#{qb3HgV?C(~7i zzNSM8l3}5z6qA6{z&aFAN{J3d+E;yHZT49E~VkEznVnd%DPYAqR(IyHBJBt zm`Zm_ho)Yqh%rkxXs?|(pCzO*gOB-YM%2@!n;%Wtg*>?4S_ z57v>2FkxwsDU77FsH+$gq@Z=6IHEgk`av))A(x`c2xTVVlE5#6Bgk?e1`tKgP=P}zJvZ8z=ehy z)Ll-$E^}59>Ocv;oSdv6IB9jrPe`-fyQ_l=XLuKkeb&t+!r1JhCnzVdOylmYP?=NQ zZ-lMdYWJxD2~D$b-K%#NB1~dssi4Z`!Kbn(SZfb!c;97A<}(19d`rbf{}7N=gXIFe z+L}oyGCq6AD{pQA>@PSB(6btA0YL}&OK*R;-(Cnb5AFUCjD9d@9pf7ZIiUbwcxYX)aVL^B)Z43}d* zLo<7TBLU*hq}~cKk7LZHMDAd^QmX+Tq9?mMB^Z2RVE+_|o>NZ@YB}3-N6VK0p6ZJ0 zk$QD}jm0PCZC6)Vb1T-3(89`V zGVCcz%MU0hDBrJin7|&m6+qI!wQ@hLwAi?M=66z<8`y z$01*d#NN3nM_`AC0SP93)NberCdP8l&z002Wuua^IR!8aL-?5obTft2-l?(! 
z`rP&ArF8f<+Ljf>@3oT3QGZLnoM*n|!33&tz+QrlSANwhIc;85%VaT5zK@MY=9O0y z%w!`%jU1%nf#p;jq^a?%&0ko;YRdyGq_EZ}Ni*#neiV5O`32#;6e3pGDOUTUX83sD z0f4*{751_nBb3Qx`hH{?%H?wcO&_gs2U#VWtVNXzoB@`taCgdMb#i66UlS|~A)!_- zOu=VOkgn{(1+i!7y9K^Y-isddavV#}Y05l`sU=|t9c03?2nzvu=94dNdClicYm`QA zOY<)=2EELi%b{C_ytmCoo6F2ZcJ4EfwuJQc5%iDxu&8IVo{GQW!-%-RhvA$Uv*O7f z5Ni%jENNJ%=is4)2V$4lW`~YT8+7+DI^y!u1_mP{xB%}f05FwhV`MWtWwqJ8+Y#Lf zm>nHH*+vN_E)44n;=yej=c~ioC6gG7^m*J`Ni6m;hPjii;Tm zJ-HPDka8s7!zxh-NVke&tb`@dG;%(v3IZojNFtHw31LBNDj||WeWiZP>hj&E63QTu zqs!jD1~^yh&P&26(krfAaESaZcTJ{3aSPeSv`>;|cLth-23lcMXi{)MLGq_;MRYW+ zi=iHjkV3SqA%yES;xsw9?z%Dx3j)s{Rm@7BJ@k z#F$8#GuxHS7|_f+NF-QtFuld5u_g@}yH7s%d81Ny{d1^g0m>H!Ag8MauOLOmrF{AzLnY3_ z%lqULU{`uyfIv#FUXv-Hu$+&tDL~9ru~GVyVe#F|`JTtSP)B=*ksT79fsOJ7;b+9w z!-J8yaxVq{8-Mvp?p%{*tGX-LR4hI8xd0nq;zEr+Ppd$q+I*SkBC|9XHE~z2q%N+W zG^C6kmt>EAo}JrGlkP`cW4}jE@lTIi@rq#~uwo6qZ?L(#bna38sLxlD-Jur5YBf}^ zVcBJ5bwYO`0^As$a|?{~f)pDnYEfrfna=WShiz2TDPMqNkFohKAzAv#i_p%FjS029 zHy7EOb->hFcHPzKesw|R-q=VXCum~{@&=k7cP;QEBMXkDmuyMK55^mUVrb@KoVl@C z(9QsR7~#$GWP=PE56WPz2E8xiMXVqe(HY|&M0Mn^q}meTbqBI9A0afz3~^|UEWt+) zz*$1Dsex1=2lPUx)5>9SB`oSJ=0W%zo!;-=wPX+=DXEwIsXsdq+5P)S_917U*fO2vYXlHS9vLf{avMkg{~xB8wRs zeqB~AtA5SqCgR(>-QaZv;P+=|n_2W(ud@}Ba6X?hxE};{#A9328CrVtj}Vw9F?$Fh+Hb`PFE5F4MCPIYC6?(2v|-SoyB9t!lB~Xr|F-V zD@z1>(8oh%?=C{%Oe{bQm3hCg$pk-zEis;|hUFHlD&xqnLt>WKK~uaPGY6GdzFq$@n^5fSO<*n6w{21gA_T6a*1GAM$oPjbwF+#J0p7vLjOAWgU0qj zl7E5zvyF_!#%3C}{UZ$`AsHH^L3Ibj+%=M2;>uYD1yLbJXnl7Y8sKMS3JXb2287IC zdiBOZ%A@K0GkbBm+tjDn2JSCh*K@KwCo6oG3jwPV2j+tLwmE+ROE-E4aW4a9OV@!^%c zU!h5r_jGQG`6&%S#4%3xRL=T0CpR+_d)dIkSJkN$wM)5+&SF}zoM(ooV0L%^&7H(X zCYQqTm{YwHTjFZPt|xr~BmGG=~bif&TKImL~qva==7(uhPiz zX7?)@dD?r1i-tuvc>gA!jNU5DA-inpmFnJAW4PsamLz+n)KJN8ZI+0PnaRkOM#ZcY zGaIW`fxv&EsY;_jmbY`ge$`FKglYz0>NHc1;gsyI0jtK=NNxCg5uK@H_!FEd%^>8| zLQzFVTjx9CETSKfnn=P%YT$E>{uLtkS9gt z3O2Z$O)iX!WgH>Pk;fP?vo>=RbIJ~4VWULM7XZMv##nvkXoZJQT}LQ7U}IYAHJn>z zPhR!D+`{!wEg&Bg}J>9t#S7xM~bU&z!W)+`EI^hdQl<3DwC9eCo}2slXnFI?Jp9zg;-*^@DW+i 
zi=|rxzi(#+`&C&F&2aE<2plvUhzF%p@+q-F)jV<5-6+;1B zDca;WWDaQ21MKQ*tskfMy`#aL8g{>M5LNgqJH55$w1c+?j^$8sbEa|&>NJ#7pu0iJ zJHxxkpffTU4_0G*vbb!@7y&#OvK!QNMFeOW>ws3u%HsA1V5Suio7QJXiWO=(ES9sp ziU6;005FK0V97C%8Nc&AY04 ziTp=*0hI1odGN~X^+fQr^5IV08drPi=;J> zioeobb%(%==gfxqUbt1cp#-KiP2kyT1gMrRsdQ{IF1gs));TzE)=-}nXxM6#hit&b za2_XC&^Vxo%TN0qxZ`k}o7vpb*sMUBrDchk)neK?f7dHPYIRWR+N1QCfM)6Xs@7)d zDt8VHV`Ze`A)%AL7X;jygt?e1UQ&!xiF!sFC258fh71JujhGUGclxp#=iK$F62=WBvzKxv+WFrdI0WQY_1 z000000002cahpfRV_DZb2IPX{$>D&8OwfpFg&CtYgIFw9JYyei<5gv(?)p)idVMos z{$I5i!kB9X4LhLL}FQf?K&a%NWw!e z&N|ee9}NEX(%8z2*?`CbsGu=eDGqKw0P$yyU7;TfugDOLPJKZh?y-Qhx@S3M_M_() z+)T`>v#=az4w=coki)~4J=PbWC%!lbq`0fxPi_X^6S@k+Yxr)CCzx$=4mW2?n3c4| zpwst8L^5Aoj3FbA4{QJYXijmdR1MijLJ!pw%~wS$SPNo|IIK@)qOI=BJe$qnIw!Yt znuE`DbrDq$E0RI+W<{~B7(je`QmA#kAyg``6BvFZsp*(nikqp7>8BYsng-##pIvVz z!-xQLIvFc#jAsA+eDzg-tv@EcHoSC!_Yl(nG&TV(Gagy|d#5A61T%J|HUo>7&$OGv z0Q)OrQchLK&&y(P9C%&D1=Mr3$!~VNcgUy?iSEe%9H!Sq=1xQu75@XT>@LhekHez7 zhUk(^gAIcpu1v7@Qy`~|rZ!Tb=er+Ui@dBUCrs(9Q%uX!m-I{-g$B_H-sJqH!U|J7 zwy9hMhT0wQ2T4pJ5l^()o+B1b;&GzizdNLCW*{n6x#28}~rWbIrg+sepJ zBhRgzyCWG^Q_Gt3B8QbO(&a9E$cB{#BtT5r zY=*JIXSgX(q&7APcmL2#=||GnI1a|7I&buZ3ps&Iz^}9fh=QFXlSd~LF83Ksqw74X zxu^}f*&~ll3%mEB2P?g=nNbh@TxJ7sC(d!Vb+xAkq{v3XMnX#yzJWk^G&=|Q^cp@Y zI32l;Q1$)^tQ_+^V;ptpfYGm_1-}#~eC+%=rZCO|OvxtIRjz5AC=>fpFYR$NP3Z~T zyq%mdBii;yh|5nLqrw@tT43a#{WpBFJBX9VoyPEltU=tY6Kye44B+X|W3DLJP)RG? 
zX&t59EVIWXc4jBj5@Q3_Xg;(mmi;x3%+{!J`l$;DS>h^+FK(<0II-LkDcamR_5d(+u{7M0JHxE?{JFe7yQ0o9X`$c4;Y;zL-U*cmGEyg z?_>Vi!+!UqC5>l|)G%G$CET>|B^=h2&Nv=sKRtSlruIH==lC;e*7|>bcsXHPA`+~9 z*Dl6H*}L{}rFlRbUd)WGW&6-v2SUBVP79->05hg)Q2^f336 z5&v*WWe=JSIPnoM6S_cLed-BMdE>5Eb>V8FyaEQO)gt_faOTwU!9kQ9X!UtV?y>J# z5vVs*Ok>D&4W9=eyYLjGp9!Ba0dz;fIVAjqRnMtxQpMa*M8)HtfME6yzW~vU1SJ9e zxIx|zExu{-dl$Lv`vYZg?xnx@iyE`THp{MI1`WyNgW#_GR`aa$SiumdH8|l9YCMF_ ztIx!n){#+)FNH3TqG8Yqgil)`=oEbKBV8Hp31gIQkl6`A*h`%K*^ z5nA4CMy<3xSk#VszG3gu7{O#O0muHH-6{T2iZwfei0yQAOK9GJW?5x%bmx zsQtCH;IX=N6h9EA^OUP$d9Gmvy<`<_wimC_;b^Dmrf=C{rDitmx)}*f2~*gRD!2Al z@1k!RGz^HmtR3Ic2F!B+m(vMf$;R000&qZ0WF^JodkX4opu*DpIU-|GfUC1HV}e&# zm~1}X&ocXy}*JA)|+cQm@HR@Y& zUqW;*LrLWa6o+D$dmHS1J`ejFkZ|E75iU*SAOi&7Gb6cfj|;D0`@kTGx0xv1`;BGF zrAWWOg!qt2ibV?<8qvtIaeK&NKbm%wG4$9~OO~!BgDZj;7KqOQk*MSWM0A<&EX$@| z-J5V??RAZABo4cF<$OihiPH`tp3+$5GgHQMwxK+88kGj`=KcCn*XQ9=?ywx`rhVg` z!kQ3Q0Bp536D7w5l+&)2Twpnb5lTo~^wb}(zV#R+A_)l`8?1SR3C|^)qe(WUxPTGiM^uZH&09sh*xjvXChLOwKaWXqt zT`Tixo)@%iYEvtGk-y>_azjJYpX4s%daWa*7^9AOM&0Pt0ewUBNk<)*rfYLEfZ({t zbFc8hAd;f(rFF}SlYHeuI`8Io%j}Q1xL9rnmgoiX8VJPnZl@9YvhkuI(#PUXp&sK* z@Y3)vLEFYs%~0|Gxy+cmlPkfjNhY@>*#edq_bQ}%DaYNWOzTSg^g&*vk=;Ns4i&%W zSB+H2%B_*+PJ3h-E?jHD+v!LRB(R;$DL{I@oYggJmM2T)jgCFMoSL_=lDz zJ~X%&Eq3cy!iSr!VC2k;qq;j{*|h0_hS|{HGM^vz*TMH;4oCWo=mQ_nnL)={U*tum z`icsk^LWBh-e1}+$~!|I@N#kkWjY-SoB>y{JWmU{>iQd~rM^maG-)hD!Z0uzTT=7z|Rw-P@A}=tj;O%045vvj}StphTyo!zaYcudxo3 z0Tdj65C8dlTP_Yq-5`CRZdrGPfudzD;-AklRkV>Uu%$zRRuu8966j39Z{>7DbhNs9 zn0MomM-!rl-_>X}SH4Vto{gS%MPce`=!%zmsUJfoj$!JpMr*$HGNlss+glDLnwfYC z=P^M0m+Z!}x!`X9GyoD5YVU}*J%w-Yc9G}~7|m{h;j9?$fDU3#XMtl8YKk z^0=(sQUfVrOt;2&o8$LDVm#1*ZreFQ+dgDBCEdX8iCBN|&-VKvXueU1b^`tppofLx z9KrKGZgu}ojRpz#G?p8COK-q0Xc)WMJLRK4H!vbPA^CI{9%Hj49-dr&t!%X}^#tY( zAQ1~G^{p^;3=2+VLA_kI1C&B(0f95ts|YxpTdCeb7($b(meAp>0*WF@5?O+wa_*)~ zfUnFvYYVJ4=p>geM}Rq~C%Vf)xiD^rn3o4fA=z;MhI8h_Q)lSH5m<$~fxlmqvvkQY zJu8QSSx4SP+5C&ob;zX~N2?hz!!}2PmWH3ZImcJ{%2(nh?TW)~yT%-{8BL!#DsCAy 
ztz(?Ne*{F6jYgr+nV$1X3i)Y9|I;l-8(WFjP;B>Yx?-jA0Y)df_1y$Ae)Me>TM-O3 zIG_3X@44q@DhLm3s;LYlz)iIFU^K+&8a07VBX{LHD%Qs2lGYWy%uX z;O*cML@FaE{~lTgmYMi^K@R)F!n^d)raBI2x4AYTJL7>tpr)_+CuHU1 zusEIod?wBY01hmT?4ooFc6$Z*{Lb{7rad2`3ear&zELrR=X*RytYyL~MonV1vf$dm|xQJ0B0fh4duzM`;T{m*xP7-^ft*-8gEKeL zDgAKHtlt=nu;6+R7x194ecWi#WC51?0|kFIL>`kFW8Y-u@SAQ+@LR=XY#d$37p4s2 z&*GD;eB2oIl$+i@`px%d`6l6Cj{U?`BV=S>F@0^wN_AeO z*3)`%^^E0$wGtw6SzUB7BT4G)7!lbj;mHYbyHL?}T9fC;nJNHJsC^GrJcP=*%Yh3; z4=iW0q$a%5i}T2aId z^MwU!3o23cUS|^P?MEBnrue?L0{=Lh84fgGKyT-RX+pS#t-L#Ofkhc}(;l}!CNMV< zN8_08jSB5Cl<3(BUM&3cfGW&}3!#7qS!NU&hdgIPInm)oYep~PawY|RijBubZ`PfK zue*{5p0xT>@8yQPJX~|gKPsbrz;akNE6X^VO3<~wKABV){A|2 zgKh8-ctl&YA7mroJRYURiPgt0)^EqO^G#wZlNSW0A5g(f=7YgdSC?G?GwDP{9?y>k z`5ut5rXltgg8jgVEQaZum1ENF<2n{RoCM84S7KhY8{1IX+$H5MR?LSekkMj$1rDrg zO^oqvE|!y{hC1RQq)OHeE02~+j%9d<5bh=26__zLcIxlx=B)S%0n}A$xDOQ+eD@6n z-ty>W$J(Zs6E3}!xw$qQus7$-y&FxRR=0#FgDo9$|IS<$y+s^iHN*ij#5LGAX->_O zfN4ISZgJDgE1#VEi84oBxwg;VY%8DQ^q;m~10}v1UvU@q&{{lB(*Ntzusgt5GJO0k z<=V>(oDwECNx-jSkSfVm;#K^8a_>6aXtiIu>>#vmJ|W`v``pne*OuMQ|-Pvd6adR4K#Z{ zd=pP;R-C4E?c+TNE%(Neo^5ZS*RI@7O=(~1t1g*76rCUDg&mOnZ)LCeclhQ_LlIg_ zDSTtT_6NJ>k`-#}PPOMLm(XHrTJED^zer#vnTV1}!b!Q|NP;4>|{r@v>?l(XLVMn1aA;NH!Bc5^RQsLk1( zy9_G`a?U&p`m1lrqT3!j)C86+=oQMSh9XHqZb!hranP${fN=SVSdes8$~-^ra_D{k9>|Ki2^MDDK|4-5+EW4E9pqs(k@va|*%ujL4ocEYO*wLu z$jjAbAdqn)%4_?fE6JZ<0Vd`_%0xIfR$$$hVKk1Bd+aaFc=Ny`1iu2Z;W|sxH zNtb$?2`Z*$SeB1xu-+X`rs;4Z{^{r2#R54oPChP z%W0?70BFhX#jKoB2w8GaUnMS|1k|>hRG>Nfl5alUl>CRqC>eLrVyLDj!l6)Yn)@W!GfNTo%2FYbzVkK#cR^Ytf5Yv=*#B)IEgoNGG(N8#G_0^h z8!fpG+;3W)rGW3*P>eFDXez+9d2uYrP;$HOrh)2}@}DFy!gg^60s&8o%KB=7WjJg3 z5R=(Is@XrnCOQw!SC zGmTwt8L&b+Mrl>~gd_WEDap-XbbLHTn(0qR%rc`CPdHQwQZ)qlBPsrM->_lQK73%~ z*T~O?Ua?IGYKyy)yB9swjz!AxRbYaE^ap0fuvYpuZ@D4b;*5eiO7YU^dl#ar& z)Y1*4mEBW3Zvv`3vQ?;b&4^fRlonHAL8`<+1V&=dtn;9Je1qy3#9hNU`Tjl-v%^U( zx^nZd^*bHn#ad8wIjoGdb1E+?4mj>!HD;!a+rRCxZgq1=Om&K(WuZR|Yz)Y*Uc@bI z-@1s=&|MsR(q{rh0xOPr76D(zLRT9e&h1wrzALT11ANSFi|ktyQa^>Z!pSbGbIfh! 
z*OBhy7WeY=d@nnM&Gtqn^2Q6(b~!Td0!8Uv1ZUXdt$FLASR&6{c+y!Rycfcx{1Y=6j z=MYk(bt^h6@1n?W-{07RA^<}`yuUtyc2I=*s+6!wud9YRbYl%gqoF=G_q5Ul2D9r# z-eekENO}0dr=8u06k^)i$H5udDSf18|Bd7bRTy>>eco59H4ZezRiGtI^O4pQDCzit zrZzz|OZFh}GwpCywd?KRDgTRC)q-eGBVPl)sM_r_UW({4NCNm_?nD6qU z6!lY&Q1uq~3X@XqSl)Oc7%WCRUOPbz!tm0^s{a8AYzF&lnq3pS96gr>6h})e`|Ur+GZgGcyN` z&if{zXGZ&>56tB+G^yEdU54Ds-N7+Xo6&Q`_jb$Wv(t*e^RhpegIyVRS(^5a}Acs-n5vda=m0&(yS3JAA@EKil zfS~3#_Tr2Z^voz5m6TMzsT2o;6{h@-jic+_JG=(n20hv9Gg#2}9`EJ9x3ae>4JH}E z41xW~(3BIjEnI5kERiaC7Kr%x3H{Abu-?6@>` zE>$Rn>gFm|8cgU;6it{v8gG?SHZ=Xh!Iy_<2KEij=$=U)I}!JPd=Z#S$pg?YL~300 zUfaUc4bn4_e*kS4 z)%173{67s*=1*cCtGBw#2e?*vb#H~-q=g$_)GOl`KPY!$RMWW7Q)(}n|0lkGO3kvF zN+%7q`_jfkBo)7m8cs^~G794XF2)uX4Ylg9b#z~NeGH#UB_$@j>j*b$;cgx_d*hGVTD#nP-cRe+3ARYX z>yk1_N0|TEM}}o?_fC{&zg@lG25cguoFFsrxO_B&+VQ}x)`eqKrzt|5}JUJ>rH zY_P`ff(=l-x#O`B2&Eq1Q`x13%8^6aXo$TDQ7{62^;ni_VqWxtU=e@#pts03B(XmI z%k0)vh?o(U6NK;pm0!)FoBL0m=;)m$T?Gtok|defft|8oO;dD+3P&u zFj9=OGV0WY01uMq=6LqN!xbCcUVH-12 z?s8F1F$-)*aJkWj__kbwF}9HvPI0Np<=oe2oYjMlQV5WhuYGn#&Q_z-7|vbP%ZeMS zieZr=B*)3Y!cZO{+p(EZ!-8P~=XZ!U!FgP68>7)fL2w`EGx!YTznFc?9v@R={vuT# zF^LB3A0?biW5+aJcADdnqq!Bt!tQez`bz!P8`UGdGTrm&$O@2Llf3JkFi`G8|E@jU9FL} z^s37nwZJC8Ae5lhkYLEw?P0*BNhQ&>S)c>3AAnJs`q1oVo3+GICg1W23Wo^QS*xoe zRUV_fo$6sjBi)8;3?@8^hz8uZ(r?9ql_17qMJJ+({*69(m_RKj##T?|l=Zuft1BtTNjcyMfZQH3a#e)IcU>vIyb2qWZIz*>&Pwh>T0sB%nGZxq-=p zi`3>!tFhiKyS)H()W3%f8Xaq66nH&j8t|OHV`V7CH&AYYyxar9SJLp8zQ2XXx5GG2 zno7--7Z5skII&F3@lv!&x`$wp_wsI{;Z)==c0r!5n?Fm<@~rc7@POq6{rqFPLcd9g z{|4HoD>qIU`f6roY!tN3W{}b000GKkdf1y85D6B&%sBQ5btE0TETxkI*~)3w6^`Cz zYK4m{aqwb>X80d!Vo!xR88t2 zFu&YtpzxPtUwIFP7qvT&M9->2l(0s;320;cqw-960L4$HH8i}Mr|?;sx7TQB2lT!< zdl1|Ft`#^T-X3BOJK$FR#qej%ANs&g`Xatk832Y&0K?e}1D=?cJ&1Nz=Y88g>qFQ$ ztPj_tLl|+*0|mj*@dB)l(6LnkZP_mOLQ zLM-Mo&G?L^*$CY8q3^9o;BJOgwPtY%-v>m6YP(9L$XN0(Gl#txOfn~8AilHsgUIScMB-DAr_Bc<^1a>>xKq{+qV-vIu9? 
zF@iWgJVeI|3s83zCG`WN`|HYZxu2$8AJTJqs)TgQZxd2@jmqCUw`&?J$9}^O<$MLWg!-^iQNIF{HmkkHkFbJRJ+4{DNey zU%Aa*uWeWwuc6bfYlN?94%v*yP^$PYD`o@F4bwK$Vt0g^WFQrw6&o^bl;~Ps(`c^9 z^aUiFF*OFnhRrk3&Bh{n2qASl9{5rTBIyu2<3gJ~qoW_;7z4s}NWCB6$HjFk+-U*r zpojE@v=i1#(GAI`shBAJ1wGqGE?fyXC^-Zr-z?|oKj6?&j48?`Kkl@LUjP^ADDdbm z0S9zT{k>BJTZN%34nWN9@2#X}uXzGf4$Bf3xhA6z{1kER$?wa)d1rrCsHMpTbwHvw zOk5T^MDnW`ryx6K1<@ubYy~o!ZvxAD3nyR!V0M)pgEUFBI%$*vt)2uSH1m!#Mnn#p ze6tuJ!jFjc7#sJUgy>Rvv4i_1za$`B%DATk6^@|92?QO0nMckNAM5G2nKRmt%|J!p`_>3P}cYx<>!BM_G-JlU~?bwa@VMVFZsxr#@C(AzZ_IhKue}`P}g6u|Z!U zNBs1ef)V#S3K^XBNo@eUin7Gio0h)lY2W2@YPF?#FK-=9SVH9cAoUU3C&1L5OPV8Y z4w4{JpDcAq$Z#ZB17_&l^G-R4bDCQAMzM0xI3wwY+%p0v1(I*ju)ZB-9qDq2!H4QX zHS2e9bpA5OSl0XHpo+`<~ML=0w=!`VpY`io1wGnL}(%&GnN zjO!B~{!=nl44!y$FX+lWn-n}8wCT)wHdfa;BVg`Kx9_XTsFK0LP|cZoEg{0Zx;nqt z?n|49E;DKU%Z?ntf&J(iAs_uFFp)B_e}GQRK_lS@Utj$t+8%(7&(~np^ndJ|@A!#j7J<*I@vWv3 zkUX3sZax%reR+J-JZ3m>#SfT=LmEe_Ax@3aZ(n8|Lo`72oe!E9E$qWhFn4=_|dLXrPd zp7y&OJ+oUaYT5>lcm?+$qifZXPjp9=8A+;lwM4@QgMvf28HJ-e;cd@8<9(aKBK{-p ztFb47@^E_(65&;0W?MEe#c4lRmmuq9{dn}$cfdpWHSSJd<2NWvUm^T;zQQR}m${pI ztT60%%)CMgjxda9c3|6tJA!$~<8Ac|Dy%EDRa|2zxpktyj36=>zSzAK?tcp>&UlIf?a zM9FN*O{$~Utsk25=OLbPLY3jIr#})jpvv^c$W+S{uLfi@W`ktNnFbQCUd9I;JS2bK zWTKnjqu2WXXed%^`o5pRiug)!gYqmoQCrZf%gaHXYR2Fy@* zVtw7+imgEvF=Gi>?u7RJC+_gYXv6V9>^~`+l;9>&O4I&RZthx%Ay3A%rCMIA8N!cMPcn=gNqy`}DLTLc_U$)35aNNUGMMqF+BLw$n zbJA+Trj8O8=Ow6q@UDMfJ=cd-VoI}-$Nv3IA7~&1_;n+E-8+DW+>g9R$a#I8A3FK{ z??Jh4d*cQ;%&BC?c>ijl^a%~cUVoMGyRoCZX=z zniE@^W3_caFC(Hd4SO+^QIqkWL>cF+5tO}NJEEYSJu#M-h)esJDcPjUZh(m-!!E@- z$i+pxv<^LKE1dkn=JaZ4jHg3+lWc1kO{ONH;8fs`Av-2PWc=0RNS`YM7BeIZ^Np+V zMlMsvPNb(|o-xpM@@D>{u6YIh4Xi9vt%n%y-r6Qna0m%w9{B|5rdzTmxWr(V*PKv; ze@-^_w)wx~L7gK2oP?BC2qD98upE@M1w)n8-N?uOM*W*%_Zi&oAuxE(^+2bnw`NTS z@d3&nvQa`^J!5R6<}A{n&VLp4;~lM>8Vk9bOGDxuzSIm%LER#A@!G+`Osm*}&f6^8 zP61dIH(LDL%rks<64_b;1F>}m>xVfQLHWsZMi8TazL1ST$6Uz&ChYXm;MfyM$|P5= zk_CWu^Ty{sS8E9mnApj6?HjcqDpHqT4ul)m)p9l;FJ3)rC{0}Z 
z{ukJ}Q~g}|ha)9Xc;?v+Kgmm2oJ!srMY>~5`Q5nZrvLJ5xM83~bnZeQ-w$CSLS~DZ zgX+U2K|l|8JF|SycX6QiFd7Ah1v8y{ecj&<#r}Zvx03RVav~xSL{y3WkYwMSZ}N7E zbnxJW6QaR*E$?9;E!+hn7xRQ;N1?G&3>@IUzk7N{gH(ITKe`ltj{jPwqqs9?aB3_= zTN&P_L!!@#wPWs|M$?%DDT(1peRkBE&n|y5YQYZAj@M}R;+$xf!#!cbfxJJi#F8s{ zlhL0PYEwRf7cLEo=-|v^Zm*rdoC{{W$ICTm-C98=qQ~wv{`j$Q3vvYD| z>y&Af-?*7R7q~q83Ji3cYtDY}sbwXs4hg>&F}FHs$L4OEmBkl0inUPN$kow8T%L$OERy^v^A;GoFzg<~#S!PK|SwH%5)whe^88&-EO zJ(L!f-Fx}T%aVtLuHK^QkbpLf9*kBFx9>fpmkvxz81N7)@N?IC!F;M>7KiR+MavXB zGx{W|62CAL#v3x^I#U$0Z!+Ieaeo`P^}2}g4*^{)LjVRmv?9VRz8$^s_PE6ce5 zp^6ZF2MQ{RNv=t)4&)YLWgHPbi@e0dml`dw=Rni|yR3a7;yTyh2 zRF1YuVO8y`5M*E(Dh)P9xA<8FRKq+2cUHv1{3fh0?{E>=mm&J$H#)G)BnnI52axwiLq~hj5A6qV4xvr&hBNjs*g*8yYCp% z94sRh18Ai>$$mwguc8xLQ$YlUKGLb0(+@9jBf35;)t2ll!-gLX0QI?)0^M+0oE`%G zxiC&?GqC`mDv$Jg`rdj4i}>g-HE_RoBD_I@X^=pWc4~w8{?~)*e|atH-}zFcuX|ie zyqkD2$-J(py(IE1P4qyx40gyzrWL1I*{yy_*+|jR%wtBF%_~@#*QkRXKU0Mx5;=?Z zCKax5AdHJkqa6qvo=^AiiOycriiYIC6u{<{f5WWr3f%WBlTV`4c$y2@;e`?9u4+Qg z0QCk;#`RXPDPmzUb05=c9S!E6WgNP&N=3yzN~$rS_Uttb-dr3hFx<$oO1@3Ztb@aL z($>dYR()?OIZrW^>=4>l2EaBe{ziEpvy`e(pY-5Ds`4vx$0p?`&%rFf#&?v3lt)$% z1lnf2;CN=AC!o_vGw7mLT>F7#YDMTV;Rq9Iav8oHcu%;MLi*~@9bAZ8XE1cJk08)M zsm`gC86BfFJE~?50t^NTCMiP48&L?q=qB){WYc9RYbck{t}Rly;93F5ht2bNzmch- zZOybHb!E^Hw^hNwuPLr82Um9x=+FlNs2eWKQG5wHMVMlEAi)k#?kZKgH9*^LT%Sws zm&5@O(LS;=W@=htX>|Ey4wLyfZBYJhlJF*c6E*!9;6>Auc43aZ0AL0?w3TUvQ#97X z);sPyMhrR8k@QjLi-kHMHdgF$dNPC6E&pZ6N9J=ClMKKg+E5SP5K^-8z7KC2!E%Ve zo!ls9r*F|6WdlQ-B8zDz~3lWqUwnK z*Z#_E<2Jqm7nvup>Ha~6x9|wx2A2(xR^^{YFS+b8O{JUH^Lf-VpFA$Y{+!k@Fr+1d zzG#KTsPgQHYs~^}yHx`X3)&hHdW!AnB6`0eFYO+9>84l9Z`dtR4tf?3#jOMKQAT{vGH%}i?%ko3DR~B?NDA|spdFnj4Vu| zddmu_FB7X;xKukSy>>sLQqS1vXR@37i(&}@=Cy)OR1kz}v>^^`ULig5%@q!%qTu*h zW^tL^{Vbq*94FA6Q_f{zQ5j_)i`!B$^#F9G^Xi0Ta_>*!XNgiC_Ob=j1I3?M>-=6P&Vvkcd8&sU2lO*1K(IV6XiAdNBJVK|^1%t=b zBis?UX&~++NLuD6qL8w>HNK(`2g3zZEo1!ifBK5rX_@FHX{(o%UG#5t%RRv$y^P57q1YZg3XsEpUQ+0|KQ;RI& ziVcs@@1AJka7O>sU$?X2dji|(q6#3|(Zm3=XrUX|CfL!DoQQCDa83eRRrueqbL`FQ 
zBqAZskfUZOy?}OnU-Arzm-VRYkto?b-AXtVTXURdJl>lPbd!Uf9(6OCm<`+~CjP?r znl%#iKODv#DqdK&oA>kc8s-tEJ)Gf=3OwswiG%0nSul{FavTy_F&jjE=)1~F_4Jlax4biE)`-ND-cPqGjT%z0sC#04X#_7*ym*jb*5D(vwQH;lXB ziE{^TPT5Ok)a=*>^NS1>FnyAEbjN=>p8c5Ka1*vk>zYFcegfpB@;Z4KS=!WDW3&o| z@&ox}M?Quq$z@_0@Qe?XQIDH*OIL<1okSc4xjV+Ik_bPY)f`~-rfB0$FtvU&ndev- z=GSd&d!dE`H-F}LAgBnXE@(($Efm7070)Rmd^}>G&4hIQLR!NGv1Opi6vcqMutu#) z8R=TDgD?h@!^1f{KwqW8h+?sZyYbPk>8`{Sr5BAlWVg5hTFU2=)XvPU|IFlq&~ro@ zhW!(#$7=}XMrSX6~n!(9Q_J@d9++}N)hjCa=wL7sE^dXQlsDx5AX!oUDkZVZ-wfJT_79Oi` zDe8SDe>Ax%gcO8CYRv0X4hWW9oams?d^EAId`fN|_xS}z*9yTlaSLZd7;pisQVSm} z%Q~p~)&j*(xqh&7&p?=;{uRNXsVT+mXRB#8Yoh(^JH)U}&k*p8du||KUN;-P4PGJp zDt58>Y-bomI<@kyljjTRF)76}@g_70Yr^)(_21r7v@iOWQ!xH8g! zATn>JTZUu^d&?7fe!7n3wq`8PrS@|vP4c{sqzgqK69V)cXmhT8I!M#{8Z!{%d|P_U z6bf@$O9``lnIq=C94f1(2|RZ|27G4`D&EfgCax>U#tTpLl_?~9akeaPOx5f)e-)p{ zt?T!**-YVPzK;m%AHkBXI(?LEe1g7_^5VRm%QC)Zc9dwIkO3?PWoPjvcfHN6gqF^w z+<}&=L{FvlgZBB#ORc@GYn{EoBTYJSIj@bDeE7N^BWVZs zwD77k--Q-V`Hc;!LmG-}C9768AW`wfl;Qz$0Zy}@=R*=fkW$1HjiB)d%vtM?vAk!oDne<|w3x}3*2VP+nq^piMLVd*!_@wWxpym3M-(xH{VjU;0*TZfPh3a zc}B59g06FV8IHaq@)Su^Oud<*u!yhulX26#*>%)i`n)RgyDY4bVWN8b5Ok5tRE1#09Z%EyCPe?h195kj4MQGZNP7;Op}I8s;fJ zy#vSZjxpIQcZRNGad`u&spM{or_lZ9M`oW(Zzlx~rc=BH2_MLsiQwe@9keE}ZxFnp z4Oko#4ZhqLBX~6KTA)*l$%;30SSwY1d%Oqe8Sp00zvGR2xZDR3VaxW|*drU#TV_Xr z(2#A!@+2B>tI%%{JQ76A*zk^Sf>Q4(izsO4S2_2CNR4&#L1H?R~eOD333bS^ObvK);9BFNO=o4nwk&X8+l%4 zbx~_Z<2PkU4(^6qdflGh3w$q1@L0QJ7hPWDd5|2x{<%%wiBW|elrD$lNXCe8{c{+b zvros-IZRM*dEc!ePWTU!coS7mKm!xoag~|Z82mI66ZiR5$Pjxem{c~ivn15 zEBplOck$ul`ph5RTBfD!qH_zsu?bhKOE{rg1K5e>O{Aqa+1&>RrTfGDAx29XN?w#| zkI|Zj;b=lgn##v*hBkn!1Xx=<$kQm5E2H=w4Uu(d38#yVl5bpec{|!%qv4b;Q!jIy zD=$jBc;UP6=;nH*Cr|d{z1vo5tIs0Xdn3`7!Rpn>DM@W$c<%k}YZbWwz@uRTog*&5Zi}mTN2aiA%QLvG=mwgi%kslJa13^7u5e zFHTtk!12yT;RLfB34!|dX5XH>dFCB5{|HBprog|z0DvkU=#ASdhz{`igsieC&Wci( z(d(7(`N*atQG#bIyZ4-DIcjDvK-(t14(8{yZb$UPV~z~8U>VdvM1)VEulzBeMBWUv z_SA(%rt^Y%PJ~SRuPrFbIl12FdRkq5>bMuD zQQQhIMCRq{MMJ%;B#`NVxQGuz;t;5punAh?mxQPxCD^c8R3NjLU!oki{HH+gtBQzk 
zCa-|)Nqz%d$2|jQ*8a?O;)$Q6+<}oD)~@S#kzK2)Jwo32Q`CA8!65~jO8W@=*UTno znb#rID;CCNyy>FtF2d>8b(v&o_c*hq9CakGy2y;sIJ-ZaHTO8chzPKekyl^^XzU`r zjz%ZBr8tS6XPN(72Bc4I_oD)TxejjWdR3r~k{OvX=FxpZlj4-B7@C@XMERiirQ@U_ zM$izbQ#K@4o~z_R(UxLm?~#DU7!p2~*ZyM?WrY;Q&d5=t>J$4d(pmv=$q%gh|Hj!TMK9VG3X@pz**Xb z9sym7$vGWP3G8)*Ad9hP1~lWBA_X zdc`r!-lT5p!Re+y*8hj)r_w*35oY1PiH3XZlvwz$2kytFpKq<^3@-c01OwI_k}c7` z$Ep_c*Vd06aKxEA(y*G{|3sq~kQhgUdJ;`|T`gq%fT0Ns+rf(XSZX=ZX!!~)A0%F^ zc~NF1F|(k$3Ljix@LwcKX{P09zuF)0DhT0gaR40~WWSS9>$p`}k}ZcZ0$uLynyR^m=^E9V zN;MV$MEKnS)KM9FsJ`CK1MNC+S@uWqb09KQ zE*ZV_`9SY9#=#MtwRYw;%cpSf(iF`KVdT$|D`+q5$3yK+#w__+|8@RPK%CsvV*Sa` zt|2wPh=Ja~23`e%0hgT3y9}QLB$-n9pWoQ}rn;qUxjIfpy^v4R;-)=?PU}mev}QSX zsQaOUfT~I*;oN{QnLZm!{Qa3v3^>erI}@P9-qq3W6m}C*DrJ6k+~h zImdLA()&hIqBhQ_1yBpLQOQ4Ss2qoB=N=i!!&b;@l?CR$$e`UG)!JD#-i?Q*=*t7X zGg+8Mx+fqS>}Ok3ltMkxcLe6_D$)l`H_8}|o6bgU%`J+OCLJ2W&=clZ_1GN?10%Nu zD1m)=Jyab*5zY9MN8m)vX2I+)qovKfsyAeG?FAB+@Wqaz??%~vldZOiDyX8`6mImw zz22ryt!fHAqlh!t13m+a>{ev8+lzlTlWq8J?bfb3L=GI( zV2kM`^uX|P9P61k-CYfzKj6B09j;G*rJ$L zhmO&(`r=TkEc=%+k@`Z?t^d=Iu@yY$=vH{esDNYpH|wKlby%2>r;G@aIWIS!!M13u zBs+Z%`lb}MWM(U&=Sl zydJl9c zO7kHzLbAFVaM*(-dG*{l-y-;C^#Qh?;B^YK_%!N&HpjMFK0%$|dn*@O*y&F(M@$L7 zlxfg8J4JHx4ov}r2Xis(GNe0bI}_bYhUVle9>#&|A3mKJ|Di6=U^!hnDgOtYo_$ni zJDniR0BGKP6`|JWcG>uIAj2U$=U6-YgnL45>e=-8;=IZ($0d;3Yl&d;W#44H&m@X@ z{2RE)k7XDDoU+ITte4{Wt0mxq{u9^BMDVQml&+a8+%%Jcz%4zC~_t93^na@zc1etOp%ugUR)AStjV1RES1z58+Zp!>` zm6goU^02@j%KxZgQ7F*BV1yVdL~sJADwe6JRa25yWR+F>vJh z<7subBQUq#AV`DW&3@rVlil{65N{nm#x0_YcmY>-1Ygcw-1iHRgI&@!Xm|qIzN{=@ zap`$IR3bS81>mv(Fp3ep2XO#bSW;f~eOh9e5AAYxX+ZRVW`XeWv|;Ekom{=O&vcyT znXxG@wc%&e9AUT2Q)N7`_#8W1ll&Rs8?I>`lt^zk$1}r#`ub4;#WDl~K`(O! 
z4Q=$5*hIT&QZ@9w^wv_NA8F<~c-tR;*0_H@1~Wtb60@R(Ce!(eL;N~b)Zr4} z8Gt$keZzTS|JGoL@&O6IaY=g-4kUQ=OShWVod~#kQ(jx8D4cNKxvSx9Pdz-*>+g=v zq}tXzZuU;5YQ*;2Dn3(fo!s&fRLZ$F{RKVqq{gl2_x~YN>m~+*Dbz}Qmg;`}oHT_6 zH=QvLO%-d!d_OS@3B4P`)rSmgNiNd}f8%4DL1QDOcXB}7N$)~{hBYQ#ZN;msSErKg z`bRhv%R!?p#H&uRJPX?j8B;J5yiEC$&JWax~8UK>ugeXqxt-?0Y7z&=dTax06$~3_&juonpwA;*zOXqOe;oAA_ux_kvw^A7E^|etx!wSV9HlFI;MQT z7yk@!E(f6W3PE%@0cr1uxqY+%jEo7!%1pp(WWq}71Y;CKS6Jp{ozSfdZkWA(`#Zf# z(H0EiZiTVAYdKdf`sWq2yJ?d%qOew~c{5lAyZGBw!>Az}z?Iw^^R#+M{pfFirP^LOEPcB4w?YJly)OFqf4JkqjV^bksv4Mx2><7o@|1Jm0E%(6meoYpZ7Y7xBmQ8q&sR~;1qf+n7gOmtn# zRP)qU`acUH)~aO{ZLrZ8K;gXhUov}4ojI!+r7bseJL=!%pKcPVco8cGGeA)?Atn9z zO5AmcH~iZNwlbMUFF+gV`yYDPh%LDc9)ZGDqjm}1jHVBZ%0D#IsEMCwjCNCXA)LAeZ)}f9THa-HvkC!$^cgcZ{;H16c zL%?N*No;aA47-G7c$TUtDP`2@d-L-@skrs9Qbsd|YESSCDsmVWM^7YI^CS~Aafy?+ z2>J&2cyrTz)kuu=@K;1;^jn=4Fu5c@u1|aVinGTSXxh%Hm(eS+J@_o_-&Ksm3-txxm2Mfw zF;;%mWjGC~dOiWVHTa0(f1Bjc_s}efbY*a1*oT1|gxHY={CN%8V>AkgBc(tiwGNZ5 zxpjJrm-Ry;*Wt4svr|uiav298KwD{X9&;0BpvvY`JQugZpK`|>n9cw(2Mdtmn0lPY zc;DPTyc1hSqCk0{KCHF*+EK3HzvyDa=_oOnmUda0v-Hx7*R9RW;r_B<+;%9wm96|;AV3?o98rXga+!JgK{#C+Wo^J);#y&#s|#8M%wXE z4$x?tNNg5{fa(CphUFOfMWO4L21p=HMr_i6pWDxhk^GZ=BSHHlaaj5f21jEAGCR^k z7|!W?Y^oWbqi|3RCyG4OC z-wbN6OtN`-AvIUUDYsz%1QzV0g(yB^pp2U(ZR}2#2;#IPQU<2m)uRZIJS`|AI|1}X z&;;=CSM<@3r~@|!u_JSLCPc#pUnbWC3nXhI!eT@&nwmPr!cHI}QS6{xe}oj%Rqi`V zaKONf7`Pg*x-*%pDrHg&ty_IIs2J$1{!KTYInK6BGEZxkoT91$VB9p2Xxp;6xcWyX zDFW(PZORgbMOQ(Ax4Snq=pM}F`|Oo((*?{1I>|aoR|4ysp<&T zxs5ShJ2iX$x2Rfr}J!g&{K@yLmyKRTl_N5oVf2sHc=X-k7VNyBGyVejh_H!cq})z z&%JnyCPBgf_-g6woiYeWlaG7Mf1ATng~D*2MuF`i|CU&1+dUv$uDRqn;_utWt<1>$ zY{mx@swuN0%Pnecsy`ylsbdGcGi{77v1b)AIA(-3V0Ri;kvf;0eE4m^D046FxA5c1 zWCW$=Yz#sbbVMs0#XJ7VOe#s1-%^$X4^BnsqmQie#Rwv*RbBOzu(Tr0(bKdC#zuF# z0y*UOqmmiqiy0#tAzZE2WiuN0AU%V#0ZlC%)dhbDrOJ|J`Lp^9=xk>oP-8MUd zw`$fsoqzDVhcoRS+{nmkt0Q=vc zoDQvGP3(;$QTc7@S4)0_V7JE-xcO%8*m9dRlIr1b`nuaYvv-Wz;4lnSc+^JJpOoSH zLZ_jIm)AGDPts{nodJ?zc8Eb1PWA_6dT{^?j>;gj6ORyIO`UV34$qnU{}AhEcoMZ- 
zlh{tR)rNuY>&;!-jo)5ZvZywRNF1nUjIDH`#j%@w>$9)8V9!)jy^5w|F5Yj67SK}Ma>-nfHo*E6tR(cl44q3p)BhGW z8z~B50|4djT8Sm%8Y7FsjIOTGbpZ?sZu%OMphSIV%a9G4>|tJw+VP^(x`M_c2UlBc zt#qs163e}L@R89@_9A*8I!)^HnWX#4eN=6u^daoDoyQ@|HsO@)&D4(anZpdYE!gE!; z5rz-yDu9KaYyezJ(BHwJKtq@!Rh~^6Lm%KLiEQnZ!s-=|GosAvagFz6f%A{}Gf0`K zQ5FTu9qe4gPfARV2Gt!mVl3Y>xJCTg#!n9H#YV|Gvf!rDRjQI&sh}Qy(FW7H6 z3|DHU?a4j2bl{+EpHLNKVc9JnFFcnXe3RJ6N8=~nve2e;kryrS3`|l>njvd{_MSe@ ztG!85$fay<24rd#m$5h|HFKYKmEw{^MGXMvHeJJ#%yLF}KuX0Y)=a|R|qF7~GM^Q}gy z%@fYc1XVKDUYQllDBvF;KW+P*@K})^XDTt_zSP9ldP+XS8>ExD3MYlMg{g%0+*x)0 z-tXJ!TXt_NG6^)J(lljPb9RT!+!uUpKI%Xmo5+QRworz!N{0`h2Afc|OZi(S9~a?N zyERT=R9mmMWv3?l%mMf>XA%bk!1EgKAiUr(7b&488;WQzMJBx9X&a0IIxe5AYd~3U2Y-B8C{_!txsdMe zIYRX|vcg4HW2MlJ#K-7BTI^LluyE9f0YK0xZdd+LJQ9_h%n{>k&7j$-OewtlC+Gw; z7)3~6KOvSLw)npFB3nH^^E1f4r>+uDD>$RWcCO_7aS5bYZx9>F-9ZC;(V%L{-b-&+ zZ((O@E0&5kU|OOB!to#!PoYr@x26ve`+GQDo?*J?06vRr%e)LClEbA>$mAjWkCdE{+|Nk_^$b#Xl9>OFyS^ps zI75M>{u{}wFR>*pf<_V)E4Q_n1r{KX9d(|YWmb2MBuT@6M2?J`U#Q3s@@sc{|NYvCja zfi?yJhca(dS|u41z@U^r)1Z*saEn_tdh;Vc$XnzvIX~%)j;qsIisb>g`hkjYl2f zVyh_H6lELsKZH!EkeJ3xm#lD;oOXM;=eXGH*SA)u}MtcPgGkFpt6kM8^LzD$WCB<=l?w%$PnRktzp)YJpWY6uO z;p-S{S~WO3{P+5Vy?1J1=4B|$wOr~H6PVzvZ4QE zwBJe$K{6#PGZg_o?ul$3%e#(EbDwov6OtreMxpmo%>bRdY1>x3wYoIZ`0X$6dLs8O zXs!>cDnDhM2*q{$gE8p9_nuWXaJYXBPqa5O*Tcn=Gxm8>&gDs9^_k0U1DDezyy(4$-}!-%scFL>nj&C%*Z!uhhh1RkbSh5^e*X#SMaoc(Eu?(&c6e18V6M` z+#7t@+xFwzjpd>g2Dy-3YhH}}vdZMvcQM@9MRYxOLlmR=d6LEky^%AEHXG9Ybqx6Y zc3o!`d3OELXg>}MJc_gOI4GN17EXAT)*W_Bp3m&q2oY4#z#sr5s&>(R(1c3WZSFU= zhrXtw4G*Kg1RA>wXngSheP1;&uBTgCUGp_Pe*i7^h)MQdY(9PqgX5ac>)^8xUIDvO zX1wMeY@Iy&^ZlN=Rq0TY`-YSniBby+v?HKepC)awchCs=4r5Une&kUU9jTz%ZF=Mn!FxEW!MQ? 
z2DSxq2B7?6C5Go9vS0NJi1GfHpdf00guUuzn4WH*n3X*V3G;{eBh-$B{edeJfqG2@ zKpgWSb<~E|PTMT{|Jv%skp)Il2r*au~2R@lDfg^E5}eRi8|!n1xAnVI8?a~+^Z+=Ppibz@`0bA zYO>-CaQpr9d)Jsn1zWi(9D@&x`?9oI(&I?9>oT9GM59;Uj9gTeT*ZlI`y0?yx_w_l zwSo#~m3P-yuZKYC-c;z;UihE_1HNXnyU8DU69+t`@fBvo-9k>jIFbc;{meN>Z~F!_ z(Z`|kNzBRHmdF=F22K<@Gq{X0)W((J(;;hdq9Sb7Nx`!x`Ip&Q=*Bx*E-%ni(;I#G zOZlGt0p1$%KaJfiXRJAD(v;*3Qgl&%g9;)E36#7tf^z@d4y?mH4F!HE#?C~owiAt5 z-{!hXh>-jCMr5oQa8JCK z`}k-=@gGnuw06Atwe)~BLjqy0)lrEpkPd}o@f59LLsKrWMkoni=uaPU1Wj)0`w0L7 zP;O&UXAx4-jJN|?dsCrG(rfp&gAnB?M?H2$7|(Ze1>C^VCIOF`$0VJ0CaipyWS%?} zO4sOtakP-7uJ>!zgmE>PP*C(o^>o~ui|28;Mc6D6E)0V(=A^e@%R@LA?W?+R92*obr*6lWcEMZu|tu+{4)e`zxEPf&PCf zC1k0riF_%EHZAi9pX?Frm%4m1AI@ak2okWaRp?=%Xv+?-xVZ*!8^^O*jjPW#kcQYADh>OL&Gx{x{fW=@)T#C)(fI0m70YyjMB;vNLtH%-`_!zT-v!8!uKZ{hr-E>rBCS9L>fAkK33Y?)WoC zM}96?-!6m>sS+dfYB=wP>ov+E^RgCVy+Ye7w3CmQx7fS-5CK|H0kw9UVK{O4R6EOx zTIib?dawC+C}*DT4Wsnt^!~5g?#=tovrrp5kv1fK0Vd~F2)d)E`yeK6a-a~RJQ&N< zWdk`oK#C|Oo5J)5Tmk{unJOR;+2Sgowpd)MOa5D85Nggfh^SwQl;M+ZI~iY}g4b(E zQ)bRZB$wth(LcaYzX$xICxp9K20Z&Y7GDnC85ELg&DMd@t+FuO57wzRP&JU8;HXg5Jd=p<2Gve`!6C!A$RWAc*2gRcXR~Kmjf+ z8rO)_|0%7H&q7^C;jBP}t$h-K;mwtE2FYjwBRQ`?wHv1iPf3_4;aT&yy)7acDp;M2 zwol%sN(h}eNJ@8`C~-1U=LDzSWGK2AvQ6&)p=d~ECK;9mdaQRrZ~osSn?=Ghr>2Gc z>)Z9X6(A&`1s|C{v$b@*Ct%pBr1XAk<-~w*aMvFnSH#iQqb=Sxo;~upFin^UV!|}f z(BfKO%Y()m$Gw8ZqY;&%&AcO zSVxX-XeXvDz6=NFI-zISdcvV1Y{DSYpC!XA>iI}r7M;Q>FcV7UuLs0#OEZ8J{CO;( z0EbQBoDXQ?g8>`bn&ZC1o2>7zJ{wuNChU@ZO7pt(Y+BMVjRAvXB0vKB=5Lc2I0LRm zZ2Kz9vR|MqJa^wcE4^LMsQ@_P9BE?YcZlEK3>>K34-R(T=6gNalBS`k(}vd+Nl*{6 zV~GERW?D3oj2V)|U%2N`&Ycq7+StTuOJktR8b|Bmo#;IAMxI3kFN@d$)(egA6~#Y_ z8~4}vd2Vi{?wKB5qlu*3#nRJzuGC0CUkW@tzJ^??9k1=~CapiwKq{h2k*66yDU4xW zuvZn=h@RtH%|>a8t&Q}I-*rY0KNWIcEQd@T=oXDky|NWf2fJAbN$66N*S5FPrJT z4zw4NnDx_xagLS_9$~30)yAgz^Xoi8n@M6i=#Txnp`FbKaSK90muLc2C(sqn2g*vo2k?Tk*MQv!`J7(@K6XOk0fmg zofJ4fn2T$y0;=K;yssDy%1@{5cITHLURE6*JN8el68tBG zLAg((061e4ZwYQrx0&D9#JoYVX2^$GZt3?MZWp7QKpdf(9I7a;{y~`W!pLi8v(_Wr 
zCfgsA8}m4rA4mgA5YD0a7DP~HRLLL!tqmil8I;&h7d(xHEVuasD9N})mGR&Pr(QIE zAwt3l*GL|z`?O$s)^juk9tDtSGABn;K}ui?@=3{(RP!zuaJV7udEiwvJO@!ZKScD} zxQt|xqqVr~c{W67b_`~6${>jED{+7~4m=71J~})>L!Gh5oJ+jnOfw6=`JrYT4CbUH zDzEiN33TetxzlsS>)|T4_wHQvk?;gjItG+%aqFc6G6r)3v_Rq@-*dWFu7VKm@Y@?7 zlDS8dIhZ+&S*Zypnm2saTviXbmW9lboF&v-qE)}O0( zF_>j!Q<|b^B`@0_tDw{uzTB*qr5H;8*ySmzfXE$KVMR&1_C;TtcEp$1&=?_g)*vXo z6SCl$6?G{zzySR-CQzb7Qf70p|1}U;tPXjQ0fl z>3OGL03f<{MNe!*@U@7_tE}|*4}kZ=rBzTQCgS)AK*XT3oJaykdLuFm{Z-Z_=Ywns zk|XNlO6$|gRbvXR*wLz9*p1sdabO>M=?CX2Gl<^pS_qHq8491V^Pg<1YpeBDGb9y_ zF?F)nnW@81E_twFjh;Eydu!Uo04W`#T-pZm$=jB z;1_K40*04-)*@8N6gZQIJu+Qq$j9%I7e5?LtiJ)Q<#})mS!+ZG{5t=uo(d%m5C7q{ zd%&gKWTXE;M`ILypx5*PV@vy3TM@9qH3lqfp?BgtOCM1zO!O9}U<>@b(xbHv{bsdkZorG5^czpIb#A>zANx02Dbk;zN7(e)HJcNU z=7EX|*?b54Mx*`nK%dQD>dTQ1mgDik^I_O~`nI2VgjMP&YqPb1otSdX?<)%TOn?Y# zo0w_yWP)-kuj91sn8Un6IO=@sDQ6X5h_gB%cGJ3en9>Z+bjG*ftTy${5!zHx!m~~9F z4FN2(Rjp`WHVbSN1DrA|V8=)?Y^%Q}Dr1Xl0dP3|OFn}Q=8iFt1eIu5N?w;($TXaD zlnkGx_zt9D#rW%1of2@UTEIO~q@tjx6(C^RadcB?a~dO$y!ybOTJ;~X6!F}#4}@|V zD8;sYRvo}K11%jVJEJXi_@D_w75gx>GBJ>vPm$zdV~?ORP>Fpn=Wa;gFu#wOv6h)a z6;lc`bX`T%rekGIs!7`OV6>+a+65=DtBxGjyL!U zadd}dKw6IV#d^U9(2D{|7!=+;L2W;03@o?UwL__1h=4=JVKE&28OTn-T8zHW35fFe z*Ruc71lcS6k;zQT!*$)R2$_;&QX;VVaetJ|_;|;WcWI|wj6^v?mO8Rl2MPYa(M97Q z?VwTZjO9v$%Qof;r>j8*m{NU$kE{{!ts&t|ts+<)-2Q3gwqB0)&iA<_Je(XF6&W!q zW@k+N@@Ns7P9|jh%_fH0(U8tijt|G*hHD;)p&QrXwylbC?h-eFZC{W>s#G>Hdw*$W zRK^d`2>7D<0~YGLLjx~TD!yEmo>hf(c{pB(AQL)&eWX*VW?b7Q4G(sH0u6XVR_lZ#C*mK)aR_z zNw@YsK@7>b#dIo|_#)0hM9hGM_Gg@N;%_Hc_o+~5kxxeQ(;$<;`nTQ&X~hh9iWG!g zY9n|uOHZW}rRxcpt)tL;jSNdJ!UD{KgV-bxKFl*rR~d?SamaybKS>kn({r1`nRe(73brhWI2gXyd1RtZcdX|R8MeJEz?GxiVtDGF9B zI4xaBR17}og0X9cd;Y-e_D;j+K0DyT6Kf*LGdz?B;D`k>^SM1tolza_%JhhtHGW5pIIfIHsz~Hd&193JbRr|81?Owz)J0&2Z5&?BCBVxt zXTJTd0qE7?ubtTxI1J#71ONNY&GzPWj{`L{XD zPqHWBGy~-V>H)PpV$%JVA+y^~?SZ4yR@*FtG+7?wF8v2yb(<;8o*|+VSodMVnAa@e zoJ`S?f6g&n;i52(qem|YGqTt(OYv1jbPO%S_Y&02bj#Y1p*X0i*7#1W;9`KdwZF`Q 
z@@)Wf1+$D`@Q^5wUkvW;>H=cgm#fe*FW(s8jy3>%pcga+E$?prSHQv}gLSi@_8aB) zZfgfxvL`A=l$Ed_-f0c;kLesU8RbJwBhPSuj<5rQG`bG_Uo=ZUe&9=%j8ZVso~d*F z4|nu+41+I9WzEgU{8s_muynEThYMw%v&~(V$eP*3h+m>bbn$RW^ALtlNalul>-!(r zS=zMeD?9WQFW_PK!kCz^^a!1~0B8Y~-ziC&Q)aL%EZFBWyusa}T*G;^G%_)&JChGf zqjJEaJ+cd8H)*C;39$w`3E7r2(}7PPa_1;M4ElF}fNOrzE2od4hitJ!{Rh2kK-C(~ zbvA&0$xjx3GIinfy(1FmtX>CBH9=y`BH|*%c@Egvewkt8TY&bKiXE?<32}2x|29*P z5)xjEx2Rh*KGZ}17D!HixARJ7-@Y{Vu1>-|#XxG99t2y_gDaUPe^USNexZDGQn}dk zL96b6S>?abZhuAnAUE^J)I78qn(i1~z9PNy1u8!(lY<7hd$4cBUB~azzN{ihU6|OK zfg01n!PjA{7SIa|2A69GH-PeU1~vA$`sX@q(L7#_rgdqF%UIw1$z(L&O6o!T zjAcSWSW?1EEQ2h(!<^4L)HS;4_H}n?Gl&m4DY-D)Ds!TrD=Q1WMJxxA`I?ff*Ch$U zMqS0eHC{M8`;_S`-S{H455%&xh#A6&G3;c|f5rWqYJU-w%BXIaD3q#b#sD-e0fxYF zAAo|BSS`frRo$2uI9RQVtYpkWK<_>+y&F^+vlICcQ2dD6eQBaT8g0Dtlo?odw!jt- zO=&aK0ozUOyF5`_R&O!BPq-ny<6I_(xFE~0I!t7I)=$}u_T~KvfZ)XW3iPbul?0Sx zQHz;s-Q3}tO;8etV+BaZ^~Myci3Fr(hd;vp80wTRgv4NxHn4gTx7I);)!-iaB9C&UFZnR+8M z3TKCV1}C9HJKTCQ3r}|@ zElN}Ua3Z$6vYiO5!|+DSb*crerHElHReejWFd7GMsVoGMjQl8l-Y(9vF|+~}GJAvw zXVQn~{Te^E($(JZg8@;Bb2Qq|-QFd~>v+;iQ-G;TZBR>Nhwf1Iwyte~r||-&ys~au zRh~HWzG=8;#((Jk72&>nHkh?X0qBzw46lEG%9AR|H{9J~OMLyejg%R&>q`hdz)Wx5 z;s6(mH%y9C*zSvgHm6E3!d+D@89Z}PH~Q}4k0P0w_yI%67fe2~)Qp*M^+K-e6Wfx+ zvJ8ANz5mZ6Y{V&4d4>|Qc9*^3(8`af)=3l0rFll(;+PidW;5p*#S@vU-ociLj*_wN z-l5vzCoAJ*j?}7SE_vB+q#9#Nq=}nI!<`*eyd|V>I*($N)~`H1`6~WoSG#v zk4>?gOeZnE@s1NS6KNEh97+a6z1i~A;~$`X6~r4L8DJLQX39$bCl1*JK|kj61kNkJc1+M!`Fx%PeWNKwZn#q9Y_v} zl1A6p@ijQY87q~n8c3)M0QG}i^6?YhN}~ec%t}`AfvlJ4a6c>zV`dle|2wVYGUSGj zOsn|TzT6E7)r48}Ro6D9WlqPQQRSZ5QOqp;7XAQhd$Ruy_i*8xl+OX6dbMa(`>&=Jy zMXay!$cdR5?a3mz1e&bERHAM{Cl!)nz`PJ<{4j`O#dOE%P_i#l-nEUpk1+^tc zUvz;)P16}&b4u6d;C-Pq%_oCd%GrBzCJf#`Fy#T_!yuRQs#*G<>27%s@THRLVl`f{ z%v7a?e=;q#<0v`FhGLs*avU&~+tVuk<~1B%{Zvn4`l>Gfc!S$|^H9`F6LW44PHy!@ zZmZQ`K4>|uUi$1$t;t$G|to<=f5Rk&id#^Mbm`vr;28q{@WU^cY28qFUE@AzAfjC5zQ_imKL9r}+*xmB3f~jdOXOw?OBm zrBBgJ`uEP+qMTyRM z6ggcz2;U*=x5ug_Fd6|lA4mD5nk7Zzp$?V*)c|TvA9WTpTL5APz2JZnR}*t9;Bt_@ 
zictgLgqurW8&!Ql)U-W!o_yfnXLsHd#u~sp`3kB&@Jd?C0VB@gUX}<|cE|-4#~y;N z*^_o7406jW^Ul#?-ZA%3GC!dr^@FYbb70vu4b*J1Wm(dLxpfpWH?E4)#xv+lGLO>M z_j(vO@-t`#XOwaRfRuOPhPNffY65^@&%wCvNE9Czyk+4(*4o^?9KlU4Wd|U?9tT04 zq5(ZDbUf#--wWKYe$cg%Y7s9Z=%!k zZIKZVa$iiopgo;>}=3UfzIt2xn^hVrDD>uw8HR| z#Db~46wM{aOpln6z209!>8kp0xj?*w>(x*Tarw_2CiN*MpKrFceb#s}1e z*iwB}a7lit2)M`X{Fe~rFdHl5W554EJ^F9^QY1m9=qW{2oYP1-xZsN&=6Iwm*=vSp ze`*DzM5V~;aKP?iSB!ki3Hn+NL0fJl*yxoIcF>{WOJ@Ha;bg5%rs6H#-F-BF+ojWcnEfb)TD%i5P!=5w6kz#%#mOe4S_0#H=^E>v(VUd zPte7@S_pT?fzzm=L(pPtPSsge_Sv~{7_0dTIF**MWdE5^h?J*N$<^OTD2Gl_6*4IK zrnhjBPCiK)YfR*EK%X55=?TKwev~-UYDSns&@*Op+MnQ$3$-|{vNlkNXa+Fm<4Q>0 z3=BhHs~cItY7Z}*I7&0#;YSaKLj#aoyJj$bu}|UOHekDZFO>?cXgc>W-WmczFDJ9v zXaYR{mFK%7E{)J;8ae#Jy0GTM6tmaSz6S)vrTHKApn`-vlhH{1$brW>r_zL670nS_ z=Nlam(`)%1rrLVRn`^jcKvh;Uk-u^9hV^ESGIND~r}WA1>T?1)31ZrIM~QMy`rp|` z+Z}01Pw5-?d(4Y7&7!zX$X#5NVs+y%`O$s@DXwC7LxB73DyPFl9G6N*CXP?{JZQ1d zc07Gj85Ete9y2Cs?gB*kNBv68=^2%f3x2(h?#d2K?OXcx$XXI@o#sVEZcW#U<%dRu zADxd~hjQ~getmRDz0f84wj4d3-cbfU6D*{AqGsD{5>1ZyF1dhJ0-_L`iiCM`AV|p# z>MdF{+2TQbTW1Ps>?}){3PspfHUaK_LHB|Kkp)Vu9P;};b?6MZTqq^fcR{w(Z}R8v zy`WO5k31@HT0o*pJf1d3IBixDt>qefm4wM@IWxizu-?j>qVGL&NSr=Y46@Zm#DBfd z@{oxv>yNI$DRG-s){!PKf+AMI&BUxHt;28_dM0JJ@*P2UpC2WeC;O?8sJ*hx+;Pjp zVfqAxvar5B;>2~ZKK{5yS%>do2S=0xV-ff_x7d^c#*G$tL>hV;a-DM>Z|G-8k3^ma z<;inY#_)`uhyETBc$ezwHUH&zcc?ZoQCG0hkc-X+!MZ!r)A*3ODcQlp09{qroKp0o$d;dwf52O`AVP(uks)tNq1 zrN}5$mly(P8-7XX`0xhyi-=HsjJAVE$Y4Q8vIENsQKelwb&=#Wnp4U=oDZmoX&`PZ zjnoH&FNU3NCsLF~VT6w>L5%DNbNt?{E2OO9=(#@xuAz^`efhN-iy4lQtONZ|3>_B` znAD06Me4+w98M0uNeCj$Z{2ur^s!MhyG;p6_4wUV27Qx7GTA(e`M#31F~8(nr#E%L zPcGq#9khCcOrAZguSl_|@J|osNFh=tj*R}hT!7I(c_)Gr(}mr{&p$!K=;moo&D!c) z*~vnbqwHnc<7gIt;8^)t51KzdSuwFkdJ?E_AIVCd;KZYO; z_|N=03z6*)cJTFiO>!H+XQ~eI-(nSx8eYOk!-P%;__cje?b4C`805p+nq{OmlWNT{ zP3b>HuEk6c4{j|?h~0pVNQ^i$xLZFuxu|;O)9gZYWG<8gOoY=yasPn9^lBJ7lW zgi#sRTCDU~9rFYk_ZD)s371f+M^d_x*xOJW7HU6)1u||nMKG8k@|Q!8#)V&1n_75+ zscEje5vSh6^jkh`{ipw6u7c)ZvbJc}+YY4TTJ(mP^Jr8tg&!!XGy>(rPGhXa?bTg5 
zZI@z+6UJTrSbn^7#L1sAII>DCg8weyp8m3?L3&vxB%5r}TFWi%K|iWSl1^fmrgeA%ZV9sB zWnkQ0a0^p`ts1Qr%9`B+&}G*a7}$dZz)9n!Gg;{F=HfEIIm#pKM+lir+h`aLo53_N zE2p;5NqFcNX&mez6;N=W?T%DQ)pe|rQahuzU6#Q9N4SSY6mz1?58AhItJcZBL&Z(>=0vaNp@2)$YJm~$IZM)!01tZ-g5>VW2%S|&7g*pXx?>$fLV;+U% z@K_>@o(a`_W*nsY#;*Gr-A6ai!RAH$8P<2{_mJBrL!e`>42dwjx`$(Qf=xEvf&jd<@MvbXV$J+cEm!czCnuj`%KIIX$(pWsgbG7tdjHr&09 z5_Oe3aYz)s2@;W<Gnjdxy;1>mcAw`Maqvh&z zH1mK=*$-^LbWa_20(`qJV?j#PF^pnYMRi_XlSPrvs+kJqp`H!XVMgxedNpsnRL_rw zv4M5*x`xQkf%ob3RNE{hj!S77Z>KQ+;MEhDnYKtt;$7^q*3$VyWa;QC)NWpYou-D{ zN73ksZf1cEF2ELWIsIks>`qcXjvH77LO0mcBw`Dgmk=X3+m+H=mvs)Xf4wo-GlqAOW6gp;1*B1rq$O~IgxU2U(F?`W zV!nh8oapjtdmC_dK-cNm4Qhc+(43J>t2r&A==e+<-Ax)sCVrLG-y~xOq(!gK0`iGt zch^!nW|0hV@?0y+=G>Ygyi@p`v@ovCSpfXQGgf3mtm}M=^9RVs1Nxe7TKG7&p=71p zRpQ1wV_ACqfM-<;=@R`*QY%);i@WHCff5?}4UeUzr88*1E%^DZRfz z+tb5*dom$B5YPM@+oq1{kl>g11%mK$IWC?7>KsQ+q&Ex&WFeK98@PP1_u<>!0Q_TI z04tL3WYjZkl_UMp0{$mhpm!&irGmzv;+bQHo#Z)W#)oQI7QE9R2(*%)Q680V-|!2o z*g>72E?NGtE{_?G6nWniOgWi}YcK5J%Njkf-3YPHOJHj^3m}h8G`sB!CB8@*{>P?A z(|(zkIdZw_9Vtp>DE3Y1b ItY_Fe5rYB1{=x&}h$MeM-_LmBk71AU~+; zD(>ou8#@`~u%hOt7JhY~qYnDH=bzb1m_{x`4Iq9r&(ry$$eX0~ z1GXNPwh$SHudac-h$LUj1LT`~A%N&@ct14w!A%`JrDLHQ$OG`IR0N{RE8Oz%08O?S>9#dO%v z%k!A~b}d6F6pHU5TjRX;-Uw|~!YCBd!?5QoD&yEffqAVjfDhy2C-fh4NqM5Zu z+gS}R&<%6n4i*=qxl|42pjhenBkE*%LD`JYa)lUb zH06oFqHny*i`FFTe~BR$O!)2s!$eZpMCy>9XO~jfq^^5GbiINeQb^LAtVMB=S6RXa zn^#IU2B3T377@M&U$kvIcdDH*jE=yOVA3P`<#-O^^;`-0Hlbg5#i_1(vCGZ9bMhVt zIe)T2(DhS+CYG1uO~Tf5%N)1oqQZjF`Xns%9lP$7 zAa!mX7(lPRi*iWZ1#-m)Fs;Bhy&}J>!ybED`NQDLlW!IqxR0$RP)<+gFV5MZ6GLOd zsX;jXL;gb(4h`@rnDvL%*Ui>!c$exI7x=2ieyrzc8QaO-Znpv89V%O#r5VCs*xN@6bNEI z@azXE#BPP_XKD=xRo@2v%ksewIV=oOWeqLm1E{>>mvFo=M1b-S$Wd9RlH?dB-&i1`Arve$E~2nDo_6OidETqIL+^ z$d9%~)d!ktGd%ohRq$n&ygtfe2W}+~;Eg zn_vs}vlBZzH5eYwk6$nscp$5e37iJ;%;~&=>2W3k3PbkG7#}DO6-c>X6EYIC96+(* zM4AS>t&pnA80Vsa`7Hz@3J=W)Y?gjp6`na&GM)~I6#^eWLBWttXm6jKNMjMn|L@vctcc#@`x(649|z!(S>eC6BtMhNCgOpk7Fl$ zmfHLp^zG}6JXfoQP!oeC0IJnU08%~V)SW;W(2J(FDR}^}xTHhdLVmF%Wwz}j2Z7yp 
zxK);PNqDZS7rst{H6yIC>WpLWE~?y7<0yv(3lC1q@rL(DfY8>$-CgD@a)Kgic~bT9 z>S;F(&I^-NVKwb;3SMcN6eea2`dmK97tdE5g&95ax>X!T8z#8(kYE>{8$D>|rI*nB zDh*RVgxVibb9lQafq?_s+7lZwv*IZ0{OcXpkRJF7?9cArF!~ZmwgUDInu9MZ+(rRu zX{yt}X!5yso=pHx^9|+3Oywy}0CXjF14|hJoU#LY#0siC5D-!8gqtiyTie@)pPGg` zBwCRA|F5gRy6;A;gO<7KU_K$RB&JekKKT^SD;QmBn7M!z+5$8BxQV2dGLQ<63Xuxm zX$dcu*MG1|L@%`*VvUY+&GuyT_`24aYBvP38NFMnxcXZjx5O3Um&H|6qZ(l1CYMK< z3d$vZJv@k=LSt6nof@+=plk~lxBq1KmbT=lZ}b6p2e!DzZmT3Z^qbRU1S+OwWr&w1+OZ0JZ^kQNEK zyC1l^9g)<+RL`nvC&wH%jun-U))NbLK1L{&Pnk@!MuhfuhSAJ=zYlYbhudz1k(z$xQHVv^4;$62je)?k9gXVIE-afvOrv^H*Ws3)k z0vh8k&nrqc`Y=(F1|UgDM@B_NOJx#i*GCOfHda*{1d&vO?d`G0%U8p6{)DS!YJ|e= zpD*7oWIlY+nMZ7`MackIFKn`Gf7I{8>juP@b!jbXK35)Lmq`VC5-GJKZ4bL$pV;f; z*M9VSj_vf*Hnj8isO7cJ-)067XQ>3fT(^L41cLFP<@-enmkT%ufJxgD<@WTZr3lQF ziy)3OVLohmlYp(rO{pzEN`f)$!Xs=eOd*#VZEc!zw26(N6&2$9a`HV*5X5jyvkqA- zY?dJuMG3AHiRm+z!Yb^KIq=1c4kBb`c%d=|>`S8#J7l_eDKtjP1p;;ynHkKH9XiUy z__8f3qZP)_-o}gtFoSMlp0GzVdl&>tA4?;%z&W5W`4_f?LSV&U;{XV=_*C|zO6p@3 zJz%-_F#|Z}i^nwXPfQnH5;GGTy!casQ?FfqE4$ewE1g75jxXrL;@mI%CNWl##bU;% zk9?{E!Y&aLvt^jX4$0Y(G5TlZL`0CgqvV-gxFA$czFc9MF*N&_jGofNG7jm+j}51; ziv|(paQ1i`FqwamBx z!T-**fh#-USDLS~Y267lUEfW|(Ed0}%xgytpFS)PU42$) zrv^w*=5t0s-}FaMj=OwwEzqv)daN<=wP+_)n2&Zek3|A7eV#3eL`fF*B%}mLM-z^W zu#AeTMMN!#mIEx6WIU8fE^>-(rrtZ^p)CLzB;;-^BeHN6wxWh5zL@c1hT9xJ+1!tO zEc}thy)K^R`O;g^)B?`_v^dnax4;#INRL_8TEz~og}t-~hl*;N36Nhh7D_Z z_v0W`xVzPH1A)g~mme=RKv$XUHSd&^Cd^7D*Q6V$S!!^6Fu`|ls)C7-+l(>G$5W}S z_WMfh8r0h9VlqUtU2L^5DE4%k`c4T}?}^=ZUc>FEf{J#$S8vBW=V6mn>$7Lq_yv1E zqNL`DxEm=6X#vvF)R9q^QPEZrkqn|`4<1Y9yj3RWDM{pf25HZ4?0Pn=kMrV@ZtAy? 
zd(TRzLvVFHBB?ZvRaLO;{<3KkT&m!gx)j_|y`#hWS><)~+SvU!-}~!u#*6!_FTe}z zW(@N=pFutwLhd9o&dtSO%U625{&y_Dmuauzdi35@^Qe!`7kqEI1edBLccXhy9gpsg zUU=j0GL@^-AS@*EDUM}}JR#mf+?{xZ!?GfE#Jd|prOCIC+o-XUp9G4?#%Q2=;OpjT zZ7sNw;)&q!c1L2*=b&bZR#IAxJn|Ng8$P^3dm^4sAI?4=o2{_#0W41k{zH1W06ii{ zc~#^iCC~%9&8RQSY7M}Cz2hO&Jnum)WKcd)eQy4SfYQHnA{t-uN(qeIM&CKlH^6gpciLuI zsU3UV6yU-QtMAZ_){4G-J8g4&%?~3HHz!VK9et*g6h1T1RCL~}f~z7WV(X#lw>K`} zLJO$&9tz-YI}(W*Q1FQDR5!yj%vY!!t7ILpcAb)a=K^2E3Z z7!dKpvCRRXNr5^s0;7`pKfCV)E0I6*gJ%WG3EdXt(^?Kc??iXi#%Q_rw&D;KA}9i% z+UY&nKsslH>StNJJc{q63!<}5RK+>e52Xsq z8Sue_Q+d7D37U8^HF!n`#Aku^{v64@mzHLh>*61Pdve#YQ0eF;JFuE#?i+z?9FHT)2f^eLeM4v4M>Dh9e%y=IgpGG%1* z4A(<{+CG3y!JWr1=r$ ziG^9cO_pcUU~RW@F{{VV)wr92hY{4mwj9tzbnlbhIXn$XIENRp6X$R!b$AZvaum<0 z`OajneyKxBYAp%^JT;#s=C@oo4NW=jM*U>*_%vq1aDmg-*qizgcYnKS3ZzRhvZ;Y@ z8HbZp51l_zzn$e;A3zZFl`B>5$zJ!R7tADaXu&mK9FG7I;;kdT@RZ6n6J_=Pkq^;BOE;VPJ*0i_Uhb;&@07Se^pzSPX|Tc*q@2}BHt-Z zUr>4z^7&vMFU7I^_;bF5K3*72)d3%1Ksv|A_u4D-y~3zwDoiVQP^k+~30XqRL9HQruccsA@V~M({hs&G<)pPZ z`vh{PeLUuX?b8@Bx%Fv)9+pic1@n`#$$CpL-w9*eM5U$TI$kwXY`IZDwC>`zhIK-^ zu~%WW2;9qT|C_#MKviE|QHj8o3H)|?7BbBC%ptZ?TEn42dbCSsATI`Kx6SIqvV_SY zBXEgGu>PzKKjZqqH(*b!{x9_jtRRS0#{&HiHF|`MmwbnubMlaI@Xy!3CkZ6qzEF> zm)^M`<{cWZ(`d>3D3nzEbxw`Ba{_{f(_AHGI~Lv+)nu|zOYZ>55QM-?>y&|Ed4HWE z(!3miq0-~*#}ANz$Mcn!%<_So#rJZ~sDg5Cuwa)Z7iRx}SdU;XM&xx98}{ZztKC@n z?0`uqh@=|sfx_0Z`2h9<4IE{K)CRL&+>#w(R6KCJ5hMnS#aXB#WT8V0 zr6Jx8BKiV7IIO_%+3W}&pgsO@*m9Fbx7b6m0-uL49Tyr|r$$49vFAQl^~6Wxjxk@X zqOP&V>f@svZG<77k|i}HOq(}T$S#&2NRBFq3f#f#>H!1WXk`b8)t(6LN{UEg@ER+6 znJ}2PEm6JSq6HlSfrOPgvj&<1_b_=9`;oc}KblGDcIwn1Wx2=i-E>OZzrNBLXv>&hEg0qG+E|JR8PU&&y)G`F905 z)S6|pU}(K%V^QKIW4}7LqOCJ(>>}3V)P@`3+;@s!X}5^}C??wwq95n%RC}|y5^M7m zzsA`#0(EF-T%<#U^k!0i+MOKtEt6C{%PwEKzz77igS4B);+LItFxJo)$&gZ%#sD1x ztM;ZOrt90#RQ@e*12v;z?ju@lYz^loat5bdJ=3VuAi#fBbIr?0PrGNTFB*NGDjpft!mIS9#SD)9yrR#qqutd(u?B}F>nP*Jf&+&D%F>m zpZ4La0DRfDpR9fVLHqjZ;qwsTz{lq+(&n?MQhVmcwNeB$1sNo0>i8IB$hFGOs$b|~ z;Nhyd^gu#d<&=``fY0J#Bo7>g5AVIO+uVOND_rPSRvr=xkMac5u|?QzoV 
zlH7s{vx!!2U17Fs<<3NqxE|xLbL6{KN0jl~&j!GdJ-0GG&Hq9Z`G35gI~1#vM1%U8 zSLt&^>!|qc?@i_32!D%UpK~N115=x@Mw^!vkUky{hQuQBowm~Q-29h6Yz0cV_I7-$ z?uFOH&llun{ns}C3$k`|JeTsr=n}6VvGcknt!dH<-;0Zm(p>r$)t9tJ>XAR*L4`Z` zkGv^?N5ro`H2B9A#znGhn81~A0YekE9UqARCR}i9d^t zljx7Q`GKxmCq{IAatfyQ-cBv~vh1@fk{Zi7=|)zP*e2-9*mI__=x&5R)A@hZk#!6? z?M(r1jbWgnz*7{ob=6Y79ZXZ=`1X&m5;^BBF4Fl4c4UVvaxV)>yK~q-vN{+)+8Nql zYEJ#hHs>Po=e}&1eY`GUxg_M7>9P8oy4vC@$_8M#gOziGHM^P>07hK`^PMJ}d!~YC%*!FRG#rejuv-p33Ka#zP)VmJjcD40( zrtx~S+NxY)jrJZWQ*Ou}*YcXHtX>>s)txHb@%Z_8b(U1-wX(a%CKkvUf(d1NdF=&j zHQh1E!8yTyzmnWlksGu6(}K|P^q%6=F4E;pcOmZP^DTeimO0%Zm1p|#vgzR8A?-dS zyS(TAcY`XvgXH6V#eA9YUx@(~VJB)ylJ>dTNohG{g-wcK=^x+Es)w?6&tT~j)cE#b<> zt4={W082Y9_e8TL`1&y$V;^8|n;L6kOPyGh_>Lb|goTQ<{+3&-Ci;4X^rXhmebapo~2w5 zhgiHbzAW7jh`Z;|54GandkO7#|4}k&%MpqRAcKrSi zOUntK(cSTRXc64CrZ1kZN5N7l)6eth?1Yi%gmbq^0=rTZwmbJikBeR}?bLg7Bh=@S zy%|Y5NZZ!}Y3$KU@KJY#LIO%$7$IUqsZWQmz0CAlA;F}N$2XaFI6o=ZpJyddj1kBv zT>%5WjP#tV&18u0r$o7-h5>#cY@VXg(b%>C?EF+i*3$WXuy3qzXTFWv9Tc!Ot*Js@ ztMinanZb)YGUEOcnk+)gp;!|~Gb(L%h5;+>a5e#pr!20~DN_r`?WK{-yJ%U1|s8e`+zZ3vLTr0fq-BK&Dn## zFgc104D&0fDh^2%MMlgA2UUPJG=AyDZ;elwO$>OuY)wq@BS8mM=v{+Ar--j>0@P?X zfH7K!#>A9W7{vdQa0t2BJV@oyD1j3Uif30x}hcFT1Acol>2E|kR)@TlHvx!K?P$mwRU2`%m zbxs{&z2w+f;v%``PJVf7qez3|QT0)K<2`|MUaRG_yUGt=b+6yY(_bRn8(WUL!UT~9 zvI$0-z|Eof=@Jg-#c+m}YH4>9C=&vlpDe9>X0Oga8V4dq=`MkyJ4$pAQ5Xjr`C;~4 z+dXwe6z!pwc*ld;X2vk&(KdLe3P;Ez*bN8CYfJ(ib4kzP#7`&~Cd(P#O)V^HCBf%h zORtoj69_*EN*$IIc_A72q;*tetYTnLln$c$zsaQP)eFvXngC$x;I*n`jKdC`S4QX! 
zyT5|e^`#Kg#(4v<$vAjpk4q5X6ufRFFT?~9R&I4>i7l1sR4(x?H7Uj0IktEPerk(L z#bspW2;;#!e-F!pf@fbJJ4ou(*n-v6W#Q*;ST-0Y$yD(WZ-Fq9p~hTiM+N`GPW_(H z)2&&bzvU~a^a-W495KKTdu}ZTv2B2qzgRg}x8(QGRlmW-{k%5Z$EhqPQ&EJ~b4Tfu zyEfRCz)mltV7H?0p8m@qF>csO$tGbmm&f|{3qZM ztQpll-`S4hGN)C@2>`P#fk4$3UiLqab5FKoz7vb9L$e$acN-4>6a*srBz1JP5O5Fy zCOWR&xXQL;L0DLRZ**5~Dv)tt>VgHFG}(ymtCxjDVFMHVPhPfqV*siz2Q<~}u?m)$ z-?n^%$T+82HPghx=nH7eXhl<6X>rf2cec&BuvD)dcdP9l5STR_ef(l8f%g9~*+ZuZ z&B*+Xjoi|smq$7V)zDw|h65VZPP9eX+D{GsVG4k1WTXU40iZxr6qg}LF;HJ=`~6*f zDE=dCSKADv7bf*s_#C7e>zb$!B|HEZsiNM0zR0jH+jN@f0_oSv)ylo{x1R z0T^XE#AYU);s|1`Lt&PX?-(cKHp0zGh}De-mV)zyS?|rA=Gq(uvDREW)5~`GvWMR2 zjHY%2z=LLS!Vj#xLtI8CkL8ZwPDZrZjhkQKL5Ro?8l5w@A20S;#S-FaAZ15#me4Us zSlRu9mi*(@(sF4TdOJ@DR_-_7T?dRrd6LkZ$lDRkf6xlij{bNF6nb+%b#!j*CWbM| zXVI>oESaarq-=Lh&L)QcWa;pPiG+-Cw;xaQ&M~F%;t#Hz|3^kJrNYET6gVtd#UC-7 z6$@jUNhvYJZCPS8XsC#ZY-s)g+R!)cvL7I3FHe8W!9|}}J%D9$$ku%c*I=`KPBBh? z2j+qfR2e&x@Lk!^?QZ!YY6+s-7ih32udp7-g&zE;H02Vzcy8}g*msOs`MTk;rU-Sv1Sl zcQ&c8@<9(f`hnxJ7>NLS1SqtD>bCSH4-VAsWNb1r zW(mOh^wnMsF5Vecdg=6#Ht$Mx8e2_07-Gjb^0EcK^%T#Q+Jo&jOPkh>M4-^Fp#2;t zi^t)oZYl=c%n}1`sS>PL`~ASk6{LJ&R6e=FG3PGb9bR(@wH5&jEIxd03 zy-j*-V*yo0LxUgtyagKFc=1L)4~=n#5^e%CIM`0VErhdFJyH@$f}aqhTSI!?#pY;Q zADudU>vKX-JSY`65$Z=feX_SZ!;X1^>qj#}$xsMgTIzu8J%+st%3kn{+>Yu;4LWX-rS0@;Zpz3*;2{eXyE*tuzG)gyKaW7dgIK zjFs#;`XyD0pLVgn&IVYNo?tIXI>sUvm3EWOmrgJy*jUvbi~7-eAj+0Gi7j4$I849r zR=~%rd-6dSDK5dv=He?$ew8g|TWEfg5DkBU-0EY#^D|ElnY0fC8qOTBb*)y&OzWKwCVR4F2}J2d zSiaSZCfo(BcYKc2rNn;7Z290ov2eq;gGNzlJSaD2Q?Fu$6N<7HzTwXWJS#B@#eA=O zhF~m#VIzf&QhGg1icrY-;q$=(Q+UHS)F0jWT8mZGtlqD@m!ltk*tX76xERGSOf=(z z_*LZ;xQ!Xl6ZC@@JyTmBEn3!?7^i%o{30c>WPTZDfYFTR~&i z`2p;d1F7JTr_#_7<|O12ktEiYy83v8xhLbsF+T#upwlaQnSG2Q#;emu}{X`IR`2|l?Q)GJr~o)<2sU=TmqTlLw!vh zlan<@*<}2502&)GUW9E@Fe8Chn1TP+ zJa(qCw}jIE7MRA-2pLYm23sKX5Gq9yX^ildQ@!KyNA-wrLdjiK@k)p zYnHJan|;@qC_`R}g^&o!J4e#4qb+t=Y;KlG(eruL!~pgs!D!~yp*d4Ag520 z&84n=A;?P3cV#HzFeLv5k&7sef_z(w&|NZ6+?PQ%dO&DiNbB}u*Qe?3+Aqi*hP%Jy 
zZm}YIdK{PU#1z~rFE1gw&8K)&d{R0R=3Kdy0{0(G*DBN4+Df3sX#Gs-%u2{fE&B?6 z__*StAtK8%1?0rUh0+pmC1{sbK03|kDIS$n0E|D6GIc*ACq2^WeQRkU8lG=mbE&N@ z)z&sT-7dFgn~!aVEw5T8>%>`H9M1OfNGqfc=sid2b)QttFD2QA$ykvho1UyF;5lZf z4!QXSdhkbSzBK4hWsf@PN~n=Cit^zJ_3Su;>()c{JOD*PI@s`kg^!XG6qVx8M_4gF z9U2a^`&^2v`UIFwTUT8U96ArGM|-7dH?lE{Vt2}t(=nobjH%z}P+`7Wc7_|_1Edn@ zOlhvDil3Eban78XW7y5t_Du2E4Iv#?(vU?hr7LvWBsq&tK9ld1Eq<9?!=Fl`;~HMQ z*Km57qQ)yCKl?dO#EmoR@;ix`(Zye4yX~xWK4z9vi(iW1(X#MCw>lKRrE9#W6X9<< z%AlrMm4RBrBE?7RPN%1xwcT*$qHlwgCpyu#n%hNat6(&>+;RQ$|BV>O3+9h14k-^I z;y$74&4#a5r%Dn_GW3~{#jUFRKu3BJg;Q^-ghx~G(?#YWSFGV!W_B-aRVWN{dMJM)yjLRIKhyJqV=!enh@VA7(itCA0V%7$AYH`V+p~tY(_k&PeEq83`o_!apjL*5bF>a%Z{x zhf`R_vT@2%19EHSalNNy(BpybU$8ndf>So#97t06VjLQoH5?o<0Jgf>4nA&ksA`H4 zc)oLL2Wmiep^b8b%mVa=1pvE@&Vj1E{{En{LOaw>FKO?un6_MV`F$rG$_g$7PJOOl zG`HpN^w!nna0J^ZRQ|MKMktjBtcaciBse6`9FtQ*`o$pKXu@eGpfM)u;A9nM%1`q; zh!>N2iA(A;f}x;D8lq{#$#)yyD2)0(Jq1O1eiCe%(VwGMGGbFRMQT;k?`ndJ23!4W z!?)szHU7@yT1P%nA1G(a4>kfyQ+v3GG9U}0MrrT}_-t#wkrH{`KSZ`-BlaGv4}C`t zEPA&^Dg$%6jM@9CHX?mY%|JPHSkQNZI&`DT8;0-uO>Yt#nAF48IV*%PRJ(6h1^sI6s*L-O&GqrIDv}p@H9YHtW0o!e*`}GUVpqfn_3ARsPN*xPN zXPU%&NM1Z;3G>Wnk7UhnK6P;s)?v&IIB6smx$RlP<7h^VQ+19VyQMtGaPvDi4V*|o zhCbpc%8F>=U`0nCWfWtQh1?q%@OA~s)#BzS`t9{c8@|DBI?%#+_f*7GD9jLV0pWi9 zsp)t_g)(QP%1(SHJ%nC4;7Ho1>#WF^TdHcF2hqo7_eLPdKjluxU6^q<)RfJomC$$5 z5w_9;p;SB2+>Y`2fe`Z3I(JoqstCF9Smm@ASK5cx+4OuhQ1{}d0_URp)~8;79{+<< z3*(H~QCRfF!&h-}#}KQ!R21zJ>ewZToL^sjId7w9nh@prL@1Ij5{Rb$pydh4 zTJtJ5FDceFB4JbKHp%VTrGS)6rJxL><S_hxnPo&h+$w%z`?Ga#C#y;QX}vD^Cl*{qoY+*oXuKd1yC#oH*xM z(T4(PN=NX4nm+JNstj|pX$giFXZShB?7a;y(b5;$@z{Bmyyzb(WayV^bV5DK`AYe6Z{E*u6dO?#_QNUX#A0hZHWSUHkGJ9_38Qscz� zcrs?7hfVY5nMP3UjG?e?R1GqL8Uu#tyyn<^Eg5G4@%RxNDE^^(AgDCV>mRG(YRv0& ztOB8^sH94?ZG@==0ssI2^Fsg(5Q&AO;czq!G){()kFQ1u6{oHMv7+Dn#f%<#fn#6K#YI~p!r9xndx|f z45;drG#aAS8gg=5)x^z;sU4G<@mLkzb144NfFSm@Jc{f+e) z*R)EpYD=`1^)6bk+(LrTRp04i*uk&DH-(7U7?W{U3oD*+5s!Nm-Z9C5pvqr`PYS<7 zf1vFcA%e2;#tX#m_jfxTt1|qAQEpu2b;XoC;Qyj_4%kW`3d-=|o3uIiIjEZ!&e;(M 
zEOu(~WOfOtZ@e`_9*x(bt;OlK=Rt8v$MT5I;uOuRDS4#G6)L3AeX)!~uI?NbTU;)U zhY7uJhPhB&PP&G0pOlgZtOxEh{h|^Gq#yzwsJs^rP3!!W6YTLdC8S+y4H@6$!O3k0 zbb(2{w+x1EwX@SWLeN z9H3~)vGP5`qJ*w;6IJF?)B{W;m9#u*5+gS_X^~KOc^bj3%J0#UCLQuwsKhY5I{)}xK;T(*5j7RsD~R_b^xGng~azz;>y z3F1u&Z*$y9os|dd{d(Su2|W_kQo=a>GT%LC5+GqN;$Wul$VzKQt)Zmd&$Q)aDX;(n zZ7_B#Ohi%51pdFhU|vIFga4Tw)pE^Wpq6q(2Jaqb#*`YDFANfXtzBz{l*d32oJ9WO zkayZ5He1TK$_9D<3K?I3O3Nxh-dDyro{oS4OZ-Z~u&n<`F}tk64~s#nQ090x*iMH< zA#F0EY(ffr?vYrWTsMEXt_Sy6=yR1U>irU(fITq(q9l@Fa3`Y9BB(O(fF`Q#{&?dC%fQKqCIz9_YQXgMOW^7 z&2CW05j=QIz@U(@`nJam_bg+IJ!#zouFEd)o@|^AP}2Ud)+)Z(x*x+E8AT|WIvXrG z76${PyeX!osG*R8Og+8m3*yJ6UpzY?+9*5|KqNcebC` z?%o59R*iZ}h#=~KJR=gGiV%u4-MH*G?Ouav&RK)V52{%Mg@VLnX9N2O1B zJ5sHv@)-$v`)72L3!_f+;E0XF=Lsreut@BccLp;Ah>?!Etb^1t@eVEw>g7I~l8nKN z#Mw62d1Jq{F$fk7Ep3=-2Wjl9m>+{{cm|5RP~Fr_68QX7x40J+j?##2$v!osrQiXj zTr=Gt2@&{ZG-?s*$y)1zxN=4F3T-#-v-#$!03IT0f}@tvDTRCJ>yUg4n}&H+9bg^Y z!JMmz`>@JoM@_=#HwQwbRX9^v>Ksd`BarpBTZRTOR%RP-e>Y$(XBm-MV@b==vGA-8 z0kSU%y^6+-=QUN|CIN2JjN!iS`pQgVICy16!s7 zY;~<%4gt9>FMR7bd@Y-Bt}OHnaMP4Zr@?L|<)$k-x>bL{wvPF#s<$MgIQoLsu_8WT zA1JyGNS`KJADlJ=)!lfQ*bK*wEOv_c>Nnpb&`9jx&*JxE$5upUYvw>5pK|*#S|Ugu zHZ7DL#xduRI(r;&N#vXiHAXl^-9N3cy_D)08lZZG;Z$LK$jdaTC3DiBsDaR(cfRZL z89trDeoqpabG9~}k*+fu=^szQJiI>E#aWoIjYO4NV@Vv+6Rv&vCM!+fmdG? 
zH6xVE7HbAem`ASrxaS1eA21=-4|)AO7w1t6s9R-g*kq@G-1_* z2-1JUX8SU`IH-+Nag(pq!oP?Cm&Oy{q@RsF>O-_;a}UUc(#5a-<<-{c3x->xKQM=1 z!%A(Pp8*CQ7lP>;xvbzKz_%Ot%o2Lb_H;WB<5QjnsGEt&Gc+F&t5ydK*wW_VX*zP# zDTqNL><;S&2v^YKI8Ylkqfh%DAj-15|7--&xa3GiQG6f|n>(~{d#*M+BV z5I*`5S-i|*yw+rRCs=CIZJdh~cs3jXVY37wRZPPF@=#D`CWQo+%WM!bZ>NQLT&9;b zjx)rn$9pkj%IH!uq;hOGRr@i@vaiSZN?bxu2`e*Z6m(+=0pg`&DAXxz;_pe47<~J@ z2tj!QuyS9%cV93R3EB>5{IB~Tx`SVO*vt@8N8glx$*+;lM^-T1@b(6rsnW5a_!$4c z>#13;-~5xO6zKH6JS9@miHvkde>#L@bHZT5v$X@cSfj!mU_9gSPibrFf^tlT%m7aF zDsbHr^GnEeG7BQ20iCtTvYAKH3A}M9+o;b)yXq=B1OSj@axdm}P?S-(^f;2_@|ini zTa&%O+rkE*)ju3ZnCLNO1M9eWYRqcXo*`=HprunGKgA=VBvqN`0Gz>& zMKQYt_A4EzgdSr=Ov%7qEOF76M>*^B8RV>&$sJ!_Ech{NGHT+!HG4orFTDqWvRIJ1JtP{H z$^8FYg}x;+eQ?3|?${JVD_wcIv-&anFtMiClHK))2XBnZHeP9%)4WK_)3fC}$HW;?$|#V7M3R zpX$N7HjB_`ZNiU5$Vtv$wUT?s@5IWIt zalSqA4v4{4nG53$r1C_8Q_Vkfl;cFVccrIP97rHz7;PLy5S4$1zC&!a_X8mw_|8bN5%86r6}0A$YoGIY!xQbfKCCle1@U&)!UD%6X)g8s)xG6`EPHcem+Eib!-cG zhJJN-CdMMUEb1`oRCpYmN`}Mznq9Kk32KY>NaE{5;HQW8!t(~c24+?F;4BY89T27m zR$TvkGrf`UZvr5}#1BK!2nozouGC5}cSfhu{utSQDz9U43JUZv1TX|ztIDz)JEti~ zi)dNx!YkM1tCV?rNaJ4*z$00hQ4CoxfZVa2Vnk07_Zlb;bR;aYt&wbl2ju9GTSN<) zhN;ZL^rskN3gSrELs1SCNIVQ#dAYm44Ak}Lq&4fXq#qRr3X%@dKF(=%u28~`yWMh5 z3+ z)~;^wvgIs`1~iF+HA0Y+BDfN;t!y~Zl5{RmIq*A_4#-4_*h>FGFIhF2KXi-b@TZmN zGKpo2#hAGwI;l}hJP4%L_EgT8DnM1O=T4w!$Q>CLo%#QAbC`hWAb-{ z6E#NqUfVpfJih#3pkvHT7_%le?_=&hWU&5sR~^=12hUKxKXSUxU_UPk?qkRA92kL6 z)z4U|eqA~IobR@eo9DG7?H(wTLtp!IZI0k*P+Ffpu}&=q*M4<~M{!E`LT#Hpr(ij7 zcAw&7?Tacc>3gHqy7DMw`iWqP>G3nMeMTVB@8j~xz4C~Fbaf{@60Eg0cfa^|ncSS@ zOtQ|7y_Bk0%VZyK3DU{wVf#M&^@WdSl)(rg9=KT=B*slU5aJ_dHM$X;8rtXvLK7}1 zkixJj6BEZ~Tpe&sS@lT-&BsTsPH(&hmwgiifd_DsVr9H3#Q6ZUWFlAO0@~8j`+b%htPR<1jsTgbtIZ zUDDa;e%E<|5K%R72qNqiG-h`kE(MZXL~W8IX%&Pq^mT8r(8oC7Qq^9Q=KZHF|*v90c_rfZh{EvH5mN*8Kq}BADMt`vA zRW=5+$4DqE-Iu;i!>nHyx~Fl(ul}VIxUlH%SHxy{s%O*XV^K(S*op9ns41R)lQ9U- z1+?r;Zgx0!o^_~6!ye4_s<+&;A67#1BUsz)Sr}8s7iy0LxVCk`|6G#5j`x13EMQ`5^ z{=@;)gZl?#s->^Q_I!)w*b6hHdD3kIGM;Q3^;;#G!Nqv%UeE+%pfgs};1TvaHp|dv 
z(}S`BuF?okKpga8uaq{l-12GuC0p0CyUGp9w&~bm3$(|Q*cyJwAJKzkv^%4E`x}9f z7P!nG-YKmZo+GhO+sAypS;5rf^A)HPM}VDlP+rD&$r!*i8_IDCe_?xO+_2_Ui}h0u zdo;;F?`NRS>qw|JB2L52iWHlXAQK7oM0Y8Gcc!jEYJa#Q)iKw=rX0_?)*brJL+AF*)4JdhQ8+5^Qp|wCt3PKAu`C_?^=hzwcU=~TF+9YY z?7lahI{w61Y$m(GK%Ltn+PnzQt+@Qwj=VV2j@ES-d5$h3{texrwKq(au*8=a?Wpm| zgd1;Zn033cSJ1%FDRhpHr*Q!8D{;r593>TO06E>)R^bY&FSsv%HQVs#^fTq6o@w>Z zSOG!X4NZ^%D3k$rKFNP`v>m$4_|c%p;`CZJdr@$@AZ>6)bm)k!IAQA)Pi<<~Z(q@OpX@bu4`)vyp!hGU0Y3KI`cw2ki0Uuh&6S8d-=<4u z87KjhePsF+xodZWL?Q&`(u8yE*l2?rU8&@BRbYlKs+|+zV_J%7#2GNy5^La--h`;r zt4t0>x%VMW z`>csDp!C4q=tbP=2YM6}NPLnp5&Q#pZkYd8cPqr{Wi4>$r6M7Ev%>)8ISspOpEy7w z=M$KJ%!9l6$N|`aY2#S=DLlTeK6Z;mpt+{uO|NQ=F)BxsYQ3n3-5YdJ(!eQz;b=$3 zS){f8006KlqMg?})Ur(!$XN*!{E@8;sQfeXVV1KUhY_o+OoPG~%OVfkD2VU_b*y4p zl_p4X&VAJ@2Tj71c|4O{%irVkKB49ZjN8xukY~ug+n;m}9sj#A1B$<+JySB%f$s1X zu0T>hWK%WQh;FNEKPR!_m)^6c<%emw2Rxr@u?L3->YV@$J)eSwrwO#i*d3ciK>mJe zHPv2~$ctjq`K0^-^X~vx^l%1kZVWUN^Cj!Rtt=TNG+(8-W1r-nrR|;v6)5m!T0psv z4CtXe6N^*I?G6%oUNoeg_-eAQ`$Ai=YaoK0h@Zz=A?Ky6(t9&pp-4C&095CR#2Y0`Y?_uf;1@T({SQRWb1x$Q_QGDJqS8uz`Ip zsEE2>grX@;@8_;ZTdHt7GK?-ACK)!8Y#?D-zX*CH$+|zc^obvQSik>|x)8*yV$kCC z4DrX?ByDXoBMIM+S;^cs7+3QTW3QUc4}dn7cjB6IVy}D+Q;i*Pgn0IRz){#x{V4h` z;lH+c;j5!bZDQh(MnWGXIUZtkCFyV;%47c{rdlw!@EYSoGvCh-Eh)j5BjpyMUC51%&NWR^FDRCrQCBE zo(0P@iaZDx)+K!ktv(k>95QJusyspf)01 zA?Q|IMoU5tk^@)5WtS_5 z&Wb!%t@$fD;zfv79F}3l&GK1ZI$Q={4&LMAd>H(fHNdY0jNjg;Xzc{PAVn~v=>NrBA+Snlf>h|~W>jFnG-;q(W)BPy_K&|hLe?sR|sjc?ln zQk*^U15T?k9LF8yA;Y$WbW{RXxH_elRN8%)W2ikdtoXSd#bpH8%d#n<{Y0>^jHfi% zDI7rQ$2(SqkA7jkmq1lmt_N50q|YT(q%D~3@7zu9Flgk4dPE99eR^VK z^&)VQQuW34(&a0Oc+K-yWi;Yt=W(7a){ti3zd0I=_9bvY11=|c{;Xs!$4OWX3w}{X z=eG(NoM^oEl^j}lM;>JAH%Q~#w&vS5JPxX?qhG`M=uMV+pyu?fy3A0!Kr;s^2@@rz z(ZLkH4pNN&m+PzRK}qt|0^pN_ApCDl1 zUc+n^CjpSgoD|pq4|Fh#iFKNvB1U9Zj;Zi~2ceG;6k7nnx@nd`itu20UV|lr3YK!9 z0e|Besj*pZ<~TT-Vrod}^Sd&unh8=^p>8z<0ThM75v+K@$wbFCIhgjtQv6jU$^jWg z1VLr){pVy#G(qgSoF`u%ssBmde@KhRWZQf4k8(R?nRg5}+wctsMYYprl+#z3Cb1bf 
zXh&=@IWro3a(SS>^97wMhIDo;SjD0|MazOwC$%@Hhs9LPgI6(|2aLOaaW+U{VnT$J z>RXTOzlNATkW;sVDv=7@pihC>Rg06hA*L3|tdYZRiUIVH%j#Sa-8BW?bC$6^;>YI1 za~f$H#R~Ib(}^S~zx5j(PAtao^TCuiI z7^Jym2Y5kp$?7?y3?tR<%;9!%(wmuekzs)VujjCmFQz9SFx~AR%pTa~w1I1LH^9RoNlTArg|j6PSJ3psx$vD$q!5^+{Ll%WoxLclmJ@eiQjH`5BK}AqiL*!uA-I((o_g=&4)z}2|0m;JhCiB+3aKbP8Qu{v zAB$ss^xwRvmKQCKL))N3Cpo%IGyFmm4DW=W~0Rl04q&6PGn2;#td^v5#%vp zM~dDF4_OSPsbjroDJKff%be@(Td-Qf%b5J3?Rt1!F~sK)jvdMUvQ$jdY<#cua`cxv z>aH46ppZ3}rc_pW$3I5fZ|2 zx~hZ78I!fFUWJ;Z(bZuVtCu|Sth4w+662|CPZ|v?Xk+0A>ZwMwDf$TW(T-4T3R%Nv z_yS+OKYOxPV4#t`(atY+n+kKFhw!RI%v41rQT2h-C$+NIhnNa>xdTHQDf5$1D! zVvpISgU*L8c32PQAs0zN_nn&!c@Xe)EesgXBTC~Mr|_E&M>mRi0kVeYi*=pnE9)I? z#Uu(yc%$3{PFK|hdq(bCR(`IEP$J^NR4I(?r2ETcKw1&fc{%_F0`6>vpW~*}ir&Ai z;sg4-+6-fHnZDsdH8dm7 z#fITclH&+pz9A`zEMgjt#R|=6`pZWu6*I=`fJ4KhjQx>4aDMt1$vxb(z}_@xaV?1M z!@M!Jk!r-_g#g2_3T#QfntQ-u(>l4g(= z@Mwx>Gy*4Ezqyqgv>3OrjAT*K0}JgaeOt!GYx$UsBb%C;eQlt#H zBZP5tuEztI7R`^0oCZstl9a{F#k*%!wHI91cYU)-5AhW-&F$gWMyODzb*NoR1G{Wg^vvXEciuj!Io@&ABd6Z4`Jw zY6`N-<;XEuzzFkuE;ik&xxLHOa1O0~P-aN#SMkqUw2~ZD5bY9|PWGm(F8ncBy3i*b=%bUxOjshp6BfdSjRFwTgB0rr;0Y(fZf zH1!!0`-0N5%a;=%W$bvn$cD&?Vba?djg9*ZW1Jz-!1naFrt1l= zs8aQX?G(#@%DpSxT;A-(C}P8qp55*+T|ly;xF?e~M5AfDw5TgByUk!spP@xc=>cMt zf!NY|Y1{1fewkA6@3;b&G3(%&P?_T7Hs|_Dvn$jk1e0@!ngRB^!*i=bEij2pp_Gk2ed>(rMF+k40XdQf!p=IiO1J)-oVnxx`$%v@3 zxQ1;$S(}#=r1&OKLJx0$PnS*Gd3%kH+@1US-UhKKwU*uw_YBbw>32V8a;Fc|gvm`m z;S(Lgqo#9hmB55U|&Y1IDn2bYM62l`q(Z} z(7a7=>6LhYm9?oBJY9y@P=lLN4P5?NwmmTmg@KQfm;Q}-G->4x%xdh^(R?%7*E2UFj4p&y@uwaMM*ZGi>q+RJ zf6=Zvyk1RxC;xW(B}#3nQMJbDG^f?Wru#)?A%qDYLB<9+v*`o-$9?$LXs{%(-&xH@exHVsT$F+v`z+vvyEM&LYJEw z8crCgh4ARRcA68}yf`OD&-HHGgggp0%@S+T0|26f!9qizX@hM_iGFqg9cEhJg0fEiMaVq5z}Wb)V$GYt4*YIw zsrj_~RGrlY3s~ah&NXtn8Q}nNQVtipjvE_bXdf9UgyCuqlGquIe~awdj@C7`aHWGt z5D(>PA${FjDI_qp7*dLJ)Mg{mKMZ;QXYRD`uL`(C37$=6~ zIH;RjE?EvFy8X24u#O*&n1I+QBKHlCL>;W943_VWWnf(<9dw5CNorxYQf%~b^w%4Z z-R_tI-_jgC!)s8KEaRq{Tr+lcv?pkBR(j;72}1hc!I8MBO}+X}Ifi|YH4_2jYDtuk 
zZ*$L%+prJFdA?#f51!|F6-5}=eInq6@2T3Cr7sLiV_^IoBq}G)w#Fs_Uw%;0@M4Ug zaw=LmR1Kz35QeR%ESK`Gbt)DTylYnW^|yx;z`U;JD^KK4H;`n*U&khrj60f^S5NYf zKa)a#x=sO;r#nZbR0(s1F^{FQ5A8V^$DDu4-|ugJFXxUFe?QfI(gp*^qbBZ)fcPSH zw3idk_6O}0O}(A& zV`;jQV}(^P*5K~uW7|g*hS@sq<%rJszD}+rM*5g$;U_qJ`J(mF5STY6=}pkwi2YBT ztHrDhQF2#vNLz-oR09Bx)w1uK%di=bb*xHOMeO=#oLWe)mV4H(;ObW+S?ZuYAZ0qWpOV9$1qHL zb^sME_-%%Qf9w*|)v=q3xtO8da2TKOR^=EiLLl4JoTMvHQpk4bI~Jup7vP+CU%ad_ z2gH^aa#)Uc?MkobyBWxnd}^S$jF_0(VUNucM>lM}O0#cKPdR4Id1M~CVM38`tVN7@ zZ3g~Ps|v~-?Z{tl2J52X$9Zv8uk%6sl5mRfcdpm#`Wf(P;Ffd#(isD1{NxH83}7%$ z6o-W`XR(;rp#dE@8f1d!#~bxp!%14psZyW8bIu5g)gp@~!dnu1>tJ0)v>PHQ(P#}2 z+_2gf87(W~?y_k!9u*IkrmPQ}ru=T2Lf7j6ZskE3zT5yn3esuMEE=-dmW zxsa2iy@cENAE5Jc&U>=$`v`bCn2npx;^KC|R)t;E{y@CYt;_13|F`n_PSDq;TR8=uBb)U!xD`vq|uC={+ z?GaD>T-Sc9rB@GQ;0_TdBbU1@QagCn8qsfDP?)f@N;DURpt?3ts8}6COubo!up#uu z)K_G*stoI88c&Ecrjf%KXSImD9{gC!9e#Qvs<8?&rnyJz!B}aGs*6`G8V25})(#Up zWtK;_Zeqpc8en~g5yxMQ(wH59^d7lw4HgddG6~^7YGA@)VQ!IX7n&G)>2LS60Ry>M zIC!;7E+v!b)k~(AHhv(7cNs@fr7k^#>cTx(?n;TNlVl$#<{hjh0fo9?D>?5+!AmF0 zaW#JTW+zqLYNu`lNewe1U^5o^tbHds9-$%RlTz1;(>5YYbfaCOytR5Ijb0x?-irf? 
z4Nx{1&`oI<8&0K{I-%0wImjXri$I5HgGv)XEE=2`;o*?n8i+8F)hlcIk5&OfJb~eg zrEdII+qcR@1nMg1x-KY4 zru16(+)Xg2H4KS>tE}%C)}H`2z+u!5`h=ajWY~#~sp22( z!S)SpZo^;v_$ineBp>YVn+DON8?Q2jXkVG|}IvEh% zk8%X-c|(MFae|hreW<~Br^@F8TgdiO2J0wxpZ9n1X|DwnsSO#Poo zO-wJx^ZNYEj5p@nQ{0Y3@2;e+Ka=fX;>X#qao+%gf09 z0{avXtCWhrek0Oj-2^C52SZKkOH!Na;-z#n#89t!)2Z-aIESMoC+C;X?gnrU>$ds% zIVPO{y%h|sY{EVaN0BrkJbq#07JBvhfk+xS%sFkdiGqRU z)6o7|zhK>Ahj}^D;t+{utTjhU3*mDiw7H-ck>VJwT`3o zly`%ZK8>KE)LoR_v zS@jTwQMH@fTPRiEB*6BTGG6=9vKLfg?g>LKOgHtJm6ohOh3F(ev`J7&PlXIO6iC<$ z3u#LYg1#oqepC8l#WbY2W1Y{hC-O)Bsg(0edD?Bpqy2aGwHW~vI+u4EGVOZ(z%nxR68(V*H_@GV4I-z01p<$|93p) zwH~x)=x{{Y9@lf7aeq#}4hd;v;5&fTm${K>s0)vPVj7BA3}}qX==d_W7?sZKxfYKb zk5N#2S|Wjb=k>s0Bpz`N@xTa2Uf>Qj3qH@`&`WcR2Ru4Xx|7u8iF| znOLSD0#ANjI_vW)Gx-KB8RIX<*z5HL(trN$6A-ukVM7J^-AD%r`Fvikeyu3<_ZM%g z$lmNXMds*lp!y7>(}Se?KpFzlfb7utSyW4s$_ZORTx^t#W1kms2M@R;#@a+}nc&@v zYu;%WO7=fwvd+kN2F|yG%*e*$l81=Gu~tJ!Sojrj(z4Cn6%>Us=(G|M6Zja+h}(C9 z&5y{0@oUGph<)MJvU2lg=8LE796JfF$9q5|r9tb?gRGxB<&~X5==n4J^63?6ur|-& z%nDTQ?{DbzQun}Tkl4>!d$wVlOi%V4Z<{C>hSxQN0mT=O8$f>zc|> zZf8OWCl18_Y1yS>5)tui&!e~pED=n$3(EEq^KabURot7$w8m#kM}lA|P^6Q!a|Jhx=6p*s_>GKBxT%5wp|wY@S)Z#q1t313P*P*MCi^e)w> z7?Jedo=yiU+X3nvR3s-ZQS1y5pU03(+w6g~W+yAz0#^OrM@d05IQqT;9oGhF=N;<3 zrjy|(N1#Zge+&(I!sJr8Np&IveJw%^$*uH{Tbgob#@aT@j(ksS&L_I*e2!>% zHKTSt&Swl*h_@T83FS?jmvsu=S+zjSz8{-_WAXKfrm9e!B^LF}E!VnEJ{T~KI#Lec zL$q1QxUXZ_+}p3+&{c05Gr$hwh^5HlJ3;#c7FL35cC>Hg(vL<4&PTz}H^}-h16Hhq zVJ*ys&tB1)MS3gf?bz=~>$2Bd+>2pre4ED^iWIv>8P=9_Lz$O$h2ZFD1ClTOxV|Pt zTOBqsnfaHWZR)YASeL9g~)Y~ubj7xdj zL*tP8K9})#Ov;KeVA zN`^NEiRfsYk$@w&vOmO>vpm!kXv^jrAy0WaHMXJEl0TzfV`}IIJLGY#-Q)Ys(Ti8p zLG9!tTEumxc3rqC02nw?y*cl9PPk_8ADI%J>01aZset*1TP_vYfhX8RoHE}@3$JNU|sx<5S+arg7X^sI7k6lzKl8J z#3=qnj7@c7a|+-@F$*Hn!`!vL%f}+3NU|Ba0adTYpu`4Nfag^BC-)p^xqF9NCA6pG z%O!ba<)QRLDhdTdU^$l7ifWB3USLdYu`4Ck$`g@FDs$0N3!kM(svB}tD<<`qNM-A; zYJT$VM#mnO9V1)z6vFA$0BDYQthQ8emZ#F7!)eG4V}{Y~$|0;yxzV&w>t%y#-Yl+l z(kv@7_d_o!z_z4h<~G5?oMCK5)m=XUa+W79qF59KJo%FyGJo`>K}y=tHJ#EU5faS7 
z46|f)Hc?+5whe%EiHQ5Z0q+KJ(bw@8@-wiZN(pOZvQ&hb{vo%K1)Z_yl%gxqar#m^ zh3REG@j22pNx7o{%;zurlY%18Pq&o*#rNmP;qIQ!Hb{h;nHzMKSobM$L zsLoEWA2=sYjGWcYCdFBm@OI^_4lW^X^d7XmJwJvGxnz8bveSGJWaY^ER@3iS=y%^l z!B@d=C7Fp=W3prX?+Q zigQo-rG3)fu!YsOu6ZLJTiCh%*SYW$yhx>$Eez5xbP~e$A)lUp^-;*+)c1PQL+H*l zcEtvd$m0V37JG&rfKE#TmnhmTc3PZOASxn3983Sa7^{Zau!z|pz%U>pd|Q^=6xJ~P z_G#q?bs`14k0h~p|FfjVrjP%>ne)!^ml*u1)Dc{_1AlNLXX1wi-M^ctr#B^=S(=2+ z=CLwT3H!U$|Fv-?TF+5_2IH8ULa+;)iRl4B(r!(NkbF$=kWb6?gs>blIom${S(UhK zY!O%~D2W+fa_7CKMci^U=r>QI6T=6`_68NmX>R7?fgri&2T{MIvBSB!cTkXC|-`$HK8Z|a^5%MXnm4?Tbl#w(|&^9isQI}sW8X<(u>!!ejxYsZ@v@u z*{UQmvHjx_7r_p!UIqH+{_C`t$WNr=4od4%`r!)$fuZdX+H9XKb_A~7Nau;z+7Q5d zy-ndyWzf`M_@h=kjHU^O-_2v12kpQNR1~VcCJrP+y0GJgi?nJo;ta>cQs4(5ud0$2 zhxX!u!5Bb5^j5}+rUw=r01_ojd~SQgc`)g_KeZpIP(962hoh`_xK&%@RBX&x5%|II7aVTd)SW-Qm<_v z(!U!7+(O8atugA*oHLXmbQo&$7DE#JCvoQ_Ug`=^+GkrG6Mq7Q>n#3onJp8g|`L7B0KSVZzV2PVy7L<7f$i=|F^rE+@;E{HYUQSH5k!=cc_Kg`L z#?b_6-*4te4~dPdfxd?x^HpP+tnXd7^-pKM??`LLpeeIrB7#*6dxt(X>p;j3$<9vU zecObRQ3E*YqgSPzf~P~)mq-jC3fyxJH6Tv`V(b8Sw$l$>!-W z4KO=q5l&jn^57;zbDhM4dHZP6Fcf4tQzk5Un=}i~5oJ0Q z&3SX*XI9|=UXD{(fVFcQ{MD8Ap#UV7nm|{MJ+HZe8nPL>`SbFVls~DOh;Q05$;3S+ zMcHqF*o5lL+0ejX(<5Y6F@^d|yP#&t;Pn6twhj7xymz=v4H{K#a z4IDGzTo!CIIeBBekq-{zD@XR{`=UvZs`99R{WY<~?m9@bVeJf|Q9q6s(ItyzdwJZ5 zoZkTE^ba8ta$lg{iB00~DX)W6BWF1i^?`=pXci0cnoeV+jY@tDS7a%c7N-!K@ssxC zlU%_Qg&xvdPHb4sWl*1JaAL1PjohK*#o#B3n@rxqWv)hh0^eBD7P%D_)oFHLoNfXg zJRO-=UT)yC{tERjQ#ZUC{6;_f(g+nbe}UI29zstVJ63Tz$(#JC*~4&v_WcPm;o@v@ z*L1$l%i=mm=kUF67p&}T(I|YP!{$|bEr-{#_bRfLJ1VB|v0GX~uF&;45vCgShzGPn zVdV+W*>yKhkQhfw&8Ht*sj=_~kqyAQ=4{7XmYt!7UTccX4>4$dZ8`nM_>L2&1?B-> zr|zOT8_NJvvXpcb*~~*0pm6`Bf0Thr2nxWri${}yuhMRfr| zC+O(%C)AoB3N&`&v;SEJZ&3MX^>LELlhSAed)q|bIm|$)78IfVmb|5nBv8ZvYPFua zKB!XMY~9i|ZI$D8>(sVwLso`Zj0fR7OF<+RlWCA7;FMtj98D7-34jsjDZM$w~Uo8HFU(oPO=91~Cx+|Up;xuUc*S)tTcAPacEV`U!(t`5l_KjqEl-Hu+(u~wIX!AJI z_Z_*Ue+t8!2#rUpY||Ol`?g|(9vbg8m+(>QPm=P3BXk94QZtON!Zb?e#FEFgSr-@} z!J3@4pYp<-nb_elHC{uRc>~`_gCD2}E|KP;Lj(JKRP^m-M7KK9PEwBVMl8Z#6?apCz~D%%K{ 
z(M6Y#r&tI3ywvQ8^1zFWfs`(#hM+=i(l8HbX@YWGlsCX?EkPLC-Lwlv4c;eq)Y_(I z`IdaF|2yJ`d{Q+7xz-Qq0)DL+MeG9C$pdcUUX_m^n$HL)GC>flwu9BO>?Gg&HurOO z57iSR)!;kuRpVV2aoKxaj?tmTG19B97_eS#ahB?sbWyvJKtEUkTsUyfj(;p|t;?pO z#KQ&eIPEht$Nk%HK`G!|RTzlXe2P3j&q!e{68l}DU`{v9qqzyo+;ZR4cQT(#V7lhY z+nLeIb6Iyo6v)ZxMF=&PLAmNojS!#Bqa1`mlAvSLZkm-@WnX#-MU|gk0z;2CD9!A6 zO=@-9A0ML~2kfD`)0*x^ci%;`qzJ5@F>QMAH+eK{>VOuWtE0T=%zVOg3UQU;!Svh!BgfQqDj+B2gJg$UT2y0V{qFQ`KM z!n}rh!Yk+^6rMi$WkbkwC8Uxt2g7iaU+tBE!U535y^09Ib)q^E|D{|z@j+iKhRFTE+4oX?C%_EtzJ@mU;KZWg0cyXCRXK~5K{?mA4ze^!cdy29 zuGKd1@$N01MI>_bgxygBV%A=oL`|xRv~htsrrObhj@5?vuoKs8T0iXxs*iU2zFSsh zy_M^(Y}aPt!w{ipEo*z*GqMs&wIYv&G4aoY$Z5noWpi15bBHe+cF4Sy0Ijqwc-qtr zCvsgHVR($Zt%dGYdw#;t$(Q(r#{q`qix&rt zt@#3J^zOYyN{kZ?nqsF>Hrh?6(tvYpAToS2Y(3?8mF*eGtT~tExtWhZ8+M*olkHe( zn_OM<=buBnE(c(aB^(-_Q5O}P*G7QDHIgP~+r)>zIw^$(_60MfOUY8`gsurSenbo& zBjc=QEYNl;;V!Ljo*mC_`|Ld67mgN}Hp`%kP^hh0Y=wPWFY9i-3(#t-LN-&%^p$Qf zp6NFAUJ|DKIK+;HnH-2sNi0$7viK_&hJJyIJosi1R)-aN^WQfop+uYv_@8ZHMg>&< zx}&kV=(X*d(b)X|#H2_2NSL(k9x(Q-7Oh}@G^}ioN;<*(p0|2}` zU)}1EDfMyjfYPIhyc{Nm_4T785m_{Q(c@u2xR6V!KMj&d}5{KB^--zRxirA)gLDhHLx&nWb4h-O*jBHSalF@i@`GFr1tq+pM16Ja0x zDnsubs$zYGU!aqNfoWxx{hs~9Syk0nA6%iyIAesJ^Z~DVrj_Tr*>iBWQP%yPg^v#k z?Sipus`38Je1?HFp-S@nmqDs#0;U!EU zpsALGW$6>MI{PT>U+7GRR02Cbto<5s?(^^E@V zogx^#%YY-_FqR=a$Q#SJ#oq0{S9>p!Yppoib`e)@tDq}pzAq8DLZU*bvyMywKK2pv|ov>41gFW0zyUB-PeLHTWW8$(w3Ox&2i8S(i>&QVzxNGeTCwQ+L6Y-(<&|M6w|7F{WV{JD=o; z5Xgf|*Wxg>VMuXi#W*h|;tgic%W+Abkq>*quPLnK{71rxRpI_C@c2?iuppP*Bq zs-eSc`#CJi;h(Q*n5-EE2}+Qe?Wp5mu9p^?Anb2xHch!N^@_#43hI%PIb$r?BDHCE zupf=u^e1ssY8&!Q%U<8q`Xe<5wJ?Gxo3z}dB)_k+ZYjECcbi@*luA05Z0n1fbYNT# zgU`y7*@F#d7?3l>)ZHTW-QFCB+iCs6!~)8}{DXviP+-f9{bCE6=RrU)rn{IjFDta~ zo<(nq=|qIm7Z^T$R=E(So+vKVwsaB@ZY|f-57cF>hOw#I{V>W#DeK)lL0eXJq*j1( z3YCt90%k?8s7$gpZQ<%W+3Yw%G&B=oJj`3(AG^a8^tCZH2F5e+oVx0skdhM{O>>0E z7g4oc*mlpfwl7K>%7|?~df8i6S~eHq2OqzIl$ssz_ebGM_GoeroaRf8yAj1<3fcAg zV}O!N_j=UH`QIsb^I?G&>m+Ts)m5`t4IdB7tEYzZo04$YT$tRg%H^20P$+)VO={ro zt#_#iu(wvhnB{WN(;H 
zoncn_=f#8xBr8}Oh@jYF`$Yd(ZLNe!uTJ7vLONSo5}^uRPNmx zrL`&v#rPpdw)aYh*=@m4A&bQgEmKhiN6~FPTwJdUH?6R`~TprB`E-LwZju*>ZBg|3I%ZUK7 z(ElyNj(}EcuxQOC5lO#ZVXdh^6S&ZdZxk7HZIP8}FEQoHVlq3^E#^irPDK{1tT4F2 zg0X!=GI#F`jr>UZ7z7#Y;%LxM-9G&xS7G8>;r(n+-+) z_I?z4d8DNqg0@X&Hb#%GqRDq(br=GE>kQzia|rc0I|R_6I8|-IBE#La>M{gtT5fX- z6zLHh$I$#tuL1e9A_rwk zOps})#EnB}D3RQJX_|431iS-UhPs+Y5Fk(M9Bf2AQ~UO-=3rN&i1}t#XvR-Eqq|DJ z7MLPyi7hi*%arkxIlwB(VStIE+A@u_$9p=>-$~ysF|ttN2f{b8v;o2irwNe>D%iO5 zwP@jKjKC8Y4s0m^hH(%2MI~jupWALJ-k=Kf3flS>L<`|!Hp(WaS=YV%b|QBofBP7Z zJd;l%!Nx{JO`8Q4Sh|E%H*@kJ0I{ab!W%n17k+*o-0JY$KKCu}%U+nTm;UNoHwWcw zxOD@A#<=KyXqM%b(*Q3{jk-8!T1*mj_q9kT)Lc{>q$mpeW^8Q3Y4y z_NQ~KCkx_@i5{!2Ql;#`6Xupu&%p2EWCs>9Vdg0qF_OOaR#Cn`Sol32!nE?D1w2yx zpw>9F2$9LtGe8t8!1*hu*dn{aR#Ba$F68Ctz|`{ksL^BoM`jKfMc^<=dWwErROI$+ zH@9H>s86#r;V8-tavn+JWWTkbhhjfykDQ#?W-q)cP z)b9&Y#q?ySxRo7lmjp`4tyL7isKqX~ILcJP4tpM5GYmLDfUCQ}*RL+G)e=oIcx?w? z_wMvip1`DGsp`(dBuX2gUPAV?a&^p7mo zi0hcBBYS)dQ01o8MEWyqm_Fc~Y3dqxCUyD&;H+giW?)ha6=BIxs3pS>>uC$Tkdq_8 z0-;J(0ut#%=>DD?{fV$4&I_8XxWQ)pI&-<60h(uNMGrni;|<`pA@h&8s(dznXQC1q zk3~;d+yC8OK72t|C(B#8pxY88O==?PogeF$u&5sp3|I;SVoOsJwXA%ar+1}Q|7=T6 zu4Kxg1g7+U@Fv5QWbAUgohrNekaBiu4(WCYP5#K^zJRD6FJmrF@*i;7EqSD~5i<`2bV}X>j$8|hiprDK#U5{|OWKe7 zGUlRtA>?Y)bAmOgRi$kLeKRci)%>Dxg^S6hVZs>k7lYxR{Q6QB5ywzR200uEQd|gD zYN5v6+34O2bh4P)*RftDt)!YItaOCApexVI8Lg69#n!8o`}-1&=WAdp6Bi?UhjS#yK6(DAr zeS~{n2>s%!PHONi8`Rym(kXa%2|z z(5jj?0`V-v{W7M)NsR$j9HnehY%NKR7Q93rNHFjLA-|^< z8{#l7ST*&3RThhH^}0RJl2Seo@ik0lD#ax8a;M3)?NH5zxo=3N$psgds4dN&cB_nf zr#7N5U-e)PTM)|aaq#l_Zs#AALn_k$mQ+g4X8H)_anwoijytlw0rmy+r_JES^#Gt_ zn&W)4Kgn%*p4j6a15b27QzrEr=^B_tdAfzA5Br6T0k4C+ff{ePr>gk1mW9K+YbAiHV?$$5Wn^?hFP8{(S>hZ7V z!D~Eu_~j-9O)Vv=1p z9_Xw{)>`DV`Vb1-YTkPK9=xTD<4+FEn?05U2~SSODSVXVaL8ElVt^xb8|BX)V-Xqm5rN+uZuH4Zqg2l5%G4>qftfU?pKa;*UZ|akT2D&< zxDqk*{3vYZpwPLwFJypy8Cg5BY!&~m-)1>28=m0M$4T6HTKel0`BMSbz>H_%3 zCjF4EgaGE3^vj?~zGayTz$5GDSyrpb8GC`FYX=FFq9Nbe=cU)9BElQP4)Cuifi9al zKQ2q|j%C5|EGZ~E#)pzhtKl|q!!L}zODf9E(u 
zA%af@@5zN82NJ-T&>&THNIrV--;7-;b;$0hKy>9Ir~~HC%r_uEGr}W*JU2`!fI!_f zSYJrFojbpI)&woi3@1h)`1M=Z+_KY&v#MA^&+tu_N{>JzZt$t*b@ox#1^#SiEc{P^ zCUH6Smq0Wx>I@aCGz>O2WpU;`%6fBPQV6L)lXakgL6pZfY;?}!6h z&Ab8rtOT21h~1FYGU`Z_{~#1jHAtZ!94Q=z2G8g{#Z;#xiLid|Q&voAm?O@GJuy|H z;Bld+CCN&ml8cjiP-<<$tqk$R$-*Qm0-n33Z$Gd=NFVl1yBsKdR`TrOeJ6d7zz=az zJMH#)a&5K;2;g{wqZw4ycE;s^!DOn$9~O78CcFlt)&fuus>y)V&BTUW zc6@dU#7)FVaZya8iLurZMOvT|%PuRB&o})3Fd~17fAkzOtyXFaGSzsG4Q#Dd3MK17 z0I+q09;zM}T*n`xBi=QBmy%3M>Mn;NGbLWL=ev39*eYkY{wP*p5VkOjfWr#|7GGby z02w*DlM#{dm@U6R64PYW9A^h zP)Z%##Z%0DV$<<{d%ITm2z2@ynHrTELLqkTNo^=?pfs~>FxU<|W%Ll2UN1N-88In{ z=VQ^Vp7Mp)s+$=Uw7Pul#i-JNNIk^XPi0iKY}N1oeITdCY5jn8Brd7mb%mA17T zE{#yhG_q6#%4|VmHwmJo8TZJ+?cKZA`?A00bRxG~Z^(VCh!!||&B*Ztz4;kCo@XU5 zC(zXBe#0A*eb7Zv0xwpQxw4JpZ z$Sjbp=?hA5r_<@PrC?3Z6>E3YTX0+TRxwaZTz<(Z0>TzV&5pNqQgf5kYgjcV>ZFit zq0}ytuaV+#W;eF0kqvvqp#ckw4>?T}9B)Wb`Yvo4dVHib;u1_v(h)d2)o8D)vdtdb zx~F7Nc1=nxC*^Lb4Z-%FG?Kj&zyre-kt(v?y$)Juf=$Y{vsG)hUCo5lRaSii@_UfQb$5_+SpPyIpgel@fTo>zashKCf`9>tu(cp;3J|q zc#hL8aVC$c*brx-F1h+Ffw%7nRxbO`V-+2!Xa&i60rUxyF9J}o*9bdvYmvA(tCm<2 z;~O8&wi+OoX#nZxREVH!#gQYQ8Q8>#UuRTTIUp5`?x)P~l$rsNdI`Yf$c8W!Bg>ND zO-5SP7>+hy$hOXW9!rqqn6NZ1Tf*Vs`$4hn%skeNh$lEJi?s;;G`rT6SQCN1TSo3H z`KaTh^QmYik!xd;6Y@FeiqAlwu^E+W$f$5u7IT^FnV=sFut|I#Rj!PGER~2UnET%i zc4iTDc>DecWko6KObqsnFHH{%2QsrWI~4eYWbqT3FtwAq2hf-GXzm_({QN5sr04=f zspZExkDrOu@tC?M32+?2i1GY_PBHd&7NdfW2O4i(YHdVwCckCJCM%ejsrC4ScxPur zp&ZBvt(g}M(U@e&(c%_6PhrCVJ)rF$LvCG)O?tD8O)JqyAlYLX+lM|uR0H|!TS*|a zX9F(6ata4MtQWb$JM^o!zxUj<7&@g z#nYgX6-HENfla%J>M2(fkRMJQM749Pd9~L>^^gxyeN&Tipa)yXFtxGQ2GL>*p*W4J zuq;}hDj4U^agb#b3}Yb7u>?Sv9*Qt1i_wUG3m7H+i~ucWzv+V!?hwV+oDJ$W&*H%> z2%14QP&r90N@PXjUfw?;a-={~WZX|@b6ez+r?n+?xG=XA{um0d9CrTzW_-(e5p)s=bA z)9ZuQd&Fr>1PTUT4?c3Y%G#SRZl&ESm5cdwQ8Jk+;;Vsvt9Mb7!Rveyi^}U!d51Xg z#;(186LqD|jLjfNGxC{+@YMZgex#?5(iF^TUP2>gQ#cT~pvae(+%^zbo7^wT z-}E4cuiA;}8{1ar{aKWwJI4R@Uv>}~9X$}Rq5>F>;2G-xb3{H+)@I5lK9^8pSukH_ zP9MkX;Xuae z^Ti_#xx6u+nk{R*W)MCg@w5 
zvD-5~3VG|Rkl|!Ts|-$6t;&ouUNKykZrPq!wuMqIGeMeEfA7_KQV_%X#JT_n-{+?h z5E!QeL93sn`CPQ;10QFSXcJ<69!WUsiO-{`h&14?5;Z$8L$IiEqYXp1#?4xox+(3$ zbFbdqv7xaMbHUvog@g#oPbz&gT*|);81%oD4Y_z#{6iU9Xh|Y!pgDc)zg}$QKb?q( z(wf5uo=5}165`QpsUJEzK;?mPU zo;oO|#`G_hn_fBO0y*i+_}d-HD%^PP-D3zbkX7y zu!R&KLyq8YuDn)N)fpeQ84ubp{XQM>cv)y|U_QkjJEkbAx-Hd?uouu?4B2 zF@Y(=h{UKpU8|;yMypmewJ2LMiVsC`xhS6G)n@D4OoA*YI3=pv1ZfD8AgbZk@anBI zKBXlox_?ABNjH^A3VrsrAlK>ulid z;3Yy2kC5KH;q}+u*&Tq8Qhe?SUkZ8hn*XrTBWc3u7Ev=CvO}Jw&|&hEdHil zWbsz!Zl$kI@HKB$w%`SKT8U$iNnt9Gu(ALtN;%zXnOV}g(bUj$_2fd~=DR!J-1#ob z!P;w4Yj~#P_+h))nOvx?x&c?UQESm@^FnTQs zh~2ZY{b=zxuj?P7OaphFpOQ)bu8F{cx}t1kkSyOZOC^m_RxPGM83oQcFJwyM2lm*R z0HYeD$nu=!yMqTcmWWV6iAyXNg3!N5Vbe#za+|ABW_T?XVTH@&L3ikTY01{YaZe+D z$$qF+%BunSM%Uf51-wp9zZ@lz!Gr-&BVX`AlCcdcTS9e;>a2i4w1s}as~gn9p%&*M z7Xc4oSo^Pd4;!{vm1Ucub5;}y4$h1$42s5mvdXWYyRDCldeb#+KDM9@x( zjy7(;gJm|i`$)3DvSsC$ulUhVi$p`V3z3{SjMK`5{DB_w6c1TOEPXGrupZxbnvkM! zfCawVn++A6~fsI>q(4vhWEgZ#?*TiUC!Afz_3JNZ=_+VHu1a4aBni2VhWs39wj9 zgan-r<@of(TT<_0+=KUc zW|e3fik_~pxnj#-*9#8yR6UJDt}Z-V;<0yZz`- zE5|GCTvjJL-2}Z9Juc|Zn4XZ?kGb;v_2PY6!VUPSZzkX5!iI9^V7_5E}%3*ofB$ln{f^t~@$i)DOhIhLuYH?5d~}N}tMHW22b`y9 zraqDtlgA7*db+4~uX=YcgmP5O5fae26S2Tg(bHC64?R`_N~&VA`G2EMe3in9yoZP)Qv_kHW!3^m1|3{Bn;}6tfGh;B7jy-%@q3 zkV48n^uFPcPRNjy{hg@G*k5`Rg;r#%;Lyluq2;j?FLwo9nK4F^xAH{(K59Ai#GVN~ zNqU5o)jv&YC6TwfSX!-Nxjj-0vCF~`64?A?5}Iw*k1h1GF)Y*z89#}h)>`jT98*Zt z5BkmcO*jymtrvLBki#2R9!$evA+Grg!-MZ-LXnxyl}IEwN5d1|lH zNf68#<`sD)-4lV58p+#Wyi1CD2ig>oRS>6)#aw#YxFcVDjlKOKi_{|#Ysq-5TK4=_ zJ7jf|9-191f+#gf!*c@7WpeV8!vLyGuv-aE~Tix)aK{Usi z=7#gmfHjDyUy^FFN)M@bZ2|S4w46n#yrX;36 zY{V$CXTNvTr&b|Ikn4mxhf7{z5*a>KZ4QHlEfi&GBK+dvh$=j$=L1||E5q9WNPYz? 
zdcZr+zDs;eF|0rf*5USB0v}amh)XnC`lyMJNTU39fgs_6($cpJ6;=Z%?$H-jjc^q$ zVWE1n?*w49<&Or6=)Qr4(q~Z9051CDlR65BQ;D7hekfT2$r7QrQ%>r+P&lZTfjW*z zrRXACuEXeTWHuWEwf#fJuKhfjeXsZ)^v0X1Vn*4!%`OP75aw2ah$$S>$GxZr<>Y?w zzd8I)*jO*4PlTj!=EbcfR{q@&9ObRv_<-p^0uXW0J6}eP_qvP)iCy#!#1r`%j$}S~ zA=KqcGKgbI_Q0#m)kx&FA(MWJJZ6qtreLJkl9knYa%ur^$qjbFk&D2!_o+p@OCj8( z`9qQ#ZaIXiPLkTr(8nD+WT{y})$E<5vf1mo$1cf%yN_^6$LY~(NzJyQ-qPzeBzwq; zT+OsHPtVimv%zPoUp|eN^mMV*N+Q4T%U4I5{^uTLo>j;D1;(uLHj1w>PNVT>85-IfejQVRvSUU^;issLDM?yaN#*ZLm)XyK=cbRtE3{3$# zn-ouh3_GqZpw3{#*D!e1uGKE84mT`+g3i?&amAd0Lg$^Kdz&-6j!;gt&k3X0X)Trl z7fxg+c~kRswk=*XY;3+IZW_2Bx~TI{E4PD#zSkyZb&RgIZBlP{Acp6TR3X@G^t=ei z{SJ!bWnzti$d4e!3%W(W``#4?!0YW=4V(B-8?2p{u?eeybZcdps{8_~b*2#9A%`9K zbn5Pi^$QICHw%a_UvUNRq;?;hQ;sxWyfYKZ+Z-2(PL5f8a8lPsjy;H`jIvdDw${;x zoWth>-i3dBIV+V|$I#RJ3VoTp)6sh+q9GAxEDp!)RZ`BzbY}<3XDodB`1j7Z8nK2H zf6Ym)7Plp7)a1KX?M@hCdBZvEPOYI&E5n-4w?X;;?lPHuUEYzs9UKF>c&oNlNZx-@T@!I=yhi>R4YpH5>~wTjtZsO)`(yRiRr`>_ zcf>`tG_p;V@>RGcPpw`FYSV?Bx3&F!Y7SNpthZ0e!LEU_6>8(RxD`j64zOB zAtJijL!!@qzICQ>XKg4QyD+#Pz`DX+Fj{VLL=ya|#!a~ahwE~_I^~DOGLl0bvnHxM zRZf@5-i#D$-&E_V7};`pF2w)Y3va`071}^;1E%O`w@-80tBI^_=R>|k84u7|nejgH z-bgoif4AZG@G*-8N8j#MH9z>&k2dIskp+M2Z%BMSw!tjpAhX{c7 z=niAN(C&F$$nvy*|ISU~AFqJAX{R>%gJc?yPposR0fEUXCnFlG*A_%u6&C%Z8q_IT zF5Ibl6h1iT2lt$cepAoKtwj|w_{SFB~nkYfEnz{8pPM<@oIsVT%l;GlLK)YkjbN(<-u z`9A8kX{2b{{$3wqf5Pf(eoN>g83*r$h+GJ?eU8{foM)8hWdx01B3?&~ZnjB?--fbSSXV^xA zSnox(troY|s#>(HLrF#N9K4aGCl*F2Ec4g>=2L8)VaD_Du1ObIbWr=nof4n&R+>yq zSu8QcnraOP+-vllp}e?{Q~4Dq|J;hYN=8q_>jQvs;oF%r_q&b9_|CF5PHc;r$}ARJ z6bVN;^pH+3EdYQ#7WtOnDL7ldN#^Zzf;{3YJX6@yJyR+W*j00{n2P#%Cj9yr08|06uadfQKv#Dw*9 ze@#*b?(?-}6-HlOshy-EnTA#ig33>Ps%9Zu@OA(|{$2!7E5di+z;w*s1q#1OO9VJg z3o)gJ1lRRr*lT@B9)B@u#+4 zqt6loJx-3MPMk@~p_NrdRD=0YX1>!1+|OgdSH1f%uYfR{@zbnnLzqItr_tz6Aw?mS zND%podP%(-eKp$%YBSx!sAThYhf;jH;Jr4{{D0I1h`(%Yqp#Qpqd1$=O)UzwTj7wZ z+-TLvvsuXRj6pp&QT_I2Joe#WidCNN_9XL0s&>B?4k|=5 z^S9jsn46UOgj7`necPvUquX~n-nsOx^-Z~KV-X4%2awxZpC1EZkm3*Zy#k?l~krk04kO4(TYoYk#YK@klsi+-Z{O)70zKW#OGk;A7ZWX 
zmc=oWz7ual2!pD?0?p&DdGN<@k@ndp@$#db(7yvWb0rviTf3KdY9WcyS7Xe)8>H(LgJ2Pw|vB54VNb_T|a))t|t zsDy0tYka9j0ssJ$LI4mF42Q$fXfPTPb!8sJr)%ow^^latD2gIRi~&FZ00000000{h z0KSaM=Bi!b!byf+d$s0fnzX4bGoJVetj8gK%!%2AXT^YU59l?5CZ$*=HA{`yh-73ERk!0np;q ztw_hG8T6u4IoWiA^Mwoy(s)W3{oz|K;^iiEI~eKb}fiQXHA zmgn>3+(wRRex{PeFTDnW4(xH=4g2(DY4UBbHllfqk16GjWpL&_H=f}WkuVWazZL9$ z8g>fqTkm14(e!x)nw%76etrv&BF3mccQ0OkQSU|2wr%xg$UKKVc5+;9_D3;XvDck_ zF!E9?TuBJc_0!2pf|AxzV3@eo9ZutsCgI-R*Lcmm%3^LRb@h5Sf8skP0j%}1qVQM8 zYCk!z<|Zr}mvmLgf_8zXfIKSWx07L*4Qa?fr8(eH(EF;~W9#+y$}XXw;}^B|R_Ih0 z#tQTYoZyVcRJ<Ao_)^QPY zynKVfe}L?bgRjQ<2u)HMnd_iK4A+38T#9YJ+l4<3?cowRt-U#v2t?fH-xaT&LNu^O`l$2jnHFnj)2cWkXS{T5o zyms)v1zwUS=sI{n*GDDs2;&pj&$mauCFs^URq`%t>6J920y}<52g_v!D`iwX-c-4B z#y`s~P*Q`39XA)LHsu(;8~;#TLwSYV+Sa#GiNmo;xuTO6$f)t^Ied++a~^Pd(Y67g zPOfRcIy{$nz#9~(c?68G0!W{7R+?NuGo{c(1H21$(_McX`%yeIFNm{u*NA4BuYiBH zH37-*Cvs6FUp6H)d56JVFg)_eZTA5AN2u3BuBx-Pq#v&gXstkJNjmv6G?*HUNEW!yI2tiWG{9SVHW%VfhDsReXR9^_{?SXoKuiXlQ0tEEwbSdUSk|B8k0eY0&S6 zl-N}ybMo&4ePBX8;i4iUHE@JWig{?{;J|wRCO#?GG_C}qP8xYgsb;x`IU2$G-wUAL zR;knV5=V2!z&9Dyp)t~3Jg}xZX&q5($$uKCKqw14wV^WnP2f>n@%jMOTyWE@9bxx- z*ng!|R|FkI>|B0sws^+U1K-TMkW3!?4iX(av|VILOH5u$uiaTrCn3=alV_{E$TqIh zCA^Htq%10W{*&&+NEji?>Xwjys~8)WfV3SgVDUp?uAq?;&yT-|E6vEg`*&5o1|(-t zvkQ|W-C`m&W)|z?@`l%GfvQOu7nZ=8gA(zWFs#eW{+r158yTJkXgyJ&Nki0&4e!;m zw3M=uaCZ_!+g{LEKIc7ZZ47nP{^2}K|KTr+a$RsWK46tQs)IPk4q1F7tGE$2%A0U? 
z(DKT;`pGWOXyeVfLHW=+Hyo$8)ky^--~SR*s!n#B&~z-V_w`~L(87Su`_uG<9m(-0 zcRLa`XT`*@cxCRtU2ZmRro0WXt@z9VN0MmCfAp(&0vnq6f%7dYgVnSZAx6_lwGgC= zgAuM<<@@Q2SeTXndnsYgE^VW`)`e+i#xRU_$51H~^xuBUzMZo8Qwe zN!JncUV4vrxtC+-YM#`i#{TnS{6S0Im5@q_s&)&mWMqf5bRM0vVSjI&?(s5I(d*Wv z?A&So3|iR{1-KA^!I|Q#X&y?pnQ4Z^IQ%Fo%F= z=8lv{G>hg;g|+EX2ZqL_JDjE@DA|B-B!e)ki6n6&Mho$vk})=%%VMSBnK*L^S>}(r zkR$^x$=GV~8pUR|2oc59=>%l87i*~xqK@I2irNP!Jli;dx17S35=J`%8uUsPYpEB+Kz|m1 z3$}?>Q@P;{X3{%A5O-FSx0x55{cVWND{U50q8f`EXC1_1(wM<)z(iW`3y}TjRWVMQ z=!vX~{-XmCR1I5k=7`W1h$b-g_=w%Om0;W_;`l^?4U(r>4BRY3oR=q^*(y^y2DL=( zAG-kw=dqB?7`zbwi(;Pk-(`dxVkU=iTiap z5^FuQh7@@V*l+a2MM;9gjFQ8hOEzF&z#=|~S`an6G#C$|iRAovL2CQ}Cyd3jhf_Wwj-Hu~ElXnL^iD{tgMo|#mPY3(%8 z)02}-5|=^{TdVCzB>>knP$K+VFXtd4HrTQ+!Mvr-%8-?{Lj%Mlrrb`5MQ~u( zxZR7(Pc81*>`KemSnbOWl@tmhV3Z%YVWkc|wuf9LRDiN`88kY31)^2vuY9C6gBGxk z4WcHOz1Qx50(2s4UYolcLqmf?j~V`LYJEVDnLrCWZfs^5VjOXUpwDJdtUr(v8&CK}D$Qeb?iA%RLK6ojXGU2S^uWL^v04lMF~klTSf;JGsBUMv zxTygl!9LrvcAaA=A1I*KISa~}%1?GU4ktqoG&j%uA26EK0dKyUYVB$O+Iu#7$vHCQ z!l7e!yK2Xn0pF|*!fdH?S2C{YYiLlkzdFOtFEEP#uolY158KL*U;DAzDtQ$SnGC7U$e3^lBl7IZXjKfhZ_>`c;f6?JbMMyG~osmfqRf54geKHbz~ z{TCTjm@*^ci1n-UZ4u7LNL_=s@CqJ?T!8*;DKIy(j+2lif;Mcf_8cY7_$5#GW@Glc zlL)(Agu!);IkhIyOfeYvTB{qJoS%w)P+sHfb3AFS8Ed-kkOr0>w#mWiV>**m&zzu? 
zz4nbFGa(qacMFaU$dlN8QrJB)o;41K?6#;@9hKg9+!NR=J_QCiplaHPkAdO!-t3fQ zbTuEip=ExI$J{Vm3U>@>>D{UP3|&9@H98eN1_zW;vG1;jeng*QXu9*^)End~9$~jJ z4e-ASk4Vgy&*W53&g%w>dj|`^wF>LS1u~k&;b8F*brj4ZrX*DyO{O<1<8rA)-pe&# zB!UWQJz0b!c!P6mPlP}!TUKVdI(qkO>CIbHGPWNg>M*Eoxf#evFp!hFIy!0GpM?zf zxrpqs(-Ib2l^=g$nKi_tk2)(|nf|!*0u~kan3wPrc#_R#lHy5n73x?ojXS75XSO;g zVLN0`M^Gxc{!Z1bL{^4v>kzO}aZnn6v#!B?p87}8xEgX|OB^6G%GgulKkL3PI>UxD z>3(#D3%{a0JpFV!!^5Phb&A=f`D1XI-${Z?N&bPn0 z3T%zY?L82T1~#uB;$uySd-=>Myk0HxzBE-*)cey3dd~9TJ1l8}aKaEFF4 zp>OQ=hr|3^RJfE=0}q4TA5my-``BebLc#^M8pusv0k|;_nLZy8tfya^8w(Wi;JkI8hw5nx9oEW`H+`D z>CT(b@#L<{LBTpAS4h&xAfwbz#%l_0J>5T=K3+q`sqoXSvlb|urGHREcAChIzu{$x z8J(O0j;RiT822_2=YB2%zki=QE;$b-fZ)U#AxxUE#}yR{qw#ccY&3#0F+<`G1s>1G zFA!NacjZj)FJLY|!zkeB;4;xk>0e?fI4D*#dxPD~HGl2c4(~Tqk(JOcYfvkoPjPz; z$10vzf>;AGx%|^TX7k_^)VUVrZQG?0W{g^;Zg7AXtEhx_6t8ww#{jrZ(<>6w;74gp zyyxL+s4O1$+2k5INSx0!mxeID+~zcpaBOdIU2)ANT;BT8L&&$EdC6A9F>8H4h9xyz$0#xCzD!tz6{p=W-y-%*u zAcV3i$dkW|YZZX>64fwBKz0dWIZY`7Ljzo+91@`-`PFWNlZ69=C|1BYxKGeMUzrL7 zo$;*$;t}yT!Ib-k@qjg=Pqgx{FsIwpEKRmlbnpWW6t(pz-~TTO5oTxGSV?FsKkM8% z;dW5{y;Mt26$`K7`%W=e4aVxNYrvUqlS}8QpE`N{q^yI70H44%PrL8E#R#|`y+wK{ z?y+3M?+drIO!bMtSW^)5TcOUY@)zpr$g<;(w^7!?%Egrh@RwPfvg326BY(Q%@YrNg zp65bD?}SD0+!x_=mpsH-zVylsOwF}l2}@mU_3oi3O(%9Z$CD4+(UExDQhrlCn|l-) z>g6Y#)W?k#M=6rr4ndFp%mz-Ap|iO$-2dC&BC zAjpY2;Mfzpi#gNWTCbSwZqQ8|y?AzXD#eZ4PI3&ZdpW2LYZ%78?w%PG6SN@CxoDCu zcAj&465e7BcwUiUwxNCIXho24$XW5cV>%{!FQ111qp}>;5C@H566=uiHXx>;GAxpf zuJGSa<-v#NebduG=5A>Y2yzt8C+`1fx@uoEK}$SY68&?t%PD_RifxgK^&n7ntcTg3 zvSz@<96ozsI1*0PKADzztjR7?Y>EH4oc<|l?dj%OZcHJY(#vdGGgqIlntnbG28AO_ zVHf#Rcq~yXI^u@AnpZM`4uV(gLN@M5B6R>>@1Sz zhXISyMUjpf7|zQx-S#-;`yLUmMb+EayR&^j)U^+n5TjYA_)fxy%VUT~w+-QfAr8ZB zby9~&@A~>r^*CwJ&w!{N)1ARXj?QuQ0|@}_w{VRit>=emKXL3!z;F>z%Wn_tC3;^q zCutcLS1jH*V=Qiz|00FiRR;$tLjZ1~v2GUx(c~3t3oufJ%iy?E?L;O7RffgUZus61 zMg*J-Yo195UM*^pyQ~NR45B(e1fHB@QwIxO)w%>vY#pP<_F7)3mZiCt@rDHITziMcoVwHGg>IAD>qj+Ei!ibl_ z`@Gsgd%311nOQAArqzQymfQ%UlepO&MhBT}6nq{DKB}q6y(#DWkInIDA`i^)_0<-l 
zRA1}hZq5qbEja3SDmR=!g=W4qreS?r1NN0QQTyAarfm@x1F|Wiw`I+J(AkAnkIXb; zeftPXsWdwenV`O?JweqBraT<*;uAXw-b(j>rt&VOhFuR8`-=ZJ`zJ8ZPG`^CHnm5KQg%)(qO+O97O(L#M(2F$g}DIsi37O(O&v| znUWwE93X!gm}oiCZ*3xXyJutVh>XK()OPXKDt~I{fW@-pR&2anRM<;{t&!r|`pPes z{jX#U=QpP6CAuYG|1?879@M{vk6;?{LZmKjce;biZ+I6*kHXB0B7D=g#xNSq7VS(5 z(a_l`4euEh8u1&ZB1dV%tgVm{xE4yM*Iw|q;L0IKGZFZ%58EfZ;Ak{?w?-@RYq-Wu z6aL5SQ(B5xVqOeb0*i?V9>*#?M|}v0P|mZlQduo`LqOUqjQ8=Ux7F2o%{nZ{r9hkM zDu!?(C>yOyIWHbG@=dZc#EquKtkg>ULf;GG6pe8&z?_#%LdC3@Oq^KuVV4dt+zlmn zY$+;ATW{j%S!&7S3(1&Q>F0+*l?>?CMzPJQ+vZ_x#8;@vPpV2G`g7+c~FI#Egyb zKEWNc8Bg)Q0`y|+*6uE|-5#0KC$FLSt~2{T#d5PPc?7iGGe^iD_?S+8eXdufnsjFQ zDG?C~hw7+ba4B|p1WuLVw$`IbYnq&9P4v{nQHs~+m+-M#joGYbzk?^#tA4QA$O2VqWW+GRi8&^AD zer^m1>s2f<%yv!&CICJZ&*S{Z$~bEZt0_vhTr27P`kIhMU>O&&n83Hy zAJ(8CIJ7HvRYSkX6-@|lfRa4Y=KGNWiK^LmEoxH9U;Ka`MfFIHO-Z(Cpc{5Ho2-7d z9k?P*mQ9}JDCOL{aj@;m#?D4>Xh;oi?(mRZZnEO=M20sHxrZ~4*z97$ser>3j)HtZ z*dpN$$!WVP)6m6YW&P#Oo8v7A4chq;76vl4oMjs===ee9;#=FVEM1`DyNHdDi^5~0 zO7Q6g9n!S5mQ41Gu5j!Ptte(dtukQq*riDv1G0{x%g^^OXNtojsMtxpSc^_x#yf6D z1LuB!tN*HJ*d4B&zsEkn>h5H@6~=y@OQS8_vY-I|+lkk`5KIJ$MnGZpS;d7(hD=EdtXU$}q~t4quP$o5pv%#Zh&ja1!)0x~*OOs|mQ zH)E9xe#WBt13qL@L*dc&9cWDAU34Z+Ra;JBY_c-O9D5dh7%}9H2ix-hg8xP2K*vi?!6nKKO;hx z*=?fx#}*b?l;GVQmfG-WY%v%6C5Z3N1P!o-M}Xmmhg%$w)SQ*sV4BUR2Xs>fs;1~y z)UbQP*!Aek{Xjpo(7J$>WPG~o(C2jc)hbUyFb0~dzv@ZS7Iyzn0}<79w}TrFP8FsT zd{FsyCnyY>C*6dx^S*zjl!@awiZ^f*2DbI~(kv~}cF zB;SXblE!ajb3?KL87+KE?%*3J*wdOIGt~sCjC$xsfILo%!)3u7-#Z2foBR+J>Sm6Y2$j)Kpg&rr*kwK8N&mCgl z_r205?Rs~2TKBYy5$D6cEj(YU`xh|uu)!JzaYhSCRLnx`TYn;Ujk_MtF^WQ<)Kokw z9>pH1x)LFKGL+NsJNOWrh!iq2|uK-Th*a%?cVU<<}Z7zlILa0p;{5yzO9 z307F?X}qP9DoXYgd}N(6QSsr_JahOXY2AO7SVpS7ik!`pu(iF`#&^^Xy9}TCmuWo8 zC8LP2CY*08o?hHmcvtzT)#2SIx3bsM-l7*Rf8Eq^?P6palwx0@Lm25{FSC@U!y}{k zl$GKNMA3};3zn5;l#-{jO4YhBoviC0U03|LKN8y?RMd&zLMoUS@bFq*1{-QfQVDHO zjh3R)f}w>=aES*jR~Hgt7A<1Bkwb|mVGV_6ACZdSy_%;*RkPd(;&v4f&bXMea7t>7 
zL*GY{7rk-N9q=qrd^}sAOT0bu2&2#$n}d;>9L?F?PDUN3EK-yQKp+b5JDJfL+mf~?g)pDeH_ncS&a*f;yD)m0}KTE>1Q1y_GpBV)YX*jfdlUL{^21Zm!E%?gcBtkM;_-T_Z$T@Q1Q!*V z;BALpRb7sZjloE6J^#-VQWRNO4BWY9jXe6H&nC*efmC2Q|DYHvO=p(R>5=CJAA;N& ze4%Y;oykqAGACm*z;}C`$k5^QBsB}}F{&w7FiuXsisTkSRTawGMnN7K)|8r%;O((| z-_B#5ycmBmt`g-ZK_B5UM0+wN5f-}E%TPk=^LVfdY9S)0lYkBQ=;5m@TpV|64N5du zZm1*%pQ&lLt<`Srzmzmpl92T_Ljw=7*6&al8qgSMGiQ(_yewR08Z7SxEz_7zTU=$k z-?KT$VsoxFL z{fCT8KRn6!r2!~(xfC|@l1AJf$W?ZYH8|alj1ea4(^iV?1RiD|is5eg zqMut66DFhe+iEKYvC0LPYa7X;9SWQL59OiAHpe<`BP(N{QSp~VOvA{)?eZn92vivl z;Q2Vr4_XoL+BwjyA$coHy1lhhp`vegE!qY zamLXDRxwmDuaxJ$;Nyy65)}O+X=vKZ$2l;84P_{SLpP)Rrp5aXt-~tnIRY+lxTP(7 zrmow&1`ZaiJS}ifYs5f|d}Job<$-KR4~RAlnA-$Gq|+c*das7*B!^P-t-xLza^En$ zzb#?RiA-_@!6HVQV4fmtnU5pB>Lwh{QLFHgcsgK(g&g>LFpN(-6F%Zk2~IVq`MI9X zlmh3~9>O-@h|{B3NGox${BMl(`yG7nP41|aDXONJN+L7kpwbWbYt!;Z^zNuk2Of&@ zGFY9QuG{PT8@(wPP*!2$rWIi!PBvj3xJ2Y)yHzBreNR(|mPXtvj(dkshlE1|!?4RO z?2j)CckY-Ca{#1Nfx{2#Hfa8M0)dKy6lmXdXQ!mX9#4Q@>Msw!eb%IHOQQ=lm3qIE z(yk6bw*e%E&9YJfhWA}7L%q*OW7xT1ds&@2zZtRy_cY25|GJYX|4z#*9Kvbzu`|AF z)Npe%*5?oOZRx@q!vie?XMAd=F(7bsnXN5#r|J-8lz2-WG&SL=HE_`!!i=>^(|*85llEyg zt?k63jbXN3E)@cCCLVKvht$kw``y|$@NzGZk1L}Ec|ik0MjMacDBEgNtOY$Nv_H1$ z4ZS$*{Wkc_+aRtwRl3x;S*fRbXS8tL=OyU@P|c2LadVJg9kjWY(X0oQmS0NkwdT-R zaB2OgqrYDDZO=_61p0^18UE^)=TMjOWeOs3Y`z|D7=Kzzcg;{kTZ1M1GR zma=V)eRZ+GfjmpSieZ8mr(ya*=q$avGRAp3qUuBx^?w*HKs|@Ts3$FKhkXD+0Id>* z!JjVrhlT;4{-luMpcA48K0~K8)PB<&fu3GmPnutw3xogA*j5fnYdP^$w`VuC19f|b zRlmmccpoSLCICy?IpX+7yn0V}cY_^(K2bGGyVQsWl-InhxQmRvGxj0K6uT1}1h+Qz z?oYeTJYCI5E;An>uxxY|Rk^OBA=8Eg$|QH9z~O1b#V%R$8P%ZNZpHenGe9OaE?88^ z_IU`ow%C5m+|%TLNx!Ctpp;fFyFmgWte6@VzyNwir=F5NGJQz0ST%s zb?;b&6cNI~Yz%uhi_{2}OG~ksny4!oX>eX(kA@A1xO7|lTR@q~l|G9o^lv%psUE!q zlLZI$scDyb8Hbmy&WKw%c+HI1Hh(YqWcw{cpa_5g;=;JL3o!zEI5`tWl`*z8iR{#9 z9wV#_uoUOLzc^})D^D6i4?`%3)9_!xuM`RS2Uyg7h$oyspS9kO;5oZ~TxHsYi>JXT z4gU{9+3u}OlsP>C)Aj(xzW;NB{js;EhyBYOxLbfciC@?yN3_3Gu7y}f?2Hf#@!Fg%`U-m^|jWNB?1 
z(enn1Fo&$5aSW@o7MD9fPT`y^954-26t{icn^Gk@D}pQ;Cp*8P>i_$&fHH{EJm<*kN`ypSf5oKULO7v*EwMc*xt4{%#!#dC-iNJM-?|)qXBdRHWF)zxT*Y5t^A= z&w9h^D{HAJ5GnMj3r1t7u(2J`{HFIkfVCOdrewn%n~c&a_&UN3Pz6_UJj6sw8Unkb z1S_M1rC{D+wVWCMN6Xiot24D;1vb42u<6&rh>D2l$aETAiyFdXMuC3>2 z(OTF;bBv>>RaY6;-l=70RcsM1hwGM=lW3-IL7@mNjqY2C7o10aFqKHkkD2kSvu$nT z=*q@a6(`7v8{yD`(Xn|BTVl!;wD#OSO&&riQF>41S>%%fA(M6)=nPJ4F3HuTuwjRl ze&>YzRZ=%b`1YOkBz!gDroHxA=lE--RH-KIP%1Hiq($dO%ZHZ7RDj#58Hj(ym;`@n zojxbzSW}8Wb@Qz7MZctDmxNxdrn?*;0B&VOy^4Nz8_3@~7Q0ovRCoL9;@U1rY@Ws{ z84x!(nKzwI6uOGi{mxoI_xuqTpL)lm1V1O}p~1f@1o8nzeP(MLm{WZ+xhT;=yn$c% zdgCmo_&`;sB`1>QVT`po_a_b%uwpB~tCbZ3DW8y6tpi!$+_=vPOpu$or8@wv>0xyO z`%)}01k%nmc>S~&)3KnK0%yHq-+O;#xCu5n%+*pHf&7)Aif6r=@plzys4=YKwUh%u z#$ex$rp`@BvsTk>3i)p^W9lf6k(raMsP?PxkIfvTlQC~SQ;(9UWwIEuIgRxw5a1S1 zLXn8m$fESI`5PMbYnY`}SMMWbDD1S)pXrNFoZG$#fpGQLwJw9E+(Sn<3o#5K!p!>R zLd+Q6z2+VN#XiuuIu|=gcrHpI)Cse(eS~ZeIDDK<_K-g-R6c(RFZL>=l3wDsCg!>{ z7x|m4NSbpZ^RQGNqs^e|_GS-w$Zvv&H06^>l(i2Xyg>y1a>GDi!TkNW07hgQMd#rkbGCz!<-- z8_fxxM5rcbPE+F$Xsz}D-dRSboPVjuZBBu{ZHUc=U+Sgr zU-{dAm&J|6&n8cNNnZz!4@Uhgpgc z!s6v35bUkfAqPCBo9GbJ_~zUR+dqp(PD?dZ4`5UU=kb#SM_FT##S|i|R59!ssV%W( zB(Fyog(Sm=(wf)p(2pqodXBi+xaC#^4YRuq7f$yfk*mA(f+`e@=4+ty(RMr4ysT~z zF#&ykiG#YMaeVm7+B0+6Zu#Q^W~n<^W8}y>on_C0KLyx~vICQTClo-uv6RZNzUE=~ z-;4_*?aKK{^M^~V&A*StRf5$KS)J*UOIilxhgXFC`6?f2DVa^HJF=LbZqrMsZj5(2tn*oBU|q zJ$EJaclZ=0Dvy>4SzlzYLd%%euv~`$LSe!=bNv|G-r7<^l%{_cH>L;@o;+@V#j@?VU`QN93>$+ zjahi*EI2x@lu+8enAb=RCSh^Q^ps*O7Vp2uB39t>EgQul zR^x_XPlPt2389Vp-@k*%2ZNpl-BXNNRw~=LBXnm*Z&e*fZ25K;wpV{QJe0e`Q66CaOvgd-=^9VmvZ%*;D-nZ_xVW(APs161x zRx6rxO`YNOc_D)2>wM190G7k*qRIZaV*6!OCBN$`*B|r+ygBHd0Fpk}KFA0+n@@xZ z@R+^q?WtcJU`RQy>TQgp!v$d+xxU62;w?q$rO05EIpTPa!tR7FeZRVcX1oF&$faTW zzWo1J`ly0Md~^y`g!LGvhHZ5blZh%!-VJm-23BS>WErU$bfGN|!pRE07(B1_U#~)a zI@7=X1pi2*JUO1&wpg?8Cyyi?*|XZ1PVX zTjRVO2~a2V`q76Up(Tv6@*cP?_K(kQKWYuDbhj1rRI!*Nq_$i539d5MrBc=l%(D&uNKIj83_EUfa@$XC6s8`fQZyn&m6 z(4ZsFv=6wu`-U0E_00f^7bS@Fd_X9Vr?W7LXr;F;ncf4Jd7ii7xTz#bmsXQJ&sbN* 
z0C5VjcP#swz!~+1Vgt^}Xylv)v-9Sw1D8*m2g(Bo`?)u#lG2eaoc+niy}#g*dL|skwS>S zcRr&K!Be;eBXp;|P|_^~k+ObD14Jl+Gke{Juc5Mw+(GMw8M^H$$b=iy=t5{Irh*U? z9{EGWct9P(F~2!q;e6r(uBb?jERl%V%Wl9!07%bb13?jG=ZmlD zYKe$x_FK4ep}y{Ohx4T!$7qK2A$Q)rC3}7Svs%Akb`6-#Vyl0b)og_J5j++*B*SNj zVPkm`#XIh;-l3?&AF(LO(dF!2xtzvvC)b9TYv%O6^r=4!n0bTiO?X9vFiBoZb8e}M zZDMLCC?@i|nnIupIQcdEZH+MKfR=-&)3lSF71OMWg1AwjcvOp1R~i8^@mNze(`9lM zA>eqMwv;l}XC+W=yoUDV?f z`O0a1lA=uH1|IG zP=*egX=<)q;E)n)yf-36(d~)DB_Qx|HOqAy@|XQ?PBHqP9VxQd3MVK59iR}nhvb;t za>(Qm^r&%i&ftR?^2KUiQ#g@m3uQna?K~WkpaX^m)l@6x*Yxk}enMac^?+hz=d+24 z;!g_;rds@(Yx- zDlU{`0h}7f%^%IZYJ81^rJSi1$_`(LE1O40NB=x}RINBj9CnE6x!VOY^F(;c!YA56i zOaOQ+1WRaobD;b5-eN4nC?Ycfbq+xMXOfi3;u5bv!O~9lQg2VftypJk5=P&x${}pX zNv#@LuD5y54_e^lJL=r@;}(JXug5cn;#Wo`n|Hv21DAbVs`%M77Q!{;xhx=;j01>r zVlLouGQs;e--cdi?VZwYpYR#_WY4S|`x3v=XKDjZBpyj~BmRU^oi>ME#O^c3^C{_b zK)5G^Hti4i78&s%=&%mOU3+ZV}4)E{OF1vi~@V&wY$|2~TSGwIIV z1aK+4)MURk-Pxsqx;JYiI$D*#ciJQdmuFatbEMSp?3>X(AC~)8?{oqdH?OJJB=wl@ zVO{MGJJWA2S*m~mW!vqk%*L)>^i{?5DNmTZ|MG}S?wipGkGR$aO#2QHO0% z!6>G41X`vmB4-EDaDSQ+LjCP-j)pyQsKVh*8a~t$B?*$eAT4Kbdzc5~u@m!{IFxfP zDPd?2o(hqb93s|sfJ`=L>~*HO43iF>9DGB^@sD(*d3~IdgBVt~sayl#(I>m*91XSQ9u*YKWMq$K&7hytoekG+ zdZWqS>wO#wF$W_B#fL0*6ifqBAePUy;SQ+S6J<%BW1;00pPaA7C>c5)Gg{A&^pP>;S9`i8)V00g2;tCj zan2$xT#pKF%Mi3<4(AJEB03|^3lyh#!b_UeKVRMrf9?VpwAJ`-=uFEr1FR3}H}C%` zMfN-$bSCU4PJ78cHjt^634W-{LydTf&x#L~V>d=PeK=%@$DW>4-6-q`{%H3V zz23s_U}x}XFlHi+6R@j>!4i)B{EVeVLetm=DCUPS*&%J}9nTnuL;X%HeqikD`Hh~X zCzZ1MgYQUB(R)TKJ_d{!IJ-hcPOk&%S&EgW-1wj&N~YL%Bc;4G)PDkZgF8S{zq65( zrH80?`mMJpX=M=sB7N0c)I_}rVoBfX84Ihep*-HSdPSYMmmn(Xt6s5YwjIjGo2%!j zh7tMu}RM2q4m5J)%n3t2mT5s$Q|M+9pNE8>-hR33?Gkk{;_F zD@I$POuV^zj*7UqAR_5o^n?k|vZW2ml)Cy<3Hau~!kMGnBM~&gff2(WzbpK_ zHTwJ6G04+%o@w_`^FFl8G-iAlDYXilB%NLrB#31=s%8KJd(_Q*$;(Q065nL5h*#c( z7=!i92v+(_Oe_yKoh%+E)tYCO9PRl@bC2_8(!Ft0TB_rKf}%GM*s0!=ywZLGiL#b)yw5Jp;M$A@-t3>Ry;~QS#Y9%n0rt|)kban;g#}K~+<(;qyH%Gd z=we2|+i3}Ms*m%4G@!pP!{a?IWBA6N%(5At1j)rJeGd#AmuJayqr+VH=5S`fh54(0 
zQ^P`I8@F(g743y1C4l;X3YIU$`gUQP1rnnmw&hQ(m{%rIkbk|yJzS=wTQ|B23j7J- z(26hD;?6d`M!C0}>|JfmBuB!Xq7*-qK|;ncV<>uHacc7$XP%FxIMuGf6!JsPS-50b zq{oGk3<(=wUM2HIvo%ybkSpzho)JXQ`AkuR3!LRJam?&YW(tta@l)KlRW>x&){sQB z;cIG}TfmJf(j_)+f!r`FVupu~*e zn|D05kN}5GrAp<7q70PV8g^Q3tvqgqJa03?pWsEmzcC&B8w6ahz+d!+D_7)cY!V>u zk9|STww_$2!yR8F03KJOeB`+C!CtOPvW=-2qrw!ushKxIAHWfY ztZ0#0Od}?KTj)?rbd=20&M$3=vza8ZgZLM{YsE9W(WC%kG7SV_QxM66*kE}mbk+EU zzbB7*UMb1*CDGiAYyEG~(pZ3>GDo2hkL>Db>6Jo2a9WC~On-AqG z`S(iu&Bo40JA_-Ag*F!i`_<$lIc9*sNT8ci`3H7opr{4|eDtN}x=0ikAjkPZDBY*1 zpEB;j?#{+^O;9WUT$*nwXZB;#^iukF!wA9;kN@m-Ph=RIg0RTBqLZMY(T>Te#$*l1 zy`7xN=u7@&kDXCyyq7*(K8AJ2d_iwO*3L}w!E}#>StYU+%bdoeOMjQ+zeU}UQKed= z2qnnr03^h{|J%L?S`X=>t?jYi@d_Z}+iS!D3VNFSb6TB=h9aoBoL@GlK=pRshK-RQ zu+HI;0~JaZ#Eb{RTQ`Ge0Oqh^RS=n(;$;^#j9Y75Pjj8|RBTNQR4;~9437}J3In0e zErIEI?V}JLBpCO;6C}f%3JvVi&Pc(krt%=c7OQBeO&e|jBY#=&Q{d!=sLuZ2dWMg8 zQ=kpVM}2%Yalq@;(oX*r$J*l&2&5&$2(iYISc1r#@SprDM=7pO!b5uu}+jKyfY!u^rR_uk9ZF)Zp{hw@`os9cT56az} zve}j0CK5QAavmjch)M1Z=sB+OsXV2y1@P@DBD2?Nyw$ndp?!v6?$I&}&Rkork$Yr3 zca%`wAoKw>{lH0mW@~@4vxeV39N4&F9MK!AGg^DuBQ(;)3`4k12sZGBXFD9a2zF+5 zEZB`D%LpSInebme*yVcX(~q3d*Bzi3YS@f1!yB=pHj+LRYf#|+S=tK;zTx_od3!(j{=wXlDh%JZ185vVhUn|RXMR83DAoneP)a~P>wESnuf?q?KzgPqFOUPxjLKv_GNvIoH@GAXj9iI8%Bb%%YmdXQW}gv5 zA3q=?8VwFG?omaSKfRewUd5On1)9UQ9LFeL^VrX;Sioj96bOI%qy#TJNCRJeI*v&f zApzb`CEB&@p3K1(Yc6}f0&-@nuD8N9kI@jhjQhYI$hguGC)tY&`2 zQr$;wN;xVY zqb4TqzZ`;9vn?L)i?2#(@RRbNMnwl7Z!?c@BPQ<|R4!65yN80N%jzu&EousW8@^9c?Tn5~iGTJnN^1dqG9;EuNk(*?Fj>`%5Gfj#^SdS=s` zEoXd6hc(OwKlpGAnd{E)=V1g>8n|+R(~4n} zLN(yy@~`b)&!4wT4+00D+dRtHrqkQcybr`jRv2IJU@-B45o@`E^W4hkV-7}O9?S=P ziN^k7S+Kr|a$zn*26ynN3HSVe{Sf}4flS!jHE*^C0sg_tK-~b6iLSY%0W0$~GipW- zr$$@5FWVM~cpOG$A9ZOr9rdb{4FV{_1N|Dn6aPxk)n18s9p{D&`_k36o9dWc6_vpD-U()cHD!s$Z$&^%@__Ts{r)^g-&I%-!|x>jDk?@)pNmR{*f!=V5vA zkMNiXhPjX<$PaXM6D8x^n03~tUw(5Aa3Trr_H}}l5AB2&jyjM1F+A<>!jLxDf7 zpkrB2_luXYg+>W~Ns}|H{_I*a^ER;cT~VZ(rK@|Ihn{@HpZE1d`MJWWN|elLY3hVt zTr(+-BVC(*v2wEw=pmuMwz#@Mx=7k-6nmRs0F!>r+bGAA{&px#@Y25wibVIWRFu7A 
z);7uyy3^(h17~O$c=@JEhI)$}1Pk4t3!Awi;}tDnzm$5S^PNeotz*YRoLNBbqew%; z@uh@4K_GVrzRGelcBk_*aIYV|Z}rO%^IJ6?azHfOcn>pmsKkf@v46 zThgWVyqH<>X~C?eyCOSex&XOCBco%49Bb4Qk7pWcR7408lglCjEHkYH;IDJ^GfR8c z)AwP+efE?s-buRlAlt(+Pd;8auCJ4YZ^cqEhmvH`DQZqpkQXUU?XlB!-5=7vLGgW) zZ(s}X&s%~g&UAx^=*$p49F*$1lT&FwVAvluLPU4ShQIM8GSaL&mjwCTxf34HygUQS z4&p`Lx`I78F``nw9;VS<+iJ9529AZH>9be-XDO0J-i6rStga7!XGq_UCSpt48?5_JV>D6)rj@fU-L#Lm+9aCaWN5n1-;~B+{yp@(7IB%9EhQ3YoGD@2>KX z{}U(*`I|*lvJ<4{w=4Q8fLUX>n>qZ}0hfZq z)!ciuoEf~}&IMJevI1gUpMa56BzSJW)92c@g6C+!yomvPs5^8G_RM0+Ak>M6k)JmwrvmFkk-C@ zjJ?lnY%HR5*7Wi&LR+L5bkXVR*04C~TC3~4<~Ud5CEcJdZ`Ip1floYwGKP}mQGmQF zBa%7X3lqzO0Bf>SNtkFqIB9ZQpIImO6S~D8cSiIJGeER=7;GE!VXd*-v=~U@lt+kG zPARcHK?JmdPf%otnHz8>+SL>rV81am{O04N#oFdZN9{tDK$Jl~3Wj5&*d6AcHDz}Y zrsY{al36g->hmvu$vMTe7b($DfnFZQtfl|cHHLC_>ww_jzB?&8tighPen&u!RBb2d z?P%coX>Q+qCjgEpx10@>Tk5<01YZr zSvDWX^b~JBG<;PV&{9==M-JRcpJLWgKIc*ttGJP=kiqF(EgH^PIWJgD<;XqA$D=%X z7q1$9n@9D%$B(*+=_Cj}Ms#VtG4Wne;EHTNCJdOe9gpWRQk{WWSQYsj6T0@7ft$@a zN5mvNQ8~%_GG*WfLy$q;!zed5T^!ubIdlSPno%1p$}lJm330H}}HIFEVwL}LoUFC)N1;T6b~Sxk{R#z5l9{LYVqs*%BMBzkSe zct{N1N+^4W2g-x^_ozxdhcn8~&-mS-7-Y}YD$!&>o8r!Oc<6*q`TM_&Fm}R<^@+$I z#daRI6&OOcN;{o+{nlF>&vCXH%b^6vtL|?(Jwor!ZSNA8VJ0OvEf;*2iB#TbN66)1 zY5m#xCW`hZ!4s>37|mB-JN%+%w-$Skg8`Z9s9PuM_E`wz(1d+GMkE&7W~d3DRQZZm zBLL3&Og)aU>{H%}MLY+i4hz8xS_+ii^p{v(qk_LhCPXuc(a4Uh{fuBnJ+KH9UD42Wh9$nzdO|P5s9!h9H6Mh4 zBHgs5p0XIq;dmJgO9VM<+_i9d&fI_tmJSzX_rh{|igt&=u&8iEdgo;@6x`FWhSBwJ zs7nieo@3;gL0B4JM<|>?x)=j^*`aW~UnNHbBJ)sDb8r#_az5_px~X`;&?JHs!}wAP zj=`nwvani}-f{y{mKOZ48f5izn{NfLUjB=S3s&E0{7y43^&vy^5B_87{2ht-b2(1>1*k z>8FcJU2!s-ZkU@S&Bs@X z#%mf2p5^;A$IPA)R)qhzDgc z1Oo>xTtXb8Az_f2swp2$wWP;?wWsG-!#WQ@ zzHNI4-w@&u>=0}!@GXDi#GEf-5E>sp3&UUl$UH3o#l@EbUc?T+PAtWz!Js0A8b2t} zAY#A7iG_)YPgpJD#J#;ey|>Ky7RIr+F}eUZpw3ykx|f4=46#YlD>`1l!zVp}B4Psa z2#PkHW%9N$VqczXkG%vB5Zj{rK#h`8~GXa%`>$3BcLpp|sp5c^4 z`WTmP?}#V&dV|5}>zMbIK%M=qWsXcu*90f&MB_x@9K+;y^*z8JB?{W0{K)6TzVt~B zQC;WZ3+qJuNT1C}Qz66qtrLhh4I<)L%w^z+F0z&JgTT*F4Ryja6FhSYQ?gNjmEvZH 
zPHK(zy=NlQiXyW^PmM5K>L|-}%ZO$!B=BRF49Gdcij&xZFZ+roi3v4+&w7L zcLr))#MupaZQF<086#-HlC+$>p>ZwU8Tt!2*=}ofDC@biWj-(n`&kJ>t@u{y?3uSwbl{vay4E9Yf68!&BkZfvS~T*gj0D@wUsS@GdMAa@KYvf;%9cU}im>ckfAkj9ju8s!6uaL^-LJ{_Gb9Kle zd9P0RtRatM#tQgOwF1(z8t5ZX_=HXFY5Rc##J!a&Fa+H|`_AH)0R-C&%_I5H#Ec#2 zFdU6QO>C0dGM6^6U#{D#B@Hs5J)NPkAiRS37QORqO^S`!0G{ z7cF_k-02D}h7mwGq;BuKcY(t1@zu52)phsk2-99|YFxB!UzEO?S31}0#%y7Y=)}#2 zAjy(V^#&>&Rd})AyZ}G#n1G0JAC`NZ(`SuhYk+2GYhWz}4(+E_7Nq%G@o>L3)V|my z{}J?40_Kyg@@TMLdp*&taAvGw)^3T+bjaFRwvry z+j>ePhJiH(brvVw;wQOq1;Yl8OhB0aS43k7E(ZgM{1{&S&Oym*o?~nflwlZRE=U|0 z$CaOx{rmxhvE7lx`jl%AtnJ1F#e=nD0m~sLRU6_uKYYg--{m{pxqBqM9=)uYY@#5lp>N~A@SK=1%h#{s`R zrT3@gcYo|HNaAn>PGPF&!R?W+Mo>yOaY^IIsu3+7-pm6oSS8>perQ;b#Ni67!qkJ? zBcD{>iAx%it43Dfp_qZdWfIE-d<7#4Ew!Ra{e%=23#;uLyk25;uxDZMGq@d#H@M>@ zD!9nWgtMa{2WpqQ$JXQHj`hSYxPyuT54dDqt=feP)h?c%`U&EQ57#TFiZ==6$`oVQ z32%EZD8WGXIK1~n6)rnMIXmANOs*{scRG0en1|}$q2HH>-l$)6K;nhOU=rBg3M`OJ zDmXE;`-~>U<$S)9#Tf-E%N1b1nxw9v{;N^imeU~N&qE0G+^wrMY)#$?n4`f#NE7VYsK5?vr*^I~FKoN%M6P};#g zM&jaWe1EBcT|Ax0x&{WfyEMeVp29psY0kSBZxza!30zG0FHmz`bcMvrPX*!LW6xi3 z&rrW|S$`niuP&g&T>7 z6%fenfh0?2-b{eHLm9`!2bjNi9ACn{Hf)DzGY|PQ!F}3ukOo1PJB_uvHLNpznpVpO zVMZHrFBqcBTApBmtuz34FcjNHX#Z38fVs#%1o`r$8=Jzqn2&y-==do~K>w%qT1^LY z46)GQV!N?N-2ZS1qia{GfWDot<8*8QGF)~bbl|VUI)M-%K`4ua*B3eK+UePVdNP=T z&IyYrJAq6brZ(1b6`)*e>?w$w_O0WfZuWJ323k7A{O(a0{H42(3{<{A&XZSxJzex= zLd&*<$!~Fok_9HQ&I1@IWKd!h_{%ZlhSXfoW{<_N6%>Ma7w}sfU1q<`GxLEWp@ww= z%K^5niyaODo9Zqj?7D1jE-~P!W7m+ziAwk8s6PmL-3}Z;bWzG~P}#z@5`}%Zb8efH zPE+cV3%VqT^Y@qrFJ$CEbT7wEXVPhw%3X7&-phaEg=>xjzH!G@`|A2=x>hc!0k&2X zMoG}z_0H8rpqIGeqfUYAA(|a8r5{P1zsXeni=#OqCMX%-Q%y&yT@%lD4$=9|zD?hG zrA)zfkZ{-B{NAN2Nk`o(X$~kI_w>tesP0&ssrx#MKK?NH+>M!{^JID#{C@4zRWcm+ zF#`@Wf1j59iG69sX&dJr>2BNd0Kyvp-_c?~`+v;XHX_iyRCri-lp*-&64}}2$BOHd zBwzighj@JR_x8HlGUnglJ(p`WaLdPY)PxxLb$fMnMJ)CV>kJpfmjrhSqDD6~G;Jm< zPs9qR^9`u=njqT_KJq?$7zyoldTn#ot@uxEpVc>$;sARNqs zr1W`;vm0v8N0+38Y%ORb6K6$G*UmtaAIUWi7a6+%=}tgzq=;|ZqaOkXvRJs1^Z{3> 
ztO8&mxbT+)vJ!;DKej;@Xh_1M2;}M!B}6He@KyVutv!uuk>)Vg$UUkrS`7eRste4~ zOSQ*9g@j%+7}Jly>!rzdv`8e-&Ir3!n9J$tueDr<=!^U;ZEu#fW0BAyc6?)?Lf#${ z620~J@ghidcy07v+l02542Bw{mSqbE=u`Pqi}5&q!=C%EgdF99i@!LsKHkSU8mhP+!|x9 zp3|hz;TMnLY)(mgCS1gPSTaKmzH$D4-eerQ`A@fRP z^0|f)L>S*k&4tJhx-IWg*O{S{?8k4k@p6EI{YH>AVWM1`W#t};`eOwAju~H&L_K?0az^3DQVt|B>Z<8yB+12 zH0@n#5(|8%4>2BEj3OgYD%_4R3g||O=NU;oqssIY8J%nC<<+-l6Zh7lF{r_7@WW!^}Z1So7spZn%yx^}{>-5VMW(#(}q zk=@MG_nC{VL;~Vn;ON4)HD`E|z{@XSEN9;RYgTNV8L>l_ke!?_tdX@jsKVR65?P$k zxvEveo+r6b*k;PE^}Rh#X7IVw8+~cx98ti42)8MmtQ_)Sw81h^v_t^`2ZH9UUA7Z9 zl&f%3ezJz#P#_gRhH?jJbbHfJ>vRZD$fba#juod#5n1h3FpQ%$Al)*O$d9`;jC1^i z5-o2*Pko?nSfFFUPYHX_wItJf!*H4flo8otvPHRYHQVT3gIvMs_2#^0%*yHo#c!Ig z&S^iy)eO?zL`et>Nx&Y_%O0{_74XA)Q~}8rvm4d+T3%z^xIh42(K7HJ&LF8Mc(=fR z(@WroRmPx|m|DqAgj1Qc5#daitRK#$MEy%H9DQ17IQ=n~X=Z71C!&FABa;hHKVX0J zIrWw8&?KwyAImS|o#b?I0;8~l9{YJIFMFp zLCtLQoQuz4NWUDS#p!lwD!TB2;6I1zBEB)nS5;S-#c^<&@)B22H#}jKi!9sEVN^^_ ztq1!7@?Wp_5h8tl>BazLqDbfFiBvMyZcwKVSop*WRY52}&Zk$>8C^UVX|9C2zVhTy zAl*7}P9PL-E1O2Zt`VAM_;@p`7cSKKV;gbVE>7VOM4^na$2lZC#ZL!AXHN<-@Q*@+ zXy)SU>YYAUjA+4EN*K?md&t4xwRvEr&KVWFlZyK?3;y9W?%5o*$q}8EZC6X}t@EFw z4A*VtE{A_ZpY|v2-qG103?C^qSPaGyr2Y{b{Z*hCg(QIi2y-_+mrR+^B1?`1mr|PG z(unJ-40}^w&D&ZL1`zEMvQqJ#O?r>+D_JWzkPCGQ_>}e(zpr}y(T7$!oL1T#ZK=Ov zOcYi-TrF?vI@yCa1bnUDIcSs7&bV488;WLZeDRS32ix`xC6`a!)=)s}^`~^y+ZGC? 
zVszXk?RuC6ReaI4R#{JP#z=~7Duzf<$$Poz$`$a5wdxP)3i%gC!+ESoIP0#JZ!ZwS zE#pPk4hoTO>(3Y$PTUr-xaklTC9#EHl0aFl0Z>BngvVaXV=rHAx=_l#&7vTME0Pc7*$JCW=0T0f$C_>Y6UL zfWf(3CdPn)12P%|Jv!iBWf<%ksBBA49i}-6%j$tYYhIvXoM9XTJa)QTda5us|IXXl z!7u~4_{U~Fu7uBmb+LZ&RHDusf(YOCc2^s?>S~a>2H;kL8bHBgc19Xej15yhhy|X3 zoAd9jEJUfc-pBelX~{0qg;1BzwYWFUv02u|{aq7zVVWVqqbSx33%(3xQuy@a7x4Z= z#|WaIXM7xY;-|r|G{Ks}bdu|uJ965?GtO43Mq0X~NfCry6oos4TL2I12mrt162tE4 zX0z(Rd2Pm?C8E$iac51EM-k~55f%V=ReHSC4;&@+Ep_%|FPuIOLAdp78h4{h_uLIs z1p=@6hxo#whgtwEFL>`pz+=K^R3?Y*75LZ&IrR(?9w1Kf}b+xN}-3tgmwBJBLu0$TMUc0y$sX` z;A$BECp(&Sxc{oZQ;6S9>#%v31q$(V_*huw@!0I?sr*+7v?c~i+lSR*C=z}`8WLfzo8wu$yNUA^YD=#^NS`uR33Rs@y zdsuZO(^H_3T5Yv!s5k0M+A%Y{R+y3xhBo5m*IYs?HEgSbQxO$%(5yVK2rK?K1*ml> zl_|2cvw8zSiXaf-o1Dh))uB{=C|2EL?&O7W{=4DP04f~*se>-e0Ei@m9H>aiwTi&k z5mLcCI>|xZva|nKnLep;q3Vm~^x9QJx*V%paUj(jkcCT_sW*c=H#X2kNIwu%e8sxo z){zfy&A4w8PwT&6IvmoPSS5q5gso4i0O?~T!nn7%S-F(O0CcECN5Z((A zuZefk#S*ignfV$h0Qe2dF2NcgZR}@K#8{LAD%8rlcn{$4@^s&D7r`<;kV0j*X3erY z+S3KeNMU|sAbk#K^*+I{0+r?=Iju z6v$9>JnzRPZ%7Om*w{j)JhV*;kc09iaJ)j?52NH?t}b=Swns-85leKgnDg}nt=d9J3nyaof!NPUFnid3P`ImCJcv2@jO;!vjyJ$+* z-#c;=s3~>3M>+289b6Zm%I*1^!_iZ+yTH7)JVSKn^&2(z$?G(J!u)nn>?&SX5;+MvtN zlvN2lAhyWWYQ2i$r*y}ou;31tBy*^}O|2XrolUJAIT`?n^TI4K1NDJgY1AT>^JN6vX=3_+)9PwYxX=^2+eufdq%?FEqRdZUnc`p9|&s@nWG z@_=<3Aa}Ve>z--Y0VKU6iUm5_4!x(HfI>xEE*K6pPfn2ELk z>7dB^`Jk1Db%^!IS{GC__PLuhu8z!6%I=}>+De5pPtYFTuO+w*=$BlWIw`K;F07Ik zxd8bzLE#y{!yO(aRv~8`<#RSLXY+Xa0SyH~9u2-tk^+O5kFKAD?9fcIy24BT>pt{LCpZDHlvVA4VrB)ds)9Z;c`2V{fz)rdQS3lJYOD%IM_inQL0 zJ9yn-ZVO!iKC1(inD05H3g9vg-T_9_-0{l6ul&zu$L9Os>A_anD!_pRE?}@RHq#s` zjPwQyqqsmp3NyiNJ}FVE$Y`m(w}mlK`&A=5mjqdd(LMof1$%-4O30oFU<(e0GmwU1 z%rFJl0r*uHckdE7ehd-7bPcSK3wMvhM?y`;Ymt<_#9n*b#HXy}Z;u4yA-4Ql60NmS zIPZBSY^{gM@6tAMBka%3(oC-7M!(a<+-aTR2V!6R46fe}$F2^7nG?C~0X z28pyJPM|=b)w>_re2X~Pb1@VMqqH_m(n;}l{19~IhCkksk*18r5s%_7@cWrF5Dk82 zZdF@?TQ!K{gd9*y;;jy&;)d-gVRUttRC{4Mv)G=_8vW>oc(Iv4lfsj0Ac07u8yF-j 
zL*tg}Y4>IUx~a>7UO+BX+W_k(bAitlf?|~Lf2OvykSvoq9<-pLA9vO_F=K&Nd2z0i=3Vmd>%x#Uo$AWI2y2!=_e15z5IcCIS=uL%bQdkOa!@)VFTB z8)NqgHKFt8hz8tgp*Bvtn!tn^MmQymuz*x*@DvCdAQ}g}zDG3;53$6sNx=q~H?=mj zl?+=BjY|rl-+6>C5A$!NB%jF0L`^sV)=mGt(IX?nmd#+M-qr9hUP=oFwD;M#r${{SFP$VxCF7V}y zk|4l}dU6U0rQ|8Ri*S}!wgrI8up?-nt?I}@_%0B({8^v(QP{P5a4NK5k4?m~W&>EW zVF|RjyIvY}BPKK*R%oc;D51q(qg%s%YcYkXF{x16z*1ez-#tDlA5IH}igj%>sow)@=9R?2RKGauX=j6+@nXkg+h}Um%bP3*! zMZbn6_O8AmNdNu0w^z&^?VS}Rd`SPQCEnGbQR;nwYpYbc{yFx=$@Hl7r3!vhyKmFv7^Fo z9Wj2v--b<}@ z8Rf~Hj;<3wk__ar(@>ow-3TJmvKSTY+5nXkyef*(a~l z0RzleT~2h^RkFa7o8fY?dvnP-8SAu)qHfF=^56nkDEkm`SEI|uyV)d*Cpxdn8yRd1 z96w99j``MR4u=D-I%tqMZU+<1GegI{A^>v^oVGg9E5@^b&}x3X+Nu;#>0gItJKUKS zA{s6iVlMB_ytZ^dopWU5nT=?OGAE9(PD9Nopwm{zEdsO$9wBvJW!74}LtIDwcIZ^TMO@dh7oLZ+AVyudV) z+J+AMf4_5doswqRR9f&eIsLNg{5{%XJUZ8rNLGybV$G!|vIvi*M-Jg7t4>UQJ>A_M zYz?>`p*C;akHgNUnJKSKM1%k)>2bvpSR>QN5CrY4i=#w$8JUWHr|DXNP11-s|VU2M*#eh^pI73~bL=-zyZn5-OiIM4j2k_9<$hx9X5c zLJ0s5ygYH|OJOH7VnwNl^}RThL|#BlSRLliucC-*Bk|UI2E?~3TV3qp0~@nS05Sl} z93QgB4f(XB?nnahZ@G!oY#?^Ns%j8VS1q+M%)>Gho?g_4qHX9(tEvv?fT;a7S{QUGnk`XHk_fr~g*#2_kLiSHRF>1oA#h(y;WGfz> zDp{z|Od(kNuG?8lk8aon&3RamIk~~t>{HvADwojUEhNxgv-w$J5VQ6 z@!L@VJ3z$05}*}g=Nfe-p3kdl{;ll4V{YGNBj?flx6o}Uz#A#GNnM0B@KzxPwX`?! 
zTQXiu8=6U+ZvEcrXQw^h_Mpcr`Fqd6@l5usEI@QdL*rJ&obzx4F=!CdDB9=ip4X{Z zJ1mPW3dYKAVSQsm0X4S0h z#=h8Z127r+g}dpE!sQW-wv`D+y0E11Hp4X~q%8<63fik5mt0rKOte>% zhvZ8AI3PJE>j-Gq(3`R?znV`(HLM~0?TM|qSW`c9&je+oE(>L{@`OJkOV)vjeO(%i zEnSyRORm@E5=DAf^DO09_=B=@AG*-?KE$lx&SCMkVTH34wo8Hg1Wt)cOEYlNUN#o0 zJSt+2wk2QYDe=rH$nzi!&omYinE@IHf;AS0!%l0J;~3G+el-CW(#4$M?thxMUcy4YaZ z&w@TjvG61{+~a*C`;%KrtvNLmfEkQ6V5T)ggZRrCvj@(O8T%{<#P1|R{z=RIS`p~L zRuMw>>C_ZEiWztY%G?dT=Otq*Ts22Y;FKJyML2v~Hwsd3>DRRt!gCWhiX}WR`9Yl| zgci!Y6y{VYKkcvUx@@CgnRlq1PO`(=$Q}4-UMf@7*B+H4lv<+V&OOaGbm5M93VTv> zUZx7yS-UIMN}!af&iUG0MD7i-yLt@qPM3i>21raQ-Yac z*QC6bX)f3?qoSTupsB-TRoDFsCRbxZA8{vvQoLF%)XLN(}cB71Mauu-lD?p2E*`|i8#9Uor!7as?FXjK;dlgT;d zcZ!Dr?kQN7scDjAD`skVREUdJ-LKceJ;LA*zaJrx%=vX$f8<1uRbuNMaTcBWa@VkM zlTXg5JpJIP8Kr^-zpHjg0CtN-jK>9o?=W2kc%^(8_SO9EZGW=xx7J>=+^S}~* z1g>)LzM;R_({*MV4PPETv#N_!!R|=sSH928M1m1((Bj^XKe)f)8i6AbEhc48j`WpjbH3Ee2EZpU;BZD1Tc1eMGWb)vPu@id0Hpu%WJnowvKPQl>rf4^=>dR;Pf z+*AeOsGtUO+6?L1?uT|53eA8o?Qm(MI6=Aj3Ju)a^vMbb&x(hIROG-up=hiKPQhZ; zq3J#`*RjP0wVWrpf>KTgHA|#WT(W8LZ#L*1o&)Znb@M|24?ey`)EEugc+)FDKe+f8 zUI4|G6wsyF6(&=G!RDR){hp=OzD*K}ytAKO9+MjfGMOv6!C*LG(OVR1@3d{#L@ikz zf8hm~;0RZ~cXy^=So2^RNB@1ydL*qU8aV4^?y-35=aP;2G2D_I!%jG7TSovvrPGh; zq@{&^%5nL5T?fi359E5?gRy0y+C2qS=+`Vnh5u&wF3uEK!FOx|Snlh$;n5(#E53`J zFSa$?6`R`~o0~UqTN}DLttVaI_KA}lyQqTq+QW>2jd5J;s^1Bl)GT~Za@WR z3J5T&QHZ>beep^Nz*C4f2jv_?vXn3@QgCoKx!TmAWbeQ_)#3U@Neo|aTgL+b$SYH>3`3qdmrv-7Jl&#Uug_XdqBZh(fsE~mm-4QuPmNGI;IpEKT)Cf z?BJyYmp!zzxp$y%XDE$8eQqRZGO|KNBiX(d5h{5E(epo;SRa~o$vB0WQ@PWFh^>B( zyt40&8iRr?#)~7I=-|mAq7v@j@n+7r@Q8rNeOR@Mh@`&IO52}+iwH3%XSMV2_9(uw zYr&l>0a8JEDVl`znQ4^m&^voc4ga5mRj}eCKamHVD47L_a=0q_dQ2LhG8#U|niRg> zKAu#%d)yQx43)M%C5G^z;bJL!GXDwHHNk$6{<%=1@3l6S1Ij#RkK9=2o3;EHOwcM2 z64r~(kK;ZVn&i)6?4#1^PxTx{B4&GNxY&{6swHf4jSB^;>||t(`({-vUoXVX!>a~_ z53}kRZ8_ir z{UcRVIcKlTQ;6DNpJUwiC$|>$Ud2{_a@E=<)Y&TY6SdD@psLWM^d&Vu)L-0mZ5$b^ zFb>=3jN&f@zv{#c7~Zx34qj-1p}t&lZkKiRPYN>_wTc2fO1)UWUY#j%+6>sr8uZO6 zh>F=0YH$>cwjx?0sf8rqLKs;z3!A6_;}{_0SExsSwB?n8ER>-BkRXm;M{$e><7h5Z 
zzQPo;)PQ7;r<9T)S8=3;yB$2nUKPf4a1f^%`;p z?DJQsfrV+Vr^f_E9b)V>4^ZaVAB($8qZ|?SzfFycVii-?FM>(O+J+*cPSDfNi`D-9 z?7uxqc^mDmIbY)CU+a$}M*f?rA_g9jFFH`?0|0cKwr?aJLUNr7Mf1uY@#C=wMgRd^ zVRd3hr-`l_>8b2TqEwI8(CxVagKmzZ;xQoz=Z0E-B7xV1#wt3IC`KNe?^WWaXKaaH zosThFJTk?msL{-Kg!(!Fw8`LLei<^3sa?bH z+VUfe+gGtD~+g?1-yA(2)5J`gBiGr!huK z0Iw+s+Ip*y_bw$I{4We1VIb#k^adl{b=J$5O&hn1NErer_7lRzve+PgB=I)DBpz|6 z4RP}+!4V=lHZ~`B$u^4N@TISK;DE3DwaA&J26rLan z5Gm3@#g*BShZqt?5d&9Ihzz}0g6cdE%J54Cy?sbXdhBs~49SAe`kf3zz%&902 z+GsIF2UJII;23wq`pS1r8#9k-*gRp~D4^8z*qZqX+)eG-dAMBjx^9eZUaP|!OUJFX zrKydPmAUL4dDCQ&EEQ}L;fSc*%n>PRl@2!&BQYi!eACvWB$rr*{Jn#CoO3N!5OU=X zfY-JjCKb~PVVnhZ`(cOggquLO$Zt(DzGZvq=c9^;m1IgED-N?QX|J8SVvatxRXrmw zk+g_oLZ>g*vDT9vN=sv_Fne#Igf$E_1G>5hP%vgddAn^3;PPs%r#Eq*4LcJ{3jgy) zLbjwYV2VHfDVs!&dhk!7HlZY;_;lD`6j*sDakPRN05JYZHKpQ$x*teNE606s~mA|1K!>ODdJYZXp=>D7o( z^DGM3!CX8$b08)Hs9{acZxptA^Yj*smfO&J6#C-T|Cs#30L0FRh!Gq26Y7RubHIfc z5-X(OO!*EcA^Hv_DLEY1Q>pVMKR~Cm-|XC{8BHH1H4q2ST9&X-P$r03`ANH#qlt(w zoypR3frQXnsyz3tPn|?bg+PoA@ zx2_HD5oP>ydLI~Hpw5XeV^y;M=h?{BVDsuZ^H7*IP_P-dgcei5*uw~g%-7mhhEO2B z`Pd+ovLwoc6j=_wILX@khrJYF6rX^we@OnguE_l7t*^q&Q4k2Z;}lVvE+h#@7S#nd z#GTsaKxJ!0=cbAtWRg)Z->QR#el!x&Nei=Va#2Rd7ZUN(oxPq=m&s^X@mx`6rL${n zNFM-M6@JTe(;0vnGveI(Ra28v%AyI8r|2gMrR`bSkOuu~CQ{mh-D9||yr+0uph*$h z!(2kze#$k?g=5yH(sj1iVbXor^tT}w8_)2m-Q9si?6tz1NP!Qwih>2OK=M*a9IQh$ zj?QUm*K3|S3l~|RsWQW_RIYQo(4KJEvOi0x540M?IJd)L4fAGp| zl|1WEkl^JKV~e&XhPsjt=MKz0g&ip1a;M2-cY}g9CR5a0xT-EJYNNI`4YuOggbhY| zGz|OlL&O@OiWE!ysuM!RQ@oApXe=F;U@@)c+oEb6Gi+Ht%lXOl3JU)Uc+9JHuIte| zmZV-q8q2kgnW5acgWlR7su+&&EA1rwngJAh0lmF}BNw%lDsw8RS&aSWc7h+T9kVBv zQ-dN|3bb3^Ttm5~KsqI{y&O7aNFHdD_rPWFO9NF%j^@tg@`3mVmBHiOWM6c^B5|`_ z@EP2+q}GsfBJ|6jj%q#F8!G-84F9cygf#$46p0N+AUQ3SNn_hCh&EYW#xAMF9w0JH z--O=mlKS4#{`ulvkd)|$_gj3hk0O*xp4%kKe=YQVQ|3!Scj-$IVlBQwI4Ra2#Uv(n zi4KcjbaLQ;g6N{MrL4ulj?fLeI8Yj$W5(iK9!!j3%;Pt{yibjCjuj`g(eO;U33aCd ztgG~fBTx>>PmNI)Ags8tOj0@Ap6nX47LV0kSrt%K6|m;e%b4is2p*A28kYr93xv_> z;&!oZ?vhMSCV~2DU}Lv|ki?+Uc53K3`QFO9+75!t&yBh*;+!3@=#Lq8P-nqrm0~cm 
zHpAJ3qN8~@%zn7UJp?>0>>&LPKBg7qMFY~r4^lmLVn)M1=C^2qP`I;QPB5x}?o>zH zZ{2w`p^xEPmN3|ws9w6mNHO5<^7b2YJiuG*l3`BMl$7CduqDPv<{;y21v8l^g0S}f zkq?dz5U~SzJXD(-HdLZRVT8As66!}Jx7K&K)4k;Dqeqb z4C*81ix5$jdh#&bN5>l{xuaJVQ$@9O?ni^7 z>X!*hZ8(hFMP9+fjG^*ou;Im(>&iLcCzOOapxYcUn{~*8x&A>T9-l&ycp+rX^6Xu{ z0iWK0;x}MVTNQ!g|AY|0_tx_^eyC|m+}C59DjC%`v>aJw1 zV-&J>L_BA6SvDg^8T0>8qC9RdW~#Mwnk#X1e>8jz2>4DZH{f83q; zRnk&x2zI>5`UX&t_k(XID-6PLQ5j3S`7z>yXw!#dAp@cNeE@K|>(C`zcE>_?#BZn;EB+#%!qiYA)H_&R9#l|CU;4)H=_*3v4 z(bs1y36%HzTB+$p-y9`JW?#BrCEyNaa;D1r7A*4}G8QyDmPH{aF!Hmf4q(OACaYhH zz(7@CBtYTog26blDfX!GD@`x%$~OyW_-+{bOsjH>R*6=dTMYNYyb*6j9cgV=;86fNuKNZVbK?d`EOu+Z3EatwPk?;EIE}In{T&m zn{;)wMDgLrs^drOF>>1CHJQ8F3yTNWt&Z8l<~S)41cOZ9^Bc_IO*OmD0zSLK<@CKw zwZpzwG85A7*E9^a&^8NZ!=$|2O+9Mr=7J74%CW%3B(B}m?JfqhF57fpQFXnsq-4HY z6p({8M=*tl5nxik4qkA-b#LQcU>ITFzc+?*^=(>Lpd?^Vd8s zy7)};b{(}A-c_-1L?H}JFoHX#SI#mU8YN|Z4rgu#w={*@+FfiPUia`W9OGp2k&Q_R zhKZWOhF{Po+rz9BnX6*r1C|}&xE5U}v``4)gP9uK1t!Noi$OOe!~_G@vI9k08bvnB z1py<+TY{kcK#IkpxrHlUY#3T*$ruAFgF)h@5h7{qmvuj~Y@#6W>c5re&7EGmL zXn}H9^^`Eq2|7rVGOl)qO&3GW8H^rxG8dbnyNJg=A zeT7|_{1}xtkG}ZHO5!VGj7>3)a0aKyORIvwfb&Y$`&*dN?<3CU0LNW{8jO?(T#Q2^ zy1-D@Iv9@8nlmD@#1QM?nCsLaSso|vqC*sdwYyy5Bw646`Y_rF3nf4lav+zxHhjID zgcnD7f7f21DP>;#{M=v&+RqZGT)sTXmQKPgmn(slW1v-Kr`IWa;eVSJLJ*vRmmNQg%TE> zD&jAoh>(Vm&=pk~3jpi{aaD}T!4gEZ?7M>8qN*x$OxERH0`4ER3onZ}BsmIR9Q7*( zAXMuM#?v%oeg7`B!#vasiCwvZ`aL|?>rsQ{WQ3&ic0#F2QM+?9G(S936D9OC5VI4V z$s}5CrU{c5bSo%Wtq{iQ!GC1ZP>5N5M6Y7uu7>ISpe|nmaEERSAdZ@zrln%>F=Ked z><>OL>fmlphDc`dNxL0*j3HdoJ%i0m1$~y3OiA6C$6|9k)EjBU8%{8F7T;yY7Oa*s z7W;}>Lrc&_Lz>FdPifA6?eC`eFO3H)`uIylNEuw-GE0u(mQ_wLnlc!WR6VSg<5M|h za_AS$-Pm@+b-wIaWT{J}CRn8em@;`G7uJ4Y;k$A|4s=|0Vo76}FT=6LaADIgK z>AR>+4wQDu-PrpkxJ&#jXJ6oTerYmW5wbK$}U;@pVZI25%`uj z3~dC-=6tQGjoG#Idz#HVc&RbWH9&jy-aQK){^E7*e7=I@LySyy1+reW^dJELu)G{* zwvuWo<;*RN%^WzcL39zv$gf0Md_0S9G%_x3`CdV%_O5qQhg$bi&hdUQ%})TvKu@u$ z`4?cy^>ii;bKnVfe0_f?GI5^~ygvN{eMx@>VZqEXT$b2@{3oWLFhY2iGUcR}jA3#d z{+v*X4z|jEq<+iMEhCOr(089TGIQmBHNSi1d6*8t#{~AVPWHWzdDc66FMYJsQP#kS 
zdw^OGz~NQS4#l+7ZpLJ3r-M^#(4Yu@toG{JeLVMhel2S7VA|CXY<(B8^1*{|faYDO z|5|;Qi^;AAz!N~02cY_C?5_!_eT(?kX(+!|<;Oarl29MqmN}Db#j3{0oE~^T=2$r8 z5Xo_rdevlb$c}nsL5PVd#xMd4Z&9eHo<*R%ya*RVhE8URnkLBj>k^vS| z(<|Q>ONArktI*e`s~HYi9%NW}oqKBmys(-i?*gdFhQbze?h&%XnPjfs0bIj-ns4QL zPU_hyVE#_{cw4MV)uyUItG2YC0HTGcSthFbLUJ6H>J`W-)A!jE5&XO%sg`nrOc~;) zUabnVBFD9q`P86QNUlk`;g{-$x+z4;-3! z5&@RhQi zX29hnuzg+wGOW|E;%Y^lqbArZrxa;n2sy|DioVkw*9UIOejiN4cuey18@e15($HrFZhEXly?wYBDoTZW;NET!sHemQnZCC^V>^PKy zUts|i8eDQTU`ZSmu)SPqMU7A|TF{kxPM;PrOE0Fk%NwaBaPE&p_h8l!Q6*AWRwfc~ zQ=z$wyM$}WbDO4UVZo`Jko=Y`e_8XFX1M?_mq@tb>jW()BU}N*U5xm7(RK-DwY{w) zzqiNbmHJwvSzv0j$plE*9VveMJOPYU12ScMQ;lbLFH0t)i#k40*zn$fdGaULfg=MA z0h}qCT#`9cDUU<&d4HPRwX4i>B`$;jR%0}rwLa`ubhEtO5dHZzl57W-%rGhsmXjYi z#zathjQ(6K<_7f9hKCHCgpeXgCWP2SgC|FVn~)e(yTnxJfJyiG_|e3nY9n&xbItIW zYxZo%c4@DcR2YPNEMqI9Q>9`xtiB5r#com(Skzw@$Wmc2$_gu8L|SK}^J(ufM=%4M zR?vb24(F_t?%n;066-AlNrJw+`;iF!dDl{gKo%6Hx0ddA9kC?cwRGkyJwUTR|$a5)}BS+*x zXkHy!C?{Ff6as!U+Xf^5PRYLfQHUZ}r>|LKnmi_mS%S{7byq^6A64_%PTHJ9gEDx7 z5ObYT)|)}t&AFMLjdxFv&DX{-++znK%b#b~xg~A`5swf>ivNRb6v(o{r~8ZqnNrZ! 
zvxI}8p0OMfQdHBmJ0J?_=Lw_cJcyx~tC@wKBfLdQr+_tmgWZMH*QAO}ZVw>0KNXd% zf{BJ~m|68@QWAkhP@)U+85eoPxPs%Rb zFX;9#lP5!Ug_Za6J`6Gh1g)D5%Ke**NoJ+X{f1Rx7_EBd7)bPUGLe%eMTi?3lP(uT zEwb$0ha{FP%E}h7IBA5`HXPCVr5;?;NHc=9ODHOl245jz@k;2+6(&+Ub_vf10SE8M z?pTfjnqY?TX;cKu1J19J!Ax0z26T-X0?ADFPS{!1NhjwWn#;A0*{};eM&6}bzUF+| zpixq(W!fk^g`mKl7ojG=XMrI9shPpQ>sEsTlUmMYJ>Ike$sn|4nA!YXO=2nQ#d{a} ziBf>12@{2I0hs(eudr1u|oD~omjZyzaqcZ0~wzpigc?);`^@*qkKk;NtgQy97n?X?c%B@}ELKoKeWZD$l62VDFaNhQnH?Rq!gYE%_sF zeJ|R0l){WcR+#zDzz3iUPIvCO%}nOSu=HIzh;4}ov9l##aEiI;gJon~F*rFG=HZc$ zL%f2S&w@n(Bg)6wLx~SRAM8royDUiQvfAdsowWc@3Xis#zWkha`v?}^=}$Zt6D-6% zk42LPA;C3~&t_8+jji=|cD#2B# zA{9e`h@1lrH2E!<2Y`IXB2bvUfxrZ{9*b_1gv*o3mKFt@GTXitjYn(TP z>d?lBwsUJSYHbuF``5;uSOne|o##=zOz{j9l8zy^@M@C{MXHe2EHM+)jO@T3&CQ# zn-1=`M6pitq>lis{s79Hyi^9H1~q{1;OH*wZmFr4bbn#OOJJiEKHnipdw~aort1Xk z4AG;vjmWdaHa&9%6s7q~?Qn*deZz~vV?7OYhrn<$&anSOkj3UP4dI;B!Xs1YifVPa zR$FQ&Gn6Yp7p%citLj@j6kTctjd^u+ANBL%@?`3qVOA3`%tddDQ7n$Cyx zghoK3NynEP*qZO;kp!-4P`O=Xc@IgHkC5h(PHZgtJfwUqRO|%O&rhwKsDLxRbq8m+ z8D8UU@g2VhwrroNG6GF-xf2sj|FFo%Bg_tFq>7&{(>UlR;?nV|Gsa2A>Wa?bVRQX* zI3u6C2LK-^ZlugYWZeLcY>7QnT?xhtrQ*c&{#%H<%|g_r(iaqvgOO3X{bgXf>II zhX6#D58&PGxh{_TN6=|T$;Kq<=SuH?RH9*4Q*I!eQtGkI}JzG-zz0i>J&{B;43V4Oz7C;AN7e%0mTR?IE zL%cR05=QP^eV5MbUw%}-5;kUq8@F#MINjf()O^6hp%I$90@gXBbz@kDjw8*OpRvvj zm=*I2e=NCjR-_PgQIuzd3S_lWKopWL1Q)Cd**y!n{LoPmjeZOj+@V^|rjV+Y;X6Jw z&X;sn$8_5SZinZmD7gAaR0IQF1cQx#B6ya_j&2jqWyo0_my8i^x0gXvWF&hET z^oQCv&& z_m9O=O+^y)Cx0*hvi@f`K>4eUFc4?x7ey#_+ohEhji{9(=h4_&PeE{9dD6L{6*z|+6+jXC52&=k*^hO>w6Ju%^&78U09FKhiO#FR;B^-UoYyZQ#v>voKrGyxaI3Pl`8a6wgXw!}WFP}kU3qNdrRBFq^SbLcl7ZX(^?=EN zeYD2dUX3VH3nRKD)o6RPYRbdK7gPqQz$DmeZQM-5;2{mYIR|JL(-MU&5`T;;dc_yw zStenc`G_JWzWJ8p&j7!L8&kp5qjOu>TW)8V%F1Rhj4ND7pgw9xwT6t(y@X;290P|2 zHJjcFM?(mHLMGM`udwHlL(qpIH!}$xG#%N_rrIt!qn@C7nn0wVfz*f$0cU_e%fTC6 zxeCqT6k<4>OkkpfKF3y7z2k>;ITC+J8*i0zO@V@jGI!u5YPJZ*mSdBZ1X;lbSxfksBX)k$B|!G z<&3Epge%@lN8)cYsx^g)VxQoJ-x_G6;UM%_^?z~yPS&elyhsMpSb|}(Dz;EC-Jt!x 
z-`e9UjwM^THMCekFwpA5l}M8@OIso)rk)z2SszXxCI@rbgvg5k-mR0(F^4ocHe1h8 zB^vVKQA`HOO%`O~&x{Gq&pT9P2mlzb3Sc4mf^}Wm3&TG|dcr`CUsK6i)-Cuo6;!g8 z#Nq^3)MsBF;Dnu%J9#*X$|}DJLs)?6!Wyizi#>MnQ^abR zUS3rTgAeClM2IQXkMFF@V7rV(n^6&If#@WNc?gmc@aJCI>`#6Muk_#l!ZSoYtz=R*@`Qq-yLd8oDJ(%HSEk8OXc=M`#2e;qOU4n zsF~~UYne>HV`E&MhH9q^f(@Bd|u@? z?`ZLu^kC5fAYTv*d8B^@16m@d`<0ocN0izL%4v=kr`5`MA13hM*;#d+H3uE+>fCxaK=A;~dEk&L-?0g4m zp!{vQ~ZaMCCuK<(4^=N+57z5%^C#%r_{!%26rt^pZ zht=9Ous^=?oUR#NR;A~#PRe+MK{qZyF7$1^SI+@X=NQRKZw~t(_|Y6IjFoxAUAs89 zhB5UllLs#5Z*r5eafs%N5i!mmiHAurRguFxtXuNo&8w|Oz)F5?zxhBNDdbn z7SxeCJloU_NgfhIprX-WqGh?RRlb$$OuvD-%JAz@D>W3+hhby z4(1apB`$rNWLF~LoFkDi9>UozZ%hX=2XWHc)tedyz_$bq*)8c)=XQ-|2)M}hFz<;- zgYux7Pfgcv!F%aMViVy^a4rk77r2CGcQxhj1YCakZ^(7N9+w%;tkzuNY9}nc)}AS{ zR;HPTrcWL|`8LedV>JQdEr&{iEZ-Mg))O+qfB=yR@u&b9wP8fp55r`e)1U>S*2D4o zxy!Ex^LPnr>N3g`urfP6^B{guEF9PwgB4SlHA{bOO*wF3Uf!+YNv=wSx@@1(=wos- z;n`b?dQdgYp*p)^qs0xYOBA4h(UK1> zuw~yO3#*8Wybaj!A=9^yqj_k*Y{2xRwKR!@PUzIT!Ret1dw0iz{wwp{>sOJ8EZv@) zy=HhI7JcNT3z+b-tUH%)F*0M7qhjezwWTwHhI*7ov9`yirzkOJH3oc@R1CtnXL53H zDP3lf#C^9P1Vw3ph?NsFH*P*Dbsjs4;&`7(yy;HVMg5fYgezSzhGfHIwK(!0E=Dos zQ$Zf-oLhVi`6@F>jN#uFQ6)YlkwJJ%yB+1vi1}H+FJEr<#SM6sS^x1miLm;1DeUR^ zQ~%@oSvmxAWKa}gQ=6`1JH=nKO*i6!k!iDe_IL&cPi18b%N)wsabpwTaX3Qg1NE-B z+bDW7f(q!*k~kbmoYAGeWhfYI`#7KGG!GDuBq4>zu;LcXEIc0#f8=0uVjD{T9 zq;|&A-aIeh%g~J_-7c}s1rVQw&Dxre!3|YPWDkQ^7m40ALTiy+@fEjtq#`CiM)s7T z$B;{&NEH^<3ugy1Omt0cCw(S`mEd*W-@IX3FQYnJfKH9zlIv3#-RK)|8=zO8C8)1( z$jEnZbz_?*3fE#edP!=FNyXVY!Lo?f{iSd=R*&U|X^|3qIM?65lZQIGX< zeKib@ZHH3dwrnJm0F#72@yhOvTlrJh> zSV3F|(W7ZRMh5MwRI7grpj#hb!hNBVG!3o?5CB^E;O|hNLwLsy%Hkd_LxgJ;@xVQl z_yA*kh-)E1z#x&tLxw#-YA9AF_%sFQCf8eUudlgh1vL^NJ zjJpI6jZ!AM*^FfsAwiDY$^4)EAi|Ch7343BLH}8uhYSvVu;`i_;_JE4b)mO!1580LlBKaqt9DLBo-K< z+vV@ z7b=grapo+3{p9!ybqNFxKU~u_gmb=LgJfF0>b9e#i3=7I0-&Sv`EPHsIAY``n6`sI zEG)W|w7Kl10WQ#kj^aslhL3um5Vu!WnoKc!IYgQB_Z1?1kXv&8c4k z!%oVv;De#^Rezf2BpT@0u>zkNIyslTGfQh6v`ZXeS$XeX8tV5D?^o-%xi9oMC&L(f zX6QJ8^VDH+{wkh^^PB;h2<~!eZ&kH%m{E&)!rWNw`NbJ6PQSlcl9FfyYIekh;sG#} 
zNcBs##>zQl;8@#ELEeo_=>W5^2>rC4bgMPz@F8S>3c-VqH(g#-0tv*2XwX6k9PoSRL$af&17`i|qR1bEbQ=2ynq+~`cy&974FCw^#N1b$D9EbLo z=zMGAq8{yvmU--&2rI$c@v;`H6$^9B&hOY!RSmAYT+yl-N6g;u->g-W9VqqZ!0l>O zd}y2$X+cDg!4!;*t+HCbq=lPa5RvFnLT~ZseZ(OY-}cAey72|$4j3{kd3UW6N(>dx+YNX1j)u!UV?(=s3-DS$wfewJK6rrH#Ys56+e4=uWo5kh11-dJ2Az zX`5WkAZBhy+}R`5dfo9TGTP}k;(*rs7VG47LW3j8Cf#5_K-O)h17b~8&!evgr!Woe z7^xU?X?df4&=-VD8Nf3y(je`Z?wH91FC4Q1(<~2Tz3mncO9r@k;zFu@nOAcLl*x0= zwAKq;90m67&Ul;z!x^9B{bQ+2k;e@_>=KYK`f*Y89Npz6xTWDJOallsNnzwwiveaf zOcgGwWCIdxv88|SA)w3J;6d=qJh3&F>0&8v#H|#h+%>drDs_T$FCP!=w@MR<2JF)O z+v}@t5AeumY|aBDCD-m2P_?ulcq@mEh8ghi#MKYJF5zDz5UOM-35f+W?sW@ck#}$$ zQN|%qp%yTSZ8(1YUp`+B&(VCdp8kIX|){v|<)9ut7uvRU)wddD3 za2h)_;~w`ttZeDfXA*aT1Sd#%3Hk;BJ?E@^N0BRiYMHSC;}d7&8a=*5`#iGm6(;90 z61C2}YUwcFbs|S%E?junJtUuzmoxoDA$vmGN>o{Q`^QB3qLH@I`p4RwY3%CM^T_nG ztaQnEl7CA*LPi}cvuOyVd;$G9ZzO1Tkk);CpU%*`J?25sa#|29V~TA;OjJW4{G223 zMHv`HK7hmQ5;-rN&h*U2^68ob>Txe#n;|L^A=+&1aHRAp7$@LUMfA z6kYDDgp?4)kKaOFHd~2_qsUhQn=Bm$K*m=l9}CcSSpcVmtv5>gc5s_lmQH?8Tefrr z7eq`;91GT=AWhh@ABRUhww5qRy~9?8-2zMJ+j)%h4*@D*puj>B-m#Xl`FkMR*{TY` zIprnm>L7IUcP=)^H37vIrZf~xsLPD+^yTa&*8h2mccu8@?lyp6^ev_sJd5O#DO1a& z6$K9B?N0g-gVMi`RqRPX;DEzpaN5R=Dp zSd11^q`d%G*_|(h=QGhO_fBC>tZB+lPe0DtERZ(N8?%%v#w)5s%)pv;e<}Z2hi!V} zXmWV>EVd!x`(Y7s0U)TL^2E?q)u=GB(3cPQ>k~IY%4acL%xM9 z9}Pctg=}10DHGs=^I8(H-KVXEG*$^sMRifO;pKIP+cP4_9==Zemx-);qaipS*pdCO zAvk^ygj`?H_u+w4x;Q_AQ>rD(K!Lg#ii&$cBItp!j}1&Y<>nb$iV~-#lj}{LLU6s8 zWjn?mXxr{eOmj*IbM;O^N$0n7t5jS_FwO1Dl|%_o<$ac1+KHQ8p9fo#gv6&Wd2LTPxmd*SD;dG{8s_dnPN z4ie9ECD@I{&!Ql*lo^TjhPa$c$cR#n-}wY7=ABr()aY^t*NSVS94)moZ`yS%iMFG9 zMzf$bCOafK^Br{P0_GRtfJ6euoUkS4(!F4@2{rVi2Wwq;BB|w&YvioiSOq^UhWVzH zjA$4c8ass^i7RqQD)Kt5j4NcsTv0Xowc6G%sGHMs%4z6}dD7f2=`l4JAR)ISfLmfp7qz zs$gAZB4LKYkvAHw8B_)ufjpc~vR}7K2!ZQATTqHADS|L_VZmb)pX^y4+h0{7{KLpv z>;s>0#>PWUjxk7``6hgA^RBOJ$yDPlFgfuxY;-tKm!b_<+JVErWfQza762jM*c47c zQi;_9QhpCSp~m_;(KwoaH!@+c5~(|3q)2SyM+n&7vKj1ecRn;fD`sDhpwLi(`3)+u 
zqu4^iypHd(+9+NstU|0fx6Wy`~HbhHJTK8WDGz%P+zHGP#A!lAxML`WZj%4%xsebVqQ!%*icJTPl})y_SJT5 zXcw43uKHpps(}*?D(0;)FbWjh>Jv(vBsk^DU;w_$Z6em^(oEl4CFy;e_bf%Gz z)DQS(3N1-DFDSJ{J8AiV)ix&1`XIrdP1FpECi;+W*I6n7+y~FdU(b2?1oGFZ$ibK{ zB&Ou^dpcpo`^M7+S>5Q~1BW623|=N~oNg+U9BRz_?ocu;7H3H5-j;+1XQ0S+h~-5? zw+@bt;7q((Rt?Ap>mZHt=~55dtXD@g4w(eO^``OZ8=_Yv35SYO2kqb^hv9Wz>gha^ zNh&}JS%!~{MuAR!rhwGO7YJ`!B>wKsgUed5R>-RdWRNv@IlKnyC~c6m*`l9}k%Y~R z+RwMhm@G4vKB}1rpy|T%t|na#R_dN5lKDrZxfvN+uUJ)E0?=OUEIt6=%qpTmjs&!6 zWL&u&65fUlWx&{si0@xcL|q36%|>hD^$HAK4;e&(F0$JWhao1bHgY5iud2*7nI&dN zxEfh`WhS9@h+KdVIi0>m54Jq83hON>$SnD-|}f7=0c^(mTO@%atFqp=km~{jzy2 zyL1Es5yi{Mo6Z-K8;%O28VCiJ6&_fj!(h~ETpt;a`IA|a%h0J^%06hYQbRL0Ee}Cp zqQbD0F;jKjBu$hJ->ZIWJQ=z6Vz2isv0|QhQ6r%FhPUTYC;KYNL()gG(`Fp6F~P8o z`gs@lEpRyw)?k5vJA@cxc?9~}s%+WiFZwRG!zHyZ(TE`2iHj-hJJG zn6B0UElg%4k~@UKHp zneHp2AWJ7-_kA{|jPE6l4SdE3{NfG7GDcFlA?$@nz?fdtEuR<4r*MC7df%LUD>QSY zbXdnxC8>FZLJQ*S@g_#w4BrWcBHl&{szph&PcYf1wEq@06m~={kIIi zE=NN!=ZPmc*$NRU1BQw`9-qw32W@rD4nghK4fOuQXDU;1Ukhe~dsrJH2=?!{1dnX& z%XP)Hkmgn&c$$hie5!$)QIhUN7yF=Js%9&myNBa16tqqoH0NAa%YXKg%AO4(NJ&C8 zaSwJS3^-f%CRGEQ|o|R1fdb&})n>=T`u`lLG?*MG_JD7E9Zs<=C!D?K<<`Y~! z_SXFf?Wu(`LY}^8Z`Gxl1Yuodw`M{OY%w3FnFMWf0up?#B9Y;sI|=;2nb-h%@DH4 z%5u?cO=L5n36cx@QEFT;U4rjp;(+U30;hj25B##vh)`5FGo7hio)gX1YYPT#Qjr1k zcRTkuF?>$m^jP`ORWBg!NSow3yYnD(-3I=8W^ROEPjkS(z1u zpCIco#zZ=W^{sPKvyP@keNAAWq$}vj*U3)M1RgFQB`@ zAS}IhaHAk^yL9Rt!l9r)+Vlm$zCXgUlgb3pc9covgQrIz;^Rml#hNx|pI}%5lrY@G#~R@u2tji> z{zsPWvNOBPPlnr!Dbd323HFKfsL=b0K8V6(FF;_N5b?30_nYMVDO<>R37~ujbc9rJz{*A? 
z0r562&iJtP#{Fx4mFF$O;ffxHit8%0R3Q#=)Nv!Y%yS+P$BI@X^L$I<01`=gJ)^w!h~OyUmF z5Q4Ra?|?TKM#o;2x0`3J7wcngMd<`15sx)T3j>M{@wTUvcJj+Vfsu!k0h6f%ScqJR ziUP`^E*94f1$#cIRVN?`bWTYibB8*C(`T=i{W1e)qJfCaUKvKRzN@ zxux@5z*tPWa%^@tV_M6Yg>>V6iT}`bRza$CSUNvw&Cx4Zk+iPd_!`Mia`v!NUc0^c zpC+U7_d4(N0L1A4$vcu&MNXapDW??P1w?~~^N2U_zGA2-TpVJqyTWBm^wdz<3V2jv zvOdCX1FJ;Hw)`n`JOAKd=MPjQsx6va5uh4>Ul4=*%x+zD+0`DS zka}TxqwvHNayk7NFgvsfk(6$6h>>A2`f3pD2G|g3AIVcGqWP`aP0hi!!B{tzO+2^4 zeR=?-JLr31*cpIq85i8>@rSaQWPYJ+OBI&m!g?dzD?G{t*&DNPD`P?@I=ebE1E;jr zJr5wzBZrcM^ZOexz_{FDJ}A>7iV_smr>jYGuXk@_j9NeKg_6C?O9vS_Rv;BG)SyLD zD*gTj*qoV=E_{Z8JQx5I3Y;Q5FLMon;F(%4gBY$*-mf=6AKCktaGx*>fte@Oq=lLC zQZArQBO{NL`u?{#Jsov20?T0}9L*rzR(ixQ8@7*u1E`dIQ-L67L zY-(;XOE?_06g!vDUML=mC#ejCcm&IvxvPJi&KIJF-tU7kr!gK92vip`^{#G~qz;M{ zJ~WYlfGb$~*_zm$g9007B=d&qJhEA{(PFE9=pS*O+-YHVTp=Pj_P1@R|YW zEpg~vsQET(HUXN_fQGQN1f=paZMW~m*4^qfpCZNaXrJ9CnMy2xNDe1kr7?qPA97kG zK+OZ2W||DF#j6u%xRlDhC2+}pC7|o^)2U+4d~Yx5$XJAaj0d}Z zzbYbCio!lP;Y7+NBY=ttrxX4D*aj|$jXDU6JBsrAs=vu0(CjFAHpDG(Q}V#YCohb! 
z7<{+wiDMpAD+CGL6J&^9GiP;XzL$-^X5w#_y)i$>^U1Z8CiL#V0RCmA4%QVe=H5QC zIT2qyw^RKvi`E1<)5JL}QyhiSPB~LI*bv3L{os$$i~I{yXwRc2Pv~#*qywBcqdtyoQwW0%kc}SK zgmw=gyQ)OO0jb6Ge^}Qjq{oEB*lxdL&TnVa7-~cq`!v~^T!MaJfHW`;$_nH}=1ocO zY1ThrnO!DryiE}aSufSI|C(~W%ubs+bt9Wis}g^&6~S6p~!dpFU`>_o*m1%MQ+o%?+gWvaK%a7^#uzsm6Cuh0DkG9q{Mi#cf>( zQ}NOG+Tt`cIt;I;$6W}ZsDVuh*Mo|24Z#i!%RjIUxr}6ia>9gBbk70x{ot0{>qgW5 z;05iimQm1R;Yi|&vMnrtRhb~zQj};*ugraOrFMYzwf)cagQoz-8M~BJ7jRkz$xeR| zj3G((!ddZCjFa$~u&CPldZ1kw2nkl779cT#!E|qHh1kA-nm$-y!2Mb1!aHN0*Zx{zGAv z@P=I>=L~J_dTA)u@kpSHj_=E%@*j?+rUoDrfVCgVQ{_TZ|FQ^GLI981J)oH`4BY14 z)A>o@aZndv{RkPzVwlcSYs=%7U|UyjfSnye8AFC0W&`{mEbY#WP~}xS@UsjPr&QLX zP@+NGJMWal`0h%8r-1XbQ+<`4{R6)G(q>*Zuvx$VSY(ZI(=3XDHjMi=UKqZE#<+?F zxL!zRE#RZBS&R263&O&?dXx+_N}&u?8@3vW|K)8yij}!o~8s1gt7%89 z6$OYOON9ZQs9(6vB8|A2T8!4|h+1I;uvAY{zo%80VY~Seb*a#qS>T zN(nRTZ{^oox$9*Qw;Fts`i{+YbS#EJg!D+6ePe33uDr&W4Xv~#Ghqeh7WsP#$+MSC zW$@6&0CjWlTU3{M{3Z9r{E1gyJHq+0^JtmGI##UX%-I-Lz-9u>-@gQvd6I#C@jVUg zNw2_5(N;W4Mb@l*;QW4~aLm@|VsfO=`@H5>aWia*_mlw^_Zc2m%j$v8OIi#trIlij@8&ap_j*uHwp`8N13qu$bfVDsidr4|EN%Dmf6FBL?~qG zpS%Ra-^`fmBsy>hp`O%@I~6@}d*gH|g?O|;jjJ1R_$P=XR#fV+-{YJK?H;JAwffJa zXAp)OTHY$I<1u-Bf>#Yowpw~)@%OX3qA4(_*y?dS*yF2FLXa_tYHS|lJw?%uDKArE zR!tq0qwrE^_gfm*5PnK$2OC%@%Y9(L0VS-C&O+wrd4I3f08QnS)hzkp?$A7&0wysa zyr2Rv55sLW8oXK#%H1Z;$t}Ym-B5^sle5UKlI9O>au#dy0PoVmSC4Rk1>XXXfic%w z2mbe#;y7yzU%>JelWnOq^_o~_A@#SKaU#u>3mG=?T1;{{qKD?*22L6DZo+oZ+upqk zrf~1g=x=2=Db%C0nY##(^tV9}xNK#Bh*ZIu6wuHc+4Tajr#6Msga_Nr=mtCcIs&x8 zkNnG2zP81)3~Q^sy_q9!+1j_FU9rWoADS$lI!ztLke-sW(-)l`+*nYw&OM%sNjRwm zRPJAqOI8s~bCo34h6Gy4}>UYW=2nSm)3(aH` zhY~IvI+ILQO}jV-Na8h!4OvB(Md4ENisUDI$G^qn9&kxqx%0SS3T!5v56gBTS5GlL7bYP3pL%b3MF9d3iq8G*h(AA|oW$Py|KVzwhWa?s-9 zGT<96TPN+&M!LQlC3QK@UO0hT0WX#O4Hg;ocq^`6L&lueKRvi0p^nHGQ~qBq<#RR5 z07!_6!86K#1!(tC?j89=T07G|=EN)#g;q8kv|2z4-ec94(F=BhF*nTHDlOVuT}oXj zf1R6Q%3}-B!uVt>;bOkKzrLD5Aa9Y-6VZDHbO|5P-?0%{Whi?EBJD*M#R z50?2d)p%;BB;O>#TnP9oQUd8r(NpG&lCeH|jONWfnF4;I`|QTN6#hll%3Rv_Nj++s 
z_#lTX*0;_vTf=nwt!}8>bO8k^1WOu-Y(gLK4H0&OUC0*XsNM$=i=*z`#tfx&s(#G@ z(AvLk>WTZYfCv!7E<*A9r9up$RhWvSES5?U6_6D2ubx7}`HxxLbqD7KRkjDhp+=-} zxs#)waRO~Y@rd(2j!0~K*88q1E#e@I8NhcE zkt@W5- zUMK0zV03bAjf4>>Ljj!12;E|Y;qdAMt1*Q`ZE6t&jCabU)D>7PAOiCnU z!n4VtO>+QPZmk*~LwiR0sg>ZPBS`d*%jU**Jic~Gwk8JsF7v1!a=om95@C6g%tGS9 z3pKEw_&UR>yW*AuVc&TYWXK~tXKLj1SU;0#I>}M+@KQ7vwLr|RCu!6xI;PJ>&XV|= zOVPM>os&~BI0P!dFqY=R0Gvav#)V26Ou_Su!D2e#3vfyeQN4ixza zHeW}B_!!e7DxPBWeX-%5FdA59pXy#xXOel33Ft5=D1Hts!A*Y=PELOtap=+KxI*SL zwj7edND?Q|KvwF_p<4!S>SEn>TONz_@wXn>ev*0iPYY+j+s4yqsf{rR5)czF+j7fv ze#j^+Rv7-Jf~ae#zuWZPFuy9Gq(0HwT-G5tt95T9ob66D)n&pxTY#kWut{ zr0wid@MJ@*R_E3D0-D5N1^{kv%0Srb3Zpi42d}{Bhxg#ZzbliB)bq6TT-9-B>lObo zqvW`4b#_Oz_ISGcwi~_T3AFV|@R%^EHC}`7#mN6BUM>t#3Dp%GcrSFi}%hzzsJfe)EYTx^^Nj@>0FprChc1sI*(b1 zusSo+ZUj|&PrtIAzE^R^ZTNIgl39+Pl%jkSn0+7O(DgJ;5l_=J5Voxs5)}=qqf7t= zoSsZ=SM_iIgsLzBS;M=PWv<{+n_=>lIiHWSh8!6jZ)&JX#|H2td9}=gcVH)pvyzz< z^XXDtN(;``dHPOngIEwM!1l+NQ~Y@jljxJ1dGrLFn9j*72`PWS-9lqLXS8U*F*8XNH{j#wsj;-ZVdwr!7czF z1UX0r3gnDfI)fK0LoB!Flsqd!l&JQ%_e?)G znw=LDpea!o%#tS|$uzMh0)P}NBcRk>ML`N@9`)>0fIq9IV>N}Y*7@pD(Ft;%+7s&s zw;EvJZ=|ZIFn_$I75QpYQ5u+2*2V+o#8b19x9witYW#b4&ZV2_<_W4Ot)=c|wiysV1=M)OFgT8FiJbQ(vc`Bk~WZj2Xpd zjO$WfUiye3l7Dx7MmJ6j<>T@=9X)tUS3jDBiREGQlf%jtSfO;Si--dDXo-}jumrISiKm9&MM8~W(-)<5LuMoh(l^# z&5C=}%r9BQL^G^x5&^jw*032n^z%sB?hWNiVWJw`s=bFHm|;u7*sx!uegGh!80KLJ zDX_xJhw<-BUgQAz<#{!v+~uf_({i zQ8F**qIF&p#U2`bG`LVR?>0k&GgzNeTOM-NzT^a}aZiVyl5Gv|jajt zAkeDI5_3E+JSUJ)78|=L;%L=lYvh{SAoQYCq%AJL0Dcyz%lwx^ZGosT^fwrd5&W)5 z+eRccLSPVhSBo^*c2hSH27Hn{d!~X$(f1$zdj@i_+#W(H8WfBwlp6K?&R0qR83^wh zLSmm`*W?BV!-H8mmY%uriFyn_KP2Ba;%HIO8^fCh)FNyPVy~dH8J;=sCBT5r;e1%K zR*a3%i@W{9B-nfjT?`vPcJ;>c)@YJY1RDYfbF}f z+~@HZnlnEfWO?>8a)Dg+3lbRdt}F>Q^{V{`ctmLbhRv0pyC&AR27R#t(A!A1u_1br zLG_Jf^o+Z`{&$^<9Qa1F=w=Q;gT2LZB+y1J0tBVsc(x(I2dHcyoJzzD>>VJbm>u9{ z4i4WVuyzsxlh1~}H04kS-~Z^5&AnuP$8p=kFC_`4o^fh3K~MK-lIZqb<%i$BBLo*WYYc;bVGnlWxp zi$jZ;;m2d_0rJ+$?}`7RDl0c7O)`29@SoaCX}1c&2O`;yp|TH2Oc*Bn*WElV!xNe4 
z6?>^_Tu5X4S>+l~&bVJlaZHQ4)$D>_m&%Xg+9M2tkG%s6UB34`Ezg^JtpN3>nfqBb;jLe^xC2}qM)dh{Szxe5o|Q%l9NpI-S2N1Ty}oAU7{)K ztu9Dt+Y2vinhZI-pPw*GLv|*qgpQ&z^ZNy!X7&AnO<_hqTzs^<k)Q+_XgnJ?faY(++Q?m2M2?eTV35G6nGiIM zNJBp^ADhSQb{BHEe;A|>oy9w%Lk^vG)rz)bKwu3wzBl+z6=V)pJ-gqqM;|mn(}?0( zy4n15Cm#%;6TSLIPrU3qszUX`#R4;1DCnwVG+J4={NhE3!XD5LY2P*^3E=@oLdBwh zp561>k>!^IYG*62x%4;?tBLS_Uyc-5=!PmbY5dqgvh-zuTax-siecG&B*%YW(wxIdO_WLIIdo`*ljyUGVbFbW1^J}>4u47%PLE3(3Uj1mP;(2tk_BBMsc zcN^>B1dvzEQ#yzX6Le!h#4MP%L(@^;MQ(z0=%)r3H`&z`!f^4~u+tcixZa5$yiG4$ z!>2Er&-IZlpwQVrXP~4&!*=k<#E!9Q(?6okaBP-FC-4#zW5-^QHftKHLwA{qI)NO1 zl|`$ZN9tG;RQt}L)S#&J8D2@prQ}U6;YN-<>K4Ey`HJX#G1`LSgC{tOr@|$EoY_Zk zols*Jw?Pq85ZxMe8ztAk!KNNJ2{-|6Zdy?^RfE80nxmf<8~<2$!qLNoNl+QE7_+jj z(&G%<_&rYYH_XbqFuZ^BW+MZUxZ>-+857tSg9N}9*}G<2q=G)y^b~mudAnqcSO^fT zGCWo9#Z~Ox4CBy)MT?ysxp&^5*@Vr(^eFn?gt4v*Hg^jY(iFZ@`Wg{U=bayTm{tMo zPE^+hKvf6!qI#r`G9Jr+$pS$r5S^(7<>-{{E9NL;dhWNy2Dd^82K+PhS)(dcB)-DdE zQw=Ol$_B21QNmIJi@lA8YIG)(b44X9L-K56F~%GeeRGC$n*mFY$2CJcLj7U#yE}Oc z4I`$Tk6pE~-&c#832|0`tLj{*F`D1KyICxCtNiC1=z6I2m~h!KJN(t&N$;u;|6VmE zPMC!2N~M7i{E(YGSW%A=72kMJY+eXZfKLW?!QhN=^R{hB6D@_9a^b5O>DbP57O?JS zXCHSDD&zRScS2zd5bJoV<2QtBZWeQ%6k2A%#l|P$JaF0r=mswoAE_T{Dvc*U>3lAzzUttpr zrVgRkPkSx{p?k@MR)n|<1;ahh8(b^aQL&w{yrF%2mjt$NCCQli&6lKnMo^A(%rxr& zMHJtYy?LXyVo%`57#_T^zsD(3TEXoS(yR(Rr~c`irp3~=A+WvdiP5Rf-?ddpLb{wA z$*C(_z1P(iW>XQ>&4u3WSX+(fPSpEE*2b}Pe;s4V(L~D80FH)RDU@)##LXu^ z=k@{Lu%XyKCi|?w<8`jIci{VQ$8-mZwL-UTj+BO`mM2J?L~vku<}8vF{*s5!;3VG8 z_!KFz=hzaie1UTq z%kh`lr4SLXyuCVE0Wo&j;(@dxw@2dUD7iav4X|V2w8;c+Aj%DkJ)AIYNN`$yMQx*7 zU~6{C!HP`49+baKr3x&br-uA(WR<^1kZ)1WgVtSj|?CA#Pw$WXuCjVX(ljlc>fRsc{csz{23*Bn>Yr z6v&CQ>F(P?XctFTot!<&b)%eaT1bxw=M> zD1?Ea{9&yT=e%sM4fMa7LQ@@EEKBx73=-{oDAl0BlGu-#DQ2FPLa&im%`QbxlwI4I zfn6vT^BNa$GKw51b3K7@?Gy)gWB#SiGOl1!?=$TjSuLkRGNJiI%o!8B18-(Pd$dn! 
zzBtaNkj%IZMvLjX=m?#;sh}mt$ox*2gwxEo1KPA6e9jO0W!fY-JvRDt$gX=T=4B|( zsy3AS`sdkkceHS->PP;Rznc@1okjC zFMD~hDBZ~9Qb96sS40kn0lIQb2+(T%$B=z-Qpv@#{LS7_6_q-GQD1 z95j2MTBeb*$A6#m>Q(9xDZ2Jg{%%GtqAngRpvN^z(UI!@WC`+^J#WmZH>XY=vzxiuM+57Pv zPT}$J2iMuXigQ9X%ofE7K6BWB%MWTb;wJ^%_R)c&xlk*-CTO}h6Z#_TWb_59pVdYY~O?sRm}6^Mq#qyI`rOgpZlKrV6ycQdluGUu^u{Un9uUPP={>@j;*K@xc?EOHCwPMewrN zYcrYjHl6q?NR+_hX?SZr**+;-Vqw-g9OGmO|9WIqqGuo4tkChPXjv1JI~l5g+UoqQ9!f#{)8a zhsnY2%YwS4%U>*ei67cGah^3fohnoU_DFl>_sqJ*14t$$`AzaqFT^|9kozee4;i6I zpSbvs>AD|}MVcoW6;;C0PK4E37P_q7g(Pk-vt#HZ-MkAC%spbkU0rCh|GQDAH@1n> z0L;Zx$Q?euZWX3qwRDcrgRfKV<)skMp><5YUBhQmF{=$nCKMILECI)b+j zBYg3F-sPn48XTaNVU5Q1s zON1#@nTWR3%o&NrK6UDcN*yRJmtXm$v=C5krKS=T zoG1_t>0&*Zl z<8$rGe-tVka|j#0IEkI{_zW{y9^b~#5S?PUj*Qi?arpIqzQP%mBVuf^ME}gzh!{Ag zP8QFS{e0%oGn;JQ!(eAl1iSIdr=cNJ)2_ylhp>q+***91l7Z6BJB|ys2@Xno|BW?D za(zLxOT%V3Ox*N0;SR~b>{e|p_ktJSggxaCw(H?*xL4w7h zvkqT|@<5ZPhqi>Zi&$62%gEAgei1A6dl&!UTy9E;F!gV?W7G*TeSzn3 z6ku4Wo=5~3LC1?~Go~vSj&F*A#8*Q|6W6wS%z(ngN6iM_RRY0yTL%$->L|f_zI!76 zXX}lcd;||^00sc=@qs6Pg1kW6*FUD-^qJnLnCQsHA?cS@DHtzW%dvhqLj@h#idX2X z_&!S__%as74QveOM54PCcf5osj54SVNkkhrDK3GhcAx`ggRKkG&f*EOuG{L}xqtR# z8A@2?%-k>O<&S=&>|I;b+4Kf;n$ zr|S_hPHCcmB)Usupm|^~*J-FQOMk^@+%FlE?r3SHX}v^ucCtrw*ss%!4ZfJTIgLCn z^T6eVWdC#havG)NX;>I$dLwCK1CZG?fPB@UqZ{Yiy(?t3e_Pm{#TfU_DQ$-yq8d^* z3a%M3y1^9AJwr-m#IVd8blNYQ#GXre`m~M&&#bQjqyJr5{2K8&63~Old0gZStzAXgA^fSvd zNP`@>4c%*DOxxf$**X6|wR%SleA`rmVF%XfV0rSbc18w1QJGBdY)+7rBhuyQbooMV zVZlYRQ%64#jD1V&f2xTNUnPyn3^!aYi3HQJ6=yJzMHQ&>)Kla>*D(9QHUa1_Z+v71 z$1brQK`|CG45Ql@N$4ps>V}qnvTcOIgO(8gxI@72s?JQQ=q#W%qvZ#KG0mcSY6TUfCB`?g z0IviR3@nUOMK)+n_l)j(2N9m}qykGv6lXPcj3N|BB+dHT*FMo9&SoK^o9)O)#IF4N z(R<^}vl)G`4I$+POTP#PP3Y522$e5SgO^n8N4kZuVa!O|f?wgXlye@c-e?e$(1I+a z#gxZj&;0hI3czFwL>D-vL+NBW4OHeH5*v7w=63gpnqost3)3>|D90>yH>6&=p;fv7 z*ZjZXj3DgQ4HO;?Dgq&c3dEvu<&`Brf9_j|31D zIsAhm+Q=6)`S~UGVze|-+FLf>sfYA%?Q`o0`EL|RMJ2>{{^RD8e|wl(gs>$v2etB` zab?mK$%z;{h@@)_d6XTBLj%sbAAKmRx^h@wT 
z>ytF%#Yd0}{9_n6?%&)NaMr#mT1s!W!Qt$Orbna=4|_mV^aG*s0gr$H`@o}LqTuPd z2qZziK?Lp6(9aoqG>pRL_sfFt9xeybxECawux$*La(vBCQTVu7qt%v%dG+8mAj}3Z zni_#Xd!7v}wh|)<)NBXL8k9bRtCj-1@yLMA(H^9SLI#DjrV!5U9%He>xW(%HkP*+s z@#h4A(dT`v8E8e~7Q30SFQb1OBdZy>9{MAG8-8pkux=75dBPc9nr-Qc`f`WzZ@n)) zXshA=M7+hEN?0OHYR)q6EN&dv8mliR#(V5QgtLC@%0T!9$Vtj@;R@NNh~XiT020Yn z7#har%!U8~Pm+gZGg?bD`d~^h?BE zMg{F!Y8GT6#DNk)5i}*nAvHj(TW5f^NeW`*EmR(@V3}dxaMDdS%9@^{?;wZ~WN{~; zz#o4F!CF@x9}TA4Z|0Yh6q!N9i)2IX)#CCz7o_IpG;7@P)0u&VDwT{ROE}O3Oj2W%e+U>*KMF?czP8 zkD=f-`$@*vU_@DTNkQNA7b)9Xgh*$Rdt5Igz1Dc z*wJ~(hTEpsWa6mThGM&EwND2ktGoH5i8Qp;+>C`?CY^FI7BpLxA4Q-b=3GC+hYIFw z@}-UCv{MIJml=&@U_oY|7<5PAt!#_hC&JU`}ndc#>~**l%g1U25s=)P*#ie5rGydO#+R(h4e z>U1Xbd$7pIVH`5E8#WT&!T?+?zkiZ|2XA$87lM%8m7(Ye|F%_rPH^hU7HK`CiHJVo{igBDE2z1AT z$S7zgI>Di&(bi=gcS#qW%OVY2!VYwOl6M@x zR0GlH9f`V6VPsnGH|~q7i>nIpob>gDYIk~5(gA~nk0-#5Q;04iYjV0L`mktnVDs49 z8Rl}*g);a$k7w@5K(k1)CbPfuN7i6F{tb&hYFdL=MGWvvpv^<;AJO=DILCrdWPp(4 zsIoGNg|7MVEc-&Ab9%}Vt&9^}Admlm&h(ElOLTBi{asAQXho!Q&U;I9Urtp1hh^d= zQ9!#NYr~S@UI;v3F#`C`8TVsPU#kN&#KvmYQS_0$hOJ1GSoe|x9}RK!gfyXVYFPWv zF%Dpf6uSrYX%&suH4}?w(|bM<4pae(O$LYV>S^p&&%H0as^QV24SNY}A7#HQI)!I&8@enkB zPdDoh0K(ded(}%^Ruj1h+;^aF2MH;_%O`Tj3{TvKZ%NfAdDS6_aGP4XQp zd)FdB5McP53rctz^8;ABmA!9Mk8fBoPqQnj0dxj1HnVBRu99c* zWRP1np+~z;P3A_}6aYL3Mhhu4z8}vS10xpy4YcmmX!$jJ!l#uk2*L$3K{hy6?zc$J zO>~?q*o4>|43nlY_&i2Q&IAdy5mQbV${xsSnRjQA7oSPEn+pb;KIaDAyyS0H5;ETf zI(d*x?ji3hzkiArTIxr>|D`}B6R2e=g9s>=kTE8ra6WI3eO?O9( zQepah6q3!YAQFV|v9w(f1~yek)F9AVC?J4VN(9q5BT*NwfC%6eru}jUO^NJjBEURU zi{GqYFp_Qmlr?ofx5cA!wGDtj6p#W?53 z$e9b&A!n+=y_$=57+|$4k}BrXE=F~AI4aAe*^Ub@{oHQ@<(Bd-F3jR@e|2Y|r<6<1 zaHPw4op8jRZ3$XC-bDa52MkpfL#*-xjxE^tgyh;CUP9#;Fh(Jx+9k7+%TA(R9Qf*- z*NClb0C>L>w3&N4S~Vu%Vz7^*U!WLl<-H4imBykIQd5X#mJdO=9!V$kzasDt(UVSPe5Oecz$TTc9448F>4=6ai7 z_CtMN@QA65=!St8geuy=vJ{O@-lHu_pn!CmGU?Tta)b(groO z@d5hE)S!{Uv`wgQB1tU_=!i(sLuL9ch|^^kvOZ(M_N7C_o&sP14gpLgW;xh>?DB%7 zzDmB>itA4#TpIZ?g8cZ4ueS5kd)@1v9Sut2<_(=`>deA;pCqx{?`}3mo_8CU$oTkp 
zuhoXKp8oB}c(oOn!>vkZmh?3PAo-R7{@JHEddgR&o}oN)sJ>1JsSiI!D|fy_*9QZB z;c)1NkTOALAEc~xDh8nfMp-jIh|i!t>!eNGDH(*YDq|Ob(dWb+K+~dG4AG1e-}}Tb z0B2xe!6_Z$^X&yAM)6n3 zR&Yl&0OF9Am!B1#Qd$Ftfg4&#`{uiLvv3~IxIDplJ-WBWhiJFn#i?cInhM_qEv;v? zeu{13N053FYqxkpqEn~|;HkX zmb|m@;lesTB~N-{a{37u~|w8GLR-<+IU9=e9SiiObqP=b2Mlsm6^$O%(JBa z-{Qt1^LA>j(x_B}s|tv*070=zUr=pnzQWACivSJ=KQVx!;5ARne&;a^zWRP6$Obt9jAkpI7;5$7n<~+#h4991O3Ufb$V+y3} z%)mfEG^n3$RIy zdmApUHn-?)BpWMY;s5NypD}uYqKS_&K0_M-L-#!1GAa`X@2{G?SaWdpa@-7#n=?I) zp~m&88{iO|5Dcgr>v+c!5}R2rGS|ioSPh7fya=$O*%Xe(V4?tB4w(%OaRHEE01P2# zm=noaGNBO!D`*X$J3CySeeu}^!ytzSYAev$sy=Gt(mT>6uFREeeA6F}lpWQ}G!2Q) zG~;Dq!L_<0swsss!y2V<4CLH`b$}(inaPJUqCZNj$+KDDFgxmYE0r>IWZ~Lxt((%j zCn!GF)g4?S0PrI04DmrwshW-fXv`8FPK4a!h=j`FpNbDi6fh@06&Y-H5Q2~7r3eNv zoo!D?X+CUjBcqT9VvH6Qc$`iTGngQ=Qk>3cm!NNzMG)}h0{`)QI4Xylh@(oMvJ`zS z?e7Wwu_DnBDYB;Ic$#9=Za^Es>1kC=KuRxGR{h|`Koy7u2y4sJ{S`Sh$ZG&pz>Fev z4)(Lq??%d}BI{Yr90`@uq)r9Idn}ri8H4K{A$&!|U14tU&{)$+O5F5dMJw%V^%~Yg zqLnJNwtBZdUw<48aOAn@C`sU}fA)SCm_Yn3^meZ@`8wV+P}t&$QVh_3>iLi%k#KL= z)VeGJY&z#5&XJ?Qs2OBLnNK5 z{ZXYUiS`(>e2+L&4QH4{XpN8b=lZMS%O8-(eNAOdr%sU;mFdQrm_4KEd`qZ%6yZg&VyV|CZ(=_Io$7+{|3LkK!pvKFzzu> z>{s`KFJ!^Vp`@BVggb!uldFd#2R1%C&!J+#?FP#Nl99)`RUI`T0Huc9;5CqVor8rp zmB#q1b8H{on}a}B{9x{JU|gp9Kx&y_=>#-(lh?vl!OuF&x7|Z#qCJmlFMrlt9=Mq8 zoti(oN{_j;Ox|Bd>K>S%N1C7v`hBaPuz8+BVaz(HG=oo^bW6%)1vAVB1(@oSjuut_e15FX{Z1+H^Kkd` z@2Hdmpn!8cr{<5xe~L>euVP%uv<87Ow$LKSsqZDnIzlZ$oyII{H{Z+_Ky!5?UcY!si&R0f)=}bnB@w7o?=MGV2{*y30W7`v%xCuKMWQ^IX)? zHJFC+OfOU$#4LbID<}>nWI%EIc@jmsi((bqC?qc z!`?)#5zY?uEi5z^PYX1G&<4^9uNk5NFQdqA*bpsvPQdM)0^~W;ilrD#oHw!Rl82#! 
zv;jRD?F1t!lN5dwBR|1zjA{@Jz`exhYaBJayisd>MFn@+qG?M7=-_j}lw>OfNb_jm zOi8}JVUL_#cOyW(*LObO8-y1G@mdx8SR5jTU z&qgd!kSgkJ*Ju0(+Voq=CWM=|LZHM1?%!%68kVFk4}Yu;KxoJ|9eVcS76Jcrfy3}d z-X0l*Zc9OrYJOot1xQ=pSgtzyv5lXy>}xp0BHI-O;G3_VfJdqkDxwhfcFv zOA&k{sef5hO%O6MM4h@hgZ9cT++f>Ghdfk3WZHer!u49X|DQ1~_jO7&Y;wlP8X#hTUP2$FYV}WP zAaluq$FHD=5e}DB^o6_Qeqww959XhMO3xX!adJ=cD`@s^6(oOn4C0U5bT@I%$&%~_ zozfeQdpUp*nxJ2v2q%QhNd*r{VJ9#xLL~OM0iX^YwgUMu_mJa6;i>!3V+UtJI#rsS z6vI}jIJ?+j6RtcSpz`W zQrLMUCWJBtwo0Xeg#1~v*;kPK`&v_V$CW^QNgkBQ?LIa(Eo-)^f_+?Q=B09NZ4LI0 z=G^}${Cg6^gc@@>=R%n>8}b!rU2mi>BwY#Vb*G?+qx^*J4AjNJ9!_s1j;#F@PBa~w@Ruo#}VZf5*|*{Ee|+{_3mdcb(!q70iY6;bL}tk86C9c zM`yHPZz7&Intsg98Z9fqGRC12=rc$l8Yzf?v%GidDB3j!a@7B}!7%KqZ!E7&Jst-%dPX|-nU?qR^;1I)l1CX$vD?<1>k-orv^io;YUdoHaxf3h3i*|xC zxlxCCJmF384e`4-a2)ItTb+XRf zSv(7*crKQjEI>N`s6CoFDo51yg7ocb2U4}j7`Xjl-Y2m&m&qv0J>l$H1GE{d&Tl=^-H)vEtW)7O}P4E<%3xFsLuz~=mf z1LQK# zDcFLdC1C>LF7w>H`L`8H!(Icm#a2F}d6l#@2Jq(PHhodrTC^h9%mm6TkN)}(KGERl ziDtaA=62>Z_6W!MqZrDVRCk1lvSRs}MMsv~TM-F7>w`szX$rDa7^lMWC6zNdv69na zzN&%dz~YWPKj*EQb_E+Q++#4{|8rBmJ&&`kuT(g3v~-P^Rm+S7r*0m>#$Pd(qrhSm z1ql7nV(AxKdQm}M(-l8tf-BM$UtiXwYog)ro9~_;F&M zy-9)`-AXLNspc|`5-JEH_eCOk6-INJU>atM+BZb|vg9oD_NRnyD$0lNv}wp8 z%Uxa}X4bE$D9QuBU>0WwQd03N<*bk-|l58Zt&cH&}at`a(-rzpW>mJJTq4^hStCmA3?&wLO}JyEUU)Sl-*sDbE>7X zv}6c9(ZgJ^9+#5fe(^{mguH7eH&EPQE*LW6s#CK^^yg*WztpX_Q=4D-on|ESt2-u$ z&5U-cT@RWFMw=sDg9`$Dg9A|3)IA|0x^TkEz~Sr8@D~7d$cE&aeZ}Vloq|kRWKzau zIWg@HaR~bB$mV3U0O5o3fL|luEX~3?-aXDkq zGzyNk#)>TFrtmsq_WWqE&7)#j`RIg$;G_FvYeN}b5dI986OluMRAYeE!|8$q@e79^ z%Hh%0xK<_po%tMnCebsSiYnX8tQX&rhSS`>=ejlY{^*p9bHkbD9QIe*1#tlq|6L~y znvCTV>_B>Yisu_9EB;4*DTB<#Hv)adJ85?fDGIClwcy!1vXdw_kv$JaHYC#y;h{1- zdN}$R;|`SvjcjJ-aw8VTDI+esycItz93Wc@n`|`fPBA0v->b27S-?K?nxKxKlDiGj z`Z?JiFgte9Dx!#)@{8u@g%FJ`X+I`3%m!LOmX4!1mllAoVTm-WaSVA@N~amhl#miKq~JLr z1h$nEO#p(m8;pk}Y`~X z<3{L-nv^!*B+v76v^S_^LUFNIXSp-dVxW1Qz$ns*u5$p})^3%=m*C-TdAP;ZTgV@k zFE@hMsSB*;M;r93o=1W=vR(9L#Ka^>7J+6Cdtvko3qvs(bejv*-fdoqBWE~?IjY;( 
z%wbZMQ;B^9xpSkD90Vba>d?LHbluQB^WJXa@s7$vp#Y+K1g{U9V0LIk&Uut5%O6gc zikxQy9RgpkiSL*+PEp3}%}!f#ErXJ4pa6U<yeYyzv4a46B0^y)=ER8eyhRmOnHngJ3~FGv>F1x+sdweHr1Fg{JaI>8d|+1f z*L|1e`!+D{Px`9D!oKw7+O2djNZ<*coRpe~W+xKyML~_ve04sum_T|I>g$=~205et zIZXIE1fYddAuSV+LqqA6CsnnG9;^M<0Z}=><7p8Wn#oBM((LMBdVUjw(l->>0cL{l zv&*s~m~Gr#>5saWe0;x$0Q4;w{qSPwVh7y$`f;}n5fR$V+4IqT)lgJ&MemR&LyNB= z7ajR*8Wn%76g#Ao4}1LBcCUxrq(*v-C(a& zN9aDxv95+tx0+k}wgvIXOK3CQ^wqD(YDXFr8^7suZifr>qFF`Y5A;y2X@hImel24e zK;)QOX$As4)PPeA$g4-#|G^Xugs`<45oU%7f-W^-5y<^FV#KsmaqUB@OvZCPq!rA@ z3^4N^2bR2|AG#F3Y{gNhAkV*oZjKE(+S(<{0SkoYP+N`C`d91=OY0>-t%AXCrL~g<=!() zsW+t5F#(ceBgUB&Bt3Ec2_G$BjHVq$p-PKbBE}t@T1S!cGwIk%_LQC{U>Yb2dG}#P0) zX@ENX?ts~$D+jh&on7LYKH>)%{xvyE<~z2}^B+LC%kX8Le?VnF|3_f8-Alm)9T5LT z?B)E{Xkcq@@1yYA$W!WB89-)DIKxtQyo*hvYs@autKa+z?-t6C&~RjC;dVzFCoVB$ zqpU`NzdGjH+f~^>mS%7h$v*TBC7^2wZ$AsS%FKjuBHAprLWkxYresJ8_XRZ{P$*fT z?oWmt=NVBq_JhYQyod5bbitj8KEegXfe}^1{a8;3=)LO?nJGuB%=x&Db_>S2^(_QB~kzqgxD zOuc1R4~ek@bhzULtg-vwB;p$b;+8FM9+KU5lZsJul!5fkR~rQRLXGahuWy%YhRKH0 z*<9k~!a1L%Hdj|B0Uv2b6XA2lnru&uRvh=JBEfnRS(f_edZqOYn;r~B=ACKgZAVD# zptOv^4)Knyh)88XUe&F|Fm4ulF^`46&SwNWVd=9W!s%hw?15#j;S zkB1&HaT^2>r2ZVbKvOk~mc{QnJxO3ydkQC`ucao-G7-Y&&KL`z1w5VjF7TcCL z4ym{|80@Yd@B7eb1tB}rYNfK=cR+yBesaYiLuX^1e`2@Y-Q#U`>0y9mPY+kQr*;$t z)&%877jFN#S$2`N{c(jbyJyi{16gkJ^r2cj$RN%I$QglWiUs<2g{Wwh74jUlB@bI3 z%_8vv`8kMMuW-bZc^xW7e`mGx{%4uQAG$A!#ZfjbQtrHwc61Aq-pbYR}t^uNuX*M>|k3ibld^U&%}+2(AJ2sI;Y$phE&$=GyVvJ-Z(mN7{aHN`n&GZ3%6y(>S#WA04~v>Et@1wvyyQtZOI7LXCuRHj!$ z!)$_ZENab^b>2R#*9fqF(dj^R=0H&zpnV{8@18L}Yeu23K&~#FRA?St*vTs`@goH6 zu{85q7ZYD5{1nX4b4@>OqASYij`W~GoFgW=R?6(*ujC4CP%={(C%{BKOMD~R#U+6r z;}nY`X{dF$zskC^G}-k+RDysOGH` z&aili4_!paK-QXf%cmz}YY2M`!)>d1w0({jyX9`$i5s`~sN5u0 z83s}h#7gIJ_>AU>xNSM&Er8qc?1Z#J`%Lb;fAbFAXhx%j-oU6&~L*p+1~= zIMgzo-X+QuqPjxpMH67}$0|CS_MbE`?8s zv0hAZno`YK*tO`Zr+#i)Xu}yNonLo=@@Z*hQp1=*wU$V@6mCdZbiG4x+ zHm(&6$ok?|ZF%eEV+*nkzXb$G*_kiDn_CL3R#Hgo7iuJy>vR`CX0pF(x8>_>xY?J{ z8;#YjBIUN7X6aY)2uy{9^Xs1VMB)E}kIYjb^u0*Nev=AH(6-4Ws~tVLeg~hHDJ{I) 
zBip^BTWM;*eEDY)tGXv6FX8tXW1fiKSK~JZS=M<13R=ZjmBvOqZTD=%5xzc6YM%yi zFNiflrXp5s-dKBKTsp+K0dV>O74FCeqtN z?OY7@(~WRzo-WdUqJErM+Y(w>?7MV_hz|JI<$7bm-Ii?b%|ihQ+>1Uq<;-qpUtvzC zE&Ys@OH!te#EkNOjc|4}w}Lkaa+b4+gz|a{w;mTUj)XF_;NzG<5=5u*e7oK2Pp7k* zoiWfPd?;T!bEJ3LRG{GJ>Mq+}rylTk>n>PSHX3#^FSUnPBAufUWk+7fJV!37zeC`D zSE}Ke+r>Gd1*#=#mH9yZy97IE2jD}DzK=cZv!D1WFV@JH8f zDO_0t6w;_c1`?dHW?4ySzegkBHY|!=r>Artlcl7=nL7H3=&yc zV}6?p54-O}lL{}{^y50t*#;fWuTc}fQUixYg*}XgmLuJZoJ`Y5Dwsr4Ycs$-?L!DZ zhNNbiG&fz0u3DQ>GxnQG-+(%`+SmKv^iUuT!ARA5DZcAEKWbk{dYt*;=nm2VnxCqCOc?&rABsNdh*0B!N zaiguoR|H+yi}|+wyR~I%{?!F(#|J;M{F@s9>PI;Bdf-!FLAw_FZB&?^d~sFxlw(FK z_;&xq=MgpSeA_9z=hSr3H#6v}2l?dgBC*w)C863{0-9v-<{=o4T2rLn)haF=nEgD= zLUz$*iPFKNWVpOE8Mbg?{BBixv|)n{;y3ssr(~dUEh8j10V;?nGZ9+V@1QhsNSGpq z7icg5z`$^w(Hl$0RD`$~dmqnDlm9NMcMfE$(< zz;H6x&bLdiQwj{Cf_mf9o@1?N*oJG#jQX$^VaL}n`k7hGz{K^ZgTP|0Nnio1>&8+) z0GKZEkBlW#W%q=|Bk=<6=5Xs2B9=OWYJbFr%X1^fdiF^rt~W$9P2nZX*{k@?;oknc zH`Kr3@rghzc6BrnnGokMq9|P2h{I}D`9zFv;C;1rpT;wK0Dmg4BSGUqED$R!H#qi4 zZVP3SX>jX^OUXDEl3xW%BOgA312bW1h+k!yh0!mfm<8?7Ns2wSqKqN9-bK&=pNK_1 zL^Q!na#o>amK|eEGlg?CW^aleORb;-W3?5rplYG5NW=lw3|@$LgPaTi3hdI66l>MV zQw<8grLWoT{fg-`emu>i+zNk=S+zMo+Thbbsztm?xg!mg4n_ew#c8!LvX%%@4bXU7 z#6kHaI2hPIv1&9JMKrGvX8`W$cPH#}(?R*E0?`RCEvq z?#%04!*BhxtV_P^jzslYdvu-*ETfQDHc;xgRMt0nC3awX=Qk)bp1&RiH&KR*8ek) zp--!{@*%D$CXJvjf$2C57w^IP7W|0o9BI-jGyY*B4xl_S?GhI-v}&^phu+V_+yJpZ z!J5!?R0s)kDV7k_cZmTu#fDEGMb`_U)2i#)k>^@Yr$%=+)@8jG zDU^Vb<+D0OmBd4p9;;26Y)uK`nyU1nd#&HYZ+fHb+cw=ME?^@Es6)xnIN!z5#neo* zKospw%`V!ZEKds#Ipf3Efhmgy?}+vpCBImiqqV;*1mD|*^6#G2K zAmGW!18m;wgPka<7Z249^M(;>+E4)6zH;cm--Nre%sDUU`NqM|B5 z6N+dXGUt+H!L+&u*Y7fRImS4bZp2R8X|V^Ug>-gA257#ZvNh&F;_=C?+if%E6P#y) zVgI&Jb(}>V`yP@>3-$P@B?H6GOt-9w_^m=w$MC zTE`SgF@5bbzSH9aG_^CggMv8hIWL3;^1>eUV2e z>^{CBEaGw=?riQT!=S6h*=J@J-d+bR~863*{+R)*|9jl#;B( z>lV{C!y6@uDEJ!As5y)XcMQt5Bc~)_&EYqp;0ng1oN{cOtdMJCqE8t}cPn4-5EoVt zlLcWBgtIf~TK2quW)YECo?MCRopw_9&0E_mO+1DbwpKV zR&znnxKA~QJ%i+$o6yPj`>}sDL9!sbkpfu*^J;rNQ3Kmod1AsxqNGDOo^YR 
zRDGlAW0G&0IrQH26-OwFasJss7;|;*M%ANK1uwbWfycf`Ago>8qXRu*yk~41eaD zeSN@KVTLTPkKk$N(oNGg&lMtdAq$BR2=4%_cNZe}AN%sVDU01yL9 zjH{K4mEty8+Dc}~0ql_fP^f;J$8clPFDxF|hK^oFZF}LhUH%f_MVhn> zb5VV&mJq7m#VQZ>x)&~MPllMy5+wk^sY_JPz$fGweYgFyvBxb8L?mc8ITe~5e0i9ECXHnG5x}b;GYhmgB_&_p- z(N&Usm(5zxAN`qk|1igJ92wq@iEa0VK^`(SNvXec<*#?R=3qp+_%reV?Dpt%MoMjO zFoAk941IPUphZ+*NFVLwr-NLQxwd``@Y`t98D*77iZ{3sd<#rQJ$`Z$Y7t_=N%X^1rYutHmH;1GkB5=ePjK%VkJ zvEmp0iRX;YX3=lw(Yk}il>U6)Rt83kV5;7yH06Vhd6t5$QejKYbD}Pq`O>3s(FR~i zfX9W2LY?uNaS9HQH+N!9HKa?5)$Y0K>5fCZ!AWIsd_~ zW|Sa$%30-dzwHNvPn#h!ij!pgq4_c7Hwn!573xbF>dkL7y;;EG(frw$BAn2ndKWyy ze@RLq4((8U25mI3fI8(8dB^tEQm|$`^H6&{sUrzOaV_gb&Fr^fsM;0(!yQ%!M0O0>(wl-!OUI0$fuXN0YSMRz2MgI);7YqNbgKiTNzP|6pGtp6dP z?v`5MnPY3Z4?(wn_XfSV$}HupPYdZr^psQAx#}GI*i`{y`pz8YHlTNXyZFZ`L7t6d zdAMT?C}@sDaXNeLwQVhbadRB=I$AKJ!EZqNncnn}PE9=2gAZ;m?@ayV$(e$)-gI^E zW&0Tbg==Tw@DDqy3lKtW8{!?Pki))10!rCCs|U2=)DAIsuwq@HEk#a($U_@*qiolB z5RORBaT|4Z!C2>~ku#7jI;?`>R+L6#Hh2>b=7q}b4beM3f}rNz;~s@biuO2e%o{i* zPL!otPnzt!Dn%)F6Q)ZJ6hOPMumDwsDeIN$bozEb_2A(0xoZli;0`iFV@9Qom>CFj znY{zVq|;OrX?12eisr_a<5KHCl=FlWzm(-~1|hZJuy;S$qQ{04uhAX`Np_BRTWT{v z04*neG6txeYo{Z+X!6BoLDz8Sm-LEqfJLf+0{L z_}UM<1b+<*?bF6YX~c;k zwIS9LeoJe=GXi$Xf1@~(vl_v{+xJRW9x`VZmGx3XgT%$kf_GVM`Ii|44m`vAZ)#kJ z=ulzPe=%w^Pp}#R;Rb}uEzv#->>Gb0nf~L8h76QGkIfAcG)zX2Xm}#TqXG(wk)Uxl zJ-IMf-}uzV@+f;$uEj&(ID8x8mddot2;qE-BaJYou!XI)&X0kGt(|Z#Zz8X3hH2RC zvq{e}VTjZj$CBAoAsJq5A4nabrehIw0#L-Kr>N^Gi_1OH@{gl zyUDi{i|pcMZeQm8D}CE(liqumo3&Po`Ry(X+Yy|-6LWsvy7pIZxa4AusN?ehqQVZr zTYne0ejbd|G0R9TB#$}2&%<10^o?Cn(6yA#Mopd{AXGZgv_Dr7a3(i3XOMp+O*AN3 zN7`%+_BvFjzoOx>Y5n0}CWqRKNJ()(IjmN220jbpPp7BCL3w=>&m00K(#=}W$&fF_ zrgk7w#%mku5)fMTfmU4KBGo;5#8u@P#Ee5ff~1!B+&pJI5Ol)0PvXYlaq&=*!EDGk z<2PT6H+F5yt3qY0Bs-FeT>i<5Vke#}Ap)SVw9;u@KP?uABtZGpVKhs1xG>-1!Qh>0 z{;UNK3j$B!C3P4l>fabSl0VLvX8b}l2#Vx+|BO-Xn=d(9!6mczAPeUd*>3NP=tzempL0Cm_ev23x z@-}tPbpi&+hi#ckWH9($a2fP|q&L8UGfT^3&C#4=%hxzt9b|JVMY}( zUADZ|9OM752yjZ$gYbd6y43KG0?9W26G2Usi%p}S9i8t?%ZTu?RrGN*KH$4p=X8ZU 
zdTlhjNDoi<8KDC+Smcac(vc|5G{#R@?@C&?5$y~Z5l9t*Y0bKb$U@9LB@LTr>1fEkz?gM*5Nhn5bKxcqTB|iAZ8%z**OTT} zRcc4adLMMSG$Oi~!DFt%1CuqMVec?!iOzh9wBw7v9#L{4aL)ve_$DxA9k)^`NVii3 zI{`u*gDZ-L$}mzlgU4zaA!`={z8dKa(|hL#sJmC{LlRU<^k#8$6`Xy$U8CbU(o?j( zoY>;YKl6`gdTeOh#P*C6;sb*15e6#L;58=$!e?!_Ac~spR09Jm6~XO&uE{hpj)^xS zra0!5yoA=Vaxx4;TD$Uxjrd_NPgTt8uTj?161@{kZsT2~a0JKG!I>A!4sx&Ep0QU} zD!FAVhe!6rAY+R89NPH8`io}*son=y54NUp}=2z-=fq#1~8l`~(Zsq43cm40M1 z?rqkbvoo1aSEP|8)2A4$V1X|bCQZaxfhZKm`B#q+C_Uhns(~0mCIQf|&PJ*UU%7FA z^EFb!`E19@bRI54l|TqzUlkVD4sDTk#tzHy6I^3ytH%a1^^F;UFb7jM&zrG+9labv zLS}`pcUNV^JnU)u-?GldL1*hqzR2N6Afb|4H$peyDZ@I*%BYblZY>hOxg;*B;3vdR z55p8JQy{+rPM;Cy@k|AYG?Lz*s-*KYfhRyoVam_}>NQ|*po?<43t3jpce1AmYl_7E z)002Jo=Uqv+^9-jb*Es7FstPpXv^-;v%B05KWKDwD|2Qc2ih1lb$?a^$Za<(71ZF` zi;JY8nT6@?1Z)OoOhWpJBmgoUhp)-Oa~k}I^}nct=GF&{cG$~VGEuQun5cDQx* z1R@)hlA4FT9q4Y`g2ZIu)QF>Qh=s)VKn6n_i?a!+E@VS2-{sRLo42b6a+yzUg}f5P zVyfoBEpjBKu?)bDyi0|5e+k_cgj26*--jq6xu?;sIjo!24DwBZ9%zJz;>!2=2;h(z z!Ym{UkO>zWxXjejJhO*B9;^yMI0$}%RaY%BTt`1+ss^_h4*Zr8n$--08aqWD!EKNdAoJR~1S^7m?_^D9ovtbWwqDh=wb48VukHYAPT z1hJnGGNx*GwTm|5$b$NJWQva#Cg3MD(HAq0M1mC`8C#dtKgyoV?MBS^5rN?sFhd{< z+JiR~T#Z9$eFQ&u!DJ528sx{9(EX{2@NrOPI;DiodkmS9v2eGDIxWFe;OgpI_F#x+ zqACcZCwu>hj@|^dQ(i*zv8NMkazqdF9N9%^{&v&0XzW=U*3)JFcF8ABY)JyF>M&7d z%h@v+zf6%wBfgNdspD5~sE2MyVRf+F9u`th z%t*pW9)xs!f_F{YM~qD9na^G3v@g1QVjG6#y4u~Y{!vZXgwP){tw*sEc{PYwi?Iiw zzEqIF{wTM{5*5T+?**3pya&9weg0ze2sA}bX1N#U8fMJAF{|R}G2E7cTUx`JnyQ%e z+9)oai=r`!JPHR7<=Mi8uv)fc;Q6sszmW*%XZl%VY0X7*p4V>DQt)LB%nI)oS9Hx# zVJ3p)O$ztV`7$=pB{Q35du|J?4ns)XsX{SD7QckX=?dx8W)Xpoo1DiPBQH~e<{~%3 z^uf>>kbTLd1`e=%!%KDbKma|j4YOKxI#%SI8On% zf&si3&FZp>afIJ3=vljqwoOGQU)%~hJxma|-KNQ@sw?ge`-!d+pAsy(r9SxaG=rZ8 zMGGJt?w@bx#_w5gWxc+cO2gJbk+GRDY(AfU>Qdn@|?5ZASM!`0w{qlj1 zAhn-0nfCBFEff?UGmby{Vqi-A-<9`xHTXv1<3e>22TxgaT>Hm+gGaDwEK(4LKbP5s{i#iN8Zm+=B1xmwRW5%6P)L4ofMgRFMJD$?@Jn_f4M1)_5Ps7bn zKeJC0WuHWPDpq)pihYR!rWi*64hE8>g4ScI z%ceFIXwkLo&K)CjTx8EgQ+Rge0Qlnq0dz3zGPKwtP`5whR~!UOCPl(ObfEi`vcrB; 
zRY7yXB+GC4f$*ymG}ht`qsSlEi8$t#-^L?GRd^Lp_8T6mcxLmAp;^k4UT7(T1|S25 zF%(QGzy9XAZ+EiWige^LhAh$bAU=@zV?=g{;Feda__1%dF{wsZ4FCm}#8gQ9Phg4+ z$qh=3KCl=6WQ`>JMs7N})};ekbIT5PWp#zRzm?M=)j-K4^IFkRZDv83XhqrrFqJ62 zj^k#_X&1CEDgSq|NI@LkX%vmXSV^ExBZ(tF;3#@zD4*^mxi?39D-9P{S_ghR#V7|k zEdHzwqc>AaGT4tH$CtgCKE|A-lQqS7obmYl4i;*iM^HS;htzGd!fr5d3T$8-}wJd2WP7(MUwiVGZ?2#I4nnbRL&su?4$ zg)uQI5iEW=7touf@*Uf{zO5Pya1`mK^*9&LpJPKs6FJcbt@I0agwptmMKc%uQAr-- zCYv0VTz?D@>#X!->752V^eByhjAM@eJsw}0!WLwK&^~x*5SQaT#>Tz=;uQcOC+xT9 zioIH!i^^7jKu7MV$1^$nJ0DMWkq#Jv2IV@~et4`%vmm}lZ&|?e+Dq8la>E(t=ZtNX zO;G=#LtPh+DuZzy((0;K2q zO?Xa)@)1g@P*Ji-pF5p)&vJO6y5COo>T2$2c z0-+>9hOh?$!H>Tj+9Y~rcsOCbQr%r$Os2Vk@W}%#{NWY(Z7c}#AQit0Ug%Qh4|k6s zI1)s-;&qs>#RaKTYq+S-FXTm-!*l#=7fO7&kU1a+#%Ltu1^u>+P_PKHE3Hm92s!69^`r_ZAWY3Ayu1LSYu z$oWsAk)C`_y5`r3RIg{YV{tiv*A|`GF(^MB+HhaL<%9tHI5f&H&CB|i$#gyBN2rEm zPS~<%<)1*)7y-7rvZ9qs&fn_~3iX%DQz;Jye@EgJyY&Kd=Rww9anVLtzA0_!l;O9E z<@^9D0K+UU&XD>aNu*t25LN6)xm4F zo$a3>e<#=C08K!$zb@+>#!C5gP)7Mt^y^gezJ6UQMaGliX_FDU;p&SW=Qv^c-wiU# z_991U0o$hw*(Ui|%bS+-m;VlZR#0fwWMqAAgb81k|0c2gn(ifNYh+yjl6u`ThZUb@ zrTXtUJt`%cS+JbXirk$=gLcXA5!Z!ThmWH$>sm9eAO6j1Y3Wq7i&jt5o_{SIwAB@u z3e2DK`?6+GOSGmigV0UO6#dS=@tD1CD4A=P*_dQ@GX$}-Ju?*930FwQj*-)h?)A)} zQn8;)zdKY!o${$w@&|uV!lVLCme4p0v64+$coAbVfkSzM0cl)8`*(GM*MjW=VG|s` z&-OS}-)Icgh8a$NQSF01gX1VZe}5!@Ptc;6IGKN*<*xTJXk2JLXXb&}=x z{6s;?q_GoymNG*-<2*t-AksBEe(I<7sNc?_k0D*Zpn%vd-*myAW{)l$o^N8hBc?jI z#aHUh^ux)%Q5NzahEg%lfT-;Hf;J9uL+~+i1m!a{1NvfZqOZ$$v!5kzen%~*bokt^ z`waNoDXUf%`s2}OrFaqq2C0RXu>i4SB(PE>{6h!q&#Ko!wc?VYW5$HjdDgg%T{Gb! 
zOHRn7(n_J`lx}Sy7cB920>Mj{HjrjVdR(&ur z0)($F7p9*XfdLJ&Z^TAQWMH0CFVn@*Fyd=D+tyQg0DL2%%Slg26W4lx&&5y5IK;q( z7AcZuAc3le>|Cj}QLVqI#xXGg%GLGyd)R!!p2o+Vg?B~S`_OHDVUCl5=~O^eBGf<> z<-!(CHGUiGshOLY>61ya=wY(DfV!5hW8$$2XB+ObA86^>0SMUsMVfpDYK_$n%4+bg zK(eLT(L(Xay)Y#Y_%PLykCLU-9~wTT8vCKcjv&6@74W4r+0RF5HjWCnjD%ikPxSHv z(ocaNEb&xJ_BrYQ9WsT`j)IEEHFW`~N%4tPw*JV{{RvWRi}ZL8P0bmU4k>A~#Hfj$ zFf7%bxTMqoHYHp%8Q%DPDneQ*68h~KE9z#ya}Ct3DyVfil?*SAo{Q|LC3A&3D`rHkK&i|`MY%v zSW!BIS6=dDv~~E=Sof*y+CENQo&yCIK$Zjl1Eq;G>B)PEn&zYK6_Tq0qC4DQx+DPX6^i=$|kWvY>oaB#CSH0A$C)1DFUeP~Y)Qos@6COXyfr(Ma z55U7#){L>b+^zcC+(lIWR^n*c5&ju^4(}S;u5a+4%6;$fW1)s6&$nM|^@dwx;oR3j=NCg4T+e))vTQWiQ-4Dk_->l%dM-6ml^(+!n%JnZ{%5 z!>&Vh-Azy3I7@4mQ~>G2l`K)Gp(`k-aqQQXcim(NEAFrLCNEan{YAJx2_|dcc5Q@A z5Rm17n*|PI#22GlS4$KYEjplpjVGyWLt6;wc>;teGpbYmR@IY!J&7`F7lvg8UpEjo zr}=)~s`}y_9+3wwJ}ijavQk=EVh08>GG*7-hN9JkqMc|vfH8_N(1znfDLS}C2z5dQ z1;5_3DZsk(4B9|bBar_6D1UCJsXR-Thlo*ma_k>`6}vivqgsyeq>fN36_pS##*ApIc*u>Lr%i)s!i~P#R(uV zodrFpp)h7y&0Ux=FiX)egaDE%PF>YI2@fpu%Ze+v5=BnvNFWyZ^3~;?H(8>3>E2G}c^ymx>BTkC z`IofLDX6cw{yEsI=_G45mbbQVJ?1S3eMOD+Td&DDK}N^u$?!P2pzmRN#x>KKQ*0W# z8llX3!-~t->txBb{hTv7HWE>ct09w>Cs&>946Yx~Vq1U{tGuy(Db#uVIayAwH+0Na zGZqI1u6R#JS}Dzp8%2Cq;ougx+q$+1?hM=4P>;(n9T|>gv_0YAb}ZaajTAI+3cx$N zHHcb#WQKY5Q>0<0aplcTZQJ>D&q^rnw^WqRODBSJ;dq&;GPB)jg@t##2A8iQ1*2a* z&cywGfa~~9tw1QUO)1XnRlrjxcDM&u`rnK( z>6m(|ray#-u%b_U&~t0WZ1k@;aB`*NWAW)lc~WB)EwY)u%&g$s(74b9MLjOseF8uH zb>O$(-`5D;wD6=jM$?N>=q~urI+ILG=#QpUWj+I*P5n9|LEVa4ps3{}8*K%SjsBF# zxvz2AyP4JHPirOKFyDHs`|3Ap7K4vA6(9xNJ4i}L=hk5r)5y*>*VjJ4{;S|R@^cRd zb4dAzJzb0rRDN|%}y#8|+rxW=S&|~Odh{4GiAeUl zyK4FI5y0%|&Pqx>9>w=#jHnv&>(*DeRZ^&61;0?fr*>xf2H_v>jRA+;Xj<|^#*pa` zPO{fG>$JIvcnyWUOjY554XKnWS%BV&u6k&r1x@23;R%I*?Qd*mFN5yoE@d+oSm!GR z68XCmW}%ZGne5~)jIfmsVtG_cY5i=3r8aX_gYk|cctF@?>W_ykF29o+L%?UE^JxT1 zuff+WqpORN5*Si4U+X-a=@dx#Z{4Tt4rc=2qjY)G0pUcY2_gUL?c2*O~RQ@HJ2gZ&b zq;JBnNG6G|hoQ5Y+S`pk@+;!cLo)RjmvB7&PWjlWZ(?+FX*~IIsqtW^`p*ZizGZ~` zFAuhUBoMWYnd0&o_MFX6MuXcW-eXJ~Ss1V&FNl+ZajyxuxZ 
zgU8++W(9*h7WByhgedemgT)G;S5I$d@W>t!w{~G$G&8VHR9-hg^vqq--IasA5qmJe z_5m3PkkYpAm zec$Zj4l0PYD;A!zDu3fLZZUQ&FPP;AGEovhh(yB4gppNGpARn+`j=+cjEtvElD<%^ifN>DX=Tv>AmU@=qyh8)7PK)`t+$$_;Wkrb5#n2^gIfI^ zYcjPjl8?ijgsg~(-LyVmZ}RiQ1<~#k7z?ocn@>QskiX1UOyPHbxM$ z;F|--zTVgO?<6jIX!>)8pr(!I-~6j+TZ6!nmntBX(11_rrUx2@Fw^E+ckxBu1&H5P zGi#h-=xWm!tm&6-`Oi$_?*Z&zg>SUh;eoKz2z+Z)aS;|RX}85L?cybkIc7gixmZ^C z`Y>uXXN&!r7RiQRwZkr(HPEoXU=f}HnLYSI@(v(qJnL~WFK!>Iz7chM0}Oi5sK7e1 zUZE}4gkPZeWk}gdXBx%n3%cVHew{P#tYwy^%%d~3~>i-y$@pAd4a~K0Ga=!=AnQUts*w!_KZzYvl zIr#@v`dEi^;wbcpE8Jvp6cqlPTWYR$%W7P6HQWPZXcQ4B-Jr)_v;^ogOEs%@Ps-~b zp!Ho5^&rv#=v_e6d&?tOAc*wC`LpQdp7C^VgUP z=M)L$@7lr_N0e7P)S{|!44JkpXi}t`5vpTAH=#z<467I+)F`-OXk~I|x+8c*lEnQ$ zw-4o4RefQsB9t|Pf*gU8Un7Gm-px@8_9D!F3!I=60fkYce?#=eel)gVL{fnQfJQqQ zUocEm_{ur|v_u#UWW->Q$GpnBFliM&Gw7h=kai@|*lzH4T(86HsVa9D;|X(E ziyCoP8(V$|Kmq{phcScacXH<}$&~dt+ zAnA{ALq{s`E$A~A`V~a~g49QhX9b(9!U|3c1C|#gW>O5*;HJ!Jxj6tzfhWlsr1Au6 z3kf$Y#4lv0m7VtM)#%~?b&8awwW$>g6Cp;Rh=8_rC`U*qh^He-2@!!xjY(g+hq-*V zkg!-ZFUKyRoM#{&b*50jR@PBQILmyTF{KcT#zTt>>?3El>jEzToB<0TkYOq+hK zSF|tyxkzQ+b-~3a%`63N$HI6#MsxJ`EnScwRZ&uE8mlc$!IJ~Juye6AMRL4l&+= z$SZGcm$OR%YKD?jlPt7pI@&xXk9^nup7Q1a2}!NVM>8E!B@Z%}V@jK#rvugp{9y1^qG2 zS9Pt<8Y_J>svDPI%s;4M{3PxRWnoY?HDNBnq91IuRCoL_K>G(aXfU)s6gB7;ulWxN z-<;Uj{02Yp3WM=4@k*KIDCw0g$mMTMDLu^FVUuD#?$c`cipxRr=BhefND}#{;{+$* zwbvQjOTqLZ2QNUk=mi-#C%otoW1w)M3J#x_E@H)xS?{CtsDH2yJ0E*l%C^fP4LdAv zVvCw`Bs27|!I_$qsdPcKE+(}%ZqgZG0)mu#{6dH8i;<|ZJFUqzA-~LH;O}~P(UKZ+ z@Jo|Q0A>f&r%^To7xshp$=My9v3#lonoQr}5@u}XTmBkuj(K%HUIV;79Yy%d2`oVv zw9VrDzwLTM=<|}=e&X)ztp4SA^e=#NYiDUa*BI(2NxPzFW1pzeBp?J(kW)5(Y)zq( zKLZGdp7(Qk^Pdcmq#-~3M=}vEdHL^*bPrx1e>OR#?=XqunLbl!m8Gw7j;eZHxl6Bq42@cIPT*@?-t1wZ?THvrd2+~b40+KV zldg8c;|&qU2ET0nCSUdb#VOkd4=!=zs1vVjH#KS23ON4_g8*jKG+-dmc#+b4!6Dsk z(q9@#vq&TKt1Pzt#Q7G2l%Kec8jMD}Ih*|v<0+?#OM7Yn0+ae}tFbyDGj|X(`>SXV z(R;fhtwDV09xKuKt;4yW?*rLqqt1s$USpE>TTO}37!x;-+j#4_=PD|IOim4=A9TjA zY^TX*P+w9#*R!$l*sImE{f@!q&FUN6g^p|lWIffO7ebF|pD`H2#x>G4CWq&iEr(yU 
z6P<-(@N|QLM$Le;!%o(fww%M{DyowOkoR*LadqyL1Ih~cz`&}+5fHyg$Y;QyX_AnQ z?I-8Q9(VFU1Ng`sKs-mdkZJD)I(TwOdk#Qxh4wp-7`&xDi{QAg=wV{~&J+aNMN_vR zte`TG9KMoxD01?1I1tgILV=a}^O+5j!a>WI0=C)Z0R1)+SdV@9dbXa1@($jtMdX-5)x>bFcP)3gPzCQ)wlCZ^wikmTpRw7>KyW|FdT&!4rq5K)p$Y^ z^+*>4H6zkapNg5=QF(DQGy>=nI&QiNw3FYo*yPCBm<0L7XK6r4$ieAhVKw>O%(lhe ziT43D$Y&3aQe-H~?j#8Tq##Ic22>+AWy0JIAW%4NNXvu=mie1sJ7bt5Iu@9E!61iH z0tuQN)mW)@xxe|AF@c$pnMu{y(jLzmJO2|-Br<&PfDq~)qE=O%yDKi(9jQz^EPlo6 z*wCq!P|?0CM-8*=yJ7nSZA?stwIUZk-!0lGc=V^OojX8d6;!1#4GauLRKrCFw~RSY ztNf{DyQUp0@0pqE>blPQBV?#7ei54dHTkqrWTbq;6J9p4c#oEdgK zX~^g9g@8WmC;o;))XIzvjg~#(^#?;=8~Z)$=~Eg}7&^wN@9CGg1CLoyi#y&n`y+Di zo<1d1PxrWGa$jxPXcfwo%9X<5clbi}j#f%e0F9K&nQl8&^TNjZS!5hbiMRxWv^{4S2br|CzJ3fF&_zzz>^6#kv8E zk^U$MxKb(`0h6toE7PY0LFoN_6LiDFGt*ye)O$aFseO^DGp70^tifc;&QeWn8P@xy z4O5O0s$yd#Sah-vEcamUZhu*Em1J0=4woeIy=UmDc;cenQ3o0t;Mia^96spA$ns;D zt<|3I+sk{#+wlMt>}zs9cXgS~-*30O-D0spR|!a&)))QS;LnCnu$&*SK^C9!Q}qL3 zM_dMZkFi}3GAH_2!F5{wHg`wYUborlGg=zjT;fCz*A-T3#?LbP?J8kCfQ|(H;|5pDj-Z=kbJ46AH+- zflzLLW@G~F+t(?FqXM~0`qcRxodl@)Yg|?YuxRtr#&!^C0 zvB^U|rWH#%{dRGJugOkwo1-MaMNcHCMuPNSQBd^%CYW@5xOYX653VeHY73qFOnC4k zk?yX3L2+~oY%N+(U36Hq_3P@~(841M7<~=}Bw-hPUA))?Mgg&cbP9zQFC0@4_XS}B zOaWhoGAc#A6V*)@bEd^9Mw1gF0WS;5pV?&Xf_I^`;L5j$l9@9%H{KAZASfb9zll80 z^QV3Me1(k|_py>6C<8m<^7l0SD#JC;{3~|?(Aax@-=+o@hM+v>l)Znfz-b|jK`>q1O9mLO%ahQm;-1Lwr9 z!OmDqky}XQmxZj>&k5|2M#hk*wFhL3lbkoV&Qh)4N7eCKaPf?a;|GaR7A!5(^Ut`z zBpVSb)%W$dV0%1C0>BLtJzb2>6n@g89|e!r;hadn%X~C)k6(G|d(lx}) z3CRq5?r&5j(kFsFklL72QKteMvi|KKNFWeVM4?AjV+ddsh0_53k)35PGvg)qYK#|u zjS%fkqxR1Qt1@fAWm>Z{B<{Mcrum37!I_dtPke1s zKmH2-tP(3CQB=D_%}OJ2t8f%L@};S0Y8CYBE0#Rk`0!*^Rgd>c1(VE`so=CiM6&)q zRrb)d<31Hd@~h1FHSQW$&1>ly5$7A0Y$_RF#IoU#-^z0BM80MnF62!sQ{|}1CtiKV zlUO3?+e+CqbvSEi2WMcyrvwUZ;3v-4^l!Kfsga=RinOSih!TmvxNa#sd30C7>v*rq zMqU~hU%S_gOQJ%g@FiT$3XJJ-^1B7zIc?!H=pmj`dw>LYa@vqi3$xF zZwhe`*0{ov;$yP-nWb$(nlnr@^MCRQOI;qhr{Jq zU%HGPKe`;h9qt=HB5oyaKX(+jq7?TP%S?CQb%qG?tj@N8_rcZ(x93=MXpICD& 
zMj;$7&Y!)_T9eDFk;Nlxj5kXH(dG3;BSEY~hYouP9uFbBXuLZ-gqWsi7vS;rMWq!) zD}@)AGa4WWUyp|Aa|^|mcc_qNLfGO~m@U34RWoOK69U29oF+EQx<}_|>r2mW1fLWyHONuFFv9Uc z7_>GB#$IvLh%-(hV#-AcyF8rycTZ>W^a_4LTne2N=;LDr#DP`$Mywv1a3xM^h1mk7 z0XkX|UxlITah>=VqsA`9PoR1F-THrs8Z>>!Dn(5gi9aHM#1k!N@E}r`?}O6x(BYTb zg-3rVf$?Q$9B%a2i+nM=wd|MiEW2WJGL`4zdp`N z7rR;JPQCxtw-N}K2(Ky8>>^3NiH(6h zwPr_cIKg!Sg$eoR#kN=Pi3z-)(BU(K!`pN1k?bq30yKxXDXBTGQikb_8J*l03nziheu1iiE2z+Yq|_v$Gq9Kb8WR!F_ThkU-(fPnZu z#(Kz_%6Z;Q4Mf7}R^nE?QAWIzb(I$s!t#}w*@qtivoLO<3Y^+mNbV9r0w))WEmz>B zQnn+ymko!U2xM6%jUr8n%{G~)s%Kwk3?R1$J`6Vwcjmu=9UcoPKbn{_(9}_eB`UG`N<-KNbk&;`-IX4PCRmAC zlO4i%0NtYD0{Us)R3k~)bMkl5xqRCj|h)EJ*N`RiAK>zEn|2qjW5rxpOa|X?d-2EISb#n1OC~E-z=%`JP zdVOF^2*4mP>YBJ0At0h`m_MCXr+OA4<4p?oIDQSUrS>VKU%b8y8|()XKmFSCsKxZ% zN-ajWu>!zP_j=?4?BGIao;(f4>bc&yIH=2Rb3$Fv#2^5F(xWFHt8YHRBuQjn&o)GjE$ixi}(G=|Sv-U0jYj7TtoT4*>HF%1rJ z{!r3$29!H_5-FbG=8$bF?iz|D4U|EF3aa-v_dZO(FS=mU#G|Rw94SgW z?6TC8wOoxC7Qb@^+UD?07t2Y?9r;$ZUYhfl;~VD@*HYysALTFtiK!vsQ-%5dMs34^ z8u>`Nc;-KvY1n=1Eb6u9oK=I{6^2z(;0J?dgr=v?h5G4ez5Ky~nHqp!Hy36c)rl<7lDs0z}iG8`qnFTsZ=C_zZ)PP#GOBZv*JZ{*D1-I{IMl z(~3C84mt4a((48Nex}VzxW;Cm6@;Z;H$plc7+vCKc2XZJ=$EIfh%7x)S~=EBN80fA z9f11Ri^zx-=LBAR)2V0@FTX;VM<*YiW{B}p=QT5Zg0zjitoz&; zf_7{72;pBLw$PIV-({Sz#+`ocWt?a0a1J3q7DFlt)U`o!DXbvO+J^tC9bh!~5^L1> z!gb~{YU+-DLpApY+zSh;x?YpS9f?+Iv1|2MrM#4Z@ibxis`<_&mly~#G!=>H)yPul zLqE-ZKzDtPvzC=^wR4^)UmN!J;chkfW|6rsTywGKLEG4@sX%y$j(*LjI)_s1a|TUr zQ?$trW_93xa`khitMzRbzmZU8HhiL=!P9H~H5j{%>AD932sIKoVPIm6^V)%`taS_U zq|GEeN*n$Z)i`A2{*(YY17rYx-bvLc8?;#bBj~lgtoIrDrY6WL+PVs#<4-|RGioV| z(qurOAaiO|vYy1lQ^i`VC3h_|a!Y)TcBJ&E>?KXNHMr}l01Y8P?^0=Fl_{>N zB{X#0=sUca;!}=X^RijtUhqG3clk8jiG|!J3=u%kkKSRUMl5nKtb0uv8S9s~oS7ge zp*%)Ee|};k_m?f*9EAYde38JL>)p1g*jr2tx0h)slM#GaZ_NYx?Omiy6@l}e3P4Q5 zLYAhnjd9O{K#@RU-x)cRS0IeV?@~AX{o;@7#|}6s9kP?2x0Ydue|re(HnDy2mLQb& z54#Nw+`(^!Q{eG?GE|EEP#P&!{*GWgEAd-BiCT$^iSr()fqkpCQSFU*kw6%EW8isz z+)D|+LNA0?j;`fHfpZ`p;-P?B;p@1mhd}6-B3W5|e?9uaqVN&9wOOQL`=#CF;2tN` zXOJINFux2q+_gEma;qR@V$I(-7itTn z?XT6?G0*0*eyA%JtGn`zvem 
z=7jEvo?jCviGP!TVFE!1X`%oT3Ka?&E>Q^s)FI+94iHFzov)HBnN%=^PvIqcft!#v zlz~=&0wXsCAK{OSUsbMPNWl{96Cr2?Nupq=5}P6=rS3j!U`+f@g5_a3cI)jO<~ z@#OM1z05zZTB|$GAmP4+_D~{2Gaj43Bg_{qaASuJM`EdNpzr#`xE6rIgB1l@;Wm0> zY)OAUpB0XtjjpZ9$<5pI4rLOPKYhMd3Xn32wWdPPr9dm_(*wbZ zZaCCbz>hc%u(RLeo$h!MzTAysH;{9z`}CzggJVGcx24j>wR4yG+r{ouPt1Mq?oyv9 zIHXc;bR;lT;}HHrE+L8Pu^q%v90z3}E^2c9Y=CH302wEI2mz%35jy+kQa%Og@?%{v zpp!{)NGKssb#ab?D9=OVLMOrmNVjw`L=gb=*Kh-BuLk-lhGm$Z4C#J*=pi7z;f2gJuYEK5l~n7~ya zQ78*jLZW8S)SsXsLeCe~_jAiRm6evzM(Dd=>DTpjLUjB%U|T(OMZRC^qxe^(>~D#J zMJBM3a}W4pewVfnLK;W+&rni4ad_$CP7X0Ex_s;cFPk%ZU`*Y*!p=}kQC~Y|8f!CD z$4u1>o?RoxM6kf(_UedppbbTTTTsXu7JF8Q$$ZwAujvCOumjJ5mjqvi#Sr!AEmQf! z84~Yiy1Ko7)fXN2jl75_{t{ck4T&Dh7?vavHx>gUG{*yoLVOx%#Ws-NZ_*Ne3RnEw zLz!Ocqv(7>OW>1tKa5gy#Z^MoT^oDSkylFlQLp z9R#T4CdQ9^dY>si;zrr50y=(O6J?y3VE9fxRIDe0{1|Q>?!+-vYcK7waT6$!Mx20T zL!U={4O5*MexE7~HY0n$WyvlxIJ_nn6M;tz02W&fSjXn_g8_&?RxzD6GiGMKKFid- zSW(xYZJqKJwCj3q+8W3PZfg7ja*|iRc7(`!4H+tyUQdej`OHRmVADWHc>UXPF~3AJ z2b4@0h|;;W73QotR({!9oc2VEfvcR~aDB}9g@u!#wOrJ4K!3}{LG8?##~~jwn)xG+ z)J#{r5mKO3gf--GH1aa}9$%XDd2i!MR<-k&1c|N_SS&9@*nsf^hr|-Q2w@N6mV#j~ zM3i4-;EmQvf7+wN0(p$6ptmhH72xiV&XCX{4#8(j`~jVet2q2a#ka|KH1fxIG|X5! 
zTEz@x{&x4QD6lvSY^e*~6@zPx#~2hC=S3;!{_iYmK0i~V&)4D}tYs)5=Oy=os$HXv zM6J$H^T{1O^lptlW-snRhQ0uwSCqFKXlcAa)o2<(`t)|4YhIW^MMww6R%z6Fq&{8T z;v(8E*@ZQbs2!~xB^Ae!vB^%{s2NN@o`OUa9qrW?-BwSfKDKHZ)0jyOkXN*bmYt(+M04yns#a4;KA; z5|$UG+WiO8DQ$`wWSuA+)Qq6|-!W>Rn3*|gjfi%Y4+)ro!2~FJnF?mwaA7Kt6s#EJ zL8R;JRl^BXdIgM^CNZA}S~;=DR`Aor-%*HCz}qH00ongzRbgM;n-gId**nRN44%3S z!OFJ$^|PNpeIu_B^pJG}3KJu6MSYk>`K!Uo!v%2K+cwJD>MwZQ-7 zD233xMza(R%8ukkVeOE{PKM$Q-S74u((Y$B6NBUCG~h+Pm{>4{g>~2yj*Aj6Ouf4M4GTBSV!^x z!=_|P9q)|s9GpLkkUg%H{tWm5g~NFAc|_%fBUpia+)!rAF)=_HE;mQ48U2d5>0`h- zafTZPW5Q5mEnRomZ}dU}{nIh5oIo3voxoovs(PJ#Tz9wDG)2<=8{d3p# ziLWnmFR}>X9bq0{9iQD@`);l+*Iuu!rO#(Ss%Gmh3p9M|hH@AzVwIE@E8d@4>dBtz zD<`Oi(XkHmBnt_cj~WC?V$>EVA0JWb+AbyIO2j`+eY}<6>6KTh&5@bBpMFY} za1Ppu)12}gHNcKjLb=OqJyqU9AM28?^>BvxK!=E@lb~s&(nCM6W42|nCY~TqmsMMYU!9l!aTtVwuV2CNe#O#x-|krP>a%*d)z zuWgDBVC`@pTb~lZ8bX^UC>DF%CGYhyQo=jT-_}7Z$^X~f?Mioix%NKx!)^)6G;qp< zS0aL%8iPx{DT`CZIUC-zhFkRjKhI7Alxm(WK4U9RKqzMR06|W5#Qeglv+tCN^L@s81+8il}v>3O>}#X z0uxbdowKv9aSehxTuA-n;A__*+x03p*=+}HVfcDeWy{l3Q;q7(Eep`z3PY@}SSdD7 z?!P%P1#2pa_4|&$kZV}Rotvs+SO-dNe)21SSI*YwBh2oolXL5V@hww%?lKD8%|AGS zPT75IWasusne&?W?T+2036x^Qzfp{w5M8J8{uz&y_FVRa7w}YmudXIcmJk@bS9AMY>4&h3Xs-J*d``mxs^j zPAvLN7!2^1j$*@)#Ks@;0)PTgu)ZJsKMQz7n6U2bc#h#MVB;Yp0*BNKm9ET}JxB_w z9sTpWrM{E@a^($oDyfR?M5*-OT{ypuSQbO0CWBy4w2%xIO@^IHPpC`vw=icXlSXXH zJBbJXzSlr)qyyl(T?ffvq$JT(K&;}w3zRVN$x1lrF+!q1Fa2>K`pKd=L6Ay`0~yi% zhDAYl*JBWMTRv4Uc;!2$Wr9psiVtLoFL~z^Nk7%N2?@Q{52V2#)Ikw{Q9$sAV+10{ zu&AHZidVw0R2?t=+|HfiizJE_53aH&N_=V*ChrVXz&G`W6@)-7p9<5MPu31XbNu}` zOs7J##-^~GoGFtJ`DXAF{+n^AJj@`fzevAvY@YUYxZe&SjQ^BkDZn|h4%VydOPAWI z^BE)iVc+l3i~lFU6re0Z|NrcA>aic~i+^R!y+TEV#GiNyOSS$`y_0bf-xZ}-!Xzsp z-Tv4$+Y)}gm_dAa^6P|JB!ta=Bwv^68^yL#VX>rhMXZrgi&XiUH{r}exE6H;`qPED zYgm*`iyfvS3OV(9ySZMC!gM=qAfdvmQY={s%~)b+yQQe)OSJ7%H2@F*0#j4~3=WG0 zgP}+$l%{zm%mcLLh$<;Y$uO2-90^&36qx}L5C8!H0000Jax&9ZD@MY=vxSX;bVb`u zG1P>P+$>$+P=R@S^i|r#&>hW<7qK6fv3t(B>}JZ8kfvZ$4eGOs!(?<-@!#d;8Qml{ 
z1LH{lATyK2eRLM-yqeS$->@;q0i}hi8N4_}?3-04g}~VVAtU6^F(*I~^ywLNQg3?E zV(Y_E274T5VW!gpS=Vn5L~j3b-iFyW=H~j>o7p&ZjznL{kz3$Ptz!KHj_FcglRv_Q zP(h3+lTxOKIc?3$-mWK^6!SOjbeiSc(SK2}+5W)0I?dlzE%(VO>kpi5Kzz^jTv=YI zmYZ*H4pK~xW&vmqmj&TeeZ+?|e}SOkLHfbqcr%e&$aB2HIVZwU#v`*weQY#?Zij2P zdGQUVdDaPGS>Z&D9kLBlS_ zNxflmx``U~2>>|$ySia*BzGpEEMX_$IG6-C%~K4x7qhgFH#j|^yv2MeK43U3&b=Oa;JHBnNCui$8 zY-pv;Bb20@-_+NFDSz)qWa-V%(93UXeGBH)+pyvs=^tL;^i1$@j_BIP)H6nQ^f?9= zqh`O5@`4SM9z0F@u`^-s|Os;Be5nShS!jXFJ@cHJCOfk=-f-_&K-S}ab z>LlKD+dmZ8A?D*EDT!+sCPAWfGsC7`%I)KkA^mbU{1rSliBIUA%D&m)Hrn1fr{>dU z3)OP2aGL{PYNTM04&6ZH=ow~(%vr}*!T5Q^NKURkl;Ur@%q2Fimzo}aH|TX|uz8{5 z4Gd=)H4;pv1ec#$KDApf;WH=A?B%P3EfqBtQ4hi-jW*62`w zJvTS4KFy-NiSJ-K@i@Ln&;Cw-GCHvZhH9c>HmE9W%Y*-wq-X9_<(O-!!7rchXkY3B zXy|Pm4{s=gcB-B_y4n`6h6y1Gct75inEf~|RY#NcTj6>;*q&=qm3p8G!`_Qc9AZ3( z8vE|K6P7vg`i7_G7}YZK#6%kAKYp7XUb$e{{eZ#v)s^{tmFxfcy~xRfRwLeG$-vNz zjoXcTjRji6jr(CVDBZwp04|Y`P2_jRV^>C++pGhI^@Q==Qs+JM8Wd$%Cn9tpo9P;~ z0N;}+d`mt$DXCo2$;p?v2+Ax|B|fwIVf?;X;-u~Alf*jGR5;WoY=z*qet9c|R=U#* zexT$n+pr1-WXx4BOO~o+g)EqZK6e`cYK*}T^lwIm8ZlgYE?1IfLX#-J6SpU`KJKSG z2qrpahB&}hRmpDdd_api3a_8E5!&+F~i_Wxmv)FBc z*>F^{+ulH^)w?j6Iyh0`@wKAxyg=vq(3WIBi@TeO9Uzy?5=(LW=;6ZkTUMqTxQEUT z_0E*tCyjd#snpwpF>j6=iW-Z;$w~9hfbs-Bv@)=U?nQ+T4F$#|u5UE&3NOMzMQM*k zbw2VggjmRCPuCU87*nY0(&p~DwAk)4?FgW^Y_YpKQ>sr-tU);^o@s|74;NgZ(!v?B z$Tj!83DgH-Z4`lot^W(1*LTR8jPhMct4AJaASqf|4T``q2D-4Nb_tGx{=5?NXx+51 z%UlYaoFeLO2oDD0|t9Nm{Py8I=$!+h$IIhxau1!z43 zGGId!VbI&EPnK%%sjthpxRzQoIF?uy4qnSND^(^ahIZQqWpJa5)S!qOzJ#FKs9Xf& zrN|Tu_ly2kam%s84s4j2UsRIQS;XX6X?4+>y}ycawRn^oRwW5Rl@h4%fj$S(75y5l zxNm3I2X`THI29c{hr-N{ofLXSCq4(9BDSy(Y5Nm!gp2z>R#r8@U^m_F_6kU?fE~PF znwG`b9i6-N1Ty9X+g$p(+MvRai4AHBEfcu^xZNDUl`0TQ&C{I84IQ&kWt+C>Bmt@2 z`s}(G6V_=s;v0ekE0HN9Ot^O6i;5siq_9H5X{hJEkf*bq`U3k??okVYR zG9;W=A!*U9?8HOXZ1bURso`NZChA!u8?Ysgh*e@k@NsJFt_L?570psF@$+lQIq?PW z0hwIBUvbSv?_3}-jolSaw|9gh*?$I0t$b>B-CfqErS;&JizO~zQS z9TDtQTF#>TLgOq!!JAlW*ty>6qe*;pR0Dq$9Hz+~`*G#oUxnXhPnGI`PylK(3q4J- 
zmP@zQ!@a=~s|@I=QP~Ssl)gMm=)9>CLr9rnNgZ^3PRd7VBn=E9LajH62C5f z=ltZtbI$RXv+_l48qXi?fsi=sK)eSP%TN9b=fg|-iWWc5%vGcS~B-sbHHs4 zZpG9`w16WEmT2W22YkJCB8+K;^L!+L{uxWe`<3Ri4{@>>1wsoQTzmjGK*+ytoh|tY z0aVEo6Kro|;(bErEYlQ8=$OrCM$i#>lRNC5=h^VQ0CE{bb1<2*3cc(L1b(2v$824r@So4t8Ik`h7Yz zM?QzF-QA2p^%G)_0Okol%dq}hYoFVpIE7&urX_@OW^AESMkaD7`9 z)-W>Pj%LJV(l-cVc`t#HiYU0+M$riF_GkF5muP{l&egjllXrst7UIYh^V05!L z8=$~VN^L&EQk`DGlD9|T)MF}XMh4-S;4mJg$^O0af#~4()Lo78R(q;04i@0|b5_pp zc1=4HFtkSiLze@yMK-IvPlm?z0&Np?BL$}7IT}pUeU62|l&Kj&|Efp&>E8Nc0wZ@KZ>JaN{MolgG3=8I$J0maj6@fsO@WjF&*gv~EXyySPP^ zguWGxYBSYCpZK6m(3wz`lHFU;L`K@yE(=<$?0XUGBeha?jL@U~=&L*Lr#MKb6Yat! zy{WQ@vg@>{-IxttcH~U%-b?q9nm}1!+rI2$l%b&; z*O5n7QOtLT=C=`rxvGrYlFTfiE=6vIg>=h3ODE45#880GXjWi55U<7&bzJvik3Glc zdDlM{>Nsa-mTB|l#hA-AK?OnUOMkfe?U~U(I>9HZF5$3 zx2sYQ+Z}J>M*Kx<~X4O z=2z^-<<^tCE#@xhm>wWo<6Z!DTZkwN%Tg2rk8y`Y)CsG5m=^f`GB)&ILW#&p@vGo81Bka z+Ir}OxJAu(9CqhUIUx8!D`t!ra zI_=}?+t#q|k*QA`Jd-2!trQTz_z%L%CPQ*ZXl!NS#I<26vI!V-z-78nh|BVGq>bY) z2JuOFS>i45v=hX7x1pE5J#G;N|H>_pAT0iRmqlaSgbEv`1-qNk$9E(2#K3h!i`Rod z#!dwHR)T=qcRQMo`O2g4r3hhgpGS-ymJP#=m;}ln3Xay*jCC9!$1eW+-xd)%iU~+e zG4rj}A@Z~J64|CZciG!NdnDD$LR(6-jQjRYvG35F+I&r-S2reCgNL`O&)$!2mewEvDHp}TL za8Y9$alakrv4iJ|?$pITJQrutd}N!SL9yWycRe!CtR4Q{jFL(;ZuG4wJmG_!imt(R z2a^Da%X(%w#+=8`QVpSYw_*T9@mzwv8^N&sp>K3Xhr|BhPyGuN zSkPfub4sbDCa)ZThYCg@2A?lsS<`wn3yj&HtA=ld5nZnw4oz@7)Jfu9-iH;y#Y-9k zDQ|>oLGm}+Xp7R>To1%!s{}cTxSQHO6uSwe{??et_0I-54e!SO@m~-5fDpMT_}pMR zYt|ymW|`S}K2Kb|YT5!7$Ha?C>oO;j>l`=ztOE=wrRSH2GP!AaRX3+{pz%z-Qw(G7 z{Iy0^?$I{h9-X!G8>sci{bn=Q zs3hBpQ4RPH)G?bq$kS{bV2?5ftl@nh7?aOP%o0p94%A?)nH!a|axm-tFMGlQ+0jmZ z@X9$$wX+iKO88CsTWQ{ZH=<-lz2*av1q2&R)U{pE8aJvNcU!4SmyU zQvj%sWH`2aPv@>vkkQ^Z!ToZyei+gLafyq3EWIQo?c?RkpoaLTDVvNj%c z`%M@3ET(n0ck}x?z@_dYDoXUgDn304AL<^B>4ik4Zbw98dQu@-Hs$?totEG@BE9x{ zaW0r99s`m+8jN>v&pFh3+^0R^Nup|~=$#*QsM7)!Nn<3ms4gMmALtH_F}sbcj_nqtgm+#JQ3BuBcxt4iazB`2ZEm`kqJg%9A^Mys75I;UnEuB7@DI#$Lh!0 zWG<$ixgXw_&-e*3CwQplz1a9p?>P?u_!9lX`L7*6&qrPbVXYd9p6dk|moN#4zBZ2~ 
zp##c+T8R5$OU4~G6wZGN>IkZz&p8nPU}YIJ)f+@LSljz7G%@DAWw00)zGw_K#TlqK zHHKW+njCRE1+d#0NZVyE09cq(4cq5%te>XMuR5N65#uj_m_H2z9YFPnzAT-e8-$S& z?6UQgM_6-y@8pVaYvE90?(5qQB+fao^$*?*M$DzOt7gyt;7G!b{mRaa&q~1Q=f45ot1$t#QRdnQcY)r_R(7D15Lb5gDwr_ya;OmYhyO<;Us=PJdGXirikv%NI~`j=^86x2n%iH>A4mVK&=VEoeFWQuqQ~UA zKPbq7D0G7fC=nl)I99fMD29W}-iKzyr^xV`NZqqU_w0j0nKAeEdHL-gr3d>!f8Yjp zEU`VHQRqoeObOO}x@f~itqot^#W2hN@OS>H%?%C(Q!;Xc)55<_wN8fT%@)J4JFaH; zES|) zNB&KeUwoLO6n~XvS7SWhR0%0r&JzNg3-_IdF{5IkOamxsI1y7;&sVm> z&=rJe)x-eJVRFC{@v4*E;esk^Rp>)0C9SXSCGgyYK0VSAeZH@S1NUAn@9u>{b~{uZ*IY$)qhjD$z>uFQ)3C*m#?lLUd) zoQs>uYLc`ehQZ%eonN^mTZ=$tE*inZk~0NFs2T9z8aSS`7v%nOOP271rFJ)3pz5ro zAX<0~)9+odKuXisGVs&O+Rbe;T}jR);HNPJ^L&BB_xUV@yOOZ<04!7T*S~HnE!Vp~ zykol;>+=dl1xO1CshEU4TZ0D6QO9K@`7MZ=7KKZ$$E7|0pZC(mcWpDD`fQhDNTHn> z=J?nmKG(?jbw8FplC1fr%;vviE0BMaD!70R1&~+FzYgI2Q@GsEU4NPhaU{sHWqHz*+wp%#I$Y0r5H?P|Hgk=^)h6FIT zb*?xv1Vwr$XmN-hCiFmi=oEHE#eaR@`tPlte(mGd$bC%#t14+KIPv_{auwOqS>Rvt z_rC%n0eg&KUO`7MCtHy=1SL*T%!&5SQ9g}QFZuRU!Z-dq1^yl>3S^}@(wptB`_vZL zi5Jl?mDwWJ=$XneGE0m zu>RNuA(vLy1=4>t9ffC>biMffhHT8kWo!)eqr2#cfL@0z1eb8EbB5OO{HB>vu=3RY zp<*AC(f*~;IoTh@#A_{USInUP51ZOoXQLJu)lHF9e{q7k=}sO!wV!Yb<1|2Wg1JT} z1X=UbWSUASa_`Vl^Joo~GOOocD{MSCr_u{CXDG{6LAf_K;}95EzYr}eH5|I8W&v~V zuu5j886^*(+yiO9lP=p#H0Gx+B2WRn%PS#=j_EyHSB3`a?qbmjCh;WQgOYAU*TJo2 zQEhF|VOvG&QuZ;?ud>FnYhg||@ZUt#mL@Yd%As05%qH=;E@!AgT}E;3v5VI=`C^iE z?%Y=@11L+y^mp1g57}PF=XGv~J!=4hGmV~VA7+jrNo%^F^C&vSL(U95tM2JzCqSsV z4=pBX&bcw$^o4T+kl{E(W{e-fGpP?BnUyW8b(z6&S%L6a5g{Q+3OF*V?p8}Ivd`nh zI@8(l9Z(mlQL{?7YkJDOu=!;Nt9AOZrW7toqE#mbR151A_vFxN&afw-!ke!PSxA~W zU0`k5A~UB5El$2#^4ey3M37O*yro+rLuJRdilQ6&OGg+t>2Dwlz|QcB;6f==mSrK~ z4h8W|VuLrN()*RDp9t~(%@vAiw%JU@0sj^w`X0({`P%7BffOm|DyEOD|9{ju*Lt04 zT_?bFD+BV;eU?#$UTx1zi`1Nq>_ARhk7Ypk>?+MC)6D?@V`tA4&Uydo^+hG&jHWLd zDu-Tu@;F-8X+P~|SLY^@(atH*XPIohqG+eBxIs3mf7592PrG5hP;17SXW~zaV}c6c zqQ&zxpQze9=`f>UErG~@s~Tp05@Z+?&jyI+^I$QULbKar$5h5~-y6v-avM%&JgYHY zX;sbp8U2)rv}hzk1C2ygZNM1GQ|p-Fh|(AfGSS%k(h7x4?+VO>UN8CWZN=!JO%f!v 
zGUR^J_oO29HoSwLD76tU1g6r}gV*+m`ou=@5h39K@g%#qv|^vDPViL;b_d;ZL&v3V zZJ9N_n(5+;z=3;8 zhgXez!}|cm&aBOq&kUUx(W^uiYVe&nd8WN)-}PO737 z$?RPy{*LpASTG<-q7E#u*`v)- ze6=pBjzkeusO**@&tzKsOLDXJHcKQ|rt1=P1E~&C>Zjw*L&;Hdvi?MF(A%CH&#P0p zI|ufuIaM%L7+5CC$wqiwOc&e27PK;7B0c{+esMoQa{mE{Lx1EHSi-S?uo5h*8h#(W zw-^6<;{YR4E4?xC1Wnzj67fykEBpL=A7P~G4$tUO6eUw{Xi-l$|6ogV+pHwmzPlCi z#^66-7c5|)|A4!n*Wr-O2#erMYq@RiiGIaq;w5luvrHoz?&@eQiD3?3| z9KcE-LI~e#TH=^_;Hpw`UnKEQ@nwY81JTm~xKs*|3L5s-vSOWHqfFC%OK8ZwzQ0D{ zjDTmMtQJ+&dQ6c%j>o*tSkq({Ekg;T$3Ql0SfO`8?>_dNwOw)6j#Qf?Mcr>JEp)q3 z5N_5Or2KtRMQl^XP*|yRtNpMGmuUWNVZmlKnj@@<;+kKvJ+e$y_dql-qkOO&dWYB! za1bh@HQalg98IFD@?~_LFmawcD>nk6@f`-O9Z0pG^A145&P79e2k$eTIQbsydkUZo zq*e0K{#3bmh2sS(yG*Kr{j!=jZ7K$fW$|zQLW4NNX|7lif{YBRxf{grv%s{|0vRoe zQfJ4C8MmK}3UO(zU{I~s`~(B})09i8VlA-?PE1^TOp@yuf^$4kbd>MQDRv!hAj!jR zF_mnm3pg4iFmM*B zBLrNbXB8n6;E7{>-Kh+S!4^K7)z`tJgZHa?5cp@pjtF-m5Q^VW5BYHC@iD~Fna4j5 zN8*pcs|-M-eK`t`;TMNSrS(Jj0`o?ca=>d4CA=7ulBV)m!XZ@tlGk>yD5gJ`#Oi?) zryX_}1}BC?U>`{BO`XS)aG7E`ZYD9vx!MOoj_%OfUp#Jz2Or7Z#lG~i~u-q0GLgrK!+)68s@H7qrPTyn|$UJ-^T)OYpzd$KFXao6wlNj8GUtU#M zqjwUT7hrnKKuscu0JPkm#$*NS3v>qzCE0m%)gb>Zmk$$tOqRgKp@u3+n}3dqjZNPn zpDL_YNN;$hmi(fXE<8zCkvH;Mk=z-*P5=1;MOw0DiT*Agz)MC3M#yekjXw$s#@kzG zj<3u+O>%P^IRM|lqNaRt<}`m_R}2hbhz8ytd#AV^G0Hr%$pg+?Yt-<=q@q_ie&ypm z^po6M%&oHuJ)l7tMdJWuM6)Xb z4glaB4|vdPWMGa?5HP;RBMC|Ja(rU@(bfM!7I7~+M_Z;dW@y~Btji}5B;%F>SRTN% zx2;VL;Ylq7`4Mp+iK(PcAH;8r#2>RS2{f2})2ymnhAT3x{RxUea=0YsPHz>-eQRxf zPZW#z`cH*!riZufEWAm9IqXDhF03178*1aiQSfYz!N7Q;i39O2vPGSc&X?3!b)#Ri zZdw_|;OR1(!Rdyrj+V?c=og7{Qr9Tun_+3Y{6X|;hVo!D*7x+-w`mEAvFsT&J7x3q z#R)K-Mz=S!Cbflt-x_v5^rAhGBfHU+F0efeF%F{S7MswOxoC6h$be~3aL_BLHO2OH z;=7iG`LME-O#h2m&>kFwdhjW{K$|;N2&|}S2LAuHPAfgaP3$wY!8Ooe+@u~OZ^mo# zdfsoeu0!kO^*DPJ7fn6ZO&O_HviFqaQG<~04Jr!|s68-DpI_cV zc$%I0jHxxVYXzT!t2HymM*j&0QcaBIogNq%%%x%YwO4WIKi!~k^VkJ=r5f_PtFacY zBKSDR)4)*8bp;H=7sT9z%1cMvc>?<&W#GZ8(Kh+qv=$RgIi%ADe2CzQ z6G_b!4vDux$aC$acZ=$iX^pK%e}SlCyvcE@ZCmd~uW%cejzFdAC^ozX!iwOPwx$MN 
zk%_7s0SmZV7ADetVPQyU&j67lp1A9W0ssC#4@vsdIU$QT_o@Rg4MpIDqgx?kW1g@r ze-bnMACNz3R%b$>Mbu81SFs+i+Y01B#kBmW1St#x{4(SHzh+A!Md+832BS;qZ_w(8 zEssdZUh?q)*(1y2I2Xs{U9<5u&>k~XB}9OwS%I?x!HitR6qZB&Q7_olkyV_dS92{t zE~}KlZy^+;e_MV8Q^QY1i#q|ZiUVB(dm6gp3H<*0cNSC?qY+&PD1kNW4vKK$LghQY znGjXFjIi-4A*VWHZ8fQHc_10jA-yVr5p z#$z4y27b>2Vq>^I9}#EkGKw1F!iZ2+fFL%r-xmnSSvSmI(JeS-GIrNd1&@NC?dg!@ z8EPMi0vT-p&`7E1e^`@OT@}iIRZnF*;(|?-{8Rs{h91SNvejP^u-HSh=kr?TZ_U+y zG>OPwq{;cTM7M`LvPBj}6PWtFm8@{fwBHfa)jAX z1(*a~a=bOlksl24Z#8vW9@}~ky_+Cu2pM~bs8x+%VYo5vY{MLA6mF($4uJ^xxGt6{ z(wP0kYxIlF7gEnx!hl7?uRUWc!3GTM-EU!^QI}e!=YBni0^&9x@X z#XbxFzMSG_dg}OU|2a)azp*{Ab7L3_Xq_YjVrOL=;?6w!8V}AUJfrcl;AzM{2cFe4 z{kG{`$S2~@_;nMn`P9L12TYY{$fA?@Yyv~_47>mYGXmyvKRkJPP1e{kO=`z!ouNtv z9PZ*Pw`Z3`x1sl4yLsY>XaOxcnOO%KU&B_$=d*3ynC)%HpZ~eEqTu>S$Z&gM( zUUM2zc#tyM#Qsstc4RiMsd#2`N@O1!38u}CC4oT}W{FT}=od06?7{ZaFr`wt@LDIS z?T6p>>sYA4%iI(_?u>2FPZG&=WEE3%bN-I(IRJC8xGSC9UIv^Ch3@!56#CD!YEG`+ z!Mj_WnWHm4R>T#;9Jrz~oOAFj@<#IouF<-P#n1}dM8hBtd=sXrVYcKf2>wX+Pcv5) z8(B(8o&h%g_5!$`_tRT%x1Tw zHP2K9<5~s5|9Rx*(j1iKIbzDk=P0~nJD%jCm!maZsSdt+Ey1JUa43@-cXSZpeiT`C z0B_K+kvNWR{4wFM++a-Q`=H;!PP`ZsG351&mg@NX=44<`m>TX7O~SLg+Frwa4@{U6 z(Oh%_{P!cHFENZPFai1fwZLU}e~E`PO;r!g>v<$MJ7a;QHQ_id-p>tu?tDIZZfgdq z+D6O_(tdF`Rl3?msKoNMw-#>*?G_;31?hF6*~!~m`)5s(=aCAObz$~TKv*t+9$Hkh5Pmm`zTnScDf3-=exN#n4uKQDu;cX(A9&&hB5+Z zR=^%c$}l&FPQQB{JcYCJ+eecoJ5pN;ClX1BE;d%$QxR z&n*3;@ru++3?Xd~*Z%YGANtda#_st*kRF%r+u+Rd1QCyb(AwOVhogCUs-By-$hDm? 
z|3nEka*J~<_=hLAkyhFXx(-zd)ulp^Os8_$Ns~Nfk?uyr`#*5b#hbDLN>;HYMhZxP z!7swS-&te@b+@a*y^_kMdx%)VS7ARGa69V4DpRji9+~cEuH=496JWmL=fWYPjw1l7 zLXRrEDAX_y$CoCI6K8lxdXg6fPn5gpB%@ZwEe+B_Zar)20nzHt^pxz@U ziVR4-LFVCZ7Pa9ZWw=>a12>Z2W%apM1`$x98}RMNfc^vhIqdR3U|fuZ2(7+zG`Mbh zV?Tb52Dg(uqsjH4-_N=9uCUaUBap#hR6x$JID!I#KAmV7?4S*0g$`7f`y_;9(I^DSm(RpDh<7ec zG(v?&{e)-EUJ*%ue4Bb!W>%WOZFL#Lv2(@vGKRqlv?kA|(RlW)_FFi+@QV*V)bOX+dCJF#=9+;{Q;xP~0|2*66q3 z-69&iYO27J95qLVV^|I8Xo$uUgf)CHMizh*=8IZ zc$FJwN(ZvO){sG$d9+=#>C2+=96ip<&tC?2Z^#>#7eQs<@X~}aF(d4*f#d70%@prJ zbRmWEH@^zagI5@-D8RPIRXJI@Zjhc%LayY1(bs82qJj+EV=sb+bDwD0AYZHQFAQ#Soowgm8YFc0X;_JbQ z7YX_k)^|rU$jH>)gP8H%vv^&REpEpYU9?S4&IjiO7~r{&p3=9_9M^2`+J}@FRTGBf zKCq*@S7(XlzV6v45o_7b7?&gNIn@TMhEf%jEb^s9oGDY3cW9l(qJy$9xjq3(0z=V; zhW=|K(`-dj^%eg~s*c>4beXKA(F-;M=v!&O^TId-b=c zZ)2408%D{1a?h-mkuq}&BSjvVItxCtCR^7WD?Z|6yRkjlAQ)3sr)j+DP{?2`lq>Uy7bBJQ;bGvplg*y;{-Sw)e-w%2nPWd47=LDHKO8xUx@pZ&mTg`Z z`vIz)Ayp*&q<6z;ozwINnWz>^C-WbQPXG#(w3cGBeH6e>B(1|SHXasaWj>tp=ESbI3v0(H%v1Rx4Km4HFD^^SlYa4r?Q#2k@t zR2}Pz;khOKhZ79~wqjWNbbaj1ZaKCkHVQ|vxe6heO0i|bm7wcIc;C4Ox38YA>lkVA znU6^mL_l3Cq0uTz9`NXH>hY)*c`q| z;(O*fxBim9-N8M>Mc&+8DUAwMI7JV6rd|l4M%K=~-7XPidatK1wG&4n)KBu@(OCe2_@c z)IjF16yo&C5(cp5_AluYb&xwIBVi1JXYcFyU3*XmbnI5w<|oA7 zkqDZ5zS<Hi!ZyHpNSTA#<~DW93OdMmQ>r*q4cBkFy>| zT+RXJe$)i% zQ(R4Ap!2Z-&VnpwKKu>v;7oItmlUG;M<2PTwJHfY_(XQK-rU6RTNwI+mDQ(tiU$5DpG zj;e1o9EZUmU@C^k7@E$>a8pkJdjFgx4AL6!V1q`2vPC4Eu=$6#;$Ir=o49#U%M-BN zw@B*#UB>V+XqI;Mw)TV3E21~w8F`yGKiweB6GPMImd-Zu^W=_vz*1M{=EOl?-7)PF zFyMsx118S8SR=QX)!_VRS(>yWC4T+xlC^ivp5&MIap@mziukg~XkFd2q!mO|tZPj`Kh-`WAb5Xaim!WN zucw6$vC~(8bhl@Q1~kS{EhR9FBzB63T40hreGSdrBsLw70;*}wvP+Ubys~-(&UcI6 z9P=jy%zOin9tbddqv}s8wql>jfG;|`S3Z~>&HK*z$o~PL-q;xaVSj+NeHvN1tzm3? 
zOAc_Pa-M;?byD?3dla_A1)F{Y(UT$v4}F_jSo=LA`tcGhCUy?4St zvuDCnnhrP2e6VmoiFcncPxv6?CffZg&;l6uig59HTMRL>Zy35-t_;^5O$=K`Vy7w~ zB6EY(3*GE1md8hjx(0&;@?T5VacOt9Z9xsTNC=IAR@C`x}l+hue{tac201tiYiY;)=gT3q; zsRT@1Ai>oSb%5gx1}3H1#|Eu{vxuJwD19PMIE5X@J#Oj{6rF)T12K_uK2=`s% z;p&|+u!c<7RL+d@+{?paP6auGu^?LC#WTexlGCJ~W4s#9d23Jk8UM+My^!-)|9sXy zuzN64u|}s+guL-gm(-LUH{|tOq3M`{6>YB7@jVu0WWd;wkcT;}SRaX^69^Ut8Im&1 zGgz}e<%JqA0^J~q7D39)w1nn4fM5&tOuT6LjUvknb)&Sm!I6Heohs4v6BSfjoB-`a z{XGCnH&|!FIzJ{u)Df@ML>Xnv|JlrJP&TD9NMhyTW`IM8L7Zfu=)B{uR{Fr54DlPP zjkMR|wL#V0mu5K|iN>?5>sL2R>BbHr+a!J$N9*M3HL@dp5Gn;m)P+pH*2g5FBoK|5 z=SE<-Ha&3s1*I5p-BfhA1S_i4teTcgdG*8Ce%K!Dp**cu^Zv$%_UVm@%=xcHDg0X= zCMp$zSe;2GNCN1F{6+OXQrO8Wf)Az%zx}BG!X}8@G2uf-jx_ah$QiH=O0dM>vat#i zZC`Pk>H#l#VQx;axI`0SVSqmB)laGBhX3tF2akGSQv#889 zgHus{{u4_5e*l1kTm3GniZyc5)8923vI%2{dxslgYtKs)=Uj~@lQ9mHx8tm%=$JwO z*DrqC^IE!Uec@FTFC>gE^!iyY+tA$Wvk&f0s}MWMl*%0%7TxTeL$zJLBtIn^Xod7X zsshG0jI>ErSP(X7BU(S)yuiOk88lN&r+gIAhM#Y^#m9jtZ=MUR`jcRW67ky%>Gw{$ zY@J~LM9A2o$;F0CzgkQPdKXZ+E?2*iCMl-i!(<-#YLh=^lEzumH5SPzwmli;i&x&F zVT}Jz7^^{*V9j26$(%<0YqSTM<;6tf0quTiDyIC6bt5ZFUkm&`xtO^Ko%p)?Pa=={ z4~rRtAH)(lBX-a-ch=zat8O>!)0T;VgR^xjEC4Zl_~?6aZ4hxU;kVbz1@L4w2h?A5 zzGnF`Tp74MQ`}R%MiXdaJOkme71;;hP zOJ164)La`4jjJ(&LbD87wZ0$anavE3hgsUqVinuxro--6`rqEZzP%DKYbeKwd6%`zW?fCV?(Jl@X53UkIY3KfQ^`EJ-(kHSzo0v|~ z$b8dvH^7~N46D?tEZdJ&Uf0pZ}r;GF@2XdfvF`8f_fz?X&c#oBe zHKK#1)PKA5!Ldl5YX(U&kQWH|^3%>o_f0`k`E(S(-nEB}fLB5n@Pnu#jqE}Shohqd#Y zpI|Qr(65ojW4Qpidh*~o@yjDl`SVZ;S|r#)3+Z;M9xvGu%hdMw);b-$D%=^(%@FhH zQzD+Z)x`+=aLK5rdL5_X_Pd1_OpV-MPvrMNTv|Kwa3O|$;wH^jJkluK8PP8Uhkf_KUYCc`EEKO!0WlE-X z;=^lle37WsCM?%RTyQlun*z9DeNLWEMav@d)*r*@VQ+xXFw2pO)!bM<62(2x(1;JDrKBzQ}&tTs;5ae#e(5 zj3C5w+yJ|~CPk%xOj|YvpLv?~aU{i3FI@V-L4lay8;DraK<^VI)IE1p4<5*CK2HV> zI;~(U>Dk-`7cdV$1XBr;C(*jnLi3C386|Qc368F^PCZ~KPi~GS8|S2;NdwqZaEB0d zzWln8BAec=m^!}bhVgyEhv661Qi}Rz$pcjVMAf3rIMlU^-c22ZQ+FW zqWW%8xdmzZi;-+%#T(d>n5-LLZ6+1I4CAh$sQ?^Cb@OrNX%TYO5lZf34qLurVa{e2 z?fs)jPi;e7!sCJ#j9pz8T8_!FW6L)Tr=l8Gwz&EE7;-~U5xV`c(Nzou;*6`#4rl!3 
zsN66{9*q^qtj4r=Gt>vBj-Bf%(#q8SH1*=11IzO6JJ^elXU{j=dJw+!cR{bvD82Gf z3a-h=CIfYK{)SNINsz`jO(oi%a68HEjEM-9&WstdvFK`#jm&TH@~!Eh^FPtKhl$9( zc0Fa>oWxFol;j_INtIu-Yx|&eAEsC5oemWbL8Tp~*JjL2k_fZb=NqJAM=UcFOWl=7 zE8T94^Noy|P!B0RB18EWkEV<_M~Ti%nNfb&HBe?sBNB9~Bxh>23t%|)P|nm#H5LM9 zU~2hOYn0No`M7q>;_F;D{E5~Sd3=t5#RPC73UeT+03LcaWhkO|YDYQ->IUH^)+}rj zJhtQ~t|eMDHkxZQg#&)js1U{J`NiM}uw~=T95CC4bFv~>P*kP?(jKecTYIb}vVFl? ztF1y80K2g>n5u^R@DeH_s;8_~+-V0AQxmS-l8tY7f*OzyT{IVE_sSjz^RTK1N*Y?_ zZMo)jmG#D16FY312i|>78yO_q5qTHS^SY`3#+|n_k3apVyTWCzJx}OJG`*I+lGq7! zv&+B7!OJK{bwVwbnpNsg$6JP|VS=^Bdf(as;^qB!E$ zw9Sq-R1hrI{(D_=an~WYIGm}kluZn4S30np_B6;`;PF!&OBk$P=hh(>8R6ZnqzzX- zU4Zv$ZirE>)tZrJ)Tm-MYdB1mA;0M;+%jG1V>!)WpN}M47(RK-CGT^=-U<* zTJyG;g6$v#Fg08usD>HS=p1oDWpme%Ive)Hm8)W(F9Gx2Dy&g7)3z&eJlhReuRGZA zSOsp+=D3OoXXNB0PaF(-BUysnBaaURM_0%q8l{+1`^lSdmQ5i@mxZFtjIY4tVvlGP zsm)=TjpdN$3+n~j&(u#J?k>6aHT$-GjQ(8%ihk9xxNh2I)XE{mK+KcRg6bt=Vx(YA z62e8rWT#hR^`AXiK~&!h+Z?=mGNih^Ut5nCt4e*RiuFa0|4d2}Dok2jrcHoN--S34 z8c{n;h5)t}mQkmOlda3~j=YNHXk}k{$B6OhST+S!-lP4t{bpWb-RZC|a}|s&gZsG0 zMSPn_F>p8V=Z$|``4{2^H7cqf>LA4V$a0MUEC9nxxg-ofi{tVzVetjC(1h6!27cga zWB?-r3z8iacst*;Y)JHqJ0U*}AzuC_r(U`jS22BPa40XXGzra~m;1c(+=rg7f6~HWu?Jw z3i=vs7~BB*018iS#2Zd_@NqOjDAoDud|09kArx=N`~-v|Ceue*F7#*gof9Pjv(?bF z-(ZdBh$R-Pj_k3y)T%?kBOHxsaz1r*rn)@yC&DR7{LtI-96p4bI%@V~+tRUP%xelA zY(L|B741Ga^4$92`TddAH-Bo_^ljsTWT)LrY0S z)ONngc{Vs}(pgc9pg;RTg~%wx*K{b?cN;W&w7!>>7_HgT!_H380lq(5UxIew@5!=4j5-$O)93XOkh_!$G$dmfNaKrO_a{^%PMbYGNxm8Ir(lw>MuEYB%)aGt3Dvu039Cx|CPNFL&fOFfiK6nsN{b*tAr z-UYUNm2pmhd~IZzVWJ*HWky)g7D{m20UQosf|z(dKd$_T*=)%udyV!|!@zq%GMg99_;=fa}SK8*I?0OBeP^7nU#hr173}c?{Eol(|kz^xYaLXWn3abZI#yz zENAc@oXjQ)bm$f*J0Y}spr5y?e{c#ax)6@{J<`WtvX93d2%FZaWu>Zq=*hK_F<;*5 zw|3eLPgtS-S{39HfrWb$#dik60d178VV!Uv?I(y^Va-Ewv*n>8^wOoZL~*~{d@5(p z5B)q1{SvPV3vx#ROM*Vg(uJz&T9?JJix!13ke#C2!QfUouJ5Z3ZzYCSW~FyI#|m%^-;r_UgnBrAX?G642; zi^`VU&Xub|e6=D3QRNmVX3RpqvVJaNTi%mo&xLq*h3oql3I+GwIqkC#!sfL=vk?A1 zr~A(?ev7VuhXZ3{q~5kPNET)1BV39PZpw6bmD+9r2B)AQkD(8e 
z9L|FYd`Fg;{czGE1mqqbydh62=3Ox2y^;DdrCcLdFiM;$oEEdKVKs~$bN?Hg1)o>w{G1q|@Q;vT zTtJQmZD_YhCTT7M!#RZvC)B0tC{8uqYzD-v+_MyKHoa7d5`h+x$r zu?=$X8f?bmWr+*_o$5c9Ukq3yL&>?LgPKC0i#F^ z@>q7goSI*O`~DZB)jEh+GhRbHJ>L$fCguYB6Z!Mp3YQ8$n`iwVBf9Dc{ZOzbT#saU zG_b}gE=kx_!Ve#u;;OI)j?jT}^RVp1Rf&V8cJfaLMZE+QsO1lU#UL9opjZw}PsXRt zTIH?4g@qkiTqe%uWBWacm&|29quL?z$Di|<@kD27Vz?H8MxK2@w~Anx>A4LP&t9#M zYeQqIIvTWdAVm$27s|Yb3Xmt5$CaXHXz2$y$!LFFxb+*hP-v(SJHqu-u~jQ}oh`E( zX`BF3K&`*a2XtdibO;!YvWi!)Dz4a(B{mqko0+_wd|q^n6UDTqK+d!cE<39wdhZr`+cC%d^f}!S0sTaYtYsFGA|IwQZs%v-DnCZWcJF zC?UGt@3u>s^*;Lm=k_0c=Bo#u_dFOf3293lE`~l0_hZiUDTQ_@$AnXS$f`kXuxz(j zz&36|7z8!JDHIg*HB1m~|2ype17^%}VoND7^q!QCl3=^7X{2m<9}A)t@WK%X>+sE? zw0HETbbe7sKXlL_s6zb%1qppa@PGq;L2H&{!l-@_CUli*b~6bBt{_vdR?6VE{8@0# zmKc7&A?^lTD%kKL(SCG9I&s@~RzTtrY-!#^1Mv4dC#~+gry4hVhoyx^8+m5WGXl*jyT;3;eH;NyHDDZZc`#pz7TS%>l4fW$c(mGzXwxWtm^9l9#BrV5p|+p$+0BfISRH;aw+2J@R}#B4_O*_dzkzjHwARcv>V=1RZu<$w!h#3E_kM&_K?`>r=O z`7~KTNKa*xx9RT6fM@BotFu>oAk4)MoJ(al`hSucE{3uxcFY5=FznXk)su}6fLUHI%lrpg&=eK`I}-r$2-z3( z-T_?xM6qFILxJbAnf^Jf4osyMTSKpl;iKAZP!TNFMTBxieH>fuDt`74}@1FxxmZG5r#^o%{;iQBY(w;O6`#F2w`I~q|_L-$zCCI5; z&a041J5toyzO`Va*~jg;!$x&29}87`#dUpS7-ECw*ktg~naE_uD;MKoI4R&PR5whr zTCq&lMojv6DsFK}tk4Ot#HZVk%$3~rl)lQV%~fYcf|+4vHhgHsdY?b4nzfnJS!LWw zI)0>aLmfV+jmp5TB^q1pgG+4MlSbhHyT=ucb4PjE;Q(^Y!wBM93xb@UQKVqT<90Nd z9*9eHo}u^7a37-poHFLHM0|K8f9h9g_*BAF4soTB(L;Yt{lOR`_D)3cH)_I(XLBp}c*P;q^;!8~lg})cpVWii58BVbx?+A5_yIma6t7 zrl_{h=;p|4J`zv20E{P9D4q3IqhwKP-Z11vm4?n92dMc@RELY$K#fEJRqkRlu=()j zG`opA6=OY@Sg=NNVklc7i;L=6qP8J(#nG|Vzuo5cI;`1XO}0Q|bO)^APFM2MySL9% zjXZY*fWg`WQUGIFfrQAMPZdZol=GGHaDmSaos+EE4}(Jk^8f>s%EN;4M=R4o+YK+3 z$&{9SLs#BZUWKlv38>5CPv_h_!$+Y;)pXR@c?>ObC_ga2(&^{$H8oq*@e9^-mu4&c za$F=3!T{WH?zSeF$xual%nR)gxd-rGa=z%c@#lr*1sX34=M{*wb1x2MjK++(@^nRZ zI(w-B_C|gx-BblV>c=-rM}yjLBN?s+aZvWH`t5|=AF42tBJ2Ayib>26-7LC>7bNC2 zi{0)DTz!L1F`|G$5G=o2FMqW;A;JK9~r!1wOkRSP?z)kpC$E`LhG&!VC0kD+gu6+~Ff z8&czgph|K1W+UYgK#e%<_D5F6i$hgvd$6>_3fK(reLAb}il`7Q 
zG6If-XPKyED&Mdi_vjchcHamnL_5dC9>E6OqIOLUqx$M$$<#(~7G|Xr=|m|-kw-*e z1PO)&kJg+O)bgjCQgWDQmXPu0LGyW@s0s!Qi+<-s5Hx^n6w)nHlD$oC?=00!fi2MS z&Fsw~L&@+A&maY5hv;BZGSTVp8OyfZ_IN6Sai6_zxrsyax!(Zjn57h&)i_cQ2M`Bf zp-}WXt~!1m&v7%Z!ngiJ>WCzO8HlN)%*isF)B6CkS~OVlTP>tB*Srn4R&54k>s)uD zLX{<4c{jZdQ-zEp|8^$qK1UN8R-8uR)T0wlNJSv}Ve{+6sU|m>vqm|QdA`sf{JAIE zQ`-_T?=p#j=$5L7e@%Za-%2hfiV2IF8bQB6TnaJ{${CPg_S7IW!0+IRZCM|oiWf_r z-38s#m#Swk7_iM$vs^}XNP=gz&w(1gr;}%ZxUW-DpFr6*8jM6+MjZp<|E>{#M9?F~ zz*UXL1#+uxJ)`8F`a-bT*2V1^#+7Fv9CV1?QWqISs9l=K6w!luhp40lE*t^~==NvCvFNb7#F>et~0GlVXA$Jqv?QvtM6|7)(xns#cCaf@Ls}p!e z$E)^#+lnTkuT4c&V_ZKNrILEJQn6r?@K7=0T>6I94h-cR_dYq_RCRsz|A$x7`*cjD zBHLf|Ke*R7d0N?p&#T%o3svSW^Qd)6g3XpczM(eOHLweH3(HT-7(4TbGkj_$aCbU@ zgeU=&kpX!453L@t>407Of!Q9rrYUJsjQzK5l$kJm6|ZGgP;|TeyzE%3gggQu`{-OI zmB2W%xztrVhcYQyXZZX~GBu}?wUlxq3)R+8ZfWJ1PsuBw6BKL$74T)VXM^VV9}#GPGMS#ul< zc|6>qm%!YF!Ky>Gf9-(b2{B+xpa4M_pFWesh^%NShbd7Sp(t(UX=YvYezm69imEBx zfr`{*WFOWXs5IW#%bPtESFk2YD12Qj%{oH|@RVkSGgN{|JUKmIT4~J-^J!E0MrinE z^wx}WO-C^y5Au6}J|U(MdjOUv!vOvuiGtC&Ay zyhsG)7J?Eljf#Y?MNJru3n%vr==hC3gPO4Px{pse2Bypeq%aufT))&2q2uvjkDl#f z)OH{WI#+Ro^)S4sMOr{Ot~bfa%!bhLsUbT|)bNtXz;~b%E~`O=+d(`vX(@QCDjjI| zmSx1K+@@ggbI>7ovi4(%>G?G1Enjod5b^YC(t>&ASu^cN`dI)$P zhd!kUg1;T`cDPS21PjLW9Y5_MW;GLVsrN{ra*zvZHus+BmqQt-_4=9?@^YVoZDa2+ zUyga!Nl|>4pXZJ~0A*pDH#i1ea43|LUD?Y}zpkj*8;W46_>$-dY}Qu*h9r5!TX$p0KD#*6iE=H)sdsgZ%iD$vNH*9iT`YPM~wXmYO#-#!!Nnd;`N7$nA~l z=X3=Yw<#-9Jnd$cLLJF1Jn`+JCB)teiQYyFe`YULX27(5d4jUK)$AqK+|jumh< z@vhPN+ut3-RsRx3H!w-Ji}#rFJ+75x*3WCydUT=OVy8;JaVkv`Z;Lb)O5Zs?5%Pe& zVpSMKxB*@t$e`eK6~KrHI0G12HBG1Wh5#6ogGY1uMe@cQKv$1ZK&7yCX6Q8XmQ7QB zcZm~Hq-7I(-UkNp6UoLdHs*M*q?qT-J^zZ-FVp{wGkB;#CWHfWL1r;&{^Os(OZbT-P_3KX2gUyUwB~dP5=#me7n4F0?9KZaE5L<~GlKdt5EVN1U zuYT7@V*4gjZ$tS^d_()obU{+6NqqHNZd2ty{i>&(J)0K2kHOZOxFa=)rR1L&x*$e~ z_TcFE7<^?<##0WLIEx>w*}Z?$+y2raX@|dxUwVaX6G`~s_dI)yj2P2uddi<93lvyI z+by)|@}K^xr9Y1BuTbn6l9RXQGp4J_R6ju$C|I>%x3EpiZ~CRaJ{vZrcb0BHs07gA z6Q}@GGlOh{D3cr4n#0aV9Z4H}ReaN%DBDOxgx|C2X-3NR%HxNov9UnDWe|KOQivW7 
zGbfJn)6D=4Na6+Q!StL;XpNx%xm7907kIkp6-8fU#SSK6)m~amkt!JHQ#~_VLo!Dt zmT+P;6&QuU@3gUXjc#~1yy^cIRaXjrGQR3LG6i3kNZ~VS*oit48*%5!oj^6isI1w` z5UL-T6lVMzYoC zw(v}%@J3ICUwn(D0E|lX*b@s{xSv>#u>rHjPz3Mut=QN2cuNVE5Pp{0CG^+*Q+{=l zaZEy!v#CVKCc%x8Q|rsp3s$JKyrHW^Al$8Ei*~@crgZ#54`Rwk>C9XAm1VlaIT>GM zsY@Crii;X=CBfjA(Vrc;8SI#9Y~L#H)t=C~_XjPLJd#5}lbDoQx@AGLLNDe)-yh@I z$jQwc(#h8&q^pS~AYza7w23Ag@y+eIu*x&mel$7|O$lsT@Sz)II{%<4TnMk1$-nY1 zDm*!xbCwjH)L4#?cO^l3#7YkWBnmV4P_?!pO#-K}>#kc^kul3E%e_wA|Jp~UC%Ir2 znK?2-4R{Qqpo)2Mc609#nU(qK9cr-B;?ibFA@<))#+L1y#cb^u!&fKi92iBp2FA(1 zHx$pOJL{DkhZOi5kq~c8edRsxbhg~z;cQsF?=SG}+;?u`y%{JlH;P`QIjmvRV<@|Z zfdOWwnSWTiGw+by4|Kr7L+A}yn$Z?xhs_bE=w*J6BOVS{3_0#Rmx+@7S%bhQxW3{( zxv`XWSVaIMz0QDP-hM3BzgOibTLi!>W3)Sox?_}S97yM!@yaMSLa0hUR$(TF1s}@b zWrV`9iX|nx{@HVQw?t!C^xONk`?^VZIJD@M^Fj7D%pk9gf!8WgFK2`BbEW(v`bw~W zsp?xIijC>+1Y(|r?)o%q^F1H=ieMiLDIUFmxgU-7g~Et{^yYQkKq41|9PfamI9t19 z-5LRK_xkk4il}%E_d-u*^t4=#`qMcfHbl7b((FDYSgjiV9tD^+3G+6>u3Xv*ZA7eM z;u{_!Z6YS|B-Ao41+N6A=B{HQ71l;UfFAK3t2IQGb)O*Z1v6@v@`hr1#mY$NE{y?^tTQr{%{Au>E>E$J8)s!;41byZk!n<-zxf`Wi*K+qU+sz|ft zAg5o`(pBC8^SRr8$bI-G&r29RP>}f1!3mGXim+w@UjyVA)~rI4epsiBFw;=jT(T(M zQj-=K)8QHGMRfi?G-4GQ-81?$v0O$O!3}4QCOnzI&M<>}@F4w?DIm-X{4qJ8Oi#;5 z<5R>)ry#bU+uHJ>;aJqD6Djue&Qc*hKQi?}n2MO^EE!{BuaZk+x{*k7PcTW?{ihuL z0J)-+HdE^1D8w~Ku_Ev+V!Fn31EgkjF|1Z22ZH7h0?8?{*guF2bu>zPT5*s`sBK+w zn-?RmHSKKZ#i4i+cd-2F`2=`NBZ; z9KgUSA61-nx`enS%Z2Eu518;a`h*u?fih!)Z$)sWYISPdC#8m;#YAbS3S28VpEnsdOp zHslxbDbI7O{?BHht<8$X%rk}toO@w1N5M^z-Flj{z^FAg3vZY_Q4c|?n=>yB3DV>^ z*5wFLFQu44^En=V?_!`uihpeXm`Td_#dftaMOOF8FzrU`%FP`f8*S8K2J~?&*p0(+ z{-=hSwqzFogTtNaIK8uD0}o4Yxke}`MHkvr4N%d*0?I?^Y>&|yPoTc1C@gy1W`6uL zXHi!AjNa{9`L4j+old~T;{WdD+>JG4i8P@$);Y4o(> z=5bLt=nZYWH;yIEu}L3F9C;4Oax)wR9#df#6LGd_P1r2ah|e!0oC?bp6pL?g1hd<8$cAWK-fq(m8l&0XmLYPg6}UhI5f?t%ZZ3oF=Qkz00t=iK z&a*MpKfKeY_7br05$EjEK@;Cvpwsx5;2LpnJZR(yWz+Mvu(RMy~<1FX%vf67&p zk1dAxsIW!ro7#}jo$-c8n1oD%H*$!V8$6qM;RJ4wJQ$_dIqiRp7h_wbhif138SBNR z0en!+fwfjRa!2i7e~d@zl?cBEmBfDowFYqzNaKS 
z3wf-nB8z$~VvAJN+5JF~T(9vv)p14hu1RX1;k0JMJhUX*G}RPhAVHp;huhWwfN7yR zO*Tlqq_SQN%6a!p6wPE}hQyd`<#W)nKitDKVx+zb_i=5DU zqm7EchNziyPEosy_=&!gwS2rwFS%?yRnFNaD{(Va&2{v~sAh?(3C`T~Ma?D+Gkbxv zdCC)kkDS;3KJenH&hYL9`#n<0#?8na$kr~RNFct?@kEJ_k?OH3sT@Wob5D^g7rKXy zCq^0b@wgFRngg-t)Ukr=L2u)PHQNP5>dKkpWZy6q3>8EOhNRO)onWUse&Mg0PgEQP zhfd%;77oVRi`czCA)4NH2g?2%K30b`@*sR!euagVk}YsC${+?VoOqZ!R?;_j!s+yqCZnR z263wt1K4l+#L?20Wgr?w_V4UIE7r$kZ7onY+n3eY%w7y0*JWCW%l0BrPn0Py-WxrS zv^sT(U53DMX~gyO7-JSvJta;^`YNj@po1HNo>Y;TGowPWS(qoYzzwITpz{5wtFw+up{4p`I3$%=}5k@^az|6rDj{_2rN~>0& zwWO%qjSV`0d~&nSDAKD`&-KN7Dydfjmt&q03ic4b)@ z)~Pc2%yEeWtC!0UgWEG|UdZvCt`g;rSoQ=R=;gZ_$`#w=pqF%W1+v#7OXIUWnv%L3 zzGOf3JL|H6bz6xoPBCKklYnc{lPs7^1&bTDGsB42{)=?U<&dFBWYLhR9y8|hC6Uv z>54?wD9w+*Go=3aUf*^ai&T#Fz6VDSd*FDyQ9u#_kL8Ie2OFZJ8f9z;Ti@x>&?|Ga7U?PPt#Zim7%M+2R>GjkZGLJ?) ziM*w$bRw57eg%kQYI;if)$=|Mu9UmITB`tB3N>VW2HCd`6VOv&Ui{&j^oav?O9zr$ z*14mlHtDF1dvAX9HQmm1!Z>A6vckfrNjO$gWg6fhW;NKMb3ODFT_qS|?jI-g+a`C> zb5wQU$uenQ3wl@VV?U_UY?rsX zVIsa+9+ic#>J1Wqb4T=h%d-fLWVw@C@N#ReO7O6-VMQjHFvIg-e5LU1{}trz<3-pu zPJ?u-Q+-bbrxjqr+&D5I?WH&!>b!}kee_ZJ3ub6%RI;TOP`t?br#aLFu4UZc?wr*m z)ZKD@DJH_0p;$fe5UDvAo6zBfracTK$eo#jX5Q?reXKR}qT`KbP)Fp>QYuevlX}PE zw_f*=TuwZ(hRXm{NX{MP4muMfUr?ubB|pRoaYNg%lXbA%JDh=a$7V`WnW$h%D4dFd zL+jBxZYqvNn{4oZ4AgCg?g>bx?-?x<^Rs2eAL@AwkoZ>2N?C(HXz3*PoiydK9QgY^ z%3;}zq`A=GZ=?8%hRXgoYI4Ay%ju0f(Li9^`+_-uV2*^{jz{1~>3Hf_FO!lYg;7M! 
zQAK3`h1>gOkj`L%GfvHqzW0VB0|!Yt z>w8jArl>-1Xc|Dl<`*{O8P`zI>TJR>u&{R(Mxt{(h(BRyKxhvxRGzD@gU&O#aJef) z-AB`kD8jpzN7qw$(3~?rp5C|Q7ySr_y9;<~hHbq6TfVsY%meS8a=8A~?OFRe@x;}s zy6_c8c?S|41pbhbik=9H4U7&UQ3dLjmqRKgR6$pPF-{EahA3s0&f$pxt2-&yLIXlY zVvT8yqY-JslWUDq2TzLa$^!QjX-sVr@W^*x`wjaeTV!NNgfeZ+s+946v;jRsua9PialD2 zH+AYDc1H&a$ruM#e3h*7XL^9OIv)V_N-~P(L|NE3I|)NeOIk=%6DQwLaZH$ncEH?_*)v_p_ z*-pychmqz-vj0;r0J|4D&|$;}0GgVbsgO27j^hl_f!z421)8cqsZoX^-dVg=B+sjr zQoj|bALgwk@H@fQ&V%kYe19W=a{?`Dzp9H5N?bL%zo2hc?f951=TitxR$sz`DHkSd ze%&&#h$mD$l^)<+Hv6;nX>e#>tt`>A3<&c*iaq9U{ygH_e$t$8(<~{ z(wx?b1WG+};m&aw>EYT))bT{=sOmNoRV=Et9^0xPB=~V0{&;tjM_BCLjGcR6`WZ0F z>bBbFQ)$x;bJj`B?^kI&SnP>MdUvE2hB+*x<~04!Y2?fy;CXD|!9(wLRglKalQk02on% z#G!>nn5lhcRJAs@L2&BG4lm<8i^QWYB2$YNF!$t&XAJxf7+85MS1^$dwRfP+*5WwR zIbbujoBaTM4J}UUj&lGJ@uS9}t59Ww5B;GA)Tx!(OohOF)NYb#fm0<3Lyf5>UdCDo zu^s3yp_}36-3S#Sg5hA*D)!vaw33^Jja$fP-CRlg@U9DNqS*;?lR@BDbaCVQ&(Wbn zWzrDhXIf$!Asfvhge5;X3Sf8+CZWe9`IB!}vH4s#9vN%eAMh%!GXLmKbrUPqzB|l? zoiGgPK!3>8NrXAnJ6jh=4!$pqYBI92Zj^)11m zt2T$Exi)sFX>Sde`z`@PTlo)c#-aIBq?gh7;BsDx1_+H!xZbZW8e;Er9?dieRD;k; z&_G6;1)_rjJSIvwMH>o161!0mx@*T8JS`Di+j zs2Nk5IHLkkYgaMHeQGc-S5M>Pmipo&kEWy1ckYWK>?@iDSAvO~yoV9}?TgsNW1nCLKhLVC$Mp0RG%J09Bt_pl*YQ`ra1_+76VSvc@5PyG{ zZssSdYLO7rmQ~rQb8PIzz~--aCTTzzHNu9_H#0dZ0nEtjZJ*JL-4-+6NA-t&>sz|q z;_`E=l6OSs(xr~l5hj7$6+je6wJUIbMr|M`J{+}r?+A0Zr+GI;D5O;~AaBns4o>Kv ziSEGaMYUrS`h1#mS*+TSlfGzUg~qzD7U`BLyO3zO?QQXkLb?2_lMZ-ql-gB){R4c% zl~DvS0W<*hasH<_{P?~(p&7?y0dA=F*Z+4|8;SIy#rWXFq4~;e;!xhYh~L$$%9- z*xKfw-fdy67$uGaft&qC2YG8{HyOoy?T|q1ffd zkaecUBY%u>dU#lmq;1uw5TN+4{u4#G&$0*L?97ZY(-u=E4AHJ2*-6VB)J5UX#0{C} zl4!pTz;qH_$CF^m)3|94tFEPM@zSR-bPF48-+`kO{xMH6z9Guq!D>x2%TFKf7Uxxizv+399?`d#wQ#scRvhS)0P#Og?M`1T7t{Rb(56a4n{mM zJ~tAxGGW-Ix49t)*J6qwDKfL1dcRd$u^MLPbhH z?x9;o27(W6(PW8kB)AdZaQAioJD!35J1P@74a?+9j&*Ef|fK zTOhSiX=_{6Yq^u}jT17zw0&x?E4cbY#O(59hKE9br1gLzNl6LYDT7xoB?Ft1qSQNF z07wY4jjOAm>~8bltZq4)JCE(`$gIalNImZKjK1)hXx}4>i;S~wGtJUKE3fho)7m6}u`cU}770D9Wb1g~rN}D;2W-MC)-lK< 
z)EJaC;BM2y0DMz4Ti5VOYd-m;k6I<-v^o*e+G#QER*3f8(|Y|)GY6BW zKe$zrEF5nF9l9*|wsb-7yM>&`vlMYpPdciimnsUUFq2I$M!+6Mo7WbliJgL_wXV7` zlMwctEt2NM<(j&7X^os=fq;H9PCMzdEKMqG;|4=m?^{G8wF5g>)Aule1e1h^9Pic` zmI4CGu9+{22N(!JsMtV`nBSO3y_)KD=LQxN+(Vixcz6P%T_^wB&q1H3%N$nYWj;a0cf&@0`-xTV08TvYKx3tJ4Ij}d+Rkl zw;G0SOJ04qTDbPP%k;Ag5rS5S$Awd`JH`y0hJm=bU3HiG78xDa*2#!$6^H^7NRa5j zi65&sTfQqrAIDJACkv7%|Jpf!U-+CthEd0?y8Hp;fneZM8{xoIlXKLSn4y1wl`o0xmR~kt<%6(&C-Xv6d3^bqOnvWMGfLN7?@e*v0W;(jRC`kCFM@=BEMvV&>5b^`63QkjUCq5>dl zQZaua*Ya^Eis|)dQZPv@W&Wyo!YH)RgL%F(Cu|$8#0lD*|81Bs#uFD7 zqcTk@#?~`JU+CTCZDwcqdVV5Q$@;9czcuR^0nB!RkYnaDYWw(!mQoNG;e2Jsh0c4o zLyveXa0U(>sd-@e#4D!X7{>5%CyHgL6%4_mRmB=Ce;rhyy!WTdlB3^eh?8hUA)ULk zl*=nOB%V7xwY}Wt=u8oobQ{4~`8C^eJv0IL6S0B9oS)nO8`~LGfPakI&0uB;_4p4s zIzGaFoXstav`JPhhj?Gn5qO>N@=Zo#jai!)IUX*aQg`^~ViYirc*_mkPsmlIz6FeDUUU#PsTVT7jFifg z6T@T)z|(HHg41lUR1-=+_qN)9Hsi=-r;-HE?4jawQ~Cef*<@qLAHyrpU~j1nD@zDu z@Tz6VIO~CzZhtysxk@EXf4}`Bc9`|RYk%ow^vg`=3Q#gz$3R=_J*XoDl=A?+zd zpB?CMfPSg-^n85Y`I}Tj8~cH7;8$i0v{B%o;)Y&F8$x0lDB{VtqyRAjf$Z2*a--ufSXJC2C2rMIjFDIJHOOG%yeK zfQ)XoM(q0!yJs_I=j0Sk$b}yfYuxr82*CmaXffF`Z;$GuW`VTg=m|Y=s}IgS0!8$laJZ;ih$l8)2r8hmB#_r)@wwdat20o?x!Q@GhAA zz5FWQx5>YE$bOvOMIGq@UMU%xAQ`Yq@8N->ZPPLZ&bNhT;#dMQ!)V_4ot{Y&5)^Rn zfsh0_O5LAi_BVF|7lWqoV0V zp;DVH54Rl^uokX2eb3ExF#RXtJc2`9<#r}?>R`6~ksKtv%~z7d%K8f1HC~huXg4Li z^4piL{R=VOJe>J&piBC6tq)(=>A{zA|BA*D9}e@HP)p=&O=miS_gt3(m*6BCw$;B_ zgAD4ElxQ$~BtdwZ5{)zBxv(`&mpD-uMVb|e4lkcs90)n;=PPyxJrg5`nP5+^%)3IU zS+jwO+dA;k|D=`}^iCC!q{aG#;+khu?c#pREZy1f=10f%ob8NShb+rmv~DuV=u4mV zlO^PC58=uY6|v!-IWS=09X^9DaK7xa=nReN*D0OfO~8+v7VTRY59MB6y7xckgLj_v zbjp`DV$Gvu7PMK4bM~IRSY{=(oi<;EE`Bd%Zv z&g-5K)>WO*NozUp)3lhjg9#gubMK?cGql0)C@2CtvE9gxgS+je%ycp>s< zEMbtD*m$W4Pdxz`@J(DGW%f&Z>qHMMHG-sh{es z%mPVfW3MPtxImBn6>1qP~Zc_;<{OSC>m7EAY znk5dfk;*oT z{WsbL!TwVNNW{fP4P9xHz`%hFDkTRl$@@k^y|i&n+9b*JVL1N2gq{`b4iNPkU~}^{ zOCRazD<4OVr-Tpi?tr!u!3=nTxQq`*3Cn*jut+vhh;$hHGR&tFJXA%&RWtHzVx#<=g@!8a7-`8TvH|&S`g5bVDGn`=ZJ>0l 
zV&KnTj5IHc{x69&$0>}__7g`c5M2J8n+SN@&*$bklvt;xCzVs@Ltfj)t}BCI-bD?} zf!$+Akoc3+J6bOXM`I~!_lBHuctvTWI9S-orZ}6g2V@ZXy&>Y8-J1wf87H3qkL$WD z6bda(u*QZ%X_L6@j<0ApIh+tN1i6$5L`o@1vy2xYDHT0pEBIQD^S~WdRKC_}i^|kL z4a&27z~yGqX^vp(VC896UX^W1oJ6d(3T^ zyv?&Qne+`npga8;?5)5(@d!b$GkAWF>BkA5^mXPt-;4YmJ}vvG)Q?hyfqnH9)xZOkhhh&NfC1vEpT~0Pr)<=G)`(Rot{^>;j7Kqb?Bx{V}+a-Yo z2al`LDYO#%zZ;lOx;&$~LRL^fxPe^_eOA@D=Cp}!_5iO{^ zjEnQP7+_lQ<6#smDq`YeW8saq`-l-*1{tQPDay2YX>d8(%j&|xpD{5)2W4nT$V0xY z##9U1NI!Gs^$ZlRL7!W>Q-w2%P(=Kk%JHOGS6ppbBZyG40Scn03cgXuK!56 zPOLw?BLIwBKjg0gi5J*%oR5obrveE?f`;{SUbpKQcK^o6w6G){$0bPmP#mqM8Ky@| zZPL^pB{!;OL#rMnCwYt)JHQ#H2Hy#X&DMIU)wmT9;PCO|7|g9yL=C=>a(q<6Q8B(M2&+kx{g77q%mIwQxvHhk2vBXQSrw+1tBpy$ zFM7Lq?B)SmrbX&UiJ3|Bdi7B}{3X22Yx|$m=W0QD>DI}#p3kE(l zsNu}{T;_J31k&}*VNDGaLmb!mHEYbH`Q6^&*f41otscCzPZ`p1CaeM+iM82)ZPrS; z-fvb0j59ZkuBN}}%s{|*;NMNlCGWK*dG@_x^?WZbel>zy7&2{@9{zVtIt0pU5-^!g z4N!vl?brLR>2tf*sikTey~|FlfUoSPv>dq(QzR>Rdb7KUM@fe%7Ud2)F6!qCqsQMUg;0}Y&O0IjOv9q=gs$+fhP8>d)U;wO8E?qxv4*w{-wL-J5!Bc| zzZN65=%=8i_zI@XJ^jU&6~(d_V5uBtAn3%HvUrhDB@_xK=WvS|tfHyHEf-cyLGY3& zr^!uH4-%%;$~129d>4$?Ni#YgTtEXVAo7Ga5OA&zSRM3K65}T#FsjSdf(8pC4r{E- zLYLyIwC2si!YpZR8|n+jhFc!Poymwqu)W?+wkLN-2s{Wu2qVrypbsUpdvE#8kQ32e zg1JeDOO{{hCK41nFd8`pM)2Wto*VRKaqnF&zmA@3ZTE61 zI99}=yt0Krprb6`h$N1`dmo*}hQue3%5H zd;u|f8a1LMEEBZ4C+EBops@Z|8D9mgYo?xP9|`^_h5rry`C3I$WvORyD&px<74GWkaLEKGO(;Y8ExMS9YM?D1+|-{qJ|~onEY-{K2xCvZtTIP^o7`J%P$jS zC}@gxg+?6VpXK|Qw4ZHn0m(R)qfQy-#9rwi+FHsaOKT_9m*Poc_UY_iw$0fiYV4k3 z;k5s?pOf`N3CyVrwT`=C?MT9LqcN=pSEmgL=$l^f$-JYn%K?$r4;*JX6UsQicyKHm z-pE`kMH7y^$C4alP@9*(40j_$c@fybd^F%Wv%p(q2BD1pUhcGbEUn(#R) z2&oD~LT`S)$6a>~jjcDG@cFj;2+;WyUYL&{JJz~Fb!7Hz&))8@VE{Kk$iM2YYd7OQ zZ^lsI{f>eV(gs1}J%I6z&ais6A+7xDA>TU<6cT>Oz@xnAMaOTS#WfmybEFR=y5FbT z3qsQmnHi$+2<@-vuh@YrNy7lbs&B@yR?2%kg1Di9P?3q4wR9ISc;O9N+(tXOCy1$M z7+C?xA|o%;*tLciOgcS7V47z7d+RPqU|LOVMWzaWX~FlVjl!E@ zXh5y0%rDgbAc{|*3*cG?7}Qpc%wI&o+;&RhT_#lX?DX{g2l2Gj9)E6wdZRYyCl%yy zYx14g2Er7&$7^hS(0;L;&6AZ{2aCMXZw>-~g0Gpc)~1{vcHZp^=>T*C;&0y5rardN 
zK9NY{m=on%MUu)mq!zIX?8||qAizZEaM}~FPd0066u0l9#_zI47Mpv)0XZ#dFv*gn zU)qu8i&1Z3I)UZ5fA+j4^KdZ0=m~AZqKuEumIDr&)mus_37h^NVb2Nw zGOWosU13aPsQO_Ef!{>4QA6H?506X8pWmWi6gk*|4to-XZL-Q9lJv|~7jn?6DK_*k zXaXh>4g(V#2$YPO3F8jTZ*m{*H~GvCC>QHW z`hPav%|DD>wMTZ`aP=91&VfYzwBIu>`jls9M-u5fmH*GZ6j-H0o^9YmGJc<-%~ujo z*f0-DH|u&6O(atEr_lX z!bQ*;u*?KdZDf1YMArby5@M5> zf1E1;+*E&Ee5j<7g3^QERf(P_VmN7=Z>v>J=B12Le)>r%VdKgFHoyI@WP7r%spl19 zvSP@r_fZajRb7J%S>O6Y#UZWGG?{c011zZgEwu+~Smr9O7BRzbZ2RZ8wOOu^{mJU4 zoJHAJRFUHWrSs!)nor!cX;r!^d7m?dq<=O(C!>&;&Tmcd+qD%j28XyzLP5?8RC(+> z@t9a%3XDHjx$gPT!$0PhmvYerJ2-ACbpO%_mf7(2q{zpzwgx4|1S0~j{tf=4*poR> zB1hkQ_(Z1oC|S4=pcQl-{STc2{0A#gmqEw$3iU%N*4*K< z+*?<{@pKRe($AjJSpuoX5x1f=eY3Hs0S(5W#rjwT>{@8uRT&^a`zDLEskvIKKr^hM z(Xn_|L7*NF46wi35GEGx@5uT)4!Kuux4y@WQ4ntBu%Y}em+i# zJ?rO0@ufXfwc!0pm}%lQV3?Q9gq=4GWDo)ppUtp)!-~tF+t5o9jvBrZT?jO}!?WhV z&v}^zg33t`Ytitq#_z&8NNe#z{v*XxjD0rQOQoVs3SIza!0QSSAdS`QLQZI)RmYZg zjly^!Rs$+P42)0>V7%bG7_Nq0Y-x5X84spLNJ$|qVlDiLvs4*gW?)qqto$6Y@uI{L z$I#r8)OQcnbc4?mP?pHgb_ej(PW*EOm&F!Tw1}>y;ge@Qf z89oEypqW8x?@1j~MBPr|&|>PY&-WTK9IXF>fKH=&eos2KwLugkbeD1g>ni}_<_GUN zg|DdxmNc>e{lW76ZUezLBlFq7BPc};n2i4dvaJag1w3eCRWe>=FT8<|ROq7_JOGD9 zv2TtNtGC=&B?qx@&SjX~r|Tkg1;U%%up}SDhKc_06<=86lcELvF#|ecVZVZxUQ6br z?rmbT4x9YrEAO7v2ZH9DWq;W03!HSCP#rh*Vz(eN86vsX4 z9VaC=TWm0SGW^();@>y}VYV3(qvazj{aXF51FTD@BbG(->}qv5WhpxGpu(u(!8VPV z{0q_0l%+t>fqTF#_f4RS@^|HpimU-H?nFxXbKLJehD>z-bmX1E_(a@kRlkdwm7*iv zGRikmI-DmrTxz$A1V&G)sAX#A*2!Z)-4Dt*2B6yBwKLJfs*iNHd+|XJKA2}JCnui&It9bTg{K!0t6*8rRBovQs z93BLH@lvrK=Rg;t&rqr`wdca#vw=IR7B38AB8bh{)I;}65U%`Ktj95M{K$`>lWe&8 zpiei&Mi8nSxZ|?WR&`oYYLBXTUEbnkulX)9N?nwwrv|yPdRP~=mjG~Bo=&?a2wD4@ zHCY1OO^<`q=xq|c-h8q*lMdFRjZF!tj0sxkD$2vhDZ2IfH#bZ~LNx}8fPOKjxhIbH z!;JzE*#3SJUCZqQm}krUU!ec{C5WWyZ>qnI>C?+SDyMHAGxk)90rd_iART`771pcp zw!s4;iidnL#QS^Sq3=Z>@1Op1XU9Y;OGs614v*k#40G*q$F>Ie9Q3IxSE<^A?6^2F zx`q%a9S&0yt2*8RI(!rd`)R|YM5t6p@A8~R`Fp*-PLD6YlgXMSN6O#XlLUS-&3uml z6R80z>%37!SCfMSI&Mx*6?sJ1IKU;wt;H{MhD=sIA}=&Cgk=QV0}4YT`f|{FRLQvf 
zOI`Ux=>e7~9dvXaxf01ki$X5DQkCH&wHM8JzO2mEfH-k5%tHxYsu;X@WsCe*7iW`teG-}ffYaHSEnBtU=uIrLZ^ z)l|=4snSQa&Wg+0%85Qeei?gCRwAM79ZjY|Bw<>BX%Zwq|WpTO5}XCA3B@n zr|O+1?z%`|zQop6)`;oPN_bQEtBzRv1idY?<3A+vnUgtaoGjigm|{tWe~j=}5R!X% zQspB!2GCaVtE(K+4JYlS*EL_X+gs1ha@Fz}4<2b9AT@M+FPUvOJKef{r1nGR?arJ? zQ=u_{nltg8q_H}!`rFH9NGV2wEhT&pfMEBBSVL>O2KJrSki_-x3F({>p?Vk(fwY#6 zvCIP_$j+3mubmd@H&#w;ch~J8gHiAKxk;en@E-V%Thp=naNbac4QD!gj>^JYWR5Eu{Xd@jiESkEf_S;Ywc66gy;_twGyb|xRQ*9K7 zQ@dD6c2BUs(H)5vEdnx1@>=#E5^LCG1^B*N2#9pCJLckO{7MNxwCo2RR3cK%6`+6( zENU-OfZn_A!mf>WN-}$x=``_Djy$6@A+XLs=p=&9cr`o4H>+n#kp?j5CBO!p0K!oZ zB&3h&)U2yW(WTIo?j6&7@;py+K*Aa{i``4#YpFmzOD!P}9%QYO+bh4Ta=Syl@!%yV zsK8*8&-YhpKMuLB_cNS1Hxf@;0i|!FEQCxj0HG0rspHkEccEsnCBo^ur+3<|PT^Uq zeQlSz%oe2+jJ+>E&~0Ra?E{JmDJ~!Mm47&Z+sn5$hZ-GEayq zsGrMLy=dXH^AmrE{Y7($?A2V(;vB=et4_%X?N}w}XIWI;JdH4{GaEdx!S3RA6JKQ+ z2o&J@vF*mTmN%iGtV?%pz)p57tk<2q4nMHV$FJzS5XDCNJdBPsDvjdQ?i@dZrm9tv z$M8=9^GozuseUYu+uYS(%UkuCi2>05v53E577F}yr9wgE-#+WMrrNE1;ky#nK=e3v zIgxB0Gzt${B;9i-d4YilNn@u_D{r3pEaZC^EM}qo_l_mUfA?_VRrBIoJhI4;p(#9J zg;r0S%6_9z@Y~RNnQyfYZmT+{y9A7~p>Y24`^5q0Z`Ajh@3k33l2vNIYw7!bZmN|J zJ2u*f4s9e3O|xjlW#}NZX%o7?14PJuXqH>vjF-;J5|_q#(wSQRrZ(bGEiI`72(=Mz zhhwqQz{qb|epc_9j2}Zk7GMBdS{qFl1VZcZ_U4^bpu1rT$)UPvqpA6%@t{YTl{nwM zy&Y~l1Y6qzT*yRQJ(T2p$x%+p{EbL8Y_5_BDRw3d{#KM-O@(XeIGdGB9PMtd97f3U zJbeyV3ir_tXOA)Uy;V}cxPg|d`teQ}?Bkg=_%h+cTZOkqQaXy3Fq%NgIpS7ag158S zyu8?GJ4JUUDRnjXG1Uo@*mqrCML&pp=WVc#O7LrTH*whF&vS7^>~NSA0G^Pe77c!hkMB+aR<`vCJW_4XRUkLzd~Qb;@z`amdkg< ztO@S#T7#n+oAR71NS<|BVW9eGLMf@5@~CWM0}WJdhbwr)tZXk7^4T3N%Q z!9H9U7w|OpRy$3ClB}-27GPjI44#kYgcpbspEs|}%Yy-WP(VgD^=cPH#&}_t-(a}x z=CO^rsxyf?!qca8X}QqxJ!q{v_ynaxJ%56)B)7J~*~3>D@NF{SGD>UBC12VEYprq6 zf*B&;KODL$KD|zKl4e^CGpKZ6EKVumXd1EnP&A}zd;Rq!`K{x$YDfWhmHLYc ztR>Z9!*B9t#B;g-xYH|`iM;|f@Mfu;pPN;bM}~wS;X&2Pt2B)x{QRLVq%WCpH5knH z$Dd*nLst0DnVQgmk=0j_%JdT(;6EzUNknqDy>n(sev{VOIE_J%=Tp(?`e#Bwh^i2y$fc@yQe{UdB)h6p9I7 z*+e-JT+XDwLpSz!a7+3-5{&&_oRa>o#A1JEVy(ZEQ|s^M&i!4RhyKni@9#bycHKnt 
zfWJ8(M^xa)<5|VW>VJKT#ZX=g@i^**UJ0kG2(MW5t|PueHXWH%e{2Av0$O@H25=~Y zkoIP)=D-lX8qg>%Bc_aYBpea^Z+8giixJ=+8h$RR-kFAK0$Np0uSI%CD4%y610XN_ zlH~zbY!H#cHMK{r0lfS+;=om%@q3;8?d8sv3^`qqGA;`FkpLg+Y>lHag3QDxBFm!` zKe{Lho+HH~E;311ejuniw{g$ru-`rymULeOUBCh0`$#SlaNSvo9>3Jr6#(!9^mhtx zL>=G$dLi+FD%8Anf9*Dkp$H>u$X|3vrnxX0ErTUN=U))xh{4~{Vl?!%)h9s_pzSdy z)ypz2+G z_{7fzAW2-%sK4L7a(8h-A-(9izd<<|C;h=3j7})<@pr7($J!7L&_(=Du1}y{{fhg3 zMd3BZ4Zy-9nSIF~a+)uI2UUy{F|KB9zitCP$dGEE4}G`)76aIlnv&_yRrr*K1eGIT0+)WfAzO2L$dj;(sxr+h&FV)~k(o4wNVGajHD4#P&%DW;mHpnKQ$ zPkVu2BbDISpxWRZ;p2+aK_WvS4^Oik;*CB>PNFPWqG2h4g-d^w9vzZzKf?lFD3ZLczMfC9KJBg_i0Il@^RJQiIc>>>%Wiy6y1-1;r)&m zgtrn5Up=Qb8R(1#`V1oeSP#ih5~*&-J@F;1YOb2-s36%|d^1o{H3s#2`oR(zUGLj& zi_hpa&S2{?ypYF!m%b9%;fLQiRf94utqPhZ;GMhq&vU{P9; zWu-!+s=7=?>}XL?ro^Ttn$IVcl_REcb0W>0)!!)*oXj;dh+(!-Kz25Vufk2?3TIyw zV?w?`br3(#w)miSj#9;xsaz3aYNDRuH})-Rjdet^mh{CMGJ$ar9kwVGEF4`pd=`4{ zP|+rDW$lcX89%zoH(P}iB=8jAl8R+5dGS00^?8{zw_*zyC7IM*SD7u@3Q$^=S|Fum zC_H|tLqmDSOljy34MMq#JZ1}ddezG8M6&@>e%#8yZQ`DiwSEyW)ihja#K5(&qg=7O z5nve$nIX3L&OFOpFKBUf=_=vAO}8+^`0bf#MmPWpoaPF|b*91K?5xDx={PG8$&MWCaM5<_%bZZzAmA zok-6D6|b|KvdeiRk%XrKoZzm7K(UQ`5~%aIFZed6fCX6B3Fe+&0w?vGE6! z*chrhQPf7ur%yOM{9~!!3Revm?;!gOQ21dnO?iz}t>_>CHu)RjsRoZpjUVP@m#s2F z`PMMITDS*k=(AzW+OolJHHmyEYrv?)+UpK`#Q@$X6Ab>9;|Gf@O+z{^SX&!hhyYwv z-L`;}zCf*LwDMQjZ;=G^)7Sxlx$DlxNoWU5=-gEy`Jb$MplL%jc`uG;Z$aW! 
z2RqRkMVO|)-y(zx9YFw1t4VtPhy1Sj;zCpX$t?d+w3X>*w_a&h^-`vReAhNJga5~RQjLyJw~gIpDgp znPSzRnMRE}u|z|1GtRhyL&gXU9jFE(6Mc_>5YihTcK4{B!e`8spLL6qLlgPbd?$Vp zPVjy~@=kwt#G1Tyz{SiM(Os_Kr!{U;|MC`FEp}?766PYG|Jcs%3Er-6eiEgipk-!4 ziD2ds+sn9*^wDnyCn-mdGz|?hO1JS7RzA;K=c>8!wPU*E-7Tt7gho*jBn6&)2S4Ac zfeoe}8JIVBXF%CJ^UidX>1@QwdsEi0piWDL8hPwbea4$MCUL~j9dBywEu$k3&&V*) zXfJ_-R;A(yU77&`WcY>1R>XFuKyMP(%2%zB{_3%{bRUv#P)6`QkMLgO@EFN}Ag3=i zIL^%{EIH>k^9l90Xi*tjZYo%_=)HwDE#4cGpHNYHAd~8$rEA|$+igC$XZAj!TPY2V zV-g!aB%Dd|(Z=8Pn*4Q^L)~floT5uBq9qogp_Kj)H|fxY@7T|s`CnFF(4?PJNXS`& z5vvG6R20r7+6m&$%mEH>s4WeW7J!AKhgi``HaNyJ97O%c5ADzVj3P>rkrYsI>7zX+ zWyozF(P%d!-aN5VBZY5U3vwoWwMjA?iwO!i#>epnjNZDF}bj?}!8^hDMRJ04$8u_tOzIO2P~QBTD)U*L`nz-yB50qM(8E zPgN3q+p04Sde%Zu5Tt%Geb!oIww*|Avw(17)PkvzeNBXX6WtARA%_%qa05WAvB_N$ zygsKml1R^xm{Sr~XD7%uOT-k(L5h}u2@-9U2_7evn`{^+S$!D?MWVGfZPC+Oqk1ZK zU1?EYn~u$!kEz@g7{)eQo`r3dk`>1<#7VsA-jIcq=n&L zjl{Hi_}0MvE;!0`BLI(ijWxj76C0?Y+$ig7bqyspGL4mzXGE2VlW0^V?IDc^-u3Vp zY!vw>sES$F)xdoM;0_}%pynKTjjLLR;(XA_cI8oRlw{HPzKOof!y&c1$#+QYjB*y~ zsxur4Z(9WwC9UGCrt4^9-P4Q`msC{#08M#T zsW5(jq&V4y&so`kUYlK^Pb+0zuL&Ob%3=5Yv$?V#_qM)5Z=38odXhQWw(l3o=D`h! 
z@ou8ibb)}VD!+0|f2?L`LbLWe1?~)YcIb-4Nee}5;U5o{SP&QI)-`~a0wTNJVb@#8 zGja|2Y3T1*cpnf=4*#9M39IRxjIy|S1+&8a6@m?{LhQ@TriO|$5afrh2EF&Cv0kfE z{ceX>ia>N1KqEf0efB%u(IB3K$FYJ{qZ~7umHjYuPu_)N$3XhnWd1gvv(5%lo-V=m z0BYHiI91%_dkP=!l_jBlz2MKKxr&u>H#tzqn8_y5335Xf<=Z$T`{3uWN)|a_#BNT} zX?-98a;1FVf?9kMo*1Z<3-s<|GysEC00<0;Mq;5rAe6;{BCHQY1!!qXX0u_cqc{-K zkWs)GFaQ8B0D!>+0DeQ;bwpgWh-nuS6NE~M0TyjUgIUrEIuV5Ayyz8;&^_^SA_3pl z-D9Zh{gpcdHHopAY-88z;^|rDA=ZI{q1lYG1vP2vj0lFtCba=I6r$*7dq}pS>wVm< zCvmb!U0B<}9jk`0+lD7~a@18vzm!j^x*z^Xgt~`rDOCt6JPAotNO!|J{EvHfKiC7> zSz{bqhC|G;Yr8&zIADHszFDi?7{48V*W_$?!Ub@W58BQ&pkQNn1@tTZ^3+6Pm)WJr zdRlYxC~BaQ32?*VvJDqXn0iH^tTT7163Y1bQz@`wlMp!ToqgIn|MPXi;G`rAOL^;* zp@AGt>pYWBkYZDS%ZvMjbCaMT|Cnh&iDV&kD(7#OK`~Oo_1H*mYtM7ZqVmeQ)NlC- zL-u-XE0K|z2z_eYHyTH6?cyUUVF|k*Otn$j$VKnYF%ib)cG){fT zwoFXjTY98nE-Kbb^ScGV3K!Z1ur>I~Q}pCiPvI)fD)0o2VkOaY0RCkjl$d)SCrG}m zo!TZhyGB`xw2rDh#K`(yyUPrLGwnSu(i%MXi8dhv@>-xB&ths}A#A|UrNXE5n!(>J z5dsEd(;=a{2m4~@8eOJfk__}$o}hMnJKG(?;3qSIY-yZ|n;fTXX0V06Gy2rAg&)7r zYhtZ&IKw!j4E<$@lM<+e<<%U!xNE`nE$ih}=c-*jLKLC#eN6~W)g2Ol2HJT@KXoux z=0o=(Dkh?(k9DQ2wu{yiwuF}7yoZSiVm$yu@fFbB5MGG|v@&6&%&5Ao!!w&66C)wx z5!W;{o7vi#A$D$2&Ya1$o{LXFV?=q5A6E>nBsUkZ-rai(eT#-MQw#0p--zO|pFS%p zyF3Kl%eJ~9N%Wc~1+CCb(@Yo)G^`x*o#K|0qwyaP69YS;QOu`Z_eqjXG(1H;@t>0Ffv%};55#q5wM;7RtDJHW7E!3 z?uzKs_aMl$F(RwZx}TnEdO>edJz&pVkm90@{*&)ZMl5`8Y|`_f9#1sTYKD^RWi6mu zU@fRDlz7whb}22EzUD$U{f%NvX~djI{xWabu~XJ)uVSN?px&-6C7rT>>mB=L!+ z^zKa0q$f`6z&{JkM~T|tfDJg;*zgz82{>k}aB$Cqbati&Jh|DRLF&q^oA4!DYKdv7 zAX4p`7OWu=yPtO$$XfYrQKPqAJE#Nd{e?BFC`vv~4DLQNMOdoXEYro16J&n(E#qS7 z_!DxYygxgH!l|eD1LTow4rsQc2AGnDtpJ8*Hd&5wd!B(jPqk#yn9Mb&4t@L}_Zf>L zn4zYZV+!DfXCmD=8;`2Drwq39+Y4Q|h;aQ;5et#VBV8z9euwtuPhby%%y~qplLDbm zz{}kw1hEFT@SX`;PKvKc88R0YsZiEz|e?98lA^dF;_ke-Z_%UR^Ob6|}h5_rWI!zSTzJ(}6 zhfcoohFjpPZ=vPLPzCf=Z9|#QD!tStbWR%Ajq~|`QrplnIBo7SVGO()q!9->qG)$M z#ioE@`iak?1EL&Biuh7qj4a@m(ANPN{;@LL1Y@yGG=8 z%;S45uJ4MW!$H$o`sN$k2R}_2ti|lF0@Jwx@=MyWBkNbalXD2X9P9&7vI>%^Am-*h&hH 
z&X%u)k1hmFHbwKin}RV2%OjE@Yip!hU!95qyZw{^ymSj%Jr>K0F{F3qLsPI*W)1A0 zBJ}*$V`hawaS9?b@a9KNa_W8!h`R}0Vjh-w#9i-(CN1bs! zG{n^gn+jNR;mA#P%$H*w4W;`R=6`piaH;3dxyV&?zE-8>$e^j2Q(ep}b(6%? z;RiJK23(r+dzq;N>|qlc*Xasvwq($dmWJbNaAZ!8rJ_U3XjV6z28?I% zYm_vnDVV$Cxz-{O5%<|@O06V$FUcab_n>(wjA8SCpQ(%lfO<7>G^a>ojd9@MC?^5D zg6qEf&HJF&dlor9XErgv_whja8I%ZdM)yUaeiZQ3dOQPA+;Z3a@iB((f}t+kW(2_l zS*m$QKV!BdGMXA!oWjqPL@=)Bdtxa_E+ODzv$&x!%sNC@a*mB+1I}TYi<2SjT~n)7 zvXX$j;T4Z)&2jOckvACnP0FlgSfacRCLT7u`j-pY(Q(K+oJid~r%kVJ1C^p$6t1;N zF|6l#K$tE+g_hP>Y4+CuJyL<%8s-}z+Khl`vBa45{_dlUKE?P46PWb49v3vGMd|5J zo|PwAiV=|mV0)etwAgb9Jr4-8O%Kf=u!d^I_W(Ca9_HV=?qSA(=vO@i0)Pja`dr;) z$qM~)>?~9pc>SPpSJc;~ga$w-4N-M%3b@euQRzt(Ct9C2cIgk@aax?V3~HpJSR;csh#j{3_EVo zkX@tTQKCF*M?cWbU9S4mQ@7#aYCIw|qqUmy#z!fb>39^;Fg_=8O7L?=Z7%;9V*Zi7 zVPGn8i-~pvRU_^ZSwJ#XcVozPpZ;1;YG;k4i5ffq)?pW+_(zE3eJdoRdqiv<7xwe@ zz>X0)jxYa)v_BYpg{NY6cUI0}1cur_$F(*eruSdlStJ`v`mG?7YnU=5r`dPh)t_7O z3I;s11hqzHtEJI8RFEUXz$*t^&Vo@*ftg_d(jr^B6vX;Cejw(W7mH!+vnBq2D{j`R z>~P))9-eDK$5BZ$+AL3vs|PU>IM}c%)XzY{f8LY09a22M8P~Gyl9TtX3cLlPQI`KP zHp>N)4z%VBwLtd{BU!-xkW5bZm4%n<$S`}~-oiDr^0R{4BOkr!4itFVkY9|Tlg<#n zo~ANC+~=HKZ{^*i$D>*!QpqHW>pl_NAKbhG&V2!w;bV0Lx5VVukh+l$g0_0Krp_ zlmfuxZxc|<#C@>B!{cW&)A{nm_5Z(^-n7|ou^LRBH)XB0yMk3Q&V8=-?spuLu+>W} z`HrA#ubg{zXpOKNpT?&;HS6`9!jzJU0T34GmhcmRZC+uDLq~jUhLah}Xhd^{l{s31 zeN&Nmy58VB>bc6KHt8}AE>r9p&om2q>%kKHbMpEgS`3)kr4u&rwQ;T0u(aKZU|^|{ z&l+$Bym^ZR$j782l_tBhDadzy@`u)!FTF5o6obf}t0i6u#o6_>nC2W|7k?y<^EQ35 z1v+%N0W>!AaLKR{44GD|3;2gCW1>F*cveTrzU0qb0rI6DzF^h80$ZR2%PYDoWnqZ- z1uiu`n)`9dQ;g4|n>yk*6O-sPK;1ZgT$=tvJHLj8Sk0f1JxR%#Qri<*l^YwERWhaE zo0kbBchJQ8@Qr?qYg%GV=(^Pp*tN$-HSb4&oGs+dU1X4a@-9SWf7YIU`L-Tf0TJ}> zuINroG$s%$!uK7F#%a3aBbN$h`n-!PY5Mie;ReD`U5QPn2Y`ZpWe}_#=5Q(*SD9Ug z1(LDdMha480zn@wood*8mTJq3I&z|8qXETSmyskeq;z+{=9@AMNU|KbpdW}g0<^Q; zb!1)OzmJUpivRp*z9N0(=!nt6(S~YZ6YsjJi9#%E5e_HZA6Rk!=;P<4V{>yKK~H30 zhS5tXT35O{;()lc02-+2hCTQ#*%k&$Bos|_(a4+$R*E^J9v`2&@x@Z~&ubj$*Uau# zm$R0sEH6SkhM(@*tJ4>U9)R4A;PA|5N`Fb_;&JS1_mrkClFWxLj4@a`|9zclhq|KB 
z%h&DtNzEZ{yUD;bod&@;;fw*f-FQ@>SOe2;B)Y00 zN%X1&HupSgTLYMopa=ePdso#Z7j9Bw`ixGi4G|4#Uv&#(HavtnB8eW z$OX5q8K43;&5XFv<5BWWDh5j=)0W_AHGA2RIoU*9a>+CL=;!lRkPk(V4OY7MVl=yh z%jr3EEm8rh3H&I0!ua%;;U|CD=x4T!Js2N+V8|f{sKaj`$-&1t>km9XF4dZk zJ{)z1hNDWXITn{NOO$>C*)AQ8tk^)FPBK~M(u#A@9h4)aWqwO7raOHxS4>J;>Hh-bh@D9T^hr1!BLGY!Mw020)C zP-btYc;o2KFW_Ffqw`LPENc?Q$nh7uCNE*Y-o6G|`>Ws&M^Z>1mBPT8EVXrmqq+JTw>Ekg;MY&k?%IKq zk@&@S4W8zz1#Qm6cP}!fLiSY5!|SV(0OcPJvyZv-n1T>D{IiaO-w1yH39r{cXFm1vb!ViS*x9Q>J#2Z|I-D94-*heH1sP#zmg3_Na0r)6`sLT}J2qj@ABAYhB z&X>{P)N(u!{!yf^f{AK1j}X|VBYE7p)fsmEqh>b2ZY=ZvcxJmZPm|!VBIM;jA6;O9 z{UDAE_-WDMMwn6tWa9g|Q0JV5!cpcr!y-4-rwk-BI!41`KnXpA$A`pWT?||9IP07P z8EbT(hj3GDYrJR;aH40Wk(}q-T=DXep|Q{gT(lEmoXefLFj)gHs#?IgizG`XXL>@3 z%_UtXN@N-eD9QOlm$T>IrcLUAN#3tnc+m-C3^pS07)LW21gL`tB7L~N<0bgs?ZJ;E5+qeZzWIsf8f6|!OA zh6&Q^u$MGLV|QAFV(kM+x)C$2Q=nN{*pMSOd8I&IMYSiP=l+MTNRa_TWYzu80C*a^ ztF*DZT!{Wti`#1SF%!-T9MWVhjX*@Wfrn3DJkc?|>p+kb8@~Z=38zY%my&&JNYBme z_U=75<@naLPLVyy=ic-xw-6+RaGh91r^EySwTXtDba}J8iml_o5~0x}Y~R@4B1ADy zbx>O;w9*W+MqFUEsHGX>7s|eXkFd^o zjz1nNpdeMc);*|&%i;V$UT`fDKfhXxO25g`2{Po~WNY`-ndVKTP?QZa+`$9?PKJ&= zGlnXITo2R!qIRRBHlOMR%Qk?){09u9It`h;tm^@JNJ@bmux6%`^-S!6v|W{-laT5w zM1N2>pQ@~rX&+hh4o>X=x;NMgB%Bx}5i@sdj=)+~AC7)dW$a)eSqhRR(%*P=I3@jPP=Hn1Zcwx!R_AX1(*8+mN zw7En3s6%cO0<42{FHZux2zahNj2?v^*SK^cpltx#`;8QW#{5{u+CNXi>Y~rYg1Sgg z3>2(~K&mdb52X?j=4HVVa6NqjKI5W77w`0&h0Pddz%)Ee$BNtIh-CIJjW$|{Z0USe zFlB$1f#yp(4(EgQPb4!Kqz+5xcx-YhsGbcN;g3<7R0bNVO;_+ev=^0X8seX{wbrnjCRB5e zFK178ED4M^-0&Ym$YTDo2s9AAJEgYy9FOU*55VG$T#P4y!awnyYKx&t%;EoBRUR^h z7X#4t+@ZA{ZH5JoPQ%E+BtN`2BB7c-FvwA*DB zoib=@0=>@R)E?fNdI$oyKwpW$ISqqsclP3!&VTr^{0KafPgavpv(qS(phoETh{fD0 zKh^OmCG#uZiB)h1YL6Ei?^1jjrnd$w6cRfws=mERsT~ORi0xRrHx8L{)_?|qv(Y&W zY&(w}4s9biheDW!T)g-Nrqjq*7JHD9s@j10rFwMg7YEKq{j4p~?yos{FVZtsh1Yd> zb6n0F+$02ES|ztMu~Ka(wEXFvy{6Cp_!;><6v^%`w8a3i_QlQ8AW1Hze^dR~d^q0s zaIUmpT-gvOi>3riYG{faFU^HFx)x!Jg8e9HNaA5z(EmJ4=p9QL*#sJ80I)ooT)o21 zp5%kAL19pRy`_n^CGcd^|9^kU)cZTm(@+lE_zd9%w^hhab_#{wO9b4U7QjAbklg&cl3O$){8 
z3YfXz(_e!zJJ@fTU_`L%xSg%kUuMaeA;6O~Tvz<@3Vu339ICwhYi;Y|3BalVTZ@Dx(8sxpvcVgknLJA7yVQu0m&H{q7D)-W2^rd3*3N6v9e4Y_JhCd! zXm08m-gxw;lpz&0R+KswHgMSjN@Fx;=wVsx8wC0kqD@oC=gSAZPd6F2txjw}BW@m= zogUG+ZeDZEU6@2%%z8jvcHe6DO9{-(md|R+>u@z1PmrY~X$vq#<3)ALI;INT5K8WV z_`D%Pur&U`KaC=t*IrbR@A5z3K5f^2jq(TXb3S2|&9nSQ>{ce8=p?DCJjSy<8Y@?B z?eZB_dsIuedoy@X_@bp}c*ZT2_d9dOo*SRML+Y7?fJdce_cq;N82$Wl+$i3|0}w}4 z4KsCR4KCHqG2!WyZgeq8%|!iRX={f%2{vnivPjQ&O3e+ji81O< znb{6;niia4YuP?P**eNoy>7;2;YqqtgOuDPQW3rP1uXc=X>DHKdIU=bsC3>#Asm1` zB<}lolRsO0jSF8W&na=fbSFd6I1a%AOAm19L@T~&tL znSl=Qvr^D^2?j_yun_q1L;oz?e*@j2vkpp9tzHunj&LtX1>9`{HWxt!=pQPMYJ+Rp zJs2GV$6leWRKVSKvr}A$oiqHlwDu10e}X@~qOA6DE>o;Hq0CHnw>G zQI?sXmb_r;dX&5mok2sp%HFqQ#6IL$`V0?dyq-F*^IaQfGpOXd;Ta&^G!aH-x$-A# zjw=kCv+?-w3un4*mmGKfyAd#G5RjKSu92ynTkC`jUyztI#s4PQtST0q&Bnj;Vmh_s z0;_^~F1ibx#v|jQ9S{Gho|OLHy$oa}H^v}(u1@r~m|tzdF!&khyU;FM^7gjtxuoyb z$U!CjEoyEdkps4Si27C!ckP}_84dzv_8;(H*XIS&i<;oZZEq~1LEt_gN0^X@t&I%i zNeG9F&5{*h>Zh29>vF^`Ci|*LXKEZ+`EYMbhRygH2j4?Ja3DO8vm2M|2eaYJep7M5 zqps0#Ry070_(T*a$uM73lkle>(+>`TxQgaIU`ww7GsA_OoWXDW0EMMw@6M=Ib}M>2 zA&d;*sWz!b5Q(BR!&T65JY`?mN~{R1^jL`IQ}9lP@E{XBkTE{MS+B=Pf!=bufg(tl zTbVf`qV-r-A1ACFo3B<2(R~o#km7@cj}21pq54?FXPL|I(=va3h*@D}R(!^=kqYPY z3awyeuyTN7GUz1G%9}9S*&Vo#HyEOY9Rmp-2^3uhwuxIW zB|?`e*3N$x`9^bD2+C483AeUE(|On!LS-O}&S|C;`Vjcd;c_RnAdITqkB&pb3*FjH zRY5zIU|7?wo~()QJ%~<2NSz3edpFAB=AD6bKh)JW)trmHw_fRvrS2U55uW{zE2bejhFdt@Uy(ggTe4wr8 zI|C+pUX#jiu7)HAsKMZvhwW?|lfFWC#;;TC5ftWb+K{zD(#%Q-e1Z>N(hArdXE-d$ zU6`?kJb+rp0R+r?FyFqzoFv)#u)22W@t$ravcHx4)xGbLJ&sYK>2aY991Q9V{dzB;c>?vf14D5E4po@-=`X!A{TllB!@>Xw zM^v9h=4c7AvoR^#~Ef z;zan^&X5c9A2RfT(1OTfF|?I*qR#XaEzOq?OgNS)fnH&N333ngD<<%Iwe_UJ05I$T z<3MiC{{NF6;6QFzU63#2`5WoQGV}Ee8TA~HVI$Mr0em>m ze!Z%YwMZ?=aQR$CP2>+qD4Q|WgS zn;Cb3n-%D~*sFGB2hv6Y{-Pz;1+!P@%7Bv^YzwdUE+u1Zc~2F9Ad?leAlooiL9*86 zF08)EBpp1i+2xE9z3cuxEU)!F)RhuXAyO zIeI*AM=99}1rUg-ek`fFn9vyD`B&jOWKQ4P5k7jN@*UkK33nQ$N3B}s8nfTkD!*7L z*A3x8*h~C5iOR`)n5MGa>NJ?U?%b>pvOgVfFOQbmY>En 
z!ttVKnhunnI~nY(l88?QnwwwuBYgSvhKC3BtO4Xu2Uadl*=pu>j6`Gg{MpW#)y!`s zkY?F9l_hFIx%KDVbZ;eHasJ+gudQK;-Q#WO0CM}F;WzSP;FX{O7d;EFrX3+VuR+5k z1_cpG1l<;sA7iZ?BToMrts8pW&|z&-M~~3_^M8$Aqj|*hUmo^cIGB5GW`FXT!9$RK zkU<2&TPLJ$z(a^*P3)AUCzY1yhC%iH_{_xY-q~Ab$voWF4y_<-g7uG(zn>z(;8T66 zIAEuH*4KepcOF1o4A8ODT8nrQ6v5Q&|1Vm7YCafkA@oK&ErFCobR*KOSRx@ zeJ70nC?xX4gP$MO89Y5qL-t}upB%vv$bn_?a#tqqMU1?in>X3%0(6UrIqvV;_1hYS z!=p-n>=BV*B6!Hhp7+E40LDXVi6#bMzt%oOa}=kD>R8LDu8KVsk^j2!EDn@0T>jBa_4T16*kWCWyre!wemh+(XsDDV zhKwE@yMcKy3tq>$a(FZQMl_UL94cnlaU2HJH`xeWz=7)>cMtYSNex7+kEx*YP1nwg}b8Gr1d9J6o7X3>BS%#SH%*NjxZ z-mqt*Oc(Gn052!JfA4sy`{7%vmj2OJqVjMxUq5c?+OkQ<baGT~jx zf%#0d#Q=&qp1}uh7#sL2J(6-TSE1rWX(}cSy!Fai@aSJA_c(*1=yNI3a5=#^w(Jn9e{=fi{+aBSek~Q5e27d-;!gaT7=`ZB*$c z6xh5338dPXb+1h7w-r{e+BC3-L=+-Nl7C|_mo-G>$3X zq%@XS5GaP)vyx4Rjqd@U8D?88Q!~r|+?tz~mJyE`6B<9QC*uHO0!MW?4d&2JRv0U= z4B^0f+Iw|P8BIwh7w$A!$uJ|fjcww`bJVE!MAX~9y#F)1(|eWn$qLTg9jHY=8LQ-4 zfUg$ei#Dh{fm374IdT}Z34jk&p??VM-RAWf^Blth$k~ne8({9jCVFXDJ^Ddb^KJG) zZwXP+L!SIfM{SX@)oB6IHAdkx)0kj=dR_)7wFiU8qUVLjnh%K~z@z(HLds=yiqTf39Q=ka)q|V!@(g2x zYrd8AEDXCU)!rgN&sa1D4@uuOg~H^3_c6RW|XSbe#!jKKLhTZA=Gs z(QNv%^8&|fG7Z-aJwpQ^kh7w;YI$h&qH&q&@E0$jn*`0c97B*h%(wJ;@rtj^uu?lB+Y2l7JIFHrB-J)^vf<@UJ7ydFY zsB4lz(~rRZ!>8&KhiZJ0Q6h0pJ`5mp7u!pb2Z1ylnc#iogh6`P|8u1vLiN{8LH>rK z@it$PJ9AdVjrBMe@W39+r{?rbP-SehH#To#&m+{D0^+*6L*jnWeI?FTbo2iK^Kid9 zy}sT13ZMGm0a5W=4i;JtQa<;eAsP2UL+gGJ3%-GVQ^0ll}*7gqR4lg5`@Ffj6DYE8WGx%S|%5s6>8efGrO1(fKX~~jc0@ge&%%j|Il{I3ry|k zfL>4Pt^t(@Ugr+u#~0kL2{w_C2_#%h6pw)+L9(R)n3(gChU4~nspye!X$V1dlH%@% z$Us~tz#K7TNH^JJ=c?(Nh3|R}0xxFoDza@+tnPXv#xoMW_MC7GA18Gu2 zQWttH{XNDK5F_dDL-+y$(NXl(zoDD5G`&V<4$4J06rU(7g`oG;liRUu-n=)1Ch5&; zn|s7tM7iq;cYjk z?=D9v3`xOm7KI*`|)+sc~0v(z*lGKgObt@*=FOVIzZ!|?kdZgdP}~J)gFg) zN5ofv!CQBRbKW?z5v1;Lz-zLSCOIRgZuyhjNu(le8aD2q%4rfd3}Y>#^$f{n$pU+s ztlV!EYqqrNx#7CXRFBuwacEkH>;^;x{29^(kH#4W^}(M9QpDhoa6%b06XO4TEKN*Q z5#FB&P?rUs14AP4tL%{U-r6Q>r#zQPrEw#$pY zSdrxJp0S!-!wUdh8)sKkF)!P~=tg-Lm%=?s9k=kKa2s$Dk9^HY+w3F&tZ*C&4u|x= 
zYOv`EEQwS-`E(;ht(cDRrz9UJD#r&@BK3X0*w`Dx;X8ch=AEOGV1|E3uh@aGapo6_ z0|5-jWha0=|MN2fi$km5Jg}4wVA!+gz$SP2zzfkjcw6&=2NsimuO@fjNz2mOW@~{M zGqQtm&0{k8FlZ2gSeHkKJJn+~9uKwtu($L*fBJk%9wi6x0?qbPG9lSB4#Kk&65at` z8=CI1>A?_8fl$mq2+W2lAq(HtOl?^VulzDkl-hu!8}Q0n9l&%Y3;CQYQp*8Ww$Fi; zG50A&QXx%KN*q1+n5#T|X-Y&t2Tu4TAc|2?>PqgTxLWIgLzdGdhN)9%$CT}36c2gz zD)gUv&lHPcI^iM@g?hHAL5|aPc@y9-JAGbq^fF_H6UY86!>+0kIF}FRU@B@=kxf*F zSE{+Phcx*`P}xE(8RKL~NwJaAH()*XykGLT=~nB9OG}`vG~5$Gp#iEfXk?Gkdc?KCo4pZ;=rrpRpF%(TpdUXz z@za?W>BJ8Ma4i**O(p7)TnvY$A!Jn+03&mR&^+AjN326c!D|xivOg&k+|o&F8*b=NuF>IIyUultZt!eS)f6?2Sf z#&=nCL;yZrJ-MDkQBhjMgz4jq&8FpfCyjb#_5Sw#q!S6w#02$y?xfFsLd##1(UFuM zdYJmNdwQLJ48~G%!vpZIWJ}ax-%;JQQ2CM$xSL}`&;(AyTlL%5P{jUWNI%_Dxz;g+ zPJr(}u&h01#(ry7P=7UmcEkD`m-)br`8Y~xAaOri%U_p+KbZdKaE5nut4?1aK=$G_ zRYfKpjKKC#cCVtrR*Lx4s&{+dFeYWxMXlda5GND3dv-SzV>QuQ4Oun!3y*oN3SOBz zALR4*x@+x3E?93&*+S5qxc5O^9P?^ik-qb&ed1m2j-KIBP{ziv5u=^$b& zb*BMgAi5;m@LbKVfFp$$(wVgEFz>Zdu|D(`UV(3)rD9JO^%7T z)$sH-^Q5ca8LoZYyXlyhNESHZaE5ZKsMgIh1(AT636e)DJv>_00ERh{-5$L0g%)Prx zmJAm z;DG(I*ecmyj!VTZM1qF{G!Cie%NAlwq}Nw~*QcSt+4iQm1C(U^2;cUt5_L_9^?;bc?7*N*>Z)ai$c~F?TLVo9Eiou=s}~xdqc&wd4R!SAsH$1|DB^ zL1eb5cO+e+H$c}VysnvLUfFOJK2AS~K^q9^eC^J412sCdpyfr8C?JV&yC~ir7UM>q z#(7|@zil?iwr$LWaICeNYPpLY`#x+W4|F%6+=tl4r++LAoB~NX56HY~tL0YDQ{=(0 zLabxdE0M7EB^(xBZBpenOY&?}owgY6P`J29`wJW_ckbZPOaSuWK2&o1__;v=S~(wB z@Nt0rXdcP%)YzR6^X0u1jsYIocBJssp`bXMB!1M-xl)NpH##2~Ed)k_Rg+asU>pKv z@IbO*W@BEj=tmP=pk6R=NX4-*K6_BDU=Nq&~ z?3B!C+K6!o^G6%+RRFka=!erH9{cP9fUDuy{lcG3_#&lB&7pAFQ~{|ti+ z$_O8Av+YH)7X6lVD_H-D2FgnjzG%k72xmAJnD*Uug`=X@Mr~_};hoWVYGi z)&Sdvq1`V+$0T{2q2-05C-oay)x^EUqwLu{OL#SI>@6By#_tOWdozI2CFo+`rw3|M zCcv&WpDx7<7|Z~&IDLez0*H_lPq@CCJ2IrBh6@(!$BGgf7Zvi3W$pWVLCEu!CsL_H8?G{0 zM1f^vMlwHsE$)fLC}V;me>z|FRS=_k&JgCaG3q(cvBuSFU!*Oo@2Qv(4T*6$U3>5C zDcd3@kBPjsR3~Un-l92Qq8vk)9h2h;}%PQ8+5m?_gC+hpdgMy^n0}Udxaz>$*|07em)< zz@1~tRpl4*tE&n8%Z?;Y%qS>DtREIw!H%TeD5j8t48_^C`{Si+7o^Azo6ZxDnD 
zY`&AGoow(7*v$e=r6e=+*a5fR1hDlu4F`A2Lu*>_HqfU%t)%*8dSX%!j9xzQh?#aPtc#>P#>FT|hVkC^w1GTfdY4Jyy&t zWBg}=wxh1KH7CUqS^Rm+v;Z4EgAqapI;Ju}`|d#jqcUv%lxFi#^S`XsmXSe|oS$)NLDV0fV^x=8 zbPtReN=#OnH=K}jn@*Ra4%LoR+nGF@#3h)P<08-vY~-SNf>@_I91te#yru(XX6}_6 ztl>dzO`zf41C*JMfru}7=f`ejCYo0EoLwM?j!_p&^x1yiZe0Y=_+Y!I*ivPW+HnU^ zntxd7+ew=jnmD@Ag#gYV(}2znlDg#QjZeXZdH_PPEN~K$2Hwf>*9xE)+C#1wF$GG3 zj$IuAQYSW5Quwi(I!y~rcP~+9ECS=yr<`5DkXt1Z9!zi@3J)iphfFeMr2iGI40V~l z%0e7Mg6|nkwdCY;T8x8V(BEp4IgbH0)P>C&}QYND5h(>47nndFV(8}RB+RCKOvX-5g}JbVQG3{)SNf-4)02t6;{ zu<(2N&ebMjvt21X9ncse!h(_9Svs8OQ3mtr~h@XF>bFH=%mWnI=|qm~VGZ zpA(dQqudgiJ|Tt9&Nv=^sSExK;}z#Is-K+c!cA_>d>$*rd}uu}Wr_v+WOJiKo$$q~ zzmj#s{5Xl2>T6#?+W-Mf6q4;67+{$%q%4w&{tpC0jvhn=ALx&CS&Wa(|c-ee~ z4F`z(p?F@Wz{o1W&Pak$j{#U_zgf({W-<2zgP&;(=g9X~O7ZoKTTK%Q8o_+@cGFH& zC0_Zzw{|V-7+9wGv(wGYO(*>DD0HA_b$G$%;4F(wW#fGb3_<4HRH-ir! zt5Y0rE;~oV)Qa=|+YL!QjQYxs&i`IFAr51kW74N41^5dP-o}Niloo;U?XbwHwaw^x zrVnm$7A=iY!OraOjGtV3ESA0MO<)YB^!tR#>l6-#VME&8(7TwlPABAYidx?3RE`%c zyd1Lw!66B6$YXM`${|#%l+_JGpqfRojvTs1hU>2f^vD@n?rE1vbQZY0K8+vkbrVQm_L*tBArp_I32{mfR z)SIY7mJ3%7%+C5c<^Zk~2XC4?q87d_j+wr^N5;v?F^Q0R5&_cVQX$tOVDu0 zK37uOo$3BZ1f*Z8r4T)s8jdS6Cw6}9Y36XlzgwUklfI39{lEbTC2b%8*tu?LI(9R- z2bbxOKd%s+@hi1oeaK}5s!9$EiMxEdM^Bf|3xofJ43i-oi)4J>0f|CAz+R|=D*SCf z%#HOuDU^Y2FT;wmQKdzec=`-(l{1%cT7fPW#{O}7X~+%eniM-cd+UxrVp}J}e+G(i zV(#-k=^&%$T~xI>%S*{|Hvrn|AI>_j{rp))*%|jR;A+4$7V%)JY3rjPH)G^p~eOBeNnwMk%$~l+6 z?%`2yu>95iD5B0elidz~nx^*n4Wcui zxFOV|7W02Q$)BCi2#qAj;Rc^ag?7|*q^Is&Kw2;$kacXPa+%1|B9=BmfU);HI`7EI z{dC6WA+d`ybas5nkjc^MVhx)~LI9~G7(EhFfb*H@gbYAGQ@AVz0PZF@`GyqIL*Bnlr_VEe{p0Or~mO*PggTfvxVTfK{=m(|HX%Yd467) zNn4qywRHFZ_zr$Ni^y-g(mU|8UJZ?MpP}M5zj2#jJQ0XZg3cPRA?JvwsL8g^8G{kqkbTsKOq4B&8R(m@@&4QECfd_ zd(Fc`-sHp@*+LVnN%J$2In&&5GFi@0x=Kfs;jHfF?N)lQn@8UIA4aIb<7bDt*m>E^Br89J zVvWH9muIk^P~8r?-*_C4X3&AMwhv%KBBr?|z%vJ?4TNLDeTK2cS~~%xvOx2jbHb_7 z6amy#1|~FkGh)P)2L;`O916pBs;E(-K^1_t*?JIe?CfV;=Q`V3ZH;gRP9L0O<8|Q z2uPDK(OXPW5=QscF#;0{%%Di^3%{0Kd=(Ujd0|%B-(R@`&OF3D?q>LIBgaB!fl 
zTlIzg*BI3Qs)wWrSW*X4vkGGi=l4~^!{VR%u^RYXZ?O$5fc;YLNu86)=V zXxl2V18>SS=od=5Jw+g;<{4DB*;(wRGmmP9c(ey>cA||ryN1G$Wh@0^^lF*q@AnhZ-z;j7QL9FJ^C69+;wpfA3hJkOu`Ao>IM5tdttrtU-wLGVhV%|>u znBwm;1E9Lyx^^Of7p!;iXk+|pcgJWNE!}MVs4czrKGLiXf3K-5wbT{WrQ=Q*uO2a1 zdTl9Hk57t z565C$J9LD(MXge>GWM1(ju@9{rHf*%SZp5IwM^8it=cwNfR`#`n<-PbHcQc_ffIg8 z4?9H{wQ8&Uy1a7+me|Tgn6@T~**V+Fp~&5`<}|{0o4rM{w3H%R<)U?6-kL|2EiuGn z%h1&cl{FXOv3NFict)#&$BSaqw6u9NvTJY(K0Aj-69WE64N&6A(V{fnmA5)kpb%%x zfnq$wu@ndzT@!R;=CYXm&GtJDX#rlFEf>v=YG_uy7&5lxbVkrW9POy^e-fsL0=0e>to8qsf-79k;D4Q4>J1BRpgL)YHjd=XwUu>_dD`^a5=w+Z+Hz znyjz6ZONw}tj*t|TjqV{Mx)BsM)Mp9-6LziLFTvQ$Ki$v=xE$=#s% zOB);W8a9@A-WE3pJ`or@L)y4g7BXsnr5 zJRJ=oCHn}UwIjDB7cH`Y=0}46(h;-Ka1{BW7AxCM#5=pq=1{!aN`BD*Dn{@n)9^`; z^ACXIIL~a`861h|)s~$4>A*3=X;Y4;Si8)Iy<^yU1tPe|2a^PlgciP&-WAiv9V2FS zh3~xv%XLNDT5$AVp7v~HKe)$2(9I`=GED3d8{&!5g)v3uY z_5r*R)Kc736l|TUe|>d=V2cd&Nq=oY@3vC2fT#t1b~OLl_tNL5K}(I5&iZe!2!r1g zHY7F)M*u}?B!kMI7T{|HLmRuZw#zBq{`d;O0QBd$W*375^e_j2z3|5D zuaVW>VD;*$4hxcwPs;31<*&2E=N`3~ShxErfnRZ)Iv|Wy%XZtv866oy1 z1oZHt+P-Xg9^PkYl`3BaaH&xsgfzXBS@GuNLHTQ9|ovLEBi})wUD=mV}p~FQAIxapj$g|Jl2qxVf(FR z)WsLHLH~@i{a)_F?7}^BxE|Z z;FGrg9snJi8cPtcxKQfO6@#~PG`2{m3#o;lz68oe8xUGXye3!cKD;J#8Gw$9Y5i6oHDs zG+>eW#RuNaln9yN7(dDqSW3a}Qi^P8q!h(XFP3lTFQv?w!JmPTh`CG!l@al|>Mdsd z>upCk+b4703RQ$7x+SDfBX0<$g2GvrjT?5uiZO= z%{g;uDn%U$DSD$=X$X3!%i>$X%~YX_?4p`;CW8U5LmH#_2!c{YKWIR)*Rv8ehD}@m zOiN<&xzDl&l`}AI@V~6p`N;??)PR>BWIuH-L)jfAj$Ylu2Ljy}>ep-LkO0_iHq0!{ zOrzNo))*nngK>}0qMJ3FSwRYiLO@L*_!lz|H4A*Zjpql6^oY)aM0b*l7fPVS`!hto696T>oHZeCqRbaEiJT{7QKEL1tx^Fft;pp>ksb=a&36xfJ#X zm9@Y4>F-bluyxNs`kA0r*>Tiu^%$&d z_eMned+$55f;&m&<&30jIE-%P>?&lB*Bg}6TXah->v)4AiokMz@X}_zKz8V9F>8q( zbYodzz5{{aiknUT?iHJGWXwy=5}mOI%dnf!%LciYOr=Wm<-b1!|O&i#%t8mkb5LNFCJ9brz4~*rN2Zv zH2qETHUn_x?4gB!6iOP;4n6ugDZkEy1_m6k)XOnBS0H4PJyFV`dGn{J4LXm}0Z6=4 z!jQ1=!!&4$xCD#;w7I8u)ml_{LmCmXplP6uAD9%>ewEscv4OBDV0jR2&}_A@5d;#R?3@AYd*pp!YOy!F zcF3npI+I9ON$l>&vaOE%B4oeEvcmgrl|N@%ww0d6`NaY|+}K+q 
z-nD+Mya&gU2fBJPYirkk3JgBGrp{5hnxYINYHPNT)GeISgAZ}Vix;tW)f!UyKf{RH zYMRTh?O4iUsC{On{lLG{sQ7+L-c`tJgdSgCl?A5vh&Ek7Pd+7hkw{Bv zIFEirn;KOVvvBQL3D=kdujf_vN!SOX=+upRwm-rovSIL5;;!;8WrVZ{^|Ax?w?yp6nfoeXw?;22b>cI3 zdg^JPzlsA0j~I@t&B##GQKA<7(#u2cwyLij3kPZ&8g+md$pCG8XvC^{Qu>f6IAkDx zB6H`;H0VO+0};mY0^T_uaTPC#RUKF1j7TZvjCdcWc@AtiG{(47YvP zk>Rp&AE9e(Ytd?{p*Ax%B~XH0?$PaAXh*k9mNOvxybzSdkl+Qh>o&`a5l>T?FA z`;9a2zN-U0nbhJ<1`Y{4)5^E36#c=;{f9e7SNP}fZS~ufGB0a@4n>o$JUJR)+|76M==6mL=n_E zUu;pfPv0OnF`W$@3l6~N72Io}?Ux&CLoZQ*(1g7Qs#uK;ojj9NY=F!qJ33yTwGeZ^ z_h;pXo||5$GDW^+4J=tpFSTzhdX2?AB`ixl#)h=WaBit(4V?Y-0{h!78orw7mNT8S;*!^6`hv3I`$M-QtJzwu9J_%rFdb^Z zgjXDgia$9)t00`=3oZlPKkKeWCF>;gCl^g{Bef`%(DSvKx39=^9;L90E zZ);Nh`l$4>7(M5)odXr;qGnboE`tI6{8S&q=pj7o*E-V!jo1$OOall{Qs)gY&=4GG z&G=(b<^Y1HjIO5)DCGBp#!-L`>&FEO$7?2_;$)Uyf(GYpQchp4-TTSHvYp@dyM50@ z-XqV+%Ogzh2J|KK@pPKf_fRTu9v^>y!My$(M*txl;#M`+jz992??QkC%tI@fowNo` z|3J!-lR}#h%~qjDexIzwYmu%0(ir%8@~`;8Id}!Uc8vI{1iVlIo+e0Okw9UQ){}K;V(wt=h$T;q#fiE2Xbxt+U0#b;-jj(jvmCy0TM^bDX=^Vmxh!z`cnhO& zt>O9DlJx$mMn&oZJ!nYqRR9(#nZ} z{VaDl=5a2Q^XQrh! 
zhz0)vDJ3%K3L>NX_sOii6p<9FX=#5XSptI7H$ud)uR?A;C|d|1cy2u2*XbH)(4@Hn z_+zf5h_6R_{sZq345AxjHq33A$W=HF_JxombE!n29lyMr8I!+@K z@x-Ht3@PqB$YvGBFcF|;B3Xn@jAF`eNQg8oq$f=QtR0QOGlGBxDkl%rn4(`9rfYv( zC}lE;q;p+-CR(7f%WEXS2yo)xv{)is*6M;Z%&{3zB1aZcz{!itO}0sJoR%b$Z7{UY z0>&7r0isQjEVeEsEKdRq-7<846tgE~8-AS-R*WQFr7(7Eb4kc2+Dje=1G3J&+k+zE2VoW|%=!uaI2n#=6DZ!OtS}(V zi91jZ0Ap5F091s9fFU zgKOO5x;^fpRpPiTD5hasTh-H>GzW*4dCB5`;l5R*Ah%f=1!pNj-XS*aaCDko_-h#G z)d-p+4{3$Jwy|M3;Y5VTE5fP`J+-D-JcJm#?255~J2pMV7Q4h{#Mmxl_9GfKT|S8S zmQ`#KON<3%-e}VlIS&{GuP0)hM0~b)qbL%BoBJsC2!oKPsi4|YD z1x3820D>yI1n55lOY23R6@;gVS|`W~lFQyha0>=|)`U0ruSA%S8GnW3^4qZfqIyP90RB$_)Q(}(doJ0w;NavW| z7ObH!C^a;mx^y}$=LSqUBzT=~_gA5qlrry9P7s+TNdP9o01-z3TY@G-YPk4W&XBCx zL_Cp)2 zDq_U^5aYFRF7O@%eHJu7DeO##v-8IUTxf5i;5~I)Ro`n;qIXdDfnt=&-VGaUp%Udk z@n(Nn%h+ZbyAsau(KbFc#cR#h9rih`hr6Nx-i;>@aFE5R6Do5yhP?OV&Vx;I7+(rW zyjEA5SSi$me}6~$3XChE+e1;35b|t4)|dXAo;RjKMFsbB``?(+PZksWCLw+Xuf~(h z?EKIP><}>I06&A1QR<&$^q-cG=H25+wg!taOluca>@ z(vqeE`i1n=WX@hapnkfi6?sxF)X#TV|Iffnp9nyAL zJ(ljp-C%|Gz%;pPJ=UPG8hqsmskmR`aL(YJ<0hiH<^$~WY~j~yw*iiorEu87|{rvjvmn{U}f$>H|gudJhIJh;Y1= zHGg2!An8YV8>0yzDj0!PC@{ju)_*E#eJD#dP~1G&#QbE7Qzc5F#&;u@_4Ovw75tat zag-2wA*6t|aa3lmHgy(aCrx|^w`mZMi{65rj5lVoKGMunm9{u1k*Lt-1AqeFPwJ6y zI92)zO`Z?UtJuh3IjE;@mCEdb(Alq7;t~CkGv^}_{nWYE*Z4KZ*dj-3=R;7qpM)>{ z4bQKfuMLw`R;9(wL%IOUs^CV)lZvP>$03PR0uUMh3H^Uko(4Y3{xBc$?Jl`s%RHxV z&P5tJbjskazrWL`W}_i-TM8{J0Ax91XeK#8hMz4Y`3h*g)d|A}0=UTsqoJq^I&r+ye&I$=`}CPWMx8qm3r!d$##H-WAA zX||vPV1sBNz63;mS;zC*S>(uBndCh}esJN^{hZ`5Ws!!cBg9bs>%Xt9u%4Ed^T8?y zSy%`iyaONZvQt0?EDTiAZ05d~Gly&+CPTq&l>zR_otbVnrTJGxlER}Yk3FfhNX8{5 zpr^sWPqQYDoiLrAQ_XWoRfyMY%e&z7i{kgwBuG5C?0*0MG2zZhf1y942@8&qdiSqP zC-6aJ!ttKZ?oJ&IT$qrmm{g!S^gW=K_$<<9oUhH;(+cmI5Agxw27VI7P)U*d&M%9s zx6wF$n`g2K)GTTxr;dWujMtdY%-}ln=>WsRXz<${VA=eOg=9wAnE+-nJLYz#qPS?2 z;K}GE;h`8X!WUAwg!{!Aisi_7hSHAwA^RjY%wUr_zF|EXF_u@n?dmbSQU^g_UNe=VR;prM$q0c-@ap3B`b9& z4xsxR9-z`2g3K+zCYa%bYdB&|dtXjeaDw_Le^=%$RP;UoAB_YvnQYZ-#tPNZ0q#%o 
zXX2R$9z1M-B7ZhJ9eP$h-qT7&@gxcy<>PA;aAzQWml3vmH#?>M5M%R6@4X{%e4YOD z5oksNL&_oMz{1=|UEMHq=|uE1J%ay%DMaFCL4E81ZbIuaS5{7h%9WxRX*lz-Phti_ zu_w_ConX$TUGo!CSr=+zz2+nA518=7T(g{kYLq7{V6Ie~LTY?41_Zc#5f`lE!xP0! zK8PL+pF5z;XV(4KAW`uC_%$3M$sbxCL5Io;h+smDuLVosC*l@KyK5Cl%s-7QY|HNo z9}v?Zm_3j}aipR;>%lrLJf67g=np;yMLKILIc0D$iHb>Y&4J`ffV8$5$KtR90$-ft$Ok&)bq?=XE zjDrx%o&Ssc6+rmp5Ogq#b`Q+?0ZVUDtX5~Rm2FL2e!qp06e8t--$-?CDqA}MLV%zc zh#D94FQ($Ffe3|o?U1Xbby#EOf&0{9!1&9=6fewIebpKeUOy&|+O2P%@|(LH zQN*0D9l%18-OHS>ymz2P}ypAh07+kAFNirVV zqFbGu62kcd5aA`Wz>gcmL3SsR0(qY@7yew!KV3d*AyEp+iEXxE&_ib;QLDcQnTlm5 zqnt6UVAKi++$D>iTbFw$B&@2oKO~+r&jV*|fy=;jAWxt&h)Y$k0OC?L92;<{Wlk=& zso3OF$qcwuDw9i{+G&Pysx$=$9_*fgU0z~8vGuaTZ1&COG27d%Sj;-Y50~oU_TCV< z)DA|v&k&c&0ZLy!;8LSR=siMQssk<+%ZQ6zJpchvklZlR3CxijK5Do#a>K?9bBf$>v8hPphKWo>HPwk59@^8ek&|kbii40y zpktK=MmA?LuSp~_7&7e#_*pFhZK{AibTa%fB!f@!DZgWJZ)2cmW9>w>60mF_b|5yn z!Vfq6;~~g<`*6cP9W3ZR96IRB9&WfNimUhVaKk(sv~(UNH>`y6N^--=ry_UvbKAv+ zvFbd+50CeT;3K5_3@t6_%LhFh^d2D|5ITMc=T#NAMXS|Qyd(mUqS^@b6 ztlo`!K&Qakx^{zO=u2P8Hjj&wGFcOtg5B#JCye{%k0Qg7DgALqiVz!b40_I4D zV5;h2f*KX~j#wd&Byw!PNI`Lph&KdchJ`*^2WjJ0iMzb^oZz9M?2$BDsf{p=eNiVt zIuOZf*;~6sf}TWn!${Q@i^Oi2 zNW4-f5Q)QXcsRULB@FFu*tW0KBKu4;EF@B)LZT2cd}q7ipY@e`U--Fwx?vxmD|N|d z#j+b-F0WLjC6AtNxTohzP3l3y(+%_RT&Wg#c$D3+QhB9Dm2}B&IGMask%+{wA-uLR zWLwb@Z;Qg=SEk>j9$5<>DkBUShkppo! 
z9Cn9x4>oM`V5#=9hSwStPm#JTDz$)v+{(dlQi^I#fXEZ}mh)4vAaL&?aQ^`2Hs0+9 zoMtoOZ^mSA6wV!!@Sg!h!@f3MJTW()w_pIf$nB9w4qPR{~>vOMudf=_DWLj>2 zQWJ7N+27|8TgI9aKV$TC>KN)HK`B8gbO1sPk4qqM>@gLNuwoEMy(>3+ z7EMh6K9QFciesV0K&Sa`Y&99aUecwQR&M*Y#U{S$Z;I@RwY6hEP_J({YzXEtn)7Nu zcHvY+=apE@k{Vl$FwI5Yn7z0(+uFrwYm4RfbC5a$h8D)qagm}KS=nAT^krDS?btml zx*GB0+ciR0`zpoEP8+Ec>Wa%5vF=IrgdjvXJK0HiSxgWgkKuzxY=yF3=N3!0rl!70%^W4<{h*|w8%WWo~;=;PJG z8UY`&640hYE8BECQ3+V$8jGw>NnSxEZFW zYMZ>1v6F-1A;O!vD^J;MxV;#LV5A=5aW*UQ7@KVxH*K@4BPHuW zxN+c)lq9U2Oxx-yP9DR>^{|bz^q)6+n^Zxj*o9Y@i{O67(7kJoHD?^5NPv#vOS(E z@$FEgQ_Z5Z{Wc{R?b&_Px1CBz*@A^GJfJN%-7A8#+on8lV0A-nCNmA58K_h&a|@J+W*`6n07Fv%3=#?lgTY`R5{m;x*M9Uy z>ZvGYu`H2c7>BSihz!jD06+i$0M*sv5Lb2PiOFT-z^kK7zNDG2uj%y^*E>2N}|Lj3*f%@%2Abh1qbKji5E}8yCMM9N;2Oe6nG$$r`M0TvOxe83&nWCv)eh z0z#H6>rj;5*#R!^9TOU$EfJtL0~DIcVjUl?A`WYHUwTckkz(kPEsOY6}I6^(`HdOV)t_(lzaCakER5~Z!6RX9w znI$6!g`&VqEUsFqc1ZU}^K2a?|0P&60hZq{8-s8JL0c>QkI29|K-lJ}h@Mhe3wvf7 zvEHyiBt6rY5XgEEzOZeWD-gK4Ns08-m&y3?rE!5drN=;~Opk8(VX}i4I#PW!B$yK+ zKgP23$nPA&K-al$THBbl7yEGRGMr`0^fj>*s7Y|)A14V2E24rbg3FU4Gg&u z0HOO^HS_??4!N64djm(=KCTnNRP&em9Ao&tXjb}X!rlNG>G%Unq4-p3?J$GE)T~3I zDv!Ptkt7}#o4E#q4RSe~1fax4ai<{WvrxdS<><7)h)bX*CY8IEaKMa%8BN5JT+UXt z!ucO~=a?;jaKVi3O;F)@3HG1jLrSxaH(%y!PqSx}U8`Gk_pZ@e_ zP3%YNvN;H#5g_8h9H&vRo=DbD{b6rcJEGGKu!Db#9*S|R7aT;L1l`ebPK8)r`6K2X zfJ+Nw1W8aRLU3$Nb)Ipg`1Dpw^8Mrn)PLt%lW~aC|4kA57V5Mk;9KWh>#eaw+$aGj zNI^=>WdV|P(#_=U;|>CnDkX~su$+x_mVpm3mM42Xr3{z@o$*+gh{C?1;R=%-?m++H zE?t`j3y^!<&F2*HUPzI9GZhyvlRqi?YVVXK%ilJF0qXi(c;wB8q(|DF?8 zP)0A!@QL4L-25Zz(;uNiYaN)QM%7DoZzkum4?rMObVooZ?XS!uK}Y|}i5TEJW!`m< z(35yqqu)v@pGpvBO0KtC&}Y*NV(n>4%MXC!T&F9D!dmRVg8s3Ax$MX+ssK+O z;I+5h*U2xiRtQI9*j1&`gh*OWz^O!N2MavQm;lAY0E|D&2v?s|G1kUK)KTxxfZL#F zac~mk`pL9mF@TE9lsR!3l=8SecY|g%*M-oTN*cMw;t~E@dGvL}H_WfkoLTOw9J=#P zN@&e0f?nUMDXvy|d0_0CP!CW7ZMS zoD30gq7wVLb^ZA6EnCq*X8q0T4?Vrp27r(kF3baauTJR&-T3x7L7|Ov3>vG6(coC< z3Ec|sMLZ{qIXzmm%}&LKp(6VCS7aizMbC+=b%72_8ohWN?8>$$7Z?X&;PnM 
z%RUDU+i{NSsLuatz`$Hv_0Bv8)T?EB@(!bE#IxTOS1>%SZ!h#1drmQwh5%P5(xzx6hGN~axH1~kDwcUQj*yZ* z_`LVrYCnUl-It*DYjg{4KTj7+Gl=t?Zq;Z$ILD z7+4c|WB^;Jr^HQb{sOwel=BQmuWkab>-nF)GZSJU*prUSQV?enpg+kHGusTsI0a1@ zCZLX=hP#VaQ?7B2!&z2`Ehhv(B1_-ckxaUYKn@#}(LT}55jEW0yysWq=X zQVcB??RL|&_fYgBy2pNvsD2}?!V34Z%!EsYB%+RR#iWy8jFZFC$`#PPC|D42NwZS& zP1~F33K#B2xZn+UaL+~OS0}{@Jq_rADnRFj_n(%Cb-@8dx+ZXW@SXFl*Jp3*bQiq` z)(edSbrq@=`M(XeLg-+}c&QKoZs@^D4!&>^@oRL>N&QKtmgr`SD|*LisN3B0^R?uhmg~?7^UDg57Y19 z@E_aoo>ay?_}#&(zDrhJZ^>X~`5eD1dFTID2HenV&&BWRFHti zvHoH_QtQ6qlXiDiKayMOZu47Tas#p5~s|H=XEyYMS>3d;_TGKTu?1fs3Uw=kF z;Y#9VoEoSlnT~8qI&HqoI!51%)r!lK17|K!>)R%O+*`qX#n-}m0u7S=_FOL6sm#nk zNIt7v2*79kTO&e|q$8TWL3c1{EgKl*;Re>Ybqr=;4KYQ|!=KzQ%=(oqO*hD;;cP@T zUkV*#nY0=wuUDC)eOzrHccj)>j+z!sRm(aeZR{knK;I!mOG6|2*W@I%`Je?sIVWd0 z;`DRA-9KgiCekdDE`J$3^Xsf<4(87Ka*!{Q}KcDJTeNI6wDv$Dy8O+BF!iX13F{MqbMumAsbx4$Qu zIe74FeZPg*t>Mkw2GLL_B>xfHNgBjBs9xV8f^t@M0cN9oRaaU_qNmN=3gRx={hSF=KPAeTEAKfqeuHtEHx zI&*_4Zen5JLG|2n#>*$~+Np?jB9Gn{q%gCp$qq+4S+YW31}zv&7SN)2MVV~_K%JgC_^{yu<9H^P%#t&uF?pVBs| z=h(RWZf!$w9Wk5KC;R z)~WN3!CxaZlPFkMujEwD051=xbpc5r5_YY9~QgaurQwogmq!+cV%! 
zl2{Dy!D{T(FCb*ADo1*S4Rvc9mM-Ms!2maONig0U3p!SbvIH4mJmgmmZQ5G*7B=9kX1?LUR zu}J9*K3(Eo^>rA4ug<`AM^_X4zf{9x0L9t5 z*4})x$P^DnT022BTvSOhz`T`sxSTj&*LG2~3{c zy*M%xre#9!T*k+!$c3i78D3O#<(x6ckJulOn^%r&{U;Ag=Y)Ov{Q%QT({7kJ2t5kI zSc<;IH+JR3#LnV?)mSy(&ARFNqu*nfmLP!PPS6)%UC?pO&lJ24`TbtU!NXGxQg4N0k zpJOv2ZVFgA*;x)~@r{QJY|0z+xO#g}o6PF+Y1t!?IHb7&3)?Qmbuac3)#tY7255DDwAgFhdS#R+!rVq zW73aV(nyzSPmuX(mX_lLB235mr|n*~pYXg^&p7&aE&%r2|G$vnB6xmiKtFXS8V;aP zYe~5Kl_yQfdu&4T#^v~yz!wd?^m`$^_cW2$bvo3R_?2?&pLQfpL=sWjD|-O&Ix>y@ z!I-BrGq2tgui!h`uSazx9=0_a4}4;D7EXt&m(KwZ#N`E<(z$iazn8#}q8{sfcQQQ; zHd}TKPyj1ablAK?F^~aYo*;F zq?^?PC!8R)7o?fJxSYGf21o-n2T4-aPL?&K=@RDwkuZ}buM&F0(H`R|XyMf=@A{#q zRVLt;(iqhMfjNB4=x#h9D+-221oeZeBlloDnT>AT9xW8&cs}ag%4iswYa_=M{jla` zp8zko?XgXKY!5iK8evX$<^=~l4qJj2BZeE|*M?A8K zU838N8(`-E#Zn=z6=yk4$==SFgQorCw^Qb{$~NgI@dy{K(b>Mvi!#XJf-{pysdH1U zA@1=3HCp;g;nVc!P5H@aB5-JnEJWzAU}t`Ta}#MQ^$kdb@1H-;a4fuii?E;#n@rV3 zJ1`#p2LMLWw0`}LpbrC2_t?x%9@H1r)V|)Lo$;!nhqGs}0~UhZ;q%^%MKz&ujrtU{ zL{SL~5=Ttg{eEk#y1lTXmRPOe8{$w}o=X0OKLGdmwEVu};+a;34>0_*Td1_6DgPM* z{sCF>%XGj|`;3$pJvyCaw<>^@zf}5LVUR$`>En35;y*ouH46FRVB!> z43~4(<0Wvz9Kr^L0^^q9#%EzXwO9mGMR!f0!t}^tP9r3kp4-@=UhFJDv%im3)-1bc ziw1{7PUZt4Ozlf&rT&1^r0afhf**#Cp?j0#*YoD@RbRn&_9wA(sBbz|=0q2o*2arPL(d)G zm};9dq-Q9mzF{xIiG|)Av7Eah+chssTridyk%ko!YKv(6eBGX~Lr-opY1 z114@$j2_mK zey)xQWzsih@cYVT?bh||K{ioYe``1g+g(7}23T?Q1jtc|t48#$ZSq>Wu(@Dg#F6+P z0!jyYL{=F%rjv?$(sXsVhQ|RT{Sq(w z0X-)#`;equ*mnRxz8ekByyP~G?><{DlBQ~bapK2ikO9I>`88&r?^de@d5Z84x3vP* zh6>H>zQ`xG&jwCUT2v4FjJm@EY1h6)$4dMYz@{3V=JLPB^H(%Pd&WsL>=XwNk1D~4 zMoC<;1L~&M37(%n@J`vREx~W=m@)*;-Y9-z>;j9XW6{3=;D2~) z36L_~rrU+OLIzpKy3zE)Nlh&paIARIxaFbVEo72ytfrZ!^HEO&iS{)d`xse9lQbU{#i zjQ1%z4BkWkUu3FSC~@`&M?)V=Zokq8pABDjY&eLBkTf@!ZGj*~`0Wyt?;%qh}qTyJ$TwVn7U?z}@jD-k# zROqxbbZ$(ZXtE)UbX5^H7kK4UnkbuB>TfUXLmXL^BhQH}Bp#@J7A$qWymq(%84>37 zzGnRpB1FV3DA-sSheu9N5Ul*eI1E~t0(t{U2b5&x&CPJTInt;Xrq;N1FF3x;m*;be zgh)VcXt%YBo2@zoTZObHe$eYDV{F0O!xd@nC+VnMCd%Q ziiJ=amHK^hUr*M=GQ8p_=(~92=%ck$*IkH6u5>WG)p)bEg#;+CB1IC*Z*~C7xa
    I7@y#R81Zi3!8ILsYib8P2H9atk)by~P zz;u~I4`Bmmp0&TyIFTP87$wZOYN3&iBH*!KOWqUcSNl(_w{s;T*IhFR>I}<^GsGZs zp4Pr~N0WePLN1!7-*{9)<1KACaf@eA%qO!!__F2bSp{Q}VN9fzM5ns@wvkjI zsBChGQ?t_q+yJVm>NS?SiMvgrtxhYGZb8IuD!MuI9_r_bReH{R-aZd*zjI(Uk`Jf< z(gqogany`Km;<+ksj>UNWS0?knKm1A&nx4WO7P4%erbR^NH`oMRS*SuVR~OF&M7Ap$-Pz57o~)Qk{z;4TWJcl4_J8XX(vcGP8J7#!25fAcQL8w#{`m|OA_dbFN;(U?CZ@d|+zk$Bsq%sAFIO)DvC#_9TRx1#I zcCrOxo)b+S6w7m>RxmlusmLO6Pab0Ohs=Gs$?FC$sfo$<%IC&Y}r^RCNn{m#ZmqClgs?QP6-K*2RrcVwroXz#U=C(9xIC@)7 zi0|Wa4#G?vNd&$pBC)--Xs~-K^T5MF41&}HA!xGwtk;WRJMQHK4IcdXviI+3!TJcn z{2s{L;_)+MK280cb9A!YFwU}iE{%lvqn z+-h=#IquXQ3R@Sc5E%z?M_x7WwqcEG%%aj4xjLP;E{yPK|FV+!fzzo;Z7XawMy!M3*-ay);yK|rn>BB zl0!3Pb69pcW%GAUeA%Pt<{=`-n~bx>^alKgL(jE{*HlM6!w~Sv`n1XuEsiwE7<(bD zdvezKA$fR>rOr~Q*i5UcP!5g8At)VLOq*ih(+%qk^tujpqywVHrerY;mP#xbMt|;) z>~cQI|EG5MU1;f+y_LBs5=U}Sw#eo)6-NVByRM8y_8upFGK{V|sVBfoc;v1;H|Jlw zJsWeFq7sC@TX8}lnI%$gC(Qt!DR;#!F{vivBH9ds^WijWL6q@wAqA*URDb&mus{DS z)3uiY7&Qdu7}1OAtH5KbMh50>19=0<8vlcM1R>i1-^7AI9!ljAQG|5YaEvxmw-?7} z`M{u~Dz7)8Wxd`};+>8T)3h+sJ>R)k#3T2Ht;H*DYlDqKX_ULBgGRWUs znLkuB)t-={5;bg_1nftVZqCNLPhvh```~((VvuWz7?mFgEhkXHT{V> z@|>6fh$^MzS;oU7W!WBRE#x{?H$5^8J?ILF9-q@BREhONJ*!IL&dE++3Ssnhp=v$v zhh<-F7{DyY1Ez>0R_TDL)C;}B04CXC)r2tx|KnZ>1+LfPS9PtYa0kT@N|Q!e>3{OC zfnrXDo-{;Bt1b4+;bkrN5$1Vj=q8h5H*hl$6Iajd^#}7FPDu~sW~r8 z2PV|{QDD*o30{2qJg`>cnU>{q{F&lq4e4XhCK{ad)arAEFrH9yKX?)nhU@^R{Ew)$ zvThgsnb?V2hWVBL-Wr!kY&^bHfVBzsK-4!rOZrEn-dv0yQXq;)GmCT4F~muW2JqaC zgysBTbi25aoJtYV`mt5&eQHIZik-Xc9L`;uX+LwFO6)+zuVQo=j2*v*Lo7njabIJX zyFDkYEK!LdQkit!2Ta|GT?mt&H9M@2{SK(~HXuHAT{`_@K7L&zJZou32)9}z2IGsI zTMUsB!brAv*GY&+H-VZryaU&Uz&>UC*{jWG%+tUz>OptHbsDk_=_ZXLRw1iX8N`If z19o_n&J;I94`J*G9>e6&%Qe)o>4i>J7%z?DH!!>YHz9;?aU+FBUR6lUdPQ?BvChSoNNAuoC)69 z{~(#FUg|@UWKt~2^ZX8AX zKIkk>iiuv=a;*lHqXO@REq1Z)*@MMeELlo&g@%eM*$mFFCYEAkHIIkeqIf0hECl(xCsW<+n>p(frB$OuRG#2x_xCD4P{pc0wLoSS#_(DqY-LTf9$XdI8dk|hz3 zs03dK@H9t`!U-jDc&EYH!VM>UWIBM`Pwv&S|2sQ>iKoHj!HNXlg5d*&ZtP7zE~II$ 
zOy3qw7OF9)u7T1`h1KdeW1P95u$dEarDK|KAUKD17g~he$qhgpIG0>4n^RSq2J<8#8H#Z% z&d|XfC5U^eI{x>048}f(L_j-`Q@o|B9dKV{;Pf>DvO^!CSZ`o6GT3B4l0yJypqJ1( z7b+3XKes7=>J+RXX3#EEK}HZ0s2P9Ul8y_kGa9T!-u^%0bjCGyWA5LReTfEiJ|d*X zyClt_kzKB~4Z$}_FE=3R!wh1c?wE@Eozf$`qt2X|Tdt#LIT5Y=KUrK+`*Tehu^S2! zhVnFj?brAwT}G9W39Bo6K|(N?e322mBj9X9#sKQEq*}oA1vMOhbT&#w|7*5u4Heoi zDzxq;7weMjoER(Nfa`OB(7h9>k*+e66p9JV)BB`+KCmE%pSibSz<{u*WIkXc$69bQ z(gUd8|D9xi@C2QC48klLmNcqCCd8M1(K=a7vsySelzn(I><5D0+)DX2MvPZP2kRqri7&)j z1U+K(R&n5?)J{CHkhjg_2K3rk_y}r3gaACfGMAH_M?Vwp#nO-zY@(Ph)vgU}*tLBf z5#!dfAR1}cI3<)BKl^O|NGoiq{*trM)4(T_nQ>9n9=t@hcnyJ>SOaY3Vz-I}x!PwN zg3eW*O)*Vh;7mXo$g2BW@c2}Yz)iMxDbR!90cg5~3y~kHz_gFGb?weRCD44XLo=%; z`$)HDZhFc?k=VrZ(h!B^DeV!m4yAaTkkdD%{cV7qC3ypDjAlfMxo)(`CtmENEFIZ% zkwId{Zx3+>dv5qLi3NH2XIqLnCl$ALk%k=nN-2#W%lsWL7fJd7+B{iWh2UM-_-w5r zokB2?m;o(3>3Xe`sr-{S%6?KnF=Jk^P!beGV36iAJcq|x-lLRfHo$s%av0p+a#lt)dnl|l{?8H0 zNnXi3Zg`fV7k~kE!ke!{Y*2V$%N<0_6p;rZ#k7o*X9762OYUbaEX%R&@Du98l9ACi z#kW~z_H=TA9lg*ls=a(oI7q7@LAdI@^DR?}nVcF3RPUA;x8y&^q=Gj;UX;4Yj*wkJ zvn|~xH~xOsoNPE+N&|?;Q#yY??B_Ib+KX>;tnk<+i1f3nZQCO94GqSEDs6yJ2GvA~QhT(%>tB@p=!dAfh2e$6T-5bRnICp;`(Mbh6rF zJrm%M*%M3?#{hb2bXog4|XNqGEm0h(VGLEZp|$?YJNwZM0B7tS2UW94>gD| zrfIpuFpe6Tyl&t|lf~Q1tl>Z{lz$Jl_8MJ&>jHOK@*-=zuz`P&uyYmEM9g(~s_JWh zpc-WK$H&nG!iSqTdu%U9$TCDYvCMfI_d#sshM+=b5zTgB@S8Ha~8Rh6XB|2`0edEgCZdCoqX1*BCPZVfz(wTYrSd3L_^$ixo5Xiy%aZzHXyt|z&ba# zuW+>s{2%NoBennPR?Q@X$3Th4_sGppeL3=9=2>A){*LFC_N@h~|Mz9y$pAs`xZpkT z&zBIuSLv|;h`|HHE)qyti!9`egn8KrXw39RI0>*7W{y+Slbj{{PUd>;q_>`}!DoN8 zhUF0)+V371EA%$3uZwI9OwV`kNq#v(%g2{mffG*2;8U>+8NE3SB*q6j?ie3~g=UKx zdkiDPM66TOXpOjs)M|qko`kFtWZBzy`hBK#{660(fp#tx;o@65P;8KF1OpZ5q}1@a z&Af}m2$B}Q6`6@BCVmj@2w_QhXuc@s=iJxC92?)hweF=CnwgG)E{x;8@{xNC@64_5>xBYoKfjS~&G84D8a7VCq2g zs;V!Q=f+~jeS~3@B*v;H=F)Yn#2m&4mkcRwL;fv4$PZ^QK#-f()itP3ixFHQ0x74s z#rTTiXX?j*NoTJixHgb^nn7h5+zQ#?1G|1#ZBMnpC!4Vs4)JiFtSsOrF@EQZH{=kg zNwy}1!P+}Lh6s-(GIw6($5^V!I!t(LfcEyfUTyo)vjpg^2 zMThV@*mk)#PuG^%-U82^=N`D)SBq&!7&w&4Ew-$+h3Z4?<-8kSIkjBK24zMk4g6fZ 
zau{|E{`7h>?-`wure^C4vU$c-*G^{To=Z3HqvIZ~PN7>-A5IX!gO0f|8WUekE;do0 zR$ezE4U&9q?(nd!s>SmU$!mYXJr`f>iT9u1P3ab?G}EvlhB2W+(P$kAvUlEs|S;iQNy$H;M6Y6Vr;c&=1<-NsP`m{NWMu5;J#UqHei5h zBKo`66U&NgSqc^yd(81$%EvQ(tjFd%CPLFhi0#PjKqVC@QwBuTQ*L6sPgVgDi zcnoyPg4Y4K^UTkbP=h>WRE4c@=||0iJ{R`FC-2iQC84&cAdknu#dBwqTP3Cl;FKUd zt`J*;Zg0E7?7|ykisk)LCd}E@1q&0bQ^y6cG0Tn4TqX4U&kE(ab;URCGz*CsRrsa* zycq}#lHN<(&vJ6CGYyiF4BB=h z{yO_H*|jy9qqXC6mgM1nEG_2_WwYt9o(0Chl$ZZ)-T21Abf|CjB*JN+KjFPtO2j8 z*|@ve&3lt?L49L$67_f!9~m-TYeXg!zmAZg2X&{EO*_C!mjd4~OE11|319y%eKJ|p zvY$#Y5ux<#GV6RetTmOJw$AqS2XtrkacJW3OUmo6#Tfe`W;_FG03K2-{{u}_=vrpm zbWSc4%Gn7UaB1xJO~3cbwPsB_1-n+_*_HVF9TvtVI_6I=XzCvvfio+jw=0Y@~2 zKedb1QYHm}JyT>GMkxRJ3kHUPs9&P+G+PSNF*x$rbX*o)2$3HwHJ%)~M|agNB(zMm zd<)fCAWz!-EpXgf=?8bPq0sCt&BWLa6xn+Vv%0p8qziJ$^uXe(_5XJXTCd#DjPSDu z(cvO3&L1Ug&WWoh^7S)i)?|DIWi!S5XguFJsQU?K&?QgBK)8Qz-rK0~Xz(d&C5DZ( zGIhq_*s0NN1&|EQlY`0(Q%~K(0ga|#gEhZ_bdGUsp`R0p5hELR_gYuNtf}1OuzLvt|)-Zt-12V{dmvzk~08^>h#8? z1fx}vJ&$XwnlD&YH=ePa1OOh1HQDC`s+9> zHXTX=1`pA#<)F%iuvt>?RyZvU9bfNbA5%A*^$9Q`bRdSF~OogBy% zHy^o-P&&hVY;)%4$oHnnGSK=DTyMjVG{kH2WjV`s#||2_9Sp`%4MJ}0Uz*oaGzG^8 zor)J-iz~q+i?k!5pS(fJ4Id^3YBX2}HT$)5^_i)h<-C=;q4U?%&uFt&a0V*IKydkz*fj=uuUKVGq0U$=P38iUGLgvuTr$w@lZ~~81^CfSobdX6>iEs zadM9!Sdh3s`-iJGkg?0|e)3!yxvfifU=2H)2GOuCCor3dv6<|sfU`K{r0SG~lDwvW z7^s=k6o=dnV*No2{Fg>kyb^1HxJFKN}P;*w_uUIFLQ>FZYAM$nnJT3PfS-vK>? 
z@7??&>2dCdKHgh;96z~v&F$zd8A@4vrri7MFvl-N_@2%!m>ASO1+?hO-HeUsHKn*%(T&3;(amcF^3uA>b#3D2IZh1Z zZ9*m1HV^6om+6{JIMb47Mn-{LnEUAJcg256dM&brkTiOa*Q%D$ZGM`22 zM59!+%s$%?=mF2yVzxV<;oGFMm_e9$5ZFPJ$j+W;mn zGj6xha5)VC13#b>eeIMS_>?FQ8Biz2l6Z?YXC#3n8JBoQZ=$bbN4rLDqY$o&g)Pn#g{LH3}>ElmBpy|TOVa~Ewwlxv=A_@mEq^v|I> zwfBBJ4-!{cJ}u~o`F7N8ssPQcG}Vw8`d(CWFSY?F@f~^S{HMJKw69cBRgwn-Du7Ds z&Xn3c&4U8Be>n+$A*h{{klPQRo;`q0YL}Q9^~`q=eVi&&Hq2`uK9oGCbPtlZrpCw- zF#+L_mwSh<9ouES06X`p$OfHLAmREZ$SZ12-4>o=gRHvvc z1?I1p08c=$zx|-Uj1<__bD*WnOO`P=4Oc5&=EGw1$7YkOLkyh01aS$0q4P<@9f|ue zV`c!@WcGfprPvjMdYs^&-1gF2goVig=uQW%xN@o66c>{E<2^H|<)vv6dxlR+RnH>{ zPkn%o7chLt?DLoXTs;^VR5ZG{Kq3}?$mOo>wLDCgVJfMMfw&?BKojG{u^G7Yl@@$bRREmRWy6R1Do+ZWvsu|V7IH9@K3;+EoRUn zv4ixR6fs3k!k=HYGhB+`G{UF}BokQ?gRi2L_4jX}V|TW6Hvt|@8PMJ7ap8*Ou-oaT z|J90ZGAS2dO&`}SglOvIq%yY^9f~3!)P&JG2k%0|dnQZJWA+h=-hu}9#!r`%MHL*P zz{zMHYl=5_e-m?aMsWH)^=w@z;{v~akIV)hYf#}e2&BIvA zRJA7SWs5zDq5c)*;g)O82{Z~`1L zK)9#M({x^1s3`^?PgRRJ>DpyN;8R3j@$z^(JdV5{IlyFZgcw_q(IJVsoOHe2A_Xdk zZdd*ua4ck(tuO|rZB|{L)6w%^^}a_In@pQD#VFwVWI048RKTUIRyUGpa@iR(c4&s9 z#s*AY3c3t7oIyQ7vsP>?Tovta)?%@W`p;l!fIExHNf7S*-+irTH!xG%{TLqMU~zoB zF|ir+BLrSUc=zK^6XuayJWZD-Fr`aFB{UN2#FH~dRFFnY#k5rDx_`ZM6y13*fiYX> zzcZtx(B+W=&?Ib-{spvP)?%ei4D$Xz)|qzw&s^1^G=Q_1iR-}1rClN5En)|rKn}A6 z!{13}*Dkr0+uaG*^`$ce%_&6@|( z=oERj`v}bt9H8?x<4XbM3UDnlG1nmHG|0T&}fY77PHSs_`^C- zP#6h>5Ug^v$A#417(-=Ed;}A!sE))Pz!O37AU>pkldLF)DZEh=G3vNe3`292{)Z&7 zk-QeJ8`&S=ai_Z{Jd8Xu>i}z9zi1AF%0ruBl(y*(Fh#lWX=TzHa5+-CPK3ci&th7; z+;;Lj$8E1%*5IR^mF_&Kxh_`y>9sk{8)a)sr5^1O*cr2Kb=b4sq?ZJAMA{$_IOzy) znRgnVu?&{1&?g|9itN?N>|s5R+ITGVoJijrqi2hAmrnL8p7|)Gg=WeveBdl~mF4A? 
zsr#nU3m0yro^yu8u79wG^usXt;pYo78G8-97T=^6&j90wqNFdsyICAxS$dK^7kZS9!7b^XMv=(CbN zd^h$EmJ(y{g3~$@Z>-C^8k(+w8IKmj1`;Otqx|Sm zBRpMM&YVJKQ93aM$N)I)1y;oX1dbO6CsSz zTs5U+>&LvXP2@N~mcxGUCg?fKocjjc-D3%dZiZ1&kfv<*JeFl!W;NDMUPQDo5OR9jQN)MQAmPx}7}^SQz-uUVt+s1MsFSr)IR^ zCc7JS%&pVzadsAh8#ZE~`jo@1;w173j;NK-#B`+9f1D$0T>2q-7LI=yiG75v!Gb;# zhUupCURx(}=JQ~x4k~aToHvsk zO&);dSTJ147TCMD=!u?$b-XoGfF)!$u`wR(qMixaCwenPLEP@92z@@HwYE;;*`MYX zK1Ix9!2v((NoP@@w-GhBMJ0dah9za4B18i@xp9jWC zZidK=;Vj}cDSKk?AyDD@^v`(DAZ*#i&ovGtrb~Hnu;OoSI{6&L;5Vkt^LH;Y?E|r1 z%%`Uw%vIJ(t?-mhtRUV@z_(u66F)j_=J|F;uYk(o#L9Ba!cO^rkO{Weu+`wd(~4Zd zVb*wwFxTRMLGK>o^jo5$>gMHYyi`)l(EhajuB}bEWQRklORJ`oEa-1wTVyYWt3J*K z+K_ez9zy(ENx{{eV0;t<5`m+A&-^pX3+<9;Mi((LXL{Mjq;75t)4R-Lw)QJV@h>A5 z-GFJq-BZ2Jrrk1fG4H)hKwjQMwlXH(q1Q=@dZ+!ciU1=c;^5ss7wt8a{-sDBG6KzXh8L7*AGKiCaPz#3Bc7v3p&op3OmxyKb<;hlG|RTzbDG9 zQJjc8`9+2}XZPIJdN8sHDZJ}SQCkcmVix!DFy8|Npvk*xz(pji7KId3S^*Ysk(3iG zwe$zx2@#X0(L;CM<5}l`?>MlN)m(3vtdO-McCE8oBQN)3FW-+ z>@;@JsndmlvzNkdU?w5q+W6oq9ml8SDKhPjm@H1maNR~Kgl`H1_F-Y9@{T#LeA$(2 z#U>`0+LiX~HivXMq*gM+f%&pP+y!?=I*g7*P2dv#GIKMN^R;frI?FuLL7*N2t=RN9 z(Kd>p0^obJ_(WlVvu#s0KA;B|jtGhy4mzJ&_05f|o!X8WC%H&8U>nEOU7HR?tl&V# zvDTRPAHwNpkCX6;L6Y^U%@vA2Anu)ggQk+tP72trdDhB zT9PD@-uNYvbfWokXL4btGqRFeQmO;?exjbgw{0pM8Z$PcLxoR+DdXI^v>&xRZXoW) zvd6uNQO!8W*l9!cw+*jKV}~UUA+_>QVl9ECNAq&F1?Yo5$+IYzFlGlp{vVUr`;R3n zJu7YC=By?H+4>Q#S|?&4Cc|1_0QuP@uUPPC6bFCO50`7P-FQJu31!%Afl%`YA%->kQ(air5#TI^<(|(tz_(7-!%^EH{t2etICSq7ak z`7;l<4)575l`yc4#!3u;&_#uS>zJecvpLhI)|6|80BoB~WLVA(+uJGd+1GWtiLIzJcSw zdUeEXju%&tJXjKMA;T`$3f&&M)v!rm&N*aLij>8_jsvj)RPt7SW4rkd5N55 zs86d8Tp}47{Qzw@={=q%y_?bZuUhOMunX`%ycZMBXhKjMZ3Aaknc(~EForaw<( z`$@2OKf7%%?%;eRootZcxY8guAX4W|;s{k9G74r3A*Nqu3-=Ung>{}Y#FCHo>r~V} zeU?MVbDsI2LE>uqgy&oXxU8^3r(~`}#Oo7vSC=?wG5~j=Ip324OOP1)p`xwH)oV48 zx>moiJl8g_DZhT(rkZRDQmBypz#&ALp4f!ALtD~gl|6fS)z@*rCbDA9^z6z!-e$ko zF$41tGi0n=fQCCga0!M1-rTIxH#mBRAW$&5-k+i!renv$$`2#Sp6kSMQU#tc#oX9+ zK4vy52do93D6=OeCtG66*lJfZptUG!M 
z<`>^_B%x?|R~t5j1jqNg!2ff}wn`z%y*Ao2W)v*ondLAQe=}}6M#BooTZ#H~40-^{ zZ7_LjjvYA6Wyriv$4RgR8?P(!{>mM4}oJMDey0^}#004m7l|*Qrd&04Jv5Bf! zj2B7}bVURF;|)IPM8G)$*Z@~jw+=e4cAoe4W%>z}@j%+fA&W3lwwszBY}}j-{TEZQ ze6SoFeVzVLI-wgN~daK4huSxJ`)d2>4V|$gkwVdQ9apu zYoaj{Sk8uU=$Yw~)J+fm%q!M19Jxft$c$7x}bYly@;y zMKyq6R37Vqo7O)Nh;)z%uxHjyX0=W9+|nc)IA`Vq8rIfRClan%9dPKcsg=AK@}3Nj zbaMQYaXgs}E;w6P)u^LUP>Dv5wT0vx^YoIYJH0hAd7&0`%b79LoIX3S9_N4jb7q9* zb#Pg-7Z)3}mbXz%H72m+IBgbN(-W!^@)-7xj2Z&LdrFF|J&L3@1QZ;?HX;pj4UTU} z;E^8=No`Rf4q!{l6nSfG(|@iV$>T@a#DVwW=WuS_c=i?{Vci!@L~A=+Vm5k5){X8| zE}@tS=s6)Ir0mtI*PTv$3g>@DUqX1lHU*KmIkXB-86dZ&VH|wX%EMFUjdk^BDlJ%km7nJu{G1|q9W9}Z#JX_wTfx8PWmLaOyZh0`9c(*fbR90vHh7Qu12o2n*Ln+-*4HKx-vses658jd^!?+!y| z-UX3GK*pz4-oMG*`i5xZf^2#@|ITvn5=8sQBib%x+LjGN898uy=ku5g>w19k#Ijh@ zBAKS2wXxSzziV)vuEle?8(&uf;5eMqO;x8-n+-*4wevJh8$5?!9u20+VVV~{`ySaM zDTlog9q#45*9VDH0UR)lFMc#`r3nJ$^XvCl!wBN(ciIN=Eq(BToL{n>Hisvbh&;w(K^%EX#_@L?BB9TNWu7VudQ2NCaEqD`VCPw!$|?j+|gS91(1V zx`<#ayoCt1!WT%z3AREjy7ba=s5`1+hR!B+VGZkk{#d|wVg z1Y0lM1zR&E5;g=f_40NZ1z(IcQkjslCS^yZSqL#SoirI>o?t$8F|lq9x}sK}J4_=> zv>Lnx^6(dkf)X|hsNPY4w?p2BzVpd}Z4YikgZ<^@E^p85&Rva--12}+=+cL7U%7(A z=lVioo@kN5CTjxf$fPhKWh=u}lc`cCus}c5cY?`(dnFPxpQHpXPrESbfK4$0`I~AY z^6V_ZNJQ;0kWCQg0TgE_Fo0y|TXeXz3_p$XsWe9 z;q)nU@+*saee%0SiFapNhb$4dEK4G8bt-h?HYb!5w`+|Naf=fXx3^)4xK*8S;x_HY zt<825w`dJEaa*Ipi`(<8iCeRbn3^VTX>(bv1`)S@7Hh41Y7E+qst%u9-h*@EJ6nO2 z(YneBv&;o&n%FTNkQ~Un;>o;jND9@Huyu>Ty#ciwPAb80J2plJckOxm$j1lrZe?MzL`nHTdmTg?{1OtBO~)Q9>K z+JI`Svv?kr*vB0Dy>sGZ!+;YTCTP-6Y*e0&quBrS$a7c1#1?{R5fu>?twkR`MlntK zUn=Oicg((koMMC#zz*fePVorcfiX3R;fN`12!FIvNUT@kr((HMDR2)nOgkC~TxU=y znz4Ik>_8)WT{l3lC&00qRxGh_u7D%E>yd(iYf;fzV*#u70@PLq%=$P23r@ru>pct7 zLT33#!j?^jO|m*g8Rq;ri$X(Are(+&axOGA2z&v$0#>W22~nDw5ivo+;k@ zo>&Y}g{{w+U}*+BD|7fYkQV$2bxC1sePprbQf3Dh(Tgsgq=c3s4-WK2lVr$kJgw(135AZNg~93>b9{I@pc@V_?ksqa7Iw>_gYHZo8MefoRgW~l_<``<`);|VDp;;!-|L* 
zzQ7@)Jk0&V!5ob61;+VKiqR2EV}lz5osUQ^+jE?g<#-*Mfsl{m5Zwj>t^P{(gU2HQuSi*ixwaUUmP(P#wWF-K^c1C&C_8i&x0YfurLeM%OT5zf3Qm2M5@)?ajRZ!Z^%4OcEb^+O7bTT^jwtSXld0rXvfef96Os$2e##|bU2^$L;y33SWU(rHF`{>dpY^7Axhe8(BT4>8y?^idl zG!;whn4!J_1U?(#1rxk)LClD5b+o!VMj6%mXG`k`V|}IGR8Q;`7vvF(`a^MRH^RFu zPplSC)|3y&PAlc>K&V`L3@PYWpI^6Mord7+ts^iFDqUv%)h80_-$wR)i;B`3Ke~+n z(LplUEgz2PIsmgqUe?GHyF&m_N4Ib1aaXEzy(f2`y-RI(zGg1p-gR}&?LPCs<7MxB z!TG|)%b3H5sXVdz(CaGaXOzOf5JA71_N&Q!U5|M>i)zDNj$EC;`mF6G>5ZQ~mGi5! z)EehU2kl_2wTK|vx*vKSJh_A{ml8!1%>sRLVqXF?u=g~YX`W}ThN3o`Yts`0-~f1@ zKEX0GhMiz8(&3{9UNteOPo%GYzPuxY{XGIJOqC;kggC)a#7I&WnOVe0Z{(%6C5ePmbo z$`EJ2(4?5e-uZ_pN1-y?0EzQ&IXPUXg8oc)8~b`9ML|g(|EkswrS0HPotUUdDdzuYO|%Os@`rm+`8s+P+vFe=Df&6 zh83RKA82tsQ#%TLHXhl}yS*{wwy`C-Lvy18)qoOefF*zjBd~8}KY=am4jm!oZ~T*e z<`zUQieAt^HPDO-j9}P7_o~yN^B7=SB%l!8?zlooxrz704+0-w3luIQcp0@$pdDL~tWPj|V43hzUecFrp_%h0Y435+#uG z9i4+wr#uKxL*~+IOx|fzyFq(4oHT?g;x+=8Gq&o`xiLpVbrGcR=pQVdkGZ=%jEd!H zU(;roMyFl7Q5v?R6iKadvj8dxd9dm2Opvbn=s!Ut2zEC3 z=|QKk_S%e-nI=0nNbQ7Ws*<##uy#*laDq{3wMu1I&ZVQbZ6r|5&d6zbedWqxYSGVl z8qGA%vsOb)MI)-?x04&>t0g()W_gj@$zww)PmOQR4^mtExi5c0$-XKvqt zlGX+j%QNKy$R|2E+yJwog#AX3rsNrqvmMqivyp$}Sk?6mgTmo7UD z>crMNATZ8h$bJQit*5Ybi{mB`Z%_hZdHfXFI)XWqZl9gdfGr!;WFPVqWENAFcU+D; z5FM(Dk_Yo?jLDz^K9(qcn~Him66~yNk<-!TY^*uC6$IRf6}Nz!2;5B#aZ|6PIBF_p z>!r34=#34HQL{m7I!<2gL}J#QrV2C~DX)~jy0`J=Cdc5*aF>fDY?dOFBe2zy#Ll&2 z=RxjLMMDNSgf&cMpjMI!OTxn>)ny31gOYvbg+EITeYllBFS)>ck4t*}41;~xg&w_z zEfIX#5IC!2h5Ae)`08{yolfx0CE>X>mlJ%~1K=xe9T9wSxEoGH@Vz-vZy|!Os-`MV z@J&-&+6%rm8`O3ad{HGAHMC}P%=@2++(~pJ_BSn3+uSTj>SS1;-@s4Rv@I zd~enbzO2KJhQilAq@*x2@ ze8sIJa5#>;;Y8eS>Mew-rYcTqOM5mOYP&&Ww1(Ogy+dd1!Jhm|h9baNOeUH{AjNY;Je=fgn6 z+j8d1%k%z`$s-<#^*{jQtB^S&>|N&8ZxUv*njm4P0M%1kglQ3joGH5hGx;&;ow`?RgT(QN*4_ z2S=rX*sPBwcX#gbfE_9jE&tT_Bb2#&CjfInY`VUGPCocal!*Ts-!qO zc1#qNvDjlh@G;(WOhbfsTOM584Z18XQ?joebAc8bk(zv>H2iiMAf7cgjXT! 
zM!=ri+>KU16-!Dodq>i3xEKyyWlA{jx|O_Z}!>I^|J7;wlOPQYGJcOo~;=;Dr@3ly3e+UCiJqonTj!pCwM@vkZWC;VHb{-ONkR(Zt z9JL%HwZgm(+1yNGZs(yn37>i3GZ8+cB0#y?m4r#6B&k8j0f`-$hD+E>=YU?{v)P5h z7L5yhRY9sRW#6r!fYik#cx-Xrv)Rx%zd_MjoZHlDXPom+B5_`0E+EcnXe-1y2=DWE zW=2Yh-H@J$(GTN!1fwoRiSuhHNg*b#gg) zZjJMtRRzA{;(P>729CSMxro~lepBN-gsKCN^EaL68J1KxOIV7MC%XOPqX&Q+9=N36 zN>6%CgIM?Qa)HdyN9FMS%0^Ps>(P4{q55N{%%n!x4M9cu;o!&o)r5y=$Ru296-CgZ zVa0^^?uQWfE$mlQN*0i?Vt{NhzRmh$s$#e&z$A-hE&1UipV-P;%23?5)T@8QLA9l% zJ`11O&TWO5x`TI7rsOW_97Ue;<)jMl?C@vfm$#B1W^u(zty1UTB@4=*wbZSwsy}Dp zDw736`7johYX`1>^?fUls+X*>UzP=L`Lh=u%(7H3Dtb`o9zA5i1L(jLuBlSDJ1pX4$-c8+us(U<)AIe3^8V6nvBf`F00q^1EZA2H?z9RZN8sPwBC?xSZU z00;`>!vGW%j0IxBkT8wJFskVTl&VVz_;Hv7Ig&WU2*D7506;(h0s;gH#5b50O%*lI zUB~X|(e`~AFOpldWk&x!46u}fbxmGH^^N_rs(N4+UETu@2&+=ZnsQ_Mo;{b$gtVhe zvj0FAP+_Af`K9RCrTb(vHPyt<1xpV^=fM=I>D6`5^+;~j*sa(Ve?RVcETED*n4kw} zJDVv`ItD;s71f%t=sJ0P^m)S7aR6Ij>MeSu4HZ=>wMxvAndqnuEAz1S* zR}mPM`*2U;ha6=oiF%UN&I}Rnt7o-6)Vl4*w;OM>rjgsx=yH!$xq>+SLnO;CzMi5lmBYFY;Q=K~P(C|6P%hI_Gi7(s zB`f4X=dlPq`igS?Kg64_y98=o1X@#kTHeKT4jIa?yl8Ky$Mj0Ct}B~}`4t`-h9Au3 zBc3`(4^Ty~AuhMGgT_Eb5)cPz7WwF$QzgNDI~6_^q&vhPg^Z(IuHCvuTTl_w^E-+s9%`OBxJS+;UO@V|pW|c=Xc;k>qAn z5Jg$!J|)xslD_E-YggNyd*p|SS8^KYP-?MaRQ&E`2kBY*>{e{IWrgBILz+|o?%DXF zBt59Pk3eFYL+Z&Rv49j9ppqzG_t`TdL4h^EXbPaAZXK>EEK#kiQbkuALYSQsGV~%P zv<84lnl?Zt&`-AmCFYPO0(?&?{SC$lCK(U9;}iq>Ugt6t;R7eeI-C+wz&Bl$tkfW6 zXPL*O5822^oK*MbdI|WZkHf!xItr;9pDGm3%m43m(TUZ3-t?$QL0%LTrby zSiexinZ$)s$lS^$eAduzH1km&Fj4y!#Lnvg&s$PL`&>nX6-r*MNwb~BrGt)=y$@j= z09u`z^z`w6NZ-lqc<429Q5Q3ZG8zT7B1%ymyYlk_v6=!dF!Vh5UHr(UG{0cS{=n1V zJ&i2W(FaGM3W@% zQsxQJZ`eS9*axQfu886-NK}`hiJo5DJsbc!uoVMGF^D|>&mh1aU>u&Bq+i(+0{17n zmTgh%bj?2@W#*;zp7mJh%m7_EE2_Xww}PK@Wk`quA2&OEwbIN&WkmVFRKP)r@jC@mbEa6g?UZU+$an?m)+J$iMbFX1VahZNK2y%(S zt*!Oza+ypWYlyU_`*HJIwasFg^ShQFOqF#(fc2>tEpe%Kjf$g!i5`C*1KPW}^scnrVgSn zS}8ney70R$`J@k)!u@LaCz`=@ECJ#A3R-Wx6{#*X3CJ@O$#FV`VeKuMi?_;#hkio? 
zok2@Qc~n@1?YI|+C@JJ|Fsy_(7dPPo5Y#|Wcc)2|@WFpG21Wlp*evf`QQ8jvR=rFVL}70> zV4#n@fh{3(==uRTC>*wb6l7qhS&)Lg6Q_L3Wx&gIE|-?W!fCJzZ{w_kN-xxsQLE1S z<(GLH-uL{n4!C!&N+%Fw^@6-u1i;YRtSr=HuO{dUwPC-5coo;V8Wd1{8kJbaL7wB( z-}OF1Ot1`%JQlMFkZ#q>zjwbrlg0Y^4?tM>0P) zySAL~%?*ESgLP*Qp@biB^1hqZ^WEl)te*{X5qSzDo9v-(hvEr?a<_j~k!Ldbj%tG( zU=TFtwZ$zd%6%9WG{9wX+cmU~puB5s(rfMB+M(Z2-NY=XXW0hz1Jq*4SAaGKFHp#H z-@lOxw`)cx-s4g&Jc^pgKwX)Y6wz7Q&?LP{iRr;^Lr~C?7`vA%H5qA8Y3YHY1b`?Y zubw=5C*--*1Rpb}5tJt09azph*bs>6W7tGO%tulGBj)Z*!l?A<@lC~JAZ#&r(5cCPPz%h2k+$7ydhtmpp?qJ?t)**h9 z2?C&>U3r7{Y=|$F_O4F;+-a;?x4SfWPF?6rlvtJ{l3Mtl8EiuNa=7tQV`aXBT)1h@ z#n&D2eo_;jy<1Gl^OcHNTo-3u#ga)%)>EuBMVkY_<}Ab?{?MB!ft@!Atc&3@kWlSx zBns(%j^Tea5)c=^&{v%us7)k3!2Kv-5vSZqcipJZqhZ`_%WOXf9*P;JGkU*f=BV`4Dvm0C z_7^KXpI!izfRU};fpG2UAfTucx!fmvto8|6MMX`@!n*3u|81JRq{lX8qH3lVas=kt zMu3xLIeeB#BHJ7UJ#@M{`9olsBuLRTjsgIQlWvrh3a zaR|(rA35wg1e(<=NAVv+T}r}AVam4WBAzlhVUc{RkWlHW$LPhoCdqKuQb%$JaW6q1 zV9`ND4E=5p4H&AiQ;e2?kHGM}bJ3Jx9O*ZG!@j*cuQ|J}+Ry$DX0LZn0WxF6GNT)d zC6*yo)S2)j6j9#cY_E|=AiJ#IXWtHY(D!XjG(MaOK)WD3gk#Z)h9FVwp)B(68GH3| z=6AS*yzlSkH!!9@pnsgm=zV zQ6p#Wjx*T%=53xaolHQ2(;W*_=faA`KEVr~=|bNj&+a*_QWx=HUbu=j94%;V1)ehz zNZ}{Iy*EQ>&kBw*`#l`jo=VDOQS?T_tGq{ZUUiaoPL8dud1mKt@^w(OPs?qiSuuH=`7n}_*v}T%0{YV{!FCo z(h07v%svI6c~8iR%DZw=F}xbkY#;OlAw$PhpYCk^%tR5DkuEp;Ux>&j@v%HnS+8_t zTww-R=NGVaEu*oCAgWXq6ADIC0!9cGtc%Cq{NQ;>F|M{@Kf;~hrkW8+68Mg0&#I7( z1sYZY4tGwR|0+yTFJ@y58_~2+_*UuS2XAyYv0wE6!=~%F2SdF>v?dW=`BoW1 zW29WXX=rJ7U7-q2LYI**=kN=Hy%FeZ>|kV6K(9oupT$={^tW+wPOy0hna(d9fp`+TKahThfDSo@TEA2gQO-9vTLQ+rN{O9nSp^T806_^MG!1q_7M-z!OqCpjxw`53*RGQbn+crq} z6+w%8`V>gOZ749X>49zZGdN7e<5LqjS(f2&n(=hr`du+zk-0BD z&b@C#G{1|Jd7kY_fSR)o6fk*`ol2}1sU;44$WGGs9F`Mw!0TGObHy;#w2j`?sE6*O z%}YQ4ShE4X@q2D(G_)bbP=ZIm0EUIzg>lC?_$~ySq@h8#Pnx#|hVYKK_ zbaK_ROUJ4ZEp#y);#|-1O6a&bNqKz&jh})FNr%F9ZRJ4zFw=mWs+w)I4)?XqH`rJJ zoB2kOGfY8`LD1WbUGtL2d=rSrP-)>-6nzROLqj7p)XwH zigEeVIo-q|{5pBHBahJaeF0@#ya8eS5vd!jpA807Op%3rU*f0AMj3poY=^pHcvcY>D2zKP)Z%Eu6a3mNoQ%RWtwTQ)2H571x_3gv)cXn- 
zT2ncX-k7|OlrnVa;j9Ax21XwD=TPr=04GFsfxB7r5*(f!|gdcdaflFIt{J;{nppEsBvjc-4I z4VWlje4>RxjN3CR-DLL2JDGGtKNyMt$ZQENVy;gy4ay)rBWNJGY-W&1GfRV)yt>Bm zYKSugEwzn_!_CkLt4r!l)AP{9;OMq6Eb_ z?_vqW;0(4EYt-1}H=zkHjRU0C7m4elQ>yM@-jNcD7Uh%uwLBu5F+*%ywV&WAc&NMt zoS)Q9C60&szr#%vj!y|#9NF4O?n|Jrr3A28p*A#@Z>Odak=V@KTRYV1G7QCZ(aT7^ z8{hc`v#@p09+3Z`ik)!<+31c$nZ;j>xN{J@0wI)Ond+^61supAgU?h<-Hi9twUEa( zxc7_Zx28HW55qrbD&8K1lXGwsz&w(jrV2ThBBBodM$_=+gsSr@m5?-afR6R%i8>*4 zt!qd7f)t!luc6a-CtaeaY`CzEqYK-aWV3RAF8>KhsZXsYt~8Osyg@V+QBJQvhi2TC zp?_>#=*K_FMqR4Z6I&e;I50ALx!9Ni~DJg7SExu?v zGun;vT+d^}Yl*K5d0xY^Vj>pEfIv5-ECAyi3N6c2DRj{zz z%^bnZ_S+jneSWwTXIN$CxuxVx^ZL@{;3xX^!r922UuNJ@E_3xJI&%ieyXP^a1I^4k zN;gI}*y#7AbGhX>GE1J6)%ft;gsR;kfFIstHp-RHWHz5c`Y5bif4@M>j_Cp|ZL?w4 zZnp9AiXSP=GBAtS_(6^gzr4q)d{)4vXs*bby$)GT6JpF}_Ut%8WU)J)tv_mftc zBVB<>36&q+Sc(uOb#f`$u2#Z~GV$ESi6ebn58SGo%TuJ<0J=P0cfF5?;!f2yz*5~~Ia=bSD$o>L#ot<*<-!<4U9r5L#wld`NOpL?tVh|< z`(halpOo=Rd^bNi-#F5guZM%=oz)#l-xn=0<8)C4G!xtM30uOYP1s4l_H+~&V*hB; zR6Y!!8w5}%sf(^RMiq`RwVdu|3mBw8SLVHq0Qg5Xb+x6R+eQvjJbfQ=6zv?)p3!n~ ze!Vc}5y-)dvYkLqj|f)<@^uB6Tp%myKQiW?X^iMc0}gkDXti<*zd|jG$%31 zVCZ=uTc(GhG4+2uY!1kJ$Q?pRQ%bYL@kBi9CVwZQN!`)nmt!`CfjRsRh)!DoNYL*< z-`T~W0U4d8^Filax-)PIO%-(`IIhr{t?nCxHikB3;jAK6NSVj44U4P&7Ynhb9ct8Q z3!9-ouT`dEzyYmNOv_DVK}XdpLt4B4siIq<1+Nt=Pq7#Avo+E2s7B0^8e>hBI#xtV2endwi^e3t8ZrsZFHD{M+1)mYV(KQuj zxYYwjX-7T?XyrHmsW_1e2SFCgbYgQ5%MFLDuo{F(=lM}Ysh^kU>(e7RpXREbEF_bg zE+YyCIp~aLc5vX0*cxxMjV3!PF^1~~f+)zIh9ZR5$$b>*Rw5g*CxBx^G zY&{NF>nl}Ra{@J)e^fsR9K<>Yw=)>QdX6T?3ZkDpg|B2*(u4!X2cauK)zFb;AnWN_ z_^zWVQ_-ACCTPSx$lNCT)ecUXB{vmUCsAEG zycY*a>dz?-d9kd(BN)TgBwKQ}-!}Oka2Z2QM9GKJ?=2CuCY}To5jKV=N)_1D#KQ2= z#Xd)!3?=oDb?@H9_3c<&txw`&5jM5;pzM%@%0U9AFQ(1tpVexcAr|fZ+A9!}Fx+cV z(x62Ndk=E<<$p;sOMxRN-eyGRCM_g$jK=VLF4f!jNw;LQ1bJvwxp8;R;z-?{`0I@T zn0tBWv{{+@?CwWCK)d!vK3{MUh#Roc+z}o)chH@5!{~$3^ihlib#WCBq*rWanIfg3 z;di4qtBM6K58dJ>2HcM8VXvlVZ`D%l(|YF@A#21?S~IKBy9-&_RNYqfJ5P@OR-hBo z^!>FtJDsIo%+=)igODHBJRL{>?Qo0?`G`SNtn 
z3AB~+qmD7p*za8h9FCJjg`aCDXYjQqod}I||30=l<0hFW{+Oi@w%itZ5EP#`+-rET zZNIOj_v3Em&Su2AR0KX@$NFbS#;P>`ITW9jMM6EJr~1e6Gtvewslh56kHL2@tsw>= z*8hY`l>0;=(tx?A)B<6j6kiIZSg`6t(eX8cV+``P>rk+?YW)xjs0ObKPq4>s?)*|L z6q`zeHez3r9pwgFsS&r6ejLy(CtN7;XN;w@aGvv*OLkJ1OoXe9N;tXu8!4bzNQoyT z=#b`og`SC}WxV<#K<{5yKJ1^*-|yeYyvo7Zz_)Fw7DuFOfW@qAo{8H`Lfne46voB2c zoU?40hd=IEeMnVy(GmEv0Xb*ZNwcO|>kq3?I}h&IQcemFuajH(o4r8i_3*hR=Tsgy zmrE_CZm173p3cy}p&}qzTqBJ%K%&GEyVf3wPw`GTV1<%A=$WTK)>t;WO8>o zwQ&g=f}i`*(ZPCie(Xj@hx@JZxg8lF?wKOX`7c4lts(K$;<#+tgtgB5!25w|( zn3bhf6s5QW8ba=UJBC-1`XJLj<6nw07SP`@4sEXQf)kuLx{et0Uc_dJRmsNA9f3on3O?wwbo1jK|IWf)OTT``cgz8L%g-JKS$-h_B z36NO$C^m{*CsloAmqsx~az7h{Fxnxstb&;=gL{u5rqRgshm90&P2FP?fMR|tG${l2 zdw8Z)Lgs+d1^VrsqegdH)H_FOvHX$wSXMGfPlc$59IxUp4RuCXYTTdNKk}^q(wvX( z`U0*&+psALbJ)nDtcXfa{p!&}vb=5!6Tn{2+hWh_F!dN8s` zEtwI#A0w*B;;)2_t*F2j_^H1)>mjh1RyosSa!Irch%k}5DKBe97N z$4WAiqc0=u;4Zp^&*WyDt%n5AOGR#;Nd5T5N<-rFfwM65=iD2d?q`MtM&Yd17R|p9 z81{#(qSfF-l`>@1tG-#kZ z%%7X|RI~AyfJy3nq!*{Ssdl3N>CGpTX1BlZ!F!pf) z=IG5V4S*VHbxSy#BxXd9UqGaq3n%%$$M<*$B+XMDB{U@W$YWuyRx!azLY|5;y$WaO zBd_k&QsC9g16m~K%a!+CAK{n0 zC!BF;V#-&{{deJVyKncOIKQ<_F^3QFKotVnB64|(4j2RHZh&Qt|`0iiJW zW_q<&k=6KsfF~?HkAZkVvuBW=*8y}u^Jk2nn_JrsG$VSfGPl7fHB(y6P0@0Rg&-F6I%jW?2U^Co>OQ80XOSIGe1rJJ zj|fh``qq2-75pV-IoEq@&s&}JI-UFb>W`iu?Im84Q~U-tDO zu~4RvJc4M-o*NsEwq-;aXThS#_%Hs;!d>x@CFG!%_hjv#9m$@WQ@W&qL=_C~gNlXE zdeZ&*QqqD-bu$2~>nOf?kUiK5VD@`-V!uJgWGv4;+@)6O8O!q^Z$~%*t9O0{47JB# zfz~CnR0lVW!8q&%{volrzzV9}+^n zYp5IaDOw`OIUGdSE4LNc6SCE{C69#ORS;s7@q)`p(VA*IQZR0eK1@Zw*>Hule>-f+ zm4nACS(t1n0e0xh9^C?TZ~d6A%Y-OFK}3Wko6k*~MK+a6%6PA6 zKpcaOvqPr^lN_Ot8QmK=2$Phg$xEFDQfZ|(u&ikr~NBGV1>Q1Olb7?Uuh~F{py!;imA{NiHfX}|12rCDFH_gYd6u6w?P2+mZ zX&Uu+p-yPfzC~=f1b;3}a7g72_?& z=6mEM0rD{?#OFut%Hul_5MWjX^52yC4|`eAL;Iv`OTNri_(NyUFxT|@sJBjEQW92P z;H!IN^9$^B#rx<%Y=b#8K|FS!-jxfNUOeWIx0y%!w()U>5Z`kE`Jh56`4XCiYK&bDd8dk)~vZppM~I;j_ab&2`uQS5;5wRPXc z;I^PO>6HzKLNgcQ-shAnW4-8ZJGGkyQIg@M5mR|rSx-$3M==Jr@=ZaWId~MBkKg+; z9RrW#mtk4Y&@~D6?V+oy5w?!^pRY+kUF0uVp2!yxM#}h}b(P)E0pMK?q+0Bz 
z#8ETil#kGo)+8+Y9}Y*}95LL!-qgFMHr}Mz&~a3EHKUIIoU4lgGK$cC4&_(tsN|oa zNrnOJ$N@?p0Y*g-5QDWE10sp7l{?#FF?1@<_8$lKL_yVS`TqYO`v2+fS#2&#KGPB{ z022bCoQXJi8}e)nmA+}#2m`Uppp8>tnWl*iNd!d%R|MF?-I_+K*|V@Vb`5_oekKfV zO`gRln7J$C@Dt1vOhrZZ83u{}=uCtQ;(Xdb!P%&UVrI|9@7x{c)+W?&C;mdbM+J+| zKiW`#iS~IGYXrxz26!ep+u)j@;0T@J6g>}Y2-Ps4WTBeTeT5KBF6UWD;zz;Xak$3> zA))3C2Pr2$L}eef9twB;i9St`KmI1%u(x%To&GGKCDh=3W$}%pun)(I={b0}fL>kf zYvB(31d3ZqD0(8gch%7BT-ToNLuJWRtRUYE%zQ&irfNtoZFACVIfDJ5sj)$B8K9^$ww89z4NA>*mPY3cU zH3XQzFa+lC^)r4b{~7rtf@2PD;$&#oU_T+2nnsk&o^No1WiG^(cqR#*s|w3#3gEL>J2mu1(UMec z;&5HdTx@|!?k&blefZBhC@yG=;7M!J!s9y859F;j*5&KzVtYh#L z_X&{ocN@z2E*IEgq8bA+s&!KX(SCbOm5n6hjIvDRQD}L1?d1K#kcBWQsc)4OZUitR zkeaVNB*`{#%lN*K-YTI7>_t%9`6x-qZbd?^-!&^v;;Z=5Qb1Bf#`U$WcmwwNXp66- zi|t9$4=mAc=6@IWa` zN(SPucF0cC|D1txQRZFBTParFZ1 z$J5{5x7Yig_T)&Hka|u6Zh}jAb!a;@gd?OCinU$D19ic~+z9TjGy=grIrW*N)3Ta;ijkU!6vqhfmhLt>ZpheLhU1qLiR?g|Oxf!?hxw`Ha=G z7)dn+1JbjzvgVC&sDGoW%#z&iT(xJM3d13Qbx*KOdWc0&xTvlt^I}l=(!iC&wf8jlE}gt zEFHPU>&EUdggScf3Wr!G8_BojsHj4>qavL`>Zv2>PeS1kVSa^$#CyxwZAd2D6>b6f z>5GjDO6ceS9G^OiY0BDo8(dIX-8O=dFZ_Uo0~A56f9r-SieXZQU5@O(KG%7pAg2J2JNpk(8?5s&r_ zp|gLTFGdOP?lfy|4Z?p;AMJ;#%JafUh50JVVJ_R}d;7sUoH2$xe9 zL?5D!jQYG_cWAHw(oXuez(VIX-vu#G^28)duDiiBfo27-hxKRTcMW`)8)<{x43=~n zdJ)(_BL>jT+oWvQre}Wf;(>0+IS@)-vy%#qFCd6^pQRtBV7kQQ{M$g-5v*1-fX&`_ z>;Vg(sw4~#82UALQsEm$ zj5q&aUgjGO)4(_vy#Lke5_j8QwpY>cLQe5mj(f$fop0J|``rFnz`aiC>H2lvu`*n9 z zMsad&;miymN}~t8dAjj?S4g>Wd<2 zU?VI5p3nn4%BA3d<#HyXW*a6rT6ax&|*%6=Q><3YU^GBdpY%*-DN8Hc_x(sS$h#FZU!Yhv1(866SHuHa%s6 z8m5vS?t(2R&F1D|P%Ur2v0BOUepXu1aGF*g(1O8c&lC3@F%tIj+6rxY*T)kJIQ#H> z3QnjI^=5;&)sfw2bWF&CQm<><9z1L7_R84s(f0$ z@xW)m)~hRZS#8e(>>Y>%M*~#6C*&8$Va7V=*_)67c#RJ;1U+a42zrE#ya#|X00X{O-kt)~%nxcM zh=DELl=b3y1!%A{zJS=0rd-)2JP!b2y}x#|(|M6Q_bV#a zE{kPjF*U5cDQ7|2Xma{P3FGaExZ1;Y|G_+yIReW4UYF$5rqvVa02+)A4`TvqydaKz6q;Je~rMXFFEs*;VW{(_^#Ay2JjjkIcKtIXnk13a>E} z8mY9xwy@P0uxC&avJpW@vc-s{fDV9u5FQs0!mh36(|(}^)((WW^&{vQk|L>9mEWZb z5r>yA2)O*)+HvW?RLuwzMP%$Lu$Yw?%sv{-zcLw^i(HVHm>K3AjC)K8Fy>I_KA^}A 
z*d{^cUUXZw31ILBYKsZqRqU*H8^rs7BxxZE2_*9&96Q>H56_|fAdP5@SoJZN#n+eI0^%@;>9(jbdSOyr>cUBLLjjriWKNUgToiEF)dq%HcB zOkhkCQIHvLOi3YFG?XmSV^1gr#(hcFbPaNzVjehbZ)JQUS`tu1D{1<{aTGjv1jJ#3BiyNZu!pMtwj9;i{tT!6%*PBw9l8v;@5CzZaCc|~y>A)#%m=zO#^i`+dU*p|HGbjt6}c;cxJ1TW z@=*fvc}eY37{lpb(@8XE*#Y?YwUlBXcHE14*X@a1%2WunF_uHF93i6r zgOPvQS2DtQVfQHAX}mHMV_H1azc#Uq^&t`qmYWGN;NH{NmpXjQe2b;d95%i2VW>-jr zOg5zvQ0gc$hs1HR@3T~|dl}#+0&d2WCf?y)xYv9`m?|nN<`8Wh1xlGq!dN7L6k9}; zQU5IhQl|e#hxAH$WDWTxOF^(oEG0m(GLT(HoLU${CXTDL9ZWiLQF@|xb2-eu;f6__ zS2u~Eq3}b7vciPg43zH2I@)wVF!RJO@DYoiW@g<$mdYHRFN}M{Du|^v!yqrjh!=C2 zspa*v!f*4enYn5Q+5MQvCFgs(7u{i4)R9>Z9eFE(vMa|u@TAJo)!55^2N%fQ$1B_5 zbhPsK>zw_dL*_vCt({sgVPZoR9ZNZ*zmVPnY~15~>c!#va^mTpV8U9q-sD_Uds@Q%6_2VcuW z^-(FP1Q_e306>qKA~lt>AG%Coe@7EN>BLRR-I$hY0^($dUJ5fenHgek zF~lLRd=suu2v9o1ry?=~nEXM=1aRq~13*$B?iZHu!*_yw_}fDSUa7igYH)`u6HZvT$+bkqe+iVat+Nsk#!&Ucg{*(r>nrP|{&?;k>bTI9=jIWwQ;6jS+cma^FsATLj?PDbXf&kM~2rxh}7>$Obp(u@!L=*RP=V(dl zRH;0afyN2g*KI2SvmB?u-=s~gcmi8#$_GuYqU-jVkpm~X z!a)!9^pfBW7V|7S{vRNZQYFvvvn4rJ@B6uqs1CVNZR3wM)y~$J(4OREcWjWF@8Xx| zuZiEm_K^R~R3~=1aTnC|@@+7>*=12vN|1xnhCo4wz*c1mHzD=Tqf9 zTT~B0n@|H#!PM}~EM4)`2hM@Ncq(<8LG@lme+9iNj9FaR>??u^?5VWrNS^*4QM+m1 zIj0IB+Dtrx*rQI^5$T~0vR6mO9?vldl$aTWmP3=oXpQ?i*GZ}FRn(V_8B_Nl=IR)c zo=Kc#yc(=)|3|{I#!5A93@F^(v*-I7vPaD%!??g_y0eETqDvtv%UBqb{4ikT+OX2w zVSUL2f=xl^j@OCbv94_Dl6W93c);|*!-s)nk_?My4X&$qwPqE5f(=VI0r-GrY{}OTI2=z{(Z!$F{{0nT}u4v88Yf(axJyKOSU= zErE>?By20kq+Fih@j$g8DmF6E(ewIBZo=t<8Bv+aC~LJwBKe-hl&Y|o*WbCC4590X zmVeKNH&MfMGW)t2$;*aVO&%JzzF*2Tm$mw9jaj1JeJ^Lo>(ab2$b6!Z^BU0l)*hyXRRNGhWY*LsaW|4 zm_TN`VKr;^k_YOIqI1J>qC}V|IAjC+k1jAAT*jQyJ~&!QK0!yXQ;5R(&N`C2R3C8+ zuEj|M3qI$-Rr=3uPEK6(;izWN2%*j&3aW$jFL`LZn3H!GcQpxjitA}ysU@TvJIE8C zR#EgR@|;YT=tH}gHgW+6xUH^*a8O#85fr@AHsHN!`g-MStPx7=aR24s^Zcy&o zPCQE0#tepzQL^D-GjMN8Fkubg&0#W~P*@!Q!LeZ}ok39hiT222b;u0%5HayrgqY~$ z7E{3oD=7&c)PPf1&`vk0+N3Yzu|&lp!L_7@e2U+3gAni`FT6<<;>`toPH{c;g_ji{ z!Wwpz9}_iyT5X_Fr9ApeZ^T`A4GA;gSyCyuDt&-5D}k2f66q);{?{Xnx&j?>m8+cn 
zx@VkbK05qys?1X4GoWEW*dtn9>2q%b|51~&o0n|bN)fY02n9T z07YbE(6=yE>%dfF#Xy!=yxGrjdc^x_Y?@;(d?*vubr?ap{$eIm%SfMVuO$CKP_Kau zFR~Lgcz%_^TKDU?xYc>dl;CCbxvmqw=|#PfAS`0)hOp;j$YHjNoD=Pmw>PgWLWDym zfI?>gBfrX2dPrJ#y9#`MI{&?_gv6oGH$KHUI2G4<;2D4w^PSsz^79{DPrl4LmpZNr zXE^MPwKgiZFfSf-DhPqbadaTCoVO0s{qSgnO$HJFsl#c`G(!AR+MRq|6rlUZl!M=v z3fnI6Mx`6f%>ZSr(GlAFP}Ix2>zv(1vfqJEx21|S#=NW$pDEnnE|X`wfsO{(D39nB z&hegSK{F$3Cv2D8)X`}xzY8c9J5pVXk8dS_YWS``Rk}#4viPSw)OQ)Z!{#u*2qf&q zR`8Tdx9U`@H>+56Fg;3KIO88UyC&Bj1W#?%#ut3bw6#2@nDKR=u?%j@(j<&a*VPh#~-Eh11cOG;^==s zZe6U8`rO}B`sWvT^VoBzE)RliW4!+};JJ_w?x5O`Mty8||8zPxBv2k)JiJu_q|E6E zD}BVtzLDQkxlAZVJt2xZgpty^sL5C+m9{wHWnT~iE+rs!0lgw^xQWglB zfl}9+m{ZnG+*d>Z_KvAZLlmmJ0OlA+U&R1umpRV=uWI_{xy*e!G|pc0e!_ z%CKG)+c4dN4$~0S`v-}}n$ZB>7Pe{&(ufdy#{x#zg$jt?Y=|PZ(*K#EyQ%)p2s4(w z*+wEpJSXn~UwoLN9o34gYgrKa1N&od00@!zpqk4nkJ;zuN?Niv_UIL2*l5x3JK?=oGe3x$JS8!}(`N4{JJfz?jlJj2ueV ziUUeL%3svy5_vKs-^2*doD&k=O-=t0X*DJLaSFMsq1r4%JIInZGEk2P1jbf_+W_Fe zv^5Ekp;^hagIo_!4(>>M0$!LyyWZpKZKG<7E9ltctJJ!WT=z+- zlw&jIvZ1D{u`{Ku;Fd{zO+va!3P2*tXHG%O?_gX{8oq4(T2A>e%|O;xNi43bJ-zDB zrqK_;xV5h8Hp>BaD~va6*3XCml=vA(YYGz5%txyN-N+|#d|>b!p5kLMk5T+jh-;Wh z7RJ#PbWw&TvcbkV)-0Sa0n=f-6M?aOeI04~{-+%}#b2BT)8SsCsy6p%9lP;D1CLLm zNV$36T7E}O;R1n>e(lGuN{~<5JMq~farR(7KWZ?2RzZ;Hz(wIKo<^5rj0*S1?KZLC z!+J>+(6X7fF@P!?tNCsq-)Orj6+j8DlciArZ+SjGOJxga*)TH4JAH=~8H@AuC~$TB zqiGk#_Su)1@s55k9h%N+|LQ`w-@Wuh8ZqBo)B4l4> zrEod28=L(oV=w7^@H{@_RLaA&x2gww)tGFYsJzrz_(+jj)XMD6;rne}=X^T`#;Lpl zc2O0z+s7tSHEewj)X~XeL7=p%W|(iZeYZR&qKIw~A`M$@Gy z+YK1dcX*i~iNuCAuOZLJhDIRaCTc(Md-B&@yQ7{v_!b(7Vz@_)Z|nw>jcOJ8^N>-FtXgU0f1K0%32|!-3q0u>2j(U@+g7JHlH32YN0$ISJb#{%$;w?*f^( z=r^A;@z-kqYz<}A$b+166yp85JXd0%E`yypCqT761skc)9whihgNp~yb*iGt!WQ=D z)SSYa=fczT(@orp!n*Ftk(uz@$eD{o0h8Xx;+d?x$4nA!guDeIqoF`xQ096a@5a*w z4MBkLl!njN8}8M4G&{I(+ZyJ?H1VG>pviGZ!J$u7@61umYK4IDwq5PdXIw3w>^%j5)+k@$J62*kVf6AExlv@POb6ZV0y;YkHKJ zrGEBxnB%>Ir|=w~mDBHsq51Yi`blQq+|xR7U~|Wk$KfSbiQReNz0N9f+ZtaWZ8V|u z85Afb0`y-M5{ZaGnj9`PL5j$&KxD!%sI2q-SVhnsNgaS0>FMt2^jFI#6x}BXx`uDh 
zgDyPh+qO-EyDQtHFpZ8kxS<&X-f1`&h=%-afl_=MY_wam^Zka_tN| z0c9)T8{r_WNASw5PR+5!>!J+rJ99A~=PA=sh>lAyyRkfNdNdmp)p#_A`2a!|<{V9V{e4W1l zx8{>CIxbxBp=6RKL3{0D6johNYxoHfiPJ}8*uN6V3fd6`5b<-?|}D7WFSVO0#GB9 z1S{w;)gz)hOZv&=%202sYApO&(F6gev79~5UQi@SM!HI4NlD8OB0y{edRQg z=yGkg$+s5Tc)6O|uEa?8SIfrUk~EmEDGa-8V^sxW*y$3nD?ofoD1*O>!zaw-{Z9^hm9}Xcw)gz zzZjz^tb)uA`n;x4cwFG}IQRqn2^fK{bcix1ViW2%77i2^C!W|JB8S)tE!#~iu?$#_ z3gK`sO+uPud^BisVpi(d3;;Y_A|3F!7YD@zQxyXQhOS3IPqi0@Cm|3g*dNLaO|@)h zVZ}f*f*djv?=a2^FV2mk<=;+vFj9P~jbXwz<7slsjD%|0%yOWUIfyeeg+YkV^)MDr z)ZJhqyVhkX9G-dwl%qradrT7z6|sl2g%ZIl7y_iTweu0^0Pd_;MtAvqTHy?IV-_zr3`o-^uf4dER|*y%#$*^lFBHGNZR>N!sqMg zbe}$1$HNmQc--KKS|z>4R9e!qEZhu34X4?3HF%ZYEe>62>Y!5He#gUVViRm0zf5}%A`4VO`N7d} zo$<`IX|ZHSwxX>6oNKIIdRWOC-SOG@FA$p1X(?F5BdpLoV`8H>Iw^|uq-P)+Hynjvqa(o5WpJrn zxrt%90V|g`V0f~8P@TrxzqurZxE=N*MmDV~ZO}~YL-2s~Da7gGZ=RL=HH&hLboH_l zQdU(_p2u_y(VjaFJK8K*nOp$N(!fBtX?5$(C7yZ11-?KSh(7#@;aSg!=lqUu1m6}9 ze_NG216$9NZWSDjR6=kNsrmJ8?qIb~IE&mP;3Ehk$e7;a72M|>j}3c}%Ag0C#B z+M$A`WJ%g8;9*i^18l>Cq(UPk`{#e{NgE%4*3pb@jQoMf+K3(XbYq zFI5ls88nLw)s4)$6A9mw;j>uxgi5$kr4sF+6&EDudgr$~(#hcpMFI}x?>CQXxjCzFHrb|yyj|tW%c;AvSVw{}G zC6uyuIm-|L$0zK;87NtDLusAIp;I3T2B%*##}$Wq#x}l5eb-Vj<>It=v9Z1k*Cb>l zMxoPD7~2@#RW<@9EZ8Xz-Z^wNjP9?RogAd4NEb)~FdWs^Q8QqR6YjM&sqjt0L5m%m zO&=TgX~R)1X~9-7{Dz{8%V;w7^?zK5XWvBf^=F=B^)G840oWT^Oiq=Ces(m}bHBT; zC5l<96IPDcp`C? zxpY&vLY2{UL(JcQY#99DdP}ZPL4)OFvM9K7(rfG};m{}15=G58#GT@4&u(VQKg}t? 
zV}uQ4F&(tmM6vsRpOFSCt=>+#aF9Jktod@WzO(rVdCk%^ymuzWpFW3A?aL3KW5K=# zCF)^KED*@_xo&RL`<fy#a_ zT}D~^JR?a>vo+a?C;-UxZ%n4>s!R zUFTX&UX#GJE_R_@5e9{2E8A&58R6oo`KW{nXfA$lh~Vn#A_a_T3~9B!2A~$B4}|oA zs3&%gK?X%^n4K3AnbC!wu(lo#7ZZRvfjO{FK%m5%JrQ4%A)(zk&b@gHY&_Lb(Y4NKKT|kFwaxfWoIo8`lE`cb=sXX=o5(2&LGtQX+-zRA3>J@ z=DiO%)Tlkq=Rg9tQ62B_%>h*#k&a!;=^+p5s@f2DF30EM`d^h~fM@6bWN6u!*yrXS)}<7?H_b43#s=m738~4<8|vptVFz`n4;Qh-ZCj~kkl8C+ zf9vl2PTu2gvvKvxl2n{$^&X`CN8)_z7-``{LSn_lcM{0``7y_q|d90|D1QQOa~2FQcN zM_^W<*ga9`Heg9351T2g{oz)~O`L;>C1!^i@3K?r1{>_DX9bYHo`qr-GzXW=P2^KL0 zR4Mn2XA&-1{o$C8hNoPJOgboD2qvJ6{9p!H^!RBbWYTpmbt?miaUKe@-k-z3kHupY zxPIB6`9Yx100ilf&mz_bCJ@(q6?Pr) z3#krkBj1xgc~CL*jwj^VCHx9W)TBR@mPdJg#w zS%#${0g}cnae9>Dl>IwcQIQlI=ui=A`SoeqEb5${Br!9LO#4y7122W40pVkN4Ab<8 zyQFDaGWBKi+3xsuoGF&uW(056OaKaQ(jXp9#B|P-ss|`}t+nX0b}5!1#QAJvk1%SpJcJ-55wGyYRS% znH%xLd)XQhIdI~BoHH=N#yQ(J!C##FT0wo}EQ^J>7ZL&g#6O-ctxXz@Zgwxwlq`UHJDq(Ef53GuZiy(xL=gSH{Mj2!mv~ zR0Z!ra;fOlb^V~elo3XB@}lB?{ZyQVpSw;V!c!*yP$7Q@Mp@kR&?P&vD%{k!YCP{x z8-t5rn(E1ZzvrXwWu;JP#K~z!q_L1vTE`>>a$2*caZ&UaiR@KF4}0fAc6lxS5sg$X zk0%L3Cz4ws)^IeoB@k`XPuJ}hWz<6Ca>R>X80e6w#h;9d5U@93QJ{X<-KNbMEl+)x4H_%h)(nrC_4b=Q zk7ri8ixc+Yx3sQ*2yZvd@?0t;*0o1ALf7}N5%{?9u;qZICyZwGIQ%Fer-~dFEl2~< z4*$li;e5vq(cSjWxd=-T`GAMcf6_-3U2eug4}XOxdj&rt!xK7q=JEe!uh+RcR; zXqDFKKrcV%M0$SDYG`H(hEvfKlqX+zsb55ku+9T@MX<}yN1MZqI_CtkW#;8n7TSd6 zt){Cg8hj9U5|1JC`dt9FGg)PMsC_rH&#&bdGSS+Tf9df<(PU5pu}rbDqaQaf)E~bn z{)9DdJw$a5g*9=g2G9_NH~Z!SwA#hhjpzu{-^aa^hKqz3%Z5H!Owk_vJI|B)Bub{h ztj*A-xiwcCV@Y_r0*33_`C0_u@1aN#>a6eRK(s)Ckft%SmdKpI_BGE@5PUEhNA4)j z!2KmfZR()=CE!+v3=x0c@kJkio2uy5TSe#hRJ0)NZ(*)s#74t6>`=P7Q~AWj$n|9Gk0%FHa6;f&L9hxyHFw8K82i$39a z3YfiMWM!>5zou_N(0ei(V8){kF%FheDt7h-i$~?4nu-r|-f3Gg1o)dTl{jJ<5*4y8+QW}M z6(!6)0+BgnHW={6v!N>Zp<`tmPa0Jm0NqQ?b}%bxqgE1*I!gZ&U#)5X=yO6hIBOywr_g=IQ)y$nof$W;o*2Nt3XKsIje1T~gixj%OE zTrGv_@#oSnQw)GgWwEVufbPrah73xhY96T^V&d_gcU?CaVW})R*M1WRZY{r}SoC}5@u4^as9?!`V25RE?d>sia8 
z2!)(P`ogOmeR(CRqSzsR@R64aC-~`mQ*(e4G-P$bN8w5=@aNAe?@A4OZx>XDDHp0n=@w=*Cs16VT4!YG>~J;N)3yaWJi8Hm?uQ$~ zg>MEAYfQ)vg%sv9M0C#`lv?wTH(b-T++`~{c6|v9T-$R1Hc^9mN-H*S*tHkIUEZPJ3j+poGg4e)8(9T}7%JHJqW5wS}RyA;@b{>8ySq z{ixRD4x?ef@>LaZC=SOz)|c>-RUH$KxsKF2F}iv$EJl*~Xbo#rq6Jbj5tt2G^pI=t zkNk}dL7Z+|T6<=@1#;8w{4}r_egrwpxbS_|M?9E&Ey+6DEPvtmPb$-a7IxeL^*ax> z;Cwj8C6xgGkCks|x_01e(sMhbX_6AZi1KX>VrfKl$b5olXO7JQ@)`#t-^Lh6r2SJL z_=4+_sH&jtcHMF|^TWuK%|`)gRxJpceeqyW^#s~0;MN&HdOml0+%(!x@I*#&*S+QF zG3jY|O3DTJSK%0Azj7lX>q?rSf+LI^z=zWC)I|VFJZHo4vShynOGtPY@zb8`W=Pn~ ztWi^+oYJpddWW0?x#3z^74|hLG$5sa)h#c?%iSVq+9WjVoe+C63j%Dn67G%`-3dol zbI=hEMzZ$vB)%>sC>}>T<}gd)Ym1KOlez$}LD&Lec3;@Y+fu3rdmk2N6M3b}d?IGR zBKsY{7dH&k#42Gvwx9!KF;TVy3whJTJ~AOzsYDkVzk|s``hTsA>nOw?Y<{YH<{l@2 z`?i-qC2-)|-XDl6tiWe=k@BB>OpyAS-ERFU)`VIV1e{c@QCFMD`1M;C^uf)!Qe;(M zl#%oGTnVHwsFcL8>Ui&0MebaUYc7_K_!Am$6Bto7#X2FlIw4fnF*YK(oZRK-4+hTPR#z+5rR%v?3(9ko-1}Pr@Q^`&QqS-X z^6kKvsQj>KlJ)79D5jBV*wWkkS+df893Q^nkZ>m==g(QD=G-oy@{u7NJWZIInpESo zQHxhGXl3x9A@9<+VE}yZYL&@+!I{}D?13__%sHr0+WQ7iuqCrn-?xoJ)(if6da|ky zQ}f?DLHu4h0YzjB<#rP6IO|PKku)Jl*^d4fjo6rDDaw#2ohfUmM_9q+DUM7)5UBft zP}L!cct4S*Y8Z>9ojI3;=H19$K{nYJ6ng)S3)wAJGJ2B=7Fa)Te&%X zNe7DAlrKezc>Zvt#Lfi0HIe$jb|XX40wJ#^BT4;B}2vMA&gK@^MzRje{{im-;V zs%FTIGn#gj1_I0kYb!~%j!XJnTl!~LtJrlLLZDS#k;(;1j3bm zXF$3@bq>I|lp?5$9lQVrgCsN+c%sC&tTQY1W;{dyM7aMHeMDOUm=|9bW{qZ2#Qo(E zUjU&EOw%{MJY7wSt|2ylClsUw)F+LTi}tF8HM)#Tr0aHE(hq)qG^PR8LiOK*#9YGU z#C#}`Co&&&2;n)*!wu)1_7*uqw!8UD;^JND?vYO5gcOc@T zASi$k^ad7fq|6v7BW78}gCq9m`+Hcb^L!x>{0-kTRV#B3EhPyO2?7Zo31c(@2474g zKPgVxjvYf|&sFHH$C(o>`t`T&DZ*V?Yw3#^PRWT+QZr9!Z z#8^`lcq-!HGE!8rCUX z03Ak5{2C*u(HF-1B3C(sI)$TFQLAW&oT^p^{lR%)zG#~4mWEPK$LT*fF%t#M6rkY= z)9Iav#9{>iLo#et~K+m&bm!V1G1s(UC&dXNBz zw#%VO^Fk%7NF*JXA?o}?`oaEO5I@SETe*rEhG5IgQBP?;WWFvBUiC_gViWY)tBi6N zJ289CxdY>~G4&p5w*A1IS}Q6h-ylO}A>`z>rimNRCppibZanC`>j%x7*4%wPY^YhV zA$>KX?>y-gX2Dz$l$dZ4-69F7togxq&``RlM3j`i(4HcOt~2e{@D&Dp*B(t^aip<@ z?aCD}kIkZl4Qpy;M%0!7+q7d)=X%eU?j$U$l(FE^AroofDE77w>IWK!Z`$$ga>VmS 
zmcO_fby{*>xbf(qMY>IKZovl4$a-*-;{j26W#8e+A}&Gh7u=St(DInp7bFWFT2D&B zwj)xz(X}Ax@M}nqi`Y5sS3%r->|GQJRzFo_VS&{y%IsJlFhZP=iF9Ccz6RGZtvbV~T_zPdLM9323Gh5S~q zCn!IioM;@Lj~k03-=K5s0x}Wut%~Qgqy;^mJ z*Ge;G@1hl-pr`>}U9yyBU39bV z73a0!qUtSig>03X%m%O)S)Tnx?yxO~xd_w>MAW%L)fI$i32-=P?vYO9xtzUDU{*j< ztyrX9a{tVBr4n zR*11T!{;6AZETZ1&#$mMV>1x5ZCAR*2*gC%;3*rWK;X?GlUK%A+%=N>0_+ zv(qHKmRl5}dS-I~+x6i~u??@AmD+zf-EM)p3eVGVdFsUD8Fit{7}6b)3Dj_WQuE`% zVF}eSwkDS$pB$TjiuDd(d62>K7I|?8*DQ=zaA}nG4xH5(XrI;DvZW%N^VTCxVkCg~Kl( zV|&2>RM8!e?wbMgRfDrTE$rd7MWF+q@7@R%SqluX` z9gICiESY4Lnf^G6jDok2$2!<`6sbi@>d}1cLgx~kp{e^#Sk9z(G;WQ=n}lHec{q-3 zQv1WziUB%|EFw@hMX%PM)Q22uO)TD6C^@t^{twA5B{$tr0}Z*IN@^#Ck=kOL;N>0j zW>=RCXZMz2#YBC_V?sNQz=0`9L}LT8XUSIh3Djwncs*TMYzU}F{tP>j#DatU^tafv zxPeu?lw<~RMl#OJ6-pPj88lN%c1$|CuQVai%uwPXfvz(y9xCXwe`+$PoG8&Vn$L3? z;fkB!Qd{B4i*~sM_!ZI&E`cH?1e(3?qW+iXEP#aZ&GQd>=B;G7v2M7-xS5f0Kyurn z%hNJBg&IvJW2We7C|`Uv9@2G#KK5vGp0Y+w95Vs)88JHBmCi;ISt>w9?~)a>my~LD zY@MWf3jizDC4TKKW9m z2OCn2lJ7c6nDPZ_Z28!(pDk==3GM>CG|&q=)TslcD-%(ItVgUcApz(L;XJAhjDB`f zY0UpAg}n%P+;n#w_%##6-{Wz(L!aIb4NSg^}@doKXr4iocWS>!79&0+LyCaE0X1>(k##F?b>j_RDF zz~F;9>LqDfM&uOYH*ND*CftDLaaIq9zipBa3msj}N(b8zX0U4_pd`y1$?H54j);m_eqrv$T)24Uo_z z<+trc$IlLZi&W&!F_pJG=T=NXPM1`&d=xb_f#Wj_Ucu)5ikea(<40tIi3Y$WzLqQU zQq*|47{|y*HNB-U!TQ-RUDY1lVOA%077NpTH`lgtU1MHp=}jRhiR-3y5DY5+=BL#sK;b7MF7LxLQJ>AQa6twatEB=}s#@<86G3%f zBwGqL$QIUXwzDlOYsn+Ot@72bNb-JcGD+L4me1PRImx`>+VVsyPKle=d^%2SoUI&q zOoeqQ|GeX6vl#7|MfRpdHE4U|AN;gg=o+6|IA3~CT7T^0;W@hNi>qYwW|s&M3f}wY_Ueu~PmumhF#2s6km#S7 zsw5xkRA-lkt2KG85Ty8aU2228>-TZ)OZw5`h}c3!!<{K#NrE^!DQxF)rxG7_vicHobfMqIC-cAxg# z0YurmVYwpO3vo>~yBGE z-8imlKP9BY4&I)#_ja7%RLnl7P9iLt6bGkNfG6ZKx7OK)YlkuzhppoW?G)x+}u5LF3X z1)RM8$bI7;O664Rp*5$2w6$T7zn*n6CE)JD{N3>Y@jj4{Qb!`;=kH|-D+-Uwej3SUp^z&9$pm859aaNI2T5++NP7BBK$e;J^xvu&zGWFR|bk`9bam z?lW3|cp&VC_k8BpD~U=Yx&Y!rj4!Hqd6oIGX_37M^ZllX^rG1y{&KAh}GP1E?_uwEp24f>VF@v%S1yt25J zRi6?${(X#pq2*Pk*`@K6|9gy%p~V)^n&B{XoOJ_UmIDFxa^f!5!y0@gtfel^AAJwd 
z;4Jy61R8}V<5fO_{itKVyh8GrJ?vzj`2W9gbzJL3y2;J!_RW6?(~T)k_-uB2DY4%JWOYUuU<|pL;fznF?fPICtpT)=;yh0dEHZ6aTg6P>yXV*%VR6pu?rWB z*ft7B!ARgut|OM~)iG~PA=u3&Z0i}p{fwp=kidrAu;6nys)C_lK&~Sb=(trPO3M zmaCZ_Wjn4n^7Kk4gE*j*52=RwA{+$tl<1&7rJATu@nO_&rf8vHuoETq<}pv_@vvMe zbH+iPG9TnpcXlsK=|C*k%6!ub>X(?vrCKBNn9_z=u9mqw3)*JXEptY$pT4GEB{8vF z8FR_}F%PplKohx%?Jig>*D+YG4}fmwz+71pr(R^^Ad6mgVM#z38zd1Xaap>2prmZK z{W|*oG(O%@j03$x2<(+G!W2XeEShGo3FN5H1N~(`Vq_xVGm=$UKy3eS;VccM{J-taeYyR zZG?uBvx~=4S7a9Np_v1!6V$Z)xvDFgjK7Cy1`-;?q6yrTYYHk^Y?XbA2P_YpPL2Cg zSy`+a8D5EX!mf+4HDhV{AFPj~Cvhbi*zXbFh-Oz|TR-DjSPf@%htAn28UVZ`ylXb( z_HiKCqDO1t3F8*ChU>egdM>b5jQBT(T%2pyvAV_=AY70v!=(h!W~0Ef{KUNC6?V9r zL2Y~>m6^{8O!<79KR$cMbQN~|K518csAJe@*L-w&U15iDb|uLv))|3IF6CM{HOJcZZm`m0s+lE4pLq0^W#jEyW*7(wDoN-7T(R-`S^|Z zg;N%1S8*#!$blK*HMJTE9Pzc|o>U)Lg5CkpLW%pAmDb}OIUnpoBMM*3n z>5>?kLscc_Xci&N=oh7z+*F2&8W2t3OXfHCMEF#Qp!A}GG-W@UAA zeo_n*sr&)S-||7?;8=^|tqDD^(77FHkwzUVXXkl@`GU8uj1^{N!IQE3CeK7s7)-Gj zutAi`pWPBs{mJ6^A*_&J%AtIfJHKO#kg`Im5%O3iQbI)SP&ZnUU@Ty(7?1^=#o1%$8+--fb=*GH@qGvOlDBbRqbzc!II8$$8qjg&>I(*s@ku}oV z2C>0iSDTYn0w4=Ls6ov>BTZn_99qo0y?9~7{2Fg)@#KpqAtVG_=O4YX0<4XoT}X(i`N;$r8aP00#{2Nnnh zOeJE|)j0!hFHH2$`ImU+tmJJ(fM8uiA81jtfJGr_Ly-y&2h0J_vjr+JVy@4uV_(@7 z2L%vO1kCJyV;H65$0Qvh>+(E^FezCtZ^CTvk1nXLcKoe4WasfY;r#L^#dYPx;`B3= zp`FkZAr7+*r-~8~FOOr6?1;&AV2Q89d<{T_02?_(O4|k&fJyHna6ohe*{(U}H4UE! 
z631?065_5gUD7e9Ve<>)hZyo910==J3KK(P*iyu=*!*2O!vpjvXt>!`=ATwY0Cs2e z2hJSc8LMLmTa4Wu5;95-C!0Kfq#$-R`O-XTQh3v3p;I>@Xm2ZfarQQsHjCBC#ULYd z+cto07%WU<;V!wfc$F5-`rIVwN z-FbJ{K%AMK8fxuopZ2ApVLL*2zqQzBYevCK#q_;6bQOIU(OIkN4aD#Q?4r`qic;n5 zCUTFz0>^jl4MS4 zJgNr%LU$ivJOBlFcWKU~>gkKQAI@rA4FD~62`@MzhHBObtQ2p;vQa=3V4H;jHOaDp zjIF|Bo=s(8TVVa}f`y1Jz6uIgc*>>?U}z7gL9>S(K&InVi3)^l1d@n6V55aOa?hl4 zEaU-7wRpkXgMNWn`*zv);(piBYc2g4>c3v`Hzn|1Hv~dLb{H9|(@I2hn{6ul?H6r` zi0uPqTJ3r!4kli&s|Om_1|&TmFV=;yN+W>WQ?*1e*7+rvfY>!I4I=d)igGa$C@27W zTy8pqAO-XR7Xgj;D=>!>mp8o$XYM5+DPMtKf<`O3y-EWV$$7t)NV`Y{FG1*O)wbiB zQ<@h7FKdO}W~W~9Ech_qM&g3ywNSwoBxZD{Vu2Ji$U4+f1`{jbyMXzlWpJeAg9p%x z8D=}!H7cI(c9j}dL`k5uB+t~mgc`@*OS&|&9Iy?NA_Tw^tV*ws0meG%f{T{l^z25Y?8-D`6(UL-r5EOK$k@3C-s*l$R|=03$qwoNzQS07g3W9 zblD$82eziX*X%*F%|E(r>SD$3n8Nf!*B8f@xcjN=bMRG`0{~LQt2;{`J6wGu8#N1%B^|iu{K;!2yAijo>M+XE(Yz`#c z!c>EFk%AZA)1kMij^9UJV`flApbU)41b!^Y@hme0`PM_$yxb<0Gnz6AEE@F~aCC4S zhQE-+!;6vu5Fy#92h;wV#a@{#!5$H1e@OacQy|jT{$k;48iywxxec(xMz;ypMW4HB z04t%gDE4OJv*B63?3Uuf*vsnGb<~xnHKp}q{9!EREA|Dn8sM)5*fkERYjpaIJQ9*M zG?ogDef1{TEENSr9aqa&E8-%HSm>Oc{@l$6!k4*d_| zb~mSHX9&SEL&d73;$hI{IEJcXJc961t9${u(fq2o0CgqJ`R8l&jrtJVp6-M4!+{FQPfy`Zn_pNwWmG1#Rlil@ z+BFMs@mkuP2n_Id*5)bOEoww}DI;M)yy0=It!8Mwy$(o|&oXo78?!_m593&W2eR=V zCo)+i*-Q}rvO|YR{zp-_yhi#7Zim&ci=@yH;7a(zM^^htVtvNas>Nrm8D}Ht`Z#OW zP~wA(0ctcA0}!6eIoF~+OI&}1h~VPN;k#C7EN>QCyv_20lO+V0geDKnchb|jG&cpi znnJ%J4dfjaO_QK|78+}ug(eGS0dlq4wgEkr z+;I04he45%8f(=l$JK z>3P}?HrLPkq=uq8%Xw~-TNi^31`=VIN((*V906UnC8)0Q&YZFBm*ufqjDVrF2@zCp zdVGA-Yl{Z*neWgdNsmYWP=YSEA%j2?@6|?w9yW+UP*mB4xY8*TQe%&;Lv1P&OckVE za8AaFY65Bi^53C+g?dQ%ZPgkDNp}J0Fg`PBU!ulZnG>A4OB5#yBJ&;-F3YYtxQEd- z&rB{svZjKR1ARHv-Z#%17KD9F&hmDvXl%cmX>A_Xc8c5Ca}G|VW(0Cnd>U^jTDfgf zN`_#m2VBPAsw*2@6(T<_F`?$pyOvl=Z zKz#TLL9wsxmf#w%~nES|e{GD8L4hfwh13-%slR+of zp3tPuNd9!qBW`eNap|Rs9+hw_Wvqg0O7Om=@?KDY7WMIcMoHp+q&bn3be@4=9`bzQ zgSV#D((?i~q@UBWEq0O>4^rPY`nA=I*AmP7$jzB+h{8Clsc@Te769LcWx58#gN1n% zmnS*d{Pt^Gv>KXVnQJLf%QppfzbG|u3K_g)c`0J`(=9l?qiakn-4`?a!4B>6hvaQE 
z$RK_P#)f%jJ`1!9*}y?i@7489p~VILI$Ra`M+uN0L$V33R#v7#h-VO}63#4JV1i*R zaw8RaF?MY98y#u`go5#m(#VIw2{SQ2vGYko)-RbAkm}Y?2Lj7{*WNBSl)#Be zU^f>`*am~+N{Vd>W=e3Ogff^b*SG{KGI@S}TtIGOe4I{fC+bhiwJ&GsyoTBo77QC# z2$?pnPv~%&`fSA&B2Bs z@A-JJX9Ay95ARup@<30(!?MrA7GPpF5D!IQC4s$kVi)+4X9LTf#X?}qbCdbUtofIN zt!8X?|MoKy^Fi9h*q!&HI8K4tpRa%UNpiM-X1UV>R zRu*bq)-28Oj6ar?2^-WHKc*KTn+0$a$PRn!_;ePUe-0^4Q z#0vAGQ~*s8P~r8}hpy^3fUq}v_xilO)~JiPp(JyTqT$==_WlLhm-w>@>lPM42+rA9 z{LXCzhX`z-aa|4w?2JG3_I_yCQkq8|v$IP}h-l~R1_cN@9i)*~Ml;SC$fykHgf=Ez z)>%6fJDC%QnhnOWNNnhkG`eG9hJ2#lKSD4z+hxsm4TdLlmEK~}?Kxd*M!`Umquw=` zf@bB-ENwB(++pH`ay$azt%GDC>Z+|ReQaxmoIx`ZsCgd+a1C!u>Q;sQ4Ke{=QsJBO zro3v0z9E-h!qV-`6nk->c9 z^IUUmuh(5L`=FPYt~6Sc<0v!LdAlTS2@e$SgVhZZlRTwU6{9Fg1cOLPuC1|fZPZH3D_8{G(r!5I7)p?$F!w9j{KCbN+I&{-wS=W zyImQWaqp?WoL13>6()=1M84Oj6N z6Ja})*aD-kwB)>3%WZ{ugG84H+ykLqsMM>}Y-}|G0DuP5QveVW3&z61P$0>&JkW$6 zWQOU;s-?Ls(P0oX(ja3HfB^si01yBG003jp)k;eWj{Y;au^VIt(r{aiT1294h?RCm z%(m1i`*dMzW~12k>;e+`Neb#{d(ccCozteK=$MqoxvdWOi{cyE3g*CI<(=r@mlSm_cShX0zL04`O z7yzJ@HXdcvZ^#~~Ac*>%50GEYT$3-3e6*%;t=p`@D`zHowuU^$SZ43jLfiDamH9d0 zWD?L3r8)>g0k~;+Qp#zfFx>*=XvDQ#1bb5X9rj@G^c1z~{ET|lGJI_&1RA=`teYMZ zJ5sO8rsk~qO`5^bRLUB?Ig0do)aUwYb0&1ZyTB||jqxuc#cE72YjTmeh64Hk4t(YL ziP!Ty)OH?=w>tws6wX!AGfGkblrcqOt?eQkIx~1M^I%S?@D`J|dKa0`Z5q-=wSfq6*=lD(B z9R5&B_1yD!=5IZhD-WOQpE&RVLmHLu}`{nryJy(J)_f z1Y?*C3uRN^&Mx*r&dpr4Q88lM+@?HmMq(Qr1oefr6Dl_~e1(#uIt+)`8mrL|Jwl1E z@uY}%62I-{IBr~|3WR)%mL^y|t`Ip}{X~5ZHS^qx#d{P(0O_slb+eefx$n=XqRWOgT}n^vLbyN41Gg`Zl15|IvG^Y^=__lkRrmJ0lhX7y3@Rl zw$)?pGt`)ty*W>~_q>DDu}Yu}{#qBGQNOE(;-vvcTma&GarGix(7)e%Pbk;+pwj8d z#GKTZL(>FeZe`SHz3%AH=*OCkqUsOiRc&e2w568?$M?pDZVzDJd)4!mqM7AkmT`Kc z0C|+$sJR>Vh!_(UmM+nm2%$Cy;*7KQ1vxRJ3k5YBr%uz|k)0GaE-b zW%%~LakM8YI%B_L$)^tQP=K#DLWsnD!5h$G)2Q)bk_hW{805GSwaX(bjJJ{xj~VW* zdYcM~kQC~JNvqFHF91aYm^qz!!U!6j*T8LRG|2-q!K}h-nN@}=|xo`-(f!M#Yrw$v2T1iIPAT5kR3D$Ue>a344 z28~q^|J6w(?ES!#)Kx8dbGQ5Y(u zUt`aGqDQhW@fuY2pS80kg{nkVC$z!z& zgL49Uv>z@1Coy&o{|xO4*`hH_wB6_)5!>h`C()CnMpSqiW+qc2THqv=rmxPGI3N|H 
zWQYe9KDz=#CFdbZuux(;_+weXx)d&zb!BGy0-t%7;F53+BWKk}MuCP0L1c*2A0!R3 zP8HLVDpwldbMVc&@8pIH%RrG5EFV%-n}1fg^+@uw9wiou(FcPrhH%GKlo!?N=LX^+ zM95TKmyhLf8Xv;FP0{XR{%x{O-Xn&=#I-htz`)%Fy*0 zVSae5o4PvQ3<@5Af{SwYlhJKcP@YsR$Iwi(c*lYt>{eYR8Ww)7kg4tfKwse_6o_W# z`zu{6xJg+`R@1K}(}}r{Yr~;k``i93$47D3g;I7U?;b{eZpjR08(ADLvQC<5&>P6U zW6VsfkO>r@CbTe)ebwtx{33eMa;YyvirM5HV51AXq;~oMN8fK#(+BAs;F4juy3G0b z_%kew_oN4G;;Tf))S3)7`9ZC#ue;-_WvKbM-D{9X*9BtGjc~)UJ_R zBZlLbI0nWf8{b=^*T`09*MY`G5kqu zcFE4LYN&`PB9rh5zQF#spD+qm4x3g1i(KCyEiA<|5Dv4A|72`$2VH>0In%I> z62dszWU4i5HHx&Y^Mf4~Bj_(8lrj#j#MFj0!H`kXHFcpoQ9kZE$!(lq&(v|TBXI^? z;)Fp_vjh@JE?79?4aAy0$>8;)8XO9Qg$#||Ed(sWt1j)WD6t6Tt~$78K~0T$M*^!y z%{(0d536P*m?k2z7R}?C!?a1fB8(sod3($y?qr#z)lbU@;p2C*bP_11$F=^zxXG!m zyIUui3|{9qb+Z1>duVNDra(`!1$OO{o%i5u_uZfVFMQ%!3!vNfmZ2arZ#7w{#zhx5 zJ68(b3xFpy;5cKrmU!%I3(r*gb0QbBWz8ssIXX_X=%Q45WCP%nF6aaBoKU&gup2dX z_GCFRFx{Pe9&8x_OyIo+JL}kM%0nH1(8n`d>1Lj4g}pH1uu4ZCb*oG4YDO;X!jIi# z5YWI~@qR8@X3ryByURfw!16_~EGdxhfc2#sV$?~Hm_BVuk0N>;GYZCUtf6QRz3kR0 zB6#M|EeucGZ<--Nc>=cRLkkmqELgYBFWg2R2K;JsoWB7Azt~WMOZ)%88tp(H# z4T_kno$8NG9|3?S%5MSwOWJ6wd2agMt9Ee4qV5W)DU9<28}T7L^>fr4DdIZ<35`Vc zFjk(H1!V(myeP33``!_aH&JcuM+uBFUloW; z#VvDQd5_>=pz_DBs)aeWxL&=8$Smdu<&Pg1=nX>{*<5NMBV}|b zc4`61hskM0h!$@V!9GM-uxh#72y0UY_B>&J17OTaz2h=Z7bX^g+_hN>Iwi&O(6^Zd zq2l`_(mc*5v>{91vJ~@MJ|pCtUHXgwyr9UC7<1Q$Oz+hI*imzl|3_^=Cr?lU&KTb7A6gs2zJn|Fs5)f5U(wMba3(y(v6KbfV{{G|6-n!irD5=$Gi660%HV{^A#B zGH+-WZugmE>-(o}%d15b%1ukHiFA`ObZO=sG%6;a*wsmpf8`^>mr2$a)-*Ckd&pX$ zw3-n&Pc1vwIe@VwXy?v#v?G`G(peUwjGUs)4(M!YZMDajApjvz?4Y-|(oSe%hi4+`<{3vIH>c%V$5iU-N z;%qZub7KfyrnF7rgF{EbNeHoO`GT&2V9HyXj^VkE4@KM79Lj;H*7h3Y-^xHX$*Lj8}?We{{ z4l5kc6?h$RNyvnv(VWISHLPHqWOt6gE}wUTJKqco{lqHczp`bJ^N`7lP~(#J^8v^^ zxkjeN(ssBBzeRpUo}TQ)jG+JuY3lShoHccJXVkOQppS3n)TEaC1+b?yL^+4Cw$IZu zNSBt3U+6GxnZQt+A`OIDDV?BaCQKP>z(JaDbcuztAy*NP=Dgh7f+?A!qihL$Vk{iq zz8^rSN)>35C)kRQAwRBz3cPh9Pu~I} za$tGdkC_qaik(NnV8jMgQ3Zy^j(;q#wO6>_FH^-uTc>`h!r4C9}G5IG5 z*YHO?R59u$JlXQZ7IY1VZ)2IVjVOy@$2ib+&TfRd6|R+&&O~ 
z_iSW_6RL+J^f_oe$j4OFZ!&@}c{NGo-xvL%Mb}UufsGG+r-os1dZXi)g1jalgxkM< zH`s+F1D;tWR1B^RXieuN?638LEm)j7^|}GCDxq6>(mk@4kx(Fq8+5_8>wa)5wsC{U ztk0(($E_cQ#0hdVEKF=RNlzCQyHry%d4p1oqAgo@p)^y%LV^AZE*AeV^)cvfmN@C? ze89fO926pnr52vDGxxl*f0^(1^208g9+PX8Zvk1`;Mn4X|DQ^WT>Zw3Ar#dQ5CA!P zF;h_v>`VrJT%kZn2Zv~?5brE#4xI`&P;@+|>svJwe;$1O&Suo`f~alvjGy`Ek0CX& zH31BI-1=))1OnIBA(8LS--Vc%UV~_=N9^h`ES z;(If+dge1bw<{uz0*)Z#n4;VK$Qph9NqZQu#D-weNjIoj4cuqh_37^rf6u(o!j(Nm zgu`Gnm9MY5F);aWzf-;13pV7>RIyQ!ww9AYgP?5D&k#Y|vQIXud=Q--I-NmaEOnAI z%-O;0Puu5v{Zc&Xw%I>Q=S4z);;KcaulGiXX9OUjZHxLZ-F$15n&AdjPp4%3?$)$7 zdS#g@5uSj z+BruK7soj)1Sq(oQh;V@RDSh?+uscY1CXrWJT;WU>>tenjULQ@((-p+H>;>*`{0>U zM)QvQCak2}BIl2aj_oL2Cmi*Z-Bk*3p`XZ_xiD2ft50)D6ZF0UfhVU9JyB)tHK5_h zvxgst%S0@4G6+jk+SQ`XpVs|P--Awwm(wlrpp1< zG2tA4%`HG&@mFVAH(QCPH)urm@6*853;m7Nr4V9EXiPLt$>S7Sk)XzY)@ZF2I2S%@ zay9kH1pP#IWe!fz>M-M4&vZj9Hs=OCMOvs8a?@{nS}m1-hOIBR1E}z`i5tT9ApzqX>xTJ7^t9QI*si_>G*wU4&$O z2vZ{@ht;qA-!(c@NL82A-<&lYJ%T?-Bum^hwm@taUwVU?M-a|fX%>mHKr?H&};mN z_6!11s`Y720rLjdIC=l^sw63Aw7+4AE-&Ay_+W4(5NakPwM5ch8nAj?IFk6P#Bnnh zx@aAlGq&ezQSru0&Qt_g`;8QN|APuejPGYE7vQEgM0wv@C)cKnN6N?0_I8ZJ7(#mA zGJFWodpP63Bw+l`PUf+$;zT`TaAA1|(O*+vL)H(g%VFIxPb4Bjfe0Ni=O*>EAT(8i z?LS(W{K>YZh-72X^sd23_0dfG4t<5F=l}uV{<;eJlaTbRI?FoBv|ux@4leNql^8Am zrqA8beGo|!9|COx>X{0!0oXurNZEyVW7%1xgu41;$+@iX7b&0nia3V^N+STVVHF)d zHZ?IuM%pQMU^X&?*usr|MMsSf7k9fk{{Jr40B*6)z3fmGojKL)?&k5m@x$7LCH z_ueYF78Od(h?D>|g}zzDGLsVDl$;DpbyYh2W9&F*lmk>bck+>f-38U5|Jz%_kc3DB zva$^kKdhQP7y}ZdD5&n4a4~0~_gdRv*!mWSuH?$VnV~D|=_M;Wx{4LhK$VX29n^l( z%ISamzYQZ-QObWIZuf@01U=n`{txWyH}+h{^GQ>iHJsAzMiGV6_%onT+#h;U0LliN zssV$_{u)6gPYiLJWMp-0zQc9>choWyey0VS%Bgnq;7niCZ@}|Wjf8DQjREBPL!6)~ zo;FyVrf0@>LDB-7LVAGuIHNL!5$8RD7P7^oW391Y?yf>QD;maa@h4i zE*Q!luqHFG`WJiJSY~7J(UV3J-3hg8K~@KGzX>;2H?(Ktyhi}>G3^JmHG3W-&uyZV z1iMqRm6rO)It+6t4$Pg}{mdahR{(Sacs;Y-70%>I@{#z0N?S>6f^8ON#+vPsOBiF*d$sS@YWbN@bnw42KY^3A|ix!3MBW?;7j@%n)mk+;8 z68>RRo#zeQxW#YRAELh4=<=K@(Fdk}whWc9ZfBS>1xDhQr_|^2sir*ry`HchHrgZr 
z1L<6;Kvzw30T?Hs0(yJ(kKKwF$JA4iy7Gj(^QqFBb>l}{pOaVw$D=q0AwR) zi)^nT%E#QN3CAN}h=uE*@9~#OQ?c^ESrX6{d4SiWnPe;8baF_GIP){$cBVPffiKfY zPW0|gE$@TxUDMdaQHMPk0Hf8y=G8(Y63eWBG8#LH}dh;16ZVV7j zqpr6BEnIoqBe8L>;z9?lka1{(SfYm-KlWfmvCNhTXKdAW9ak1|^${RonkSDI0xoj_ zS=7fev=kj|icw$Ia&6Dl3xwaepcgf@`**--Nz?-*{(Q7=u1UN+W#o0MiyxcGBLa~! zxA9eE2s-Tybv{?bjrsP0GYG>ZL zo#~vQCvG?v%SNk5Rd#_2j_ugc)uFqO2IC%7J5qS;-C6{gKItJrWLS!L&kP0%v0l*X zWe;mC8*KAkF@j0@^ZfykzwoSR$NUg9mm+~%j3=KE{wO`jr#4) zpiJiGv6E@2_AuQRM{6+Y`5$?RB5z=rwMczBEFiQf{{jF#K*GPjZt}&K2D!Q;EDLmA z{GI}mS96{%(C)c`*>eDf`g#fJjQ=qqj3{r6|B^ld3K0bmIkE+Gu<3o^=7)tQQ83hD zl!%^2ml$>$e`YcKvSuJai86ocf7cNo4G+q4lWfEy8K~P;cKREp!jCfHozG17lpR9~ zd5*BuTIR!CL(_JDX;jr6=)BO4xn0|6Fr8`B7%^r3 zHU=yBR%RAqk$^pvLeHbdQ!y0fj`REg~7AH}oM+UT2DH z7HZZ<50e=^%(~4W&LKAh46fal5Qx%h=~g>q;LGWukC2NxIi^&IkxOdy;risnGwyHpf(^Tk788l!v;$|UTd<4}Il>zhpEEm0OGU3-*^Okg-o!MAxh zFdUu1$xS0sPq6cY-5rd)2r5-0?S{Xd^ySZ50}$RwS_-(=3UH?FHWy@1W|L2Gb!O&# z)7d+gu8Q?_(2BZ4!6}g_4A`}@u*-hTJRK~nB#IF)&Yq&0(38$YGrmDV z;&#)o2U0{j){Gk@;MokzmiY^lXRlavDqf}YG^-Lw^qgd=pl}i2Y!+dj2TY6?%eMJ? 
zxnb&(1idOS3TfgEpT{5zTsPb&Kq4_I?=K_m9i)N1Vmc?0*^+_?9%^xv01GJHn)qTc z)bpM}c5gp<=I{EVtsnILzdD$E+OvqeMIU+?Vlrb$MfD@1##$RV@qFoGAwGs6qIq2Cz<%6;O;FIY+m$ zffPmoIH%P)RgDQ*$AAzPz}^3xYn9h>2ViiSB9BRlRfI*tdNTh!y{9}zYXNbm5>4Eb zWH$?ic-;GjADH8WL|clEV&F()OA$01@*^!FSz6UB87ar^kQb^At(lkE8Vv7j4n-DY z&teY_#hPZK)YE{Wc6PMaOg_w$<=bBgsK*P_F}fT&VACj~F$@yX>}+R=V3&86k0pf4 z9nx13&e5`&J{@VFSJbO@cb~AI>lA-)Q;(WnWz2j@NBaE=VloitC-7L4Rpr$DVL(F!u4aN|3-xQ20|NO|L(x53Q?UGHb?MGdG7P;RIa z8qI!DdLpCp4WeZ>ndx@dHL~5g>0^A!y$pthx6h#IEyXtVG2jQKeLT)ShF-e`uJo(v z`E>XElO+8{#=&H|>*@b1qP^$O+ExiELs4s!0%5EATy< zQvYN=U|f~rtgp&O=w5(%WK&XmdSzoz7b=Qo8HLF1Tii!inVb#?bDUNen{Lu;L*Aex zzVn2>Wduc*n+}A9li*>VX53%pAALpDICvnef&>v-a2d3S2545sZ^TSUgkS< z=p{4G7I2VWvsjV1S?c?S8V%F+FnkX`i;fkSf2|fwm8GcuranU-I7JW>Ll+vXO2}cT zsQnrUOKx z6Q4;FIxNvOy(>usuUe9LT!tk={cQ!n>@S_9B$Kq3c^+#VjI%Kt2@>q$KKMX5PQT zYW_x0>Kq^l40g9$VMcH&;y^44DSDR^6Hc9>sdmz1H$JN&A;QZGqE(PTtEO1f1iQyi zgd}hlLGZ#s$97n@)hNEtJ9&5l*G{E*(A7$1d542c3;E7|xcC>wcBCLBcnaA<>ydc3 zqY~%mhBb^RYyv0VYtY}RGdtMt>%X-GP{O#ZP4|sG!gO8j>+GS4<==z^V;tVOuqpPR z0JX(vqWi|=w2ruc9r1w~Rs4Cg(~xNp3iLV4_E2;L1qHy9L^<>skr?I)Q)MiT@{8zs z$L1jAm3uC`vfz?LE=@S%g-Iy!L*Iy2CE3yVlU2H!n9a2p5zGk~TN{x;9ymr_6p}u3rqMrgh@V6r~q~SgZ;;Xx{t(%&!-@%wl z&jPW2x$ukroGVR7RZ#h8dOs9ZbKovv%JAL7aYn4b2Y|2JNJ^?>ul^y9)L#W!#gzAn zNnVzt4J@8rS!_b=tV|l`metc=jpR{A=!g*d3IP|oAFs<)mmwv%n(7J#x@SXq;=CV;^` zX`XFxYmMy0H>y>8K}VW6XD>17r2NB)+OkgsXwR=j3p|dk^U42Nouet29P9GH}{L-LHt#a$h7@v!^#Hy^cco;0hItHcG z3>B6ws|qZyE+a5u$z*Nex>a_bYW`GL?1aNFi@>E`zNha`8Y8WL7~lz;;I_*D0fUVp zxkUyt5!YV-?`la^Y=E_u7K>JJq3+={Oar4ebSjib1()3pA_VebSQuau}1Y z^dpqBiQY~tuD)!Hw3XN_=02Sg%K_IGn*aAqOuM1kP(dE!hxBCl<~EL4@cx{k^}1&b z7%Rz3J$F-SSKlx+t=eIM9#P1cK-xcpfh~}4JD_up`{(OF!rx?_MKsS#a$jJyfrJoc zH+3ktD>j^p)_cfW(N&%Qh7)S`F5QF8QmTrAAr;}&&7}BG6f@`ZTPjz;qLiSe4p69W z?Llu|uR+|Uw$UeBZ3W9^=jICDCa2>OzFCHKgp6Z)z|P90yUf?=Bv$>p=Oi(`>y!+z?ZmRE}8CG#odAOU-266hW=c@b> z;dp>~JQ#svO8o_V=(OOF`JdUzK{+d7Xr&*F-}Z;e`A38%Oc^3c?PIu(99 ze9bg70jrmuveizVYgc~rAwlL#8t;rGc_=-bhrXb)`FXnw-T?QxCH94q}2L|Q!GC4upH-${MRg-A89YOkiY 
zI=Q#glCH(PDrgl0t4Y;Zbwj!znp%g+1SJMbYBTzZKo6TXkO3d^rj$WvGmZBQ&m+s- zuqEW8?LQ)eMlij~%B}>aUVl=v+`W)>S4(ordd}+)8&%IBcfstv@s4T>15tJ~`BD!P ztSL7FlDQ`)Qanen!>x|cmdp?w(0o{C)*pn8q>)BSn!KFAz*=iz3#CtnG0;a5nX3lh%Lp^tHGjm!@_pkk?uJh8`#S=L4F+VYVD;U9S4jtr&Rb;<7X@c?-8^+ zi$!08&zmC$g5C%*VY{2rgZq}8Z#}ltj(Xj!sy!cSyhsGKc^T_BD&~Lpdv}r)z z#{2*l&px459ffRsuy!@&Bl-UJb4Fpb;DEF)+9^>6o2LQje{7g-(dH=@kQ2)O0G&z` z!wQ}m5E6!67akqdi8RVrSVbWU@@w{+@u&1`@6UAmtp~Ote(36~={sF4 zWB$?8b+#-ddM`0hz$5qm!JWXJ?esyxpkc% zSiqR^x(nhS2+@}rUdcZB(@ks!``wE}d8QhPAuTj=3Spy*F-(03MCb6@I_Oi%*ZMFA z4ayYXA7f^VpSe#teLd2A2T;GBjR_hr-{irhXTSrrc=;4E3eh**ifi%JLZLpt_f3OA z8*lVp@TISw^}P^9MVn~MUJ-i+Vx+7g4OOCDPjYdexi~5WSGXq*MvJzAPntmhmJCZZMbG3Wmk3C|9gjKJ+nCL7u4aqpIMQ! z1F(JN}ZXFAtpGix&X9TtEYCJ=cn~yA{1$oRr@a_}FbpG3B!KE3@)4BN&<2N<{ zW4?Wp+5Tt$-68Iu9@K!S!4}@kiwioytvkG8wD@RWLsl99yUo(VxH?EuGz^KKiE5)c z=OIZDB`v(6dEa&`;aK}q_Y*uv6=?xaAwP~m6SFTi|I{XJ4Urd>t!lb6VoGrfTTJ#A zfjp)PX92U=v!FoIz^Bom2ag^AP+A7h(tV+c*KUQz=oUovA5}Kc3Ok738!h$vTBl{7 zt{oxQw$|Ma6Wq-nj5_po`qxm+4^x#BQA2DP=0+k#*v47-T|Pu^*!_gXw zT9_dLiZ8_;Y+i>MYZ8~hj(i6Aa5C-$Nw2_s>Y+oc7GtjS=4H!Eu%-HAgq^=u}cA z2<$lXxgD{d>{3%c?b+A4qW3{i%O<2AaR;&ttY5BSA`%S2N-b#W+H4GtNJ?8!!hkAd zQ+j{}>2pAsI4*FDdReK!ait$L5pN~_T5u26SHnQex|!?<{x2+f#3^4ay^m+IqUB_$x}70UdGR+1;WDKjZ6a8g=9 zvZcQKi|sTw5|N9K!%QNW^VrViZj4`!>FdEHokIFB>{(}#S2Z!z1bnzzD#vPpP3SOROg0Hy!mepGiHU{F^`h&8n>|>O)BBE(A6hF zg#sCtHa*#~3);7)H4OY}%>}`E8BY$nEppT(t!@^PgITlP^ybXk+Y9whY1cB{k$v!{ zMo3S`&Y0GPiGqQ#fXVOyaLYDrQsEFKW+KlR)1RYY#JT?$f~^Gd16$k9={x}$6WVLO z!y*+|(><{DXQP`6_Qg_A`O;Mu+`nAn0F}yEBPSbrh)RMLI5Iy4Zsh7YEGc31W}{O+ zpg-y0eIq0@1=y&7kpJNR>wF@inOv=!*?Hskm4JH2&N0ZlcS02GL>(3CnE^!r`D_M{x(Bw(G@(%2e1a$ zN}vo!%5CM6F#T6V@BhYynl5Vh91KdFM}~ZT%&x2L(|B~aPz=Y1?f6!pwtTQHr|67g}^0#lR{XN z*SgYhZ!n1ek`>UJe+FRDvl4ZzU|7U3-C(?9Fn;fhD25UQY3_5qE+RU$SNdTH_xHca)n3N=%MLMRU_=h74`t3 z9eVUnQTI$y%v`3IW@mdRw_t~ROuS}i@Npo<=GzgN&vDA=S{H0AkE43$lcNhpq4<-K zJ1Q${<6zrL%(}V}hsn~?5D#)fO<{<$*fn_=1LOTCsiY7%l8JKm62bUYfn@C5-JA%F zOQcw%oh*)QC$e|{ziI^PhLU9HGZY1V!=eyLs2W;N);K{FBbEGK8b%`@U#Z~#*+Bke 
zcmIUiI`rV$pkW4>#;sZasXp|K3K;@pUkf%#oHgb81G41uzZXX}N>+`KhpEgdebWY%(T^o+98;K(qjYVv zrk`Ce>Vp``U(4pr$tXL(2dFN2aj)zOhjI|hb`hmQDZGtm!jyA|D*s2!Uk&FWz?3aR zMhPzJ^n+Gp9M%SG_$vaAqMP51Uiqd!T+VT8n6#K2947pe=9kBtrCa=&UAOa2fH!pc zRSTLu0o{HomIvMScY88u#TU@iLoS2#k+Z+LF)1F3j`57-=Hz z1mA#cfDf{Hu4U{_sIGQFJdsX)A10TLREv4rxfOXg!S)yMr_~D9z1#(FGsjDT+~ir9cx8g@JENdNeB+!!F3B z@T$8C;;tNLuQem(6E&>^AoaEeY>Nb_-wofw;69_iXaHzsrsL7u<^5m%$+I21pZ5sw zeFNY!>(%=F%f5~GD~?+SK*GKIT$MGmnI(!FLi7h0b{P5C!eexEreP~M{(~p-@NsZ| zKoFFgNuSr^CxKHlRNleR$;;&tW!AU(w2v1HU!Gy=r(;wJdHLMGSK;uUmGjHxJ7$K2 zN!}ELKGBalX~juYXr6gjNn;ieg+D3>63;&fSJVQWn#eHE^%E1@!C4(Pj~AwAPH-c$ z)Q^$qESU$S*oiTe*M?xKD&pcA)SQYzwtnng@{$!ZX=Bt=KzEbV`GbLRr~+6x@i`=o zZKfe`Zb6B(HGFG9T6pgJzaIQlNb5{AT|nk^t>O1FR+P! z*N*g7P9}5^S$J`|Im>SKfJX!Ro@AeaB&Pwa>}1VbHQQ!61XwgP^W<2vW~cS(B^E7c zOAqWBO++^Jt;y0s2jw-ZOMlZ`<4iIwx|!+=>WpExk#G2Yw=38m5@UIz5Mg5VMnW)q zVt{xVI!vg8KWic=4vo{s3If}`%h6E(xWKr8kfuRwS&M^M$!&ZSd)WQ5^F`xN|4r-n zV=z7XY%`sAq}RPH{753!!%S*~$_h*zd~K+SIHeD;nkElEt?&!!u+$pWvt2a~h);Y{gO@|r{Gc;l6Tu$J#yxyF>8e7#Dsk?L-3KZz*1J{LFhABcYN8-AGA z?h3i94t^T9$H?B#sAk0CGdAVmhUjG_}9l!YPPNc?zIlGx1PrYcy-MP?Svl#dgy=S6$zerm!Pn;8p&xbhuS~*hg5(WA4VM=Wb zy;@4yIP$kTaxWU4^7)p;3D-^1Y;?44YrUdNk)NE%h<#!wwl+6Hz%iM_y~e&TYW7Iq z3LG3a8qOs2bk+!W-R*JAb8f9Dd1Ee$do--S;Xhnt>r3Z*?vhp$Hd3#q&M$a1rtPS< z0aQJSUl%%9rsR;@q)ZBDg7sEV9qfO?%)deRe6ZPv4yc(JKxM=cB!QS);5uOFjyF1B zzhyOwKhzO;OcPrsqsepVAHSkaeq1BxY4mhFvE!IWFz1h~(5PA(rx^08pu=)257t@* z-Z(A%=+T}Yn~bekrCzU8HEkwm02PczVfw@jqAnibe9WIdeM6{=>iA6j$}CRKvP8qG z!AcUN5xqZ_H5N#uX#AU#LxVyNIbz<{;}|gsV}*)?9xH^nt~ zfqpB0+gNdM>^;_hk}_8}KTFck;^iPa$LnRJwLK|9#!EDb0nfk;R=g1DMd3qG5A^ST zJWwVpFB~k%nBb{eI>s!HIjuK8S29+fHP9vnSFd)Jhjp5buzMrh< ztmlG>M8Og=7nS=XynwEYlSFd0VTLu0c}$(p-Fu8?_F)WfqHni~Tm- z(;w|Kx_Yj^9j;mF%KTit?q7|oXKvtxc}$d7%(AV~Q_VJk#{v`-s6Csde~BkMR9jF8 z3K~i`$%Tw&z_TGZ#=T`S00`YoPj2w&#(=f~3?h4nQrp=i>}7E%y&&mwqCm5B=C+ca znb(AA%t-w6c;UGcY=4OIY_%>}p2I*$V5PnPHlYN!QeUr%N!xOY7(hekM50+Row`O& z8&uUBD?X=d9(sfh7fBTv!LIh^I{r2w>x)N-!8`nE1p1&T@CWKHII$%3Gm2fhn$wKB 
z!MhE*A2+KZZkxy)z#WGBxj;BhN$ zIr?(-Y6(t*CIjZ*Ty9Th8-a=j;~IQzC3}Dlq>-{Bb0n;AB871%7?uztjzlmUbGz_9 zy;Bqm75Ni4gUAnU-X{k=Xs$oEp_zB4HOIN7yw;bDRqQoTsF^nZu>(jIAHuL<&A7Wc z#HfadUhz@W6%T77=BE@oUqJJ@Qy2p7uh#8tY(gd!%%xR6qPMbkzW16I11>ziBylt8ZaB_AQub>F2rO>Tcq;+Oh|%z)$>7D^yM4B+1oR7 zFOHL(`;l$Cn-4wEeg0Zew)GU^^eF;=3S&!&xgP9hucaP6HLidLea8M&d1bHDGoWe^ zSTEv4n0>G_LeH=khuMKyU z(1krT^FNk>*Qx_u(JWSDTMBK-+=T!B|qAX;_`4Q#OWI(9Uk5vQ2dc=DMOSu}1j!<*q)wKUkQ&cowb zs|2PtN-S>aa5mQ60ymoXtU%D{^BHh2keaNR$Lxz~K>KfFol*z1kqjtkcyeF{#Vqq? zJq*228Bq*Z8eH&Oj!sR>CPQqVm(-6C-3lNWK9ipEr2+6WhqnHl#nl~IsV ziE`GdcsvTyZ;~>fa$86(*3K*!LK0?H@s7k~xN-bJ3lw)L#+`}mCJqxqrHdadcp0oIOv+{e{D4jjMPJ@c=8(;> zrBFk{APNqeIoTojj0B1!%s= zq`Ufa?C4sN4{Ev>rL(LOa*EwEHcI64i;#Z4@y0}%JovyuH|=~#l= zot#@!C4JuzC(2O{z#G^_VIclQr6`uTufS0}y&`w=T4C!Z1?lRHh;}C$O-vhOr-=s0 z(@p|Fya4og&p%HX@lyrr-On5Ds5ubjwiR1tBzBHbi{KVl?H_-aF2+IH&fE#-L5U)F z96?y>!}J9t(Ag2?AsmPWDjBqFEeR@vb&Lu~;j7XORb$~#VYF_9{DxH90~`y9@!fmJ z`ud(1F`;2Ou=ZL@QU_&a(||NKN8_BE6~eu2Lfqo5g$BJBAj{lHHGl$&MMzl8t>~J_ z6rbBc{{)&=UTec?l~)Z2gu_^|445Zuc8EkcdV6Sb>gYdW*W?ZN{hD@*N^gr*<0I=^ z+=#*H*>AOQGmKZCamYT%%EG4ttqqekqbXYVZdCX!8_%??{f^@}wXxCUYmCIj1o0+#C+=F#dXx>NiA3fKUg3w+HiwKpdN zFl*%!c=8>8Us7O4QEH^wv6wMFu6W#4o!L-!gq>8WF76su)W|R66U&IwJ}GNhG=n-m zD^PEmhx}JunNRIz_(nLmG)a(FvJ*@7jQ=Sf#~PH+aTOw_IWDFc0^DeelNemP8p_>h zLRpP@TpG@|PGo{sypSp@;Y7ij=WeXPrgS61Pn>5m1`9%+-Yh(HjyPiNcs0hs-BBpv z=AaL`ESE$!(kv*Z9ZCGWWNBb}P&}RUODq1p(O7SX=^m-0U8sP^?IPHkb}zQg@$o2$^8btDVH_>M(sN@eOA$W+yVB}`Iw9D$L;P|`&ElL>st05`V0YBKxOsuSnBXzu z-Y4Jx+>i^6qy;@KFsAes1dj;Y?AFk-#SGDFW;C+r5gb64%*tM}#tr`SoCGuDcQ+zD zkjO}R-S+CdA3OlS);PUDE-w&GVKpn!C_Ur7ffF_8c|)l~i^)p7&FHWh5sI+dpZ1Da zD0r~JZ!v(jIU{r#Zk%EI#t+`M`gF9ylf|{SI>h!h2PTdpx*gu-z%4i&$T~E(miet1 zC06;Aj@$8xiE_6syTVYNxE1n(8S5To16TU9T390bGlOoL&wyTXRVU4CzJ0S?vmh#Or& zqxI2}HG3bgdE##FW0%_Px*+6(Q(z$D7~Z)3wxZ%+B(h@fHV?gboY%#A@GMY9 z?3nb0nNTaqUpg_B@*vGTOaJHHoH?#}1k7b@A?H+Azu@P$Sz?CMka|?ck5`thlB&x9 zii%Rga7p8b+-rb=3D#fO2Aq<>`L&o%Ws~K^=l^^at~s8enNOfYdCk+GNNy 
z^#3r~hFnMAR^z2@pPGO4UT}JQ;H}uzB1K)ZSdKb0-lG}hN#ip2N~Qj7V_=$-FodpCQo2A=7iLipP%d>_*w?t>^jqvIYkjxN)^Q5U`h9RiKdkZO zmo4_WVkUHe1l9Bnhvnx(0r!uGl_Nm2&P)Tkqu2atnG;S+*%`NOxwF z^Ov{aG%E_kyEu;_*SIO%w`ftH4ccW+VAGSmw#JZra9LsmlZ9qf8w`)#TZhGTCAI=c zY!AXcmm|U_rpv`%Kk}sA9ac3LcNjyO{}fDU49u6(^|ut+%DV- z%ofB#Ln5pel===5yEJ_&U2p+jNqN!8jb2P+eq15F<1<~T@sJLQn3N+39}0tb7_FAj z8}BLC+o;C;q&agOPpJtaBd5HPK|xFTZ!&g$NMU2uNCuL7?#53oY8tQB1YpeJZgBc& z1A?OR1KC;_7^kbP6VX^#2}`I$o(Rg0~*)zJE$t7)@&Y-Z4aM70a+@Y9}GY$!n z%KsSsh@-0EXv5niO}{7_9#nQrLbz7?ZjQi>##Qk>KpzuRf{qrXeI9fVyr)50Ye$uH zjguGz(}`>X9%P^5tr%36UFyvI)-WN5G0_^EG)r?rb?q_5w19z1@lluh{$>zl6Kz^m zjuq^c!t83{j_b|l_MaWu3f$0#?(LaoA7uImR?y*LmM@pT;PEu1HBavYw?OgsJ6!q0 z?d5(jC4EN^fO{l7&N=!)_cNe%v<|Z@cipu!!uc@qP)@qqopWL&`;pN>vT66mJT>kz zVGc}NIOxw9UG%p^G7XDhtJypA*jh+TiKJ4IQj&%vZE{|2XIctkmq)E=9UKcDAfEb$ z>*<9+{k^>TZ+7kP)9FVy<#xuL66D#(obVpqX#(=GfL1o5ZiE5`e5foF6>~{s;^=JTp*Q z*N14R!{hgatcECaf26<}hZaGxxktK#_bNORgI<*B=}3jCkAGd8*vhQ|k;22GB&|2c zGBx^Zr=6xk#t1$SF8K%#?44^}nshP4cvDpNn)DqHJ_HLT1&7u%fZo^Q>58^*04Dml zRkgVTfE$nyw+#9n`+?gbjcF+Go1WDXuU(Mnq>nYN0UHs&14T%v5n06?MZWWn@ieuR zNCt7agm?iiLQ!K8OTT%2Jl@xtGB??xnh)`9aVQhdM|BC7&ifcd%vqi-5AM`>0_9Ty zCx@gR&)M4NWc#bFz=Lz|=_ zFd~sZ3E=i};WOz35{xMn=D|klG6OFz+03q@qzm?!UDVBcm*=24WmEZVx~Sn(fw;G^ z6Slmin=3x@Q8qGVEF0br4A{bT7C?{ashGKR>bdlTCL2qR-VdI4z6tmSzF`<2MVg;2Im2tfktP3a+T(^t@a-eA+pd-_W$TrQLRtHZ;v zp=M~t_tQ|Pktl*(q79mj!@zM=G*25bjS=NX;$7j?+gt<%4pD zD$@N#I^Sv$ieirI-7~j~HK6-oe78D{{Ft9_2eOTguu(1Gol!3)7@$gGOz1Y6_Co`; zn=$dS->yh_-Jk7hSP)Cy*5QRlJ%G_2!J9}?bPL!=w9{~c#d+7L#r-}Q`x=h8y^ZF0 z|6fteov-mIq`OnCnuZ}zbqsF8cBFDv%pFPw-eAbj>?@zu6E^gPikL6bsKFx0m1t5E z4~Kxt5r#ImyZKRo16;yVE1b_nC1}QhTu0YH%FHdiw(u9`I2i%NVxge-^V{8^J@(mR znNqg2^|nxu5knHOo)3>2q>*nQ<0#OnNg^Rqb;i^F*?jT#5qmh+;9@m;v9J)ytEHs9 zy+_}IusU%JyCn%1KA^x});u881URszjy5hIa94Vxm?+$b9#}&d@z8-MAS?k}-X^48P8k*p9XW%yFqcX3#z9$|28Pj@d-Qlo-w0HkyUn*nI%9KL0YmHO_pY}kHWB^ih zkE7WtI0UT0`{|TXrBgXyLlg4&HqMpV4ULnLxE6qbZ1ZMFV`|+63(k0#H^vp^4Bv?2 zxdE=`C-#mz%%LVrignrN-A8LchQUd`LtVZ_OnftN-U1df7a^XkOJ#xt8BAGN8@xzh 
z0uOaeS4es2NMwsSHFUjxI^Lb67VlOa6a=_?^+oj4@3SLhr(&6V-F8HeoKtgaY=CDX zHz4@b@8&c;r(lB$*H1$xeo|%6X2ccOE)3Fj_|b1nO`+P~JZa@9Oiu=-W9c>4`Azk@ z6ciMgCq%xToL*A9+(R?5VK$oj^El*3ceZ>TBa^f(H5@PPsddhDnv_U?94}k3YdKG@ zV-8I8w>0kIPx{IPtb~4iC71KPi!r(^(^9Hqy|6dh@G}BPj-Ziw<1K4qZm#aRghtw$ zr80*l;UWJqcJyHo#aqbH8mfm1~X1t%e=YB z=yB~za_OzmCuc)`Ktf$CtbSdx96SJul?Jwt^nXOB{FaS>SEY;{4D_3JG(9dC^x&)@ z)FiN6#sipHaD6hMCm)-hTR^igP1|I$*mRWjp&B|@Q$F*)#I@3f=g$1p4llW-l5Hu7 zq5)$$Yk^~xcns4pdR=AEOh0HmRDyGtoT1=498HErG7Md1-G4l{OgZDOlHjHuLFuiHvo_Symu!I! zgh6=Bz#~C=>+ATd3dSG})y!(B6fl4X^&xT)ty6#ZKK*qGoe0hderiRk0dD_*1e?yM zb!nXE+8u50u4nU5Jw7xnFI`s}T%89tZe?HCG(~;6a8`YwUvELih%WT9kKo*WN#ZOW zm>6nrs~ipM^PAi)&wz9C{5@Z7{Z&(x)sWL_Wy2vEvc>-9m4)50XcA*X8K+hN#@JF> zO;ORM`FRA($oc2d()ug}$tuW@xz4>bAGL7HXT!QX4wEh&U|@3v`e~Q#x|GyV&OL;4 zOa0t}-AyKCtWzfrO^<1clDkYeXCZQzR};OJk|LT_I6aNA_wLNxZT-;BmseAi87C(d zETIZkH(d4{m!`9UW$J?im1-ppM(igS|{$kD_H9uhm zgt>JPd^87+jL=n|9MVMITcYz|ONK>*5m%~9EEsU6+2_N?*JU(4G`YZ^VMQTC9?ief z!f1w`zkp79Vw99 zhsD}p=x2f|S<0p-XVpJ?jXCO1Cx-(6PRJFK8(P5sMvvm}F_rYEj{P5>qP$!3l3^%a zewc%y3HnL67QYA%9kLD;N%;Y-By3?#+@`QoQH2d}9hgA^ zPu&G*s9<0?laM^qwqy;|3D+V{4P?;(4GAVaSgOu+_&kyxkT5xEYG4I+JNZc+Vq$(% zR>hEe>jRA)6Dw8$XX2D;a@8ir3rUkD78(cs-*SQme$p>w11Qr4Uo>Cl^^RLlBb-Tw z__q%kUr0d~0#8|_Kf@8n3oamsZ)4%Y6J|<}5fs1_ym9gBemOHh1`W*Av_XJm=>P|@ z^D_VdUNTrCMJCN!1z#IffCBd0{W$56_alOnpQYu8t$_POuZ%4;I$S(pIzrhB^H)q? 
zDA=;(iIuMf%MWkiciJ6c0+c&~c$t8LI0V=c&_dY42=#P9-tzIEuw7q8Mo}_^Cu+oy zOb>P$lwK`Ercgn&RcoGsKWr3Dg0-dxOFjytUL7D?n!eFR0v#N{Rn*}p3XBxUFlWXO zFYFd;O*1;9pQn~==jR2Gf4xTeY)iA4mo6}z%92VnVe7eZq!qZRQ@UikebeZ~bN=|z?eFi+7tvxOb{0x{KymVdFNwuFC zVYWO7vxTGSWy4}b0{<@x@P^?bhBSlm{a&u&^*?`ne!d9XARZk}I*e5;aLLhalen;5ScYLDlEefJC1W@;9vP3#E0B&R9Y(Atx67C=3vpy5267S8mkh#( zCuO*vNMBO4catp@PbJH`r8i%VYI3qpulNcRUyOKf+A9Mh{ejrS|aFhDi zNx3UD^m}e}&#x50{fwY5R$%nQ zS*B3HCo2t8tib(NSpkyZF~(dn7oi@7iTO<}Uw*fz*(CzOOWO8R zxM2Qq+&ILe8*ajvWKJG_Ng4nXRGh;ygP;Q?loTQ&SkR(p6#}qV?%FUQn?;~JL7~G^ zXb@3s*GR$0R!B=DS4P{%-JWp7C8}Y@+#?m1A|r&blqe9wQe>{M6c)^|lqM!JT;(I^ zq|^L!LUq&y>YHFKf%>8zYs&r&>WbSTB2+J6z;wqp_%E1Uq9Hb_BPbo-CHqeRCCse# z$`L#oFk`coB=f_bTY3%d%`9N z^fELhMeGoDg}+kht^>4p%^xGCun!HpsWsCpyYel7K|q<6Nt>uu(1Z=_$o|@B*ZiLD z6~_;g5SRtyMHyfkEx3pMqfHVR#U^~5!-7eDSra}olLjKKBnV-Y-Gd?sgQo_Mtd&&Y zNfe4RLBo9C%%W$=ndIw|dU0QPalK;O{e;+otF~(U$ z0Sld|E#dj&7y2Xf+IoWuAFVdBYj}$#dgkvP<0c$x^T#?=?)L=2yTJ2?hu#rZw%a0%eKBf;K8(BQ~v- zi~z0711@dOzOY?cNee+_hNz3?;qzGehS{NY0fI%et{(#VYA$w9VBs@8nwX<8BDnm-c{e04e<*Z-p@I?{SZ?&*$R)X$Iu1Q z5?F7-hVzcG)|kG%8!n&So>-<`qtoN2lzNpm{i^Ja^Kx0S&eP#@noy9K4A|*1KNI`7 zH_dw|_q^@C2kS*uKDeHL3MpARUY~=A*FLMo@>Ev)DM3pJZ0&xc#dOw9zH)jx^`rI> zgQUROkqXtHA@R8mTg>LMZ1cRP+{9t>=R}$s(`V8fET*A$Kz*o~$*i}Kr;SXUbW@Kl z73Fkb9N49IlxV%i^jT~@^P@$dZgarD;{u{`YMZ%ltt zc>a|g`_FxMYB7y-C^ratM`Ic47t^<=cDyt$jpqqi%vn}s{fOPvPFD08o6Y={Ga1=E zFV+U#H*xId=F!DuyzA*G3{q%;$m&OsKiAo3dJ9o+56<~pGda0&w1BfVTELk!BAd9# z!R1LGZW+IS7VduG``$Jl_>7EAKX!=(xSLu25 z&)pvFZ{B!do&VBoQmqfqfol!>?>IJTJTc^zyQv*2{dL7sGm|DcIQE`K=x7 zi_(rrLpYu^{NzdYc26VOh4}=#7#(_XqCM_JBc}}PI;y|wrk_5H~6zJ<{)paVD`+8{{ zU)eIsxE~h-lJCG*pjjG|#nYG$^YfX1HtF@bjthmxSDFe$_43x0O%vUfKl^}qUp(E( zvY*(mzJ7DRvg-yspsSbM)z3F~1DdgUF}>E;#(-wO_*Uxxbo(2-rR{4zOUB=z0nKPJ zG=>7nU#1*})tWQ+ar(*?KU?@*aX{V}3nZ5TrTIQC=6|-Tv0T>U#nTyDRG_Ih1Dd}; z-x$l~7O-5nvS&Q8W}dFA<$1Q=owVE-8uxL-7Voik${5i8p4)=LP2gA-<`s~D&EhWXuoVL<&de3jUQIw(J>h zQ#xw*n=6=H?J}6tcQfwN(mLJ7zvwp}w(KZxS#O%>Kt9Wn{fsv+#Y+2L|I(@>#|Vr~ 
z?_s?HJJ(iSTbJuHy!AgR_OH`mZ+kv+Aok3E|FoX@E!R@|;pT4o^Ya_`5{|LAUCl?a z)t>G19LN8HTedKI%Xe5Bud})Kt)IcbJT3P$Qn6*dPD8QZ?&f8{PJf+o>m8J3-`IPt zyRC6JeC}6v7*-~m_js!Jo44aIyll5Fi($dKoYv_`xBj@*^K5tPG?KL~2tRD>D5>B2 zz)oBHQ|&*m{>i7Yj3*EA?z8QSGIJx9|_7sh9;8SJ~AeuDUlVxykk zQkt9QzD}!oFs>gev=-jXg>_dcUC2%uuFKg@L;050lL5Cp-EvY2@9t%Tq4_CUk!b>_ zFzlXk8tmgmUptry*-4A>8LN!XPfxG1A~u%CxKQk#@;NOA6+7yABb{ThoY!S6etVkA z=czHv_Ukea*`0^&b1{jBQ^xW!enam&rnz2#D?7@s-+ru!WW!0uv0WD4w_hyZv6mf{ zcO-$6{+vehcswjV>vu;gHf=4+UM}@A5A{Z~3&F+~N^fhI!JTL9CX3J96s6N!HX7oj z@%(%t(92N1^=?>Dv1M@Mn}0h`Szk|J3I!bmuWT95hgpj~GMv%kkP&BB&}n827%VI^ zZpL)|o&}s>LO3f(z=L%H>J=az(7cf9iljvVxL0?{P@jSgQGE8GNHky9k<85$ZHk&cv-OdMT2 z&B!{LY)e5Q8l9QUOvjF)W{*>~OMWWz*!f?ljx7W%V6~ zuziLycQjG$a8mm=_}8X4kv1>eHlYt&YhyvCv=_#t^baogsAAEsaVj_QO6vY&(;PSI zp>F)kaCIH|*{tE;gwEZQ+` zzx!LCtDPRI;jHp$FLTv&1&QU&A0gQ?u$0+qn!O-7rL2Co$G~1_lQnsAYC~Du!VoUSc*2@^d zBqz?IrG&*8d(E!f7}#V!P>xj^C(6r9ZZAv(+c}9vwnV4TXnyOt-MZx0-&h3^ z@_}bA4jH?v^+$h5=awV0(w0$al8Vyfl#=Fg*>vBMJgaCbX2A1*Zq6-&0|zS) zsScZ$)919_#LAY3aB}AEGd?@J*^AV=0KuN|uuEBnuE5TgZa=3V%^?d?>Q@92?}d$N zH;7g}LX{J=pjuci@EjL7uZySaf*BE5{VVFJq{H1#qkAHLGEvr|`3(9pQYMfMVVERG zg`_nUWg<;HZRM1sT#<>UsQj{9h3H9y=gZtPbaY%0I8^t&SB5MRyGz|GEdr-5crxry z;qVar1IU{P_!%A)cmnu#1bsYFBup_Xd42*42!etKvH|COGzJNqVw;_#AR14O<=4+o zfK@YK6tE8!SjK}1=L}K{2sku5Wf@Qgl!soHwfuXnl83oWYH&~8HMEkIy2N-eaY!Dz zA;YS>Q%398Fo6P<}A6xF`ZJ?Ruwgr|z-)rev7y<#h?_kuqM~pz}i| z$Qi*jEm%YCg+w&~$|2%YGz@EW&|&3)wmK$#4mzxubXY-sjX83PynwcV@@*x<{ppE` z>3B?Xpov5t9T|;7I>?c9FkyOAHD}Aej>*AMV&{}>OdqIbQnsZjkLrNvF{(d)CE1mR ziXj`k} zU`CNlPm(H_LS*8C3sqV~VS18!;`svH2s_6%%dqtuPoBAnm2=eg-iqY(rggZcc4TujAl1Jb zEB`ns-+B!~ieznz>oc#?%IB`x=#`E8EQ4--?peQagOv-a^5q>X0b{_f)T{Po955uX zzSPD_H~+>9XNrMSd5`h>Yx=cT^B#M7?d!^GH};c@muvBq*H6A&7TrIlN*ilt)|Stp znc)~#xiNmtSgK!)IEoTF9ixcbUO6!6K~p zR3EGAt@WKh+M7yEQu&;gE2CE4zh@n*`y#22S`bUl`LkBVCbeGcj_WlIf=an)UYvB} z)|GE{Fu4KjRswn=YY<;T$*%RRu6ue|aXJRUBv`zxzJXBV5>&c5^KK}5i>F)e)9ax0 zP6lFdb1Q%9?&Y>8hgNJdjup`WaJn*|I%3Mopf@bu`IMLU~P7Nzg`3vU)4Wl2M*~tH-6zRvdKUySwo 
z@%l@UC+aKt7S~VZpS35|;(FTaCxC-I*Bc`K*cm?x`J zd>b1TuC-RQ?7qg!G__t|<0O|)ds0kHEX^zNcpqOrd0l7OA_WU-YGOrXH(Xy&PJ7Lv zC$n4`b|=Zw;+ib3pK;CieEoTH#N7i{XipYV?o!1oTe!U3>Dw#Whbm zk`d9yncVQa`_$KJVSRB;G50 zmP=#TZNO~pxKhqijm3TZFlBz&R*a{U8?odJN=en6u|!CYuj?!=xmxf(m@n&a<@d{! z;@5>u!)~fkUB6(H68tJFF;++*dp>wovgE~+<4F2an=-wnd|e6r`d|g}(S-;)!FEC< zq$MGaG%WF8q_kv%iX|A3ONup?2>n>{bHsuw2$($oW-|Foayudei?sg<{ zJb*|S;ff;>365Lzkw_8|B_$4$wnU96NKJ7+IQvD-J1kY8kb3wWIp!my9{xsc?BVO7 z9=?al&%++x1=A7EXD5F``c=t6F6=xG?sH;0;}wpbQBv@S){}KRpXIez!Kk|)bXR2K zyb9hKc#Pd2s{G#dxcIK@4gYqdc=pD#kqgk{Mo?yx<%iIxc8+6Yw$1Wtv{!$|yapwE z&Qmi^v)(%gj-ZU^qx9yWHxbOtW8h)SM9@1}N9V^leTck40yw#eWig)@(^gK$#c5vZ z9LVK7Ha?1b!^kkM6Vt@lwwyCq5fqz9EYSay-E^o3uhUr8i}kLIL16cjlReAP#r4lq z{@!_2qrHMsREp1gOAqm|x8|xY_?hT=|4{4Pb6}iOH}A=dvGF&Swfq{-Yq69g39fl6 ze!jYLO36YtY+{gIaf+R#!en~-<#6I3`#FpYaVkE_&-0F;c7D!Y!7VSR6kajx4r1a( zrHH-Ca?V94&+ElFRWe+j??GXmhzCaA2o9-zgqc?xU;ETky_a{AaWo$EZzA+A-e~>) z;S1Pw5bJ3+RH$S*sW_!Hh*im1S55-9T(dqC)kwkC>A2?nxER^o4>(iYc#bpkYUzyb zE_uu&9agC9j^24d8_xNHl0Cy&G+{^4)x|TLSuC4*X-=!I_C?22Z0WDXmIYOU_${EDNnrnWdf~&T;k)wgb}2Kunpr}USL8G7L-px zHv#x?gf0?P*Hh24`eSr;ES1>tzox$Pt^)@d-uMhd2eg1Krcf%v{1be@b^Y;+U)!(E+Se~SWT>|m{qx{{_|v5 z$b^zVzp;XRz_voJ$Px6-t`TB}`F~G+lnk6v)?~Lxb-WIXzmn3JuFI1{6~-0VDDj{$ zU0mr%k=5e96K@{~8G+U8oLS6$Wouq#7c#>UD?X!O@`5=;g0ppLayYBx;!acKLrU%v z?X_VqkqQW*2n=&k$oYSK{`xi@VJXTG;in2hDUgJ@DPXXbEh*>pVB!a*yuI2IGJ-E1 zO;x<5FT5C>bvAtq$AX@!McFyj@y;Ssiqh=0JF*ly_jx3MY#rp;M-#6zH)8=0@z?0CPNPa+e}) z4w5i%TCiWN&;{TGD?pNtj$pU28e?*j(5O&`Er_%e&Pwa-2%VraK=9;j3T+jE%Vak4 z8|fa_9h(4j`P?%cI$^B)Ka6c~n212=xw;6&Xe`7q_E`0zR^gz766qH^)|)(W*>ZlQ zV279J-5h?%K=jynW;}`Q0Wol501IBI_+-U3T12jsanI?M0%7h$y_zd!GSG7pwJ$F0 zO{v_&-kO+?ZMvx7OTYj+wnH&3l(4ixf&HTsMG{!-W}z?ofR#mvWy8veCnT19z#?nYYq_t*} zmQ z`Fod(tjF);uNgOWZk&=05}5Ifk&6Z&U|4e*3wJ44JA8JaeZbodLrK%-zTS|Y%W z5LRY+LM{xhrxr=>P6r9(2s>nbU-%8wn(IQt)JYID9@u>A{EQa>r4O_LG!aBbR07;U zB0msTh++q&Ps`Vk1mwho5vVXXhEVH3oy1-hP1Jxo)_}5lG3F5z%qlN5cuKLY9Z(9p z;K>r6uLcuGCLZawgds1GRD5upza={Gz21Ivs6zvN=3QiZzPI3T}(+JOKm34J-L_RTpYlfWcM) 
z4?GkZk}H594ROy5e0-p42dJiC4z36AXv71l6FwD$1bo;k9f^EUaaBg(;DVMjD1P{D zUBi(W6g4OtUAkeAnzn6xiRM!i^izZ|(|~EC76-BaN!K@CPL(wjUWj zLzAcL$Sokr_Yoxe@krUG!0|?cNy~o=XpIoHo1@9U;DXo_#9o?Cxyd;RR20e}2EZs53xEU1Y@>=qHHoqk^+8k^(FQ^Qd?61qpi4(x4;(Wc1k65Q z*_fRU+GJ>Dc&(bVP;uzWBShmzXR090aEvk|LYU3WZHCZ>X7C>}mQa7YF+DqC7o^^> zS4tt;AH+MFY)H;kh~Qt56pJ60n)8UL^bnh0g@427hLiNioVyit{FuQZt%;ck2Z0#y z=VXs0_VT!3&G=x(7z1X2C2>+*+WBEHlrcv6Y!#ch$sb$LU`T3^m7Xqb8fX;3p{)Sq;zHJmMh^-q&>(If>x<^N$BSs_gmi3m5ui$dZ z5^MRvGR+b$3K|VWwjnUx3<#iU@=@_7Id1H57O?cZe{3LZutCB`6OzUcA*iKE)N_6; zHV-W}khPgWq#@d5L$8a4)EY4YJU!iz8Y*Bnyio^mv;l>-f26&7H1YFrs>1<7(ui+I z9D)X9Alj}06$D^BGP50W>~i=Thjfp&9}BvTcYHU^I67J^&9RjMbSIcn<|%5O`G=-lic&96h8dGIki@AK}Pi z*$Qz`2B2i2DI=BL91qZZKe&=M#okqO_U)9$DJ1RX;E-xZkt7RT%QnrXHc4pR4-xz> zQUX8Bok}u^h;W=#dz&Jk)W;Y%NDpE1gE?Nv(*w-b$P)!jSFX*VmvDDSh9*bu5a+C6 zz#(B0fggaHTp>Lo?0yJh93l)oT@YP0z%^CPjAB~d6xhe3g7*jYn*i?UNr+dH*a8D% zJqVQ=l$dw@arcGk{&sPAbA&StrVU*pGN6`J)9`Z&iU=b-5^+fk$UrrO%0yQLaSoA& zoo=kdNdi5NA!{my4SO8RHq0#oKmf)OL^|{a5nYmWh&CwDM&?5x0Uu%XfW(0*;@mTm z)JB`+Cy{$jVvxrz9AGSyIQSl*BXNXPDgaP|DPP-0`#=ZHIziZyba_>dByhwVqgtgZ zmR8p^6Xb)^&}~B6hQ8w74Co%z6D{Z45aveP+;vNsAZ}YA>hgJM1QM|RD>s66)F4UY zXANzPTwERyQ|S8n8mSq8*MKRc-k-u-Kmiiw02bLn{9<9)UBW7lP!n@eIY+EZBYwz2 z9Kum0%s`Z`y5EHAkAw_$Li|Clrlv}fM{|NES1m3LZK#M)0mea)ElgE#^qE%pl0fx` zruH`kN{e5qzoAs9#0)gr#Z)8!06+i(V*nf$jz?q?ku=J2EX=D8B&y5Er;!|lG0HFl z2?2uu0000000000C1ZSg95RxlUeX*IteEJCD8qA26E3LSJ1YEJ=V_&|n?6x~C$}VF z)~JdTt3-l>5S>oV3sYzy(*^N6_IuIZBEYCK2>xnIe7GC}T!Ivl!A2Ew8Yz`6;dP`9 zYR01G@daeOs^GW~(-!PqWf&J)1=9&*Nb0;)utC;_i=MkuS-WjN9m=30!D#s3CYoin6p%e1djsc6B;C z8*``~uIkA^x9pjiDgso%3(h9`I(a}WD~G)51JgP?cBtCh;7F$z0C=bC095Wddnl+WAf)(r9Tz_l;g3Qo~Nc^iD+2ToE&!p#f8 z9wX2#wZ&=Wuj4gisqVKF7UT9Xhj{d>aOpvO`60<;Vd1;|9O9!A5tDxNzi;)ZZ=qhM!GaVhRx)E8B$T4HEck1C$IkYd)uWLyxR#m{dV*Cg*z>m-J z945xdIF2zCc$|&;W>?AhLkW0n0=8k|u83K(=pvhJSn(a+8;It`HG1kZc)6miWc_6Y%36TadXx>}jA%E2n z>xnW08Nmc4?649JRqHN6DBtX8!$0w&CGa%E4gvxNui=;50*)V%6HO-Pg?=GwrB+Z 
zzS4JaD@dN&@WpNp)?vx;G0boLcyhmYuvzLh${{ifpVJChqOA4PNa3M1%Wq47Q^nENowZgI!l zh=GnAmDIiklGIbmR|4^x z<*KaFXX^l9igP8A=D0G*_%;6@ig}NpC;h`wd(yM!wY7=-9Lz-58+)d>o+D*hnG^EP zo-}WJEy6*eu_OYD0I!VYusSZHfGr;{QS++whhuc)UJgzNQLm4v&*Qtf4}){k`Nc_@ zkJ2{J=v-x>m2t`#iwGGGzjf4glVII@H5wDpH2@OGm4(M3{P4WASn6P!uaUR{I21^o zpo)g*ux{ZT^Fur3Okl@Y#zr(Br!$ve{H_xXbe|%z=&ECL4V3=*y)2!b7OS_&L{cun zbuJF)Y=q)Z+%qjTZTha+dArj$+vM8aA}5)*jDG9^gqb4CBKvC!zlCi-G6`de!h{!K z1c(pvZ)~2ifO>b79sr^+pj#8;e`9Z`P-s9{a&O0s>}f|157~?iM3{rLBSImQ?mt;0 z@#%r1QzPA!q_HO!Y^HnMb~17FA2?9=6HguWvPBV3-e(B`GP1EtSbMNG;ROj~0xRG{ zE!s@>TIX?WJUoJG>gpJA?n32CI399Ek)93ix5A+b2X?m!=iU^6554n*7p45DQNS{O z-U@&Q(?Y`I*awx6piPRC^MG^{D(x7aB};iPS(L&G!t}L>kP`zAQsds0R10j2Zy2qV zHl-C6=sT+VE{kzHFN4O3pUdqtPSeDpqrhM0pxa2@3IUplZ#YlbWuCw)7R{1PK8nM} z-{%Mv9pF_B72*8GfGqF<{P2E6!<%UchjC+{((yU$J^rZkQUEozlu#hl39xsmef`W) zviI~q#hVqFMa(#?FTc+D-QEuU0Y1!+ptt%rE=`x$KmTpvNo1BD*1L87AU3J86wL-; z1|UMf?GWG+Ma!g_UeRz*s6fsew)J?(u5Q$bd)fOcBWMc%BBN?L?r%@%x|tC)QYJO# zG$xnlNOK+BGx>xLw2iXScRG{)7o!ByKJgYLXYN^H=^Z?4$Q9^gsGIi*5DjZz##>tn z06lGzT4=QA0N7Mj{#-w27LbfjTU4ffQ&eWO2!9E(ic3Nrd27ZHKQe<;Gh%#Ir7%?l zcaQZ+K&%%`mWz^4z^r1(7;!Fu^CtpaZpJ9K@`Z5+x1zT*QmrrwGa7Tht?kD`aIh^> zCE30e9l%4Q^!5q2$7q+&wqgkP{Nv;_lf$jk>Z$q;GpJ`UH!Js?nDJ`XfYzG@0nrf| zKYy1==1gud<8wMNqXVJ`Kh^Sv9)O=iF4VaHAtV#t}d0gY>! 
zvM5>{)fnkSB{^%^knXrC#w@=~a?I~tlbnom6)fdgM(n^~1NMe;w&(PNE+nH)lxN;C zrT0@w`HsrGZ!WHm;|Vs3@?7mklS($iE{?Bnw1@QNBkj9=kA2)?77)?m0Tfn|W!k)B z>3(m#;ncRdLkDnnWltBF8ay2!r3nMZ9zZ=EU$qAu3{XLxCNK2st-dd>(;E8z#0H45 z&hMB|n+@pu<`P!IPU867#M7aR5MGK+XEkb{w77gJc-=^?X&Qil*0gyPP+}RUG++j` zpbHulO~f%Xg+>gr=h8Oe#%5n!06ccahwp$iQ2eN9MgOjMT~TdOk_D(8NLehlh+mV4 zFPpg1jo0p5K)s}KaNkjn29}SLLzQ*T?f#~_&7fUPE4NJ_UHHMzDY8NGTP>|D^Sor2 zmjl5eOJ9(#+o7?y?BxF!rUMK&yUnAfQKhqSX7ifgTneLUvsNVZ+>6uQ@dgyP#_ZyI zX;*+kP(X*dW1;qOfC{>!x-k)s*t~b#HkLmquc6mm^}=mfREch8NI4aq0avI-*-s}> zV(&u~7JY*1>;<4u!r={c)7@*Q*QjpMubg3IR_r!q?(Zi8TUQpT+d2U!FP;XsD=waH zj*uT~#OK{9%aGF?G&{Yu55CoB9-hcbj)RmxVE~;jkpjs51^`Ds6gC~PyWAv2T-s9v zkuPJ6nVUa!*8738D5hqpZMyYA^Qmgnto_iFp-QxybS$uk-LZZd(Rt|v*WiR0PLfAV z<=Qwe>a5VxPr*1-W!cp{{)a;0yOomBowB!n?_j58dNr&HcRTYwBB0juB6y4z~v6oEFnOOJl;wIm+9pKs>&c|1_M z!j$xQ@z3sU!f!4T^k4W!_?iFX7A9c%-3?mN>78L0BhTLQe|n^82ZH(ye*A=cg|CeN zTX}-sz1+>^#;$22ne444{j-5Dtaf)i1Ls^X6FeS7tDj-3DJUDW-nRHVboQge8AmKL z8dVf7L-f?f%RG?0iSSRKk`{qfv!u7}$ozywpC*FSd}nYH_yYB$k8{;bXWtkOO4Le4!T_pZ8OSnPs(a+5+Kt+Vi|db#8=dO0qTco0h-?q#dX> zlO+H9!-Vv}^=}K<72%{0=5$UGs%k?NyhZA#!|*#s+Q*q@A;a8C!$=193!h<9D{7J0 z%uQ9zZ6|M|f*lT5mBxI^hZ3|Z0DzLcpc{cXBbh+|H_|EY^R;r#7)%9TEcdfqc)SCM z*K^GP3((t?TxKSA=oY_6%1PFt5Z&If5)QEA#z?PbzY=r#M@a>UNuJ`y{;+V#gt-=@RPLH!$w z;{#KaSQz|=HGpA;;Af;stUiSDhx@yy<$vRKJ`NLY`X;Mb=NOpLMwaZvq6SmDpi%64 z=6M{`eFs7F25)?qAXKBH2Ab5eE%a*K2;`wRz&yz&;?;y*SDiL(p8@_v)=jF<<(l#J z#$q)9@ss2U85QW@=hd<6zJTl@Gfdu;^`_N0Z}{S~YWG3Q70>+QHSK)#zJ!apO!<*-Tam-hO~?q>!rb-nzCJdWo^v)5SXv}S`MaT4J1tW>Z*fw^hl zaE&H_d@;WHjI&K*ME=ArbY}JT3~;5|#}Z*{X1#kH?@RYv`p0adH9)~g%qR1HuL-v^ z9g7YQbuJQLYrCo~84f^Kh#_5v{n&Y|%fWb`A0uu?16oV*>10~UEV*MLzW&PF#$6Q+ z2f^7GRyl&i1(B4SF$iQhETrExJqD+P7A|Fc4D1ub`ouFnWOR`)B^1&S1SZ>0_XJ(n zXb6kRz~2Ux;zd-E6BMGK;XOd+B2O;y z%?b2F4Hg0Zq`;6Z&S2HeQK)4iRd*%mmEgPhCW43w-0viA1KaN+KvnPp}tsNh#r$3;d_!zOsS8kRQOOy2^P*5@>NdSibkl1HE9)LEK`yFn%=j9iqIDp zS;bK*>%CTI&yKIuD`%V@_HYpny*GnKKe>6(HokV5L{67q;uqozB$bF`fjF0$c+g8c 
zNv;7$T#>_g#yVj!Wwp(3IvQaNGprfZmD6X)4jJh8r{wXYCW8|pjBYInl7~mWB&A}+f$ElxXcAN{xZm7OJ#9qmR+>d$(9Fr<+TEzO9mAvBt3^`8KVCaI=2VbIDC&t8B zHJpJccAFZ%M)(`3N>hv1@kuSKG=g30Wd&h4N2`5gAZ)qs86XHmzLJj>;jI6`nsTAG z4`JVvg6k>vsq{cT~&#A)G#HlviHQ>f_Of&`51kRC?xAhwHYwkNma;A@3{D39b8~?ldy|%Y zEX_zu6Yc9A!514*LoHKHE--HlIqOmw^ie9pCk0uLC;}^YYkcqkBCHvkE;^bg8KSlv zhR6)Emn09QJbWS)7j$Jx^<0^1nUpCdz%k-mMYGy6mFl=j+s)9u1T3f1N75t zLMTY`aJkXk8J0qM*fX)8;L^I$f+@D4|okTQ)x z2)2m_28EXJEPeR!y46-40fdHYA&WUlGS9PcLmu4OUM<^8uM5z*?1w)J1H~(efM>MK zOfV@Cx!0MAksFC7QIbR@%#&?0`Xv z`+TB5cD$KZX^FdjczTK=s<0!%>0K!@X}q<-NAgY@Hk&v zLk$6ZYD8(imeKhx2cqZfdcyNlzBr_MCPIC~bu>vh+`)ev7B_wa)o(+fd`FAAgG8W|M290`s|mw4}9en-lM5vjwCz|Bg;j!VoGTZxh@cD zUTjp*9dYu!yj3EBIkjLSi{YDfSv^N=Jr&>da(Bgg=-jIEW~fPy+|vLPe$ zzU2G(Gw+PW!05yaep1nhpV>*nY1X@G{$zN!hCFWFW`*hLi>I7~n58_+6h$7u1^J^N z{`moLlUvsn4fKo>8U#2;9aI51l@#Ajn5kXg*g!ZZN_am1h^KbcL&nI9A7nCL{XYozIfYYEA(T)E#6ZYq0$nE66}vw%irPDq18d4hb5D- zUhNSK3iahKriaQUqi5OLJ3cWi50YC>t&Arp-CC#ZsO!TJMjV{5)_Qweqs$I+yiH)R zIkpo_=#%y^TPo}g+*b{K40PDI(giX(RMkFhQ5)_$e9=9H95{P)Igwjug~TUbYop&T3lTDEw~To8R> z^f~zwBM7OgnlLB>4l$sm`xpNo`urYisYT*)O!smMV?Ldif#pHQv2wpPlYuV?#>&8h zv3(IAV)S4K5Q%@fe%{$`N_a-btycR%p%_^e~Z4ACkGrSlX6jrc@uh z&<+rJFZ&)b4xjv&c|Wv$POII1wV838THMYAh;Hu6R;Y}HZHpJVoNtbgi@fcuj?RKo zf!hDkgq+EGQRjo%Arg*O96%JeD2fp{c@*Suh+AvLb%n({f=}?9ZuKL ze2znFPAo#%Lu`{j^GR6Q3U9=Iw2waOBB9^l&&&`un^+)U6(PC6*8>egE&y}|CK~cq z1mfcMX7QUS<+RRrHif3T%s#OBT3l)A$X|U5)9AqfkuK1BlnG-y1DbqQ(Q0BdfQs^g z0)>KJ;I+m^HV9gsneR=ry^bh?fmm90OfAFE3xF%6V*3 zk!pLCusaL8xDFEDT#AaTlqfb7;!UK-vnC%9dVZ&W@Sdv~>Wd$i*a2HN916K)0EOki z(auYffoqD@7G3$9Bq!p(jrYLhwkbPGImBlQae44k7bX!B|CNe)Nn}xew4LGyT2*Du zvGaSNhjup%*Gk#HV%6;#ppu90j|!ycJ^7234O%vs&A5XePeqh#`9hOe27{;elH_ z^tT4|MLD|yPltB=^g4C766CNvn&Z1U^fHmMf=0=`b-JhF-6e*UvwLNr5|?!#+X<)z_bChb*iZ#+RMo zjpK_-=))Kb?$cKD6_aKEU4bHua4Z&kY-RBhS}-)$#Ui7qkbk{j}^Gv^ix6_mx+Wl!D0ff zh}HAhiaRLaC_NOIo?8t0uFVeoK~1yKtbZe9qr`DOjD9EOJE0`XWoj-iXxI_p##(2? 
zr7Z7&lK!ZJ2k)0!xSbxws~d^PDvADEXa8Y=ZqM&dWASGsU|7dS+ufemJ2e$aLn(+b$+7kho+dAS9?@KlK5q{oCs#*Z-2yB}+0=;lL|+-NcwwVgAx zR2ZF7rQK@G_5oJao6B37NZ~5xu*d;a?A{wh$HivWtIU)G6ovb`joV$UB|@+m=z>@| zN8ocHsi778a@XMuJ_g^nJTV(ZsOg~3D^wvQB z=j>7#fN#E;YGk0;L<7RP!(Rl6nPB!e_&*A>$O7Vxy;q`});LJ6kyct=N4uSzvt{g`&o1;atFejxm z8q8kkE_ikIw(nR6+*g>E&+3pyZbdGPdDB7*f3g}EuS9uvJf@K$DMv+67Lum;H#36_ zr5Ob(ri<ElWw|jV3}gpMv(9QX~SHoPx0WGTgz$TVD3G+LEA|@xOrvL5f3CTb)RobXvh& z9wEaiPazKZmrjOhu3vA7TS&hWW^dHdAZ{*0lh#yMs8m8SNDrmOXrdqVpzxv~gqm1S*c^74VK`fMh#7_H0 z-@O$gF&mMn*cs)de)Ix6V^;i8y53B%JCZ8XraQB>mDGXU^V(?<1;<`P$|s$7S(M^x zuF8w?J$gsagd%bqB7+5vlM9w*GYAB!4EsRxTqGa5_ZW=XI`cK3x(9*?I>U`T1aCD` zyJ>JJAZ=6##`=t>P{YAO7=Q^ej(@;c&RYefdiN@=fUk^b>gF|*)o2(M*St5U3~qMN z1z$`f-t~jtuancnb`bQyU~y-vSFqU34RV%fi9}dj!jTd-@+hj3rUV6+aC z?Da&^6B6B*f{o_?jr(Znz#I5D#D1X6&!*T!9~UH^vEfGhkqNe@4aJYSA5J+}{{+ywb&Sw@hXw%6oEl)RJk>DOb@^et7f zMYw(Tj{+0azUF+P%R5Bz3YszCTTsQPsv_c3CcOZ?mRF2*Kz_y#9ZmY7ZBsH`*=~0E zo*?3|5N_ezmn%4KLF47$K;8M4&nmG_B)q!EII0_re16A{jxx4-VKO_qd~Laj$8h>h z&<&2C-A$Wy&)G?VWk$#`?8Ri~x6Y?}O?hZn^bz%Zhd^os?Xbzs^0V~JU=e1h%2JAs zj=1O(Yg#z0b?E?$glMA2i3rsmSCO^m#QDxy0Et^(r`AfAq-QI}r{$4@@piUcq~JjtovfbDRdk&yi7u zd`UKdWZxMuJH(Uq+n_*CW@o&!d~K$?lKtWk&k@AQ(-&3;e~_2_MH*v491wX^^xrjX zG6f-{B_yNZT40!d*MEC^V@pLO$a!f*P-`Mv)RPqmq}?Uy9{WfrO|oy2OJOBw!;`J9-7q4u zq0kJ(`GRUtJoUu#vkUq^;C>?jIY7q0&07FKR&l~Ab8}M2Bst*T0-*Fd7@+8ew9$3` zdggqmWp^Wm(1Gd-Bfg%oz&^IgAdRrnNY!FKqWlR3ui)){Bdokh@n{$;gr}=qH@MuN z78%J`rzek<8Z%v)X0q;&T?FkzQV%PSf=t^)Pa2xdD_pN^r+OO!4Zek$4};mmSfE4r z4V_cj36C2{E*I_Uvn(m2{4A2JXRnfIxUk;{Im-Zl4uc0aZI`-Yx!ilV`!_&KVax92 zv{Tnn;jXa&f?QoPE7TY}Q5zS^j|gl1B$H7IMxc=gn+*WNpF$pm+}Sf^H*qgy1xn zwKI;gt>VsDPZ_$uQr{V};SKonTVpac7Z? zH7fM4P zGv}ZzL?W`Z`rO`6!B+j!XFAiM4Zvbta-z_~6^mehY9o5VHrT`oMLb$F3}_|7JS2Mo z9ZHZ?BXz5786e1K2S7mOjWdt6hk01H0D?K$z;s1kf`d*lRagR3ik3`4fp=2;>xlz+eGLlzC7Wr? 
z-xy#mZRNube(J~o!45}y22QIj?wLEnRzR1ojFS8wl&XH;qq(OnCt%AbxKUzz?BZm` z`uc*oaeM_Y7ks_wl`7+O+`)UwQgdZL?$7b;AVcOR>1!Mz&MGUZdTfse$RVMZ0by2H zrlD!flZjqPpHrFpS7QLAWTn&i57SQ=7w=*$>&jvLr&Z41GZiR2_rmh=+Q9-bkTQ7s zc`&=KO8$F76mF0U1UnOaoJloH${GOTmHj8&y5z4S2FOs>Ey$J!bo;yCCYWnU|GKOK zvfuTX2}TwFCxBV(X2@@EQ4P$H>)JI?w}kaE6^Q6y&LHF(T=2f;Yw^4jb$>%X8&_-K zOWiHam9t?m#Xw-$AC>B43onnlsE$l;l;kK$r215%ZGqphBBE`J7xkpKiIy5_fP#2tj3<3CH<_4Jr%e0YL)`9QCFTH&boUCQ`P@T@OC6U48{uXaTAosY6~J?gW$y)t zr6l>tSb$BAwrpXV;xoYh*nr0<{?%7J0c+>(UzQn;IvB2@8Vl-husQ9k?amZM~-i3_)q}TM0pUnz^T=nX<{Q75i^-6Jg;V-V)q!wWXxyN#B1#d?*B0I z&}0<0?JOCW7mmd}3;xstYHiN&FlW)?q7NCEu>(|b)&$=Q0;%%kZa?R58|PRt8=Vtt zOaR`S-1a-+nRKucu!L@PMWehC)B+2cpmuU0sFBrR%C41`9lgC>!_OwVwTsQow(k==uEu>CEdJi3M;TCt+`W9ubjT*7v@}TMQi&(n9 z#ZAu6*jdHN_2H=y;E)yrAg78TA<@)a@Fh4w$cc!+EHSkmRs}Qb7W_cBVBv70s40GX zGcHRqz%Z^+N~o~QV7}zf1?-7=w%;%5x*0gkFxRi(NETZrG2f{^%??OESmuwsoo-uL zUE?$|=}c3uYC{etX%uAA^#_IE%%_r)XG0ncxkK6k_@B`9V2r#oiE8?vR}%WKhs!)U zX+#TQa@Q^=xiVFU|KubSd%AeXdK-9O!8mENRGegHY$8s&njL!fZ10^eINSBBHG<=N zR>0O+U$EDfp9?|9!AYYGCn0ptQ}@}9svXfk%E#eL4o;f3GdGth(RCz!Q*%A%o>gEl zj0%&?E8-~S332=lbfL&AL`kazSGQCNx>Ap5qr*lOhHmCquYZ+7WJA3KZ5;S?+qgUj z{VR-Fu7;s?Lq7JJ+V{6T*rNmf!P%QYKd~R`6_$f%*0E71W0QCxd%i1fCyni*0?Pt9 zO}3?~599EGAj?p!6M`&Dd9vD|Ba?rezf>U{KrJB@i(Lu(&%RXOV|L{1ZE}@`>ER$q zkMN|Lgqs9_noCQEBt;n0dgjaoEQ03EbAvYjsmXM#soYS0fEQ|>nN&6Fcu}vssm~>p zGcmr^#WPLNmd`ITWdvFCy+sxNd|j2Ih1{#n25w7Vk&7H9I%5CqC>iq>S7r{%Ltw6@ za3JMPBdxQ^ouVEyDTdSg==Fe!ZWHQ6cKN!>)9o6=>q#1+tRGZrn&gB#E^!IF zl-#TT47R{J>tUSfVTQRVe@I<97E3c9x#4w|f@7vbKS&ygv7hg2rX!P^VdTThWw}iT zyf4an=hJ-b62$4;wqKKdA_}_kyV<$-C8(_;CEOD!DH0@YTU@7uQm@)aw?#!QAGq6a zO03EF@~J8B&@PE~|MxKg|5ilxZVYpz@X!xfDzVdG(>_z>61=~PjR%IY-YN-%AM7-x z3~reU5M9M4X`*G7B#wEb4oplhNS!rfi2L@%;A&DEmOrw6Zz_Ot-LjBk$!o7IUQF61(@qWHf! 
z9*k(1$3<2^)D1=?cMk>ed|S3wJ5dWFT^gk%RIz#{+L?G2=Pc4n4k>tLcc zLWD>fI`yWA@Y7jz$GgbQhb;S)7&G^xk&8=CA*Qp_mi;N8@!NH+j++kA+XMUJ%>x5b zi~B&i)B#*NFdj8Jz7cPY)y*Dfd7ysqCOK;3%VbcW6 zevfHRznH!91reaRy&&T>qsH9x_gC_4h;?5G8g~2(*^Z^(fGq`!YtO~{tRojjNth^W z?7KO=6CXT0)@3Y8i9sL}4Y$!8QPvH$rO22Co%J{{-#+EW1TxPHy24Q7vzk7fWd58a zasCrAUIkKtA;1H7*Gje59S=eb1`jrDPPMizAZg-@VkDE+v&}c)AOH<@S`Ub=mx49$ zV`N(7NRUW%%7A9Z9|Lm5B@r={(Lr@P!xtw)dl4bxhZSs(48fA)n6ldB(?X7~&dSN5 z&y-!39%3Swdh8kw2#f zZXBA=3&P8jmQj%7(45%dofYx3=!-FYW?@P~d^lH@n#}~YADDe{DisY5W*wxj-n3xc z_F@Xhz@)wMGV@j(xUTc;rtwXY?gRK+kaBJy^eMQ9;}m+uh@i8^Ft!9jSrZ$Y3jn4< zeh8Yw$zmYk=N5fO68nRP1LxHcy!yEzh@_iJ>;~v`XU2O zN}G8GOMo82#L9 z8-!Rx@|!kT^=&C{gDMq&@V*GyV=eJ7=vex|7&)Cr@XUr>UdT*G>*UnSNs%`(;Rs}? zNI(^27RjdpwiiO-sKwtsFEJ<$tiPaYiISCnx8dHXDf(89Oa z+x-DqcJKgXBZ%Ve4A+B}l6=u?orSKxd+#hLHwJ4HoN;d-&FZNoT>(NHXe;KWmdChL zHcE{q8V+xs;;&7n;aY5TKOV~z?QlM>`wP^-_gfI)Wo&iLqZnK3U~jWLAgncL5myqx zKI$f%_=tksBmyDW!lk$Vuq7IZFbJEQS6}1(p1TJqV&%u}UT6td<^zl%pn1$UwDdB4 z(CYNy4@;w4HuTI>+Az?783*LQ6N5PjBb^vURM0!`3u;z-2IH{bw2MJ-aG7+}Vv9WaYOz0(p+ISro^`Q@p4x*zh0H@YYHd@c)sSC$b`0~z`51=t5iNyb5A-)kK>yS=*nd)qf9$ADa1Y5~0 zg=S><>8bwn2M$E3SwU{3j%K`*RO0ntRXiKCakfNUit30jWZpEY57hLi|Bg*UZEF+y zWs{Jv+X;D5CG^FbmuvQ`6+*r&68d#Np)Z<*e6c3<>p^cYYY}ahSNep6ot`DAabuuF zzRej(DaF9sqrhoA!#cs%b~kQ%+9T*jn($5_-_sCE7Mf(=KlSRA@7X&qLiPaTmVzoY z(G;N!ruhDbqCA3z5mJ|_1=TfG#k#SN5g4Pmvpc3u%EX%V>%$1 z3y)eHj07#iiTCj`LlbC7mBk>(7FG&?v>YOVAWnc0?K`0E=XePRCBjV_oVb)?B^}Zm zVvdhM+u%J0Xs#e3O73ry$9Py}zF%QkQc)Zkjf6Tg1(DtnvfXzi^&ATJ?8tBS8`!Tu z>gd{mSgp>k<0_ADdMk1kR=V#88bW$qa%h>?EugDpzhH@)ZV4OG0sg7P42c>Cz_j*| z$!N0@yl8=>RK>nP#Q#@!3LPuHf(mtVQV1NL~7{#YO z=b?|xnK*U~4RS$MxATJ;eys0V>bb;#)iG`4?rc2d^8vf_`Hb|LrJH(uLo{V2>Wz;g zaTpD}b({u1zb-~xZ6(N6y<97l7LLyL!m4&s+U>Kk+wD(Bj%$e6U*4~!+T(Z^tvBrC zS}hwj*k#6^=m{GkGkA<2)~h9(OKxP-u&OM<$C=KbFh~if2DPKpK8!V#^s{(vDe9K4 zJViyn&qLZ9qm-$Ni5f4RX&dLQU|0NWG$FRuQ`WB*cBW(pxko~q04>tam zSLXIonoSh#PTlR6PpMzj^m6?%t9G_uy2O5QkoLH;f zZEV*2BCd<{;P>zpeNnj$7XKQF512ahskyyfcYdy2 zlB#m4FMu*3UES$kkv*}E{USLmoxW&&Ld 
z^lyKp{TUN`Mhf&a4`7X*XpMcKla>;;NsKmc&pKC5KkdRDRcfE!D+;Bp7>s3Kd0zSC zS=6-6ORaLpn6T#{_}6}-2F00bHvyC!btOf?Qz3HGqy46u@dW){TnFYt!Om{BtN=>tsxZco-20INB-T7nf(Sa!|)a6%;*a z3xSybk@K&gCI`XQNY#!g4h+0vefW?wx%Spd*G-w108ckzL4;;r!(_H2pfmg`fgiMo ziIr#vNbdGawU;3PbEXnHOYCG)F;OSyRZ+qW00E19)#%`&iUu{E>$Ngo`hUC%WPh5H zr&21~i(r2qNYht)K0girOUIi4x&PlRL!IDSbGR9e(E7J5md+yWiAxo3 zalA!Si9&@w7Ej{em8h5ju)_9eG4&B38F z!2zQdjZPH~_OLB_T|5VN9AAe`Mg3`UX*;lbpdMN2pTb~dPRR(OXG(!+cN35f=#xfq z(sw+%r)|J{3%8?E<&P@|%Esl}i~BPxjmT^O)$-`fQM)X)I~2;&$8kUiV-?q>7RQTCTL*a#%5Pn|i*jmHRXIJVH{Kv|C^9t~R?Qy%E# z6OUDZF?wR?paMBf1)OrKPN>sMx?#jE*)JR*Y&tF`6gikj>f>p&rX*tS_kGK-mHv9B z^C;>*1uG9^34wr~sV6{5F`{Vq0(S}e78w?<64|sdgai8S&*njAXTyw~nYtapyrW zET(RL)OlgUBo6Ca>DtL-WfKe!;Qh=Z3tfg`Cci7a7iM;IDvc0J$hT{FO>JN1U3Epm zO`L~!#dQ|}2K%10{r^qX1Djf?WZ(bY^TVhOw6|n?1Uo*x15CM5>2oyW!Zn_oKXPTt z(>}uy*B;)f12RyB^Q|in*Tx|OEt`<pnH7*U(dC}pZ(kr8F3#()M1-J)}^<1dEQP#x?_p;$ZH zv2prfvW2Ol&;`vMu%oy`b);p!%{IW5;babIf@kWL0UqcCDMG7h!#i=K9L3>St!`UM z;}bOx;EYKlGM>+%9iEVcJgJljol17@oOBb(A-yzAl< zmXYV26}}0np|JZs{ zn!?B+1;W|NQ}|jKU;r1M?z|vYsADXdOZjMvcThPM_kbIS6Vv8?;;Q1lW)kJ8MybqQ zHjO4uHv1W9Y?WVK%4QZD;xzg-MPbrct}16EL`#Eft3)}8Ku3S21(&cWSzoCS;J+o5 zgKdAs&QYw~)zEI<%#dn(DpdFS1l{%lYot^0<|!c9GdDa*ZlEOCE-L)Pr7?TJr#2~l z7PLuvz{M`+(-Bkn2lufTDHFrOhwN+inmEPng<#sL6LIpw{a%pC)!^HJC9COOD*&2b zP`&C}MB~)~Ad54rC%a8%XY?`=_U^^Oe(8NoeW>Qx_cRI=GlJ_qu`#}|yX?)mo^#Ju z0&nIAVv>;cAug;-;&<@%coV)gh)G8F;Z<$hbxWa>%SEu&OOtVM_G?y3h&k04Q#T>Y%@dNO zG+C2fgnGRF8Cwhy$cxoxyUo@!P-k_Y%2&jdcu9!tuH8U#{)*Jz%bpEWpiNEt!8ZT0 z%)Xs7fGUmingY|GjWcoQMgm&QVR4~Y*SF&fv%sY`JEkyu}x`JoqjF=hHOtXf)3L;u6tZ-0e8c`HW~V{VLi zFo7Gl!!s0l7n3_Ht(99FK&WQe5ONi?U8S=Lb1++D3^xxecr{14uB!7^1MLb!Nv}E~ z`o4Z2|y0A31ljvw8o zaBylgROmc(VihBT3|4?tj#`mFK{Y(qWjK6OM}j$wj`vARK5fSEFDUA_qUerPZ6d=# zk-+rV&21>|4yOM+O$zSMqAXhTcS50V6Z)LvCjC7uNoD~}*Rg}_IicG#oa?^_))18m z{RRf-c<`}N6>fg_%= z?64FA-Vq&eF45drH-L0eC&697zS5TR9t4ku)tLkaSX{uF3*O3#nnQ4O@j2<-byp{t~8}IvI z03h6kwsveF;VF>Nm~rlX99u?n%tC#2{7KnJM^{<(sr{8z9NMXo29+NrVXE~L=@#V9 
zbQmxw!T4rM2!<|6o!3JfVbmqO6V0&?8o~1oWJfrUkGG8}6DFngE4M`vIF4|NvZ^g@ zWVs5h@q=*=z8n~Mn~YWxK0ao#C)&hOyKtf}YiAAoJF;TN9|NlLq1;4=OQHb5r#=X^ z`yg4|bu*Nx=#it$n>Is#k0xWB!qmyaUM3lg+8)Ht$}fP*o30e+)b~Ff6c5spDkm zu1~h`NPIh&|J|yCvny>VD|doS17#lbR#hF;In02=nchrq57(&z%l&1+BHnK&CwR`9 zY{os^L?C5DcyqOpfj;x(^46UX?v~kP64z8M{Krun!l?1C{>^(P8G>|)ILQIY#lXLj z1qc3KfXRG1=%xf2RTYwP!plN#A!=;CXPcDJ(#-D@E{XzS?M$SIK5V3$yk~>rJJz7o z?=j(zo%&j&Iu`lSzO#?-nJS?iSe=k%7dt35>!PKMg`m^mF8@Dzip}50{K5k=5xuGf zo`Y3Wyp;M~HqmJaU3Q12xbk=k*Wyb-_3O4s7*Avo-q4*05MHVB)n&^9prr2E%^z2=DVZr^2zwwNSW|Pre*HXo#4`2 zz=fMVV3ftYAyuDlJ$pNF0$OfOmD`y+6$cv1uEw%t)VEN8-hO~iV`(;hFiLe>@_7&q zW26d0QGHrHpPBultO`D!1qOBj>EE@`>&&be-NbW`xW`XJ<%%2H5K$M9SS=*wsV7NMpNEpBy} z8p#|k7HJQ`N@<2blHq=3pxr%UX8vK_TYq*&Z($RGt#Dz>TL@x7=2=V53>qN9?1_+w zt$93qQk%eeRLj*V7M@Il#oBvlVXTFe{k8lic_j_xc%J*cO)^boudpzmMtilL-9RSu zW%Z(nLw{tw?W`g+?8WfwY3A>fVavw7#`WT?w38BdRseq^(981y@*oOC=J&^*#uE(a zdd#|bpJmu`sMaPqt}4z^YVmwlx4xnD(2!t}iZADiSJ!L8HK_*vn+N0w-L&T!o>URf zC5-r2hO%;@#n8zbm7bGc*mPhlC^U&f`4@y$ptoE@m_S}_s&<_&!6p`KYb%qbLzBiw zP%V%|N)S0HnrQfy|{tXc%nLRJ={Arh@E1f-_o$<~(mL68sY`RBA&hSz&tf&9=x zT@Wp?#Axo>V{yA^V>=o7nV=tQHfmfn9&Renhx|$myhGt;iwcmwa4B2U8z0~@N^wT6 z1~ef(`q3b-3^DKr8sUFEV1lvyT*(^|l3_X9*fsz)#f|nmHs3*pQ@4j$OzIKyhDX}q z1l|vGU(e^SnNb-1tZ{$ z5#;CywJ6N59g1v)L3kvpTl5Q}e_&W&TTl5-h2m59+uHVUgSPKXEPGNzopcUW%2P!} zFQ5KoNMLr~yOe6eNV(n3qVGwr(vC!k%7vfkSz*HpC`C{O_OoR79tCdCa8A#ACIop{kK>3((}9fdEqA+craMzl2NU<41r`fs+GNduf+wq zHjd#a%2O1DLgyCePIE8=c6uiuTQwQQRuEk=E07tY3wzPLz-xrHuKn1k`e14onDWeD?GDwwMTPb9U(XI2pt|eKLfWM z^9MT|FFhW6kz1T2I06=mpu@0Q2tCCJ8NQ4T`R3YM)tc4eAjWW0JGBgbdnG}b$Hp)Y zNv0Yb`$@v=u}$blM>z61NK$0%ek{CJZGy+F8RO=!9$tm$uHi+Tox!s^>iY^4=1&l^ zC0P~q09ZLHK91mHq;PvyAvy*~dW;fgG0p31*{S)tAxc%Qk7h86fxJwk%xj%D*yHdG z>Au~iZljjtl_3evIsZkhiI@%WM1L$(!+qC85nzFh- zbn9f019~v3h&>Px&D8Fc>*3 z$=@K4$1>oEg7#vnc)F&twUsSy2!0592;e<%7Vw-YOicm%HB@?+GvR*YVjEs2+UWw~ zIqN##5ivWl9Ozc{>n%%Er&N-*$1#bMgF1pz4u_n+$rudbr#Qh^v z$RM8+qsj5Qa72^e{HArP-GrL9x6@54Q|%@{jk2Ds`U^PgyqXs@aEZOTzHCi0-!MAH 
zCJpt|GY6+Cz|0!TQb75JF|vH7o7JJ}2x=`qMtOLi)MQE}Fc&X2M{^oqU=*@K)w)D7 zh{_A4FMtP(-I>1lJrsmICp!ape13qkK?H<`3K%#7=MW*H@DQdA%0X={yR)Wp{|3N; zgw{#@>R^fJvz`_lDw_Id;}GWf80I#D;oW9x&`c3Idt1?XKCb}FsK%6ky zqUKIc;~Z$N2dLylCVtwnVRq-!Z!!OkWNsxbPK(8^9eXqJuh-obWMZYXTHt*h?P z8IqHSGldFxgQdoC8b-=T+XD9X&^CH@he}AKdQGN!dWlo@B3~D-*Kn%tQq)s^eDk(( zx;gDsoNj+Q*=VSDz)h?uwACX|K-;y|?4Tx%+!q8iqMIiuX3T*W4$VsD zCeBw#s#mHfc0+UOJoBv2MFZe5n1pbEqr;d*C*4!=@S*g4TZ0zlXXg7i(^=8Ag8C#d zcTYim4qQT=XTnBqyG_Up3Es{#Rp&XU8gv%(r?@SWDZzA}2c2Y20rY3%-vugv;dm)X z#D4S~{~no)l`UIyiM55c*otr7tAkSm@?nY?oQ4R=5A2anAmg%8MDM|I?(MBmMCE^1toXU{al>G|*x;X(yi1zp4!{(sw~P9^BwLySc zy(pe^A1l1X@fk@A;^X-P$lH`VvRAL?kR84To{~i}Dz&z>IJKD3NG0z5)Zz6-$61(r zb3wo&CYhv*sse`6_^<^SC)i+1ev*vys1Tbxeqyy_zz2v8#Wnzuvh@!|?US$`5OgzM{KQv-DPbeGY#3C_5wX zbT5T&UMW(PP}9Xe4KoC#3&QouskOuJQ*27>^MhJv=va#ypbuwA8{pE`h0|e9@l?qi z3~9-TTe9#vtKSC~0OUd=T`6P&-hYzSPH0>Jc=ja-kfHu_aW<|_d7?FEcIWL9lpn4C z^%QJ;1~9$}r~d$Mmn91@YE}CP6P0w(;%lNG(LI*O7jn#AHQ2>(bQ2cm)S)CZ5KcIK z@l_47Utq_ZX>XiY!-pOlUEs$5s>wj3C+Gc8=CHS z%m$7xh_t45NQ;@QT8I4r`47_n-&O;Zya!VhRy(z@GPkiU#oq$Pr)&kr@4qeh7$8h5UVqO#t|ZOf?|tH5f%_fDV+QH-Gn|VJ?+)N|h|f!s z|3|NhFh6l^pV!ABCYXNC(H0}B<{$y)m zUrLSyI!cL%gFBin{}TgSq2P4=rgmw&Nb|dV!J3|^nW-sy)AGarQ~(?r)?G#F~LzE}3Z^*S_SR z`OoZpE#?-jYc>av_oQb=5VYV;nF@v1M7Et5JE8o>Mc)RRbw(4myFYe|O%EBT%Uoqt z@3MCqMDWGm&+1fO$?b5;7GG!dc`|I7bo2v*0nFq7NU=LuFApC|)+&U*Qo#`sMy3ro zJD{y07h?4MBS-rb`VRAb4&UZ~!nC#?ftAme=H<;|h^aw^%oxftk*-G?VMs*6eeUsF zohWu`>zf(k0>%%U=;e{rCjQ_@*L~+e8$I-GjdfpUQp^f1$UMrj4_StP8KF?WdM*!- zJRX5xjWe=2W@8MDIXyQD0X1fb^+A#%CK%#&T zKumfOkP8eWAF=EmCW;p56Rp0V-gcNx05(n9f;R(hwl|MMP?emY%1b&IcK1WP;4vVL zBTnli;1oJ5F+oYJF2~0j2n{u~{0cnukVripicIEz(u&d>1Q((y6F|%rOnvcb%B&%z z`VePJ%AQmhVA4<4&xA|bko^a;c@={^N)ZYQaJ=8mfy8<)qQ-(1Wm=fz-0ruq;T+?E=;@P$K82tGSQbdBVYR;~ zMORsWVtM%7o6^35)mDO|EyStK_tm~q+0KJ<3u$zFXp+VJeBc7Q+u*V|+t1Q}6RHh_ zFf1yDHk6c1^CZm_%JgU&eh|m)0Az)u;5urkzM2W} zR4KRb(dtkHS(7O78C>x_KeTuw;!V8m#B1|yq`i6NhZLvJ{pt;UqItFqY3nIO7nd%` z{2{on&oP|LCsO{m=1H`=klHQ~H%{|PQpf~;7kxYwH$vH~J4CyufFUPE7;oV{?S8D$ 
z7I?n{R|7;-as;z5SqG7qL>pGUhx9+2(qyh>_Ui?EQ|{z501v?tWs_^jUIP61S4550 zT^vk3<+xJovwmZwqkstmAi$CB3l?>0Su3S%-xK_w_fq7pu+{=mG|jhuJx`3RR#e_@ z8!C5|tOwF`jn|uyaqrCpsH;e$9T}|Xz*hfMU-}au1Lh)W@`EE7|B7p_U<-~Pp{rgF z4M}MI2hF&I0iuEB@W6&Y-!;2n5a>f*1P>0|1!RD+Qud%yNNXcwA`OZc0Eyc*#*Z&v zJ4=SK6k|vh@=z-lKW+DQvfE(n1$Lph#i&DGoihv zg25Oeb#aexkdx#uH|^QEs0aQeawnXe*2&x_^!015EX7#NHstjzHyR3-5+7wtMl=~* zM23zSo^YP?zPtIEJnX!8%=zM~I{k&Z2lN}Li+ivxtQ5rJkM<^%$t8+y8=pTv2#|#F z@0?Chb%A8nr@sd)R0>J64Q-DHs4a#K;ln>$1Oz+;k?e1@GR43BzcOg{FHAif@V zGN{q!7ms`-e05624UGFx13$(z{zNbu!C9h7rS^d*?WHi^MPL{a zAAT5zW`z5QXt1Z^cZja66T&?5@^jiTnfUtYIi@n2tY{g8jJy?#z!er&-pyqlT|@x2 z6rpP|H0}d7qVkf>q*~bE2C?#ls8=@W?i~gOqESgv@tj=GqSU&Cw%Wj`0*eF8geHTB ze=gS%n<~^?PO<>1i`5K1 z#p+HK>bY1=PLlxz_oy%A?$$SugoaBk1g$l9x+i*o9&0QGKx1VzGFTC(!JbZ>E}hW) zzBRJ_3S1TbUsQmB@*q^@F?ZOnu)r;7pjw3Bz*3_FhAFxiG`PMA47)ci4qC^gcY*qC z3z8<2g9z6UeEl3oO((!UKoNoMf!N>Cfn-DPOGh1-8hKaX9CT2!0rPD;xN4Esm*6k1 z)Yq{dORH!=wfrP-XdGW=| zuYnjDM4u{g%V8P;;R1*a<$V`p;}M2On4uBM?t*>}X(?fmyI6?Ze1MS{dUZ#=Ed@2e zT`+!ngCgg(s~VDFAnTH~YIW={W}akON-E`EzE+G3sXI-n3n@DjnIqUBda-txJHxvR zuBAzii#NfX-cBh`uKY=`OMZ-tTAl}_dETaF00mh2P1vTU{2mitxvScY5*TSR?Nigt zbisjWhBbanEk3=}N@PBeOqnzJvKCXe)MNZJ{a)E^>C}Rt7tz7@lMyWpNsa_4i139&32e^O)WtU3prgi4TaN7 zBaQ$ENJW0BE+e*8PU0s0R`k69pz3L-_~Sddw-I<`A4;~0Uuh7|tv|5tsj_|ng1~Wq zz?jy7x%6bsf!}rkgwO<<_eW%OlB8k6NtElpLNvlsp0vY+m|GqabQ1F(DNr{d)dl0c zoNiIA3FavG3@5SvK-}MGJcS^-Nc&1il88LrtVcNaOi0h!mVp1sdhT<8mvt4mRK30f z0PTH65CX^{`*S9x#WxqsZLIgyiq!8LO;4$WfbdJ{ zz2u9mf0JfNR4|TiSH*Yrq_}`*?c2{11&;AFmi;8pL!MN@B^=w z`8PjU|9T5D9{mz%EnQje=BfqC+W5u9PJeQ+Qlq{b^SFT}hwh`eB!?lm$t~J~27=w_>)!KP5=W?zqcL`AtUlCXjNox;&5F zWLepDVwoDOIAwsQ?A6iNhUhsoOg-Kmq%kz5sgg-fO8l7}J2m?5OdULSyHoX#I2mUb zYGFfJ%L$ZLQHGjQE6CX_!aoO2ze33M0*bvzJ0Le2rE4MBO+ofkm<`W96X8za4&;_9 zU&FE>W7Tznnr(IUt5Smr#NEEy73!j$kqfC;2rn3WQSqcx;T&rB{?=vhoM_EWU+3U` z+9csPkm+0c5Z=8Sb?(`2s_Y%A$~TLKjQqm`eEAL1WcLVv>xRYdU7K8}_IrIvoQaCTF4e6WU92)J!GC3VhKf=0d7P<5wEng69{s}aK>U>RyXtUR};Lvh;=7<}F_8rsH3Ku3aJXmugcEvzZ{zDFZ 
zBzi&5WhkhUMxUap^Bd(M_RU|MZ@Eg&_X;S^cUdE+8Qvg@@@$J}#J8Y=#V5Ls-S~bI zt~%}+&%qiHB)_jls{udo(`%s#fA%q!vwB-;1Gd`BQ)rHt>SpN|! z$|r&)1&oqrKV2x_edK0OYwnnwKFhPFOW5hC2H#BMO28rhl)DwnJHye2aU`^6s z!%gAZj5yWfe&0^;ETI{XXgtYKZkKgy(EdwMs%k1%N7kfbYm}@M2E0RH@8( z=6Go8Y}y1jnE|djKqgf~O3HR?s}-io;PJxh(e9t&BYYEUlz?%(fo`m!$<6F#lJrHF zUdwOwVXlBK&Hq#1l=|#E^=l?d0E|aRgR^r2#zQf|;Xx!{w`)Z$;jUSF6?7`23fpc_ zzw>&FQuT|gZn+J44pa)92%WBAt*Ng!?5$PK=Qbr-gHL?2+6N*K(Dao}Uvp^={P%^R zxw7)~#Q8tH*e%RM?ZIR?beA7k^|HCaDe^)F+Z!|V|ByW966gVs0V;}~4~j+rll9gf zf$%kTdJM`{uwpstO%e3Gl0TQ?R$!VWou|EP>K7eGYvpI90`z@9!STrxE{bPr(G%TxW8^mHRJEVH9Iaq?25IXxPa28~0|)ezxr$(n+H+WM|J9 z_c_|+B~po=SU>#f2kSZIBf$1vqVSnV%6eJ4!i2h;e{*U0#b3MLbkm;!lZ4Je6ar=F zdp)efntDL$sOZ;e^KDLsF>%pPdgL*s=1rsU>#c~@yM~B&56$rV1sNY`PH=-8)W|x~ zHsU&m`~d0{lo6uSa!u+PbR&Uh+*$*ZyCL(>T=eWbTTJhWaX0Z%f@NP}ZX-m$YA(E| zlNks;8UrffKY38Ag|76I^_FOk@)-#pima(P!QP@kN21b6j19`=33=%&X^0!qM#^X* z-Y8E^&3h+k(EFRNZ_D`e4^vSs>xC-Qx@U?eQn?0!V~7M%s6-sSfE%Ia_oDKxM(tCn ziTHAs`D$=aYa`}c3}9RR595~Dg-XZF1QvRLPiTFOXz_%vVGgn_ZqaKh6_&WZe6?kS z=uxZT>axrpcG+=-5ns{Z1A>Tv86oM$O@D8Qi-d2xCTH+l?K0#*!i zy;sfvp}ncC->m!Xw4o0@xP~LXY8P3&mo|*WPX$5F*>#-!Yj2dJ63$;Joa~P^gAVCC z!4~ke-vs%kvW)B+SqAu!qlW6&dH|yhhhTF7gh3Sa$N;DX7lZMESCs8z3E%2wjhn%@shNIl zWrP92z#pAu*`F!mOiKW=fqVgLqI(XG(GXJq;tKS8+5kF0#lML#E;Y^$Qlbz|eiWmG z!QrfEi-VG|6woBFbZZS;H0!g#p-WMe4mn|1KC`q{-xw4@zkWW@*k24T2Xhzr><6n{ zhag669U?j0L6dI885YMhuzMG|(nL(JTZRM0TxjZ|Xh7Os-nSx}EdYV1IGGODoa8mv za)e&*cTzpsTFflQqxW#Mg0jlnkH^`b=}^MO;@nLa34pdng5Eaf>;zN3-5XB|FGT;U zvxKT_yoqpUG5(+v49ILAJtNS(%-HOG#BAA?rbw8!?5>o3faAx`h^;EX5L--9Qkc!A zOv^=qGPit*RTy>i-!!E`*zB{L{NTJg4GIPWToF?dZ_LY{ zV}K)7g~50Zx|R@+=6l4F%aSKO3;yu8-TcJu;y`|o%5R)gI0Mem*hRtoj_(O8W)GTv};Q{p_GrowAqwOvIy!O+PRqsRoE{#O{T3 z*l3nGflFZy`A2#;Lgt>vqZQ7>t21BE;)W*d;a*_Yw!Uh-DXG29?S?pdg=`p#Wl;0O zv_=~2xwGX#Vy_x(QYMRc_zcqhf2y_oY zgQ?mY8&oPRz%N}I^`R!1cC{3|ShvqzE)9dO#z$%D!#O~6g0UoJo;uJKy)NBcad`Yp zbGrPa=tZ3Cr46)&^yQ6^LM}?GBmYgskLu`y=7^2mUMfyBX#dN}^5@X6KJWR4ohCC! 
z$rG-P1UFLpACd+m?i8-%82IP3E*6&t+nWDL8bAC;=>bwkJ-`KGN3lfhAJPyBYgcwz+bh11B*icQY-_=XR+oc%1~9xEd4ADUu;h@M(oY16)&9~=YaNMdqI3J;-B6|4)Rl0 zQ423vJyJbI>mxig2nk#hP2DzCw~c*-+PFBqkH?@SSyM!)1QJr>RUI_xW6n`aKtwcM z+K&*+gEE<$4`@Jcj|y_&V27j4z=oU)c$=q%xev+#g^As3W&bGyYF^T%|CSh{r#zq+ z&FGkO*$r<;$WCxV`9{ouaum=Itpma#Y<2BZK)UoIdTPnHQvn}LJ*CSCO8LG}Z?pzd zGd&<^ED$|5wWGh&4;a4cfQ#rHX}q0^$K=V*sr7yX(N$#~FEPh~sa+YrmQwb*7mKub zVzGoW6>n>5-+_M_=_%{34{hDJ1=YbF2t=^cm^jVY??$5`h*3Ih$UwIZVr#K=x}AVH<(f{G%LP)X6PE#3!_%)1%o`+IcM$i4lt>$DaSu zK>l7R^x#dh&PJEA$QmRF>5q8mF(JGa_g{@fbS!|AsB^xd&Tt}n=3Nzi?3}IE0WCm8 z70X-8`4dVHHz@qqEaO&8GU5nm8k?Wl7NRs`2TDXK*n6aXCmK zo@ed!C7RHkKyvN}Y;_2@vSkPlrFHK!J|g%ln=L78ah`D!R_0_vSekfYN;l%gYHT>3kT4ck@1_##vlAD{O~p5?fpqn15Dt6yWIas#;7^_#{V^MFFMwr ztu$TcYz-Hfq5x3L8?Yl7G{D`Z5om{(VFN)8386tCeLNW+AprFl@M$Tau?MdwFKna1 zXHiq0l2f+8RE*I}={cp_7=J(De&M5ohNk{n#)pZ|pig1eYDZ5O$S6TPSbW;nT0bYn z@)j0Yk1OsIpe(kbpU{KTGa-M2b@zeTYNTHlG$(rDU4`YQR5V%K~$!K4~ zV?*qM^BnBlD>YRn8t93F8eH_5r1(@I(HXu|s$yd7BzEh1Z9n5fYZq1_@w4_>dVijf zc9=owLG`j)PGvd>Iuz&;0f{v}XCR~6pM|fr#qNV1%^ldC*THEOZJb@OrcxNbD46pz z_r+K6)^N;-7EHj_#uicaVH_!GtCZnkf(V`MIuf9$YbJYCsb%_Nf=oOX2agJ(Z9USn zzz!k!*=3OKilJTK+6(;1=Z5FH)z5Vtp;V}ZjCA}h5&$3wvqJz35)Frgp->ZE_Juw6+lOMQs6Mw#rxag@Z0`^39e$m-egc>Q!TlAiPT6z{wn)N98%>Rf-gz z*jP>)4iKVzcFXhs2eJO9VnZL2FU@!Ji}(i@tQ!~(sQD7!blL>t4};3mcwgzhJvan8 z5F*(L$l?W@88A%zD32TCDh6OyT|`Y^i$AOvez`T65W>UDH0iuf8bYc3tF|R^Fty?V zS0560yzP|&czwo%aYBa{Rdvxqbj$GwmFD-@c2tBou(`de7Yx*!ddu6ix4%J0sP=JT zxZd0co3b$_m97P@G}aO;l3+)~!L8ojFAjMpWd{YltZ82q_%w~EXnx0(n=iNRnWg%Q zHm2~W1j!@tM5V(OPIOXa)U8R372URn#fPnSZ_&HoTvSFk+3t}VM5f>pFqDj5Znlt$XqqDkdj(iV3}_o$`B5aOspkx$Gs;MC&4};#Clb)^$!E!0u|v zvtd?!di6{UwcdKY?1nE7?1jPC?EZh zx0#5D6i4qM^4$zA=T5W0ihQ)W;e-{9=Rl|J2~V&`V{f(L1Ot!xIRQF10eeVh?o1=ek0UxLUO#)#8UL%lp8xm;NxCZS{y1-ZIDp?L6Y_yGx#7>4y(H}(!Dr2ew# zsI;3QR5}0`9)@LyA}{$t2V@cm{$wyv@LtpOAY`HS!vVj{+^Em4YS9; zWd_hpX#r>8wIVeD#8icav%?~)1`%&}t+V9f(}@`Bk5H-)knrRPscb9#xY?&qbA*Y; 
zrUK^m4AB8~P!HDd2mId}py4I?7|eYI?p{v2O}yBUTc9eX@LveAW57&{SU&fRy#8^M?uy>TV{)d|^3tqnY=#Mtsoj%t~WYV*}#6}*4nLsRZ zb|zE@K56ZV_3UsXpryU0YvuItb{k|Y(p|FDM@ZF}Xs!Lz*zFg(sHiF{ zt2^4@2ie)_*35`YR3e0Yj!?yoZ^Xg~QJrX0<1&Ko&ohKf`QmXk>qHx|-ZD)T70!9W zrccoUrGQU^o|%1aqk^}gGQ^Qc4xdJdtG>56q-{Kw6Jmh>ESbkxdzG;Wta&7d6eE-L z&5gket*2wdG_l%>!NO?Q(cxL}#&Ae^pqxO_WB&J^Ff+l!>7Ep={bhv`zYcZNBK;ah z3ji?Gy=+Wjsjo#zMKYk_;B$cWGp@sf44fzurA^2W8UjG!OXn5ItrONax3yY;L1!1$ zTCOnDo#Pj$*@nxJF|io&2(<3l^fA~lMEx04-VIWNQgq;vWqJ{G*iZM7b99yJCevF$1Gc@19Pz8>P zHNQET#nu3gRAiy3DKTq2oVSeZWwI$6~b$` z7}gy5refV+WwBM_FHc5$H(iNh*lpNj$A95?s`r@zTgG#P@ZFh!xo%!dx{!>%gEh|Xkdl=24_x=8 zc&lL0Vib=^a$(%V5x%tqK-$VXI6UhkiM2zYn3ZxhP_6ed^Be+GxlDyK4m^ET{E{n8 zyD$Ah;JlS4bVs*X1gt(%?%*KM;nh=mJLXiz=%}9%-?YSh@V}LFf>RN~2*G25{s~LL zdl^QfB7BS!)6F7e)yyNy77B|dRa*I{CZ#PPW)j`_HdHH1y)IzaF>^prMW^D^eQyoX zxTBF!3V3qy2KjER%t2(N1gRYgWGMnbG~R^25+P~yFe|7)WK501in%ABc2PP8X56)^ z)k@Og_>#_(;MI9<#W@CQnMO4mZD6AgaW56YiH3t$B6EWRd?~fBhQf!PR)%C#Okq+4 zMy$yL2LKc025hm`%E+*LDSmg%YdPjlQ5`RX(NMi>Dzwk=Mj&L1V|c&B0|mwCSHGpm zynT!^OLpYN+j|UGaNd-=_v&EhVGqNHWN9skGU~CV{VD_si|q} zVy$n}-=((_suVzu&J5u=q*B1AWMRMxYTPPFNbUR2pV|U4I29-&6YFS#Bm_0SQCP=* zc{G38oXF{6!tsFDFL0DjUFm)BV+{&jPVEbWT?50m|GEd>SWp(qtmd~TF!FvqRDRg`* zY8Uyd4bkS>jXP~%(GJ2!x!8DxW)oW@OVB-qvy+p0nLtz^J+HHd4tmlScmr zjQMD&hHrpny?j{?=HLm~x9yFI#AV%{2o^`Q3h zusSze%iEy6F?%Llz^DovV}wqKnHp8%+!=8u!6@={3d}zyfP2K?#1am^p_84BFr(Qb zlPd&=A(DvyP%Mz`}#;uYdgjz;AoD70f2%Ni=E=I^@#fl+@I~UqfDheCYz6s6X zzA^rl5N%bk1{)vM2xWZMMK`p40pw^LBtHC&4t<5>YCWth#_mkyns z7M}E`Ah$7@;YJW0z|8PevuxKC^CxLI?kRIv(-a!EOzCe z;}n_6oF0T%$s!}I8rEUz9Bv=h{n%`&EDGKI7NG|^v)$|{Ko7~(oM3EqTM*=b*Ev1m z;>-{bzLOjW31gp$0Xv`bfjWH1NSAXm+8p_0=dce<7}GW7Kctj21OzR$K*B)H z;%Ap@glu)QA@Uj%3H6HQ7IB3;ZM1{Oy9{NjV_4HjreOPlQ$}%+GK8Zu9~X^LsUxOn%AjFoxLlD5=lRuFez&V`WgySbcV7N-J9=tCGcM$g!RWwB{Fyi!!~R=S-MK+8aIa;SYKf&bL|eU&ogJc^AE? 
z`8(ObqZ*R5m}jriNdN_pGcRNUO(8Yok5C5^rIZ_y&`h8_nHPd>%aAz|VXMf8LS28& zL^3NgH7?9^s;BNyEJ0E5*Z5v5j2`A$eG4e9~W6S?!mg3+_@!h~peUaD29b|MSdy88J9 z5T4awPf;04^TEm{=#}(<6GdS^KKcuigTB&WEC8oM5TsuNt6ZLM3`RYf@MX{4Xw#Q z(bJlS=lnEn*pds&Mn{uCgvZ8-nlb0;0&gIfD;tJLhBTy12q;nN7Sfkrv z9?+f3_MRhQMXgp3;4@{M<~p{Q1FxkRLflcSvQg~IirG`99IlVHAyOs4;gg8Da z$vQ!aDw+W@i1Iec<;;EvQ{Hoz8V}t`PL2W}^?BLqR$|n~rK{uJ!kjdBQKyFFw;41i zP)oCEs5ZFCj=>MS*Qim39errDHtJ(<2R#nDgP&Hr((ED+h(}J5iWgT0lv9A-J`H?U zxOyiKCZFk<@@*9Z=`Smo!QPlX` zNffi&An%>&!}aHmN>qDKE;@`o5nGo57V7Z_;pQiAEz&Kb_pC*{u@!2+>f{^@f`RBf5`h zC|GE|SPr2%k&X($pH7ynizb?61yPWs(w47hFe-qgBLz7@FW!8n37KrUt*~QY+h(mA z@nGJ?A`14QV3H+6Dz9UAMQZJ2UfxYJHXQsaxFPb|Y8B3F9pp~WyFDGLj~FfNZUN?m z<@XWsYO{3jX_=okF`MGVgchLDd0arP|M^dixy3!;ABfqe@MxdC7>VEIc~kjLm+X66 z9zF1%u9>a+dUg#~ThT5a!8~-XC7PaT+ojJC&6_3U8|T4C0rW0%M%XZNhW-0Z%91fx zEQQ{_nx-HS6Vfh3VP8l6@vDojcqo+5dhmTr`d~K#+AYMGUy*Yye{SVxCvS|4*`qo)66VyA~7)X>28(@m#QYLC!|f9PY;GZI-*E z=f0Zka77_t9pZ4TJKBoedJ@~EiRN0;o5x6Ck|WNw zh`tRA!a1FCUXqogouq#%hx)&=d47$?@tVTfcr$|eunSMkc`+yEF_N2@edgH1?)~Ug z?2_8eJ2e#52FwjS@#CH!9^Q5~1xfn~QJ^?qB~LRm2&+gqDkSDpBFug24vkWUmY42* z1bG{hba2WVOFKFH>PL#_gO3{myxx#>D^h)*R$DGP&-9WoFt=ilgLYz5NIc?-DRpN# zn4gG;E9lR@LW9FYm}wdvVWg}N;w~&%Tbh`V$QC($qMIm-h-@ub4KT9vtorfS9U#QG zmu4J8p5a2E^&?&?ct5aloBb8u;GIxCcN0ADh#Tt1jd$|5q79muJev!WV5k?vh~Gay z6tY;gcz7aq3|P>s9*^0IyYPp(ib}hM9=R(Huuy)$CUY#q-CfhYSpf6v1Nw1x^f7fU zEeO0a?^#ej`=pfAg5b)UjKd%UC`8%&XD6e$>_gRS2=RUG8V(@yOvy4pH8M;A9`uSZ zP2k|(G-{;5+;=kV$*@4HD9ZSFHcYXin1s}2ChCOmgB@g1|GN->S}cooolW%BLw=$L z$3lf@{Fo+(b<`PqXkCIA8*Y`bIFZydbG6#cRg@*PP6Pj#VZeUrzV+*xE7Q#lBuA13 zOjW+aek0w<(oO`j?tE-`OsXYRGIm`J$vVHz>roFR&8c-RH864JN#0Xd5HpQ%)WsDU zp_$+HXPfPvm-@Su#xdqU%xwW5T}$}XpZ!wqz5Ab*ozX{O=8-ssHu}5L(*u@C>L&l{`q{LdS2d4%h7$(J-(ynlilYfI;RMCQ&m- zRmSB`N7@3iHQ!1@lmVm(?DeEG+%H?cE#PN+K!~G5DS#suiwKG+?H!%#5zgu`wNcY% zX>H1YoNIDK)7-y1Xbzgki;b2CV6jmp&}UFRM7FM;=hYa^oOr?N{sE+$;|fUXXR?Gj zg%AWNT#okZb%kUft>|(vOi5}CdzQM@Y(%qYt`2Wt9aO9!7OC2_mFZW=mPPmpW@1A~ 
zFHHO0YN+y|90@TM5eExcYOxgoQkG|rr!(8e%TAd;EN@CXLgZF?Ne{6?YjfXzH-gg% zM?EHHz`w}-@`U>Dk^AYmv-6{742$9gAILf&O>b(F#qAjaPM(@ly~!zxJoO2myN5Br zZ}-ZMWU5!ApbfC-E(tSvc1-Xw9&LMNZzIz4#GW1F#9@NdBvfE>+zjF=3_H}NA$T62 z{{i*#cmh`E=Te`qDFK=|S?%9pGT<*0X@)-PdM|3l-SxzX3s}k?NlN=%(qIC(a~B^| z=E<&a7l&`2^w_7YNa5M4F>63!*}i)RcflJ{ohQw9kw+Z+%Ic3L&}ZWo`Vo;^lBVsr zK&H6r$?C1lSZa$9t*RF)h9jVJW&&;d9PKsgjWx$;um~=g@325*e)DGw;jcTpYLUU= zqcL-*9$09im@QepT@TNfVzAMG&@iqB7A|%{N;38n`GFL~cMFZy`Yu#V<7KSal z#u_gcC|$ilpIXC?R(r^-)qT zo`>B-pNT{-I8DkbaV(5$D;wIG+9`&y0$0hdu5pjTn1s&@gXa0Xa_RsKS;3@oK7I0( ztN_?(gd1lvFCUIzO(_^g2CH}^(9vra7Ig%R$KCVrxkoLn7PjCtjylQ@$?&A<}`Szf>u)%zKFQ znFqja7sbknLkXeg>-gEq%DbwgB&k2NJB8W_X$i1YaM|6$6*k*Wf~{NA28Zt@|}qe4NaK+6#+v~a4<5|FV@>L>-PD|QC~y?3V_b;D2xJ20p& zK9~ELLMQcaMzsTk4Fobqj#ssxisSP@zH`qhWlQuhUFJWe8e%Vj-|5UX6F+K!+sN+_ z&lLZSs^NWLwng5M}Eatys6w;oBeJVOfZ7fIk{F@-{6ckz%OwjFLijwA0nP>^#;K zA0f_IEJr9*03SWFBfMz35h-P#-<6tlvE?_p%9K^1kV9CyN&zd({ecS1ryo;Pi_|RQ zB3_f9K*m5~#%jD^;X6dgjFZ;A7Q7(Zev=8(4A?q*i(eP`O^N7!t%P)%j?^4K#r(;o zU%*s6$X=N^JUl9E>9#`K{>eJ>Wlx@!x4DtiBu(L_(}c{rpQAxL{U2W?ucKXX=T${c zf-EYCgRAw)-IO&V%ejZ5Ki9v2So#~~!9kLey(&%Nm3?QtFscvI)C9){)kP`x|qx1A4f-Jgt05YVAJEFEt>~EKO(H1~< z-f73PV!q4)u<58Z=9^EJ67lNf{FrCE&s?@raUhWHrX4jcu?JcL<+{*OH9=DPIbR41 z{CpWDw5JKyqY6gbAxFZ^dJnME<|O^zDSmLJA5_HW@l?ts9Ox|b9DC?D$k6Vs*N#~* zFcA@l&}Cn}eDqrcMtE8qVL7D*3*CTF~-i;V`Ep677QBI`vdD$VbSig>B z|I*YJyg`lLI7)4JBocQ^K(?JD12sj%gv-%HH@|5_s5&zxrDG=LV06Y#Vbach~_>j7I-vFQ3>ppzt4xPiaxi))mkp#BBW0H8N|2mHMpwkd)R zF$RKII&}L4x1k?D7{s7E(23*xYhwiHHI{4*y)!2{w{h`y_YiQ4W=Ah^Qd(f; z%1v9L6&?%m|MfkjN3>f-GApnnzrT&AvBzSx69b|nIpc1+J&FN3$VhSR(KS!PsP(c(}NQmDUjBP7AOf(mg!$5(vyyg#GxP<6QhwOgT>B}uI-u@4NTX;w%1>wTt9Z;EEwk<$wlkNT73f1<6EU51bgY4T z&L{}EQIds8>Dp0Yden0n1Om))Q6qpdPMtf7(QoOWuKLy?e5Zzg(oSIavbY&s*5=j7n z>750Qb$28U8sQ3=5kA+AOj;QZUlzfV^~z1Zv3)a0#M~I}P%gl`wAtq!P434($!751 z#-#<~eBrQWc;zEtIEM06dd7^1MIbQ}?#m9A`U5eSfltoI zlbf~%p$3V%w>b7%{P16xX9jHUf0;&6Ozp&kc(Dp&OE)~j=Wolx`W(&_T0qAWX->LS zN}3hWnU{%8G$1QL*=G`!qq*T@?jSSOZDbgQTtV8*V`;%$!+BOYH@Xh^E70N^U$aE( 
zqN|hV6V6l^>jq<5&`1VzD7H0`4nc1@apt~X2uhFHyRJn~j0 z*QJ6Iz_Ov2DOe4;xVd8;T8{mto2VE_D{@pvu$jHt9JC3$WxOrg%<+^L*fr(`PHSfwo~ z@D8mijfwID^}y*AEe&g{##9_IfSUC~5}E1L?fF%`?;}n)8n~>65*M;kR3Ej1zB=1r zqEr=YIlR8Cf_rC;xIh_+%#PPZ%X0##1-eUuv{2QW!ou--+kW>n&qS*=KXg9JhrBVI zSM_x@0mOWuwY=`K(uWwAO(O!n_>WNbDD1-XM&oNZCB-zvv&ct5bwcB^4tK?KDcoa? zHQ7{Ge2#UIR5;_HHQ}w^I{m3+7|8D?u~Nj5>A%;T&w3^1vng-a%_Cwx@ondu!6Zao z@scfFU>_5v%d$aYX+V5y;x1l<=Ch(0Rx^tMwL68>%J#Y(A)pc;>Gr)M*ku&IQJIqfu&I=Gw3NoK%wTk4C=QOC z?CHHcgW`9S>8L~Lv0GMChzp(hVwL=i8%6zw?B4I05q>`ZPkyT1;_{l#bTT_6i+N$L zx@O&zrKgo~?Yf;WY5>eHMbPt^vBp7Ms1C%gPhR{v8!MMu@ zdcz)g3p4XS3XLsixUVZ8`u`}_(Yn#f4A)SHxW)evJGuyC-;)XhVh^CIS~bQ0C>&9` z+-lm9Ommg=D-RQ{h>-YIA7)P&N}d@72$SU++G)WC$tqTIA`0{_Y|tNsgnk4IZliDi z57bU;EH*9-_J5svTj=`&Td>C`pls@d3izF+llo-fI3DK|Lcz&go@d|jh8^%D6~-a* zHfkF|`N_!j4jQq#=ch&rPZ3E2(GK{6{rcOIXYXrZz8*+=MfS**E5_!$*68(e(-ZWe zpql&7$Mb1~?-x8!*3F49doeT1okQZU?rAkGLReEj|9tOZy${q3Nt8#~RlLxQs+Q3F zBFqdhF$1vI17_21z*!F;B>>8W$aPu&l*JCXV}iI}*qL8mKaV$08bM}#y46fK-Z@Kk zp@JOOzze=X8HcyEVK~FIiHcaNHSQ`;^^7jfL;{Z9A>Bf4Of9+*o zRtK(9JAM!^G*nc@@$d4Awusk zDgM*ix+oNXvS{bdxZsb;2)G0cEE)K(@0>5H+WFZS4Wub%JI1OcpWwf#N${1 zr!Q^S@4DT|N%nt{ym&1u^HVRp#}K;1Lbgdm0Q38_SV7~o2V0}CoK-O@2RW|#{BNKH z+V$zzp`#||pw1PMn-|k8NEF(0h6s-+Jfu$1P6wkD{vYv^{XA=igGKsOF*Qp2_8rFf z(VL(=XFvc4ny;QPceu_oG!!*Oc*j27qPZ#Tvswq;C9MbQdq9b{strQlm>h_V(}H$n zd@Tp^O)Espj>7=p5jx2j_s>$lyh%(=HAPLxIDt~Q7^bNck=;t^dyMM4M}y&^o$pxy z06qz@ztsfBtH+SlVHXWp^N)W{#)VnloPwZ>vWM7>=f|uJ2B&ESodyjSBN7Z=PMT_V zEGd(YPcp(k10Ovb+BeNB=5K=Pda%PetoBC`)oaBfXF?S>_4)a}U?VMQ(nAqD3~(q0 zblz$~3bTsGSXTH=jn0?^P4Agf+I?Fg-fMfuja|f_ zOmX~->X6loboQ4Jo}_MRAScjbuGpn`=mBSQ{J2IWpX4hNpgp zO7H?Lj3%Ke?|m8ip%M`eRr#2LEt9pM+rVW;U%c*Mg3K{@MCo~ST;DK2KtD`z6y0ROwAuvRdU5)@8x$7?4Q%?dk1A^SlGyG6SnE6!|+wS~rT zD>KyGQffbHAJ7{JlfCgpKfP_zzXoT0sUGvL{G6Av$uIAc*VP?a6{JifF6v3CX&#g5 zH4f=A7=NU|KEbc!P2tRlX4(}SM{#~toqU!p;%@pip;~P^RNKa=VH;D zoeCjjgJn{MAF0+i)3DNMe)^(pkSg2f`G{kcFE0UGgvO-UqFfcGV+DQ2y!DiDn?t7%ZO7uP|A*Wu_mGIljZ!0w^UNSRmjmoS2eZpl 
z2(_rkTD^hy#Gt2>D<@R$8{&q~Y{d?4{s^^)nFFe}$1irHg=d5NX$v>mHVkdpIUZxD z+q_46&9VrNnjEeUNTKKhr#a1GK5^k9+Z~?Dms&}9w|7@^9j?bcr;SaqBo+>+g^fQl z2N8l@-pG=Rc{=CA?ln$BV)_%&nu2O|FWd&2Pk2)}IsG*`?n98@C4~`N0amqff>@J- zw|48#jplTWOFN6mT$mejKo6_aJr}K++`2s)MU%%%F2+48Jrewd<*p&lYt6m8+~b>G z9KBOrRyr4ZnWTd*i51XJ8Rv_rLIx}R!qD<7i<}}Oy8rG3e{bSc zkJU{@V#;zY@3%|3_pjP#Ndp9;(!ioLhG&C{ZK+h8VdzU(zg#LY11se~&?Q_V9)pTF z!SUYqeKKe7MntYj)38=cme=DntcU|QxSA=n8$6zaqS29ru{rLR8->#aB+Xw#n$wbW ze{QY=?amg99EvM%iNV}?vqD;sq2}@7Gp-PfSXRuDtdpCEBOkLK+N_7s7);7c4O-w% zK?y|k_^g7+)Bey_ z-DmJm2q~IeWxNC;rEvQnm-e z;oZ;2)Otqz)ddTX>QkxOq-cVlfAKqmK!#$iS*+`UF;Gir&g^4+{UYQ#dn>)Poc@4I&7QirVm~z@!+^DSY_# zGAnQ|-Xfmhe4Iy}^ zPytKM``5k0T$TvTpaWE!)?3VO6R@=>`i#)>;}T5v0GI(7&omm1_k90dKtwc%tlCHF zG24%(AXIDm-#rX8=`{VN z$p@3eQC^mKWwDkMw`f0gKi}FWv-vbQU+~Np+0!=vF#zuew$-yVh&sKTxtX}iJ z4&^O~cL2gsFou)$l5PvP{2maUcMVG;>w&=cq0skO^wK*$4Gs3j6z|oFEuf83dJeY$ zv-vV|u#-%hZ@M%BJMp?ejnKX$2|m`~#spaeD%6}|w; z##1(sjl(1GaM^GJGsCfF@Q~?GM2v2x1eN;;4KTRNb5|dMc3!vTF*(-(dcTdzlUVgZ zCgZZ^SpQ)1b5w9>$Q&|TK9}1!lP%zLz$;f-O+>d9sZtJ4uSIz$OslVTV!7dS$z3l$ z)1Qm7*_z6Fxhf8=3wbIjb`#)C2>c*Bl^*R|^BU}?|H`s6)=M5^xnPPdE!ML~NM!JQ zGYGTsb$P?C&S|bfr)$4ycRcAx8s;ZQuRU)N>uo+g@2Vq%> zh7q^YGc&>#6GO;cd~oyMIPjSh`hPGTKqLbb8o@2lCqEboE1}?PY*n_{nF2a^MCDC0 z_!tvrDVLCxQiwR>Ocek7RlSV|(Cc zaTyhYS0pKnJaJH)Gfe><^rp!!%CRt}ZM)+8X)%$iVF}|$%RK8b8fb&jBN{TWmHfUl zuS;E@=T>K99^F&k*JA4f7H9D#r?)(@IyIYk;zE6}ZClBRWs2;Rm2f!MYq^vTPbgr^ zrtuOPuAN({)6z%A&Lj?&u$mTLSmwsFy9)&$^-em^XLd*qg6dKXCBb`l`;r|JlUv1; z<>&ICFG&6pvje3SWKw3K2S1P2!eEjqa&_qHf?NLYi;uu-%t;cj<>=r@=tS!(brX#? 
zKJ1nqsHMLRgk_Fakqr||BPca8KgRsZR_*evEc7I3uvh%rw${j3I}Kui^-6;f+jb7` zL7GHpeuddr$xvmflTW^d->W?M3ZvkUw!7&%1wzCh6wXI&BF10Tay3zugn|@US}?Nw z{;-916WoTjX*N>Mtz0=WwB7m1m-=UJ#P%JiR>yYXG$sHGwaKo9EVhA<5GbNA%#xxy zLr5G1Z{ytRc+xb(o+;Dx6?wV}8;&8EH_DsNsP=mVprg#d$sSgo!mQz(YV(83{SD3V z;OH-Qq^>VoTcW>+Gh1vGl$)AdKVIniy_23)0XKgJ9m^*_bF56fzRNjL}!oG!%R5g2J%*RM%j)l$2m!1NNNe8qB z|H1Q~Z;0dGC$=1^O?kDB-M${#P5uypYbgJeOylr2fs}}-wg$m??o|FNTJ#x~P?XcZ zSH=YcGMc}%#t=j6(cn)#OjefZMdYzJ&1)c-yWgA1v*puU;u=f=N{dEHV-Tv0%Zpn* znIUtY?Z2*>49j-0Zr0iaJBu>F2{7w709C`1XwlH`ar+L=pAmE@dE~SFBcDPC#9+W~ z>f?DW^S^-&h5V=eps0y%;Jw90GH*+%Sl!>?j{a}#JA(*1I|!k)_hcTQUY&VcwnR5N zv)gB8L;EY$z)rGJ@y(2aYg4Q=o}C``;JGA0+!MgVPH_ST4#wJ|4^CCf5nEmvH9j&B z5dF!?4nVX7=Rl+wDcFz-oeC&!5S}(Y;oQ*yc+(zI$jSk^Hxr%~b2l%VLUqF1k-PX^ z&hRo8a|W~}wHp+$lm(bgkL|eou#6c??Q<>+pYn9K{9XeCfg3|Nxetj~a0j?8@2nuK zaXr^$_EOS7mU+79a|uemY4tz_ig_|~I4iL1L+~`379t5MXcN!d<8XgCJVPR_BX9gq ztMeD*g5cNT9eZpM6Bs9!!e|X>iNn9)>4gOD1BGUE;==ek9o(0;q1Oxk`e3IbQ4 z?LmWfv$;jUQAsgx(Q?Bm-hkcn$)nLqc#lRbKqSDjE-L%K5rR0pr|fK#D}j5tl%jtk zd6O+oP;n|aZS+zvvugD^PQS5c>gtHn5bl>$IAVqhf^c6Li#PjAr0&haVzs*QMGy_* z5kj1(J=Z9-!pyqyrG8Lsp%m=d6+pkR1GfbO)QnlKc`p%Qcn_dA9mVByCR&#s1HlSu zn_G^7D$zgw9pKf7PANL19QlFumwv@-+_mHWJPN@a`SGNdBN>hN;DR;J`D}gm&tfq~Bh1Dqr!;dnBI7Vuk z&Ah$kpt*7aVF4;d(IeI$+Z%q^a>q3BG{&kijfLX4dF+5!vR66vG*_#!YEouG4J1Ai z^OoPQUaNG z1f#OMdtZSnj`+{$=rE!U)F9G6$~V@W`OuYjjYj=WqiyV=&#_I--yIPBUZ5$}21A(c z>bnpN3u8A&MB>Ma^U3PVde^uZQmUK=#Qs0lL1G78vMmZL*2NS}U`>YsNy|Y%@Ym-w z*8!EY-&x=!5OnmTo>v#>QSZ{sRmKwC1uPL4xWHlZCS zE_4WwA(|7rh;oQ%$idS9`5^R1iPzA9o0(-CHP!q(eLHhDk8}k%y`JJaw_s}nDJXXP zsY1yR-RJtlMk-2O_2)JaG3D~*F^b#aPmA0#wlhG%CRr#H=qsEkV4H}--N2w}urmEX zY#tJ=teala{c;Sj0lMI6BSmb_zf^ZIZ*|Va8ehW2T?9d!zN!eW(*2mxangl*kb?^J z{f#j#No2r_zrG|-!z>o)XQJ@2TXH0+q z)hv6=3aX`fm~)9Y-=)et)@!G22!C6)Wkw0zjyoxSH8A?Hr8Pl&y=N%J7ct}Nr@NqK zHOrcuyTgyz-|6E*r%^KCir{Hs_nPDeC#isiiUAC|Fk-nnM#b*&>kss6q^bkmQZcgtU5~}V!}Klip%&1K%oAG z@u7K{=~hd~FuFxluD_{i4Jd?Xd?ASR#M9eNKK$F<_+@jE@V4J4MJ_?Q(KIftIWulvJ}zGEGNgWb8WcaYqFc|(*4;@-pngQ 
zU*O?IbU|&v@Kv5~ppht0m~|GlGM&{fe~ZU4&LJ&(0zAI1dV_V+tU4A2Q6=-g07pQ$ zzi!NYGejI5q6Epx`STe1CpV5E1$3y2DuNmc1hr5=jG>7@oeqK;6@VJL z2#N?4MCZR$#!% zwk2a7{1HRVej4#mpmEok9XgC<8Sl|=&Kgl==jq*zg;kez!rSmzlHnbVa3bPUp(ZlJ4qOIsqrz zu%6>&Ti3S5;HoE%%}WRLb$g=U3V^!?@g7V31)3C{e(p#V9xczp{ELBjG{gKA5iiE- znpqb+B^en7;g=D{%EiSgpjl52)tFcIIXk7o_Z66-T6K4~$7CY7iU4`P_0?SE9q z$SP~2F=f=eMj*_dfg|FVpig$KHdm7E20ZRLc2D(NZ;yqwz|q+vM=bwxKy{Na%Ua&&1%mDu@41xU12tjv z3q{_j!S%4{1|!;wp3sI2En6lCY(GdW0hz*kT@uyWL7(9cS(~PiwE;iwe@YM}fT&-0 z)Y=m{?AOu$_y+8cb{36KUH|yfnuNpv%!VA$CAM)bkjA0S1KX_@sJSbXnMk|^1lHsq zhU)o0iAG~2sd08=n|!6E$L#8We~6CpTPe5NG?~9b(AXYy+|ji(kTqu>f2#xm|EnT4S(I{?xwKd@s}npU$i9 zvOLwfY9ifjR|i%i^{NyT)dhZ&B(x7qqK9#gmFfO=ICRENMagKstz$~n?k8Q8gWD&* ztD*$!nX(SB95ebehE4-zNPGu%7HRX|oVN&(cj!uX5;3O?s^}Uka~fIR!fW;#_2wwu zBR~RET)Srm9W`_=kyNf)c~9B+R1TN)Wuwt@%82}YACiiiD)&!v0+%DP1I0w5VyyG> z;vcVl*DW+N`e~F)yIeZj5d$`+`hraW`uC5WX3)22EFdwv#A7{A!fW0EB!m{RkH*Bq zo~GRj*ho)HVdE4`=X|q|*H8(W5G((IN*7 zJG=r}0T(vtAM`0i94-@*Fa0PTu;eW$2}5@{*2%BuZ(Y$hZR4yEXkUg2TzUxsEJ{t8^K@F3W2Ul;`^eSkXF>*>jjH2PHis@wbYH8r`_@M;N~IsVAO4R9C1Y&o z{!nM+?p9$H=)cUl5hyj$v-+tFw6;2Ezmy^()dPspG>)!ec#VMz46zh30|=w?RWKUP zM^dl|mH_l43~0LuhR8F#r|#u(DY^z2v!k3!GJ0t#P3CP>p)R1F|S{BfW(7=@PvplE`5Gfl*MNM)XK zh_3hL!T@X3%|V5q4X27w9g&$}i*uhQf3;2+xAxyJ`cC=>{Jb=-=>z!Av-AhD?-}+6 zJ|%_)>KBhrDEs_(xNATyhSHCya$-L9>|fwj+kYUMykmQ|HE96V7ydWP@XE2qTw2hi zezWM9;Zn5vprdx;?nW+f?=F=`8uqJWh#PN29{nWN8)Gy5pi|kumA7{vY~ek0IIA5G zkc*z0g}QE%aFnB&+XoFpyiO0yAcAXk2(+P@Q)USBb?vliz&#Kcb<(kfMbT3 z+aJ_o_9B2=0pxzZNc6g)NUq{TqquyxF=EwIvy(5Dd?Kq)ak&1x#sk=q3m&5FhEasm zhm2kqrIy~a+Ohd2CMk8fAVNQIs>^3$C+FaVf{e_izcBFg0!ZztS^vd6-5z8TmKk5H z*V6K|_f>{TWB?Qmb>tH~F00}%Irf2@Kx8P2lv~*y&CWR0^C40>`6(>e3bz&+B%qOj z*w~r%rjq>F>rGYd?Pe>xl@_2HWLmwHCWpP)`*2$@V-Af3*9>X&#B7nCJ~f2Nxte8} zUMaUIG1>Wk!O=`d*`Vv_fKgH$_a1!eLZ{ev(4$5AKoJI-GEoW(rI`rDMpP_}R=Y8_ z0HSTrgwTC`is7Vzuezr{r8M+@q~pUJ%Oef5N7p}u-bNa3pF0M1RRm2O1C)QTg8JPk z{n3zp`tev?UM8)Mn+?L?bN4iCe%z8A+6~y7h7V^@ zDK?%me?&8-g%~8n%pkj6VB;2RBx#AKZ@9qeZ*(#X`T;hCz?B0U=kx#?+taH%7CLmQ 
z7tY($T7%HAmUNGrNzXsYh&e!usRj$|{DwuslvkmF-=P;l2$v*a&zcCTYYPU} zRL9X8PKAq^4tr0G`4&*t$~m~ua!sM9HPRc0bsPSn0R45WUr5LJCok&3Phub^N!)=& ziU&N^iO*9WX1Mk^jWgOdVNi4Po|7tbb7=-NBII-}q%c4BU@anr>RBxTRGHcmq~#7y z7A=J9rs2a5E2#kwxB3gDryK$($~)_fs>WeTYLTaK`u<$OW9Ye%@dWl3^-w; zI6$&(#Nhu1(#(xA9aLCcfFdb12giB@F;O3ae*FYN!LHuzHOIJ#(@TA54-=_Y7;HTE zQ#WSZS<5w3gF`D-&zQItfS?UBarN@1X42NmujdM~QK9%l09=P7eHw^HaKeDeG-%>= z5S*Au0yAcO%@K{qy(ZAyJVYJcoZXJs8|$WYiN&(ZIgA7*=sQ6Xe@k!sI2LCqn2COeJL@_?*@ zoJ)vBY#ILO%o;?W+z62=;$VPV9BUP9xqOI#eS)fa6@sa)^!;p_>ywnq>rT)=AYeHP z4FRosgg7)~z)-KPweeYZ;pa7Ajqq#$xQixX` zeY!8MI>hp9MkR8u*r9Xk7%TfVy);H~&+d>d%rNi5?kInoOP0Gwl1rlSSjMWeL;j-Ux+x_81bsmp~v(?+wiE?8EPy5b*CV5SP_?TKj)w=KCD7xTMSz7q^_b z3QlJ<(S{?6tALYwx-8r+eTK2vuXm&S{P-DAXz$j6$xmC=+{?zfN#~O!Bq(ZlFhD|} z>YPa`bPe?f#2MHLWu?vEFLg1lvg#rPS;2N0YMKoilY4G0#H!&SjQL|jP%*E3svV!` zvl{sNJy!%6xD!>}cA&#W9=bC(&|@`2h_*m?gj{YyY}%9&YFI<0n;NX-J@!@Cz#wg0^@@+e7&Uxy%0i?Uxx&=EH!#?Uf8LR5ya$W=^r^9>RpMVYqQBl|scW5siQKuv z4r=D>@Sq1f!zBST-&A&*elrt6Ib|E2sPep3^(x59IfzrNG8-(+~V)ABWmv`evWf5NexeTPQSa2Pmu|TwE7;NS8e_otg z(O>of87Mwrmido?=OG=YUDVvH@d5z&IhyDH5(~g{_^5YEi1<>5&Yo7ox@$@%CVbk0 z6{3T6*P_;aa#trtq@Vw#k1p)D={t6s2wx4eQ+-LUM#4~ReP>Yb-vOEvUb+qx; znQ5^1b17pzs4Ky+JG!V-U{@*W?#x$E_(c!?lscl1qcnZgywO0$l(3R?SnL5;-kYy+ zq-sU1oEThi@;~S?W3q-o<;9dfk;@`r(ag@SbeSv~?&<7mJgplC13KRh$#DS+%`JBZ z4WN=CEu>!!A_0Zx4^~9Dr>C4$rYjdkpmVP)#G;x9V4qHIV!D+5E z%ugMv6npS@?kk2T#Xee&n=!R*0!+80-z7k@90{gxyg+a|<>PlN9!VNH@(emU0umuO zX5^2*>7hGwYDC?GdPeI5g0hOrnqS8Y87t?=gwYVCrXsf^Sqzp{$4w0k+~Zw3POR24 zgGTJ&l;6ycm^;&oC&|R$V}pcbQtN<7)`SGgF=Ap_For6!M({A>_S7#l#G9&U{*cvCxFlVa5D2Siu6ju#EWu|)-`C>*|<0o zmotpE9aOD6eTl2YL6Zi;b+PGYz;B^ws^pi`Hr6@{e*2&fYylXFbfU^lDHDZ#}h{}KRc#Z1!GFMB8-d+A6KC4ny zkGC*hjQvoDA$d|Y>jVAaI6ac*oBB=LB83*mRnO;qEEQ1Bv4A*4JyZ7yIMFwy!eOZj zO>U%$vERQ}t79OPr?VWyC{Bu{#&1<}oCg2Xa@b>lri~Bg>{ZYJ$mRZ_wG^gdI2xp= zcR?5u=LnO3tDky`8!0yCVZvSs;Fj$Zk__b?B;gQFbbKQr7k!=xmoXl&4WiRjS2mz` 
zXI$j3JDz1{*R~|g(C`On&G4?A*G+Z3|Nl|zir!YS3=Xf$82+u8#L)azLPO)(pvv1=n8dM;irp%P){eZ@8S>b!7^+^7ctJ6N_D^@E0~fpYu)ITpl&L@cj1(; zd=23*CKvF5Re&`z0@*8t=Gy6)WBQCJ&H}X9F5uKpuDt9ZuwCVpr^0mnH!^$8x=24b zt;)slwLQc=aIrN~Nx2XAea#h0_DAO6h?9{WaUl0wy0FzHpYPmn2%j*Mr0vTx23k1? zF}yQa92onYJeKL3O2t>1J!KvA`BRI(8J-RJENdC{>E_cErv;@hQRG|tv-qx4jS`Qz8)cN8baQ}X9?&dt5A zPSj6B{9C9{226)t2e^pJb+jDnPfuQ1TOTD{?GI{t9m%*qQkitL*fzr1DPfvJeJ zXrZ5(UDyTID%8baMa4&utn2U_zfFXR>K-UcMe-S0m(waVv9Y0vN`*>{O-o^8jg%7= z^+1wP?9Vf0=(6hL-|r2jzB`@{>RWrgfg?H54~tHMh)K8d$;p+Np3krs&so_)`RvD*lXaZLo zSluO2#x1{AG`$$~x$2n#;cqo)0Xxxcmpf492f-g0RvPR0Kzo{jL*dPQ=~=5|IxOrc zzcIssdAq2YBXeOEC@t#6Mae>nz?u2&6_N*|i>13=4sLbD#do9#^U`;Cxiu*%ZX7m< zbYFfPiqwk<+s92Z17hnQQ3wI_1H0@y>krJ3u30nwJmneQ2t*0?p<+l;5`DUD_>B(* zX#qey(?sj(DctnphU`V?!&nuUAe6*Ip@zYbcO5p^Z%{??kRb0FS-?W0Q$CiddG@jd zU!c#PSqzrcF-5QeN7;lpY^?ay{IyatYvfIBC()oyJ@NOTm(!+bf(m|A;KGt5h)Z(> z#T|m)g?$eoRlLtZ2RL`+%r|cY%G5o)S&dsx;~%ONYOnY$jw%^PsmKSIm`XMy@3%aW zvt?iU&BnwW=)(w}LVYgM5yPO0>VFDV5X<#`J5Gy+d zxOu}^ z00#R7`33i&#tNEpK&yHYg2Bs}gJ3?jo-~ zX&07(AT-^unMh;C&C3|MamvqjY(Sj)m)b|Sn1HrcBE}@Nkm)E;;o$Senj{r1+ieBqYf(Vw7 z^ddFVU8h_GF!jt_mdy#eklOob%9(EQhOA3@?@-X(Jb=GFkfDs0^GZ!RTeKb5)|Qqw z1_HV|YijLf>0djl=#T%^>y>{>QRL1KB+&IsdPd6O<2~y>&3I%p4m8&TLcRUaCQ|S&BFifHVhYUR2$V+t)QL&@)C)z}hLlj?1hcyLa zA<9_+pOsfUu_M6;mdBMtp3fmJO5_5d*~lLHoizN&3EvJ#sKOj%-}4bc){GVq)sIbC z?>ozfx>VAK>L(Z&i68$bf_)Y4?`f!0F6s!%J#w6y}SZ{k~xm& z5|W{J-|&Zwj-5prgFvF2r1JP-^KY$Z*1bVnGhQxyLHwD1*bCJ-u_8YVkVH}0N&Y~{OyK94i!*sprMjVM85xIrpa9Cy_RB^B7J!lnWYVXs|U8)l(iChQ(GY)^@6Uj>_fGZ4=YYE}5 zDg#f!@TX&N9%pbZ?~Z;vIxgQx%f5ZTSG7K?8k@V9F`eYCQpzsovAQQVwHpBZJ}+`O^y9$SdNNAc0tx zO_~C*xoJYO{w@847;REcj!_jbr9xV#2GXOJ_d|T`o4r!b6EJHv`VwD6J(x+9K;nW$ zLI}BIR>q46$*043P?5S+^u zL6E#i65!KSUGbwvkgDWF^c_LNZ6os*FqjbWWC8RM2-*2t8+E59d9Q*bFP|)2$Tg`O zG4ZcRfu7C=T71uX9LKWGK+*o1e&g%T&VWkAN~YRJIA0t-q52fEMO2Bj`NRgrf`$BJ^G3+1Uo)+K4+HlgS_K16_&?-e^4TO`p#ZU}i!~a^Lej&l$C`=-k z7MB+r;ei3p{sU-rvQEMj{)w32AKtd_Nhh}zA8+(-q}HNJ;r{GU?6b( 
z6&zU;<9COAV}on3Lj>aXFhDCwlc1`|NFz$ex>xS8XTV{8=$#hY!pWV5`fT4>rn;-#A; z9MsHkx;cQ5dEqY*4+~cn^f~^l)ZW!DJsteAqDw)FY=8u2cQaj9-m(jeINprbOYy69 zSx<=!VYL8vVjf(v5_TXjh@IMNl~4gGBH==qxi~9=p$1x1FW#sHG;z|FC6JciDp<_Z zq|?~o?KSP%)^&JuI2Oh=)5Os%`ORwYR}7xzT@C#=*~FZ=U=_&UQ*DOlwy^KUi8;p` z-^TO5kk&8}rU3zzFc0ay{qphSmE$MMC%6RubkKvW=QorurS-Wyj`nA0!lN@`Qs5&Q z;qalL!^CK|(7>v7_Zfs-(o7d<4XzFxYfmy5hu@*+ms7rdI**hj!-g8V;|lww4~WYV zj?n%ZhJcq>bP9SkF%5h{U=1dO zqBe9%T=+KDI_g=N)WD+mud@0{YO!~{^TB^F#!J4)^sfnZeMhy|Nk|RGv-#6G^!JZ? zTDTU#(4Nq2tGsh=o}uxNNuYoHF5h_=D$#_Gy1I7*XkLQqKHp`&)C8ysKI$9?IC|_> zEe_%*m+mZuE|MMbk8Ug(2oJf@m0B_mC;-+V77h1$#~O2p-#QJoU1i06w&q~%mp-#G zL+)B^?y5A=kZZF#G}HyF>$9YKh?P$fcrlXa5jJf;>R(-t&mVwqIN<1!Bh5rX@40}u zNIars?d(&pjPR>3WGC>gPCFXS2lc%OPGrt$w13w3itu-S7gPv zeTk=*a$in-4UG>_kz021yywpEc z!~A5GCHfnyg?m)Ms=INeSBeS@^ix&yRrITS)Sh=aw1~-%fS7vGmX6JPrzb~Cb*b|n zlU2>xav|So=zh~p+`0%TQAz?(qLhRnP$?qSMXzn?BhVnfuaIk6hWyv zQ%{lskzpd@s`Rtvjhd2R>0|f6FPBfv>P?c(H(iH~ypb#IB<LvG@}^1rvrsinBp?4lpWRm$;0}`2W^0y zNfywfBz1hw1>}4CyK*5l*A6z<_xJrPJua6?2>mE-EBA~@j0CvH4=Fs@@mY=r81e|4 zYn8`=h_TqQB3T_-;}e8+E9J)j!okaJRut&!-rzKBI71_w(B&mF)9o@vp`oaU(b|{W zC`4+8iC+{JDNMZ#aKpysomURlfAva!A-ye1W+9c*Nm9&jf7*W6XY>^W)2tRHJ?!fS z=eD%*e}gp>SEdsop+UMe8lw)2h~tjbTQcrTNeNX{F%> zJ))}2tVPqM!R4D|ytZjogo|I(eP?gR!8p)YCc#>}Y|ALRc1C@Q`oqguWiFRX;>7*R zt2F?|-?pRhNId}(vl&D5tZUOT%HLiiVS^qLNngkPjCMD3W8md28x+L@J5+B~Bt1U& z!5{pl_c2OLnHm*|*GD&R=ziYp#Gw;0M`1xjS{{6+84tN()`?@G3GK)60IRzP<{*=f zZ+pVBtU+Ubhj8xhImrKc*m{T6_kstf6!FaK-bMLqQuTzPVq`CYq`(lKbx8vwX)1(H^2Uqm?A>%I352MM}rN_zJp(3RKJp|}@)PG>lI%jwm(v!YVOR)^f@qoX(4iT*)P zn~&^)ze+t;@n?M@&lK#-o3#fflG9Ms=nVkK{~Q+*7PBN^=*m%{-eNNE>e5+K!G-m! 
zWI-=@Rq?)aPglIiER{~M8JtX44K{l^FSX&#boF90b|a6x-wE^cL}>mOE50(lm)P#a zDaj)_ZG_hd^YV(~x7YP~-?N`9tNg@kq8|KBG3*|9%icKa_jVUZUvB5i2K;Y?S0IZ} z9`IEnZ4$CPp?_Za?;7tiS&xo97|AY zJ{6o-6?|oDstJSA&aZBI_>(sxl}O=Pa;9hPFVbwo&NT-_WnYMjFiHZ1aIhc$9*-Zu zx@fZV?-Po=iK&6jFNVS_{H8MBjUCtknG=LBfapN>Rr4Rd}%FsVRL24tnXgI)Qrq+APum{7~QAzVAUQ05?N3Ai0ePD zq=nT+#ltwCNR1UwnX)|IXt!@z1e*fAz%XX zmz5*>wj4XR!v<4f2@7K4Dxq z7>C~t<3M``UKgxO3&P(B0sCFJ&|ffGxk2?RS1XZRiWt3xf@1y&Rb$f`r4XTv8D@@1 zGX9{TIIP;BMn{ty3Y!6T#^E>EB3&}$yri{y9ZjIJm!;B3MO2i)J;Qqdk)H4f&9AhP ziSU``-ej<;)bFuoS4nqVU9vUZF>s3%(=b02*Xfu>A%wudD@)atMy?}`5u)1B3Q{}4 zr4bevF(m{TJxbxAD|0Pt!Cb79;UK69C)6S;lQ|WJlDT3+mpp)>*UR>@i{k)N$dL~$v!%PNQgMj-3GyWwa~?nM}6lIQfYpK;VmIwdk=gLaD~V~(Z+lf*7bsmKTj z0`4;cuQpXbxA7}tD;Uu%A)3_`&@5rM69jkdSGw#rpV}dtfDE2uQ;azA8ON4?3$@*% z!O@qV`n#ELPh;3tfx@w3tE5O%vc5puUtJZTg*OVo`xaqZR~%D(OtN_ULe)jy(%U0M z^yulsyTajR9#!l!#===-Wq~- z7E1cUJ}}|nLvIZ{K|2d2eVA~$&mo*LFEX#b!UO&TUFGA%l@B1e$dUWexZDLiNGmXd z9^S=kV94pJrmE(@E_%AX-Zb{%MX{c$=4u&<+sQbHRb0pR+PPjb*wwKgJkElfv$CRK zqS0nAwU?XxP7=K;Hm!gN{OPNb_QyPf>fLBLA{<=^M~}M8RC{}u;15xcuS_=i;XL^D zoZia=YrArX*H*8boL9(-5I0D>8$Av&Muf)*wQGd8D7AULnP{Xq(ni&84O^J7Y2H(* zLfl}of!ghsn-yy_uvfTXQ)X9G(Qb#-MSL&l8;$_D6-^v|7w+Fj4>nv%VN*2@z8Z`O zJY3c?iq2PHn-n(WykWRvM0Y|z^a2ew;C>(&*uzS{dJQJSel{IKoCd#V?0l0%!^ai^ z)B3ws7ZzIOBFKG8DZen>LHs%(!+A=Zz?RpH=6DRLkkMY`psc4~K9Yny7r=-4*!27X zS)QI5<-V|b2TVwl8R`(X_5{tF%sgwYIvkxRkQ8*}eEu+1MFBKhE(OZ1!Ea-lfI55E zqN7`3lFY%d*==hU#utG(PnVJ<3p-dfbG`4~vV9@(4Hy}FpKMV^1`bBCEG_KnxW!(U z>eX_7le=%S3pXSNoB$M=T;ibHePiK065-7e>T3dTR;*-LY^s)iR%)n}#55~YT5p_9 z=Bxk(QfhCOO=j%O3fZo`G7bZ-R*l1TRyOdu1CV(gF-Z8QS2P|@=2Nq(b0SH&29AY# zMH{9fP}|9H^V#a?q@(?3Z&wR{B{-H>QTskWu)1Ha@lplvx?M+850C4gy+gC$B1(-N z9I*Bdim#a9B%91*^Cy!VFPfkmA*i4)TE%pa+d`wETd{J{>}fbwZC=81H+Jx4tGwE_ z8C2eOcrg{M(J6Q~ji22tK;X4mV);o>qqO4FfF?TZ^U3OtPIU`F|k2-q+#W4xOV%^qPqBMbqx5Ks*4>Kj{}w2$Q11isR6-A zVM`F^1qx)FOmL$7BT=c7j_JcAv;%I&6ruLk_FzxM8|?yq`e8!s?QP^gU zFdFbZiUx(AbT)_uS%qwH3{t|4SV}oSfGW)pnKBxb_2xiWF; z=>5gUW*?klMfKd2nN6By4~H2K9Q=@)RUAwZZM-* 
zc-vgHh`zO_vzn=_7nia3_#!Rqe2rQ~6b*-!75%Z6&AvKdn zzCm?t1=&r$B}AFg+{kHY0i!Al5MoP)pF3YR1X!?$;J!RR-c(lU{qQ@Df3dbh%sijm zm{{^omxApek%CC;f zWZo`&8%#NI9@aGpneka>WnWlRjR#!A^S-@mmc6LN>vhe`3IZdQ2tYU_7>YzfL6SsK z6v+A{WvIuAWV3Nl5CpLZXp}(^00RaDW?%-`01yB$2TEo}%UOLlHI1Ai-WUC$84@wK zQ~2f0X9SHlo|LHmfU2)D$h6ao?O5nLx!6S1qDs3LEefPV@+SwrB*u<0QYzANq_oER0i_ZgL zXwJ4@yuk=UfrI+@vZX#FRDLI7g z-tbr?xWDyj*UN%!i?&ZAPobeohj6%eR6ZC}2>EcK_%-Zx+nLvQT!%|r+RzQ3t_lQP za0}tF#4T0fAohwBEDMLz6GMKbCuZj8fbq+KCZq2&&9Dsa=c%@%4O7EY1$FTuu%38u zf;oU2#!;09hzao1s$XVO%9~3W1-iBRp3XFy%NRH}-rObOL}-}GxaqwBl$a3&e4l*= z!-4R;61kdy#II3I!!ifmK5Zgw>oYck5I4h^5q#Q+j{I(f?CLH9GIa8s1r5mCRRi)n z!dfWOx-bV|KtYfD8Q(3{KEIoq>irhEErzNe=39i%#}dK9iM2r-&azH@Pi=n4a2+Yg z9!>cjL&m|oR|ptS-H;?d`Q7)6!o4xB{}og}aj}Q-2;?hi_9jVRh)lQLRNfa7 zbRhvbls4CKhcOKo0*2`$#18)rZ&dmS?0Y0sPxgCcGi#yby>eAn_#OK&2(X>jEntaw8gKve!82!E1VY4@Pe2C($C=5oZxA)2o9Px#$RK}Y( z8<5j9*u!@c>T zP1bn!x(;ot6r6V1aWN1|xcOLmr0iv$KROJItNt9&QudHrHTa)qR`L{3#U~Fe9kBlg zUI!Zg{X-6EXnUG)8@T&kh7(znY1mS>-zzM95{IKjmlLCzXS>0PpWgkOHj$AWp8jIY zf!5Agi`xNAsI(v=VPpOYz=l|@l|IC-^RuFc`v6gaGIwIjnfJFkFjLnl{qWpQDK&lX5(^wu$lQV6uFY_plMBX)>Ywh-KYV%`XZXXM#Re0&pNhd zW`9y)wBNm*<}P3onqQm|H#sn7)`KTE!BVzHTMUNHl@Q%eH=3_8#SLuQpFq0H*$Y+| z%h=c)&>YvwJ~3iL4*MT}^9UkBZSSxm%Xg$Jz#@pFpM?nHWE*EszO8twQhl1OlYoQu z5?P(N_TgwhNyO$4WYtA1X^sCw0l%N7U$MPM02ejQA3hDN$OJO}_T1?03O;f*P7U|- z@AE>R_(bd&eB0-lTGHT(THj@W_%7xpH@fQ}#Gx@Y6t%&t``x;8&tyQTm6S)PX`fh5 z1Djc%xJ7tR3xN?1$N*zW{A4wul3viKe#1E%whCc^oC~FwtU%30y#(nI9TeiRQ|#Y> z2b;-p+?6a$q?s-e&_8U!@yL8-J(*XDYWk6CoRQfDZVm((V6yY1`1{wnR_j<5y;$c# zB`L4F*><%H8cM*pzIGxDMyetEkOD&1S%XQ+VU6lC_={(`uJIG5GO96O}rZp`iuR>l23YrP(41be{|Y`>+X??Hnblf8MQED6YDJ7#l83C-Ul>q(PG zu&;x>__Knk_|&J6?-HG+hn|f=^*XNj&(?uK6_$g)6TB20{&EcTiy4^|5{DHb#3VyY z1-=d1RVpT`j>!Nz>T=$(od+xF)?k7eO*zs2Sqge-&=0QvXFGzth+;UGpvF~y#xWU{ zF|b9ZvLW5;8$Xd2D-J;CX%%L8a!eYmp1P$-h!0s)!{X8@kN$d4t^!&FRxQags39(r%63sRRZ~VM zP%|)O&nT(F0t!4e0Cs*~5UW=_uNz_RR?yJZ@P7ax(pd*ggv@DkZ+Pqbhl5~?WfmMo zff6kHsG81-9^6#l-ZPY=DZ3NE8O)PS_@@C@`|5<>K_tkNWJAqh=j}pGIY<<0CmjR; 
zpc4Nn6H9%6N?Xr1-hc@cONRwS>~wuR@c{sXbFjjsV%<=9mlXk|8~BKdbiKhVZgSA` z7CqHyN-i~|B?+bRMu0QNnI+k!w&b0vYhQ41+!BYr6Rr_iXM(VDb+FeYr0($sz#%me zHTkmVP8ZF}Md}z%D@Kk`+5L_&wym?C*1!1%W5iHeWOYwt0%Doyq+tU&|n=CeexT|!|(rhAhBbT?#E-x++c`ZOG9n`E{9-e zGgs;Y!?V7y$I>7qBOoE1lRehL zxSzX_fa_`olFyGcrU&4 zkkr?LA!j7uw0#(tlD*z~=k^M}KLKmo=2Q!>dq2a2WXM!cF7;`#K)vl_%QQC~1$LSR zY3e=0;+YXX*qq{at47>9BiESmlo;o8h#=h6Vv0yOlMHBbZXn+UoOJUC@7caWxWJJV z7&_|9d=fLU;KGO!)6D2$*~U-vCOq*Gd(&~7!GJVIIkz0i<2y9EKN@Pc+FrB4aaFqL+Jnbmw9U zwFHik;hrt|tyr9b^(n@DG&J{sm-fiT@QyoMk%9wYIPgnRI~W2uH)+C;-@M~7gApye z&vl}D)CS{*``sl>B-~8>y%kpsNTU1|hlyGCI>X%SXOd|AF2=(~nYa|Wq+g@s=gF6-Gf`hKv5 z#D*?|O37F|u+BKX+Pd9By@3^vK5j%Cn8PPq3A1m$=^X2i$L@E`$zbSGcD%OZtgT7@ zY@&fRLYp(`zISB9tOKgo$Ippt)Az?1O=|bI+R_wv+63g-A_Dk z58Q{hfsSny32dh($A3N2CRJ}N7~smu4g};-LtWornf3>aWvKtK*5H5ckxm+J2mh#M zSl=7J^x51b^k-5f0z@c+{~^KQO4wGz2HFFB3cBI_I9CklQ*~IggBwqtAOOsek&JAH zG+}78<_;R=fGFQ;Bn2PKGHX|MGinLkEQADYut4V{*3x=iBGfcvEgY3ec z;oo;v#*oY8MI{)dT*`Vpr>M9m!sk7x{^ejbJq81!@r5f-&u%|-y)W93d3*y#39Kr0 z8fjdy0)&D$2_U|kH#@;Cg-nH6By~j;W=IdL{=|>Vq(ffu+j9kHHW9AWc<QAGY|4co8Es_@xXjdB>u4z(`=vBz6s-Xz25to)a9!hg6=a!Cv9=cA zMsbBr{iFgH)&xu*U4)g6n6(knm~A*DEx6@m)(lxm0rReO(mQ{JNfhrk?~! z6_K+02^!H&O>WX|4@d2BdtA%+F(XspT!w#Qs6$-2WznQWp+2TUlz>+-6ed$lNq>&^ z1w73Xrofryuyi5OSRni$l0w0SX2aJa@`GW3WTspa>+VKw!6y06hp2J2p8AUM7%=OM z8Dx+=@o4uH}-8M$%hJNXE$m7>qj z7#wdQy(*YXBMl4GO?B5d%loO?_smpA`{7~4cD3~7D-CuBX$GKi+qMDz^mzu-L>};< z$hM&gquz-4MuR97Or5gj?BWcAV&!Wh7#*-5B3UyWKx7+OQiaQSp>zwM0nS3C_cp_> z4%D&+GEx#3&S@DKcf$6!FeqnP`b8qc*Ef0a{E;ix0^iWE5>)K>F7OO7i7f!Pj7Eml zpOM@E`4Eg2cJxqA@Z_qjX`jC77!NG{plDJ3p@TwgkJpqbD>_IM_*^(7t!lF?^bDY| z;oXgO%Gx0mJJ_8}CmK_)aI8lz7+K!r^SajYY4!2+nR*zpg6=4=4emcqS|f4|t)Gq=Hlz1jhuJhHeDJwsLw#{`c=2}< zIRr9+m5z;mME5++JsP(H`u|tW*zP{z{1O$8!`g+c5Jl8%!@ta|imk@)2eS>*vsEg? zhULdHL5a@~X7(pdiu{NTWjG%Lx3ytLy2hiyJ-o}*2@f7}O}rv=>HyFvx2)8nJZEu| z-OIlz-~J7=ej`FGDgdnquQTF&=%=CKFoptrNU$SeZq^XTyIf~?xiPhDOjwf$)zFbW zWWyN>o!#TBTp_^x-#;X%HT(2^qSx`X|e2gyX2dl#$ZLys+RIm1(MYAupz! 
z!ct>>#-u>QnvGPO)ydkBi;PLNWlcCbBIEIFfJn~md8=&RM&51Z+eFc3QoB0T2Cd-Y zQkvqR#?3UzOwk^a_KNwc?C(DHFd1XnxrtGtXABi69P0F+p9lok|8`Y z)(jn}NY6H_T`21B1LO0?yq1g82`lgigSu4``k{l`o(!H*S5H+>AwLko_e zgT7FXzs}KPz>Ws9-hIdb)E98dy`d2<7hh=xb63{(y~pcl9Hx01@+I$5xrxHQ4e=Y3 zfM?>Rd*hpiE@yUC(syHFML3^vELRUG{~54%&J7*a+pxN)*ST~2X9L0~*YBJjYzh5$70dZ9?rXMuduaDqQkd7@{IOwQ=Q5bygnhBv(fyS zjEt1v$GQP%x=^3NG@(??96N1p29`odI77}5d|=h#SO>B~)meKcLZWIc;%IXN4tAR$ z*DYz3G{uwl<;^%Ld8SvV*tlH;W!$)jgv)Y@fB6-g z0`w`eBJ*2_=Dym%VhX$h5I|oG zu&Q?P?1y8_UMq=^YPEFMBx3fW9@honV+!d0X;{M%*jC~@-fl%|subY=F_fkI7YO9nIl_l)venvNosld35^pBPk*RQMrYW3=O-v5M88Oo5Ie~ zvNJa1gSMmwwt%hIuxWO_az6V*P7fVd;mb z5^^DuVt*!NVJ$a$X}rH4aN@RQ-X7{nCpJoK(OM%jiS1%QM0aXcw|!~*CRA|JZA+&0 zKTe(Y3uLYPA>wW701h#oXW1Y4;Xo;DzbwBc3Suvwk?kBJg|6|uN7i&ec!J0p zz4n-e4PX5bQyzK&un*;u)PeStRSs2|`Q<#KkFx{K8WiWMWY<)Z(_iSojEMN zNPZ_YQX#GOp^xt9P8FRwzKC%IfBo@B>gB{M_`M2tOdD-`stIQY9VpH1Jq#mlQ%APD zA>IxXEcm~M)2`Z2-WHEDtM(8qZ>yVwgYQeurm%gIh+g!_GG|D)tw@qTjE4!-M!Do)Alj?(kfmm zQCDzjZ@cOUy=)kWiOuje6QInOKGztK5+&j|jh%P$hpyO4__wGJ-rfNf>){o<&r0QW zE(7m}y#lC24=A)Fi`Z;T8;y9LILS)@l(?;IZ+B^~Ic3+g-Kh~Z`@Z?S<*J>50l>KX zC0wY2Ph^VNOzU7sXzWcci+&n42!81`Z4Z}p-G*EEjJL~l*%smRO(P9hv`?ADVT#gvQp!nU*n=2H`{v*Nu%0j9f2 zG80ve&BK&o&}Xk;i_AyTRh(ox=vRoY*cehm247s9?!wni1c=U1 z?X}nkyxwpWX{Mz)zrp#?4jFk}JOta1{?3aqS2#)(ke8@$5-+b}XIW@)DwWaP|vwF^8Y-S@%U7n1K*Qg0TFTh32DU8#Bm`N>}XUC2Dj`h z{GDtBI;r5O45$jsSV%Bs&QY2?Rc)9WcL|RkodFI?xIPA=oaBE5ZbIi81_Qs9VF(lOh2?nUz zE#)s^-mDanyrY+H%Ivwizqe&S&UpF;5ZyRaXWphQV7<}O3Wy6((1 zAWQ0yHqg{px9xU?p=9uMS5KJw=zOV(10Dkv0#TchiqIh|<}=C)B1kv^q=4!SY%Bad z2E>S%vS!q;^fKzFw2wU{ZC>r*2Z{T?t++3NjXY=pU}!U7Z;G|!qrK&Wr1}ub_rE@B zaB1|6s%{nu4iGpTCiS-WCspRkU@_vIe0vkc$IR*_?4d_sU;8w4_LY{r1z|c7AW;(6 zk<9fx=aoqv4gy`j={Wke-g#fl#go-EB!M-KPd*Ndo1?Yei>OjRFBB0C^%*VE*Uwb^ zV=4kpD%RTJ3-w)AliESsw?tyj3xCMK#*;7^#M_pfDXO_uxO}D0f^sSv(7QHBRh{Ln zbC5GKx&-;CTK4}7VXbw*E}jy8W8E-lJsKa6>rtFom}s-3G94{% zNxdy6k%(D=>o;{a1H6;1S%Qz9*Fno0yI-WyE_Qm6ByZSx=Sy|#=F3b>!#co!rM{Qw|P}D1>fLi>-m{eMI9k@o|Uk8h|4A|Ln{GA 
zM>DnS5JQhDrxL#TrfJ2q?zdj}ETSJj$_e{@wDqD@2P!e}dX5!TMFnueIoZS{;2>kR zq9&?>&L}G=2mCrZL)c}6XrmI{GLV%}EWIIEE>^Nbi|qvtp<_2;Cnl=yWtUE#^I{h^ zA2?uUASYp@p>t>7(yW8u!gO{gNePHd>V~6ZM_ub*uEXN6LgP!@f-4`49wCt{4Wg(| zPfX&+AF7vt8eh3ZFJG!McWV4=1?isAnK!y_e2Rp)t>=aauamapd!=$lN1K}~Rc{KC zBQzxdCsbyktI;^fCh7pKLoKZ3-?gL3&|sY9a14C*S^q{O?7O%^kz6GP-}`|Mn+XoA zNm8(r+YvXnEf`qobqYHxqD@1#{Su?+QLpu8;a1<#tO$&9PoHQ_g~zNXe7JlWT4a#M zt7$hhT{oc|-_nv#RmMDxaaEv;s&_udM1^$=pYn?yQ5cO>5NUmOvxtT>_Zhb|l-RCl z)xTYKs_eB}qK^9kCpPeu3nyAS#>p(^0F1*;^`K*6a7zF?A&pRq4wN*D6+XUmfh8SA z*TSf#7e8B7xp1pTEHG}$C&dycK;%0Q)NgH)KrjQ0nN>3lqsy#ndQDHHY&@iZ zlfKF|#`PDE&{7&A;;@DbwLO1FbOgxr_FO!aKcPv2PktZhy1=a6U@s^UK$5E1HP>O2 z*%)7+s4Z6*CNJu#+@8czwhbSq+P?Vk>*PjB&FP;x%>woN(IpH<+)<+=yt+l0(vveH zgD!XKKk08xA3r(pzd-bq_b(-6*K;TmDDe><`LLXCq>(Di-V)fp06sgAehK3*vIi@B zlIR^8a4bW5|*%O89!TdZwS_*TUxWN#V_gHaryWHZV1oFIasUm*8+gy zxkoSGek;+X^G#(ziGgrOI6+WZ*{MSQeU!P9E_}Q$Vau)vl4==eVroY05cmQ|zsyNE z!^_?nol6}KshRtkxiWNyLy`+VnosJyuiyMR!USdBT_Yaq!38yN(-)Yb8&u6CJ%2}B zw!==Uwtz~*^LY)5*!)WZVY>qMYN|7E=79I1^Q{1>l{C|l78{lIlZ<9q^C7|YjK&RR ze2xxM%WlWu+?|0bqfT)+?Jj$YeF#dY=+~}E)zF7G0rvI5P&piEZ-Sp)3Vx44Sd%dvIPjT2)otQ52UNH`En&AE}2mOp^ zp5YxAVg>JcRLG2NvP}m?_#vF|XHOfUflHDl`8Y!2M4*4^0X50O+tDE$zH!hrR3-C< z$!owB#I5EoFNQ|v^%=b4Ke@f)`4-z)%Nt@>v_w!cJ{mv)`rvspT%m`m(*(BJRlq`L zchZUuoyjqW+vM@EyCUV5PsW8Jg6miD{qj}? 
zp@%w>Z*@WV+U4a3F)C99acOiIqr*kt>YaE@W5MV*jby(Kv4I$ak>Gu_>Y>J*XhFXE z8RR*wPOnBBfx&8MCUnaS9Er(uu>qv&ZOMt-9qZm`79^&p{^6J$XszXG&ARJUE?r$P zj&I51PC8ZADLN*IecPv##aH=K-gxHFnrxt@ai{5Q7kcB~NF!Q}+OM4s2b@56*hHinHF8+V2octEOJ^XR3uzj@!`6UG#GL|%j?8DDgL9M5 z+4yPN#gJX3)T%IWa0up%$c?Zj)=E=OpEhk~u;2DccQ6eYCYb&0OQ+cYd-N!z`_7vF zZWQDiR#e$vB66PZ4ToL7zjh*DqeO5J&|dLl3gE<9i}7XFIg@`cM!>$)d5?7X5PRyu zGu@ksQJuy^d?(zOb}>Kc#s%A)8Ro!mrNm30rfa=A8PUsM7F_gJ99&*Zy*eS8mO_id7jq>fT>-Jd=(~E)1@bDC_Wa&g6Bbtw!kby0EOl0MFU@1937T}h+m>-6tMx~XikS~ zvut5gw6)*UFI>t1#YXQ|^u+`e>_n`bLuRrP4?-9hA)*@}u?NT_cU72AzNsV?gLtJZ z4iP4RHSidkFm3!;l`flvWNxNF$KD4Xp19c}xgL!+4}4%Y8@WWifr<1o z3benRvH5M1Oz2sj_U0;ic&HIjPf)K7XHVX7Yysd!rBni8sYR_#X(At7nh{~6;^jTb z>7KL@CN3Wvt`ao#8)Q+3y!e_iFyp!#($;6tU2OEbh6AyoaCQ6ypJq0b;{9F-mG1%BJnfI_JD3HES@~`#5 z@h(I+$UQrDlxcygPB_&d|MdJmCX-$j-1IS|WI60Z_66kRW7n8tG2l4S0Fb+4;h%1V-7J7HyAhfHlyh#A+QKw(-666wW3vl*m1fu zGZrBQZJnbo4{Jjmo2oSMXv1u>T80k!%y#!@lG-rOOIuDVt!aWp)`1(u2yfKV)3 z%45v2iE$GAj)oJBoB;0W7LQ0@#mR=}4oC91$^<5cVH&c?1EcOc3D?4DHZ{>(y(T0* zmW2t?IO@(1#1J637g9L_|spuSJ zCVD<23OG}3`a^i6l`<`ln^EC4J_Yt=c6c_HErzIxd*&`Sq5pUW^jy&t$k>)Xbzr1c zo_LVGX^eaF!j&-|-*1@YxAMJ&=Z|ucLwc+{_2TAE@|DDt*z|&8>7!gl^u+m~`*g5K zr-W&PxdB%8`!JO!f}(gBSFBE?fFvO^#EWRgb%tHyjkrhI${o*;f45Jz4$0;8)vcJo z+s7l>c{TldxFuEoj5e&h)l$%~*@N3G?1jNg%a$Sq1Ub7LkM(aHcw&Sz398iR;qnL# zevf9Dld_t-TpGhmHf{G14_Rf9nT~2xnlZxjC1+Q=mc>F-sCn6$-J}?Dl=(IXDL#tV ziN_sBvE0@xG2_r3Z3r1J_*YlBFx9l8)@qw)P6OseG*nsL@b#k$wQ1Yu3XW!Sux?d5 z)F^*_qoqZaXciwBSluSkeSaQGz{AG6CO7Y=d)=L6t641$zc4j1^-3ihMHDzY@OZU2 zHhqvku_5@G07V}Au$OMT@_zUtK*;%L)v= z8PMd^s8zunNU7_kmt5%lw4Ytfk7pP|#niulh1I}q7%X?okbndvCf6Kkp8zTly6hm#i)##R&DgP_1e@8>01&DveU#M zE8}1Q9T8VjOq5gRsV7y~PePf)MGt68^IEjjoE_&yp+E`qtPUF8_UM(^DI@;93WYZ; zgz|+GksPFw*Ma8%I}pcEs1nwGJ7Z)zQgX8z@jD5k8XyU zUSYLxU#l8(OC~ahvBjFgyA_=qqwSY&T)%m4&mHZV6=8RhsZ#hHZ(?Dt{N^8D?(gKh zwduhb|IN689|Sn`G+Ju*?uRj*oc2N>#)=EkgJq1z$OMz%uyJ;A&)Ew;9P@}Z>Kjdn z1V`H3qJMdDQG=9Ou(dkMKMHo#wSJ8%`)kfpDS8VebY_i|hry0LbM#Sm?s1RQ;j}VX 
zbCx|bm!3aHb=RZLD=e%&+!PDK(p2C_ENfHO=I3<0X2$@(on74d{3udbg z8F%mzu6z+|p?5r2M>%%Pq=xa<)Jn!4F*3>-)%}_VqJ_dOPaJY(lYE`%9UNqLz)oK@ zi5xh`?2Y$`_w$h5uWgkN}E6d(4Z>fCVtxH2k%64U|enpwkY9eu#kJ3W`jM!*g%X3<8rM6f&2vLA=0W_Tu|S<<9O40_*8@i4HaNkQn& zI5K3f(0^Xjus!K^j;HOeD;o%m_X8L5%Q~^Ao8g)>TQjcawEZ4xhM+voFvO2@Ar9B{ zl*TNJq1XyR1sVGZPZff4a1+S;hKSz!)FRnh{A-?V#(`i~0Znw9d%!<~mRMTwue|#W ztO{9hh{v2Ep>BKHK3N&%|1!$KVud>`c>Vr9G_Ou!^%8b8y7y0Yy<-$W`;t776RLN| zxBF>4ZGR0!VOFA$kMEM5@8JXT5!y*~Y?1d|c0opwXmFzkW&gy7Ly{Wl6sDJ0ywo8kZkGQ_G*D3HDPgvbFVg*flS<>=f#|sd z;FYq|L3B`!?S~J7F98lo*P$!hHv&xxdfLYqv0=3uZ1D#I3X6ul41y3-RVVJ5M#Ry8{v8!6U1KYvvz(S*UFk2p z1tJEWm2vJEOa=tKNR&%vY|szRBItzZpO9nZmvi3ulge=>4hw+ZM)R>P7r_iIV?c~{ zEzyAjq68H%v~QJdH^y@$C$Tr;o)W3b2qy#AK)ug?-^YYSB@)I-`=Bt(-9H>%y}8!W z0h{&P{G%L4Cx)=KUa~Mm{(gs!`L+T_;j(?CvW^E&LAL^t531`?FB?iot>ZX zNuJncGC}CrnYGV|)B@z>vDB@*s%+c37eRR-R<9`*Yi@^ z))O&Q^|Uj-vl-mYj%?3Q9M|9)zZUFFBlfPZr49Oq+Hc4&V=M%mdmwR;x&AZHZ+|z`J17e1db{4u} z2@+&>nx)@6B0`a6gAQL~I+7Og(yzvwor%ylEnrZofopewI^TFd5#{@KMZ<1NfKkQH zM}evGlC`o!Yq$YjGJaqQn;!&hDcd7i>>Pct$+RM&7#ikE*}hOA`9Y@3jI<~jtvKe@ z3ps;t30T+Oz{-#nhSsXt9!f189S0e%OBU6EZ74(ELS;qvVJLsKUM(^zdUj5Gui`^E z7OT|UK-H{cnQAIM8jd$JK3?r^J=htl$=j2rDYwBuBXVIpzTfAH9+dQ+ z4K59z-Cz%+xOS8w)WR!Jitoy*Ck$aD0L~DqpQ1IF;@qUAji?-k0QPGqo2j`$PH)x* zqT3$w*&Xm^_#$N7E6+|l*jR@8M!$-^q*1L`oL#Bs^M!SnQ9N`>gwE7&jm(^Yl<9VC^cSBt928S3Z~S z;V$a?g|lpr2ySwo)HVvi%d+-}lDPd4vN*`u_F^#s!_!AJ7iRm=YJXG%#}6*5L7K!k z*+(7`($<5mF4nL&ZjV!u_)3P@z9rhgI9Fa{g*Rx{T7NeMOa_!#6`LS$G1NvLm0P%% zi?CCm0Cb#*SnG}07T@47&5_ELz^va#O;j%cYzx|%W>rwcZ+8H;B< zldZ2p&i=2~i@9}8ER`jl^n5o18-*hmJSu8mq~VcRPXcZKo9Ux*3&jH*AOUN`G%x@I z{Q~#`zkxmI3WVct0Jk4S_`MVgsKaITofA7Q9rH$?K>xI)N^2Dgc#K73y{|u*>K-j5 zD16&1OA`cxD?*D*b_meRt6ui6!mh;204Jybt4PNj~uS^wDG zGV7f6^+s)%@*Y4#f3%_|Z|W_Eh)@&{dhAo|beI}pF#EsJTlt1?I1C~{6U-?o${2XF z;Q#@IY>|2Zd|W#=5qxV1ioX_q6t%goh^RVbQ8{yGi;%Y@8WP^bl1a$q1`{IEFLoaY#HpmK*cpduj$g|TYdV~zpDGlP= z+ml}WD%UoU=vh65G!796!}UcDBuwM4xBv#dSH#3JVrLp6s$SwZuK%-d-300J<}Tq` 
zK^+dQvO-xq5OgsaQh>`s@F|F+-~&9SS)+&3kQKlT(b+`(zj1{HEd~;()x1UhI^Zw?^?1ZAYx}GmD9cQYyYEZ}evi571w$2BxE{tB_?(4# z$rG$sW^LwV?(xHir~SI>Q11B4{>n<#A`p!T>Q}^FNN({+t=Rc{K{E8Jg0ZE)_PJCcu=r>aXQR)-JDT%h(Df*_TsZB*hk4-i zjl0>_*_!;aiFz9Vrd##@+M}ZY&;P;X1rli?V9BAF3Z)!2&jdzqyP`V5X6DQQ(1xQZ zIB{2sw7hLQ>PHEU70qdB17jPAwwe`44RpgsO zn+FyTcke2jbnF=!$@glcUM7gl-X8h%tLSC*ly%*8$Qya*x2b}@M7pgoB$Pl!27<_d z1Fyz#3mEpP)a4B43l!{-*EnpExEkXqOy%(t4mWg+w@|;20HR?)7sT4EPNd&KqF-@c zX)Kn56ann104^YeaA!nqVD@~LCXuc{T%PlQo79T?}_`TU} zmStOFZ>O<;%smMTYIu1q1a$q%(Xjgn5Vmvy=6449A4;aPXvvb;NVwF7{`%X zpwRWSDOG{tN79?h^&)k~jTe-2C_#XX8z=528$}w)DnPn~bxsXk&}`!YXVZhrii{f- zOE5fx%v^93`f7aSC`WA+Ddxyz=31A_S(H(=KEI@(BC>Sv^MOhI}%(o+n} z8axBcKN?}3fVDf!DutGxS*NA(Av(ei`A2Fpq+6%`^`fE<>@gFrF}uEgN+=Pv9@ zkXT_dfZ7uv`6wM3{g5+P%XTReu3hR6P{+XH%c$d@NllgYmZQDgcUkhxJ&WGGe?+Jk z{=}vY?~K6gj|Ko_oYm-lD4s7UB22*dd6l|3x1%#A>^-GFZ@r^t@%#Kkg1FI2Pr7+9sl0TcDbGBjqwfErUZaiWgq=`}UTeQlEVpW0WUt!=3STTZ1$Exn zHULYp+l!LM?M{k}7UJ1)*xC`rW!s0ElV@2%@NU-$?yNRSE{&iU8c_ zPO0Bu4Ru3(U{!Kubkyqq0fYBouR8XA0zz4)9N=#$)7L0Et}=kXqC|C#PPUjBR0}n} z7tl;CVi>$-^rtJIo(_WL6w91!qzxz*L`Mhz%9;o}%WbrMleYV(Vnc|0 zDpU~J+zxM3wUTHM(LMf4smG|j@iDd;>lTUzgCcc*X;TQ4JnAM_@2*@4qK#_*+>Frx z=tvADrR57A3$vVM*qw6rW37ot7V8nHluwJjPa#J#Q2LN#}54He!!$5%YHv&t|Qe|()?*0AVy(dD4s@Yll zt8aC55riO%+|ge#aYaw!DNs+K9>g#~!J)m?Eqy0GzTb?AxM~{>IL*bjfKuB zV3Fmc0}`w1k{nb5>L`2!cyXbMn2Y(EB`Lv>oyPowe);;5TBQvhDAvJ%hGr(J*k6?X zG_BCHAQ-JW0|a7*d`ooHkh>^RLsmu>qf!iij52JXDcUBf4~#m{IzkqT)0CC3gXxd= z;8+07v>d0}Kp|hPwhk{qY7nzbN=KMiFc3osR8j%_zL+amc+jby7fAvH7?N>h0JnUT z903TZjph)O+g@bVLe&9_Uby5+S6zl21$2Z-4Uz~Z#IPia!XcKT019I;lFGmU3OnL3{4v+FF~&8%#}Aoq%!T4~eb;btNKGAG<3Di- zKBOt==~;?qDeD2gd)k1&Ga|=}Z=X zAh5K@WP&^7ivZ{QyBiSf&V>>!*uf5SXy-0DngIUnf=^w~0XVF%3E1Iuwt#0-l#mNc zYX-EYQ%N3HSWIjRC0MGG5*eMOQy#NM%-?QZ;>d5E|@cSQai zty+@y&La!m42-tZUBt7-Jog%y246Q+Kp9Fz%w%=CMJvtv{xE6S#B9LYGi#st-FA!8 z%|>?mq*W(o7nPuU!|CdkREo~rZmiQ~{kFzxU~)4=7NW+C zk`Cnj!fs(wGsN$4sa)OoLmxy27%lfF8>0I76|vEghA|NA7_NBFv=FX9Sy4}n^o)s| 
zmCr-`AE&X~5d-ZQ=wv+NRb)au&a&UOSH>l?c{VFxl^G0AqZK?p*kQ<(oJ2aQEZyfgxP6=*IgnM8 zI2&rFQI2kw9nC8-@d_1{LDh%_K49QI?K_bPqVQOG-|K!D1^=jNruQ|T;SjCO2M8R8 zhG6Ew5S0bIhT# zN>ebKAcw@@1=A?WqVgyx20qEcpqEIH?bJQBIp^ZG$MB1~GK}e; zZJQ>PJ*%-B>J8cQStM$%|7AGty=P-msw0KN z$&Z~CH3tv8vl2>+$p#TW)OTJM|k(q=8rI?#;Gg*I>d2b?s;d9CKGBe4xKF231bU13FqTgb zDcU0G7(atY^J3u+Igbm+jzqt)QtKKV`oMCZF?6qFj>MRlh7Qoekb$GN0^FT{QHnfa zUvS+9SDFdj3KxZ+WRZ4#S-)Fo3#NFjSmaTQYG>_%44Nu{&#U-j7XrJDqz=sz)hgG_ z0fRM&FugG`wkM;Mns~J&ot2_R>9yY3s&P5_;)a24L100jIhmI(o}ln}-WM8Dnv z%R}?P;wvB=8c^+?vaCS#Q5h7K+#Mc|P+bH1)fp!hV`Fn@`#+Z+&C8rGUj>OqT!AfY z9Ztq$-C6M=3&ONNs>qb5`VujKDZv3rM%@!VSXh+)&8&io5O;zJt8*FFrvXjKG@xg} zA+8#^94f8KLAC<@s-a1#LYBl|yb0i*5j7jW!2mF;vEy(1l8KEhI1zS~`4G#hErLIb zg8dITg0(y*RPZ$BJsM@Kxy3~XhcF2Iih2Rrq8nlnQ}^uskH#Pp zC@Dnjyju;Veu+Lq?f7NrBkEXpvFrjaEQbABq#l2{Cps#^n7R}uiPu#lWTJ#Qi^~nrLb}b7h3^J*OKc2x6r)> zss&Roj64HpwM*{aeR;deqih=fV~=wN&_)ujy@qI&*I08v2)UpDgoKj6o~f=UwKW45 z(H>{(7HVZ>mTIsqqb=-$ka;cW|6*I{HK>dlR%Gy?j>4ueE(>kCwxgCs zdBBxQ2NR%?;2&*jHJa#B*;{@wd@GKwohI&)JI9A%W-aFn;xjk><5y2XNdxJG|3?M4 zmqhc#O;(-^R+ut|XzbdQAA6$2cK~IyRA9NetC<=8)tiL|GWt^4E_#vCmixQeKzYQ2 zhaK&2Q?Ex79Kqx}hGO)B>DM6Z2S}?A!`p<;I&eT+WpfpN*)NNygft!ZbQz7 zj)|xGMZ#e3UHGs(Ac77C*Yz6CwdQ8J2^1SupLZR@ z4-*J#$N3m#dn=aZJN~d7oIbH793Jsv3nTwkJERy82cWV^UyAeHEX`o(CW0CQ4ll9Q z5pjqxpO$~eFm2G;m>o+3Vt;9-9~<}6#f#99_XNlDyG2#W=zA(P3pGOHkia%wp|;(= zXcHehGmAP-`x~(7I+dkJNoV*4#*|jf2V`RHKq1d9b?xnOAp7%<159|gT!?!m2QnC6 zMJQ#ZM{ozdcMtVG6Y1i#QpBUMI#{@BF@ywzupgKz`cr~su+^$MiH8{Sev8Gqq3zfN z9Gdg^%G1eZ;H8VLOiW|Kh_#!wx17*JUpuTRasrz9T@7fzZ$SUCTp#LZ`22a(Mgpu) zYwpycql%3OoB10mWvRkhBpyjVcW>QLEcpf5ki}kFT%IG8_@DjUhMs}wV)uFNC1BQ| z8LVAK&E<{kV{a*Z(FU}@d64%#LlV`Mz~{Vg#GMOvW828Pt+-E|{Nx%`@y=~!<~?xg ziY~Ed+@*`qvWPdZ3h%L6#w4nwY3z8d_83Y!Hu&UmFJEO8Ck-B|i*s z1GpT9LO*}v4afYo64X7WCAft+uIQWgHdj!?RZ&630}fo`?;yBBGinB6-J!>5GM;7^ z;XW;gS(4KSL>UKx_U97Ty^y33f%@L$z9u$r!SSZt!pxgLxuKcHodn2VfdtT;tW{6Q zSh2*6Et}M_@`g6>ttL#I6~tViEECz1|pC%!5%h2SFc=*F%geR=;4EuJ_d})o=Xub 
zz~ji%12Af01C!IAvHkW-g$>Z|yS3-dh=5v1rxk_=htF?dO+{#({iJ5+23eOh<}5WZ&f+Sps(QMgim$1-MV2EdQ6+0cM!lJi9^Cvb!S&8`n(nzAZ14-M}T4Ge5YOSz)!P#HWo zg8+I!jGqRISoC7Q(R8Bv2H=Ke*V0bE21MWH#u?f+Cfy~n<Ni|%+!ZJ5Gw+h;| zr5j^M($}{?(@JSy`T=J`3~D1f?UKMSf4*A@L;l3@q|BvyMGxJF_At4&BZ!}6a{wzQ za|##=FKhA7%AdOc*{*08Dx3vNbgs>o=7_dLx>&~8xmNj!cRqZ|0mk;#IB=%rsMjs5 zwTJt0BV+29vN@wWJQH8qz+5y5NetxvL&|uvw9?fn1s^X0v_5$9e0c^5h#Ce*jj^=6qN>u$$?huf zN)1GZckzDKyPJgW<_S?y%i23f-HZ*RO!HG(-vIt!{zbt8>&|lxM)TT(?vmFP07yW$ zzvOm=WJUCDzR4-YL!ff)dF7b)EnW8>V~rNNig}A*Y>1Y2>NRGxrShSfLCcPXxI+jTC}d%J+Y~riNh$c{DC3^A!i1EGC2@_ih8-oXp~AAPv*<)x+^bA zbro^x{Xnxup3K~45#!gv@+_PG=WGLrC77#vbs z2DsSC5DawE{bUSVh_RXPdnV;Eaw#Fq!aK(#4ONS|jlyC2uMzwyW-$+~jg|Bl_1*hsSL!&8I(}|fOz&{2 z^xoi>dO6D&7XIqPsW&2U>zzU`_JnDFr0a#Ba-_G@z1PIu3xZNCzPE73;`^Q&HkvWS z|3vrDP3CB@b=+%lWn`qvG#i+8v1i#1oF~It{0LHYkVRl=Xg&9~7pu4RTRngDlNx@x zRPdP40UG zT|Di>&!?u21`hu|W(f#|6Zp3#s2M@7%84Mt0IUlqJ)KQT5ePz%1Q&B)zr$J%b=VXqV4UU?C4Yz+lYz5IZ+6g`YgtMBrR+~PSY_j!$=jU0I+57w* zgX)YS9KYNkxK4gm{=Y}P&!4b#8-I%sa@OP)h^P<`S%>P z$MDUYV-x;-iA3&{ncHaRn~Px&nKD=>iyQ$t4-~hs)$dh$?b7y=Q^wU$&&KHVn!Zf3 z3IKyc$V4}xO+-~?OJL3ZJ+>wk;EdC_fguPzhE-*TNxo+z{)SS7IiyI2G=*QCgWBKahAF^H z^A5BzJ1%Gt^7m-czC59YPSKR#o&Mz^vIABY7jIqs0y>KsP*0z|Qv?^|H2C#MK*V0p zI-fJ$BKHBd7xWZW;;7R6f%*4f64sYpwejRNv!mH2IvmBt8#?gULZ2)@M zpnYAQiH^UKE_ZtO4m(B!HbKm4k6G6cO6~Yu2I^ujrB-> zY7aB)D9bK|DI9ZIcIGH2jjsDIxFI|aBS!jJO<<+1+X1ZlxUSRcDSuGsZiCfRd%Ri+ zRfbsy6n{#e0*~dxhq;0Fw5^8$Pj>nh!P~^O)pi#*{M|_~K5=P6YII>&+CA@E-4UG| z$45W)2F{U;kr0;F`fW&@YhsY~eh}+Q*BEEbJH-8ZBGj3H5uX|V9ifRWD&S!5T*FkO zGY={5X*h?ix|YdC?R3NNGh0d@mad54CQih5)YQ9Op=NJ=2Dh$U84Q6O$MTaWS_ybf zTMXRIa1TmFN6juaJEq3E5&b}Vb1DPG2&o|Xr3+IHbH`=c788dnROWUP9YcEK95%V@ znapb7Y}^gn_~BeI7YQlr(xZjap-<_-aW*qi^Goq$TgcQfv8HT@aK25}WOZThUL0pc(200N}KNUkRv$b-q9 zZv{1rFr(=mb(At>n8wY7l~SiN3)Lydjbqp0{P1gEZv3a^;4{;0T0(9*eN&ulCNB0Q z`1X9G`4u<)`h&n04C1mg7P>S4V(_N(4Cs8JdSE;zk$NZD?fXnL1{l3OQ@+?Y#eO`N zw?YjW>^YEFPQ%Xo(qn1s7aq&Zf|D;K ziXB-boEP3SdM_b@d!D>FU+!yjh2ILshhoqs#_tN_^)Eq-cYuistBmaS3-zxR@SFBU 
zHH3)z2~5(pN@1EV)Ha76ykL^@7;Q`~6ak>m+yZ8dKQKo9&<#14H_iO7h(AobBVCJK z^4`G3Typ@UOSrQ+)!}QFW^*a~yo^t6k%`*RErow(;4W6u*I>wDqT-V-x$vj#B0SpWQxWc5&aXjXHp#6C53*mmjOwtxb0YQP_ROnA=n6fr4 zS82p-G65*Bi$By*N?`T#=I@^@=$)Xt-|x3I8{m9Vxlk;>2gXBZ@RGy}E$B{YyKC?Z za`h_~0E0}f8NNm6pk~RihbyRO6{q^bYOF;N=yMzU-tQT(Vlxwmx0=&NP=!j&qv zW+Q4qWht&FNVRF2(M(j1+_|(X-G{7MwiLrlWSYS>DOP2}XwPFfz_uvYWJG8h z(8^nL;vXm-oI2Ynvzy!es;s()!D14?ttZZ7J7t7;UOQ#7SDqNRecE>0UJ+~^Oj^CluQ(B_8Js)0M%U=FjXQkyH z23vDpR>lMj$3$5k;HV4XxmjEa6>mf*(c2x{SY)#2SyWvaM4XX}SlYF99hO-GU0GOd zsAyT$Tn<<_^&A#igIwri#Qv8U3Vi6-LUV5Rro>xf__yHq=x|y*O!esg7wc*@&mHg^ z3+q>dZu+(;#y5sx1kzWTEYlG8l(%gSQX6~RIXK7K#f3D zu^ClaRHRi{5>)%5`4}2ihgfF77zRKsuq&KS(vizUQ~ zzw`vRJxLePp+M2HNmcp{Up*Jf%NEN~RIArgL{qCv*jT(@Y|&y%F9`OHqPM3!P~ZicR-W*0_lNov6T+zRCf_vr7W0 zoe;iED^Oxfn@JFAOxI7gw`l!9eW!bqPR`-NlS<;JeGi^X3r{{uCz>S>MoY6!mbOIv z`3E(b4j`F7A*z{7N(HYpXTci|8%d<1CrXq}Sv1^%%SalgwGGxuLrs}Tt(d4u6-`b^ z_m(vcR!PH5qqI=^`4=;;3^tcQIH<5nJ_vQcFbpe4yr4Qrr%P`#@_$z{+eR#;!VBX^ zP)nvpx|X#^B1=Y<3r9+__@Zl$nY~4#3PwpXMca}Y3OYuoNwGNh3QeJ1jh@M|ykkVN zp-l;HMcYVU==wv0nBfQlMQ=!KAmshe=r*wax=no;=JgDMRdl$bL=24uAm~7qdL5QX z14tyg<+|ZQp9e!nuXGpv5Ot*UwUv~qitlh<=m|n{mF@5b5kr1P!2#$L&*($0-+S}( z!&4X($LP?YkVNQhEaaS_zjT$M;l@NnaQ*0-0Ux-!K-`^j1(QJlMSVsE71)_rK}3x! z^5_nE@Wh8eKam7LM6B_fAc)Sww?CW%KtriMvXPJju|FO|>f@@D@Nk_J80Zcux`mmd zHlD6Pa$NZb0Kq72wJSY*ni2vtKA=JKJmvv=mis+uK`b@2Zj2(a%y#iJ)XggQI} zk0Ajl7Nj}j=w!``|)J5C9~@~I+)e}3OheDuGFDQf=W8mj4@Kb zK8B_??5K(0kdTXQjL$nibg(tC`#4IL<^2Xab3H?>Ng|K z{0dfwKUkR1I$rqkm9J1sH{6g~ILAAWA`)l;ZmXIB+}0Hrj^OH$ppFHiL>m z`(iiGI+mhF=opoNkf4Wsh~GC)1caP;oWhI0FJC zqoDUw=G&M7gQ(3OK>_I5WwmoI^%w!4s`IBO&8tmxu-=`oUn(Dv~%UN$Ntp3~z{fleG!0q9y|w)870Ws%)8^@r^2 z8x57HTQIDRLiJ-Y&@?768TI&qE-{-l_AiBr1u=3oIvcxaCOM-WkdySBmi+#AFMEFU z3NSO9;fr^^v!*VK^9nCAE?a!_3NJF6;EHx0v864F@(M07EaQOf@d_?6Ap+>snWEl? 
zjo`bBPaHvh1q$weF7y4P`MWC&iK6hsEHE&<1n`Q4Lsg}n76|BU zp6!zIK@|{n7dz{y=;7;`=v8v>|5_@ed_nJGE6*;LmPXu|0eS3zp?gZ-D_x-*DQt!U z?jtIYEqEn>)q1ac6f1=Hxu49NX^)$mL65a>x+i0Mq3psaFD&+xrrCRj+<^gks`fuA zy`Fm}%!6X2G?|~ zdtr7e=AR}VoZBNTfx_tHBv2@@bLD!Kb#HdmCF6OTjFu^iTb2Qeb!sC5L*Hy&=YAvW zCen^Xwe+GfqzHwjqAz3L+)j{vaURQs~tnUTeJN-62XP zXy+o0lC$*ad!HvISwfg&k$*#&=4Z5bkA5i)S%aQ@SMmPnlON)IedL}X3naYgTf#+V z0MjEBX67C*dd=hRA6p|ri?p$BX1mjQmce~(;L9ONHF)vVXSo;$3EH);SiC9Z1dC(uacl5BV13LEJ<#CP8c z8|WVYAINnHCzKw9ah(zd>y+qChRohiX~@ookzJg2-U=EWC;wFF-x#Q4#@*)`RCNK| zNgQH7bDvbwbQ@8cl@{i6ErYDvFJ`FAW{xWsd~*`pGZ&y5&lNav+6opLA(;$< zh1w2fhss5b3l&;&_1P8{gBjBlByzgh+Z9L|e-x-)W{30`(U-h{HQBynH_7#jyAuj= zrP#(4GZ=#t)NpFpixl`5A4u3bq+yn&683L|Og(>BAeME0=<#iTh>BEo=hU zBNLDo_vqtp=+hBzz1H3m0818lS?~Xl5$IZJ)`t=mgp?H#W^S#0EY`1JD8}Z9s}THc zlGU>jAQe9lNLwk@M-j9Xfs@4#7HwU8K$8(`sE$?CR7iG*I}eO(BGf|=uoDAp^A1{U z-P8ULYZHN1j}91EdDE8<1QXGb6%J-=t$L7=VQKh`rP8EE#)XRw+-h>tlMVn9Q))vE zs%kCLP7b>f(Ny0IC|1!85s-P0XN%B8gbQiV3=j)w&`4^r<6*k{(y_X}hX zF^(H|`i;kBUWp6O3PUV{>j^q%)z0<`V-B+k1ZSGgy9y`{duD41)Mi!Ab_(MS_E7l< z!d>9a0Sayn2yhrg0rW16>*nYfb;NYYx?6ki6eDGjK~nP;=qtl4B){l`Xz=Lz3eu;; z48(uI{(}e7WNplj2>T0&O9z}}GE=}!=oW8Y03nV<1})CZWnc$T3l;M5mp>eO0k}a7=!bav0N-F< zUsvSlI9LbdO~vti3Vq!KVzSB81waX-mIUovfXSf+4hiV?cYm`+XVeI^HS+^}S=z|^ z1ZW5(Mu#tOTLIj)JPbDP?I~acB%4GeZCp52*#UM1{(9)U0$|4j2gd#aU;oDg28-xU zr&%~z#s;o+@8~OaxAR_pm^@ntRJGkyLIm=`=Xmpd0n}J$#)ty--E?w8SpO=DjRxnY%1Ez8eWA?)rgk*A~{_pHlio>fI1NMR6YK*WEaoJiOSLjcX%_ab@b!+|a zx>{AjcH;pvgjyQHJE#Hv{8v=y!3lN&UU1uQqgm`#w@!^u^8WH-%a?O4gi{wdr2vg@ z^ZV~iQ`*4$XaGxZIB#3%W^YhUZrcJ+nSSo}=!0i+{^&8SS?I)V6##67_A&76`0qv5 zz4!TKZ0K)5?}PY^Pi>3&`26qe0M>gNYgM#lm=uSVs0Yg(8_fWz~S&O*< z`tpcx`}dqwGQ3mx!282Cj#A}AP!37&=SfWY^8B{(ZS&}d_TWu!yN~z$`f2Y<_MuHQ zyH&#Jy`rTEU-G&WfOF_rDx>vGjk>G$82a{jI`xZE)M0_A3ut3d7f#|v#31*mY-{wq zQBt{c_2BqcXRc3UO)f?UM{M@o!Vzny^8ibZxUcja_ylKa^TA3~xOMd6_rhi<^M6Vb zxHI&i_lRbAW~TB_Nsza$^Bea^_&3ey*>x4@7-?S3?&wyeuK?*}Ye7vJ-`uMZ=(bD$ zlK>D0QhZB5ZsX|W$@ldakY~1|Mcf$=uMa;el(Ful_Byj$@5u6X8!Zl{N03$7*CyxaUt#aX?Hom~ve525 
z@+BmT;zV_p1LzqwGwnP>vhMM00fumIStA^u1oxs}xN1og0k1`RJ{k^~HF_5)*{(H+fz4SG=4;T?$7} zLmE8rJXP%aV2kP6Ms=>1>I3ds>9RmWWYO(aVH@deMgp!Q>X7Z`=s!Tst?ubt?L%BM zTwDQJ=z>B+t?lSx>CWsq==|`{=q|4N#nR^^MPyW-=o6ZO070hYFhlS5e*6FEY&q$v zs_F7FU(e=5MB1zS=VXp%Yi=%=QfT`e88Sqn-{^AZ(+>#FD`P3W90 zn&m@2gsP(E59&^kC!+$q>fb~S+4D>t=YI{}I;1hZJW8L!{EU{=qHco#9xjP)_CsMbHSZ2+4&&g0@|1p|k8n#lLE%CBurJ;vUldC@)2#s0s%`Aq=1z$Dh||V&7=w6GWQZGvLn! z6DhikrZ#G2*cF?BAgZ87?+xZu34)E$xp1~YBF_aO0ItH=j{#VGr*q&b4>{29&E?=j z4EvKi(c+1+0xWvFKR4Eq>Y1<^h17g%Uj%6~hT&)keT{lW}gHS;M^Ide1k+bd+S-WQ=qmKcvdp^|(wE zTB%fA6f4Oyy6__bK+z*42Y{AMl2{|T9K6JrxayzC?gAZRsEI`x03`K}0c9%_=HqB{ zrlEls1a5c@*4{jFjs*ojNdl3|2dvbh5@&G{d8D#2FIFv_16$3mR@DR#R-e#Z0~;O; z#;^}V;$RA8N2X&HFwh%k!0=d?73LpqcgfWX3&c z&W!&j+?#i}9nu5A6cW}00y;&m09%~Tch}wvAkxI?o{<~yg+Q*6eA6B z_2jnH1ZhsM8Y%v!E4WJ*S@Zs^(lDtj80F6 zQ|RU$TD%RQ_+VI?fkcgXW}wbCLSDTrT=~_gm5&lya1}S5`G1gYzwexMD5BYW4aZ zjNiZn^9PJo_3WhVp+|0JbvDs&|K1xjUQBB5yZ3 zeD#oP^A`ALKrx%48!ct+!!zAj+AL(}Hx!@XbqSgr+Egl2&z7E{L*m7a|$AR2#x7?T2Bi2MA(XGb)0Z?p1*eqZ7XTV%Vzj`k);@{J#wywwuZ*hpVFZp2M64hD zgZ#nn`+;;UAvq_h$XHD);0sOhxLcO}G`LEK9tVn+i*S1IK*Sg*B+QX@90+;VP#Rn3 z@6V9xpf3wjSk(Shh?DOL#zOiD=fere`^P&dX6Oq~w15Z6^rpl~6beZ8Lsb|!iyF^J zT7+6;`kWxijk-cV13<0)2%o0*i9^?MuHeh1=&sQKm(SG_oOGAm`hviIz$FYaxP}?A zROBw_NU5}Im6LbUBSjIXf{#COW>)Rob~=~rx8`NYfl8(undzgPU3;n3_b$uq;t%gX ze!!Gs?$dX~V&az&GC=w;`cepoB`u^1OfYQ@i}1Z_Cg5p{sh}aAc*#ylJ3pI4;TFkZ z{;=S3b80iOJi^{^n3UGDZ!ng`a|Od_-Zizw!b>@NfCJ(V8$&TiYK~}+Dxtn6OCy(V zA(DmCefC6VP@Nj=c8e>;?wsQ@uw-vgKDfLgeQ%osFaJKi7`ki*Mzn+nCfD&cHO?XR zVdn~6Ni!L!fsvPr2J;=Q2Ogj;B!^N~lqc1DA9)B;snnl$^@H z&8dyRYTPp4`GCe5=)S^tZCnGpJUoA94=3ZICkP*BA9Pw2Dlu4fN|Ycixt_;bUot*Y zJ&pLHW&Yr(aJ1s7_keQ{QZrE7Z6g>d7vu>yg-a+qM0sT3yof)L=B0@L6hI&YxVErx zX-*t6{v!8a=Dmf{ zO?dBHaYYQo$=%vEW(VYTf^{Wg_b9t?1cif3Y&jb(+DFI0)VL#Y1$^Je^Gxjo;{5lJ)7 zJRS9W3rcA0gbgCMj-AmK;_&tjiSLTo$U|c*$r)b_)h4h z-KA^YaC>a1W96AcnucgOy=csE+=xWA6Wm9}tU;kC7_LZ2cw7Wmz!GT^tC>Kb6zg+) zAm2QI+6UAKUO2-v-&t@Ll0bgq#0+q>G8U5D`}!>xY$KKFvM`JG&Z7X&N$( z$G5Yy%X*z-bdcaXw`us^5CPqA^1PBm16_Lf6 
zAG5>G;q9qVn>Lz9jty_nX#c(^m+`T$Trb3J=|)*#CPrUP!}Yb7<)l%cE+Xa_mz6F` zl%0zK4V&B&NS_NraT@9(tR95II#NHRX^Kyel}F9ty-X-z!(z#J6}vdg+(3J7UABLE z&;?h4(rA{a(Mj*06g!ZlmbsTZ|%*DOyV8xVca%o9n(96$o z>&K?0l|Va!n!m!9EOtRrF_U2)3WSEsy6p1dkvoVPwA287S^&26%}6W+{@tVav^2@I0&CSw+wB4D zw$4LQm1b}yzHo9Bvea>~F2J3-AFj#d#h<5T1^v`_*@5+vaO$5zY$G8y)`KP*8HTAd3>*Bj?-wZw zO;)+8P^uBj40)Hk{^1)fZgb(r&5q>Q^$M0^&1OCJOHnyWxXEhSgx%lf0VwCa2D`3Y z)txjf&L#P|18g8x5`tsDqy;9BWGnB0N(RwHuU7*B^#JC}8yI?e(_fo)l*2f;x*#T# zm>cL7`ki{DAyeGd{zkE%X1G;igC5}H*`S5#ya3KOrwe!4ta;)R2D_G^>U3K%jnf3> z*@A6pVRAg>T)>UNQ3&eztZ2QsozyB*zm=#}cbzpcQ!lWY6XB)eekcIASqTc{*T-<1w9 zTkH*9)5Y!5X2xYLXp41_QR z8FhzFy@}W-GvzjB@irOA=&TDh@lB)X@GF8pG{yuYuT@3ppuLse=ulTQ!{>15)P#El z#nnZKq-WEZfbG3_uoZ#>FgX4LGYc$Cqskh(RaP>NKX)!INVyvt&+QP!g69Vn0_4#e zjIQr2h{kw#i4XzJ-Qalqp6P%Y!D;8p?i1WTlmr_i9nz>n46tZq09!91?dAQf{2v?$ zH8k}IA6@x?l!-AF$JnFsz2qSR!x@J|a5Nn-SlqUXIaK?sYz*%XXQ59V;n^9#?rxXE zAL4hQYJjEwd5q|!V7hQ)X@UG;wO|mOx&bfc$#jsGU46b@XD{e%z)9X@D+iFS(+$tT zIyV7wJ>xW9#`{E`A2*@{OK}4C(+&-LXssXlssvu2WIrI8jBLei23?9tI)gWhIE0zq z(7+yuXEp7{eegEAXy5sPoO)lr&yG`CrLT0{|(_|%)3d{|EzaQZo=qXZqB2QzH7!0nS3 zo1JN>Lj~-?#8(t!<|h@K#mZT5c3@#KdS!oEx}I~4fzrl@M)&F@E}2=>qF#hNgkv(0 z!cPX%5nBL(e!39MjeXA_m`~>Go`2jXIiY#H6B*Xd6_RSVxOLl**;m7r21e_4FK$X2 z@3y@06NaF#lhX;aWGD)`0odOC%Q*v?YR6_j%C%sW6C-*I2=`j&h|%FOpVOG^i?-}M z!R=A#Pa4ND>%8A`lL@asM>>j9@p~Al<&Wa&GzKbGrO0dL9 zqvOp`-6C8Slyi(3oyy56{V$L=H-KMxc{!q5Yo0rG`E>dfByXYBl5DI`DU49IEt0gIATm}{HDXy?@DFLMsMG==QkhfA3 z&>O9V-Nw;`Ja&Q@RMDrvIEbPCWBg=|Hm=@hUK7jXkfBBw1PvQ<8YHd(eM32Xzk$V_ zYM}bDWtRvSD`SXd-%>40$*>CKV)tDI@IO$SmVukPHw!Vs%dfHRst?33Tzr@vz1)dc-F%@OoY z)()=+sdM7GAhxcE!(+8nBdJ{BJDQF1hS_WJY`GK6BImljwhU2?&-%x1eU+VOr*DoJ+=krNZX#wIpi{-1) zD@>4p2dx}o1O*7aTq83bW{T^pm!>q7%JtUSBxex~hPO0^=F5wevG1C@9gRFn%VMOCLS;~Bkd1sC5nMGuXclQ9WcyJ0ABeL={1EZg zAi)ly-+RZWn~cNqLNYLneov_Vf_`C_8(I8t9?dOUgwi&hQS<}eFKUo2$xB;FEb)^m z!&9ct>Y3+-RO*M&R5dW!cMRS}t;6IJQS7a;j}JfVXdBZmjO)f>dn=`1h|~t11xp1^ zvzsv+BC<$V8o?aUZ4r_&|21SQgFL3yk-IPSdoNOT4Ul}AI$)cd9qWLKM7Gr 
zMZz)=aRj6t=*=Fmz@9_(C*q2!kNWJgwh|1oh(}1+0ex`zUql35D|Z1d2Eu&8IJ=>l zUqMsKm!d+mP{v_H<>%JFWS8m=z|;?46R)hq+;IBR%K+pZRLJrllDqe$A)HTPXi356 zdcRO;P(w>B%Hb;%&m}bn+7|?^VvQI}e9%F(xxB;Avxzul6`U85qaTs^oDI+ll~$a& znO$%~(RWM}IL`gmM_^V;3H9l@%cXSxH%Nq!VUbI<8FmLHn(`gJKo1Pgz20JGr4Aw& z%R0YTk1FdpcsRR=#XL`fiB@IzHNa{{GxlHUT8e27fu4mrlAndXPnoMe)ODh%KKSl} zz7-ht;)A}>e)&-j;A_}xK6AfNep)I^stfEcwxXJ!Z=7>5XZY-u3?OH|;^#cc5hI}+ zvJVtd)SVr0is5ns=wE**7@2|I>Sq)PhGl@4mDPnL>l-6f;SB|lsM(xW;`y^qb){yO1ny2f)YbB|f`6nJZCP!Nb9(YAnWulLI&4g#Em zK0+C%W=lnfUI5q(uLK0irJk!1Y`pH0-SP+dq6ITQuAOPQ`)Snshn(DzzHC8w>@xMs zTD><)7?q;vJ|UI?@+8fsm2VXezR*aC{P3?_DTG5g?$_&J3JpIisTTFQPyXh@V+AG! z%sH;1e0?-EHE`qm8q>*^$N}n@F)x8^eex2A{Q?fitt|<;4Te-j=zuG4I88552AThW zn!npUw`!jMn#F7k@TpUoqvvH+!hvY#n*o5RoW)XwlIW!u9_~c6ZQh3NL(r% z-I12QuUKNZ*t%|>A#Hv@9ho_%glWXKOUQY>(J3reE?5Eomg_#szhoBFs(eiqvT7*yoS1TOhI+M#@UdD|M_Ps?B!6WT0M#Emr0KXdmkt-aM{aWTM_@*&y zT3=1XO;lW`I%n_ASwJJbtK`Oi?C+NV+)a~xb@87&1=?>e~M|S zH-Bsuz&h@Qr+J*vO~Y^LYkPYNJf1DzP6^xBVh>^gjphR8lkLst?Z(EDB0?P*I?|B<&qh&a`ZpU6~<+Rp}{X^zYpW@FWm|W{f|lOXU##!4ZH% zJOS~%RLt2!&)?8W782^dJiRTQF;R%L5(*l8|0YYtbs3_AS zJqAwrI7|APeLF&xSvrp<`V=gl@9}_)0VvZNl25ncULc~O$QXW36&fPiA(B+IhM=nN zUG;sgzI&yV?(FJQ-aZHhc7j24Z0y~Y=D4vH&xStD?W#H6THJEb+!D-q2J=B{qCtEf zm-(a#$1GPLgdZFMD@Kcg%50p{$ged#JRm&ZLZ++P{VonS(UML|{Z{ZHO^x+-yGQ71 zfZgr(O5IlNjOhu~#N54x`{vrkY}=P|4WeQ}{63yRa6D5{HF1lsC1Cmlw4$q zAk?YogR?&zBLL_HbhvvyR6KDHqGBfqP0%81ry)cYQrww0Qe``UeoLuE?(#7IyMRwA zzmLu^79dKusQnKBjN5iFdU%q(56yLe$81HqmOoKxhFql`0mrhT2(o^DB|CKhub#Wx z`npSmUeExeffjY8)uCBFQ7SVh4HjR(cl^2)F(wW)0#3PsvO^`S~gG*v)qi7t{_L7W_3 z^zq;P$56Ym!>b)->5R`J?EO`9YlUY;L8Me(T8fK zQG{fQiMu<~5hp)GUpRzW!Y7bPA_%fg11=&boK=3Tns`X^S+?bd2TA+@84ly8vI(b> zII|Bo2a>FHMrOC>_O(cGy=$M+g_AO?;Sqw-dY}!1H{DTJ7R3H@(>Cqal6jv6P08g9 z3*H`F_{^LzQOCDkmdNG2B@yGMi;inG&>ucy{XdM9;gS3ENbFQd8s8(klg1Z+cfrBG zOsi#KAA4Mwk_jQg01Q~5h-gB30y3_HiRVA}RU8IhVJQfVCU(*tMUe1^P{#pFUsJQFA>p%7Zjd}Ht-sJ)IOC#?` zS6tKZ0rj48#^XuGK@|5y#ZFS&X!~2bi@rG_jq>(%x1>REb<}M@LUJ5v;^FbQwa{Yb 
zhr_IHXXJy~*roQpE*6k{#(x17%{LEI)c&0BE9H+303TAly-!!CVnrJ{@WysbZ_*!< z6;#Qk60`xR+FV#mET(o=RLw85#o=O%z&mX@?GH8yYX@=N1qJ$MLj~p?uJ1~C-gIEX z(wk?E8_Jmt`|oWWk^+@z&ze)tN`Qc6#gKS!NTqp|$28%D5{)bWCl{-!;tpnnXSn zi*I{Jhk41jZrZ?S=BajpyvRX{x_}``CeWmhUk2eo=XXCnk@IQ^Y0sD8&F0?ZiL+$mOQf&102;zWF(p4B!G=6li}oI(PT{pPT!?+;y$lQ z{5+U;O0EOdjP77JmSx@w8+5f{on0#=oA2Osdxworu7esNKk z`;+Ku*g14O6&CV)hiHbh*y%V603lF>*on%PMbDs_vu4?hd=#HHs{!u0F2jA0Gs4h1 zc#2OaVRYHn(NT#sr&$+YNJMTlI`%LEnFURXpevN;6-E)|lSzQ}vTkh&^< z1UZG-A@keX5SSAPL`ZLbL{d&xwDrWIdg^aLv4M`dOo$&fBU(G^v)HdKe#vsbA_ImA zuNGfIA9Y0%1{E)$6~!@7$|Uo7wy3|7`A%f4&)jgX&o&I^<3;qHAGk#+6+`_Bf^7@I zz)=rsZ=%Xnt~FzjyrODU-YmIx(N10w1i8eW^n54n{^9S- zm_yB_gnS+lVe%|oB2VWMMYXi+#=dD&WImrx%)k4EYrOT zW*XRvs;?u~j(bY-#mrfOVO$Y}h?5Wqd?i2{KjKD#^TR1$EM-eM2xqZJB7+(@DUAO7 zJa$hP{Zxtwl1X|4{g&rGLYYp%C}NSX6||H2hB>s>ib0=VqtwW*^Tj@;e+i?ajikh1 zVUMr6S;yuzfo2DNk%)_9Az|@br#Rup4hoJDwjkQ!A(bf>Qi1%O&=iC?9xi&_n4olI zixzrE6ypycjYo(B7`36xF)MJ_9NNb)*-og^D% zfE}GniI3R(+`v>UcSGuj_6ZU%bI2?Y2buFnN(_vG18V4XaPc|I`uh-zsf=0Q4wBQ; z*%Us(c#s}OeenG(VL*J@&}FlSA`=G4H&qDpbB;~?7#9$i7@3?$`e^FX#j@%OVa|+Q zlCOS&TMw@ZA3*V`*i>NX;N)_Sqj+E>Qo|1@nj^rZB`E<2WCDzY{8@dM=&>AP%3Y?L z>a^;DB!Ec=N{Qe4i8rqqW!{%4APJskcp1L~-UdAg#F&LfzGh>++KP}N-yA@M(GSB< zZbJ>CX@0Pp2@bEK5S?OEJz#Vae0C`=1$Mw>VRJe>Xy)@~t^1bd1`alE*1APb9IL0^lw7zh{d%T3}HF|L|F83awl& zhhvpskYi$jxByR){b;i*I@h!Hi_b-yV;CcG2Q`fOC_oE2XM7pZ(7R7tITDvFB+nOc znu;?iOzjT`u0t(`?0y=%WC#*84qYi~h+_!JPu5ma0AvS7fQ1ot^Nb2=Ak;PR&QuH` zvA_q#krefu&KgnJ1P5eC_zgW37KTi|0#;o;jyR;W?M9?{_v*hHoLL$OO3^VyX|h+K zHVg9+P+P;iRj6_xZ@@NZ0t-|Z`KgSHgshXR#zooJck6e=4Q9bVonlX2oK=^DH%nb5 zZ*gc!EU!@`*J7wo73Dv!yL4W_UR}ANrs>dA_n~6(E=E6<-Jv_D8b6mcPx;2vSO4f& zYPdgoWZ!`&iv{>5nz3wLW=P`d;u3wpbgZW^5 zveDz{ldE@628DDoK^a$?qEi(-EA-+U4{}0Y>68p(fBsDA%I0PE89GPx)gkj2q2zZM zH;PS88ncP0;B+DI!NkPSkyTkbZ}W^ea9bBp$?mqNr;&@C7*c&w(=lW7kWjy~|Kp0m z-s^B80HA_`2r^DOpI^xBB-~P7qNHP{ zGP@=|D%j*X6V@#Xr3#n^+#0Y@6)x5WTODyIJ9| zSe*oq-?M?+xDwuHgnSn89m0bAe*b1h+#(2oV-V;R(;nTkcEYg$5yDXIf2e+OPZ`kh 
zfstU-&QD4rMo635lm$bZ^G5%hhC+w(r}}g|J=U+mx}*fF=1)$a48DgIyw|;WK3Epo zVjA!*okj!8GK0N+m}S#crUeEzy6)jd`p5_B(Kie>kHN<2E?L%?T*pSMMyQdBVxzmj z=!~Gv{V?0nQv4k?pZd$p8cOIWp(_7QGwKfWD_#s#AyHP$>h!_A1U7q=2G5m23v=-8 z4(x44>e9U6+PHLEDE{2uk>!aYL&VD5m_2642cx#y&2%Pl^#16_y_gu+F;iGBKGIHv zz+m4Yg+>7?YlfCD-pG=4noL5GD@4-h1tX?tu)FcwG)6eaErBUOGSh(KEtPDC!(CxH zLl)tsCn}L0wIi8fOT)_VmRo}ai5f`6VkayQy4xyKjl#?!rgjRWAL#c1MvX5)Y>4Fw zsU&-j)}%yV;Pvc{DN4 zUiocqEE^r>zYZ5pZ5pH^TNd_p$gw zZe~C53(PM7zgE3r!RfgvVs^K=Gv`>piBrr* zxWV3XbqO3KT6Et8{Dqho19Pg{8j5Q5&<)$3J?R|hDVDyv6yc2I)uC#%M$Epd& zt!_eXsD?w24GJ2IVpPcal8cxEHjutO!V%3@Jcq6tm4Fx3)I}@8jwCYDhtm`!n;M$8IV`9gv+C&1XHgKoeA|4=07z5$;e+=?>o4L zaNZHp_JbhosmS~K?CsF2ll+SIU__FCy^<58*`Nuv((^hdJYfRl zh8r3m70nS{jzxb>WlGD`q`gJX_Y&5^)nx@D*D`R8vvCLM!&PhIF>{y!^$LOv#?{ zL>Rr!Ys*m3%9!t;$NkMbh3|VAn_`s%GUyHG*h-@Vd>3$CWPnZ3^S3_qQa9_$Wk80I zE_FkP)v9^s@jQ#h7Nxl7y`$Od5@VA^BVZx?)ZNZuQ8)0|#~boX zaV=x2g&W{G^9Rn5Vv+%i!;*)<`$e$&uCt%QTExiY-0$N@A?eG^Ti&DgryM&}?6bx8Lym*C0e> z!fJjBFdmLJ7=L0{%?5SO+9%QNMd50~eNUJP$Hd8nsApHm&FFy-O6M5`)cS&-qg5{) znQF+NU|nMl4>+JXY_Qv)vtZtewcn$DMO6-9V3!~o=WqZszy|zFyw49{F)QCn%_aApR3xg8#KKzG=1gAUF)YW4k!KJ7p95j~aB zXxxhtTW@Rza)LqH2uS~q#N524nUQTP2s%IM=+Te1q6YDu7gn#)&U+h1i3N!n5msmo zo1~^OHEs0MnB|s5cL%r>N*eK9M6N^w9*}+ISA6fbodEDko=Q4VyKU<(_wOy1pi~|S zqi7UFkRK=8F`Pp>fA_iGF4!r3feja?V5X2*f-QCCG32Z5s!QhR0{C(>ZE1z17Drgk z7-&Xp;qjc#S&V2~m2{iCCIoLw5O5w@q&Dqi3nRvysg3yc1%K5;gr!)@h`_ER>V=5f zl(N^vCi6WE^hm$6~4dxc-!~g!uMh>>4*~clSbq>%tw50%VK0)IM#4B=~cuCv2>?x8QSNc!0E1>7A*^Z=FNNt z^A}C`rr;sq7QZixpNxu-lO_HjF9G}dGDA!vZYhH?jb*!CA@(rbXVR{a^OR5Quig z5`Kdrv}DoI`J#zM#jceQhgZZt$ZI3~nrK4%B~#-Lk>c+Pq|De~2`%|+D}$B^L!b94 zIYG^wcev2uWbPBUhg@m$&}KTY@bnNJ$)iax43TYU58v({q~Z3}kLSbOzFk4ny!op- zRdjoX(%lo(t^kjjbf2e8TkQ+;wG?(jS0?QS9fo^Qsp7nhYiDsCfMCTTkM<7ET)O8} za#}Y}HIw`EnR6}m8RPAXBH8CmLj5g@oP@l$h_=~+`S6NH<0^lp*x(UY%`(;y8$jbv z51x-lbz!b9vE`a=(u1`8^t``vB{V*T^^oAC_0i#L)<>52o1dU&Wv51<>^`>c@;4g) zddB0Moy^~%r6MhOnvi|YD)TLcKQ2V)^;zTmS1FsLoO`4l&--loeWJ`k8WPhSj#;O>CoRKDoLbZ+t=dm 
z6}Qq2q5ErXj|HhqZK!X6Asq%Ye(tMIdyAo4{9veEo-2`U2HibR?eVCR_~we6%Yd3T z)SnX8?G`)0g2jC#Nq)e{moJsdPD^dhLAThZ%a<9&*g!Yvx~z269?O-KmfGdbEK6+) zq)KI(p?04Y_l-`^U`Ej0wA7x^sU)`fbBnh@ZKy8R&n@oiw4uBx-Dq*o^tqR;ZSkU# zO`u!cH?}K@-%8?{K(|<&bJXS!mB==I?y9xz#`d|5tnDk)ovpU_@;(V>=uX+Cq_q6< zCCubxnDz_I7q=BFFk~O*Y?PFZR$nUFBH5mbv{sX3+ONPFk6GrLXoq1JWJkchXk9X} zZQ&R9;o97lg*X@GM}sZ||48|8KEX?fT3q!r^kE^o0m>rwGd<0MP7??PWLCz@7A)|@ zhaD&8>7Rab>EJ{P7f?{+ka5HqtRY0C76aOkKKsS>;FHuPdA^8O55yLc{H_=7z$WCm z2eC;Ff(B*>WGh5;#(Qf4-U!$Nu`}OlObH;a*_w{u&0;Ax6S*kKs|*9eNX45?Of9b{ z%dS8H>amD~@|Cu6I-6-khl&Dikt#TR^#ojL&<3TlfcfsP8|&O5FUoh(m1j0O*7ML4 zpQ7kZdzZJ-ej}9DOVimB4TjEHVHQ#ocVq&EyBQwLpGQhiu&jZP*3oZgn=MA@up?o# z2E%k)sRWN_D*ukefjLRm2Cu2?k^6S5m#&EUdaJ0F{vrp&Nb34MfP-^b@Zb@UY<&$k zJfpw?bCLy@>cXpaPTZ6J5~&HB&RXkS4q;X5E{CD?v$*rO$@bZus8pupn;2n?Uu&P| za9?0UAHHPK<{o!6GyU#BF5Ufly9a5m#gU3~KDnKa|!SLtn&G5IowPYi?Zd)Y%ea(0I4Fsb_49En7 zJlRVMVFZIH50@wPsrmQ1TcN<_>F!EV#8>%)*2l`KQR(POk%e+M#~|Y-NrW>hEMsDa zm`Z+zC$LpH+pykyCj+fAt zyIPy~0@eqokl~R^)|Jnl%P3IlK!SpK-6Ch9QU^L8I+treu+K_QA2>u=Y+#Y5Fz)OjmI}t*$MaV+b9s;+zjH>) z&4@O73nxT?4-P)WmU5^?zmS8Xj<50ptv_1rqPg4J(Os)jrd2oU)HTkr#n^pPMeB;@ z=3l>u1(8h<61|P-f|N3#zmhlF*~L|$@59zoVU*0^*BQJi&SOGp1C^NlEjkiDQS?@L zEKC|N4(e%ETAQSLij~$DMm@bsYr|Aet5<7lm#t(l#?0wer6q z=@Y7$h)@qLZiK-4iwf30gBg9`^XkYV#mlS22fBB0$P50VfXP8%i?CW|$UiiI$BXdz zerv&*o`(~}6zXG^dh36K6D;@DU)n+0X`92awYVczD(=Ic>Aig)u^?knL^ zG;U}7ukIc5VFGn4;nDYyhZ0aw8$S%{nN`)K+JsSxIAP^N>;r{JV$??b((3aftF^t( zNJ;5GJ|MaLt>MorgB@WLx8xyyz)6XyoKEzB@Ye}i=2FY;BsKrR=JkD@v(AA@Vzs-S zdF@!+!r+?IN_8^A=lI4OH^PbtERv!h7yx-{82GmY2}z!1GatxoWb z6d!yceDb{}UuML-*Zvi|pdM2RL|3}5-9_4UNVjzFaVRE!UMUhA$sP$@f;eibacHKa z5PCbJcREFk?E?2l_})4NTKd?c!U0lBDO(Ys1|UPf72|raDolp=3)gxF!qHfBW~?xe zjh5NZR6q0e;DpndOak|K6v8UAv(+4x^krlkGjDLDu7`uC#&}HJoqj;VpP^r}C78~L z41x;K7$aW*H2wRLM5ZyAHt)06yXb$p;(BC%t8P>9P8o%ab5AK^!7xhDAPYP~8Kw;^ zj9?fjpDM`5YKr1Q`WZadTzL-o^kjO=)5b)o?@f|k#Cp%4p${C8HnZ(9q>qS6I6T;3 z$z!%90l-p%Wzpx~`9CdzdN9`j*`svCXJLyMjoK+TefP2sVh0q`ZyuasaXK=2KH>Le 
zgvj1tcMNhhAZQMrcqW6K9Rbq2F8-a{#YX>#sj_Ir4NBellKx6`2AQMEvl4t-+NDIi zisUDR-#-Z#y^88WtqKTb@FuhhxLXz6#|*Ox-9|+$b&vPi{i+vbPfz|^FjyeZD*fQM zoW3~n;;sA4Y_&6_VIcb*HQto`%7A+5x1l)s+p8J)$=k2+WGg{W-G_Z6Hk$N{l|J~C zylXtNj+R6+ne?|m@2YlkcRTDmsQ4>LpiLW<}rSGo|kuAqeMxCO2zAh)mao0U?l7+reGPk zy7bcH&@f77=)UqIL@2%Rsa`Iph@y0N!}oiobg|^Zo~%-ZOd|m*WEwe~5jSiZ6R>T= z*6rL4|L)9a(TE=Kdu@m^Bz`zSfDWX^>Z4nPVdFTz9AReP<5KA1EQI5r(5Rjwa1fLM z%IRY{0e#Q`JAU+Z^%rc*u%%Y~fM&d&FRQD}@RFPD*EabOILya2h`_9>=o9 zoZcB?da{GXv{;5D0|-1U>t_P?N2I`XhJc`bGxq%KEjygrk+AZuka_6M4+Ql$IPn?( zDk@fB<0D#SF5F=OlI{DkKX8DKtCuoa!(``f=XoraxMbb6>rV>6`b`wG^FXa>35anbICU@-8!2DhAsHcdMPd zeDF`~m0ybgxR69uPX|vz3w3k46`=vZFq>jS;b5>oosNClWiN7KIo^GGl@})Yj2tnN ztZqcP=!SlidcajLOq!}D1`km{y1H?h5zOaWAsBOETWOKgkb&Sz20NN1kI}~vka3j) zhUyOM-TYjF@e4fQ5tPr|8QdX+b@e>```+9R&jmJ(8cpiTq;eSzKBK)_f`pNJREgKH zj^zUigHI9p6}W_dWx_J|>EJA?I+&jaZC(jJe?5`R0#SM?@Im#Fn(|2Pt?9c~PGmJZ zEEHAN$>K+$PHcQ*AQ~Ws4HLKfSi-?Pmpi<Bxel?9YeU4w(*>GDUKX%2=wK2OywQ z%f(LgU`Un_Bvmf}jJ_DL;Oz$k9)ey$u3O5&E84_u!1(M1E(IVU-Bc_ZoJfLJi zMS%!Y&{tR_0<}Uu;A6#u0!JwxOWJS}A5~!qoRlC6#8MK~mpTPb1Ou*sAt+yYkwj|Y zk1479Er1SV%4+*oK*uq;P3>PZFkHGXPZ)5^GY*{)oj1atLu&GZFieu+1Xj=mO0)g~ znD0hOEY-rU0h&^nR1kLqAAL%7SV}NlZirbB8L8hB5ue^lX7nzC1!0T8JZav&_` zCPxq;yI*xu2AJk69;K>C0AkuBLSmFE8aexHvz=6#jm}ZSA}(+IMv%ydV8^msLwNu_ zK<}Ij3e|dQ$MiJZS4FjG30=}En77BZO^qKy4mx5oYQzOO5+WmT3=E0Vi;(KC4!S8u zNSJz|zg`9l{Q(CWoJ7IDo;0eIizL{RzH(sth^QcLv{ia2)1OcHFrOuMY%eGUunCu( z!l0l&MMIXLXvvDkIEwY|1ET+OSu~&&z^jesyVUHmI0T@j%$+@~<1}Gj5rs-9@Co^L z9^_!*d7joKawKj$j7Q2wmsH{~vBT-9&Bdjh2|5NPCqNBA@y`#R+QdSV$({ysB#A!& zxqVAT6kAq`G{*Ln!;RlYwcX|a(k#oYP8CCnWrChdp(%g~2t!ycwfg`g5d?6-{NXJ* z(OdcaC=vTsAV4^L0_8asU*75j%Iz#_P!*Q^wwgKOw>gk%Bb|cyo>4cjIVh4fB!y0A zOb_6xC*T^DrIF`CU7QS}pT#^lR?64%bnzmco%-zb2Uu&LH>jJ=Ak<4SHy(9Z2aivy&tpW#Gv}2L@*~UkOgog)Bf+78nCt?h<)sI6#oE zleI>wjv2Qy|yYP>72{czqtvotac{=)e`a;X$OFs8Iei{qk=C=aWx9bxPoO!FqLDHCpO+!4k)j zvG4(WE>;lioB}$&p^mq&(NntlAbngbRp~vcBmR}Rl^;l`wi-~sfOE0ndTW;sf*{kI zut}NQqz>ds{9gAD3(8|od?gHSB_$Cn96780qxtfQ0IMi7r{<4<_`^t(apa@l=k>AG 
zy1T)PDkb)eXl_9M2PXFty;&mhUA@&l8O?5c4bvDu;ZC3Y{!^G-cN5=By=XFZvJp1K z2+tWw@>LT=jM4!)AQQPeuBeyyQE^;2`;F`~ekBCo+4+0+)u`Cibs#;)pV&UzqRe==?FtDuv z2EP(ir~=kDDmeiaCG3XL+FL1f! z_p699H8{>CZO<(fwi7({$DzLO`1tomo=&emLm-8wdIYOYY;WdbTGl_gf1E)wNRq8} zf-coC(is`%M(z&H`&@u_xHFl9n%*ha`6*?Q09Bke6N-j;)RTT{(y5Q=j8Ya?sj9E_)PFZV~ckipB>*w%;nOQqfW(f0V!bGs&bOAN^WM-JXm5sJ0~slzuz&IAJ3I9@%zv+=1FIPngl|}gPUVbD5^K~@KR{%E z8;WL0`Xi5oc{5U&vG3B#zTdr*PNA=&d17faZE5^HTrP+VXo>;+6d=H8&@c0aHzyu} zpaKWtacQd-54dNNdyVe@2zy6LI%*Zq9~7asQM&#sgg#5(N2OX~<=UIBJYzb1VSMnz z!y(3w>BiR%xNEvSbA|FygSBt(@*vBvqtw!;hSrqp9eY>W8650R-MFCc234Qy(UPqf zWg8QZ+;+P)Ld3YYe}K@Y#w4OwvkCY>f@cOEr1q1lkV~K&5TFNGj&oG{>AnHWe&wxH znLZ%8-8z2D99@XG6aqQ?BTZ%mQ2`R@P+$)GVzM{MM*H0_E_i1>K9>)(mA<`NM&F#c z9lV$u9 zR;nPN!Kh%r>Q$&Rb~*2E4X&D-pANNJM+Ft6ogg8mzDfqgwiial-s!C$`ai<-)*O!u z|E=F}QyqR^DS!Z|@eD=)|EvpXYF=aFFgtw@cLzs$$48!;R}D$+M{R6EiXbVL5T=Ms z@l)8O;PR#5N&&W(w&q4Yu=WpZ=uuzcu3?a4=&4wK%pi1MGnqP7KEMWSHsrt`Z~Rf& zN%zX^QpFP}CodaXRA*ZP_`M#ZW(x!lUOEeLS$N7qV6*g}p7kGytII?T6Ed=_*?6yrJJX;3o!U5;617!7BG0f5{tPZf9{%qI1&3a28Y3bZ>KySe_vXnsHzmhnG1fK zAw3j0<|2DY?I^j+pSUH>2%H~zR|em`8gYusRDkqZz^AAQw{hke3P_%`&!AFi!w^Tl zkgryfLUt&OvQI*P16=Wcm9NS!Z)DQ^9cx!gE^GWNYQDneTW0lrb0m&M;LCi`H*%L1 z)Zp1mC#O>zwzr@I182)U;WxL@N8wI^O;+|T^yBeEuL)V?w^kJS74t3$imVjxy0RP9 zZ`+@SjoWAmcMvB`j5S zk~!bJ(=eAeXtJY48aMiMfOXnPQY1#K*5={bf*v_fwCx+mNgt1!;g}94sw-5J2>JkX zn_LF8b>?W14W18eka_9R5KPL*BP@L#MqoI6G^ZX-ko}3s&_sA1#{X7sj&Iuo`Zi4(JKGs_^zXc7Gzt!HA~kPXq<)+=0hCeez^V zKyHy@Wq%w3DL25Be7Y6~CFVX(I+Vq(DVuOa_z|?i9yBn3Xo#OIT*0f2Zl_dl-~~n> z8t#H^($(~w{Z1e)Cc2O+F?;sU^6?*J{vSW~)?~I>3-wosYC{vaLWu?$mqA09lat>B zPPda)L8{I0Zfk-C41HWfPuEl0J<6}~qD_OlHAF+7hY#g0e!-U7=J-u!?itgWlWw9@ z$l6_LQpmB11^cY^<-{iuCSW+cGzJ>h0PX{WO6~aymnwaMceXl8!2;qwZ3k$vbo{;GkNkrj% zR-A-V#!Kl!7@~-eUaMfiJmaEST0}mm)>K!W-J^Ma(0A!$l-cj1f<`7{kV~CG1ZbB) zGPsYAw)YDouT+EtCh@`LsOnNRTU- z+ZqtsxlMRDu;l<6Q{sua&C3;Sodx*F2F+VfNwPRv13yTzMzlw=3IPIfsC-j@-?0^E zYG?e;;t#}FlX$7xB7AOjnPFbT6KIQb14)z|QW90PK>&eZaF0_U`!>`;*iM)j{x&-U 
z*ip}B!YMlo0`bL37L&Up;U7a=BmLsufH#5uyB>^Zm*?h#2=eqCi8oKYkLO7Fk@`1J z%JbLRgGY5G>B*nU27yRJRG|5S@Hln734JJ|N+*N?6)*)~i04MNiK(+ZAq#xDfdgQ6 zGm6$P!m6OmOQzwfKg$YHyKi>>z&1^^s{FJj9Sc&7*!AgtJ@7%hcK z%IsFa?^e@=er|{x+;Z_q@wc1+w1dQTkuc)J4uu)?Zm#D0>sBqYzf z{FyY*T@gyTUTt=ooNnWG2hOR+83f5+l$mRTKzT`m=6@z}@_j&SJf1c6TpzEFZR4u_ z*?WA-!QTS!^7&T%`2?Py#IouSEq$dWC*0uvu1vSA+)G=e20|JZje^hMD%aqGJC$*w zFMl5GdKhDd2`EoWs5cGylT%1qU;MMnlN7OxC>5_d`f<<^H1OI$W>4!JLUI&0h;a;6 zc>uf_6c(Jme1rFc`KYyxq!1em@Uz|qr9_SRd*=_f*QF*S$*A1sCtjlOJm-)~4A27k z9Ta?WZP#6XBc+JOreJa{8v^G?^Cf-$-h9;Bc<$reTb$~G44spwrq=dN?(}EQ9F4QP z-g{u4nQHGV-(|&fV+vp){wr!FNexzLYrMSb9eH|h=d?vMwI_HyYS_?c$;C*zFkL81 zVQscPAzdC!K9;K#Hd9UoBw_9!wo<|IbFYlQj|Yz}2da@sMHn0>9eEf4+ZiT{?7cnu zgCKHtO^+!;d`!WSOI;lU_+ToWvKp$Up1!XbpJD#FW;SMrO^cvBWi=O?%2s1sh>8k9xLc;ODKZdC=pi3@_4>uWPB!$b@MMqo@-UqQn)Ev~8mSF~V z$$#k;-2!uh){IycbMOWlu;|D6dCaA$!W}Z_L5P8MCYzFNk-7k2K#+F^ z`&=+E6YtTPPQep4+WNunaSuCxbfxo|k#vPP4CcA>6iyozHkv}N@T5?QE9wPy%@al{ z$bz1|9*jc!tRQN{8LKT-uR_WL`6Z3|Vf7(&r8o#kG^qd%;`9o=Fj1oy7kRUM0N(WO zP5UIJ6anrPYo8dZQ37U*ZfnON(VzhhFO~|tn3_qnr$a20v`P4&IeSMIoD?dR+n>Ws z7Z_Mq4Gv5w8puGw#@=bn1-Kvwg-Tu(d!_ta%%0VN6{_1_s0pwyHyu*Lg4DH$>ByXE zJxGU#p=N`^!CjUJ2)m~N)NnvnOgasLldG9JAqwJ>2+d$q4({<0TTTq1;p)RRPsQSU=4N67 z`3q1@KXG48QW-q&SX%(NI;L?F7XDms-t#=6xdzTyWajCGdi#Vq(h8b9_q*$Ba_NLQ z_u5{@U+)t%`O;GNg1N9Df3E;Vy8w#TyeXFHdHIt!j#{uuvk>m13FS9*2;96A^V$2~ z416!V5&0YEmLlqFLfzX?_mGvd=VjVrdQSNb{HEv}g!W3R4JY*RWPUzF%~FIe>Gk9!%P^p?lDG|Ohzw9AyNWa|UCVpM_hhnfHghYCig$)|* zbC_e8kGg)>d;H`6(@OO3p8`j38xaU9To| z8a>v7p~c17Krn=!tLg8dZ9=>OyOjhfgAhq~Kor1#-r&Dml9d7ikG6p@0#&VARwRZA z;e$0Io`gJFSI)bnmsCnrW2VXuG%v&T_r^$kZ;8LlJ_K($QNe0YRZ%j=cvVl}c-+%G_{+|!1BhqIj*hdP$3PB&5#sRnt1wO;8 z-EQXVmX`@&!y8w#QK}kOQBgVT*n1=2*T;dgtR-V*fpKTh@CZt$#smDHMQFO0l##k> z0gQ50SBA1f-dcBS0|T4FTxmx58A4aE%o;=g!hxGxB6V9xEI*N4U;V)1HuJ2E|OQVSyYh-df^{n#;1@qSmy( zTvQzD>p`kHFF#()Z)lT~ICSuEzt+oI^p}T;4k)Y=Yj?pgNqh|A%&FCQj<*_LjjzU7 zW2|x3IBT3?oMEhCtYNG*)*5e(x5iv!uJMNPhB1dRhjG`qYusVnVeDb-VLbNoky7A` 
z1K71};D(i}($g#EoYmD87FJePh71}sXlZS2adB$$-gY9;j5%Wzd7r^XOOTlJre2s_%?d1Jzfi zCj-?tCP5a}*9rlP>RU};QGKaiR#aae^h6cacLrzA`wfosfF0-Hc1=qArK05{-za>j zvOn!Ui+oP`%<}o=lap?x^U%HY2Xr)j1D%Y%f-VF6_8Nb+<(m%UuZ@VV@wY~e!}v?n z-Z1`Vvs~jZmdV!md;QZIe`gjojK4CM8OGn3(9o>$*Ghvm{#L73No1?>m&%uZldNdI`$O_uqIy2zGRSxlJ0~ zAIhUSw_s_1fj@K_BV@sJXA2HL3*DdIKs^&JJ!47`=aBDZM_mXfHlDj~!^VQ%@p%0; zUXu%q;k0S@3~hD87>^!ezf?Rn)T4Vep^EuZ8LQU8_PjJ^8`rVGygwxV+FES6;!EWY7P&sI)RvO zgE&$3Jz>_ge3QAE^X95*pSQ)Vs!DpY=|L>h&$2mVU86IwxktduzmnNYKiJriQ3 z4zW^}?z1CS%KoN*uElbD;d^mi#)O2Q1J~4{B~L#7smbWai_xDii_MkmGB=aVG}a!= z6QT5liC0z4d9hX09G3O_>T@l}vajd-HSW%enj;tT;;g8`3{-Pu4O(+#F6(jzDn-6r zMGlj-)aI_Vf;Q*ES$HfpC|a)CTsU;Sb@SBLpv7edMeCj;)xS>@n)KyCxYPZL$zv8E>5j6BF`Kl z@#$qcHhcS}BHnt{{DSa8u#gu?iP1_dPHMdf@WQ~0?~4d>tTTC47Rxs&$1wVTfFVEZ z@*?Nn-qzo66-~4rOJ3yIOnYSfbjTEYpBW9*5Tyc8kssQX z1pDB7$LEg%S^=GxsM5OvLqh34){;E#5RgSC2E3?O6Cvf~?EcFm5bVu3kRX>owyozYadB?JLMz z&SgW3h6Dq!ff)#hnCay*oFXs*9RxHoVO+LX$%E%VauEXe0eWQYGmyKS30Pna9Ve)0 zBkI0CVo)v$_o$ch6=dP!hQ7|ux5Nfc&P`?LX#;vNbQvUnfq-`op$-h7awxX;UFU%n zbh5>TmInFGE{WmRHdD=N%6Lq4$r6-UA`xMPc?^TtR@j#aGO)BZ6d}^u;MCKvw6+%N zDTuT-I`#BJT3ZeE)GMtmhkEKEtqlP6v_o3k5cRYxtu2Xq$|0@IiF&#rtxbx0%9YmE zr=D)5wF#=HT4`;D>ZyjbwnX(bLt2|-y2Pk7N|c}2YybcN6m$UNWB?EniiIMPNGwZ| zBnnh{q@~D+YPIn|j&T@BamW~>fXD~{00000006^`!S}X7j^%tK2JDISKT40D9=AKM zg|_VJH@)= zMZ_1n?9s+CPiz$ZhjpBBl;+P#soeex?e|uG-DTn9fA<9?u(Fb0btbMrdYSJfsgO>Oedb3wzlvrXd8#5fDT+sI0AfXK+2AtN$;q`PW#l=104g z8#d{A-n9U8!2x{q0gTaE&v|aO<#*i*0v#D;bQ7|UJK#VF4LGV<@hL198Pm(p&pJqv zc@&OH?;iZS#-+G@kUJh_f6^1x_w0u{v=@A9!{SlK75b1v0| zOh*h=37*KTeOB13e~qE3s}!hGm_9-0sx)l<#M>40P})W0KFws*S}#uxH58Xhb;Hl& z6{kP4k6%uPt{?Dxppbnb%>yetoIAMu)MWS!$L18iLaaXQ1t^x6c^W+XJt?kSa@Fja zL*n90LU2B9!Z9|CS$kZ94De@QCap)257ye*ga&z9sjkX5M{&+0$y4L^PdCPx*)U1`w$2FlqQ`uYNq`&-CP)E4}iaaIpQz&YkA`tVRWc*{&K@ zZiFQ(KAuw33e_AroozHufLU=q(5 zJOz60v9lJGl0`UG`$SnHMi8I?QPMGETiueRwu3ICuHFqA8to=tGurlnzOx@Bl!4L3Lr4(|zAAFeG8QsRmlLuv5kwS(l zY?&3UcQUOnR1IPIzQ7#NP-@6x=y4(~7P^ViG{M49DO&oEDq?q(q=EIT==x`i(Msr> 
z|I)@{zP*XrKd(?^OtPS<45>!sX_WL7zkPhm_+dOEX^)C-|ADc!^4lNQvk^YlKQD+1`X{yOxv7v;vqf#0> zbZ+EU?bk1p02Y~zM?R@7oAJUBcNDi98!kVhf z2V0xf(#Wdy67DI{`A@|(+9x3mc9n=r=+ZmhSo!}jI9ha_yrRwoGPB_Ig_!u%KSwFq zV86dqLF5!~)2d7`zBiNdS0CBCM91=}0ee*q!Ycw0DmK2u-b3|YeskofvwWkghL)!p zW0;Sd3`@~)Gu3Im%B-i1GA0zGHT7B>u|{(Lc)A0 zu5ArRQM&$ARfV@%{~NzdVxd4Zrd8>XT`{u9t(D1*;0R2)VC_XUe}@#yIB}LV(~7|Z zmeo?g`=2;*)*M^D(5No4=2A#WH(rN57bpk4(PoszN%_jOF{EDsuUyRO%vHMwd!c@q!L zqubeBrUwY`Be^w&8v{6~N=*a@aeNgyE10fXTuKGl;f0Q6_xa zC>WrSS4$1!9A=yGe23_-!`F4!n|O3SG%g=#{UV1k_WpMQ^TRH%jVZepRRi-q^r^ zXA{}R4mx!(S-QZRv<>~yLC;7g>~1}Z9MNlT&~rPqwP!^$fZIn-MPVE1clBGYBey^w z6@|qQ0}3I5v3D)xE*q7FhQus=jW0v8*;9>Nz{!z=nH(TY!n=TG=hYluVy00c0R{** z!>&^v_;QcO{yKQQb1wM8#UGpFX9k3mM1x(jH?zi=Pe*z!XT7Puoh0$+SZM^zclsdC zWBRhO@2Z!v2YR9*E8l0iVVp-MgYdvd3$=9`0IwW(vz*czH0a8G*vYCSPgW2P9pp(< zCB#T&pFv5t(RfO86s7`o=W}i6xGfNsnmS-`(;xEuFE(QpT#;)@oVev|7?!AfR#H26 z^c+ul*ZsfE$yimry8gz&p^dIB!$AFs(YP=`A`oj}t6Pmxy}zC92LMLs54$fEVIaFz zi2}pxMBW|vgF0M8MxVO7ZMha{HAd{6;h?K7v4Lu@Iqc_Sb;RL#h^ zcIAsgP5t#>JoZpr7J0>hLfWP3_-i-V2p#K_rz)t7BH!CPTIVMjMhWuMWBfX&y?{ySgdx@b)9y3y{@P5Bz{>vz&7d(d`3bB zm5HvXPZS>+Vr6!+z;r1)m%<@couL5JF^*aqtg#Z1dMVefy2>5Nnn`z@sSITW)|g~U zT2Bu92NfBJ5lxorqNk2FAMM_T($o02B7hw}4+0w~Zc z%&00Nt-m7)j`A%W>eLT0v)lsjSsXge!4+_7v)LQXRQJ6BUpJg-KG&YsM=%G{!||zZ zE&cJ`Hd};llK}bJQJv`lRhKFWNz0ca9t(| zYYttcTS|j_A&QFJW`xRZQqtC-Iwd&)E{T&2#}D6|GyZBLU(ei&v7Pab+xnQ|ksZly zs{SR-35{&J%6+i&$(NvMKqiyz#`i`5y9JMOn5kuUty>lxj6;!T)b+*-u*=W_xc3U%#*OOsJAdZBS zsOPEFsXIrQ3XcxWRz=E03+h2384!w}E@{nj>r7Lwbf91d6=9ED8?}T)mv!p`4~^+ncHpYAQ$BM_kj)@eLxh0+*E|sA7kT*?<_tB5~RG`#C^OG4r!lYYc=f8ri*qnh_bH~90x%cm6Y9{Ry-2oCb$zYW8B5h z5C?MiYG9TQnmy678*hEGsAtz`J8dDZkdu>`INq*JkAc;PS*&?An2XV!FPK;TLzNJ; zy)cN+9oPlK-XYQ(pBnSgcNzztgeHP}AX)n1YA|h^_OXPr>NHFoi4W1q1j3ZLkPk47 z{VwNy_SGWxZ=jD;qO^@KI|RumfSQ^iP90qXZ{X(LH>@jkXK@TMok06j2N;XZCnFj) zF$+v6Mua^V+4($t6vK&#Eu6!=Gta1ElAn_JYwh2i%Xv2!6qCNW35G@)s|H?`{LzqV zwE@%NCLZwjXOibL&%+YIAQ|Xcxz?3IYOJ7j2R|*A=!c$W0kasOl;nM({x@U%d 
zivg^XeHb7X#LP3G8QVn$ppV{?%6d-T`XWo?`7xBnR+>UW@0B~x9#RL3Rt9Gl4{O$y z2g=UHRB-nu4hJ4^j_govjW`l_Nk6P$FK!5Q*5j%QnRnOJ_FGWI2BZBRCi?*0>`Nc2 zL2e4K3rp_{vLilvoP&JrL;wbtAGEzRqch3P>}6+M2-&08Ax*+`$d| zFsf87oA60TRsVU$?BzUlLlDyjH0zMBZQ<4~QCDseUk~&e-Uba&M9J%XX_bX$ z96RLw;bBx#_+;=liRVc3#_@@xB<>(buAAghb*LVJ=y42;`Kdb{{nz7>sTT45flEvv zs=^E7<|*(T_m6qQW#saE7E7{jV|(0^5oO`v&9nDg0WRcZ405;njfgh6O}D4?l3mmI zX9J0pQwYv(ERQ7fqDI%Px&!_b)krT)M)wW{4%x<)$Y1s9P|6bBEmcBGVJL?j4YfDu z7z~p<`r2h2@hpuS5bpCh)HRcuip=rMY{FPH9}O4WURKU&)d8KTBVK~DM_!M860qQ2 z)TQC$5+f@6W%h(|le6`gEN{!p^3j4;h~BK=Wur{ zHRO`a1}^Pkupqrb2AJyge69f}!g_+#Ug2Dv0-(jwBCa|BZOTz=GSJrf`Es__#XPPQ z4MuN%Q~J|q4Hal(OhkK4`NQVP>ucbG+y)mW;<#$W41>pwKd>L{H5AjGlAvHAScQHM zy)RCG`@!t>Nf)?Yf>(*Wde(LE(76Yd>n}ha9FK2rUhrT$fH^yKtma{Z0qH(o8m*kS z;2t<Va%vyEz6ZSN-CwGax*#@|x+y){uT&|>38N_cG#$q5ah{KCc!|uL zL&0ZPVC6sEqUGemYy{?IEV8%Q zpl#yBh3mTd6F%kMQh-9$3O=UaFq@8!a4Cje_pu6((;6EON)Ya5jLMl9C?=6tXzfVM zcfxqx{hJ}@!O7`8b*QwXl=$0%7-tZfP}*%nKVZfcQH7o81!ViIc=%H_z?Ghc%~8+3 zUPbv=9?G1MB(I5PIBQiMaTbLO>@voDhtU^w#$~G5r#-zv+Xtrzx~A_CN{*7P8p&{H zDXi};T`~&mCL|`gaP1^;op@gWn@$Avid{*3OUcFl;v1)d8)EYO^efl8SlkxW%O&k^ z9WNg}SmMXt-8uqQkQ0!H2dGinikbC4IgpYlqZr~t1Y+0jYu7g22L1&M)^J-#E4Stz>~Vd7$-QRJFNsj5#aTvZ^r6u|{f}CRlJY6I(!jB-q7_IsxgffLqp#CG24Kr+dtWs=}_rswl&@ zh{^tq`%h69I1DHT-Xp@c`))be@o~sXPEiRCN9%{|o zz^5shPU~xSMP#16+H?B2Z9PvA=|dqv*v2H!xI6A~A&-5tBSl_QjcUEM^&7+&w6s`x zAjqMQH~McG?f92O>kc1LNbSIN;zC27FjO4g6cLdPL0>|+-|p}AKSioN>QSAd`jTUY zmOZA;l$QQJbU|Z;;5Oa8kevjsSd#S4u?~Q?e90^SxEg%nzeMsjYlXp_7z`iX2t|N* z33EJZ4f#{V75Q?H z*tsLYf8u`OLy%Ftz!`TKQ*cq)gZ$Kc3_znmFHGOkva||Q-IhG&o!n?mGT_mLe~eF4 zMOz2L7rhLy1bY{_v+J@hh22DGGn&6d?>?K}-8q=Ce+GJHeJ_biT%dA60Y*|mV|D^OIvs}K--m{Gg8ER+{<%_ms%|Dn*ty@@kGn0hSS!W? 
zkIIu8={(zQmT>(t#e1}MgN6xdsMlDnT61|9i@@m5l)jgiHTK6*&Em5>xA42FR+Qs2 ziA^@gxQ=5mb(Z!@8o{7u@sVdY6|&Nwd$&=&yk9{)-DAaK?({GDklZ&TNH3_7A##}f zxI3-gkVA3K>@<_I1F1p*i~6EK%x;r_)j3dW-zjb<4A2O1@z0L0}8Xe2rdiGx0%eFm48?S2GxVd$o^wEFL~4#p^26 zgapptJ*k5~a7u31g9Q!$*A>W(6GKH4L35ARn*!&*0oZ@q=z70rpz!WyjxFsNMp`VT z(x!|aPL6JX@vdw#Ev_a&=A2E^b9kFv(v!d(Dl@SxdU1=>KPJm1D_u?yXRX4(j4@5+ zMr~BjX0=Bnkvc|f{^JrjWR!6FNCu6;4WP!L(x2CdOy*?aQhBoDcrX0@gA=Td&6fjK zT9K4PyI6C0j^rRil(oIdo`zA-$!|zf$r;i&8RcTG$%JjP&hIXVwXqKrdO4Jg?<74U z;wNKvYzUPDIvyd79R6=v05VyeeWWmU3R1-*>R{OL8ja1P2Zv__{Rk72-Tt3(KFkBV zX)WVcY~MXP4#yE1;@-I5Q%_{9T`vgBF$@dHNB{lN+=B?jKLx?uwXAZuV3@UZt(!vpi2gqYmybuSb`3 zW9#4GdU?v*2jO~w*_F^KiF&x)xQScc@%;286M;K->gMnvonK{N4b#9xB0kgO1j3um zkWucz>5y%=UDB+!6O1WJD;*>{IlFsnwkGQmkaJBAQ0@iBhY5t1Wpd3oNg?U~br#@2 zE6f;)Hd5HTj3VR`juQJEtr|QeU?Y@pT3<7QbZosEgzGLEYF?9?Yg|K`X<9Ry&|K4+ zJs(H}Mi2p2t7vjK&g_7&`hH#qH4S#@YErE>wy3PB1m|&A10K`5Eodw#cJl~qj%>y) z&{)yaHR}ndr-M~1v!0GZ+?cFEti6<_%_wweRhT^5F#_b7w&qy46AP}okFb$R`u+a5 z(*_kZLbW?;2t0=mn!rwq_9*s^$-tPMr=?;CF&$)yoth}uAa;!~j{qEYLKVwVN4Xux zj6mO&#(y)KDP4Pi1;w(&)>7e5Mf;An!&}Q$*_A1ZmX8$!%%#`SMZ*qrw9Lq4rDG~7 zgmdB=Csr^$cUus@s?RWG2c9hyL{WQL95^|H7VQgjQr%5}(apH~LkcGA0mnYA9gL9_ zL`msg>`p%hB=L`B-{4Mh^PAHwroD``<@+&Sv{#8`&?QNmZs8bQpG!`)V6Yw}1w*|( zAfgQzC_%&)ktfqml#hy~vz+EqL|iB?&%P2|SDPz_``PcrxhtC-Lr6W~Io;UA+tMCz z^)RVFHnno%pRTuEaGfKj@lzA#(@`=C+Q%W7+gnR)BduRkh-62@x6Um<+tR>x zvH4IZRtMRwC%v!U-SRjeUI&4%So*M9#d-<+vZjq~a^%_bn(UWP5Zt!6e{M|eQ{b-G zB&7ypwtgXlq$$tC+5KuRm)!P2t5iKbq`OjKuB_!|3HZV0s}#ooi#VCa*|grp7#0LX zY&=LG>L(mYxbQn!MgGK8&@{QoPGkqS+FwC!fp978kQ7prSfk8n{8BwuaVRDi>- zT+?GL_i^J-L8Fl585i6Wunk>ln-53}k0ZfSO-Ld8HgkG__O8_BbsTx&Lcs{yy^5P9 zLS&qv^p$nqj#>=m0mclqvuM`>5i(0cDj^NAnP|OuKBCh@&rK~#jWSlDmB4srCy_oI ze&7s%TDehaF;yYLishIG`*4~&Vs)6deUOU>7HG<(hsA2eB!Vl_?(beJicPS;4*1xp zowgICTzKhZPcF`P!nMsIjWXy}jmmv`0Y8Fcxwlx21V};laCht^DzZu6Z<#U%`)V5v z6V@hvW&V-Qd15#;YFV_|cf*$=719m?uN1?b3ol`!v&)Zu&h2gyW+;qvS~Mj_Q#mrw z*&-(FVO28C!i9bg8Po~hqz;p;@zd_(3wSsog54r#Y$8$(Vuoa`Sy-S3bPhvZrmX@j 
zKIDuUJ8Tkvox-LdyZl~Z(8(fqDJHa!C{_vVSh=w;BBn3U*yZi135Ck`SN4rv8~RK3tcAem8`UgKUCQFM+R zV?&!C@IxzIjF(Y|!cciT-Ly*MwMXyYFB=2boMi_Y`7CJuNy}w0PNilgr0oK{Z&GjL zjs>SbSaZ-rG~VzX%-HbEQdx)-xYfuaK*y+SaQN6KrZ#77TxJ?iq5dkc&{Q^{^>eVg)ffge|S15=KZhRDX}@lL5{Wf^)nX71)p_h zR>4G;)iQq=B$KO64PQa*dl@4x7dzwC4w|#Qon>g0 zPYQVPO7&Ybds~FByiK9IpY773IrE-}+k!muJc$0)!L(h$MQR5A(%3v_<0*4%xj2}Q zZjj%=lRwpG!^2XzfdMLv04P0A|AuC}SJFKK?l!}rlI8@KmQ8z8Tg-D!IQ}O1!sSe+ z97V>>L?lo)KCD zVTfMM8Yu$Rp9}YO4*C-aeks0XIFoE`gHTOIl21sN0=Jixb?Q>siP=)(zju=;0r*U= z-;FSa`^0eyjIrA$I#Y79t%Gv$c_tP)0eaDs0)pr`UQqc5@6d{xqj;><`6gd)P7MR5 zDDzT78!*TIZCmDZn9?#Hnhi@GOxEnJV4=f$${LLxhk%c$wB-I_GRVqS%)b73uQ9ZV zs$5a_yY-CJJ1%+0MKNd~a-O$uzs~m@UF5x_61(V%sY<;vX5-RnsE=ob2Ba_T-5SRH zv4BP!I%6Oy-pT3mF;h+mY^o{AeT0(nz_yo&+4IoBJJnCYeh_xJfRiB#UX-x^8m7B`D7=1gln!4WQA9(MMHOU)R; z--Fkz&7vb@5k~`41~?^QZyxS)7KF1A;p99y4LSrqPY;3^We;GBjVr`tspN@QnRvOe z4sHPYT7;B_v3RpDr518ewigb<#DhB^^HlY0tqzn%Iy60P<$c8DtOs5j|M*wV4~54J z0S1El*t^R~6_^OqcZy^?LqfOC1L_UX7v-jzF{BXTDfJd(cHB~g4Unvj~0PEjD`et~%HOa(Oq z{dT3wF4v0JJGq}3Yyp|7csb;&;ACW_7-*e3E6h4WZiQ6mZIy9)#kt~VEQe>M_D`GQ z5S#V%*WBK8F|9mM&wU1HY>gJ)RoJc5rlf-5^gAjpVhm~6gPMS8NAU%T;?LYcgu#0c z1~9J7Qh9>DqL>(WDzid&JN$$bFRV|qj!2fGEPY~cv+mvgc>f6;gBLNWBXEi6O=7WYM5N= zBE#o962q)-Iz6v*s0r)HALk&m9FP2l(kya6x+hD_j`({4kUX_UF5SQwbian4$gdWy z0dObVIgs<}YOchOhYn)WSITe_0%=O^&5G$A zI8{H~9!@IBw_)W-=+?8z=Yf>(u##su2?U{fTiU z8rmt+2)Ae?YZ`n+JaE{9e2KeE=}z3sL@1Awa+JIsus?nw7v%w=Z|`7nzpu&+^iGi- zdpRxXf8zsD?5aM># zDB-14x##S*3L}rPSy)rUhb_A#uIJ`_L@rcu(uzVu_t4fdrP|r%OV9!RX5F{o>@n9% zunMQryvh zs{Dj@X6)=Gp1SO2Ln@0L+HrOa3p(Mq+O;$dF#nTa|Dy;mzYT-= zHm~ia-)V(Cit=eJmM*~RRpXj#34s8PvPF%lNiR6zDMA>{JP1)>b}ot&uSu}+QrJt} zyU<_YTN`IL{C?#A0cTKhcyLFGGzGPDVJ0jXM;-HHyr@SdjLUt&5=Y8U6$m2{HCSCy zqP;eCm(QvUpW5s)(Ky7Imkh4ZDs#9d-fsmWk_~pV#_$~jeYsPGnA;ujp=8wwSkhn* z?(|_oM`j3G-;7mpmp7asHnU5YOLwn40v!9&Bgo&&emxK=v6V8Gs9^!j`J`9{dsZR z%n|5eBY{q1P+&RKT78!9#D(CVteV)Fr37$@C)VasM`wIb9%Y*8@bRZvZ|Rd_Pp4A@ zVT|-FX}V^T>!KGUtiiS!hat8X7gvEd&`dp*zfy#4_xe_*2O7HY9mdX7R5 
zGl`dReJ|~~IW~FIKed|1;ZiSo0ueyAsOpY{Y@@i|=X0^y5e!4pW1KSSc9iLWx7vGM z)`^0zMYbfO+9{jo=95+_7K=~$(Dt6URPQJ3vYRm0g-;7YoAOvil;aqOnn}tJ#gV%( z+VNm7btQKNx_H&CS2nmVAH8?28gr^hMv7MSgwtVw-VgRMO>Qm7TRsZx4=V2oB% zv-5>Xx_g~M#!gl=gGBpzgSaDaKKV5wk~|V0T+u?0ytKlu@%U0vBOCC5H!z4HP#l{^ zp`e!@MzVAB53cxWhH~k`z?Osid}oe+ot`88kUo5_g5b~gRphi~n*6+35SX6J&#Wo4Ny^#!fKN@QFr4iRYQv6$3Elhn3|KHTBk1r1rtl0q+S>jt z%_Vqxq)CH1c;xMD{6?O~ZN{xPQqML z&(c0@+}KMi8J^-)3`1UVMk$-Iuzl00q~RKoYcPooblq$!T>>xU6)y}^R} zO>v~x>_}hz>P#HkGPN6dub2@{XUaaxFsP7byYmukBh7x4GwLR>sL2RQTtaJgBJc}G5xx>F zX@qxU3V@Q#H7B$8)Y!$ql?4PZEK-&8R8S*=%-tEkhm)y-?qEU94@uO`c^zaU*$ysu zDy0h?jP>b5)P6lT%rhiZX5xTLpezGfV#nspy&AtK@%Ro6A=#&i4}A6MuhV?}V4TzF zP(l&$o;rZypy*(i-GkC`L@RP0luZeRM=@Fv^===cUMT?)lR!jbgXRX4=voyd);t#{ zr_Sd){HN?E{f=>>8h)nsZy)d>-=Enhx$eNNFWz4*`2G>nlEo^xIq-N!CJ|dx$(KE( zwY^3s3)-A0L3q9OI&lZ^a5lHC0c02?@oA8{#Kt`|+k5kI!k{pJYfurekp zA1y%8+4u7R@$4DxnHWRLbkhguhJ1`;x%{s2C~??^PDwfO0&siU`TB=R11>E7E8j5v zt6B8T6EcX4esT~4J9T|^@qnoJFXS9oI8xLHY8b%O(zn+RWSP^WI9$Jg?>+ncccYxG z)}%}G@Hts{d&vb(i?LqnWj}@~-4@eJCp}6t?c~YX2_yUr%;o^}r9*uZlg~t`XBNSY zT4zm6ezK?LYdKn_r^1cyw*tT-g^d<}591Zmx${W)XJ)sF2VpVE)J z^Hcj*g1;?mvqVzrX0MsM+p>NsrftXg=|*KN0hC)%D!KB7B*O@jtsAb?Y5&s)O&s%- z-DrIL(z$BfYNs+bD*_%K7!$wQalX{>>~jbpZsvDp>t&;NR$-gV#(}XzT&jw!35DcQa52(dF26j)2r$;*^Sbl#MK8ze+oI z832lRVI79FL#Lo#DJw<^_a+SuJ0(^UvCHHBjPpSww>+<1HmwQ&MSVHw0Aicj=>ncx zWK=nTv;{qAa?O~4cUXyAaDeSna*-g4bPXCVW8I6=&Jo)>*xZ!qU)$LfcWH6z3xzpOYfVyrM+*AU<7aEP$53H= zXi_CM44|pwXT){@zsX{`5-FbS-kJ!?lYKGNsQq z9c>LH-d@!=Jgd?#el-I7^U0EqJG^|;gX7aW=h=5}wzjMT#&l8ohzAy)V zn;Vbr2m+OLm;upZ%1-5m>W??{I%n~ibHUUwm%0FOEl(B~09<-ZxMk2L13282#>M|O zK;+xuqS=o*-1|L^bk8iTcH$D8F(6iLW1x)KisIVtoE2dmkiOF}jxb{UPCGjD1YsO; zZw63+3gQX@IRKQ_v@pF9kYWn8Y3C9jw|yrw(XNh3VAc`jB!pte`3E>j-jRC!h^QS- zIv5Wl)nP(oY4onXKjoIhJ@@C?!mHQ|2|OLo2b-pes21Ch&NlGFtykk{n8F89omfzgHZtJ`KW8L7lENDxQ}vOY6Har}1%mZ1+n%A!BZ&Iv z+05;!pUhzUc)U}0IE77kFZ(#j495(+0DrP_5r30-pnKxzP2S;nCvft+4=b_gI>LPJ 
zC0?Z$bty$F%&0Ke(H>1|uWnlARjb!>!yKU~G{7o|1GOEOqCjD5!EYnlCY-Ica*AFUZ4}&ENd`?d)HCxM(W2lZ5t#du-AxhSJh*#({NAD*+7&8eo-<+Cw zX*Bqdsa(g#5XQh5MQ6dlt}$&S1)mt(iY{2PVg85v zW&8wyrQQQ~@?XtEG+Z-d&R2O7o$|LDu`poJuel&nX*_f@AFEaB|3dEo&+GO4aen>d z`{w$Y39RaDcF#9P0_95lU+Ix>zfR2$^WQ(oS&yK^iv6M*7)f#3>-$x{MFusqYdHdr(->j{d=VU_T91#?MkFL%D;cy9dE_ z)PJy07&FNyyefPFl4V`}d=PNE*9v|BO^BW|D%>zmy8XqDvdL$S`WJkL)RAV`9D2WB zIxxs`3i8Ty(BJB;fgruQlB8~^J^$`XfP`Lp$`c@V`I)t5Rmlcyzk%W2Oc^7hKI~aH zWdS=JDxu%t1jMbOYANPl4VVXYF*lyVk%5ON3cd51>3%8Px=2mSk_VC;%!zY%#o;yy zVyBkA<>r>Y@|#FkQc#K?cB^K)R4d_S-6fxD(CPYfQICJm9(!W4t8w65?=lZ}VwlI8 z&uoV^5%NMq2XdqGEVJSc7W<8tDH@=XR%{YbfXIKaE`JeG2!Np&c4--`;e4E8)u)=P ztVWCEwQH9B>!AbvO(38#ECH70qUm{#C%m?}01-^E7I&`0!JbsACx=5Erq>j>AB+kU zorE17hhLr*-FX0Qj4G|ALoOp=bu-G(jfLZPZ!}?i66c7oyCIc)A{H5DDgMbLShKK~I0~n*jhYZQC z6Z;T&98@Z?3Dlf@d5?03tn;+cgW9b#!)r7$ZoON!A0M&soevW$DcaRSqmXNyCu%j*-~wG-3^`lNMNZtos(e zAPdMEG5vQSm9UpJSQ-~7Em$$BFXxI|>M255z&D_Gf3p)X6E}%y7|(7QCY~J^u$`5& z@`QsA?PS=385Z-uNu3qBzmB`57#-=v$RU)~17uNUF-6g_7xl2al7z?WpF~lim5?1E zkc5nsI$XYYMie6_PT9soDN+%aq-dzj;-L-bBhJb;Mz{rqLwAJpk3hnu4r>(X1wF-V zh*z6mc!8|4lZfS=vdO(#N4z#h!R#So2lbo6Du8ssppD6@g({6WywF+&i9po{itzkLnCt1pIwYrDlikxFCfa>JpF z7|09Qi`rn5q#c|DWQsz`NS7!8k@2i3oIR;XRDT-ADq-vk8gD|ROJ7UBAIsle6GlXU zdUlTbzyeA53dl^eNp(wN$5F;ggxIb=LDznJg25a|Px9EC-pJatL}OLH>aezis38^z zafM|MD3VFoh_ivB?yB4$gBvySVwOY-A)!x)-E=)wOs6m}AQ)f@))lUsr&u`7xbJl3 z5KncIg995=_oO@)i6ONB6avMRX}$76&h2aL+FC%lz<7ADNuoL&q+qJme)pG9s63A7 zKoSE%s`~c4zj!Y7eHADI^AZ&N3Hb-Sq=z=Xj1U){bqy6ZBkchyDhYF&xwGdm2&w&*K>K;yICk>}TUw!ptovK^$txJ46>oTxj9Wn>=hX(@gpQ zp>|01kEwt-08Q`$MUP=#h9dDWAOWH-6A+E{;>S^F?j-ZhZanS@qz>F>qO)E_tW)1O z0P^`l(K5V5kcB6{j$%!XaH#o}79Sy-P2H-sp62F|cF9NkGY;dPb=o*Vhl5nV{|@ov zS!K8obg&Ev;FNNm6C1S4twRME^vyrXWuz!mLyAO+*bsWAFvjy40FB@nFZLC!P#&5f z1Q1QB0_>m%GPYu?c?B@F|Ju}q-Q?o2mtxL#W#$6c(zG9M{8Li(l{KTF8omZwODmpb z%&qWVy7p#Y-KGA%3V@Cv2VE}?E-TxaETkmRE$<>Y_mb*yDW!V!&Qy=FIn`q~R6U-} zX_-R&aavlp^wk2);hl#qJ%H4uPjg;Kigw@4pvCT4_zB~g-G9+bKK4%#ZM6g3umXC$`P&7Rs+eA%BWq$$Y%$$V&~s40S~NDSiQ(T 
zlUewp6}SpBUZbq6B9YmY8jCKOuT?)so1lg8U*Uv0A*qb=^)=JktFrI>lpkr?i*DXM zv@Eq|nF=Nj6~+tfTB|zvmWIH6yb@4;(hvi|KL}B*c`7ake~zk2jHpM7CyG+gyzXIy zkhccNed`5Tc%)+qr=qA3@>{LyA~r^q6pRG^JhsZp}=K;hk3KRpUw_vf23aL#!2%mY76#Wk|54`rKd3GGZ@Mo91!$=(1YfoJa zbRpp78xhsxb`aCSBAx|p@|d^8T#t^4X0YuTytTFYZfb9AJNNWLm0_{PBbnE6la@dv zu<;Oxu4LFWs77e`QVPf!n2PR*CxDG8_sW0MwrZruG{rx_vhvax2LnsZXP`oY80_ z|6xJqG5`IGNNh5dt(o&UD@76#_rRgU)Q`eEGFX)NyF%ULo}iqJDwapxUY%o7!lQR6 z5aE2I+X(Gva2N?Y-&|lP0-B44U+ZV|ywU1UI60~v%2bB$0%PwF*e?tZ=vUkS=`y?S zb-O`IbZrEu;bAM!^-#DYgECqmw#X?T$@Nz{(_~l}8UMg{H(2U3eq&gB77`XK2pr%& zU?W_-WoBXpcy{m*M2iIg_0P|dbBd{BkWSxkXv*hH*%rH9eR&@Ov zO+WUV#N-ukEhuPgT((g+VmX0ngsoe6TGK54 z%;J{lRL>c+w4+BY-^x;XMukVY?Pw5yr>pqgK@NtH#4?2Uqjn0(_^gflY7SOr4(D^- zta{C2*+cP5O(TOp^DS8F;3sf2pO=u52c1`BCxqz1I9zp-ioAruW=eiWJ(9>sk;+3e zB~l?!#5>mKGIi9fGNFK9^|*fgyz_u%v<_o@pBtzN?G&JvE>NzV5Au8mL}VS{3=zzi z7$T;Lm0kU25k6eWYE;d%gI&)AUY9rAZqQv_lYs0_Rqc=&@doEXn1M(o2CdoAJ6Qfl z;+ht_QG*2hfu*tQ75f5FpWk@KJKS$3Sf5`#KKhvp<>6n$sf~jYY#}2B`kAJN&pn<{ zq5EoM!*2U7)(w$@KMR=^<%%BNs%!DLfL?5BBB{PgymgCNk1z*JR(khz0*=97a#2Ae zIU;h5OeFQcwQ5!NpCloi;EWlNOvBCAsS(LD}MfP>Ke`oJ~*k zlchExG>a{xy%<=9bx-i>a%VavGKVZ5;EI{k*m}S=I(QIcqKE08H7e6iV~>J!kl=fa z#LosG5Rx^um<@%8>6-#iC)p&z$T*<2uEUo!IYO?fzMTwNHkM(J)Sfb;oA__0p`V#P zFG8$D10#J9_&1Qhl&N>yFo$S(JT8~Y$n=-uX4jsy1*V3in^GK(<&Iq))ALCMZ`iE*1oDj zKciBy^+5x^832mj5nQDMwu*QR7pE)jNByb;X^Dr9cKc>g9V;jxg~JaOW+4;)4_lox zS=Iz7WZ?9&BP_3N?h&GLb|QaXO~$;LUkZc|5hKug6q#a4z3zzB|A6Sp!&UJ1_&rR?YLtR$%6~Wvx5zNQ`+>VR?iv zBlmMP4toB72F@`}I;`!uFJnTM)dr;T?ALkrl{;$X^k1&QPjnmJH+KlWfos87XF-MW z9Y><>D01Kf2iEr~6Fr|8dFNh;z-iK=FcH;n`s*M>or-NeFN+!I^2pTn* zB60b&;*M)HrY4ac$X?9>JbB!(i#~K^pqqMqJ%;^R?6rSK`v7euX1jXYK^APSa1s4m zkdvR#50Y3vx;TZQNr#GNg&2f(@K%82%XXjVi8Wd&ldcMn@66jfYLwr9;8Qmhx8!b+ z<}3qrH6VcT}KivB|0JafOTF4JPwY(NRv@7DCEuKdA5ss z@A^3)?dl9^?jLhbz-fX@rJxrOY|TE~j7v9CjNuHkO}GgAG)su*aF$WBBw=&GCyn;( zRyFJzR|l5S&qI$72$R=ZG(>7+!*mAa%dny+nS~%8)3$$N^Nf_k29`Ea_zv~rEJ9ZH1r{%#qq2 zz3lNpHqIFXvze$a?v^Rm$EAcbLU$-HA%}sMqx6sGSo9+z9n=g3$99Tha9n1{;r$%g 
zP$;dyoBRcI!f^Qpvgu$y+RM08pHw7>_%=fSkLOC##{#1zD{=((hfP;cOlv!A@yaXv zhqjf$w5-SyP?YE-7Emvx#Ui%Ti9Kv)~%@O;?r2;>)%zHe)#lQyh-RDp} z<`92)TEg*OEfDTQ4A&m$hi+EkqIxoO`Jia{!XhmEy4vsx5Sv;7NgM>&lAS?l+GvuA z33PvxAELE+&;W!aPbI58oC*vwX~=+7&391;KC*JzUc~bFw|V>QnT^=zygIx@kAoOJD7KiztepU8OJiM) z%PAg!+NJK1H>8ayre~PL6eB`gjH!KMN&-ChJ6MH@VoX?n=S$EWUlk{ssAfNLGJEQW zN(FC|<#k-(Q5S@=Ap~>evCT$V36a&)gggU6V>`xLqfAEHJiF@b334*RzJap7U1pcl zic4HXjMuk%BZt^5plkRJH1a2ZN1}bhx%AiBKo(@yjE(5dD_Rk*Zb-qz<+{A^Q|_Ws zNd1_2`V_Qo5e?aMpF_#Im}Y(i+ys;6sJd=#8pIwSJp5&(_%p5pj9#zkK!=xgJTy#a zr@sT&N4FZ33g+V^N-&Tt4dd8;&<(5c+4~3D;wJ&{B6`9uaH1?F)Gx${Aqu9|V4Gu7W{#|ApYkC2pT<&w8Y0qhI zmB%U~ac#mSQCLOjY(O$X6SVeRgZKtTSa$e`NHhu1SL{Lr<*>K)`HOSw)tFHpZaAOj zw2_qEK7w+lg zjIjx;`X@cZDdb;B{}*#2XHL89FIja)?_qAK3rs<=wBJj>2^&Mt>_j`OmbWRQlgV_g z&)}DwkK_){w77=zR}(SEs>)?LoMVS+58GJE=w}_XD7m4Rz>$a1imm*rqg8?=rgm{? z1nEnc)&3D=XrsOi_9w`Pwlmtp2igeKrwarzWIitwK7s6z(!F!ls|g zmQcpVN^)Yn=R_=R`R0`l@$y~B@vIFegJEy#tGVz0L0N`ShR?$W99(C8mw0UzJ87=; z0AN>@jqV})C`b@hq@>lQvm_ZUKV44jXsXyWXQ|nKHcY3oP^&k9Ms+{JC|)~~b)2Rg zuyM;noo1RrFR+Z+6~Op0K%9DFBvzPzzQ7#)U1dxvvyU`^`f_^z`9P{D(<9EBfX0Y` zmqZ4b{!j zQ!+5@(1F6cLYknP+WfQ~^xiuUC^r1A@rqhiKD$!s3-DeL5_0vaG<=d*3m+ZZ>-9nC zCgdiM`Dp_;uJVNP)Aq{R(?j?Wtq1~}{M)pPPnJ)bsiX=sOuj)A&vu2Ac3uF_5eo&2 zYP~Mz{2p&m(=B2LG`6Z^RlTdI#C!v1Q>@+5ZuZJ?Sb9f%|r(HPPs3C@~!`@mIFx=NDhycCqsN8+7cft z9}i((K-4R)`kty~q3EZGFwzUD)*118sLS`h2w^69W8<_h6Cj_RanQBTou(fVsv+@| z7v3xv+5W>LALM2xfnY5jKaDLO+weow^f}^HclK;_vFA+18`*|$iK(DIVuQ}%AWb~N zu*!rNy8(AO910JW#k=O2m2wT3S1#%BeF~~ny9l1&XaRo)50x8vdXCW(df^#JVTU0ee;A1yAY>5pK&34Y8|k4e+*ISo5H zD5q$hehMs~7{y6>vzsFVdO((YU?GtTnyDFKvW5TMeX&Xkx`Sja5C~#c2*A+vYMNvR zZ;Uf2%X&k$?6m&4Y1KKG*BeOqOV?&F^jF-Cv%p6YOAc++IeHBs+qZSUpW)b`DgD~I@aZP8xvJD=dU5l5VAIrbuj_0StGpE8YpU@-E2IRC`i_QSAU~ zYhkU=diM6vT~^Pambk_*=ih`a8csrqQuodNJCE`0%p%zJfRE>mk?xcxLLZT!7TQ%{ zO&cCmu((Cs+>1%Nt7Du=&Y!UNrcSIL$IOuMJM1r11I7mJD{*5zLRZ6M_Bx_yzV{ol z>w#g%bNhY(zUNh}SRLKU3ACzI#;C`I5%~p1{uZD0&*Zc(6_<3wFmV3WTwvUJYC25S zRumBtqkREvVCVF!E95Ni1QB!|_m=#o&A?jq`vIbHYhYp#0WQS-N)Ap8? 
zZFN;)J-b9r>$T3)RWMC#6h<-vWS&cNjvE4Ni}#8&$c5`UU7H=@^(V07r3B4zO&I;B z0{O4ULuM>dl%i|+hO3>QV#G6gIh@}W+G#1NGnL`LZ#OF{9LBd*w2j}I@|MW(?<5nG4popin5 zG<(gEvq_yjkf0Ae^`4Tr7sxAskcR05cJ#W69%y+`8NNEn7qh#5t@Jp<%r_g7YGY;% z>)Z4&d3K(&TPMRN7`HdeO)*m{!nqY1X+9I@G(QhCybwG$UPj0;rcuCC)V|S(0-cUv zTr4`B)NsYRlSDNVgY%2LJw zb5Hy?=?GZwM3KQGutCT9E*$0FCFa&>v7pT(4I}f=2 z>Z|R^Lbx7|XKzL#W-Kh%hSsk@geW^~Y#lFCB?HFhw{hff%x!**h}Unj*idmke(ZDb zRfGXyA)IlI6z@oxu?qrw#Y}K{%}GLv>q(9SmxIaatx~eb?;$l>Lj=NU_{yp5xo3Hh z;%wBXOYj=75`|`)wK>!w#Z>E_N}f2sQ#CARE5^T%A>oVbWyl;TR~ZZ zYwvtN76QlT!4RGm#;}p8O{s-NvOO7L{*8ZQm9?i(7{ACj%O99s}Bm(s`doKJWHy5-GOT$*pBt|4+s6dDnXan`gW0wbs4%~du`ku}yB zLlVI`r4p9G?M50YbR1e61&88xNrXmxB4v*?h8 z>SP;k(~ZB$rWK@wnfj;ALlOSN!xx=)t^tsE5D5--HMhr+dp()2`T-iyaQ5aOhsiY# zc{Ncdta%^ji?JnRplB~I(TS?~y(i55u!0`DS9WFykp zoYIud6O7g-7iu@whwzf3q|u#meu09o$kt;^JmqgNgqqV62zsb4hJrV8db#;-=b2Wn zII$*KVQv2C0*T%9O1Fh)43t3sIxm|?psq9m;XV?; zg5`@xz&C-SR)Fgm8bQ>@9#6WD;D7w>=M9X?ck8%9#9UOEYF1^PZ=Pb!MKxA{Y&CaO z=$qb!;*X|7KjXM`r%a9?gsp~OS|vvBiC(!VjwviA>C}v3>}EF$nS<0a9JMO6S?F$< za)ss8&}RS8{H7|FNM)xlgd;W1)EN89RLx-frM3IBvC6#EY}*hocTPUcne7uQIWKOqW$^};J5%GkT1;gpLrBSV@%C%Fccg!mJCNvW?<#x9ZYQi zMyd8kJ)MEj>l?#&(g6u8V82O%b#sJ?iMz&Q_D)6y1hk!W#4_a)kfiatibE0jC^e{C z^H~c3*Xpb_pcPC^-R)VmCF~A0PgBXFTr53`+-0wUtV_h&Y1BC$&;BO0}mnC$H?s9~C=QBP3RV^x5pp$+P@ z8W&H9*=mos=U5z2s$-7{+#NV)_^i5X-iQ~-p>6-%BiZE|9S&jDp$(H6C7&{<8pO(; zB{Ov#r(6dy9DlkFM_zcj5_e3F%w;v7K@1s#+4zVhep7s=N$E$;VbIvXeqRI+IvTlU zLIGJKiUw!Z?{~n;GAn9Q4>-);Qvi^Tov&OM6h2^fz6_}+2N2lhaYD53oPqxf@~O1e zj901A+Yks`!w=pLp<&cl#xvXh7{jzUW@9$kdS>!lYjiD(uHbWY-KMjA z^3b2DLE4E#2*+)fg<0mRH-?R%!2_4{CL}GIyRGbXU>x|=+eDVVX1-{XvPfdHZ-0ym z^Ra&YMokHNNl$=;!Y!rp6 zUNMAEIT^Whb-RX!1B{7xSM;Zk#vjrZv_)2&J92a&5;<4ILg( z>`d5z&GNLqy~~3#F)S`xvr+Q)fHvw&vHjRL#zCZ935brLx%P5(XBbb1bZIh-*y!A& z+5b<*7WdxywzT)KY6^y|_Cl@KrOd(Vw5{biWVL+vClJUD7m^!!*SRc?O&!FIgZg5uJQ?n^z+7WRG#fioc- zJ^RXRxwE!h*nV;YVc`=Zu)7X@SK?m-5wrbYXyX^ct9@(VO}0~0*S-gwUns|RK$Tr_ zt7CqpfW*Y5L}-8aly*f1^l`oq8_e2)QTO+)7VC)&n>l_OzxVf 
zsId7uZnFUCHvdPi{2QczN6gQjKyX3>C_J}_kIyT-(SeYdmr4TQ?Oyyq>WfS{v&x4$ zUy7k2<&)etC0ixn&&+?EZjD=!j_&=uC7`apN7y*LBWAsm_O)pwS-xY_=pE4{#Vi>E zLOr+fH?n{qW8%+R%+oL_T(L)Xnlvah{a)}zWvMa%KUba$80(YbxLeT!1Q<^ zP6;GF=S@Q%YkB>nRX;G?#S{C#z%FK}>24VZf?U$6ZoS6GyY9sP=<;lWwQC6jIawfQnpO-9Z)g~Z$*RHJa| zc6)D;@!<~!3Ev2*%fIDk`@S%I3w)*bukJeV@>f3O3M#JGGN*P+paMW3<;b9Nq>_|A z_>7$UaQ)-!5mi%+6vs1BhYts*%cQel@n5FbiC5bcf_#mJi#mVs z*SrJYn4PADx+Tzp@c$yeK4l+xJ?VKeswk)0FgYCxyK^yyWl{P#Grx&CC`tmu`AE@K zl4ieRJil!oqXQG=Cz^C7$g4tGquSp>myqhs7v_?a!2LmuotKnl8eQtv`Z7z*s>NC- zAi1-uOrNns3#*BLrAaHzLzY6+?X0eOhBX{h&Qhq$1_QYFxGuiHt3Lo*e8|D6n;5lH zVBSoy%;~W#m(6GVm%Hn`s)ZF91Q<}fmu}S}XItj7fm2d)XocpyH>(HHVqHKWuC9}r zdL=mgx$cGht)F*!m4x-x2uMP{%SrQ`CD!yGR@+hw~(}_SClN43WOd+10{LV+WP;q%3HAIMc6k)$nJ?a?FTc z`x~|SU*^TD6{zUXL1fLp#y-Wn1nRs>TH4gpDf(bfB9q%&2zQ!;rL zI2p_`wYQ6ah~oA(5Sc#EHS}}Jm{(J^I^&A8Jour!;cIqtBnyO z463b0*t<~RU@Wm(6AHP>oK8t?NR-BQVfd?^& zlehE_cqy?>&Gca=lrQzjct}VMbxgx>4BEj!%}c)u@sCf^Cb;)mH~O>5FG+fI4+zJf zE~wv2@LXaj{LI-*E#)kb`Ptha3Z^>d_()nOG*YvGl(Iln`@bfXv1+yuyyrIPQMSSN z6M1WCo=qrDs>}z^rDq=k1|cNGke-S;M_T*&I{$426OLSaQB*!a87=YWMmik1 zbLHl{8&m}d8G}C^Y1o&4{28XFKEO5*Y{V)?n<8M z*#%L_Jv9FNA^3bE4xQrg17G?__9D}I<$gJG4wO@!BbWxROl8~4`Emc{C$WnOU~ylQ z`D_lT1zf`h<$vi7WF2aE<7`J~0YZGvwweJ20geslncvr$OM36KLcC-~qJ2chFN$H= zqyG6X>u^pYTzM)kfD%Kdrvsh~d>I5Rx$6Fv6-WdlPOcvO8Rx%Aq5)&7ki7unRt`9< z`P-mi5`V3zPv?B?JnSHzSr6_OqDV~r%aM{yl_5l?@!d@J7O0d zkD8Y}qWlFkoPqWrf>%t(9TNQ#gzEAvf95|YDDq+tEn{ETG9|hJKuN2)3 zc8F%b+7k=AF~kh%M4)idnG6ebD*SMdN-`Oz=zML^sOQ#6>NZ+(U)yPP$QmKictOU| zjxMjgoUke+0ZTty5+nBI1=7YhUmiq98nzlXOmSkO6#$)uEm4x&SP98Wu{OEtIQ%zjH1)OuD-PsfFSkF`&{lK$(Qm5|E zqh6qCp1b}2C(#Mq!X?)6>Qf}r@xPEQNMnc3uRLAWVI)v>N>S5juM1>7883q1V_(yo z&YMa5w7>fRKt{U;S>xum-=#7EW@C1JyT5+8=cQAU8&$S!LquZ;9gWrJFTY8VpPIU3afH^Tc@Zy~6+o0#EIRRIX+GFl__rr6nD3lKYBBI=V?fYGW z@pEx#6*n?k_Xt`BN}1jTOK3SVbqF8gmVs!KA57y$yb}Wd3*Br5_k_sW>ZK?2{s*ZHt{AqIIb;w8$sa zJCY2rj6+Hml6kfcNqcdQDYbD8oxN4EWUQVlNI=6&hFzfVyqFllPZ%~sNC0FZiH;9~ zaL&%>Hy~Ta?lms=Y20)|ZnF|SHiU`4WYJ@057Knlu@gB(VPwUKGgBD&pa^Zz& 
z0NMf&1`Hqk;9%2Z zxB4~X;edH;z916CR7mL|ZoFPkO}o$Np3*SB5FBRAC073UII?LY2c96Af&(&w;w_Q3 zeVPEnj^H=jo+xPtNI^_^KfL;UBp;ioJyp7A&A2r_Bi>H(wMFoFx6x#!O>371jqV+q z5~H;=hzo}HvP1fuAGz4f%lLB^SfsmR*C1h72V|N9IouVU$YHSayU&takeq4XRf9Jn zKkK=8c#L+JB(?7Qk>@$n12PQ7WSndd!DC(+!H_i%gRt9yc*dwLeK!pl14WtfZ0u=G zb{Y4^tpa0a06DjVM{&^cza;V<(u~2WI)%_@lo7rIqBv7Duff0;07fP5&&2=cG*FKr z3zsjTfL)Ra*mkMgpyUBY@XgQ^uF+|hx*4!})UY9lHcgo!5P9vV4fQxB8rI5_*h=-_ z?a-GZ)Zi1%Bb064s%;Xs+q)B8z`SCR{u`r#FP7O52t9Dd%VeLEpOprrQfL=nQ!P_l zk=gIEJy;KT^)R~i6u4UBv62LvaXdfsUzZ4_I7ugf?xi=|qabk@5LSnF;&@(TyZ1Q##68;zFA zn^Nr=1Z8(#Rnu?m`GSw)2$PM8m1MQmA0c1+hV8YrCZYB|5;ykB?v^S^wc+bM~r*rOCFmorXkWjM{g-5c?ju2pPSOCE_L_T}JDQoONbwy;iklZXs;zM+#dy!$7{WX=VN3ZLR<9`WQfaGwH_D z!6(hf3C?3)u2OY0pn`K*507A@`3XSXFGPod+IpbM#z$hM7!Rbluk6ue`S?&8{r!>6 z=O8mGyB@%#e#*kFFvjwNzdODveznUFVe)Sdo-JgAtZhD-KlnPSgrSePh8xLyE#5fF zWx2nPIFFt9ji7%kQZZab;mGzKD@abHcWH0013`m}KO74u+WK6@6zZxB{dw}BxY}SF z1tx=^UG4Lojpg{HIUg%=EeYcCRap$?fGKYs?V!5zA zR1Cy+b*Kkp9G|F=n@iN`_I@ACd$;_$&{6qQm_kdJ{!QWcw64`mZk2kkb*-?&SzBz{=o5R zA9ag;ntWJjXe6Yl-rBi6#d2ODAZ8}eaG~=i7N+zZp@{xh#gj>U+_LxFVcA7c_l#%J zat4d-=}5%(6gK|Q*mmsKj|dpAokjfi!eq^;G!?kTmH2EV=K33DG-UkbO+%Jqw*{#3 zh=IXJl$4y)6LKFU|J?^N|8OVISw>uh2h9_{xI%wZmAT%8eDqVAcXMD6`P{ztWEc~R zWc+ECeXfNnzpj&do`zPNc}48h(k29@I_P}@9$Dg&wvQ2L zSynJ*kO2tmSCNq2>}Heo}2? 
zV$(TO5u(&z9JZLwGYaxK2>WX}NCuP(xSEupq(j60vG~2A&lPfWUYp4#-bjPRmuR(K zXU-SFm&LrZz;T8X>h!A|e>%ESn}S?`&y{Lp$cQ|yY%|0?w3f=|juGBQ4|hYCwvuw; z7}aJ}CY}8jG~VxOS7O3KTUqasu~Ss8_@%{3H%>5gQvQ*$o=&z=pr;rPA%oNKb5STS zczX!dZoJ$P)-q=DzUJAc1PAJiDX0ts2BZe@4wRreOhDWY(R2C`#+qlqf@MKlaF#X~ zmN6VPO^gO0Fq3}E^%_5$#$!eg}07_IsHuqU{`oG{k2=`Qha~A$iu>#BPy%J1R5xjSJDk?XkxmTuIt&+P6tEFhwy9+zL%uXm7R8wE4%O~=I(zU-HD zm^G&G=NLNV#H$}oWUn^XhOGbI*q?8zdOc4(Hgg0)(Ff3l&1B0NxEr+e1|GAfqe9+l zkD&Ffgwot>Dz}CCyW<4cv6E=cD=gYo^qd^_bf+Urcc4|%OcMLMqC_if(|T z;-?FD>AoD0vcO(+?eIuL8{t!lM)%v5D7_*GuVN^9`opEUWk$)Dm9k9O*)@<(-I@kn zj1D;JyX6m5y0O$I5wEQvP%B(V&t0@M!r`W<@E_o%)f9}01si@U>zq+lL2|S?at2U6 zvhhyrZN6|;e+tw~MT~zP9bT6S&5Ol8F?g1+tPLkm;PAIu*4+k|ug%fWtwjxoUYzlJ z*i8FJXt?EOS|5h%9{hEc0LbGqyj>P(IBm09YlzcqQo3cm&y%v<(FFxgP%UD4g)6;z zb)u|RW+bdp#U+N5{SSZvGw7^dd?|Ta!(zj8LQ@9+@;IATEDhjJ*w0W#07Uu5EjXM% zjh$=vIOF1SV2RR45;F8X=yPV#q31x_j3prFDTtb_Th_wYmc2Hm&OISwPoyOt8jstf0m zIIv#*U*H60x*(JY)fJF~qwtBRBtgyXS#6W+8VCh(izhK}4!YlcC&e1$5^lzhHP$19 zVCCcRQhUSFo-@lYgB$(vJH{3PKH|gijUlLwpaVMQjBCT(L&j`C)=Q5|0$|jPy@!t~ z{LqQJqfr`8UkHTfda&cdA+QN|WE88-hl&8CL9~qKRIN{W$_nd-*uOC9CLyt`2C;36 z>5S)Z+rfiXHk?6RAAx@@Ymw~m?-3FhLpM-&q_zaSLv=)zl%(k-7R_W#RAHP5q$$~x zNR3HYFxm^rvALRQyxOpWI6Lzy@s&1J339r0$D)8bAnlour|REMzUdLUNmeGcNr}QI zKbe(D-1%yEuvyoEA@bIryFDOD`{#rS6~bA0+0ZkD#%3OrnxXEjLi-=o^S0D3B-@?d~7Z{^s4~(T(Ww4~smfTFZ>_Lwc*)nQCe#X@dH1^quF_7s& z5mXhw1c35pv~KNupb`xfAN2vi8+#{!>Vy*bB$JdV2eR=S(SpJWl9(%aTT-mFflIj} z=$3~0fo=!r!cP%c4rG({$TQWig^>HXGH{M6kr3m{;E>yP;2>;fkGyeoEHK^vx2QJI zR!~ks-5Dz=bAvto(ca&P#A^TDX_8mGu>b0Znp}sXxS+auwou(HYhcUBBo(^@JX?m< z4}=l_$MR5wUGF8tr_5*TTK3Q~0J!qbFBuUy%%Wfh| zK3lenB=+X%>8c9NUmZ$~&%nxwSF|eJFt3biFDI%Q!PyJPvttahCmm&o07)?ZI{m_- z(?&BvTr{1&_Y&met27h4!Y0Z`Teq9pjx=GeTJS1M!wro4xW<4I&2eaZbP$q7wo=G4 z&|k_!a9d^JnT$apeE{mInh!VC^TIJ=LR00CJEd>n(Dq@Yi8mLJ^r|mu@`tx5OCB`3 z(C-z)-VVWxTx0{C z#5{}3ED#`6o1}K%xjN~;hhNXFGY1IFAwjs{>5O5@U|!yZ6D~D*5WFFq?1Pm@YF!pb z*iZHEZPSlspMr$oVC>md`xYlyS_4h?Zp2R4@Z`G9mKPfEz)DL6FzbOQ^2F<|IU& 
zd%!xu&)^gI!F|^E0ddhj7tq;BPxM_(A#4=VnfRO|I%lV}Lv+z}0W%(js@As76;X_R z-t#seOrNyIRT4lIN{K*S!sTV09TK*pY~ zPny+}rLyq6%vdW<4#cw7e>GzR%w=L7x}_};dn7v)hBWVWpu=eb+-p|{hj2$9ZL81z z#7aXXZj@kSu^;V%>93auudZ0sed*rBA*>k0@s)eg5asP~=U&U2ZNw#Mg=w16g&3kO z;owO;W4ux#g@3>`1M08`ymw~K^EFjL=J=sz69aCeI?_%V*N(tCq_8!!24fwsL)$vFVk^uB#2yeXK+VEYp)uy#VAznEIu9nUh_&TZ5{d)-GQa1N0c6xb(-oJ9u6)L3mLL?@F{DLQ= zG&EoN;Ic|2f$hDYrV6A(BVADKSIm374a+_}YK~&-GPB-Pfs(=RE+ z<6YgSoO$ajYHbC?quN(*(-M2cSiz?p(gL`{@lv6e~KoNQ;Xx%M7e`=BMb%FH`1=pwl+%Z@N(%V8hH%546h%3ihpc z&06HUfung)em1!|Gfk%%)(77<(?Arp@@?uL63v5=Y&C!&UacJS05kyFRn{qtza+@= zEL%HlmcTn0QMOVUxW!vUGmbr_=yoMl=L;vs4zfS4pu)3ExtvexB?vG%8%ZX*X9&)S zwh%Y%Pd4|`am{RSR8}?_c^m|7`SBEY#~&vvquKWBwpU5O;h2G&c6ez0ut+}wJ6sB^95QCbQI z76k9yZu^~p2_N?@r_P9^POPKc^&s~zz+Ng25Dad&c3YL*yDc0-VH9t;JRNdi@Zc%l zmc8-NKrr^)^-iytA@fndLcsj&lFfv$w|eUDh587(Cc__D2cR608{(Z2%8W)i@4O49 zn+NF)qBEV;T9ChA{Mzw$NyZhwZnNQ)!%P1#RYa5+hhe;^jBY9m7GrZuHHaKM3r$s) z5rQWfOJ>lFRf}0awSq_F!f;)KmxbxwTi)D6==J<+(n0pI^_3X#F6fMxcG}4`r%qN3&O}sa=Pk zHD-aqxwD>fK;TkXF$y(LMBOodniF`E?`LU^OFTw^mJEC=$2z9S+um2tw+i6rMKjmH zO4w-A)VY(n@eLpW?f~P3`+N5>e<)NNZ@blAhVAMej`%g)37O&ylpv3gv zKb1HrE5EJlnLr4Pvi5Kq+i6f_B75>$_-7G%|7ALbbTNZKPZs3RXj}HveN||+b z^~$CZGA+yCM9IB_z_x1KuS5ulL%JaRAg7fqmLXz9^yoVZt z;{{$(OGi81LGgC^#xOX}lzMj<{WFHMSwdTBNj=(H$01HQLsdPV7-5!k z_40QrKsblkKO8CWa4Dw8#o+qbsOi8|WTH5Ygo1vqdh`q&GXoPR8??LY-Bm(0PvsS~ zvIXbIFgCMB+LPsyq%%F+-b+SWJezC&o#z^i09<^2ST>FZfe-E_49sW@Nmj{J325Pe<*7zs54Svh+ybD@YL(?x+k%T<2@1PwENW~fmC}pq~;Gm0(9IUZ_&E2y!w6nyNbQ1IwV^(FDoZ>4hVbn^Ka^u>@ms7;C)}HcXyUm}98xyQqao2s zW=O{Zuf#^FUT(oX5Q9$iwPB_b?M`(zV4kg+=2eJZ`@tei58Ap&IYVYx0`%RNu0u(H z8Dc#y1920KC(j(mo7DO?<*BAIH+Iekp52| z!Io&ccQ(iW<5B#n@rHzZ^|Q}4)%H^r@=z<6C1JfIRu6Cm@P|hI#s*)ZMD_|fs-E`d zeKrg6Ts622vdqPZCJ-pQlz_aFv7~2l-vJ-o%Zph7Scg;;pG)Yor!}FKPGnQR*6r}pIcMjaP z7ye8`(>BRc#kgU&e%Y2NGztqU&JEoKOGZJRpqRlAJ{_SM;6aOsJp%xDa}%2;WRhdC z<9wvX5V79ax+Li{BZM~S1KyKvcygZbo!U{rCGC`7kY)p`B;3iw5>l5Fo`!5^nh%%z zZY62d{o$}bkRg!k=5rv{G4ZC&I!{dt|M(&W%^quG|9!k@+oXefO0W{dI2j-RM!m2G 
z@CS>7TFbzuBx0VS^jk7vgNfVfe!d8~jIsiN{1Oz7-(kRRFdg^cyjOkqks|>R1$APl z`x_)#vZeI8x*R%JShfVkVh&}pgN|m-o91|eTY9pEn|(Ij-xZOK%5#IBfal9;YhT4a zz-PhDtLlV{XLitUUQmbnNT}UVH;cILK|ejeM4(ZVY7VT8&=d+dDCfC^!i+91a{*64 zl&R*;3d5l}dHTBWtnsCs`nBqbL@5pXodm9zptRQ6`&)OLcj4H{H)jjNW&Z z{NE;U5eCD1D4f@Zd#0oX9Y)wraUYqJ0)i8mh*R9i7xN|&Iapzr3Kz4&a}+0e5=Aaq zA+sLgBVF#zax#ED3*f=lmFgPx_gl@O!g7vHSGE>nj6F}A`LzW98BL=e=<0wxeBv2q z`vP)Guhqgg76{l5|N5E%&;UP!=>hLWBt<8KjtsmnjqhX_p`APN1nVy(m-+3?l_7EBhXz&Fe5q070NuGP8k`P16fuOmnE?1cCwWC}-D@SiAoye;yOHjL)xkf>93kJLW#fo4|#cE`#=ch(G@WD{XxIY zGyNiZcz2qria0^O_oq=9uH$a+QdGK9ou{4=CwGtK8!Z_ct&&LE3Q(L1l?+UW9v>sf zt4$@`ImS|v1(;t!pAIYvdG>&oMCnor%=2W1KUY)>mj*WsTJbfxj%Y(ch2p1s>`#4m3 z0SM6*2vskFdoASnkHW(v;FqDg?m8J)-Q`c0*_gif&V~_|a{VF?a&&;7r{`gqDf&^A znn`sIDem;>xL&!S)sUFs84KZ=W?p{*1_kgxA`msLlFZ}5#6n|L0+T(1an)^*3QbTW zwmvr}f7LkDur0zL7SJ!31qAheCciL*CJ>C|PB!i+;pURt!gLC9@~5)MMr$h@ zPD9O=MmRiM1)0re1!H$`A|ZYv^hFr!fc`Fy><$cF6o_X~!v1ZB=(r>x5{F*AFkYE9 zjdgThEv%O1&Wzx8f>-2F;i?`xizRF~^v9tqY|d)!3UFNh<3&>WhGQzqI41w`OS1mI z74Sr3u}mo@jW;lbY8i2ocxeh5`EMXQMJGw>{cGqO(4t@v>OAQ%hK~?s=6k*Tg%{BC zUGyB3?atC*hJUuoBxM`DH|2f$xB|FNB97i2#JZ;2r+prsNIvd%$W^s+yZ!uSD+4Ag zJma7}63G2IW9NH>7`Hr$O%v7H;zdUJb~WEJ*pWJ`_9_XsLk;{R$nKT__M2p9KKXSZ z%*H(OpKrl|?FEAnANdB^@K7OsqOkM_)Oo$G@dnkr)N@?iM@k;v(6BJ?l7)V_ZR^!1 zCVsA_%~HW;_?C)b;v5Fm_{oFzo8Uwu~Xg+E-G$kvWWu&4q0xeZC+$^<|REnGhXzq9D~h?XJoO}ol&%Xe}` z-s#V8!1n|bB7CTv|3inqLAXKq{*-KfimrY3F{E zv|P?0RdT1)^CThk9B8PKhCVap1a#t1DK?)(tZj$uU(hLF8v4GA1ajN7UhYUp$|h4k zy#aRy*Z5RHg#PcQXMEV?*3?=CYX^GJZx8a^DdPQELEKFm0I(2S4GLXM zTY5Rx%c$f?E4~%1`BJInNr#Q|y|tB9SMo$1T@XwXHqNU`iU&G*sLS1_C~pVldm)4kUR& z8Uuys(elTsem;o06vw3a#_F;kKtay`mjSCR-q#LF^Mh(<*yumoY^wAwx^6(FcCe2h4*sh$v`7^C4HmhK?)FY zM;(mZpX|ZycRo8T569T_$R)QmF>TOqIlbB@@^?f#Co_1W8Ak97=t15A6gA+v8>k0n z_5~4ZAT!{Co*MQXay&6fO?=cgasKFIZ1F2bAbhqM>p~wS91Y>FV-Z-tJ6?1_f;w+E z{3s*!p5fR2)O?P%yti-N#xgUU$LIEG;Mcf+)C~ReF8qRaSlkLxFEae$51seX*SG$a z7c5~~MjG(zv~TT%0ySyA9>6T%8RMidY}=eOJ0a{9Y49o_hQ(E&LR39p#<&4lAQ!$L 
znGlqlzt8q{Nr_1cQ?^-;n>n>_{DAXwD!$J7i~L_ku>t)YY~a9_BbR7P?Y+R*81eV< z!OUcWR*QdM#Oh4imV#Q{tDjx?udO}q>s0*LX4=U;3<4N8z!j1wsfe_z!+F-NP4SKB zPU<;;{Cyxkk@Dn#VY{0-(hyWYY2iyZO~rm3Yi*hvVy2}eN&JwaS(}~VIiL0C?@}QR_C>#>s`0!o^7mLmtw$_Ok#06s-cFOJWj~H;^Bg&To-i zLmvixtb-k74+H0;XZpfdDkhI<^RoAH^R)P!i? z2hlVY61(&4{Kw1CqM()&`lw$Vp(Hv)no{*tCN5;ygDeHqY581FacU+QW<6Le?PQ8F zJE{SLjFFNwNwl>5>{m{hY9gCnfPfP-#EhoED1)BzEnwsDgdY>g$=e2r;QUbFGy`8) zTaHJ0gfP(m2#gpOD(n53jQ#~+oC>={3^&u2B5mE4HZ6l8kU#jO1%nF zIHo)`9H#)uj-o?%APPDfjkIC4C1cTootg?UFtDW~D1bNoE{~8E0CHCBXrX>z%PgNO zO9q6$DGrRVSaRt}6GYc@1lO5-Alr|BhY=HGOf2dMVPSZV|2# zssh*;a6~Pp23yJ*zk((}>MWoF0!k5sf}ij|v7m8njYowsW13q=EYk5Kxq)wi6o_cVy58${EY}q(iOPt2B1WF#I(xwyqR%6LM%$;)&HOg1!$PZ7@Ki1Z? zwtJCFbi7=N;zUstL{@>oY+yn1tU{r#u230yE&#{@v(Qrq5E;N7wrY6Q&XUBqsq{Hd z-BqSdsRTsEqG;9fMzJG*C|ZHYlSw`5Sm_gfS~{I3&ve>|wUcOXwON+0&f%m-$Q^Zz zRd1Xlw$4em-xR!L<)nOo3waUKVaHB~uOVx%gN&P{lz9Z+?l(t&8U^#XL#+u@2a`#B z%nxQ2CzEIS*q6e<_Iwaj{@WEIR~AHCsrp!zZy$6haL6kz;C!LF$p~R!cE-kR#8C=B8mMk!N903E*mQ(*N-e412?L zBhQ`=i0K?yI|_@4JX<2m;0zIY7I{V&_!qPnE4Aq^Q2=-?G7;fq1B4ad^#Rnh*#w*m zV7e6sz+TPNX{Xd{g_8sV>%DykK20kTrl!<|)jO&=*E#OcXw!w`^*A=rG(JRoXWNHR zbH&h~KlM+-D%zR3h~}m|JA3esUF)oriEkgGt?iJ}(>TXoyxX@!&cp6#e|g;vOzZg| z@`#2xLu4SjYkMQCFz9pZyiPc`@oIB}h#ca_fhn2LM_g;G8XFm9BFg3obvsV+rTMAsgMe;5xHbc(u6k#q{Zs zM-H)Y29X*&h2)Y$SWY2hTL! 
z7Cq2_WG*c-Ruc<}&smBnH-8oRkaMsXyZ7ikeon?~So-HX6Rg7}CXSpm>+7NQ(ALbh%h~!3amhJt?B1i_7HR3tY%|-e zh}}OH$9})t>T*aQA6t$zkKM?}@q9yqNP6?o-rSAM>_Ib+1Su^J?`}OJqJ48{VPp{$ zxi+H_P7@y4ZjZ*jb-Y-S!qGTH))zj>NZ5U+`T zijJTTphrmfcN!226H2OaS1R@5tZU<$&@dimnmSH7c6aQJKY)(C(J`ksOn)GZnGq?L z_L@ubtuc|j==p{&I6{u}G5(c*TJY<PjvL?wa}7e)0Ds6$X<2~;TYga^|GQ=zHQ z)WHL(RDskdL67tYXa}lupo<_XbyBNW1mfs}5@I0}y#pI!p{TwAl-Pj~l=wjq6ayRL z1yEuJQz&r|5Y&$iu}@U5080Gh10@DZ0F|JGSZbp0u_5Mx68A`<#0jDZcA`25a`Gq6 zjT1)@Eg_DYfD$9vu>pk=L!){fD6!4~DDi*B2fbr znQr$YMka)Mrlv)(_!uxPA~t72tw+p~3`gWvAiy(dfS9TcQxiMoGl^m1@9>$zU8=~& z4i~l55mt*70INw_X!wNTq*+uK0Oh|?=6LvH^$9?|HB~kpu8$A8{#AnNw3B z6r|bk;~spb)W5kQz?a&I@L1k}jjM7l*h^9mzL>sh}-VPva~R{D^&!>laWcTGBkdknj^`!nCACTJ*wGef1Mqrub((oZ499o3ThbF1T=<9EoJzSC^B{3nA>>i*t$ia_0n4PuT7rhUb& z3UQ2J9JRCvY9?oK`mD(BAI$V7(-tz{ijuRyk&08DRp)MohgFQd7j7o|zPp-BiBvZ! z(Fgu(LSzy+fbIw3VE%NAs!sFPjnU?elBWTTKL#zLdg3u|jVvgP6OhXoa&v(%2dpFp zPCLKT>L!#4Oj#ph3KdT41b-YJd17WS;R4RH`|e6Cl^-Sq68K^mN`6qEi!w95G$cLG+&<(D%)JM?Ilmz3}(*8kG6fT9>9) z$`%HOCtzl2EYOArC~_VBEozfaSgDC$rWKngJW;798<`l?Yw)jnnFmlsr53%Q<6&t< z!o0M_aE_1ILgu&tTSyRjy7398%WbA}@gx`HC<{qA81oJvPfCroO?{D=**m>xp@^v{ zfbsswBi?diRpnT0Z45SF*K4knZwbIGAVm_UScV1;Y!`sjZAg$%D)dy$Yb^B*S`AWaby zg_i@kP1f6m3l=plElCA@6`l3ewW3IuBE9!Uy+tj9z~l4YvUyCF4iFfI#8e5XW0PG# zL=-9oU5quTL~Ngk$VsLM+82p2J$AHNMK{`nOu#`>Bh;8gTI85Bb}J%tNh6ZvMW)IR zbgV%2!X^URkB|jTrkp`dZaNT!lBMn^wJE~*AAq^IN`&ANppBCkIog;>p=zlxd1B?tQ655T_`7L)s#ZWkz#^himf#K>#RsH^`zGJb3yrLk?^Z!IS&H12VQJoYv7aP z?9f2Oh@m8sfRL~ceWnn-wznmjADLtTl&28 zzCgfcLO!lRNnOaQ;QnRR+;W+tfsB^EZ^D~p$8JQvi7tO@#aknf$6@JKMlC8NLG!=E zV_BB)0d_R+tYqo8Yg8`d4=N@-l`q_pR(kgc5>J-!3}EGt;TcJs(f5-`L=qtr2SATq zGJ|_+4shcGFT*uumScuRjpv8VQ2oH3fT*N`n2A39i&G~K4IU129EwK4Sr06xA8}t} z%`g&*zC@{}JneM270X!Znrj+E=zy!`l*FKwgxf5kfIwsN4AXzcos?{#EOh35o*_n10}{UMWbKqh%J zrKI8Y!AQ3hKQvzSxVBJvCXxU`oGosg+AO1TEl}&FuJLamD>1#|r8#Kn3pK|+UMu9C z{x%=_sTTAGGjzJM446+|+i}wik=P*gVFdWelYywfpyuZ#^fpk=)hjhnhXY>>ak`w> z=;rb)Z%1|kkTw?tKM%`cK~o=}BhU4#uFRwKGDNHK`Wu$IAX8%4k^gwCW3Y0`ma>Q* 
zk}6s?1>^pMgRNlF$8)^gl3EnV&?8zYiDm)2r$Jjqwo`yc+ow9`nT2qL+uCM{6ffYQI43&ym zIBGr}GKjP%M07mqct-wfisl45MQ2*dOpU^XgXf}(sA0|C?VB;1M5NOeY z$qMB1zz&7UWHOmdCX>m;aU92m@LEjPu$Wz#kYkyl!foO0HU?bv;q6Ec%O`>vn z!}V1sObGMpa$Ufg;b^M@O`Muf%aJTf-8C+NUfa07BYPJQbebM87-VWdZlStQjRwh% zS3-=Cw*eNDl9Gg)DxEO)Z$c&zQDBgIiP5I>M8@Vxiu#nGMK~?-J52Hh)uIpZzo~7$ z=m}DB68uvVAqUD$?YG1f5@8lLgKGwc-z!p}`eR~l6lEUrErt2RNx?v;NB{$!2lEzq zv5m@t;&b_YJQ_Ifag0|61w5&R%r*p|;F2&>Mt^x9(Ya=pOj_{oc%6)B>#4W%qJp}` zN42aA6tye?%yCVVnZ4lr-<<$|HZjs$O3OM{&I!j5PTsr)-JblLf*kuNRw(XH@8BPtl_*Mk;_1$ z?oa9XY*>X26^wnwZSt=GC}+#dDaEIY1dfgt-RqfBkVYM~y?mJu-3PdGwT^F0xGycncg^zg-yc4prK2GHw(g6+ z^V6|3!8LFkrbdngGdEH4pr3}i>4S>)Wh+3ESh3z(Gr@4eItJ07w(%e}8Dxje8QGOp zju&Jdf(8i8C^F_io1GH`n&fmz=ior}2<7Z`eq-e6qRw6#Ipl!ZpbyRpcfXhWgLB~x zH#Y4y>lwW3gPu}@hCY)K4WmYtgcPFf7#!g( z-HkcL4_zOFM)Ky`xn#UKQl~+IlX{DA#?sW@Ez>hWcCtj6m-tn)?cH?X+~T?3B~j59 zE(C)AxvFAK2mnc`)Vlufzw_|6>G%fXw z=Ea#3Y4g~4U2U}Ur^GoY)Ii@cb%G}vD?K01IIaN4kmh}O=7oB_R4Nn<$DT{$P9gw1 z&DgB@T^q;8WxeGhQC*6A7uB6;w5?msxx@h}&kWB>)dMJgB*>u@RZznx&(4-i!5c3o zP7qEP$Ua>)39XvqukIn#N_8CHS6QL%v&UTV-ZY42J7AUSv#wMKOl7Yzd;fs*xV*GU zHXySoSo(tu$H&EGyIr1m=Z|gTT_e*r=UtS^YvpleEgZ2H2QB|vJX=c7pbn%yX*T}n zubJjgNLwce34wiN5X`+?4!gyX5|%BLvAPDR2PYuk&V{VGWjptBsNh`$?~Nn@@LxWDNv-QvzQk;Pbu@g(3uzWb0&}&`2m8Y&G1HeAn7(R z`mK{JR<2ArLTc)BBK15LFl${_LI|QdXP_)%ASq%}!AOzi8+nzNw52;?wV0 znzo;J>V7kOzveEE*9oU+#i8_Y#<%%jzo^`Yj_QPvy*Kp?pGO;zVj{n?Rac z0pde|(4Nq?%?d4$M4o^kQAk#xNO~d<1lm*A+bh2aiQA1hp?qMl25B``~0(Gikv zz)`Ogu!ju-eL_lrj$d;k={lUfo~9y%q@%H0D?&(3PK5d3t--O<@|27r|FJo7}lX_~Q6t~Q%;j^*51sJ>kc;^{SsmHMPBg^IElaR28p}ZZHq%PY?#qu40 zg$e1)5fWDm$+P(^Ok&3RKPih|e30}hU6>rDmAp!3oqqJ7tG>=)U+Hj)vx(D zp}W0KM)UfF_1wJ4+|B`J1xe5}7;hO&fQ??*#h6{U;E76q8I8)E!?y7Ta&ky!y>1>S zYbxqE8w|1`&~aN)9L?95+>t9CZA@a{uw1xGH+E};tE>iV4>FyH-AW}QVbi9CvL>(& z%dNXwiNmgu)37$v#_EJ@RK&9`e_Q1-j>-0{#?FmS3%O{l|H0IQc%#E|`=sVFYtBC} zlV8|qY?~lQeh|Avs5hbyV(khL8f34_XNqag{AW|Q7|ClN)n!3m(Q&FS&+&nRglio6 zEs`{MI`uFTyJZ3;5X)7A$aAG_&h#=;s-z#&Jon61bFHX(GkktH4dl6gS|)kDi*qo{ 
zc8+%x)ZMm^T&8XXI{~%w*E?UG!csr~WzOKre){%$8gozb?%ZJ3sBzBE&vu34Hr$V09 z8R1F`5JHy?5bB=*2aWJzez~O!+X_D>#p7Z5uzJ`qsUwr5zR3}-#;V_Lh4GL)R~Wwq z)8OJMv0N8YZ>)~B#pi6E>$W1jlB8IEJUkP`lGN))ipI8BLGq7W+bQgw6c@isRbjVI z$FoMBiBI38ht(&sTs3Fph_T(^-+S%gZ&` zMq(X2Xdu)M<8uZ*-$seFeHDv`pC&Ku=CjlDlR_EDDCFoEo zUJ{!lmJviHu~Nhx=wuj==70_w#Bxr4gNx_G;yn4Vhvgfm08KMimm1>hHC_oB`h^F~ zG?P3dV~EE12R#f-FoKN%Fv>(5)-oo4(fIzfc7q^-!8u_;lQX2%mIYX03=a133~u?J zF&)8pj8EdtVE;$!)CnCIPl-Lwyc+}?E*K1e;jNncV?FBip=J* zyL4|2Q*?^>*KKu^L4fVH@i{dT4aOXoKK@SQ$RV)}kO3dy=fG<~=kk!Qh05%ip&c$q z(JI#Y4u`hwp>1Cd6MBfNgqIlaNlE%P@40}hry+b&4bgO}oW9-(2$Oe0Y}XB&eir51 zy&)afj*AX+cDEt#&-s3!Eay1KP;NutJ+>F?mHV2{)-NR1s^_sI8kY_$Bj@yi5Ur2h zUP@t-MSca*Uz%2M`Ptg_%TD>-&Mxa!WBmpWdG#jCbva#h*Kt?GI%2zp*uAh@=sm>I z?+Y%pdPz-~=I=zu(v zV1VZykw`L;Z^=pRU*J>JJL&#{c%an_=05;?LvJM)fSWs;GyTsC&Y80{E#{{KgF$*f z!13WrL6Oq>Go|x3y2x*MZ~vCs9dR}{_3wtaZbie;7q;+U{C>mlaa>iw*09VZrU~ZD z&U7w|qe(QrsL;|jZlt~$>77f{w0@gZ$Hy%Iq&HM51Z}LwD?uf`@1Xf4t@}66Jz4iN zSFpRXH77711exyxj`rp^Q&do1hA40uHVNr;%GnPB8v#Q1fxve^ejs7@XuH*7RF3W* zUhmHq2hAdB)CF|HDxey3DLxftrcdFtUJf9{hJdAcWv}iD{wp|LJLu%h+2j z(tmXcLsA((3(mU;!N?TwGmPQsEoVcb zcIuMrxHSoR90*6jKvj;2$kKI!MreClLcq}}o>I~m*t z=!*F2c$MtraNFw!kxcPp>YjSB02lRFO^7c9RBv82R0sq~-n?1FMy&Jj(k{h~Q=-a| z1y+Vnea)auGJqxxr0BcVhSuGBey6F##%)njBGg3L;6eaOo;iG}Sd+?!Nr5h6g`bt* z#HCY)?=%5Z{vDNw8&WV`8#~~aI1!Fg-(0#zZtntXz8Qq;{t8gclTtr|aGOhE5b+LF zFbIDp2+y1`;s*^V2t9Z{_XT=^gXQjT9k~G+Xg+(uQYMib=_VbTA8AnSkAZAN8-urj zDxT{yZd9FdJ^^_nfsF(?of{O1sVKw*a5qqaKWD2ZK}E`gPlLKBq@P6DJt4TFF+q~Y z!!ujn(;WB|_xWBDywZ5KTvTj-s-Rz^mNl#;8mc9)6qm|AKS3fu6~-N$kfQ3ZN()RK zAZe$-{}#i8ZvTo2xz>?}2h&f-BEJv9_W_kwr%pIHagNL>C?>wlurDc$C_V#g~9xh=eV*^%GDmJK|N=-D z!(-^Zj7H%O+74DQF)-d?I!CwWe~iW?sgmVIi?#$bfh^R&5&VR55CgMWzd`Tr_zN^6 z{F6ms=o|-U<>S>bq*+fU=n&MRZgGT*cbifYKO0^Ja;I=?wY?}|&5#FbWMkzwni&4hiia4p z3wS?`lf?ABTG%Yd68bF1v=)woipFKd^n&XYZGM_P{yUZ8PA1{aYGmzAvm6MdYfVf; zD<_|E%Ni~Q%?eW&ZjTPP5AfY~u8+6gVOd7FPE<60I4j(7*T@xL_VL+i^FIv7+$!R^ z`MIyRSfAUu#{1O5vbz{^@X=)(!x$5?6{;`a#Xg}(u6QHdxGrI?_#RD##%JTTVPiFN 
z&!qWxxG`^p9steaW)TbhaTxf0SNuIEigQrUJicU$ingJmO#SCXn+nI!A#OwfYbM<7 z^^>7u-;426j@$Rem{B2w_QV#}2K0!%|BG?ZEipKvZRhT0?Y<+R!#xy$_p*}KZo3N< zr}NJ0YHy6+pkp&`s0a7QkDcQ4`8<#)_z7NWReKWIghxFl?G&8Q4i>`2`Ks3MV z^)2G>5T5UHiDAs=;9mmA@r3(?pw}g;fQy)xc1P=(iJ}w?1Lj@G zgdJ+2K4mx*1-J+h0Ct#&gIk0V7pLb{rv*5|YmmVz*{*4D`TG+eEq{vEV)y^TPHo_N zva^&Lk3vlxb+l5l5s~{?Zg@pWZec>btr6n_s5TkEc+*(wLlM`3!b*gZ%;wB1=Kx3m zhw3!I2Z^$%Nuo2_pA>|3mHM}(i7AtMb%=jsn-JWGAY|f0G`jE3&=vYvE-F|ud6w1B zJm2p;hU&u<8srqKW?2NEmhV%^&~$Y!xXjf?Ea<-zso28uDn5yvmEu#vS+*Rn+z=ik z9)~uUv%9f>$m>TqwCD6o1^XC?*?Zer%`Sv`Y|e2Hm7S%|`nmzxT|ssiknMe-F6#|F zK$rETx1q{Lv_Q6(a;-O{JKc@VN2Vj1jyt01e?xD48?T!fxAhS9`rO~KWVR0fUU~0c z_)PW>bqR;8J=V|1OxE{_E-Py?g;uC3vC-2>yzvNwfmZb822r?y?2sJ*FqODb`@QZS&aE&vX0>kNyJn<=D{ZtZNqdR@*ro*XZOKosfQBe`soSM2Wl(@gB4=7KAlE zdB}&eP2K@^zfAahTkpSXFW5|$jEzS6fP1Y1u(XN?-%QUq?#;t+_#v=Pq7XSaG3?HE zr5Kz%QS92BoR=Mq*>{d{&fdosgCVKPCFrU~^ZM~$Z+4xvt@>ym?~VVO@7~?Mxc!fv zWkOmNlxxSj6Os;Q^0+Wy%Ezyj+Dd!BG$TcBmdAO{UH35YseWO;Y}<)X)HB2Vz)g*J zF78-M&hh4ZU)Gmw)pguC<}&zleA$GV|JH`f@-m8>c$v)m+DUC%8ILgr|AUT^bOx8R z-5+z2H#m}3dTI$k8)lgpbD~W>Pn-CrO;33Wo~RUlSHqVU-)j_8fBN=jC1-<{$9vOT zTCC|y3!wS%8h&j;oAg;@m5ZFy=nJsW)6(>*X9}Qqn!JYbNhWwS8jt@AF}7yNxf74(i%NPi^Q$dZm;zvnI(YfZDL#_$wV97wp8;O=Vv^r2@Q&@a4GMDHOr_|IVL{> zXeOc>PuCt9fIgzmm_QACHtiX7GE+;nDhVO*(bH1(sZV+)J@s^6!bL(>ToymBc%HW9 zYgC}XfL(OO?bMl^NsCQ0VU`FXstmA-uTnRpzm#<;yi0&nAf3T+4}bv049wqxW=*T> z{BeL2^ciSS0TI^}Zi54@3#>P0b!ObrWJ&JElVzANbw_hX8twU1l$6$CWClzE$I*9B zxyjkX)Ha$_o2I@@{6^E^y+E_*oz!?(Q29w}P}XDQZ+?H3zTfKy>W~&U(`rv|gu%27 z{|g52j}O-mrN%!`okL)}-!+#4Uy6s3(wq_vCOD_Z$N-x1-PDf!^Z-xI9e)!R)#`rb zHxFI*Hn4#^O{)S}ck!G_54Mrpd?_;Srw9dtG>|65@~Q4L%PYDR>Asm3KX>Z~9$z7P zFq?H5mmkkJv^~Ub|E%6L8+7O|4H~NNH^0j2LXAORWVbnsITDQNGWWYp7n=B8sXsl@ zV%;_4e^4U#T<7?Gj@PGEG9v)}zFxyI!sXL0-yHunv-Xlvm_hW&@#Hlld9KU=ugfmW zh$ZuQ@%p@ST{ba*^F9i9?bpGW8CceXQAcedlF*Dl-K zo>%AAyA+UTZ_IOSl=9!H)S8X2Pj9LBmQ$q|3k&_`hzb$)|S_$KJn9TuBWGmmuKGd4B7J7_I2uht6m)si!Z}`#|D#LP?gucBVBN>XM~osyU5cLqw=>Xcf& 
zDxnzMuRPV9DxFTZUUOpEJa>hwn)}Rn)x1BmIj2ge-M+4r5BDbWopCIC=lJpw{oZ(J z=h$dhrGgFSP^aClv<>%mz1!|S-MwA!mO7m>Xp?&T;LOq~ihk$g8F{aC(3{hSe**!r zWz6h4*BiL^@qBY{*-Rb3pLwp-+wb`k-yqL-(0c~Zk&XZAjJP1bWy^YhkW&xe8*%TU z4u|i1a&GI!?Hi89yKDS=ZY-16JRQ$H0LUnnN*RFhcAn=Pz_BvjFQfW}`lxsVHaUi~IWh7jlPN!0>x!J{OE}LF1Fy$VZ zjb3*$XHjpBo>z@tU(TMQEvHLm^Sx;6exyIW9(lZH48eAclK4`EFTS0ssK|S@VK%j$ zaj{P_`{xDx!e*u8{|v2v1|0ZkN>JPWBzYcmA=f+;8=9O9=ZW6&?BuUk_b}!?q%G_G zby}q&w!d-wK9%0c@;n$KB$MNKoOGVFk%#Uu5sr=y5(~#>$44%KOFrdJ_|x1+xRd|K z$-@%oOf=zFj^cMOTe+|Axtsg&z1xR(z2&{z$2&klLIAUyr;FH)0}|ER@pf-48n`>f z@|^Swf9F!UR9*t7u# zacUy3|KWT0?~mW+D*7D{&D)0Wemq~QnsS%g1|(WH$3S%N!$bR-anPqlDcRU0(6pK5 zyfp%3A2s@|THnDE${H-UKwznirR{bt#jFyB^s1L$_0=*KU@3|vsfzU6WYYzlj{$1H z5PC!Vj9@@8u12d-1!Nq$vyzi~@0zSH(gwPotKPeG#mld36Gz)vx#=z&xQ?S{2xsGi zLYv;QQIZZ4wRH>Bdy9mSwq00$mg3lBmYa9=+uTOhzV_iLB_hE$i?_Lba{ka>nxD4R zv{_GDYvkix(gsw-e}u1jj>822`8P`<5Jk@FP}!9CAyz{$Ku6Pn?16Lw{zO~*C_r%J zGx+Jk$OD=AWnOM!jSEz*HeJuc%j;T}T68+?g61LZLnDx&r{*MPE;-GuQUH-BX2(BIyRE0a;4DUcGe`hbUZtZ&Y)rRto% zpFfA#c#4}lgP4cor}6Tx^^IERNkmEOjEJ>0JqX|tk>uy9z^4sXw2e>y2q^%)!1s(x zI6PL0(gsk8Y_E|PT2oZ8=3}A4lY3CC2X2H)5jZtWss=4`WCb{ZwTv^OAE@J3G$L7{ z0VxqBppC3I|Jv~uu%g4*sg?EBz)es^0l-qq8QZXcvlHK|Jj`{@N-vbSRc_Kbr$eiH zv-Kzb2!>9&tZ$2y(%f+3^s7^XtO^LmTuZDNJd$ov{>?8t(svrG8tqH)I+G*rvoIkr zU{`#yz|epJxzSuGq79N|xzU!&#JFXUYC~mF_in~RR}q5KK++>(q=P8mX$FM%Y#I zRA4IBC;8uLsxmNVGfs)iCrQs?_4nHA3R6V083)AyK`;03v9m$&VcAzym%9 z9zD*c9v94+P|ka1Rg`iNNg@>vQqzN27SH`}*=Bj8z>xZ@R=<;Js6h6$6C`N(uE z@LVvE`AO7zgpVlB65-ia$9S8krX*wxLJhtzve}@s%Hg=wCogLJd|}qUnB|`EamoTr zpHT5kG7HVgVE)Yp`Z~>%(39(u7M3@J8XnJL2sC?!!ep#G^-3 zek|#1&b~J)WlUC!zO89vom+?>TDf~=h1sngTvjhPi4QP!8*wh9PZ$FiMU?;U8gF?o z126_^KYvE~VWLT;=B(S^8zjs}+tj660j_)rYkjm?UqUtaS$D0=#V6O{v!H_34}ERm z%{I`I@)LmD$3ldlYV^W3OqtH=@xOL9*sO5)S`nJpCGjl zu5)HqvRFf>5qA_xAEN(*NE_Mj4z+}(WZ@&4z9E!;@lLZa`Ug0nczvqk%CkxXFuGq0 zysoC6|6+D`LS^*>WRYk6PzePpps?U$s-pJ-;ynrTaWBpimEghfPnHf}rL07{1r(}N z8(@)&rru{w<6x8C3gAzRusB}~jDm`G04eNVz&%Eqch*W@n1qV%YO+!lSps~-9WENk 
zvc6vLwAWuZE(e*jC}?Tq0$DkWfQ;td$%5t}!^`RvIj|*1FJCe~qc|0A@UqSrO&&~1 zd>o}igL@B1pFU$WWYMpAPmYIU%V^=&irb6AwPnb~X_4>nTFjNrYc3K`UI*j6Xf`ELDQfZD+y?LU<~?DkCj@zBkx?XHj&ZWQINWGqvT&}$!|8KW)mCjPldeCcA7FYniQDq9e0Y}wnOY5xD$5Ha+-n1P%NUDMQ=rq%uueIACpWIdiC-0^ zS|VNML2VR;%K=gij_Vrv9aWE$s*lJlpIxM2r7~kn9)6qKnUFr)Z8rPTX9qNRcH#BgqP!a$D0k1ixiqa!oY83LBIh+~ z3cslCtb{Y%)`GAOxVyV<9l&5n6tF`m!@?+JvyehQ7(0h))N~;*0xyCg47jxhR|w?c zVPz~J#6*hON3ljNrA!_ZHHI-3tQn=h^`qI4C2*yOUE{T+qT=H^J3%HuMh{2`e`nx+ z&Gfysv>j2vNHFotDY2o&P45UzcXT(%X%qBjG~HL=2wS)&D=;e)5PHHV7yU)6^aH8T zdWkb74J3CG)=q=iMPi^{kKx)#yk#o=$I-K+^`NW@rrKsVI$y*NFWR~ zl`b=$lu5kirZs1MgRTj^X!Scs5 zWEQ4V1j2OVQr~ZW5#bVk>cIwBZ=*MP`Jq zvG}HDLK+kvWt>^S?YuG!b%&+yu#Y?ZV~y7zS`eN zcbXQ9&3uES&IMH$#P!ZA#KFkDDp+72HQIzTcM>eh{lA>mQox`Naz-Rr| zw6f*#e-p%8!6CQ+=&+lnxzdULqzdGYGaL@F-{z9I{_j5;IWYXR!(Hy#uR(?JF6YII z7cbbN5l^wS3a;Zf3dgr)UtEz<*to}C* zOkx3T_lRGcV)P<3x=T2;Xk6Ft*%hQ=O-Yc+O`C#$>Cx{(A8oLzi$5w^!>YWZ(>uUR z`ywHNvzeSWNluCDhr+Al%on%D!=TSJd=x#k;}YGH2oh#YZ=q>z5>i*d1X5{Rl~fT~ zoMsaz?wMvynrU|qgRkKcH9V?vGGhX&MR5jtgdE#GE@OOEbNf)rVJee{&2DmuJ^+Jb zPkp^R07x_aRh@`0(BCb78tOEE(9D!Xp?=}Y?9SwepkXf2YK0~|-ivF^TC{BO{9%k1 zN9#oU-SHj-(|BioHHr%Oq+Cu%h^CgVIB$n!k`kcjEz5 zx_PlT&!e1kBCTbAoI0nBoU$9Cun#TH3isI#g;J9{Nz(!I3D<2bATtili;#X<726m!`0T}+;uLjV`LI0@!KMUSS$p4aDV)m@iD`dmB6z;&)xsnqFID$SdkD8wJJ1PUp6hE5MBgYg3X+` z)-P17zq7LOF5YE|Ok+jEHzwgVS`+czN@^-We}&`*XGMa4jck5N7-O!ZgE!}5127hv zs`b+Z%&&%&M3pu9eCGs0u)EGSPLYy5A%-jozY!@dkf_san-DB8dZ*GsJfkE!+<6tSxX@cRzghq3Ur!$Ko?>pY>XWa{}`y37p<5YKf(CW7G*+rJwB(1y9md?66!~NeF8&1{2 zLDQKvggQw`DVWsFfstZz&mq9aQ`sC(l$N4`D732Py1VGciVC`M>Q)u`-7BBA`l(Gg zTUMkCAG4W#zEX4VRd4kh@%_g6q}*Ym33oUhamxeO|PpPA`o=QM{_W^44nZK}WUf%v46NX?Q47X$)Fx@9!~< zy;QKw--y2%Z#>K#L)v$6GLh7|!L64`qeS^OTCl#i<<5 z7-4#|!_@QuQ5aXwJ4XNAoVbSdGw%y(iIVws;AH_Vaw=)_%UF>!+q!>jcwf1W_ioEM zAnpjow||puIS!@jckj1903G{usoyPHhKyfGXzk(vjGj^WeJG#CdSNAuF<08m{=okY zlL<$v$HdQ$1_#@28y6`L9)^2m@02-8V51r(t+t$SiC1p00$qU6cP1fUYW3o#m)Lwp;RiezGuH0ULBwTT zEeN?ngVVaSz}O=eEZ`8mD?qr)`b#Hi9<07L2%Ya6%FE2RF-GI$ 
z%}r!M8%*NiN_@*0&_V8suQaBsngPterjr)B<8dDyJEnbwf? zsril|j$~Som&D7#acNrekg2Q|PxR3^?qh%6C=6N&8C=vuukgprRtzF3Y236pMvG2C z2(}HSzYO{&>CgJA(c7MRcRBziIFmSxboY{UB(JRKuOiSjB#WrBd0Tb$eEmPVoW>!> zq3s|$j)&u=T&&#C1Dwdre(=ZEkpa$@@cLNbr$p36!*1q-c~k%7{MwG2)_ZhYf(3&t z8upUA#?00&sfPWz##^>M=k^*b?At9}n4NVrgO`WQ>_(?fckRTIIcA|LZ1tl=OVHj@5J`SJMo5yy zHxldvAyCWI064^zZ&)g6i&G<|>K_phoFn;|3L4N6O&v9tS|Masg$!7`l8)NON;PH( znN2Td4x&8KaSC&*NV~y@;{d9U3KDi!^FSGd!W4uhlvb)(ly41Y{6wf7B|JhFMh|A1+9kO;1r}oAnCJ6kX#R>^eQBA+O1FTHT&7v}Dey0;t#G>63)SS2! z%>pVV(ov$f!ZLygEh8wi09=b(o7>$FbVGD&bgO*J+pccze;|z4K(8Qy^TlQgq+e#Z z@@^ozF9%ssf*D4?>QI+=0sts@tsyl3TLY1hs92qj!V5+!(<(f1VnI=SxEBJD{Wm^N zNZcD3P@EHhs-%l*;MCR|-9zyFSjqHY_N7`4XG1b|cB@P1;>B7sRk@l{A78WxmH-CN zv10l)WQ*B%AX;+@=XvAR;A|RPH`;dH@TM=R&*hfoU7p`2>{aqv`CMzJ)==VM8S@h| zOrkmSD`$SChT#motPX{be91FXN~4=8Y1Nxff$oeW2_NhXWpa&%RqldEExNXjouz1O z;!r^6@zX;35RjF4`Vy|za^Hru*KHkdG{w7UiTrpK*BDU$I&~|1gllp^)cBHZno@0? zW~fzLD2pKI_;?{xObFNtUx{fU%#@iz>y0gJVoj|Oy;e)w|TgpZjD}F{6T9KoGruaV9;3U{S=%WBS+Fl+?{!pA1@s0 zjWm5$G2>T$Q8kU=Q?R9~L#pnBdGwQF(J1mz4h-PZzO8IQy7lZToflskhgBsJMqG3ie3&IKpXYS7IIoBI}m{1>K4t0IJlS^)D%E3s71OR`< z63_ls=vKTJ1L&wM0cwBx?Rd2XKf_q{o%#G(IDrx5NzBr|hPvXzPy9u9xi=emYK>->S~`*blC`Jl!He?dz<$y-M~b2z5BV1g~EiG>ne+!8o!`76L2 z)F55;0{AUi5^ANwX9z=YCH>3XtFifSIZMu?#DO_x7CmHp*NFW0`V>cVv=X2dAPm1B zUTY?t{9*cZ;;(_1tCXs{ztwixwR2S_>Z`lQ+6g7Va2uvP>+}^qAr+m&)mqS39KRi0a)8siLKn>Q5VhrK{bN1jgT@<_(Qg zCn3ViY4+hd@HIbvOErgW`_Po6-zs3;2BPR8DfRKu%&vGd{D9(@|9NgXe`>p9Ije3? 
z)I;NAsP~~?kz<{M^3-es6#qsdJGI z8Xj~bf%ItxC>AtrAg%d13@9A;$Yh*#`GB{&KW=%FTmgMd-rZd6Iz+8ylq0W#z~ zJS>adLOrW0BJtl^Awgs_qP+)294f`{-vXdbfP>aeA?qYz?x0CTZ4Y{`QHz=^QDw-_ z+xBy3I{iya#IE(vcNVf+v1a9S74@H z`kqKwHNBq{VH6;N9Ikq2jVHhHG}k7$*zSB;d#~$L(f*vq%>558JX^QAVi;ql!U27M z{nKp%po|W$4J_GYo*=j#1i*MXzvf>>eoz}%%VkO<;Pny)s%tM_gm^B)Dz9*$YPQH| z@-xxp8I->TtLtOOzpGJZ5bk8+Ec_tiy5yda9b3F__NUPzVBC!5hZ zUl3UOxsmf!l9VDECtZj((q#!S=7^*L(dC5*9o^hAAuyG2W+V7Dbsrom14Up*V5b8Gk zQ{B#r6NMRMoDCKfB`6)xjM25Y)uGim*LzB0%98D{zZa=~>o(Xb5?u$fz+ci3JqV!Vk& z?;IoORDjxFcFzp2P^Mf3w53mCr|^WBN8jDe0Ic~b$&nhKe^NdBq^Gm6(ELhAhfmsU<+G6;vno*OK_t&aVv+%PqO7t;}21h0! zDnA|DLDc#;B1)Q17vYCCN&n_%W=FA7gbCerI;&BWQNps>6Mw(}mRoLvM2a$E5o)^u zvTI#NtDpI{&kYFc=j**+STXviLK)F2TV|A02J$#icC}y;2Vm$0Mfw8%euOId`59i} z9;jUAe{IgEpi9kr$J%}~TL)Yiz>SRxjzYo+uA^Z7O`n$UIxZw@zHv}=S{y7jeVo3= z{+J$dkez-DnDQPOVr!J*c8CRo&h|YH#+=$US%5=km>y{qA;J#$NrsC#uGd*vbw?OA(SmTd?mo zqA0Gda9&iy+zu`VhD~8j^Z?Et&aGV80ccdBSo?9w5wdYpOug|nj#&{Xv`JJ5Rlnlz zWT5dWbU?V`B+^h(7r!4qAudkLbo0N7Z>e9cT7YUYq6JM&SxZQIsOWA01W83uzQJu# zc^ye6@la3Z@ompipcNBb^SUAIA*G zN#Yh8GLURzuPX?G|9gXbq9fLpF0fG|33Q#(XCXdOTKDsGx1NwxFhXFHPY;fo3slJ- zG?(rAvcqV35p@>+b!Q`=NuOvb4sT8lhHNq?pfV-8ahFa@J-1GDCY#h8%kI&DMUz$1 z%1*w&t+c+C$KXSru?E+zMTJ-sY`-#DA%i8+A)7k^I=Y^2eS>DCE1BDjd>3U)Zjuw* z25^9}m%6p2A|rr8d`mW_0Bv+FW0&$0gI0r(H>EIi?;@9gQZ+RmpfGkq^$Bx8^jFQxlEu z(jG~O{l?LY%UjpGV{VsS9zXC77ZdHYjK%Y!SO>tdC3sEMDVo3HDRkkq&29byK6?K> z$u&cA)`YLL_S`Wpm_=I=E@~sR47psL6(JErq7IH%V4>tlSZJo=IW-{kY+Z~Px)xJE zx~&%{pwbG>Z&;_)re$9a81T#pI3<(U#}nvX zC%=uvEcwbE?33w>^kFTq$Ndw*WkjD{iG$(ZJ&~UI*#}0OqjlhDwI|x2w&l zPCApW&5+$KZfj|A-bUKndKyPvhyHpNW*E=INrvivlz3 zJV&hL3a%}5)7=*uN{Ju{np69gr#x`JkT97i2ev+t;W1$B3%=M0vOGmyk^cuuFf3%0 zaUp~r=>Z?=RiIKZu{U5A)Ue=u=;`M&6EiobyH0zu-*x~PQ#+rFBoO|!+F(#=94o7z zRmWJ5R~=Qg{~-~?&D6xCKnWvNtJAQZjt%Yp+7YrI2O)a|ehV|5-xeL14XmgX=f62R zw(Y3O`DIcSY@i#^GGT!04OKCF4y%-O|1BC6t+1<~#UP7BSIOemJd75X7XBCeaoE|f zZK9KS5C33#nXIPS(^FUm1h$?n5(L5Ge%g9Y8wwZaN>=yCblf$z4za)7Vdxzx}(L&X;HBkMHCJzY+fYN-*?T 
z&AW+;On#7BP@$T18~4lFJRpg;R2(Zz4wKetGt0C;05|AQU{En2poSZkNYy&I$6NfF zmSIpkI$6C#&&p$lDzt~Pszh@ow{ zH6iz^>a#zg6ql4uCKtcb2_9JM>6K*(Oxr;K#JZh>N7*te#z%wg$aC{E|3Nt6$WA= zY(rV-EBga^=7v+t#Nrq_birN!R|;{wInEE(0cMV;ZF+EN`(I&nVj;uY62?pzNrW{H zK7ch`zURFo9~!u$J1gH&!P!{H?i1tv1|WjmOBb)cMd*3rAtNl(0g@?QsO#VG#gICz z_K6Oh3TxvhygKlkP*cior__G1&eKX}E>rH6CZX1cV$%3s`g%FVb4NJ&*PYRgr%FzRh1}J`Pdm~3#f5bNO8`~|6}a?RJC3VL zFyOk;3d%^EW!Ju<9YV<*#wiM9+~RoavIX@0H&b^PvzD{0K)5uE2#p+XtZuCB^hXTn zfIvGi8ene~Xq7uc!KMJ3CnZ&9YmSWE5LF&@Dd(`F$7<#f#V5ale7N9>Cf-6507Xo z?7Kl{&t(ij%0vX4yJ{v7F!R94PR{o3Z<@WPPc}rJj=^O9->1hx%~&@7H}0B@4KxuV zRaX$39e;6)R<$S@5-=JWM9mY!<^JlUn`bNe|CO9uq#Bjx;Hv&&)^$?z94K}SX7W!!aYgD0)5N%%JF1Lgfqou%A}tAd?qo> z)V~VAfR$BdM+El>*)w)HK#OAu>Ed=a1XS2yXT#XZ`oSyVnQPoDG;)T>IEE+6&qe)S zLS@c9ufo^2k^x6})6Nq_|{;Ukg{9^H@1M9QI6!DL)`NwYH zq{H#n>Bw|I_6z`+&wU*{^Y1Y4aoI!qCS zUEt?`1}6lgv}ky^U$2{#IIDGM@EB|0lji?rnTxzVrU}j-U7Gp+8(@(D<%TcUxkyyQ zsQwEqWV5Q%WH98E7}9mcf|!ktQMBt>R@==_AbW)z-8=nuRtMR}a|Rb(Ia&KA1KLB{ z>8a~sXMPqHuVnZT)cYU}G;~ye>qchxIF{~q22g^0?k+y{wQcUN6k?nwTrMLIH#Mm} z0oyh+LdfF3fs{U!n0BQ$Stk?0@s$HLkVYYh(rSyhp=1Ox2og-Z5anaJFeejF(Jr{5 zs*Pedzf%|qK#gk9*#ACy@)^X}3EUQp3~WR=1!TsJSRgKw(g!!tiJ3J+uFD^In0^ti z8ZF~`%Ge|#tpINaTgyjG3|tT{seZ6}ZD8Kobb+8LdNMr;KxHW)gJSSUYvcESA7vtr zr2l`kFa&6%%sSYV4GDKYqD5BOGZ=6iv6mDg-}xLq)!*KWqUYrS$iSe7_jkycV#Gfg zTxQ!@Va%5?-K1Qo5P`%j^;{a~{}{sla#> zVDV6?*b^JdyhAaY3aJ=oTv)d#093?eEAS4;l`L@}aB&NjdOYZqWPAev@Qs|wW>U|Y)ktw#@mjJ_SA zC!aIiC>N=EzLETz#p@*yc($O6g!7PByAq-gl34xjHWXR;Rs#}|a(9NO4-@!Y9-zZm zfSX`Aj*Mvq&&p5F4r8QS)^Y8#T+h%*eN{QR8%sfmNE)RDt8l%qfen(Eg)i_ZKtRC@QQ4#Mc<=B|JSm5W2 zcx0<1eq}h&LaH8FPGND35Ph80Dja(URDB!)wbzn20()`M&xKY=zwZSM9jzQe_>`}x zMrZPsbd5aU(!NT#l#3_e0^YcMQt5(CU8O393?t9r(Tn`Hw2LbbFW4~RK?haHS?3Me zgR-Gk1A8AB<-@XDd0iZR?g$egRfqW|y~LdkbK7!h708#BN0D$@e-|DxcD1z%G3 zlsV5Cz?~<8up3TZOhOp)32{Jn7;v$|xLr2_!20Ny@?>0nExeYEco%(Ux?+)Ohzm@a zsD%KU_h0EJ0c`KiuuC>@C_^HOvUBxj_~1kdb*P5NX|WSKbB{q`8Y6VP@&MFl9NxIF zoVZ4=OWCb77wzo8n4*Xj3>dM5UnZ~MjY 
z_1&Izp%FQx!vk8D&3bMqRnAl`gahvEx+ikRy*<8%gt;GlJ<%c57l$*#ET}nb{&1b! z$rJ4qM99Bh*`kuKXEXUK{C{sjEbu_(EeIf-f}%+BV@r=SbPJ8PGRxZh0y%FK;V=Dz zs#{)R4Qc-Nxw*gDQyEw-X3J=8Gf^!#OMZW`sM7U>u^pOvqREJssfR zyRnT3ya;oEdvRdL0C+uCf0bM?qwrV4V11Yq5$A*v4SfeVisE|6+_^x=sI@Z_d0(Dw)!f91cx9Fmjs>haeH| zs>FVP{%=jT$r!k3D8<0dK9eKYA<-DohsUvoKW|!)M<#XPY_xdLbh{AGHmNdmJAT7I z&fYu*>JU7{`Yt0V*^{)@h10qpMjw-QX%=4H#V|QW(2BKam%78&Eoq<4x!egKl%8I; ziI~TWo$I%_D8dD&tk^tPpk+VU>YW`c=3i#^%aKgFfL9s%Vk%q!pRy)#D*!2`G`7su z4@{{HlBRaty;IL>dOw(j2E*4ln(4pW`tcU`d`@enPVvD{-MIQ4oVwzDCZJwraO-#k z$r!rKYqR)+&WxW7w%WM@JDSt9KVl!hqp15;8oSZe)QYRK;qoQ#^JeI7jQ2(4+fZNE zj{GAw-sTMC$ZD5Kyd9V2wFk-8?f>@;?jsdNzD0){MMnIW+IT(}BKHPe^KvTn^@z;x zu?fJCf2xyhJ1_HALD^D+Yu-%?Q~f)k5OS!!CZ}7xqI2TpUWwD31-SDFebNBi6O!m~ zFI7Gn)DSp3G2g2fPHBe`JPYMS+;U#b;|9upK)UK6)Y9xjRl?*>tXL<0V@=+c-_he( z8?V&cghA36UM$${^aPu173@3u=eZtyjz7ztH1Ar5;z48cQM{*gEYHDOl8(PR=ecF* z>7j;UOqZ*P-~y1TEBO3vM^AWz$)QqAC*(RRB+B+I(?uFI+01fr44;ka@f*hymU<2> zjmCW%Y-f>c)03$f8L8YcD^hxPt6^ALKxWU-JyCr`ClqEP6fiQNkPxuM@v>WHsd)~4 zR+xJ>@w&iC^Gz6**$~Lp^*p8fFlLQ%v4-fZOYsq-DE%8&zM%mX(2jNyP;)YI!BzYy;NpjYx2Opa) zGV>h%$P91Uz*uN*oF!pVzxA`S$l#>&D(?u^qiF~&(oymRpY}v$bo2_6yEn>TFjHs! 
zH*qEDUZYnd64k_8q|>BLHCz7|Rt~>Xui)nzkPGsSB|X^D4T2yNoW~NMJH{~e24vW{ zc!IqIxY%GY!9R&LiaP?uhlf2Fu1fJ_-}G~NSo;!+!jJr&;JTrVB^>)>p6}+eq~lQx z4{@oMKq~-=>2O=-t1kMri6oDI7+Eg}$0w6_FBEuvl3e{8vP5-5U3mbolV-VT&0(>5 z#-t#|ta@`F%ShcW(l!=k1kfZK{013u-YC0+veV;}C*P?S$A*MWE9%#M$n#dMkO<)F^Uu%d3&F`zm#^l&lah0(G5Ir6*?XnRdo#bDZAwLIt#tf~FE!##X z^YBj|>{$lY9r?(%AC45&64@WP1`QhsOLrEh7XsBGu#!MD626_>gc(Th`(NK!#+Ztw zGqVL7kVBCMcwG22l=OS#W`*U?^R&=Vp@b|5e?a#k=>$|^3BxJYrT z$L3Iz5YG^s2hx-8loEHaJgnPtcGgLOY8cn!$+@E}0e0zIsNZ1KrS!n8G{^nx`d-z= z5LsLA2-X1EV;klDG75jnOr64Im*JdPlL;^XqDFG8Q~qlsoy=0Gc*m%E0uXTb9?ORZ z{^QBYkh0Kfq+mypWK4>0dV1om`oYq=JC=YaJ{=*bg$VDN+iFCC2Pnq2a7giFCP}Qi ziDvapx6_OtkrTrvHM=Yp_dFc3Eg_n0sfRpfQSqdf`{HKbE}Jl@Hp_Q$2%X{zPF(=(>jUUrEKrQ{Q5Fkq*w8izRx*mGH zi88t7Wh%;wh1#rvZjq zDlPxN0#UEIPwvc*%Cxw=Vv&6zz`Q?|XNBPn(@7H0+LZvMH^m;%d(6a~LYV~8NYj9Y za9JvXzkpaPjBAqUsAPAOQ^LaJ4hnaw9>+id`JLCtO-|wy^imG*n#Y0764rIaB&kbJ z+rR?Fgxp?a563~2$_-u0v^YD9%Skgc8TZzWf=~zqn;H*S*bionn+T`lgfg90$ZY(d zL1tDv{S0-Ar(ko;uIJ2QpL^?OIm4Gg4J^q;y0GiOCk;&fxsg0%I>i4Q%s$`atyNGY zKDf~OlWF8OA88KISdSK`J13~V=kArbQmAeT%anac-KZ7#S zeq~hXG~qUU&LS^Pb97SA{L4)Nps@ z354@hof{p>lb%r_p0=6-u7SaSt`IQoC4NGSJYqw>q+@T(V6VGNTR$za&((h?{I z%1WR=_y-CWLm!UoMlm3-B7tqPmP_gYoSzNZ_>Vfvv`K^pNKSr zTg6pLis*T~LmPLj6grjQU;P*45raHv)Hl8vg z$CmPH67IN-oSD?Jj~yc;&>MtUOktJb@7jI_WIqRYM9Tqet9>A2EWA+4e$REv zc@K^{XlWqsm;hbJZ%|<4seRH?y0=612b{v@|F6a&2UvtqvMx*-UFDTEN3f#cl!W7; z4ifIn0|Kk65D1K5Z}=RQ-*U^`Kmpd4DSOqe-XZsUKL8Cg8kSD~KLmj#^<>SnF~ivO zun%V2@Q@`Gd#W+jR_95?AXO*D-6GExvS)D&LiJ5X3&`Uc)+n{{461)b@N0OIId@WU z>swZEXeWqYAQm1-2ifnH>@XhkxYz+QR0UR-tb!dmrS9U0`Kh`{{h8zRt&vb{6g4J^ zAa0hHv3|mNK!-#v)o27#GMef-3F|zTaoAeCPeGCMlkwF+jZ#Q6j_RYDd(a7i5m{21 z@pIm@u4=w@C7Nq9P56)7+$eKBdb8?UWJh;`D4uztc|2|;f3y*_!|>TRN!zY~3QoBJ zt&|;&!Hnb#3ZHm$krW1$ZI~HdQxwr!P#E-XHJkcOoLh0q%Tm7DiI$nJH1W0HeP+rt z^UwFD^b4XDjRqqi=E4pLG$U{wo}-OgG+b~Q!OAzQd`iZ@%eYbVj9)R7W7JpdxK}1Y zByGip3gr|nhj&-)stGhfh8~U=848el8Dx`9d3XDbfmswOg&*y+po~xchYGP9)ZxcUjmOW@^u(MF7UMw~X=#r6t>KhJ@xS}VnX}d^xWj-N 
zZEl1y7=)C}@{>_*pqODADo7qQs9Mm86BHW_fLycRY{UWD&Fgr#ri;_=VsQR>oVO+xVv>4@tzOyN9C-pGRAD%^yh9E)GAT~Hu=z85MoS0pAtvM*+v)`0Valk z=;ed4d7_h-Xvr=+u8Ds{7ZmhJOUY~}>MAVe*>X-Y+cG~0R!}Xj)?HB9(8L|PpD9hEHv!`FINLi%O`&hPUU`I3yR4O)x%q@=Kg24Y!-x~IG6Pt0i%umGu+9IJ$ zdynK8e=yNpmMa*l-O4_yny2Ex5Y{lMov+YLS>ACruwU~PRKl^mQ61IJ$m<`6{T^Zf zh9D>z@^ME2;n=&Fh)IG1$u*plelQqa zh=dz3c_{pWP++0h3doYvt`Z#h5Gk{`jHMF=!B#w)ov}GMa^D0Yq+-BSwfNH(iZ2)umi!o_q2TPPFCP)dFa=Q*1fUJhr~%+> z8U*3+MZfNGusHL(07T-BX5_Hk$!dPxVORZ09I=)bI^;RiU0jJys74eMBGGUB4eOOKfbp77!XbbNCb3o<7i59j zHs+1yshCGV#l`i1y3F|y%6lw?Bc~_ zZ4EJv7X6%?i-H2j10<4z*0(;u1m<6XVHKR!O_rUuMdd?)hl?0WoRUS0ZbmnVkD3T1 zZ~`0(CL1+BK7yYI65OPC7&5&)EoWNV!5`F08P8KVoM?@wIj7-xR!1%7_HeEMBbp4w zI|1|keqaiRwtzRYDxU>37HA75bw;pUOVxaZgx4g=`pi9E&h)Ai!jEo-a5n((g0YGv z$!(%@JVXv)BtOL!>Pl>y&LoocaTzy!DzeoJI3J0+AmNx!h{At%nbp9bM%3`z=YE3` zK4o|0?YM&d6aR51L18s+qWzG6O>_0IT@&95;NG&xzyP;Ez{veTsvVkD+s;WP(;0e z!u;`H4g!Q8)x)ynak7Lo1(LYV%0cwpzXCJbzK>gFsuGDV*6t#g(R?*)Z)Z1TNhL03 zi8SN*KHTS?uN1_55S!IVO3kJ#8m8H2&?hlH<{ipK65=XAC?k-l6g#%qF1XL*c%?MV z%_3#8r~&EdI`6ZT*$JaYrbxqj7nTx4jFHwGy_Pt$zPJ-KPHtGkE)3x$z>Fs>Pu9IW;N8cu$szfuP6L`I`4O> zzCL^=+sS30#QExU%O{H!FJ!=!ygpE*Z8?YGQrNRsSeej?!w44Wn)_gK`{(Kn9MhAI zJ9OmCyfP5B4&H-|rI3q^{Rl?uq&lcT9zP<&b)&ODBh;0@+LQ@oC9K_N^`9F`>-XqQ3{j zdt;)82Myfty4*B8`=`qP#-`Z$Ppb(^D4I}raC>3ku6Idr06bT}TWnt0W!=DCKXoW&)OJum$&HYwM5MrU=udsrf)8SspPIe-sJiS2|FEwgESzvM@&l zeO@1gnA4izg!pEfz~~*&OYqxT#Dsn^PosN-(Wgpu=AN}ItSZ&dGlwv*2b|6;m>B&J)BIHfg z4%@#E3#APWL2{|zvA^+{(h(HwbR*n!boB)r9PuYnSujhCgkRJbR7F(JjN??l2t z|0bc(6?#bqa~@Uj2-rx#S0dEqS7Mt zc?h)W$r&4GlLAA8(pY>r!chHG={RR|#4n8Nr9`D7QG!&Jp7GUIS+o!O8+>fhkD9@# zl8hkqa>X*KsaClkj{vI3;a|=mU_m1%rWR-7Ypxh%AJD^ew<^7%QO&`n73A#3k-ZQ}XdFcAK5FVi54;>!mwg`{L&1(4-bP06+e#lsGJXDC!0j2IJdsER|@MpW8cr2-#56tKg%q zv)5Wny(PPJZn`nNEogGHc<#F*Nj={o9mLGCmE^La5qUtgpGjG#QI=4!G!dr{U# z`Uj3JflPu>xCmSho3X)k`e0k?r3tRtk}#UHIcCTJwM)}^s=Q2Ps%=jucR!{T^a&fI zKc@f3=-ujVLKCkX<&cQTrDwb*mQrwT+0&Pg-mThC!7F=htSqRWT z``Zv?UZu;xmK~TgkPL5~EVExT^oNj6IHOvPSJ)quzFkEpG|=XA4?>@fs^m2P z2Zc*SP~BZ7DP>%x<7 
zXaE+tK{H-4$@$ctT{%9Snb;`NCEVNMxLov$^V2n%>pm zRvcLcRF^@0Vrs?u9`lb?=m1>(Nt6!zDE;UzDP0SSVWo*|D zvlF}=95+N7ik@9q!EtlxGCTpF56U2`*TepXvf{1Hb0lWV=>FDW(x&?OgGy-*9m!$I z9&sR?cSB&he~sVmiHm{FognMBv9*gZDPM$5B_)S=M=_IgSA=|mJ76{aZYvOHHzh{2 zuMn#VCc74Q_2tw-UGCMF>4MQp2QnZJB)PamnkPCaDYA5ou&lR|TZaP$li~X+e=mC} zEwX&acc9=~r?imX!X~jae%Jwa1nAVG4&FeF5T9rk-JF$Cei?X? z9i1lU$i3>F#SlvF3g0LC3y0|u7nf2@W&bRS1R(!6-%C@H4)Ym66_ty#Z5BHD=a0JEbggP%>UY{ty~|XI>l(L?kFv+%gupd`U5N0 zEZM%DbM_mi8V3F->~7(r70DO7@6gP@oaJ{J3;xc0=D|MBx#^+bA?sW*M7zJs6|bQt z525WaGf>~S!K|x4I4X->;7S`WwY_%nG*mE-p7(###te_K7~?RR7~hx&B~G{E<@W@0 zVQq-!k!%^A9lh<7b+2XIQIJuAJ!HE#v|yrF%za`QEO3ajf~8f%NiRT&U;a@K?1;{a zts#XTWC%?VJUwUCsf{^2Sf`G(a5;|;GLz}?+c=%qyNvqw6c_D3z1$a%C^^2S?FRQh`2)>(A zo;Z5?r*tJoqbGGS@z703qCtxldRVe`$(pSVt#^k zp1r%b91wG_rz8Sx0#34%o$3Uwga>m-6~m&9?LwqvcQsH{REtMb(tKk^RWA#G@k<eHOFign4eiTy{v7Pq(r=h!Bkn8J{mVx zAPd+~IKBVrdX=6tsL%6~Aeco?XduzL2>{-U0=3D2XdK0azhN=>!rWNaPa z3e9{ck$}t5wxye#AAE6ixv-nE<>mB@hPOueNH>AEy($JP`$2v12;oX`j-)BP@ZwfLpKKI3Zp&XO&1Fng#*=>Gz=MOl3y& z8yBkS4l~rB-c7*JbtYi;m_OPOi-Vw3Nz_lD-GlG<%N}+7oO(mU2-HPbD^KT+!pL$A z2F2ls#`{82Ic(T0ok&|MuJVh{8*I!K5Ne`R{uNyJQM+Lz4-<&(|70+3D z{~euqiZjxCLx%>5`ciO_BVOK6p~Y^uc$$nw>cZ2rEu?{YvBOx6s~F12sc3K`dB}>y z15S^?!jaQzl>ssO^jgvSL0oOOYcd&xU0i$kQE(=W76JaEi_9!3Z)@UEqDNq)+M(gh`r(U++YfIN6e%bE1_k8(A5TiSe*T`*4IbLDd>=S`276LP<(?(_BnS)&dc! 
zsFHe%C^L6tNCq2H0sq|PGGbMbj*>9u5;42Rw#fhm#|>Wi8JNV;@l&0f?|P=F3(44x z2{8FV8Fz;*O`{D1lkC%Q+K3V1(Oo>?7!XwYOsmNDQQkAFv3Z04EZ3MFxx86+>?yth zxO~}22*7Bqvs05Ec-H+i0p}od!}M=n9Cd|U2UqP>LGD>SHx-2p9E6qD^QMM3ai&d* zfSkF_ucxamIuM910w4C)ILowWbb*W5jV^aO{@Uv`E)Yy4s=`{@ozX+y>X1C_D-6*7LkN56R9sZwT;UWyAsYo(?%1ux6p zpWy0PVr&wlwM0DE(oUb8+R{;`8oyvoB>9X4Pz8DaBfAPJP8F)gvFS84>1cOu$tP(^T~SU0pg9=lIN zjg|i797OI)BcD8X;8>uE!j_DU-!t69~$7Fxt&2vc(bMWL^ba~ z9>tG9%_^QYZR!fdPhd)VS=eyt0fo37$sk_Xq*(;PZ%5VV^oJmy;B%cDo~(udS&z;7 zL8%1{Q6!M5BV+*0L`neT2N1s|fvy=yC&nQnJ0pfmvK+0h@?>vE6%KgbFIoq?iZLj9 zc{CjHTcDq+L&BX)my|mP+Dj%nVM&04f_gtEY$^|zv0G_+M_sjt^%UHG;e(ya&T-yX z>~Tjk0x{ydGrl`=t9U{9B)OF-RUtrOiVDJ8jlp^1j)yvn%OFeD4*~`d_@YPXfvyiX z;kS@eEGo^=d288n;V{UDJ}uiSi{v^EFXf9*u1oG<;3FMFE5>n7smwdb>^M#{tLptR zGSgozIiKo|#049O6B3CzDBy}(ysnyQk3$F$9K-w+D31K&SWAY=z>M1!E|DY;!3|3` zHw(5FNT)W&G_-1^g(ox?pOoV@87VgZ#Kx}Er^olqrbQGZl#S$j;)UgSFyBxLf!bPDpSGrOw|87zSV+>KqMA9LSD3&sxdn)Ezfg-! zI*%U5g=Tw!E9C)&W0?xVcW6kSnJW!;u=qfy!qxa4FQVHEIMdD>^po+PDTV@|ZE7j( zY#eebWGFX2she#Tw<`4m>ldYz&IvY-;Fz?c5j^QNVObf;!*cR#k5O=J_W-Q`spQ*x z@I*RcjQXf%7Ut%8nKTTMyp0iv22^h0O5?qmkD1MYYUl+g4tK8OK+K4w50mv&1*HoZ zzrZe&*iO8+9v7d-MB)g}h_}_>I#-H*g;6jM*t_1Qe>fW?3MXT3(W$+DU@5_b>Uh0z zRZk-JgMVAhI(N8RE$wPYPaQ-7s#b9y=2EYr(=ZeotF)H+ArJ;sXjWg z?!a=w{Z>wPx@E&d%AyBR5tcM>9=~o!={SZ9B8Wdoct-^bnig=Nh=*A|9_f8|i7K~* zdVWOl8e151sM#4Inz)k@synO)tUQTs-K#laY=-xpmU1>_ih2@dmX153D={cstDy=~ zzjMuh|3xd9y-@4&<(I}-Wh9n8h>F}~&7(Ok!s-3#6nw>pNpk%;s+FI5#( z1Zwv|jV+_t_kv2u!RzhSHZ%~kp@gATN16$646UqPB5K>fLq8U5G`?K~H?R!8xlKAp z>J!rQAkdvn85SZgj2}6v0o1m-fG$cBdPf??wHi9@ zJ03BTpq*qlGfXWL(_rst{%>1{GZX62v^ie57>YQ0laotm`!KPoBX9i9h3V`v;Rl(XwBZy_+A zQLL5o#a@UNfVr%IOI%wU1Y4LeW0cwT<9+*S-OYFI$F(tW7Yz?na++X`BqqOt7Gj?{m&`Q-CFxknApvr z#9;a;nuhKSdIw&F?3IpM;Yz^X+JeXv#MZ^3@u0nR#33%GQ8wQCusM5Ha9Rr<#WX4d z$Rp1;GBkbm_a)Y70(?=U5|pQi^7Qg}rpdBjob_Fp(@8@^9G__5CRX;f^bMgQtwkYX zS$mTAs*p3w&}h-gRt@!Z7whTs`&&%PI5h3);@MuZy`aB`zeL(Qv8ty&7zafLnY&=7 
zJBM%oIV>2j6-2SYH|Nro$ZvZH!-z_>C$5dUBp7-D6zx%ZcZb7id$gBadr}DPOKm=Zt>WLq++D+F_yIuI-9yE!^bTY2 zOgy=_EsvEyI@dR+Vh~jO4`rcn-crmjCQu3ZoY%Ljlsk_db}Ne(D&D_UL1IP zIr#R8!v?>D3Tno0!7V985~L-Lqz=^uc2v&yWVz8}0O8{XIf8f$C$N5e=Dvo-JS%Ylv2CO~^?p`)+>q<6`l@C-_6%W(;i-b3tcVOgL^ zQb}O86Bf6`if1N1T@shLEkwMKgwt_drDm=1+3!|>{xsYE%@}(<;9bFIcWRbW~<6=+EY%H`M@ieBs+USsb;~!IK69zI~%-~TS!+D1N4M4#jjZ>i+^)Q zp)Q)Rg3!xxbrD|lFI|bJB#NP8L(_viI+wBv^?6`ud_ZqfnZzpoo9lAM`_yxHq3i0f zhQNVN5{#-Xh?3PyD)J1eJXGjU|b69B6yk#gjiqC0#}|DVjB0 z@M#J>q|P*Lp_8`K+#yfWvf7W)AQ}JAiYRGv&pycuySYfR;yE|;1iiSPMGYF@`Fuzi z@}NT%@oWr7#RjV}(#bO6Py|Fgz^*_6zf7}kXi(Mt^YegwzBFg;eqbw0e?kdXth-GN zmit;%*=MC|)}ntLX=S68aOv@q89|2zgZ3{?>FzhbEINrFBFcvtBg;98c09qNwrm>4 z6HB0Uhm+{1*!S(Ul?VvIjeb{fbF5>-bRT612Uho-+XtL8jQ1=K4wWk27V{Yl>lm|| za25_HIz5z?4eW^-093iP6`bCD0Kq|zy2G)Rm42R1o>M?I+g*$sza`{tfoc~UOi4mf zI)d0BFv2ZYlZ;d#OpU)XH!xo4lOSgJCMbR!TSla&Ct`9D0NQQzcgo+^l-b{WcgE?M(;(g$b{R- zC8DiQhUNSk0^?S~4u?@>+Zw&z1PaZ;>GMx~vlTLfwtyvMehv!F;w(S3hwUN z`EA!|Kv%kS3rm{i>Of*c#xZ$&sjgUAAV{Uec;z1Wr~L9X)^K;+Ki>v!#U%BEr>%ND z3HA=p&dGJXQ_Xxml+Yd;giAg_+2YYip7Is$L9tmw!obb?zYTYSA}u(cj-0&Pd6#@0 ztp6i^;}XsJ&)i`C*f=EfyjeJg%<(l@x7CBmAXg2xnWLbKNqQ0OfW-v)!Tf+<+^1_K zhBSQ<0_203qogqKwLaZTtdaR#1O!f{+-eYsZu(zTAP`b=IE^D&Kx?(S9^i7a%153m zZRW^EEKxmj_yw-OqByNkM`gND-*QhuMlhtzdK^B_3p$&3<{Ljj_<}tbn%csXkfFO_ za44qNFXDVT6y#*h!a49Vyplq3F2;9M$9WQSzfCsz zj^7JpGO1}0gYIe`Lf#=BZ7fi9%$2x2m9r1jB z0p{^CGC8x4&VLs7xS%EE`?%+v-cDJ-*U}RO+8b^L!=s-t>a8V-v|Wd|!n2*X_9Is$ zI~r{-<|R^r)8%(7M8|xZ(zke6v9SC@t+X3^hWISj-vKCjM+NVP4<1X=C7G1W(OpLQ zVqZ;Xn22p9v(>~wGzm!D;Sje_Vi%c##@C!H;&BKaQhzr11BVbA?g^Oin1n1r3})x; zT$5C1*(;_XFdhu_X}q$AOj0GtP)72(g!N#0vG|ors=8%`LBjOWey3H-NVy!HhS4;U z*Wn5lrYLf|p5y!TF`UZj3NAgJ@DaZu+E8q`T!E)4D%eO|Jq>iF(3+jPTZ&akVbM(m zjRxD(pyIA1jf#05eO6Yx%rIP%eE6&;pC_-LZ5`zAehey~VSuiC}^HDrL9~6k+nd$)1RZQKOHvX)rQ#@|X z=H5hM%~d$Db`+Z3l-ysal?byT{EXoCoN-Gd84ob)m^FZD9ezGtn`cYNc!$AF=uJ+z zgQQ`YaVy_+RXzf7?V02CD>I&B^%zM??LgJ?SNPCp-3hRZxQk!|KD za#~`Crlq#Hc}9&+%ulcZ?7b!BjOVk?m{&sk2UY>EIMDub59=ez#u+)2|fY$ 
z=!A(XC52+(D-AAcg;&-NW365?#1l&%M{he`RML7q^b;?oP0K;!7mYo^hHui!h}C_p3t{WMh%#MPKeW^3fjp_5!bA}5FU7mf-_pUQWR{D z0%yC6X`;G;xTAQ_YD@GZ%T%tT4cl?Mcel>5m5NO>5yEI>xZeNM6cWWfh*fY-Q$H@e zw~Fo-FkVzXrqnYrxtY7;kO%C$$^vlUTz>Oyj-1$Z;zZ~mJCiY{gxf^Xqs{(?_;biF zwfzRw&_TY!Kxb| z?T`5#_!2+-`T+wSqXw5dV{}i)FfiJ7v^pcP{i?D!1>pujLul?hRu@u89Gca9oIY-I z3KcsNj9QajcnL%`wGPaJ1%F$EqvlmOa5CrlRu>#{?Q?f4WD?7wzg|-K=@yMR_qC@9 zbHI~0_uR}k#%}FU-(?&Ix)Ynz`3==(gvnK9tcAqm_B9naS=j5p9i_tCWEgh$7D#D5 zFIKf46Q<--I42__FfSocHsEcG9}UM^%o?c-DBYs$qK}w(;kmovyg`w6YH7L z&1c<+dJPKy93@j8rD=4crNnoS5R6ff&&AV3PBi6b6|V zrCCC5#QELLF#qOBFB|2qeA^Bwz2W!9zFKH_$4Ip3^4Y{J@ob0SFl*39|2OmDi+Me4 ztEUmK4g2r~1W`yWvGqB1x13u%pZg)tK{EjaK`3VG^4k!6rZ&6PqY>>rc@s#4;m0n_ z%y`EPcbnH?G#;NiGQOqtv85oGpDkpV_EI-wB;e?6zIsm5_@gP2CF;iCoed%a&kqV9 zqY>Y?o8OKu8J4=eR~+LJ%U`XUDFC$%j%PWOc*fyScB(UjjoHa`aa@?C!>c4&^F8(i zZB9%fXW}zr)-lu9bg9<*sn2ClusKjt#dQ2EsdNLBZ~VLW))+Nz=hKX;{U~os49@<6 z>hA;fG;rxrEG7JbB;oeaAqbyRUVZz(barRmyCRbx&Qp_;OdOu;FO~kFjdYBPKaZkq z9MvuajXrvZSQ++=uruMp^Ni8kGE+bNK`?TuEuWDWHG_1_8$?ge%sD#Q-U;vJ4dt*v z;sa&wtJa4D44A7VZwqh^2t-&=o;dp)golOwk@3g^> z7kLk#bJA{FHYU45m|Vnb4~c8UBEo?DE^T%ql8(6NSc^arvz$h)vnvy^JWQ?y3pcLp z9M78VoHPc%-}!F7{n9(d9VAIe3I2}Dvy%gD#v(%AwR7ZYoWUd-gp}77YBBEbLeN3> z2I;{FYP&Mxa=RL^5M|TsUR9U~Ts@>tu5noS!XVb8rSB4|LDfp4uxKKJcK!$hW(zt&XreoIF!|i9#2V$So7si)PBJ=DJ zMdaF3tshplZxvhzCJ9S9V>C{Q6mP3pzvaIW$1V4~g4uKIGQCC?jp%7|N8l_a$|1?z zhDacGRG#0|X1lhr@tldKT+r_I{arU3fJ5=5{-9slC33#=uwFG?jEhT}1I+^#O*sNf ze!;Xdgj8v3)8~v5m>o~ExnT9NU*fDFI?@Fdntr*4(@TajTk)linNkc_?oFNcGImS3 z>Dhhrpbvv~RPZz~*egv&-Z;t{Q-@$0#uNq;kJNy{GwA(Po6JeXE_}g5k8UnAGqa1yY2C0Gjf%`+Duw-PkV=OErYRoiMnJ57**@ zo`4f?Dsr7(XVlDZ03+c2;Fj@w+#nNBIg+ev9OZHL?qL$)9qp4;867cBy)vc}xw)XI(`f${y4WAKei;mjM2q2R1W2Kp(^6hoqtSIp3Cida}<9 zGV8x}OCcEZ*MaoJd2O&-;v;%?C~*qRGmmP8r|mWg@%Uk{6>Gjbk@pJruFtn_crg#L z^BDncUoJtT$63Rg23=zSJaCg&dH&D{Dh>dqEBZzsoF>Nj%*k2nw+)xWqsWeh7CCm1i+ zf#+9|GTuyq&MvfFwpy*COzWC>mf>t6-+UEQ?BfZsDa8IYAjpyG*RC^EE(=J>=`mNd z$&yFsFN={1`sl91O6h}bw6G^p{}fb%qe$ 
z6lMd=WhleqNe-jNn8VuM!V`#aQGcC3T{W|_>zM!=#6&vL1RgiJ@L{l}jRfI;tc_nD zUvHrHdQDxXw~pgd)0m7iMwc9#yg$!&J>oKM1rO}PN1ucZA^KDO7)-C=!qU z7>%kG;?ybnAnUlY|K#|DrAG(CZ1jAM?1dCPK+jOxtD4yNG%*msh9F%v-l*~JMw!&P z;sz6VKG)|*Zl&F((dx8D$`uGW*No9I42|RrW=JSw&eIGO_#=Uj=AK%>%~LJt9wBg_ zOL;l71m@el97-aiQ&;KEFqM1!h%QQag0cXrk2tSJx5pY8e9Bv_ zl$Z%GbK2w&!EG}>$E2%{K=WVhJFFNa8h1`?5|6|gt=LKAExz%R2fLXVQ=Ze)3?u*n zMjU(Ex0VLUbc@IK?}Xv#ZA6OaMRTc|8X}+WnP$;E?0&QkW>6wq+Ij}$9f?oY4h#a< zERREKNO4#*DoBeQ1dav|jY}Tqu5&+5#^c7V#sh5_`qzRTz+0M&Nr;K?VpGfr9>FPP z{?kLW2@5_tPjJA|TO~?n_Uo8|*;_c>bqzD|9Mv{JvF#@hR_H?Q(l>=Ph85!74~pya zf?X7CuA{Sf88cNUDicJjW;4u>!DWxXQ)?^tI?rR;8eESB_}zSNMx^`>k9gqQ6yzaq znUBHa0$i$BBU*3aK8zl@l=*<0npGU@rh1l~N7y}Av6->+gb^>sQbM#^>ggn&IGq^;^=R2o}-7PLmvt`jU@UxShb z%v-=#>_J&$AAiLkWvi0Oj5~}t=UJgr$T37h9tWFm$la#CpEcv}(ygqMu!r58>NI25 zIjm!@v;|kG&zRspANS}03tSWEP#$`I|1Q~JKjW+RzZLzTnVVd3PC70pIXlT2Hl{)gy}EF1)4I_a-?XJMYs%v! zm1Et;_N39k-ZQM4#$dk|gdM=4)5StUI-CU+=mX*92V4$a>P|yJX)3Wbn^Y~a2#WVU zP0^zN#X2i2<}PS+R-hF?Rw3eY^E4cW?OB0N8-!uUx|F}hlhMPbVL$3k%-}c8fqL)H znwLuDo$~$Ow61wG=yJFY@SSi*qBc5cLrj<<>>{JO#AIs0@Y(u5_|Y!w=@MUORJR+FkLgK0 zUHUQ}Q;6bIeAFf0Cd1c3<-*)?FDE3*RwXdIvzM#9hc;KxGq%1hPeOrJ_U8vLb=WQJ z0*9A-U(eQ!_+9X9AmB~pvB`91w_$FHi-yiy7LxMXB$3t`(V^5jWp6z1AG z(Pe6Zn$WDE_Y$$=MuyrKV7}FA*G2yYIsTeBeR97?>pbCA&=B0yiS!79fkq!kz z#EOl|YMsr>NE}f;aHyLPsK-Y5ZWegsLdvfOqUa#d@Un(j1PnZm( zlepfpKjxUppjV^sb*!`WpJ& zmRuos1+)c0gfekyYsx|=PK7>1jMLjcs<1^sdJSsusa<`pq%v^94KlVni1|Fy6r_xN zZO22~#%sNvz3X!-s-hpUfx$h@>pwW*!niEy4hKukD1Au`DU&GEz5`PVOJf^X-Gy3^3=U#eo@?)1L@%fL9 zmv5YV+W`;8f$2I+L*qvX5%=xP?0bICrW^JuG%=2&T{S`w#f#@dGDUD%pq70$dd z3hf28=tKla_ujTuH>_q4FtFmmv9L^psM%IibaCao z!F?G1SH|14cN5Vm-`ZlHfxz_)4dWjXwFI;h>;++*)*!1CcM6LTH1@~s^t_+gYSjH3 zY=oo-$BBIcnGI6DsGf@<;0194EHm)30LBqX<@ePZ&P*kHFymlzX%v*0$e@OR&&&bii)PO}OU0x3u7gF4kAJtvn|52B}zgb>_Z zvwjcePcwNAumTpx2IFD;K{94 zC6$sl0m3aV)@e1@^XK41$GH77^2C)>N0qrrjo+y;9^ElQE5q0B`8i@TgB!l}*mfV4 z>OHV!9}r}3>^jsNH9q}tiGV-{*&n94UciR;_ksCNXlleXXZTlBZxoILaMa03Q^6uwTcXzP7kF3J_9 
zt~VW>?x7uZwE<@<=LflHF5EPB(6KS;D`(V^wI)9ngt8FHDE9O=CDSVr{q})a=l>JW zGw%2gmWM0kNO3%O1qX*KS(eRl4B{fs^k)!)HPXK>-IxfYO>DWB5E``=p(CsJfC5P zlc=Gg3mKXhz=Z6~*?I!Q(K_Z|tRqxgzd4ejqym>ByG8Jd`O`J9U0(v*nDM3I*5mjm z0BZxe_w`~lx*)kFqbL*>+$x<};G#=^1bR;YW4gijS|ma7LP)uVe&L=OAPunZle;Yd zY3?6^YbYMct=rlaCoyXKQEj01?{Q8g_-C5+I@VnS8YVQ{I3(OkY_q(^Jjrqjdd<7x zqU^W=EOo=0;+EnX9jtBwE<>A`sl(@YKi}5420gShMl7pQo$yo61_7bn_YWL131Ku| zP7(My1{BlxEcnH<(aO^#4;=(nk|Nh>ElP?zIR&qV{b71?!n~WiTD`REIB>W}_9jsi z3Zu=SB|FgqINZp!qV~z|(h1(|`Yr-4n_H02Bpx!P5LkKPpgNUE=X^t#u^;T8*{Uxb zNeJuzL|E{JSruupnY^-iWOD>B7+mnsT@W%o1M-+3X zoN-hq=^He+_3%`d83*YE_^@sYYUiYvkp+Dya#_e;09>Jm zFYx`^@YBRza#Ja~Y;4O~DfJFa2!d@)1TjPQ8PzTz3b0&?XB@6k=6@cs45V6)@y~~(V!lyTjSX$u*-)DRR3kAlJ;_>wImijuS`G!OB376gTbgXsSWKZXKPcvWN^Lf*=B^M z4g**WzUBQ#?WTK#3Tc1q&BjEnb(R@B1z><(8{fKg|NeMWVQ`=Cx6?j8;gPF!aS_bV z?}84JXD<_k*^(Wg1VPN_7Y3KE-8_@1t(=nvi3s!({5}Ll5(4tH7~7UqT7?>{>P#s@ z{3Q8?L@p6ML*~#8qz5H}A)$=8zR4ktnJZ5m?$pBg18T8Ru(cK(8s&c`2CF0SCvRbW zx4Ry)$*Y(MHIkYE-Kc>7S&b)hi^adAm7?a%jix$58n=+DuRfMyESZk~T^M~vupdbp z@K<2aPRnw0{o}9+^NNEh--XJOXOxAKf^~izjc1Y#rU4*UJ{ZRR?*DAeORtZP|fgLCJVd`|^3SCt(>LQOs(;mW>1!iCbkdH@UPMP2~| z@Ijtj2OGBH{45X}6edDTWiumtXTb1h%k_2dS<@h)p}u~vbfMw6D1hct@WVXM^PxTr zCrUNlXeF{(!mpK>H=(Vv+T$|o2Vgh&L$Lx*k8Bj%`wiA4z{EFAj~rsrSWbc}>~p`v_cC`yK8?2N{tgllGg0W^tDSA~lG$ zP%Ca}&bj4bGNpxF^FsW1>ab@U`hh+E$VgIN4iCl1Kp#PR394zTv@L4Tk3J3YGyIKu z+8TMD@KuBktU`G0Aa#H@44_7JmFoBQQ7_fDsu@1*4Q< zIr&kFX^(4XTL{_Eo5^PzG?t4UTJ3zyKI>1&N`|mj^M_Pu z$Y3&lJQz9Ek@HHOyeo;j3Cu-2P)h!@JI^c8mYlpwsoT_+U<}3=*6=;udvf{}5%^eC ztyutK^pF)rQ1%8>f1lq2N(o8{_}7RT$ggX7ppN+)aP2_iMt7--Ji25C6S`Kq06gXM zTnY%Jn!{S4bnl<^6{eQ2r9V@B5R(0r(TKt#ixUDqQG?KN`r)M+q>@YZ z=v;AU_?G@aD4Q@aOA%lt--dQX?gd6}oJv4JO}LjPDMnDu^X&rQ|AhZfoiabIJ}&`o zB2TIIDobfR9mt_-`pG@i>*Z8AZ%D!P-XRb`_Z8@yGd=S&djKQ(cswbQ=sg4#W&aAPRiL_d3q7J#wV_U{u=R zN5{?BXTA&O{~8FKwzm@KUm*dP-eX3BGZ~HWqK&AOa-kSfmemn?m>ULz=-g(9of|(Q z$}_q4vFcnNql=P^kpe|w6v-%MO9rYK89U}^sGiRV+NkWf%YFlyz`oh3J2HjQoBQJp z?5ub@`y&G>DJT<(3wVprK?B(~bEEJRN%j?e;BXGtQk?wC;R8nt(H|4p0^rf6aqV_a 
zEa!(dwwGw+$Qn9d=q_01G-q2<{KjgCMNq7*%y@PrW$Bbly-9}phmZQEU-k8GW3h*3 zVl#{j8d<1|zof2O-1|Sv?&|~ns#m^UL-5+P>v_I(OU6$l?bRDG+J&PDL+R}R z_yQ`00a@|YbTufM=H?0~Ho^oMuK6V*M{K;o2Gr#;EOO}t#1}-V$pM(D8UJ`_g<$+u z5+q2fv>A2vYx*|!7c$bXIoWnsMJRA^yIz+ms{l!H=mySDNi`Z@;opo3Di`G~K7=90 z?Nxw0ywy0=1;^C}Ki#GgH~9o>6vMS*65kTVhNqZl(bS>XC@@)?irSUr4LA3+^7mK} zOlGGRi?{YKCGRl6N{>Y|-Y8DRCfAOjESl!cNZF#j_yXeiQQCi6T_{mMQ>_nG;D}~L z!d`2K{M^-da9Cqwq@@vOkMhno!86D&Pu5N`#VmjbG#n==YhogA)_7vQWVgkL6^psc zAj3PNtQ=qGbea@__5JXGqQ|p?`;* z6>x@W9|D0q$?t*TvX{-;8D_!StlqH6_Lp`B&!N*x#R)O+FF~wPA)v~RX z=-~=q*z^m9%&MOmGEn1%dY!uwcYX<`iqnGlpsXUOF7sJYw9)xw|pc=t#H6j;{ zHc3HFfIy`z)~vGu%@2~fNt?uxi-vv0eLG~5+d2+>P(0|Ak^sE`2z|xN$x@OjeR})H zoN@s(!F#`6p)Cu+F1~a7t*~B<5{y2w!y!4uU3ep1DleYf%)Ad4m$JycqitOqM)1m- za9U8k(sff6QX`@3u|XN!b-3XP%GDvKi*TZMu3ga|Zlz$IL_>Z?vLCQAxguD2|NmR` zf*=88nABn}#FN}+hAHQY_&{rXw=_^d;2#We!N$-|CgDF_7=FuMV%LL{R5`7Zvp1!0e{6iV2yC}VQIE&uie%AI)LgH1$R4cvq;Iz z@n2*52A=~4=+|p1!^$#t6;o5|fUj`V*ga}^_Q3z-dj=qn;Sj51Z_>QbS&!I7v*YBXoX+hI?HDX{ zPr&Kcx;TNhW}s32=-hd({*X-cx2+eYi|blk^H1qmD%P=+W8eu;f{*Lfb-Hi|vssLJ zyHqWc`uW8}VsV1tqJ_n(Q>c0#Xn(U2^+QUYk>47d4{@Usn8SKrbIi)nW%*pA{g}}= z{+xPfCzfQXk4Brwf{_kh0)DvML0`#EtP7(P-MHdSMVcP`3%V?c-}v#6OSZz|p1C`j z3$hD+J4uQ+PK7`aLGTrJB2v*DbRqmYnUl!KtTX7Hb&#f$+Wb2>*k?2%6@~^SKsaAq zhrQaS?Bjh?i;S48bc!n;MJccb)$qP78vV4{q3OYberA3er2dGA+Mu8PwDfZIGSH`4 zDP~S!VnJkb!icvMc4)Ua9Oq!eH52l(-T0R@`~ zF_1uMd-KS#a2S=_Lg^cvQ!vtt-N-4Gljv8*YewUi$Rp5%%`itt=VD1GlqdKXC#yCz zCh^!bde*X5G0X~sBpolEbTbKT;2>DL*ToqsHz>uaz(8&yL~(KAmLKdEhqs@gz?rUg zNvRNlzNR;UAbwD6BS7*Thg=z6&CQUs$tdD5h;f=Ya-Yut_L<=5!=B|%gBIQc@>N4z zW1ciKidkXJp08LXo~A~UcOu>*1p>m5u;J83BkjcTsV3<`o7!e>jrHBp(L%JB2jsMT z!r|mZytHG}Ke-R(-)v^*_ZAxVV~vU+2b8cT@bPA8qz*b1bedBo65tK%lTdNDxMw^Y#zr|rolETU3YMY&Ng$w3;hj2S4d;&%Nx zB4TkF-a*7 z>(l0KkPII#fvddDogTp=Yvl(n#9tJh=4BB(+|U2sNYU4tUBm4tp1;#xW3EJ z0F*c^o_6tcF9C}wDPPe_i=K~Mux!oFRAV5}v$?+ds^<_Pxj$85T`K^$3p#iSgsIoN zc*@1l@~Ninvyw$Z(Q8uqGv7!+qH(e;^RTK)D^mBm;vo8hMrV6Q73;O;+NMT^Haq&? 
zzEP12)SK-KI^bMb3`!0Il8CSGxJDz&(AMdn8@I`Qf;|aS`(M9{!exFo`f{0B8ZBH+( zX|R8JRDwLimng34h{WKWXd!J$5;PL`GHLT{fP$IGnBqg(PMu<({3^HO%^rbykP6an zKm+`74O`~zn`gCi`x^3;~i zTi+QbSXsYh6NiO0C~RL6yrxbuNuAg9w~er5_pv3YK@ww43I+XeV=g<`He>Lspgjr% zV(*P3$F~}vVNE|O0}Ws1acpPwy1~!TIHDZ{0jxrO-E{u_3uVZH$OAWdWW)SJksNQq z)P=vc#8$O;XaQonFo$cjN3yE8C7gVXh2eTLw^H9fe42mc<-zpC1Phv59xc-QiP#Lk zjRS2D)RbREa1-up|4#{nXFKDOwiCtp4AL?apFiBrpuzUiJ3|rYk%o3qcAgpKKL>j} zRKUXp5kn%Cs{CG?cnfb82Vu+rZ?Z>hm|_6sxBr2D_lg3eK=4>+S>&V%YXD*U%DeJc zuQ3#8+X4VT@V1q>pND7zLGaGZW$>y_KLZ}|{l}7Oq4b7yc17SB0!u232YFxagA{Ba zY)WlhrY#!1%7_iU$YA)DPnO>UGV`A3*^q%M5H!Wu7yymZkLLBkc=RLfoJ8 zL+j<7HP@SyQI}opP#4f0;u-Th1(upKm-g|7ORbt(9U-(OwWP= zJ+ynkeQ^V8@^b;i_Yc!Z#>V=QL7ILz$N29(b9o{YPprpiG)Y%ZIM1*_c}M30bs>jF zld1VUnWRE8$DUGL-+_-j!$YWXw&6*fC1m!cM z8ekIGPmc~iE)a!6(Du~TEZwbRN?l)LO~YNF#n-?xnQ$75gtHzAmKNeKCS0GYB9W-v{X*2{GP*f3h}`=Lcf7X8u+Q5l<%nUPP3N-pUy zb#SizN2~S45P-gT86ZR@T+)*4_kE=gTTJMo+_}@OVoF+VgpczN?1DMEv?Jz%M)JWH z2y{liXHO zy0J-G&um!8!#+rqqmR~+oIaa~m_2hRAYsG63vN$hEa|lld2(DUID&pDCt^U5>kC4_jHNpF*=i`i;V ze)xLaZogJ{DFcN?8n{nt$bww}(m7Zq2I8i$XU=5!u``w+T4CVPG#|BAu3>px8!LGg1mo4|YCFp(}l4o1M93`!eUL%+mR^Z=&*H^9YMnQ71X z^$MER047c5ouDy9O{5rxk#Rwl0lSB7MgQ@mB&O_#Kq7N4!G{U0AWjT z2=~djq>T5O6T?=UWel$SE?oID}vTq282(ZoXP4 zXn^{sryW2QY~8Ea{yb)n4ShPvSvv9JjG#Vy3zgPpm~49sM?yh;38iHD47ju19I{UT zf}2b8VaK!K^2H3gP-1i?ZaU~?y!U-8aWG;EBH?*9!{{^ELJzN9PLuf#GE4~C9m^Bf@pnph@F9V zZ`uptKQ&QVGt1omk&;_c4K_H5R6J1xJCk?U^$|#Tw+BD%(2SfD2N}uiMe$qUK4>Xv z_NIc!8|JN^I`HbC*bkJMAqzB1T-mdLHe8-I$kbTLvGFun5W32czRXW@jtj(k2h3mi zde15ZGb7c{(A7b>ztm(zq>y|E%zfg56Kp^agnO@r@O$0Ii7m007l)I6jIMg$A^wgS z`Gg~!R-tm3AvXYnRFW?*96#SJ;URTeoLGib1C=^XBu?MEVmAbe zIxaDn3JTd?F`a;=jvUAhwzpomjqPdPk^DPGNngL5)eq$-T+0e69n&8!O>ogJmD&D2 znfspm>;HN8wPwU0KoJHS^x$@?Ok9Wt6bvGig~@(m<)QGVxUM(O|Ie$JRblrrr@b-> z|9^kw9h+iVfxi(5|E5O>Mz>j}K}cJ6?*?ya^Wv{3a#32Di}3a6cR#gZ;g%m1(ui}M zQw;faW5V!5$@4>jrt``fcuKhSk@)tdFW1&GdH6fBHQ`(0t1CP5>xPDl@cGwB(q>DN zE87x#Kxm#Z?===b)PyiA3MR+GBM@O9=g-9Bt>*+n_MTa**Y+zV{&?TxSv0`#F0SZ4 
z$0<96I803W80|y3U`Z{OBh3ie&efrWmSBOLv5rB2HY{GxBOLTWw+B1_z-wsRGxlAN zU$l#^lqz{P9UUJHRd_k8QQq>AlfVY4Ny@5zFhH*BgfekK_!hDG!&<`u4FD{r0b`CD z!;Nd=qS73WJJ5M27Tb80UHA3sDQCjHj0YHW7V*|(797P5(i*69X2}QQJwRbo0mV6@ z^T82wl-M2(h(tv=@j0*#?6$uL9a{~W9YzKU(}lU(7>{JlqJfJ4?YuCdFO{37a4Rm1 zvCvX&P+kdP6qC-ahd6t=6X@n&Z15b5cIK9h?IDDJ~5NAD>wnK?_0gg zz$ydPN%gCXu2*r*lS|^~xHsx-qPzy>LPlOu&_XwyM*;OD=%f-P@-IbyAoqskEMtog zG<(bo^VwL#{*Ylg604xUgNss?>%`%y{$YIA@#t{3gf7>-ZRBYPlRc<|w9#h3mjQiz zSwD2j3YY6d47(YtQiFM6ypspr`Z}T&(iXQ>z<`9482x9#ZM%={CEq_*doCHxK+QHy z_vK3LRs`FF!lAVLH0Vrj1l&{JXDTnwart?q9HN7iuf?3d{A0dXnsaaIfStt)zUu)A zpP;~|nj}|p_g|&l{1Yt`$UVBt#D)7B8t``?tkAf*TX{Z*FY~NKuqM?jUuPbjV5p)r zLsJI%ZPioA@%jS;w327Ul{GbSc(k%?H;l74V-G7HV)0cXSIn5WUVH={Mk``Yag!qu zwhq`w;0G^{pT=v`y0dz@u0Kr&CM80s+UW)s9tVEOB3#jXn&&me|Sd)*KA`wWZyg;;cQHKpJB*AdKtIw>-6usQRrKM<_p0pJlg4;h*F*0OieSe#w8bWj-15yjMREI5&;E$%ckv@L$0xqqt0wL>D@@ z0sSwv@fNDd0ux|d+sFos5Rvp;+kh12JnMmv1)o)qK9Fo(V(r(lwVQ)!mv(Fth@o<` z<7CT$(;!MwTO)0SI3UVdbi+Gl!dqjTE8x4M&`)aqs*H*)?kK?Pqaa0wCLrMyQC*CQ z0b`0eIXWAn&Xb3H1jT(*Hm^i0ByNHbb)q&SCjjvStmA%IsEi- zKL2uCG=!Mq!e};|5yZecTBg|S7V92O`_Ud_H!2@%rc*s&4+sDI^aK4nfQzy1t*CDg zFOBr+FuJh@C6ZchqR>S6%C{kIX8APrBUxOqB-fgMWoT?GiV>p0MZSf-;DN52GU6-x zW1Nq;cEgNZp+rD2bcSW?$AO9S2F*{H;?v|~>hvtzzO@1Ub4o>uq2j25m*yLAE;-R- z{#4QF#v*&a3_J`K?yyz`wX8uSfqE5WlYD6u!OYt@UE!0b9I08+L>KgMppoVzM{665 zMnC*64a^{cjCr2me4sZzRNjqTyBrk1O4E|eRn!*AZ$xv;pc$70{=1SUu z2j~gK>p?nK_!^fdX^1{TyasY$Qxm1gMib5Yv9h9_eMqppgb4o)?kacYAH~au zK*qVAd$T$=i7L6rV}4q&Puu@wL!*J-0U}4qEd`O#Pb%wLxC!bz)U^=JYZu_^AO}vN zV`BAMR}4{xnbw0YPJkIP%fy-g%`8gWfE#t^8nR(Pzt*&Ah=q_-G;KVNwD7Cw7bhUY ztV~t2OkeZR5?e~TkMuhA>e9#lhx9{HqmACk7WTlX=<0m4a@dq`2xd9{3!|PWb02$# zsdiyL+Z(@!6&bYu@^?74gxzj?>zs1dC<41TRyI1_Cgx~PVDjEiQ`%cN>1mVQtYHP; zFXpUC4ch3BQk*f*8SXzn)RQ4RQ~o4T>f$kJTfO~q&H{5-Q+E1;#gn3U6hyF4+3uXc z*vYKVjIx=gXQGfa=5%(m-V08M8uv_C?^#T}+%p8xI4J0uCD(Q}8?k7Ufr|Fn6+fPP}tgXE;QWx)<#iR0=@<>65 zRanLg&sYEyA^^=Zf);Cz{1A6To*rq@S6&LQ01dVn1MHVGrLM)9s**nZLK%ipWjIrp 
z*SsJS2i|-P=+D;z*dO_F+6>3Wz|*NjkSaku=Ec+cy1*0_G1$ayRLt61_!hk*3Mwsf zv=KrvVN{!?KgUx@?O8wC9I4Cm#HQlZzfi~#QB(janEuixbLh7ePe<$QO8%~F0P0YV z`9{92WkEA?y%g>*%QuC+$UR6ICB_xwNt2lwhzUG^n&nE>@mbFz0o&>vp~Wm#N~tWl zwR|}pV|;YQ%-k=!g`so!v9bWz z2&Pl)>}Qj_ys{kWftnA|GqnI#K&ii@!=yq=ihAQz*f`r0S-v)0S95h$85Nb611o zkjwCn6`cQSBgDeL<(8~LD#xJavuIzXtg=_#3fnViN`Q^dOPC`O(Z73CPA6KrB5^Up2BLPhp_|8?DajjEq>(}2W?Wu3 zO}Y+LP$Mx6LDM7HCs~6&hLV|+CK&i|UU(ebjp4$NYTv5i7pc{}RHKD{O4J~p=pn;( z_LZ8)4vrXEI>N z`<9reIY@}v;?c2-PAiQD3b}d<>dC}eD>Gqp%*^)_gzC#Tt>l19PlqDzF@))VIRsn` z(bvFFy#8$=Mbs~NjyOvyvt`wMJu~@-9^JS0IS#sOGCIL4tI|ySLlkp=HTyeuvo=-# zlMy86y8=a>_5=w+G=p^kxSDBcurF-K{A`2}t;v&=u=X)}TTbfwgbNP2&Q`{IoEuLj9G0-nB5fz(#4kQ}DZWF1 zsK39CEq{O;!|WAjDj~=>aRVBn5xw6Dfl2gpe808a#L(zp$vNfnLoO3bbJ%zpp|lY%y&>i_6a^EaFMU$r1tFTz$|y)9 zu@%XgVozgHd`kI~Jt^=+2rW0Xd`gbYZ0UwyHjM${2}~;T2#RDa8CV&0h+8x05LNOp zIHfxa1i49kZH-|ey%%FK%JRL8JSyj%b2pLFCxXWJ1MkrE;xow9ahfZ3LOss7DoJlB>!0e0B1xKA_MGj1RbfV+#!O0Vh{59oW9O9{;90N7o-tl;(x zYrpYtj;kWw)k)JkJj5bJEMc!=8(y?JeA;(|tDE{i`ugvh{vVniiUmJor27&6;lzmGj3#D}A{)<9&}K>AX*n`)9WQ+l zopo5IHb^0JyN>nJe3xdfs4Z?KOG^;68Yh2+7G8^R>o-y`}@-zW~^-EqWY zQHV~{E6;rCVG@|gVa|+v7WOnWUN0_jgF(Z(-ngQ;y-qi?u>33o(rylF|KA**KG{Oi zGzv{~jC0etJ6(0a=UNV7AlkUt&9wD|RyGLK&=fOuH}9kbj@siJgZ|IZFBBc>=Eutd z4CXMmtm5L~7xK)zr!68DmT6Og?@@Cq3J_N`>MkwDVxBzoX^MF<<8^p1D>9g7FH5gM z1cOq1dW@6m{_n>T34{Kl-w23=kR%|PI%OGoFw-$(v>1q}$$`z)!EnaM@X_+c$)@Hd zh%Z3Ls@=^=EhIOUzQN)&J)6X~pK{L24*znzjRb(tp8_d}4NNdw1UDb#kRMO8Qob?J z*0kLw+I&-)hgEtbBb5SOF-9%$FQ$uFHGf`0uot`-+4OO6m{FCo!}P;HNih;&RiGI; zp00OYef6Ak@@4ykeiUVIrd@D1ddAOSBEx*qVxL-N6nv?FO^43TOQsXqML6EN+H-?C z6yyne-We#bJha@;?&xhm*;b91{9@kfpWpiqvERFqVC=!zK`X`|1Z(2f}x+>n4$kBh%1KaqEvk^HQyM{+_c zx2?aNsAK)z3yopnV2*GU*I&!!WDy-d{B)Xh93IPnjqOCmM}%miAL$m!yR~W$ypp1?_ z9aXW}5NtdeF(KW`=%sNaORC(%udp9?3{-~o;i7am;QKz3OtAp>s+6NOJ^U|`J8485 z336e~d1bU})(tm7*psvm%35XXG{vZZbEudTP%;I^&-#!o3=Gz@naQxYTZHm?S-V&` zAI~?@w}%Oqe<1u`-?hg!c^t07F4@OyMcRbmu@m*5Qb@3|8B(yXGK67ZUf|S z%;qMTn5Km%s-Q~rUGva=cWnRfk| 
zts(8C?CUdjS$;*ZleU!#7dglIY#3a0otiwIo0*W~J@hgd4`x*8gucW#B4OsP)194^ z$Jkqtp-jt)`AwH`!s)!Ea2Rs$X>-m7@)KlK6v^q7EzCHXLjL@kG@u$brk|^&uGe!! zVv+AaW|8!U9|q|E`H7LFJiO9y7c;$+IqeG!;vIVDG9Ire!Kvph*{V+l*k?{o6RTHj zt#Q;PDR?e;SB+~cT$2*9931*SR3{Vwo8{Z|_DhF>VKZGwUUm{Ny7>FGy4a9;%*DJ) zl&nIks;STnP2ig*Jxr?Dv#X+%pp8SaPnB8=8JH^GUfD8*(<`W}w3ln-(S9Foa(~k5A&X9#?Xmx+ZwAzX@SD;|52!l6P>3M7vXc7%6K+#xRj zg~3NPNyhtkb5&lMS!0JvIv_Qs?)GoThIKZO?>R24E`)@cD3$cA(+&fAYbw(?Cn`-f z&BtVTxh~!m8JAy7DY&=`w{ewZ7spMBvrK6k;r1FIBpeOto-Xe)>8@9ilA}MX&$Z7o zKnC<0zmFb6RSG3@55sq&-Fi^;k#DOS_AD(Co-_#e5FVy?pYfegu_Xvcof>Cn0EI~= z42ZCIBAI~MmfI=k@qq{~bAFFpV|$*(ph@B<=H>~rnhV>3f$iitbqoTq_ah?U_qfL9 z?QYu(-q?KqW>_R_T8yo=)dJ^$B8!cyS7!NxX1_*m*I*KW0i?zORSVizHa((e zS`kU+5Cy@|i6ich`xzgSMSWRAzG3L3WO}d@ii|}PL4;73!%{8p6t+|1!cPIkj%Gog z3ybR-t73*-@qsEFk?4D(cs&J%pTg7?#urKr+8>pI8RP4RD!5P(L_|U2u{K4M+F+Xd z`RLH#$6G(wPs*Da;@04mM{384`QAkoq{eYP;X5Th4&iLHQ&BG4ivm zUBTnA1hf8ANY(+cO36<{ZU%I!=;^AY3AA})0=+C(&OZkyEEdZzpry?poNvIKz|xlf z`5hhXa!{cLCi5{2xOFgFE)irDxLjy83#fJ*Dc??-n1Eow$IUR{dlfF*IWyx0Ztsn- zVJ3&eF%C|uNH3eN2gos#b}%E;Isdwd%3CSnhb5+)zD8nSC7|0X)Txy)(A&yh^A^-+ z>MO6HjSgDL0_I(@H>NxQus%uZVZn6GN?0>+Mo~CycIpV0~7B-;BwY#C5&Q*X9=O4K9Rb)l<8 zk`=eG5r9!_lWBc<(hL)E(2i*=480X^uZyg^ie9nEo5;k;l-@U5x^T4HHn@yjiK*Tt z3!fl%^*JjWfHHdPTv8^H9rfi` zv8gAys_Z4}ysZ8Wy-9c{Yr^?fEkf2DsEztdTKf5iFv~Ua{BU-5h`4mJo|SNQ&ibl5 z9)A|ia6eqgWWOZZ5Ka6rRt5}MzBOIz(y>0YIJNkTJv=FqI5)4H4wvrLPR7}L7-T1l zI>+ZUq893aB2L6jPtlQB8rpt2?fn^WPvK|TNZIMquSDtcQ0B@K6DtSFS!4&*z$obT zt*nVND&O@PU?O#%ID;(ZIcO(Oi{U{K!#T!?^HB&Na)c>k5^Kj1wQ$5s#w{N2+LZKS zyJ+T>(S*RVZ`t$`y)SZ{u&$C~*D6XZ-+}=IG;p(`+o5CERV=9t$s2xrT3ik^V^FgZ zGYvXtx8SCKcJD?${MoH1X)MemzkVVIZc(EhI9r>flkiRJH}h2*4mxe!2BY7>4cR?_ zjJZ#V2m^WNyXw-+@-1$9&=_n6uxe8RiHr!A@l8aW)pca*Jpe1_wfYnQ33t6z9hNEX z6GBsmyI<4YGJQ(kz2>vZ5Gi?*&Bno=ODPFop189T>PQ2fN7MMu#wz_xbu4GbydxqB zo;$n8{Sz|Z;X+kmMDRO%6DR(B0fCN_CM}%FT}PqcRW18!{180M{)wgH3mQqbEfZC; z`|eT+Qe^}eQT)wZENdwiv+|$J6&}3KTFRg(AX#}Y z_bvHGreXF$zHMmJe& zUkrAD`={^5)4rUy2pVbQ^I&~_%*rCFN`ddjS(3#fJ--n3GrQtb@$fl|va68u#E=VV 
zv><7T@jgUV(e1c}tU)-q6VeDc3%|efw-S`qHDS$2HjCPX70OKFXO6pqRT552>_ZEh zyf`dIOfcTslu1RNeWb-MrBaR*Y~;wDBOoCvXGK*_$c)=DV&$F+WrG=W)6?P(`-Z`& zaNEJJskhLXJ>9WJ@^A`U-t1aFv1sYghO$Ps$|WpTXz`&7@XrFjQH?YF?gXL9SAP$X z%3v6k-60t#Q*11d;?bY-2@?#a==z9PJi;*K>$4wb(V@qG{I>;2DDI$1J~5%S@E{d5 zUIJNDpWx?dS-~Hgmu}LjnhxMYgqY8GC&UH6i=N0eiCc zXwkm{P-zs)DVTZA(WBHgIRi#QZVi>A$wbUgkzjP_+oDSyh+5i@)n&Nh`obK5u{}oa zDsSLhDhkfPj=j?ZH=wSDFe1zVHL;@!LArb^N;7s|z(>Cf)D!rfJT&|A(eji9SX*Bk zqn>hPx4mLi_VYZQuP71r$bi5huTsW%VL5@XCG(oO4{4(%$);6eTOl2d4l{Ju`6~29 z=D+sVc_M_3XgBy8%MP)w60e{yHOJp0m&MKQMxvNiqX*o}=#84#@Bj(fz5W*)CoO7FGR%+Ets%}4fQzRm;{ z@vgJCCEj%paSMf|j-z7GkYP!z`3iu#mIxLt7L_<`QU8g_-ml)VMhoQUhhd&^pNIox zI&8~0QO60t!o zo4r@SNIsnKA~@BC7F3@kU*WQz{KXCIAkra0B5CS))d*V-s?q`KDK`ir`#|r7pcp!b zkY$nvXm96msBZwZ$BcyAKSAo zB;U6Eu*zo`vRYl6Qj;xVIq+A8f^1$wI51>H{>khEF!_<2cXUW~px>Uw9T6IE#Ewx5 zq{i7)n$f^!U6fk4;7kNpdbze7Ez|NAbe~J0r(2Tab!Qul4z1kvg#|^niZ-8r$O(ks z!G`*iaJ!U^-@WA~_S186%mD1LOlqqjOkGC0&iLvvdbR02#m~BczBz&x8hSzOl+!$x*NoetukHsaRwkO zj>%Qsj2#}5-^cE>5bb#q61VnB;UwZ#% zOFZQnfhgQ@1|1A-Y@!r%=7{8lR1C9G*PcSVW4{PyXK_b_&Ow3V-x*P+J+Tp%F9R@V z#H%=dnL8phBBCg)pk=o4dYAkVHzVfkM*eGNQY9+VQ^5*amNw6K$qy4ZD};bKz0v+%9jnrDM-@27rv^5wU>&1Bs}Tz z(^-FC5%>u0Ig&bhO|a6X&}_&8YhL}zdQdEI&vd5AD6e@Mw%^!vNBQ*N@deB_xnaoD zL=FQy*1)(0#twQOHKb`X6(0Zw`688_BpfSM`fPxiy5OFos{*Y6@TWnEa+6g68{);W zxstbtZ@?iOKon_KOniY-P(?U{>f3(9mg+D%R02Gpxnc#5%gM$SgFPW*2N&4=C%iQS z4OI3O6&NT#njT5bV$i#U2O7fXc+DZOZbdqDAsr~OTBrkTUGyRa6$3*~GxTk`y|kT% z)km(NCg|u?zJI6tzq4~48iLW9c~N~&gvPd`lA!rmdqmN?#c=%+jYX{ifmv>l7 zu4m`-iZzn?J&hoFApzl3d9&2$H;?d2i=kgq7!2v5R}=N@f%F^Hc@Ty>WC1N2X#KV$ z{7n%wJt_l2F=_ZGB{pQ?&8mSRYo#p(7hs15j|^Tx#n=t#tEXNUdqnm*hCq}eHq|h@ z1_Vh6l8~X_Im>oobzOErdv-~ZQsp&`sQRgC`LFI5P~b!9=)K-N;M!tFOw+#0sEMgOn7(xLuJ)3#mzBtn}rj46H5=gc#(454j%Yfs5BukQ~&r36R zioEq^(c{$63+aax_qP4jKe!rS4E@AlNU5@}hOHGT%OZCnrAfQ1ARp{q{QgOGz%IXj z2n2Z{xl+w4w5&5%AHqnSnWsVw54{@k2f}vw)AHa0zl_4mH|PDo-c0`Jog;WO!b84B znzK)(=EWD(&$Jxr&rKvZ$S`~%$7`~j?(s3;#ri07l5SnF5dM!YK*a5btKc35T&oQ* 
z;v89v!er)_+_O7?OAIGk@<8Z5D?i%E6iA8D$-9$-u#)zzObX-n} z4Y9vAB(I+KSb8ivbjc4PC9D<9j-Yf(z(+SzR(vd$y@JQv`Mnm%K#dmYu-^WL zT-0Ja?D#0~2u(uT_TV{s1n-3|ZKX_5gGCM0aA^WtY!->5{<=^x%#ng89~=l%#wIDq zSD|e}mO&bX4Ij_CmJZccS*=;AbZclR-5uH@bph4en&=M(ikJk-1sz zhWd1$5l?7KkH~!$8r0#2%aCJSFvQHD(;gk70WKOJ9>Rkl7SdB`f+)PSG_W9ylHx<$ z2{zzYhgeok5GFWgj?Mg~MW7L147`wm7X?3qdrnKFk^lFh%2u2b1u*o3MA4}Vu7Ut* z`Cu67(3yFKTR0)=VnU|kGlRg`31fptQ3<4&xN7lW;exS$#R}NYVB8h9u==QFWW$z+ zZ@h;Vcv*U@fdB?!j3l?xw2)fu_3EeV*a5lY%iaZEH6oZ12J@txXOqknjj+_ zVD}h0k!+!f!6B6);+5M}c@_+*gz*wie5Ldc#rVk_e+dH#^{R@zoKhnO$^+>#eQB!n zVRa4$u&v)>t{{QGp(}zpA%=En@b;xlgKKtty-J+{crSlY4+*mSlgTi~9lZGhH1Hst zE=JzyHNfpt00ABYn#RMz+g~8fWAwh1O7yZSl@~q#&21Sh4hFm#1|P z9nkm9%yZD!+{>3rm`z+H?I{AJJq22fZ=(ZRik5>FCHSrwW8fG#z{Wz_#+aQFbv&UIAbCr_cbWGX(3`{licv-`@CPLq)=zE*a9W788woD{_+CW)q0g6YN|nrJX40S&y1n}aUCZirzo0wJf=ooFtE#s~>#p{qu)!KWG72`> z4!yDoH=h>-i8*@_C^GdJJSB|J#F=XD$+?9K z-}PI(-{F1Ct>O;r$6VV*w7%p=Z(lOZ8m`&*plwj-%JsOy*D{ua^YQFC@eUPhW@TlK z$xUb%E?o=00(&#EI{hA~N6DH{FkE4|vAn&v^Ppo*u{3UbwOy>R+j|plqubyqc{{JK zeVce!o0L{wA;xhy_!kdKt%43OYLmkL&hvNs?{fgd`u6m>J$+Bl(x+5lYwF#>IlgF5 zS)!uu=WI!km#$G#T-n})h7s>th1}0CR?zbT7HXg(4%ScJ4%J||BOH@ul%&EA3tGXv zL!ra)uBQOk8qXD`yMXyfK#sE2l(W~nxUiG=s??#~`t=l$Ko zRYAP&K<6W9qheE=Els>YR z+Oea92<4OeBt@0E*pl_RblNe;np4rcD{oJ5UV5c0t@Ec#I=6GAg-oG*Y)i*^X38Xi7N= z;+ovI47l`Z`Z7Aq4eWt6R;PWWtq@4Z0D?d^jm2h@LaZK}ZfAo?UY$D`={WjnF^8@; zmHlH+b4;3V8{6bl=}7tj8r$>|n5sxsCQgtO-M*6^QT}8`xA3N&7e?n8Z5-8&-&+>e z@jxscP&fpz{GKutGFIo$^o=Z@hOw2VrIVz41W6*Ka-|@^7Lydwd?!32>KTq9GfJm6 z4X4^DUKI7HZPSZ6w)j{lHgV=53Z(MU$A(>6bNQ#(HqEDu`dNUwr5#Ks5CXYJq z6xJD1<`l}xY4rY7o*MnkNr<$Fw3C4zZO`_9$tppANk$_lM&x5!u2~kB{uLMK+lv&GLGVES}^V5yQpEC?7lKW4^iYF`6@v_llAsH-N^I096d_BFr2etcnqR; zgr=cJ zPx*AVulN`}o7);6qjG7`wlAAq8XBKIJ_^dEnH`~Mbkd-7X;3xCusUgL5J=fzrdx&A zp+tEA366L9)+u9FRbH;1#mAiKtqjU{{L`7rQ8>D$>QUM6U4BpH-;HOzhpy4*oT-jK zV5F_tw2|yHnPlG6RU+ABvi?|tqJU5!&;)68tC5gA@i#N=+*;>o6|SsoESOcq$Zct)07G#j?F zJat-%Y#9L=lyNg?$#e^{X$5c4kDd_2QQhu8Dm^|qgKan%_3$G?v=o=6shMH=ATLL 
z;oJ@a%vqMq;{(7ZZ=4tw;h;EzH3|b84{HQ<-C@wvM16-w4F^7vXy5WAO)QE{Er)pR za*+|q4rqfyE5#Bb1gg3raU%cmm1JTe$)^+9Z(JhLwxIHtNZJ-dIQz5>TysshPCes8 z0w{KB)Zq&6=FoN$^ot-3omd)tati}NR6e)LgB_@VHvt;aN*Dk{bu1->ABLFsDSh1zjsev|AaSL2GIUtj$d>u9o2 z99hA6%1Nya7bZ^xOpC zl{to55i6-;m#?lw=AkO=YP`A7uO9(dUvghnnKZ75(3l)nmx8>IZN$KA3N$L|B<6^# z3FFkz3(yeEte}9Nf(SMQpv>P%AWV0#R2us6*fVyRf)H83)iKq37tWQZe09*g`LCV^ zDq;22xl+P9ML0OA%vbgAIxd{{v`g;6RU2OJ&q(Anr}bR0Y&Gd@G-?hkEr6}PMJ~OG+yg}Db%i$i;OJDhQ#%z_Lg8VSOcDE|>l_@qD zWl*O1z~|5jS1=_O4L6AkG;WJHTc&9MyN1%9G6@1`qos*9HN*7x&u6SB@sWIE z20{E8vcv(*z|&tK$`v&@=`CEBplUqN#QtqJ2`;J8#SKJ6j94h4Kx+it^Ot&bwphWS zT4*7;o*L|w^a1F!x#n?J`sRO>PeqF|tk|PGihVGpOlajtkl9G(o6DyBJ2Ua;kC_-0 zlfgpZCqbX$x4t5cZbLUFR}yr9k|K}KrX)(w(Rd8-$ue-IFnA#tpnxweN3&3dwN^8w zhi=>OWu5BV3BoYE;XvPy5)TA~??F535SAb?ff3-#5S(6!N_FTNB*@1)tNjBrJSb&7 zTu^&Z0&lq0II$7$nE3ed^&LwhJXeeJZ+8T{Hca{Q$D;D6z8)`pY(zfLnC^w~Ra`=W z3YQFi57X0|V3hNVzh^`?0Rg{9T22)*b5Dm07wS``uYQRfC<0nUU3;%fV_-e)n8aYrOQ(w z{+N~&Gb1ec7KM513U51`9(!xHjBs~l9~p|@z9)epA|8lxhb?3VtSyME9IK zVdgy$<}Kq^A}zfjjld9qgoJ7Y6=fe*$jx(=p1|+5!>fU=c!sLVoG9$ zPrA_ZNiXXo9zudE4Z)+Mu-5T^D&dda>}u6egv#71wS9yN*=z{ zIYb4aO~vn9WAYu~ix4JJc9LTY_GFtHfgs@aGl6M&hkJ&P?hThIB)lIX*Q7!#A%%gd zW&%18h=3`|v=aH^1An3bstOIv2}J5ieDQEWfD&4RIx)8qg1+g5f-zZQs4vkQ_4t*Y zy@=ZaEUwuC8ZQF4iDw9l&NwuvKkTSUNc4c!#UrSh_(z7}%uXt?iIh1JZeF44X=Q*_c@K741mOjXMng_znM{u}e%#0j$IF!Xp^uOI5trMc;%}UEkL>gF zdfI@po_-M|+2rjcQ!kGljb?RlNw+~g{p)~DMxaQa-*6@~-?s2MvjZq6q{YqGIXR$= zv!nixy|FJh!$xeHMm}KnZ=Q$IevVw7Lyw=T)blYaFc@|wrVX^qhR8 z?)o&Uhnsa?hw4Dn{W``?AHAlL5UU*`ZF`;irnjI98a8Q%TA$$zt#n8Wt!jHK6ES`8 zr|_4vLZ{h>Y)B=k-45HKJKp_#OxEq*W)bcPW!7OqBlI-M(jxzkB-c0L>M?WHVM*xs zG<~NID?+~q{U#%N(y(y#^hc!7i%aXE-$epF_9e4D8L~;Nd$9uS0-p6!HzRe%H zA3jYQq3~yJIGmsz!qA$?_ri{7f9XC5)V|)9T2#^yHs%u&6cP*JXhP-jTiILe$F^G& zANJl1=nQuI&RvGN41#nSz~J*A+hk3^;cb`4#Bejrq6_)Q_V9bXLb{N}aPtVMMt$^g zJ4)>&2tjv?6%;NE4kwfIN_XvwrD0@ z*2evvGN>=spNM2X{v7rvP2z_Q0-`pHZ?Eixju|wKyK(Zq) 
zg+`}mP4qGS+~$8(Ra(~a;Q!EGPx~m6?S%wM)5!9aZK@_nqmXIa!U)OuUqlaWWjIBh4nO%5+mU`=&#`I2eL9GIB7&@9S`iOI;&L$85SA z8ebDPmV0s72sfqyekObvrN!Gk?-gWlN=5eHeRk(9yv8?w(kMhml6Z zq73cQ8rPrMtdAKQRbXqD0sFe$tS*==D=RB&n5EY3cDvm!8H^@irCSV!a|ZM9HXdMK zx7+P@yWp&>tgNi8q`0(S+hg6Ju6M?F49PfSFzCYBLyrwhCiK}O?5!H2&8Jc*(~O}E zZBa|*alK*I7^=^m)%9<597o5&Iya#VwMk33jP$ZTSOe->g0yIDY&sxX6WVviYioWu za&6qy#%aQ0U9zUv4BHo1x7+Oob-_)tCK#dxw|TGa;vbZ=T}uUfP;aB_cG+|sPlF&M zZTAlUn=o{t1L=EH+#K?I$siv;?8-q^pt()b&y6RsLNwgN_an*4N6_dAu09LyIi1aT^XcToMC z?o8i?q|dK=pQz-R0LFL_1VGgg3}6gu5@a}&felz2-M_M@Y$&^W29xU=V<088nOB%h zSwRh{0(nZ=OdC>CJ3{yhdPV#o-I6~yUEHSR|I&zzFu;zu0Q!Cz{@3HF8|tp!PczaX z9iTY*``L!7%2mf>yZW@BOfMMb5=@q5G7C3JHgCN@(!#rH!(LtwZ!idc`HH(`m({vu z>GE~oVK;2swr!hhXR)V6MN~mB*?$Fi_J(&4JitW!>Q8syQZxPjZa?2m=KXPhO@LNC z|LV%3{QjaA(FxIYUbK}~Lg{CXNubsD)dg-1Gw$$F=yAQN6b1!`3Yxw#GPB4=7jX>>X^B9 zkwrR3dMEVrv0P55TuzP6@5Uh9sVS=z2vnQ!G> zMz*nvc9@2jf$-*HYsO56&|5IAa>BHiHkT}DhD!Ungfhcb5o|R(U#aGiat|O%T{Ri*x(7Yp_~tqWlr{8#Om03LutPGS@;N{p}EwI{^`r zxg3gG;R7VWcm6O`E0G-J6qib+F`2A|MkAmw29t*C-*h@5tSJ=%N1-Nhli&R993iTT zI{Oqnb@7KHg_|4gLIZ#6Zl`a}jh7PTHZ9nk!~JaasYK4{WLv-3$xg7%=O9oP0j|f+ zH%W7~hc#HDT#<$;{MVy2$Z#bhWD<%UKNBR>ew-$D(AC1LXx0{&JI-dK;j5~uuc;|8 zR%@581`T6TCZ0Z@ET5VE@{DJJnrfUX=BJy#z%Kg|X>Lp#AV9ri{rw3^+sgF33Z!z7 zc35|2a1)K)LWh0AC(1En`Y^BpktI;9Ta9U_EY|h((xB3uk3)X9Z96PLJy8E?QYf*% zf63TF!+IMfTc{Yu7RsV(i~j&(X|;Z!X1LW=Gr77RQ+8VakDJ@q4---X3svCwH@@6$ z{?->VSvqb|NYNY{fn_jhYrwyf%O64d}lwWYC>Ebj}V>E5Gh1M3C*fPk`1pkK zHhp;IZ_8Q5Wt!`JXo6L_*EIEwNg@}dRU&|3)1(?V9UTE5O5AnQzuc9~B`+i$tHaMW zzzT|_=fBrdz@hKvrY*|(y&vRWotz(Jo2+&V40()IBqe`c4(_UqS4`2CE?~50KeCwd zWiWiUE!2LP$((Y`p)IAi4jNH3-hK0Xv8HC^GHsn}wQg={_d2;Lhd~aCJ8B0yAf-OWy9ndI5 zNT#ut%7zPSPjZ?C#BOrNZgAaS*NwwtCkIQs+`0_#oYz9Nz8~Cc6Sj3R;RTr z^o-t3L(&+xR4J`uZ|O4G#VyOyD=Y$)aKNnKhuKckgr!k6xp@lNPSxh%oT{klfO9im zV*~eA=e@aocL;Yt1<9xawCYBaQNbT1)YI}Q1~bMD1=VEz!g-xF8W<_%H1A)C$$`F1 zQsmUzvx8%#RwtCQSR^eARq4#8DH%o5HyA}j*rFMGeXNI ztqIaX*@)Y^wWZs%jJq@hNNCZ>k>G{g`}?`_<4e^+9r^16$9Y4*nTSy)lE@w5Fupnh-)ub~0B8o(;Z9I$dlp%$6P!HG 
zzMOxTBrT4^gFao30rbt%9zUS332P;Kq|$%(7igo}roV54m-sQCeiVX~v=R;o1AyP0 zb3~sm`3U?(HKjOdBFMWWV(3EHBZ?6GNnE3lG%L$+^P3o$^c#T4(MRZO@{u4Q@Fjat zELM;pz2d{-hO{{hh3#y1L8FP4E+f$O?{r{E>3^uWuz}**&R7WZlXk@+$ifFIelaZm zwDso53eo38H>|a&De~92h##hpHL3V*VJLIfj?*#?7Udcu#>!7)Um8_bjZ&j^Nw01( zOriQ0AC||SLRtb6q~4+!t`Tbd1kS*yvb>6c;B-CH)6t>#6?pmyM7RJXQ~~RITqr!! z2QDQFK=7x^GrSZ7z$TM=F$0tc*eVaceB;IM(vvWU!2_d`sAO*Q*fkpg0Du4r(_#P= z7>Y%00a;q0000W2td%fnBFxC^1X*# z6xXW}1y7wU{@hXHr=&l=8KUFP=u@>(XYG7WX6cZqOM$~YO%u}0w#e1;xO$Rx+aCLW zmB>uk)GcIQM94Kdc%&KLyCXrrLP+sO^L_3=va-WsJ6R7N3rXFR*{^R<>Mmgnss=Ioul`B~yUh~Fu2uwpNlQPezTS;zMsLYgRsQ7hhHPCy$l5ZNjhO6PW0YHK7TV%X55rQTJ)LCCcQ zMy;*V!sS|=S2J#7VcZN6xSA!!ir(%?|C0|UtBjr?DI`#s9m3hLW&TpJo2EP-{%dYu z&`5tg`q4`LtK&_dN8SMv47Y2RLc$$E$z{2+(r~QFIXZVJm!1@xJl^T=<^G$d_r3Kv zh|VH~9t&Uala|@)fj!pX9(*d7tTN-avz!3+qOw_KD zfj_Lc6GYQd;Rly7c87#jEujO#6nMeN8^!A8!~YZ#-JERf48$-?bBN-{_W#rjsUB?P z0nlbWv*K22-Q{(7+YX_|qE;5WK{F9e@V1(3?!uMIp5vW@+t7E|b&t9G5%a`$UNkCB ze*C@cqiER`NSF)B4Ff6RABxnq3A6-oS6M%|Z4S=3rwtcWPSz=;Cx6;la z*UR4#9+vV5r;Q14;RNcg;Oea-mS0+{m1Q#`yF#G}#bKE)nQ)@^)q>~W@rna!QRh*6 zh~ol;a)ZKZveA6KrII=%#>uK`gTlLm6&OQz{fyK6aj02%QIg*v`|4w2od~R~#1&Va zxYuDqH}o_^QL+6vdBf6cZq-hSUs5I_tfW$8Q6Ax2k_@&ZD_5oRhnW+ctzPA-C$tAu778X-l>(F&o&;$Re2nfsm#OomYszH$5wn zs9I&)6q5gqX|H4zFwnYuTQqCg7dBKOsu-U*d8I#{ztL3^o$mx&YRg%!C?l`t4!5#5 zot+DEB}Vwe@lJ{;;6xCXg(z1}L7-7F&Ck!iCST1E?<=gJ+TvggiAgsMcn9Z&jM%|3 zh-;?5P#s2uTP!p!zr?7%wPM9$DUs)MniMIQOnZ4Dcr1M5%8CM@AtENl<<3mUV!6*9 zkToQ>k7@2gwkv`sH=|TQ%0m@+0ra^&g36=I)8*k?K*1CUZgEa z?$_P?wL5f_v5zUBxWv7~|IdxX6&B2HkOkH|m_qb-e`4$nZt9c{E%}(H$*a92Xa_++ z0z7!b9S2_ZKNC6(sV+o={_^?gX z<7sHZ#wS8}!t}Sb_?<-?)=4rjIHp3KuCi+gnxmX#BBpFX-pEMR=X_`~H=}S2qvU7M z=-{3gulH&UBu`F^a*rcIxpKT+Hg1cM+i-|G<4%`*UV5k`YiiPcjo>hIRhO8@gSw8CvI5BK2-TQ(H`1!e$tbV zMJbdSJ1VRqP7(cAhPHoS7~s|mSOX8Fh9KNQFmjT-%i-}PQ9PUta~nObZP*r&h zaFm?H^FDuuwinyrMY+w1c_v#FyZC2xm?9!kAFmWLU`C)a?%1>pWg^_pD;4vBf#;7i zM=*gb2kyQgW96uJnz4weS5loHUCf@j6_O{gt88p%l0L&r!P4G9->g0z?K_1LXF5s%;Ee 
zE^T5!Kq`RAk0@Hxth0CS2Ov4vgiWS*in6aBX1CdbXV;;L&JM33VsLZ7i)6*nneNJ# z@~#^3{g7g?r7gsFCNyj^PC8uK{?*kJH(lICZ{{^2bWf|u(Qa>_{V8-3htdj;B}fBF zIw7=$F4FeJSmy8s87uH9EmL=00*rcLm0g6O4v# zwhr3e&o%?nI0AwfW0BLk&N_fEb7?}DSYS@2mz>=tG9V2l7G~B&lk_L2_99sApiYwKRyc8D~&BdS;m#=vGY zjBDQt8(>=S6H?hrJ(h}!HYQ7HYC|ZbU zam(VbKy|}g-b>1m%hC~tZ0N_lst{y_h-Ih9njs_P#MdQ zkQq0{0hecvM1>1D;b^E}Fdwp7m5Dwo)7YPn0#@(iI%dpKEZ_+N*GCX5`jeHl2Y{q9 z4aO;_pSuFgw4&-9Iq`%QLh(%2J*!rj+=*no%6yZL3KO>2V^gx@~a4(Ug=$HZ3#- zw59hQ>P03)|I(n*(0b$(i|<>FuSG~Hj+I?4+=>Qbn(|ljlM&~$_v!`KU=qZ4U2WDf zjtIQ8bWppt8=iK%s1-7UAsmw14}Q%{q@*2-q;z?9qOW*TOFrG??jJ3{=%iUn>O*$r zMbnxH>xoJ#+Y^%GH?_;9h(=l4F61UbJJcsEpb&`x-ZZj@I^yKS&Do5&^#`gAA2f?% zSklqy6dF9Zn*bn{L8{sna_u#E600;G+e)RjQ?$XtXM@0v1(im%_>lgG4Z#q~$C23Z zJ6_qF%Rzbs*9kaT#+V2eF-PBoq}_ujP6My5nil|z6W;CYOxnz%%YGLDGb|tPen2q4 zk@0#L<4 zc&+Nh_&)E{*f}6Cn*Bp-g`P%O+k>$f6+7gLOt3u zh3By@-0>dme_4YL@wsJU$Orr&4(3VEfaZ?tkDeHqFa;}QDbRPX9$E!afQ?lTdz%jW z7oQ+AzpWh;21?W^86;A^tK^ArJAE3xxgbS`yeBkvCFu3=_B$9MJ^DV48&3Y7ZEuiT zFFc1Zcwo3OLWs>sKwL2P^n0QKZ1g;U(ym4YB6dJSfhM6D>gqFRQyY3w2~{FNU4tD?s7-#P=S!}{7;Z09_n<4 z@0r<*KC&P`9*TaN7aFVfK5~|V76w&M@X3#O>w+2em#y+0FUel`WunSiz{HP3GpzjP zYq1wJ^b(@8s6n<#KpfP};b!C$+7|-Na^QKEd=@Q~;2o_UsDL!i-v<%`Jek`9u|&-d zb4%5Dvb=LQFBWRn`coPF4qH*V%A&i+OS8sE13Z^mmn(F=Qqiy}SPUfzlU5ltwhn+Q zlQpG_f`G~b*k9m54^n*{SYRgl2BT*1I(9fAL`RXVY=Wn-)_xq^i_LdFqhjAwNp$~B ze*O01v{*@6XMs$w`bJOX19&If$mu|x$xRtQ9j>{M-_=|hUGF6JIkDbn+*X>A zdv%1uG!T?QlTjvbI2TiB4qz;!PXk)WEiWP&*HllIJ3-l&Q)qog3%@ukptZkn{5TBHTOgk2jqg^08p7K4EdiP*zG!{Jj zaOo6l(jWBLG#c9*hSN>ig8>rC?Oa#nCVEIfpcYq!Tg2tt0FEE#1*9oc`C<7dlyb8~a^GLVHz_FUR zSv86(=-$7^onyrl&op}8_3>r3M{Y#?aT-|J#7-w8l+#y}kn0h$n7gGq?Qr{uGfFeI z#u61!k93WYy`O`s3<8%auZ36ztAl~WV`^r~GATEVCG|GJ69K?+r@jj{RYmGnoDJh;6qU_iqhe(4K@ZxR4w85P!XE;J|>diCXp?6cG*48 z-9u&}e(iul6{L47bOd_sOWV%F;fm|kU7;?7pi-YNkbyqLD0T0zFaYu)_fCYg3t~Wh zd`|+?gLw5um>Up!O)%!wJ9D^F0J{;=((-K5%rr+X1=2z`GIYwCSZ3U?4EeX{|Bh90 zz{lxxt3dik0nca^!4x=r6*{YHfW&bmtI2$WY)|}`<((q>gUx1#kfGgNcKdF4c!2Bv 
z*U;U%6T{kWxs~|S|502^p$i&Xi()nu(BoM)t70G-$gH&khEz?QyP@8i*rJI>5C ze5GCIFR@gyS_4K5sUXs01q6^}zBZbz2iw>Rt{UvMYytKy zfq$AMZFEGC(gbPKx>_@UlXVCYc%_u0_chVR$Wl5eI95jJ8o5o^`dQHkmaR2|U>gFw z1RbaA$Nb^HEl3aWikz2F2Yhv7E4Z5yIND!c&o@+ToLeLjXU?mis4l1q#n-}$qY5x* zWT8?|ST}aeM*SCQw36H>#nAv$ z3!ivhkT??ry{e1i9VbZ3n^DEixqom9>OQGIE01Dj1Wd3nQ(GJ%8OvbTOXWL)d=o!1 zd@TLs*HC8`5h%5x^cjD29n?+8z+SvT+?%gKW6Su61mjcMxzGBy?FU~6V-(I3W^1aS zLP6OY^tUyVL&G#92*&F)DoLiH2RFjO4|abJKgk)fQpMt`3());GxXkL^b=#9=6vuMh;hRH!*N71qfFqXIp5*qU)pA8t{APQYNzj_7a8x1Seku z13KJ0@&n{^8zeH+GT)u|w<8fTM9;pa#a4*wm4U7VIgp7c4G%p(_Fn53QFI#;;{LP>pDq{UByTX|V9aOBq}v`FIqc^;9y7GY98#kvoxFg(g$Utm049w;wO|%4AU7O@DNv5Dq2bv%qM#G1HE}nV&Pq z$vlD8+F1NZpdV2}uSSX>EB`F&03BN#=r@U#fX`^mJMBJ?e)YvZQoNLO$cdJ8bxkL~ zL1T?>q~5mt-s^Phid1-_4Sgl**nQ%A!sM9_8{N<5pLd)LSP(}K+dkY`^r0rnvk-~C z?RPCPrDEvSSz~OYmhQ9^AqBkqR#S*YYWe_{gIgzZY$FkxdP;LJen(PM9MoDy4&LOLrbjW0U&#F_6H(1|X zp?h;mXc)}$w8>JWrBm8KeZ}Ty1gAG76$m9RblAl!>{he*@EJyZkmbbg(bX3sVmQpZ zGIH3OJ~2}KNqJ9g0k|ZhMGuBOIL3oUMfNfx>Nvg2oI$wJ)zppv_C!}Dy=27n&+wa{OWlZKL$KMS)*3{EeO)KQ=;`CclIJ<>ke-fTB_v!i5*aG# zwc#zGW^otRI*Mn&Kuh!nX6x}ZRi2aM}`7p+muDKIcBN`^rVbIfAcFn*{uTcM(3 z6Ppvc7XZ~VJRj|s-;i5;y*KaX6xrADzAS1%pM5IDaBZYl%tS^T91`(o!l%wjYnH}+W^*y-ZY;+fGKz}P zOBvc*XB8)eJ;ccxflm^u#abUGwx7ZAo1+BpL%AvA>cK4pMNx>Z83fkT1I=WE&+4z0=7Z z@7C}8D;tX7Zeu2hhey&}+EXRT_@rDPy6Pd55|3L^9bygKtJho!KXnS48Qw#$ex69qJ+G@}C}}tW&LfnAD@- zN%4$f#iSf2!Kp*N2?T1+mrNpQ<7I1|G*gBcN5;isX_b@_j9(fS=8z$sT0&%`hLHH0 zU})$Un1sIVK-C(SQA}()(LpZY)a&dJEY>r;yA6ni_+`|D(8UCn2@JIKxh$)|OfrPZ zT1UZjXCpTyKahe3S;rx~aho1NqR;xUD5u*jh;m8|!d=-9L?m=J``6f6lO;uRF`-8s zKT%~Q-&Ou3%j^;}bLIp5g3~yK`xx>6r#4&-vAnA2swd;IpV44q)~&u|AdE{IVsO*2e};cWv-1;x*V{;uov?hs;IJ*%>Cq7jId0w2=(P(yDE>)n#Hy8jeaFO~C=J zKk%_$JSWhrmJ-zc6?u-#WX>KaWa5(DAdSR3llx?A! 
zPowEt$wlYD;TRlepS%9fj>}q3V70wdBT%d-(mPmtHzmXqcO|~OG$wx20`it&JmK_~ zWy7GNvP}|E^DrIVpw_dcQzYdfW|a8r?$JZ={k4YEHKLsJ(YVtNx5sfVJ` zjDYtn=tL}h9-qPh(I43^w*jLbR?O2fL)`exSlZ1D_bOH^rkZNL5vwXT*sX72vKmkb zRC!?|nw{tVh-A`!-y2yIlW!h!(Pd8M^H&14Sq^BsA5n)>f*oLoR2l>3=uqZN9PJna z3>_G5Y61h{tCrD5Mkz6)%;$bs%veM-2(mg0#8Bz4wpPj1G`e)!?Gm9>KeATl_>ux7 zp8ZJ1L<9b@K`CsLr*c;11Ki(&M8Gk>5YvVjN~f8CUFmy$Q;^pg1?>bBODj zNx8%bMxQQu65u&xI73t5jMA{SZtRRS%M&-MGgws}Bj;?+EH9T9uyx#f=^0MNoz~A2 zMZr?5g;FwGbM(v(ssbcfekp1dTh*H-1|B9@!~-lm?npDvZC@qt&A8NKpXp$xP}P)l zAxOH(KmzOje}cQ(BMj8%K66JYA59-l@P^+7geV+GQ_;a}VjAN8MRm+{4zWn(A4{aA zOKucBl2w^|fDkXA$6!M71`{gO9QT_|k#RC-u}7K{y-?C3$3jh6bc^AbvY!K*PEZua z3SV{4Jb-ZnD1x(Dp=oVS_o_Y z2xX&1-fYZ>*%T1-XkC~Tk+%rr>~8zw;&{o0?Pn^R4(NZ+M2vxU0u3$Xcb~quE~Kfo z(A97GIP1YZ%E}b_uo5i6RL8F&?9>x~{s+ee2zXN-xHox=_Fw?SFkL9(W;TSLP9`oN zoo_+^FVeSgup{Hcx9NuCd6;tYY1NiGS5|`Zk}4Wf?*XPN2_V&yHh_(S>Zv8XN){*V zy6Crg2L3{fmINx@sva~AL9?zD0~)^HP6@(^^y#uB7eqMrtKUnVNEv-i-U^S-B+WE_ zvjn2VG=0L$&f_E5RNLnooS;=Y-xShHX$g-(JngEg$-S}vj55UVc5_Fkv129@{&OS#XmnlTb35M~m3mkv%mFU; zP|M22C|LjNYC&0L$Jr2-8GBM=b*RMeQDNh}g6GgFavTj>_rYu!!;~{of)R@G8Y9>B z`Y0wjZx$s*VG=gxL!52-(<)25qKr4@{$Bpg-XRwlSGZ-UKw|VKUW0~8?*VHI303F6-VFlw~ROo_w?!h=D zaKUgDp{qN<9ZdQ?BD@y@`@;pA>61}|R(`p2CYA(7vRjU44gZGe%I)>hza3)2H4O1d zO7YObM?4}2%m_*bTUm%mZo~mKiG$aClD!856PHfqMDpX`c#EtTB$4k-@rO1LrXB%c zQALMXYtY3&zsEXCh?1i~+gwuM?-0spPppz1h~>FxLQ*wK=b7OIoI#YS$wCxMBmhzH zSumfPWAh<+WyUtKVZIhWu`^5lu{+DaMdB=@X`r31KC+Zvw&>jo-KQlomT}0;0Hh2X zPBMfBjF%y6H}TZ0yt1b6K2800V#n8u@N0(l{!NG4wO;^t;3Ckxmd&@GUl*C%iUerL z1oR7L4y=WnR8$hu)T1kbhcy5h9;-?LHgZd&Fkh*cGO0nyd;OHJ>_thw{U2sBw8x%5 z>(6E)BR#bgkpO#ePfPknSCZ0RF9~-(ad;HKTot$MD5CnWMn-Sl(X=2b{eS;8(D!XB zhnXnVDTmA4j9}b+IDChXkJFai$%4)nr~t75EpDXexEKH++5QVd%T`v(XGIMOWzcR= z5f0be>kP(e$-}2`5(vd97Y~=P&^53BbISfV!@O-Ftm(mBj6r zEo;4N&$VBiaVx)Zkk`prtUt(ruR2?Bd;$~&OfX@7GZ)u60(}s7>)X`#&)bS4ms*#k zFgu?tO2Yt^hSAYc)#C7FqU8< z4m;DxvtMVq4|3z9IZ~9w&!xWXqZEl6&I zmqO#deGO1hiKpWyd_@!}#m#pXp%~N-tY6RNM@4S>Bd`!3#z<9q7|VvO$FA|>xwZd@ 
zC_4^fw8V_sAQFxvV_YRYoN|i7D<7Yn}20YEo=HUq&V-B2`B>GLr2}KRGBcPUb^Hx0pUa7q5H&~F=$VnG#6LQ@2)n#%@v$3L7^$-_Z6qqoR^$&FPzAd ze)VNP<-%^xW>2Bak}(arSMcVQb6`@5f`g+0d0po80j@+B6n>+airebZI9Y!eA3KsX z;rVM>AsFo{S71u1E?6*u7eoZKb(K1D2Kh2!yltl-0>_`k%+n8>lx4yT6U#*tz~AE# zsyo)nET}piwd=w%ssL=xASbX=x}QjVqgTY;K*5Ks=cMBRAXy#epYDX@usM~&dSr4U zpR(F@;MjqY*tlElPawbEmhui>s<0EpHB-vj5V|7pWB#?Ju!vtHF2`~kUDGd+3f08m z5lTIWiJ#Pb{NK~SMJfh}FNrtq+^AtbIoc(+5bUzG9}cQXk$%jFu~6{GXi=MohVP<5 zl*u*G_6&Hi*+>3x+PMMNI z*1he+iS2_$=iw&Zkc$SnT0&a?EHz~PUhCJQBL%c+bL=Z0zm@yXK@9hkqRObZN_Un5 zRID5f)&%1X|9ICRP!B3HiKr^6t?+60eNf176#b7{9i6Ms?Mz`3UvH&$G?AnDwDxwB z?3O=sJ|h*X4tn9&ctdSG6B|}M41k>W08ZOf%m!I5E0K3bV8wX)`lkZqnFBRZ?y$5T zsF8f0*+Bu+A$UZvW@BT{j3P*yzz9sI$Sd%DnYM_K2B9N5r1O5l$(3`e64y@fxXl0n z_bTfv?utZsP{lGg*q5W_6UJMsCV3DC)uz)_$z{xW;93})Fpo;Gk{obRB@h_02#7_C zZ4Qgm)etF&cX+>Ugp+dW9Wfp$$vdQ73CpQ)T|+&z7H+4~TTKo?-WmWl2ToC+&r^n3 z2%7xL-zLP7x4Y=o21u~!6sUh8;ob$-c&p8S1%_J>g|EsMDqU!?T(v34K*Uc!S%RVe zUntQK?2f;KDhMu6T*ZHa+ae0+Ip-astZ)9rMf%ZL#Dd_kifLxZ+z=CfzePm}r%#Zv z_l_c}Nj&qZ16LVMqQtqtCcln3$>N7dB9zT z_aGnw1-((+46!SZW16mFyfV)|INbY_A(C+G(&IoQ3Jv{w;&1s(KH?(b;{8%RU6h}t zb~Zx&W(cgGji-K#T+-$wLk+)R z!|I-;&pQC;n9{cM8s16NUrO$BlNcA9YmGiDzSX7vvBA22%0rK3zk ztny$Uf86W4Z|sT#dtY*;;Gdut!1{M7vgC2t8^3);i4UcGoz48AdO95-QW``Sq-%nd zpkh32NAu8~zfhfLya}uDospVj06Z{p7+weU(PgUx9Li#E!9Kr%& zYkJ=v37iuYJqrVU65CBul1yg_ zY?j~QAn=i(b+|P`V#Z%@J*2i#bN6CpZE=4SCW5I=@UM~sYJzh6cry$)5hB~G*WHbW zN!_)oMMK`GaOt_^sD{$um}vOoIc_k%g$i+8c%54TH?n+hs>?+B99DKfZ$%+>n-mdq zn0&GUQl89vOP<;-P@1apT9kJqMm~w9n)gr#q(IoK@$}j|iKAPT=2ylx%$k2iFC9MC z_&=wdf{9(ioG`S}`b~xz`>7F~yO~OidP2NFdK4|5ZDUDw15)-+47789k@UY%dDKu; zCsF=sQK}QiFC!cgUmW2k#n8|IDI5ZXmjy(TMEZTU4yq)BJfe0^FpDF`_ho>|JXDdM z$W@HRVp_oY#@ZI#DL0{(;M{}ow6z(wMU3b{Q`*F*L6nSankIes7ydGfL~$iM`R^1< zY?E}y>JgR=0nSidr;RHv!U-y!Pf{Lm1qMGb&Brh%Egk5Y0=u3E8sh}i9tX(*aX>3)}vxm?gmyA~-Zo`Y`0! 
zQyg9>yxas%tkAOw=2Y?74L{|{`%8rr{q?c@H-#)p)CcHGD$)>(m&UNyWe zm0p~tc&Zybs!Oy?^7qLB-+o3%Ma@sE_k($rqyj*jBBZ^uA6_lAlwbS)S*JI!_kym& zrKiSvIW-<*72UPcgg@V>!;;1f>#cvKR*>AKKQ)a8TI>fzf;;ltSAn8m4+*4I z&9v>=uCzS)?K;w@P!BMHVC?)9WZd4za1PS`0xK%4zxXm`yCB!^tu2m7mBgkdxZVWy zChlMT5zR0p?i$6&svp^=?YAFm{sU@y#`LGd0b#Q6!{rtWmHJ5{YbJ=D+apoN$cnQHE|itv_bd_F~8VOXQt?#)`aB4Du%wru|+yyLF~oNH5Ag5D@e3%n$Nww9@7|&P>ppIAw^PB0U1^85`&?BiIfptC8+=Z{sZ30wP_9l28sCm zkEqM6 z*H`n82np;G8=x1KPVo>qunIeIa(OanLE0UZzohVj1&R2x&)C zhnM+%zY8}+E+9=XWEA%0RH4}wE&6g3Qu>Titvf%0W;{Hk>!&Y)=Ktbjm=`HtLF4gW zW(taOWJYX1h9L2FL8BusEr}iwyoka^Lfe3pB{3|g@nl|>0sBsJ&I&^|xT1tMb1@}u zUju0U`)@h1p!X?5;b@>);WvH^EyW&8N9W~3G`Hy{vQtu+o#u1bTtnukl{gto88?BR zEl&Xf^Zkvk?ZeF|pA%SdFCefjEV>EcN*h>O*rFlE#b;oexs@!_ zNC&Iu`WURJ2(sQv35BIm07{q-SwjB|f@?*xK?_wk9j2xf@i<}uCj8&t%VYyTY%%UvK1fthsvey1a2ALvzHzPhF^ zT;U9^iK|hLMnoL1HG(6nHeJ9i7>)FLNXT5zLC`WqVM%UD&~0rP=g z5LA@qc5wvbpg@mllloG{L?^V@7=W*}Ju5{6l7S}_ejz5|C9CvBd#qu>Di}{*2wYV_ zvGWUS+H(lr@8isvTne`w#gUt8qHx}m@SOj`G>l<*R&=aeR{r%dO=+%bMPFqsmHmC> z%;lY6Np31{rqkMPR|b2T^wJTesw$0_9-|?*Nw>jvJl2FZjY5*SjSvv*xD8)N;1GFT zhVtv6TYzHZcmeP=ukp8NR#VzY$JeP*W$AO5q{^-ru0k_CjCmguWf3b7&{?MZ|Lbdd zZQ;ph!*ZP(VV??JDzXXcc5*};{eAGN2Uv@b6$*p$6M04i;ZPZgsRn`dLKrGbjXA0q zC-_TAljhx1D;0G12%xon>BU}w0{$Womg)09qcuB@)IR z2O#A|xPXDUl@S3gj7jw^T|ORd%6tn$Vrl1#8TZUtXj)TF|B(VoMr9&o3|XSqc7T*( zW9afExj+K_$iijRE$>_08vu&!CjlG%=kfErWDW5}2}zr;8kwq; znIR0|r@7aeOB}#d!*U|SS804kFz9v7HTdpX2y@)aO!nMu!EG*_V;XlPp}Wpedbhaj z5Xv#8``@Yl-w3-g#o3imLHLWHk}T)^zS}{z2otVvwj3tsQ!K}c#fPap0@i4L8D5-u z7A(Q1F?FeW?jv)^k4L3HJ;B~H3}8L_1dKirw_`u+KIMOIMhe97P79GW?IU z*H)AuBr52KaJW1FAfV^`rpMgW#C9A~+YKz|;<{4>qg^TO*MSvS=C@ydI0&X2>;qWH zFkCC79LB3}-p;Qa1f!xR2m1G=$tf=wpG0Op6q(dym#tU?UJH!m={kjF5vY(zU{J{) zRpNseQ>vKOeUUla>rfh1PIo)2BWN0%!snD)z8Wp_w_Ixd0LwrKA3ExHrkDz@~b^th@zKagr&uW{RhYQC`xw3kIn!HI zhcqCI@x7_Ye#)hA$`b5tR-a|^QzFg!!xHtWmpnJ6g_IdGF9}7dteMg*gfTez`Fha) 
z7*D}P&*_*+YkbI_k7FYQV~tSZzll>ppr2bXJdvIYLL4|z4<2Zo$HI?7!uW|!0H(@UtQR*kCXDXYXq5kh8h{}Ki{?v2k!t6v5~i%>p}7xHm+P7D!HjYE3eHWqKEs@vD0+nCv{0;7iuJ5 z`b5@7V7&v#C4f6dm}Bk!Awf&lBCRuT74QxC$d_jteAg~!2#Dw#w95_#*R#p&1uvHkBF{is(mR8&Ll z#=wmqHx(1q`6hkZS*6of_sU*6oE;Sh>cyIPfuYoL5aqI~QjT}?-XPkc8wSMop#4TF zgTmu{K}ZTvi7?lKew+$~q|*;9x=`a`?7sU(MQ-Ckn0jnVS9RST9Jl7^Tu%22TaWbFdEv~u2Wf?*W2ImJ;aHo$KM{~xYUV&y#+ zp?;E0&mF!1#3t)YaQ;xUI1>CY{`9QkIKL2%8EE*&$WN@0BsojIVQXbhIAfuN%6`&8 zP(aJ8xC{R?@$DQ=Fr`R7HUzm2duXByp~^ia5gb1vNupaG2xaKbB75CN;cnhYL5BYi zsG;{r_-jqhd>j^O!Tfw2_0sGVf`vWiBMTyMg%-*)v2iycWL8{b)9c-h6SD^9C*C*C z9&Jpv2QKKy3v=MFAkjL+d0N{uw%T+T${F6-L-Cy_cR)@Run4l)W!sbmBm{^G0?XC>b@=!o zt{4<4RZ8X5JvR6U1Q37}tBDXv-@h%UP-Y4R1|V?C&kk|OjX#fcL4^rwYFt0#l2Bid z95>a%0$v%%)BGTNY>e5n-3bHO5f8%8mp3Q&(`jVUx3lD@2a$8a`%HK2ZpAVOWEz2K z6ywRiCwK_jv)m3@Zp1%;QnP~tTl%pBmN|Uf=!%qK3YtistjBC)H4>EP2PP8z)K+Mu zvQkCH_)VRmhJ@Hx!BZ9?698`K z@#!z2J1&Dhh$yR8K@3F<7PpCdtE0{OKFEgu|7!E{)WTE)+jL-r5DR|!3fIHE5Eota ztMyB^h<&vqZFlfK46g69Z^fX|f_a&50M6MFHhtR|#8&OInBX$RztZ%nn?|DyehfyE zSYhUt5wE4pZBlRQa~3{U8?lZhVdL*&J?rX(H<%yALwD8;2pfT7@a6q~0glMPT* zGA%9SG{L@d=!ZT9LC&c{Mt-+;pXF}#s|SbVz~qn5gH{8Bj2 zxyHMvNQPhT@TIqHm3xo#<4T5Q!c2~6u1$PlBEG|juy|O`55BniJdp4}TcCkMxu^lY zb$=W`e{e?8N29vxBnMi0V2@WaSSCj=84>bj<$Z79WoejX&1(-RbLbm6^2~E3j#{S1V@c zrZ5?1ZmNqz>BiYh_JRAME~`uLP>V|6OFJa!e7&|$drxBBVDLoWtw99tq5>2#g}`X% z!vP_}lkO9c=r*eNaXNgwZ}iYr{t86?)-}q}uBIy{Z$9!=58$K+Y$y_txMKt^Q<3<@ zbh^%hBr|%R6^@d`e1`EHhe>KTPh8Rz8y-LeA#-wT%xJHB*yt!cs6)**6jgb~7$ZPn zs-j18z?Wv)P9v87hOTfCr7QT!rZt6PvZ$D2MZxQkikQIhvp-`GN7bfLZ+V1VrI=tG zoUK1>f7Uo_l8am+QMBXXRR1Sox+(cak`DAtcNYQI1?BYB?5&xJJ;tuotk#NII}X!! 
zJbLVl4Ur7m9rPVRKpf$gvXs;j*!X$8Jk$o5A?rtvV?sU=1D=Zj!o*3#atcW)&5fVr zI!>C}=lfh56A!FVGakcnu*;zeGlWcX!r{*!d?1mfY;?kZmo(%Qf)RMXDhl!zY~lb6 z>%fVfudT{X&F#2n3&1dhOdk;oag7LT1r&iQ7~Och94r7F1Q49Se&AFajf0F&zd}I~ z^4#|dIwS)G__H@kUSni0l@h2YLq9Dm2WF){gIt`8g2aBUcdk!{%7l-cKM<2W@mnA} z-ar^5xl>Qo{_wt)hsiuKCKLg6{|qXj2S1HCpm4O4=AfnqXqE1sIbO@nXn+dinbUXf zs1b*RC6O+9Udr*JgG?i-kgcO#mp{@108BG;`3p_)V5ne1yI#5uLCaMUF3%PJo6U0x z99rJg5aJq}2@K&SvGH>K=|^d19Hdlt6hyeR3TM(KtJ~Zf<*gE6%Jy884g@e?{2v4- zUX9t!`8YvuyGQrgmxIrq#gJb;s({Fhs2?U>m`65MbypN5oi51gAg54$;NHab3nYW= z6P$_$5+9Pbf;zz&-NonDi-xvDPlZ(Vg@d?4z${>jWMG!>)HT|?Ag2r?HaBU(X0!eB zK3CNilI|cm6QTrpTg@dtavQg4LF`OmBXQz&WMXs-u_FZ#sLQNg|9xaLS?lv-81mki zD>8BK*ckGe12rFslc5XEUl#9^^xKaXIQ_+YaER><09p4h_Fl1**?oq{q!^#hyT{NT z^Vtt-e-GjM03o;H}<3E8N~xx{gy4>1X$Gf(SApYh}gZUqJ&6u_i%`9uh9rhxai}*t>dNGouVcka3F#*wQ%^w z0Ao=Ej2x(^@)%LGya@$nL7G`pEWANDS3J!7@^>&i>#!UZBj^qj)`eEX8sX?%T z*I0HDxr!`kD&S(xFJ%Ur+Mrb6H^2rD`y)A|Esl8qjcj~^MLsd*dPN&;c3o;PD5|cO z+WBe5H*E7N31H;2pQ&fD_nG73mc$CaYoZ#>F9#0^T<1EwrdjpLehbZ%bry}mka^Dm zz0uN?PoaX1uwFvOcdlMGyj%npcGv=LnB)wGgo^yl@9v=RdDR6V#oLE{y>X>fw9rYo22|;j*A#)vdR|)nK^ys%n>A zI~ka9>>cd%+|#R;y5mmklG7aJIXJGVH@GLYzUUqi0IpN@AlDl*UMg!oBfkzE?b3_>9?cA?MXJb!u z^98T!MT6$?~WXxdZYGnYwpQLhj8glJl%v;yp%Q!r3O zzQmAg=`?H$LYWCE@lGcptHAkufoQzX-f-RcjMoApbNex9-ajW zyB3OyBHDGuE_qT;5pdN+F6&wo32Hb{*7w=!p?&u8R-!dS*04d_Ha{z;hpq`YPe7Mm z3)YuNBVh1rRBV>a;e;jg~2|7 z%LNWx!#j^gQi}u6#O102oPO;8QmCjKKZ~AGp3wClj*{fB{UyX8gj{b$_94}yn6Ba4 z$G0a{{s~y$M7=z7*+&Gj@(d9NF`rm}0q-z3c3o2wM%WX5g0ETzd(8mg#qKsa8#Dp1 zXt}@0jj9-%_=!{6*SD*q5iS7D%z_9ITm*+&9q*MaJ~se?SIE&?f@`VD?GTRQtO7Se zb?I}YElKB6h{Bk28UpWev=0)%Oz8D*xO+!MIjR~D5$CF zsMphCE2!w-oQgvYgcz|h^zWW8b)ve>o7V<89&K%3hjy>NLS;&`jBM2StHbcZum9$y z$3@x}weFG<>fS=^KZ-+#2knt`BqEu&II6GFsZ8(@l<=Vy2Pr6FnZ7}-Zm^M@ja*$f zznLQUuy0-mRAttLO1sp)4Rlv^T#nb~!TGp$cIXg*R$+)_@O>>H#cV5-U>mLT;4k=^`9p&8Ihoy#5LZ6C z!lwY^gtiZa`{;_MSU{?GQ$iOVj?s<bRT6QF8LvHW;sa~=a>4+dt!u+M6~G&5B5NNHHQ!q) znZ|m}m=WmrsE<{)9B3D3YFQ>`R%hRc5%u{7FIaz~m_}s=p@d6HqNMy|R674r_V78~ 
zeo2Z5yNHSdP&xw&qNvkI>`qu+jG0S=%Q#*Ce;(2`?YJxyFcP#BMH; z4AMFf;Xkw)z;8T$9psT6RGK$Ojc-%q-T5}X6DsLi$J5wA%Gb^k^#=}Nu6Y;PIU)`u z&*2H9$~M^P6^-mg>bn+x34IB>#KH7MDBJp__I(HJS~xD}rvrCF<^V@PxWC7s%Ep~H zaT%%fUtC$GypI)tyjXZ74f1RaF?GfrWfXa6C}-$9dzzX2P+luOTT|X`A#e%U?5ATn zjtx>v`_w{8ym;VLql9b;iWA-$|6Y3uLPfe{@pWX8TbW^nj+1B5784R^_Ref8KPZMw z5xwDwxbCRzhd^b`#hI5>H&aCyz2iUpc4%~lUl2B{hk119PE?O3Ugxrd2ZVz$%(aNk z0W-lC1FS9XM%9+RPgDm2h>-~#cVrJ!fautJgUCu6jFUKFw6^kI~s4m(=ykEbPOR%w$V)hkrIOsq?nFk2u25|fZZ;P z{MCf+ECj2#HlaK``zNtGOg|FW9lLfsrgLH+XDn&qIyAVF(>WcU;pm+)Asvt+pfYJBTjYNc&o8n!7?)|JZvLV zYj{or`Yp)3@BGBVR-q&!KzH5@=Qx^=EPcFvBat-Qh?PSue?%adWL0qW^+Y`}Zt+X}ed3hvGrqFsTICiwD?~Dx`~shz zr%kx{JaE&RqV;(y`yUG2MH*!JMn*vz1=yd0_vgKHU+SyMN=+z^(#jg8F*8VremWR?ue>YD zP7s_bksBt5Dp>`LjUcd!-7zc`cc06O)&5C+`gUDe#`FLz&!YCUA4(`>9l$-&bnm!3 z)>R>=5LH0_e6?mjBnZk`?ERFk^02`OL+UZ=h$vgOzHe zZsB5N7#@L&`;UrPv>*$H)2#3ky$t3(=KQ>>rU#Qkew~4hhVTEs#hexTkJe^_9sz^c zVmXN#B#Eo@=k@%VzNipi9p8kHn9(KNpM;s35oW;N9&+OTkr2V3X9r+4CSCeh?#`ko zd+n{2qjqpIj03QGY>(RcAyC|O4jg*&kb}fKd3Y_wXWDhf=M92JvLY)=G5cj+tJT|z zC;|*mQgdpf9rMRCW-FFQe4(2MF(^Bt}g!44P~7=yVq}$?4t?3mpT#`$)N|WaU}OxH%MQVL%RkR2ig;T zOR}F53TT6vkz`aVv^;PHq8Y(m9G|yfVdG&kl~FSw={G^6OOr~h##v`FY|AInSjlTi zR=``o5*zGXv8u?t}n#rZw- zq03A%4}RUVuAD&+H}{OUF}^W96G#-fcO-{zA^2+lcDlxqZHj2ediHXvoE$|XK0IWW z8F12)`GFH6mue_;^YW6M1Td&V`DNpYX6uPsEi)$T=6bu9EvjKYtVa_4;;=_u61D-H zSDj&;6P@Mj7&q6bVM0Df-gsxL&*og}ll(w@XA-acV!)bg%Fb+~1z4s##1nf44Xp>5 zm4K8zLbfQHV|kTYOBmMak|c6L;mG?4=q>H+J^h=~AsCjJ9vUtNM&_J-WIVyggLs6` z2SeI{^U}$eNKEyOf&%!g<-Q%UZ{_#|Pgyrz?pAQOeb)wTZBF}12zVi<0ugm&7?8L0IZD=lAmVDw_kGv@E? 
z2+|HiWc(}F(s3R5Ov-wvP#DZ3aXO>2wjmU4;-b4TAWc%nwJGVqIyeJGeR8C(>@)Au zfx5H#lrX;RnQzMUXZh;k#6vm_K@u^_d^@e*iv0)YV4g%$^5$ziM{?Rq}p>_{*ZOM&*@JF*ho;m*1~ikHXkRpGz)Ll71 z&DI;-161-dFajacO9pLe&WC?wa@n7#9hvxWm6kGO-HX8RI7~1WQ<0IL))n1;@kF{{!Uer_ z@ysGw)7pn9iX|Sj@zJ>upEgT1BZE`Ncy*hpa$|f)EKyh|y(AP}!sQ&g2ZqXndkpsg z4c)_4!k6H8B70uq5KH#5R=2$zGY%e>FqbhOXViwoz|MP^Zjr+zSXPX`{MKY5xxF)dc=YFdF$JUQio)e0r=uB9fL4(Vuf(g;sU_d{13{g^ zPJV0MJv{yNLdD2N=#8pT^7Rq<6D8Yhavapx>e!{DCaOEYIXGx^#=s_px58S6GCne8x;JUp~!qg{CSFOjtkcWL}Cg_mS=Z=ko zvvX6|UO;K+Gj|y;pzAPn+cbYVw*yxJ*;X>t1Yfsa&}c-!)_}j|*feU#WH~gGTD4&L zO6N5ay<#0aZ29pcgyuKXwlIgCy!%Jr7Irrd@zGcinLO`=iWp$}1eFjlPP(hfFtXYmLFNs4JANQ+}P6&8&7lI;!)td95c0-N@m}mrg z-zrTCn{9g@;8vH$=kvf}B~1+WpNpvg=Dje$VRxZ}DKX1-`mc@s6$ODh2Eu@dEz zb!aCVQ&;*>cHbN-f(r^cP?$X>@>awjneN%&q==kB(l`#SJ=sDbC?-S(#tb_yV7~X$R5D-V@IsBgHjMn`$ zapwQ`t`76#cs$su^!HG!2#kk9GB-wOP$ZI~yKO=NvPxi&l9E?;QRpZ_T}#g>nwU&< zeE{b%TkCagj}QL=`$!h|2fGK`2RygYDZ^eK@8ZzIa7qSTmaUcjc5xV`JC?V~VLf3* zJUJumYyUhSn!OF95i`3C4_;Pe0eMGB#7iXa}v2_=yv0YX;-ObA^~lt2nykwN?bBzTA%M+jXGsPL!m1Np(}?V7={~agswF~yoL-yB0-@m zQ0U7130;>oLf52E=z8o4U5z{;o5=9WK^&g>>I?<+9mGc>4~%dc(Gpy3d2*+{c+ELu zhG~U=%%Lx_4B$h~Vk&@civY6)D=0x+u{HdH({!mXp3|?z>0pqgm=-mr`W`}dxicwsi zT|H1wZ^au=OYQk`?p!3Z@m*(=E8e=UfZ25PGiCaSgU`!!a-&t5XRYaU^0JbMcY{%7y146ErJmL~Ho)V7JoFFg zQYdSidAj?!Sj@%IZI^1Lk3v=5usd4;#~` zZth+T&|wNxcra3EEN5@|$?^Zc6U#+Yet=~MM zqp(k2PRImqn$*r+Y!naWbe%zCnNQ1QR5FP@9=S#$@fw`5-#qMEY(~K5AAv$73`*bt zfRQCmDM?0PBC^5N23#AE!JzvhLx&Q?8aV_Y{ZW`g$g;s0OqF1ob=)KutOCcA;)Qg_ zk0AA%VBR<2B{>Y@2!z@j3ImA+cC{!cIO9VC^mO-a;%04=cH_;w%dGhfa zS2}1U7TdR&Z0aO=90Nk_hFXr)Ds%zqc!Dbn=Z(^_kS0 zwWq(`><;PECeDe8cWCWpkT9Xp8Y3c%EOl}^L?yG|hG6Kq9^2<{zEU*dkLBt%xHtll z2>Mvyw*34xh}+1Vo8TX#GRQy)g=>`vW*B&Js?SzDH2wkM;2*Pqk< zwF=!A|2)*dO>F=KTc>oHkGKfuXK~rWbiijOCJ}g0U|~@>Pj==IvLB4k02J0X2>U@L zS#d2|_%M#hec-V?wkzRFnOK`wu<~Ha2=4}Ai%S#vyM2*@S`zqPR&@!emIDBME!Hmd zPbPbiynuc$8RYX`QU)X@EzM6A#ABNJAv0m^Aj;5uLYD=Y41S1Reavf*Btxc;kB{gB zRUA=cA3m-@h`nA%efi5C4kx(+>rxgf#I+3>XgS=)MnOF}Iggf0tU{8GjIy9bSL2)? 
z*f|9kXs|OAlq$UxLYTQ3ew;jmBZuSzi6!jhAE|sPo|AT|%h>&c-f()7X2m7|$1mmd z0#gbkD2GodCnj5Irl*1&mZ_(uYC%zYp~uZU&$uV+2X9MnLKx8wX;=6eWxODfR4N+` zs9SyjjBn4(@9R@yg_^(aAVJaR(c>g~`7h08$BncX=`)gJUGcFYu+~NS(_7D;3qedc zC-5MEvYwWrpA(5*zK1o=lQ+T%b6k9(QZ>U`5ND4C7epm>juzKi8fUHJ{YIQG-lwTj z5;}Qw!C?0!z{Q3B!;Oy>&KN)VOhKow{ACLk4VSwRXwe&tKuDG znAh1`?#+cbB`#;*XC;?Df3efU&_N9hid**u28=QXLh17kJu_SHfF}0(m@r7?s{Ur{ z-0Ii<)vb?viL1Dc5cgJf{KkQbt2c9V)jZCvdXu}VYE^YLw|l>Ok7;e$Iv2Q_lWA4U z)f~b2aag zaTqLwINtMI(mYe(K1FyYoA*XRVoLZVl4-(2`kE2&J@|*`h$_ExBE@P77PFCax_Ewgs*tO%*$7zI7e{%J;e`bc-C&yde@ zh)*Himnnu)B!{9{fRygY9qE4D8QQ^-?nWHxj#DGui8VttKItCx4e`Xco;1%}PmzCd z`<62Cn|YL+;u9Q&y24!HM;%#Yd{`WYE!|k;FqoKx z0AVn_gPr%FPn9k(F<(a_4h<8i5nyE|snt+Zpj!YV3KS?%;6zb0QPf0H_@F?6A_=u% zoD=nsL_AS%N5>8&>g^EmMjgA8sAnYNadhlWq8<(rPt>t9iF!mLzDCFHL)5Dw+LuH< zpN>5RQ7>mt67@VR9r48>v&n9W~=GXjJ;0hyjd zy5q>_{-mToPT$+KwQ5Ned!%s;x`Bu^h(nlFY5)Lnkj|0ziDO8S|Ln+UFOTwf?~d}& zpM59VgGPB{wAW+yqP?16w6~1%DSmcew3lKg+B@#(664;~G2U!-1OlAKQ5>e>yl6xl zQ|Td8dfdT;N<9T~^dtQl08YfeZ~e$*5`WZ578SgelO`w*eL1+$L9Q(AP_H^7C6suX zSban*dr^H7*UW*qtzAY(o6_TVQs;Z!HrCkbg|hUzE&;L^>Y%?NrquBvx_St*53;KS zF{!g%8}!m8(kDoq!q+y|*4J#k$kxkAtaeP+jC<5ddS%P7I~ZF_>@se-Ni92S#5K0b zaze+lo6%mz-KCj#botG->n3~%0RnYH-;wPkb4Eroiqv4IO}7=&2W!(X(FNq0T-#%Q zY>Ynfi^me)hcp45+C`l%$wAGJ^d8jQ2a=VCKKW8Bnu?g}#JAZ3(%F=KGgJtG$w&`s z26QH5&_gFCh75Fa=DVBQfV)MPG7uzg4NSS;rf>cD?&7vhd;fVIhKhP}`bsus*e$km zwR@@8r)=GK-9eExWj~+`-qTCcB~`N4h4hOpe5 zICSbN?dI zu9j2YxZQ;5f)cm8&B&TAB&0CZ)sA=dqn%@^XroQ{vxv*Cee^b!uU$-Gr!LahRYF8J zsXr4MOb3;Qi?P$=;4)eG3TEo+c^I;Z)!}x%MpRDro4`4k&1vk03gM$)3x|Iba!0M3 zin2(8#(&!_|GP^VX=|^)q

    pdAy}(Wnq~xCaI}_|s@33YMr9ssh zX!bLRPij76y#uD|O*e?{6jh%AZ3^Pl{7EB49_3Q?Ws!Qk8bi&apu$k|r=1(TQ375J zHFv@>!XvS$I+G82t*L>47gBZP5Fb50`KJ#8^Zv9?`Iy3{J#C@Ek%1H9U-)dh%f1Qo zU)V=X!{VT|LTHt+LmJxb)xw~iah(OK%l4ryhTe|t8*0klJ$e`QEE9JI7Or`9Hs~^8 z+HWlzcT<<`&1r!CgwPG^4tH7d{!|O29@bGaVbnOs;V!L7xJfjv40nI}QuH)v(pmfY z!LAI}7#d}!6BO%}0dljWI<^fhf!=A*(3SE zWgE)1(O|o4e?VuCL_Boo2M^`iP$P~GI$Ohpx1aP+=#P(x=K#b*^{VLA_szbET4cH9 z-Cx%6ZrYh!{`&qW~mOI1ek9NjEfR8}E4HI2%S+<`*+L-5V zfh8uR%G$#}JLb7tgekVT>SfDoKViQ9f%5k%8iD5a+{aD+w8fV{@qsf9?Aq7c=-u>g zuAB;N<1^7VXiw(6cE-7=(9Q*XAxrYC*qh8caV^)DQRWIZo~u8I(CY-yb>P0OYw2&D zb@pflwGy}O)SB=_n0H@@=!hjBc9wuB8{s_QPzmwg*#_&72JM#vtsx50Spv+#K>)!H z8LTf1gFQO1U|8lDfzr2WgG8&zBiAH>B(6zQ(?n96H;_2cEMe1h z07Q*@Oy)bIlVXNL4Tlp@~8(1s%GnLW-4athwTf6{mUA zT*1oWX2RI;!Y~GF%?;xRbVI&@7qJ9sIRxWgK6?t15SubI9BD8T7s>i0i2t$%vIY+6 zLrh*R%~@CB4;9jRuUTQ#Ob5=mLVrvS;U0<9dO?HT&6yAyrCFzi8_K$PHgv{YT9=_{ z8YeXRzVH@TCNk%MM#HqwW?F-z_6hGgFJ4@W38PY=(D}R3gd_O$>WDPmJ#24*)sNVF z$vwY~*};-%$~oK13=UkizdbF!>~Xs{HGOw0?X~1`t7Wv(oVB%6SlK4qqz0e<+MCaH z_X@of8QmH8%E9RvaP}QG7iSjXgRA0YwGt(2JG$ktrmw;5ao$#3B9Vy&-Da`JBQaaO ztEh-ur4OfPiqcD!cioo$w$tm@UB=K&>GQ0fn%xu1+G-uEto+EwnCi_Zz8zLG{_ zRsGxj8hxv{6vy%7vCC_Vh*RnJ{FWN=UZwe{$T{uuYM{LD4rwje6jg7hpHkw+R z_I$ks{hdA5^islLBkbOtG8JKIZtR_7vr0Xlh0^hx*K&KRt1Y9hyPPk>H?tc~E}dvM zli2Ku$>lbjAJ^*kCi?Fn^m^|EL(be4T<$CuU z>mJiBni7+aMoZ~cZnnW;rgu_u>15(*yKddIC@Hyg(wv!?MR3U_lXH%HPCAl?<;%A? 
zEL_qN*zt|{BS$5Vh;3vjHz^s|_ceaP!DUW1n9N#}8kyK`;~LDE&g5>O7akWc%q~tE z7|4V!1ed-4f)*B9__=v;6t+U$3qJxLTuT9ZQ~^o?O}PZ&?SsKK!4|;|0mv&K&_ZP@>wAP$SY}- z<|P6rSeQouzjDa4GSdS=JjKg4jsS99M`7?qptCl2A%3oZ-}$+gh0rC4pKA>|i}T^< z>O*IBey(64lxV~FbM>N`Jqqyv(T&E&L?ZXfp5bc^&L(RWJc~_(`hFU zoo9CqTH#IJi+Xpg9lGHwTIVHv(wO~(P@~gH49YFVc4*uFY_n4&)#^QZ?5bti(YY&u zg+8NFdQje)mEPJ*@4WYjs9)PbIx?R zUae2-ipZ46_8N7=d?Qu_@xXz}v=%o}0b0W`d?u1Ji)h3wnmYOCEj>C)&yv(`Cy(3c z-ChB7fp1Ge^V0MB;}w-a6W;o4BQr9+n-+Y(YR{8yka`=(Km9OboR$8Lw8X1>OMPPP zF3$*bR%-Zz0V;%dE$$#{e1Y~ChtM+kEG*2CY-{Jv7y8`9=bB%FMR_MdfUp1=#o-BG z7};zaen=bBc+?9I!SfQ9_^oACjC*Hz2IB@aIV)B}wUTc5G0kHv(}r8=iPe4W`^MJv zP)|<1n;HF=tOZ}4-JpZ43p7+QWXB4iB184Ip~H#jTGtA(&Vh--L%{_w+He}o2g6}p zLx2J47V0g|BZh6Lv=_=0m3s<=@jk#&Yswd0jctZlHbcAP`N)>lhLNV|u~`3Ww|9DQ zxkVcfPA-P+cwX$njk>enX4qvjw8Lgdt=HV85@#!ujpeD-t^M69Y+ahzMWMB^3|MWU zOkuPzWR%pm7&AC0t!#M8JR5=2uYJ#KtrD&72sM6%x5UU`Q)y#xW<b# za{SBwKEcE1mdMQQgSOB_0oz^fFo{*_)r$&JY452yq8AkR+!(Yg?EzXXd^-Ks=;Zs#1-Zgm@NS%;L&Aa z5{*TP$Yd$SxxqsZ;QI|Tc<9eZ^n8--Q$q4q6PHjAlF7GPJ)zDM-g$4kIQ->gp@y5o zI!h+J$v~tr(+Z(aG-{jl1}v8=|H3G+H~jaz8^ew;_$1VEU{@3@)Q3N_YgiaY2(_u{ zg}^m9co!EVjQYrMg+;owJ1?%`3!^^{Xu{}C-BWpo0?A~9)PzwnG-7wknG$wsc3HK! 
z@>^H_hMUV~xU!rQhqK+To?|Y2>ud|x>S}3ub)|DJ-0S^z)9S3M&fQk^DYB|QhOfgq z*#L5}91Kj)Iq3DWF%bG(j0`Lv1N%UkmwC`+kM%mRYLm8lRn_tDm$^!|zp8Xq9sBLF z@u)K0>RGy)qqSA+TQ#4{#R9)C4e)~M6-k5!ldD36 z01$nxs-rdvtl9nPz>O}C=UiIc#%-a4G4}#OMqPlhpEwQf3z4w@V?cC42a^yk=O7-J z_l_+=jH@I!*4yfc)fEUS+6h`P4XA;?7&R|@)E__%^P&S=^2xKYG3h~$L0*f?IK}^) zMavdRycPxtLD7$`7_ZX%K@1{)2`_|HqyQsWkY#3!O`IWj&{cHZh+<5_n@RaHfo%Nd z#2hx-7~+H+-^)c%-;u+{_drP5jH)Nk#S%~l6Uo~HkSb7aM{N;_%L{peggU$5WzHi& zAVW=Xe$^3lSwW$U3P7u|TAaZFWeQEsKu=F0R(di}__{%~!r(m&IZDE5gedZRpxj8z zwL1tB_TNr172>{@8S$74N`+f82npYyE;s2hCj!9xNuy2w?(FzRqffLVae`#R+p`9# zgBt$}Iq&h4R~tlBT1)H(9fm;e$d()8I3NoUX#-n^ae&Cuwzbv*@{e>e9ScBQN^C*p zV*Kd0_?u(JY}wy-kmOqVR$BlzR1%{}N57uYaxA-jL*9h0)s7(@zFeGv6q+Zh?h z3o!v)bP$U}!5sI}W|B}5{l*LsuY;(u@Q@WqdxNugrVJMtVe_Ein@$;AZp| z0hpt|)?3Lr{?DSGq|`W(eHzJ5>32@-oo$p%TR79|t1 zu1)nYUTrA4Z~WariSdtXyrzmg+JACRow+lj@mbCN&Yo<)@Sq4pK<t}su-Tg=80WH|BlQ8)O+ygfL5dv1Wq}b>eZHq~anrr4Z#x7SWnaKpX zZHHXxza2i^#;(YS1bOW^BT=ZCQ;TamJX=EHh=i$wz_3uZ?GUP#9!7)UwoGehv?)|c z8p4-if0B*V-@PYtUz#SjJtwo@prEhqkSynHy4}ibhvxG3FVS9T-FEmR=xsaf+C;k% zKil10pbkS&hX9oP>pz?lvC8_Qe6Qo=!xVqq~0W)kbc~E+>py^xS$u;Q9 zkFf1|uhs587Jjd(L}WX=1}h?e0{9 zL3Geq4g$MDXYhU_M@bT8kJ5n&1UO+Cr3*9y76FrhQXrEO(0K)1Isu>JR`4(IT>gs} zV;M6^8FHh3;UClw{44*QeoVj_U{Fqo6uBPQ8~Y>)%5op{Oa6>M;*a^0{+z!Vn(}Y@ zGn&hCfzJg%7wCAP1S9DMJwt)VT1h?$P=3L7%@0lCw=$@ct;1a6n@K@Zk( zyS%9%A||7gs8o*icd?oQ01!Y2vvL3!B9+PG;b;_vQ543KJ9I}5sLC`&i$Vx7g8&E& z00000ARqux5CCKIsbT1}sc@9658BiQr1OIkRBH9KU+2X4r>J%%Ss1RuX-^k176)1Y zA9NUTGp!M(*)qUVD`L{QQsR5XH*$EGu^1|}S~T;GeBcH4(ZH+A{aIE2p-jc8Bs@>r znKWQ$?u0xP4kH;H*Ca0Rr;Q4(V;(+xc>;n`j&~BZ1FL#y$m&srP;%@8K=ec zn=v~|5FZ|Y=PLAb{M;jgHlh(@YbJumfDuA!)I`!zdKmvNaFC37D#C!#{Jz8Bye^ zus3Nfavuy{!z@SxIsfPidxzspFf|_e^#Yu6d)NZ*9pBY~kCi8Tq}qmKY6t}8106Yq!+?;9wdP8v?@T3TSWsalh^*md*!r*Ju$%c)*BESx`zl6l7@xoyq8u zxW|q|7}qYKrwTK?*QHPcS?WIEmmy1~h^Qhie2Bu|WVs4j+5ewiG+ zM%2eaQi4n-THrZCPDU{+u;m(UhY_Na@B|WTNRu46tW@zZA*p)`6GH;P%sRueA7%AT 
zvC?UG_sNhFX(*JpHKz8`x0W<0sUQ|OErcCf@-NH_yOi+(u6tPEQ5_a%Lk(9s)KA1|2ymijN{D_~@RhG{AY?$nQ{;#GiXbu-q@^WDluZQeiqYUseq<1Ijl ztUMbHudyt?-Fog5dO?wEfbPCvnN@8GL`1eWrK#!$Y;F(^^8@0OIEs-)7a6E6cH%KU zHTBkb#rsb1fSoS>GI59 z!&il|YLUOe0hhqeGN7CsVt_2)bAdVO-~5&ntI({uw`NPGIEif8+y&xi?a~q~gx}|* zi=P>~`0Cnel#JB;3kpxc0``62Wd$Kz8S=hzJ z3+YHiZ#dCCBMPHn&BJtpd4saN=jt@-?VKJ&&6qt(T9C@hBAyiJsgaUREiu1p<=>0S$Q-y{j>wQ9@KxtDi$%F}T$FE3h4WrE zlCZ8mK9e#ioGO8}JCTS%QCfijwQDp`9E2A%s7%cSKAExjwrD02l3-0(I_0w*UP)9J z>cYw@@qYXTbmzv>4j6TrS?F!mtgE#6$hYdqB;k!!`j--NR1U9CqWb8nL4N2LcvPbk z9Jc}!3WXa5=mkMtS!`^#h>PLZ?OZ&1 z7IWed8D!kkX+a1@ZZq#t;J=*G`9@kQm~oIYEl=|AZCZAP6Q3ia6UyjFxB(#^;BMbK z3R`Dl9C?my%IlfvJ$JZ}GXgSftUtXPL*RIb3Sxv~1DfXvmx!^9{z zfxeIhw+UxrhtrI}Vrw`csOBv;yg2NXK($nBENcIF3l`N=$#1AX(mj%tz4u18xtFIP=&iJln#BUn&i(rVGJj z2}Nq7W^#JLC4s}XlYrn@%yHYY^?=QYR$0DQpGIbakQH`DXpyZ;6>?eEeF{MDtVtM% zJ*(Y5^3*oqoqV;ih2io;G!Q*gblX})c5)h=HMg3>0S?jMSmEC`hn{sb$W`ZIYx~if z6XOHRN{=?I-s9%c)F6TM?gMD7@h(rS>D&iUuW`#(u=0K8gGmqQe!w~S#%UnVpN?>L z=;s)vfffQIFlm>5x-TX7)-d3?M|>0`28Kk0^}*mjh4VD$^FrXJqHDlmYWtf#nVYxw zKqgXi$?eiIYnm&&T;Q!i*moq6K^ag7Et!S4$c$h&mc~n1i!TnN zAxVwGwTcW@_+U>@va|I71y<0WB&!w^MZ(CmSrIJ583e1J32P(SZ+$+cFXsxSd%-pwZ*f&}m zxFVkr1tHFh9W!vy$Ytsw`Arvb>ROdk7BY+I8#%y;(|y5@GSIIY0t#Dh(L;bAT=3Op zh~DXz81$!<500^lPv^pI^x>^A=&8{|8Mu@u4jYh|g|4ze8PFcu9H)ZYWa?qhBrq}U zCDFQTMibbN2U+}&$u9Q2Fi>00es3XeGA8qKv(Uh~pLPJzc+Uf183g#PPA!>-Y3M*K z)bzY5CNOY@wl0+HoWB44H1|&ABZM zlN%<-jQAlT&6gab15BZ98zo02A-vy-31K>VwT}95GR4+Ny92gHrWZU-J38cHc4NM~ z%~?d1AcKspL1)Wn#%vdaIh`nSh(9#qzCwOzZ{6%E zR6^hKj0iSBiWHZ_r{aXVizqfOES*bLkAd z9p?GaX8K}&1{%`AAo>G|wI+uzuRyBX78mXB+RfE9#E^Fs$%EJcg_gp!3*qrG#2Q1t zJY-+gNA)oeHIQW$eaz>0>i#&kQXnU-#aPMuSV(5U-#@qrt=;>LJH6+j?siJjOuEK< z;+{LhC-?{AjM8fbB5-cQszt$;_KJHGkI115lA850VZ)SG=YW!t?dhERBR_^V1wOx) zfBRBHp98FX#npHhnQsU9QNHw`m9}J9(K`d-*i$9Z>2-XdieXpVQ3hwLGvKmK2=bNEfii2B^1vo$RO#J=b;2PlUY+!{ULE;Ks7@ z>`>A(2I4-xw#D-fn8id8PA+D{aWVjuh@>@R;NyzekK@UZP|SWzN{pX$iceG4h4vhl9KGMO3_Ut%dip} z<3>y!p>Z2b)vCaZnP>5Qi7pZ4G{qkv%5~KbJ!`c9C~diHH{?xsXWB&Pg3;z_6A3b8 
zo2XZjZ5eHFP**%B9|SApFinEzb#E~v62aD2@F!#FR(s_&oY%8};PiG~2A4`IZgEf; zw`BlKuC(m*K`(dK5@yzc?Ea&^S1@Xwzfc#PR-Lm(?|cbS!`KgM_Oe0clOZ|xYVvci zOc9F4_1CG#xXOV=2&o{0=g2@F9|b~n&ic<|NGvf7T<$NBtadN3LIsV~9&uxWt(JmV zXh)RUvM3aMLDzOm>&t%@f*T1L#Tij5!yokmbmE4D1`*bBdUsk>2L_v*hWErRQq0d` z|6&DuinPyFZy}7?uJymq+IBaw9Cj8(>i%lZiAD$kM|?Z0s*dow{lkgBH~Zv&9MivU zjt^PAR`0W7fOA`P437f1YQd%1OOL&3&7hiQmy!=~;3&LJ_@{lpVm71RJdJ&ybF=_g zn52}5t_)qIY+SEkXLDP%UfC(BU}MNxSpQQXUw9tB&ieF$A^EqA1ngg=!^w4|X}Vhu zj^P(c1wBaDIx-Mrs>+rqX0tY$0r}+>W zj8DPm^tu{9rJtdRL!YJcPZN&~I_~%I3D%iy5ey-tm6BVHkz>A&5~~Dqztjz<7Uq21 z=p8@^w7>i`-RW+yFt4ym?&{jgTRV$fujM>KTRsvD3Fua6o2(t!mhj5yq$7)m&{=1sSA!msp8sV3O)amvZ^H>UqbS^J3KCpcDB zy5&Oc5u=8fMhq*EN6y_ok{1U=>D@m*cdB zqJT1G@o`(VfT#|J-KJs!RL1s6@`p^iq)8^t z4^Q4utr;rq59xk-uke3}94#FJ-`|)uCK0qg<-l3FRXo{B+gdMUEuJHqg;UvMLG#kp z#4Z}5!jBP`nMI?XOVF^$KmbBOy}w`t7Xg>jr%4=J1q3!K04>^7$mUFdNg`czuh%@f z+~w)9=LZ^rKtIpQmgWwF%`_1yrO?cjaH?KRW>33Z?U^M#IP5w43U<)WRXahI3;vxobMTI5JsiT?6dlpwp z))+?pNJtZ__sjQM2WF&aV1bhrw|Q1I+C0&8t`hnTT;_b;xOF$yMMU9G5o>a6MBij9 z#+9s?)XJ5m`J`5WboRV|zq$=I#xZ-w&SYjIT2UXBE0@XT+0V7F$ThzJI6e#UK9&?T zIY33vfGWVex7XVsh6cjf!*xv`$jW05AMvge}Lq;GFgZl<#&7` z>1A-fl|ZZIoqR|*Le0BI)4%Lw`elxPSJ#fE@lZJ6zh$bz*<28(R`HfK&=@#1p zve08_YW5QZCdNc%tOB=$vac&>M$um;+fI3UGb5%Xq_(q^gOro9M=M|$KRQ$8b0mNc z4(i6Z61ogI8Q^#i++7wsGlT%|K2np$!}*8rwnvGTK0eih1;Nf(Kyi+8AJY#gVm(9~ z&7zOrf)55giJE0=z@-Wu0R%eOllAMb;6aQcYNwZMAR(ZwY)-jy%9Dz#6O|IB@d=QW(6kvX>Zwl z!#w}lfNLWck?7SqPPgyG=^vB?x3Fc_CdV2Pb46$RB7o>9_g7q%IQr4l6;TCu#=@_n zJ&uEJDSmH^-xEjBwmKMWB2kXb4 zsBabsB28|ddWnaNtFfhHFNwkti@rd&XT-U1O71u2WQJ}_m*lgMRuc}l4_U%;U}+(d zGEydqD^G*laTmnZc!M&9Op@nN;s;R+=eA9|NAus2uaGBOt%ZhaTHmL!m;&lhc#0YW zX{CLrNrIrMs&+;AS6oe?V-#3B#AhZrk|M7K{_LZt2Dj`aSvc6PiCN@EAu2!~>q=75 z&b|H5a98)FMCi+qckTEts23Ksu{078wZ(<@p|~axW?!_Dm}`JOkQcm+7Bgf;z-1+m zEQO+$bc@JNO(G-;rC87?wmh8}86bbna9DN+**9q7Gi<>y{)_cZSe-R;x4bm`NPkGL zUz$>N<8e~oEdZ@-a6IYRuKdPrUs6AzbOy?HsCgkNU55ri`vewpFd^_OR@2qj9J=ne z*6!^^XB&U&^)w{lJ%K}~zLr)|9JE>Zr}h-|B4|xa#8%`X^3|D$?0p=8iG(FF^584L 
zeetHycMFj(q59J^UHv?`?EWj|?L5yHFq$%rjNZ;0RvPt=Io!Xd**9C zPR^Czb~H1(Gf&~R~vp^lc ziz@RM9$lIU3M=HVL#zcwUqaZ{LLjc?v9~PyQ14@u7CI<>ELW{EREH4s$!h53e39Z0 zEL^tRBu4gh;A74&Bd3C-)t;};+LXEgTm36tXayVfJEJJi9g}@^_C&!x3bSg%I)swR zX#3d1CY&80l3IzF8u;^-h8*swf-w9VQZ6Lin$kMQ`K*SNFrU9l&67y-jUU9bw@k>F z5*8>IvZfUn0;W!{x~$bu3n~YoS|-%yi!AI&YHK*z=mnvxrgR?M_fZU&ajs)o-QD02 zJ?1CX^BfX<6}8#q70WqS&M2}S(MmMETJCI8}=YpH*(yc-9ebm$HzcxE1216X@+B5FQL=1lnfsf zFXvG_`s)7A&=fVz|3%~#O|Huu#gHD_q4i$?k++WFt$BH59bu*V59-e}uA0sZnlQOI zzsA%?!u%Aqlrt4DJP9)ov^zOeHCf|h~)_lkDTodz@6l(apVe+4*U?k?Ie4b;SDX( zX^(A>y>rtq`_f4opY?Qlo1_PY3td1=ce9a!EPkFwFXzd46W zjv&kKmP1Oxbs{E(+DS%MRP)OvKSgZhc*h6=wj_7I9Ge&UFxR2lR(}k2%VEJ``^CbM zoC`u&CM72!88Lw9L57Dnl6CQ8EI9zLs>Q2QW;iP}erGixHv6`X0^esfOsFkmw?KsY$s1gj2ennZZM0TH)XJRI%TIS$?cLv$^Py;W?(gmcC=*plcUkC_-j0yOWqENW zXXO7(Go7uKkL!Ow`W!^F);dv|DUT<1V1EJ)F`mqlDdA9(92J^Tp*o|UpxS`cOHWaV z1Xm9R;-*dWgdVUuOU9;#6{TB(qx?7ewUioJP%~QU^ z@G@OyA2Lx}%Y!NOYS`==;PwzQ_12W6rQR23&lWeLmrr~X`wpefa=bIl^+5;DRJE7D z>~FsA&)(aDhMT^=gJIsj1wlP?=q{W;Xplpqol7DP%JnQU;s@eE!q0wWaSuXq@%|fk zz^MvWDd-o{Gx3Ni07QO=h8}x9hE7t;x?^7V1U2DZ|2QbdR%Q&2ht4msa0sEOI(h&e zmtKzdl}ejvMm(MgyL39|v4o0>ESlt6)LfJHwK@bgFySf?K&3Jf{@wu^$#=Y4XPK{mJa5(iC4dha{;XdMwUD3=s z6pjW3{Mv{YJQSQono!*EUV)x&mi@!28Rjm3uA-myP#{ zz(~lg+nglbx6DE+JhrVWJ;(H1=>I>-^@i1`v*z~_5n2Q;t*hRAV*`YS??P$Cy4J!O zo+kXk7NG3|)A9bS&4pV5Bg%UK8jk_6pg5ci&fn$lRnS52ueu!nYJqYUm8{4cvM>7` z7Cva+3<#EYC)o??%#B{MJ2p&gF?*f7{o5^nVH2zz2&H$-_C;4i1qnfK-;=;I4O4hg zvb@;vq!%|RcE)1c?SajUrODM~RcGvM;UOR`;C3p?f5*!!w?#@Vj4Cn}0CEVJ(d!uk zmhOQkJygA6YCcBq)%0*zzQoY%`SnVH<9p0O?@f|V4Ezq&(=e~RtoP~(fF=N;cU_|= zus6gY6C!wj!u>?=4+EShu(}`p{fpHkdwL=WyGT%A;I#Kl80oSSRGUyT1KOROLS|AS z8$ZFkSH-eIz5dR$2BE`uxUAM%<7C+L&z}sl&scjL=;hZVWHWyjVOr-$Bb}?ED9e?= z-Eg`v@_;1lj?ygVvT{FZs>}`|B7wgbvxtL+1Z?xwH<6)d_@FhHpm>MiXHR3>|ty09yH4Qd^)S6`pF!e~A`itEjU7v0j zN}TKyEl#`MAHCVw~WjU37v z2qMl^S4$k9_(dxt8FKyPuO|9)i4$Y_E9p?YmFYP0$sPJXV0LS^Q0<7Nmq?sV5jZGa zKKR42BSz%090=K1K;#0dQT&G&nKc+O#Y>Gv^bvvt^UdD?J)nSON*h$e-lqtU;dSDX 
z31F->5`Z@?7!BoTckR-=$M&f5Y}o=u?fl7zcXyEk|2c%^hyAP?_5!Ex2GcN+yg&>j zbSgYZ&)YW0HTZR)ePePve@`~(mUS=M<5P{K&*qUR#mex2dlAI#R`#3~IsxEO!~*~P zNBU^-$-{i0+cE#jlA&Ljj|?fVQFjR-Rk0_Bi1cG?twlZDKTD2{|3^`9W6O`TK~hv= z$i1T+^yu89-5MDyKLmb(lC`=!c&6R#?STg&>6jL#^5Y1qZ#b$kf15G zXaaAW`)!hQWFRByI7*kcL@KVyS~=Iyp6pyK4$=*bdlx)T1vBuO16u#=Iz<9(*)kTJ zh)l<%%nR|Of#>1#hK{+KnXxM>db<%`2U(qlqiOF_K1q(FVVoDe5JA8YtcF^S+Tr_j zw17K-{80I3#m4#hH0vyJVvjRM0_#Q7U!0<5D^w(kfTBQX5F2gc0zs@N^7X4FR9Ff-vTRxVIjhgOIlI`~9Q7dGE+B&N7p&#~ZZexpH5 zhy}0?5#Owrm3T(-@&NX+6qc%Cy6CE5-bm>ElYeFfFU&jz!|QJq^c9(ElMJfCj0z#k zZIA}t>|MBd-fbrG%e;BJi0jk6kqK(CsL9`FD3&;9_C?|wBSEz4B3jo zEmFvRPfEDLbTkMEzhgd=9r2xl4(%?ovf8bayVM*o+pj2-ZA@n%hH@MaF*eaDRxIO? zW=ry;u0wc0oed11a}kPKYBSVfU&?3pbpclI6XEZQyP$zuIZbXrwO>}?$Q9t}fF*h8 zCFo|;4xZ{3P7&QzLeEOYvZ10Ff=U*@#A0Jc{`kTN2!FD>W}D&K_RYc? zvT#l)idk+LhY)--kRI?9qKa;j1Tn}vR@rZ`$TtHQ^Lwv_`8!2=0YG3rmT(dbC>HBq za<>|Az)Fkp-}1!1CsWKwJFoG>EabqBqJ*4u%~`?E2o{f9oU!t1n*U3_iOIX1>0y{R ziU4a|cYib!KG-#!>#-n?Y+ggc$y1c_aA4qshZ>Q+z=`aOpIB|p;xk9#Ss%hvvuh{% zuiw_3`$Vuwu)%E?27ifo6pQI}yAVlURqNXKKZLzE`u|m?#b$PV*3H2s4uYYwl;+O( zIGS38e|5QRD;5`O!=G7zO=};p=*NoN2FxP={NT5v9emLj|G`Mjt^>vFsX(Gg_?%R2 z$(`V*OeIo$PH62h8`vp?VW(6HiGmiGX8~y;WHOaz7TKQyb)G4OqA8CYsS!ZiTX~I^)TIKB3V4)eVwEna&3>V6r|NKc4d-&^0BNAfzkBOs}=H6l;4c3 zS?Qk$GSMJ(>3ky7(PXg%A0V<=ld)~$kCfoR4R8k&vdNFO2~gV+CwyOAm2qxDLkjDD zCgiBMUzW2`oI?g>mYm%>)vy&1O<*R7D4`%a|mE)aW)MR6=0Ey(il`u71&a(h=+%X7rFor zf0v43ug*sTU|OkDhGA8d$+R4lL=jon`=#>~lb;AQ<+VFKHB~47=1Z)9*jTCIG}u5@ z^kGnpWZdoAg!ILZZ+DTfOQ4w7lSO3{w+g~M-ipnClNef!GD1qU^#k$QnN_^RGzug& z{Quw1ddMM;2xC(Bfv>4Js-{7HAp$Yr5itKc*wu+>w~8M&MHcze#|iP$ z%V1Lhjqx3GI8sahxxH3-o5nRKQTcLv4lKUmfq!nT)7ftzF8`+I?M7?j5tu-7BA=#Q z02<`@GC_j#xnIF#VjPXOcOQExFXKhJszQP=fto$hIbv2vXw+|&y$60)F{m~3$$ z!8-jK!ZFR3If$cKo@w~&w4*tNgw0tN*+6c8)e^i72dAL$gTx`Y3WEDtquF8%8%`!IzK)Ap7~>X(%GPx3H&_X+z2Oq zAXT!^>~{+#aChv07koI3MvmCPF?fPDwTw^Xwv{fQriWCRJ=B;pIWTuTI>{i?UZ!Fb z8h;~Hn1{>Gdc7kq7hwXg*KTf`Em1T9mHj>IAXLJ~%s#vkqm>n5&fF_&&FlSbXm4lb 
z=^|UDgX)jWl{j<$$S)`8Lyx{7bl$somaD9@man@q34{xU_|`iBS{}zlZ&K3m%V17x z3)71!K&M>*ix!IrL5$N_7{!8GO(pj1sIX=VDQU@nQ@|5L5yd#*ziIal<@`(|q%KoA z-FONnReiJ=Fro)$@4!G1r`zH^7IVhm@W&wj3^PfB=W-TGqoTwK{pYhA8+?Nccn;T8 zf_|gCKILdD&2^5JrxUfJ=kS_w_y6z%gZ*X<^8~eQmZCr{r-&De6oT_q{#2qsqfY~0 zFQ&}JS*Yku7qr|3ATVkR4obi(0_N<4flqM#-||O{K!pYFW@*NRN0>;fA}(kV#c;vj z5dvGs=4o2YxUMYr%@Hw}a`6Ub;ro^Q_ylFK1L=0{UDwG@bT}NT1)>z&vYgR?aHd^X zTK`Mf0EhA;W&2#;&KT5a<~$7XGBf@~knufAiQH-JevG+s1%pM3q4M9P-MAG*=Hmiy z5E4BFjIq7Hvxqq;^i&3egoDwOv0xcCBcvg=EF`QWlpsk|i417WqmwlE)Mf?Y0%Rw zpra^%cBRXfi6fm?gBvls8`4$82)%Rg{QP&5?15TfYQnG2PE(+Gl;nH)kYVmkgG{Jla;K)xco$sN@@+DLzuhH*Q+D|SAlUDGm}tdIF!?iXbuU+M z)T`3#+gs|zy4p5P>T4ab>Rkd^+Zq3lssb!JYBvuNtIip z9;j^XLog9^HG&3&p&MzdY*1LrLskF6BvA2WH2#LXk zLa`Wt9m#*_xIMp?p0qTk6>%zX3OET2TM#uLk@@bOEJZ-_3Xcf9mXxf)j<`Nnj@KjC zAdM}M85@GGIPhdhyY)T@4&#hNDOA%AfhL?6j5;$@vI(cHy?_pt?q3!P~T?gQ}v2}K1JeI`{QECLj^cGbN3x7pB03< zm#&V+4+c&O5VU_M%cGxI*!VT&mc=0M={3h8OI0H!CED;yw+UV`Xlhu{3(MIrL!4<; zYFE|iO~a_@fFp%8j9@z}=EMG~(L%+TahK!Sw(~QPvA2=S>97=P?m4{{F|g5PWGCu; z_TCEYj`D_2m+umOI3Az&E9n-+KDyH(>;#Yj#ZNIW1yRQi&e-q3k`sXXm=tD5*|Y?d zIErxK>)HWe&zm>ziH;qc8h|`sj>2K z_iRF7+feb|K})h;|Mc}XpChiXO^i^fwazFtLk^u@l$=OEIiM$mX{E}W4xD7wa zzrt(toc^t7L$M#w-e44Ij4l)yac>9{R(70Va2ryRn-WfP_eWG#{xVyecF-jN2R9I> z+z|;s9f9Yh^p~d>aa(ig7+j*>1l%^6jck4i+>GAaC%a&>p;|fZ08Akg=ve8MClF3S zdv+esqR;7GdK>M-EHV<}oqdo;NTubrA<5Vq_}1I95q$B1})32aW))oX{N%u0fE?y{$BM17Z zPA54_sD2b%Hdd<7}yM#{M(Kk-x-}XP&IJnAJ+%kc?%UB*!VJi;yZ`G zn14(j(x_BJsWMCo~*q`UrN&v)!XVD+S==+K8GA zEmosx4IBIoTn}TI)hn@#PPnRb1K&U+leL>~94F;h7(?N$IZGl{OT|BybBKM}!yXHd zQsx!*XLTlQvz`Ex1u+0o!6FW|1vC}SPd5hGk^PB2nNz^M4MI-O87a#$Z7PI}XX;`w zTqV;)=Le9kp`j8G*jC4ft=l3Zweq5eIrwXK^SiI2@ z3-<}pqrNg+yk;csFVLBrPQ9@<4y)(rw_U8n-5!n0abXXqE%LExVmtS>Is^ua8&M6K z96mL@UJ%b-EYSCogAhPSz$^yy=}vswVQ#s6PeuXZiqO&XbaOQCD-v{wVgla^M3&zy zQj5_-5vM*Q%X2objM?U6NvHIM6ssti~##M$$dYcbNNB0eL5PfFvt?S}J#j!et$ng{?%|^qUd<%8$Z;U$w_daO9EDF^Zk!&LW>WmX3 
zO7hTAT|G4Ca_L;_w4AM1$`-F;+hN&4LB+K3pxCLWzI3&GW}WAM1uxoyQF<(WS8jJA8;m-p1N)V}jd;2AOnN(#^T-|JrVUId(*#Q52J1FQ(}ToC|tVU)a_i z;4#M-XXWPhafP8S+tv_Hma2KS9WQ?AxuIqzc|}WDx*uicf3g|j05#{hCkj#^!Bg}| z|AYWbKg+gR)&!mHC$mdM3r%8a-~W++F7eBL(_~8{s{>nloJ!ls7=BP}Bt0<{xMNQ8 z_M+n5DM~D?WuVHji3b|5GYcAgIQz&5roY~Hw(4-Neyf^Byxx!}p*`BnD!lJG3l|!C zCo3YUw%Pd3yQ*LdOGh4Nv=0HY8ZCn+nYTaw&=!}JsSo!sMCS?62V9V+ShEfr&i5n8xj zV$h_4?wBr^4O!D_8od=&R{$xM7+Q7n@KLOdf>y-uq$WXo>K|Y+ws|B-01*)jSMGm; z{=Ho`#1pHGuzk?&mBc1(dH@6*=8zL3?G@ymuW-%s>QzmJMtt3NOH$I1wv;=a7-AaA z%8I^>!5TpgwlGD`90!@RZ%rj-ZZYbyk{BTqNL%6mGaMokS?!en?b^p&AIR;3G_21N zLn8gr(WbC6QRvOTVN7}0#CHL=)dV6$@jcZUYV{@Bn6#w_<*fRaZbG%peo2P^WHU3s z-8DiN-5Z4Yr+r=vPDD1S}_lc&{=F@ud8O;Xw6F)2_YMvMn~ZpXT$Z#|V2rWRgUScb%Th<3rQ|b~M-0RP<0?(K`dlvnqGa zQvprQcX>EPpX7P6mEwT2)v4{mPN$5tXerDPFDWCHnp83GuaW$jy=@Y)9Zw7&#}G6g zrCB`qSCBu7*s!}+{k55KlJYkS0 zY61jVx+YfH(ST#})9k$2Fc%W=&D)>0tJ!F#a#B}PL^6}gg zJdUaHY1TecB?DX~q_PCycIIAgr*5YIGlHfv1VzuC1;UFeJzQQ0} z@Kt<2LdANW@4{O{>o2$|d09gS9k7QQHzOL3&%jhb(xlahDNYQg|{^ga{JTj{gkUxJG1HIS0H87 z?E#7BaiRz~I0Mu0MZ941Vh1BmL#q!3;JF7=1ZSk?yBCaRV-VD!M(i*d7X@qt#?t;# z!PB2$;OM^{iHca5Fdws0du#5%=d#%@u;}OeQwnK=LTZP=W|M4?zXM!`c~o$eH7N9d zZHNfaCt|zZaoj=1RBFIc9q|YKwLKG7_=-FVwX>tZeDOR~agPpz>Hz6^EjS0EtHlB1 zf4=Ys!pWx0wQMIf4VMh`@w@soEt3w3{BC50PMh^Q7Vo&9e(dKu~yE@+TIUw<6|! 
z#XZF!OzlamO>x4)^+(c};r>srNW5u+UPjTrEbK0?COAx%W~AmTKFIHt`W7fok`Yl* zPb)w68To!&$5)&S;dQs+43IE!9lpT92mTM=&rM!^C27^13*wzlJUg&Y&7-{udGvnks7XEsAnD|pu2YyVrM zEubS95GHV=Unn-(4*2mRl(t+vS$A4^ah?kMmABqSW0>GO-%ELG@I9R)6=l()`FWAP zsrIH~G1eC7zPyFxKvFi)UG*AEVLjGGW~74-EhyJKk`+Z)&Ha(kJ`uJdMsKmCRYpLY zvQaBuy!rsE;lKI^a3(XS4nd)-S@|rI@__Hmt2tU1B5=Bpsf9voi7@y=9v-#W?cHI@_>$@D+d9fJuHXefs}E>SLwzp1Z_-y z(Wv{eYp&n8)ht4~AP~^6y90JEq{qWY$f60eA$Q97sP2<)?*ND{PJWaN!+c)t$H#+B zXX^uZyzS6!7CA3o#^^AILG5O(@|BiF9B=h}`uTFZr=sZ^yzAtXR08s}{Z&vl`xXHY zE3x_7r(@zk?Y#Tgpm{}SD_EPD#vJm=3{gND#4t2CCTfT@jK>hsGa8CC)PPKBF8-iR zU{3-PMvkp;Tdk7mhkgQ~dq$9*&KpZMlte#Zqs*PEl{2>vQ9dAT>TJr2?3ZB(y#$1o zhDfzjdi@1l7>y2-@P<#8k{8?UPO;bNTXI@WtM&AhejdP@wvgIPEJ z5=@=nPDI!j5LuzgWgQxmdHq5!eR{v%nEXCaoKfG9TN;^nqGauQuoFW8R{KL0y z{=}!Fs!1ZBT9=SmAl5qlza^DvXm%#~^N9o`_iP zO2;G-b#rBjdI7(pF<}4%CzQ+JbdWGmu|qdELC-qKWG1yWGiP1}MlV{&o^X?LFQ*CA z&g|)==nWJe0K9Nu2ok}NrGb8a@rn&a+>^i{|6s3L7a@HbNHnWC0As|!{dE7fXUmSM0xX{m^#5C(ZyFEX^qY1k5EfUqK!r} z#%FbF6xCr1Mx~O;_6a#*%a-dF0<}^$5kNggsBIu6v~Qqz$3qMD;D?vXDnGUqu$2v`%j%p#Ke%e z_UflyB+XB5uuoG4YTJz3E3ULmnOY9IP_|^+anH@g4jRT}09W^z^F^|5N-;xzOXNul zCv7-?q~{V|_YhxBJJG3#=W7!S2B$ubq*|}Khm4curgSg z)58-O$~36fW2BrOpgGG{H4j-eowU~CQA6Tk1&GforVNkIRIJN!3I8_Sr$*Piuu55TS3-7yoNf{T)ln7_?a`5T zhU7uRJaUzz#rDPH8aU$kEy99DIR}O}+C`KCQG%f4v~xC{j1U z9MGND*}|*>7N(gW_@)7X)bK}`ra4Q_T?^##Cu+8pg*aBW^z(#Usum*;>!r73Wy}@a za+D|?*}i9jkpQmYxhgxVm?)2dF*8nYk!IwUqG%)w^zjUA7z+#TSxr0WiS?saY27Vc zu6vi{Ztq3-tNAj)0|vESvd+V0b95d3P}~X*Ipigdn;OVGj;&GYvc>tfL=tDrys!@q zC2umVX4m}^IH-ah!Nu*;J2D1lM+e7f1V$L8Dc-iym!j_xyCOmCJw;tON0PG z{oG*o?cQM+6P$1=y%4`F8%f-{5;%=qkeF02j+?}Mik|){&OQ-j3hBzIx8*}IPrcd$ZG#vyy-XEBeVH?kcQ`C+A z+ivH;?9`)_LxT)Y1g7a?z#Ns)y>~lbfusWIzSbhY5O)B2G0qDs*}v;W74QztkR4^O zkl(#?zw8Fz4Z$&+iPA6nDT6hmQaw@FzZSpMZwAN>->F_hF7V0fk_T<$kOrh-g@=2G zPjL<>^zwp3j&o)!!*Nl5-lvtoWsX1)6gr89M>m&RDdY4ccV|{E{qXwfUEI8w%l%rD*sJ8szDy>^w$`%L z4ISW>V}LGmWwMeAihd&gikpVh`oxSlWs#b``vwwqRW~Lrog%wM^SC`#4+MY4)N4QE}w9mDz zyJ{_Np>)r05roREgFYR4N7KWW6 
zb8-3@;rLD_>n$vCR3(IoXG^hP=00V)FRX9WOpZ8@zEq7aozfT!?q*SvgslYtJpIzV z!-so3^=+u0RNgTnciI=xYR;_m-}!NBPLPj#W8hO1$r$sU+<%Bs>{$@YcsmdAEh4Pu-zCuC$Yq z)aX2g0g&cE7RLu!1s;;GsIz`*(Ei(?)^Z9l8-G&Qf|-n0yuEP4ad!19<~d+YhPk~) zS-F)z{6lVQosJ;+&g#~ng2%J!v^IKK zjO^+~WwB`9U>f7%0qcHNMP$Kj^S}aYPg|g8_`#Ck5hHma-s~b^*VsXk4O!fnbe~)+dsU6ubIl{^?Y(&tY~~Y zdRnkMYSB`-Vz4)I8%yUyMb&P;;?+Dx_PqUywYyo-)~gO5y<^uPNk-JfX@KyfYUZ)iD^7#6cva1 zAy)iA)T&W$U@AsZ_qSeH4vx_>>(*s)x1u`He`2 zVLmg+zH2@td&?>mxWPFUTc~?=+u(84od+`Sjhv=L(%H^9v zI#D4o(c(cT|6ddn7$0=1@#FN43dkem1C)Q(qAz@39#;3oy8fByKQqTpvKG!3HnQW? z8uQk(Tt|;DkqWv<(`_2UjIX^*2Ft<;(2)0Bp=^gUv@|XPK%RpWR_&0&lhkHSQg{|p zP-uPJhC4cp1`Zx2Lj_4+*v`}|cCjEN%f=(%7)(;w`&iY*MC0iw(3USIo6Z2Sr#1Ou zB3Elo3!F?`z@K9MEQx&?_R)ksq%t_`B1+uzVVdlF>)`_MT%4))|#!P)AU~IUxI}!8y1iM8Y|^s!13y z1C?q8evB^-JqB)kq_ z!-<-=hZq#I({owR9D2EAR$1+OF7l+Xo&ONN6KRkM%0Hely8qm}0P9|Z26R-cSW?~| z-^s6XqF}Q3V0!@{t`=WE_vSYo4(Mx^Bi5B8dcu;$w^q3d^?FZ| zXuZ|THlkqB<3OL7f&vV%!-yPIl0wu8gx-AjJ{zW>NBIBFDt-X_pQ0@`s^i`NBkrs) zvGRbR%+~P*;XjSt`USArJr?H=33DQWuRZ$Rf=44)7u-hf@!Eo$_oBUUYQ?EA@G}sU^eHd#Mb)Us7BT!c5 z;8jJY@I3LnOe}a9KlhEItEmKqg5vF?A#dCv zq5X~OXtlfbuC4azC?KRU(|1Z*W8e!0;;|ti62FxKR3p$04OE}q`ta@hSg<*rMXE1N z{HA1c?Ke)~4IuH=e)fhyidzJQ3cOiy~v1WB8xHC2*BJjp|RJpK~10evIKAVJ@x2~1; z(@8amEh++NRJmEEiKPwO4i*pC4o-5}E35dmCO6eO7hWsqa_7k0QNz=gR@et6X+S3m z8LYU#LpRY5qDsr467YCq?ch+eX9Vf~CAs-hWI(N7ERGDFLptS|vkjrc-P&8(6gv=Y z!D17SmzX3E0 zJ)F%Cr3>jPihR~Vj0{82g!~vnpKBT_QU`xU_aF;MYy0RnNk8+Eb09(3*YuMYc5OnL z%h%(@Hp7it0VmZjcG}KskL)-)N|+2l!a)#WKobV1T!@J*g{nt#x21o>RD5JA$}bDE zfd_G*0ECci+@LJ8i>DMD)b#!m3#R6ePOmGKE42u7bl};9AJkdr9rAXPCl_7souWiakWzsT8IM zP`1y-C~!$sU`-)?h|mV%vB*?;3pjHbV7aI==a3LYuxoe&*_QEH9)({5#Eo&wLI_jw zHqyDCD7bL6nB0ThF)NCJp#2%I(pY~k%0`7cL0h|rLJ_)LcjR;L;z2xU*SM>b)e;ee z_fre!G2e*VAR_)gaC$LErY*w>D0E72jNuz%Z-}1Z>IgkHzbTNxyEd!J} z(#?4WzJyeafg(0;o+L*2PR6v=Rgn`b(e*#{Bxg^#6XM^_-4L2_jWu@z$`sNZj3t zcptqW@z(-Z5A3DJngYk6+gDVqTM=X_CUBL&EBn=S7FT;J<~g56o(3JUH_UBEY$c#T 
zv(@tqy!os?;&n`8JrqOH?;a-pZn$#YE-_r+a$B(3UVX0DC&ObRGb8=6XeG%~`9c8uLvSk@kjy+UpUpOPviDcBdRZ7Pa5o z^%i4%rWLZNanV^=UOm0)>)9XYWl__plam{FM`tk4?3*Zb4pn5#_%)fscH{!gWWcfD z$)*+3F~j1)a#z@fb8fQKuid*v(1IyY$TH9c;Y*n9OrP8LpBcbIR*cMx50IqMgggzY3_-;0zhvp1V6^mq?q*pSL@my)HF5{VZfGEoyk^j zR#B{?8wlB~eF3+K8wMB*ZN3uES8qpn@7&##_%*I(mocob5pNzTaZ!?7=FWH{sayg_ z#E-pVn4%i&WZW}`ZIn3s`S>?!o}D!Q{IPQ67Wl_X61Plkwd+TiIbdb{kR;?YcC5a~ z|7sEac}08&eRp%^^e*G7Um%hME;mY&lwAB=;(ir%%s~{bZWJg65^~D1tQ@*8v-Q>b zYF$Yhdt3Q29I8iyoE2X8MMuix8~5}~T5WltF+V6e0!`f;`B&1V?l0ZS7)K@>f;tTb z+qV|_3^%j?TJe#2gSZTRuSV5uhZ-HyzjC6>ncs1cT^RP zR;^%4k!TmPY+Z`293~mPZW}y@vu`Tc(R)^Xj?8qCgc3svJ$DNMA`hOKK_*|Nv0@)5 zd6py7cycVueQM>X<;{Yx_{xOT@XWa&b$~Arejcc;vU-39Psc)ED%F1y?9dm`2`QpO ztJ+83+Gc2T0KA{bqVE89Pb%~;sqSnS{?&iY;^o%5AwmmeUo_4`v4++XSQQ=@sK_6> z(Z@gOAmhBt=GbGGNpt9JUZnxb(3WWpO9121$R7wMZdC+ zlRdifsL4R8{GRAJEKHL5RrHLhzL>9Kp?rgaP*i)v*i3!Lpz+?fw>T%|+jxS$fd}ZB zlx-gBpqL$*SKfa=-gFUXgxId@SbMCfQTX9o4$ML`sNPLSaLRZ%)zm3q2c(La7@Q%9 z^+g(py&w>LSRM*a22ms2jv%v#r3d^+yYdHD)^8~H25{_RASUaD@fK)vdAgomL8$mI z*zb4RCjbHi-7pd9HBArm!wblp_@U*|Kd)HxhC!&*Qh+r0J+Z?TU?<>JFif6SNuRu{ zp5e!$aCiXu0vT-r*W_Iex342#SB8YeIm5J^^_&4fgZ4N^3qzU9`r(W&q_0r@e-6y6 zVbC|{t0|r%jPDf$olTi-p9a$sW*)n!Tg#61;F(>49iVqAmhJWM)GpaaSq$l9qGVH4 z(Tzgrab%!#7rcgSz3yasD5opPrV+VtHk!-J6!kn%)5Ub9M>Oow;&sHRFYAU~h%AP! 
zEwv8MKC}yzwaI7L^+GHU`JrWW6pfm*Kw;f^COO_gW+9wkOI~;CNfEE6yN;txf<7eg z5x6LJ=jEIIOUqpwidaDXLi!8*ga&419L@^wdYx8w?NJH6d%B!AK@pu@_U(L(ETz1^ z=_s5Or1noi;U?Q@!Xi~O*Jr$%7LwyjcAfk6B?Fy#%TDiY183V@=nZcEbfj{TyALnp z<4w*xR>!V9e-#-Y*wR4}L2F7gN2kuq@J;d(YU-IYm(kNG=}@9R!WGV_7LO$(YM;XK zP3VXp73J-ZzyoyC7G25}T-P&aOU4r4{&DR;k(yAV_f|FoNfJ1nlJISqps@yyz36bM zY5Cj%)}(NF!jC&Jdu|~8nRJ*kjMANjt9!%Cy(ipV1||?np!CEL0P*!H4??kOA9kUY zo(NB!r3zULQ#xv8TDAUuy~A&q@%-BG?h7%zW-kfP3qgke!;YZda<#_Dd5a%!dO32S zfmODQhj>*(Ssn-66M=4EFCMLGPZ1M|4H-NDBb0aBZ`vxnCnOdL|quiP?I2jR$m;1pUw(gfODhoz3Go_MmrFKVT)`pb@szy zd>fggq{lDNKX#>Ao9E8_h@lEux@Q(6?wJxaE~0JZ*km;FS#**#ovLn++u{l%(#Hu$ zs5>AXSB(qEUn<1s+B|ZyLC?FJlm5BuTOC^+ByjY!H)C0gGg_=D!ZHx>o#)HP3hJy1 zUyok((RNQiy1+}ZBZs5jeq20eGXw=CLBz z`vd?G_oyv2gmRRVwd<3*^`S#*t%EBngpb(r)5!}N*#f; z<-@0x4rO$mAqRe3Sf1{bpfKK8QHl6iD(EObeWgLfK(Toebe_VQu zB-lUYt;L2RWnGGz84Am21F!Rn0Iz}9Em3kk!D1hF&v2>Uh`Rmh$m zTM~}4$_E>Q4@*lJhefJbnS7uRI&2v{aj;&8l5L1BEKXq81y~!B{y%Ut6fHyi)srCW*hubztx)&Ckg8G&y4l{xXuyEs;N3|cAQOAy8wG#uqP!?z z6KO0RNP})*GPM=bHZ6Yo!RDT!yjxspymAHt=E^%A6jw&A>h(VDr7A&>#NOBNVH=fPFxmPpJf-~F z83QS$W%IqLH-&JlPO|-$pTH;`i38G`l7p3fY^sY2GnT}kM|v|;X93OSVFk@RA7S6O z^zIV}-#yK5zP!1t$RUCf%;p^BWGEFEPmq+Eu?8OLKu%IopH{(|YzKu7N>(<>xdQ28 z(;a&JjzdnN8AB$Da#B5@YGM$hWQ!4d!Gc&R+NJWvwAt+Ngpy?CvQYG0a%TmQjUi(V zN){GhIOgdKc96!4$KZvi+Ev?1zDC zsU#u5ibSCYkXk^A5Hm;$(nZh@6{x7FXCTrq1ZEEl>o~1^p|eNMo3pvFA|tQ3AMhpQ z10l(Y3!$hW5!~lA_&N*6SwCrqEtSrdtI5Fz>k+0zC4FFRVX3cc7@y#o6EquAJ_{7i$@3ILHS@!SH1ez#73)u<&of$ep6O_Xf*S>xA(b{ooMy-ZGiSgli)X3|L4))(5z|YSQM~bw zFQcS%!jhyfNTd<|=*QmlKH9*f@C}B)b+}MgO9odk?u|Lj3O*i3E2H(Ht}w#jx7{tK z?Hyt8#b7Z1j%VuMb18?t+jhiLZ@I_KPCQcxQaMMBI2Mn*1P|BKQ$@@$rKX=>I!522 zKYTLp%V=owB*yDcwSIp$KztDAG~2?5HxiPb55cC-2o_*7qzzv zwFQs*xR_&1W0@rH1*NDjcM_F|^`?GWPPm@ZbcljgYWKytQk4z@p6*XAlt6@7dDA~s zUC`ZW<2f5gUwhhW%D}DK-?B4Z z$5k|I3#y?HdU=@?f#2zZ z-{gO?P(Yqa7SKGdLA2xM>=sCeB%PLRjq$(t{f}6Na0MYjH%#K)KCj5UQ)* zWSRC8yX(2#@9eS+qUo$WvhY*zbanlYEo1MOS^<{wG^F%G`TLX0OnKhB{V8bQkX`l` za0)P4P2niUrftSfmyJ%kaw)TagABTV^W2z1U}Dfjt)CRLe+3& 
z@=_%Hq*onims#+PXQ~2S0K~6{*%ZORXocc=e_DJYsG6`@hPE|}V2^HbVq0{*#!4iLpdC3A=t9%Lsn zv1-dOf@0iA4>OJ=`8G+eO_FE9qQ1$9@kS5grwQ=Ul0_Tu0kRf#g~ZH=0Y(Ts&TLZ# z7IfHL8Xy?}yQ$rOMiAf$;A0cdO7#=?;Hi$>qzjQi;}#z}ZCb33he`o3p|YAk1PSP3 z1xoxuM9hmmCip69RPm`nw6Vx*Rolo+5d{%I2sfP{w9OVS3mP{dx3BwNC8 zuOZaq?l};f_;@DIggLx-eI~*8Ac|g$$LFN;Yj&^i`jnW!x>ed>_Bo+w^F$UmXbjJY z=YS6~cr&EmzyPewbsZKVE4@_O<#mNbsJ&5#A=Az*GzZwPZ+JUGB$BW;qA@ZQg&1MN zpA$70qmw9fPy%G{77#+MK8Z3BKCnSOq^>XOd`TNK5fj@i(Wm2>8!*$g59z>fZe&==gz7*mgU zLs=r4*(SPZD1{Y6)AxA!YzDqZKf_VObcXZdan|+Xej?c_bI1KA4!xNj#L_VgC!0|AgZTz(=M;QAK zWU@z=%oPu9{luj5-F)mH9{e>WaR+2*AoMc4u-$ia?<#r;Y#H_VIu4O$AS6d&{`5hO z#jP=CuhctCgoln|lP7M>XEk*?uRn6gC z95~Dwf>*by6~Msg4xi#Ps}?$Rs4LHrQMZLmY$}L=8MINUpfJ!9|GeDqb_J5EIKw5|+JUzsAP&GL=YC$Ix!G8d`)1 zv6r~bwHwID(p#2PX`8XpZq+!%%hY8xR&-%<2{hA&ogo2cYF20Vr=Fq+3Fe+{xg0ul zo~1aWW3kx8h?nN;N<+Z|rU(!s(D;Td?)cV_vo%p4CP!2l5!QEu(FND$DYsDyOF}|S zg3FJu(GKYbNqa*8gpU$TCBpv~=a>c~M-UvKC2KP{HexZ(5|}s;Wdf|BivxoRB_<{x zwJaFJd>}ysBZd=7PE0~-@y0`7K9CTpL8p%l0}3T5Cb_VfN$3Dp;V5f~&Wr|zWg+?Yh9P-R0Dx zsgjWG#(`)KZ17D&^Zp*iPxHNrkD2zuKdx+_)o~rK){W*T!oGP{#aQ6Y_n~R1SIUK&$&}B&U?O7z>lSK zzB(C_(}IQOP_ZwGjSZf@qQrOuOAK*0U}iRk086a>fgu(YZP_H$@l{SjK&O<=U43Kb zA4MVsEV0wHNSqVkW2wJ&-Z?9?bvXNyR^iMn4#?xh2cCk!pRz?J=8=MCh|H`AblFc* zX_?ICgW}ZUK6VYt@!t6>uwFPag)o!w5!TbrQ)KIyye&ryZFpjHTTPRWs3Io*%CKX- z#5gN3qcY2KBnp%#p?0=aB9o4flWLKk`_x)5QAbM$W0B#gaZ*zmI${V&m4csdB%i(MXs$6%or~NwDaLPN`e3x zIS;nb5AW5q*Hy<&yn7;4uPhGkH8o_bJfyIi+~2VL?X4D5ogE4gsQ_rH;2zO_7H*UR z7AQ!v8b`>Lh=6UkZg#I71X{Sn6|fNtQbAY`J+2`ccN#!Rt{Ai^-VIX%xvDfS8<$lM%Qsh%djcr+mgd2< zT<>AO>6(n}xlK+mW8`vBW}=?vdI$L%KAV~=xVKC;nT9ck$PzG{4whp85`GKInoUv8 zHn{k@$i3J`Pdex7!o@~b-31f|lx7_#kK%|tEGhmj|k;#gjm3j-M6dAx9 zEnzHxSv6RN?>sYFmHZh3^u^6BG2%n3L;Jc%=p)(eYaKjtxrzrOS|A2}38dw;z!f!% zbXk_YcN)yzO@kwoG?;Wy=-x`YS@!7OX)k-@8+Q~mB;C!<1RXr1k7kdYt;%az2^PxO z@|j74S{$l;?NYlYPVR}OG55lbP#6^5O-6vsthCFksz8;qk5{bn@~*wHl}nEE=AOGC z*qS(Rx`WH#lTsBeMw>dDUq#cnu$>N2ONAouUVAVBCcaA;S-u8&2iE zM2Xf+J3xC(i#bh7OPhpxyz1^y;+nNK)HoME8g|`ju{1Z-`_#(mk 
z^1bFZ6kNFl84pP5vqZ>BT#SDQq>h`Z&Si2|{ zmrc$?6iXZ-^mkDR7rd^kZ{kH@mol6=@VjY0mb)h^P9UgcXTn<0Z@9em%Wq7uI{8EnJQeKIltwW#Wj4?8 z+b+%BGa1xaEYiH;2nscp<;;(ovz4*0>$Sp;UN^h75yh%KSuWN+pM8>tPSg9oPV{>m z^N)Eiddalh(2}{1E&hq|FwRBUEbLm*((5InwBkW?;`mi#1J_Fk-*jIyws>x4mlBse z3sY%gEarr`ydBMimXX#qk>>jK++AKcGR^o{BV2XKJfWoz-KeE-2M`C^#xU?GndTwi z1&;0~a2_M!<+L+~5g=rK$(AfuxSYjJ$1wQz_KS;eU%~2f!#6Vqo#D#ztxf8zGP?)W zE3Ahqa5@AGF!MX%QV&pZRsU-&$x^P;E=7kXFlLcH7xmJ5z6Go8fF$XZ$ z`1?yd_G6bUVRD}#FbUE#*V+l@8$cjth*pTPP8w=n(koi<5OyNMkbFS498)#rsA+XA zsY(Hl%I-8~wcO#$k#gEvxBHT%L)#`EAZLdm=O=n(`!*-q>iN{Rrfjf>$-WcmN5^tR zp(9}C+w|hlZ-Rg+qsZ1Wg^X2*oKPG+nl4g4TR&0%HtmQw`5CxsG*P`*ic7monYWAu zz{RxzQhFF>4HW*+!lQW%oyH;!#)9^FM-3pnXHWg&jvxEY+`=6|k^e-^Qfnme_OAZg&u>2&kIS|&SyztypN|$&v zQz}zHcrcKd?};xF5m~-0*HuQH|9uKdfm5EnH1#gbFnKg6Zd!JMZ z-@e3T{?=!`ssx{u@{nj}pD+4$^LoeJ_y?mxG0M(A* z)SnxmqNCfhfLS0pNhl_5h3p8qEKt}LS8$d+20c->JuHwclOWS!E-%*rGd7%C!%*fc z*!|VU8bFefdwSN?L4IoISJa&IWa+j!>>3r9c!gy#n~Y!_uXR63Uzg#FipW1RKQ58w z3v)`g5(!A=D=!JNvGi)e_PEqzt&lnAD!uU8W6Mu=@wGXQ`J%KJ^I79 z)tz-0CJ(1`O|8Hf1=YA|E}ZhA;JKQkymf|@6OF|wAPb0=ukIWFCZM6pC$yh6=2I|; zIrekByU7pyD%)ooTwG_AyA31>-!t$9x07Cea|(FAum_@Jy3g|$Fj~?=y40sCg}2<} z{#srQcOkryfq!1^mE9>_6{5pW^iTvn%N)FS;JG2xq-kN&BKp4mBKc6A@h^Lve=V`e z6oq=FH&O9*S>*-m{gRndARC{(Ty&BAfH*Hji{Da60o4_T-6cIcsy50(5=B>dEPLG4 zM^Pv%9GM)LQR~2dpKl00+gyAAZ@&YErQLGqK!S;NXGt^FroFuPwCEh#YEpe}t^n=y zQx0ZqlOqcct{LXWbY*nl+7~sE67_5}7Kg@b^ax>iTc4!eYON@6M8 zJX}!#O_fIB4w%EyA$cjtYV-(s12brbJ;m;8Qg@LrG14l0&CWjX00W;0HccDI;)f97 zkt0Vlmw5_diU5(v2OeM`;snDkYE5hu61hY~Jd|KIy3u18<@Ql@hZ=dRZjx@JHMz?1ymyQxB@%N8Fx)E z<59qYBe|ZE%Dj=l);|GRP3>&0+*sY-6p9pP3SO`4265usUk1LbHP*6kz~#1N45U@! 
z2)zMus6O_V%skg|u}d1-mJcqVBz#CP`5~v*^JKG{t1H9WT_Wrmf50h5%?%(F@=V;h zj~sDlHx%jk6Tk14B*0Y3>4$jpo`lIyrj4kFu+wO~2p(X#T~kh|GJaRsh_QauzLDUq zxeotZJ$me__|N*px#3mhPe?W%JO--GFJK=fAcf7;X3OVwPffBqI%FGcc zXp#DOj!F65-)8K;WD)Qp9&km?{$2=|#|Q@@wi*+EWQ};hE`WWHZ+R?y7T5zU${5** z%Yn=C=K2*7$-HtnckaKfIqx@$)Le22cDG657d<2rB>=x-bZixmxrv*f;iQfdDlJlq zUZG(ZNGA`%?1g|9Z_Vzr{<-EAjPz7A46$L$jOw82#C5bY9ToPZGc>@x1lpMnEW41i z9ooH1*a!8mW+|Zau<)z!^zOv~u7`zV;RjT6)FAXOQO!ak-YGN+rro`CAOl7{`hI`V z1;sN?EX9w>kp)I!Kq-kBWOB)?kb85iu_~rXsn2Tri7F^e877l=z;SVXO@6ht#nDmG zE$)Sdot*)JeB1ACm?ZJa+~&<*S1=6amVCsW(y9 z=SZzhh1RL-pDWY7WLcB0kzOb+2;ArcEB8-oT7xwP#W9#Ip+Tf)TJ_61t+0X?v`({^ zJnL99AJzbO5P%7SGAisVxrfhnAo6}1SsAR^W7fO?NqEU${|Wv`Av?B&SttJE#jn=g z(*c>vcd@xX|HAOSDX%!ShGH z<-=qyMy=|Ouax3-127rv{X3qd`nfAm+$J)rrH>hj%MrwV29C~)^zEG^=G*(jC6zgO z7)eLp*6f%QNZfLNPFrPnYg}qPSv6+v5$bwj5AuNdswemycCZ>R zV~fEL5G8@pRQRSGuA)geL+FA@+G#Ge{f7daH3{)!$!FiPrmyta}}Q`~4r#6^+YNP(*m| zRgeOX(Vrvy&aw7}qsf^k7FQ=>V^{%LcsnT=-c55u6!;G;!q@UyU@!kP?Pu>MIuZl41w`kU!Y&z>It%oqoPC^N-vajGm4bkoS@a2SfIzl12h3-k!L}gO#T{ zDc;>kl)nw4^*;p%lQ>qLNwI0d-FoxSR6Td}F$jt1i39@#M(sAAQ7BJs zuL+OzH^_c*^xEum30T>m%F9i>44i8x!>%1h++}o%k|or?OD432uV8@22I`wH=K&M| z6m!gKQd75R*ls0CGi1P#e9tdbpzOh5X%O+*uANRvYyzFl0Mc(knD7v3KaV^YG8`*wh ziS&f>9FT;1d8yYk>JVRj&4DJs=!rZsZ5GNK(wkz9EaC$Kh4qYTUTURy*z7We)+a$s zF?^I6hF#msMuW0=xKCqsfvLUN37^t#PmQIk7jVa+OShrJ5vSe0_*4!*INL zjL(?A;sJfPnQ_Y~h7RJ9T>rVpzqP4kDpz3PdDQNk(=XBz1{6A63pyW)ZoLK@n>je1 z()ZCz1Y!?V;=OBEx@-E{;!5NC1vCiw>=K0r3Q(9zM@}8PB?`04jQC%#x{UPwkOp(S z0iLtMRIUM86TdOEQSy4PP;5MSyK8$-a!Z>VlWFW{XC&|m0eng;s*TLmGP&$bH$!&} zA2DGNUUFySOlbqB+=JV26J)0e^Hdpu^>3E?T=)%qMI+_p3v{1L}NWo z$@$#UK>W6&&%5QC+@PhcxZ$*T%asZq-}X|YniSe;QQ%<^GCzHA%@jg>rY7c7~xB~HFV#6 zHg8wckz&v(0>x&C62(OF^;p;SC`OPr(J7 z@2V(V(N8o>krBIU+4-`qKqcT9R1u%H=H-!iS_k?wxapV_jhM%@(%xD%3&#D4EE2P7 zLpB(cK^Xwlqa%cz*z6wf*W1|-^_oI^FWrc;1#yJ-yA0aCR;zo{E1S^SEm?l74++=L zAz7p>9b0GHlOCA{G8i~*E=`Gm)3(ZH;5k?%Mkmj;^o_{{2La)i9aPW2{;|ZtGk7!I zZ~%-+?bkpS_nJPjMb;_=MYpg8od(Zn8aSQ$3^7ppa+v$X2{YS4PP;S#8%XJ>&S6~J 
zrldYPz?5kW`auDb*O9#=IIx})U%1;jq1`tw+9xek7hm-jY+}^ga4eFLAbBM58d_e= zSTefh;KUPAPr;8%KsF;Z36apibP*ug>nghYT%Ck)0-&4WNfp%^9eF343vm?d#vE%R zZl5zdauVK!T~yQqDo1Fi#vgKqPa>i~MdNk}_;iu?U2C_X7L?fcTd%4WzLug`1c05O zYGyEwMA1V&Ux1EYS3y4kK|AO;cXjps;20fakR zwmXwXD!Lok!9kZgmzV@=aL^z?6;uHYW5ck3#}wV=eOF*@qRY=F>kj={r7@F9MFSZS z2FRUO?Kp`d;#u&7TKge;TQ_`oiJnh$We)t{tv@X>_AM{g*Yj#{x?PP-^v z?Qc!=ZDMk6)F;cvboVS90=}n~7t(t+ELcOSaV66d%N2I1&|Q2#`$8D|`T(xaQ&Z?a zy>IVL+L5V4jwJ&Th#C9k6$r2j+^BLsAVT)}4d)+YWF4?rM+U6IfzCKlhy;g#(UBye z<~heh;tCbHA9%9P8RAJtqz9HW#;YgcMi6c#WVqvnFo3Hr>q;A9o=VzX9tcoyY`2C6 z2xudjg#mOcJb8-=5Uh+jQ12W92-T_`yk6CpG*VvMIqAVoCYWu#fY|-@KvfL*a9F|L zxy;|Ezs^q>1aPJ@J8eJ=(}iacez-Hdua#=(1Uq1J>%sx}ZkxjPQhWQH81&N=Q=qG| zS1E?uUj@;xr;DVBsDzkPFjvWx{?BnF0ryf{6)LkAs3;4!We0*I0k(ow(}5L`KX|GT zLK@d~FDP_V@S{>!>KRR5kc~YTIeV9wRXn-LeRrH54B4g8Gm7B(q+8kba%X0+`B-#$ z$N0Y~@re{522a2G(8s(<*>%LCK^O~kw66oL|5SyjRWo_2MlWO$bP}{wqYnJcb|!0* zxDRn6oY>*8)2>V^5MZuDAq9rhhACu?qJ*z=9sJZGWp`A&tO=ewFke zS?=AQta;M!oZ52?&zqwGC&Ud38@C!f?%zz{)`zx8wh5NMQg;+bB&;iIB5H)+VKaY(^b zqf`J43=77Bu{a>efgnm0aStR#i6^SX)0s@iVHibI2oVJa00;m801O~(00CV>X60ll z(ENU?YbUKeTW_$`=ORfqie_X0<5Oqi@9o98TbP+e)S%j~lkKy%FkYg$=P)ua4LFG%hRi?L z{J&6QeB!M-p$F+uY*6B-y(1v+l$TsZw74Fg7m$_@ZC4`plC>wC-G#aKSbq=zl&BB-IX&>|U+C-#dP zjp5Y}^@3b3_DE<~=S2A8@QiR`{v+>+G%Ik|)K}|b9lswG?Tl_U_$^Wn$|BITqBQX* zYoe2r;@DTH4NGIJ#A|8TM9- zRWN2uMx5dvHe>GNI`Pfs(&9TyRg6RGiB{mV>p5&eJ8&|e=nbD*mFf)@$qUf2WiX<) zBc(YAI^*3K2?-1D;iQ^zQ(e_0RyAk}}E&vy>DCJKBpH zGtw{@gdRBBcTPuRufnewAVLvo)YY%n#m{~7@`ks1`DL!PpYK)L!E8Qune9-?Yw_$= z%Ht|zY7!aJy&*7!{cv!AI&zDz?M>VVXSh6=(NvWvo)B5YI+lren&9c!LaIcgL#^`KTlgTw4ZgCYvP{8TVAv6lKBp$gCh+f#rENl2;Av zOsV0bCC&G8@WeX)JeG<1b4*6QB+2cE(t!`BVhd~85#HaW3I$kFWX#;ywON0U+L6Y0fJ z7DF4y9$dxBRx2O%3cB~b?VfbO*w*~iHX??nwnS;@3rz$loml(@1EE5zK2x+PidxCR zdqc@;bivn6i_YgE*o;esGoWb%8E>(jM@UIBKd!ik=e@$d>IJ8A$bh4zq1t{vMdu`f zW7#(LSX3n*TSn=XaC5PMb5f$#*&P1x}e!Sz)ifo}HoKJx^_BA)%;9OL!7 z+$oJI7qeiCyV}%RMU%&e-$rflCtUQQp*k>LL)Oln99I&&Vh#d6>y;7X_jm|%nQX4XeA&(iwQ{WIv$sqn5QE~k(0}NhUw2kNW?#< 
z8=N*h&ta}0n=1%cVtv%15-TYnmm{-KqiWCKIXQs9g)-zjpGhdmqxXXXryN>_3`eQ;-z(*YG$~ACU&^K}u!|MhPnzPu_bgTp+aH7Fu{#{t)N3c=Fr!`Gea~;3% z7|m#KTH}s*V4H^&8}x?ah@M)B31Hk?__C&4%N&&f5A)j`p+_yI+~8p9bt`IzV`YTN zBNWxh>fr!EK)%1th=#URx;4iOFl6MgLJzf~qD(PZ^`wqasQJ-L2GKxm#zYz zIOM}nM^KifV(LUi#edCXjS6y*r@(xrX!dNxXc<*eS!2aB&&IV|e^jds%ARYXIskVc zFH;y$5sjj0dg`IloFErm*jF}Yphj4KD1s=QbId^7=7S*SH>*0YOzVpPR+2PWu~im( z6C8gDEzVrl(Z^Ms=b+|eCn5|YfN+QD<9o6QhFgoZ9jwnlhiOMF`;H(x%rodbsagN( z++{q*m<;KTv5WdNpoqg0yU#*kW8YS*2($LQIqGnDJ z06uhGkL#wkMvV?_1`DM=QVXsuI_5)-IdM4wFcItQ&J@N=aa_}J(q3le0`<}^;#dwi z9MV$oj5Zfs|Ik#@Z}!h>j?8Rnku0wne_U^vPtuv?KUsB{O8wu z#DUZIJQvET-?qJ?HNC?$OkS%3Z4Gb;=H1x(VNA$o`*w2%B71kzXijd}cgYLAekP!j z>1i?Qr9`0dS&$y7yaVxTox05wZ3IZGZT^on9 zTFH*jiA1mL%h@ofE>Y4iBkZ0R>h(;f@uWG3h!5R*q~T1kp;1$VgX8K3jwo1Ke;7$^ zdo-7#3J86u=|FuB5f+hyfycY)yS7%apLQGz9<&Rnjp<|)sAT6u%$!0Jh=3QU3Rv|E z*NSQfaQ~vi-ZOsJd?h-tXq-)wl(0y3bvMi&Izsd=ldCz15XNX7TziuFddTBDg%_~Y z4#N*@$W46=$S=yYt))58SLSbLIzej=A6%uTJ*S5!#{!0n2-F?flqjDG`U4Jpe1LsE z;p}XGfJ&LPtL7;B=554JZyc$vXCf`h08;aZE+UWK1#^~CxEmlkp~-m#bAj!f3U<>e zH5(BTt{?)4i&m5+X`jBONv!HYcbKmxNc8TIVXb7_zn&lJz@0l^O&Z?77GNrK&tv&9 z5nu!HJI9>dvAGU0BeJLPKZPySPBYz;b}rCLBhh5gtbn8Nd9A2qC(2BCjk!@jqXi$r2je{6%@4mF<$kZYouFrp{&;gW9Di@tsBRBoO z^1M;xim!rW|4i5DqX<1Y{QI5*15wbe(PjXOG>}!6Bxv$~(KC(%y`rgce)OlpSk>`?~T+rfw`W#v(g>Zi|`yc(=hW@P2FL0T^%+k-fNhKdd;~mh*Kv~AP4aP)h z=H&EunNytvGMx5JlXNeGs)B$s0GO}IB; zT(06Leux}}$ZBd%qZNcsjhXT>Mj|q5;KN3Nk<@NUhB9Mx9y$sTk#ljxzv_$Z;y~Qp zukaHjAnzVi&xTyxB);^U6+e~n#;oYY{5gS(PQ};X{K*wSPq3=7qoAP}aJgZ&v;gi( z$`I%d=}>0sd`5v*@}GvI56AY@1p>8U57%NI^@4DbeFNcva)JFdj22Fd^)*$I2D^a9 zyhMp)3S}%@N>vzGkc!s_Kvcl!*FzVxe2{jecr@!HPMk?vVN3QAM;fLv(wG&%b71Lu zXRRI#4hABPw4_AF*Q*=M)Mu8E8Q@AX81g#{X;_y+ergVJlKk93COKX^xd0npCmmKKKZ~cm z_|CZPhe?2ZA{Y&^(3`S!ChwJ-O0CIX!-2!C5RoS@#z7ucai1WE)xq6zfR&V0Td~z;`W4=Kb0$ve=acFIW_p!%9 zo27Kdzen#r5o+U?2ca(bqHWcYFqb#Fa^PZhYZ3=ySsSW07_7S#(R(!x-uMe0!FiII zCxeBnhpum}8PgnaQexEymK);e+nK2$mJwdk&J;<{C~J%W8>*{o!(E>GxmNq<-b1Qy 
zyGV*h;U;7x4Qb+4!wyCTlUM7s7(l>tNZqsq18Ab0G%?;LT*&7I^bZ~K#mtrH9yc(7 zc3@_LGH;7WZ5JD`3)Mf23gelGSo4i12H0Pl7IhW9Qq^wwp{|Qx6P+S#b>q;eDouQ!T2KKX^`nMF%BXGpJ+6o?!u7Sl?>f~rI213~lQ;TaFB|P_> zN7^(129?E6JLSa^i^%@aWR1w6oR*>XDK;6rujTH-bkl7!ajsazN?q95z~Zs>@q;Bw z*8QI~W2@NQRO*Zas_F~;=~B#6sF=>65Bi}A*ZC>=doNrprD8*k82@dXW&HCNoU3GD zrocTBLmiy?;P=1<^n52}Dhi1Do6I)W(v&}hb}|dgfbabYHtW5rQu&wSoW?%4qCYt1 zLG_6%a|8mfxzBL@?n;`{>OB3mo!NJzeEiyqd(&GmunPQWc@`Df{B35}0e5wMO>KVD z?)0nd4z}`UUyX%B&yf8)+$uRRUe<@?{f*QnsCX@sa1MO*<9HDVY+PU;1Tk%@v0FTU zG{e6l!)kn%UXa`DL2|8o=0P00u;SAF_Xc`W>}jg|%v7QTZpz(5)+HK@<5lRP@a^)f!qSOFc9%}E&o^eRwjK{>- zT#s(E65e6WFw%PVWTu6?IY{X?nDk_44sFkgQ*39;V3<9Vf+wMU266zPYwy~A>C~HH#R+pWX|!@C(0+eRZ*}XJ0&Xjw8hQ=4nmibw}A(KxQ_W0 za^`f=WbQ5A?_zAiG8CC`_S-Dx+quXOK3Ftrbb0W8D)XfVb&V`=700-$o>NraRQe`9 z)yM9Ny&5YVOUR?Qg?-HAh80%SfW;6##TN*Vw~kD;snY)g{qkkmLVciV2?F!_i=?9T z%LNue!mkIHAwRQGqA>6;!$o zlm8G>Aav-FZ7fWgf^Z8MY!0Jkx~p??Yb_g4jpx&_kPptpm~Aj*nT^VQoT5r4;`c@h zjRK(*ZJcd-JYc+@&K^$AKs< zhP0bK#L9yicsr&?hx+8)(4ZJT^uT51AA4a!$V5+CWA~nlUCshMi+J8J&r<1+DA8_j zNvk&@oG8O1GXTLft|P0ZZCknppptq zd5x!Wmhr&bf$2E~i*sHJJ@3{FlR1}#mEVtu8@HNbBqV^~{=^q0Z0F#FafM9bthl=j z3clykADOEmpqiAB&VvOX>wt!1eoG9ls5w082tUyj{KgfBbihVe5Q+DBI|ytNFd_gN z_Mkn+IuWe>rvV(MM{Zk5^E!TLdGsmNl2Ad|1>Hl)A`ZY);XTa&T9 zz5R@F_{1=n;U^VaAt7C0CLHcwsX*{#V=p z!RPPnMlD*duc;dIL!9we%WrCf8 z48fAx({zjg)x`%6D$Yq&9C5Yg%!#zRvFsUf3TTj2Fkzq;FrDC%ZktUob*3^W>{y2U z>7m))Nb@jZ9eneeT$l01&I#w@nk%&#+8iUiCyqun3AfAJB}Ld~wDr*)ly{>O zKrepwo4j5ofK@1S4X+S+cttP8s`UBS0ypKlVOf#Y;bx`19|4HB%j=Zn_QBaerf2gr z<`|orZ>(97Rbi`?wQV`dEZ&(lm^j=vKOjG||9LR_KOfT9wIOQT0F5V6(?9}KBL;OQ zJoVgO5Zrw~rb{dQy9=N(=g-WPOqXlck~+d3Cwbm1d+|Dy;3FumPhjXcJA3c#M-1#1 z@rO_}g(wXd}JUNnUSq9GS>2gtdy=?vdv_U$e1!vl?*S<{M!<{@h1n`QM5qkT%Iu# z0Y|gR{`gMWkQx1F`wk%wzpWbG%xE5o1-=Q;2E3nOVQ3k28lS#dvB5A;8KZn~gr@^$ z$z!6fhlV`X(8Q764b_-@3k+8;V0lLI{V_UN!kYm#u$KlCRyruAcaPCn%`jH+9`#Mj zj%LUMjjxCq17u-%8|2?sFpXydG=}a9ja~Z=z{44UkhbLOR(KB2M4&rjw6C!xruw%( z8ehQy|33-}o-t~xhk*~MvVXBSA8DH{cMi03%Oe?YZZX7O?do5)@vqGc| 
zv0;pifowAcE~Op=gFM0b9>Bk?F&b|IR6uX7j8jx8SqBGU0kPT;N4Caj`2s2^0YpfqslI^HeDStB6hmLE+~f8pxv@ zKeK+7kD>mWT+M;UH#O|Mm^TKGF8I7>BU|D-4RNT~oR91?rxg%8&BIzkQD#%GcW@xd z^s57R!zweMKK+zV&9cE`mlkOcf&c0@l>yOi?R4k`hrx6^)plH{rS&A|*|S@RF(854 zt`E?1#KXK3z%b}20GV^)j8U9y{{#q%qe$yqL54Lx&wH^$)r%PXYo4jorgGidG-xu$ zO#DnR@wcKX z@p>jqmEXwa;cp=ftxa@2+e)pCqlvi`AkG(@;iSlekZlYDO=&mR&c1kykR0;RAm&wZ zj3gr7g^|sYRHGUORB!+g!Z3gYVOq?4r}jC7Mu!X=N7dA1}+Lnkwc ziHU;6VFvOnOVfK@y@|mrLTqeyiJ1xz0?8(1a2u{IttG03vL%=WZQ2^Y!SQVxPY)YG zS%38MSac7Dx^S(?=D@Y7FHSBVp{&GRpP^ATj7Bt2?mmE+kb-X&f5>UHp}r;=7?c=g zQ)X<}l+woAQ$Y!m2%|_G;(6eLRJcljXMiB(K*{AqI>e7Y6iY7mx|HatCy zFl(5$>jj4`H2S(XD}&VYQF@a5a(51!pH5c+T0}n%sKZY_Q*dLAsc_o`95lpQJsFMa z+?@@5C4om3maiuwFL@5;E^fnX!?fCxjRyCa0fE~ORZS*{y|L!KE1OqCKfhmGDIh(>pExfq)>!OqDDhmPW(uO_Y1? zBb^{o^pl;9Ru>3~5?=&e#ow~d$GC@hB}%%nw#6k$f{&6dybv5^7ls`yCv0UJ@iBuB z|7m3{SwGpqbgdo?Ilb}MsE8L+|GyXyrX4_&wD>YlKIo(%!%LmW6J>(W_-l)?2gGtf=xLG?Ta^+c%<>YN9LhaeUPJvcH-puA!oJT;#EEql3ie__68kT0+ zAA|zAL0(u@`FJ1v%`pdWIw^~-@btp&?h!S&Mg>1N-h?O2acJI2_nsMDXENSu2-IAY zI3eUUJAnRpdP%x}YFY1npDh8EPz)(-ObQK1gpj}~V*SX99I^UFGvsmfpUIx8^euM? zJr>Jlxprf2Lttu+$8N&Tp`J+eo56oz0hME$+o+6ch-QtL1wPENF@l?sY?c?@`J*F(6F&nDokq;kWU zaj{_H7NgGr{rTMLivz2QxJ=w0UCB!RjeEY$Kwg#(Qp)phe#MZT${QOndb^0j6V|V5 ziDPl?woxYZ5GN^MPTF{ljIU}GW(gV$X$}z$n-5p|M}*ZWoMF~d^?770RdM|S?%=E<*Ambz@Kq8 zs=Q~PE2a-$+1vrf=0JoHGitz}_R3y_*w`&SlcKtkO<>p_j7gN;Tmc{fs7_Wv0?K4? 
z1yv-5J?MvQ#ZJMXI3kK;U46ODb?|sLN0Am`!~YCc$pGLzUOM#$?q9QIXerif;3*M*9n2nx)urW4Wd-7=b}DFL6CA=z3)^Lw@{qhJjuyjwCVEHj zBQuK6o7ANiRKJ@!TdyR5z4-)AV$1c{6oi+=>P$&darwku?1wGF5j~V)|M&;s+d$16 zS3&Tv;cK95a)*OhV~p7Jw4nx2QkUBwNR)AL9}~!&X%4$1*)x!Kn$f(_0XITQ&CVf>ra_;N)M!dQ zq44mACyXALL7G#Ns~9;bkct(>zawX&h)4`!1T4lsTpMv)28d>NoiYqKv5-7Ytbz_W zKSb^%>NDsze9qO{9;;P!S|KiLm0F>cVGzA{USs{#9i+$m;}l;%$utTd4gtx56S8>S zbX$z}qh(dCp(gtC%oMbtnX7jep^)Lwt^OD8mffV%%X%9kzU7cKZ=E`~c@NE`_(|Jq zYVgL=>td(}y3Xe1b|=qcxJMdl;Q3RzEUcX1p`27gmB#Z++3ATO)zf&>+EgaI&&b5I3zfL-S z*L~W%m>;Je0Ma5lv)F)C`5S%*14)t$p5O{$8J<>)xsa8is&Z@t6YPTS1~U-t$viW> z&wwrRg6qi{2&K?)aaBsnG5ccVQJ{i;eJ5NhJd-yTK$#NA++;|AG&S!b64$$|q;qW} zEkl-1^g+v<`7WO)v~0+0T|Auw1T&IToFLGSMON%|aNJgLSaXGVX2$u(02&! zvB!&Do~odp`B}KrYgxrg>KfD!XJH{D3MAHzxd(K*r1*VXvLxKA4z=Am+hw_V<#~y) zHtc3bTyon#^_t$3gUj6kb&bIJx$gq;M8BmUUet@#nxgQJIkq1^=^nRE5(_p3ZQ1>} z@SQK?(W@YU)1e;!lqOIVtN|)$F&Z|LkTmg>F;&7d( z@3snv6zxZ#zm|>gSaXva0Qm?Ui8P^yXNqV-Yw967eqa*LQ+W9gq0*gOY8a1>@`-Np zM^8bh*@%{J@YqW-%Ez(RAS|inW=o7iBc~0Q2H?Nf+{6@$)3bSGsjSGoj)VFRNm)2U=~B*ooBrD z=ptr2`OCu-T^!irE<~_huurJrJgE6Fi=A5t{c3VD`&)o!m6Br1zu|Z`w(RfmR6+E9 zJxQaFb~#bCBkMri&L|?GJezz;h>Lz1^-CYSLqA^`xR{#6Io8fs#hNCgv39Rq9iWtC zGI?`=cEKBK$Yz&C#nx0TXwkT3>5rR5jzZjrfVlwL0r(^z1JHJHSOI?;099;#=zA*b zu^4)2oNU!=(y_#@{@q+JcPnv}ZHhOay5rbwJE|#PoF6b|fNQ`>c-gp`y1Jsrw-VvDW{>%r!Nx zzYVuyH#hhsL*S?rB>65l?>K&|&x@`9&BP6h)M8)koq20fKzvSBpNSON z7XyOj&(x0H6>`5K)6M|FXZi>8!+Gvfg}zUCq$c8{-}gadez9{eZ!C`IV75G{z&-&W z=8S}^7bg4OG?ra2x)%%Zd=oleul{@oWVgFu?gb5FcV5vT&p>n3ONzr(bj1Q?$A76g_fSWQZKE$SQ3N=>n?Rln`l(s7y6V0 zIPvdd+P6m6hZJxzdNn@>ke!@@Q95L?$z&bjrCY@X29cln-Ozv%CHJ|iVX!%gX>Awv zcXgsNp!?bD27KMej3mXeoXE-5OVpse(@H4b({|a?)!oqhH+>DtSfdvb_Jky#`_H#p zr=Dk${XmnvNW?fO!(Mhf!L0hq#$+n=4?NV{%ZQ>IYLLj`_sm9?d$f^7!>te4u2$OQ zqv&|pTEkIS9Ka+H7&=IkE`PD+IK4+}>5*jO$EC_)q(@~A>QiZ-$XZuLd{O4BO#-bU zmIRYbepPc&_8()*kZ0YZnw5_b%x(%>tXM%9L@!9kzFS>LR}GgK;%WZ!<@irU2GjKJ8Fi2Ob@lXGr#q?;Zyzr#yK<;_&(F^&NmlWQ` 
zGA4i^`aD0;s!0#-2yIauJw%l)BShKBY;OQgy_sMN4jWP}`JxHbKc-i1FVF?c!oT12%cy%DPqJdx{JnN&e!Zv-miNvt<{ zM#g)y>FZI-PXil!XrfQ_*|Yh%jKY_*CN5)9CF-YNqp2}9R_6WC<^?ss*DG*+x6h_l z38xshowldHzC50hsAHLsyM$?w@8uyO^fl%|9l`u0e=VqAzfL-}ncaH(9tsj%->217 zWZdFZ!OpPxuLWjj>q%_%p2yw#2T7exW|6{l4<~NWiqL3n9$P*tvgf*qg5L zNFt#>W*LqP5nW_h;bpQZr+Lfag$x^L1>JU_7@84>Ysy_jR7yVv!GO}_=J0$%3_r2d zA@}q^NEFjtI=H_arKf@@q;~&iR_-mOcuHawqtRl7oM%=R4r!mNA9z}S#Qk}muF}%$ zVny09lR&1yEET>i&^_c`0*%FNiOTZ1T#3CEN(U_t@)ez@MhrXYEPXIn$AE7x(Pvg3(s%4r5+b=oChVG9@j$kZE|GkcAD{rsoKzrho&Gks=G8Imjg4K0gmZ%H0e4 z@tjUaae(&2ff5Ui=X`=f7wi78^DPHhaKN-np6qV^t+BX4!-vm}n^)EEv_-u+4RM49 zD=&BXkeK3>9<&oQr`wyH>odS0>#(V4c^1d82zJ3ZTkoH6$`4=y_IDuCWz!sMAdIJU z3tYUp#t}TiTwkbM5ORsrcYoUzfT=k_C>76i8rfN70nH| z?;qMq!FB|Ta&tsxb`XId{P4)EZ`jDW%?}$b&h{Hk9!+gN$d{o1F}vk=akZsItNwh^jo+(Hg`A90zm5 zhX?DSpvh|gDj+$9TL z35Yo4rvM_96wjh+S02V(&vldFEH|v@Y2A%o3sxu>3p{o1;;g6e4KX(N`bU0_U)h~OBmA=)xcMl*Dt za|#xJlfdEEZftnD#LjhrNHn7;W6d|VaiionNz=R;kMDy{9`%w5+(RK^m&s2Z zKGh@JF8#f^Ph&Y>pe0roFAwMdp?zU_awdIBLsrhzrlO{R8+HPlKpcyPkFpUtx<>UO zD6*y2m=5Mw(#zNIvS$AWvoQA4x&_Ov8&mDy^epW3jNx}Yk9R7J-bJyXffzso+onE= zwCx362v^Pg?Vos${1nF%W~aV0Ca~7pqY}q02ZDxbgf02LHo0WCT>ga@=KIyU`MC-e z(`;t(qI_-djdA=8gF6Pd8;h8Sc~H5c?jC4yG-kY@5=f_o@F1|0<EY!%b-Fo^AR{C^x1^8;Q zp?6@=1H*@=ht=ePhWD7H+6cy#+T){T;o)X)UWGPYrD|q;)4^k9t+{h9_L~DyFdw3G z?d+XiXORYv(TRt{6HuHh_d4#*C~tLNyZ*bvy;1u_8R!xxPi!;AaxAdW$6d+COY_)- z!THRcklJa6P*MmIpi?X4gm@iygS+F)bK%0ilO0*+*9A9`oh$OqS#IoD=eMmjxK`SJ zTf+Eo>k;E0y@5jT>qOQL#$6T;C>Uy}*4qP_C3K0yB;%>9T&PfEe~+ZVLZ*~-+(($) z&mxJ3+xw9WbCz=yNK)w;Ivw!(RT9G+=;;CmDeHqnA|_()$ty3D`c0QCEq~jrf>nj% zX?c>-?O$!gTcQ+73igj0h!#AsJv?Yjj}4qJ6pz3?S-SHd3swf+;&E&8 z=goCEV1<7Ls-dvQl>OgW*=?$+%7*!e8GESE#h44e(gHYgyy4Sp(npzd-8y2Ydo!Xm zC<|9gcBnP|^&)c$Mf20La5~vw1YUl^Ub`fh)iak|9JLmm4l=0ll`$YatgJ@W2my`; z^r@rI@e4JRb{0!zC0#fH%$N#gat-Zu3Ts)X12y%Ro$7)Q&MuL-)EByhB@Y%OCXd*u zxfqoXET)DWYT!Vi{V7oE14_6zDhoUwgI-4>vuE**4GGbgU)>}la2e3Nq#n|R2g;z_ z-w=|OWPF|wc~Qcgx9hvIXJEY(+FiinHtu_VTc4_QjdjFX2biu6-}OTl#$E!;%8$sH 
z#T(0eE5HQe$)8F^N9UwAYhYog@sXF>?{1U%-5a=EL zL9Ip%nr*dR8Z=V@IpEq;)?N7HAfrtuS@}62RB*Ri8cA**p41i#g5lNsRf`<2yaY_V zKKf>^iMWe;HQA0#@Kf3*jVc1a0%;O^;@=%paGEpQywI@}T&Rs1@<2c7vEj3_UEB8C zSV%Zc=(cL|Cc?${t8I7f+bb+Z$1q=SAc*!*S-T!#OfRk;0hx^B>z%@=#GxxUk!1ww zL!M2Yd-sJ_9x?Fdi-Dinc{ZJ!J4oyJW8i8JY~w<~{5UdZ2UHTXK#7PWJ)pGmTfs`W z0=~($i2m=6Kob5|Lwk0#9L|xpI`YXU9tD3cN4-4DDeORsiSXBA*D)#+oiA63kK&80 zrJOZ#w(eJnJcXx*_RBryxHB6jS1)`c(-DSFfqyh-74w4KL(P#fz(UqxGkmDTfPSfS zv~=-)^=32rjeU@GRm+y#VT@dS#yX9CB7a-^^9pTp>^hiWFWx#9-s(LlzL_PV0WMiv zlBJMn_GkzYG0z?JOx&8>%APAP?>Az!8TE}2cTmzjC|LODZgvt&(A&)LBpZOmMxtGg zKIk4ss-0yfP@UDWG}s+&8${Vtd-j!eU`h@`-gb0cM}xvwvFal)d$bX}?`phh66 zqrU~8jT_hDSH#OvMBJ*$ZGuwN;-6|w%CaSpYY?2R6R*Ml?lW_6qclQ1v>t2Ivy*Ez zB2;0A5K*#2SIPvX7qh?|)$J@Xc=l`t{6mf_88ng)!MjA4_GFeaAeWpzDHFQ3JfJ_U zG{I38Y5=$k=3eI_b6I!I70GCy5GmxfL2KZ9wE+48Wz0piTmY*1XtBqC_8|JfixxCm zg4kAZAY({V9J3VC?UfekRXR5zY6-G5Ccx6csy)D(Rkj}XrThj5D0aF;Q6 z0;Y80*rH;C{X;H*wb~-$pcEIHjQ}f4gA}U@UAdVrnCYX;$>>cP$;X$jHzlzWJgeRx4fzhPF5@7>zoZA}Yw=1iadTsVR%+DAEFD`1e zfNe)UR1DUiZ!nWF%0HY^5wyAwD!jBdki!1`s#8bf?thytwUMGn2_Oj$9!#gUoSikY zXDp`-D_M)z2%t45*#S}>fnIdtty&t=>{TOIcl9Kc6r0EKJwW7JieKvqaiJItFJPI!DZc)hp@#T{sky1mM(zdVC;8%`_#9(@fhzotyb{TF0v2kplTg z4dw~0dh+nNFtx8hv~J3DqlaLv4=~&999tg_(_Q7=pSa3CD~cCZ=o#6gh8*w|D=c~+ z!bceJ%oFGhzXlXIpmj6k`KZ$ctuTZ)^x86yOLYj~R~`)Yu8&hht>MhvLSu^ibIS0s z^odbo9^gK5UMfj(5j+%ckW-Cn6YllDHtmn0!=f(s7W0V2Qlt3Pxb*FDkJHYY5pvhP zz#*QjY&|+GxV%BlKu`mkq{^*ZIuo3HgNdBf;BYjkCc#OK(V7@gp&RV~pLeVWR7$MR z)dhbDO84u`6=CuO)hi{vCb7n3c3QKgOkG4s<-Pz;l#g%;WakIxhb0)(0ND~w8rf$M z&^{=cOcGHD^+(N5jxA@Q8k)C_Jk~JnGE8RGZ->tmdxn5hoaN#yQhh5xB_U3fZ9m!& zKUw6-wRj@*c?vfu+FS7>F@i|2(!~lokIU>nKY*8k8j?*XAF$XZA}74pbCt`IfDGY- zqW=QjXS5{}{H)gdQ+#`&84RB?99W2otDEX^x`~nUhFRdqxXTEZ#%SfbItuqbs7g#5I<__IN#gR~sb;u{WHC9>rauJ{68Xh9W%s z4hen5fGLt+2=b!3n`SeC`6!I~M*jzF4)pks>;oizu9=9F{^BniK;6CO9(Td{DM&ov9;J-d#YoXV3od>03MyqBqePmF)FHhTdB$adu<|izCuz@c5Nlq^HpQJ z3(aDGqxyzNi>dahWnX%YVRvQ|B0G7?=6K1k^Jp3AL=GDLDNOwMvSJ^vlo6c5G2Y 
zhX)wb3y7?qu+7r4(uPxI8203rR*ysvGF{E10#-_mgQNVJR?Wl>k_?U7jUM9n*x)Fd zWNTGZ=a1Om&AHuReJV&(&PMV0A*aVT=(HFQiWmn>2Ih77tiB!~W&5COaKv=#V>LDc z8$ngsTg|V!MIbN8mhXBU>!{xFr;z>2L04)}Ow3wCV zLWVK&g@8%(C!_-aHCpH>@#4k_WWvPU`$B9rbj6ynyb@F9e92>`zyR}4gO?qyAG@8# z+&|MP8o26g+ah|%@#(!`yD@m~w{f6nZ!ZAIDOhd}Z{g5?THY_O%VVTfaFWHHugdWa zCVIpYrUH+8MlR_MGXpWtaP<&EY{vhLF>lRo%39Qv%4y~I+#forQt`MZ_^z|m`r|23 zd(OlxfxhMUt|Kl62ORT}O2e0Fom@CYrs)dPD^Spt%w^xUwv{B=z^N7SPY~hI z&?JCC7L*zF87U6zK&=%(GgQur?T7SI1v=dgY3DAgF@p@m>vaa1kta#KNP6PPFjJ9? z!p05dNV*UVYM*`(puw*>d7Au_y*A?!jPp*{!W!8?Y*8>UjqSU9v$uTn9hs*eIz*u| zlqM>V@jUo2n@nS5D^34CkBRjUHu-MnPNO~1_L&k~KL@H5jiA+?OrP5fad2XQUw4EY zaQ3rvWBcCK!;vd*Wo{PNG8Tpf4jsypgwA~}^@7(-HQ?HyLXm|b+WEYH?;Q_+EA7A# z+K?mSi!cSptDh(PtArlzTt3|a2>y?@KHa_Xatvuh*x@#JMjCScT# zt|s7kMr+?3#}H~~RpFw>ir>YU&oV<&X_EK7)znRucuTn-vzxo82=ob}B}*wz>c_xfg(XW$xjV*mkm8i}9vupBmQ@QF8A^kDD_ zE8}n#EUDMPb=fL-n6!^Zvaf+LxK4C?bay(^I($5|k>fCya3(>q%XsoaLb53YN%BH~ zNUdZTZuKwe>!k(T2;Pu_0*r@nh45*YRe%xj)X~$`UD-UunGp<$BVxIxAlM|P_KIO1 zm4l0YU3YlOxe*H!Wb>rY!hHc};#6}Af;3T)?|b|LEN52Row5R?op2K%gRcBSZS1kc zv)lp<3CX83NJ8|tEcimWm_r!+#Se$iYF==N)E4Dz(@g+m3{T7c82u0n$Zd&YmA2r0 zc~MX56X_me@jycKR>xbIb3ODvO8AP{3(75sAOYwA3W`1%Kzj6H@q)?{dUIG9ZLs13 zwj@5GI0Scy6qrgpCP4$ZHO%Yz{g6MeWpvOKXr5Map|3Xpcji-Q4WjVU;2157unDd~?P z+XHgL)9X0NxK!WnfOi_ygiL>|hW!U`ql-cbvxXLp&1{MzvxLl>0N`C22!Fqc7c>9S zR?V0V$mYF`E`bj;;~!2do5uNx6Bz|ajQ35oWBEbzw1gYkB2VwXF*{tNqSI^$*;=yO z<~~NV$6{~%b}i;wJpQQ*&p&?azcC|XaIu^?{?GDz(X?9LbDYy7*|1F3eLPaJag*P+ zY#wUjDHji+&#sU3!lld}8y|iiFu6$S$m3R<7NFZBMHje*)#^cH+g;IEvf;a;u~$No zGW(XOg%<;C!U6|WS03?#(hl!N?!PuFcBDN)$Xg&%lrh!VDF_VAG$O$+6{ouJCtFoG zK8}CV-J9^45O5jLYXa9;+aZ3gYY*(oqI76vD!oaoFGytxz2QJ*0?Na2c0~825l!XL ze0XN~x#^l^`%C<@>EX}fII zKyDS!><}*<@IZD0S=~Gw@3Yyn1sZ)DNy@I}-Dj{0{MR>U58y%-O5VLAo<4{EgdbMF zZd|bQ-AQ;nsO^_~K*W1R*g4S8sOs}f3`o-Cc8;(ui~~c9g`<905f9a<-O>&xFv({ zSVshMaj^4|II(b=0v(S_vl+;DqFKH z&mNE#Z1oGVEryv~T+Bybw4~P&u`Swa`8GDX+POJy>Zp 
ztU8+LZ^C4|f-DG$a8I8M^jO2xwyvTS0zh*H{81ZxM;7IvQi~`@4RWB%?ON=yaJGNf{3Z-+QxR<-uDuI7hz?;gMn>)ni~i-OkK_$3^Xl9-`cfFaGe^9xEEh^7lpW-#M9_4jC9Y;CycX!+U&{njCDv zt7ced(4nv@d*tZO2X6EWn~irAx-;O0-h7U?gP39f*B}u)3m8wS=G*%;o}_cV3j5U; zs-hU~o22?zyA9!gd^KifAci5%Qq50Dydo@aqUgjppV7u;_y9LQAeQ*pDFb1&di}Xt zW6}2)C))8e-oJi}bTdAhs&;orNP2fX<=Ju$ z$1f%4ONojyk^`bKYh5LJOiQ}>hAQ7m~_Dr07*c$zk+~d<+xGJF=$#zu<3N6BLfHa zxq3HEi|J+<<-JYYi%q|g)b~Gb_KhPK57gbs*a*<&Y<`r#T@Zh7kN4b3*`G6dq;5Mg z>l)M@Rv%<6vP~);u z={?NZ!JOxNu=7NhS)KH&tvN8)10Y5d+pS&d#J$AKa2~FK8tD3_$srV-%~;DJS;N<` zLU@!nSDP97mSx@cCs(-K32AWkZBn^)=fD|vkOZGv(fZ$@b`Zfqe0fa`xIZrq#wgqJ z_|_TaxmpBZS`>nX06u>}$N93V;s!j*{3v8G(V!hOeCK;zvWe!uGYtsJdj62JbfOAD zC*!9}=y9czF(KtCiloLip3@)56X~C?#qSA>b#&zC_ml@@uWg)DhT;pihR2VhFsBP- zTU(~D`FlpYQy`A)SEU7LW3ZsuebS79!NkSrGWuKIzt?Jb1(Bn6967A!u*)%{O3pAS z|G-ur(XkYhLD!~^y4_taRG(Yur9Xf+^c`^y{h)^KTgg0LZ~}>#R!-8x; zGINAhgCn@M@& z9lF}x8~o^wC8uOv^TaUIYv6-=@wvskz_A$iR`l@(@?n zPZl}UGHJ0eZn5+@x_ z8?lS7G>~|1-Js!e=tj~9^DbW*OIu@n* zug$h)&z{=L({rvmGY_f%_TEzZV!-dsR!jbrl8{caAdY(Alk8H0;0w3qU%a@RF;J2+ zPPHThw=2-FT$GW@A#*M`Ae05rduOx%T16~b2*vK|wp-pUa4?UmUdTogdW_1$}6B^(lk##2d21ezU6fRWWU|<@mQ(oOUefJ5}`qAU4ZGr+bc7NsI zTP_0K_QrmMdW?lI?}!rz0K*TYsF|rt?&!Q9#LlMtMj1adfetW^Jigk-DfOf46a$HI zA{S*+$%<3nGWrZl8S*Q9TQ^(yMTUa6@{eRtt9+@6v+~iZ7z}mSG&GzdF(1S=Si{>Z z=}sO zYxS%Fb&g|c#&y4EMH2VH`%Ra$*9w5~m&Av(_S1T*1=n&B}qK&D#;3@j;O`a%xOG&+{Wn zy?(+yU21s_87&y`!Wt6BdrUnm*~Rs$#a3%e*qJ6b7#{_y-8hMRY)Va{M#B@AAKYI~ z67u+*blO5!s+*$-{fG6SC%e&et**D$&RaWZ#uyxXGt2+NhmRZ4 z7HvDUkyNAofsy3DG!cFD<7LbUVlxc>yi$E_XV4xy|NPH<1GLCoh2=X?a)xkGedMp+ ztU6I?(}W~3_#d7yo8&bNz-A|u{JDRSH_3nBMKskoxD@TmRz z%$5l$bg&wH%un^Tyf~@DqMC`MC^RJPT2Mq5H1M$i?{Nq9&=KsEthjOFn&=?-X8l{v z(cT%CV&l{{P$<57)wM56K>fNGb(-N z_?B>pv?U+}8F{U2AZ|D5xa}9~*Y?YINza$MIz_N54r8)p=L|DfOUJ12)!KvbC0D-` zJz&Wg&&6}#>=a>sX7$(WiXXOzn+1nwh4sOeWlf4{D3?Vf;i=%$hEfq zMC7NY>-?s5%c>P;Pne9JC?XdfhVL?5ujLjFSNAbZy=Lz%gl(7UVd!0&to0>>q`QSj zn-tU-LTs2`&u}Kx>7l4g5UMUUWy%Sabd$rFxQT!7QhK3CLVAHpoSmP=oKNI)gp>rit`{0 
zT5<~mD~ku_=M#|uzo6??a$a+tcoDg@*q+axeCA{J=|TU-v&I8{CK~m%PFEOV>@spz z1B(-&5l_%(+0p(CfQ;a8ALCG(Jgk0`1D?0PUCHWwdu0SevKhc@R{G*A%B(a@^|3|H z6viurcE!8RR>B948dDBiD>Rj>tJv1-|ELu($wt7a(#DQs3@{*8%h$BD0={7FvEW`J zFDW0*-h2zn)5DI6+?$n>f{a|LuD`cz_XwUP?Z-hz+2T2%(c^728CLafjGW;u;2=iG z?2pOmJ$LLiGiWMPDd$WnwAbFC#!u7RHh$6>R``9JY-1#JI|K9H%;ZOwKWQ{n)454^ z%-?#n)KtEndy`9l!K9FdI%& zr5VVvJYNgb`Ex&oEsH?Us?7&7wjCp3&Kp=MyxvH6|6r|^x^vdBkauhjSE5-7W98Ds=ki8JdL#4o7qd$?Z?p}hU~>;O z z-7aIlF>XyqAU;bIROM_Q038RHeai|wh?zKFVOg%;N+!I{eS*rdMP$y^H}KH57|e~P0Om^`-ZxiwR+!Vj7=SY41$?`unP5q zsL7Pi14h1$VR2{^pFPmy)vSXrD%E5f|PJZtdKOdpI`-foR3>+Z_bDnVVJU z6bI!+{W8C$XHo=?#=AHwtMELEv(ED8%u?h?2lg@-mo@!3o`NfZ({U z*%-)FF7X&mq_1%D?V_BzJ&gBJQ&9u&;!Hn6&nM}_nD^S)$`E@ ztTFn>08^Gw)y?pmbF^)4#~zROhELYQPa;-oAfQ5mYjXwjbF;1L-_YWZAO?!DJkT(n zcxP4&kYRE;d<;Ll0S@o|;`ehQ2Gx=qsj+bR01ek8so~+1{7qvIz~NBd3~xb`>+u4a z`Ec+kVVnaj^$MXCt+x2)7vECp8hfwG;OJ1rM$yw@KUXt*d^A?BUN$nt;n>A;tPtHW zec|0}{g`Af$5OK50v*ThEpa>QQ{m0B2k_- zrEePkuJ%`*@L+($bqaJyll8{bp}uYNf5M>A$PX8JlE#*(17}d%W~)PU74LsEFZ5xmchy?1)w_z_!?v`RZh_C}QG7t~8qX1QbjqmFspgaf zr{McC?)`LhuhK4#)kw#(qEH{-R((@GTEvcbWPx_e+BFg>f@&e0&vH-%Tz28A5_Ko{ zvD^S+D#*vSyo~-OB?;A~_IU<#1ElA~07IBEsWH*4*nt&mMl;O>6Hu&Etp?!iII?X~ zANkCVljGc#G#d;Qh1E#M2=GY$FRmv{o%TPna-cdGZcRgsh_Mu~%>G<&c`qdV;*=z| z23=jhbFdD^*m~`^tlC-la-55i7Q9iNoQLtfPj_bZoEPk8H<1o?R>VQ~#eVJ)z1M-_ zBh5dFyf~#3dhd*l?u7jDgHzB6hwKIH=LoI6_CYBJmMKBy4>V2^2(!Yk z^E~xLg=a@`uoL#exiiI(@)LewpQZqT&Q-jWaE0;drS@+HnYbIvn2?bgW|m6;s}`c;pdU|hel{BsBp?fF6Q_aH-W z*=kfseYlUj?!-Xi5H(_(I6d>vr9%`@V7T*zGQv$$e|GAq`05E7x3RMB3=Ym^%OQFr zO=bdYCOL>um*Uzj^Vu+RWq>{05(e&V?rypu;78&X%`Dj$+?)a2kV^RzJ?gnQrgoP7 zY$`|Ytp#q!uKi^nTjk8XYstkiwX^JJQ#o>PEpR(_?Kg168?!QyezJHuX78lj0lw7= zdXmY-F~L#(u2^kW22lSio;8uUqrAu5b6`L75vM|u%?2RD#*1nGA7ee)ne!iQ>T^3r z?Uwo47&$Y*9^7&RcgB)%ZGj~Q>^pkj6_;y#X3f9os>jQ*wPYTT+0~XZmCGD zTi#3l^I@<0SW`=Wtbz6jTUL{CPusgtXq&%c%PKPFX?hDPZS`ktNkzsyeeXi8E&htB ztH_9_+dC+<-CwaPbs6>adIz<(`!i;#F5{kFdS_0|I7_D006~wN6GGjUyIvmpc@}?{ 
z;_Yc$&&NzdHl9k!Og7ta2+8ockO}m2;k`oLo78O!KTUg)_H4LS=zAb@%P9<;&i4c6 z2K;I4b92mE`|HRqw@T+Lot&AKBi=8uVxvh zAr^ch(o(PZ95&8%aW{x&;&n)vP@qOf4_L>?d8uA9-*e2b^9FVrT|5kq!OVwfo-!1= ztOUh^~+ zSpI|N&}OszYocjSAIU4)7py_{INwevYw)mQ=?mAuP{t#WB|(3~^q@Bg@nbRb0& z$+fEjS$CucY_p%P>4|*>SPXgeZQ`3%`lv=_=$8I%lsbV1p?k;}jj?hE%u&1$QMCCI z-(-gI4Tq)oqLZaR#+{ik0bdGk=0g`cg;4J{<$w!GDWl@M%8H-ZW=dqARNIdzE`O7d zCyz_Lu~Cah;!44*W@ankF|t0p*}v&$G7oNVovx*w8xh{2c+S5(lNzTdwyKc{zaYo>gwcDJ^OwD_T#hqGp=BvnF*uL7nL)FG?-Dl}TjiAj z6M3~a3mf+2N%kco8^YBKS|?}4jN~tG*&OwAsAZ2H8W*P22(@qP7&-dDBWsL|AuzdiCPp+LOMv2PT_CQMFp48V$J(Z_)grqx#3wNTTD1)uOIHT}s)B1A zj}``?K~_`l{?EETiI_f3-=VOMS|{kIYkpKqGOKd{8R5>jf!r14q+?;}2pS`-W7;4B z8}QnWi|8Y4vmyM*VtJPU>yUicxuME!n{z+Xw^{gf*^|^W;XV}%q=s5D&=*=i1#D`- zAD756%>A9;O5tLGO)FjK6E-@97h?v~%$_gO+ExZLlVqg!$F}8e=Yl6ojCg|P>N@{13(1?k2p|^K6|&4;37r*!;>*w27BYCRN&4|dv zKQ@M6pueo7;dtg(68!>eiHUO0B3M1E`g$?|){-{GExg!1bY^ZwHRcpu;w=sNloi_E z6Rl^V9}d6{HSJY;3QLR%Yi$m!?)+$UmTJrYkL`Bou%f$}U%Vdx0HY;i)d3IBm{Zhn z<_sNMlFGCz`SnT{7#Ul&%*bBb00;fh+zWB~;NiNJ!Zi!BYgo+x=TS7*>-%QgiD)b__-wYE9&*aC zi=`1vBHv{tjTM?Y=6*mckGE<_4IV9h#Y)&KRx0Z&X4$a=y$^k5)(dcvFi9`xh1z(S z2QQ17F+7*SwoRuCndFxA@Gm?(VORGc#`y8uGt_)evaD8d3EOz)M!OgfJwd?M)MRr6niEF&73mxTJOJFs zHvBBL7^wU+zQ#>Dc^0Rk3;K(YR7Fw(t}(Q7x;LTvNjOMYWWY4Dp=_z@i%ekyic+az z6Wty&sj-f1Q-ULTYI=!c9wGP?BuwT-P!A#}ye6ZSifym^^#hlh|ID!aM`2>MaMo6w zd&S!rbz=Sl!1T<1s~y)=I}yC)4~w~A?oj{?=k|ynBWx2dySsqtBqSc_dpG@&RZOja z?LWxr&+oXfWS+2wFUE-#l=H;6y1L1qnw}<2Y{pxe2JO80)lUPEuKJLYu1v2^!_7^q0{;u>hG=VkQ!M&ud8id24){1v@N-GTh_z(;%F!OGXXT1n~Mmeqs#jI$+g0 zJc#9{R?kk+ox^tK;ZZ;4Jc2Vk1=K07kW&Aj^mg2hgP0RuN z`VAd?n(`Pz<}Qn5PC`fvcJQ{y_`+w35}rJw#>>Wi=J(=sK1l*KZzm%_PM|AA0s@jW zRth`E)?^IE7oanv)BHN7%TU17%WbY^y9V-b1PF5B!ktfJLxaM7KjDh1B7q0Dt9f=R z>yvp9@L$}D>l1FAn!_=!99Lu-HQQ=N(X@=$F;fMQ?Z?$}h(rZHy|SYJu>JN6zW0JX z!_camxI(Us2YR$nFA8J)RvT62&N8l|xA}x_Z~e{)FeuNd$}C#Ig1~!V`#t zUfzZ;eFOf%JhH!uRU5`kVZf6%onSl;Z-so|RU599k3@kV+s9bPE{ymJq-pD_+4OR|F)qDbZ_Z11=hkr%(7B6exaq~4?zolM{e(qm@hNq!4fa@O;QGN< 
zTZPFoC*lf+zIfD?JN6KP9JAG9)teiL%H`xS-DpgEKE4eh82Ag(jVMI~9Urvg-TpvL zy_B@3N^PKu%@xryZa0YVQC6-*WP#n=CVN>bfz~9zv2jO}>)cZ7PYmF)ap4>NbKND@ ztlZ9-Vy-oV|8gV^kqw68WqQuI9@3YoDui7D6D>*4jz>eqxu*OM52c6&ucS$+q4oT& zzb!!ACs_tn_A0~QH(Nv=Fs_PdqDvr?o(k&XN~B#>OX-Q5bNFByxC}xQ1{-n&a{S5Z z@lh|K9K3=C5UhlO$q*$uL$)iE+GG#GM5`h z72Y=jN*A0YR-CD>jMKPM>T6ry+**!S*n%l66rTA5;A{cPp#VnQci5|Z9Dm>e{Jadz zv4M$pWH_B+b1?BsIXoh$v;0=4i1Wp&XgL0&_2MQ>pv#`_n3TNx>LE<(DP@5`vAd4< zgxY*rTGXAPGYry&fF}Cai%aIOgbq=j!_)jAYQEg27Bvv%omV-1JT$~i=unctF<}+h zA}wzgOq%r`-e^if$G}we8N3(eY-C2u#8RSweCkOX>zzm$`|KOU|I#=Zsw8v>*n=|1$k{bA5q{RpNt z4w-(Tw8l?2KoZ@8X%U!UIa`j+`D#M2LY*86vo3g14lGT>`WIi;W=A*7Hx{0F^Eiu5 z_U|641UM1UvlqN2OeuntCDC>#=;JSRWO}i}Tj6^OoF4C-CvPk$ITn2^tA~!~Z*?cB zuq$r4dVGLapHZT`4xL6OHnw17-ZtvyItp0G;W$yUDPpBo8e?__)*F+JXRc+o57nYI zpV!R1=msGmAyy(ZG{)C^E%V?Eo#{9z6=0D{YR*BoWa=asVjQp;@&<3~tQPoo>yDku zBg!`0z6y>Ue1UHdt$=f4`R-R6G!j+hv1BG?Z9;~qf*V?#cB7Y%3;^-ZZXPdiFt-__ zw-}>W%oy!H0KHnU=h#7yJg;9?%B4R!IMXa+R=Nv#Vqw>cJ zjD69)*+9 zkK5*6-z3TUBvJVr;h~OP+EJL}Oz{G69AoW;YKzEZp`FnKwRV( zOV-^CVP^&5Xwm{`2($@6@=$;lf$HFMiqq#3B+EB`1O1fxf1_ga&Ns8EX594U`I5jnYXuGd5Ohj?e7 z^BrU@kX@}cJY)PhmSgqo4+Q5{ZZFAmCUYE=lt(K(w{$m+c_Y;eg5j|J;qHJi96PZ< z5AF@80LbMbrw1*{D(VHN8$?`7{NoU3Gy$_$FU2EHKm|tmPGYh@v-w1#ao|ZdR%c?-~pFD_e#k9_Wst1P0p!~$H6yj;rC9roC(7LxjIHVIc zYdHyRQ+TOty}ERj^Xw{sZH$dA5Kv!LqYMow*5nYApSl5uQChQ?Ibe1bkXUiuGq|3E z$OL|{xDf()L`l#|blAD<(2^{IR+yAYHMQ4)C<0j|!|$2bl~WvWur+feHa?qc#xUj-8YOLBX8Z1(c2fSWgBT z$7m0^-cNthp7oG@md@Y#f#?!FqjY1#fPvV247?W?DUe#gMlPV}FzZydNpR$8|1r#7 z#0?f(Mj##U&iPTdPjyPwyu!X#S@6OX$4+02p8-Ikj97($-)+(deg zNgxf-I6sD%n;%&rq4pF)so_T;RpJ1W?D{m^0tdo9MoCo-VJq?p1;8h36ZYOpe)CgU zphvrPF9^_JVf4l>w_JtIeUHn@m_bYL5-Klk)!l6i?riPhbB`M3^1kaaT=$%HKRzP_ zviY&XILl5sspK(h9^wLll|;tX?EZkMbVx=7IpZlwhEe@?X*T*b6)Dd4j9!nvcPprQ)X_uiSxKORn2NV%V5Dx_?Y4U z^bvEih7me%n3Hql232$v=uKlDBS$gFRVpO{{0c>6Mlnnb3zD4hFhug^KV;4eCWG%( z%H&~)NQwIcGC-RR4NG3*bLO{7DlZ1gbMD8KX-jLV2FF2Es^d{xn? 
zEaXNQZrl31bf7z&`%js(kaJxLl~FjK6EGJ{*Jx?Z@|#L;gRDmFdw(jZi9q1i-tod~ znM#rql_L+ND15NCR7LKfKbq|J<0GX%Aw`0;YCz^KbLlf+-P2 ztl9j%snPt*9)siqkHAjNB7crfN35iW@Em}nrY`zG87ZVR+yT}ycQ5G8MSosKsx~`q z+fgb{W*S!JcF`q{dF2v*u3xys(dGY4Bw`&YjHRI;v{8p!NsgFPZ5(nVi{;bGm;xy$ z;H~oj_T)~zbL$4>e4nv^NYR_)V{s&j@RL|D^Ij)jQltIo4vAhpo5EG zlDPb`mkr>n0Fna|ey;be%EgYXL9yLZSl1P7gm0!*piW&!Hw;;udCrmrMc(w}=h?&r zZ!Ux?R0-(%k&avYTH9+e-OMi7Mob?__1Ymdm)NmgU}HuSO6alNwDH{BBl@7J?5TB4 zW{;%(VLOE*Nhscgqo8q|Y1i>Yn>Pe?+6 zgeZvE&(wiQ+q%y)k%e0mbCqw7sm*YRRs;JSF~PU|Hseq^et zL5!!+{|~?W?;yR6O1Oj*$XBb7 z|Lr}_m^(ncT&;=(A2lMS+}|P-KLp$}9v&*`He*vk)L8k?QYw}MtdwGWvnD=~G>13% z96y*+iAbxfLgY$C(2?}o_GeR^CW+44#mUbV%8DY@WDAPfo(^Qi$hc3#pg{1ENv6~a z&Kl0tDLfm9jR8jbgVT}XF9MS@q5JV*mXOTMzVc-=?r6Xqu#LdKZRh7e=?C@S7Mz9~4)CnqYX{r1q`ZQ7a03ht^aNnlxTD|7%@osdU9D=z+f~D< zb+lB@;F@+Zlm#@j$CQ7^gWU_lH8+ANPi_iqi&#NGt?vjbWPKkbE6mwX+fu42$?pUv zS$=h%ff1>sWmHQi9?Bli0B+|xo@^W~BOjXAq0g<>Mi9)cQ^GHzF*HI6)*?4h)!7{$ z!=u`sm(cpnO0lVrRH1*L0aI+js|Y@291(Wcu*-zK&weA5u-G=SvQkIb5Gp`);aRp* zCnvg%;bHcKk5?!@{tY|-xoT*ilWDVcubCeUI94QF!U#B4BS;O7Q$KKx(S;Dz93EUI zl#L8N6DJIAW2q!XmWQ^^(~Sca$F60e%>Ql2$Y;2h1jUjv(-dYjCT8 zs!MPn&ZZa69^b`sEh``P-~zPh*3t*v@OSC|xHnmSm?ey=YiZ)%QMwfyFfZVW8_UKPKy$X~TODpczrzg>TOBo^`oiwa8A#+wR>;SoHk*9e{KSCnl zrDEVNgN$AWPl`>#N6gGqC-eSt|1fkkxhO^_K2SOQW%foXwy`T70#HS|>EDTv)CDbH z5Jzw|m!1uSp%DZ7jWYHf>;R@PGlk-{*|-6Yi2f|a1w}YvSs|Vfg=jYtIjptob#d#M zReWb)v8;8RUkWVj47TdMg9*0-K!W7}lF_Dw&M3nk;;A+fGb{MaY7mdApb$*9-ose| zoHYn-nypS9=9jz&zB3DpJvXITa#I(0xChW&V#mVgm3KReRV2K7?I`3AsF>q?y}jg3 z?|8&KO9(cDnQb0SEVg5x#W`rP{RE=>3*yr=O>X)Gd4ELK_u zhMd~HG}UxQyh{1f{Yu(Q5%$f+A+cCe5bdV(r?^1yg#{Y4EkD)!V$-;U8VYi z&f<-=KxZ-Kwm-yTU!$b~fU^hZ3@z$|wMD+gzFKAvOzQwFe8b2+R$Qu?7|gJ**2cwa zr624oe4ae4#rOBsl9h*u%(Sr(Snzdx! zRW#AchDln1WhHs)tlE=?Sw(HAh+qR|p7u(L)MYvG8Nu?hZx~ZJe>G@vU(PQjBmqQ!^FhN_nCAG0+j`^n&b}|0_oZGk! 
z)T2%HvTXssrjoekP0|UyfVxAcDwa^x*)M+-);!T@H}Zv2Odg~tj5Zn^WuQXO#7AN* za{X!(SsX(ga8RC~+rggOy??#!|FLGu3x5QaH1=s6&yC5d4I&6sP|Py>XV0DKJ;{$L z2+H)W#f56l#iV!_yb;Gyb372!uRJf=smSyHBO|`Lb*OI-3|nM1>s=1Ytc--TXuPbO2E9#r((yv2L_g zjvLKMWqUw1{V@UoDB7W~ar&StOkKP0HOJEkYnM1**M%m5Pu0ezj69bLjMEv*&UeE8 zL?R?<^x7#nJx!+$m{mgvVZ6Ng%}k@bAdq656+Of0hhKpzjU;~qdp90#;U!2w0B9q= zgbe|L(1tXqd2(v`;PlpQB|JAC(4pyzjs01!KB%SXkVyj8CcdR2 zWt0%mWZE2cftJcjnWWxn0~^xK!D!by_c%d+(~(o-@Dx6G+i5O4V|71&@-7TCDEErP zFPsl|?fwh^HJ<}j6#?niZTUqA_p}N@JQA=@H#x5%r8+rx@0fwaZPjt6j7BmUC{81_ zL_5`)p3F)!+M@lmcQnh_k9of#(&A=6uxE`)k8L~0)}rBsIVR~jzwghhB-$U{IByuD zD6g{4hFWLcWjT1)wY}+9oXn`Im^aqsFv_#xBwHg%8@2ZeXJ&W^|3)x0R`o&WYMMXDERr+28HP zUJPR{SBSyO0(m{X?%6!|^TdB`hnP<;8)Nfi2qB7OHBDn9^l7)qfOt11`Q#s3Cs%0E z{R0$e@(AJvX3Ge)lq~^&yp$9hNU{sle?oR959yJ>vpt#%|9Wg~@5GgHXgHt%fC=^i z3^n=*nTgs@BzeH$ZfQ{D!Mmc_)<1Z;)g(05&&KC%``C9nluXLxHj_;6POH`2%Jbm= z_sld&8)`BvZ3s{Gus@c{hvz&Hfy)Dt}YoN z7CR{dJKWxP(Ftc^zI^z~*$$>K66mzq493N|o>$q#uJok2y<`VeV3?hHRsO|vxx+-b zQnk1ckDgdgLh?R3$`q75c^kuhUS3NZIiyNVxMwjBjXxC?o?dGAVTr8!$Q$8ad<|D; z4nEi1Ou!}B-{Mkmaz9SA%&lm8q8Z^d#YGF?sO|dVJC<9^@cUj#<3lmc0+hwf+CF38eH$yx!KLMD&5$62KvT4=r%x zv!%uBuw1lk&FqLyKie(a5xNbq<~#tTc^UD%xU|DH4w3p9DR-!=E7D+*oF^A3afHE$ z&@XZq$x7v>`9}w@GC;y%XZ$HBNdE~C_|_QEp_1}png!d}gn82moEU@-CZoHfR7sMm zo>h?Zat8+i+&Nskk=zh*Dy!G2u^?{Dt2Za61OBu|d_UzBa2uXkR}q!K|wQy z!!P`(f!;a5-*wB*=Y44%_gasG;+B%XHrT{pW)XM7jJ2)`Sa}1D5!sBFxas zg^6Ho{?UTdc^vQ}>lj_M4})M>)s1_z7{G^{pj>$Q0!5|z`VX#t}%AoBWT4klCU z33h@KjK$5(XLs9*Fh-V;Xj+>k_)m&Ji?Zy(^{~U7M1#*+0g}yhmqkIDtr2Mx&V9A1L$W-vI%;T zbbIXIlRoiD1u0vX!+;NBVA9<~pW=0YIRDu0iG^*H+AhkJMHR0IO{>)tIeGjzZl2j%KN9nO#f^R)jFpB9>Cs(Fp?ebG(dN z)WM)MKoZz|lc(f%1Dw=&LnI z?U>xw|BpH(?_uoec3WI<4%_Z(D3t`URD?L2Z-7L65k;`zTpM5z7OpC}M!~wmt#4_F zDlhnW?c~HlDdHPKYek@N1c&2nJ-xCdYX!W4%kX=@bFivtxAf0FGE&W0u84)X5C_}a ztw0X3jb!)Gf_GHEpV|Pm^$sqnqrv6#4ryYY^9{nZNF(3B>7GM>JK=ON zkE{bTZ>y0ZBGSGOBf*|bF1Y8s zIZZ^}m0ETT_h9VJ)yzJbWY!%=jr*mYOW};(SaaY>`y3%@#-uH1?;9PT4+So~+t|+` z#R_=6v4~O^fu}1X#}n1B)Um6l!b@p|=6rPZkcq;L9^MS>SOCjpfA`e3 
zt<>{u7{;LHnx6`Z%efVy!vWG`2%pfO=lkLxu#KxWsU$tQj+%x zOfs5XDe-k=_9t9wa+-UZ|F)dN0HjZ!X~Ws%Hjui7jLV};3lh|jWxBm~LivF^1MPvR z4wcM^(sJ2R#CJRfdSw-l9!B;+&J}h^u!T9Mdd9U{U{oUY#(-lE$w3Kj;LULVXl6{B zzp3T{Y^<8kCs!x^coZs+r&+|~vl_sG=)@ecoz_4w2Zaf*1`p>U>}MGwQnr4~Og)m) z?A8=tvjBuj7yqImxNv^#l*HN5SZe0zwU!6@TF@ptSfZqgXSYMjzU*Al*>mZy?r%E z5lmnNZp;p6IGI~;-~LM(P7TT~Di?;37^v*i(vHuY2=V~CxpTEI7E%SpEe5 zPxtXInf@n>#aWcV@9bmb8BnD!CnaSLNxp5-5W5ET^NRzjk`NBG*ElwjXg))byxRtN z;KHOO@T$ui=_AX;L~&&cTN-k(Js{PkV9E`^6cSpIor7t{n!P$5X}Wq{Yvr*IY+d`D z2j>f37Py4a$d|v2sSRcSW{9sv>oU}16J+fnMp zy#b{u5cM3|9#z$M)Q?L~$QRW0US~Cx<p7}RvM^H4=*(iTkmhUEz>Fu3j+3$z6b0uR6CTy~Bn|EW`6GOPBUzZ4YlObQ-+s{i zkC*5am19$TRxmOp1pQGM!8>KJ!^8~t0K3DR9sj7w;n1>nvaZ@{gRyzhXl8I%cHNc* z)2`ejv5B5%UX0BgB*E|u6&zj4j+z}*t)-(-z)$pwal>V$z;_aBcT8~unnDhYLJ%0N z*#W?waqzmyq!|V&#Y)?!@O$;a1OGq2zyFJS;alm8K<+5ff=4Onr(N+OL>HdY3h)l)D`>uYg++odNL5ybYb_kvT4X zI_16c1(#e$>my2lZwU`PhZ+%_cqqi<<0C#s;Ap7n03+lYH%CJu+|GuYmXtk?Mx5_4 zmRqEta512d06rjX8aQaZ_EJ!)`~)K}|BgN3l@!tW5!f~ZP-n<#Pp7Phd);DYPLc?o zATsEq%ML)mvOvQh969fz30}Yuska`pVb73L*q5H6r@)@F6X04#{=Gr|;`4DLXltw1_bb(WzxD(o5hdI5JnsVsHq z#GW`Eu`bLV82-y2-X2d!IM_qQ0YSd(rEc&}kPeF;9-1gUh4-uDLU%sOvpXBwrO4?F zeFen}ps#qDqjL^@0dXsVI^_oNoNziIK8Ht=Fn{r!2*}X!MuZKdAq&kFR*huhqEEEa zjFeUyX7%BsKH)IO%zQI!=AF(2h8!aBZ>HFqV{H2@b$Z#TO)ndk>1ES?uo##8XEw6B zHg^(slMU#$;$9qox}IFW>-jrgu&<9z9w)!xY`(z3UdZ8$Mch(K1hV(Y{3+19ueHN>_E`8?Mopq|Ho#PMR8A9M&&mKxb zb?{`B2V(~Ys?Yu1FcK#2?i@1L525={?_cuo8R(Y<{F!Rr7wAuq9AmEUrSrl3%eSAY zMmdsy?*^gYCf_#<^qXMrY?t#46v^MbTz{qweHrv@IqzulebO%f`sHGB9*r)?qyHN7 z{cpd^^))$T&acUNs>JgjWSV?$%o^gqQ>)?^%*!?AN67lm^QwGfjt$J=@N(T<<*Rxl z)9$?IJ2UT`e~0wF>JHWGl7A_4ozRC1bhm@@4)}J#XH+lebI@lr#!Td?IAd4?VwR&foo!$-hSw zhj=L;&zL^KRt1BN87?eQpQFmbamh`kQQC}@b;dGJ#Uu(_T8ATJpM&ozWxecodGBOZ z%HX`Mau@(DK+?aN#8yq@8iARgWlJQv$kwwlvx6g($&IKpcVI`hr9k$uIY@M-n03ha zzKB+;>&iLTcTIn7r%QF%wvEucYGJioej~&c@OjX5z9wfxd{Y5-W0c3*qDF@}-WWYa zN4KBGMbY5j?O~Yr=`nk&(2UMx{BI4fgjFIurVZZ>Z*jbK3CU%F#=QNgR-lE)$Lrh+&xRb%gUg7 
zT?SoqG*VpQQ=<&E3jDR66N_`5_rY1=t$d+5<~vWM-;!3sW-#`q2f*0L#DrVlh0+Q+G{iV~` z2IA)295oj+qePKv`6Kuh=jjG=4Gzw{dNqCQXzmR@8uFKstOr38-mmf+F(^7k`L5u* zi;SM_hJxQU{q{nxylyKe^k=-Pmp9IS8uP;gV|8*KW@MUgmJDncWtx zGy?CaLX)>dG@v|}9R3DFUy;Y5%>1PjZODMj;SqaskcSDC4-bxp)`5v%>9IE`I*K`gqy-vnC)fx%y-g}69374hc6*}}7rtX8Cnm_g zxZ!f;Gujr8(>OOhI4TUm4$E|L3f`#$Y|$o~uQNRi?{0hxB=S?e{ps2P)$eg0@1xzj zEg~DoyGl;8y@+o2F)!3Bcgx)jKkGaS!sahMN#5P81zTlUT<5#=q;su9-ZTRYX98bZr>eLWNhajEUc` zf8aiz4#DaJ?p@IkMSXcu+u0aATpyO5ghTeQc;Wf$2vq;UnUsu1qcl`(D`+dwYrwF7 z-UQ@rc(2b&vdGxQL>S#!>Hw(0F0$c@soloec}UBkuq4A394h=mIPAB3FxiqUWMbCu z-RMFbOp<^Hzn#^hh_zOM@}ebvx4C>W3*|h zds&POKiIDE`$&my(Ay>YbRhn zyA4ABqQH9jV_4P(DF5Hv&J~XYBG-VQNMfL}Vu!0ak8E;&e&XI&%y=6G|0LLq<#xNU zI*nRLB9T*LNz|dO3)_Fn8?mu9F2_+r?8wg?rTmRp!=Qw;NY}N-FB_~Z6jxpCd?x@Re z+=YuS1N%!?w2{41;swh5zPzRAo@cc0VHMe}*lY6CVq~o4xnaH3Md`$>_M!g@tW)7t zV!}fLBr{$h{@7A!KpR+?#bW@1WGmcCLS6^rYOiJhT7-ZK0cd1jdVI04C9guPT$v9G zF1-z|O%vJY_|sNR4YZ3x+pehTf9XRV?m!ur{1lgQKRgiTOTi(hHpQ0Y1CL?GlMl-U z0NH-8o|5KUyU@}Hm8a8Cm`&ytUDq~PtEE>=?VH1MnZ#6KEG%BRwUW?JN$>m;sW$(|~{A^VTX;iP(KbyR#*m3ld zaEM>j@Z<>9nn_eqy;_fQx!k-H`c1ero2myD6E96Z@&qTW5#?)e5q@~*q#v*)u#aqz zDY3cf-bqYtveL5VOE`;rv4F%{fh$NvuB_2mpv{oh0L!?fd%dc}^a|XI@IF^aYW1Eo z>K3t?5g$5JF`_4QV-2H1T3!qjHylAM1x0-$JSGSnFbvpfkfY$QflNrUsp4Nf zMr{4d!!-os3El=_G|FDYIq3w8PB>KVPWupZgZJlE=Wrdw#GnLih;TSfFQi_i!&9_; zC1)ZS$-%>@xd9)$f@K-*Bt*Wm+<`$EO@_6NLmn@th%880I?IUO@Y)F%QTRx2p$@qj zi(d$m=nf-yE083O#dtb(41{UZ{tXB^8epJC+>#G74Fs$h*dLq?);Fqrp>izKcT$O+ z<^3dV#+R6lxLnj*gt@o66Xjk(Wb z{0`E=ftUhb_-pkN51HP61|u-YXBahK4inxsJIr4*@d1OFSG_k?0K3R{4shmIC5a&u z9oh$FTW-h!47QoOCJ%n8^r&Ow8?&pp?YWbTms1tet*Hoh4?njN(aX#MAIiM(-(Za=|Ecs;ULnjB5TJlisR~FV@)W2Zc zqK+C%*5$VPPY=7UOJstpbV%!?0+&$IwZjxql4;+qRpzv@RH!ua{xB%^$FRX}>;cZw z4Eq|oem@r_1O$Xx|7*Tm?hR@TNDVXjC#5NT_KkmTMuiwm1~MDgYi@!L^N&sXc3;TB z_p+m=^3fFgH5jU#@HFf8xnhs;S#v|RnW=NJ!|+dW|LK?zRSAbc&xg>1`M?mVsUU4E zei&4|#io*`sJ!hmF8g7Ks1X2tJgKgF>ORr4-KeOg|1u=}r*u6Yv*j$5;PJpzADr8m zwYf?SPQ&rZ07)Yv1PQ_8Yxy_i{;uw#e=dj_P>|9-2O-;iJj26y%f2T0%pXh&`!aoB 
zkM93k7a(8129A@6(2m=!0#ittoXXkb!|y+gLL2Vp+YhSo5U3vIz9En}kQZfZI5Y~< zA$xE5zu^%~`3+g0PlV5n=ap`;R{Z{fc#Dy$A772_<8V5vtj}=4(=UZ#LHf+Bewl63 z6r3|OA8&U8nEf>ay9FU-Oavtyi)^ih(2e*X2>228%ODVI8L|L~0VZq^K;wsykHuzM zr7;ocnA}kq_rc8nLxUdn8Fx*>r>-fG^}TF0(-rM^9ps7sqWi0UnKcmsa4k{h2_s*C zIDV!Y=MCPLf#1Ol{Y%XFf&WOsXFjqAO*oo4{v$pUqETi71aLRWEf?mV!9)Q!x43tN*R6(ycG;-T0CWZ6~CeB|Jq#gli=#kQu8y7TP>= zN%C04Q@G}#Lf2ZY-RLDr+t9+h?ML@sx4$13fgV%K#1XgKnw*=kD?@DwhzQThE7Je$ z&Z%fn)lT38J5K9rT;fA&o5xg<^}UIHX9gQ3#Q(j3H*8W{@Y1=Y1#Y(n;l?(t;A=yh zQEOHaiGF$FQLqF&i3dk)LBSWL^K2$wIpNZUB`POJ zS7L?sf^bol93C)M3o&@kM5mKJy(Q=(&jR_10d@j_F8vzLMKB&K_)2U@z-hxY2E^(M z@yVJGHJHp4J5V(I3wCWlCpgT}5QY$jups(kzVBDLVFBj;Vw_Owm|h{ss9VS+q_h_; zjCXpw1WN{QYP3Na{E9zKdhp3x1E$9fWgBic5>46(1i<70d+oMH z06k@7>2sCb7ru0C^d%u-?PP%j)-);L&;2hKmwMHlM4zb-fPwhyO#aTCkb>ylx=fN^ zIn@FNZt-CR87A2ODe}LJpIjWWK!>>_^zAQgpo;%fgfM$4jpB-GI1{@42bcd-Y5@xs zGqX&OK2oN;DVbUgf;8VOB(BD1v3Y-aSZfwduBWZkLhV%N38zx-TpsxtMVwK4OOx0L z4#{Sc!2~)Ifs;`K`hhyB-!4OkCn?@ccY-hOE(#o_-@zxuj(`{_(EqrFS#AL3S7I5f z$wSjchx+>_67B?MbYypwfdjVNNADvOFcHRE5CH+CF@wK$OGl{155THpti>7b2jsS> zkrWD(SvEitJ-0^vIU8L~le}{Mrbj1#CUv9yqVf<^4V_PqytySIpV|nY5sLN@3mzKM zrGmLMe=Gh6@;%q7in+d9AE?azaz2|#{t}TnW3d{ngg}v0M)LQkP5w@Q4_d0T_ss6; zyv*B>)6qVq93q>J(&eq}gk{QqE8AeRv6nf&KuH6oTnB|Yg`6XTh0JqhKQ<4{ETaeJ z{1?Gor_A@k+)Mrx?8|q(98YgVa#!i{=d%TS3h9PF;h0FpnDM4w=2|A^I{QxxBFoI? 
z5zS%cG(@p70Xjm3`*EAHVWnkBVyt0JoccsUpO4r$)2ydo_sz)9siT<%Zt5r0W@gjJ zyy-PZcy8sO>P{_l_sP}lS(I_4IEakf{=hSyi%F#-Qtn3WuF&L%C+DTd4C+$%E?u9Y zeC0GzJ?DU0Ed*81ZV<{t^<8U5ZyAGs|FCMo-A7&{6)tl)pB2*xT?6HxI%1?e-p{$* z^wirTH4{12k7}mQwHn^ziD;?=PJSi7(ILo)(H^GZ*jF$J4Ve(a1iPo zqXvlU&~H}DADMaFibFzqtTs_iO4Ozj;!hE<+=TuyXCMsoei?|&PH!ZZFp*botZD4U z^VTh4`fu43ncud^QMigD-#@1=en0dv@_0a;EXbR=- z^V(q_bUKH4FYZMdX`}6*I|B@F4|zZ5h|{>?IC4RQ9=F9mz?=)-1;1eSYJCjzwn`kC z=XBRJ-{s{`2WL`gW{mdHQQ&lL*J&GDw2$bZQJ1+RK)W+i-w4A#2SNNlso1GjVqtG~!aOk7aqB(PEEg%!41`J9@HmuNcat&HHN^L`r@P&;|4M?LW%E}nbf*CBb;oeuzN*x zBX@+2k{m;~%9=sy;N3 z;Zwe`E2%`8n@o^2w@9`dF#8Dxz$H+bDE@5NpNb%}eH8hR%mzw$(G+0u(VEo;l$u{f zNV_n3Upijo2ah)uhipbXvCV*ok2?V%I`-)tbCMqaiaWr(ugSv;ku4ikU_==(Nr->- z0E1#oDNz#%_D@#Z5l)sLHzJB@rv7rh+)d3L_TnFyMCZ(BxVpfJBQ23ZKdC|21t3l4>bp^y?5G{@jj9$ZtcjFHndUxVMj|6&oaI z$C>yy32^Diif^_QiwfmE8x|#ZJ(K@ zXbKp1wdbDvB$YI_LTQhWZ9IxFd$kXAmE7f9vlV`+6%tFQ?sINOsqn2p-UZ;uAvj~~ z3EYw-MddXb6{ME9p&Dd~;QNK{2PxX*ZkJBS)b{5yeXc4*#X&7u6NcFHNwve{2AQdL zk@k{yTYGIs0rZ#fq$R7Z3t_2*8WL;}wz%RLpnWp#XB0M%B`?6^k4qAZ-v2=&vI_`; znV=E4m|ck5!F?(s^N$W&4aVs`qfzNJ;DH%#^4jf?tqQ^lZ-g5vo-b#HhG!SFZgQw~ zyK(+Rlet>eMuo1`TdUhQeMT<0gv%4a!3Ry{brtkrXVT$3HQl z5sAtG=W{F1NvOYLR$u5u-{MVen|RwXbJz;BwLP>) zx^M=xhbRKSz?`W2{a>1OMR33>bAAaLrl^QR_S<13cK#f9Bh-;WiT?@%w~re9d+rS-?g@8O8#I3AEFl z3M5sFuH9K{4KZOD~a*Xb{rJ+!i27)#ym~6Q?V%d&(DKH@g4oJ`qW*9fL-@ZU& z6Z(4^AF$$IfWFU9!Mt($cnuiQY?(W1C`eYqo+xo=p|##&jamPrQ6Mv7BbhLkuEW7( zE64mxAYLHmSwMvYj_NrGv``+#1Y*4qsHC`7RotC_0$X{zPF|)eZU6)ojdd;s%Ru`yOtS>DwtRSkGILvCb+HiE?0u@U|N}^(&yx=FR zEi13FF|e?4mX^j2j~Y7zGZ3!+EUCm|hu@L-fJ z>cD|$NGQh!upvl81`Jm#02eF(RiIF%PLL4c2f_mfQ=bM5dUzHnkVX^i=pe{}K5=er zoJ}Ua1d)WMPwX4}o-wgsT3JdTD+?@Rj>IEwqU^%d3vOFTw>is}kLZ2=~f>o2I`E^$~_n3-6( z%uDOVm$+-IE9(oZg&w5Ur9wql7i&yx*(Dx>eQk9KfF<@t2KL2*1+~jetfgYP90MC0 z>uQmIjcI)?y|lt%W3jRD*H{Hrti^as4694rwZx)gg)O~QKzX}QTyNJ4^~6U-J$3gf zuhY(i3=uSMNG0EvYTc#+FGuKjm~(<~3%)1C>`6 zYr%t;1?v~s7#Wz@metq$wOX3OmsUplj2smqz{nXD&nJ}5F(E*@6w?xbDnJ;RimR2n 
zMB*ybva+%Q>l%lRX?=Bhd5MX`R#sMESyoTG(sG3WU{+$SF*2<$D<-EMN-D}KcZ%9# zf%4NwM90~QBONF|8mhh=@h7~_CUvUP=vXdCKIsi}Z=Ml2hLQwJ5RFBWc_5KV0EnamF^+8WNILiyk-*b3;27yNv(+kUW~nKvP=&{3u%bu`WsoN?lu}A;Q3fhep^S{Wg2}iz;i<|T zS;xu-MEFz&npjfl$W`;esK>5l$3O)Yn=K3DuB;jg$B$mo!Tlz5*EwWM4pSyxwroSB znz#akr=(?_AmUOiICA_1ya>o@nS)5n_=HFUM!+dejnTk#Wdun8et-$#a#b+4P!Y`i zs*c7(W9Nq4>lpF9EvDJ7mf6+2PY9SF;(D)ue{^@qYdj3x-DLDS{5y#|xb92@$zL>X zaBOY|V-(=wUO-2XS$7*U`vv;p;hTTD0-kUVXEJw%U}lH((;38d#>hv!Q2#oFJ+clL z=-_b#2`!*egZ9$YTjc@(d@6b+CIJ28SP0`g==CMz(E%)Um3jYWIGI0ii^H)@=w$Rq>W$)GxgM$Z8XiS+41o)%%78OLeT2 zug}VteQv#X?2|9+U1ou#deeASz0vw@?%6^=Er7YC0zc}Rv8rd;d0V>VDv#(uD@!#E zznfC5R$AFLwQ|!ad4~v8urJkQy+gP#cbEJrpn6eo2lU>O_2%-4X0cRRgVgjhjF%T` zosCU_UG!7YA%_YBEN@L3A!wCfKy2}CafA3n77W1)vdA90Z6XYn6S#A6-?t|r*AX5B z={S(^AP9s5sJIu7QlCatC1Q|-GGzP%7886RIN2cM!H}r9#lbXEQbFxrL}Ji{Gcq8I zQ78N`5CDWEQd!c}Tum7*QHY_Y!J*?PMiqbvR)?2aLlq7D-oVRN_MlzmanK{oL zj~K&udy?0zNM4KjIP+cSQQ$O6^EfU6Qo@yglY65b5{InL`G_(`A<2I2w$T>vidng2 zrs{@wy#EI#Ke?V^6dIqejc>(|bnV9Lb3TE&^iJaRWG^JVUxzb#qXtGA-|$aF{6 zG;J3Nxm$_o#o+-=um+;B6Z9SMUt0C4D#nxy`3FcSG_$*6$f!Gjv}XhmOLh$4@OAWA zG2rf3SQsF?1W4@@u;}#LNN3t_w|4NEVK)@XZ>rBLa(yM!#M?$nEOh@^F5|(Cm44}? 
zikn5m}j{6j>=6-Wm?6(f%|)-KC{q~gT)mCFi2&93w-@L zLyWZ*cR%1^4}j*^c7?16!cQ*`H_lG<`$D)8xc%n?>u6c+O4RSAfov9RG=E}n6s_8$%$prL{O2CLe3aPMo0h#1V8`~02B!>_UJ^_Z$D8x`Sgx5v3vKX0VEM%6?bK#hYD`_K0q&rj%p z{-&)RT(#0SC#Y%9X+{2Z)&6l7W-3xYCc3vE;*x(b7R&K9^#0P4s}@`^^tQ=J*KMmb zHN%`exy)grCwB4{DWd?u^;?Xpp91?5r-0);LJfIl2-ovC)=Xp-Ey`2R7S3>bEhsaQ zsP6`f#wT}eBMIK!SYwp7w|a6$cpYm3%~6E}ZmAkO02|pqopH)H+9IlB}Ki?%Mhc!x|)(u%n0Q2CncIvbPa2rWZM z(x7(|l%j=6k4s!W^Eb<-gTlXRqc~y&zAQf#<1m8SF*3;q??tWX5yjL$bi1x1oa7++ z_?MdnMsq1a1Z*M%2REn^x#b3y(kv6M!yN&dFSqr;UL3@y0l zW_SV>c=n^^MNN`FR;f$%*iMN$nX|LUM2>-izBum(%7F?+lu-R})F`XteTixSubx^oVIWg&w0Mmi)q z9x%o5aOX(69}m&jh+s0P6`6a#Mqwb1=TMl_ZE~EV7m$)xdDg zI8{za7#c9qHA_?+*Q=1_z2L|7X@D=VMbE2lQ_*@C?=B-iZ%>ryQWtC!fH_w!g(y$f zN_mf^U{sMB6m$@_gPhKNss~(#cdJz$oP9g1M0d}JRPJB+S^k%^FK@5I*LPER*M>f(sO2CcSHXD z%Nw2~6}Pr)V+FsyPAE;=5d!N=>Zq+kuh*6{5^^gT24+MFuAU$uXs6T(!I=&bU$-I2 zT=zP1n zq25%F6G(%3%BO1gKg<{~@rY9DDnntfL?Fd7OwCQqlhJv5)?7`FwOvMoFEW3dlFlE!**usIyGPr)9xi)f&Qwfin@+GQ-9Ze!dTU?-E-F@$4n8~Z`tnK zNpn}`UEcyC4XOz4T+*FF?NLFkQ;E6LI1|M^?&W%j`|>Z#j9|FoF2s(=SwCpUbrL`| zwhOdHbwYLrlfJ{A;%!P|UeW(cX1i}BgH5Qh>!tNV_ubmy9=AbIC)nQq5AO1H?7(f} zl-FE0+cN9OoqM}`9k@4!Q}veMBThNjZ|LUQxxJLQT)x4+qv`F@5bnVJe#%`Pd$N=N zug73hzUi)(e;jaR)>1qjgeaF@!BLSXs4Mu|3=Skq}yd`v9jhUk*1HToL3u8Z~AI5L(p zHNDYmZ=md3^^gVKKNe?XDD;OuGd-nVwAXI9Z2wISULR>R=5#7Otd3R&-7_T(Usn+j zW4(>U?hopMDciOSMCb+moiVcVQKITV&d7XXg+BT4VZi@E2VnOVK=rP#YJi^54@}1c zd*CSbibM6Z$^XXEt;*-!Fg*kQ_-A0#ICJXY0|O%}(t%D1uBbkNbv#Y$fK(MbxP*Bt zM_Y7%kmi_;0lm8wrt(z4(GSe9{$@OyU#EX7jfb|xN92zf9Kj2Q#D<_BlH!NP^8wUe zE!Qdn1EyWivtGMLpXpkKir6GE17o^6k>v}Ci~Mta*Bc4YCkI^h=v`VXaIR6;wS7>s zwwZ>?%8Eaz=$dt!t1gWG#9~a8F0IG>$AiLzDs&6XP9AEYKFBfd=(c`X9P}7D@B!I4qguf5ruLvmlECl@rlqY2hSOxFbzEpHpOzem2QRz2P{{MsH?5pjvEwod-|D4#>6i;232 z=zC^ux!1ePi(J+d*&TuKzjpuF9Mv)%K#YJ?M`VAX6vnXCF|HJ}3!Rs5R&$*;|(C{V&;(!6?=KzP7j@*k? 
zDPzF_H9$Jb-MVSvG2Zpq<&#)yH#4WUbMz;MwLPRmy_;z5UL)TaG#Qz}>}oXRGlK1% zyBa|p!t4jkzi$ZwF4XfL-tb^Hu0FY7HSGeV2{4N(LqQJDzex@Y?y@|GIa_*xwe_k7 zb}ZkrReZ15-*ZG%{S2mJZ&d1l;hzqmuuKsEyIm`Nu|zn#am^GE^jdhlf zg{69k(xB!;D~P(3mR@pP`E?|DS(i+8(=mLFCjatQ zqL}&e5&MzY7ml>@pb_*rwhaCwO@!+Y4DU4mS~VJQaZEA*0z?tri*s6K6j1V!7t09a zNFh01EQMXm=<@;<>}b`yd1XDo;SBR4P||EFq^4Jg$)Qz6SmGqA1Qt^sxdGUJUE^Cl zZ*V!7rRmB~=S<*ig2*O)Uu)<_MIU|_Qtsekcm)~68);fC4FVBxJy;it^MM}C1P59? zEPfu~lU(1H1ksA0qRn1Pp^CjG<;g?Y(VAoMA;E}94!M3-O z&9skZdMlBUA0@CezlMVk>b7ktfqnvcIA&RKv{uFnMmGw1ohA!xv*&ZEu}+KK^>G7T z?Mw&LE1#dmVGT55w%mrEf*%CU)HA5nlbP$ec?RO|A%lS8B=1MqjBKX-Yl~TzcX9Rtu-V-D#xur~ub(pGvrTWxHTnSc2qXx%Ry67ub zLFaL6KS769>NqxcpzT}`-dbg;6ZnZ$9)#}py^`J-o2FFfvn?3`|DF%_A|RPm_^=La z#+_*GgXHGRG81+DPA;*_joZ+@=Wi87Mx7ac zQa&jRv|i{eOJTqL|9(Yh;2wd5r$qL@HyfA~`H6Sty6BliE$yyZ+rVSdyctR`#BH9* z&_Jo?24ykI_6RoTkCr%b{R*x#NZ^K0U>4iN&;{pzRI*{jFv^)t1R(<=i*oRqozt&uq;O`LqeIr&yCtE)*L(W7EM>ySL3pn?MDiIf! z%y#88MXwTeV})+flgrsIe|+@9@xUxG+d!%41ENqK`aRrBftGVFjaVs`*3@Ms5@6#U zNk<{sJswpGJ2!?pBQ1McU94!nE4R%n)=W-AVXKH!K)zQRGYqa zMv^SPB>@AO91v}4h|Cg=cQKnJjKi)|hL2D|>nD&MR2XCy#!f=lfk0~xYUN0`b15AX zRjG%mB41HbmbYin9f~d*tjI4*oJm)i@sPF$ffN&88F;ObDg2~aVaCJpdZYx0@wV|T zLf6(F&1sqD|931}L$o+;2IpM62FS8Du!7>-o~O9Y*e>oPOQ6SFl>|vA>u9+AaHqbL z5Y0S39j<&4l!OmwThG((qqAGHVbOAl>zQ3hqDz&)WH-sc-_&JMrlgJz(YqtNDFDvi z=jd9FG^Tqnz1{RVI7QHEwL(rwaf}gNRn||X3l3~-)mR{iZEE=#%QA|AW#s?WkG=MPXx!6Py-E{` zvz2lNN|Ql-BL5Q)tgimF;}S4dbK}A&^W6)B<8HNqR1* z_@G}eTF5_zGb`G=Ye;z<^HW!G&>AVumd_!OPM-c>-? 
zprGN=7yA63$T_(ax{-0Z5eAl-RUEkk{04~X0G^GHCkRlIz`%wK3+y}%*G*tMO-m$> z)Gdrfy9`mWRw>9YmvX3>FQ@)}Rm#{O&Pz_-(U*ke->Ko?rbJk7CWpfQBJi^V-KVj& zyG`&>G|sjT1k(Nnyrd^9LsutzRozP>;7m{pi2w1EZHLk<@HP^ztxCv!ig8^DXG8!+ zT?U8VtzT9{q8b?+UjNa_Y*Zy&lsJo}Lc~LMT!#*KLS%x)4>@PEo=$+NgQIxaxYKUF z`MOWmIkad`!w1o*7D+XO?@&Qu80)dJAKX@ozL>K~S%+zrr;*wp_??Mh01l_7Y@<=+ z^=!x)xDi7+IPW^eT0~C$aD}Zl8|}B8D*Z4)rF4B4J`Ym*a|NBTPCWNEY&Jz9JKmvwTaTak04{ypnfZ|9LuOyRNlB76uL7bF|Vh@O1HamcB>j-euo{TPM?l;~K}ON_C}^*Apb-9{u6jI0$$$(V3_ ziS9{M&VEtL21kQ0FCQkB0rqh9a?2z#?wBaDi-cgOjr)8tHnHOkjW88dRE%og_1TlT zdaQuCi6hur5qk0WK$&Fa*L+-vU^VWa0Jws;JgA|}#$`S+EY7^@P2Rk-m2L0BUTfeR zl67pGyd#7=Iln~Z-UOF>vI|P~mP@>!YDtCI z5`}n<`ouPRpN@6{2I2#n7bbm zp9F`#i><4c*EO|nsD_DG<8iw8F+5X*cs5vssXtKb_ebgDWuUIsFzp1BLiVRW94y&8 z(dPgJ=FC>!HiE76I4snMLw*;vC<>sD42q&!#<*6CzYVnrN^hR*6KG>IZx9k`UAorN zLrIM`l$Ln{3&GO>EMfVyvk&~F?{4oSH+2?vS~rah))@ia;$K|LA54{U4Skw|<+7@% z>$|M5s2c6MR8AAAHbO@xMoHVhq(cs9!rF;;rNMR_mk<*TW3e(lS%OP;ePAHF!gPcA zo_|;|jv^Kfa2#sALtGudb(lP>ZbxV z&ChroI@ocT6cS?%L@Npdw$Zm}hfFul$3vMg!+s3iyk(X=9e z$gDCDuV6E@sJ_hm9|d^=fZuhNxWiJItiJPsaC+&7opm2NNM@QRRA)-UNN^1S@#yw7 zlJRzO6&n~qP1^AU9PVnAP;)GUYyKd@&wQHyHu1hQA_|>iAp5bPCoGnKVy!EQ1Qanz z5MK3sd+4=o;SXtQq>Y9Mn+BsZ>M38OC$sFef~Tpvs8-ERD4fX$&GJ;1lCtoet&yz1 z&*9xF?yHCd@JNo+nM{y|tL5R7X#4an3ufj87@$g1M4~TD>robev7>^~WKOG3X85s% zH&q1Rlv0Aex(BveqsA+oo8@;kMen*9kRhhNu*wR<8!j`*LeLB|> z-la)lDS8`N8_p#yH>>1djJ!JU7tV_T57QL#A+VVIwLvq0Z*U%f`IZeTMCLk#K*AWb zA(~OR`<7wdSOjS%Qm$)j9g$sCPOXNS2&It0a)#D583+vnR0zhQtR?0H9oV3QpgYyaFdr!hb-4wYfa13iq5eIn3IXRx4TmVSE(sG#l zKm!?(DLy&Mpho`x=xLN-B#ZarO^BjasW>-tsJ_P#Db~5mXd~PIk?IDOSt1J#QY@yM ztZfj*Tx=93358rB-bn<6{-uQKa3t-G=fB3dfEyAVY*|~xy97=moL4La0nTnFU2$xa znd*=l!2}gt@@UZm7)>ctp^}Av4bU0;$Od&3ie9Sj{z5<~A-{H)hJc`Q~sfo+SPI^U;4LasdlL{#BwIGb!` zxQL-Hy=8liO@Zf(3RqE+VG`%@2Yt620CMhpjB%qpJhWc~iEDRVFBq^4js8>Q43YK}ZM;laubY;YmA1Dhp{>wklb0RE z5wHm6R0w{I;xF}u z+S?M&7YRf73aR#1u%-41?5&rh*3NzG z-N_{@yfd6~ym+3>HCCOtgYVrDfb-{_A5uA(1b&2n&X|hQwh}B?ei&Ul1ty&#Q+79i z!%qwF8EYWm#K5xF0p>egXv$UUpE$srvc@!BsquVa5K(fQU_R 
zz|`j+(F||a8G95%#;yotFH)S&Pt9NSL|vB}WmU2I$Q#A~+^g^Lef!jkKvdo3)TV>a zmmSi90zJpR3f;1_SqZ~wpQi^`wAA%ceHz_A*S=*n@hR&Mq}+iobstihDc6wM4kycY9vnKA)a6ZBk+G(#=y zf$4U2ce2NMuD0^MpU1>x zff1$ybpimF-%ji^-3=*qA%`j@l8Q#&A-l!aobwq(It^>-rI!~lpWy=4D;&e$$C}dj zl#d1ioB{(fB#rcRy5r73h9Q!lNb7J}FB=UZdSIW^Le@l^X(s#HH~J0G2<`M5@K+z~ zuGg4(jWNcp<&lMnU3mkB$;q_?SO$n$ZD+cjRl*Bdu2*}T5oT+pYq+QA{dndJ<>NvYy4il0b;Z?0 zE#QO4724Q2*9=gNreVkvk1H~D8EG7?$>U_DyH1UN&+(h{)QOls%cu3xBn(zia}W8% z9WCVl^nXv6G&7u@Vb(WTt!TaI#%149Jv5{YeBZ~>>)ruo*YSRLMux!L4u?C8oNV*z zHDmwey)o3pvpG=w^1tE_3uQft3jIbsahsSqK5&+zfhWSfzAFQVAzas?l~0HA&;+H( zp%7Woi$Z684Akd!oZ`5R{yjJI#J(;$V!e!af{{d6o`{PW_Op|mUlLj5vb*N|+=w(x zQ@j{yp`KpJgqyR4&|Ow~qsimd1`5`!j9oR0&dOg_#TkZE4=^NOc6Ti?MsEIPXaA81F?9GvfEF@-6 zu7cjg8!QBIM-h?FWy-J2>Kc_kuf257U#)wtkaiF}2gy6=$+s+XlDy zftjAAK*NOx0O{EwvUHYQC@~g{)`;{M*_XLd8d)6M@O7ix;GibOzAgx@pUx4|q8)tr zMk?R2p|(YHz@4a?C-&RkdLumy7AKf zhGTswkv2{Yyo6>qKr0&8^9)?aFgKtEX{FFIlqM~2f{b*l5@vZ`Sp;WoNa z9~@5e6ER|TA~*+6RHIyWNXlfFTSw~xl{JS)MU!{**=U|3I>BYJQ4?1$O%EZdeR-3j zzZJoE@Vn+6nDI0>uC{y{G_d)m7r8redYYI3{@N0Jy&-|n$*$t(H>J~6QNYw&B(xz# zV=)P@sYXRVHLDqpXC*F-wXxx!H92HM*!6+YG{meb7jPT%HZaQ4_&6MjFC;nVCcL#W zs~9j2&r&SZ`keblQAB`5afBs4^5@Zn#E}@&Sws+-d(SHXVfcb?zL{9*tY>)McuI`EMTB;=8lt_6zY&kQlp260`7Ry z(C1*i$H@blT2g{H!hxP1BlQW}j2xw|6y9G&Zkp1u;~ZJj=S#O@ks%UWi2>K5>Jw&y zGN>=nBYWp4z;bWoiA;KcG>mef8z&QK{Q#P9$!X*IzG*nMB0Q@8&%U!V;dUeQp9@<( z<|!T_#!K;c05d?$zjd~-mQ$O)Eca8vC*Yjuw8o9?)Hnl3vrai9KDD1`*@cJIRk^xT zEOctVy76~421lmUENT?E;e2Xy;CU?VsR7f#07bDPnmPV}3XcSYQP|WpYKx|~o+}@P zVm+e)UJ+an)&7`uHdNd|QGzoyGh?9^4jcogazM2)X938{PyS1)jJutd%_0*5)x1c^ zV0AF4R=%D!WrCt{POqG`=X%pH#+1bZ#e6v>>_$k8>OpAR?!3rVwSc}5c{WJ3GXSL8 zRhZ$^p|E1;gjBmmx$NhLU#{Yil-L_;D{+g7VsvMy#GD@A0HTQ)iSUJ9FtWxfak-t; zCgu>+vE=(lUJ9X$1|S+Zump#Bg^pyg(ap+qk+O@SC+knYOfjJUpE{#C+L5H>9V=na z-r6>Q>i9@;l+BUyOXcxJfr8UhZ)hlVl!4$&B~z1QRu=#FTb4Vmq8{i4DmOedzlV+csV%&I4-~@*p`0+z}`(ubFggA^hhG|QLpi{<~5r~D@qT}vO zDvG@F&b^&|+AS_&FH_}AReHcWbJf5UrbZJ(Wl9lm62cVO|4Au_nRQd7(J}+%?|tOSLW~{w zh|9&&E!C&UDT{Ld;yh 
zG=c8Ii!ltcE%Hk>rCac1dPqMG(MBN`I)+25$ELbd)1`e!JZjag%WCEP$(13=qWA8w zuDMzTnB88Cub#M;CIfRZ@AGn@6{`Vh9!@H*OVm>{3ZtM-kGT0BTffPM4ZV9BSM5*DeN38{0#Qe)BbBa|9)7;(v8ffG^kTBc#uN|7^?8v!J@55$l) zSyh}?w?$wR*{HKs3G}ysk#=&!rrN3k!Khp(Mf+qeRnitE<=oP92bgLOL8rjz?l!)e zBZPt5RIsAkz$4wS9i>buViF%W(S`-N-BHLs&itW0JlQLk`?V&wYGo{0$ zhJnzha&Sw0k8m+H5%I#0e!jZ=2hXGnm5n``^A3Y6uqR3mvmi;lu^!%T2C5O=T-{C1 z$q-2hz>Rl*^IkpO0jazdpg0P`snckgH->CSFbL4mRd9ez-^TE2Yax#LqVp3wykD)? zhs22mW&*g$69!EVhm%8H(h_Y3CpeEj`)UiqaiMzLK@5uV~xqe8VgHRn2q{qMe4bM1>%&_T!o#adsP`K;(>tu=KCzTQ>wZ# zGErwR4SRf#E-b5^EJx9G=H)ZOv($*luh-qlC^eC0c+Qti7&m!iy8O0V?&aMAEWR{I z7Y;bvRtFEd2`v%1k)^kek3X>cETpk=(0M$FQia4+znhfzVzA0NFp+P?U6dj4v2)i# zDmcIoj($007EEj@phDYJf=?*0lB-(`2fVQpu>)RCkbQ!~Bo6ws z0CJSi$Xn1m+B87nDwpm&a)zwS?6fV;du4tw4diDz`o4;;V#z>c?r4UVMaZYT^NR4# zg}tfNX=nhk{)W0J4Q9I;py77l)BvH+jQauFLlkxfYA9p3j(^))DSy11xN4?KQEMUj z8dbDLb&kPOqTaj2)fEIDV;?(ZB^)SH{yt}#*bF{w5Ue=1^l}TYEsC7LsL9@ty6IgC z4TdL2zS+;F6QIgiqIGGQqgVZPgY15UbSqMPG>>-REBhN}lI3z>Z_ffM5?G|a9SBox z-pKQ}8hCn)3;YWDM|MPtTbS{$HG;YJ>)&g!)R9b?avK1*x?YlAz5 zko)Lk(qn^>R;1h*eq53v;3mOf{q^1v{2uy@3bcM+y%Op-XKoZk;u1dAw0>#~k8` zLn<_g=+U+0NrY^E@qM>wBwCpDbA}VQj~gL3dN|H9hGb3*)(l>hOf(vvfA*teZ92O_ z;8O}=&-hx#49k}mzppYsoi#26iFI|d^H&fN!_B~^h3Kd`vpydU9 zW`V?STqqhQ8r=-=L|UDzTncMzd@|uN^B;k0Djn2Nq-P`Uo{M#QCMI+A*#_CspEdYy zm8wTwTIi31I$n)yaN zYBlL#FlUioS9HAuqH7{S5x}e&@z0P!3J5$-QF8RSY7KHi>Xd+F1e@NT^tv=~^jz|Y zwY~V(F;Z>VztpG-D~I#e#vIDtV`NQ9v%!Lx-X&dAn47bseiP$04$WMRb90hDFx*Wy z=Y5R)8b!8)l$WcDnAq5TQ3ka5IO;sW@PO*wBA(4RUc!wssGSY@H&e8c!7%h_huc6* z(B1Q(xANMkiJ!EGnB4N$*YbD9nL0pkdRAyxsVqok0F7q(Z$5i>3=_{vS?CWX2j0sj zlckLW842S%f1_70@NO@*Z61(ItLpE3E>UDa5FyC|x3uojZ**Z3OP*`Tdqo(mhhv3~ zzEW7GLe@Fiv23l6uV#>sk+HuMQ7Q?6n}=x+KT$wbx>9u*=ZQhYt+@CKeYD`LR$~f@ z_R$^`tBOp@A)OHbnIR<-cxtEOI(w9`TD@mao+NXKW1X>}-m2R;@I|LMxIZ{B`;>B2 zqCq`XHI}VX9ar9Y`W@o}>W!o#%|+_@i@wkA-ksU$Z!yius`5B(QjFl9>mR?<7e@-w zL!N7rA330zu55n3|EAj>Gl9n_jn|D|%Am6ft+J$`fZsAMi{elFy7z<0I$-qKNi z?u&!Y5}sla&28{oL(+LnUF1t-Z~Vic0_g 
z$I2iNGnM&t6Va<=0)3?tngdhVtRL-(hOYHK`G=bH+13sCI!C03Br1xwKixKJMsMbr z%oT0TeLmtb#e8;3_%g#aY##SZ@`yMX5>~FB@mj`ULri+X#4s|49^F2kzIWAmUN?6L zS>=Ij3U4g{N&8ea1??o(179SVBP+0JvK1DqW7FP(sZN;VB1nNovZ~+0(7;;l!VcV^ z?Z-qR-K#m2!sm&LbIPwd;Gj`AHa9N}pm&6i%@{Q7&I#2Xl6RCu+i+8N#t*pkGwOHM z(EA60N(}wV@Zm3=?l2mR{PBry31gWsAklMO5b1!XL4j0A6E}Zk{Nq9=i}!rg9THjn zJA@e;DmX1U*wmhDN(HToCTHR(x&sc&cwUwL#mN{{Z|?r|eA9iL@~P)h&P9O~B#*gx z5>H;kr4v&U6;aljli@OBWt!oS!`soB`xlx%)5;O(YUdr2aX2n-dg+QyOj%|taY05+Zxcg#$4b|WIRvWrFcIIDfn`33nZ}lqA?vZBfVvM}U=*z(2 zgvB^T?-NFqI(@_Ttz-~}a=dGtQX~2%W2*wbZ_4bVv-`yW5wkrjjTE#<(Kk+GAB60& zJvwy>I8>N$ER~WSr_RQOiCK8zh8dK+2{0r|O`JMY?5RKQzoBP=uvYhFZ$)m#qoqnYp4zS^_jM@ES zPPubts&y#63l;&A;!5!`17929a>!w+im=Gy+74D>60sy*e27qQf8I`3qiK%a3q!8u zgkl12_@Nsp&Vk)4;aBJbI1=0&eT*j#em-)2h^OUDIuXwL?5B%4t`grDt1gtF4_tI! zVsj~kq0|Cp-O%>NZw&TP)jo&oDI0<=2UoeAj6f?%oCr0&{ElPHLq_K++toem(v(P> zAE9U!i&MZ26f)M#&Z2!91Q)f|CXQV7l<9 zc60}c?bt<^AClu$V$$`}e-=SWZPH2}j8tTo_;oP356pdgRN#ebEvGUioUnI2V&GFZ zK94hr)&lSOZVraYvE7DhHEM%CHy;=poEIRIe87;o9BO}m*n@pRr=(@WnOODFW&~A( z9Mu4d#USR(7nq&1x-UhOR~b?q}Tx7=t`pBBqhAujxK-}$<2WW56%1 Hc+ zRFMsMT6LV2gW`!*3SnE)QpshWq}D!V5%n7~m_`wAkA>=9fOjBmL#M=X;#pM%HwPBk zzwfT&nr%HWAa?IJ^&}U15^8?xjqK_G@M+Bf;%d5!+#Tn$c#6CwNr{Oy?*J!0?77#` z35+*Y7PphF&s}oN!HG1a#59ZMF>;J6rxE5>@>uXiKfB#*#c}48#5v^^mSLR3ECO-U zVz(OURC$80(ma@<*IuHJPm>7bcc$encXjjZW^q$3m#`%+} z5@KmoAm+}2w!a=-H-Ld7V>)yHCSKAX4hT%Q(|SBQ55`LI*4tc`4UkO@lnA|wt^E~o zbIUZ70w<&?>u4&_mYF2lr!b#g?u4A64UUZ$DlPE75>%!037pYz<7E$!b!x6Tw;t#u zphTlUgQn?f?*A}lZZ=Est{|!-fpm!Y+q!d^JUE;8VJ2|xas(YvT5cG%`&k)S!X$_w z39nj3S8esLCjcrku!Tz_88aEDFRaa-;h1M4L0npF0XRi;8)cP8^o|-BgzkrXXgxF} ztL#%px+Rr))6MqJb~h*)fN*9;53H0VT3vcG=}t z%p|#>StUJmfFePa+|}}>*yr8hAuOxR-~i=A8r9OZl&$H(!xkmo5vZL}BJLdZzCSXX zHjM?&s#V75omvkz2K|%3N__wHDuTK3+2vmSN*=VTnQt_iB$2fgg=HMkLt|5={N)k4 zV7o*6g(R(RuygXrySWy8_UUZejJ1zeRllsrWRL6!FA+gf)Xe8vjNi~&76$*3u+4$= zU@BE%F9Ll6s15wa&anpg>~%q*jl)tPdXeMQji~7sJGve88hsi4+%6m zV;UU~BM$LWqyG174xcY%9`CKSyf9--@aJ_=H?bKm-?RV4!5cTW%nSj9Xz#IH2SIQs 
zwjQWGAbK5lu=mgHpf2leCUDR`;9E&GAhU2O?mFNz5Cp^LD-2QnX%8S$>A;Nmjb_76 z6>OZbHnB6%gaC$C5$zjaexrzjJYDz`taDpedFX;8c*l~vlu~H-p?+d8aXVJc&@qBw zAj_+p0tTk_2I0-w-2_Mey{{(Vi1%=Qn(Kx|;nIjtx8Z4&MP*%Lc!xsiKZKcCK=Na0?ZBFCMo zO2w-v@%VQI_V_WNA)2r@2292gpUC3yt9aVe1K~c^F}T6v52+&KJtWY?PSwrDgiFtu zvDYKfs2HsGMtQ?|UEM`)vQCVf`-21T(?v`Tjma{NY%bI~Sx&&s`{PLac+CJ_<3&5m zs_=TY8cAp*)BG`;2$IUjyfH*WDH3Q5{M3%W5+8YqL~?V3`-Kw*0NtlGGPzj@fN2)l zce!#nQm+wqZ1s2rKbYE^Tj80>m*<80JQ;)}Z4L7{ zlVZf@pn$*bH}c@zw+ws{QY5d6j7-+Y6aL-H@i(prFtZ;>RM!yDK1DWkCQ1Do?=G;E z;sWtYCyY~{W46y@lD4MRd+s#ey1B-HWQ4|>p{*(ri-65R{WNT(iyJ}`)`unMH=N8i zW^gM0g7$s&iT`9S`m=7YeuI$%Nvy*ReD3j$4BoPtV$exkFjAeNmM5GWg0aa%d9G}* z+t3QUIVhCqYXkKBl+eoQe1weef#x>Luk*fD>mt%Er@qoEG1vxLYSVI2HOQ68g(m4u zu<~P#Hc89zHeHr+{4ytmK-~SHHYYrGp9VUY81)E4%i~r}`)J!dEmmon4>%=EY$S}E zz<12b$+dwhDXa=Q2+HVwr%<0k%Qc^8E%rDthJyi~j5F`2;3Uao~f5f=ek6x%2t{H1Q_7);;H6*$b(Z9ph{)z4Wi|MU@-gPqF z{GGCzAUeK~+)3OddnDAb7JoH%+cA2PFEX+FQqeMq_3$d9s?A(G3EUG7tcs_E;`V_p zA~#_lxu1k4_^0tT{wb`6j0}h=lp+pR?*z*rvze+#MG2?ZC_heJRhCc@a zU|;DJHhAj?h7G`gqaJ0pL5){~90b=qPDWwHh1&RL@X}OnSL{f0DMcSg@xpemYEME5 zOf$lviQqtEXem0XGL!7J2ZDr#HKG>5ao)<3i#7lAAgEp**#yyM>!juc8;|J|@s=dn zWjJS*nsq%dIJ=x4ljG3Hp44*VXmmUfJ8A}V;l^Rz;8&xal@PA#@~qX8f+b-mYo-}5 zW+cjP%kfZt%%oq325SPS@_@sZCr$exrlZd(>g=KGcc9;Si}l+m5CS;`_pFw118k@P z46W!FPehY#E)RAl&g2rJ5(I#NshMsxb}EAQPoWRYWjLku5=Y_`@x+~v zj-w}670*aSmT^x{aKX@L?#@-+=3^H^F5=z~$Pmvytqj^=hN<7@yU^8SoOg~%8hn%! zF0;uVP1%Fqk_y*yV=xluH{lH81RNr z(ZE#NeS058N&G%Y=RisQ z^nO}-aowmTeCSC8u4I;w;s~AMJs#Xqbtn^v1u^^2nmQwjCDa85dF?_c;$)H-SZihp*~#)w&_TPbPsmpe!5%;! 
z(nVkq=?`#Lkphs#W1%h>q@;J^;8%my!&u7~tkXK#LF1LQC^Bz*n+}Jnf2xi05^hmM zr-YRpLM}xyAsNRDtT1$)hpHroZ%m7#$WVQ-wVt5U_CTXZBwAN2M z;94iyBJQ9oo}Q>?!;I?}-RZ6A3xW)SYZ%L}0^B`E0>r6#;8avrbG zZE)V~HBvjTvf3M%~UIYi&A z4HRz{%M~9?DWAGklEXzzDkg>>2`!2lq|RwO4m76-A`=c&!o24&*AXF>|c!& zi~^*?+oy!bu+FTg?1&}Cq^jEz$55%cRQLY<{4IFk8L1gZ$~b%%6N~oY*iA%o4B@DF z2qx`bW--ZhEY%9JWk!g;Cmp;2GKRvEW2a%Yt|DsJYeU&{L{4ZoW+(VK;Lj<#F&L#C z*znpq%-a=GyD#X8=tE7EJKe?jmi?(X;+KFmV_e(lvncF_XbUt0OIR2w=5eW3To?X2 zFpbtIMO>S=Rd;t8Q|T&~sqJ=-+Dd;|d>&UuJ<|QH?a^ z*(Ft);~I{djYr$xYywXu2qEDQ8)Z;RF||GHr*8ACorZu~fr20ltf*W{-9LU;wShXV zp}wucN2QzHji;B`tQ6ki(o|F|$#t zP?(_E!rIRfo2dqBu#A$41WvNQ%r{C7eA@9H@Ti3&>9i(DRP)66n-*Wq1c6aINQ`fd zu%}*fFL+(GAQ`3?9+Q+EcpBcgCZ;XQKOo$p8NVq#lIAYyyfqPYFVgq zTa4UpLLgsgqwQ|4AZ9TkPsGFn8Ii7vL26DpoX$c}D%SJ+``*6{%UdKf)Qc1uRd9Acwwao8<>G z(g{+LS5&q58Kie@L-iUa8J=Zy=eodHXpPtg>BKl9nr0STLwHZpUzXWnzvDR5X^n$$ z59~%9l}D5Hporue&PWtyAhU*YT8T;AUB2FT7JNeKuZN_Ofp zL|e9VViH7u>STjTC>^=+!2h2y%;4YfUhlYp2iIe9M^+xn4cEw0V6>(wK(~O9;6!0Jk0rfy02dXC-U<63wv%4KrlvU zFORbS9=O)r_Y)LixZOn`fBIK8`g4&!L-bL-#XbU8yF3EXI_AVMCQG8BmVwc)-Qzzu zK+{heL>S0`w1?C`07og2rlb%NsP*PEdW_~g8#$t=`sTy3>8%uv-A zf`>v@P#sXe;tJsAP`I8!ea&1$!Vi~~RaXJjgKE@}B}!4f@~fv#yjHQ>VFmzF{$YJ0 zFOStoR?ESooY`Vr=i8Wg-QTGh_W`iXM;c+P9vqa8?%Ji#J)fkSQ|(VLM{`YOu zj%t?s(o~^=YYOC`hiWf-o;H6si8z1ljA#@O)f}JEmEb@mXouGFu8|tei{c^ ziAh0$37&UjET)_W?$2{h_e*VV3sQtG_w8Su4rZJ?rejJ?j$~gbxm*Wn^}@8A2I@1z zpBKvP$8KXF{ogdF-^%#L)zH68f&zb;A$~NZ20?aWlNr-|sCL|7gpNJldzwW((t@02 zrPvpH{dW3#F*a=`?jFE6Pm0_x3xAo$FFblu`LYyuBBUOZ#b+%|&2y$wZUbw2m5Wt9 zmv+!*tSP#PoB78f4|E^`I)+z%6r^d7L9fVPO)WXF-dR7zzciY}C;g;C#!5gbX)N?#U01s7rq5tLQ23c4M?b^{8w@|$?L*vl$&?q z7RL7|M|vsNd>8>Kn!)F|xAA;^e+A4hv?-(W%@xbq2hv1D)11Xl?xH&Ug^P3GZPB2=g>a-$IQd3;Z2q&rIzKpNJ` z3WoK$j9l<=v`1}M*Bi?v$499=-n1IgSAp1H5#?s~9M_gzv!qPmM4_e3XP}`rYfJgV z#awLm5T%I3grh1V5srzVP=T(%IRI*Kr`X^HEAfrgQaPRV#-P#B8)0Oj(wEal?=4Tv z?0}Ep>FB$J_Vz3VnK**Cxb~UV;G%4cBJOXmfsS-KZf9nKa5cH~cN?IBNP z2jG@&*IoA|iQ5XXqyP=dVz#?-Pl5ZV*fTkf4MnrffNSqRmAxIdtS`jV;0J{yX|v4{ 
z<-;D>&(WVSnD)GE_rSA@1E1_4aN%FjF6I?lGu}3$uTUVxOOjvOp5RPTBtxLQ>xi*Q zQkx%Z)9{1i#hYT$|Cg!F6bY?dbwt);GxYKx4Z?d{_NpSS#?XAN=e4+9i1pL&KWhjK z)6i6Icy);uV%DB{(`P=wEe&Zsn>~510eA6W&`&8wAbLsZiCr7?$y-qN04;?HMlA}k zi#dqbh7GZ>q56!)&`Q)T)j+J5o`bkG8xufnG%?d*nrI1AftC%0g5 zjuomicBki00D9Nx6lBzlLVRLbY~PxNb^e(vJv=XnWNf0~yD^LPh=>^Hg^e+xeDx(k z7Gpj&$hcr>*asiLP?!wYp-S=VC|K0U>Ba$-Ok*__OqBV8=u{zpWS*PDm6+OEr{}(` z5#fL^yk1M`ul$tt?LO1Kq1?HHT>34d!Q)Xda#8->ODXB#+t$5P@vv|-Ly$v2ppvzQ z5TVM1i?QBS8OUG+$RW^RcIMrrZi`Cfm?dF?1KRdl<=U;AGk5BY`xm8%QOyW-NP+LS zI;$pW88LxPb&|8wQ}s<$;i&?hZy5Zj6?r}-z=vMnw{p}zF=xl66DhJB;Ga(p|e%?kLo97(1e;t!E1!F>kTQ_t(Y`KKM~Yh2(jGO8cR>r z`MC+O7p+>O!PT6FtOpKv;{Rp8)~4+5YT))r{6-=~WT@NE8Wy{Xq8&CX}=gfYH!rt=M?x(BF) ztVWRu!r8jRe&g}>MB70y(P5Ok-T1MD6Z*$7XHQf6DuP;3#p_Q05*>Nm`mE$wpx4w2 zBi|+(bWiN}@~A#{jaf}w|FQ&ZqyV~Q+!80?XsizNg+ikQPM;=R0GehWG69FGC}2kn zJjXCkJsKG7Fvb{T3_BnJ9RVZ(lgtVWQJF8>BG`a)unA-m zm>>dfK~qcy0>m>N1_RjQdrfi)@qM)jiaIiPd$p5oQ}{1C&MxQjsggVPxZsI%)G?Kr`FFDgVyUB-r_)s(StYMvhr9X%`>KHP zVDRq6{e@8C-vasF0AStkOuA|t&41_O+xfzTuU0$GRC{n$HT8Ga9F1FoOAO;IXtg|- zqI5*ts{=i=G5A7{jYK3CK}IZo9^cBjU;@@{4D?jlzk|nBAJT%nYt?y|zTa6R)42rH zxySLa@+|f53zY>hR#g+r)&eP!Dr^0o6%q+o$1&NNFFsH26O^l{eO>9N)m?LQ8qU1!k)D>|XpY~g;|%9WB(l1R#g^pz z2@+P}@3RCqIRs1M8SP2itd01rs2@}6LAQ7ulj~2?-QV`Tg9B`0qIm}B4vZsV@gM|n zV4TBIR7z-vM3sPJS5J_DYK=hUY<O#>l> z5LR8SGZ_ro4hM#Ljd;P=q)IcAu^P1q4KUFh7$6SJf`$hO!+~iMOiVBk{)lLpJ~0?H zF-8b6*dcQ;KpYHAJXmN95pm!VCceP|6JdohfRT+wzwofS(B5q^Mu<2x48E>9Yv;>l z)!y|@?ZUoqAZ(iZG!2BiF+E(aIKyhm&F0^K*;CM{_n_vZ8dDn3D2PswBT4i{h#sF+ zc;og+K_LfNpk1}&^YiAzw}Kz{y_EAu=UT+NR|%1d6y%!>0f*42!x_uk(Ijaz<6#ge zSSk_+WU?siNkIw+bFr(rW42et-4$ zBnU`*U@<98IuHiSttfh$c*8(WTmyDi7mq$etK|`1kSRY09n+!naz;hrY)|$cjm>BP zN}$5#qOwA)e1ZL_uxM9_JCIbi4c}suAJ{4P8BH+VH%w^#nwS|TtCFw~cViFOb)xZ@ z_Q27cr%6mgucP;BgAK z_bd?dU1MVg*mXN9B2YE9%F>0Fn=*X}g{^b-jGr_d=jSx~cCEN@6J9hb7qcH>vnxze z!~oz;8?!~DSA#tjp1Gz_lie0^+WC~mkWJ&Q?vliW!udbz=LP9(t7;KDSYZeIH>~dL z+Oe`_wYEjQJ&WNWfKLx>lCsBbZ2A__uV?SolMZ|elLJcxE>N&TUHoDRP*HQDsrK#XM=AXlg@IICiV^oN%h4A%JIL)gKb6R^6?jIkO 
zl9=4|jG!Z-aH2KVg7IsQo`L+zwpBtqD%f-|FV}bh2=HA>*!r~UL6$iaU}<;46G|*3NSf3VTA8z9Yn|wVJfOClaP~O1nZd>m53A&%n_}To% ztn0?s?^WN(0_NlaL73O=IJ*igoQMh1ng0*EHvm0yF?=RN>@I|}99r9B)bRj8-3l9M zu-thYF}cK|i0@&5Mn@<7v3CBq2w0S?AL0CMA1a80SQ+DZxyXV#H$p778S$HEdP1LJ zANx~S&&VKi*jXtC+9GXD@mltN%EjzAF}^7*azTKl$L4KYo+*FhTV>OzVUc7Q$&-3P zZ)%AMGM_!jniif>&Y>nz=HNn>LAI)X#rC|_HyR&CiA^Fix(5=F0@1W2+OX?+{I2)E zEab;~3d#RMMWw@56C7i;%)l8`^`-I$&>IaDzmDiQ!vj%ZY@h9jR^Di!v~otn(RozQ zEo&?qZb@g^joQ52=^ef#wWFzrDK7n#BAb^O5Zhc;HCrB!n~0QMeUqx`$>D&l22x%O z)o}C6Vxig$Gs24RI#c@Q&VI~J1s>IuK{f#kZPAAZM=h-D{#z`?;uC=~8D{=d3`FWv)G$vY0D{s3b;dkb2gEAO060Kbk2} zRICP;wK*%nT#^pMb?8~$a-#jbtLx-#!DUqie~Kv!wTeq|CZ+FYn54~WMB~(ASL{!= z^ugzEI0eh4@TFz1$e4*D@lG**7%i98Zs;J@c+GV71BBpO2qv(Kz1eTBEFFFuySRNQIzO zH@%!9t?z;bDE7k2rlkKUkdG$MFJ=ai!Y_N#< z;>&jLYdIRn3Av;@!B}G?OQdgq)wzb zb_RONRB8qqlec58Cxsf2H5T8AC==Arp$nn#6<#~u5utG}9NWtN08O|is&x{UHS7gA z>x1I>h_hB*TKk|TtZ1IgmV6*QAjYu@`rP4vQetNVPMILg(-6P@tr7%!y766Gx-3dV zr=*_5H&;;-+(_+gdp%AipNbwdYF|J%hRN8tXB?;a{JcE~E}gR^wsf3%UgH7T%hH5A z2be`>F~R~OYY5ls$Z{keZz8=ZP;YQkAlPJL2?+J-96WsjJQg=Mo{WZqJN5>hk~9iJ zICJ@9K*VK9=si0NrjoNx3`=4jB=-d>seKSny=N*fLvw|k1=)PKPVES5di<7KRYF5c z5&)a*D8&fZDRcNO1x=^gDJw8Xh^IAl^UxYDuUCU^eOg1uqP@vQu)ImG!$V3j*p$cc zG^U%+F&43k%Km5w>iK6*rRVPCKEAa{-w9SuxcFPX;$-d&`O zyE_v`tHm@F4s zbd8jb7*c+i8gokW@n?m|93!eLG(>Fvr~ADQviaHsPH~nyfKfP7`0pyLG2ty(ug({F zYp&psDZe`}Awu`1IeY@{1KR#&PX9mlPve2?cBJ)&zeOvCK}kQ1!a=(N@zJa7`trQ$A^Y>FJDuqNhwMC~>S4`&{R!w$|B-+@_1KRqs+W3q++=V-gCvNyoh zLMgFG4>CZ)CVrCR9T){GzFUjwZL^jD%&21#4=XG~2=VK&A;+#^b==gEu!s9@W+1oCAYPf!w~CJ zsYb%4!lMB8*wE`w!V1Yq^Fxqo80N30L-^Xd#2DB{!k27$diEv)BF;*K$tG5Wyff)-9h)}1#btGGtX%@Pf{tJBQyyvSduSH z)6ix#6nkaA-U&lP)$@dz6Mdq~C40Zq;pb4{MHg*e0*?Fo$E~NuAwnQ^N34GMj;`aZs~|FM)K)RWp5_0LnR#ZV2@%J&<+3){z*WMzTc$1fz6i=y$)_ z^&$iy$Q}5}^4{jx2WbpZ)Y?yItkN;nq5c~XA9oP1r_EfP>2Q`$w{5p-WA)kL*1E;c zVp;-zIg){YbW{Gu;kz6YS$_JxtPKkH4Ar3dlWc{C@Iw%m@+f>yGnyzM^_t^PMzeX! 
z#4~M`BY-$6&G5mR5AONyAEWdLhWNf0zT-y01H6Ydt0Hd9{>fXQ;fWTW@(9|pEttuW z{|&PM#Q{X1>~IL<1Vc7Q$`U`(K(dP05`*KPc#`0?SG~y!pxJhT#CCp<+`*|rYw?ER zBAaEiuA_NaLw_}HyQZ*0KZ%gWJ|~{WBTWaMK((z+ zhreor=y9dM@cIs0mMI5Z)>~NCN-+phMOaIL%9z?jC9A3}ZEr$M4-!1iVI$07-g!I7 z`iNf`1h?gc^zmd=%BEvL2hYSp$wFW#XKm1dU;0>r`nNa?#JJNK7soZ6rF7g_JE*P3 zs+IFiCl^lB>oTfY?c<~oY}9-3;sP=Q+4INgIDoMfx=;CTXZoG^y4AY)#eM3c0#@0- zP{412^Txe66}8B6ujw3+n7BP#Nt!|Pbcj-YV&C-c7cIF?tM94^9!fKZXZ8>$8biza z+3r#t_oh7(qGd&3J0Z2E2W~Awx0irtnMNYUhQ%po;{`&-J|P-Uk+|H%a_?0Eve3^M z5xvYUw1`V8)fkiynZ2@{pfJZWBbJ$dvGtn>Dm61_E> zi+m?2`WLy2(9K$Y#ICqV6F^XpT=0_vob?YfCNY^^s$zklPWIl_3kHAgdlMsD?vP#owoth;M>C~08d%kO}&C4TkoxN z$$T?RJ{he{xB^15qXZR=CQW%iK0XijI|wW)&!j>MXBbjbs7$1)0YKo`ix)m5^Y?{VuKZ*%jw-wMj1u}&InjScaR5uCY5;8jX#jux*0poamnIA3DipiF za`m@&5cj72KAk5&m97$u*vtGXvq`663;#=fF}$y|uJl$F(DaPoy0o3a%}p7S9_fgz zh6>cgZX!udYn^YlZ#19Wd(nI2Cr_gs?NwXLjcwjle#i3>T~F{GrI`7LHL}b;QnQel zwpPS@O>1ZN(N~ss_3LWl+T=qE#}(CO-GsG0_f z(94I@M~aSmR0ZE=-wJYT#DQ3>+r*DYga*iOXOX6tUWh0QT1<+-L6u{%I}o08?oEcl zI3ZzK6eUUSwYFA-B3X!0YI#Fpj(VLhZ^}^WO!8yoY!L2rJ8W++Qklx*w=RqmFqyPv zd-Z@5jE6gury4e=pI&E)2hTG^`ja?Fsow#99RoSb z1%v3Qg0<2nX*&Wc1OrlzbiHLzBu%$1+>N`tySuyV;O_43?l8E!!vKTB;4rwmySojp zgUiSByyx6|&KGg>M@M&bRqnO-T2+;imAQ9OO7a3v=#WS&mAbLAaERFVpVGwRSmJaU zx;`PB6!_NDPXUIHmyRRtJ5Vb3Gf z5bvBo-b0H{2ezN-1G*ySfmkPJ-OPpwwb}#{BFW)LztWm?njZr6L9!oZ(n5mCQ*j-h z3{+P>M6hUy&T%I4gcKw%6KMt=GZory`B^i>ZUrFpkBD5co`4UFcYDlw=o#D>Ofgnl zAvxxFM{HNZ5-#^Te=DebacFuKuuP$*g=?{|R6^2%ab=;;11GU~G^gtf;Xhu_=_2Um>jlhS)?vBJiZh$d=03i;a7`y}qj(wS{Dv^> z(fLE07YN>atL+@Viqz&??Oiz0XrE;+WDO%X-8Pg~yQ=C=v?_U=s{T#^_OyAl-}v2)0p(aO3EGDp(Z>pz`WZi>_$Jsb zaSR5oX+bfHux(@a8)1E8FCFvSt*8czOI)l~4&_n@n`BnIlBKUElh*Y~?13Y2u<@oF zOx`x~Pj(ATx1`VhbuaTV-3owLKoKFMww5L}9AEA(n9I;xNc8Hy`YYL0AU+UrR;JZN zly*#fu2xiT!~B-wF@Ay&Gcy~ChP>*m@of>AuYoA6Qrp`pQK4yvEhbs?jw4LXH*&ajh7fEiu{^Ua=u5s2qpGw zadJnN4X10z$1!^t0dB}Pj-&C3^Wa`Bw%ao5LnNvhR&XxZ zB*7)zAS<41{1-Kysi~Ji#f!>N*1y;g>AKBogn!+Kd5>!Ewt!vidIqH1E%JI&n&@TG 
zTUMhiFGXpn1UaD@&7LJ4(3@^?bXR!;>1z&jQ&QTUcH3R{i!~y4=3d@(55eBR-B|q6 zZR?CkRzbK?wTKx~4;UJCcyxJQ_r>BUU~1CxwJiN(=&4X11|%V|TJ+=oK>Mg(KD*!> zbI?s8{GCMGSSy+lDe)dX45b+_7(WhN-UPHz`4WDW8XBRJ2LmX_#Q!Lq5Himif{-|b z(H29h5`=pu#1YE@FKyUi)2w(Ki^c%>WdRA7urpt9kX1JLWWi4G_V$}HW_y9mL0{!#A0Xjw=Itti_8rBlJA(f*Q9SvG z4byf5;&`q>O#xI$XK$Dr&0w0HKuGveWoo9I&mej*L*DJyuh;0z(5%JqxztT{jILFMs~Jy42v&ryG8Sn_d@EE4F;yCdD(fWGr7^KV*Jag0>j-ZH*DyEbWmS9*7e`C8!jP^K~V}2VF*z5lWS82xozI52>ge{3f$P@x^C3-Iwp;(XI z9Hb~gCj|v9+x;U7P*{2qJ9QY<#YKF#+Uk;Nwp_1vpkbusb(#FfU$|WqM962_kThr7 z(413nOV__6(^qHKal?JE3F~@9#5vvImGyWse!j-VPQT2(Hcy6Fh8(N+Z2EPVIv%-! zrV6~#jMK+=r!`3b+s5eW{m4mYn}}F;nmE<+A7pJ{XcsG<1jhm(X$g$wEVH+=oHF<_+A}rQybN zo(>FTXC0r&1#tHn;vq~)J>eR@Z&U!>bF=a0J@}-3zfeTDF6#~n^%)P-e)OX6U!;|G zhFRx-6HF0a*Fx@vc3xsr`^FdnA94IdbplBaviEK#s4Pt|f)1lN*U^pjj@~bu?4o@2 zOZEKsQ&}bS9g&%S^@^HoX_!>t`BH|fquzFk_K6&Js|%qq@@B8Cayba5f{ zk&AS|&rP;2-IN&fR9%l#-yTa+@jVy5XeB!k1=%}(XReJz^^MVAO2SS^#-c7kgPib` z&BvIkO9vx9_1C4RljO#>;8>Q zBOB{KApc(u%q_00Z*6CT{W%E$s{sOC)6z43U}9xJK?6Ypzhd?kB_P~VTJ7r__wC2u z-oE~UyU&NgFJSkNW8+O;432mhQ`1}v0Hn#l(gG2v6o{+#sxq1Gd6nz=|t*iIn48{K=snxaY zdK+8hjZL`3B%XgTQG@-@_NBZp{iUU6X65Gl{wOH?3cuf(EdnA0WQ_24koeMse~^25 z<3Yoel~;&~7ZmJ${~Z2*t)Y;R&dsBSoRm3VBi7rQhMAlG{7Ezl4Cdt4aP~95Gnu+- zthWeq;8klb=e`(VJjfsk7*O{2$ryP1)cGTtD~vjWM?D0&5o_8tp7$+ty>W1VN6UO_ zp1H?satx2aytP{yCEQzxI8)2B@kL<*StQTa&A9#HFR~`a8aMq|dHS_UPX^S%^j)ma z1X9|X#0hTLt8H*{eKS}lGsEPgFLURHPLY}-|E(G0^6gJ7=-=w zDR?(j-tgK=w$%xy051AT$S_+}ZujcIGB7~Ji22~Dl6ETb*BCfHL-iaOawIzpXs1~4Zu-0?M_=VU3Gn7PjrsTp+u zJN!W~pnA+Xty&%mHi|L=fM*D89(GZkf8=0iFbY9=)*RdpKBUp3w!u3#;I?C`j! 
zfC6BYW~8hnj{-NZbacJ5lf6r0K_QejXplJAIa12bB|hzVnfZ1qzbi(>=2z)GXL%fQl_t7GD$LVK!e!8~aUxp?WRO&E=sxcL~E z*^JqF_&Hh4IQ~*$W8&cAV`1Pq>*(p~6M+$50-L%zyPZI<`aqvv2W~%x9-iMuhVMSd zUfw6}0qsD0JBMPI*B1^ie|R7Zf-Ct|eV9)|B0epj05Kguh#8Nzr{mu{Y_$(E3Siy#1k?`N5hf)eIVm;qZpNT_ zd!%C+9V4BQyb>f0=-x2eXG}>!Wt8mYV-D)(k@;g!C(vJ3{)85kVP0?x1a*h9fs z0YD-A{d@z0f&;+}9Bp0Q-CUe)tgVa;jZN`{crXx=gz=FH2>G!!859|nG}NVWP;i+z zSk)9b5tv~hp`l>WP|=lHbanJxgo}RU6ckG4u?XX3pt2 z3v_S;F@0gU+ydFl+*cGduhfVBf%qJcwTA%M&n(2R%yCO6P3e^;Ou=nSpO*9=5` zt6;DUgfJ2qF%-&$){?SH7zECDB5Y)AWM~vL^punove4aeXxXEA!`CLHA}c4(R|Kvc zW)ASh(}z4zmfYFtB&y9l>dZ11U?+oe_~gYH(GA^+{ewM>--tkA(wnY1% z?feO+#n&@FC5^VFRcy^s0q8>}&%V_RF69%&jE$cj2o2pP`hqPeH}BLA88*yMxrC=& z*6fmh`?)Lx#FIma+9Tu%n8$oP&zpY5=M>Okp;m=&Q#tYPN6dB$k}}_tJh}%Tq$9{Z zb1vlfjN0r{QLLk$Ww#q=qeGJwFXU~#i2`xFbQ%4J444#0`I?c)n?&|EitQq8HDIgab(o-VSOw39{n`e*N-3rv+j(*>(N-c-09!xZs?50_mCGSbh%B zvdHJ*&;2}JJwAB;Z1(~-y*kGbM04ub=>9O-vg;yenW(q2pfUB3eGzlZ zIZ-iu;K1BX`^#Qo;v+s6%)7jzWH|uo?z1acp!BTK`pQ)y7uC!BWtZ|KqmklwU&-ct z#bb!f7932plMmur!QBJ?cL4&Li;l_VB6&yqfjiX~{Px^!L%ajVUUTUijZqH@AqbLJ zu24tSSMW~`3J>KM9vt{7sO9y&c%hs}4?1Hs1P7D1=lA0CWuDi$TyXH#01k9a&~qU3 zBreWpmE%&M!SyvLO@2sEko*gVwt)p3OBiz}Mrfx`t$#5!B26)W=0-U8Cnx+w=+ZN* zbcww}E|Wk{4=zEozW%fxZ@SE=#_)A3m%9t8XZ1qj`h^)RLYs|Wt;Th0;VM3c4mBjd zWkop0W#*lpx#lET!5>T+hLM%ao4R);$+rH#;6u2mc!f>7$6o1zSY}tMp_CgxI(u@( zhtz!1+4Cm(Qa=iMTo2;IUz-kWQ*P~7)@?d%7QAEVBqh%Ko9_&;oDI@OTzg^k8 za={mU#7|aD!-X>Oa%n3Nz?BHje5n6Wgz!HTuiI3q)#B7%4<$>`BHuosuPSc*$Mn*!2F*er$Rxgj&ktPrJfrDh^o5rmkLS*_fY*RH z$jwoJxI%O<{~6&WdgNBss&j{RSCE3U?jM2+tm}A(WrPJ<$K`Rz zN3aQVD8%cTSA@x-=Y~je!4kNAABpXFr@V>vz(`_;BTu_~*|VO+{DSZsP6%Ud-&5fc z;~>4Km$=gWiUSY!%J{o+M8idGR7*X)0O|p1*-kzQp1F^*Rt@{93=5Yu`x z^iG)K3<;LH6Y`X=Pl9{DwBJlk0`915&-Q_cB`Pn&?=^k)0%K1% zFqM#RuMn_=TGQ`JXSx#(3$B$9b5Jrq8#rAZGne>@yBX&0RCHUE&(OnD-_D(!w#+;w zZTfx=GmHGiIN3LxMf2Hgw|dnuW0M!wi|ap2Zkm*K-g|l$ zyNOto6VmRFK%0DICh;eMu#avwoCW>?P^rBw1}km&7dGdW=xArD_C{_LW(bFN(R0k~ z=E(lszjLFG3V>>G$a!@W^QZ$@dC}hd`i--*De4>Z@S66WO$sok_=G6Aqb>(If}FGy 
z#1_-jD;}{45Jh%E^DK|cL`WjiYsJ_Q@5dH^VW?Nv+?@oWbF13?`276rPS1+?r_E6K zT+tV&P!~6XJ^>cLDhG=c(Y~oYebuyYH>pnZi>lysP@y*ItFg1T&v5E@2TFCt0sV*v zKkw3Mch_wb}m|m{aiO@*EK<=fq>~Gn`aS!AK#fF8{o_j?9o_ zb8rIjHBM5tI>xojmCID15B{Vuw4V|E@@i#|V*iC6>vK z#8Y#Z_(~SwMMYw0Vs*#m{ci{7jYkgrCzI>a4oA&x+Er>WZY-%Cah0y$97?uaZd10} zJL{Ls2iy#npj zlqTrs^x1zR_fPmX|NSWW`XUw=wr{YH7`#bG&njhoQ?E{QGP(KXjR6xWGn@g20OrSv zHE#NHmG!lMR!DCV=@^zG@G3+Jm-Hl$>I3UZLVf#e@ya~GCN)Stlo92`DnB4AK$V)DpkE} z!r-tNG|PmHg1V?t&4pw$cbrd_z(oapBx@KcLR2yTvpzheattZ&)6KFu7g=BbI zhzn~JI~ywtGi`$+Mo6o6Rcgi8$&B^t)^g*7Ks-^Aedq!uZ`OZ%-}Q3c$}KLq7SJn$Aq*>&xa{ z2t+TJd1pscX3gT{vm3-6#Gd@&fMJ8-{GAmhf!8^ov zvk&HgjL-4y!|hv(=bAUQ59)xF?$K`5{^QflE$3tBt*YSNP5rEv!E8>9FY2$xY;_dH zA~0-RM^nU31p*=CiOy3wYezZ*Y4lV8?E^Xs9jM@{kz9!{K22{ zq~L2J@1ri@204)D7eIl8d(g^1;Zw#%$C?P6Apc@9iSD~C4Q?Ek>ofJM*n$j3c~!9v zOebwm1)w7qt7nWLswXZ*R3_gG(Fj@*M%JmQ;-o;hiuqR@709Evf=Se(j{7!L58q9Z z0FsNn+>6pp(bz!miphY1fP8m|!H zQi)R)Qx``Rf)#)%eMd?mi$bbb<=Xve+Oj3=71YuG`5^SomVXc*+Ka?RM?d0}ZUMa7 z6pN$rkDQt^B83=pMaL^d)MNZ~y24&neKMm`Z*r$qdGFq)nIFhbhV4OPK9xD z=9@-Jq?g85MhKHja*O%FvFrFac(wv&(9PH@zr0TUqFKF~*+1ROY;4OWI4dXI@L#jA z_I%%1I=u1=>_a99bAPsQx6msw4=yt(eGM8SEzpe0Vaz}xQHvflwWu)K8x^bMaTt)l zgM2N_E+#53PlC##V*5!>Tdq1OgLkiy+zB)#mj*jEVtL%#vus~JHhVT??5#*TcwQH2 zqt`DEN14TrLR8pKo+TV16{b&i-8LnR4w=y2%SJP-G?OR&hX zYKj&RD3ls7+IzPC2XkUh_Q=_8&TgG%>Q`ko{n_*Tzjs)g z68^cV{=@alTF(yZ-t@`7)5g9bXl1mZcPM(1@(KV=EYEUrXA9jCk`xf$WN(C9DalEb*%ij z1_`I+L0hrPgR8Ecvu9An(sPW}7|LT<%qRx!vb(NFqgS}!_8ws7wcu%o8FCQ4@kv1G zqtV5HfJ0g;%Xxs&QB};vVatp8eymByL>_{Y z1N_LOpvBXKA5-}9RA7)Kx;Yd=S_&>Q>EL4}L%i+&O8p2QYV{z7gQ|(d;ef%#^=aoN z#>rhvxpw=Vw%#JUnj?@rn&_%T7?-S;K&$gWVVWLfUzvfsWGrRx;LZewGv(m|vJuxa zDUW_#J=NvL)12=^Wa>JR%r~(XJkISr&Q?)+Ty%k4xGU-M^7;aeKR?S&W-cKEvF-Tk zC-o*rwS`yw8;9+!*YO*J#ZC5ppgRoVt>aH$hlUN@0miR<%nqn>hyl?J zvOGPulSU@R#bXO^J$@(xYt+XTDJ zOly+t3cAKmD$SrdQYO004jjQJ>H#k%e=x)iE!{xR80|ewl14xMzV}VHzS(|irB|d_ zH1oXXnAtsTD(wqcxBGb{(D=5lI%G8+9iXS$Dt*`+sWJxr@dKfXYTh)3(E%y~wSg|U zF(&CA!jZVIZNKQIWZjEYQs2J4m;7E%xEx!$Ub`Imev9c1-;(f4Xq%5Tvmy4*J1Hu~ 
zZM#{os7EEQjxk*-JED=_ag(+_LQ7%;T}jIWE6z!0waDACa&4=SosewHRxFMs*zv`5;Q7)oh^=+{*= zsHY1re&4Jt|Mae5)&<*Qt{!NIK;U_$s>J@$m8j0r*}3=oC9XH3EG(oG>xZNzm?|(B z>pZj~0U3*k=m?+95Ksg?8kPYL)zOuat%Q93S0q&b53HIASz?%_2&)#{!zm-$LsG9k ziX!eB8WAXZ)}U!EW>hG|I9_k9W22A=7!(@C&t?E1CMv>Ol&v6>&KwrdQx;LiA%>bY zYRCpHq1hk}=EL8ad!L8&tw=yV#{$>G`jppbt+MUiWE*BN04dD}wbb1- zOSM!_EphVDiEH`>DLQT23v>uRH9N!1zclu{kX~S|7V4iEq-8m__J{+InVBSN>)%&% zoAxcy0e0KF7)i>d6o{|OZo4~}58JpK&-nG*Pit*8iJ9N~so9fH;|R?RQ{ifA*1rq} za9Itwwvr4^slyM;&gTDO_~xCL-dNAIui;^r6WfOFr>6y%DozA{FHRKAx=(Dw_ltw2 zjE-W{C4RfYfrr5lTA|N}PwktRBpv(VV*AVQd!LJtw~wWM;fH?y?lW|IZ1o8ZPUUpo z;f_d98IV5FOFGtxTvIs9prY?P686EcYL^>x#2#anXmH=XH8RF7>c`uv7vvI-f98x+g$ZFF`>}mY3Vl>N_fT>*uKzM$fJ`vSpgozd3c^H8E71l~dK= zDtWBg^VV)_NRpw7O)GDS;lhAvFYF2-Z|?k|>`};~=FcL<%P9-LO~zHf+-Qq*bW^(N zY@vh0I77Z*o(sX~z3r*}QI2C9&ah^Ktj3(}4e!=S+e?SUWUe%VWhI#5(uI8}TUob`0 zuwCxvceXHXM+0F)hAgdWY>c6@F;U3Oy{{of4ogP?0rzz64;@0A%O?PU#=h(46iqUN z@1&GWAZ7_OWN(R4g=P_jR>NlCy`@CTj%Vb`dwVvK|B&7LId3&z*=4sJS0qJ|DreHE zjGRmvHdeK_rZXps_J}k6xm>jITOPT;hiV&%l0vKXom6)_p!lF-@o`Aao>p}7<jN z%Gm#osDB{Oyb6+9rq6OUtL@eTk|2-c!kV5Bt@fx;EH~+z7YnNYvsx32ycTl0Vr=Z&sMvTujy-rPg@JbaLFAm+RR`K5QXUofZGA zqC@l|Tc<3^@u6&#+Q(15(R`NTH)z-t!B9^=C-}9oT)r}Yg;qyOiueKT&O}*Cgf_&U zZ611RGsm$*fr+6!@Q*23kK6%!jlEQuX0jKD_jdg|sYA74&I6F}*)mk_;-o|}=@NF( zc_B8MOvw-@EOX-1lGBFdOizYsXEtz>DMe8vW^*x+MC3#wHfe28(8PoqpMmvHf5z{^ zvNw$Ewa0OzGDZuCo`GkRf2WS^^A6hSqn)+yI35J~>i53mUnAM^_8dqlQ13`;I~;t3 zogCTHHY#~t^h(F4z1NNyj9Af16(Y5IxgO9vzIaaYD=B^AfI8YK8qF3DDu7R@%z^dN z#|A3*k~_qGg5;Id%H+-aN>ee@nJZJJ;Jv~Dl*2$vl(Y>S$v&P(32V>{X;HB)6ik~N zkHYe%x*x94)C=(f7`LWxZU9*|_w_qVXXJMQ4ux6O#0WJ!vp~Qh$ler}^6k?Dtc9P7 z1`R$!h8b6L>;sEf7CsE!c0v-6E#Oo5XW-=g4Zvp~RHzqvhP`5kVkWV@usRyMk(&*h zux9tlT>6JpGGU|v6FT1aR3u9DGXM@!2}((6hS=zR(<#DD_)c3N3~k$DMj;Kn#MaR> z84P?K3g8)Omx{9AoxhC`5ajCBY`5!4+5+lw@9KT2*_}c47-R|#iGqmshc+-Mr}wo3 zETYkE3;6ZC26n41Va{1^e7FB*6AspnD(DZxaDm_hBb{ct_ zbHc)#wx(4}Wg<#6&@WBMI-#gPVF+R)o6~)i7VUj%dbCGFU@>en>xNjixdkR~aigOq 
zb=E&uL^GoCFS=N)i4StHV-tJ;9O*y;26CuL9l?_j6j3~O7-2A)MVS!RbZe2u_gX^= zN{N#<S*!$r}POHbjAg6gZ?~8GgaT!>;k1 z`}8ZRp=~o&WM@~0fyO3%_>ZANZwi3vEFZ*4<5_#kO{ z8}ymu6)st}-0D0OV5KA6e;Rpfrz%gGf(AIJm^Zdg&!@f;)YikkWN@Qb^~s4ipU(EK zx!8BUBE;&0S9o+F+uhX88bX4PQI*Rxl4k|Y+#VHdJ1xIWz!4L0H!sdH3+U}+{5cJ? zGoZg1{v(EzK;o9eZ{j|#A?iq$7_-Hw>9j?|hAjiZ+^@!Nv4$lZA=ca0 zFDC_NJ#zd?(OwZO4qeCx_K{#R@2za^lv5~`qC9LIGw*y`G4VWqy!N`=ZJqkh-l&w4 zGRbMCet#)QT_T;)U)%;BKoG!nakojN0qv~|1VVZ6+Yn&V$G(ixpno`5fS9!fQeHzf zLwT;0MP#{E6rXf`MR5Nk(O2xHtM+w+$mAA10iRK^>?ZN8(~Cas_1;z%s!q72v&iP< zxIUvtej;&|um?PQ5b<6xYY_@niya@=?`WLh-g}1SD^HKgVM!3N#j5y^zZAS9di%A+ z1CnD#)ZNRJ^uQ`YyB_(jUz8(P2*iW$J`U7J6q>r4t4gb4^IKu6-ND=1Cq;25YQ4i|E} zF0B>I`M?_Qr$+2;H43}wm`+UXbAWlxLu8{@%RQs4q{9T~uP4X79Ra#$p3rPKwi2_1 zr3C^b0NYq@o=H}O!#Va31IIHw)FCV;y=0WN@rlE@0IbAdLChI({wq|6U6%0)b&5J> z=Mgdh4hRRrO-h4nc#n+4q<5sDEd&YUCfti{a}^lI)?19;@zcQAPIVVj{iHI_LDy9@ zqoTW&00~PgwUxp7v1O+=q|| zE;c8Ahj?oS)u{xVAYUd zg6fDJ@zh;c0xfaAwh^7MF-=Hf;bx`Wq*c}06eJB^jVrTfk;7IlC<#@U1KG+n9hU=j z&Zi&VeePCkTN`Tx2`veou-UMLt|WXPSRS6}s$HN+c8-@NkQLI%)k8uA_*H}9UFCS` zq@r*ZS?A{t%R6@;v033CbxZHAJKERtrhw3I;HTeAFKr1eWz1fkC$SXg_)l*wFV2ps zoDblD_UFkYNm_?3EN13Fku{U&0)BsXx_~;k%x=KZ?^p%a@t$Ba$Qfj0)o?&%xwua# zmn=8qRbAZGbx=*;81_$JeWZ~V_-zzQ>m#@vWICR1N=jPsv5#ytE=*(rpa8PXEIKtF z5HzxzA9iWWsEZ=~I;QY%_SHZSx|bKMHqu7AB9P9)1KE&*w>~fV$M3iPRthbFOaaFR zv$aFIv{4Vp!d!fX_z2;Hh}ui8EMoX3drZOY0H=M%kC3` zcooVtATkB8rxE%hbcUV#wNOl=4s5}(VV`Umt54KW$z)ciNl%%CR(*!H%ll2{jX*AU z2YoKq`S15lWPwQf0a#>u=;u@Ez^sgou_PHyk_uHRrn-*yDb}J3e|5YbFWJ2uZ`S+Y z*E^UhlIi`rKaPn7;3Ax2=(vOdeDvXs7G2!?C+;DJiUX(LqgRuoeM}F+^TC2=%p>NE z|1<|6Bqk1+QHjF+BFq=TKe_?MQT2GSUt?(z*6NjQu~%o7X~gz*nlT|kV&0>^9@j%U z7IFbQzfIfsoRjWpG z^@4^UCqEkmMpHd-nK0t=?U8^mxgghzf|(-p3F^Hr_hWv*n!TQYN#9=fZ+wZVxq>L& zcj;^Z6;2~V4wVYR3`Cybd5l20js1;qh#gp6*^mC?Tf(2a&w%&PxCG!Panxj*HJ=nA zF(RT1&hkrC=>|yHVlmhKB#BIwf@(&3i;Ng4m&E|IAD)P4+DjxhZ5OJ^gvunV((EFN zHxcq%3N<-v9}&9(gT3S^%Kn5&nLlUN{35mu8=vR6LakYrP2v4-W9}+3lD}bRnG=en zyIo;7)5i%7&F4BUZB~m+jmmw~GBZ;WY#jCe?Y=GJbmSrMwlZ&tHm7U2JG~IyE>e-* 
z>Dkc%QrRkP4=k0%xOsyvy$rF#9c-}eo(srB778?Y7}vT{i)2VETdEEc>A%Vbg^Brl zQXKD$O?98-{1mA?sU&q>L9qmgWFau-4+WmO6XY+spoTkwL4~FDK&5(xd=FoRHU~A8 zS}wE)>+?`o%yJS-_7CT?+(AigKZXYB<{V+}L9yu6gcQ05mGbw^NC*Vjul12FoI@a| zsjLaG=IMiDoQWjh4+Nb`hwfg6PFv)9_uejKKL}Z!=H~=@!<{3lDUjdQqj>af@*!9G zQs-ONl*j|j--y8(at)+qeiz47QWeOyUBr6|i9Mv){$1_1D9;vJZZ+Dyz@>1TCpq<4 z8|l4oMda?EsA37=nNJD^eGmD7jhM+lw($_?|Bgip1J|gD8vHnPVCG!Pw0I#?5|b0E zwoDKv5O~s$5NUi9mJxHa>UNVIAwIBpA4*@Z(7m&muTeQXSxRirhD$2xH`^kBO z@F2&;<$YSFVeiM3kIo82w5dkI_e69yGR0L<>{)jannQNQ)6hLbVkT9` zU=&e8!2+*qd}Jxzxzg+ZT9I9gQH*sKj;wzZV=}e<27Mma-Rgy8T_&gXCh1tPDQ)x4 zWaw8}M%A-)qbtOWmdEgITZTKG0~efZqkuQeOeUF>G`Nt@x+G0xf# z3~Wktef%r?plDFokol0020pLSWxx-*3zm><=EGPzNRF_!L3WsT&J7wdUPGdt555vu zY%@$JB5wZbRIQHl+7V&cN#X=2+)+@2r6uJaz`(C$=?4gA504*iY3?6TCCo_I_P89a z0+cRFrylju!14oWwVXJjy-*29fSiKA`tyzzoEv^7=>akYS|Q$F0%uRz9NU$e<~pwi zrDe2xw$;cydIWv+U~Umwxu5>*tKUcj|CYLOHM~g}LbNij5IdQoOvgW%^zfe5NLvOn zuo^UiVQaeSSYpkyfCvlR;y7X0QQ*_BvGWAFWhK=KjmR6AL)fz(lDAYMwiA|oKyDr} zd^c9JUm_g%r3N2w)CTTUe0$%!NAV`#M&7fU@cEt?%`8CFv|#(ph&wY?k{ef z*T?7>ud0@2Z#Z?jDFw?AT!r*VP^^Z-TF4pIl8t)H9fHE&X{PPW4VtJXX8BO%(Hvgr z9TjE8I$ zkr{&6diQ7#UO-TP&G9SrT=KiP9)n8>Hw&1Ezn6p4=Tzz(_b9up$}nrUL=(+{xA+-> z&8HaGBP6HhpBtpObi?`zz3^bLz@t}K@X3CLN1|uI7XQ58mQ&bK>6c6U{VSNIzf=H0 zYxRL>5J?;PlQ^Ef-G>k3mli4)uAnF8uN91!94D#YY%EWF-)Hh^dH1A4v7`BMXlJ3q z))81GbLa#z4+*kSOjynLx(@p0<2+gs2KIm3k#(RCKT(!)i^c2Y`GX8`#p2b9egLgX&yk7SR;Z@t}~Eozh()0I~c z9}7(h5JR3MD+~fF z0#ni3ElhVyC4(N+`;~nFxsD~_$4p!g)V8e{T@Tp9DlG3=s7I8#&ru4tHSe>sU;y{U zxA(B{?MW-W@n~WK3^gQk`%3VL0H62j@z}eetfoW$5IS+98;oghk<2_vu+>V|{a$tv z-<+lA;O4SoZM>}{@VfM*=cm5X3~N2RMXn8Nw`LskvN(DyJsOga?pO&%8_4bEKrR!P z5N(^|9InV~RA(j&qw)9Wtl^=7#i3sBjm9QCRJhuU^)xJ%c;S|TTT>BL&T`IQW5_`t z89ld@9`{@@kyz7w1y(<^hVE4qB-i>cA^yC?#YW=|VWHYP$WYKN^>ZEe4XHh*P`8(e zpV8DkMnhsO%ao7deG($&k!q2+jagBOzX(7`NSh-`g~_|gF>-V^vAh;Eo17FT(-Ml0=(m0f{LV0g zV)A`C9q(+914mGFC(zu87T`<^@Nl4$kd_rEa&#~(4=npFB(Iv&QAQ_QZotfK>n6`) zY|kPpVrBr8Q;`2!at^YywXvPB>FI3lY6}pT6<3y41*nRsNjg(e!%)AUd@>0s8af6h 
z*f~0wxKab0jR8dVM)INx@)8CBBNu=9QAHVU z0}d7gSutrbb#YNCQE5>FRSgAIIcZ^822%qD4+nb}S4T%1Rx1_<7AsRz8A)XYHAOQ= zGn21h^sWGU0KKi7sTn;zz`(#D4JcHxnfrVFWFT5_;pi9Z=o{oXQ*1-S=p4e5NzRxf zE0mL;Ts9zk$Wr9jWC6`lQQ#3(&?h5(@K7jKg`v78kJR0@Z+pkH7~V^ZJyybj<@eKl z;zu~xap@ps&vZqZa{-PL+Q}DEuyiw_2XR2??b@z*AGu1SnL9@$7DAy0mW7CbDZ-R4 zif1@xYi}FGcwfm!Tj+N(%|W}Z+&Z^d?jC0T;5H=}-F1PVnH3(TODR02k43izU;Ag9 za4RU%UJ}^XbW~&(Q~%Z=7LFuw+J3LvZI@@lZoy#dL1sqJ`2{+4vYJf%z3YnDW*Pr> zZ9A-llF5Gh*{(ghYB!^q0Pxhn;;1H|D=b@1fh`xi_;At2k@vliccO;A^KSDP*m08O=@t-O>6); z-gDYrKJ7{Jehd8wAS?F4`2iTzi69I@uHV>_{$?PhuQMjI5=Ck9Yj%v5vFutE!gG=U zk!J-ei7BR)Ah?LjjtWuF!C&!6cpIJ33Hm}+y%D8u4LhI(nY3!YlsW+)$0=MAfXWPc zuA&&AlviEaS%$kpv0fsXh!`W2EO8MtIV3NG(~0b6H-%5+T0y}Z5vY6N$ga)W=yZv- zl~GIIS_E-hGwIC!NE4JDSc!7Bq=HH2{xK;*Q~5dYiH)0L{k0u(rh-v80&0T165Pso z9zv-At!B{up#PK4&PHDe#&feO-ld3iXuXsEKA*ZHdo_QN=;u z6nPfTz{-X=lpd>5(YqZ04MzCnuFe|z4NrVa^ zi+$@q=W7vI@fh&CSaPbV@#CI^4OAsb=j0VwGxRDa;3u5`L=0ksszkC?fFAeX@wA*k zb@*h}cpxjpy-+r3rpLI{39cm;20M-yGPuhcCNp; zIUc2mUW#G(GEDO%EKyBIY%m#FU>{aJzOD8tWa4bWPLTI^VJSQ6-!rc@b8Lj#(9iPw zq&v5Azc7SGWvGyp-1iQV`D*MiA>Iw!v)NgLVNvB)bw~!v0nr&0E|vlmPt7KX*Fhqg_rh z+}=e^MkS941PHfoi=J8@je9-(up-J;yx?1hY!VTkd76pb#|=qrqY#cbi=fug!p#--`6k2amn;l6>2pPi`v7-AFb7{C3)RqWdJ|7zpZm@)u1&J!Vc&P|g=#hCp~^0v^x0(*Q?eU3TU*V-}-B#%`;lsJJva z-?I3Ku6)WCk2(Xiq*n!2Ngj)4r521vYiurGlsxc(Z~8!(D;yHFuAJ0rUx1i>&V0SW znafrP7CwQxn$BPMo(+n$zRYhZCQo)BQCY)kxmTR$ze?J10NF=1L1M|yKb^Wo9|=zaP1BfIF5r91VZ)a1 z1aOowFE7zX=g$pD)<9LSbt0yad)?PIsgJPG-mx8_!=WsyD+yn!iJ}c>d@u#Ew2m?V zdo+h`^3k3jrv4SpKf_gOSqE)vuM=Pxb){4|4VKWF6T+-Jb$&-1NKy4l13->E1PfoN zv*XcD^uHOnIBIPeZVy+dHmsngq8lT^d8^sj{Zi5KQM#a$^Q-WN)m6I-tjnz9&1Spm z<@PsiI|HxkGyD8ng}dYw?dywebe)O&olMk&Sb21(S}Soukys!&1Sd7e75Vxh0uwOE63Drl`>oE#&;e5U=_*|FY_ zVKFZ0jT6_;^(-lDo|A5Zv1US?4njn5f&~xwymN0gixF z4Brh$;Le1_m)RnM0L{I;e!~7tKV0l{^n}0!+{=8sIqx$;fb!Hmn?Qf>POPyzb>T3i z#0mDlhF^L^AeF5Fv$fWX3gy-zwH>IYyQ6`t?i}5GAgVpfgqTSUuyr_{G*Y$PMv~i0 zn~X)SoBc*--7ZG6EV%#ovf)q(})$^yM|qwIR~0QF;r*wJHo_N>iYFvxvOjgI=BC 
zC(yryN^Y1>rl)jPEzsy?Y1yTTTF92tj@-l5(J?i33Rvlf)GaKm&18t&6xi*{i7;0s z)O{r^)YNZM)qhA}G+E4%7VoI5zp5r+l$)y;Ymhnb&0zaVa|jY1|7~7})KhLw@k7;% z`Tqb;K(W81MSxv7yfjuO2$qL*D`P3=27n_Oh&&~Z^8|Ni=k4I}{i=D|?l?gy}UFah`PakadkaCocX7 z2LSyIX)#Hm81_--+~$BFg*Sd*h%FmY3q%$GbipWqcs5!CmdNIT0KMCn;S1b3ncT8G8qWUYp|CYTFNAJbx_zy?Q>lw*JFh zf7X8{-S#M2WKVPoCKLeSpT4(l4WV&Se$PM~P$--56c93qQhJ*~Y7kz4CJR)b+#8a> zJJnWKDyyu30xevT-4{QPwPD(5nHEGt1sx*>{|f+-ppo!9U%E=N%=Da2-69XLC~+-9 zzI7`sKnYE{&9#R6AOLY^@5w8&0AUEa zyDaX!_lE_F1#G?y{$ee6Bch4miU+O}?+p;qaovpo5XWg(7KI+~Yp3>yE@49Z(m}W| z|6cs8?8>lS0svj!og@176I9^io=B44ZZVv4$QBj@`bDaHnTi&Bj~-%`Asz~z2X9Si zbzxC;;U1secljVe5F>|lW@=}4ZDw}&c;jBiIF_xQw#m+1DAb5u}0N7zZ>38oRThD z4zF%r69u^dP0m~n*Zx_fRtWPrH^>&)3wiWm49u)a64KeCjc3{0X0R%bIzMX&R< zpgXOd*Iq1fsgq(>eN--5?6Svc6kH{^6uL6lCTo(@3T2CF!VBf45RZO z!-K>ks*Dy_l5m*%lP-J;mec)PaBlbI^}$x*Ykqu&1BFuQ9bwq+PGMk73eozOyW=8 zLqv(*heqcYh5=9s=59EtCf!t8ITvA;S6!G{nKo`}(@fx}eAg0t2EJho3mIq!(zm00XPY=x6B(T%vy(%YORC)D0rTM;>qK`5Eny3hGK0L^V{$jVA&x$J{_dHKicnCDxSwSxB;ad-a{^8i%2X#rRWB!+jD#p=Q+sD;Qe$dp^<`AyCO{`^WS;j@ zVrMQz?^hoHcyDL02pg1@quEqq_1+4hh3q!7+W4X}2KmJDnb)!!oHmg+^2kczsttBq z=QK03`CcJIsU82dm3q7IP5kY~t~ySb$oZV2S&+bNX>TtI!DIk?c4 zdzNrZsOiZI0A1Qg3ch3%-j2aDt|;ld*Zk}X;Q#UfjTXX&XPCAC`S6RhsOVtxDU9Gs zSC{~Aq*I(Nt=-nTwHAG0v^L?{E3s-;ERs`mm+YkW6jzznD+(FT2L2|k6;R9Z*<7jd zYBr;|2muENr6$HbJ|&`7pa*H6R7c|~qt~3D+2lW zdwf?-3*OI)BIZ&@b@`0my~_o;HCYT5UKi>}>p$~xi-|q;ng!4U|Na{86b}&!|CSR8 z08@cX1r0zS)884v7vCd{G?mat3Ft>o~7YNQ^*qGykqn9Dx=% z-yi@aCT>o(5N!&UO_Ich4kmHin{34gpJ+|rW`xDfC5t$a0vjWS-_f7N{q{}a6&l;O zj}WKQ!21<;2w>jv?(|e8MzupyG^8Tnc$RhaGRTxQ-cmvU$x(d<)g%o(|2W4>Ahyj- zZ=KZH2d`ffZrQVvb$Il9UWfBye}DOGZM z0|NjZG`LnNY!<-O4LsL%3X{>&m0zd|rSuQT+j}a#z2!Mj^uW@S&DRm5TW9+enXX_1 zh7|ERO24DD$WYlQ;pcXoj_fTN1AFpwLfT`SZOs4vw>@dsjBF>S0GzwZ8G!gxIU(q# zghD<;y0D5@Vv(&KUnym~#jP zn;2*#g&xP>ANrJPDe-q0&cgcS&~1zf*6)D_z*wjtem2k020;I zU?hM@0fZc+LvWRZld=WoN7^t=w9c@MyV1HiNk?}3n2SdjP0EPJ;*?T@pd5*E14-O~ ze^0+RPfF_EJIa+YP1TI-pD=n<|HdBt0Bwpaok@AXtVFJ-Prkdk_j0b>wji(?d#A4( 
zG6XQlSs8@(0nJPlKJmw+0ss>jP~q{KW8|}usN0c$K{&QB*h}TsIXE7X-n3l)caLLy z5CJqmnYE->`PQF#Aw3C9OU+F}Vj&9xfB_+;!pQEQ>s(8kbvt`UYk$^4F7fl-XGdZB znbxc)$f=>1vT}kiY}I;Is!vd^F?$nKUjbc6V90=O7V9cO|T#S zTQudD1KcHAhKdn@QC0)4t6+IfRJ(bWrvPEG&#Pj)K0pn=} z3w%yOthybnzXU0qG+=lyk&dJ%<}y)b>FN;U+Fxu!>BUkNs+^*FSYzx+*x)E@0Du4f zUxTvL>L5T4#8rJ>)8psLTT5JnxZoaN&m?!^uyb(h4}&Ug)wV7Ch|LDOguW1=duR&C zxLIwbq_2t@pfEqmm;H7{FrT8Ofk;~RCO$Dcd7||N`8g$xx80E8lTVCru;1)1?IpNX zeyp5;;^CP1&A!csu^>|eXJ}OZBorLEkLJ{}4Fa@LZ}$Q<4&AVVXL-mI@ZUwgffDrZ zkU5rM{F9217Fz@=eDAHZ2P7dsc*;bGKN>rMV)2OOQ_Ut{Bf(aB7KdpQu)?e)SV<^0 z0nFMs4;-E`jga|W2jxO<=zc}O=om(r2nE)riUk}ve72QOv222DrHp}Fg4tEF$e_lE>xS_0UQu8iRU#C ztg?0dF)Cfgw`EiC${<>K{>FT^=^q>&r~u@6r2=%-pYVTcK|KzkOEgO$qT2+UP{RTQ zW@LWeY%?r>j0q#VSRp$zJ0R)KLV^AfUww~|tpNJT-^;9n6T2Zf@w;_j?`6C>AB#5l z`0I0V{Z)$r0BQ)N83Q#2c;$sCzQ2kK@Azk@$~JLtegXIpQWNQP=P!zBA_E;J1JB^s z0dg|Bg*tw78u2OeFZ2|ZW270vYxN3Doo?@~VI~3FQ+@2{8MpTjRa$4nC#cPv@rvu4 zR^Y)9R{G|n0DuOaTe%gy)NcD4)$wzy-x(0Mv{5(6p>NRIA`xTrT2VK`&OWB?hG!WI z3&cLnX_t2baGL(U0nU^&RtLibtSRT-``O9?^_KZ3B23=TY+9>U8vs-j%+&6g)jzJscYnpP zk?$}77ln`OdYG3{Y2k7Adq9WY35v+65#M_O0R8((zvjcJpRBE_dLCQ6e8Ixy*fB?l z6an;syk8IaN_4Gk-*4XZzhQY|Q*zkA#o+)YYh3p(SNYBARB7;&Km{C z^GbJ*L^{lp4!TLn3Sb!rxXDw>6oKmyQ7?FON-_og1MusiVuqsCexR8VXw;cTH|R7z zHUQNhyliox2~VQU)kU!!Tnu@0B=G{0{&(jL5~L$cGY7VaEUNFQPnA^vgebj;;zrVV zD&hwdVJ*$vvst4DT-cD^^T$JwU0*MC?uw6L+STY|j zfCV zRH8Eko2lC32ca7Yr)yRrL_v@9|BNMYxB?fzRuG6wW4Xr1DHeG7(?I}%y7?d9m@~u= zoEQ^BV}qFojBb9Ti~t{V$P-H&PWj?0#Ae*5AOYRmT98 z>8b3SDSOnvHsDzpPXVQRYI`QiUiB}{xE4p30JE*hPSO5nOa|tay1E?!2zZ+$mamiN zBdZiv{=bjQNvSZ1B@CwL$NprT=vW~40O-Et)8ZxvL>PBl1gopWJtHT0_#2iG-X z!4CkXC@?2^Snh<;F<#Rch5*^j?20+%Z~y+Z1qy`>1hcF4K{8fQM6kElzu3Ab3pqn0 zRsXcN4h+3(w7-8c6Og$|1Hsc)!Vw}gGJw_*Tpc03H)Dvk_apmEBH!lCLv^592S;Q? 
z)q$CX0Dd$UqTsmjJ`>$3MO<7eJr)1_fR6wJ0s+m*is0hjS4zMA=K%ri>Qx%pH|Ze% z{x1LrdA??T`P{p#RiI*(&W8&J0-OBXEzT&}S@MBf7WfyKNIKegCZohEv*AsSkc-4z{0L1WMrzJ@eFf~ttw zUN4;{^86PMX+~;v-u;cao0+hgvm@Xq38YZ~taESxwBa<<`&sLYt5+vU1ZGWI^#h2y z08-qrG$}d}ejiWq8!-17oiRktZ2ZjjWNC?L!;85S z%lv`>Bc>=-F=&*1S=`AI1S3&5dd2%P^vL-quG7kOB3A%AOgJp#dZCh}0iJd+HuUw~ zO@6xolZ^Q_F^}BsYr=wtQx`MC@H|iMxcU~~tD4FdwzCif64>xGG5qE`i1hu|0~wgn zv%CJkS%l-LwvlRyO*-yz z2L6Cw!%IXzz5pb01{1ZT0S*lez&b>8&^CGe=yiF)5P9@H*d&=eEbd;@79aOgi;0^p z3@BiHr7T;9&sxYiTd(UAz%8PZ-R*jVb)yX%kT{_g4kuTk5mOexUJKOQd@8?U<6dTf zcD}73i(x0iOa=3b3aa*84)82d-tmE5we58L!%T(O2}`32wdj(x;bfiAl7>UA%|`Wz zE;mQs^KO-Hmp0!Duh_WPS$v@dAka$z^$P-yDFkwOKe32qp7^>1ITr5Ti4kxsA_+)x zIhk5s=WA8@!tj`=oaL{FB*3CR4iEQr0Cp(ftYu-vAjF+E2!`hblWJyo;S-%Ew}GF2 zko;Q4HQ1^;ljpPRy;XLYhP-7R2C&Riu=YF7JU%DVU`uNk(emLeLPz+#=H+9gK=OA3 zeSt0OGobXLIYro*!j@0tLgM}!f18fy>q>kNo)#<4GgoUdUe3$5Kxj9=QT4p$`mLuI zo`mzc%EJ6(B~c!Ib95Gu{xos63Wautp_FygzoP&AC07OdDlleLvGmIW)~8UT3?%^q z)R>1C*}4_0Z9Zpcu8tVHlF!coT$Gxk#@R?y(B@#f_*AjUP+#d<76;~uk2wqmyd705 zts-wbZ_nh5Zh?fEuNdR)Z1b00>p`=o1$;b1Ax2VVQRuV*76b`X1IjyqnV2i!pUax& z7GZy@Xfju9yZ+S;neZf>Kkit$OP~Xcdgx4ygD)&NuL;?QCvZ_9$sxO5o+c@3Jlyj0 zS686w{fD?P=UV|K`~lgpfij=9Ro-s&U?YA1i{!e`r|4NjchnTXI3c`P zAY(Y|JybWGn6Y1;f)=S3N%``@K6nxvH;y>*(a^3SF*lKvc?83!p|+vuGI3B5OJP z%X)EN7{qC4L^a;Cc*M3`saYN>S7Qa5F8m@AJ;FI!1AccYy%LS{c&@sqALX`GE>=OVnsV?FIpV1AF8xcO42N3Ym8pgKFBG%uzTx%ud zoDE}Sq~(|lIXa>iXxUTlqPpkdNq9o?-gjxw>B)(}a;<4^NCQe`bkQAYw(NRmE4V5M zJ@WFfgnj97vfdT3rzG5fL54`!-7!MYo`?V`9Jo`K%x4!lGK8w2+GM%`|NH<^l|H#) zjvSgFlA0l)wuM0MqS|s>nX?u1xU`9pj`0cMRv9@_?0%Db7E-{yJF&k9HFMvHJuEcw z??oTfYfwJ`0LF!m2DbzR>CK)#%Vr~$v_hO@fjI>~wITQ@uV8CUJ-VSwUU%>3St$M; z!6%~ssNOS3v%!UGLYw)1elf!3y=DOzIVoy*nmfP*T#8?`EPWf9ZF)yd$KIi0^js?-f7hsq+piv>51vBw_sAgy$6 z9Xn!+r<<5r_d(!-R4O=C0`gtIRVi#bR9-l8b_%yP7v4&iCM<7Vo|wOqlH4iy^c}q@ zniPEL+A$Ng@VLMVV6n~}eu15OLmhmO>JDGWV@-kdH!a^-8V#~Yu%~+L>=|mz#VKT>0nbpVq+(osYqq(b(YLtt`7%)YyZ^%L~WbId#DAR!;>fs@l)np+B8ReXS=MSgp zt8yeTN&dLr?7>F4u^5f04zMtg_I$q}>qDW40QCO~{eu4x5(gP8mH)`vcw-O|?Q0~> 
z)pPlGp&ofi5&xOq_%;-4$+5K3C{sm4M=w`YOjB=RATb~SGB`FcIZjDaR4+9)GdM3V zGj206GdMRkIWadfGcYtYIW{y32`?`rGc`3X3JD-|Q8YMGMnfPqHZwUnG5~fmUv6n~ zcWHB9aCvlXX>)0FVR>X?b4qGLaL5=j^;mk1?- zoMcf?*>VFzd2A|)MdA?2U<}PL4pGJtLX-dz5t$nqY107(bi?8&p_5Uj3&l1MY3Q8M z&T_QRi!^5pv2h>}o4sxWtY+Hjs}lzD_U9Pu$Lm ztAf#p9Af2sxMFmMf*uXcI1ev!pNoc3)5?7a3C5<_#Vn$QZB`Zal%V{G_U$Z`lHXVV zIYqX1LHA^#Iy9QypE?%}ZhE^o3<}$~G!YvMz*j>^Nl-64ZiXsu*>NrGZoMWa`2}ev zppiw6W>;ki$};GzH-0^1SA(1GFnQl}Oh`p zMwHw$_@vZpd9NVr^)Q-ghaA#j9yRkXu@clxA{eTTg$*>GMUEg;&o*a3VTZdK86DI& zIv{7G2%|hh`jh$TRLwJzzo<*(XB_|%&Bm4;GSJI}j(Fw&X4@1Kj`=WDUf3`b%SmHy-7Ca%w1}xXX&kS%c=t$m(&VV!4D)Mt--S|=rX;? z$aKRZc23Xqip&yl<1nXCVAUey-`qWW+5lrz6Z)NT95Ugl$8oUdO-3%hHQ4TE>$vi8 zBT{`>hm;B<(U`1gmdJ}4{_<#CB8k*5Ca_X?;`jth8vF-HhD__XI@({@9gn+i`I6o> z%8ZG)rGl#Ec|0>ko5j5GqXc?_@HG0w-jrz$inPkFUjkVmg(3QZ2J*e0d8|a+2XpN- zi@PV}5d)ssb7_)7V-hg*kSnJhrXx<-qS_CeDTIFHLhuixx+j!~tiX zd?&wYBZNWoM+EjeHQIyccFp((DF?B$!K;%?H~}#r_^q+kj1(p|>u|c7T*O+k0l^lC z)|*jvNU8&+Qz4ZVk-KTuFct;A3`w7O2*+E!+`AFF6wG;Os#j%9VJaedZ#*WMlSt@^ zNM6#P6Y`oO4buXO@gE8(UBeq$&~j)9+lY~?lfMj`S$sUSZY_^wO0F6I%ID)k;kbx} zqkh%-!S@E?KWzSmVhH~D@JmoH>sUDWEcIO$(}k+CZ(QnylTQgpM5u>PYv3#*%8@JoW<1n0awfKE%gPv%q z_J?j1arD8xp@pVS)A<@&w8ZLVB<{3;dL5V+#8tj(@3}BJp;u$Rf32pkRi{0Xz*zc)_5xOc8-LSc?CAteBT&y5N)9gJH8$z9P?x zv$ci5`aWjOSO|A;Mo=_uFTip9MrY>G*ki%$kzeZFlWN?0bdF#gfK#WYdFGz-h8P2L z;Ul6@l9D@U-^%U3*{jn(lL1m`_gq|BD7^xNgBFF&=gg%a6viM;m$IxAoM)So_0rGW zkKX7)91K081l-%&*sSu<_r~TO3U{zz0z=@wtwEES?)Pp?^vJN$0JFaor^MG;Bk3RN z;N4`|0rH&|Cfxy!V|GZKjV#N?aGH!a0RR2&ByQp3aX$WQ`NSn2R-|S;D8SFXEq1(1 zr-uV_6_;5L)B&r`9Y^ke5JQ*G9~Zq7&2(tg`;;l-#&p%MuTl9nY;Fhud@HRZccqEr zi^h^zqZa||))UD5gN;ntmZST>XvEP8()*crv>eUXc_Owfur7OcdPorA9LApW)~!CD zo+W_f;?b)?jh->PI64+Zq2+ok6q?Q#aTRf=J2Qh;UK#c(Rfv9xiV!C zL$s6ai$>NPbfVD00J6nA+Lk;s1S*JUd`n^u)_o?%G6@kwpl6?mC@3+%^k05Ew6NhF zM>0dj-%<19Vcgu)>^ZkW&nS@>z3CZUV)q|;e#vMKbhb~>4Tqwl3<=?C7Jf7zg)Mlh z6m${phm60Jj>~0-os$kjSt58)Saj_Gp+i1uEgBY6Jqr+p(+f<}T=kIB+sJUAU0|w6 z1u&)Pa)BO;^k|9+n5qag2M0#30S@2U@$3X)#B;+DlM10rl^QR{dOV5Y~xg=P_ZT_ 
zbn>EXWRT46LY0L8jLFFxeavEt{g30&ebrPu3_QdeQqJQaOCg}+1Cafg{YVBj+TDzm z3~85q4j=#HU@BrV2^f@;TFX63U?X<)pGE++G zVQw|(3Ve=aO>7x{wxBz66bWZY1kOx%h_n;oH)OR9WTBV%(_H4XI3#CiWDfQi>l>qQ~UlNJJ2w8 ziZBfYcRvwA+(EyCC^U|aThx?4!B7jbZrjZ#=`IZxYsL{FmYE%e6(4UgeSodr$zAy3 z`v-PF2Zm0qBx#A;t&MCi6^vgHjbAxxgi8?v_AzihLqlepBW~9b{%q-VwbT?3GxHr` z`7Nsin>hzn=np}q29Ro7Sc^HZ^kSw!1Q#op6?LwP#J2`&70+R`J9Ze9_wwZgRf-@ja5Of)Ks5fQ+Zs7bEU?1PK zivbob5=gCmd`OhMBbKhm`+}w{DQwF4pD-@( zIEHYY7zu0&LCtws>%}P?pbrq8QHyT_eFT`YSxtQ zkq~0XHjRwA*kb%g(E$m0=CU{s}BoYZtkj=q>Z6ye{ADg%6qW7?4IMW2Pa-Jn{&Ht%$@)m zM@{2UUfKK|xy{zm{axE#r>;0V*rmV~`yETh}iKS3-&;L>HNc&i)4K=sf> z8n$Ie0V;?d;g(sh}=`R7q!k~4$Svx#MYX`$P% zb5HUi@+3Rv8z7o1Jm{rw5BuH_#28xxbZ`JhY@tU0Z>kPlw9hV^S_!lIK%$A8=>TyR zKq^=+iaoIP5y&G`Y0kYq@z;`mCJN+WkwY3OEdH6c!(^Af1EsfusuK zhsi-drLO$G8M3v&aAEs`#T$i0?Zkv#t){PI0OB}MsN?B$9zJKISvkESR{Ic!Z4?eN zZlh#8@G%|T4g`_hIe&GotZAe9Oy*t9uH~OE`Uzg9o<-5}8UL+as2fom)l5qg?V|Fk zTV0#W5-nZ3Xg*sh>P_D?ha4XIcs2>_3Vl;G52%OOag7gAqmPjM5a?z~O&-7vXf6Il&xOh>u z<I{E@~fcngW>H zwD(l4$HSI9G=%`MmbhsGQW+bD&9^t*N)zMPPj>NI6R~rt6DKIZ67VI&h&>Y#GlAna z_Og=D0|pS4*ar_SYTh8up}uzN=%=VEA{;o=_+X|Dug| zQ8b*DI6Rjfpl*V;(;hO~W6fbqt-+TW)w1g`Z7ILn#xiB&3e+78Vmxe+YV(@5g7h zf4(TRN^61V_@HEQFs1l}Z@(1S*FD9|W$1?Q=k|nNKdV+S-8pXL^#REkj2QIH4DKT| zCtKhO`{8TED&SVXYbo&(Z7(d8!%6CCl(+F8rh;aKLZ<;S>rJQ2UL7I$CKmsDwRM`| zHHVddoZvAp4fBM1@}+jKe{8DR>koLUVU4Qj7m)A|QR8S7!9FcU1VmxTCRycUnH7Sm&|rLS`m_;^3&e(SY+HL4eP17f+r@OqQw+z9 zLd2;QqemFbVG!%%_E}tjBADa#vb_YV%+?;c?Zy-U zTxF48WDlG)&@BZv#duTYs<+u%b|?}7jq++H3#${-Ntpe8>gAZvU*3SwK?xx*JlmXM3Z9Q_ZDc*oMA z;M+dQIZ$&P|SSSxK#VUP__)d=p6Y*%YY~!yI%e933jIVVI*& zp9--gDprV>B!(laNjJ2wnV>vEu!1;Z`54^j8{o&?_5h~x7kME;NIa1->n9+cqUejB z1fCcuo~DbAFayc}$l$m1@}MMk9; z9Py!`u@^brMp}sp-@uK4r3P!fdWP}cvgQ^MQjRq$8fpqpchpvUuvnPk_J>=z{ACj` zY})^r4tTmZMCW<&DpO(!Qa=AdU88^-y?~^mUz1zD-sQwU!-!_N9x(F8h3@3tI`+M} zQ{=7e|KZ<`lmWvy@HHepSVV-4{w%Wbb(d@rU-t+2rxdNo6Gs@Lm!iExiw&~BEnxl+ zGb)so35@gD&mI;&f2kqWhNr}&tz{m4U%;8SN3!)fq;&+z&*`%k;2u zrEjpHbC`!g$JFz4f~T}`a-Cuko~=VhanQ|CtDqpbnbinfqt)Soa-{KCHx0Pt_d^i1 
z)7Q@?&)V*~d#Qrg!pIB6$8R9>>(*Ah)lcd5u@3-3=QF&;p^K@w<7?I0yafJ#+4zfb z@IAIH#ezTghxPU zafkv7j8+o`R~>fx-qO-e`shT9SbdE|G#p%#2A#MViH1}WFBE2hrihsIDBi%xhhxb8 zI@_|M8<5Q#jxsaB$$4C|(AKCpEvA_SHRa$i__?X_Y;N?G%Y1eZ?iQvo8K0>M*SjpN zNgb3R3t|_`+W?#;!GNa&4rcMdhe+HcO=y-2awsr9dVpwoIlJWH1Zk3NQGOu;^E*% z5$yjDBcjQm34N0_P$KFC_&%Hy^Nkb!o6fU6KIVGcgEXXO*ucds4h!!@V2x%)k@KSN&Aa3V{xX!m6YUwT)aVmz`Sh5M<6*`VBi^XGI}zv&`OjRe zKBUHD$A~Md9AV+JI0NuiMQbNa*q{#Ik+6<<)Sc6k6uY{xFE-Hj zV3h`)pb5L};np5k+3KLdwG#$^aWCaHQjL!3NS4$I6;=&26YtArO%8_D?O!_z&RjP( z^>nzLx4&k#`H12v3Yb$)IQ9%^S;nHW1v{En9n^m`pd*PE9w$D8CMvYop zSjR;bk*a@U<=G_ioX$YKx-o>vW^6{!2pcid&6?!tjh0uOl%J(g4qBSa;qXQ2$ujQ{ zF(R=*zUJW0=O?Z!of{Z#8EXB}fp9Xh(6-YAuqhRVjiqlF8F=Svu+#<2g?Zh*Q{H&# zW7a92iZbpvy`b}a@h0u0VeBs*JZZ3UXbDXObu2MHc;)@w110*X7w}Gl1v%!b2tvgm z@_X+{G0EVK*e4o_8H^)`LnG))SB|rY2|aZ;=w`=c&SAoFU_BIUPg@usH}a9*V}epr zS*d)Ut2>9w(RE1u;u99uT;oTcayNBZFPl@1tdlC9*S$^Ip}lpN>%(+SCMoO@pZQmk zc0G?#{@9_=qhFqguY<~lPQN-1T7UI0OzpT|#wY`taWs+;nnNZdlANxRAoa zX~&-v$LJe*xB&;OFdFA9F-(noHdU)~82C|+-kgv~#=#qF4A5g6iBu8XJ@L|!xY>WO z+UrrFl2LY62Q)5(4Ib#hbwnY16JCPQz)GnD9NY#9YyH{49-qvHkmT<+ZZ{}@9om%Bz;XXoJ)m)P7!QntGS57xyhoPKQy3A0vMp%m{db8a~-g#5)))% zOGObxR#4jmF>MfVcm5kMT)xh6f4-Kg>uD!EihXZ*!WY$?8UxqL;No%cXTG*u-+zyWxtV`O3{y zFG|~9fMMcy5(?$qY$1VnBti3!wH(Q2PaH)SKNCHISApVK>?|t*n&@;nLl8ja-MFfJ zx=u^p1IKuG6H)p08345ES{p4P;)3Nhriv7i>@xB3W}2rz!20lEMP zF-qL#%4_@Eq;{13$8?uw=N*)Qps*&{#B1w(2Y4+@Pt{EF0QnKB<4o z2Q!2kr6QBcHC|y&@Bfdbw9zs{5%bWE-3tKjlmProytA z(|_#!P^Y<9%$e)i)V-n>x>w9Xec!KM*-1=NQB}0H%A~I9WOHzCuvcr9n$5wv!CtL8 z*&Li3?A2POX}h7&)OC`Sn+-KJRb{_@x0wyqQ#QNZ@2K`aRl__nNi9{Ge62Mog%(_; zw$IpVl37Oj`v*vUEmPaaK#oNXPJabXsxk^t@F{`OuBNXB2k2+mgZlnD;{!H3ask&4 zqZ3FDOH(xo2>nvNPn&|!+#+4AEm*QklQEows9RN2A zTl$6=Q;u_7=m4aaXajl?1vb#)vHkkMx`0*43n*|B%1~R27mgt4a5h8NcS}81@-nNK zxyoVSE`}ie2LT#ZkhWmMgq6A;RU`1&>tXaru0;2G2&y$@b(N;$q2OL0W2uf(uh-Ec zKgJD{W=ip0g5mMqR8ngcQ&k{3JH6MBfBjw$gcqxmzG(D!uP*_&*Yk|`dJ}3jH}Qzq#lS!2iEOV5dI~`TZ#k z5coUAF3}u~g@(%BAnpH;0ik~i5EFp3JrO7Z2{}fnQO|%z8wO`l&7F_PoX$@d*0nGSBAv0$yD07;02i72s99$ 
z^I`j%&W69Fvs;$mN5X+x&nn0|7_1?&Zw6Nr*ahkPZ2yhV*6sOy;#2SM6GxcZtPi&~)r^_dDb=dRGrBIjs9e2_0CiEE$K9tKQ%FUbkBo-OhgvnhRjGbK}l;8dOHrQ$STzuXRD96+hM4ar|1|$sEj1yORTJFRim!MRpZTtt}w6F zTXcj0C#h#dT%t3G({p^>Zw@`>v-77LR=MK^S>*Gw6GQG5(s0^| zg%3YiLgbp=046$<2zAF=7i@1NT%4&P<>c%;@;V$3iFJp^iw(}-Znrce(W!}%>W+(qf~C%fG(iC0`+Qlfljx9V>l@Nfi{ z_|ftCcDp^sXGyISQq6{lx#1IjjE~DYdtEXfhp&i3j~j@&ID-!t#YT>J5TBk$&EQakv+Qm%|{j6p@rDk5(|zclSg=nw6cOf$J_A- znEQ=sftH4?(>G?D)ND(#<=^mOl7hqZI$O&Dxnik4l^V4&ql@svF-Y^mY|V$m;UkzW zFEDn5h8(oQ#z1_$U+qu33TnsWd4$?4u2*gK=hJ^WUBtIe;$ia}JH^IiGU<=#QBuzU zEjdMz(VywTd7>f$xUz zHaMp<*$fFmHh0GC6*A%^r;#A;80AWAUL&NmZi%1KXS&eTNJx@Tk*=#PD!g8g0daY; zDRG(N^t9h5`V=3da)kLDJjO;8ubI4D`pcCN6O|P%FftJ(C@jsU-yC^iB{vZ?wc?~( zCL_7rEf%Zprlg~@N4ZJq4R(KlHeYCKC&?4&2(7cUY?xieyql}@@KZL*Y0>6ZGUOeH z@Cqx#(PDEO89_d0_6iSOuF&YvEt&jp)9H{rxjR!Uj%6bEhyTzeMy9;Ff?K<7b_`yj z;q>`WSMvS@t#ga|C!d`Us2Wv5d(`9em7Z5fNo` zLl)TBlrN8n{j%RUcZ-c6`u+y3Nh?*lMOQmfa@~2#;d1Ks#ty`jIY2y$5(QeKtL?1> zkh@B$RQe@fS8|vvv$PH%C@Iam{oXRSBmdj;c@Qta%KqgyXfdRb*F5HNdl}?-$tKpl zDy52oueb|NHByWNl<5r#3Cj4u@$=!c^lBIqT+1nj8nH0d#gF$xT)c7|fTy zu)`I+H4)kzP#0Ux0}7xs5Dv}4+S4qnxx5+`1~@%na=J%Qf~HW9H6Nncm<^m+DKaum zOuZ$d5G(-mxyy?%f^ftFuda-_t5xry$asj#Dtc^@fKaxH#DZhT#h^IAB)dss_6kSj4(k{Plk8P{n&!C8J^o}SQNH{91V^f40u z`V5K4k#Q2f7UHlSyo+m@R-Kt*;k+bWWcVD|^?K3qClvPkiUa<$AFP!VNEzc)py~j|)4b zT#z4^R-e+Y>E&~8Vg=>h5Sd#(^-AC`@VewaUOTt0D^~*Y(<5^C8_CPM6KZaGmE6gJ zlXc8Gkgf5S9}rXiWFoETTFk*ivXosqprJ1w_-pIxhM(5Ry&2Y`G@nAE<#$nb z`i&GmqcQ&w~)Q`9-Ssu-NmYRg5_Q(H`|XIH8j4l{TQVVJj#Z@2mJ zFvX|VZu5q*Aq&ZAx%i)0yYT;8w9nnpA6dgpHY>sM?8QGT{R(IA07PkXE3eE@>^t)R z_FtOQ6P-Z4L{Yj483&-1nOiu^Cx?#(v6|$2+KVA}?u12s$&#Nd-VEJ#)MM1gyWomL zvJv8U{K8T{zmZhrKb$25$;snbRoJjjwv~dlJ*y!}^}gd04!V6*c^|q3zU$U%AG_ks zc1+=`3hU>3qq6ne^qDQYkN-3sscH;Pj+j^ZKH+#ZI@#cyJZNMHmnJI{T(X^(zaRMH z>rPvZRQrm@H!MDAU32a1s4|9hh}gtq)uwkA_*&!Enwo9j25#B<=}VPbDmeIbOxtN3 zOUdLrf%&h!F{Lg=ZM}sU#=@~Ip>up%o-TExrtL;f>u=pTz4lfgqNle1`~K4s8}0v0TIhZ;(6`U`i#Wph{o-F8%56S(i_Bam_WKF#qg7a+ 
z&|t5Z+eSxCvB%sZBELxN{iA#)UprMX^>31%&Oca2>R(kvt=<3B*ZNcUQ(OJyyTx3e z#`zT=oyFxMu1|I|)udoQC6(JlPf|`^1lCVbNj*3;FgCvP*ZMMMAu<5xZ_p2bc}xzn z36eQ=TBr7B`%W6EsJFOi?Ngh?MMrep)nLM>K7) zK@RfRwog(F8?kwEI{+*HVp+Jt=qP3+qP}n zwr$(CZQHhOn{T`Oe)kVd%yuGbQ&FqTh*O(9`J8KltV{EjUR;|c5RxX|GXrnoVl65c zbSK@L%~Qw*5ez{M*>H4t43QnoGj@UR-K)WUZ2)EdNTM?60#2l9su^b-)cbb;44w2S z9BQgn%ExRZKH3Ed!|*8CTI%3ZWFwY^GT{I&BwB*l3G78+i{}fHNTc&qM@q(WPzJJ< zzOy4FNtj8qh`a*FW+7dHLgTU2$j$%4b}@m9sTg{=vLwq2w5W}*lEMv$xj~dE0*~Mi z06zLq5!H!jA`XTn7jFC*fMTziB>Tr z;#?|hkhums#N!?1rDiVsx@};xlg7y;@&|oCWSnqzmD)mh0wNKG$3RbOv$VkF3LHS{kBWgm)fp)GlIP)$j^-Ll_+Wt@;8J+FHbFKSLL2}yT9iifxC+eu z-hK-3u_p@ir8NNgXEvjL0sUc+uu$qKry$)FtmS0Lv!U`4p%;3t`#=NC#?zL^T_AkI zdF^HmHfND*Z^jgL)?bI1sMTWsq3d5qtTQ|sIsMN5stei}pNWO0bmDy^RX%eVJ80Hr zkH_uDiHSccG8A9#rKX%dNShd2uYpHK41*9&dC!o-g8}Q0ZdN>U0%e&aUsXA!9Ba7! zMsXJ0tkGhu8Z!$^q|W3Qk2_XCY0ecbWWjcs?WfBF*Jr`jWJ!Mz{{myzPSBv~S1YOb z(CV)k+cLQ&xwd@K&2SVrL_z228h{B(=S?gX*M!6X%XRN@7E1pF3Cho9 zRIl@R^aH+bq^qncg3BX^d59+8~{EjKO4nIh3NotdI_51JJjo;<* z9E+NTRRjRQ|4^*#rlCN#=S(+PG_Z2bjK`sBA1=CcHK9YLd$95YS#XqcBGZ^= zKr@>e*)PCe4kQjDNw?BeVDSe8usU=yrJVb)jlNcbVlEIm7S#6K!N5IM98mgG@HPrF zZ^8K$s7mw@xIoWVx#(ai8@CI%pheX<(2FfcKubaT8w}=dO*w-w0+=s>FF!xYKT1j$ zxIsg1JHurXfa;o$z~a%8MsTE&&OFr4t}j*d3xSH}j+mJCCYQYq+bjq)9CQ?5KKkLgh%npaGB~P{b5kvBX>g~DGE=5U18Bvs6?L{9dCc<=Nrz28X0nsU z7~O-1*@EH=qJNI(E1tuxA~=8H);$!3lF{p~V=f#}VdQj=g-~RJAOC1f<&A;=N6|*o z?vjgtz`B>E(v{8l@IfK`tzDmWM(qu>q4`mJGOkAk7%B#8gw%sXz_#cEGZ3$I5gq&j zSIvBcTot&JfsFPUYS`Q|9U$q(>D@YY1O7b0u5WHONJkGb!617+@-I3133i4&soV}Y z%YX}nV*t@qfpLRS1Y)hdNB4})2FZde6frq?hwmt{f7-yNp+3~wt(bL=-F6|9#8F@c zV#kacy6Q#rPcGVJgUbm=F#y@OrydTRwNg>-*+vsXVDg7n-GG#b!yyGcHJlzVeGG+D&Oyd=X%Mrc^tR)c>n_->X4Mz zf@9A^&chj_9W0-S+ue|T=FjrE#VM+4*S!&O^r>=+8eOaX4}7*g#N;a<+uOI%utx?< zUl|l7J(cWYkfw3{5Hy~icBGL<3C>s_l8?oS$4t=B7XpvW_OK~|Aolvx@$TFUw z+zuOUx8bYS`oK0Ta6eN`%P^K5oIJ7>cFaNVx1FM!7Uv^;{sK6Ygx1*jmwT&duAeSu%9dCI%?R$`a>N@V;Tvo4bQ|7X zeOZ7G)RvUTak$g{g&4~ zufxG`v`;p47kb~n5wHT$M@~DUPmlCVy7NcJ%4+5YR4Bank9%Ug!cM%oYD4D%!M$oi 
zozQ&JDlLC-OSYfC!-uIlQCHlPULK;vcLn0_3{)T6@@e_*aqd z;Ry>%0vmnScODZ^gzt}=SwO)%N>7L?xspL$pDNUsal0+6FQKhY?2VA1l-sgl)wobU zbSVSq_aCEYlNLixk;m)(+^E(-R5XQRmd&mU*4XK4w2V}KGR8S^OM^=Md{CZ7DVL_y0DHzM<#;cLGqn=jr8S<_pXtv4sBz%nrLHpA5LA5oyZEFwI4FxzKSN^yC*FCYq~}v$badd{`j%HcTHAR=W`idpT@HMVA($%>7 zwmnDj8IPK5H#~jp_2WBRf~l=1E5j&%|4u!d2SND?UTFp8lL3n<=to(t;Jj!Lsm;SW@KIbSrLNZSP7Ag~wIfwy5^awY`XUSlztF zCgHql)TcWr5+EM{As)19E`#j{@&pQ8`D3afjR1YIT38H~vS1!C)p zX{Jo4p3sA+BtCaZ#e2!4+%7-7kBfua)0efl}iz>Je|Nk97oWzqsWoBxX7Kny2+l2Bh2% zJOR!$!5v(iL(M>_w;`vZ0_k$^j38yYBgk}n5?3;PNS#1JMv9>fA#dp!*`GPZx% z;jY*sNhrYzyIbvq*HnAUm*^_AP7JL2^Ljb%wwfT*bjs5ZxY z(lV*LTvqKXnNd>4qCqIu+AbU-u%xjh z@;hEh-Oi`W#ElYPx56=jYsM*Ab~BK_abX(!6S)rbr8{=aKSlbL<7MRLlV&oQ0&6z3 zc8aIjl}+v|HnV-OD}E?crOd09h_;gq5sBG2nPPpIHkmD;q=wy)IZj%}u%5U;iY=mI zF`mdwB|)95b2)W_j`%2zb>@DA=T?!F&#a^sUE5HGKkC>K(7be_k;?4T(GPLIPoiBd zsN`utA#VCnviX}MT0OIXiA{r@>EZU z=n=wET~JuBbyGDT|CS*`NH>m{@+xn_1`8Eeb3`xFqA|sb%|zJK zjaICDlHj<}Vr`Q(>30y~cPgVD@o!ySBLSP$PJB?h#~!GvZSIhXdQ}7_IVQ!58LaE3 zOc_o;f{vnCzJuh7H>smsub?H4LPhv*06QzOH~IdTw$XIbP;9MCkXt3pE656FFND+t)Mb3*p2qc^Usc4TA_b)-sqa20efYV0 z!5R$>_IAe26PibIlasii6=EO6D5n}K;Fv(-6cLH>jbO;IR27utrKIttuZ7m2ThXwT z16CgjWqn3&c-Ilm{8v5{*!ae4z`$+j7yk-EM2U|$gZ&zq z5aYjP&b3$Mku7<-*Lf` z26%6bUpNSo{0RCubFk=k{ul}MP*ys%S_Zjq_5=SLH6Y0FlR?FE7l8eXX%MHT@-u(} zZuXtG$uSQy^O+)FxnRYH4v`R+k{Kmj{u&6H1FAr<9U=-iI~|)iA${jL^>~J6f7fXT zr!7{VPvTAY;voizmKF+2~BkC}V zg4Z<9&?7AFxEzIjLUAV4iNHtIaFBQ(kMc&O8l6(W#q2&9)pBm9^%0yvwrsKYfa_Be z1i+yO$8`5Go!)A}ky>1|V99h)pTUdx<1@)rnst%AWyKn_qAkt=0iP5RLM+4_wM6;q zVCVFl-4PwHhh^fkV852FWwh5$CvKj?^}IAR@ZyR#l*7U=0N5JR0~F-Wm(ft@Q6Y-X zN^Qnk8>OnDsWz5n(AzNL386wf*8?M;_NE932ta9o`DN|Im(h#;3n_mQNgr=Qg4yr` zmmR#}L9Sbv2;kD$V_H4b=!tN}e2z6$1|Q}hVM1~YV)1mlY-qqmdGuhTGyf8qAd3=H ziF-l8a>J=9ikOl8p}udf^lHL?qCO_WU!@0L;UzS}!JWo)mju)Dg6XGK5+Nlz&25A% zxE;x)LfuBN%*W$^N7!GFh+?EY^)4A+X>iVN;dL z5FmvHj~T+H{*ZEV5wE#TK6u-zX`kDwz2g>|Uk9xQ(OsB&5%o}}=|s>D5@^@tOa)_r z9n8vOJG0l(K_oiye;6*$0155m8Z+0s@3dQvcXA~`=6pK9H0)RKJAxD?K5-A1rYzUk 
z*NMPGb95(fIYJ>F*;M9Bwzd1bNPu-eTobyuVqs(*?;VCwJFyWLLwZVoYajOURU9hs zLSVk1)Ix9=nVsf)R+pNCM}98{ZxGS=YxzV7u))T5{)J8x%cW%zPwNBWxiuf#U2(rd zeyh>N2-}x4w%s++L4)15xdzBt-`HfJHII+a!!s5**@JF>SEC6VTk5dVZodNPNN-{b z2+~tLCSw<1g+{;i=dtxL>f7d@}sDQ!Z;;ZBxXmv*BWafhHt%Jc`xC zyWwn0vbiMTn=Fr>F>67^JKC3JI0S<(If>TurXm*hj;3oxhdgHASaMsvJfeGALNI*u zH4J;a(b!Ky?Ojh%%vB5x+8NaHMz}d5^%rQ{$pebDWkiHN2t!3sGmFTwPkp6q3-~1E zqTuJJ5r=_O`$i6Ca}O+Ws_{3(5tCfXRa3Ztim63tgGmm?^dW2XL|mqZ#|C`CL;z?@ zUJ!Sz61;(|RUv$s*-?eM25q|-2xU*9(|l=$#|?F~0(%F0&C^XgJYFJ6wmOM2Ux>r3yaOP4|I zBo0in=O5TJC4vmDPE8@$m*l^3FIR>GAFU1**dRD4+v#`DY-`^bG=nc@SfBYbip`&Y z@*}2PC(*;!;2I|x^$a5^wI|uVl&HEKj&Jx{O};Z5dz<|CHB_E%CqEOv7f`dnglIeTMtrF4+GGiC zQV_(s5J;3Q8cM~}0iZ!gSfi@tISr*?As6p~z*XiEaij}l@s@DanQdna17+hoW?0RH zyw7gPXIYN>aaFe@LrPOkHp3LLSb?}P(qu!ydI(s^nJRt zQu`z6C4KV#7o}U?^1G}DjAWMe7z=1@e<0TQ&uXi+K^Na=Q3@wxo(LdL--My~)B!Vo zE+KA>nMN=GmTDT?AT>x?-chs-6o#!vaTmyCR@(^Ks|XE;8D>XKP>ae|Gzny;+@ckO z@DbY9?;0*Nk_~tvHa(KcU9TvYG8AJqlvC)Ne4M%^#EKGbV>sHBi6MZ07%I5{VDCMN#Gw{%(2DpeA}QluW_eQ zkDfF+@zq{eT~Kt-5#BRtk$@4J2c9cUrrUvadNQ9=Tw`_3uu!H=Nqh_`8P76W05uCX zS;6g`Y@fI@IH~D2Q=}3xG>Htqib^l@HiqE0;v~O8$~GAr^Bl&+`9eCA7jV1mZovi2 zPJhEw*qe2A=buDLFg5&iijrIq=fHtdiGT44Z_GT@_=CCK^mn9=@?Vwbp42%J&F|Z% zts0yWhjegl8+?xtub(dAtoy0NB31E$1v}(9@(iAH6EsPM$xq&qG<=T-oJp*~cfrSG z$uPu9g>nYUH`Q4Xjbd+nU&iaP?g0{M4|PbBX$--SdE_#q_7$36K!FKpzVh!MVCpPcCAZ>UHrETJgg z<^Rx=_8J%M$S7Uq-^M+rBN#mW0Vict3>eU*(|}ob%TxaD>l;-ofA^=R}Qr5hlO`Keu9PDeEHrP|Q z03WQ{xP*3XXJzHug@Jtwi#is+%~{x_(evsjsCqRk>$)j@hu5gzv?=|@l!@;$jb^oa zGdg5yOKDMMj!(OH9&n=OhhXiuS?6(G0 zGD||Ds;U*%D>7`XJKgRbrty+Pm+w5q?4P$7ruAw$;1STJiE|x03!Az%sxQ1GiaDf=v5%+2#EvFJ5Tk&wvj#A62x2hJBM6WZK!}QHVOm!|w{uv#uX&ggM{}v^n_YyHgF71wfx`~5i7{6J%!<1u7*)cmP>^^q zy>UyU-17B`K$>PSF~6;e3||5QW?{fqah>5g-*Gq$G{z7r7?{ppU~;X86po@ok;FtPYK2Ed9)+}vs+YFQWv-7G&T&ezBe8%6R9zb!`2K*aif<-y+=gf zvgu1*pAP>EN4eA;YZ&#s^<W+{~mhzbi&xJUNE&Hm~2LQ3*In(hr`l^b%i*!L*_ z9Pi<@HIcFVAd!iPwA&&%EIr^5BHm9gQ)EGA^ zLo_Q25f~K|9>S!fV37t5MG-Pf3W|adD7w?`yGDZDTg2oFQ0-}9j*~a}dhFyp@AKSs 
zK=oB$jkVZs52Y{FI$k#wN$~p-D6zn*y@#&@VHcsWzd)TvDBX(gI_Y5 z?M2GH_^u{0!>f-Ux?J+*5H~PL8EQ9PWDLofa$55=PC?>9OHi7t-}eC1*iQ#TudIG6 z=~T=?s|gz>Uz}f&{AL)cFh(jj01hh%=p;814;)qW1#|fg3b)aV_|}~W=zTD0dWHXi z@dcWS+4Xg#I`IQD*+MomK>=c1xa~fU0UPM~CuHBq6jsj3hanM)gVt!6mmHsA4mZua zoX2YU5Kp9`Ds05-`Dw9VZ@TjR4bUr^)eCa2BPeMj=tD>@;UW_5We9#P!l2=S+J9rM zWfS`{L0vFgg^<2+hAKl=Y07)AwZ^9!C3rbj)Mg$og#C$i)w|DqJlRwE0zjB}UW zJy~M}ZuxCbEJLyYh%HM{qJOS&^$cZ=qw&EAdr7R`0aOcIKjgnzX^4>ABqD65O)MSp zWL=9U?DHezZmXzd=AmfV!OJ}e-O$2E#eXU{pk<{u(>EBmG=`k**_D3n2gdDKmC*)!?gu7XUDphFBFI@njbXR@y~P+voz zMp&zp8=-ArKHK`#(I6@R;LWzJ@pnp-$Pm9^+8|xyrs4`eZuvLu11?KP{a-5O1cVfa z0Fp(3;M?HSFObABCioO}+z6p=A=nPZxYouJh<9i&4OAwEJ9Iya!RxPIY8cKJ`Sw-Z zHf0wsKa3gKtiaG?SotV^*-eYSjN?@{qDI=3&M7T2WET4}X9hBUY#=ku?|#*-+={Y${eW zh*^YIm=F%-5rLEzBZ`j2@c0o2#?%#%UHf{=<<|ne2zP1HVcI4L=ZN@8Eb7wha2qmj zjqu13c*)jjPZvbav|KN|;a2KKVJi@fPz}|}0O@TL?+ph18K(wef@~HoVlI#5?0cy& zXz;8YB4;lgUy2V5523g-ZVYkTD-xKeX9q|oUUy=jRV^}$T)GI~QD$Qo`*@|zZHG+zr zhis}yxJAn`n8cM)a*K}W+P9#Ir*z#i(v1JnPB(44_Hr|V49Eud)9WOiCea)c#p{9k zLfUIiwkL?L91koi*i|WK?BIGFx?w=HrzXm%bZKE`Tc?PDW2kf=9p4A{M~Ij~S+605 zOegFQde_)KC<;isvK<~goU77gdd5N_Y+r99uIb%ZLX9Bzgk7Mx*RPUQNdtj!ju=u- zr>2(AT*`!)SQWt7or-rg#YAtco^5HIWT|~#l8Wxw`%P)tk|DDncn9F_hP7F7>clDt zGndFMPmkCHwSc&9Ei^ik)q!#QgQ6C$i3THdnqX0YBrlrfLO^w4c4YivRUd!HJklMm zd4z-Pyi#Y)&;st`C23JtsL{Hhpp>m8rQse~&kPavz}S6?Q5^9jR@^dPXk^z!x3p^S zM7Qz$K9ZcRIhROq5W zXH7cSA?Jw0(sWx&G9azEcwMt2Vpk#1Jvn-<>)?N?7J^L?j2Z}zzDucsXn!gyHULRa zI$v_soF7w;$XmO_qnKdZ6|1EDm}6C#fGzilGiBiuY3wH)ZxRF4G1x zB~2l}&b>F(O#c#We!+^L=dSzeJ=tiltS3dt11|oV2g}Rqng$DrmWn z^7s`S!qLotQn$BPM=VAvo~uC%KJ+evWKr5MjvE98Lq@{he+i-+b4)0Ev-Uo5%0R1Qu!2<*cLaOx}u*Y!MHe{pTjF)@We;QxR(&S2lpPh>Cf z-;x4(fcN|?{pJCgI?ByCCLzDk?<3eWOaRRj1Z=C-auO=(tc7* zi+8Qcg32qN>~vs^Fhhb2vxqszQJizYmmCP>gfW7N;xLZ>^B4$A5Cnn{CqhUi!(q9Y z7}^n>G-K?-sf0r?r1*!>I{{xh;St5dRp3!`TVMhl@n$g%NWQ-z-RN zYZX@q(wOAlLsPz0b0NKFq~Wnh?6WhkxtWK1-mLhvJfH_!41r>$5NK>wrzQ`Y%=0;? 
zU#tR1%8Zx=L+;~`A_MPG*FAs~4&=F6p*4h*w?#9i3N#*EopPWxb@n$iIgQ~;f_0fj z6+I###e%7m)axkrSEG*koX=0Dv>1IbyQSQ){$6vT6bwt3xKIR=`D#Wkah-Rax?ULi z2G>miK5&r;o=MEc;EiUfQB+JLH5*U+N7W7z%Mq&Lz8Q!!@yQZ0OwB~FY)al9R4629 zUT_PQGk1jFgrZ<17cNbVOUQ(aIb_C0dSo2v>Y1B{>$<5GoZi%2IwT^47Zm;NTt3V! zrM+GZ4M=pV@v%lTmq3objS;c|&puDO^5hCsk~|*xRBrtp30F& z#Pq4o&oKs5;GI%^Fz;OIcVsPV9bV_o)<{tsNMRlO{fmPn#(uJqB_5PfudioN$9a$h zxtp24sPjWBz`bb4yGXGm?{s%bE>?zT(B;Y4i2Zfsh7#fMgDZmw8Wdl8j}g>hMMexQ zhL`h&f8UVu2GAHVSEic8h#DP>QO}e@M0%Lg9UY~pJs)gf+nLRvVo>5yKTXdDLeE33 znB>%L1$H`jk*> zR-c*BqOY}@YX?0rYmIUlDUpo#mi7y+oKpbY)r`>Y%|v^{8JxPHSsU+mQz}Y*$CxgZpX4ZQJL<1j*L=T# z+!5X8I#_mmfR=e>&Kfpyg#wlD0pmjJ%O^;pw8o5|D;O&r3|?f)H;Uh)gB@3R2K%8f zo)ts4jyrGQ&B`yGES_>0qBJecX<8w|F%zf2F)cHYG#2A+peP!w?EDxwsWGY@(fEb^ z78qbs=ZVdXUd&OLA0cEssG);1tr>3c7Tcu-hc-Zj;v9c2fa@JG0LOTlX6Q_u8{SZ_ zpD5&`vZ9~HvDK>k7&SN)RR8$?tlPyohb4qHp;u5x%Ux{RWV)GXGC_uqsP3-i3T=<0 zrxO`>MmWs)4}D7cMTu$5M1RV~dGO(o9ylvD%P<>M$FGkhCO`&pK2Wg_H^pRtA1rnQ zXN?<5+orL}=DFx012<@x_Q*&&XXD|r2Q)CIQ=G4A9A-0bq`=lgAXs;r%V7X8*MaIi zjT)0D`*l1B$-3z{5`EBFDdEICy&&(E-14o@e||d3XRhwCkph!28m(FQs-i#0%}AIw z)f;W)&k>DDB9@^Fj-oh{S{rvGcWMN$8Wi#H%|KkOIKJ#VxeFn%A!`uDuuOcIYp!45f zhm(_`2LL^QxGaJ_8mQ=!t$ z`*z}wSdO@qqmlOQMsQUaec0b>e9~h}o&;Ij1HT@#S}*v!70eOfG*46lrqPaEI8lTe1z{dotpA5DCY~3Of-DX}%Wq{V#S zL|9wni;eaqwHisyvAaYw;I4EJ2Y!cvTa2fp3Iab;s39CQEF|JFe?(KlZT6Jf-@U7emz|xC zfTWMrt3um3@F-UJI&-5cnEW+ZeuYei+p(C zlL6}VygG@Da+_(h_6Y5T%C@AdZFll1MGR z^LE!EGJTBO7E{8D22H%91l|4pfy)!b~+$_N~DMrnOs(k#C#WE@js|- z(D)MFCoqSP%SmnyE^@^D7ENWaL9dj}2fmh4?0IdG#kKR7^w-jyy%CV5z8&*-Zd ziTV8-LXJ(i=-8msd*cjxtsl=OP(CkWlFg=?Oqw6uN6tcGBV zEWVZ%W4O-l1yiUQhw^?M$%8z1M_$>^I%#-#dy3=5(*|+YMr=7g z$yTY)_HAQR_Ds{OOV6{1jTS7MRoZw8KC*jq)Y80r+R}77AD$LX%Gk#4?o^ zH06U)x)x5t%dhZg`Db*K2Me{f>vhaVVqpe?s#oRh3n@)?;P8U_*QY1~Mb*X?t)Kx()++zArDi2)yk=|w(g zH)Y!rop8?SynF8)*~RCeYBLj;iYm=y{0+(5s$F#`Q8!&5cII$m4h9nU%yEUq&N<1| z#Ks+Dm>9W~jF{3C?2Pdac60MsI{J)=Q0P4LM?Z;%+>~{^FFGmjmq_OKnGPy6mRO

    v|rLv#P0A5Y^GW z*hQM5z<)Tz4Qy$y4k$xFvw9P*H6S!fIw@VkUQ!>hMxmGV?4VLjlnTt&vKB}JnQO7p z)=NA~otkEWgbTcy9wVD9VHq7p*bwwP4lzdC5LL-jnZt@*LHP<0hyJnr)25H{PnSg- zbUQR`cMjk6rj&sOAVHN7-Sc*q##g;=9c8EJ2S%Is1h?D*WhtY3j`|mD;Als<%Xg+S z0;Z7BE3kPHi8i`%?71@mp!oKj+9(Lgbf+phWF^2=?~~+_9aYw zd%|d(J|@-uL7CSSHrVWta{2w>%Ph$;wesrKUd!d7?-#qlIjp;|N?L=F!%e1{C7=4& zgL-bC-%!F|S|k^gP!4i4n<#rFA};=vP_w@cQOHA0Y}1v^Q3F1@-Gv zI8P{A`wj{oFYMOA>5pTTbF)l^&ip(rag;zBtBdLY9d^8;5)*va;J?p<@Eh%gJDg8o4huJaQAlMXpBpr9Al}OEjoc zVO;3i&WTW&?w|agQ5Lry3*#vS0RrE5L|f_Sn+2Q9Pofd5jr;MzU$%J)vXT?nY@?wI zz1KdU%4Y6zJ8#GrzzS18h_lVPm9=_Ch5`1n22`mxIQm#wmHlJv4u23`XF4qVd5|8gMuOj zCMQ3`eSPmyKR=tUH8tZV#l^p%A07m6YHOR#S61|Yii$+9>g$R7b8?j5N=i=BoSd?? z2L@b++S?CtetvlCl9Oeu$jEH8*x398`T1Xg-rj=cXJ#yPSXdNaN=p}6PES7|9v_dA z9UZHkH#Urv85ybgQBfgaKtNKJ#>d4>iHURdhKCs_FfiB))6$^eLI2y!$jX9)1P3Q! zLqfvN4hY!iJvy2tyS|pQBq#TuZECv8cXdU=hJ?h;3l9Fzfk4AThlRyPi;cb0WM|iM zr=_L+RZvj!Pf5v5mYciXaBayVsQ~*kmmMQ zz<_|@82|g*bE2`a?N(cRrO(PLR&09Oe6z35Nt%;0Wlu^fV?{=$;X*?rRBC>{+j?PP zlOqH1#F(ouKYFU_d|sG%7xxzcwj}uqQXyL4t$h5#;sNc)zE|eXy;q-gRqB z$e56jfB^yF2k!Z~-*#y!P-b=(0|f?#j1?JqnEvLb?@(W#wJ1G3Vn#%SjuRa{S$$+g z^{Kr4JIK$^OPrT?qQ=Ce>s(iti5e60EY;b0puoTYGb1oCZ&6;p*nek7#EghY#gB@L zyE-8OIyfRCW=c$Kobv9@dby*6f(Heq+;eZQ=SWWv4Hp`^)@^%xoBQCvM2(5bMUIOL z1rG`;XJCDcaL> zmFfIET6ki@PLrK|tKHTXFeWy((PVWsXGu;@@}RPEqs7Li=2K1W8T{pCp7iQ!s@~M} zCCgJ3LB4$Ly zrEW{hN{7u&@W{A0=JJ#j+P3U$9wIzE)THq6NrKDEaLKv3sy|g#1rG{}Qm_4e;P{vr z&G*7W$biU5EOb~{)2;sgb;h%^kTD^lg$@ggpkYBl%7)BLEq7X4JVbbS@9BnyifHQtS>{mD44^lduvX-%n zT^D@m-smU?zE(2{;D2z2tm>U%gSdHz?-_`en{g@Gc;T0GsucS%g^{rRXF?W&nY8c? 
zD&7D4@`K82h%Vm#s)3Knf98`!5?h7`xRD*D9tc_$2n?-plL&|<<%lvVl}?Jl09l{` zP*DHZ{rbPuuF{aqSlHf16$Ri*UreL3EYVznaMbHb=o|B&tNyn%?ID~xD=k4Fd7T#) zh-7DFei$WFJ&Hp3R!FvNUNXzseC#|II@+eYuYa8}NlxqwA_E^9W#p4Q6!9HRsf+1sRL}W`5PdQLRNs}c52B#+~Y#6CHMyE|c_2|^=P8=!zl#rhu$i5ldc9LUYg z-42oEZA3`~l7Ajv@$UiXTa05J!wv3;)8A`cwnlb3h6KVwlH#ORCQz*`@`HdgT>vs#fXqw)%m{98e+mn(Z+{T( zZ+{pH03L6D2@6nwzHfgoG=6V?Eh#G_OhHv*OCfK6+XfGTQEz_%k#Bz$@8Jvo1$9Nd z{T;kRKp-UO17;+@{S73&{W(Z1P(WO`%8A%3D60S>0R8!s5gs3Hi;7u`eUA%Dp~eH0 zGkmH9J0XVP5v_cc#9d5>^)qKY{pu?F3;!ATz;~hZuXNDC>HGR(j6VIW`dZqvD{FB6 z)d^|8kc;X%i221+FQwy`!hH{7Ja#W}Vf-m59N36V0qk6TOUY6#1T9m7{q4EhlpfJM{P)gNN% z8W5uh4t9+ilTuJU1*u=+h~&T;#DS-sG9^p$b*0xkN+G>S>JgLXnkL9Egk zg^`BBSl{o=+7*~;JywZU92;`tqtCZYTx073Dj3a>c#yNK`2~xTifEwfKIwDH9nWMu zb)c&`MM{p(y>-J4V2i_FbBKrmGbX>u&%XHh{b!&b`WO*}CFudKU{la&i=IiP6VbA= z^2L#~#J%NL_ERj70}n(@j$ao)%kj_rmpXXO3>S{03{z}ev&`>6qv`IyaWYc3EGE?! zu5!MYDIw7=B5o=rPFf!`Id5Aak#^HBXy6SPJwJfxvBMz2C&kKE8LQF=f9;mZ_<5hn z`I&?us9EUPw~9GADjq;VN8Sz`Z13o4=Hg5W2u{FShfmKjn^DGq1ZYFB3MR{Z8UTE& z+bG7CyYNXC2k#k1|5ELzFi=5YRor~zA>Di|(y;!!G_i~N_|oT{LD z-CyY^2fU+a(`A{pBW01FS5Xh)o@5xL7RO}dPza>IdYsL$fv?6G&D+Z?K8; z^$GhH1J3^gR6wi00nU7HdK%uXfsC@9tr~Cc=Z`QPp*2MPciCVQrFmo7L5se@c*o)b z5MdWy{@R_n);Fe&9sl9MKzVl=i6_VZ!NPP-f4Ru87aEji0vcd;@%!d*egRLoHU)R& z(}RVKUAeLIb}LuoAA_1n-=H6;#}-_o}LpBEACfK zrCm`hD*V<=LdM0ni;UKc_>Y5>Djoq&Vf3j6H~jU&A%Jz(y#7f_00>N>Ehf1+UUMh&U+%*Bihb4=l@N zCX;-0FI!b9h^wPQF}8;95KH#G!;A}F%+c*>>wjoNolwcnKeGK~u2I=BT0$N;$N=_C z0IfEvYV^;XG7hBF+BkU)R~@9mVKLMum8N289^0CZO5H!!fNR|OaXVWCD<{Sf7@h0` z^v=rFEzgV>kz2_%QlI3CGgP=O$X!rIsA3f{EGc4Mf9Gm+11r~zQ!Pdt3Ca1se5OZO z+vo~{7GWa6Ij6Js8z?Fxz^d+&`O0@5WyX}jyRwu^PCj?ciIDS~eBQO|@pR#{$ zqT~7h!M+OP5d}4p@D8BZKx5l3GF7+`X{o9AaU`X8wEax`M}asW1V&CiTpycp?9cpH z2CdCH9B@oCjE=KR{lKwg-FuP9BzBuJRJ1#$KK05%M7kq7DpNQteP>R3Yy(BMWc>>Q z*$rNP0E))pf|>J6KhA;qf=IyNH3D{bhW_MM!og05WuOZ9Oc;__tEP1oX5ME&$cc|*LD3=_0) zk`sjq6aKCo*@nUTu#8#m_xF(|9oc#Z$>!F{Z?s`J0-X8Y^fbI%0~uvITQ%O?&mUnp zLTiZn@3O%rO7q6DgBE>*@s7m>Ai^%Z{IxrCt#3>lJO0Cif%5J$5>Jl*gN5mw{&JCF 
zFEl941T?_x;`hzr`~seEZ3^zlrw0oeyK-aa?N+YzO*!79LQfrN^w(gw+G@G`%B(Oo=dCuOSn(Zl=>VnaQ zxl+)8oIB|M8@;4eEK>^owWAb&w5a(11mZQTV<_o2?StVE>y8T*H-QSbtoX<%)Z-cjTd^7pZ>V>>?=Yhl<0UX|Ry6q5MVe9>(U^`A zH0yxzzI<^|vc~qc&0uueRGpIv)E??01Qkc(ipd*N&|;^!i!{MnCnwPKN&=Y~5NUS7 z*J{?N0gzt4Qicj*e6fASQlG*Acb#*q`brF^0Uwgx@TR#CPD+BNv3bVnVLAiyv{gBT2p`@5O;Bz{*#TxGz}bp<`4}2 z-^2bng^9c{VJLw%h>>tHiodf6m&CcC-~ejAC%lU+3%bVk+cfPFjrqw3 zBEh!Mx7B(}Ik#2sj~?0hP1^76$v2P^!fLHjfj@1gpmY*ixaJ)W7@RPQXg%u{-=TXz zJesfDR$BQT6#C|M3LUnW6-%|zpF3#fWDTMp#aWf7`e4@3sUwjdeh{tYva=%VZeE2X zDt!6QO^=1hi_jQZop&vxuXB#kq+-^JqPA%P3cnpw9|?L0OroZC3ix9p4V{qTE~&ZG z*ZbG>Nhh9vRFPh4h#Ro97XlU&@&r{6X?}N0RzX}I>Tf17Z6*}|Y(Un3P^?(eO%V76 znYr&mq-AFkH2uTX%h9A$BSuM`%eQ2GPP&RG->89ysu=ZgLrN~ZvLD|Fr%i3A{fy>i z8eBHtH@`)_w8#x#uTi1E%v<$O8l(C+M`Y#t*8fg&bDANXj!2kry~L1x-OH@MgPYVm zT$dyx5eBKQwCoeWQsyom?>LwkJ)(7n;&WhOJJM3hoobrKqXzrDpUG0}R9&uK-jd!O z;DDf(j|;K?@9B2TZop))IJaCtbgK{KZ%QjWaVQv1)$}{7BXX?DBR2tl(}s-X6&&|! z7XVGfYc>v~#i0Zs$r39#yD%JMH4z#p+N4l<`e@_lnC?@EgDfX)k69>~N%CzqUtaRjQyB*#qjOVlAxy z+oFyKUqogbKfTnEdGur7zvS~QPmTr17$DSIK?Y2t7dWqKdw)7N=W9XwfeyLo3UwKH zcF85<0Oi4~Uunjh0D9avq1Wq`s3?$`r4nZIBZ|N6ja_PIT{dT;c8bmC^=%(*j6^L% z*pthP80-_s_9-=3*8rHH7o6>Khbhli1ImB=-W%N>JCC|#ZzB^hS#IiJ6F5F;TK!=g zNkRdd>M_^M(?%RLE;O@spOm*7HR4v%*lSl(-4kWk`yY3C#*K2WSxRkJu_VcYM z!_b`((P2o?CrjDPF5oq%qbxoYQ)S-|3VuhId`EABZQzRaYM%Vh)WAbp*!iUS*J_duXt2lK!aaH~6mN+DFj?cG1C;%>hFP43<03@f~Ly z7b7o78NLt}*V4~Kt^G9|_x4)@dRwmlg|+q@ z({v#wdSgE?F}vDA@*?4=wzit^ryGhd`8I_Wn2jNw=GlzO_ih3j$2-0vDHE5#G9>Z(%`g2X^e!URY zv7vtLT^UHL`5lEu2*n)pWWik}mqj*et90NFG2botL_hcwDs85CqOTG2Eb2P{BBO0hz>k|ij1Ed5lA|ly}g#5m^{o^fV zo#V?Ek0W@=@hfz+BQ$9BgIh z@-FPjR@z+E6Qi-r8SC)BABsJyQ1y1&)u9F`Z&T3G+LMI8^mh|D&AdZ{Dx=*PZ)$>&*~91D;!K&Z8X446hQa9-8+{&a56 z*Mjr|9dgkX>N4=`l1s(`%7a@$u;y%kHDso+_(RR!QGFInCi5XsamkrCy@rw97u2>cHJAeuh-(v za4BIQ?dMxjhM_wnqQj7&PnNQoUBGKjM_GI*rpmq_6#R}Z`HtQM+rqos=uFfq%ISk8 z+6xu7G-#9>JmU0f7$?J-CR@6_5Snp_*XD<(5Irg%6jreGCR&S8?i!3h&!k1cm$TWV#&Rt07gWGkQ=2 z4Hq-5EySvdT8?rR5C!^}7$(vc?cqJt-! 
z1BMP5EO(ycJI*#PMqZFId?6Uh2yArm1em-^PBjc?ZI+gB2PxH_yHbT9R`X&UmaU`Q zBVA>KU(Y1{s6Q5In$uMrHb~l-1;1mVxO@P@JzM1LQD!Jf<{wLZ5hS0krJspf`)fGv z?Y9Q>wp{-UYwb6t=|W8O#(rL6cD04%MZ!^SZ8hOfHxys;Z3-(e8$&wHvl*4|-2^m_ zc?e2TBAXLCroIaTbj)Xp2u=bi(Hz`>i(6$#a*5fhQtzi`DqNHeE}^>NMVNjdDM~-+MClDYFM5NIB7Xoxpg#~+&Nm=7(>E}# zl>=i&tCTOuWTI*|O-B>k$@0`O9NiR;tse$RK4iwB9QsOR3*zQ@a4J|J7MAQ<8%0cjWJy+tC!_?eQ=8nm<+>CT`x zK+D1UG_t=2wTh^x_bDxX%M{zBol7f^3Auu}whTYPK&$d#2;_LKF07oD* z`j&|%w-0WPmEQxx=;_d)o41O?VM>0~cO#Q*BCCL#^+va%K9bz00Ll{`K~O-DNb>;+ zr9sg^u(U3g&kd@&&@zyMWCIb|KtygBlo5gtOHL(6k`u{&_xrH6aMQR|+#GJ@Tll8EEpN$N z&y(?CJQ&}_Z}C|?1)hoj;d^);-iC+aTlf{8gb(38_zd2Hr{E)a2;PBT^IaaxQ+X%v z^GAN?b(@$C%+_VIV8gOm*{W<#HYFR9?a20H+p*!;Y-}pF5L<^W!-iqAuua$`Y-!us z_S>X3sLi)6Z9p5(rte`p*S@u5?Nz(f4z)k+O}o-=v=8k#`_2BcyX+;q$o{cw>=ir3 zF0n`K4|{w6?$ABC_d8!BtBuvdYF@Rg8ikrv?Wwj@GpZHUerh_koZ3xorKVCtsg=|= zY8N$%+C&Ya=1_}JOV`RZY>is;Yss3h=Bw#yyFR9W=~{Y~KBY(LP`Z=eq$BA<`j76T z^XNEwjXtBx=rDSUPNHw<7+p<{Ka4%LmiP}gxfujjNf8X0YihDDpALD8OQOtd80 z5iN+;L(`$%&}3*Xv=kZ&t%D|khC!pCMbI2*ZQ7c4rderFnv-Uv5otUcPup{{d@Kjc zz48kARZf*h)BdSGUv+bwAxrchYTi6Wu{K(7ki(+%V?q-IRB zrCHJpX*M(yn*GdpW;(N*8O>~F<}z!Ueati_W)U-oF4cMLb$c!h%7D^5s6nm*>g6gn zVAqTQlF^RumjJ4m2G%ou2{T60C%Y%x}g)7S>h=JJ4yg9LH}w2eh$#2W0mS?z~I~AAA79EfPzI zWqR3N_Dh|zOgX0PQgSJ^lv&CprINBp8Km@4<|tc~CrT2fQi3u=DWQZ=Mo|7rsPd>Z zDt*banz!&gHCQNvKfPJ>QEO~XrrOG8S7NCQPfM8iWvyP@3hH&`2}4bTQ+L*Kv~ z!;D=<3PvhplyS+3WaKg47-NhoMiirn(Zjf5v@lW_Ba9J@Y2(=VHENAmqtoac^t&PATZbmc|kt71H*t+z$f4mFbQY`90J+^X@D_67@!Ie1$YAV0CE5~fEhps;2M|) zmVsX&6(|Kdfk~hc=mX+_I)fHN7Q+;S6T=Y$5kn9|4g(HD4Z{n=2tx=12!jWM1p@>_ zn_M8V7y;5(~1NAulO)t~O^e#P1pVFK3AALv9(PQ)# zeMIljxBGSf?X5kuC-%C2|B?N!eo?=tU(yfhSM(eD3H^Y6G(VW%$*<%m@(cN8{3d=8 ze(B%$r~OfX(x3lJ{*FJLZ_Eeg>+)&&sC-erC7+Vd$H(K_@#Xkzd@nu~Uy2XJ*Wr`k z%kWwFBKX?Au+Qp)`hY&1Pw$cSzIt9gtzJ_vsb|y+>H+n3dOE$Eo=h*M$I@Hrne<9} zBE62DMDN@y_rg7D&)Hk{l09B8=aKQocwIaTJPJH1UKG!WH^dX-{qT5rI=md-3=f6p z!QC-C${U_aqX&hQ@g00(ynMnv}GZ_ zJC@zaZe$m-^VnhREOr&UhuwJB-C=joU0tN^QJ1Kj)3xc=bYZ$L-IVT0*Q86*4e5e( 
zH@Xttba&kSyVmZpE9~;zGOiaFiz~%#;u>**xI5e%E)6$^>%vXpesDXu61Wvy3T~VG zhJvb zt=RT!%eA$zjoLzOowiL|qOH*OXUnt2+16}dwkBJW?Z|d3VT-Y~*lv$o;TE{%wPo5c z?Ua^DtE3Im_GodmHQE?0idIDXq2kiE)M zWuvlAS*9#fwkX?^)yd9eW3nsRlWa*gB+HS#$XaA6vg7PGE6w^@UG~O`VZpFmSS_p- zwh9}Cg~BRfg|I%@9jppA1$%-W!Gd5buo74Z>;txqO=G24DAtF?VR@{6-MVUBrLIp` zrEAia=o)n0x$0bRt~6Jf>&g}7T5<)sUR*1#XY18@O1g>Qp7F3RQoqI8~V{ zOEslRQthZ(R4c0KYPj01Vyk{tSmjlDDj8Lb`bFKMYEhr4N7Nqb4poO*L#3g5 z)ClSW^-L{Of2x)WrS{XYsn>LCnl-hWK24XVM$@9{&6H;9GHscvOhu+2Q;+G!G-FCJ zjhJGm&gpU5PjBg$luK$snkA)@PDz!dNKzjuk2FVWBZZN&NL8dGQV?l}bVG_EjUYWs zed$u_lj_nu8W!b>UPY^-6rxknr07x9D2fxMiKawHq8w3;C`R-mDiL*vo}=ZcHoA-^ zqsC|-)kXJc4()NnZJ;wy6etN)1o{E>fM!4`pc7CC=oi|B z5~0E;*t6?t^_+S-J)53NPod|}6X$93gn6nwQ=TSIkY~qp<7x4ncs@MO&+)VSls=(P z;FI^nJ$0v;Gt7zQq~L^dJ~@w^K~5hhj`PMzf?Og z&zWINE@lNL7PE?Z#3W+sFmaeS%orvMbA^e*9ASzuIhYcd5zGf>n5kt_nNH@CX=L)4 zJTqU8Ey0#vOAE^iORFW-l4+T=99jx3ftEQ-n&r%LWqGm`S!OIRmKMv1v)P0hKASLm zzyumTQ_pa<8a-2@m1re;f^w#`DV1nj&t|)6w3|k|d+6DO9=bQ7H=#G1&1SRT+?K!r zLU6#01<(^f@E`?CG#+?3U<45`!OhYMK=?ogEN}v(r4}5_a_l3y024UR01Wq_#{dIl zSx|O?0@VgwKm#2pyYNzim=GvuF}T63>;g=$>_P=v5Tk+%;BX)WM%<|o$}XH_8DIe* zwBP|Mz`z9`1e9HPz={rX%_>;{yAPCIh=2zmOt1jD>;ek`$}UKNj8@|42{Sb9HoNg2 z-rN2IaHyCmXKglx0M^$9%x)ML7$VM#Ydd6!_VtUwU;z-YIB5|Y34jT3jvyY8pk=%P z0dNUBu%hzU1V13a2MUlzKTtrMscqB-YX7u#+AwXD_DP$ht&Fl-ez2z!HV!Jc4CupiiM_L)6qOW8hK$i}hxwbK65iT19=L7Ex=cFVqz33H4fyRZG>rI;keAceS1tOMj)i(pqV! 
zG*bE~O_cUY%cM=xBx#TIM%p5MPLI>w^q*d)foWeFm*&x8=rHsa`U+izK0*_rgU~%_ z9drzu1^t2MKx?2e&~5Y@eMW21RJ0SlL>td!XRq_t*}~cCEOmZ5Bb|TFF=v_xsJTaly4Ok^bT5SfQeLvA6jkVD8Gz!Nyr*tTEL%YV0&t8W)X;#y?}8@y-}$Y%^{dr;JU;A>)j(#du=e z9*4))u|Hmpjbq<97n6y<#9QJDVl45L_(@D8?h)^ZS;Qsc4>5;Wg7`u#A$|~R#Z)m= zoD>7ay*Lk#g}cIA;R<1^@KYEmY!ns>1BH3QIboadOgJX&5>^SHgiFF6;fpXtI2|sB zv0-W08TP}+@C_~lXMwT6R$wad6c`HJ1YQCYfqB3+U>NWTI0Os=-T-HSE5H-r2XF*% z8r%i{;3XIb*1uujudmnl>O1vq`uco(zB=ERFUoi1tMSG7MtmKXye{4kuZLH|YvG;nMtC8-W3N~1^}Rmt?$x_pU9GNFcdDxt zf~cqhZA(O?pd@7_r4Hg@j09pDWM*W9tOqhn5-AlUj7T6NA`(g2&ZOV1@tptgQ>U!P``0E$+?SdPuha~4tf0NeL4h;pLiio z1m(|L58Gk^^Wp+H3@j#=E{_O0^4Jl9WJf<=bXBIb(e-c$Y!|x$M-fHGUfoag%!MxH zuPptA{UYkU{f5B1M~!!_gd;{Jwj|61+{fuco`VCbd|*;{&7uzkr-M*YXQ z=63e` z8%44R>F%9(_jCe=cfPxzV@s2nqg2KHxTyGS8rZ^eqid7P{bd&`xnd^u#5i6ipzU81 z?g=Ts$594Rt#joMNpm<8x)&!%>b!U~PblXCnG(0ZfhV><{2e=Cy^4P2negaNx!!U* zU%m#&Ps-x?x&Fg5S2XXBnQ!l%8!_y(o&n&#(D9|eI(~41;zgzl`GMZQxRfO_fZX}j zz|{jCA0)%dnc9;z-Q?nd=nV(_l=ca+)?XkoeagA;U2U>|#53n|uGi`Im+sLx4hHrG&yvl zt3qmSDcbAai!cMyh+nYXAgh5Gi(X6UmVe$ieHQN8;D{!L4B`4Egx`iqr_L>;A_t;j zYg-jCQ&pVd*R6?EuDl*t^TN2O0yF}Qowh?r@OeVHo3KyOC_o)kbX!RC{@&E|i7(;m zsC&3x$5;&4etrU7m-fpSz^LPdm_5(Hs@zNyH0xk7rgd*0mWVSWOJmH4lVKoE74)fx z7tIvnAmhp!5{>D>j9ip|8sW%sP7zeicgs*5kZ?`}5>@~B&I3s}lbgBm_vpcA~!6qM1krtg>Z?n_zAwog?VELP2(+R>K|{wc&Fw=$-2^ z?E_gaaBS6Sb;7yoyfgrD_NPU2tWQk)bwH~UfV*(bt!MuRdI`_DcG?qytB>Sr#^fBF zbDv2*;84NN%<7sEvrvcL0XoMu-}paP`4I`)2oGnp4E$p#q21Yd>I)yF=D1O3*K4Z& zZ+~@S>&v0x3c|LZqB^!nYTYmWK)F-$8l|b zHM!;{#18=C2^0;GwQY}8JANw&kVZBNyhz+uyP~3^qOG?7|0gR%3yl5$i&lsR5g{2Q zNRYspks=c0ZQ=h%M@Ro3L`1;&ry!tTW=L{oh9rq3Nv^hyXlsE~s8MzYF(G486^&9D z4#7$hNm5WysIkWy3{Xq@p30l4Kw+IDm(`W_qhb!j@pROiN=c)D8b3JO)7*nF3C#a< zAH?a&ph1|vZVLG~W@ZfT_BZH=JM;OF!ErN2nXoy|cU}Md+n`4(iCBx(?s@=@G7mDe zs4+#LYvbeHPv<@mq0nm)bBJF82pGy0>sTIK0;;0`NiHrkjbOq}VxblZ-5Uc0c;wh;zL1@vu6Wuzo<`rN+1Q))r-N1=%y+); zKmUEGq4@Vo|M5JmD5}P16_i14OpUWYf}mwH6S8jG`y+YQ#jx>uM=qb{z4xF@upOq6 zo@+WC>n85!?LTkD;qxT?H$v(9Ify}LKT}#qeX%cWNHZJ8Uj6Wv91D4!V4_VF0g#dj 
zDs$aWkFJ1EU@mlQPwmd3=u@5kt&G1~V^xUL)UgXVleY2RxQ4XVbRGc&2mpeG3=Dv` zZQMGXXKPKcB?%h;BZNI|+ivo2{M(Qu*>9gD0Z9r%-pW!5(l!Nwn3>ro#B2e8s_1bM zV$zy0K zriI2PhOh%yM%zBVpy6X83(4WwxMB(k{%m0Gem5RVNS- zsG9@kiq5@lHf|nif5NW(_x)61n7#iK(UaUHX}mVf1%$F<3Sb3G1xp3ZJ#)_$F3k?c z@;Z+|9V9{qmL9d(=M*2WT6XkWe!U{vyhl}(T0@!7|eaG)yTcsyOVf;Rxlt1o)A0E!** ze)M1+Sr*9ZX*IcBO_)r+Sa_{b)`i{=L_RRq`jdOBb*c!H*1PBJokkx+gGchD>ROON z_rjO%7f!0eFLm*~I+>yL3ntx=W~gg_y3q-#wKw`>U_ZeZanKLJPQ!eg<)R6aZoFsN zcnR{FIXH00RLO(@NFFL_NcK1i!pn53~ULkq`y(*fOCvFT6e%(zYxBXlQp6 z($$KFEuf#YZ7L#wBlZvc5{$+qh&*HfepPEIPA4#RLil?V^Q%`d!=~2gZ|Tu6y9tDT zkRn+X3hMO&ei!i!?=ZX z+!of$%ETMDVc-q6vSZ~mRiL!M5gbo@b{Z|h!gg3V7Qnz!S0`nWBU7nMeXK&IJK$Oaj7Tsh;Lm zUuRz@7^#AD@9{o3ji4~gId|>BSXq`q#Q8qC93KQW-m95KYsl^D3INSKaVeWF`Y~n0 zx%~BA6_q-ZCrnRsL=!V2@O+yXs5c$t=--8&1T{iBpSkb#a@r@xts!uD-@bOe1i}dt zUS%nN%5IuoBc;9w1JiB0ioAc}vFoLpp}ErL56~aA;WbQ1v<0T{;xfc7B(vOh7a9S% zmqP>dA?>P%(0v{ydX|Q3U&wDftPa_zB|X)fOi%O`*e{jw+C2F6eh_I`ErVw1MdVl? z6`>gWr>nB`u?W+HWCyk0W`{0ReI#Hv1zE4i}buhHbkj|-9?bq0^ZV1>pvL-S(dOsfM>CB)9mma(*r_z}qBmY@PE-&ty{JQqN2B--Ft>1! zK@28)2Br>YC3q(3#P*gDkPrq^f$r0U=Hj_A=FK`G4oy%{u5)2Trd?w0-vbJaEk#H^ zkrOcn94Cx;d~kP@EGUCjTW!f=YY_q2!+C*l@Q$VlXp1}GUo1b--H(r-A3Hm?IlKeS zskOze$?@F@-Swos#TnB*cvpP!wbmzR~5k&%s!Yt)!AgP3@D7#R5Xx3?Dt3|-ya z+!rrew6L|EosEr!g>`jhWnHmCRTUNW^t7~8R5Uac6x7pmb5m0@GqXeqOw7wmOUuei zNy*4aN5{rSM#c{x5)%&(4GrIKLP9~o4I2Uj|Ni>=`1tbj@aX8~=H%oqT(Drl&24Qh zEe#FL%&e@8j4Uh+4D9R6%d4wP3kwSZ1S_kmsHmr>1`QZ6SXxq2Iw~p}8VU+RfZ)IZ zAD^C{ot>N<92^^)ni?9Km>3us7nhY46_u2flM|9@Zewnh4;7pb6>c1Eoav8g6&&ulzl)n4O5R*psX^`&_%W9~TGzCDpCdBt_=bt_0s@Ua^ODHE zcXl{BK}+!kqRV8Uz+vMBOmUfSe&{aCL<5(bHgwk@M-E&eN*4kP&b!sIc%z%VK#;WE z>rkyIk%FB(1f~+gH#QjGwugck44jXDxt{)egS}rSq6!`3>ghU|Jv`d@=uO(zsPE`( zK4Kf~f~c(X4!o+Bq@#t;2#7q**5&ivwgn$Mfs$XeWuYC#+`KF37&YN?>=DLod@_lhkuj@*8`v8`47q0l?! 
zmrA2!mT=|G9h~vvB@xNa#|MsQ^P_6T%JU7sbx3(zYFFNxw8cb|yfo2b4FlG5XF3|S z0qbFK4oe&?>tbk}t$>*by|&E5w8%hmH30k5)}S9KXQFRwMo~&Siu_9VX8{yKn`6He zwY>ROIAog*uD2o|O$lFoDtsyDM13COgTNL6h6~5bD!>F38u~Wr)L+q|JK)v%^a7!O%kmW#GJu>7U9wW5M0 ztvf@giIGOk_tgueE;1ntzJiBKeZddsI$Ch*_~Mv80;x_0JK@~t2$d~LsSJGW0qGuM zo&YZu?ErFBB=t2<)>M*{)qgM2jLV9_}K#j@1k0)-e}TdKxK-7KPQKk{Fxem`WI5g zZ)nd&k#}Thxo~)bPn$&xw?*&r>b)8BuzP9~HY9Dix;GK-K^vYOJpxN74HI|7f5Bl_ zSa6i|AR^>}fQ{_E&MvW!nd$1+Mn=q$0C+g0u3ZhH8rmOPPPnGVeLIh5+YDtsUf&R1 z=|c2w=@PPRXX8LDcyL_fYgGr67a!lwN;e{eBQf->$pbxDIgS) zpqY^2n4Mo)Fi0XUgRvBh8_(>ZASmGC7`48tC}$J}D!ZHcl4R|qsJsk~;A0R7rKjG| zlH*Jc=pvGGQ_P9ZFFdB)v_Km8O#uE5cT5@IyapU&j_&ZEh6IX~&_bW$6B?2Y1;!(( zZU9hJisMJPmMxOW+JCY!h+xCr-mOTKyk)|SKQ+?$*fo^$?MjsC+Q%4wmUT%m0_ymk zT7;99x^4$v`N?ihzgs+_lqO?Ao zk_puj7i#EoTL|>-evJN!82g1oJ$yI=Jm3_WFh6)9uzAYr^isl+qXSL`IYjNH_{08K|2mSGQ7w41vVu_fSq-y_+}lhl8U1 zFoC9?=M`M6>r?z5Np&wW0^bjTA`T@4Db|-|_Pn5QZM?V|4%ma#+Ls?N(bc$qaBl3> zmBt2=J0 z8nW5Vd;)IHgIdWPFQXKc(1TRQr{`>PFKL+l*pJTT!x@1~b2nAHyf{0K&$3otf!O;j zpu})gWACn}bx$t%+RmZzjh2RS_H($Tecle}j$CT`kz50M!>#7nCCDBhcK(r;(Lnb) z-~cvGFrlZBKuAlEZ15n68%uV5NPLTh=HefQpzjvmu(-|~J0cA1)E(x|zjthIaK8MN z%Q=|BY{3qfv_qPxwCKr(QP(hxxZgJ#AZ1a>`eu?%NX3}8zisa9UV5t?m!+iGK#GaK zJLrNbyP$b62h9&Ua%E2wGfJ)9m*IzQ#-&w4l6O5xd|Jk;ap@DHKp&VTA333NART1& zpC=w!I4rb-m~39rphbADYZ_6sNdnKcB@_x>EjfnI2(27?NFD~6&E*0~2UnS@z5%jh zagi-ZBxDvvFJKmGV!Lzq75Zq=R=nSi*#o@0+=~1cMp6_m2ClvUQHA1Zr}Lw9C~*?O z*f<>(j-LS3qJBV^*6R*C<+(7~YOx_af8+T<#mg6S(X|6AJ!%I}9R)W*K!nww_zTWa zV}|i(wa#?Zzy{9j(!IeLYwBuHYCJ4`1$^2Is<`J@`Bue?e=$hgXOXf4b6PU?&rh4H zb-+ePGl4||ECA~Rq=t|g6MQ-7tL9rOmG%s(r=BE&=4+~t;$qo@%5{>j29 z9A$M+LFyVE!Q1&%qpz&$gqNe4UY{s(qH))%$hPeYUJquVt!zv}^_r|O0@9NWN}mKXJoVQd3PyI} zz)nk4?c?BW$J-|54v(p2KgG?Hy<zU z)UpraTc+#58h|e;KyW+Rjl~$w&}{^a+y1OCs3EjhLJaQ9VyNck>q)&!5b9V87Nplk zRI-X*biRxcE*@Yn`FzBer=M>P!UL-CkmDjo>OEg1MP?C!-d1aRxP`mzIzGZKNV(cP zSj_5Jm|9;jle%qsnRqEz67IIfpbxD8z$rtk%Bf^oLe60Fl@2 zBs7F}p{RGS;*^CB@_hNtC6o=+jDp|LT9yursocTI2jC{K5eNC~48G8p<3!hbV~04b 
zzmoPD09@b9iA^vZaEb=$Ng;KG_C6Y{Pu};3#~~PWTg+l`Y%v!tPaPt@6Jk-)S4-wJTboIHIr5$Mvt^d5pn=IGk^`(Z9K{fE8p6D6Vijz&@S*Woy_c6qD zGk}j-cPgGi>H$RIS&6U0ZRNs`(aFZtT#}+svU74P;*usp{le=y$j(Vo*Nh>W_x4 zSmISKe24}W1iq|Y|IpJ0OH_>epj>GXa7fW1kZO-EwU~Hc?jp2MVedJCS9Vk{!~90_ z(+pGO>QitKQ9J>me5l3Qw-)rv$!z!l02Mj;0K){bE;qd1nf(|VtIhHx%3_v1wi{;y zA^X5{HawJ~$ebH9_B+TWm4K8ma8nmhI@iO}qF5N{G(K@Quq%MaQE%M{&yQtuvy z+372z2=28m@R%Yi1vnY-@K-H2<(++geG?H_K0EuvZL7G&6KyzjkGAmMM#BI%pAFq7 zQSD>&hdTJgC>DQJE1I4M3Cp35&G?Kq=-6WYT25ldSr2>A@!Ls7s8zB#E(WCGkNLE2 zIl%zI)@Q-swlQ@m_+jl++Q_dQ=i`%Oeo*A#?GdAfKl9*CD|vhIEx6jek2JN<?>41Q>BAIkunsh47R)as-HYt|l7CUp3 z6$u6yVdt$;I3ZOQ>{x%%s5^`zoP=+;RY*$X;Zm--D=~<@nFs9n25aH9@1CB4qHjFS zgtUcGc`owi&z3HO%MHWb<3`OcgUACpey3QV!FLq}v2In^4)C;U$?m z?~fQ?N0DP<0R~3FuN$vi08$aSp^WJl6_<)5{e7<7jF38v(UO4yM?232Br{p!qrG;k z(}oD|v6mpGQOemUev|Kqr-g^=y&S0(uVZ$c%+*D*1meN0b>|u>SfOs$bpJ#9h(QHFy6c85;T>307XE$ zzjYWDKP!lR#3_LBD`wNMkaBh$iEApb#>m8L|8i4XTH$dy)uz&4D=t#O>?wrG>Or12 zX40HK9^|Jd#aml_UxYeLmApgr5Z08AqN+}uk4yA) zaDdHWcB({tgK8YYi_fJ9mn`3_@a{?)iuqRZkPA{(>0i{?T}QnsUuNib1k_FDB#n8$ zv`xe%u&b3{{e8OPe(B-5d%)0Wc>71 z9&wX3dh7G)wa{woluk5wezR{5-@=wx`u}k#-=~KjbVrKC@9!3CC*jB;-)!rXA{lZCQ4U;QBs19bEx>`WLrL> zA+pA+D@Os;h({VG*%vbS0zTr6@dXTRh&(agXv;wSKDsF{^PFB!bRz+WqgCk2E?V)c zPHPUcN1)}LL>+=WfWF2WN5G`ZHl|r5#CvSKOXq_Q80QSL?u#y;a7o>U(U|O!VQFs* zC4jl78?6pT>XJ*S>0q<;0cQ&tl@K69(V_J_BSF$&q;%Z3tOSoGaJgFPn8<3)^R^$l z1$mN$)}h4CM$!)c?x6uQ3iMH0gpk_BO%%IfqmYlXqPTyNPxlP~)L&ADNm*K5lmO=@ zFfai$*8?v6$KM?)5O6)L0U+0lI{;KK5)$T-9+tkLjO{fG*C97X@Z5Z9?ia5A{lTWb zOaY!AkscHsh-Loa@eEOwovdeukvUM)Rr(XfKHM)`T3#yJqXo>~PpDa@5Rcoc_Q>!d z#>okLurfutz<1#|qgR|C!(Rf>L)67v=#eA=fD_=g;3{BoY$YiDS;@3oED2a}9=^Z) z)6n2SUlMerXc6Reuy`v{RC#$Sa1SnOBRCIwLU5V|Xc@j+m_R(VGeAU?n`4R{od z1rk26AiimctSGC5bsKTUzL-tMZ}dV0NQ+^C)99IGy29k;fO~$im?Lm+Oj%+$j)dD+ zuthLX#m3~ERkj>3*u}bsq?;vmld8Xh{l=v>rt+VL*{8g-mGwc`_8JRkwNDLYz?^MCR_L)e&%$!+ft{oJ?cg z7QaCXDk4KkI;oeBE1az#PY@<}C!$NtkN$98KQ-W8L*b&9t=70xe#kp>++}(-NuggO z4{@ivvKt#-+weKUp|ldY4!(dm>u-_9_4|y4VgzGBDu^_rcd74XupS#g1r> 
zJL_^hNz;Wo)JgetQN6$%f)|fT`QdNNQtX8plYsnUnDE{uB4&Ux;ywWf6GscV6=#aF z#;1Zw%|krlAht^&z=g!dNVE`R#A&Kd7>3ZbyqJ~_p4W;XSHyi%C1Of|dsVU!GAiZ! z0#+`A351^Dg#g}oGrxbCTdnEOtRnd6*r;#{ho2Wn`r9K$h=1})mfqjp%^W8ewoAZqlm z&w;%6Jti%Ni30L7hD%fqUKF`c+@TYyg04G(igU7ix8N08Fl{A)jeG(pfL_7|y`IBE z3DB!f@FF2>IZ zvVCwS!y+pljo)8gv;2Uh5Ip!6E|G0j@`9KUZtQFILMbO6#1KN`KA>onYz8d;KxP#e zEdiw84U;DK7WMV6q|CDzHNZUbn9^3l5(pP_RRATWG3z{gJ=lP+Ox`x|3Xol50}n=l z!t)da;oBN5g{D5c{BlBvt}#Y0r@hje@bu%zby=PKwphVE5{L%eu9Sj15HUsu+;7~$ zFfQRi&3f&Cqu>mU4}Ep`;DqJ#C}YB$@(d~`bhY=91 z^j`cWyP6|y#AVw?Z*b?oTkzmE3uZuwhsqKnW_@iq0;L?MV`G5c;HGgy&Jx30AXFo2 z^80zFEh5@6W{W8`R!+Ra{Gv+4UlKMjD$4xjc=m7%~-& z4F2TE9A(om;WN{~pi&^oeHDV8Pt)2mFYv-~(`m}91Q-H@Y6w0KbeDT$>Oam`| zfVmAGSY#=-44nW84Hq1zCU4p1B)H25;<3LH-n5=j&w_wdXOfR6N0Ixfvx_L7u}PR6 z6&gT%=}l@)maOWRqp}f$LZIj9n(>jKjmaU0d-is;q`b$*mqCCCFTR1y@I_;es0V_o zB{0K_<+w&VWVxwCx|XS!QQHX&eq>8)tb|_Q1)j|eGRCtXeelRagR0YuKuIDbsp#*t zemAn6lPm`?IV84|is6Y=GXqS(@OjZ13w~|TQanwkgFY8aoM<&xu1wO=g=kShX!fwa zNYajOK$X8Y)zC!IL(JWQM3PYvA!eS50fibnhlCFUm5Z}A_>~^HIagftY!jc7LSHctH#_oj$KO$UZTqt;X zq@V^&YjiWtXEe{i{ad>0i$^3Pd`VvmAi@#V*v=1X02{D{YGukNiD!+2v5es4IR)E9Je}X`mx{Km;P)r~t8Y3Kkd730* ziEoN)-EbknGyRb0ZKu0LAvW9c+XHRy83jF3SZfkm~~R`>ON|39VJf zT%2nHX7$T$?0D^sV5D)^5xp7?lqLA^9v+soTc?lM?VS?yV#!$fBf=>=QV@x)H?XR#p~COcqw z6jC!Eh1EQR0D2Ej)Hrji5tl;7Z>E0>ntxoRDD$cgKbuKXRue+)$ zu7nxpJBMKNHCRh~GayP`M(c4qb{+eGx&)(nsxf{fiEMyOE2TG%12yw02KGl8d^hAD z2Nw_{%LP*mMbGf+XakZi?p{Dhzsh{!x&She#43hB_$m;h%p*EVzp$f(qtKVKlSvy+ z?C?P6tG;=Tm?uQ<;mK>}tBSO%(a14&Nbq|Vc2ga=yqUQ#fXEV85E&(y_Qvx;LiB8C z472nfI$H=(N<6(vDqaQR1~LAFqb4SGBJ2Y)q|va@=kuEnU}h<9W9}n(0znh-mJd_t zf@lO2@*AuKn}E{$^Q|LSXnW7J{!A{&yui%cb*d_ypqs$tlSj8T2owqMDK01lATc8N zr&1ADHd*}y3@{jIM423ElW|F)T7nB{07e1^Ba3IP4eiJ%O7hVTQDDIYUfwH-g(8{` zfNK~Xpj9f1z7d44F4Iqd>+M)txUoxe2xJ6oG5P^_(<=*GH+fi|#j;B;mlWEIHl^mK zgvfcOkBlW;Dg{p9Za7TC;*W2ESiQnVCGtFUaI}Wlk-CL5P-21B!=KQc-S9b;ausws zCad(+IGtN=P=V1cKa6WJ1w2f2rkkE5SV=d(3h;I8B|LZ{FtmGKJ_bKz6%x-%(vZ{n zz`TNnW8hX&h-mTkV(K=ELZt+V**cgj5M7#CWj{cpL68ehz^iD)s8uqDdw0Z1!R-Qm 
zY8=k#MtSTGv|BYX%kQu-hL4x7=MsX(l9Z_d0woBj2+6l%Z9V0LO)+58<&*DPe4#Y@ z!Ulh?$mx|ZIIveLcI+@KMeuGI3UL^ksc{7osN{*MV&OExaIrKf(m}PMLK*!kbMk{^ zme4`aa2;MD=0BXExszaU?naC#<*KZGJ}xM0zDok*9BOcUn6a1QgtM=QNL2v*)_92m zof_&R$Z2_s5GCzqk^wfa=z=~6Qx|wj;+5AVHW*Gk)j5C&HhAwsl=W$6IPSw#x>p45 zRmas(_+Av*yid*P})=H8GX2BIvMl<}`zfl4crqV9wK}Xhx zvELeq<;55;=gmZ@ppz9lbyFut9peI6zK958?s@Ziq-ljrP$P=JonrlYD&;z6krN8P zhJGh9#!3xqnbwUBr=&#s0Q^v^0~#YNB0sWW3kXZQEGHz)OHe>Wjkf~XJ}Pyv5u%rY zO^0W30Sd-W)5aa3joG3Qs`}q#cU~S$ zze7*}Zi0`>8W7;)w|qE-_#vY>m5r}rEg>}?frbs+qt@1^NPF`FqijBt>jhQPTE}C+ z_W5`MJNvdDke0$oMs9a}1I-Y} zje#bfmXoibWcK)gM$ZGtNdU}1RQVf-;WP#g#vB+EwnLwe-0Pmf6=3GX-%S7yqUOF8 z-tG^-2OZ`KFFf59>rjgKlZpfrrwLOi=K0OVlf^ zS~vt9t$>;B3_;SDA#3vXm@9We31fcaB{&cxeOfmY~z9xWs_>`qi>QP%>~1 zcwIDFxCmWP#B3QIGhE#DF-KKZm#C{yl;nbnqxk|HXqph`Mc!9}-5@9;V%e`H>Y7th zcAP~z1ZF6E)N(E(+A=k$Y~I*rCbH0$#skpp5VwFLJX6^cmMyzVmtuq!`Z|TW0Y@|= zE@{B$c@iZE!WX%dULmc@@&oZaf;P8yD{BSo?=GUE%^Fiey) zS36tF>zlur?gY%-JjEh$VN#Mr@!Z`I^0PzfFLrj#J zo&Mthc9W8Y?ooi@+1x@AJ{AByz7eXGZ|#sGNyP=nQ_1S>9=EL>2*ZT2SGN;db_YOp zK1`^qKx#QWtd+e@9n&0TP81ID{qBiKN_vm)VFk$ztv}-7&g`h~>;}GE5vmkA^3Fa4 z0{pN%zNb;BOeUi}0$(sTf{{F21gsOGwlSWE5=?s9mlfe`f_ZjNk2KGfv<-kGj`W%| zSH6g0Nf*o;BvHe2>xz(HN`M&1oXV~h7YYX8o+*nDh8)?M4{(~X0!x~h3lVL3V8g@o zyS4$gJ7BDCMFLK!=}+Qg0gtV;)Yu+0ICIL7Btec=-1OCBtoT+Y0L(T$v2g)ITt63Y z9dI4FGSc%|%V~|$20o6Z_2Y@Cso^US)|z>P%l(XmrMRMs;azy?4Lvxp_Q@{+xWHXe zokrx(k2tvDJ9$~O;QHBk4=9j0JHKN8T9+b0hhxB_{pPWm?ismZhTtXB_VQsba)Lpm zrT@J6--F#GIl|ee1%9UQ(f)UnS~V;P41{98NI6QPKH&+yESW^AoH?!9e4J zM+%P@37Ru8`s3m(G)E)|_L26xB_f+$ILO@x3m6wfDhCVe8S1Em66_gnJd zSP4(=yX^@{3>K-6VB)3irjP4kHzY&?2rO~nA`zL1A8bx@D~1LlQ_{6^=)t)4v+xyN zz{vV=AUZCBSgGSA9j;sHq7Sjf?b)otcmOj7!;b^;I3qO0_<%8Tk1~TI&NE1Y%gCIL z*9yno5OLFRE=R0G7Ez6yiiETktzT}xMr;_Sb;sjR#>gCXB#3cABTyz6EPS3#%R*+R zYVeD<{(x8sTfPYa2{ba z1ZUC;(7(mdF{|SY?5{*$!a|_LyubytBOgttC*@Jx(#VD2QU^#WROu`4Tg6qvrB?EJ z2HZS#z6jrv1cU-ueCD&&K5l~G5c>#$IU<2{$+(yjsDw6Tpr0G`G!?4aaVCeXPC1vZ zpE9RFU7@Psa#g`LHR3Msw!sEo7sTD)A_-7rOkCr8Ls*b7xzu@m_~01;T;RAvn5Iew 
zgD*rDR-`G|#Zh&@2$-4x<-l(_a)aW!k711Da}Y%GLmCj5f(9XSA6aloeQbvR_ax^u zg9qB{w4G6Mvt;XXNJQuo>&iTa3Ed`LGSq%jN6(BRSHqv4N+@g{{&{4Fnh~yEa$KiW z31}6u!e==i27kLrmvI(X1fk_#Ge>C#7G&y<0KnR2+X@l~GTgnQ9HjESpCp%6&VCk& zpS}_VfSy>xZjvtsTRv9yWi2?0<*N)^;BbOe_jrf0gTFA^PK7`?xNCFpN|quls7Z1= zf(VGZh^k;0QmWy0$sB?={W2-Ui6Htxo-0Xwp~w&MBZ=?iABiKVs?6P@Vc=Z1w_S8< zxc;a{hs0nhpI?+Rq6dgJ7pFx1jZ!OH;i_C_1p|%jkkZ;E=a*gOwDRf2C37a#dU#kn zm=@yzyOTF3;_1b?A!T`>AT$jpz<|C&bM9&i`Fmj7m{m(LGxyNPBZO#*6IT-j>HtT^ zd=b?rM`R`0h1O_3e+28!G}I$PjaZ|Puo0p23FpX#F4(0&6V|$m3WZfcz@ofE4jxjS zlB*ve3kFV+A;=4fvv?c~$$TK)oDuMBgX0;FSQ;}y>6CC&92SVB5zrbUH$D-f zvO#gvQAi=eK+b{S&xD&^UHgtJL(0-JwI{7Tf#*Y$=2OVj;`Md0KK9t^OH9f05g5my32pV90SQyIGj$`r zRYUQ^{X%KW2+;Vtmk(kENoHJ*B*j<{&zj=HU|H}S5R}ENF_M<3|5v z8OXr*E>mkmWPze5AtmT-RY`{5h~t%gloD^qfwJhyizt`F!4qJCalz}V@Q@Obg!N2< zUZxyyDR2g7L4r9MG#!9E!mJjy$yxMFrp=xOUUi654i7|AI*_gsIlPBK1GR}oRkxMV zb_Z7s`o*@IKt4+NABk?8w@eK68#v!BLI4Y zxNry~R5xp`1o?+9CZ8lg=(v`Z)5$Y}M6P?hAZJ9a-etQu{zz+Wa05Gddxsd=hyDPI zaZHn3!x*gb&I_t{ChopfI#5;7XmW|~6y~DSN^{Ms07mujSy8UMV5|Y-M4Ge;;oIZ! 
zr{N)AY6^RNL}OiGYyuV+MAB&lg*tr8))<9|yhuJa>#Nu!1^5O>RB`kO$orA5C~}v7 zr#I5~^ply@9MBx=2y_;h;Pj~EVNJa-%_OBiHvn9_}upfJP&1klg$ zB9bLUz>4Dr=~PRkg5)t%tlkQ4&gqkJ#ns-9P@&=xdZk$D6f>S#KlJkvOXaCN z6)+;6d_re_Hn@ff+Q#{&us=vu*vbc~vLdEq7W67abQ$X2gm{jWAkw>3F;Db7!D8pJ zi-K#A5~6$Q;CbOf4azCV5+c}uJO261w3>FPde_dvu>yWRpv{g>1c<6Db{2WE(ek{C zBxiv)NF-h(cBgd#Ul+1nLbc!1IAet>2ISz4^29u~ikWYgW5cr30n$12A(0Nz-2B&0 zP#rA|oV$@YBH(A1@HGfzf+UEN_#YWHdRb{m*C1;^M@yH;UGOnoy6$55k&}tE13ixy zpifUghz6eF@vP>GhEdGy>D0?x5TDJv(Lk8;V@%*5;3!d}K?N|c^}=}xm}BHC%p7~jt~l}CxT#eipTC!~ zKticc5rxl9`C;Y6=f}e&8RRuE4CZ<>UZceBhPd9a0J7pt5I@O6U!Q!nN2L|D8%D>} zeae+1>}-HTqXqgE&msySIYQ3L#pH*B#3zU1)1j!WQhov^v&D5>h1ZH~lBLl^0Hr6N zRGQqtt|Hlv#lgSgxaHdI)cS;ZZ)pjt6A2CNv>ChOmFu`k(PX1^ z><4BswECffIfz6JwK*n`zQ0ON)Z6(H21;BA zhV)*A$_UTxR^n%k4uBH*iF(|v792gK=>81tNRim5lX3SK}jcVB-4ADtyZI&TC8X*R0I>7V=-2Lj*#{I4P!hD<<2yAFvZ8Wq7mp17lH zN{s{;ZX`H=9fP_vZ1#M5l_H9dMl>o008lljWujdW~$k_Q}Wx%m;W=gnR z0{fsZB5=0EsCw;@COl47buTL0G{%Y-&^>1?5kiC^dKR8S%q{o(kJ`20(aFKHE)X!s zppL^Yz)9gENOJWnRyIc~hOeBA=&-7AG4MfmptMIad_Lq1?oFui>a=2)uTwf`sPoI9 zrFbT(O{6$)kp8X=o8D*;(&tb#^ehU}dMg)J0R4LCorg=o(k-Fwf2c}}eGWID`^sU^ ztjWs7rtnf|WwBk9*uv#ald+FhN?wq?<$WYpERB_s#nOUy$KaZs<`lMPGAiRnN`{=C!=^lQI0Idm6Yfa zxkD51FS4H-AP1RFO8JC}tf%R9Gf?2-l%^gG;hyoFT<5cVL2Tl{NZ`Hf5I_iq*Wp1x zp~eO$!1%8c7gaSf*d0p+7w0F{?d1kG%t%?t@hLnM%Gh{QKldmkED9p$Y&Ptke3VWd z#jq?RFYA%F@N~ob6>htRE110$z??p!P17phh{C>QsDV>IU=TX>B}c>67v zD>}$+l35akgzlx`D~}Q(a|FF0W+Pdq*C`pEuMpU~1qfqqXyWOxF)ll~%=}#EoSdZ# z)Q@|j$W{)lJcy}Ewyg2@AhK9Kqj;=Ml_uv244O0$j3l!U8&=){m4XaG3&BA+WstFe zvNo%b-wSa-@kFVlk3DAT0!hluh?kw$BEp7z`M0B^9BH}`3r5HK3o~O#Og!=Nn!Mx( z7A!)}n-$O!v@ZDnuRLTt!X zQCW41kSEC%@wpJ5y@5>Wt)Vr_!-R1v&>fOoIanD8KhC0}dCx4!Pb3dC5s)KUQYLGe z#f0a$?Q~$*1X(UbmwsF7`EMduL-G2ZaR84#Q-@3T>=LHA&UAc{g<}(`5OG7+yLa`m zHC~du?iu!!A#50Saw$Sm=aEBK?@l>vx>ZJz7to^XtirMvVa@g9g$=y{(pHAtFyR-r zL>p_v<}1Xm$)ZWdjT9V3)?xK`DHSGrklZL=bBGmv6z_^y)bGNBB?x7{{j`0#*zWnD@awf z$?$7JsjtEIk(grl_PiKnMKlpA+yIh^3cGQWw^9ItZ}DsX0oEunY=k~|tgT~IUM%Rj 
z2GDT{S6O{*mldW!07_q$dd2Lo0^XgzCJ{@It$a8_uV17T+jaC7{R&tD=CUha=cx$4 zD^>wKd|aAx8Zd_Ld}U-lGK8*D;}8LF92VlD1el*U@{l_6A=2_DW?BFXDD&Vj4AZ<~ zEZMx202sm!48MGDu=C4Hi{*_}arxw`6`sz^TLTY1yGH_c082R-K7%UviIgBu+YCBs zJ1%K}m?}y!lW!5&AtnF^fD@U&wkkE7&YU2p(j-1R{|GC#u}uOo5Zm--zNES3Iiaaiw&0nrnVfdQj%{0J6frT!92p z;{fH8G&n)iB#7Z83|KOG@m28%FtAEwX#wV=jD@{is92t1*!aL2s*P(2)1>gl1L9*D z9eFAu(claAigG%Dg`-#@TBA5~#ut?3eZklxz7$3!73wUXKBevnnMPLz_tl|`@>=D* z*cMeB3mjYDwZOqA7xu_Wi78r+9u{Lrj=>kFZ$d&hn@7m_9aAHwlp(?8dOCPq#7Zx2 z!+1dd&{Xudpo>SEC}vTA|naN(GTbQ^W>etc1rF)sFRX0pxIaN!V~EKr}8) z7hHe+;uj@C7J_TamgOdhr1DG&s$o}rOnKEO5KtTv<2g)%Q44CVxl#{4HPxiK=P)32 z)Wu=ob4TQ05D6B!W`r#`2pJ4s@J9-V9ty;~=fq;o3Lj{{GOX2g@nz^y0Ky<>!e#Mb z8j@1v9_#q;=jtsKljx&}S(}{lf;}AoC{9;TYxgXpRb`b7&c$NAaOr^n?yZEXuO4i) zK1)n0+5;`I*ZfhDo-YR%mqghT2Ld3BiV;%O>4e0{GH|iG)mG79>=zhMVD$txDtcT=7-}=HNhu)&*-!` z*)6(3x`g361XplQnQ`?ql0cq-h9z&e_R6>!n0h6Fn+pPb3LkT7jFKvdA-+}w#O%VG z;svXOQ#0tKD?KhfG3OCnPTi+2n_PNfX3S^8^NL<<^XDNbR70jDNM6j zGGR`}%Y!R9>NxLI2Ewb{47-1psgpty(VICSa$<^&#(%mssb2M2K7Jilu4Z^Fg@JhSGhD|wm@UD*9+s>K0a%E5P7N~$CL&jVc*1JQlc(IvT_LQB zj6_c>=0F9&mU;#uB}I%d5O@|4Az(~he%&m|2t7m5pg-{~f$Hfp_%lNc!Mssn@l7ts zVkwV{A8Q@)vw$%5psZscoG{5e#sW4<5<7?-1=YXLt4Gf;3Rz&QjG=5O%;YEcR zE1Rd^G1KCw=Xz~paXU7QNWCbPo!{2?g-MHC4kK|&93i|ETJ-0keyf_U&48pol>Q@%4C2Bs;vz-Osq-9f<> z-&I^{p)~`*(<(@!2vP;d*Irb9N_7eNkE|lP__p4|C#60L95>d; z4Xh}24-&C}FO{a}Lu;fxpT=4bD#I`fD{T7&>9so_3lbWh!8nBv#USCv;#H5Q2Eb62 zN>g|#LwPQo_|W|)l`=$QMT*X|Cz(iG3p(%EpO zXaHy4zJXYW&Boljdub5DYQr_)a6`aKToL|#&>fqvm_V%)YKaj#_Hg8LpE{awNKu?r zN6HozL7Z1e9V_L#WW8K-;lZL|#T}3B9^hDF;IGA!O|ZHTE&~k-=LsluKLcV~cw?gH zN4!_;HqZRN$ymIhfF;i}ps{^v1GGD1Wf9&NXHG{e3(moW2YB2Zo~T!TlZSA3tSMz! z`a}XlDrba7J;aWvAfpCIj`m^749bSe$GPF5;5E!~2wAUZM^mAvy@dTDAPwtL9X3O?95v4HId^-i_y0J#IOOFnC>DwmmR6w)fPrQ=q|S_F{M*!T>GM@k&2I zCt(<{z9x&(u+$ELFKU^+5=VvQJ23hxY=!~8i3o*nTs->DThzFlVn&FA7%J-!;0W$r zNP%&^O6|Y7xq}j9#UD=UF>MHx%R221?mZ#-UlRqzK^nMcFy^o)fMV5`9%R4(7(nX? 
z5HZQrdGTr=t)C%$9@TD`}mQ3Iq)6Rsj6I@C%Xkp~}?Trm>=% zdCe1GkqeIjHrBZXm37luDiafu2JAR*ZW#bhjpZPm2Rd&t4Yip z@W7Mo;Ks^ZfQo5+Z6bM7Qz|DLm`bkeW7UW17~u0UqQDFt!Suvg$Hf6KG+c}LN{(&I zIxhyHF;$>rektQdMWUD5XNQP5s4-*o#Ct!k2#sL59vK;>FAa?U$pLUgDUsw;3Y-}F zLb`R<0e~Ii$h@wTDu4jx-;7W8RC2j69zGD_oIpKNo7YvI<@~nrH@~b%-3jsgs{mF% zA)d@Q1qBY6&@fTriaFY*c)eD51jQyXHx*IeK_aCGE2kx_YGMY1kTPT}6-kvId_hZJA^TyS?a!pv<7d88fd#-0`}>k`Oc z+-tXZd8*M}@K+fwTA9eWvDI%<%{tTT=j3J>)f~v0v_D=dVf0Fc%gc=LqWl!fFVSNR z5R2a{FSZTf12hD7%pp3cJx?nRB?^Hm4y(#}vfOAfocrQBELx|C(ik`=jWZI0Z8Tg3 zW{k}q=Q<84QK=Kcl_@rG_lO zjd#uI0_1au?t`dU=~gRT{$#ELCR_>y(31ki@3m}Pk}%OA_^Z!Os}?{UKZ62dPxQ#e zjavj;enC=sD+^c{8grn!0@xx+MBjl?1D%d#8-z|)%fmf_1BfxNA zBuuc`3)SC>s(!{S=sj-?TPYo(-UYW($TCnUy~J%-A%;YpfAKnI;xqgJ)7AJ?# zm%FGdyW(Dn1}KqoPH?&lC|1?AfKB1ERi&15Q5i( z;D!{0fboYBJSOlQv*Zi53~Yd6{X4EFj!;9}yXSo-alEBDpoM71ahLBlqPB|zos^8x zM%otRsiZ1=eIW9@gPkd08gVE-YqIH34D68S5+?W?qcD8l%^p}V7j>@Fn@L;ZD8x~S z0T0bS8J&0#3MZ9=misNC>=N9h>sTtYeA%e{ZXAHju#}bX#kf_d%5rP<8o|b#v8>0} z9Og0u7@fI8;mhxgEP|Xngcc$@L)Us zmlZIQ3xweKn@-#vlVCaqw=X?rnxIajhlW9YTYU0$L6a4-(GwC)<$>UlU=xlk=;fU4TZ%prrVO3?9w*D@0nfpGFi2PPJ+nh3|*rs-$HsV6A_r@JQSGH?S`dZ ziwPE?2Jl$?2`>mTWz0*-6rJ}$)D;B2!3%+7ZL6IDbplI#fJ&ku zF7}xjX$pn($}B_~3M}>qKF|p&sAX{uD8fq5noxd-s00ODey4vsv$AA{*57lAu@1XF zBmW3SYWjc+_%>rUEKtJ{x`9jMS9I2!E?vHCNc>}j2SANSSuRGiCRf(T#{H7!&PlS@ z3#IOa(ZqRtk^_Uj#6ticxFiUcBbgkpp}Ti#3Dd&rdr?;L--zmg{m5bTCyvd5;Z#n$aO7f2?XY& z4)8ECcjEJ3fjd!xe3cza&KH&`Lk?H!Ny6*$HuNk{v>{|C$?k-P)A5`K8m}M~r7Af1 z>%f<|FEkkFx@=_)9L^MXC$j2m2I;i_h3W)XJ+(I8q|E-0ko_hkq3U7VVjc1{U9U5c_A|xnM4wc-oR!I3^u~J-qMW_ zvS?MwbHEt8fFn)tesC*rP)0#<1i3k6e$C?ECAKZdj9u9WFCeYm)iFJp;-9U<*Byij zLd8apWuvozX$#ILvLHjkp$Oky!B9y6Od$H>2&<~lxpLdu!L~EmEf+QoA}hf4=1pWY zQDXVP@mszG)!oX9c?ht#B1u=4l@CTU5xkf)%&?%J?SmYN?CfyLaV;oTov>htzNwHh zMi{_(3`pki8UUH_nQsB1+$w<+nJSP>@U-(e+))H`t2ACBaWlA*jFJ-&GDbY&Kx!`Pj(2-6pb(PDL#>F7Yt zz7YpI-npG-iW7`hu-Ps2`JD+Brtz{NP!L_acD#*4k2o;JUT^hetTfd@cb=iP31UM- z-Zx=Mi8LKp9(=k$)c~yC-9YFD{x0d?dNGO3K%>MPHAGQqNC5XgI4d&*ud`bbijxrp 
zE$FqRx5jCpkLSumUA#ie_}?q1+^?n@XC$(%AQS`WZ>h8}tT+W-Mx+ZcVL15sY^B%O zYj2g;>iR^c#r2$6HPHu;)Dh2u*fH2*ydKLz1z#&2KAaP3(UlQOh*Kz1+ocD9>sx zT3BOBvA!djG@32$32-yoAyP+MviueVPZC}b=C!mSJ&8l~Iu4i}M3fwQe#9{X+MNs+ z{t94%Y=$MhGx6AzUMNwpMQHlLx~=qmsXdJ$XH0 zm-fX5TQDo^s2(#DYtjX5&|h_2YUu*v>PWX-Un8LOE(T@B9}OPC3kDcc<-(aG570o( z3(=TUTeiYDDSzCJ;Dz!7n9n&z!hM!taL2z30Kg`P-j&m;L^b(y1t<=aW@s?{8q^t6 zOAd)Al4El8%_qiBFp=@<@VU9=7T&H@C)azO2~81r`uG-6+=8!GpT5K>i&mr-?wd~1 zl8tN3Wf!%vJIr`Js3WCJk-nU0g#;@j-ZTGB2`)znbEm-KGsq1a;~(n~HtQ7pJE0C0 zs>8R%i<$}4;mP3RR1$muKBe=!=PM1WCX9&9u?z=Gv7F(KvxN$*=DeiokCYC7$J8o}-4o&SZP3$HdB%V$EEV*BTq$^AXTt4CVM-?1PK&QE}>r~ve z`sP#(!>5S6lp;Mce1WSj8h?s^PY*k)xTh%pp^@@KcOuD@0xvGuyanW|p;i>>Z41m= zX~6^TK!gyMIvrC#xdtjB(-_QqU|CYDYVzX{8e9r_#PaZl*z}nif>DGngWwCqUEH;o8u62krV|V~e?pbiEgG z!>8yH*2)=;A z%pNID@PzzTkuRugmo2_~ylbVRitiaN8z7m@Ha}FlP_~-ncf(aSLenVElPC@VDj50T zdUc;eSX>dF3=HBPrekqOrQy=Na%kaTFoBdE-B5C%%@?ITb`*GV(~>6@EOA@`tB@Qo ze!cHXMKUIV#?jM`b9rr18E*>#fanzA*L}E&P&F>%xdlN$Ba1;;iJ$R>1DLI9L}4dz%HQoCF46Addqf%dW-uC_pX<%pq$?Idwxcb0@3|mnv$A zo?C?#)K*F7xq5Q*a&(Zr_%p^3niDARfI$SV7n3TVg;H^hb^!5;Vpd%Us7O5InI#-} zHe?URCV*4jP!APJMqj!YeQ{E<1I4|S3@yQbze5LrVyq@!10)pE8vw{}eSM-{VZ%F@ zwPGN+Z9|78!{jMe#^{wlhD~m^*#68?4y#213hw19<5*Gy@wtzhLDW2W`7eajDuc5@ z4qG|~fyOMsfH zwDiD`pt4mXmEL8s)@ibgRw6=@PkaDFK)k=}Lj!>4tIHpq7mL(Z18{WjU6r;Y{B0Lv zXf&v*S#K!IBJ&&&@Gzj%&H$#`rHo;7lp->1M9%a*eIV|6q>N1CG?hw7QQk|>fsN`k!;+mdX>3P7Lco|#urDe(qgjLex(t(|8R_b?k|x+#GS z`KZ(Lbx2S&)Zgb@d!1$}RwNrm9^1@g=XTT|h=GG`g*3_){Kd^6LS_4=%1#bo z>t<%I0>_}QOlN1j0j#95mNB=+G6S@cfTsS+K#c}8n?2N2lR0QKwoeGYcH996cM1Y_ z5)sgvkrK!U37ckoh>aTuJM{91ZAAw)z?D!m32EndE=7f7jc35))Tjx##WQ|)N$5rD5Ufa zMdwUL7vF8=k>h}7o5Tw-vw|T(dh!8eKY1L`k%MODCP-jA2rltlh$H64V0UeXP4aP2 zO}a*x-~SYQbr?}Y1fO}3T*8FkURnY?<&&*kK?LuAlH3pK}$#l)8Rm9?iQ0p;4RQ}982PxKg)TVG(@lb?6JB5TPd zbRCPkh$VrS%1FOZ;7Q{JKat1O+}h=UnhHZ2^N~FtoGUO_< z#+P*M@Z(hwU3-Q00aZU5w++Kj++g@#To~C*3)zO8bsz&e!R)eC9CMKt2U_!kjVwV| z$-|7V+QkV6T$=1^@Rx`cWI`Y$oynl^gJUH+cG6T{9J=r`D-LhccjC1)v9bdw54|;} 
zX8r(}*KWsx?RpmBa!pJ;P*cg#E=|aCe-nBMsXPyevf7HFhL=)1*aEEdymHFwMI<@Q zY(%uj;H1puYy~gxY?&P$JD&Sr(#~nnBq^X3Z{w1wxkQ zRG>t5EbTdv11%R8#BcxtqR7T2T-=AR4tXhvhZjcK9Tpg|EfgYkfEq@A6}mXrWCDNj zfR33$gW(1x&@(@sD)y3C2QqLFD}Y(;H^POm7<8 zhXF3FWrxvB8^ugpQihpfg&?+$U$MJ5mFk+@Ke@_OWbs;Jgn9C?)4DssvYaVUh3U$*WH7sSF|D0EG1FocqGl*c%Bw)|pkeqHc&Y7Q_ql;+ zAyE1r8h6uwNhxI2A5bo$6Y~;0Sas46xPzh5)1o?bKcd9vv1G;^3drqO8Ah}eELANg z%Ht6b`OwFVoiT%;oI=#i!=U^$uwmbLrhN-1JJ4W+-yQt7;;r2jQhcWFyj!m@Ew0y<`YKr z`bZm;UnM9zCy(kZg$UfYgyov&%9##vqIA|VbJ0%^i09BH8QQbM;{2%f)@(2g^qIln z7EQBq!o?K_6UBHoijejUPL^`dkdbqVM3N8TY91UnG67@O5FdME$ z1hqqbT*#YTi2sE##SA4E$`@4WBB$~>Xd^@gWM2w!EkwcR^`tJSHj|rK+mZkx%kYfs zsaChw#Q^R_E|~{#V#v`LteB5`m^I^OiN2!buTAJuXxtkuPV|#HJ1#iLEJRw0Lwj<(b73d@NfIj zs+1v-Of;At5t&p;i~eF9<9>9U2OehY#2m&gxnRcpVUTEFf9nw2y;_*l`-i&g`i!;KMgLr}X9ywy3B2i}Q~zt#EVh(P$&_ z)Rn&gvmQ8J=uji^)Xjscqd88+Mwwf7DA2rteoxVLa}pY1-98@3t^f};3S@X3uK}}=2n${o$}3mStX+K89kj;V zA@&6P>I!Es>Y~aYG>0x%;gO@c4CQ9E%GX=*Je0v4c~9oGihMg1b{;o8ZAI4Fqn?WL z;!c7?fioiCK2TXw;QA;@w7bV`UN&`8C0M<{LDIPPha$hR!Po=nK&cd;#ge38rE*-ZJ3`X`b z8uTSZqgj(G$j_+Y@)dHOA9e!O1P1sXgAt+^W{`gM1WZ)4B0l4iV=yoX6%cJ1q35;n+8+aoS3}db_NNRny(2%}V|@8!OD} zRJ6J}1`i26CPS9{eF!1T;N3l6(a~H>g!Ee`D`Xn6Y6oUSyOs_nes+TG3ea5J!Hyy? 
zp_}stV_4-QI-rM=LA4Vgf;}$;($@^!90p~a3}gbXZCh864)|+WohFZa zEc#j?rfi$)qmO+I&G*4PESJca-Q-+Gkq50~yL3@2hke?j$xEEsB0HGvY79iA+-Rr8 zo$%s%1{W9o2jWJ5qCnB}2@kT4nkY?%;A`#z3h^{91lo}A@k54KWm-Gn4#q+^pFUx^ zq6oG53$N(iHcvDw;f3Y`0C*n5h1#;=s2t>h*>S~o+Qe#4mtYck5I#iD_gQ>jF1zi3 zOYyOAur-BAFP-NqbuL2ya~#r&3(+0WnnPY{O44UKv-AfP1bWhmw9hQJKB@#{zM*)e z1xV8%}>9u`EP!wz|7VlJrb za0zM(PFRD;AEMZrfsIhFT`_Di6}HY5NaSn9S@M{O0YJ^Ab)t=0b@T=l6BNvO74ljI zD*>4|kFLu+vB*EO1sVWd(;U>~@k*17eM@Vit0?A}T|7Y0STerk7pH_*1P8y!tavTeYJ0|@jx7Sj79O*Ih@H`vc{EJRXHjQM`RVjoTK_bpaymrZI2ZWv?=fPcz zYQKqN?wlyTTCeF#wXT=H$w%FH#Ri(rq^KFxL~lh&3XL$ur5 z_b`~Hw#7`*m2tS=<229|k^;YEhKEK#;pSd!jynr4%!AMvze2__uUMiz3APF|k`g2h z>XkPGN-6pkD6KLAqlm%xFg8XFNrST$ zENGh3tP(H8hjq5ltJPaUbF-8qUAjjM%IxZasOk8;WaC-B`|$Iczryf(ht5ghjl+DI zf0Xuk*Ir~VA;a;(E;r`UGMx8vr`J74K1Wb_I0tFL*rkHLvoVmYD|(U5t+R%Ekwr0Y z05rW|E}6NrO7m@1BxcgABKO*Dl$j(&{|Cp~ssLJh3kO6;&WQ3UK0G<>*R{EP@Npfo zXYbXp>9<$6E*X)nY#8zmswCbD#`f4Gk~5^)QzIeuXdXx8PO#+nTS}c17U?lJ8k=^_ zsG)4(jIc%M@N3HwQ#y(my*XEdRR>2d$qyc6{YWv38Sc#I2X+6+Ak>d#+4yQ>;up*| zWT~vvXXZHlN3Y9oX-LgbhO#fAA+5gzb2JWup%YdS>$AKhGcnn0mzA)cW&9v+4mHKS zdn=?9f&S(gqH2e*AmE<&J!qu4x6M{mfi5# zON=IEPSDMsO4YfO-vYe@z=jX89lQhsTMrVO(3xx+WFtm${wqPq53kg8jv;>MLdWHu z$1@HgZMp*$ns}7>!E|V|te{AXd95+y5b$d;2!eYj%0p*iF`4V2P9GQpcV2U|(KKXe z?dpa1Nv+2AlBDD~OPJ;{cun_>(lURMJ)H<{gQJKN+7I$3$T&H34Y&3u*+J5WS!nu2 zsNP%n5I?Yt=FNZ}wxuO%7xjL*kTJzxOL~=cQeZw*_w#r&PFseV&?$$-v>3FU{*XHV zZI+6hbO5b$cjCSvZnaS*i)W?+TyEoq5ZTUB#cL2QwOykD+z&xCa#RC*SF7RKBhu75 zhp&TnWKA*?pj5k;y-Znw05Y8#ICdGH20F^XqWl@!coTzPErJY8zc@nMe^hu+SEFKX z)md#ISl7ciYS37q(3pt`vbcgwCpko)fX-5Q`4Q(#3y?aSs|rvZtwzg|yF*%s$Ey6| zajQ4&t6bz088ozlN*tZj1-N+)JeU!q zcyC}4${mye(t~Rl`i26jCZoIUF&sn=A_tQGA?$I%%3#?z)^o<^`tpz;z1{i+KPNXEAjf_;*B7&u9XY9&Pv)54%9L^f1oC(iPtZIA8 zRo*;<0O_?}hvqogqKheTH9wgjdl3s?cc?LX7fFC}r%-%qT;p6@i=%54Pmy6r$Z@W$ zD*3~d(rZ9HBG1LB{FOE~nL&^kJ;sHAY)i=FMQmVpt0i3XKs6%UDmc(|Cw|CP5{_KQ zE{FMM#qL-4hCTU^2?s6M3wRhDHnh_y&^I6*|Ln}NV_(QK6VZZ;sf~H99#>1AX`O=r zmbFco9NB~f03A0Azvr&Zy9oCl5NYjjoRIR3+0T<8CC^4hsf~1Mf7&D;!bQpfFqXAe 
zyt z%>nxRuTpS3Tq=}j}80!)^oZOPSk1GG>XYQ)VHPq?NGD<2@QI5NUc9W z_PE&$AdLh?@8yUr`QKq$gE*to2HLlQR9KUJ%y_v~AM2coI(8-oSZ5JZm^{yFPTnvk zM!((=nP*ppoDPA2%Ya1j#{{9baLO z#t^cJR!8)sD~b-9;Gh%y!ssVYPa28TOWwV^&@j>x{K-aue$q%re%#YJ=u~R|EFN7i z^hgeV0^z0{*m{hLiXSk5DXW&YH5I82_npwpO)WH+a>OU)JiCxvF4@f4Y3KaVu34>MV84aoHf47D5py8gpOn)j4$9L*$BcP|9E z_y>S|8zL8eDYYn=(J>dx zbb}XIX8}Nd*&Bo7ES~s~n%^!=1k$VnP~3)=3V(}jYoN@yPVr)hyx3s+hX7L}u)*{s z5qMm~r|y+n=rs_c35PKB;5XcG+!Dz50?Ldzo@Ef3NsTl2pvhtmRD@c@5)rR- zy&)rQExiWObq)(t`W{S?^V*@&8<)l$un6qKSTvAznIQc`-)85yIq3jBGcLi)=)596e*aQ%;2~U0tPLifNrOYF)-y?eAK?8a7o+zHt0{x3V<^oM!=Tpt{K;h2b zA$*&|T*=WQAo!4Hq7fZHHdkITQ#Jz*K@I?e)(0@)a7vu2hHR|TpIH+Ma?>J*7V;}0H^}R9+MG!l22muL zxl8~at;tHFd5=|JDE#+2JV?&gxgmU*>5BORtkiqA$3`=9>bPjvTHD^F&R8fIUrWPG zZzz4xX8c5FMh`#!v<~tRJ=X?;L+v|CHBRZLp&xHQv<@a0`mFV+gGh;5f{EPcgw1Fc zMkut{X|L=emcxrEl0Ar~Mn`EKdYI5LJ$q#*Ymvxt8f6e?(I!1Q>cN|A3_+)Xtt#g$ z3(#6`^T-^aOYx2HksXVY*RE{Ul4a!JbfICD3$XF(15i#hl(4d2Q)f0p+4iIuRF0(L z@v*XupBweiwSaT82`$$4>zrmdTL7>JvRgatbndR~pN@fZfH$@~0^O6|WvO4aOsVMc;XpI1}H1 zHeZ(5S(u8%m2}NMM}sQu#lh}Faisp?7f4IpS>20+EXx^Hwa~Ab+@yzBj{tIc;~5N^ z%rVA{CPB5&GH+)oGq`*G_-P_y-Sf1Kk)xbYZ52hX%sh<6qHeb0=ZQdM%$}`r9m)Xo zFmjLn07UE@bTarTG>-=_624b^BA%km;EK2TWBHb9Wb%7W5>sq$ z5Xq%0a0O`zLY}Uu6)a2frP5g_U(7iJ0?V7jOKBQicG@@~~QGohLVkH?hO2S`7k7Ua$ z1^N>~*IYALpNS%Qt#Kg&1$ymCvj+qToqILN z{q_~=Lb*VFAo0YVWc0Y#hbM9xj2vfxRrp;9QJ0kr={+5g4R#o&-I%8I4-*12tkjF2 z9jP$C2@&xy8!tKdW~;3@XFGvh*E}PtiKjp`6&IcIub$u|bp4Py?YcYy7u`E)*!o;X z?sUE2jT_FqN*CG<&Gs&*YvV-7WZX&_rOt7Q(;+5+cHdT?+y?a7M5?+zfynH+WWeUH z#<>OfP$4rWF6hTFUVfyez*pf?%*Q#Fpe|gyr?;%(+-O>L%cd{5K^?ZH^1Z&Tau^)G zCt>m;FXF}MC9Nao6+(PG2^0jqllj_k6(;AaB>~PRqegDT^5HGac4kc0&Q9?Z)MWy- zG!@ej&0#`tx84Al_k`$vsaj*!wDfAKPU#yU10t9HwGQ%Dd0HYazurdpQ_Fc>gAG3~Bq7D>< zl=*mO-$jL!dG^dImO1E1z}u$So)A*8FHfaYdoMfbS4eXq0;C7bFwu+08Tv?>bB2<{e9KfAE#oPLG4nX=E^Cp`-Z^F-7FFpb%Gb)?)4yQ~3?BoiZ4=0u4HLI`e%R zo)E*@>?;N1VM{RNn;aT_!-+G`Jg8??vfHqAzkd=$GN13oi-SVU5kAy51RTH%UV&{P zzy=?Hr=@d#{QSpa%}t^BtDq_*{DXW%lJxY8CIyDy5KZNnwae=HNta2 
zp*xb;aSQR{U`w#2MY5$hUs5n`dm4uxR^KElB)k-uNf2@qnoCJZ4E@8ViAGpx`^z#gql8fiT5l@Y$n^hfsr_PoUy z*|!Ak{t6Oj^UYc5oG5v-U?U z)+A}Zy`!7`4E0?Vt<3v@Q*mA*sO#uw9tu!t4l_%zRT=clm)t5YE=eW=O4rKr|Kix#|vK6l+=%*EPeIs?| zN5Eb_TG!gTfk`?`A6M4g`8OYo+KH$gHn&TPH`|FX&846 z6f&a-1Jxl|6gh&t7`ITwgIrg@$-Q8O=UZCcLt(6(w`wV0L-0mhz}folThn{*o^*=5 zB6DBsmCn8W?b{>|C**1&JN6a!vCR#62Ho5*<5C`a3;eDa(M;^1=UJ|x_JB<=H!-W! z6)*rbg|RRlIpp|9x^8AFK+GCP5E@72@!K_xKV}zUKY>y|VkYsOZ9=*WWdu1;25Hx* zo|&QOaB#sc1oNdB3!Nv_<3Ny1=n!0>&1v)1CTK}zN7}k)9(9i}Qu5c#19D;NYA=!= z-i~(1+gyFLg91w0$p;@@4CUEI#*C1gc>cZ$PDVHB3iBbtqgjW{k~c7{YU)m&1TtTr zU`rv}?HXuPcQQdkn~BxxJ*F$!hJiAN63N)HGLX**Zjuc+nL85})la;EX;KI@+^=0g={FW6KrM zC}pP=U4P-0JSw@^Xo2nl*pSM+5nQxR73WMP>ae9iosb>iaPc4#V&wv;IgO&!MbCF)`f$f*9$f&|XJ!ZH z+#o0&MOLmGz=wt^VqvCiAlsKz!gFJ8Xv!FKGpvgS=L^F2)J3_UAo_i8jtV~=5&596 zCQTPaK!4h5U>1~BjcJ-o=0(G+dGeUv#S)@X94areK#uL zz;H_X7!9l)Vf4I4YH^Nb-1&wc$yttV?@5e+WMLqWJtKx<(@NSNat_RY7|lBSf+yIO zls%ZuzFhU3SBhpDy72>4U~feBKxaX!$p;2+9xCC>mFy_env=3~R1nVQgj|}zcCj4D z5GUVoMc18c1>_=E_tpO-ePG3BOFc(jl( zG_Itm=XN+?mb3~j#N9*+?+>oN=EELW_mM)fuaM$3YL6sxpOo4)u>@X+&$C%vp6KF3 zxrc~#nx|rg8<5wlg|gh93&6-+mf-Hha8~mL*%f8UV$&F0;$W%{f|3Y^(m(Xjy z4gqIcmjjtToMW5eZc6-siLQ%C9BL#}e-X092Ihd+9h~%h2(jC20TJ#}as|H=6{9ER zEpr1TN}9!nB{Cyvjpr#9X(Y2L4Fxz?n5i+c;}j}S6>@kZF)@GA;paBp3UFSo@!M^A; zkT7beVmLtdJb-phMi2Ad6rgUR*!0yg4v#?-IX@w7Yg-AJvY}4h>+BTtPHx^opiatE zG_k#)_Q*V=IPFG=A7>W2tt*;AVS=V1!PSs)VqKS}_}O0E)7-*+L<+aIYV?)Y2$5QJ z^sQ@sM*DXIidIqzp%HY6m3=#e{isaej7pfHCy$SGlDP&K;;oejFMIlrF+o!(+UrCR z6Hc~*Nf#AZAa^#IyAvA#=G7lvx(SxoUuD|pT}LVN2Ly%pk$dwx7F*2xo<(GEXY~eD+ZGYOQ{+(mFyOwQ+h?$Q!wHoP4krMSqnr?*DF>pNMgsnG104 zT$2x{k)&OnFAc`ESh=*32p@S7E$=;tk~s{O`HLeTy?aK*bv z$J1%`+-fhWNlC1gkw=^u@fc@3u()o1n=-=@uhMtzM?d^bEWXe!LU!7!kC(OiUsu# zUB4HCxbZJgHs-t@2hZ_VcQajH`zj8KxBHMlkzHr|`mb!Pf2c6>U>r@^7^}%gEi9PR zvIumM5ZIi6=?mdwpV&U}0FXJ24aKtz0G*3MVClue-#&b6>cT6+7D8pAOPG1tPP#HAiK3>t6qZpfnCM|xDcR>>p*duG`PVAcPh}@`P7vs9w^ie{ zJ3KFb-Rnm*+m@RTd-OoMiP~W=nNfKIECW57*JR$ZY!owhaMK~+a~F{NLcVo{B@+$7 
z%Z2#_4j+w%o7e$#6kDo@k4JvUYs?oCI&xCA6I$08prB||o%vL{ z5oEO+D1PKXmOgz2ZPF#%W-BB1o-+_VVdzQs3|_Vc6vX``L4$b7f9XkFHG(l#v_y*=i|sB zJPe|Ci9NDOrOa>ZQ-!9hdRFK zDlU}tksL01NXz6$Cs2^7sutS--j%FLK}QFHQRBBWMo%;x`63r?(<^kR`f_lp!W43Y zpyI1IMST&+$Zjw|$1J=z`J)|g?bl>X7tK6-=kk+Yd!@IE8+7cB5*?rnqC7(@_FX=#=)6h< z&E_PFjAJIGvA874gQ|w_z*Atp6LQuX3=7Dv5g4=-UD-ho)mql-cE*k*DHmM41&J`TkqAVtRL4Z#As5*_zYMxW z@9x7~p~`@x23m<7tvp7DhaPd2*KDk0XZu29j*E2CKy4Ug2R<(RE<+EQ1kag6O_7{! zBCxgJ7U21lEXTWiuE{MDb09?^=Cj`GsZ zx&|b&D;H(by-DtaUZH37G6EG&r4&pX0ZcKc2uA&Fs8);F65KYjp5!>+&1cRZ?u84m zcQV+u5dpVD+J-rnG0o;JAmUoctmrPKv8T#wI}WDbyw=8{Gvu|+Q@W7379!SsbgB;uU}Qxz zbRTg-!wdvO*nwiA%qn<{_Jpk{a+Tnl=F2M}2V2@53JuB3w7|!qIBBZTjz)5xHs$mi z%@8t(uO6*w1gZ(;szKcr1f*%>F+wOW#18X;Xi=K%#k>KKl;JqG$LU2 zC54X<$5__2od}!xNABqtdZlK+ysiG#$ueI;nS2#Mws+ojUVs*} z83}?`Gu7}g3&MTr4u@^?2QpOp>1#6&6ie^G2K&RF6kWhdploGHX6rx+$vmM`d)@a# z*?y5JWE+i*J>(;+S5YT?hL0limI_)&(Ice=Krql~Az~ag!Q&_AN?X!~%9q%kk*A`* zynrMX`Np=(dwCejQb>K&lUOw%SP@UYoYc{b-hFO}0^H z=_FA2${#j>oep@xPq83&EAMY7mYMRKnKC!UHR;YXfAa?`0@{X!ts_YaJ{34EIj+c& z51KWQ71_?Z$13K$BnytOo#r+l0=LTzp_z3V6nM`O-os$IdKnCktvUhtN@IpUFTrgs zrLI}aM-RpW=WhBDbjKUjNPEYuSyxdq;ggR%+QyrXmL!ui3pWLJ8NCPdoeHP!m1A+I zDZwWK1R;BiTKpJN?N7y$Gt?N4>m@-cy{y-?Jt0H1*N&acA(r)PHt}1b zT_|0y36mPzF(xE7jypX$MCfR5G69;UD2eo%P30YVAheTSuGtLXfQvaG;gD;N-ANVn zGI2c3_y|Cj@$;n50uP(2s7#B7$uPT+Ez&QxD42KeI{OmD(^*yHN<7L9D>oU;mCbi} z<`!dM_7H63%7iB(pOo|CD|iX~2a>&+m*};BgQhw`PSkUJ@MIOhye~3o;ZBT=E!pWR z7s0dbq_v>)UWsUVEB1$#fl8n8qVdH~R=kPuk0mtfj1Rb6gaH$6BlJoGhkj@Q3ruv` zE%0nAH04gNvIVHCsMz`z5)FTm*%PBweN#tdBPqCSGa{&&3(3(7NS$dChhh#C#b7?O zLD+OuY;x%V0IdbmQU52HPAcaPWIkHErOA(T|AX z{D#`4mH=R=ZP9>d)F!2dLYDLfU4$Mt?9+3qzdscQl3{=4ez=Gy6KJ4wLPH-FC-fg) zDsTEIcH32`)_l>^rJ9CwW`_Y?C8x(}`06gu$ZKY}eg~%Wt7YcS{gu*{i7O7Ei!2k>X0?#rbiG_m z5X@}o!pg%OjmVozN*_ws*RaK1+HD5srO2pyiy@e^>j#<+GYep*k|p^wp$Bp-l9moT zQtCb&w(~tX{%4y9-W1MaOn+Rpi%jlCLg5q4MELCIpCO#(?NIP)SW48)t-WnkAvPo`{bDoPjmrzJ}5t0^1wgA zMnO&!#qpmX0X+i>w~2 zTEv1FFYu#oej+gZJT1QR8JNvq;Qh|6P+l4b#N3zsoLcnLvX@M(L6}*$yiNq8S7s9E 
zBYc9W*Hy9FHka<7gnx>wTtXqgL|F|RI`R9qu)|yg)IB3*N;TS zGYqY>GdKY?8`iAoH^we`F6{}g{D6sEtAR=WhF@OY$;3Tr9$r?5-AX)_Ayut}V!p29 z3Ar||Mmre=a3GptZONl6cZPs{lg;5rS?Kg7D2*0CsMnp9Kz;*&iT3Lt<4_=!^%Wii zPD4dDP;O<=rGfClb(Xv!H=ZSwySfm&5XIh!99VVhcW>9L;8Hjgp9xx?=3Lk0!3Sxb zv=cc4?aN~~m)bCWKB7ggX)W+7pGjVIUd@h2DSr9n3Qbu|3P2sQizQM1)XOxWfUTtU z^+wi$bdC;=Oo2mb7uWETiAi+%u~U;S)Y9`BBj#q}Fd1H=Zk~0FFwu9obpM4Q+W{C2-iqQoZxJi=14k3&uOJ|r)NM%*?yL zgKPlPWN=}ci88|<5wC7@MM=w+Q8A<4cxcM6Xh$!BMOfz2r=>4k!pSaj@IKA$>pq1T zT8nMRBS_gCZZ7>85aUL|1+7CoHR(+vM>1X$(kte^ke76c`I6_0Z;FtAL)XI8`6zAW z(owWW*#gt40}{0G8MoQWhqS>se2^i)jkXOh$1~!YyXG~!`VcJ&{o=iC`i1v>Pzdko zx!{TsfaD`qLmj%Ir+F~RxrZVdWTwvAlV*8iL4x6`Pj}y%K%_4#D`gI@Se<74VV3gb zeIk*sc|m~VzVaoD3`HRFl(V)ic>>2{oT!~6n>HIu6U!OPmZYZjl6x{;ZuG0f4mGe6 zqyF-nTh)T-38@aB)Jvvykdk)or;psWl=&cEX~+7sZJ^uDAeCBy452;5Le324ruujd z^Kg2&{bB5?<5JJGks!xyHlRSadXEJ{raNPUg8VqFDU$)iK?Mw*+>7p%=B3yA)eFxJJHNo2PdIUhs!*uk1!U0_F#Y^AnDYdU~!34+9L zutC9jOo4TRE*uVnce5Xd_>e)Dmac=~Lt7T9yD^0%|H0Ln+H0ha-_SVx1xjt*)Wteu zN(uL?i57FCU(;!1&CF_cNzMx6%Pc4R)4GBH`fuy0iA}-gG{wpW>JrznN?t$e=0*0K zx;&38v|LAf-MP`Kvgmw-%geiDSe4=Uc(j%W&PBdOoz|jlc2ywTU_v$;>dmYj0GiHP zFtGdpPvVJGcDC`1BJ)?#CC5dVpfdR>&8-FloGU}7 zJ!vBkLUNQAW`B~DI}|Pu`U!=uwxe?7Xgw-sB3c95t3j7+2W0dnhDkqRLvF7{;hE=} zjGV^q>?zDtja9ioJ`jRTOOQMvhj|UsO~Jo2ToK_*6gVL7sASP!Zg^?eGFRsbQgP8O ziZ@i6Fn`9V0=owxrp;7FpxIRK9!liKeM*#Fk+W$=0tG@d{l<8f6H#8dr_>vcR{tdS zRR+5$bK;hf*G9r_y7#uW>motiszK#-ob7Z4shlSu0C*xkzZePxa+Md^-wwT)1*cM+ zvqt5yGB>=26A*J6nZ9c-FeC3)!u5wQHZtg}HR`Yj6jOX|Pq>M8}!dt#1xAe5HL2WWrJq2OAvaq`+$?iMGUc@nI zD&4FzHmT>?EjEtwTpN)nilpz=5G_>c?ZwrI-ZsS z+7U!>Ef23IWtpEb zhGCGxoi#_HjsS32J-upW_0_AQ;jdm5En=`<^*g=V<;oqMh^jfdVph#eop3s|UH(2w zQ@q?bq`h=04Q-^|f0tXgxZYk^VcD%)l|yu5w8Aq3?j>eLWd@(Zv@f0=P>QCfyjR<3 zfR$6ZX=a6Ul)=VEQ@rTx``d%)HO6;$(>t?t!)_k!L?4^%<2X|HyW0NjkF#&e zW2Q3CM`}kV?=0=c0A)?Q+eVGtYHbbRI_602HP8>irxd!?ep3hR3izI-vzolsYGwDk zGpt1(=VOkk-MRvz49t`P+CM+NDG-3Y9Khh;Tu8BmYZ!Sgi8lu;XQfO|QJe@ir&1JW7GEZ+98* zdT66VG=_ce3uEikptW_Jui&Ww32nomsbi4>&~oB1JBfs>zMA2O-+-X&AfPR+DTmcI 
z=+O3oz&k(T^ahW;u<``9oV^B@ueEHJzz$L4&I>H;LACRkh7w*7??b3nzR4u5b!uz0Y1G^qs1s4;@_w? z=fOSkx~3!lz_rywVJJSOH=wh`czTeC02l?{>wTCibgkW-4w361w?-jqs4yUyDomUU zUWt+$bjhCAO&yF1i`WdVAUGA^S*rG*gMQ>|XaCH;~v zYyI@1=z%Z7eACCRp$bhOH^$d;jB9!d;fRBn!iR&9;@yTU;H#hj`s&$L2ek_6vp7pw zOIB(}7$w3;P{g$zFCwlyGQn4N#nGU}x<+#iCkTh4XQn@4AoS+K^K(N2z zksMh Z4a*!Yp{s(eA4b^=~Uxt+RE9h0XLd6SbcTi@;h=>U#NI_eHor@6MBR4%gx zuK*o)iSGB1^!f^owJb#_v5%~2=&B)PZFK@jmcU`hg~)z18!oO^5JR`0u;Br9xCdRH zByB_vO*Qi#OV##LLZ)|_l-+NFQctid@T?kO*RZ23M;5v9L{F**Xx-9EM(^MRLvW`$ zjBzRlXs@^gl&;eZaC~W#EVn(IZ3mD}eFq>ACkR9K0d|&pS1`%O zrDr-0o{N@Yg>_L3a(KWi932?WthAkY&$O4FzRWji(VZ}jN0y7?*Gi^|wASD+kY;2TeKyEL zUMYJO&C|nRUq8nMC9@W#d7nwWH5OI1_Hl*Bfu71_GkJGMDgxzYv#+8500QhJVAU{! zuCmq@!^K1q0KcJ^2+qy(dgPr|W|J1>cjSXG5Z`2FvdwTo!D+O_y|)c)D}p%eo~jz{ zHI>v~HqgjfjkA-?I`NpkwfLYJ5h4$89_;LJXa zmaE6be2rvP+eATRyT^fGUMg%(_2Mkc@bF`Wdq-HchB1-3N$uRpi@j{a=dH(B5o^X= z`Zgm3;2|L>jdpt0k69pZqKZOWNMR)*6EO^JzPq>l1X4~H=uO0kW_Rs|01UiD!?c-7 zUvZF+IL*iih}SG(oVRtv+l8Der*WXc=fd#rCWGtif$o$(Cr3m^(V6%gHTlmxs7-7^4L~H zxach*cr$A3fi@6kDR(ACy@HDlc?G44z8qlyf2O(fAO*^BmJXl}#eg5HJ8BbN>|o3v zu|7fIu)VCnwBwyKTsFGYP-JL7vSYfPS|*rD8LPXsQI_ZsSt4{CCKlrQ2W@P>DZ?b6 z@xbT=f>iiQ$xXY!N|P78yf|EkHP{7TCy3Qn(r~mIU}W+p7Yh#J|{R& z=C{cq+q~%t8k+DS0JX-VU`~h6G}w)Q z4jl>;LzDeM9zzkZ+=B$(pSWGMY}A}vvM_-IcMH5%#nM~B2zhE*DSn<2x-4bK&avy+ z&CnJ2sF+_5DO}RIKUJ@xX0h)|TXPZIB#e;m$8NtDhUPvD~SR+o33pEP)+8jfq3+O?4@Jo1AV zxV^*zRVKWBdY&=)0(az`YDz8TpBRo}I3_TAQ&J8m;%L#ePISolT81tRV+gb_7=Xib zIZ|&TZ$^H@i=U7RxuW-QVTRl@>Lx_WoJ$~<^GIX!TwXi(0k)QZyM(rrAVw#v#Qo{w z40iId_$v_DI!Twu$EXz0wOAaU#-$D$*;LbCe9-70Bu_ndI+!&R^?I%`39lwV(yu0v z;1o+Ky7aZI>;}#(bP>J$IlT<$LZx~$D{&YWicWvIGi@k`zMOy1iQ-G{mVEHm=^1S4 zTr+@`zSVQ_-J;(A5`oFLL_uyvBfuBssCE{uQrF;{(?3p97`?zQ1^iSub~aJ;&IIPk z#k|J0;bCqIX-UXs%yiyJled+yRcJ{@&c5qX)?QdNwiGwKhI6Ng_s~4`4Kg?yM5&P` zfZ;1wn&oz@Uv1{}0QJQ;Sv^_c@?f%wPI5C$o~E|&!uuR-b8E;#7f zD>pr8R{}?gD1CqkZWw_Nisuj&fmifS_TTCqR^ed6)9BJ^A%0^z$d4}udb07-pb6~= zgG`6mK;{*+LhrG?XO?Z_xyYy?DG%#8f6rwJ|nn)ru^5%jF*^Kpw79Lr1`bgF{3S 
z`7Ki+Cga=i#uSBp*F>{mA>1yqYA4gyn0$vKLjLH(^opiUI>`#Y7cp|;STuR` zmeyeoV0fT&(ies?de_)8?MyE0U6f0dhjP{U9RVaASoxM?!y|K{F{Mc$K+Bip;aMD^GDD-uv(ZtSj2fzi?l;49b>wMU4-s9_7)V&*6RM1DtKuwgn1c6I zzTU0(hH=Y+STfFL;Yp38S(Q&Pxzkn>RZe8Wusik!zY&eqP7-}8$ z8LkDGUY%BiTM!M0gDy z(~sB`%VIo#{|R*i&r#aAV46S-WZU5!((G^@#2!rpNn{@7DeBNrv0Osws;x|ATQ~Bp zeMT7mDipKDu0-I+2R>I-{qWu@V44e81tzLs;%c~jXf8LxKHvmsd|Qb@?2)FWsyvk3 zn?63pGae{DbQA$bt5OwtNHU3s^t^-XSj63e9p79wCbPwSC_Dj86z>~t#a=$yJc5}q zymZ#)wkF(KFm_9y3DYDKND!yjs`%i{G6a5i#hXibA?qh(c6mo*-M<2-{@{|#-^AMf zf$-};a6N6hsH0PWiGi&+K|19ay=i!T*n61fsp;cReHS| z_caQ}dzJ7-HYX2LrbD|SV>~n5y~s+KHbJK0doPaQTSUE9;Rpx*NN5L0J+60op*wtn zzOTSoOI7K>Nop}%vd#)7@w%m734CQcQ_OTIlUe5N19}@K?U$6;?#A{Cr-Ah99aU7| zHZGPI>ru=}AVUk=OBQdg?{Mv5h?dAoaX#M>#l(ZY>JcNeWzqH**JCD8Y($G*7l!${*?^%Vf?~l-*m!m8l2%;Db=rZDYj6oSW8Ik~$G1AH zX-g({IVlL7)fFYb5m8PKCEXrX(uFsBwlOeMjsL%s6D0R?c>Itc6dr64W z$M}PAS`B)S!Db_07Uk=nMSkGh$4R`fy&7G$!sqd$GUXe>JiS~3DE z)>n$@Jyh6)7Fsigb^ExU21j-bx^O?>M8s+9)HWrXIeoOo;X=UhwuLfpx>tym%)kz@ zgV_}Y*lxyKDb|Gh0enoHP^}-k}Ci5!dr3jc_bvgJqb?RU$ zSu}mQ#-QT}bc>=bVkey{de?>;uJ9vBS1I$slYQqbQmML*w!=w_^vFx1tbXS6 znhLVF%iQ2>D?8UL3I)r7fbMwVyK|3t6lAZ_Kh#ePLoHZd%T{qhe5*bO(X3+ zz`8Sb9VaCKZ39iL*-iAE(Ct;A%QxaGYyPA4RxX=YmYryy`O;;c|r>qtrdi;&v;Jrqf_05&{>iHV%WHVS+9m- z6XbwI>}1&{fLEL$1;a8p>Rh3+CQYntEHWKGqp{a?l-RWbC|WNQ^>Y?8mVAl|Lqixt z+hg9S$e9`lJ4g-Bsb--RukIzzXf|a7(15CN?#X1K-xO)UN3>OKM+yyhF>;^}Pt3r2 zJco@}7X@DtVdu07hAui6bVL|TIZ6VG4iH+^by>pP2_14MAV@FhdX|4Gzc6TdC!13@ zBmmM*0w%}jB)H~8q*AeL3V5ce{x*EfVVwVQ_O%@xCilXckgJTi_M9vLa!(Zpy;S>? zbr0Beo*NKH1Ly2@OPY>UH+eWQ%yJGhuRrDE#HmAjk02xMcn2bHN6G;fIbeyxMW zO-g(^NugLy5mch5wt)Dc-tGyI**qH(*D0VT$&(PAnhjLy^MqXag((DCXiQQYj#+quPOt@k-G~uF3o0^rCVR@W;G>RI>Kh`2kDSr2h*|%xT$cwPOU~=;G!+at$A6O zXy3t1%V|m61bC6l-;05u!fze`o`h;y6h@)ou|0T>`JFW(nuiCnu5*P(W6Q9H5=EdD zHORIi3$;U%0K6HbfIgJdqdQb?y)Flx+y+iUIb1zHIc&`ddk^e9p@?;}i3lK@@yaNnuVRbcX+&J;&q`1H}DN~#=IO@42L)keTq0B@$5Jczjk zeIZY^!z^*qpEh#uc6xcizS#$AhP8se4$Wi&Ras8PS1WOo z!@E!fHZ)?5rpuC9gO{KsxrYm~_>Pyujr5FUHNQ6P_2=_8OblAX?i+l%3iTJHOd17? 
zpAPjCl2a29w$m48HpP6>V?3B>D_WfIg2^FU=t0yc$SUu4RiIbT;@}QHvYO6|7+6eq z>t12Ln8JzF?=bQEwmF#{$Mc4z+>k-0^#Uar&HBfVsBd8@n^(%j=WYZ48P@kR${E<_a-jng$LPNlMt?;cyBqHe?Js)1H0L%qT=QQb@CK)!)M$-Wfz-FgV zCxQ9~KVZx4heV>wyl`wVDbk!lz;09hNRtJr>>dkj(mz@Mn;%-dz#fQi&^CO-zTz!p6f(yCO4+CNQny1(aWw4Yd{o zv7ko6l;U}EoR_8C%|)wUQKZj;bOA@%yl|`~)z0k=b3_|w7}xjcK!aVm0F>=vi{zb= zH|&*GF3z|3;Vw$QvX4JB-?V-F#VSnT_>?J}NqH%+!^;V_L&l^liWrqGq`#7VTk~_q4BPeS!wtgX;3`M$~pGF>&sfG}MEJZoVZA z5}R3*pwqlXUh{CW1$$nz5Fd=|nDW9`f{GoM1UHk)xGoJ;f|q>AaVn#47zhD}%a|nk zt}xaD^R(+i7kSo8Yx!W1eJAP4hKD%~R^Q+EZY0UcGv0OvHbrIG)<;JP;q4?s8J$bR*7_J84pf>;hN%r6-WhR~d(ODX!e34Z0Il4S##=|S^`NfGlB+|AKFbKUtM3!zl zWs-MSsUBr&^g_7EGAmknI2Erq4aI==8JbFQVTYsp08;&59%$E^Lgu_R3;N4SWhWs) ze1@(WoknR%vk4l_9>Tn~tOVKI7RRnXVFY@)2vIv}?jUw4*D`^AO6^`Af#%|ua8j50 zY`f(s8SI6t=3t?87!9uC-E920Xbltx;^E75YJ9a76kc57b+C0=gn1hhJzs){hr7as zzKkXC12nE264$EXpgKA3VTAXrW?W5DRi1?v(6SoDGMWjuyW!!%W{{{gnHF>MQ0?9` zMDb-KPT7p3f0V|{?VOpxvMy@-MgX|XNr%qwY#4QJmXe3L zsmm;~)cKmJn7lS++N7C)eP(N>+w|mJ{Kz(iEaMo}^|n>a@Ebm;Q%I7QGcklY79B~s z_lTEPn{>i-ph$h;kL`+!m$#C!nrEaY=prBk*|y5}28>2r^ia*UcoN|rp1n5ieSqc3B!*zi}l(3s`i}eM)CQauTJ)M)0BmX5rX11s~Q%HWp?ZtcxVa zSKGKXCl}0)^TPx7jG*99O@-A6`RqSI54cR5>?bGP;2?iQK1T~~XCYJ37)*0-bq+ms z5=%xB6WMP?1hJ?G2Hn6HNWOw%s`FA?yYR^LuUI@giiI9u5#&df(MzUjL+Ho{D!@Lm z@)I}sMeQp=Bc67wjzB1eRk6glfF4AML}*dLT!ir3mZCZpiTJ;!TuVdkU?y1f~p zLx&jQ}Qu32U_T{bieQ7{?Kdw@YV!hz`kFbW&Q?}i>y)Yh;+ ze6%9lA*QiOc&kygtVUL)y~w5MF-;shH5W~bAlq>`IH+=tF*;!6W5&>cAN+g#Nd` zh7)I~Tl{Tl5FZ-5;6fy*Ex~q2o-)ckrwtw_acJNnyu2FEZ?9Ly5@ZZdt6dk_)of2n z-$Udwr}=C+*BVgP0jBVxeq}HK*9^TTBS}U=Bk!`Zw?ERVb~Aut8psZy7uaF?Ni4XR zk;%nUG+Xo~nVqa-?C@7uU)mcH_H;F)4B zImx$a5rn_AlxR9OvF3T@ZC*wMUEr?C(c1cQn$ZD>#=scoi0)&{=+7 zx^=g%p~kX4HU&e5l|6bBIW90Ghrt%C8oPnFcdn*^P6K4?pc5p|cBI}=g%$%faW&rp zz{|d9(M3oI;64JG?Z{vcGg>CL3&g3s7Ym{tk09V87!aOdE~yi@fV}Jy4Z!C-fn_)i zyT8>9k--c_AL9mQ>(F4~XQ(`If~n0zh!VvYfV}xpUyTM6h2h=C)?KVxeP;|-R2w8qL2JSzDS+X7F; z^~-4vjI>!#U&pop?V(W_Sog@@+qn3{agIt3iASTU)J89b^y*ZfhsQ#gpVnIDZ!dl` 
ziL~6ep-IyWj4bK9uijU2a@iboRq>S5mwv0zmK~jFo6f3X&Xgv;Xa)sFD{6 zJq&@UOy&iyh4h*aunBM|#VyP_qr}JDt@zXt=S_zUU0AyV&TK#8Qr@0uxJR2JXEi`J{6B?BE8n)4QD$*VohwV+c z3FRnPYP1|&p}AmEHjENuj^u=;j9kM`Q+s(@%y(Tzj|NmGXSEjSM;8=wRgqk$?g+{a zlsNqt!JWoNsM;=Q!3od+a8w{=QOz5sv^JIMPYyaY(oJq&aN8Lnk3l9w<`A^jV|OKTD{bFz zi5R%3&+BKM`g+WYH9zyqk|Fcf+{+Md?_R;`Idj0gYkfS)4cu;gZYjjfvavN|R@Q)Ch zlG{}2i>kyxGYqjhYoWkSpS7&wAD&rZejaTYZ;`!Yze1K443HZSC|4iiZJ%Uao< zL2O+WBS#}9K|b(HYAz5Nr4tjt;Tw6Kx`#f#&ON=*JUYf&)rdi+fF|}QXX3Kxtxqnj zv;Z~|o6=@@lEy2)EVAkwyrdcNj9$Z15#>=3Fxrb12PWhyZ6Vtw3tJmD zTD=92*_)i8;x1HSa^M^?Lfhz!*k7y6-nI#ejNwl9omA*r2GVWEX%i${>e*={KZ4*Q zFKUiegiD@qc%j*Jfx=tBf?9x5Bz{eTVuA_I&WyvIFWH}X$-Tc&9+7=uD$#94Sbf)hy zfC!0yk;Vg`i6M68Y*5efp82d6Q-^Zkypv~K0}3L2Dum}*Lz!B$g>K%GVy5BfP2mSp zxbGlB#?P+UoU+cl4GilAc(qyE-jmusG_g4jo(K<)!z>RwGl_%+J1d!CfQW&>Uu1e>nI zN%6aczS4S?V6URkUVV#G@ zU^n&Uj0)qEEmJFI5(kjx=GN3yG*c1LpnI(xr#^V7UTh&)4IBSyN7@C30EzMR9~T-(8` za5Z<-GVX&b-5A*UgxHg(7IW3tk5Qbo6$Szt0+%fe;EUr=bP&sgRhSKHA;jOW^|w$R@@e?#3z<8XN_x)7EaFpEk^3@uL&H^&q8K9Ij z;SUr&xMWr;S9#>{NG>&)wUqZ?SedkH2Lq=9GUKu)47b04#TnfS1e}FoDcXisQ0Q zhPccH-nVcPrk7Na8i$!J=9QG|zECaL%|VY=EY<71AYZPfbo8!cb*iF%TNu!2}%dJn(u>BSJE+5x+1^nETUxS2lDO4nh8>;Rd#&>DOS=?48Jk zWS>fr!gY71oa)1F&NFK4)J`J3*JS{NZs3&RiHHMmi#v{eVoQQ7M225ycoT!A6m{Fs zh(pHh1nVwTlen~kTHSlVV!7vl%Jbc_>DjpkJr zyle-;!n~Oa5SC>q!QaauQg}?q2aU!<4=2#=>azeqeRtGjg~@AzPDq%gbW|dAw%>)Jvt3e1Vx%_7yPAf6gZG^yqV5#6DQc)U06G$xC zI@eBICl4b|sErH?`qNiZRp3DgbVuS~MgFp<`y{b+FdU&)7ZJhUDo^iqo_N3{ygc=T zU$%VJh3%>bjBpeQ+P}-lhTBQfnrZM1>BrLyILI8qzP-G0Hk);qR3jn7$uZV);NWH` zpScgztIc#e2)i_@2c~+8>P9=MEX$grpGcZ@gS)ur8J^ydPJ=&K1kpkW<9xtXfNq>! 
z?J9O{K0(D&KQX+Kudw0LS&Q#9lA>CwDPvL)K3a|_FV>7P=a5#UV7AIN|B}MaW0lxw zDP|oScCqJK*aW~zd0<^CMd60CB<5s5AWsKVhN`ES`rag(dO8}y{KAqL{AFjZtMKgR zG8XE5m5|NnDCh=i)AUjiJTA!Nu<1nEor0rfjvO%Cc&Mxy4)Mn)t9r2wE*2iefHZ@6 z0$Y)D08!EcD9q*pV`Z&oCh~Dk`o1+)mGj)7zOV`D3+@8^K!nn~iKL?qZ4hXwtq4C6 z<`I86BI-jktQLD!Y6Es|+=z%|H#sQ76(~tRrHgMn7(%?H5R-<1W~7N+{$L7G_D-nz zi2V+aj>St&uG3U<3|xHkVuZH-wFJ_Bn0v%B%pQ#}ET`Y7s z#+VH)n*=laR)|)&9vwoQoQ$Rdh8`+QamZO zEq~d?(LPZ8VkJZr+Vu2Ir$CeVB8C+-|0<-1TmP)yM5_%(g9S>TnM381Wnb8|td^DL z!9)9OQQyb9nl!Eu1R=05+Uzrkk$`iknFiGq(vod5FQE$oc4Ufu7ot=MPeaA>T3mL& z#_6+XQ!Bj7$ro$^3H2u&8~fBmg%)iC0B^|g`!7=ur;Fj)cL{9ZST!?G^eO#e(AAqM z5^qISHkcJL*Yz-=S)+{NSS?^W3`ULL9hvAPOA4|Y94dbspoJBIUd)N!NQapt?XYtm zry>5Mg6e;;QRN7|Vfs^uU@K^3YaCfrpMGaE?5>&@e#FlzAFx8|#U`_VX^Zypnu7L23_n}>h_?I>FS$Dk0SWnigd3vU4Q5mz0ibBm*|6oH&enT2p;GG5~^_1SJ798G`5#1x28S) zJRWZ22LwQKAxa?H1QS)ym@~T;FHjAoh3y$T@vxXn&ZZ%Br>Q<@em7M}MtkCPIjENX zt0ll|T+ua<&DO>$vT`>{E$tWvtCRTLcBcZLoWelcO#x@9wT=#CMXVS|3d^4?vE{8d zT=yX7`cE)?4a9R6+Z{=Ap4clNLgmO!V4h+_JlzITaN%Q{h#&N^ie1;XuG;6CZ-m(G zA;Q`l;PudjnlbW}Sh5~*d3d`XV#kcL#dQ$0jzCNhb`lZ>`5iu_{ErptJ)*pIp3slZ z1j4kPFd~2h0YXViL`5o6vfIEsP$6A)~2u0XSDu-3gg4 z6=WB)wcU9t<8zHtPeM}Jw{KVdoPn$lK4TxhIUx6nNjh!xIRIPu}}-b8pbv#{3Pg{nM=rofzht zn>4mYMA+j_pN)LO>%r6bXT7qwr+4!~Baju58hqaVF zoR#QmclR=@z$)nuJzl5bDh|^(I`gXMdkG29f44D@etR!WFr_SY)p@Y%$mS?EO}`hy z0eFc9#vniTQPt|t{z4R)hL(I~(m&S0%)dkD+gY;vDrh2%dq%g-wbHu|&pTej{ixv) zvp9*lTcV3kG2PH)k`{@RCQJx*=*D&Idp*u|`3gvI=e#_9l5|On(5&VYb6?$X<4-Nl z`_J_67QDGFhMUjiktxuF0onRMhmChr;)C>@9Ni@kOmGY1YVLTB$YBbNj%%nvjPT*WdIk0CP_~0C)!br+*Oo00PlLsAC7++J&hp zE4RDmbMV3q!v!up8EbA z^SweC6MqcBb;@(l*4J+@I_*V;Gc9*(#0UWHAfQD|N0j&Ctr_xg7x`Wqrti(0@$=Si zbS{uoelhc2HQfaO0)i;0qU}zyYz9IxhysBa#4yH)fEck`17b>$MKRD&!U!TrL;?{C zl7eJw4Zv2n6I}7m0C;vlOhJbYXOwi85UfPgSF5dz!yI)ytwS?TBOv1&NZZFCKRS5N z+=hg}`uARg5)&1mPGo}eAKZ@|CGeoN}wREfag1nErzkW!aZHVJl|>qu9EdUY;y zgXHx{m>2^`2WHjB{esdFL-R=N7~{;@L-<(MjnQMGP`ti6`GYu)go6z88@y9(hp{RT z)VzB}YhO-W%)@d&rScp(@#|Q7s+$#LuDwgQN*MG(QFrI)bU7XFQErK#m}&Y%ksm+| 
zg03*=i*sI2Zwa8hKUaPcq2ZBQyNfDuSnS`=yrBZP7fp{rD{1EQ;iaRCof61_U2yN? zDR#a(*`hWyfXg_v&tQ#Nr;exdv)nVU*W?}yxuL}HM(^epcScecnRwx-V?syIbSu!E>`E1)B!-kv>XIZ@~VBIN0QIE{Il>Qvr_X_X<$TERRO6=B4Lf&9Q zp#=7$-yge6SO}j|a$A2sNL3G^iFAP*Yy&cx(YvxJIuH)hVldjO2;$jMLPDr#21|4T zOIQUdPUzu&G(V%KBCJ1h2k)a2L-{bj@&|5dc)xjAq|vdN4E+V&dRhX7<%+=rH>e2V z7ir{8GyXb)pz+4u2H~?G@p2tX4jg+N6mY@=#>}7odpNO+YP0Fgue|5qme`g|*;_}I z?B$qLsD%3Nv6bt*=_HlGCzGHU7;x)xI8U};X&><&+s4koNM*EB4EUt#zD*-U>fGyu|q}p^vyL!c0VG*nP=lS&qybB08#`Q$!=fb2J)&- znwPkX61a{YjXINCkF#EYQgdnN5B2K3OQLh`8^v(B8`W5)Vb<0Vkri>ZR z#M(Pxp)QG_VC9Rp;Q&=4F=&1H%>c|?_LRuRijB$`-;d79Ygc?Nv7*T{GN@tCTO-!a zf(i{+Z7z4k;X>CgG;J1K6r0Yz;C+MxVs1z#YreV?YwVlQ#9wQUUM3HE@q7`+=g8UMF8Z23V?tJ7#Ls}z<4m&BO{C>1+PXX#>PL!e)*BO=;(*&6K~D? zhleJIOraCYxVYN5sbXyr2n7NOPfsCFLT;W7Ha6Hct?q1_rlz8%Sp-r4($a6z-o3dD z_4V`h`v&(8d3pJH?||}_Z*QS*U(Vhzk&%9p{O><)Qc_h?st2U_U|^kKC;h-jyu8Z1 ziJO~No2<<%H;#@1js%PWild{pqj42m(hLkR3}8GMYzxGrs$TtiDsF-u~4mMQ-J-~OW^;ayi( zL05tnuGJM4R28T}D!q4i!FQjw?&vo++&87`Zj$BYv*mkM*PfrBMxTt?BNOoO=kU`P z{Ub_BHA-rKlpxyLPuiZ9sYF;u%gMy1IY%;kIyM7q$yR6QhW*uC<;&_6k4&d z{;}ate^8*Hx}a$qUCC=}v1@E`?mH7umhN&b@(iXFOe9X z^8@t<%gYPP7Ql<$K0f$9?Z$l51qBoZC=m)RXJ>(DALh<@CZ;Q2|r-eSPVD&y@PIm6dLl-1|34*w{zdj-Rbo`}@oL zi!keO?(U!NBXPmae0=TryJlvEW*6hkaoych-KLJGdlwg67r09EUMV_8Q zo`l>X8p_HK${xju)GaNvEp?e%SiirSI^;@-%}2gnZ3 zjm8-nWEsePGSNv%IZ1MGk~`ViL)nI!uV3==@AAVP`7z_;tK&;Z+o)Sxaa-alwz-Ii z8i+KK4ZNC~Qkta5DLy79m?ka0ObaqH$TE%kWWTVm`mpIreOc-0gXtS;&+-osJP&v? z9(UE%bJgaiw=;l%I)HS#9rV7w!oHb&VJFSa6U`>xhwC&n&@{c|Xo*NjJxF?WkTU=O z+yAR1<5YTj^?LV@^o@{^dXV($J!D^BVPC>NzMUW-fFK>9Ks{(^y=Z6E&<`3KXd2LR zG|H~7g02}XLASKD>a@vTb$wJ+O;nm0sLqpm3RaHqgtc`17*qSWo3zF5A4cny1LT3xoBwvFE6|=Ws_b? 
zz`!TKPUoGD-rir{zJZ}&92{^Q;A}Yj{r%JZyDsNOO-(6HQe>JRl9F?xVFjsHmE#DKbrgmX>0c#Pl&z`T4{7n>z1e#l1h=>5x6x5^X6x&V>kDAZ;5Plzfis47i@RA;-p*1NH7YYM@^Bf&=EpNCUZQB$Gqv2aZ-?|nSSQfBOET%d-=sL~PboXg#xoL0E z(gq0$Bne0@5;4*TODK{#O-uH|3x3O4?Y-DGITmYlXdC z5cJDF1!v?ZL5rt-mDv04d}iGjN1nagEN5?s4)zJ5F+IFKLcTtl%!TVK?p)X z@TE1Nrz#6T^9&{f001=a__@s zLyxSTHfAR4v3;zX~=fs?Wr7A4@r?3ZEiKOhhU z0|5yLEEoXO2qFZ0et?363K$q7Dmq})7ywTI0Xl80HW&1`(1JlBAH~Ji^B!<71KWvB>y%5e(l=&d-JuO8VARP~OHw ze=v>$^xrbc=FOCaZkPQOsrQyi&d(<2cLV2Cn0Ay>&fdy(|78ExZ?#^;CK#e#*p(4L z_j!&7hWU^n>*6@a420vJr^P_tnaClgg%@;vXs??m;d3vl9bU4N&=c&?8og|l^n3E1 z>_I}VjbC3{M*kmTcBt6qxl5VPSH4O4w+zfh==zvWh0f7$Po_)pO z5SbOd@wTWDU+hc#gnk7@I%_Gf6=5?7bY;rR=XbcClsAk3;sO4-iN=4xk$0NpZ!Z9N zpMufUOQ4q+Ju*=GMmtLhCWv`cU;_`|S*Se|1{e~-sP*^5XOG_k#(l>%g$-2)Z2o1c zxG0}XC@ZPPN*y40oZsBdg^SkX%GljxzIcqD51;^kK!LxCf8fNxEArIJ2*76uoTpAM zDw83|t~D7Lc5oOc?(`ObzTN3&g!=IfMgWK>0@|h;I9$i-rlUaRuL-QG_vp)Xk%j?w zC7H-TKvoZp$cPM)cxz=ZK}Gv*YRzrqIB~PUEqBis5X6@2Y1~JcDw6Lx#CHHJB|iin_G+c z0OCW6F%WKca5P+y=HX6Yc8+Is$p?^ma%*?x#>sWxa-m4fuU_$1{_FzfAZ0#F)TvQ>8xkyhA{FPme!Uk<)3OHnRsIVbBnQb0{lLepLXPBs&Rc-5 zx8B(Ca(Ra?_0`20j=CI8!JJIE(&KaZ%>xDzh@ z2-3;ltK~_*_l-pj+C6IuikfGE2p7XzJVEY4dt$VYPtqxdL{k4LCTrCkZ0FuL z$(J7kV1N?zb(}tLT1(83VJcV;yr++y=ck*A6kSY2@uEbEE+#m)mRVdToj^HHhs07l~fq+m<@ctA|z|Fp31AWh=`Ed4-`V6b>l z;{P1}G=NM|;{RxHQsV!FU{m7%puoW3*dSEm|LkA@|5xJwRR36@kPul=^uPe{SYTUl zn9$GwTwoZmJP=(Vh%lT$uu#Nc*sxv#U~rsaVSxCM44@#eG{8vET<~xJVi1@htT4bp z)KKVP{BRHiB#=0uOi*Rw|EPdx1!)Cq;{Uh>Za{J3|4;^q0CNX)2Y3K=aCV^Z&Fo6qfkbt0+ zz^LH7@X!E)AoxHG3?N`Ma7ch$kZ_=cu$aKC(7@o-@aO=84IF?lkVN2wK!#Aju;37g z4vOOcWI%k7nDC2?4~-y@ffcBc%o^kYv05N9M3mOyAAs%L%9(W3Z&3`s*&?T(Epf!S z*mf24%2VvJK#F}%E1Sf=6g+bV@;G8)AGl8&$c5ozpdWS!>pQLw;O($jpb|s+CI%XZoY1X(T(FV8Y5-i0rL{7=}DWZ&_)&f;n!RezazC zdZMtUtNsI&asc|8xFJCxX4M>_Y3ioKYK^;HkYeqh@2|#R4Fow z29QIcMcRIylkD?#4cyjCCr@2BH8+(!1|Sia=^xBvcQVMCQ?h$cF+!XV`nm-$$eB#` z01EVVITsYLJ?-lV@P58-02l01Unc<9y=H}GOa>4=3v@CS?)RxOO`OCY(boYGXFaxg zz7A?u1vuPqH`*zG3VQA)QIl3CyDDEosWy 
zj^WKTZl$xi6a(UR?aG{lA@!lSl7|#?17)@s^@b}0WF!(ciesV}9wvY30Z6nc+P{lX zsK+?Z-a#S)>WdabWPyRXrhw99wZ1i^sNZE${ z-2q1Icmp8!O+ASp?W>1!(BI{}Dys+_S%CgK0%Dy%vd8oO4uByYPt|vv?zG+*g;d+0TUpL{JWK8a?mke=<*EJQyo~T;_Uo+OO1UmJl zoiimuOwlSo36&&>NUl_d!nv#Mt$O$f5ROQ3Dr>}JBuDi(KfF<7(|pW_PwHkO7ic2V zL+^&bLNcv{TtO_9Ch{{5lqU}>8c3||;D^`8!ve zdyYwQh~tJeH?$F#wi-d&njx7y#%XL&@@@7}y;J7Z(Bf2ihn=jZM-oj0>Mj~|@RWU; zXJW1Y=$_mHO1frd`RDS?pd-hCxvsQ}Fir-YJ(Ztqo?v)AF?g7&mXTdhG8RcA^)Xv& z77RGmQ#VtLJlaGzjNRe|Fz}1NWgDj5YJX}EZMhI-l@}GYfZHqe>kY*$;N-5Kn6aQw znaLW_nwNDiEnIPJMLh`fu+Rlg;eNT)qApv3iWR1~Quqs7v3Q|~PI#9JO>8Hso7 zXT+PQ?HGQ2v7*}B9>;Ck;#gHvMvd1*)4-Xh8kSvH$qOaAa~aTfp)K#uEoV-7Xy8+4 z+D5llWs`bmpsTOCfLZE7)!a;iKwOxqWRQ_Q49|$yv;s67*6WO6Rb)H)@kP zR{z6$#>87y+sH3q5w|*adBo_*GO&ps<)GdFbEb{c_!3zft$;4Sx&m$~4V80P-!Z3@~HNqAJAZ>wQaNJUvM!wc%oNkzQ zMX|zJrc++JLs%K6cLoLYQXPutw$`_7yEI$t5AB()C!$vsgMdJI+u!vtE0IwBkuWD* zf5!q>L0)NswPDbTr)?1-O8uP%JpbLxVo=NRE`a;*Tv{y9LczZM9Tg^g{?4mAR0@t_ zdHBu}IoV$~)#>k`Ocs9G6%GE~1F+5CJ<&zi0VP&@6^po&B%H*ktz-jWc#R54qv(2q zyA9sg%d{d7TNj_>df&7S(=Hba(=I%!uulJr0@nX+xnuP|8qfXDh?oVsoOG&}KSUqw zkpIhp*RW~OwK`%1f;-Rq(*I_#GSI>EKPsy({~ru-<^lcBg&fZRQs^jP-2bpx`@bt} zUjHLOKm89j^}cB0H#f_P4&Mg zkm-L8(4zmXdUorL_`evD{-=N&KmXIgRXpl{2ka(~|7U=7wUP5boGn$M{uh9EqT2BPWTu zj--q7?9wz`QW6;DBf&50(5Zw7?9@mfQicvKWD;@*@nUEMk$}uL_J_+eEbMDe zYVVIEKkyzsN!O;#j2_YNJgg5HG2e0Rh(un-VPiyFRqL2+dK~bD!_jN*QI<*S!4X?x zQa=;h@!02d`!Xq`N2K1Q&z3HExm|5u1HCl8wqk^*tHw|<~ za4_1@=DL9{l&A^J{<$+bW+anB`6vdNon8~4*_fD&h%S7KqML;_B`_jvco5{Y?QMCN zXan7>!>ko&H&EXBhdEbe&vDJ%PK#Z)2@U&Z=xj1VgsIX$NxR0Qz#JEF12wdL{6O(S zC!pK(&A68G_SmjVJ$fkPvFE&JAC8vSm=3*W*R3E99zPq}qv5T={#?yMK2BR(_Oc2y zTVlgf-Ra}Vh7nI;pE)O4L+Q>lpzBfbNsXoks{p6#^yFCT2O0k&L&Y`yH{XhtPlMJ;GI$+lP~0y~$jwrMW9 zXqFwA^$g?Y2o_|}t;vO9-UOc_Fgj@JLi!?|=2Kj9L-X7bpIQxm2@Es`56JZ_yNde( z;CkFQ8=K>wRBqDWEb_nryEwB$QrSjWi_l#_H8VQKxZ*nl-?9BJS`@Y+r+_&TvR)Y* zl>jxV(=Lu1&ejvxh{c|NplDxnwO}%=RXnSOp!+eh@t~*+{uc>$;+&Itl(~fVg`Kdo zZkdU;psicq#qo$cS)4Hn0%efH*}xi(j}#X4d%y!$fQ2|HCs%nR`K~AFY2zm)`}jYq 
z6J_yMnAZqzr8l&pIR>mCmIs*3#_nS?c_OXhI$;sBjM0jQuwYngjk#@XIVlGSZgN~{ z{cEqeaEu{Ms2nrxKs0x+Wzot%80U3D_aQ77+u1IXSn6~;d#*{-L34Iz^VHHG$mSMc z;T(B0aCLOiE)Oc$IJ?1cp~=I4p?PF9GQV+%gCTiKd@+)eOA3UsY6kla+1G)8#k%9n zNOnaWPx&{j^y=~a$0CF69~kaxbG}%gC@jGy&b>L0MF&5|ssvojEu&?z3)uI_H;EC9 z{ILXQK1#*k}PY`GbDZn%|rb_AOucHshD;>)o+*o4y);B$C(B^aSA@sR>&H-Wxx_ z-p{@1Yn*MhNn0aZ{=fuwrXiGioe&;3D9a~;g|e+JuMXz450|I18QS|zXxJEwg=m8E z#$zlNmhjfHaXZ}A&~0vUtjdMsLw&H3W{y5v8C^PU7ikwJk4R}+^81-}7w-bEe=?lG zs$Sa}8^zJdHeBCD2p!_;nYKyJ)jrhY#qwmwD==i18HbN><`o(~&QX@tcc`+Ud2UkS zP0bA#YQ{h-H-}#+Zh#r|&Xl|EV?n*FIcszId!#;t1MRHx3bnWfjO%v@>m;;0la=PE zfydQb>%R9^UjVBMx*Ba<(>IEilz44&Bl(N~ybWIYDT8H4(oSFQppd@bG9}M_wjkaU zC?^c}Tx=q=<#^mpk&6Y|Fc|qUF1+haf>9S6_J0{>D>+wt;{)MMhl?`ScQp)FqTx;& z?=dB8akFxteo#H|ExYduFc)+!>-P#H>bPXS%zg*WH1A35>dj^^Z5YX!?HwAL74` zNm`@*C0x3ukJy?Q?PwV-`>3QfwisU0Ig97+TNp6dcsm=qZtr?)6XO7HdwQ=2!Zk(4 zroURYfoB!s%wt18GXMslGqyY6NkcuE=Hr=jNt$ZFa<$D5Fk}G2Z2(Z znw(hAUPvUp@GJ|l5+%U4Ea+CEJUon54IvhdTUlal3JD(SEF1ZV;siO^P4ojYAqm9< zoujLl0{a671pfourUaSW^p7M|A;V+}F)G{p5U*_@jdKjU?#j-30tqH~UQ2j6|A>SD zwDb?8ZEM_9U2ye}Ja{o9K-|HT*%ycd!@=ADYal}E+V;;s%Am%$l@L-J16kYIy2Q$F zc8qla;mM`A^$cJ7nk-oZ<$H;!PWwkyV(cHm4^;oC0t)=jKWecOc+k>wyyzbRVC#Q` ziaP%Y0-1mGKnD)op?`GJ7qk9R123q5w7};em5B<+8#K*Ro++>b8ssQZs+1H{2A_B& z-C2pTGHMs!h9L;26V!5VI~ z7g7Qz;amnq4tu)GuA(GQRY8guT^o%gLQ-KUfVOE4#YeIubhdqHBhgx0wDBsPnt%~` z+l%B`_u)EMkrpA0NZt|hX7n4Zm$s=L$Ldt1&%*iEhA+^{oZj)tjY@mf=5qG}A3LN9E zyt*+AxO^kns{-E6(p20WX}Qgtg8GcZwo9W@{3!0~+iz>vKyd-jYHDdxfg(QPnXon6 zpn~&!RszOi641uWCRD~*Tb)fL;>*viItAjK+xxVP{DD$uf9 zFKbveKn`V>XaS;+k8vDLQwpR_(+D~9K3#_wLCUET@rL->J2?l}D?@=*?4Gu>=E*RO zbE&1Nkx7WyJ#A;LgI~60rbY?kb)9b+j#U@EkwA#j(z_nYHT+|BD2>v;go5HsdkE*s zLtzs~{@@{R+MT}TnZ5HRSNQmS7v+aOWr({Pfg&& zaar4+xqAL$+3dD4sFtiYqw3Q4UYl;b3cyZoUzX?D&waRiJM)fVuOH1Ym^v zMlZmjZzMB&zEKNVX1>u1uamc;pl>9LR6h5OPUt3R);AKtla_B3Lhj(kbn@cTH%dX- zH_8CZ>Kj?PMBk`NPko~nPFnouqFez*^GcgPap~DjX0FoXy|yvNsT7w4k)jXneumF|~G zP%%HEE~MdzI{OWN%Kp0XelU#VNYY0B;XaY5v>LF6b*6=BKoWnJo*0nlBQZc&;>(8fBJU3X>Y9p$EW 
zQ|_)PTZFQO-vX3b%RqPnT6C`yizSOI@{-uiR?>Mq3yVphBsG#N9;u7iLu$(kLUv9L z0=bVse_fWPnS#Jhy~x&PAPk`CDrQy8s=xz7AoIjKUiI_JsDL|H?Ra%eI&$WaIgitF z;5erEnQde?{2FgYM=5+@kr%q!su9H*5nuo6Ggb_X(qT{?O&4(M7FG+)vtc@mJOf26 z^WRlbmw4jo1H4uT;zcb}w*BshC(}M)d0!NOqD->~c*A*+Iym9dZRQR5?w78~F~75+ ziBtC+_q!T44cO(HE&|{gGLe^I_UM~wn3$0;Y#Gh+EiCc;jj{lDyv;0HGo_RXkkD@; zD^yjW72n($3xfk`)9mCertoH-N5e7>uAy?Gpad$S0B>AnH!IgzNnd_vLJ}y>q&ptE zH47w5fH`>v2@*z#dGlx(#<{f8{0?R={Z0f+%R9ddA>JGz^E(hAQ5A~u{dkLj*6%(* z0K84Mqc^!>2hYdr{O%>Ui+;C(mf@az?W?k=23_g~{VoG(#Q+$@T(@9met%abul($) z0;GNib-zOvd)BWpLU#YVma2az0k8MQ&QzG+p;+*D5cvJO1!yW5l_HvS@20$5EQJVC zdeiQgDY}LTg%)9@D&tA8#pep?HRTT9ZdZ*wj1Z`s1$q)hCm9Ru`^wVgi{h|*oJ;#f-A-WJdNDqR{Kq?^ekDF6p z!Zg{3U-7^P+~eK*vUG<$WK-so24@csuhPLq-T{mH49Z??yKL;BIbFx3BLd|hM^TLf zW(fyo#Y#>76>U3{fyR?RQ27Zph3?3yb%qly4sJR9WVUFx%#A=Wvs zX`qa8?7Hl#P8qOxSJWPD1LD9*II7P7iVG3@|s>>P@H=Mz$;Qvx_$ zKXK9)Y4G)UJgnnzx@mOGj0^7OEh^y6{7%lnPRJPV0>j%&nkWlhZGUPLlnLqb!m~?2 z93@;h;?i`^JQ#KnAd~8yy#1pCz?R3!^v<+k#Pk}MS+58hSs>zdeKmnt!3W>Ny`en+ zXouUvI>?r5^KyVVsBpt1ibAmF?eJE%0oRa14V_~eA^}jC0eAmM1`SkcWDF{reGMaX>7?l96dxc(9CtMW%}} zg}m-Rd}rtAns4yTP4$!9fwS(zbv78<3r=8o7m;>_iz`|{+Ky>jWj4VA-slyuhg*Sr z7zSIKNKrc&#iMDP$pU1LP(a;ZmW9a^(e<{UbsrwnuDl{@nK{V>T*9|5Np%*H7P3FF z2$<7Z5+Fh{XJb$~V6yqQ}LyrVWq87h&Xk^$@){{qb6m6G|B zT(B~}1xV`|?@Y2n%;}zoaP0#9Bo%B590gpi#CfUUkApS`v%vK~NL=v`z zBmj1VnmZ4NZ5&NA4UV}kL$5ATqA4VG6ycE@{=xKMci_n5wV%X6BO25UtZZAUDch-g zj@vd(%lRj{;1wemz$zXtqWVb{^!}45z_6b*0i>Ho$7B~p-d(apRfy{OBX?pBtUsyc z-T0XfBLsJo?(z-qJF`AjhuYbaHcN$R-5KZjZe+kje5iI>x&A@#c~wihw+=d+e1j_{XF5L7TX2!+zME{>ptol~3_; z;(p_@jq(9~xQ@2Dg>9}()%wIe##vk4gX(CT^|*2m7v04?-uAQZ!*#T+vpBnIr}TIk zkGK7d-wA;?V`1{RLuSWh;W}<=cH&;s5oJ9_f#eGwC^<)r0|HrM9@{Rx%JZu3aD)Cx zna0>vZ{`}Zhkc~&J$9h+w8nKfz?PwFo(!0x9+4;jh+$#+*fvmEy&^i$?*+ zn@f@?3c)8{OupWLo+vx^i;M_DjU0#PWK%P1 z7p&^3F;3ZET(y0q3#Rry`HEpdtO9Qz31VDxJ`x45rE9`aeWVFsZWn2ugK*1^_C10I z$ZY7O$}vwjA_9+TSU3s1Im0)zx=gXx+Y8fLITP%)jo$}?E!VXW7&0A zbxu{xBLFAwJC55nP3O#mVHd~J5oQz*m=u>$plk^J03 
zZUclhK=64FuxUUv^h-p^GoTqB+cG{NLyED(xH}RI4_xvWucm`8Iv4m(nU@r1l3F|= zu5%U;#sL+tspr5cyiT?oD1bU~n~+S@8x7zuk_mt`?{jsmi{eC?ucSmOi5{epm@d7# zv#My#;Q8(=9g$l*=PMZi)6{6C01r29(unA?MPM+*C89#SAY`io;X>sPk>@Ms zg45;U?Lc+NHWuWNnL5tmFtdhzr5hr}GxMcN&GXszm27~ryz`Z6paITcZ!-pIE11bH zU|H??N-V?`C{Q6T&HR;0s4)=cD~&M0%P`XCD~ZrsT)tAo-Os*~2eCpL2{zC`%Dz%+ zXAlAET8VgL0Duc*&{wMR>{p@ymFoUZFgK3DmbdZ}zd#^C_5(D+e-~G}n`WiUJue8APSm-Og=%fE!`Pp4$ zDiIZ%`L(av1ZjHIr@S04Wotgldks7&MR_(3ltZzSrvB0M9@lN0wtsStWzjiRGL^~+ z8arZ)za7qdKDpJ{wu^hOpny?CZgl=qd@D?NcX9_AEO_SZ&dvJ?2~ zbi?0ZC>9*AR>Nu-Vk~NN+A`;ZFyD+fv-)k%qKyw!$ES8C`eWH)C5j>sS;74 zS(7l0g9BLt#PjiZ*L5btDCzNhC)zv9ZjZh7MOibCR1zNX4lhHZ0|_WM=a6#LAMBE= zIAI(w)t$QMxE*w5wP#-WiY%C)^e;y!&a}H8%C!qr@r*?{-m1^7$|<8$ePg;Y^F8`z z7yWrOK9%LsF5X}pZ^nH#8``GGC#LawAL6x~Z4boh)DtxJl0Bo+uo)Kzkwd7&CG#6- zT>zsR1sDUeJWUY*2msXo>EKaHqeq?!#&^x2a6)QG*lEGk4e8c_lvX;~+f1FIoa&j zc{;LTowYfin$5k)E5$_Y&GnIocfh!ni=!Fl9_dve?^*IN?aEPkQpcUV5hShyw|VB( z=(dQ_Fqab_>Nu_%~!N7U3b2vRM7Qrr%dl%|nf0#as0{U*7i>`quwQ;cgX= zU+ST?!OWtIYqJ2_0%-fptJkmK9>W}{CeOzL!rp{T0aQMGT(q1Sl(UvqIVFR>TDu(x z+=eFnzj6{aX}Vt&npA__?iqR`$k>3y`P$YHE6@ZJT8GV9m-weBHs3vCJV`27bc%D zo6LaE%Y^Ia@qY=}$pR(To260L_jMiqcrn>)&baGG;cBMdalUl(FEidiJa30y?u302 zmASheE2}Fo@#E-w4CjwRrk6Xllr?)u%mQUV%3(VVD@OR+EXOd8_9BXJLd?#LhL1#B z*epl3t2(}_r@GUP=?EbKhR1odlmfs4TrsvQDiZN-6c67Z*3`)rC4_pd2u)M8}fun_;T!-_KW=nZD49-o5 zj*Vc}9Esh4#$qb0cg$kt(09LMOhApj0a<(tva)h^w)As=wr4mph9cy3Q}{etDsD!o zBd&{FwH1MYGhe1dLR&CH?LTVcG_+G>HJGv{U}kOTGM0?rVi>x$O-db8*r+t!#;-cC zwM(c2vla__W2$ookNMvmI#M?1-G6KD>7|{BVXv_+gDIWJ^%e*+kcD=GV8L(0SB<&u zP-EK$^E!L7wteqQcIM5sX=LA7?{#G--yyA(%@7f5yGjcg`a&z{ICKX=mM3s@a%*T# zQ{8nOJ()&8^0sF&hUSf@R-~QcR<;K_P(G6Qm3B3mQEu2zyKHU(b{gVqFBT>W4{pyh zmgK(J_tL*<*o@od7@r$8gC0NFY_>B`oSHR%$KlnnXTuW8FZ5DY;GOkjOrjcF)}3E ze!FtF`n_Q?mZs_z^+qi4>fRK9EEVAJW9 ziX}!9@TQ~83qD+YSIlXvZePKA-D;bz=>KV=$5uFH|}IxRBtqwk>a*X+>?Z6H?S&^v!&6BrH%b?4_| zZ9Wi|yKbmW*>;S;44VPJ#`nguEh}RBN;-M(=Oe>5@qu$>Xq)QoBuQ*)a5H&o@$D|i z_I+>+H^WnehiCH=b&YJIv&$)+?yTp}c$*KJ_bh8@os!C4JzmrClo*6yGQ!r 
z=bj2Xc7QO0#RK>HJbtQdF*uSTKWIn+@EO~t@9Z?_rdh3vyjgrFgjYL{s7Va$f39;O zw`#$t;hqd`lM|yN3w)#me>35BXJ@)j+sm;|m5Cad0-j7>$#020QfA3_3bFebkIsQ{$4^hJFJ$Ie=nd+Mo zCr{q7jmeYMfTUVNO4seE|4JM9vv{9xN^57u0)v#wc5V=OsS+W}< zyEc{jl2+&SJda-w`?Tu2=X>qQ?Fro-e>R9MYxS7%nWj0`w$nu)dxqwYA!`=YS25yf zsylNAhOjYR-QHWcJaD+%8$%dx08FsG;87V|7pKl2f;i_N3%1Qbjes##@82A%1|G>N z^N#=C!6a!(By=Md5Ks5*#2e4A45;amO4eAvA!q0p@B1z ztk1+R=-N3t=xy{o+=cDDKTbe8zG`%7FbC||lb)pPr*0`}Y(2iSVpuV`MW3-f{M+)? z)ug41)iW84CCT9w$~vt=%PXLZU?;W(wXA{$z31o~vt%A%P(yP$x7#@$F~yBR4`iNj zEcSb0H2eCY*NxiAoMI>bdo04uQN5k7iUQl1GX`gH_yyvYF&0AMmCZQJ`1+K`x$2@Y z>dUc)yvbb6WM*(#Y_>Z%xf8V`8Z@xFtc0<5ZC4(I4D9*ybE?~+;(1w+O+16ri zW8jyG;YRxu%x)C^LTE9Aa|eQ4<9u4+vv>73e_`%za5u%cjqx}so9DmAeRQr5#tMbI zPs@7q@E8-Zj;-&*5@1v6W$1*w!ozF?P~6x0r3N+fI;SNh^CTEY#w{Yyj&L zzTD+4^r>CeKQa@nUVu<6hj@T%3mnmnz%Q z&G9@#(B)-Mjh@9W%uMG|<&uGxbCZNtvwmJ$-0)@ECh-@?(jRY=x!%3t_#-;rhIH$A zyO)REG+YdhiPMD-v{1^j(8$3cB!^n{uu*^!^u@6R-BtBB@Tvh?zrq17SgB* zY6FWa1rFp%jP35W)i}En^W>T@JD-=rWywzE2ON7$ujd0TGb-))NWfCU^Q3GDS(~M+ zCv2&?IGUB2LFG{>P7CK}%t4HY+!fei_uCk5l3*;9FrR7p0wbH_Q8*>>W~N*}cB6{r z8>j9x4SzYBmQqKVwXrip#N85occAMUY%ME0rRMcq!xo;|RcQMUpEdi!N@TLyang-$ zvGryx2gtuwFX9|Hz)i*wVZR(_TW4SvZnEpxaj@*x`ri!chtX3G8;Oy=$v2$%>ajMm z*;1R~BO}p_;y=&k&OL#vP|#-7X=_(yW+yh7cVmy=v8U4K>p09Z8PJ3-OUj|S)#&vz-nBp7?2gjw91J6io);Key z^!3A!nEx<$@YXykc@xoD%s?-3G(>EP`-G01ZMweurohIWOcGA;`{%%FGb6MT*SNWO zV^_pu`5abCiMIU5GK>O^qR#T#Chno%XJCW)Kv$@=gBvK zQ5e79s8j2P@B{s+1ld!($aN1_!;c!+y)eHKyyO78KKVml1VaQe1fNuSIBdwA`=3-G zgZ?KI%pIMxhO|t)XHPi;`~n*c!27E z@_5%%k*GYIG-P@cJ*5IY6nIRV3GbjW0W_98?oS}8b3${*C9tVW0N%`?#PdIaNup2J z;dZYw4R)bjQbiFlIOu;v)}-J2FN~XWB!!5qM)|=8G7%$K-n-;*u}9nVC>o1TQ%g1LHZJ`y$oqO?@yqQ8|3%6GhXPS zf#4insQv`xux?~FxOhOm{R#BQoj(CID$PAZ3jGO~F&!Xr{shX{f(+aL1bFhS`)r+T zZ_C>J35=nI7B5N{RQXw6VQn{zH*otoK4Y-XR}>k0mFg;wTel_ z6*;l{6Oh9C^abQ;#pzD~is?jz;Z%AA17!XL5Rm}n97E&{7czsChyWEt@{xq(xm#5A3-Yqw!|#4+ z77}}4J!Bjv^MKUT^qBhWQk_xEZ;rqtcJ@Z^h^`)k0GGdHMr8mm|hub-e8@1GF)lHXCcqm7ghq4^89YND68G(iuj?bbrl=KYnND 
z;9BvEtQMTB4uG^=MiDW8iHtggd8!yRj2QDf6NU)5n{=0NcGns8i4A~Nf03nq8Nv(M zH5VC(S6LD)C*JQ)fgUM8YX zycccahudFr{jkIj3BWi}2_KNC6(7;V^azLtpsgDNXx$6I1N=)yOqSL0EUen0h*-3V z&_h5Rz0%>Ng`hxKYSZ$UeCU1mpnd+*jpgCh8E(i&Q@Ia>6WSdf>#A`7nY zUT8r5C5g9IA>J$#QY@J`z7EJIU`=s_d;xISEZo7=Rpef`@Ie`Mam7c_I=IE9j0%tq(Exg0END7ICie_orBuT)to6&3uzSB?HWuj71OV913 z+LJGSU6v^)Q zZ9V&-(6Z|4OHSS6JtpS#gW@BBQ&i*8Zk7*-t!-lo8ky@LEBm0BAumkbw5T_~KPa)@ z`k-7w{v%BrYG6o60o}wdaE}xy=WK0Ct8c z1HF+%09b!eV0iU|A`?jqeuXR_%?CvVNKiY4i^34jO`<=-BO*Yi4+;pl&lqVL_Cfi; zkq&T=Lm!lvSL;9<=h$`C)tpiFLE+$~8aZumantre*+9m&>x1HwQ?}E!JRg(@7?Js) zpk((!Ipv*2eOrQkn zB>U8H)ixP{i%3HhfkJ%2jAbIFqFVZvGBWDng8U)@QQ-&$G zBM?+(!u<}}S_PU|#v&bn%mL+iL%NpZkTN&*$0>UF#0f|Qx=8Z>2@Uc7PiW?dp?CQ9KN*0{{}Tbw7vyMRg*a&bCn{7FbO{;ee?o#BL1P*F zpTIy7;7I*XKzK3k|H%hCC$rv=$s6!oSj}KcH(YAd|HO(c@M{fb-V!IuLRQZ^q-zUgUIW@6eAMuv#|Jd-8B(a5fia))v4<9% zt7XWGUzcTPRngSVN&1L`V>}>S~ zCq^AwbnX^W9)qA4ugBlsh0VK5l#3|j_5Q)P(j2y!9oM2>e}h97uqel5Y-4eQOYioI z2g6p>Kn%28l-?x z%mqv+<|`_Iy9mHUUSjL}W0RNxiC*WWuXz9&P@Q7~#2ug0>kp*>G|(FHY#hhHf;nD< zy?uxQwD?uL)jfrP*vB}{G&c&MWd;Gc2iiE}SW0PTfbaoo|I>GP51Muw7;ZKXI;ii! zvvpAYP;6dk>3-vG4i?s1d*&Dy9=$~z;C$G}x=V%txx+Fq?S zVG;%vWNr(Xg}g!vD)bcS3k4KVP;q`WJz=&~CQQ$9+m>m!gh@|`kt9r-&z*EW^sk3xAkY~yH}X*Lk0 zddQPOkv3fhf1<$z@>1Vk=_NrVYh~Z875(^|?K_zpjiX&BQTS&_=wmEPSnTRH2 z4^lw{IF~_D5DEf$IsM1ep0-z7PTfb0RbDnW`QcEvFVbl2YetC zo_((d#K8}6;Az_TX~-Vj193FHG!*94g3owE-Hgp@AbyWy5SH1VdKow|zyrguJFfu? 
zK!3YmJQvl0@AS6#T6`-$%rfBp&?~EeGZhz|!`;><&-YZoDWgE8#TV@w{;@hVlFTA` zLyq9l2qRGu2q5A&CFG7lpdh}+0g?HU`PjpbJT@Nujyhzsjt4}C96k;>xEnw}yNx;6 zxNB4&In;=0$euXPz_5%=#v7xD0mlw+fd1kQoj1DRT-cVjv0KRKMvKl_EhP6rT4uA5 z*S|E&#-#KwKPZcZ?0!hs>=hFGn08q!Tr7(AZ>i0z)w&gu5%S2TipgbF{2tS zIY*m#T)Qe0af#>hfL9X$ai|h$M4kjhg06b%J7OZ>+Qm zx&}-8at2Bo0CqpbYZ?e+8>22+064vhr_4BEZ*kOyjeyznaG1uy)Y4!UX5r_TIFS~@ z+WycTSp=;9hR?`XybDL~l5@*oBKHUw}kjh->|WcWe%=(gir7Ul&-$Q z6-<>+!A=$zDR?~;CR<;W3Eu253_#(f%4N&*;jvt8O%*X;6bY(m>0aM%jsAR5B8b=H zY#Xei0!pSY3IHAv56ao zxO5z~$qB&hc{ohtU}|Y-j9hYJ>Gdsib^W2SsPw3ZX(EZ*JW|ZT)!xtWpE^IrG|ews_@M0PJ;2m6MYkeX9l-18-qQBgRnktPj99hoF%$$%(98IOiVP+ z9J0TYMOUPc(+3PG>uhp$f_b=)jLjRTYnjuC5T{K>iZV^O9XQ#Tf$l&Leqc%{1IzSi zBRJM)ZZQO1!Um~%iBuFMX^UBN^SW#OD93^vyEFr1i>+I=T0-}r((&_wn4o3izD{d( z)*+D+yH}=3Vv{lXz0Xo)!XQwZV6#$}fbY=(Ls#cog!tMR)mE^&z@}W}TO!;XZXgBz zC7%1byucO`drYsg1-8bA0}#&_ggy{y&?66N;j+DW`g0i8yro{C@2McLXUuEtym(2y18|vz?$Bxbo z?W+%uQ{Y56$DNtDg$IZLYV*Qfh28DjP}N7Ui+VWN7`r2 zZ@I!si#z8mw%%)C4L!&^$99_KX(NFy1C;NzBMDQAGY`PRZim?Itu)6stKJYr*iO|E zEm}=^2ktm+I&b!lzu-KGf&4Sd?=e6K)Sm|oryZf%=oog~s11LsXI7t~Q!t0sNDg(a zhZTUqnIV`?Yi_g`92^pt74JfB*leTRLWZfqhV_iPA;XMAmUB=8gM+wYC&FRcwQzLK z5A=+q7wMuMpMQrtNk(pTyqPfXU`MrXuP-AxV+N%|ARR`zhRLdRw>X4Gp>|81Np%a; z%&x{N14k;NNy=ddc5r~KN?83zXYEu?W>agU6Wy5*6fx_~Dbm3q*^r1EI{`Jl!>pCs*8>G3i*a14v1nrdJ4O-+?P&iPlf0V|~qD-iKBmunwg*2B4Fbff3u`jmwR02UC{(%_oX4 zl)}aDj>2m~n^^Gf=`vzEBBC~g^SXGUQm`~J7$%r~z;9>)*0!O(cA+oHSYN z3VAtINU&VnnCKm0ZMG+1i3MsdqRrgq<5br;f}T*;U7EMu*cP)*jc6{!927?z8cma> z+F&zY5{-ek$<=7s-C}iDR#awhH`sZtujQE^@pcCWM_Y#Kj^&~)sYax>uHSbvxJ*q= zlRDD}`iQ!bH-356YCJ#Y6rPgYHKjaJ7w`H-To3rXOdGa)Y$In5u&Z8P5)Lbkg_K6L zS#f~C;g2G0`#52%Sk)Ru`0mMIcOw^vbkGutplw<35I5V_xS8i^EtU~_4Ro%`4esm4 ze_N6^gf5jKW2PJxy|*0cuU(n`H(XuhrkBY(){zm(1F&)EB^P?V-V;L`-CAi8r7+_u?>@ zHa0EfOf3rD(Ax)@EtnoFPTHf?hplwQg#<*qG2CZd?!@Yep zw51qc5jL$6w$r5`ni(v9I#^u`{$Pr74nD>-W`jC63&AiB*=BMJuysuwzKhRrOE;@j zfuGBVyE;mv5rS(+apI7di=a*6#{MYTWN1iOd^e|e(4@VDYQxH4Acvq?T7{pm3|iXm 
zjqzIAcP*e#rgLzyOv7T4kz+ZxeT~IBpCHOUI5prLL$4HNNGKHUh-`(m`Lu>824<;)cCwm{_k?C>pi26ISc$N zC^>(9b`p|~D9Qd4hay44E=Kl11KU?&PC5(8-pN##R?d@wrR>+&;HZB{?gf4zWO<24 zW;2{c--IoMmj;)tq7yc2sI+SXVc#C2(x#k#cVi;lx3JG&0%l1UjF~eN&|w`1X+Q?` zz@25AoJ?`_Xk#Fp;HEw&gqfFLV#S-gX$d9r`|6V}vp#hWv~v_AeV>xJg!ufi3D|Oe z3|wckTcQh0Hn6ZBx|i5}=87?)KyhbKX2Gtz>wFZkuk|o5;taI0NxMqL#S&BUa|Q=K zKF;Z59{Jb}SZ5E;=`0E3=8QM0dB{yL?xn=cfAhyf3(Ohac`|cV?}Tr{_9sKzKUxbpIL<_X}r8_1#BuK@PJyQ-HYTyFkB1^ zXlBR?xvyCi8J<|V+z34hhWR)huv*5jM7@PI-4iyw`Z)hn!rTrw8rl;(0FSqiUc+?m zCw5;j^wX-kg}3YIvId2*lQ$>&A#0mmbKruqlGa*$1GU*lGI2hv)360$F^cg?dca?Y z&=g^&mE25P(&$6=xC$QduP zsMP?XA=?yQU&A@xI12bc_fzqE6%aI}DPKINcbA^+b3g~x={qMnsm(2~${D^krwjD|GnmQtox-Ee2zys%-_#vLsyJGv?FLPojRiV=Y_O5&ZCTZtPz?w>lg5+MXl_+^3(?7E zKpZdRdl4c?H3N!XmgUHNTm#bK2FasJ@jLLh?GQv~Ogq$*b>J~I7DyZ*t~Y6=5Du!A z7Gs@2GR!dTT;DnDY&eVyD+31pVuvBKg}v&us83@SeQAT?SoA7DDs+tV0FslZ0JZk= z$F-%7da{Xo+ck~kNB(l%c5S*##iGxY5t@iTgy=OsxPajHfp6IZ_9ShWPikR$GRv&H zaMsT1)yRWa+uf5`^w1fvgg0)K2M^EER_Y#i0EeE`0gs#~zc0s~y70*y>Jsdf z&zl2;u0Q#~R(i4nTr`FQ`;(w z@rmo5q@DbP*9{#neX@aSHS#BUy3vyiw88V_0(PoH;OXZ{Yp|#!OlgTBT!1d;m5BH{$&h}=Gok`%6OWfZK;4;0L2f$q3)0ngAl9`& zOH*}J)=bYIts}xf7uzxlw0g3!|X(EvZ${6%Xpyid=56cGvd)WQyaq~C; z4?A)xa5i=uX732?0Bw7whYY9#&*3qBImX%w`1vyG%7Nj?G6H-;D6F(;9+3{vmv3M< zZWw(FYXh`V(cogRQa0J2U*4Zj@1BkEO25+S^%^PFZ(V#(_<@1zSW0eMtq(`jUmM0-PW?_)8ST6ExJ9K-q*h zCA=X4UyX2QqX;zwP*y>3gv2#Y7Q>Nt+NO;&@NM;aTVFL5dM5QZ^WqtkO=O3+2X$n~mv)0Yo;G%oa|16TIT z1_E5^%lY#Pk%}CA{`9i3xc>799J+Kv}l-gV07+!xu@Qqx`+uagI`tyNH8;L}q?Z8m$Paiy`p+Y7w z{IdrJpq_$GY)v=tg5~KJJEuQ+Fim$=7^vx=3xrW4?N0?fES7&-oRp8g@6RSK?EKl{ zOlp`vmxMPh^rsRV8(l3}o+aYIr$2MN8I{Tg{@Ff z(;?y=!gKE@>}(uPW6c2ZbY*PsQzDdR%Hf-2JU>j}qw0Z6h{JQE9))X=phlh&clRS+ zy_rTuV+5FXx>NcLJS2h{xNFfXquxSj+G5DU5cTz9%FmlzbS)~Fivz>`r`1MA|@Tprg~!3gliCZn{eLhf3>2*avWnxHK9?!Ea{4S$qa!ffDrQ z6%2!D74q#}7dDj)Sje15i9s-;p7o{)m%mv8D7#Z&n+JoOaD4NF921M)+~5M9u0aUJ zg4dfET&!+^XA@tq)<;1%_2v_u-@Fw7)%4At9o3uObg~hkVCPK(#-}$6_-?i~emu5M zA@Ks;=PkP+JF8FOd`_Rf@s9Fn@#w>an~md*Xpk3)K>8I%2alg(RUWeWl(y(TU6U87 
zYP9I!)Te3c=4i6;>G-D_Z?VBFeerJHrn`VS0wV;-MGF?LPqTzZx`^nD&ZjbD7(%5_ zt8`Dv+N@7os6tu_+h?>4ib86bM{`dMQUl>s_lO(a%-k{{8L!9-7Xb;z)-mrmY9uj)`yaKflg*z{b(6tQrLvV z7$6gF;-|B zf7FFBglZFI`6ccg)$Z!iDK0&A&9ql8EO6M-Iu zB1Fy}Gw#t0x*M-O3ajlr`qCAEPwXoQ9h^Sux>e$SbOJ8lqfWThqYHFPk0Jm>(4z-* zSv=~|0=(Ne)3Qei0PmwZ<5Y$MnZD4ob+aFa9&O#+qf2nnqd7jgW*QyfanRd6ioLHsAnAluB$`_m7;2bg)_`Lm8J(s~R_ z?dYhsKj*kIMvSUjl*0%PJ8~!+WTlOpHD2|nth*%qw1XO5)t_j9Vsr>Yi|HAuo8murvM)`9;$n1*Cu{k2^O z-B&*kc*D-Y9~)l>e2L2@4~*bi(~NJN#FY}%i1)1XZ{j%dM)QmB(JLD8?E&3{76NN; zD>5o^T9kt%?66Wdu_uu}v1wN~!Oht?(-m-3{R|nNJQD*M-NYF@tTC_p!>qwWwJ*5y zAX4rU@KChu?4)aFLFZy|IZ}?_S(+!cDxI_=Gw(E@6DPo zWg8uo-yZN>m~Tt4SV)#fCxF}x8C&L4YbM7>A)pu2n~qoa5BADh(PaeZE*lD$1l&H5 zIT!|=bbaP#AQ%~@YE~Hz=OC~y3yKCCeNaycM!aA4);Vo!+w)ID8@C0c>(~S;7|F+Q zaFfGczEZkQFiOhu4N#l?92T@z*=!J~5QC)TZz^an9BMj{Uf<*+o~_yI(`jc@fUl;I zIigBd`IE`m){ZM@$H_PMG!`*S;UK{`a>1>cq+|JwwLsuDXO{xaPH-zZCd)7H~2uk6k>`Y6su63(YIP#yK>az9iPZ**$Gl+%RSZ_Ao zMKpfDLTSkShoA{J*NAwoGXmEXb1}5_8yRH65vwRzL7UruV_n9s%RGj$Ch@wA zI;5^5T+G&++fQSh)5+S2Rvdztmf#QI`XK#sVN17&$kHWvWA679*dux2unt1J6_Vd2=vv^FI0asL8Ud#gPDo41=&GAPWgM}T% zf?a4_U8~kKdNN~Xyy%6xqF~4@bio9K9;dgP)Db=2xVj%$f)OmR-L=Mv$*>&i zp>DiMx&sRvqqiB@3GbMJLGDYACtF$_S%|JtaL_*Wy`^kzDci1|QJfm-Ex-};({r1> zc3tDG`u-qK95|+>O-$^wvI08Z~ZmsDr5o~I>)YnQZ<5M>280qc=32n)RP)8*|N`h49eDV z8<&MLjwP0Z;vw4pHwAZB>G<~G`dqE+7{drMx4q6eY=@%hlG)hy*rG$D&BbSyELgh| zn;*FQL(9zWZFz$Z3_V?bx5CGo-CVmg)4Xe_^O0uI_77#8B^TzVVg|^lEH6dc%)jiL z+hBf!rq}7QJ+9{1C#l>poEC&_?rVBZIHG2!$WS|{OAIT+O%bKk>3Fd z^GI$Q+(X*fbw8>{{|8~7M@}4IOxZ116zW#go$M-$V0MsE{W>N<-Ser$JgSo>O$i2= zNck8vzx88U;tk#Ml;{DjIUJtE`EmH>5ytx{Ny8_gjHC(I3v=D%JPe(VvE?w@-mReV zFdT{#1B0=IE0YeQPWDarQa#ru;E3E=hXGn)x*}@Fy61h3%zzc58PwV>a8RI=F3+fF zEbg1`(~QWW&JDluH=6;;J&2IuZY~a~uo1Nnc4c$}^fQV#7y1opbLKnNTz~0g%tzq} zO6{cPF$G_9L>L*E`e13>VbCoA%9i{2A+7 z?X>TO2;b!`2wK2{3GSp5yY&cj($ouvw&TVoZ*OxSzbA|u2^PSZ$=Cv6BR&virZ6Lo z!vI3MVYprlkpTkO5)ZFaS&GI8{$>72&QT zbztmH({wSbCwtNHuc!|W9$##J{=p&aXkuHHuy1G&jqMqKd`x6Yzp=10RE}Ue&#<6} 
zP0v4UEMRlU9nrK)b{2#{0DDx-5;g%V0V)Azl+jcN8DofnnZz(WFzEP#4xPOSYr2a$ zax@oLNrxGe#l-?&5oLv~0#hN!6df0(=)O3Tx+p{_o`B=ly^OMVqzNb_yTr{N5^vC>UZpK4L0pg-y65d?PsR>?%CvHgyoh56Y&1@1T|04BX72rwPcw++MfjufD!-Vp*oBru5HkygjQ zC0_pG=N(bvLFJ`)BmfQcjsQ^O-0;(^8ebTE`$rV8wekB$cDU>xNucxOa{dtnI@Nf9 zp6%}Q`A6&^tr2VIv{bnBQipWGf5d?55~THy3{bJe+&|J}Lyb%ShyYmVA5qfn1X6bg z#eXCR>k(0hMwjHE8@1uNj>$?X2FBI5z7#jY}Pg(?X&QR0fi- z^d6~4eMsXkB~!<%O{K*U%{6U?F8+o~?Ith@Hv$MOGgA9FwV$#Eul`7+T2(bdI+k62 zAkw9=hKxcx7Tzf|SoECmnM%kvNFRdK+$Ysh-7upWUIt@6`1i-?hd34X@$s?89#-nZ z-8@1m+#TJht1|9;>gu>jqsWECn0Dzw2RH|g>Pev-pwK%KM;`Ybff}bW)b~c$1|Dpz zp@!5>1C2YxIGtff^(NNB?=u6=?N=Gsl~I*=*5B83VQ+ZEG?UTkKFdMf7~Z^`4L5{*FoVIvf?8VRRhqO!t0{tUS2;s3(;SNnZ zDFnfyuPdM{pu@R`WP~Jrlwl7^2n4ir8Fp~WgTgW!c2F0ALEewfeMqKMC>abOdq`k= z?D#|Cx)~EaBu<(%kN^)K5(KW1?gV%}B({|w5+yC%v%3C}1YoB|sLsT1I`)txVUm-l z9ufd7ZOMCS$iF5WiIO-R63>x3l+&_kJ-ZnIk5^uD{F1-{-`u?0gjph%UdnrskoHz@ zC5|B?IZZWW#F12m{2wW#Bc$d)p^oDW(xsyyI*@86i}$I2WNPH&ld@F_BzK5)d}7Uy z&|&BBXj%w_IimBAjImff3g5JLP&U`0^wNif-$2~}+rUqGcCvBT0M!s@IjGxaOT5Zy z+^~bX2n_1bC|lxH#&u$>?z0@!In^DqYFu|lgi-7hngtj`(mcl&R66H(h?EsQSmj2V z7$Xl*)|8TI{HE}*T-xZu!Y91st>0^S=><-2ah0S#>-_UfN?YNG&lx6mZYNva?waB3 zO5`HOVBO8~%ZU*QgJ*|Q(#d>~y(Y)PnCx^5_+)we+}2pI3sIWsEVxAagd4W4%FTFeJH%mlR)0qfH=LHAmDV%Y zcFVRtxdpr22)@Q|91Yp~%inu&Wn0TQFP1V!w(su zrmj-v_+gwTHzRq?cqfXvJL?w_g=LpOZv}H2{jD^)FqV0Wr^aV!g!It2X&8HPecqv& zt__pVSsYu-XET?0Gxh(r)fQ1|&1jb-8jaP*dKq~co#*qu$KH<3-yS$S`- z473BMR>VErO0oNb%GI?of&Jb&vE|M}hAc{$edG%?UGDmOnV^+lT-;l0MdTU@e;t`` zFv11dXTWgtX=+e#9W(>=qK-Z33B~QRnZoHiC$HX)#Zb>|Znqw29+>PLAY%kmO^06i zu*0@FPMe=30@Dky&JG%azQ}~D0h6rdv13K{-X1*)3gXWa`pIT3f87zC{k329R; z?PSlPOvW0v9X zNL;buGH&sZQ)@yHoLkv|Mhg*TVc~UQKXiS|WS?yXo#+XGLR(2(O zw4Q?<078=$XJ5DKuM=v$o8#@I22OZd_74!hA2b*d)AU0Zw1#T$ebi1JmFP;F_eu$v z2rL``hbD=I0E+;H03a4_)W8m3&WpmIwe=kK4o~e@{Dyk_XkF2TF;GPtaMA)bEI>m@ zWM>FzpV!HtfE}&GC@_W(hMkt~;MB*2!-s^*osB~smH>|)!K&{G3*Dp9sLS>XfeK=M zQg}ZkEZo~z>q0wrfCaO@-mP%;SQCr%k8O1-T-+E&%zBnP19l#gpc|eX6|7MK8r~VV zjBpGJ#2CYpku 
z!a(@=aM1eT(L~&%#a?YGaDP2qBPUt9S@>rMCt|63(@qL&pipNeC1=FqQhEurc}7^x z29}q*Dt!8GxONe#od!G`EAtPkJH#4wkN;qwu>5eiTcwdEcA+bZj+f>_jbS*_F3Q;R zfzra|?beVAH8S;(+r(K0XmTN4Ao_bqs9-#cBN7M*27gpPY9ANek&jR6-eG|qUmY9i zH73=IKV*clhBHqQ{zIfxAPHPjE&##F2sO8e7{GuPcnUzl79c?Qhgh)WQ)_kA3P9Lm zqSFI_Jp!P zsLN!pD%goc+(FJadQ^B3tJG(ENXIz1Uy2o}P-7U5w2N|rD5zpF>mb>WG2%UeA*9l3 zJMz~!5HKg^`M!Gq274T|;6S-%#+p|um!O7M{1hF6mpy)sV4zHTPvKq&ot0F|wvw^# znlMZsIafSj0Qyjy#|7zqVHy^;<^IPNxH`98o^Fd?@zxiOOBj}3TcE)0Zd%___$~np z-2}=hF0Ywj{z}h~7mW0zzG{VaYrf=${r znt$14bMA^e@*0D5X1~I6F-*H@!Wx5+W=WT>9vk6~?htBvbPT?|+@WN=&&AVLNwZyH zIT?1@8Wgaeiv@=41#1jaKi+Ix4d%9Ud7bY`xEp@2S;^*b6AsGO+qp{)bg%AsKD~>0 zA`N&Nzg3u+8?RBD_7+^e;G;AT0bDfz=K9%8u#|NUbVfRq=8ULZ(&y|+D!7i4m$ zy8y`m%m6U53GiQ%_9}YKih_a^@tLTuHG91;eU_5o>sgd=cz!Jt&3|2IYxYMA<}z7m z{>&L{J;6=V!r<}N5=>Z5aS}oiONJ)GR8Yr325g|gBP zj#FX}wtjJ!>AEKO6iQ5avuW8{hl8o5bUardTudAOKJ#B3Ny>_Imw*Lic?-%8s{{m? zlx2hCD?K*#(OQ)sAyS^luNf?wGRLwsY%%>z8jM55Z2@wB0HAxXk{Rb(>hTa|(c)CHXl*iW{u?SPoZRrNy|=P+~_oi_7bXKno!6@4YI zcqj!UzF_MJKWgOMXe_zlMAl$e8&rX<+msnz)&lY0+^=C@z$&XM&9IdwyHCBZTl+N-rFd)|*ULPh{EG+!`(u zX>85&@qECEW=6t57rZi0f|96)OG8L0A|un^7o4;71i@~lyMj?=H>l@!V79ivN)t4- zOykk*d>IvoJ}u^`^hif@#$B-)it%!p*%}Og#-kP0hkncQY%QacIgNbFEKA02ir8!& zqXJ?c*m{>_hw6XInvjVcG`~i^wyto*g)8p_*M}oa=?ICU5 zj0QU#=^gp7MmjI5STH*bxmaw=>tS-~&tA_$;@l+3)SOFooGTxfZOs9tczVr<8YcGu zyB<7@N2(9O;@%!S+VhPq`bV`NHb?T9NWc}E4qNjITW?ru0aJTz&Z~h{*Bo2#{J7=2 zp_M%x`y3lnMzM8Hijv)EiQ1Wht#5e6-AqgT@ajG;ew%}>GyLG4>XM5+F~hRI#hxeA zxHzIyHRR&2xvx{*hXaBss8Y#78mmbP8MXs5O9Uc8l2S@39g;*)A%ut{GbJNQK`Mov zHHuSqXz%!x>}PZ9BaCAbk>Vo{dJlv;tTk&6x^L7TfNi4fW^AkCdPCu#w^$)yt-r;+ zFB+*e;eO-pqm83)sP)anP9o?5p(wuRtOw4=pJ#$S`AUynwgTuF?@{hi^^065MMD_{ zTqnWN8TL6i>u-YPDTWYWc?cKdRww_wIz*c09gd)Q@QkT<747%WstSA zy{{%8$YD8@+f~8(968Kr#%T!sBbZ}^xmIU@-m&^Ix2x6Ja*kDB<16yf%mK2C#~L{y zu`K0?tsZO(`EkV587xFciSUe&{zb|@4aY>#eJ*IgS>DgFskvlCj@;OCI(tj@rwzJ# z`_ldgEmy)%uwl}6PeA`WXUI*zY7wAY=+4KJi;l!aJl(v<%QjS!Ck?Y6?SLkq8NUa-@__?G>D-{CR4Zadd 
z0dx&L4SWr>7m@9rE---Dtv?YcfsD@3RPki)Z$A@6&2io1P{8M<1`Xksu;V~~R{wf| zIgx;eHT2QIAm(&GNNkC!hs+}!d5V0VIDl>+AwHod&ErpBD^HbJyM6tDcb>7h0f`F( zKZq!E=6Z1nxgtqixo)UFG^>~76jk$JMB%))>MTABiO>2hTzxPs9v3&Cp#aei;E86I z%SjPC4wB@gYbvgIdB(s}d#SLz$XrO4`1pqjt5?BPTq;%&Nd)n*@d9%sJ`5DWj+B!bwqIM6OSeBpxG^=BkOTe3D zg|mianTg^g%`}heKyMH$ocbUEnB1V};zPhs=hk=$0rrasDjqeI=13Oq#kRTaI75-I zgu?;I(`Hlr^Ugb;VA7PhM3tW+rR&0uQ-m)r`5iFnWS6;C!ij)WN~rc(>Z5><2g}9r z7WSmKcRHii)!9nAhNw@EO}<&8_7~jhe9gsul$6_nFTGLR&{kx1qc0Oal7t6{r>K1J zY2#cTAZG9=9X>yRm=gFet(=Dg_&1AyzWy~RCa=T)FqO!$el{%t&1p}8;TBN-C^+gU zAl6*}W5(r^BpKztK7jlV?bT%~*)@r_uTlA0m~1modqVO`SXNYa5W+3%-~LxaYgi1H z4>P;z_8%gXz!5bgOHN$ncIl3S_#e8b8aoVq^b_AhTzMpDa(_{?RIXVMD*yJtj^i^~ z>z&q1huP4sd$b6!rE~jf)?pCXaRzY0jeg*|5e;93^PFyB-lJWz{nP>@kFwxkqLi9) z9T;DD@zj##<)kI!zsNCt{*TN-843=e5(_UImc*(dKCQZ9$Kg?{C>V~1Csn1rYmM@= zn_0dNt6_dsLUvo(=Et9-aLD>J=rz{z&%eqJC1<_NufG&G=ZT~zOEuB{xhGu~@@iqn z(Zwg(C-D(0;;V8Pk8k8D!9W`9I5}MN=IP`=&dh5IsgoG3_8DgSD% z{^w`CmCRr-Wm|~Kg=4%~aoMAp8V8C$)k02-w0Xq)OIrPU5!j4`b2JASq+cr-D z!;Iun*l~Q!pjReDJ1zOo2hJnNWRIZhe-0lX+Nov)Y270biM3?Wl0{WR)1;;{P(G8$ zqwvMm#n~Mq+`c|Y^*?8i$jj~ETrT7)H)%py@6~X*4cFnv_zF~KY`C^_(l!Z8Jkks{ zy)Mi{q~!sE^6*93gT@Cp#Bt_}w9F6|US)#NSS?%qCb*t$yS*_0=yeYhb{rTWaQ#Vu zVcBtHCZ{KhkB2v^VJV#u7cB!*%fv*{oNFRA%quMD>TRc-F!DE1*&f}_=HX+&Yj2Lv zQZ(6p{dip@u9_qz>O8{>JC1AXd|y6kAE(%HS~s6>eIEXVl_s;UcC3l7BG#|g)=KkH z5HoZX3Ekd{gJ~o?K8;FosE24}(ngtORS2K5XsFadEV@K|KNnzb0w3*V$?Q0)S!#(V z9D|U9CMaUv8XjeVBJ(r2W)4Z~hHerVOcqnq>sO2jnpqST%-`lvdM;*>sdgL~K)e;C zH`jI~NXsum6HbZ;?0Er?(gNrqbCkc>C&^v8&F1=u4{m9;0f}mlsmq-BAvqidHk!Nh zIJ}nSa#*PT39ou6Hc;~K$$*%Mfoc}4ST_y>^L*C*>b&rIZ;q|VN9xd6kE}>^NUBz!{}y_6XauE zyOzLY^NtgM`}Qw(^vhr}l2zwm$1%Z;x>=?P=)EjAiL^5h0=BA>(Y)j>em49AIWj{= zj3n!kL$k7aMrYY}oDzyidS*931nCXST|SuXI3&PCFJbK@CZ;^nJe1cDoDpuimm0{w zy=0!yQD(ic$S8Ll5lUDe8r8lHM=1^ER>^P)c%ZEe8 z(*y6JYMiS9iUxvuFlf0sC$boi0IoG0MZRh;K91JMJy`5G7wGwHDH}g-bZ@caSO9Nj zFH-?QXzVyUY)AXkJ3$~U67Jlg4Tsh`Kyi#i<^ns;2(^u0S}G6lqr1)sGAZyK-4A8Q z5yio}%5!ZR(%5lcLbN#E+8Tl4^w?^8-+lS|JU4q$tLxu7% 
zFESgyV?20Nmm#Pa;;ZtG=_wy5^fTgzBh?`UqpiN z>K5yXp1qsMa69Fg8u_}|L-+Ua`GIn{F&pFM+Hpd3UVA_vPfUb@aU_VLwgYS9Y8m?+p9^1`?Iqxh1XsjBiTP+2jJ)aX|9VeQJq8dBM#5lFdow|NAYP08 zrVU?HqV@4lje|f?d;J4{XxT>sO(Ly6fXY+%n>E~=k|*|?4(w(y4N+wZhwSBb1iIg3 zU5IP=UJQGy23>8bWLolnRbk!LLL(bC%RKC9A2BISa0)*drGs#HluHA?zO1P41JmH~%6?k+FG%`x({bJkV8upv3j%4!m>c$Wy=#ISf zIYm4=C!iH3ia64c5q`5Cy_0k9Oa?ctj}B^7BLKLaH8LfnA(?FNoS$fvDFy4GLG>Lo zk6^EyqV4M^pHFPz`^}a)zr9QQ@j$mgdY=O5rWT33zNkv{zGl%>&KdSytRgHkP!Q3a zxQ;lBOdoL>Lt)8_uh*}S^tN@(C@8LP-ES-)Z&5ThY_rG+QzJ|bP7vh<@!fFzW;cMf zcZH_+2Ul3|&k8V@H8|A7ohg^6JO=b_QUigDf{|OHd-ttm zzZt`XIu)D2C$Zm1O;5hcBiwH)Fgw~j<`3PfU})<UDLguO1Z?Z@!V_;_Z{1^6{EP9?> zs#+ohv3e9GwHivoLSDKtM2NuI5s=c{Fsz7rFM?~=V=Uq0ivp@L>ed57uve`rq<~g^ z%ZmDo3hXz@oEKwpamCJl1BH{Mzj%1U_q3(wn`AOROs3Kus*SNgx-1#WJ zErIn;5GXV5E~G|!P?Pbzxg4`V||qwHO&TdXk-`hZF#^w>P$R} zv4M1Q_nHCQGfi1?oXM;L%t)x*muS%IQ!mzu48B=$Zz>0Zdw^9+HZQuL0w+``tf=<@Q^{Bf+-=uRBQVspRVgqf&Ip3 zAH9ESQT_NbA0^9^SxsI<4D1^D5(3rmXKeshK9L#>W1A*IQxn0CLZq2wCz0Krye6&9GKGYJhr z0)EC%qs$}&W0xp-+B!`DU8M^*h5PQpf@~ivfrldQK53pITsYka?B$SHo={$zC!g zdbG`wl8Z}5q=ZCo7HboL{U#Un9s+!H)(5uVK$)P2BZ?>1#OE1M#1mXWFrGl<4v9I6 zNKE?;4)~*nVhw8T_9`SUJW&DivS%{7)Dv(%(no~P2l-**ih8LfcO-gancjYDE;1oqW{~7Z;xkZv=Dc z+>A5;;K7_1n%zD~&2(|?eYCDfMJFm#t?SXyPGJY!P7~(jloHXU=A=}0H|EDms6AMk zwl;gpua^mUv6ORB0uxiUn%FNgtJN*@S)Q1ol<4vAW444{wrUQRV6G_gtz;APMPteo zI?6eaZ^(n7`&n);DpImK{FM=E0H7K{X$Ayng7S!?n;gAq=>2JX)SdFT)9Glq`a`N=ZF-ZGBVCUNy}ip*@~?fG z1bcdtsbPDyW-@;JS^F~2gxZUl1Ub%p-TSH^BP);^U*pe^NP|9TI2 z=~3u=9%qyM8lfyz`SUto^LPj3tu@LN-u%qhK09YaQ)iN>yFJR6ycz&AK+M0cb!iNG z-YktYMop~iR1W1OGv_W*0drE27Mg}I8lWQ9I6XRDkjW%5r2HLqZgq&wd+aUy+=me~ zE!{|r*7snq(umbs1zfApjlG&rg)iE7!FW(lI%{SK!!8FvJA&AlU!}pLvK=2={n4^l zai8z#m1m2+8gui012Ag!@*zWFufk-h|M#(fVip+v-Ctr*+G z!$+AP3bgT}SBNskX6*P__?|s-qmxG>g;@b1V(5z(}<7*_2T(t22e zbHi$w*nAbOMt+;UdPAPx;@@5cEtR_0C-PM@W`5Ho=h#PF!e0Fpy}xmHzDiaD<*#0~ zAO6dX49Cau0rSs?r=v-e_gg_&+T~bqK6{E!F%Qmd>`{Ggtnngk+Ra9#0pG3DB-poH zkKUgF(=3>9-;x1)iaO(S0|^reLH+KOj;__Xow{ZG^=9~M2Dj7&Z{|qRYzRXcKKG0= 
za#`KYleCC9O|<%sk(mLa+DT$h<7otB&?U($!*+9lKj!jGr?iZ-Ui7T(vchs%Kwhe_ zHTo*>weG%0Kuy$8AMxy4{id$+z#WVJxiMjO7or! z7#3VQukurB8;Wf6$jyBPAQ}u`f&ox3vk>W?xkp9xwJSR)~ytjg>KSdYwcD0UxU&9?^6#0XGh9MItK)KI$&RU@pTr z%8K~(^5%>6Tot)qXIo3=*Y+SRKEMp@Tb?i;Yha|3dhD4*?Y4NJBY4f^r&a%z*KxTl zvk&80xMx{nBA`z92>ETc-r2cA!bLg+P4ISyL-zG5g4W$0v?g|tBCkg;F_(P zj5k9|^YsgwT^~Xu86Q1-;cFF>C;VL1XRJOh%Y#wT$oM68_Q^G4;sr^z@vp_Nk;yH- zB+>P*uh%z3@uABpqQkh-#I`&&pHCU^a<;P5Rk^``N@!a}WOcpH_neY4dJj`MkwUD| zSpJnKwMPjMMBCBaRyc=8i8R?NWodjI@b5zj;$V*qpCtAjzpNPWX{oSpx!oZ;%cnmd z05)j`{4WKzNa6v6hW1EDqPY9N9~}P2189u^oA*x9$q0xUE270OSO58mDs4OAYHi?V z?Fv9!^w84{QbZAmQaS0t&LBkuWr95seDwN^eT$HvcJ@IGBt4B9Y{IU|!bU*s)x)~I zT4P@~9PM6p4!!}trhx#xZ-P=bp9XS*&PqON@OrjQ2`7V==6c&!!CR7k(rv8my>_R&v&b7B=^h( zuU(r|sy$3sQO~)kljoZ2O|~!1FASs*JjG|c3}V6%I{FW=!S?`HlTF@|it`q-w3opx zy;p`#FU+1*ATJky$onZ^;;=4lc9RZ zkbTPuxF9J2TU{%PkMHbTOt|+AIK`@vskK0>GD7|kJE84$JCCc`Qc$=y_XY!lS=qOg z5GQ9}hRv(^RWi57IC{N4N+9c7%#M|?ZxO*~ZyQ&_Y?|CAG6bcPUj@o{rmDEMl#C)% z4aJWVgHiJIG2cG0$i~$2gGOBzDJpw6w&%Rw#khv)-QgU#FqtGKGI1=(T1CsRi5}P@q z{n=Ay&87J+Av(}dGg9tvYt5vCDcwmop_CBGB`oaYsE3z9kxky=<{qLa0t*PibbRO3 zkwns+!7v-XG?AX`uy4Em^(YAyet;YlWn0pW_AX_c^AZi4MDVBxN@B-wm8ntZ5?K`f zcu2VJ4F*Gvc$&$P<9^AD-9z-`d5|*7ovWTA<05x$DsQKxr@2`|!b6eI#pklR^`4@j zrKYRg9<9V^km);auoJqto{dJc^Z3@5YN!RM!Fmss{lHsfy>R9BI=kD4pO-K(~j5c9ZJq7v2m zh&3C@Y)(9NHyUoVvW;5$Xf+$H>=BG^h!QTN4auR#!eFRT6C*Zg+cH>bryN4NhwWpk zt$)~~7#jy-(f9K=9bU`v7Y>>X`xemcy%6xpyJ{cbr=6m%PHNIs?mW&#fEtbZq(UuR z?NWer>EuO&?45j*F7_?o9|AV2qH!)Qs~1p>5#upn5cS7+=slzlmvxeb!K@?N5tB?Gw5?bGT4jf$eo44g+R zGr(S{httt+c9tP8v6}`(!fE3Nn*k)LGWecu?gM~J#z-lE50XH<(2Whz%&h@JA+jB6 zXM5&}eqLfU^@r}^d~1g9;hkJe!>TM)6Y?X4%w?X)mbqsYC0Bb#54IWapr`B@S(r93-HA~17u8(BL;XswA*Z)ID zv6qakQ8OhgX#>{~YYf^SwOlbgXs$coZdD~lWzOdl{em*3VA}f~K%yFJPj4rl%!#uf zO{dptxGi;)aj(x0L4hVM>CGC_#Wr+rK3p!RyFqX=fd9S`(3jLf(|a9!4(HXSVnzvx zl7|>D`I2~|SZ~x7<+7K24(`^f0XCXtYLC{f(Dy*NP&=3o4KJ3}1I7-1kCmGEx?S5{ zr^>IMxpEmLS?x8aMqek8D?0mUJMoXOrtsaAU1tgpB+?Jti1_qTnoNcVv}lTXBD?{? 
za|Adkso4}17tX~^m;={y>C?T!4#PWk0KHgvN^)}GCULw(5wyRjjs;@PjfXaT0q_(G z#xh@J*O}qAo~pE9F%5J>*z&hS;83!W)G<4$5AvCSe{}$C(4C`USKRRIIxl1v1KiID<3Kc)CjlAp3#-o!DuBCIrtJ~Q6i3?A8=7OCF4nU1*`xXj1B)qs=^?x{`bY%N# zdzf&*IJ|MacM1&ZhQliib{!Ew^UaE@-0FnDtG=!&FnnNZ(+TnQ5O$ro3dzPmorX=v zP3dDVGwjK(lfm4Ztv6!+VxUXCIxCP7yG{k6tJgm_Hk}<*Vz!RUJKZ{{gjA~kwV0%) zSx3jIuKyUk9tXS5NOya`2Q3$NozN6g1V26?m#c*)YuU@?6#R$}WAj^| zI&?{4;cDE6J?9L)hx?o6il%Oc9n19kSjF107%ix0oKjkVF3Rk8&mjZPnWA_s9RrGs z75j7vTj}j%K6uF&5Ge>)-(FO&3fOLOONN1=Erwh2p%;+)7jZsj>F`oX6o8*@{mO}6 zg>wz)?>Q2XZy75{_8jOHuAR6%uFq%B`C@M3bq)$(@p&Kd;_xCc>mC0ea%l= z;6RU>x{#OH;+q9(ckb5Kh0k4Q>IIhGp!YO!gn&)|>8Yz?t=t zS&UZ()GVq>wLY&(Y!;Yv@|UyItBP94^&hb3P(dw0`Sl#za~=={x}p#OwYF`W5jG{* z>WF+jwRn7(p8|fmln4@K7vb-MpH2#(CyGyk(4=FydL?I5)QgAD!*xR}o?ePTeI53kAmXeL))m6#3O6S%lnO~Mii3xC$%S|d72_aHLQkp}PDu@zs(HnX%&>^!sUhmM<*}uQ=-g-LL=EkKN4X z1NR>BaWL?jEbh7$ZjTd-CmpVq!*!{h%zIls@48K$qGSd+F~{sT zqUl=ts*KzAfn~oSEGsmHCQG6yF(my>bvURsml7K|K)?6Puk366Kd|S>AROMlCc=gG z7DLo_!sDVPc?w*hH;dIyVc0r-5=4w4^y_i+h@sY&u!3ksVcj_})Kr^?lO)n34hLn= zN$Gy170Y(O)}~#6dQbg&8DD0u zc=O?MIbHX{Px1zJTmhZZx>;H{$lPeG!pn4BGL{jV^*7IW7MQu0gQTv!-6cxIEM*{r zJ5p|6mev%QQQeCzMr`#t!1j^^S)!)fZg=J9xl|e=06(cK=0ULMn7}N~z5<^P-e$Jv zk>exW9zm(I$ohPwy^^q%`eq3rWDzSpX3dA61a0ygoZK7|QdP8OqojR8<{kriC=>VI z91&hv%;%s?%^|!XyE)c(6|v`pfZy=FanC7Dm8jXLJtJsub`TJW&J|vzX7y%`!Q)}!!;1C6ZRYpToBbreB1-ZRXW4JF&Sq*4k(0vtRA+w z&4%FSDtiu$5^10Z&AGrAW3>f)js$#*C3Bb$)>Fk3h6=t#` zCS8g|l@c15(@D_LUM)$U?IbW9m{}`&{&UJX@})iC=1@%5FriQ`C`aRu)p`wJuXaGM zss0QVSnmPA>svsURylh+NjV#`z|)HhW`$Ujm$Yt3p<*#LJZN@a-zdQ7d$VoFlFLn~ za`70Qi%kH z5Db8z-rKL83>!J`Cc?w>aZg(c5DyI@2>phh_Kq)>Jf6>|{s8RNoKjwY4$@FAgHL>y zYm1w!aX_GF*b@hydSBPvOpP<`#pOZa1DhtJ0Gz!_oo!k9mjVjo(VC5X=p)x`gxfv@ z@+}|!rU#|k3}JnP$~Mw*BN*GrgX5$BX&kKKuX4Gn21bj!wm+*XF(kFEjuGNPt%TUC z6{ta(x2>;uFsVH;%v45dnHf#%1`1XYlOYP{Qiwl=@ zck^+?MV=`OC{dbjf9kK#eAZ&S0T`hJu;uj zhrPNKX>Z7C6+tKx+U09$9Dx{2;=)eXW3KU_LcZT>ELR}9!lZq`{L1z)<~2GcO-DER z;2tTI-t(Hg6UibKiw5w5-sbTa@Ie7s-?}F#fMvhZJuuv)DJO7ESLfp+0cwt>8O~}b 
zvK}kQ$Dy9UlbV1=XFwfC09KdqJyMk19_dCQtyFYC)_ZoyzDnj|tuA#GQ)&0A5-DvG zTgSn~|FPP@hqn5@j}F)E3gO;H9|OTHnQnVq@w$Dh+Q+7*~o1T;sNRjvyoD|S>lbeq&H#8 zl>0Aow{F$DU`L)x+4ig;@fH4FT@C?!uV72O#4XvcC1BqHfqb25j98zf=LyK7JM_(X z5PY{+3#Ku#?|c9UjBEKG2t8FZaFjJ%cDL+HQ3KxYUQvX{`xVDTg&3wl#Ii_UIOo0vrKFe_S)a8^ED72N{M9mjljcKk~D6X zKjv$52Fk7%hSR(nv_wsa|=8E@a5 zi*u3=h;IF8VH-MOfX#XkrMk-JP2?mzl0euA^`7gJVRnybD3@irVUh_mC`V+4gH)lf zb$Jb8U9vnES~G&e(JnIYJ5`|xev!FA)DqR68mX+-kTae(D4&lk_CsI;zFjl4%4kwg z)-m>-=^T^|`7dle&~|mbi^&Oz;t_?2NO!_np11Fe5dxJB`;IgOugSCIgZrVB2oIa@ z`rKlG!1m(0!UO~)d-bObwJ`;7)!1rzH4ZsJ`h$5nAC+m)T4(YT_`v%*ac*Cj9|kX4 z@<9Swq>QZoc$P%sj8EF93h_UA8UlXz-8S9IACkEjmZ3!qs}A(uolE! zAUD*DE4g&Q?LxPmn{Nr(g%9pE7B^W^VXy~Vy`1<^CYckVmO(C@^ArwTM|@eyC9 zrR$iAdUjX;egGPxE3quD*4XE&yM~#ZaWsh|=TG$1L2FT5nwrY4jRH1ALS`u_QjO1} z5?M?FmAj?Qg_$>Lrz!M=IRHvxjnknMn9QI@yg>K6>GYZfIc}$v@mtDb0UjQWlot1> zmpTRfbg9W1ZySe4pNp%-G_Qhvzw_yp;1s){L?)25p|~nV30m`GP^hRVs=N<{uTd9h zO)gv5ge%B(UT0*U=I4w{Ib=vT+(G($6)RI%JJkIIuOuVlnE@Y?UR@=AOa%5FCrr*) z5KUe&ZlVWtwYNHlUvs?K%u>t*24ITJuFg}CEcP7+(8c&gWyJ5nEb^NCoh9rPJ>_*@ zz?J1~4wH3`o|vekOG-%hY#?)uRKktcC$5|aCM`XmLZ}Z8ACTofV^(R4XbnCZiR+90aSUe_2%YMpvcAcE0yy) zov5TDF)Jb-BXNo-k46LY-LtBQKI*Zm(RcgKuxi9s{^?gC`Ap^L`}h>WWjA^x;|A`P zEmki)KGA|G#ctN$LUs<&q^>j&f^_&g^75iRaZx55Sl+@dU6QSm4*DVx)LxYr*T-&e zR8Wd_S>&3ua~1ZA=A?Tf#>|*zwT`)-pftNaF97w0Z^V2u@TqYivG4SxN0=%XgjuV- z4M!UetpP2;P;^}*_s&}4MMbDFd34c*Te59YNzx}XNHQienl{EVN8=m*&W{P7LKHC< z_wX11wv-AfxrQ=gFcR2zay@7aiyw1U9^<3X1=(|>6me95r06HqlWF`xpoK_M)|SLY zcPGhlW@qOeBo>HIb&nVsyr_*ret~^-ZRENoGqOd+h_UY!q2Jh}lfklzu+f)@@>rU| z=tf9vOOUnF^e$m0sEKul?2JNmv=tMY6qI)`wZaLw0T1KeTf)gSlRckk6^LE3xc0(0 zl@W2_KYq7yp5?Ib)PVF>l!q9vE##(iV7AP?i)QW_F}tCz@aRxiJ0+!?HPRm5K0KG} zvzvy}OHtSM<7Rb5K<$M1$cH_GA))h>t%6a}u}f!_v)%%jI+lboUO$EA?F8_Gbk~gG}LZC?xiZ zI3w+7BTva#DOzfo)h5)rd>Wy_C{KEu&Zu>Dwvw(PY&J{PK3`j%J3u83_qTWV3$m#^NZ5S5WOQi~lcuM|GSVj@3^Ddl_=}X_jofw><(~o^{AORSc zOnk_U)VCHWo~y{GTbQFQ7Zwi-bkFHIZBZ~b{tGyK{G-HEx%)Gr3kW5>EN^pK6xc=dZX9Sb; 
z_E?l~?(85+jL_?oPs#90K6(Gj0olCB8)g#uN;@Bb^pca>hzPu};=bd-?X+1RX2n!@ zdnXOnf&({X--&%GAY$xvzyy6HK0ksdzGdz5Gme149SnlJT5W;<5)-3+C3!usBDmsw zB3Bp^LFm!E3VKe}#0bfjci8ux9afZLcdB)f(b&zI_bmzz*r5DM!fN7THU0G9}}$E5tpOC7V;#GR?7 z%zJ6tDpX#YjB{|umw47&6Bnj_@~(XSKE<{Km6!VzM&+)JDfIbNirpzhBa_x;uC`Hv zs;o=bH;HfzLJEE^P>3dXAn8}O1P~|TQTwR)*8D`2pnLVeq0+xs%i%$ z<{}CNCm@U!1hXc)G?giL07+NY`M{i|VZPz%l(kVLU0apYFF>-{ajv6{BE>@89w145 z5|5Q#XN?Br^eMHANE0Q#5Y#l7a*F7rOHD-mc9?Y8S&VP1VAoLt3Y3c`$mi`kX!tCx zonn($Aspq|t^11a_E_X;72Ey+d|I|;F83Osi?AL(5W7wWo}krO{M~P9x3nM=0L*MZo)C%3S_WK%!?APlOxxB8e9q{K-C)7Q@Q;x zmP#HZ>{cp+HgkQ;i4P1%2#ldyr^Ggu zC!jec(33i0*oLo<{p{x>XF%O|3PqQcaKEs(t`RX{9G!FSPuO+55FX(zJW|>XMP>n| zlZT;+xJm8WYzZ>~vgga^uR48x#24;H_>bVT8XquS+SiSw#Aq&_i+J`K^tbBdfIQSKsw*ljvp)dMD%` zOcm1Jya_pVrS@m+I>#XP+o-m9i8uTs>EhZFB^);_$xZA8%BkCWk*TOKigdb8hFxa? zu*rs!L=i3w^hv}`y9%70x8uxb!9nB&;3>`$TXY;yaGZbKLqHllOU_47m?Jia|E#Yx>-j=JXq_DB$9358vpOC3)mH0VM=uY(78wV#H@v*Yta3F%}8&y>&g$6OZFaM~}J za)GD^3^3ExKFdx3tcqj53oxj8#YKZHcktcwFpIJ*IunyFy0*mZ8mQD-*vcy;PS6S3>? 
zY|@KOQ?=@PKPvSds0+rcf>J|irqw)HHVs%x^VNTHQ^sWa4zA(TRP<=M2ROE_sD#C} z4OJ3A02B8B3?2{1I1*)PZKVNpF~Lw+7L&sUaWER884^OqL0}9rBOqWS0001=mnj}1 z9OrqXAn&}urgPo6PkKw%-5Dxq5O}<^sgjY}Sc>Dssqo=yYmLkLn?zjQXD14Ko?Tr& zOd6W3S<(irW}0wpb!otzE{uobP^ueQu|L?j1$jbA1K{1goQvQelTb-bS%aHi_M}swIkNOIdhF~n&MwbFYkk~^T>7y| zX!9DbX{_0o-V3_-Db4@CcYGzxQdGp>iFzEkd}mR_PycoH2jI3Ri;MwXpxm9l-ZWliUs-%nSAREsQz@!8lkXh8Ndi8YJ|Iu{%X4>2`?9Ohyqy6z zLknon-7^Sz8S&t68r)$B9gGuZa%bxSfthZOrv_#{jy({A%?(}?Mh~d{FbQxu{?X$% z_OI)Uh=gBC7_PRpX*ntBXMLA2i|@)JQ$C0UP>VOZ%5`o6_t#1VMArCsKi1;I{^sLT zsexr!V!4W6S8|8;Sw0?sXQ{u}gn@_K^%9Y#o8|oJPIU|2F88NMY|wgz2S10l1iJd~AK)4Ddq3%_c(S z(I5FC3H)%G`N)Q_*2f)X=g#qR7{cFXuV>Q(5{9}A@n_d?nHcO0a|xS1#{Nf>%V>X3 zGB>F|1H4=7p2WtW&%g>^J*-PeAfCV|>4SbKfgeiA#+$C=z8f}HWc(jN{$&K^_g=bv zIuB`{bgNDTEp}mfu2&UC4RIg(k#^vTwmG0~WB>W6VSEF~flN-Wk!~EQ4!wOZH?#Jh zfiCutT416jUehV&Hqf|f^Zq^Nj&YBNtzo-?)0gc;B&lL+qVZ&oZQS~;_P%)a^E}zQ{sy*@e-YiQmwX|FvrLa#{@ttCne9H4 z`f<{9E8k`(Ku*fPrawZ9quLVRira7mrhm3@(M|9AsZ+P$A&Se0G`PsekB7(S;>xW` zP^%i;a#a&nzU$1%E<$pPMw|~5bj9%V??>ndKl7aR!KA?^yu{?|frck_!pC3AhG*nV zV~y}3OPSfL<@W+pPv5kwYf9|wGd|AqBR}7t7HZ~H*|slKE7yBH?epv2Xoqa$<#~2J zw?CHMr^s$KPB{RFT6sK2^EG#YbKyEY8BbqX>PHPa|H$wcdVsIS?WB)V;h7Yi`l#9% ze_fxzS)`%RetY}DBbMSgKy9pscynwq?3l0VJ7wK z7Nmg%cbTL(#{_!_!H?o#^MB?0*(tr#jFHLSHmT@UJ!9fVt)NLr>7^O9ng7*)CgCMr z)?*)B^cF}%ad>=n)57`Y;bRwGgNhFh&4&&5)VrRqF$%G6*TK3FLVTmdo>L8cx2bWq z%u|9x;EcxEPSie{^Bh%H6Zy-12ue^#6X9#iS`TnD*N`7m^7fzbl7X2S_-_}#mvM|Z zKLf=iz#2j>1%w?3$zjrccU$KjOttw}a;#h&+XM&qGPoWhm^;vb|HUsxbPyHz+PVnR zBB#D!y=gJET}=t>K>tNyP-$p|uO20_)Sm`tMYQf{1fl|_laBi@HG$vsE=&n+cD=p^ zgY>iDs^Xj|@@p{vNo7;XH}BF9dhL?|)Z~rWoDlwrPZZAN%U{ik3A1L;7!Lm!6`ez? 
z{=ISg;&ebnLEJja;^j?#H@(la!?=gxyk^7WDb_MH&Rs_cGBN9elL) zq~Xxl6BMy}O(f2|MdK1TuQY>i@l_YdNmyj`f zC9VRhcP-tZPx(7lKm< zw`D-!>AM4DwT`w_70HhXZLcJ=SGF(wbMpSQ%bu_UiNm)G`Olw6Hn1le`&Afm+v+-5 z>r@W=I8J0h5j-~TVvCbEcF@6LzLC(-G~5hDdo5QM&~qa3mBVtF6QI*!DL$j2d$}>_ z0f-x@K}joL=0-!M80pi8%>=$U_zrjS-|@Wuv*K!#&)8Q3Xz>{4#iI^@x9E1!`(j+> zsz$b8YBfHz^D;C6c!-jP;h?*Ioin#Gs>{qr7KxaXxgyJ+X|Vpp=Skvj186f2D(T8} zy!|TWK2Yepnq2xIn^BtsHV&Q4X5V|AB%`IfR_ z9ntbyjs@bze|Ol`iIQhY;k!3yXki8ipzPX7lzqw4J50ZZivt4S`af$y$w{>LsXjO0 z;RNRihJxpfi82E)?r0mRh&m~LIX1st_JBpCuX!X8kZ$3WKbKK`^!OwyO7VAI%r}z` zFZ+d~?$JZxk>AD-$&<-YQ$i!RKFN;p>2 zKS?T^+E)Y5uO++2bKbDlfhr!GpykPkneL+0j@4!PqCY+la{m`RL{>QaTjODK$F?ok ztWEJsfHVm&a=nXgYhnXL0G;rIPVzpUO#<`?K44Dc*~2YwbeU(s;t>rdEYV~h?~i8w z9jNDHa_qfZ6+|#RJ2^D#ie}y%#~cg*v@hdnz+t(dP^}02k{L;b#gMx9M|J<38x8a?2m0}69`LjUmL!WT3muH?wRDmyh z=CbK>mh?~K!cqYzILng_|7KA4Y-(w^iY1x$Y6jKi&@zL{{C!%XcDB!=!akwKr9qEq z_CC0#Le%vWH^w8=MHOHBQtx?+orCOcPI!Ap#vaAq?a=)a$$L8O6kJ@kL^m9E=7Sm| z>FZ5F(*s~c`OXT<6_}#i$uiE=n7ojEznyBcISZ=b3p!# z63Va&VphQ3(J6oYd7L3k1N466~m>pN?qv$|XI#*zB#DwHMl4gs=! 
zjtQ`tQbg7?gUm{nmtPHNa~_45@iZ5;lkE^h6SORVF|rMD<1_&+RzY+GGp`-SAVb54n^knJPgX~MAj1DA;YiN3ztR41RLbCgb(rzzo$p}>T2m3n zzJoE0*!kmm+I(W+|J0@r(kyVw*H((>k4J{BL0e;kyH}E-DCiwWFf%wrr}p*!__&K7 z#?mhdFU3hOb>mx*m#K#VzI&74Om<`jqs6@-e+WnIfF@{gxY!a7SVw3Ltl;?-mD^GK zX{X*kcn)nk1(LOQb@QORK?&=mynq3oMR{!fH|p7%=Eim&*~29QX^|s3pSZC%fr|kI z;-v_S9Srf(U7_-N**dQ-ng=+6__KR!N+Bne#<0SjF6BxyWkEys2tZ3{)2Ody2#>{l z2hK)~pmc#i6BD`StCqRFwD7St$DQgge4db;vaCh+t+Cyxb--&&#yckNLKL9*`o0GD za$Sf2ax7?YdO4!3J-+W@bs|F?2)KV@q|I`j;9FfamGI}o{aO#FfQAkcLFb22%Inv= z>qeKdLRV6#9PAs;Kx}U%1d0wJq!Pn}o~7f=-ZKlaB|>_FyI*Dq1>cXbf5?F3BR?AN zVtt|rIw_S3i;Ku3lE*+p9_=SvoeKxTKlgwZjDB_Ax8g5jQ+ASnsE_9m)hDjelAfRO z=AD>l&7>Sg;{^Aa(eOjr2Q6AdIs_s%G}AD-vqeSe;eAjv}28Y&!V&(N7-iP|ym z62ei~GJ*dilKl|yA*x{Er5#%rDe+*`QzHL~9?!ztpR!6ikd2~TgQW!nd3xisb6Uq{ zpwf7t2(6CyctQ+!`TSqaaYJH?K9LD6q*Z%AJTP6ivgb`aEI9UL81$~s->j9qY<;kU zyl2b|x%sXh=s1i=Ld1dkR!7c+>!W1i6DByAbpNk=lzj7{Ti&Plnvzvy3}=f3vExp> z^+~4C7C;p)v#PZJxGC128@{<=*KY#eiEoN8p@?;j$z~kp*KIUQ$^I=jISn7G#^+jJ zz-%|=g99eif#YTW4@aAa^}B2}r*(Wy67V@=*?s(hT0wbV0Nm#%3uc=hKb3P{BPJe1 z^Zcg2S#Qa&v7LUHD&ZsA+H-*3Fy9((0`Nlby?oHhAzt%-ZshjM_XNH%HiOzA{dtD{ zzz@v3!?uuqkkS5Jdka3EKc9g&XzS{9{h~gHpvwek3+;!KZF_h0U7x|AJa+)d)N6dc z(K?)m7_yPFHP6JB(yd4ro1-`}Z%fJd0wh&qofGd^MP#f~Z*>4Un(TA@cbmoLonG>rt6@ORbC10;Y|k`n$>L0+|E4^!Pk>SbRr{OMvx#`}JT-SspFTRb zGZwF~#kgNJjDBqKvo?mSvR5w}vY|W!^_FiH30u~Kj~`uoeUXv*^kmO~aN7hTF5H=M zi-%GobGLH>(V>wXDjWwOE{vc8OOc`Lxh<%g4E7;kSiB64E2eRhIw6> zvNDV*n`)x1J8VgZX@vK_iNz_+eWKIHaDs0K4A`6F-D@#a#z3A75VGeLzm+6!4)0DM z2IsbPR0ft;tm&sYhx3l>sXC#gP|GHQ1{`hDZ-#m1h4|!DT)$?T^iYjF*=}q^;e9PFX;sj=bT1V zXxb@bUL_rpnmk>oIvRa1Wo&lN9K9r&LPRu9^tuZ)q#8Wm@Z)FRM?{!k`gKGjm+~!( z?M_~0TqxE}_#aWEX!c6;VKs01@-yT2=OpaOZq-<=BlDMWn3jm?Zyc4xIW-s%_@ zaXzQvGH$90Ae{49Ujw2{Y&lK*|F3=Wu(wRX^VHnGY&!r-#tztYG2Y|U&bid=WJd%J zgSq+Cif{fP8yArkuLyXoj*eltgxPD!9*bZ`^}b;M zN8C^7U-V|vbl~>5qwN~k%sVCKvLSaV-P7T+ah$a-5c9-V8Fd~4?NGHWDUk#xQZ@NZ zK|24Jng%KI-8vGO9#BRHVVJ#Z(5Ek$(jq`)e=OV!TB%FFTFV}QvDEplGqb1dQ}~fm 
zz!s62i&T034yC}6u(ILEj~w$z2W~8*|O&;a&y6N_e-xn2C-&wCs#i<^Qtfx_y*)9tqA!g9^~MB`eTxAT8Tw09$tZ(4+2 z@~_AGYw;yOeJmiD?slD8Go$_ROd{|zdDZvf2j28gy>lQoy$AWfByB8C%9)zZ=jmoh zEB`v&7t!CXHSZcu@46VSS_y|PFjV=PvX8d z5p}a8-C6y{-ZO=erG)i{84yJPuM`9MSa5fzQHCIk%n@nETA4gp3vUh&K$w91WXYNA z5h^sEiLjP!n`fB~$9y-Dp2PY78ynN@gA(5CBf(9T|Hk>rW@qZs;thnNU-w6(rMOi& z{zWHaKaTzzL0=EDW=ayFHK`u+LYyjo0Bf($Br~||st7I~+c4T-lTon_%gcZy`+@S2 znQqu|fpDZUdyuJ)m zKn3wyVmbE

    s!2cLE>h8JPXTb-cKtC7+z`Q~6D7)@GPR+hG)so`-j0W=hdu99y?u zP`>7MOWcj|`gnL;x)$ z^;ZRKKP`$gCO!*yHwWFmJN7020OtW;xCs9S>j43#b?6~@x+>Y@+o)=PG#2^B!oN#A zYy0QTnIV@s0DTF#NC2-K+NV-24(oUVi3gT=Prv0}r1TGhb9rez zhzgpiBm#mwyDnw2O)D_r|72qLzE8x>*t|%+{L45#k3cW{bl|k3;V#>2`Hx^IX9zjv z;d>Q$iYRIZUEO8*zGpAHXXi^wyr+#)qP-?+HAg=)m*-*qLy52jd_UcV-y2e4J&ETh zhNSVIPebjw7bX6APY6+LKt!EN;h#dkqKGkqEX*Hbc+kxWOHuno%5wY?7}v4yW5!aO zP>`*JDtWRg;C^q{q4VVz{D{(`F&r4Is=FG3u?t0Sdio^8yvw#m zV3qfO%X34ESO4$YOG-rMB|Ya!St^1%_R3p}1veZ);fxRTxz#y#2TVxs4~uUI0Cny9 z$*$dVfQj9cL1Tc+@t2BDF@c+|9!!P5!SXw$sx>i4ti_TWexqs2e_$fIkfqF zYme*ncLG~ zIVT|Z@rA4_C`6J^{4>9}Wjh@1IPcDdn56o*)KF@{w0_lY9GETn{o_gWrsF zibwIzejQzSXjh`?QH9XjR&O~RraA)QvF~&6^D}q>o3j^Zh7+pkL@V$h*eyR1{7@dX zx88Sf%Nd@t!VnP~NH}jnJvLXpxs#|vYW!w;yfV*XeSPZyc(x62fZIkf`^wwJOq~Ef zK)}CHB>!nja%UX~5}B{@_N&&A}U-Di(egsLMpe+#Im!Cs`JD_>W@_TV#Dz_?N?{ zMZUsCR&g7&^Wok;D^`yH;Tigy^ivm97e{(9%`zT1k36>&r=5!2m-wCUF>bjNImxSt zV2DZcDFYvBgB&NH!&_N`A5cHW;BIsg!@LnmnFxUk)Q zem|7qNE` zh~NQlQ;#9=PqTXd7y%EuN_rq2zCX}T->8SV#;E$jG^@ho1e@n%gk~6MnnE*w2ibD0 zbY+a8?zx&fLYwKfsdXmFfo!+SduF{YgMm!GPCxhr=a;^w__Ujoc1B*%AB7{R9RQCN zB4I2NKXO|cCTsx;**b+3`=Y$M{Abi2;o`BEXWx-K*T9fW8DLv{x$sXF^UODns~qQ9 zC>wVMly)B_dJd$0J94U_{hgG@Lbr(L39a_L$)BAFhvmQ1c_G@fNdxi;6<(KDFh72b z=gS)g@yg7X^?pCvw-LZF=Vvt6=tkX_UVA&C1H$aUw4H6VfD`m$$j{Hkd(8QRsxi+T zpp0W3tyfR+eNeuCGSKD$?%caH%_rS6zRW1y1D&`5fg61w&30YuAM=5IJsAh?FHt`% z{gD+zf1Kvo)nLzbO7eTbGe+J4aAw>M(H!gPsIN^(gq}AQ4};HQ=94Tv@q zpJz~bPY-9PQZtTdta!9|3;0Gi^!9rd{t%xq^`QA-B&qpqy3%UFnGNRqyga*%vB)C0 zi0RXV6W#>0FMO(88h)8zvI(LjuXdS`Ynf3kqL}tNAchrUAd>DuX^y~1Cie3^68e#= z?b^F=6)$$wfwRYS_jTCVXFX?-Khpg{9%t=aA+$B?LxAb29ALP(S5!vel6?Gr07)H= zlkmUY7!(IEhx5u`$faUtv4Xd$H(+VOuaDDO=Wn>)S1?#BmOOVZ#N{r)| zE}!^r$fn7Kj*`w<(fM^LeVGsBla%SwT&xE?2F3IA;1S?61D@^AxQ9PV+1xJ5jyX;$ zSpYt3z^f|-^be}|^!DG@xyjQ`R{gr{-f0$~{<}gAL^4XX2Hnllj#jnNWTDBH{eeh1 z%rS0%7>2)myEe96{2TUd&$Mjj^_V}}Hfffdw@%;%68bp_zgx_sdw-kN?Tk$JBdgzp z`5 zjsxz8GIyZkew(Ob9Lv8)zSSjonBo_OzEj?kVYk&;4hE?3?FEig5WDApsVk#I^M}5A 
zUJg02(b1{B2)-ZM;;mWx!$&km>(al*$(Qb}#@0~oc0|N!tj|Z$Xe8eFt->8c2C`@4& zVyemXzv63=;G}{y5#TFLLV+%R`JK1vxXE&2W_r2-hqE##{m6-?vQj8>Xc4vqk6(J+ zfV+Nx;%uJl*`38?T%8Dm*Emyyvx(8Actf5g$T4LX>51877hep1!}(RLa$^YCb-qm8 z(cN<&5%oaL0bI>S)ckVZyiGOyTcs6PaG_CJG;Kh0r0&aeA`J8E@cn}|i;LG@rr=*i zT|9m#IUf^_U-R~VT$r!4-%IuEqu)eKhlzOXitN0kXgs92KztFd#x4sv+xxt4#S=~0 zfy%cJ+MMT;*b%sxn!1!9lT04e8$TyNM!Ka;v@QZ%x8Ae9dAQsMfYVT3oy%5k7UJ~` z$v7DLbfE-&!#jLPNo>2gLWtm8fAo6LPhiAi=IaWEa$*b6BfF-o*mLOGYQ8BK3Iqo{ zY5=6qz#8-{|APR;?;3S?v{%*to8JD^a$!X}cCvQfb8m6}ib@3(+Cm3qV7)S;l1lEk zy}!0iw})YdlUc}5)|TWz+66Jzclt<|MayyZ)Ou?LK=(8P=0tG z$^I{ib850d4rFISj2&MtfMQa}-yL(lIh}cRNC6q^_y?Xos<$7UBGOdbLb>NF+zmY! z-@pRb~4BH+UGz`Wx_wWyKB_4lD2ax2{DY=;0IiGJu{fCuwutO18rR05!W>~Qt&xpx9%$tU4cfI_^&{G zd+cC}Vp3(IPUgT7+)%)4$y7PaQ`krUG-)}b?@EuQkSFR^Lg{FE#(kW%ZqniHs zv;S>g$+Mx<9yn#F*8C3*#X=3?@L1XYl2bZ-I_PaHH5Goio{hakCc7C!p|HjsjUWRh zhXK6a0{OzG8AuZYdKd!PPbBdPg5QdR)ie9|O&Hmspa$aKTG|WdxkJ9XGlUTp(OJl; zj3%cVAPI547*Pzoqpja1OS0kqV?L-_j~Q&zlf6@R2(kQvI|Sw~6Lyvz=s8=NW6?il zI*V$@c%AO347i7Si^k2jMD7wMEwL2y$*aWwj;FZ7!A)pqPgd6Ec>2<`pCpc71J4q; zajB7d1|D{b5aTzk#+15}gGNa|f5hPu$5ldQLDtq+UniU527W4;Lv&H!A)M!ImPSS0 zOndA==v44g<9()QIz3sEMTL;$u>L};^-;}AItE)=8kziU@z8E*ynR678F?h0g8z#H zxXhQ{C$%XUfUHKhzYUrj*-xsuD$M4Hw4QU{FJ+JWnjOm31loLkfZIC{RCkwc}T3K+b&+<=(4u)XYV;!YJuT3%!yA zfB6V2x50>|9Q$92r(e2g3jw^JMGpGaBi&>m`=C$xjSN7Ycz+M}5AgSB^27HbScPnB z_#)|2=DgsS;Xa?xZM;}tQcT_Bh<(#%@fqfTxh)y$V^IFkJ|_WCi3$6h=zbZ;@AHc} z@#km_65Vy>27GfozXn&rWcsr|F*mxgOF-9sTYG@M+wF$#P_Pq^Eei>i@(^q-o{Gm%JSNk9d5bsRVqo zCZFZ>Haz^YHZY^Q9+@xPUFm5R_UwvSc*LKZs$>(+t3hY;rG#z6s{l}PpF!NM;KX_> zXeQ^M<36j@aiQHm^lQ0)K{F+o0r=ea&T*`*Dtcmp0J(#>ujB0?e?qOu)(ozKDDi`@ zg@ym)TWrMw9O_38)PG#_73WgeCJ;U)W5p8Z#bBlsb4c6k5DZSl%^0cL-BMHg%GQas^Ie_RGYd|R01%5ZMKy6r#4>m`54P4Dg zR028*YL|4}R>$dVNNf=gd_F9HBAsD}?;y$Not=2@-Y0`+{ zFN$?i6N9V69x_lstNC{8G>QX`E_*NEWD0Ep_RAf=qQdsjmkWCbcI?h0kc0ztoXelT zWqsK9k4LS2w+119gE6#WQVoh*@Hghq6km8i{n_y6*_ILSxhD+#CXQk);2hg|C-Ypn zJROu{1<^TVhr~HCCG!|MU_;%n_C>q0wjX;1KK_&x`7wJ*tYHq3+GDt=s5;VaZJsOd 
zaf|SSSf222kR!uC(&{X;SM7u2x7C2B?BgiZyP7y0cV?jM(9w3ggYREZA^0Da!8W&% zIhLGS@&H9FGmQ$g<4w}5F)Uc{SA9}C-(4)GM{3aJf|>1*XF8eq*`k}sa7L2hhI@V? zhu)(ZD0rA=t=;`ajXW^$uV;X5L;cu!J?pU~421pl+`V=O?my3##YVS0T&Cq-x>dI% zd~lz!HDUI5x-oyuJ43ys%{A4R;PXu>8JfxcWQS1ArTLIUTsuJ$D=iZ~lF}~Jt^*A< zcULK|DYff&%m%-}0CqNcjoc9{`?#KMDb_euZxn!msf;m>xp3Rk&8>paOcX7W$5vtf6$_NRkf2P^~Jzv2M6=x zgPP69>1Z8PVL*7_(y*H)FYg7+VM>QycxP z1J0nd4&=LyuG)K@BwyqnvF-5Y z<|@g#VqUR+RUt>;@46U|qxAf$(-RT*yLq)24dDzi`Muz_-Wgn#jb*LyH40d)Ujrzh z&l`0S-d^egjmS-FA?bZGc>HBAk@6*MtCa+ouH5MnJ^ z{e?F3hE*D_kj@Y7iSyxvM3Jec>#`{UM`lv?aJv3~J-P?m1Kv-oRjgD#N|}9HzPma9 zSI+ViIZ&)bqu`BqR3E`A#xdC)mWyem`JW-j9#!As>G)gCsS^=BDm@x_RHh0e>6j`r z1!GUkV|V`jcsF#kav9B|ON~3*igtb_2a~c*n#2JpPAbhb^ktk2^023V!~n;TR}?<3 zOKf%UGm}3_0Z_g1ztn?H3!{2HvoDf?r=j+s|Cx#Rb$E28G;nqsVBx0Ws zt2kvrKv6LwZ#_73n_xRNNAqh3{Y@2CCu_Br(r!DK91`|g0C(Ot=zCH-U$Mz#W!^Ew zS>ZhcSWeCyF}*uKFkeqF>QvgH)LDekuC3asd7QW-9ynKYNPwM@+K7CUlZUg|{-p#Z(l{VFKZky#J+Q9puHqD8;$sptZ;HB>)m$1;? zz@K8WRxK~<$Kd05XCEFK$>R5LRo0{bN`Lmmz)^d+^!U<&5ZP0;$Tb$W94Mdh2rhR? 
z(&lH(TyZuVFts)rfRV_Tg&S!H6Z1Oow3%zgNJS1hp8tlKz%zYo~*iX83D02i#${D zKU8~jo#=jJJMhw;{TcELHQ;461XZ7{n>p!e3_vGg(+n(E7ixW41b2qGMogA`++FvH+noZ8s-_LKWIrKA|1iZ(f}I_Dc#-?e{w%SVbY|gF z*$)lKJ5n~}a50InyLt^;IzH29KS<9u6gD}{zrn(4z}~>_-}$um<}@FX7P-oW#3a4A z>vwkI^_ojMNSDoG4IL)-!aY8sj!0e&2p%3z1F;zJaP5^A7V?s4DyUox{tev!ot{Q7 z!&TBms_z2p*q06d=iBR zO4fH$e9&Wz15B+EKpuf*%2xe>ZWf|0FT=_-e<`}fQa%SpZg|rZO$K3e`uldrmkD`5 z2p|JOT??q6CsF1z+*7a}*9N}8k^QM%3XY>NxUe?ye!7p#_qj%hKBYU6Z zwcz=FFVH>J;~yS)scQhR_TNr_0-zArXUuGsS3O;(k6L;@Nl<)^FY(1P1iqPWYFR+2 z1im8dE27>B=K&zgiJbL*wUh7YlLM5BG7V?sC*~6VG2wng(Y@rYTDCwsMDU{zZk4gw z;_@)qDSmV@o`VF4Hv7eP8od#DoKPh8x|`kMOAzseF>kV+3|f*7mm5C1$BQ32tvWI~ zg8+@V`cwDdC8978#=UU%BY^Wjv!5+CgVqjgMC=eKBP1D%a0JN`xXW&G`(V}53Xac; zZXu_Tm!k7g(CLTnQbiA~G03WMX|?upYzv@*C*ZOj2=l8}1lNkiQw8Qx3CiXptD zQIufAr94!c{#NKD=-Ns0B6sv_$9rtcBKUQpq?Ps{lkpC=Ty1``L94NPta)!jO{YH- z-Ye+z?ZsZI7B-3FkEyzwIN9T`%jIzYDm0(-)FVd&`39H|WAY7kUTnDoyH>s**N?G# zJi=O)gO$B@O~bTS`ftJT@Ok1A`(O8UNaOQc?ejZKIfLl8xPcX9?97Qvj0Pc5S}XNo zhI*VS=r<=kdhX&}z@J^c@9!EIV?BnIZEu8Kb${rCWfOED*hrX!Y#Qf`i;oLkI>3n;dW{C(k>Tlk|fi2 zSpO|7#XlAIxSEPid@^q~@f|MNf80&tRUtK&3P^1FOq^a?2~|e2pYvcN1tZ1wmO%de z&1nOu_cv)QkUdOzyBo(moc<>ZrxUt=lbuBjR_crN?9dq8hfFF8kRMZA2{;t=g>;0b z8SP8-HpRV>ql$}Xc$<$GF&(wtUvRE9@6wg@mw$lIW7uQUt`B`HpEhTG8U9o~e828sj~R-R$s;N%&{p1hlW3u~Z0miu@_i8vOQKl=#s*aR{vzDt9A zkJNYL$z%L|n%AD)vnKw>(GrK8J5z7{dA6VGChwd7>qS7h@4&0LkPL22-2oEKKL)?f ze#!{_pfk*Tf*dDVZe(&5 zk*`mGA5F}t0gWMBg#~-scb+hla8s&z^k@ zT*aM($2UjU%W;Y~ZKH`J*L_`|(@#)p5pvIMFoCDS9RmflIZbJCJ$(2h^42SR!!&w= z{CoRD{mfh4zvu6JF2*0Aezh0nG8+4V(wwQPICz)u;Vm5IT!VB$v#329N@jw5h+!Z{SoFHZ( zSMf-Wi}|4z4~{Ua!iVuSPtAhJ-22q02kr!4e%;PUy%*&G4T$ivqO(!|F@oUHYe}L` zGx7Sw8w=Q4RFi!=jYBtguDFkQy%J{b1z;V=97AUe)gj@D#htjJyesA z*MT6-JabcV{10vQhN?8;JFDNy3*-h8$G8D6>~Dz)alE+F194&R_FeLk&txx_f|Whl zuFs!n*Z@A3+eq*Zoi{VuO787XY{#=b%Ai+bWs6{RbaY=)-IP>Ha9JKpK8nkR^#9Gr zSr4ZQ41_b$%TBK$^#cDqXd7e9OI?-!bdlTth+%3i4JryfKR(wfMcx zB(dv{z5(b)IN(Qw0n1n6e(vSC;$}83Q}6j5Q1(^-Y`Vg+ 
zN$%Sj&*gM26{Ym|S8P^Vs&|dvE>C0%9A?S&&E)76znT#P!7LCF8AOuTg#E{T_g9Ed z|7)~XdFZl-AC{&e1{$hc30w2~42+Bf_M>@PcLF~Ml8i5PNq0~?X1>%Hd=U1l>r&^I zs;U8KG1rrM`RB7(#e?tXqS+31_wCX2EQg*SwoYgB)V3~)enKPGmlvVxxODKX-?b&> z?fT(hi99aqw4G$rXGM4cB52q0Z9ptfYiAV!k*;Xe&*q>_4LASsf37L)g7h=)PF+*u zoJbsnO4Gj@>0{*by^`gf6rulf zapRl9qvvzR4RHD|i<%|0eiaS`i$m3)6L{=&WDY~5&s_D{MlLWTwSs=D?hE%m2^YBD zcFJpxy_z28Ba$*88XfL|_@l7mjbnI7)$zrrhKRyLbjU{Qq$2i85G(3T*_qKR`b2za z*}OuD3{UoqIp$@-PervQbzMi5qbjP}#+Zvp4aent~Ad1)tQtTjkzD;-=qO&^t zS5<)s#Apgc?QQ(%%P(Hw{&|z8wPm>>F&JT%8l2ENPtyBulG6q?2)e*Y^*_UK9VMft zJb?LV{<$m&Su1L^{?u7llRV+=UUTF77dIR*Gs{NLbrjzs?u2wy5vzE zyS?KB=V9r|)0bP%PJFt4N=xRM%P8JJ1M+95{%?2Vy=5~6w7pkOR@Rdh_T&@GeKY{l z7=73q$b1omW72-LNRssO;?5mf+_Iz(xDWdZ#7LP@zS#-_9ZNJ2p!YX>Eys2Ohx%z} ze9U?8`eLEoBP5^}>cV2%)7e(d37)_MPQDr(;17`?lv%ir5z50T{{-PWq~4$8xwRXc z@*Q06o7qJ@+&fJOAFlRz=uF~EX5+j$U*5Ry_Sn%Q88n*!UWbk6o@Y`9tOv_$`UM5D z_S0eNYG={|+-66NVtn6`ziam9_V1m>MYQ~3jTm8YL{>II&+qnfz&6s;BSx~2lQyS9 zicz~LO?ZSIz>_uXFx9}eWfVa{;VvQrP{yCsbR_bY)h9qrzz`B;OQ&8jgk(_HBfAa6 z;iI}XF7Qgb`jZwQIc4AonwsC$xhcVWZu6$&hk5$=J~rZM&+kDXegAn+qPeo)Y@zJD2wA;#5G2ISVh-dmkm9IBWM*rK`yqWPhLhqF^4i>Wq-J zTa@?U7*BvlYc*+KjdV9Tu_bjacMzMiv>BMT@hDs^0D$1*{bO*l>FWCE0xJDLhRlA# z{gCF*R^_P;#$F+8cV*QMC%TBnO(jDWlH^MhlR(EWqe%b-_`|IsRtmOdNKwEJmSZ@= zQDh$XQVbJ5Y(b9Krp(hXu0M8y>ro#@QZB)T4G*Sk$i!;rup#?%uaZZ;^ozmMVB2Lg zH!ux&sCZwzb;aF>YxPYUMqtQ-ccW2d6^r?SAZ?^;RNlh)WhwwF-f(;UQu;ic*4tT} zC+ikxUC^*YhpYVD4RRRZ3)#sSFJuUq!RN?4-B|0_b| zKYtfwcOjn=+buhEh#l~l@oB@-eg6D5km>Y&+tfXN_IDEef5mft#e6ZNp z+xED3?EMJ#@)-4wIeA4?n+rg0p^D?6vEZY0=%g>ZYZ20utaDe+yr#E4!&y`JSPgf1 zK}JAEH$IYIm^%I6t{})~HF%Px8 zi&?FW_cSYf219y9v=~D-G(6YaKox3?X7Y{Xgfzf$Wujyfr^N|$;PcAzt+F_0<<0p` z@_6>fRv%1106-so$?UEyrzlU`3HDvLnW9f8wsOZa+O6j?vO7JoZ6lV3s%BVo-#rxR z-M`84QYBc_zNA@XlBXX59aW12oO#RD6tSee1H-=nAF)=SeqZzx`RTm_-Z_TOJe}Lh z$gIb3Bzg05gzK%4gRiv;wTtUIRdBQU3Hm5)dFM^mP{9uNxv;f%MfDE8QieRo9^XK?lS zgvZ%kZ|)>&fS6vE&}*?@%65m+&Cgf)7wOe~m{<4t8M9H9N@tJxIzY!xa87R84Qi%>jw4u3CD8rBC?eg`_eJ?~u 
zMKI-|17%kAq3vAKbMFKcX+5zDqGg7x)X0BCA!{k4QVYh3{&2L+k^^e^!yb z1`T*nIj3u!)QQn%tnOU8i|;s15T2(^}eEWVaGrn#`d0B z8&O1RJS=E?iKe0dXwLEnW8{2vMwx&~F8RLr0SBVR?7`tycNi0fhVp)!pwQRQKnq=RVU6{8UL$&0s9V=ZrYNhA)T%HbJZ~Bm(G_vSB>nFLK?B z5QaU5v3Vu+aRE9xM&hQ(%m~SfK)ourugXiIQWmLK?{`q=_7)VQQrOdDK-KA;Aa}eR zGxj@ZrFpE@0Ah;u)rreYx7%=-moA{N+hjup=^nD4R=?AAksx|{OGl`PXYl0s1|$8Z ze}MQXl%J?e5av7kz(#HXUPBIGm(lw{6Z>J&XzXi`*GHOwIP(mr5!fb8H+0^%r`TUW zVAHI(eQC-eSj5WaMEcLo)1X%rXxWtb7U-oXLRL9%AHtez1N3x!PfvYL9^nA`gA`*K zGrbQm{Sx-CErA36q_Xu* za)=>n@jsFDsJCO#KV@ed_IVB54iGwvQexTun{jWJwJLyf9ed7-^*cLZB36gDl_fr7 zTu+Y&O7k#*44!S|EGddx3>t>u7o!2fI_HnPVonKF^UWBjz31y)IByg$KKKol@9AgR zwZf6E*ke=;z^tbnn$Yi`IqOA<%v*=oRj1go?*!a?;*rXMygx;86eav!=<7<-Zd>O# z7!Tpn=Qa5B@jB1$X9|mo+^_#u;J6qfEx+(aGJF5hnYcH-JsfsKhx;yNOCaFQHnN}Q zp`jqHjm?%x-om~ZOoI}U*5+8zzA2&<rlNYeo!O+82LWs&0+{QM(*6Tll9^3sMTN}1R14M1b0qt3j`|<2%Pg( z315;o&G6Fm1$R&0YA6m~Ow$~oWIq9Qu=x?0ItINtFEne41+{5UjtV~MhkclRr35mQ z5-oOm&)Kd(zw2Z2cZ791RiJ^viulOIhh+y&qm;HTqIzhp?}+c6W%E&XB{6cuqGkUv=S=t%T^H|1EmFT^jynV!*^CpLZ%O-w953~&&1bF6X; zAp6I2mUm0?uMa-}0?$v125g_MX7QybpqMZhD#Pi%U(RPQ ztVKdE022?7v!EopN&EHX^^#rRygxrsoqVU~CCRRWz559)`bketLO&Ju+wf5Z+(*V| zLHxA$bIJXen+#h1ol z|0?ejkSUPz%6f)lS%B;%N1C%AsQY2uGFAiCDn|w6sJ4)|2fti_Q)0pmv?LmE|0`}; zqUUpOo21iR@|3jNryJDy*qXj#U0P2;J&c=bPXB|~$qs5h7yN8{b%{NI?z)N9{gc;& zgAOeoc^aBp^>a|(%*ja@Vh0mccOPx2wsas@w-x& z1|*;S@HUh?D~a}B(*d3~Wu`H5u}ZzlEdcd{M2Lt>R%I(8j_YR(ZyVtJ(K(%iZwC;M zJ&vpQ?jNbOzcfgD!Qqh}Pmud$kdHm^%-F?}S+qStJ~O!U;f&CpmPBk*W6RLRgOuw+ zBFt4jHL{-6xuhER-j)`bPNw%*^uN(skMK<7{-xW4WF@A4BV7-M690E_$8ZBft#^1& zPn(Lp@6#d<=duTA82{<4ThndrRal%bW=~6Ni8wLu7Amp?1SB_stT56en7?-(sh_G@ ztUY!SUHA}&eSUK}?q0*cwWUwwGcjS&y4OZS{#(zc)#`i7ZU#19c9Cms0+iuq5iTh6 zuFuZ1Tb4CgUvNi9TBEMZjSEtsw){NhmA>;i=q<=;wDmt5|GIt(M{xhAj6b67#*1d|3^mDFsz*y!Zn37 z(*qF)ZCD;`RJQJ69{6m{INbt+H+atsc092A^-M-G1K-bTgKZMLn;@rlyJOpsN&g}g z^Lph7j4-*O>>d8gP!<{*iXUg~p-Kp5{I%5oXxC9q>`g_zd`+}bn$HVmL zZtQW0r!j5mPK@MONnakez8@4QZ+^ad?S26>P_qF%Avh##ilxBNky6iEJQjT9DH`O1 
zR%iWqnWpJ)6mUOq^S>t)H0sW9=iyenT??Xg@)pB*;3Iwi-$*AqfoA6B5a+^Yz1>{{ z?@MZCCu0-Ob0hHd$2g|iK#d&`zFJ9Kn8b5@8f6R0v2XZ4YsS&arb~-KjDp-^=|sDU#{JJICf5 zp&CAd0Oi@tJk4Y9Og8h`XPeyPUF|ED=^ZRxu~$q$xlKtc?pg8;KK+6HUlf_B{bDy% znn$;5L-E)xf$$RFE8m3wIe?xGOm^59C4m;uiPapfgiC;c*EF za4&xnE5mYY3`>LUeeTz%6mmO!YkBGePy`?b!LzEYp9l>*-ZJ31oU-4Ih!z_-KdG+dmqeMr|N8_)T zcodOq#NwwujV@0O)(0Kwvo+)ZBIauGBgEZw<6KxKT3HjaEn?JxupXEcRC{*-FX*B= zC#>N*A00Qq{+|*&oFACw#iMpZ4^ANHW2rPlxmEeQiZCVSXNgvg-}^h7R^UYgLXDO% z`3e3z@>}n|(mHDjVZ3N$2~>;D_C0qQ~(+MaREg zY;+!-QdniRnk;db8c%a)Bq{XuJpe21+LCE*%kBZeF{+KfwAx={Tp_5STobFA#r!NkSMXiSc zkT=-Wb9+qk8VL8VyX(vZJye+a%k!z=eD;}=9u;KLp@Bt^E8~MN>Hzn6)8#%$G1h5g zwq)R`GV_19h$X99~FzN^_%Fi`K#oZ{qkAa&Wb_r}F487B_rc&u@df@M zJ2w_(5QT~ih0X@JaZNB8Zhr=&$4XkP?ZKbrcMkvh5UnZxzG8D&HTrOy3$)|;L%qz@ z%Sn@KVCLmfkJay-mcz2SIT5kWR(JmtjqeOkVk?gPHzeR8t2c$iw7b`+d!+C+2<~Kh zR|fi`5X`R}=NOKwf~s5m^9h}cfZfH=PioJ=?w)$?5aDcXx7~4Yn|nGgG7s+)wCCcl zj@$wA570L9!-%7dPYB{QOL-*yXfe~yYy)EleZMKF8nnluv=7ea1ZJugS%93CC*`OI zd))sS{D8}A)AcWZCSZS>+yg;f&ZM#GVURKr-{eHYn>N=$L+7P#gV+n zZ{>~Zs2MHSx*4Y<{@b?hnu&)0;)^&Prh;J0@-FoYCVMlq<-lPgXmX(fu z0C`yk;TJ&jtnSKjdGSgNzf6^9UN@pMx1|v(ln=N89}K+(II~#~Z9q~SE+)u9aW1NW ziMkKtNHHdcZ(f;$>>c{fpHr@1^`fxDkd}fj#|%{3Z}(U6NqZH!w91wD(_c<4(!enu zYl52D;Lo=lfz8qYuagesExz6SH=Ucko^}=7jmZLt_es|cUWu_i{`xSJBk(hz7VpG2 zBDS7asmCcr^=%CVyUotUvm^3Mg49)!vK$mhrUdr#)esHxEf8~_gOC@&cD~n7(*<;5 zI8aJS`X{t|lR4i{#=TnQ1~6PD)pz=RG%|5;uS1>!jol9X*8&en3{MOKwrKgd z;NO*>7|#7#LcQqm(6}kHy!kOBinKeI&pc&|F%O#!;fD3iK|-+l-`O351a;~Z8S+`?0vio{(s+@A8)>MkXZj+pCgHLg58p(< z2aLHK1+kYKrt|I%nlc;MC=H{z)78gheHz^0tR(x6r5}n2Ou{qct8PVG6PYOU^0w({p$g@{{k^t2#oS*uD zV9%N2Hl2xp@Dv1oKop8bOQ(J)pi>hxKnhSzNCg zFQ6JB$lAFI455_=FTBe5R5R0iaH?$~@hL^yrU|Kbpp8yZ>>29X#IMoaK?+J)d8!yA zEDq>oS9^1DjB-^VU-gMEAW>z^I1k*JO!NvtuV<7Xc|mmgO`+hPwqNAVd6Ell9rm0U z5U;twL4mm1wr}F2vRM8dDsQR=bnIE}~tn?Gr?6&6=i8A^+d{z#s4=g{PTmMoKF%A=XZPt(RLdZ&Q zJu^f{bzf5WOpdE3%pypP*IfJ>cFzG~zj2X2s}W_-xp|$nU%fLyl-Tg}Y_A(2_Kl8p z&|n}h$s~fO@l#fwiZjrL-mL&tK&rp6mz9tvPdxp161zM-#i|6Q>8aJj5NX;09Omfx 
zZ1{3IcC;aM%$DWYF`6r~lg5%`k9sQ_y@t=&+kJ-h=@}MgL?ATkhKQAR z%3+0YA^-M0{9Gm@wiZ$g5H!ld;E+eW6=g=(kw(I+Bx$uNR!JuCh2)4LQyB< zfYo#iVXKN%`xn#^-ibXY1v7!F0CAaZfh}DzS#Xs?!=5vTZmzM8WjQX;{8zHZIRA!< zJlgop`z3jAxUU2CSR&hVTA*(h2|z2TX3trH_CJZYovPmja%gi<^jTocVKAhvsw+cs zr`X$cta=K;&S9B7l0X%%9%V&^yuB&(WU$SJ)Atga6VB?H;GTs+%MU4k6i$u-V47{~ zLF2VBwypyF{67-%AioP&>WZ8rjFK~4TFl?uoDu}|u>m$~Kd4_K z*!7=3?UvjSUZW;o1X5mdJrjCN3O^9`K-l3jz|CyrUMkv(l0656+kYaiJ;j7Q$AcNu zPPH_!=K#PMq@lnYmWUHPc1bdMZTiRpfZ zMD`pFR-DZxr=|UOm3H->v%_Wd{wD7^8Q5HS3YA1`HpQK+FtC$3NcNlyURzxQG3j`n zL0yg?r=Y&RzLt&StpwC41$@YGVNroCWqb%MGpglS;8!mzS`j7;k9v@_ z_(7J#FZ9q!9Ybz|rAPtZFI{s3r;WY6gBN>_=$ZPenv{E2gA5O)E1tm{G)*})?m7t; zmQXQ%s7}Hg-Z>!JjucY^j)y|pl4FQ72|bgool^4uCY19-(ixCV4L@Y--%XHuH5U8d z_#*ZkKZN}=a4`Hi0`&Qy5490eD(dZ#X(MS|0$Jv+M$<+BA&p_n2T!;Cow!IE*#6gu z))*@{W0aFnfD=_KFZR3);;rUJmXFGQThw5cc7lK$rfA3*;@(?l&rd*8%c?)K`IsPB zt&RL5KsDe{^VMU-xBG&dmZh}+Gw_ifHtLI{5)VOG91Vduh&v!F_+oC)&8Eg-oVZ|+ z%z$jZ$o*%H=pRF^-?*bKO|P^-Z%x^%WJ#-M`z`bL?Kw})#yI?$j(fsEdb#I2o>%+3 z1?WskjgS?TBQqB8ly2oZuai~TTC_26H`fQU7+X`H@Z9xZwZ1r0DHb$Xqy&|o#)O`b zwBzM$tgXQfc0Vjn$rCfGS+6XmFAAL8oS!lhu5u{`}e? 
zAN9)Ix=ikbQ3pC^jO1~YG$g#sd(kiW&BvSiP*aK1EtW6vkhI(^W$FM!#o zh97-x1Z7tdD)F%ARQ#ZF7@rf6Brj7z6EH-~Xk3OYpin)u_S}h66R*X5CTgE7Geric zf;|_WZkmQtbzJsi$n-TMyTlA+pD=(pqkk0|1$!Q(nr0dwvgb-Hr$~^d!x@|^vkfZH z-mhpVGcC+rC@QlMd!B?#h|EmSo&$@Y8YILAJ=yq2l08Slm%pDPKz{&1p{}?75CJ!H zNwwDwSv`wsC3z&WQD+pu4(a?i%DqzBOssgasc@y#0aPm^Mn~o%a<=-WeIk}F4NI9* zd>nx$;x1_O#da+e?ps4((9$(kFBzf)9OC0Y>^Tt07wzei{6jqY;Y5uA0tImC_KZIG za`>>9x&}kR&f*-R*UB5!>(eEGe|tJ@+189UY{46EedRs4Y%ItH!l6XC-uaILE2Hi( zgRU;rsR}mm^;&q0!)4zwOP5XoSe^i}b+wp`!@BE~{Qr1QZo~qYSZF*#A zI1>467(mLdd2duK)eI1r{V~9v*P!=mTlId_YQ~FH0fsP~6ewHv92YauuGJD#sq9%u zXq?3u0x&S%%^=%W8QeRD)qfJ)E>-G##R<9c1yahnJc;ZUUCkz+vW(!d{E#&}XN79Z zFaTGXW@}by{cwh$vUr(dzSLsp7euDzXGZk@_3x@xSuq9A(SSXVB0YV86_m2)P(&!< zC@}ITO?|a9v*%8XMHq`e6YJ@y_^=QH{@PT(qUjsogxv`d;-iL&E_=Qt`EpX%GOz%c zOt3Fg`%n^e+OZWaQ=)`-bNLyp4dRK!a|xuEP2#Q|`TS+Pqy2O=_JQNo_%xHF%C`$jiOK>>2-H?WoFg=WUd{ON)!v|`U| zPCXS9)eQMdM!;uLfQEUS3 zEKhv76a>sf*mZvwv^r9aRf4U#&03+^^LiMwe&=go&s8I;oMMkLN@f)RQZCNvRtALy zX^Rz7@p|7CXIB}RUpeqmPIw}YJ&zIj1~Aub+uN;|y7z<$7d!AwTdY6Rv@BJoReMhKLM180}tLzRI4D zRL{(A*mD##U|krFFp*A4GbDR{!jBn4Los8|VdjtiRqS~QwG4&4}?pWFXfjKsooEgQA|Al5g-M#;d%IXIV@M z@U7Y5POb+lxOdN#GbP>T&4fdZ_h7aO(+~J_FRXI3fs3T2J{IE z6F|i%SITjC+WK4nj0;XNjYNoS&tcXnO%tJk^`2{0LeU?7V%C~FJ_=7I?7hCC~J_ z8*hcICj;OvRMF=ad*sv zioFB^)apqCJ(n_VOphX}u*Tl=xX?`W8r5semf8`Cx|X08xXT)?F@$PR%7fmTGNtQC zuQupLZ*BhS+fam_@ry_)8WmT)0(PgG#_Zb1Foj#z z%#~m0rE7M0YA@VDOaR@m{;4N>QIVO^;Puq*g#1_L!ld8P(FKPn;K#Uv0AY3cC)jty z7`--_4eH3u5B^_p7=*c*0rY<<*mppn3))ik5$~%u)lWE15=6?9re1?wU-hQ3sO!xU z*muGZy<|Md%!D+SbP|uP1x1)6j|BsHyHQ^y#*Cf&{~XPnIu!}ohnfO_U9)Xqg)#5m zX{Q;+yJlbmQe_}TE;7Ue(e#~eHrTu7vBykGhZkis9E$uL%9qlNg3+5<-awt8_DZj*3m&0x*-iK4q zo%QgNRc+fmVc@c=Wr)Np>NyXjM;fR{T4;P$t!`wwfkcz!Z9eNi7nt`fVfjJtOeyh# zFzq{1TK+d-e9KN0p!CE9kr@mt1_Q(l5MQq~d-AH0Y+%(hn41`k4JxJv!-~Nyci4Ag zb=CNrLfa+@jWAcz@s<4Onf^XpFiHf80b<`tGGoe8MT*rN{i_UHFb)d4m_)_5QHh$) zmdEGS4o>g1_%btHuUoNXR7|{TUoeqPwW%$ISZNQDGlObUN`(HJI%SQ6BWwrpUe!({yx#8xn?k+hl&o!- 
z7<$zR&0sbyMJwQ6k;-D!#INAcQ}&&CdTV_^G3+}m3~5+PYNs9Zg@dDl6 z0yrg& zmg0F8T|VYBib9{k_(<6`7#bM#iC$IEEHtYbSurxUUBMBc&y5P0cZ|pjw%5&(WOr(` zJPO#wlIXR((D*pPzEgq779$~Hinlv7o^%`1qV-kaELrI96dV}ozN{=jvqn9oE0Voc z*GhXJ1?Y-8gZ5*}JMV}pE#sUHKEqbK0BhGt!30k72UStEt>&v4OCs!~cO4WMYcdMF zmwdWyTDwjeu>Z)=2)ZZo#Dh6Z`c^WGxzz$UA1q{>12Mf;;nbXwB6|2z`|O+rG<*$W zf-SqF+ik6`>MO^YuwzUp>rH34EuQqr3K(U?M~zFoC)+_zxt2gyT;q?kDMP7xSm}&$ zEG79*f_k3%^{1ldt5H%r27i*f7H>BBS{qe_c+#HJm(+>=h%#9CGo-KyeDshN8)xh8 zP!XcF&^tjT4y11~6iTr60`_iCq_@Pbu3ty_%6!>%a#~~T2xP0!a2yFX%VV$Kf{ie8 z{u@X13a|XjxokfRG#lb-@Hzs!4)f%{6mqSB zm9VMTy8?X8Mxx=ZOpc9S9QrE0F5iuN!8K_u&ZgQ6!(#cgmfS8xBNpc-h!o^=lvJ*{ zKcg_f{%F?flS5H9#Ri*WSZxs;aq&XWOHBTMYH=je#28=h#Xvm)`BY;G;sK!;3%gkV zuCQg`<5txCm!W^=q$O4IqXC}^XRpxL#>>yZ5aM0>J%cAX~h zP#ngt!^Dtj@~VIPz>2d`B&a|*_O6qJ?s`8TRO9AOu(lQ}i&wJUiL3otz1$W9=^Kes zXs&gRur(p@XGXYmH4M7tqt+5zk6e%A)pd}XMXbmh)jtABBjm1wq74M!ueCneLc=;= zNc!~@O{M)KCd-Z&&*&)?%`bid(Eu)5H=5A=5Y(Rl-5uCL4?GR2jR@ z&eTMOk@`JIxjVS)=!&Nq*YSsPxMR%+NTg#!aE1X$B(u8hIy5N#55DveG&EFt&RT~q ziMtW4us}FHPZ+(#pV{cd5W`+(=0+We}w zwl`G9$SZWQyVio%c4ZV>gXA_%v%d&-9V_wL`Y$UR1~+^K>0uMI!CiDk zs4v^0#MG(69%)$hf^3_wd?A>#0E(tnXUY*F_m&lFuOnsVmAW{A_uTuv>&(}|L^VZ$ zq3eqbz5Gm6V>KPpmJF4a75D=M4%xL9=n}~Z$RX)o^2As3fnsv2KG7oLS%?t&GvGEo zDS4r9sQClv32Fc10dH#)TSdc!h&9F%#1fY^zwDU-kaLR<{r9;owZ=!vv`KIl zRkk3zju7H44x`5mCKbbfkRjgIlNa0Bv}w4Yf2%=)T_!6r;Jwq*nAk8y0rfcI$|4z9WhhtOg`rq@UW-FZ8ogdXg_v~FDL{q7r z%ze<-|A>_+>OIebz=p0(5>lG% zl}MxiJ+!Xsimj=liJ-dhKq-WIr=cL>K;=S2Tpt6B=1 z#x`QtS)t_Cj`+A);(xXvUqjDpRS4bI7*|?#Qn-cMB3*nmLu^4-k#7W~vSA~417Sgu zZ%nzfn5g!m=zyIW8(-T#75D^ z@Pd~AH(~I| zcLYQ<#G24GYub^G312N3ji1Fcxr6t$gQQbqjbs1kKaM3m`LXL%fKN#U0DT)Nm;pzS zs@^SBox>&y^syyk+Ib)V1KSf~e12_`yt)s#VWn2}{K;e{;G(y*9{H9NDd&AR%JfblG z`k@;bsly$vHB5%G9yP zbqUnvYFQ4U`xxJR9vrZ=svH=(vfkk=E`i8h(I$-jTD&=DYHRIkBZ7=Nnn7!&7+bcd~Pl#{{J+9^)8n==Ct*LFv+ibI&M zH6i$tB;K&+yMMrDFMY>QVvjOvtGbziJ;pbYu-dzM-1>z5Fk*aRPiCW*HG)eg?Xa5| z%*Zaakd2A)a8c%pfWA1%w!3;Ds`?eGMamYNP|fX&*m<%bZ+1=BV0gdE?243D1%xJb 
zdBmJEq^AvQK3nca!{Ip_i%z!kTNo;$jEdBCtG047qhp>N5&3LMXx5YmE3%CFf=cyBQ!Q5(w2-l7ftIglylCAF5L`!PqdYFsk-ZI9)Uv-az0s= zo7Uv!*C?HsXeaGj%U)QC_{@`1>&B_faXX8NUe9Vdkzq)@Q|RejBCP>#FxQ36nw-`c znwiM?!pRAPa1D_I=yE!4wAI^Oo;I_7=1zgFD~m}MNhhpKj+R6oDaao^`ymaatt&j( zgq`Qf1pa3SY64uwSW#le)l6y`E1RijCV(u}OJJjw289Id6~x2nqWQv;u;o$`C9C^t zBE*@~w2#HkgQON}aRiA^@u#Jee}1_Eud$xCj!_^yw?U=$#(p%|!6F z)(yFdHaoy>T*&C{ar3x{-WBo}@JU8+sVBb2cD+IXP@h^LaS7MdVPo@$#0_IUI|tK# zusGFr%10Nty1A;~L38*ipvYL$EL4_{4;pvXz??}EVky$>Wx-U0i{EBIC@lza}Vaclca48V0*H2}g8KThCPmmvYT@rxwkxS)yj2Uh?d^ zYYL*Oo_nxl&gf9{#VZ^gDfWzSd`x)&Q%?%Bfos)M(g2=^#B(N_T7VVF-1T1e8<(a+ zq(F~Boy-LU<{C-qG_TVZlXbZI}A?o=zmPzc@mN%;=h8DG<1%^B%|J8XTU z91l+m;U|b-+IqwEpqb}?zdxdtFVkY@DM4h5d!S$1c}yjmMnX-psbxN}nmY$3EZ_^y zSUq;07j{b#*?ll}9uZbF4G`$3N+DULmHBAN#DVxOH=t>W&4m78=lMWI!g&^G7fmW{ zWf1^Npv|(?q%M+T9yBS=Y+*+pF`=i87;(L9)D|Ud2cB)I&bS6frD=PiU@XYcajJ&J zLo!m06qy0%QrbKmw7L@vOq?z$z7;#q2JflGmD-pQ9s*3-x}0{BUQ4Kb?@5-mCYKAl zEsDfSMb1@&(D0@D^!BOJz`waeNbY}vnSIGs_QolvF*A4UJQ>JFHs>Q*pvz&fqun@^ zFG~`!txh#HFMyE@Se;Xpz(eR4!|MCwXIhnzC_9f0**MS8UrT_Z&i`oa1w4EO(F#ib5mjzX z{6=!~WNz#jhjGZZ7tJwCm+FyCy`in8%lHc7JlHKJleuOz4X%-F9+ZOUHpM-2N?maW z^W1MRt7`#$*%`x&WkF#_d&KeEIqco{r4SoI#2O zX`bF1&UeXb5c?GL^dCM-_1PN`pr+wR)s}4{H+)pFk7eD)sR=V9-JuyG9|(F5hmDy$^3 z97rl@MB1x14-f_r67iiBMQ{#l-CJ zXAX8<=RMWxEmNS<`pIk>mpolHV*IwceI&mNeZo-1jkVH5sca=FtrMOw#ehki3|in`r&95c3lL#8>WxQ)JU)n zU8k-p6{X3phoEUh-Js$_xo$ibqLb{y*aU%Hd%Ub#zbOg!!l~JcW+XkdQQNs@JY#?0 zprY#$zQSQLYTiZT6@Rni$+T`d22L?{id_VtbPSdYyd(Gvn<~Z($|bZ6#*AS2f;bI? 
z$}4udfwyeHW>Co_TiNV-7cL!&>aJVBn8RT}TLe$|X9Bv>lTzqQ3=X|{c5Tyw#@mmy ziX>^~A(}3kq@?l4GsfPTiwJtoqBbc}e|(@i?deeu!ZSBFDMQ{ynY0d}#O3OT#5U-o z`D)}ZmH}slMU^T?p|$>$S!&93hoX}EF(@Y=3K)rblH*2&k9H3f{ z0*KcP0DTzfYCoq13n{c0=hyR~iq&yjzF!sp;GQvfwcZin2 zr!h9`!|Zy{7yMWLEHk8WDqo2VR=K)DSs7GH)cVaHC7OA$Alphol6YUF7ZrYlPp0{{ zQ%jmdJYp#h+38`VDcHKC1+b^rhCf84+Y0bZs&INkLJDg~kP+i%?Up~nrLQV~N5JFhQUw=pv@hx^PL9*+$lIxoP3yCn7eNgFt#Ga0a?`WShUAcv>*qSjsF&M~o zHFV~5G2vxMnS12Y7_3sX$+S=p3c)q)0W?%dNf=$iuFvEQ{8S9vFEdGUkV5O}l4_Jv z9Zm5x67}_CDY^%J(L0i=U`&q0lMSnjlvH@@>)W||GjV7gX_#p?Dm zlQ2Of@I%KK58HdP*vWc}Bzq5*5>6E>GPf)c)oSx}Es`Zyx_a@7G|Q(4hf`_RiudoiHsgm1w3h1}j#g;aZ|e3k-= zrrOxPa3i$(@QHiR3p4Tr>*7eWz0Z{d%icr9Mk!VSsYN3S%al_MuSGZw+e1>AT`9B= ziKNt3ddNJ=GIgs40((!CTPxAa@^=7=22c63&kY>=+9&e8888pql!(q)T|*_+ zC>k5~q?v(AUVG0BDJB<@0$8GNkTDWchfw0OXhcEzT9j}ooH{hiTrw%BEN|JYUY{p{ zOJ=&VWbaY2^E)k>z|SBdK5Js$k#qoC&z-?qFzg~tMfmgv>={#zWIZVysKh-?0dmGc z2%2C(dQi7%EX2>wqWpn?R6+g>q9;n%D`xe7*n4CWxG)b^7^&|}!$N%~GrRX3phUZ+ zUUO`Ww?2aVO_y|e6=gd}0qkDt&!KqlIiY^_D0)CTvIk(KD!EZtgte^(-(a|VlskbS zdrdv8-}yL9pKw!I!-Uv-MyTmdKL;p@54y4Uh!B18*S)fU-3&n_d;=h?xje6(#h(F( z&LEJAC{>TW=L1ihf0(2#(n)7m_vt|^ELCeB=0WIQcTQ`pdMerZdUL9UvaPlE@K|wl z76CyCt%LTU5v($k7gUhFM@OiN6S^X8v-X}Gu${Zb3VRO@5zrtZwe~${s>_qs z@OAk{uO1jElGIHO|1W<%nx=pLY{GnU(2v<*@2R0DgP<7%1*Bv5gk&X6gg{Hrzd>K3 z2Aaay1{jmg=oJbNd(Q_1tf|Kv^OyCBK>g#$4H$bg1vhQxq)N4|{1f)586WU<6QG-} z*2ekukxaQVVA{Hc`aI&_wDu?&JSojuWw8Zx8^iNlA1Eja#bGDhJ<1ctYG0v23E`_> zsIo`(TA1o0Y|2hf*OPV<-2o$XT86~X6>a`!h=XHxjEi7pW9fAIgi>XxnhL@I83Em> z(je&dpD$nRS~MU(hCR9g=L_UVn?|ZBLv)O0wz(oh0FC zD67fK*M7U;KDzE;Hs+OWoOt zEnIq>1-3_XE7J8cC4l}7G(*xxD`U%+63G@PinFP$Kl?xx*3RA$2OL0d1}#bzEU{$P zHJ_~n(~>mB9t#Y-XI(o5p);L)V}>OrdL{OL2fg+vO%~&M)Tas(j#G6MQYdqJ$OCLv zpLLH?A?03JR!kUWd*}k!UR9Uhn6zU|`0CxbmY&HkQ(cPL(vvGjRjL#UT{ewQl);rn zQ{w<=7L{$+Np50=%Uj+#V`~e}cuZio87m|p!uFEm$g_gjs(Hx>4r9CM9x=WP+^*$k zv=};d$fhTs=~+Eqo;USr*P8_P?SL( z?9n(1n+JOo1>8}-clM|WPg-3<6tbySB_VW_1+c@(uTXYkkBT5yLx_g~fMK=!fR@Rh 
zb@u27J*RvVfIaE~amSi}OteI#J&!821KmZ>K*k;=L1C&f2W1eHc+*=_=5x(x8vZ~_T7c*{z-=^_k`a$x=UgE#@sLGrEQ}5blwN5Z$Jmq&sYVquc~M zZHni%Q(n3~ti`G@|1o*ToY2;r;b1e@%dY1*E+t?@LaxwNiX=gYO`kG%q!IC;?UQ#d z4{NO|%W-DwSPM@*80XH~*QmzA$J0_ia#EL2Ehn?NW;6_Tk!;Zw^Gaof zENHiYd;z^%!P83i&g^jqA71P{Rou|_2&4jr&BW;7(yUZq=aIk)l}Q|n4 zU{D?DA3hg5&lEa8N0E_YN33VHohJgXSiPi&ND31p%3*5Jvng8E$YE`{ddTn;N5xi= z7-ugC%?dkD6vo;NL(Wv&w2TTH8NuZYuZ5`e$zms3(R{tn1;6UI{RA_?eWDA9fGY z9D?eqlmjnY3QFgVz6X~qK;5EhGf#q!0AI?!Dn|IxvtOfb;9^d7x=);BsnInvu{Qoe z$$&H~7B2e8ZLjZyZ|SVYf8P(ze=gsE^{U3mvW#Yh#P1@3_lf3h)b;(FzOcGJP>qds%d~0JkwyU z3F>Prxz#}MeM98EvG5v*H=wXPaMB))?$HTR{b7!qZZWtW?rP$Kb0#64qa)CS^@N#h z|8m~g+a7Vu;4mG`O8~#+u|0cYdqB=@%f)6*P6U3~9PT-zEAxZR(U~t%uh43J!>-i$NR2e^mz{$`(cLk3|~u!-nQ z*}wexJiSZENB9!aO%%!Z_FH$bk zJ)ZVVU3R82bM^dmquo{h(9hY^WiG0jgaB~6q3(b@XDCL}JJv5_^y*}~`VovN`BXD*_Faibe6TRj#KGryAOYHPf)8f$M z!AgG`DSnpld=TuR5rO$BT7SH!T!Aq+@(Ex1`(*nk+E}}}St>t52q`^V){O5a+kb&o z5$@XU8px-9cX#JzH_e(d6KBMg)LR;fdq>MUv?moIN_}9kP zy>yYB#&W$Po4Mt78$-5>(*$oqFjbW`kV6T6Y?xpm3k2DljdasmZgEkdt#o>{+|~RX z$TP6R7LmTJa-X~KG9G7Sk8dD+^9c3OsLOn%j7P|PXy7}*Mk@|g0gjLxFy+k|h1*D5 zV(0_dcMo)=$U^~HC%0AGa433shD4O)2}dqhyc4qbOmnRR-}})0fRe;X|2eLj+2ni- z{B3^!TuVs_Z~Pd?<>M+IVZM<0{>s!Q;>nFUncPp(0(%`?Zocl%5nKnuIp*#>eE>tx z?X#v2!vFK;uzlW9@k3%A&>8;r^BJv+$EWseUAy_$Z1t*O@o=*;p=9zsFKs_8Qq@H> zlMTR!rvvRvMz0DdSL!Qsv&{0aNM>&rd;;^jHcWf!$ZiPhGnfQ@6c^E)EmPQSpAk}a zC=LLwzC&9O5T+Pm)2qg^d10CU_h7JwNYHWe0U6>J8)^l~E}Wqz-x0*Q6uNc)-6GzD zz3wrA%9XRbc6ug%Vt*;mX>icZOR-9q1f~1*_zr7xyqGP#e%x|Bu6)k|HE9%$2o>g4fUf>67d~j^G+E%N>??s|>q_esfMc6~|F{TqCm?w8!sFcn3 zD$vukzF_s+kc?q;NPOU%%>mf@6j*#h+&?M48>!fK*r=$#uk`RNF9o2GrnNSxLd5z- zOU}QDUHcU0S_B8=Ij(%wX?lsMw%by#hsTEbxCS#9*GN6=Sc)~RESO<1$2T)0NO3cH z$=0`LJnNx)lVldO6_=4;zJhl~1$e1D3x$rZJp-7f#!ZsDI< zJQPP}MF*eeD-Atx4)kf+abAYTf96$(h5Kzd^0P5RK+62QN;@EOi~u}6AYcM`8x%jT zYZ2QUSX%M4t^RZ6acn|M-Qn2;IVp-;*}8~7rMJTkPWdOZ9vBh#DVhOOu!8&~I}6@> z!aSB_pf`a0(T6o#gcGxw(qXuU4h!4}Kyt6Ei5~!ECd%Bhkw(TDoS=Me?x$+v%|au_ z@t@a)T0?SWXvf}!HqmkD_xqgf_G|E(UmitXhi1G&|3M(PdaS2xl`^lp?eOy(Rb;}M 
zkJSz8z=mc3t2eXwFozlN_ox-!rNA4niVWc14~IqZYIQH@%tg4AX$RtBMQE605aUNPN_H;-5T zFdJQAzJoWGei>g&e-MJCM7?g1Kr z?SQD;M+WRV^t>+O4VY#}|9X>7sRaoWuc-+8zScTu-sNXxD{UPVPC};!@c(5XL0E0B zm+L+NKLPkJg#!{vp_e91Y?(+~MMCopVSLT2j37UdaKS`{p}S+7l8#6J57C$UN-5Ws zz(;ipr&p=^s6~5ZfHzxU&IeUC_{K^&r=lLY8`(Ai(LUC(hD1ZoX- z###(PyZs&T0VKPZu=)}pA_*Dg0s$DF8QNLYrdSS*E4tn%k-iA%ce0^r|6MU&sK2gi zW}$)K-kt6$TzD>T&m3EL{UYC#c6R=OVlAgF*5f{%24QD*a@w@t1{PR+YMPONWc>(f zShE~!iWyf-Vc&gS1DuED%X=qYfqm)6jM}$h=*}>vS-TTR?NKAg6grSq9@8Y&dSP~u zY$u7;Nk*|;`*!JhEx|D^o^{rr=KMwdF+$n@tG&VP{Q_Q`gpIl#yFT6W8wI97XjA-KW z32kVq9=!=0A_G+~<*#=nK>WfmG17YgvpR%!9CN`37R zBKj9Zcz1n3;yyv}6PSG-K6+Y-u6b4)z8!o!WmIRd=qQ5Tge$-PAV~WD53bR^$^86Q zHn>J5G7o7D*Q3ucD0E0}0bqbeFIsoXFN}@`#6{CFqe6aVRr+DAWhX1w)KWY59Le0v zYqAea71T9FV6@&`8%<9_&h+xNnu3npYe*@TGvHldpObS}CRE`KZ^Aia;n6KC3LJI` zTd3AdGTK@i1x6DymNDMd(gyL#B&>Ofn29x-`I+$j6|zmp+sQSbnl%hk6>SYsu=dXk z*=_|qy}&&iaktePjdg)f{U6gnAnGk~Y(wgRvieAMlA`>KRs#U#h~Ithnd|*d)Q5lx z8arA1V_AUte1?GxQSU6fCSOxNU`*UfB4K)jd@;%;;X0CQdw$R04s-8TNns=3wJ0KF zID8k)z~l%Ss-2Bz4#0h*;;oN=Xjn(f^s%zNc2obCO^94=K=+@Q zcEEE4VRuh@TB1ea-@3mv)J7)&tY<_ywf!TT>I-Ruu=mBB!1>NCAX14B`t%vup3m^U zcsuvg_$O*^5|OH6AqIcOvMOUy0Nd3^|AFFcgJt3UV-2}a*^d_wP}3^`i7}90Nb_8H z-1wPL;}7}jxB&%aIBWRgF=#-24R#pd(}*&+D*uX4X?n1Q_!vmynR^V* zo3K7GR)E0APJkacp21k&am-^EU{0?7*EK-$gFLV@99Es=!l&7_U+Rqc>2pI6=pQL$ zI=}wy|1;n{Yt4qTR<9`2;+X3v8$*mg{l}N>na?YoEmOD>M%d@S^O`@TLBCZQ@;EzQ{D}RX~t+JMAzzW)# zSAKeOl0)_}#f*&@ST^_Ozwh?zXM#$TI-X~;b$g`3c9+uhG%ldgJ^Y`=$eqTyy$5DMv4{XcU{?j| z03#*p`|_{SR8riYZ^Mw{<$vS~CkC9wCKtFk&NZ_6BBM^D1mG;Liy9R z^|+kDI;R#S=0_~{pPCG)fE<9fh6A&V)G}a{{oOVliyK9Yxk|%PURV_xotWk!pR^S-6e;fW>=Df z(D!s^emZ1$gYPh2+!^)(_c)h)8u<-UJy`%fuP0VBgLf)rd-=+GQqI7>JB9I?IQR!Z zYB!i-(USpD|9v&)I9oT3np5O4k^vmZ7k}zz&NAqmn~V~g`*#G~LRcbnss1U}e9qUj zMs2{Do$jGC;Es5Rru2aU=@PdFW5?k3J^8YzHxK9bLzB+2GCe91Omi@+9N%aj>km|) z<~_GBlijn67fMM*OGuhVbJ0muS))@=2?VI_NR(#S2K^fbz508Fqeifn5-$GYx73?kq@? 
z7?OyBh@#*>07XE$ztpYkcoru4;l*~2lGihk3~U|krljWnnWcA1GtL%-xeDF6@$fqk z2raF2Kr-Sg${eHqd5o#|>xv`ySp)IME=-lQo|O3gu)#UdQxZ$cVF=X(EkIBXQ=gBZ(y9M~5SheBc3xAWZAA2OfBwLk@J*(epUuNe}v< zgN|_U0f*5#@^U4-;du94v~_}C+Z*O^A7N?DVu4*U4}d%-Hbwb))k}dP#3e`SVA43a ze@EC&tZv|rMeiTnKBt{z;*Jl6J5Axw)R5YUQJ+~3;OPYF(AK%2ihNmadVPJoV z@Yo}`x`CJf>>rGydW-%r;qrIWr6>c8aXRO*qnn{Nm|y_|L3>|T&b@4y`ameah}w-a zIKHP=$L>j)Ko3JZOdslaJCRFzX`k#(+w1PN%Fl%&z3)m6@;%=Tx@DLH!}-Jzo#Z70 zEipEhQBdKv`V18c{X}}UJ!y;@F2?Oa01YTBPoMice14u|SVth!ZtOLp<^S><(KafN zQAhzLVf?SO&bY5lP5?q-!L;Xf>EKk_a2#(!|_uy4jaYgeP?H=>ieI!Ko9 z>}mjhDSAPO_)#lva=>k5{*;Scymx5%8UyW+_e^|L5&zpxm1n>a(vg9ZctzFOeX=f` zjdXUfI-ZkJ5CXYOgZE?#rnlJgiyUrgQ?Nbe;^n#YUAs5TlNV#pag z565rFeZtY#^umGJ_(&?|Ghfx#czqnfmZUvP&U~vwl=(yYW(=PBOb1yZ zWf{Y$!4M>wzgo~)RI!KEE}m$$gjq{JhN?ecAA3x&)^hm4Zy_^xl~4b+Ch-oeqx9l{ zBi*!$>|L2A@Douj7Na#P`#a_`B%m|0ixgK+J_gt=clMLBV?rS}?&{&p8^G7AB_IAW z)jd#3L*+@8qA&I*u>51Z83j+YW1>NhUST$2bC~4=j_BYDI<~XB$><*??i!$daFVLU z_KV)|j;m~-$DVfoC1k@Um-;EG?Y(;+FxMzP>0`T}DKrktb2w~*qIRWnq$f)bNPwR<6_Ef>$l7>gmJ`jm;p@fH%>C#6t%T3@`vlSl7Hbcx?_lgX zXnQvlX?p;GX$nlP>in!zJxe-IjAo4Tni?fH7 zR91{8Jgi*#7~hT_Xivw#=6GpW3xNEK5$o~yYH79^XJ59QTtAph21J1X1LWBM_k0CU z!n{90gbz#k@Y>*vsocg0W#jOkXoOdLbIFH{bg%uYX`zbVhjnG}1O$GGg;{%A6$F4s{|1x(LI1r@1G=1JIjw zBu;ip2o-5)e!rV70a^l&sQ9MyT|qkT;G@`tHe2lJF9UYfy%l{Bww^Ng|J88|d-527 zHR@MmPL0kVg8n%UWqrX}8&UAn+QZ)pyW$zvRBLfdhH}vQZ4EquN+!;y(;PLA* zZyc{tgYJ*&pPM%IDpC2zG?eb>*&ql<; z`h|r*0Y)(x^}U`+b_W4Q;sdVk*>m>iKj3aAcVUSjM97{)(T*7rhj4_4a%Xux2Xk+k zePt*}5p~K~x{u@}P&--aJ0{Bht4LhVHPHIo-TagNF7mfdhv0^NnB))>j#xTe$C>OO zA%!PLgo5PFApAGl-8vh`;X1?|P+!4mfyQRA#sGI+J9$J4Yw!aD_}ViB4@bPGLOcb( zJObu!PEkWSv5AelAWpMLuTE}l{~&`+m@ZWOKc8lodj5y^T-2AgMpO%avSm68_EQ(^ z>7Gn`)tm6&I9?wtoM&)V&go%*HcSK8M`z@*Klbz_^k5{Yi_vVl=e7WS)JyvL!@wkD zp8DA5E-kSPYc^$!SWd8-lB;Gr>}IE(V%xfXrS{h;;_|_ZC;mKL=Wis7?8k0M=v^E1 zn(pPUndX>Y9=&}L%!Jx%DGUR{GvUnn8$aV7()NkWUWCa?PA7fKF7J?AGo1Pm{38j* zVXO=~PV>0zz+wG#um+c42rv}G053nkDdy^%0S1al(fWI7Q~mD1JM(3KhEI!c4yuo- 
zgC_sR8}720B4!aVQg{d6$<)kOWV>--!|)nN2fF7*oz1i1>%{NE5d1(q0}BFJO#a$l zg7K{%v-e&b~vZ73n5`zeE#e5S3RU>uDX3xtf4pZkt zc;98&dF~j}FtQ+eP^SZU)>YWr_wZprj^N>p{8pjk&DPXlmem1jZXqwKaFu-7Nbq;T zzA1E7$;anv7Ps62fLRMsqsI`R?qq=Kr!%A39{>*X(My2P{<>~88F#P2<7BSaU_rYl z;^nc*|EINVAIUD>~sv)+prh>s|DmK*f&JH`RQz|d)(!g5?}y#knMcxQRtowO;^ zT9Sgn*VYN9q_BbBwYHO1DooBrkY)U&ulSzX+Hq5VKwOc4vpxe4*BMHmhLzW}oo$~C z1gbms4h9eYW=HL?0jcpOaNXvSi&gqJ(f0U%nMe5Mdq_yGkpLABIb+~E&Z}L9AKLFX zzJn(9!KDA3|$nW+4-=-C_@5+`GBA!mEVxNh%@>xsL6W~d^!6$_7 ziQ(~Zgn9qTTfe;hH)o({{c>9ki66w2NWVNNoSk}BzTMN+X$nC&37gn@b+MZ zT(Ek?k1;H+VdXpk=4XICNIUS)`uNXu;r&gJLLkL#IO;7ysj`6+xzKENhW?den3SK` z$J3%X=25}+sTyAdEb!N2&N0~GrYc4Z-{nqSf9cx#W;;+6So(p+xVif0zZ=kyW|cbq zVGDeanYxXfTZ%m2*l3JLFTmUEOY@k&ys`{976O$m@64|{Hce~4D^B4+``=HT@ezT~ zo1s0BbQmL>T@)0L#y`|)PyhfhMvVpIUDlT6x!MIES$On7yO;Bct!-higKfr_AavMZ zTM@oieOaUFnn1m$6`S3I=Uws;Kpw4-bNsRhFVE7;IPf^XM6xdUzmzyz_Q7_eLvRNM zX&Ev8FXkq-I|UGE6|5N+dIkfQ?Yx)dOBjWijpKY5waYBEzeEOvJvp&56<=a49>x%v z`^#yYvUq&9D;7c0AiI232`N<>|BwPd+X6zT-;aVKB{m7W#z3T{%06;&;OV zNoaS{al6go%P-@?(tVGinPuCPct8an>=vm)SD{pYBh5HGqmF)Xmd`G2JWyv?gT*7` z6TRF64TX8yhO=oMvqcyFaa|A76VLY|NUzk6Ines6`i$SL$Q1YWl;_&%nsI-F(&Fy$ zyTZqU&~F!6Kbj|?m)!&_`F{5UXp#6F7jnahEQT#cgI|zWkRZfZxG+!0Cv^2QT3tUs z*Xs}WpnpYLv6r41>yu+PJOrs15x%P(Q;YMFbEH9W?2Av|Ao|5UFU16F794$ux^i3x zSP#t&QqvbBh%A%+I5p>dwd?nt1;HF-oJyoS=M#^^QIs8x*aU=(v*y~WOXn04S3%%@ z<2|F{M{;YY3~t}oi11=GHT7_e<%6@wo*3KfZDYfFG^Ix-c?h{OKA=HLJyM#>el-sW zd&r)scI!*Zt&7(Lndb1@4f;#Q$q&Y#V>IKMIGq&anGtq^eT4z)Ksw>>^S>5paWZ_Z zNb-JIH^GxOhY~nLeI-v`K%Ve)nL(PH2VT?OiAWX9<6Za%LzoZJW*YZ|FMjmH;*w?x z^Nc(%%ry!!--^Y}%AvF;?mRyvWu52QNZ^Ysb&c|G7x$idCs_O60Y5G+vo8+MpCkX% z%=M#CZdYRn%$0Q8(5?@h1RI#cq?vO=bgi2Hc)ncwU)*ju#mO_$-^0w z0SfL@lsT1ghBQh{#uqyJP;s$GkW6Og;Md0X||7N1w&-t(8V7l7M$^$=3Cr`ilfTbh4xaX#9)Ahs8+T z`6|J*sutsf`d?eV2c^Z26qT=_-KOzmG=O#eeI}G*`PFl-bbO4{>4B(EOyjIOw7x~C z)KIdAa9s0b*-f)lvR~WbXdv+3SJZvq;_;+s-K#XL){k*xeMkCVsB8eyPTr&irT|m@LLKU6y|G=*8m+>Ysb0uvrk+CY^6iDzk5+HQ8GVS^!&`w z{hDtAe`{qiwRl7|<1oZ*3a3;x&`#NjyoCX 
zo}PIiYbZkP7AoeJ=J0vrabcbFWxuJm{6vC8@D$hO3L<_(kL-B=Y^x06{MBwZ#1?Y% zE!%Kb9Q(Wca_CER2*z@Ly@c)rrup_& zd7j*R+~jd%>2a22`XU6k4`@^3 z&?%I1TjCMu1jtxl`Jsth>mbt=&WZ{1znS+Ucf2zwE)>nbI-Y-T1|v5!-XY%%#T#l;=NdQLlZ2D`O4iiFA`{e%ytw< zm2T(u0gq=@6XYs6TLsGaop5!&5q!2R|Gb@df}2Ro2Lv2g8xH@%Yl9C`Nl}z$A2^C+aF%El46kkC&!wrZ z`UAeDM`2Aoi2mvR)H^zUIBez^2mSHluzt0lZ5RdedIA5eJUr~z7R2ZE;Pw||WFIK= zOJa28oILMY+5k=+BB7t#@Eqaw@Zowmq%aqSbZmn;9P~R>7LzRBmwBFfCj$WeL29?R z=QIG>5zI)QRJH>212?aY+qW2l1F9Y#=(4qE#< zbn1#WwC{xAkJ+;w_iH1wD!%Oni98jqKVGA2+xp$qiM}(#0j;l3&BpR*HqIozPqtN6 zULWNuEws;2686O?7N!~E6HcFR_-WaGUKkp$@ci~{2D}Ko2`4u|lnKY>Q&uK$?m>44 z6Ryg??{C3}IRafmaYjd;R=FHTa_K3BRjUEcJy4{9g3sinGlj^PYjXIcx1OT!R}5jfYvn-bom z-@90k>jDbffEZw9C^m*48G*!bnqe)yWQ|>KP+y`M{VGu&?R!6Tm|`>B zosJvnr~mAG$eq5cB)lYUV1b^ih7;tfZ!zk$+;DNA+(x(|EIO>=pzl60)rmJ5wv;+p z9Nlv%t&Wr9@eFyG-+!d6m__$tY=c&3mBcr6Oon*?&d9eH7k z>&c5lfX*L0{69JK`Qg=mJ)A?obsTx2358~T`xNwppF`uqdm^DN0l@6|Xv5cgm< z?4JV(op-Q!b)V+ffh&V+`aZ2IlnuJBw`KjrG?oGV+ULLUDe!HhmqLSdJoVb;|E%Ql zC@npVG5!D*l)4J#0~%==Xx{@0H(GqqVLQiVrB-Y>;KrN+Gv)L|Zfon=l=FN;VFy{nsY2c*)Unsy+QRE#beFg@C5C@E`;vS4jiz z&3&iE@ihetfa$cGM4CSca=)G4c;FKbE$xAr-sk?Ie?WL)c9HGw{Rf-22|xRrhM4;% zNRE;{N}b#jTS|g+%uwrIv~Cv;Ubyt{dUE~FK723z<3g57&HvVB+66u(KCmL{_-=et z0)5D(SEL%#Jtq_?4DC8*r!Uk2(-79jlfb=g!vh1u4X?uIvbkN&T$ z;*Dmu$+Fi5-Sk5jfX~*s#1gl9otrXT_G=S#tS07Phr@NrI)TC6^*|d#O7m9FlYAix z)v##PvuDhqpWOAZ@P*?V`(8W-$o_OkajX3<0C6CMp9GAYlTBP9vawB;4jSW&*tUM0VYj^S31PGZWK8 zx;2PtWCu*I?$+pIuV-)R(EM@^H&B5If99xiPI=)-rA-d3Joz2DPdL}kI4$$SLcf{D z{4{tf{GJP&cB6C7GfPz`JwJsDyk@+O2u6Prb-9Tf$ezA~80CFJ?FM-e>N=5Kh>*$; zA$YFk^m)(Ejbr!Yz7D~8BAx=WkJRhH2_`@NuiH_8X=2}Z{2@hIaV2GrJ>PSxDXpBn0>>)rDa z7Pq;V47l!9$JPI^?r%Vk{+j=@YWvxi8gj{&xY=7(sPxs;myED?gv6+(`TN$tVsh+v zF_5n-@eI6o9B&-6D0lp2e?ym8wySod8r*EdbC7lGn_FY=MxFPW{fOCse+IGnZMWDT z2@4%DJM!q!UB{kZ0G;XWCK$bg3;lA*M!vbYaS+oZTEv6N4qTPXV?jp(FpDwcAFyD4 zY@R6iGzjvl;8T5YfVRFN9M161_m0>5n&N$%cv;zw$FuD@qS1~Ca!xnUTZ<)j^1cB) zIpbu=yL2pP4&Nmj<5SW8O`wuh99C*WUQNb1pzwjLoV;ELhgi9(*MZHQ-noI!Jf7DH zpM);ney&-<`ydB>9oK6#N*H5 
z6ElWOY5(60E(G}*o&nR2+=YaU3wK&V)FQlev(-4xk#kX+$F3LM~7C`Vi9 zoyg_ncBUWR+P0@vPWi7;en{ZI`}(}+LE8H!)}^Qcaw&yXPWVpNkJ6qt`gu%J)?QtjqY_Q7^Q_=yrKXzlVika^AX-9BAALE05U&dUoECM57 z?U1;<{T#Y`b6ScloKg*~<)*dzA$s|bqXl&Qw4C~P{2AM~28andhPgC1^82qPK&Jl< z`l=4h*}Jg!p?9~0?orKa5Sg0^dp`8PeS&VD0XQ7K22eqc-4cPC8S=9|9x((%4BY4r zn>_pmR^MNX?dJxGy~M*~tFBCMqc~Ii&D^NU?mYnQb+;;X9;O3|JqM}{0I)V{9jx|^ zqjtZ%_4o-5^3+%4MmpU$;Oh%+X)Ryumbn8`A9sXbmO ze2rYEod}$>0lQs}Nfp4wOKIgJT};k8cqw*QF}f44=b=uWu>F&dyKov$>6w?ei-A^q z%l{7f@q|hFA}Bpy`>F4N*~HzpLW@WL2Ko#ho6p5CDCBZVS8&I;INAOjB_3SjUV6aV z6J6#15hr|1P=*Dj2jSU5qsw}nA9LEOdr6z$2$|q-6id-fD6RFWG@t5wk2sVVkH>ujT~v_-OPwS}x6ulDkG8(P*~Pj+3y0f4R9PMH!WgY~7o8&$md#`;h9r;&*9 zx02CA;eTiE%G0-Up5_4|x1D@_Li>HbF^uAO(hE0yaGi`-t@Ta;7gVNGo^AvLoYG0e zJ@W&^;ipfMA&fQUosgiV?!bS|3MHD)dQM7ZxT>#4_B^HOthz?m$3Qf}&$k`^u~no8 z?LEdoPiA!iE=7dWIsxU(`5^qtdS7aLxK*Xd0(0a8 znEKX{To$Ku1ZM@g>0Z{Dk47)|1tO3m{5!)Q0<&&=2Qp<8@bO`024$0hLq>n^?9yw>_v>HQw3bn~(4UtbN6b|^P1$5+MuUWB=@8hCiSSB2|j zJNA{4$c+fBB(S+hcDBsTe&(htCW8DgzLQ@XUN8G!nV0YE)3A@#rp&XfB<}rpH_9D% zA>gmh)A_Ty1uFu7y}s_ax*-;G^TW`-;i9r>8c$uewVWf4s>c#H)RL+x7IQZXdLVm{zSeW?BzD|UVkYy=U6Gz z_P*8DQ_4M+#J~6GD-n6G$0afzss$MN&4qdVIu^5CZHtbI496~9y#kBt(t?*`Y4|eS zScTu4#=|ciU#{pB!9F-Wxm6xI7|qkW#~&6$5AwBn*Kxz&12jmc>hXK_2kU&4`h1qI zaeTHTwEbsn!1vIBV2v*fXimjpyKsK?ea^gIM?c1=Z!2f^*`fzGvASU(st!zA}v@slI zK_qKu+}nzE$T)pB?#-p{j-4Y&Cdcw<^Z(r75#KvRBKs=g)^}{Fdlm(y8@5K>SlUls zmM(V_=5~8X2mN2^XaWAs8(M(F#R6R*MwaCO`(ZjTH!n&!LBXAnzsUa?JpeGB?3D5M zX}I4|x^FOit^qXpqEU($cd2x5sQUo(mnl1GBh-JMS(~rraCr&g43A0t;5PP`^nwT0 zc@f>{%TKlVqnIy$`hlDG9xcvtAZ8FMBGG(V>!8)p1*X{ zfn=fQHD||HsO9YDyC*!mD$L}zvF;Q`{P*^om;U|o3h(Br<{#5EXfJ@DhOiaVhqceX zUAT{;L;_#_)aIl)vh%nP&P-@LE@D*62@$B~anEV&q$A5#gID5I&|`C+uiRkdP?rSP@Sh4J41NaASN11Q=fD$mTJyBLqliBDADc{a!*_ubO4aG{$mnZB_XF5nCnywU<{;j0&wt`n zfOB7MNYqaq=6AIrhy~|O*Tz=P>145oFrev;;E$uEjMmEaiieX80O#;-7_k(8_6kKV zoJ_NK{V zGt&jEmaK^dK3+I@TptOG;ey}Q#;k|wsIEBs7(mKhs5&srgF1}SAxYDlnDyC<4=b_z z=(W&^;o~q{^rgtY^<=@e-Mp{yK<^{3e$Br=I2dIAoK?$Qd_nqd&q{d@9eqeq9%N?X 
zei4oXY;Ek;FkgqM@q^*KJ>Z|qZvH&a4$=zir7$?&m`>;I1I|kqwXDyIQ1FPT4$fYY zr+;cUkU4fZzXt4l%FX~p`?2X`sL#|IdG;MM5$|vM^RtJsj;2=b18v25Va+6Uz0+>J z%*~OXZ1c}WT#Sz4ZqI=SA>-Tl@R!q~0kp%}a&X_jHx~~E(!uejIhFaJbpDzm z`m?$8ht-I`a!yV`Dw-0GV<*R~Yri^YITsFd0pVz??(h&9=Zj*H@W><15&=6!+}@1C z@&Fp90P#l!$$_B3`xvR-A$QaP_y!IT~;_`aUIsRI>%c)xc7X7CG z8Qmxk&0s>%f(FzxPFEh>B=dE9iv~18R`qU!o5}tAmYQ|_NKIrD9JJ_p0=Xw(BBihS zR*B{|g#CqN&&vEh@`UoDf``viqqk7%fAJy`Y;W*4=Xwn%=dX1k5u5JZM^@l)4U>w5 zT{ts=Z#g-Fwr99Q*P+{!H(^LLKl2p5alCc4`rJq*jkVG)J#sTP7EpYAa@m$64={|l z1gZju)KY(6!(k{=d<=@fiX)`Mpd=vI7t%qGFM)OQ5CAInXgM+P z8x4WdgZ&_}JZUx1tmWlv^g?{HcyDh9%6OzJ))+p{xuGMar~5-a}j ziFDhVv5g@4Sov$7i5j?G?OX*i$feBF1o6snd)Xe7*&h%JzsB4ZWl{#5gg+169{75& zI_DVv23_1T>y-M-Jr{I$u#=O_905*{;+}DbG2?Pz4&}d z>DP%D|M8Niw6UA<3OqwQ#A}`j_y=!~SALs@81|YTMyo5B`4466VI&KTTY>OJ+?{wH zH4P!*v|Q&ITsmP7H7cWeCRey)J)KJSEJd#-^&E02p*$oVeOJ|@lTM3d)!sNtV((O0 z%=T378LTt&%FQw&GIeI0CIh8)q$&Ld4ALw%v_jML< z0*Ej3PZ@?xcXKD`IIH9<-7&uK4a@#rbS=vw`2`}%lgxgxR|-yXqZv4i<1#6lyW{Qw z23gQTun5nrpg#j1M0r9Z*j$6B_O$ow#A5dLMBN1en!l>U{q0si8o+@-9Ct*IMy8to z7^92rGZ|E27SysGB=ZH<=pEw0Pm3@Bjr4bPNx%AY^_Z(6k#tB|9?d^;QqlvAsMrHH zDK?d<^`rD?V9uk;e(Q(un5SUz`!4=Ai`qP5)MPcP$4Cmt$~~O31p)%7`;y$A_xNAy zlF56x>6R-f%()RK%yx6mr389p;CXN94fw3OEV1HO;lIAbXulmdJTGj& zCFv_c-O*J@ayUC8lKL-CYchV1R`1XdElcQySnKBi!`NoL~ z{Ks9T<_C)OcW|<$-34}ky$tI~-h<)nWzNq)hiOrN(Ly^LSdAA_^2$=Hx9@*-?$x%n zXY?6L2SUe0mFdi#er3@~R#F&3^Xn zS~rRa@it27EcAtP&94;#(Q=eznWa(Rzf|$ur-L{>qR;`?x`sSh>pT`8vn?Ko+Ov)h zN0i-5@*Z_~aEI+by51HXoj@ z;A{2c7VF4}MMJeKJCqlDj(PAkpjiHE!tGi5>wMs}p~&4~zl;Af1bZ9gr9Jg)p!!+l z*a3xCHkWHY@p5-4%=?wZRpi8?SY+`i?|)3CJYcCxxfH&;^R+Av>vMglJ~_t!5q(+l z+YJaX>x>TllRrR<=Ky)iItU9mhf>;1CI)RW!SD;NSrmbtpMYX3x!p0^Q@ICr_3X#b z{)}nSpB=j+YI`jCaEsdsbbA1TZmJrCM`lDA8T@wwrO#c|{9-U_7U(r6Qz$V}z4Xv3 zn_*~@Z7IkZ`uv+Fc^6*wj>_rJO9Wd=6K!0*G!xs^8Ed{$iMeH_v2bGDVAA9x{#zuv+2_OKw_Q({jN`MJL->1|D@HS?+u*uIXAri{zA@q^!>1R zWMT@JKrAoZ|zp z8uGZ@f%wjr$#463gpEnNT9MdRx*G|y004DJ=4)3soA(NCbjGfvu;H^Gp?tt`9GMG;mxKiOuQ;MDZ3SuZ3p2kDtMW{b*3=f_|jJw0^ 
zBU^mcWmNo5&FiAq%qE|>^ghZ_G0*S}CL90|vyJ^x%z0ecP5t+X|DREVjr%rTgu>m{ zVw4Df{slu{{uScT?>~XY&3%eG=>)t_W#~BF{NdYQX5XW{Ym<*tc|UZ9%ea%bIyD708J2)*XOA#gcfupYo3Ts`e?9y>xgm$2D5v(hLj&|^K6`kb7LPR* z{CQ^An|&If(SP->+~{=uQ{(}x!{m^H=R37LfJ%!!p6^ds4h|N-7|67;+(jW{`gcEq z6W?9cfqZcpIw_4jFZJ#$Qi-VdjIqThVCwVktrd^d(FJdEzHoC>UJ)-I$fa_QUhufz zVet(+kKWwuN&CcY@S1D_=Y(vh=0*vE!H)UNPkQwEU&$$u<{KAU zotzmt0jkXIU(TTlcV5uql5~^x;ZbobaD-e6eA{q;E!lG_>!HiY*^t4MX3Qngp!@VX-riHi7DocQOwQdX8hn#agF;kqk75>ps2hG^gcU9EzhFq4H zTTxMnOX_|;hx2;s-B*wh89V|9U2?D{^S7h3TOW+94ac_wl!UpE8JKzIF-i}hUcUC4 zYyF^(UXx$P=OoVNLreM)`G+&Lk8U0w$>ldVjQbxFAzo~OQ!TnyJc0nRoRqh#-0Ooi z-mQbvSe%32vUC9|Rht)K%oWF*r=l}Vrv8;-bKe|YKU;5akr==L>3KOb{psOr?eL{@C&2%8 z9bwbQPX|`-%ik2lpH`*Ib`EYN?(Hy=R1PxtW+nOKY5pMGcD*Y8nxP{}F(&I{XX?CW zh!6Z||I>S+yWda5Bw9gP4D|5!vI@j{j9K^;Wflru1soq!C78w0$*wP(*zF{5dmDmj1CF#SEm;R!m< zDos{j`zR^np`NtXo$B@s1px@X@7ZA-it5b6wZprOQ7eL1;UDvezY@=+*gSRZLIXo~ z^u6p}n~t!R2LRc6eOuqTDvPV)UFPvLL>6XyYL&DPPT*BtL7pY^fH4WawLi=r_a9yn zVoT{k*FAkd56$Y{^}*>)-G@3R`nUx1SHFmR0MP!9TRcpBC1aA zpCSBN%hcSALGiI^Au|?b#aR?drJAr)CcI=i5oE$;+Bq`_&q$`6XF_G}?1=;49xm&d z=5X3=1CagjbRyiqys7wO2I+ah{X2dpTAteWjqf$8Tj8lxOwgZ&+A^?%LRUfK#f?tVP*uhjbkESKS_w~ zef~8o9y^g4e$Uh!tJm<@dB{BAe#D>=9E-bs^@g+$H{|r`R9F zA?B>jggg1xE4^E<%|_=JnrHFt@fN|%36ef zb{P&4yW9^G1`y3wznP!d5fnqz@2tH*{;s;^-;mK8;CW%C1ayn9*F5RHYmuvVJh8&{ zGR=0qz8%i3-y8}QA63CM^KR0A(}%82?5U6HF#)4RMf<&6zvjK3xr~>UH`H7O7=!Vk zS^Yug{k$vzX;aa&I-Bc9Kq`ebi-OAf)q%#;D*b+3xQfDFM@Vzv2cY9C!#@P1@4ETI zkZJxN8wTg*vP$Z9x?yTIwI~Zo9M~b?w0QDr6W_avsWUi; zaa3X!O<+LH1W|+BMF`{xh~NG5q`bezaw))Y4^q2PUZ;toT!!Db_JGAiM0+B`fUjCg zPfi#Y{YPM*#{V2$jMA9CjBg%r8zx^M>h{i4RD836${eBYaiRCOw~Xsz-u8Ks56Lf| zj93n}1#zvBKlF}IQ(TJBJN0(|KE$$U+4d>mVoqQU1{k)F-QgJ-IIR&!*?=`!g`0g@ z2R{FX5w#NwE!DXN!$Nqvh1ptKlt5Au>Lc;u`}Y+p_~0xd#vR;Grwwgp|2Q_z=e!_d zcwh~*WmO8sc_6>#db4>N><$CZ`41N*!8knWa zSdFwcx(L$Ck&Y_@53MVMu_8>C9zb<@(3yghbjpsFj1%@&2cUJ`n&5;;J@tn|`>scq z(@FCTv=(!yb2+-l{9F#KZX4j%0tdFQ9p`yeo8GaLV3Dbqu5cM=+CUS=7;U`nB>6fz 
zW5_6b2S>ArACo)2=dCCMUPq3bD|uu3|C{CTuEt0EQdC3QCx-bO&ZX5jh&5w6t`zLe z>Z2_DYX!u;2xy=Sf(RkPKa?>SS&|!vfj^3uZ2{-fr+DQSrV6AU;Wy;b$EhH zzQcW8nNib$)L{|~K;~#K{*l+ehrxa5p0S>(zLEO3o)J z?fB&$#eUHKW;95@r;>>?4k-~*AB49Ls;Om$DiLD)&wK#K<|I@MNGz(j~Xz0c%Q^_DrPv!Y|jSdb?dzS0Z)F|iJoj{)M z6%#%9L?k9w6mN~hi5qUj`9Xl(DqBzMos;eKI}a;nmsv{sQY4Sj?qpmCBKifDXr|%{ zBDx0N3)5bC%@%>O=8gE3>L1IqsKM=p+;DZgxyku}C)WQde^NdE%GDgQ{HzD9G9)&*10O@;O_Y-*mP}&CMQ|85KM1(h3`VPJh^N0&nb(5V8lE9U+&&fZVYj??Mp`A#odGV6_+_iHw=keq z=ywwk+KpX8y;+&}{V_`EWZ=>8Wr7jBI@bZObQa`ZtEO+Wa&`^yGs22yiSFG+QVm*I ze*tgrH;w=^Cvf&8$GV~kaD#s!Q~hZJH#XsZg5SPd@Gep$t-O4g?~!GW-0$?v&cwn; zF}%cJFYBD#PQDMt+7#BG0fI1a=IwgI05A^NwlDC}qmN-5c1*rL(@FC{3~?n`> zdLbE$5VY-=u06e~6F7!MT?o1J)RP4q@oDrfP9Z zA#UrzL45coxJy9C|1i4bKVO1vL+2!gh#>!%$P`xYj^<6Vha<1b zH7FWPRdyzeUr+Hs!oLKHH?L+~D;We#7d?T_@52<|9rHugg>|$6EH5LE+qcnX-B{b- z)OAQ7_66E`NFHCwM^t+joTbxijN>dWaU7i+bbs_G+q~p@cK?gLc{#wcifm%12V_dI zfuL0kWQsJC*&|zgqgNzLuZlPsfjM8MPF-(jwryLJn!KfVW{o zzKs=Q{1vu6*2Sh~MQ}(G?4I*LD&vq*RUVkZmbrG)W_IQR_jF9?!H~JgVZs#go<-SnXyCupuL7 zELY3J?A|I(g!V7Lqcuzd@nPfG++{1rl-qR)=^hi!!+RT!l?4E9Eui+170lP)=X{{c zLWV4RpX{=rnrep;K23B7!!rb@o9jXvH;a8IJZ--#o3`WNU!NOfXe_mqijEDr=N3%v zDQwC+4m^R7_@n9MycskonQO9xzxl6hI4L9NI{1c%&qc4NUS8kK^S)oC6}KeX&wY!$ z)9zTfZ^sC;h==qG{2~UJe|nE#I$(U(=CX8uCye)-JrhG}=yI6Y#yoe<&NtxpFnW6I zVZS{B%fzXMi@{NMNWmY;qhcYwcp51&95vYHyM=QpX4|Y=(;ni97*PSi#8G8i%YC3s z5(S5U(rdVH5?PsN{)JEmCrAI7-o9Y&ixIAU6KcWzy(hsN_PEo~Vc=r(!(}%+!fN9* z#Rv7&I=S{y+)>LsMNz!rF+Es7np585f5(y>OObhK8~?{a+1^0bH`B?S9gVm$X#OXl z*u&IQJ2nW1UXwikg|zV4yUODPaLfvr1Hf-7UlIwd#1q^d@@1kNxeK=Wv?&5wy=i7t z5GV?%9f%L1wr!eZuo+w<>bDRJFtmL=)aqV9I;_}>p%e6N0I0dXD`B%=B0oHxc^HIy zAiswclW<6Ox-TmYR7t!O|HldR`)zL?`6Dz6EloQGQ3gu}Uk0gr10f#=B37*dQKDXb ze9Moxn}>kGwydaF%dXdkq;jxlcF|boX>{VHd`ikh)GxJD#a1kqtYrs|d;SMsG{(cW z!^eFn5o7t?hw2i7Ua^j8l>^D?y27(`sfjvuC9 z$tfR<1`{o-x-5ButSn#QQx%VAcoM}rI2nLIZDQ(*kjYXSJ5_(oM z@30L?A%S*hJvtta99!4ZVF}=n=!2qdDdA1F?RpqFLaE{7z*$M_aFV1;tWkNg>Kx5x z>b@K=i=q+ZIr93!`{?jC@#DW53n^trYck~HL}+O3ir?Zt;1BR|-%JOC+}In)vUvAi 
z`$qI}AHBo0`8Bi6j$U64=Jid#eY^*=$}}60PM3m-#MO4ZV11TjdoqJvI~WvYFSu4u zR_N&iC=*H7A)|Z1nwxDW(aov=q$eotv3q#q#m9N_Q5WRLd8|S;$%^;Y!3Jl!Bmr<_ zJGY+Y<8}(&`c~viu}Z@ieRBMGj_GIvg6q4Ynn(BfI8F*JIS0z@<2THyP=x949zug6 z<>U1LT2eX%KCZJKwPYQMkLO^t2lH_nI;`ysU@Y2(0(Lg;vh4RszLn{?%nlDuK;-RlE$ z?AGKK^o_D;$*M7aru&@I9B?LIG>`YzoRg?gdgVQjU%a+=rj&gNdGS4bqbjO*4E{Ey zNC17NqgN|dSHkE|s0U;l=U@itUW@?{Vk(MK8XGjEoz&1fYycZ`u}nzoy)?RjE7+3x zTJ38V_~69j8GytAQiEWf+rgvvqkZ69F;xXT=tem4Cq~y>%7hR45qjQeiWTsOjhk~F z#JpLG)biJTvJ;4DgM%($#E0{o)(t-#LX?jjp;U$cknDKta2WOsI5{lV&81G;0TcWE} zs<`NgsEAsXM#l^(@dLu1p49qAQ)7zu@r{z$;XROOE@>K+tCSgoZ*)Wk@RAz0_oQbY zu^|?(XXiiz^|JBc^c!xhOUz6qJ-~FFYePqv2EbK}^U_pTN%NqS_9=PDdU!$1mvVu5 z!D66W4Me4uuZKzGYk(^%-+YFUEhMgGjpR=5IehT=QY{YX4$m;r_(lw1b*)ITPFFIf zPwKLoG+Bv6zY3_kY77d!eRi_kH!?zq2NY%YFRD}r4^XVOqS*CQh7nuJuH?*%_yYDb z#dfZk1mDQZ1*~}I`=F102fo}i8GZ+<_U-A{Itv@nl`$*L;X z1;t$TA@|Lv+oP?pC^?j;q7z68KO}I-CFr{qjaZ=Uuzadn_`(`$IfZa37f^(}Iq{7Y zAOqHu*rb;arxU;$s_|~LV!#%0HV=oxBVuGNp2t5?6r!7}80ik-Hi8HtpuW!~s zXdztb1zqWhzwLSUYML80%>({c=LW8yk_U5$jp|mbh~Cu@9+gEA}W#9G9UgnmxS%e)1lxE z?;|pW8PovV>3CZKuAC%O{+5Q5y(u2akeVD@&KA`9D1U3C!BkY@cTKL&9qnaKW&rkx z^f3C{*@X{jG#ReW7jXE>(MOo?Q*2JbRx${w6LL#iW#bt-&(t%zM~4KzN&M{!x_mQP zlvouz=jV&moPGm;n}Sj4>pVI90J1+9kI^^D;cegF!r-e>hGdI^6$lP*gDQ0Gc5br{ z2>h*$7)~;O^)imqdQQ?fKbs2p-TkDv1LF8wm+RK;;BbUrH?jnsLS@X03A>N%Z$UuO z9|l!Q1^UHpKafcv99iS8L;h_CN2m;h-mYk1O>^@kP(jtQTIX*$Nad=Y8Ly&bQh^v8fM}p;WaOOEzy*gOv%kl3`@^&X(zCPf?IO*vn6odfq8>GxKPqsgLxbV zcYz_HxkmHnNre7%cq+a&0xhs!UH0NIus@1B3*;+5g zJ5}>}VC}7GqQpHnmRm~mgiiI3uPp*j&b9gHX`Oy$Y125?@>~Lxld9&6Rkcr5G`@4X z>}Z|DyVrSMh}$7)@U>i|IM9>c9nSM8ojX2^Oc@ixI*KPRAT`HRb}Tf1x%q3EzkAkv zZIEBP91_7Ne68}v(l{Jlz7_%aPtD~PWJ(W_9bTd2w8&;Xhw<0hM zuPGg@`;D#;YWBXbr4kj=dXRoEoQtYz3WTwXr_I;80JY+7sK&d`KXTZ`B`y1e;MX=W zUTYpi*k)Sclla4kxkW?iIF95b9iD|bBnuEyTSF+3S^P0-ksN`seUs#CjVOU@3CQ6| zHzQvwWEi9a@;tuwN6|&s)HmQLzLrO6+A%=myz%X0V#C+!NOG!`)O>(XUXLecY`yB+ zP1}Ry>HLv*KS9}Hj1BOd1`Z?Fg-)h%bWIl8n6yb5np0K#0jni>ibU%TT)nQ4E- 
z{-N295WiNZ)N^f+rE%91oQ@;C6#`H;$f~`elrCZY+MHN;^GAGbZDd7voBvuJ^T^wpx&;BxnvuN~oM(-pizbokmD z#3G*+KjwXvG(o<0h5XT&bS;pznHgXj-WqHzAaLOXkr#`H%ks4|hFM;&`n4#ma>v_* zh4@-|$jj$fH?QPtDF{~Y9(wz=6GV;CCPG|wEF?t(QsyevSn{2 z?g7M9Pl@5g6_`*A3Oo}?#~ReZcEZSl^$k2@hmlf-69UfWlx*g3}*VbZpH znm9i`^^wAH@f>_S2_E!jj-d+Y>TRuwURPC*xacTGK4_x*{Q{RfvSh7~%jH}d3kJ=OnGVzfuqMW7`#jDq;GV6$;X{hV~&gnTpHrzLOcOk-u!dR zm4Slxqj&tAf)de_9T=BI4HSbBGsmE%&`7cS8p#>VGvhkz>?jYNX&hmdTK(f;5!UYzZ8>^=D0 z4XA7l2s^AqzqQh4_HeH& z5rt>jl2j6(J2b?Ctj6bxkt$bGsmjjnP@=>PU>eYQH6MMm_?er}{Zb0LX$fU3L^TDhI0aQ+9EP* zr5`BV#yObU$*P!(6^n)?%NPPa$wU&ExK?84O^W>e>bWHwpbIMgiDF$j7L54Z8(u=L z2wp3G?t0~_!FiI2(8{?rsID>}9n9y_aMbw&!0@?M=w3}DN{WI@>D0_+IiDK?(dt7@ zqJKfJS&9$XuayJj`P}2F8O z(mowBLad%l1)t9aDzP(d2D;%M5e9?(hBpF4tgGP%eD07F6(;1m%(>M$JhLOpnC$Qt z_>|*$(;5pqEqt!;RHS!Q=pwclE$~o<9iI!Nh((obl0N8faBpYQer@+FfzRc^T=^vU z5pjFKAsuMggwN#>hdj_zJ~zh?EGZB^T!l$I2cOGx3Id5xeD2PN7A*TBsOzdNkNDi3 zE^SGZttXKJA+C;c7qejf+#6X=u%e?H5zNdvOGBA0c;@HYcs-hs9^@DgZcQek-j_PX_qjCOIaBd6lo(L(xf`H< zV*Jbu|G6|g6pizGdWFw@SJN6sy)X{P{`S9!9qBRn+bm)`m5GG+X8ZlERteV`yru#C zEfuP03=tRwk0}s7yiFz!_g$I?QKJ~EVuOmxk@?zc6r@mQT4cIgo>4eJ-BMP_kL?SvJ3%ZU25~x zXu57O>i{R699S_&<=n_9_^3Iw?7^;y>d}q}O+(y#rSDSyZIOg^0D|YYhv^fD4d@4? 
zgT6(cLrQkV+u4rY8lW`Qb=BYEfICk!M!Ynrwvv~>oxyn9L;h7_;BS!zU@^h{+bX3j z?2X`^xxOaILG|{CI>s@myfip5rhhBM;RXBmjoR?wbg=GkgF!_?-WSi&;ct)BKs6Tr z#*0_e(H4H|G zIfNr-|A9@Pj0h#1o0toqObAic7Ju73V6u{Fb!kkS4(a)p+@<257yyneq8x-T@O?nj zHdauSiCLrnXn-Xn04p$d@%Av)PO>aJz04<*L8|)2-?je9&;TCklI|rjaYtY@nF?Z{ zW|ptVU0lJO)^kg_>}ipS0Eno9v-o6Oz+lxrmPevm_{o%9%~fs5&l9=&WN4IqMgkpw zlk>^f2$LEXettAGT~d+dn8f-=-3tJtTRSV3ECVH*VpxUeW#Xz_)1q9xuXR%j>sqGa zcmURCB9Lb<^d118HCzY!4=rVrc}dRovCr6`iurJwcY{k+%wqvT>^b{+Zs#`X{ZZOR zPl3LJV==eXXH2LUz$H8#nUo@^6dgC4mT$L$X;Xcs=JXQs%^hzUgLI9y{oIJ|GcQoS znJl={0E;QRG2(+q(7h{MtWY?!BC(tmS8Qyy0vn~hyW0ofACf-aOev=8*>Xg5eDXHm zT=67-!_zoZT;@~|kFp3a?E@g#49)6g@*}zehkitQ3gD0HXQE%9X@R17JT9NW4zJ;G zDG(bHXvHH+Ky~A@++_ZF6f+I*xz)x|xe@t!1W?b{T!sGXCYXTb8aKu|r9G}iu3Dsr zfPkdm>&5u`%qygEIzDSZ;5D7G!JJKqVxRFRUa#G-o;U$O0p&dSxzseQ18~HvRoNG+ z-*j7k9tMbq4h(+jWj%JOi_7)E0|H+)>J{y(_}XVW9K|lFM`-NRlHunKa1~!A8v{OU z+Wm4n^I)&VY9+A!=J4do$zxbVy6rLp$eP3qzm;sqKQ^eFD54bLlri6 zNmuYx#ID0f{gsW2DDy1yEb}Y_RL9RUCzqYKs?SrjD`Z7Jfk~Ik11CEt!gVD=p2l4v zD-t?X`r_h@gYK?dg?hb+k`EC(UHA`G=)8gIA*)N*)CJZ}VY_tcbtz3UiSe=bgVif1 z2Trjw&haYM+5AEM6uAt6G1OMWxDH^EBBJA0=vDk&h?bOhgr^%s6%JVdvsTT^)QXHr zsOzGMy}8Md&((`$1;#LQN+_T18Kt_JzmkxYK0gnlC>tyxSJJW@h?MVj1D8eXz`eJ= zC0N}}!0fRb8xB6lU)jRM`zOx=Lk z5}isQHYAO+Pm7r9qS-%3Zos6PfoOkTr3<|cZBmUck~QayUQK~1=Y87D6!8)ff389@@BMC}fVYS4jo%_~lWB9S$!b{4i-YmH`j9y) zeeZHOY}@SxDoVSa=LE4YjmuA6yWrB;nT5iez@qzwe*EGbMVnv2e& zR8$?luF;(`{)1xngy>uVM64rh6~JDDn93gzjKv?2gPJ!ZHs>CwTCom00aJV4phx=zy6kSXV2+Fjypu_jc} ze1p|(MvF6;(|Gp01}AGwNAn;r4o(3) zk{zGK-#V9Dti)xr&Y5Ze1rzoF02&WSQ5;CZD2sx9W2E7TM`!^}C*B&sO${%$2ClAD zR5!%zZJm3u0=(Vk`m(mee_F|b2-l1q{Z+BV%MUxaQ~)yaen*GmgM9E&;KvuPvAA_& z9@Uxb!Q#GhX4_?Q*)4+E08>KQtjxS$%_Mr3ur$bs~+Ir!i2d zr$T%-Xy2Y0fN)51`A@;E9B_zW$(sPz3_di17YQL_rM$pH);H{vU=QydebtzZ6{dX) z;y|E<&)H2@3kt`M0qgP;e8J2AF8HKUZHjXb)ifo&2FNgFmAEQq%AB(Q-(l!K=A+{Y zBzd!tT(oi9JNPE6gHa(av4eLm{w&L2g$p7J5+b^L>cMW1?rV4ppX#52tjeFlw^-nx1G+n;Z(*UwC&3MM6nt)yV; z&GDPq;Bq0X5oy~{8Kbf219!Uv5?w4I?G}U`gzS;Rsx>A+{x1!O#P9OOZQ{md^BCz9 
zqrHCQ6G0Ak3h%fyAs+UgZ3Ok%)y&I82&bk^OEVbWdKJRlpg60D@eP3s>*A zi+F|^oH~~80>n|Tjoy{xl~rIP1o{ZphMtQ+_R@6)jV!w9F{H&5YC&mnyIIlJ-yET9fH&QZ-f+G+1e*m^C|j^F1c zPjY9UM69`UMh$-)(6PdgufA?&B@y{g|8MrGy=I^@9n_yc4G`l#4VF=Otv6#{s{je{ zJK$GGtA#HqZ2(tihTw{9Y)ZQbw%~<+$P91Zmcvm#8Lz+@x54irlE9$sGKYKQd~JWT zO-i_QG(6i6=Ffrv`q!`$$;2=@zE=lO$NIMAtL~3UkatT_Gp8d`uQ27Px}H@SzltxS z@GS7rJCtH_Fr!{7s(*Qmk^Eub``h5782;ce;eQ)}XVLOMbp8xX5iytSaNP0j=3r#j zdDC+49XZI1|9A#d*CKz3Qg^#kMD&Kz;%%er7sdI`P}t*M55_(lIq1;`xlZgQj;^e_%TE_Tqv(*Eq@C&b4meVa-7 z^7)ic;EB#IA^#Em=g4=;=;ly}5X^C-y*bkT1GdsZq*Ap#spp-aaqy!)_B)&nN~B6u z=_YY$!o24C(SE=ZY3taRKqijFH44Q_Q(o=NhN>?&>dMs>3%QzO#OHzjhD>t8>Z@hl zfur1Vo^@u|fh$VbSc>vr#x;pB7YOEL)qYn~b>QB#@BR-mX(4h>uyTvKiZI=y+TIlV zz5HwC!LP}rnVe8vv}`>b>RQ1YN7I;=y+L64U7HWUgQ=WSYiOo{ocjn4GPW6eCw`_Z zH_Wd6!uA@>hVavd=YZF9(00X*$s|9@&$@VJj_JyGQ#LWeJ1`j(Zf`^lMXoBLsGc?Z z0L9O13JWiJfN<6^F0wJ8&fU_8%TYX*>?d%e2l^xrEO3tn`538zDN;Y8h|YUXVo@S} za--ADz}ga)v^pLS%^-cjG_BD3i47h9pz)8hkZk0yJqK`@t)gWFh6XcYkxG~l+3vFiGoweIBBR3X_k^@5<3BO?uZ; z_-xQeHeu0Vx!0Qd+5gN#2U2wY&2Y2@-=*Q7CBx(Cb0CB}(I#l*ZnDc8F>NwoB-a9} zS1%eU8ojqK%FzE)3|X7DEbmb6#>p|TSKQ`R?;U0-pLNe{(0Z}j@WC-R38eTL=K!zi z^XyMwf-9DrmvdE?&p>sRk6_K7J^Nvp*(U$`E#Lj8fq>Jx;H@F;O53@zm*8=SQ%N

    ZQ0wQ?#a5>-e=A zE0g28h|rgm0%{r!J>x?q;gK|uhMv6>(<owRgXq0uJhfvZV}soW__v?7<7yR za1^8Z>Fy=00RZ?dBPUdjsI1f7Ys@WrPl`4U_kYG!-n_q_Bxh}qH;y8)FEvBHNNM8*a0hR3AmcmMvQu4E6%S~fw-=bIA%|WYE6J9-_6}X z&|9>E^U?4&|{oM1{6+;Af2X!itJ-E_UScF zDj(uuX=>xPI<5TonSn){DKj-R6{7_J<~~G&c8|^X8HUog=Vc7EnfZdC!nR}*R?x%dh$aBw&xBy2LtCVX5^dO(f)mt(H?5?6thUVn2dZvnl?~l=1)$6qw>m=-+pjyi2kGC%jlt1VC6iTM9BV_lM7=sV&$xxgub59 zugky5D4`Ij%htCL$Jp(7F9MCdV^>?Wf6hlmT$_Tn+GX~;-e7&A$(^U3m7Gq8O_D(A zSW?0W{fh3a^=7TY)+SF@l1k=FazWHSQRrTQ=WdBqoitH_Ib^9zA}?BGOv{a#OT{01 zH1mJNATx`JKFvMoy^b>*LMmK>wETBS^%!HrL2bxfA$Ma870+#+wj)f&nFZpBd>m)3 zwogiaPc+V@pQq^Nl~eHnckxrOBR-jeohFPBe~*;(5zeJ4 z!w?%0_~Y#g+FIH5U-{^1Q(HI0)NAO^4L_( zndq~#Dq7Uc`d(q1kmXqUF}+DB_Dh!mVyhA#pnff5J7C{gRz97_sp|tc*m9HCa3uCw zzrvQ_kn35cCuh*}Q|Xz<+<_KO=A+}~9>yf=pH(vYLA_HyG&-5csrIC!9ckmFm&{_l z5kB**^R%)Tcb!h?9;`ihRBFgONQSngLi9n5(4o&0u>;hFHe8uTXla$pd zKs&2MfeG_6;eDVnRpm{U7+LSd%J;a z7S0sAcKO@|3;Hq(w%ANS;bfQV8iueG)>x$HJto`JO5hy;_wa#gFkWqQcFb&r_6xHTZpnMlGUR|&qjMuJub z)3^RgollGHUEN+Guj?ouzK2|@8ve{DOMrbQ^>L}%A5`1-PO~!IY96?S4?9ZKk9WKf zs6E`OAjT~acJ5aZ{qbq|OXMIl8Jeuk(EL{n*>Qx^x$5{}zSt1EWh+}c` zgh2|M3jDotU8^IDP=!mmZ5$V?0A*ADahq3D^u`_a23gr(c{za(0keCJcR1Zn+oci8 z1sJ_Q&=f1>U)Vd=?1)Xd6_|#I=+dp4ADCCmt=P!vTl@J3SnK%!+Unjz3w;F5|8>YW zeW1T=&k-l$qX6I+#Szw918$o&E7>W$KF${*B%xO{aF!|+~* z((SAN@_ta1M3CCis#am*zTjfRPWbFZKlomWjF@({k7-V5g?mRZoty_f{eI#b^sIZn zJ_QQxGEVF24-4@#>PSIMKRSOpF72OEc>PLWHh6;;wb-JaU9#rcWXnPMTjT^}3K$ii5UD6PcAUA}FsFB#Z9NUr1(m## z#0$#W#NzX^%km8yz$D^-DJo(PttN3iLwI72VoOg$v(mZ>xz_V%;F(ff5#BZtF6WjZ zW@&U$3JP6t;ugxEThW6J7P>5hUO1NZ`VA(Os2r1>=20&z=<116;LrFwCn#J2-$FTC zL@PWr00KyoyhFJyPzM-h8+BgFZKa*&Iid_|QrO73zw_@c-wxODidgA5W{Gn0Hmi`d1MMH0 z`=!_DVFA)Ga+rWNMdNMYaq9g(0d#VGnWKM*i$T)A~_SjUbBcH1m<8Q#eR)o zNCB7Jc5GOor1Q8z030P)AU7>R409P)wl`?f>gxLS)*JLUuR6FPv8jzeY1vBZ_sp8h zDOw3HmO|$x@K5LhSN8mHH$gx`JKfqxH;shB59$jiy3OQ!JyXuYmIIcgS)`GC?f~s4 za*SzabrMA}F2{sx$Q^olN0JpL-y7O1rp>S05sDz3|Ldw)TQr}VXAi>YOT;zYjAu3D zV#vZPJvDB`URqfcM8u7j;W4sIchrNj-y6up9Paka+2H2Ss@o4ij}HCv7X)cTUV3>P 
z%V?vV5`?mFc6OTMc&;@-x_wQjQASc)&Hmcp-dqYmc%>OR%~YM}PRVE?q!dX%AR`bj zl+0fD$=*#0#i%XH&_&ez0BEpu}fey##(PW;og6OG2N zyL6f6MuqYG-gZ}GPv{3V(?W3|R7x8Q1UbzkK_0NXL?O}-YSV<&=?5@?pB703K&uct z@uP7`y=?@!1<7i3;C5onY8r{p3De0KN^~t;9GLl?M9A*QEWoNLpG~P@ZQ-9H&rj!p zU`R_INJC_5e|l|Ikg-S`_Iu&8!VJ!(6EBt?mkAmus{A(hn3)bWw}&DRIn#fF-m9>6 z!s}Y~tVKNh!dzIp6M1}w6PCU)x=xrVZq~HLQ4rnvoTiNl1E}58f#04 zfL_j_3&>W-q4Wh9s&f-GWIOH@G;IEq{9-OP)Xcd&TF>GC-H%`=^&FwZ96?)=v zPU=ZiAJBuPUTa+LkyeXKmrJAW8sJ!>-ZbDRu<4VdBsmGY>lw4>pJ@to5OoNlY8eiU zb0Q<-L!w>TKhbj?!kcijR@r~vPk}?$yu@0bm@Vx)8J1P}6>cm@!A6U99~5?ECSq;` zTx?6dr%Iup?xp^)B8^`kNSrHLAA~$TSImw2hTWF|+@p>roqif(Ypy39afq%vOyeq4 zupWNrHCA+X(01v*gKVfPCvV0QgMJgw`39t#q#OQ^eMNFqe+3(_TrNMb+#|Ad1q!93 zqaP;5RV-~O1@spkm6An;Vna}5`}^OKuDnMCZmSahZL$+0H1DyiV`*K)NfK~7$n5aQ zR)x^(tHTs#Ul^p0ovrvPk^SFDJ(RF|aw%r*L4V4tOq_>yC@D5k>(x)Lo@;jub3=7B zVqioYG21|{2|_sh7|*nT(kb*J0|5u4or3gWcUdiQULwo7ZZosKd}%itM1t&4VHUQu zxUx8SO4gs#SfmOIJWTVc86h;5#kUb-wDxMl`b$Wde=1rg0MFD!j~pzvIL$caSB3#N zkVY93rv`fJwT!!47Xr z3vdnMujr8&81!t`s|)$3SGb9gUmtGS7ehwMT(> zpk*4N98s%Pv)D%opy_ra2Anq33S&6^A zp*(_|!;gD2DWb1;0Ou&h>?DPiZN=Svc?<>j>gHdT$yv0gy-JAODtuXU@v>n-)Er6F zrJR(IHT2qX1~8vAtBKe*MHS|btNhcqr;-pL-W1p;~tse!57{aie)|n1A@F8)4A&wDlWZ})Q{kBpGVQh*P zM_KucS|H!w2I^oT9OHil3z`8lIEmxtpn*;jN0NL^x4*&>b&Plz^V{N-|tOgeKheYixYiBy$kf$q%u82}22*Yx~{6lgx3y zy@hvs;G<^WK6-LZV#Ncz^Q}7%kmtd`@oum==hAGvl^=ySzp>?tkEgJ z^QA=j-LC@<5ay_y9TI2#iLAp^(Rzy~+E|WBnh9X#=d>Xjst4R_W;3a>8?%pP^htFE zh&>+=6FC*gx3qQtdHcR>l6C7*yx2-s6IM8cfb&cbSNpQhQ(qDr`}$3Ehd86#8(}zS z>3fv*Gj=u4%)9Vw1vAFiLrnOtm>+-#zn;;o!klZRds1rbJ6!Y#NjyRB}>P|Y-8 zH_OeIYgmC$QOr5p{vKtBN(xElv>RIji^b@S>FQ$VVO;Qej zR(doc6M&k(JAsoxP``b6jiyv(99DGs&I_T^8^EH6sbldpo7R(t9{-=h9e6 zcgoQ7rqhud2kwcBdH@STtI*D6RzVs5Libv(n}Ov;VmKh9xNNQKVR^^adaW{ikBr{Yg7h_Tc^x8DOIB4siy%d8Obrg`SrCL3=W&(t4r% z|D&AZk*O+SU??g9Tips0X@f3pO4=M%)H@(3J%ANWxbM&~?+^@6ng4OdbfFk6^Mam$ zO(DXJal#tmCOCONr4Oi<7272EM{Rws34jw6=0M0ceGvXhU5EQ9NN zV7xx@KsLr1GdsU4R7yHZ;77jiets9~v%WHiBE z%D5rz36hdR{vOxE>?RLrtypt$?Z0v?80+$-#HeaVI~I1nsSV@u)Dfy`E_9KM^5nw0 
zL*+qFXjbr(QP@>(XOnr!{^cNixt0MKAu*wVLH$+*aA5LtfaZH&UGqo|0tuh}WI=O# z)b#*ut{3*J>pe#8)5FG=6@zNa$Q_OFs=O*~*^mrQFE!V{KRH^=uzECXdKC7WsA=}q z|KT;ZO)wy_E!CijG%`9!MF&RY2gwMT|Ca~KcOo6l?nupCi?j()+Vsv z*l#N!<<^f2Nns-kSNc^*n{T&b#S}^X*q9h=LHWTiG-8PVX(=J>b?nBi|-A7Mr=nR8XtI1%bk$EFeSkZX7&)E-R0bgc^TM$5x1E zIrCMc>87p=OK`Vd)9M5r=e?3*I%OFv!kSN^zE`;yznHs~kFuRkB%EUX3GCtDlBd(9 zswjiww7WwCyhoQ_A4L5V+rV1ycj;genbA?(dBUT*vkR%H^~w1&k$;H$QnJd?{)C{t zXLNWYoX7ru4)}|liwmAagZxCMq~M)q0!J^ej^gL6P@-_jkOy{7fuHppZO6T@XIhAr z8J$=e&}mEC-|z2%pRC3X+#eBte*U=ASwnC+TrhqGJNh#voK1^Cu1n1Lg6#wl5H|)y z9WhxlgH7Wg>zJfkRF5OY&M)s4MaZgSP-NQ!PB14XL~>*gL4Og(A{(~U_BwDXg)VM3 zXD;IyeDVwqk}`#;lgS!%f4vP2Qejy;uB(I4bJ0Rz2jv;Na)2k<+c2hD!Zob%i7W7D z4VwZQ`fMT;J-`Ttrz0Y%DfLc=#8B7Cib9PD>!d#=&N{MRlVhc|l?oyHu<=1f%dnvF z99YJSmUD*9)$PbJQ)5Fkak`(WE)Gz(A{@qRaNq#|eKmZ?gFw97@CJTf_b4BU+^1B; zkwPkM7kWQ@&6@0`@gFo&QP}?I8-RB^*I-g*K`~gJyK8`3Mnxd*@ z-D&AF91Cl>pgFC#^38k$2j*BROriesxps^wjDxE8q|;0}FX;v_Qpt9zP&}5%2%^We z2ne&#^d_Naog==3>7-3(pjVB;%5;l03Jb$03?5r%ja#5vL`LX^pE`!blagXiwL=)5 zScSZr9>=7jV|^x-(y-DHFb!q@(9iU!k{91V2CQ6Yh!nDGgqqSJq!6Ff@RtQ$?hni7 zy&W8OoKZ$nG+$ruGt%(a{a!-yX-HwAapweGFS$|MPoNWf*EpZ^M-j~dR4D-H7NW$t z67wI)*I5gNqN&(*f8#Y&weu*a4*%p`M=1gD9A@U0qRiR_u!?_?Eg;FV1s)SMx{;Fl z(s1#RPB>GN%@;bKg;53EW(VLFHVimO=A5&v={kdIBV#)Y?#hAMDaerJl~otMgR#In zpj)ek;UViS=-Cp@$1YaX7J~L4#tt;BEqSipuOp5Yjxop?P~az3_gP=@f91gDwA zlA=W;-+ti=c_ytn5yLC8P_o^24%cb(TohDA!(*F}Yye(hx)lXoKOd2t_);s}XE0r6 zXh;kgaJE&1jJAWknx4ljEWiZglbG2OXiq^hlISQJ2sWNX@urV20Zx~edVZP2@ z5%@u-8V-E?2%&azpdS@2*F<2~9g^#l^o!OK=ho&f!DbN zI!G!SMnF}-+IWJ2ks3Lc%Kj?nU@-Sd6r)VzR{aFL~a!-g`W?$6~m$NO;V$$IfN(kbg}Wp*}*B zBJ0oeE~0jiN^yd>6KT|1dddr54A-!>=Ck*a&T0Mlm|EpqM-@T9n!|S=g`PrQp}b{u z3`iK(JYvwN4?(7q%l|wQD9yG`z$eYH^9jeh%Xq`ovRG#fE5fpF3Nk1}(nYmIE?dsG zsjLh=)bNLacv_!otRXVA@DM*AB`n!u2yIPnhg`7u%gWz+jccY>XO(ffE@3GS9{w}j z{MlcSgq5rqa3`Xu<&0-r;kknvvfu+W5GkI)l3^{?iwz#}Tl)@t3;3E3xHW2p@_I zWl;ifMjDot(r!`~bOnv5eZ<|dVgvZ9=Js@mbXkwg_f^d4lb+#ss!0w+^7|tmNm)&X zwW2=Sb6=oCp*7D{BkZjY;FcM8#OdI4iP*e#wp!W&YHV5sRKw-QBHPPhM8njO=8&Z6 
z#O*5vD!z`%jSx>_4f&!zH{Nr|sS?Dlg0FL*RRhL$P6nqBi*&Yg2iGqwSK{bd^(kB4 z?UhbwouLDc&0gOpr72zxe1+~q`T?c&__aNp zHF#RMbbP54$vuGckV7&zc%byO_e7Z35k013!ZDONR4s2K!bK*EiTC6THw}+9~yK50t(=1^&1`ZoD)pGO_fOiDD0z^ zlvT}lnKmPrSJPiCRW7C@@?S28LY7Ye++-wAf;qAub_;BN$ALY$Q5fZf&omYU&Zt(k{%(T(v$g4wIf#pSQ@|AT zBy4a+U_PkWhe3@W@F)CK^GR!zpR%nQ7)cX)ml6}AaQ-IR+@y3VBe&@waX1HQ zv;b`%HPgQZ*2w5ivOAZ!={>em^=$ilLWa-#NZu-j%iY?sM4}RJ@H?WU;hL9LXT2hkae_BLvst{ zF@#8J=ZP?-9WZhYeGFKpNb+1;-jZ`C(DE=+FZtMyt!x6Gamln&l10h zoX90|F_%utoh+ZHr#ZMgWlge)8SEqG{D1y;zJg1?K$b{!GXvJ1S#~znt`7G4&!u>w zl}Iw9ExITJX9^@pfP2~q5(*T+(ksk>m!cDUm1*QCN4;)K%W;NkDKhUk#^i%H|1UiTRh8tws_OPF^^@3Uuw9&DwF% zWH)<08TY;;0iMW^Om6D82_c^fi$Up&1=y096n9Cf@lB}*w6FGu=jYOA52pORqngyQ zjPM)bh~LNP--@b-$~t^qTaX7XGR)p-tiZ*kcRi$0*&(0JlH&3V%F;n3PS6KDRAIu2 zCv7vX4^6ZP^kK{$z zQtc*uMT|}AgV+lzeKDtaJYnM>W9Mxe63nnvU4!&ZIa|O1R&9Ek2J*L7VN}l>gygi4 zzdscnvYQsATB2^|mPM}0OTUGy=7>pq0y5JMd4OD+{|0a&sHaXD1b`95uJm|xnKJ&b zQ$iyil5$^csp&5z`##&u`mmJnDeJ9pW_VzXLZH)MzXlkwnMuc{BJ`t8m{$Ob{QOv# z0uySI2zSQr1}^D18Bd_@({r1yL~)4B5?ikdwjbcpuLey2b(3v=v5AMXy#t-9w$Po- zpE(gIIX?zJBU&c0&RYYdV;A{3q7^l#f5WY(knG!Wnhm&>BtlMY3aFs@ix^I14=r?j zv)YU%3>B}*ZV(FLi{0|R<$%?m=|=NBCYjw2LWf~EEMAbmMFhq>YE^_Inj)wBQI~`b zvJvbg+;snp&hK*|Yb8W$P*(HbJFnSF5M*)vCFw6>+rc#=#$B|RjGmGT$0_0ujL zAh6xo@>?CrUK<`~UeqRaZ@Wq&+5acwSLDLdaHb~u_rchBwaV<(x~!{m=O zb)hL22B*U100oaXQqC#lncy9Uj< zQSAvO=;fAm=*Uxi&QosAkmUiTi=q~+Rt*?>hABz|Vm>T&NRE78XI#$0))y!|i$sHF z;{c4Oy%*Y+j4$Y#H_v{8$4=W=^JS|m3_I{jw&~!0fQUEw52}qiVjQr02aj|m!dT06 zFlMnPfQsC%CmlC^>E|2tetMDQx+SW=ffY0>%i5SUJA|mS$JA#%>50%2WeLbTKQ(L9 zi*=X@4^}e(y|a_<`8^@5g>bOqUKKIWI_G~5wf!kE9=*UwSK=dTMK*YZzGM-g%h`LI zYi)q*>r=nwnl-{a3~D)n_r`3?fV{I-3q%`= z4gm4PG}VI8f1%%;I#UychZpX^qAos{SQ!v6@gQ%p&eFiYp=GmF2$t5Y)FRXB0g0nX zvSZkUWAzwE^9v=`?o5B7+&x_bn=^&8Bpyu{+ftaaWmZgilMxa8Ua~W~;YlNWx<0K+ zILX0DRbaqL21!?18S2$aD2v_@MVFT5#^@^;W7XZ*dZ zDb_-E3FPG@YQ-+ohx^K*$+HK*JM(f-5Qk4As0lY^v#(6|+$q4Z++U=|u`}NxC0Av7 zY0z@ux+#d3?={)skB3#`BHQ1=kX9OR(C-g!P!l2*C8yi1Po!_yqHSoPD^K;)T5H>D 
zIqc!xKYaqp{o%VZ!cPktMN=wZ5JzG6#&|9^(cXbDl?IW5erMy%|CTWw_BDIHlls;_k@;AEi8?+kvguv63RxwReulJV1iwiZWFL@s5kq000WYn z9Nf=P&<3YZwWg%Z5_RrI5t+qiQXu5eUe4E|domML3v31IlNihrp{d($I` zN_*`l`OOb9*_-3%GUx)uwjJ`6TVXP-m|v2IeNU@0wKA`_?oCNZMH=$6oeq!OgQZXb zEN{48sCM);ZX$m**?_lh`1naERRW-sDoG7-3J0x}ZzoGz(_Q4vJ-f#mSMoAco4KTo z*=tlhlrL_7I5H#IJm_Xm&$@xaM@yNBT-?gHF5P!&wO|~goJMHpafrRqF`V_#I}04r z#*gF&!p6{n;Y^3UzgD^7E=psq87xUscK6rAAS=$J}#Ihu>q!IR|k<5X3$xC6Okg7{H%vA+F;_v~!@k%(V8Ue?*B0iyS z0`o;qHtCBVvvKK)5 zJ@b{TIkXN>%-{ZnDyC(xL+I{(xTOe4M)Y?QU5`-OC~&mQI+Cs65ce^JDO`z1jDhu?BD} z5C~MGBhF#%Yly?5iNKi(00YVaPp^H=$r`pdI%gqw!GL_c5ly1(tYZk9fFRWv#<>#u zrw$2>H}y(vy;OxA4IA*Q7&Qr^ogpf~0}G`CZW%ns_l{24(eQgLbp4Y(=7b~%r=uR^ zNW)=w4)Ti`{r{fuz8hhIP7 zX;~BAD(bsp5z|}_A}6B7lMh%F9-RpRJw+Z)gkJGpOfLSxiJ+s!pGmAQea@Z-RWEGe zL>mz6pOr+QjE#_0zBg|XLeSPkx@4}GAIMBJ!-Gz7zp<&5XSZ^A)#2!5Z!l(KzQFrY zp*Oq|w{08MTfP9&!^8KwZy;2Rgi>9|L*@3(-pqRKX$#=@86*r0Tr|v1F40uX9`2r! zqk3=V$nY-6C(Ils1C0i3O><5xzY|SLur3W&PebN}kI(rIJ}f9trRn|Qz=!i-et6nG zlD6I>L<+50CJpcmO1La9#v`4Sr!1^%ZgMJMnnW__SZ)}VMI;kRofz)DAy2M zA?brq#*BQON39JrtAx}w=d&*AUNCv6ChrEMlX&FW73~s1DbYs_)LI@LYR*}AjV_|u z4+TfqQkYYAZpxsmHOtX4rt(;2v{V(dpeI%(u_FiAX%($V5cwl`{K7%OTb4fjP@t4; zY>V%=3;CUcar84x*)kZ{3n;On`q|W!BMFvkOz+_d2q93eP51&Ut~T|z2*;0QF}$rH za_bv^2h{^>^Kpg&nZKJA{aSry8@fp-@EfpN%R;t(Wx8v6hY-yKoc*>;?wC&+JX`AC z7)RgsO=y$fB*?=}zePJh(-_w>-I=7uLd8c4nQLVsD~-UU^saBRQN@3%oqj#X%>S+Y zh#1pK?R>CT3jd4`GQDPi2Qx^ElIK~Q*p=;G<}y++?pe5829#Y75{nu^S~TeJ=8;c+ ztt$zuZes#7Lq+_NA;@Z|Hm5nbwT#9$kE!;F2cH2yEuh0p?)suml6F`WuwHCOX*ip{ zlYyxA%DD2lu3cS8GGy9L#T|d$KQ^^+a;ulF+G2ZjH#wf&l#ed+7q+U@<C!0_7VsyLdvW_TT7T9Q`aYs=N&*Mjo55(EE)Qsp&0( zZzA^~0J(K5qq)$A%SycF-ikO9**~qJeyw_!RtbC20$!0y;}lu;Gt8|R)RI0i{V;5p zVL;8=JTiwYX7ChK+r|1xtrMwvqF>Us zR4mgrvM6l*@obf*a|P6avcUzQG|s?vkUrLTXOIfMTj3+{;49H?nUz6GAcIuEi{4nr zFUbIzX|zReY$lSv6u>|b1&)^iqsE;nEV$pMl2Z=BH*TWX0P~zNMJ17}kShFGR3G%8opxgGfSjik@Iq8#Ib;Ru$ z7ES!)nsDB&&u|inj77jEbgdSzr)g!;p8(-3Z3Y1Dm*Zz-O9{yMPWCl>&sMiufVev9 z3eR^KjHwnY?2G?R&xi(976Kx8aIQQ8MuC(jnimU$pX|u6y@7oJN%{Xc=FD 
z$M7Xyv@KhZ7EK>PZ}k8YoSnLz*CJ=o_5mzppvj#?`JZBSfXaylWF(YTaZ6udt^_kT zJ+a;~g>-|M5~-`#F}2Wuc|L`OCz~IxPYJk9YQYPL)+@gA+YQFuiVr^eycewd>HYDOfz z+`R4o+ZM)_yu}h=0fGDNa{n{4pa1#f zT??9moj+4w)co)E`CoCgpy2TTs;uGCcrfw(H_LN%RU9e??Hf}3=pMxTtY!0B<~(?2 zFPmR&@aLK(#uBxL@A%1xXQK@;C(08gu#y@4=|6rt*#69H}!gvW$EGR(&ND@GuTmI4G zcadDEfAKa%evSZdMvj~4q-@ z2SB%iE!^f##9-obIxmEK2^;-uF8AqwcC#E?5O873%-EgMF9j3iKF;0U~PmQ=Bx3hgr$a%iBeB(pk8cV925U{`$y-e!}w3Ky1 zm+l8-*xt$%l(-g~tN1Hm`@f-=uISEUY8U_;Ork$m9Gz`Oiml|0z3k`8`39^ax8ZFW;neL+q$Y^B};h}c*1#t}QM zCMHSQ>GZ%+3$eHaaxv;keNgCAU^2~V`c|}-Tt1O+)Dj%*=Bd2^L2#K;Yh|$L7i_xKU5GxS(K+op2UW9BEa#fFE3K#5H=40IDEKY$;R( zj|`FmBc*a9Ijg%il;aGK0=n>#gOq~p@AVi&w(S>O@KMgTD1;vY#1-Sbr+bRZOH@V3 zQ3f8^AtCx|W?U+M=>~Nz$1SytJhXL9LBsS6yQ~`EPm9+8WI@J)@_stTW#kd23ZCUl zqZ{L~TK4&94n6vn(+0tBGgOLzVk-+z?=s*jr%C3)ix7m>XkW-KC=47WxkQKOu_5`- z0&t#8mL1h;OarNLdev+(n?W1W<8 zRT`z#UqW!B%3S!kB<<8uP`BE|=DyI-F>Tab%VP4M?wK8@V5|KudSA+7)icNQWh9`$ zs89fYlTV$O>y=g#x?XDh@`oF}9jgj;JHLt;pOX@pD$TUC(Wk-=f$)%YF7gtyF>{dQ z1PZ9-W6cO0Q{);dsL|kCUG*ZUDt2%Np$d4BqZIc!F%95*u+5@QU!vLboeNX~d7z7K z)d;+fme2#D4T%P^2?9rFI@C|P&DeR61ZfR?ulvpvezo7+e6yn&0?g2}UNbd10Dz^X zY`?MQ>OIs>Y(1MyeN@0)zC9A;AIHo@#^OAV#p>CV7?CR0SP6$c@vdG;)GfB0?7e0- zrPIL=Y*Tb{g>*Z(C7XL^`}-*!6Y#V4_PiEqp}r{~)s2Pw?NJ=Wj}AV@D&g`s4QplK zjZa{$I!&!CD|>7eBpc$Hy$gCyV{$-TH#Fr`?_A?YwQ=B@Gyj>rJnN!Ap3LG+!;cow0zm38579voyAtd05P_E5l8(^%NG-_Lh$mdIEJPVZw+& zaAFjHRRz8Tq{&HK9Qy{OfL%MLn7`1;@f)kw-cvJT6@xaak{fz^OT8^&)cb^R5M;6f z#^gf!7TQnxB8Y%mN!uKU`VE~Z7T`c!>Yh3BZZ!+8doD+?)F?k+3=OFK>5nT6^NH~< z2d}G7q-Puivhgn6bC2pK^02xueeF6I-7qoG!_{872VvULTR7Ujk77P2zg%u&a{iY@ z0rY30yRW6|^A7{)eB0*k(A@r$yl(~bCS=WP6hPCP?*$Pc>#$m8kV)@e18+e!jK(4w zsMk;+9mYR|eF>j=)?;N&tva07ro)vv{h0D8`vQb$iGGA{g`PJ4?UxZP!YjE%UxDgH z-&CSQ?z>FUr@8iVEB%4=Am(Or%Hrp2qcDE51Ss^@!248tIXbc+DpW8YX3WY!18$V}Cn@Lv+hO z7;L5njb+8LL8K|Z;}=CI;?B>gI)G^VKl(TkQ9h?8iOFfI4(FbLfC!^cn=V1{xl7-z zBB^PFm77&lLkEhrILVPaMQ43~jHa(dXKfcRDVm42Ld=g=fucoFv3{&WESnV!yH?KU zd}wY{GDFsS*~42~$}~)zkLu^&KF@`2P~rczF?sb?$v)a;dK&aSred{y{~_L2kAi-# 
ze|F0;Q(6|V)QP~D*CHo837d$sJ3n25fjW#I#OAC`_#vW>1B^l8d7IR^aCF6^lFh_6 zP7~+pEEv&eyI+%DeDi5RbMyyZb7dq5CcX0`3sLaI_f{}wYRo?h!$K(eonqA!D#`+7 z{T(Ski*{YV3W4POAL8K(BdLmlXGa|`pEbO?YEb=r6=fK&qHC7@C%F?}#S%rc8F6Ge za75MUaleWsFQ9?+2)ABEKFt1E%XbhAS@f@T<4^cJ#9jKzmTI;jf^0Iz?TSgkllgl&kV2qWN3!X`?{|0rz-&N>$pj!W* z6d8&yXy=^d+0mKm>VgSH=tIo`C09K`0g?XeO`MIUli(utbIZ1Nwq$KI5)!#AZ=I{? za1gCf5UzH}LZMSQRi5w%Cr^6ctMX>f)kT@kD+Q0*o|iBhY(CW1AQ!3xyCjV$FRyl~ z$cqlAd4yu~Z6Hy2w- zPm+(a#>LPZijyl~D|H772D9}vaNOkCsdo6BPj)Ul0nZK!= zNXJ z(T)l@B!)0_R)Obzt`Iu)WMK>h;qL94l-wi3u$)Lp&7+RKt+F%e9B}FwjV7|1I=0En zSa0y8D){`s+}JJLjvL*47W|)DyN?RMCyDxiKo;cG>KfVtx6&8U)T_-^Z+45+y#>)_ zY7V!i`6}A0#7#@neLFn>4Xk-o6UwfofWDAy|=7_WXh6MVjjZT#O+BCwb>?KOkkh9uX9RS(UY`pkcvTQBveraaS6be|bRJa!F!2-IC>v-w_!71S8?aX@ep@~45W9g&;P(d4m18HU1gzz?- z@}j1{g~LOaqX+CfN%MS0>Hc5O6l$H2nvlyJm8+MS)Rl+TiGip_^gjZx{6_%VIX6(| z4Vi`MsF;HpSX7Lh#H^|sXW~43Qca<}Wv|p}t_+?cLBuA{k%Dx9e>T4)10qHb#1Xzj z>>Q4RN^q1B^f>0hDg*|O%=NU7Wdi*kz#gj5Z^%5HQjiqBt45DcMWJMv7YQecdVx3x z(#f0ZEOI|UO-G+6^kd?sv7ytx+x{WVwH?tI4e_5{;w5rQI6zRaVlL<+^s3|_khm|< zUl_%!U=9OfIrA8%q;|I^FIo~qBUiKb+zrnuBC{EOQl2I)hYhE1DUM^V%RW}Pq*EuH zW$bw0Oro__$D(wFL4s{eH?B#3&9FYMAuV3o;Q_S!z;)L;naTQhUH-`b1t~bYu)4tD z-O2_2-@BBwAd!NxQ#P$R!22|x1S-)tWhC;Q*_v~S3wHF=)PJkHC^jPkT?r!q*(Qus zfF0~L!QEr>Xga>=fP(S}cs+lH7_kp7>@jE= zH6cbOFWlg6$Z;E_d(Mrx`CK%nLZgofeMHUdbfX&+JR{|AB~ zfr5poMUaKib@`LQ*;$ydqk*)k4Hs#-ZwPlaU7t#)^?e=1)P0|FeuyP0f-rrJP49<5kE%Z(0;uw+I>DoHcc*-?E(n*O zdje-IsZ)fI&z?!M2b0U4hju{-fAwqzv=c>@OL0(rsgp8!>Tb7fnf zPjqkv*jg+yr;RE?7L(~qC8vE{(1tMP(3!5G7rHc4(kTYw$@0f*T&L?|^>X9XezZw@ z?^=lS!YJc$f-UPLD9*fLGMZZdadg+V8zTqWjlHgrakFib&*8spwSl$ zILDCPwAedxl$VxOvp5Qi!P0|r zpT%7Vuq>5z^PzRIitPP*=c1y=Jo9!lRu9Y*Q>c==%0C={R%A+$G%^%&p1;(Rl_+gl zvG!`pabv?9HuZyIODP!@n`Dz_$@6V)eY2ntPrVcTHnr>runD$$VN^?Y&Jr({Mq{b~ zTy4lv=hLo_WcE!)%Vk$@Yyrx{`IM%R=<-qc#hpP3zP!v2`APz>JY0LCvfHEWe*-z$ zyCt3hb-fKO@~WLf#9xKVClcv5GA_!OgT9}`gKwebD{r1}kAbA7`xY#rE|;BZBYT{M zYn}Nh^fN>}q+B|hFvV{NjYTn76=N-*lv|S$L_J2^&@jv*X3hHjH~o-;Gyv=N64t6n 
z6x7MN;>cV?2QjSJJavhz50oslCK^FQcqZu;noe_kw-E6Rq;NTm5H~ueUTE<(zN;P! z5R>=4X-tA)Yb+%2e`*#4vHVe|{!(cyOW|zm$4R)1Yvd8m0M72Xl`N`?SxIYJz9-GU z22)20H)#y)Md|3>NVtC#C&%$+Wc7oAb++LvUrj-k22Gh z9X1IO6!$**#J<#C3|Dx6ciiu;ehFSrIwy~s!1n>$O0ipi@*z-UJusshvlcOf~Br^VsD1PK$Libpv9^hk=EFJqPB5-wvk{34=cd7qo$@;ELc6PWzSK zybBqzY_k(!Sb2u1_^Q}|!zik*=}=uPmaiuw!m94yNT!S~Ln+x&z(0R*Q=m66!G=6} z1S#=O{-tR7NN9X7_8pDF+0BPMJp~$8cr#E1fm+dPLBuuO1*edmv)(1rf2a$*cVGG! zJEaQzq|&K?niLT@H4IE{B`dWKXD`SswY^~^N0S#fYvm=G@wVg8&tO<(@3RLWDwWBo z1de&U0~=GDG(kK;yjH;o)rr-L4U4+4d&kUWfkIEdaVcD^B1Hnf_Ivik>N0zypG?D? ziP@M`?X8ElAHX{YK(OINWe)$5?1F=DUw~E6P{|9=0m5qYQ-G|kg>3(w2Es+hc^12) zx*g8U+Z5LMr;poPw75RNN*TGgHyJTx`%E3#+t^@U@ZV zr@;pN22Dk+_yi?(bMCZ$0XVAXbpJJcf<$3#Ec%+nrEF;gLw7t99^Z<1g*GR~l-4|4 z>9a2f(@4J=f*QmvXIre@YYiaMxw3*O2eNF7TKn=%2DM$a&NLQv5VLI*eyb!OQU|;_ z0LLooEV0x0-lSN~vLTn}LnZg1xndj(S8Xd|d>q`k61Fjr;*Qy;M5WreOJTDEWMkib zMxmVZ7eSon@TfEqcwVDv?3BM7>y(_J_B_YSNO7{agF8HubFb-vwYA~;4 zvP@v61IvQ2g={MslmyTHkV8*oP@w6t_}JNAryw&r+`i$v(ssx4Jb!$33Gp* z&qxY3{@M>H0iF?xagCG4R!$Dna+sRD$Cv#{b*9%yyd-yU6d4*TQM5h78t|{WXq~;o zcmBlJ9U(VWU6~LxndhDA9A;o@ZY!NLy>+`B+Y{bnYsjAKOHLakCvThZSt(dNq5wmU zPB`S`Z3S%ekPMjGO(p_5e4C8iMD}E}E4(Lfje|T<@LxvMJV0R)k1(h82sU| zin2Lbw1CRWA0-H_LF(jNarvGvo<2Aa{(lCSHg_Xmw=aC<@rG}}FhrjL{_HA9X;4?T znlo060)Hnile7tSYQ&%1>$-JbE%s6?)oG4!o&BDYW7&D*-l8(3nsarzI2O3Alx|is zFdbbS28#ke0wG(mBM#Wqe1@HtuCqI)4l}#|97a6wsG6mO4*CfE7g&3wVA#HL|DWOh zaJC=gmXmTUL8`9B{K>VJ*%UI*Uw%;T7-)Zpxo<&~L1gLZrvLtV zkyD_c-enYYmR4gAe~xP^cJCZU`-F_Nk>@=|(XZQkzJ1xtDTh=mtiV>O{9AZV`~rz? zsHA#5K9X7#&RybrK%AOmGN>E0Y@sv~fBBe3|0Q&aUbcd=-0OR5! 
zWz4H`&g8d2t_#(rd(=87=HDk;wdwv%CaBDPkn}}vkqL>oH2fiJJfQ*j`GWE;I zJNu5nm;yt%@kA#;F;t=I1YeIjek=rZr3cb#KvI8wF@&EB)f>pks1pes**o6VVCCF% z?=l#TekwApXd`7lbY86i-pc>~e1RAd^JrvTY9rKi+%}(b)ks)?;)6m=F2(3fnDiTQ z=RcE?HF#`(S3MSm8n%ojk&v|gXDxNzI0c$VVM6gv5fX%1bqyfWLCta#Dc*O-CKuCDPE$E*asaHFkr!>Ia*iZ&sM_# zry|)}oy4(o<+C~^d4e(M?)+swESdohel$O-h~;LF|5hv-cWaTr&OpC@!<=XmhwZa zLy2bg9t>p$2p^?XJeaC*ksD)!9#Ds+Zjy!h{dqc<$OP0Wa;23$|8|AKGCrLNbaK&d85k7^LP#u&Kt6o+xRA=Bd% z?QKSok;cHQS0gwnZs_^v;VgVfx2eQ;4S0te3vk%QF2FvMRyz=dIpT9v@Rq@ zqzd;WpQo+F@Zu5~&3cmUR<}TWtS7tQeBd#9VkEZyD??%6ReyXl!Vk>H4UOw1BJJ~a z$@V}Mv$JTD1etEYETBBkL>*%dGWa>dWo9u94KYJsIM^EfZ%5su(G3kJ$zrO?Zxo8{#Qe zZStpCkef$%Lmn6+W5=lTd?|-t8CnK$C}kG3nA^_mi&t#C#mp>w#t=03DP@dM+j0xJ z>PoNcC55=kf3KJEA7Cf`Iy?*uIUS0j|2c&t92CVt<*$1pKuO!Ue#Bl{Cqp@H;V7_3 z!h~2wc$v&iOOC^w;+~;93dloMF0tN& z7hEUt@gkJ15oAoMrVcoKRGeV+ZLG+8whXhWMny((*Ld~~G zevsPg!Z!vhH869nClrXVU*z*i{3xvv&U%Wh)ovmD&1@C<*@Euz5|#fQ#O0MbSp=7C z)!DE2&j07mf3z_-6P5Fag4QJ#9U!lIUne}@HvmX6p;~D35YL1e=<*u-F56rUy84b< zV2*K!K=K;h;_tkGn>5PB=i#T(R|i3WPnH{_o_4Q=Yq^p0KS=!#Es1+l#Zlpn65w3= zWys;h48xU5>JjGZw%>7tl=9<~Qi!YzkTK%w6~P37yCOn)MkltqHPA`yGl%iNJ0hzO zWI8^eFsWa-4kNuUS#%+99>@EO180)!Mu};^KjYN;NL0qilv`($b87^c*8H{1(Z5{8 zobv3>J5ocZmN9JerWCmODYlMdk|`11-|fY}`MzrUAGo#i&~a6gAIH}Wygpm#R)JmI zN3dNbI?796mNB3m-CjQxAYhWG%l2(1MhDlw=ZD9P%$SF7{@+vE@e*lYi3)=16j{$G zYb8VVGBXFOg+M%ij{o`zN#gqoM@^dp(PCH-MjmVnRI{`NXdx&$EtegqL zIkqn2983buGP|9_g9B?k@BgGFIKdqMXJ$$xS=7J`#0$3^RWz;8>hWYJKxrb}9PU4X zYw5(AIr(l{ucK9Tqq07TCAWI#o+*?7$qk2-7HxhCz0{RSKriaxcLPQOaq8#t_RZh` z^+`jWo`AzMS@~i{p3-K65d$bv=Ups6YUi{7rP&wH_F8&j+TwIKv@)&D9D!z`WvXrL zLYW*jLe45_fBJX&VS`_x=IMyh zr}_^|Y0q#FCofy~Bk*8>Q{3U4Sc7Ge*J!guFN288vWm^x67k*G&95-L5c$IfX9DFJ z&@x(>HJC&^3mqL~PgX>$_YgHd-B`Mqy6nGDui(7K}_%e;;?`@ZD% zpz`Ev23h9dF~8;HLcr9E8$r4omDqBuzC@CYALXwX=b1vCrDGfGU98svL&n7hu^J{b z>@8IVbtSi#1(->I|6gSDu8F){_;;m`&I%GtWj=C?{oYlM%JK{o`Djh`oH3zE`}xRi z123&1D0CiE7$-}){32xo7advtix^}1GJdkWH9$nV9Mb9c%fgowGE^>C7+FMix0Eac$K`0WRE>MK|T57zrL!=7!5t1>iwp2Eq>4HRC|U{@wsQ}-KEu6L2x}N 
z7bEyIIQ$!EPoE}Vp$Zc|IK5ty$E(cTy)>mZ)4ceU3g6=&paOMNV zUh@nzsw)Jm*J#kMeZ0v|-~rceKWkq>L7O#aZ9~l$>rj+lxoFLuBm?ub|Cuc>)_;j;|mW&J71tu($YTiHsLT>?(yg7ZPPQ<5es-o7fIR~18 zHjLVxty?50f%P?uL!qFO+thmjKHvAmOiTa@x3}XqVYY_eGsAkTSf)x$1Wc$${Q^1T zyBYJq8NFatej>JkNxqtr9KP{d#Ry(5lJa~v@RkZ_6O?NL(XBpBU>>e=3LT&Yqw6D= zt23vkQw=`_;m=D+vGmakQMMmx&+Oq~r>F<2yO*E~7ja=o_+>M-A3%vU#P4OIWN!$w zaui1D0{!b^k$4>sG-6tjphaeEg-6${D_=h;F(Ok+u%Avx9PLYKop7)C>k+=%e>gAA z(>6DU6TZKq^ULCd7!fB-;8BY0{?wb0Id~HuVFgZz;Xy8SY51)VR9M>o_g;TVpS8@K zL%RB#O*nf8)C2^4kkeh?#|*u~MkTvYB7v=CEdFT|XxCy2g#LRb@vzz#1>cLpaj;G# zIuHjy4-07R@ts=U@_>kUhGuhr_2!YZaHGj2o3B*%r*@wtxY~%!X=IYBf9yT*25BEKW4jvj{r(GUVk53xK}ds{ z)ekTTjyhySYr_T0zb_$9_F275gl$#4`qwzTg6bQ?~wE7*qxJQ2R{+iaV-GzGohl?%%M5L;XJdQwyp7dBr4AR)6RkTgfZys^fzf=Ie2{(*C?oQi1rdKSBf3V z$}I0-Is6Z3k>$q2xrjfOa}m|uWLOmG|K9U5B9s<(9y9_u4{mNGEKgE57-1O)(A6Ta z&paOU!`?FUA|8>WKB79KK5H+H;kqi1wt^2ecu2&;p5ven*{gfACITfctdiAJ(C-B`s&N$niDn5 zQ?^HqJ`wtOJ#GWsd#%1~c|syl!)kr;rjUFw?KsqS!+*UB|9cP8&_huCClH{0QJ+2S zaDwgn_Gp?DaS zrJJERn6TP%-VkHjWs~6f=H@<(0=;>Q7YKWn5Yp}QEsW^Qsxy~8t}fj04!hTgntAXS zP7UgoOqSN3<)KH}x*9y(^2>>!(R5en$lfByrw7qk6}j}b?qpLhAf4V(=%{??eh2ba z>M{-+krQ56#TLoTUZg$D98fz#W&b-WYM1nS@R6U9IC@AA|zb+umHaY1MzDYkycs6wHOZNZeb z$p%Y$hX#Ukx8Ms6GtD0PfeX$N%&#~VUKd_50m!Qp_Od!dAXHjf7?NJ7bPQT@Q-Y)% zy2ERx^`eo!IPe(H#YoRae`BqS#odQ^!oU zZpa`sf!j6PvB$L#9_U1CVgR>^4`dwKO+!7&SU;RPkTzs{u`$F<38u3Uj45nHY@R21 zT4qT+_@@shvs@8C(JF8!*4(vENq+wV=nndB`h~&P&#+**r<6`cN4Ebq?sR4;rDfAX zDskC(u&)iUIVkWCG(g;#E4#KULkfnpoS>YY@Yk@%I!6N=DP$gs3y2R-iWB>!MvG8U z?fG?6Myb@G>kTykkE4#VZac2XAQ~F) zTiO{<_8DnrNA;5H%37I&(bbjvZ|QN>UJG|hJ5IPRkAYxMGpLPL1a1OY-?==461x5w zNVKSYMaEjw+Kb#rl_3Fd43DYjt3Rj4z3aAM_KJk#y!zolBi&(Vdil1gJ;K`wcgryE z#YNQ`U}uPPOhThJMrTauhOw|l$bUmN5@|;ZwaNgQBml9MWvR6g>~D84L|J%q<;6d} zb6m?+K$CF{fCr-0bFw;%;vQAjW3eCT(*PuN?QTZV6$JiMokmuQ=;-MBwQ&mIx$Uccf{P zL4bNUcs8%dn>7 z3^UUC>zTu`z~S?}_u!3h9M%!)Lq4>AM6Q?T5+?{deeH^fJh4_lsHp_r^}A{Le?VdW(s>9=HITbr45{QJy6<{dC6t zZK2GGD{jdly(2(u5qb}?wG)}Yzd*mr{FWv6Cto@UgArLNuIoh^-)) 
zJzvg=8|oQ`my}0_B?H8TFCbR_J!T(W0@gvVzG6s2%TU2@rFsBHlR_SL!c%#*_)hwq ze@=V$FISw~0t`+2wfn*pfP_a_GexENs*p{pZl7cb(jpsXN(RnnJ&TDQ4-Xnl5Fz-A zc~X_ceU(pS+O`32ZDG_fknOiftMiCs9pzUA6x7sA6QeIA*2^YK+gp?S-(|wA(k_`l zg7+_prpMMt{BnGiuJPHnW%>ft`O<-TU1YhKKs=7N1VI<5Gq-|f1k57o%wgo(bXy3q_ z*-v?;M78oUzxjg#kAru-Z|ljz2Uy)Qr|`<04l}GkObB&~3Ere7Vgu$W=e1Wu8__KO zHAX}t=P`LJR!qHJq@h*lYUyjY&oNB<2+<6TE;v>qQJg)SsWk3BK-I8G!r=VIGL#@i zsRMYHllB_Lzd2oUdyPyB>{Lgnb0XLzHrxl zN#)yrda{9435*o}!>$zR^saO5OCVt*o&Tmfx z@5NXcfYljS>w!(exPAVPT@9?d<<)`zwL$by{1^E;s@@oYX|LRp-^m@6vZcm?VC3h- zHm^mc6F>~M5k$_?c;F)DMn*?k^W#;p}I02Z|4 zsK6-l0COf-oZ(~%q`nk~TMsr0IpdspXgIav>%hgol3i+3p81f*f@v*bR;eGQA zq4udZm_CS(LI7099}XjWQg?XgUEi=n-cF+c`+}0(N#a5>5HXq|&dFTFA^{;-%kXR`t4d~n6Jr{&3UaOXQOC*VY^Q3O=rs%RYtu(jJ|Q`9N80?7|UHD4}B zAU6OddH^R3schvI_Z}(-4`z4-`$Y z+m!Q`uU{OLiht)z;@5A+2m~tZA|g_7kHXNJLCWUmt%6pMI#49UW8;#QKjrNWV@bW- zPupCC@C{%j)s=|acGPcjJ<%Y_v)Lfj0OQ~$eojU|C5@4wd^ z37nLH7A}A40_~FBPppYy@{4o=p!hMJ~iIQd640$!*sa`xc9B-)?-x zKtr9wzmXAaw?;Af&^PP@-MyPPFzhAQS7)(VcnPs|U$^>6kLlY=4&Iy37d*1=t7Y07 zXq*9&F_a|`|v`xTx~?dN0pQkfLW>nC`l*d~JpR==O<>}Pkk3Awa^@zNL$ zkIYF34xhXF>ut+WBQXVQVe9LZ z8oOGLPCtWEUBPF@!|=qFB1p{?ErwxNWLBs^eQM@lyp4x7-4yK1f22uhe5npJZ}1{G z^afq7JKaqk55LVEvBl1{WOaXmeVkB!*y9z!!limRSv}0szr*jJtxrBn*nmYGjDw7! 
zP=g;h+oTo17kFpo1yo1<_PVZnRZg}$@dpx)(_yz5z*rB8$qHurn!p%;vKY9Wee^f= z?`ot(T)%<40!w)biz`i28i&lV=sTVVPx_;KKI34p1|n0-a2z+fl>aA3@n#ed?Rwa7 z?$$o({Mk}b!pad7&413_=Y2rcm6FTzl;8%&S``56BX@&FMyWlOF0EC>54BnW{6IDf zxg`>tJ~lQBcwUGYS5r9Nj^`8>=9)xsW(-uFeHRWDD2|=Z#1RwN?i4qyrw3I^-#NPx zd<8wSy;Xs^$%-Y;s@SiXv$Vhf@Nf6QrpXPS3iUg0W3pdKOz1yjd0&a_F!ZUJuf*-n zH|T9unFMGE%{?N%O--U~Jhc7qA~Xc3eA1a3=T3xU9^=0o1{`FgCjLYY2F5E{w5P3* zaUi-s%bzd7Fa$#^jVsS425y|G!{Df7NYlsf1oTti70rb{pAB5$_!WedXvql@b3&P74KZ8MsIDjzPGrhX>(MTxjCc}M40 zbsms%%xy-N{E)dVpGV&8!1Z+~a=@wEheU}(13p0HpnR)(fv8WW$_kZDR1qHQ9c^Oj z3p7iqq?VH1P89@i?Y~PDUCVX|s_6c99yMFYQ2uuGHE1=KF;X#>YkbpCpO) zZ?(RDK=oi{yF6$aDAe-7<_1&?{`E)&!N3krpOzb&&bP0;kKy=qZW_#{CMp{J&G@*z z{*fsU9BfkXmQ<`oaU!O@u5`ChhxxxNltK)a$!K*n9SJ9zH^^Kl?D*6b|uH5+@M7E8gg=<8bOXl)fY%$;1`+Z{4>*_ZbS|qv4Qj>-8za$ z${4t*P!J%gUOS`?6x^h`6tL+vvPL%5;#TT;A9a!1!}GqWui{twh46T3ZthngU%mnp zmt!9=4p+?$UqFJ+%)^z0u^#oqC*tR^=Ez9UTU#J@MvHUZQp?=SPLddILY047zPXU1u(*yG5E`|kPdNCx{a9S6AEfzBgV>8}AUM60PH%-9&j89jcxruy856@C5}eixiD!BO znWX>+8pQknOMZOXGlKDuI~nLS~bUeW6=Tv$hF*GAA<5it#O(`9fT9Oxcxcv(~3%|3P zYpvdlY94%Xa^;IcV-u&=@v4(+$;5vY=~?ohX{QCH*3T$E4o>5gXT_||Gye5pY;p&5 zf}Jnb<0Sxpu}P(Ov#7|8^QsNuto2P{hE4uMmo*D3>@dp*iu(PgYoSCz;IdtAPRReH z5+tkwyVkH@0~61##O&z@tQqJAs!sc+cL2Y$Zs25+BfaxEuvu9WNfU|LxZ9dyUKz<4try6DTrStN_xmrTISselY zTS`Ybd-zXg$W1cEs|o+N3|LtiY0YA-bRmf7zBs7wiaZSD*3D#r2RQ=N0|4V;Yn^=@ zpP^Dz>YZVs7>kuzG( z!(09^kvdlC9pny(g(@R9;Ta~Ta1Msac!55Vez|Ytl7;fU%I9e?o;hg`$O~loG_KE0 z?{iD{AXG6F$AGUOoYBn2wgtpG9T8VHzmHKk>>m&^;Oo49)tG$Sy^=yKHSE%xl~vTD zwBi7W&dF*)eX}i3G#fy9aVe4eb{y|DprY?&9$188E~b64E=xg}dUzBW-!n29K!L~x zU#FruXX_-Rmb2+KK04B~N_oUgm&yAK3`YVDQdQ;GA=SV#qOrETV z)6UwPwh%zsnQ5il^IiSfnIhzaPv|#F;uFSUnfLy)6czGA^b`he7)0L>JrEF&>lRq? 
z9}8VZK3t?P;Z}%%4-4#|&m~^n0CrHm**#7#O8lcKtvR9>w2Sas7eo`HQ}{`OnI=|B zDFfOM%@5lTj*m@C2~yqNaKWOLDp0yhyD@^y-3&t+u2n3QDb<2%yJof3K0O{%UxxHw z7Bj2~p`@jZ|Ix#iH5S0kg!K(@a_9R2DB3>!u;r_e5@ z>;XfkEerjX6)Pi9!W{L4U%+6rybv04NwSekKg)Lv#{5DT9Fp`%pp`<139FlKyYpAGFlm5yEm*77YDvS=GbwhZC*y%mnfU`y^9A;r-BRL19jj|I z;VB=)*zJ7N(Hm|`I<-J4!;zz>j_t4%d0;+>b_nK_%No>z0wp58+<)RL%4Q3#l2iqX!ZrUdDZm_|w0z^jP&n*8S-hA6VOlLV`5SRak1p z->yf93#0+z^dsEaUHam>Cee6Zr(glCMz1{*q@hWU{)8M9TWd2px8z;qi8%Y6w{1iV@l%jf zFsEFeQzoq{G+TZ4Ocs+Y0?-fryYztnTrUvoG19EW;uv=vS)UdAl|9KOApYEPEc>rl zFrJ$xR~Dtr?=z=d{&s%XGHG}uJn@Fg4Q1H<1O%U12o7fp?3_}3ytdAx>J5#xS=840 z^TizEaYY*&6^~ui3yjibD%kiMysb#h9SzwasIO0(FP+$!$$=+jYnn8!*ry!mX*`i6 z0gi(fWPS}HdtV;b9|_Hj6dr&%EjKQ?ytor?pN;9*L&MP+>|7?1eGe3UfR7!XceHGz0)R*O`KCnT4?JN45PzoETCV z;}u}*7JHXw5pU8I7%NnmJ80gay-heVNh(gDbWggcv{jVqOCyrF)GJfqAiOpBfrfwS z&k2)3CMJc$HQ1tkLt->kRbSG&9+xDSK0R@W7h1&oUl?zTm(Etb>m}p}5Gi4;AjE z_MfeK!++9jq}IiG+5#+1XF3HfCYR1;uzo}I(=T$Q)55;5VE|zxvsD(-t2KK;GBRs= zVXvQ}IAp9{+(GuyxH$P4WIlGbqd&{P(vxghH)&qw+76W*t#GZPijW`W&>VqL zR6cEgHf{-p<9MFuIF5@w9Tsw_%hO`j0s+r%NLdIFD;1|XwA)x4o3#nnY3&Rrf$#VT zJcRX#loz;yULl>`8~W?)T16$6&0_H*9Eu~rjl?9hKikp@B!Xllo4`ahRvl4?T`kS9R5u{H>6B%=EWC+ryjHxM>EGq5!jXd&_~4qCQcTe#$9 z!Lsdux4kl^5akivXSJ$W(iJ?P^#*U^Yq*h4bu+Tn^jY41tEU~im#Kbs>@-^ql)CDF zS*c_s2rC`!A`MC6GKiWiDaT1|J!cWokY2!ow}8@Ta>3-CjBb^#PO`UblVv{-%P7yFX%(O9kvQy$rMCcSJ%a^~EFKe2Sll z%p~0P)hB_B7_OnM^CMl!AB7iVhqNm^0)E`^JX3pP@OUIjdh2FCm*TWERW1RQ^WF zDq%o)n0*0a4>yG5E$(b-@iwD8*C8iC1dAiF$6OD(9(6tJ0JDQ0%8&(qmHGOsVY!vF zM?gVlri1lh@-Ot{_F9LWJ3cO(foDc9PxJ(<{I!`XT0k{>6;yqHB$reW%cCF z5j{mTSxR_9Q9G=GtOwYyouFL|SOZowxP0g@k7~G48vyJX9O$r}tGMplkG#7C$ z0u*_I<B*vfir&jleuK7oX{O$H0G{;SW&$lzvxwAkXdCi3L> ze7V{ZG!}@q2<318{PmELb;(GCF@@^EY8x^^kB8tdF;p^LL+as-!nnLbB)_c(857nN z!L=)bW=BG9bSg6JF2Br<^26 z(TT3G2~uzptl2t|Y=#t<`6&(uwu``p(j8Z!;|6?Xjw&?x>MmLY&dzBVa z+)t_)WNh(l>cK~9i+RXV?DfbSTaGSds*Szg8C>i=4jtp2YH;x@jPZH^Fr^x^!wK&n zU^l9U1BZPiG;>FX_e`EccPe6&2a_smCP(2qwh%SD>~vmmj`3MQL_c>K)=4b$0{^=3 z@C-pdRwfNTz#An@NON{+-l%7GMjK;A=NI%6<% 
z2TZR(qU_ngbrv>EbY@L496F{J2`+zcR>KIX_`K^F)H<(U@RnI4op&+as2C+J+eqfK zElIVSp&dH%_L4?!$jl$S0c%+EkM@gf6NQl(=+_ig|I!JlX^arAk}BjI2Mmxt2ClCR zsuBOei3+FjG)v02Z5W;`r5xT_W=ge_Cx-8SOXK?$fjJJ`O}*np^r0_0Bkx(J0gwtf zv4Q~H`aBEAuh86&5`aca2Pmpth@8K!i2#*;sq+$EYvKY0TL7`tWk}D>CX&uS`n}#p^#c zidnN>hyWjqlqEI{SdI1?e;hAj00l^~3rX8g2tR^|FA0AC4O@+-SbQi(z8oLHx-U%t z6`GBEZ&VkgcsqH^WB5zoxa`stLV;|I;>3ZVCAJofp=Nqg!m>+-;G%d>|n#u;n{Ft>?Q2+ zvy6911@R6=*zI}Cwuo8IAII$u=c1u9S9*2h;4@bbr^Ack1;Yl(26+TPOtQonA~1Ad z*fkWh(&i8eUTtC$R%xO-ow0*193KJGblXx1LC4i?tnDA;wkSZ?hD1;zNNF|-#Q2jM zG#qY9S4c8Bk*>jzm65YX)YmZZb(!{hj0U;8H5oO0ZKe<#UKgJKnM5ox60uNa@ou^^ zFYQ&k@+?3pW9#@>Xb7`@Q+ zXsdvX5d#UjjZ8`s8Aab@sJJ1e1pO zHW`aYOK|5y64#*n7alfzQ7;w9NPjBKk*@WKs#lC$bt){(5BXFjErhOzzDIb%@EmS= zwms9W1{Bin4+0Z3DCHoCqm0QnWh13TNZk`{)M=qy?Sc^WbeB^hkA1L&gCb3xq(>`3e-@{$l)|FBQMO%8agtH7Eq`1q#WW*U@S3zeD6YHdL_M5gStIo zkT96{kV3ggtyNvFEH27BoMHBPFyHb5#pGOMqle<>`SiqS9`>UiNe-cALFuGO>n z-@SC#d%)oKC)ay|_ zp8w@RK`^7^hTsLqqSb^Ea*Rp1Bi#VTke&PknI(u1FYfiQD}u`rV$jGckPq9r3QlVHyb&n`=}3@U_Vr~v>NQhUZ+ z;NxSG_!oXA=8X#9DZk)a9PCWuw9_J@6(&-vZz5rhrCTh}T7ZSEF6b~|$6~8x^sEJ* zpz+gpU90bUcIT2+VZ+cKo?hSwa(O$!i)szF)dT~r;c*k2=K2BYo-lq z4N*`rH?PCBY1xDIuiqlS!v|Q)9G?DH>FSf4&~nrI~Pw0N(u}wYj`Wg}9+WIF{SE_<6CaeoKDE z!@_41FHmnOP`v~=i5K}R%SMb*A;*Y?vZ`K18|Y6XqZ>HiF;1i%$#uH-BMYEktJNea zk%GmC!uV72ui8)&#Vg^0mt)&sQ=8_L7oQ{^2~~$8Ki~r{(btgO^a_Kj}r||#tBs@~hX2l9T5G?lFPI3tZaA|8zCNQx>{-#d_ zsI$-obw>1!UI7<9OLNwz*CM7MQ#d<=>APX@>NQeQXkaypgYxwzft!BhybI75QGxA)jGtjXju83&V z&qm-#B8D7(#VQRMI(TaKtge%_#{Q5}(9>zqZ|QX*8XZ_J>lMD~fzUsRac*hU^c97O zOpoIj1JF2W)N$5JX0FZi^>EG|U8=|PCAXZdYoL@d<;bb!F!^?NivKW#l@b%2SI9@m zTwqkG%gY%i$|iU?dn;@d&Om!b{aA>1c4kK=<5dwc_+{eigcc^2D`0vvegCh_n4j3h zl1YTW)bv1+<-EZDzzD(A;949BkJy&NrgSOSpKDlK82Je~%*P@M26%*Odh1tluo$z2 zCKS1t;)fp1$yTcavOGqr(4Q?KzyyhE^Q@kuBIhv^vzblUacM3%5yu5p3P(R3yK{2M znSr%ogI}WPJoV)DglGz*JQ0nOh6Bla{0&9&@$-BwMubf&4~CR9mJLb|C|2Kj@UK{K zpjH787H|94ZJ)vAf4jV6VMq}d{Z%hYhYCa$iF~@mjK|4OL`*hBR>UX93I{dVBO5;X zh>qdEUq{=o5ktcH1I}{bR}D^d{aftFm%=Z&`Pg-vls8fxIoHm~Q|=g4{otI+D9bJn 
z4?Rqva1D}uK{V9_K#Zte#ChMr^l=RH3Lg)O6}mpn>p5Er^NQ~E?Iqh-@U$yCz4NJU zI`=caEjKN7&vKrUkf6;3*XX#!r z&(DM<2IjX38bpkV_hmdvt5f`i@#1MG67+`V3w| zZO7*p-{;#1j{`&^b!-jup05poL_MiR#Y=n5>&x;3C4|1k9{emL z@T%nTx}BhgPsU(eRg3Rl1~ z-qM60Umr+WC1=}+?pQFh0vP-kOlhb~zCfqL)-d}H!QxJMRaTo;#f93ia0E9M*b7V` z$xAl__8I`N(#-teD;S6mh$mrL34YB^VH|{aJseE;X`qilSPb-b-mF9!CF27>YP+g(Xx=rD5om6jpkNC6DhfE|PrpqhcRaz^t2dhSp9A zAH2-_uhPEX);|cp168*W{dJJG%F>4v!eRxt^~wC19l3>u3;}S+<@F@M<;J^g#BOYi zY^|`p?=a3@uS>{vgs!E>GDKIj^Vi5kU0s#7*Um17k^d&%k;CwhjVTeIo!#ko{x1F^ z26LD~!<_!>HSP8ZV>?VajrgEKWBYYPZzC+oi?j(Ywc0Ka)i zKM$dvp1H%qL&ZW|?`fl8Iv=dDAjOXn@Y9IcW5wG*^w-G*0R&!c{d z$%W0H{DQ;_u@_=%I9lWd6|A;12HNt;l9j7RyTj|i5)B-S2r`EdWMN>Shdhxo31m0H zprlUiaZbD1?{lj7YA2@|GI#n7o9b5D^lRI10^rx)(A?xn>Lrku=y`=J;r^#k3fmeOpT8KX@- z$(AforO3%pfN2*}n-*;)&1_-Ow0WBB^;=tu712z zAdHPxWdMm{Z4m}Hetr`{1{jR#+Xn~g;n~&k=tNgUNtxT@!(OnHkRF|T};ftBgSSD%gkvr3MBLfn>#n*Js-V%!YiF)4 zKw5BRW!C-3X@2qQzJB)VAk53>dtp`#=9Bsqi+J@H&*hJr4rCYjr-QZ7yk0!qD5hWlM z+#@a*4d`Q*Be1v)GJ6A^wDF_T1FERew-D?7pihv>SZ0JLE+iPZ1}=f{*A^hdP312q zX$J!|zYjzA;3WnB8y0iFw~?nNwnnjG8%o%*Xm6TQtxDHTgxVsk8<7~IZ@Li+A`3jd zx;eZ+ysU#>4w^J#;|%E(1h&p*kN=dC`k$vBYSr&#{S7xGicO$ohi8YEw`fpArD3E4 z&5(+t>ppZN->;5niFU(B2|Fh@2S7hgd+i{6tZ19ShPrSWW>_1_milf0Z%ohd%PJYXHV|+ zXrOqd@d;u+QCw#Xef$)LC1;dcNiM1fR}(11NV@}!iyy1V_?w_&t~`-s#ZFi4w2F;- z+96uchhWeqsNwXlBjir%EnP=i4%Fh6z^=`j_iUExUIZ*J!ZONLFe@u~^cw%Q>WNeY z2zMs2Y6w86qVwnE!pjzUmhX!6x|BX25G$ea?dKT1o@AC&_*40 zvZz&aq(3Vv4+yYQ>2-{qLWRZmE9BDSS3%s+pH1R{N?NaXmWp;b^N{KCDSTz|8Z+TV zi1GHC!i^qK$~+iNIjl}^A0IYFW&8o5sS02ma zg*g}xr;}dgRRVtr%=AotN|s#=)s`cAJWGAFLY)OG zp?K)K%$>2FyA{aW?9y+7UFAFy6U!RdNTu!{vm@6vTb|WdE4XIByzLBtSw|E{{+F2^ zs>q2PUpl~_686cuG^WFJg(8ye;9;FR=DqOQ!1l681wC&8#1vN|r-=fM_5ZDiex{j& zBrm>$lg!2_Fva3XajdaIER!85ruC-}+>EG`JG^qL>J+RSDYSYMG-A3euEr6`QaFl= zC={jOTkamhXB)2xFym1H&luF|LpisDc35B&)m(?KnS{|t4Bi@ zpx|Vz24jy??Qp>Bx`4fxj!QO|X$l{(sRCN2@{AqY285xsS0&FaYb(h`(MVOWTMIgU z)m4s70FF@hR7|3TRnbnSFdIZCs(p+qGD;nIj7&<88&Ta%D}7l2GNSm6M;>l;SA%bL 
zEL$|Llpg9bQu?Yl9Ddfeg(+;?Ucz@!v7tVNLH2+fH0>D`ZdZ<>Pyo17Y#@&UwGubK zy$CHW4f2d|Z3AVN|4YjkVd;wCwxIKk*^6Vt0&j;@;C!rl1#&l<18UxR6~Facfwbvm zq=E--QzNy#t2xk^%-R;cQLZ7mnZV1V&+kwtd)Og_v{YMKHla?U#h6WM{Plooc*6=G z2+({awsAs5rJM`=VMICUV5***&{cCe!D7pZ3M*t@Z)>m+Z0B~PAYgCqAy?0&&rkq+ z{1jGC^aIR?EiUrEt4yTGF&kJ=0-{#MfkV_JgsKOF79{hS;7u-BDyWy%$t{;=f|zqj zDL$4SI$-IQc@E~qdOHif_R=Ez>ZNt&?qwQvw1vW9T3dCQ2Ec#O6T0h}j?ZrD1|6%IRz z5V@?DT=c}7#s4zi9?9D(ewZ{4cIK9&h&X~i4sI=r_-^nnGtQ4S%(}$168G0rYFLks z(EtmYU+D2fcOsn!H`g)Lc5J`e2#ZMR^Wi@NWHvh;8@zHMhb7MPGRb9r6Ma1-)(#%cfq&3V3cXz4x%OX8(d*P{QlE{@&MIZO1=YCl33tf zleWS#lqKJN!*?S@GMRA3%xGGS4WG!zwMn?0c^~d4Ego6WN))=cCzf;Z19%eyE$=OO z8y)pznO1cr>LhtKNEWE9MEAhDWv1fzkk_()%L}X_e8hg-x^#=vJPFRi^#)Hie5_Aa zwzAd;ZybB!p^9O6E^x*?VkYy)45*o*1!BB(>&XF3A>XytqTt8yYwILG*#0DPEqx(Q zhnr?iXA2DiG63|m^y5?I(*y3|F~I{3r$L`Io=zanrj#Z#kf|r?`E4i1A#i(WMD?Wj zc(@R{M_FlDZ1L`GBNx9xlwKzmEmKK2xBf?LSa?DI+cMG8G~*u+72=j7aXs!+2o3&~ z%nnk0&tJXV)kBy05@9^XJ-$lbYa;2#aT)hQ=`}%Z0(eBR1BCW(NuHnyY(YRjK0Q3p zr?bh_^9fx1iibOax#yzI9-k$7rV%i!!6JU;NqRsck|8csjDCD_bcl_VXo`+#`lB5b zP=kul`R9)q>O>HBHnHI*(?Xc3bA|O>ESwjvg>fr0&2Mx2UGmW?0DR#E1#lqh6VQQx zSrq|7SOjhXIS4eV!X;$BveFXlAuzyzY>|dL0s@#YRP|gvT^O?yE3z73rU>#*iU2Pc z-guF&jJ!m8#y)&9Mhq;CxIrt7DTuAwUHurG9t<6N3UrAM3(UE~GgSBjXu%aJqP##L zh%nohfjftRCRfOq4SW%(bKnOH6j8e8J}@Ok-t>YIi7a_haB3UGkb3`Oh;w-H3T)w`gQl4Z($bU@Guw0ea^J4hGx=m^*n3ya&Tw6b$}vIKir9 zHk>y;o_WE{vxxBT@HpbO_6&W*mbHoNse=tj{-DyI95K{!5AVwr)}B{@&?{`k9g5ej zhw3Ln8WfSX$5To0UVT4h(q-?9kq^!hFeb31=KOls!(6*IM^;H8_+}uO`q*?2zX#?* zQ13oph@nnrlgZTeJkQ_;ZcC&^jViF6k|}29mJrMO)@Rj6A0(0aqq%TL9oE0N<*6rI ztg?$f9I@T>S+OmY{TA|}kAkvW20AZY2aU#%E{jzd|JLRq2|tM;{V8DMXGK?WGZEq> zsjmrL!H!2hfstPfBmxVx(6%6LPy&U)#lcVV{;&lwoU-aoiJ5aT(G-3#Cnmr=TF$q4 z{4bg}YPA}4mT169j0`M8BtZNn%m^d^E*bDG-QYTd!o)lgMg?&KTJP96nuKJdU!I^pdrYB&AMc`ii%bOvYIeGnP z)FC3|RykPrfOdwkpa+*C>P@?c>t_&95zr5VA0G)mJy$(ET|7_}(5G73(^HC)# z)js8Oe6;O7fAK2_k$jg}%G2R{By%tkM}O;D;4fa*3A1KzF$-=|WPyQwt;F}%+6~US zuP~@(=&1u>p^gzHmvo{>nf}e}H>?jFA~74kp!zImAL=-78ouqbvL`f 
zUA5+xlix9MBslhp9Z9>e;%i3cEOfxWPw@GkGQd$(PSyO88a=6=0o9Ze$%HJ^M3C?Y zNGJi3WZz{HDblA;a3dmJ(P4p1r-_z0Kf<^&acj1S62>=F z_prxLj=#>AOU5rhOpn?sV4c(`_aJGI2TvL8&-jgTI{wbU$ncrMR41EmONBr633U?Az{UY5SHg79kCW1sl!l&}i^TZaISZw(WBI(TKrcMGFh)hK8ASM?#vw%{ zp>hgH0i_2z@P3*Vpi$!8jUuD1*0Gind}AZ~0n7R`t89)2Ss+%jH54d;udK}cYjLm_ zR5Orqs&F^yO^_eHUxFD&rDXfZZ-n25+{p01YkfY*<;E2D-=}=C6W)SD0-f%iKOF7G z1~-_7^Z=5>T%_e;LQMyG1wq$Kx7#h?j%%%y_*o`KGz&JEA<+@+ki~qgooN9fH1V=S z%2mxw0DLISepG^>KspY;{kpQT2~hsSqu_F4qjVL@{*sd`g{66bRU~~4n32{_B3^v6 z>K$q)0WJXA)B@NL(ti)t9x{ADeUO3Ty`L`4LB1MEK6Wm}r4Hm>{G|nCX#cD+Jzzd+x{SUXVVL1B0Pu(RxfuMVNX> z6z^37CkA0_EOV(E(QMY;3_E98eJxqsVHh=C4gz`483NtwbgUXCC1O-$M(md(eRBd! zS%6R=W74mwn#g05xq+DVgtfYk#dm&@Iq8d(MOvw$6q40;LMYIp#++cHbH!PL?6Ip> z;(@8lj*dF&BUr#gct8!+1EA5?@29oo37MHzZRhq`Oo<#|j!78{A$!s)AO2VSxwhb- zpJXDXL<%WVU`RReodt?4VS6A(ZxrVI=$)WbdKK?|KEj=`~b z^_Je!A4br;=u!gIPuhIQ8;u`QlT?E&qd8Kr9OPv6JeQD%bmV*fHlmYXR^?a$vtIJs zf)I~DmP`cpMQiR5UNnDE2Ih?@Hsf&huu2rSLI$8P{Qj_$|K&HUh!7+t6<%pM{f=I;_r)C#cW~D+<=My1615Y)er|UqD zS(PC|T4QRx0G=3 zG;mg)Dm0@eEBi7Tf|^}SZ8ma1Odb^!E&p)JMxT5svT1ITik3+8K@Xm7QWWcdbSAS0 zMK0Do*-1o|qU@Tnov`(eh4Iwe@@=EivggU09yHmu$$u{-PY*8x^oB}r=HQH5if3g= zOY{eRr!N}q%N+fk$IaC_00Sre2K|z_J`Mjp&{xIyDNpJ1Aye6MPVeNy{G_e%Bw$cx ze|zR#0A4v0P$>AS&y?$f#6tzzaLX;3FW(1K<<6jycC|dWTBpUyz&uuRRF4tP3x!-5 z6Kq6Vw_=VcLOcrT31-3wO&fFq@H?{);p!-r_8m->)e-V-Aq$5q}nT`eWCj|MP)IUL#W*+S709DPWJ zd>vu5*xi+4^}s~p zrMH^M=@J_^fHgoX2$G#|#@om}z9)R^wSn8a+;O$_XAF*+qz)w=IJ5{*hQip5C_kF( z_2`qxtTF8E7JaYO-zpCIuF7-ICx#M0kk1iijynKV0Z{t4 zcNn2%SiZ-O9X+%LK;<6ehr*4>sEtJFCJM?W+1Ey(%(lN*;=sHGxzRKYj)O7Ry5$O`1n z46Vr0+bV`tZY+T5;M@E#qbCXY3s>xd`}XD+n`6m>3RZ>(evqC|$%{*kdJi9}9ok#l zsUQQ8aN(MZlC~1;VI~M9SH_%|ueW2jI_E)hz*!)q0=LJ3Z>QhNY75)p2U@V%2crgpr+;Yx*=nKfenPxBDyp zb05EByj-3*pEW%)_sOqpg1J_!Tx^bnyk&CS#e3bq!_M{jT9oF2lI7&NMou<(WGa|Y zpPs;Hl;fOlodMRc-BNpT5%Z#56+Gg$q)(4AdP2mCxOszs_&bTFlZnMf6hY;f=LxH; zESf69EvAZ7L27z;>U{sUC&-;QjROYv%#briA{7YvVkw3T#)<9-h9Op-OL)I|m)Zr4 zETYA782VHMRi}J$s{35hbY_k~h7IvDX(odwYRb{WMa2d(x+|z7mqgG5D8WjkBVXc` 
zJ$fhay)V$9>T@|&(D?mxRqDHf=nNJ&vUmI10rA%zkVJtLDS{+R7M2JP^t6lT;b(Yf zq6@_y4iq|t8<_Lnc^BQQv^Nlozt6S|%GuI4Qm_u~c9|d0)R~A;>3|u7?+P`U^)Bjd zkJt#zj3|P82Wl5FE%1^&TnlCbcnk-BO$N-nG-)QUv(Yy|0wq&gc1Mc%^se*b8;WVB zGvjkmt1xuRaUZdOGPyEezPQQ;X)=5_tB+r^^!ece zOJLYkdb@KlLvb)`yJj42s>tnGXxmb94Bdv|yJMPCEtH}T0`;s=Hyso>elBoyXk5W2 zX~>;j7%Ne4=Yek$r}=?Nn_nb672?Dx3WhEl3%Gd(bgu@3e+{XK`u>=h6R#+$lqyr+ zqz;N+48GrKANgnSuaR{B)*%5 zw|E<9ml&_p|Dsm3AeFl)-YO<)Xpm(2Ab1(6aq(-$}dG``fwK1 zy}1FJqGkoHmwh}jeuBoYa$Wx}HReaU1@v|{@eqi(A%(L2q<_G-s^};7pv~Nhk(>$@ zZ^TeO#qRFIlH(Xu?o&)4^H4PcZ`eegC?MVR06j6Y9b<_@<5LvD-vdDtQT2oRpzScw4g27E%8&w-|4;54G2h*4BpTY_DN)Pn(0lbuG%X$xW?4Iog_Id^q58&#>j4=Fo zxFTQ9iEXsci_D07k|Lb8Wp?0CL9v2ui{V7ZpnnRrF+a}71znOz-6zvxxHIv4kF^7n*fl6+m>;y z`(he`HUPLJ^GZqAZiJhPDXia61&g>nuLNlNc-A5t@(*G7L z2L}$ZA5#<~wyD3kRi#&IEg4(_zf=e`JVOE4_nBV2^eys{&}!)9fM>ep5xz;gZdR#P zlaJ55;s=%D$XZb_DAiqnC~p4~CzSc!D-QDLP7$bawnxEnWWxUH;x3p1s#cE+o?W$yMlxfjT9)#7J+&sjD+ z3UqqY|F%KpJ)WaBV`DMqmo7w8By@^73VW&ia&UGT-1`I| z(kX5WJNvO1zS(3lbv-Y<-*j~wQ7Gj&PFO)-)N~dE+ar0nU7T@^fjnr|^k(3X&$}oP zw|juFl{8f>_=cAR1I(S_3?~1^yBL~<$;TXcOUnr>KV_kk7guuNHWq%He5+2Wu;g(U zJ)$~N982?TMM;Y`ZhSuugVn` z$3SBz9t9B&JGobN6= zT{D~^rV^1s_#3hhber@el++QkJ#1aOKTyjO8UHGv2nz%W8kSJGGJc+^3u=+11JkM@ z`$z8#7ctw$WIS?wr7wTY0HzetZ=7t9wP*FN52t~aeYM$K4|IHJl)+z>W>vDo#0s!c9eT)IjSM)z91-ms^=)+%(a+J&V7mdR4k(gf zZ17pJXR3jCXUvB)$E7T0<4yaxhRhs_ZBh()@~3WLZR{^%IwAh3* zC(MNK{phsrBu`v~G9zDO7R*AW5AF2@l_i2nY_PpoND`D&*=C{c6nH~#!~=w~Qw7MFFi5vB1X zHMbw)MNB=X!u@-`jmlPSCsDs}jQxOnGhJ->><4W5eje)M9l`b`o!mYU;@qbrx@Dq5 zL?TDQeURRmEblD9F>HgIw~elB^Duivm0tF?l{_FEWeNe#)GJ#x-!}?DatsyO138;o zJX4q+85b<9rgd^0&-J^~pHie!AzuCLJse(Z4!sn+8J-VpcS^a=cSGkwoKlIc#6S<{ zDqtVA_xQYp_*S=Y*2B9d%#DlwI`Si9%B`6dcGxJ<2IVU zsV*N)kyQTy%Ax&WDy3iEu);YrFB%3z4MDnfsDvvutz0z#00J5S!(;#y5Q)TMu~;Zf z<3LgL0K}zBPE)KxiD-vWB*c(G29W^(000000000&7;t()G~Byc}s5$07*c$zZVO|go-n}Zv_Mz6t9pqfGJal^7An)f6Vc%v2iw$=t->w zVO8X*m)s)j8X;Fv+j|enbS=?12>8AA*o8WGedh;Y4eboIAYYjre#w9SXIg5~Ji`S# 
zJ84AN?wJKOB*C9=NiP-9;3R-fu{7x^NE&>oe0vd4OteMCT8B$DG^sYtE3S_=i6cKR^PsoYjJBT>ea2ott zER?OWVEa7`8uHI<+%K4Dmd=ZRAzTY({+8+NMD=&1)sG|KP*yHzy<&(~Tm=QRVnn9F zV2Y^u^WK;dI(+t2&#+GKh0;N;$=txH>ElRjIq$SRWll{7-g0ND4fDg~dk!M^>+iJe zpW~N)eL|DY>l;}?dxs-N(dUxJA0p=$Y0aT}>{v-QUe3OfBve0olHvZx=b+G5mjuC$ z`Nq;V7N&iLGjF$bv%F$A8UxaL90?#45=%w}W7L>`Oh#M})*`Vtq0g8m*y>P}FN3be z5}U0I0|QF%&f207w^oTo*Y|o}Getdk`0ORMz0tdmWUCJDfFg^=7dDjgqQHRoN zWL&|V%tjNkHG5LLPPBQzCOdq}ZE<}jr*w#`82hiB_o%!0(KIzSsj8~b{}CFtme7y` zR65gB8p;uyNUruHu@D|5rAVwem>!$gHB#;p5Mhy%LiK!yf{%p`y z>PHliw!cVtLiY*?VURK!&~8|cFeRWsbo96khsiq;dDF-Qf4aMXG_FI$VsuWk5wzW9 z-lCT*U$YlOWGb^CXvh_M&fl+M2rmDPL5M7-z-`HOD7fs2f_JXPUD1VI1P~L2TEQa* zdY76U4UzFMaU4Ab;x3#hZcjKCgr}OYucZ@BKqwH>3OzV;?AJvA%Y{n?J)j$B&^f{H0w{_yzD@#bVD$E_6Y?JYWc{7Bl z+Jh<<&sC(;U~IjC@R^Hi#NO zP)!aNdYXUbHka&?u3$WH0a3LadH8-X5{gDj8fu?@#K5{hoQEodep)A=tX*_yV7|h% zJkQZNL7}y6>Ll)!gc1~$-1yT#h=6Q`2DOq-TnXPVFi-Q$G)E2h2Xz`N!o{HB#12dG z(0sz|yx^9P^XJ!0Ck+Otnw(S%E~0Z1BbjNlTybX>5e(9>mK$^($YHS`bwp)Y1QhcC zYOmkzvo`dfP^?$jvW)P?%yj*bf$GKPw^dz|fK-%{({-diUOR9QoaW~5ibR?`Pm*}@ zKi17rw@y<@)FZ_}TH2?5;i}{0G9#qrd7$UZe!WUkWwY~KIL&G~jTV#C`ZU`KLGgN} zXu>QmA&ipPB92wIZ9deVm0P|8aElv?&&ksxkJ5QmGSZNPdk@tMk&{?C!gY#m7wm)>p zkaq~p17i!QzMgsgGuw2w0bfc2QUpkBT!D2ta9*R8BzGwx51efX0LeNEr5bs zXnpEhKZ;fr%wRH}27Gt#8i)dr%WWuHXYaLni$e3zxo|{84*4=cw@+tE4?q!)mrgQ# zz6>(>p3-EUIECG71r$aCoY7e*@*51HgIm<`dwpjJ6S79l^mQPvgFdmFzvf$P!Vzu- zmoP_YZO``dt#=-y%_0(AQ?JnFFMLS3y5(=EByOj6jafLwAaPu{Meef?u&A#`uqnK? 
zMGEwMd(f2w;DYy_>!75h8OM0Mrc_d#DFt;6wa$Q@L^cYIa?c&u0o0|>Nekb>b&PVa zjBz#%yI*`!agjVdwA2sGF=)AFm!Y2x@TYj~+tzqF@V*9I-T<@>sN}6vVCv#dJeTZ* zQug@U_jKWb@HZazV1p~t&*Gt24(?2u-C$G!qpc$zJ$?#S*1PSSjusA7%=;6|>V7cK z3Q#>^rnx(n5`>yW9DES2G|xI369nWpp%}uM;_~25CpNf+Q8h-1EiMi@qijE zqhwjFs1kXe3eWKD?W|51=^EF zS3i5EBS6uQvg}xTp0cOJg$vqi&Hjp{&J51;=0!9UO<0|GLDcT4vr8YWEtu#2Z~U5A z@i)?)DH~@?T}?Hs7$(y`h|I-92_fN@R-i~iPxY@exkk+0gdy}&BXLjzjm{0m%NFjt=Sc!6uG{YWn(v=FA;aFO$fw>f1&A*4U+I6A-2oC`yCWH z$`o^gM^SGcaomM1iGi%pl7$0w8$L(pIO=*nBu*UR;pgA?#uO%afT@|N`~=$R@0P&5 zL4mirI_DOvJEw&vAm>BEaWX~jt5v-7iUJH+Dw)VF5NAOoASeYd@b-|zC-qk~r)Rbz zRb^vcG)@994W=Y_E=qmsmw)px^=Hg-LQQdUo&Y76E7A~;asyR&(caGBM?yGigz)PO5~Q)kEfFa~f;=!=pQ6%7AtwuU}iE*=;(%j|X;?0;)y z2h1MrOyIUYMX*RwuA>Mr2O6&I(8ud`eeI|nl(A}HB7`{Rm3AmWVs_V7afR@X z#bRAm`4M4<#GK6ciB{E$cn|fXw9~e?;*2z$T~{X}w;2n8dq03@RZ!aRgE2)jjR=r) zRBCHK?s+0A%=D+`*XDA?dTP&5GUjsF;JkqG1yypOTlHuLEBY9|)0qTbGqRx6;!6eq z%>|>*5x!n@SPf)y|2N9Vo729Q_I8vi9GRwh7M%%V52*EBpU47w=um&Cmh?pvOBQjl zUDOv3+T_^&k;ovcd!|;?SJT$gq^qb)-Bya!?^0s{j7wrQt?rI&mFP3T<96HfCfNYdb@ei}l<~w$+1VWQ?b&33!IuaG%ICE!qI{&gMcSL* zyUYUN=5n2`BhS`r&0=VwP~$aYmO+pl8kW4H=1|6Z)tWuVQq`$n9aDHpH*>U z(pUQS_-2byuh%^k%WtL=#%&71MvCe2>fPFU^V5As?Ss8pIxtIJPYK^g2u%5HvtX34 z)gwx%ivS-<;z7G1!E0t5hPm`>lbA5LhizFy(vEP-Se~~K3AE1b4UI&jjGO^TVh#_F zPAn&3qgQmEk z-Pi*31#!PYCqe}IDC|bb=njKj#gZH?4!1$q@O<71p`C&rLlgL@nk4_@EQJYnt4VQ% z8wozvBQ+LhhQYSYfLCcrGU>r5YZ^AzWr+mf2^=~QL#fgT9+k&)DJQ-}?}Fdt6=wo4 zhenqkHRZ<{!*g@YqNT2T4a_EZ)FmH86ICIk3t-f16$lHD03cH1yn0hHQ>T&N&sH(( zl)S^O>mS6mff>@V^uVw~YxQAqm-l>dP?D{edv_Ve^a^T7OTCzuK5&E5?mDe*i3=QT%O6~vMvA(Tn^$|h*kzpS) zBqI;DofOPr}^OP}8J6-A6bv+jFr^Bjj#Lo9h7-9RCgLU8UJ;Xr^4v;FjBtK;#X1u_1)Oa=kASfD zE}vXd;zM<$?{( zx3`K7M-B+M;*t%tTPRDlxHpR?8u|tx8JYeVnVW-^e)JnQFXTSktyf1%J=7CdL{77) zYPs=&b}|-nvYQ18h~c*n8#Zr7?l&nYL+>N_Op!XS371%-%U67M#9l@`g+dIYm=Jtx z$(kyOIiyCXWau_Cnb-TCmCC?%*`Cz_&vBytdV6!j#ufA+gLK7mV?MG!+GZq(bfmD% zM3P#la@K-s`n%!AEs#Tjy5M+^{#+PxBto4waKzcMqMVco^qnwTv#h~lK~4DR>H%-F z`^1Vh#?fD7=$Cd-=T>bY$)eW$%fyCKyyk)ht__S=ztGm$P!0POB7 
z2ij9prGI7!U1*gOiJV7Cd>O(0D3VIzxJhLu0){Bv;h!H-BZF^09l?~K~jc-;85z)r#V z@>JuW%Vf?P+kO6capl)AD=UknP`{Pk;(nL=!Qj{1S-6<5v_G$qqLOV)amHe|6dU?H zb4Vr_bcG#-0X+L3^Ou&Y5$@qBre^No7>;&8e^S9?6LFC3CaL^`eRjaeBHntOpDD^5 z-J)Nt2-ED*?wG%avDHeSfew<<6ln*g3YnKqC~5f^1$+Sj_&-BY7zb2U8ryrb3P*N) za=RATi)aUwbx{`;JREk(>0 zxaKb)596NdtCVF8A=jW!`HUA0Jfkxbf>sJZLo(h(Z`+P5VSSn0n+17n^v7t z!}Gv}={}S1$ZAuSxvO%IxR@C(O~c~49QC;L390{3g#B0;-UuoI^~T+$$Bk2!T00(N zC70KVV=6p%ZYzqY2lel!-#+KQsSG9DPUIw&Itn60C-O%ifG~>}tPAUQmEv9APuUk} z>4=f)OK?3|I1sfAvuNkG%Ymc~d@6j4j^PHRT%Syn8ALXTbpEBi4E)PK`#uXp(9C%b zn(`$C-6>9JJ<`~q^zF5&9{fgZvp^_NfZ_+*k?gH)lR^&n@1RFJ54^4#HCOM^we?)Z z(IoWa4AuJEw zE%6%B`E4d7zMG+Z43V090YoRCI1%JBQ|~ounhS3H7bZ!Idv41POQAkW6JtMUdq?q5 z{-OI<1nL#2xOthhTC4{+vB{qmdFTeY+cc;MAtWwV0DA!_(YHL9)hGu<@ zDZJk)H`8R)afO16M^*Vhp<&-@))mc%-qTzl-vPF|x2If^K7Fep0v0g!@ z!h;*j_$5L^L9g>{u7L=tcuB@qxg(&UF!Dw#yk4RX-{z|P2Yu>v7hnLft>W!Wwrrv+ z?}E?cLRhlFe3;nx^Ye>yxUtBr)`ae|M5##(+}%vt^ipTrLr8;d1-aOd_Gr4IIA=3H zbG<-Fnf;zHWGxu-<8M^);K_xD{x_i(tUd^J6!$5wN_QAXfdd{~&%6Cjy#?6MoUF@J z2fq!Xxqqf)uG|nJ8Bkw|Lvx3?qfE7^q*I|U&fOoIk}%Jt>?kokw5>IPan!-*@#blS0JId|2Q>dz^=lc+y&!b=f3a3x) zv*^IIK@E1DV9Tv@$dI*mPG+3lEw@l!hdHTrI(vF6UsvHI*@XYh3im7xGrrBX!L&1H zS(E3Gj9?whBV+!G@8^!$h${argR0Qs3v9WqDzloE8#_GPxhZn$i#n|$l5qq>iED8R}h}vgdyTIp@Gko zH{^G$e*s7lCV*XfEGfE=)=#etR*RJ|Qe{|uG|q2raI>uN95^yn1Y6t2hPPzR?JDy0{wivx%6DR9(fgI^qT|^B@tRTAa@)2)Z(JjRB>m_m8g@3MU8|98MH3%G)dvhvHVYmU;nt@&@{OSg&;OoF6eftst3o(>W3fVLC z!H$7dlCiq8=6TGpNTSdW$sigX3Gm*}>&xbU`za17AevXP7x-DHtPzmdz)RkL0LlZaH7+?%r_CM^8SAs8~DY8_~R2Oa7M2+;YIJUaFt z*uvg4GMLV64{AYlda8{iEWgoxm~jUi_t_UcELzLX?NYKE(JQ`HRE+CT`E zEI2gik{OepQb?c(py<|Frc|xeMU7$;3EX+1wWxP7+bbLvr|KaPiTfO2u&R@~TZ?cz zsUSI@sUZS94%Fx5G%NLJ5y)~3#U-A8)wWW6(#$0Zn`CD-vLQqzs4fAmdyp){`}4eb z4g7J4s)x(jfle5er$FwoCwh|iqMpsFR7PI~FCT}H=tzYT>!hQ0@G4Y$LNwK5L8KfK znr%)ntY@`g!sxa*8LeeF48l zrhEn<0Q^cw$Er9bID4UFiXPLJ%HRlT-%XA&*D|}stNWu<~H8n0Yv*LjyksCtP|Wue^NO?9JHu&7??P= z^uKTQX~-*JJf75N5zyVdm7Dt}?gP~d-BdIkLkTnudIwt%hKyK9c^KIy(!`NE!ysd7 
zmQ6~GP5CubOkS2vtNes+9kXuaPngNm{zAzm*=@IlhvTLJJ2lB|> zNP@^~u0f_^!FJT$3syOLu$wt+L3W{4530;!gRq!h*-j7xVH7tj$JPltNp(fW%!wKp z&tt9p4)6Il$9iA7nY^5P_bT4#(HvK6Fx78ATL=;}|Lj zQc%7udUZSqetiPDxN|>HL}Q%%6C?4pd-Xcc2|L1Wz|ls0-t###0lMVsyZ{`^ zVi;w%a^z%M-ciy#v#E*B4j5t>ZhQP|k}b zhwh`p2>gL-k#>zu2yBr})wky1b(M}Oo|=isrRxXFvw$8!{>v%8J}&N#cQp8b(+w5u z*%tR&{4R_&szC-qS_3m^1EJzWgY@TgIci$}&Ad`{CW6;K25FqTCu{WsK~qAw1oBsfD1|P}y%vCYdLEX*IES*7c0-rdOX@@1z#w zYTRTj0rV~^8?z73gnj9Jr^fnd6+=p7_k@HbP3-zGH>7+A6}<|XlNkI76%uW;bdZ@2 z&(%SQHMj&<&eWy5X}D+|ky@?2S)CG~Yro&eKypg{NNJzb?_-}V9j9agCnb{KNXa#V zmXd|=?);cKW;UR-ESNC;RGo^^I7K`rxtv(~Nm(<lNI-iez6{_?;;%@2JPiz}duNi4=RPrE zRP>i~vJ+zLy7I6}>uVO}PbIn0+|pGN03@`%OaF@w?hEQ>^P9Bj-DJD5f_hcd+?9{c z=L!zK3F-)lhb#`4Sa^unV1{T49|HOzk?%RTu&7fDnHRCwFOLv>D$wgEk%hp945$ux zkr5&WY-uJ0)Dpt|)(W&Az)u6?I|E`+Q1{+`!b2qRe$m&Z8D8SzdJe5QYIsBRzK1^E zOg4W)AQAU0DyOk!>MY8(`_YED8mSfZ413JO`yd26zF{v=fTlv)4SP} z0@hg^K1VkHA$ctERnY5Xry{pM8ujs)T3J!QU*Sb2-^yNN?Ygy-rW81zw4I2?-=ByH zJpUefAt*1J2g*m97xbTJh9l=c;K@!9GIztq6a8yEmCjDRgoeRpsgQ`i_x;ER)5hJH zJV?KTfZH~(4%CJ(G|72(9P;K$(zu~Dqv>+|SZw&i!Uh4l^~8eeWm(LX%>E?l12bi_k66j3+O20h>Y9pm;BJJ3V)U zL(DQ7Bob|RR>YYO$C#H#&nf9S`!_!p0qib%Ku~&wCorwHI)PVf&P_zHyB=Rjp&KOP zAmgq)DCt}mbuHfaF;s7hsqRyY7OkIv;fxV^I3r-lLTmw@0^zkj-$A1JVWJoc_FHjg zhiq;;lAr_SYzBhi1vM+1_n(ULWI37<6Bm-1l|=dU5nRt?^S0#$$aRr)jZ?w{hHz7g zC!=$`Xx@}q-%cWKkwdtEPqdOT2pSb67W-pkEk=biYXaj9uoThFXDz4GF%T_2hk7MgH?e2kr9O0G&UuRn&b^I5^r&RYUs60$Ouovs3ea zIhS%iyrOyMwGu}5W5_cG@bi2SK-0}d!W1|dSKu|L-%dWa9VVZ<+(sLN$y)<&u;SReyc$WMdaSq5vNs9nH=Q zG6Th#SRx<0DpvCY`S zNDJIvEgnGbx|&(%+Go7Zj-&*nz&{lVGE-EwzE6YasY89A>P?jeU^EtF8}US;LoC6s zxo|X(@en4;ia@b*Tbfq@F%A}4f*4Mit(RqoQn4n`f30_aAe~)oS~;#oENItOMfsQS~tIfj?kuqj+uqA_ZEKl zO(eT&hE#7W3LddkYk^E^Ve4>MvP!m%y%xWTWmZoEIjVmOzfUR@jF!ilyTX}#@Y4js zw2fNaE5q+rNY!8#@8gWr{711>nES|fX<=U-i;vm}7Z_#}I{<6<&x-+SYD|aR*f%X+ z76q!exniKM*@;+(hCg5mDB=(jh&IMu>rRw;h*})dZ+)yo{$%PE#(;E2D%myLhdZa& zzXQk&>FdSC^Xws6Rsb|q9M z$3%^e6I&m@-L+ys{fJM+5*)<-YCO00L$hfx08_4}!v=jB53-mJA3EYtHky^pH9S_0 
z2Uv+eYxW8Kd%-NZFc1v}9CvYVMb*{zK&;?Shx4Y}QpX2e#wVa`=Mr};N)#_X1M~Qb zg)GpRrgOJ7oNEUQvTDJGSddtN^qfC`TF|c^TJ|J<=M7!SdF|w8-8x z+O^A#Ys~cttvC!s9YtcJKo3&MCN!tz?R*Y>1K7)E0ak;~3oKaqd&53XtC`?+G1CEz zX~(@VO&~Nf5leW;y>fT$81V%W4-`MjTwoCAX6?G)yyX=;-3Ax+RY&P(vQ5#=pZ>bk zJ2V8>4%#Px`Wc8_fy@gBVph9*tNh)Fn+?tVWzJ5)X*xIKWX((f|1|vsA{rpih1|RS zLo28GPVPb5rl&F3sY~@Gq>zC>v5poN5g5@Uq7SDo^S%AHV&OW8()a8Bc8;6;K~2dW zxw#5)rM!h&Oz(cdh0`dWvET!)d{S7e3q(B?vO8COTzEtFO)o(Y%&ouGry1=ApOwP~ ztAUv;dBkV}2BKxB@Jtp7HSH)Y!-6({3i#^ZRPO^#2>{H3#Z&1HJeE)_M~OFVgll_H z>TnF0xrjL+o)r`Jt*~SVn$&*}&)hYm4WVNnvk^vsF1Nz!z z^cNAdyPZOh(XWX|mO2o1SR#y11Xj2-@Bwov{|%1ujCtkZ5AzVG;+N?+dDNj7?bA;+ zI>tPzaV~6YF{)jHW4jEsJ|w;kHoIT$DSP@>#QUuin&nD(jgHtunX%kp;O_KHSeK%m z=o^7%LN%ea>8(i9zay(o5_%*ex+3c{H`K7f%=LFOht@P@)7``aAcqa$V#3~{k&Uk| z*t3I`x7$1iQg+CioB<3WgPu;r*qIZeSXG%&g?h?@M`_KUB2 z8I4i&rUNQc9w4O%jD#o>e%3=NunokZF#u-RrMU6+Co1m76K%wXZLFvQ(Djxk6{0Sl zien;0>(%#vB8ub*&v=f8u3+a+!;13E;b7#^69<5^9Tzzmb|@D^e} z66E+Y0u8m$kgMJhQP8Zc0$h6qXp7?iD0UzOCu=}iEs(EC*XQweY91K0+4c@hjdv)p z9#U4}np*F{?;;WBz<^-b4*=l~?-`qA5M#IYi?fX_em*;L;0BU`pPdH>a_Z)fV>Ln0b2?QW5m$gH1t~wXXOcN` zrErthH;-d-+A=djx=l{Meb1QwzdK2&6=;loZS}l~OwDQ@rX~lcxzKF;9e#$i)Uj$e z%V1|k2A{u|?&6Kc2&OK_r;grH&Xk2g+N}$A{dg(0)F*V7=Ey6>hK%KIHQl=tLnGAq zWnX*o@6trfpcvq29=K89UfkfW;nsOS_vcnTpRpAOeR(7^(&gykSa7ZVr}+@Q&W@{P z2@oMJuMA)gC$ILErsmbg$=8Gkrhw1&R(3EqTIN)T9Y3)Ni2=|YN36B0!GPzmIa%(7 zkg}<%iVO)BRSAzz^l-v+A(Ruk_?Z$m0cTN^1;y`A?Rq(tRS!2vzU@w zyhrv+mx?5UT_%^@YcwLmS-9u`9hfKx&H@V#58k2ljb>jD2lytyx z`uQkuUvx9$iM^q#vX4DtiQW-U@HK*{OMl$T9k}R8z0*ws^j_8%sY=#~K010jJ$k8L zRHUcXYz+pL5S`g{LxK8q9%aWI7z%^>wqSjk#GTU6O;3ebc*ntJY6;{)s39i=__hD( z*`@KM%Fxe10^*FsTC+((uy}eb0xc7k!AoiH{29Rqs3n-K{3yVD54eH$`XfjRXY8|X zgwhbH-{O*NG_8npe@GM1{jx?ZPr&KP^`!-EimCtgR_Nk$4JZ`<{Bk$No5BJ>S)vTG zngx`D97Z!rU5^x??^lKd;6cRhqinntInth(aRIflm-|3ftJ0ZPzG9^U0 zW(pYa63KbKw$yuOnWQx!CEM&MX(w4)a*0e$3O7w#k~j7u2L;ALx)y-A(CO-mKrjrL z)^t9l8-QBQ=IOcCkkN&E!sLj&B!SWmo*6~EH1saadfkgY+aHZ)`neihrZ5ISq~ymT z8~XAL+(_ENY)>1R!c5{WkbiBZ)RQ3S07ja$vQ;Q~aKzg}E&P-Vmj$gr31uS< 
z5-Z^7a1wPz;l{b1v-_rvwmkvPCc`PYC7*+R(_K7$i9W#Qb2brvSCh()Z8CYi2}N{e z7YsD{4oxeU=hY6^JzCDcZ^e}W1Q=PX7es?xVXwqtbEf$gI&XY%y8(9eWIr2SJ@+ce zIe~7dS_qCGkz<)m2+pj@t~=@@)Y983NCe({+<{@)Hq|AX0{6vn2DJIcUUM$*dH-zz z3xGMDnY4h9M4sp&)~Kdkl(NaYEySXCG{hNow{TE5p)^W7q$o5o6TZi#hP?qVW3U}W zR1(32hHDMvwfh)J>7#K%ByKpimsW!I5l6CQDxA6w5!jxziT}HpcS%sVV+e6!^UOFT zu8-!n)9h)A9-WO_G02`D6#wCT~7 z#!3VYKpP*-QK84@VHf>A02>im$h*igkPi>Q0aT$*&qB8rzIuff5N6c!(CQklvcLd$ z$rB4+!zYn z1y}b?hOAL|6xz+qD$xS z6pw@`*5A!ZNmw;x*IVPxh6+jZZwmJ7oft|5u?6llpLecHtXaj`n?L-%xZk@c-)C4jjC1Fm`Bs zA7H~$obaclaxQKtMd$QhZ))+AJJ`HgwbP0{l3S{4aY%!6P`z%qm9WL3JkKoJ8OPit|udLsCITC@nb3 zBB_N^;wBXaLbx-)IQOJgnyw`0=3y}}!-km$p^CFbnj5z%by6@n*X$i5%z;V29@bV? zz99&*R#Y92Gk(+S&$-^{2~@u;>J9rbX2@f3H=JIF4ZfMb;+#zzYbBm^k(Nx{T7CcO z&UbvNxH@dcMLTXh=i?(=*xQIs&)ksK5t{F6+z5o&TrDe4Pg{ZBW~D&%r;>B-4QF`b z2o3E@<1#cR@FF;E!U`yl0TrVxG2|}DFSH_ps25R(l5>I{HCR6Sf5uSWJ9Dp<%N6nVAR@WCcPNW3Ss*K%4&1dO7r{;*{ zd518PGr3)_Kw~GdXE->Rt+NynHAAUL-_aN*r0So%x%A7VU>-f+JkB1|V^44fF6xy+ zmdd&WGPbiY$`3iu!phJ50l@ugr0cK?%Uj9x7_@DGz^6fOlAMB$JWuNg>ai0v3IwBr z+=wr7NygWIqx6WJ9i({d5FR&k(a9KCh#WoGtql?$k(2V8>}LObx;yaLK5Wy`$s_9T zEAA+(`Ev-Kacp+F*@nxH0pDI+TNnu3%%#T7T04^@W`yxKXK882;-Qoem$l z0y|zqXbBONyBo$Cr3Fczyj1;F#}+KgIJ~_`fW=nVex~Ja?JmZH0i^*mpDDRBq8&B) z`)**(I%JEOGm=coLH~TQ3H_qi1E1TBig54xeb8C}U6cjyl>9_uPZs6GJ#dsu_a^1E zO9G!2DOZv7@s4tZ2e9|Ui$}_xxh;mCI~;1bRp|@cr&6#-d}MB5d~QCGwti4f&X7a4 zXt@0svn1 zrzEVOn~+UiZ1sH6KgxdItEtrKY=|K!>fj(C&6j96KT)_$G_-dH)BG?n??`06{bPF% zIj~>&J#5wq;2K+nwo7vX<-g!aE}udI{-FgX9FP4*T34YuSUX2E zjvToB`n{LIk+?WiDr^+zLql9j(tR2lCm%NXflB?W^NH6E)E=O~Isq3CBY5{XhcY2$ zJD;LliJ;gc-LQ8wka_+b!$yg}UmWfRWUhWLwI75 zEh`e>lwG(ozj(lfBhm@s0wd(PGNZL4w0PYUef4HkKm!L8Dlvwp5x%~>%Kd;A7@guAlJ(a%Bq=Evu_t=~d-4 zEtecZEs_Dk@E`-%0BprUj6&o?*|>0{8!EAB4Z;Y(Jw?t8K)$U_ejXY?!ji9&*@t2% z!r4LDRHkx-X()}aB5B->loQ}RGTyKB+}lAm0}6<-qQN>I%?YKbBmha0&TOMF3N5;m zr!Sa0rN-Y;fK5DKt&kkKVZ&a+sz!CBlv)kDgi2>0-$GWj#{r<*-|X6qD=h013*u%K zSDrfYK}cZr+dMi1#}x|;5@IcJ^_9F-LF6MLTAueN6^BK^n{E-saA%Co)6!Dwhe$nc zZOWk%1r*t`c`magSDI*RFlS78vt 
zN90rrcsgT0RNTG{ai8rWp)n2_wiElR)fTHns|>&i;$q^_Ij1)wNPJRqG=<;(;9ymT zXGJ*$x{fFqiz&hzt!?#@MQro#>wI=A;M8Ka=^f`UU zVm(TF?Azj^?d%SZanRj{0Y{E$Ck|n)awhE&Fn&B^o`J|+&$KNBR6uj_#tWdtIAE6M zTr*X5nav>BSa$EM%*FM6*o@YuFBz6CwjsT%!;^~MUDDTc29*Iz5db0@TMOZ(pMUM0 z_^B&+@601pt(LcmG@*Ma8QQdTJmCt{u8P;#mdY}#9{KG5vQOiS;QQN%(q{W$XPg8J z)jhMTSm}I+UPI2f8&V)1CWK?U(5eHwdv>5a=dNMby|%=Z(g8*sToLvszZ-q3C4{-i z04nvQoN2L<3Zp{!P~{7x**J6JALx}I(`KUQNAdSE6>ZRgVy(VdJf;*d`4eZ#_vjC-Q?g@YKO2&Olqckfwl0BnYNz zY&C1}E#Dw0%7=Y;bENk0ntRgJf{;;qB@_GTpSL$grtWGYJ;l$7{Es>De>epL^le0F z71`1%dQk-yB!f4)HxLeZf&6%=ysRd;nnfb`m|AA}@>=e@rjWvho0xU1NH3|LMOrf0 z2--+fpFjq`r#BidP5U*~0#rBSm7E9C^I%Y}Lzkefc_#U&Zt)W*yu5eQdPTKWoHm1-J0{XuCL z|F<}2L4Qyn%Xg22vuSQcALfK(^1%A?oweR#x!gjXkn-t#hL>h=XMz;^A+EFowqaUiurFo14CIOzsdYy?b`6+2ybj$ah zh0a|=x$9P3|MeQS6SmVBDI`-6u02<^zZ)j$6PEgU^dRzo!`=VzP+rAyy_*P~T9*9r ztvWS0uA(~Ae8C_jh%m_Fl2n5gPH*56c1AjWZ=TbSaW*Ts$r6bo`v8P#_o{WV(hm#+ zqy%)C^1aL(0@lA%Y1spE$bK0oeSfZ7(S`NF)MO5;3LG%~Hwj^s69Y7f_TRCL>E(Yh zbN5uo8|Nh*QyO}v^ux~Ei(5s1kF^Q~T3z83-jfAsj;|tU_u&8oc7U&OqTH%|Us;n5 zhF>BgOl5*8@}%o`w0vW}WZ^&e7n-fD;ABLQ2)H5qc9efuiZ>DMx+;zh4ACyPXL@ra5TT1}vuznR+(zIn3`O0y2{XK1S8mGN(5>yUs@bU1%qb z-(LkPs27OSJE$Sc(;`J5%9ul^-$~2)*&% z;Y>4>Cq1U!kk1VnGA|Qa?F_{&;l4f}L){QHX-9qd4AGEQ9WMO>=|lilK&ihKmK9v} zhVD}YI(%~F9SMPQeMN4I59Y6>A9h+EG0ZmpK{j;`+$zOisyUt1^lMcw1eY;ybLXfPdLwF~e!w=!o1f9>Zq{wCwUGb#;j~!?rt!b)@Trq?sWN>O3LTWlLdr?L!eP zc1VVN*^XD~jvti?bami{-!v?# zn)*UL4`EE#5rbYN_|&bE#~ZMW;y|^)Zs`t)lRXklo22^(i6RolUkUYxg`&0jH3ER} zP>g!!AGEz`6F0JnNSLnCtg5A~zzs#0+^mU)B~ z&>t_$yftnk16Lm?oMi&D5yL2tTGn|9Y~(5b$>!OfI?8 zJb;m1jJS2?ZC`+K7%=@~R3HURxr;~)vsH96XrwL~|E7O1)6ksrplS>QqPbsc`|bgO z=cm#e%3htsWJJBDf!+#d%%jxV{fE0UXGRSfZ2|u7OZ5t3c@H7zOa@!hrANmBNqCfv ze(Ht{Fpnc;v;j{E18!q5!;&j*T6n2RvAOM@F2fy0xPh1g0{wPEC{%C2yrD^a^Rn-l z6YDoC5GL+>>+CcZUG7Llo{W2dkWUQc=N1{QM)y%Mi?}c2pXjLWPT}xszJPbl#C>`~ z-g&E?)^;ddlm(hIA%$9$jcn-R&A4n2+1;tPK)33LJ>wKGP3sBGq0qc>vDx-^NF!<2 z?c!(;FMDNQ{Ps&2?M1oZ+%8});756Yf(7-HCtQ-FUx6L~hf6Wcn5oGNT!oe-5cl=DdJh4s$kv_Wha6?uqckzW 
zJnSm!P0UzqX!0gy+EUIxcMAop=&sTsMZ-r%GIx1T{-5_iwoXk0Yc%NW>f4oy_W9DS z=+z*xrsT$Rrey@d!1>7W#%szOeX40bgRt3Ptc`Z_ittaM780KuA(6)792HC>?SOc? zS)ySO3t4xI-0EO()kI68Ye>?KXS{rTn;-9z7laWCWx>4l{f3rE|1Qn@q`x#U36z?U znoZdw#BIaiIlxPolj-zt}oRNz>6_Jc%m(li~PAVC4*I z#%lka-wJTZDpTPS6!&=yKev+XJA(Q<(v6_N$pfAznEyJcT#KvY+UHMsi_Z4wx=WFy z_n#+vC>K$nf2F9^LBIsxt&|*~Kp3BuiqiKL$R^X-`db^bb!h!L!=py<-}~v^+F!rh zq)ZzM9*DZ&Li~glL)MA-27*hf?-WNh_0Be$bjF z;gAx5obg(U)6s^OZ>xmr$H}3LUbiyAP?qk@i!X2h_^CA~k}4hqCam6$5~56#I`6Yi ztK3ava{fc^PD}c>O1WY5ivnW2W5kurrXRITKcfp=2&aw%{k*jvCcgLG1Gu_MMSY++A+lNm}a zjJL;3mKS%L$%R*%+?h>u-|B5$4mfOPX#IKliJS!?KU1gY;@9}o8ldk`Yy#BrbLdUN zoS2lR2Z8t8c~BBd>^W*;MdZX<{t9?k1$i9(O8V#GkjZN1A_0JM9R91&Ly6u=`nU5! zBf|NKScL>vUvJn+Wm~kl6L4Pi7OS;VSnmKDCMh95rO4lGeLqt#x>jS3rI_vy*fEF~x%?65_vaSC(Cz{Syo#3WTF=2C96qKjAh=+mPR?R4Si;3ytKmuEVwR4m$H8AR{^{qt{Z` zyZLjcRJGQ$b@^fV^aT)bz_=1BGQ|i4#T)FHRc@PhQ8Qowr+dtSabqZ#+X{V_0eE#C zqMb1VQ^_^4>(W-)2ug$1Ac#PnamNvx^qW&~1=40M_p_0z zWlo5u_`n=-0t1J@;Dpvj?-RheVR$#Ik^vJ?D22ydP;fPcwUrUxk<`DDGXh{+8hs~X zjwYAGk|!H-y9VK!%%QNK!&G7D9|wY$UVJ*aC5p><+bJ(Fn51^QZpNH~3V@RxJ)1Bo z*5H5{2EX&%F#9IqBZjk$M&2`ZY5D?zgTG_;4&I!F9W=LuLq_uF?%R8y4YS*oZcvx+ z$a?9Z$?l(-PZ9Jw1~TGLu}x?5EO5H6&jhW|!1`S|87}VuY1p_qqCmE%ZKPMf9^^0txqpi9tX>r~y45 zyI@~Hx7a;0ebP*c9|^)*Y(;u3dqYTa@tg9@QJ2MVZ`y`q4)H4{$&PuhSi5)v%p*A} z7i`Ti%WwiqBY%U~1E2K49CpCRdropJTBG@pt|GaTD`GAHhArJKDF31J9`!dxBi6KsgCi&mC|x$h&4pYQ_LpYzE!e zb}BP-q+aa)0hKdGUEGGF*o9=r$%4QiFe|nw|P4Kb1(6K0jnLyijyB zS}Kj3>e+hl)K2nkO+(Mkh_78j?`o3REvFe3o`C{j0%)`ZsmSL4hWGu}$~um92TZk& zoa}0<*H_5?@u_JB0OH%!fT$oyE>cZ-3;N4E*-)L?e8DGjdM)T&8kS$PHKT0S2*VrF zaf4#Ci@fjvtO@aQ=)(kc#`^dz!|QCYzR5I#6F^9RDs1h{;obxf(t}6_^CJ-yYI)Kq zoZ=|}3gBqHcw&5ocCm$ANrV0M1Mi^V@4=lUCkxgDfkhZgQL{15Yj2#C<2JVza;=1d zSJ)#tEHE}Mg71wE2_??-PnlUrCIBfX(m4RiL_p*uPM7bTfihWOcabv8m%W1}k&t{u z8fT6lit#xd67J~cTyhho^fP2duNb}166^T(>7CBIu-ALhcOa`o^f1*BGY zRG6H!&-t8#9u-%kGBFd<)toylA{_>yw*Uz#d*ksluvQQ{fk*b+_Hdccrh>yI|H71F z$5_)ET!IUUsTrCya-=cJ5`vZ0|4zJc&mDJu;=rZ-DoSt`t!B|3#c&qV5vj^Y`@b5X 
z?3G~l-WLE=A~uFB><&;o8{QsY7)jQFqQ{*6Vi>Eh6dby)!LUVJ7)D){q+-Zt=iW2e zG?3vje{A@-0bsbok%ELG8@2O^4C>>-?7uSk9ZU9fY(N~EJ`7Or`pT(Hf%&gll2ox3 z0EyWh_4eajZ*uMD*+rqxN5C)1vBrKgfA8bz5o(%iLF3#PGpCzMEaAxX3mMM4&lARS9-V1y<<7A`p> z%yv6jx#hZ)vnMKc0OM-nV8yC`D1QdG7HNUPZV1%&TMlN$7GjN}QNE{}fmbpIpgJIkivn5Glw4l%?(>b;u+&R26igoALtiMUh&6&X zfF+Hhq6p%wT*$6?L17aJcjH-Jw!x4Ig0DbeAfwsv3m*i?;F^(-DXuH2dPxfENFf62?4w<8c}X9eUayeecWdd4OBW@dHEHH@azQG&+xV6=i9#3?S3TTeLn5z~W0>hA zTEPuoa+JESG*PB+-1#*)-`9iXO_)?&yHh9I8?fMKnCxaf%K8f86XjE=6JcTKBrj5OQr4jkYK=?u6bnTe zLX^jYP=d!8Yr-z9Ej}0yd7iEkMhbhNC!QLro`@J+hINfdr>a?4@N`x~!$S zPeEzYf6Tf66FEVBmo-L{Ah_KW7ce2lTSqsfviO= z%%mTUS(0F>EhAvFY4~c(QjytvXpppMp4Io!t!HurqbtMEjOcY3s!2zq9U}uu#_q8GWbey>;IpHmt%Wg2V85doB+^nFjbWB~M`i@An10T|$ zzd7#Y*kVHJbsAG=e5}15}^u@WNIK&P_V|M=uI7gu2z zf6J`|&E*wmGX6_bZdkt)R}^KGug$yK@yd*t>DBs-1%dbuMwUEh}Whf^uwh7XK7O#BDE|zyj+0c+GXZZu|Q<}`O z8Zq;eJGL#JAIVWHAzl;u$;o-W~t>+)}|o#0_A^eghr?B;v9F&D9j zuizfTzSgbvg#&Q|0G(nH0D`{OtSdSG9HTB^^sF1Y7YV7LZma9ZPB9%5PmHQm#&1w+ zLzG!Uc27;hmu9v$W7ktUlkj{9_sey;ZA6v(p(*#ip@&myF2Kk_;U&n5vnka$M6B-=LnbkMI z`w8bCzY}QIh^ww=v_X8SFtUES)y8dr7cE3e?e4&gp9KIXf%`pwHoo=oW4Uu>C<8wT6k$5ub9R;hZxuD<2t-$JGYA2 zP&&MoN^1I#K$Jkee?H8nEsSWQ23=5Yb;f4n3ZCIgJw<@xHII=3L5stgb@f|)#+iL& zN;K)i#dFWR8C;e#-G)ebqBn3nk~cDrC(b^E{!F^Nv;(bT>*SV7trb54B$T{ zwjN?=Uuo*u+@o;4HO>}eQr{MKV3Y2Mu99D-TLbg3G=W4_K0lptFDZGmL*`SpV_`6B zshhn2J?PO~gR$%j1|PKWPmE>$F-A6Dw_*`*DN5u6^te%-YxeRDK6rZwv+Ah&#J{5V zw^cjxwjFD{$E=w*&DxGk)sBA6TEUL9#(h|~0_=8E95eu%wa;1WoEZS@G%?2j2jjtr zM3=lS`1+A~!nT7Z^oC6j*gFd$>1!90d<(_fpQ1%A)VOWq<{#?8a|6bbp0?D)*6cU+ z!LCVo+yi-QQ3MMGF@=T@)Hk$Pi8viBl#l_!>8IA#CQY+^5` z%~4<9DapouH`{*qU2i~DC7a%pUQ0FGg((sIl2@zRCtaeIO_7B=fN>tG1;7Sa>d6_u zbrDx=nBH8i46`eZqe@@+lEe{)6E?_kl%uh5fkn&%eqIfBR(+z4tPD-~wZNkJ%!tLJx&-%3ouEA4s7|`Q(7`)^LT_q|R77E>Y6! 
z?lmLn)t5OfmtAJ?a7{)vh0k=ippc=3XAde3ELuI;w<}AENjaLK z-&h!{ceaHV*jSeqaQn0b;r3D!VaFFLX5}rJ@O*NA{c&CD!`zN(98k`mV*g-(s>ift zGC*%&!t8At81BChX(d^pq@zacBsF%giEtdr@4Unyd3b6WsZxBT!++B>X|}TwY2iwg zV>Xsc!gceNhhP+ZW3EKww_!7+h!&}8>*7vF*pPGN$d_z@@DrziF_5KZi`_=dwN zjW_c1d2DS8iCuXrlM|akcMchZ$%EkyXL_4^SCz;GB0=&E1H*2`DeYD*a5mhu=6{5m zmM6=cE8(83o@+At{2^i|z_3|%o!L)2!rg4h;LS`0hdW!8JeO9Q$$ZR!L=%M!uz6dP zicm{p8yMR`gnJxcyvhWKc#ORJU9}jwNm-9&*w9yg);2ZU7biVI7SE)?=( zP9a0Zbb2cZJN@V%3e(B?UK@&vOJ^#MB;iZg@R`X8JgGbCazdrB-EL>9Ht{wDd=-Va zE4NSM0am>L?aRLp&bqgjgLzoq_3_=`? z+h-r|avw23o0c)SHmMOeRZ%x7X`33Dn=JS?g?v^ozp1F7YSW$`Cw7|;7hYBvp{#d5 zV*+5N6p54yIiGV-1L5`F`GSx`3OaYq%dwZ~=rw_?tGlC^HM}cIR7eO|_nRbX%#O`&#Kz<-v!`b9CxM*HTnVjh)ii^gQI7y~Hh?nl@OZ-5f0UOdRkb zlB}Fpf(!xme6x)ZrN!qu)CX5^!l3~R;ti`EX>#2i3{&rV`e`E9Z)^=zO{44ftY#&| zheq)Er3IK=Eh4Q+cQn9M;FYac9p<5oh}Gd`;CC7jHPB(7*uX3omCDBS*jYT8S{tg| zS4S+3#X{B2PFyVSd5k>erQX7d^gPAQ!#(g&&Jv+3oq)`kIE-Tqzs5m!u8cyF?_Bed zr`g!@xoERLi1dGw$?u`#E*~yGh^AePv@c0O&nn@j`mGB%#H3iD>6}e8IaK% z2|B-F>1*z_OWVo=w9vD>hb?a+`P{oHH$(@!G1;YJ zW|M3~U6lC7Y?d}xf`YarX4y8>7`q&_fUFe-*RV2DBD$Rybn#Jowr` zHqW047$sK3aKzJI=?%|c!Q}^hm!yQ%BAqqSF^tK)`^Jv&Qp}vr&3t8l>(PQUBf1$` zJ_2}Ymy@%jT@`w})R;Tm<2FDeTB-(&{P-rXt$=^vheomn$lC#o%p*mln*=RC2xBcB z9xp9Ch6vzIf15Z@&~! 
zMm%w1p8(tuy?O`-ghs32()LF^j%x#j+7L1NhBPv+jlFjrXDz(+(?wDg9vd{4#Tlo~ zD`bD~hL$S&=We^)(rldDWYA&CCP6-xX>Fwyg2Dx@QR;Ehd?U|zMMZ4WYB>+1|3yPA zt^4w}e^_h}eJWmLg>8N(4H;R*9jg*ZP5KaEq);-B(tK9&~N8{L1 zIj~qtFbm`1CbN50&Oglds!G%#>~X8Gz;xm|j`fR6 z<3xwEV{Lo%^f8x}%jQU!9hKRQr$C*#{4{$CGjZIk75OHle_!xIj1I)7u|Y|CS7J#= zcIREAH=-=CIpP2#LDlsHk+a9Ew$v!M>7u<2l8Tg`&y&?nrAwXElUe2y%^n0G*oP+8 zQ=M=wT2Kh;@2dZ3O)ek&D&KvTa;(UKrdS~-+);(K^~@l$Zk9cu=?*I$b+E%LXMrt_ zv%vh5_|klLqIMe~Vvj`rZPriP5qL=2;$C5&AlPuyQ{FR599n;~YP50R3XJVUeypTL zyV61ih2>kO?2$kd3BKCC=VyA}m1OvgQIq$QfNVH9);6+&dnSb21z4qzdPI&Px!UDz zDb>sR->zE7Z(;$Z17ESMa3cwJ*k|-&`I3qTC0Od8z^zo@SZPBkj=Klw7>_H);I0o# zyuG;<7w1afYjd#w0P}Q7hVx@vE!{t`B3Wj-e_l&-6Cx2jaYOW zGr$O`O_UDt{BR;kB(%ijx(-&il3@jvu}POcJVpXH-n)QI@t%Mjgi0GPK^DYbWphx-10F}dvq{H($D>h!03A-`2vIq8LU!t0%d1FvppnXS!TrL(MP{Bdrv=em5bRokDpJS7d zL9yx`X}xC;Y3M;GlSqFEC9Fp&2JYY*S3<<&WDg~&v^(r&NqOEt44K7F=A^cDi|O6| z^lcIwvyHuO{B;N}-X9Z)I&s3#)D_4hl=~RFvJWE6j@%4L#xQnwFyD7qD0VC#lQ&@c zqRtc%;*bi>K&T*Gd!R;t%(lsvybejXdO^WTU5xn+NN^~mUl+tIQ$$pX$P8W!zznrv zdo7>Yc~;b$h|A$?Ag01qIi8+Fx|;W@a5Lp3YK&NIG%<@wxtsSiQow6rYB#K3>G?yT zVXU0xi0^V89M=L&QQ&|Z^rb2s5R=kpgio#GL#`)GqGyl@uiX$uG zcv8wUC7H#Wdy`=N?c7C3mcPGVzpX95-@nJ|8KP1#&tYw;qW`aP@q@W12rRM2a3XQh zR$x|nF$|8c^!&GWi5t`!*C4HC39`FwfdJ(B4EUFeuwM&7;zZ=<`Q1~?2gVNm93ig< zS86j$UEkiw43obGi%nwS6S|!mzy>*I?H_)9&4B=zD|Kc-WAz5c`(^pDsaRuKzW}0U?4mMzK1*E*h ziXqqs6>a9m6Qt*>6I{kv!9^alVkhg2c1s7*$kLj$xUc}9e|~Qv zP+NhZr^#!@9Q#?pOTm+$gtV}3d*{YYBv9bQza9A2k0Q$*)fn`Z8+W-ckY$Ub;TG|k z6843yoJEjKWpNWrFDjQY>@*j?+>tkA11PqFjCN%aHk@h2ixOeEotauSIr8mXEDY8- z>OeF1`BG-Ud&P*Iv1VqU672g?F;aQK(MWYt90~y3@R}I=|FwfU#d64N5ifRXmAwz% z7SqZgdz!tv=X#l?>x%P`xD#i+D5H!jx2>aziH7f~`*}B`lC?LhAMSmTuo_f5;)+?n z%Iu?G0%FHjTSiAzJ-q^_amD4up~JA=fT317V(_okH{!*^-0RRDgqd|;=`CJ-fc#$@ zzyvH!R)N&t`|bLuT1(ANjRMZPmm=<-*1fFESHF)5tpjH~`ApQIU$azx#DY(oSOB%h!NE)iurn zH=8+Dtw$8uGIrOUf|_If_aN99Ysl_`*8qRhv2-i?mLKClooL7xoo>kU{$vAr5Z+97 zF^?v2eUgFKYNG}6<$;6|`kPLU2iF0;GVr2P!T+)8Y;?lsCuH+GO?M6$FI+^m?}DH^ 
zg*!)OH>0@Jv@ly9w<|}V!;6r<|3*Y`PFQ(*4Rroqh)qinQ32)#E`3H?o`zJG(`O=( zaRP1#RRu-_WfKBF^HuI468iS?a(?D-=zdruG5myXD-0bwy*mw)mbWwg^-At6l*^9B zewX516Sh>v^XKJ;j0Y$#9b`Zx)1)(-#ckq`E- zD?|&4v4Fyc#qVDW+9H|*Dkh^tS3kYculyZ(`ZYZuAw`< z9O0Tw93uILa<>K}Hmew_UTRZT=ld>+Eu9FXOOUY+-r7)EBH@vKa1y-g2V|LyoQD$lhGV&!T*?Cd8{23Lk3ZDzd&oeBUEX2ef zNCsI?n)vx^Ahq#x7fwCaWyuL*0|#vC=(a%7{}d3)XNQRUhYMbV2C|v2-G5V@K^9HP z@>zhc1N&6v@e0YHDUun~!M|8zy_~qX4Z$B`)3F; zZ6)oaNhSdK;NyF%9k%_^yX-&ddKmLeDTSGtxNj#QI-ki5+kNOd3tF&`#|%V44y`Ih z?Fd7x?ig5D8)GzJQ@y#@8_8z2;y!}tj=N<7EHAbeMyALAiOdyPP_f>M%()X<5MDzs zfN+-h`EpMZ;1P1UCg-<;>3yK^?V?KBUu8Rk+w#iGzo){~1Ss6b=fQ-;`|qGY3WT=B zuO?XFyi=)@(ukj`b`PG)tkO7xYgPFBt}0WJF$xR~T46f;mLh6*w|v3nk9UKrBo2&< zECQ8m1^TS~VnmXW6aPRxV%^&fnzVB;#)L^7cOTV2D&$x6Br4c>QUWiQMk;}0L#+`( zqBKx^dxKWd(YY#9s~Pz~(e3CAeB60!aG;5igLjsU6B>@}*DtI&nL$N@Erp1Hwon|= zcU=)!ZE)WC+Bg(LWr0q(jC$)P``Q<3(9z4cJGVuJHUKA7P}xA>oy++U(gkVwN1`r+ zN^66Xu^RFcBrvbo20m_63sSoZ9Z_4wi*W}gJea!d(?QA<5qqbIDm~|JAG^}rXrpPev{DBAZ4nK7zHN;jZR=z|WD0r3cx$Ma6|5dQnPte6AaFO= zy&+w$)CebM(wh7oQR#>J&CnM31bPEgoG;PFGxmg(QA`bSg^DTVHKpFp4~##; zu|&IJLHdD++~pDL$@!TX#?JW0!AUTISJi-VB(eaA2Ngd8B>InUkIFR?miM+tv|^HH zo5$&*Jd^#L(^3}e;?pQXzA~I3CYJ#leVVG)d-sx0(NZGZa1DeiRXl2~Z73@E1oy1S z=fb$VLGcE&72i$z_drtG)^aw>Gv&Ms`~)AYm9dD!ngajiE=Q+1z5p}^pO9$mU!cT9 zB8FDR?Q2yE5S~Q*rzaj>uD%4{IJ-(4=UqQ-MmPDHE3o|3Q*R1B_?)T0z@#pjn~`R2 zst{9Mb?1(2;7zJz!aC2XwXN-oUUi5F8%H^oC{vAfvuNBY?2EF_yX8ub_A;xi zi=Zrlg$5TaqpU_h{P^dZC+pyr%(Z;5qIBo){!3@LkpvDT00*L<9pTbp4<2C($5i9( zhHvBM$YFtaCYSC&p1t!Ra zbz#XM-t9&9M?}UCGx#kA0M8>%mEPo z_a~!)`we3LgQ96$5{05y>VfEGU|K0wB*%8pjTTpG9A0N6o0Qk)^F3i!2|=R5)MJ+Q zi@z3@>Ra-Q6I=zgLJ>qVh6|4VCQp%cV0g1XQjNz3Z*FjF0liEuHXpI^Hwa3u&&rE#UgRoTV<_rGO((UM$hnS@>HwLTQ+ygNtcv+wdwWv3KL-??p-bs=N5(}s|jhi%U- z6X!O%z(tP3ij0M!l5)m7^dw~ws+I4W45($XHdKK}Pm?_eOe?hEi<||NOvP|#4BVc(t*JYB!t+>KE~LDh-sqdHtd&;=2L;)eTR-GfE}QgfYVw zao7PQv=PGDR(4%E&8(O(vzBhlj5Z<4&2LO5b`Mrfk)BR7yecvQkIj6^4vaFLQKVm= ztGwyR!|O%U3pj+`D3X1S@?*k&e#qr?$iyfQF6nd?Dzb<%0bfA6KlB!0f^LW?dHhE7 
zn`q)cz_r9VxP-5~WD>=W;U6VTPyY&R=MvIR2JUK*H@jt*surTackIL@1syjw?QvkF z*%#=xWRTE+2_PK1j=BGLbgEZB^NlHX#t%(@_gla~oH0qWw4d>2h-?UwC@NYc9?@fc zZL8+to=1~8K^@DK)NUFb$M*M?@}@DvH@BJYqC@}B@E!2ucAP)~Dgk5pr&S$8Hqt!MQxWu0aUoIg++87cG{aYyUX~%dr z{M5z=umw*y6riqJa_A4c;u%p;UJ@578DORxj@U%ZstlalKtFeaM&!KiCj`XTif6YA zM}O^9AxTQ4obDQ4EEPiM^TRiuIo$o;I97(=ymJkw>moAGg7MqL%Li^P%4j(6^nXSK zCz{GCj{UbzV>u|*=r;JR9JI3v1fNNMfLlJ%ZtdCkaF9MT=+MDI#Ud{>)$Q$kK*qm^ z-Vmasr|=MqdtO~*JBuDaEMQ3@(*~9ga+-2zR&?tJomkH*Ghe6EA;m{k|RVrsEIROU*FqK<*)3(DW zwYrFr|Ej=UQ3mj4DZy^p$y{JYBW(lC7MNxP?pFb-^5D9zVW^d=3h6^Hfo8G99RwqY zU|PQB%x1{OC*!_R9`H>=aG|X}p_JV2JWojr54|*++HAB!R24NyrleOISjE;ID10&B z^kL31l{bUWD&~`Ur&ARl=!iSeER#(cJ%^jHWj7E%YGy)Dz|icU<9%j8*M}6{YhOO- zGW9tT2BY#t@SxI{#^FWOC>ewEditu=XWqn>iE0tOGpos9nZ12 zjc>MOgi5{u+aSy&kK*zst84&DeW=R!c^lluhGrhI3_vMtJ z9}E_6Q@8V(3uf7yjx9gNuH(th5ysDmg^j0FaH>A**XSqdLFiVwqHvHk!G-QGw7ud$Y3~2RU6d~+d0~q@ z549`#Sk?)5j^>ngyhXEZMq_t zWjZ%xWc$ESPrRk2!3^RLY)gkJ%kiM!1~XZFj96~uRq!qfydNbjl0;%17Quo!&6ZK^ zoU;O#%VJnmk*N~iP=C+xWBLbx6f8-M=ZgB=%Dt3rZ=X(-biDuGW*+X0Mwl@tCbj5p{I>>uZ^*fdm_2ERwPETL#_JbHPlQ}NXv#V^>8)Z>Qk-}HQTv5DeQXc5UApTv% zo&}Lk1?<_+8U$b5o+_VsUSn65Z*g{DBUWv}LLWMgEgAO?&GH1L{}+Bxtdbfk?6J8I zMpAjsh{+Bx^)nb{QxFS^YjS90Wesn)S&qKYTvGK@$*$acouOo=RA=(9O<#{KAfY4b z*?Z#1DA9HF&f7XGzW}AQ&&X2o++y1?# z7=3y-5E{oVBF{s9{Tot1W|@@%&{N9%9K$oyI`FPDe86^1RXT@YzaXL=m$DK3Gxs+x zJ_|Z6D|SsWmzyrmF^1&rt`oo>oF`T!y8s_Gfyh9vvZ$(-%Yq$U8G5OK-H%p)f~?r& zgd_V2P}pFNw@eD&Yb9uOG-!~l;7s;|W>L7v)@jgJ_3m1)nMEkG1FvrtHY1Qf#>Xf= z?3g*GwbE6wjDz~O7by3hL9Gk&QG`EQ_&lvBB_rEE_GauSkKpU1JRCE0^%@?oJjw4= z@5mqR$t(Z8Iu@n0o`9GJF;R1u9!lc{VFuK(Cdz>-Q1#SJbLo8%r-Rg~9gbA)pj72; zg_i`Vbdr+aOa(?RE}5ap#tNHdhU*P8VFins8fAI@PR^JSLm8Pp&W&Csts3zZG6AtV z)C2e!Z#u%4L%Yx0niu;RqhOmpFky^b^TW%iVQma_CC$;hM)uFxGuEO*!^^~YRw36A zIDDLmK28#l*pL-ZnN`2Dy7?mr4@u(PkC2#ADMN0zx&#SXsBz3_o9V(*FWEj<7& z80>)(8NI54cqJ7mech3XI~a>nsth<8MJNj1W8>k54L* zDy@JdJ;g`h?7kXfwW1thc%Y{6iUAD9L^Lh;DYW; zcOYp&QBG-lO50x#CT>o>bB|u zBIr_D_utYIM=8sRB!`LC&^3mt0>|2?&Gh!g%(W>qQc<4Zh{ZMi4!M{XFt{(%jb7=% 
zs7kAbC8Y5qwCba#=sC7?0L3FeUHuUWg=$bMhB{hVp)@9DhZE8=4`(?Vh$gJshaL^M zHRPA)m1RK+x4Tthn#&O-1p#7}>1S;Rah8{R9L2x+s9sV1-nsDKk?pj%yoSp-oc|#I z-ako=Tv65R0lyHvr*Bm8$4qV{w_|k}SNw?tSQ#?ArijnF$Xq16%`YxUP%RP|hhq(9 z=dr6bCKO!>Q-R6E%ek0FBc)(<%&>2V1Dft&f_Lb-LD_^jrazAZwf+KYWx~b->i4?605$6Q>py< z#fc0zBS??Nwh>J@dJ^!%uU`ys5jYvb%^@j`nNvG-SqMMS8;mi!h|o72bHQwuYhFqR zO&QEiRAqwvy2MfoDzF9MfDEEUNB8BGa<>f3dXqXRy)u%yLI}$%gjj0+&C@KOpHhFb zWUxn@FebMM{gQGtIGqO|CnCia+Ho?l5m+3XC+qZCY5X|G|0^ce*p3)6IPDU93@ukE zW@l^`Ku2^1f$m}1Mm6+7fC)LtRne z#ir)tWEeUzTpjq0i^Sp`(jUf2RJnr?agfa@=OM5?oV$;02ROArohp1*8mARg&8rl& zK0qv#=giR5CT$+SG7Y3lCM)D|Cx3H;f6inM&3d+S+{=%7OnhK&{gySzA}akae{uuRz4uS8GuhOw5>yl6j{l z1fPlF+n--OeX!&~x+GCQ7fs=PEGsgO@tFgN<;VsL-bD_>x{Gq0Tha-%ad^^(HUM-h zW@{i!)N<3FFXo1?>CSnbd+B!^C5ZXOo`Si696Uo2CPXVvtbpdC3bu%hE25;N3xMlr z181U1F^Rz{mJIspT;U0#V5x2?0MlLS67D`H z&TWt7q5BNa*wN4M6^-X;F#rC5D;I(_P3iwRg=E zOS1NQU<+RX{-CNb+Oc6zk=)LAZM3tMWJSX0cjvsf9P7ilfZIFkK3gfj$Qm%FU!fmGo^~ znfxEpeL2H{a?hD5!22FueEk4RS$0ga%;1;#> zMXes%5HUOJ&$Cn?49?MQtly;*+#7!>y`&09+SxM49tpd1)#b2?2#DKqeuf{Tin%Z# znRBhb05rW~@Oh^RNLcF;CeNv-i1zmk1H|UvsJifiIyZlJ09whGP2U~p5wLH`k`)TB zCRT{iEINCbF>Rd$NP~57V9pqStDKb@HSx(&Ax*h-NYfA2a7aV(Whb83{$3ni{^fWm z#5OrM?_R%JlWl8v*h7Ogpgrmi{Wf|pz~0ar-ymv-$~rz`tg9r+v=sLMM)m8oYB5JN ziG-d_>$UtCq}-Gv$E(M!L|4TxT6_^x6bA0i?em(}8AFhG10v zhXK*%gH&v&1|TPL6+fr8>oH)ci%ir01roH+c2xW8l|RB>}H61j9Xmt&XB zy+LUU4rW@9`q5}w$UH0|V-PI!R&l4l#fZW0`lTRr8H_DAA%KkqnMxVj*phhN&dpH9 zd*E(eES+!3CrV*1+z5Xib6^(p^HGW<%v=0F#wB#@odPcGc-LdV{{^Qnb#Y-kRGmQd>j#TEJBwy0$cGu9MOX$jp zi&5p+lOzBW7s;hQQBpY7LY{yt+!MF<+X=3sB(@rwhe859NQnh?%g<6o@e2J3D`Oph zmE$Hl$@PB*fYlZj0&KMdI(Dj;Ne~c(Z8sWVD{3J!&aRRsEXw|ryeaa=+C8JIvwhCu zjs9s`rV`k2aa2zJ7n?fWvkj?+iB#QB*cZxRYO@>`Kv)@^Z4E`w#=24r z#>Vox*tv}>;e7Kd#~MjSy`3(`fMLv1helmylRyRnsDj9}1)Stjj?A`Hb?cy^^7+JH zBLk=2jd*A0|8268xW=8d#!mv4u|aok3APo3fA6^6Sb6%%|MLOGm|@uJrUUxO$uvDmdDgMI z38Ni=4&$2PAP)sjNwK0@R)og@KNgZ)0a23%yuh)#1*ojerytXI97+_!$SSbK^~Jae zl9XZGshiXH#CD7}pYt(392CmK4V!X!M1~=uP`5!D>UqQ?YVR^Oc{9qglFyXrdh-F1 
z$yW-)Cg{IE=vxC$CuQ|;c1CInWy`_MDS*_u;*p^17k)XiV6#NbPzf7h5O zTQ0oHl1xYx7x)C=sXy$}RaS45rht$p}+QsmdGuSi3{7>|3+b>A|# zY~{NOnqm5d3PEApm9Mu2CMXt8U2rV;c(}a$yJ5SOY9m zwz(^k_etI@eRxJ<^m<<`Um0J#zARtGye)9_$dNz=z)5a$AS7t4jO3WGgT{db9yp?h zB=SSDL4jPxks=b1(rlAZk$@{a-(=YeN`MWC1wvH4I19`X8ZiV1&EA-jEDA_T;0{8J z`*1jA_e zW<(c$t;hlzbHqrzmFP~tQGsiR2AeP(HGnvK#6XmqgC{otXOVK}+>!U!nv9JavBrqB z!9a$SAM`*FGOX<%%{I!Ai2($1@t@Q;?gIQ1t=Xdo)`1#X(EwIWCEhJb)+~7AaTA;s z7$AJz6L3BpT|A6ml%Gpi>U!(yd3k?9E?#U4v|3Gxc+wz%#tk7dGla&p&|6&DS*P1? z|XILuVw{cPkl=J%QOZg|9f zx8kr(DUa7;>CXTh8*rvFJhoB=XcbbgT;=oXwd?P}XBY10lO9z8^My%#5?X-PKJKWk z$@JG2ueVu~i9emvQN@VikZ=_FJDI{pCe}egUs=_T7Z%7sd=XYt{u;Zyb$t`W`EG0| zAd*HWG``%isnph#!~7?bjt5uK1q0v4(56LJ7RNCK{pT9}NG#?EJ5vDV_dVg^+{$-8 z`BVtKMhXs`gloLGrlM!^%c7>_!LvJNV3R<~)-|-dP!GeQTAMy<9?i)wBn&?+@@T&b z0Oyec;YTz0rus{(<#eh&hXlo+QBla{4DT7QF%_DF9Z{5MjCCyeV;7FIhAQ8hrAk2? zeiXq&@ACL*z0xn#;t?l}F^a&By}!g707nvC`5|_bNpGp+2TcG;iGBn6H_kvBcEz-<3%Q; z6a^pCf;^Sp&m-(9Gknzp+*#wP1Di#1sh_?w8@)3^K+CmKyRx||4llIyv4L!P79wXH z?yOazBOB1^J$^wI#|3OxFd997`shCD@$ZI&c3;N zs&@5ilA}!7=HALvP)31^(HT%lXvm(CkCJZ~jVc2JL1zfu)y<&DZV2QF!DQ+Cmr%kKFAHWx38H zugEnwiZ2q6J}ioTpYY!Pm?j3Tv4vEMWSi=^IfY|sJFJ7L=%fqiwAmd5TEcd~%uM{0 zFA}d8=e_cXZkAnIRpF^u2}VSQp=UK@bH?z3zmsb9YOiDQ*7cO}_yoXdRz$&%$a3Jv z3$RtkUN7yhX5q^(R9qh@R{Skj8TaI*w+pp9D zigteN#3oAJvWRRU>O4=PJE!b|tILwdpStPw0Nm*FX2^*@HfAcC=7P-n*!64SQb5^0ms3WH`wIM{0>OTfa2MW<;F1(LSkC|lew7OX!h`O8gUroQq(BSKE6gb#%@DpG3_gW` zkPiOrD*+7MP#XL0rG?E1E)IaE4Psyin4l%PF;V>SI|b}EL>K-Z;m1z}c=59l8cW@d zl(yYja)WKCu22F`I7Z^T(YdJh2~Fn&>6IlyZ^^f6_4Wx}!}UM`sh^=YXX6k+F!o(x zEIeMxGaR#UDK}45!r>3uk3$&{)ZR+qwW1K7O5DY+OQ*Pl*D9^ib#E@n>JH1^)JY)I z{od5Hl#t{OKj^t3GeLgPH3pt;){v!YF`IchE%Vr=ICJxKt_nhLGc2}gdQ;P3C9fs@ zv~Nr28=D-_PnkhU#X~^jTRS3JYEuHg@W)mZ`gtuz4FH@$b5{fBZ2&~o8Qp&FP~Cv* zrf?T4H@i`$wQ#f>J!&1z*Q2SVj5XRv5bl|%l}^6u>eeuwv<71 z0nrkq^)bQ2C+jPId$f3ZkZ}4OtyZd#iN1FPz|uoqh%K`Zd_j(p0V#wfTpA ztI{`Z>*@7jl={|XsT;k!qU%E`>YKww&BmmvEQEsl7R&BP3$sjL?cw44gn} zAuw3_2DP#?glC019kp045fxoP@-ri^ris_88ve|JgWsV7lEL1H1yLP)@d_{S6lbyk 
ztyyEHD5>voH6Mdyt$K?A=&|Hzb0Y&v%Fh~jiZZzBO_NcfLQCtur_-pYrzfZqR7vSs zCWcS4+55wgLwP~T*R$K(OrLcuaKiiO{N>hQQe2M#OH$R+iz636{5GZ^hdV+fc6K8o z9DbKJ$By2loQEiV0d=n@#%Mg0H^0PXG3J)_)0V_C5SU<(FzJW(0+AuT3^^>*ANE@- zxnT-}NXpxRLW(msGfnxn5irrF29(B9UXccNuA>p?Muy_jhXecu93OI&?;0My=H!ED zOe0)Hhr@6Mc`We9LuhA%F(MaqXkwa>(EnHKQBKT15gIWDGAa3;-sPY3z;I9KDgfMO zq?kClhuRO6{s>CFXkAUH0|Ahb28&$kI`M353~|5q5cK8t>vYe`t!?bZLimd`*wCnz zWBSjdG4`GzaG#BRzB2Iirq43}2EdfyNLdpRSOeJ)Tf%$I*ut3WuyjUvG42->2_1?~ zp&J@ZoR6^q7|K);%eSJa`V&bk4?f)c%d*#qNO6>AtO|8kRU^ z*kI-6f(+a6caSeF80tKL`3C$6#EiFvRWJcn`vFdUH(TAlNjRYWv_{-oEWR>PtMF^@ zYhis0(C@`9MZlk1!uP>~!jpz^fHOaVIiPo|Ygq6D3=E74y8#z6vIb(Tio_9IKMJ_V z-XCv1KdW0114d>6#b-oPYs zYK^RYz>!Dpn|>AC^>t^!E8AJo6%Gghwf^(ZK$YUfO!LVqiMiV zZg0p@4R9*9B3MVFI%a34EZd%->Q0S=Po z{{EFV8WyIY66mpfvEi6xjyW<1;4(KzZ>07c^Jf6+)ob-D;Ym2!=2ejJ7Z#GD+-y zFvdUsgatbejaeo|m6@{km+k2r?4FSwm`zVzIJKA98sUMrdZE<*I+FsUwhlC^nO1wZ zx4S%Zv}lC3f11y=6Nil5mXm9cx`nz%Rm9xdwDe-M+{BzIp$yu#cTzYhMY}^C5kI=M zZJGJ_&5h~IiFQ1K=zDWYrB&;jb=#EMN$)!8-Q3^qH&}69p_oD#g>Za0ni6mr%GLRf zx2xaun84xSwQ3h?<1wx)f!Xx9&DiFacIfmsLyln-Wc4ivQTvsiiy1bh#dT+0)<+wt*kEDb}5OX?a!uO07t!wX5$LT~RH9uja3vvsTxDt8>+5;#k@>x~bMkZ#Z!k zxScdRd)wWPO(!R8c;ZZ07=QG+ELuzV4AQ$Qrc!N zSmE$cfu4KdaPK7+y6K3VNdUb-{y5iiA99cVscER|f(S7+}Bnr#!0Ed8NN$3TeFJRPkwZUNoYR|-108Fg`aP6o>XbHw& z6)#(2a0x0q0xVamqCmT&ey2T@j!kX6L!=CV{c>N^nY@Om??@CiUj73pmS10p4lyWG z2uyWBEA~W1ooY8F6Zr6n;$WSzQn)b1vCBxx9f4-K?sc#Shtqw=vRL+p z!&2f!X}8uEdThwidnu{`i!hIhvD-Zq(EO}u8&1k>$8*1vI8ti$T_#cB|EY~4JIxXf zXs#t00BFfcF7Ry<{XGeCeNma>U72i)@Fhs%CZEI7$^L;<)8M#yL+01=-%e0sQyi!a zhfbALQFcrL)~~_DgOx8B;Ytoaxd{Mf#@|9*f_ktbhsMwnLL?gn1;TW6ro<58)#Ss5 z--3Vh)dfiZb^J_#@Jn)_9A>{}Dgt#+V&YXj1l z$UQ2x{>N`3-+{=^l?{opH3qTPWDE=Dp(hc_CZIrLim`cL7JTOu&g8XkSqUjr+Tx(N zWOI1k^2x(lNIoo&Wx52ufU>ti?I+Ut6QsbvAp<)MluzUCuKRrftS^Es8{po$3$A+c zy&=~8EwwN~DS#jNBtbGz#88HSVf@yhkOnB!TSXoUiW^ad1Kz||zKvjRW`D#`-;ey^}c6a_pqASe_#hlt`wC9lCK6?O%$hCCiP z3j89GBbzt?ZJ#12&0CBa7x%5{a4-x)TM0SFfgcwP$2`!DD*S>d4tEGLFz`a7N6pR= 
z+@A%@2Ehq}K?eOHm)t6K*atyg(kwR8ydI8f)7BJ_a(LO6qG5SLQC1i?#a zLCPMiteF{6jl{kT2aCd1`y534Acc9_Fb?~XP|$lJ0$%(CF#;JN3Y8GcL~sSfp`nbz z6yB@^T2}HQ7e^=?7B3kIrdYvr!@|Ng-UB2!F(u`Y$gt--VuBqQYF0$Kr|r4L{?YMc zVTzHpD;tDIcry-`2iQ*zYVq_&Jd_~QchSN}qK(*)S>u^+=GW<%@3SnR`! zBhYwpP6{J1^UQ)NfFCr2g!3MZQ`Xy5J0a)B8RO!07pP!-3g@d^JQ)OZF;}j1BOFF^XXs4j?1*rWuJX77VfD z&ytbUv;ajsap0A}#4-O{;>r*>0T4fsU5px^5VYWg;?sY+5$6Hx>+>wd0QiD;-YgzG z5(<-imcqpJ>3&lNH}LnP!8x`eGae@x!Xhu~KkP@k<@$+=g5+Y&LXU|_f9Y-9vhgQ6 z>|^i!;42My+r3yQ{(PLRGME!k+C1N+_`_xTGc&U`Fa2B@pBM;Y@T1rc z?6Cn4HPUKR%!b?y8%Jc%z_P*FPlFvNzBVeBRO0%$kIV{9C}=+<7#xmkX-IyW&^bX+ z_+wHXQpDSF=j&I%k$?F(3y3Vn#oivYD9VBmNMINX*=+O=SFIwTm5p;xASCbqq+tUH zZu6jv`wb0PS`p|*%s^I(agpxU)?eg+E!*K>=|dqmrA)*`2@F#|zw5I;T$C%z*#p!2 zxR&l_j3ohHRoy=$Z;-ySxT^WyCBOzOTz*=8-++@{*%v6a_IGSoJsxLwOU4{5%<6^%E@@526}Fn%NQhbR8P|uHm9!xe{cu-obZX| z1hU&f{X@>oZ`dJqKS5Of z*JmGFbqn>RYQGKR1Nx_{EV9tgQ;?ipmuj>G)49H4wF4ayn%*%Fa7RUyCGjKe60?0l zz3`A5dv!e=jz2m<0KH#dozr!nZt^FxouBCqn)E_wsFKj0i`BezVdf z(rq`_Dw=PzkP)c^}VbPK4+m>fK^#k7B)bH-DS9{^Zy&h|iSM@Ur8!jT>u;Q93 zwO8l7veasnG*`sBEk?}OspeqYfZOO)aj<8i+eB^M*=|#n$fmtD0b+p3OJ<^`Pb`7a z7%`B>mnYcSI{JqOZB7s`QI~dSqrxhk8gLko4)$sX9yMpNsEb!?oIN3ZGS8xRO_io% zk^S&{`nch(bx#wmk5K(-xlnf6D^?aC`+`AmSM`nbHjf&#fOiz!N zdE;!nmfU-6aqV`#ro_*yY``yKtUrNShf92=#GmcYu zq3R83aG)j_GzWaSe(DFr5#8EslGtG5FR^XJFhwK={pMSAgLDi{)Y~`@`!*oyX!9W; z@))I}Y9X?Ox*r}LJY<;hwK_h-Cf`}UIZK~B9JT#?4EdQ#nwqIP!nnK~kZk?&dv3mJ z7Kjx5LBU3u3g}%Fl&L5dbIe6+x@g^|hgK@lj+bo;yta%K88Kg%hxDM)V?^&5+_R4N z|7hLZLv--sgTFpiNoRJ13VN(>QMQe6FdkTL^A)p4h+hf59AGrb-DI+}Y^pQNes+xx zuaP&&-$VqH{lBTK3BV|vsNEBF^LJ}@ShO7|RkPruR24r;ZM3V~431U&H7E|jJ5Qf% zwU>KOydKu6U&Fm0{A$2(Trl6rZgU#ID%V6a;tVaveh@~ zn1<384?T?0c1%o?_yut9i_1vt6iZ`}Z#IHna)_Ib92MVReCNCycNlpxNx&S3ak_gV zIjUDeo&VdV_&Hwje7uVl7x10e>zl>(<4Hhu{?vsXv+S2{Fj8|2F&8djbex!X!^ zAQUP&-9-K6t+ncRx}D_d%vSAz>#*Gvbx-$lMlWLLGaz&?+uybam*%WJG?lHo%9n}Q zqnT=N^&^u``UO7xMR=J0RjP;QQ-E-af8)qp1pCLhGYopbN!iOftsjz)H8_CJ+vgJu z-q>ua!NtoQS0$`+IT8qeLYvK|54}|ToO|pO0C=+5Jj0R85lN71x71pbRn7n;12bD? 
za%Pi*f4jwB?=)$B1Z+U))+oI-i9?N(s6v=RHcQCU(rc~cUO^E2qoO$YeCRz`^lvK; z_A2c@*r!m3$PFHe3mSj-&osf3GQM`aMbu+Ys%}zw6!>Ech0cG3qI3P@Do>XSF2aAr z6#SC#A21*^`0dhn0dT^f@?g~t1V2!{Vb8t=|3=s+8WMxC6Q`#h2TFlbn_R{DA$eTj zYoHtfZZ%HAo4o8wD%Cp^ zI;TVM!(jOVYw8mG_{Y{X`F7@}(CduuL+QPB#=S|Wx^>Q|+Lcz5`_=-kmt^kP4rsaL zyo1kxc6M@iiDx9q&YI9hf0)%IqO6H!nQlAncGs^U?;2HWxSph0H!&yQNt2kniJzp1 zU&acJRj8-AUXA6ZkZn}m``Wqa&r%4N(=D9ENeMw2Rn0`@bSgX<_nk886~NuoZeCp- znm7vG9Ex;UpO_9Kg99qmEs}E_A|vFmC9(ht3Lhq{R!q zoD&a@dneKD9yFe?mPr+Z7mtBcNc4TS7DcHu(}UFe5XYR ze&dzinSShr5cfCibp*6MiUJF`4V$*He>ZbjM=rgT+#d)e&tm)sVT>{#1T2Y$<@-zk z;S`~XsKiXN>~mNX06|ay<3a!s5DQ1c@o+Ghr>daW2Q;V5=*UEYl<6=9nIp!?fB*mh zfB*oH0s@_MIRPgz=JF%TZ+~qZwrH$Of}j+;1^<$^WD2?&o4nH`?rx4PE)+Entd{WI z0U;hgq#%t`VuXPK*ov@C;yyM20I&r(lI#qo$D5}%OB)n|O|OM^lm;xU>K6SSX92Vd zZ;D?$ilkjs-eKpCC%tp-PYCor-#qv><54dUaB~3QOxluHlh?uFCV3s1(m0n~3l1Vd zoV(@U?YJwEQQ?h}>g6SLV>arczbfljh6xmm6@m`27(~pf$?Y+nxr4eH8MRWy%VJ+u zRX_pz9Vc6 z3587Cq9~{bT*gFYxxws4S=xBL*{nz{ZLvpRKvGqXMfW3klOEyljZLIE{dD}J<~DMR z2yc!oJ1H|4Fn<*!W{vUS|0H47>5S_ZcM@sX!p6!q!02d33j(SU|7|{BnHGkQ#X%*L zJ7mZ+nfcw1oL^zvB<(t6;E@><>AKvqIGdoHJT?^EPLMHjZTPil*ir-yKqRscZDh@A zN+-FI>?_;;2p;)WTdkV4{;FkssksI%&%_JBntYu;g9J0cVLh+D; zia6^Dr5l57V?p@mn958Es0?fk_2@J=vv`~vgBDD;Avq$-xBcNYUE+E3jdU1o+>+Mo z4s|eU#Eb3N1PO;uKp+)laXDL@0NN zb9XEn*vQMSONzubPBU_5)}bb<<_y;n-3Un)6q*G+>9 zS>M~X$l(t{WXqdZP`W(9{`Y(t%ZU107q>xJkZF_eiK-Xb+7`Rm?6Zh5jh@F%t#sHF znn<92d46z;nrLAJ78_{yanJBBNM(Z!@IY~3CVD94GaeW6? 
zK~vjXa8FFoE45gXI<@v3U`|U6tJrop_!AUH&^hzifu+TE>%bJI8rDGxp6vC>w)X{gP>Fw5Op}}k?My#^@N5;LlfnDrk(B?Xw|l1 z_#4DG(MwI$+Vl7%X``mYW)Y+dFD^(P7KgYcl~T&v1RG<}?(Uuf!ztz5b9=0=ZYF+V z)4J_ttF`vgBD3`0K|G&sCm0z1DpO!OEop>$xl-M%dqIT>TL~lRJ>|?sXM+1w{sbZD zT>;d0kv%jcaBp_^jF2T8iL(z{UBGB#^d+6Yx!Kid=Hm%o7&l zrf*yz(vu4QSF1J&w+A;BgdTWHq}!k)Ak8w}e>i4i7wy$I!JU+MJ49=KK-@OpHTrB^ zusN*R04FQpl#$KR`(A_+mOIXvGyj)4pY7B6h=(C`D3`=SnOdaZQTdM0{eJ)HxI|-H zsmA3UGy^0=!qIbj& zssikXVP@W2!Z3GavIpo`Z(ClG{;8^#?wltV-sMJwGK*lqioHfNHY_^*!?7@(VJLJXLFll zOQcV_r@QX+!wu>79=$51?$y{fda}<4o`$SU2r+kX%O^CY z0(Fk%+FH;OrG<4}e8dJp-#M7e3XUtOP+AaWg`Z#IwWp!7BzP^@F07`cf|1K zZZKmlm}+rp+gKFhs#h$Hrb}q9hBYy31 zol2_Cu*m3Y)hMqVRz%SMVFIJOu@T|BtlykrBSeIlG>I>AT)(?1x%Fw;l}VYCng)eo zS1?}Y?=l|6)pZ4*v}M2P#fJtPNO!#9j4Gif0# z9PDST%MaX zmHPWH9nMOA6X08#-xc)lXON}|aYQ4X8;Q&uziyE&v>1J6DnZ>KM2It-Ik*HqIW)~Q zoUn(E@}zdiz^2~qX&eoS$OtOsw&zGE(j^CSTw}pqUfl~lQ(TT5Rnty%Ok(U?hW=g( zm1+WFeSB6|^~rJFA4}?6m`PqJX2(H_{AT_WvlLipk*wz7b-tBB`E#NPBC6FF0bJ%J9XT5KTbVgjQP_bthHTSlBE5Z=u2R;r5>xJJV1+K-wJJa`~omU!Wjy0JPYhUNvXg*W{PMlw1t`RFNBdR(ju@l1t+tQfW8Tr_@^ znbaf#eHoRZnvTy+5;C3(jPhbYbeWO7sKPhP^LtGpd#>ZP91`GakPZEKGq&f^FmPtx z{$ik&ZFx!)@I!k~WsS8@>k@%75dWZIpbnP;j$j-OFli8B^I@Y%Q&}{2V|)CcB$5&+ zeB6s<11F2^q95cF1h7ZO?+P*|E}VJ*0Yl1 zEsA+LP}KC6jPIh^T1s5ydla!CbL)QrlJeq%Zd7Qs6d3330n=IFfPmkyuSkAjjP?mUkJtehx^HJD=4jwW%kbC`^ImVB%xkJ1q(n zWm``I%Zi85LdA}SmXE`468#3kxO;d^TJ5i^1T9K}R_@=RE#9Cn>?F4yDz_hXb4%^} za_Y|vP^S4S!m8MXnIX>-l)85Cf}2io)fMY)@WpNR2%y+_iUNI3*?DNj>gDs72HA3SYeOYS4#+gDH7N{=%~Bii?rPLG zo#&;L1{vy2ghy!4X#rqiiY3eaS~%G_Xo{z>Yss%HkV%$!T$zhZeL33|C7$cnbHt|C z_&CyOYmeC}rRHCrq1A?NLm!%z$UP5~tAkQD6vyaBFH*9YcfvJb4y&l@o$74%JqWs=jYQs!$mWaLUSPrAWW_(R3HDGp4{bhr2 zJ2!PaHj(`4f_OWhH+~JaU!Cp1tuE;0+`J_RsswLjH z+30=i_kU~e>^?dM(u$1qa~*DEiRw&ia$!wjoGKINeygZY-`}?`iptUSE?tXfN4G(y3P58)-^lWTpq1(0FWui*Sc1zzBENuajgZSZ#mNJs2J zK-aMJgwEpBB+_x>5zM(uNy|M!R}|#2C^pLzZ?AmVFVuH-3OxEml7q=?@(2}NcXoj=v+hWay5Ra zukZcc0{SHMSb*LIzBYECbiq5h1Tlmn;E03RysJbMWAL% zUhvCk2aFJ59&hD%WVhNgSF5y8 
zLU+jNU6_sBTz_9h^#RXTLk;)D1Z7fZ);(J4LKZ1bgJ!Gtr^# zEK(Nw??GyFti>eKuHCiFw6+=GyZ|J=`{8HmO{bipO3?ZB9c`_405bT=vVZjJbA+`b zZCaE!LXAdVGs>Yh>P>3#D5{z`N;m7G7dvM|N+oY3y}b0-KJGrn{cQ#v!>zer{IFWo zL_}lI-e7&@*M90WXm2CqR!|f`fKf~uKLKmhA@AG3mOgfMB0eJzLHH|)zNdi-m(TnY zm!Pjf)29iS?lNwoRk#iu-X9iC?ckRnOueKBmPcv_RhGf9?i~O)uJ>ba7688vM|Z zqsRAqWv^59u9(Sw@u&5Tn)MRZpk>}ZQq8efhDm2m&$@}eFaI*&S zO%Xx^ny9^^fu8$?=k>#AsN>TDzdAsQq4UJfEw*qsr8BIa9TFnd4K0@s-g5R=M?ahN z|DYirYsbJtOaRODpx$TSLL;7`?oJOP1)xe|pto9~nM$P$m)D$2o5SUKZHc76*JHKwa7&nN- zY9?~E-#aAR=_rr(%)+i&Hghi%|KyP(y0F4}ze*C!4 zuMTTM$pX1b!&+jLl)d?Ic=taH?>GKFG4$Rqdb{?yMs8cPid4kU>9-&NwO>s|maG?Onkt zTJiXp{cpWNU?rgWK$83jkT9ZMZ?jd7(A4OTjPn47M~cw0x*w9olVq%-g}Wt1SdlbW`&%cpCI8>fO-@2%Q|AQ zF0P$^PAMoA?nc4uh)##ZF%Qk1I{y&OR7I;rN)V<}HAeA7!XgL75K1g<-8(r}2vcbo zgGXsYUZOVA%)9uPL3nodmD8av6*hG*SAK+Zk1Up|KHzlaw0~sQ$#ioFNl6j*Z8#0m++F<-{3{ow#T z5@nMbG~4^(rksi>wJRNT97Rgb0<-eb(*9xs)5PNYMSV2hodjIdmHZ0f=YDCf;r;UV z@8|-UBIDTTWMlL5({Eh;u2Ivp;eqL z;iYd+ZDhvsFc+t^?*a0YcB{LM4Chm#1U(hT@^DS(2R~g3$PIPhcYoX{uAIl6QvVD; zBdUp&M7c7Nv@tzKb?+2pKEPZ*Paa&$Ffv^GP*nUOsr9Ro))0JA4YD8NWYJ3i3QlR8 z6uE9S>*`4&hS|E6XK8I5JUhRv35;IY!44%|H+@)aXHY2)D*=j*bIhVZcAN-Q{t*j4hr^@sT=q zHbbgIOa#KnrT{rW#=ixyDa{v+0@b$2(C1EDZ6SMpBmFuAF{xNs_fu7g`?01Cmy1E@ zwc>;G9KE(=Pm~Y2yE;2m#MWGP!qWl!cxJ79gkCaDVwUQUCb-&6-MATkZo5f;4)OO2 zOsxx$7YIK?rz=0li}#W^!p(nv1_vHGXTkBzC&59J6hW5Hfcl zZJmPDqC==&_JS5cn9gnIVA=B21&}dI*}L;ti@D)nv4Y?Zw`C{|!^|m&5?qCYy%7?7 z94ixh_u0dsbf6SL0f8td#k&;kQqL?5TJoSsen^gC*%k1SO@bh*BgVeTJ9>1fAN#Z_ zgM!`N{c{JAyq9{QyE7RtI@<+rXPp?mp^ird{3jR%afH<(h(QZ@cFr>hL2wUf;yeS7ED&#K>t&-cMV_IZ0T;tN z;c^U4fqVJ6RfO@Hf6H>c`&bwWZ0_<*J=IKfx42o~e{L+QGiCSu1nXViDYDt6@$-zS zJQwaWt!yc)!$~ln*1TlGlA&@8A&{tP-p z3YoLwPARmck6uXDTWX0{Pr6Z-DJ;FS zGZK(pTJH*rQ9k=~(6#LNYbO$PTbHu$E!!u20`RgRNhX&XCa?*r*@X!3%gkDg*4!3tYtPE#OlJCmW`mhpGG&$8yuK<|2OC9Cxy=}}puPX)3Kzk@VilEq1DZvh*XEk9f;*Fm@s@_d({0q2@uFC>#Dnir8Wi+ZHW$yT#W z@h%`IVPOV#KL;XInfaQv?Lblqq?5RCI4iEg3or8u0ijA_RA9SH6J($P2D+XTSb2ug zr0dNh*}^@MzcU~8FO~(abiL;l);xE{^1yMJX+#ON 
zYquoKUKr6D?iHU!?~8|Z&2aQEvhfIn@}|e!SH`&XW<&yTm#lQ{05Px}LB8e+^r{5< zPK*bH103PWnHhG2+EI6*9=37j9H6?Q6;XrEj`0CHbXh=c&NtW@@0*+vz%1JcAz7{P zzrJuIY^H{sF~Bg<@(zm{Wyz&0U1K-k$qf(Snp45ph{b^(;(J}ysq)7*-`S(%KQK*b zGIC05ezg)fmwbs+C)_j6fJIB4oCju`zko_|aBmV+0Z+Qp%x=@xbv&AfI9Gx8f0YDd z7G+n@D0D%?YZc(7ZInJCqFdo+>WlnqGqgwHo;{KpR7M^a&(J*R7hiygN&*A&NPIIv z%s9q3E9opcc7=5&%-K)GE7A==wZ-$-DgUjs3ry5wAmsH8+R`plh+Z=T-O&Ip z4!7dJvh1Xkww$T36mrjoCFqOZf2k@N)nvBBJ?vq7nm`?6Cg(_)8dhoK_~wX;J6krQ}PbrKa!fKWPNY}`;( zrwmwp@oeHi%r402^a7bt9fKF1EIGX7a6tMkPBI{Srt<*y!?wg#U2vrF#KQ1;_7XTU z?=GyG8zRvCM(ku8+4@O|+p*5T2_5GcJ-910nZtI|oCmc<1aLmuPIlv8#!N8`_mbbU z!W+54pB0G}7Inm`!mK9{?TZ~~yI#g}A#tHlt70Caq{}}Y?qJxXufSE{byEmAN&e-D zU6UsoIDTTUJA!?!t#d}Or^@V)OqGfcy=5o#1OUk=JIrRECUfB(@0L}nda@qpe9bj$ zprMbRB}6jB<1Iv6vYJ6Z1@!0cq7 z5xuS_g(?S}>r5CAo5B^U7AL3_`#Gl<4LqEp+p|zedlMk-s7N=KRlp+rl8>ZT0k>lN zOt7!B0hhv`g#jPKv>))$04Z|pjPt@9q>&bCQ5R2#-mIwZ6U2GVrygkuM^A2nzqi;` zRuwJ!en~Q$?tkFW#f_6CqciwmO*n45%CA^Z51Y6#4)TFJH!Da9HjF2azRGZz#=>^p7C95)9{ zBQN4ehL4k#@yRh9qPk{5Q#%TYVNdt8we9|guyKd!ZClomRE@5HM?TiN{Z#F_jfFOf zw`!-Mq#$H9U1qska9K?Qg$9{7e+J>wPS$wq1PCKWxe$pytQ7@%vd{+-t5sIk-F$6W za~E~fG(KH^&+0*ycZsaN2WWPaE1fA-IBWjJe8%Q0gqq*vKgImr>NMXxLWW{n75^+b zpq5c*DVS?~&J9QoNGkJ1J99Wv)WYli1woz^Ut$<6WwmArOfE6xkSp_d{1Uff;sXZIRstD|xCR;-tiY(vTCSV`QEq7X{ zeN^HxXljJxH4oQDh-sMt;1#+TSTRU?=L-shPocJ&^>7n<1$kcCIKY_ChfhxHz5b-BGJem z$15oc<-*aV@Eew_i7T?`|Hw(;vs8dg{y%kWE7Nnt$T#H_YQM0o4jWmo1atcnRVDAf$yw5K)P{ zU@4EK040fPlqcQ>{OYfS^5}-6snPa1%^W86yu6Vns@SJ0A$=cTCd%Gp(w9pyCBOM} zQm2Yw9iBK(nY_;k<|J}AC6NvzK#UIx2vTsv7}~)DNjbgxH4}Q`Pn~rcjqhA~419q4 zYjytpTD-fsXSkO9zdng{nXD4b7A*0z9o121fP7(Bb?0WwPfqPAMT3|gp;CURrBSfl z985t4(Lo!mt|+g{L|;k>_DQ=bwZ%byRjz}>uE1(y(lgnrPC36q-I{Tsz~#WLNun({ z(qV@1iW^Uk!_O|HVIU{R071AFhYjA$bHa-8%#JS@`T|N7ki)eK%qb5f1}BTDj$%;LZ7sKld{hxtGoM7BQ;-D=?1bz zc)IV03(w$NNT!$*PY92b>1mV0L!R9hnt#~0V78@y=G24@R*Gr>dv;;PYzJdZOcA{Z0gPr&_d}QD| z+LJgUdk)_XOer486T8b&xkn_4Gw+;3pCHHAwBKS3#;DCB7#n<3C6%w6E~tA*!Vt9) zS&=D#=4PTh^f+AxBT|&2xrCTt3&0|xqIBO{)g64>H$SBK?0%xnD^=$~jBbpm+05AD 
zft~>wJq%?!t=tCyRX*b@>|Q)|csn#|#)X3n!rqUYf6BiaeNH5u_V8&Pskmw1QJX%T z<}gH}z(Ya5ls?9R&H<0nF8_n6zh-CsO>PZ2EipH&_sSmqFh(EacNtGcQ7t3Ya)0VJ7|qN(97C z6~`5^s6KLvU$<78s2?uz5RC>jIUY>I-Sgv|R@wHT&Sr%IoX*0q!$(R}!QUyFIg}kW z{reqVZYNny^oxtJpj2vVuXN$Ty5m`il)*wXQ-aK zQ?$V*X-3V0&q_BbR`3I%YJFkv!qa4rWpw4OV5v*|ADLj^o>GTiGuqM@;bp#|iiPKT z7Qa-@l%Q>>aJe2NSX)SJR&~Yn2W7Z2eZNYH;=?DRW`D(8;T7UWB-$ncp%#x_R#ZAJ zcK|K)$c!A_+5x_SQo$2=y5Kx;SBXMzH8JA>D*%8mE;_B4D&e(4Y-Dr;6kCW;)GSv_ zEv~mEi&Nim@@{nPn%`D-S{ml9Fq$_?=?XU@QXc@VZy|3O#4Kd^V-Ki8)v!#Hu7{!= zF*jRt{|0Gnicq_=l25f}lSlq(Nd=4OBF&k)>=S@f_Vj}rip!N@`Mo;_yoz=}r`qBw z)dVjmv`si zaRRsspkCoavrsj`TC1p6TnsEjJJIU~@34)oaDzhPU7&UPUs@27N*`f1#9ZEtBEU1) zJd|mjvtS5--eUlnG>IBn2q`m{bC-=th7~Z~2d(6bNpEut?Rmi<3^>hY*bv5o0Y`v6 z;-RLGfI_xC6RyVlxnK`N%ya$H;a9Bt{p+-gTmSv5bZO7h!&olhQbZ^?3dg5}!-$## z*-O_Hb@d*xHvZAu)k&C;+Pec-%FZ^;N0a@*BIrhWQ+*AxhneTGx32uxQJN=}IO?$5 z6Y!O4sXSV0-1c-GWhU*-RH?|7@=wYnON7E(km>0N?Qqf$gtGTmDZsU)*UIKJYUaAR zrQ@>h`N9GaU}79$r1f9hwU=f}Y(7Btfc&?|I1d;dp;J5q-|};wgk>_&`r7PWhgIL~ z9n{Z3E3Gqs_0Rq60HFxx#-0pyPiBnT>WC7|&6y-(LU2+i8jwlp^y+QXdiD0**0j$x zC+{88r=R*6`)eE+3pS{^o7KU)kUFS6(E+u^e)U?aPSdkW{z3baUjnq;q&Jrscwr$# z+ZikjNX&|Wv|;X1e?hEBTGmTyVW|_6ENUc!2tg(JwVsJ4g^9_&lOStnxqhdXtps<{r5{ zA($8GQI@ndbuhk1kF;g58ON4sS*(8P2B--^#zw{Ofd|Yk#hJj= zlnuSlM=)+&(0W!)^^pwWbOLO8D4I!RAS_x%GtLZj0Fdw!z9Lk3oK>T_x7~-Y=YUOX zp$IRu1qgxcRFM>1k}7DW1><-<*JlFJ?hpE5PSUXY_D^M01C5+qd|)rgk~D}`=`r1^ zllbWe2=kFMj6D9T`lv=W2GrJfM0Ir%3VY)uBZ&+t5<6Nl`LmG$%0?eNqN1Y?d|jxM zh0I{n5L7R^gZmJJLCD;oy!1SL4rr@ecvqTR6zldP+qgumgqx*P^*S{iSwG*KFx7Q1 zLg96{0KA70zW9S2a*YEuzsk~s8*Lm>fSgemnd7;ZElV2b+pU2yj9}e9B>gLWqCuis z;`5lCth!$IXJMCd{yW2%kd`EeF$C~X*Ix6-yaz&eSF|aK4Llp1O58g!sF1LeV^@fB zz>+XCskfGEocbYySAuv3YFr4pF9$9miE}plcZ5i@Qxf^?@lAl7J%;My_u>Kb6n|oJ zNT_OR&A5}jthSUs$GfPep=Wp>D-*yOiv`A7PT)oooz7o12wa3Nss66gCext;1=1Lo zno9g{D9)vTA38uVVyJPk^s#NlYZ3OilVIovH|q-6jg6(Hp0OABSserTgGG8Q6fwKV z0y5`T+Z~!&w4KlsNLb$)w7A4@9ZQVNi^TYOVnm^OX2I0hxFv#dHU!zHW=ocoMo<-? 
zEZU5c=|V4~#zMmC#2PXij(*lT>KHORJHA4lFu;fypMr25&2rydH4w_ml9c=z3smT} zKZb`L06~a>us|qYweWR;rjQ}qV!4t?P38jD!&jD&J%B@B?PDpfvhj62S5gNq+dNfn zuOxaH&7LKn{d5zEt&Rr;R-PqCp2pkI6W_D?87U0eUk=1nFtr8dF(y*MDbV%bH4!&c7}nA)GW1Dh8{xgW(QjXos^Vj--A$ffXuYgGpTeB5}IzhM8~6tk9FqY_*Y|d zKoB6hnIl5t=ASU`^nMq#miCv92lQRoOvZJcZr}(%Azb!o6{-E*`aTo13fLVEB52pj ztGo_*nSQS+0m=)5hRE#-!6lQ$>JgL7m3m+=K{}XU0$@tBzO+gRS&Lg|sPLMN%1NuA zzq&y6K>{i$j|55n)gt|C10PceO`%^g!=20^l%Uq*k*vvv!Pd~fa)YM7O zgYWyq@RSSsMfj19QZbBWMgI+XuCzHr_Y7!Tv>6*zXNadx2a0{w@YvQ;du`pZ9_@h*^&uTW!M@X|Uhw;3&T|M6;Rvzj z`V82RgXA&L!3N3bG#8AeKZZ&?;JCWfBLK3!N^1IhvwXMxA3GM|K=_CJ=?Oe};ri*Z zg%o`ogq>#s(0pJh%Y&}$ekybXSYh_xeU6iT*v@+J>s*-{WU6hSsh5K1r(x!D47vRu>y42jpxTv>WOI(|ZLuX05+!iAzM{OE}Q-wx~4*GJLHs z3F?INM8n#huV%Buloz{dcoMB#P`IJr_ymc;!ItVzf@BB;V_3Q1Ns7mAoU!-{`AotL1C<`Bo1cTBz<5)sG84yQHedeE7*9e-TL2N6U@JCc5UOvWYcXCTL`pJd6m}fz;iUX1KPW1k}K_>s6Nf=LRk%M0j#y@em zg6c54-R7@D^OnW;eV4p{a)jr0psgGTwOLN>Rv`_zMYA5O8aQ!oadPIB_AMG}PFhVV z3ZniDMDUG=$_#%X<6y4U|ycN^Uj+$b!vGRv9QDmr(9N7L4?S?;uk(8!rTUTFDg6qFk{0;P_Y zGJfbA9ypeh7PkH4mOi-&(CL_?#%LRh)B-;F{Uu}Szz-QzfhtE|D%v@FMo)i(t5nR=BLP|v!Oc)R9f#uAZMLfl<3 zvjbW#Z^$W2%8)}B08(_eu(MnJ*)N(O8`x_9w4VGM^xt}TW*8pXS}!9%c$DXwQ0Jj; zNJgf1*0J06)=t`+l?NZ*^HbStI0Gr*9-`qc74o9s+#m8-*bfF?A8StZZ-YHwjh9uCklRH5^#evY?Og75 zgCL7E)3{6eGG6s&UF>^8Sk<8ROs2;n$c+QK2|^WlCYs{U!C@>l_Jaob5* z24(|~6a7rsfWwuBNz@rjd;vY>Cr8J~!;nHgM4HX1U3DT?m^(@n5Zt@W5URqG+YLxM zE5agInHfIAP_UA+^V!9x%z|jRX}rU!_2OLHt>lq;m}nk}J@16ZjQMT&Ij_pt5}ULx z#)r`TBmjLSXgko+u_;rgnqTFUFx0=^7RMe5na>Er}ZG{zK} ze7dAs9D9ZD4^>RSb-cmRV=ZzX7TRTayBO&dz6R-!?E&hlCy-$TpL=o+f!`%(oge8< z+11B^ELAC!;%RoUeY#e0X%nUvEY|uL9zat-twF$xj(Kk@B-xai zyn(M4n`!3+8YQHIei)0qsy^yYoJwj94TniPYFXE)^&j8_$=q(Di2%%Kc1E8`gZu+- zZBI3jjO+Xi-KFJCU4^Yzkvh}a*`T4UXsBV?YGg~ouu{ilU*k1mVmQdw_F?kxI3s_F z7}Szf&jW$1G57rLT7{PtKOF4X3A+TNK&H#Y_VjU1VLB{+5^C}XgE-1Y*f9ATYtqL{ zy%dv?boby(G?57DYHkrLU7>jbh?J(FWA5A=A38B%EDehDxC^o4`UX&$7qijVWXJz)!*D zrIX%G=|j(g*T~`ULPEbtt64n86oKv7-IVMSEDHEdJEh`}_nI9)7T|tkH)m 
z>mu($O{Ug#f8ydv@C!AlRR@vud0`0mfhKt1Y)M~8Sv-2nLn%p)Yo7E6atP1}=B{Ft zBxaP=ZHrt-d?dP^f>PUqkHUP6o72N|4MbKRUxy=Pz77IWc9N7CC5DbgN|EM9M^?qN z(+@gh8RW|-&9F_4iU5bwj}KZ6m$}v#pV~(5p+q3LFgy(_b+e5?^uB7(Wk08W1xK!d zfo*8uK5V z0?ZeC5k1+BwfKDm(@G9W0kx^0%+6gXioi3O<|~hJEl=eRX)0hiP#?3KaR6L8oC!pK z*nzG76Bja_J{&nlM<9lu+>~j695Zxq642_HwtUK!8S&37n~Rs5diV9tSl@$!^FEHz zkXf(SfSRF3PuqZA@*=T15RZ*cFhcNA&S~f3ShCp;t=fd#LH9kVik!L0&jQt??@V|` znUEt(>mz4!VJI^~T4u)>nKe!39Hxd}3EAQ~3~&`=PI62mCsOx-L8s(j-w6a%SJsiO zzSnR}KUSC-ni5%Yt&1XziD(>4Hi)xnc%$Bf$4?_VmUjO$W)Nf4qnpDf0@@5}KX?54UO3*0+?ljPw;%)dhaeyUVvS0W^CTTgjXZS3?3c-nikSy<4a- zB*w0?!Kk={{alg)w^rN85GEUu(tYJW2XieGG3usJWZ?ftc?RF43p~JWA@bJU_)EJT zjjeMlO`dP*KWa{T=3W<|RH{i%sk)-z)I!{p8&KNp-poT9(n@_w@<70m^Gq7)GCAx4 z2l9f0B%%N?O=deABAo>&q0VAV0P6F;!;YEPgBa6X6HuC==n`?=XbxPP3&3V78=JT=J%!-Ul^(!i z;c#H+8icc~Z92Hoxda(@?}dh%a1qKraz>Tj@$B(YM+=q++6l&6H&-{dMEn$?Qit~y zog7_L|BGGQs9#a2y&j##QU}J{S$c#=S<(g^M+jJ`k3f7N@HQ;|Z;ku@2JT`CiUl&h zeL!e0@t{IO-#a0M76^g@Ic=->V~#D&DUB+anKD)v_i24mEcaPUR&_xtRLo&fAkZWb zsMnL`sEM)DE1$|B~K>o|G$fx447C%>@_RB=;J@_p$ZT3b0125N=}!&C389 zpO@{79Nf0)>>#ku@7sR@jGV2DOsB0$6v#-%yq~<`3BadsgruQor}A=};(@yp^LnLY zZ)$>>PV*wC?q(A*Z?hS3eqVklGyT*M4u^-s5-qjU0pC@w#y}DH1u&ps5PQ&kP7b#f zd_tO{KAG$FLk{XR74D*g|5=QzBD-~Kiu1h(qR^H?{JW!?1<|%Xzx@wPrw|b90Hz{P zX2fx*b|g8~a*lZ_w@qJ2YyUW9F3mza)&=sIR)gBYx{s_-G=vfeBRSS+eh1lzLpcG* z_*@PJK}?veGY10g9mK(y!K&gnixCuu=c1XgBmGjNo!$+gK?m{BCKpPTvX3zAXo_$B zLaRD!Nc{kAqN0qU-8=Z2XS|}CDL}DMvO7MU(>FWYJn1~R0kA!Up`+7~epru+p;{lF zaW_`9a7n4FM;XRyFLf6r6x&F^_<|fhJ^Fb8^^_cSW)5wb;YfGN>u~ge7>5H^7PEgDLg`!4cPMNXj7s($=)SrX6CP(^ z*wS}C>bCyyFwL0v#!avx5A)jEFCXfqfjf$w6)l))`_;;oS}F_N)C>2aA@8bpoDB{W0UtxFU(1Qu zLWE5GhR%v<%--{m{PT=7V~wgaHwg-8y3W1OEGd$BEUr1M%DAk*i6UDi~|qzC*GOFFSn6EK2vj|LbKNb z)sP1tb4a;p%D8*73xV=oyGd*pWpHUm$rlB-%2<+aP_8^XFNPEcp{PQcU`v7R~-?23a|y=4!xz!^`VrFW^fM} zwTMf-N>BOqFm=7u>)eZTt<}t#=%sq^B$lfVp7jgJ~j$BZ@Vnsl* zYJgbIKtOeoOCTgFRB6xArAA*Qf*#F1KRBt55FNF0ZXkUyK*h6fe!1Q-<}5VEs!p2e zpbRMkZ#KaB^kjbtrre3(Fbux=8^U0yyvr`=MaLYh#&$EVy>NFT_igOZs^KmgIWEHP 
zwjmGmS*}B|4;_8me>o#1U|!rtk!3q4Wi}hVkxyfEfD!lO7Uc;3 z4Q`LCs)Huo`t4{Va8jN!%c~j3_o(cPJg6 z>!tpaN)pvkPMjPN#&l1*DPfZ6J823BGx!{qriAop58TgqgCwojW#J|uGqHCFwE>gShCzQG@}Odu9fXv29$r@lHKL+fYC|_ zoU+`eHG+8(wH1%w#oypaT9)ja z4;@Gn*_c^58?pG0WhI{OFb=H#wyc19Bz8n00SaB)TLlwdTwjC1i0+x~C!at}DnZt- zSg?JhbYXN(>#}$wis{YhZB1RvC~lXST@Lzw04Lr&E^48I-ujthFG^&8tnFQD z*yQ!5jQ3igFo^2t4tof~iQZbynSHfDDVE_)9o&>XyT_N|0DR)+WoPzQkAV07j;tj)Fp7T5ix4;R7{M_ zgCR#WV_;%O@kL{@Lhjt1dV5FZHbI^1m|i{{8MDcn`6WGUqekBM%gLMEIk3jou;6ZG zh@^#HjL4j1Qu0Z+jps@DZtv-hfhu~`o%rb?UoTSe7oQxg=ZJ9xK4+)iYvfOTiy=(fXp|4th5jClD)CUY5s9HL>|CTcOBRcl*?Dd z$j3;Va9nva&0B6HO3kzYk4fF1ecsyOEkS^C(FSy*fHoZw*~z;!O2|#%f+_QA*+=*6 z!I6yHK9HGu>Lb&zEu|l2KXO=IVAN#2bxWGz$W$2gA@-3PWNce!!gmp zZ-B4BbHXg&m{Dm&I}K%4%;07cg85ZQez4_V6`?t2K+DewLE~G!jz>I<3$#9Se$ZX3 z`F%}xOhuUR_V(?|wVw>*0AQOn;DcG=POvj5-vE57QaYzQ2^6p(J73ZRIzl`^VQO%g zIyc2RK!OWa-K9xpj0Fytu<}}#SKB*_f%Rj9`@RRLfglHM;raMzg>V7GKJ7+$){Twt zu14I+r}=oYJEzti*;A8c!J-&yLSwizvljM2rR(3#|3hKd@JJi7b$R5^6R1f8+hEbF zQ@&h^L*dt?84Nv&lpqSlV3U+#_-4?6Vpra@-tGv7v7OkN>hPMrAicQ2B6_nq;&>UX z$*D1v836EYua*O8z|uw4rrr&QSVu-gY+5ByGS3dx7Ov-2^tsQiF=Y~BbE&N!2>m%G znM7!*H6d-blZ59a_h=}wNoVdmRX*)T3J12W!1FL}1g#y2!P()UZ=&I>qz|%+A3#Q& zDSf-1sv#3pYO|x8U(edsy)n~LicUYFPo%+KaK`FT8xU{gSf$v07-aSw176-x^rHx! z(JAQ9=ZH7ad+iB(qmBH{xQoD5DYJVZYLZtTG@$wnV8Q&j4b5wwt62Fyk2#-&{t*7f zAWMEzH-a>&9u*r-L30A9aTdqR4@YrsqAMsjLA(}e$q`RTx>#f^3gvWD@SwD9ve`9? 
z%cgzCH;ShI;|qVQ<52IAIMRN3IR>wca-Q19!Rm&!QZg4jj-p6MdI%-p z=$#&c*dhBQ13Zu~E{j-L4RwIcJ1eT4O1(ONc&JpTtWd9!kZltMJ%UWPfB@ptg>VC^ zsk@{qq$I5W^G>`&CI*RPs9=R_zLcFxL8HY>i0R;*9Ff>gOMp<#H%^t$iSR#pNSfttp-i7?;kQ#k-+mc|WicZF?m3<4pQL3TH!KYFU}sw&4;uqkC^W=L?h$}V;UWDJ8{-6~ zlJWXoi3v)`>QQq7qk1w1IPRPP{*%HDCkN*U9kv!8!KB*`yopJnljIZ7)geQ^Tk5qF zf$d)y?Voqh)o<5mJEyA=M1K_%E-RE#AOZ5J2d-0SumMQA+OC*T)W8U5f*r4L8fIZT zp_&$h#bb526ZwYod~TwC$!l-o?4!!@s`9%Tt}`4E{eeb3A5XOG9F03jgJCqj)EO@n zL*)%M26y2aMHNRu@`5Lj*g7r%_=FkAQK%yL8x}G?lr@Zj2ls|?G__7Coo}f2VS4B( zai>lD3o<^!ofe&Z<>kF>U))_OVo~NaJ`a$UyNh13bj%LG(Ua3*W{<*8!oJX1_9jvs z(|jF!84eUtWgqXCabkFTzqY?9D{LT`lhojOWDTZc5ap@7u%BR26qT21b%ZYrAWPdo z7eEUG*{?DE>HKROQ;qj4P>ai1MAh|mf?CWtg~d{fm8?0kA%oZq0|5q>dpAP+4C58^ zFZD8jFc{D9ComYO#W-}^3URv``mqIyI?38+dt4iks2+C`c;&MifoHXQy!B;WIFLrk zVEJL+LE`RIDle;LJ$9!KhLseJ88%urkh6Ao(L;1Ha`v*%N5v6I64(NV9j1Zw@ zO9{sZ2G4G<@2+Y!JqYyh68I8$0H&tY{@_*Po8C}fqywc)9syg2Cu=(GQEDbFWr&=5 zA6yzU0uu`&j8^~&teWPp!5V?b6Qaml0tcb9xbuE#S@W|*1J(_|hr0)aZ*{3kk0gnD z8SJv!+wu9_l8F2krzt9NIR<%f50hX)N@NX)dSNu(drt1vsR?tt~^|@DEt)ATv zVfWbV(G{~e%>CZn(lMi8b%qC;koy7AJXCiW9jhCS4FdQ7U7)({$eaYJ_%dgi?BDo_aN7 zHAlXzO9H?i{oF!%t8V7*>a@ZdDfyGA%|1@bRl?RIZ-1ojnZAtJ6yN3N(DQIgwDHS( z%erAR4EU101%n#Z%Np>nEDD2Yr3wLRazbT-l`d5=X^vuq4AfQ@>?0m*A0X~B-EC($ zCGS74^i_3_I`_H2QfYMpLy;+1eXQWlKUhLRr}Orspa&H{VSRd%+pyi@Va?ul>NTQ} z9sV)%$!dB+z;;YD-x9jF3570P&8iP*tT6pi^=u)^SV9hH^QC7^ zYshk!GrIdXimQJv@&muXz9yyax^vdH`3EU%HVgRbW1#J2D zN)U&MLoIYMsPX7ilX1AN(J!^xYQ!f85h?N|B>7cNs`Ya5ZL>_a9l7->XU7{%lZ zf}Uh(`*v4|Kjd!yVAt8=y|zM=XZQOpkwKmSbj%Th`|jA?yItp zuLuxMkR3xHFgIV`hg>@!aMS<=fp5xO5X|Fq!5-w=5QG!T?&I71aXkw%L04LtTH4ae zE@7W!ErqZ+fiD#|q%JF$)5EhQ6awpoeWw-cp%bUXHe&S+G)^_%fyJQKI)biJjgxF` zX+6;50m=!&V|dN+U>eH1G+|952S{-9EDDp){3^H&2`kzhoi-oriaunNt6Z>Hq|q-jf!wR`O%$U zll=>yDRj{fdNe(?DCAmCii5-c)rK}tLzlvne5 z-B^d1hj-`HK@vH(j^hKBF&<6BIqq5pbsCkYJz|Soc5ggE-dz<8nDut%O7G$ zI6iF?Hd>O|v1oUrX^;`0D+>g+Q3iIhCcal46$nAW`8=mlF503Gp~}#HhMI&Le=u~{ ze8e7XUO@>eW^a@D`$g&*UCWu7LbEqWy_2Oxv<;r#LXAhH%3%uo3}{sQ!+t(9M2A6n 
z0U$8%Fb@l{*l`LQVF`UhtfhNg;1_2ujfvp~0tCBiY`N4M()YMMBD8eK4@M zRdA9E;Yhz|?%SU?Re2U$QP(nAcV{3zIiG4HI=U>{(h9HSzbKpHpKb>?6%C2_!rO z1kQX^F(uy!Dbn(-H-53UwN|kLSC=ArQc*CKA+jk#AV&?hQUNVZUtOsk+vP`6paHC= zCZ5_f#V3#BUz{(238pG9@`neMuu8s_$2c=(XRv z7wjT5;}+=mJ2XAw1&tDZ>o>^oE+uN`~y6vgx;bp}BiCKTLT|K)su z0nNIp!nXvI*AK0+e$l}kIw^5;De@gKB4}XYEcBLDT;D)avxq4`&fSQTmTtgUOg4ef zVS7dB62R0be6{d8Wedaz4BxgehZH}6D8De#Yc@vtbQYBYoPg{Ztrocm&R!|D2-(H; zSOc!qln$V8i&|GGF;)3Q{mPI!;vncrT_iTcDd@W@qJHe*a{v}4PMlSobtz2}c-gaG z03-($WPu^oH@p+)_g%9k8oEE?e4evQK=oO-00o08D6+RIsKFqxY628f8GK&gx0~_M zwr1)r+&;cEAR#ydcGO&hJ}V3g+|;`ZIJh!DwoCMIUIj!@+FXYlE71$F(b&02yBWgm zg_ww~5%|R)cmn`ZXQp}d4U(LZeS|lenw%nAK*j;i11T*q z?wRSFjTA8DMRdwmiTg3Sn=#*;nv==(EHzmj402Iz5PP7CJL6-c^QjV88wh6a!KP|Z zg@wex3tHBzWu>#$1(@RRnQQ{$fNB1!EWK(=z0LZD-Soa{v!}oERwCJbml~#9Acx{d zWs_2Tj{fb~5qS(v3k5G(;`2?Wn74^9KRIZepu)Uks06q7d(|E($>&xdAs$%4xS+s> z)q*rJ^SLcpOq{gmP?ei1fD9NifnQO}XPHKjErUx|;Jg)@56IToKLVE9^SN+~x`^>^ zEL3AHau$meG)%-f?7JT5wg}lawHMn?R9!(E86~?#fpvJt7C@Ej+#x0!8)8bU%K-IN zt-A%UQ5dNQIiW7m;po!F%~-{rxNrMx!4a6b!H_Yt5Jx$$?xMSIbj%0e&1#xZyb|im z+Qm;JoW*nx1-)>ah3w_#=cGvO2ZvC?`?ZO(4;C8igqWDAy1^k#I@+O<040Kg&fStjw6tt{p6;Eqj+yZoVo z@N7Y1X?QLa)X=fNy8-c9axMv2oHn?4yC;F+T!K#(AbwmCMJudp?W$mRDpz*pS)*N5 zs##b?wCM7Rq*(HKR!bKr$Ir53y5>1&t{Md?>XyroyR=_>KCN)wu9i z*lxv-C(CIGsF=PTz}}g<_0AjN6Di+i>wNr%wR$gOHGn*Q_F$7#3` zOg74hArI~Czw^5D)4-b!N>iVi+Y z&DL^`6TwGX6k!Ug=hd&bjKvdonD9Xb!m#&p1GaI}oq{%M)o_P~gIy^)iN|G&q?`~o zf({ve%$3fGUTqP>371nz+9&6;EioxYbXlCt@Vb{5@)Zx0rQRe}JnJJ?Ubl#8Dgnmb zDuS!`+VrA{TD5CE(*%qG7<}Tt*BqNu^-G+pmL_3Ox)c6YLfBNaLiLx7MoLdjc^>UB z^%SB?RbK7y||8 z_{KLZSUqN6dxYO`(5keTfyHLA0;+3EpA3AMShpkAw*EG_}Vz#8;8zs1zf0PoZ(9gqjNXFsVac=YMr9Mmo88);T_7U@fe)A+~@4LQ(=!B^^(oUH zV5}bS4bD6X1N4X1uwOePy60)i`Qm|SLN%o^yJS_cjoH3Ll^ce1^p5fie|UL71Ddr{ z+hiP3f93u_Oy$lNCBfPFXoh|Z)rabL+96Q-VF4{lEw5Op+x6~xo>TqVA(VL6f9U&N zbgi&mmA6-kT}EH)U349JZPzoL2aY=LTw2T}q?oH_zy)T@wUqo=*g z=SxljM&jp_zqQ*E)HRTQue#-&4#St%x+wB)9u{{FjwyhZl`9@~%%5K`1!%CDypyD& z7`K<+;0#oxI&?CeX7F!5jE{Bjj`S9co^rZ?=8zeT81kw8m=bQ8C=8lsY 
zO;OR)oic1s<3-vsqwhlWZ;!#37E=NknNMw0pw|468i7A@B8+LgT!9h}B~!F!4b{vk zdzYc~pv`S7Nki4}wwAZ$j2i>6G0LBVeKaiaOy}skEgGu%X%<>4ca#7%U8g2TE$zScREj7wFk)Y zXQ*$wH9u4)93H1QKZXdvm9%$vp|uC5-fGLrfC85#AQmXoNa1$2%uy3U&ha)uoYGpC zeW`g|DJ+rgFZg1qV?VyNw*T-bIpQ@oJ_}7oGgGrO{3giNna4nVqBF@>sxhXK+6!&} zvcaJDDIKkeB~#NtTc^fvq$ZDnnz9gehRjid9>bo>f{g;JjymS{kDsbhb&u-!XoK-X zGeVNpTRmsZ4OK`D*0*dJPDM`4sv~gNiaS?g@>!3l?%F{Xa|$(epBW} z-ssc0QT?Yu5$<)AoD!5f%o84CC*GMI&@M;57)%J*4FdifwRzJ92>LjRW}5xr;j5jA}hnz3iy%GIlgXY^bUJsQ8!~1To0(v9J-mjY`Wx-LbwLn!#irWjohW+MFYfrl!`k2#_-qM#M=!%B8_MD zdm2d7MY}16zw%Hs3k|jwkfctWM{znlwuIbo^FF8XT_hjRh=jxdmS6O;*rvikUqFgG zv1Y3+h1PNYV1~^DvOckiLctm}T81yWmPbKk>c%~yehb!CJYoG3xA$)Sa{!jyjBf@x zai;$LEomfyF57y*>!lV@f{cR{FJ9~uTLX^s%YvlTDjU~W$%WT0(Ms1D=?otGFWO@d zwEf}%6-z*@Jb9RlS}JHY%PalMvE~du8b9{fFSJ{gZG2wf>^1@UgE^6k|pH!N0k|JB?eOtzH)!RYj(FKmpVQFr6UD3K&H;M|`~*(SPw zzh%kVJ?=;7DMuW)_&PhBcObLz;OB?Gjl_Hka~kd<+QaG3Jxm47-kl5D$wYC|LR5po zHh_M6Q)LrSs+kig?)svMb7@YHhjiPyd}o>L5CJPXcCsLWzvWwRQTcA==T^=Fwmm*C z@>|Bis-2AM>%$;kt?kV!*|HjQGdb~_LHKZE*dde)wqyW^`j4sa6g3&@EUIjW7Y^=@ zGWCWQmDOI?&X;ECA&m~n6|(mWO3NX{?+{Q3M~nctH9{pfZv<%gd7LSQ9%2(MnjV;W zCa0I5X-g$#o8V8l)0j0~?4E4rQDLD5%!)Nho+~JID|+Zp6Rl+$Pd9qEV!{i`YMqZ;GYKM<1ARk~Jc7*Y<=AGmm zfaYfpKMk4#aT|=jC5PUeQpA(adJxc%36EM1+SwSpE88gKIbx-}Q{Abjzwkpm@w8^9 z$~K5wS~AYXv-GT|h?rw~P)6Q=YCO0;orAcL|U8U!AjD2;1>g>$(HrEhgRfbQnhM zKs9NbiVvDGd)%JRmj(zTN8+zX$PyDnA2;sO7E-84IFnYN_}AIU7oR8j9`_e9YCC#i zPs$h0q8!_)$!0@(aiutLD&L#5!M?_H@B$r!vYdWWS15tvE=HBN@cH~k(^J#4eiVZEAfH3iRS=V=OG+fC|G<44jv`yxu_*2WB(t!BztVZqCcCQ>`ONIJ$J&AP;sL7Dib? 
zV6E+oDHTM6q(u@x!y^pX*v|3jkq~Gn#rN_hw7ZrJ&v?L5QHl)>?olv5=FSsJ*4~3X zpNX`Lg}n^&>EYnAgrazO3_6KGLk%wrG?N1eC}#6rWy1%BI0!p@8cXri5L`jPC5=dd ze_BM<$~UD>rY`A2kX1;)EbPZ-(|gb!r`8CRQlqF!GRfpeDE^?^4FN>KQ#KQ;k|v0p zNvMAA%9N3izVP5%8vsliq3nV((F?`LInGC-vVLYnx~_#Z7da&sH;E`E72jwo6yu2X z6kPSN5Op3_!r(@{-acVRXBc;&4(5l5op4>D#9GvA$8QH=RalB8orUi~&ByK_;#K)r zc&LL(n3FZdCFB2G+`1nGjv%1FjbQru%@>fF%FSys9ODq{lV?uCEAW$(`W9G+>RGVE zHz#~t*S@rT9zo%^Io7IP4YpCl7Mpu_NUXU;a0n%HjtLJT>6S?oP^|zGbTxt==}Mq% zR^47meHKO;juM-)f0^BAKrz+DP9hm<85WW4Clc1Vhv zlhY|dRH783832ZZebRQ)Qb)a{ZZ$=eBx`XP(>-H7@tH4K2_Z@VFonXC#~*)CorJ++ zPpJXrfFai7lL0SvgS*K<9q0ju93yRqUDd&-+J`liPsWwW>cP8K`I|^Xn>U)H1Fn)) zbM~}#@9j}-yLT|!34=d|r3-eez+ahYdp{f3rR(1sMuSFEM80*t&f8v`Zxm$l{!ypk zr@(6|5Ah8^q7g|!yt=TOoVcOLlr!s{$*&YoxWp!gZ0BiPsO>HVr8b9;=;Q# zw3zz}XxuuSL|;9hGV?%EdO`&n*D97C^{ni)l2hcMv(YoN)r}}lzZo_?Ex;BL3^S=v z2{i}Ch2ccP+h|Z&co7?Eb7oI8fUzq(@o|t}jbI>8vzRevc{Z_m4$6B;gH&|1kj04F z==C|*xeb}wfNqUjC9*C6x&Y`FDHEQ%Nfk0HaA1ybJQ2A>L^<`Bm~8(u9t8ClP% zk)6!vM{`QNO^ke$%q*kA^@fpZ9`ypDiKtYp6s=<=2uQVoj(uP;&T@52``W>G82~$E2bZx{a?AUBW|(1(cL@?=cJ85x{QZxgAQvE>NDZ zZB$+s?gcEIW*;&f#&R`-1UL?wrbzNH8txk-vUdhvygX5_NN`EILXzWCznF%n$|Rq{ z2hm47Ks1;5PsfuCKN3}PiahAc&p3=mT)!P|cfSB?4a9Y5lvq3AYrodan4y}c+2Vyi zW3I7jbaU2ZiP(~|ertsP^~`rM5*NlI!oSJD9Qz0n6f$W{v^r`6=fYXP_P!hXm9WZ7 z4jEgm{ZJBxjb!M+Dl9l_rk?n$opYNmw8IL~8o+lpt4XRQYco@GX*7Ce988bVP4E$o za7TK1(y@U7@^388K8x~yzsF|OjWy1NOMMJrCQiZBKvr`U0P|7XPu8GR)FcAL#=w5g zjyB;Fqzu@i=pkm9vwjEk5HZv#6X63y!(t&;81tRBjO8#F{eF0>BM#F$rZaQnVM0ES)Cz`nzRifwd7(g@5o(; z<7Ploa3^m&l_&9@F(u(dvI@O~*Ya81AcR-kJ0PsIs3}B3oQ%pY)2}s+GpC3&l1EG> z7y7DUOWo-JEFsBcAO_V)*IoHnF(mpL*(*rM?ap$H7;AC$IVYB)f)J(%7D9LW?$i%8 z%d__lUS>}ZDjDgZ*C2}vUA!>B^Q@+J!y)w14t7*tn|sFFRYqL`*r>)Yvk3me^jRQ<>^v{ zUBm;#&)hNQ!H01irCs?aLXF14m4#1whaA}dAmBrsnL!*@rV^a(-~_)0w3G`(b6&B) zOq~r;x-E}oyZy+KbVxD)#9+&asLD;qE ztV<7*@ch7E{ux+Ihr}&dq8)hYF5htWKZ)km7JL=alc2+$gpMb2W27m5a)3*3%!AWJ z04IgdZ<3!gSe#dL3P!b>g#E$vrX#04zSd{J!J^H}+H5eIhKf5NJSbyNS}mxf_!x+Y 
zdi(%Nfq7?VXBaZ8!)scws=3cQbh5OmMe2E;o|By~kGSlP_~~+y!wZr&>>4GGs|rD% zJTp}qu}%{f7gqukteYrfk2jmsY_%ue^a0qceXKHpkQ%5?}ijk2bZfZOg4k?or9Yvb+ z-nqFQ?fBp+Q1Pk9Yc7~?OsnlrP}yW=Cy3O!DfD4w*J1sAW%tzKYHqU)sY+X#f>)fj zqcN;y>I?NUO64YvD(sAl#M4s&HCS0mW1-*8^UUO0@~aSr^PVcC%8$mUxvtX9u=o zwDP66KH0Tj;RQ#J`~YaoK)6Y_UZWO{|Aleqh$A~xyY|;PGNn}U6WE*(8S3TXo?vIY zKd%R6Ipt{g$r0h&kumB7LR+;RP1}G_p^P%#MCK*ndFEEFge=InY?fk$yH$*Vz;$Fb zl(V()n6@z}Dq-BS9?g9LnDKnO?eN569^8-AVV7~MQH>25$Bhq|ooa>Zv16Qu54zE@ zr@`kYMcJB&DQbn&tdkD$Q%rSu;9w4+#^$We_%szL#+8c(E(Uj@_7f-OsoebtxfPe^ zEvMbBmw5($J&jIXiM6my?0qV(x^>;&#|EfiIzHWM6y0?6q1iz2VEv#qf|e|IR+4Mxc$6*^3Cx7M6iji`);5S^ywX%kz{AAmB}poKwyB) z3Ico7wAh_fB^#jD|3r2sexVJPc>~TOqkJy5q@V=ljf<#}C0RM#_IAGvVugG=*c9Br z4`0u20vW4>73rFXqhZ|kCG|K*VfGFo2Q0aA&jY;+tx8L$IB5H< zd2y*Q&#tvJ6W&+?ci$I`F%96^UxJ21B)`c`ZscOigJ&f!`f>Axw9M+G>u@h3 z))0zN5crzR_Czp#g}aENn)d_jBpoW|->KFAQmd=+fDKn0)&sZ6?JpF022aMFAM>p9xU z4gr%-_6NIRcD0|UIT`q`I(^*oihA*Op)>{aj@XRIr7~QzAN=HKz4mf`Nr0NB_Wb3K z3%+l7%h0*nx_Z7pr0R9N)&375E10)JG>D2n;|q`#84f-GVvR3lg3~S-IKh(kq1K@A}YU6md2_wW2Ywxm6Ao zuB`Au@*K`&jDk%aWm>p{j_u@oFuJ*Le7w!(CeoN2CTTZKD7b?}BfZ>_PFs!yiaeHl zNL!xSRf7oyW6Nd{tTyT^6x;INX2z$+UOn~-5+Zs=Xb9RInYG13y92A?VYv8!!@{v% zPIrFkF!Xv*O3@m3w$af1>S#7+{YVB?pN<0yGm1ijZs4tB*fQ4b zIbQoYmX78kljV1@Q;~tqT$U9inU>)g=c%(spMd%A09%c&Oflt;&f4=c_6`P zomqu9m&GG#6q6|F%4gQh;{{?imefwIVX*%L>}w}?_>JL=B`h=ke@?wQfCEA`0(ChA zcjWP*yf?5xotk6^cnSVzwN&(z8zYX*J}QSn zlv;8_zTZ0oL9~?%QvUeER5@~W zKjjC%aqN;O>el>{!tBS-5lU-(`uqI776qTxC@=NDl9KGB92$i^CEe$f*;at#u{sr& z4k+9N)dc4B`@Bx|K=I(MLO@Xjnpy+5v|LzWicfq7LojKsS73O#Rc;#KK-wF5L-DMU z1=xn1Q%Q;@-o)&u7rBUL*8O@kS+*a$IDc`66_C0YzOx3m(U8x;4z(ayqgbMH>cXi- z#+ws_HIW|KNhDN#VK&e|D&n&RAk%TUtl|B@)Hwd|(#3X(oKxIk8z#!Kc`tb6{Y>P^ zWNdAYxapD}0Pi^oqp)_gg&U^(Etx7c9C@>v%ts|6#Wp~d(?XI|f#kqo zD6}8gaT%bmon?SgRs&iI)tziuYYbK!KQp1Rw&OlneC#~agJG_GJq?TXQ4$-qamnyQ z$;iSEuIVbo_RdkOa7?0CJ4%gthvUH}tJbSde6@>C3{jXwt(Br{08R1miEEZ|s&`YG z1hdQd4Z21zL6D#m211!SL}^o@bW_TkL#NGS|J*cDF}Wl{Fg?q1 z^cK%uO&EZmK#+rG`a|Qxs6m-5R+yWUU?Z9{^~-X{ujMkXsQ%XTdTu@{(GtWC0?n*v 
z>S99+>Es7FZj*0#*AQjwH%ovH;XU&a? z&&mSM)~Jk`7Kioj&z(D_87?oySF*`{Ni`?=`YGm|w9O@>vx$wKQf3e&AQF&2mrQ*v zEa@Cr&rG~imTEda9YDm1Mky*dAmOVwE0?Y+EAcY^?RLivZ=m=)SIkn8!X=M72yH(& zy08wpDD``dY=|tOJ=Ll*^{aCMr$Q-g$JdW1;yD#f3=Y>oq+=2nq=rJAa#vFNo-QM$ zIg-d*7MMDi3?5@42M9`@7#GLOBa06OhTj~jHH=twX ztxBJ^aeQ&TItr;q>I{*)EKRvM{d=YT0qs36z^P*lG|?%z0Pm!hy&&`iS4M?(^Q5Vn z{=q@6@vu(n#xTKyzcU~*&+n>9#qSy*Lx=87p#VrAJ`d=>WW@R&qsoF08WqbI)|U1* zSnqoR2rpFm7KY|nOJCwJkaQpaD^L7@R$>ZMCXBx{_n=s#VYgy?4HO~W6h6In9wp$@ zaQe<*EF-9wGUQ+!T4(ce*RE#wIbE6B?Gjr7jcg#>)9luBWGxrb3K(JTD>Z*ipX(>Q@9y`Y(Bkb|0)8)L<0qon;(5>w zsAqbuG^gE!+U2QCaE7QwM*W3s`Cm1d$!a-OwRG}*1Y}kWQ#B^9oe}rJ*Gs>oZ2u`B zhJG}S(x*-vd>6{)0-Bkz^RiDuk--=8oHm4lypdZ#b6gf^hJndMrhTfTh{i{!Izy;Q zvrmkT+-35r+J?bPsAXI6nDtSVvYLqhfA#)2nA)44b_b0g0>M|FJ5C@2W2m}krCA3z zoOiSJg!w5&4ail)rd0Ywe$urAPR_E585pZ{-&gqb%|ydoK-xfy9$>;$vpP*_ZOC{y%2Xeb3g2)I(Exh9et4mcl~@i`x6OkACEEiv+mU|Z zdNTP8XPlmZ{4q=Acp>z!6pY*VaU#Q`VO=mWe z`K^Y+#u}Dc7wjF2!6K1tST{tU|0}&&^4K zHoaThSdDG!`-RQv4H!kn zEMXkN4JSv(C(1WrE$OwKH_#=7P)hgPSkr1v{|r>=SUR0XM>1By$c>y(TNW|(lI4pF z$@gN;?cymm6hM2lr!$aB;CzP&)5aU;HmJH9`QN+mgGm$@yi7e=fzOE(89N8Xd(#y40 z-#Z-otp`9<{v89fr%9`(hp3xVCImo}2h4zQ*sZob#218$bfwmc<^LjpvS_3^2z za$8{oQVfOp{LOox-tQMSPu&cBJMWo5;$mRRFr5rc4c{!`#OK1I%am%`Y9^XP~J!Y`6h(3xdSj_wU`V&k4f{p{=#%$R1N;H5hCpa~nvgev3QZu!WgV^t(e6VkTgHwTx zznFkeyk{x=S`<=E5FpQrx+braf6P)5VE3Q-u`;tgh_)|wUa8&7 zjnv3oj7&w0^P!235N2QRs;eFc3bwS_4OE)A*4Pp4v_wi`;$FXW)Wj5$8J;nVE&!a* zPr=Q3h~y33bFgHkel+rp8OR`6LDGlNov2R2ApDB{XRY57NWP4k_J10xa2ZS&qK?TF zWL%HP?jfbp42{84GtwRnNXC@~Fv=~L8r5y4F)TEV5+KC5I{7MLCIe7 z!EUhSk5D$$DZhB+4ZfBfo-arFm^0H1wk^h;ff$5J0+Vz?_)meRog9X28@^8LoE{mZ zqFo8|g4-u#XNU=Mz@%V+8vOKYmyF3myDm~qlW%C=6(4ypd~ua~u> z>{IH9os2&1UvvlTN3bbXW2};33g5d|{liiK;xVzYFGiv@jZo&SV=v72YHM>YwWOH+6!q<}zL7XBW(pYsJG2Bbtdtf^=##{tf&G8ICp} zl;A6(VnH{|cG$fCZpaLx`^#AkyZs)MAX)%cRdyG`{tx4*&??XjuOgPV;#SK-u})Wo zK|q+Usz!}#?lWOf5R?Ar>h=_ua8^FO+O@ILAQR-A#~H(e>Ty;;WI4PuqQ>Za13=$$S2`-vlWu3_Y zPy%DfnmdHLiJl2EHinotmDR7k(j41|rs}Bd%6V|;5a&qy9UcC2Hm7Z_v-!>>T`tEq 
zb!A-2?Jen(;>sic1@Y^yFpin?)^`VKzX3ScPU&ofp-D%3LD+{P^kX5VVGs3PYs3~f zdC6(Qhk@`T0`X{_&)!tr)8P)spI3^o47Qk`g>nXqW@O;jz}u6+$wAKCts;hrZL1ab zvN7UyoOJP^Z^#_GgpC2UW<_iV%q;u|CUs*HC)jN%j0||71UgvhUjOfgQ@q9}Q!-qj z#G`s)@14~ip;G*RCu!Ew`y4m}w37J~Je(Q@kBjv<-V|_ zV%V-T(5K)@p%k%UQR*U}wVFu|jba}^6Us%%XEU_-fH)V7Zy;!TZ-fAl3z#!p(3%d2 zI>XOM@Ra7Zb-AnA_jjBsa{$j>aSrc4Rlj7+5D!;U*GD>f8Y^;9YD<;tv7HsXVah?t zEFE}8gof*^ouJ9C7V;CbuZ&A4erujj^g}E=ZRDo*i*NuBNFIkmgSRnR5G8yeqnmCP zas@q-c$(7bW_Fo#(GcSeP4~8mK_txyh@NoA*@ zK3YWF(wQtdB3UwEY43YMZtO-q7H0{@zs^_xqAKu*ot9?Drprw~ z7fBpnX5s%((l|kJDUF1NthLP{nHyOH;E|-n+M4Joh|fo5X9I|UrvRW9xdd`BU5R^7_^bw` z^DU;m&p-B=w({BHfyBmE=rmJgS~j65I~;nT2fH%9jkal?3h+sP6Y;4$^i1RcB7p&M zYr_)xl-P<`=rrB%`HHz)hC=zQFd1+?N_IjYd>g+xkO+-~YvRpr=Cc_wCuVPEzoP{z z2YhsYDqjvyp$0(n=4gRkn?}5BX?rO(PJ@ejt8RO^5>84&l4qeQrWY1}weu`@L;RyD zP&P+ysv;f}!Iz}lt7dkK;|rFt$;8e#b0=PHN8xoG`5CzX{#Skkt@1*FJJ!bhPFikki&rFN4eUuAMs!L@^#AFiDb3dF(29K<9s_4YZ#BAqAL zY8nz^%EOYMoJHu;%vO#GkMlUW-TGv8_%S`pw&E6Y_SWnh2b_6fE9)#;VLk)8jWbr) zNZ;}J;oj-foG$u@ZE?X4Qcj~A)}?5&tEE$Ch~y{Q#FaUxB}_&Wn1Acr>9la=p@`O> z<>+$o@Cf|fxM zH{20k2h)AA*Wy(wrJkDx-tglxTPAqxq^&F~XG5yp83a!?5GXN~7x4o@VF7nP50pIn zzUa`w?Z%kG>xBr&nvoDNWz$b7GwQ%dwq3{0nS=^yiVpesx1HB7R5q?ua&9CMy3Um5 z#56KqhN7iNp4rJt2n%O>730fvu8u?{11)f*j#oIFrr%Fdo36)j(Hz}sPXEuoWiTEb z+XAtx@!}1RH~O9c@~v|}FfD4MqzDhBgG@NUxplG{3|)cWRifWV$E*BC0X>_sywZzj zk!QZTE`D-Zo2gFFJq{({aHvYMNHskTOprsbfpS!8&yprOQl#uV5qQued%%&sQ`(Ee zer$xy;N5=*m4zPh;44nz93Gy-&&_nur*Sxq&*PotMId$ohrWVcO3Q|?9i;4xsf_CE zDdoi(>aVork?cm`!41x2;&5@?a<=r{%R$#!j)w_~5gX*L^}shiZ0YdIXys^E`E>aU zEv(rNK%zs?SrfYzJ~MlGkE5OLbx|>8qbyJI8S-#ydmbg7lD#mRn2oFJ(ER-fhh`d3 zMc?6Ii7tx*&1);IU#oRz&l>gh@6qA-XNJ1{D37qOweTOJI2B94$g@Ss+mhp)xfF@i z^q1$BTOvSzGQafnz{#EF;T17ZrAH;VO1rBQbomE&#? 
z*R{76IQm`(uI7{!LNFcEA+&WGyT8gA&S0Rih}4SBnpZ)eVMCPG@L6CUKwS@uIKZKX z2PN@l_q6$|_5qatkB^Zda0#lq(;qm7*NG0oR4FEl1z3d%%wMW3r<9`@PE$kzg(q3E zd$423DsrfV{h`Ts)+<4G`-=?D0Gxfl3t@IJmMIShNDku4915p~#J$TPOIgYhFE_W= zAyb$^TZ^-;`Kp%IEu79x+n%XzlMUIk2Odxjlma2O-91Xe5kjQyz$*-Tt7s#Xwb&p) zAwx`eIei^yOdxuY@j>K8OO8@ zW^_@|$7^cfALSf>-{(ccV!((AkNsWe_z0(QVzDU$*)uQfO^va?v%+gj$sP^@t*3me zJh&6c%-hc=eKg|Cj%Vh^ua9gUm<3hl59MX2 zj>_MzTNJpwLb>KMdUMi&lp!?^PQn7>ZXH)(3_v8MEd9Ub&!n8w`ZSh(sdkh6ZBuvv z$+KR~C}59)VFA?Zq?N`}gkD#y+i5@`Q0c5$C{YNHuGSB0#=4J>hmOuw@Q2^QfjHK& zWjEP3ytNB`J={4@IoTq%cR-z9l!hxXXNkuFIz{x0zI+1A05|Kk=cY^r@PB=o0#;v^ zGifpejpGy~U2MFuVcrJA!3K0B&|JlznP^gI9qePdTGcRl7_}+AoGSh)WQqkgr^M`t zY9nT~__;=`9?ciD*FQzW85e4Za&DpYhixB(!M?`=L9f;}qz5+XWPZXWFik11{Tzr> z5yfMa_SH^kG&$EpFt6(+1xfczzfKx%^m@D^8R}Zb0(fVkM@H|*izRx`{s~o|0wYRs znEjYk!LW9~ndaUtzMfGhgU&^#7<5e>a7G1GU8)TB4TXO&M2z7Z76{ zS}^5u8{9_{!R*$}pi@jDQ#14GH*X-#Ue~Vs01FLp)6u{k5?{nWm54e(7XILw2cVw0 zn?PPY&jr0D3pzuL+L*86IIdMPtCp9#{F@uyVgm91Bp#B$oT%E9hb~`sbFaH7^BQ63 zX8nv9g>P4Q7%q=so~jvjB8lHL%1>66Y9om5Sj=FxAN4jELEZ3$jApY}Pux>5qlTem zppNS|0+KlY7$8ct{faxO8q!b3YFtEm^l6ewYi{dMR`{B*9b?mu>MRgC#C33MPXYW@);$uR*AL{5Q*I1b{{HDS{w zroj%9!fN2?qPa0kxfc|O*+(&Y+lyy7RYBi=T)aC^=H7AcebhH{5abBJ@l?od@3?Er zqAIggEn#UvR3{(7d~zwyVh1baQ`Ei6;LM0fD&S$rkoV`9=TxDB{&{aDkeG}C3Uvbc zi=!`voBX9W#Z=AEjTWiT|2jf&9hZNbAWeGR-S1WdLwyMM?%x((U|yTar|)_~AGRgF zsK$DP%Tf*rQNnigZA4^UkRnf1aEy-fFFc(pvks{{6FG@_`9OS!*n_2dHIP4vWr~cGnLfD0{bk(SOpIHx@2k)+rHI^uPFOX+{)6a z_(;B^q0|nr*vtmL=4gGlE)Z_x2%%9de)Mg|bm+A&uq3kIFvTeG5$HN#$Sb&Bz#}ln zLJx(3v6MAMpc$b$s@nMF-{8N)uP1pjP5fa(d1Kw0?r7wlO84H(DF#xDTqL~WPZ?RT z*SA~Vr}=&D_`!4`-a?j}%S$uw{W+GT8gLmH2nEcuWmjT>+uqWMZZnBc{2gdci*!KN zx;0oD*0R^ICU0y+(4Cy$8gD2XSe`AaPJplF)e`e1gx5-KsX zh06zUNA1COQ|+89Ua~yHxD4PxgMi&;wiKDC;w?kZ*Af-^nko1lJkTqi0=(<=O{3Vn ztK^w$D138;L0%Ni%+uClGDi+`qzZTiY?o4Ej!UYWkom$(@ z?9>l>sdWr8E|P(GGeO`@#>O5$9N+X)#A_-0cDzEoxw>$!)t&aA5*m~KH=8rVIknYg z0FeOGvCfa)6U06{q;GRrQQc`Ny5LBcvVNMA#ftqml~I8(3`}2A4raw# 
zt8<$Y#d_nE&9wt|-%>0^_u*$E_9TqAcax_|Uh|mg#wXr&);fL)z<_HwG-g?wRm)j^ zp{A_w>6IK+uj+w_Sd7~1)_97uHNh&FvB4*!S!35yB?dcRk|B;UqXRp-G;f<)pP|R< z8?jHe$^w##J;#E~RA&rWQKwk6oRp$M?kp0tiD~ap*e=Z zx>`suAgO~y*#SK1rhhwbQI2r8rL63?NIo5qQe+-Y6Zw^% z!PK5$#-vwg%FKi%VsnM+L_y5=m});=glJ;TIzv;BT=rMuy6l0=PIH!_!&qZ%GBrD- z^E|N?WM7CjQxV1Ku!^cXUQ|Y{iDyKj_OQt;eeOc>$HxXeUs^$Q+W3shTnOE&=GiNj z_k{9;?6su}j4RX(cM({xWb6^hj8H0PemRaQBBmhlYeqG+JxKpHiWM@4t*?_5fjP*j zHJ@9kEooaGfqkxx)5qF?RAS8r#eKXI4jz~3-90dAx~Z7{$VhMu4-Oe%eYy{K)O6Gj z=Yn#wz65vkL@_vOHmK0+)VtOuZR8V>s>%a(X@WJ%Lf~sP3y2NI{qGk#{Ho2ocPAh8 z_S6i?vYlJ#)h{O)k~rLRXz3FXw$(C83L_tbXbay$4nq4GE+D;(-Qvw;YG3~dLDha* z%C-^e>EDBI^~9Rx4AK-cb}G$g#{mqm*e0dRP>gJ$=$z`COfvd-pYCRDQ6H!u!p*yW zPc~ascZRJ|-L(J6P9BilV0XxQ$w_W4TZ68Oal-l%7BNgWKq;6p$?FZ*b0JaMoPi^+ zgVp2ea{`0pBnMiL9MDe}91VC57=cUfC=WMsJVOi2tCKLG7z?8K;0nP?eUFgXKkXmu z;Z5&0a!)~yiJs&oH7PL@m>ohDopE=QtF&&CK^%_7nBCHG;;c<~&TB?Um8{(S3F@0T z2{0d9!1W^xFal#Iec-2}zC{YUHSP2U@8zSWu*3}WQLVyqu_=(E>*UI`gr6!wH&6x( zfzyD*dauwRf}y9G>xSsw+d{>ymeOR{OG;2;OKL9YMCn0~T~)cYZ>Px)?epYN4cHrt zyMfxKy`tkOHy%sM8_;k&B<5$>Y9}0m1~%RkPEf5Q_mBd2(7stOL|LehqB@E_?`$QR zNa8zTCw(z7BFoeZP~YZeYAdjVEoE-8cH7+UxIF957h-GOuAxhxA_dKA2$~~T19vu- zPlk9VBP_E)sKJh~rLS`Im><8N2o$C6zyVIPU8;#aFLyAqMrb*nfYHD+=9=Y^Jql}8 z$6q}XbMJYAqM-U4dZRnX_ro;X$hOm*1L_aoc2zeF1cn_`H+R@AJ#{gw*f)mVuBv!1 z+P_1ElRtgGmn?@Dvh#xsGrvAox|i=m=6_&Lizd#pH55-A+}6rv0>+j3V?YO}Ow93D zr6RE^aqU#~=u`&JZYH(*N#qVop-rpLpwChM9`J+z*Is7s)RUI%GAC8W>}KM7WhAEB zMC*P3@~-i! 
z+(p*6n81>K{MZeQS!Q}#7<-t{Idt5@1p7DRK-7~&`AD*Ow!`H;QkC7TlNz}Cwy3fdNj&B!kMNZ0Ul66;ZuQj+~m35 z&S$s6fqgu$5iG@qnDO3W*-!?4aXlej5pQL<)6mJs38|5QKAR zxS78}O)thZ#B>w-50AS6S+eyk6YdcXi_0~Lu&_C}e7ZKT)Seg2_}^QZ_4-3dGt+E4TjTBG z5sqFNDrcks>O9O&azjTEq*Hs4$0|tZ3R<{us)0JFlx>a0fl!nu+yUPrc1^v z8?giP>_FS%>ITTOapZ5N%*d*F4|JLHhY8b-2C_Ib$*7U<041#(GsA=lh2(_wVh|Ad z$~U=aYV74`8tM5y$1oU1()J+XxWZvc?esW74eGIqe1PtM1m3ar;q$#ddByq&hz(O} z(k!WTA|0qm+y)ITZ$Tup!~m9ROpcMZ+ouoHk*pP*4LO42(W^Un^z<@$gc>2KkL_=A*Xhxe zEP6;5TDj!=Xr5>ncfe>~8!gV{`{%vTbu5*@zGF=IYd3qjVlC!$A5k7v;g(cpB8da@&6*l;qH5_iCq+~JOuW;`DKCcKVN~tW z;q)Y+PowD7k2=MHzdABTReFfD+{va)<5xKy4ixw%v)`YeK%Dvmp&*AO_yB~C_Km#B z^!W?PE{R= z`UA)yA@E3tF>y;n9viijXM80Bp*BNe^T1*tV*<_>L3PZ_FP7j+coyw*Y7^>@^loJe zg7lTyIK+rxEuZzy{Tv88Iebj3M4+f$y;VJ5I=&U_QV91}-cjBrYIn$zK8lzf(&m4< zCGnXJp&Lmk<*>KD z<&7j6CX|r5L_XDW%J~DqC40_4!1ZqugZG?8IG~Ddp7Wv5ZJr?l-5Vy25JYIPlI^+E zwYTFX(HV7OlKBQ+Lb|#jjf;(U5aeU=fqBpoL|DDil_zgboofy3ZAh$=I}=DejK;c6g6ukP$;2`{ zAWs85VQFkQBU!*e01HgOF4wKNpu#T`C6~9R9@t^1 zgKe2G9qfY;RzAZe=QY=WlBnhv#8&-q!15)FbtX1^(csIhJKn5a96l`M1CT#|0l0w) zH++|@FowpI_`q2d(j;QsgPL>5^l6DUauD2egx18#%Sk;pVL7_Y#!E_z zq?&Ww9pKl7!d-rBtT0mv)cOrTMe+RDpR>PLf4k`u3!GiSA_B&Dl>2p`5ehz!&DF9% zd;&>`m~X*z`ZA$4P}F#xDuo??OSQ{XJh7lAkUTw6ZJs;N|56C0pGJ5MoEOoKJT5D^ zkP@8Kvp}-0c7I68HaYPoJcWDy(G6$ss-K9idz$Z#$7fCn>HX_cf|XNZ6B~b_nfaFtu&q4Xq%unjL}hoPfOT~IBd7r z=de6l2{q^S^Ul=;B;|F=qfKV@frVq@lRuc-snFvzD+Sq<##6fr>02#c0F>>VHxO?( z)@D;;GylUQU)qmvO8asDB{$LDhxf>1yjrOiCe(L;V&(lN-N6N0*c=KalAQ zd#xm40AkXmgXNQ$YhCzKPVz7I%?n%ddy-r)^plUw9`6~*Vp15}dE!kSZU8ivZr>)|LY zVN}{qBLonlKL|3+_rY>{v&vJkrpzuh(|<)4T|QuG|7CWRrzUJv&6?nR-{i3~Q@CPy zI-Qy|W*2(RaPa}3UGvz<=`l3#4rK}KZ`07_Ie|maZZ&e^+B6mYSTU~__1U!DV!&N+ z7WT&!i_}?f>(84c`s<91HbonzmbvG9W@Z9rG-2OYs5`9kiB!v25vzU7+$1^%-^4xc zf-?6*=?t;Bb3L-PASp!TTr7&IhtszP=fHt^u=aYI)P1~#9!^%HJC_kQ6j_{fp%fID zpZAzP-4w;@-1jxls;C|0tq6X5Pd9mUo$mG~<-P-${*D`$*Im-5w>dyw{`?5W&E$;L z^K_l%&Fa>@$pO7_y#uL_E4~9;PmItXD}kPUA%dwZRJe|mT0PsKXxM(s7yK^kJNlNJIDD?E->Pj^3!6N+$@ADgMthIBDRJSz!NfZSk${p5t!A1 
zW`D$>rKGV$kU4zyY8fh31V&Tci4{Ec;=?k+h=&C1VTFQ4UcUWi>Hiua8gBFJ==1hQ zvJc>0_1sC)p|ZC6cN)DBSo?Ylt81JO8O@r`s`?9p5{79@f91?nGD15!+n_> zr^OF=;Kr_#*IQH5gCDvQZSAR}B>IF|P7F0Oo~O|H9$tDlJ8&>;+>~4qV@>UM046J!qsE@obN!4_XRBL@K!U!8yefoZ%8U=~0E|sp_JOxr)HMp0n#5Y@8PB^%QVwrLXm_-)~{?lU&cr+o4 zB@7I0@H?KtKz}2hlMR9h&I~D{i-F>jk4=&=hxkDp3r3A=o^(fCm)@^olPAUOWL(i+hT^Ti-)T|^ym#8@8eW4 zSheNO*Lkfa!_$MG_|)mkZepm)rv8&Wbrc8W}Yh7D%IRt z+_g%pHO8HzycUd~Ssu>Cx}zw=JwU7d#Y{^1q;rZ#kSb${#HXF+xE<`RJ<~1h;VR%V ziMqEonFVXm1}burUxZ#vx0CDA_R8ScgYwMuHZW&`2a8=kft2moSc+QRK7!S#GLR1| zXUyCoif#2kzZ!m6`;3X{-7zDL@>QOCB{rA38P`j>7uXLyd5(%m#lrGlXKu0B$%x#S z=;JND!5pMsfqa}@)}G(!CCt0aIt{o&ZbmJd_EocALFTSKgOw!VTs!whR?zyxjyI)< z@X=!UAJce@=8%AoeXz0{M$?a**;!TYm*jCnaTwb*c{HX+#m z?2?xGbeUs2)5`z3pN;EXwg)@0*~wmEk7}Cw46qRu+cc8YF$mbyyG(@nQR; zFZJpGK4U%UdYShw*07c@b(r3xR`3nLPaqC{xTBcrI1i9q;Y8y+&)fcPq}(a26#z!88i}` z3s^64Rp%&vIHSX37bByZ#O}VRQ)ap0Nr&EjWyuHYp=X45|ADhOf%17lEp?IH4tWMB zJ1{+XY7sjs&~S2vZ~NjyCz#Gsw~@q>c=Px^MwlCHnxf{Y%*Uvg;CGUC4_oJf0w*2jOE0u`Uf(GM z6jexgC}_doWAkC;qyKYla%KLDF0a}W|gr_8+3MyhfK!%i7UCO`UsnfUekoFaLFH)Bm3O4yRao+4R9czRyC(U z5dfjJ^`Jldqgjm#riJlxVpS!bfw6?>W!y)cg0u}7;&54~n>}DBvc&SBcOWq{1&Os- zb;-1Kcl6^+SY`nRdx7l4bbMZ;Alt8WYcwA_nhDu>cZuo^{3d*Vt|FN}0{uuox$vh8 z!mxliY)nW^Lk8Cd0k#imB){k zNqxB<{Zut75(dtvSp)3jqMB*@Cs(hg!hRa3c@vMTSL6ah2h%!GIFBKESNBM*Eo8$D zv0fDXLz$D)oSto*2Yu2|HFoM)$?bY=GodSG(>QWjW*w^9WaKiq6b>WR@A7(BlmU&P z%T9@~TIf%)gdL;ZhAuC!k7Dgxk;(uL(*}g)(OLG2YgiJ(i}{T+d7{%x5q$yKB3K zEdvlV{*l2=u!=pub}aNpSHMlR+=txKu%OU+Ak+rhEOu(9+~%TXANjC9R`dhDobxE` z6HUF7pw5RKtZ$GK&tBDkp>g{Y(O4%K6@97YQyB3~h37u9t>VyGzYPWXq>X?ba2%>h zF=;V5RHLwtyV%o_8)UnM%ho20-l-z@6)F^8;1IZ=4z>sU+*%Rc@xS3;52?Mv#ChdeBlCx*EnKYH5XNL0q*!L{ zCFq=~D^$`cj&G$pJ_Ii6B7V1o=o05~wOTM76!^p{6jCmjPKVDdcEruLw1KDg0@x#~ zW00j5U3yg(=wwaPN*iH& zy*R1}NEPfiE=$SelH!2@G6Zm=JAF6R!L5p5Za&>ClYWWEMc5!Gq+w7yQbc2^%;?5{ zo}IXZ?EM}?PqvRO#!1K#q~?@U&Tx*^ANG*G1-zex6^{!9+?=WOK*mv4-4+84Mu6k| zSq!1)M|xGb4Y4`%2rhGhZrL_jA=01~TSmfJ9dW#xq6Q)n)B z;ybR1@s8erZy3_2_hAwn33V<$e^*G`R7RXF1d@CMq*s_D^nuLo+HgD+K(`&q|31m0 
zrU2%GjGX;VxP&G^r#qp?8BK!B;)z*(kdERVr(@ODO!nNU6pbBTLjxMcD0Gcdz%l^$ zM_$v)Fid*~*bl=Z(n6N9)@M(55u5WPPOR&XaDu*!%)#Nm(l!l?$W7poOKuCEO|dL&H4#xr8_}awmOsiP98OT zU*{c0wkKVW7M((S@J+adhoCm6uFrLQ9Hh)NqyXxuV5zAB?#9gdeO}jd>=czGqe}U$ zTb(w}ICajRVb7ijGLuAWCzhmXVpz)4LM*V18gS^1HDZe_%uXV&xS(>v2ile5s`jil@luM`QQgBjpIe8elSvYSBzZ0RM3ax0mqt0 zJO$##Q#@jgR2L0qZV*tG9|p@9&KVwkZ;DFjBs?n}wI@4Gl9SE>1eQ(=pFeH*o@657eLMUHbzm5??=#U z9ZwINBSx$d@@E{b6`zMYamqdo(mP!BSWZHGtFUATXpY=}|5cjsc?{y7%sY*S{?F(} zuiE!QvY(0lrzHY@MooFSoVLc5hpf6607a#edu*Dzc$9HirV)99z_RPIl@sP~MBVnt znl=sYnf)sk@^yUox1H0S|M0R%OgkL&RNO-Zjp4eX7Iu&$G zwZ7o|+3@i;=jPxStio3@b*cv``mv;w1|_d=CLKlc{(uMh3Dn3qT$5 zwkXr65yQ}Qb?52T2}RAp>r?!iaW}Q z(GUS0a0d-?XQc*-vvwh5UnmXF3<=0sT`b#>wW;-*PK=}l5I8R+#dckdXAU7*1$g0cV_r{K7H8Xc3^qT^X{Qh zoY7NAM(DuBcU8|}9DKk}QVarduQJSlNymmp3-2DtN_X1gOPM}My+D=Ly1 zeoIx4b{HL{$G=R=M~!lKvQyk4Ed)s|XEg;ZpDDxuRLxXz%kSFKb(_ z0Xo-nsygbg$RssV8~RaG;XddYt4y0gUg=O&;gi^bHlHBybtdVnjkH#)!Z!NLp0i`; z^>U8Cni7tuDDU-U)VBXA##(8HmW$SG{pU&0v@D20NI-w;cz~mW7}dwBRz^lNto-UL z2#6Ioh;ZS%Bi2T=P@31nreCRRq|s#8Y$QJhxxLAS`>fO@*wd2=%I&Rg?|ho#m>5Rs z^6!evcmjUW>4ZLCKX8;KeiMn&IBShl&Y1*v2X7;hw9$YD;EzmuLw{{PO101FG)^@h z^EoDmD<}#;S+yw=06GGGVV&`XNoK!8=bA`er%a4PR*wIi4fHab1iY|6;@=k#STTFB zJIS+d_O^D{-eRPm;;kubQ^e^!=-{UV8nt04_l=uUZ?TWY!e`W$WfssFVyqG;0N zM+Y4gsyINl;q^jBQe#F zj?C`~DR@tDM{lq5u;))_Ebm9CeNjO7#kXn&Fi}E0?5b;yYR2xbn!T&t6AM&pU=0ki z!vUepSPE=&Y<^@sdoNwG(#?jW4OZjOZZ1ms5jags64Dr4Ukd}V{-~*EY-GGRG?y)H zYw^8uVe|X;A-UiI+_RI%FUY~bZK%hP$?Ee!un#iqzy8NAc$LU0lVt3(VOAWW=V9Ut z)p9LoQB4=$?q`+{7i&28V27~SkLyV%$u<*P@qX-{ znJuiQStqL?g@Zor3lLaaU-Td@LK*t~+I5AC+`D;1On%!A?kGG}!Pne~>aU0&sJ9b8 zkcH~pLL$&*bi3g`=*poi&p6@3vi=&sbxC~3j1lpb?C0HTJs;dcde2S5T&DY#by8WQ zJaUJw#lqZj*tyqxRjGkCPYnG=_SQn!3nSu;j*jwR1cEWz$!yxIKB-eNx!<3+ZvBs9 z0|Bl0nKpmT5x|57QiYA$Js+on@`<(k%s1n0j61tWDNNH54}fvQe2k`b`~4UpCh?>cTS zbffPu!R1){Ips*5AY+saK3KiJk}+qN`SAetT+H#f{6cb%OXGV7Go)TNuPnL!`U9>< z%=#bQ6O4_CX>HlUj+F1|Cfcq}QmMw@BuSNWI6zSMWLueADVUL5D5=3beMB7e@SOA(N1vT5=eIkOY|vS`ft4oyg&% 
z0Z0v;-<;Zg7DS^gO}>pYU~Dt=2XeNuk$Q6IadJB^VUU_8c7PRr?8X2wH;GF5gRX5% z@Z%Vnue2gJo*FHlx;8hv@~#xobuJtJ{)ma{=+}|Dh{F8%jHY7!z>O7Fg2lNqhIE5K z&lMbu%ta0(d$&BNRCW2#b~YZ7NzT7x*S=dlO@G=fydIGOTY@bzuL?IGkORWzr@JNo(_n}1kK*J95k6F;6r+C2Y9+v@pn}&y{ zvA=0grm^s+P92%%9|G<>u7?NWTNuDCgILnep&Ot`zBGF+K(~{&teh(o-9@kwI(^Fq z&SG#ZkY*LCUSbtahrqPouBQ%IZFH+|R` zp@Tx@YpfShAX<{IdlYd+QNgorYuvKpEcIGb=~f7fN5S*WW2mh@R+;_Ie~9uwXgGN9 zxfl1UYgNUw+f$rnY~~2V&1`%M>=`oSt5ALuPY#yBU&Xqgj!oa2b10@TM;H(jod!uZ zje8-X*5GKhR808PSIdI*OXn4&ws6^#uyXlj}MV5KPwrXkc7TisH3PVq$Wa ziSQTi|Nq}mRV_k!2_z^@FD2N$mZjh&{C5+}80TeKFa4}C0Cp281GNs74y_IkdL7A< zA_}~6tA6%5d!3BM!iyLI$&KtkIM*JXMtj8*^%iz{ozBfbX4pIm*;zi|61Tvduc$@U zWC3n^+eVwj6zjH@$ryRAQBR`&N3KoT0BGn~)oZ!HIR2c7MGw#j|3NyW>Sy=-q`5dB zh#XrAK7{n>MENIbKcP(jOc2K}xZWcAs1Xt661ZO&mG(E{UmO5zR3TJJa5^rItwm%P zu*-qTg0AhjC|7@64>Jo;uIg?gCupDWjOcdaPMaYMj9HZV%P})siX0^kZ_-QG8`#J- z@pTF^4}N>kjn!Pd6yw-g!|sj4o8$m_UJDXwY-a2I`cy8k$lfRjr{_e0Nf{G5xO@!P znCp)#_#be3TPM6WADKfRx65mpz1;-Yj#T}s78qj>{BKt@=s~abr`+s1m+=#30hmY6 zNIB?|PkN8E%{4aag%M;ji}ZZRy?u=3QDjuRkdRya4KC~!`A}I21blgv#NH1m z7$XXLDUNzQ`Yz4^c6kTqCl{n8+7K2Kk3VvbF!ANB%ul)23y_p-B#mXIq9JvGV;bHW zN=k0hsV{Nn4iyj8I%^kb`z5kMC)osV$9IJe%LRR#i(@k&s?p{{qUj>to@IHHR*a?N z#1jwV;eZX&0HT+K(?c%+OeYEG8Y5__yiqw+P*Efr>DA4>ERFj zkdcjq`__93Foj0O5lzECozOU0aG6xqrU5wvX$0AXoi?(%Lqdtf_SX6UHZ?iBCaVvk#RSNG=k`3LhOXj#PP!g2Q0bVYo0lTs$PTwY#QUO`@FW#K`I|2WZH@?5qR^0`R*VMC?4U8w;zNtuJaAcFxQA*sMB@@&xw6EEa zXFSlPh;^?zWr`FjYRp2+Of`$kcY@MC{k=D%ASufQGX(fmx<^5#hD;PdG_^ECQ10

    s3{A zL>s88-pR4!XSD|Qn%6~LwfQLcN+&l~swAv?LJ9uq93=Qd;2~6*=l*fR)nGWuyamw~?id>_X?yc6j+B}Z$`e^ew9%g4WkB!u+H?!|0 zIb+^WA1sG3UL@W1Fd;U*kb~nNW1W1k6fM*4mUL&)84+yNiN1;0+MneKAcO_Mr!x9Y zKoGHW0DxbSy6{^yK7hkpx~F6iA6HeA_@6`q%KEXaD!*aJY&^~$Ftfm;C773IX&(GM zaFktE+lhYOMEV1i1>mVv>DCXvcqGv2pif7%_@fzOPX&}7Hm>TrrRts42a@(H~-~;(wQHQEIdqzZ{U_$3KsK>}w7v9!?X=`VG;@15| zWrl8)DtPNAuIgL6lM4^F8~JIk?AIhDK6Y&JVL~?Q?!lq>sc?Nfb9AX91$8xbx_Qo@ z!xvXAN1u+xA3y0FhXXE2vxu2*qiO-8hvoQ;lNgLlb|plELVN#^LWkbB8%^@RFn$L3 z1wrZfd;E$aKU^sgmMgY z#Ra9e=ZdQb<*DZj@07`}^z!dfK+wd7=8h)D`vR^X03-7+xvGkgfvSlRZhbma_~SyL z@~n`~1bJr(hLHF(IZ*;8)fklD%XRD095$;g}u?ak3Och4{ zSI_9JIJ{g(#BH%DJwwJZw1d4g+C>N?oY5SL)U8jk&}TFd|J&%Hd@nRSW1>;T$grOL zwD#QNhEGIw+ujCynX1?GY$EZd;OWr?|5F|@EviQhpaS5`CPDjEMiYu?O;N}&wk7Xl zuE(%|IJ-(=Mw+7F~-LGP1hfF?mn4=*F0!;i8RP^k74puu43za)u%f{8b3ri~MY5c75B&JYfSW*6A|xEG7c8*J0D*wj zt~Lr10TeWn)PaaQL5~+th#>ivggjT8ptSw+n(P|8kiu-|`Wie{S~8fbghQzZVVsg6 zfp&!h7@kCQ^%T)#-VpHTGr}Vd#K;alXcbC1Xj|>XfvCf-bYWAj`Kg|YUb>L%0M&wl zs~u@TQyjZJxn^_iP1cY;ioOci95$)&nU+Lb%r)v5u_t}7%}FMk#y!c-`k_O_#J86$VWX9WeYoI?bB5_<+Fb)%f+2#2F{Y@c)gp#IvWP-3inuhI zx0nRvL=T?e_<+Hc#07VzduO{Tu-LMW;`_lxdJc|<+*x)G@3isK^p{kt30<%!>(Ad?QE90Sas~jWdHH zhuF3r%i{0FJlF&De2PujAt=zmnEg&QbhbTWcmm>Iwp$j$qT2T%rlp~Zn5!Dt<)0EJ zlQxTG6A;5Rlk-{4GNMM^FmKQt)3R&ebE2r!t`}szU0GMWkqOcGYAiumPlxn|wy*73 zJ5W}XCbHJoYkj>w{hHD0WmeapKS?rLf7~X*3@>W{zYz%>wugUW^>9~LA0+)_e*}Pc zvLwSA-%%cd1&$N&+cK_51k!Q;9UkEW#)-N*{FmSdU;Cta0C*+>P8aFdiO`TFGCy|o zR$h?sf)R21P8vK56zmnmZebm;Phd$0gab5zO=$aK*=Rx`mUF;of>R2C_}_B{cp5$f zy%|^m{`n2ddSNmOf_EwT;IecE8;xNeME5wCj<%K#f5Ssj&RJcw3PI?C{4kT>W&A;v zpNTZ%2*i3-n>KRhtXhD`yews zhtO}FD*|7+hPB9AwQJ9C1|9H$se5S2~;&Cd2*IChQ<~x4JJ@ zC#wJ+OhF0%(E_lSN}Eo(jFU6; z^q4kDHhM4zx%JK%j_>)*&5)cPspJZ9AXVQC&erXwf*y_j_rVXc3c!_O!L%Md*cX)m9Q?$`s9nzu7m-smqeCOWh444VeNYjn=Vs;> zl4P~cZ8}+&BMyDgvQ9?u6n~cSpw_ehau_iAzr2$R2x5aDvHYv-Hd#>K4~GN6fk@D% z*l1KdPhh;rM(_ZpTw8r$?#ap?oXvr+H*i5->f;LjtF;l-1-orAh}W=7a>JOM@~*lAwb z+|uddsq=}TiV`SQXqOcaSJI+$qkIVd4p__72UEsaS5wzHKSIWyWl*h^L(c!H)4FE0 
z&F56%7F1h5sJ1R?;fq7Aja!;i)Hap0#OPeplDNs$657cZQ^gADu}8n9W$fCLYaQ#h zasY&5`10;|B$n}=2$~+bGfl(qYB->5-WcW^Qlwy9fef7r0!7 zF~7%PeCP~7kAuQzGJhEW%St>AZ?J2B`52L@z@ys zDuQIv$0QI#Kf@eF`ijW#Yy0W7?cmmEY;Elu+cn-3>;=N2(GRifED=eBE{z>G3Kel? zY_G)NuPpIG%L-6Td{F?-5}$%58tR1>n;xge`$sRO0J?q-6b8Ou)cvsifE0y|XJ2Ad5E#DH|$Vv2X-h$ zcIs>SSMu;f0nQSmlv#~Eaq7Y{@Y-SvNc=MaZlb!gQ(<8f>|g^)sQwe!u#cSt_fJqr z5T%2uF69m*K`}1UJs6Q47x0(% zx9&t$IrG6*m0u<~Ou9UPfD`r4cccJqWfQ*?A0P)zQ7{6Cu6^D9ma?k0!>@GTNEdpK z1nQAr@B;*elt)(fuHyTPm`buDkobKd!2)DS7BSlA#OFhXNQ4zX!^Rf&vVRrmxY+nF zinQaA?RXTJobUyzE12zF7GS%(v%emL#zpCzjj4}%(ektT7fW5pwuAXqP?x3r0*)Wg z<4Cx#wAemWnTC#SHKi}omrK5R1MUOpZ2zoW^(!8b*-X7e3N%RB~$ls+eo z|3=`wIWdzTGZ8%F{*JM`L1@cg z{lNvFXOMGAP@nH?!kOF<5_Q%9a`P&nYPB0*MCurW7yF+vVS-kVw(g#$=vN)W9{d%G z=)yf0cA|n$xDL42!%_<_S~Qr5r&BJ6lcuOU9+hrY`Wr1vflZzc4wZl7)uYj@?@!?|TLVCrg`7QY z>yM8n=d2aSLjTc>&h~Lt9U)hNzZ0roT)zZhkRvnJPsSIebQSh&5{!1EBMv(R(IcIG9MiOub0J~_PA{JY5G2Lan^F)ee32-yQ=632T3izwuM{m^8K6Mm~nIYu=pLbpz|MmBg{zgZyxCxD%GDS@JVq2LzELXQx7v% zYwEBTpKwQF4eqLTyU@t~$-yo@ltQ1J^HLw4;`-VzJqQbKD;~s^;jMecKaYh!CX3gw z0V1-yGG2c5t~;YY9$^ZR<*jyVt*pt~9ts{n7Yt;3@4S{JCSV~ejxMgXhoFaIJFjXN z!Yd3pE`G9*EdfKW%(0=jdoAJ#9=lGO#~s(X?ub-~+2F?`LcCV>PbG3I!jO0E;oIe_ zZwiq&Xr?7U^IXn}5Lq`wg&V(7_0lhjdEThjHIMy40BO`yHW!gAcX=L>3Ri15auWV#jP&)2(ur+T2vO>sANPG1pJf!b8wX7Ra}F-FUnf$E*8lc8+0gua!vce9CX znUr@Z#8u~c(XH#P1fIR~UPF_x@uJVhAIQWTG=wW?aRI35U-0a(DN9V#Xly2IF9f&7 zG&^!^1UoWZ%8n7nd}t=WIKpUeX4KfWbjL?YZfu+|@gpA=c8f4i*f4op@uM!S;hU^^ z!cb1%Nvl5LIIiP{1@JU=#83T)%}{Q_d2ChHk$pwz)-Akzo0}I#D6JJ^779?e;@&XW zS-fo-ZKTNYDmxqaOO!db3byGV-k2Uv=)vA7sT`@iYS|1{Z*OQ6P#{YF&`#lXF_HAZ z5R=O%aknP}$B!aQ3Kt_QGpqb=w#-v#JG&2qw~k+kjx!Z;_A5C z+*X=?(8RM-V8uz0fQdldUy^uO*0V}>HptvrjX_1pkDi9bpR1=%QQp}{RGuNxSxNTB zDwTPomx2;2rBD;n(+X>l%*4(a)&NwIYh{kTs>Hq9mg z1e2nP!)`X;^q!9>dU7>R5m=@D1puqwF;UyIr2>Jq5*5s~MnCMtT|t?+>e=Dw zyV>;>jLjbX6OK!YIj>OXepq{?$|#Rp zTja`nhIT`o_p(MUN?-*mf1l}piX}{oAYIkNpJC%=>tWi~2rzHS|A}XNg$YCX zYi^2fAKCTrxL9rbw0s!=ML@d0nCgih!YdB+luYN)#megcYRIDA(%LH4n&z@( 
z;a+1LQ!`b@9q9Plp7B7dhbOHIB3v!}-}xyzESIIGNsvZL*>ZQ+Ll65=!vww<&DUFY zj(adxjuph0TnE2troJTKi2*D4s@5(6+xlwcJJ?}*(@DB4FobTd)4S50u&6nmgC4>M zmCce|MLRV(=dJQO>ElSQ;I3`gsG|*PeYRR& zn|dEd-cGJuI8R%2B6?st6tT1y*2MPgcdUocJQG`42A~|DAOAcGl*QS~d2pD(0M|4@ zWAQi*s)n0z*X5D2TJ`bi1z7CH`PAM#vxazsa*K@o4JS@N%Ek3`E!AKJa3n^PG z#F7ZGvnIi$!%S^MX||{>bzQKwZ`17C;txD>p0vJW^$zbjnt~U?wE!P%d#n1qZ>3w+ z-Lzwu>d>^w)m_<;d{^%BD5!9s{uyno$-qvEw{#x!QsZ1q5WMGOwsqHAqE^d}L2Sa| zvwWvD-dB|X%NgD8ruf-Cpy0t_(Fz4k`Q;bkJ~{td9Som0zSqBq6)XwGXD~1;#RB~r8Lxww!B3U5 z@4FF1Z)xi9LG5ziGQ5N{=r4#R2QpN@t8M&F`CDNnXkb2=WgZY1pp+B-?ZhHm{yi3x z0&T6yDo;e!W;F_V^3yQPuS zx$;%KP*fA*zTpV~Wdr2b6e8A;WZU0BxMcqVrL4BG=I>Aa&v=-M*euBpM?N>k9kvzU zqS;%|vhd!53ZKdVlL;-r$M-&_{<7k2b7~r7i<`b-{L$_liN-n4E zGe&{d@<2Q_L>R)3r;9Xx-2RZ}(S*D$;^x5$(8;qp)~WnMWWsc`{nD#LotcFm93D-! zGI}Bi;Ou!z^#q{oK?1Jw*&rn+!0B|xirkb?5u-ji97xzB^2r=QHw6SNb~<2c=W>8) zIR^}RTC*lcMeS^j01_hsPawe%Jh1_&+ICXa2vqiv{k&0G;raSjb{c2jt)|uqjr)%h z=_-(@`on7RF!l!xg;}+YI#yA8bnRlZx5W5%4pzGai^w1|BfWPrK1trHy62n^G%h8zo=#cw9hOU z136`hifRwe+J_rHDQ0%yQGlofw&Z{AU>Pb|ga0IQU_J(LZKedN5q!jEz_Zy3O&~Qo z!Muc=k(t!+zsn)r)w+*7rob!`po6>XFtT_);{w3Pcl#mi_3a9Ph}E|Wclv% zLH67Emj~|;H7dYBq$YtafrQVMe&FqC%6BAq!4yfA;9|lY;1!0;l@yA7T1d{We{6R% z@!dQBGB2?NG5QCj6}L<_=9PDp$2f;-jCZ>#m^`6@SW#elL-BpcOc1do)L13~%}V@| zgGbEONdzGc^9@t!Ys7v?=NzKT#4#Buu~FjDW(6HZf?KbuV@Ap&!z~d>SW`k_*D;M^ zQ41&=xGhW?HG=lse1=D=f)PI-lK$rFCI>Kh zzEz+5AHWKK*t_Pc6i{m5Aj1)QaL#i_xvj{jAj%Iz4FE~szJk$U)4`SuM_bnPcOb*V z0xPhX1_%Dq7b(Zmpj-nP`r(xjojMShG*vsz;C>1HrTIQez#MuN!FPg#uW<(hN+11j?eL}2s*J8N8;Nuqm1FB zDgDy3;%UcTZ?+E@hq1Gq+~hCF0}GR#n6Hml{uROu>tVgwi|AKFHZJ%pxHgRVQW*)J zhx_HJ?(<0beTN)P9L2afnLTKc`16_$8&eslOqYSR%pmY;^OdQzWEWIK%sPyDswwg% zm8qGIF{BbE8G*e4;{%~hJ(^KA4tgL|Qtb_*LuW)y(c+_ua>|31iV;Xs81&rj)+@fy zVuhq?LypsyDrT8-4fB#S5mS0sN|2A3qQPCrvqzF~wt{g6T& z{>S51u|LLIVg5NYl_0gs`A;`L49z9t0*R`yk6!dag(!0h`+tm0r9R~x76D)J0E1s6 zf>xS2OUGw~B`tIslB=TswD4=fttBvh1(n@qufdmlN zm!Neafk--nAl#g{FOWp1n%Gt740x8-FCzwljLJUBhY+P{)|0^X8NYuNPMQJB4+pwM 
z7J>;7OpNuMRci~B+$Yt%+RpVk4}}^iTPz~yV4l-fYc@JMPhio)Fpv z+jawu`R7szQzf4)r%GGH7<45sZMsr?J}+aCU+GdUCbqG`T%PQr z{gSb?U@0K}`%G3ZS4YFXuY%`xuEVmFPQ-frI z9I5|k;SZPqgP;5OmUt7t7*hBA_UGsP8AdOl_;Cfia+q|pO_N=>@#N9q?aRW};%A}= zQGrZq!<`+x&C3rxNij zCt)e`fzyX98~=p?Z@+?05ZEbjGp}3}pCZ0u>(b)*zmGs@_?i2g`+yljhJr)0AStjFGAc3MC4H3+)IkEee4EdlO{@GqH|RGnR|%3zJZ1rS3&$ z3?bB^H3ow_VK+oOcH;4nq*{t>01*z+0-`IT4@5KKb~gN=+kVyN&||VU0CL!k`lgfL zR{$=stZ$*B=qSrJ=j+Gz0HVbf!Fl?cby{9imNk{9;lxM307q78&dFUp)^MOwW0!P8 zS2#MC=Z(9LoteDGO?{Yg>*rY1K3vs%;tqb3fSCK>f0_sd#+fEzZAh}dU6x-g%rf5X zJQ7V`>A@aw`K@mSC4Cr7m;2(f)n?5viFI~z!dK(p2Yly2i z>~S^M4&L(m=jM73nw}XyJt0^eHHzW|g?>!T*vySHL(}?@yHAi*ZD1ki1cnJ)NPxsI z=z18e`-WvAKIpmsK)j6jX(9IE^@CN6HuxiQ4|Rb|<2J`brWw-TNr>P1{`(T${5yy0H9 zf>I}p0&iExBc{9UG^814jA@>IaU%pjr#lBj_gi2vLB@c@$#_`?!Pu`ilhWin7*XMepIv8t;*_O+Rz671uW1H296#Gt2i*b^gPvx z%U+8R>=a}_jwZ#f-TLNXe~}|Z8>17X-{U5eH_6p7uc%K^sIIluFkz>(w`hZN1ZS~) z-Jal%qC-GITF>*xC|O`xN8sXOxacpaFhv9d?O;smZfxokHw*WR*YhD8e+3mG#^ryB z!x6-mfiCU5o1I<#Wevj996VHo7Yg^=_Qr|OzZl8(&zf>nR$ntL$b~V5?dYT9V!ABZ zTgNh9;jWT({mVh@+cLhq0}jL78;JHp%s9KFn6)9DyOH4G+-@q=FLcaEp%&MqYynQs z6Ll4FJKUz$c|AM_oL1=@1CUYLNxdOS*P!oBNDM0cArA8p-_%MPzb~bH{jM%i3OwnN z&=7tus2mO?GyvlITyg8~qD^kE$L5>bH}|=sYn3ae+!tKw9M?yLH&;Q&(LCxM^ zOL!6Be9vr5hPf@MU;?gN$vte$TpS%7EYaMMI5HiEA2iesKGA>llEQhdj|yI8{`R76xr)J@AGT_0x-^-C<(EQOPSCOc>ty^pStoqU{pC(pxy zsO@h@=@lTsNgZ|SrvC1fF9%f5$dBj7nUs;vF?a;>Fh&f)E_Q|UQNZ?y`q}sZn#s4;Yxl?zVb3D?8 zgK2F_M2nvPF&$VSuKc9t_0>3LsJz>@W@h?F=fE_n5EZs)rCCvZ^$BzC)7=WaL4x@p znL|{eS27)sEzJTJbGM9TRk7)$Xi?H#Q_DCLkLkll$TF5iW-D*VM+aQ0Vev9kJQn}m z;v%~BG1a^0VVmpRK2$(I3XtKC;*&37HAuSa?m2gT1d_h{9Z(lf_Dd5}NwSTY__nT@ zu%^BO{`~I4v>LlRBY3xG)Tpw$^fB273=~JTQfJN-dLL0?V_`oyTQHpx=$Uz#~iggH`-*9js=1%p}z)6?V9eg0@=Vl~nn`CW5pK zkGibd->v`!nWuOPPDi{|=Kau08x;1M*u=#n?tr@#TPf7#MNye;_4J-aW#n#akbbUSAYErG+iSO zw{=jEx`pcc;9vNRzsp@j^FK9+Mn++Hr@BJEF00!#I4Q)VY>>bdmZ)a2qDizIIHKgo z>q6*a;7FDsRGzdl5P(}#ocrM$t2ptGB_}A!TTLZ>PY%9}-QL6r6frGUeVO0bAv<8o z4F=#2Ja&7O|Asi*!&ZTRaQA<2U_pH<>?-~aZ!jp`33)Lz)%_9T__a5ohrGZzvW7Rr 
zDFDeKqnJT{B$k0NQWiGOd;5(W-9+RBh;?Q@5y2o@MLuMnr#_Tdm5$g!Ivll5ds}UX zxz=378~_7}f8K`-C$1~;A7m^d`r<^3y0hPtL&y*#jhaDn{A^Pni#C|!H=U(K>pxM# z@1S^=={IT}g2Z=HMAD>T{yHdUXt%^`QI%9R!vHY(mw428>b3}p=vyC+{V$L~RQNZg zbCU=Xa@d}m*^an#dL2ffl2q{gD$?Nlco8Ra<%Q`yWn;G)Ere_xQSyZIWq!O;$=he0 z5%)MuU>C;`eDMbUD#(q<(0}91ardZRfXY0*k$j?}e0{R1e_3p7(z3b~L6gw3 zcgFgM;Hpyo5Eq&|A#Vt!xQ8UHMqe+%Z{uOoM2VFoQ$NVp#AY7>N6+-fG)9y%Hos~y zYkPDK+CcA>A3yxGy~m2KOJT}ym@*uu?Ddn| zwLQpiaGyc}@W7slhdsVZ_IA_R_}V8OTV>q}^9WN;K!z!^!Z^Z|9bqQP+Y~!F_`9Go z{7UIkg>{(??5rRIAzajeXxM4;*(A;;^XUg*qzUdAUbSOX%!J!v*3ILvmd5zx@7NZ4dGgH;BqpjXidcz}(9}ry?58bDQfnROC zXN=OJv=p)HHwkU*CW1}JbPV@Q(tx6A!$Q;OY5uB3t-_C?PG;;A_a zmJIcE;dWaEj^0Luen}0Hw~vHMAGjL8<$EMR$~4x1T%rogsP}p#gNcO{M(C-4P8grO zNG!+B$ki=Rjg_z^XflUNsaz3*wfq54p72fxNG`ooJmSO}iO~#kx+99VQ|kTkegNE( zkWf|!oop?_QD>NpZ3b{5A1#uD>%w{9-dFhNu!u>b$im4f86c7LgD#UYo-BxB)fyRj zpmT$&3~H3Q0BjUNtq-nQrrc*3N+QWZ$|>O23{Q}Fnre}u+TgOoffbclP&zADQ%F{3 z+3Z#dPHIW{0GkEMRF$_kkrqTu83Z{?QYy*bwqKBWP@l`XLKs=OBIu8|=U6`EahzBTo?4tZaK^j&f-Pra zW`#}?+#D)cI+G6W##}9j2liCqdOG~w9nTGEHZ8uaNBZ2$K=Ep=7l6T@%;z$B?BS`o zdG=Y?&7$eUkJK+KA^&t{z9{w0espe7g>$D$%oBXG5bXQHBtw-p&dwT81u;QPqqOcU zhHneh9qwua%P$7H=cyoc?9%D;VbD+^T-D(pTJ|5G&r+|^R0ZUWmMSLH)Ie}}kdjlWez^h%uO?^E+5pu}wR z#LMho_|L0vu3~5DXf3!#rYaZCSft)0H4olN^LAQ~FbzEmk7o zz1j7ksvnPtB#;Ss5 zNTx)-gHxm=M%-0U6$q@DyFZI+IS{1gey6|H4x&tZBOFAOx%I`|eG){{WZ40eCQ&{U zwzd=<+OT_gpTMkdbyI>XIo0lf%TTw2e4~MH(8tScC>MjnCbi(_a~QU$OcAn zi46KIv<;D3Rk(6M9qB_ikaVPFQai;MTvkAxXL5CkKFGbEoS=2-IMNdnc`bOej2uDs zBx$1?XgTRv&SKL&W&9bCqWAgnmde&F2WGTD{#eIY!B)Hi2d?O(Vp)*4r|m-maOL!RyI;3J zK=3VaJef3jY?n8(?OtrjMIj;^URylr?pKm*jd(wel5D(Gg=dNE4KL^=>Z>Fx2Urwu z1Tj`Gd?ik@JxIjp<8U&!$!X!|5+y{2^x$Em#tRpDcy)AdD%MOSzPNDN*{sJP{T~$% zI?2KQw-pw~6$D;axS#^f));@W2@cjP9_hacs2m>tc$Jkae@6Dl<8b(YZHw;(8F5AX zDbk#8a3)Q1J>9m%3$U|YW$i#B9t)UFyN}uJHxKld!u+I5QY6Ch-6Efqzp7se6k3-{ zNOG;_QhPZigWxdpRmH_{$GW`x9``ktEJ)T+vo*LwhSV z)PzlWq2uH(4c{ExYH!~KS!p55?D2C`x=9s7^PLX|@GX?N1*k-9^sHkA0DvGUV^jbP 
z4hsf@!AK~};y@H-19T;7=qYB&G?!r*30Y(uK|o*t00bZqBnSXgXfrAm#Sn(jHCiyR z`s_#*H^cHw^?Pipo($X2WP>*uiWLyidbD2=OhpEr8=GRNQfFjjytQ&rA~t@3dEZeX zh7sUm+}bEf_9qRNWaMTZ``l_2_KJAzhrR@Vjw)Lf*Q7$k7}|RFlIs6EMX-j|lL8nv{|r zB2=&x1e_Z>9(c=utr5LOYDD=?#^B8115vgEWE+{9w0s0bKUt5+#cqB=5&|8Vj1DOC zVbg@zTmu-^6!Ck?#<0Kp$M`9yLhM9rIe!8{NN7nlZ_2?!_%0Fm&pR#kHN(Rm?0I=X z#&FGuV;+V-68SR>e^^sW`9;|3;>zKaO{lpe(m03EeP%A$N=lfvQ(vHl_C84oJmX|R zlkFm`M0NR3Vl&6T5CVP9y3yVS_PLI-`aG@uJ5D_2_lW6@He%?NQ+Y4%>>8zj#1gdN zJmLK}XZ8&_rQ_o~2#b&3Zd$u(ZDEvZN5p^#Sqm^$x)0 z(w{APkry)U@))RYh+bYMuT`&BQ?iHNk5`&9e{ItONq}D-oTLmt#&wHcFDLP5OSUF8KM-&nLF5AG`pGLXIF43ld2%w=Py(s$g$rORilM`AKj>rb-FS$ z+UI0$N2hbR;pwc%lqThgX@3Dx#ObSrqXxmFKb5&ZDM_>D;mA8?AqYK6*Zeiak@(_I z;3>>b``loMQ(4E7$il)K)W?pa0`{A^y2kIweqxkgkG7y(g@(qWgJ#jTl4faECHU0j z4g-Rs(JWO2flZ@e!7Sw&>JBz*nrzT}&QpRg^^p+h9vI6meYor+uy*WpCeeQOGyfLu zHPwSq@vopz+QM^%M9PYS0pb#eU5>Hg*bF3#N0KTpk;6pBZ&gZ2Ce_OYcq;uRu4ItHzs@Us$=Y z{HDq-TSH$VBtPlC@XVg(#>l2f^1ds`fhik`UO{OZ$s=Jx2rQAMKbUB=_jR~ULhM``bJ?-=%rKcM_ZTT{0h$`I zg|_7M6HxP$8%ZKk&MdINN0eg=>AWkBzQ7w+5$52PJk%UYAs(c^0F`^P`W5NVgseAW zjPXsQf1LkFPEoIzyYW=&HA0RAjJsGnhcN7YhKRj2W*axVrx6sm2#JG!XH6U8ofP2# z6dm*g!lOs_Qwtx2h3VmqbbeR^^2AJ7s?7PW>Ua+)Z6yr+bi=RmnX7CBnJ5SZKsf`I zRBQ^DE0LXh*gfA#rBbkn&bk}4OYNReh1FCP1Ws2v$hTJ;@s`}?z}d4a+TdWlipO&N z{yq4xToQs9vyZgFkfF2O@$)b8e22io7juMxT zBKb&^DY^N$)x5JH06+Jul8#H9dBW+g69O{S3K_D(uIUW*SK<%81iVu#@H_-8`i#~V&1zSIU+6dx^x3GS@3T(6lQ=#3Sm%+^*)x_776fKs3^Vv0e z_gvk9ji@#0vf!~ENq7h*plXcVDtyh(^tFAA!+V#+9|SH1;50+`k~|sf%pQjvoH#~d z!(G?)s_OieFv(LVhO;MUq^!;V(xru$C2abarJ~PxF-2t+sN3nG^#&Z_2z=#jg*hP?nLMh#ZOS~gj~R=H(kXi9wGdflTSoUVgy$0MXZyU??DVB(j=g*Dn- z<`3KyO5RJ}LkrWdz}MK^5fu=P!p@9a-dpT*7-v0LpeUnz9^s^u`WMw6@D6CawK>H+ z7(X4D0kL|x$=+1NDY#^#_drH4!s=i|!0dR9C1;q{7rtQMJ08|8dvbIJZlexEV?gg8 z!a3F*?z~)QR*sQC;w@B;>YaXx|L({;s1$^>w7@7<24^AR+)2zeOUm}N>p{t|?7F@0 zp&cXxz!s&5Ttt|97}$daju=yl2q^!I=@8C3s$0_ChZQ5WifmVB5oLsZP_c`0y^7FO8XIZM6TFIKM505-l7xFr&PM|RF3@(6RLF+ zV}Hzd&xYdd0g3%bPjCuCdoL+}%FuU+oYQa0x3$?6gY!_ujVT)RL7mn43Q=k(Mz;uy 
zdXAe#LR5kC(@}Y_`2A&W3(fn1cF~v&i*$W(hKOVv;?1olm>;SlZZn4XTSR2t5em&F z7+5d7M??drNS*bj0NC5sLf4fLr9wv21Z#GNyJTKGj8J>FyQXkHb30QL;EaX45&JhIZ+rVYw$yEijH2foHVhAr7fuA2Q zVlcGbOp}e9nDg(y^d+==syvD{`IE$)6K5^NLkq8o?u_T91YL`fMTyCJ{q;4Cd69U= zmcaDMjLipJ=p8Fi!Foou1jjaoa283}s{g!O(}n)i`h?h^1n5&G)pz#h^*kf z7ipGsCC3WV_8*p zmLM;Bd3pi8ha1Lme^KRZFrQP@wU4|Bg6i2_Sdu$k(oUSe%08V>#cTmB5qJhy_xVL1 zNkTbn^$bv|PyDzpQ29n7^O>Cww89dAoemMlY`Vh!@2J0W=KO-A35l`(5WYqe#85Mu zaA{a>byIq~?6tJfY)4KeA6El>7C5b@C50u%(8x|kOZecK4kV#QwTsWE5X}A&ioTvH z0v-~5C@ZKD&t;zo)pQRpKpY9|YU)xpsgr$7Nevuv2}7o`5&hHz$96g1-iXCj+&rI9 zsxDV3@A?^lBBStzlyi&$IF@Z^l0~XWW7sX^SYELAg`Wr=Q<-DrC^YYk5mdDoLzYv z$MtFPijUmJ)5s-0G7kQ>K`K@~9MqU{YzDU@8c*9~d@jCPRs`kI zMH8Rw{*dzEV|kziI6#00u&>}y>E;W>Qy#i+{VsaO?J?>^mw|Bx(Fef)m_VO)DlU$) zM>Jf*ovr)Wb(3vaq9k_!Xbb7IRRz1Glglqs*hCqQ*Wgwc=nf;Yr%p#7BO_nM za`2)veYz6V{&V2idd8q0H%kQ7_HmzZ6E1U%NRU4Z+`9lB0`tWZ4#5d(4`D#4Y7>X0 ze)2S7!zYW)4(?dDY;J>8lD_1*#xaU)cz;_;)|YBYitD6~F1C5ssOv%dqlD8n{;Z1V zt~GFkj8C(}6$PTdQ9qc&_CW&%JCkt}LG!bysc>$HR#+q4z9DKoGw;`E=yG!gq;exY zFn#knb{n?zkUdoru%C7H$Ku4}Ujtfh@%SYha0DKhd>l~CsOq=6ex)4f{N_*_ra1@L zQZHA@bEdb6W|Y5RW`P&5JSUW%(n-NUiUsGN@))`lHic@QPmcy%C3_UDgMQHp-EDKDx#M9*uwB)6<9jP+wCrQY$ctpyNI|`& zUN5{dzPP-!>}(72IC}muQ84pQREucTlVP)S2PRU4P~Od!?DrGLBy=KIZnrt8P#!>* zf;H}L@qvkF^za{Dc4?=NmVsD!n9Jsgm9fE@jFzxSjKnb?89gy9lHYC+xAsV?sb8mi zgy2Zddx`Pz=hEpF(e^^~ZNoCr$W6O3HyO9mn<%4VUes}Z>Lfqvk~eft$#B|8M%o)h zkz`==qBKg5lzi~Z6<=nT+z}Td4TXwFzCimD3hI3Y4whf9(N@lJmvNFAcp$D6+^kk90X2yy>fUawka*f^SF!@A|pkXqR zPwf(ItjsW-zcRc$c`{EcM=CL|VGCs%E%^g-qx)Wv4p?h@x;gj630UdIq#CDOb!obH zBs|-GKs{&(wU*q`s6iW}I#bWg@mluYt(V71Pb_x284p}x5Sx-iv^&`&vWLgjlnldI zg@6ziu+cNakk3Zb4DI1QR|5k=fi;_cbtMxaS>0Ia!F7mdtASqTkc?obpAO0ciyJ1~ z@1euvXNK8+j}1M~Dxl5t+tkC!h7kBvEukI=BbyQrX4|jT?xC*MHWzK|Q4M*K_BK0y zii}F=9D>d1i91}1IfEFFv`{g{0IK5vrwv&A#U5-G1*HdG)bBO#*CI%D2ZlcW_K1^oDrul=b_D0{6sF5G1rV?wuk9B zBU7XTeH(f)Ybj1ADt>EGMvVV=1WmM?$%yp1>9{uWJ#J$ZCzUYeHQBeW0q`@D1kaEhCt#x6ie#{_&is%5I+g^Ib#2OsiZm^Buza4rGkC%EYQoEWc`6-gI1AJ1XAac&SK3<2?-VF;9) 
zhv$f46{tTLOS<9Q8{7?`6$WuerC~8Q0v~U#NDw(qree&C>&2zHyEc*wS2LfwF^}ec zfw?RU8N-eATZ;PqPy`CZqbO$_K?gh!+#$Px+yE391S6WGxOZ|ucnpMDqo8|k!v;>d z@iz*7VED;qs0X0GxoHp2=c%&_=!`9~FdXhi=Z&>x8BD-PCSQ8{X7sa-3XEK5&nGuv zN+Ey%l9)3rJ=+1uqn+d&*yf{ez!bq?12X@2Y;n~a)V!^J(j5-v1agj~?~CSIVFXGP zHbc*FhfZ_vGiruirnw>6sV=LFdufU1C_~?Bx$wr_FL!H>*Z24Aj+D=Bt|)cf3)|%$ zM&XVVQiUwJ%;6=3gDxvfmqVZyj1QM!-qFFc%ke%TAd)d) zZ_qn%ex>-Fu6&7#b(E70WmD`9TBmp+&Otgc}#FlRq)GCv1x?dH(w=p#DO zgqYpypZ{Q67t@0l=bp@)!o==vz<}!}nlkLnhuM(G*Qn)ZhMj$~vWt+4`lt4on~yzH zjYL}n;l~)Tf$f`n49XpqKceZk6T;@J)nOyroLT6kUo2yqE9F$ zt~D_OX$0(q++tk8mok^Et0mTrK_E`;Ts=sc@(9x{o_2T)-&Z#pn%`h3F zFI&t(#YXb8|HbXgMvS)D0VGY`!w|_d>==}kXbtLQsm(u-FvlgjKynhU1dLe<$QG7= zU^72{Nsp_<;w9ZDX027q7DeZN34da0*=VO5=nisP%u%y7(O1@yhAzrshY&JV9;QClh?tQ#i+C&VKLaKvmr!JU<~^-YTE z0oAsI7E8%vnWlNXxE|~D*e_6yy~AI*?>Iz`cN918TvdF6-h1;I52}5+AJPt4EY@0s zXp{qPGzaSAr^M)pQ+FSd2ACYEU0-;BM^U$M+>iYIfUw`W)rJGJLAN)2!es*jveigR zGf#?vg@_2@B6k-COp#ZKfy!nTWeOq~U3DXKLx&_|068BDYMVdG5w(tbasA_4CyCRz z{F;BGS3%E_-)OGg{v1INAd5LF`Taq3W`hstGWOz$t}SGP3MJ z8w1Be^f4>cfM|MIQ8G`0!WE{@XU%|IC|)8M&v{)ni#4z^B|LKuays;N%2m=DMXgr^MMP?VF^XD<_@HD})<{(G!%s~c38?6X%Oq=qzyPdHc1MAX? 
zZ#`mJXIjCG*!)T$%sKBa;W(}VY7Pp7oV^`3zPZHN6$`FH16d|5ih;6+Q|<_ywD zCHwmVchG3K0h8uT6r=_I+Gi0+?IZRdA+9eG;=`M)GoKgX6glS`#e$nr(itrG0r>{* znRQJ?!xWf8$?*_#fq+v|)z^_#1*bBro7-4&Fb|=l)gT$0)%vH?d0|W~Rt#kR)TW;_ z#)cexI)Mq2R4b-#YH{{u-A;?P=y_^nD=VIq&7RLR|ChPDi5SSxKb?2t!o(X>r$FMnM`Vc!Px;!-^iHOII#$}2rRxd1f#4h-svtA1iav#vF}-_eIU$1w**p#xN<_EZjMj{(}(x3+CIt}_Ok*^=!6%XT2~v=ZB7&e= z1+DXt^Q* zVaQ(zLFxLhyrXPIZ2k#yc;qIG&ecHZ-9?g>Xw`)_kPni@+>tVmZUk(oIu#i$F zlL`bDKuk3>Mv`X;9e~_(*X;!Lm)^x;Lc#5s2J_r!mu)p~9#?Q8j@>dmcIMCT@S6{} z|A-pqwS~VS-VN^&QXXwLR1&EWDNpi#JK?ZVQpWJlT(dXosmxI5^-_K){F}lSbFFyS zQQ;x#<9)l;jKgkPGb^go0UE}bT6TA~qRWU(ZEaK3EN5}F@xn63QqYe!hPDzqdT{#i zzI4Pon3o?Xs{3h6C z^~S*t{seEX&$}gBdGhSqP7zy@B7rG{f(-n)lHuZA)$LV_X2xK0(Wp+)jdOY+!60~d zPtu=)^p=yEFmICa&csaJ37J9uG}?D`s5uo9kssIJ0OylKJ{!Y{A*$8$r)=e16_(e( zNPU968*tuL$zcqAk^O%Q(8+=7S4#|%XVk_l@GZ}AZn0tHj11QV4tTJe>!Rhkgcq9a zBIsmC23SNHs~CvDA98Xuv?F28UW`=(PaN`j&In4E z0aFb0Qot(Pbx??On#h(3$a*X(&D0ymUEho>hK&a3FW*M7hAvj6>GrK2XITxbu{R_q zXfq?Eq?7iMOa>yF>2DVqniyRs2#l6p)y2E z=%d7R`WpT{jgcy94O&(3B}bsl8gBqm#F|wTkvl7FJmxYx8*Juck(Habw1lw1S>|6R z#yCqUJ!AfO%2mMlTv(*xH{{M1$rC>iFgCQ$E>;$#5L4jPrtd((hAhuWMM-PZ4I1x( z#$#21)EMs$3mE?7ba_(HgRPkwzw5=#=GE(x!}id5X|fL68ul`EKTq>bzB_%yk}n9z zPq|ds1ODqaoVyq@lr^@H9Rl8knq=Kq z4O$bX%RFf(Bza@x9=K%_h zM8HGJI-V}P&g^k%!wK1!73J5^bZKs>XyT&;Yi4d_4oespm8;%RY`h-HQ}}daWptmd zdoIKp3kI||!q!!c`KlK3r0bN(%wt0AFLqT}%<{~4O!LbRX68$Ri%%obyoaLpLT3Ra znSySAIZLilCD63 zWX0I1>1!C=?k?mB+Lp?gf=`1j$#Lau_xY|e=a2>{i>SrmZwWK!>B_Y3W}@&C!7Nn^ z@KP5#gU^0$yVbhJInZ1XG<$q(_Dk2LTVI!3xUn;$gu@3OFrM@CHDD0n(5eED@f!R&dVrASo#mS$5+y$jMhNL<%mp%PB*phK}*c(#O{b^Dt}7~WY;OCaJLaKv^^ z(8MFE0cnU##HL&0M{yO_^VP6rs_Xa*(`E9QgjIfKMWud!PfDWE{i{n~f1)IC&GWr( zldO1&)qSP9AwqoEN<35conU_LFmIz6!teqTB7=AfrGq*Y+cwlGVHmFQeIAM^gwd|>dryNSY$OF$#W)7 zG`_F$bK{}9cfcP>RpX~?D<{Y$`OyKSgXk&Th4dZ=p>31wWUImiAE|}MZbKmiqtDG3 z+6UVrH)0l2^xoRALW{oWNf7MP=EdQOabi+E2UR9B9eUb0)08Hg3<~R>T&2c=oNzNy zV?fyOc{UZt$K!)WYhe+FhRt3~ZnXOgXp5bpkE)xHpn072(V!R2BtKiy?VmMJ&N%lM 
zcb|A4XXk(LHb(GAb}l8ud9_~<;kKObT@I9eSecyetRqx!Tsu<&+J*r-3)HI8rjSygPlPY>PHfo@LlWd*J$@J(*w7rbtfck)xk$D zvkN#d!IZ;HE7$XJ9^z^ghJYGS^YVlUmjFXRyuTB6n8R!< z6&L^=^TK_A1VN`+^x1UoEZk!)Ce9-mhhaoK$OV0|Y7B&@29h=~z3KZPp0b8JrX>5% zWp1k^@lhg~z4YB!%}e0({S&`& z8f#b(SS9JaVGeCR*GD~Ul#IdArI-paOw5`(r$;e*c&Z=ab#`}>^I?#%56JubMr-%C zq7f)k{Y092O7`?k10Y~bYnKI;c5-GWr5i`XWU(7lU=4`$A6-+l1*%g#iu;x_fSVRf zM%>;Yo*N*EJoPjYgmLgBD+rKY1d^a#bUjjmZU-+Giz*`dC}3%f z#i<&w;WF~&UIcXs9z$p!8bCx86stVRu^~g=*ZRiuN%TWp3r%H~O6rsBeP4OJh z41rVa2tG&lcs5`rxXRX2xv_zq$^ zMMEB*ytl^DuAb=io=Q^6XO?tB24vHhn3SXS#jcW^IU8v*CKK~y z?4i$fCUwKX4q}7dJ3Y50T z13&aN=4NEm%~;uHC2NDpO0TO?#NsVS}!A*iipK}@@ z=0vL!EnV!ND{ko~9aCAxJ&cpbCyyy^zw`)4F>TIGa1(FLt<1~~2`BT1G80zBF>Xu| zLV#}XOV4cgifm8;PL$Q`ca%kt+*-VhT{cuxnbqUl95W>VtY$1unP&g(VRvP(B#0pb zQMFVj zv{WKPq&&FOF5D0=41IROAifB)h=yqUKuqUI6du@lI)>?)Fiy*DC)LF4RT)v9-lRaK z|HtdH!8J$$^)e2FV73P?c+N&l8A`MODkGj6FvR6d>}j8}&NMbZrCD!fbZ)xzh8u<( zGbLT8lf~i8l~2zW5YI75S4%kj^4h;de;#*7W{S(i5t|Q3=rf!-`L>@zoTH?$b2fa{ z?1$t6U&F%Yu2i;o@bbYpUxWyP1wcT><}v_;`~kQ-zA?2i5+3aT4UBg~6~!0T93t_a z;vcYRKy&XEr&t%<@s;{v85J;r4maXL;p1S+bbB-zxKl09(8@am3NtiK!2z6-=3gJz z*S5LKTb3}Ezxm{W_BvowLA`p7tK#vXAW%nF3(!q=y&8y6_q2(z#BVi>d-SPRCuzwX z+J_1t9IQYGJN9+9MHZd6dYZ8O$32%VKRi=!p)2gLhwE(mqN}qGRZ7BWpwaMv-Ue+{`*fG zY7uXB@ZuxTKsCD}-j=mdt@hZJV>NM}y9uARP<5rbb&HBVjnBKDu(yHA_88ZOW@^H6 zgP~}=lW_ep9-1!bln>Uu%~p+yx-tGxVD1C#=L5B$Wa$a*4)NEUNp%RW0f)>QT{~B9 z6VqOa?@=GYvFKZ9LLgEqi3V(+-fSINkNrsaj`@X5I4OMJ%ANMn$um2xk#00#?J9HKY1 zn#7~|Q-htJK!v4K+5)u4`I9VhpBILMze|#f&}z;donUIJA{;77qi(RQyNL{V$w)f9 zq;@)M!U6HJ?I!9^*Et!y0q+>|FPaU2&cK{Go&!*M1ENa;2Q=BuQvlQ^m4}ctPvGas zn|wN3>OiDUd;cY^c#vT2{I(qWH{iL}?Tws1)iCCn zr%apY@TuR=!Q#oj-L$7&bf1SS2(gofY^W=!6L`PV+f6v}GhSRinBtDWN0KyicRVX> z-E1Lr1e9?zT9gP94e^P@I$5~^L`77MpM$V?(3F%8B!H!V{=#BHLCsC*2le@ZmKD@A z5E&H_pIHPHd+UW7#1;nk3D#=^-()|q8J#%ZEkU;R1t>{ zk5_gL<`$Ts(cnQ2hx1y{>IlQ)4K@4}%F7H>aO3_(AP|{dLipUViYAk3no{|uo!NN4 zEoHN(`(dtl?>#fV2F1=mxGfir&VAITJ{egT+1C(ux?yLe|A^^U9e>352vf@QZ~!joY1fVVyNUkAbR)jOwC}i# zmeebfCYaF6G1DEYy#s 
z;$jscy%loikymNTSe>gvnWsz$M*o(cb@saRl1>vQ@T{vggSuo2u=p6xfd}%C$_8Gv zuR=gXv>Q{ER0)tufl)coevLt_9y$bT@EJ1AFn>(kE-o!dKvWAx%!1BEr<#z;&eX= zY&l*)m+lYXoZng13+L_To@b0^P!q;ehWL)!U$$T*4~E7@D;Kn_QIG2O5Jz4}G`O-g z&t@v;a7%mxWss$1TzPBSCaIVLB(lS(AV%(J|GYIShRF#GEdIz&0wq(NLq^Zo2~I06 ztZaMO#?&;LCKNxKpa}kjO)|sY?`d+fMQ$A-P5J~Zl(~A)<3chZ};FZB%WR zt$#rk%D)upslBYEvve07DVUf6+eW1>ZNP3anFJO?;${Z2p>F_?JGp2--F_972!{Tj zkxIbc(DN7k`dmQxI>K#g@mNe*&irNh_p-nxEwUC>rED7QZzw#DC#Z9ALn;WlTR_n- zSSAU;<%YS6@v?uD*&Bc%q`sJyTZC+N|DssvJC$rYEYrC(C_|0GDtYQ)OC1_@;yj1U zVQNCn$ZIJyxZ_1WJ~r1^hS2Z4FjtsTqgnd$E_Fsa`N%drfk-+m%_cBwwB!O}S(TG=G2-Vrdz&JQ>@C2g98 z%&s&I02|=;Hix+?$FtYJ#K=r#BKKyNtmGWhs$gQrHkxo1M1O2i_}N~GjrK(HHH7c{ zZ%7?U#~92vrzq>Y@x2Jy%M5vF19D1<3lg<6@0qH_{{>JKMst$*#V@7Fq6%6N1!HqD z7r9i~)E#ydw^{VPo8Y@K4Ab1=uj z9j~x-9kdhIZ<6RTK9&=zC|Z@C-_rPTpz>NBLw29ezyuf~SQ6sID3`7m%*8E;QRhCj zBM>*J0tMb8(cf;-{(C~qdGc@0GpDvj^1CdOA-gtVz36e^>@U^EZ z3CmvNf{Eu)=Wd{n5=11smP89$J@s0VllCtMRn?+TK+vtaVc! zX4|(!+@_wNLbFVej5oUarFOo7zKQnP*FE^92+Bbza|ql$!i?5p-0YMH7ATw^#z!Lg=?lm(PK!#h*uW?+cRd1mjmh5!QGFw_zI=_)Dr z3%x%PZ3K}I>G_421DcZal4^!cx}qzHS4lX&k|2mSaFCLq|I+sTulgl^ibPOIJa62<6INt}E@Q)M1h>=d$Z$H%>nC#J}5S(LdNzFE47bus!*{ z!UOLS*B0|wJg6G`M-3qA?u@LVo>nK{>EFR98!XEx@#6Rdv6)fip5k|i7pK-^4W(mv zG<7gZ21vmU6<>)o=TV%CqW<+GjinINGEJ-5V9JgX;3}K+dh_xrPLJ&WtM?~J@Ch?s&>Tof`26V??Ma)(&PmTs|7GQI* zr0ltJ4WXM`W;mcq846>0^-d=?8R#;{B>Rp4u7T@G^KYH%g6WAtAb?wn%U)zY)8y7PGX$QB_adk+^n? 
zjBF1cUtJG8g)Hc)!2~*gm_Tl|Z07-zGUphiK5(3l?6t``et)3w&y(b^j@Z2w4_7k2 z%TVe{>7lLJM~c&7T%0b^P8*HsOo_Jq$?wnK*HsP>$)I@Eg;sg-R5o`l63bSt2t9o% zhKZWyM8Cg|s9FNv8D1KS>%Vc>$ofpdCh2vmpV14*2nKYDi!!ePZX(R-n&X6dzsOCS z&EQ|P8}-vRDF|jvMr>Vj*=ZLzNMzA_sO*;yAyHzT&k9tL{o5j_r!;n!ABZpwZ40?9 z$YocFZGv)kiI0Bh=j?!7+jY@diM{M~*?|DRoXBV|Ku^-?had0qyCX>z>JgNx~!r1|{!yp&`7uMD;{jW2w_PAh*exkMWm~BZU^l=u= zjD@sPSO=T2jevM&e*zwU%=4X4*%i7`Km2Kun=#Y~pGSX@mbPmW%!ByU+2+hltf*ut zFt`MBc1OO=i_xH*$u>*8*R@+V*R2-p`O-t^z056uEcIPNE~4(8W^*shINmUN#r21* zWDHtRk8d0wIrl!}#|F57AKD9`U-EYeb~4iQ3a;nm_euPB2g+I!CK{eF!swkPW=lUN z*+)-$YAx4&7{SMizwuO$jqRpCuSWrjd6=4TuKwbu0tAdjatt`~ z(uFbtie!qqQIV|s#pt79X#AWQC+_%xgpF`S%y&bPBEtx`Zr3?^83@s$c@_cI3%4uWAbQqmenhN#RF6ns4hZU!dKen&P1@MCJA?Nia|K6m4i={fWwn=lL#aL&z{ z-^EtI!s6? zumR-m8{KxM%$lRIZ4LMPymXY38GsWwcRCRUNJGRPI+-F4TMF$+^E@DHEzx5zHuun@ z^T&GfSFM;?m7V$pkZNki$X;XwmE;tQlmhZE>7I0cYF3GwZxl5TLhjj?Ou=99P*8LM zF{qz5n~<_8$kV-go-ZEH#K`ldK)Ns?|BpQ*Ce9+z8Akb)AXpGw5RWb$pTD=lFA>y% zqZU|{4M7c+(Q3O8_&FgU!gYipU~erH0AM~4UzCqUly)Zg=iz5)ZuW~akRuK%vl#x% z#R=Oe@^@%J!P?!LEB?&bJp_uAZ@}G|T$CIp694r-{E2%(dYRDxU8MPGhB7Ag9o4Oh zB?pI!|Je!MHgxV*wnK;XiM)pP!z9KY{E34Hv~y|ybrA-LHgAf(9)5Bg97UMhJ5;31 zmE9kpfX99w*EhiKYJz}TLYX0n4l^T(3tqew5Oh}q4noK6hR2LumerA6+4$aNx9hmH zl|L^`8fV97%}@fh>~>Otz`0_-Dt9;#)%nArKC~Z|L}X^qD_3}iN@tCb9+EVTF?x%D z;{g%*6P&;3xI8St{G{)`vNkN{c)ZmDO$n~%j)q6pt9>9;sSbnuAbE0Xq&uX${(u(e z3+!7?EfNo_qkaT$>YvE3m}0+|qGxi12B)fLqwGa^*iuhCUEEBUuKGN!7`njN@QT|} z&w&J&>BM*xts_PBw^HB6~nKasuI5w!Yohx%dlU&`2) z0mQOGk7&S0$!xiXqBPzvf=P5dA&S{47TtEK1;;LTLpD4{ta<$4$-%IYB7G45@b#Av zO2T5nMA+K_A2NJC*Rd)_(cHdZLAqDFSILj6wHo{kqyTc4>En07-q(Ud2gmJ@()de70_a$!A zfQBlWC2xm$5@Cn%zyv&$hJYMo`=NkzPeX&2Vb{J7vBvM_Tj*ubIS6u*)dd*N46DTP^; z7@h(p6w#;(*DWtZJxWAbythISBs-StF~bb_dOkfxl5xa{%fPH*0>{s(p!NACU3b|e z2Ruaq7G-$4wA15v73@i_!`wK+km<3S@|Kp6x#vW$*O$V~2p3D!Fr!pO77T^g@Uswr zEr_P;cR^?Pyh$r;Oe9R=TCf_)RuWWj-|>(jNAu?1h2C;8YOCdt|C_h!1i{Z6B(K zhOxUy+uD$0naj>vXG7())Bh}bw4Em2$7R@6B$z$l+ZA5U*QVSvZiuPi?9p3^3ul%5?2+$>^ow=4-z!v^$T>Px5|4ILpIB< 
z&rmwc^Rs`EE4D#`Ct!c~02qd(Qo3Fp>!*MvluQBs{D)i!gViKmBE#lMvsTu+AIc<(q#T^<3eMdOFbCjB;VJuXKRSjpTF{~cPj45QThWiNIrHM(}td0*m zV0v;9KiEEowDFA&autq+_AdpmS#l?VDiw4oIN{T`7cO*oir3Bt2bPlAaOc#G>Cr8- z4&t%m+vn*e=c8&+ic4^m9l>^X3zM9zj3+@T*+@i<_#z+h>bo%lSDcX6Xp@b`hE zxh8c7oDIe52^_ZKg9#JhXdjOkaoZ;L7i2&L72(!pOGIDp zH%8I8msnz`$a0iJf4u?CPkE{w4&?yDvF0+D(e*a;_bvGISDv#Yqs#Oih&J_~uwpv| zV(y_E_(2I(YiPOug<^gm7xK0sQVniF{kb?GJIix+v`aAqff|F#oFiBEl7rpEpWbgK z69D`0ET(B&a__AJDudIu^dTX&Hj3lzn^i`nck${Z!Jm{oVCWJl7@>?=e609Nn@g_v^B0n^jZPSZ}n4IVq%_>;%Ix==SJ}y}znI|sn zxS{|Gks{ZbjLeY4B1W4XN^{pXaHVZb-9*whb7;U+=Sw^re~z6#=4k~slP;;V@_!*# z@GY7*JACp@gY@Hu^_gC<`+sT^8GykQrR0*mx*5ITl~l|118JrQVclEn-cPHK{aKTK zI$aLFoZt9+cz-wm_C8`R{joRuk6%G7c@$0D+hTGwNaZ)SOFtFz!nuRvh?{KX_~RJi zkd1LVn+txN6G+@JRBgQc_BcQn7GBwPF&}x&L4z!j@3^|{o_W&sVP_}F_*7<>-c}GJ zn2tPMWCT4S5F;@nQRG6PC%;v zzMnN9OSl6x+MC@W)~`2()?b1pYO-~lq*bwEUnGzts*xs?naX7KY+bd8l$sna?A^{G z_AC$Hp@`$G{K}8cdh%BH47XBGvy-CV?Lp+o;C!H5G&bFxfg9~Hyf`S1DzHycOZr{6QuR!zZr;-X4dOmi#o*ac^^XUjxu z)0!c)Q*c0x>oNx%^5%97N7+Q32xB5~fW0a6XzdWz@aNYmc_EL`eLQ3ZWl)Eh*i*s8 zWTfLb>>Zc9x(h=vCJkl~Xx|A`C;QAJ2G~1GM%p+#7OrO(^ScT*$5MLA@iGEIvxA25P0CSa9lG3)R|&Dv2nsSB!qH{zYz|C{u`?{?Cvya_Qg(-ydk z&rVQ{WQC%d-Q?mEWKIGuYGs-on!Dl=%q3VHM9tGgxGXs{{_%hrv4n%t@@grVTZLS( zF7ZaBpEVn{t9gBjDf@Vkof)e6Cl_KLCa)I|d+%k~7XB2eOXhVU+L`dg_2FG>TS>P8 zse%|ROTStL(~e13(1?=yfH1`Rq||-AzL0|;$IsaH(t5HYwA4OB`EEiKPykm&WfR6ScAZE6?8*v4~rky?~{ ze_1wc{HRpQe!{?#V)a+YP!GxbDimBGfs+_nIg&q4wr$s*BJSj9u*+O>6@b|_%^Uzo z6d6wQ-W5iH8mx@EPZosCVS)Odb)+VDLl5BOBi{84ymo9a=vA&6M-6Ib>~rOP&fJky z4NITj)0_caHB`+)gKog`Kg0M#KjjFeU&Z$w{+TADwTy{wq75p(&1GlB*a8bW0hWxr zNoW`rA_R;wdf-<4uk}hX+d6iooik!&q+#2*ugrgNKS6c-072>v&cKDO5?HnzJ_|A% z_~b2EQy#?8W>+|(`eIhC1zsOZLKpj|+WI&c7JHXqKw@2ofvM$>VmNVy#l5{{eRGcJ z6n%CxS`(xk;^48!%K;0GICqSG6y}WgP_8bGOnh(iLllg#8nT(>7%SE3-9c+8B)6|a zS3p{fzU>^zra3^0vI4h!tNIjZ{rgd{dRLPiIGHI3c&{hFkW$n%*P>;$i>JN!%SY?U zh6RuvWt^2XVJ5AzTRhuHsu_r}iiDtstksqJJo>Gbz$q7&zB5D=`~rhh#^3k|>?hfn z6WQIMb+=^now@0hrt_H_XS+4H%uE|_&rZv5^Nd65!+0}kYC3W9z$cOf+QKpBfN8i# 
zXX1V#r_%Y?gMK8%)_b62rtlBnD&w+IL1&?9FL9-G?3*Z^L`Y%4T<8QlDuJ2jR3mde zfOt{}KtXAAW&yK^u1R3&CB-<%IeG`64>1q5rl-V6ra@D8HiZl~+{ew#?IjtMlKT*cw|{XmV3vPz+gi|M&!x2JvJ4_bq=`TK!} z;m1^&x-%FlhAFX5w~wUwQO*`Wpg;3CaIF5$No=R%bAcJ}QTm-Mq*y$9V)YxrT*h#v z&lxESXWO*JiB-|7(gubHApSpoGsg{`o>g~&A6v0uaM?TzKqI_unxrV=?tac>=vy(q z()|^3@#|;SeFNjLs319jmQsx%SAGZYC39;wm`o$X;W~z{I=vqAi`cuo?ZwLHS=#%eR zNF2;@D*DRgm}3-?ri|0{w{K&W?L)x$aGaIlAlneJ#qNwoTqMXNBSRprkh;~lAxQ6o z88`^+;{&dZ*GSWM@XSC63~R8OQ`+X7Nt`Y;Rww9mhCFTG+>z#sW;gq)s6b*wA%F9{ zG60EP?eGo=0{$jQLr8#5cqfKAgG@2ue`1g z(Q;JO-wlf5$7kvP?ZpY2&YfFlHQ8n!WJElp{X;fi|&AwVP@4(4O-kBX&>K zK0j``hRW-yfO!#_QsaXGz^1!Yki(kx_ZJDOD|}(7UxrDJ0=T$fR|ji`HK2pca{6AI z2P`Ec*Ne)9YKKJkj}H#OOCT?}t7^)Cjmqw0e}gwNQ{+%;HB-vTj{B4S%)7>=J;`6| zrsH6PbWD&oM_I+8OBeVtU{iZds?vD|S#7JOtqe9}twN}37Qu6RFd(}y&Umr!r=nV;n&gFjWJerrgN%2mIk+aNH<*K+Og|WgTp78(c;_6DJ9B z;vIn{%0scBU*DV2mg*fDcbZ@Zgmk>QocT8Q*wEXDGei-lMRjldR1kVGO9NwMJ}Jk$`*o zpmS)Bcb=A4N!>>4v|Fd?6H2P-35m6yc)Tv7Z9vkc6|xb_l;+E(6H)j84Ub|c5S+uh z3Fd!EVs<-4iuSp1Ky&PF12w}$7^ATv1&N7kIH{f01lQkpSZ86C~5*_lK>LV(Rjog8Ccd`^qiC$nrV<%_7F>|tdFalo6o z=#W5cKY2sB=a-KLW5iFoa(+XOr)BQ*u;vrN_=}3?Pr%X9XFfy4>$UXZm75C;0u`js zPG4AE)%DPN=YzJDi2Nt-?sYetI?!1eZuzMrYj9Oe{1 zg&kG?98~^aW59-6p4Ft6b`@3!H;!*-gZI#v#CVCX84~Faw3%_}RE`AufBl?$rI`kw zV_uS|nld{-p3AK<&YplcX+iZsO}h!0|d9b#7|rVxd4>FWzE66+Vpq$ubo z^g+mD)5%Ze;f@iW730GwF?nsYnBjGh5je!a1(oLqJ#*8@YgrJTb<~(Tq>&&{4~JND zvY1>%4FQXH3cw*HB4lP%Uqoc?aV#CCOO^)AQ{xLWLEkU`HEVXWBy)zwv_#WTaCH-8 zh}aRJw~9RYc%`A{?L~U)6f_a^;nKlYCFnRJl%-fpY(2qQUb*kXt=#_enA8q)sudMV zkM$lLLbLu#UCAKQ$v-ICgNGW=`BK+p3WAJTBGGuv`7xaRYLxyDlZuV&aaH%Ef zQT3}8@*3EuEOfBfKzLqdeT@^eP!cnkLF`GN7+~=K?%k zFYx1)@mW+|awS!k0p?ePx)w7Wgu6nIEI|o_y3ppKij|=4#OmND`=~?_Da51+qlyZ^ zIU^U-0+P#C*4n=?n8mat13=8#6FB?opvj~|b_ac=Jvg5;=YwHQB2Z^P2#B*9 z7J)HD#`)l9rCz4@@T8qa(&X{_MZHmJCnF{??}%hPFt@QmF9N15bsLa16)h#{Qm9Nz zpf9SYoB#h3V?PuW5j9u%N=ppDnqO0z-|!`ec@$5hUovZQH)CHAXD}3-wMw`;ALCsj zqpzF>LG2rU=_VS-3s@Yz0+JkXxeWv6|IJwS767vCfuI|)%&c)9o~8zJRNkf7a4O`j 
zKs*Orn@GDi>|6H=kVw{yVG)`XZ`@x%r~Pby+p8JJe2wZ!Gx5R>=Gtfre-@j zJ8`0;5>5i{`Y@iUqu~2=3$}Ncv?6nWhb%4oY|3#{n};YbD?&r%+?zM99$N~ayZ6fg zYjn1#Qc%4kyvvo8%skEs7Hf|OSeHE)FTCjQ#9uQqpLWjtc>rnQYXXfnLJ0qvz?rxT zshKfh{R6ER?(44L2*qLf{71I8ZZ00zo&?*x(>RzMA}mZu$M;1Ygs#N%!D#ikwOu?T z&9IGK-;kT^#4*RYOk1bS@&VA?$RN4`+uY^}J?4QL^n;5`>l}`0&?B2SruFtd;;|w9 zIR=R_yF-l)G9+36vzmf{JtFhZwC+?|K&3W4yLd@kAT&}RwlxV8Hn4!lF$XwgC>pu>_5V)loV0+g!=S>|)m7RGDm`Q09uyago}fnTK|kHiD(-loUiK*X<8c0~R~hEzNsU_K+U7ZDUCbL=;87!H|(U58kIR>JjP3e9!v` zp_+vjL~iaEX0M8U7R(6M)3_0 z$XG*^?0H668(QpV`St@p$!CDO0Id#!5V=5&^1>eVIzD*%Z}k3sMRpfFZ5{0){S-Zq zyK3)Yt{_y%#@-OU2~+d>XjGTvF0@e~6Gg4p&LLb(wz(`ufUUmd98HTS9zMDf$$jVu zgBsI1cj9|!mwQ=FY}{{hGt9froJ0c-53#j2&eLj3@Y{F5PqZe`4VsOt0nh+Nd^jS4b^}CnezhFPl2^z*?7Ov1{FtgvXVlBZ-c6};SVuL z4M-DNtYDc6GOSx{2=?R{W$i&B<`;kRs%7xMuc|i|lC%NR;cMr5dP4u*b?25W zH-B3O)x$aM-s!X(!q7Y9D3frhO;vg=C^Q(4Yi~;} zseJ8_3h2?x3++(y&-O#-2n)eF$ZG)6OUb=LI|IXwn^U>~338ZMsqm7X}2 zjg*W*a159RGyFH%OXUv(b+d|ja4*3W1GPr?bF%m}$Jk&|MN4e{bfMh<&MY78lEJJG zgvF^xdoIp)*YstzX*}IC{afc-t;*r6N5G4CjUTqwFC6?hkUzhOqr$R}G;PREV`>yL z>b|o9<*XqeZ^O(DfUVntF=4YqZ(xvyQ_-DwFg-S3gIaX%*0Od8;>Mp={%+?v;p^+# zdlropz|NOCA-rA4h#eqB>0nD23*MH6K~=c?OO9kI(UU|T(7cb~jt6>ygOZ@iHJ|5$ zdPgi?DJz7*4)R*<;oygf@Wf$?j~g1p#Wt#Gq9x6T2IIQ@H@=Q$g5||bxFtCJN24~~ z)i^O~ZtElYA=#M1CWDPB>jT#(rDmG6>iy1^*24JRd3LLF@Bq5&r}_ju##5rcJRDh% z-=nC2K)Aa)03t`M)^BX7BG|y-`dPzVidt@nL_u`QX`78+?Y_1ZlJ;kYf`)T@rueOS(JhfjUwNdoM+6iS0wct2RTpM9QlYU-XMZzFzQopKBcG8YY z=;cTjJ}`W<*Q~ZWiUTk!1pB9oeP-;~FybYD)mp0tHIE*;Xoriek>&wP(zyu@t{^b%+gZm4oYN*V^m!AO4&@F`Ey($N7gozy*2;) z^TarIr}m}hpMDMk%7o2-mQ_cc?U`t%$n88{7de-4kqf{e3JApX!e@MpKA>6*D049yR|Wi+0X;pmcO*Cc&Q(tyxGE*(#8W^Ob{#EgR>lL9_h9OtEqDz;y17fl zjOF3u1;SoybW>jVUX5&12mi%JU=YCuFlpAl!3ivr_8NMAw2Gj|-A>+!s~T`O#T*KF zr9>RKugJj@aS8@0(mOAUfp;72biUHS9$f^`JmLSRpwo0mxJJjN8piHuBl|1vwNUl{ z&um50Q`zIlD5~!~rjI!KH{os913Wet%@D9>zTZXZx> zke0up>EVBtKD5urgTq619U{gMeot$|)^ti0AO72yO~`Z9j5pu42)YB2=7;>n&?rg5 zg*yfa!J)%^z9}v>vy%$3Gutkn=a^8 
zvHd`q0Z%-2Qq2`7kq_)Kl(;^mhwPy-`4mdRFqukG<8I=)0ryyJH!#NpQ5dSSHXPs4fdzq_dM1s-vDHGseA@2>&m(y^K{S|Y!7JTRMaw~fAm%I2zLH}m zFT2D?!^peGVqb_)wDtpkYjtD;&3k?1=LdxB;V;?+2O9jY0O9t@m1w^_neskz7q0Kh z4ZmWsF$xH=r>m(?`#;n;f|rE#rDnS4&fv}yX`8YmAW3N29@i3S0;Vx|WWXX(opozk z>$d>&pB>kR%+uRq`7yO^v>qssG5qcyNt zM+Q##0r@0QXkGJCSRR$pOFtJ+HZPJE_j@@G6q-Ws8_)X$tItuFUsG{kEnei0_ZelI&x?%S`jEF2RLE_Lbx;lK~!Ed-FQbY zI9)(D%<(GuS@S6T3moX{8G1tP`%KUszYwvzb2^k!SLEDh98Fmd18G&=(PKGJmXFxi zx3jiPFUH4dbIK}jk>*=ay481xoV008ETbM8;!h5YqM^*2AQ&Owp;J7vyf+PXI5RBo zc;b5iDWerNy|E$#$x24t5a#0fFz1a5IxuV8WA2O!4(Lse^|=ouJvL+TKwoAFaX_m} zp^s9wi}#^M%z#E#VsK$s$OvGsT-WHy+Rx)Nx1nX=L$a-OFu>+LgVPxgINp(Ro#X)o zXa>#VMc+}u6K0G8zOPB{v+Q!+u8gBZ70ugcXRoi3v!n||qLhE)lxRO6<{=ZT-}oSc zvQe9RYd8H59P6LHNm#_5dmnB{rPP^to!jrY<+zy2_@SC^-a#%3@@i4JzH_hnXuo^N zUyx=-J&A494xhcTGDNP}|Mq6AHQYMqRHjSilVkm#9P%^RZS{@Oj20B~n^UyA!^tWI zCeFOO+a@|@#CGhVmbI$-%E4APFkb^4JEtUiv&Zx8&?;RBAfzE~P0E2On08Zl=Afn3 zk|#Jam7}y9ijy7Hh50n=HW^0{fnuOL3oGOZroFI9tpPUcB&6?uxoKO88C!Zg`;C_p zABhvUgMdFSZ1#ph5I6AhF%&JRE#d{Cav}js|CBt_-fy@W&f1v?^$l@ZhF1tV6s(4h z4%~~Sv}UnY_D-;AUzj{QNwqywxnI9<&7XHtOIA`;S@4BLn59qqvcE zG1$Cc+Ncse>o1mJQ-+?Y(OMXsNYsPhrIG5H;Ft+xm}_DdPP@eJp(S%nN&-wz=PvbW zK$}x77j1s*7*9dwW4hIuJz882F;-WK%PCXl4M0 zGl-{*zvDcovr89ourqP45y`1~-dR=BAVXB+h3lQSS6VHI@APJ)+Yr>^g)k7BYXSAM zVkC$7lApptV8JZsZw()UQ^YxU$Y}IeB5UmtKOBn1zb|TYCMdZ9PxvQ~6Jdj>PR-g} z$9FvB%OeK-kSml_(gAE}*8Vb3B=_;!XuTr>Ya`<4ozDzo)FW!!P+{&a&QHYk397$p>Db^FFnh+rM^;`}d39uK-9T!XeB`sV_>OGY7gm zL(pYV5ly=IR32W|L07|d`cQjba$tv53_a7Tq2OpR)0+~|HA!1dI4S)X1J5qTMv#X@ zro{gie-If!3LpiGdA!Dw{Yo1bZ(eZgWZ028jwCIN`rb0jPPc_~fkz5lwv(kn>$wOZ z>e+HM-q&{5K!=*83avGB6adWEpnw>@I;HAX3@No}CVCkuQ+J6+*9cMi;RTt%GDRB= zkoqf~(aVyLXSDuWAC@gW7B=#Ea6L#f|0$PTDK^~jiTr17SN?eOA>viqK&dvhfiQ7G zqP;+{)Xhyd@hg^!q>u)Aifa&gPZ3Yp*`odpZhZqlk9Mv~u@$%9Q|nn|ZHfDJ1#@@wp2 zY|m^YtuoHS3nOOZJ_{7wF)DcC$JmDKZRLL$Ny5vV%k&^@Ri1i>NZhsIH_13RdsF7Z zm|u(%j*D5MuErRZLeZ->MI!Xx2^;h=c*xXiy4;e?aKC9nQao@8Y(upHu?1p3a*rBn 
ztkFZK%HdC+C{;wQiVA4vEh*QKV%0?-5YtLgmoi$A8+0M;Sty|bNxEbDSK~zvAwp?yQpQ9T8+ZpH)mhIEP#Jq-86&w8!W(! zphA3QGQF5QT(sW^gt{9~F$0t9c^?1E3bExqn|W~U)Yx=)X>EAKd=F(mYk2qJ*Hje; zh)OHilWt{Xu$OZ)WBNK=kzwn2(}4t5E^jNQKabKv;u@>sR4jy+wA3#SYpkd$p7v8fKLeA�kgJp0<=Cd^PbXX@=x zbX{yRoR3IC?2lui%aORF#X!0QJJGQuxYop_s9zul%)#px16n@F{84P1Vhhd5ClGpHb#bH*AD%rVoQ^%snd8E|60mXW49&7Z>svb%%Bdscg37s5JT$=Mpq;op(WpLN#`@o2@hn; zLQ6v`2PNDCRC+S_pwY0yn4g}oLxsd7UQAy#LZGiVrHfz#7Mr@p>4IpR-*+>$~sSOaMVZzP~HNd{LQzfsf>Eb5Dc)0JH@S8;0y^ez8WAwGT0*^Qsvi zoCl-0vVZ-b*$*xAP0&pw5&|g2TQy^5p0RJ^+?T=4x%aPrATj-HcNl6Q$s`v>Z|1tu z8rJa_Odf3OKTsR(&l>@tniajpC^UyULnZtChqR_HCB!u%yHLF)JUJVS2XLG;g z{pAmEh$1J-5dG0Qp=AzjKkWOl-=IJ3%Oxj$2iAZPp;@%W#2DaE#FS|K_S)~`(j{IdfGas1$Ej1&Zn|@TJm|GDw)zuoo!&_#fiPfFM|a1d#R`s z7!<3Pq}q7Or{-{~MzI_LZ~t{g{HK`CPeR5~Z5=v~FS>to-jnrUShx%xbq} z|2P#dSY!or*%-iH?XhyOanI5g3$RC7L&4R03-w>=?Rl-?Zvo{W?~LAu~Ly z?PZ!05bk{$b)76}WZN;%fDR7fq4!4`(XBLs3{7YMgU#YsoymnI7wv35ARQqUUtLkJq(;!(KruPh zhLgK~Ol>1-_D{zc2~qC0b%hgcJqCeE4#prUy7LMC+_JRd`DE@@OZw_u0%# zOXUW3n9}fTJ|LMmI(?LCAAQQGHah)@k^CK7mKtwlexm0^JQ(|3i{<+`= zA2Qa%GiLwgcyz+)49@3=p~`EsK-l0Z`=Ngr{1$)I=7WK$b9Gy z-osv5gnhiNg5p}a422sIIRhSJ!PbvXwTnWAdAL=Mmi5ZW(ojry)K;br*iG~KBI<1X6B@67vntd9l3xL^z=&3t%T@V*k(5*iH@K*xo?%eU z7U^#oZ(AD0%na&)$wa|}Z@9q)*DXy|3U$x}f08^$slYO;9yF6(Y~CP7CGTGwC!l*C zLI>L;isjbkjSW{vrUSNnYMo;krh%9(LroTW->4b+XhKLREane8ZB{jX&p;1`SEiF2 z3?UFY_70u5QZiN=K!0xUff;6BHwpTvckY#(lHXF40PFx_y4}K*I*bAkKrCM~YGXi< zfRZ%o^I-WmlQMSuV5J)P=+*l?rF={UbwJk~Sg9j;M7{7nCW7J*rv9l1TpJU5O*I|t z85OKFxq^!KfBeAUrme1)hfe{Jd?~kpwksqr;t1xPd@KLVwY4Vke>YTZjqekKca=)Z zK*F^0d(tIuDeMbDfm9}1;4ZKi#2Ug6;e6IlGf%fLs-f#;E$)q%azfbxsI(#T*`q=?;Vu7kDA8Z(Skt_;+ z6;-G_$@sFUF5!*TT1btcd84DgnR975R5vtMIwo?xXxp&%s4wCg^*s=)2BPWU1^jFspYj#0)*tzE!?v?w$%cyl#8k0CSKR6TARlwdEw10Faka_hXmrV~-Bier1%}E?a{uLz7_5S3G zGV6YcPL z0Oo@lbcD?1uveG|O&x`ko8r!#sRnlpZ1IN2lLG!(tgQE&M0Y;e4AQh($0Pi8MkMQ~ zI?F1bo^r#wcajUl&ICtmgagl%8ZM^?6J9u;xM=XWP;7HFgQ2m36vHO8I!+U7MzM%? 
z%h2UptYi{M$8f?8afbi68T&xrarIeBN~v{@S${#CqnqgJ`*i)#GrEQqh{#RQvBj&v?hN!^Z z81i(0vN-WO|K=b3S$+He62FJPFhXNPi2Wd9Y=tRo;R_U|Hv-wU^+S+beV!@CENY0E zzka7%tDOheq918R0*htte#`GVKuFfCy@0#GJD)^2rK&RIB)KD*M= zqc#S7?;vYwnagNH@U^_RClQQZ5j$!}p!*)|O?ZB&|2tk=S{da4muV zS8O^wc@+)^ga)8ylhUGp zPzFO2JwhaqX^(rjgQpluKWy0;3;C*kvjS2>s&4`+Gkx5wlOBh47|E7+*S0qKqAf*X z(%%H(H`T#ou@W_iz&xK2L5^@pKKpg1hHb6UWI%oZ?^ils zF^AKXig1ogM=J%IdM!Mw9H)BL6H9zttLx&e(VVbMqF3-Sn2(yAIKe^BI%O-TzE&el zP*f6uIriaMjdIW@8U_x_DMGwF)B+2PHNo^152PPQXl2~5%zP?NsF`BF>2`dbU1-4z z*aqkXKPqbz@f!{1?pOa%_3rUY51k6rPYg3-G9*JE#1)ewkU*k z_=Juh8Sz{*hS;nguc9FYe^dKZ2rQl)F6rhzWHK?X?(+}IRl;;M6y|YpVa3*#FTrH7 zagEPsF5;E5eG|2bk_@~Da@p^P{-Jx#TrhnXdJIw!6?1}a%odU84L6<_P1da!Bp1_$ zLD~3l1Rx^#L!SUOjg8yUq`q+Z>gxSt5KjR3{M5d~fP640QQr?$HcLRm$Y#{q(mUGfM4 z*=c^hfZIAUXlg@9_LOx*Y1O91bTg;OhK}m{!WATRoc$j}KV?oH5uNcX?;LE(?J{16 zwR4eYBv$sBgwqZG;1}p~R4H$wJFy@^^xJFJilYqTe}X3?*q%ntb+zqIBXeFb6=9n) z3(fykrN=3=1#7~QkYgjME+TWKdN?qzDr$Mv;zJq92%xm{c{oq^Jl$kzOM2js71%o2 zE2MtK-tUBvQOn(%N41%0SF2cLvgWOU3Eg@bqY}j}@Zzk}lXv~+WE=0dsg3%_8V!Pz zKzVq5Mh{JtOK!mS0OQy&<(<#y>|PK#$4ovoE|0~@>A&Y*rq2CAYpLt*FvLmcbC3sg ziojy$@kBq%u*RwlY_4g6f(R85Zhr|1FtmHDG-|)I`x|2FO;M}u_SH@Vx!$*>#TfA= z&7ry|^WHK+N7!3BG!eY4J(a?A2~&cqQA15kl16FPScg!b$Kof8_iT*=nbT9Ma?wG=_KP;Aer}MRNPU-RJzfhw|&lOsbR_il3SOk>@GW zRs%Ra@bHD+y=ONrC^Ut~@T#+&*AHoGk_eo3JkKP7wGe8OiR;J5F@PDHVy_N9KkPX; zB*=-RD`p(jaT=hE!G4FBUrnF*&UqkeVCymw-1{g^3OL!+5K3 zE-N9U8xpZwhQ=<@n$Pp)kwE~wvu2^!440}M38`~fbx%MBY)~i(HEB>O*hK}?1f4S- zaQZ!rO_mUUJ3TbZ_G^gAgz-$N%Elnqk!s(Z%WrszVU(W%dO_HM`G0buoNptJc9cwG zJ%$)T0fDrM#lEP`Zu(OnLX63zrsX_6eRhQdM`q-W8#9Z~pZ5x(+JfwgS*D>+DxRX_ z8N6QGfTGivp(4iGNK>{PK-2g!ynS?hR`GN|0HuW4H@}siS#ONt8=0=ShPq{cJMKbu z9Q?62MBoO%@`2i*f}?>je(FfB;RL<*z&vqzXD;|7<+xgaR+iFP!~j-d-)0<{kBYLH zLfEwfHVm2!>v;p6QEODk_nQeUnP)u@eHbeW=QKlmRVGNew(M!!0)HE0<8_Wc!Hu}M zC@Q2_6e)Pj9bn5lm|33@h*x_q1LO_e!dwNzFDA@KK0DPl4zQ;TpW9w(6ANN8`vK5p z{81&o!Vma-E0#s{>l`s^dULdZ@#A0Xof*>HT?ArJoDQYy(JLDNkT3tO&QHS&&ev?Da1{hoo(*&IYYNxGD5?|2=MYXcRK$8%BF4CNk0lD4rB8IJ6dgPi(d>!STPMv&U 
zvs$AtbGtnTA~(arNXdM1z$N|0xIhwgW6|hGC80hS#hAjSlS0WNqi1>5bW8de&W&kG z6e60yjzr*Mb?<`^9ysM=9^<2@D#YpkGPdT^uOQiUr{^(4U5R#3oU0jjh9%tQN9TgM zhak57f{8gBxhaf^RjLWW(jnnvUJupH>k{3Q3Ad3ZhrtsGlOG%_UJchV8zFtG0J92- zwY4;^64I+}AuyNO%1xH5(?9+1+%V|pebQeVc7yD+V_5=2^kX(dZ1WFEn+3H)=;fUN zlEqOtTj9kg2!Tltp*k^4xmy;@aP#DLN(*L6GL-Vv=S7C&rmnXWaRb=kR5l+O=OU>e z1^(0fYf`Ln@)C!#J7Le0_RRifu4Z%1CGhRazYOj*%AaUSK)~X0wZf4Twb~kIg7Tqv z0TZcKUk6rAFZl%27eqe?6dLPfP0JIXoq6om0RJDd7=Ekgy=(a?Bv5k4@XbVNUJq2v%nbYd674 z&dVZJmjQkJOF}c2>Scb`mV`UXsQS#5V{Cu-RQW-R>h>Gz=@y4(+kkLFc{)9NYj^nV%#ku3>;)fK%mOP(JW3jkvl2#2OtPGUNR`2F~JscDrQqc6*6TGaIfa$JBC$7y41L z3H;_wK18;_Qw5D~WF7t-ejXUt@EnctI^_}|=$^+L(%~R0CCXbYgS%IK$SWoeHY|&}I~dsG|VL^d6@MwW~B<5kY9HONp7kkJIAZ7h(GySzyt_Mfyb9kzjAb`XrfR zL-~4qODO9%hO{`R13n}5K%QgKKzf9*h{3i@sNqQV#fyZt1;XGbBuJ+rt-+Ic8yJ=; z?wr}%bRP~&2KnrnM6X3LjExB^;-w8>$CQ9S8w9ePLXpSk3^MbxgiUe&;p5jn^a*fDkENgbiBWMAvV}w;i9D`c9e=GEv_=pE@Fs)=G|U)@+d8_Nf5^Zyu(%CRL2f8;^jy~;Ws!Z) zYv@)f1SjFK_&WC36qzxmVZ_^a1>@uz%-ZUp*17Ij2F_1%;%Cqm-bG5f9d@$3xOVLM z6NEj70D335ArjU6-qB}|_am2U)|3h*6YRSQT;>wvNumKv(WD6CBsS6wIzXUl6Uw0HSc3C z8$kM|XUMvkhwxatRsd z29;M((49t;S2hMEjn&IRpcrpfpaH2)%2mUs-I^jaqG^=ND9WM=b>@^-$9pL#cC1c^ zr$*DB8Th$c1Irw-HWOM`+-2((2zHF!ItjbaDKLe7Qqhxg-L1ZjSg9s9e5xDQp64FI znRwe9;MJF(g*3;Vio1!ZG)x)V)4dwl7gY!BXF-aiTkQ~YS61|tPzX>I$5(hs`DMVH zu%C)56VSZjSz;c&qfr0atuhu4VzLn`a7zYl5kL;mfa!E0*tOdj`KBi=gqz#Zhzhu| zPjje>_!z3I{A`vg@258;9Q2X#AY%CG;!W&{v=~uvLCky|++u~BkuNlF6w4TIw$sr@ z!iHwBD%SfkUa}s(IAt=lk0nTJLh%d%u`ya?q1Le1`Nb4iM=!?16}n-dQXa0&{nD{n za+uiPQv;DGW@|uipG{U?Vg~QBW^+G>)Q8Ql<4S=H^5HmU0r@gbVvPjtNpZZxT~cw% zV`xx0t_r|`O$B8tE8U*w@Ndaz?0!kf)sB`;5>h+i(z(3*TiX=U`p{~>&<*2}deq05 z_iBWlb6|HlPcyD}ow2V2&}IUp=AdxCqS-0W{}2o?d~{%;hfXP6IH&3{z%5 zSL4Ay)=j1_aX_HNUo5_r%%5XD4aE{E=u?m7S64o zOXo`V2ot(ZLJ)0M3SGB1r^^VEBv(kjy+Iv5&D>>IWVyP)X2GW6fUd2-sti?*qq=8q ztL!_<8M5$X`PogY3_vaNFZ#M`EW|4uq}F<>F4F(tp3R$Du&`U11cl2R;z2x>Y$PKI zL7d-cj(G~VgYzVbj;5)==&*<(YLO`|(=VP9vFy(V1hqti>~AKW06sjS1|I%0N@oIQ z@Q)CCaYq!Z^h~SXYQ}qXvlko)Gy?_r7xo#-p`>2rL&fIR@aDY>9@})Vp)s@I?~w4q 
z*+sb*`jtshkBCVw<&3GRY}$Vl$jAoel@+|FSnJ=uWA5FTL$aZ>cP|(WDa|Ua)y7Tk z0=McT6UHIP3s96HJ?dtu+7F`Uj3!145jr0b5`taRZGf4k#i!J4d5h9zbZYC0c{{~l zmJQ>?-C_vvZO>s(j z?=7U!n4vrK#9my zzg{v4)F*DCvSEF>{7uq>JR2v*u$}$GCxDp5Sv6WIe-D zrU9eUsHIdeh&09NXvzK3dt3*XpqxQ2gdhe+k&3e5E1tXZJDvgKtaME8hW3z~*5=-cW=ZZ(GrMIYiW4;9a=# zv2QLgyv$$@4E9A8&I2%=Qs zRWXzql*T^F4%^QGx3F9F$pn_D=o?s$v6({m;<|&8h&<-A9}Q2md5WNNV!<4SgY|cZNbZk;k8_ z_5wjd1JWqSe>4ac&iN2R%ba-@8MuZ#W(k?muzAM{0E8TQoZ1xs zeQ}0*yo$~sdS&8®ZYFuJQ@AAh>KI2T^$?scz3e*min{sNSk=@@w^0*Fah{V zl$8#N{?WfWYaq{fHwIE#5Uj?oF#(0u6yJiKS0-^XES8qr7}NS*Oo;4RbTfAp2aW8T zlFhBhV4D|as{C(xC`c8Vb==c?a*~M!H`r1YPVu(EDe?wb0w5#WvLNzaHxr@xruIAz zE`}T1$>jKbJM^ZZQ%KUwvyM!{rJ4>9g9%$ZXtG|M?FAg5a@&LWK830v1ok^Q?k(>o^ZD47h< zMMd5$1qzrJb-A~UabQX$j)c_%RQ(#<8UH4V&Zej>O3jfk4jPMk#HWlSROH!8A%qB7 zpu}#mUPQG(8bUWxJds~07M!dldX=|uI&2?TF~>c(iX4{FF2p)4g6;=UCierz5}1Je zm2}fVf!|^>7<> z>;O5-`aicwcO~)8N9agCQrIL6+`Kk(1N@g9-sdC1IehhwrF{x`t#S}?A<#_$H2bsV(t3JdAf2$o7nmdZU^HI4+_{zr|cj>6mM8R`W5{WtN z5=rkGro+wyD-skiv!ltRcwAIz^SvbA2#>sBAD})TE6tUe2@yb1V{YF*AHV??*KjU= zbKG+{l{jV7u2oAzT0PyYr;^J>r(3a0-Rp0-3_=1Tf{5A?_ z7=4mzAcBNSa7SbS3ktl_r^8ra4g}(B?(Cj)At~PWsI$>4qSU?cubFr(I zpcnGCLeBCPcu>%!QFxE)h%GFsFIwPO^iOY{66Ca&ll*gLC_jHr7H5Zf`1`+atr>Yd z>B`IlF+0NNiX==bp+J!<$Q(&r3g#IeF_ZaBi>~Kk@bX=$Lfa#&njl&CFfbP0_HdJC zKpwE6R$Q1??9Ca&xrl+$Vx;AcJyOH#;rS1NFRSY(sMUWR*~kF+v2=lwq}if!9WsHE$(9+nVLqPM{W>)7JR4>r(W`b)mU6qhB|ZE*`&Uy3rdMBR zDyn?TB_P@qb~0?Sy1ZAx|NbZNERfA@aS{+b!=c zvmmTSpe|~oDdreGy22-|5woFH?5Z&T3p0W-q$ol-(=t9`em*Q@fYgu6wRkW&m!mT9 z>Vr&XZpYW*`PAYc0W?IsCTF)#SVLXLfY~=_QJmal7T{4viC7K}vbkr~cA2iU;3ms`CIBnlRN*-JKD5fJ6dAc^d94?U36z%y()U8v+$dy>EL# z8$>tHtlO_EEb$gjq7cQKBn?lQfgU#$d-y@)L$NX-by%-#yPAZN zVTLUk!YJoHF~MmC&Z4JX+qxa@LoI~Cml1q1+i2Z)v>v2rh^CJ}#?JaGb1x7F8zi4q z{a~c)wjOS-|N10mYd5MiW6;ngEcfyKmG;gGQZI?A9sz8f2hCHAw)g~R6NL8|;|K7_ zgbU~Bi&zKaF6c48NpKu+CHN?UK;-nOm_0sA7bPTbOk!L6?}wLm;3DQ~>aArP47KBd-AhiSiF;VlK5ZQn*Dutcaq6_XFv) zMiNRABM}J^77;Pbs$H;89dj-R71qv5ud!k~=FTUo^m_hF*3JK@;d=e489?=v-zEKA-@8}#%{mjrh7^E={C$-+@*no*7Q 
zpp;I4O)4K3aC@4$`6iB7>J91Nn|Yfieh)T7ep|g2$)uSlMHl?0Kf?N~4cp6DFj0P|-Y{D&g0H4rdS^_4dR({9~XEak7Y6#IJ{g zVKr?W0>>@}JCF;X#9NI|Vb@T?aQ6wv20N4)K8d-E5@vcnjd@F%WW@BRYEX3FG7HjHm!Nq?bvGIaFR3UaO* z%yFkJiB1ACF=4b&M`R2ffB!r-hUJOuv#9mK*rALn1X{O-22rRE9N&B)2;i}U_Dr4i zc2i|BG()D8F$hz9XAEJUWuKN1Co`fT+w-yws)U7O+Ul2@t8RR1@(VlS)KS96F>Sc| zKpl2`QW9mvLp*kP`=CL2>`)Yi%TR~0X?$yZQX*i)$dSVG*wcZUi>H~_LhH^;#IdSi z@I`#fn)ZgB>mX!Rf>+pqXB0CJTlB%j!BbkGSOtvti-a6h9Q5)%;I~~5Mfn+u(G8!B z-b{6bPj3`>I%`fk1YuADG!U4ys>i;(!M>;zH1zO*AE+y^rEUFoG@EgIpPBXfKv{($ zLA4daGi{C{qRKZAaYMD?Q?epX=J=pb?C!}9RsnBt62-RE3%;1$4*IBs)4c8MDywEN zUew8|$@CUs?0I|N)g|@#I8laQ!aYS~fP*-S^!+H^Qp`1`Ny5x7ISm;rQ5Z<`j!|C7 zg*nj`SkR$mpsmWSOqG^HfyAmaQ&c$7P(93Oa>Ptg`nykCn4<>8yTk}UEe2f-IM>b{ zc;k6_N%${(3Ls=2#N@>75-ZI(Z?it!Fn=#NvnCD&J&Lom#!hY1`U=uO+kv~cFX#C) zztCoL?>*?*5&zAJcPQqx#b9)U=9ywqp96RzYM~z&|8P1V4 z*8ndu3r$Z#oO)JL&DyvyCxW;*+1Yj-B2BzDK4v^ZF;W1_8;~q;=&USoQwT~e zd90;y7D>2j2LWCJaHhLfo21az5#oMnGaj%0Sd`?--R#VE=0MbtW(vyOv19x9p<2A;*N5ju+o6>FAbB*{k74EpBFkv&DcaSVD)9SbV=UGY0Ewp^Q} z1~{p7=Nx|SArSS)&b}-PesFj)7=ka77m4qxs75m* zImkxXGQj*k- zv!hdJvEZU<{>?PCuU3X)GJlQ^49Ei^ipQwhVF%P0(BoS5+rlIWCZd?Yxh@LGK#oEG z;9g-FIh<|Q%GKYI%ZwA@uB%dUocg=M(~4_4%Xh`%?BzP8rF=NWxcZGS^FqZOn2<3! zNHmI3300c%R$*x{dk1*IY2Gups2k+)6ov?NKqSb#&G{Io!F^t!N?|}RA;(#AgE$$% zlNM}r@98EK{giWfs-l}h=?0~^BCsH`OK;2q7MmGMmo7YZGDEkudo-Wyz`I3g-)1bE)|i%_3lW_yU4Tmg z=%I{!l_sBEb3T8n0^wFG0!F#+YU&WPguIgOsFh?^(puq1X)9|Kz(0dP#D!%QcJoMq z3-ZG?hTRp-)e!)Rvi3}lioR<4WR-ZuGC4zgG_y0C2J4~x=}IXGr+o&&?M>aMN9iO4 zl0Jj5O?hO9eHaef(Y?(ngSAgA6obN&Z;=vUgD*f!D`2@&!gUsrd6hVJReI@S3gQ7O zgzZuKCJ@}zWEHw5m7Id<;)!%r@y#VrOO*k3TxT#89N)7YQ?6}+lLy3f$s??O48@!v zAxqr?gzYsJPpKCN47f@+wQyI|JH62(M^!nv(o{*BpvkZvuNSCDVquCFIe~)8uB=Bxk?Ajn5;?TV%;0f%q&Z1Tsf+|cs4M|hc83s9>)*auTQjYl;= z#dfz;FP<7fM>v*52*Yxe7F$8gQbRgIgN{8!&@&NNTI}Kq7Qt69%PUb~3ep7!SYD5& z)-TsI0>B&*0T75@6%A#)Q4%5pTg0*-&f!94@PDcUh~T@d*Ys3p2ZR4}dn@8w@zoNd z^*wAr?RCM6?*wlc4ZhFStTR#^Pk)xlL!8&~e&BSzkkzZ*O? 
z&Ymj(>w+7k0}Q553EHlTfOGq2=oS|=-E_}ItYuNKYE#7)b zXrXf|IHisuZxOd?J88@^Q56EloP`eC+=*-TcL9U2xUN&87kdbSbQ z!c6I7H#rY0Ox<{4dx*@2|IIR)Gk~-yn`lS~%wY0K0^Cjw5I+vhLmxD0IzE+Q1oI>n_v zs?`q3r%!-2fk1NSd?J3u%)GURr3-*DE?8KMda_x^o1so${9!n-p@9sh3sB&p%nc>X z^!&j)OihYy80eTT1h z!=VlImbBOEdSgzhucapGw{Cfvmx>MXh=|HVopv3io=&w~7{ohsFYnk7Ck7a#mP6ay zU5=xT%bMR~*A%#T{syo)pZ3|TQ)YHKLAn2U%h~XuX1LbH>3#G{8hQVTmEfPIRsG6CTG@O7_ z;PljMIAauxS3Mu?IA#Li)gN^pYe}pd!i=`No$$1V0<3l`Q^*64g*+pM2pi{9uuCc9 zpP-adwG6d3bau^UG{AR;Mt2W$u1=id=ZI?rq_GPST@JaUdOMoZYE;xd(+Dq!09-VM1 z3hfdmm>C=j5}&C6;v;VEBegFcr0WBKaB6*Y9t7-CF6n9LrQ)v>pE=At5hj_YVXN|B zz5tcBVv{f3JV zO68Pfa#!ZHW)eft<_o{14>5@mJn7hRT1-G{68m|DFl-ynLj+-~x&a}h)jBsrbRsXY zD&=cN%R|0{U`IK%@cfXnDbBz9@)mOjw36*^Di=UeH>sk5;q(a;8Y&?@FH>DT)z`bj z(r>4RgV#7Gw;9-yAHRiJG)||WeAOSV0pWi29qY2QLmS>?Z#cPVKIHmKb=1wL)_nWX z1kchGLgwT53*(^sP6&wxGHamp8hvl-!yQW-DmYu>#?#i}C5bvwMhe#fnQpE{l`X@b zaDZ)Zy>iJl*!I14<(`Fg6{JJa?mQQ6I{~?pEH?_EXDg9MJW+}iQfkX5&Ma1M&cHBF z?Fx@0%#L)#EEqd}Oa5zkBIqEXL7F`ns0@}HagT0k?w)-rk!`{9v-ca!K+=U)3(fA6 zoZ>xuccFpniQ$-Xd@IDm1(609hUH8^*+xUHc>r1Hu-7{UtEWVJo=nyj{7Phxh|%~F zYkIHohJQpuTI}YgmXW5SU=L*QXJOhsG#~2>-6=Yzmmj8+UsusWQv4QMK{c3?&m@T+ zIy^=#;u2RkQ?{4vU33ThOI)*h5{_;~O0L^;Vj0?S3Wcup=ebU%-D> z*oGOz!~!q;1Enp%TgO+fr#Xl^S`=*4EeiXT2wgdfWX3Bj0 zZ!v?3``mu&ux_Hd9sRz`jE88m$rnw%Hi^_p)9dVwPZ4rZ!jR-K55wIK#rQbR-K>zaaC1X3)<`*yTr5?bBm@w254x+r#05Akk%;^?@C8^4GXfuJwgE)&D$%DMwh08iyei4sadGQ zXY~MF3CuT8IO#$wgC8@S6H8`y!$yfGJ$`F;^edDSP{Q+yF40MJ#muGlxt4;Pu8P}t zl^<*Tj@PQ?stuyL#H^~c;(JY$;8J7$@vgCZ3&fhp+7>Q>DwfAib3X60=8dOW8vthx z8^>XzWz^W$yqFyEg$;@6WQ`6pyR%1Aj(x^nS0x+JvG>d#2ikl`SN>quW<0N=uVB}T zhaFaOBw85?GxRg<^kQp*_?)*idGLdXHy`a~ly_4rYZ$MIx!h8?vik@Q4UK8tG=foXR0G@3S9m58lUG zP01?^0$Lf_Q0xz*)Ma>85lnS;K;BIsGku60v;9C==5r_%a)-(!4H8kquMws!R;}4> zI@7|^dl9RKQ`BRM&8FQ@jFA6b{>k~c0g@zx2kGOOH0K%2pd-Icb^}17$p@BTY=1lq+P)yF% z4H9x8O#ZUSRUbCqlOnSGwtPTCfaFBdc=_vO+!4dLW8}fGp@M&hBuzF~FtW>i&MWd8 zX=VTx_fW_RzR3)9C|~ZrnDH%~B@(LBm4~vEXCYqY=GKatK}_0b3ekjIx+2Ws%~X` 
z*UJkeVv4*a(fhP4B~pG+&M6OuZqUpFH6>7DDTyePBp(OvF$cWxHAIQ%S<$V|10jOiGiuzyt$&T?;UdN~7g9 zf%rhnPq}7(Yo+Z8%^Q|l;m4ZfO7bRawvwcI@$%9gSu^1>Md*$Cb$Ygs17@mI`#*(} z{0XBehGSg_3^HxMj9Hu22z`FDTMj+;94>bk;(SixQ0;ClH1m&&d_^9Eax6&2VT(>< zfHvKnLopZW_%_6u{U-=y=5=TV2J_`}gtpe1V?A#m#13E`D<(?hX|3!S()h};=AKA#lmxA7C1tZ;xw<4L|w&YX-$ge<9tS$lyi^Ec-L+Rs|iGBI9}MO%iy85 zJda?Es-@*uHbT%Ww}K-?M3l-nFq_slZmDx{1?Wmjm!D6+%~mG}MVC5mfOmF<$`;w4 zi2-|JLh-bmr zcn`qxOpFYJBN^GcVrCdMm8-LRT=<+vj~T3Uny=f@84LCc?F!4nBD69$Z?9Zpu=| zbabDNMNqM&DSsp?KD8K4BrBuxB=&-n!07EXt2t)66+rpks<&c|F4_v{8*#`KZ&+>!l+PI|n`6NXx zn#x8HAn^Ijb2+`7yVrZu*3z}_d}kx7bAs>68^d_b*0NsQA?g#(YYbM+8b=jj8jq0* zAo*f&dd%si^6K7Q+Q(F9JJ{=Y)`jp!G@)Oa#TfJODgu5Y2*oQ5$itrt)G$+H=|p<* zss&S~0%J%%#$62(RE2t<=3a!bT!8iEc%$-Xo4Q7N0Y5Sw#w%HBi=48FCHhHfW=h^q z#J-)qr{E562sh!Gs62y?Vg&f^)~kf(69W}&PMN+jg7!qOvp4pH*&F**#`O3WTa#!t zTeI*u@N{XkSxML4efBt2-9W%tfi&weUp|JP>$MW*G1Yh6TVm?79$Asz2SQZL~{x>%qwI09#z}`$ z+#O%O=irY}g1;6bjZ_A8-zShlqGyMu&Eqq)tr+#k{qO@iK4X=XTYx zFV83<8q4=vJ2&awcFs^tt%S-B76L0WU%O2Q2>g&9x%QzrHwJ>tNd$b%H(*w5F2IcA zmD15~2ESJ}>)LjV@TqMjB9W(sr3tvocOly2&wi*EAB=8}Ae6aFzPD8`5 z#*%e`?%>w|q(0rAIFFwgx%yRShoNPVs!7|RE=wnpV3Wm3g+Hd_TxC{*+?rD*8e=^e zQ}YUu!bDyX-qu~F2*<6-<1U@k6P;FQ7jYV5ECc|7ceQAkZJ1bOn<+vQN%*BxtEE(; zpES78%+c?FKFy7;Ty>Zov5cJn;MX>0eM8O6dQtQxwqyM+ZBhbNSXg-O@lqF}gWg=4 z^DK?NqR?4Zr($IQJJJ1}Jk~T9# z7dGfi+`0Yx=tBEmvl~FO@##46YOFC_dvKT0+bV%4PQ9ETv)IHdoK7SpgtBV7pdElkG8IEjmuv$v<;KQ2 z=y2k6^ujk4TAa~PLh%*96jOJSoql!#QbW=Jx(yafE=(H$LqNR0y$zbNp*J*iqWx_l z!r3)RnU$_i({}q-#~xUsQw!1KIRawnxUn2&3YG>c=u|6-I04Eb?#wn7TD$epc7hS< zSnQM)q75E>hz6<=tv@p8Ns2AjonmdaPwb-*oJ5W5ChpA%Cf6w@L=#%2yaS-McWsfLPP))!9GU=(QHejFm>l%9-^b{^8e?C2{!lSL@j8 zYK@Evld97*61zOWB^&VTvG&xlU>rS>YgL1Jn!^ztd{60DwC|}OW}GZ3REKB8#!k-+ zQ96j$wBpfauyM#OYjl~{%~m3AF`7PGK}K;{_c_$^oQSu18sqYWEmNb%p+SXfabj@j zlf_6pny0|ErlU2hR#P>HCW}l20p6YNrSQ52@1aK*hlXwn#>UpBu{2yt)i4g+j4RC2 z_E-xazbQf!L&x52bziCIR3c23P;%Jz`O$CAv8ZwWM!xCOPTxUS)rOFU z$m;kMgD+1Dcijf3V63a~(AP=ln?6t!q2Vu+CF{(j&yqoQUuy(+gL{!*cA30k!V{I< 
z+WZh9$vNa4aNe_vi9=0vN{9%do5o5BT9dJz}vMhdQMx7R$QB{fL< z4bD1hyPt5Z87P?AD-czISO{;!ZnzSh4iJ2X5jS=!dd!awDvi1F4XC6p%Ucbg{BD?6 zK5gX1dey2|1RnL=so^R}eZXaegXNe~y`kQ0J;B-R(mb8O0Ux2F{X&Yv zAP*biX0w{&K@*Uva_T^wDiKZsY8N)Vq{qR>rp%e+EZlWE<-unc?rR~!=D7MHnwJ6F zWqs_@Q8m1Q#a?r|^sE7}ZRj!!dF6+C|IHFBF>(@1%$=FBId?Z@SQzFE-spH;*ZzZD z3MQ{fl{J@jv0}r`ZY1A`$@(n+!mfF&U^tWA3h1$4bU7 zAtf~AOZ##f?r96PVmo9M0MW@(7{kc`;UR=AjG?R%F?}b8VYv^q>IGtxPloL!kBPB3 z`*v7`R+uxOwVvEebC&58LImu2s=cyuA;JV zqjw32blov75n#9cDB@gsC+_bajVEe*_J~|g0w4s~Z_Xnp?LwdSLgdpF;Z6pL9&gx;{ac6OVpheV zH$@9vT{KE&!xQU;oyNSr*WBV5`S+#)zqYvb7^`^w0RF6gH-}P^h9nP3A>>0tMxL`? z=9hA7;Ulx4LYzKEJ6^c-s6w`VQMzyGA5AS3r>=k>FerH_>(Rs_4JeNUcLcQg^!$WC zLI$)`;Ag1ENY0bv#c+AXQN;kR7!7rVR-_vsR{71JEG8<<5jE*a+@~&bAfh$tZv%}7 zzaq3~fJBQ9^n58mJ`>?BKYVxV#Qt3DAC=0NG?IKX!X!fJ+-`TZuK2Zg$*5%fav zb0SW?9o#P>AY`QoOqVRE$w%qBGJ3h7O_$Yf>-jN$U?5&n3cD2j6SE0C2A2a*#9i>N3ymNsMmva>baFes zpZvsR4hD_mg^g@~M1>2ouI$5YB*Oss6%CZV8QyFV-S!a~I2BAqGNe6JRZ$|+nI6HCr5y@m!+>Sss23$)L&!%6PqE!K z%n`r$C3Y4i45(ZaD2^G1po~c_K_{imRec~5pi!2fgfCQXC^W{84WWV6(A}vzCCbuu zL5)Ar5=#_CW2A{X0U(Gd8L%8C9F_t>!NNS)n8cw{V-)hQa&+{@`6+-QU|3}!d!#Ft zNT)OrBZVBT5{A?>NK?@$4#UzhoG7KENlI5pX)4VU098Wi9i}56fK8~*PH$=IMlUD=WqEGq=s?JUBua zbBZ-eOEa~>=Zx7Ew3NKvM(Xn*F5|JBOlrrc^c68xHDF{#8AW=T9pf+>TEX#*{2skr zQ1^CB0r-9fMA#LmRv8^gk_vqlUwy5mAH^4I@lUU2TWSN17f)%yv-0es?9sQ?-RMVR z+14N(bkMU&kU!Nzzti7s{OXIwDzHXJb9k>&;R3Ilx%`UOo}X>%_LMmyV1n8cmDS^S zLSI;jH=>83<`~8F@VJ0&kC!vw113S|jV67gq?XV4ef+Xj9DNuA99ikffKgNT6_f2H3 zCSjd){EQ}byVBD~MHYsrDHt+cC1u*_|a07ARbv6H=`a*3#c6k3y+otn5?Qwgj~ zqCo?K`Z+^AG|#Bt<8}1z&C&B)eo#Zb^@|mjJOR^H2dTi7?7`h}PDVrJ;fk5xAYT0t zdR|1UAw;)#DukJ=uJo~+2}R&B4;LdIwC$;9BkhIdr{YD>0lCzW2UUKZ?B07?RVtXL zcytEbpf3KeN5})9J;N~D*9|gVXgs?%b&kwU;lM4gas)3S?mcaf8%nwr1@q#U7#l|< znx`-_j=B3jffvAR7+EHOf=reHHVdx*qDo-+RR-*kiwfggMovBo+PUVz!4!6k2I4)h z+Gw(iGki{<`_oYrOpYm~n=BQ8y3jrg%&o!eMHq=v3Oa@3-3#us>L*hMjzNB^v^6oZ z3@%_6ll2}gHM=ACa2(CQDUY$&4;z|!8|Z5F%7+T(29Fg{{ZIzrIniPtKTqC`G>hVw zaKJG)>M#&$i|m)iFJ~=q|2t59dLbE?3dFczLtg*d@e8orqZmHOF19Dm$F5^9uptpr 
zw1xi`i;4GsY^x58E=w2;9}V^>7uxW490c4nc0ueW1^vhN2+sTigeh5oCkFEF(i(pQ z=l;_5K~p{P^9g)$=LZFQWNAU|uoLgBdjS}{10LsN^vwj0+Et`O1&<11PZ$%^jSYP} zk)cuI89WftIzPrJDF+b*SH6&5GjRf4JkXWzyz%9C<_7dU9=Qy^`0-3xoWCh{S3w$C zcK35uXhEv|K+?+dn-niAf4-$Yk(A0sDnjkmq~Z!;>dhirJl4ff%6wEYAU8mR`mDp} z_Ej^qk$G$s1{W51Hpo(%AsJg&K}P}Kj5Mf1*~-NMN{_s+v#!Gsa>zbK(0jp?y~*d0 z8~hqFveGq!J<38mdGY}Y2UxPmAB<9=C{(iRW6OQ;YYE3 zie@a<$d72S2qD8+CWAq0kQQ#A9y&*DBSzLov$D59cmVda;#}Of?Sa;&9b{|8GH3hc z!8^Lv)X0vEx#K=w5b$vK0UtIt2uaMlm;9$UX1z&$a{QMRXXp3j=Lgm#nfa zW$uwm9KU=j16qsAw&+Nb^YiWq=0qP&;yG3E<%MQwYM>2cma$okcvq!%Dn_Ov?rN1^%& zIaH|hPW$~6LVL$1E_VH z3c0OF;^VQ6vDl8nVB%Al=d-*?*|dA&Qw%I&+8W&UIY>uppLHndI_-0H%K`vA>LM)E zkU_V|dABL#7cyMejNS;5-BT?I6Dju=#TTB?@a%m`h71|7jllgDaEic5G&yiLloGFX zO`cJ_r*-917;e?mne8ZXVwm*5l*g)baB8t2^$w59W>;PtHOfdmc4$V-3U_Z3!&Wvq zkB%prytHrcGWRmetdr*qT%BrSPYyFauGx2P^j|)6i~GVKHUKdp!4sF%@j+c{Wh6xb5*(wyqef z1)8#XO4`sCvU?ETpY6aLoP5KE3t7C7Ms-C=i{hRQc;I2AAkE3pqOGcp;qH@|+XlhD z0#OGdx-*?7p=S%Sd3)k)bI?UovkA?sI0+!RuoGZ@<^%HNpr|w8DV(>(gQ#qP1Q&8J zP76?H3lXgXQ%MHJXjv!af#7slz$(*%y&zx`59w^gAh&G9=YmbJRNR0mS<;dr z3>8ULIhMz_hbmplu&>do{w=9Ab3LjT+d@d*BCvxGV~f11u%5?#+R;D9O%v(H@D za&=%k1V`=CD%%ZkhTv)><5IpVwuR+!DUq-c*D04aV$!{*NwNV_x`VG`wH!wrrtI3r z=qpGtTX{`!a%|2uz!BtSW zCGlsX3JG(Lrwaebbxefjb#vM|3?!x>wq_bsE&x^`^_~vlSv+&Qn^A8$X1tqo#mZSq zAH{Blv##;CO8v$HoeGB8^LeG~%FY_s3ln;BngD%@U58z-wH<7Xaawqdr-4*#j-3K4 z0S3ip-lK*t3wIjEW-~%T#Dta|nwDH5FTj_!4Py(&XhRy+&hhwJmi?ePmPab@Cn8dp zp10$W-_`k8x9@OH;MhJfkp{(DLH*q?IeSby1D`ow+Lpfe*PHnT(}oClE1jzgYuot-Y7sq&)>9A*go8fpQ#AXV)qw!nigxc zW>-?I$xnpkDuc+cnh8~VV@cs+wH_fpMu8&jzyP`p|N8Th9Ug%TmK^PMcQoTZLaGFZ zl90MvnLu4=vpOOA&F(VdJT~Z{=}H>>oVndWL+FUUQi4j!Kbokl}sKwu$EeaQq=5g1kSZWYXV%6?* z4-HvjE1oV@PSZqH5pb-2Rn zrlS1XSYR8)msexv&{cbh=raNIsJvf#+}ZVjSimU#O=LLy3T(c@$hv1^joli)L7~ce zP1WXYBU<{qw2S9R^Ug#%*zd(Z*9g_!_^Ry#e{r*ovD!Cr#T^S%vBcXl_Nx0tO7 zDt`(IJyuCV-(Dc1fz|sXE@GFHx7@0QetfRfQ%zpDNv?Ao7g`aYI&GS`8iE*n2rR;G zJ;WzIo3yb&vEt2 zlN*fiz@{vY+S38l42m`*STrG`i`;ATj8e#OP5Hzl^oTZTu%3s=+GT$zCXW>qN-X$! 
zaaX!tU_4L*h4^Z8^nooj_6|p9XYF96C0x^6wwfqEB~v{XJq*<7TaxQ?Q&}aVfxZ#Y z@yOr^U=|UWym_gp5&_LuO}GNB1)Pls3H1DWZK@PwFFW@qJ(v($v`8ztKyahW3Lyjv ztd^fZo|J3Uc$Vf?DWPJ#8n8LA@nD3bjkFK;3l8sA7Z#VOOID05Igf>;ADu@KKJy zNYQPvqT7L_b1d_TE*H=>U34`g1@adR$3Rvb^q_Q7X&Vl|!U3c{O;<#Yter}fN}<_$4;bOp6LRf8Q=)58s+V-Uzh zJ!q+G$&M*zX37ADEI@=_1{i~8;%=k-D=r>k5@l;HDIcdwA*^TsL2a;VsGdQF zu?R0aFbgVgS3v`{&#M^Th>B%8)B{A3eQn0)7ls(i8@*Klo#YpUK>rLv)8{7RpIrzQ z*x?CNGyD)C1QN1P9cdpxGL2B?a3oI=J?NTmqc2TYsNzLjI8kRNXEnvdkHOxukv3FC ziXP|)_vw>1Tm>l!TE8v%Xf1f(lmw|#69MVcGJ}BTDX6<5u8PdAUI+^GaRI!ON5O&5 zJtSRS5ko}mZxX$d*&qadly`f=;VSdG8IRRoX)pfIirEc84UAXCGAFzQ=}lf0m2Q@h zJkj)>_6%HcfL_f8kQZJbRDgIP81gtI?GLl+1>nq(7(fOP=?Xx@Ux1w@+Z8+MY;}8? z)yW$05y~QMyJB4eH$}6)lt_@FB29p-@iZZkE`8}dH((_JXVay|vKjy09Mvg8A&q#< zzKDYd4Or41?z6K{rQJ?>C6iWZqBXS zhl*S1+%4PspzV-tl_3tcW|WFNf<7)?SJ3S>dQmvwn3{UQkI5Qrn)XZ(rSDL3?RZ%2 ze!(KoJmX|+R$Zp%t}4YYXSDBe3*m~Dkn6*=N;nl8Fo~Qh6&3}R>sUsm1&o}}%>cDqv%^01)*3rT(xGejqhnRY2h!p;ECawFKYWEP zpA70wc0Q@e0uI#2hAmJMxIprHV7qF?_Gf_hOLn|RDGY9P zhi~b0E(CZmxPk!&nJz0tBF+{d=5pVp`ua%ntDM6bEF;{MDu3Wm>2<4oVLb@ou))u*vj>(u7d|S zk>3GPYBJCO!m49AJi42$t?=PSR}qW`DuaS!7KH>t`K=(|A{U1%Rh$OB7T?mRwu1Sgj}lolHw1`k;{9lmWbBD_IN+9F8$X@5Rqxwe&})&ZJR2Qm-R2T5qn=6%DunK2)&*!?(IVwSzehsxOrzi7(4r&P zQ10LAHbH039AVAFvB8Ec#s`jD4yRtLOH9SqNZd#IgG5Q@D2({jPiGA#YHP1*eY1(s z;CLj1yKDoMSRC`%j-w?ypoW@!>lz?(kz;_dYH2m%}WG( zRo@5V0E*Z@!Qd(ws3Tmq=4M~fQ04c5a`8T9?Q#~2rcL@LW&!fSbkRp&<`7_ zbKrM-l~|srcJ0?X@@r)b;qHB>WXCEbYpGe&^v#=nr1U~aaP90)1=QCxE&%-1eLJUZ znLM(Zd$ac!?(u|h;c}wtx{ASeY#pjJUOg1bz_{5ofIJFj?*mmCe#%_@J93F0# zdA-zllRHHb6`h(*bo45&>LBFF{U@%)G|;&P=aW%Ln*|KoaZFd}yR6OptZT?Hty}>Z ztt~~4XHy=-daw)e-ea`t(Sz4%zVf>M1y&^mfUYWTB#C(GUzQx z=x~t&1a4Li=r{zcN2dut=lc~*x>_~Bj%Mr_J7#_}=p+<|5j5cF+CCIp3&KQxYXZ!H zc!d|zEixu9z9k>A$a!yDtSuXB!$Fi0a!tLZv^f&j^rb9(-lD;tSdBzxNH@XLZ~4@G zPddN@HNdfBydfW~S5BIPyPd5EH$k^$Yf%+x#q4eLh2}O?bKXX{I(~h2EMFcqgjmq* zE*rb}ed6iwnW8eQ$l+#sQ#9sjSeB3laXD+kH=SDSHerd26_Q*rpg}qi`vA7b1> zC0Qlx=vIKE2fjAJ@5U~`NesOskYwVfh%{h#eypAQi-B7VPqMXhhnI!|ht7!Q{I)P& 
zy?rn`w`B`e-Hy-Wu2-A*PDNUc&+XdIj3`^OS$nGAqN(yLlZfWbC0ZnvPANItRRHh( zG4yu`WABm)se#V$Z1D@4?5wU-d9%NmZz0W+8DDF!iDjmA5TV8wNHt3|%mAwCvS*My z^4&Mdu_Wr1F;!i7C6+wnaBK+#LpPHr6kR+SQWgZOg9^N%MbHLz>acS%jYNrsxd!O5 z6sWGu1oWY`%dJ)V1rbXr*=nF+SLUoiI#c=n03xx)H`s&vFlx{-AT6?kCBDra=1Pc> z$_p{lcv@yNyU_e&k=i_di}Pm_K;cYiqOB*!A$H6al)&BxTf)hhoL&-XlGC(#w~H>5 zs43_K&?4v&LmkROS2#Q0b&G-m0Wlcvh3FLRD;~j%fweO9@f9V?sMgipg56{uD!ISe zspz(2j=aVZk~olGKl`;Ifw|*wg39>!IEMg^)>J}YOn+vm?S!VNyX~=CGln)jx==Mr zKhv`0f_ceVrPA;%(2d1@Gix**sdzbIEjMoPTc2aa(y}fwJK0!9zK{C}=4&0fd1OHo zVPj2zSF%Qt4f*o#b6msz5_~oURnZulyoM4jsLzL^8RNygQJ9M({WlujG#N`C8}E^s zY}%Cg#t&PtA;kMFa}tw;ri(UZ_BR%2Io?+Ini;s#xtcoH!~=@@EP-tsl5g3tZv!`{ zBi1oCk%0PO_C1%Lb8y;fpnFhsnV=wZd)F?O`M55Y$rnhE{hiIVrjfmes#qh=y*KOI z<*K@&@V9C~f_gd~j4eS5vqYl5kD)(}X;Db;e||aM;Fi(a6hCOa4e(p98#)V^mk3SB z&NZVyG8cb?PUL|DS4L+f2v5GWw%2-(rWe24Xnvcr-U&Jv#wnb_CHjIc{UT`*%xWq^~ButkF?3zL`F zQsRsU*@1(@$vexrGz*M>v&Hzrggw20X0|)C{0=8#I1doc?!TZ)Q)2B2o^B)GRv|j0 zvCL(3E)y(9>ZwWos*9ia2Ep$9uK=(}!cjz}q){9~9jh81g^V>IJ#BtiaeIkt14eX{ zO%}Qi+tH_?cY>=6E*U}^Yp(KMx(*=HV?pr5psUpO4TK=64W*xLp(#{po6hG`ybIEG zNZ26xYChPbgm!ql2s8J=`P7dtw?z#~qqX(&7=D(m0a4Wz2wpZY;xR6uBD?t7(V$Eo z%7oC&n<=1bzD9S)n!4p>j@?lihuK!;K!NmMYF zzNtz{4ZqBYpiwFBz0J;ByEk`&`scKJ&9%AVxl6BQh4&6tKLu=3bx2P-9S0CGU6i0} zNq}w)o#*Ft9!9Oo@3kK3DI)tpG`MU?D9p?gEIIY5T}4TOq&$gA>TG@K%yqd02;DyI8SRhY2m#xDOJ0>lYpwD+D`2*NqibF-wR``J2!usv8zLs!7i?lt~qOoCsfg89FC2 zT3MyW`x6Zg73`C}>I>L)43?YVDhBw4KdAk3?1V>18#<~)NgMtcOsXl*oCTpY6dfJJ z1XUC_71A6Eq2L8GK#d6h)OiXjoO1T zofOuv>s}1M-Gq=R8|((m_RCcZk9be|;0`k7)rkbb=i}j~Olq{V4Zn}5bPQ9?b2b7H z0047C01Og~Mq|NPD3XPVCagZhB}#B9zfw_{>3x2Ma8ce^Gl&uiMy{QsRaQy&phJ{->&2N09NqAumXYPEy}#hXWIaVBuW*8fJnW^X= zKe3LwwFFj8WYqY(M%Y0u#&7V?O{C7R%9N3F+;3< z=KajOM-@?}8J#yx)em137955YH2pwNaIn?)d1j$*Hk%@e+OYp~5Z*(~voS$02~BlW zw&tmtSuoM;(_r22o92PlWu4$WqKwBzP(2|zc3hhlf&%*7QU_^Z*y!*E10 zbj=`{V|kAc?j0k?;Hx%>c~FjZ-TjfsYTZ5MowM@`5}=qJ!y7CV`bF4z7$L05miRD5n*z zSfklO{QuQ%`cB>Z4vze2gDD9Ns7MxfFhRTDTS>-9GQejis?`?k%#=F$Hm;?Hk9>hu<#|s%dmx5~`1)ckO}1M*vr39Agn5jCQ!bJA 
z4vO6YSu57|UVC^ZI{D$KR6nq#N5E(ILlO;w2{#vK3cr7$;_`;x4Ic zOBp8nkI3s_ZMjDrS7$;eEY%@J*=o)-&Hp6we3~e?vZ34iEh`zUE8Vu|v1&rdO=wJjy zT&Vg9A&O{w8zjA>&JoT=v2lT&(!*$>U;{r@ zZlXNR;h4eE**0JWhl+seyJFFk%0!o<`vgr$06}c6?TYVhJ{bmxFGow+rj5h}bQH;$ z$)wQaOTYxC-Pc>z{5Y$&HexJ*{eL5Iu5vnoVH_fo$K%X^?x0&tSJWmHBL92$pCR7v zy7K?5>ITF-54MiJI|bSRliR-!DF`%)SmA!-Q3De-2Ng?t@%TWg&^!C&0~n3y*=Tg< zKWD*xUq6h(N*VzR^KW>Wb#`+!RA>V*Lr`NzSEt;vLR}c^{G+A2U^A9IdV5!Trpvk| z2xmdP4QRf-ypcd@|M2z;Ow=Ax`{5V3SwG}vl=>Vv^a#bMUz@tnb9h#aV;ge>g>qRv zZaZ-WBOJkXaNM!zXQ>aG-CaKepc~o&<_)0fhfX|hz5eO0%m&EjGP)bF%2E6xt-7T0M|KI+Vb_LK#hURLlQ*fK zOk?UrR~Xuv z`esFijpY6f%9nJ~|0^~!qk&_=+P0N?wtKFmn4^5Co&n^8XT+&;(I`YAw$AaL2lxHH zT=2&a{w}91B=!Vr?w*Lhg}Ybae>m_h>kEX6is87xbghFU+~M~b%@8y5?^WZDQD;m2 z>E2uRTUr=Yfq5r0emr{S%Xl5ZRHpiCU62Ln!`NB?e?A3iQxurlWW?tOH~*Bmv`DkO zpO2U&z8l($*;bD=cp_EQav8d5hQa)N9F1VPtC8lV*}#2U7_LVNTr&%D=T{_23EQ}8 zn>G?@4$EycPB(~(1RXr*N(MRq(ly0_pD8xA-tg{W5h?#;8~$~ zhlX});6+*af20c0CJYAYq2&+3no}?7|9-|%r;j0u5jcV|cxcEVBz)hZpynbN^5f&p zntVqfhE&T0Yjnh)if}rhahD?Tvf}VV`7WlZ>I!f3V3`AKf~Vui41_!zSQtW_z_ZJ1 zV0j*+=U1qbAIdggI9!g*Butj${KNCL7CvN44hqK)H!&-jF>&$h`8U;wFhHb~~ z(T5yL{*DygFstS*x! zx!2F|Jca0*Ebsb)V(o zp?eGooKyGK4C-=cooAN=_sY{C5mG9ZxYN$w?4FR;K#nVChJ{rjSoiQ%fhDA#-R#61 z$W{@Qu3tfasJ9bN8}~Iq0yk_9n+ReXtD*8(Z8VOMlfc* zZHpTR(5Zv(CzMg7RVx&|m)iwHZ3*y=w3lj74mJ*0(^~imbZ0lK2^Xta49l<`sXdr? 
zDy1o74V1D+QZ}j}^}U1Jp;sVtRy(8&mbC=d<>xw-?Jx#`#~jGa34_R%e|mHZkcO{xIS9e0EPv@x^zbd3~A#+C5cd;3ENMytMD~83srzb##h&b;ebG zemW0(U^hZZLy<)ZYX)G*iBLIv$8(Dyj1wfs>;~PxPhygvnxhIseVOPc3d|6sjTMssD$UL zR0iaC@oyJB$@X4?Qp_RiZ;5)P(kiC}q_@nlz_LtppggpdKyYnaC0c887(7#&v>K_f z*VRO6Wq!aWCbwiHGMxbyec;+7F$pN9iUT1eDl1|McPIE>qa;AO#;_0g+zk*`zYMsk zQ?;XLEe?&Oq^*)j#CnlATmf}$$`gtMQ`d}u!CxB0e^LP10GBCh>Glt>|6%9eBI6J0jY2} zI3}h4+%ARteNl7Q9|?HPz7J~DJrfKaMtmCsoHhbv%+)hnK>|wQGVQ8!u7Aq@*ulr* zHV`Q3502DMqvst!%)eO=RjUCd&QstD`}s4MzYif9e5@M^i@VpH>)2Yfv-M7jaeasp z`ArNDwZ7qrJKbsnI`lh7fRBWIsD*x_nH7|B5xUPn^r=nGt8t{ZtM`|%8PN(yIF}Zw zo*t_Lio4cW{3DGAFSakSdXcyWN4@hA=ta0A_5?SRIz8!H2;qJx(3F*EcuzNi4s ziAJa|%>dHKWFmJJ18~lIrg}9QX`rUEyUsJ%kg@C9YwUxZV;9nLar6flwQwmDmEl`FKR~&W zT%|WsopMr^w;K+ub;&3f(ydly%2Ia@oaA--Wo-B*Hp){=ucEN%tNRp=L2#QKPNyfH zLU%c|-9XIX0BmidbXW} zk3#ocI_1;`24-t4rU!!IM78d*b5*#f!S@sAcKu|5z4NU*yEnSkRdtOvaT;yA{avRC z3=rLF;uxCkii_yKE|0PB4+EIeOg5-9kyiAV(PV*-Eo zn__|&;&@;qafy`jb;u-q%g7(Qvr1e&>wAmA$$-aQ09Fl;+L7H9ivThWq*{)VS@PWC zbyJFrl|mTh`Mcn>a2Gnu<7wfaveg(q7Xmjdx|KyVyWb5RYmU5?u5+2@FG5n_G7DZ;vE$K%g{Rz$Efj1k z((bZ`#Mv*2-sA>q5y0DfzVr=*%*RnkniOH35Ic@?gE2e*POB}w z=FIaCMe0Q0d=CNHd{gL4PMAO8+6y*51sUfS`DgddWMk&i3)!n$XDEC?=c-v|OAY?8 zB4TW~8!}_Llym7bUsHJ!6S$Z%=zlmkUBjq_ANx@jhfI3yxOOj^n$5yIJ2ExmAhwbP zM%yTpJx=l!a)8_?@YeQ@nNph)9y{Y%^=FU-^Sh1)RTrJoY{7h~ZwVbP!PM=B>gWAP zX9#HR^yr2@0&%@_=;Iox^^95_&zMQCy*v!LVJ%oy1d=#(P-bcC!oQQ-6f0z%DBPUb>cxa)y(9amD=a1rnJMdsGIh%pcgR{m zWIy2wnpUI-;LnrpRC>Y(R$ndr0f=Mo8#XWC_sfmZx;l!ac5apvZP{}jtOjTj_eu?H zNUmw(c&9kD3FQs>d{`)246vH1tDD_H*M z7d+1oereySYcm=#P-rKO9&_?@WwU)4R8f3eOqK^FnevaPs|~cL@no!hJ|Z%gm)9Db zZb7}a|FbJHWu$KfRAczN#77GXv5g8&n?Tndq(Cmj#T>t-S?KLx!%S$^AwyNjd4}#3 zNJ)W=(`GE_ONPqaho*E-?U=fEP|s*eH)11d{k44J&)XDtbT5wIVbczHAvMV9;RM7& zt7@vQQJ+*Ia!`C{6{@I>8cN%Fhf}%K;;xV^f+T+cKkSzDxi&BA4AF)C7lYmc^`;*^3;4QI$5<*?evA#C6{s_qw5e$A@xA)lAJ-8N`qWIwhn@*`UPQ(ESW<6D> z6shx;aU;%S)Q&uwn^7_#n+3CXE-D*o^laqVU^i(mw@x3z-f88YDnJ{AihiULg&w1U z1Nn263*;4KsGdFWy7y=Gih0)oKh@vo3BnOje%3P0jEFyYCWtg(Yu=Pi>dXC4h=n^)e|Vl{oB1b2W@; 
zy%QL&B!MH~0eyE9gdsHRbd7{Q(2);xCLtZSJ)qJtS+8cY!E7go0yhE|3Fg!mC)lgR z9eDH5;4`?~y#ITN?B#AmKqfUxkYuYW_X?!&>oTm+VDgd|206kivQ+$F&`ZiMrQ1gf z=iH(+*S7#N(}<87F35jf2W@RTGGq|}{jlL_hZEtUd653j<8Uq8{{b7y0zgf)4G`dziuJa=z27{zLi z&Zc&=+;K*|7kZZvR+9S#nz%1G3PmVdKpk~V)WDwd1nB;5nQxZZj|QV2gGb|EatIS8 zbZF-(1E1GjROziaB;Knt-<`4*C-Ry*br)*(KXzNGte0}tU1yqrN%ePX_USm%@s#TA zRNZ98`2#A4ecIpD5Ed8khT5&BcKLEm49=59xo3{Sl#T&A5R7cSUM>7~*6;vH*H<_k zu%+{pJ8WZpRcud%?q;0E|2os0zrOQ<9R0#8&YS|hmOYuyGCUkBuOXBT8k)HcJOChc zh;6})>1c0^0*(W*!_2oC*jF}=t-K)VViIuJ`wxAtE+A<#1isrX)w2GQ~W zw5}pDBUKUGZ4t}QCNRI;?q!b%;BJfjLqwb z*O1B`G2vMD08tr)r)hsr)Iw|1;n|hLz2P*{kjLQaZ?p9Lh_?~OAVaa_&xZ&>`!X$w z9hp>-Ywb*5Vldg>5Tj~fP=SeI$LeF?bmsXN^ONvtqeoy|IrsG7CFg0r9!^~zbGJd{qVZSwMWhzRYlU6q^hRjYYQ8aXDck6ah5U|aj?>p zkI7`V4{d9*0yf7@Dz3s9V#r@f(7lWTcf zHU&!FS{#1>89?U0_3_C_o@wL`<4HpP8HNKXD)>_f(ge(18^_I(6_3iMPo9`)%Tzr4 zXq-{G$*B^mpDHIMj!QLF16bu8hJ~;<&x|(IPI-{OiB+wuyvxI&{H>ojsI__L|FT+l^ zXO5WY>O&C;Ko&=c2^3w6)CkEAnWQQg46l088pOdB0y2`3hpr>dkxe}Jx{uV|*DHJ= z4zAyDemujd2ZIF4`7H**rWYMyXO|NwYzoBoNy&K8VTLyKAWsMtn+r;y+?%q-h@$SZ zKTTt8;W9_l8yU0&m$w6|7;qAbz#v$+O#K76a>4|gXI@pcTeNYS{a~*!@;gX7+ zmJVwD^$;wUSrusBMOTho#WxUT%+j~Mokw+3rzz*&^(aY8_#gpucJc8Rxd8C$me=dV7#JYb zWgYr%?Gp$a4`{?~Ik;W+al-!pD<;j-a*^xcP;UXdAlLC- zx8@eT=%#6@=g`7ILqGCsB>N}mp_4LRK6oXf0ZB6rFr@K}(1d^bC8aVWv-EhQ%Fos0 zCHiWtcLB6g#Ce7Q|3W^(VeZcJ9=2G`of#U|g85MKD29ApEb*2U3)Xya6L%Vv+4&1k zt!{<6IOQuMR&29*|6NCY%5uB4b_xpMXmOQx%5SQxj*unjxkQ7h>|0iIl&Od*xYCtWQN-YUmYw>L@%gX23SDUBTK*_ro5en$yyf4F0wI-;fv=UsuiAE`bM-s&jg+=%TU);EA5hJK9hR z>r8wwz%4I0FMpu8U-SJ{HbBAlMB-S3{B3q|iB#R!FsuX{z9G$&u1_eRU0}a%MS^Ss zVhFTo=K<&Ea>$_?U0}@b#%Z2bSm3*nHOZ$8=}~Fx6`yj~8PTx%8K2UCv;z*_1OWId zzH#h{C&?~^o_yRNr0FMHv$hJO6eoz<^zzk_UMkY&P-4XDc&AHhhr8B`YJHyJ#3Fnu zXvfZCw2}z7nqKsXUD%>#qBVfg)P$Pyu1PJ|dqJ>?BvyaSvqf^1(>iT1NJIs!n1bi^ z8l<|FLud3U4@QZ&G-pATPgU^Iv#0^=5&v>vYi;oD_aH}?{ zUA$g+YQ@^W1&F*8wCmF)lFR`n=)5!>{1e}0f*qmlF{9=YhwmG}B~jBcDLGTBHylg% zVn5>iBpYVO)QC+IOTd|p;}I?=eiCJI*bGw{&Q&?fu}?whnj6w}UM`5 
zhS`M(6DN1SOsm{Ym`_64&`nCST(T9`h!(`frxwNVAl>?4_6F@5sO?TgZs&?1I*k<9 zKuQTh)v#4AFk(W76QpN_lQu{%beR@595zQD9vfgQ2)65~-)jb#LqrsXgHV+`i0m0AsL)+RpO{o?5GjSVlD7>PVRWH7d$DP}xD8%`|EH}Y^w#x;$2 z%b5O(3?18gko@WTo4geCsyL;k(0qzK5;l$@OhdM zv*3{X=WLGaassmz4UmLxvI{vbxypE`6{2W?{3yWHE_Q8*~qEpu9> zk2+)lUcpKaNoaH&;O!8f=ZVFf`WG;Z(#EY6i}d)x-0cwUM7<;Dbs1Fm(3 zO!KJO51mk8Lt*ZlLv{iyv`4jV5J+u^%VXXO+7z&dyzL3I?iKRj1Nfi*&eS&k63jfG zmtTxD)o;rB%m0DKp4@=dBI~GRV0JWmTO1FQ3XaT;G5&5;P~9TjfW?gmw~4673dX8Jn=3bM9+-P( z%$B{>)RX657S;{fk|%z zPkCv06nCz`WO)JN;=-`S~EP<<{SdC33+(fe-mYnuk~*GR~TpVR$Auakca{?IuobLSE&@izMY?k zp6%qzPe$1}))gvrL#ZQshDloi!z@P_;#%f8?J*Xt*4gWvgn)4Laoj{p?V#>(G{zsq zeE>xRt-*=1*1McJx#13fI1PYvmvpUsjJwDMfDPohvK*jU1=IBX2l6h#p#?=rz_v~@ z$bz~2>pqvNOp-PgcC0vSx%+2wCHZDc5sLeA4%9K3^Uo72mY}dq964kFGjOpdt zO0Rhnyfp0V>X1CW*cfSg>lH2ovjeA=2x+71;GH zn5=c1N=pOHNnq1QCf&^0raf-|$uY)~d0!(hDfQj_AG#esh&FzE{yFC|1(L)KYM?ui zQ%5$XBKL5rdx$##82?+(sHfAZ3+1W3Ajs1N|-3iArOT2AP z_nX~w;GKVqx(xW*b{Hi7|K=|nAl%|9q|-hz3zHA53%Dh zgA9Ya#?;SSCZ`>tgUjc&1Y*ySAh!teYC#wx+LWTVN2)=Zx zo1pj?{X1dau$r+@sGX;FGJ3S;|dB^FkWOgr{T0V7gsf2PpcR(-~Bw zIan%ktYFi&F|FT3Vy$hKlsdglL6U__%$K-0I&_q)z>8ykx$0jrK$2lc9FM^npQdKr zLU$S`b!LHIy>JMWhauUD6{i62A%0nr129X{I4||IG%PjBrV^tFUVL)rT(PV{%-yea z85s@bZ9!4?Gz~Ta9jtYcYWmt4$oW`KaB4`zS%jS!0F#aAM(Q4sM&4+;!)q$*j+}{{ zdTl_PXAL!bKGSFnEz3O+l{|yNbEA>1co^F!QRl%&!`0ehU09;1Lbm{c1v4D9j)=`< zs-qSDz^W2dZ@d^%{042Xw`{h zf%z1}a+rIoNgQR;w+G%7^5XV0)ORwN_trgx%D@zPD!2+Q$ngE+?=+BPr z19<>Xt`^CWR*l)e258e>lCulAM(BEsFCMSmOAbfqgE%RVbS3M7X0TFwXYg`VW;#K5#{xS2lgMy!CLrG(*VqdAT zWeF!(N0it29BU0IplI1-+#YeA@v<~-mE_JzR~8+G7U>uHI~|`)6gEa6mF2{#qnoXf z4+>TYg^{Wo)+iNfiOJJ{PASS9och;0B8ZG5qaJ2z6#tdtEr9D5+9nr8SB5xw^hkND2<&?I`Y75KZ z|1AO-wB`c2$MJ{|X#lqxx-Ek#aeFd5oXtj5f^a7DW@>|t`}qAivy0Bqjl61;e|9Q4 zG+kF2rm`X9Qj>z;^RELo7Uj+}Lu+EqE+SA*`=Ibd^crnPf*)qef zcmd>457&bN2orYt!o^+jNL~Nm#2?^;MU+W;J;M(-JMEtenFMTKpbrm|fYWV^~b3DJWQ;B5#S~21> zjbOh=I;+20h|$EAjoT@(T|-yT*x0%m96d6vI6J;gKBX?IJ1We=*wEmZ(=({n5`)>o zQ2t&;eHlW2`&?46;{w<)^p4^&HC6F2sJ{Pofg9B;=i|<%@rIZ(whxO5ZrHovZ!*M0 
z;O;Mw#{&9~MlM5&EB(+7T6VIeb@l~MjY5>|m$p|}lT$Z`mZZhGEq1Y~Vaz`1e_hF4ZW~YE8rS!I~rDADHps?kE z{t>TFY;{Z@Q|1qk)@S_GOq4=zWyUiR>ND(J#&6U5SmM=MCvr zPN7g-KE#Rg=VUK>ET4dCKf5u{Dn;7zUai7w!(&QOm;YsgYoDU6)7--;QQAqk)@>%) zcIB_wYQ!B9c-k7N|1FC`E0#hazEQ`~C}5Qxb;GLF>(lmQB^N{+Azn}7{+;_YQ-8^% zWlnmd!QLQZTKva}dJRjWLict%XgE4x)80x4EA!7Bc?li_e0l;=>jNYR)~IO4W`?^m zYS)9(H{)Oj3I%77rYeY!7+gQVwLUNNY_=(=IWh|!?qf5N?2tW}4edSEWZ@k0@+fly z0oHgs>ajX~vL`$%L5Z>z^e*LA^E|=r4UjTn#uz`N0fs~BeOQcXKXLh}bW)haEtrfZ z*|@qN(+C?P66G`*DuzMSl6R=o^gxE5734~fNeWlEIW0dHrv`{yZV&3#igLc?8AHJ46C}JBxX^+q$E})*8fUKe zJu2Toy8Ra$voY)FCP13h`~?|3w|58DIPvA+{{OkB9fn?Z27PDm- zK~k@;{E*jP>s6???S}lGv|4z~*Y=zeT`rRiBoznjHdFI%)L($oKo96Bv$$w?+X0QV zI}mM*%vgq14NeYI$sYSbAjIwTvRX zx*7sHmrTR)?_y-J@e!|9ICXxiUK0(n5qJTKWjb@s8G?KUsBgxJx7mMt+!dc#Rtbh0 zMn6DOXzH}k;V0J)Ars6^aS7}3VNm)*(*X>sE#puYW^hRTGR3=r0ibB4C(-y$;Lq-` zc$HZ(DbJ#cmP$W|`_|4Ot)@#$KiQg(og79Hog)~g?NyOZ$kDgnq>Xx%T;7{WAVA6! z(bc$e1nkxr;#@`$sKu|<2mOkI*v6FZ1`Ygd3RAWaGit?XRtBYCvkVkrASF<(mGBE* z2~{rn%8lh-JG`;@T?K{V%MwP;Vd=$_&kw@(#O~DboYW)v zi2x$_LGx1%TTq~$J6Q?p>)aogd%Yh*t?enojZ=QOamy9FB=mmz&;shg3-H$t z23r)b2YZzlLc(nxI8hgHTqwd){Kj*Qi6&}}j%RKCL_dd)f|?|?DMuYEwY1J82D*5aA0h%`#k$DC0q8BnnUqgtpVg2VdF?r>$w%saU#V zx%E8DA+I>!3RdWk=K_kv&=7-;E~)A;Bm!t*HAAv9hgOUx{?;)Pr~QmTll9e4GX+8w zi^=Rgg;i$-iOjWSwr)&$pJ{711_j?(?U=xa?-xjTJkua?dA|BsQ_}FcK=)7aqMS`p zZNw%0FAm$2t+NO)Z-ClzOM&;p#>yzO7sH*!K|MkT13&jC6@DyY5qmSf_L8ps3R;Q_TuDq9}5udoS}>XcIeHXU^QWmef1 za6|(?NJ%?n7dy^ZXJllkO9DY7aWC+p&%3Rk9|^gG+Os-u(hlC3;ziPbUSlaLKp&;W zdQWSyPI$_Qp3#q4fiJP==Z1}zDhMT^h#HCNB>WOwgVD${p<*+`r=f^vXbXk!S23H` z@ft;XR+xw9%M3s>$QJw2y&CnSH@wN#YGmQ-*#!v~6o!PA=3vw$qywRnY@lF#ua^X^ zV~F8<^Hk`KbctadhW1Po)1*3}(`kM4S{?;F=ap`t@*?xwPzD`9n@9USodXNSDkxwy z8|;=2w`GTO)6srsSI>{a=e3 z8Iv$vGB`1lbBqEpzE?K)PrjDHU>Flh*%?717?|nC#TA3_q^CD6TIYgu&nb;}DabS6 zGs$e50@Gn=jg2hDf$cQ(>KzmUpTp85^5ay&)11aGIG5`~6x~9y^0fGZ1aVxzkSo-O z<}9vu_)n`PGi14d*Q7b(hYg|S-B!0b%-sZJqH~Mi1RUhrky!63cGfehL4x_qe9yg= zzJA96>k4e9@OloGbKl#3zafEHHeRK@!Th+Yi?3D3*|=^W9Tz_5t?ImSwSwR_)p<+) 
z8Yksq0<5a>`g_(B5MS@h8p>G|X9jBtKLhCZdBrN#C0=TD2oQ6R%%Y$M<)DR+c7&8Cr z8BcyS6*<9x^n3Zr7`|j}q!p6RQ1Xi)70#J=8}8k@b4Ka}av{Ftn!=+L%l6el*{J~McqoLsePPV&5>EGKRuG|2_C)5kQ%r(ERO1o`gIF%h`RA2n98_>0TSQ z_QxEv$~7rWwK#sKO8=$VdzfiNT|M*GB#$htEI%w)@f4grrDaami(!!R@d^^9x$Ro^ zaeb&6BN_qkkb(5z{ZS&Jpv6!G>rn%KYX}A*H;s_m&N!)vcbudvn`T?k%HcU1-xJ6# zPsE;+bPBb5pky&-x4fEolS%P}nL}hD*;)cwsPOnqN9ZlB8g5*sLWm0Z2H2rKo3JL1 zl1k!HFYb{xqr5oKAP8ND-ktM35-4KTEVJwXzfh7KN)j^Y!nB7pGLBpxs7uJ+pC7u$ z?Eh-|98Jk1Sq%feI#rDw8NP(rb|-#me!oCh*k?8vQc~fNf6eTFzE)69RXP)<4NoUj zOa@ui;LRn%DdML_uuXG+)0Zpezv(?qc1x>|@;3QjRwXx}&ckR@mYe>OSZ;-xA~nf& z#L4ey26$4vm2}z|t9xBfT#26$W9jN*1zMU6Izt;azIRN@qZ&7BTSJ&uwU=QW2sn!a z`ZNAxR!G2RTDHcaaHGoz$2}Lb=ocGHXfy(6TjQO_B5ew(dV}Z$Q6QdJi3}v>fmfI%Y~t1xbYuAH_hFdaH0w zLl$@}cwWUPg3sc>B}cmWk7+W&goqe!s<<1%nISJ3MzA2o!UVBwuUzL}w(K9#eQwu{ zCZODvO^|hXeJh;#OB|?ik(RmwpNlJ!ehvN8XPhsCJB5cOfrqB3WUZsnTQis#R^3Uo z1~v6MnQ-FX{DzpCP1-vW%Jo)`nDp?n6PmwnABK-cYteg1VDE6R5%lRfK|9 z-9Zi|ZA#6@eFi{gr^4-kGviuW-zGq$B@!UnjaMK|&Qxz3v2`FGXm2^+YSL}+oIp3&tA^gb7@yFD~mX)>Y5@0OmSiS(14BZhUcy-3Xvs?|M@PPr$ozp$d7kzV*q0E zC~$aC((14p6#w8n5Ke?f(SmE)JhZCc5XO97Q{oC&UT?&1<#nzztE(}XyFZ>GhG zuX`+gEqW0bG~9Ql!(im;pA}`AgSK76VQmJE)|K#w==PxxFg{<+vvQVs@83Dl8ZM?r zALseTkP6o9iW^M5SzwUwe!DN*<0xkWoPItogn9TIK|0y3JFX7E*Sf}zOj3s6fsD6w zEn?e-q05&(D!9q|DzS+)R#Sr@8LX-ypQFyD&_29nP&ahYs|nZ{{hwjAP*fLBlh~4R zYV~G$Z~V8U$6$|PC&TXqs=^2AC^%y7j8q9(xhJe zk7cvNo%5m;_#Z#~hYYb&eAr36^Ta;6dw8fjM?l!Xt(>%#QAl2F)o0ZlrzGtHry01wJ40L%(Z4RX@9a}L`Ef{833NV1(sgWsvn zO{=s1qS9wY;2iieREjlgqoD+JVUziMzphX{>=@_|tJxE{=()Cb11%Z8baRo7z1)7t zHJH!{l7ddrD0{qQ1fDr+(VU1P7PQxsBnS9#=v{=coG~2k`~|5#m;S!;H&Y5WDH_og ztmusL+f8lSFW7K{L+2@usXD)#9Da|qACAbdRLm+@G{eh}W$^No4=NI6!>y7s*{hh^ zFs>JdP;1C8Y&SDnQ_X%i3yX#=sHP=i?37IswU2pWudxD?MU4wU#sciOlPH@O$XM$z z(@1ln3htTi)9V;zwdO+wIH<-Ju(NexRw5$roi7NJtJrDV#v>-04m%$~8#tCIt#iKm0UA zC~Z{(^?0UWMP34#yI{sfk#1`U;RUBhr&I1PI%XN21yJWv!jZSt{w-3zWaK!@q*b@fXYfVhO02KW&tnF z>jEj_M06Y`3+u?}F^*m_*TK4Iy$o4_hqAtFM{lpe^XISX2>231y{hHdM^~xnn=J_) 
zW-sk++qyo<%k>aFWe^|<2GikH*w@m6>CWDXle_y5M7)iVw)P7TS^K*7k#fhH-DFQ7 z?pO~i4EwyBdVWM(Ue`SE-SO&`8ICvhMa^V%9Z*~6Y#e(Zhk*%}Ogyk^^)_V5b*5MA zf?*p_H;!5qZ2r0ff5i`r$KHO-+QfVUaXmfd+V>Ec#P}A0YpN;@S%!`dzal}{ldwd; zDq(GoaHI2yix1m%x*fus%3I6%U>q=^i-+z_bBEaMrqi4gO<4$2)aN`f_;d!@LWBOb z05%D;98h)7g%~$%Hbp=13OOgizfR-c8&Dx&nUAEh6+WD#B?$E)lY&e{NHHZ_vlsaB zF7>zQ9R@%G__|TJj*+p;ot_dc(rypUh;lw~)fy(vIO9#j0rEiOszQ4)`U~%TSJr|E46C|x?4(+p*H+gP9{nNJRS)* z6XM<|K`bunlS0-K;>@`lBO`-d6%JyQf2By!bzPW`?DfO-6;j|% zCpag7rO9=TRrvu`8XRIBJB&pCeHowm5!qSYp%j+q6M*pJ^F}SgbSg(*m;e`JA+}ap z@`d~S!4abzIH1{H8s2~R>-%)tWL0OGX|~+FA7WABhv1ZMVP+mS8#8mH8U)>%Gc}P@ z(-{QYH9ypA`lzxUYbfk~#Zox~luROL-F(?f+Qf;&r^E-erwg3{%FC1)v*xK$%T-G` zZE4vfMJCGeK8wR7r$^NC<7l7(!oc7$V5O*9t_UWL8qp76)N2#Z;6Jx$G1)L^-FnnE z#p@00tno!Mx$az5IOb!3#Bg4iFpp1eH=J-G_;4-?K5(* zU$5nH?~j^sOi6ef#Zf1WtY1)F(+tl+UOr_LDh38qL~O`C;sX){jQ@8301Ocj<_#)O zG7RJ4J#7)abG$iVXnAaOz{*4H9V49Kqs0jY#~&mP#Fp)ov}mZ_Ir2VH1!Yfz)E*8r zTyMjL0aH(%THe=>R>!R~EtGt?c`oXQ3m^hHB#`I<0f9wF9lt{+->m#E>(1@Y;L+gB zI?oCzwyD^-i4j+bsS97!vEm#NvwqXZ&(qnlI6~yQIbb%(ZK$a~8S?j7;u({(Vb0oKJHPvay-|e~ zY{XJgyInYgmu@-%9v)#hFwp#x*$>Q}4LZ6=m8Y>^2E&{el4^ccvL?ABYXnd?>8j&e z^VtpOKqP4aV&0X8!*kjKGG?5#O^m%AbaTPDr)LkGTk|yGl0lArN$AHpw;7U=ntiZf z!WinolyICIn224+eA5?V{IuxwirzL{az+DU@hvf>H!z3yNAD!=24l)<<#G);R;VxSg(9`uXxWugVe|#cBQuJfFlsc_h39 z`(0ngB>;mcG9c1P#%Y31$f-^a&iqqGzpDdID=ZRlRhhg~MF?3xofcyy(Jc)z+~7** z8O+J1h<{^QbPk;eW=CsZX<#1FOBkIv)#wri2-1`r)J{`yEAC(*%grPdGuw zQ>REGyh&Em*plUCswf1ob~Tk@<5Pxc4QJz2AycIz=(ZZOA>cAU%ga}A3Eb^j9-tP5 z25b&4J*|wXq^#bmd0|{1-y>T|4?Z-fX_W#;wqrG07;NOhr0x{u4q~85^=^J*j=c|B zOR@#KIDdu}o-ZR1z(;|4O38Et^^PXaskY8t`*TENKn;*|NES;95qW?oXy&Y6_UO8L z;VyM-4tS)ayeDaxr!kxs>wraO`aqC;-zMYmL7HDk_<%ExWQ1CCy&tc`^Jf7#4r~%& zdzRR-Kbt%qf|^HY0wUnRW)8#Kd?bByEk}VBb6jaB;k4Z?;ZbTuvd;DV4D0cmnKjnN zw{9I67PV%U$XGRwDd>#)OWq5plEUuEhxORY$r6{HJqi9+v2i55!M&rJQ;!E231J{ zY!M!Pp>d9M(;YAf(k$vE)o$5Ay7N#y>4>(SIV~M`N{>%4(6pDKiAN9;t-haMlyI=q z95_#-Xo0(1*=mVYUh_5pKto2WzU3|R^Z(zQrV5mbpRXb@FB 
z7vDI^GrW-7fKjjgxBfk7UCWQO#}yeeMYs83eDuG(mtCa{we^NW|M;B}til0HC04=_ zxk=J+;9CGU`Z8~)Yc*^a1w@TTCiAs8B9Jl29jztU(rL`=XyM4NPl*jR7Jypx_X_%& zwF(c87tx`7dd`1gQ{6N#D>xSnt1j{bWxe`bih4afm?u&h{N=(zO@5i*ktwtD3`|Dk z)t7~~#-iWku~#~d4x*gZ`WqYDJc}w}KmqMk2n7Cyw3PSlm0$BL&?nOde+@n@A+vzD!OIjB@f2n4tN2&1Li570Fv)v&aNA6 zg?`MuXp(=^=;%PLCt5?L!e5!0u3;N*5eKNV?_%itqv_bk(jr5|%9M#F*aV3R=wAK} z-#svME>yQejG1u)KICG*4+>sgACR%1k7H14EErcb!_3hcTkK1QBKyM+0RafGItO8| zy0N^!QuASBTJV{Z#po>6q%LkWm#X`EY9#|YGeYBoygGmdB)ac4rrj;)=-wT-qlqMM zP{#Rt-+AAS!9d)oy1rG4zVprYPEt8Ue_1)^{~Z{RIL!HWY-0G+%P|*Za>Y1v`S%vAMMht)>lVYI_$3AYzO!P zQq0{gtsvrL4dNC5 zrq*v2G)SIe8vCQhxgkE1CxsQi|6x{S$c(u?nO>?mHqi5#>%T1N!CZi- z9UFQev~=&0D1RG~Einq_EsI!o(0|v5Wf>NHfRS32Aszn1%IpJXz?nECE=RvTiyOYn zIInn-wWlnwhQt@if({QS$bf;quxhy6Tq4i`9S%8|4c3W|kfoCYS?+Vw0^v|pX#H@s z2&2Lrx%xODYuON^)6v?GEYjGv`_5vNsSH<9OU2e+@{o4tQniX+1CgCP>%lNi{Q#{*T@aXt zfRmzg)a+m$cs?);D9}x+XDS3Aujo2OdsM1I+fpJ>eEsN16D%wl_xYJ^TpUl0lNu4^ z3HN4(8um(253y9>tN$obj8&&g4>@N}?S;4pRZ7-lLeLwUW2AH1R;$m-aVxM#)eq&W z578@VOX66H%dR!tn>KM(B3!Rp2~prdb`ReE`ADGX(qOu?#vYm#@*!htAVXUqnBIc= z(xAuC%$?Ro&Awac9VFaOJx67RWbfPZNl>!-cePfZC$p)^B34tRH-1?H@~mVqu;yC# zKHaj}IXsc<^a+%Wx!5k$A_1rhKE|YH=s!B%wOJ3^AdUfi0{90+_Eucr($5@6P?nWUNv=4H=x(ZX>tQzGZYeY@UUkz6 zYf1lbt9CHxBxkwtk#v>E+}2}~0O1bPDVHNoCjyr*K%jtr!_NOqr(k_Fp_jE@rRZ7k zU&$kRXxQ!=o_;hkBB?dAB{K%AP*v`$=zpx`PMEHal&;@tm(KmUW2Bmxyd!}!s0&s z^W-ZEW`-v?1ge!#lVYkzoi!Tm+iTd1W-w94S0==Er`(F?@HbRw>NM%kQ6h3@}>Ut;jMYM8rwnPT33-rV3@}m)T7X=upNlOE|smG2$a?UKS6!9<}x=qHadx+Ke z^)+9;2pqXO1)^pYp31~fDNHsg?}SnwlR69$Xz)tI<_LSI+grA}Jq74P)ifQ=Pu=x@ z5X<5gFkog#&9{)gq-E73hYM;Z%tC>nEDhIs?kT-zaj^xf04=1j31paYbYVuOyiJ9{ zlZvyT$zP;J%$1+~_Yul`5o8hEa0 z??E2Tuxw#YLEr7NHQqzFa25p)$~1#NDmD8u5cNg3Qh?ykDy|Ev)|Arrl$fJ-PMYDQSZM$TE+ttFm{_W#gy`*f4`;=*?WgR6- z5k+{%CqS6FCOrjvpyX4)mbsI@*L(JO()r)mZEwy(@GyW-n>5dTx_@_`kvm$teklVOxlD$g_YCkQ8%<`b*^L^3)%d*ltN2vC%}s)$fK zX=EO+iHcD3@FZYeaJ&LU@MeN#>5qSeQOX#RDM9L|)B)*Ehe=d!fYWoaXugiQeIMxz zwPvJL^A-{i*q!+>WPv{JVoq}IbM0Sabao=mht+TEH4p&N=F2hOOweZ`dDt5+f*LuS 
z8ak!?T;>4l$qV9J>gjVyL*97ZwgKA8&ByJp=q#Wac$EfB4}LYje-a`Q0>TLs-HC_y z%-JLWTjcbbrm-J#nN}W^>7*Y1n^ar2b_ZHJ6)F(bc_^EDqU6TUal*BnjboU;CS2-Afy+Z^q zxa_#(*rf+j#eZt45em8ULd}^2LhejsBb1==h?Q8UgX4lwdf8dtLqCvJFq=JXGl$!V zC>{IZ-rk}Js_#Fm={PkE6Jr7=gotnNlz?E-G73Y>{NsT!Zm&~ZuP=1_wS1t}dObTXQy>!qPh}As zg?PYYt_80WvL5NfzPi;_8{fy6bsrjbSvvm*+Aey@T(Wt)CO_UL{LiY^&l!S$463?A zVzY!}u?`#$vR}z$2LLOyft)|R#k*-wR}%C3B@1Z&0O*PE8qM&!ZzBTU7de-?zW${X zF%O&%7!V<{i56pSl7OPc{pTGL#^UHmT7GqbVuqC!-<^rAkxrA=?){7!XU#d46xV|r z^{rpzs(vA=6Z7zPplQ&ZCF32Lwo34lB#;w;95yC|fsQZL4C0PXv?txobfXqCbv!01 z&l{R}cg%AdJUl%H`DVmle6fXgbZ-lKqm$TPJ^I+o`rk!tcw)Oj`TDM11Ptbn9YbL( z59`3nwie;KA8Av7DsLhRH@X-wnr&zFmas}US1RcQ87eLFsJr`y3r?e5rJEDNnTGmX zJ_lzS2`@}F(ud39O&*Fdg_ZKfbti$Q98Z1zv90t@<8&BVO*m*qX~2h|%Q5_~D78{_ z>Xls^5vi2YI^r(zj!Coq9`_;yE=!&UXx|{0S$KRvezKos|06u0HQrM6y;~#26cSmM7{qaNEZo5I+qrK;soLqn!bN+Y+{{GI zR6jdn9^S0Z8S?~Lx*+@V{D{VbToc7qlN zn=&h~s9X#eMh}R*`+XfgIi)rp>%X*zUdM+B4N(fq1jD~gt4y4m7MU;zq3&^s?l3vM z3wNzQ-a66M`Zh#67hSJODxP3!do>>y$(BxU@hr#7*>s~@ZMH<-7YrQw#MGx6CVfQR z3$IHc3}FC21H_S3;8`#v@>;-59#0&d4^!D0&2jy)T!OtgzM@LY$Z)z;DelsxKbxOr zg`G23^!K18z}q;9x*hfjG6uVW)1-KFh1_I6enRXE`GE!PDWn%AvIFBD)}jY3p2NSSsE1KmQE%E z08wwC+rr!+6XO!Vz>GFcdBIkjH*IPVd;@C2dKphqjSH9v>G3hScuEl=&4wR{BqjH= zeaNUeKgC7Pj9HkQp)@GARC!B%-lsk59J}MWCChHZ9(mO=Jt&~Vfnv{@To-?PYip*v z*r!udoFIL*?=&8M{R%guQR#uZQPEkwH3-dGFm_8E{|bp-cH4ikOHuIUAm$o?r1oQ z1)dkIvcc&M#88l96P=v@+iLUi5fuxz4cFp9k7@7xzI0v)7FosNtij}eJ|~hG)dF32 zOqtSJo2BTFO_oAe$)cNYisg7t=VMM&aVlGWC=epm6JLcYL|hh~*edLrdS|nct+$tj zZmLFDgq*<^1kJ9xjL3dx-WKRL^_GXrkDRC(L}?F`vkCh+mGq&LC68H=ZTOA&VGhL}tS}V~H@DuGrgRA9Vg4)c$OY;7=4v4b}2G5||Jw7g<8Dn3Y-9uM7x)LwBdlnGRd1lPTv|5ht?KEd0flh^@usHI$gIyNz=_A~ zNcZJcX)l4dIO8(Itc$k%+87{c<6tGlN(LV``r7D72yBKhn%m5H!GRG##oXtgyzTdA z$Y=n=D#XbZ*MmMXxsIvEccr;Cr1Xlc$^2m&t6&y<4NS{g;Y>Lm>&2?DqSLv;xt?T8 zweYrGv5;c!oxi6Mh~|GKJKnQ<5UxfRzxo2jzBWF#0t_@FEm>#ik-+EpVcXd%g8%Gb zXcH9K)NKRk<>%9E&=!@R-3L>P9@ixDbl`x{K(J4YE_7JHeYUZU-haU$5)HGO1_>7U zHSnLy!bdQ%W#rPs5H?eIXWcFOJ21z2FDEfFUEvNV3nUJ%h5pBHX%!3{q}j4-lrf+L 
zEx!Y|LhF(UM9Ago8pON3QZEl60P&~=bs&Z9;%$)tTUOv!6xe;Pp&2N#5|d}f%R9cQ zXByUJHpai9NDHvUjx24*I}h#-wWTTKdud)Ga!SU|;3zm_^@spi2|yCL#NZGFKu%m0 z4hORy)Kgr9zDq~9DxBdR4N@$yonMI^-$!$aJ+h>eZ-x}gdcc<#{TsUvKsf@+%lko@ z4>@-W2T1Dij=n98(`A5JG63$GK-NOq zY06(ZhT?-F?3Gx(qUAJpD+9*BWOpnv1vVxK!2DO>M}NjmvG?tC6ivoZY%~SHY&lXo z{^_H$TGszD&{*21=OXKuoO}f%-XmP}>0eNF(%28(tV|a5Y^q$aw34u3U)SmkK`GpC<0OAAy4MX zRtdnbYzI`@b6fHW4dW3p(6w+g+Ax+@XE@kz>PU42PDxWV)sY#?ZPLiC3Ijx!eG;(esXuHF9Gy5L4N9~CQ zW>Kd1(YUK9Uo&GXxmF*y)C!2<$2@jfS9T9BapyU4%Imd>;vR!JGEqwOFcm{P+J6ws zPKO^0fpHnu^({?RVxAuXr^cq7$MAT1%* zHu&=EKu+i88hGkAD$#CJh*0mTA0O*N}9y>f@U4Dv>t@@RD=(1;IVSv|bd@VP_ zlKXdgyWsMj(i20pF2QBJ2_|QNliK^hj!H!&_D{vNetYjVLZKGUHSqy5-sbos=AF(TL)>pJQmnf-uWn2HqNG2qE-T{5N zVLOaBshm6qj$B6z%~vZVdQ+fT6((v2=I=yqQ9=SU)UHUKP?C-3^^iR>*MuNNp1gc5sJ;)2R9M$Ws4-bG0!O+u zwm}diO8nUL?N4UMF!`6Sj{$oI>pXbsfiwKDKj8pnxa({|B-i|q&Y5L{&MfmEaeSo- zm}UMRuA5rj;ht89cMHusgf2Wy>d>8r8ZP?j?A2%7DK!B!jzj*2SE+EA#d2@wX|BC= zx`E!!@Nw!ymgl7d*+?U13Wo1CI1Sea)1UrabC^Z%2a!#?CvX|^l*E&h)LvJk^VtPl zd4cyDXeM6TY_3i+b?;1YmN;8Pkuefxqa)U~&X)Az4yyiLtpWF-=|4!L#JJ)4za^#k&W(xv7^Cac?Bvl*zpt3;T_H2B%keq24%pvo+scl zGxvczDGocP?2YjK{G(U)2~ zr`JNB!+>TUIw^|W8-PKn^7xOE_aoF+o~JuAH5g;HpcS-52Itz$5D)C;A!99?jH-Dq zM$P9B8{{E{3i+mZp35TD4NqQ!zd1*|T#NZ%cVbYaEf_3i?)`Z-trKNP+VN;mf-tiZ zns^9-+=fRlS6P=kg9HIoSZs`8!yxWx5zx-t_*94ucKmQ`t8)m^!mD;KwHvObG;49j znq(GcG>?^9bgdIn2R$ts&qwk)VPT! 
z0n$9}`2<}DOg;iYVV@(JmkLclPm*g+u2%*+g8M4Xngn~Gm_0r66zzD|sl*){`PA>Z z{F~{J%=pio$yiGuh#So#5I(e39ypyT`gF!58lwtH);X!zULAtNTBNywhdof6{99GbNrRcT_y>hLvv?&J6#3_ z<=V(h5bZ~eqCbjl6hS0A6i~6MMP;Z6r&PM|e15>nMMXye8h{;>%M^o6y_ZX4Ia* zgR-y6LG~Vg_}emC#p44UOe1R>U>VBvIPDLRAmQ*mxW9u?IwZ+-Y9?QCpSV-A2hWG| zJ7@YPUDu}5gGX%v@t{Re znP>sV3@}V4ILL)RrlwXQa&_7^I<8<@yZ1osKLAFI7{rXOy4BFbNK%qGYB}xpQT+{Y z0V1k0a+bV*$VXj*^2qE59RqgG5b6q6Wi@oFRI$23Yy6ae$X#U{Gfhh@2TJG?SyVS; zFM0v`L*2w=p@{R4hOK3NxV3m+MveMzmr zAJH|}bWo}Xv~RkU1}V*3&K)cXQ@uv#QwqsW=sVigbjHop@le{T_5?|u;@v)jD(OI( zdd~Jg-zCyqqHQ^8@xLT)z&84%>GoLWYVz`G1Zs*i$&yfGB+5>6gc9vkHZx}mU(Y!; z!YJ10ae#2^G1oKWY+@bbk^rYJ2Jh6)7BmVZ)(UvZwq@`XBdF)Ik-n=3f?D_j;I#$` zIgNb`v;;}85rG6ZpIn=hT0}T6r$mRFb`P$YdvNZ_H1BagQB5WkeGUKCgJ-fSkiE?i z-}OY3vIX!I4&9&`N(zU8Sa+>vQy)%+v*k4BHfpNqC3gUKEa}%sQig36oBibXtj(a~ ze1ov~5Jm#%i^Ex=qsaNaPpe6Knz{`HKwmaafodvoed`)f^J6lL~zi=Ey0bEIVK<0IWmOKsY6XQNZp=osc> zQ2Y#9IoXu34H*q$gQm!9<^dfDln4dXdCbF4p=SZPk{>er=?q#73X>dz_paG4Pv7rw zWyhNo#5m1`@Ut<`n6bLM>2}BDF(WNcDTn1^=X1=*{ADJ7IqiY0NL0uN8PRp8Q=8~G03RL||0ZJbBX zeicBg!zP|3dM5`b&jnn)lL4E6F_2++kz0Vj!PO^@&Qla|3QVm@78X&em|j@BTt(+` z(T+j#nuk7LLpPmq^+io+!{pQr*hZZ~2L^g~MOncc)6jo>{)8lm%^{1Gy<4(8IHvXs z{Yg@t+3Y()p$uBAkdoNVW&>>tbIs9Do|t|~?Z(7->Oe&YfYu+o1S86I#pMh8pGL@1my#zMxHo? 
zT@E0tkUdgDlL*#+;|;v#ja>U-GSJDI5&ry=#UB#WHChm12m;E2U~s8zcWnQ62&t*G zi^M6PG}wfI3!pH_B#i3j4lv>TC+JY-tVG;I{~-QM!XN!eD-FVROE90EgzB3;64h07 z*D4JVeAd$(Z1B&lEuF@)43I{ukL^Jw*BPJ}prF@@jvK z259<2S~DB}3>JZ{nUDn>6g-gZlVF7|w0*hPlZ_+B0J>cxfuF*FYUwVpbzQhJ*LoMa zFt|ZT*dKl%Hc~P9`hki_%yE6d=!W9!PfP>(P&oqdf-lvGLSil%l1fDeWDZN+@s-^j z^rdJqY2)o4DrC^?)YLT89Pc={nqDv`>BZKSX?yd(XKIeG^B;wjj=F`by=p@^Vf7iZ zq6lC~$vuYBMUlAaS%vl+Bqla5twClXqlM}Ns=`;j@TU%`IF8LR`qsjB-%xWfqd7DW z^k{4izldT4{PIJZL4+#ZK`k*}pFQo}OtXX5nwzgDZ%a`@7y(eqQQ}%XZ2RMsLKT8A za=ufD+%+159AfYa^etA6*AJNR-K@F*+sPm(z``#~8-;)$zD2Z4)vcn&_{{Z2Ak=LJq&>L2+n@>KeoeOpO@nhAkTEI% z;N|?IbMp-Mk^r(30aLl1;V|AYZp8!38l7|QS`NP9T+s8T_#I%*JPYEFHv|`@HYwK@qOE zqjo$+(Z?m{SqtP#`l_ws%Tf0f^cjbCDbC?ME9NZ{P9{)cOW|~FEg$EBeOqoW2q&)9 z_zh3fejqns?u=!{Rx0CUUjE&H-zi$*?p-{6GM?u}U5Dd4e$%f+m)VJT^pS1e_XX@^ z;5NctSmk@)<1&q~nb8L(1f|1g*+c`;@{?#|3V`|M64OWwyYFSa?;xi;flVsuWoh7j zdM%XO`!zX%7%9EAut7J#RJ|~wRkJKRs8cJeg_acr?ZGw5LTnWoie#(|jx{`BlI1dZOTG zQxmqr@j1_nJJF6Rrdkcm)jYU&|Fo%5j54!`ks>>?Z_A>$u88Ap?%sUfBJwHZ=I|Q> z;*9wyXU~yTcR(q1EMk`WRaBOB2WkpFu6mQn>51a{w-}Uy zvCg!dsFBVh>J@?2VSNTPXhC7da>3%TOErjKcyu+STZn>~bA&iG#)d=Xz^8#;>||w_ zEr73GHWU~bGyU>XHy~4_?f`lZFEP4&$T*iADv~ROOZLCn)8k9#0qHjJ#~InU21sEr zq%xXMm6o8tlhPJfK-`-ieKcB(8*2HiJHh#Id4Xk>c8vF=3qrv z{MaCEQGHvh22#p@b6O8fvT>-mzFJc|+!0}=glW9j?A!Kh!oybDJH-IVFdO3lEkW8< zr&;N7sRzp{F?~7Buo$Se*j^S!Sfkllwc}IB@|C@_eMZZ?|5`&oh_?1mp;jT*2}wDr73Jo>rSZq=!-4kD zWHsbF$+q0~ZD0ud3e_VxrIOM;WdY?34h`+m3zf~ZW&=i213iP-Qcf!+o#Xzo*AtLW~9t3Y=CEyEv5 z?`a90CNC=uXffTQsA%AJym3v<3vgZ$Cu+P=41?Zu5g9}(`H799RP;&J_>GlA7;Ldj zk6jpI5}Ns$*du15KY9-=4yU!{ksuP z4g|0@Rg=HGM%v+6>pE_Z7P~5o!mC2z2vNAtQeIbl8iE*Wbb(IMmB3D292KQNw41k$ zbx2c@ChTBie(|I#{}XkV32+M35m*9aqOP|OV)R=DlaAzua6gVuxk{Q{<;~RI3v1F{ z`gkywX%FNv%;IfDhqf%XUT=C+34hm`lzEkZd<1&rLP$3w(=$V7udytnC>U)Gw8EFI zL4)*hoDjUSnn*Bhm_#ABhAY&(P_BhD4~*0tS!sb2zETon>KLF?s^VL3`penhB!>7q ziD0x*u8LO}S?MLKhQ;P0;uI@+-T%r{Tx$~aEkJIf7%C3>!V5A&0#wY*qj9Jelh@Gc zpO7jGje1f5NV*zK@qnYl>r*uxk~@??^Wk5zF}44LF{kx_PfY7IM2W`+N}@aP&yLR5 
zImQ30^!wt{qbFM#@y#=&M3Z8h+DRquQcG^OF(!)GAN$y?DEB|k19c4*wdX&}Qkl>2 zl$~wZX`K7?d}PLvBMj*nhmLFm6*@WA0Z-~Mq15{E&+#1%JhN#$pwmO!whPjw7Wt?|H+2S_4cxCKWRpS+ri3 zbqs5H1o=7E7sS)@d1aeVa1;Ir6nEjSHQKPaNn{=Dv{hw-ZiT&qV6}0nFZuVw>?Qlf zt1rwumb(KEHS(Bp#rHN!t_#`#uRD)beW-bo_zswlMkBJ4qd4ca!9!j>KecU~W>Pou z`l?hK9;+}*5SOWBgx9XeAIS7bd8fF17vp#m*Y1_RyTIe-Z>%L%SlzB6F%Zq^j<2wt zPWepq9T*4z9Q`21R65}|?;uC8iIan>cW^2LICQQ`!qerfV86#aLn#5W`2`LJW#aRhO zSKvUHDK{FS?aMV$gT$gu5g-T36le;Wlr4LQ&#Wkktob{y&A(N()P-uw)oMG5foi=M zkC<|IftJowTxxppV!PhqHtzA#6yQ?fKHjKazwV^5BdnM&CA}HDdbOK7!KFYzNWb1agV|TThyW?fO*Lq3vD`U_Kr{Q~#jZ99|6A`wFPNcJojgj<(FvUYD5 zcJqb6j)eHR>>aMgY1*g5l_Xoj@p<&00nz6fB8p=~aE(A|?-S8zAgD|!x@XpXP>LWW zMu|747oVQ-I(vDVYgBEX80~7Nk%El)AL$l!oiJ0e}f2r#_3GVa5cU&>UJ6-=LiB(w+1#zbKCnSplGj2+yZl1po+VvTp|LrRIA%1&L$!EP zEn3h9DP(?NX_xl0F5O693`qaT+IsJ6FU%T586GOiP`ZrdrRVWtr|Xi6XpVjD9}P9z zP>?D*Y~^Cs(q+fX5(6=?pBO4b5*p1tt;wF$h+*e;PlM`c!R69!-~vK^*HgDZW6Qan z(=gXzQCl%$J;j_d`L^TS1N?t<5jS_chn6vmv6NX0q&*06;3HSefx#70Ou@IKDVrM* zt?8UE#UyY8r~JaDbV$x$F;D4)5WYEakp#nwyo()(ZKm$D1h_{q=CP3J1Hv>EH9aO-BeI`FF=!%0e z6rf4t?V$Tq{RM@Rz0q+y`pyt?gkv!OP^Owqmk75|S}%c@XyA(8IKXe#Bf1uk9dAqS z1;h+vV0Et1uZ~VY@cOR5^@45ou2??=IN@Eua~~1i8;}6=?5xpU3nF+H*Bi%e`{DTv zGA0Qj&A8R@%z2yX04{mdbi&F8 z^l2z$79V2H1Bnp|&UY%zJ5FeS>o23ukOgL#{P)F~cK8SkHV0RO+8#Cfoyf(88FWzY zP@`T+S3>BQlONs?q%Fg41h2 zrc{bT`dJhKNP$c<={U0!nmTaDzut%8SwpW^EQ8<5A5%-(R z{FKK*hC&VpQIFbNT?X>i+TkejE?JN7ze|;iVBLzG9!{iGNs#0n3AxNfHuV6L7?;_R z-FMd*$!2iC-ioCeo~cs8;kzPgLX*^C4^Kc5gGD690uFMBhbjUK_+iFjx9%Hy z_=TXwm*ZtI1XW#-`Ut;`mo?h*WRum3TgLr1*rRQ~1LtL2_b<~DHo&8X0Pq^;LfdXK zUd^5f4l0mtU*?5YxR0;eeXW)kjJLJbreeMSw_b$*se=M#x%8sM-E}|jS*;D|T}y${ z;56skpQUF^H)7{j?6yD`V&-Kd=a+f2=NY2_?4dCg++Y;c#+^K(N5EbL-=S`zxvz{D zvtJ-rt-u9ifWl|7T`rn3ZVW46x^61?_VQ(wAMqa^)W`F+K`@2i7-w%Jr8X@STIrMW zoW!p1Y1~l?e_up)v5xl<$KF`>au07VNNw{Pa6;JN>BybG^i?HN*GXhPRUy?e>bB)iNZmr&tWzCUTkw%EHqap@=23t3V|nu&gq zxBGuTi+$##JjOU(zY^@dRwva}%(2yOAbr&ag!sf2-y_pVKX6NIk!L0VIXi(hU;`~K z5Fue(Eot1Gg>bikeXd9|!x@dD5<9FHR37&xd>qpP)OK}hVsZ&FmRuU&#!}F6+2t^3 
zPJNr+$9sp%C!h!O+b{<*u%?qkD2+<$#$WlR z+BL3~a0XK)IVz4y)3Vk*724b%pbkF5-fxXd9TNn1P-Uu|{h?rst={jIp(YpA&gg(`d z)Vp0BpF!A;nnd8@cC5Xyj1Y)>t}O{oc})ud-t6|>nN~QT-;DVBR5WG^T&Qu+Q74)r z)1TuMeWAxu1<7GcR-DZSln%r5b|93ax+99Bn0nKf*rfvv*}qOFk%k?)RP+t$IAaWO zsOfpglUr0WD`=ZaU5GJFWjh!xcV*!wgCd5)azH-wd0P_8WhORa3%fd<_LjZn6g+i_ zn`0T?Q)!BT({xk&^!vB8nDs;b6W+Rbko@8;tle+V0<&nUydn7BAc6`Bv`Im69n=`G ztBOt)aYzxzlXYJ)mAfQnGDzV??rWwbNIGrdNnC=DJo_O=5F00BJFLaM{wcZ?B4^KO z_UV9M+=Xf^-^4(^e3J@uuAQ(T*J+FemAy=aItZmDow#!)SP|Xubpw5~(vTFy=RWU) z_?C^sj(8niEj8ltEpvFK$-qvt9ZTQa1&nn~GM;sh9N1K$i!Zl=f1TmDQM4JSO>4*eUL(u8gpwhT86w3(BEJi?vj$#Mt_O26KQni-lvyO_j zV)&})bc$``BBm7-4-CwXR-sneV3(cOl3Np);Swg=h$kI77+$H7&U}HzylZTF4tR{V zqv8HPZA8Nf91+xgHPhX_NE!hF;b0KJGRX#ByXnK>!pj&$N&IJH=k6U#_Kr}#+cH5E z8VH9KuaX~w>gD1xXG4Y;JQH}*h&dTpZgb}^5cMHipr4FKG(aF*x-x1Mqj{V?RP7w` zKnTzsqOUEV;pI*3PGN+~3I>ut(=z`vJvMKNDv|nDTLT{E=*&O>1s9tc?81?_JRS$` zHzDC^Jy?u*iI_M^U(~4D{gb%$qF*voyMsU)%)cONN5BGG%#qiXFni&>yix1TuqB~e z;5DrhI#XepD#^3|y!a+OA=)}wvhf!&jcl~Cdm-cLp)$}c-DAsstpLs8+)AMHOBgd^ zChN%7l9o8CGY0hud5oK*@&Vnz7PnIts4h5w;}}i4rk%2YIRqeR1V~RDI?|&JGp?!3 zlu=|&!i1T-OuVF0;)yD-;a-z#H=Hz#!509Ik3~M6i71nl!q=_Y0`z(IMs2m3B1K#D z+Al~J?gPjo#qp!lI^dV71lthY6Bx$=*@y))iO4ro-Y20#B#M!|Qj9DbbjGxtu`4QZ zfqPE}E>F+rgn_B)S^nQSQ=9}}ncOGH4^i!@R$(iZ!7&u(Nb>59I{HGZlvH1={5Z6o z`YzcF0}Aa+<+Omv@HI!!ei04qDOw{)*9bRU&;K(&2M3yXK`NPo*B7WkrJ5b*EfStM z<%`j6NPM;g4Wjn zL3yGh^IF?t%36lve-J_#am!NaGzE$r6sFGh22ZgO^>EDw;1SESMsSSWn5_UHj1Px) zNAnV>sC_HbOsY=eT9&%0jtCWw_QIX2I`sx1KxCZHc_yCYC<9mpxhOv-BKJpk9OM{3 z@ar@`6CvhOBXD2FTaT3wT1hZc@`Vr=LM}s#j(ijNj^9fZEi1O0RV2tdw>u9>?S7iek5&ZZmA>brxk#x1K*|as}?1 z$?>QJyd^xu=Pr#_N#=rAg04aVw$ych9hadqu8QL<`_L(AoXvp!^|<=~ng~arB|~0< zK=Mu6xZXOHOdhv0u=FyKZTEbG-cLVpdPLw_#FsMRqi=`q7}0DBW>Oo!GnwE4uWdc6 z!@NG7;(2OvO^oF@x?yf|?Y1L0o8-f$E~RQ{3(|Fdxj^R5nF^K8VJ7X_(P`q(Nl!ch z6`mkM2?Qe`8YBT_YLucu@HrFU;Rc@hk*zMTg|NRN^)u3rj`ltLE%=f+R>cTr8&w#l zv+yHBI4eSmIGo=<{WPs5Eu&!v=wt+T_|!0V%~k9DK(X9q#sy=7JVLJ6BznEPLEZpD zcH@P)p=WmtD3E)%lh&DSjTupAmGK?IYim_o`?kTCCVERTvVtretJ^3wq#9-LBa|r0m 
z&zkz8osBkvmMg&fGx(SzTg|7lVa|}+2Vld% ze$H?Y&T6-lCKCqQAdF^8ur1bZY~6d%ouHE&zdO;qtNq&d4!2P7AeZ}cB@Xm=P$NIu z;5lsg*HA33CrsNmi1dC>ZqL~oeJ>N8Abel|lSQ{(Uo&`38@C#wVQ5RxRM2Ct-#WTk zMa(B{(B^kWpUE!}0Vx`#M+b6+oHs_?LX{8gkh|NjF$q=B0~m3+WPRY_d)Ghg#+ zy}o0|c^3Z(Oi#D}RWcZchBy>&oNtQ>$*vb{fQc_1=d!D<8O{cE7-QGdFcYI;{sG2I z<4PeA3!emCXbhMiB#7wSDdPI?!~L-_^cLMEP2TOnopD)Vx2w7U1C<7 zc3s;>Nsb?v8VGK(c>@iExxfshaio|bVM3UtI{nO!bDQidrx@=^!gOoX+RP(^*mpB4 z`^}9DA#lP?9%Rk{mIH7pZj*w$)Im3zXjZ#Jm^Jx2O<8yDzMY#Oq;A3i1@dUZo96$N zyX5N>M$29|ZwkzSX>!%6DZwBEnOI|n{eU?JV>RDm!{=K9;RFqt$AM7ydDw7K{7CnU zMhw7oYi7;bP*Fuj0MVE}sU&`k==D05rbK8aT5be$G7E8tQs6MO3?uR+n=KiwIqR07 zXmiKr%^{-0_!VG-B@!O@PZjWI<@Oa?TpO1=rUC@uF6sIw03zt zXV9X~e6u@YK0w++G9lBR>~e%bQut>tdyt2-quYu_ zU-l^jt=k#5$qDO9()_#wHuW;9RJPyZZm>WAvMK8oQAwNHw>lrF;0~3f?h?cHIRcv9 z2RGhvnxg%GoCSMVZoP-#J)0mI2@YC-F=5bqXO>W5E0zg8dPncwi%F1=9<6p&2hZU~ zQM1GT6ZScX3mQH|ak+FkT2Gs%xb{7%Wdg}JVvb(*9q=s^%~5Teh2|Ix`4V+?W5nNN z*Rti~;r&rG^*A9rsvuo83?z*0BGf6>yRW;^=taF_eF6xFH z+)IFPx zI#vz~F{0C@Ej}L%NOE{>pUV;LC4!}RwHt>kWgab;J|Cto82@)A@aXA3`c%59m0mTp4_TNJ!Y;SVwM`2Unp+ zM^M*MctEh10JM`M=pvy_R{5wiTVghW5Da0f4s&K$;Ew4fFt)p!M-OU7e85 z5csHPfbc(SAy8&(j89n*43hb#j7yewvfpo?C|Qaru!3a;x{v!E{u6l)k9OBb@!GsHnR@m#M}RY zLahiI#Cq#M-&(dP!6>4Bv~Ugd8mZatRCb$6&iR{RJ>}DNW^)6W@_o*K1Nm;_+qCk- z&fRYGpcv-#5IJT$A7Qr82J=i`9LQQCEP_omo4TiIfywGZL4mMQ^VKG&UGH0_;*}3Lfh)m)sGL*xV@eX8_l4UeylA>ix#-}(` zW+4%^G(_bzCb!dZ5PLAUJL0|ESo2M2!iRWA z;On)+dO3MuOp2myFbeud`4sJ#XAwq$3Wd*F@hdp5eCq7e9M$qvwh?hKIS`h?- zTxdA96eHVfBi?@wNHw~ylP*S7v3^W}>}DH93sP^mr->#ALEMBTNB4W#=A|8CkGQ5P zRhu)xrQ1r1)O^%(M#!LNCOpgB5Ua?WqL{5y!~f@7RZTyTx6^aRQ1KKLxrR#Ghv(b* zl_ha9DKIe^qyn?3{zBCq$s=B%P-TaRzbgT16JXLJ5;v#bt}4 zCShQEV^j=8DS+ytTae)9vO$zt{Ak(4Rt(V`-*ko%!+d*kCWOeBWA@X3`tgClOB*pK zx_H_h-o|(0E!`S@hNSbO*5h;w!1@t(PpYX-xUTNN*kx$qaT^JSr#*wCV7&wCJ_CZZ zYe0@6^^^W(QSiwH8@F`Cw@Wf`MMb(iX2Z<2H=YfrY_%Y}kt1_RETYw!NywIy+7wgC z0LE2K09@G^i~|x1&CKcU0JE__@e)7>lAvaX8?Y`=yk>LD6xEmNjCdon#4Jp4)iA^x zD;_i0-6#=>r@_0EazWa3PI=wVU^um=Sn9K81r;+QH!hH)=v{vnmgV-lWR^1%4{|}- 
zCy6`P7Z{Bw0Crp)Kg1?x{6!p^P)cP1xpAtcoNQsU9MSrzNO+oaXkj_4x)PD?&H#0` zON;zcS2QYx^6;t$w0wJVs1X`4b>D&J)Qv^4Tei<BtGfoL;(6qK>ys?*b$u5Thns8DXw0(y;$CB4nQJRovAEraU#w*zA?zw3jx6* zY~&7u&j|w-1AR(z1=@F5TsFhe5sipBjMPe)$$>Qq8ND3e@9eotchv zZaVYO|9F?=&(Uo#Wl$HC=M(9IApY=JlOE<~5^1PWl(swSaP zSfFGZQhw`c$u};G zFP#;I%tuh(sGwJXqPfG$0pMvFpyNAUBdlv1oi493&UTcQ?{`rMqNA6?5X(w?`Z2~! zU^oA8_sp617p#DFD#Ap$X^A|JEfUvD)x+_hAinbRdu5G13y1tzV!CnBTJ9t9(F66m z^G1O|r!&$TT1_h2g+$l`wwO0jz*8H|`#28|`fgH+p&LyVgw!C~Vu#9e@|a2)!kWb} z);uHIRX{oI8~6{WcBqe2(PIUWCOs?m+DxH~dX8yR3etY4u&9vr*v8$pD;|J|nm&_} zX8Pjk!})8gE(1W=+4vEsQE&!H{V!t|>E{(u!COSxJ0Tsvf-@MVt_pzuz3zH&fYZ~c zG5^v()$yj5S+km&(1Vj+7V$!2A#;G6r5SH9g#emwkZf<3YdXqU%1L#E!XSj6F@&Vf zWTSpCZRkXm4i~L8MET}+3({kZzqQ_F5jiARtZZTNNt0FZoA5rF1Q0Fq4rQle2D=#?v@V{dbFPNTR&SnNy7s&ErmmM;U|lH~)|CREupXrwZ*nI}L7U z#%9$Br)xRL?U`+&OY;z`ZboZ*L&VIQyPA zm7{O3n(1f;3&80{#uNwanZTubNJUUnP`A@~CT;D(e<&ICOsTkY*mu{CFp4n%MS&Cs z1Xd-Xe|kmea$%<0kr%@&Ct`~r^W5WgT4ToxIS3d#MZl*C2CVrMLw@g?t77N~rj&=e zr{7;t_z_ZAJCjy^AtQu6b<@Skbt*I#D@ zdy((x?1{e#mPkHr^rne9F!LGK(kxXGI}Tv)?BKcqTFR-z5kZEK9wEB##AcmhSp$1pMzsn|?2)ANLEPX*m! z?a&c93Wza!h136-ikX|D^+d9Oo5@}6S(Sp$(46OMKjsMOLdw1BH@!O8aWdH~txf{Q zDNZ&xiSM%E^iT+%nqp-Yyht0h!3pNq5M^|-QbQn@C34&0n`h81CQ@Kj{yDvWMqbg` zCGzD^SLtZ${>1bxJq}A%ir{)ZEHMrnPy}WBUiTmC%;^it?~;#kH-*h2?2JP(hcz|y zIY`mL?qaorJ(~aS4Ze7yhmtk|=GF8m`{(RIEUKK_AWEn4LqWx#8(>n<_`K-S$D6{E zv_rVKR@%|9kNs>=XY?U|UHAu2Gc}RtAjva{aEgK87e7>MUCieZo$w$|I%t=PHVp?M zV`koUw4aY4gsZfzM%jRjSvOko>L(MC*Xx zP*J_520HS7)g4$^ys>`jm}_(k^bRMcs}#?g&ye+|WbA8p4`Ff5M|n@ztrmj~0f4ly zFp2=}?`PJ(@$cN$y}GUEvij$|g&+0Vu! 
zVu9>N3gp%pB@e_^Ym{Wv*j=|{9EJWv-(n{ifAHqbvdzr%tE zi3j<+4(J&w7VX1t6o+_2HHuoi$3Us&sO|(`D@^pL9Es;7?&#U707}_!g{HntLD&_Z zGFIW1dcl?j{%J1s9ID-xFLC6^Ml6MQgP1G!b&X3d(emcx9fDvCsj~rx##6Fr(R4v> zW|(q=6}Ge$V*Jy}WdoWHFZf}lzWKs}0l_wb-b0JI=dD}kw~`;O*GDs2fVyc6LSYl{ z`Er%!>Vj-j21ZuN=uzVKt!7;FPs%ac0!dhVo1Zlw8F6Dx>TbAmjm=2n$U)0TY$qMO zVFP){2DFsI>b=3L)u3j^wE{-3wZhNzmT%$!{lV&0e=I_SCU^mOno2oOUzvL;WHmO8 zsf3p@LL@r!tznAo1bsORbZuCfl8NKj)N z3}6>dUkoZ@(@-7o${?#<%;;+Mufd6LxJ~K|J#I@w@X!&c_wRVjDlK-@!81nrjBs<>=9>^;ECT}bj^V@e~2d(i>dG_SL7 zpdv_SLehSFh^%ky%udq_)zdM;tTH)tc@T_Ayw@n6s!<3YH`EHdBd0JR3r<@XB876C zdqEkdZma*9EE<~N0tfqiR5iMig#bN3!oP3OP-Hsp{KmuKvPcv^yhZ7`g9H-k)Tccd z&Z%DUM71NO3iBoKqnW;CXB0?{Z7KX4U)JTT{iX$`e4z z6B;yCPL!wN9!h7n1@60k1JI`jgXVh@+3(0PjW?G0{Jh>(8zQrC;+(y@oAikj%$}?W zVu*^i8?zMYRT%4yEzDLt%9xBb^}@Ehz+T?||GS^TAn?M1=Ek8vL6{e^g3P$-%D{RX zJUhhimCZ2pXws!fCxL7y1Mn4~Xc^TZ>;0qh@#2+Ds8trGocMf+|2(RJ=$I>A-+=1P zCp}`mGdGV^>-a<*1J)}K0cIM=ln#$s+}8msI+0Al1kwb@1o+s`=LrX=5Mh;Q3rhrU zO)0ZG0xgntNc{ZR+!SYO%?mHSJ0J~Sp|rzUV?{_Y+n8phyz|`CE|rhR%H1;n&J~9? 
z{Xazu#L8sQvdn4FA#s->LAQ#-)q{CF)hLf4zr_a@NzM(s#|LT7 zR*I7c+Icuzu~RDtp|=8a00cRV;ODrG>teapls*rdJ#AaTmw8s6;;hlILI|a@`7hQq zT4%U@D8YfOuP>{k4l6=@0_=+kGb|K-sZ3IdbAomOoZG?J9)TC3_f|hErSAku6SI$h zbG2F5R-VDlTeJa}CyRn0$DvN|-)%D2P`qA?qZQ#dF?=ZqYw6oi9agCa(kHW_(7kkd zZz_aHqUJLRdDS1ZjBK@t1jIzF0Zc?|=6JFj+4zEz3u;)@@XXYh*%%KQ9W(h^1QVG4 z@SLroOP?Q#j*dz1oDRF;l`W`SbkHH@(pLi*vZ5|&}5s|B~q<}g;$U{#-S=+w^OJSsdGRi9h8kP_nG|s z4J7E1pN{`I<}=ME;|?4FJJHlr$@qHEu{;dlf|~Q7+|Z=&d$pE?O@pMp6s)D}gHDK{ zj#B$G5hMYpJQ734Jm3Mo6u*fJ!FhLz#ySyZ)N4euhk`lv%#m^TpHt_t+H}AfTu*fI zb9~AWV`Km?-sY;SZIJ)aJ2Ql%SK!Q$4l0(MHZ7>rNn5mSb_2P0u!0nWJe>r=*=FCP zLhiRHnlsrj*V@g1n&}s z2^NZPZZ!dvA zCP@69mkpK9?k?tQM{lBL*mr0jCQan?o%4_I@6gQt-LPOk|WAT)5wgN3uR zttnDq1yh(AbU1%mxAlKdj#m=Z?u*!^+G8 z{d=R6Go5PXWATYKfZ&Y52@|FZx{l6>6hJ10U<%c|nePrMt#4eM2YXPpRVh5w20Km6 zAtJn?*|37Hl_rzvM#yCzaKym)IlIFobJ&@$IMC8?`P-sVS)YUbwruo7T2OxXOxqS; zC1S@b7!{!;sew00i{IApF?u8>WVEi!=Qa4mz`($WZK551WkH+r)?`AJ4v`m9Oi%&= zgIXJL{T@Z3VW%K!Dx4bZZSfV}x)c%HxeGSWqgyq84F?Qv*j~ z&4--~O~5xqyhvM<+F}MRNA`apSs+HHMs8Q=!gZaI*s8#WsD}7cp%6`o;Ak#Vb-q*l<8U^Sg;NV&O6YSlm8jAq<)e-l4MM)c^yZ`F{P7 zxpRS1gC3BmpW)-oYzQqwgA=c2ZgW`U2D)S?N}G1Uu!)Id8fBXJ7^DsYm;*2nHZ^d~ zvbfQhbHYQyXR$170SPm;byC^I8U#3?LIOl^?QAz|W4s!yhB$cH9HM^?A?wn#v$VEs z=>x+DEuKP&BiOYY(+3UKp$!VW!gMb>Fro=&EH|Vm)szyX_PqDnaX^LGxW$N1_Bj(3P zK9L1JaqDY`GeurK+1a>F;zK9e$BdKi8S092*h+jrqWIw*@nSYcW0uT$%`NLQm13{& zTl$4*gN7!P6e}R1z%ETr+JRT|^JdUac3MJ(fCeRz{*EPSG87$TP2b^6Ty zLZ$+>p;w!+!R){b$>|ps)xg*}W=o!!M`!%FJY_uS71>0=i$D^IE@m(0tc^9Gkx?62 za-7DP(Hlh*94OGIRBgCSlh8KNJySJa{s(85X>le}tW2glc69H&Ab?xl#YC~T&@c6N z`cvovGmioU0z4gh>_AQ#pZK{jZR{|1G`B_1)%`sBbO|}mi4(mGRfKd5EyCH)5pPin zhbmcFHG+objDE%c6=(lxlrU5Y6BJ7h=6C;!8^7Wmjrr6jtTAWHlMY*_^IVA*JEE&# z$#GN?cPf!Vi=!Sv33I}QN{^sPq2fj~6*uV}4ueI>(GgAUJmY3#ic0vO!+<(6&_05W z!yxb2WQD1HxBxIuji8@TVNN#sv(P%`QU>y2QgoG?t@>0qxIN@m5HyxlQKnx285ATl z0zj>zjv&AC4ucc(dsD=c*X%TdgLG0we2m&t_d@d9j9)W}PhmIcHfn`9wUjG;hd(Vo zztnheD{hkXkVvHjX-kk+rD{oX1PK>cYzPd&F=1ky3X%bCpWvbEnN9i+vUb5i$=eh@ 
z&^`J(1bFYwI5CeUhzl)amYDDZYtOOhAYGjlUOhWXYQf-d-U?<#A&q!uv{}dVqnf zW8Mg(6}UXpnHK4?%&&T=^3kVixjr=;pijMc?5dwz8Pekk@HrI?X?Yp&b7?J6J%HE1 zNSM(r+vvMm$7IFjy#->OfR5lLA%=--rBZA(!_K23bk`CXAp{gO6L}?$lncX}6R+l; z)7>bBAT5Akad9CKHD>yuYT<{Zobd2i3!M#yNxeO}6U^{(x*_kh0SeJLPh=c!mUA?? ziClnsa1#Y-o}hcy6%LeeXCF=g5Q^X&{%IGdn|ov!itk2(xAo`_?5!^wXv-!j$&$-b zW+i9FlKsM8I?%6FA{o42E_W^$#;8$lp1?;>fSJ2Q@Q6TF1J_>s8_vVcXbY_r3h($2 zy@_2b2`L~y^c8iT+F2=uuAy#44~k~Q9X$@e&qdqvSeX)HKoCqS$6t{VjDq3rheP#a z7zm(%80^NB)=#wskmTASYW(0BA1lC$i!oGbVtf{+Un+R#N@HlN7Q9uWn!A6+tZ$M` zzpN@NR9dVm!w3{0d=r(sJXLvZ_w@;DvqFV^DDQJ7Og%VSgT!fT?TNf^DLao6P^ zi8Ml~a)47$O!S0%w18gW*vVtCR|xePgP8Vc2ebEjOMD7BgO501c|Y`lK{bR8*w-jV*(N(6@d5-^_*g- zP98$oOz!O^_jdAzu#d?KXlat&OgiM5Rp51w`2;kZ0J(pNBk_!2X#Q}`kIhu$%_BU3 zAGIrfT%-7DU%#i;K7!9nT}2N^O3P(FV0K~!-`&%~1-{DObjJ!sy8sAsFIrc+T1w}F z$P7KJ)y34RWoS+MCi8dr&!5TBrqy?uVwBJx&PpS=Yuk~yOMnbn2w3~VDAdy?oXs<@ z6E1=a^;)aA29)%n0bQ8M*pT&$D-BB@UJjlEGieShLT%^qd_uH??woh-9rkLF9ydsj zHQKf5(O^-@$SA)7lr!d38UrnX0qt@xmVd|`jKtDi3NOerl*4m1Qe%Db6sn{@v`m*H z+N2gcKG>YrYIrl|x7U~)27j_&(MAs)C?PsbCCsahV#rtThJ~dueCbrfb_^vA;do;8 zmbRb}Gr=J$W+|mnbg0rjYL0v&m|2>9z@29xO?QT6?FHnon7KOgRRCza8|~WZX}A4{ zcrcpa@zX#Ap^>(c-4f(Ni7prjKvo?!nDDSzphcI%h38Uim=~wMBAvjFO5rK8VGBZ& z@95?(DFUrzx#7E|cUWE+RC>I8nS7V7gHCBsTn^_`O~XF@sO)0Uq-w+f*?H6I2}q-J zq3zRxr@%gLK;`voJJIzjRU6?RK&N4#xmo9ilJ=5+ zY960EOf6(9;{}hCj~CMpqb>+Eh#23c8V%`nF(Q%f?qd*MduRL5$BV~#_ZeZsdemeh zEBbA{w$czH-fNd*Wv4+8Yox&a27%smq0M<$lL)Y?P{l&qZd23f;Z)J=X>Uq@WR&&{ z{S4rlGL(RyDmxzc`An^~1bT~0S+qz3qu^4g zT2qC<5I4b zhR;xtciRP{B15{fGJVJrpYX*HUeCLOJ1y(wwR(p!X2Lr7|-zL*p>e)ClsZ zSh}+|mKkP3hMR3Y{$2XhIkZCn&*!pDpl^ylu#PaVbNt$6nu~2m^7y%kxj5n;vLM07 zJg{je?k(|PLVz2Ma6sU%ZBImR@anlo+#n!i%a5MTw<+H)&8V&@u*4~eL4q&70RmXmhoBC5XAMgNH}xW1thBjg88sV|VQk5J z^Fw$V14&-rCo!_h6^+nHK^dy@CK}CE?v;!eqOZv627@_arB07tY^5&Wu;Uf^3!wIW1y&|5G%GPtX;BHxd#nZn3I?Ij=;91RV=LetABF&RXeF8o;ar6^Np+ zUy*cP0%R4FQ3^w&Bo=#xDt&jhi_|blCXJbGgzu6tVO{?!fv%)^{urFrAtg*LQ zAC??WrBS6VuHPD;GUkQNl*e|$*i2B1!|ZlO&yS!=VMov~q4<^9=oJBw*|>DeG;M4~ 
z5CT94lx2#D%k{x9kWt7PYK#H{0{{RZ01yTRTOrT@l7-yRl8n~?)djJj!Ozd+CzrJM3u+bNmcD#HoZyD?$JkCsbPBU~&>vG8oli%n7x2jax$PsueBD3`3OgJ`WlC50!k%{M~HZyqF zW4SJjLftEFDg^~i%SiLRfo?^P%K99%y>M(MCsgb3b;{l0ide)i;YFlri+r4`nVHa< zL6G5snEMs{7ljdAbK&x9y#f-*G#>Qzr}DGWTlAZJ$M2VomUK6{q_m&|XGCqYtADkA zCdGn8vpUUZjg#`@Qumtbxd79$o^~ZqB7nR-!vX>`?1h_T^&Bj@J2NaPvqN3a^PRaT z>}A#P<44q&(dHFs_-BaUTazcc3Y$V`eLl2oiKa@V$|4By)Ewn+sw;HQ=K*s*f6RJXHajCBhqvx`_|J{cyu z>!w@Wk?WDr>lQK=o)*#3sU>#3$9WWw~V zg&A zp~Y(iwwQae2U7*BYQ%xSG~#N?#EVlmZAT8S;hjy7E&~*C@ivG!Z%KcRX|DAJLpU5} zq<^FcC3Xe3ln%reY0#iT#RAkrqZ~46{9ixe+tFxRtl6?{;DD@(dCk4pM~DIPF3 zz)nuwX;>;eH-IDxCfHBb@K76wTR_~Gy71!`HY;G>ziGZ6yVHVOk_01(!OW}$nmFJR zlO$S+jLk=H{e6*!^7d(UMa@y|+skB*#%y?|l9JK?ALy#LB!aV8$DEe(`N~Op#_f0G zEX4j+OvZ1VI)DT;@c@w6`?3MnO|vS0;mXdH9XEH8acRZchSKsQb6A5Lm8t0EBZLN17vD_5XyPt zYzbOe5jj6|FP>uIWpRLAboR!*jW9I%!a7Qst>qY%^a_r*^^cj%L*QT=vkZ8|%t`ie z>ZDZqw8{5N_Ce@wcTpsRNt*`Vm-rjqljAB}_O<;bYcS4ZaDKzEw2#7LISYW-J(00_ z80XY6htQmujQ>Z_N6n3nrsvjT^y_RH1N3F*l+B>6=I{cf-#a7k@pjA*q+e0Vl^-?$ zqN$KDi|n)q0O3e|xRn45z_wk7shIHxA4h;z5>=(NJ$v@E>LKmqP2cL=3ph)`w%!)ze(Kmp%<1n3UWsJ-*E~;0FMZ#J{5a zLCz*Hr;wr(?uC1VfkYa@v0~F`O4m=o)_Jg}yvMcFP~_MgK`SrgOaY}t{s$R=&LHxS zNTX;?pmWkV=gE=ohFJ+mW~Fo%O!7w3cN%7K?PK?vx1$u`!vkl#7)DNC1&<$~C7W`6 zAvy>1-{=|R=-FR1 z=p$W!4M!xihXKR_4gCso%H)c zc=bqyVP8@8;daj-P?NB-w1zs2vG-$LcG4DMn;mQd1nuA^{VHy(X+!(Mq?fMV8sbfn`#3FH{ zeWW^0Y8Hl(^x)l&2EOs zdD&r~6wQ!h+AtLmyay9Qph`wSj#=JnBvgyWy?eJnt~A}t z08h~1JWN9^<(*rwOM*yi7bIfQCm8>mPB*wHZ>6PdOGrtoSjmYHnihLZK%JD%Qlq+N z22ODGFH*R0H0dE8f{C3%FD`2A-4b*?5m;gb}o`W^v z@S5vSjI}H0yPhzDq&exgl3p4kStVI-wc}f!cDu9ul@!d#kSKOp-~^w@b4p5HaxAdy z!+t&;oIw$?rnCN}1@b!<4pG+*17ynxUXVG^&d`$v8*8{|iI^-eGjXNW$y(a^1F9A?IQpX^>_RxG^WWEj(33PJ1$Goc%xQ!D6kw|XjS--} zQ!Ornk+4pt;QJ}ID6~NfB03SZ#8Q63j~`t%6%A#}8An48;ffVo>!4cFOWQlUuUmkZRNqZGFra^=U3#2FnW)~90%{5vk|zbkj^ zM~>IPCN&REuFrpE`fnS+1sb0KF=~X9l(&95NKB(-#(0}xWhW>HM(OdTn+ybG0h=x{ z4>AfC)glMz3TKLrQ_i$@u9q1~2}aYJ{u6I%9_Gz|x`X=H`;T-T-Kf4@pb@H@H^~+5;zdt 
zv$oBc;mt5#5K;|pk&9}DJ&OK0dcS|~U7W;2T3e`F|LX)Y6EP>o@+mcfLob3E%-@0B zt*{xErC@Wlji*{@w9ArHz{$4S`jw~pMOJQdAwO0^9$2Ffq-ScA9xo;Z}g?gc!6l zq^1UUMlzO4_V_YSFJ%r32Wmz`@jHvo_tBn$-y!}WmK$(SKsr3o zj5nk$`RxRpCPOkRwe!D~?4Zz=Y!}hFw40I+S>&5HFhGt$qQ=iR^ps~LN(l3 zl*r)!Ga?E*vk4hWb}Mw*09GI7D%JDH4BxFClSKP_?DP-}93CqSpU~bi50qn-qDUFv zXSIflD_DTS8I}h`76Ffx^wUwd{BId+r1)=U+GiN`*H-xR8sS z-{Gi5Mm9hmxdYKL2O)3ZY!1K7?CE0EOisQhuR-@NMwu>zhZm&Y-gY< zfoJcoCFqPDzTU0Gn>~RQAoVHmoW(duqoFt}oip`Ru#0NLgh13u>{6G+Af2Hjr7)(h zg81_FIHRHd>@_x0q!GRd{90S^bdhB@K1L6F#wJsjWLuWwzX23 zYylNeQsksGFZ%MvUq?NraguPUV)~=LH-5-zViCxMRWtLfO0ofjoskRWZGk4u*Op1~ zxUji3%JSDI!!sO;4hZQNw;KHDl61~XOPzSIy?FX!UBCLWh=dEq#!L;i30kUKB!S#N z#W6d`h6nLC?Q5al0>{58O!!o`sq*-Bhw=HyqZ$hQ`(ML2o z;FuRMA>Bfxbt*s`GZ$wvB3K3!3Zw7l1YB zHs(q>PT^sOs5=wD2#d3gm<5io%w@_l#oz~M3AIh-YLjNjg>k!6zd{1v{~6(8W~N51 zL1=-FgSl1(lDD-<{oc=A!(5eb@wxHdA);7vid!0(#_{0_zrTQ*LUTJ0DCl+Wo-0x7 z41;eun1T$4!+3Uhvr{@`t}U%lg{NezCosc;m3lH%$qKd3x`BeT{5tX=&09AI+sag~ z&D;R)iRe~=g&`o5hJ#8cf&?AviWGC^oObor428d0-mCa?kDE)`RT6cq$#OvLhs0pm zlWe^|QgJRKR$wXNn~Vkz8DhDx2r6?88Qfw)!8OUKMSeDW900S!(Gg@;Hqyp4Jmp*i zj&2N9$N0ZohdZd9qE-Kf^Pu2|RL+kW$*Z%xRhUwZ0Ge%RpA?$SS6uWjG>~bwGW>WO z=vjRO%iiv`W^GV}1Q0kzlLhwVgMplQG09F+hycGav7pRa7#}D|x>H$RayJT4C~K0B5hN zYBc%U=G(p$FjM$Cn9Jl}XOEH1&hJ-|_cJ;a{Q?J_*N;dAcrnDaFRU9U&mKu;{pd=m zpZGqcR72willRV^#z%yK61|XX&`Ud}X?BWmS^7_1CA@oFIai5^jqwUXAqCq=W65xW z>jU)3*4ntN&$u~{tz8+ap~8gNshm1{OGhdT``F&WN?(8uVlv<-s&aMv3>d{dLz&#$d$?rE+gvWHjJ z7UltK0md&B<>%`87{hoBt-XlHXzJJ&vgXSSs7Zn9@I7}NDT*z4zP+&kB0yPFde@T> z1VSm_1_gmlsd(z+08j_DV8iz(UHlv4)B z>prB9inAW%5DcjW?q&K5QmqWeb1ws7apGtklskIZ;JN~@a-u9x-yxjs_9Ct>K`N>VAZiN$3dKgTHo~#t-sQeJ-;g_4WS74(Js&Wu zf2!n`32#1avkByAlAiSt2Dy$R6w?R`M_IbuJk{SGY9MH* zyTN?8TR|FxD2s_4~9@U zIYQ8dkesA8F8^pOo=j*+?}5gK)hW8{*aFR_Ihk-x_yS%^bhYrmCZY+76oZjB74*Rd9-l%790pjc zJdgYKzvLk9t@i;UUmWSP!Q7H?=5;Ie0lig;kh-i#UmEkiCm0|3UG zqhyk&B}ljuT>5tb(nR}7A@|1yDl&tksk%B*$z4h#$X?L}(x2JR)9W1qllM-|86Uu{ z>eMRn#1E~b#-PK<$odSn!KYKjW4&Ijo7j5O&^8TtLdHnh0&WV%Hm=mDFXA|ix{9DU zF`|0C}2aZVpfk|ac*~% 
zXqJLPS1BmNHoX3ENcr3<=ZJretFC;GHiwN%O%WO{!;EMUr{s6u=_M^ZJ^+QSH?-5MTi>&NJaOv1mU)#|=Qcs4a zR!T@&F{-PX|F1j|^^1_r{WZW3kn{39*bP;EtjI5lrd~Kbf}B2rrVfk`tRXj0q34ll z9_FmXgjQO|=on4;Y!%HN#5hJl>JR!-8D2oa89|N)Yk*Trxt>9M<@#H~KryBDf|Bif zqUYJK&x|9f$>|LfP5Zm3_KuP-?!gRHkok~TJ%9Z^<7w3@$@VTg#U5^Z96VxV`Ms&a zdM1*60UMebjjQHI;!yTBugD_<6Kd9+LTeIj-}k+yaN=4Q$jFf(@A02Q@JF@+T*^#X z(vCm9+qGoPDiXx(q?Z9nz;8kD z4~MdYQ9;#OZE;)s5Z3@=nQ^t45S3g5;m`jtZ?PPXvB7OfEg%0j}6IGz0c@M^M8DE_& zc6)Gaj{8B@HTFeg!z>XlgK3G7*Sv)%6X^M4;d&6k^wDW}?=1k!z#ZvW^DjGGiKt)V zzHf)@*>y}gv75E%@IT}WgYCts9wfECu6X{Sjt2ngt?iEMeg<(*aEN-ma=`eu2#fl@ zliZ!2^BF?kiUw9@Xuog5oPVF68)$txwq#|u8JfB>jH;Ubr}X(6W(9|;$1c1JbV7Tj zU-_Bii{jh}@7UviWcPJ(h8S6R@h=af9fSa9t0PrCLjoLEg!PEYc+$gJT z;OC(8 z44|`b*^WDH6-Z+M$lcx8kRnscs)JO2pJs%i_&FbhvZt{NkZH65081jDcL8DbB)A0$ zKP(MahU{RnKRK%pK7)ajXr~!5z9ch$n4ryv#84$AOwq829sq=v$q*(qBE!Z-p8>fy z+{)49@>1-InlaA`)Wbn;#9a*wA!#;tzw;gGGkriNHGBs*$)hVjJCbt_6+i=L8(qAx zJ?v7do6rRPjV`K{O_ZY6sMj_Ru6|1J%W%$@S0G+@bVT~OSLyEH-7jS+m_6fdo5s&7 zLrU?NFg)d0;L%Bf4sK}?4P;s}b2vzG@Xb3gIxSuQOeBYg7%~Mvc$im@2ef%9boA9~ z>7##8SNLhWbYiJLc{CKyBqU~33k9d4dFXkS$^<2OCVcNHWq^Q7=aw&l8_Aw>zj4M2 zHWk=5`h@ujq9~rD4}$!qD^GuD!U0xuzg_f*mtu4=GxT5>!4m8PdN1(9SNW?J7Ioy? 
zPZL9e*oAbj>f4J$lBfcIfsqTxgG>!`GJTLxxF09+9BE{=r}UYI7Hl)BHTS9LS2KGi zp~*=Yzj-u)Q3FP(gN?8<3d}dW6pjbSD5hl|G2Z>e@?p|H(FlAI~#%ouHL7M!g<_~LST;fpZ_@iTJ(9S*c@<>biP0ekY7~8ah^HoU)0#F!Csx3O zZ@Vb~GyuK`a+m8Gqb0~|BRgu%xXJS+4*>DVi8-8 zPP^cB_?J~I9U$TV&fLx0+&><(P6&(G_N>mB^C4kGTa6X!v=9X*w*=cbK#Lz-fYT^m ztNRXb`on{T8M=Lj^-9yiX)0VYxKuzlopwJELz`$cd9aD4dE7B~4U6NTtKDI&+s?ex zVv(ryN$EoWfcxmhcWEm%2}b$kqyzw}%@l}CQ^nAer>|L&TZ^!}0(}Xxx-8k9qQt`# zpgr0(BWWfyUFB|J-)oJ}FlYRLbe3O}Z>FU>+*1JItbC2zFI~;PJSu0c zs7kZxV`T*T&Egy35J6!)nw9v|ZkZBKvvrv_iI^R_!X2P@Gqj{V0RSvwPj?z{`hzVf z3Zu9v_dB2%6dy7=8RnFRht^8sNmOXcjp`7so;c6PZ1+8IXVej>546ZXz-T|Eb;i+r zQ}tpf!hxNK5tg?g!w7di9D{X(coOt;tiO#445Y15AAu7ABK^qN??YTxp zS!7V@s;?*l=j{;9 zRgI+K_!;c=;;g5jc31SLsHJU?InY(;j{>u_x2)@yIYc&*u5N&TF$4u1YF{Hy+}i8f zX|Aaofn0qLdSoq_u(tTQ7mUuWZeto6QxOVEndbggC%-+sesIV>8lcP++lXA(5M_ro z!ssO+czYdXkUx?aE$`!vQ-h9AC--Ywy7kCmdr|)mR;zwDzUBAX0h1bD+246md<%OV z4_tgmnif_>pw!`!O_^EAQCmwM4F`)d%!#qwk(sHbXzv8BFD{&J2NwrZiGA z3(t*?&hViQad}b0s3e3VPx}%!Kae(nskOw!=JW&F8huvl@(rF9P0u!3iN48(UGC@S$|B7U}%0FC5jstJaP-twFCAJnCmOf4gD7*RRrFBy?%n|a!^4>i&>VFc^f{q2IrGN61 z9pc`pbfaKK2mKayduoonR-{n_f(wU^ccdi(e)`^*)eQ4PxF>_ASn0#L*=NODO|I&e zIAwGO6iy+?ngQBI%0d~lwwo$@`Rg2-%+?%a4|K!8dhf=#1&Nf`9Pa2Py##E)ZojOc zd8ba`V$4w&sxdB3@WudypmfmK)8YAZW%~5&AVx`eM|Sk0(FL7yu--o(D0OXyT@JS_ z70i6fzeOgbnLye1fhF0MDAORs4_`jSj@-eSNNWo_N|bD`F+Q0)`Y-lyyotp?5fTSr zxV@X{>|Thm5~?VPsvx)MD%C5CA}m87bn<_Ckn7b?JETybRGxTOw~^mZr+Q*qVxuim z>|9lk49ulwPmwo9_&vY9{F+V zxQ<*C7dyLz5Htp#`5{8lEsbIWWPHR+9W_00F-bUn36Zs_dO>OgZu>I zru)LSP|YobIRBj9K$m=0oHL@~1Ev;6!<;O?50P&{1ouO)=NycSkPY#g6_}i;-H&hq z(XD2N0U^-|-=;JRIB>eGfO8?BG>ebB8T$#4gyv#kgv4#Yc7t+! 
zfw@~Zneu#9u%@!TwKa~($E{}#t~iKzd}w~o?tr~}bn7h^VSQ*627QAREbyyZ*ybC8 zgXw|BCp@`EpOSf9s@IP=_y^k2A2D5r21nTBrL?x%)szj$K?pdq1t5Ag-uucSx^td2 zDLVe3`xI(PSJ|umGsP)hL<=3;tY+A4i;&%=Mh0WKW&*-oGxgHu;j}hfGm8U0qf`}w zIpE=Tgc5SuHHjPM6=IqoJ&0SDRorD882C7Av|mifn(RFamFFyOq7}hCAu!`B&29t+ zcE+|(=$e`=q>GEtl3BCe;ho`D*hY7h<9?%}pHz z*ZlgqOi1+wQ~#LjOrnvxEK^oq|HT`-EPOKc&Ftq0s{8%@HvMh|qy*dqC?vt|OrxaD zR6)H8(i5QwM^q$`ez2+Fih+Ff@`8woqZM9g7mg62059f2$^>6dq#&s^yqHiGuA&+2 zc#;!>kd3Nv&QP>=j97uC6^2m!dPoW|tQ~`@NncKb6lM-UW7;9NWrU#-Y?8o;Qzh0f zo0buJZ8n-|3*BO%@AgR8Az`z=)LN&*?0lxgOV4lPkxl*-T)y$+KO}*&KWvp?2k|XJso0~ zWoc{pF#wb$IwS-GLo@>)X0tXIy&oL)#Z5NJ)j{3ig3!{l{jk6h6(+82K?Ugrm>q=G z$uj3yUcKGNjC%qAXOcz|8CjLK4%&hkL!ru%AON6qy(vOLCL&3Oh1hk@HZT&nCZPJA z+3Qmdv(C%|iZ%%Bm`!uG24;}{1Cs#|Xw{?`kX*~$P?U-B+4Vvot6|hL`W(OX)&bD7LlRDW9msz$uR?46cD4q*+hfZ07Epv4p7I) z<6>lsz}P^xNRbWMA{{DQgoC4Ok)b1^Y?28#xC#hAM({*IV5Q5s0R3d0ceFXnc4aS| zTFp8G=MIjd95CtnF~Y?NY({`+AqoobjH+P+jSHQEn-`uqm_aFP(Q;;BF5##qN(#pI zje5}4RKd*$iP>s~`(cIZL~l%b5ZE|K{ZZt>{ z<=~vn49p9=1W=iRWMkxlg#s)z7udyRXo(XsbV9dFoKd7)j!^bRMr^j@$4msX3^{n9 z!nLZ*>;fc1FV`C>pg5m1&Kgacv$`2wQcni;CR#xtZRyzP z;BZlS4*MJUEfR2vK|M6h>&+&_dWH`x%>fatiww;m=?9u?(4^n_?))%oy*Y6RQyIGy zI6qHgR9s=<0~(mExQ*D1;{hWL;p5YmEEIBPm#YVE(3#>SAlvbd^^{To%@FT^U?C9M zv`T?{0(;A{CZT8}fye20MtamRqbnL2HMHyxH=H$0v36vz&L1|?5RgMTqc+qb?FH2V zM{H)MYAqp&c1PIie1xS0{CenXk*_jl2taj?6Hi76(8Y@{$%G5Xc_B*|HybS~gqRWP zEFy}$BsFy`sYXNy6hU6FNg>2qL10T4$uAvC>iT0yKmBvj66}23N|6WPl3OaPRPhESbzSRdXQg&P&BefHo75p=RXygFIdEDfubYzOCr zwF=|fWGQ5EQDfz5r^ejGnWMKsj;skiAb~J|q0y;~2Y(}KF(e7llo4|a8L;=^0Wq5~ zW3e>gh=dbwX6`8lX+{(WAkSULKtoLh0k~mdIHKhmBEr6m62BNd5JfNG=^+GIwiX^% z>`sda>lFo!9PzvX(upT09AIvt;zq1Q)Pe*MKs8V!ZI1yS$);N)De|AWC-Rp0)J8?_ zd-BpAdh|f$_h}r+vwlm4^Aumpezl$I!zUB_y$t4&x<{E%Xu5y3TH1egMLF@K@iwY& z5wW8D{sipHpM)Xuj@GAmJM;xD#Vs1I@}Tm`eMH^T6jymGg?lAGV*i<*(o6AC8fC_P zQ;pZ&<3uf1{lUGLVi-uxrmJ*4`n^xru}Pf|?&BWr zR`@;h`-arGFGKtNbe_1A)!!0z#NVHO%H-70GpT)4ou=*~OH=GqO0gl6J5pUTN-X)k zti5zzIra0N?Ut)^S?N66mU|NbI{C}WC+G60v$S+xYyb97*Q-ZesC1&jy;kqyEmgNk 
zsO<}4h6>Y7w^G-Ux~)&uRX_Js++s`VX4^(iMBNZe=c~HvR_Y#vr-8(jSBRz9$fv~m zPu@KHU7V;phg&f#Eghw)hN5B^)h|>6`BKQe5Q8kLpt8lvUq2T2%On=}#_wl+G~~M` z*y3NDO6i>~^Ma)~Mo`&x`_%0kZ@oTL=QPDeTfepH_Irhuc#4g@hE5{U=<5fSLB7VNoUBaAQ4+Un-2aqOR}S^0dlcTw zL@R`XGy+p-rzbcu3{=Od{Lq_I@;<%EBtlxj>C>JI%l>0QGvdEX* z1AmkIFx`jN+f(cUlzUW3)=K$Ql0(0zqWZ0v&qgWkYRW42`hAT1Hr`4xb&nb|$}vr` z72ai~%*DO9zCUUy+ViDYsO(3-)>4$ezM1wQD)!>NN=e207OxWIO#Wom#;=#$i?Qg;}s_BTyaW!%fk&Lj2n4tXx#f67kAYYh3P zPY)iKpc44oCr{;V^HV|Plv*dLhhmbG+!r10V7xDR`_oTO#9fO4xcp+4 zV!02WR=6%QkBVE6R9b&{+zGV+y9ni>Zm};>N#3c3yRM?cZI$*+NZn#8?!GAGPPx04 zcBztw+HZZJ6c_n+G7)UG`x);{nyCHIrYUCQz2zvMDf!mU#|GS$+DgkmS>7$$w_qtQ zvPxR*dS<}=sE=C7yNfKd?Jn=Axae#I3vfH@R_jZ3KXT!|{?6o4Af>o9?)p@7-&=^X z)}FOgOE49?1Z5-dSl(hKA2;)A7aYnxCk42bejnoc`%goESSNCS#eq@`18vK?%3F|B zUcw9wu)u98?k+xA`h~<@H|}sS;Nfm&1(^8#k{i4O6D3ScJ6z4^fSE{jz)NPF4p@l< zFx&Hn4g!!Ifia1D%~9cU zc(URNiy^5KLtcbUfrV7yN*j<8--#GU zYY%Ix5FKCEWSm6kU3F9Fe`{lg&2j7DH+0lcDX5 zjreISDa7|RJ~=n01dbtV+}T#{>h4aR+@5O(H3M#3U+Md$B{)WxnGw^(nC*s2A4Ax0 zMsYi=#{9IDJ@4;@8f%)=O26oPPr}XlTc3}*Jw?GWq%reOD91!8!5(gRRFq3iu;2ak z8Q+m5b+EI~V}zVWiY20PgCX(>u%^zPj59Aj4{sq0iFb)8Y%o0j0B06@{OxK36Ve-3*@J>Zs^eo%H3u||*Y0Fi_fY(b0TC$cWCyIt4+r2|Q z4K!{0Wt878r@ZH6B49jV1%TZ36+__m>QktQeVg_?D~#KU6{B&AXLcSiHrU;lJzRj2 z5qL2=_bLlKC+}*l?y!d^L7q@;c%{_E4r&-@~X)l?_2r~`BT)DfQV#naxhwlswBM46sp@UKMSf31)zhtMRLm!v&7X?jB$=Sq zzE9@IsHNP;&?K9?4|6!0xeqwWQ27|aTroba-7dY_Asg{V4m}270x1zcvqyU?UAyZm zyS(S(o^504F6Y303lxD5W>8WjbKJGg-K}C|8s}5_+eO{Vc(qr)0B0f2_RH_LIX2+7 zOSfISS9|Vi&zhzs?v@#psdnpvgr5l-kQrr}-`czYw?nu%22i)xeT4>PAdNA(Tjn-0 zr#(c$;es4cZpswp<$o#4vi3nay1IY7`rGQKQR?jP)!kN=x(A;X3B+@<%!#`#t$%1S zKN+|?XWQ-XZxOk4O9!`afdgLyi>6$aOypq4-HVmS@;D%HQVZq8{A_z?j4abw$!KTK zebi~cElQGslZhnvL6q~wByaIDlx2uA3D{R_2+hQl*mHFj(R5rQWi<5np6Ut1jLde)d{0Pq-(TD z$<1jlBsES*RDv_Dg&16XMkPrnKTHcYCd|yhfMIYft&q9Kj+XtQHm3a6C+0Fs5JbqQ2Zt{K@dxu1jkU?zkhFuLBAUWIVD~{a2~F2y;&H*T!uKEW za)`Qw6NZ!*AUQ_2Ax3sLB2Y_V-xch&*GX+P^L9*rjx-uyQsqm2Uaf3J$ZWrN3H|R$ 
z<4|EPR^FSu$){SWrtURR4*X)g<@#-}4OS27S4-ct&Z5%KgS}atTa!>6hNk>-UmlzBlViDOS`ydAn`9jk{_^-Xo*xq2fK~cD;Vq zRLU?3?8;X9l^RNMy&4zyl2q;{(>9yf?s4s*eto*vyODAHo_NN~4mdsEZ3h@DrOP$6 z>f%!7JuYCA_n_M)`@JUgzeuSk@Qu{V5}cb@>qU zr%WXBhaGhe~$a zevOgGPw^AKYDki6YD{E2$&E*~d&Msk%?sSzE9P|P=4j$oXJ-Mr$fg{I#Sf@rezgtzls65pgtq=CiXt|jML5qZr0 z0(odZ{kA_?fZ_wMC|mJ>+WA`X$VJZcSt@<4co7#>Yh)(R(b-+U5*MWJ*GBpzkyI_e(Q3)j^Mx5-jW^6p>t{|QX4ZtCQUnfwMK+Uu}CFo_+ zCd@cAbNDsP6Z}9j3bNBxPO~=YjMY6W+O6I&gU^dt1`_i(f9R0BLCIrb4zbGt2~m!< ze@g-Z;si13z$b!_RC9(ZmZ4lk>d3XqbiMMF;09yOTzYzfNH9Vt2#K7ZAUhfa!66E= z3n7RMjvzT7F(fJAsAZOqUXbcOUOr%?F!%79Pw=VgE7}XF2M_^zXcrbhJy-y0X@Pq9 z^!WKf!6yZvjgcN7#v>=V;LwcHU?h;*sDw00amC5P$#zD5T>Ad;%TvRk}IC$!cxa^dcNm>NU_Hb%|h! zVVOZ~TIGVo7g{KG1(jKSNlK7-WrdRZ`}jGIIU^*I=kFkjp$Or(Y}zu{{xHtm!CYI7ghd2EG7;WLg56;t){~Bv4cdD?ApzY8-fU@{6`*n`kl;@n2xj zQidq577C6(ok9l@rA%lZ{1q_2(epBHI6;kk%6PXuuhpn`y>9qw2dVb*Z7`ya6vw(C zIXyWO+7(;8pr9wAvwmM6;miqx;P6vDm0L1eTklKy{ zSCj}eM+61%2SA`@e=h7ANHY)B-1qtH2n_gYsA))Z-~nbQg-9mZ@i+h4u1f;^<)s*f2~B#@x_J? z!6mTa9bO?858(0!ZPdK716TFpym693ggsBZTGk&BiH;f=w5+&13Vhey0s+jQrf={MDrdSuBm= zyPF2b1ZfiVIsVkiv4*dgNYInc-|#iEc>GHNRqs#T4j77t{bdBSaLiEq|8j__Uy`7N$tX?{o+iN&(ny!u zt#HCXa}a8S<-(v-V25!<1&g^U9DWha8ooAG57x;rzv^R`cS18v=}oMhU~8wwDr-(u zp5ES?$qcT0*$<NDY(lB6i}ro5C11Q+gY(;-2`=~?8%O6LmdGuHo&id)Ps%Ynf56 zrTv4>g59}+JloevYhxJCi7|iUeB8cFH3TJ_1lv$GkSE2uZ!l;gH=Fw-|JqdoCnx%n zwrQmQv8&P5G*la;PU?XwbS=v#9JKd~5*fwk>JG&-u4%zr%m3<7j*vfQ**m7`MUz!z z%M<(DUSo@Yt9PQ3+_Eg-2-qZHh08K&MSR5(WuJ=ZX~GcX26_ftHI3A)`y%X6I&d+J z>Pb3$B#CPoos#mN09e=Zs)U?A*4O`|#61)|EO^-`RZNTF>W<;&p7j2^Q+J54jCBOl zp#6mr0NGOLWAM2$ej#@68Rg-Aq@^P!z@-pbD1qMG7>H*K$YUe}?*IoNV}<~9r4{?4 zvihnD{*89FqSmVyaqQeys8G7hu@C~1*$D%BZSYU|CAKpDsPgTVX-k%0#LDQ^psYb< z%Lc?vnMF_L<{E`;<$Ay(Im=b3g$ld8NlwfNn$BXWgb4D>qR)L^Vrh0$pN+LXUMBCLFrYmYS{a@s_MZdQAQ~Q;T$bFRA4`9IvtVE zMBvQS$cunGp{j2ZZ_RK zbuU`F{m{q2s^yK9PYWBga8B7Gb|t)reMZ-;<~-cPx|(KFley^k4(fk$5O7>keVp1r zC7BWQ2Ck%xFdJ!cQ2fbBNn66uLVg;cE$!{#m-KL7t<@((^SNnS#CXa=dhkeH?{X)_ 
zXJldyQc_-pr3-9R{pLy_`_i;Pz3Os}=e5=9l5_dW*&p=)B89F1pB&hC1B4=o&-JI* zqEwN6(!~WYN>CR3e=;=sdyAB%xHv|W5i}}juaqKFxl7is6xzjmOjCUp78Y7{=3*+Wt-e_t<)+a-P6KdgS z9Tek1$j3GXo#d%VL@qQ-k-FI|5P(JOQX|FrS_NRvhXYA(7e`(~mN~hlMy01oD9>M% z55|w}$S$SadH5Z>7~xH5g+-p9(fFh5`koveDit8+&ZdYYx}i(FPF^O1|5sv#q(90x z6av{QSy;Mn9pm(4YFAZcJb`1>O?`6^OdG9qR*t>!SWT|BR<`3TGyV|WO^TFQNS@=1 z8@%syjzpY<3V{qC*`vElr~!hR7<;vj18Vlattf;I!J0+T;D7)!UsHC502Z{d|57|} z&UQ{M56lmkqVh6SI&R`E;$;LTOhP;POkQPEa0moT`Z}s9jYd1zh?HTS_;F}~5E(;K zl0gx!7{o3jA`uTcjAjNr*YX|Mr-f@bCe3kkgFTJxvBra1Kb-ydSfY4dD_D~BTw+6@ zgU|smt`6`wRra38wNeNkA6G~gl)Tw+D=+YN09RWoqg(odXRT70T~1@sih-tLiCgMC zv2x19Sg%MutY|V40Q|3FzAbyaM?WYnPA|oVG33dNRnfOyvb%ya1=ZkR;^0k9W8)PF zDwXR9-6S+DYg(R>%1<_of8F_G7qJqy!=~~+lMyDv4_8liY6P55Q`FZCbxLB7r_IeO z${qgS7|fRfWF}n>%Lh|6lV)bybWO;vfUcRPlp3znf8EkGmiE>Nk4byg7j*&%7D>(d zhDlU>&Gf;^6#8)c0ABH$+P3BNrS*XfovkJx>wCtq_=+q}?-teklVFz@yU;}vG99|H z-j5n@nT)XABBqBX;;R3+aI0f4INivY`!_0+eABjE*xj!#_c?Tk0ENuWOTtO)a$$?h zfu(EHO#+7H5qc0n!Fc$ew!oRx?S(NAT`7m5^+~4Fm6;cNHPy&cx>5HsXC&)f-i?AoxsH1UFP zx2h4G{^tA)6zY+x;%G@HfQygpiYM_mA%OX3uDCM`79iE4{k{>8^0>-<7WRUNk=M9L zvRL>4@@@L~T~eEHCR|(6lLrtV_Rc+cfW_{3pB5jfuNkhBrqw!$ReY#>%|L3#5Iq$9 z?%#T~`&NN}!}|t0X9f3tR4PaMaWlaawN{3Nd#yQ3n6pM>JM?)vi|6UU z&I~j^fUaKwF9W|jQr*z8Mxq{t?@cd*Bq(@^7Em)WTV66zfiI^e-L;K`Hpv{83=FF) z&76%eh`8aRS?1>@q)|NCiO#c6`tf||?16#3C{6R#o^=`B)U8Jz#l!B_zd?FqSZyE~sv^+|rh> zv`}BoydBv#P8w>(%n_7HL?wUhf+EGw zM2^Z1I`)%XN@c8%B*IEkMv+vq6N?oWMi>EH4GMht92n6i>Uzo3F}r8pz(*lqkNhO7 z+fYI5Dj(vnj+7P7$AoI{LdA<9tN$d)C&2_dI>a_w4CM+E3YOXbhRiB>$g?lF^rKt0 zzc$10y3wMc(D2DnwgXwEKRSHuy&^3 zjpF^-I3)38P=>)AzPD*Z;eLBme<=zbjB^eVp`Q60PiA29ZIuq1`u3sN6;lglXjKI-4POMkI(DZP4ffD+-Ig@Cr{hkLjphu|)F9rQ zWtWwVje3Bml36CPSCnCDiT_L!o-BEx`5ZGBtg#BDtP+6TVY(Ye&2Ej~D0k);QO^7` zZ4mglFk+rCSVLJpgSDS$vpXo}9|fXd0|Nxh7ZN!?F`H(M?(u*BRjNxyiI_b@y|?%* z6m%=!Pa5X5Vg;dfQ}(z|=qm+d#Sn;u5gLn^r-F%T9}&QZ+$xk^B}s7s;*;V^YA#8kKk ztlYWNLis2ZI~@zSq@?{-m@oocLEWgb{B|f)(B^!`*)TW=tV!qdaPV-Ty6l z=r9Uti(LR5iwz5)Sp^JMGB>PCw7qB}1B-URS|5pX+BUB8@WcUY`E$h&*25(&9}}n7 
zUPp8jiAj)@%nsP5z?FCS8D%5NMXt!w^yZSo_U4#RXg=D=<}zKUlvxnkQ+knn(}VK2 z=8;IsSm6bTXZAZ~3Uxl>5xE#42d*o|bxWzKPCHCNfi9Ce#lo{u+7wH2>tJ%A{LFk# zuGkfC)>ek*334}?d5WgS7N+=jN2as+*^%_OW_!JM;O54WjF6$47N#mbQpC$w9Zr=R z5j>8do)nRdjpCo@(}1=>y34S$oAwW;-d@CWauhP0U{=}Yf5&EsqHw?b4Hj}6Uvmlq zKij;hZ=@#>CX0Mk2w|)WZ#zo+hMpwn7Oo9Xy$4lpDsb-lLxi!8UdA1twUwk;P7hBA zeq!9enjE%A`Uxm#hUfiky*RbOYS?xTp%UyP!j8HIf?Wd_hYZ{km=8>Rri_8EG|r7` zduRotq-nu;TmvYPk_CId^d3ZiRb;=pM%-n08c@YDF)j^*{g6tb%P>hVj0?sYgh)!g z72k&IR?Z6hT>H~Pj+-0hW>$%k=m0tbPW9@eVz*@&h{slnY8<0Xw&@q`z}qhsohv47g)Ug?k7&r(u1_hrU5H{5^TpZrRZVSRlbYv|gU4da~zN#vH?g zLZ{t2ofvo7!9FEE)C!oNG0#sLC8u7=(2~CIeBGbpj$7z82ticR?p6T3!tW68lsclE z2~e`LzssGHKmTSf4dzfC;>a);Oelr%@eY)`_aZw3`|B z=Px5fFzR#A;DK-2j^_E}Zy2Me+NZ6DeA|nlf^QMnq5yB;3?d9+SVi?Ri+1;<~@BVyq^LH3)a za*yH3+1KPkV_1nt)>2)>&7q(sti6yN5=OUY;3vi?H8r0TZEmXO!jV(5p&-2%5YEg< zH;ddNOHXJ#wdpjV-hGei$mgq`jfQdWzY zv^)TFZ`y#ACXKgFo;x6qi5@5Po~a&BQ8J-OvhUX^PX%wC^^}rO^A8v`5%YRcIWQQr z!&0&rqo9-H<1z#rs8DzW)Fy2ywnfM|cio}_WU)mUr_Jx`PZ-uZwkVZlEJt={yNJ}{ zbe@-(Jgsjqy@DP}r=2l)&JscfNqMo7{tJ?PlD3r;jZD4%GktGFd0iV;gt(VOkxB=Q znHOHi@1)4=5+g}d7ZtFGspckHy67xZVMQ4+N46FYivknRD?{qPYUGFkjOf%)l6=`& zIIvcKVK^*u{i4IUqIUz=x zZ`u-^g~u`VCi8DnU7H!Mu^g*hreZSl9X8D=j%aqwBEAm}YI%bzyZQ<`ZfjKTB^ClmLD&**c zy~>Yi?zC4R(Lc?v-0_vLjjenU^1hcU4V;=niPGD2-ZV_L!5pXRAcbk!BvrqLAFSvC z?#u|9h1dAjGk3i&$wTsifT!5kSj}ip^O?ZUv>_+?_5Xp>LdjG%bOg70C@+kHx`Y9G z*n-6mE)T^I(;MgQ$ifCE*sTDeJ#KKjh7R%cEB@DX)YD(1_e_$B7tKnM>cbB2p}j(Y z1mo*M)U(9(148acmhs=lEnpnLj4zA@OhEWC6*D3Lo8v_jUajg#_#&Wz&?Y=l%i&;y zH?}}au6W$Z?3y-QE0{|vmxMRyz|YsF;4V%bY0~L0iGn)(KzLBVrkhK4tB?}e<4zp* z2D2+zmaS7m|1iQB6h%E-BzgLSZf_T1YR9q`dUc%c1(4fe$x2f#E&G=*`K`3J;O0lg zy^t@)IO1~AT4sf3%oaqg=VF=a?`UO5givnS<%LaP%yIwwu6ecz0-lZRg8JBh1!7W2YlqhP^eU)R zsIbx+lB-JZ`mo?-uU1hN5=1Ae+sJ!R1Q4r3TaY04_UOH{c5EecS(tK%OoHWpWU2LB zOCp8OfpnEnfJ3O0>#Dk{YRH3W06_C_)ItJ4(&|v;63#?FEXE(VChyWzrVmUz8Rhy9kDokGKSQqAZ)STTszgO^trI z^F?^1cSWY+;~AN&FVYkbtsLkK+`2xp>TJL;y$?6r#Vdkjr(1KzF^E7HfhQ=RS>}op 
z-0Z542X2TT1)DI47=LETvRMLsPs7Oo8^=24DCs6EJm%IO6CC@e;fj2diNh|73QEFd zpW-riC1x(4w9vtcicSQ#+AtpBKsKCWxgW$9VjL*yeM{c$pxXF8?ea46nAuK`eMb<{Q!CMDZpm zc%I`~ z^DD4j#WZ%mNBb#64iv`(0iA-lM5uHz(4A6*T?21-hs;oo6>R`>z}X8ya8|Vz3C|BR zv?qD}>&@sCVZ0GPmcKlBF}=-$VHg+%oPS6srza|m>d3O;VwM?#T5SYzM-Q@W&8=kV z9$&&hkp<|WO6?qRU>qch89GVvoFqTk`LGQh_B_IYA7-%yl@g9|?FLf|2|tB2e$rPn zKV2sU(f9yKCtb~*pnsSIkneq9TPbTJbshhHGP_>W`^XIZ7v6^np%?I8Of34J{_Q&N z+)iXn1=u~6Ukj`AA5~-8miD{=H#91Fytf5A9Z~ReLaIW=8yyY8f-lNRGT$Ycq{UZc zBQm1Z$Uo(aJWq>f_gF+9yo7prp`nl7H)ad*Hc*D`^B$U9->P_j!&KOO3GSIh=}AKa zKSBmK+m2cWM?(=3^A^SdovZ+2;X-|-$TYh(z8YRJ& zl5t`!P9)e2Pao4fqZZsA!(NB8q|Y)N8pQFIbS&*WSz~T%7oFJbF|yC7=HG`QR>U|3 z;R)0zu!_4vE`6E5N)f8f{Am*r4fp{V1&J0C4!Ton#wF;LnwA3wQ_SDv3tfeaQCixeA5R5_ha=dm4d2DnmJ+Bqxj z-8ihBEi{DXFzWKV=R?I?<&{5Saio5{p{7l>IcxF#HQ%8CBe9AMNMpcIRC_`9 zx4kN1onxB^HM~Hzk*X2Dd0BoRBtcj8?9~Kmt;Nt;*&@~SvjAB8kgB^+cLqTrdWi6X zEe}7Jm~{%~zHr6ecfES|rFZ$U3Jo)f#_b}P9s}MJ64@!D?zX*8bCr@P9ABJ0W<5c= zj~GZbd~}kfgZlZain^?Mw$~Dq%;?KOJ+C6)Yc-D7F0fIbWN_yWBvN&1LWR)_mr{wf zP{;(Nq8qy8x(-a&!lF&3*Fm(mtwI0v?QNiMR0!IoJ}s$Ib^XNBh{*Dro2Fu*IZM~E6wIOP2fNU8BKMY5S_sX$0)sx` z9mFU6omaNnef?XDGRDi}xB9@Q99#sIsDRME^gHAqNIT~RrvNBDa6h88d>J)>Camp( zQ3lV|UzU2G^3dx~tno8GQ(eliqywaBKGCtX|q`^m@t|%IBDzIq{23fr-6=kVd(DUF-a({*0&9h#_T|xC`X` z*6>4TyLG0%I==E7h-eCIMfurc$mYhmUZVm4Kn(Ertupt3Cn2K6dQt5FF1L($*1lf?gY564q>iYrpPH5`?L8B=Q#~ z>iGOg#lHE00Dkn51){P*>AO!3r;}-&a;*ox)a&x|H*wX70$peE9-c(RC<4l6C|QiyOqT77$TPcz!}yG!Wk$V)&!gezv?8_3Ao| z;2SAC*k&%iafia$7*C|qbAZ(~k47HC`h*m_{BRW&J}*$J+A7YZ_tSTbpMlI1#9Y^3 zoQF&Krln!J;|~KV5F1a|4M(dgP4r&nV(Va234mK(uim{GnTYy}s9IZ=riKLO06_DY zQCU!sf}f*u45C#=|MePhCvq^jJUI7ok>t$) zF%8@WjMs2-lIZ%VpE^7g))GgLRy~Ftj$bba)?Lof$9hCRm&M(xd6d;<&I_*d$ySCb z^GKZ&>`94+Ii#Ra9CO(W0MI6qRoV5 zr}JCuhtkL4f|MN!&32A98-gDr^V*dyK{iLBwTO3y@b(VOj$@TI)dLfn6M>lsy-fcg zAqp8-C#B@}N^g!Y%l2-6XdmQ=mIFnhtlg1lMzo~1wuE7CD0s2o&?fET>PCwhTk2k< zmTldS`lA3XjTaL>tYyMF(rmQBnY7SiaLnsEFx{EX0}Pi#{`TSFOOIVE@OO1Et1oG@ z8N@i|we@WCfzv_NI6q7}Gv!Zj9rhbwarpAXWtzRW=Au^}QYFcddp39RejtuG7?R#t 
zjwlWZpzVmUk=Q;an9%25`fz@0B*Wj(w)F3yd~&{Rl(ZROE3WX74P^+E_t`Yvnv65a z1)k=DKfMFEl-e8SVB-Uzl@z+((qkYwQ=S%O)P}i$8=8i|t0j!`KIEl6H5;}Ju8K^0 z8@U=pyAi2-D2fQdzG3LaXZvu-Sil3Dq>yrOXF4$}=9G|e!I3SSVP>7QQybz_$_=AF zcv8-ZSzMgxR#&G2!2|x22HN2^p(SNWGF$#!cQj29SVUvwumk=MO%IzVg3DUgoBs;W zMOdw-Y6coDIhb2`fRBD_Tn8RqbB_mpoa-06&GuP_dZio7f+1d3ICSaWTS-}{5G--2 zW#kvLzObU|O2#6>$YIid#jN=ev(Q2Hw)D3hHHE9PzZ|>2EMhwW9W#{etXIKn?*bDY z94K}cM~-14a+k%q)vf^*Ps7b#QcFn6wN@Iw>&edtAh$e+r4S|F`o(l%4Hk7!9htaD z?ra%BDjRtGAj8ox2J}PuCKa5)Ig&n?R*Dm*kJzMvq;s%Vc--LzDi*0)rLX z)9vY-8ckfI06Ak7d-y|cycxnO7n^nZa}r`>*o=-rEF+COa*>voJ734bltN`Zj|kXD zJx(I#P+F!(_$72k8xub*Gi?(E8q`gBU<#>gfVIn7I^Xm7P`z$7eXN~vv{0Q$ewc)S zxjb%%nN>-Hl~rBHW+yMSP20!GIeI;KqFAS6^N@dh()?S60{w4phNbkh#7u!M18y_E zjAMtF&PH6%&Ov~{$)sT78RX~ra0;yTx?Sp&*q9##( z`^mWD6?ZYj-GqZhRY_2p(iO}rt5Vj3u~Ts#Mo zG*K6(?pKgR{Vx4nhcNXS`WIRtiAd87PvB}b?+U4j9KE}G_0)|f!cDbfk%q7+|9TwsF?}@9fp*eIpjR$LYc1~nQ~hJTEkj)c($B`g70K_i`2ZCiX09! z*TZtufm?2o+mLbH&|nxxxX9c{<~4TfEc{m6^_U?NKcl$Ks*1yqm<=k5)s*G>yPNB4aCJZnN{~-b;#%;U2-V$yT^)c8pp~mg1~su z=YcQo7=f>tQ@+LsDw2vcObhGN8oxSv=};CP9h3($3*wgqhB z5jQ#z3-x0rMZ9&=d2q2b4^j`w0aGDmL>@O9e}-<*VAl|THG;Oh^!{G1hR%;ZUoZ_F zJk6-2O>cjY>6+map~JEkh7dB+Ho11YL*NN5o|w9PU>@rj zfrRE(jx<4G3O99=BEo?n>-o^>_g&9qo=K>a9Y5NegAl6d7B!fT71(m(YMq5m%lqiN zgC9y~4hn;_lNUIhLnWLzI_RfkCqhyxql*DCcLI|Qt{&G!()`8bkCRfh3I&`Xuz)T` zia~*MlOcNgWjO`1DWADCfUCG56mkG4Yl#_N7(~H^0Ip`^ zbfA!W;F=gDinNN%Dgof9s8Qx4E)N>TBbg>HA2(-Q%yomvRCT4&x)Gea4KjnjJK{XV z#YW5ZtpHL*!cN5(=;GNj#}HNQ!Bd=(o01uGKJRg&A_>_9GcS%cV^PUGZnOwslP>K0 zc;dh`m3h=sgn?_-aqctB*!V%{FKR1k!#aP=i<;An)8CMS=jGsGIMaJEQ@{o~D?}XF z+9Bt%kcIj17>muw298c%!U<<4r*l-IOump2`2ld1(Fx$JF99Hfle1S7^8KXKR(31~ zzBUzgsCG-h)nctrRjM605bQ_T@Xcm>izY2pe2t(R@M?=GG$7Jw?(rCY%jv`cg;QOa zeuP%w0{(1*a+|{#Oq`1he?=P?dUmricS3qhL5av}bTrch?s|-SM290I$5ib2k83x5 zAtpOR4DTr?(`sh06qE4%%*2k&MtHe3l5#W5MO@%#A>d zC_1eektPF*sP~dIf1nX%o!D&L$0LTA3rMsfavfOp zy&D21w#WL0O=8AG_I8GAvD&f*rm8Y!mX2F!TFs};^WZZL{c_(FL@oI+380!jS&-pA 
z)7-C(SCU2a<1t^pAEBPKITwN!CFAZ?OrX_xud<{xNaPcZE6~#jNG(p+P!Rn{Lp1cEu)MuHEAiL(=-#d- zJFIRVU@F%~puSUxh&&zH%`05LRi|DBTDj*KKgZ?Xo~JK|jhPnEG?;&el3d{A4VD_n zF*E`>2oehMKCvPsEF?{m^(Af1dHdIpAEFLpf^zF{g{YHZp!ud!Wb7y&7(NP5VDG-8SoiO`K~YE zau}&%Q&dFKwW@6mvUd}nF|Uh9G8fu*A$ydh$F$Sqb|-&&Aszwk>mO?-Sw1NW8a%PL zZO)NAXd8t;NNz#TPv19?xJmeWklbwybbIYXBAww)Jwqjzn_qO-qKefQo>ZsbKwfR( zyW@>1$qP5>Uj(8)A04H@T4VUJ-UbWiYlDACj`=QS)56Uy+>uDyRRF0> zx(TCmo~kLwZ#H}&dU7%Z;D;2b)LaF{OcWabQ`)8kiy}%=@sD=u6R_Tz!BCLqqL}-a>c@*vHZYX?2z8Igx^QlPX%hTCrhX`8 zwRPG6%s$6-2ULMow~{l>w%Cmg8+6{6Q|Kj8+LEre3*NxO(HR5dzR)OZaL$9Y^zo}i(9jLr9eR3J_ znp4`&Jym}JuQ{vNTv+GAb0+`{VX82>2o`I#K0Q^(a;=t1jYgkargF(k&ANsVPms@7 z9t`SY8~f&Lfrht0`+~YpIzd~{MJ$gP>6SheGE7-HZ$GV- ztE%N;iUkDr&5CW)mDLkUYFbBWSdc!@9pTgZZ~>{Z04E}eLijz}Q~?P5%jHywLVu&{ zz!9(-5#;OZ(MK6BsD81Qt;s(UYbq|{xdqm?02C?z<9>j&p0RSPn zKABprf}|pZ3kCYk+<+skfOFEo`^p8%m{6mVe)vorNRxsuHQSps?k$WSxKEwp?i;v@xFLD2N0 zS5IIr{K$|;h>}!@*YqSnQu-yu06jp$zYs{|0?v;jR%Y>%HT$3YlmTjv17{j2uoT4! zH=fJ2y2-Fw(=x2}<;OuRyvq+BGp1N;YQ`(Rd|xCiNK6F|se}hL0eXq9 z`ov1<`|l5qql9YbOt3$oImJrxw+dh0`TFT9kX-!(3YPZ2CLcmFVNHnX>Tl_;M=L`K8Q z7jJ*>NsfGN{F1?-cq@LGK5nmPVC@Ch4}{YLlz@Xwl}B@s@ge^)n!$QV*JR+RffF7k z5l<%;V;Dgm@C#bT&{i5>DyE;Uxe-X9_wz2F$(m~=S*6#fl-1kHr}V0tm`np{I4Zp& zsT{)?2CF2Hw=a4~xDwk)GE3i8SP#R{fUQTPXh4HO1MUJMe=C|JW|Pi6OSlqICqzI% z2L8zxr;J^T`yPT2@zG*{uxg)V^K&S~#fKYR^)G+P+p%S+O z^0)vuJnU%Z_E9~=d{YM-n&5n?k;M7YvL3|*QpFo~+OHb4iPE#>RHiFz$$W+0w%gyC zr!h~d2~U7hbGCRifFgcF6gwg$H-dz{!pVryjLCbB2{ii<=2ectKcIple89*>0{!H- z?bqfgK9S9{-G#Hy*6-C$6uoE&OAe|)5afUXs>zSEcP2DWsNiO?A|`W+=iQsfJT&E0 zJ0=#VBAf(RrU=5JL&dAXZh-DZr9+q_0>n%^L<#ATvU-TplBBNs7I0jObveCyutP^Y zM(KJb^x*p8mU6s?tAH(-njlk!fFW``uT*WzyJIg(pXl9T>MlV|BH(wZ#6?z|e7umi zOyG`Ld#o_39*o{VK;nK>=k{^Jo%wpkb6<4tjJsXCW?MULY{Z zFFU5$IFT2^jL5RXgLj5KQSc`Q^Mw`r@!POE$pdU}DZXG}E}52-Bm&UcqGkpj$Hgu6 z?mH1y>{Uu>4__W#fjTQ#QEkXHj#sbi=>p~^%XQwK!;V5xIp-a;rpheRHLkcm*st;c; zLzvv>0^VN%w%vf{fR+G9!80r}z7ccf7vN_vQA+!-ZA5#-)jxAn%0B5nItEdErIU{q z*g|T~R8?SL*P6Hv6IGEI0&&%+=E|n(;3<0Lw^gHp+sC3?Lv7jZMy4U`zv=D1auYcW 
zviwDI$zdqxGCz3nlXGp2?D3NGg*RjDN-@|hk>F&;h%`tce%z5YvN&coA#~S*pEhbI z+cG8`yh*y~A%$%JU6vontngsXKN2-)(*j z(ZB71+4&u`xtYIfH@=pHB}_(7Z+5zZD?j8N`5yfkD(pjpnyWfUdTo!Qg(Y&lqY!aX z`j5As(=2bPzG1)e1MN@8T!=1oS(+haczZMRR(?X|+VHUe@st9Y0WP zS5PA(qk#HND`o`P7PA6u2Oq@VUgmZ=h_xrkD1d&$`E(cJI=FUP^@adXLQ1N7Q!067 zbHYb`jbDK7O5nZnxu7>N2_p{2n4UdgI$2s$a}D@|CesW&CL-<776h^IW4%eRrkMvV zen~+}&nhcZJV5rFclvB>853mlMa37EbR`uDO~0GpwckHnk98CCWCsB3w-w))OmUKfZo#qsoTY8r& zT)C}QkWb83PMOqeR^`Z9bmTqZ-bD*ok(UVUCFK6}F$zpgDihyFj_Ph(b(r1R34*&H zuG^=F0C|xab9kef23jZx9cg>h65W&IGRYI1v!NwuLOfIfC-cyuH{!%(nk>w~p=r6H z4T5-fQZzXHJ)ER)4XouEq&BOj{5xh<-ncc6A@ZmRrBOo~J`S;m3jEq%zX00}@@onw zPyk=|qB-~1AN`Kr0l}+(WL#T-!qxCcA1nP6IF6Yf=7FMppG^o!)3R{`mN|j^`(o~j<2AN z$_7h+sjbos=BEXTZ=0NQiG?ehp~ul}J2JwW06xI+t6b-xa&)l_$SpX`ZrXO_R$U71 z%%vnY5*(6)c}R47%km52)-qeyM*{t^UHgHQCtNG*6K6hQk?js8G>j<&7z5uZ>Yz`h zS{-zN`imrMH=nG?R_2B~>sP|cm%4XiSYR|KN7BHAW+Ai*qy|=%4}(~rd{t^3S{zs?s)xCnHdy{U?FeOQ{W+e?iiKCg=rOT%a6$f5hF zvf++4L>YAffatY!3g2SM>4xjn>QH4Eyy>Tmz&EGbls=y9Tfgz=L;8JRzG@z6yK8No z4(L#dGQAx|)a$T86;kl{LyO;KneV#J7fZ*S9g~p*|An|xiyTx+72OO>LUp_r3j*smw6h_Pg$h`PyVpK9@2%0mO5-pk4D&mN|49 zC1|Dj%KT#7S$Lo9?LkcB20)Y+03dxFWP7WGeUzjOy52+Uqneb#`7TV@VMR$W*&3Fe zDEVh6#}8n##xuk2zyd5KLCOqL@N_=ewi7eLL2Am4`nb;yScc3`Q9j8Tf#OX&NK9px?YSf!y1J-q$~=OP(Gl~bhg7lE7jSX%N`xn z`Lu-+@>s=aPdPajfDe=DoTJ;1!q0qa=qZA1kTf)Ae(V%BzpR1}1$Uqu(fcR=M)rD* z zRMZv<0I~$<=x>q^-ztBh~(0dECii*TEWP|OLi`2E{Ljg$5METQ}L0a(( z)VBpiXPtas=dy3GKvGaoEPJIw?AS6o_x^c&a*~?xr*+Lvn+O{-n3?i4jcW^$WFe|a%g)QeACpX zYwc?d?>{}!*18}1J^P2cnGZ>{$dMGCfWnz91(JH?J==laGjpX?B=Azc0vxkhpRvn- zEUoVZ#b^9N;1#};DrX7$qp&f(t94>A`hicZerWwo!f!OI3?-T1RS=~n_vE}jpQY;s zcckMr3EPAgXLCR84nY_C!}hbx#56s(;l>7=r&dbwCQRzu+dN!o%k2>P7Y-Ak7s^a&`{W}chM zGe5ClorqdPHD>?==awKeWKFy{1893VX^<*FY0C{bEa-=Bz>^0~!~qDv=D2vFJ_a^_ z_U5WuC>312DJvc@} z&yMW7fF|y_1_X%4dm>7%30B(3TAyZ2?vh7UtBkXTv!9j&ZZMW$-UbV5BJ!;n{#N<# z8axV(=S!$38Sz9NOl9~xw#2}MNJ*YyC0Jf@u_yybJj0_2D`>Pt9q3Mqi3KkHAgb|2!)MTan~Gnl^!fXg z>rx-~_4nx}y48wiV%4-6d*@FrNk1O#l^KirL8y60RWDM#q&~cO+7Ny+ZP=S~>L`{F 
z6&Y{F<>eqy@?qyg>ZML=Cbrc=%pr7L$?pxP^8xV){Goa|hRpaP`a~A-?BY>x~+_K#(#kIRS19O!K$%mpg{*agS zLsy*y+7?0p9L3#l45H>x4V@lXjAeRhQwMa|GloEvX#70UY_YDFeL$mfy&{1^EFGLt4bIhzLFBAc;&;Ffi-} z2{@c_Fb|0t=z6lC)Bf{ddUO;w%9}-a~aU z&EEtaDDn5MmY$j@zw1_p0_B&{tNfH$*sDwLusbt&O8v+ceCPp>5`2BTYokwg3ChB= z%~DUPeQ~3|3IO@3U1S_Q{K!~QbL}1%wBmCe`K&298R^^jzRG0xdK>i+C-Bjql7td) z?j7CBuCiddLXiH|5?}`Ce5E6Q~1tJ?#wU= z12j;ee3#_SYQ=hc!#0=-hfV@v>qTQrhI{k+QME(`v$1-2#uv zIk@RY@Y-}%1Gs8p+yt`?lzmac7vvPd(_>#YYB_MHi4WT=F%kKJW?;>~?7Mmb9SEfO zp1Vw<+))qw=bYg&SI24m*@QVv(j|b1n6Fn_{Z-GwLIgtA z5Q7zYAhNh{BcV$7<1mqT-HRZB&`8Y##(nkvs`FbcN-J1ePP}2tqx!vrJRxafkaNNt zTN!7~11VJHO6(G%q>|-`JUp!2*m#LW0tYx=?K1}Dq_%b*c^EfeYHI}5;tX=*z0gzS zR$+j$4(MHz>UJEH!s$6|dwdB}W_ytnN~Q!L4!})i0cJ*ABD3hwa}vh^7P#M!pE7<6 zZ3^oD>%YF7G;!?G%||pHa^98cOWCrQ&w8Z5qxL})T>I+71AV2>9GL>FTv$8#xzkQ)ah3dyTu= z6X{LV#fCV&*}jeIY3b&CGG)ZYs=jln$yl zl(kwk?@V1%Yx_;&%va^%Y|mA)(S?R90xN?l ztI=m7!zCi~U?^a3sm_a2SO-8ZJiL=#-4d9Pa*|&K(iJ2o;}$0rNtJg zBac8}xS%!iZ?qB-Wwb0l;@49ceG9E*M?V6$_FXQ({nt)G_hT!w<}2vCi63q01MNoTh$UKv0E>zfS;n!>}|P zfF?;THhZHdrIO;-F!g#{Ag{N!)U0Aa2bHe4Lj6BxSHlV_->YwI^Va9%A64u7HH}Xa zu?%>@0I*8~VuD=yqc2`Jb{QfDRgGy3WhlIIgGldP9~^NuCQFFdlhuql~r;2x0tL+4*;VKB!Eq*kZVb)2U#J3_HQr}gnb6D*sro$jbJ9v>^HIB$UIzmZa$i; zr@rI8bOVM4Qutu1ie7vH9=U37TG{%u@-^iW}h&I5yJh-wpbI1YAw>yH{A@M5ZEA-!R95BOb{8l6VEkTU1I02!ws1)r| z+%+2k03-whLjVjCi$m;Q;KhH>O$mzbVD$X+s184$>hS5@@ ztLT#n0Rpt|hC=n5GlC*2-ZY+RnIqO`><5+JGA1)Os--?{p;W9B=I+6P(~ zaG~53ki2)t^(Ul79gw$|?x&jpm9&84wZCl=Ovfoq?}Ir`#rBEyo;W;D!ZpxHc8N(kF`&#aeZn^h2W? 
z7XI5Ex$=qF8PK zfy21BN9&V3$Dehuidj^6U)bJYn!6?64oUeKdd?}|UCuet2lozY^Z;8tXrKq1goMo@ z=+~>QeJt%^QjL51Cj%{?%woh&Q8J1N#*F=w;@XL(3J2&FDvj?zt0j$qFCE4&gIhMk zJeE&B@tL~k9q5J!kFds3zZ`92pz0N5T+y--wG3f8*#luS6<_~* z%i~Kg;Z7gct@1~A!|fDhX0rnsCedG?V&>oN;3uXm(YR-sAmfD_Q7OzG0w1d%QA0(Q zi4mxiOW=kxMgHx};EEHsijw?8mQ+Xzv&_OWk{cyPVUo;DW^okz{j|9`+#rLpfO^=u zF@PqHCTKTKb~O!g>{{3GA%mSKFn}4N%&YP2Xw19~sMxb{heHv2JpGMfV0gmAA<6^~t(1S`8|v;4Ng&JO zB5ma*7NtT1OCWmy+?y6^Esp@teWukHC!Q3!{gc~kl8Z&v`M%PFBq-uThX!?#DgMMegDC=BnYWcX zmbBsr%Y26Qb^yH?P|uYw%Y!B+iDbU(Nr=hw@%Ls%kTT*hM=3H*iO*C|_pF}&3p7eB$J~#O}2VLj*aR*p#ht|oO7@CTAKu$MOu4C7k6FO?FyJhGMUK!zXp1&(q?HWbv)i2WG190 zvnSyf)kRlfG<7-yVYO>guoq${B1u-7%yUQ7Amil~>g`Sh(UI!js7=H9n=4K++Q=SM zIjuIrf~Y*=A0?=n9Zyx}fGh#b1lh**l~C2b*%2lXipCKc*lSTXcCN`_4v_&F|z}L`=E2rJz{?4CSR6m zDMdx8Y&7f`VRw^_(CtSe{wtK=h#qM3RHGP0?n-yFsrtaXu`!tmD{DC>331P+ukbQc95K0U|prd5EvL?>#vHLB%L-9{VG9Y*5%YA7Q=jBl0Xs7%J zZVJ`}x+q1KfM`jP?U&F{`A4b_!@zt9K`E0hEX8<0Fa_0fDgz*>f|YDkS<$eqHhhgh zl&7j*2NaNsVOGr0Km;$4F)4+oJ)^={n%n2Xv=lxZp2)`kKM*S}|tDRmq@+zy+9Z1&f|fcNo7o{(A`b zfIUm!%!-kVZ78kL*yKIcqPB6a8Q5kgRZ~LIqR6rHW?-JNrl6WW)P!}d?$#Bdhd9&xQC5S=w(sE9LjD1{n z`q>@}WMN_H+QppaascHjZXz|GhTjs_w0#F!VFiwnW@B!2I3+K}SAk-I)gbC@iTQF; zpg0bM!Q8lGqz|8*R4RB-Wh8L~k9d zh4ul^Pt8(IuQ;B}ep}w`g=k`s_RyL9JkTBz9&re4s4X8hoOb&iqkOpY@ zG8X?L?q@PXCfc}DrsUVR20oQh5CEOe-S;4*SyfLLwsgw<*QoOXk;GiuKcpqj4;%!- zxDhy58_c2G2mlw{oRAOISwcAGcjIg|k%}0))^t8#IIrSieO7W90DyQFBR~BN7FTD? 
z_cinZ0K)@+AHa(1F#~E&q;6s0Cq&~mEV|kx?(1tS<7|#5;zy3E&R$v9n5UO`gR{&)W4{TFzU8}e)dptb#3iWa`-V7U`YVFGMXep+aF5gRnK*vmj6v{)ZyXlrj z^K|Bkd4?LO+Vgguxy%2J_7_1ae?S62pJU{LA8i^;A5NY~8YeC`6R6~K-U%lz2;DRV z3n=Hqr93j|H)IYnYr6!_#>gy_HsNoM`_2fjle6V@J`p?*J#g+)#OI+V@nQ1^nF-%> z90eNxcbXPU`=J2I{Q5Sa@H~#zbH{JPKA>s?Q-3?Y>cVX?xf6)sh-U#TaPL+cg~Sja zpzn+iuWAs<**0*q2CV~@Btbvk2AoY8MCO(&oYfTLdrRyaxNKqi4ucDk=>gDXYSB$Z z+YwPS)a6R7(keQV>IIEOOp6PtQETVvSJoNo}qRA12WD9cu#f1`$`j<&Em-+6ilufc{Q&hrv+umWmRIL3f|TJ+qjJ`#47q= zYLTb;COyv31K%i;cSPjTFgaiO4f1=BNJhTzIIO*{KZXKHJ(f9((OG&g7;1rdtG#l& z1G~5+N*^%N+I(5#M73*kv0!a$pdHGRPUDp$H2LY7Rb|73GG+HV5vlPHuT!)#Gz>H9 zX9dH-yIPFgr?HfPxUua#XAJ71rypqf^gy)|#<&!dpYir$4sCDIp?iS-wSA4(1akM) zykLL&+j=+nez%HNsI{yziQrn{cgP?r82Juua!^H6t862=`k}|66|%(Kd!I1W^yz&j zuw&j`vZe_EAn0IIo=*aM)-4mRK@WA=zdFj$2N~Wf8+G~=_(0Xi+cm@U>vqYkwD#2v z_&1vAYY<-+MGBA_JVm&kJ%^Q5m@M8}6R?jQfOYT<@VEFO zHwgJ?jwEFMg-7@1rdrP1q_(5uQ%k}qM$Goj`I-Tv(j`3ihyoAUfVmB3AUEYaOk8aM zjYCDoIm3$=!r?KBBjE}cGyLVRcP3+Hq>hQ<^EqXIF)z(@DsOA(_Z=?%mCQTWaF=Ji zH}HcfVb-U)rk#@(kz#?KgEA+Vv;gf~gm<4){0A=TVd$-C!lWG?bnkNXl-@mm#lBVZ zH%ZFF$fX|aOs`5P)|5cLOdXW_;Cm#5%OtcsrI#rg3`86p9vh^RGKGSZ;>(DC3|i(Nhw|7)c~P)Wky6Mp;oZeX-wuz14!D45(jbSKXR;g_XmH-@s#N9 zhoza}_1MgYKw2@4kO^CvFH;q`r<|#8f1Gg{pK$TPnT#w8r>$rQI?*#^f_5jmZS@A% zy|+xE^hwBMY8ySeEBes|mFbQ5bRXEE#0R<~{)x%=!Tw+U39~HjaxcXGOWrNNVEw9Ji*mVx3@xPC z<@D(Tl|~3NTk(E{)}tmmTlJkDT91DIA~lz5Z}V@qy9DvaCgCm*_P_Up#BQh;bJ(_+ zNGF@ZPWx3P=(|x+;=l&kRxj}%isybKl@U1lBTBsNK^imD z*|$&0$nkGN*&9nNSTzZO#m}ma2OT8R8Gp*AcmbNUUzTIpCE$XK59xgrz5<& zb&B}MQj3B{k|2gGR&kiFfqUavfZ>Gz=-URMw5PLxZ>reW@6-0CE6|KzuZHZ{khCkD z^x*#>lR?J*1Yu2Wg_#h?QwxM^5yNmv zH70e}4~$NPV9bNn;#H*e4U~)`T=-BG3M>1ibl;l`6)D2g^hD+)mecXDREG7jcb0S? 
z@5vD-1=uv{zF{JdeLYi>#P>6Z#Z&P15y@$YW-k1J@UsK?%nMIg8QKBPsFS*!?=4rD zAgZHXK7t{(KkN^-u38FkoP*@eHi)t3wFY>Duw=m`MUMFSXhEe8owjq9Em-!D>ckAej$^>7KWXVxa;9*aq-C<^HTMLiS`LWo}XthF6oT}H7t5PcK}ycH_UwV zW!h;}E$Gj32sZV+dobqD3K*e%64w))zTDG1L6K6}IRt7DTtZQUAig1Zou4E$)Vfbc zvO_7&MD^4`>X{$U+~ZC6VfubUgs_&opOcJzL@-mUEeIs7gjF=Eu@#=W->B7)ilYPK zLrISILwDS73hzo!xBGrU<(po^Qs(Q{N@Wc57lHG_Y|X-Sy}s zda=euOifDGHuaYdv)Py1+VF-XFWSRf@J;B&$Eb=X9Hi#v6FrX%>__%&ll$_8jSD8M^8q~HP_eXtfuB# z?c-M131A5PbC0d5ri-X?2)l%$E+K@`Jt-k;o^0HHOlJ`evg|`ul8?qu?PhSc-w&J` zt4-w~U>$R#3G~e$2M|MxE*Xz0T1~h1fxm;Wojaf9;q(Rvp)VM^aZvszIR>MxYYCA2 zp17>x#!iXpmlI&?=Q&^Wm<+S~;y&Hz8##7`yMf!#y?@ch1{>09!C0LtbWQ+W| zWFX-gIo3_-ZwUYS9}CZ=wq{RRa6f@iYK=Ri0mcU9+ZEX^_NO)IRj?%s`KIWf5(AzUh{a=pE7|$nr9~w1(84D_Z_YmNd zY*(Z5)K(a=Uk-Vs7=wTuAA7M~R4l48@Y7AOa@MAHlBEg=w
    XyR-fY%eI$JTT2( z+DK49Od1ZdvRw_9 z(ak^+?GnD2O1fb+k5ZdJT9-g>WNj|e4}%uB5TS8w0(>rYl5&#OW9qHF{u;jqlnNYo zQuIY>5YN_5wmuk4g7pkT`+1M@0NAi;XoC@^wc2{6f!t~#3{u)8^;FBZ24v5*9^fOy zva%BATqF zwtZ3N_xEt>%r0u^zVPlFyiSWr97IyB6H)<>du$<&Ic~xtpC$y*UDOszH(LL$@4+KL z=R{JbZ&dIWetn&)@bKkLWbO=wW5ML+2Z&~C?u#@jp=O;h)qGecqv-E8x+4|7zN?lk z&j<};BP+@yVP5NJU}m4AlxQ&0YA=H;4>I<3rgXB$Qk;@-7pa`NKF=eEnacb15^E;O z(yIbC+|ifrIWpuC&%P8HE)8nnnpXj%Paum|dT?S9@yuo0X2_+ID0{BohwBh^068m` z!EZ)oQvG8ivL(!MC1Rx@wX;8`sM#@p3^W2pJM>M`n{T$pS-;Lgg-EJyhagUf?X@7`IpD81;{9aN@O+u(b^8 zVzh1%D1Nq(2m~D~lx(d~>A$pS>Qe~QKfUF_KcZV;eu76E?pIWZ>l81PhtG2`t;$V`#~i4q+S36FT;EKA2r-;K zj%U{JI+>g)epG26XAI0|WbfD|KuUv6P>~3slVj%6V>u=LmtB>?n-C5CqS-u-7wH9P zUYJ}>GokeJ%Ru9R45~CeO4xz+Rm7G6*3nmTMptQpdKCdoPV~2U_k}LRtS)05+`HQG zcsOmR9;G;(j}(q9BxQ_@DvZ_bo(qk2ORLj>OQaWaHOj5|3Q4O!-gHy$q)1~P*dO3n zU^;v#E<&RH2Kh?m%)@t_8`(MdzN;Dz<6m1fTa+55f&dH6P$x)P122`oPVX*$9aPE) za}x|x!D0xG-U8W%FP%;AmU`_|k7V*H`V4~IV^{{`b2#k5%5Hu(et*mkI^Ti0t}b5L zce)wua2wKp_clCZ?Be*u9@G7Pmv8G-VtdOfoFu8(-CzWW=>X=@mIqn&N15+{;wOd4lIDY!!J6r>IJrc|p%F&Wlc_JQKz zH^f#zN~t-{emRI&ps%TL{Ak3c>-uT@d+pM!YOed@cveH-WsS3qq0mD*B`))>IxyNM z7pVVjzAY?t3>-U+k?rwoaeXe)8b9qj1_0VBc|vonNQTkDXegOD=$!x-KnF8pTn|TF zbIGx^{ZjL_7KO5E4amR3YEfmu?-Mr(2fYFWqpsm5se@H*qxP%Hod*7In|B{|LcYgs zOWQ%dekiHK)$m1*5{nrFo4Y1IRY3az9Zqi<@8QPht_lQ1D|w8A(#4jJ{?Vd>=aja|EJAA@E1`P){qj~|=%i(o5F{8PGHQhm=Bw4_LQR0=ZX zPpuM@krV~xeL)iRq}+>*^RknReEX4`-N&r8Iz%T6fa{m-jB_S{`UP^W#kmRlD8hAqum=-XW=kgsW%zP(2@9P+Yd}3myzM(02ySQ?MxQfhPEGe~-A=T4 z80Xh11II~GN)I2#wDxn`q0W2x*MBcvgM!zgz+6a-7ZGQ3M)D$Mc7Tpo}aY7^`~W}w)Gof$YuWli)H zo~Q#jdi%ss>-{~Z6mw`pSw$O_vP&4(o;@`wOxm$yRVcOKW@uOpp4+1+ing(5 zlS(gnbS`J)L|!#0x6Kl`^8p1#FALm+-~WI+3wx%}%qClN%#Xj=GmG8Q#E1dtZj#cr zwAAJuYkeZD(0;PwYOS+vRW-&KI430zu&=S=kTh3KhKkiha%{ovr@QIzBX*W@Dog5S zeT<|2aL*fPY}ExK^3~ddHxaX?8LU0b{@Leu4B^KndipGvPOLgDhg6Q<7M6;reCgWg z{lx%LqT^E^^-=21<=vK=E*>NP_<2l<;98U^b@K?8JcX%<_`3E0%z!LuPzww~qC95s z(KE$H2s2Uz=};Z`5?0eqIQ;Rv-N{UDFY-X+%=*}6y#5Je`xAgt9r339!}ptM7jv@& 
z$5w1YFRpOwL?1)Z;s__ej^6xHFnyp*+MrWhxn4TB`&Lijd3U(A5R{Apu_O``$|f_RXh4Sa7-ucGM_JxQTxV0gzRl|>PyhI*ovanM85Wz{Zc#2i z9TeL#yU+USS)25e@)d<^6<@+>?V%KfiUN@^2{)gmwc6U`_H8B1qgLl0cr^_%5e~<7gp1>F+(7M?PBNC8uj|&r*5h?ABPz`)-WZzA|X- z0W5bZperA-V7I_d)X#2FX3g*KjW+sD*%nh{N#~uv0%t#)>xN*j=i;lf!n1cy!Q0{!%-M<{%-dsr~V;m>7+y2V1B>hHX3G zN(zo`DY#hM?G9eLuJjI&yS{tGUJNi=jermqLRu83?W~U+TXqb+WnHRZ#VNN-4pJQ; zj_fRE9~I{GK#r+vUGV@?v%%gsmicg5Y`e%w_%v)uLyK-NtoTco_7R=or1rm&`c~6< zV#166uukO$7IapKXzUwfq!4KDFyUNrVuBZhSNZ_qu1p-R_k~)FqxXO#3&fIJE0l8L zTAzl+P_RNW_X*mD$v4tAJBISqhjHti7a9C&*_#vZfXC%gqla`6%CFq^&}#*X95CR% zf(<|r5aIO6m)=o*8X_IjgHahAKY?_2>Iuy_Fg_u(`w}m7(TG@1-^{}LS9pcGd6H#L zskN#EHcaPg)6Lf5WI`%O4$5Rmjk0Hm*(lux*b&>9ap4UqA+mRfuY2DCDSxlA)d4#210 z${|)9Db`%sp_VYLFJ@j25PX;t-_iO1iHY|^uVPMT3pt2q>8tZyFg z%UNoEU6gAFQ}^Yr)y+tldGZW)PRP5k;CPxsG=%84LW7ancR|%-L#2gzv8u2D~`xeQ2P(?Cn%K zhOh|Gf*BcG%VB!5xQa{F5)H$w#YGd`=BVxcw*y+rVLMuj4NePR%)G>oahq|_>1Q~t zqZ0TkZZJloH^=t46f+}YSt|9Zk(0B3ogJ)>pV9$Ne+}M{=HY22uXfNo(c;e3ew9w= zD@;-Av)hI#>@k3BKI@+_fhZjT8DnZE`Bku<&g*@L=HZ{;?M<~}USenDlpPYM?zQIN z&p?UgC$q*!t4^33+8T#L={=S;Ri8&ac|XHp4G~7U)Q{1BkbACzq9!(ck*PReiw$>h zg2jZqxX`@;c3Pz%%v2arjTDRldV8Kcvg3w*^PMS0dp;w^BTj?Zu zWw(;Z@uB|MMXqEn8Ln>iucCyW;=|TwnCy~0dOwR3ZS17bJls~lj#zz9<@zfI+n2Fk zs_BzcG$Aqf%;{)q9dy7%ivw6tO=)=S<5jJ^)wcoK=us|g-RhG6h}qy5is=5$_?(`y z|DNDpBc&XGPB7BPcAzOI+KcLuJ8(RKt{*=9lZuYdcVC1PyWW^C?t#m$fcn3Fpd>Ns z_w$#e;*90#KdaJi6{RjO+N+9S@|$6Lb3;+Fsl0VVV-W;nOVQb8<`iyP_rG?{=O|b+SHt)^&2b`EY^-P0Vs94t z+g07_GVE9dN@UAVN$OIF#2-^$JD4-oz$>p_*!?Upu$$98{L<)D*!yvilrv)FcFCb( znL(m`iT?Yaz$gaeF^6m!t8qb9lkv4tQQP)6p|c#&kPH|~M9 zJtaCJhW#VQ-RmBpZZvU4p6^zTo#$V6*QAf1ZF0e0jr^wGRx+oS_?FK zke7bGE(b@y+C-Hd2MUkzFr>~mmv^m<4;i`-Z!O>9^+$*XfGXl~%PaJUrulH4jcEW;=CZ2y}k^0fU@HA;QAkOfbSC&my=M2hn@BLMJoDi#Y% zSnX_sP9NMd7uB*Wr@hXAio4O^^C~UeN}An~?jey(rP}PL{x1sdxbg1$N0?B5honR- z)=JWV^IZ1_BsYCA4n1D|B`b^ArYO#GRa%h~(G_N~t`##Kne$oElJ>Ztbn=LR$J@sd zy%E{+dVU7)0AKv~E>)klk6Sn~n7@i{r);buoQS+}pZJ!b*xOQp8tzLhHIcUmNFrg; 
zXMR>Fw6|qVH`*nQ@VT3V2aqyiM@1V8MD4xIGa9Bt3sNN2QbMFVT+3t57LE{qeNYkY zk{oEWZWx1%IHk-M8_g!|QuYLT`JWfc4VmH&&KjaMlun`$Hq{ zfj1&bQMm5C_LcwA)6!!SzZ%^|LUPnBa!Smc{^ASX6(ZRR8UNRV)`_+v*WpBhn<#+y z2_)8W4(d6*?PeLVVMcN@?b_1r`obfwvAOhE% z8Ax;8=I*e1dbk-GRJ*|Lyu$qB_CD$pm~hFj#;F+Y9BjSRxO^V-P!}=49m|4z%746eoDrYn}cJZA`74q zwZXzOYnBhX;x?KUvwSk``0i)99WUu(zCQPj-uXaSQ~&_v6HLKb?^fZXJKdChoEnWO zfn!r#&3s@2@WrQ{wI20}8AMD(lr}T%OgY3fTE^jJqXqK^ND~WlF@u3d@_sx~WqP`f zmPz7j*x3$R)q{RyFfDk+>~dXSS&v*0V7zAZq%YW zIi@(RDoj}qA8hmEq+7D`g{;JAM*ga82G?lOj3!EIJ%ov>?~hiPVtNW3g5rr+xVy~A zwIhsXCko#ILJ=REr|wUr_qMUu&Ef&|re^MevlBG&&a(M2+C;ocRrGn^$j7CxDTDE7 zTcb0Z2y5_7@FXVFa0Ckf2yVaoAhmq<>dL)G5N<7eb*uuM>LWG{j~u6xq7MVce6&xx zCg9nn2CKFC$?i&HD#{o$z#1(SklMsj0 zKXf6(7b2T1KJp{-lr;@+fDs?HO$}6t3F|!clP76$c~+^Ut`KQ2gx|a=j1)y3$Qf81 zFhZHdhsaO?g|(ww4vK+38t@0z9XCSH=U?-3TuXyqP-twF+?{RU$Ezh6MU*T((#>QQ zYXS2_fLNFaOK zG>jC^+le1dYM7Y{Z&l@6oSV}Rl6(o?^Iwo*x4ZB9SG~bek!}$Ap^Ay)*o~f5q4Tk0 z>7p=w*@|2zb36QycdN)zim-6h%{B)&{P}~UJi;vy^X19RThlYHnRP{jdQ`5^%)Uic z26omCq{ebB?3}LmX(!(IqMc>>qLxtF#_(~!uwBP8>WK6B%%mkee4eFO^6*^2E%-E9 zH=vvQxj#@~5k{9i5}9hL7aw-oS4=-#6Yxn_sBdhaDU4IC+n1Kjy z8c62?0h2VvEMp=iA_qj{`f7*J+gV0*J88n^RhDO61uZb|Pdh7QL-Rfv$I|2v z?DYRaM{! 
zW_-MS0a?&NzSq#aYzmejM~sPT79%-X41DTvv#!@&CJ=lQ;tel3eQmZkp9)YoCqHpp z728{~8nk$>nRfk%ZP66V zrDe zDQxUn3r9G8d!mO{K}92TpbpA+aX%`M4oFQDAcG5fTV*pUgd-7RU{O4U)~0WFw&RRO zcs4Llc9`kZ9e*&uK^Cn@PKn+> zMh7xchjg}{BNO$HBc>Nx_u2+HGQ72p1BI&$nAdtYsfDEg>4^R(1VRbW zAsMh)Cjy*?PIo(Loz0OKO(wMm1gP5OVY@NhMPC5ijKzRXUoG5gng@|g3uANRRPM9$ z6ZPM{8S(`tJ^Ej`Y5z~r=n!ufuR%PL_kGgf$whL_Y|DW@&UPj43O7;+0A#!|3nI9j zHm1uP1$xjd;&uppY@*(+o5o+)fGyD)DDzY+BOF)aC9{qxxp!$M@pVrVkdX~yoaifH zzM~pwaWPSmUzIps?ewmt_Kk+B=oT4`TNjyk%=`=ukFawRoxBZuFPZ0$Eq&a|f$-20 zE8;BPwyHnokv`hF*M2D%jXh*gT$Vkp%wdEqe(8F-pr8BMvc-(axF0YPJ}HCgo#&tR zejjq@#%#!L4PWZrmX3K){x$t6$W7S@g$YSISs>56(5X(Z+o{>EBnh9N6`Ddun%5dM zzGz!KHObgEeCr7^+0fVEdael|pl-CPEKB4VF`D!ZCDB+-T~6}XUf}q2lk9^I;8rNB z&~Rd=Hu`FP3@4)(pokhNN)zryVmpa0FylO}hY)X_pHwTu+LT9p3Ux?X>Eu*HOJi@Z z3gR0BCV8pcHyP?o0u+#8sONHU+&3as=z&TPp!pC1Yp}9*z_1%MeFJiN9M0buYWDCq zwNOQ)3MC8F)(6eVK%p2u(h83Ga_hI4OZ0*LnuL+&fDaY|4-k`bSxZ zJu{a`cz_>zJkSj?T{GIGybfF&JFOZL!%gvZxWmp5G0VZAvfRTUM?|JMvYQ%-7Fzrm zzp<}Fx`j^vRvoG9!-bg43dK$vt7X$@Ic)41GLwV?pvJP&_3OF1l9fc?%y0>zR-*6u zU8YO+5^H!CMYXxq!&BA(#PVH+Q)4OdgxJvV;gl{dLo5%5%Z@Q)(N39< zDr4E`Ulg^Q$U^o4I4jzQElU+H#5$kN{*WD%6AI~>!^|OB)rIuq{)e}Ayjz_)Yc_^i^>h0G44^L(tKIBOdAEgWr zmmxXhz374{g^s^VF6Na9gCBhCWP04=e zT5K=kq8$lCb%A;{e)+&`0FGe;IJd`l!p2b{ zC>HLa*5``HyZp-l$%;rq2kSuO5$RU$ypaZEP+B{vj}BjN3f}IngjF0dga1_M&yfU> zN)8^SFGXwAqUpaV^m5#ScG8uA!KSE@JWh!haQCa2MQxgZzyQa#N-Ad(crW*4i^TlR8vkJB$U3kT zaGoX`H*~*Qu=GO5opd$4CAjIIy$<|SCjOo)Lq{Pp6)C(~rf^B6-^mFWdW^P3)3#MC z%y`FgwkNH6x~Kt~hQgVJ9r|@<49!JPN$-|{nwlAMY$h@^d9M(3O9RgX$mH6j&mQ%q z`uPQ!qZpWkHH0va=F2n%q+%C)q_9T~`8akWQ45RbbSB9eZ@0eTeE2$fVwg>1H@~Od zFBO9pfOMn9g{A;(AJ~(`<)ngLkuSlk<)YUZRI}%}u)lHYQ&g`gayWHja)Lkc3*?A5 zJ(9LXP=IM4>F0nvT;L^qhaqMfH&bAqsyL(3{MIA%w;b8a>O75+aPLTGGaQ^az5iD2 zo?)aXPa`cG43e|Ybn4_w#7Mfq6U%CjF}|I0FKF8~AQ-|zWo(bX&|A&ew-E@2`Ez3g zKl(;pVG}exH(|e>BEsfqMJ?1gW3HrM3wB+5Z9*L?2VZu{f=1t^@z{m9=L+2l{*UsG z^9`=)u_Bl11FWZ-WOt@XTh%FhabwO)+J!20Sezl^5I~p2t>=6^X_@bcMxO~e^HiP> znh_NG4=j1u1)ptqpt%J{n8qrbvWHBhu2B-MZxBRc=C1X0U55*R2_TQ|#Apq}Lkoz8 
z=~V;|diVl1i8$X}d8E7rtB4&E1WUH|3|HzS=2My62MCOWL1?^dKZi2iw*p>lNN)Rn z(8Yq@M$s1_XsKwnk6Vcy$yJ|&FW$-1P@ru`3wnzJJW9Ie8Zv zF`Rq*AnhRU5e_-XrXE7D`fhm_armqc(M~&WsES2L-}&1^&;aWLL>}nj+(4Q2Pj)tw2`qP^X~3NTbz1+!6Pw6Ys6J_(^ zdB}E2@pd_@HX$pNK$jxtZ*!adgQ=$WF0LgR*fB1pA86I)9lD?@f{{h%XbBYt;S|&kQ9cn>|TW5S8H&O>w5mMY|kZ9Er z_{5_nk7LKY@3*}+F{QwBBh8Ad$kHmnjXhb!W-hFFin)zk=g$@uA-CG26gQ|cBpwSS z^2t_(hn z8_f&17in!~Yf1X_gDgg$wn`bl45QHf_;61jh+4_hmbcEcUa4%=at5qE~O)7`wk2*;`}0LGz8GJ zOerw%9R-vQYerjJCPfMyA4mmFheMO)<**TaJXe(Bk(UYDDm|IaOBn0&3jJ#U0i}*T zolY9MRr{Z__qDUdQYL2PI)l{wtfx!GC7@hr^!ICHp#f%*%UivXRZB-pywZ?T)$0>X zzt`5?+acHah!jW3?fJfxPW99!I^}xb%x#!}R!2_C?IW(CLjv$;d>!|0Ee~^lG8;ux z8yBmrMXa3hW3MFesoi}mAou!qa$Rr&yk}?Z6&(eUz68DrKtu#lBxp27-kVGyxVfHm zIp&ARUNdYjaA4J%q|$lb>^y$#N?wyIhd2edVTF{n2$oq-((tjFXmHyl_?l$kTT4sG z8SW!!8-m{bcl4%UIZAhR1sbSBaU0JlVKRVTc{M#^CTN_U0V#CbEPT=*KyW^v0$@OF zmjO?-gn}?PBSzQwor>`u@5CSA?FOgvmdol@sK3mdgzwVkZvysx9@15i*8FSikU#5#{~g9VYrm z`joXG<#GW078a*q%kVCG@by-b&)Y%g^x4=99YDjs=UvYM=$w)PAh#{L8L~o|vlAXe z95l|-wn>^9O@QLhFVN zjsZF|%c^|7AX3nxz_glP1|_($&$Y{4*F62vt~D!AtEu60vzi6AF5Ha`>wa&}ab#J1 zq$7)?SP-92*q0h9WF!5gH~Cy3RP9CvLt=ZTL_6)?raB+Su3b%k+=vFdieY9u^B ztHKUo0D0h}uH4bBWw?6WQ!Wz_aa+p+ua=oDk+{FuJ z7~sE7*)_|H1NsV&t+T<~>rsJ*l5J+gz$?_@K+b^v&>^n(3)%0cCo{OH>r7}hq%QMjECD0L)Rq4nvuNp^(PQ*>o2nM^~}ts z&2@H$_ElxUSSjC`u*>?|5|p))8N{CMaFkzpT@Gf8GNn#%l99Z}W^o2Y1a*i5gI)&W zi`UN@t)hzUC&Mx2wOEC-T+(x#OD(EQnC6&sJU<}Y?n124HK5t}PKDae1A3G^@M@cf zX+;3k{JJuC#F|^=g)pAg=^g2t*z(5PqUi-nd`39<^=G?v(vITCWNb*;Fp80CTp0`K zcG&WyU^LBp(agji{HzOCA(>B>-ICZFVyjYkMITOw@@Ojn5?uV7!=zKkYs*tBe)RTH0G98V(MJ_hkSfZ9*$Y_t_sFLsJ@F{f2dUyZQUJ^S?t>v(i}7|HXx8h-6(AqBcpBl z-ix~u{$Hx2u()0grqKevR-hA$_)uhKV(CEyl_PXO&%hquy%wf}ILU5yrf+S}!9q~D z3X4w}R+6)?WfT3L1d93?#fLQ_W%Y~|BFipc_I2}327JCPD)WkrXr~Mj*s{(9Af~qv zcMcc$$1Rjoet~^E_5wB22C<5LwONMxxJi6}eK3*0jJuU_$Xbgm<5p?ni!SIBWrL9l zhtflC6;qDVWh-Y7)foS_3;*iYXoG=ccwvco>{F|-zhzh+JUv5?11rTbbn>AukyyN4 z$8JdsPg-KqJ}ugjp#SaKf83~KF@XWqTKQx`(}$>819GDb&M_M3EgJ-Th#FEdKeHMe zx3RT<_^L2hL-@Kx<$Xs)?lKf4{1Ip> 
zXid$utlPxU?E>i16SOmxAtf3QO0-c@#8IOsP88#B%4n4fkyku5(iC__UCKCYMuo{* zA})i|`iucV^e5Xq+g62V$%`?u_x=Ub8u9UfGw9A`xNA+4+l`&IfF0}$X_TJW#BO)# zQ(RtL1*t;4X1KvTI?JSEjq2uJ&4Q+!=RI+%V*#kFuNiSpBts6Y`rrn9qN!rcv{OJX6(@i2LvuoK$8^X-+IEmtq%iRv`xss zr{C*k>FdY9Eg;_@1l3hOdPgIKiVEt6#ANNRfJ|imEuz^VaEtr#qaqBu z$w+qXX!`FrOl5{WH?$-_)bA$K&*C78l#={V6rt&o9lU%VWCPdjBXRPgQ3;w){s1aX zn(X6#zJ`wd5u4NN-S9mm#rEZ1F&9`vFQFsQ9+&+Z#904fLR*r8Yyt_i0|5Y_5Ei29 zT2q`+8MAwU0_y>~bPm^ZiHSS750k|YiZ$Tx`+6ojZ?)kEW!Eb>DGCl79}rqjiM5#- ztt**FTYAx+3rW2*X#le)CunW4zKcI5QKq@s_X5JWmi_t^Q9(=r{_?svD8{ZGo*}EX zx~*=ywGy_pN}_;G_0EIGx0M_pjLwGX!cZYLhTu=(Miu(Hd%zsI4f95HnA(djMk65f z7sV+JCHY3YNBNplJs=I%A^B1HH51pyP>FQbT>MayW68T%Kqv;Kau6=uDD|qDa)vbG zKT{oF&ijjGgk!*^{KC}{Mtj3T){A(PUK>{Krs5N2QxW8HTRWG7X2}eb_0bZGKX>Qc zx=+KK23!p)Hz@7TPXl$t7n@%ZDl(60Nif4gn}+Zf%X^T*C1dNYBRI_C6iCbw&8134 zp0)>SM`R2e)N)aQxQ`MNUvNmNZbA5}K7HeN&W+}xd`{Van>QV5lc8i_^r5{0!Mcji zhwkx$C^+N9?#=NL+KB&!jEM*^U>bX{Um*blSh0Kn+0s{~eZsH`kzFvBOhOW;A-TTy zP)jH66Or=C+U2gi#|V!sFLOzxOC~6_cZtZZl9*i(_(Zu^SjgRNqh8;#l42!h7$J&TaJn>3})8goj}b_$h}+?H*Hn%)*?Fk5}`xFr%?e+)>w)LB;31#kR8n#_h-}M<=QA&QriR{F=!WZLy=9SPcQC6q!K-3>%H6!C8 z(BGi3urO-v4<>2N_uvoT5y^S7RPYyelEuTAUMieb7V{|>mf27JrzSR3Xo&MZNC&$TSVv#_)!XOI3{~!kVVL* zJ==TGqeDi6*D`OlDji*n)O*rp$}SROc(kK|U%oht$@+j`aMhJD1`*`11tVUj{D(cT zh>5(18wy8|A&0o+jcS@Pk>Qb3PHc4N$|lX$!LkouBj+EDqkNgH0|Spi`t{BfDS;+q zpt|_pbU2M%sS{>UhoE8Hwe$SwVRU5BL9y0|ZIm+nC9M`7YwCm(WFIeukoO>!qkvv$ zCDWrKe?o+oF1-25i-M@Oi|`*|dUdihFxMQcI07&m*a;wLj9V*4YRo<1#1#HhO67*1 zKn;XEbK9@VFcw?WgOdBI+6ELw2OM9C+8Eq=07rhvwy#J;&N7F@So zgD15~M+YClAJ!P&Q;~wAk!NcF3@3D;=*V6bR>uH{*&pcXO^2kut3YKz2T^}tK`lEZb{X9r5+`?T?`MHm#wZJYb+7<`rTXr;MbpKC&~$SS2I z!L*=U6A9c(!wrxbh546s|I*h&iGEt|^(*1c^ zht3!w_lgRyGT;@hf&qhVs*m?bg+*O-;^4`ho&$^@1sW5GttArb!|{irvrq^9q&vF! 
zNW4>T>7pMTGY9k5#CBEzcvOfN)@EvEAC?B$(GXq)AU9F|xX-a_ke!4KRPy2gwo%cn zgvp9{T?RNtsv=B|@<8rDo4QdLG?*QLx%DA$SVewuTI{{NJL6@KAJY#^V91(5IS*Rp z@Buf3X59)-g-0~_;JYWA1ns>vNoXDOyLPWfBQDxBbhys6`Z-Ek5HAR^O*?JWJeh<@ zP#sIJ6lbrw$`~DW(+vN4&2+CZ5Av9C$qXji)CDI~EX5A{QP;D6BF7JrZvj*@cM4f+i-AJ-6m& za6v!J|M6S%P~u%c5Y`IB5rBF+49}2>#1an1^)*DwcT3Qkl%g%o_8+YU91@Du2lO$i zM=hM@`2g~J;a7e3e6SAH{+D>aypg7okeYN5}akMVu*7~z$%xgwL;^13>bDV*&s?$va zJ_@voT#!<}K$3XHAemCXcpqWijEIP_aHP(5J!{5X%L41(Phx~KsLGqv8l5G-nC}$;7E+`YSepDtNQP;#8Xzj_TTrc{t9w zD18auLuF^>8L$R*2BWs7heUx}wKkpfxjZe&3C^b&=s7()AagEPEy<9_oHfH z$cy$=M(91D#ND`@AwdLJ8jSOUEFfQRGYJ6B6M+^e;0CK<{p>Fhy(9Z20;^ETNa|%~ z#m0;1FeTv9dUi0OiWyc(ZuqQiUQjM?&g}MygL$#_n)?U_Yn2Oj+oP>L4K}wOqqsTI z!wf74#ruyxS(eVSF^fT)+hxw^n=b|TI~FRN)ChG3bq$ubDEU>Bsni?|=~JJuglU;N zM)q1D;`-&MNRD5qY1EWRBO}$wJA91;8X2($wp234yd&^Z^V!u(<@&38#$f7CmX_Sa zKO)`>$mrvU4D+!;KJ0m5jOl<{7L$*sUKgCA%{pY7mxusF?&Vt&lH^sRl}1xmg<+Rc zY2*#&WtnOazzcMu!n|#D08xu|r>#V{tLoz41!@>vI~-R>o}k~9okb-!6XonP485=7 zx5};)lZHA#bV5avmzzz`WEZZ&Lg7>sWZ&PQWbdX+Xxh%0ps2`vR?K5LG4(cIs%I^;hM1ThC0)Lk< zX|ZhKh{(^lIW>S5%#QG0fK^YAIMtB6mur7AmE-CFgYt|FX%QozioLw!4J^CZbd-iI zo9PT?r);jemQG=BYF{g-n0-!4Z#{S7S=||f*AKry?-7rcWRjn<1@itR?SA|1Bkj)LzzKNvkpGV%5}8%Q|aHXuzONdgY-n*&^i^D1z&ggwV*` zZYj!0xBJ}1sKS{Q)E2@GgR|GCET&P$HU9yaO@;yBI#vQ6E=rxj8Z*Z`&WLbPy8*zp zpquZcblZc|y9M%3y;}3dp;mS|c%H^zzd^utXO6?mPe7N`>07XJHEp%RxB<|7SYQgZ z4bQ67es>xCbeNO$dSxQ1*PWjLaF3@F6~9jZHuZK zX7S*tRA~;!`YAPk0E3>IFrZZtOwa^+P@~W^5LntVIFcleNLekMxku{lQA@N@3T*fSIfT2Yb{ z-ytMZ9T3$6mN(sS`hT%2L^^CZ}Daj?T^dAN#2`} zvDhT`23%1ryA$80698D^$fdX@PMZcpNjV+v<=8i>zgI6@EGtzk1+3FGV<6; zbv*^%1U{xDrzU+ao(dYkc>4yw9wFaD+g3TSB|~8C$dGtIqUw})h{u4mpS{p{0abu0 zpn9%Eo>?xJ3gW;rBZPi`LJzn&wqSJ>N(|~6Qv1RIgcUmaD);%hhrN9tS5gA?OOwcDqRzJLcH}#{1cBWC&ZWSbzD+D630jx#eu(yCF zq;Yc{(E?orng`~xvR@-{M*`GaycP`^i8&EELLc3vbN?GzKZcZ6Wf5VO!u=v9ZDbOk zDS4wgfxV+bvalf$NXGRaq@ij~)4C_0Q=UYw59)yVQkm0rLYT^}q7Pz5{e@bR5cu~z zk2EjZODc50MkK;?eE(4z+G%Qs`f=dY0hu%f)YtqgQ%y>voO)U*%ji_8UY4Zj^HeR? 
zC5Zq4pGP5>zM*_2N3&7#^xw_oZ&XP)wzt?TE&Y8YB&IV2^AXVhi}^BBD$qLih%YK9 zqgq12g^P;poS%2kp1ovogTlF(flySrXEjT zz-qJiuc`G*c=H`gVl%b7lGJC7>xIm6_G;Eip19bj9LK4}1?)&Z<<=98H!VbGHzA}0 z$^S|gw9w{W74WHv!hPvchO90F%?Ta%!4W+yTYdetLT5X-JXOg&NefP-EJ}SA2=?zt zUeNx#Ly#!ZmL^2AmkLetk41vzmyi_O5Xm(p3U7i&g*#gxTSsZ&bm_;(P(UwrgSO^` zrB0w4WQ>fb`y_=nMQZ73@~0scNL>q+>H41^9A5gQpD*)kVy;qrC24SlX2Qt}EPzCw>`_vT6&D3Y5;DC(fX$o`1qSZd@ zM-K7Toq4Pk65Vp8g8aJ_oe##KQ`$PDZAWMz^vz|T^;g+)t5<=(*yna*W!G*s&9>QV z#$u|X+>l0~_%qNwxQ>}}W;OUW)^yX-pJi)rmHEWR(4U+)q1g8I6S27rUsof)(oY|~ zTIZ~pES3a1q}gQFo8<$?1mLWL0u-P>%8MQ>3!2v^Wr!<^R0l-Wu=v zdwY}c&$?@E*7MjPuqrezF9PcD<9|oga>=e>iQCk!q&~O_)c`gA2;RMZRF@5I8}az{ zS-^T0f_htMLBrp{32xz~j{6uP|sB@``#os7TL9RS}6)jUG{VjYf zlNRzaMAP<($Qke>Ig!L)%7BiD4OPIVA7!XYKl7$dLfqfA)LBp8XKuX)OXk7riN3xj z@sdi+_2Wjvpg-<>uONHQE}0CA?X1t-6%6SODh*6nA$)YEm2+F#V;Z%mvyq$P?deq6c`aIgc3y&Sg2ScC2827k zl6LdIFI}z5@@HJjzO)OqziLD$^qfR~o@-6V17wTU*wc0ByANVTd3>p$EB7ZRkWa~7 zqV<>5MfJnizlAECYt!W^@^nupdAcQAZ^7$M$D=EDg~wj68R5=gfw)e4_mcWIb;#@w z(s$~AEX$sdIIQx^_Wkhnes+S8v6xTL+e*I)r==G_9f9^k&HENi)O}Qwl|9&MioIK? 
z6M7MLP~KXm&WBb{c~LDi@MlcK-DSND{TnN_v?s$N;XV@|lD}8Q^HJXjP2dCYd>gG` zy$`dNs;SNq%>KTJJ0?P-_@BexA1-^f@Lg2CSGPK|R=J}+%*tKO&OZ>NNJ`-EWE|k} zcM?opG@$B?A>oG@2dpf!gTfIdo($F?+ZJ&UM7_6($Mli9e*rnxI_AV1=S&bMi}ou~ zh9xkw#Z4x{cB$(G6Jf)MdP_OmFI;W_ZthsgGj|IvaaVpRT+~c|86*(UTJ=X<|DNUo z=1g!%uT1SBj}wD>JAfjqMz_i%*xphmKO2)`hfU$&i5>8m1&)6ULxrqIX5Y4fli9Nc z2my$l(SH~gMipaez9f`xy+b5yc(B!5aq#+qG5`^Xt!X)%k%omT0u3RY0`Xz<;dLpQ zlD(zU_=WR6VFm^Q;dg9zKG2_bHIdF=Mf0eubUl}D&(r_Vmw@UM&_&(!9#~ThV6u*_ ziG_WNMQk05^}IugeMNQ3=Zt#hw@|3|=&1@Ts&)S8o2EUk!il8>woT8Z2^itYub-g0&Oy7geiCM!A0&B$)>m+Rzr_m_FD= zuhQvw%V;IZAGh}qVoNW(_5t)MT6DcA9SR+ZkKe1?xCJS{bXTjOwuf~;bNB6K>N}0~ zyQM|E&}RfR<`;NCw^j1Pa=Tmzgf-B1_atCrG-v>(2147?B*^FWeH0TUN_5$(_%?c& z9DE&QFXyOnrvx?;_A_a+q7GqOI|zjQCt?ur?bM=41-{D0|b-xN3X@ zU0^tiAif{=^nCyE2!PGAI26-9Crc)VS15fG`&U{)aIryODu$i3790RdH-CPCOR_ z&TGJ`Oe}xC&v~Hh5))>)#}SnYd@-moK(tz0146G$PnC-lwQN?+^6b-jrqzLvaieS= zhfuCN`!EL~GXw2GPPSt5!_4mTC=uo{) z2Ab$Xei4$pqSBr1WmCs?2eB$*MQr22y$;psfWFN&XN^+Jl}URgv)+YV|7A>Kp+9Q; zUp>`Qeq=zGu=RX3BkfLUn7BWgm-81Z=H^R8w7q#sfm{Q2N2c3Esf2CK{d ziDSX|be**lSDu>)6}_GueIf9lY;OWqYh#^B9mqOFG$F$h2dPwk`je}<-QKP9C~L49 zo9W}wp+;fx(1F#Yz#81;GAFgUGOeefZZxVxTq(Oqc)T(sRu3q%Rgt7IoZjoGwb=1L|lGkz0U8$(@o%2&?c6)r4UsKL!C)6%sm*bq}!4@yV^p`-Vqpc%2t%Wz4d{@Z4JjJC4 zxZP3M*ZRdWz)0JU4)FskihQ8mD*1^9#`qf@i}5!axFsbcOhF2Hgxo*|;1MnlRsghF z2beSLDk4h*?T`R~%$CuBup)vFo+iZEQJjSaVYo1lj$tnqKt}Fq(PBaS2s$<~)2ugy z1s(pwRnv*~lCAM0BeBM2SWk!_8Ze{l!{+y{DjZvnAxNF2_DWZL8<&0IRG41ANDHn1 zO;6cXMUdmPV4_#h4 zd<@9g{1Wo7JS)yZ4mNx(9C1TXOGC~^=~>pULKTlTNz!k>*yp2gMRLxA-xf~g^$l8p z?^E+9K35G>9Q5tI&{GEvI~z4QinvWRTs*9UfGkiJ@KLkbW>UYr;G+bY+iewNx#|gs>w5#Z#B%;| zTb3CJFSx1=Nfso4#bRb;WL`1E+d3c#+yRLSx!lofh>K)q1j0nxmLLQ!;Cz0Z_xb`F zv_&zZV=q2qw*D;QAFt8rahJ-E8` zmbkhy=L7XOTCgjIf5;?$**v#?43W41yVcZ|=>GyB(o`nO*lSNi+r63}Ns=|?3B+4y zUbo%LFY#Fm^uZV?>oyT}2SB}O!w_}6H2FM$IR3b{*@4I})TIb?`*uf0$C*XLFIl!u z1P%RQGSsOOX`YOT(4wfxno~Jd7gZl3yzG(#Mhy7`AfWlw34;3L?QyRLs1d`fo0N0< zkgmVOmwo*W*vM=j8O$xVC*zl`I>*Tb4I*AJx7pdGKMCiO=(=ARb~13EzfHayhCT1m 
z_~(3HQZ5fx^cs~0c5j%Gb{~-|(u}fP0(`(N*N46SK>O>kg zRM(EgH$V9canCf!v>_nIK#yhLF!XPuxZJ;r?>%=Cks+-mcpoC2sU?aV1ed=|7(+)a z!Q?A6#3KOk53 zE87hkzkV)ACRT1%F#K>-d*zTY5uF~9_#ewPtpL8`RdVg46w}8^GO8r+cWdtE^{=Q0$9@gs576<49$`+9v6m#LSn43UezS(v6mER z71$`hGKaTP{N_8sOvI@Bw_E7YiH%&dqR&G6#>nRi`70_3qBN` zyG&lv`Hk{jmMQUaqSmJUNL@|TT}pUVBh>Cwh2fcSijVfXxJsIL@Z*ack{4@8UO4K^ z=8+jem=j=k31nilCnS?d;cNsE!+~i60UFjABPe2+8Zoj$f=s!l+)@BdK(fEHDZ_(( z%Hsoq8NOGa&M09WcV|jYIOySmrSy4fJumkbTyZcU-p>f}LtL`t)5eDGSLtU#j?L-a zA0HDTB)Vv%aFsysH;!_NMHzCJy{+2kZ5vh-u|E;o!Vs3VfapGjly%8CLPi2I3RGmj@RGTZAfi2iOlh zF+ZPGY03S^=2tJd5Z-jYV64FH_Z2@!gOps86^d1fD3V{Y{Q}GOh33C)_Uc5F;Z|9H zxKLo>j zleDYU)D$SLHdt;9Hl=*9#S>P#k~8&1MM6THEao30bR&{&{gGHEhB&U6|RVWN?vajKVvB0wrR?edswFOCI09N!&A(H;IE1`AeOrl-?UT7 zui*DJKvPZ|v7B=HVYx%d-U@{myO%WbGk^aZCEzn{W zFrWYZPo&sTUAL^N>Gtq{1na^N$BDChye~Pn21#w=7ZtBy@Y<^;fbsFp@V+xpoyc19 zLD&Nrq!Jx?+xPeR7kF{hENaUX?SJL&tZBdaLJq338U{M_Z`YG2G0n&bVR);V{$9+o zzD!pojXQjB_=C`u7XV3{y%`g2;yBJ@Nbm7+Am-`NYGF1{@tf3xT~ z*%0-@;^!;^RR*{q>H7DUB)^6QoF-6*%N`hRzlVR0bq}xF<=z(TlA3=ebxVgE;B~#l z4gU9NtkCP8UqC{JBmLIw93MXNn=@v>-NWymf8~T10+<`UMHGRtF!04Z8Qj{QZ`Jd z2-ZBY2(xE;a*YPULLFRLK(Cd?B;R^VRlG3nbBp-UQT{>qYB^l;F6=WUrD`VBF)Idx z5(fAJ04u!_@@Kn2Y&GjSJp-K$cC8}{`j&Fo``l_FNzDf&runzhF3#hPsuqDBPdO@JgVo2eu% z8^?5|^IPDdrEQVU(0M-cf;9~1X&@RsU%L3(;WBHhS+z{QD zvn{C~t(&yshsD>bH|n$Yj~mO+Yk(fh!@wKi-%NV_Y)udo0;V#!s5G^MpA9Dn;X?9_ z_b1%oSaNOYe<}MThZWYdYt%MiJ!-L@o&9+eJa@U@sz9hRC^wi;5tk3|PEvlZi9Wfm zL?;8QogYKqx7MR5Tt_y^b}8R)WmxL8ib?Re4bG2qxW_px$68|&ep7orCfJJaFb5oW zHl+~gMZ-zPijEX1oV?j+HA5avv2eXdn|C^X;X+GJ`vqf7A$*Z4BiS`g*Lr-%)q@IB zKg;d3lcS7;eTK+k@L`I2+}n33eNMwAngIBrBBeqdzfg()BPv%gx63{~4Dp}4FLc(n zkLhLdK#2@MZ_p{YxxOg^b|XHB09w{s_jLYIV>ad6k)??*xmfb?b?i5z(Td0F7+uwKD~ z1AN!5)q7=yYX$e|+9z!nx+-75e%Y!L{=ozRmgy&_^s`Ip6~ZUq%L{Z5CTp{+>8W3z zW16$6YtdsU8!QS=EMX#`F8Yd1cZb8vh)Qz%T_hZz>{QXHDvFo%=cM-iGx|?T$&`{! 
zlD|D?G70(~fhk!%f~)KLEInSe+R>Wj>8vg^+ajs}lB`9o%kk#3&hje%cYc^@0<5)$mp*8lm&tN!#4RNRjV6 z6mOe${(d1KAW)YKyas{nev&~KoJ=acHZieulM@G@x3)vLeVJ{{3yjSR*@Zw$6U%|` zdF4yxfj6z&#{G~D^=dO?d-Xz_k*UC-{?AaaLSbOMl+jO{_dL*8LB8A!yuF*>X&`e+ zU{ikBUDlF4<)0sgJg08H-7_^)C5wH3rqLj>m(bCy_8HjX4GWmRk*Q+Rrq=)_TF*!; zY*RcIww&H@Vraaxv(dH>POw_~iMME9p$Ts4-lLbcG%wXoRW48b^|snpN$Hbe$|t{1 zuTe}u?Njrbd{jx8ITJJy(>_&C!H=6*Z|8Zaa1)Ka8+N7_a?U*qIW`Bwy2|V}YdIq3 zL4-RN^vF&K+%oDnMLEIu_9po^$CuQqYYr$Rg?M$B4jOuQQ<*ZXrGrmi52U+-u7)d#7Ws> z9b>>E2NmXH6~{O|E&1~)GG2@s)QWz1M{KBw2b@VYsFZN-QV!f(gB;KjQ24>zC)~U1 z7r{Q&1n1}6ml&Hh{_$KE{%2cnT#N@fcjKp>!c=1d zH^t~Dxi#taN=4d*{kaeXcEBFSM$pDX#PP8JwW@~KNlldas%&X?Yp{-C6_@eldF4R` zl*{5}!cyUMHiX7!X7rPkEc?mYf?1jTV6Q3&)Z~94HO3N8As&GY5a_ek;43p9b<$bw z!7vhZO7 zyO@oe-$#5?u)7@@K-a_=6BF7bpo=Ri2jmOW5ij^Rgn%D(v08R#Ab7p#fZU@I-}0F; zgh1*AqqW9ek4w~+1;>(Y7J~{37s_@tm=Wv?BBfa7c%jV_H3&d<9rEhXHvZJO2PH5b z_zJP8mHO~Xbb?HK-_tj#I-pDi=p12sL(nlIaWcdK*ppZ1rF&bnkY^h zSx#FT)EZNq4Y$R#C=C#E>Z2A2G~oQ%+~EMsNRWdU0Pu9QRYsg3m|&!}EJjkOA5xi= z&Lk#sqPge6o!0{Zj7~ZbW(EP<)-L&YM$Is^K=2HUYa;k?@-P{#s-Y5V%g`f?-PA*g zR!ew=qUOWHYc>1e6CY)R!qT=9V8~3v06_90fYGYWx?R$k3+ylXr7tiBQ8qo8#ooUPZ^n4J4(RYcl%tB z76U@oMJP=uD*HhF1Zr4isnkWn4fSmg1Gx=RT?CWChIIGi%%l!6{ZZ;@m+HS>+wHk9 z{4ViGaFDN&uaX}op!(5S7p{db!EXt@35=gaZ-U803y#0*TJQH3dxPZ&nVZ757;A0? z;JU(@9mu@SUZ3xw2u6|wi%)PU3sXF4`go(G|D{TA<^g?vYNm=0HorH#w^Lb6T&leN z-Bw<&s;B7!KGMhl1Lb@mwX^a$%TcC)zAac{)y)R8ntg`^#NHf&qKyDJePpK>J;c0>mt$duJ` zdaOKjV0$KES*8R0E`RGKsh|w$HS_vnm<98Y#>EhIfJ+WZMgb^;fw-}k&KtnCL;(!~d|3@dtnV@=bE4s$6=0gc%h4$~8J_ z@ZfE$R?z!YQ_`^&w7V?hE(^LTJ%ySO9opj5UM@)>Bje`6i!8!3%!gxK+IX{KRK#Yd zAa59}X{yG11@;yiwZ)}bvRZr7jM|#eU>KPFdkbe639f1rK z*7uzzh2LCxZ5q)oK;2q?Z>7awFNL%Q?Ng!b_)TxF&8{1*AWO;<_SWVa&n`no$lSwU zvi@8V7AOcJP;U!)*5JY^twJa`%c!lYtx^bCp8#M(>Jd3qD&iHe#-=fiqGUXOM2JzJ_%$!@_20G;WZBfIhTjt;_9HTPk@HCqO0>EM? 
zm7oFPCNI!|8m8_~7|jwlK!&#&6|`R2r;A?NDs|Cp6$X0cq%MOca`(Fk&SE8NBS&cQ zIMs4s%M76x!F%>rsQSI-8n7<=0Rb?tYIoFiC>J)j0rF26RTwDBq+7#Qy+$)II6HNkew_W4c5&h{D5 z!lnY4Xhw#U$PYDk&A7`I{Ax9gHyTUKu8gtD4@|70Zq$eQ*Zx-cxqKCne_)@rQS67c zVuQ7n*j(iQB1TYp30QC;!ryh3~>I(M8XS!;e4((t^kBs9*r?;^LMJ9*Uk+ z)~Fxj;?=?kLD(g^5BFms7@h*VA_ty}k%k{`GQ#&lFmSLa46C-Y$d)RZ)zp`ZRy1Y^ zQIS4yTF7>11AF~GzOR=6Y!kh)>>~6GlxV+e?0RKCgH_l$>gKQI$kvo#b;_VnP&8(?6U83+k{Wf^21&Y z^dt)v!<-f?KpA%Lj;n00XVONox8}~nZSa~TVE5!D>fkAAVmsY#8-nclcydMOVUBSF z@~gxOgeq!2Fugb4*GEY#>>ysy4q%Glfq zzyH%P zUZPw9pE>TyVz=ccCjSfY?-p!%sFLD)(giZn*~j9RM4~_IsrvNZqW#;xbo(s*w!;YhzdH@$S}jU7%Z!2Lki5 z1_NKz=yg~Ows-*(D25oM#_qOa@xld+tW*nEeJofY3_AEuXq1339STuk1aRTQ#oS^B z3@#U@+{GB&7NIcg1Z!dx$z*WhLgs}z3&bPA$-T$kp)UrB9HM;f*O~s#%lzZwhX7&B z;0wY=@0Xwo_>{g3(}#K}q8@oCD*> z10Rb(E}JQk^yu;i;dXxGtv?ulg&<_m)F67fB5Wyim4WwNLHJgKECaDd5t|powE+)0 ztRbiYH=~6nkPvUffCTS>93kv@>ImE@Z7i-q;esTTw82M1fFXhwxEVZn0}uL6uMB@^ zBpPmxTV@!V$p8}0y2!BTDZ%E3!m~hn8n1SOF z=U&Kyf?tqs`LTtJ2?%dH6r65AEnwGM;ad&~He7YMfF)~0k?(Z|n5|(^zW`=7DA6%C zG#pFm;It7#hnFF$j#vOwHcBfbY2$#OLU+)M02B&C1zuxYkUtK$Xj_1412xJH%?TfB zI^1Z$0|yVD8)=c6EJau#0K0LR2XB$W=RL* zkI>eQ^0{ePe)2u+e;lpP~*^;%e$st?kznu?$RiEs|g0ZL$3-Qu2R^X;_ zM}fbYZ$i$H*mHQ8h?#T6!^W48=tksGeER8dSd+oW(uEAmi!_-Yj}eMvh*1`~VHSr> z6b*YESR4aFfyl&GR^FXyXq(#2B+a_!w^lrMf?? zWcd2f!#L(6N`Sc@rHwfnoG37X!t7|Yianzd@Iz(UV2>D$Zi*^Ddd7-A^o^5>WI1e! 
zTaB-ZBYp@DIFcx*VQP-$2bQ8JP=!QHAl^37ISFS2eOpOF5a7Xqu;&yZ^dXE_=gQ76vq!j_Ck`WS&v@QErG24|#YpUQq(=Q5>pFR82DBSxCcr%$lqbGGp@b z=LXWnBnBaR%A2Jx$X7XSr-B{P9Y$3a)F9I+pCT_QQGtF4iKLVi5J@Rn$rPFQA+J(0 zDYA0z!Qhn32_kwIB8dzk@&hNCMll&AWMGKRw#L%w2G@O#M&CZITTX_Trs_jj)L0(b zsaumrQ1D^VQ!vP%uH*n9g|Z=hX=HA57|c=(Is2DPl$4jJ0_c-LF7YbI1dJ$IE)grU zFeN;#pp>GEbz5R~D^oN9QMxfF?NXHJ8M_m*RNcAwc@?=T0msIGQmn`ik;EdK0|r#) zC?aPWlQ|%Y0ugSAnNt%$p^8)*;ws-VwJeWhz7Dw%>C9wtd8DajAcW-)Tj@w$(0mcX z20$WzniekaHA8YsS1%vu55XPZ)@({$@)dphp1lbZib4GnHWfY>QQ3um;8YmZNLjXQ zc`U0d#d~sBVK?JO^|pi4;2`31gcbX6D0 zwho1uGmOA#wsig&$z^W$NJcOEN@8 zv+`3((dgzQkR35gLivzW>Qio{4m3r%lT%1uds&O>ypK+jaad}9dVO;coFOz* zmXh>z$u*7vRR3?nS@loKmB%74#s%3L(hf+5PKxtA0wwal=16<~cSav!!|PLrcIk*{ zO=%Mu=>9WMa#yw-qtR0lTKpi#Hsfr2t9=0?E;@fL42nqzO6cF zdJ)!j-X$fa-dYL@mLP}_5*P(>rt`+vG(Ann)oO>26I^xnABtm6>Vp0OMt~Q7+ZMLq zz`ZcZo30`q!N8Qv`jZ8vuaQYkGibfqs8Iu+`W^Odp8@t`N(g+bDQMkDI!LV0DU2OQ zfvLT5p1!9sU;%3tyJ$+sg)@G;G~B)BsP|Y3Gq9tdN~Ox|6O)fSLUrM&h28?6nC70N z$SQGiU(%&XhWa}&HTWT~*Q(PVe+dcUO-=swpVsTO7II#G5vu=){R|_R2GfCPrf*5sIS#~<&6U+ z2MXKxeU**_%*;_8{dFUqG?WobTont4OB^fCqUvHMOSiBA;xK3KL}^iVfq_bsvBkZ2 zG8c_T<@GTX4zf%i8^FaIqtVp5PZksmnNeKYM~f}?omQ=nq1eduae#~OQ5>uF%yC{7 zYEQ-%hkpZRF78M1taX?Gu|{02TpeaysX7C={?O1ke*H*6yHcS$(XOsEuC6pYDAI>O z>7XS?nj}lF`LCKF2%QRQT*WB5zNQF3vC|=p0>ToV%~y-10bk-JSn-$5{ASUW?1&=C z;XL0-cBP_$utfLO!l#3ymunIldVXo=i>dsobu=mJVBG#%B?QqNz7>>i8UM-}x?T*U zoKxnkW)4UU5j8L-LoGcv1E|kEFr8mBji6HmTF(!cW;Nv9NEB~p!s0bpXuV*L1B!vG z9aj%TNQql%*fxQ2LuTZw1sGK{i^!#L_1`EQ%^V37uU*Mw409n0%dfI#B*k;IWW zrFP`7;x__#{^KTk)^qV#uW=e+W}y_gr)EFfw7vJHUqjUMZfE`lzn zYPj$Rd2)F47~rJWE|5(AT38wERzZjw*Vjy)|K9o3jRCdy=!Dzho*c{% zSMt-9`ILQFUY_R&GGg;K(f?Tou3)I-N))grB0g#yi005R+tH!?ta|@^*3yEH#rwyRqEi?`pd$~i1 zfBJ4xkJ7OvkPqw%GV|*6?UIr`7_S`9d^@I+L(-lKyJ~xkWfMgtAUWAb-uMh$ogNU& zN09AhoIdJbQ^%5x{3}5?|&+PrKe;PXz%XH+xKS;B?4~Xndzc{~IF$q8dO|*$H zKd<9%7cg{9EtlDQs~?T!HggY!-ndQVd++INy{-WMSutt&2-gej=vvXvJmHx#kU>sg zF9qDoEcYdig2Y?^$8SC4H~cW2Z8;FPZ-YjTQaNlf`wM+t-UDr9s#t)1wg)YmH;!i6 
z*QToNw7IQhqWYlWf5cVZFz)H7TRzb^fMpy(k0B-iaBt7zB{c3n)IZ<#HK@T4$a#zCyHR z0Ic@$An0cZP0`B(X||O;_o3!pG|X(IpvgKhhe;B}{pKI<-jvdrUzWq5T=PY_dGclR z4C4zU@O(b;vTMcN+%>tJI-81z-hmSAu>}j5|47ylN)&Ua;%RO%Kz}AgThc!Qs3Vfr z844|pI>}ljF0^GDwKqt>oK-S0l=zfdg8|@(da}bdfXY4k$IX^Tcq~rNYj?%NZ^D<2Ie|f1@tj=cj2U5BkCP{~~j66t***d7~qyA8wN zPn^CViRcRqMh4^)@Ub#syWm0-^y}AdIvRpIM+R!}z_}oIU(h4%JMQ2CpW6q=m|~}p zoX`6z{I8?m6(B*k^nVc~W7D6Na00+%V0pMS$k5M3uoA`Ab_4Z$+9^@=u9Y7Z=qDOv z9~esf|2PSP+8dcuc$FJBK-mK{0plm@*~v6+8^xJ!Kj+a}D~es2ytdx2#5X4bIID95 z*<8`ObN81dtV<>Q{wBMGI~1~?PE9=&{G(qWegA?fD{ny&ovOrOoK<}w3`Z%2JTLK6bkwKSYPChm|cyi849azZ=NMtg1Frz)+N0YL7S@m_9PJnb#?qAD&xE$;t z@F7i=ZcUs`Sdmo?1a-PE4EnX{JTg9bC^PuG$bRddH)r^{t#@>F`y99K51t>6^5FwJ zm-S@@PianlKk17NabEj+Q;aeC>w%tU6kvH4-+yAzH_-Sqf1K^+my)vCvHrcxObmMa z`}$!8A@3M}a*EFey02t-LQ>3f{^fGp{?Jl3Kkt5H@%RZzInMBvi~a6NO41)-1 zra28ke>s4i`URc!RB5mn(BEX5X57H`rv0^4Q6TbyO9KsJ$$-OqO7vJT_O{AFO%=tG zZx?8%Na70mKoYygcbIl3Ri$uN{j%xzBsm#jsM-vO6_Xb{e?Dbd115x`)%y#Fhc*u((EOuttXWplN>hVSqFgCv7E~SVs1S<=QBjXnst~J5ZwOpIKZN zG;325`lP%~D7;}v#5<>OM;=fM>GXo=Gr2ame-?1kuqyWqpm~Lp>9m^2d~Hf?^HgO) zRfR`;b!@Jn(qc&pByD>UP}yrum^ChscWEs1=gNM*M!#_^DJPhguWVq?mVF=`X5H)& zvI)Y73{)YH+jIJpa(vA2)@qeR+|6X|uQEC@=<@l0l#fjOmwfP|&e+b|=qcPmfB?3< zNFPxcQ6Rou{u(bp!QJ>$w>VQtdyXmhf(%!X`}r(Xx6(_0szO$W5iGFu6!VR5!=3nt z9s$ZffiCwzz`clI&!yh~%JN~!a<~3?=DC>Jd02DsQo_g8rA~*knTP3v;ep|G?~c_> zRqpl{rZXT$gGE06z41<82RGFxPsOrX2eD7vHpZ^$;F;Flsa-_bRLfR$F@D2?oq^Rc zDn&hPwjmEYCjGIjCNTl(v0^n~(Y$t8S_T57;nUixl3<>F-w>B2ly=`rLx92YlXhfxkSQ~= zlM%FnM7P6ais>6SjUM>SzxdE@yLG#KUR^X%t3fWTrZvH_gCihy6@s^A!LX63-RJdf zLu)Vl4~^pi8K}F%aNo>1^Elm36Z(Yx&m8<}c6U0(tx)zzc6P~$sh;!qkCmc6riM@7 z_qbQ;+hU&RgP8TI3zcV~KmS?h5QWfmHO#2pLF}Wc*XA_G%(%8WcKIEEG4RF<#~q=k!aOIQw>%%J+b^i~33s zSJ_=8=h4tzvmLly&2FY479nA>DtRI#asbcqr7?Yk-vzTtgT$n!FriQI(wGj0n5vBT zS|_CRTaT1+I|lJqJAb^OG<48zo|yn9*dgp|j@nXqJ@FU@aCj;lhP4B*Md>ni=}hbE zSV~vuI9NaHAxnMUKe*&dVOyxF+(d|T6&(tU0j46)o`2Z!cqg*}A?8uZ1E5e#$nWXD z*{=riKu*!oKo2eEX@v-SVKw%XRBo2B!F^LhZF_D%BCxxeJx(Mt#T-C5W 
z`e8r|=k|deyfdAM+h}5l>17*3!2AIGmDht!P;Kb1L0}j|35;Ejed30mqxac&jRB1C zkXkQ|a4-45WFU!-c}Zyyd=KW1PVM1DvF2@Mv zl2kZ7rxlsef2AuRk;qda{zex_61oF(K4-}zN80xroQsg?1?612e>=kuCuxR>d`Ya5 zN;{;}FGON!TQ@-x(8E(n3>0@@k`qdg)Ef^~qyPdM7hE|q5UyXSADQH_-6rRJWwXvC z>x72e>)=r00?L7s$XW=lTZoOUJ+Oe@1+s(#`!bf)nB_}ySVo@~bi z&@T1{9A~?XQ(dQLw$MY<6`MLkoMSir6Z7`KJUzR~^VO*VE)w&V*pu_@x!r=%xvG-)ig<8$(XN$Qcv`pya>pSxt1D?=~m< z@H5lXxE}ZuVIO&WVCrl-GI20}qLjOb9S{AKHa7y3HCP{4-e&_O2jzt>{QE+#Y?jV` zUcVU$v`KSZ=95KpYqIbo?pUbsqnndyPoW_W@iUgiqt$M=(GxJvpr@N|a^EHP49O9m zX=EKXtacb7pbu`Y^9_X16}?dAm?KtMP?ckOHe%vav;D94^Tg3|~d> zgUQ74jgS_&iejs!5UR1K_AFf`ch4$=2BI+9L&SeGPaEjwfGXev(no&*nog?U;Blsq z+8lFbAgXhKGjwz&Jq9>Iu(IM)(gCJoE_&`vdgg7>_MQDO`N!o4V5-a4wk5 zuh@eohvVc#jJs21ky-oB=6yi3lJ*qO!w4UPHP8j$&IL7283>rE&Iut0-W(QKf#449 zfF+)5U;zfRHk5O33OO2@AOQyh15hHx(N?5`M3lm;ei@q^r_c1g==1lAE&OJ%mPBZ2 zB{J4#k?TC*^o|1U?(N#d{HP5%1d!@Z8`7!M?sIQ6OpfBy-QY}Yj8M08?>=cF1_^RN zuO1uD_aqz?e$DI*PRan;GJ};~ZchtA?Mz2KFu;aTq5#f68Kspq=n;0Hx7ol|Dtym- zf+7W~WF99<>2Kd))w`e)7|Z1_VmT~%pk1Y}hUEOVU76p-l88yv-XB-zD9)h^a{>cQFy0~}h#U-#uTr<(s&3_=n*W-s0u z%6XT~Fzt;*ayd+SNY;bvWknf|Wi05H z*FYwS@-!KLEYBJu6^#3T`{vHD;kSWk?%p!X+c5-7PIsY&nM)CP!?h~|cdX5)`-sx$ z=0MO=(rjpGKMK6(C8#q6G#*l7&I`@p00|^uYhBm@A$9oWhn3erwylmL4{LxJh6e#r zhADZg2K+THNdUMXZ78!!k1`BtfblEt`<@O12=fmo25C!6oYOGx8fZXnKs*O^78$xH z#jXiMDb6mHTK>-m`%;^xjB75sDFDW(fT0475M!>N)pVMQ&(3P5H-Cl<46<)&w z|1N^Redk7u)-qsjEe1NA9zyVpR6|6s(Fm=~zK1WQ&`(!pL?V^Ay^LYp#8Amot)!X2f5 z2SqCyx9veEp;=xYnt*{AdO#d^dppN(&!oam{fAq@!q96dSAe0oel9lJ#y<)P{vT%E ztk3705=SirG=`$!QhWmPNWSaA^1eh<^P2&~U)>D$Tjt|E5>gYZ^yl^&AaX(OjJ~gS zo**X$sRw63n&q<_eCeX8iOv$!n@`w~^h~BY;t{Zuz`3ndoszzf%Xf+X@nx|cdABg# z`hELP4X~o*SP8)D3Mkp_CNJ^q4JSPc>ZIIg7TFnX9Q~hjbp-GP1U3*EW>V}h&<%WN zE(`O1X@+xgY3#MynV+io0SAo0Je<7!u@H!<0vjg)rGU*8d4GmnBB zHtj9MSiy^rZ%@06b}1}dDZ{X2vN%{pt6i{!H6I{zUG7?o)Lb#p*w~E^Ky&?2M6L!3 zV)B03+hQkfC@MDVa#3h@m7)X)+-*SWmj4lYQ30)COwe!Q%bR2-&Ao8Ht)CRt2pZiVX0AphK}&lHfUNOFa($v!u~; zyL1FFTgn3DLS5~Y0RsaslYJX9{%5Gsije~{#Y*UOf(b^*Jj!p`Xvg7%n7@<~%y;3D 
zF-AHL39Hm1w9n>UWU7_vFFzo*r~*lS4+lt=fU<1yr{^NyJ>rDnnR9^f26fx;Rwn|4 zJ|SY_G?0 z+R!N)shoFjV&+PP^q7vuE!*)5t+uy)L>XPjLP2<7GGH2;R4~e=P#3r>L=$1Op;ugc zfdze)!{99OdPL8nd$te|@kxr*Ycnx;a$9Hha7v)`F)w^97MIYd=V!_Jdm{l0v9!($ z8MW*Z|LkC|@HvsR)HObfg=)Yz8nFt>=EsK*!ND9g*0%L3NKR&PQ46*qCJ6K7G6xFr zQj#EUcP?gz!UsS`$;2XTIKYfiJW`QE*Gn&|E{5U~d@yn+G@XN__yZP=l8u}N#_2-p zGUsRrx7A#iG(_B1zJdYS^9p(&0KD8r^EX8#d?uV|IPJi zM-)YcvZP`MF0*4 zc7jB8Q^DxwhZv%~&&FM(B$Mt|7eCSP#6#1|)+jlK-|ZaA?;ZF>SZcg9mSTqX#A=!k z3s+n;06eAc0p3S^Ea|4fvu^;(`Yian_9SI-Fq~V>!G&((K7frPy|GDQH;nXkZFAMT6BVGo^&Sn*zm-43)AuPKl<0>;LvM|p94p!;huVF<$^Ts->okl-=5AQebok23f!93%&X=A6 z220&5POxb~iovUnuE~p{?7aARI)v7cC)~uKW>+=gVQ}4y8exfecy3uNZ~K(PyMzbK zZnp19m8PH~#}YW&tR|xs@Yf7p;FM`6a4|NgWb!3hWl-{HLl_oj*Ctg=>1bIuZ(mCuhVxFh9_rz+#Yd)+Y~RY>+#x z0!I5gSYCT`YxH@j8DmatS{$rW0zh~!{&ss!(j-y?d`JI_`2k-nZw%Y#V>vxZ;L$=J z3}6BjewRSjbN_Ub%loTM>zq_1ql05?&Fyz)T-Y*sA-lEV3owBhE@r{PihFJE@WwTG{w}wA3~^=kA=f{G z#pa!8`>`i%>?38re#%;JpKiiVE^d*PV!CwimUcD&XJ5<7s-B~kbDlK_n6Jkrfss9@ ztSx+C=NFM>wu!%*1>Z*V>CWp1^9}wuCTb??Zl=yTj`3|k!-1;Hh#i$>x}9~Now0UR z8fzQZCAw zXY*kOf6w*GV%#iRC5((z_TSjTJUO`Qy*}`s=)+6Bfu0+IJskK{9X2V>Facd&_l(8< zPm9Uq^O+yDu`hB1Uood~6_c8GHrsEYBODUMtZIc}h4Byb&V(3W+o3>6c8d5TSxnl{ zujCBNSp9c4qO4F9$$!TyrWM0SygQ?n=SK()hU@D9M>Fx(!rA`;>)oz-bu9MR8fIna zqN*e(h_@#mfCc74-?vQbBu*OWw_Tk)!LN$fWr~K_f;RE1y0xeKL1T2Cp``4Y6A}H` z#~ee4J0vf9ad##2+_*h_TKVaaOo_6$YY>2^qFBLf0sC_ zk~eutf)YnN6L(e+Cy?&JCI9&RFXZ3k(flQJm#oj?>!(n5xMV1tNjgONLmYr9v^ww7 z12aerV8+GK5~xm9r>0)dpcQJ3kCy#acF1(#e{+>hX2%e07w_lH>8^zFHf^FF+3&ur z!b<$c@~g`Mmi3tiVZg7Wt24%b$JXbT;nyo)5RSn+A>)Fa_PCi)RX7 z;nPI)A5dx_RQS`NEpPfU<4O)8A{XC;i=^~qrfJCoK-fu7ZiZ``3;q*GD1Zz$?e%$* zPfID>4mLj+oU$BI zN6KTz{bv|uk5ZWQbguh2OYd1sQtxuVm|(;ZSJRgNF6y+rde9gd(^&BZA9~#QpTr6JL;=j$Y*%eWnpuJ?h7g-HmfMRCHRPVOxv7tQ zeh>NBB#-*mO0}N@^p-d$ZI*Teon5Yk06jp$zdr|cjJEN2pqt0VOOpA@HjxQ0_EK6_ z3^Si4hTb+(KUbM7;KElV7TiOx3PhilS{fPbX+0c%`gCn? 
zEE8*^K1CP_yOuiPdlq>Zl{9;<0VkZlDZA%Ajk^hMhAD6Pn2w>Sm?7n>+?vY(SGDir zy!+A9cO?$4;+E~NrmxKJrz0Z}t=PVbLHKkfq?6(~!eK0271`ntL<6c;-?+H@oAj?8 zJBoYpgo!)G~H#A>{NKpNTWHzGg{*KF0GPbel!z5C|xLAXA1XcSRSBS zr)DZ|OwK9nj_swd$r^1W-IE5`lg&8O@lX@rHf}V-1^xiACb3Iugjv#Ku?vltIs=N} zdv+_5dszq*xdg1c+_`|~S(FWt2R6iNay8m9g7r3ZysDk!$QqagXy$6TGEFl!{q{}I z(rdE?GkUvOW~IBLn2R#+9=72#p`r)RHWd?yasgUWEfAU0>5nlLt79HurSo_ZTJC1IGB z5o2V?OJoNnL}PHM9oh2g-Uzrz`g)hZ={T@);ei-e)ZnVJS!rSKUrHbg5}qiE48Lf% z3GA1l&TaKz5=h6;7;r}eB4>vombD3?$6`~b`9|0UjyQsd-9cWK^};|=z=m!klq^{r zfSL!7DA(ZQGkqY0PLK{CuOkaRowV3&WYXM^d{S>}ca*W;H|s4oyBsdqPq95_GHLMl z(05WWg_=?exod%4U)TwZYoRNWchv=1N{??_d$vtDbpIHoGpR3 zlZ0X+eHnf-7AdZHSc2<3mH%i5NT!)()=K7CE13;Wd}C14Qy z>O1@ezb8jXZkUrToFLLMZB-d#ZYf(Yiok)%gPI^s_#aM%AK?NA6EL7P8Pn$DjM}Fc z)J`gmi8aNWX=YhX%l5N8*NmLm{kjZvhUKWFB+X#!&kpVE^ZpNUEf$7#Dh4Qk3Q@lW zgmG;2PRV}@iYNxbnrUssWfJ(|_W6aJKqWV1o)(LV5uM9b3CD6b~Hd5UaZQTWLg@isklXNptClpzy z=JK_K8|^ zNiEW%I$ROfs9@g17Bg&HD%q7$JaWTQiQLKK6&KdqATbo}rzr{OlG4jzBrU9e%cTxU z7;J)jL^kGR<+k__B$gOsu}W(C#1MBg zgeHO|y%UOZju8jO&x6Axz}S#O-P)<{pvieLZhSycFtEWo(U$nY34$`U4t;B=Z>LUk zjM#T3-r;s_F5fwpbK~Sc<`{2`AgDtKShd^R_?yKB!@lowZc$DN_9Eh}^~@R}I<+mH z2)CWwR;hEnug|r(r78GOg*)#W{4ftNpOWe7-``w7`8m-xN^glCWpg=dHMDQBgZvDo z0dzPE`pa{n+3+c+(~@GY?jD}0RNrQN=0lHC16TL=E?HgoOspclvcZ=1;^DVLAnGdR&-AoqsdJdL+xE zGgW`c$mWSN1jt9Y%NfB2AHeRZlrQ`u7PG8%-YTr$4Lhkv$6);;8vjA;N@fx~-o};n-==AX)P{a^c4Y*}m_9<#VQw_R5eL0X)ls&A{P3{MAB0`#Nr`1D2WKPnn zNYU9o)XZi-LxR)9fj9M2=97uf7W#&p$~DeYvc#S}&Rlm*umcK;IbB}mf_4cU%Lyxv zCFHsbHpbk`H&C=#DWz5r*gQPg0-GXEEwAOyfJmfLa`<1;GvPF3xNpe}8Zkk$b=?K+zJVb2jO_E6H@Hec>U^)f**tUiNyPLa2$Ch%N1EUdOgFd|*+?;LPP#E$?h77e}I0fIrkW!)DfEc@#1lg7l(IP z@xmmC0*zzceE4y1ozlaKzGs38xolDPgtQ&v+Lo(a>ga+47ZV3o@zo zS6Oj=lgdHzdKDgY4ROi@uK>R7LhRt%Q46M)B8a#-^JkxK zJxJ8R&W2QBZH|D&6pFMNE+B|a*%4&lNpo21u#UmM$i-JR8gJ)pLr@nH}$SR;O+YWz~ z1=5R=CYsE+9mKPPhHCg0YboSF)8%PJG)vfA(wh-r2=}_jt;o5g>6)EHy2W7TBq|gz ziB>mI3=uR#x}r^b-p|I_yrlf3WTxG}i`>vXq_1zyaVeGuIng?wwJKI$G$rAB?KWBv 
zcyKd7)k4KLYr+#%`<_MCX8wN%G!e%GNcYxLN@CBE43pU+}zP!`$M|Xhs_`s(UYnK%JaVYHJ=LC1c&QRZ5P5GSH-3eu7Kl| zLB-sZ+2aM9KnK;`c*(Qr5s{4+c-$FV7Gw-maxh#$NFI1Yvjb;h!UxH!k77GkGmoym z`N3DFH?)V5wF{Aj1o8f?xlJyF_4eID^PTsJyDpGEQ~to=gc=UM6Rg;JEGNl>9ecdP za)@Jg)BLpH$RV2F89#QlhIKUQN12Y}*?%p5;RiY?_QPA%E0j95V-qcR*SXGPori)b6oPlGyB7-2jb3GO46bXWnFW@ab3CIBG3EcfybZ zhQZ0OAXf$q^&m9lcfd+i(KUXh>z5tI`x;r(KMb7jq$HZln#R1;ER#X62qQ};0OW)=@S-Y=j z#AqQG9hi~Ot{2^idc)wqIEC7UyQC&SSR!hi*L|-f{((EHk`LF@YfoexjV^(9>?Ag= zEON-(ray+lj&{0G!{!U)dx}h*r1sGs4OnJ~^{mY~A(|c1E)3Gl#f{^*Gx3yZzQMkq z$b9<)AiR2gS7e@gACzJQ8-#J9HPVAmcsYR+1`^;gO@niBa~*MwzEo?Q8X!~|X*IP7 z-qtDjKA*6wYs0fvj19aKdq$&T6NeoMbUGSXTUj6hN12k=x7(p9arP1f^Fg`uC3yzM zs-a*Mqc9jz9V<(w%rvY#vw=9b1}=&?||<9c*`DkoE4u?1TBF zzsMQhW40&73*@*11Pke0!zz|`B~uqWWxx$*$@u6Q8hllgWB$B5!N^PmjTkFA&TBud#AGjK}gfB&E6d^!4!9+uDop5Q7OO3vR>MGPu9vKeh zm>R$`D^{Av9LoE!h}$D9+U-tMJT)o{0P<9O3DmKV%`^M>dVbm78}}c zr#5tUh)-gpWLUfmDs{sLcXaPOf!-oKQ>guQF zQ?nlpr7OMnWOsB$6->c!OJA2Ij5+n|MULsr`M{o-@AiZi7shE*nK4U*Q*tyeKSr%z z|4&k~q$oBBWt~Cel;46AxJQWt%meG(<2x8c%vI*r!ulQ}H!yf}yv(p)f$51is`Q&3 zbBZpKKER$&nH->Qh8c(pH~x*LWV}W)6K7T3m?D6A;2`9w&1|zzv}-sGZ?+dWQG++ zTx}aln0u?mA=Fv;YfZuG4XlewvlKywP1rRKBrnl@O~6(*D`gb<8?6-9OxWZ?=;g$& zYN`{=zi<6Cz`DuAo04%Ti#8k28^{h0OyU%AY0|X$0>|~Wz3)IF^ELYN#l;k?x@r&q zXFd&T9;^M2z8=Va=zL<;|5AA7ri^_s)kh3VXgYleSd6~g`hy$4WmPhOmiD?nmjNViNL0bOSN?qG06;^x+5ITL5`wwbk~ zQQ&{{W7sT%N4gxxoITzSk9Hu(sn1NsA5O$Mj~z8C=SE{!J1|VoE+7WE&_)gYi%`S+ zatI-`Ec@`P_IMs$H}TnA%x8Vefy@DD{buFT>XfK+-tR!tMhyH1wl!yY1D zz&!#2S)oB*;Um*2sHv%y6K^&hcZf++y?L8}PoozoN&4y=u~nxe0|;~0N#nz7{?2Pv zL;T`(lA+-6B+ik;G0yB#qKlL8t_p*eWHpJ^Wt9j##Tqz&FwixXeUMP=2vN;{S&neE zv^d!U&hI@#FBo)XMZbFaEOKE#;*JsWV8-e8rf3iN<2C*NhDMAPIHr!=)$9;PZ>c$4 zE3W>)eoTx)w7PEsJke7i{2W9cJc|)VpN@V0&O**+t)a+4w0Wa@YPF=D-3W#nvwpy! 
z1*~+iT>xJ1o}{!7(Od<|4FTbdz?4X>iihw?o(sdFFurQJfr0sgR0%{BMZsBgIjP1ndEK=~m6BTvpo+!#&2ivC{Wpc;8K9x}F| z7CB21L=W}}_u6zuM9n269ysO>ltwG$^3icJF`c#!fwzt*TmZPTtgx4oL7;0f)@-?xQN#0&`A}&D|)43k%lzg73J8kH4Z4*GVgV z!j1}Hm5mGt0%`!ph*H%;I8L>5Acf8D3LuxWXugn!H)d;=Py9nhtg-U&mV`g5K2J1= zLq1vgK%8hBcU_-K`ua7~EP^Y6} z(g=_E)hPjQ<9VMEh*#j(;7U4RG;^N7SpsPM@NL!}3=Cr?&lBX7b_6};GAG38;H2BV zbh}WLq%1L5HUh^DOozZ&s(jKM-0x()J3*CV^=Kdr8K%QN6=#CYTp9Q9+?K_*t*?ow zLUg1Wq4bP8vdmwV$H#-mfW6L2BqN2Pm4satsmvWn532a-#c|YVeEP?4AzSk{QB@<* z!=q$P$C9yHK%mXW?ydU9%6?v=`t>|=bnKg4^`Q@Ex~+|hZ50`E76)Bqcmf zERYx4=$UWXvs^diEG^)KaF;!b2DJ@A0L%BWITl9OzTpCb%MBXV@FjAh(WUq_@_570 z;uDy(NULX8mO+Gov;a0OZTA?ljo>kg$i=4Z5CcFopvZMv5jxfl5W*sccQc}6#R5#W zyfk|n@Or94(!jXO7R^pv71m>K1Tel=$s|3Ns?<+>&8#WMAM^FF`7JG!>jRfxO@fk- z7cZVU?ZGH?lDoT!mD>{$3Z{D(Lk5fjeVm3VT}0|}S9aiH8v*|>-}k`t_w7!&GUY*A zd1Os}_NFL4EWJfzKW^jPB>Je;lA34#Hv9Q#0z&n)L+mn&9csqLjo5*w5WD;$NSo8G z8Dr1)D8-UaIQ`o#mHXq*Z=il z;^3nvIJ_BH8VsZ%CY6_PaTPi1IHCs`7lstFzcGl9we0Q<=%mOFN5lG06a^p7Aww`Q zRpK^T;Dm?{>dT{ZH&SxMQ%iZ3ekVKD*~qn6Wge@L%@Uq2f(OOa4hNKiY`eAT*x`c2 zR%LnSfB#D(=Ei1ef*)0cYGZKvO?)bf?s_(twEn`Em_$sosR>*FcATfpBFMkklabk$ly{)dAG|7# z&!i^~z;rFp(@=>U7P^@w{|hVTgED|*8foP~RhX-Rsci!-CHuzJP?V`7&DT$-h-Iz{ z=$k|PI;`(j%3b_U?_s!DQCz>mD=H#3WO-%x#A^!KK+rRViv=OzLhA~q2L z3l!+6*}otSsW(7}S~=v-WvK}8^11}SOF=lm;a#MP{-UuoY6u>sMg-z;9O;Gr0EqRsKaSf?WS&3FPz)7I2m$oQD7-Ic{j#4$9$ zA9_^oAady0>m738o*d=DPwxd0d)(6I{=MFxl$r-n4nWu4n3A%-; z9E{#+92RpvFU1sY$kr}9kkJlo!NE6u8u%TeWknv(_0_=voZKJTf({kk$P>Z^`9bhI zuz@k+Hs23hxp-T_7k;R^YR&`0S>#J>8fgIi#5s2(+(-M^%tzzS*7kwAxnPwB>xay8 znp9X&0}`%Wu4PCP<1?|Lz{Pn}&vSH4>pByi@_?@?cto9%%`!QQ0Hk?3{vE${pC7A%tH+IFRk=4@M?|{amzUEEfe@$+f z+gFo9v9I$yTT;)?Op)K4TeRQ2-V7qlLZI2Qkx{w^?WT1KAf91DGnX_=IkygoB|GMq zkpXWh5MWX-0l^i(IFcU@z4tYT0FQ+(IGJnY%bxy%AhZLt)DW4Bp>Y=CRkyuW&)k5;XxUXE&bxd8 z>4V=Eaw)@L-b->dcD6I7ERh%>ATf}J%5&w~7!#TO-Z3a|$sr%ZMU6tNR9;8;8E4hC z3y4H!sdC^MnBxAwqQvUk4J~XKa#-!-wSLQ!WzyhaTJqaT0Nav`*hPd+7+_>fZho}Z z+1oVTF1a#=g4tXNT&GHH!x@HDIcKp)B!;LPcF6Z{d;*c-9d7EsXwIc}0vhE%czod8 
zV)xDA5G8s?OJtIuD*^Q|Sn(cQKP$gW*T5385t{*@?$S0lGfw+&%>=3_4vSxNXt^|L z(qT0wzpWogP8eV0BJ3L|sQHH(_jq%#bh)fRMzlVaQPlZOCe|K7vB)CNw~t6z2iw`8 zf9*I*u|1kW0&`abgNCsJ(#q5Fjzp&*rUz}s`*YmF=Vdgh(r>StU_N_8jO5^HofH09 zwtk^Y#*gt~=hT2WQz)|_FGyKS&91N*rNrBW+tZP2x3g6Wzr^VcSByU$-`9;qS+mLk z9KRz;Y8Nu7f{L;2XI&g_0vZX>jzvtOo(5WuezrU9*N|H?lI!i22c3u3F#d#$S0zk* z3U9629&ssCHIRU8;LTP|1qdlVC`55XC|*Pv%pLz_a+nO6I_>Vlnymv|NyU=F*m>XD zRNnKgz%OQGRyrHt9%lW}5hWOFQqp(Z>GSN8XXF|=h^7%1g<}-Dzaedp=)E_d2tVx@ zlF{pxJZ|X0LB(9R6It7o?kS2lu}V63aQ$rOq(9A<@PB3VB>Yl{Z)$72A~E+_zZJY^ z_I42kFjs;qnmnQ%UxBB;8pcfS#URCVaE$Y`B+9QwKNb$;j3Y=sasesIA9o1jqkR(j zyRi+jq%=1ozW&sUzVn2LYU3`YL#42*Zx>WLY9(p1in>um8RMdx-UfE1@o2l2rF?A9vu9cxgn`x%j>Q;%DAi;xJ&_dDn{OY>)GtwfS-ofB%Uqv*20fD ze0Rh^$}gE?5%8Jug=T$}&ABOYlj}&x{)C&1E#^uK8g&woqIb_qWbRcXn9R?E6_i?o zQ@OW@rHRAH8EmILi>6jo1$NsIZq@H0ILp)4kJI|rC1L&;H4LMH_Iot$wi!bGP{Yqz8}?n9x5u-iy3mVdJ*Q`AbbG6(Ck6c3ePgpp5$iYtG+g#@~AL9pV zf$fcr^KbceurthlIvyPoRwoxVpzs*YKjnuJ zFc?c5(rk7WPNFDa`x}oAK^NUcQy;cVQUx1hkLm?95|*5cvW{Jab+x(1xz=C5}kxXN|iYw2$A3gO!|cf_nS z(|rKp0KI0!#Mv=%z@bD_tw3R$fVrl^k(`3IVETgp4_tq?gbZ=`s8CINK6`vTE2Q6k z@vcvukebD)9V!Rn$TK;}wmr^L>xs!7TX8F-@*Y{v$ZN~XM34&v0CNYtqbxA6|Lc6M z4eT+qfJr>-MvAa>l*Y4?GWqBP{mTgdW*K&G#y2zovEaZpf_p|2h7njp!$zBk(c?{6 z1L7LEWyi$2^x$mjy9U5YkbybkU!gejfSjV84~@W`7Y;B%fTxbLQr(gVgAO2?M8jTT z!jo0Mfh8Q=$o(CVH#FTwuG<~4p&_PHs=4>L5n|O1Hdmn-N&eL;j+Ga~B&pDh6D@_~ z=tPSW@t9IMKzU;gdQ-ptCpUZ?qhNoWI-lnD3=0q^+whHk1I8f7=CYM3eK#X(e33#w zURN1cB~4%IcxSe0!EyAPRxVVj>pOG#58AYGrJ)3Mnyx5SE%@S;%-r z=9zZB2!gDq%?B%&_MQjo(cCOVjjD*VQ5Bx7=kZX!r1n35fp%|(p*v_3vG zc0k;;tZ5CDweND7D^od+SMivi|047U0Vv|Bh`iF_IDYCno`EjRshwehH>Gn~jNmb# z*HcorDs*JdaI-b($#hPeq4#LXyriFM|D3iGv`41uglvo9#&kzm{L}*kt9M3NYlp#* zFd05iV>{}seeT9yLw!Cq=H)R{A#AoAB#^Do(3l@YbZ5>^AHbPOiPZ6em~fHjx&s|D zfz0#AqHNF(L|7#v_IKU-Qe(oq@8zAT`%h_yc`>OW=ewi5uP`ilh#e2NpUsVgO-0J& zy`)_aX{0q@NSq7vlhY`1Aiqs6$Ee;dE)Ko(R8F_GIyD`f%UV_4l4=B;WXpNQnZ2hU zw$*gM<6bBUQM53cziw4ZGQenIWixiMA|Lr8i-fh zsm0cy8x!sXPpdpycCVe29nmEQxgO2ec{xR8ZRqbYU&PS3E79wECiY07IH4(1~E>nS7w%vMSucC 
zG!8w8KU0nvAD0L=0_g*auQ9R*X@ zi*|nlRxzGxFkOG>rejkJW^&9-=&D1W8Ni~hN%vp6LW)VvW?$VB z%M-8^@j$)hEL>KzzUfkA@Lyd_nI(83HA!=k%;@w~CVj{)$SX@<1iA~b9!K`2%ds+3 z0bUqzUe0hi1sBV((FUkFD=U9gXRy!E6X`z`Wrs)x-S@}HMnV+eMrh%1Ycfy(;6!hb z$Y<51fvgn;hdR2M$+<)PJ(cH=-~c}sqJ|s7Z!WUNyN3N#Z84$Svh-w6lbh=~oAIFq zb}$r(&Uuu`LV*`vI35|BX6@5VR`h;~(_OyfJDXhp5ND>5bzGeI6KZZJ!4+PYuT~aS$IfR5^U&+`D8+ID`T|@djjAJ{%$(2RF=;89tpE`x< z?3w0o&~t>O_tUmFFu5PSYm#+M)b6AzgFzyY-^#v00y{s0i!k_{u8LUf5k0JX-8 zWEBEYk7d9~*Z#x^BHVtU|Ba0?7$FIB&lC{S`FQpt7zj+^V;^O8)=e`u0|vtX{h*au zHyZuTKf=ys2a}e&grdsv;nkh=7KShwohFxY^qD}9vV%8D%;I}Er~%BIlozXt zczmS}YVC*Vi#6a41L2ITNl987({h5V!|&&}pwjz%i^Ya_8bTBq$J&O1Pt$J-oeMPE{R2XBt z>pyICOCgl8+|)g%Mp8R9!GQ8US!xzXF+Zq$xDf5b0Y;%?ezJi$32*QlRXUc?-X|`) zX|b_Ax=_Un)dwH>GDJ3dq4Jy|@3p@ROfYoEmM)Ny!l55XIw`!1L)R z=?Q7v6C468o&4G#1%G@jTEL9Vw>;L(2?nWF_yYT$YWyQRp!4~;ojH?0b9*=6+6XyN zVyx@KoFS0bk>ry8cu$R?C*r-_|2^=L&C}N~NY1@Fea!F^9}-ppKBmZJ_#08kTUDcRiTL+n zjDiv0UL1%MZPB1wViO6VPwX5#u88>XpiO(dFS?0LYK1gAe zTLt_yI0y`9=Q$wZ-0~28AcP=KA2BQ!U2CayVSk}1o<4F|#4l$VtVqO7g%J3J8K5uohg11_^HjQ==BMQ%l6H^P*W zk7+j;*kD|nS$QYpwmC$`GBQ)XFI0hAC`T_`aPMi>z&vkm#R#g4)ABM--rManEX5r@ z!7C*Frtx}qoYL^dX1Y`qEvahsQ~-`bXa+Z9@DK(TJvt3(nrw~{Wv||ijn+PJj2MN1 ziw=^_1`w6ib`MzYejr>m@ z)?Mo7oV`>h8R2OJet0~=Slc2hFw-E=BhfftETOPsbRXp$UL7WLA@i5tC|T-9F8d_! 
z6*$2Wci*|*?n4l4b7F8T*G7BHj%9pMz<^d8d?(@E4(wqI3q&Y4G}qRaH_`X$@sX`2 z^7&xoozeQZB$+QR0zC`dULx&8jh<`YL?5M}C zdvn1INH8IX8xl9IY2T#C8;_s3|q9mg!M_BgzKcjf~}C!Ofb>X%*W^5-Ts8XLx;6+Si7%XH|1~B-0Uk{vL=3?0qUovmxc@tlKqqHteFdyLeqt^;r{!81_D-6QzL>uzC z$sTjvaE^nE^;htERhsehxCjv1{1Bo@?I~ z^orvP>_VZ`?+(d`O${_53Jrz;imo(Ag!&0OcxyN=IB3V5@U7=s?ThknN-{X|I5{qw zItT76=mww*Bt`<5X*VTnaX>fQJU?#HCIlJCN_yr!T08keq^KJX=vZt37vq%@;X+-J zwngv>Or_wrH}(M5zL`W;YM6K*&*RhyQHfZ{XodwFLGa6uxCNQ!^4eL)Bt5BH_yw;K zO)D*I0fcYz+}kLLK+dY^wQ%to|GgP;S)OKJs8IEqnRv~H6A8a_EW_m>_NnDGhkLZY z0erwxMBv|$1D;QPA||QiHcXqE46DQG8lP9RCd?B11~8>o3TCQa_9`8P5&c~)UeqjW zq1YSkNC7tYLN;sqvx8TOu^f!bPX)+Cbwe336+KFi~j zlfjvZJ>K8{gciAtY4Xe@9f!x$?E>2g28y1Z&tGM1f(FeRX!woc*q1XJPm;msvP>rn z-@58XcWqY~-*Cm`>;ySZKOjwJh6o%q3O8>@Tjmxq4DZAI;{)Lg69b!Hld2Pgf!$3Q zYTfPqBp||x31~B-JH|rUY8D83=sadClld4Lt_f=@kiTjZ*$)Z;4Q;*3BT4AUva*3a zru4C0rSB~+y;xWQwHa5@tIirOo z+XoyFr7{{EC1(8ks&%Df9|-<=lGC|*$`dkHca=lR0MJITZ?eJ}+FJ|9{c_-H*xlp} z1U;}Q*K^l`CqGe1v*V7Hh?~tUS4JDo05WRV<}@(HzE+C3cCxDeRhok$ly~iiRrya9 zKGdNKHt+VY$+wotszhCPz-z1W}pp15nL0p6>0X_VLZW$+l&z}^*j$C zskSN1NY2Z?MHS!;_&-k?flXpN(6#|T+e~QOzcsCrJmV7qP&+cVfW$Vw=>ZsN4>Q?^ z8{o@zs1QG6!?;1c7O*X+PF%4M0QDc~`#Qn5D;Mi+{Rprz$x%%PqLO3r;Uj`h@0 z2a4k)Lh|gQS!V>&kSCjq%=fEWY{)b<7@(8Du|jJEYA`FgyyW+gGM{}B<+YnVaySiY z4UVOIO#tGiO7#Df6o=iI`gZfT0|&QM6NAA+?7j({Z6TM2$8l$)+AvFlZd+eOJ7q-@wsU)UcfLAi0Cdw-H0agUtzMdA-PQSUwKSJ zcE063-SeEan6K20=OKX#%7i;`^c58dgq@4A83U6mL5%8xz3FHkEpa=3^vbOy#PIpU zJB34?*Eoi>bRwhOscj4rV9^eZ*m^}9a+lvRRmYn#2bJkjTMr$VICX-o!jp^Zm=af$EZyg4Fw zMhFzeN_HscM36xoc7|{#zdo#({C}VYwoJJvw@c0YTy!zvJ{>5FD#LfUU@pC7*R^xBFMDm_}Exs?FSXgjIE@{`_}MEel*>~`*`Q;q)*rf zgiY^zJ0;_D)xJ+K2^BRdTKQUqP(Cl~`~Fr`yk^$^9tgh<=3xSKIzh{{nK(t4$Zelloe1BMDF(FNk2^L=T3@K8z`87$ z&upRwFk*<&Rz2{3pR*F`6U(mI)gkC#g>R7PU4XU7G>6TBUOAzfJsPZgX00mUIPy-< z(=JefYp4-1h1C#^TNRvZV!@W4Ld*vd98-H^{su`L9-Hohsh(GbV4e2iFC)lFp>?$dG=<5e_ zUPX+}_zz6cd8o%<0d(ms&|WNx9o-f(?E-hP@EjK@V}B(;L}~`_ZAy#kPf7!Ps2Y{Rq^;!ZpAwyK-Wq8tZ zA{@7BiG6h;&PvH+v(a426TGEl%PK>aVbMtsAcqwrxro2NZ*9lmnRGo$kj|`8QdCCY 
zhwI#AVZD^eges9XlPOD+G3eF3H{s}?H$ud|4t0&#;qd6o5*X34gMxh+K5 z_UGho)M&RM8@&8Si*^<2e;J-`-NFpe8+Br0>Rn}Gn9QhVyJc5%97gtO(vF%Gc{@00 zD`{DdX870|Bgr6jI~`+I=xpdxw47cZv_MY9I^5;qc}7kH6Ll<2_-fC^hVmSP4TSj+ z45`#pX{4~!Yv4{6m09Pl9So*T!QStl=yuJ@d}HJyT@~I)VTg^@MAc;p!ckw?*%Tb@ z$IwyqX81{#=7hyREmpY@+~dbO6I?R&s4@ipSFz9^#4mLW6#6ovlGGgg7rL6wC*q1$ zmivj(b|O0ejSq*t4~V<7Ks&}Kr|dsXL%$XjwN9Q>P2eeIQI-}f65%-7SNVw4fDSJ2 zYFbrG-gw5}23|pXqDknNZWQa}>xvVK&OJIQymp=y$zwnp;)DY{Oe}~2MtgsDf@|b8 zsCIhZ1imrKNI{U?Pp4&BZ;fE3L_f~Yyg;&!j$v@@HsKjtWgu=dDy}d!t7)yJC!>=sv+RYp9Ta5Ebx1Ip4Gp>$M#e>fF8(0{SfOgnRm&mva3M683dNg zaVJ1(Gt%sHpT$$Gg!}P5EZ$~)rj}VH|7R7AB?X`x2mU{@m5)8uhOWu{!1DkBklqG} z!6XYq2MI`i%#eZru0y8p5zIB_G{dabqwM%=z&H{2@X*9BagPm5L6L^qba-)it7ef5 z_M~TDLp2@;EEtSwNZ_fQ`uSTz(xRh74^DXYco;i~`PJh;vt~@{^3MADjSAmnscokDTF26foU7^a@wehe2&QaR>f=xe1HI{pUtwY^x7H;0-q>`$w;! zn~cS+H3QtJQhvc~UJ;>qU*|-&-jf`63#Wq&QJ&;D`yk`JHpA2SBxVWn$1ZQWD3~bh zTfPlMyFp%iTXuQnrfv9dTmP18p9z_n1qO6c^lPA`Ol@J#-I*I%nPgn#O$7W_45VmA z9=lh7If9Gafcq1-bF1eW;5?X~7{o|p+5_Sw>VaYyL{YsLeZ#csxrsF-&*9lgw{2vJ#*2?vZ4G4AC*Z#Z7Wj4KsJGDr!$QVl+7+oY(MZOIX92ON2DmH=KfF0M`MmzvJK*YaR8(?^b z(=gi?yYs?^xqzXz0Ea%L7R#AOTL2LHYpkQsb;YRxAmbCt3OOpa}OF*pI zqh=a29zJ#3KyWv(ConPlUmu8MQ$`NuupC&po}<)HU2mA?`=Vu_Rw@{me{u|Dj`+O! 
z-8acuCShf`9%TxAQPlkafjo5vXgF8{-hZl}83PSC=BiONZroYPXrw!owv?N{&_Joy zX-U@AeXPF@um0&XOd~)fGZ0#8?oL>g>j_1pmTs^rYnIQ9$5^|L#|p0fEZ%>SwMOyC zhb_nuc%8+`0bv$6I~|#@D1-@(Ljz!(j)lofDX>JMow0k4Ce9+c#I9K~Wtxwekngdl z!J2JQH-IRDm35RsP+NCmXl1-0F&*5O5Pybl)wmpVT_fo7&gz0&GR>>Y=!MXFvv}M) zk)cq4$H!VW05pq1!`YB>*n+GA@cHy?KvI9D1Lr)Cng4EA4l*L)P*_|{9-z}OGNc`0W3*0F!8REUD9!Wsomb?qp0M7gJ!?8Ey{0F>%*7HWzRS4 z>bLNwZVm6DcemM{g?~a&sv{yi7q^Y=E7^sBSRQ?pLCrREjqQX~{3|31}A) zAhYN>OH$o3OBJI7h=Iu9_=n979S$J?m_foRIcC@Tv?U);zPk;Qj*k`V}OybZ<*xN-lLodO{7M*b(iN*7EcWg}U`Y!-K?0Q>U6f~~# zPK@1}v2v}q9c$dFHc2|(Y8(isp7_i&!!GHe#ap2LSV7TBtoWe#SQ`4VXCnJ}fRdlj z>Z9AvG$ACsy7&)Nc~hglec;tN&M-?*;FNLK)porfN5j#=+ZZwQZ}}cf zph7pLjo+*J>u@+~W{l*YRKAM0^5W2N{6A>Pbz_Z`>w$waAw)Nh|1p@MDmY!eFQfnp zP&q(m<0=!}$ywnVeRStXmH{$-Pu}r4z#`K$MqU&7=6b9d{-t|c*LjJZW-T|BKR+7I zGzRmQ{2!Az2a8;W`gI}V&iQox5jUiXa{;M++1qgAf{3F#6jSGzNM6X0vxTn|y zIx*YSPFTGo=TxR{`v~CiK=N^RqfT4~yg_})m(g2H{3}>?7`pX? z>Le~J_)|#d`I%ecyYIUw)2Jw{f^KJ-?CCH*HHXRAh@}5(oE}bzkTw+E@ zF>;hqD|D!4Ug-|ryhn!G+`$7KJY@*O=+4$Md@?|Su<>Y>c~yjqneLBHyUd0 zn5St@XVBt7ZdzKPwz35h65J8x5l{oZsFn{DIDb-=a$KjJI_u!ZqdyS?MVfTU=+CV; zM)1DaxtJ`H&ATK75wN>YJ~#+pBnQStgmqmF6&F7{xO0p{tT;L+cn5fS{82T|md)XZ zz!2Y&Z6{ujWUm(_U`>$3LCE`hO7{*9aWByA^`h4xQ3|7M`WKKfdoO!M13M39=gCy; zd>AX~%Cd zJyh^1zw%8dhe5#L4`n{ntesH|)KB`lsxEiMfi2SjNe<cIS)67&?t!+^(83fP*2PL>Pn7qBNsoQV!xM=u#-`z6gV0u5MSP0UiCM~cn6 zNAV^34m|+`4`q3+09Gwtv@I1_$PRfXE!%xb5uTRVn=w5k7%`j;l|5Uc_c0l-< zdge)RsFMLu2yC{W(dS(2^i8(Q0M~4ZyAKqewx7MckR7!DRY}6rEx_WB z2b=?cgfv2=hC5r}ZqE#G5)meNSXc(3huFyih9O{SfCCXUdX7q`ct=RNtJ>kv0J)pc zR6PRL)6&UZkr6@zGN4C`sjwAJ-)(JgXM9`$6$0K*d=m8&f|GDSKS7`*1oX{uw&^{q zCFYxMbrO@jXphmh{*fc1f5oJ~y;F=Na2$w&w5rw_)RN>^M1sn_3Q`9Bap&0l? 
zfNTc<=MY*174ReDqt{Rr$$U(Oeo&32L221VfA*vXSPq4npaF)Af(6wD&d?+U0(U1k z#eA4%uKy62Y66gHff^G7K);j@0)tZ+bfI8!G&k{<6JEnntA_Z?Y7xX)AioC6{BWVD zzrg}Gp0-jbN%{x6QhN0h6?lYpgd3k?91anw_zSZC#4wfot%uco(szZ}BIbCh7J4t4!BaCV*bs#VYg|xJO-FXfiRU8h>`_|m=^<&m-)wc@Ksf|0;@(k1WLbPg7i~S z{_bT_fbIVQb_hrIn5N)P)qkub&0biuV$`?EieC`(270+cgnb+VJ3#wL2cVre@xJX& z*FhQ93eC)+08ADxQj>Nfwk! z%v&?ri-ZM7D*(=>5s&rlgVW<5Mf9tT+AXZi7@&XV+z)R`AH|gNkR9)hN^juQ>_Gi? zr=u269-NOV^kVVCF%(E2eqOJhq(P5w*HQ0OgF;Ee$0M(rs=(VL3>5ZV5Lrrealr0B zxbCEqpX343u-kPsJv%2khm=>aDGQQ-7imkUIGARiKD3zaNxY8$>Fg&_?Zr6D-xJs% zC6I9-5cBO)^Zof$9btTWESB(L9EoxU^yBG^LJ5)<@)N=97v?P<&5cWqfF48l>oc1D z9~ORGhfCA5*JobghBzjufVaUV) z&v`nY1o{?n=$ne^3Djx@u?AWE9KpLlO>;DE-@wXie8sb1-NKb+Olkpekm07Nry+Yu zz#o#o|CcEioRF9hoic4uDkvg!c7Q}kt%Kdr(Sz#{RtH2Wba|YJmbF9E4@9Yeg(uTa z7FT*pWp25)(|qF5Bn1T)wBSdrpHQ1XK-IvZH_mI*I$$M3EnrY!P^sy2K6&X$g_I`2 z+q9Gl03;o8{9*MfhWVX7mkh9Ds)TZ(fQ;6QR$@Nt`-(3m8{$c6qD)XR{M-gXHm6nd z9DCzDtgu%ENFs3F2qJJ6n1}xN_3@=%G7nQzInz|Y1vkV?cdBkO4k)NH7Zx4$r=>4p z{YZpKV*nh+2O6c!KnipR)YV_J0-3-s<*nW_9m-Z&ZBxd-*?ZdY*-Y(@i=pvvU9)Y_ba0oFR})QXcd{&gz97Y9vHG0o zH3O=@9!8=h{4FCV-)FMI+(c&b>*lWmNtEI*(@9YIJOYhZN+I;6^ol>r!y zDrO6O6s6V`{rpqNxjHbQ5}$5e0@VAX>ZTCT3PI>tf71h|51i%cDTE`eh~()jH2*47 zinf&)TOm5qhv+PLVho1#U5;F=) z3Iz?y;RxFm08#~`7u41?pqj@Jy({?lVqe#SMXow}@+(=d)T~Yjxi4u_e5cF`!$DBP zLXB{fL@QnTGFmfgYpJL)Hq3zP}iD zS!%6A2U=4s+5`ZFG+%V;f|8L>mw?K@oS9I>_3iByF{YJvg$^p^Sr16e&1TP%=hP|uZxXW;mObeKW9j}Q9IuhL<}9~AYynUmJ$S%7MT0z?W+A9L#H3<#YB zSA;ImL?$wtRpZY@y8;~F6BUY?>VOdTZ^x2*4A2ij2ApD01jNt}neH;wir|Ie5S!J& zM%|CO{5a@sobGCA%&Cl@5CKOPo<8kotELfZ>#>l3y3KMB7nS(>ZVi4Zf-+{cVmPUR zaXuB@v(B5^{uM^iDKQorWh)-)+5fiCLSx+A@{qdYI~h&=O%m?9Y(6O1k)jk=Odl2^ zL5L|ZnXVRKL*#ib6JX>nO0Z8yBd#UfMKC}9Fs7n*HBC0){hR8s}+GQyirGT-yNRa(bFVg^*d>J{6@{vN>9c&4^Ow4QM zg+vR({(4T?)ufzCY z^)oT;8GSNa9TV~E6Ld6Q5qtkI^4Zz}Xkw}fOmt4*K_+zu_Sj;K0*;oT!#f$A$ytxF zvNJJR;+d4lp0N|(AyIb;Wlu(@m^BQ!R>1rf;pYwtg$Mv7XFD;s@^GQ?Lm|g(d?GT( zkK+>I@k27*tj>YOo!;q^Ge-PaODXHnlcT%nEsJYHgSm2u=8`_DxTythiycM0}s45JxjTj-cZI 
zs=@oK8Y<-ddMMc29EST|fUo&rV46g-kn_P{jA2}1_^u6NP_&$}5CcXW!`9k&>n+U| zrgUJMyfP;BAnstu)+bUBjLaBgZUoqfxJ_Q_tnF~~VxzxhrI^2FttmpZV8EVG+$q5gu~GC*ZR}Xb z#QoJK(7QxFm28Hmpt2p`j{9+$db$h86iuDH`a0zTPOq z0!y0L*oviVjD)8GGVAGJ-#-xm!VeYi5Ngo+buX4BYk%9AHe(h$uQPvM&h7_C`N@u1 zcI2ochXabMN+5!7s-x$$$lkPQy)smI1pf@!l5?J#NQ@tA?kx_>p@%bUjq08ojAOu| zi*p1!!KxfdX~B_~6MquNpP!1NFzi80DEc{0*YY0-ss%A_Om~2Nub#Cc`};ZRixzyg z^ycduozDgzbV|HcJjC5ta!Cg$N1!h1li0xHgi41g$5yBJ6*rvKdF5!-8UE7^fk`Wn z*6K{hO`NROJU8&L4Y0eJt6_IIMz_ozFE6rBRd}delv|!#-EgIV~wjkZp%}Qe$8RLz{yRPy%#|8076B zc2;<2P%!JFB+c-6>~`QahVInGDCgmo*_C>j2~F406>usA@esw}OBV4at`iHrv}3~NM>Cwk-#Y|Mr9E#u*#Zl`0Ez};d7y}UM)UX~Oa9sct4%CcM@ zsHwA2(?ZzZf`cGq!5-co zskZH8&xQvlJ}pubcnS74J;d>aAXS3L=0pKOfwLrg`Sy{uoKFUmx{8_yB))qdyiZ0c z77uxS3Gx{Gs%+WuVB|?if(;aE`W|?giL>e3(kDoI&+Fh;>utJIO`q~Ip)QqBq#?QE z@{UYt=uvGbzlHXOyeT(r=<%RKVdVRuClfWNf5W#U*t#BMZ}s#8me0fo9(B*X1W|sO zP!hZ!vQ#BO0s;}u^j+kl^gS|v&IT=oo$WgT?~z3<#Mgqm{rFJ-pBTB$RA}J=+yo!i zCqZYV@Vgw$^!&{3C%@G0?sF1)+BkB$FO<^iiE8<(TwUak^!2sKQKhX02^^>xjbZS2 z#I)I}(=WcCUfEj@skA5zS;K%2K4lOCwR6YoJH;DMy_jdFjb?a{2(k9U)5qjPSd+k7dQsc!`hb6jTME2& z!k^bqrF#h1AJ%IMKPW(josoJc##zk7K*gkqMiD-4zyYR?oumSbWITUdtC*13QbIok zemHRfT>?U{6_Fpn_F?RA`PvylUj96>eAZpzfq8=KPnOLzQ2i!C!Rzb{`NtN=`}WI;UPM&eo{I-=B@ zRzm><&zj8JNti&vW19mI{{KkN&i3{!w0JrM&nf(v26b%W2zC9k&v0zjic$94?V(IIfkL;zHfGIQ?;3I#L&py&#a|aFW20 zptA;D$e{7~X?j5*!5w|vFvrD^6%BF%owUxp1Wf>nrJc1(&uW(~9YO62A_Hv1JeXQh zB5-ePsPKhkoQ}aSAuK*&xaiFV)X^zUZFe+B6XI#$Zq=rfj79g$6 zv$$2@T5e{VYRRnpETx-fF?+J5(-YE+$v1L7$(7W!V74t&Il6JsjKGyD9VMK>T3~>N z_c+qmqgn+E`tyXQeuERdjTH)mU+hGvwUn%CVvbmx3&Phan zr)9uNo6cZyFZ$J@!OWymG1ZLQx7lpJq+h$F8zOy6h3AfH5LM)wYFMl^V@$J5wGgUC zZ&GG|bR%88RC5wqw*6_UPbx^NQo12FR@j`iAyqH+7jKi<}~h0`UOkfsR{<&g2nx?9M{ServJz`dTV5Ql<1sqRJ{{D5Hg?G zM$YAespPm8v2W6oziTa@$00TyhuM_t^u!ym30Mk?KM=+8ije}(ee#iXgnYi|O9>v6 z8|2ga6i9~~VLIiaS$$i1e?6PmXtb$_JWa{~8=~$*qUILPk=nGJ7#3Ws9eq>Qw6vhdPW=Nr|qx^_DvC!N&N(J##O5&HI zTE)&e;f;xqAE%U6wJbqUwRFNmCkWlt=NPhJsDrC6ktc~6uS)SMv5nA80vJTO_9kA* 
zL|$GX6sHnRGSf85b)Mo=s7YlgJ~Q#E#H1Lxyvzg%DL0~GULa(??5R4H;-ro8GEJNc z+*4haV;1H1H&v2Rd@3|4NlO!@xK(Nr)r(O4P>H-I8#nLVtP{X6%A1tpQl&{{nnZb- z+Y_$>#~{kf;G1|=m82Rca+pK8QZ`<;Orlwomk*~@lgjg?GR&g9T=OU|dyV3KWRj7Y z=1`8!#^o`G@}g{fi4`X-9`4LrxgwO`1aEF~YHDJ!Vr6Zcc12UJWb4Wsn&{o;=94YW zEO%4xo`|+vR^GO0i=t7Qh>prdlKsdz&T4YtH#PN3e~x^Yd2yAoC$e~OYVLUQa{y`E zdw7XVd1QYcpGIUIbasFO+HQFNYP&KXd$jRZf*wf`BM&%0 zz^2W?SV9FdAQ#`tZ4{#s_xgSZ{*i_lf22~?QpX2}Z(=fa90=+B!NG`x4>k)KDu=KQ z4RIp(iM>Z`bZ{0_KX}LqCwNILP>9ikM^PJkZ3$f=Q6YPXJ;;Y6Lm+f*G1P^ZgDlwa zETr`2TLk^O03GY6-$Y@oTZ3qAEOGIJh?bDd9WAsqW%BbKBKzUWmi3~595l%tOg zlGFlvo0soGlDoCvmrMc)jq_+H`%$YN+GgEeELNVb?Y*w#avUw6Oww>z7q@5&f`8NO zCP|<3f<1-jdru$OSA)gj@HkCH7KuJz(!CZ@dc28PWcmV}FRoBqq?-!FWs zQNa=-`ihnDS4@n|O3~aLcLv1;eNQgjdIlo4fVhiTAy4m$zYBS15)L29j)d*!RT1G< zFOwF^$Bf&Jwfkc3yh4XJXeIU?MfecNVlbCej)olq$VsfU$F?C9BVPnyMV`jC{?qAL1WhT2wRuLH!I8D zQQjzt%VjrfLc8^46ATRLyX@v>z#R_6H(dND&H;my-b5Eig|c6c`JPHbzajC@iK}=I zpVM2HJ+d+J_QNn8Y%!b0XFc{^V$BHmSK*Ctd5SNNKTn8@G2W^%c1(>DD={~yKQxhV z>vqqh5-Os_e#VrafeU=YU<`07pfA3QTj^h|5SN-GOppQWR{I{A=oXbcZZhChH2iOi zT_sV9b+iV=?-F3>d>EiV)8+l(sYrcp0=+2i*$EuC{c@Os2PFaGfh)-gNqU}o&scWh zCj;DA&w`fZ>EgYo+9BQE_<_tw_rLf%y!yN`3Vi_IULt)=y827Hp$xzwOFnei!{L;V ziGn%DModmPLQQ5l<+liG4)9I zN3|rb5kN`aL0zS}K!S`l><9*Y)>2{A(k4rsOkq)?bR`6nwt?Q%gZe>xv}e_}sUEgC zwE4p{g$|si!^mxOeYv0OthJu<7`nL0nRpJ^3~#BYLn4 zP@L~O7Sc;G`7sckH|wVRP=6ID3E7pbVp7@1K&-7gvfH{qKpVvVYiyh=Hv3D*HY&hH zH1qk0u^KR7nHIjV*xorwPf*1>)+~lTvqv2m3eo@bU_N?hr!^m z8%Sl2r%Xw&R1GBptK=2{kd=LsJ7^b?GH`PN#RuHr#K=QmO+Ywkpx zzY(i#%<|)ilcy69`%7kie(f@>V$ujs_wu_)8u@v;P|SQL5YFT`MwNNgCf}P zKA|x|DfooQ)#_x4zo6{(B+CLN=aYO|YBDo&e)s2nkQP$ruN}8SMqn+IDS7%(mQU}~ z-zOpt>(x1kxVIiC)JlH1?R-|gM233Kw-kmmlh#7%E8SQup5k7;$!51Jc$i;Y@q0lz zjZva?LglB@q?WPqRs|gyuXa4N`+J!nF=73_&r7c>e8#i|0d^DVk8v&_lvU{ z2zYVC6FW9#(+`!&j}(Z($ooEY=y-$!9x$uGk22GM6)w73(mrn7b`znnW!Ib*KFITbggU|*`=r| zR*CxJtvm2mr#vbES?D|Np%5Zl{RX2&K30~T0}c2S-}|Qm&dO^heR7xUjccp?C96Bn zcnJJRGdPb_j_|GS<*>L)u1ZLWkBXerxgv{P9KD2%DY|s~*G4&af*wCdi)51A6pFM@ 
zie~9e$g1QGnrOa=P+%fH*XLg)*`gUxKJ&U!+&z2_~7PH8L zfoaWvY7GkGCiH|^44ZuA!UfK0$AVFuG1^QDDYB-(Oa`Qay6t+tn{{H!YycY0~8@g~1OYlO+NYm=3pn z^+IN7d+M&M97%pfLncX9sCC`M?Qb_zuNE4nhF&%Ms1y33mPq0cRbt$-f9c0D=jKTG zH>RvJYqT#)D1vBxnDiUH7Cv);T+(*A8~2D=z?LFx6-oyib8O;shUimN2iF*M-6R;#@0>E`Mm)gqf#|=;LK6HF z5bjwNfmI zh+y6RMumaFt?o4iU^}H63eV$rbWuSGtuKOxA*?`K?|*qg(; zuX&b*r`|-(#ex-jz}i@G_E^CwgO~|frO{BAuOssPO|h3;b*;<9cN)Db7oR4LvB;;f zW+D7RzGi_@HSO^SgbFJDK|QgCUKbnR+mii$=F2NXe65R+jvfFf*p3Q#q5v?$wjyB- zl*H^t)=CIKJq}v}NL5Bx1nCwTrhm!B&?B=JSI=LCa_~f4l2q+!*(Lp$%Z3fs7K~Re zK}&i<7bkMo!LNkKim8wfP$g4OucY*d{hE5TkQMNS@Kd-bD+?c{rElR zrMuT=chO=~ktxkwBwYZ4WCb>lI&|Q?r&rb<=Gn(s$71gR{RF_)&u0ESm$8 z_ar?rWq0lsnRST)>;^bP=rk5+->xYr1abeEa{Z~H-<^m60B##3L%4PF;RAp{CdH-> zLTEm?=n!v5Av_0RfvqygpsPERfV)W(XA{D&!3LSdq#qd`mIoDuT0$}FrHcy$ zKuMWit(|Oq(56p86Pp`mY&&X9P(LonJ0kq*ejIm-_?`IK*_@!6z(aQj6KU6S!U-O~ zu^HG9%;O`z0{q)NQQ|`e*jQD2uxQr5v@Id%oJuhMg1k+B_h{YZH9Z^h71!01qX`dg zJ)p`sNsZ(Y6hPXZQxH$&KuL!Jg1QvIX%%vUx`a7SM1Y{QrrPQzud%1wbQCx>%A3Z-uaIxgH>W@j@-*3Zba+f$bB3%TV6C-4J;G#BpOopf z7hew61b{r-ee@=OTS{P;)R3I|z(d!_#h&}tP{&CRQz5R!BY(_bSh6*4zQmB zeQt<^6j88ES^ZED`2ZBwJr>%El5Ec6>As9EY*SXPL8bx1Q>42)bfODyz%dEVP>k*c zK@3=YTJR*LAlw1^V9C=THvuL_ca)t!no#lrT2n;c%>Vkc+9M(`hsVRO!M@MiNGK(M z|5021&Zv7trRQF?^LI|CM-C6ZdQcqZ!=-FQ>_%*W$}jV*j)oJA;+7kx{cMP zkw$yf?Sk?w$~O@6jhx{s*I|srjSgB zO;Co7K!HvPc2I+}2%H`2D;g#ap3Hu}*l|Hc;O1vHXzGE-SK=2=~sxaVSxXBeKu6q!1RtXvp- z7WBYJ;K*1kfkwgnlg46criv$r@h5=Rq+xD_mj&U9B)(^NpW=u2(iI71kq&u}I{bJ= z2+Lrr)7eB7zI{f9Itk4jG>BGwI|8!0i8jLTH~65BOVidzdBGb9QB_qc@Rgd*#M)paxejkV!(wKB+K0A2jkJP!SHu|-%VuoSf(B-4k2N&)U2 zz~Ub!h1Vw5?M=KFf^9#_JIOF#=c@iCrl}HKV6d}5>^Z$}mtOY9B=`@J@CVfqhxgmW zUL2b6!}8R>Na)$-`aM#ENl9N~MA8FTeiZIqlKNTZ8MANyM0t{dBP)AH{^6MxAkLuz z5M8(%EC;Hk2}(V8fReuUqe0W8$Ri`J1$#2z%Ju9s%Y{#vkxL*^rNd7V{u9}J$15ku zQT2jHGQzFWl7qp_r8jU%TC&nWaOUGcJ;7GT5&d6PcrAiv$#T!~nRj%QBR2eGC=$qz z#PlDJR~r-7JGwdwaaa^6vksL4CT%XDA$Mu6qIzSL5Je^rvP{|S{dzG+;jlLV;pmSiYN5>$sg zR23W4=i!KT@>BoP3E<1gPHE9K8ASM^-5%uYl5G3>SOZ2qYsJo#sKhmP`;p-4*L}3W 
zi$R!Qg3Fp)5&ZvU*z*D`d%@-LMRKQWp zzZRJg!Pqb;EYy;7*axg2vH|=BSX+QpkMT?5x_W?ACpw|at|K?fdA&zV-B1M3 z>%PRg10>S023lp+BVilF31kpZ@7RMnFQ#dcrF^S#8iM&-Z!0#fkYmFOhWypw?xRFL z=T+(^)%x3Lsn(Ri(D-j~o@*^W404p6%~Y0UL<>)9DzyyPj&`BpjCTI4p=xP^oJZd9 zM5b#DM$b|8|XtWf};t{iT+w zV)gdMUSDcgUR_OPH&ky|WpsL{Bh-O1ZbYM;2@OTbl2L?gj#obwm~!zwu;&``ScvHZ zS}^=l)Moo(JKMQKAe4~x#zp`Ok87U>HaLq$-8K$Cj~{R0(8xGYME^B>e_T^O$W>;t zBpRZe{s|qMJJvabj0^AT;NXFCJFa|0t2I`xu2Z6kht=01VEQHJvP0+B^%VA80>|mE zGtZoxzJ=%+KtQugcR{Z+NXzq%YqcA=m)~fCP18sM1yqyu;T2QR`{k^AwYV5rFhIxN z85=Flf}&O(hp~A~GSj`gpJ4n)+!CSzOjy~l0p^o%@}@`{*I+B&_fF%o!h;|&h)*;k zBLzWR(4tK808*|)#a5PqfCsBx6f$I`ndj6FEfU2(_f@M}g9KOVr@V!(ENbuC_;WU3 z9Qs-0t~O4FJtctg~qA8)|Cq8FY_)gJ`a2 zWnn{H1c#KV-j247?{$5UH%)XpYb#^vE3tC@srst@=Lax8sA3c&DGF~pSlC#ET*Rak zz!+{Sn>}BM{ngJg9X46!w;O@1{ynWT{?cH|Qg6yC6+oI7V^GQKji`cvxxnn~DyJA@ zUwijK$23s4q7n+L@XrAb_r;SO4Ova!zM;Ld7Fy3;cznwH*1G|#_TvE^D;Zv8VRd44 z@UA%(TBa-x-2fdpzzBsk(+hAhk*AN=NGg$$GJ;){4P3<8)243BXgzstNq)1E{+=Wc zk{1N9*AA~TvL{^%Z#?yY7&02HYC0z(u%uPWx6u!VAbA(Vg{Oe}3cT?A62rBv%fgb3 z|JkMt4;CZrn+3!*qP73ntgJ`Wl|7ers5s}6U~%|RXv%QLZ)Y{R@jMpxdY38Tx8h&# zf}J@)`n{Tn8k=N0OJxWW6Yw`Ri0;ziU1F+ ztPil^$Vqo$Z5<%FoL4O{KRwXuc!T_%eh;`lUW>iP18o0~QU`F) zfRRsTgOzMx`^*TucF2hSB$eHD%DY_kv$8`>KgwGQ7NHofC6x3OYy$8a@ooBPtSG%M z(Dk9b`^~(>Iu~0nu|9<{hwTEOOV3C)f{h(Dmfq0!41(nYV3%d(@oiXabbeBzX&~g! 
z;t1dnQ^b7S!Cb_4^X+Chc>XRoMKS1r5;W<^&D4AFGini0T0L^>B&7`+;@g@Sq-5g;Bw6*jm&u8!0E;s4^_EOCX|< zgQMDFJM$XrY^ovUM8c($^*e== zAy~<^(2b1T^=;8qMiYTA;e)Xi`Vekwt09bz)@lO)SoWJ3ELpQkZ- z$l~juzkz7`nr!$Q^Pm@60&u<$|2s?q!EW%cWlbtX=qf$>0GvBY-x*Oow$^~zMMtxP zfbnPkBHWF2OQcu7rHaRfmw@!;*1g=_xLv>zLlF&>o=qruH(~AMep5^L3&JcDIb`IQ)IK)uH7T*bmZAKS&X4g>Puoa!jK>y=)6daCP z;ze$a>8moSw(qRWZ={aub%^O^(a`?>aYK8wsuhM_vw=~>`b$p3s2!YxuXu5CZ@<0)ew70k&SZpWVQMYz#O1D-A0t42PEDG{a$+~6xEDC z=$xx;tWps`CYKp?a(E*vJza0i(1MDh?x>1`6EXLTw@TW;1PaN26!^y;zV4ptivA)Z znhFy?>VOfQkW?y2azDV-i*Hf(Rz(3A=(+HEl4zJ*bqQkt1h!}Ff!#jIS$$TrF7vGa z(!4YqK7qzM``iaNIlA9&OadZk$655I!-_)ed(pY6-|)_AfaJ0n2!`C69v0g|5J=6fVtb8qyCt6=wiBY{(_X*7w#^_9 zvO{B?1bYX%D&)ooWfZI}cs_+HNNkY4)9D#pRdY4B*8@fJ;`K#ZFCp*mmm;L2ElFJ9I6F!5CyBVYj=b-}rvhai!4Ksr7qLHDGjS^{pF+o==2UEB#9R zP$eTsxpr2j5^NBVKaMq;(L)p|#T~ z$MK1wHmM8PK3_}0hRJuXz)yT5Sob!hUX=fcn9knrEb0qom_+|AfB_PNvg!x#uX4vj z>_eL*7SBXo%m*huz9t_!`yhLXKTj_G@wK+JsL(Q4;qeMFK1{m%D8TQoXg&$r7FgzZ2t9>~6C;msHK41b0E?K!J6Btp^q-2?o4B_eO1 zps?@!ziMM2VWYmc147{G%CDB6N6C^{PeN}POpoW9;s$$e1a7odZwn=6`vw=SFuO}U zCW*Z<#Jt^gELbzTI!4yvuRZX_LU(P5W8Do?b27!LSAXqpqnaM)y6$_&_YD1#=$x|-TB}OAQyYx- z-!H$v&8t#w`CC;(ugy!1_N%LM1a9&SW1nw8xNRidp0$);gv`5a#-`Cny`Odrt@$e; z?}OZse;&}UA|8`tiHFuRcsUm@7s`^Z`+Faxzu6&oG2iacF(MXdLY#-h8H?4epUqj!p8s8!%K}t zF9+j{;_ga^)qumr2MP{rF))7ga!DRTAPFnI-ByQ8z=WWZqklp2jd(TrVK)*5{wmDt zF@^}*$mjyy)LY27V87iQHA}n)+^x1snqID0iL|lp*s)X^-5DT0V&dojv&yu<21rD5 zwegQ?Y!w*1*SKQ$2_AcKpR*}W%`8g?F zpCZfS>DqVvl~rQW=SarJ^b;pBXM4=Kw5LjZmoX{d3-(NFvDX;pwECE3oEG)}S+AE1&xtqMht}}75SR~o~ z-53exF85<`GZGn{*@V3LPPI*ov6SDscIxw}#TEy9ep`Pyp)KXiup6)F!uC6XGudgo& z62QR1!omLZ%FN6p-xJhsCH(|7;r2}J*3Qq)GK2F~&EG_2wF7IF8X-N!xlAop z`?K1HdK=$_tPb@N^%?cT`jR@8x)!i3F-%rMmiR^ID@*KRz$;6fh3d)@W7S+);_KN~ zmbka~Sz;2TI`cd|QUcovT&zZ}9oBZ+PnoCcpkd*rC`@sf9x-iVs%c7E&(?G5;rfDl zx;|Eat9z)A7|+k9#9OKwvner+g|aE}3?12&SSCI;B?bUMY)TyCBWy~nO$3_~!&pj~ z62EkQO^IE$E?!gOtW4LG7>ngXGGDi*#MgdRjFhd*5M{s21essXcg!bDiEGB@tyz|s zhNdh_JTpU}2EsX@Sre|%q7o5NdOXbcG2L39A#S>He9)Fh7d 
z*!Wd&*pGT_Q*JGHZHh5Gg*NqeG!K~4+p4i+Z7y;$|7x3HT2Mijix^28_O91fGZI#x zVNTng!rw}nCJYWI2v>!_*hsA|ZCD`yHoTa45d@Eg^0s4elN#`92FVv1FgRd>fX8xU zJ*`WYCyPCRy_T=ueykNIsg6^K(-Oy>M>+FeYDD|97It08^~}@KLVBXn*;`tTYSJTV zO%ch-b25uxU}9cedR($dS*#THx^v*YMJ2JIMw6&ZuYDMw?*V5vgB%k#SFyBw^7Qhkf|T2Q&ym3!;4FMC~?zp~tBNvg60Ft-`Xo9ZizvZvBAlg(u?IyVZPuK?=01aSn-}}C(36|o zZ-|?zo?}^3bqaM*2XnGezqj7#JWbRB)~sNtqj_L*zU6 zR0t))D$BW9`UvEZfrAGQe;iuW7Yo$oMY>W}>W72>+t`SKVv75oCnisg%K1U|klW#< z8FbMZv14{*a1LTYj}LAt^1s>7t$}f}y36P=oTKrJUUrdkT9Ih~+eW%*U@f`>Ux_ZR zx>abE3DP+K21w9IshH;2fod`l%*O8#7yYP<6%4MZJ>7_Ai>K)F8& z@^5hBy68{0Rfds>&!+}^5a>rBAV%6H!X3&bd|P>U(QSa^=SOZXa}I#qLj)e&jE0;H z;5P$qN*EYiIJZS$3tLOG@TNA`=1^g-t;e>e&9y(UtrX_ke{3t-T-yZOdN$Wy!M0AA zYr|k$&F0!R*w(VS_71j{Y_1)IZ5^9y7hzk)=GupBYuH?yk!=N=YcpY6CCs%a+19VQ zHYVHZHP@!Xwsy_6v9PUNb8Szyb!)CY%C>6FwY4C`&r0RE2f4kWJtil0PYeeZCof16 z5l|F`OMcLUMI*3_qTu!1W5d6@sHE0-eqxCKFnY}Il@6H>3`V~H{Zpv5UofU`4azR zy^8!_-uDnGuht*Q-L3b{lx5H&L0>m0y)>NApfr5&qe-Aulm}RvEcrHDm+n=S!o1tv z2g?z^QmY{{uri4HhLgW6b2Bt{J<7N*3W|8z#xhMX0g5MpolKtiKvnWTlT;zs@{l7D zt=v%lopx1=qcbNlT=qp!A?bCSq;YAOl??oZmvu^;C*7=deNw@g4e`wgv+ng6J%iRR zO6%;;(_^GsWB;m-nK29N=Pp~%>6q+D*Qe z<7O=-8sDRFFr?u)Dl!ImsuKs?)hkk_FfXNue%(9?n|B&udln#7LUcZ(I9~^t<5H7J zSX0isb~#&8j1MgEFU;sdR^u19H!>}0s6J!Z&PJ-YB;h`8<|afCZv@WN6Q%b zB#hFUWNZV!Xu${cx!dS!lF$~}Xg*-8Ck6IQxk;@AL%?JBW1a8h?_rL*e9;FO#9Pj= zx}R{UwVAe0Qcgi0XLEpNA>8L6{?;0Y*B-aggg!_+(P z415ZerBVOy9cBL8UxjSodareNF92M}8~+P*;n7X@^h`*)z7n`6w~Ll zf~XS4XHRgqrGAW2TjaY7AE}<9CV-T_72C7rbK%AfUc7eNjbJZ2;Cs3DVX)^$Ld%mDxvG9QTOOw%J$LfQB4S!7uq)?mk+-bCb-G&s%`YlTbnq3y6-QmoNDuFJvGZ0;3An0I0{ zD1+{WO1Ea|%uY2w`kP)=e>pbv8mpbEYss(L)s?>8fn=d|tqT4ykh!~Kg>KJ902p-E zhVf`3{*;g=*WPT4ql4bXDgwJc)u4~&^#5+w*38f8g8nxayZ{_j?SsYN=Lh#gzcKf#W67}riS5cMv7Xh21}d8p*clW@pv00001 zv;ae801y%ig(9Iy79~*-C7ONY#i&S1rRhu@!#IrMlu?F&$N&HU0000002Lgry{>;+ zCH=A-9c#`BqO~V4I1uU}Q`B3SbKt^(cLNjim0QDSB_G3SO+JToZPv~!gQp*Z+v^Nz z4mt8cJO;h1$>^davJWAf-bWg6l$M}!LeGlIj~4VgfI~#qi#>N>dI7QwM60!Lf(GCb 
z%)B{3pDj~caZ5ZIXe#r+`b?$af|$0_teXIvmRcM7#LBH8hZBWmw#c}Fjq4fm&1@{T zm*N=$t`lL#geer3Ey4mhKY>->v4csbfI@c8*d)SB7G^|mxUU4cW(v>n0~c?SFeG%T zG}B}%&hj!=`;m+lkN7Z)Gjba3z)Ip;cI2u`{vIXj5fcmd$WRF}1AeqrYh0P+6DELi z_QK$EKN7|M$&H~txqQfCJXyC_@IW$%#LA&~cighW(Kbcu3BzdKmvTH8QhCD256JzShRI)vtQ)6tGvE@2Db6VZDzW=`cSG zH84z~;A{5<0%MwI%$+rJsN16qTz-z3L=NS{r=oevx(NDTm{MAG{JV9;FCGip>p?|I zOOm_ApnP1_L}h*H{Ijypf-0@}+jLnO(@=YHfO?On;5rJ0*Q6@@E?(^m0=dQqG75q) z5lVQCf|2PwZ=-(Y%9h!UNLFNTRP4`&^)LlxoL+MZ~prK&i&TC3{zqN^fz@k{DUR~ z&OTnUwahL2|6$I|`^w<`_vqjr(n(mIUjkiLpoxe$q~|9gK6j`6)Ys+T5bg72@A4os zfd4la$GAU+B3ejw!Nz!Q%9(Zm?iOUhC=!I4F2H;2r0)64E!Ypz zSS0xD5mr96ZjlnQi0r7>jYWu?A$ARi(dxtHX+Qg!r1$}t=qQSAY3_t@(pjMyKm(PG z&)uQbiEh+&0ZoSbRY57NoNx{wV*&N{c!Wy=JkZn@GEQ4D9u!^^CT=+@=fXgPIb7j= z1!`c8SHj;6`z$zFg19(f?c;CDVGJXp4VzkSZe}Gj(hybnp`#(2&Wb{us^q`X)_Fl8 zisnTK!vmqr@tEWv5XM@az0s6ZI;h~vc08z)mGgDUL2`HV4W0Nizw2qj=utB%>3 z(kbRI^B9?>HVKkaTx8sG(oy5v?WV6znAIOYzEyJ(8u$j%PVl>spI7Cg15Mk$^>R78 z1{g1AFS!C9q~%7{mlD3=$rD-U>5fn~a62eOL@Y*>BTob}^!23&A@1ZELqM7W3@GO@Nlt?w5DVAyp^|V4CG@_2hPj#txZn zEB&V=bYJ>82`2dSg3|J5EJ7X+BBVlLEM8iEe^sm==sH-dRiKe(<` zh3u(pg+vkN^Vz5rQi@oACv3JnP7S5+VX1hBR3PW{hs zp+-?IpguH!kjW@mJ|tmmCb8nhj^a9alS=B8SYNy8Iruj@8yT_beN*jUm_ca35Fzjj zazyk{X0uodO*FNY>mQJsIa zjCwlQ&DfreZV=&PB=|J?-K7lJMZOKNBViy02vT6dnwBYJ{IxRa%347JJ|XNnsO23{29@<(aLAm z@-eFEv=E`W#Zpn?@wdt8NY!z2rq0G+NmE}qBtemuJGZeeKDR@wm)ER4x~blkt)>h= z-8a$gtju55TTx#KYulfrq!sqD6^0LMZJD5Oelw^Y^#I{jUai)fo^9exar zXX8{sRqbyT5bsh0040u+OUrF@N1<*wA@RYv@R(SRKq1a~K1_T=u1lAJ8*HUxaRv*NE@I^oQo2|j% zD-(&wHpAypyvn&66k+3gQ+0z!E6Hta5NQKSz0$vaXTE)CL^E!Y{i4b42yq8YSKBK) zx<($sT=Jyfbx3R6M9om^XLFKVAoMz$Y~Za-AS+IW=rh@5a^P*Gcvq~I#U}13)C}+u zsZ)qEUtzyuEb($%nuaiROSOmv%jnV*<}{aeJg*%id%m7W)u|zEsCe3h``rf2^B~Dw*TfbjqLn zc5alVYJKpWbGPU-)UF?x@oyG&($I22JH!xkfz0s4(*xVhS%eeW{lHVV9VF$i7^UKNN)K7GX2_*@pJTM|@a2-J#*@gs)N!nPEtk6~D!o5SwoLia8- zp}YB7NY?7Zcf!lr83WLwIdUEvvBxs_xOo%pgVvLnp)b6YM20Cxo;V`q=KjSsDI_rN z`cKiE;OFlf!_owbAE=aJAeuoiQPGJ}QJQUw;}EM>MdR^{7DCb}G~2{c44mu;{!nVN 
zCGI9|oS;F!`%PTF|LVL++6ZZdtl_0QfL(}D@Jl!f8F1mB!}&&^rK z1JGkim%4Yei>`N}+irH#7T|pYO`JxdaYcnT&K=e;|LBcU`@5;g0d7XfL%Y z9J^9}Ve4Q%2kC8SqZ(DmAkTe{Y_op#{Z^UUV=$|=}5*JHQsw3m@z{l`0CbxXCoYrj?;JIQ$ZClX9Q3g<#@-ccOy) zDT4r3l!5d3{>pH*@Dfx&1wXFDl2!H^5vM)3i(kw0mB=S{ykg&_*Y&N?CD^V<8e1bxlW?XzC zfipGEjm#j(`VEvi89|EdHZDY|@a0Gj=L&t)=RzSlIbNA#F)AQrpfEbiv$2a!9^gEx zc1G_SAWOI+=q-)ceNd^cXuSj->D@EdO?^{MCu>OpzmH?mGPB(Y&OjZ`pt@_IN_Lb` zyoJ~n*lGI**feXGaajrw1M(DAZvu>hE7Iye%~vT2M)b8}e~ppuZt{|C2AziKFS*7s zWX4*a1p~fMztfL7STrrh%_E%e=DO!su@h2pn4!X__NKTdvMMwmNaLpV_{WwqI3t<= zmw;GBm*~%3vqC=z%L-K~xVpcgPI#|hB*%R@uYT-jK z*jw?=7j;yJf50#~OxBEY6omZ?4zH%NlMi({j?+9lNbgk;JsdHx9kVHyD5{Z@|1%9) zfL%v7V*AmZ{iXehsN5SZ7xxl)O9ZMeG>Lp&krL~WdF>hS#-<`oH*M@IR-}#r$@hRU zqnzIY)0@OPbUW>j$lS+tdLVe5R!S6ngbma@2-3?H#Bv?LG{5gSE{t)3wt~jOZn$aeuMr{0|ra*MhNw>~E}nX0gf!uLj0tR#c6&g$V~26Swhe!5a9pO-i1*9&pMHlFEYonwj)?dsmxi~#7hNbcAM+nCeoMm^6Y%naV zk@%z2rczK%b3s4%O;+w=?u=nAnlmvw%Y=?I!|t8gE;=(r^AD-#%C(EGdEQ;T(67|| zMKg&-LN#14zWbLN_h`-(#epDFLNU;QwKU3Lno|&Lktf`PFm0F_Z9IWrZy2MN_YS-m zc;ZC$3HD*7HZY79M&K=&r_-K0UP!4x#wFr=7r&gdzx-4e?zi?B-Ho}He_O;@f=S|L>C zz;{5fvj$igCPo_psz_WjP7PbTX-8m_PlAs3ZeD~_@lw+R`YQ1lBNGK;k)!u*>OIVo z4_%x5nXCpHMD3Q7!)&nCWh1ia^$|D|4;qRN@ClHMSZrN$hWJ3vMp)E13F&Qqe4>X; z0wHUC;|n@fJgqjShA8V?aMI14_2g}XE&IagF?mnk$vS%t`xuX7rWHwW!09UJ?fXKI z>wTA-5xb;AGufk>Ya)&kGwIU`2|F@K?GZs-I;k+_+oI;r3k?v1kI(ArlUXVS!m~=$ zSJi`?%|3}jO8yw>?8`4j91E@Z?nS7n*Qmy={sY15(3rq!9ZB7t1Sw{22qTw3qGMG6 z2IBe|_2fZEZ;mv3ntgPP?BLrnhq6X-t6V9Rc{ZW^3X|d^UWe!WvosBp zMA!aV6Xcq?rQ_h?c|WsvD$$WAi(_sYqad{6Ls2ir7!eY)+WEVTN1l}!1iD!$8hZE7 z1LO2xs(Tt&^e)Gl&8z^BvG;BQia->|IfaG-LB!%JEcLf3Rg1Dk_}E%(j`SX5UEPK*-1~H5A^!tF4G(qqAPX2scn4UkLJ20sW1I{$c)2Ro26f_ob5Ox$KD(t-ikhMGlML?y$Rol%_t1S6+X z>!CM8g(n|XhR(#V3bA1jr`WV$Zb5Q9Gr0liKv>AKO!w7a9igX1Fs*2T)D03ZHrOyL z_B+Cs*Y}RQT!&NGVLLG@i&n8 zK#7%q^qG+tmx;bHNj=77zvf@GB^I0lkbRD@Yn@!28~df|oQOr#gEBsk^HLl5Bi*_x zu{6jsH2;}D-Yf5u@uSw;W5ESa&t8o`Bz8t*K|{Tf@B>|+Fe@Was`x?WUINW_7+XB@ zNb-aIbTg`S%1vKi6Z1JVrIyBlq8&IjwayNc<2bi1g8CRXCK5v6QT(_|`I_JrwIt1; 
zQPKzW(6{O)c75|IH=~4*`Q3FvWN#bqtEZ_$LC;v^YzueniOIU6((WK}A&s>VdY)Ut zaP5~3@AfRTE?Vl(K6X=Qw}D~!U5vj09GOPk@v?EcgO3goLwoMR?}wh2(iMG0K`8H+ znwb1{2!G?db~2WxytTHp0Tm8f=2pk(i71j`FUT&Q<+OPG@{*=W>$of~p4mXqQ8RDq zh4Ce6*Plqzv&p)UwL?2}IqDV;H>WyBG}tN|4SSJs1hWIBxDnY}H3UKs%{4SdxY+&Z zMlYwB!zko?5etW67%(@G}W6!$xB7z?9h50D=svInQ?@) zOr7LhBfj=QEN1CgbnN$KCfJEfUjXG+nYepRRPn{}p`_hsJ0)l_bmF+e9tG)d{v<*v zCZlXQb(V!1H&FAm(u5Af&$B_B356tY)((RKKx2ClfgRc!=5VoH7+lw~G_ZL5$=RM!Il~4)eb_SH7r`7#?;ijn(*WlM$-X8lt1N` zvmwdOk6Z%nF0`_JYui}){VbYm-unS}U9*JS`~cbx)Sklrvfw_A!B#N$8R12V_O))h zN!c2)j`FSFy!=7f#6RrX3@W!!-hOIBoVBHL&I?0sDM{u&C;@sL;19Iokg!wLpzAWD zm*8h_O}AF3J-IOf3-yDXJ^knA$g}eo-sFe)UPRCcU)@J3E)Mn8Md$aqg3q2!9g^cg z>6+7SqXexF5J!<_`-JAr?N)OYbx>51(|b7AU(!L;8EDRrdS&qz;SHR_P{{(*sY*q} zIG$l%yAxJYJYjW56-h-Msn3VCMi|Fyt$589~T5ugxfzv|Fp3VZpfJe3mQW zRljz9GT@cCZu$oUsRNM~Uy3GHQD_6CJGPtdBfnXIm6Jf=cz=gvTmHjH*m=*6w-Z=-py3JFCXJ?lhRSDZgGs zL5-1+23T(SpdvgN7(YFM9;fP-$qlZDM+^R1IjhKulG0#olxi@Tm3&O!5FV7FNm7_w z>6$*bmUm`%Bm}3)6f%g;>%c)S6hXBh8I+z8Ne77!jA>RqOv13VKfZ-%WFw<1j83Ll zw|y_HwoSo=L*k75EO>RKwLl7y8Q_7q4-A{c1RJ+Fx#_L#hV-<{AwWCXciFz1oDs_O zvzLAn+l=KQpGfZ(yDyr?PuY-yYGI1OjxzioBH~Uc%=7%6nyk(X`U1k~fDulyLwUxJ zIWx|rs$B!PBzVdtQ+cFC21?q`^VG;j-sM{AV*k^Ix-T6rrxz8-Y5P=F&zFQKRBW6= zlPw)xSUVf`xXjr$g$XOpUoqtIIpt2$9BP~*ggQTRwB&S==(=MADta_xrM(Y>hIDI`HfkGxAB@nQ;=#h%Az%n&~|2GsNTidP_T=pw|Y89`{A zi#@;Q+aOF%xSKdl2ulRC+- z{$nGY$mI1kR(SqeSgFH?-viskXgD`JL2O?pJJ*B^rtrDp2&Jg+JK;o^yBk&Pj>>}m zUX~|lquFvCp1DA~GqKo)y=?h3j&&@N_p{Ql7cCA8%vU&@XMA3S(D|N5U2^a1)hiWZokeAE%Mae|}p$ZKIeKm#`nP%$<%lm88l3K?5g!qp&3 z`d{>dxbxY@JQfFh8*NC>@M$0%9U9@Xq`v-K2$xZ~w;_ z#9oej3Bt`Nh5xFEf7Jrh(<0Bae|aJ!ug}oJ2P#5WY<=DRSLcdZmTu%vN)Q1}$V)E( z3#!Abt)5m*&Vx37M*br-G@;3%akCUj@SLYYK35m2UJq7v{Y0D~25&>MK%i;sOd(T!aWF z4nUEu4rKNmIt!|;Z;w?JIVIg_r>zc!^$Dyq{raI!_|X}M0>GZSH>7jXw_d*oRdLV= z-~7`PqQ}SF4T^#Ee_OuO3LgiSh)C%xx0Vt)Q$fPy;aGJ_&K>SrcD`SB3%|m>GUxL==-_`-&Y~ULvDDDK$NGeLUpYUJUEL@BDYb)f`$?$wh3A<*Z8KEqSpZA zXG2kH{0KeX%<|30X{uIcRDURCQM7V-VMQP+|8vc}q^cUAMVisU;&Dg}Y8z1bBVTTs 
zKo9WS!(<{8FMYPBA*(k`8c4|EkBJq~iAmO!^ zU|^09ad{_bOD>=|Y+pwA-W_RKo8mVS?k)?CUUG2LVn`)pvV{ZQE6__t9?dwN)8T5t zhMs{0$^e{ncl7Y;0HBGyBNo(+_!>)kl0bFqnh!l%y-^r2V=R@n-+?3i94)@|ui~&y zJ|>`~88q{N^TJ@3V=~rE-HFYaQ+mi`qWM|U-C>{TJC$ERu2VM~%^YI_PXn-RJ{cf! z&?|uI9LhXZzGE_sIQO~TD%PQi*-EC~r>xDv{edUAVuYJPRskbldV=6#R>0>9=kUU0 zmzsIJ*gOP)p0~ZwT@Mq_Dd z@z;9nQo9jTWZCsr(BsQYjT5FlvTnY=bXN2H<6OBSg@hIS^jpf6p4z9wOg29US2xf* z*toLr6Ay-X2;ielrCSZSL^EdbD32~yKPOp4b1iSGLqZ)~R}WA@ecq)*-Z;IocNN3D z8jLBK2sq_+ZxYLE0_TVFTu?{QnxZdia0cAwZZn_m!f>%oP{-4kra^O$b{K$ZB`%Nw z_6W+wKq!F=2L7FOCyjI(e99AM*)F%UYm~$3k301R1H5<8b%^?0;meDd9~oKFado!#6Nzx%cN6ikJn_br2CyXeDps5 z3}eHI8tR71>QrCYL#Pq#0KE{OqwPV(KE=S`U9Fqd1@K2*uc>N(s47u-y`4qPXK0X~!CrHMN~BMe)$X)rh9!F3S20-KO(jJL={UF>vE7k;UXaI!__?+!ejs2^+v&z~m$Xj$fh;oh1b zZTzK;;Fh=S*_++|CDh5ArPK{qZ#-S4ySKHtK@VV=>k1Fp@iRVZ)Q8U`n!Fj?{w?_0rvQi8TCfRSkO)VTYq-GZ&2yCXfSq2}dDtL2~cXr=tkh_myLCOg+ zET;=+8wI|&9mxBOGU_u`x-?8RT{rkDQa90f)tjjkNfe0>u;Ou`UP3-)P!%nB2m|~< z9~cAM%?T?XEx0`ekhD4<)XL(B)0Q7bfXQAZ>@ZLPXGE0kb6xWV@Y6u#AX~1UT9!{v z-lGRWvkv*i&G*75!HFcOXP|v<78o0oXkbi^o*R1T)5f0T-`cxd!m z1cEbp4w^U%tYRF54Kv{EmpkT8YAoP8jRA8z@zk6S8uVw(fSp86@m8hu2JB@#MMK zoT~-)R{Ql0_hM!YkopjE-BihTI1#J$6+_pPllfbdz*05`oj?I*CWCXC1$cW`JsK}l znRRguwzm$XW(?fEJC|@PlWZmqYPnIXFT<6|{4yX4f*q}=U9Be2fMWjU!jLX~Zlf46 z6zyxLNpVdCiz3HBYaOBU=-kY{s#QW(2Xx>s6vi@J-@&rbTS+eVl>|f;_5A3(Vzf!QZDWNev9&cywDEfVFISvQg5vbu?M~a}Ug& zK}Uf#C7D|U@erXYmq%&#VO9Fo4I(CZ_S`y$6w=s>kJ2+jFc?aN5I<*$-T+*^KG+z;JAh75{4MApf@Q!Wb&Ors?rOY*CU&xbQ!k{Q$Kw@qm*gqI9;AoQfY2x;JYoY>S_~ zGt!-JkTm>LTgOcPIoV(1b&s6Q&V@AR5;$xEBxhb2He0@b*EC@imcry4B#-17HYx0= zc@jo=YV^o;+?6+%>7{M4jO7SvF6$nb5%}&12?h3GtlT$5fO{0pGE>eX4fLaxKNTOk z(4`R#w+0}ZfmCs#6%7U?F`JY7nY(m^a-AofStnW@|0e%lK}!&3z)e;$6wMdi)y%a$ zYM-k8zG)*gLNm@y+ZbjCUxInC7%9|cH*bp~#2)Pc37e&KFiT+G}$Gjf|zP{AC(!0tq_m0In6 zoK&taC`b+Au@!DsQ&fVKm|m*ghb8}Z9lZyvV;_vCbfl^7G+YTQp&pKRWlei+bWhc_ zSxENZ66Dt3Z0UOCc0qQm@g}`G)TAURR=N6Uc+ACU-l?%WnekT+4Y>6X=|`3tf6%Y! 
zp0m@C2!j56d0pgZ(zId9=f6~OIi|u2Qxq>HS&()=c*X8)Y7I{!#!hbw$3?v*{$iXY zg*xciaHkTSZ_@it4MuG+P~ka&sS)y6!yWZaN~wqT(F~VJ!*|;Os%$**;04h5o7#qr zKa^5`=3vt&dPI`{+~t@d2~t3-SK8J}V0GI^>9A2GW-()FE(50h||> zh~7lb$jX)hEdtPhXgZANygMpE(+ujLftAcdkQd2(xe{O1&iqIl-&g{ay2biAs830TQo(mYdvjwvFig+M9?6>vEg@}JO-yy90pr$pjxW~9QCcx zhNrL+0ez*3_og^95My|WlD@(L-#}br4+J+A;s&kDe*#abbQZtfZ-oCGT=eLx8^p5awvx$3+$co_4bobhZIN0 zG(M7%-H-r8>w~#(bW)L0FK>yr=ql?w(!g2N*60xl9;4)J?{Gee0{W)3IfHa+P`)!_ zW=!2q?YMbCvOgqUaV~=KJ(R|R{5;8nsBdi119#Uplk^_J15=&Yz-v83R9&wxOS>@Ni>SO3)IKs>8|lCT$_&8svP zJf6ASPZ#CX7gBn{rVjn59Tgbc7?&w}tawZ)6xi6`I{i$5Qgk$dU+TZ2v;#3rH8nzd zmR&M;U@=g}Zf*bNLX{`118NA?y#oZYA6bA!ra1T^kt=qILT&6Ma~|Fqy0dMX7dDn+ zu#)>K1T8<7`*XVLR~YGeeE=G`2aCYEbXLrOBw{=T--{~bZLpA5CL&~meNVH4+h7Xd zqqz6~S9I}dY0kd24xhIN&aG|Xj+lIKGQh9x;RC|X+=B$^hw1J;lPX)_Acw-vbW&|M zYDfFo{+3#%hEl~F6y*?iiyJlA2}?erbYe^yQchJ9_x;0wAIAToPR6ksZHUMnK*$2* zOF?nBe#rQdJEgpf3+v@SG=U3ez0&Y6%sqnb^F8d{9o|9imJb@|HnqcZ=T~}RmZM+yYGaXK<=g$+E5E%;3bWl-a!n}e>?7u8cD9d??@(RVE%*<6> zbm69?sWjw6TGqVx2MkL*q)KIlu0NFoL#ko1c@)N8>VF>tHitcbbrfl~M4cJo|4PieN;q3(4IZ1e zlmcb6yJ5k6%xp<_VJa+K0>DU(m&ePL{RLUnQjjufT<3MNU11LHDa;4a!}sNIhw!*liQl(!VBVZ!vd3eCFv#%y0D zXJ0a}bBq{7RSNHBr1kE{IK38%83LQ2qy`Od@vFAv;KQDR8&woOd< z!!PC033&;MIM>X3E`;7auYlIJ#55B08>YBhMligDkZB?JSESc3^FiZaqIgo0$#MN}%y1ZsN|T zch)pFtos0}4YjmiVgcweMfzdqKJGhCG#alhdf|oDT@s?jEyGx=qVfC|3ZpkD48}*jpMKTn?e?=rIi33}~u>p>C zE5u!zFLha}xv~1KpQ%d0v;`w>`$nO`Zapmmkt0{8Sh!xJ#9r-B)rqC3S2vtro^WI~ zZ+JeUQi1c{X#4`KcT-_K!Z7jrJI}sSZ{`%2X~wALbJ;yxpHHB9>D+T?&y$u^V^*d? 
z+EjmR|&2w`!Q=tt`Tm7rW*yV(C`*JNSJz9u+OqyFOG@`Rsgs-@NqgiFOVS# z1NUtzp>@aRrqO*~UGH;y@PXc|ak4jLpT573pII>yP2|zQTm-Z}_?E*eb$CY47nXlp{#V%m zZvVT$pFP{7Fg$}_ZApyt*Y$htUuZ*lFX&r2&j;if#T1BpsD;FJn>3C9Ar~eae*F!6 zJDK2g`NM*nBH7s??0EXLE)cisqSBstdf>t6X({0yKqw4N)`NeFXq>c&Hlfa9(3(sF zoD(!86NGKXh+{P6Mtz$Fs>SZhP^!YQn7jRta+qpfsm%6I29c`gJfyXAGdkx9sjtMy z@CJs%F-wo0Pva10UA|g$w$^_{*^8hFll{gsn1d*bo2At;yhgJkV1LwMQ`qiP{#ALE z6g{&b>ZkEmYOo6?9lyE&-1m52Ek zqzGYklH!upC zRvr9A;$U1nPaWt$Reami#4fIU-c%jNnfW>ODoL{_L&-M{cIz-NYq%EMNb~jKq|n$k zl{Y9DQvQ=T-0eCO;)h8$IRB3-;%n-khXAF+d~bRHUHIQ9K@5k@Anntdt0b ze*1miVX;yJ&%YM1!BhUKQrD1SJ|q5oy&t5KV_G;w69QAb5080OJU=#7Z9VE?9H2V> z-R$d*Tg{PSZ8joqscsLTa%62NgQwrcOMW4qQ&^mnMpgiATJyG}xskX`c-EHnL}^*% z{$XLX2OD}(v?9#td$RfPi1c}YA(-rM06Yy0t*fHBI{+qwNBTV_>Ws6%4ky|!DRg`( z^D^6WpUAg!8gOFp{@XfDwbXp!cf1uh(~k8bw1c&%;~;PK2z8`v0W529ZG|*6=0^tM z(>^0eSinAXhFc%isf4?5UlO)pD(xoWeLvvXa|lNO|nfsKT>J{Xf<7u6kO7G6zxun)RK6 z6?K+&`c;cXZeOn;&d4;Jqt+*!b1W2xzfE^hN|#`@v>qPjWta4hDx6lS25!j%trQH& zfE6(&_KO0&_Fkmg)Cr7qw1l{8a7|s#ofg*BQ0+N6HZ!aa%qW%5i-p367r9+E#c?1r z689QTbF0-x8P^#P&fKG%1OTOH`j*#BR#cvxwIjLCISMrV(kk#POje8wLdZtldiCb;5bTWH_8=o9%rKG?QMg!i*A7K zTtk?L>=~3Lrj@%9$QiK_3U{TR(~m{| z^=W_P0}l(Cw3dv>ie`*as_D<<)03;ubH<8_==nkDyzXQPfYv$Oy;#sojG*lr`_#4m z?IvR=NKN=z8tPgH1N4drIg5~)du(E3HsW!Q!Z)=FL8YwYO~4uA%t4=wB5^}*JRWzj zLvzN@ftem%AoKhsR|nxUgG(Jz;_r#4!nkH44IN%8+XMz-*1C$9>zT?RI>X1w%f+RR z5L_`JWW-I9ANCocpZ5YwLp-N2mEDym9->>GvReE;XXL~tGC7wGlxf^aJkNf@i$y@} z>KyB-gqxB!r)kzdU~UGC_nrG@zzRNOW+Y~K8WE6TB-BOGKI@*ArI(61ln9Y%HWoDb z4SD~(8Ez3{<|iS`y5z|jVPMHCnKc-9lxo`?^>#W4fVvw1jEChK9Cr^nj1fZ7ZgK5R zz7}sUTaMLEs;g9k3NMH+U+7;_O-Z^e@EdFhfSGkhCuTR7wH>)<6?AxsW`SMAL&zK1)F; z?FH!Y`9;z;UI>{bBKq~}obHT9|NBot<3Q4U9e?QY=|W8Qo{I!IJz!Ue$9o3hz;RMw zh8l9LkL^w;D1E}Ki?bTJ?vO$4Ul@n=Nj@`pIMep9D2&6PN0!ihSeZJ6YS(b*+5;VJ%JL6^w`p(a?^f#-U%zzr)4bPv~24_32h{ZNOYAAnxEj# z1uL=cSWffvy3`7=*(AAHM&5X&aqts+G1LYV^@U>&!VX*NtekO;5D z7KawEtGYc#@#0lT6<&!qAHbB_RCMm|xR%o+dfN7m)`b?u8-kvSUE(tdM?($5;G$w8 
z4LNcZ#?`a0OWoKie3Bjt7E~{|?RizNX@CBW<_lo#EClkiM|8At`gC1x78I4sf5ZKC z=6!X5HL714)sj{K&xtg82f+z3D_eoCn)IU4C#F!aABV3abrNRYjY67OUSd=}99?Ux zw384^`f2yi?RCNGG%X?_fASmVbb+flAbHzQGcb29g+UP=4If$CiX7(LKX?X&9GW{m ze{2k6OE-6mfD$voFk!lbtm8$o*Zt#CQfUmjwR(i-a%OK@qUUFCK-4PA|C4|Fao)0s|IZ12!Z>&Od-(qEdK zEL3$AOX*W31N280Y9Nz|`g=Z#GeW z`XdMF+pp&zYXWs6zy3tZ;YH@024W-+{Jh+*CGs0?nE7}(CRCnsEg9i77kCp_s4zTyD0fWKK?x=&*!Z{4NGd&?B zt@(3oIxg>aA&MYATn2auz`o)ld0pRzd~@kKgH|R`ltqg7^zP?12dnZ3an;du*-A`2 zBhR}jrOBhc*y7ogswT5{Wl&!>^bb47&KI|+I4NjX0|nPMB5U zN#B#XLFb%;zvZb;u2I<~x4~_vh4v13FLM@|MONNtDSJitT>Ni+N#&p!hO$YSD z@|wk`%i>a+!eepBQxK_}^dsF8fH3IQTxk2_eEPe)DWGCdg0EO$U<_`obq4m8;| z!U#cpi^U%>a-`v$6r-U${=Fg()s^}FNa2ndhsPgyjv|K~At>dENEZTGKb1?U$8Mr-dZE=g2FJGzaj$HpVckx4JF!P%)rW$@- zo-XxwL`)7_3jL6_`*PCGl`gC@hlSP;l zr@#^vo@KD4eODDd0LbwD&gA~l2jYAllqyEe)xkQjXdPA5iFa88 z_p2;@9)V?tdKl!vE+l1cgiqOQFs$K*+dSPK1H(okTb7GVuF@285Rdu$X!O}|I<9tD z&jDx%mr^d+`uN2MF#0cn{OA{y=Oj`0=nBFKG` z4?w5`#*IU5)!%pYyy&aWzl}Sew3X|Dv{3F6rioHE4#4Qs!8+-5dSj>85;GCfSULfh z5)h_IZ2d=99j+9#;l+TMfFH@#O#orY}&?AY8YfM2HDI#baL zEkHM2t5;_pEboymCO}_^1I}DqkF~N$&))3kb?7kcEx1D0R*U7FEZ~8jl9rLna|#*E zG74}=Glr$+3@^ILv6PG@zH!jdOqN>|B;cAhvxoucJ3&Xrp35^FVihk%>C=s)h7RQU+QC@Ie zLsfCWc`)lc6z*%o7~Cs-j3IgWKP->K#?EP0HM_F32?~#9INO&gw}v&S^S^Xs)Gl6xt`R9&t3;*}z|FgS%wqr=?(v_C~y zls|fiPo$VqU1>>|)5AT7^>6S>5@dI^la2kSyqShYkxZdBoF~_dcm^JjC=v-6cwV~J zZ;{)vhu@qU(5Mk6iCl6j_ZqHuTY^X>NT6uhUU>;sHPw3Yvzw`*p^ff#al_R7sXY#N7aw2ztM}hVei`GM|M=y=64Uc^<_m&Mf_L=W}pzBTUlslfaqSJ z;)V8z3J8c`^MqGQ$TzpU<^nwp2ZF@meT4RH=>;kN*m86Q@Gn4-bmOOUdNZ4X{lk^KbANsr^NjmH z8DE%@7t|Oost|=1g*O69TU8*j3A@o?)aT$1z2Hxjck)^sWPz{G_-fB_TV-B96&Wi? 
zz=Ls^eg%@8Jt|E|vR-W_H}1hA)JgZcERzU#cG6`?>Np{etLrbaNvjP`w#uBa#&8JN zkf}ele3J}Th?*mro0G3vIs?5~3O6>aebIM#CGb7%CJ6);+7qMx3MJ}21v+|Ib-Cvv z#>k#1i$fx@D3EWP#aUjTNp&U+&~|wkE_7umraFA9n>HL4r3S1`$G4ZoAmQ5IF&Ao7 zeg^@_^9K=6K@AD6Gs%RfOxfa>6V<)N_yg2OHNjz**2%P~N@5=N3qfavVvi}Ytg|X0 z%+Q9|SsWHmbZjwWDL=UJ;43du_Aw!ygP7pdGr$u~p6(F-kb`u@%azxz3v~u_Yr}lR zPIW+`>}K;>p{A-8QZAbrj#(v#W6fVK5Rr;n=HeYQh-0Q&Bw@sik+r{yn1t|vz6uUw zt34vwA{fGn!DJ&8(7V+AdcqG_9L_L(6%GH=c6(ql0*BaLfbD=;Q)YN$0CSbyiWD53 zvqd>HK!3WaTQmB3*9^9+J>hFmhc$dO7kP!Oc8q5{=0NY38?C1=G-*_CUZV-JXwsXb z30#Fj5U!l-oamWc6DZtl{SkR15c|kYY8`5ETQ$n>nH1F`30whSMbw6X%aR+V$jtP) zv%`tRO=zSg4~l@eF*d+xbi>3FRW{yOX33L}ypOZhD$vVaTBj++bJD!l%Z#AEtWzs1 zETGGt*kV-*?no?vjSqc6@#faMw5svb*N;=8)A4(X2_0oVN3hpaF;7|ci^)%13pPvE z@JqqtP*`q~Vcck`PSUp=A{Ug$h)U!IS#A0-_sVY3y=4UCD>s4(I*GPDWgpKF*3hG#^J)K8$$!bU5qhR(c zG^u@}(wlmrtBKWrAInFn8w(?S5}{(|{!2F!s^wT5z ztug)v?vVgsUVArMc>v0EC@r6E$7w4Us_#ei{=;uASS&eECbaF9v(j$cPtHQ|nnIBD%lZzADm?xs zj`~(>YHtk+mt)hxk-53;qGl!TFtsZ^Bu~piq5F?b20E_ z;R1PjKbBo>QY!D6`1i7Hk6E7JFw-BXtJIe6WLPLE8EqKDdzyU)$$6A=-U}tb?M|px zv>5VsVLx#;jq`3eE9v*~`sx9?xomQnd8gV=R1nurz$kR36=0+2d1Ead#Vr<5MHI)l z?aoTUSLJJ8c?n1{hXjPfHi0fqF-l>q-bA<$X{67>Y{D6)0$4pU?=TwVJC4$RR$%s9MUx8<)jxPwvci`LkfAxR2kSv3OnmYvOFEx9pgADT-wY%zmejHi7MWD>KP%33CWs9@Z5!iNjLM)9mne$1(r@0?)3^ z*vWK59kH7?fsl0#PN*}h_5a!h7M1-L_-|%9VS!&Er89$ZA(01S>MY2YPCVMgei|oc z@mKlB6e{3#7Dlh*STR|H^wbn)I+6tKH<<017f(r1&?H7!nouj5 zLQbDZy;sX{k317b$WI@7<1l0S0-;#uoD zu2PYG5wQ{3L-5&_5=pU(XGhF-N)Cz9JC>|o9&YqN)zYz~dM|^+N$Z|v`S8t`1dy%Y zfPi#Ovt*{{d$H#7c$5a(DP^ueKQP1i)kfaotzmsL{|bT5tCeA_4p({{r7gu#C23iE z5T=|iPGjeBw`e+JjL#wGOo_q{hWg01k|#Pq%H2;DA=);|3>@YnQ!7^#omkN%u$YeJ z>Z))M!cQ$H<;pOZP+;zMEog)8R@;QmGvvN)5J9oSmY))y@@g8mmOW8k44VD?T7{F* zc{-)58O3n4GNE_k9oQUqW^VmIT5%6Eu4lCxjBmzPh#+?!;WECGD$T*no^zdy{W#2) zb-{V!_Iu^%(-u4Ug%uKlr}F(8X9Y^HqZLm{cf|W{fOH0n@E?D-Vi?-bKf{gD_8C;& zN0DQJ!@<9@T4KXPhtJU{4s-9@%^2UDyvs8fM8IzFV2D;jgZ4S4Rsk{zZQ9qVZ3p4h zWivV!0a{N6^&itL(zmHR;;XbF?X_}=uJ9HV6KON3q?!bAX=RWSb^?cmim!T-F 
zIfgN0Gz$=brx^N>c@eT$jwW|2XYN2i{uuH)a=|YEl9)$&;d}Gbv(H5T0HnPa0Ri>K zMt`sPX_FF>;130=DB)u6$3TJ}5!kGK@L1ABE)XTXSWqC_t4d0h(E6}xl-=CtRJgAo zvuJ=N;)f?6^FzSG$D14yRFY7~px;;^A1OQQ5RT66lRZLZGvu1xx~auS*BgIGY)k$> zVF}{-BAczuHb8?OTLEpyZ&IkTrAi(hfcktFBqM};q@jgsGvHUkt!(yIlCshDShFBM zbd|>UDnU0YSdJ`02-5Ab1Ef?Pp#4PuZU63U`wzz-VSNA&r2MlW(DA3+oZqBZV6N3^ z%#gI%Cc6m$;F*PTy8ZndCm{dpN}wkMT&&nzPbNa$#$jwOo9hPX@11kN6Z&e@-z;{s zSo0s9$~Pl?B_1qf1AM=$Tfe&n!61Yj&GaFGtnss=Uxk(c;u*9wz|F;;1zdjV1LncG zH1npp%lxOsz8rK@Pj|d1h>9ha0GQ&5ab=i4Gr$7;)9tJ3l|LPvPKAP=(qH(v8GJGMbjxwm(_Sk?7bFrI9xI*r~NH<|# zw$K=}Ot>A)2+JPv3OPR_2h?_Hd`gzD6m_luQCh~H&Y;9!n*=s6z&&FNm0W!l$@>FTR~d_QgW2_#vC|?yTH>Nt9~1)C8Z4Qv4|FpwK*T^ zS8mz=9sTaV?NYS>4`?Z00Iy?kab0KuOv2kNo2>(5|^;r890n8Y*W2Q!!ficM`4gXLS|D#0h+dnL~E zD{8_?rQ7OOx;&Qvns8;hHNUgsAwvk;9YKqaJt;pPwgY01V$(iWMZ=j6%zmb(pm;zh z6ceogx=+%Tc7iTFmnc>y0!?o@yo-w(4wEwPC=aUuvMyWnxF?rD(@IZ_Ui#*@2%SP~ z7dnx5+U{a(8dwY*sES;UF|+-1-Lrlxvcj5qb}zr%Az@m6sR>L`{eY_w?CYE6jqO;8TQNcs{KyX6?iyqO zH`h}SzHj;w$@=D2iB?n(o}{dWjK^LRI>3(}l%X`?$Uz+Gp6UV06^HgiBuny9=(o^! 
zz0bSLZl1=nmYgjFryR13vU1?V?4KT_F8h}0GzM{{RGm6$%2YOgnxq6TVOI%ax&~>d zgQyt00WSp;dOu_7#Av`HQBcp5M@t%qK=zG&A|LZVy+sTem$|v@XVkF&# z6>g7(5WfhnSp zqsZu)HBPQU{SG+g?&aCf>w4cK1knvBc4O#1nX27zT=gKmfIU=&g~0s}RHKKt%!XIv zMQq;duzQ0!j&s+Dns?P|u_P)bjZYrJZf-bVp^)0^%CCr2c)aG#jib5DeKn5dvgR~1 zl&5mGk{3DGKD`%Aj>^c}_^#kNC@7Q{;UM@|z7eF=v($fIrV?{xFL!abUOdHbeJKs6 zgUO>vkRxcv&qz6j_a5JD$oK(+r9hwt=SnW%Iv|AcL`HAv$NZ=!Z2aD#T9paEHTcK2$&&HxiR zxm`-n1!U|eic@N^JYQEvhw(*N(jgsydGt7v?WMF07V*>r7)XN0kNBE72B&@Z#T zmFO!bdDm<8&va1Ve3N0;ID+Ycnn4dOp5TYoBjHbm1Ms-ViXNbbYa|}n+Q~tgoXmyD zN!KDy5{Y zlVV^{iE6@UR+NE8f$`=T(VR}qSwcK#7XY8DZk(!jAV+P51>jr$xQzGa|jUI3<;0D|4R1&xBuLvAZ3w(iuZ z+l6^F@zlH9n4e}&=PSH9@v;Lsfmb%a3a&6P4vQLm(=6v|PiI)Cd37d81R-{AB>L(( z-;q?HOhrOwnLd*&PD@l+|g29FM z#&kw=s|&}eoy#m}@(gAa=1yK5kx>66z%}*MuMhzW8H6xr;^9QH)B}M9-}ctqAOW%s zCIy)!it#cIMDC307zG>aZq|Jcd<{@Xb_={8y2~gtu5Lha5Qpj*`W5*-c}&M+X?vH;!N54Zp{7?(+Z8JDZqq_zbPAy_ zdGNdRwLR|(kdW}a;%s6BC5~oh$q2q^k>*tmd z^ey$n3ToVRx}G1z3k7_eHLGrFu0J3$w^iX35hxdyuS+qv9KH$NJf5=38u+7=0YUCq z{vs#qG44+9buip@L0AEefTzMg?-0h_?H>-T_T)35FttF{otO#1HmX8vK39}^GzzYl zE)EEJei;gn1PuAx@Nb+D4HeXunIg;nHE$PoAoRYnt-M4ThZ3>Pg24j@{K(;{#@p^= zb1P*FIkXt-2>AQ|YAn?*jYN6JeBAvlM+*(EnapQ$>(o~DKEdHMfoaAC434T~alnPo zTA|`ULN~TCtfSt}q$STE(*qF31xKlS9mF-bkHf`uB8BIwG)U}`GNk7fL8)y>U*nkT zi80wg)N?Gv;fnH6OW!02+k!}0&BuYsIw)0fFoGYUJWsfTV=))bIAYMO zt2%6J1zkB&0fkS=TcW{W8{F$JwFI5_uB%RD5=~G!5y|f7!cLok39~g~!)9_M?oy$Q*e?Kv@0c&5TD+wPhja)4Rsl;{xwe7Zhn{q? 
z_5Q*L5?KNxYD$w^s#sAg#MhZ6dWnUxEb9vgLf8IZtqi*WeQeoF|FBFDob9l%_?gYL zgkg(=%ew$4Hrmb4VHHN;&FXNiUa$h3h&H`r@q z|9I9RSqdfHoYNKfkrMuYA83%nqR~^ob>Hd15V1GNUe&QLzKNqv7kw9|z(?W3U2;)X6NMfKUh}!V3+`R43G;rn zVcxYeczD#w;K^cP!z9+4U+G+e+&(Vf~pfdDG&^NOw}7Fo`CziYi-DbIU* z(+eWcLRk8MC(aK0$cz&?C1)XoRK5AEv+oI)%$z9H-q2@37^-}8;+RdP0na#4Bcm!PDL3eRq&P@|8E!J-kuT~R#e(XN5P zrj2L+BfzHey5L#7SP#z4)>Kn!n-A4#Q_CTEDFcQmH1VGr?0QYlMeaF$OjMaClY;R; z8)_C_3!`Ax>%bHsW)tQUoRRUBuQA;_RL}g|^_2xUv0C3Gslo0*)Tm9;tkZ3b zWU8YuPmX39K-iDOUbw?rt4@4@85`v$ZU7eAo`2xq8yFE%CBh3qR|Zi7j6Je**{~+g zir6T1w9<_eiFVpg_Tq zIDu1Uq2;;pSe1fsh_vJ(Xan+9Fq-ML>4Lbmk@eeuMG-6?S=?)%F~V^;Szw+F5u|M_ z&nRTvr8wLYGj`T?DV5ec4c%y*)j`{sYAvpAH(+%S>3o_wiHa5WAPCD5W}??hH6?mG z!{YdVW%yw?pDnciIa$x8=G<$j_e}Nb;qxwo6MSZ`t^m=nN)I}GNs*BCDu@J)&sKj9 z>`s*t%Aa-q9{*$7x<=6FP^hKXX3<6#++)j&h6XslxP=`{FeHy*{-T<~V<}fZJFK)R zqpK5&q6Zg~Rn7P>8PyF5s>s2+F4>9U*x_a<+Mu~ zMC(W4_qwKuLya_(&@~6$JdI>>O%HmRQu_F{uRL%S4)5pEdDlYb>8mS$ug=oZ#xfUE z4OzLXmClDGG;2c%2SQnx3eR0^4BvHfXRhjw8#KI^5Fm!@;bj8MI9Z|LQ%-sfLpME& zRAl0`I9crsCu=5+YiQ-gdv`%xX0&R`jL}355LuS?YU3UdXPRi&kT~hucjr zUnK?p*s{r|&;KzawZrQEj)~RC5!3a;^)oi(U;|{@u1B|kvIng9o~P#9X@20Y7{RG% z<0cTNPl8E`-TDwuep`zMqf{9N+$N=5(n|o;-eYerS5L$PZMvsir@&_R4U>mclTf?H8INp=jGo5qefI>+4nq9kERzalPmvZY1IJm+l+_yrwCbKnvSJ3;rkHcG>pAa`AyJ>6Pk1;unwDOZt! 
zi%5R_pH7ptBsij1a$OjaCD_Tw?iyAd)7+x<*HjxS+KIl5!BAocsmiF`)G1z0T|tW* z=ymx4Snz;|ZeZ)Ghv)rx!9^h1bJoDA- z@P)TCTG#cx(mNa%&eGrv*b*!lP|)ei@Wn9={C2HdqXhJ~gU{z6ap8>+V~gkL&2crq z0|p-zjZB_uCz_ zDi0`h6X4X{3e{l{&D8Crh8%DihnSZFa0GQ-8WLknhiMYd(+H4h`Aecl2Hg6-oENp0 zL2BGdT4@v~Zv2RJo2pzn66S2F2|`{O^Ef)E&3VNhtd&q`eyYAA24PG14tkIR7Ju!c z945O4uG_W%mzSY9!B2;lJx%1=c~#<~(m+cvxD|Wb(qwITf*4)p zmUeF-Tx>`q*rDU637~)WX*l9KUm?Ud{)zC1``##wY!MP|kO>rhXHc$$Ni2!FE35?^ zIDwcm|CHWsLT!FJx6Z{=T@Tj z3Nxt??ipjmTG?o5qFMHYK*B<{PM^5GpH%Z{(3Sk%Sl9YlJ-(Kk4AeBZc}fc@i9VUV z$R45HCmGnX3p*>+NJGbuVceXDy+Yzk6*=yB@J~k3{haVJJR~1A0Va_O*bc{8EF72= zM>D(u0t4y&*L?9g@nC4MQ{6Dz0iW;gJio$3ca3SK&6=vUI02_veu5q>zsYGNPHQjB z2DX~$LXMq((HeY!{$fnF76K-9=14Vho))H;okP7onxBFSIw1r<3G!LcEszKUk1Ng0 zbQN~3>I^0-NtzyW_@M=GSp1t|?`mn&TTdL4&6Aan__5DHFV>)WP75K8$iN<8 zL-r_=IdfKou5cLgr)yg6Umoe1QH>QG^h@vIF5t9L*IE1XItY4$Qd7 zOr|37`CXzzmn^e-+YK*EB%6<}%?!`)MbQqTwUHqhyU=7(r8~h$v2^~*O+pI~YZ>0* zV-+m9_?%@G!^HPnkJ%`imIt&Ijs0SedAPYw6P$a?gIYnv!OA>;5ih_sEr)ogrPVg& zy|^u`{$;^`U>2|3Uob1>s=;(@W7k5^oA2kUk**lF^+1WMB>z)u6nw}{k1qc}5Z_#d zJ^4D1XlV5IE~99Ey6;oQeK}F4<}W#|%DWnE+n{kcr)tv`MOtxfXW$v{hQ}OPndCf^ zHcOf06uLKgApM-&N#n?UpxEA$-mIbcTUKp@il&pB=F@Lbus-%j5(LDS+n7Q=>^d_< zOaQ(v4D9ek>^(_<$R4?uhf$!pnYC=?I3^;iVC2}h5x5H95du+;rj!nF)wpnokWnHW zevqBv=NyzP@H1dNIFpYaS>rlPMT;~r?aI@oFPG+~Ms07`!F+kpP}&u_V@Id8G}}&j zlGlakxZo8j=cB#nNgc?~VsXdtGJi-TlUBv?TF=ECd|U?Qc~}i(wGy?9CLVcRA2?r5 zPPbb)Gwa2ue<|E_S|*mk5V%bHDLR+2P?K!XBnWScl8oNeSjYRx`gceeZ}8lcdW`#B z53`}Pj1EYW>~G>gb;PpNorUNCqCk@@Qy9b`$3<yl^f`oHjwWb%!l>CbsUuGqiF3Y#IZ7EK0A=bVUO7nhtrRL33UXI_YhgGrNjU#3)> z$M4(ePkRP%{GWTWS&)n|2@4tjAV712N564kR2SPeBUtoHe%G!W`r%2R$|{szDg#C3 zzgMRjVBH9`c8Qed4e+znUQXd zQgtMxjmpPE_McT{mPdY8wSk@B`#j+SnyPBvEc9#mx!q<1#>BzcSyyq+!rojlMg>oV z?mMKZ6*@16?z~g7J?Tw%LRujxnH0c^B1QkiJ@omIL2@rGLDH6aN zPmuI|OcVAoz0k*FSIdA%>uN{u!q|6hjz5x0bA7*q*$XmVK}RCDfREHoOg-!{Q^dRH zsYRb|`{MN9nk~%F?CDG#Gv~l3NZ(AD|2!N8)vea9Jv)q9IXYl~O)Mj@ViHWKxxrwQ z-|1mjJS~92Hdd7)o3B_HQLkZpBrqq9ln%oz}X 
z(^4W|{US0Yo4c>!M1w6lK@e?pLAdp(LDY{CL@DguKizpm12D0OR8VJBe_b>)<|MpviULs)KEp7k-&x0d+ff zA^Ql77M`=x*<E zfG2a2!y+uEzo2t1ohkIAfRIp#L4Ms*oQ2CxSdmxHXS4Wk+Rk1mSjC?U5^+jsJoQyM z%1hh6_j71)Y>YR(zytoUmFjto)PG5)AnztI@seVv=fysbxz;a5>oxQE$SeWcMnm$YF?nBC8#ZX0_mFWT#%ehY@ zb<9`urrJ|rh~4M`7lYj%pFHDIx|X(%i)RG}&d*Jm+}V$e83TNcRZyfffCC2~GXB(J zE}x!3Bi+v?+9`uDDkEZ)>G7Gf#{ioeTh`IbQ32Oan?~jRT z!r-%-KqJ#hSM1Jse9#iJj3Js1E0T;3S?>b^z(CaBfAxo_Lpdy$iWbII!)Du%a6JCR zy_8W@O2%&1plcWeFxz3v?6J~cY{4aTUSR&)CD}~5NsEkBy4CUhk{u+=*vU>-Muej| zL^$-+eXw(by#a&Jaq4VthsXGAQ!6VIE5=VCnra_Q5LOE0Y0Gyq-6-57&$?5z%~hyD z!qebO2PyL%=^>w;I`R(z@;pOsr7aC_HvUeoTzBegIS@GJYYTGV#eayIZkZ4KDjZIH z`%m;9nM}OkY%Rh=>-_*?u>io-u8heLB`@j`_dQp}ahRbR3j{4#^?NM2AQu!-HRD57 zrCqcmFZ_<_V@g)SA%3`^xoC^Uxi2HcR47btDnhbPYuvG3u zXxJE;PO(bK4E^=-cHEFOWDzm8KJBst&{VUk*1_)%l{xDxNmkA2hygLyfBWW+eXDJO zp8bHcV#vmmRlr`-iRGm!$w=zvoYIh7-mz--0{a zEP!M24=amiKV_N=9TxiefU|_!6TZHw+Z{nKM{7g^ zhnL>q9m$qRX)o1f2Y1yYz2*6&jtidMfqH0xz>)bBF1yf}CO8~OjA4#^B`t%IGeb&Oe{YZsxeWrT z;o&s8(Y+GpE|6~ zGzoFZ5E>gpP8r_ehgedSvBiI{-!fJ=8_{>I>xGTn?CFGKs8Ibe{%25 z+&#N52*qf^kd&DpD-nE~^!C*a0Q44_Sv^BtA5*IwANSmYHvB?L(_cS=(Iq7b7lY0I zGjI$IxdthY1gwlDWng;%=poonflZo`;9&8-4kt&pmq~B{GY6)B=rMLa`W2DCm`Khn z_`M{cKD;q<9P+lF_t}Ff->j#Ifq$)lG5|i#Mpevi%aO#(OT3N_hUV8t%>{>E50)o~ z-^U`-1{CAG_eJ_m%j=`yiU` zw4eePw-*OY6#!<3wNFY5mQ)3cvdQJFm4#W~18OPI01F zTFY-ThlJXBy;H8cI-;)q9yGdR)^=(V_~Y6LdmLk8+ubGeIH}1=wTLKeDEk-%9`nZ) zWHf`p07O8$zkQ?>wWn&Rbhxm=^mP|FG|Enw8*o8vL&~Njsj(CULqu3Ok3rBJI|)Qd z_|IwbfKV%0fXAKt1rU`YCz>SkzO;}adr9R#m1g5KO;7O7c(}ys_EqI;?KCxy$vH<= z-S3ad=<0cpaf($$hn--HxiRh8hLmq!HJcsoCzhaGe%S+<%T5zZ4G` zQ`*>SO(Eq-Wlb!Lq{>v=D?&{FA5Y!>lpg0_1r7l=w6kq z0s_dsB+-HR?LN<#M&ZUbB*JgF(MiYC2?u^9t|z8j%zYNM3|F?H3*o*P-HASn`DN{Q zeTkb>O;puSrvqbr=W+ql4cO#0Lu~LWIgUfIy&H-rz@!BJjaI{qFA^_3mVuH8rK@Ijb(a1@Aey}749YUtTe$QmKbuEMfA3urwO*G; z0(PE6l;0h+*`&m$92EEo$63g6zcN-vvkAy9Jao-A<977P0>zW6t?u`O^=fe19AWc$rW$M%{1rYB6PkGSoer75 zs+Earq0fLcqQMLq^#4=Y;I zuhJVJ@i@Ci{jlC)xLJAi9@xGy>EnQpA#oDT7q!a=>Ixm{&u_;s1k)S%P~HARi{3$q 
z=UH8_F!pKW0TTtBGFzh8;JZgP{|e3;ThITvoR064=%nP$AP%Xg$oeElw0Q~FNc)bm zGpBOmKp~sjh*hiw$2+aQQQ=^bK!20We|)^N!enxiZ&>Tx=qYU6fOLufYKAfJfAZyksH=DZ9>XuH(t_;zBL|g@{dn(xz zegk-#)qlyeH#$x!(zGZvCsKIs!QnIMG#>)Db>#6e9ZDMPAApdg^J&hE+6QZoV`O{` z!dVuX)IZ-AX-dYZZIyk;_mCz;FXS|KG$l@hrrP4Cf&6Yu8T-B`V;;3nQAT8*Qj-e4y$@vDq>8BR*=r7l-@4BXJ>eamAYX+u z)gkr=PA#Lqc+}i*=^N1I+#zE&=7FSI()MxwL?d@N6&^{#kIlDY^wx+iHxI1esN-fL z(Fc4CZoc=#`JZc>TK?@7ObA*qEzScHj97CdN@ECyQ8d#VYK*f>;OyK+Bp}?PF0WE3 zP~R<9Xm5+jj7UHx(;j0Zv0$;f#&X^fWkO_RSQfevw;p9DK+$0I;9uT0wF;Vh%d(Y* zaYLzu8J|=ITj>B`iF1Eg9$cMQ$7t6?Ps9mxa6rpRt=)c9vRQn`xy?ik4FXHWssW6@ zsUgQm)Kq|0{}JS$S=InTDRDJG9ojq<57g-lB35;Vn;;uyNbtkD{`4D3W+e|wLetGA zM(|zG4vv3N9iRf2j7A_84z~V8mY|)ik6N#S-t&FxYi~!?+g-!=;EvB=yhA3m!2OL) zb}{YIexZbN-&i#WKm2!DeAC_#4VCV-o*5=h1yt_%BDzQ?0=khI$nEF* z7C?U?s~CF#)fVH58%-Id%B_;0Psz$^(=IYck|%@i{y+@r0Yf~DIga0BK*?Z@@Mrre zZYrdqd&zAnkr93xZ)VlbWQ)sFa`Or?g7-2%;_XM;$8S@sVwVfOVYk-QCOQbxl#EA; zo>W|sXCHV3zHf`;0j-eVFTfCN(@&W;-k@Q4!Xp3V`|0z>UX-khjN{53pQj`3HGtGV zMcr3%&lg{Ur16Ao1deF{^8+~GV$=+b>3(y<5(`LF=#}E>^oqK{hy8eKK>NCS!I9Pi zzCjgjQ0H(XAEBG5c+$xP{1FuG{>v+w(Aav~hsQ)O`{Rw`{^>Zd)YMXi;^UB0Q>BE_ z$Z|A*;r)E6`xf>a>z5g1@^-%Z+i4afjzOB<1OOGP%{=YL92%WWsVzgXBmn!(^k^p3 z%Sg4{Jr+QdvMB?(YTVy!8l$GeKy|cD1OSA?u)c7{npMEpb8z1nl*-YN z|1c?e5n|Er#AM=?!gS5jq4@6D$<_?sQTNBy_oDNRemAsU@A4v|{KcAl=S6vSna1+4 z_8X*OqF5ae)o0^jcQ+L&s`vv{GuP)GPJ)K3>v6|iPrk@m}35*J(?p~5q%`?vV({=c7PZGoY0eTMbL*gVE z2-|FGj+bqi?m~f?^ub%$45X6V^A!T z`QKI1)j%*J7U*v_50PULO9ET>s*{5IRCv@AX47rbU|^ zqXT&lubf5lOPJ%A;+s69RcDOZ4+_-+sUgrNELx4^hU*f&Tz#^5p|}&BT|RvqYw&f(3-1{_Vd*E#5FiGuUkrbqPk=}fsjse#F3xaeyjRFy z^F=L_a*BV=!#=Ex@x9+W<~(*_nc5rf2WnKjlugIZ27q-C<+y31MZE5cY}g7)`_SJj zT3C?eVSu{31H&ku-)jPfbvl<+00`%M4c}JXTU3K5LU^eePg3A~jDXLGzr&X`Jt4hh zoubc2Y|w{KF;=J0xMGqx-rPAerv`k@Gx_gKI}^-XjN~m>z&2ZTtQ7ct-Z_-UCjd3O5t*Qq&&g zbhn>iugq7!A{){vY$^1&Ua>%lDOn&=HY2tIikUsvKB*H~IlLIh9}Jm^kFeV4NKVP{ zs?h-N+>f~1mM}=A@Hb2Mb#5#NW5%b+5NN}z?W z*lf=hW{^VgJX`ry@x7$80I=t?OYqWqtC15~ngvq3tjI(IsRmE@diB}aC3L0h_P^a% 
z%yVuhr5v*^8ZFfJK^qiH+9B)fI3X!3QzQC7@RQ?Nwx??G7};OozM$`?N5S^Dnj~f$ z(LaH`a`wXrBL~3xh~Ke(VQ?ATrN%s+GAWEV5W)EaLu(tQ`5k+15Pw&m*ac(uQHVRA zpWXR6<5CPgLpG$tjS<1NQhF!G6mx!JJH5eQi-%J-6_1x?#OYAK%{z@FL*Yrb$4te= zV%ae&n(0p|^$Fky5z2yG%cBiXf3DvCiSxy^g4Fpn(SO=j@=9zNk{S^l)tVRB+B1=4 ze+@D)Slu*2mZ%cIES5?QFLu(zgRN^17d7qR>nb5?ARc-enE$P$@Pi;?2`Ih7RkV!> zb~l@1Vb>Ff2$KFBkEIDYol~n z*1}j`R$K6oCTkB}INY8)bT^~ER~6y`o* zd|*EygTyQW^61xmlc70xV2$otk4@4Ql>dO?8wx^{9wB{awI)6+3E;6)0GSpI`4YRo zf(JL4@ShEfZdJ{?rNG)^Xa*LI&j&;ch#Iy}{0;+rm%r+*KZFvnc#bniVG*1b3u-R2 zxxgzi%^Cze8R7>lGLDXiqTBAs2x_PeI3}uJ7cE3!Ca+QsWO`Sd30ZfAAd-MnPJ9W@ zD4zu}hMTAO z4A9a!zVG@74>E|A3$^YSkqX1;pzy!hzAw(PT(18QAJr#%?0v%;+#}C3d!1L%{Bjmb zl{7O5>!LYREKfAZ+X@- z?#_{FzX%Yu!Tfp!bBfUF?m+CrTwW`us1h@|%zzR8uFsaXLxzSv z+;LXth19@42u^{uYzvS}B*q5rgT#0dJrEGC)d7G+l2o#XRW=W8kES2_io?M00|pvA z_{2#NuyL%t(J>!WV+L-gnsry+F5Ia&Jxlw+^8$2icF*&Z$xYXb zY%C8oI5K`KTT1?TKYIA{uer6s;-}_ogc8iz;b`l)Ru1U8NVO5^oU`vI!>tv3#9vKP zYzfmgQz&&1rW4$Q4Z0CPp@II4l9mzDm=sHK3|lq@>4>%tTIZY2#ivS?xfo1Yy;V?) zYo{q|c9rLzO>A%P{sV)#u_hMf@0vRO5_)Q(rOK)4QiEuTiV{MTUuXdZ0tN(Svs^^b zvn>kuC8Qejp(#S9JOvP!0yH%7noS*};D z0fyJ3^$;T5!DducTAND1C<@8Sz#BYwV=KS=u@e7E8VM7eRF%wHxWL1vL5Hp|GxFVK zoukbfRq_z_lf0i3hCxx*4^y>I$LUn~2BKsNcoypSC!)Uu8i`+k$R)I-URPqxT&Kc25+~Dp=W2L%HcV`?IE}6vpy|?{Od^Fv2^?N0c&j^i@yE39qq9bMqEJoO;V9v8M%dX})a)N{f zQH}4yZTtJC94BLA!%z}p5^O|oYRUG5$IP|r-LL5SY`!igXYr{JC=q^k7(W8PF(t_V zzFFVzia;+k{e|=f?`<3eL!wJSD^>1+M%o zIcxuU{_IB^(DYA!aYShGU~PB*s)RoBU`-pKYsB>zul`_W3KBRHj_#S?|E??07*+w6 z+(2@$q{YN~l)%dXvv3X+LbU}9&NL8^{63n=9(CzW&e7RuMT!B2e42`$9-y3)d>A0_ z%@2UGu&g6XmNg6%spG-+_sV>!2DDVMB&H@v>7Tz<7|3JtR;R?&Bne4+g=N2cGvrX| zN0W0jO)XM5dLx7{_bpb~GX}`MGb<>j#dxS9@E_hBH)K|~G@C>=n%AB0@XwEB1@h!0z;+~3ErYy zG4SD=v0TurDKP#8fcz`zCMhD`Yy*~aJ?+XNuGXJoJGJ;q;j^<1e`hV&Qfh8sp2KhG zI;)n-6C*~9B$=a|+i`ZL6}Cp5o>8Y{)M*$Pi>KKM$>!0SOEZX{=RiZ@Q;HEdx6SZ@ z`DYKrYzO#P1#B?5R1S=NGkQ!~2OfCSN74~(V){w7g7TPl8+ro}iX>9$hJd($$%LMB zLb#k|_|Z=KZsj4`WDDyPJQ+an^qL5o5kWkM<5^^d2!i$hPgLGmcpd{(3M*m~Sl}dA 
zbwAnkiUjKJiZ;QIFJVY1!uY?%F|J6!1E_%`sBd@ZrZ^O6AvsNSVp8EdF=UX!`T=Nv zj1f*>vOhJoH|S)c0Ls7!i}~8d2_Odt9(d+{kiSJ40sisX1OO0pOVx-3Ref~6{$w=@ zgMbg}6`}#y1{bmjB8WleMF&e42ob1LeBLw&LwmA}`q84Z6@0uj5iuM4#6(P4^yI&Q z#Be0`W?_Su@Fv*IBa+Ybgz5Z=U@w3`P#|g$%Mmg-EFduKWRVuJ+mhz-$rG#?E;z(a z8h}D$WguWMzySlh5es^-#O;=wnJ7c&x z@!3-{*ht$enmsKhUzyq(z*)NybJ(4(!Y&U;E z_(I_lrp!-LN%OF2KF*WYX^ryW#*{O2oQH+5h6|m!?FW>!uc2p4QK{H@h7P=QV`b>Z zxM@_C%TB|NQD~`L{Mpn1j{t7?Y1P%Rr_RP{>ez6W}31xJH>m7HXFSg+R8@ z)mH+ALZMJ76bgmnIF92+=E9(MQ1cb%fj7UZ;sIr~TnU1yl7{$EQ&zXHFSqo^TH3z# zQjy|)aN^1go?HaA5)+1mSwq?~feFtYVL})ySsQ5)0@O~lO~`wckj3JoUO2?#5oSn( zsi~9_$A!Q)kM@x*6FmZ7llDm~TcxSx6GKK2 zTZuH7eO%2dKCMkR7&jR%B83!aFCFZQBEr*GLKnX2ld+*pch*yujd{jG0mEO#?6m6e zr`2va%bg36Qm0Kc)z9t$zzCE}P~bLx-XU-|zErpK3C^uYt~Ogx@FIZFzdKw%Ip5Bc z3=f4@0(Xp;&EMbFNDi0ou7SLe;lbv2$7iQdYrXu}ymo{0(Rz?SZNYy>i~vF6YW%yr z(BRDRe`F~Lw6KH02}5;4x=Yh?sO*`-@Y_ADT50tJEzg|_iq*F*lV0fxg{8j}XqD~g zP2ew^9j;JcZNKNDm1n;6`@<`yYa~Fegw zaMHpD6n8INrg1%K<#8bninyTV8`0Q?B|v-EFrH4N;wrE}l2(p5ZUzrDbUCTI2Pmmf>Rja~p)FEMhD;v4d3($|yo*<8m$UsRXv> z0@T1W54wQeN2wtk`I5)+wkDAFk{~)eyIkYZb<#>o{*b3MH2=!lm(M?NwuXXD!Uh?C zyBjBY@`28z0PxX4$01Dk!rU8&4;dzo-_9C=Oo>Pt*#Q1S`i zZ9TGe5u2MeQg_GafzgM}Z_khWLQFBP6Y)FvBszA@8V2a_MRC(B2$?jLH4j8<;q96V z4F61fLF^6dPV$xuV`{Brm2*Geoxe_c`am$UK#gRW|KKCvN#IwKmb%l+3PS${t+%fd z2(dNBxGfK1Pk4k4_`)xM-x7pF7=56y#YGg>L+Oz9eU!a8@*dR>bsm_gKTg*2)*taV z972A!TU9I1J@BrnWPsk-N2bIs$IiFA%4%Abi7-32iyA+tHUhqoVWP2@lAcrW6jlSV z1dWfs)#XoCQN$>d`NO)xtSh!SPv8lW2;=28^TOxcCw^iVD(tUEvlnpGj%AQxG z1i|unxnqRZkrM_R1mlQHH;^9+zpS#qE#dLEbuu4byZr6Gb20K)+02}4XBRkt5N9#l zX524h$-Ab-{m6I&gfTx>t88x@#P|goWC~eduSY&+mI6o8ZV-zgLQG^k1c9_6sK)Ju z?pyUrR|1R!0uuxDK5NLAK-6#R16yb4?%A2!8j%SVYb(xBtd*T5k;!s_Fsaal83}x> zfEv9pOcO~+Kp5jvqaN{eqU^2An&PC7OQT#s;)*SdFbKC|JQ#V9diPtp{txjI9t-7- zGT*`dKmeNBkq1XUy0=$~?zgH~lL5vBk~X?roT4EOhr`%oBO-3B+iYAz>R%E23&LY| z*zXVBrG3KQ8gOwV5vIu5{JclJA|1E=rq($W$S1cT3nSGC^C#9wR`NB$cF z2td&NpA_R01j-sn5{~(#2s|O8Y%Ps6=Jm~E?n4pz8KkzbqXHye89#)fmvj;`2r9VJ 
z>Jv|&UDk%ojgH#pMEIY@bC~N8ap>Gi26&0j1re8D+T$U89oM@{wu%47hDZ>GqN=Ue zkix2<_?K%pZs5DH)DKKwx(~duAk>dJcZAuO5|=}urKs$AV+BS3*=9S+5U{{{1DRql zErmcI=0AY*3!Bhc6?+rmuEFVJMa&1JFCW9YT&7u327DFC#^+DPnEqOB`-@Vb$;x$I z*}<#PQ7K!TiNe0TC=Bp%oY$*V5Q{j9K91>wOStxKxvs<}%#GVQd^2!c;w&pD)9`b>K?bC_~_L7sB*r{R7UZ zVRu-p3dUI{i}ZJ6Ip{)G#8!UtLGyd$v(ZX>bMx79exK|vzufCvJfRblxe){mE4B7! ziyaJrk;g{M&p07a*Of+9YP^nZsP!9*_Qpkcb#dIAS$sYp4S#Tq`Cc2Fn@<><1hOw| z8Jc()wT)LF(Oo_cJ}dz-g&;od-}&OTtiwK~I#m*Gd@E_3|L&|haJiw{1*b=A{}~o^ zzpD4k`cLYg!1J!YpR85hYToUu8iq7Q$CrWVKcPV~1J*S}Y)9Hm5y|&El;!gg$ zhclPo6VAeb=Sr)rY#ksgJ}I(Gj?_YSN(Kc#rgWm|1NrfiyWZWF%rrQP-k5GqyDKKU zhuDmhri}kQeRuYlZk^)E>@j?WSy81Z17w$;*0u|QZQ_aW-v_b-L9VG zWZ&A(XA`Ns99{$Z#B(XdU=ClV``7TncnT?(9ccTIg9hiI)mU8dDt7uDG+>UE9JGeN z#s-e1GQFa_3yuVGJU+hG|MC1iTtM2VPh%uVz!{+ zVBq*J6x7TC?F!B-p0LUX6btYL!i?#USavJ!z6~EJj!Cc`sStn==oi9-F?ueI^$3_0 zJQCELg9@*IF#?|G2SQdVpili;1yohPN~J+)X47b6zft3G+|qw%qt17RnBcXtBDC>8 zH=sFgKn1uXP-|3e`BfPNp#5aX5}C{J!uPMH0i_L=X%j&E;mUF~IJqTXXx}{|{_Tn+ z_*QassH(^Yk|pCS9A(5Ypf}FfY$OUs&*VtOy$!yn24h@ibb~mE0Rw0r89oQO!HsUuosFjN4ZD?)@N%nS z1nn^UBS6p{k?zPLfM?$WyFugg!SMxJrcpgAgv~FWQdyL%T26Pu)jbmU&!r3H)xvD>-)@hpJ| z8r1-bB5xIsV%8);q#1c0Fw{ZIG+*1L0)!B;Tb;Vi5$Hc%dnQ)O<{UK5#O7?yRmd~Y zkLKEr*yDr9=FB5~akd{~b#@N1YtA{*7C3|0s^b}_oZE?*f4We^(=U+Y%Eg~GfkGHK z08WhnmA_LpJjxuvY5cph?_i_GXTeI`6NuA^#>PZy<8~JiW5+{$DBLpQjGDML(o#ux zf9J$*vm5LEcvPBsV5`UTMdW#7zwSv$ESL@Uo5{vz)|f_S!RMn7>1biPcWydLY$qvq z^Qu>ChfWN7m8$9_e(2Xsj|e+>Z!fFmTf#rC_Uwc64)&p8W(nKfzc&Q0K5SQw{d}|JhhA=`TIIA5nkq(e-1%nJu&Q<>PtdMAmuMEN$IO z+e99#^b)sfYHCZ^*0+Q^MO+BK6?VX_7 zY<2&7$7H>cPGB=j-a^eYAWt{lwfw%pT4KA8*zaTaF};J+?*>_YP_~1#^$+ib|NbE+ z4Iu+EfyI_WvB?SzpT6AE3!F*?GY8TC9O}(0({|xSJ z-)%nlN@`)!+svXc&Q}ebzL@!ii%!mgZW*{aO342Q@tfB(uBf9vBt zxl_FZnEGTe^n*A$nCh)lfuJXr@D0%+aS{v`zsuS5OZm0x&*bUUHwf1< zP{+FK4@$kI`M~_5R6ujLVT}LY(*)D1Dge^c{TvLBA}gZ<#1HLASZG zC;!BhKNOzwgKsM%IlfCMje5Wp4t(y2QOm14f-SyL7;j6LPZSoE!*XM;%F%aswm(?j zAdn>q=LZd|6d!R2X^wkwz3Ei~j$R7h>XI=c=H{v_*){3HIRD#$;qrX$m$A@(KTBphvB;Wtt_%*PV_nuOASb?G~5ryxc7kUIAw(oPie*&Y?bD 
zh{0ZY*>U*R829tqh2wndKAC>+ckQa%wiNbq)Xscb-`(jdl@x-{_Z zB@?PiP<{Af+LwyIc>OKV!63Q#ON^;vnxAOk z5kA%)*)0I{!|!+PG;t%#?bu-PyU^pTANym1w>#c0$qSYDXp4|m+aD$bvME_#PBssg z`@9{{pQc@~mc-)k`*DDnO4C@5r-avXDa31YA&nhih68AR*{>JglP(kTIB1dJBIO4A z;mO15LYSAn@mOomm`+t1BdYqdia&*B#^+O=%azzm;-L zfZw)O*Z``9P!p2jA0c}p^O9#q1aIDDc{H!hc=>tD%S$BF+k|V5HaGtASn)Wb^+g34 zmZ|;g*Ag1VBEQ=A1{t~Y|9V2QI38Y1&h_$PYwh7y(m0 zn6kCJPNENZmYthPRzTq5@${$k7}LybbOnn2cepolAqD-D$J+derIKDLj=?QctuK(ZtLs`I%`I8Jp6b8@T$)Wy zZ+efnDQed=^i*^e4t%j@tokEh&DTQ7nxbqyDNv8SNufLi!(Kb^F(?s=mMR46QMAnY zm~*vIkwUB+;s|rf<|e#*^o&?(o%E>6AdJ`bad_(o#Cct`&PETGYAEMmKJR*K#kr(Z z!_#z%tt|HLIpNnC)52^V1+6ZYj978t7oKXTOqv0Z9;|WyS_|x8OQ!-nSgnRb7X-bp zd|VK9a$Y^5^)* zZBEY#Z1nDy!9-FgZ-tdM`~z}g4Gd`0L=aC|Jo5uu(MY2 z5V-?+ewxJ=Agd_KU(&G~0h48IBFEF?@&V5M-Q7 z!DJO?X!O^HWb!g22El$e4ex#xAPeJUWBT6=zQQ8J&=vTS9}ayYMrxJCzR?N(*`qq6 zaNm8?fedAYYYyKe49V<3Lx42|g!B(J3vnPai9v`KgkcDjh(JuU5c(mrLVU2Vl=&#O z=iWcX-!)mgui2O;px?i$#iciO0n!!RPTuF%+bP|mD~$Q=T*EMwPj3v1ne>mp2ZYHK zdem^t%l<|PMK*Q3BA?V35N+6!OJglPjYJ8*l~f4CyjVn z@sfBVQ7*Bzc}t*E1=xik05#^CWbXyE1X6L? 
z#ed2=RLu{K{el~4%U^KACI9>#$8isx?1W0AH+D-j%4}}6f6>uI%U-;@mI!19+8b*- z$6iXE4?UL$8yi!tnaz~xSNqg%ul?+7FVomPNdl<0RSMBUk%AC_6lMdZ9bpN=WDQ%Z zn}!CdVyW2-71p6bCCiABxwp47sM8cmh4G{tS0#!9(30xckbqNN>}5?n<&@w?#YCi$ zc;Ny%bVG`{G$L9Un3XAfHLDqBFbJjbXs?P?^ipCP#R#rR+=w+Nhx_~&U)xJ## zL!+Y3NZepFpN*NraKh*YyO^YdF3ddJzeKr2!@ywso4BNRV!=>&sKzB4dVbyVSPt8r zOG1ZOJ{~uC_kMjolu0*XA?HS#rk=vz>Dv^3I@2`7kd1u+-2A9yDGKpDES1&~^z zW-!I}$|EG@CKyrJ7>pZF7ndlPwu9|4JX^&ju9?S;{odfWO@r;h_8|5R_WQAJEEw-P zdiF>>)Z@ts+v**?A1<8{!VfNealTK3?Z!bV8XpGHc$aL=W(@v$9Ao0RV?5~`vB7`S zxEF9&09C#q<^tEObnL$SECC-$4Bm4=-{9TFZ`w)odL1`G{UrTB3Hc&1vZgi!auJs3B2 z-~z7u)y1D};IKB3Czz3|uBxo6By5qbxcCTF*)8&fsx2}W)fNOZa@2#UsVJ!}@)Q^E zAPT!hh7h$yrfRUoz>IudaD}=)ZIPk4cm-FdEi!}a7P&!!Ed*v{>j7(%m1&FI#Kjx1 zE^Uz!ShvUtl&VP8qv}yLNh!|<LNasos^KR?}|X&$v+qk_m&r48gG4t$as`G|{0 z+9D?%ZIP9XwhEY$i?+xGs#|0uqAdbu&5TjU+CEwT>R zmT8Vzbc-D2;&HafRp=Hu@6S^nHwz+9`K}4pvKt1Ttbs+jbO12~GH9`4+S!HuD&~02 z3j9~MI9no^ZyQ9_?H7|##ikZ8)l3pxda9XEek)9DS%9lqgXZ9q)|@NMh^i}~G&hI5 zdjS4E(zm)a3$bRBsfX5TbU5i#Cdg=M_jTlWwZGo<((Ih@y;fYZxGPjq0)YoFcax?N z64nE-`=<;UF4W75LKiMJAMHi%=VzQzUn;KrU0)wmPifkeZ&%6<_f}CTB$jv=x~x0# z#U++^E4~g7l&XVA`Dh&eWeXL*>-%)`t=QmDIUh{jLOH9;21^Yk(BQPCxm*@#8$1mO z8q)?lmSy&$8|JdQZ1UVyy+q%dWlN)C=FraHg)aBsSQ+EE&PEzP-U&dMkc#L@hX;cv z$^xhsnX&FG^Gc-&BPyn74-J`Qyb+c)g1)u6&7 zM$i~}X}Uf{Q1m6!G)+ewjRRk793YxIu%h5PsD*MkbR`em_CwIv3iWkDYa``U?d?)G4zQP}d>Ra#=vo(=eq{W6}Yq77{ zSNU7h{CeI!8i&Zt=8ux`Qf=BwAg@xb?2h{I6LJfBkFRU*xao8Uh)w7VHt|4|B}+o` z_+t!-RLe+~l_<%Tnx;azCkX2(4SX?DZ2l%F9@OEJm2drE=DJ=G6e*TK@*gpZ(+d43 znmNPWn${F3PMo<&w;j(pdF3=%wZMICAR}L^^69G(g-imF1#HmcG;Zov^n}={v;r<_ zm>4uVRrzw$A2t~F6o4W`;xIYZR*3LR9H!$$BN6ikXU1@3sq()V)N6_gT)l?Ex#r?t zV*YO^&WEDCB+dVEgZF0vI6>li#APma6dzM2ed><*{dlV=3*bD(??;H88PHY12I zPr65ZqtRWY9oaug&2wbDeHuId2n|DW28eRCyP47ZShLu3>~E!Gq%xCWBX0u%3XZ82 znkpl*SGBg|5cknHl0K7!M7}aNg>zy{tW{Uu7+ED!Z2}2VRrzKE737nTsoXWX>oee8 ztyO7JS#8R_!F&tjpwIs0SC>|C6U1o$6&0Ka6(*xhAj?X?%6_sEIc#vxr#pLlg>}8{ z{JR}ua+~Mrp_ruXDx15?Pju#2+(F5SWfy_}SP&%mRWgXs<-g%bvHEPby0jl~#4u>F 
zSW;N~e(fv;KA#g9b?oB6z1wKK4@pMk=v(>i8w>BtlFA;RACq1qj4!O~i{Y56&t2wd zi>@~_jaZDpB|~c^Uw(N1I;2p@)AXhxnZPLHc{QkxWc-{B))eX_T%LhiAplm|dO!ub z31#1KsO!1JtKgE*$J>@BNrAKuu|A~btIxLGkTn-?Q>Up^LjdQNsKP0ig;q1ASJGPH zT4N=d%PZ_S{!>T93$87oSPqvA#sMeiAElOlVN%?(yse#FXKmMCHMHUK`-`#hAxsQx z3sxTBR~&3C1HH@d+==*6wjHmP|5md>{7B&(tQJwWFlirI~X!}w- zwDU~qo#LF8pEzIdhLe3`AQx!ckuZjmDYW5WjyJefX3bd0Fy9{3cFso4P$F@RH=_j{ zaL(+bsGAT0JGrUX`|kkzLUvX?fNnS+PjuqsPPw|8?UZZADE-sM#=&jpt!~rs_j1}} zzWiK|1UgJ80GQ90zOZK%X>Dd%2nyo~NwHb6n)t2mtyTlH4ibsJe~=?Bx>3%buakvM z&9R=B)k)@iV6cOuocIn-AdY?@nO~_@#@HMEX1_1|G5MDfONOo~_GJL3im8|O-?7wxJI#E|fl^Vg8pS-E^t8;AN^SYlXW zX`KLZw9b0sLgstYo3<8#TBG&iOTjyP7jYF}qjiNV@L74G?px`!^wH~|L77^>o=L*s zxMlTI@g@~+AK&=_vi#v2fWy}4?RrGg;yzq&b+yfJN&k;5Sa*SQ3{WxO@D|e!uoh@1 z2F90Qvy9Vr1wM-AW@AbJ6$qMqH~*K1%a_zuOI3zTed< z(91enzz@1-Cn)Aw$$dWKekk6S-%`fiiyrF3==$Q7s59l#QsYd-$Vc39qFC-%@;)C1 z0)t}=VqYhU267kJSHoc=-g$F&dmN)HaiVe?(*!+kc(`k-tYxr5*~Xk*w}?2A{j~D_n0SajnaVjI9*2;3Zb8g2M$9S zm~6h+00jAOX$L}|jlI6xJ^2@q6*%9avcJSGjaS>~nujv*DYojp`nwFN@gXiJ)B)~@ zgG-{~*%V>}e&O{@f8>dEh|!~aeW}YGzMB!4)=GLBOZ(q6%KyMzN`fLK(ztYe~v|+tlZ#0;_^XAm82wYQoKs*JcPd3NlZ}0K8r#U*^Dk z(9*#hWc{*w)4?HyjC<~1d;xh|p?_ec!x#{3g1+`XW@8gv6(zrh2dWTV(*YfzzV70g zhjG#etksZAOQX_EAZ{`_T1B^Ro2<^0ZiDMWZbs-?Ga8{kqI83X(>I@Ma$tzJe=pSJ zB&;ruMlen~4rTONnWH3+^5xzpoftH7sw;rRv<9Czh`l#XQj~1xwuM6cF=3T!RW=0V z_?I>sy!(vvK@*O$-*f6xBnNkCDdbIg1;B}^SD`u z$Vmu+VEc18J^**(0FC#@>$O^c!hCH%8eGjcHCi3Ld(m0%`Nvf65}fMM^myAD7k%Q4 zn{beQ;{M%xJje-2mE4&2Wt$en;W=INiW?^P{k}o#yRLAS^`_($LiVF(rC)oQ88ba}s)kzJsHl>vk=pf>Y=| zCPkmebjVtrvDC%n8!kz@3kXUga%_`m1Y=i|03%80r!eLymUiMsHA~}s!O7MU7_B@4LjJGal)VGa)moQLu4IS01 zsedPispDq}QdPt0RHJThOP=@lf=!dP{Wv<2_N`OvklG=IP=I|$Zd4f+h3_T0&(6&-d(7h^W1V^V z|HAaWYZzf)8u&Byspu$}5rJ86vId?xi}jjs@GWDQxBtzD5^H;ta)kT0oB7RPL@K-;iSswEl~h3~BuasOb3$Z=ph zlf==&0?m0pdeHQ#KYZ6>OMK!$fwKxjda~H*Tw&T}6r-KIdk-w3qL2tzmE7*EHUXdw z%&g)U%SQ`mL4OYi+6EUa5Hz*W3hLKpkU_2}*TB8kdN(aMV;ZK3q*J;7yA?Ovux7bK z(lrvbuw^ox-s;Z#Tb+dOU%xom3>DLLhrm1x#{5P+(`%WAP)8SyllXb){b$(E#tEYd 
zqpk5*ZQ6-XmHN>@XLT}doi@E}m3ggP)ixpg9gHKY+z;Cb+K93W)ce%hw_oF2i|4+e zQ-K#*fWl-6VmlZhQL7+5Cmb;?L|jHW2k2-ry!6#hd}2_v@&zF=vcBdqpqFX85d(*z zXnT|0QsyVb)?77(88qNb!oQ3_F+fRC6e^YhNO(v;gV;VE zDs3oty&n!zgHj89*hHS^`z?**S;{394e_yeaE6K4XqMDCs*{K{)5mk*$lifEz}-od zuW-ih7~;QIDr`UH7xU%Q2s$RZ>1?w-vmfq;O{)FbO_c`xwvxR+>91^NNg0VsRd92V zs(vauhH@Mk9t~cK(CU!fbL`-fqVgl9gshld#Aol0Xt>!EZi;_K^RsbysZ;*kQ7h_CzjMEW}eG`qZ zp6y3#yc@>uM&pOh_Uamc31h!R0w$5p(8Ik_zNNuBD4`;?Rw@{iv>=E;=Z z7W2(naIaz|)dfn5t7Y%`aUW9&SBYismDnv) zyj1FNujF}B7nsS|DvQxCUQML}W^NzTM@4O>vcK`cjmhyt7v*)xAv-K&x_u0m$_@x+ zPHVYmDluY&%Dz1mLZ^wH+b^l8bt@YVkdB)JIZB@eIO4My8|ilP{>(zQYg5@{bnRrY zhuA{wT5f4%imzaqj{LxH$<}uEezvx6!z#}9O)R%W*Bh&cNn*Fs_Rj63l2@5}b6&53 zJ7Z;v*Xf#KWck3}*JoQVtl-{twtu_6u-m95oNi=@uaLJX#Oj(@ZX}%k9P)v;V0aj& zy~M7;a;?tR_D-xmb+*6P_V?a~L&VMz<`|MZFG9jivVqev#OsAUV(^4J)Yp!vWqJ+U zw~^RwQ+FS;>w#FE4A$D+kIwc=Y?TaO!)?ogSe<;8+A8j1c=Vmkf(MFw08l(P`{o(& z1=I-#1-I$i|5}=}y^VF$?tR!SIc~mrK}uJAmcRO>mZ{>d0|wqgGI`Y*Pxz;(*pCqd z*pJz(QC&U1uk`9i`OO)rUp1knI^V(7E=s+_#KLD`7;D$#qoQ9Qw{rJ(yMA7)pO{KL z!s>a<7hDNe?|*zdq}~^Bv68QlOzwxDE2-c$lwY-1jdu^JUnNPlUtcBvC4;Md&)>>J z>fc~@Z-4ScU8N;I^EZgHDynktTK0gu?yb7GF8&o3>g634CH3|QyVk6|+Laa-7Lp+x zB!tu>)cby`Mdp0NqF-ON!#Ajdo^%T=?Vz{CfBOda#Ka$F?@X92TEq)+u%5XO6R5+O z9#kYO9NYBG(VpdS_l*dL+w(Qhx@7yl#+cinH_Rsle!*tP6h^6gc+nQ{+fxreFk z=5y8mV8Z;fIq`?tyXyS+%Ni9`)iqdIRgJPxU(uhpo$N*a|{t=Fi0 zOjQ+!eg77yl1Am%s`VOG<)QH#MZHR`d9}Lr4oaQ}{i67;gNcJ=u7rz&gHmf=?Iw2f zL)-|R2Lj0@7y=!zn{A<_;hElyv<6UsCKAS1`zn$BY=Xn9CR2m_S zbAVxP>w3{Y*14(|s#|-W`;qZ`>T{azJx}K#Gj`K*&%1eUB()&bUWIX@{rrJWe6B|O zakZLj2glM4I662_9Pe4!(5$AgtI0E2n5NJhS(wQ41>584TGjlt(-%tLNlRzHYpS;l zq9lyJz(?G$x0p#) z>arU~tDCC9Vbjo#Z3=4$HS z8cDvtKQ@+6Z_J^YD{E&k(eZ2kUx&~NIx5LQ@yxY&ljCZ&s|)Ab zUBtbM)bC&4=h801MJgEYdL?nI1BweIPd0{Tsv zeiO;06~!cN>a{Z5-!g&e_+uTf@p5r_Lg3m$l`dIkt zrv5tJ!`y>}JOq!Yg>%WJ5w8v7gI(dT3^RsTTp25u1f9%Nyf=*)SW0TBe1Ymu00`b& zdFj1$;v3WC;VhWN3Tt2pDOHDou1Qx zV25`-0qp|;xL||SrnEDrOak+NzJjm?YL~W= zC#IPQ@zzK2(<&y%kTi3wKyo}cmA?t`Yza1~UK!Lc%xW0os{%F1H{OpRrGDx+66xE6 
z{h~;18YYDF%L)uQ2%BK_YRV@@m9^@0MZ}wiR>vrkAdkxNZaMaJ-Jm~d{R(RpzR@gr zD|-T(3{b(LXeh<7(Kd$If;90#H7Pm+Y)0hN7&UWqJwU8iq_a4vgN{#PP9qc<;NdM1_1? zPWeCDs1_|H>twe95cTB`HT~(|+@KhD;>aKFNW?uKn&fW;-z6ZBjhrz12sbF^c!R!l z`A2EJM2~FFTXVjB8TJ3cKO5eTe-6aVYR{Ltu=o93k_KDNIPC zO9w>W7>+=LDW4zsXT9_TA;!hd)(60Ueb;yuVVHUp9ls8+$1zB_xmq`2M<`RQJhPL2VppN)|?#|#pP?(a|F$_BMQ=42t|)^tnrqfxxW+?{zxUD zQR3<~%Ay>_+u@>4d-kzvk6qRd<#j004*f}-p9lJai&==WE^a@!Hfk!u(IGwJBP`+W zRgtxisj#qRC$qqZg>|{LskvZbW<5cjTF0tcd)AaX4cggq4}^Qp!Z681`UIC{m{>0f zBj`}OB=bZhVtOct7??ifeHiRq3jySaMU*-c9O1Sz%2hnd6e97jpp%|k(Cfo-eaOQ5 zH$94d1<~w%mdhQoAjXJ8%Ffi5?m#+M<1p~MZeuW~8h(KBs*ji^hWTOFV%;>@L3}%e z!>48vmBZ4-5T<7h&YeOzk^A0h-Sq85qpWjt?jyc+blR?Q;tqj%-O%kZyB)JN)%mix zUIlWGl^W+(4vEFQI{R~!Tp{rndrhqV27;kbL z&qdRM`}9k?sf$nC+yDv4ZPHrT_)QFZ^vn}!NH-9R*u9IJTW-XDaa{*{9+mCpG_656 zryHd%83hos$nxgj$A=bd>T>cD&bdVT)KrPBq zyC?w)K28(1WBYM!9C^#aUkzJb=3u2Y@Vs=+8M?{h5k>FjD4+-$6h68J=z{-KX|M}j{&Dr?IZYFU2VEQd?8%+{_E$sw zQg-PQa=kC-e1~K9XNLM&kX94vwEefj83aH%)Z#ZTDJ% zkhtr9=U#kkw#EfWLN-_Yui@d_AWH)nRc!DSta2(}b4aow@=Ron$=JAiwFvsCj!Z-z9m1dlNyg!9KKIx|kV6T8uLryL4 z-dtJ&p}Cx#TINwM-$?m8Uc^Bw&-fhyiglxK?t=zQs4mTvnPPWSDU$;tGG&IuZ;dHaA*-?#aui>RHoHj}xNA7^I;}{30>_^%#ULu{cEFB5J!T?lurVnpO=4 zq?RJvq;V`4h`#_aezm|BkS6^nX2gFkxqNrJc&Dzz`+Ku86K7B#&8p<6ygwe5bcQco zASQv;?f~_wZHMo#XZuZJt&jD-%)D#|{pVCOL5^kflD$?Tp64)KZ@@zsfFPEtBf}b&mliiTEMZ{h|yg7G#Tv~D?WPHN#nulOSM6} zlou+(`L2au_r0izfPHijQ|Av0gUKPPW%Q6z^BmMY*r?kcsM89OW+06(y?&SOZI@M2 zv909K_vL%?a&tx(tV_)_HkKk!!QVCIS5YE&z$#>f#Xj&%;iV_}`U4r7(6At&<{Gx`^+(dl#e^N$NSDw1fwjsu${ubbh6D*94 zCblN4pl=lZZh`yI^OyjdZzl)Q%V{^3qyB;=zzbXb9pXX^2d@Jrpa{i-H!#KdGM86wt`sfJrjVaKY8cLjkLCh*CTeloAZxDDpn=F~(HTr5Qb~z?`E;pz- z4e_lvVZq^dc?5@T4gck|sLpjlAJpwof9RR{RS4raY+Nd}z()FryN-0;@0@Sp3KUboM)p`7W9>z_-XQ;NRVfH~hKwSvs zzu8W~Hi#B9?pBsqZhzmZ|33UKbJYMWdk(kL2n+I{KzH7TZC|MkVf^+R?-j(FP8YZ} zb1b*os1%9ytK9A8Tg}b>T#UK`^}h)VsI1iT)l*II5F2$wb0%<1u=&K?=@TcbaA;w$ba9xca5$J^Qm`sHLgMxez z`V*jhY59Nn^pjk`IPTHK0q( zgB-NaoII3NIzz~PuDsuj9y5-cUc-|rWK 
z^i1qq6&Zr=%Lx*Z5ArII4@5ogh89#U2m%TjKmyXMmo#19-$a^U$TdyOdih9GiDKXZ zqQp9p1YmK6HU4CTf3KTnNwu6K1^Kz^7D)rG7%)K57c&3Ek2oiBYnqtll);t#>qpcaMwvyym4ZMGf9(xbOgg^n!oXnf`07Nj{&chyU&J-RECfyjG${)VV_M6b} z^j3TM>O3I|)7|NMKLwD&FJOPs5f^jn06xP(xxb1v*dv`Bsk+|5G5Q+)8tGZI0||=Z zmnxY^#aW&UcGsu|hQNQ_t}MiG-wu9U771cL(1{_4edsR7qC+IUwXQI%#fQ>a={qj^ z6ZXVeGg#x{%P2a4h_9x()843wx$zy>71oCaXl<l) z1Zy#%lw?J*$o9gCv!qPLHc06|hsD4EN?9fV78fKj_&qi}`CV7k+9v;DRnEj`fd7u= zQvBIRMx}0xjWcc6SCkbh3Su9sLG@=wg!RgS5=(6}IjsK^z{esQ+VOmb zzzeSZGD6H&9RCCZredfxi=Ah=_iyga!&Rxydv*3`y!ohf3zUq6M*{!=kOb3X01yre zM}yH&BuSzyPGju@WG3o}s+7?&5Xs+1UPHdVH#*Ex&ZTE+YDL&aA7_CI8 zh;1+PY>;td)-{p4pc!IUvs3w)s-GsWLF(9 zKeMDyPUpgi(#7pqU~oX?gD^xPMR#xy=ROd&{J1W&6OqITJmOO{%VMdmad`ZY*Zz1~ zYB2rs!sfSmssI6<0CnTFU_chpCF4><6?HsUd52-24^4IZ0C?Pq7;q1ms+qS)QfPL7 zKw$TZUUTt8fm24o$)5_zbre1-791FJw5JRpC+7I5*Pc_WfqGEWlbtl24lr0Od4V4B z{kqsN?1M(u07!1_1VysDl!b?jKeVE&masGr>u&GaaWogK#aEDUv=!h-(_;i|F0Q6{ z_dIuakc11qlmNpa4xOB6{y1ZyuElzx%H_}-e*_a|VBt-oCFM-@RS&~*+T(U9b>%la z=}`65Ht)zkLjlJ^Ov@KDG%{BX{Ny3!seOEhE-nd7Jzw(BWqj{m1`=wkqu-6ZrhoMu z;`K$Kai62H^OofBh5|W(dYMy zY5HtAe+6^BNx{;b>(FUNDndPKMJEt^u8M;9#Se7fLdJgVCaA-r(MLx3dE;(5gj2Wmt(jrc%c&IdBd{%zaZ zdv{loQGPT8FEo40=tH);Aq!@M-I!=LFChpPc&A1(H4*<0XL?u%P$s|$;9QT-^&OU#Rg!P0>tZh3@H%O`)N_zwu+B>#Z8Ex{Hc>B&OnpC-s zW8@O^3(L36_B7lqgLup@a3j9?w61R3-G>+q3S*9_HsO#Ulb2;qsrjawEeoOAo6FnY z(+jqJ>K4Eu`>ETXLTJCxR;qgx|74TK8+MML0<^pj z!s02mG(6kC-1&`-%wJ6z`#Q|>wKDsI_9AaDYkz9&*=DjD6iol&agH*kt^M)vgfE{L z^|s9Rbea7%Wj2G3i5(y52lB9&b_eOSAooo*uwbD0!YqF~Dc zi%4{Igt<()xT=8+Qx~9cZP$3+Fd@|MLxFDM8e4tQxUcITC8a5`^<<<=IH&CVR zT!yvZOuVmtMM7Lk+mPioHJw0X@k`tP;`?a#Q<~i=+C!fO1?%N_DE7m3x6A6quGLcu zenrX!Fs;{gm!k`8Z_S!Yo9)}Ux~&cP3nl4e=wd+%BSoCjE$bZ)p5!c~P4>j^eIfbW z>*z&iotIDD(Ej!SyJd*_4;W0Idk~ zBpZrqQ~a+`<*&rwg*vecxjH{4b7F|_TtOkLmH+@|;|X+Nm{2QeuC;~p z5g;t}D*{n1T0cO3Fh4`P)(nBWR{=9=diUIS_Mp;z8FC!8QJW@76CKC=*&aFVSF)bu zJ*AtKB>12T!lLcfYGA5*o7cCI%2Ik9!yft~&>9sSCpw=4mL-MB=t_6iOCr(XIEF4b z^4Ry33O*1N>zv6W&@6~tJnAkgL#SCL!R|Qrq!l!O>GLO^*%Wc%3{M?0NUOu;;-W 
z-!_57efof2gAaIzv4z3Vb<*k{h)m?ete*z^g! z3q1rUY^c3Qiw`Ohje6rczu4oJV%F|!AP;-90m7Nc2$9I)!_0>~AP@&{PTfX7gQg%%P7i6nxfY=K(wv{9S#?~@Y zB5#d45?{j;Rx3Rav0jqe^RpHxQ?ZX8ijnoAk$Jl*Y#xNpmx>Xb`IOs3iyuj+NcjKh zkc^>~Fpz|{%Y|KtjZfP>(ItRol9r1)cpo~Q*Bc(|7|UzAR88G5Ab=kVz~V<8*)HDa zFYg;N>Eg`CU{Sbi@i+}=yM6K1Kf6V79<(p6Gz;#01(wy1FeT zYCh_nQ2uo5SPEVc{2ejLqRciY?ZCsegx}0_wInE=O|<3v`E{Qw+}O~t_$K) zsvz1*9=e~4t4GHx{p!Jax9WVIJ)%du!lZK5Ua@?x94%=8Sz-)Akd!7_%UpLpge;pE zD0`3*9=Da_$mjxr5*qjEuL0)O71_;F)BXU@^r64k!{*8hiq+>v%)Lb>u8+bBJ&2F~B+CsW<{*Y-Y!?X7^2# zeZY3roekLf*C6gvtOs{Mh<4mHf1X8rwvb;`ye|Kjrw=!b&YyBL@FwUJoyafHi+^bZ z%?1tAsDm*gNA1fUXY`+a>ycdH*z2b1NvRFWQz`njOMB3|$2~~K(HY20oPLZw@uVE5 zS#&<0>P)vj@Xb3VfPwd$)gfzvBSt1GCQ5(5B+%@+bx)^t?)H?5S7nceF1uV>DWL?m zZefXFC5zFe-xzS#6ylK2NMgK-^fB&O8Zdc!gOgI`0ai59w|1 z?p{e0zsS^Gn%_t7MSNIqEnP6JY_WE1SZ)?|smI)?;Z1EUE4NXhND|KJ$~euSUZ8Essqw{U5-C~DjTy5$ zixIryi z#q%G*ASW)or>IlTuiGJD*`;I#uExD6+s#B=4%@GcMyxx?@}H^w>NUiR>%BGZr38Qi z()I?fmXd&&&@am0e-^d`XVq}$aj?3iA?#y9!Ns@~8@}5s#Whk?T!z(PwKC&e&*X2) z$r11BN|zBehru{cCdsFsJ?*vtBB6AvOd15KGw~?zb*tx#4}I)XouLk)NRaj(S;c{r z<@@3Hc0`)AIzW=CX>%e2dVU>9`c`Hd9#eZEAwXLw5UB35d&rj8Uk?1Mi>U9;$ElN4 zn_i8InmOw9mwjZ+Y(q0`#4Lggm?D@V4zdWHA^;UAJQZVF6p38@C5Ybgb;vGuv65elX=HTqD*Cg z-iRyLYr#eExWzbWxF(J=dm*Yx?ji}j*bHuUhN7eP%e8a*HW})4I@`)eyW;~!y?Z0F z*Q9rxE+iPD@Di+q9oB$gKGIz$jb@4(l?-S4Gx+QoLlWM*@;bocRU^k9n%1)zrEMe3 z@&f|cWGy-1A=>46dL5(0t4w?$)yL=#slsZGdy1+wyit50RIPIw8(FsHxFI`OLlzJj7Us#@qprUCd{YiFZLp)l1X>jbJPu&8fmI8{ajph5?u>Y*|gpL zMt?s&AdvXhSvXk5`MD%qH%0}-lt%_}`nN1NZW0@iJ*g{t7g+7WEXEQMyR#=?Ok zq&fCRIpe(e<#51Z+-4$xCsz#*?wfs#nwR6rz3@$oR=obdoyyK^3@GK@y;Ir0Le>{-oO_!g2xIFF43XT}ar9p-4SJ;~h(Qtb; z#FWv9*4)eXH@*g5B+3r*Y|wr-^zqy$g-WcP0()q+iTna91b82>98K1GvP-= zlzR+bw_|{T@MaW(G3cT(9aBp&``q(`3-?@6)Sv^BaV37Ytij40B$$ITTboRsI7*|x z+p(qh^o5q`*@s}R3$nm`bb%X;0b%Zdf5>vK4y1m*cr9>;v{;Y#lncc27XhgvPyt$I z9K+h^XsFCJ{7)kECZv6U+WE4C8yWktc-jW~;CM&M$Hn~;;2Ju{A1$)0w|;WSiCcld zqN8rFoW`P4bWR$s3rq};XUg*K-tJS2 z858#bU9kIY%2vjh2V2Cqzi>yR;+S6vGBlisXI0s?=t1Ny9-r#c99$b6pq{t;Fh=t* 
zk}I$iFV3r`jN%ggcFBU({8zKde3)cZdP>>Wkzrdz(3Bl2evxuJR{Z=>nP$NQ>(elJ zHifp?Cdf*_^>v090?wth0pt-;o~uc=5;~l2lQF}^k(78E4rAt?&}S-8FM^=xg?zRxwyr=NjsMBf*zVIIJ9`Ny^L|T~z9h#wa zAC}q}ZimRbOKY(YZ2i3EoF9D4Yi0r6$5)>MN?FKiC5LY`%y~%NJoa|+d|AcDQfQ}Mj8g2a-Vou~;-CZ!5%yAq&IBPy=AG4x4eUq_*LONTM%x0X zi@_L8c#kA7L`dtMblf%1`Luf)9mw+`Y~pUWC5LE1W&(q|lleSQT%7S{HH{Mv8a@F~ zzOa>jN5>E3+wrH8{)7jh#2{k57Sb#Hd8S%lqz$>l1hwHNM$Q5jOQ!*TsQyzEIcsVT zVW_DS_SnxK@FTnta-{go&;6p;9E1R&K^kAi(s5c}Lw4in^8gE@E4oIQ5A!m7Gx_>2 z+P-3VShl=sI03T*cQL^-xje?s&yC_T6Ka5N0kO})uJ18#bg2USywYqPN625$)mZ88LT%j`^0L3Wo z!C2b6g9)(^-v;*sGxqaJlCQ<-f$sTD+4xb#>>E7SweyX%9p1cqRZ%JxJCJz_mVgj2 zkNAiBXIi(uRH+uL`p1DiVbEa;$n!n!=B!fR zArlgBhvj%DM;SM88lJV)eFDx6v}!6@H@u?F5>`S>ih~He(K$io@k=-2yx`i3xb4_f{fmXu05n-X^_L^PGJjsI zn?g@L=OVQiZ&pJqGoZmD16A=+ph?HIP|{zBfZ`7zBbJwk)k!e1ID{z-%l~h%6NnqI zbaEcIZAfea)BWiY+6yAUno9`t3VcxB6Rs6>=r^VG%x}B6=I?hN5|{3^ZiIq7<%DoI z;BD6H!0(Uo7iUsb+dKj{AjjAdwTt_@Hi9H2K4X@+vQUMJo=I{Qnd8#$DB#7ycnGTP zVSLC!NpvCDmvf1$%BpgAmOIz0_`R9d`I)%Frt01Z#DFciaWLP;O=wftbX$}2nuTCn zNezOJ){?Wc(y+@b&j5@KzRhyeCi+J2x;P?a55t%;6X)#5Bw!-i5grVIO18p;n9(hf zPScBN5d5^fwxB;@$-s9X=cLFZzNna{V!FS_V3t8u$+keD15;=3hcA?CSY8ltP0gY{ zZuUj>NAezun0^3mB30Z~D&S%>R04*H86P;_Yc;Ahjb%=aQW=)Duu}?9QTJg@#ml#V zh1Kib7 zGZ({B`j?r#$z?tC_AKm`^}ZIzMv~ZLfmR)11f5NSFiz_~GWjJJzj=X}(Vh;9%IYffgEfzxLQy0h^P|*x{AsO7}KR(a;Pn%ZLa%Cxfa(L573sM((|D@-;nF z57|~4pnlrU&^lJN`*Ywit_zI7InQJZD&h}bXzFa6<|zrRkpSoj zj1YX$D0XGAI4~&jqCU+(bAn#JRSrHR511l+AUCrlxI!yN*X@H}<(qX9GbiM7gax!j z?K*cJ(yK>9$)NZcT;I1M)K)<4bbQqpJVuWb!r54HaL6t*gGYU@xeS1TybQvL1shQ! z8+9`bp^F_oYdJd~ks~3yL$=x%V^?7`|!9q1#yV)3@wyUi; zQwxVpJNbE$e--~`4+9#KN#>{hOMDgx3^Yc6N4aQiMa|Fq(Z}b2AozwmX~YDb8X=%& zU!PIedOWUBjUajrP{17^jhi^gWDD5=?j@8QK=`^FcoiZS^4TSDy>ynG<=uZ8Z5LBd zBOu|S7ZG0s=*A>Y(j;^P)mb8#l5~c0dCM0dt?OA6MRqz=y{Mz0r0oUys%8$&89pub znUK&nYQJlMpGE0V6~$WQA#Vu7H16U{AgzDs=zY*h$`mEF?>}3j$!_`nYiVO7YsP&z z(Fe8_`U&O|V;y7IMvO?NPJYwc+Y%UcqzNcu1I~~2PTU*@?6C$AZcOY)#t)olijxko zk`>rN_VtF(l@Sn5i>4G!+J{qI1Q9)aPgM5!)Ct7sZoyWtbC+#p-JB_YF?8(v1U4|? 
zBXmzB2#UXyuT53Hh@u_B$rT?uEz<^hw&RTy7_-3Wk1g${?ovRu_;T7oz@BfuXfL%eGH z@L|QHXV|dt_vxIDkbTMI3U_W=8+H%YT?MN-YsDpiC=J+`}!O^gkskt>;2IS>Q3=M`F zft0L`ZOS6;sp%@by&ZC-ftTc7TIRCcq2CNS#5Vl4>SQTc=&-kIKwsSHL-D55+wFt| zZ}g3?Uh|1_;(-uRef=+~049ibB>c2c>t|=wE?4RrI5W+~bR2sEjyrHtcp;2|FI_=3 zRJ~@C9czMnFn6!aZfKbg?Zq#%J!IHWyQLje>Qh5!bo$byjjDIuBxKh!`-^V5L&`%N zR)&4Nw8@iwKVv~6sQu6#7ps45&A6);QfuL4iq7Nc?F_LTu~HNsqA6{}yh91)aIGt- zOsG)sr8oAB5p({c-F?GnUY8c6G&X`d&oPQ+97-slDt4gP5z?Meky8`t%spacx0$Nc z0cNB;Fh5!W)$_oSpK}k|CZr#@`w%B_Lr3?-CA%Am9zFmtO`wJle)HzcnwZb;H<*yp zB9-Pa8SmJ4pl~rzhcJ27O@l;r>gr6_NPoQltVaGBhrjJ7`ZpY3X0gg}2flE1$fG4> zRCUg&Vglzt zBYBEhN(TLPGdCj`O*;`PQj>Vl34#A$I(e&6oxH#}2%zHb!B@NnPEv+y%>H5YF1j^z z(gS?1#N4N3&TSrs@S3#Kd;C|V&np1w3%@EYmK&#cZ8^DJ7$GaVOzCi#E8v{)!moD` zcoqC$N11;J`cYeu1`buxVBaU?nL=X_L3;d0jZb_^l?FZv$pOwwu3?8i6uik&T5WbU znU}DmUpc7v>6f$z;r3ymK9zDv9ufJ{@di4dsgK&4)9U*Mu0=o@>L^`(v0ds$+Q5W% zvE$rM&j**n3}v^rg-lH1ViG3H08lVBhff{fE2Lp&F(APaQPaF?7oA8foSS2y+*K}NO zQT7P^nap5(l?({W?vnudX>rqb0JA{iR2+e*v09|H>noK$)ZdU5REt~~j}!x>th`bff( zyj%9`r{#c!-;lLZjR}V_VDnrBUEh8{*$uqiC^1 z0G;4HG_Qf`bR2#%%jA>ZG=rj&33t-iVLRu6&FW0 z-jeaDCz~>JXk>t8r@jnRkWm{pE3L635VV-AC}~JvS6HP?yrL=nO8$uG%s2f;1H!DZ zIg_5i%VV+)1dGAHv}YT$xLdNm{4{oB48<_a0@C&>^%^Rm!`h98v&{^9cS=tM36obj zHQd9(HR}Z$oiPUr*8=e%`|TaL3=1mFc_%^Ik4rzs*bTF5>GMni)HBI0Hp+nT%1P4* z7Z-r)ueY+-KYtj4wC+IpkLUTGfK)Nl6)lNHylxh4&?8P<>=%s0zih|AJ93&sTEvUu z|DEY)`|>$9u<3n4Y-`|j#@jds?ZVuhw97^v>Lb)&%`<9;kVvs>S{GK57*Uueq5!_L?_3j z1DEoof|4_cJL^`h1M7wpm?jaaFTvK{3dNCuDf78=3h6$}A!H)(AB-W zMf*QV(s125H^32vg1XU;5(!>*hRraQ*odMu2XNe9dN{}V;7`Pn&Eo>Kn8B_o|6`@= z{C+u4{L?D}rl(%xaq0L863z>~v?4oM=f!e>{YUbg3^~C4a}taM&Xv>yb|R1EB)|j_ zuuZ_h&W=7_HvtI*Qmn^fS$v2&HI@vWjH z^wASPA7f-5=swfSXlFn`vsPU)a7$+>H?~omyu&M)=l24;*#n}N5(6a+>B$9qTFz%h z`Bpp=6E5`;+_|VFDIugNGuuXVnj8FDzcYB&=FiLnZB@}saXK$U2D(=fmC$^`F0tlJ z4T8w|M!jwJKtrPqwzbGz^mG0^J{sJdWfRXJHUu4S@x$5?#Nnjdpd4Iu{fs|R{2O2@ z!4KzKRTHu2to)r*6G>noiL%3MddI9I_41Se?&4-x*cg{tZjIUq7x+81>C%QIZ&2Z| 
zZ$925XTY$0&56gYRH=V;kM?ixP3_1n4qE_h*16C&hXhp3fF2$Jwe_CRM#0FH*))Ww zkA))#sBDU8-#Tz^jS1+jAf7ZaX>iDA9_`jZ7_7*8;(X9&pwLxXc0%i!;r4Nb7{|Xd zWfQaNb~6V;7!d=MT^7WS2LPuVSD#M?;tOI2+Ja}UJLRZDB+}_Z+?z7qStJz~NXXx2 z!#`z@?5cEL8Airb1Cc{w)^B)KfBg6FE~jSlXi_YunM)?j^bvZWkvAL#49uS-(=GfP zCX31E9!xnHC|&7|Z@W$CGNfYEJk23lEP_x8Wwot}H%5$Mix}d*MzQhPab>bdilvfU z&lqz^%LuKNh8s<|m;lYzb71KMvxTIe9#puz&C`h!ZR-DoK`PeGZ`bL+yOyxvXJUiT z?(09@RPMPya`XRSNvqx$|>1zgP)MQ12bb%i(-zR*BMk;$5YbDdXsm?J$ zUMP#?{J0{LW|E~Q@6N%9#iPsv86TlUtMJ%H<)}Rd4QaPNP+FhqzwW9jm=b(jx>G~m zq38ZA%T3TWxJl}r4Hcil4>}U_ke%R!cVqnBn$74PnNOv$R3%SH+s{$H;0RsYMZ5lz zgbVKSn_aDQG7MtfsFwM0vs)13JmdH4Krd?i6ImS^;4$V2b6iXsC*3c5M~+Rzgv6SbMAMjaW0x$LeH>1 z0fF|Mm}q2>>xmyBga-KDdpf6z^FaSUVogEjPu4Dw&If?y-eP9^5s`78S<)|9Q9tC8 z_cNM>P<9<^E;yG-p{<1ugLqhEDY1-L@CvxYo}V;7Tz zsqev}Qp_P1@B{$UDT2VtgnGD;#vdk*AM@{d^rY$t*u^`_P?hR_^ zP}1)z=VBq;(EcNF|;$|yo>(#d9uG~jvMkmU8_dIEv(#f&m ziN4P&+t}#qtO>K!URF$YvW|TLSPB!kREI5qKB&NOr3Xwui%BLf>Jbd1gtWJ$apOAX z7CgDNB&rcp2~QgbneNrAo_Q51$Wb~}M*&h$YPO?vqePU9mgf#pkiP&0?q{XK zRj)eq1z5x2?Nkqc?@Z|@86`mNfL*9ahK8M=wP6aU6!<`bG)};gb{ZjvUM98`fxPhv zpVG;I8$_x$2uTSyx!@%9p2uwUV+L&Vf8sMXY}UwU;=A$o4=2{odJuxfs?FM`(H7Ei zwc6F={kwQYVNV})0#Bz+ws1t@}Pn?O)NuaX%8XEH|s z!{Umn98v?0K0!T`dmKDDQ%!n4yHHMO<*TV2dEwWqa;&^Pp}zu0KOyH#8;*Ux-ITZo zRWRY$E@By}t=khiV09Jj#7qp22tx9{1Y{4!SZTg$O)e=i>P|fpYPG^y!DUQr7a@ou zrsp27=XSoXO~^ z_6~04t3ue0zP$DU$RBO=z50?9f+X^1~ zbC7N`gr$l@T1Kj|RIQ}WX7RZ)P@anne2H;m$o+NfE2K4FEDGZ)K+V)58sYfU&imXP!2eE!+TbS+G_tKKvk zY9~JwFuLNS)2%ad_h!B;?lvOcRVd*dnqD~=t&@c03fT>yJ&D=z^w z1Ht^7IAs5?%u|=ulG2q~dzZ_)jcoCU3iZf~eioF2{Oic>O(Pn)DB`8qz)dN@E6&r}O zyg54f(C6n?O@fs??D6OR0|^m{&xoblc$AQNnV{Sj4?9ZB-RGY@+w4Aeo2b->!5!#l%_%86LvQDa-#}KiyjS*Ghei znv1@7;R#v^abnzGM}GGoV1M#V)mt*coi#$9Rn*-mbE0)fPm89+g55jzhF1ekE!-r> zjEjjkTb{mOmUY1J-N4BexA26%s2i+x+lC#WIs;>!6i27qR zch$~v`7UTK0f`EUan+sjiC(fdI?=bz(vi60_6OYsHZEDHla6T<$OjSyTA~-%%+Tk_11;OT~`I}S0 zwdfMhP`j+mW#vXirZ%L)2{r(!J12|jm2oR~HxEg6sQ&~lK7*(ru7lmjo;D4fbv4pP zfWZuygmM%Vz4}*tmL#IjW1yG28>Kyh0{hl5OOTH-><%c&!6rKb& 
zFSg8MB#L+&LHCLHDD|j%BPvO%+J)xY%61QDnx(cdl_)Pu!LwY_i4cHkMuR$_euUb4 zWHVD5=rgNhqF3bv8XK7xZK>)Ju!-0&5FfM3d32li8Tx7zvLqH6FelD`GtO?@Kb#x@ zW~|HlDaxq^8=;3ELTN6Cm8_vZIov#}OS!rka~XtnA=4O@eYLv|h;5B`qzClvh=WtV zO!TMc3_!Kb!3ZTSFi#={A!w5p?8PL(7RoPH{M1Gh-N=Q)nsvL8jw&@sd3Tm}sDa28 zp4YVzR~2!{H%U-5-hr5qsyFm3BclI zg{j|at=G4i{Q+erYhTvdu5Nmts12)wx5+Z;>H=-x>vq7=*U%~ zHnu^a*;q%Z9y<60XKYbCMBU6kDjq}MUOP}X#U_4`9?tyvOL_A&13y9^Ux69X^;qZB zUXPnGiV7Y5HY8X!TmN*Bail=yrOQcpYnYo1_yqh|zHs&017fFbnyC z07%Y4m6qJSZKiXwktc(I%4UyB{zG}^K;4SL!B!5R71mzidkj&Bo+asq@&yMkZX|*9 z*q(hy&i-L!Efoj6SR>!9pBbgo0BhE)bA}7iU?Q>;_ie*UoceyjdVn>Bb-oqv(f?l1 zk96r5L}>7X1C`YJVR_3291!(V5xw5#r` zz9g@YH;}n*h6he8FweG}1*Z%oY7H`0iSVQXcm*&t`oj0-mVkbAeY?Gcc}J>9y;t-K zq5&rsm-<2=1_)LHZ{6z=$EbseQ~c;U3)P5qsYL*9_6T%#pfGg{LETX$Oe4jZZN9B@ z^PCJt#mfkaB#gq*jnM$RKC*1}q3B_8&CZ$FdM1Ex4w$u)90}{ zo+md`gz;q21=mPpNU-?Vyxz_w@NraI*`Pk~n-R}hR^wm|M{KCx^5k8nLd!z}av}*X82Pv; z1}0w0f1I?3b~_J09)$?86W&h60zJa~I|51ghpWf0#`l=`V#y^z94qE;eKUZT9g4Q4zgY5_fUKnnX&*>|sB_g3Qq*c5#0 zAeQH)0pMsMcnRr-DOr*MZ9dia(!(*@#M7>5vV!5fAbKj8IdYb*AX66NinJA8onS)H z-F8_-KC;;j{6d)@+C1sy;_HUuVQTAPlbHk?URx7Fg^R~}i)c*mKIjzWTXc!#sW#($ z*4U*?i1;c~>Pg!ohotMIY%F#}W4^;3>TT0L?XxetCnAxtG$5qU5ZtbF>uO&=HhL`0G8|sq+iPwzgYcMGQ-LKqIOkEfU3sqL zvCJe;8wd@)yK`2VL}XFkXZ3Klr+Guo1#hAIhu` z(CQ7!vVKnegPn!plW}DJnX^h{K8{w~) zWxf>=PFai?P!}Df22-yiXD~4vr_X1)jAk>iOT#Fh*R0IG3>&abgo#ZGFnHPKW4uOe@{j_dI%ok5 z4d6S7jZlVwr%XAF84?&9M`v$Yo$p7&cin>B3A4lVQF>I_faZT#Im9iWu_tHuauc!j z+MJ8un%ahVy3AU<+-c;%o|?VtyfFdFGM_+s`n;+v3w;&Ej&;z}b+SRA%jtN7X7GyQ zwe(u7b0ncMl`qkgfyBqFwCMPw3am$?wz(~sl*gzN}W_Hcq;A38gpdW0s z@CguCLP|ZtxLg%uZjW=Rz>OtLPWV@thkN~D9;qAdv`p5Tsb$tUIeoSm)2XUO;jpSO z7q3ME8E1?@3(YUwkl-k0=C24jVrHeJ(w8-xp#st8fRto=_hw*Ata5Z<-2h}z!s+fU z)nvVI#vlU;qmIk9hT5!_+v6a7Vhk3|OTM|o2p~dxP+(l4`w_qlJku8@nTKRVZnIG6 z+SB&A*=sLP8YmSB_$YhtBTW!6y6ar8J8q9%ybe}P)Z5gA*>5yWrqR1>=dl4XEZZ)z z!xhbuofn{)Xg5b~S8(%%ggVnvhuL6LHC3dcdF#4#5CN&{Pjy_MY;`WJ;3+)TpTmY$ zbKZ-Y<_x^D(I4FbZVFG$Il-S)p4t^7`Q8WM+5L-(90D$H$jh1JiAL 
zB9oPqsZYrc$zg?jq%jP=Dz|@y60GoLORVog;33s;09#GK=mpGAOuB*wEosNnDx88b zu`x?Gam-6p-Xp7V`(J!+M%jri1BVJcgf}E3i#HQW{FZeBB1%A+4TRP~ZJuqEpB-Rr z@)T;S$xTN+%=!qHVVAHoglbT7 zks8`fY80-%WrH)2Uo9z*Xj3xMCxx80p$Yw-!iF$zQLgBstSoM_!zTN*M9VEwM%>=J zN;%QKr6kKhW-FIj2bxctI@MXbP0VeIICO5<+Y`jdUfFJgG z)7d1dU2uNl0IRy#raK*)WS&(|II%fw?N#4S^eC5?ve5qVv? ztIMakg5ZK~bz*7N*Ev$HiO z{2J{@8KinXMg+@K>L8?0b=Oa}0M5}CXa?u%O}1wQ-uy=R;OGONyU(Ht7&boaPxCte zI_}AK`q7Fhm(x~2nlZ|N0*#vwet$*|D7Ty<)tT_j(OcO|iwuuX;kJJ%WQBpcB|Ptg zvgD@Av<`zro88oCH@!CzI~rZNP(r`(mcq4QLBoRw3veZPj{tnKAScs!_PF2d5yCb4vhAZE-X4;bqMXhe=R0>1@2xs9@ zN3l7iCl%^C02UVc6aBZbnB^(Zm7(hgYOl`Q;66>dH-`~3MR=9IUxK$k2Nm!)%03m$ zo&l_bVrIQ`!F4)C=JYTv>wJ}T<><9a;!yfBxVkLnIAh_S(&^j{Pg##kiPY+BJcxY00 zXH09U$227LoAUV`eP~ZMk7g8ZNgH6bEt`>jrWZnBLBNm!hQWbBT2M3{!)*mV3LEjo zGK(|bs?hPa(Hn+z+Q@ot=&l`q$Mj$JLL0{s4-ZG=*W(tQTlzu>H{=|+=@EeSsKB0H zQYDVfXg2axc)6;CG2tVgZMr0_i`{ z2A>~2>z#8tf|(+aSn#CM*^x9@?nAX?joF@VEqjSMakv%zRs=5Rnc$aJceMT5>msN33+C9&+tj^m$M<{dKSWafwzV|}c3x@KiP`b%hk zk@}79u{azfyaAcj{TYhJ;aIQC_9M=+q`kdWEcB3mtWupH_eq$-tuhvWRpT}JG|(Dq zAp-!J7x<7JvTSz}bjs3cwdr;Ji~QfrH;0JN2GVBrV3xE(!!{OaHe8UFw2u#FKBYqV zX}&Y3(jh0&<^jJ|Z4dC*t?>hz;%x-$03~R}UN{iLRhWM}k=b^F`_)3Up$ryBP(b(P z@b%6PVc&N30d{U}r=y71$q)F1_5Bng8X)J+e8pucQ6o4+G*v`seJxT4gO9_0WBzlo z0Ok@jeZ~|O^t@Hh?y)V%xQh-3_q;>e@h5Kt_mLfJYnC@+KC$(R=IabhMkT~2+xo9v zi{>fT`<+<$c?QSEOM6`YQsaE9t7UQPZ*!}R+{zj1@B;8J?ZL%0%K&nw#GHp`iMuR= zHCTf5O8wd_JwiM8-rWK=w+E5|xt^oim=e{T+IeMSb{nET!5kw_JiBIH;)y6tK!QZ=SE`+%|x;5S@ix?hNRsnw!6xo3k);>pO;9={?^J@<>q8e(*7+ZbUpDFbcnYpagI*zaZTG z03vloUGWAn5`F@AqjjFeoOtPcw!oCnG_p|aG@A9-&&Q7#rsD20awck<8WnUG48$&Z z4{=~1#7jFrfI>?b<5+q_-O%(7rjkWED z&D%;A3qQU1z~|Bd3S00=o>%x$RbKr6i?(;mD0GxuOK1nDG``-ZTSPjU1R0uK<9I0p zn^&wte_Cuh97!xb#~EE?LZluWhF^z7{58(>FUz>sb|Ne__BT+-wH*xd(vdY99u%s+ zK&t8zx6P2UnIKF>E)`+sWGcqG)i`KzW`-Z&(v2f1130YNGR}2ReP}+$JUt|wh(H=O zsx;jxXr|U!$@MaSgoG}sr^ku#>2dTJD|dG-{`6?xp+!skteUE4a70Hy!USnDcXI*f zvPwKWKX)2z5EtuFk6d*BrNYa|`Yqq9ZUyD01G3sgS0IS)R zJ0~zMhbVcP*+0^1xn4mJ|0aL*U=Ue<#;7kg1CzB0>CEoSvAq%k07joItVi>KCl!?s 
zL6N)GGrz>{sMa`AnAxmDwfPr989JY?_K7$Vj9C8b*JWPSd)mX)X=~E{ni_7)>TctC_MbBQZvwA9uTqI-1 zbDIR-9o<=gn`a@(lzJzRWEdz4x!Cz{?40(LwMENvmRadBX0ND=X*72V|F<2RruLDy^YI~z$DvwO4sL*&PZAymrZwrRy2pLyT!En`C5qN~ z35Pk!4{|=H9KByJ90Xcx@zlCh6ShsYB`54WLm?z7+F6#$Aw_IlzB8KV!ZM*BVPZ?k zjx>}Nb2Ph)?DesWMvMRT;O4Z<$LC2kZT%T?UEq|L(_r#APM1T~jyn%Nv9CzcBJQcG=w#GTAvh&Q z;Snfu0H+G`YqPy9euK6G>%MvXZ|feia6~Xp5^6d6@5KA-f6R+QC+|}*i1pL&SWvFS zl~{`YRm573$>q`mibCFS57Nb&d7hG|%3osU8272i!ge2iCe+Fst z3C%$l6B&fK2`(!>t%#Mrb#{xTFo8KUWkNv4&p^Z2tN-&O1zXGS-R94oz+?P_m3^z3 z+T=S*#JGyAUp%FVQl`E&xbQLxkPlG8=YAoS0Z&(unibQ9PG`U0OJajMdA@QhXKjrEk=>I1ftAu-LvOp4R~1{<@G*)pXL81W#p}Q z(ze!!1>JFHL+of{(S*-9-wnEU7xM)E^PYm8B}yGpfmR&$VuE{`{Hky5<$u-+ErJcw z+)=U)F>udNwAXMxpiIJ=R&&wRQ|%EQ*re+rLaPaqq8Wab-NE1~T&du#gitz~H}|It zmdpE=eW4M9G%TbBqa(=!{_3;00uaoYv2k0ajTN$TV3#+O2s>+N2s7GU8rIt?y8E?u#dcZDgq3yEb*;P6snk%_-ma!| zA(C+m96h|-X;RC$UmVrRtZSGRuCAX=#~1dG6!W88CmbRf8(M*CI69Wu!7L91i(%`h zgYG=%8K(Kf*uhtZU1!aba;3v);~w0-I?KlbUftvPfCE2L(Pc)7uvhV+`B^f}g4)K@ zwyAEK_YqW`053$-tbYs+OzZ|Rb4@nsLjlSf?qA_r3Kc2mdkyZr3@3!wKDmnoR8CQ` zeU(oK6$I&QESH!QXfezI6RQ_uRj9Wd@ir@M!wQA(~ql@(iq%^Vw2 zQwSvrG}>(ST-%eTQ}ZBney8X0D4*v-0A%u?;aO) zTBr-%+~s1B;LKBwidYqT`EN)fcnlnYo{#YphzeuJPfpRkDd<+Z8du77;#-sTJ=i|% zOFz%K(D(fGcGi_K20ZA+;gA3GK*K=oE{bM2e2w9#wdlEP$*^yEi{-Oq6g!>MtJle& z9Y$v&wvOu6)8w?nrVPpcqN|h%SfL5A9cEMs5t*OgPqBma zoGqyYxC=sUZXG%{h#)yeE7+xhDiON`mX6XQvVl)1Rx86L^+Fz&ZEX@=+eJ1)Z;9DV zpF`CkF(^B&gsy9DN&qPH)F4hcU<`zo_(d`6)S<5YZ**i9AR`%MO;3Z?cav;3ZjSc()y3QML3Z#swY1z(vhV+|e}-M)lG*K9SVbXGsW0A1+T zjV*nJvve3h!#!%+GuQL%tZ)wwPT$HIp@eFEU?-P%L5C}9_j&#puDOR%eu|Mp5OGn7!9UTP10*D&FaA&VuEpGk|W%8BHxnel7dP#$ZlajZt_Ur(=C?yI!qK`E6QENY<-!%P+~+Tz1r zxHLy^0W$by$?K;sAC)zxjU}h-wbcA!p z49Go!pM2DCj@W&H$rCmc61NlgN+5d{pz@|;K;}<4pHKbg@8zi(7X&AjyUK|jj16#B zO&g9K08(=89AHR6^gYfH@B0;om^0tY*L@19=s4r@!9hpKc3PZ*3^R?hhGoFQ6soy# zkl^T&W8mIHi<5=acP&1j?6+}oc);9HL=$-WF80L4I#DHUCkmeZw+)z%Cb@P5uu~r0U?E8fNvLH4cK8VyP>(_8f=huRwQM%KitipjHsrS zmk)kOnx01)d*!1rr6$(B`NCDU$qPp$Kg2ZB9k434f5hPPS(+9(I_NKpnoAhEt}B#! 
zgAjyf>xEy^=vk)~cAQ-usT#f+Tr)`q@jGL{&bSJe>-b@}(VNG5Ty{C$%3p16eB^m{ z!Mc4dSt=&cQ>H&nu4UBBr(}fX=>y2YjcTJZtI z%?Y&o{Yrzit5UAmXp6`9Z$JB+CmDaC*}GV#f_P?*Q61iivf%k&G_W&sYlpfnFMln3 zDh{t#2MP^yAtqo3Akmk^T^%5C`fm;`YEGCEC(%NY z;>u^RudHukJ0O+@_)40HVI4kDO(t87z(r$E(uWgn)+EFdLs-J;Vsy?E={asFWusjO z?MW^udT z=+ZzKP!eo1IficzY_w#*JRt2%45A^T_1$wR-kzy<)=thZRfGT_5&~N3W!l|x#<>Zn zz8XUSYIsBluCGNLV4I=|3p`KKr1pXf*#TnyzU{?#s%AD~H? z9c*GyAbs#41^_d9&)rwUV~_Y7y>IaH8dSA9W)f{nb?nh|yMupvYYe|2b6(q3zPO)E z^Hg(4&!9jryn7g@ctKn0Zh&Soxa>@~9j^os95b?D$!+Zg5u;bP;dc_m(@46Wz@O7h zAl14J+NCJR7Q0ifml6KY?prAWBqL+%eR7-C+$Ub&g|EZPLY=p}s+o>n^05F*mQxs7 z9{9&oz@nY(&0G*hij_tQQ8|q|!!zlK%xfNYAC@AAL4A1+B)GQYTxY+=v+b&OH9*<7UPaw-IX zI0nuj6(Vcrwu313ruPzuo^=D>nNuY1Qq1y$j+90t;=+(tCUEK~bR~E#MAeh4Q$ola zS&5z9}sDnOV8h~y@GEy^JJzeON_A+ys4ZWFOjUtO0Hny2r zUo$S14umSiQlU?ceqdLSpWw^y77sjc6mb6dgd;|ND+oJ(*;8**L9Si*s`pM2aabzo zN%xj<^O_cy@x&QDYxlwsjG(}ChP5pi@T-lJVzLWlWmjinz)A*R!V!{asm%H5o*jm| zs>#$_>Y4wW1Ip^;{or6L=k*%DC6g*2LkKefsPnUS;+O5D(B6cpyr>DXWz=e*te|bA z4M!N@2+9<(WgRhuhF>Rhi6yTi{w@%!42N=Sz`I>0iW7-_NiaY3Qhp8^23KE+J zSopc;k=uqOSRZBS8rxn~Xr6?XGt3SItKyFD6>@{kUest?-j6?BJ}hSL~Fs;1-fAdx5kVO@8#qIDjf8qsZe;zudMP9z5#OG(G^SY7b^ z9?ki2aoewG)NwU_{5Kxa;=dH&|C$U1$-B<&Sc_fL6!vQ%z%F!2edC8GVfKq@GOt|{ zK_)iAP7v`Xp;0C&{=`(pAMyw87X3h^$%E+XCPNeKzjGgVd*!q*L zFS3aM&YuufJ-^NBTi~E`YTt91bVNw~lBk5q#0u zV8f6V+%XuBU#zP7qL`tZj2DLjtaa32JPaWbu)Ct#S62_?<;3><`zf&Z;C8E0*UQvnm6L%rflsf>zsWq=nYejAXcKi`-afZT)E!#M& z8RUmXV@IeMT(Vsyaoe~_p__o(aE$-UJyeILripGT6{+X(B6!VG|C&t3;`HzK?kb^Anq)&;%BngGHR z$K!HlfbYYo6huLpA4{4q@gqSB~jqvJsMQ@UDLr6mm#fF%%= zUUlQiu2A@#(6%d078eDERK=e$BZ)l3;i`&;Yhg-U$N^EJ?9xwU_XpVy>qX@#X)-eZ z%i+90c(B=y$${+h1yKsLxb}{(HJ~*iAG3bERqNvQW&KRM1Q?FGsZ1KVZfz1|hVcTS zaxzh0!U3Qd3BvZn#L4|v=ge28z23J1AgaZ(zc=v2 zwQF3hjo%e?Se~F^(uL@P57`(Gpu8dUW~(D|a;4nJeFEIhr|4?^M(SLem;K2S+#`=h0%JTDk?+)~H{5;XR(;Gkax zg=|@ZSDO@`8hQ=F!74EJH)f^PAh<5h3{ic!Cbc}|#0;tpi=P1Wd)H5M<1-&R=~o1E zB`CplHG?b&G(LKD`>psRAOu82kOzgQFr*-K3T_rt9lF;R3WXd4!3=ub_)6 
zQY)mRVJIV5$?1sON>85zDY5z=Run_&M|1&LjK8H-S&gCxnQOh-hUqsgBaQxJVovx! z$QD);vT16O%4-)`6k6icGjYabq0TI?qO;}z3_)rXfSi_gxaA}^@Qm30p26TDJft`P zp$iD<@Z<4Yn45z3t7(MxGCDrAa5qPT>ir2Ej723}(}Y97kq%rhm_T0I1?4DjKc$UM zQu~W)-hy~zT*n)U(qvQvz;KC~`iK`}_?DNp-O z2}4+cl?D_jiT&V_eu;fo!AzPDMPN%UJ!Kv=A|Q{0e*tuPPj6RJGAJ%i%)4#Jx%Y5P zd$w5PiPX*i6c2tau+wP94nRyZ$@z&K{KiPgN5+VO;;IIaVj_|4l)uU7;tENRQX|8& zXMB(9aq0P@B(p5#+&EG?`EfW(WB)Hf76j56KwPHfDZ5GU-HUu&piB@Jtr|@b8 zG>rx>@7sXT0HRx_ZjtL2nEWI2oLC{m1ClxFY#{|EQWl99A|WGln#sMXS7mnxht~4N z#QY7CA1oZbB-lU?4NUW;gjpWPN%j>v1wi01#3_pkRfd9^ZhFy5EGaG2t(X5l`-*(| zgRa|d6#;gU26d%Nk~%G5v$R11WqT-za<@#NUkn?YKCfZ!ToJ#tR08onV1J`BkwmW} zBlvOU@bITM83{DPLHp{iYd65NoguWypRmUeQ8pL~9yokwC{{4^5#X{9l4#b| zjN!b7avus7IE~wXvt!proa|0h5Qhy?Kwl7*B9vfmRduAHibt*S%)!E|9BjnJ3*1al zvg|UuQaZ6Fu9Na(1Q0cT$Lf0G1l#6w-5FxK5(6X8Ps2AqWhhd-ZBM9!QjkiTyl{}% zt1dY@N+|?R6_7KV_y*THF zceP20(X1pW0fAhBp0X*}h;lEZ2p{;k!rQ+&zg0#i1)O{#I}k1`U6YW_E8NC#6xRQ^ z&vGYl>}JRby)84{@)j18DP2&9ds^`wwLVQLslrhiv%O)|MFwAP%=Z(fz>|gwns&`U zLhf|Rs7w`gMOPlb8~J>n^98OV{u;RRl?n>x+CRJyTQ0cO6TQWUI*4sd)Vz(p7Uc*`Mh z3lilYmr$UAFG7c(Z13&`Q$pd*^&b4#vdZp2abxlJon*$H%AFAC9y_^rzq!i8@n~So zj_hjIJa@(e#j$mEpU|widj2)l|>1q5R3LkbD-P}8r zqe^y9h$jt>mf4TlD^?71LK{QT#4VyAp+_@P3Uo464A@~uI4o!f)fM~COeZ2OX1;Nq z(K$-IPWQ7t^#{a%$idZeS|%1oO*&S+c4^O5R)g*~vB1Rjvfq&M&;JRZWEoS5jB|hIGT6Jd8g`(_DG6cC_Irp67HPL=XU9pgiLDGYi}0dD$paFmll zaa1k#>RjZXKi0nsqD&gk-vdnMjcTQW_+bx$Skvp9Y)E`!StrU*p>CE{i2lq5nISyg z6KgCdvpdFVJPs9<5gXf?(w^>c?5CS!^T)Qm7h_4udRPqu%&>1q{w8HVk9=c{|8O-m zJ#MADyf5XaaZZPk_ILqI-ENle z37+5SOFHjvx?TVzhb~a0&!mkKZ;rF7NC6i2*TCO}mQ{WhOh2X3ttth5EMWAnazo;2 z0=pwPezWj)wD}Cm6GLN!KLmohfwfP5KTB-Qh8F%3h|q>Zjb5I(Zx{`pBwJdjGox!A zf~3UQlZMCmKgBwUW#e%?J5o@U02~wJQMI>fR(xG-#=ulD3h@;7d^eB~^|4wP0hl`{ z+RpDhIw|{(_89Fl1R=FKX6&y7T_WuS*I`+({fyu_hdqp(g2vfa#NTgdsjMbGY$tj# zQ1_&ak~gd$RA{z}oHzbm-X`Ct>i~q+L{NFoud<*!fx2L@?lD@sNisgXFyKnn*sxI> z@>OQ+Gn<_;9;Y++Od2PR0FLamW2_9kLDDKbeVCKs#G^rXQ-cnzw#>rmZybw&W-!_X 
zi8mbaIcA;RDBq4+TafR-b-}7n!7U6*W^nBqA&U_iG3EPtzEn6`1NMs<9Amw5!JoIK$PLPPLdS1$b=%NtFExH$mK(VYdClcJ@SjQK|(`=~01rL7Y-a*I($T zryewiBM309GXokSj@!T^?Mval?Cr)G_AJJlckZ&4xAe!+uxcaeW1VmU2>8)}Ma8+# z{kc)@-l?Yv)QfIqacKJ*ywJrL22NiKxyj3F4^Jb z+X4RI*UU=c2vY`A{T+a(zZr$b#DQ#wl4x2@I&2dGN2-~oAIok>1lV->Ta=qRZfCac zV(-8^9C!**;njDLE5Y_QxiflCyopgQt7zl@>`oE?3`G?%j|#M*1F1=fT^l7jWI#cQ zd^(a93Cgl$#ah(f9c7r~~A z*J)Z-VNBu^7LwM(kX$wudO2bk1+W9F0a48dx^BGcYTccy5QuVw|GyupBNvZqj5CyP z0%rqBX9M=PK%lds@O3T}dgmOZ{L%TX6sJ(l*r*q zMKO4tL!MgiKtWvd5==n2_B5DHMh}i)S5CS25RQ?^2PU+)NdXN*mGLDTS7PX>AxrMF~BC4v|>UjclmC!%jYlh2l9ZaKeFEwbu*yhMv^t^ zv{3^WsmhldY2Iy*u-FFRfy}au$b7a5Z#Esk*XdySfIAasm@4p6U73}fmoY>SCseM` z5DOte4Re&_$6x@@^v1X?WDbcx4Tofa5QlnL|ASr=dadfYWs6f`;YmbFB$=dmuFux$6jx;E1P~XgJq{m?IbY zHl*?t)@qN~2i{=%UR3Ak0eTb#E7^_XIn^~3*j1u=@3e=gCE>58HLYCQ)nJgsnWVxl=S>;02&(e%jT8(?kd-09D>cCw+9R z_&SX)Zr}Ud`BiemTxE{a;_DS|llpzE1>Vd>6d!c+N=drg3XY`{0<(uQ8vnq^_p`p} z0Lp6zi__a=UMevZq@u=YaE_n9ZFXpZ6#}jTrEH9EOy|;;9H+jIRIZO(kS7Aq5 zCPPiTeR;D80#hb7cc3dHdUhsC>|8GXO>i1xE_>w6*7XmXN{5ynhtUNs`MB;ez(6z@ zJm@(5o^KPd8cKgwaAG(f3!F~uM1=R`2sWlgcuD2)v+x&gqZMy}5K)T=A|a_yjhKcB z^VgU&?tSe|sTH4!`qhFxy>)TPwQeZD zHVB1T2cJ1#!8q7nCim|}cUI%PiaT=KsAbfdNZWmdwX<+Iu9ta;#Tb0j+XE z^&1CwT&;M3%pV*`_zEi&0e7bQsB~E#e6d27P9n^Om!6iQ}{4c zvHvWEPN&Yh$+PXdyf2}sqFn16Vnn2pmMc^GA)CM;bxy@;RZgd09sj?93~A+Z6b0Z7 zLaaqpdtZ$&H>lv`RmM)K@U`{tDjLvLx5DubIHk6XJT0PDB-?G*Q_I~V;3M4fw)Eq3 zTp?_@+g%T;UUFowf?YI!*xz`)XXT2e@5=jSD;{E%&;xS^{L*jJLIITh(jKS!78NwUMQ~;lUo{%EsB6kISC&3dc)CwAu6bw_ z%foxC4L@Ju&diyUCPSMQ(KS030AcP}#xHmOy$+)8AK7^dQ)yDTY$GPKQVU~{wds2eVwe?K99$S4$*+#^* zm*rF9Y2gcK3qVrc4bDo)DHzfOYi!QL!>K!l`_RQr+>2K`;P6s*kt4z znx9uo97FlYF&`B#mQsMQbMhaA!FQlS&qAuvA)gz>gm7oganSTl-SIu4a*0MVk$2jD zM3smPF8Dpa4QP6s+A*OamD6ih1V1+lk=|-uoghLlqX824hNYofIFRO7Up&=nPLhPl z=LJ{Q3GS22LT(I=B2sr@)z%D;{w-Q|Hjz9hG!KsYS2f7qX{R3J=rTDktLL6SL4*YC zX}O9MztyB%0Fz1L#Dqlf%z}X!k>!k4OwkKFP9`ylrML8bvtxs2YfDrcUzhH;ePEKl z8NsKstQeC-oZ1o5gSlt-(MbAor(jjNaD)2q67?h_ z&K)qSybS~hqUtFIaGA1_Ee#-|^hpNbl2Qd*3eZSyzBU>+7qx9!05SP6vhq|V 
zjEhR&f82yK$a3D>GQt)xRROwpPmgci!T_sWu89)8!(At16hGOlp<#NTX2eO+cpu_+ zUN@(oc$Xf^_sHE#u=zpue&jX>^X7NE))!m+Czgax+PdI3CtQO_d#85|Uv=Trx)Qfo z@BcCCzp?lKd3pvHOlYdyNAOE;;wiM7UU-eEwpGgD?R*KM9-W1USn@kGxB@_g2^(1T z0MoRMAfzRr!w-B~e7RVRr5*|_jLd68yz7gn2uGdSq>@2!I{xgNqeRmW|0q&>&aq0g zkimqt2R9gl)7E9Wf<=jIa-a<6Dc-blbcECXYEb~fM6=}y(W%v`Eu-DqV+zVzkKn1R zjE+|U^$9beP;LA=|8XM_fNn(fkK~19x)@ws1 znMp9Pfaac#mr{ZARUllK$sJmfOVS~p-e%>&&9GGNHcN14bb{w)5PT8o2rM@(CC?7ispmM1+vd zV*O8=?}!0wIwcf~0Wv;(H@Pjoo>d2qiY|SAHB9*~?xt;r@cS zkDOg*@H`xZk7#BS%4o^)6dNAcJdhBIoCXCg^Dzr*o?7DL$wU+U^3FtuoRqA zr^{*O(|iY(7qGKF`(PKOuo?^++n`JzYIuw)(|dJMrbC6Coz8lnN6p+X>si!i^d2!H zk8@da5B4d%3_BWMdhq!i?&y>|&ssh{nbIOvIQo*!+cdKt zvO`!@Y89`-MJfC;qg`KxI;B``HSx3&vvzE78=z+kZgA0`O85>hiq!f0>2q57-p;(D z;iibN0mtc2TAkgvc<=b1GdBa<6q0IUSbtBE1McT*tT{u-2QqR}VNz8HG(#`=nv84r zaEE_*U~aQAmaV{PVmGG&)WH~;s9={9J8pW=k7=2m$=s0$8O~EOBY4a)l~yoo(;$KQk)Lwrbej?wmi=XzT!ikE7V?vic^|YfU_TA zjx=Pk4%Ky1rY)z}6efBuGHqV_T$1PR#h6I+NErf3f0!&F98*M%ZDO9-?5x{k#=U;T z`863QmH`P7$ka8{QWL}SU@81}9>2&n({)BA!fYuUZmk}90k}#n=4I8wgJTT~r?6RG zl%_v!6e;s$%jB7nXgWg`MdUjFpb2nN_}T>@Md7so@DH*Ut*p4P(U;>5jxdqW$(GUS z{#Nerz?5Nrn(jk_JroXkbtA{Q-N(s@!Z+1teU_|zB1L=v5u2y;?)F!MRoJ5*j_ldB zGNOgKR;6?K1(Ef!9yvRrt}&1s+k>!N);(Xzw@A3Rxf-Ql*@=8e#7B;8FUb0R?lmDU zUqg5ui-6@KL``?Ut08n4Lep^&8B$m~=CnzHu^h3Lbh;~EqHRKHanrc5F3iWP;ALIC zjL2_;!HyHb2daY}rrZkEwaJz$la1xOZa*mo0CE24w13Nle3{;;>BjZbZnJ|Wg@lIJ zs!$3esNBt?Ty9oD9iM9GX^h1AvomHJ-pRJ-uLC))R?jVH8B4Wh@qMTQtB`K8^7^A4 z`Q#Ok`!R|t)p9yaEn!xTDF;}is&JFB#wZvd*y!oLJXlg3fQrVzbJnCTl^D~T`&QtR zPWIV6I}F^!a&75RCbJa1y>|^zlMsfG)05XBy52WslAigUZAzt99p;kVmR=mRp;0S3 z9g$CFjc6F;PRy$GEm>aRFfMI-q3#cM)y*>vDJkw7a*$RGLZ|^VW^T7w$!mtSy{@Lr>{-nJWorls zm<&g5!%!fdGmpw7X--D|V5|lK_c@MiNFfhjE4{5ZnRleFG?Q!-#5 zkD)smzenLvR^j6jM*nh1M`s{QwtlubgZ=;@@rs4Hl*cC*i4x#=>0wOZ*a!7aWMZ|Z zJ=0#oOOU}XL`rG*QAMcwp3!Xh|FrgkAeaEj`e2c)H)hH`KSnm1fc04B*c+uh=`r7h zDbjzR<^uaJX(&0CwNc&GegZ{KT39q*n}A!$Q2{nrZ>hW^OS+p_!L&!N3c1Kq-u?in zeVow07DL2v3HFwCJyy3mYtMMVis+UKs1Npn3<$w-P5}kZt}d 
zDhTJ8N5rDNIKo%wH*UNbmY91Q4_Ct+bi4>zyT`&+zj~*uirpFfzjOgsZN&;S@f8?^+JaFLMsKK@@jZE(if(uG13I^ zfeFL5kD$iqX{AT)RLwS4jnHBY;VrnEV!tQeBLMLkdZE-nct%`22VRNy4_3&VtuGd4 zaQu<|eueN_ni}r_@{yO6=U#$j*K(R#%mJtNmf@zMh#X@~v_k=LkeRXf3Q?Q<4m8UL z)N0_uCQl?`9#J4TR^TN{O?IFqSaq`TXqQ{bpi4zVGe%-ONNIii@nhQneEO5Gt4j$6 zS5atYM?Ej1tD!!}!u3DYxyG{%Qz?!Sw=y*oSL^lw-@aux+&liZszY;HtK-36f=cId z*=evr(AOZ8k8zx#>4XE$1ys|@hc|Bb?ZT*KNbbTureJYg!5Jd3dOzMRMtZxKI>OIx zV0z7ODeAcLUg5C~K&cd%o<3Ebj0E7HQc_<=%BQqGgVcY;Iyo%sMX}HQB20h*VAS7j z1o2BeOhmBgawnX5+)?+Cg^QKwiHeD+I|$7djH=>*<_HVZq%6e(XWmHGP;hNY;>G8Q z;TcI+akC9L;OVw8SuZ?Cx4RO})|C`i2MFgxB)U!Lx-IxwX76-p8M&0~B2sfQk`aWS z&iN*o#+f$D-L!!_Z3^Zr$e9bU&KseLOJcqcH*f`%9irT^F_KMDo4f0nM)BOv$Y>N} zWt_RU-~aS6*f+cxd9d0s>Cu` zaDajCwN)fsHo*?<;nVVU5wYsyfD2j$a_o)^u=F#aY!GC_W(wOW7fWgZ1xUR|l`h+U z+C8Oy^v#ltPZSEAq%{QZ0maRJim?V@W``1bJ#KYXj>V2Wt?g!u&rL-0E>gir?D)m0 zE-7FvkxqAJu}}x@Fjt+D9PCw!+q0!B|Ms=%O!2Antg5)Hx?)V0qN#H|P8z~Ou?L^$15^rG3Mu;u_OweyE zR0&yxb@7wb@5F|)Q=F?7&8`L0qq@bI(b78m3xhby2aEC6BN80$JT6Y;>{)-GXlLPc zO;Sd79^<=x+C(#Ba|{mcHsh-!SWjH@ZtHjAKTUI33rsr^Z}y~4o@L=K3|lEjiZ0Eh zuXc_!S@r=pnkZyMQ4}|lzNJ;E2z9EGP=d(SB=|Z2LC>%`vp+TnNO|ghmTw-gEA%ws z^6P`k=57Z&hS#;kA-uL;GM+$dxPU%x{;Dz+%4e(qFdtNTwG{jUd_HyxjU>Y5~hRS|?fZORcS{79>??y&8%#m~2 z_>yU?iJVvOeFs+aZBnXQparaR(Bp|p>eh#R#(f_5A@}}?VmVP%hVUDUreaFqbN@3Q zkP4bh$5<@;SY;kD@)NF@8@2y%{}PrDD_D!HI$|i9%N{pUD+$2*rY5HB+i77QiyOEV z0%1WgiNOQH{AuyzuN?C+Edb*y({>V7lII~k8=`n1BckU%GZ;4;II%4$BXO-Zz(Kvt((ASphz200B^HjRs(L% z8YX*c&i!zK)`Vr+>&meuD2fo?ef3eVqytS7V1#<0+$$a#UVolC`7=M_8wxX z_koK3w7Kqn!YX>W~OM;0^G$N)ka&$r$715VniudF_rS59?T--i)Rfh(iSi zW@A}+HjuEKS=kdPw8!#8LM5_WQ3kTHIs~p-@eb9U2Qvi!IhL!p_!!o{dWocq$A~^- zCSH8GU-qy}AwM_u(J1pBWE$|*3Hcy8S)a7gVY>l@5QOUjA1sZDr*6Q_HB?a}hZu|~ z1+4JkOK`6u9$E%FzhKlZbBEzv*E2qix1zEO6|{6kD|M{mu($;{P%=7;t`pi;Fv5!( zu+;hzby+HFIgr4ukfKRA2W~={n8HMxZ!sc?G>ngHjo0S^&dKKT@(*T8*u0+}`Nhg2 zvUY+z;t*a;Rqfj`azl>}#_zGFBbXAYTtdQMSGSjhnB(34v#E=?ETSulaW(=zpyw=% zx=y*Ik&0!Dd5u6aZic%b8D-PxGb#WEF@E&=ptC}bPkRNx4sT)kgo;QcRe~b41i6kd 
zJK^$D$*{EpjRO~yQH$^}bh80enlAuqriO%^W?g0Dln_1Z2R1t-shmW9C*Y}!m{?l= zt4%x`=MBid#qR!ae$FNu-lN=jTEe#q?kn!VGJR<-`#LZibLd>?_ zITW1Ye=^Epc>amLIF=t`(i?vjx7HON9OA#o4g@2>(EbVia4>HmXSNbIhGCi&UO~V) zekZFGhUcH?k9#?VxMBQ_ZOB`&lzZ3t|9bmIoTqU9+4Lib57N~Ww&ALa(CO4i-2+fK z;SVpg^Y%;+A9KUH{W1AK#(q-`h7prt?S4TC;1^eE%J8OvpdcX=VWTMf*_n3d)_X1> z`I}g6=n6m##?ErPRCpuLu=DSU^IKYw1FHM5RgJB#yqtHfvREi4A{Rpk6KznY)3$Lw z{>e{_NKFN&(yntXWI$j3eUxb}hDJuxU3hj>z|jT_nY=g!xYkUR`SC8Nj)KOh__nAg`lmoQ`>CQdv z72e^y)Cd z3*U3yt*h#YD-~v!OJV%MU6cj@!8DC-td6EIE*WDRLj`6c&mx+JQMG9B73g=V0k9n4 zK~^+O&i^O1`azoH673ag#oG3id@ZS5$iU37;}{tOvm7$~k{ii51y^bc43Wdh%ur*w zB{IAy>GmO$3bxIGU1v7&v{W8+CkzxqFQ%~TWr)>Ck#MNS$c?}4>cT<0mt$~(6hBjt zWgv~lis94f;8v`dh@cAChFr|7XKQ+41;QWTN+$_oYv3!F1V}-8@>hMP!C}SGKj)h? z6mrqpl$*rh24qBZ7?{3>ePY>|2JZuBV3q^IIGe1w6oXHVnwi!*xSoi*(&!ds?==tj zN9FfoyWtKlJX?~_p2;lO`*WyF)KL$b_hm4Ull#LLKB_msz;9%`$Sam=TsKDk+@;pD z4jVRAQyXLFvIl613A7z=P{i2w_e8Qs(`!g=e41v!V`L`eD|cMXm>n z2i?zPT*|0%2nI6i*rC1nMl(!#=0*L1VhpAu%yjIV+ zlF>{rtvO`}SdcD!2GyJsE0hr^uU^rMC2)BFFopOw*{$Vi(u7TUx`GtdS>b$wllK-e z4UiSHd}?2H2m97j3Mimj|LEAp6y(?#Odr~Q9I4Orl7>A@G3jPj3NHvP#^@QR%P16c z63d#_P;VJ;)^>G~4>!icQpa2gE^LES zk%{wRuDYc6U{bERHMNRTpnBBrN)W16)2x<)23iQ)nI>r`#Iv@f6nnaNtH=18^2Pwk z=-t%CIAF(0=8q5ApgwX7Cxha_O3G40Nc0Q5tZPmR7QF6^m!$&ngIcqeRPxQJP{u z(d>CD-u`dT7{fkYrHy>7j8+`_AEs2CmhccN) z&NT4hbb^4ILm7d5K6B_a&^dhr+qQO3#;gD7PyDsmrBI3f2*&Ra19e}+0>BHm}qGPX&q9;5*tFFe~&M-={c4` z*)wA<3KM}n`KUW4r2hm%L#XGV1gMeJ43LU~lJXm)kZ(jb{#Z!->>B zwDZQo`$f+`Vbh=q8Z~Ct={mR%P2{%20yX|UA>0Zo7>ayaR}-8OLJ#CLjiL{NA9v(g zm&{HtY3p(T0Twyo4|zVz1lp7}vu4z%?x)p2)bP8B!e0I{-%NPbsDuIsMn1{6$5vQ< zLjj12JOhMHb~n9h2yHm#o#HGDdGP2gJj(+xgRg-F6Qjx`oQs zGS7V<&*QCk=$KrQRehWB*Gej|=f?n~uqjDhMQ52q&w{ zM*n9g!=47z^zWA!268pGZdT^LXfo;tIo>puRA%juAsiD$;vte@K zt_E7jDtaxS45lkw&Q3Xzznf+G+LYfB0Ns?|`$I)bmwV@EY2L^9{e0dX2%Q5~4yVbu zPii58+^&_vBP%l5dywjo+tKt(DW`{fnLw9o~f#X>Kc5PgijzN{6<`}n4MCdDf{F#_!;D z8uyAoPFmpjj=pe4MvibTAg@N;#p{u`^MQ8S(mk5phV#}FOUO^$2ysl=ICB=1(D*cu 
zJjZd7OmXn(hBr{F1xSkBuEQ2;clfZSXo#)4u}7Rf&@YGL4!rnsl)ErcmIG-aAbTNnMB;>|Aq5tPAm%i=dM2rHL{fl|oGZj+kd6QUj`M9`;8H={1NxJMEX% z*{Y00D3!)6z+Yh{u(^tW-@~f&#v->qjD7}UTG(XBao$KZk}R$s=UF%N;e0YQRe9JU z3}v)j$#8nHtQ8dzBwuk16T%^~RmFv@T8LpXWrzpoL*z+fDM+%Fc8M{E9lbSVTK0{mPoM@A)dnD;Z6m0oE(DoXDgVpu3JC6 zph--mR(HJ}ELg^=>0B^d7kQ+sH;p$rm9@mP+i0s4pr$y9%>>CPEYHT?oH86kVd1BJ zbGUf!k7FPR-)1`4FFsM`xjY!X{I{<3=?dRIIR)hSO|pRg z2$j+ue;|wcaYH4Q7!K@>Znd-8rrvli-oCSMX~9e8ioQ@G9~KTd`;P8N6$^V6M8{S+ zXV}Yv+?<0}l6-z_Jdt2jSKdiV5i_H6FmdFB?>qJyX?M)w#w7=?5DLayEdd0xd&zvCd z5mXTe+c*II$%%kQvZoE`gNTMb+xp;j)Rold<=kUoOvlY<2zj`=5fe+7mUG??Y^dVo^jjnWJ*}a{GgW&?Ep~A0c^v*DDv5Mh?g0q@Dyeq=1P0~r(M*`aGfw6@Ysd%YT(gV`V~uZp&C zd+J2#7ZtQJ&+bqxDxN2po_P}M0s8kh&L!j<4i-1wl&U4y0H69YU41T17yi5~YvWqL z{TnxAM2u3aiZU}9nftFjeyY@83}RCsP^dI^$?sESDt zL6Vo{t(Z4PyIDao_@;AZG>E{?gm+`bp0(KwW^P&$95z^LJvrp6ieB{S#m3QOu{^H& zKA4Sg`5t8rq8u4|a6B@Bst_5HNi@|;mYT&G(^YinyRMmF&ixc?Lf*5c@6X2<4>oDJdNPUMtQx*T3W#XFeP`=(&x-&#HIzM|I2WhW54G}@Q6J{&dzUB_mny?$Kb zaEy*^ZmT>th6P4pBJ1Lksa%L1d*m*LZhCn5Of?>7e&z=oppP-lFpU3lLq1z`6B z0b7e=4<7YuW>$ZgSDcu`myO4!3QfWS09lgv+N3_DW%S6gFp(d<$z?B2am03I=H~hS zi@^Jm){EW`hq!?ZDBE1smz(m6;P)dhQj>=%sL0l%h53Yf^-|aZfKpuDCB;~UGPwfy zD$|XH3HH@38E(p0{Kyo`WEf(ehiLI`dhXFKI)}aEfEnN2x0n+ohS|8+(LS{OGpE^XtCOf+8iO%#(Ec#?{MH;$m|Dt&+H~aT;Uw}ug`Akll`HPCCi%{ySg8@#o#IF zwR?VSU>bq+obu0#2pBV+iLMI6hq~J3P_S9~v|dU;*Ne za3ruwu*$ykS$yWC5*E7ICSug9`A%x7Hum83DK-aGhDWU7?d~^NA`QH*N~T29li}t|oO? 
zY!OcEG(?ZYC)mladCHtZjcePkREY1(sup$sfxZsFJWT-&I2ZB>n4n9?zaGt6C6wvF zF>hr#6m60e3IWSkjsXzxqsA_=j#={Ju_7~WaViI=s1R<|J8 zUQkSa`^lw=n~J@7-H(P;QE91gz#H-JuP9I8rxwRk9zt4K8N|E002SQ*Q`}6>44p}& z3~LsHMpJopPDG!k{gxsQgy!vK0T?#BN0|QBf+KHJgr{xp98~;_Og6M3+cE<*=CSf7 z20USmZCTT8HlM&+S|d65*UVRJQ%Vs%@Dw;Yd8|w<-VPt<_KpnaiR;6~Mau$}JD<9M zTRZcw9rD~w;&~%?tOhw2gW7bat&0r9JNlK%N~XNkCrkh5$AyMD!Dm8m%;O6=;_j0t1{-SH&xacNVJ8$%TL%)fy*5uK6M`!YiomH**lC@I~zBIoA)l{dfoy>EH{H5C2>i z-w8Cj&`pOn_y#u*bYMpfYX8eLH1(_NHybB;zh4xO@wN3$e%nK59C>Q#^!9%k7&1Ar4t<^mtTGPU2@f&nw=&DLL+#F%=fWkW^jYV_EODyGX4>9O%EBc*+Ns7_LoLU+#PsLP1R z5H3i_X`le2EX%7v`1;%5@Y6l0d(}DA^gA0V41OPPm8yXh`EPKtsy^TQ>U%L-9o;Jh zd&M+$c5xgzW6G4a1{c614l_WBYpyxO^~_FQO+m))cFK?cb?ZEs(#w0JVKG@VcI{6w zhr-$c;rwe4zjLbn823u07qC&L3(|0xq&RmFrB1PPetleOsAZISiW1vb986uI@Hp6; zr4;*ielp;}sNlPsi2kZrY~x_W)It#dRQ_co&9Lhhr1UV9I;23gD#u;*<;8TFan8C_ z4h-T~6d&%Ag@c$o0V$tX`KxVn6KCe}O23I>V6&5sN6Xv-zi-#7=iGc^-WE6?$Va$n z5^8E`kY$xv{8?gvPkGsv9>+J)lp{!TSz^GSqR{Zok%kO{Xzi;N4yzTOc>*pe7Mxw;+yM z+ow3}=`@*r@qMA}^gw#{rls25Go7Yu#+bNMwabsW$js)jdUGhRnBu_3&P?1;S=!@M z6~;kFD(LuBI47LO?x1YWTQ_8MEmV0cKpM(g_QU$@p-uWz6>nd>o^d5I9EG8>Buwp0 zW$_WXhPd%1!L#S@21vLMf|eQC05HkVUCr}+s>c(dT+ zLMrZ&R{uzoZQsNldFzG`bMB6PdSVf4C9V+49G_X0zf6_2bTZ&NSni-u*S0HKHZ!@; zW)x_->5o{#A|4SuL)k)(v!Mtoc>Qp(L4fEfbOK3#a@qsVr3yDKbQqLDejJaRT6rQ$ z>HO*x)~nP`mY@P~(>rq0NO$h~;rt0=obbWxb`5sB=;Upq_p`K!22lgJ5iA8E*4>KnVqQxN=m*;zC*tqEQT__zHYQtXrh3UFdi%P6Pzq+pvswM6p6M-l|IFt;GA{@)NWDLA7!EjQ_x@48 zRa(A36JDdf{3`#*^nnSlT^zt&GJD@SO7d{GR$jXt$P5w^k^%dX;e%8c4wBKykOBWu z_eRKSuI=R-MUE{|2qqGhxpD$WXt30c&AA?+}_F zOcVi*Gywk$7Qis1R@#;0{9S}#-jnZj7xnPOGvMyso~4Yqnek5>-%9W^xhDs#7{J>$egKEpLlXWQ2HoFM<+woQz0 z*as@JcK};d>sJxnI@D-qA9NLQ47KK80{|M7Cp%v{{Sn|ntOxqh@B_7BL214yCX+dY ztCza&A-9tm@nyC$iVrS%`OGMUWh^&$s;kjar!rod=PuwB(*>QOvX{@hcJlH$feRI_ z%3D@&BKOAy_eVnrF>q3^xSg)>`gHY__>K_U6ab=wI>Qi~6P+I&E&xX0%~a@e0OSWz z_@7ADV$?=$)I_(wCoW0PP+oGI#mo0Bv)$eJw=&AqXT=2e3PsCvT|Fo8wfp4cQ2u6O zI{k3PzCUSVeqzFKVc4hyK=Rx9LTn85M;5t2lB0U50;ZcxhDnL5&}U)9?BBO|pUr|Z 
zGobiwE?~#X+owtzFihf^wvGd3;?ZkBO__3Mgf9SvtGZB_1|3` zcI-&QII*!yGW4=i4q`t@nq+VvPp1K6xJth&53QYH=_j#$E0WnKlIBAZE+gifE=|pK z%i#EPI7&?4niCK+W$MaFV)})9CK+iMO+#z$;g!|mk~pU8th$`o{`-@cG!b*S=|@5}GE974c99g*S_fEv1Z>^d(g>$^7bg8B-*-{K=lR=IN90~Kd z?)~A!j4lTDKm6lSFI6sW8{25UJ?CQkmXvU&!M4(3+b2ahyJ1F9hbpEnVjG8V%yO|U zSD^e(w})Pj0B}KUrvYy}GsV>YS$V7Xg&+mY_RmrbeqI`EtD`<$$|#R*v&@3^{m2mO zatTKvJ4z>3sb^g7?OuL(=`umQp^Lr2gBp%56Jvr)qY?%R!|d1uNtz&Bxs19n3Atl> zs`1mpenW1soNnCdq6!j*P_SA1>fM7{?Ma0g(@4Z#9!MYviMGlUW`=F!$;#FP6{#E?qiHSq=l@Q;bz zfC9m>fY}2h_|1S}14a#oGmLaE3XF`l-y@dp_^e2a$e{DdV9(qI_>63(otPH&Mp8_r zVqMi+2mnj9hw*>-k7QLb&M~HF7_>#(53{4uVbDKHwAChhJ^&>~eDETB zvzamYH`kod=g+kedM#7PHaFR=9zwl;5c3sRl_&xC3d7>@Y1$^UZ!_bu7fubcyAio$yh1xSv1E|5K$=z7*^oYZ`UQU(a$W? zm3KGuzW)6erCU~F0417pD$Gbr#Esa5d%>v2fe~fr^WZOVl9Avh4hmsO8?^=8pQ^Z) zNpTNB*1y#v#{8%%7`HVa4i|=-pLvPXbr}`&^(H*Yc7cZ%)BuVozY2Q7stN@gdt)DQ z!m1zGct6C5stNO2C&p~;UF(|r zpn-`?VD=^>)qKYc=N-)E#Ie=xc+Pj@j`t{rsg*~ zUBlVHUB5%zuXuj_J0HpDbic?LjVMSG;eHF7bu-S2w>O^a_nEjLs4^+YF_>jnwV%Uha2vab`!TV z5r%g-iPURp6(+Sawn3<{)H)HQiI4)pw@@tdbkvg9y@5C6(i>Z)PwC?0h6bbBJNSHs z+T!U)n67DiDcOM6Lp$WDG+o8`f$@Z*T$);J0ynGC?NAWF!j&wYF88-Ds=hD0S087h zI&aK%sA3fFX13c*PTcyTSD|?XYWus~WTL{tQT$Fuj027%3pw{~?*x>#RlpUq7w%ea z6&S~c7?NU2=vn!bald68;gHGRp7^Q?e*%flYX`Kvndp7=^Ra=3qcu1xFZo7cxJZ z#zW2Sx-|>WnaEU!>wX>u#_j5WnXnm1FnhX5PVQTwa2{OMU0K5{GR5rQAy(+2zKBEg zt4)#E#|{{FH(VTWZXd>ofIl9HP62o_OFCJRcRoeaLf_^*wd+mk*YsnedH(Kmtk%D{ z9q+o&h8pNYPDGjNWqN%qz_;Qmvu!SdSBB2EZQB zz`9nsX_?7Ia)4fqQyuBBsqEa`J1c*zQw6`h;I7-~hJ=*fbmBfCq--%3@?}jEvM_;Q zm%_q8_LwPusOJ--!)#``NWw%2V}LS>u0IhUzn$kr%Vr~94Na*f&J*XPNs1H2QOtnl z)j2S9K++Y)O?iGt)PHlXnLwly2b!Ra3KnGEhgCrdgO?x0v+|!+ed zU%dQw10FxVUf+QV!+)ED1WCtn=`x4SJ(ZQlQ$_bDQZws=nd895bbu9&DF9Fu(W)3* zW_-ag-l+w}fTrO*M*F&?5lH{)3irR}{9M4dDnY66;(4zn;+$EQ2~s31VJIYR`Aq_C z0zy;f90-3w^Grxl`1Jg_vlcAKH)dT^N8s=oF$=*J?Jv!_dX$IH$Ku!oA_2w*h7JyW zKA5#LvUuAeh{%U951r_jBSw8}r4*InsT0Td~|1EB4*@guTyLuBi$7}jOo zW7{KUyJz@lb^$ur?t4oGN)CN`oc_^AjvWa!IOBxIM*t-ql{8I|<}^I`p+*gcG;bc^ 
z)CkbX!_h?yH)`A<1*~~ObKr4jh*E$kYoI9Q;4lFQB^wWGG9$}u25>Y2Iin48j>^k- zV#B8i`qM|OWuyiThi5+6AIOs05&nL_1;0HFpEU+h%V0$%(o2&oybn|m{Ci=hk)V*n z4iE>nd=);ZIav{<6Ewy6<_|)`jwqi&J)aIYKPi$mckd?P>A=oU8Jyd%Lfn0N0vdXz zHCiMEBmLAo`5$@$DYoA94@E_~zBg)u4gt9+Uhj5?_4mW7ArcoB1E(v~%G)V-YiS%y z5!6hvA;5%TTz+G zPg-+HmvYa|hDsKaC)#L{saT~;vQ##?*&=yvQ>Vnoem&|NV8N4=gnC9&)e;r;i=P7m z@TJZlJ$6h6SxTAvmX;AF#kBc*lV{mpO#l2&9|sE%;4pYo0WhJC?Xw8G=v=Vj4+-K{ zy-Gsz%OvQM@r`_U!#aX&re@ivN@v_+>s`;=fs|4xTh(x)m75^Gu!7-GtT+C;UuS?; zu35j|w4r4D4zB-gxpoo6&Uz}(shfV09+vE=rFuGf#Iln7UEq* z^n;^q0xm}S8PqO;L!NHQgKbK&oyQ#tWhqm&^NhD_cfhf7NjbCpbY{srvkY}=k(=7`AzIz?ooHw@ z`B1r1X)yyOjgpI++Vb`3x>Ypdx49xTwgf52v`mk^6p4d6$G8 z$tfKv1x$GeuZn4&LaHh*kZitGDNp7Y%n$m@hojDXJ{WP(vC_K9=mt=O$Lr2e&f+>D zf+)jg)fEqv1hm2ns56c=X)MS^qc~R!s5pd3wI_t&*#MyBQ}$8UPQbS*X3&GP{(7}q ztJS;$4ww70+0a!b#B)Hx>Ia@xt1E#ztt$L!XmArT=$J9hv|jnpVa!!9>T7O^ODnv= zzw0VgnU(YGopf3wiRc8rs^6fSD8Y@7f==GbH1O98KFYu!s@0~-Uq$cPsXx)CbR1&i z-7K`*w$t0`i+|B{y<15q@DCf0)5g1a*9sGj6XLF(ie})+sGTJ7?}sigAs$1F933yI zABBnYGf$McmPuDEkiubUtJofht0P3XaGE$+`eS_)9yX$v797Ah;&C7wR`wyHAHDjDe zz;OC1It^*yVf>WIXTB)~z(#N#u-oQP3D1Z1+*tDhLnJ92XpL_N77UiPe$$SwG3P?}K00*s=;w8*)3=dcgtx;h1 zI-#FT8P1X(ooryO0IlTYP}a}jP_cj>kRi<`m99|UhAs3pu-qOcpcwK-JxK&;O_zW- zq>e(8Yard|Gc7lmMZK6E)2SbGqu1LTydAu&W~2$*`I{|dNQ{D%6d9g(CL&MH=0y|) z2m@>>beH_3AZss>a|&H@zmp(uAM?2!Z6#7$sc#sb@1Xke8^yCdWByh4@nHJtoP|2q z@4JW7i(k z?>t_;KOXLwN4h~Cu4AE&$fodcO(CIrALPk&ECl4y2{j9K$U7U&$^?FE@|0U-Z-2?cJ;2zq+=1JX|eot<=qVPwV+V3+`*4 zG#(XPZ!+>523ea^m^{C`-dSp7ZJv{>l0}BZI9&B?NW>j{wNRYA+8BdQ(4jKY8BVsg z!)E-P3c%sOjA)AwQ5XDnZ)d=7qhoSm-6pF6K3|oJ)61)VVsQKm>C{8+aqwe}${MHt z9G$r2J}i{ngBMQu;R>pI46qVEhHrF$rxVCQC-`fjuix!b5Z?eGhhH=K9ef9C+A@CC z$TUp|5+ip)g8a}{iY-`ke#Be+?u+7v9nl6C0px4T<|)Jcq%b25C7dloTW1>z7HcHS z6n%TewO0@lt{b8BObGS`I-_5WBJ3r zTeI^U87+ehIg;PO4VV@o19V`+6QDJ2s7N<3e#amsPg5gFSDvAzrlhBzLt8-yht0M< z30aBY5fVqd7|DQ@vdIzn*5)u|GJk29Dzfu37=VO%4V$^)0>;CF?*L&ruA1;P`BJWq z*t6Zw6(-`xe_3U56b#jeDee$*8A0qGn#|B_u?5yqhyz~fw`KsKXbXDOLIfBS0}Iy8h40ZYlwt!barYTvrY 
zUXy_|yaDxnTMmH!6!M%AP#tV4n^EtF0BNq)xS<}Y*mOP?W;Z?H&%#|k2Q6xxwq6+I zjkx030^UhMXcRtR()JhBa4%TP`Ht)sR$#cWtke04T=0kbPkID)vHV?$6J44p7dwDk z$(&034sAj>!Te_s6-_ObCE}cCB$#zq;u9T1>rNXZyyC4=*#kui(a-;~K;C;f9VROcpU=TnL+d0P;zII(i2Ohq0Xj{z%fE1iF6 zE2Vl*rO`rxrO~c^Me<4^m!>DrmWf{Lo7uSVz=9=h>q5sRv&eR`Xbxq;V#e+yqX7N! z(m_F8vaoo6SWqb7Yj^@Necx<)!u+19{N19<eQ}5C@i-G-A%VtEwyxU4wU6t zt{(_rr^=*tuDYYe%Q%P&0lWrwDeQds`0JN+!@E7CF%2aroK9*&CTHEn)OWU{{y6EW zOcA`oE@OFac401HdmHSSHYA2iH~_Oj(!+`-dHmfME-Ea$ys6|+BPq<5Kp0jMTmDK9 z9sU9}FX=B4yqH-`yMVF0(@J#v*%(9NJ1u)O(6|eyv=QN+;8P|}dWTc#;%Rfum?sgC z%z=tia6$~ou==>~C|aXsqa=sJ}-P4eC`{^v1elmIJl9cB&uT=)(tEl`Grt?kBi)oa@kOy{BsnWT+>U}`>#;= zS%yq1>E#usS|;`J@ymci=R7{kDM!hqPH@oBGy{af4zy%KVKH@wrvXTWvGU>J4%%L_y$$+n{tgU$O%-oNr%N z4|nHmuQ*>aoU_y8Q&BGmQzf=0AbQO}R$+?+#qp^z-EvBslY1lc+4AW*^@-7S$boZ5E9 zF?gvI?)%+GSDH zx0DL!jdA*C(BO@2kG8+JGmdkU>0F1T2BO>iV~wfw4F;fhs1!|8%&{8;fC4i^01y(3 z24mr9Bobs{q9@`9bSBD4%0>A+ib;cvBr_u;AOIjB002P%ilL7&YNn-VSM?eOV2l>B zm5_!MTp9{XKCIZDP`@}n7^zLyr6q<3fc<7RTMb;f_fL8=$U#OVyRC+5H}$0L#@dg@ zbX>;wR>LM9A_f^!H4^!DkIiW@$&sTG^@mHsZ0^)~a^_(G)Rf5hiJ=(WDatt*WM_b8 z69e{sPIU{9?v_#dd^Idt%!*;=7feI$Hln^0%`^-So5+vA;+(mgSk0nf zsiV*0(~0=95n1fLtQWEAI!$Uw0?$)<;msFMde@GrtFI1VPj!qQ)il&ZtzTk-;PmiI z83=gXCEq}{qgSRWr9dO4s49jBiXh#=(A)=ai2POw`f(Y^!h>*JU5xQ|?k?U?s_*4N zj^)~lKdB33qqTcr1C6uaNX>y`ZKttA1F0eHRf*sYp-KK&j21{FzYWS9l(A|Bun#<6 zvCw5Z`cT3c1ea@^2X86(`gP^g`|pXzz!EK^`4(9ZtoUCVp1M)+p|^zWl1X6of`h}N z>pharpXcWp(8EL0!I9Fp@^uFd*OuV!{1*h|A^s{Hz#EzaeFi9oRiME}5Q%lr3=6jv z<_jYj`3M6N0eAo`V{?{giFS|N1w#rT6k@B!?Ro--v^z&V!%HR2ID&dl296j31JwIw z51`DxLk<@-JwrWph-)6%acli?1#XS%Z5_tm{0vHpO%e6+#|EvAAOsW1guT+j z7fT!60k}AUO~Au<54V5{Wtc>~2$-GFxk*f+=Wz{qD|~6hd?#%@fL0A9IT;4htsCwm z02%C|^cHBP=!`L)X&pPPi|?Y;me~A z?omaMq)^1jfG+av{?M_c9fW^CAc?y_6$$%BnRGUdXzBMB)G{wf+kmTOjn#Fd_a$-Fu0V?(h(-wI-xukP-W_Z|D%N* z3OVQ(<$(kZ$nXF$QBXyN8dzgRRUziv6OGR8)Q@unoCdzz=2YAVu@kkYh8b*&Yk^9P zh`sMqy9-g)%ZJB=6h79$QV42Mnh7Ir7b6-H;dT)=HqN(#k@fsGGY4mn>~$reKitMi zK@uKdJ0~hihdFd&wfI{#2)zRIF_L@^);5hd>*K_Pu1XmaiAK@H*c@A$T;?yR 
zuWe_Tf})IM*G z@Wt9Y4&CyY(U_c8s!hP$IofDoe<^sCbS3hD@u<02Ew_#|K%1$*75P~9Q-Qk1Qyi3)#Fit>o*h^2A^FXuR!Cl5ZWyf6K1!Ee zmKjxZm)+PEL-TQo%iFYVTHtR>;4+Y(+r*qq7HiE;%~3EC`K~YkKVo+ehmBh%PLS`7(1PNVc*^=T4~STTwqf*;+Q%CxstxP&k0R$7=Odrsr-`WB4=V(+q*Cz z^5H8QBvSYH$oweJtBUIBYRmgSEp{y36<3Ps%TmHKcslrB`}LUX1#Z*G1R( zsG0ai2Tj%kR{s;GwlFeoPM6jyrFCAnU|_hmr}aKUTL9aa0N!dQAV;Ww}LbR8oJZ|opw zt-X{Sqqg+uoNN0-z2STT@l&5Qyn75ly>SNNcFlDc7UTI33xrm*6=cQjKk(S!!d8P)Q z{WJl9(h3=-F|^E3)4^C2$=FI*`9sF_VHwt()4Y1>g}|Y<=#V_HZEL@AS9YiS|c<%Zu_kUVQi^4z&lNxlwz>#Wl5q{%Q@1M6ybArfcVs#!e)_UIWe%NZ?gnPWktnw-ER^gn5+SE z_I5s10i{`4jWiVfWS6iiA$$SMHFlCHQ2sE-y{5EL%8CA6`9G$(yO4i3h8ZnZflawB zVQ)fg5{Tt=yI@r0uUq#Aa3il%v=avAY5}@6V~5d?Accf)hd^*XCMhM<(B-AOI`qpE?6@__qxetk;Rk$*QO1<2ZK%6$C@(hg>&A8cIsbx-NZ{vo{wC;BA zcSL6hFiIS~P?n1Q)nHN_beS9%T(4N8&n@C8=2KjpqT0Bky$pGT5r0^iVS6h*;FbbRZ^#H zOoPa1yjT9pf3(~kKtho8(670QR=6D@2GL>}9tze@G!^roV;t_?YK%vm(MEmyh4%CI zh{z}dSrswK?sV~nG(#aa?Yfc_L)MZ|I*su-o^Uu$`Ug`RnH6^)t>DsJ2m4UcbW#~L zk1<{33_N<=_n6`|F9kZ#-$NKs zv}f2;eesHZ6iq0_tUd8xj$5+{`KBO-`7lD?U~%R^iES-V03ID)&-RGL`TaY;e5>C{ zp0ILMh@AZlG+$qStU#C_N>UZx$vPaMvzMAK^rm4K9+Ef}bFkP$5QHfA!SxL$N=3Wz zwZHDI{xbyHAZj|(FhMd~4c+LJXUAMQ(~VO%nib2d;jFMJ41Nuo`DNa2K4`@oBQKhW zF7=~0yMk~|jm91_$)PcJy-zpf=KX+t^{5W zYE_>rx<5Hl!01yHU7sOxXn_`5K9wfO0@PLFw~VNfqDLo4V=gd|?gFGDsvV9oXw|de zlAL3yFPfyA=2j(OfRUvRbP>YH*u8)+a2UswD_r=EgmF|of7@Efn$-Oa(in8EZ?;yg zKJ(2AEy0j{SV*=8B( zLZ!7CrkXN-9KKY#5>9J}Tg$hvRv}d;${ScJNfF?U^&czBz1h>(@&19kmHU*qnbrD1fT`T36S05<0vKfLJoE?AECXgA{5vn<#Lrer_#{T2yAy%4B40X;Wz>cr*4LPQxOYR27M#WO8w%D2gfoyAPEu^7 z8-r?tPAmS+WNV_O>7I8z1?^olJ=RwWF>lYs)EMHhU&MQVMGm7X1Gsr?vkSpiC*+-B1nN_e)DyA6y&uV&OD^X8fsYZ)?Qtf zin$z2R-8?6o3G|%YAGOliclwhI8@P2iiif%>R}*&b$H53JPBT7VT_^_mdqRFJ!Ujl z%DDuWT1@gv0MQL!W6?=Q8I8`^)T*$Wk&o3(@D%0+3+wo+=Naw*ZZ??XUTxjsU1X68 z!znXC623->$yXNp??ZX;F5<9+4KIu3=*j z@lf2wC=;D%`$0poC;R~N*RcwAAM;P06!o!jn9=s6nmpzzLkG1EC?~g)`eK3luJ~J@ z?9i*f@*q>vr9@;I7}K<-!}fw88cn5hN}s{C1+vZ!JB;)8*IvhmE{IH3o_&7v8>R^dGn2Gp!r>ov1l4D`IM=^s61r5p+U^= 
z2A=f6E)00)BqHW-5UI&S-VU6ysZ=sXb?p7?KBS(_@HU&|e6WfP} z1P<`Webv6fes2K;$X*{XoB``{Cf7A<$p_0Rvt>%qO1HDaoU(5_*4CDo2~@VPSd>J;zz}%#t)H6`Er)Fd>a7 zVK~6pcMIqZu=7OM*`VxM-j;RM&WuhsCr{kxsDzN--0f)cZa@XMqpg~-Sj^Tiomg1z zl~!`kLY_ekVmjR$k1DvLmnf12b1({WjSu3@Y#pwdJ^4&HHKd*RY(XQd{x8504#&io z;n4W3$0>pez>y(LVujGQhl~y!f5eD!UR=knuAJgsHt}_($jP5|rAVuLF@y!4t+AeV zh2Rfcb_0MTs>UtGtWIs`U<*+nw2Y$wa3S%Eax%$cz`mx90It#k#FxpHS+Xd`}$WOmxz!c zp3hI7^s2!#|NG>Nn^+-w&J0AYmPRBWC_jj+d5epVdf7D~7Zf~6ofxQ-IZITz#KaZuc- zqsbf|!c`Z90%RU9%W5nWl<3&HI#7SxC4(Mbnhdspf%|qeWKi1GTAL|zT^#jsbYzjG z;VhLo8@k>|;JXv~-Q{6;x0yWKgLMvC70iFJWLsm6iRhI{zn;K49z%_PeB zKq}e&B?mzyHl2__vM9}T0~lv+BQU+C*F42&(Jj}agSfH}KRn6_hl;kCe^9QKovx(u zR5&WHUhQL?6l>Bj2#6aRUx zC>4o8Yd5p7Y;LK{Jup>jfD9dF8-g;dw*X5#3~y2sClrTX(GtB3c{m{+mVuPDpLJEa z=@o6{Qy613lv8y9ZJz9-^DOw&2>HZT;~bHYKnKx66}DV^^>VSBJ~H1(f`y4``T|2^ z+;&;N=~8xfFkz}ljo&lmrwTF?xrr|&S8g$>YC?dMA6wXq<~#}KxvtHrFUur1S(NX} zE5kz^2PVu}gBY+kF}tNUV5mjBEYcb-hXjpAw&H7u-Xg!{4LY`nIo z(@>fxS7(s!gk{%nP|7RZ;724rjm1SZ_id=+6B7T6BFxQQ{JFX_#Nct>+LZ~-Zx<-s z$=!w=`Qai7bBe2DMr(~Rq78RQT?rDMLCmtNGUog;Qn(r}_@e|+Gdbiy?Pb$DC6=ou z1{p;IBt_o~>hUs-!Hhp2xnWYIIzM_HaI?BdL{&+g)Yx?uLP_FFi@kRKwbgo2R~P8& zY-Gr3R!|#dGC6zF^8X6@RrZc+o|ECym$bwzvMK@vDh&$&42qqzT?hjWMYD zpkCRqE{-Vsq-yCYdLYP6z2ge99__GMg&td+GStdI%$#YaT0Hwk0h#1=@wku|bW1G1noR%)aKCg*4zn zOMSN|s1i|eAD*a!xrTA!7~7Se7E1&F@#m$mgSgP;>)q53RR%{+H_H-A08|yNJ-RNk zik=Am57#{dV(0eX*jlktX&^fQ!wk$jd2!jUmIpL#K-Tqxw!+@B$>$q~(Cu_&m9GGE z8;3Lmqe8WozCN-nWco4u4Y)KlTi6P#AJf1k)2Gv)IY2}(C(E3x9=!;d+23I1G<__w zd^U~|D6GFnW!Z%fm}+;8wwq}02msp{@Q?PuD2nBK|DcA;N*PT`MQV z4)peOml!1tXIdvlTDk(??0u^hcvY}K4srx^B}f7$oTpMLT1Q8}o5RqhzX|EuA1c8F zAf6rL?DucfbZam~(C>*s>zQ z0FC4RI4=y-&o&Olb_I=WI?hBi(h&D4yS)8|6t>Eq>&iz3=1(0yJ;z?+Q&oq$l)~Cj zXLq?qNYj!6Y;dtoPwv>X5^RL~&eZ!H@&H&WscD;;Yh?W3AC0?uPKZch=B$D;f(zr# zf5JKsD&4p!O?s~E+vh3`LtpB!;@di>RzSay}*LM2p+gZ2S#A^aG_(&ztZ`MJjl)WPs+qm0J zqYj)_f8HH*=~8n46%(7ToP_Wgpso*+lo@qKXRdSI0h72gh_M)Lv4@So#L2cO8Lux1 zsHVDKnsv30vf&uEhz~D(086K#*$kgQO`O0~WhGYL1U)4?;J?oVfw= 
z&uKU-!rAzaOkKgmg)Ws+u^NWS%}=+GOrN#{(es6U5q>9W(_fyx);v;ke4AY~BAHxk z57v@>u%FX7`TivhvD1w-NtL%2fHa^K4X-)?{$FAHeUsP$tXv!bN2in=O$zqRTFxiL zz>X3EeGqa-c;l1hTjoH3VGYyl&DK*gC@Kp=ub1{;9U2O?kjLa`2l7CDoMMDJFf0vV zJg8AEjPTz2U9Bv$NKHEE3eRozGpt6Ep=gyxEKM8*;D3S2$*`~G-PfK!2B1&HDT|7} zi5x63M`~#&&pJR`gfm6&!RW@_>Teh=>)GnZUSijmH@^PTOfINvEF~M|NB#uA7W$s zE@ywAjc|>kd1w9A>T8K-Bciw5|4h+qf&ER;SuxTg!49fI{v$#51}NvjW~h-e%x( zWw>QINJKodCFb}+GGY*~k9(lc!<{w9abi|z8@$~~5JsC&LEgP@6skqI)b8X!c|G?x zHH6CBGzxiAhzT-o6TpWIOuk;sMhBE&Nl37?0f{?z*Bem%-38`x=s7~HO5}r95Rg9Q z!>abcVzowg#u|=V9xj$jkigB-VGigLFIbHFwXOPJip^9%7g9(dkaKH(+=9C7bWEMc zi7=0<^G-k!I}CD<;vIIhFpYC`%3Wto8>k*AKes^W!VDLs!QstI=rXJOJwF*hxFU|j zS$e0`p=%86{!Q$2dOHYrb%*y!FBsDf!*yx@v!-r4k9kzQ5$Z2v`IU{PMWn*-8&(Sn z1^ZTB`scC&zJXJH)muX@;FHh9_3tRyU6AW9Mz7k=5KEr{BSoXfK9HYg73_`yq!FJw zQJ1;i!I^SZPf_Vm&$~4U9s|*SbvEw%=kn7k-JWYneXED^y8I6XI6hDYSm66&T)1es zxj-~rxga_&a2;TigAx9te^>zEUQx8~eCuC6vVDwvSoZ<>N$l?pxI|7Od7pr9;0NH! z-QL#AjPyqj!C8w@IS&@BWMoFHDPj6_=T6IQF>${TJZeWw+%--jOA9v#YNkvnJuHC_ z9=J>nYOWw?s`^+IzIq<g>1}Bw~&wsvBV(BhhnZ-G|{GEgeXo4w0qj2$< z-C9gFZCdW1BPMRdte#@$F+ZcZ*8RcX`b~=97c>xTG`yFJpX_;yt-(P25(K?;!vP7g9LvyK7$18XpE2XIVum}VO}UAIW_hr8vH~n{rGqs_p2Z=A zN;eR3%zzG%)8>Y!n%~JEen24T2f2wGGHWhqV+!xPuAG_hgWxqUJ8ncyHT|gRD~B9o ze1{gTGQCRX;;MT*vIzd{rOC6Y#th6Qw%^`5S4~8j&4otZ`|`HuQc2abGIjOFtz(qX z{_(&J_&tyu5+A2j2cG;UderP?-d(7lUhOUYYU+qzl70;O z;C>G}z(7KK0hMW`)zxQoc}BtzO{Qj3paDv~xONP%N0`8-k5W9Oh05+QXNt?%{|;q{(S5$~lM@m_Nz-cx1e(_SeRTy00& zrDwnZG8_TTKuqV|PpOs?d{~U3;B%!T?=2(9bo^5DcR%+pi+fmpk>cQ#f8wh2j_tv^ zsfN1)i*ByP6-9JqaKC5CK8U+?bKbkX=7>6|N9o$wRuI8#^YqX?xoPX7*+1&^Em+f* zBlqAWZwCPd;8QW87$DIZr$gUH9ez|5B}V0@`zhU~uu9XmUeGy(b|A;xek0h$DKX;G zE&@pf?X0{7Mc%>OD!67_0T>N239Vy>1H{UZ=*Id+)+{Z5>pr=5QXAgH{;a!~TCyHk zOhkUyq=*Q&0rDc(AxgyMBz5bzAr+-~^mdr(>Y9Hsvt`k9k(jk<;}A&I{gEGMpa$+J zTt?N-<@>20q(hO=m!v7{$O?p{EvHV0?#|Iio2gbX&n#ryF%;Ly=|a z_S>4a!8?jOTLi~Mp=g_?W1qEiDa?tt`X;)T(ipoY4UZR0g0WW!*ZxT6yc#h;)bTDS zw3gT9izBrc>a6DWSe2e#yb87X;fBKz-#f8k+dFKzNPqTqY?y0! 
zl0t<>(vu$=A^pQMz1cuuXA4Z#f`OGp3jlyq*rZ@v;QyWBdjfMd?!@wYgS@8UII)gs zSaLaL1NSzCAM=Bai*q|8Vm~Xx$GJPnLUUy?gi;^>oCM(OOg(0~IVTH{fq`Y9U zR^(``_$2q+7s<0s{s5t@!n8pIO^_ykhGT#j&^Cr;Z!(l+lxFCgoOnKg!2HjVDd-LF z{lrq}$ZmTE8mNVpQ@?SDxS+q>1s7_)+k#|44veAAzFdWpab2`%ua`ex4o-nim^tAY z>|%QKOyzHBxr3PE8zu@mxD<7){=aunzUatVcMy*k5LRI8&i69c;@Ce7%2u8{p7KTe zw~amEm{`SX)K312nc0r1V&yW2ZQ`79Q#~HtJCl}OdMEchgdR` z{`wBs0f-PW8uYbbu6nUkCc~iNjQyji53Ru{XK2sp+oROG~-pjJe8+(N%tRwndW4V;lxek=?XMqAyAwA!v6N!+~B6Z4{GZ*nb$_yiVZV?v5 zWwK4YB0%=&Z+i)GjYe70Ttik_NTH1hzrf)?C+ec8S{bJ!2q^fF_yoreh5=TVaSU+} zI0?QXL(3>2PcO9Z|4pQD)O8@XNEZ8^?z?2oEA@BuX(u62}Z4sBio-~Ytt1P`-I z^!xwq=Wr<$46jI#Ph@vICH6oc+Zug9g<+i9Oa2J zbgINAoi`|x<#jYTq=yUdr<-~z0~uwjczUH;KhhWDR>B$Dtt1W(@e(GQU|*(4U5$Fb zhvWNAuEDfV5RU$koX;_*b7s*HK170K$pSp?I$npl$Jh_Ob7%1~$VrICi{y|qy`mu! z4AZ&9;1hjxA)D2%O+{KLLK_)Qcfaz(i^z21r+DUE?thhT2y$R@8-^Ea59a5OJOCl_ z45S!iU98p?a2sZ9=#aQqQbXBV85T&U93Yo>oc2@r=CDU2RjzgbWvbqyg%7sKU zPrEU-=bS1B?9Fmq9w~YL*wdwJamePrOK-@4Fx$$2-T{IuKFW~tyoNI927`;^jB5qm z9X*3xu>pX}We3dAIM8JWI4!@=Q?I23_x@C&b2Zy=SuQQp11wgCt__bm6d*%x zW{QpN);cT-%xY;`6fjEJ))WlyMJO3=|0-qHM%>3*Q6!!M)C0d#Klioc;&2xq{n!j6 z++jt3Gc*Xdq&PqZzz47hDNKu?)~@FdEZ1$?n48rs8qm1s6z&Em{pa*KK7sNa?sDZr zeE&%~6OSpB))4lsQwZ;;Ex93yssXBU=N({Kqps+)r%)CPfNuYI-SPva{_CC8F|I-5 zNL_v|Mu+eOq1!k1ak2@KQrti9X=O9kg}rQ6TEkVKuVRHmwmg z`L#^^clvJG53d!r`HdR7E&gmi~6KRL;icEF8Hm{ z+0%g6WthZ38J!{ApbATIRI72fvH+b7{lK{@&4;QmVUG`;W=(s_lma!h9;Xdrl&{ff zY$?4)QB2_JXg=0;{93$|k{-!qT{p8pLA^zxxewu$Toy$Cehub*%>rW;a~2!^Sd0Ia zjqo+XNXq0ji@>a)xZ!d!(gCxGe$ykt$#borQhU69CgK>i+TglQQ{7#>8Mb+WUvmjA z^8AJ*8Si2>cJTCa;xlVk5+M9X8&<02;Ek$m&C`9%EHxQmRf&V*HvLC~VX_`_RPO#z zyZ20uvx-LZ%u3RvI>cjlEI`CygbD6n05yD%kp>S2Ot)7rdic{+@W+q%u2_Pn9x^$J zo`{zKr4|?|yHBBKuVzzxq_ii&#v*WQQXswZbB$hA2Tl|?R z!G}y*sFt=S0J&yjkVMyA91YGYiMoCNscVdrJ28`4Dn?-}u#;rVTdz*lBAYtGKc0VH zaj?o1piMgMOtG0}(vz8_3t&VVOGO$%H?;vx11r<;w?X$BU#|1qXx-Tk!QsbRd~u@I zBDeHy{8MgTsRos7CTt$DF~8vcb3a>UHEBacvvSG4qJI8-Us0$eCVA5fpv-x$?|4QT z*&DtrLWKd}`VvFOvIY7wkU+?TQ}sdlf&7hiqg9UbYwbXy^`N{3hb9>LoN-^VAPxv0 
z2o{qD)&7?p+gIZ?;+xfa#HRl1bo!8!v3(9I=o3UZ;c--MQnwKwE>r_ z)rFMl6`G{W>T)7+);U>^UDM|#UIPHw8<>~APNrQvOx+HCGrG+7cXOLDjOH-Cd*=8C zP4Rq_DvUN~*VrtxuA!tWHORDsYh2ipu+1FujQ<~Mj?Rf*1~k_fum$Ek)+yj?vrlG} zsNbpVfx>E300ig5t3N4WX7O>h!`%#};63c8dDg8x$qt~(52khVr1j_?jA+Qm zYi52t0QVq()R3A2ZNg8~!6LN=DA%zq04ne{xZ#Eo;5okzL>o1C=TU9w-;NkHPt{lDCsdYZ9)6w!j$}e; zbfJ_#fYAH{wwr4qkbF7xN52RcO#>FuH(&qXzmW2P;XRil6$L`OE?co%A-Lmzz=f1| z+x)yRa-+}aw?_4qP~cb;JX{A&O*!s3%@i@!4@@w)XMi9#5lwrEscQ<|nfZk?4T(o; z2?UKv3qjdmXZdilJU33+7dznXv@1S(DbEXiYW!GK7@25yEA8y$XIZS!Y9(q z1HKr>4@}{q(u{Z(ew1aS?S>B;{vgIRIcAww=1ctx>68Y+To)e_2aS5Fw9Ex z;2ZT1A{ek>EzvhIO_Ma5cYRwDh!65$QMa~jbvokTRcqi(8G2<(8q)Z-gRHTD)b;Bx z6z1;f=c5tWw!uU7TvQ7_HI_?ifjgQ6Ub-gjoQ7DfI-s5H5dwx(aMU}lhuCx#XrU}H z03g7=Y{Z$b{iVyYJI-1?w~9L(PDoZRUEryLn~R1!VCX^1kO%tA~MbY>0Cr9bkO^w5amip7Q^tApXqGMWFQgsKqK zU7qrRNHr+t-}sXb`tt~DI`g&ZV^*GGi5VNOyijcgPc<6KQcp57*dy#?|0!#srG`>MEYQuz@rdS!WoY$y0yPV=gR8tE?$J5xmIVwicBH zdp7w;Oq$DHiZ_=(lo+k9qeG*h^YJY|QVLO$x^)oEl=UoXKw=zsgR!>{d?lq?ha!d8 zEsFn$*x;vAYfCe!-Vjz&Rxfy~Et}$T%U1T6s%Z+=5$iC$QZ2CVRabMMn8=+%H2ny= zC+&G}6miMVs9gX519;~oH*3GH=>UBTdyr7kc+qzRBS{~EM$QKTzfw%?+3Xh!0~W8# zf(wi%dXrPQ1VPIvk4oTSbV!>RH~6)M8dVB6W)3;)5x6EFav8jDVn;#c!E{TpBHZX_ zpmA%%Uz^qh$-PST2e~%+D?YXNYlk3T)BtKm1L%%vb9riq2jg;hK5Ti6*8rr}mjVsw z*+;(6h3g=bI1tqGirW~-TsN{`rX=kAD?^~TQU+Ff;?QQ>K`h#`FXb?jOEY8Ay_vj6 z=Ref@27ykPe_JHujwwHq0Cou?b{I;*f>XxdY z;h?Bm&m;rt|FT{ikEu0*A+v>B&RHupLCa7{hnSpH)qsOqTG+s`KuDenX8_@f-QmB0 z%Xto*M4*&%NUPzr$jM9Sk_bkYugt$J%RCP?uT<~NGNujy9POg(A-+{7Kz0ZS0`bgh zp5Ad&c38`mnhmpr47F>dF>!SRk{zG1*JG$I{Y^kAW?Z;v|Byk?D5HV2tKK#2HhU&) zCu(k8(%Hb5umM`Y7Qn1%aERdEI)uUWJH$9^eHoIkC3Nx!2$^v_fpYa^oZuTAR(U3?jwNA*YeDBkT= zA!W^jsGN&JN|vQ|2oo%7Q9i3J{6_lFfWMp_da&ohuA9aPXmInmB)m^zmBFmcuX3N6 zkLwsPtQ$GYM0G5l`@%s%TBf&xznjUMPvAGA0qxAUvkF4zw_{>eE#$~Ln4prchticF zt7;CkPB6Vac95R5?>DxMUSTG>s=4xr}=VRH&@*#YC>#T!V~|Tpcu^ zki{%W1e{Rjo*@S$hTjbg(w41?7wx+k-=$%+^4(0LJOzJP+CCmr^a1x`$s?ZlA&!>0 z2!k&R$kI=m8}-5xw3?Vs$R zAeM!*sQOKpxZg4$>#{D~F_^Fi4^ze!c@zxZJ#YDZUz*9tyJl4$;`w$CF*^fJUO(~R 
zACx@?EB2_aFr){Hgl=+)9>wQ-{R!ju?sb8>yS2F<|_d5>WuzLbMF#z-72a z*5+`&(Lvk-4;6+fNpe_7yhESlC32_}Cx4Yhwgq?2fR}`-24Fmd$)o5i21-%wkyTGS z6zXDB2maIGLb5yHD*6lCG$6_t19V9Uz72t^D zj`piY^e%PPR6rC|X`aCi7#(D^^lEsd7PI9`kAA`i)X4#a4K~ut*v60LlF+S>I?OWC z3TIQ(FhbO2$T>Ap&$x7r=Wva2XPV9IVed#QoB&z6ZHeC`!qXIC*X4L$pn&o9!v#3eR{BqZLhgO0-Yh=TI(dANRWPiH zeHMNv1yJRb?+OZ2xa{iP4(exfW=Bi_k)VDGI6vqOn&+PvM?UJmSi>--VS8VJ0_M+D_X zyXqBS4obyZy@arF`upJO*<+JlcofDi1?EE`gbAJnedo>mz3&T=#oRznqvEoy3+CkN zZAqJC5=TKR@`lg~W?<9jB45NmP8OQGU8I8Mo6Xrn7ST_^daU2+VAxtA_ih8v4{}C7 zg9QeIMW=BE=z~wb8#vnpNXSG0qejqhDH6?MiQop`f8(qY={ukLVspeRU>Db-e2Hah zXn@4)Q9!=DZuDsA`7rfwb0Q9Sy%cc>Z9&QAE-9hi60>wrLAw8IpC|c60d;m3mX{>5W~ec9O|6v=jBT78|u4cf+e^0 zK^*3qfRVhO-X~JdJM)PKg6t`~x$#jeL#~C5TBr1^UNxhp(%5=ed%7?T znORlsLS+Uozz6CkZ!AhgqTsLmCLa{np`>#_FV*GRD47kji*0D;qo9SNdf?3ZwUB>_ z-FYI4KR=^J{3q9G*TGPa`WOrctE8UlJ42cB?UEktD#9@8x0?pI#2U?rY2I-{CPRZT z8f?1+*sUj+&=GGFp&K0i0~=%6P72e(B5E26Kj&tdz(At2xBB(7y4kFa065=~tdYnM{zj`DL-tyOsw7 z!{u_+Fi7|o@6P>Hz-_erZ={$zRQ5(GfoZ_Xl?KD05xUCTZJ*6FF4BEsAz)*R8P^UH z^Nx*2{!C?}ODQjAHWNcCrKcFS4^nU_MQ2UuzC}%MsVA3ODUPg!m%DwzIPuZH>4bo@ zMkgHSrkJVC8s3cb_@G2^O0wIE+^ET^J5bI09+_WJ^Z0DQy#2R^%7B=%=K&hTbDmS= zyuf=NKn_vCBzt(%->sZvG|rOs4(%kVEWCk*)cLDu=U|g&qNkn4&s5%>Vxsc3|0mgn ziQtNtpA(=UPnO2G>7PwSz%@mq8`e}qa?D}UDA(GKf>3@{bUGIXB-(VBS(*8G( z1%ZEuE4tb?d8cj;pXG`yrr~h<)wKZ=8F!LmoAtns(*VdLa5za%aWMikj@AK08)U$x zYe$aKpUDaI!vILNjUlsS(X#)WWe+JtvjsWbQcpcy8jEuRdAgqFV~WaT1j( z+_8~tDf-{Uh1uRIcOp65zG2J)7J-{=aWPwV8|&he1o_jafT77H+zh)B?&S!5f-C_& z`W)H^&lIT7$>A(3BIq;gT#)vjMvhJdus`VCViI8mZ@p4;{eXGa zgU(|ni35=dk61$t)RvsgPV-ilc|E08=KNFd<*cSnoTP?G{qicJHI-R_kFt&ykeOVmH-@&B|ICWzIwkDU+Doky29dK7rx^x3x%3*R4}GcXajWq3J};r9#$;LWP2<1nhba}lp<&@ zC|0=_i*3WF+~zzCc{n;dNb5#C)G)UipcW7$PqJs8YV~ADpk<7wr0Fna4t1y?81&V_ z2)*Pv0}!7WgtN80_^z;JXq!#I6P59OSUPZ46wa07v=Uf;3&xQ&u`PJ0fK`Ao+1E`w zaKsZlU53L+jUo+pCn94&l8B*UyaypGewM8SG?VFZ@x0W5OF=Kc%+-Y>$FHG)WvX(4 zfF0Q_PiDf~>8sux%)K4MWqmk!lq^UB|L%>ie+Z0~DYeQm2zPZn4#Nex7n&M)to=sX 
zX@p|MfyOri?>_FWNZa8xqRS>YpM3N`unyqC`xk3+HT5(EK$9GtOI3NeZGE{Yw9+-k`&BErrsOT0L4KY(g!4^f*am&e>OOh#v3 zGAc8|mKgAF?cF#cY5`M>SvTgxvx{w%$u8$ADNiV4dShoLbmgzfj^4mw@&2oXDnpR6 z>9tJ8I7~gej@fR+!UcgPxrv^X-YGMSNn86o=bTh+E}{?*R6A#GBkNto($!*Yuo+^| znOsH!EeExbu4hU`7w&b$1lq!sHv4eXLxa%zYbAoL5Z+jEX=pVo9uVzIXU5Or$Ts0I z6;FKE`-wy4S>ufJR~z_z&Q#E}mR(77e$l>#mW)`PR~3d;?4$5s(0+9Y37pZo?9+XE zE)-K%c?Kh`uFJeMxCvM7BX4bZnE^98%>x9E5|uQu^g0OUvti*7=PG6XM|50^hM4%c z+*}O=VOO~|CysXQ7nMn;At}-46cL)RJBG)RM8$V7y82K?yjFlyQ1tv6isz=~Sbb?bU(`+3%GKl^#rW>qvge~!>r7{m zUDjcIomcn}WDBK|FzYp$gDifr2S!v*e3g0fA5>-IFfceiFI-G!eU)JgWc`ePCk0dI z^eU8m2sLlxwqu?P;E}Z~eM$$Qi587^$P1{^NU-tv3=e9iV@wp@`JJt*no0cc*tR}s z0=-21b|VE@m_H8BCf^NDMo1qTMhF)DS-rba)luE{Dt%GO9QbtPW*BvhL^sDLA}ck0 zIvB0aCs;+Z=N{g*fGYWZ{23M0%Wu(SIkCz@{VYRKoJ%Ms^H8i1we}{<02^`9{y0TK zmX_ks@%QU*hW-BZu3-)sFQ#=hhbU`xIB5n<|GMbrzD}}iiSpLF`0B=yMkIEwLUx-; z{-wPV5-sL)(VyVlAc~SvHg1>iNF&h8ay2@ySp=sUGoB!{2`o;Hq@|d^8=%$mfm61- zQZTV^dgKs>J7u?}Onl>?MMX}*ptmP3gBjS$V2>}(mBnHg2gfMKLbK4 zWkCcJAa0)9b@CX%XwL$0so=rHgp#*N-&3zK6p3gU4e<6R09R5T0G5Zd(bPF!GfT~U ze?J&@M%RjU$CtEPJ&-p7Px6JELEJO=mR+1wB}>(Y>e`>3YFS=uLmkf|+}0t}6o#yd zLRUbT-8$_ViuCGm_ql_Pp1!`hNqwfqpWgVV+e=UQ;)gi|qwZ|IUq5s`}Gl z4W#&hd88(dm~fY@7@lfXe|1MF{f7^9zjzH#PZl8`D{yH5_MlU-#OD1NF(7@lA;obc z<@}zOri+QkL7)I-D9OLlI0lN$F|%Q4iP^wjt(WUcC{Y`)5l-fM$&@KDg-JX96#-0< zZ*%sVK)UADci!(uWD4Ujt{JurXxu78XE_m`3f!t_REQwxTDd3h0!M=U-Z32n#~BZ@ z-y}+lGX@ng(#11KDA}}3MNnQm{A4D(h0fbQS&H~UfqWe`01_mYQGVV=K zABZPe<gT(lE#Icm4@=pSME#I4;ThkOvnCt(Ad_Gsy~%-%QB;5i)aOx3!TG{Y?q97vSL?+PAAW9Uh_v zT+s%DHaG}ma1QO$?E#5Hu7i@KmvQX87s0&SjdPa+c94fbb?50suDq5(g@|mTXTvce zb&l$hz`(iWI5FXypN@zL^bZ+-8uF zQZ%+JGH^6T9Zf%_AAY!ptDng-dMYxu?VThdg~3mC&&Z|((stm}-%~EgA?*BTYlG&s zdp$fvoFv4xDB#16`~BNU2e;N+;&r|_SyUBLO)~(e3Xbdk3mnd;0MF|vRF$}i@@11q zXQDdMlAU8I{W5$uyE?x^EK}%gDt|o7^vXlvdx+JwJPw@@S~r)0smRr<-M+W{66Mrn zq6sLok((*e3%)_NYi@hI%J?;Sw`oEc{bR&^g1=vf@)h7uZN!lfhvmVxA4_+9Mz{~r zHHT_(^tmKoUa8Q63xvs9gBoh=`E9?o?fo_F-(~0t88YF%O1Ol$QF-J{q!4q-fvdE; 
zu_1Fs`W&~HvpieZA;xpnoD6?QD)4^U4kF9jQlX+45h-xiG)e(3YsBV#pfn$MJO{{P zJ+kTj9e?I5c) zh;Mb9ZRt+CZ$c86RXG}80)N@h7e|2ep<%sZVPb=jrykv~2s_2#54tJzq4bb)WKTFE z47F!Bixo5nc`e+*aTa}pKqeeA4f!>X#uyo=6~Uc<=s1VQ8nH1}22nW_Z0MkEttqE+ zR}o?GF-(I~{k-bMkjsuej)%Hv&g%kj`=KZd0dt&paBH}qi*|;C54h!Vx#JhBw$7wV zvP6&(=-xAC_$v4*8{$-pn1|?_m@o8-CuP4Pc}=QNUO6Jo=H^ z)G-%`=f#oc4hp5a!IinK=;kI2Dv}z2}$KOAAfo zGDNDxF#;jTabpK!s@{+j--r&=y8_u8q-jNNqSAZ7LC+)~i~iPX;UB>uw*fPUU5#Ec z9!vruM$^47>EvN4oRzH;(x73(nn_U90}8+;Nx+57*-p|^?iaVje!LC!p}9w%VKXo0 z)I#J91!aZQrcdF2v;Hnfe>q;~BnIKNBo?Plw_@6ydBS@vNViiG`}?QuNwA4}_+fia zrK^(rG$PH9e*-N62ZK@)Ha`h7%v0 zgzh7tl*wUmgfA zj@JaCt6o}@wAs7}z=LkyTwb&+X3{H0jnusp;ILl5|UB7iOp^NrYg(9Z63& zvtM;ZX!VRid!+?&cc=!}g6s|}zgQqELpsEkcd;j*a1afrbcY-*|q%x|Y3gM}^tH z=uYGAk6Xor=uI-!DRl_|^;u956!kP5ICp^R@LqOYiY5reg6x1e;-&W-#@R-V;|le=9iKl^5zxUnt+T}B0y&AJcxEQv+Yx@W2tl}0 z*^(e&1D`_Dor9fRvC4P0=7eL}1RTfIJpIFw{sLo;Kox&7-|98BVh?$Q#Ygv3TPLT} z2S$Gs&T5J;z>B7pL#b?aY*w=;P$&HH=}aUbI=!Vzv-vxq z0(-f|R{y9(m*rq#UlXa0+J~%yf4z8EV0fFckkvsuG(Vh>FbPK&8WL5DVTIyJr|*#* zA6hUDOyObqaiwnnGbD^CX2*CRYk0~+DUbVm>nqpcnOFKDs#)!@!~ z@fByi=~x+Z8QEl`FSJurhs!8))FsPK7z{k;NO%!A_|9NPFTcJ#{}p%tRlPJTATERg z!U(aFEglC}2Tuq6RYcT?6=EUo*i^+L3}yv;e844M4(62nnvq{p?4$JxU?I0*N-qF z9SA-X7YtwL#yKZR@&zDeV|uQ}S+J#b{R0jyD)dytS`kttYOHB7J(Aw(`Dj9L;MA1u z)WVkJjpAPTwYdA#&Y5KT`hI95qDoj*oe%-yOL3EM6FklE;e-uK^;t>UFZLV@zod^) zfa)n>#-V0ey{tx5C8NMSz_n06q1bA|l9n0_8dslrwYO*MN8$az;i3MTlH+f^+pSTQ z{%^@dx2(wroh<{FH}}0Dj=kxafFE>v#wdIDv4gK!*$x z_t~b1ln-bA_<$)O%97%3tRK!*#{flM&{^r;P?yTC0;>=jR2-C=_rsNYNSKf0wiCCQ zdIn>Ed84PY(QjTR3=7aoA=k<jlV6xlTAU*&HdDtV^`=NE z+Yg~Ws=V{%;&!4${CJ0mFD=KmqYDo0kume@9Wh+IgDfJA`MoSAI|Ie#KCm@sP+t%_ zi0^o8&>v6qQ+I4TbB4v^ANLEAU9*_j%IqV=Be)~!+)-c|&n(qRmvuX*^q3AqfI~Qo za{wXmi6J2NK^TwKzpTGG-$$b!SjHhc$-k^0fB2|FcII9p>~^Snhy+4L5+WQF9Z}#& zb6Q|QazJWx{G6e1K`M8?91R112IfL3GK82iV_6fe&^tUmYvABB zIfipm#catkS!4dlRtJ5T@;Qo|9rqio0sj)03V4>H)nyMY7cZj2PjS2w?bha-^HgOZ z91AkbzT?}??BUyvGzmDZl5xU!;)Xjrpw|mT8~El&(|nx9j_y*Qjf7e*DJQ@n?8BJ}O;1rCAs-vd61lZ`wx166$aR 
zjDsk9Lb?FMuzzTFi8rCf9(INtJXF`l;y1Hg)=>Mi`?ZU3CnF>0pDC{ADm=cHH8h+I z_j87EI-$kTaeVo$kiVlQ(RX~9f0Ns43&){x6gyNvF&U?K%Nxs4wzN1d&VA<1OW&kY zH`K8tRvD)n!{Z~+0cYBgn50JTahvph)6AdBb-dji+bP`x!@!Z5q`Ue3Q%H|ky>to# z4b&*&E$<71NH^S#(zns7eoC$Kuwiu>eXF5TL9sPDHa6I~ z^uIP*j!Z*!&cL@D3@* z6B82?3!!HQxA}7e3xUH1RB?OSS-e>z#A3(Nj0wwT6gtDJqqkP6(G)C>D|(&&ik1o< z#mZ5hkBnbh4KJ0#|H9NxBgZ}jSQ--_$iKv(Ao29z3} z5vx0v;1%#<=aEkg=RBgtWM`NxNwQOC%fX4AY%+Xca!#~doe@rKB#X5ep#Z~z26J5p z&VvOBiouRz$1>t|^o)_dz`Q*487S|q`D}DPIB~SiDJCXXmUBkWoPedMrQ_Zb)8a#Z z`sR$HrIGjC+KAJ7o2Z+!O^n@|F4uL2#JboiMZ@dkByGfK-pra)3hqOg14Y0|rE8>X zY>ebkeR`nt>+~VmzL@8W^)DvWV{@;0zBRw*#rPycYkpeiHm_ zA~t)<325w=l4kT}F-y9p=96?rSPY%fKaFc*vKIj1e9bw9RCa#3o$cHM#rj#Sb~2sY z!gajb$sHiMCth=IU-VKmX*dhA$Bte~*=ePwrNGuXr7&jn((H^L*#~A-?WGNvsG_~J z28&+1qnC2%-K=?Pm_82z{nW5gb7!G#hEixH3t0;DPmzMV^p*+HeO~PDpC1Ti9dw7o zoy`}Ro*0+=0jYEGHbBA*0R1G|VG$8I9K#$eHmmU-MSt1`Qc#2E2@sg09VPlx0o?p) zDVmnY_DygJ69b0(fBeV;piUCdOVcmN3?;6J&}b%#GyLX~{0bF%b+4h5IoM#~aO@RP ze&Klqv2-;?g)4`fxpbc^9)0Z*Xw#ubky$xj@yjbdkWcD@VEWV7*O!;|pe8t^TzUViwZxuJQf)&X?3TKdcIPNzE zkW?rl`fn}1Q%y(-M9x@u&zd^IZ|7hCTqdg0e>W<{a4*F-}M%~HYp+(5*x@zdELR|~+G6n0d zWq|m1Uamk>Jiy+qh)!Xh(`*+=A((38?^7RmBeM9J#u?HtYQXwyBr|{3;($djS2N)_ zcG{1?->h8QmH(Ivi}9vx=>>)g98G4v@V60`qcY$qSKp`*$y8)Tr!e!<0Q1*=WO+%e z5=cLr*0TuT`QS^0GiFx4GQt*uQ9@CZk(+--;vX3x7QuvJ2`20QY6}Z<5hXgTFiQ8v z(Bjnclm&*~Dq*ENu*L#$H#NP?fBB4&K09qAd1mbwK{*%&HXC)+2f`9FCn zM)5p@8jAh~sHYLd921TtN$DUYp^v-2ihwnU;P&cqf^H`yR~?!1NQxG=Lv= zV7q$Yh%&B3LB;~w0}BrlT<|EhpS&`9CU~e}^!t*h#HL~z1X(79y8X01E_K6!)_aS?3i#uJnA#kxy$orq~DPne@_?lvb{=I7;mOUwm>bTrYxy z1s%0MGL(DPlE#*>vx8DCLYI_#?h*IFqzQ0wMB2M>D1eIYT-+uxmNhIDez7i~`jKoG z0ND`pCss80R$$f;kY$6*Z2=7}&}^v4DvRXSn#}CP4gqVHbPO*xCn#3FQd`vzeXX&M zCQh)uS{}W$sB?9Vuc>H!T|vKNRrAeKUfHkrz>r3U#e-Rhgt{xF9l)T(fD0p*q!bG1 z>UmLogHKqrN^0rcj7OQr6FSJKEUK3LVDQQ^`1|rFn|@v$Ma;C861cE9%Y;A^1&YPB zP>3vAN*|kSZ8%}YOycz0p`(bImM#HHhB8rTqG0K`P>7TkSx7h8aKeh2ArHe1CLvPr z1uXqZKjvc~UBxv~1r4;meEjlmNy(>nN}oQ<0n8OZtBCsz{v^3B<5yCkTEzUDE|04i1+Uv 
zx*5o90Q7OP0YT#71roq&oWZ5bgp46kABPEuLpy`=4N|v&?$;B+9_a}hN=s&)75~Mu zuH;hj3Krc->|QLZGVVGii3vEt8b{8a7q4Ma92!S(GH@}7V0J#i`Ua1uhAby95)qoJ zzF`sy=;aWznO8K1YK^u1V4n_a>ublH0Zj(#8{r6c?GDBq8xrV1rNjyiHa=KU-$T*> z82n;hGM|rBa`ikUK@!qEXR1cssPQi>s#}79A{tWXAq~Db{iNIVLjd`kg@Mq66`ufj zlhUKo+ULzgx#HucfOaRt`fW>pog-;UDG>@QsbWV01|j~C5F@ zaC(;oi^0@U*Zn2L`4G7AB0L|Q4kKG{b^R<{Es!0>n(Msqv(O_~i8blCj7lPyL~#MC z$lZ1>eRQGJctgx~9m^WDoLXx!Nhx3X?k*sbQ-=xFSdM7m(-pjb zsCj&lTTs&C>O^yY=rj;&Bnl?_dhhY&=xXRg6B&PtigFcK)4B?dGAIGyRKXA>0m@30 zm=sPBXCZcU{KWQNTH9Bd3jlsWbQLI+6fAytI4GgDMiZnYUi1vSHb6-eV30{v#h?{0 zY0{=zYK~$}dra{`sXFvfNCaGF^;SakI6C!YN7sB zsnhJVfi`$nP1Q!usq7%+lWuDbbV>=i*2dUQm5_DVDqYiTR2|`;MiNn zaD&WBgGBdTay35FX5K3!724E3wSh;_sgWv)I%T9{yGH6Vd1i;U43B@BP$^Z&ti^pw z5u167Dh)ITS(T12&&rGrMjks&+00!YUfu@JZY>5~jOQ1(0rbAH)8rH}2${WFUTvqE zQ#%CApUqNf*XZ)X&wOs2Q=fz4f3)U@U;1D^1;t};v{1EAr4ExCc;szTK}W1$Qt?hO zyG*KHPF>MsPvmee&^UWZTE{|=DmHRHd^L%s*$L{L@l$f71_h`VL~t{jt&0PC zj4~2n!(Gu(Fz)8kq;u@v_%{z6ll~Wibdwt!PPA#WWbQDqGOH>1bx57CzO}?In?~M=gY~ zdhwRh2f@X2V#1=_N`tmW8*l~NS-gCd(7z-WG^r+GIZ{1@8Gs2i47`93Qn|X25Y%IQ z&CsXJ8_@tnONRl9!_N(T2uv1aNJ{gt{|}p@6(Be4tE_5Q-M?$psSv?(II^h3#Wcdp zfgT6VV2N&E)P9Kqfsg4X;nCr5>L%aGx}8SIqU}0ar%q&f#V;$>TY{S}Wyc5HS})($ z$_iV$2^2EmtJ0?DRD>3*mkKHSZyMO6%oXt}iJY;{tOAb39>;{Y@5G3xA( z+iMSs55D+Gt`|&bNFSC{D5=Q%+ubtHe{5^SigwAUy&J&z^^A1TG3r8}GvI1g6jQ^W zw+d^RM6MLrPf8TX3qbE3ccPCJ3E8~@2_E+&8d*MQ!+jnIY)qlrU`8jA(F{yP17)@G zL+;PjZrh-!dzLM}YoA2&cA2-%+o)>osSSo?g!JQ{F2A}5GL2HM8*gRwIV z{gB8)y)Q*I2Cf_5bmuQv<7~YFp$Vo^;|&~wnFn_flzarb5V!+Gpa}$ndUaCno4v!W zJZ|!gcM3j-7k6=QKJJ<3YU$D)P+AkmdM5jM$PCW7C6VhIBfW+`fHX^Le^z7#c{z$J$Y zNC=<`#1T5;@! zw5=F`Xhs9{*GvrljCk8n#ETA4eixTYTH0QCY{go}rFV32ijEVKOVBa0=x%}AOByOA zdd`Y3T|mwTPYHP=X8=50jJ`NXe%hEiunGgq>6hFegc|c#@$(h@y8*G_rAf-htP_>q%?k|m)I2jdb-)W2R zBYwG~xc(OkXe|d=$)QshXxpOZ3!1s?B5$WHP^AA%7mg&wf~>Iiz3{7a>yn(@Ga|k* zX*a5A`>L|^+d$~wC<R?fbkP9QZSNyVk@xL^y+qEz*X>z0}n24KG@Y(7>qD^V(o3SD(r3Ix^ z;KE1|7lEX-A=$9{@dXB0kyRrYtwu)_h;m{%ti2es5^P|AT$DcI6gdqPpgb7FIP&)! 
zXFriocKHnA5I8ZSM%mtJu;K4~@c`D)!x1F;1#d7%g$ofz+<{!K6vBD?+JRc3Z3+Gq z;UN@1yi-&z`QIISRD;nX24_oR^6STYI5?u&8|_(~4M;M~{Wo7+U*xdomU2_YU*Htv z8V5^*Ttm3BhDEDA$J{R-#WDDKHpiZGs2O;Olf*wZP*(gn3K;(xwIdA{IS~Qi88yDL zbJ>31f<9@|>gR4Lrfl~{w+EsE-aw+`h zU~e>CWM$=ivqGT%1_hbuH+^7+c08E^4k)$!rQHXd`lApd%LDg+Qk{NY-Wsz;tP$G9 zTQ(NJ2%0ZeZ?k$9yN4~8bu3heHp6JmB^r}ulF2tIHyEyA^iEh?f#k>Cfb%aqkM(v; z&eV*%7ZqLCbzT4JO!7Uw%4A*<(Z>GQTOB6*=pp4tmLG40`R_C4V@6|Fn!k%Bzn=cq z@>V6&YE-*2`-cImU!wKvsh z1{6v~otlYEtA}U2$!OJ5@f``~)GmE>Otu6Q z>iNh@NCiClRyXV3QD9!>JNneVqbpus6|12&sA8wp`+jcKTD4j;|Jo0Cmfc%YQQ66X z$z>|P!}aVm`O}<-n_%nmT0Sd&K8?3l=j5E#B>Rk$x0(T$o#0++EwiREQ4!5u%$Usj zqgl!&0bU6*JU)(3kd{*Q4r%I3-3b#gN2Ly3=3UaTInLqXf-q|%y|~r!;Rak55L{Nx zsHYi=a4^*{PNQ2sCgp?!>LUPI`rhw1sjNNVC>o!YQ$8u8kV4EbnRwn@!z14_u| zGHJR*2|1?W%R*AFTmVT7lBH6)CzE+`-`~Zl6cV_G)oKGa=a{uT2f2nf41`Bls6=sf zTs33(0YsXeNR0seGQa~YK-u8sNZxqRI);UMQJ+J|#-zxccLqUBo>Tzyr83<;ri3Ku z&rio-)fR6|=stYCn3a%oAIiXK_&$Mjh|wp&RIKd#Esu>&$zNWt+IEYk)t-SRP=O`5 zVO7z|Ky@?CM#>oMpV=U^nZ|JLth;s+gHf$}e1HhKILy%Sh`QG%3blc zEP8Yoi72(W@yWihJjP4SI+5O`jr=AQpBX8@HEN&p$zSc50vPC~91UdeKMafj!By z?13$2YEQm^WG>=L7SeI$lTZQEc@F^V~R?$@d8c8ZFumn)l-V{2_(m5|LVSrVR8 zi)G5FzF8ke>K04&7DB0>cSgMM9iK1BWjr%9J2-<@W){p&#AUT##B3TmxER>$Azt#D zX2cZT@@h%e*G>>RWV4U-E*O?Qz2D|wZcS>SRj#SH{+{G2qGGw;U#bnF?C=T}xPt5p zl>Mbx*<8MJ^pRUmhMsvxVN%s!oKxRP->zp`(d!`O+OHjiL^Iao;V46sD~BR!%GlOfPMCvs$@C6He-t0qe>A8q;CQdQM(OzKwq`5#zhGO2<& z(BFdx3ix4iTOCG67o~|35(bRDBTC2=<=(1fLJ^&u7#whR?Xq1S_~(9Qa@h(nK{yZd zR$KETojXYCr3x30;w64w_P;G1^veXGcc`S!^QoyC0D_=Mqf-D76b^?Y;%F!ff+UQy z@&Ob^N@+@U`7n&J5JJ)r1Y`yP03d(>0001hAOL7TEwDM}%@v)_x^()>z#;2W>1y|1 zZYY$0=1vx%u9{UdZWx#{t+iYmQ;$V$9)XN2NA_R3EOT^NGNT7zr5*m82Iz9AOvtje zdnZWVWYV>0s>upiK=Rl>^tQMxD#kk@nVFLapH(rl(xCMafKh$ugZpJZR|h7)Y^4O_ z4~+rxl1Xkhd5~#})J|T;w9t)4$}_LV5nKRkSC34fVLw-KBxabgiW>UFAFN#K5shIm z30-Ds!?M&XdlXw#jVK+(a~Q+lHW>A==JMyrm%!uS2tesoAr>JkQ9RD6N(rCB8unj4 z0?jZ{F1s?Zn|wd28Cb(DV?fwQu$9WD&3!}ldD&}V%!{oH%bhsUL&KhVnV<%i4VZeq zm1?|B*J$2ms{vLfgFHS*}{oOe|*H 
zH`?jJ(9F@m^cK(^VB-#W(aHdpy@#C>{L(2-nja2soPWExDdpWoOrI25ZnL0*fbMWFm;U1OL7}`du z5U*Ne!I|r+IeIm;8D>5h%Z&G}8U~p|QDpeY!MNHgIiYI0ED}gaXx%})rpz}pqn9VU zV{gz8pg+qMsF)J@K@}MP%py7lV9v`9!w+OJ0pazq2@NWVwJ~%gQNbYpM>huc9OI24 zKzN5b$X^?1QWelv{WmU8x@xBS9~S@U%)y!cfJ=m3T(M2Gi|E=tR1G?$FS$o65N4Xc`&+C%+*F>*Y~Q z`B|7!jR{@obekN*Uf!|^c+ z__yZLAi^>;5=86DQiNP1vu4J9N^$KZb2|)ZQyVTeT^gl$A4~E#K6@*r>;!OMI)V() z`Oo4m3U#z=`=Oo{Fmkb`t4!{=Yr1v)ux_^JtSb9qbPVmU&R)7P&r6lk;Az#HCZbOA z>Xsnb&m}x&@w8!6L-P&m4XZh!Dw_=IR5mqHyLGl&(?QSzN7!8ztZ^{BBPD!j%hhx& zL-MUaoK3U@&%qF7cQnGR+GBWi!tXXBytPBqB|0xDSjK9j&W*xw_J8f2DD;#Qot5b{ z)rZkuQ4Lva<%+WDC;F>on)X-G7>*M8eggni75_XrN4$2a(kwb-Um6*w0}r(Ark&e& z8n1{cqBs&C!L)tqL?g{yz@hF;x0bX(1LIaBZ-W>C&|5J;jbdeJ zh`F1akqdbLggbP1a3fV7n!K@i*X+91`+z|pIN8jUKO^=TkuHR&_m8#k(I3@F3r%Oc zdd6lYc>;%{s=+S&*b>brH)!hu|4pZO-Jo53mVJI$#(|6|y(L}oLCoh;MhsyFbvc_g z0ZHGkwM==4s4?WiktA{9$P$&SoVa?RaE$$?3m!F^x+1dv5SUtaQC*L7KLYHp7*~M{ zorc0xP#_Ar7+B3v>1vNvTk$>2gB7g0s+-w*)MQ!8eP@NTV5sk03fIWjky0qh`9;W=zwXKIJ0mY<{8Op z$f5MgCV-wXubjXBIG)ZiMth4|EGmI-K?O{WL0zO$QO{0l_7Y&BZc+a+ zK#trG_Z>{XL~zU_i3#YzK8QG@JkTZyjdv8 zkm@Y|i5CkJISC_mJMknMLw78C?lvvYlM87)=Q0CcoILxF&>Q;g)Fj`<`PehGeMH&P zyZH9ZISC94oP(;L!~i<02+a(|I$V}_Q5ph&T3jWEIi@gr<9`2GDuEWbc?-u0hdyU` zb_kx#@;1%a=zToDtx)~D@e81WDdTJTH~E4x0Gspk!X>)w5hfqW`ln(J4@_;G=SbCS z0}?r(+@))|G3jR=Qk+d)baPY|ABpN%GVsC*@bX|fR(Rx6VRuMg)v|w(@39136enyx zGpF6EAI)QDAHzT!%?Twn)XX<56`^XXA_}rwJdGP`m@=|Kb@`G5I|ei3qH*nDde=lH zROq>)HY)X^^bHZB8+KfP9P~`#ep6SwkC2GWSd>?2kjQ`S7mp7Up(e(C>;wP=3u

    Zj9SmQ*bAhWElw5w4iOGrVic`l!&>3Fqa%xc2Yn_m_X(QRRl8K-;xlGJv@Hodnaw zOy4)#s@OW>K4g>3j36LW&GFuekMVD(Q6v&oi*0*{Plme+n!I<4*!7teM&1sB9eY$t@qug$2i1gJNkiux#33 zQUgB<+{&7sU9YKYyA7A!iMrGPIY7q07G=J(kJRq;8Yw7v8Ak(}X)jtIvxOo12CfXt%GgE^d%UEml^f0}|CB@xUZuor+PU>;%}hbl2N z^g@U@GM3U9Ar)+>yu!bH_$V6Llpbl^G(XJbaNTt-aq}R%d-7}C8<%kx2q8IJ z_BN47OfVUv1T9_~@K#lqF$PYBVeEfgSP4()*b%AkO~Z^=*~3t1bPbumWO-TIxRY?t{pAg+ZyZZeGc|SER6ZYG;snZ~)0p z^gPtY{SkZOJ_KuvjIhcUCEQmaLt#Gt&|5%Nb4o=j4>K&^$KLL=fF(cdz5`&UI1 zQs*xuGNe*Mra6DiP99uD0Sgh_11I`mM4QV$@CpzcYxE!^kf3_H98d^d9?u2Ahn~sr z!n_0!0x0^!^!%~t9pO9#C8H>^x+@^^-41)Xd82erI>80Wk>$1`0Bk~S;MXM^G_&YT zu3%^Ev8)l%1oh~OF4ANAm6?l~x1pr5TUBX~2bevZD#GQU4OF)6E_+P`NlCs2U<5?P zn_1`O-lI}Ip@}z#Mt=^}St)}bxkdB?-c%0cQ(6XYy;_n@F^1<<$i`Hc{>LKfET<6N zu4;$;6#q#R^|+f0JQSo9V|k!PqDt-&bS($7X}q~)O^Ty^)@Au@pT_`Mfkrk)p-p?= zB_}JH4qEvewTy3`mbYR7d(Td?w5L3d%urc!p|_iqWr4|gXGPBU4c}ZlI>bdJ?*wI$ z9#qtQ7a+cJtZ5XotKYt;f+pVbdx#i?sN>YKjP(Thj%5>1gSZof4e>J&tuYV*`YT%L z#5n9|SXMIjfjs+mwxT?Ru6;QllKfD@Qt4+0OWY5h0g%&&H(LhelQeF;^<7^8LotTT zb_sx6*>;mjs4c=|1e@?f@#G9z%*it&%t7A3L98{|SO@ZohO5F;(V?@3tG-A+=yq~@ z!WMZ0XXC_c$q?&^(!4|46plHsGVF6}!Y#-8XzCQZOVUxMJu5ol~@iRz_mz$3Yh*#Bj-R59aJ+C7GyPBc$#536oKy@v$#-T1cGBk zilJ7L7e|v!)&y-5#KZwTV}_h|i~tMUI3R z$lq+(ZBs3!0Max>gQR#zYim1|I={6mR>{+NDgKOj)Atcw?m35(xthx4q2rIv!+Rd>>}-U;Hi)E_UHX< zNkOlpt>t4?)cS0<%rF_!STV?h9+^|2hB+V=iRO)l(0$-2$B6pJ(Kfh-Cj(cu(>@L0 zyzpg$;#l<0M*S#J9La%YS!s@4v`ge1=u$8+LQj-0NM?$CSPipRP}7l~)Nl2mkD}`f z2gfI#4{I!N3AYzYhR!)`x;?Mf&dSuB`$wBUcrHoeJ8#$zVZ31}bX$RuSfwF#Jv zNC7`as0%~O&YGS~?6}$08+4IbzYEt7=ssYOGj|Ijn!G}5j(1r0@#7ZoV@r6!(jDk6 zO>klrKzVM{9c+BE??*i%Z<}Nk#3LnD$?0tIzo(I62#H*EFTP`n**~;?-1)Y5v6NC5)>EO zcBF!Bi4Q$cwDsGc&){mZuluizDKnr@$myq5Laf7(otBfVO3S|X<@`OR0e%Glmq(de zz>lZgcW@H&IZV(1^21B+;!_$J-aH|^ z*cm3O4Qcnsqp0`drezS(4RE4V6XR!ie|IO3{5tl~E$j95%%_}X!yRS)hf_`o7iK0> z+?5pZ;}BG<3*ECBQBwz+8SMPLD8zfk+ACSF#CrE&Vps>VKCQ_G=0* zXK6xLs`gcA-T7DZKCLEM#kPP@zWT?;+AyzsmdhM= zzvFiB!tEn06Y%}h2^g32quMXsjgaBrW{?TY58ToQf{mWMLJ1UQeci1{x2Fg;N4I+Z 
zua=BIyn&_*3&E(O)VkksaL4tW}SB6YJrV481UN+YhSLZ;;D6 zYz`9K`U!Z)!R$&8C?(pcicxlct(*Ud;>M|y+zhI8-3;PuQ z${Jesbt2Y{z*nx{+{az41jm=};M+YG#iXN0b?7{+B@aPeF zOlM|1SlEl94R!;EaJ2WW7#?6N)WHf(S5V$=UErh6Jw}$F(P5)vY0U4^LrXKi%nh0RIrb z3?Y?T{#<9G9;itKN)`*k)!HiSQVC>11~+%)L7_`1+)iJUhJ|CsoE}g1o~U@9(T2T zM*RU9nv$)FYgc82NC~kK%tShcw2>*PBO^`vdhTC|g&WaYqC(o(xDj&3W)Pt~*u6LY z88SM#@o{Xe80>?Fe*D_j`+dA1au*FTQ-{$<*RZk)vhOU+A|mqPk0sUFKEl;X^aBO& z3MRCM9nS$*Qoou@K>eCt#~#B(dZXU#EptR9gv?ZB&O4==$wRTwL|0!s8%WVx8rlwU zD~rNQ7p39MAR<Jt^~)yq4M6mmW3L(Irhh)V4)5ZcT!N9e=Q5P!bcUParo0P zx3LydLGl6Kf7%2I7_?OB6q&xN#9YhDU{vHi1 z9TC;b*Q|iRFaes^dox%l<+8n?v1+gwGc{YELU}+Q8Tx5mu}E&n2u0cd-@*9vl77C) zVVy~E2wYFcg-5^0hv zb9B9WskX&7XP8pl&vNXc;74|cl%t#tII1L-`}eu!1+K*g#!|TIx+wN|OjZ`Z10)@Z zIH%AJ>4nXeO3ZU5Xh`}r#XC&ci)hrq81xJo_6$e_$=(OiXrdMyTM=%ekDFPAuH~P0 z-c@|*ActRe6R}}f+bT4<;mp5t zFB{QJX{e{x_DO1(Ak-kiM*zwZW?sPnL8i%@;QiK$zUXEpV;Fd4FSS`lp=;Z}A`Jl0 zTMY@@W^@ZGRcVo)SJcgdrXIMP@mru6sL4DkX%)aP%due092K(Ywj?g35Hzsah#HNr z6e1%~yDo(HGTiM`jl{WXZ`yxX7QvHIRawZ!r9iQK^$dC74Jm$1sqy6HKs2iKp16&< zv#T*K5ah*!b@XA);mO%Vg8RwX5QobeHuu1!dLObqAl|lH-JbB60fjstuV&5|hcpDp zmcR4ll~IaYf)MonCQNLFjr*Lw7McH2 zfn&0NP=Ork82~=GhG14HI&K^Eg7LmYv7@a~=HuCuqQ1KF=z5bsUv6?-eAc!fi2h1d z`{;0xzi$hNV+moz%Kgn45NRehK)|84T zhecs{8xgdQ7cmdJ~Gg3{yan#mQ^Qp*|3FcrvGDw5?sV!luLx+%x;msyQG9o;K zd<@Nt8pb-y9Ep_~VZM4@0+!4s~as{R*3+GU&y}GSTj|br;|LyvbF`?;J}l;EGm!CiAS$Gh>Fb zkF75{LMqJO!U03ga?2cvu~+S_iMMl>W?ASh9|<_1&Ofl%f%mQ^!%|JIn&HN>yx#8g zwSl#40o(zsfH};p18J9a;m@04AW0hN&rO_@V@fFswnwuvW!g}GoKx{RHS}_1e{mG- zS}6?u%@D6#QHzir)Z*rhfX*ifzQFORz-sBw$GQ&JVs zJY{_ILVDdBSMBn2l5Iv^{bux5hf zB>+TBKLI+?Oln%9#M&C{drxXKU@ptTF%6JqO!CO{geX#P8e`je`qgG9;^ycurin_b zhIKxNFb5T(l0tC0*Mc)Bz;+V4%UHZqgt3^f;xulLfe0GaQ`i_7CpEaf;Sx9300xDy zba@6syf~M~LAf z|G*fu@jfJ-hKx$*8U^I$&c}Ay6Q|cf!5QQp@oU=BliA;GIO-0=FH^AfecT{Z{o^j4 z18Wrf7bA<|5N`V~O!sF-QL-ZrU1W;bX_*ur#cnQohG=%k2d%MKQK!&zaUCctLky;S z8sa@8nV3~wpQX$b@jjBc0HaaM*tz)wF{X~UsAUmJVCgC_q{{5HD3W@%M!+6J57P11=k$E|AMHyBgXv5Bs67Vup;44ifM|wW?LZ<5u!$9p|PfF^f&{;oA$_cUPyO 
zZ1keMxkE9?G^I4;2g?}P?Z>fd&zj^N81TFsXPUQKoGH;DL_Nf`iU(|1^;I!L7d{Rr z2yap|f=Hb3CwY+wxf>Oe2sEbD=^^GmY#Bh&K`PL=#Q0$i_SkHZVxsycqaK4eEC7Xr zHU^?ZFWY%hcVEnHlSwu<&vC>c$Zds$$N{5CjOdmlGa09V+?m+tUG`ukuSAE>+dUq~ z)Y_V{P#JriNbH)kDeNDokW{Qq^CY4*o2l00Mw+YY1;w*wP{z|_{}9-GboCeND9j)vymM|*TE~%9Kd~J~ zK1%KK?MsChZIgM)4LfAOeb=W{#TOaRF zLmH6Sp~`_`%H=qG=u$peivaVJsz&T6N#kSI5wTFzFX=@H=!t^T3mcjar0$)259gTP zANrS`%*(;libLe)>3gms_@{&?{br$!u8aQ3tZn=Xuk5$!_ zliEn_Ri0D?&YKVAR7q>uNaHaM9!og|&>cYw3S%F~xwSv7JzaZ;XD3=^Efyc*3EbgR z5(mtF2jhh^+m&Ist9;&_y2qkgVgJUR&I&18?aBbw^G^`xJnF3S%H~D&z6cZPa=HN% zgE5>|)96G9B?jMs6Pcf&t@4|s{ai#h>+?}&Bz zb)(2d0q9(NHO<8E826*?hRy&6P0msk+!%~%J`uigaz9*NW3rjk%OihCY$5}QF3x)y zV=yGlwU;@~8r-^r9h21=tsqK(FxbJ*!537B1p*UBdAs>ODKEJX8QSyT4jdbAd@CLiGM3ZidryHBSIncC0r|j3qTFdt_ z(uZW4SEBfZprinzZn9oUu->exvNkjRc~9!?c1{#!;mL#^WD9J_;l8luAjKtW z{@!gjk!CBck9r$CnYjw+DY6s)n~*i2*sAtI<;An`DM9NU(kXJZ&pWc#maCv#c5RWQzMRl+ClILPUZPrQjuO1 z)DqxPU3bcY`0VMJF=_^MC#7Jl)e0#O<1ZS`HDE+KXri8um$lq1FrYI4;!a$z%a_i9 zVi;_xZ5bfTFOLEgS);}<=BO(k3wP{*2t=n3E1z_cHUvZ z388KVzv?MX?i>;Arb#=S6YcATr8NreuN^83Ff*ne?5dk-mc4q%!}pBd5O)AT?TR=$ zORP-uWOLS6%Pt~fI1R@mrxAA@p-;ufK>LOyL#%n93gJm9wYM+mTg1p%MUN)&io7-#bmkhC zZh^=*I5~uKHu)(CbHUPq&ejUCZA?F=6^DTEt^3);{M!Wm3#^mbQnMNgVt_Bt zk<&LSHaou=St(4o??PcYM&P@I-W|q}LX)MY0*t`BZk%5a<7_do(cD?EhHvHu67fMa zf(@fVeY!>yiq_)@D+##jS%v`z!lrZq*i*h%_18S*62a}tliWlA_VdXM{SPaKGm z!>3Yad73&JbN2ajb~#YMrSk~b7#7pfFNK~kyI()_1Ce&FZk$mu(M*akDEVu`=->t( zebAqkNd{(%%yyqxkv7ZQx^?qF8$HmveyWGeg+TajnteRPqJ&33x%09O+?O3PKN8AQno%X7-2@2=upZ-rFtS4q8>W z4v$)u97wS&oEzP-=9{gw6#Jm%?!^4eLtPIQS9n;Y!Nv9Jyjd||YqyHaAcTO4G(4;y;$O% z(o5sb>Ti)h|1e=dv?5dJ+WuXA|LKZKnG^Ok-A>CC86c zo~<(_)m;xXH$U761mkC(n24r|v{rT$*lgB06fr9mtf-nx;;y_Lag`|4+Owo9fNFC% zdG9xNAk2H6iT3R*nOT(zBOMcaeMrxLc9WCVBDJwenu-f&=fo{G8P<8<&If=l5cD@d z4pCbd*aTVLRMYv}83bjsPz6Q8Fgh9OFU{TA36wX(rATv*S6dkdDj1Vex!vE{F#8g$ z86GUFKW`BwlVo_A_z&h_`TPQu=oXGpMyJI4^{)F%s!f@JJ407T%;qq;q*sq~U7d|v zZ)fl6juO0@0D0w~h?hQDx!!lgGJ09D+BE^AXa=;1`1TeJ_aMKQl7vU5E_cNuBk-Y@ 
zz)%r;7V{fVFmP}u^R>Zy_7ZaAT}nl7^pNVUI4|`U;&sQg;|>Q7H69Gjc(4hp=H48( zzwlWPdhOAtwm>$~Bj6?yAp?(KKnGmp82YF5dB-E#@v+rJwr0Te06?g@K>9OKnf8$P zL_+Z{9mdKgS2Grq$m0R(JcDTAD}%gkF{mtzN2{dCMFly9a498%`VQc5tsMqrw$5kp zjl@3~gH@c8BDQd~Vf|d_0bs(^P0o*_V^!lq+6|*5jYt=IVIoU1BMn7VgCkK=qrZSoVO{!bv@r}8q;C)^UdKB zMs4GQXQZ!Z0IF;@^{`NrzTaTvoE@s$I<`mdOpJ8@0GTS68j%^{o|XH|@F#{mY@h|6 z8CP5e@u5$HT{m@hK)?eg`_sl$iHMyOJ|+BDi869s=vFb$Cp7g{@ym^-{KIlUT3zr4 z70Bci*=$vXTVy(jEE`6QesrWMi!LDgpwUh19zKsFKs@Oyfuxh@#-edY$pZzWc_wJ3 zzZ8}X1)=rzN#v{k?>$r$Z+d-Yi3wlbI2Tmo-+gDf-d(=zEM_NM+|+@=tvjX?2Ls;V zMiXWwp;CGj&Ug@Uy%{*nqPtCX3prST6<3lgj!I@hO=(Q6ZLT9oH2p+sfdavr%)n0^ zVgm^uQPT8+c<_>dO`ZLX&j6Q2=JR6aGIE+hSB(9z*Q{UA%s`@EI#5Ol4)ubi%Kh+? z5lOXCYg)$CXIVsZfEZrBVt7at)!U(wrBrVwABhpduu<1737p}?uV^BH7v3Un$%WmY z>&J!?52rB=U3xjv1iOZk5ya-E^DFk7`7Z|-A|s{p2X{w@fl?iW=8YX7QXBU;N7gBL z>=`4ICfBCj-mmyNKfWQBNfmWjwo#*jgnj`wJ-Y?-T8FSqJ4ir4AT~1tp&C#uu@q~< z%Ru88Jj}8cgO9MOj@Rg)NOvq%wt&N}w#MRme2oc; zPt9}5q`eR_O80^bXWcaml5#d4+KrQvpfl2YaBgWAxazSPF$T}~Af&awvqv=#H5t8Z z9C%}MVq%$-*&M5)gek-Q@2k3&5xT|m0vNXm57tGksX}5dA?bXdK(rW;Q?9Skw9`5T zy159v4+L!)#MBZ(QjW7>XH9Y95E3tpE?hMBrO2cVji=X=N zJFMJu$?$?cJ@pTJPW^<~#APR?(!Jb(PX)XQw z{p3=QEJQ_?zWVaet__kSm&&|A;R6RENp?Wr9ep2Im4G+;G|}V&ZshODVY?$Y9fOif?pTHf8aR=ylam-rBMqf z=GWq|F%*{~Wx34c2$$uI^9{w6Z`bKg#z;mM z+f?DN$b4v)Geb`PkTi&Z>d#ZxFpfpmI|CdUHlY9AA7|;6e+XBQPw$%bDwU+iM_U(6 z=BqICMyin8mMlZ&pLm*Jq}XFGf)D>DDg$Id*Z^J1)o;!~v-k(S?^qz0(zWTLFts!@ z%kRXRU7Uv__q!!laCFn_YH|bd)bB?QdMjx@E>lL%fmk>iRo;7|nn>ze49IU7Oa|?& za82M%R>nodwPacX84qnLz(xjBOJwKO8J5&$?f|CI!u^}BhEaNhRq@G+Z21f=v$Oos zP`|-{h1GcFbU8gT3jiSibzQ_(Hn$d{<^B$_m{WXvAkboo6Zvv{hI(T-~zJeAgxZJc{2;p!tpIq}$dpsKy93 z`Z__vRyt*s@x>p-c~F)G}>yQsZM}Or3-cVT`opYD%c(P9zNdGjz$c*q5 zdgZS%DiD(@M3c#ms>}uwnc>Lt)!Irx5rTB@{Y@*Dhh$K?u|wIqe}~ zXL)tJrAtNW8@$A3(Yd=p{hm-8e2n~)kX8l3Dp2X&20w{*eO73Pcs|#$Ks|iPW%mmN zYX5ni=g#R9{%1Z}fQj8#VD(ubzQw@5A@#!a1&ww#LCm3`*sO9Bp>+=feid)Wb?z(N zhE54nyw|H^0#t}8v~shPFEQ^|?*ft=fAzYVzkdxu+SLe1%Hwk|${kN%0WT?Vp>9BgFk*2kXJC4JmvEp^6h5Vc!sa?2^+bB(GM79tjeA@SK>+2X 
znS3BmOR;1fJGK519@IrpL~t9o8hqBtTz+$BooKNK85{?o*L^40PjG<(Wz`-4Tcy4y zFkDo0^`plt7f8E&l&51x^1(Hn_;^`g$LNKwQx@iX4rtW32e~CId!`$HVA$OaJP0-O zu4X^9;yD)7k%KEN+mwg|PxQI_IN^#ZTzK7=dr!FOU#G3~^a0`+5p|H%DUrL^`CfdJ z3tC~X&UOxBl*D4V-y41j(B|%hJ)*@jEfYej@xtxJSA(C*7TIMtDDvk3vj+Tyju4pz zJ=2#E3-yC0F$`)@C^0)cD$}s-zDH{;jpgS<+qtJ77Z5EjKHmUX1o5;MZf0@DoWWQK z(lE|m6aJcWHa_Im*eLGA{uV9vT~5;GlOqOgXhM#>A+TZXT0 ztvV@Ey&c6dj`>HN4WzaCFxhqb%p`!sILL3ZclX!PEcTP2ojx5DqCi~RG(w$nOPO$K zBfVD$6=@idzQ8Uz-=^V>paEPos0YZ}0oB`)m>g=u-!OlMP&_9Qcs8y)fWHfqa!%Yy zv#w$Lde%U@P5Nb0DWcu1y};<1Dcgk^k#H#yr5wzsz6o!UHHjO%Q7Y&S16NTs+>S%D z@FB5s{3!@%!X9ySo^3oRr`A2WuWPc4B!OQL^ySt6y+rEdZ=>9LR;E=}M+J7DS$1?b zl#=5!TCCt_$y(^R;RYA9G^S3X#@Bp@G7&gbdIKIzePjx-v|AK$`B(UzKB@!~(Qmm% z+~;eJJ?M$HNPn+RAv%Svk5&ixw8RZ%h9f6XLRCe>Hz>Cp zjn`%UV4{mizA?>w^SNhDV9h6j*WQbM(WZnQNrrTp-B{(J7N4jdQHFpmuv)(n@30yU z2l}}8DH~34gO6a@d*l<|Vx`eebdokO#&KW})Ox>W6aY&^d{t%l(a5XK;r@yQK0e^2 zf3G9Z5Jg~S=(L|#kgwV3$xnB?{h4-Cn(ESMXS_ZhK?u@bO5kU=)hWYEF?~*#LV$d9 z&+Yn=JMP`md)-pQ28u99pkUM(-JI2dNK(8U$07u` zvp|WZLuVru9VkTIm>Z4BPsZg=T|PMbeUGT_6Y*I30sndjr9Fxf;gt@>r_CNo8x5f& z!VebpPH<9*Qp_Kww3-|!w=gpv)4sa<$cnopLx4^x4N&S&9{IY1{Wh6mG9El7P)T}R znG!p4aDxn)5Pg|7T=gNhr}p@;-Scc$am!pPOw7yxpb3+*)VED>ybW+lf_5)-5%1pq zH63Z{dVDZDIz<7l$TiBI$-aRWEl{dw&1g{)!rhtB8NwW9J&p0#1DThc<5{2n6BH!x z%upMRZM9YPWQUXgjQn-W%1#-VaGzx1Sq99K1oYK2F)XouUqD!ftDWa`Njy-?kB{{% z5KM{+NaQm&lE+=9X-8lTut~&SSk7f80gmx2+LoFljl*jy-yEyTY0rtFh}{r}sMqVt zU;0FM1`s|M-{aAYOjybzrL7g@Smi8>b6K zTC_0dF$OB}#&~vqp?IDxc3G+O`yX)(N}F<(SE6tU%^sPuT@vW%S8@0gA!C~y!7na) zT$E-kX)+U021h;O7^LJZYM6Q*1>I6W=+6dt0Xa)FY5A})cj5Kn;F&FCnfN_Sbd)si zm~HgakH^fRNOhgWd{qV{NHHF+Co3#ub1z_a9mO>IVVvMHz9sQLziBYs%#m^+aZdVz zqNpsMAHsvz9PYvo9&?ygc$~m^sRAwu8vD|x>oAUj{FErZzu3!%A&bN77?H*U3TaiH zyE0n3P+G_6>%eS^{2(K*Bb5?IuFaOnbvl#d0&}K|JQRbHNpX>a%%G3cB@5Yy0s#I2 z{PqjkS$ywPp4hp8!Bp!F?~Sxz?CJOm<$=S!2!+rKTFenj7kDdmbxG}&_D~(Gw55RR?6zM zxGvJj1mv%p87uC1WgU?u7E3rWO0=^A;z5zMb|!}PAeuiv2P>h)?h(iNiM0Z3eL{It_zYQn?>^>iASx~t%w%OMM3E<@htDQJ zp$1|MFQYPQ%7a0&3Irk-{ur&pWc;p*5o@nrmBhuHN8J)1(f 
z&yhY&K0y!k?1O6NIg)}!oZ)NhsO`kM^^RX7(W6aFgk}GDaEccO&(y}5aS#ioiDt1i z%4kd8N}sUP0c{Q4<0p&LQq=f-h?iJ2tz=y}(Kg+C(HZvn0z(C6J9_1hZPD{x-LU^5 zKu(~jO{QC-DH>}SRqRDUQbDeA$wla~!g7WG{g#FkWGgPJTRp(<>Q&?UD^RRa1^WlF z`Nfy;FARonlu0JFzV*58dl}osX(Ia@$sk|f9?6=~=f4=Py`$@Su2@+C3f046CeRYh zIy5pZ#eX)XqgW#JhU{*2svF6bp^D^@_r)EUJE0o{soV!_h*#H3z<3)kz0>2cL2}Q4 zpB@&{)dIlwL7)@~hcU3rBMN%Tn6*sJqB?6Cvfc1H!5BpIHl9T8a4Ri}&SemuDW~~v z{Bq|TVGh{LPmTy+l~wzla^>dLz{zb%4K=Q&VL5rf;bDQ(kK#}!rgV|I(oRYHugyO` zxuSqGpRuwAio(kqsvhqk2-U=R@`=l|(XI?!OIps*aY&5Xy@FO%Afu)V7Est}*DFr+ z!f3E!s$d2V6PHQ!<;Hpu1rznpMOt>I`>7?Qqal?0B?>dJ5lca=!0s_fA0U}rS{u`s zeptr)aRoo-1saq@4NY~!osbz+K##5QndKM%Q1WFb89@*l(+i`4!t8?bPQts&OxI}& zEx6?^-7Ja#rC>&lQGA^57li5X=WhyFu{a>$Eop5U1pjleH+P3@?31dybgE6lKMSs% z@4-2izq|xThHk0}j0T_`qXhAvaNc=(jVM6l=~o)^VgoevrkRKz$2_`N;G*=a%Qplv zNmDUuCgT&UV`b9I@uI%OtR-Wq=AI4U^`&lpf-|gB_#1YC=|h8%Xyd*4DV2rBYw!#z zj6el&XSQb?SaFd@NLV*Q2Uuop1pakZE>1~Csui$g2(OkKTUmx82 z>YqntiH$1$l@3PiqK`?EHQtJxV%)Fd2Wcnw1`%UU?hIRGgf{!m$&aA83*hX zfCcVYYfurIQNfHwOz;s}6Q-=_ma~Jqo1H6{Df+esb_>}iY))t?fkc2PBHMe8Ev6I) z4OVafocCfFWTa9Y^L4euhm>G>h44#B3}T_sVIuU|yleaJN=*6fLg>zy$=13B1>K+U zCp=i=0BmlUmQW8*6p*_YLb|O|9lT46*Tvio46?)XIC8iT9f=hozCZ_I{GieHl`j zCCn+~4YtqR2x(k6#O5GPr37n#cA`3Z{br=$bmM&y6Nha-P-ZfN&_bR4n2fag)@K1l z`)C`1_vmh$9b%Xl)(%o_3P|h=`1QRN2K=phtM@jAe^Mm7ZLSBehNvq%63Gg?SnYQDD<^}IdOwi?*=P0pdR{%W(Hv%`4 z%Gtu{cL=wZ9oA2&#SXMV-yLY-P?br32|i{96;{C3?sf=8*Ysp$C^|h+%Gyj*idVsc z%MPa(epG3`2ZdS>;JlSKBU0Kf+`5{lYc%SkG84Xm0bY)=Oy>2%7@i$V%{tY841T z7JH!VBaEqen%GVq>UfAX$TdrHse1V>d3Y1kn3v{|sw)chd@B;T!|!!ywYSeIeFIp2 zt?}!1p0i6}(v_myW}N8bI|D=%J@+i)@L&dhDu|JFDv-6~x{>& zwY6h2ZTQ+WLh2B&w^ev!Un^a}I;!HD8w1MFKPu|kvkvvs)wA(~3!PAwN2KZo!&$5;J`>ravC!-dwgjc*xJfPq zXBkL;wZbS;l;bemZcc$G03&j8om#Y$5Qt)9cXAk0yl6w{1j7Z7OQfN}${|~pJ4C>$C_9*$V(UIJ8?<$QcY+QMIbN+J8ExFKF%q@?;6`K^GO^%HA zQ<*PneqOyF$#td+K-^T3?aqF9wQym6p?7DEp3C0LY#P&7kh+5Y9P896d5<+B*E#}! 
z{5PwIWrG`5P~S=&K{CemWSj?f?}ta5)%4pbViGWqB5G9^&Q4O`0MntSCZtakOyB^5 zP4j~-yZ=7e*>leVAN0MhqBg2*FUlp!Qfe7)y-}+-3xP7On;kr;D)*dHKf4AhupcS- zPyO@^JP#;o9dOU8+uADiBTE3aJ17i&81Rq%d@?hjk5v9th@a2%*%sBEVadeE_nK~JY z01d;4z(Q5K=GiE`gzS7*OW1$!->-Kb?d}W#+l0LT2V`F|Qec>6#}MmGUI}GqpMHu( zrm~}<@pUWoM!kRMwkC>tw^zLC_pw;V(4d9;`Dp2~xizk*n}oEX0eef3Y>1rF1tdCL zSQlEbw!=X$mA-)H&Kv;;IlmHYiY}{J)y+5f1hn@3OX&^ z<8bJZH}5K3^Z0~D1)J_5zF_;C*C60wInfb8K|u(33O}KrvaxaI3zZ5j(fR}zq#fcC zdB8p+S0I3((5mn#xYXYG{T+az>=9%*GCIv=^V9Hf(r7|Ur~-C-$hJX7Kdj2|8?Y4u z{NEe+;v2lfTwPG)4yps<1YHO(2sXkt*;ezHE65A}mD&LaalZSf*hPgnnh9<%~wgg;57<=hYMJqe!sc z{0Rl2$Aop84~c|<*)i82$YysaU?NQUQeNuvl2Uc0+W+YXL@t+PdS&C#+FasXO*OTH$Xw0$dx>Ft71*Pm1LEItN?|;2VWp~1`V`qK8qhiA z-c;F^NW#_Ot$VCz1k?wdOm!OiOfbW(<1%puBd0ZlHyEMJzLrn1TB`&mRD4mXD%H)z z2>n55Z_7sY9mQ|`tl106il&W@CMu|!Vkt>9548qL7(#~3_zNA zt*yK4GFU=wYT;ryb~o$Y@u~-yx(`>brw|E2mOvWyqySNKBT5DKwXmwzlkI2iUQK3E zO8z^v-=P1x(wA>=1YQ0?Km~?t-k%GPmha zF7Hxt$whBUiMtXM^l5S^&oeAb&m6NMl2g9jiJ=#)?Igu*%$a5wh?pjq|9}FWLRKOk z2JynnE(K}BBp<@buF_u!eM98`y;hlgjnDEPxO|EBDN=d|3%FoD7W#h=OrlO`D_f*fAy-p#Q!g_U)S(9 z!JsP_p1mH7kf>NpDv3T=bT4#P19}8vdQlJ%NTnV8-y_=aSZ1Q!nK`R8G!Eh@D=?#{ z*^rsB1j=nOyi#Q@m$QFnUvoLQ*}bv1#Vb9RK*p-?*#Y|omo8lq25RS0^hkzk8=y1I ziP8s&2Vn<>2Q+Uv;;~*B8?-7JowsVP4aD2h=Bu|1QRY#SdrT2!CRvXeZ2LHIVU)N^ z%rIiExKigrzfm);&dL&SV!Eg;r(j~dKx{LU#JpS~#%sWUQKBKE!oS{TGo=!5)tSV& zsw|Q7;>xRe8THYrJ~|c4{rkMU&f@KiolA(TG*P}34#}6-c^TXxA+FwZkk3nWeuCZal*Zt!{-PYo0_|>kOw`a<#{fo=&q;>yb z!nFw(dX6m(q~{1eu*FsdORaq#Vbpr+t=Y@yk|s8Fg>!#Zt;fsY0+eC3%T;%@pD&%h ze=cAUXh*Nxa9fCu{Z!}s|4k6SK`ra_966nw*RrR!b3MZxv((MPXyICGs?JiwF}?-% zwVIYCR+Dwqb*`~%_4r_o*+_e!PlQjZ2KZ{us{R@1W4h6M-G%R8Fus5_(Z<*BDS^~; z1dWi*VtVQ^;95@|X10W*mYU&1I)kW+PXQsR0txsCNqvHH88KiKF}@IzzCb`oiogLb zgrqKl@)iaZix61|Nm&#iBrRaYP)Irq$_Y@>Q-n?-Bu#-rNQ&ZwP)I5a%1x9YQ6xA* zNIF7WEj*xUGDA&mW7Ww&vq`sgkJ{%!wh#Mj4O;8TvL$3%=NV*e}9&LoA#u_0h zQ70s&b3)P}jnG`gC&kIVnGVgi7<7>dZUnPFSXohCo%)%OjSZ?COgMbH$899Qr^^&W 
zOVq$oyi`*`+Kp$lkl;DKjMS7_b6<1qBkV5uuFP26WW_s&1zX7y#*h{kOtaMa4dho)d+DeBDeI4;O8tiH`tq5clW*tOH0}1lO+w&Ebe7mt> zwm4u-X0}4b;#ECXvTiOtcm1?q?H}stbGPNJD_++%T#RF>%i!wk8gS~}cu;Q5cNPr) z^ac8{7Th+rg@Iyojo-kUxD`VL+BDj1)4)1-g`4X*;6244|NV@_$h`<6<(CiohY^YT zi|Vnb{IniYyUlMvkA3sou@A%R1$b9c*QQlH5%zHx4gzhJEO_$yHUDa$ui=WY+)Lp=uC zR4ZCwbYyjL>7MV|ximiYlRoq9u6RHr&zixhzZH z0Z7QVXc0pRXZI!a|NrTP-yY1pfZQ#2JKH*T7GDynz*=p-sZ;w4Mi{WZ!p*nNlXyyf z;&K}D&}ljgW2w^|%IQfuBc>jojK(RENTum(@F(Tjpt0&XO+Gyn4MN%>g9v{|)DADn z9biFJKfI$%5VuH)6$#KY9FPF1%}Ia)=-~9d%$U49;CMo4JiIK*Fh~qAi+(Ub(!{9> z3|PD-4LXb84X?rU>~7B+Zu>DjQjuH%={R1JVKsy1C9Q|nWBO_`)8~_CT2EB~pN*x( zgJy`Ael&q_g_C1o_%3+UCLAPUT=Z4_Jdgg4i;A+wbC+1OEBdTtzP?`X)t50(1Mpjp z4=i@vYO_KRmZpJ^wJ0(FLs0a2*)Re@Q1o?i;3tG*L<+qe5k_7zDK*o{p#RNk)*f5! zt2O2srKQc@iFM8~qQW^~sC=UEmh0hit_MuVolNFYd=`o(GG49m!IB zS6A~^PZ-ouE9J=^1NR@r-CAYw`#R2IZ>uW}5A_Hi)#{!e#lRYCuC2g33p?8*eA_Sh z{RXU`hCD|2zH_bR0=$pMs}$cY+|loB(G6Hrf$d%DG9C0WrPW~eH8c>qF+%(#OI-fh zEoSh8A54YphvpEhnkZrOPmaC_LcWnaYL)^4E$mRh z{+iUt)&2wi>!is05s%EsB)7k;1qJ(O?TVMSaSkGp)rk@V{G?eF{D+YA?X+Kp@r_c} z#mFltu&SUomII|o_XBaonH6VY;Hqf&eMV;gZrR`3yL-WVnPLr|*{qamTJ@K$vM+TO zb}Nf(Yix7X*{l{jzR6e6`)Y;WQex0MtS)nJF&Atw+so^=zgE!iu`nA<%*zh*YC*TZ ziuM=_P4lgGzj;BMqM%mLyViDjq20L)TDw7SDix~Tn(L_;EVOJ4wZ&0T>KAIa*@F(K3wEMw`U0T9eB>XpssISQuvml zyG}b6x)IJ#G$F;0)p+c&s{Fy1y z40Xs2au{_9WeR966hOW-zy$$96U&+r%DlR@l_GdBusKumDRb+H5JP23I7%=|AC$Qi zzWZoOJ0(qx%~Q?4k+0Z$em5gun`f+D6ppA?EE8K)b|LY;EoqB)*xFPNcmyO}VrS*; zfiJF1TYf;x6w(+HcCMn(;tTV@!$9iFatBI~M_XNC1#A@?~-;M>g>!awtdoH1VU)kdJXFchSU+E{0qXqd9RXgeJo#KBR|oVH2l?L&BXV z9^7f-J2y@IcQbUOYvMfJQ2zVE825Z(0P`8qWK`7|_0r_R#c9N)HjA2Ay!S`%o5$K8 zqeN#t09t5^i&ahgxa!tEpzmwRcjLA-?51Ww4|#p=QD@1 zrj}RpNk4s(Sr|DwHr~DS*GL7&0f^l_nm;o5*PoQ+Mf_@GZyh61C1FzO8+4Ed`rY_l zaHLYR0RXhZxW`xrR00zF2OlzXHZ%7*&&-!UxR9A!GV>rampkT;%$%9K;W2YYX6}NS zb1}or5t;OlEwHP9hUHFgRn!E~7u}9`0DWU{7R)b))Y!Ld(my(wBKwv@oE1cWmS6(P z-rqFy`1@fJUx4u4_ae}z>!BqMK3T$-TyI5I6zj1xGA%CVrh3wqECMptS$5|p}F4XkN=@<94VmA%H+yX|)bAPc;tGWO#XOqJy 
z)l?gxIZgr-zWON^^E7k-zZbAWt7FVTI{Yw=uLMIhDfTH9o%RR0p<8uXhB!+f_D z?YbsWMX%cSO@d6Wi@u(fjye=;I8TGKqYrPGww$<7SvB^iXPf#ILj|AQ{?*Tjo#|}T zF5P0{I$?)8>^BR^PuxWQOyaE@)EG=dsMp(Fj4RzTVQ>3uh@{?N{Khf0#eUP)-mW=? zd8iXYbTpg$n})(OtewX61SZArGdQ)+-HMrSGU>JKK03{}*r)Am_i)JlY}m9WH6{d* zy3maqS8-zS+wTFdsx-eTc*m@!WzLpuyozcG`9h;CzM3=(}QZkw4`&-!_nXC_@g zpZ)=%4ur(F{jcXO9DwlYzmWR!#`A^%soVG|pSF#%aQnQQya}w-^G+_Cc=gj(-f%&k znb+rS1U~5>*3+I|J#8p1Py0!zBM)+rdwJSUJ4W(hm*>r-+mYV<9LR4d$a~LwIFvJK zB?Vqw2(z0J(ykgN)z^5LtkZiLVH0i!CiA@d*pa zVz>=yKnz+y@WFs=k>$coj6A>zlGsce2)-~R0#A^3kTxLrbdWe8;rL@!h$_A;NH>0g zAzwnw;5@-X;{S-CG8t=3~#_gpC8f6=)JPy zE_-fSX|=~ByLUFEOPeDOS04^R!0D9rzRKfXh%uTRx1evneJCQ+Gt%Pqm(2bh8gY}rrT`!4aRs*;rm!bg|t-te2pLDwSY7OuJM z?HKB5fM@^JM#hUm2ZqvQI5(s3M#pi4k@Qv9->+${Qfc~Eg?g%~pEb%`i@F`1DFnS) z^lw&l4|l(nuVA^2pxaluvpFYJoyjDsuI#7~EU3SRf!Qsqdg}RM)?enPGPg#92+VZK^7L}T(;kKwRy&Y~ouFkYJhTHW=^K_&YW5j=Ubn+c!yLm5!;WTW0Lhy{Bgdw| zj2HH)fE7I!y8?b^Dp(Akki9rTMNb&t*#^+NPm^)5prJtD330^= zzYGt%>=os6iSe+oMRwcT+4=d>BrfhjM2ru2f`kzQTDnRKT!rPDxkyMnX*3Tk4tQ}i zh9~?}lxb*^ZppkU zGmCe@mm#{CZ(Kd4O>Y@YCV#v#MlgIi23L-mT@cA+oJnKPqzFmGt(c-NmCPj#+6lQb zmRuOmHGTe!?Q)%>VwqBznM?G12$cgb&9WKP=}5#ffKK{Syr{u-!}x^?zZrNtbnz9{ ztg`Ai0-rI(@x=@FH%@TE2iflzQvuRHXO!7Y;)zH<3rIjx&baZVe0;I4G2D$$+|lAA zXK5)D=dp=NGwPd0L?$rlM`b2iZc24zYSOB>lPz80JRJHLpJ%YwY?Lm`s)&TFV z4vuRkSABwptGB`it$Ki3uB`qL3?WV)6_S_lg9uijN5`OA=se9mMHFc%ijVfc&QiEa02KoXI^C0^lCZ2E;&9pI!v!sqqy|ApmzCP_$<`7yNoeCbr<-B z*Y+6j%600iKgYL~wsBTH6$%C~W9k`rh>i*TU!$hjwWOTQxy;=r&s~6_CdMRq0#Il(k#Q{ej z&n|@y6eadvO;eKy_q;KkQJ{*B@c@ZQ2NsC3ZJaiRcey9< z1Z}Re7l$0hlo?ONcx})rk@QRW>2PmnqWiDMj}~%Ka)3sek6-H``Kk=6tW4w(&ErMnWUOl?MgLjcM?F*rxRZod&gCg89}6MMM-(Sh$L_{pPBR1)FSEa-S@VriZt*r$y6 zMKsd3P?JtR4aAm_2uB5&n{R(e#||7G32nqp22K||rc603hk`*0YPTO9(I>wg>dBE< zd8d;9I333YyWl7&cJR#Q)?qpnRLCP6hIV17YUO+{id=v?N3kB@<+z z?M95#d{f^EXGrt4&Vvqm66Ec*ZT`J5MJPSwgy|I0?2WrZ54-!3x z4LautJ{sjN+zh*opEuCAV1L;EzaC?l?86z~aqt?V+u*6&f?s9Jq;<(X%t$o(W02iA zD>AN(tloC)DzMfI0*GS8g(vvy0xT$C{e*Cl0Simn3K=W1G$%i=AP&qD5}pfv`*}XJ 
znF$gl&pY743gFO_keWd%|hU+n&pL)#p|6>_O@U`2fLN;e;9nE;*dxmf|yY> zWxVpP3uBY;uXYJ!)4W{Tegr1`p797g8}=M=0u%&f@k|=}_NQzp0G8v77MPWU$Kjfh zuP6i~B*hO61vvRR_z!0%#Gm5FsKWsQ z)3OfioB}Hj6zLYp0^|L*X(1~s`%O+iPs(O2#%XvC$MGdN6^GJgD0Gr?eKIB0MAe?~ zw4}~hxG?3WVZctpV=8aBQhFQ%LrqC7@d=8u`sh0us}D?y5vecTS~P*RLKnI+UgC1R z9DdEq7=H6cNy{fHY5l6M42$FVDOBtS-0qCD95nyY22S|Wq%yT&zA$+qU&+|8=ABB3 z*DQ$5>eCv3t53-mW+hf6C_9re!d#Liv$U+fGUF0laSekKM6#WeNQ3c+#W|`C{x78k#(SU?qYyg(G)f5>do*d|*iiYuqSY zm&5<9MZHtWOjVvrbv*H!raUGrkIGZRi*k8fZr}>kxC1x^F+j062|S*d7u(rRaP+C6#El2^&Ec~_nWMa_xtIdMJzE?c|DK5~( z609hiU~x<9WsD{46}}08*KclZsZcK%I*K~(K2-oH5W(T%3R__!;ztz{TA-tJU1ai5 zh-Asf0Wz#90ff$L+(i#}taSEx0LL0qNJjaFaiRO6nL^p;Q4xZvqk$*V2Nu96z?2rs zS}&-eRStoo*CQ+K8Du93n*V{Z6BV3dXw%i6wtl#&$|?NG`#AUB6?|ZrskU2t*NuwZ zRl`zq1EKS%H14%$u^IvZAOHZPasV7877E1SXcVPU&|=3O#HSAEX(U++B8HSf00saA z000CaAOKJh0RKehShMP-teu4tvKD&W5}#)UP^b6>*5n^NC{ieyWsVNu+t1;6G{ z3yV~$&I&Ws=9=JsdY*M>&|6w0xP1aOSqciW!yM=g{}52JHWrBnoUrivn~udy$gbf_ zU1&zuE=^a>O=eHn#wmB^^(rA9mEL>Jz&8xxpYdorMu3wf0Z5br9z)vHeg5VqX@V) z2Vt%Wj(RrABI#r@a83|JmN^4?HLl0&-AIx>XGEN?vF0ve6q;8%BDqyHLyex=ZV1dW ze=_8oM~IDXS6>+lbdTo%8RZgRTn(_nQ4q%cm^2{Cs0LRjK*IRfv-ghhEE4bEms#e6 zjlk9^sZJ=g`}g$%|y{ zUgUGoc`s3$EWq1$RU#6&371KLv;iEQ%F_Y!zadJE9019vJ<^8b;M@SieoNar0S*BI*I^$_X)t%p)RIMU|D4w4W(`oUc5 zBG{Z+(vD}wgsnLTQ%__LjKjS1qVi z&W0d$`j2wJMt_I}@f;a2+d$le<9mJSNH;%eBm>>t%skdNz@4qk(gj`iV?d%tiYvbB zfG3UiT6!@V7o|UxCwU&jKvi`p%@B}vtg*F)@QTJgqHQa(~ zqpO?kZu~hyqcHf}yHO`yJooW3h&na$rxQlfvTZ$2(O5#@|$Ep;OltdY0l<**>t;RJ_{mY2k@nhrkK1U zSLJN#VGxk@z+Oz!#5lxP+QH_RX5;YeXwF9_$;-2-cJVnWDi*0dgFcMy+PYQ)*)+#i zfoKrI_N7iW*8rs2*0ClZ3;}3xz^BOipV<-ZKfF?JIu6_e>SP%<*+Kn1Q2+$pGoXh8 z1Zn}j_@hxlT!k-`RbIv%s@JX%N8zJAF&^7l$~`=J>S&FBM_j(*8Uruq-Mn~swuNMC z^u=G3ZMnP|#S6Ivo4Bsx8iO(o#uNVR!6Q`=wJX=9%~S#p%_x(f7&tdT+z}_$Yp&}) z3L-n_H_wvkRKiKNd$t9kv#%|E!hQZNy7pxtlt{L4;e@jv^up-+e?BOdYazi8m@AL& zPCee&hv}$<%oZT4^De(tU0%G6Xn+qOUpVM-q~u_sy4ffG83V(6@H zVo*{8%#6%D&D}hS=D#^@bKzUArjMaz+D_2VFcAWS-O5=9cF=D};T%?SOD$}oV@8SA 
zqJk_qYSlXPA-I}W4`miVP4IkfeqcA!_~#b80cixnpCU;ET5Y~znjLB!ikie#LQykz zn^O=l+f{-<;t^!l0RGs-J zeF%p4I`4P9^J7HO{Q2C*WlJ`nAaEZtpl39a?9J5*w!-U1Y71Ab!%#qb*lTQQyr@Az z{^XQ~1Q0|6tFb&S@HirWF6!l?bNbwa4J=~?1+TMh7|+^@Xz=Y&#cQ{mslWq$98P6k z1+)IV>%w_AHEXNr+B~u9B}P5`#TF~U`Z21faxjq^rS!15%JdLTdZI%e{>p;}Pc3ro z(O8-^HkIuXmMF=on2kSkqc}-e9PS~yfzc7{9sBi3yz&YN8iS;RVD-Q??$?XF5@Pcx z2#@0o+ftC%In<_-qZ(ALjU^uudl1B#4~s9^weKm@<5>_NuFKk^RQDoXkgIkIpf zj0{5JwKGEz`(HmeX(Wo+F$XL5AV{-;=AJ-{wRPaO+~)u4r+v{Ey*xkJ06$vslPh7{ zxzzpbojtj40Z~@f)IsW;%Z{l;?gE&b`DSd`sp!U}{yAt@T6%7i{x6W-CtxZK$UB){ zICnZd`VqCxFqAh4OGIdn1F{*}>CBy8J?l!j7T$DBRSKiTEwdoAS9MJYjhjIU?T41x zSsG24_d{YQ^51Sw+P3X1K)VF?i0a5BOKo`Cj0jKP-sbtWW)|Xwbg5r`2CI20O1zc_ z6&mi6^G}v8rkDb41crGahA%B5#Xz&uZq*{D?Fx6NAI>%W0_>L8%n-dJ5}8i|!yI=a zJT}8QBqOua=7Xu!acXZR8!_G_#Wa^7OHle8V4a>6oV5130Kj% zWpICP74SZ7Z6K`*JTdJJsI5iSdv;v4eFVJm1pa&5KVaneB)+G{tuDr1`tLz79$J03 zZXxWtM6VGsZ$WR8}$sKiIl3aRz(MddZQ5f8;dnOEo%wk#Aa(-vIXZvPqz^c z-9`J`^I?8Xf+4As2HQNc0TP*Xh%n4q^hM6--NkHs>^hP__k_0m>SNn?(S@-t^y$fa zVDmA*++lD9U-3`?CW{eJAk&a0Y)U=SOQql)CrPNtXN45en#0etNY<&uno;}3^@GoF zmKo(iYOA54AP+gobUW1pb~a*h(TNchxvvCO<#>T{vyu`-0P2wwB8IEJ_se5DYkfu@ z6J7&3ywUf4jv)^|#6QQyP)>}Me;;dSOZ)q)72z0nzYV8aJan(GjHHjXX7$G5cZQqn zAE+9o2M9QP+_0+_n{17>g(^0rmZ&p$Y|J(#s5&KGZclcSbsh@d#j~x2z`i&tCZnpN zIEhXVwAyc)p^mf7s$Xm9t#I(|V<3dn z<%(PSR($j3P4mU!DDZNXlEyUrgOhM#m`e9Xmeu%H>l^u8ExV=#o+cQ&fOMETcU(=DMqp z9f{mwt`kZX$5C#4iCBTi0KIE4YK(dZ*yp8UjZzW6;uLyY!evIzr5zT_WQ`h#MbgzB z9VnMKDykY5s>ysHnuqfY4mf~Fs}Wbu$Pouhr?f1{=)UFve9Z8=0R<>tJt4#|{BmE~P9{(?ZG%t8AoI22?dIoEUF-sAbwD zINvkeH+_fnaY@eg_u%iyLVV=2uS-_ywGm6NG!=hA000$^@rNdZBniIDB0Jqm&JPO` zRQMn9!1#Cl`G1*F`Lan&g00<4PlU@n6`sf`aGuly#DkKO9F)wWTU-Wd25HR3AV&3( z{*Zkkuymrun4Jr112qvVauF3RFav{9Dv|GxbJYT~=>c?B+)uiC2kuZu#0&P$rzMgL z$hJehiZphqBcv`fw+GSVZI}jW4YI-AEZc%bbkN?naPqLuvIzcW^#6>L5@wacyAF%Q zXVpS5a@wHil*X2^RrX;A%9ou7T|oglxI%St(sG``>&}#ka>j8G)R(ITr3~%7*XLI0 zFm+PI*I$|aCFRib0mHG z7b9_U1*x`q@`7clz~&NjbkgNsRW8Wz&)N@y!w~0S)gP7lDd&mCe_55qEh#tf`<_8 
z`u8epv{5^89T)|dG$qlSL)yBhu|9V43&V!|8W2gm@$+X6Y+&Sn)S@-TXM!j~r+%w?aL( zk_R9{R~64L*&F8CnS?IWSM4T9x^rMk(ZnozIO{xoYqbAlgdPBobcd1-#s`5U8sHik z6tbHp?~=rB?)3;pmnR7z`S~djNb@g8fpR{Z!GgtXisYz%Q9G8ptv>jTaf*E?dkia4D_ZE&M7y?tW_J z=))oSKr}K+$e9d{p|^|3pecHkg;}!O=FcMA8&9!X5kfC*p}$HH~2IZ?J_Z=y#r57z|+l=D_S(K9OspG6PO4z>fc;!qWZj0y3ZkiF)OU^2D<$`P`L%HI9!ti+y)8YbeVuNe2Rzu zorS7q-Xe_>gEOxo`)1b_P17u`-^37mu_Bykh~+8*w93gef%L>*@?g|tqM zNN5yNh}?G(pKn0k4I7x@!BKvMsiFgR(W~g_4@?_O9O^3+JQ5cT5R{(31!{k8Q~XW7~m+D_8~pU%WMSf`7yM_%|= z+VV815QJ29B0`CVt2AClt+idl%nE{5WvmRJt*Y6J3rUhuf`yuxP;OdLr}D+o6#ekM zw`DTipeHedzSy6x4YCVhVo^^^g9f4iUFc&7($s18{aXS?O@{}HLn}r*h7ll~J&$2^ zg$L}yN?}c9NMxpdfHiI+om31UPPpD|SC9J*S3ib+4TG1Ex!hJ*-@ca+oog7a>tm<1 zo$;#CcgsY>8w^HzuShp#Xd3$2Hogq0??kI`1KOVBA6+kq)@oDiY0sQ5K-=Rxqeh=dm=XgAdjj0If70*k zm3*PfU)?182Y zB9J;(|7xh}jjJEM<@n9PYeKnchkwno_(BrS{hoRhw7W?ki4fb$D@TDTI>*SJ>A0N+ zj)v4qhk)+}f^4D=RHnyC)N)P5y9}i;E5UQldIFgTiz52tu!m7XxL`nwU!v*Ke4g@vOlXbu9x!$fO>!K4viCgEC`TC6o!&ey5*aj-z@R2aI4l;R0Duk@7Sz88>E&9AOf4JHzx84Tlgoe6o;4FV-a z)jfo4m?F=4pNB+! 
z@@GhjrkPw&nDawmd0sK_<6ChB$M;;)5E^RID!Nu@KVLSdXt21K4*~ zy+}j?W9Vky0;)5Y6eiu!p|%Tw)5Q70qe_K79tvrf&wR>|4CU@rk(nwrJx9A@IXrPA z<{KB!cdHvS4<{wCr(ki%pvj96!XJL?pI!)2#X4_yxdivJrLJ7h0W*W=eFG~s)OUbN1uDL6wY=akWr=uOz6 zcykgH<0;U+(08f}KmpJA@LS`M0HjF=jYKXfsi6?@OOldUhI4d)nbK{yY%Dj4*%x`D ze@4Eu+r+;ZN*k!ogMU>4k9LcHuEsc9=4+Oxc3_Eh$ia%<3v)D7!Gh%6eODbo6sj7J zn{zdjE%WO@J}AbKV~YU=wj{K@9CW|@5x!To;NFPqmT4)meX$E_LllH$lEx%kj2NQ< zuLvhFl2zw1tDI~1_uuk^k)q2VFJpxzbo<_Z4da$&O1v9roBn2#-NNtJX$tNqh7UYm zPcJM)y6I8QBx-s!ijD4$ini^J@QCt@^i?Lekv=nJ>q3c*?R-2^u<#@z?gP?Qq5?15 zsr5$YjZ`%lh~dT=B)@4cp0nygy<8i4h27yRK>S&=hP!P#Jp07l|W#_7LuhNrm z&do!I+%k2n>gu7_2B@({he+^A-SmCnuiIIrlxr3P^18RY9Xrr4!#pmNIF`^tYRQn1 z3CJi@12(F&7Ht`mLJS5&9cT*B|8@aObMrXhC#0e6Gz#($wucK zLc?Jtze#kMcgsnb7WvdCMM$7>R5u(S2AT*{-T$mbsRVQTr__7-FQGKvz=IIweVT^j z>*Rlg=b3zY&yst772nmcdlpEQbHfkIURJ_WqSZWakovgo0Z%VC{hK+~g_e~~M2!o% z_1~dqH)*t!V}&c8{Jnod+r?jR9=;KRxWwx(D` z;|Rx%^snNNZnh)$2RvsXm$9HwuFW+8_Kb+Wtphcc)&6?;C?&(gt_n3)Ox#ae;bTqB zfVg>g$X+n_qm8F)+{60vMpk+7x7~V?2wq5X#Ff_bBsyPIbQJV@o`h&q4VBDkh^!r+ z3^KAbSH#YmhA_>yPrDldvrRnU4FXC7?%W!GxWAOMPo%5Ehyhc9IfsZqWoKxL>u<`? 
z_vmm_{uleLOb^wu0Y$M)QoT#N?gn`;&J=RzzQy#i|}<%lyAZ4r)b&@Vz1S zEeOB<34ar9e;7)hz^YR?t^V~Z6;!N#f2Gokv++FETa$rIW)oC0%{f+&8% z)2*{xx-p2hq;S)6MbCHG8bxt~37*4GMQY`Tk>iMloBSv{Xh=3yx}Blu5f$d$ zz;L#5anaf=sbn`gX5dC-4^gjh2yoBVa2yX-J zLHKP~4Y0W@S$}VhdHQYdr6gRFuEpRy=U*b1C7{H9Y0V^9vEkI}E;SU5SLIpfQOYRV zMvC&IKmLw*QZNccCNvlDLgzu>%68(-usX-ciP!x`6B&9lO3)UWZ$dly?Y0H7?~%vD z*!4Hno&8y*#bd=wV%qp$a5VsL*45q%rDfBUh4(4|V7M^9HwB_Vx*|%1+D7-J3NkXP z66$zTU($Je$dg#n92JBi54*!DC)08hLm64C!CP_sXPi2W3B7{llB|Xbk;97~Oc?ps zFb#uS(7I++xhEpXWqvl%E-pw<=aBVvldj@9GNOPJP+XDBWos8zDcoBUHZK~Vju+y) z%r(BnWu8V2&(lR1_1u(7yo0tSD+ns+IuRROB;ht)%fl%_Bvdqu@@Wj}yUAO!(>D-^ za<0tP4_nJ`Z@iccd8qlO|J0h@j%eUbgTcNZU z5~@?0q&nBf2OMC{E{aQf40q7$ATLD!t{RX=9q^pqD93M)L0rrG+vh?K|Vo|PRD z15f_*mX5g(W-I~~<*Cg>#?VgYvTW~$z8;R_u$&iINStSg&7m?3+FNgo?d?U1yh*;D zvGIa@;(nHBTo0}BI6&&dpI}hFvAsZ;C9C$e>lMmID59+0*S8Fooi3;s=>1_t`9=Ak&n3O?u zTws$>E|?Q9rl2|TU%yyFKd|GZ{lF&Q>(G+e^kTf(hD>_?--7hCSm+;e2(AzL=T6Hr-(Y3m4@+c)k8{SNGnvk%0ke7 zk~GV(wp@P_>r4hgw8eewuHX{5p(j^lA7GBHC~UVeD1q?fIAk+6-cx|Qi~(2?nM3Id z%|J672$^$ziCRH3G-2P)XO>?yE+lWqF9fV023omA3ZPn#)^Q;l;OR)=FV=%@De&N_ z@hwE;TqSxe4_G#S$|P{NeQAmoRB~vJ1m}s}zv>@X_{jHR;aC)#eZ&FZE4=3kYEbG*}kOml4C6a{0VvMjXJu$2Ef!J`Q zX2&;*r`huN=>QYGSZ;mq%N>o<^Jn1|kB`VElMNGjnsL6*woASNNza|>ZJ0bTfV%1E zKXxh!cA;l67UZ0->us3$k`-Uii4o3WRg)4SXl@mq9Wi8M5A&1hPMFS%h zb7VFEmn3K*r%EUO67`I&~F=n8IrxcW;{hNTOk1`E?S(n#n0;RdQK~nV7j6W`SNEb4BH$&y( z^-%|ey{crxL%f61gwgS$LHvwl4IY6zm`FYOfnT) z>%|e~2!qDifnzR0tL=;IcG=UG%InoB&HNm|e?d?dgkmCd=+MYPlsXx4Nw{AXY5*#MMTWQ&(+0Vc3f0>g+@p=K%`@lKe8 z(Ip&AH1Sa*zC8pHFPJzrVfd_ykbySUN@7LUC4D)3U+Oa_O>?`Xi+(o_cla);X)GIi zi~#dcRP`8a%0tG{3K(b*^&Wp01utSTPGkBno0!UFwFoyh`Bl>q*lpCXJU&?L%zA!g z{q96q+V}42tp*j{+A--7SaBC)B*t-hx6T3~=O8nmLDSJNKXzrFSkRWP5xN zpR=Q_i0}os1(BBm)KwneQrt%(*GnKnnnG`m%lAt)n zXg^m_;H4cn8^Q5q#?cTvov zr}kr1dcGSst?hw1)HB{lUJLob$cLv#F+)2 zpRIuH6hwnaEL0)4oUSD5%3>TV?jj)GLgi-}&cb0y*aw358M?pF@yeBQ$W)dk6swV! 
z6Yw-ciS8h)R0CTne}NJI(SjZM%C&1@A${sf_rWz%U#I=JKk*;1svz5+?d z&(Mjce2+z}LAiM32@&-?H{n8rvxSh^X+%v0fv7(w8m~n(I$t77kOgaRyJ$laI8p5o!sX zBH5PpBSxj=8~X^JNK0``vn0wE!7fO{L|1e=yxMRX_0%_x-j`mUr{D`gYH?}aiEf;$ z9T)S+FcEDF@&Cop{sPY*v_K*@AO7(i1OB+u$SaJNcg}|B|FPo&7XLy?@fr%-$=DBr z782ZT#COJ`tj;(PNcmsnXa%B&<#IML_x<}0Y}HJ{g9_J%uxAJaZ@6rKu1d^ zULnzz=6@;B*--3~2w40aeEzDIqr=ktlrfbpRTU`7-VC*_})nrYVq( z!w`#OK}!{XdZ?OD&E%l=Az*?4zIDLth0y2RYqE8&>{qDG3N#3=6o(5VOat^Qx(l@4 z!w!dzhu`H#K)&w0F*uTWWR%0U)=4xJ#uH%-hd}tGNI*&umAZQ{hyjMmHpIXs&_?AH z`^=N4Ca|L6-?l)X{&QBH==LSRF*8|k@bgxveLfUYTYZLQe@rbo0=s#g^zR?~_3N-H zR#W|QzGvQ_*Vp+F?nd{+UGwIyip zKfG6=N$Wy62~GlI$CveP@yoG**8%_%26Q)X{##Id5!Jy=Gn8 zc>xul=+1r7zSX?p7Ilv9A}lc$>_ErRZCUCTfY}I>6lnSec@=p0l^Jcte~yxl^p zf*>#vp4znCxwu@^aKKR$0t(K>_16!Ag)m4|K6bu$#R#|3$1^PUGFt9 z0CClN{orBEZtl(~$a+E9-gWeGvz-x=UUL}QPkFvx>6#_zl#fQRBeEpQ0!ith?Gbx> z%OE>s%zE#ew5F_pf-hmVk*Y(a&Ng`LHj3dh-=F$YhND} zv;o81%yK{Ojsdf9nV)&w7(OCB$EJ+j@qwSBpwf~%Fs62KD|1K;Un1NjoI07+XP*H2 zO1^`~oB%W69$7m;s5}L_Te#;>W=Y-^?(i*~>%w7x8iFj#2R8lFkj7M{S+t=c>=C%b z=et#ckAmfwoJw3~%<_%n|0B0QNU&7p_daU|FOpO$q{ica21H^V_PGoevYS=b-iUlk z`QJ*X>Ws?2y|{eWzrs$$3nOn{oB`YSB)UkEKq+=7w#sSQp-=uu?Dy8{9Wk4i9PG)x zj8McC-1}u`ZkVi3qA^h2hJH$@FaA~zS|wes)Z=!vo*~c!S3Tr+Up?Mtl-ykDa(cW5 z=;01g@Y;6FG|k=+8|DTc4b71uH3;(}NZ~t0v#t20hnw*^!9@i|t$_!~7HB7ei$m9J zMJ)#(6cDR21KPoe5VW+_0rz|~c`i%`N5R4awH>>{{m=+Xqe|xg3B_)*eHN_|qWg01 zvmAks3dcsYJz0kk({BD7FucJq&96CrIBA>I<~n)2fO&)2NWVjvhL%qagI{PIK5hJC z2@TqmJ@rMkVK(8u%++1Rzf#%A1~RGoWzh|Tuag$dFVAA25)F*$nRH;@G#XQj45U{& z6GcZ0$u7ZSAZ3XOnb(V`#2vU4UW%I~dRd|cTD7lZqWtUu^(sF=uJ#EzMw{j@hxYPE{*l63X+e@9r z1J#YF1x*T{BAvCyLp>A-smS34mL-6_@%OnimUcW|Ge9cihVXgl_o$5#nUpV4Q*j*Wc_i zX&XC|1wGIDc~M^7K7R*=x(q}w+DP3vF}U9apySC}UvXFO3RjG-fur2|hloPTi-rZo z%U`#|R^=rjSJz6-DOP%$b-K>hn5+V&STRtWO!QY`JS{sQ)$djD4Hs7S?{;Cll3dQqabp~96B~0 z@0BgQ18%0n(Ct}1w2m32v0WODzJY9Ei7$IbrYa3|T}Q%cdV)fbR- zm~n$1Sm@jE2F_PHeF}ZgJ}U&vABUakliY`I@zb~m0_l_aj<)v|Zt?;Zrf(fI9T@7L 
zWKn!;0$ZIa*hq$Vm4TbqR%isUx{G`s)hxE`9QZEhG_2H*UVWFb$I{#_g?+0n<^TH~_NqPdk9>V6gZlfHpNxVc>FtiR2HJXt&G|+*ML* ztIH=OE(KgOg@?T78wwg?yk4<3iYgB5mlQ3t^^&3BMfuSS;oFoLo6ekqO7RHu{P+BEO0^zz+~m~m_rSX=lD)sOjr znR@+M=E-P!{5q918B`za%S3tmz(a~}>_nq{=8LiBRtKGP|C7`ll_2|MR-YbmL9ya1 zSwb|UjE@e{s--{4X4Be!oK|064e-tt^9u@Q!J1ww{vcxG?&|i}(cLjYcFlhZ)u1ZD zLH`;Mi&_bjPswdM5PdHd@d0`Ec8G<0O&cWW&sRIzffA`nP@uL5pa+7}ItHh&97Lnj zkV(l1q}fwnqP4>gWiC)-^zG}cIS#_(+7}XiwL)1hZ6Lo+S@<3lW!LTDu~~nD6lL!$ zBLLi4S&w-up-$91yR$#6Fp7eWS|0o>nkiDx_#zKvy>u*9QgLl51RVTX@a1nv>DofV^&y;sESTcu9a>4SsVU+$>sMNmrG}{s3LXG0T8RCoIy<>y%IVRf3*jecev7>RerFCrf9GB?8D2K_X7AR z$5Nt*^lo_iwtkd0wr;!;b^uoy?%L#+fNf<(eTR$n!u=vKN$1zbMypcqGf7NJi%#R$ zfy+!U#D}t!6zLPnJjtve^SWciL{-+`<#Dbbk{T_1Px!~QTr}bv;Y&UXRmh5 z0rzDCU!c(cZpFiMS`cvc$L`{H49NigJBqdhg@ml_egYib4jOmaVsaTErlbGEO}7`s z3X>rZkJ@P~H9$HSt=s40Uxfqd880~aO-iE=E*lI}VjfdJDYt2z=%D$)G!|WOg85J(31S+| zdqgR7dDC&ySsDydbMVsNL?v4?au@1e^8+Fa_p3BMiMgGxr#qY-3X{%Z1`ZeC1i~_I zf{m9bpzEQMhK-KHD-@xx6ZX(WRPs+Fm%o*?i$E}tUCZC& zx6Yu*9u%n$pqG{(`9#gAi$8d^p!xH~VB6*DJ`DcK%ui(dA`R-+Nrr1@|2pFRCVW~l<$YHi_@e|RJ!_~ z05bwj@V(s)-7oAAsvO;0*z+P?z6w7TP-2k6==EDT1q|3gURUo~O6Vh|(1I%L&@*-; zcTRj}d?bLU&Nh&5X@j;KlH$FyNw?Zh2gE+}E4)7L$J9|FC+5i1ImoF4Tr#i0SYC)` zb>W)#imX=IQFF5?c}N=cY85BIY?7*%TldjYM(1d4@~3SvbDLcW3p}My3~~xSxdPlFY3>5H1C1fOd23#X9K$@`Mv>xus&n$B=gMlcKjf4IdoWSPPMAYzyRp^HA7zMm#d+Q%z68Bu z)!^y;YapZ(hNe>S)1p^FmC<)e@O%=RN}K6)D;pxVg69x0NVzfl`6jg>JykoHgGBI^ zL7~iPU=o<#l(y2vT=B#;^C?6dKAI0X7Y?apNc@}D!YDnx(%5Ejj9vg*D&u}OUDjnn zMdUt1Ji#eEBk`#%6ToVP*+a>8^C?`WGhJ<#R&4WJUXbmyp^@q4A zZm(>t5uH7Quw{n&%nIKV4Gk~jk04cADaiX>Tf5_GA#&OA5VnZ+hHc||X{owR6DO<( zK&f=zJUHEWb_0pbOsH5L@p|md>s?oj&d0C|pp>}a@y{*i=c43{ulfFFhplN{9M8(Z zL|yjEAC0hoF}WM8r~`B5RuZJ?`HaGT(aU75RSrkz-gHqmXZR30*DS~8VF(D5GMaTxtB|3w zzngs_3%@pXsPlMgUTrDr!-*K5TZ9Cb%j5DZz^GQS_E9@4zn)xfHax;b--81zd^uw>;wV*MvmI7YF)$gEgY3K1r`G)BPF;VZ zv2DMos>`M6b)aKivIY!gg2Wy))gHA+LlP#t;}~r^u3SdASgZ|OOlF% z?V=h|oMIhdz`7@HJDf1&!dqQ7iv3P!O}kRW>9jFGWh_nK8eVQ45E{+JMhsQ|{RKW1 
z=nytrqvKZg7jBys>9MX^F^ZM$8HWHByI%4v}8~b)G$AE=P5H zf04IIB2#w=D%wjq8dX!Wz_^%i z1l^B`i+9kxW&+UPC#FfZYukVa}=62~{%zB*EN@hgj!PRxR zDid^Up1sl{t&3zuB+(xiwB*=WUgO6x-B^S1#NcqzE)pGMg&di}EuI`xO;3Uy9axs@ zFd30a!*HboNy@r0XTf`^Z4I_|0}eT!MR3xV3>ZBOX>LAcm`-y7U+W=JlHnQWg|tmAxA()=e!2$mZDr}# z#WE3s_JEw^z?hRqU~J5K=-!(T`W$s&%NoNBk%+Y~$@f28O-$P32lOz? zf&38z$C}#%UJj`TjYVtgBpd%I(GpD{#FGj?BBUHI5>Z2x_1 zTMCH&P9&qkR@;q^4?{3&N13cqP~2y>bg*!{)8_ZgeQJ{U5jqt<ITrD>8{`92-We1m|s0Tq6=yz0*qO2T8rMnd)l1xH5!4bIyA) zLQI9a{})xF2gctERX_Vg($H|_J~s75?@ML`HJ2&F1hdyI;pF>^fsjogoN1W-f%Dz7 z@q&Bu;krUKXS>6v?K!JlT~Xw@bd`!img2CxK7M_>U;E$0ZAHjP=FO}Lf|F{B0cM1d z7ln$=Canx8dTPfA3<&TSvyITv2zu4`NXx#W`>kbJC{?88QKmm# z)Tb}eS4p50kK(#lhXJ!80ss`;{csUUyXP9_S{Jm zmy&NXE{H%w)K+^(hdVr=!)m^RT&{j5v&CXEdM$6&)T1ONHj{WP^)MzyXhK;V8{#p( zXg3TO&m*`xv=hpgLcK67heORlv2jHg3gFThMZkXwQ7nNB_kF7G23m8_pHJ?yr~n2J zN!2``ZccfUG{vcnqsD*H4GiMJl&TNYMLQxpqZ}W8quN}d6*c!dWarw)#6A!vo>ntY z8szem%#y=X$SbB;?Q>xAUrP*k=^R=k1e;2voyoPdj#1)Ho)2?X5=fOK)K&hK>g(?c zl7jpo$6i($rW~8etf~`kOMq}o0}9d>f2975CYMid9C`AFXMb?rJmO1BR2Z&vO}GhA z^VMsJ9C&PIaA{l&7_0OfMM?1ti;hxnaUACo>nEOjq&*+qd@mD*9VRp9&=WCb`a0>( zhFm7OoGSQQ#1s7WAW#ImYP^b#1}%r;jWB9~<}wQqy}tP~q+rs}QF*jxO!=-FN;zPB zu7~~7B*-jcgA4eVUaCBM3VL<4kn0*R0^CT~lUh|4<&&d1nCeQJSbM+>#rhL?16Vjy zLN{Ckx_Fy$WU^TkY(W`#Qo(Lyom)YdYUXivu%A2c#md^O_T>GlOfTq0z-kKw3JI28<4m8KfO&fuv3W zXVk&9FT@|0i z^Fqjt=Cv!k9*qO|ah&(W(z0E>1h{k+LUKN9$#z83CDzP)AxKSsoY?{@wKfr0+HBJB z?LdaS^Dc}V-9{>7`_A$-23aNeD7qFO#~UdtlASSP>e@^H{4uh$Fp?*-B;=a!m0#L# z??0e`%~ffNkm~KKGK%66u!ko1{AdtzJNNZ_9Sh*H&}6G^jL`r#S&49y@+n}U%&ESF zXgi~A=V;uK=eGKDxU>ZXjY4bIP`=sK?=yBGIW=YtrBe@2No8|p)jYu54EpHc8aoP_ zMj@I-6O8d|;x_zvJ0L4y5{?3E5~~#Lvoblrz%Z7B`ag~?mD*--rx;AYgkk0(IW_zd z8NUnkVle!CZjG}ja5Zkm%pvLE-Lw&~zJkQoWx{}DlKolczL$nI^>0~{r2}kp7$8P0 zvse-xu~M#qX&~}ggbBu|jI{F28EpYwiG7*s{)-vZ{4$a^ueUy>nmi?uOmq*mgMjm4 zD!jt-BUHSy#p^UD`z_^H7!m(*l8m>G`}t>CDp=CGCK3+LFqTNfd>Leegk5Nmk zZH9cIc=@QpN9wfE|1+%cutp{=5)1`^^!5H$GcWq)QvwI;bkY@&|H67d_OFn<(s7k3H!(;{HglJ7 z1p>T#2Zl(@5(2YcGu 
zZ9f|)SpNZI{s~HOvUPL~j^5zG_L(669z<1?ta7YAzi}ev061VFPHGx9RkaCF2RMKl zK^Q5Dj{)w77HS^jLTZ{+jW*72YL!`dp0}}a)kjLciT-E9Az@d#EI|rwW&>NH!{Ium zPYjd1o073rv;2$(&<%^&@Jlv!h5W!`BCeR=h%yImhrT&ch41VCR$K&wGZ|tAGDhEO z_V{0C$7uZk8$cbmA7?p4@TmIr)Tx4@5eIEiP~bvDC{K2rNO>(*0uhoMuRYzc*o=I}fmPpXJ?B7gim=$tyDKY@oRUGizXM zNC}ppH|mH7j<$n|S)SRxZ!7GDWs96=W^yX+%uv3gh+z;@r#SE=ZR+q`8xqh>K8pP8s(_~h1b!^blyGXt;YN8pFL(Mi^Vk$5d{`2J zVO7r~lX_mUHCScW&<~IfJ!_J?Q47uhdD@{-yt@Op=vG02d;?6$^usK_!DeDpVb4f1pCywfn+$2kV7=U0saHI}v%@stG!9w%G~NNq=fk;r1RBxu z6B3peNT&e*4MD-qi$xGX2zCf>2pgbm;lrEDb3C5*0)<%HU<9|B&6r z`+k_T9XwG9&EwG74#`^2bp9MncyR2wqH~0pn7GYMXBOSziYtE3q`JrzW$I5Jj`;RD zuiv&yTqg@mBDyy@ zDTT@GZ;ywxU-P12#=kjiEHD=W5-W>WS>^ZUjePG0xFIUvX4^CnnDQ;09pEpiC-dlG zz#u~wBaPxRMQ0rg=XR?yDYb?T|J zuPe3_WttEoSZV27^1~dZ@3QlG zSF<|;3|(w5Vo{Qaccb}Rmza9k-taUSeerm!zV@O*jm27zFcoR<41YN$Fh<}})XIYz zTU+?vVNGul$1wIk)eW1j6qaX!!DuY0Bd~; zCYP59>yx0YQMkcfnVjJ(HtR`UqmyZI)%3T#U_*5@_}=z4OB==B=2h(lQ75&fyB_8B zTtk|GuQ5tEAc}EIg>T52)Tt!0t(9z`8ZxPCHdVpejM7=ieF0++rP!-`IzZ6+y&zIn zrM=gN9>Lj03L>a2<;O7P;Nw(0hD_34%X}z}bE&?`s^m-*9%YQ9Rz~{4{Xznf(Lonz zidIg?6?+PoZvl>J1>pr`0t<P``=ZsDu&P`c=fCG}R zvQZ;`V{xrp%O#(?xv#ZD{hTCUnJ~I7;K!j2))at!YaRHHR_fIdy5ogiYt%GAdfpJl zl>6ZMk&^9?DW1Yn-X1-<<+kp%xXhn-)>riuK>Y_2tW$h1+dJkXj53YABXnor>_0t` zvx#CYFnDJDw&PV_RDYruB6<+6zd?=k`IVY}g1#Sr?{gxLVY21 zWY0E+zB&OM?|mz1tW?NQ;&7B9sTA2~ZxD(=j* z&9o|}C{l2i%wRdC7i9D{K7LM8$ z8-i>$sl_>GV#H@#XU`e!x#$jR8#5w*2gIr>l*18?`|922@aFag;nsJDQgbz*7?IRYfSuCco?BwCUiB^!9 z>!FbLkTFa%?gNH_%~@oSwk+b5A#6*Lvyto3yXu34HYVy-MT82$)n3Q3p%4qS@j{~4 zMZ`O6Dg~-GJv{_I9m~gO%)v+1x(K4RxAg-;;V0L%vI8rXx2px+~~qe3ckN1UuhT*TmVMB zvGo?$Mi;E%*0A58J=_Et`8$ONIs~I?>}0ku#1aHH{Vsag%e)c9ncbXUdiNa8HC8=X zgKz$Jt*ztle}(a6Ut+*MyB1l?!j^ZbMy!L@+GqyceZhP$_8Fh4$B^uh{cs#hJL42)#WX8G;JRYn4B@cWNXgK%unbVg2|*o)q(LKH0P{2bH3 zC%|SZ@uJ7)XS2LK+%2To&M<+^0<>bP11sWvrc32*twagb6xE!hwfI?iIH=$K!W`6# z8zZm|V@~CYmy8;EgEan~47M74dk12`iPYU_t)CEY$3Csjv)Xx~p^b^X(p%l~_8VbK zjx8YrY-7(r)X%ThZD7tIyAj7nsQxh^j@&r#0ibxS$MRlk(9ErH_z_Z+0*VNl!bL$$ 
zOH+$bQ9gwIVL*?UB+fKpjfP9V_Cd=}!W9J^v^{t!61gLIP(x~fxrA6^3-5bCz-1a? z6u1T2NG$xRR@pgtJyDuU$7;(554*w;Q-ahi!Hkpuii z2W><{g`Q%5gm!$iQHNFpKbb=K9Xg-MPZ*inV8aEh{%?&^mKEE^1fKG`7`D=D%o^{D z=Vu*>dH|y@$wOtRLLI26#2TNDz$nghz68KW=+Vk#DH}FesBWCv)3+MmyK1HE7NdG3rVL+>9LinWy?#)OUY)8JQjsU)}Cq`NYlpA@D_4v zfQDY)Jid4jPG(K)Gr~j>%x*K%pW@EizPleBg7jA@?Nywr+XG98&^crP5aRke;I9nZ zYFv;`NqTAK%- zZb0-huh(GlF{R^`YGnV7&naQY(V-Gv4gcG4w#K*b~7$#@3pjbrH%1foY>AK08 zYbGk%7r&IBk5Wkj{_j*>Bnt0$>QUPhEO_qiELa*Xj*? zGyi^nEQIAt4JV(!)CKszL+%0ztYj`y z050&`pg_3pGflbsPW@|Qt-R=pP$&Nf&?M6tO9*Q{L@=zC-*V^2C!DP8>=m|`%=EsR z&(!2MX_!m_>RHl2S$|%xa^kxv@&|n)rVt^U=rAV125P`*% zN^$BM(21CcRH+k;MuD4TmH?Z8C}=C;eL2*(at9`y{1z;Upo4|8wp@oW{4y7q(_b}g z^fU%L_Fkw?%VBD_5c#KKG<96=O&374KZkU!a|S-_OF)*#xIIJuv;R7uduj6ivx zmB8_&WnM>`&n9UU#->CyL?3UI*Jgpzq|-XDuolO<4^7f(N20 z2-|K^R8LM-qV5fvB)tea53i6lwR$+k44xjvn@KaAj%ZQ5iLwF;?{dXTy+E;$>cL?B z^sawm(Oz-XlB9&CROSOS2y_k3Q0gsX-5@jsH2<>lzGK@A!X>N*N{k?MionB?O$~?| zG9{@reo*+$gP5wZsR?2eYf<8E7v0iI^>sb#+mYinZ;{5DaW>{{rg4|0(v~op!;6bckg6omgg}$Xk{f%L^XsY1JvIYT zL4L|)a}$0XK13(laiDlmqcamORbe?%F!~sj;AC+tuG37@Iej}~c%_JN-##Ic|34wa zv$p0{HBxP@o){xgP&%L2VpAO&JbpY09P%IKiq?80BmyfNVdbWC78KQje_rQh66EiV zHoto%V=TUE1QWkpXMCUmj)^G_C*;*f@jlX<5ncY|Ypc_6=Ye1Z1W`sCi!1F5B7%EY zR#lo;qES}rX_0mxKHP}&>9Scwh$OxqL!5PuL@_?_V`W)+V&$c(GQ~}l1nksV0^n7GKLroM z<~Wk(guw8BNCZFJh@vqMmx%;61!Pm*W?92~FTN%eP`P4x`8SV@jHPhkQn+v_9Dp~R zkniVQVPPTHs9#Zj9v#p>qcQn(z$9B*O`${tEX=~0uXSG%_QO2#^G{B9*P9l9BjjjL z&8U9JBekhatEPC+2oRuH%`PyGRdFxE7&7$$U3ur8DgS`vU^_bVD2NjDYj z%v&I$PWC7YlsC&Gv9>5uVWP#X)(3y*QgZ3gZam&u2;fWa!Rg58&?5V8HyYXW|XJ!SP;o0MZWeDBs! 
zZZ(v39Q{E#Ws%pEPD_e$zT(MTk7kYs>`Ed9fD+!5xNw{X6L0YsuBi)`Ty*qSlTXGj zL+Oy-lKK`Q5XNM>Y!bIFt?eGQFE;8MI$!|ps=2DXz~xgYJ;$wM)FN)UFH0N^+z}>w z^@8s(`ZrDQMQdc1&xVoxC6nLK;N(RipU$ARW_m%?n!;&CnbMfTB`8rhhRk-kV*>c1 zQEzh>`&6y|Iizk#@*PJJ62rGb^E&0ilQ2R<%n5nn+HB4`yUkKo1SlY74G}mGS>4>g zd#wEr-vd+Z7`&`efb5q!wOhVBR`~ZFG_4L(40UW!%d`+nm5_kFr3U%)v9uXr-#^6o zRqdQn1NI$mk4ar7v;5(h0Vr?RDOaa@t@z3@*fsYlHS;%X7P$Ny$Tb0LUSD}K90q_r zQGk2>_z;!i7=`e$YHQ>GHVGH@C}|!KO5Vy3!;)0!r>eX*uIrpf_U@q$u=Oq zm=I617&fQy*iW}EeSAQ553Co&DeI+&xi#`@yPYC<#S17wj8LmKQ0X(eHLC)1Gk{n% zlqZpLxB(6X)qbX`KjN#>9VnJx+EB4e&3^!Dk4ufy3E*(!hmHqiSBCvj(bZpx78<# zp(N?wkOS|^Cx2hq!1~{fj-r(!*iZI?KfM$@w*V)~p65TY@k&d%h;?*1iL4lz{*r>5@sCO9a`3ytMcm0$g488kpBNC4yNcl__@1DU?t? z=NCfb&uXK%vv7GAHhkzb4>u5lYiUXcvsI&${2`^VRDyX$3S(uF@5!cIl<-DN*jntq z4a5w(ldLYmmIprOw-KJ?BqYz<@#bFL(5$)IsY@#K%Pf{J+DKJV2EJhDWtAy$Qpi4M z{=DU{JOY&F^sZ`16~QF$u>~SKG(^CS9%RGZ+(R<+I+MHBb88pnFrNUuxB6& zQ}3tGjLhJ~Dx-xJLn<&+?!H#CJSiFPZwi=|K`Kd9N?=-$m+e|){#MEQos6^Rv3<<) zlqwb^WcXGUZ`u2ZkKVD_Id6ISjYCWEtR+A-K-luAS6S6=#z1v@Y7l{)q%gQ zII&8-{LVKuI23Ms3+kVH&H7fg08c=$zii;NDUzC1zhSph>##$P@|fSab=Itx^cF1) zJu||d412qn%vTkYpqEiLpj}#i1jq+R5#HanRz7V8HzxK*_sP9#_j#}q)4gP6l?;14 zd&A!H@|u0}6N4Q;CoAJg!x>k!&f*zxg z3WP`o{wyLq@v^M3u)wf$#zis$Wwkr+(sMQ4-wxidm5I^G?L6$W z{2;^89p{Po;~7)B$6lXhdZLsX;gh&AwyO3=f_o4~B5SCa#4P+ZIODx7{<*4+YYD&x zV@QkqjvSQgRXFJ^FiY#&&VF-#L?@fqDB^)y5v3b0k{#GQEeILPo7fQBQi{`i(tCO0 zpYTb>-O_KN+JW2Ei8}5}jrgCj{Yyr#PWj{sgF%;byuk;zeSmo9pbd?<>hh=M0F^Nv zHBnqL%-38l7W#NPt^6M+MK9U*C#0cRW~L=_)*8BUe*6RtR&kTQ9sN-4ZMzr&Y!o|D z79#LlwBQ+g$UIzZBi^OE2@_hk;eOhCxqRJ;*7w{lXCZy@t_}F1sy~*4J0zMpCI;u_ zCDDstz~EKCsbSV-OPzWUrsR1UY1sF-MGEhkJEvI-K+4>WxR^8hpomOb) zrHHS^h`aTWLyVW5XvWj2pIh6YxYtqs!5OWNO@rNMx9;k`S&7hZp@scjD|*`7)z);l z_MEkp+85t6^s`wzn`i_WL!lN3y;&k_=luriEdTEOM$OK6+2)7o7w1<}W&=@!a7FR`=$;{8D!s9aVUV38^yj~U zN?7HFKIv#vM~U>L;PQu@vw6~yKYhHh>89t7YCk;x8Ppbz6`@Z>?M?Hzq@#y@=^HM{ zoncj*rxy^D-{cAHE_S>xRktnk6W?$lTV3%$K_16q>V(q=^u@Ul!U0DN*& zFaaD!&*;}=A7TwdUE3|KPgJe}*3OA|e_od>n1~ApEuEhbPUEo9cPgIpvp+`b)I6J2 
zKILAtHiWg@W+DVLNW9OMk3TIm2mD=>V1CN)G@g)(W5?{S;cMC3^+Pa)iYbKMLSnCc z2IIiW1g0~xniw|&1GA)SK2Y_6K!Tg6%!>1HQ-^-ij8p+w3tz-oxN@mRSu-!7(#0gc zOwbYY(xTd!;=jom{klxni>FN9dd>WKcW(#Iw7idhyA@&E1Qq;v#y#;xlX1w%O_e|f_~c9XsU@Z>Y5cQ$mOaEhV9!W_w?k=bgm9b!Tq zDdC}}hYHfhP)>%pujIJ5r$TfP-!MnOLYY=vt)G(e_ahQzSVR|wN0rjCSXQGdqGv4_+3-*FFTD%TN|+OSon(pm4Wz} z`jK_*p=ObT@zCxubKC7e<5t&Z6|F-|%~9t>*##XN@z&PT-Z<+S zgIGkFIQ;lg$y$M37y|9Yejq- zH!EMeBMx0&VF7TF|AqAN{6Jc+B3A|NaY=kacm-U_WIl#UM^3j(n1h7ICh&X84cXZ) zkIWW(4b-Y&{ZKj@Ha9Y~IJ$fGC5c-dx|bWBR}Iewdfrsj-l8jOAC$X$UCBVhhKE_= z@Ng{wWI*Ge=D=+G9ieuw{OPxZ#|l~;V;5J951N|?Ms`UJ_u8l!sT1$?JFb&?_ZU8GX=XI&sW6q z!SnO*fx+N>v-7cl;GFk?Vrrf0V0dQyBmt1#Y4ItMs(7n<5VuUI=#-;VhKeh(3qtCE z9`SL6hhW0$_jLt-2IJxZeL)R%EcQ^k#Aa5R_$p3Q1tM|q~r>gl`RJ_Qd2-$3tA}3ZU?3G)p zQxn8TwVvIiR;4CaHcgn4B3RLoYP2GK@{eMDufA86MQU~b{bN%ma?S-4n{lE!J2N}< zI49?kT>7tSxYQz(c^A>|zjpF~UT;Bv$H?W2(%Y4Z{4d!KF7+K1e67UOJq+VdwP)id zZIubaG&k3U(7LVNDYZ8KSMI~A8C|+@-rP20QQ|t){kKzZDK;Y$cIpkrd2>@;Q~@rD z`qnG#9Oy~9ci*Bj&-%fG;iogJoe+9^3PXIQz@=m?sLU8|fw9whm!EW5V zy2C%CwZzd_nJGpvv!AUpA@zf0{>o)6)r*vl5-VB}2@OhCyy{|u=3!P-=2@9MYdiDi zgB=HNG8V;~3iA94{O26(J79rt8VJ0hO$~~njoIsSy(=x^o25P0#{P|Waygrb89e0T z`+0k+6(9>uKvBWIO1>s?*&9+A1oKND#hC3EnDavnoWcT#)$9b}pP-9Rzn;a<4~6*{ zOr%*?AE0#Empo$goM;M%qPZ zj8nK?5c6)RDRHN~IUr;s9)Q25eJ$-B9zG6thAH5W>IZ4OX#8~@ ze53#?0i$vn38Uh}T~sdOMFL{6Pnkj)tt$N(2ZO{`kgducUa4>|Dq}fg3ue$3$7o`v z_1UkNVIzjp8WjtQ#hLLIrtf>@@TTS3Xc3B3ww_Vc<7I=97avn_otAi=GH=JA)!Jy$ z?Sf{ZyTN1MFj6;Z9U8gnBuaJ{GqJ)+iir((=%fdW2L+;D>Nu zVXLPQ+L^zD3b!%-2uhJEO_y!p)xYi~8;`CUPQCF_-wymJ&8P_MbZ&39dAL_=|@q zkS-7!J3e`+z7xV7E_P@BgNK5wqy@6*Y5xA0elOKmT7x2eeHpiuR~Va|wGpcd%LeEX zT^^KZfC-=}^Ov`dyf6oy2QO3}nFrKQ3`CgsSXL`UFNKT(CcjU2*IhEEvZjhWD1xYW zO!i8RLdbn?a0sQ5A>xoJL}-2h`DSb@5g#I0KSDp-kEhL&U+P1kPn7)LUX?9UGB_Zq zJRc123Scle&me+H7I$bxefSfE$01}9ARvT5MpDXEYap{eqbg&C!{5fnw^e&9A_<{T zh`cWnI7ERFDkDM${K9WUDJD0@rvXIqiSp@e6rK=hVauQrf*6CT(*?27l-$-#BtLy%v%)Bx)8x$tHvfx8^mvcNA$Kq?a?9q#y>oe-*qTnmkU z$a;{}mqIj@)3_Zie+oTe-rbo5Ja@OKfcqWP2OnA=F!ifQU?9I%eiSHn+WijoJI<-R 
z%uwzeS-Fawn_`<=*x8}=SXId}jK$aL)6_`(@MN{+I7hrdbhI~l_zhgY7%su0PqO&Q zUF^{#iM&!$W`O#2KtDoUduf&Mk&5fVkr1bXgb$oL&d6DuBo0|VV-24?(vRq~Tdt5j zvXG(H6?HdQCW18ND>wBwD%l>6h^Zzu#$y1$@Mo5YZQTANgY03pI?g6wM`>(4#ljpm z)r8Uj_`G7lPvP&2kquN{Q0yOJz~`t0@71PmNaCF zh+73Cc|8y7Bqi2kG*d)}e1-iTM3m`WQ8SWo z#nKWi?xWF<8l}f0MY)hUy^>Q)ysH%)4D5bJB%kUlIakXkO_y zF&hlx3)bb*iqk^;)AO<#=evq0RRAFWC$=gEE)@jLV+Mmaxf31AJnC3CktiyNT35Lkin2)#2A7B z009610Du5ApwM$`_LNo>Q=uIaimMeZ%N|P^eB!~(>#aUg<7*WMz{V-c3-j*Cde*1o zplanMh!(9lZtxw0m5@Mnq#S-aL06z(gHvXS)%14C*->cD(b~V^Q@L9qbm`tcJf23@S!+O zbRnaV$iVlRxD0Ij`L{ji{WTJvI24Cs+~X(2xbnG7mJs>2tovnd0FuBbh?{8Yi%XB6 z9>;#Ew;ViS6JD2gl0vM3)HLU8Iz@BsA)STJ6*suR^9$%nTXL;^>}<8V+*Hq#v_@O{uP;q3gA?H!}V4I07LIGRO`?)WIJW^d2Ja;_9(E z!8>bADJLu(0D_I)2rKJXL^FLgCifM6Tn_;MMi3c_>^0MontmTrvM~hFul)wz?+(Bi zCHuJwe2XET`8|{oF&5o|Hdf1Bn5u5b&|)F*)Wb<;4PY{PvkQN!y3eAy2~Hq_OB5or zJDxkEjG{+4vT#D;BU~m}saw=rGMFu~nsxBWpd*+xXa!CE+vu{3s8G;wn~JpeR!879 z_2z0S*Srr$kRr6X>Z$bD^v~|lve;^KZ>kNf2e0C3QW)(*zbJi2Y16*kZZ)7az1rw0 z&Ug5e$Gdr1IlyKk)n-z_L{nYY_cvD?$0TK8SVhzMy%7ooyM*H=cQI;@#^?;f*f#5U z;*`bN2jeS5HRS%l%QW4MI>=G{@2Fwj+E`CKF;ets{xc)ZL><qp9D*y1d1 z^+j=ufy3?HnY?Wz2F0Kjd+O!T@2kkBl{zLCGszhT$^4Hmgr>u62$8s}qXMhx*5qTkw5hrR58UjWD2C5kLKQfSQJhPfG z$mEms-6YSvd4-?|HlN|n18Yg)!xCq!BWtos^HdNtIO7UiWJW052ggpy|ne?V{hM>M=x1|TUM zIvSRbriy`K%EWOfaY{Om$tf&^!>%c#quSm5@suRF3Q8eo5ikmaxw_oI3qw0;!#pRL zvb9Bi9O=}VI`7EV$enk2Kv0HZ4D$iX5i^aYP&P^%fEkt6LFCM&=_4EXSeM%?k3Hb? zax%5Kwi(3?+>G-93(n0OfgfbTb17m76ySem6hGB&shrR7<{SuIZv*bf&Kh;icG}en ztRWiDIOr^+r=LqtgT@iBA{=e6g!y?PP_#!Mez*$dC`%Ce@-<~|Y7-yB*KI$;<_u+6 zVrnnGVb~qRFcyTo4z|;r0yTRSGXW1uH@M7s?>~O zk%=5iX&~55F`3>l4G!ppp3StP5)Wv2R7ZFrz}%&BDW1n}@M6fBdMnXN;69ksM?k}) zCE|hvpO6UyNi|q#Xv;M|$`<(`CSD`gVki56hIK)N8j$CSrzWy5FZDqQKtIZ`)SV8=FraXovsr|CjU=Y2^eWErXi>sAD*|>ZO*x}66MEkT! 
z6>22PGKnU3h-S@Kwk}MCV=DmO7mOn|zmX~9E;x@kfr#Fu#a_-$^L=#wxVYRZC)g4e z?F&`g`Qz&s5IOL>F+Q671?D;6emPy^5$I}tTlgep$>7!q4e`X?>4baKTw=o3h)6r4 zKLk$q3N|F1rS=4$&z7DLAcI)TG6OaYb82H!eTwdA2H}`F{eGIa*j*TILgWcQ`oujL-%G$F$}<1QhFx+3bf1U5Oz(BFmzGXlrR8Pqqd8m~k{ zQF+ki>7nuH0iZ;OO)5@t*VTE3RWIjX^BC4|^VpI}JH9pV=awS3k^i?@G!=~67M?To zydXCc=s1A=0iaF+uusoY$YQMioMid$mNaLnx1DNcGo5Dg%!CCJi*?c6B)gGO?X#s~ zY=pW^Oc0*K5dkoY((OQm5V!bO)Ri5Kkr*1ff%h_KxXsC@o4QubU}ysT<;$wJ#(2yK zW~Z1j{*F~_zUBB`Y~p_mXrtCYUHkKD7Qgax(?bSO24?S}SJ*__073(VhK#(3N6lN3 z(I#A;k{sL^6~n2=B=$=%?Ou3bP1w-U1*$*V%8P;Xw&WOgOz=s7=iZjNh}DONlL0sI z#8^60Q-^8w)VQC0sVx7EC>=Jz>3LGmSnj&o4FUn_yVG(6^u;M0ur+x-j4p;S*O}%V zw~O}k`r%l|XNW~J4^#={Cch&*&z|H7YJBn8=oWkIRqFR4#_XDkYsZcj_Jy#*&Nr?S zCWt@oQH{Y}sV@NjAxmHzE>@YMgD%GN8Zj#D))--C+s3b@aMXhehONWE4qKpMFulB0 zL(J~&_icCEanr`cCB8uO_39#Y|xEX%8$1$1! zSgux1Kn&y>4T!ir1Epr5|32nFv9i!xxnZcw(lls-l}f`_6}W|~ehAO))6}=z#1O9M zVf#^5rlU)5SXuZuge*c)LForLhItIeR6Xgz?uny5>H4WkU@|Gnyc=L+4$LQ(+N%Z( zjamtf%x5cryRBNl2(D#3L-#*K0E)#OCGV*^e~eB0_1=U#Hs<+5Y1uiFw9gWmQ+5#A z&{P%pXEg-O0&?Ej%E`h^3khLD-hrfhFbhWY9iVe(V)n3-8C-Rmh;1270eV4m(B_>d z87%X9?c78$lb(j{}%9>{Xue~ItEtE zjn~X$E>(tRs43&fXU59?2!G$r1EZTQ(>J5VTQo|5cxVcupyk#=)gncs%Ht9lynZJz z*AmgU?_!)!PUqtZP-6TzHG;#OD6QeaX_jF$4hj+?E5lMwpq&RDHEo)$MPnl)dK@>g zrFf@jM({=Wy@V(2BBSfw^)$r*z&WxFSasq(BZ3r=b~)QdSPgI-n0>LfNa3lLw!v8_D4 zY(XPOFQ4gE@#@nFcyBoZy|Z-0*E^)nlI90Dw{sCxIe9xz4RL4Yke|)EKFzN%L*VU3 z%O_$SKm8x8P}9^xT9&9U=;E}A&t>I{@x;qKzHDcm`OjDuN$qmhO-DjU{bEz{fQB~q z4Ku94>oh$zshq7T^}$B$)_p#5ZPS!{bZ7GJxnbI8l)jiT>m}g9HFlH+wj`|`BgCM8 zQ}{|})8I%{;8Hww`KJ=Y{qb~Kgl(+tnq{z0K-ET^#baF+7%q&*$JurDus)NU4m$+Z zU^`lVqVyky39w}7F$bl3SdBHTo!oo{nl7&1@d{*w`A09Ktuu@+8aI9kvq zwFzYdp;dj4;iv~dBcLOIn>8&fy+1+=QTV&+*%OnY!@Bid9uTp8|H+|M4!J^SP4p#O~2bbq#&a+(p_(H|ZcrezrkFc}dU2E1e>Ky_7= zY24Kp)me@NVrj<1y7|*7xGdv3l?&uza4}NqHtT5x3}d^&3&j2^oCFv8on9N&b7q)v zI25sRY=FDKfX?KCI0=LxY!%8ZEDLrx;^Emc2$h z%4i8P9i`#BNICBD1l#7{AGS(XlF9=8XC!Pr+6RPFj->L1SQMFZSDJ>VE~$e}UP8^# zLTvY%sBy{5nh&STYrq8fwG zOuy>G 
zPdG5F^YBScyEkJgAIIEKpt*tucv2u5b(`LMkt$XpLk>=5$O>5u?HUW8eCW3Kz9Wvb z1B^7Jqc%N)JEd{zTr8>KtsBo)o+JXgmrwj0t+zJ`Ff=xZk3ytPIdkeG#GS+M_}gmb ztcue{uO9Wai2&ven1CbGF1_rsTH}qNNNs_eMwY=zec&*aZ*K51G^3L^nxL_q6;c|U zc$-BBQ1TVtQce`_mGyA~i0H}w$}aV%y(9zd5}R^#Lt(^JUE%dm4`_bd;D6Nd&d zN%|jX7fKb=Sw7%Fe2mBLmB;SQMsk8+r^^jmjFEtS39IDBm02+4koO@=Qfm-b2P%+~ zQX=NZcKOP@?!Y|LVVQaFn&kL^3exJrDf9m!~f z6?&!}2Q*a#A}7)V0uXrlGsU3oDU=||r+sv9lTMUN8kCMN^moqHNHa8yKA+#Sq4J3p z)S$ITI^Jm zecy|5^oYYVWJ>Zk_3T~%j$GTITn^FmrW3@JAe4P!*sUu0`7fLzr`Wd!%|HA zo~Q9~m4AO?9LfCBO%RQ=P0QoGuVZEov>Gr|s9b8JW;Y9#-=hm+Y;24S9ZI;mW`f0# z8Emo1M1-2fYsy~7|4ZaLvDHoua&a@ZY#@wLm!ah}-Xn3Nbyqd^Uu3fbVHA98GQxFp z2$o<38|Gbz8I>rCg&0JCfG1-^kKd0QaSu#FObkPNqsPQ-9<3l^j-zcH!RQn1+O){5 zd3|GF!0$`uSkg)MSz&-X>5B3Ew+4@`vyo8^>qZqE-;++oX!>84aojm&qp}Mh7OX}Z zxKQZyL8W+^+4DPA!nBx?jRTVp;~m80-HL!6&97s?RV(0$?jV_&*QiIl1ha+0nV9%4 z=SqwLw~ba+MDBzF3q6o)8GsglW^X3Y=&~k$q=!BeZgSFA5(x#{8aVRJ)Qk4GEh>WQ z+ry1G%_oj>$Fv>9N5sb-gUW43k=y;re+O?z9+&DpDxSXfScm_*r&)>Q~l#m`E1F+ts z2}*ct_cCuSJElV|Ft<=o4^dfqI?j}pbvCK!CLhp*x&q!h&wpkkqVA?egBjv$i(rCE z4<(6ie3RkVci8j?Iuo{Ioc}7o7H-Dc$_hcs)MqAATV>@-P+xOrJSzis9uC@##S6`G z!ZS4Eek+j^YbXQwJS3;0iRt$ZVZtc%Fd8@s+nv&6OYDPPN=CBM& z$lpalfZ936*5=8@v8*P8{Es$q<{&kELlp!FPG_R^SQJ`%FJ?&8)elM;6STsrG6zay z=10kGMkEj*fvr_H+OK-IP+igN)a=Yz3 zIs)B*jMRZbkbo2Y>h3C^w=>MeQ%LdE|4+TLy}7shV-Zr_dtk0Twbq>J__ct-F*ZM9 z1c*QpBE8mm#;5)gm|*ZBF0R7TOXD-(=^*MXMV+M>Ie&F&(Hgv zFf&+&5;-UIlxp>zQ4mYc!jz?{!w%1O-k%%Y{Z>Umz4JMa;+zJ*!3_A{=<9Ddri|>{ z8r*dT|Co>qJ5;;2w%KNK1eImCA&o?rX2R||xS31yul*1jV}1pNwsE;1 z!|@bL!iUE0L<`kjG*nyHVKf}4T%eou&UyL!<7A7d4y&j7V^2}%F!Iz@GzVHRW&3Ic z0s*svZ6jhFVO>5N6XTL3nEkp7?(IqQ-rk< z&>gjT)F_3H7_!NYn&xq>*T75@lva@Q1?|jdhS5ejy7@MX5dP+Z7;=0tK1crigHXx@ zadj9gNuai5@vHFFmN~V+b^n>N}q8Y2@aR%JZC(bdXaxa)cgpWJ5#B%Ea_f45*nhWx6>$! zY^p>F^}({_y%$q4hCWkxpfrJ0WEi#$^{SSPcv?mdXvIEO@EFr@@jq(!)?SEb`211G zD)&0cx0=Iy5)~x5=qDc4!Mwx; z79fb&sr>Fg-+B)qpF(TI4-5PT<5v{*Jfh7uMG%)UO54Wssd)Uc^%fSVuF)(^Ny&hA zJaPBb_2azJ513e={YTwueR>aC4a$xF5=-kY_8h8ZmhN&)T0? 
z$xu`H7GuxtG5`x`RPFNWnmad1cNOyB8m?#ty)N${H!R z+dLNDjE(W0F-rIzZZjmSOjxag>1wh<$v4zSIN#&NI@C^E$Lm&c>|EvGKT#2o-Vo7C z-X-OmkKincQ2i>BSC~U^32}F-qw?lEEY!2pc$po^5RUp#0I7sA_ssd7c}*I9x23Nr zHA9AA+Gq}#vpv?rMKji4J&Ab!mn#Y$keXC&_!ZcUY>qa~p9(1^-liUfoxB%Qoyo zrYT?pW}{D+%hZTsSu}A~wb0riDn1vbaq!S6vV&4jD$lwdQ|qw<`CpO=QlX0683xKw zV=lmNeLhZP#p!u6wcbCtyM}V`qk|FyJ8HwtcY*8FtaPZoziuOJ1m~Cd95tiKG`|Oh z^`Qo;CbG3gSP6w2;tzCt4xSwTY8@w*Yn0h9-F*e0+#cyc<%{v3v1kFfC2sDJI3fS% z-4h{jd7x0ixkw#DAPV=m5dhG!gJge7n^iZJa8_jpr1+`nulnSx?C5TghQj1lnvWNek*(aGb zWWe{nGL-mC$39@05nE@5GJR)Bh7vlfR*8Ouu)Pl`4BndLZSqe|6)Q05MYRtTW-IW0 zjY#uAHX?{(2A%$Rb0QbAHfcYKfc?oG6!H8ijx(`Pd>#S_U8;r zOv8mz>PVNUUAhtL(`zFE(hW<3ZaPg}vhA0+9ww>S=_;u0(|GFajQO~Qd5Pz0O$T!H zsi9#(?LU~roI=y^pa=wFQJ~F=o45?AyI5HgkB;(M%(^xm(4+Ir zD9sAwwyMEjM%214Onn%LNiw*Yo63Pmum8GpC)U_8R9p+KVzuVaillfY#UH0ls&-%& zQ(XxaYBKy6{PoJw6@SWg&^bkL~s0=S_^y_4b`NT(?v}0qT-rFJW?oK$a6p~ zr~Kmo|LcIxdjr6ifPQwX#%LTj67V1X;k+9!14Fdg`5x3-{^vl$w)EBB?lWd+qgPPU z6}ZftGlGjzD33SGNmuGv`G*4L++B#G&owlM`&&gv&*#>zBIGXg71K)D>>_Ls-~|2; zR-vAH7A&pEEj;FjPqPm3KwBH52WNP_Tx`NFaW`cXi|L0PU_%cqiDwHg{L!(bG@?pO zBr{bFxf+hcWF}u1R}~CEV$QgBKqNJlKz%SP$k1kl#?H>aY(W%su*c-)f@HRCPd+t_ z^15e9JJXj%zLTxNa;`2CVzTp)BY#j4{)_|%jjK^ zy5W5aIy(U&Zy(L0cnxjEh0xVge>Z&WGXt(g)D7`&l`s?FS3yQ6Kw4Usc_UEcbsmKz zGgMd`ls&0l5{p`{MMw87_4CcTOQd@RCwXOwUQ>^15vhKRS_@=bOcCe$GSEMS!ju7v zdX9R>6z)Eo1QTuDM?UX4f z#|h5`_5Cfb$)KZhNz;AoG|b{|*nFO$84nn>1x4#f6k(dbtT{zLe?Pfy~)a1Ps!)WUST%KCMrg3H750FX&RUF&9>4I~?>~ zl#I@QR)LigQ~=YoI31=WT~F=XPA%0`{}6u{oVF!EYuNg2YGh$_O4W#1pGByK5&2XDsB($>|&oY`f8yHG; zGFYQOf$oOgfn(SG=v?W_9yJXA-47C1bcRI#4(Q!Ah-Q_UX! 
zTsnQtsH0CE_fGi9*)vLWS(@9MfNK^&qO~eccdQEGSz6QKWZUEcm@tx;&hP>&pQrW* zGFPpai@~6P#uDKqTrYTp$xl(}C$8XmMvc;nf7$;9?B`$=V70^7_!<>#i`T;l0azs;Y z&2tGN`3Xtyh%^*=!Dd!MnvfRg&t@)zo}qZRpA&z0C~P!2^h%C zH-DL}JyIpMdF~Rj?@YN3jkr%;`Q{m|C)4uA3JHLTH5^RJPHpZr&I;4t$O9WW8)s@hI#OQJi_O}aeFdx2ZnalRSVIb z3PL^K;H5HP`2Nk36W}Sp;9~1KAR8v#MoENP#kolvKi8jT_+`)`O>}S8=@3!3Lw;1^ zL5Gi-szICGjLg~7`0I&P+E#OrVnm8pguj-ZBA;B-@bK?Jj3~rRl9Ll@$82l5q4|Djj#XM$0jwWYzoK^o7z=o}X+YO?q+ zW=s@D@6)|ToF#r!k#}*#ynx~PcZ(E>OwIv)2&ZBWjY?(4$_J}CRd~|Ec|4n-4OQ}Hp-=ZQb z0$y!9mnCUj0nx>4fj#x0(%HZ%@1^9QcSI+M=pgvCjd-KDXlIqqXWhXC7Q{{-LNkxT zrzlvSS9oe|Slc#1g=2fRn0`yn*jMl6$SScN(o#-uhJQx&NKX~PRB@6UOyFIKVEAOZ zlX~u~ko!9O9FWjB$*j*4!TWzPtE@q>kNL`JTrAQID{k05G;+0(DOealcNx2BFCl+9 z0W(=|1%cIb(BRB8@KMnxOUh{rES|L0V-Sl*JPuX)#{v|XB8_|50z#WLD7LxxoatKQybYCPx|fVgn<&mI+aF5WOCdqMwD}!XOtDXc$|= z*=Fg|XS8DW`*qXKZ-A0D$7ruMkLL9X?2)D7$kV4BSMRTrXG_6xM=saCb4S1^d7;eB zHmJ*=VYuHOXCZiBwlF$SQZ%67%I%@W?!{kY~$e`B}srnE5q0Hc_T&=?12 zUARFH>xGNHWXpHanoE}`{l6#LDm1URvUTwbV*Iw!&N>ilj(Ye+IT)%~Eh}-QwI{B0 zI=-*lYv)XUx6*n9yY-1f&szG2ofED^9&Z43De>5-TIY)OaB4xOHr8+51hool7}RchE&l{h?X2m>i?3>a&q ziYkE~4516kzIz_WAUOG%rYRn}yEH#jdOH-qNg3F zlrFev%1&Y2{i|Y-6ZvkF+i)95E4$19rRSVMa ziM@%_5lspG&0rvFnih{ZP_Ze4HzP0+mS#K!PrKjhQFo^7n(Ar6D>ODCaEjNl+$&Cf zR3B*9D4AY+_?hw^#D?=smqsFU_&0jqs%TP(aXU-)L5t>MPJS&G$du;uX-Z{*z_qJ| z7q8mXE3}!9YT@oq8cI>Kt}8Jrb&bcTvxg`^Mlj9P8$ zg!|c+a<9y%@J&0GRk5=O5BfBT^S%_=B4X$Vzu2f(&h9*=W;XwV=45V;z_Sqqu@&jG z8YeAav&dgK9+mUXk22Bz=s^iIeWK}1N3ewlEW%IiHEw` zJ}0T{#x~CjXpIY&?Zhf-*2|S>QmlXt&f%f7mFDqyE5Y4fbg6c5%9RX6JvGDKq9lsZ z&8P1}y~^ zL><&JS7-XYzz6^4td?>&?CgVE+l=f#+la1C%A z8m+h5Xp13uN%8i&rF;>e6qpgLpOzNA0imLvg0os1!khTdk0WxqbUtazU=ZWS17Fun zyn}}WaA#t+ZI@;y$fY#rBz=vR7vE|6&p4!T0tWqr;JXW41wzsc-*QP_XCp(iMq(5g zMyD$nhm*D-MXA8GqUaKO$E&2lnSkQEEmAX9kA)JNbDKo!A#dqG)LR|#*>$YsEBx#* zJ;RQbl7SJd)rp?yV4n|2R7+YPHm>>=uYpnQWpTee%xoPRN2W3quQRVEE5l|BfK}ysB!So9)V^N zX(L9g2@Gm&CLDZ-&Dw}%q}@pJK+Jg()fmLmk|;L3mCy&BCdH5b|K-B5wX#V}(BOHVda2e!hhM#MT9y4_I7V?A&*F%T 
z-B!H}A~C1C3Ldrqod~=4U1TMoWbpjo#G2sbv=JQ!B%jRcnzZSqkD{rcw(cozR zjbpUznj0$&waJ#_RgeJP080i3te)Y;;Ci&5Oe^2PghU7UI%7bwG)Miz&&ZTeTrN$B zIDRNz7&gi?1oCZU82DL)#)CSwO0>I!riWtOFALmoTVrh89q<{`KNjIzLr;TqEL{V?lOw@kdb(@b8LI?u>o_*ufjTjKa& z797MV3L>2N?EfPGxU2K?a^A@1$(hgfv7y!ee_$29y%s(LRHVw*@q7uhz|`v_W5S8s zzUCZ@n{gls7*KQ$x<5hY=OZU(l<`03e845Q^)L7reqn!PA1)R@81@ve(-4;t@`)ZS z3RniN+U7RD;@fDA6Bz15iR$d^xAiYK=O3f8TdE)eJ`FS*hw5UtVyG4|A|H(VT#e#g zab{Q`Ef&a&4p)VQn`#48Jme2`ID$_n4sw0ub-ksC5%sC)C}e-$wM)PQ?;(ssCKg-? z7dx-?k@y>BMG&H8S1crLZ-`lcR0sz=a`nI#7KmYgKy_z=B!68es<0d+@)XXkuIOV8 zLmWMZVTp5&2zMnC?_m*Q06DX{JZCy%oXfqkYdgs@>8Iq?c1%ZI@7D&5G_(>@-#H-Z zD^=mA^4EGn)Z{ld8Yt1Y!TvH$JRf5mV##s^MLxq)sSa%o6SsGs%1pIM25Y$1CS)RU zRd9*ym?zNHv;b6w&m{m#ona227>Z2-c=p(Trz4Fbs7k_z?(l(Y3p}1mB zB({uIY3cYFKDYzABM8hpytLJ{$4y4n5i7#Ftr% zl`V?NS5l^aXeXF70YehvtV}sf4im zEv;Vbv{s>gKR9=^2#4G=sD=n=Gcc?@k^Lmej<04iAyFu7V>;&4n5leU^kMAiW@t z4e9#9!*E{(d4JIGN^EMG2);)UYD&S3wFIr8O)CI|E|RNv%@_F4N3_szXQ46oyt-dO z%kxmty(2g>H7;MK*`fo2x&63&xr;|Bu*Nru@PvEdH#i>C(Zl!+O%~AsE+%Vf>o7X= z?7?q&K9IqR#nkeqS0<(~kH2h-)ALdDV-RPveFNz<+iwe>loFWZVr7zg-2eAuW9hP^ z7*noQm2rQPruAjVsnF^guue78AW<@ro=3_*G|e8K$$(qw#$$QcklpqF5T_A|9dfci zXxUnQxvY+&)3J}DTr&{~>rCAu1i9}+mIysV zlc=DvQsVGbz>%*+Mmt!Nk(W@$)km}+QyF1K@kSbhFEq!gLDxy`yETE!7DSkngpnVO zY8Rg0P2ZKUE%N6;?T@EfXNGqR;& zB*!5tVB+u}i}&eHmxfQV-ws@_$I&022R(D0+MlIYR7FlBU%EFN6`0=w013InQoUK_ zr{0)itrj~S_mKfg1V=SXsGb#kaL@9E49$~aAoXYVt4OoSjL{~H#0G;kABw2q)_Bl@ zl~8?BkZ=tFO_PEjsCt44)Z+&d85Io>d*XtkaTuk9;bR&0IDd_mO-=|b__}Y>rWrBb zI_NGx08K!$zj5v{!r;N=NUTyn>wq6JR+Ve1?BvK@P=>69)v25~QJV3M((um21&z42 zv}onkHE4{|sHfof+6l(T)IUz8`L;S5Mg)1a;~&9CjMgVz@W~!d+jRPTx(3#>p}k!0CuJdIyo zQrF}368t_t@Be*ffut8{o-|Ey;Q{ zZ*Fdd+rIUI6jI!0%rx~Nj}|&ZIP6i+_rnKfztcZ1xwRWO#c409C{)I}KFi6SigGMX*S5T~?Ps=BS0WHTM z=G?uQ5`71jbHl2GSR2O2W{ty$w^4y9q6S07UM4urxWsG6t^;{X=p}ARMt)RrM@B`R z$!~^;?Cad`eKv%{V4_oF47!h!1_gy=Tpf8(iXnwpp#9()S)Uwf#G1XTTe(Mtfq zUQXtic!k%unn6`9pFLuoDY2{k|+Uzg!6 zhbk;SmRA_&Xv~8S_jY1BFL5@m$SMb{kZ3vgQRcV3|M*@R&q=>|8wbYgsr#u1HfA$MIndhJctM)gx~)Z{9qW 
z*SUz`Sp;Z$wx39XV3?VYy_n<7xH1y+Y3gGb z{5^7O6agTC+93-YON!}NfVY`CwI8&hA!BgVD_#I4_!5LV08pexS14}dnmcx0^kEl| zh3&{P)m^p^PCgN>Z1G*ps)CO?E-98pZ^@W4<+-pXW8C+c%ria5<@qdv+ybu6sTXLf3OosZkLB2Jnq@EtO_|J$4a zYYJXk8i1+5T*=UFkd;y}X@{JzyJNYK(wBfzolzRXExE_m9mI@{8b6)kR(Dnuh`2C+ zq|widY&lEHTEuvBQOp}o@r~}hj}KEi;m4Fo*zPtdrXcqRPJufO++cddmvD9>oNm8G z9PpvUYL48Ylyhr=HGWYnf~kGDPp>aoSEaet8m(@&R~p?6am-rNFSLGg<`LmCH34_T z4U;3dMwl^(5}I0x2+XwUtPR79%~Hdxp_yjOfOWKcStw)5Jx1Dc`8bvU4;!V0tq-Z$(vpg}=*|vD-W{Ftw7RjAI<2z>EK?5laDB*Liv=L}PF4{E3BQPgm zEdQShTE{_jCCgGz+K{^@M75eXB5bSBsY_fHArlg^c)~RA&KR=C>NtW60|BP| zNsj&7$Z!;v44<*@>Y_2braZ%~qf__-Qz zJB-!iy1I4N=$}_5AN|%k^#>r_s5re%)-h~x3pgA&kmC&_4QM}^QP^x>h0PKB@3c6) z#g+PWD0C3DD5E&NM$zm67q-#Bux*j(Db~UcwJ{Xej9xgw4rWT6GmT*4Gk06Wf> zaVVCY^f36h#cRP&94qB^X~-NAenQ5e+zC>jqZN~W$75)m=m-{$GVBn$8XmCaJVP%w zLoh#+4if?6|H-hv(X$s&hprI>hHf;?0;8N%1b14KG_wp4+t#B^v2d0-cf{NpMlMQm zwEEf`Z)Rz3;YI;&76GPd4_1!=gLrzjb4r6K(V7YgM1rb`4+rbAjn9L3R-hBbj78w# zjvnWC{6G#L{7m~m%!xbB1F=~{Air_oO~JlBt5EQmTd`1b<_Id}Ty+)g!OzTXJ@{0T zM}tR1ae0G^EWwhUu?rel3$s7qvm9{13U?5|GyR zI9ol?2P1HYf&@W;io@fR6AnG5t=7OUGKccP>MZ`OHR5VW+T&gh}V2#i2%$4JpZ(YiC)gqqC3#vrUsI9y-Sd zVdJd5<>S8g>M54U938Wxaa80zG{J6)SWMTso_M((!{8DLjM+xG1l0cFEM1vUH4a*nvEOjdUT&xsiXK(H}NHCnL%e>70vri3dXq*8Vp4Q7Q zV(-kw9vklS*CLvOe*BuAwr->m&EwYl|5Tm1GE7&w9MD5foh z-DS-y79I}BpmSJx)36q4lPPbJzy{k}5|L>!OyCO%l((jqx-oDn#6zmHJa!$D0Q00y z?~+QrqR7QrVt*csQW!<}FV6ehN$NyI`)dpN#2agAkm6I54;_t^A8#ciF4I3mj!SR@Q17P_m@?A991yExgu?Nl0dcA`;e!$dYmgANKY6}z*8$GlbiR@U#?&bGE3M@ zX`I$P^(H3^nd$LrrfQ^P{V)x1?Bf=E0qAh&tkvf+(W|ZSBO4ts7W$J$4`9T{1B`p| z969_NtWU2PE`_F;plgIdh?2LLv_4k1-p)lWbSPpXDS6$O9Uw2{9S4KZ$N|$<9e2}a z)U^cB&XMoqFlpQ$@zc0%z)5|vRX3MTuC%gMo#viq$!H2`ZDzeHtVdiX4*FuEJGuE` zwig+5d;1aL9NsJ;9sWT7u%<>{Vpbx?B$ncs(p)D?c_~YqxZZ3E=YF57V8mrwNQYTF zFrBd4hNUbnLOfzL%&gJSCtzH2HoE|^UL8fLU!N~d6cida6cL7TwX@#&T^|;uT~3z#d6Be;@Icb7c?13b(F|ME?nPD+rZKcYkv&XrF1`u{$FF z;jb^+nKK8Jpq>e6_K?|LlFhrwRuvgUr{pXP#y~!&F6}{WwP)xAo;syFQvJO32;?)g zd)q5Qjab_P?m1c8f&#fD@|goO_+roZi0WDlw}Ll6@Z$-%ZMsF^5o3k69lj%1rtw4+ 
zBy_>F(;PW<{Y+maf`1m| z;9L$S75yY-InraG%08XToy}myPJNT=*Dm@%55V-D zNiLqunY_P0k{a8D+0DcU0B`#e;2)~o3^-D@T~UCUgvr#=I8Z6mt%yE_As~cju1K=l z--yaFDBr@%9{@yKmd0UTwLgmKg<-J`IHu7Yiiot}#k5d;h|mq7g<9UAeXb1AgLSm^ z9U$sQ&iLQ2xR(nl%B5qDx`2Bw8rFSB&XrWV6Dm&^i`{84@fuEAxG`v8j-Ias&jN|Xdc94x#`lHV>)Q0Ch*lgM2z@jOL9PzB6g?u zAq9;>$_Q}xIkH0YchF=AZkbtle9?4;lwW5DUM_@v+CS1rD(wF5TBKV&=_hIAW!7 zoMx9A=gwCym*hD|(ZzwJJu;*F5pLy55$fdw=#;KWBluf(N4X)iIrI1I;yGQ=m=n$) zGUwT6K(3TJYpfTDgb)9g=e}-+)pm$Tl-=up^MyA7eAdXGo^mY~v+hXwHZjWG(6%H@ zpH3XsUkXXn?=9Z9ycG#%@EI-~qpF8i8LSrT>8(_LxsnAsN zM7g6(qrzDTc`5Qt`{$m%0Be#V#@(>~ghS!&g4x2ONVMXy$!rd7h{AwdgEv97d}iy4 zgp1LVnY&Kl8nMsxoUOkRX_{1Xe4*;t!;LTuWVT~DTSyZ!ZW2xkY*DPK!q4=EEO2); zRKz!~@O}J^u~|g!+d){*0vwE(c8etMx=c$Tu%O^pUY)>+a-;8MENeG&bMTt1K$-h~Ua> z+F9u-jlQC$>DtZ@rX`m?IAOH%XO2gMan%_%-Xt)6tGUrHB&qTqHgaf6JBh2Muv9_1 zzA7n3s&P>fph!@tP-nmf`y)Vb4y*@5Ws#A*`7#1Vl4i_`K`$H@ahwwvtZ!j(zMz;V z`|%5$YmFon1f}F0g`{@iStx6lMnX@{DW|jwVX(+Ke8RH)Vq4+COtVxuGiTg^NX3hT zR;`lepmPE$o>Y-=ohOWSLUSk?Hb^ATjR{x6DaAIF3@TEtly9xc)T!mLSA5wXXU5Rt zk#TQ^N97)aa8mn%aNtGb*Ka%SN;?c+#!0<9iVh04t#w8U2c+e~2|uUsK{uCWC%AA4 z81o}RetQMqNZZHY5aAf`qWFwCZlSu|*FjFwKhzHE6O}3snX&gkQ!8i79u@KHl@Ifz zvqLy%HydAs|GwpsQIYrge^}XUws$Uhl-FMg8f@*yA?`j8Hq&K|BD5h*I!R{XDQ6U# z4@+Q_3j(F>wzv{dqRC;qPxe8~#47vP>kS+uJKyJ~18WL1dNISFY(j+k)*9>zm!gM@ z>e_!69O8gkK5KyDw#q`hkW>BM8cy$@#l-cH=F_cITkwj~j{(I2NlouWDWN;R-#AXenVeio4s5FLJ7^{$65t3I9QP7?j!mOD-ZK8O zHGW3zq+xoosthfT14298WncSDlLyEMEVIJnDgbClk636WuK^dj_b!7;kXrb50r`k8eyO z@EkHTj6YhxtXq+rsYB?=(YP2wyN#_l|H*Gj#*`0D)%A@N-*(|OWp{9IU09cyE?X}c z;mWmv`_6N1sQupB3umaeQMiN&p0JO6^N|0Nt)Nznsfq>l+IVk5Xoeo$m_33;zFqf$ z04+APvD0|xKzuk2RaT(O++z}uh-`Dy)@{w~t>s_xt{FG+7HSoEl(wU-zd%BLQ&g|S zLU^pYDVo~~9hrR8<9ie)fU4m{;s6KG?^>brCl?;W_GGJUS<%^oY!e%{ra_->cQy(v zdcOAHmnX}y2gs%ZQN2XS|ES521z_wALWt3^x(7eBnvuHtf(uq(9rP!;x(oAisyV%+ z9L7ZCtGkd~8OaYc)AenWhuz)i5RU~fH|@;-i7|i$Fz19mfVq4{L!8WrPb~(xofNgg zk?hMKIb3Cx#X2rH*XQ}>2czT5zOV**StN4oUKGYwZfnWGp!+MG0PC@|o7DkxP3vwD 
z&5=ZijIE1+W?_phR50bLf@O_d=I@`VP`21WNQQr|p76`>5L%hS%}E&ePh?tGvfhYB)4bS+7n zc(Gw~!846mnxgLbn)f=YgdbW5hBL_-zRKjdRbw|Bx=ekYR2KO%agmh=o4`*;T!l%N zAbj^pzrf^X8s{1ON9}$<;8USbakRS=94Bc)K7=3Y?vAgZA~OQY&!3721(p^z6Swp* zlEjrwj-De#sheNs4L_!rjuS*@ds0QyJ1_B-d1U^^%))bGB5uy*wf7(Y($#OP>~R zlBPkEhKD-RA&Fjq$#iX$ffbz50R#e&qLRqmMWS&hC=$ z@c%b0UL>3^Tu3@1m3tfDnHT~bPnNvk#$n0}T=e*Q^Nwni0S*#wS|?_UO`3b_0eVBA|tdQYe^QU~Dp#{`=a!O=!gT zT)_*(J?zb48Ig8ln<)s<^o1A*4FNVM+`A8{5){ud8gsdrNqo7OkpgC1Z4WGd?O*dX zIonSR{&T0%xwrO{-nZkiA4dutL>o!#I_#J#9Z$AS>7Qu41Wq^_tFMZpEd(BaC8evm zR%*Ekhn&LM9ntVCpx;AvM#M0B1&zx9sw< ztfX+TtT^*!_0}nM1mqC}`zHR?Ka# z=}GDom5Abnb{LI@mYQg-O|V-zj;X3wUV=>Hw9)|im8~+vJ1wOM5bq>HE#k&x<6_-^ z1Urdm&$3h?a{mg-uGEqwIOx>3MvR$tXwAOrxnaRrjAiMAJxR{roU{!Avya3>GuF)m z2{77anS#!t))bJ$UlxuB7~p!2ep=$e!2Wt#&^p#8m0mQl-3xCkH`an*SYFdBs68s{ zXAI@daRlr~wh>V0mmQ9z)QZN_Wd_Bp0N)CqMl3-k#OoqjIuZ_WAlyn3`qEdPop#dx z*g1sFV4jT)f#Y9gYkM5aA!IoQjdm7V1_{DUTKA6YS=js|L{^P$rQ&r9isGuzAm@6{ znV>%Q{Ex5P9Xjd%zjd2=&uGTQk0;u|)@^Cj3=71LE;F{ZttNW(6c{4zZVecUMO?GjP#BCNY1q3Z=JnPBXiUpM^-I#7~IE8y=fcXoS_14b~ z#1SwD$>guAjR>{0@vT@4-7OL1Zpp=Gi;5BBQ`@XVUEoIi|1vc@t1#ZOAIL`qnI>F=tt_*BN|WF!F&apEwoNe2MGvja0aTI0mX8J?Is zg%t*o1?JhlaowrRF1p1dvvOwzIf6bt*-|R7+H_EbVmDhZ*}M-6qX*Qf^wwUu8#DRj_gyL=z%Wx6tHk{y=2m zeIEgFw@QgpU=9-UJ`&L98z0Vdx;oYgVWZVuVUiq}TNPK*?ASPu$0ZAv@ZxeBNat5m zCao7hrKDYq_V{mM98k?#Cj^_HNxjm}F6CFrMxa6-b*x^r{Ic8`4Nj#=e+Zy2G}eHrKvihA3aYs>4MB>fl`-EV zm0zP1xP)kZ4h~#0gR5}g?G@`!{={h(*saAJ=3b^I%55thDCsr4{#fk929(a`M$g9MYH<~O=`Idgjs$+cN_(j?f z_{FKAj&Lxm0m|#A0W^OQBq=nqZ(1_4bVrRWw#)-T)y)s$vh_(9In&rUX!Y{)^ieG} zeN)>WwDj|#U;|i9l}g?$kAphCO39y~4Gy@SjH}>-^6^>8_b_wOLrtPx3~w*ht2ERp zC6&!(xp>mLyS0YPQD;7g&OGWiyv=*tW!zy2<|@?1o5@_Xqh#H0%4ovL89~aFzlGBo z$5NyTiI?q%*)g29kmhkSP&thX4P&|>Ot=bzBxQ0_6ZG5~_cR9Y)}AR08brKowI0 z^z{WQw+HDr5Ma3u=n`<-%G2y(mKutA+zDiFA-Z<0605x8!`iTpRq{Pw_x0`Ae8_~U zOjTzaKlAJwncM-Z4sQ;E4sJ?jw>SEAQH_RHGhT9U*nU#qHJ`Hz{7*=!;_#gSRmrbC zjQ@$gLc_W35=eKfaw=e{7NC-VrAYPT&Pvh92Yr1Zs{pE9SyNpV_NkyJBtcK$n}ac3 
zPA&Rzq`j7Y9r=&a>Ty%kPqZ7No9K!5vQidUgTKZ?X|H8;T_uXvpayVF!}H!zQ2Pa} zor381R6EVfV?h^Si&Sa?uR{A1L`0#;T59VwSS7zHkFp4lPSGX~zD1`j;?eEkw&KO% z?+9&FwJn!uS6z$WF~`ct4;vzxgY#wBYQ#AuztU>;Ghk!t0h#4#3@h&7cc+Xa&OfJd zY%EH7@!mdXK<1OeeQ2y~EiOzKz)K)sc*v-N3t3Aw@T~j z&DY4mU+XaWaP{vg|Ll}64^_Wzk5TfW+;oq2v(J^y~XP0$j9hAJuVC?V_)-fdvF#@{Ui|CNc3GL0ANOIKc|VpDN%|8^xIvo; zkiN_!2pIx^GUaa$z}L65<|}}R41LMW9)aP23M3gM7djo^0bry*H9sJ5>42I3-SI8L z20O#TCWuZNIR5t(;SR|b&Mqn|Nwg?0{#J^k zzv&H}8H{RaU>L|yh=C&;*&qY_I_Ls!x;Zfg!0a|s3L2ZP^rX3XGk8aoFW&~(JZDa2 zI7|nwr}IXu!w~wxm=BF^-erfaog5q>JB~jI!Z(QWo`@i6wOI1tV?dbzJkO1RHXPC; zR$L#7u8^}1`jWbOVk#Id?@Cvz&UKClQ^$k2!~xKpFGMb~yG6aRy1Nn8C{!8w>NC_i zS;*u=h5x1#0I<^~5EJBM*OAkSliiQtqfvaLK~|c$X(@JzlxZ}6&Hc#?ZV}N{dc%rI*0a|K9YoU%>dU=W&sceR4BM1;NiEZLPwN?yDM2u z+@*96#LL$*7@UERJ#u9dR~)V7va?cgnxY+kh#KUOUUoZ<{iG2zyL|v9ad{jU8jeA5 z{cwUe12PF2Zg?01h*n7t33Z4lA_!6Bi;^hB#5TXAC6VPsMK>W}Cf6lq#l^QF;U-KV zEFyvXtCNIjB84QCksEh`NRzQiA*>|cc>rT-BX>lGB9$s+tanfj4Njs>G&+(n(p7n- zjNthAt^gPrXW`_faw^4R61l)9y_0kj$hixGP2843E>G~(10YkCaOp4{p$uEkNy4oV{ytW;S$fTSp8z*TAGj!Gko7BYcgtvNa11nJ3#3GhjB z$H&uJ({@|{!r2mj<^$t5{HclrW_-g5iA*IGqe+M{56O-=TX-%5wPiGd57nb`RqeU}MZN02=QYE{4mw%gU%rmu>l4;(5Wkmpi8#-x;>W+xMqq3ciF1Q;ieG|L4`XjU zzr0-R5h|s^rr_2Pw(j@>Q$d={KVu(uL8R@1DqhDy#7nr#64G#*IBAB7dy`luQkJ@K z(r7h>vw(k&5l;#kfTakjxOrDZ$z&(su7K#`5>ydeCjg~joyi7E&Jvs~lrmt!1gI38 zv%8{UmId0KC1yHVd>W8Wp29YM7_ny=>!f0DA_`oYV05J`#NHF}-9F~&S)+#~Pfpve zeRXkzJt_il?asl2HNn((vVUF>hgj7@;p>Kk(yDKk4K@AiNVfYUw}Hp9xXd;S2<#sN zS=O0KvkFy8g5_Nt4g)xu|5z2cp0WZ9y+9T9#iNl{K3YBWl64>EK&Xqik;r|`s1vj+ zk^*m1oNWCD?Sk0YQsI>%WDaOez~*@XBYgQieF|7x6D~3LqL6sVm!#QMc3*5hwva^} z1#~RMD-Re3BYdhh%~+ZZ!%&rC1xz47{EDxt(k})I^uL4#gDJfO*$S0bSsALdzK&a* zY)3ac-u+qtq5CG#c!)({>@pqWd0N})Y~}3T{d>TLB(@N%@GLw-lyrr6mv2BuZlfr7Vy!UeI8p+_BwRe}G|41UgVh}@gS(QI42U1 zn(0sgT1&GqZ_Cd;j~?_ZJn0HsWeBOZPzw+OcQG80cy-u7SJv01;k$^%fH?dUa94L= zN8XWPmrY3Tz|G)TAu8`WGqhLWG59K{=^oYk2{5!<0irmEFZZ-%9I5PL!S zFitF^@OfTcnMlPssJXFkEY@Nc1c0`l4`>e5OjZY5KWejJ<6t62e{12PQ|%WHb}@IB 
zz?O`88ht5F^6W_bQ+nb-Hb8OEI^(nB?dG~Ac=YEh4o!Dvl=IK+EN@52jYpg~=QX%< zOuzV|($|^e^(>b06igLFIxq+_B2ryHnhKSay@^6^@g78!$($W%lVSgu?%V6kJ)l#3 zUkUN#AMGUNyP0_*(c>D(+ZN1c*(8F%0V~eq!=}}+gA?(~jmBd(BthAY&o}QGbDKK8 zt@tt`P``7%FOPf9mJ5UH)cPk($kpvwY*~`Tv=2K_exSS8W{z%zjc^YpF7vYVQc~o& z#^AY#m#<~E-iAUv$xZEo_{Cw~!oU|wqhu2zQpd|@Ak;A;RI4v!p;Lem)WHmiMAKoO}?frStZlQMyeC zP}{+;yElxD863fHA%ZBgNz<`*=mX>9aEHf{Yich%Ze|}+zZg9F2Km+4kB4J3(1$n? z1+La*drNEMvnioN7HhLu-e|NFk=wgReb)zAW7>8S-Is7rYDTbXa0so7DH%Z9bdh`^ zt4WMo2oQL1r|h%OZpW`QM{qRf;@RCqlPiNF$^pmeLv0?D_&qL3*-7QB%lV9WUJ8}`C3|lP% zE(vU!B2cB)EJ@fb5W)R$Yw<1wcK_hbVowAVH(A@8gd`i+chZKD5N|rZh~DB! z>>##xB;cRa`2e;&%VH=$VRoN||< z#k1%xh7o^O8K6EvNsl@KaYqD9af1;CPTI2o0=g&{*%#&v_H48Za1~BieHRnH0ie*O zxdvM%p<1M5q-tAICTloGi+}_5qe!v~36@%wW0LJ3By2!t1>lMzxZxTa5S_|0m4!3M ze#%|Nk;hfMdGhfVp&vk)ipmmiaGHWCy2VNi9cYa$f5GR`0@Ns4sU$NnG)KFOio*uX zVa*8wNftCREuQzhS2qf&l-1{nj#)h=&ZdGAqhv~_Cm1$E)E#(L!M0vM0HYn_lD$V3 zyWty!B&b{m%zQow$O-?&%H1(TN9hm)ObDAXmy{obhdMlomjL)4znn!BcR-}O5;NE5 zH!~!HM9;cbqr`{SM6Bt@=;*q0NsPM-8GKmRk2Gxm31tBJbl4&dX5sz~6T*F56=2ub zlS4hNZv;_zmIpq!F{>!wAKD$A9LXj_S+P38 z{XM*(qsmBBd&8=C^=$Q>7q#&A00q_fcjT)9esVbfgf=@f&d(*e*)U`b7XB4ML+k2V zug7B|BC!|@&iOj1|7>dC=7@$>W_q1d|MZM5ZUTo3ow+xf@A1w|;Dg_AyuG};_?0}{vgPSq$ISjD^ZTtKtk`^g?9LERIHebY)HhA;{eC+?_d#D)CmV;i(!s8RrL4ZenU93PE(DrOPB zCjYJ%{zgLrps_QRIy391Iz&z}d@Y|w92`YQ$}tlrE?FYKxru^4S0QJ|RZ&BJO614Q z?~|iJdFqJI{4nyyf1}^@DD3#oZ((BhFuEk#7p&8sHmA>=I~0uhIme@Fjz++d#K(U=AKiekp>07X*oUU$=nKsv;o0 zM`@gpwhyV?#x^_p$^9BnfiOO*pq4rui6zEdW?*}gIkrvew!o=)EZGP?rho|P{MPLt zOp@INimwR!ULyo7w9C`FF#LH(RMnR2W6Lc+a?X9~q~Z$JByWVV+txnz;az2V#s=P((<$6gvHm3A_vU zX6vG2l677hEQhP!8SX7nDO*#Q$Rc}`_;vvYVzEz<*U9oEFIFv9 zJRLp=UN{+4)*(YlhYV~Hs{U#ftO*uDevqJX0QLfM2Ir4K7mELr-GFduoG;%=28r7y zmC9x)@bajG6(8i{7Ur@SZ)67M+e3*9UwAtB1|g6YFJKs$f>DKrDGD`!pJ`+cgY6eZ}=6fS4+U&hJfWig7O zvOW9_5gMdQaO@eS%R=8L+oPW|cCTeQ#x*K)faZyG?kV|qHFBugc+tUAgk~=_+XPlp z{>r8Fk6&zTNi(gxwn{@fEw# znETBgbL3LWA`(~qgwYRwjqQ#y1Qug73}f})Lgg4ezs^JQt4+{}R(Hh=z$4roc;iAH 
zl|4X1kCbyL`DB{O@>jhHhwRmdlwaw`FLibe69=DN?@mSnqxvj?)L`f%eCy_x4PPh8 zZS{@^Y2ayaN6vxy-BFDjyqqzN~xN+9o+o4L*@Ij+ZVY`$=nkgOfxRc zj^kDGD3|agKb)AS__$4Mfv6&iY0zCm;9(3=n*QZ#e>}3AzlMREd95NFAdZ7gJ#L%@ zsp|6#l0TBx1M|b6-&k9x{qzFsuE-WuP|CP;3-no22^5haMmWVs6c?9}!5xe%#BZE_ ztiWd5k;J%H2Hq*De6X6XH-InzDg7GC{h)^pfe~cEpHv}`o{xpg2twaW#8PYIe4-(8 z`!l-0DXV1zgovXTvFQd8EkDsBFo&o?I0K`o?2cCMmiYUU90%;KF9lqv>`l`8>`VN} zJfw;dQ$;f&l|RkM`!4|CkfMemT^?&qOj1R}AP=QHIBX+O;Dcv@R_H4Lyz<|?WFi9b zh%^RT@gh<2=OAgsnXt;PWbl4@dG87(u_C^kgqCm`>%c$%PF2I*l!n5YV{09S7Yr{zY__5!gM@`xmr@v*7w;GQG6UudPN4n9Oy2RxnCZd7 zSlNbci@-A6S5DF#SS<=-oZLD7BsUSltvPUTU7PWp9@UX_&)k09#Qn|C`mO-rTVc#kta9y~A5e)V zZE5?=XI zNVqCYVyTj=loA|}ewEz1@85+Dd~Nt8?Zums1x_}a+;(xASsXo_bd?ow!)D8e0)G`^ z*e|RYUJ}*=JE0;c4G4lFQYEtgaTSnUu13VEV#i7SjyR1(be4dbD4<@o zKVGBP<@ZkfFYd6|sj*|`6D0>wd(}$SNXCzwlasa19|ko2qaS-E5SRSy0&TGCZ{0V( zK?FmL2aczgL`X(zg{e(ng*nbtX?NrY^$ny*Hy%IKx%r@P){K2Pq{(` z#|lm+jwa6LjpI)w_YequI&7cqFrMDwZuSCaAQ5KqMb#0K`2>mG4_1Ba5c7uSGR*Q< z_N&zL9(PST4cK;JVfp8RSY)4{-`Hc-G!07o+5$MI7qYH(_U*NRq$$4gv@%W#?4n2W zd-#vlfRB`!c$ze6YULBI28E+TfuiJFgp!)51^B6b8Lj>XRD;xJwofH>*8TM(ME6b5 zThMLbzfYopDcW*|Aav08xpCrv*#fiTi3z5g+HXe*KK`Uua&?-*arhL|8Uq*b~mf;aT$j_(Wa(t>UQ27-X^hH-a+%E$+<6*1- zuY5B%KWs$ujSBOf#(z2BrLZ042}NI=>Ho#Q&f-3ciaDSmexNIe%q)3c27lf<+u-8j zKtb4`^pYSo_lFLaQAl>NrA<~i78bU3v>7<3NK zSL6u&9pj_!BgsH9_&7>_hKVwtM#<+lY;m%Ah?kUD%+ESysraHXkBHvl^ObnYt;%aiH1f<#qjGdi&POW!Z)BL9m^fyeWx z6~Z2qYMgX_=OW#Q)_0jBA@m|=5E1n>_?0#k?8An!H`3hNI!|bBfXZ?xv?)LmoM6_zu7X#^W~vKGl1%wv$nf5#KdmlCsh;{xSO zL_*dixkywir%{e^gdM&XPw0DO=qaob=ywh;J|oX6S{pO(+-BC$v55FStK=W zO%LSFs)PDncb$4Mh`@=jqEaQ`*IU!x`KMWOsIVwoZ~S+&V!UhZ8f-5|05bD=qc|aM zsv;@P($P7JHP6C^ax@cNk_z};=|}Nw_rQ;it_RcgE_6cVUaJFc{=sJkeFGc4s+mtK z)CxY{j>Y~YNY8RuzjL*C>vrr{OSAP&Yfz=?#k7~bZY<-cIch!z<~gGRf8b#JwAWyb zaqU+>+MmtRSR4D-OK%|7Ns&ycto2c$5C1@=z{~O8SM^I&gp{I?@w5o8W}*et*D^9zhrV80#1&XZc) zIT$7d%#VjIKrN)GUhHI+|NA&Znii^W$EY>|v7hCpd^?zbcpdpG=*c6y>HsEa42Nn7 zwJY$x&T{o9SChLHm;&ARW_3#q;lr;Y;%4h$Z-EjoUQVmWckV#!svrvEem~Gqezr@= 
z7j4pjUsY8iGMQ{6&1@(JmI&&Bc?7?@gRCX~N+Q^L6`H1~^u*qm|LK+YY2QztbIQh7 zJ--Efyt|66gpPwzXH~swKX9fOe5~jfp=w*3EEjbJ|7$rS-RW8mR#zfMnE}7onDSMf zcYFnp@tpTd*|>Tix8<6)uA+8Raa0eiHo*5Uai{L<3OP>o+Q(W3jedR0VY@AnIC{mG z8OHpGEz5ICp!rq4&{_7NvKjVmwG&Ae!5j@6EC645=VOjb#3tSH1iW+JTYyFCyITwMi{oeB+&vwgwPr4MJc9Q8~e6X-v}? zvdvFY&NGOn-mTmk6{z#?17qF38DXE|X)MMF_}N$VZpq@i#tJN#(9OlqlSMF1V2z_d%_9i+(-l@=8&aCpNzV&jA}B z;2<0c;N!qrx!J5}o^S8`amZ2aq_Ej=?4EDa%Je7rgTRH81uP5WEddP!oV}n6r2sLj zAHHklK!|(H(SQpsgkd#uFPGPsoPMt_yvowVY_ZyFv1Xa5bFa@?N#aYcoLzp?0?=1< zWK#+$Ngj~^0Ow z2RAT1#Ah!sz9Cl^M*LzkGbdmrM2?6CbG;;JHsrYCl{n+Pw$Q@8x_~j7`B?&k_O;{+ z&BPK%v_B?4Wwgr=Rs>*$Y+ECD)IVsWoJuB+*n$}7;`hRr&nm-PpR<&xl8(ayK-Oio z@wh3oF`BZFa?0noTlsl zytuOfM-SC40fhMC-sgTu-JWi$jS394dK~DRU9?GW7=5aN z!D#R@I!fjD_2>XQK*YcPfeV!lsLo-9 zj1~`BJ`P+5w69oo2pmHD;;XGqi$?s1Akrza@6#C&>U;q6Qwn1yuz>qMLzm2dIe}n1 zVZVGJ5n^y9=nl}c1~~sy{!7F7zoxxcC=uvF0<|Z!15}QUqBsQrm`|U69tKAJ_lk`; zIi@&L8tXcuHy8mJ`FTQ_D~~VM?xW?~@Z(S(ptm$8Cxe<{OBA^fGc0fvl5p`CoDpCy z$U+tjl3Y{p5i4M;m)HxOun>#eu=V?fgodD8Ah`SE7q6!g_D#J!AgCoci&(!a6k(`d zPe8&Om7p%9R%akpUvOzwpu}qywEIc9!*ShNkl8=`xJH>R-bnng=aH7ZWy_Ya3GmE( z*Vt{qn41%CSIy6x+3gF+`gtx~#F6-eNN6<5)X!{c>WCPz52mJrnrq*9N}~-&Ec~K3qdsnK)$YK75o81ggCC8C=!eM6lXR7omL8kOZfEn^jnc>3 zymrenXSsEmyWGaiV|OReT$E^=1=}h*L_rl^NuNl7pYY+BYMJ=P^t1seRR9M$Bw0?wUSWMI{)K$ zF)Q~0qyo7$2}7z{-hSskwRmvIL}7y1l6{ot=|G+7$b_Z7vkqFF`xBMfvw*qdu{tYa zW9~bgC(90ZUGCRMSat7q92WIC>kj$sgh|d)#i2>^li_HD_F(*?wyGwRL`S^%u7T@N z51^XVo%;SCoL+r3jsYCw<|;u`xKf4M#AAEm7?rt!@I=`Y{wBr)(nT8^8c4XRL=Yv# zY>w;oi=rOiM=r*W<;)FFgx~&Rfv*HvfY}HuaQyuS`0_{pNZ%;^*DLG4o@Je6aNW{+ z*_tNg01&N))}J8BHE&6Q7Tx3hO)NG88(2{9jLgzq_9qSYpBVFqj|H5F={bkprf#-q zl7Uc)f=?~?AuPB?IZ9<(n1dqxGw6S&OKjZXNwFvgouMpTi5j5At39@v!>-qa}c-ba98l^Ku`8;Hr4XmT{@};;!z07Va;g?pG1q_0}6mv^QdFHu0OdORm&F z`X}g&pkGvzd2;61*}|44;LyQM8$iBHQ`xI^st9ISt_>r zyd5O#6-vONjmf@f9kA@ga3I#$VdAR@V~Y`MAe!uUD0)t@Pd*)TQF#c)dB4bs_8fVojXRGSu+Gaf_>a(QC<}9!V zUG1(D7{+9b38FbJnICaWt*+u%<4Q1ylfYA_q3(_9PQ@J%I6Xx@z&$+b9v+mh1Oo|v z8V=`Jv=4c*K5^rhy%xX!O1slXO*c)ed(V~CFrdk 
ziun>puZh}NoVl8S6Ab6wBH?fN2D4F}7*Ksjb=ZlA2~O!S%aN5o#*2Cz^<-gycbDHZ z;`JkQfH-n*RB7-G%R_l##@7Zo2mv5WQN`DlmkPjb_-57?fTxYDMC@?jL9_8r;0sw8EZk!>;3A&Q%OKKO6aJ>) zjwY|W4OwEkz~%;?R3Hg~UgL6yP_n@aC+OGhH(K&_vH~f>ijXl8(UaI7Lk;l2P9lM} z*TDZ`V$grhF7N}uvlQYkiZ~#)2H12iT^#2GWZhHc7&i%Z0+d;DAknrX1J+M0mHOh@ zW=AhcW0PiB+`eLs-|(NcY_i=Q#Ms_oA?MFYbZTgF0PG;?Mrs}#^7E)VCH|+nU)02& ztEzsK%Q}b@Gr#EwQBz$^K#)u(of7i(Fw>vk4D7Zaap1oZ?y19m8c5D>9&Y$SLVUJ` z?i>++AR>FOE)3{wD;b*+UDcP|e?2eAh_#17)CE5G2mI90dUS9aVP$sjA)T*%pqZ}+ zCvet-ANcp=ejsciCm;h4Ni%r5DpJFhqNj(ukKO#{D%58o2)$H|I90o6$4EG()hVip z=wT@HY~xyHyBB?r*G+BTEus^2Dd#-8uG}Y2?8*1k}ME>(J+u+ukgg=^AW6yyDq-gKZZqX5>%P+R6d_eI9r$BMj_|qS# z&HQ7NvF(%4AV32Lr#QPTS0_ZS$aitL>@Ec5hhX|rsJ==(ijoz~XgPSEQydSMMgd?j zE{*xkL>fq_&VVXVua&5&^RBK~^N%f(jzAh878w%QzSP`wX{uyZ0C(X!TNoUj6RmvR zJ(I}B;Vvveqei!rp;7Hz4T_+%>P5ne&&81wtCN0O90RuqR#nM}7=|7{Jj%HwYe*KN zh=QMtf)72+>@#=p^AhOn3@Qlssnc?ihF% zB#w5&ea$%)*HDy+bKY<$LTt%`>mdRzkAfWn^Q%VAPnXP3-$=8P=?rtIIZjV&qZaxv zFyB(SMfBdEPm34;so6axoqYbUNDJN2qP-sp%yjZ!)HlGoO<;yIf-;3v8<5mWPYOve z=MC~)5(@4<%*Eibo1ALm#Td5q%1I-}=ln-q>D5XV21rfK$Tur^#p1a!iSY1LomGwF zV#S6osFE{TV;9sfyOsowRfFdBw-)Z_?Zlf=&o7=fYjJ2fi$kfuE91iC;PA4*Y5mcz z7z#{Q;2w{%&5;SFpYZ;z4wo-jDeHrYZ}2UnLd72%tqhJ<#-!xuo*TmUCB(bFhP8Mo z@A{OR+#6mK<%lg~x8xGMILX(k)F-8K+CADfXUjI-d}pQNW3W_dkM;%kg+>wOhJ!d6 zE2^ev1mfT2X2FR^`#k9DVUYZogJ(~sTYbq2|6@VJR|D0Mahnthm#uCyG&X8|W zIE8?%9>R|6|`ZnC$8sIQTbre`s&wfSe?xo+<60%vfxB+ zw3@MF8y!X82e?dB@8(x5%7bPo@aI`&aW}`0 z0HB`a1|PqMgbW>4+_^OHJl}eFX9k}BoaCGa!ki}2!|eLq2!RK5Haf>~5#%9{(8Uw7 z6+$GqIQv^o@6U^VhM$Z16c~{$<4qT%LONIcxWc~yq&OByUTm`E8Gg*Rl(<8C{=+uw zQt`sZpIjM3ks(Uo67{p)o}d{=%>XREf>5!d!b6^+71f&$Gs+k}B^wIDw_OB^iE+tc`gW&Cj&N-fR;YQeZP~ zpxd-L$kX9ZxlePWkRqcTMCNkk#JT89IYn2h>Bwnx|b**^491;W7-=cpAJmR$|4( zE_7A?yyifaP&9~O+%C`~12@<6INU`EOe0JaIV@PXEe?AYLewV32ijZMohys%uiG2g zG-ji0vvAG4+A2BgOQE*C*`}1+MuAo`y_bX?$#VIcq(c;6uy)`kbJW}gd#A+`WPA0J zm$`m(U!tYB2uyC=7sWMQbYCSh&A-TmjR*B-y*w}PhuOk9Uj3}=R?D21R*n{;G{&+r z#^iZX8IfPguFCJaXpPG70od9GU~Cz+Pq)}akwv|eJ2_$FWO@{`y7K>pA;np2#jO^H 
zFr_^ci-lg0wjDsX2B;>u8UHZ3GrG~Z!-^sf8-xG%>AYs?cn987ckzZLeGfzeH`)gc z0_<8%pAT&WO#CY?!b!Ij7??ii~?y%d@Z9E~W z#3#fDq$8CbIzA37*3keIBYE@bO=~d# zdx))R3UdUe#E!op?W5+AYSbGnd-qC8Bqq(Ixw;=Jluw3#)}S;3eI{=2|b1PNi+P!~kc$%l|%InpcI zSA;&;-=WLG_OCPf>Fw+61Xc;RZv7?|$VW7(v-+G*^8(kx(Lu0&g|&72lm9ZnnStmc z_v!+={90OTndV`wpU3_a@%>07vhn^R2_qR7P`(JyeY%r(`xg(>w3B?c7Sl#}$!X91 zl5L^ywdP@~zZQ#2tcQpXE%+udX2-y7LpwP zG*Kra;+FrD^DYsxM+`>mtzGtYrX=FF3ErKc9~&CQ5}5~UPIL7eA<8+SElhli^?}f1 z)b<1gXY_t%T2v4N*Zw8Fi2UzV*6Wi0JC4E`EWB(1t_q=Iy`aD8kFvks2^wIf@-gVzGs*l}+i zE3vOc_N+RV2dG7l<@&jq1w6&0>>fZi?nQ>)O>gE5_=qEncr4v~AD{CUl(Jb?u4#If zywcU31iNh2t>a~v0qlNlg$4XU@Efb-c~H?uL{2MO-Jccy;hzS73yLhuhH7DRN5E%e z=ZR>oIkQVeP>0ZkYu{RhdJiwO5c*jCLpJknf~Ui<&qJ2{(aQ)PTKZgc=1X zDjTTj=Fc!<>MpZO3%N(x7ePut!SZ~|k}`J!S8It*)`uL_;YodFxdY~&`Z|YNlm3cb zTSiL=QqK#~0r4pN%b5_JI`T zUZB9BJ{NXNf1kIe>mndm3CZ8D%aAkYu{c5?mUTq zA2hH?tiYgS*6K3fU(5w_N=3|~p6GQ2$Fo>`3?U8!3XW5QvwFx4`?naxfFd*1797kt zt3`(j1uwSEweYsh1VnzXeP7Z6*#qFjuzu1UEwZUC-oJ;mJ4hbJYWCb$3IV0}G3){y*Df@w(MS=q>+%}%WpyLw(0eSxG+8)rkw3YXL@G2u87kXd zJ8%n?9l?uDmKJ&gH8W*r&SHxnHG+tNoMKO@a^<_`YHg^DH$^D9w44v^@(A_jeM&jS z80OC2OeK_tE=?vI3Hh95R`8uSr~;~x=D8w7@jCh|w-G8bKS7+pn~Pe?o%B}b#L>l* zfbhKH<2M_yKb{8+k}u7zXE#+ebBMfdeeuuQb?g+{20E7gW;6-}W1xQ26V|WPeIR+v z2m4qf!1-JqwV{0&KELcZOaFIulm6>NupJ&R1p;U*X{g?(u)r>x4QCa-OxGZb6Wnzx|$;w3Kk@gsE7y| z(nVxo>*l9a{g-b}n*peUhcAu#Zl0D{>J+XZz27wbN7UJ1Y35 zE_W=3>gA;=+G!$=Lx0%xylF5l#3BAdBh6N173Nq(vDmtAD`>=Y)^&?{wF+@dLJ=4$`E zuBt%Ro~IDMsHnS*-mUv&v0%TRj=F63R0EM)J58=^|KUD_7mrfWPe-5on2$LRci}g} z?_z0$K}VUQsxqpEzp9I@JU1Y!1YWjokG87@fL5*B`_$c1Qs;#aqE7<)0s}~Yq8S<8 zEE3rEElRjz-?SOn*zal?vS~*}Z<#i?h{Rx;%+erm|Ke{*6(fWs81UGVnhj;ws#{rv z=_QaqDhi1JLss3tT9%DjP{aVIqJ1q33h$PPXuYfv?8MGPGmH&0y%}N3$M=>&;{4_m z_FECe`JdXm&G`G!nvOOAv#*{7@~t5I+p_XzHTW6_*s?;&*AF5ABk4n{x2sim1tGsV z=E^vm(W4{?v;q`C3>CLHA^VN-^^lB+n{LxcW0)54QW;(Gz1ZLfZ}JPfeue&hlr+#{ z5(zf!Dd`MakDsHBk;(a>F*LGV-VAMwj3n=4jI1S3rHd=>;|ha?GL#PyTh#55iqsO= zRBS2%)x94AGTfN0Ka^CTl!bkz=kzkMzgsz#(^kgA>sf*1_%rQ 
z0000GG=Kp3DI}1Ay6StQEtR>Qwcx8PP?ck20sp5UHJN_P-1YxnGaYWe^{W-D^aO9y zYMFM1AD$NA+46HG(0DK7GdDCeHZ1xw_!ePnb-ZZSq!KR8FfD`$_7v)iQ#DirsTed6 zzhjwLl=vI5er&@e+NEip*K$_Iu|l5@XlBzup!3kGf?={}zd`h6oZ|DMSv(Xy8iy|q z5fcj3s-{!%m|N@5_Dwgw`(*K9DF>H#FQY+YRWINMY=a==ozH-Fc}FMa1Gj6P$Q&W7 z8q^pTjM!gpOjP+42Pqv^v43LUDC$2X2=YG<1SEG%FHOV zneyakiYr^D9+4uK{tt+$kix*9W>w(s&r?B``@J5#^A)X3F*(CHNlv+K1P9~%t+BHF zYG0*zk1UqgJ7ZbGB^oKv$W7aN;jQ{!a+?i3wxns#SYuD}#NH%I@XkE%ZB)#es(BWS zGfubfj{8O@?X2w!bmISz3_u^T!)vk}7Swp374#qSEi_P{@gBD-GGj7W(^b+j4N9oa z!DoL7NS_DB<_-o0hIQ(Wc%1IXzIJ~)8o?^Jl}zNksv=pWR;p}btLeciM$ZBKy59th ze+IgfqvB};)@Xd*UoENZvi`2z+D5RMP2gz`RiRo<=V9M? z*X4i>ldoYF9$*8=YWu4iD1T*{rdh0THfrD6o3|kwDs78BD&}O<5MVfgMYsj0Wtpf* z5QRmp%rAB%3f%%N^COwKqclGQ7EfS*^fcHeCRc88VdMi59=a4Xn_)Jr3ABPy=G7m1 z1}XJ7J1xbrN2^LblE(e7(x2o6nHHiE{`(Iun0R~@lOt>aM^>I@T?oNkJrc9y^6Wge ztoLPqKpnG*iNg{D$V@?Yq$!B+h}NV&w#P_>JFRW4>5<2bWj6k1w(#S~z7aj`C7xIN z0n{*#?a@811gaHkj6H|4YkTOSSrJ_l7&oJ9=?>Y?^X(kaxg-)@N`xt2uL>AS159Mt zwM)Odt80L-{W{~QoU17UM*d+2ebMvxkD=U0QHa4y_E2}3lAXMEHX645x*KmGqYX?; zk;8%vw|*RA;53#`i@~X|VfnmhP$JypMre--vudePt8`{cUzf$D;R>&6!apZ&mc@`G zsCe3$H4eL^&wPs(-q!PP6mc>}%>}a|h>jUys=fne5|n^cTPd$g3o>-3)UfPYnDQ&N z@B2CPQP#O?n7({*gW#frW^X{{Ik)W9U`bXcy3pZPmyr}b@0l3;C*v+xS8X*7X5KnY zK86BpIyQdTiE&Um>v7nS&TeAVJLYl-sy{|D3$UgO>h0cua{c6=FgU`bO2+@exnLcK zLr54qGcu3*WrS&~l`IptFrl1MAVej1?yD?fB8d3PI(QnQ2LtuX2E7VxDCpZ|sD{Ap zH*!8K`I&%NO-*;6ZBb>@^rebMHzrw*jEP~iGuO@S%)+Br#ptWoBD$^U-C@KhmaQK2 z9Eirc;-bjj8U&P-X@H93WkCl%Im*&33_0@SZ>@)C-a)$aerNXiWz(lm2ebZru6*RoC7C4u( z9b$Hlj?!ivc!JAYc;asV6gRvn0quI8S0bBXLeu8hfw^JRR(QQ)DfU0bo9XeFra==uSYvOj-p?J_Y+I9P~`R_7t-AYE*ikE4! 
zcwCz0KA#)!yglg>I{_8!i#l$#@qUMz@HblF+&Z-mtFFb*qVDm;>Kvc+c(;O>FM&^5 zW1=8Z^F{S)M&ZQY9{9CizGYjTNUk6W@?x1^nGU4D ze$`kEvMKoW3w_lwBerFz3FDxxK)vN)TT#(W2vvF#*m+I3$4?j_3A!;(+tpH$XK_Oi zQcMVFiMis4`9+167WG7~BjSU?y83E8VZ8xq#ML;oat_X_J}y3sfsBN>fwuZp`QBmQ zA92x}nWm&K`1M@oTA#Y84nG;SZx0gGli!MHaq;3td!^f||47V`1j2Wk& zk)BV!BrR8j#JN>Q32nj{g|yN3Td`C?qeZd(tBqeUNuBKp&g^-gIX3fi!v2onO zX;VmiW0w;R?kQzVtzf9!S`|{TBpPW=kQO^kGoEd5&5O!xFG}_%YfPjMrye$Uy7ysJ zoK8{4OtFhzw1#sbo~vD(?U;{_66YDbw*lL|o;3qeOQSHeDv1_s@?v{-aC$(Gc>yDI zifMF1i!|Cl8s@ieR#a8!DRkA1{q<(Gdmb!%b+|3OPVci|$(DBhB8?07Zf!E6t0b>s zEu{n?8vX+1bu&IX=_O6A0F#uZ zM=nEViX>TGge8#ze!DRm4S>) z(?3LeZjAbI=kOL@nkt{-h_ExRqmK2>M2+2#tYI6%hqZv~tg<#rH|hPV^a<^((4)I< z_Mkz4V)Zom?U?s#5a|e~nO%%^7xLpD^Rh$!Fymf+g5x*u%s8XNP`L^6<3?lm3u{?y zcE<0f{G*8}s%y;+fN43lTri8>5#XUU$v$grQi|T{rXC!K-s4P}$F>6_3+{vzDdjL_K3y&7?DisEexE$J;o7D73GV=TA@KWl3vOq>`8YI94(9Ap&QL z`TbsqmY&=!dyu+;kgY=HT+_;du~0yl`|dt81zh70^pO(2r}|*y!L67Yefx2iQxNov zS;mmG6Bia5o1lq(SCiD|6}q#cWIdz+^3NF|0&byP7NcC+Fr}S=5;GfMih}(=L^XId zOCH`jjb!v#$Bw6oJl3wd>!&2U6&iqL3}5Z$C|!Qv;b6q(_;F74Jr(JLGiwUrOSfmx z5PN;Gufr|CXLg^tu|47(F!aebO*SP{L0e@U)8R<*BYZN;^p_u>0U`jIunOQcnq{)} zS*b@_wD{#X0;JA2+A=YGvs|tY2-(StGWydw?Qo(19rm+NBL5G=oRmye6kO07R>hu(?dMK+GJ~ z&>V7Zr%icT!c2S#*8gnhii7bJKKRhH#H6o6CMd-Wl9bJB6=6EvQAt`&<%E+$*Emr{ z_7*|boltVelUhvIXg2CJpiHkJ#$Z`aerlU{DMayjnUSHx__zJgTfh}3GrbPf2e(MP zD-#3XW;`ZcrEq-vi;zlKx($H=GkKN=mVC6K=!q%vt;Nf3*UueEQxb1!zEPjBfL{m| zKrl6#%3kto_L&=Xuvl%zM{E;sw%}a)jRZyT{4ZFS*f{%6_R|j7C%lXYInW|CbawWP zI`R=&-3PLCoN`z(>uGmNdevi1*NuW6^NNY z_rDv@b~=@KfDUwR-0%XOy*ermbM1!T4ps}2>-Lt==0mavsppUbutp7inT!J zx&E=Eb)>6D9SaZQCJ|3E>qWds22vux#ymneBwj=PvH-MZ+qiS`NL|Drs&L$@1r7iu zFY%DD<<|B^{!$9>~SbwNTydYOT{#T_t zdF@kImTpCWR8uY(LRhTFhbr-F7nGTx3>^g2Pu+fJRztnOvq!^}W z2CBkIOoV<>oK%hA_&f{9!=b_L*Ei9jGcKtJtn(ehG;+gb`H!Wa>gyt(rA;cb!I zoPkS-I3addLwiQB-!&FZK)62!nbWO|VTZ}JgZWan*UMNRFmo*1JF8hu{%;N%Y}IaF zJ9|Bd6#WT84R6RJ!P^p)r*mcrQ!^;;DlQ5##u!NIEoTTqGy(Xa&&o(}2};x<^(6^G zMcvRRco63!L`U1PR5^i;Sl{2JQ?20f;NHSA+3CKQh2)~UcO!O2F1 
zpcM>jE?TEvgPM}hY4Ej)!R1=y!QE~kxT59jS-t)BvmTO=Kqdai@`2+DMc$&lC{yvL zySAbC95B}`a2yR7l?SegK=Q+OG8x^T)7b)-5dNNuDG&tH_NJ_HG5LH$(2gQ~lTgvL z7}eY)kcFbh_~yIUdFQbtegnyx6Pa#9Jds=*``$qWcd33>VqaoV3A$i-5m2(STBBix z;VJavBIh+jkAIBXXKk)Hg2cT}XNrMKYXipAdLZY0PDbjrQ-{-#ZNM_QHu8RYxtjD8 zEDbG6KIlkfX$EFOwY$SZlIwJ#JwX*r#KOLEBZ}QG1y^1&@oCg=gxlK~FqV#d6gKzF zkt$ABW0u*c5 z3Z#nIG&xkB22(2%FWPaY!?Xgl^1E(uZPDQWb}sCwpPn?Xddyq`DuDR`kp&4ENbX)nJnV)#BVXP65N&KH+%Bwb}rMSXfxzv)pULkdsDGt00D$W{}FC) z(qllH;Uj>lc4$6cs%qeWTUezn@Jocz$I8rUNPwxs;|^DB(p^&h(fG`dNkQxb-uG!~@KHrKnu1~-yFZNaCCj$Hfd(xbKF2ND&Cx^&1< z;oKnse~`F1KLC(HdweT3H=M(QMvh%Nc8aSQy~Zh#GtO2&dZS_vLc>4uA#wiy?%>X~ z)1FjvogAtvgNtueW6kIH0u*hXZMh%K197m%?r|*(*8}_{$X1oZA>cu7=#qt|n-y8I zsu5e0%xh~)#Afy~u@5Eyg70(@16FKen)b`<S+NLfeR?N195gI%UChj3=d**&+Q$rpBUexX#X z{@e<+eYs8nE*N%LzZdnVkdZES)|U0onGC`?-h67VD-tUjoUSExCKBQQS*clOf3_(L6|9Xkl>mO$=8;>dJz?#y`=cml@?NM-}W&b)$+%DuDzK9C zm3Wv*i%363!yU{yw0_r17c`Xd1PZ5P^%|E(c8!su-FKl^b;a=79(ZU_ZzO-oUp3Yi zpQl=))K<@8g&hq?AJB^1{L{T#9op{pndwFYe1I6>l?9f~; z9+2m~8d_qsj)V<#-KA#kA6;jC^NVmV6fp0o;lwRXsMbU}8lcNeR)UZk$vRHQkw&3| z{8ac54TzR^BLbWW{00>Lv~MOKb^efQOm%IBKa(zX0(4Ah=X0I)6$WbyiG#`dogU+B zzs^OHuhtnn!u=g@Bc6$*rBNE{23%xtlZ??=LD=;v(A6uHz!+sl|Ch^LQ^BnLS;$4= zG`FU1Dji(epqBwoWd&$@N#{TaLphE+sD!wr-RaBofVCmC)&N7xTD)oR|D~l*(fVXP z_4HAE`wzjCz4NU6zcE9Z?<()PZuppJJ1~08TRVA|!HZf*Hx^&Wa~>e1K}GRX`>*T? 
zd#EBpnwzPvy9z&bz#~Z6@it*5$`Pxj1~LQ3AHaRFQ`Vo_WEAAeQrkx(;vAf)fZ#Jtfm*R5xDbaA{79oY9>jq?yt`eAO~7w~RYe`vi64J1#Xg=J^34bdfZdZD71- z%ukA;*fMaG*1SsU?CU^zNSp7}M!e_y)4F7uYUc@x-S~1b>$nxM467W*Y=XTO{6^+@ zC1y6eUrW84*V*1Z9MpLSK^6y4tj+Zy=0lZCR^^`jx@Wl&b&ii zc}D?hQ37c&b=tXb59}R0MAe2Q-M{leQ@LIX{otm)9nIV-@K+ZMkov8lpLe9J;UiP5 zAqTyvae|)Fk#*(oD2I@>#96bm`S2>qQ>e4UaS$t{F?nXbn@!JXjaG+#<^z1sIP1@P zhz!BFZNs!gVThF2pD4C~MuHyILw^Pc%TQ6*bF_@b#=u7xT+yUE|G@b+<&tw0WGHn@gPLU=_Z)!D{5d-5 zGUW>Kk^5>jJi8dnS6>btDC)UCp(?AT-fUqQ6<8@Ta@1B)vT9BtBj3O)RJkl8-B>B& zAT^m9%uU%8!O4^IOYRQtB=!+P)m9`eGR42Hq4t%R3c-KYK*Al*o_CtEuSlri!Rjym z@dK!m6S27;d&_8KmD2wXQlnaSLj=36X4k+O**r$-2=7_<=?q4_V~K(-Xjp5tGc2Tk zCZbYiXOda7&ZKZTVRr8r(0iFc)9@4>sj5utNJTIo!7W`JW|k8jG>akc=TB>QuMp28 zf{YUdy6*vx;|uf>|BV^-_&=k7%IbBbP03r}_73<1WE(&1gz<|kxn@3ao<-VL4k_CY zGEq&qH=EF78(|w8YSf;?Wp*AD1yv}lSl>pm^iYuLo`=#W3#QYBhFZ}U9nyQvoCEt< z1+~a|_#sMc%ME$GdXia^EicCx){AGV=)jJ*dPD-1g|%)((UtMT`yhPHPBDDI4GTsU%+vf9tOH3&lw zmtaX&{M|wKMA(?`FDujMmbX1P_76LWJRJ}Nl zQ@~nQTM(mW93thHHy7sOU!nuBzN1RFE{#9C5ihINFhJb#?Z8#Qio9%nuC4E>h1!hf z$bbh?1tyhrG5N~=rtOqX_rOnL>ngZ@%`D6H(q*X@2Dwhh@eeECn_BHr14KJme+^F&#{NJ}%9>9l zCD9qxaoC`ah83(eA6*G@59Oh0M8Gan^lhq1q#f~a1baQYYq3c@u_EH~BT5X~P9}YA z|1jmO_BX<*GB0gBNs`0v6f-h4q4}@z{&LK>bX(Q;El#<}$sA6U@--B}3u-;}w_os= z0X_`2%OUTANrhM&a92L>r;wR}Sctv&>dAWPdl#3BFD}E%WAQ%8MiUZ=eWr(p50egC zRZ^m>LGxi>-8k{U+1EPz`@zEI@_g9sYwvePi9zzfNFdo6oGOp{@&sbO77oHmu=}i` zsR%u^pu7kFy;}JLkTeV}jdZa5>sCAKea!;nCVwre@F4^OVM;y;47C~!`@$H(SY&O5 zq+P!35J9!;KWyLN3RA?)GfsDIFxisyo#n$6x9l#-e!!R~$3PPZ|K{P7;cEH>) zFqu}r)AFZBm0?CRYvVkmFUU5Yni;8MQi=iPnGmSFh()i7_<5vxY=@r;?WV&OaV|@H zCXkAR`SFyYDnT>F2E(>=$-|khF%D@_ZQry5BBv$kE;dDFrxG#l} z!nZ8@%z&iVl4BD_l3?=vnj{tEyGk6VKLBF8t(&RdO_$Kw8#ue8fb6?GaB(XFy_h4v z^s+05qGfDl*fpnFH8&n(0s``ofsMt9FeSMzW)?sv|W>mhZCYQ?%&{aXCYh>#9v>njskCeu5XV5 zQ5V-VbdvrhbrkMGQ&M~Z{VH>@0e{6Dwb;xjS%H(K!!h5}KO`t-Ih&`jGXI?NOu&qc z`=_)vR^~yG<1Jdim@xwjFeV6(gQ`EnofmT;tqzxvFQ~WpUy_ILPJ$ES+8HC4@Q-4X z-NHQmmZqsx0?b;bo~LW*2p33q)@L?2ivH_!rr)K_#YS$Jv{lzrxGo5^9l9dh2g`-B 
zYH`Z(8Fi~!jJHI}uGN$rLlmD1WH+pPnG6pyRhLmO$Je=9wVE`|~tY?P^z*u-(I0tAV1rKE8+?#+lEXu2mwy5Lz+Yfz0f+0ZDTKw8o() zrg%UEA_|6xel(s9Fhx%MtCw)>)=c}GBP9!gldeu^L3-

    SwQrMCzl-fP<&HPASpR zC@$8HU03eyQmL1PLi@{Uxeo54cGADVcKmyOev?#=7)>3xNEz{m=%i@t#Fpbz9~x6# zh0G^9N+(De>8Q#9)tBKGkwV*sXBU?`&>3?N@m)vBaDhR;5IZB7*ay#rI8g*&Ptli& z8?LK`;&ZdLJa**G=U&eg-8v*Rf+Vt1Y=emA%JQyI9;MTaUgRtB!<3LEJ5)JmL7!86 zzg3=CUft$T0)*J38F=8Hf=)B;3nX%PP5y-FC+%&R^C+js6!@sG-fQd9l{p=9TQ(!L z(!SW%6QojZMtTruU6_cGACc;p!;?Cz@Sp9jmh;iX!6jL0cbikzb|W8l;MX4xO};9V zz)?TwdnR_)6OP}MNpZRFh2gz&VQ`wny5hnHd25e>75c@y0VOzeeuxe8zU39(VMLNjUScDc}XO{ja-tWNDuJc}B^WG5v{Y zrylgATrsp3NH31Y7dxHcnvPw+B9aPuT=|A*L(r*5(*_3tM$yUPFggaY>I6YID+Ao$ zA{?3YC$!zWMV+F7VN}0j5hmDwkfu9p_EtN9UwybM%gj zZn;;WkHhwA(tl)wp;W@;l+Bm{cRAzP9IXq!)FPZS@_A2KsBYzn%gU@W3Qblg*e4ap zw0CmkoH#4edKuCtn3;e2lu_zB{SF{l+yS5CO>uQ0v3vtYdWX!zsF5yQc412TAeCc?mGTq7)$DV!1fLkI-Uz`$zFkg} z0*kC5-`Q`JR`j7zU58GFHJRj;sLCfDVaTmE*jo9ce!xQ<2ixJm=Q8t){tR4zx*A-u`%;(B_^;jo=L@2yZ)E^9BK@@=&^^@r`F6Fl*_sYdSq zeVzWb`>W_r(iv#~iYOoM#<$t4u$6gXqrAq)P-DxCZMff(y>w;>0VN^)c>2anjkMR|_9^bth&i9k`Hh|NNf2?@WwVzR6eIJUP#g9hsPO0(|-uNCO zJ?k1`)*qrr5;kmxP26b=M{q023`8h*21=F7GV6{r&+dP~47z4u6V{I-j-6Lc<3}{d zVT;@IY#LUHHn$$_}raLA>6;bO(VGwjcJxgwzq2}1;SI= z(6C{2bi7PT64XlT%W@Vv2Bh;zn`f1~!Xf;*;B~ z$q>XH-X#HvP%lAZMz+BvU z?(~4H8B45#W(#S*4tBQVf8;f`qIrWnhU}9WRRh(P&FDc-DTm;h8@sH-emLOdA_@** zdd<=PlMP^T%H((T7%=hh4b)WN7bd(h_j=0}6_?uis9+H6n)w%(I^zME)Np+z$vC4; z^8+&!sa`z%VPbncX7N7>`)g`|kDry6be2AW(8Jsr5H{4F6|LOAkkYR?o#4HFPY2SN z|EYqP60fl1A@VycU3W2df`qP-ufSG!Symg~d#i5j15G=yV#<%s!NVl$A$N8Q{gBz0SniseswJG0*I` zLTLawK*qlza-E$ggmT6Mu4yKuv+xxkl#WupWYnNN$Uq>V&q3 zWeLVUf)qilIWg$z3nz5}o5J`(>?SI-4@tJku1FGj?i``lno zM4!C2@r!Z6>doB(uZ=s5qynC_>6jG50hc7cgkWoDzv~hAN^>gncN%e)vw=?sjI2SW zIYoH-D$sGN>iOql)qRm$#b=F7*{aC(A8EsTBMlcFA^Qc>0tc^Y(VN{gB*^B_6SJM7 zSl`E+HvJ&&0;i*7{UCD6^!7vCI+I&(_W~Cm2Lv~1dJqsez$>BfMG=Uy&t$>pYO3^r zl7J2$-%oGfTvS11n)Lg}*AuBYOs?nGFpYF9x7n2GeXYf*i`TZNJ=4ph_WLI^F_VRk zCp@sEa4lu}GdMlsl;1vAroU@>aC9L!>!|D9)@r_lk|o1-&;OJW0?h4s;5)QKku5Zk zN1aR7z`Rarv!BcG^$_P3IDO5EZNLy(@h8(09w;@1cTd|AH_vlhf77GK45ChDtb2LW zD_6*hjO_=81=mCl* z{ij?_(L4lm`$5l%L6>OkuR`ZVncG;#vBYvCI9D0 
zIiDzc7uSAS0NtUEl5X4J=C)qXt1P1&rb2zRL^LU-$p+BH_T)*wg2#~kMlVAybZfj2 zH0m07awofP?vcrWS4mwxLkKMld;|CeVsvlYbdS_hTu;l`WtvBTPuohX?74MAQGYrX zCiLi4_dM#$0UR;eC|j1O&NM|a^%3iPq(i8h7hZv_y!d|hA2K?eaHDoJuo&U#z2;|$yxk0KtLKau@*r8UaQp3eSb(Ruo z5#a)cQK3D9)hl1zUahD-Q0*BLckNRScrN)mh(11Z+>BPAh!s40dt40#RkQeXzfoqW z{M!h39%4B@Fhyk2Y#zy2nomb4W#m{#r0x(Xxl;wm#JraHG6mvJOpdbW%u%~j+^9M* zpQ;w9lq-87uJiDIFTl;1%|8~sjnd9kE8-DyxYa5r@!$4;ZSpN{=NWvN>EqO%5Qv&V zzgkNjEpjrqZwW&ZQa5dHO&I$u^2c;07}(oq;5oVDrXE_pUFy?G5kEFI^``vHy7k9A z97*TKW_k_OVAe~jY@%#rD^Wj@&4%0A*=V`5xFDwqvu)t?B+6mC5SlXW zz`{yeUyb}AB(5|Cu=Tl9pc3$(5VLLDojL0ungh6R-Z%>Q-f)7>tl$1q*dCtcUK)8x2Xn8?vg{dZoFBLsa9C2X`nfMDp`3dKR%yJz{&*I(lo1w{tm-EySFOu?YkwmSC+Y(2- zj3gUy2dObkqQo$G7(Fyhhpi)M~xqad&GRRK@NUdclCH!CowOX z{$9s0ptC8>Y1f%RYGQF<{Uj?e4%KE5i{n@jg@&F?FQ3ncy1iL*n{DqTOqoTzdhe{C zcvZP_C5!WQGR2wBUkd5Zn|#`*#-?W2lK%G8oXB4{>$hPZTTFS=V5FVpsp;V;aGozq z1ZtF2hdRsfA-FGT;} z6kf#L_(gQKPF_4|p)czvMWwVR9!J;G#_Fa~2%k%0U#h0a)sarW3fic40W}uolO7{l zCptDU)&W=T$h!s{UBrEdnU#loMcZ7 zqOgspL1ZO69(U9LOtxF@>;nIj$_s!4=tUOZt+)4#xlare`$yHJS51aGhu?p8xI;C5 z&u}M}FhS3w*Le$oD_!Wi19(D?n6q5sU>q6n&yV#9>Nmyo#;1a|fM>nh@O8cFp%2%2 zX+qPZjlsT{Cz*#%?^7mSpEls4f(_1v?JjTmPJrig1YeC_NDMA-=<0M$&6P{fjr6(c z7I~GP!vf#AwIdHeL^J0;NK~A~Yc`BHT##}=q#2wVr{K(7Xrc50*Mq!H({#a4fGGPI}J-`k=i2npK^jL{b)SB zHL`jJ*$c_VkYevuY0#+1!{I@@36qIp54vIe#S4nKri@UNGf4u`hzA#oHH!wZMmwWwGl5gQI)Apl={HZQ;^o(a0m zWjSs(7pe@FXG0?k;<|+!YX|;DiS)nLHWJ2k0ogwtJ?4wxny4~Y5q?7*jBd2y)>3iX zel86&DaS6-2hLb^R$G4@cx2ce|Dt=_NH-KXcyW+;ZD&M`r_<%J7{D2_)-ZF_kGM|S z50d!KcVJ4@|M;TUCNHIq=9Q{aGZ7Cb{Z>3M0o>wNrMdc(E5HxhmDve9PVvLS(D7u? 
z0G5)l)66>jwb3Cto4RWs27pH6EIEtY^^j0|m}2Ewq_MS`W1V1gilc<_q+EvUr0d?K z)0#(wyqtUDWmHOc1Vf|xak#AW$&5XS)q9x*4nugSSV;ZTat|MB2MEeX^b zN30y>U9rrQsfcL;^Yt7vc$bA&1M{Ka6jqW2>NZaY47tNw1Vub!cTh6kwPt$qSZ6CN$FFNQf>!#-i= zb{r>Yyg7d6v6Uji*8%NxT$1l*Pw3JeaBBJ=T88G25naT?X4<~bCMsFQ&i>+?AeH-n zt89g~{wQr-(Q$^N2Kiy$FJiFG*$uJtex)9Q8y>lBK94I}J}tjYmy2teJmhqTKY8}+ z0n`?g)Ifb-rqwc#z;$9dxis6y&-rPB=C2v$@eFB5a4Gj$qQR|F37Sjh4jJ#M$oZPFF*2w+XN?N}o&&)Rx$X@| zOaz$^hBzqcA;2%dX$IKGf+Z?R|w}BfjB<$k@@&_ zmo?RoPFi0;e{)m!O<<1U^lhE;Z4$g=*-q>hvRo2N$!5BVd3nZ0o8O7;YY zqI{zp{++B0DMMdwM{h#&SNL++8FNC6Ke!7TDp&F%7le{aIP2*E#*&Fix#Dcw4nv70SmMk_3FLn>>Bo zsSUJCw*xi;+RPOTrfHu}UO~aVRF^soTrD@#cCBAPE5cProyT22)hl%u`vt#JHc*k5 zHVh-3-Sqb==d5!qhcBxfZ(L!4iz76CCt0H%mvl zTt5h*QWNTw@QphYIaS2d=Yl)1AZsqcg9JeF~0!1*xi>Rc-n2wvC>!94Mb zIgd_bNq7b_-X&tzx&2~J+TP>l-57E8fKtj|en7A`Wi!4Wx-s>sw#!0yXX_#omp=3xuj?Gf7-J_aJc>*Em!|dBaa>Fc4dA$afQFc- zL9(1f@IFRV)Py` zThvAARW}G-8CFX85u)>b!%@6Ich+hoF;-RuV7gb&2UbxoF(WC(8(-)#lX%{DRXz3> z!iak;e*VXavthGqa-uPP8S~5}l$9RyXkvsFn4c)fKW2}}NKTF4nCjB;d6Z`#5SW3C z330U`n$Rhj%B(4{G`jZhX~VI-_u*3-^urVZ2CO|sU(YtBbx=QToL4MT+rG^w0|H#9 zvZZ1Ou#5TZ9g+kETSRNQD+Ae;&TsC33j8s;o3FyMJ{+Rb(Io?Qv7t{eufa50Rhnr} zP4o$lPXDT_H3FwlcIbNNT z(l7@EtxMggMUP({8_xnT=;P=Yfez<*%mAoHeDuVhS$v*f-2IQf_v@Lh^Tlrf z)rB4pTD8Zdro^rvHI%>i&vZ+$F^R}EJy}TTZor=lo=a{Kz7L{DX#O>>0 z9!gMk{HRM*GrJ$poBwT0qoCZdBTf(i#2GFLf%7c`9iUl;k7~zpqPuAgD^tcJ1b*=; z3PsU9C2v9 z!&5w*BD4EkT+J9!HEO(uK>9yDHxlsttDB6`2>D47xsF2>j#_Sq)p zYg38-1oX1vE*3^Xb^QUT&kyk^cN$y<0=q-l#rWw23qm!YtX3bjjqjNW5P z0oRkgUby!~*KXY#+qx)7aIFE1o_4D8%oUgUA2k4&yrdU|m9O^$_NhjewpjJ+A932f zkAVP_EvBQYc2gIZ`hHmZ=z07U-rNB{tagj3GCIU9A>2-pyghcmk+XF7&@M0?vUy`x zRXdM~M530$o1;=wY80rL$t3eEW_%ORsg63z{5i%wYA7irG;!hPx^=YkuwntQ>uUwj zlwJeEAS;?)YD$HgGTcU=QLb-A5RHZZiGNli9MABbHgRgjezVx8T(`R_G7XO%XSQLZ zYD0pSIfHF~mn5VIxIy*)!CMvLW^DP1#{ENUh6ZzWGdya?g0!!Z(;*NBirDise_tS^ zIyB@E3&A6qHpY9_=yxDN#gA+D;QPgn=3e2CD3n!w|s{=9@9F!gbbH8S>%Q8`-6&nWCgXwY{Iz}R7=Ab zBA^SXRG*OqDus)FI|+PaK_Ge$r>%#OU!)G|3l{~N2+c9+&D8fcEYC|Ytcgh)ZV*RV 
z_Pl8@yHh^qRWiniC#Ne+o2|6SLf%n>xzTD6?ssJ9(%}tS#K;2?n&mue!l~1!9MfiL84l(d@Vix2Re&?`+|E*lf{hLn^;yS{n535X#&`^4x~Dg zjAi%i@gc})$lA;$BX#;H-Etxb=*w3K$RLj{?n$x^s1<;}vuboNU&ZcU6OHX(zVoV$ zp47~`(WM*DBfOD)2s@+hU}0)%tO4zDgveO-AGIxtz_u1DcUo!lf@I>hhI#ap*`{XF59MM62_}7-P#IeS67eDx zi{ZklhV=E~8rH2{2k*Cb@Tv<=1VOGTG|)cPaesX7nZcKD9W6eOi%Q8d*%a@5!s)(* zI%nO5xY4A9CS4Lcfi6a){#nKM_($-%ET>p011eVc zdzp2Yd_spnr%gRydp-cLJ0T^1aqnc!V=R9fhk z=8iSiItyOV);c7QZ}GyrK?rQo2~{l*cTWrIqlsIx#@JOITu{4ThyghnR#i>{P%}b@ z!po6tc?C@pSEnBpJAY4knhB&rfbY8R*}c@5%G4HY3s##2x>aj~uS>LS=s)I^;TX%7 zhY9zO*Pk~7D`tuc7>H5G>Q9M58g9m+>-wG8-`r5Zs?qkt*h<`io%ci%`wFylvhzG0 z2f(Kzzz{$XIeZ+s5XlCydkr^nu&EQtBC2Ic2p{R3%!%G1O2lio{i;qRGCd+VU6Cb_ zHtpBE&Ax$7@TPcB2;!I+uQLw}UE2qwNXVk!3*FAAa?3J4)U+Lt})m_ZV(|s%u1TAwahY3<8 z8xD55tr`9wRlqLH!@;^NDjf~RyLxhEmBp!l!ixYTb6DO()Cu_}=@)mnN(UBBTOZwg4g zLR9w(h;j`-ITFg|U~ro3$&JBwfz{Th0-VZy1HAJJk-?d5A!Nrccr)F=ujO+r-J68F z5#q>+iEPnX^g8}=4U-hlCHK2!U4b~pl(g^7(h?1!Pi#Tx%&jnHIL`kn@5!O9o%@gy z=3O{;^L6NJ^vN67Swkk6!QLm$ozkhja8xq^zbmlCoCYdO1H%UHodW~dFYEtzY!ub@ z2%Ip>;k~wB?G%a7q}zHY3H<1^NQ-BZe?1h0j`z}igk$m|Gg7B{?-PZJ#>PQ|H(Szn zOF`tmIMDN}W4d+V!bW$%zl{jyQ+!eih7w5-JU&=7jqPEn;D9PqX-%#$YFRG8Y1$}5rGF}4hzavo5=^I{W-1HSgyo5F?LU@m zxvTT>-{V1(KGUGVn@KQ~tV?%%PRVS#3RDw(>kVU04fYw>2$cl2-KLv>cLCsU&LP&r-S;XR#ij*&NITqv!|MCcvYtYhoIowd|U%dt#d z!-0SL-;j$3X>KkTaGd*XQ0&>y9vQ9mg^2BqgB96B<&z{7Hc#P~|I;uMWWGDE4U2VG zOmhvzR!nL!1mCi=EN3k6X$gKSDTLnadCejW56SOP4dXV2d!dllLl`2=I!!a<(XHna z$!}~1JdmqFK>0RyOaz=A|{P2ux6T_mcE=u~qOkI30|#KUda6#z8stW8){yR8{W0x_zAt9 zmNqwQh$LELYMqPPuR9lCItwR%cq>oDy<4Use&vgZ?e4cZCt1Nj%!@y*O7nLHZ9kj=~8d=?ovV#3hX3jkCzB&S=()2Yh#fZPrIxHY_ zJyb!-m#}P48i|!+qs@{+!%Rr^KBYFgZ)p-uqU51R_$Bmhuz>Wf8+m+B-L@2ybFly8 z6Pt=npOLHVY8{}PE~!rS&UA)dX8|ORXa1L0Y}g=MKfyUz>FgQz>0Lc__R&g zue^TP#Fsh(ErwiKb`3xNWqDTm-5$e3I} z!{wAa=d)7`Gmn+M#LT*->Sk@Cu(GmcBuC9t63owXVD15ql7!3?}EvG1dbS)AnnT(Q9otJgwx;@hU*M}DJw=WkLa5B{L+ zdqQ|CtwF%kcvyKsmbc`Ju>W0$?6L`8FsR8iQmY&AGh2D^Uv|H-`m4b|c7tYw$8H)a z?Z&$Jv)JHeydr9SUj<(}5{Nd?&ebtWMslhhBrAh@qDvmbkA9gt0|J1>I2(w5V+KEz 
z`1VbVrka653|lv=yN83{WQvz&>!?l|I0K7wP=GLidos~aBjB=kWD;MulOPBj(pbl= z6$Xjn-6i<=i;ay@+05|8qKFnu+qhtcq!9FO(7{%|9(ib-dnCg6`+a;a(O znv^z)o=~^Tjfkcem4!+@GG9^le#7iy7GJD?guE2Ll zhvp`}0jC`DnZ$k(_WhCVR}bJQm#}~}AFo{rbgohfe>i~oEBl=#gs#*>2MT!u;Hf!D zSYdN&P?9`66`MODZf)3N#Kp*?5}YtYG|JL5;Q3&K8<@PEyh#@kNdn51lE=V&pL={xQ@aFHT8YsK z5>8;g-G~;vE~MHuSnViU1~G=SG-xyi6%bjE@EJJ}$}5g^WB^yYCTC_fUnIFS{!$hQ z5SHW(ML5T!>MbBSZ-+)ostg3KP5&3d)(1xHEIXt>bA&vYeCi$MU@O>;{i2o`ZOGDY z!ch^aF#!9B*?4Erd^ZYEyUnv392^+XHNCZlc#?d70h%<(clvG}BV{C-`0A@WX{3dE!BxB5Ed4l zW=(K{g->8_mz&&xoAmJkRh}LC&fiHl=xfHYf}B!}u)v5@bQ$TG#?ItG7V~wNI=eg{ zE9CY&5F7lsCT@5DIN9&Lu0?LO{B2Xpw@J_OH@*~O(XjK!WmG4a)c}j~rdR#Z@5KIH zg$JP07tq<5GtF6`8cr=7G7t1kE~J)0sAI*kx{G^O-Q_S-I19k!VYYLIR!8wq~#i!??;)#C5%xFHlC+;IMy% z_wDM793kWn(4|OfHq8CacK`BcM-3izto>I2 z$tzrAn)pEn#uiS48R$YBrdzJ2Zgwv5+xB}~-yh`$k+97N00v@RfBKU9G|IW0JC-+J zIiuK$rJ2zEIP@R7(XQB|vQ+%9a&2u!K9vKjC5LD9h8&C_^gwFM)Bs3IR%t60o6W`v z(}(+;B$_o;Ez-06+<8s3Es!sv!Cm82}R${vxkD2_b| zXv0meX-3h}E5f!^n66vH$U1;|CY-<+k>pmMFu~(>4sYOLywhZe_D(Xb7Ve4!a}PFX z`_W;cr5&ueoT5?LGccKs1vorm9Z<~qE2#vK*Z;)Y&4xAQ9Zah!`qqElcX4h~<6_JG z6>;#lc@8U{1Pp>Fs_Ivc?)8Y^vB=@KP&+E&q0ktpP7&5F2dGEbv4PPxP=t*driB_u${eP- zfEVgMM!8kGD6;0obqc^Jj3SLmx4{B#_oRy&t{@L~oFh`wKxz|(R@vjc9m`@IqL=*# zghstre~T_{^sTA0t-sjrTEZY#u8>cBFYT^yydPkXm{~<)E(a8MWI9cvyIM?hTus(= zk%#JU0YH?9^rG6j84XtKSoNkYnWjT=GiI5C8Zp}NL{!!Y50mt+fT0wz&bin82d{H) zIk#SYv_}07dXmnhJ#ANKRH*mZI~a(LtsMQ3@yN@TtWoLXhwQE7LPpNWd5;)6GvzVZ83$-c9T825{ zQ}22Db9_2LWr@N2*iE|95UjfF@ZbZA!0Cv+f|x>vKW_z4#6IjnR<4d7b4n91j&tiugomCoDRvyb z$VV557ZPiP>NM#A|0VKm58x08ga z30FbWL8f))I!;!b!N8zoZNHll2%TJHJ3LTgMury8HrXf?p!SDYI8y$uQ6g|?SaqK5 zh#d?~m%9Y6as|MlOl8hJYR0xeOS%-)fa|sg4&S!9^%8ZE@KH&SfO+gckZo^m4{Jad?D=G&ODI|vPaO-pUUGWsk%UQfl0Rrvvcs1?wUfkjvB2T@P3>~?-p^s+$x9JAJ2^yq&cxkR?T*GZb1M{U0X+C=XxCfl?@6HANXvV zn;nGCtmp-%aJI};07*wxAiIc{3vo(<5To2p)I-#&){(78*PUC52P)Ed!?w}7>!o~v@eV{E58-M zSxE@?4abXxsvtsjdsXxxQ_4)$5ts~gvD%%(=+Wv^pYX<-QSY^vW_1Wmbj~swxtmE5 zgaHrOn!GQ&4$#ISmSz5{8YH)-yC9>iK679+m00c&6pOm{N$dI2h% 
zL0r0Rz%xK}MEJ7tfjE48vMDkjyc#5r3BwUeiwI-gud?G1cgpbdhmMD|tg z!l?{2wvG=at!X7&LN#=6E5-|Av^3v)sW*uYmx9p%gxMxUvVpWYl{;>Ff-+|KbEPE} zIsU$BRMjVncAnd|B=>#LaR!EC zc{ltG!GaHCZoJqvVp}H56{(=JQ#69wIR=ejNP?2VCZa)Ec=_5SYd~1<_9j`CI)9l~ zryu1+f2x7!?Um*?jy4hodpvauQjK+hIpCDArF*dwT499pz|srWe9w1L0^vw@WzG=u zW1yVHE0Buugf4-7r&3*f!$~wb!;Y4yHiwPyHwa?O!T_WD4EN@|X1C--dWuPa#^a%J z_SWn%;~PDR$;P8=a7BAyxPiJ$kL*4uRuj6ZR)zzmz4t(YcRO3boMST@kM|vH8gxDP zy!uWvpx=^Ky2CF|XU#DS%<~U4rj9eBAj44SWeYf2w_D_){zYh>PgT7xO5qt6!I@r6 zT?m85TOr{LGfF)*F=qVE?&TYj%R~e}H^#3^r)a$CJ}FgN@?RQ!Sufv<8+PEmNa2gUu~E zpy~E(PiMC=F`2?}v{+oQdn@ICvWI*bjtAcHZ#T8yXoioFcELvIyBX6y^Tg$ty>sDq zzF=gb)hcbRFLKEri)gp|T))kEj{OV7(dBTyBk@4Z1&Tc;VM0 z{tVDyTxN(ev0Z&JH6%{LdPRJZRUKJ&yAqFT{bAa1wXn7$e-B?|95XBXT>ZnX4ek;M zL2m$ZNho{Q=O8tZ_25g}&hyI%%e2s0pCBt?GBez-Gi^R|M_1Npy5M3=AT2f~Tn9twYqi~BYI#1QKgx$Ki(0v&5|GkMnVyGY>BgKI zC&ATx3?Dj9pVyI68g&D$#sm2T(J{<)mOx3SPRYI(;acmVaZ3&=2zlvg3g>P$vz0AoxZA zopsGRz#<1#TOY%)78ao`;*n`VXrpxRVka*N(IR}(_ybf7CoagNTfH@;xT<1X(T?4m zKg)~?wJ*F>sPSP`n_&yo03FY~;-L@+uSON{dvEI@V-UyDuXtwY8Aa$6CNWT_j-%*e zJuzYAEiu)+x6QRW#P;kJ zhwsOhP!YaCry3(L^0RQih=T&2jLEQPYt~6q7&C!c9?#Rh12{fuP&|}|U^HQt0~?N5 zH3c`67OZX&wv4+)k(vYpIr+Qg*uw7CiHPb4hXz-a#1=nxwpb+B;SaYny^TIPy3GkA3?t>B-0j*AaL-9%~)a~!|=IP-2J z4SRfS^a}roK=lkQ?0}dN_g$aRKtb8H-{wq6IB~JJ2ta>LxOZTiEklxq-7fI}qUVIru&ktC?)fm^I`+~NAjcA`J_`1r?<9GT7~d>zb(>LgxA|!lBiDjz123ks>0a& zcF9ydOy0MZM3v$7Zkx#lhIrsB9y!J5q8InS$L1F4SaYOJaYkWFKFO&y6h|YbRIjbF zDo?T2o^jCG!Y1H4Ox7DzwN)alQkt>r6}6tN02bF_^b%Z!zG0-bj&S701$5V8MYTjQ zct_|Hv|BuE4;;b-{J;(LnF*a zikY9t5bKJa5y&w-YoFU;lC?`8fcX>Ky6O)Eq|v{^J_|A=M9jGmR%R8Krii?>nkxJ| zayf9(m6tFmX3KR$4K44~Tgi{kJYME1mIwRryrR&PG*U*CdGnq4Ec29;#IDP4(XAye z2jHxx|1i)DO@D$+T?V<)Ci+z7OSBHOVW3RE;iT`jmzHL(pD1=BC`#J`so7%ktGGf0xSR+AWGU{;R8`i5-sLiH7RV4W_3(x4at3%+J5e(whWoem zHEQ5186^ha4+OSTQiuqq16!6Q;>=#fc7Mtn+Z{z0=gDp%T=KC`G4=8+jda3C zJOAG=NAkR#Xg!)MDI;tyx|+pXRMWh4nTPu=^3PC*0t+Zc+<(DED<{MZRF&&s4u~u5-a-P6H>5X;^8qk_OAkl19Hg6!G z>8Esaz)9AdH@sus*5ZUwXj*MMKFyTsvA8?WqgukO_p{ctf!UG988(N+r?I?#JjAqL 
znbO%=*HzPRsycfLjvbK~w|;2dlNul9#B$G+8@bNvHP0FJC98sl2HN6wv4Q|T>Xr|N zIqippm|a%Gyk*@2raWwP&{9d0#6Q~j(t0Q{@8&{B%V^|9!PHCwMQ8vQGjdG~kVTf* zCRsT?;b>8{3zv9X5^UI?_86^*IdUA(M@ZzCt8bcvW?ZYx1){9^`lM@m<05Ss~8yN(zWs~+^p?LBU7zXhD8lR279@~O&m zGCxW`rs}<(-tdN@-OA|xMAB|ci5n>2#G>&2)W-Y2w;BS2IR*bN@mS+-;fHInTb*OE z@oQc4bF&TRQ(fg6v`F!mSvkvsv4OJ0OuOj3yk79= zHj5qAk?m?ni?ASH>L-Wfzf(cb%kQsYMXRHwU!*;WDVblSju7k<4)>HB@>>xKRRmV- z;|+Yf%)!Dh-Y9z&C?+@(Uzn|bICw(-B7gFXA4X=j@+u&g20Lv4u4TLTm2~>2?-_#D zP;BEskVg@qx`lA9;Cd@E%8koWePkW!FkFa#ZGWmc;}o5`8(8)n|bDQx&X9I1QDNgw7 zTvNStQb!le3TVB%7?|Tc!Y#Ab2BTRpqqXTo}pdj5x?bR4?-VHIm@u$e!x)la#_kcUnc8ffh6BmF$%HO#3@mv6qhbgqqzZyC z%xM+$sGj6!DgwC9h_)1rlENF5X()pvC#v{Sw5(ez)=6NXV zK}u9oIi1`^(V1TF9)QqYcPKkcelSa5-|t|2=kxDZ@;5-LO-;WlSq{CE8oA4Et_3 zMX&a>VI1Vp#6{6b4`h47`@)qOhN$yB2(bAPbu${UuJb_vZX0Hga{{2P)-Bi4hhVCB zm>B0HUx_E?-v!Q7%>7ICAHi!>1XaN}sELpP>}*37r1WoBP~fsGela~*sNNAcb_L#( z*FV2P?LTp5igiM<-peOb;5Ne5CEKb5=wd zRe1rWOH9DfLNlO4Ud!n}OUL-t#+&0Iuz532F6C0t4(;wso(4p!OhL)jL%{-P<8S?{ z48d?^*!+wjGQEx?WVOIWD{}-_2FED(g1m5<=xwTk;_(=em3cf!m&PF}bT8n#M;RPQ zuc6hkYsLDpjvjhQjAb z>NO0Wl@2gMI&Y3Peyx#jd>XL;;|kVh)%Xkoy73-0`e8p1uTFY24tCbPR6qtb{!?um zQWUcw1})6k(p>~%Ec)*34sloRiArP6y9&k>#UZ7KL$8iV`E674HTCizceMR)go@CI zS;bVW2)PGNKY#t5JUClgEb@WNXlehVw^vPG6iCqAJBOkguaG-|k%R7naU4?NBbWsI zlr#9Kh70~00EOI%(T{N@Yq68X!s3{<<1eL?KOx&6_?GqXxa&NPih%Rbi5pQOyGAyP z8Bk67ls0}FYZO+m`)Y9Aj1 zS(zDB>S8tv#SCo#0j~|qRB(00{e(56jON$0U)f9Y3aGK|fdGhwg?r4Ata9rNP-0a$ z*QSXF!;fKU2l3u7EH%XO`F}A>VFhS&@!CQ3dMRf|9U{Bm%9)M->K_>Ec?3NWWtn~;M_U7)$Hg*QBg=*|w3vA>&WW5mdSHu8-p=HZN* z@W1KI15SR}4?3uGv>F!#-e#UN@d-jCxQMyB>{;HSjME-!65=>mpYa=E6R@&7GQ7u+ z(W$2~dz%Ix?N!0Ki0tX=#a6+aeE_`i7m&Fz&HG|oCKiuxN*9HnZ^-=F;rn1U!7xR} z294aVV$m%lzzc-DEe{MWrdy_GkqF1FZ4Eh@`&%gjpPh>jS0W#bCB-bLI`8%=3N~Vb zq$>!wkvP+jQ_jUd4KIJ#!CK5$(ME!oR&5&K) z>e-?JxJ5oHA_X{B>i{=igCoMXaabg>P9T%6 zKR{$7yfgqB{}YY`iKq0p+>rp;HbydJtll?_>ap0~`Xm`$^2U+B~`{kk!< zjY~Vjjv(HOxQregY8hkSKm_>#jJdB)uc9MfUT;0K>}DBjAYgQ^8t&Zpo27N*v!T8` zufA#c*p>A9%bn)pFtO7|R32{g0gR{q 
zoI$4nJ8?1@_i1aNI^P;x)4u+x@lrOtZ+1SM1c+fUFLq?kAdBF9DqL#bS7jU20e3cg z>9pX`rA3^6(r&pz1<#kIUU}qR}kDlLV(l3P{AuO=EQtiBSnBxi<0w0$P94gaG*_YeU1Ulhf1{`M zyeKjy@Yw;~DWA_E7#J9iJk)qDVkyp5(FoI#1Q*27gdL74>0dYYGflD^bnd zW^8r(fIQ0Bm=J#r#snuqmb6-5iC;(JiNw6=^)84hHYOYmpNadly6$KS!#v=Sd?Voh z)=^O$Ol_q;#B}!8OY+x8<+2+VrmiZx=A_F2w2)zeaN02OtRa0 z`@9es=5-@8acebadFR41vGmdnxD$6XMk8HXpZ{y1W|CsN@y{^uPA32u$6MDZI(&Y;FAINIAj_4R{?ZEJMohzgl6jMhXaU=fb=uw zmbk5=_OnYO@rnIIW_8}$%qoe*C-x4Jh4X3~QOv+z5GTFfvUFZ;W|zbs{|x9KA{WnV z&9EErBZR2in<&l;jsnYW^v)T;{$sUT+h{wx)m|H5eX$~^LREpPEDxH72mI4olfx(a z#=0fiSJ_%Nv)I9(0eWf38_;ts(E~O>G7!Km_)Kmrmy%v;E+p)yv1)3Qw^mKR_#N-}OuvyV*cXxCz7Bht&2QWs?2E`Rzmxr*;rHAe zwngN(pTmC7?DuX4+eP%t&uL%J_B%I=eG&QL@37Z1`>o&9JkO02W(uqa^tcHj6x@7} z2Gu9lkF43FnF(WmXTEk6GFG*r+P?ml>>_1Z0n-}o90 zfd?u${=jPx3LN{YXxx>7N^%f(DkLu5^0JlY;%7o90}J=w3?qqZahUSkdU3-LjT`CY z>b+wvEOp!j?@{+w&sRb}zjx>xwSK*%5>ih0CsxI;^HaSt-{YCz=P~%j>Vcqp3{p4N z)g(2^np_)GyP&!WQulX4g-tc4NM3>{IQ)q(4fm<3cS+zm_C(5 zZWkF*SoUQQo|ppC+-Us8HA4Cw?o2tD_|nnLSJnu9mT3G$={o}NcS=ZM_+vw>6lw6Z4LL2_S_2QmqW z8R09qR*g*C<#^@H1R{e{nEF>f;lxmPKHJiIEv_OIMjDzPSr30Q8A7mNuT1MNQHpx;L_0Y7){GvRln5U4+^{imgne16Fj(r65f*$6m_pDAPWP0y z{b=}aM7$6N0R4kNK+wusYQ0|rU4e6Y+1O9weyS+a(f9HoAIx&}K`8wMIv{dOi z(BDW#xm#U0i$Pdl>d^<%Jr>8^`4~w1Txn}gRnLqXjU}j#Ou_6jeEln%k00}2;S?gnX zSWI5YX~*k%A2hh0Hz3!7SJfn{pb@b+*r!9mOO$-}vO7}ii^$tjA z11mceG$~Up;^|K5w)pD9$^j97Hsk=3Mhg$20kyfAUvSK0&n>@bZ} zd0OE!$A$YMC)re05$6jZ$JD{SSDzD`jsI-V`3PTuht&4jWfpWps13^f2}q-X)b;*A z+*tI%a9tz${5{AZH>@E?gvgyq7|sWOd8+z6Yn_>%g7ueU=2UTXoWx2z;OsDY7m`jA zuPur9a9>Itbx{l=)*ddp49vB4-`rtp>q_U@-$9h-qn<+xrR^e|-ww?^)4~61L;?o= z#S)6o?^9w6uc>Ln6>*X^jXKwQ&qrhq!ECwk(K!rg05E7A71g@4A z2^o-93#34pF_7#A8dk2D@5VN@5x6j5Dyi>-4O>fUK~X&fA`~{39o>Xyq=2|yj~gLg64d1dQ3yskG-tL-D~L#UBqPjT~G{zrj!2I;U>{r$2;HU`CRjS@~z zKy<_YrBb5pG18A(*EnEB?E+!8yA($!u<4lQpjYlezsiOTqYiyC{+K+t8@bQ|@ikIL z%j=k?!8!7km(3EuEUz?Fm)bir2_9VibMP1-WM*@YAb{gO{%cGa1M$zb65TiOarw0s z-hVJY{qI%(+pl@fuL8{%RLASriX8cKw{A`Ucorv%STr4(qp#?Xo**f%rM zrqPby3X~evg2K;m95!uirwt7~P5kN1G27TtnRF0saz9_5 
zZqUjbV30=y@%j*f;shlAC)&*Z$}KgjY8;0)#2+%^I9}oGWIJcbu9?y6M>o-h4QT4c z)>GGABM-wt1o&Z*In$6Mv}3dnX2t$UYPu?$$?T?=CKly)Y&4H7-0k~>GlZJ?d@3hv zi>FhOX;@!vYO@Wi%rN2c%7f!eO#|7Lvb`zb_oE6C)wAgROgP?zlc&r&4tR#udN5&A z`5`A*E!0ucnt31vMv%zp002fYI>Ud`80O)QBZg3mlcuBcz&(~sFq4V9;y!9HnwHWL znUO;4Avj{g8}PrgF8QF-IT#^2vZjKOxMk5F+@2m@-D4v_X41*7@$(tV-A0q0|0f5uf! zztaaKS_nU=AivHARl&!iKCB|L zJ_EoRy~`&dT(W|!2p^3ft=^0~VH(KfLD{C}pcUEzP@sS?q=9`|pWg#^qZ|ro?+CQg z3oT$Bfzr$uP?&odwsf2QV|os|4Z@Kx;Buo|EuJ6RjWr@E=)*QNmk0wjf>9PNGle06us12C+f!ZkHKM=7X zyjkaNPByhwsb(A-8a4AW;~J)k;jAh`8bCgz0vRaT7>63l<2;% zfKohWaONjLRkoDt_N{;lzRic(G)+AF3Pm=7kjU3%h>+(8nf%!yd4nOq%WSTQa}O-! zOaqcyIXYQKjai2=V%or)^R%cNsLt;iq+)z_kp3r4Y;C#;QESF#iSUjs$__d-Ip+*! zmZ?R!Iu#JXEoD_%rDFB?jhri#mhxcbh{{*LqVVV^ZO4}c5A~7bzJP;8d8p^AKmf)XWq%kxywq45#7% zSSHvCK)a0K57(Tg@u{-5osuJ%3ZAKZ;iY?Tc4vo@yI`Kj!6FMCg^5r}E}*eM4H(*d z=L;jlkUvE;xKFxR7B)B^_i>;ZP|)4poe)}z44~BS5mJLFF)4WEIxI34>eli&v^WUF znl8@nWg!S3TK`P>@=YH%C=#;^ju7zZ4)p+=pWVR1k?PeZuAzjK_ob1tKS>6GlQf6@ za<<@T`wM9CzBrnaLMi`u)u4)*?ir3?RSG(7f7q|7MbBYHY zq2Ai~k6L!Z_S@_SM3}1Vnbtm-RO~sW(vd~Dxnn>LkbD!_K|^Si&Imbp_=ve;A}!~W zhlswPT;hU=wAk~%LNQ5%U&fpm+P31*mXoG$t4bIfTu2K6Je*cZT4M(m8q+iQEm8bR z-_(F>f;@$cTpKd_fd9pzdk6%oeji9zJ3L+o20i-o%;qxct&k9@C`_IcVNmZL2EP=U zZ;;U$E&K-ae&jro;Jj4OAInyE@||tpJ##fd5kvekq;)>qIDzLhj2@ak;!}Lm(0R>* z@A&Vew*ssJ2IT-n3Jw}Qfd!fx$>4Q8F%Mu)tTrm$Y^I)nRB|bjvPB~F^JK`?- zzU-T1BQntN35Zuv0a@erLs4t&OZ{fr&0*^@n9FoF06WmFR#$F8KW4?YdA6{$x1RXN z4(nS9V4hAzY@C&VE2t%n5ELm{>Ec#V&YE|kcT^D8i+0z;gOmfO2g5K`?+j_cD|d_7 zGM)VqB}y&v!YqY!~~&0=uN(T58_kV&8o9>oY4hC$6=Xy4$}eG~+;2_Dty zd7WG*d$m2{bXOY2YG@v#yVYfdNdE-9j{ZoxNq!iAJGA>=yDO$q&qbf-Ec8cCrm^FI zG0GVGy1{{)6(TELiiI|+(>YYPs59J85qZrus&vuLPDKwRGu3nmA#M^n40g5vsF>;Y zSo=QffFLUmFv3RXEye(2(zVujXQ8T%oH7tZCtdw6f!CGHmj4)^4&# z7V;Sl_b$*<_{hvO2bVC-H9UMzpCjOUf+9dsC`1Nw7(W zh{6%SiDQd|IP(zO2E6D=1uiOXv{=j|lj6i!>>S#aWOY42RmkQbffo|EoaMM zF`)COCYDGM_GE4O4ouopy6Tqz1r?nM8zD1eyt6LLtp%OTk0+i)%+f=aGHosjXIz`` zjK4yQaC5n6}8MP5?diAE5d>2{E_Rz78C+;4hMG3eOMj=yCeL= 
z$6V~2N*n?snz&^o?_mnh#{>m3bZo8-arL27WaKYqcpFWhgA^R_31$E)1M@UDYPtg1 z(-ikn0N(#ZW^!YO9Uvv1-u~Jcmvs|uj@};bNO_w?ny!mPRje69_Q(Y!G@bqOIpb1n zbVC*SNN^x9iV8C)H13A?Q^_Il(3E5(d*6HA);YKd<6G_1NAy?V?A)HmxXPq+$qX~w zh7imln0%hw-zScQksB*8kCzxEE?V4GylJ&7s0x+!C59%4R-b{Zird>FQml-zB!unFO z5HKo-wmH0Kg#A0Sjs2?OzchLaO}$62zko;Q6!JT!{3l)|oE)@>0lP>V4NMW&;e{2s z&*1nEFR7VoiWeq--N?vy(%jFu8SGfs$!68bNOlG_DnB*|;WC3}?gt1}QOP!}oxy2@ zzxm69aymQ})31 zK>Iz1Jzo7T=V#?sDi}mrC74?I9%Xh23hwNLU4elvbkhdp8QWDajt1khBgsnYPq~LV z-0t|E$VC=bHrNbJbI)y*b}dGHgOiiCum8q%(kphcl?zAbZN#mU1a7|*K7Lg=5QyWkkqmTpr`U7rW91E9D!R?}zRSwj8rO{VS(Gz?v&g`&*C1WBApw!0zh_lxcD~fKc zs9Mzo*$1$rPb*5Y!fMMnbAVeBXtsI<0DaG{lPRG``g6qex)5DPV$oZ7o0hF=h_HhH zV5p=&%qJ^ydH)NkSXg=7TLlD_K(69V&jx~q5*rshP{NG7SKv3bUr?>-$>1_B5Th1) z-AU5JH|V1(xTc=z7pOQpOwQE82mOLPfvY2oE9s9B9q*mggi_A| zRS@uEG$4bv*oHs?N3dupQjL&#%(evDYQPCRX*=NS=!4ajhpunK5kZt|%>yDgzlHSK z!%;^G7#dAKg+mGiM^8wsOsyW|h$-JxM`(*<*3(x}z)O-M8yT1(QXt2T7=%flwAp~+ z=X<(s+k@acv*N~n5;MajJlS&XiY&f;+Uh?g8WnCnE&lpRmG?8VHEHYQITVpxDomuA2#!Dty(4~tID zgI-A|OLl+RD*(Fs9Y063haB94T((-m3H>nFdf|aYz9jysZvE(O3sg+GG+PzSibVqI zXitzYS{~XAOaSZSvQ;hC*ZyDx)R_YK1-J_EM9I*UD0|+@pXAJpcrXwUUFy+Xqh9EN zK3k}?h{8ksNVbv6$vPg0(8TA3DHTQlJsP|Oq7p1XxtWZpd@Q5j9HsO`IMHuWekfa` z1snHUs`YMXY+@exg7l5*(DRh0&ABWBUG0?Ykq#IrA-YA$5RX-l4CXCzHt4Hb9`sl@ zM^whHkZt=A4E4g$u|(ASDxFgrfT80{50p({7k+U#Jmxv+=weLT!U>=rsvXP2s; zLkQ;G3oKMlD-k?R1QbwNQQ?hO7H-xY148Mp>O}*oCPP^iFPh97F5Ci|n7H_GBg%^s zN{ALfBm*i~@Akqd4wF@N>kMju9u5yHDq*fPDVxq}i_cJFPAnzf`35+cI#-iR!LK zM72(Iu|d@X1qedy`U)W$dN(Q`B#E{lJ!h&Ru3J%_iWIrg9VNq$5rBfQp(jBhbgA)> zuo>Mgk1Z7VaEdK2COsU1lOhR(%q^~tDu9c0An`v_nNL{3hNm^>fy<_@g%hzdfsN_w zo{Fsh2}S>PWYwllvdCHvTSZYLa%5$4BB^d}>WtPO^GpNuNGb@3lF@=oNN=Z(s>_ns5Y=O8K1ulbs4^AV~8Sq`kApdkktCqz8_x z^4a6)5eGJ6#QCN8B@QR@3z-u~4+6Tpu}+OWmmcYq%2&Lrcgc#|Rv#B+VS@8s0SJPv zblR-4V9-;oC!KS#t}x`XnLI)aA3y+St~g`1xO$$QiGFN5Igaf zW!I|ZM+WtUoQT4Zm8>K6=Be#_?Z z*F-b&F<|5biy=P+L0#vCPveLd21|;LtYD+f$OwJ$YHmx?3cVm}kRW$ljc@@IYRX#n z$kGda4-}yzSp(LT+*Z;0zeI0|A6eu!))xagO$@L|5TR((lrkhINxQX#Oan=FXdokz 
z(fep0))ebllDLi(jYLuask&*H>$+W9+5@*g(z|1}ubNf(A$&h%R~i>;T%7@bK9>`qcFk(8UdM2(vQ`6>zixkdsVv_8? z94EX-0}L_+$aHCmRIH5&mlQ~{R$$4Imi?q)15$C++fb}`iY|;52i7SHRD93}=|Ypn zf|7iRAFv-vu*yokMHeEAGQ$;dVke$Z z#ZNE=65RCkGSL7o{rI84@|~FCD%qisWcO7U-SwxHH_Ld>+K}xubi7-DvU!Z zs3QqcD8j}>>Y$kk!DWX}9+pf;B%&jYZbTzl;5H}_^i4quhP+YxFy-o7bdrAeR9vb>ro7Ud4=o~obdc3Z58?B8?M*=61&mRYb} z>2uR9=-uc?vfxk1SHeZM1@vqkRZx7f=bm{!E9{?x0SII!IfCG8=K-6RW$u<6<|OO} z-(2!cUk&oHZ1qvlgMpS#$9?>$yln;fRwNq0b zYjD;oUgW|I&N|3hTU8yQv+b;zx{A%_3QlA=EF^L4s6&PE7x#tXe$Dv8fsHmu@sHmu@E89#qI~RBGJr`Ui%BHf(Td^V^VRX^MfPQ2I-f(Ev zdSNNyj?nftI|wsbIJgLq2VmS4^_kb?CRP=>K%P%QRvA0Q##kXXNWm4LQwJ`2`8o9; ziZec^?mNNeI(1jcZJm0X)T@`AdhgSEk+HVtDG(6&^Hagc2WE8D^t3HcuL#@je7hHG zSPxtDl)MK*uSG9Sk^bpLs5w7(593k$H=U!Uha1er{<%Upbs`I(s62G)!xbX(q0@>y z7CLpI3TG}1I`v=*syqlgb-1bOb?PtE8Tt6U^&2}x3`XS*!wmUQC>D{&8iXlwVTPcK zJQxHYP<50s+YRJz5vnLw=J=iP@wvIBGU>m*=!fIz5B5aAFhlgm9io3|6#YaK(JQ&L z>=BAy*7Hg(+FI;=p2iww zay>lHEXy4uYO3^X(Nt|0g`e%ioZRs-BYRqkL}n!R6D4P)e03~Vfc-za|NGAUXX?hp zVh8hN>{I`dx!;kgi#e+uhgmdPdui-v@O@OH+F@WKH7m$QWV#xf$x5}-ku1nq;fm|= z@tsLWf|0$zAWgI1QAK)nSI@AfW|<94liI{(iy4M)6s0C*N|RacMflq!M_zK{9wP?Mm9i2B+2G#kPNX|GZlo4bAJ~E}hzA5YkJ3hE05LVT?V0*#5jnhS>;uiIZ@8z246u+G9tzOGXU4A0cQ ze5b!pb+E`4b0XsYA~}3 zC4?i5A`N3Psx_vi@w#%TL391KRuS`0%l0)VXB6~ApdrI$-YS~YBHG zf>=xdg4Zt$yW{LTY8cSPV@B=@kJ)=Oa`G3|%x+f!m8LORE=YYdgSmd05uy-a#Yyg$ z6u|}0eKK-zSWf52!~Jvpb97kQ{)Ge?J7z3lV4pVQ;K7kOCMwk~X$JRQE-^T2FnH6e zqp_cBPgAC>Dfon6bLNW%`(wMSZ}8Po_#)WU6wL>t$>^{$ZgUgi*4s|~aXJW5$HI(; z$Eb9>Q3grA-nx&ai(J$(G9ehXix;gRpNx*uzL*K ziZ^^(Joc-@7?Danvs<%(5dei2Z_~YXFr%qE2m}s@A#3qmALgR=bz)mc6_7w${I$$n zS%)hfw#N;9$N|*i$NrZywAsh0ax=R!tM;~k;Z*&VwiwwS0jWpk@T}#aTqep;UODuvi70a7khtMl52x~B zJQRA?v5-6##u}crFeuFMtb;)~81$@R_=S(p`h9^f(6a{m{D42t`X>X0@8|QO;rd*o z+q!K}2EA6vD|A)$s~1~}+F0)c)%J|EZE_VjpA zVC}HL`pF_xZ4B8A-7W7m8}K95DR|Jd+9K#U`RhCaIDFC4rL{P_9&~ zf)gkyN~Ta%oJ^NwU~3(httLJCuC}b6x*vBj(I>rbgB6#Uwd@PCG>T_T?Jat@i9K;RGf^Gp7GKcA@D_9dTO zpKEkmx9!oFdhG+e-Q#KTpM>x>nti8Cm$7uar`taU-_|x5B%?Q~p3GOWTiyO@Pp`~D 
zML|WyQS;ZBoh=1Y@h)pc*Ak+(C0ppUFn650CgE4;bQwc;FhbBdc2CX$Q( zizrbg+xi4MVPG~AM(m4neO6RR+tMz>m{zi;OEP$kbwab=L0MryXL;%cbS4s;(0Mpy zLg$#5g3dyr3+NmSE}=90g+u2zO%!wnLP6)>PYIoUJU4W9KO~`Z%k%`Ddr~%Z{s91%(m1dvTtu}RVG}+ZejdJAQ%Cn|()DA?%I|K5niIM~LoPXFmCGqBvoS$s_IsgBh zceJd%QTvYqdwajw$DT#HsbGu-8Oii9#gkz&9tY<|at1by%nni|T&P&az@IZ+jzlJ9 z80f>m(y4%91WB#m*d4Wg-`%M7+YVaaQd0U|r&-@Fl6sx8mX}GLPFWN2q&}ythfzsg zPFcrLNj*+k3zIP@YbG5ebD}l!NlJ%n*7j3>gVxBTUi6ZJA-|w%5}C^6@V=ArlM5S} zG=kTNdO{(E@$jcqLzH{z6h{%BiA0v|ah(%+2COWOX3lw$&1743H1o?0jgLX$3lUz1 zUV4cs(qEwTW6rv;Z?0E*83Vm!b3-@V=rm%?XdFxsus3>1MmNcXS)!rM&`q*BG|gNy zbJKz8MhzIHC_7Tm&YOvc4zyh`I~V?Ugh zD@P@K*-luQS=bjf4NVSpY1YPS4NC*d*-Gn+Yj8B9Gn{Dl+Ib>kG)@OE&zyKkOV=%! zw0t4>%d{mn8W@k0madg+Z&GEqj*8tkMiO4YxY*|SyE6E}Yk7dhX zSP%DWy-^la!N~D_L7!$f4QXl zc6EuFo3zByh%b#KCK#clV-oJ9rhq9i$d_>$DVJdYJp2D%uWen|=llJDK-$R%DS3d9 zJQ&nJ=#qvSnAv|}07LV`;O4#zdx0+u+rpmR+P)&@Pl=85T?VXeVe*-rtp_Hx=jtVFMPf6>})quRb3N2PneJVHDaP9(?l5tfzli*Eh5Hjop~ zv~lZmgtBvhaIk0gmfcI;OTbVj$F}#o6Xq#B*mY+`u9KQn>1+;+m&w)fN;|{5;P(ve z3Nx2_6K=pVxGDwWec<56Ar93B&QX;@d>EKOZPX>VBU2M?RIn~FSw4QHZ!%4s$Pd6+ z=wN931ANZQdfkQY)4o2Z0JEoV_bw+7MGmo-?$!^PHhbiqHA(%0zzKKGSXl8+GZlqGA_z zy$hOiw7lZ@T5CZorOgsYD${SzuY_;u>S&cz^^AFqoU$yA$mgdSDfh{>m~Kp7(=GPQ z$f{rV2hTin2F@>%-P$-2I3WLD|oWUv>W&j5azwZkK zW?cb+zn>H+zn{++0u|qq>taE{b=$UUtKEA&GG)C2{QsL@=S6ip?B766`*O!-8`8qv zn{T^~N@|ty;eDewKj0zKZOw)2q6TXbYx9EM3k`x8V)r)Q(?>vg}3UZwHfcD}P zRv~Tv3|ZRPqq!v=&qR)6;znI@^UY>bS{NFQ!?@WCOE}b_ZhZ}=b6N5?0>1rYu}!+P zvAlXqF$dsiwIv+ts9`XeZ|C-9X2>f|?ntjQIpLx|TF?{QX(;)%o>unI0jt?vzWpE=ek{iY)t#9}X9A(L?65}eX6eqo z0s8n&d(*BS~EAdM6Le=bYIZV%mJus2i2k&2EH+ zsW+NEuwp$->3>nhG;G%bRb1$iNF*rzP9qw|BNG*qAHb!EKIL)61FR51ULk+L9tj6& zfFL;Yi4ame->j0rdM7=rBu%PBP1=t+MvbWc6n)Qk))SxvNeOe=%jqg=xRSUhc*=_} z*PcC&nA_>qjP!bm;{Y8p=C#BKV8<~|QTy+ubDW~4?U9~?wf01D3kgjzkVZ&j@?44Q zXE7Ph`p_Z{m=8uSzCa#4)~BXtVS|3ls7!<|y$D5oju>!T;OdjB0egbzK?M04pz7P| znUX5_rV#W`O4{Hi{DNiXOc3Hq)d(C$I1)i-xHcr3;wLD_o?yahCcp(oS|q$lR<^L@ z4xq{DL9p?pe?LIYXozsVC+bcR*}A+v2`L~QKqn4W@kk5tz+X?!iNr4HhkQ6xk;ie2 
zTqs;14+fFsF#H06V85!*b$@u;)&vjaFcHpl zftJ_4C(GsLHbK@Kd`6LMHBP~6YSo~LOr%7iWGZvGN-L!VN)VJR{E*BZ6WNZZ!oNqf zxoZ&qBsdpa&yv! z$@By002(x^_@)eg>DHsjC>PD+=)UI!LgJfBszx@jtFNbQRYL(^m`po@D7)|`Zdqs^ z6&yGAB~(<}1d0|$qw&ad(B_WJ6@>RA|5ti5Fmd$N3X?gXS;VdWa3H%X`B-kIflScz!l0 z0iy7V$@*Fov%?k^Tw?>Xpm&k8O+UeK>UA>dR#KjTLJ_ruGcB83q>xga_WY{uoJJ8AvH(kIq|R(&-9ccfQSl-i!%wvLxD$yNDS{ii(v}w zi%kFV8txk^HV0W2{+6-fV|V0Mg)N!Zrlssc@9AdrJqK@n-tYC=)^&Zp-wz0UUlfr{v@~*yAjsN< z4Gp4>)$*RnfwhL^fi05R?R@Utu6R$$>@1qL#Hc@pH#&TI&E=11Q%4eeL^mL{{I>Qr zReh1`GmFK1rps16bg+YcX5G;~$I)^WuSRHxm=*tJ6_H6cMtUxJIY!3wD4DICiHYMW z<(XJ10$4-kyMNqXM=rGYU2GH9bCr?t-}V=D68NAKdFHpnp2l!jz^ZEI3xJIALr0sFr5PCddUxr@ue+Ju+ zUSq%QICfcfsJ{{00000000C40G`Y|W;@nZGy5UtbAV(# zi2HHOvB!QJVO6*lxoh51c@+==>Q=x!A559+NIL!&^Fi0oA*;gYD$|&n=_&2Inz9de zk4V}yl1r$IvVB^k8axf5ccmRU7-iK>ie>Jy6kx;7;To1W^rC~$hKo8Tmk~JBOWl9J zQoZ6^WX+`7PQ(K>nLA|Lwd8U&q7=aIHr+TvlzqAXa@i3`Gx>c zDsUC<|4+S#_zND~KO!Q&KP}d-FnDgd+6Y2KSrlNh$M6dof*xBphIc@js2GPab0C~X z$bo*!Btg+)e8l)>5gVa$*$paa0$d#q;nSHSnM)vy6HHn?0rK%E84qd^=jJUYhuwip z^0W2ba|pK^%!i}Raze84xpa{#E=Z<4u-DXiB01a2#!COkLr5g(!n<1m5*+;IL;PLH z_}H~nNSOVvv%JfI%z_RgF$;QXoIxLSqyO{^Q|Z$WGU0(bKS%BsdIS;4y;VUHJp|ek z&Aqb+s*)!?J}L0BXFQ^IdfN~Ece&sCHGl}L!3%xT;1}sJ#fiioI4iBg(Pb{6Sc8;P zqN7gGg;?^iG)F3pO;0s|DUz}%*v+aZpUXypS*)d}1k*{d?Y9b1-RR(4QRA&yV_E;$ zP&86XO9LD#)?8u5{PC-$M=bnVs)WDmAbYeR3UP^h1-9TgvR)RqQ?eq>B~gwl`}QM3Jew)h|4*l ziYpj}o11+A%cpG3^$e{1^;75H-`nR5xiTjPcLb`_X`LyXoQt#M3`;IU2fAPmBW9qF zx)Wn2(m*3h1;+5(I`)9M#uAlR8IX(9iDVoxg5lFgr*hc>MVji52PgBth8ocTCi0)> zmfJGR45(44|H#HD&4Akwg24*aNp3w>C}-hEs88-<)s&kuX7i(K4E?kLQ+ ztaI$xWh;}h#)aHpm?+$Si>e!_(OSX+#ai8$-u-;-t61l^79Wri7KtMu#1vl1=SM?t z(i2!1>USkbLl`V#{1f{G%50%!;}OECtRdAz>A~5Smh=$pYQG@44)_57~Mrpu=HqD>&0G#qp5^1Y$m1&|M-S(73 zcN4JiWY>i`KVUy8=Q}nVX@0gQkD~AwP9$d)&g+DYr(+4Ine+{EfM6pxI6b`z^^^b! 
zylo9D7ypOmeuhh-@}j$KXH66SCu|_UB+{WP}Wg*M%CJUya~%PRXDm>YxsQy%CBRaf z@m+)ev>ECdj2(VtW#Fnpc@K6*QkTJ?bn2cSm&F-Slja6Hg(l8NR zheV{!hL0)DvIsF~pOxgTCoR2t&h%V5hfjJtzf;@;IC3eS4cj%G8G-a1B?POmz%Jg$;AUr){$AQ8%eL!{@ zL>Y>5WIFNRYR!G0#R34r&2aK317ry9K&KQTgsVOq2jMAz$tv8m2t}J03?V#y(Owr5 z?9>0n>?L+1@Kcy?cb!}M_2cHE8K|3ROlF>am5zaV@mNRL4I>AVU04FuG@Z9ku`pMf z?QcY|f@SnC~5a)qFI~cG>K$bRhsX72tfG5Ml zwi#%hk2}2^;cT4}Ya$jVzrT(H_DM8=Bd#nt7xr~Npk9w+*dJKc*O8&!F~gs#fQ*sa zgkM!=Z}#oHXggvl_em(7@)b9%Jy`KzmQ`=XfC?U8_PRCe16CQz2!#Ni-6f-4!XZ_M%$OMJ3h5*T%s*gGw>f&d`t zS`!J9z^-!T72equ7Iwh!OLftenFL~2iGi=U&k;3A>6ibJ=^jeQpRd3#^e4(5Kh=zf ziSMCs3eebF_T3kZVyu7q4O6FgK&Y@0wmWfw{&EUC@`kD=JiM>D3e+TTXH-oplfRE? ziBR;v{i4cI0(#qG9vojt_6Uq?fDM6&K;ljF5cVOEuhg6!2peu;65)S9#(h8$MjjB8 zKCKAv4oFqV3l5s}Hj)eoQ8yUoMy29_>+m!;8KnI_1z63;g7(;X?{FgUA)@)ZKa@D2 zBBupmLAM?Q)-dIH#4WXxTz;cmPlK0C!IEE68ywH4ueW62zC{i&@-dc6mh)0r;$m*> z2IgZK=%C^AQGvvA4CF!?2~j*Qlg_O1ffQrfWQmw~abfV;GIp ztsWBol{!~(v?K~eYh~~=b3;kF0rSaHWIx#aaH%q}oyX62J70JC+{pdeGlvYwb@BA< zy6oMZR5|4aED+W1^LrC$U@?L;sq+e^6EtAUO5K%EQlTKxx|NnjorZSEJ2MZpUfeLf z<#z2jpd*(0GoQyyr%+fxpV}+4vX}NILVVpQvGLL`sX{`oSa(I}#J%Zn99& z05Kc0PX}K{8eV8=*yJ=oU%LqhVx9D4sbOiRO&Y}X6yyV2#B_G>m?rPr`ancoDT2bG zh;s%;_#X!V4MrVe8Ouj6tcYY$VvJA8*24Ok(uvc)CtuOo)mlR#6{v`yVXvO`#o_gJZyn?dCKEK_pkVC~$@;wCxFw z{K4lQ0=?9-4nAsg_wXepCV(dnj(>^L?JNzq)OA8!;qP_2VmQQvv+&LVMyEy>PhwA| zH5E0>)!iL^*if@JduN!u2|1itCGkF(J4SNCs!HJIt}6{eMY2w{wphgzn5WqqkVjy>(Fh(+pl=~wpov8!# zU&cu`NEeOZv5cs_74aM@D+zJ-Ex8*s`;6Kf|kZ=5s;kBt=wp=10=7|_1>t` zcuLZG;bp~P#z1GOJb!0Zj}n|@P5j;8lvOGqOv#_e_4sIdgQ|SqBH{#O;-AusE(p1* zTHB_yRbH6J(tS;Is6h&IW2{v69UBV@*V7t*;OzKA*nAV(X5iPsRxqo%6;zD*JXfWv z5rx)!t4FxXgrnVAh)>2o0K}Q6`n^2y=9>E!WE2B1#VWItRNE$>(odnecFfbUmB;Lt z6z$NDqsIJjm0%KT4BD&Hh>z4=rg_bezU@s*um7E#&}K_wuVpn`h|I6&H{WQqDlqt% zAOY@7-Z8nVTpjjqkIL$wi5Z|#-Az{b(HwzwZa5Gw4t)BV1=|8lXL;?#_SiwyMS$Fy zn#ioI?Y5xsbc2CuufPKLiYVrtD~zhA*g)||K0FM-rydT(BW80loB&2PydAY?*0nNL z!t2-r+(&Sc5rKS{ybCthGbW!0Vy@|Bcq(ha&6H=k;{Y_TVFPBKI@S*pL)#A&poo{@*ZjPtswbY+%-T#~4=25HRz?sYuLUKM>7 
z(EAnwpe~*U)2D^V^31}Jt@!^;fN~W67UKG>00^V^q;1we{SOSk=iYl}Pu?%WZz8(N z&xXpVwgEc0{YWEVZF*^tZW%^FQBJkxk3SFN9niW}Fw2%?_5~8qRG=`y=0L%X*77+F z#&kbE8NNs>aPOpk?y{gSNT(`1ZnK$vXXemi4 zT$EH7E+s34my*^(Wh9-;L^;?nbSYdH+tN}3RX;`jlz_4SS05@wtYO~efu-grspBd45^Iv@>K1~ekG94sOEWC!%j zPEDXzht?o}yELRgG%2#ub@kuESaB(>>5)#T-;pL57^!mJ?A5_B4j#xDSD5s{r_}0^ zr|Kn&`35U0SsP{wd@RSy9rZi;HQk-N&fo2m?a(ushHX(@%c&XOfd;v&o7mLZ>f<<} zr+^Z1N)RL3^Gp?uTt@i2(V!k9X;5&y_tB@G!{LrzFnGgBmT}XrL~s2x!(P-)Xll`C zMhF8ZzUHvJ0gXO)%8C&F$7kD`((cc?U2qsXa44crsyhhW!b*L#%SQcwt?h8K#{mVu zUL3~iv}+CF?fhuSSA+KoSbW8l^$s_dgUV3x?MGmqle^UaXn_HwMADs%U`S5>80MNy zTRux64Y$Y28$8GKqu0l*dg5%tkye5xGa&`Q#d;S!>KqJiqbFvtwR{ee%U3<0s>4o# z@4fKg0M=_HA-=SxMzsVMzKOIh7kJ;q07zjR@btbNX{r0LRqSC2Gn>3WOD`~Mg6Kx< zLZ!iec!g|~H1pggI_InKuv3scT6m5Vcz>+o`3T<6YDt}#f|y&em50rtY`iX3v_}L1 z9jp=o$`QTdR~5SrfI7ZZQgZ-{VUVuM7SJfrDgQa#!*Zrj>^jJdN?FEJOtq6Dc++TO z8l|&AF)~Gzv0MUjMe|VP3ld6iZcy$7&&l|psAhS%htavj3@E8gAMi<{Di6qnb<9*c zkIplrs~Z^BD6bK+m}EI;39ltu`B8fl8w zHd**2kUTkxE%!VLUa)o-m2qaux#;mieSe?pywHSf*gR;&d9!S+b7@HWDGCuC00V&9 zMQV@n|1M-`5~XFiwNH}=%3^fH*;*!1@;E*29+TUgUFRo0M+#{!V74?K5gH^0e*S5| zO7CFdc%gj2Ph(ub$%Lq1RCTRqh7V$_xYPryJNExvHc1H9$d?HFZOgmk6dTTsHf{BQ zth&8>s~Th5B!alXj6q1DK`OqQr1ZhE9{K6QC|s5NjH^%}*%S^LB*_a9cq}seYCkic z^VaQ0yf=;hY%JhHk-VHt1^O!cS}VABFBL|dDmg7im6iV0^T4MIX`L-r@~&wgo;-xT z44-nevM4qLm=v0nf}hcZ_FHs>suboPh0oxVsV5(9A;8FE4|nBj$LxkxF-5sohI7U5 z6(O^m%r0I$ux;%vo+Se^_p8^u7jLeRdzEfmjBquf)%@CUGUi%$Y=$5Hf=K_XL-8XgD7rWu6&H@FyXB zsp{~ro{pqd&XXc1laGPaVWg!=LfEhngp*zmvQkdGz0a+41pXKUaT6n|2Yj-~W8YIt z4P^iBGA~Npd5AZZ&&>>7lv*`W;fqt*jvnR5&Q;BmM{?%juhWZcu`P~>vV0(>gBY%y zf6a7$xkTPEaCp41`8SMU@N#7ghz&)=Ka)o!5N7DUQTm2b)8m)EXRUl=sYN$$Jkt!n zr;^$h^jJNnTs&fH(U46E1>AT4raq1CFmKI8$>BQoBwSik|3C)59}d4@R%#vK`AtB# z*oD9Oz)!avCf0PP0mYo+7U=3A=6Om$QPCp4daex8lnNd$2;6=RwEjpd6Qb&P1c#3B z{$k`=*&AH)A%UDK2s9MFMOre^TK=)nDN_#i_w|F2R!p;89iGgmQIJd)iGUlj8ZBXW zff7bRH_+vAjMYHEnhAsqW6}T2C?h>qHq2Qe=3<|Y{wpo7G;7(9O_QV;9k8(13 zw(!Dq5b*yiC{!bSlMokdvX9;zO*tjjuh~GD0#`l-seF^T#;?9qobG6Pl5JLS$$$SO 
zqTyC?4Xe1bNe+l7P}m-~$^~s|e{d(}_hzMB`C9Pu>AU z1iUK!0P;q!Xh0K3!U2CD6P;%cC9`n9Ukh24#+Bs^KaC0vJauXs#~e=QOdIq|9hwTZ1PX&&FSsqut5DBr~3o*iLNC{xkt z<}{8SJujy@P8iFP=8_g4bMD5de1au(g=_9WHr7o0FzaA-SP;FV-#%{8PYF3-02!W( zS?_@wa|9{_Qn7IY<|KWrRRCy{foCp|oPr@TmQbuKtO=&yC6?RDFbRK=bJPF(5 zC>*;1JnvVN10^l_-+bW#9nU=%;@}YvK<>J7gNHV!5Z@aTrMubq9KN|D67?sHO^F~y z`ENwTlb~w?omO@X+K|z^+4Z1tU;5>TBy^&vBSPpETDsLEi&cFL&1B)UiPUWKS%A^- zb0XmX1H44RF%(ugL5rL{p#oN}E`bYekGTBJ&9#o9WvtWjm6~JboV71EqJ!xf^AX=A zT9Yudx0KYP29G3*zk_t*2s(6<@nslsELzLhFL#p0%rf(@>&|opeE&)~RBCd%B4`Jh zDMEp?#yY@V)4;5NxSmU2glsV>zn2f8#02l5ZR=uk_#oUNw~g<-+T|Fg=lLm7dHuXX z|0u*KWvt_<>M21o9`RHiiXQaYEi;>|7}7^F<9FMI@^DV1`hflR2~=OhHD`QKaSI%x z2g(TH{?l}$2|?A5;KsSg(Q%;n2I4e_Tb%7wMQqQ6*ff&iY$GrJqb;eCqpaJ_F^3RL zc=6`QGAdzHxKnp;J{6}APpTJY3UuDRz$E(0B{dmLkJzjw2Yx9lE~tI<25aa-BqPUt zmX_*>!ol@H=N4oRnt0etL?dVEO0t=KTAnNZU!r*q$@nEgd|}ejlzrU3GhF`Ok_89v z0&_f|mTWaL!RcV*SnX*tEj)queG)n)K5A^pBK%(HyH=J+r&aY(Pw8BBO*=HL{~f&K z7c5Q+0vtDDvvJgPu{x3VDw8-ta<^B<{Wj*U`LAcghjUWk(Fvn7Qu%8Ol{xAd^HpEn z5Ab`l5yrd-cW4xF!@KxP(I^c9c%ZFL!tr(>$(~am+7;#(Zbd#xyRweFZovsay1{Vu zN`^Q{WO$+E3u6LTfcn%(hP~z@iQ&UN5Jolg`}gE8^Bh+n+%X|cb5BlXaf~bZES()*v%>iBPz{Q^fzWuOyS||^t=@6aHucunrDw`IjQi{DzRa{ ziby99Bc0PDA(Rnol1M2P-6F!Q*^{SOu~ww6$&2mHR#zNMI`aBL7rOO4XHYi=ul!bTrhA> z!aQ{*gLtf%p_bzrC6JTw;~FCkCJPR(&>ASq@VbsuubD{g#EowHWp{8FFj9YFu@K(b z<<<>95)a{+GYidJDZeIV7^sZuY7||PoYeJM*A3goHt%+^W0AEzjJO$3jZ%Vz*9a(B zxr|uB%GC%LtlU>RU>O)2EZ&AM2P?_gc(DE&$PX4T4UrI5Ps3G&m27NCSpOUhNtUoA zFj;j!$pvZP`vDEh`XGAKe0*i}zb0}ZGq>n`)qP3UiVFIS@QO4OI%vdyN|tZSnYQ%XWflJzQ$1k~DjWti+EB^MPiRxr8bV zfE%n*>y9JWpL>w&^S>U$A6j3VnM*S7kT5nZMq1W_N_r_<69lDEjHK(9qofh!JQ+tt zv9kwJ1*i^e=F!>~(M~8!kyK@OO0?#FLs?i*AlurHhX;S1$c!lFz54xkkOuh_qQz@z z$Pq{cl7oO2I|QxL6Tar~<*s0O$%f@u#$8zc)->VhkCn%bs!~|Io_tcTt=#&0xRnRU z7|}utM{7U_H*e7`vVPyeuEtFu%99YW=0Q4jm*GzLDRS%Dxo(c9V`&&4U+40F_MQD_ z@A)55Dp6Q8%rZ+94?)!BmtWpF$Oaalb!fNHOFW;v6#zoS=GT$+WFoXvZ;_Ykvof^R zo=mP!m+k@SoPKNozD9P+{J$@Z9#?4*233VW@oF)G{9a^{7C{q8m2KqT`{V<(mdv8Z 
zYKHaJ_vNZJ5JjFA0+qST85HZCszCwyKpylvv5TRwk#1vl1_}15w)Il2tg$aF#|GAH zsF85Kw=x$1nxQn%10e8_fx8=IsE93HH^0nfjv$|)2Y;@Bf?h2S2ECypak5wi3uxDL zp1HIqL76Qgodxyw(D0(4@$s-HUc)f=mNO_|qsm0JKUi=XE$?czyf;88_vu!vK!=w@ z`0s-~Kiwq@oxKG%HW|({y4gJ4fFv43rlh$W?9D}_*cDIcIP{#+AG22^DyHwl{~;r8;x- zNn06uWl{JiDTnf7porl<32-j(&-gG?C&3Gtlt$K3rlF&0i7_RVXB=JTK~TMDlBLNB zrj9Q^!efn_*N#u9w+bT#&bd6rD_zCgwi_WvD8D9l6OA5E+cT0!FJ@qbfQaT;#unH7EdVCQ z3KQcS$B_3JCJzdhyzw5V>erF)8!Bp8u@V^7u zKTm3s(%UGm{dO`w&jbGS7s=my5+%E`K!T-yJ&tOpG^n*E3J}tCz{Z;B5hK`*lIwmk z={OBqTV`|jx3xFzB1`>a|H)4QfRg6! zmaAchA$?e?*tTTpaK*2HC^QKbL+uNKof_mpSCBx**3uBR$OY&-zAi216zwX7C6$hX zYBPA`MXMzoc~>7mF+?{-ju@3Vo%|dZiLZb>@zkGa0X!ye@}>AAq9F*>US2I7K-m+I z3K)+uNCM!jZTI#?JAycJ2SyVrqD_kT1}8f9ANjf_VvNk)Wo;l_8tykexA}8PeA@b_ zTz6(t7|ZAdPnQ1^2SA@IzKsgS6O1Zl#T?rhJR4f@Sv0|%4w@#_oI zcP`DZ!TMto$p-I^no01J__Wg{LhRl>o|0XWlUufEkQ5r6hg5n#AVQZM#YgvdmIgk(XzBBa(pLpo2d4dt5x z0<%g@FUl%%#6EzW^p;*slJWowSB3OqV@0I#l;(Znk6sj8TLh$6^rDv322i=`p%-~8 zLh-_v#+}fuajY5}ZSpom<-L|GknzV+>&&uU<3p>kGtKW`73Cb0$={wvR0fW=xC4oq*@t_`OwYJ~i}%`^aYbjgZs zD6*$_dhFMwq;`}2E$ACP)ZV%GM)gC$AwYw=lY2LKLVzo1l8qk0shzH2Rn=jCv(KnC zJqp$9W%IGLP@AzWW42#G{Sm&J=`O}SI)EpTn7{x6bE-O3aM~PVMSYn zT9)U>8!Y=NXPU_j6Ge5oy!=GH#=F5MOM;(jDg8;Mk4fT#niAcd$8>Rn19bBq->3LEDTaSA!c=TtnqW` zQ{cx0v4uH%rtTGDQVaZKOeOMZHVOlHNX5Fwu8Oz*IG89jF z=+Ylm0Qzd{WjbpbOhLJ>WwvBCJXK=>#F(=~c?R9gL6XhD&6s!g`*de&jg|bc^ z>obKHtf93s$U!c0b2ZS<@={s|%orpA#Ix0A`ljEo+jB>^(b zJqi}AILVj^5Wu*t3ci2;vZyb|;e8N%9$X|}2GBgy8R7;OTClHr!}KW+*m(qAxrY$H z#PVhvGCxOblRhcMg~jbhAq6-bvY*2mgUbBpkfx`D19skJq}!Oh3Lj+3ZG84>`ipaK zsTvA(e9&gYP30~%LS_z4R8z227imezh2jEV$ngeUJ*T_uX+D3^dQM$j*Q_i%ARPR; zO$F^_R`nX^gy${dn2rV|dG}xVrp*_FMFIs5ffyEHS#9c*%S5lLmh*idsJZTrjoTXeUqYInq1hkrd z1EKx<05id{8}C_-DLM%6{Gvv~RB2oO#g`K0$~)|GQBR@k&K^kg$yM0UG1(F|q5#={ z(YvBB`&F(N37ax<_8H&|D-&TG<(Q^VVPdC#a-GvznMkEHxy{H=lS(qWN(2*Do2(M} zv@=5q-UTQNQ)W>BFkwxhT#vhJ2koLVHok!T`K}EO=>@f~=tT8>iIX@E_|AVQFdI{5 zGmfP8Wu4y*AFFYx^Rgks=`i&TQ^*IZahOsvRGmW=6J;jr@JH`93qA7=e;e3L1d5UY 
zYsuuH`yv^#YHF8LDS`ptG_!q$34`B)_PEuy-R!2uR%c&CsbYxHrjQbz=q}d#%;;}6 zlD#}!RT^|EsQm3T6Ip0GFgN?ZJHEMFW$Av(%bHx~+{kA^7Zyb`O0AS1TrYxJuwNr= zAjEH$=6+V=Lc1Fjf?rSL9WsWJ1W1W3sq*L~h2CrqzL>EwdVUbz#YxC4o?Cq-5+!w3 zQLafU5yD)0Ph?i3(V2{|u^KwxW=l=?F%>Bmq3~84C9m`|)4L1$CbKf&zCHcGWa~3} zy~q0EtAjz;lbAnVNd7drT;lkgA?=xmH$YOSV5t%0Idp&o1aPl=jMhsrw-_45XIq-q z=mSviKq`-P@eL_e-t(ac!L*Z5F1!f_wWc}Qbxf-^j|N?Q+D9KbipjkYT6rxdMz513 zz!^#XRS_N_y0Hnmq0Y4ggpwMjEtEry-jHTM7=*(KIGFSo-RQxCp5fiVp2ysGgaMmw zhPZW%dsgI{E~nA-W-L%4j~Lfd;dAC@RCz(}J9I$YOY=$yn!7#z;EH02BV80Pp>e*N z-un7?RUO;cMFl})BFfm^w$5zFuZi`RY zlrp6~YqoSuGNrr>qrL-XUO*^sA13FUD&Ua>RX7i%vElnGA}Lg+ zjl;2ExM>*wKOK^3Ytvz(Kg*vL!ahCVXqWBAGU5zd^ECzkHvVA^quj!>W*-*- z?HV1f;5%cYdF|-Nc1#In>WhD%^!sxNwN+*)Tr$hINjz*)B+;ENQ@WVyM6gk&O$518 za%u?=tWmCMs~hjHMo+^*Yk2fMWYYm>b~2a>0QDuPq46=2u{F}4*_ZTU5^N+;X#f=L z0I?Bvc36yrPz(nv^CPkz(M%tSVU)v#ayTKt=D7a2+pVt835U2iWnG=)(o#x9dS$zn|( z4!`xGN28^?lT^zd@Lu@t85C*%^f@ICWIX=}^Qn`g+zgMOijiy-xxvZ$t z`H(@2#VZtC7MA{F7{PWmb2k-T?}IO|1I;hO#pQq*3pTHe#y0vxOWT-BO81cFY*`-n zrbdxq2(n|60v%oRiTJ7zUt2KZCDj?63I^P8e0~KK=Fg&T6MM5Nz_Nf|K`kj*7QILK zk`|8CHDkI0Avt^t@1SjEu+sHRI3t+LzM$^bRxH24s&WI3Vya?Sbj9x(@ zL&1wu5Rt_pO&WDPgF%HbGFhKBk0ZyPUkQ85|U2xlj=_f`5$&MCkhAn*-fkcC$og4UjwFo={(KtHk#FKn%iyLQm#Hsc*Owi z0eW;MpSv9tmVO|TsQ55FSiIFdG9vHQ;&+8WmmoBjWny2CVs%%+kokIWHNB$fvx{k?0d|g;4@)cV&)& z;%5k~-42ZotarSPjz$4uTAq(bv`<$6&LHX$wm5D>*-rMDztIttmsoZb%om2k#bVAH zQF5SfmR2Iy%P7WcE+7~)`Drl7$I)HZWM-)z5rz=A;ca5Csy$7?5m-Oqkep^1*F3nW z3P|f@L6&@&WQ>4?W2kt`MRXdmQ*bxU*@g6yz#n6ur)A@~Q&kEOuPbNX^e*AyEqJ;s7 zAon`&3i`!mgRb8)382*1Bp`>Jv!$4DBuw>T=wwu|+nilCiA>X3A%#o6y7 zsrd3(yFqAr18;wH_r-ABjiSDor&GcgpIi88GuANoXBaOsBVNJ?G1D2RM=n)h`|D5> zdjS!H9PX$GY<#qNMIUbIG2VGNU1gc^5y}-?Rf`J1yEO1rK~@Tl&6DDeJRL)9b#Ed-E=t-m{)tjrKb-OY8oHZ*{3co|@R|rz)YlR| zIXWxFzw`yCWNwK`RnF=U-KwhYE(sU%p!7<3h!2yuUQnq9ug|g`qp91|0ou%W%KRSv zzaHtopA7=McW+bv+3JpOm8HJqbZbz}B=2*8H#u6oqqNcZrTO273XY{1sDdA!cN9sc)x9>3n=OaM$0j`WtHuaI{uG 
zzn|lv_~E4|5FD!_lNUd3VlHB%RcvNQ=~K?n1pG0I_QMcE@BO>9lCA1~)JKRH8p@coVdVVL-lqsU)kY=WtY58>2YlhY2OBbvf5rdM2VpRp?@^`F4S`A-Pf~ z4_72pH*faX?BJN za~2q>CNpF2suU@)f+B=oRQ*xiyvHeI`43zN_L-r}Gr8DB!RqLhSCXAgdu^>uXLCLI zF+AtyF3qt^4^t!bCL@nC6n0zS^{&B%Y^Y#Bz^K%#^VDlK%8*h;xoFE; zH{k=rCMpzkS4~aORH`Ho$+(=8E~r;&(B2O(pilzid>z_}isdZBTEda~K+aN&tL>F~ z$D9;%a#L>qq%`$_*mY7vgyTM?vlY;> z^R>aOPt2JgbZ15{%x)rLIsoJ`S!evKJl(l0l7n+)`5Q2E3+cH1;X$lep3(jolE{xCH=OY%Z0mZL{+ zOnuI1IzdRcP;T0%g8&5del*)SZE@zoiobQazGLHI&@7ss2e1S^c(k&B8%UTX|2T)t z2q#qYF>=?eLJ1N_^8rb?+nR8G=|ljT5G5P`;1jE_=+@mOtNd7H*)T!LD@J%C!?XasFyILO?oUknmU<@7U) z`Ua_pnjvoRM~+laAh_uccui;osJ_4%aCftgEb$eMiN*x0)7o<-I~5cPKOFN; z9W>A3`DswShZ5s<)`HPVrt-e?YpSEesiq~y+3?!J8Tmtg03S^C5~4iIPSNFXsqLTVj zx+eg1W`ER#cvc}Ft$lf2&t~<_FbMG*hZlMUo!PB3+%`dKPm&luJO_QAKj6ZL?bs|1 z8ZLkxcvU51h^X2@>u6>HG=UIWx+bhmzN5-;2q(ClP836m#@Gv)OJ>3j4j$?|AEE)E z1aI6YfDtGTN`dg$U0dHVBw`2;ey0zPvme+C;6#_A z6G;i@|6z>KDBfZ54#DbOex@THd{}I{aqOqd=j^tNDMZ{#Q4RUrkEB(NhL=HM*3^rf z^wb!fqM{fKyy{{f{(t%d7Tq^`~xq`gj8h1veVX>LlG)IEkwjpP1U zveJmm3@8I2OC#F_`3*$c>;zuGgzp1WjkQ)x`{hNHC(W(NaN{ggtm^UafT)JHM?{CW zVqcRU*xp5+Hm7ph!C*>-^aI%Xiot&+Gm%J<*QoH|%c=JT?3hwW+MhQ%C~S_u840GW z`quNj1K1bMgUKFrEyQA0#cwHq68h+}lvJ8^T7LDV3T-(c%}#X^ov~DpqZ1r@hF;)W z((&Z=UBm+PVX86_m5|GZ@-V62=wiiGww5F+_vwV@HccVU??qA9iqXv<{B+Fr_Lvu3 zyp!@_>5um;?cw7jh{r-9evo9o$$P36t&S5i<}8gIftJfXD*G`r*8^1@Wp|n>1<$WG znDE?{QBCM2Y(S+!G8@#vVJf9m`=XR0n*`#3WsUF2__Dl-HhXU%lGaZqdTfwTm6Ppa zulyOPQW7qq&cH#{$I!&`Rqpy;4rmN^Yko)t!>S1`tOg$JKl45;3Xw-Qx#!r)4t9RZ z>V@0F9prx0c;r*vkTWyz&dw0rcK5mUUB|d$z1g6U<|EggG(P-0S82#JmOzDC zR2hyi{Z{-@f(8+~R{_n$9?-<&Jg&UCrqBq0zp_)9gd9>Tn1E9!kvyHyNdO7AadUb9 z;1;F%BOOBN_{sLUWfpbPCEF;MfUj~2YNI}g+RX|;P^_3nC$GooK?D^K<;e}ndxwzv zVA;rIy6hF#E$x%t##=-jK>xsUu=|1?Twu}JIhQZcs^0;%7I4s**8)|A)?~s>HHDe7 z!7s+a)HHBY`-k|I0(pTf!jS>VWc*8idG1w+#4XIRX&cOog!y<}Yzh(6V<#&!5=r)* zbA##v)g4M{Zg2HlaAWV))PV9RNFZqWjU90C(8(kKM<`3$w07quH(S|Vq0!4bwcrxl zrnW7L!U?W&kHDZGvkO1W)Y)BmU%$HL3j+HF{-D|Vi#Hg4J&^Id`-6{}?~kV6PW$cU 
zX9(WA0IJ8WGZevbf|j06Oz~de2`&6b#$6Qs2dU<;Ghj9{zLTDG5b=HxIvDJovBp$M z4EKg3l(Tx>NT>AhH=6fz?lz2=ov&mGiLEyB>*NmTEY16r5LOTIhkErFC!;s3V>pI0LuW*249fGBgeCz$77ij zLtHF@5x42`!Du)4DorjxJid*Ps)-z+17Xo};YslVyL7;u&f_h^55A&|TP0}ilkse| z(ejKsCQg34!2K9Nrq$FYadQzgGX4}pv@j7}%=m@iI!+z;X_Zkw7$Js}GvrR3P2DGz z-l7FiLMEn}BoQuYd74oa8N@yG9_m3i0kw_dWDGpX3VD*yj;%bVXi)dX?&(UZ^RL;H zkmb>H!tr+KqqH(~mh-5y#=F-pjD8RUeAZ~RcH|h!>3D>zN_`#5mm7UpoRO%GYb5wE zzGM~v)Wz})Du$Jx9TgF;(7H}1S03CRj~r07uyA3q2OteFW>a%%v=AC6j5BLnr;kmC z94`n{&4=d>39_)W@jAF=E1Dh zW^Ys^l|)#efZh=;>A%jl#@E$B`Mw(?XFtFVLi4^TJTF61l8w|4=H&T(h+5$^Dhqjt zwvqa0=^x+Ztf^`ApF%2A@@d$JNrFxTf|elUuJE}z5yYNq`q#g_<@Ru-(`9X<7bo!KzJ(JoH#nEn z>T83j!!Y(##iqFQMeDo zH?KlXIKr5pPw&nMD5T#_6j#l&c}cg%);&gW#6)@l)Gsvi7t=isFV-pt1|$!4kA$Y&&s5vhomZ-`mCudw5F`M(k0xNp_(d)#SZP^kDcOo zR)#EqPU0ps(jp);kTN)>%)a4dq^Vzrtsc$VIFiWeama9gYCwt|l?U}bST|2mTsHi6 zRWv;-v^#x%`c%sdN$t}{Lldp1p=I%Ifh45SQ~c`=r4GT0ZRJCYp87u!eV{nm6xW!c zo3l?aJflbW=!{3Qggak|rrDPE2X7{D%w(7!{ps;iDgNY{LA*pn6?l^>&&N2`#pdgP z(UvM?;Tub5YhkwIeb)cVm7lxtcOXcOV6&oYyqnm%5f*K5i+jR!q!P-?uR?eS6S#e5 z$f>2dL+Sx^IGAum0bQ%Wa-xO-|KOQ|^lP|od5 z=g(73_GMSvbhc^{Xjv!8N?<~q&9Q$0C+Z>;L* z1V-P@uqk&jabNoM(0M-(R{^FcH8A@Zn}PYm#p@I=bne2LMZAfvXX7`RT*ZfY_|fmo zXuY%?pPg8Px|R-RPg33TBd#rgJp-PnH(dsrdb_aZtc)e!;qlJ+pKaBXg_J=DS=ue6 zZiC_h!J&!y&wKf@qu%z*SNLny_5(_rE>7(*<*4KXuYxwFtp{4#IYi#;Q^DW z7tjHp0e|_y3H?#?;az-n@3_C)^T~$D7&7YpaW2u%2knEADQ+Vxz|yMTc#A?S0|L%3__EZ2(=e)|2#%!TX<3i{Q#wH?X<3ke*8hNZHTQJ{pb;< zW=p)+3Co&VQ~qjAXj*>R(u?eq+AY9-mn1N>ZHIEcpPu!eyR^u}kF<*>?(6=oc?TEA zGDxeZpV_OYLG!S0yBBUu1fc-I_Ly3w2!ZkEBFQaCcIFWG`uys3T*W+}7eV5GEwBJg z#;uhQgx#qXUjxyCO*&9@C4>zK?lJ`_vC_&;nu=OiV(;D(#bwKtwHhk(dSWQl;0H(Y zVpz;li$zezv~DY5S4?0?TMb}!vUe{iIOu6l-7_7vZmhCWLP5pAIw{dKOE1YMKq{6a ze+nCK%gt2%*NO4!(Am(HzWI0jKIfRGD({N28)>6E*fR5ejC)W>;_%)Cm!0u<9J_-u z{PEenhM)}mreM_jbU91ynGnLT63-jj>@~b{4d~K=b6HR5tf5(o8@um~YEJ8*RnF{2 zkBJtABTuuAF6iJ=Zv#L8Lq#+K&WD>4c6RpR4&aHwBq)i{y)am?$me9?qY8dy;iZ7( zEz7a*GA(0TVdu|+2#wRr-@@^MjWNQB2C)W)91~=5%9EPF_0YYAd2#}Uw|R+8!2~d! 
zcKC4`?qZV{h>h=Ma}v~R_G(3_ZhX#nu9JCeF|9BUwjt6C=sXyfoa`hBC6w*Z?2@q- zf4N;MI6VsPDjdT}0WT91Ou#*lr|fy=zwl{PrN4|3$+^m!R8 zllJUMb${rBc*BP$?guPqnHDlsZz19Xy1idH=4FH$Js{u4nU#XqXO0G8x$LS`KgUue z=C`hbsAFQHK)F`%0r77~l4ey9<~SkY#OYGlo4KVspS%4_P)U^G{A5B>`2MSETQ0+9 zYLPj}_@e2xpkLrrQn|+zT$vHU8id+s*f=i?btw^uX3r}kGiO0<0a zHb{~3>jTr)A0K+VnfNyz1md3$%?B9TFlw&?SB)snW9vM9^Ug9-f`;DdThYDW(_-rs zOenj*2}|EnwPo0Bcu_qt%r-U+58RqIlZH_vNVsz|;7Sfd-qScc19w z9KyCplDiER2M3^VJRqRQ=Woi8ZNePPMCsj(=O%7b<27)oJ7~Z9P8}oe$)ZUB+0fxP@Wv8kxV4_hq4H_QRB4(^qL(MM_ZwzfVaE|{P^Ri1U27;VHL3&aHl+~?4M z3fr<_T}H@YiBQ9@gg)w`hfl|?3uMS^Sd5NLw$TxGWh%`VXGdG*UMDc*1WtnKBctO$ z%)9BU(9^(4+_Ooc7oKmOv8v(4^56JRQhaDhBNdKw%wic3lF%sP`kwMsc0{>1+CjaU z&%WK9>%2YSP{0!dI0K%lrQY7R@ZJcQIL#PH;C%e#S$u24=rlu!OP2{QswrtDCmG`Z zJS|76ILB+cVTPJ-C58=NjemK0a=?q)=@dTj4^?w5pgsZ8^3EVS{k?2Qu!LIgGR#&X zU*8ce`8}S>uRZnjLPj9F2bA{h#p))0vGV#&*I!CE5rHX~xYedDjEboVMq{WqgSW`N zh{qVc83wYc{eiKTKv%`frB(0|`2fYphGH|NuQ9L0^>iyW2Y3*}VKw#{Ghw3G;2#eR z0X@k7^|qQYaI!E3Fka@=IRuFK<%!DoTCFs=uP8KQ(yHH%;%Ta8%_ zFTz(^gV`Z!5q2&S5p{m98<3&(?hWAcqbVDT6JD_Haa+!jYJ%Feb|9O0pWJYSY{FBs z9T-sh9}3hRO>Hs{xS&IiQSB_OZNeV$LGmpZgPQ6|4BRJDPf!4*Cr|EidNre%<$A~Y zC?vZ90Wck5ubEa;4l@Jgfx9D%$fSveV~6P*^!=V(jyCi z%|KtPyQ^Bt`}mZ@-jB!vx_qP&Hhut`!=!EGdSsf*X7&4l(mYn7-yS-n{7$%W9Aydz z*!qV!8#A6=e0u80x$GHA<7Xb}-#-iu6LU$7t^4kae0&8ESnytciIqTMLV5wg;8l+b z7qy{iq7r;x=ECuK< z9Urq+08OWuJO!)>Q@l+C{uE>62^C;gF3?_54&AP46WY&SkuKrnJMxd<&xh;*$k**T z^g_ilB>oeM6=5fMkT^WBf_(x-ocp`GQy6n-*}+2T%FIGgY!HQ86bkFZ9T#=3L;iIO z<45bUl2kwqkRnVm$9f+QnOns1-2eHkH#;I*c+^8irf1*hF4(gbk8cJ75~}q2C7Z#+ zvxZ*z%r%Gm*Wrv0L{#;I?<)smfpyHvhx^HLdY7|&9#7){ub|`#zVB+v24B`37CC7G z<412*VFH@0tS|zQunHZiybx;fq6`5punrR>{`GguBX}syk{WS86(Sdp%Sg6T_&EMY zMqZC+zRqU;XjwtB$i78D3twl z!I*t%JN-q%ZzJ%%O-ttEOhtBfPB9)BeLS#gd&XcRNj zNHXI5HAlE4m}%)zd>UpmOn~W$zN4HfJV0`0i5P&NT@N;);c2`F;9DWM4 z9C1}!H-^C32(d?I%fgNFKO{22MwcTJ1mQqPAQ3#Ru!z=|PuPAlVN7__1i&z~7+Kut z!AEdNNDI?afKFk@gxM^7gu_c1uZRP!D-slh$2k}j5#xAPXsRaQ0=tv0P=)6S`fL__ zVn&iCGt)CzErW2^W|0d_!I2P0`@*aH$}t;67l1g3;lX{8_VjfydlZ1@#iI>W 
zsI`07@%vX`)Fn!c--dLSV;4v0v!0AJSkex#Ge1ihuUPHql}kG0q=BLB;E@#8#H2=g zNAISyqFD7ifQt-ps0P}PWz%KM&u^#T@ZB?LzS- zqtm32N8D$;67%Sxz{gVhOXx=(DkY}>8cYUv2k>@}86ox8^Vh|e$^%S2;1m!^d?N=! zL)F(a}JP#D94 z>fQ#?$!Q0_DKM0M2>$3Rg$XO!8uylSlfb>Hom$EY{HW~8QqU)tm=5PF zlg)hcm-}+1mfT%Jk+G14d9;){{yi%!_J(EhjXC-|W)RGo16tJGiwFvtY`OAz+%&(B zt^ejRHtrX{W@J+_2PzH5h~5+*paXNaxwtj|j5#WGxV_Vx;r5OtHY5+rOE9vY7P~cn zNc~hP+IpwSp#J*|*dccWYRmfj9WB#gQw>KZpEu?ZwfYy9WPGfbH^{!$&*56X|0?g4 z+12!amdCPI^SAk|TiG!$M^>D_GLe_Wiy_5|BN63#S`h+!-D zU2?s->{@5Ac5i<4@eIDb=6&rRdj$AILu83>m7{VxwRkNP%V&MOVkC~8Yx40|g?f>@ zJznCa8M8YUV;rSS6lWk04?H}2Xn+NIJS)nA0H63{fE~HV-hBd&7P^kEkV+3i{6n6} zgbNl;CzpwmpL1hQ3RsAo62Jh zgpQ$dO4Ef5EIv34_Hlel?4Jf8Vs+LlyO`~1qXYiDK+&M2A>d^#eYU+aHI+rJEsajd zRT1zPsx%si6^!JrmVL{p))joOln*u|*CBUC2EmvS64!^=d;ckY57BRFqoapT8)>{j z2@hHyDmH^lBKrZH z(`miWgVV2w>|zjJH@WA=F$nytVRg|BP_a3{(NO|c47%%K9Fb!~@qw2bZr`UFX4YrqlEB{oq>|1i`+$r|3TiN&5 z8wq(Bh>#+=!R>_uMzG2E0 zdnR?E@6v&gRzU-h3i(hapJ~9K>++$-d;yd^y7fu^2$^+~V2MH32@yf{uV7Ro<1Whk zY{SRj(!b$Q)gyh{sX+=4D`w3kO#-|zIl^Lk5L$6ziILM^WY$fdVFpLi=oTw0-k^E} z>s!li|4j;p(bHQH9U-jd^O?q4V;+ha`5hf<>nIQ}Sx{gK0jg?*{5Py%YSc|gzIFWs z8J1TzO=IUPfzcKDKrJD};#KMClMYlTtiJ>jynn=Dykm2Obuhv}4~b3`Uff5zF>ZiN zQn2$ZXn#Fra_qz4i_=!sM^c%Pf#ZNM7dTZYx^VukRtC)*wxUv#f9)o0jBll6Rih%t zI)vi-+8{A8j#VEgRa(qM50m+3dZif-{;33hr@bio%Ji6Al@1y6{HbB|&X|fS zb99hM`r^`dC0~79OKg|}@&$6kO~c)v5CBtBxKQyf;875wphjRWy!(NvYHX{41tgeA zEEq+21RxIL5|yaw>SRSkl^0-km~W-Xd`0xd;a8c^LuFDJ5g`ihKzdD^-`SlIjiLn@#PSA}1w551tAz`Q^ufd?Ge-N5YRU%9}zH1;exe{2Z? 
zz`E}!ORUSU!X-O&D4`7)P|8kAd*F-_fMI`#5clKKW@o|5tlSou`ya_Fe~kH&nykg@T{nBI`3;H!14MoA30wK*{5D;H{_GkRSM zQqghS?T<63$U8oBsqGl%!V^HpI1ubU)El)7%V3p$=r}_flgg~m@dW6Ckzz5}N!$(3 zy|mj5(?D@!IV035U_~K{Td1&{IP zDhphqSE~C_y_AaO74wOZ4Tf(nYwt6u4&q=mKvU5uIa!NQAg7N}0mj@OZh0@*(qe$l zJ6lB31psGP((u?u$2q}X_{<(nF$PD=EjEmvfq~ic4&eap!WUL;&}TuG5>|nyfrl0% z!g$<|0{P6Q6-{7`PJXbINtjq%WUxXi_-Q(9E66~p;#=#!DCs}7wxf$9fBk2e->&J< zSo9m++ppVO6ZsCJYu~!0`?MboxoLdHczZs3!A@iMxWwuJEY4anVBa=;IrMdIw~rVA zGtO@x*`Dt|DRg_6`16mHdk^gsLom+nOK5hO9}_M{TY(nSF7n$S7m7#B`kav2dhV3x z?L<8J!p68w)scE;d6wo9b(peZ zY2`LGsrS=qbd(~N=OSa!X!B#4+{{b)y>G_xz5A>GXR_(y!v4$6y2i-jkAMZ98A!@!#uTP&Ix)C z+*p=K(}b)S2_X{fCA6p_Y=cZg8^dTC3#*m@QF%* z^)H=0mqsWTMty3eohG$tA*zMfG{KJep5Kff-iv--Y7qhsqfW5+^(+ z{bEI-0ZA5GdhZB1U0&WaaIl2SV1=9dkH48=p2rMdVoqhsccGZxZ$l$j@lfII4Gxy> zacsk45NMcQf7U@Rq7j4z=2p3;9TQU?g5HlkUt(p?O~|@nmaf{?wSsWDG)@@^5`qNC zFJ!2^YL+SIj&HJ&xTS>5BrL}Xagu}5$a-Sc%MBqR6|$5ukK@;C9kD8vQ`U>)^(7m0 zh(RM~1^E_q1Vk~{$aT)HahwQ!Ii4ykpjV$glX@kT&-2J)M3=DJM=^g2EAR?3;DhF) z^=vc+LkL9>c#05GD22*!dvBQpl&05jn(ijJ3RI zu~P8S%wR8uUxxZK0SuWG7;8D^mx%#3`ioZOJ2f8O&z^$X`FK~VPi4xw`HcDkUT~+I z?Lm+Xr7IK4-}521&>dB}Ri{~_2_~Rv=4J4`Ru{e%7WQLNM||ovfPd|yTYsNo;&y-z zStQJb%$KYCb7{hY;N^!>zgyZU!g(?S`|#g#y<_RWf0Fb=!fuvum}v^=oq)ywnc;i) zKyQ|Dnl238!1zl8cX@69dz%F;hVkED9R7~PLE~SiN@Por*jxM<8uDfHX2@qU@zTPz zM#Nkj1RCDa48=8(#Uchore1}LmJU=^tUo%C1`y9b2ABLK3hwwOb_F&*_AC4}1Hf8| zaR{$1tgdCbck3br<4MbS5a?|<=L($V9B0!x?nn7Pwa1V}xt|49GXA_XLa1xkDP8sk zzkK!mXgxZDbX*P0`9stx4;rd`@>vobnc~22%PKVx-ep|0(Va}hDEYt^)NsM zF~D$Nv`fc#{Cj=33F5Txr7M=eTiY_E@$ufPo}!VoP!2&} zZ$e8H!t~GRky3m!j2}7LO{~0j7|+=7chsV@hU*tP4BhM?BEmlXH5A%ef1EhKklpQV zIshm1ks({EH2f(-Gc;WLRl1p6J0;=JB6pQ~jGR&Dr51d$7KFZi!X>kDs!cj>-1gh`ECl zZ!0qYm+v*#xsI6YYn~1Nmt{}!Cml)H8YVZq);y(aqNix4*|+If|JrMNc{Llj>8ASI zkWPLwf|LH3nLk3qW1rt}ognQ{$ye?*lhVdm4OKv>t<;F7p-{eFt4|cjXF<;eWi~n0 ziZWFw^6yf7uT;j;;7db>Q@dpx^*4@&xN z`wXIOIYQSJb9}6i^{Y>{)bv#&XK|Qm(Nwj8d{!yPr&%PsTznK^wi)va zuNw?lsTT0QmoRk}M~dC>!|_l+mL#)C0L!kmn738YTM+WGQ93~UGwczTsfqD>Jp^IT 
zRb>8IjY2e){iA{zG~HOw(Dlc|{m=XwcM`k}`#gMf3l@7&y(h6X4$-=nk zy}Kj9DxZUoDVusEd?Tb0TU)6|8^g|T^paZyAcU%%6X0z13wWn-5T9$J&wut&fj0vlr}wSI^YZy=3q=X~T4; zbHimDxuw6v?D>Xl$h2p=b-#0~LhLx>4VI6xm6{UKt3}Ih#)1`M{XJwnO$YO1$|i}B z55V-8yk$E7*v=whdiYQfP)s;+Hz`8WsQb(YPG|4lL)D2SX3z4n?k^7?wJc&dF)dWk zaxxL-0BHb`~rySq`wi%Dq7h}yhZw$$6Z!|oZRn1-T7=BORg5CkOY339BF~upS zNt-o$Ch!AuBI#Th6NUeVSLy>dRK@%(e+pouyEEhr0If0KSz+CUAm)#xh8WZP-V3hF zCw?f5qyiN@JN>J7*^vLX8;|`n4-ddkMIM)Ei@&kyOaPQZg8J(32kA?nP64G0vR23w z!N3a795=F#fQGVOfNf}l#2n>l!^IPpn!q|8-A+_L5LaxqG$d$<^gk}dn~U)K15una1R|G* zYrqM?$(8y}XprGo@&rj$NRqY9LO0s@@sactjFeGQq{}z!yEgti2cqt#2}$#4WaxXn zOL9<$N76rFv>5@;mA#d?alz#iA|Ke%o~6`MjUz-va~Nsyt84NNSQDWZXHC-)G>9Uw z97*6sL>v)o5szLXF8~F6kti;C{!yv*AI*x$0g?n3kT@7FmXI0IHR8tzA|tLq@dCvn zN{7HDy%I1cM*!O-*;*n&wcv_G5E5!6q>vy(f{;iW>9rdnHjf$X zODI{Kz^DpWja4c6PoQWJk;Vo}U=tfrfV^SyRWhM}DjT4Xc3j0KjC?gSi<)V|?=!g( zq(uv~U#y^BSZsowt!(#8k19t7 zVFa?nCfqmizAmXxtU(|C0Df&8H92|pzL!X9lwuPK5Gbrr;P`1h&yot9!Y6Qwpe6N) z8cvC$RyE^nffDtp(j*9H{gsSu*S1VJi?&r?InXNRVBxRc#=s`=F z!e+NAEjpa;JCyk&SKh6ja*0NFWd&&3`!&$pINiFLa^1+e;qzJdxjV4A{d?OsdDpPn z<^b1lO4p`o6m47QyWQU1)^NI|N!~S2w|;)jZt|}Crr9;{R+h`TLu$TDm+wq4rS4EP zue@!P%i-i@zP*jh&bNG9bG|R;Yje)EI=k!STeb@&ZdXcGcfH&;cHV^Fe@-{$vh#9Z z8%?e@m+$?QJKfnxxh;~eoOhLWyXm%BmnQEz=KEifUU|oBZsnR>1b5}#udTHEsbN0r za_$dY8IkX{^IZX4dF{>T-f}MEv}*^)Q*{%k-M%&)-;SU#=Q4fD6&@> zfLXEGmBV+pU2L;^hhOL0sF7g412@aiMqI^<{jbH`|tLfc!;n2h%|*NVy( z@!qb+TbX|C?RfY4Y1-SaFk>$r7L2hLqnkhH(E#e_DFU*B1rg4p*POKhrIQ(j8c7`- zQJ^+mbu4$M@}{tIfd$qoEc}uhd)e^$+e`7cS4U3I+iC7-)bMupnuUFJfrd=RCKoQt zC)UxS<~qCFF7UexCgO~CUv8KsKdl{Lm^GzD#5%a#OKK0-zpBP;($K8Q0_NksBWu#a zJU)SwFW2F~RZ3b_W4pXhen7f%uB{OxkVzj1v|tUe&IJ}as7@|VfoHAm&d`83S-C(N zRQcD@QF*z$j%~UwNm(gS9USFaBPl7Kg{GyY9f|Vs9VxWq%k%Q6)VR*Z*p69NR#sPc zhOR^B<-1(#lp5dRbh(x?B_Po3@CifDPv&=Vh;;2zntMxV(-Qnp{qhM^sDuvKd~Rm@dQBQS?J=Lkr98LMm(Cq!l30<_r`Bl$_d{#&^79 zKKPWB_k1Bs;goYsg&?7Tg^4c1ar4y3nEy{zZUl$^xQah{m`#s-WdWJdNG z^Wg@iD`X}pT^CXPHE 
zloX0Nr_6*i2n97Xl!HadDNBXII7{V=l77f*dtQfvf-<0ESh`{%+d15F*z9u70rka=U$n$2wvTG&>h6F(QmmDd-v&ABI+V zXo>7_T|wYx(mX9m62GTQful{bpe25)E|;@0OZ^`Yw2U17yZ~LVhpW_i5s&TEG{(v6 z5_1JQ2TlN}MvkE%ZZ0w0ne}>-2z~whS*!k3&nJ(wuTwCcMtm;mM>eaQoK?YO z8Kt$j-al>G25ah8LdsI6PI76FGZ45A#cN<;r7U6t;IFQ&+NK>gBqs}0)#* zC&Sq{J1dB1eC39tKgHcv4V7c*z4_F9^?zNixqbw9R>`fLUs0@7AKkBTyzwzNj6N&= z&Clp7+?)W1`UYeu$da+VcT4t42tFk0y@Mn0o@O3*vl!yS`x`o5y6WoQ4UhgE#}6vC z8TDC5Rx=}MxbmN4Y7{r@rs# z)P#-qHkPEqKM*WaxhbouVEuk~>)oneQk^QTgoPz4b;n-~; zoA9L|0gmT z4irrO#mtrFR4t0DNG3d*&;&_H5o|0#%_i){)7VD$HvSz!7tiK|2s)fsXOqBUEm2XO z>PNH9hbZ&?U!V%u&6z;18m?(9z_>|ghQ4;;m>ADU=z>mkB*AC&#fjFmj2nc0;0>NK z0?nLt08R7lbyPjIAxl7|MsE5G&M_8H*#xF2!FC{`>cGCh7#vMaqIst40`bI$+_cl@ z5}2eMt=&8pZH4GFH@H47c9^H`F@Zne;1b5*${3%H-|_ai4%APB^^Ry4zXNm%UB~oM z*Ufx)keFEtXpeME4l+T9+uh=B`siO}{D+oMoL3j)E4@tZ4WN8M69{R9AGV!GaKY_s z+|uYP+e?}h3*l5f=IbUW6Of0X1oLy`GpvEd6pRO5NmH0fp17sKzj?CAl*Z1@Ob&m3 zBIEbWfgq2>k+1KBB<>R!;`-E^#UB6rX~rN>D&5T#M!_d+{92Q4)ch9f4>Ez(lMM`-0|D!Hj1k;!^1;`?TWY;SiJsT7II4u+W{#f>YPDLCH8NM? 
z8*ChSLMxUkT+v3o6GPuPiPPfBay5XLx8}9nZgi-}qda|l!2uyn(oO(p7#m6mYS=Ci z%dl$dRL$}sXqQ&T<~6pn8YtdI$~C%cY9*%TN6$heSB%Pq-YLpnvqsT_xCm4taR_5VY+2H2R@&2uaLcY%l7)aA=t;+eS1zOi$na(W3XV1y+qr{cebbY%e@+{ zKQ{I%@id&in$yVFY*S=^l4?s^zJ?l@^9?i%z+)Ei6pX{adu@_+HkRwiZ2KCn*$&62 zG8e!UB%85_(+ed~?0^z-fW3BN1?#f3^RT#93Ff60#PTr4nwp}$Qd}2P-*y4EdM^(P zJ95nKg_QHviO6819m~ETXc$M{-X?^antR@=EP+?496GuTncGWdg=aNS#om>BIP}Tf zfV5CXGpQO95#_|q8e0Q@KXJr{4Ay=Ze2`YQ8gYeV2e0d%1V1nk_+*@^rLe>z`l_O&?nfD>LeX>5)Y zVPCwG;a=6n2FCvc&daIdn&N_Fq)93S78oIfh&Edtx6D{L9LJ>p5LD zpXxaNKSPe1cLyq+l)CM0G50dLLS0if`2~98XK=Gy%36{CkRpE7^KzMs&f|#kif6%Q z-0_ROi;k;SEVWk2y8m^w185LsNVow!R^tk)HU>6SMBNAE>}E`c-z=;pYi3YIuV7%e zH<{mCf5}*|6k%4-Ij0Hn4w^)|Yo6|X{F=iG{*wfL{N*+$+(NetmWGB}$Eib1(pcfW zwf;_o$Pn(u~UBOIu@Z;ROvI%085K*FKt)${n2=U+AtxGF5BJOGP+Bgv~`3cgoKRj zbC;^E?2|=#c802tDc<%(Wt7XUJh0An8{6{|HElCxsMvUAy8RQ({j^ugK1ue~4Ar|@ z#T7!8dRJj(MK`&2admklit9GWiFFt3fXYpu&?5xE>D-$1)(CozQ@(OkcgL_O9nXMK zfs#;*$VXj@Zj8Innol}=X}};x2iWbY4TN`Ag%gyKXY*iDyECOFOYfLOiDKcAmR|BY zpGDC{XOSqq2cq;+R19&_C-`BvUXWC^S}fyIn7MVcd;({qg(hyZz!wchoI1qNd;FTC zK6yfOC>q;>R->;qE1Qpr#JPSpNab4_j&-YYFWo?WD4|`~0SQaqoJildhbkZBbz}0E zO#luG@)GGb6|U|2LZIEUqQOFZ$t{e{D-8-|lzZSnrdh(b@IDwtn?KKro}8%SoCzImZ1N4Hq8A@8u~D2g zk7fk+FQJvN(Dod(CNmSYPyvFCT;dfOG}_;1rAM#+<)WJcBqd=A8`A=-2$=!kQdV6~ zvo&A8Fb;!!g13hi(UIwu*#KI5a!xm~J6-Olc3{tiE%Y6_4hjUVb2Cl8-$AmXPf zKb~CAcrJS)o@2<)VJ=1_04Kbg%5*p))tfY^!=1Daod!#NI!we$0Nlh>oHVlrs9;Gl z@{Pf``aoCj{qI!i(N?F2S3Nyn_4Ihv(&JV2F9(VjT|K<&^!%#Q)2o&quS$Bp%B+LM zHX@*WQPm?X_ho_##2#qjzc@2gyJ>cv5N_TOIVjA+vdE>sSi*`>1kNILj}XM4<53u@ z&tIQ#*UG6L=f^qRSHSpJ+x8`4_${*mVcD4_s}Ykr6EvJ^yGE0#fv| zObdggK8Z|;^sW2=V$u-kW-JM2&=e2~`06i3@;DDe7pHc=0!<_;5@U8%AggzLZI>m2 zI~tE4v*WedwBq2=1A}h{Gb+^cW+X47Fa_G1L>vSQ1K&3hO=WtS`2dn9L0~MU{)af` zopiwZQ;1pX)a0L|wg0!{Exz!=2a5F+2qz~<08NrNfnnjotUOzU@`RxVZSHjNv1hfwsG&Uak{Qr|;(4VZgVUXY{jQmf3xJk-y&6d-SyTkeP((K}&`?ZRK9 z!VKOu357|!qqRjg+z3pE)( z$r%WJicB<&H0Nk-M95)irnMp$+&VCvJ~-PR(!D~7pJh?C_u7}K1&?@ff)`7}ZfKSV zn;|@n#abM~i0ZPWC8g8y9iyzD`QnkaLW~#MFP3Q|Adk9W82zjKNQG}sduMxo 
zcTym&NYJwd&2gSZs1MTsbM+lgU$!V^R}jf}F9_`l?BxkPX~?ZO+Uc|HlS{O(y9k#* zwJc_MZ3IEsR0#jBr$yN)0&+TVtX=bxz8tQrR?O+)cItW_7~=m$k_5zd(hLlcfmF|| zuTA^YfeoJJeKQWhO=?~x5go98$H3UbPM)7lbI zXJHfsDwpL;A1XDt&>y}3pSJM)hbv?UsGv$`6+#uhQujM zO0jL(dqMrxiZk$cWzV7d@-@{@fY64BSIQu(rPrjoafxdc_rwmi5S(45=?<6lf%Jh% zlJ|t30eQslfiXIahQSq%42qp;vo&f#N@0NN*Vh`(-|dybw8Q17sqnV$uD5mi2c2>y zy9vSqz|^`V#6#6b93}=Na|!4(wP_V@mly00t`;NY{m&mEzJ4p|5g;{YIu#qyn265f zT|pm6k%O3rOSGP973l0~x> zbo@U$fEX*qK9EJ~pHKm1KE|Uj$@9!_Yk9YNHHkefZ~pvPe)}vM^7HC1&ex3b0%ad% zS2k%=u`efnWIpK*`^|~N3pW$uJ(W0kR)`0t{>#HGf0I4+3t`Rfp8!KZyua`_6cup!`x>J_A5PXheFubczk zW9{{qn=&Ge43nVc%I1Lym2eJsHef$H^StW!iiMg;ISKiL(70z`D?OM`yW~F6wh&e1 zQGa`IeiR-nvNI&3S6I8_}LUT(xr)WA>#unXaav;$%5fw^Vp zG`3+>K9}uj@W?Yg0oT&#Sp>YChhZbP2`ES{i@*H}p8&IxXzXeVKO!ARLO+rhAnq4a z$v?YrnyBERzHsJ$onuOz4$2oz<)0J0A%tmHK||l6QvDEA<#)h`BPbS($U;R+IcsTl z>8O@Dn#%Q&Y{aA12mhZ6rUM13g1}$GlbSNXX0!i{wTJ;?Eo@TlMG}&hLF0tDIUJI_ zanU@C`79`&mPY+|usv$At5Bb=v2{3to=JPqtoSOd$1ij)3{)y%QO(@dQ;4FnFYLBr;^ zuaoRpVnxy)c9nJd2g-o^I(@*qv*;cNWJ7P@7BT~QBei?)HfIi{BpX9BG@=@nE%M6nhAK>Y?ecPbpwy++UN$6Ws?Ajb{aYyo**RZipDS^Xnuj1DloIL*Hz|whf)Rjyh1U4mhk)>V(hITQF?O< z+f%)v+G(wBGnk@)d#9)lNlfNtpw*N5%Unx|#bA!t4QEF4{QxXJXPg$j%s@4 zOHVIQ*Mk@oaA-|HUy=x(kn7j>+@LuLb9q-~0bi^bT^E{bU;~6$)&;>D(J%!L-43j) zMCi5iKnW)E3O&#Pilgu8&1qObBVxg-xOhmsWL6NgkbmU>_i9W5#6twqZwx zFbhfQcgM_GgG~Lw@ueCDUd8QCMhjwze#(4i+5MfB$$f=UEZPoceqmkLwpIQstEh`( zQr_Y~FiH(pXsU=!`c~stX$o-)2`V{f9kP3VZOp+Y%H`mBHS^sJIFcuHn74OedilZB-W zU(Eb_+^c&J`dHk6xlfElvE!ZpfHj?s14KRTfow~HnVm)vnAuemeE-XJ1-56cT*Hp#cCIA0X}Gh=8SNGg37cBwIr`@B)mWcE0k zK_Jz|P{1P4aqBr>@4l&oIJAS(PDHF+!H`ZmZ7n5 z2{q)+Z11N{c)n~H8Efl=4yl0&(%}_)w70-fVcf1xL&})qg}`$X-OQ;&o|ZH$y#Qht z_sOj8k&12W8Z&+F$n{R$H7oTnnqhE_dJziNUp>$aj4_Q#xU*mzR&%0|QSt;oJwV zl@JVdsR*2uO;sAvft<157MM#eE1qv^%>w{E(wRFrOt*13EGrpUbE4bp@}z@(vF1lU zyIKa3gO(;8C0UZ-zsAfV*59uiY{2N;`JkAQfG0K~b9c(WPQKAuZ#KfPV|Fk;7VXQV zN4MoY3hXxezzs(%6%mvHx$&RLhM-k==+|$O1K9)>yV*o(r0i_Ux;)=>S^WHU4_+X% z2cVcs?F2p!8OwZXUTBb-8mYIwsZrL@x(p;j{Rk=m^XM-?7JE=F# 
zN;~t~d;;H=5oIG3>UG`uw+L$=py@X1bz5$Go8NmH6&>l0XgVy-B%swURbK*waVYkg!N5m=phWUGUlWhOQ~ zNLalLB=zQNgqH9Yd+Iqt_3mFaD@K$>eBj6*`D3_FWtEM5TY=p}wT-p_!x`dq;E-Qm zQ!uaSz?z-egiaAZ!R4W|2JebD`#21Z1unG4%5^))blhbP{@jQMPSB)7&uY)1^s*@N zjm__2VnyguDngC`VgPBsGaV2xt7o6kr2@o}E*a%l+a|G@$J4=KkBG4st4!~uO{cT| z@4GDBuLB?6@!A#n!gdm?U=MU|y>uFcpo1jN6;=pkQA){lWQvOoNrMKL8kqwy|FJCH zG{%LCXE8BzY_Of!CjIfE7EzV2s0}KttR{oX(hmY9JOo_n#kyg;g!K8CME9~nCkP?Mu-^N&b=}1TLVq2{f;4o zS`jsJ6*ZtBR|CrT3Yt|D491zO4nTC9x?`;=C;WIE}gN(+EiTizC1}kc|KTA3U7*L&uWc8w& zC7wON3bx0*W#!CNPB$N1NAfh%ievKTS*B@{7mU`FLS?rN_$onx-YLHXSThCX&di*K zq&)JjDq0Tvl4QvY$qtRXpP0hyT(a_&%K7Ky8h1YEkB$Ek0w5Y2ubHqj!Ux&d?v=WT z&VTEMuM9x=%o(WwruRgHo+0oo$Q+OW`WUO<`R?zIitI-dw?%8p zR59uUCUs5A6%qE^2n+fIP!zI*#mSlyMXQIefvF||`Bxm>ggx*pS{nB^F<`Zs^7QJ9 z0$H}sD02l`RST7!>gxhApeBEIwN~l=hT^%RO@0jw8P@L18wHR z&3P+Eu_>3a@Z?(XdK?w4v-x(x#QFABp7&c_o<++=sv<;Wuj{(YCue?Gz-J-syOtE&g|C6qb>APcGp<~5-ww|9>`E-9 zMWs2}WueAUVl*8-oW~1)7{Pa>O~)Zw=9f3g449|r+#SHY1O zX4MV1st2lnF(CFY*z`|&)9}XogkBEHr=avyx;~#o$H!>xRhgHL#NZ+ar-DEu0{%)N z^WP3I@rX>=RbOE(_GjS3DME$levx%H zu3k%8UErEfaKnH(LA1ra*F45@eK}i9e3(cO@>_H4Tmn8iEz!T7owB=V2oZPf22+Re z4Yk=od4I{Qz)JJ*HB8S@2TKKejjG`8%_OGmN{vx+ofw6WM<>!XGmc> z;3g%1kD580%)_rW=<3x@GOI)4vFkgFJE?2lluUGR=|4=6F4wt`JWfDh-$)~&xw!oy zjdTckv64fMrCH(Pv)Eut)X2M?z9JWeRV7X8ZfQhD(v%W6P2C6!M1_0YB{tPZEOBJC zj56(Rv`YL)AXWctDT=7L;Um)^M!hi#UNlIzvY@cV5PtsEl?eq!r1D3c(|*PNyd#~N zGj9eGbX|&2hez?fd1`j?$}>E8@mnN3lX#b)Z~y!@wi0Pzm|9z+f_7w{lRm6us)PHV z!HR;^Kb96&0!Fl@k8ms)H!nfOSDsYaGQ9mk5w#$YEHXUDwB0WgQKGElXfOp^JJUd>}C+-){yzUE6r6A@8Zj)*~YR zwo0;x4e!IGqOGUD}6TvpocuQhKT2kRC=)RO^M0xfd;7pc%01-!^U)5M`zQSrVwLgdU8&2n?p4xR zz;)&aI8&qTjQ@rR9fNVWlvVtfiE>pzLsPHq#u zf#umKQN8GW{&VUg7DJ>_DwV8{k&Fz`C&6%>|HPNQYac^0Iv3P>EI2=lM`9qKxQB?F z-xa^})%dp7~t2LT4H6zrLvb^*~@J!5>2t-!wJNchN^vcvwl$Z=E19)29+^@MQ) za`(!!^HW1hjf;Klw;GMv=naqO5O+FyI|eV)S#&%dY(giXX3c}G8`mD-&P7*FjeatM zI${p>vHIB^8HK^_%yXTqe(FWzIE3CA!15ecG^EL^hkixj%&FqSBsQ@V={>yI2S6jJ 
zyh}fXo5>u${&=j%?qw@bRF!PZTgYL@Jr#=qzy~SHk(Q#A4sS#USYKR##}Cl2SQySr`~4b6rRSRwl*o2(%Kk|9`S1D*=1%enbf+mK=oaBQD63N*D5gcdUxSy9G}H~g-qo}oX#oDxl@jHm6qG_W=LT#}s6eK5xc*mLOgqJ?m&TM?@O;o_nsIUo zS&T5pJ_C8&Rm)Wc3Vsxs3Yz)mQ?8}wCY>TdRO4lFH0e7|CZzjoeirvECMiUUgyn{I zTGU)7ck4$s;ZUYzxf>e@{^=%c3OWcr73b*}18g5lL1sbLvm)kZnsp7rsD%{9gSC0B zi<}LtAs$&tDi7{-1PVVVRUl_!u)HKBpYEv&b0*@JiAK`f@g8+)(l+=%gWe zQRoMoqt=RJ-dD8Wt-D3KgWO?Qu{g;phK9T;3*=8hZ&5@r1H=U?p)x(lBJdGZOf#cd z6=x7W%6il3#rs$rgORH7%7w?62CNa&cL5l5eMMr@?Y5?UJ|wRaAGBkam13vOdqhQD zZH`i_?g@3Ha0&KvapEQ+LG7yN(dE#<#vUU>#dn=RmsV7OX0ZeNn4oahy&0@-Qm%U| z-nt+3gWuHNke#^$z?PMlKp+^V4pSuD>R4GY1S6ycVdo^!w=Q$y#WmoC2R4zkW}Ryz z(E!9Q9>-$yh|YtI{nX-I^^l6wa;;j>5a~|(jY}Uh$Mz^Y_rGBpwHdkhD$!xJD-J<2 zWX8(GZar6yNmV2wi*AN6Dx2wuB#Mcu=7GgGy6tUeJ{;)~P!ZPVB*NOXq--8aeliMz z79BS5l16IZEN<;JPM)s!3O{04LT6~C)E&s-XeeEmQS zUP&TCw6sw#jisgJS(i}%DEVN*iDre*N^ig57`E_s+XPQBu;%x=wp!stT@kIZt20{r zHtJk=4Wb#BWL%3;(a-!ai0v7_)eTZQdyp#V9~2)-$f!r9izxIIFw6kGbgvk{=C7Yx z+n=e%gU)}Dv}e~|!-q@u*ak%B4u60%I*#(sW4Gt0r6H#Xr07{Y5fX>+(n-FcLK5d=j$P;3gO;P{dJXN?9I1S{j427?Qk)POr5^YL`&O zU?o;;SXMP-!5JqDQkW65%_c2H`b|9ZOph*tceSQlQFa9W>c9Rm_dI)Tpcv3`(Cm3Z z>%R~YFy2s_846PGjZ{C^bn1@)wcmIw4u*EIQwL<*kU`}LICw~^hTMmJ{6*y*AKhvA z61J#Uw|jIA*D|6dT2$07DVtPn!DT2WQOD3ajaK&OB;Dq+4grLonI?}(dp<-RgmeYM z86$h+R%WMgAkx%YmcRLh?vIsJ@e|%~EKI$0?yW3k*!z!!*hA6_E101n){TMHO8ZW< z-SLuvS24w-^a)yTY(gUFz?j+8p@6qW8lu7EtcuhY>)ujc4I?? 
zoE5`^P+CqXLlsm{J!Rh{%+`3oRq}{s{`eDaWD2X<1I1Ue@=bff!9d^!>yU#qZtTH{ zO;Z91@`=DgDF)!Q!Ie;VdxR$RZPVQQ>mS6EW5dl6lGZAAg31nHyTT<5eWjm!S8rFc z?(A^z*uB5p1joazjm_YHlwZN|9fPMefbtMIoNGEb=JaIMFVY7Wc|6Seas?duZ@%j9 zN+K1lj%2-;mRdYD9?`JwG_eKMd@#?Ug7>X#95KXn1pfos*=Z(KU`gm zZwVUMOs9-201;>28qnmB&f^4g$thQ&fwax%Sx#+fp7!d|yX61hzGvMs2s+tTk|XXL z&f$r4U!5--@!Y#~&tWvueED>RBADo`G1VX0e5npOQ#8iyM66JwyJX6u#%eto`?Z>j zxgH2%SJd^a3=ehO%kV`aH*Wbc>`2GB!BAxge{IA=?p$LY_gz?X@TeU-3nBI*J7Dal zfr=`H6P%e?zc+*))(jv8VSs1fvytxtgA!tQS{OngcdT9g0xDN;#DDq@5;HUl-V{g+ zmtyjYa7Tt=wHph6HG*j8lV+&7JReY|Sg0*)DAsCklNIk9P&Qt(gNS*01p$gSKqfP} zKl$O=z{vUJcg4LNI6wB0%$bx9nXB)H1sc@Oto4Mmx|36@LUd_cY|F*{$?Lc9rq>K+ zDy@ABX=L|u0-6J)%<^q*4jmMqnxqiu2*yT#vh~sgiVK=YA!o?}Z^Z-XmqB6&l*=Zw zI#=%th%E%nL3tk+Wfrebr4n|y$Lk)nTG2$+T5B#1={soypiw$LfjYA@TfRaJT%x4_ zW5T1*D2^0DLy)_ByAI&z|8s^PN0jZi;NA%vV!PnItMp+TkSv8_L4OV@uoo<;i6f{Y zlXabBCfOnOlQB(Q-c5M~x+8Qxzf2jA&NpbE+K3vCH54Rd_tj;CHjxz$8cvTK+K#|w z)UWBbvTt^CdkD6eAxmJU(~_8WFT9RMc>9ol@&D=D9zHY(77RpjYNW7xfs5QtE#T4G z-EqI`FV4rD%ySVtqP#tAlVu%!jB;CcNUp@EO60OY6mfDCU!OJ~F#hi#ISmchU|f{>tQcf#pH>hSbj!wy!!F5z-zW<%p$A#zvJrku=%_%Nyp<6U8gZI@vW$t zSh_0%)^sKFg@iCVk6?)|MT+Eq;(Cr3$DOa-Y?wntb`*q#VgyGrh|(|>KJcg}(QiE@ z7=+evglCr`ceOF!YcjThC<#LBRb2xjUHd2X&~gr{1JFmg3<0|TUp)^K49f!jZKNOw z6HF`+LThKsDRwB6^IWMURE^6J(m9Tzba*ZB=f2alJ`8tN&!>VGshIjBe>=cIc$2)x zW0!v{uwGGrF+ByWe*-Z^(UNa=br3jgN%!1sQ{384kpP%6xG4qT3dv=sxRzB@N&TdC zwwN08CP)x!{&z{7H9_(4i36uGz?@|Rzs|Rjvy#sz^GiqQ8-L>0Sn1dXy#Aq)eN_n; z=774HkXMs4*KSP{Eu%@Gs7bjnvx!nKKQ`Sy`>Gs7hOlGe)Ou|vRx{ioB(w_rG@f}V zBe674BD7zxOX!SnU^y$$8mhvV(Ht7gWKs|M!?p1E2T<||DgfKSxvPVw-w*uG#Cc^_ zDER(uV~YR!)Voobr@$ucq|rt0WPS5~zpGF~Jh5U4{aQhNeL31gd0utRWY{DwfKoJ) z;tig<;rmnEd7AMJQg445+$qnM+dt)~S9wf6dO_F-~-znU3Dr1aEtx}31!dBW2fxCIJS z0_!o@Wi~_2W}}kz>LBLP>{zmNoWZKVE*&E3)R~(2gZNRZ4npS$*4J0u?TsYF>}Hy( z_H)Gru#irzUY})>}3UEfKn6n4N-w8PUw^Lr6iyc>I5!M z{GcP*)SFC;NFCTS#U6O5O#Ufmg@H=&Q>ilhy?>XgK{jyRY8(W@bu@M;hy>16=>5PO zFkm{eXS1|u@k{)D8=EQ84+T>~t>8L0*{$F!uPTSFO|>DIZ+n-9R@EEqRWVXk?_(Z) 
zk@Uxl;Un4gO;13fM3uoupw+q}XnG)GPYn-yod;iot?YW;@$(LSuDdkHg7BF_~ zn3os1juHC6qFCNX-!;+#`-Kv$Wgh>Y_5(r?-Ja}_bY*+P>caSo`KX;ilL=;Xh*L}Q zY@dj(Qj6gO{4&!d*QSZ)!Dw8BnN}(zfaqe4S%^J5h$tWxEnYd4w1AIL;sWne&7yTEMMj32A&JqvWPEue zB)weGnJy%t_W)YT5LA!*6=u-E?c5$hpT;zfVAK5@QC||}l;4Y_%WT+52^!B7CtM$A z;QqAyhjYNBtRav*|ilK2+FlL@bx||XLI~rhEL^JdCwrt^ci0p4004hLO z*P)!~S#nfi$fCG$IJ&&9tGAG-eJD_@%_malDXO*`KImWfMa_K3ci!Yj(OikLDi)gA z#VY)pzt6X~dP3YstTu|@OZL2Ls1k625J!9R)zM;wAHG=CBjxNkN033S6duM4lhSc4 z?q}IhQSm!6ix0P2I8$;46OzNiLK&w)LUVr>G7u(As;w)69FF%$Gj$izq-r3RYKE{D zh9@9Na>8bt@i)gqbeW;Fm1yNus>%T6gy=$Hg0sM{IxLJY4?46SBx`;NY4h&*6tD7HA!J)5Xv1?PA%C`EDa$xg;0DypKT%RWnXvt1pi zoyC1pS;<_?1@BrXVM82kCJ`z?|DV@3RqS^Vj|Z5MTQI_f$}sXX&F@=1!0eeYV`+=5 zK;ukb9{PJpZ`W3RAd(|PE>&pWX7O!x#=;~^DrtT}TJJ^Yn2Y-t~r?kO9x8z&XcQps;z1sC}2FFmN zu3FHc*G1fi-WcIrnXW(UXKZ*BUX1D9vV6lfORhphSMQ+kCtB~LmasCMh3O$ zNYST83~c_F9^mLO$;K8Uo=s)^9N5 z-0}|Voll^{jaOwGSRV(^hV?E8>qn;yq|52q8}Acx1QCJNs~(!}K!MS{w%ds^0T0fp zh)+HXFZWF>%bdUQh>Lziqn!<7*-n{S-ZGOrF#H2=WR{Ci+GLs zmN_;#Ey8o&xxTh)BmV#>ML_QhSr9mnTy(LNv}nU+FqIk0e3)hxH!w5oLi%@4$^d$woD5L_z@wuZ;8bMg z8G(qv9g9h97*=8&?Cyk>8o0qAfw=TX375u^5@L@xMM0C;G~Yln!^VknH^hACd9Q8y zgUzP!M}^;r{Qq9E%EDtIB`XITWn5?-C)jbAWf4W33^V#JY*LZ3IE6ZN4F6bA zGOKIuT6b;eyx1ntqtQv3i2Sj1#5J4%u14|{GscpZSmbZ}-i*>Nl>32E1B2=6B$cI1O65{~j zv56P@QGcUPNzEmzW=DxmPqhq+3z`IVH*&tq@1BNU!j zS%o!FH^bRj1tslWHBP^J2_C58EGkg^4vd?rZ3xP^WH9-NT!S#f4yIn&1em}s&h|JK zwNFl{-q(8$e#b0HLLzbt?T6?!lj`&CGqYDZ%*@3Rn%&KL4SiTaod@or(A0<(sm%Z(HvhE5FjEAdt^NF$T)EQZxS-i zibGOrxgxQMLC6)1i_a%SB{^g~_Ii^E-bMH{bC;0;`#D-~7nKe1TzvR38&`zKS#|}v z!@eVilR;bL5Wl_rS3*woZgK|967+7ur3HUBYFn$BU)wh?gGPq8{#;gz+cOT**hBWG z4lTJH=O~MRA`~J`!n7OuwzkDYwV1bq4ddextEiPetM;%wKM!0i9F(566b`7mnARybRI;|G`q{{IWL^m-1x_}fKYj*qK^TB(k=h)$%JzZeEVd#RmDtST|hc2FiomBt$WQ7XlbO1Gb0|W&JaETzq(ELx?gZO9;Ek9mzIf`=cvZLEeikCcFSK zp4A1tW5d9s;6zWIBp?r-v8!d~H=E-3n?7_m4@^vf@FFJ24IxeAM3QIBIRdA)XtO-l zQTmsuN+dea*+EVH6_yo(0q}^xVpW0@7Uj0duMb~_^yeWkmVusvSo;WoAA0MeZ8ceD zNk;co3(ePI^GF$#lmyA4m-Rfu4eo+o{mTtMG1~6E41De$m%C!JEx6O(bA&dN 
zaSXZENtQRBUEaoTucz`hitg#sfk04J{Kp?KYG>v*6#vB*Wv~&0LFDXq91~oXbW8$# zNp=|kf_}Fq!p3n*N`Wu(ljUU;IncL^ajF284!MKT^0qyYv%qYjwx9fQRp+o43a3xH zvQz=_U1d+zV$oKz8&LtrwQbKgiq3P_?F7dh?GBx7N8;B#iyRtUH(aT6z3xAWww9Yx zy^GvAWDv(ydN6&^L)M@>slE|QPQa1lxvGtG9`VAf`A^4E8YYUWNdjPR0DV)l`H}A( zwcbFK(LPyKur2H!TG*;r3{01cZlH@m?TyE>xoPVB>c`0#YfGLfUUu^YL)qjUoRx>jCH zq<%b>qwj*2ZDq4M1q0WX!NYe6*Gzi3g%?}+-2{|rfuou|yjU*y3@~^z!#$eORv)`T`TIzq&!Gvro`;-$mrxq_{|L|v#2xVChxK~yKH+P z5i!fCpo9hP7lU;x37@;zJc-BIvMZw3L=I?7r3>%4&|dJzTTk-69S~Xi>btTx_fP6X zFZPHH#!R2TbAQ%#i=I7(WGuZ+bI^?1!&*!-U2(je54R#T(0Z`Rf@q)+m(y)Ba=K zCF;!gDo-B+k>|ZUFSxzDczuA@(ppLrf!0ZDhMSA>GSBQt+yEXpak2+Xr(HTV#~V{0}q z5TAorj=sZJu9?%%JRTyuZEVS(_tKXl?-DSnJ2!g|_J|FT%N6>2f8#t=e{qA1ww;st z|9N~RFfzisIcyw&F?`s_5^aDON zbpnhv@t~VF7o1c8e$quFMjlLrG4BtLr}2)*6ZiJHZ3)F*kbA9`QX3?sRB09&Mlg1h zHAu>I16m{6erMn;@;LG)Qz}Q-^)F{tvCPw3U6tA^>lKAke*?)`C8XO|V-m&Ui^;@%&Zdr8w6o8Fl6)!1E?LQP#7Phvbk zZH9T9g4W+{I$zR0y2t3}8NEW+oplsdyNC(HP| z2HNL!^lyIxdNCe{V5h5}g%)LR1tQs(Sc_$bk6DKX+rYY$d4m_g!_&DvML69q1U_(@ zL^xdBtE|y|lHJmlVN8vmZP*m5;Fl1BZ$V0Pm%SvZc}fe>KyuL}XpTccb9}@jzzi8m zIeD60-pbQ{32fj#j}#!distOifApr3e-!L#>NWs% zeI(=kKf|*H-9~MEg6}YMlihPm#Jg}W`%H@q*=;6yW!f$E35sqj1D*eNy0-n;9lgOY z5mqe^ASNk}-u#Os+UopF=8sWVh=UO!Leaoir%Z!O3}VSiW?LA|#7}*65MYvME#YqS z`TKajo$(60aDe3s9FWT_aG4nk`R#gvZ0{DCy*MRY#FWtf@%RDd26;>d13o#E)CErM zCa!kVt@7>*fa7;4K>S@8i&L#78k)P>$eNZ>x1v$>jA#*x51N9S0PTfY?JoX&#yans z6bHKavVwQ7YXAjH)+YoC3f~v<0EIewT{F9T^ZF zmEDPTU%s9aWzGE(hvCK@@F{tK=3_3Kf#GpkwsSDEapX=R=NAeMb1aXbMk5Q(nNTap z5dEU35k_ghxU?-0>zaf!e#1IB95ymjzL{ieOyF0X`=S{nxB?D+M}1Q6)5U(orryu4 zgWpMJ>2OHKz#)1QV{`e$b@!0b*YU62IRRF5HT?(Qlu(;-Yl*;#T8Y&?I<`yk4) zz9x@_(v~e$xM%L3sPdkN|Lq|dB-dr(Jy1JA8J^}>lv$YvW-lN~OVsxdf38Zzk#;=y zq0ap~@G7l%o>nCMg2C98SCfJ4d;;DFfnkAQ0lpqf)3RB;1pqeHesSFG@bbd;DM%fe zMGjX&ZKn)ZIh6_gY7VjKM{EW+bO>3!wh&G#o{U@(lxt(O+NUhSawsqIqysSsa+`mZM??MKFr_!jt^rrl zC_9?qZ+b%Wu|_Xx6y7p;mWZ-?zKP0*j+U@O8;M@{3^*ub$j0+k)C3R%zg)GI z3sO9ISxL*hwCRl~6HfpcLl}z!)?94?4=I|dsYP4~rQuMdsMb^gZ9ZIn1pt20GUC<9 
z%%+cTY1!#SLW&TGdc5SzTS5;tL*ifu#nEr=t5bWf#=MS#W5(@gJx|ao2wxvo zr5E4T@d}aryu~k7+MNOCW?R7F%j0SJxF*l%u)wTS0|#5kY}*%hZv5Oog$epynbsu9 zEWvX6>p>Ah%4oA!G1=OLx5uz)LQON36?P=>>14WYRsJUC3@TQXB4_cUh;XrP9}i=d ztL7%#bj@6NbI--v$w^or!3UFM5Tv%bYB_?UjYG{xRn!lV0j1^UAVp#DulZP!64x?& zG*_ESHoK2fhnfAUIHAmybt@Ac%m|5a<_2*Oo#@goLC4$)T=j{e%pJb{X}z736%Y@+ zSwP`(|BSnEsp|3-c0t%ThhJuEWntn^uKNR%AG=G!IDd+f?wDGY+=uQJ6ve-Cq%h8q zSZm#M4h{6c^x3xWqwIl%ep8MDd9kdlDV~XVV)eE=P!-g~w&-v^1Cpz*1Q+n#KJ7C7 zT^h^S^Y8@fc%zs1oI@`e9uGOb1Z9|`7=QHcQixu2LT!b@Y3)34fncRo6goLDOR?_G zI}7skpFtNO(V9=nrj=0LmcL;(Ygzkdh%kd^88!rRAvU9Y*QF{ogj;HYp}kbKIq{DS zCT@-u`dC>{(lEz+ijGO@;WaWDA{LNm`;oWoqfI;XZq>ZS!mOir4zgq$BkA_FR$Gr01xO@2~*j`bB@P2w8It=k+XPR*mkMRoec)6 zmKvoJ>t4{8lQBSlMVniOi{wFsFbnDcb6ho{af@hT-8$FFDY_ zd79^@Ut!7{r8zFbc=Qxj)tm>_YllXH0EXJ*d~O+36L4!hYijexr}{ zy1J5tl9#cc`%r@J%LfxT(%>sr731N0cwIkDO+!=pfudpYVzbi^o=#mMS;kz+*|oS~ zip)Y8tevp$WW?0RU0r@6h&E zOdZZYso23oB5WNu25NK>j1+R95H_$lgD%1xV zLW(W*t~m0$n3|bEFF#?*H;e|4s>vOZ*P*>k#_v$Ku%*c?$KO} zr~N^icy=Ki8u9JFc!G*Jnu8HxZ=8J3&pIDF>mHk*mh&Mb!t)4u%q5fHH8y50tC@d% zE%ECT6V<~}P9ZP?3f{3<6^tF-BYRO_Za7bOrVmpADOHj*EEl(jj|3e~d798SEZB7* zF$GP5c29F5L!j9{^#U>;%l9HPXr(dgrO)vzg+O30tQlh^@^ei2BWjZ+b!evk^ zlS1aY)KEe$V_h#RxOp)OJ1=qy=14oO*!M4yyH`e&6i6YUZGb3*0BRmq_R4^Zrp0h( zrwm8Z6U6VB5HIO$jqUpOx4<7>3 zSZeKe?Ol0{N_sQmW3A)S#*!#XJ2y-x8L|tX@1j?5(M6GH14ZxGN0`hw^8kD~qjFQF zu;rWuIh}}*fkX#$xlCq5$k-FX4T{mruW0+IODSvozA(q`NsyTk>?aK5Z zGu#RG^nO->cB9ry8pmefq>|^K^t<)2Z+!SFHkgP#S`Dx_F6%}Kte^$@aT#u=z<)6a zt9)%RwG#QlofwV2#w>}4s1L!oDV(coUZ$>c5J-J}A=3c$fPD4K9y-~2Ll0dEiH^&> z@mVJuPaoyR6mDq)AYV}GSqRbs&U2keewZ1DiSi3hBwLU(ocv800G3P7t%j>UUMu;E z6IaO9DWeI=vu3`u0G{50ghABt6k!HHVLdhBCp@bl9k5b0h2|@R04TDSa>}+>p&4W? 
zh{cc7Vmm@4r5~>tbDavmo@`nxI@v0yc&ti07F16*Iw|FG(3YH(9(DH>%5{mzu!#1x5^BiOE-O>aOruP2+d>w=n;X$kGi;%YrWh4;EX-Du&Lvmtc0q{PZv?3&o|fK7p&62fm1oiv*hvPp^^_h|Y1$1{ z>{~cFtuoob$s`B9tjQOJW+r!7Q820J1aLBEqQ_~vVXh((Ejcm=oB(i9MHVFyllsGcm84nF83FO`B{l z=cZRDXPIZG3{SboZvxH(hXL1?VfUYGu}9K)4m|xTC}U+Xwg9@&MdCfCDT&N>)Jy-^X78$+`h|^ zJ5J|y@=&*(QdAsYY5+1o&A;a!b=#R!v*?c%-gD{6yP1K5`4IOCgMED=)mNTS8fmq} z+n_nvogO!O56K?$6|u2M1*GV8LKP_xP?UO1CJbhy%q}Uxa|gS|v*ii|_CaFj)HC_+ z<~k+Yq}KZU00|8d6&VQ_a6}--08yp(%L*fGlv0pu(GOF*WEB@lAN@)NLEF_^2LDPu z7@qHRSq^w~!0Mgo;u31<781$=^gt%HVVly7)%j0pI40USJx{~9i&{E*Yznpt%w{}O6P~6G_r3zbUQ$Fl;jA2 zy~F*kV5()Pkked>*^`%tw&K+la+RP=@v2bq@T7Qpi(M}vRlRs1$ZW>VyXMITRi@zC zcaPbqWbq%?O{l!tWe~%FCtDn@r;dk)}={=$5r;nFVe* zm84SxdVYh{EW%erYjVEWwa_NR)A5npC-?*P%W2sqc{lh$5=kC%h}mO?9n)4iRMDYH ziUXAApXnI2O%tGftv?oxgN2R5;o`|-UYC9 zmrTxq0|)fn{E44WDHpJO6t|kG4hCu5ydt7`OlB$NPm@@B4Q`H@o|_1YLA@(aj;7>N zybi_mHWg)c#v=IWIRJHR!{FD&;sp#KIXN($yh}+g4>O}((jVt&Xn~_T#z|i8&9#e& zgT$S)irB~cgL-$2hwfY2hqByZ5kt%Fz)sGR>6;8P&UD!?KD{HJv&X6ndG!9cw&3(} ztD$*LUe(+^obpO?F%ZJ{#Dg`L#l!Sq=LCnGwo%Z}M!WmWAe+s*l?raAm8n+^Y^fWN zo%l$FRN`d!bSs|TFyw{!QG*J@S~830#YtwZ$?Cxo86XN5MP1msxUV#rKv^Ah`IQ9! 
zE9S&LD8meJfF@+f85&fBi?()FtmwolHv!H!GGEyDd~qtNlX#WAFdR$=%wU2hz0OUgWYizyMZ#F3xE!S zhnYZu8|)y+>-P;iiX6n~u_8niH2aoqi1;e=gbH*gs~hAK!$*I=j|+u`M5RubD+jPK z#Wk=ge?SXE$Xvesd`>YM=Rpj$1X#N(d*zz2uWBa{c+wo?vGAraX(d8skHe$plkT%5 z9<^%+MzT6i4*^RkVhwy`zcg}vsDr#+CWDuG^{^z?<;PN3We*8UJIE-6-yl;Hj_T%2 zX>{*rHW{ll6G<*W5)2hyGHYLnHq_Y&&bWc8bc<#&kB8UXq}}kjF?;=B!J4joTc42< z(q$)g;u0-{r;@Z#`BM`OnU0>HW=!ChouM*dgyT%{;>4UbCe2g?8pQP?`zdWnCsQL$ z&?1!Au(>AtPQT=?bi{*oxopw5PciXl9HKF@JWWICO*2^{O_$?n>#==`nbE?U45oC6 z(Tty07%rH`Q4aou$QcS-+{GtMvE$Ikn~FpBfClC}U!;1X}aatBAoV z7gu_Zj5XwwZzDBogn0;Qag`S9R~7)7uRZ%E*Bqgdsl<1 zyh*KARCFgB&IW1^dlStzG^^!onHEuJ1&E^Zr5ata3p@mMq%~#pw{K6n zO3U3{@T(lGCX-wu4$b-dV{#aq=B$meeS#!m6VsPWtE1B=m!+hF76iXg@U8I%uY> zNaUn_b3(AmY+I(rm&>o;e4KEVr<_uIgG9VF;EWj=@M^}R>}n&N1dEPRd}6=1Mz_vm z<;>S|wP_{dwArid&Ai477!`@4F$VDI-A)K6pQV~u)Xlpo(RBOMW+jtpW#%|O3 zwP`H9@aAn!vxieX3+^EG8tn$6($4+%o%hNl@jvN;_GCv+*rC;>y;3+Z>yoqJBhVzQ=(FB+ZXgmA4r44nN=`Uays_4!zvy@z!I#D&oM> zHYc288aKsHyh3Mj_n%V?t1|9wD^{98hho3GV&fO7%1=x7-pT#MN>`g0)LULQSH%tq z=;m**C)yEgZxb7k-gw+0y-YYWMoIi;LyXQTMx`@gP+-bO80S<}<3e3lqlkG&IW5O(tu&kBJ|bvu8w*F#4-IZB?sYelcS}9q zls*7dY5@b^@2)fG>k~%o5!~*_{NfH@*^Dr5KC$bpqE|9iDI>=P9KQ(4$LN|C@rs&fn z#lXp^PLq(CTA3SHhT%9d9^WCu1l@k3@1(^4GJfulmiM90*guIxB^w26= zO{+TiM#r-NvGVC^V~LQ0p-C`L#6oVGn7$rNcT=!3{ZbTuK#*cn%pBIIi5s?L2Enh$ z>VC?9e}Hx=nIUr*S? 
zr$9xK%qseiz>05G#SWp#Nx=dFD?n89!%gC}o{gm9h(} zLwM4X2ZW4x#4NlJv3PUE<~EwQc7fl-cL7I9wm^0JlP4}SWJid_47-~DMH!_;iO?3M zNqq=()`pz3lu+aGUl-x%2tAz`L!9RfWh1~ZPaL=?GQ%$?N{Xb4RzuX{NOdq;?J-7y zx)P3*G7>)9eiCjRjLJQSFjv+iEq1CqKjSLVfJ|#+Y z;lZSprV{89$=3Nv9o`1G@x{@B&%n?&1$vCF!IWZZha^+Y$>VU5np~ENYbuFr$`D;t z-szI{I(>n>9X{wf(8)-GHq>B9J%^Z*o}?E{oYTOuu{RPQ?mQIdzz?ir1+#)vX=tr zZB{C2ep-lvG6-;m?*)h6v#6Y~mcyV(Pq^}{Gt2ALLA*wX62UycahV|HAF#FnP!eh|;o@^Uz0_C_8i!MD}O<35L zN~ua0j%b!p_omS@YUQDZN8QH_3c!gC$N>*4QZ<(e6c%(Imp^p4^&qn5NS%yFG=uk< zGZYSBu1tIrbW|3UbEN@mXeops2m6Se5JD_(f}`YtL`Fi0;$LqGHl5&x%Iv&|g5<9J$k$Bprrf1T`t%sFY3cs9af*v2ye99})%0NESx zaC|f3qbLaOW~@hBQpb)*pvR&p{&=;+!MiX6v7!|7_l=?<;whL4&u07q1cxUbfF+Ou zAfF%~2$=%;;X}w2{0$o2NBXM0rfBhK*M#2ogzRS3Ac*SX;a#BKL+64Y+< zEf4&73{x=peVIy{$OXY6iq3=08V)R^*0iVqqzsYDsofXKE*(e)x?4fd;S)u!_W<%n zcw`X~1nHd1`Bwy4EMiFo^VeL6)W`tICm@@@=VwuR3Pg_06kNhx8=SB6#%qRgW+zIePOIe`MyJdboc6vfv0sL4SJFN$YQ zi_-;V#!-pIG8#Z1*APj=GuSA{39`l61Vlqu=_sP)N@6Fo`gT7grp#Xh<6W&w|r z_814S?IUn5`wQZ>QPM!Zd$r#dhO%O;8XFB=i(^XB?dk|;@1PP0G2(o$aU9@1;q`?A zRvystU9&2_NDV+`Tuse^d1DbZ``IG0jlXm8_8juUx3dXC zuBQ7|`I(<1e0GXx6g}<=E|GcByqy9c2vZvbAs*?{ErT>TLhffiWKiy^x$V><)NJx$ z`IW$r2HkT2Xyz2ZWiMRl6eD)E_gGMjl2dmJ$h6q$^Ce?vDOe-RI-vs)nS%U zSCYkd=0OD!wERsuO|ebyDoR_SN>eiRn1WR7HP==eOYg^aWSl3mkH^lPFS1d%w)LXg zf{_KlL8J(Ebg=GzH#-OUxH_}cU_K0LFjvdrO_xfY5A4tdPB+zO<0#6Tr##-L_C4 zC?j^WHy2sFBz_Dfao<<&ew){)o4vb%8f>@jBNtk8eEUEa--(oEY`oB2!Ms{+Ue=751&I>ni3oX>OMK@mq=8?cF^R90#E`>!(kkZb zgtH87{vwS~l!^;MdKCWzqs3arszotsFA3}mlMs8-C9WN;<1z&1Q~F4h{)Y(atarDS zy9!qn?O0 z2y+`n06U1VWXF5mZ5S}jspPJ8`O$q4)!j0N?+xlZT@Dieg4_YzEADSu=GQ)JKJU>7 zsScJ2%^BiSMbGl?#&dX);7-eyDi2*t6v6zu$Vtr#TtT@alnYq_*p~;L=mdpxmdeiy za)+;k6<10Z84)U@n4I)lr0sh}c~SPfT#?`%`NF0u+G<}*9S!k`phUCMg^HTRW~)yuu;CdiCb4jMxal3AOV5PN*V)($y96$)o7`kJOj zK;vRqo)biZi27ZnRu$;Pf6zch6=KcgjZK4y)O)7E_Hgk`S)b9_It=q`ivJpWqmXX3fS1Fl%9=%Wv8H zg+VxS*Dl%O)S|Ch=d<%=N-)e9H)(->`-DF#$ty_A4g04VZ7f;9@nKSlBy<{ilwafq>2ysk0FV3z{E zn3v)XM3*F-T%O08mryF~xNO|h!THW*sQ$7QGc^=cD1`O>Nu$LCZIB5x<3gsC8M9l& 
z%-~PVSjjAAZT}=A32qJLCHVyXR!{PBc{3mz9JFa$0Zid(ale@N878aZd96U*gBH0{|fxxcEG=@n~uhk;>XP&+NDM z{qj{@`+hKM6|l3gzxCy5!gC)LGEWqb9t{Uv2{7}IH>L*i61fBf5be2Li!TZrVJQy7 zJj8_w01%avvGSb+hFBS+6i9!=95)EXj1fIK>t zz*QQD^#(S2Md12};d||ubQ;Xl{fuNyzv*QZOqv-vgylsht5|B86iDj>XPs2@A)4$o zc3a?U(u$^2D$MMT(!yuzNK`D0Md-4{Tz`daNme-*Xz9mFwT6lwV+c^to?-~1G(pQHs>Y|iHy zFI}lgLYE@+cuWe>kQa~miV=-cB$|*`oJ`gXP7@YjmAq-x1w(a^4yZ|KFXVR5S~Ok3 zgbz^s0=yI0u3(suH8ASxBJZ9?B(w&K^fyeAd~X<+vaG@KInkP@B56E7Tk)Ps4|dNd zrZ%bZRwZR`mQoL^03~n(dklv9&eR<(=-mRQoWIRf0x&OFy8g8+?!#i`sq31INK($1 zoFpc^A@ngHj5;Nzc5coF69*o!?UUGke@x$nTc{FLaQi8l!ZVP^`kR4-SOUN@M_#wc?W) zc{~+7tZ}5=42V@q{uIhbOroZo&JuytB+vkO8(4XYh4p>T<+z?v*QY#JARRC!mO2$e zUZtAP{D4B=bxb4c2bo$CqLvI^Dgo~A+G1Cdd?18HCX6nA=x$OoL8k%kobdga@xK!& zyAW8>lsMsz5_yu>Z`mfI8_boa2nu$P6jc1(h6_yuJsat%A{$$)TgOB&4uBqN%9o#e z42I7LHZ}e5!L|JK|pv zZ$aj&lovm(0-(W_P-tegay0D})k0-Xf6G%LFgY1(Qmu0!7!f9w=Et)FA7+;Vg7J}xu%(E-jO+!&t(%gP_`jNkCa29 z?lIERcS@z#QoIptd5v!kjaKO6y$KEj8pi?}3y529U!~Zqu^!4Ox#Tw9i|QmJkkj}& z#?bGWfAFq77sBR^o(z*0UxI7_ zwVz6pU^e*!hZ+=XUFttmV%(K1x(zhtKeW`Hp;n%$$|ec1Q_B*ogy?ys2=v8pkyTk~ zMD&_-Bds@C&y36X?R|{&Ro}PbGLLM*se*`pm42t(yTWaO_(S_AJ}g(zPKvHNZKTMa z#ZTEvA^mC85T@xKMsD76Ao-G9E^iYOAf;IM!NUPHZW_r`5PQ?F5EW2kk{&}i@L0Il zp4ek(09Ks17;@+I2dc4TMHte9cq{Ygs|U`Qhlp7c5j~!&0W--) z@EXzsx(ELLMt~>qP8ohcch67{fy;jXZlKB!CtiCE>KS|TZXW8&QmrETtB5p?+GGuY z79yC`*yPTV)HMpq!ekHvA273!mimQm4w^dI$j0l5zektlV!i9D6I2md{ywuR9aYoP z6In52XfLLt7Ka4hdaz4BMQSNMOEGXtAT>|Gu5BG*>5%V=212dQo2|E?4_>rAnN!5@ zsNkY!Zcr&}QWfBd4lhpx7>{s?^f0yCfpepc!>R5^K$QXYT)VR2933wfXx&pT zypZ-opGiB5^V_`(&%UuXK*L~mE;4eYDrgAN;*`bWOf>=45Q~*8M+TbDhN+6Hukh3* z!ghdS)lvOV)N`&BT9C0qE#;4+NMD7&CdE)c454*QI3@lf!bzY6FWi9<9XEVwIqt_Ui4;^xU~OhVNMu3%;>*Th3Ho?!7b%XuO*HDJ)WrT79nRkUAV@aZ)9q8EEs z12J?yzl5$8^yA^+<06KM9j*^Sh3^XThm6F|%_>I#!)azd-qve}q%(pSh4O}-iz`#& z%W9j9LP0JTwE{^(C~F1TUlg=sfffP6+{0l+inxGFUQnXc06jtEE?TxwmPS?wEqoFb zW9srpO3ROnuxW7@T!wmFR73@Kq4o)4l2Y(vy3mn6sBsM}*j(}6LJGRWmiLwp zN8iy;9@#BH5?-<^%MY6&P#?#~0ci9fh|k{`GBcG2go5a7L;s18qtp9i3CZuPewRZB 
zt=C@u0s#k!6olqHh{t%IPT1hJpQA_8)3Zr18h)_o%GB;K->_qY^bnn9ypbKB;50%a zpg}&DTLrKQNplN_J6CzD6#@kiFD*lF1nfUTVni&CY=IiH+lH2O0aJfO)&XrpVh(rg z4~Gs#WLCIf=P?*z`PJJ>h}q z4y2l<9y&<7s}_te7>DFGd6(rQd8Hkz2L~hsA@Eo$uqmHQ|GcLqLd@`VE3z z!CVxFGqZpK0y8RO6ba68cm+ay5F}Y6R=Xrs4{}bjnyiEH%9fCRlJ zF3Ncf2cD@Me%P;!bRHJBM;~#K4!J`0{o<|1nGMH*>nMN1WkKxcrv_k>PhTzzPb#WX z+}_HGgy*o-w}$Pcx#R|=fsD6wQsnP2I>gn|Q0Dy7CGw2bmr&;lr!tuA1e;`oKuT45 z`m_3!iaCdU+i%WKI(n0pi{lvUOhY*zzI=NM@DFL_*90TewxpYcH)#TezKVbn}|47E@^s5Ubo;S(@?!K}-VLTo0*nWn1MC%Qm4^EaPaZ zN!dw6EEh#sUKt=E0u>z-2vy&r&XNoXr?rF?KNzCO#cr7w3igmQO%u34Xf8r>DPE>&1yy9o4L+UT+?l-fnZ6TwdfJH{BD4^R6R^c-?Ff#e6TKzi zLy7Awvor`G?vlkPVt$Atz^9ZaA)-@yYs+t8^K&|)u4Kl=acVq~c+9HrzK6^sXAFKvx28c0dX^43<_}hRwxZT*x?0`MK6YDyZT-Q zInup5cFR36FIaQ}3osI@>_y9Bk~7na*y6BOxw+pl*5s>YA zI6m+am7((VbF&bsqZR0vs?Y7wB}d5EvQ60{Y3&Lm%7%g~^@8c8Qo6k2*ft z2D55GGF{U<`=gLA&xB9+nl1kly~^D$Le@<(a?H{)jD~@Lc^1ZCK*Ttr7xwyxqeiF5 z-4W0oUa{iVB$BY!+VyeCr+pc;4jo4_hEsYW&9x-Sj`%z!4`KR25BH9+l`FHUf|g_7 z{%?XvXtMQvO+7~f8e(XWRrawe|I?KsN!A!q@7h z7x9bXj&+T@mIP^?CA=}10JtCuS5z3`AC&zI!2I*8a6er(?cy&FZM0uc`9(f=vB9!WFz8=Q>z&IlDzm?(A>8je zR7RA5=D8pHZJZ)Qo9M}xF3kT3TLa2qiYdz0qC9+En41P`*oz?lruKM54^#2x6%{kW z1IVEHl{C;a!FU0Nd%TjhvJ9DjRMIuu+=af#3f*C*N2nfDX#Q@*-V)9;O1+`tV*uB8 zaevhu%oTQ6nt{_&?pT3M9$gC2nqj1h&GN7bk726lr67z!vp@^$AO&p8*Bwa8+Q=Vs zL06jA+%+R1-cezR@KI_2;wT*chzG3;F(n?j2oT1okGp)hY#%+whL`*(vX|eQyt4Ot#{tl@)5 zjQO+dk)X<-i%4}>dQkbyhzCSt1qH<2fd>cys625%e-|CkYl&vX4=HBJyPqP(O)dVx zFo`nNj25{Jy5;eTut5Y0NQrjIL#*vs)b88SG0hgI-??u^TrxZlhb4=w3TD-7(b=fM zpu=-9v*fV=gx`{a}<@+7fXN&bYA&oUQ4{?dx$Ql&BgYk9t-_ z1Yl*`ZbOD%Z$RpckbpZ;lj1GaXuUoHgmr|Jj^g^k&D^CET_qR5a^QofA6gtGaRjvl znrmA%&NK)P1dEljw2GXQCl71h{yTof1-ML;j28J8Dmz9P2^LwBgh=N)d6$CuAPX`k z3t-erf{YAP3pj-SFmfVSOi1jB=qh2RWeC~T@A-Xp(yax0h^V54t&`nQIF#5+c#>)C z=y@*@QL9iSCG46pNXNLr{Tu>EYnQ!Jt3dF2k z@zQ|kHMzX8Abpd9ZgT|{BCNSY>WLtexkv#`gG7lEAp)RqK=TARJKOCgNd1|Qn5D!G!Bkfo;D|h9xrh98eiDLi%_=PnKIcx3v{#c3Wf(g%rBUnUNH@v!U*ViSv`0-r?o^@ 
zR6EiVc6d!IKj{3^or5bgFChzdu9iU#4P%SpdQx7K=856OBAXITi4P>u()=Ury!275_V45#Ge~Jdu%_Kv{~6pPiiUGTK`#jQ^q;* z?GP${thSsT9+y0n8S5f3&NPM;TEa+swkK=>=;fim*D=O$JB)V^R1Kl$2x}b5Vxeah z`(}l<0)d$Mx7|B?bx~Z$3>JDeAmoY2o!~^$3BDVFUPFkE3?~~|VC2#gJQChjtSG%_ zX7emuWBoe}8~2KlAO~}r8i`_5B^#EXpKj(`f?S!9%bFJ$V}vCri}a3;LaQPY!J(UXK45(9EEw7fX zU5-n)%~geztis_3F`(L-s?@9!tXb`poCu`2m=I0Z?AexItEKl`faXilhuO&;XbjQx zHOZjYu4Y8xYoADe+)qxzN{zJTJ{6O{N5#5$&(|711MPFniaO?xYt{Wq%5K`^6!^1; zys{S%kcZ_)J+cPijpb8b-$uBG|5^+|)MPF&Md8H;Cg3s9V?!$EIM{G`xra};;buxW zTpr1+P{fL6Gc|yEK)=`);rNqk;%Kx&gR4%FG>!T&{N5ewqA1eePPBcJ31pjmz1;%O zVuYIl7GsdYfR#jp6^D+4!i_|{3=q8y@ZBh<0QjObJcJYsAa<+GW}78;`l2ifXJ#q5 zB26Er!;ul_XKNh3*har0^vD?WXNC}j4vnLR(3jQp_yCM7^_i^4HB##SfUcC|*o>iG zqjt&=8nA}%=PnkzzKRXyNMp5R%b%c{Cp!deNPJHVdfbh(wH1cd_d*Wl>J{eF4c)@&K^JA9! z5u$HDb_5MyWvbuYR8p^u`$4dZO1A-=>gir-m2oruV;3+rE12&mhCUKd>&kLni`kngJ+OTe4o@)SPc&GSebzYGkK;~vqpWbZZ7{&=7GH*f21^zRk-;y{Rr=&*DDSPI5?S8$mC5*_Ml$ zUtbk_Nai-@YGiXv=cc49eDu2Kfcm!8G|4K+=psNJog0yqv<}^!+=VD)n#zJT^39YL zn}nMM8+=u+e|oOK42+@$Mg||JT6oK%vFYt~Fn>WueO!VwkD|Yi$a#0WhzF@&H~}fR zkwgr8qRH5ASEwz=P4U)1daEmMV{S)r#bLmxD6;(Q=2>M>xb?XAC&J?zXnTk}y~W9Q z$6q*rYxH1cnwo2_T9XCE6Ry;i=(j8pl`9Sd`B2ji@4EnJf&J#pmbdFHCwh#ez72ULMotWK_;5b3yp(~b>5YzFtMpq478<1Z%0@GLij5qc)%Oi*2QR3C z0#ll$>dTGou;d{L0Gqe+gAN4`1o+?%pug~F$@P*}U+<(AhnJFnP(21L44l_{DZ1T@ zX%8z91K1s(TkyZ&t_iT}0Y-a(2Yd8nM4A_;a>TbUbcJkrj5kcprhlnQYhk4ozFm1M z&qMl_^^IQ&Il@m7KorYmYgRl2(V4dJQ6$J+j%1G=U-wK8k_xXpj`)2Y9|$Ds!(5AKNiXXMpH`<$Y5K#U(b*5oRCowwf{3B2a2wxHnkEDK zZ7ya_!Z>8gXeLJdt|g}T$N)r3|BRdEUk1w(dGIHS63WV4;^DlQCTT3s`~kD2+J7UO zE<2@_o}*Kw%%6YkFeP_tdjy^$E1Gb|4O@eDvhWGukC29vo{#9CoVa(NB;a*?>Vkp_ zYs+x8+|A0Tr;wx#C5x87^KX3|Cyp z9SmPu=?4J0IIbe+ti$b|XruR3jvLMqy%f6AE@4#P6CM+lq$fy6wsuE#MR8BsvVV!1o|q+8#I_&LJh`GO!uo| zjjx#*VAh%IYc3UQr;*(G!@_e||gOO7o!f z{=@O*GTegqHk2TU7pYXJu^HWR?QjYa@pG_WP)=F#KJzmaRA-5p$VG#@U`Y4#PDB0W zQ1;~3P;UV$9gfY+>_CMPckU-`H|9U09Um$c4yN1puSa%qN^QQu?}bsvhTznr^yvv- zr0|H^GWE?_Izc+MiVP|@auvBddN`=4D@Gf21o`wR$z_VHDjKBp+e%787G(lY&c$cIn3xrjELb>|mWx=G@ 
z{3^eNqMbCudtAectieK^=n9mVv?Ao|a0Y6slPShj@Afh)*xIDI^jV?4yVA5XGs&`M zX%rBBfUUMW^FM-{taa5`e0bd1rrEtbm&@!^pqe)&lhkesUICKLJw*U7sj zx>p<(?qR#~udRH0ZB`v1gn7Eio(plmzcOBz^n!yupt@ zh97!geJWLgP}|=gY-ax*nLrJGDpm}qxxZ2vtIB~lh_*-tdUObgIq-uWbva$5$19>W z#bPqN`zPmv+)27tS0*`l-AV!m`6v!S@=rWe##i8PGlp43hE8b8P2OQfI4mi(>~ zeolp*(BGn|x16GKO?`9JI@|6BG@2A%tvWc(fk=xT5tSVMoktA|1;9K+)p@ul6^CKq2KKzH?@$1 zT>)uhQyl~Tfk&-m@r?G_tY*fof|%9_G@2dPD7}+t9v6QAj?z{6R=mSwl)Tj75C$1O z5LrF4F8rkS;Xk)gP z3r*#y^`ShNWbsl@cS=LPPfbT4--8FE!1jgHce}nQLy0XmqygM`9my*jQ&ONon;yVW zVN0sVBZw8@n+TH*E{rG(`ffE}W5!c3mPSkY>lAjY&NH?eDYzR zLr^}E@JXofS#|%Nnrh@ey+D}RvP+tonG>`CXHZiK4I^vvMSu zSJH0#K2T$`>2&->?vD<_2hd#_}MWE0}yZ($HKf=v# zI0Lo6oapDFcaTBn-vodFyOA>Z7$rB^<_uX4TMG%N(rd;S!ZjWqQiItI8v!+5T)uTt z$o-9AJS7*7nN7+LU^u(xAC;EItJxo+CV?pZWA)8km;r-Z7`be;|HZ3)*^k{+FSPVa zWE<5h{n;YV@k5eu(gi-k7pM@B7W{;cHXm*@u>sowR)WaSZ;4U^Uic`1RT6VN?dqN2 zV=n!m4nIu}3G(r=M8`u=yD5}xqb0X&3d@sW;HfsTm?pDmS*dFLtP=FC8^6T>(BWe) zJJC;i)GGL`yw}u#ocd1IIHQg780+K70cHC}g?@mYqA%zPSAAv{AElC@VAd&DCEQWD zP98T1CW&$FGGDE7a8610nSD^RPDw4O!6g2P&l5@YhWfH=LsTGS_N?hI6-3%<^8#ot zuJY_@+9TW#q{=1!ihfj14?sECp~Gvf_B_$blTz=9Fn8OsBOnY8*E1zVc`tq>m2~B!to(cg)F48lAj>J-rfuxTh zO`klc@{lEtE0ad+2V+L`o-YgAX+r_15~{4DMhC^WW(Xp1^oqH4gcZSw)E)YEp$&DcOKNo zy~6I_W%!hXn>%UgFy_TTGwHA!v*FaYD4br33TcK4MTOW}H{>numS~VpnUXa}gLI9} zfmwX7u}PW16xf=;xe^E%g5c0EtC}Jt*W{}iMH1-uQ+WdVE6G=!zt}ga35Ev*JI092 z1>OW{Q7mS#Dh%Hx%QGUX*QL5ic9XnpQnpaFR{mCbt#uXZO&Sfa%z;y%WAmfeDQibL zgB8p+o1q=zG!nuIfU3)Kw)duVnF(G+ZDLlz!D)m9C=C}%S-O0KaPZ5Vtd783b4b?( z0hJw5P9fizxkO?HPcP@52S5}Y?#rY!2|L$J$UMtq>G>r*uvMsFzP9QClaVC_#AJ>@en;0!^QypoV9lVoo%mnr0d{A2pZ!JO=@&Z{HJc zV4neO-JILJg;KF}{&*@VcsS)Ah}kmBQ78$slrqXhX>DYlO7RR~rl7E!7SWMq`D&;6 ziw+jjW#35q$FOtYC?wmAlAkG3NP3P{cOW@bwy`m7G++7@h(d7LFa~SZEvuD3BSepJ z6K5u^`2CT+_j>M+TbIATgECJ@)U2=iheXqsAyY-&oqy{7muk);U*WttkXc(Y1?J|T zbk)AWMc;kLoF*ef4lj`nDt(vscY@m6JSX{+9Qm@IHSc7OyQLGBovVbt!j-&~8xFU> z5;Gui*>AGpZMfaBDdIEOjj!FYY;)S7If9yrHmV+yK9yiGF8ll;&dX$45v; ziyGyFJ|>^+E|Tz4Qc?wT(OD+b5V{FUabgDnsnO=Xom{wu7GO9O 
zPFuHZmXct{>VKFoLq75r9_j2@Vj6FFk)Nv_){sd?Pq=hhCH<+jhu_o-u+YXF;wUz5 zDeF2GG}$mxqRCn2Zu64}<`ehRg1Ye7Nri2d2*D}8Ai@^n7VZ0-o8GM|tU~-pf_=_1F3k$bm*&g|q)NV7~!^s)$AJXJ7bnMb9Zuc>q(?jICq8K#1lC2~FuoMk$Nom|KXO?6GD_}*XmjuiVi8FYp+cJUJ zE7p(aF-DK?!svjV=T1m==mEVt05?F$zrhR*IQ0Y8kj+8DIl|^59CBJw5z-|Q)z

    S7JRDwhXO$P%WI=-h`L z>7ADfXj7)-sl$eO^6nMTMa$H@;p4_HAg69$s7F&SUe7C4UC^uJuS>iPtnjw$KP(k7 z7Nf;U1KE%gr@XQruWy|~(GHxlX;FoCzhcWYhsX4+m37R#Ql#=gEA-+CL*}|K9M4&f z)11anKJNNF<-Pn-hJ|1z;RS^nrY?lKKc~zM(ZE~>o=!j$;`P*Ov(0dWlgBPg)cQld zir#!hPO?ijo8V9nG5W6t`U~(NrRNZ-lf&qJa1SNOLZnbbG86K(;^`RX(z10fvlUx+ zZXm8uhD|(oj}lCOn7Y2I;|Fk6(2^t?G-50Qfk?}2$z$X6H+6i%QAZLF3qnj8O@;j8 z2a6*U{28?O0HPgU>~ubWA{x1@Q&YFPhxnr#xVnCF2zaNyB55%zNu#;}2te7uqMxmq zb!Zri)18z1;i;4n*@JCEf})*AHi$84*`O~$^`4A=&^d_xT-6{W^Yvf08F11Z+BlA( zMHmzZwnev`ML5^g?t3bm{3dKBca5gTPw;QRmt%Cd=Sq^9a^Awnm)iFKT)8`&f2NLI z_fumbNg*pkL|S56_-~8QJg7wDZ8OWpIv&>Ericc5{d?2P$VHeYX)h>JfTYU;g0zhD z?%fIHEU}oS3u?0dVw565!kM<6NUr1{K0oG2hNWTUD3 zsSjMKYUo=skv0nw4MFm`5_vE*IAB?*YTzM!cB0Brv6;0(&*As)_yOUv1x(W4_?35F z9m}jTAon#bmhrcJ3GEDw*jE<<8;HX3cq(iJqQN#XiE%%%R^HO5%O9TeRCyjDHN*^L z1Xr_P+%|v2;l>(*fdu^k!-OeNtTSMp{rZ)PCUaQ?MDE8l!OePDUU6~b}=imiPn3M}fDs`H)}!%-0i=4Do-Rfn1t5xfs%s zg8b;epOxU>pWs$jkQfelrbb7M5wq)S&zdz+&GN5LKz@9zZ&=0;T=u0d_YtcL*e^QiQ#9@dMWGv?;n$-7#p`15ca3y9n8tUCrY)>?I1u0l)n)|0_$l3Hja9Z6I#d&0~k4Vd6Y; zOVu(3?`N<%k8?3&`&csVwL1mM1l*cmH+zXsfZ!dtQ@aXNcOkeRbkKLX!;}_bggR2> ztq$dJS3+b8!Hv5!Ps6R9rH~fD-N-3~lOK8YSdjC9gWkN+JIuQB-}wf&J@u`y6_vHaLD$tOrP*BpWRRi=@PPju6!AjxDi)njp{$eQsz$FmV?;^qmEb*z)Ac^=lp-o{6$NVZURI@q-IwGP!w^O_*u;Cqba zG2JDQ0atltFTGSlF20|P)CIpX)?qIf81fiul?wE?v=ahGHMY(I&)6+^I(KPc`VFf$ zrGv3dY*U=Br?h&3J0T!&A=RS(pqsx?`VeLf_6=ZBo{+IxM z_8Ejc1w^Fho;Phh1EEe*0m3Wz z4*n4X57h4W&tzo3R#L}EfpL1Gmo)u5GfH0lP$ik_<0%|Nx_v0&wV0*-zc8)C+qZ^f zJ^u9J!&TS6kmLCF5p=)!R(ns&@f8J}?AHdUK0{DibL@L6luL?wu!T3}9z!$6ny;2> zPmx&-dwQV`G@s>+QZ4HFowN^X59EstnAiK6YCmk#71FccrUFHl?N~U#i`#vejt{dF zJs0`70T{nIVN-FlIb~vkNIzo@x=`qF~S;z(1A12N8-f7Tnkf_b^95C{~o12~>1-Llp(_rSh9CC{$K`;O1Fihju>3bmOo-hVlbw*3!$1 zo#Mlwz-43@$4XDK&lE!-!~#BgU^MG9fA;B>X8H*kHCpR#kFNNuGUwc=b0#m<5Mj^6 z>a#m+(*EsWG#j6hc^_nK6M?3T*2OmgX*=Vf?YW}KGSe)O(gCKHB0PiH-akJ!JhH)oQ_Xq){mr$Yg2gcN(LGMc!( ziYB7j9>lb6oRO#Pg4-yI4p3nC@}9ROy418$F6UoD#^eH`$5p;@dC@#5f?A8tFd+FtGy&!)>4O}(F>upO0O7(C4CZTB 
z$y?s?uro-oM=8X`{O_S2K5$0aVkTiV_o#ds4lHHLQ_UW5US&F;J*OSBqH01ogSOvX zz{;7sEdDE9Js^dVu&QYx!u@-KOu~HrPhR+E7~XMIIpAT?g|5QygB%fL((iXP>b$0A znEv;WK+*Mw*zbo@lTvWg;W9)+%8awq7!nU0-q|A5o~6q@|CSu#9ce}x=do?}dC(9P zGz4{BpoMT6GVIKjZU^iX)6yh-bptF2X&0oC;0r5a(YRp?F3!!g93xs=xE0pk%Rbh_S!lB=hL$%7q1^ z6R=ef5f2UYNy(CLg_?z0z7opp?x?cZ3n?kz!y~ZAFmb%r)5kenCu$2aM-q{6Md9rZ zCP7H*0j3c*qh7}Fg&6KC8>K*5*TH1(Ofn)#qr8odu?!?%l2eGyO;df(np}@hH9j?= z(^|7ID?kGz-xg#kS2Q&T=2HA5+}r1+Oc-y|Sy`-r1#DN?iG4+dI9+T2zpOwJsZ0?& z5VNJq;k2L?x`0n}XA0pptiODzR_7iyJ;dtubiT?|VSc+)^DMZ+G_FH*Ycww*S->PI z$yX2Gg%LXEAP)IHQn}x`=-Spd1ggYT#t5Q@@=%9%uF^!{08EZ2)d9DM>SV z3Yg?N-RVPmz+P_DQZC`5wTc_I9;1gdq^l-TqML^{^ zi{;Y4kiAu}YBkPV&u-~cuM*dp!QKz?7m-swWl`6eGVEifQcE0YN7`Hc0Qrnlnl~R5 zN9~Dya!5RKphRqxY}!ud)aL1eESC-ce6Xc@W;fx>0#trepFj@@;GDbwUn>X;6XNAv zCdAV6Eu_Y)p#e=w?8PpNusGkbw3vtP@!2)@^mT|63zgu6>lQ~TZT=Nz{*v*aK010q zQUg~9(~m5~oW9LTr{GZ~lxS8I0#&&)$wDk5H)3Mit~_-oodJ2bpS%c99&1f-c>>P| zMniJ1+g;ohRs$$(qt52H%i4n~F zG%1T&KHZim1F`9x%JgZv+{9^?odv_6YK#r@8dg+l!MUz+QyDN>_cWBO+_Wg9+klJx zdgJER%4eHX9k6`3wK!9oS8(als>-|CIhnMWN87y1Gn&K0I-#I&MnYt;x_Op8&-cnc6gmd$g#uIf!MW)%UY!AzoZauQHEIquE=FaMavgeq^v;e#6c- zn4iNgI2>x63RM=c)!@nT}_B?MTmLm`1C1gJ2wpyuQ|7qJwK08!%)u7Jb$ zIVZyhb3h8WkcYz%LlTz--<{+isR7kmr0eL}H<1%$)P=ahbr+xAtUIpj`6I^iW zN)OqA%a&Nl69IfM4quuHB+Hn9jU8j@7*m3S;E5vGMA`_D9~1>;HYnhZ7U@AX@RYMYXXfeVHB&P~JRKj2mMVH{N$8n?zf_2~#) z=(i&PA1ZM*G1xc%p!;Opz{C-@&oNuHn;%kmu)(y%YMEk|ky#33cE;-aVPUulcYo=? 
zn}HUz-|HxFNGa!&kL}_HUq!^g58C8^jLU!-bSqhvwS}^zk$rO8sp81!dfSPz zRCrmzl8E> zSbx>b6=Kx47pq!3)@SBH^DMPQNpf7@=yi+B+AwSv5 z^HXw<+#Nm%ovZTa;+&qPsR~uu;W@@9Rr%eK9iW(A{2!;jGRVUaBhdD}lXpjtMCaz5 z)7pROYjvg!wem-`M6Ru>V=x5v?)OdR5gs)%a2)cGmv#(=vABFzcs$UW%w)% z*e;nuB=y&v?yCwbTDM)>5&PV}1&|Mkqw?1cq>r&d5`b=?bUpW(J#Pp`Ex~Yv6ZqV3 zhb{9fN+va|+`W|~(E|JV8;DgedJU^8M^7@CIQa4@=O-a+cG?N3Q#DgtmvK~YD!wMv z&DIX2`8ye?EHdMcjdBp`^*M)@Z6I79dfOX{<3<`dl$l%ad{WacPY`zQz#o3ZJ}#gH zuYlDcJAqzxGBDeO=rM0gm~bk1N)8-2u#ALDBk0b7uwhm5!~l-*Z;q%HBmLxFe-=SQ zGMP6DoGh{#ocNarC6I^-ABtf`s#a0T3th^!-aO@(ar9$Q&;-2V}s6OvPlm>F# zT@t<9gD|&gHwl|V+JnvR73SM0yrB0$4&h)Vss+3Z1{~Qrxq!(bpR=v=054+)Aq;8p zi!;ArL1osy;a#Jp(YK9bsq{eS-&5KHPL^bXPIdzkwush$$BzdFG-`ByuxgGc4eCDE z;KKu|UCV-roS^aIhhtDkxKhUWb(_{WEM572eKev#i%$i%Ro^G!Ba*pVmF}BS+anZg z;R$p^;$DBY+bS$7ICiK~;voj8DkWfNXDp$(G!tR;wKy%(A<*7z9tCoP5->^rFZgBg zZ-+tflAOHAf=TW`r11@zEUC?w7yi`N0zzzi;fgm#GVUyY2lGi>n6=?WXO8^&^a^|~ zfv73oGzP{WC$w5K8Vd0Mr4(mNvAEFf!h!K4ZB5-pM;m8=^}t)=$TE`Y2FaC`d|IEA zXmHu0!h(kQJkJ;lA$O_v2b3uRwi?b}4%7jL%-9Duc}s`-& zjfOQ7&qYM;HU)HZ6x5cPJRv%;`eA zKQy+wpAJ}&Qbap`n7C9yW2pi3C2BTzcHj_8MrUMc(p+b%e$KwdXSSa z0)pbq|BHN(l%YZ}p=OL1b5LN%(;*~*MlKd7WuCFT9q__(!1*kEPGUdku>#^NzjujF z)n2Wul%-JeKDx3?DPKA)b*caH=ODjB66X&S zNl$}J#bJg@PA?0`Lup2s4!GixyRn2(dlJ4{mPmj+-yzVPN>Iv^D@kjFBN)dmjuJqW zPbCKJ(K}#B`P-n#LkmO8QSa}N85|T$32K)1>kR%Q{zfns1Y=2{2+)5V;|p2HaJ`Vp z&DgP4Q3w;y4I}o5ejYsmz>Joj(%dUV`Ss9<-K`jO{gr ziJWFlrJt#}G4FK4aB2q-<9jaAa#jmUuSFg=`w+1lHV=3ghwHiAXh0=n#2xaZAwMEJ z`P~I6hqk%mKUrQ899v`H<{VfsH~?`b`(T=y#QH+7?O9EX#}upDdC^WmF3wT|@?D9} zV{Vvb-g;|KSY+}#yZ_nz7v#_JWgV11+8a%v*uajZ@){0 zAcdEW;ww#MzHl?V=se~Kz~fgkW#oR5(cA&IiqZXNG$I*9bpA#ahrG8^EqlyoFxa6; zth*D9@=H$B%{Ut^(O*FJ_RWfU9uRvh!4$&QYPV(+zVH3+(JZ)R*lQjB;j6H|*(@U!F@){B#aqfS#H zXxuL0AhYg)5&?c_(vJ)})*L?Z)#q@&S7g!hIo7j4|NaN;&R(m^?|_)&j^N#u0IjZg z$Yl1VEJTyBmV}C^{5rP`x4eB(@a0q2iT%zlLCS?7aF9`yQHU&$FnkmrstEJAkU&!^ zl_Cli>+}l5O8Cxg+G4oW|APMpDb>vrA~Vxh{AOQ@eXnQ44wY(;bX zYKBa{2v;<_a-_Y)*Q*&A7q5EGUEpmB5YGMmspOE!^YqRrz1u5(&x*508iy4=8IeOV 
zF1k2*^G`*P9uEaRCc|cR_xNMRQIQS%&;5d-)#~`X16_88jzF|i0TZf8hffZ#{I7*4 zl}K|O5ySW3AA*^Q6*oM8)LS>~t~@5k4zCH9R*kUtog;$eyP>*@Ws3fN4o&?=9vl*$ ziz1uTYlDAZyDdJdmyso<9NHWtelLEpRjD7XStm~rg$-t{Ox(Etu{Eh!5SCU*G%ds(Zcvo@8h@R?Xp84`(J|0W*Yd1J?G&Cb`;!WG$ zUx~-zDA#r@8uzvY&CiyYa5+G;K|set+khOc+$w?NxWr-j>$v^Cfg?R!RE8gcY!-RV zVae|e#tm%{20NBR^NQWNJs3F3daYmGIqrd-RbhO7ZG*A7*~l^7Lm8DxZy9i!18%_b zQHx)rfwcloYnzd~!j9G%t5I&6*OXK0)s0z>;iS77Li7?QvY&BMCe~%hzV}zP?l_%K z+1gMQ7BX+G&J~ztwY@^AZus~{#Y*g5&8?rLid(rj6|#Z@T&Zr*e5wO|Xs8xwD)RDH zCOEDPo`QxyCBh>(A1KoKuVlAe1cAyy}oOH9Rw>lh=Eace5G_YOG ziy>0Bwnw8OIxqzV+O#O#uTz|0>4lUc>IHa33cIRD5;e%50iJnEqiT;=bt&P-K%<8Z zFWZ4b+5X%GA>&i0@sB>2r9a3e`^eM{?4d#NjGMftJwY99oq=~IFAAjCQurs?iUx4w zzw!1#4=UM>^a;_lbbmu^aeD7%o_;)QuoG`Gw;FIwsOF#?V1F~_fO_~~#!`ry>%giRS-O(F`-XJJRH5T8nY2KRDs9Qp8jML``+!yZDqA zr0~y-8RqGY_DBQIRk0OoXxeoq_FD3&v#B-TvK4ivaBArt3fOo}*dTRy>a5LQS#-qS zR91dkArkxWOgTeDL%YaTCQ-jWmP|tRm}U|VczHjj&e#V&o{h+kejg;jR~xJoLjUWNx~JK1)Nx;wK_g)VzZi1QYBK;N) zMg@(gIlM~}MS!IT05;alGCe>;u|gw;v3!J9GNYZjyf51vx_urK&6y{iEA$_goU@|C z%?%GlPnZ$p`A<-^228n$4mTAQ7)Un$y;_~VW&S*k&H_62HjAglKYGe($w-v~)z)v~ z@ElOTfl~-pbVr!gxn1y7IGqqDzB?OxIKdj5csr21H=@mE#Wfg)R4LVX|uT6;FZBfE%6!;@u-s+AFPqcGq3V3NWp z;%H^RhmvjakH$m601D=1o3W-~B5a!KkaKdGE|i{$9CMpwo{9R=%gYJO87=4vvDJdw zB1j@RHk8>}J`p{Ijf}i`Fdm#6rO}l1=~J`tL6@NCd7f2g*4GR^zIAa^f;g`HaXbYZ za8t?|c1we!kBs5oskXIsH!lmghw-!FSkdT~i{9#y*OHN!YlWF{t3bl~c}ap}A^?TB z6{?qRJfg#sw72++#Ig9Q@8A{7uhEHpDREwy3-dK65ed}AG?E<=Y4xKK1JZxBJ=#Q>Hf7I z!hW-;ZXb$#Bva>&=k>o}fUcj3?O2sE8{C=h$D=O^05D3MEX#7F35Y+J~xcK3JT(qSPwAS?WmP|l5hK-cn(Yu#w zWKcb(<7wsT@uVjHOw;pW%N(rj=Gji>GyB+*)qjP&;EWoNeXeiz_s_X)N^pPts?6Vkdq&ZGG3jm?52WiSX0Lh?vg1q&hW zq&vk`BKY%;9~(;@C?;iR#SMYrNAsHgT*7E=me}q$)@6)n{r0yI|H`*WKvCVACSgKBn=|!f zI;Z&gA{3DsQXe%KrOegUy0okxC;HLB#bCJtTxSM~zu_)B<0&?GqkT940GSTI_30I5 zNXF8w3V=)6{eXb5S#0&UVUz8aH~?cRT6*3+iC7w_OQEiI7@sV&@QVZ^;Tq~gzpPj+ zgfcKwax6s{1acS$Mo1l`7QIk=-<%>JPByGXMN*rom}80dWWS!h*tx9=5UnL5S416g zxA@13Y~&iX%34$HlzWFnOHo_HsyAn833;}vLqg+bIK5<1jXQqVF)FLkU@&P04wGBj 
zX2vMBp>y@z=!RwBZya_QD6?)0Ap+?aOI%X<1y+M31VfDTV{uM5E~G#s!)Bb>7|46U zEM^Ju0L&`!Sken`t%*0iHU(x7v&{6^FS&ZPzPChXv)R*CP4y@cBC7%5rLa1yA-5Mv zCG)YWC}P}$-rU1la@8RNugAHvZf0W;)PeZ)7xS6JzcL_iX{hro$7kwRvC0bWxEc~*AfY}d&{YuEn-)wN4F>Y zx`LT))hDjy>r3Rg*i-^eVCAAu7b%5Zi}r4(^lxU(6<=0}GP~aE#~A2?h%}7!X6?lm zDmMw+1~w$i5I3cx|G1J_a5Y#&yWFg+KR@7A6r*Nwb0XnDHe&|1O!DlAp2nFFX>fL5 zW^fHb2ILKn1mv;JN{;Y7d0A`Yy2WRQ*E*^7v}xYUgXwQYbe$0y!c}xPoG;2j1Pc-m zUa9Igc)swl0X9_(BIKzl;)f%A*@`z6l-!Kn{|5n9S}C5Z$$+mifX0@>f8w zINIIasv_Y&>`MmNqoFWGxiM)TSeVN(`Vf{fyvm?&OEpBd%ZNJ$|XZzZy#ZWbfT!N{X zO2+OVecQA=fht7cAN$GMp#rx3b;GBWJ*1p3~1Bs#RGhEQSHWcXD-Z2%8;=RVf6_3DmLP!r# zXaxPIWw1|zqUGWM`O#D$`tH@qkdZHDD6EWBwN;nrZ0gL|?EFM`g@SC3>Fn}+i5C`( z!jDH3ET*#T022W#Szr?;B*#O8HQ=bB&j$ym+iIUM-2SlEHWovKZ!Z zLoe(mIfK7j12#Z^Zldn{V|5^zuegkrXXGq+%4DqIfHpBLI}9igF*ZeW4+Ga#=mB73 z3g#wROr190fcUF?pncZMvyFz)vzDP8HMI3!@J3pGldE=WX#tim4R1(Tca-S`f;-2r zfWvZYOP^+Fi#mL#MR)H)q(k$bM?1t`9fu)nNcF;P>IwcSsFGVghNpb#5uVbffpSSb zfCvmX5cV>k{3w&QF2r5G|7ZaRB8XsI{u=Fy!)E{|kJ`8Jb*<`_lnRH4uS z&4f9tJT4%XyGpjgm4+f4*P2f{WnYg}yNQ6iDn5wL^_mmk1XQ0M(HS#f$Ziq;WS`bY z>9e|^A5Mlh-*$wg-xEu>T=7MTVAJUIyt;H=VO?W_^$^0UTlEV0vj8EHM4xR$Djk~O zI3HWt*Cpxg$YC=)hvR<9GGM(%?xE#QVxIqy<&I_ZlN}z5-}-2qSZoOP7L4j*H`ib2 zt(irE6*?a5`}l5F{E(z}(rOEoX5C}wKAMtUS;nm$jM6pAjs33ez@&4^uVG{QoyAqo9&Y8*E=C*IqL2qtO3lnQ`ZggfK$+2YI`Gi1tmBrij4=}s z7^xmJRRSZvcOa4CixR-amBefBba9gQW1d5T*aM1^kCK5r7(}I*sxHMwfy{<3Q9#qu zz@~(>ige4NvrQVJ16rF%gB{LmD3~8e)nlTerKM$0>=D%~Ll|5=XwXBgrFrXKpVF^*mQmmF7#C&_(Q9agSV#|X8UH~3tAdqn+DfTl~-e4%{?^hB9VR=}s z=}2MQVB9p-E8|I^^V<;Fsd@r<3CWYRSxQSTJmZP?5ityHBGA4b|hiQi=3WHTodqtCxX?<6DFaQ}t%1f{0ivucn<+& z^P9U5JJ06uU+nL6P3CcE~e0sb)V`TVcTWlj|K#}4KogT;Ogj3m>17Y!HeHZ@dV zxu7p*B7Ph9EyZcmOa_?`bG2sUxVQ(kff#7z#t2qz4> zfmJ&EqkJtNO!(&%eTlVAGX0? 
zyX8qgzD2)mS%b_Fj34T)t92LyQEaPUf@(N_2aXXtl94xz)0pekoBCt%SC|?4h#2Nv zF5KOKYj3}czKsYX*^=Lj(31!7%QpMoP@<|7`*$huYy* zG%x9`m(l>RESFBlZZa!|bq}q75Vs)@LW*~#T0!^nZJH(0)8z6i0cwA2Q|Mj%6_ zwK#?ZeV{5USQHvnJ_jPQemFsjBLF(mA8Dp40a!?GX4jfg#C&u5&3FNTKoI%k^6gr} zW-|yX=|CXY%(nXrqNXe8!Qp_8+i5;PI!sNJp${0pTzqdl4@A5tAd|+EuZN*O_kKwCsZr zGQR~A)&q40fQE3W$XP;UFQ#@Gy_HU2?)^CYc?-z2z#1rrvN&i4IVQ7k3)&R(@i)uU zVMxkC#55hZYR=kW?~n@=VN%oYL*r?-K)KmAPl%$K$=^T~k$?m2_7;M2_##{!pLg8Y zwq)EBu;a)dK)j18c-Z}+8;!v&Hik7gReWLU8PvF2&pqcvzP|ZQd(3F&XU2C28h=kP;XRh4VJ`@CTc87(G9cvWF<8dU+Zclq<Bu@D*eF}bYT7*XH1X!7}vthDgdAFf2j4ONDhm04m620<&4V)26*VscM~kn#HZQFO8t&Y&ozpY)BDNT$>}Y25kVhq zfzt_#f;Q=Lt8W1Y191->zgVnn8#x1SQXaoUfLXP3^Cg*KiED6p=B96Bf9RgL6#s8y z;DQvwU8o08jfkJ`#}yl9H9Z2-K)el4uMd8$*AsNyoNUO^c0DzS%%%1iir5e0`1#Q+o$NyGtQK3uS+wG9B0GAJb(#i}W}Q^F z!&%ITH$(G4Sk!VYF>f+jvqJA1L$R3-_ANc*@10kXc(L+ap`##J3Jnw>f#OI;lnsaiP{gGQ;8eS z*(I8XG*UX9e|9$HRyQKZJ$iwXo zHJgUaE_hju=G&MTs{sl6#h5Lau75b0{Q0IVp7~P_p!1NH>?zZ4a(3C;vb_IDA0NuG zW#ONVCb~P4G}V~cxI7c{Yq^Z13H<}u4myF;j!ws3Q!~#k|B85csfM}tL|dYpXG9+7 zFQvpJm{-lh&pj2B-wMHCft6gOST({~1n55aEhh}1W-uHS>O&32pn5Asr5|SjlS~}- zPL6E+w~L{b#adLTPy2};;&m{mE0u+he#x?ux7(Fy*)Qy@X_5(Fj8{s_uf&SS(HY2# zxuWGoB-8!Kj8&{zW2M__CKR#pmX`*~H=#XLAq%}^U!hpXxIalW;h;J!F~RH4?LUwY z=si^%AC$``Tw7{3+us@i^zcnhUYdcc`=|tVCI*fXhH8%mlqb9U!k>uhl-QYwXerMY~S?1AR?^_pu5? 
zuHFd{d$GP!{iQIuO_aiwQTATwtU8LFx7V2pv?`!xM@)3|5sC;BalRo3Ce|Zt#QH9& zzz^6MhCR8Q#W>*Y!8aOSj4y=eco9V63EinT^3~9beqg*g2Mi+b1H;Qj#Gjd9dh!W1 znJklsGTc~T=jUtHYg}4x~DVVpQjTiyqT4=KF6k zXHpQPc`w{m51e82WYsWDvxzDMsEF2XQzb+{%_2*7$B~@Hwqar?Rq4z#hZj^;l9I_q z+zjhhK>8J_c$%xe-LK+x2)7%$SB8y&)ZiO1B%6I_8kk>>nC z#m#a0H~xSd<==ggdA3q#zk^fx_zEdl!G$iWj|_49S>ymTy6=w8{$+;LD8fMlqoirz zKr%QT7?2K{b2Z*-$ARb=S)g3p*ms}Xm%Fl=Gx6I0>#k)z*gsbvJG@o2ifTY2^TDEh zSn{TsqqK~n@3th+Z#ZVdECG8>+DTx^AAAW9WIXUHq6+fY@u7W;N*~ z_^72r3D!(*bcjJ8%9)HPCzkFHW2?Nxa_FrBM&TIS#TpxMyP0E~!+eb6MgWmxlnem2 z`M~=vCXX>7``D0~FVX>gv-Gw_1e|nq24%fA5_9%73_?rkHXTA9mphhyf@j3Y>DZw; zLkpyZB9R8Z{^`=WU(EU;cyI1O=c$LzAeo=2zSP!%)Hgd^EEuN4NTKzUp6ASUaI=tb zmZv6ah1Vp#m&#bX5(OS=uZ~? z1-rFH_q6ImwCS1u{_j#PUDG#)5$VUowCsvs$fhjLAEp`B z4%9eJ)be8qPT1r|-r9_bHV>UKj~1v5yuJgRYE!Z$Ei2|p1BGGL=hl4=WRY4Y2vDGM zCp@9tI+%YLl*nwxLNvL^^NX{P+jUJ`LqG&1JSp2FVLm?at6k%q#uGr2W$F2FsNxyI zNU8EhF?U?M9nYbR(8A5l=M&-uSl27yMn1~MOKAxdC9E_ACNg5gzXQ@Fsn?Vv)M=eL zI+@HOnC0l3*SL#fsy?R;%C$Q0&$cOPj~VQoUvr3f*43=gT!vbyURG?3>QC{f`xBN= z98Gv-b6W-us&qf6_KYPl4>!n0^H}l{gKBH83>yU^=2pD&h`f36jJgMkspqUB@F)9} z*2ST<)k8ln&e(52RU*0Q>}-lo(o;h3ydjF7x!!(@aeGqcHAcX6AH}a1HN-9w*Q)_= zOvFsla2SMg44D!%l5)!BVA}BmxxVEvP(wZ+1?ocq^VtAovn|Y2zCbA8!szv#iPq~$ zmd|xeYj8!BR7p4@a*v=t7qRIdT}ILD5ghHpJhH)SR#T6-5$t#j1{AdI62hCKor>fH zNbv(CF@-jl7Pp+X<4eCQt;n4fuCtoZ>-mspvv@iO@Wt?j7RlUueu5A+70MNMF-MCT zszs2%aqbG&&%u1@7ydsXZhK+iVaWWpyEg~7b;A>kl`P-Q=V{i#jqAI)z?{ID#2gbOV{ zUWgbN0u|))F#2;s$3?Jui`O2arizB$CMlO{gcdR$)rfGPDlj-a$*r77GR7-GLrLU7 zEW(B!+N6;;a{3T zEzU`WD&#cGEAY-;&3msM?*Kn69k6Tlkw%Uka2I2pP^hlznVRWQh99O(rn)eYx{c8 zs-zffn_BP`!sH#_7b|tf=ks{0fCb>j-=n~;Vmb+IT$E{5yrpnKc*~44f2=SIq`W0IINCYhk7rO)tc#e zPfn`_9AGF+)58RN|ASoGt33V*Ogb)5H0dd$2;3X46ukXQDx1L?f8z`DPg z5EbfPqTO6LQ=8TI17>XfNF#LJNE}KSfY#prE^KrAVuM*$7{oV_mU_vcd~1%)p{!J~&KqfMp!okY@#mflHYkyxYU>lC`C*x>aAn5iN^6 z`C?`2@vtLLHTm8?fSvAUfo+*M|3Cq7LGhcim$STH*)#qe7KVAHBMtV(I4iS;@_^kD zH3JB>ZSIKI`vR`{h@L1gY0T5AuBSTk>p_JyT?zfp(ey;46tt`P%ONJz+hFM`(8Y0YrH*~!_Z 
zbGwJSi*-3Ymft=~+Tv@Z5Zq|fzZot9?^Ak~Yne=c2=t{#QtUjBU?*QA&fflGTcy=D zUMeM>H-Mx+hfMJ%a9Wuo_(rPENoa<}N+Me$(f%aX#dKtg1NS>u?-%78fd-oBl<{OgeF!s$tYtEKP>l3x=G5JWLuR&9M^(z7yv<%8EdNz$B*fkqI{qekYpj6yl!ZKUIDQk za5_#7|Fm}Zy3eq1kOw~HH9D~Ny90^8txC=#n=UgB_oumxMl!6iuBv)vbyeAbs}SOAPSaJSCRgQ0#h&z1+> z3D9Iz%3GnD#}Z1cedwW~q=Kbvssj>_iJe+Q@z!BOaqadfm zooH3Sy>O7E6)pT5$QFIKzAMO~1JyJknX&)F*X&lEA*?(yFz{2?Is|$shgHd2X6PwS z#?4Lo!dtzBGfy?z^i8+8)-OXn-?@ucxJg@XpHpeVq|T!)`P|k@Lpi^9@#UpYjx8i-sIX`!G90teG$a+xXk4%p_G9dhY7Ptnk%JQyB&{3;V06{z2 zN7LXAEQkaxgRi#1GH!v0KojV^G9C6D1s*%av-GTQi~bCX(NN72q>z2lz3Q>NMG!L|kpJ?Vv$W zLV`IA+-9c*=6;*0(?lXDJ{V5yxn3Cw!U~1eeVqsoBO7QP(e(0B)-4<22m;fZK2Pgf zKLF+H?wk>yd1#c?qcf%x2L&med}AJjap)nXpeym$$YW;6%L5X0>in$4{9K1CQfqu8 zMzn|7?`UirSgPXMf%CJLMGBi+^`Sv|X#PhP_UMF$? z^#27J@cetYob?y~jD$oGZ{r=d;?|r3sxmH^8+TB^d!|kfi(XWOX_ewKL(DCs_fpdj zM|9Olv;wJjjHjLD8*qMbVs3(nKI5nZ55_5)-=fMoAwG`3U@8vzQL5gFx*8;W9x1($V9=X*4oym)ZW=PM-!)Y zEqE|VJjnp(=q{<1cTX)%RQ3RyK&uTOo=+5orws6)hY$kVr}Pd;$=j_)NdCJzIR6-{ zqaQmWZLN_sr~Od~)LMyF*C{}vta9~`ymNGM`yZeNVAXySHhch1Xey<<{0(Fg=XPL?6k9I62Wn6p z`!ls)rK$Du3r#mAHf&vr8NLevqRJY_4GZm|s;?+0J4)YZ9Sg7Vy{->reh6xAU}arm z9^2TS7d<958gs!l=ump7S|S+e89oD&o5b9C_7Kyjjk58npk{5GxQ2sCh)N5a8if%g z>^!@*qnUQxsJm*A@Eib*>2u>TM`Z=R7usryTvVZ&b^tc_4Ke`=cPQk3-J^;go5QgI z;QN0-{x}hKcSKZRn1r@Fq!H4$EPb}q(Pr*Q40$?UV)G?#9EI>72m)|_%-1S zhH#{;SKzg^L07(5)Df3jX8siR1o$HM+5?BkQe=&`S^8OL zJLAh?%2~-XqIp*BMiMA&;6jWt)`16gmUd`veS(Ep;u~os_&&8MGnuZ2KH8=S6l3J5 zMlByfaCSYfc4#8+^uUZ^ZYzgICA)LjaE@5~9Dx}IwxV7F6_vDcgE}xF32;nbk{*aPQQd4b8ZA=p%>AEWzxF`TtanJ8lea<3T|_KmvxLflOZ_&=H8=( zBek3g9u1%=Zb^L)KDhTxjjRi;=ND*(NHqR*6b3#;0lr`zl5dZ|W zk3xP}+jpD>O7(a4EsN`+8J!#S(i5%Kw0qOoq2!_DxajD3^*OGnk5K&lV7!mO4HjxB z3DiBtLz`G=n)bO3

    nxmA*#R&v*mji-d{^ZGUs9@dQrMUeG8j9 zY$-PzpCQ^MLBTfj634t@Tc;Sgz7Aq6Uzys_@9#9HR6(MxOhV!*Oz4_9WW{@RC>yo{ zR1?=RV>QN#Tj&3(GB#meHh2px%SsaLq^Gey7B45yT*7XI!N;Y}|8||Zb%r&+#)?er z)^X=`);m2abuo9%po#_{%I&FhjFoyfp&w@P3*Hp^xs2L^v&$0Q-wG)eV;O7v2|Yy> zs?5G~>Kc|1W~F)850PY(u>h~)B&21nY5Egz2nfOV$ZI=PNbFk1J=2n`41l)2hgBen z?s4Thm12vhFO-#^l%|j|-phU<9x4@sO6~WWij9#d7XAntI==)g8tbpBod@fpo z%hA*8tHAPn1baJoA()Scx|139M0@PFCx8$X82kVju!<30%1f{+l_i^y_$l4q(CtFa zH~+XX0Ym=#v5n2gGUA=DEIxNHW_g{!;5)md1?aW7WN5d zT-O-+{CO@KI4WO~-rw;AHhekpyQdW_9qM53J3kc7q>!@l0f9bLR8wy6EDkDg>{WIh zIZDXts1V|!P~9|wlXZsORYU;tv7VJ@7u7Ak`(`83HXV>8*I zx6N2Xn2ue%kqZZ$*$#Z(X<;c-!GYP|U1>^1HL; zn7vvBD-q2k6mG(zCYSHm`jW92*jh?hEfv?G!1-08OPq!auU`ToN)Rab;|KIX+@j0r z-N@Y4Gfrln(zcgZVS>{uT}c!Ln2Nm`s2Cwh57|A;Xd%7jNQneR9Vlp zj#p5onl-NhFbK8SIqEz^W@RidC0=0wqFm;VZhT|G^&Xafdg%LAFWrSUZjnZWRv)Y-ld5C%V}msmmBwDrGflBPnIj90B= zq4^?YDZ)IYpyFB&a@0OaAbv)eHOX&)wS!VIyXhk0xQv{!+wGako%r;6B+CAfvQC zj8X0jJ0L(9R7~?I(JV$X8QJGdVLaqwaQzg4v6p}sd(A|npheS?XRs5nIl{rmNpvA| za%WHf4R&?MX{G7CV%&X+NDBH3SUy=4H8p;zwHqDOfxtK64vge*zHqP+i?TkAgje)D z>=DM<;bP0cBGEB$PL~{#ddZsi%@H?`CYFtVm0h{^?It@R&mmOKvg?=0e(>%33V(Oc zvl7|P=Q9f$`vMGZcyJg9p=30g3-v<7QOcoKvPlF;puUt$2@6H%0i!Za7gl%%|rIE5; zD~wq$9D-E$f}qY*n~Ru160~f|jn$y}lZ$1BNs|#Dt}1=}k!1a=OjphqDad0=X=LkF zHGay3sS8Xq5g%4rThp&NS9&d4BHq|gxyspf>POrh5RCc`kwK8)!t=+L(H}yUmcO_L z;QA)-6G_s90(ZI2LL-V8gs=1`NNOP;9_79p%S|i?n)o9I6jmS|(RK$~elj?Ks;@0* zwL|r<<(>t6s$dBG9k;2|MVU(SG;~;IHD{1Mr~JY&1dHa2jd|u|$+CFM`|{eD1nF7~ zx(kW0i!Roho2{c0=qavMbic77F6bnQ`5Enb-CtK{s<7>oeGdJ4h<3)o2;h0_b*+-9 zTndEmK-d*I$QALUYtL_JKCFL724$4e^*XOTG>}5{o;61{Api(EjzvN%^C)ucC}api z)TkdXxoB1EA%?*_rPOSpb`ZTmo)M36g8>&i-qB@Yc*kYpkcK9s0sO|Vis}Pxo}b{| zsYJJA9mK29B?n#cWm+d!(YA$-is{3%YS;9g7bL&5YNR;o0WwGvo0X47WJ-i!E&Qj^ z)ptvX%)bb<>|und^VgjJh`I$n6pc;qiNfTQCBwl;fh%&R6$u(+0bl-eV%Ks*H|4>t zDTq)(G0ZP)LPA9W*!yB9=M0_)*|&<~IskDZzKR)8 z7f!i2w*3N&$9ZP-0)$D~zDY%o)dP*2r#|BVwPa%MaMqdrs3*Fl0>UDU)-~lsdq@b^;l* z2`P~q=32NR=#=ymD%CusEG{p0-Ne-j8@XU|S@vA>j~f{XffA@ez7bJUeifu?1L2f0 zP$6VQ3hQr{IA 
z^jRwPtI0d4)k>uL-GTU8q@(kJM3369J3@y>8%ma}AHV*OZ8A*@#VN!7e*hrV(@{98 z2-zOg=ctTnGND`XtBpR?(k&5X_It-4omFiK&t_m7yv{#I1O^KiSK>w;@?u6{&j~c7 zb)SRf5L}QOcE=qk0j%4m42wKKj}xC{FM*wzZ-r@?W^9-Hg`kECpK8u>b;|CnUg5dZ z-o7kWW?YdE0@z|w`}WB7uwXvWQvm)ruLHXB?KS|(beO#phGqd4aO)q#PXTv!aJ0V} zXFTDkgG9%tO__{F4*Yip{?Now)81I-qFi?a&CWp>nuw2PaAYK%^dKET!o11|o#=fY z#r|Js%bM4V^m@RIrZWJun)#zZbcdVX_pk0FZTuPT*E10+pEZnh zwB{uc(C;0ZXlo5nMbivY8}q}{adCQ3SlFL}U!c$xu*&`!qjo_4_cPz=7sR6<6xd>~ z$DA@R<8*`Ld{f{z=#N1W;>7Kwng+*-Aq>d6H;iG#P~{KMlt?3s0${icBmsuVCk=M6 z-7n}r|@VT&vj%0cvY!+4S`+KRq~LJbexx)jGF zCXIrWBj;CxEVw#Mk~o&JGP+zUr6bnD8cTA}yOKzv*;UQn>jN#|db4He9$X04UiFN;dAKS2M*BqboOy3*h=0s^o{IQ%=W> z@%Z2-9`K7#8<%tAV8oE^?*VWmD82v~_$Vv~p$taNXosReV111zyunpdiT8T+0WtZw z<$1Flirr)gIU5{dfHDiASCnvuN}?&3-+6KwSO=5`Ri_nql`Yi4 zInnf=AY3GMwpdQO;0^|aMJ9LE5XDuk?(B&VxL8)uIlbj2R%8pPEL) zUL~GvoWm3vd^dLf{uiLgl?!K*Jir4qFG6Fq*scl2S$QL`1TT^zd@slN2v_BVgER77 z0PqzVbS@lLB&x`sGhiz`qS1lyX-{WJDL)+E2#?567Yk%uZ7Hlvj|Bow$)yXIX;bUF z&UCi}0#Cw|Y%h}m5cu)l*fVIr+ebbd@iI-9F zL6RhWFjT>M%FqImW1@omwEvda0Al5Cn@$95;z9V)nYxpeCcei4F`}?32&YhY!HfnY zHb)%}wn90>{e}xDurZ^K*RaddM9Aoi3-<8^K{7jX3SS?-ERnm{@Jy_|Gkd05qN?cq5|b4+SyY^Q|2Z z5fSEl9a{7*F%(i}k!n4YdOs?EaaC>PIxloJI4Rb=7$)iz10T1~F=vLxcgEo;ARLxW z^)&gOf}<--2Cs+u4RU3NlFw-b)M+B}T0L_L2jSZuE2Tt>2yftu>jod<&jX~6D$a?@ zduXim%&9H;H1Ohr%~?3Q5@tn--qye@78XC??h_b6Nt4m^k!hS0E{%N;1XT&G>Pe7C zcu+~C5v%vECT@!GC`mon^bIdcFz##Jc5vJP{rr{_6dE3|QXhp!;TrCf5oatw=D`)t ze8>`zonu1~UT0&-*pL^Hk1i+zqp{-pkpeS~cU8QOx=PdJCMN9|K3xD!FvEHva6xft zTSOmVgJ*%(l+FRe$Q3vE5p)!NK?K+-n0govgjP2O?B36e?ab~<=vCiJfI5Lh{ed9z zr!eOB%ckA>Obs;!A2C5{Km zaWH;R6CoZH2=RPnYE0C-LXdVTP1?9_N@ z=NA6@kR<+Ocw&_ncXl~wKc-Sd(9i7j4oZjAE>dZH7txP{3t)!Nq7$_4h`^K=9sx0o zSXShaJ$FI46sMd+kva^#MDr~dc<7uVmwf<^3l*?6;4Ujb!={uyeS+5n5+zYJFc1a*15Dx__L#k~bmlSw>ct_23A z&oC9k+j1zV9+}|#HrO7Z*|pA>jy-`W7LM^9aaUJ}oD}#LGDkm4Hq}oa(UD~xiajf@ zaX^e8-#g;4qUFud%$u+-RHmpAdhV4~PFp6L-{Q%=!|4(B;wmzN%%Ds;2n=JmT~4li z_9?}&83My2a<&eFvO@Jo4pdW7@P)NnzxetM9LaO7$z155@!F<0# 
z2z+Fy9=?O)laUJmj@R<4QkrGW?yqUZLU7%J4ohZflS3JzPxcT#5x~XvXOwtYB^F@t zu2y+R6C8%mZNwac7Q)MaBbZ(RoE>u5Q7|D%VqJd|^<`6wxcPq4rA(DY-O~smq+=lm zL?^oB!}Kt$B4AA~gl%NN3HCXY3`c5Tlkog*L4+qIe3Soa^_W7V{^SZ;S>$!ZdtlL0#HN7rPe{ZV0i318 zOFV!Ll^|K zU8F}r)WZd%wdJFpJX?J6dOFE2fqvZflxN1E7$^?}vbsd&Lf(brh+J=i3||QV5YHAa zI4tMYPFU?8t( zC8V6Qh>Y(sk+~y+-u2X{6#NDe6|o8 z_zj-Or7TNc-iNmrYgq#K#*!z7<4n9=#hQczRclTz<%$*r2fSDhaU`G#UF7MrD2W2Y ziv|R@;&6*3Pl(i|gn={|R?&1*-*X9X8b5|kj;z6fjtBV?3uZu$d;)L-V-Ir zFN-eowt_dIKa9xT3oBz^=7;%R!#9`4yDToi=;w$$<>;bagI70NL9Rf70Qv~hxsyc zg%j3tG6>jsATWXRCZe?k0g_lb?OY`kk5?J*qB&p>k59u#eTeCt42XH})EGG_P-@>g z)kIK3gL(|dHyyHQ6JH7<4bQ=*kdMI8!wV4HU9a&dF-(+@pCMGDg7D(V7sM4dl``Nu zl&3f-yfqrU0*fWBC9scI0Hx212EeZ4{6OmKqJumU7mKbrX7IlA%B)EhZq~!{Y(xUG z_;D;?z*zMy@cW2Zt|YN`d!!xj=>c8iAfy4KY$C9=a znnXBIqyId*VSn)IR{vK|L12Pae0<40{s$)Cn#M%8lO{K^826&W&?WelqRx`aySxj? z>MfJfy7L0Z@+e2(^u(}4TRVKTJ+9Q%0}ufp|6ztJ2jGjzKZxyo9g03(x5|l-;Sx~y z3(BhH8|FC*sRVIT9<98ACad2I6jrV!TqwcN%EpVmWL0^bmAI^1r~urV?-oM5&H54` z@lM%5!wg;?o&br57O*ise;{Dd15OjdTL?rGV%qEZrLCdau_cQsv{fl~zhfHq5-jNT z&!8b9LqMH3=K4Z;LJHT9)IhTMgh=ISWW|J~Sak3xN#rD%h68_j_Vv`JB==PbbgGcn zmbrl!jG0Y7ppK!|0+>PLAUBGOP{tH>;wT*0kQsZ-d|OtkAJppnZl+*)=EE1~;N_e5u%K%Uqs@xMt zgI^o7wx8wnPnEb`F3@^Xr zfC3Jk!oX|bl#4UuSo!G^1f&SS7ha0T!3p@d$~zcOb&+MTaiy9`9)LfHzcA)$5z~s4 zAHO9TT?CXuHlaxau`}6`p@a8AgC`NLG8X)+ywT5trL;L3&m)>?;PNTG^+ltSv0l;F z0+5j8G*~uheoh)}*)XSpr^7EQJ<6%LSQ)8XuU~75v0& z5vkyz80rRaxxKoCoFGLc)EN7hAWa}-U_kq>FbhNiT3B?<4E%BuT0x<<2 z#3FNA!Q~$*87N{Fy_M4v`=*oQkNKhr(jsK>!;`YB z_?dfJw3T@kh@Q+NE2`hkF>*RXugfvz6|TIeDUM{Rp;sIF8dy6%Jo-oROzP?t$KUb8+tyBI;EJ z%+?2xaU@PrB*ImN2wf)0LHY$BCm4aih@H&Y@F9q#oU8WUFGD>A6;tEVN(F zu)ZwDkhy^w7tg7xpf(5PK1C${7`%S5cCz-6S2E!Kvji-|vWhyrD zLsM`f557#mP+aj0X+b(OhL$`O1Ql3czsh$Vtw1!(0q_o?1hPhD&o7SX-CgPla2q<5 z76jBSc?2>8xDW+_JL#1LEdh6^Po>oTvL$8qp-d^cPZBu4Trfik7u3KD)EL&#Au-6c zMyO_41AY9DoE@wrbfj+K4wzV=4e=;6WjYpUvGNpiJtD90;P~8I?vH^`E-#E@F$Fv< z^d$j2OR$av{3?LgahEXQg?wr8x&{GXMAgv_%TbZf4O(U~yE$+yZDTCFUQ9j5P^Z)Y zF`fFeb0d z9M32GfGsIgBV@`D&N0ZdVre@C 
zFbM7-G=t*|CV<|FxnkirG~i-&K%9GWD}5sR)n%jz$P7Rqaieuug_yq(3R6b`pqylk zD`{08_mg3+u>{6H)a(#J1F!9Yv#y0kR{;FhSc$?MTInUk*y1FC%Gt>v17v2|bno(G={M*Jz)|FZrupSEIt^4k)rhYDkxeUN7%sOSXfukQbTW?3IP2|dmLJUbm4 zZ4a&@)uX6VF{10u$!iEqCbkfIa4o*1K61l3SFDB2DB4PuR3zC}b^2FIeCnMXm}8xJt2 zL(JkS@JnJ!s9boFE~N+y3H1EbJc8f`Ip^9$w2VP=a>`V}|fjXgPBqpqZ+A z1O#7z4@H;6uL!4Lp$mmZElLpxZwdo^?{>izC}E{{`k-EtID_L!RBO{7V0pNanKD<) z5?2nmdFyb4?il8VnH@yb}Y^LOj-Lrk!+1ySMJ{ABQc_mIK&kEuK z~mgM_dB-PJiY(mWT^Ho%TJ(PPqF^%`n8`rjR(2^^bRM|AW;>cc?hpuAXGFd%^Y zr3`s6VuYPJfhHO%P|w61NQg_4&Cb$mxDl|`@wGaZ2{)ajJ%^9&JGR{<6jF!@=Yh4iWMHC3N9L|)4bVup%-%-^#{d?~pGWY&mN6+G61IF#1g{#o@m0j>b=(q`DrH+??`0iv2Jwq0^U$Y7m!gmaY zAN$!!k-#M51jfif$^edi2hhY861g6)6^;{N6c8)(qsj2)^dZ>(lK(a4~d_QH9tC400{f{;B^7Yl|5N8o<7!Gr@X49LEt zMHGh;s=aGkQkWWqqdXPH30+pS8J&j@MipEdr*|`wqTx3<^_vVtdNqQX&S%wmVagr^ zCND1mj9e_Yvbc?lk}oOwav^2PVlTmu$DDNq`|^ zVjRZ{LRI4AQtvW2xI+Ngz;S~tNtpl!A1F-25vJf4FU|2CFa^{-mQ2WRp zJT!({39m)V1VPr}ofRFd+@=c|b$MrFX&r&J%awUE<|{%fZCJqyB5 z=ZB>0G~j$#Vb#TXWna-U>Ga}|IFV>TLZtm`i*W$nNC6kx`EsK}it;``W*yXgIbWfr z@M03-yPw+_RZ0$K9zyR23C}jQqj~ytfFxs{Sh|46<7C)@(rBvm{Ly_W2#5q6u|zMC zLxQH$O_Bp$sB1G5&U%Xqf>lGls2l{2oe>?At0M>t25#Fh3RZ7Qx9NP{BE(L0|aX5z~ZAOECO>XdP_5sCN-VlTD7($O^ z<}v|(H0G*_?s9y3L1Dhr**Qw-908;%<_oY=Z(g1ptth3(J-O1_R)Fb@#isb$8)n+W zXi}Tm^PCk!1o_WE$VF_lwvZiY*FnN@$-NHUcq^iNIJwYetVR7JD%2BD^QfCt0)P88|mBNO-&tUwq*Ylc1hcmGN z&dy7XorS4PoC(+Lc|5q%ULf$k^G50-eucDD4Xby3kmVReRSon@CO-kv)g^>f-k64i z4r7!tn@u?Fvdi09iVW^uL3&z;ZzfXkVrsty3c^+vHxk=NaY< zeBtStPDkbg!%bQX6?A4i+_^CdseheCp3CZvyhIE|XMPxS#D{5Kr4tQ%sd_d$GWo00 zlEeJq@wF>#4e1F)oQ{|kEL-UX?NrGZGY$d2V=6_>w}GMki6X_z92*~RPKJC$5a?er z5Y9YAwYQLhuZ^%)_*K#IOg85A0t!U-&=rYpy~FE4Dc2j7Se$Jbl>U(zNiL0=a97VF znKFxku9ARjt^usjtYvza#rknATt`_6Fzc`0@Mf_i9k=T2n#p+LI8Xrto#uqu1cr3Z zUpmD2t?Sc)a(x=Xq1u~f0C|^)DDoK$9(RBxc-{z6mzfl4ydIAIRT!qcz{FRG3{58M_9XE;(3$R$ED#Z3Qv7W*SjVJT;<0TWHF^HvTSwD~K$mPWKXCci+@O z>vNeHpX&x+^l;`^xXeyShW8k|Ic_9u#<7$^Y95t0O#+Iu^|bV4H=inPq>AfMLS)Y+ z^EG=d&OKl-g{*kkpc}(@d6F6fSA}bvk8vnDTeLRM7qNzWqv=yEo4)Y&bl957f9YkF 
z!`$S3$&wd2(N0D;VJ$JMATszRQxde!rE9}gh@7vQ1o+yF8hH^_gwAZas@ZK$KV8Oe zOM{Y<=nqiA%_;!Ej0ZIL%2OOOCS_Ms^-*8N_|jZ*d^3V3V11K8MKfWIHmg>Qmb|6% z7*V=qNh_}i$lIrv5!yiO)Exxcbn7qUeF6k%N-@F)8vvsnjKDGjaq3-++Th&7RH*&_ z9Ob;7+3Ti&GS8k-YhhK?`KM^W-9Bv}=!n>r2W`_Ym3{O}q+g8)X#zA*bmH-bPNExi zAhe0?;~2*5L&?RHyw19*5%4&R4rbIjng0E&zzI&L zt)lgf1f#8L+S7nDg6^_lI(OB!cGZO3cTF}m1et|A#ALJugBl@&WGe_*{c7mEQegl=cB14VLA~DM91O_Gh;YBJn?awth6WOBqEe)tS6V>wBa__ z`8e@5BY!>OBF>|XN~RD-_-RhO{EJn}AA6)a0UXg~?;7PXeN3;?+ci&R6ytV(f7Fa>HzSF2u!O`5d2PCkBcT_D^&qc>1vUcP$@ZXS*p8;2@+lW0Uy?g^ITD-g zAq?r=ftAX`dO$Hjok}Ur!6XD0HDY{FU1vv^Nf))}|Btyz!Ew6w&&YMpAaY4y3 zNa(f;C7%BtZuOL|-+2dc=r41&{Z?+%?berX0b; zFqB&XlKKxG1A2JZ#+!K9H0z8bH;^^g83e^XgeBLF7d*5FM_bv^1Jo~Qc{Y}Z%vXp_ zlRb}&+bEcd+{23RQZ!1ajEgcO5QUhMnR^;H2}Go`L*u6nt|mREGEn4lu~0z8Y|-Br zpE5f!OC36&6uRPy7%UMWF)?k%aCrj}*0wnWCk~=>rR4H(oSn!a7YZ(%*UJ~oE?k5U z5tV`fq9N)uIP6$$M8JCwVq(ZTqIf$O+76o#tJ?Ew2vf1?0m3=Vrr7H9;`kd?RGi@j z!#zz9mMTNsgzhv33>a6)=l_UvfC#I0Ig=WeNEIUG&LINLAdEl^2SD0NMh{cW%dTOH z5+7&?0q`>Q0oz2pRp?G4mRq2+{(zN2#N_o>k3xx{@5tZ)$OvoH(L%EzB|h4CE|F6# zLRJAEChr7p&x*9`g;?9&V54))D6XhxW<4)lO2vrjkJG;>wY;HpVD$`4Pi;2*5}tF* z%8_G^ygLaf@R*b#^flbdz{z61{uKGxzy#sz31|T3tFX!WPz0xGI%?QBjL4%+-%qKh z!Rnd#taI@@8Dc{;5-R+F5sC`Dagn!TFd{F}Yd(TiDl&3(COy`cG3qXs^IHVwwuG;! 
zK2}!+sSkkBir20=Zin2iWUfM`4clNfCrRGIt;?IE*VWSFEs#$ zFa$y{#{<;#>e@niBvo4ra?u1o=f%Z?5DR#(GV&!C}b8}9lSSZE~-ma$~kCJ#jV(( zbzTb}7UaSfK{@fcrRW-D6yX8*Ld%(y%+1~fD&EIbiO(`7UT-7EZi^V{#cdo=wc%88 zK8?oJ<dv=BuBml^nzhfp}YHV{0i#M{{4tb(_miPYLO zV)Ysyl3p6LP#lel7)yl>)=x5c6#C=<_+lnIwxxBej|&iEN7n=oU+Od4vTU(+S1@~2 zBxFc%Oj)s91&^S=oN%fk%i!m$s`&WC87cllq%YbJYt4~>M*#?v;K^&^zd9VXVl;wDM6U_ihgZT-P(}EbQ)8H1F(mP{At7WJTp<3hO4xJ> z>x{1u(u1)m2I#|hhYEI5IebY5-UYv(t`Atey|VcmdLa*=2Svvk-YI2CHcKYV$#_Z1 z!h=rAo61CRjX|UCpIy?Vu*CCZ5R9mO=2(1{H>T4oJ<5~F5tudRY4=>3!cnhfmH;E* zXl1QfU@Itmrc6>InL^gDgru%Gwn_3LV^%Swa`^kD>K|t}S`a(6UCQ+PnFLRNw8Y1#Mtr!Fq z`daE6fS4R1!cgF;BS^rQs`NV9k`guuJ%8?$*W`&u7w~6_5c;|RUGdB<$6_mui3ejX z(bFK%^qi|;BbqG9Tt=zr3=lTUhp&jAy(HlW10Ksu^FDcAyf!p6qWi#tUh&d3Nnn@1C zhF`Eq!$}W;;umS_8yg~G!i0@JE}j>oP(ugLcEp3n+&Jz${=Ckx24ALN1D~aecLD!Y zoEK4vMHUSJKdS)AHss2Vr@ff0BE>b}L9U+s;3a0%GG%zdj$>_TE5qZ5=rtUTfwD@h z`bHZR8A@gc`?~QiP*F zEKp>UMrYJX_=x%;dZ6THBBscuc$j?Ln;lyhLLQHh!L_Vts`Ip!uwVw9VLb|j2moJp z9^6cXr7^fE&3AdTG%A6oZulCJ>O?ZHKPD;+lL;(@-2JRh7Z+l4@8(oAR5ZbM*+M~K zn@N1P@<-&3uZRN?GipMDSH|Zkgz?pa5PT-ApQb{-u#N@5?~6SW86GrgddmbhbThAU z>N|4bGQPkxwVpDZbe0MQ)DoP7I=WDbg8aJAVS(T=%q#z*Xq>~Ci064VXt_HPLik*% zh!|{fKmR~GANPzw?o9=wQVY@X^8Gw(y- zBtsB@Ww+!!s z0ccDW=a^T{5Rl@q3+=N(Mj+sz5qe_0AXkA%P;VnFOtO~-#`)v`JE)vk@=pV5L109+ zzDl4EL|jqHCOSu_%F*b>op)hZ2YT$M0$8^IrE$GfqoHOo*bgfH&3 zT)a5d>^8XTj25g;X6VrBGo5BQ^JNdp%_yQlkTGe0taO6N74-FDM0Qkq1m&LqGR9}c zZ>*JBr!e*E-Rdsam5n^S9dSriYW^O9N-w*f-9hS!~HRq z7CJQ;ifgZO%gWrf}2#rF2|@Y+u_7bBv9BP`6@f4{w}^1 zM^{LdBD?>gTAfp^Q2B?o5`d}%3Sh&^l)cxky)IdzNpRN%I;>mzcD!uL2t3cC7B^-Q zObJHGI`6qAQ_1mUqbJgq5$xCGMb92JTAn1YHo)zm8kHkQ)soCs#_Pq z=D}A6&&^+(Ksc*mw0i_Rg3BPe7@V=yoxFNCF@VOT^fm@W0$eiO)b#wQvdQikUDTBTQ8T>vzhPI5CMUpfU?a<~ z*$dTO3{~}jS+McDF>9l9fj0i9)h5qiL;8tZE&6XLkOp~I2Er@I%6n;$oCBmBEYsS;Bqu0L|Kk>4S3k9aBPZ#mO5)yy65#h~f zNCD#yCumf#Ii|@QXdUqIw90qf%^jVDwl#iNWeMXg4T3E~K8|(IyI9&S?sL&F#T;i^ zil>sQ;3Yz6^AL1CeHV8iK0_o^p%~aA&ka<-2S#D|T{3~7S|;W^=gTGSi6Rnb;{Y5q 
z>qK;7z^5D24_m(1L{c~S3D;34GxV-e?cF#4nPDj_;fr~zP?dUXbsWLQQesz+k2(BG z0~l86t5^EYgrIAC5aBN~v7qxCT&Odk1qIb%1d*Whr0m8;Kz5-LV72oIw60^jW?$!h z0Hdc%W0v=L0?VxVQTpu=Dzz(S&F-3I#^(?TaaY1SV}PEa;Du=TojVp|c?E$&v^-TZ zJj;_MvgnGoM~RuzT1K?V$3~YJ28fjLH!U7zhJcYiLB$yoG6>!$36uMVw>jYe%;>!Q zZ5B8WuMixBqHb?uN6PRd9^Hu;Nfax6dvN0!KgU|g9R9%=Bsru!k{y#kW`iGV$M?eG z3)z6kj-N@b#<7W|V|W9@V}|MJH#%sTvzNsqT^lfA2@8Fo(A3?Coe5ZOR!6{|^l<{P zt5n!?Fwsy*)Ub406Op=ZP46e0F&mT@ zt&s{dadI69p9L9EW>~nB3awf$CMGT}i?)ytGCX6+C_w016MBAW;EBMky4BKndI6=pJ|xc( z=TPPHk@U&vlNk)5~BrCtnXO|C3aj_)1Knvr3y z2Qt+OgL%{VB?tg}iGu*#ugMTBMlw8(V;4^gC7j-cRdGhcw2t}SlidkLBnrI7XJeKh zE24abG4SV%gyoe=C~N?x-1?Cx4qJ$7m}-Gb6v=yl6{lzvYQxUtGitVoPixwb(g@2( zA^3qrPOZwl{B)=c@e=zK952)~=~ynrjaQJOQWYHR zb>K?e7ab08U3L=3jg+<;H=^2W#z;#a43*l}B$v(8<{S~A1c-Sz1ZEk4JR-Q34f9k@ zX5o!7Jrp=Tobf?V*tQ84NKb)I3=redfEVp}3KB*}%8AfWbn-~-`2(3UFysi+ddjyz z$01cF=K%xk!j7}Q@4>0qAxVYp3374B{F238H`Z+k4PMy?HxRAm%^^LR;vTI+S08~2 zIyr zgb8I5 zTsfI>5N)oL)#JdBTQU4Y>@+$eyjZXleW?YeD?=^}-p0xVkyazR%W*(TM3A+40x$?N zZ7>2!OJG&Cdtg$)qXCXi?xK#16+z>I*L}4r(%I+EF>K}XakmdZ;(Uv{&bp~MN!nxXJ3($x9D<5m530$D zvmU4q*3#hg0IZF_jo9`3ZPLH(auU1Y#)&U>h@$GC0PcKnSmp>_Wyb;(H)Dv|&uc|* zjn6n6zjardn1xpHzgJDUUQ9TyC}dj!NQTc{n9{<)()9Bgk1c$|d>H)fWEYt0mn*N` zUGR7o$8+M-!@(b>C7x>7GS+0c9t%Q+UMwI)T*^~otKt+Ar*NcJmj^)WTllGf%Mc(p zy-dT|*GyPlk0fnKo*o5wno1V1b7M|lMAvY6;+3*u|^W38Zimrh> z_umMz9e{H81;`9(Eh@b;7Y=2Ppa@F#8Zx3q-7*gP z>vkzTnI4Su5D&f`1{bE6BsaX#@ai^Mn6zw}6g2wn2d3<5R`e67!t$%$mcCF4C%53y zWQVW=+EBNoN`f#WTm`>)5q0 z^*l*ic{J4QRJ45Clz@U3KJzwPEfDRm4rDy#=4OK<~UYcHDmMpc60r%pAl1!bfwCnx0(tyq0# zEMk`0?D9h+UUP#0$DIXCs{B;o@shK)4XL){GSq74N2bh1eL^{-aye>RFS#e9tD|SM z!Tm~XPy;g|YOlSyPc3*pkgD)UU&wS1QPHlgvOsoIy8IBYvtw1UZ67|O`OXQ}e^w=B z23;I92}>D&Qfhq#B`4-E+!Woyi*H_PHFL)vKeLS@AZ_-m+IA&)bdeC0_nea@%ssp~ zwiW}h&BP+YAt&Ju2_vkFhDd1Ht$U|ZK2#RywaT>k4ie7x0&-zi!sggW9FdxV9HB$R zI?fK{rusO|@^ChATLjou$C;jKBtwpyjDUe=?K&YZRUI}Gs^3g}hkDhz4f2$+A>E0G z)lYPb`T_|KcyA+0>?dL#-G#_Oel=ZkDuKkkK?v?QAfU(vj=ww@hXc9wm2IVTJ4?d& 
zx&l5QbK(ar@7mLFLj@Y1g9PD#Emqq}>WKcG0M^BqOXRl~I3F|D*uj`xZNLYQjHUKO zV?u!K34g?Y;DNz^OntQi-4BP+C9@lg49c8JO3z6kqA8Ei-I&6X2iejz?KDxwdsrNP z10=U*;#!?8rG(oR1&euckLfhBW@fayC0~UBW{x4-)4P8FnorBAiAlfaGsMaE(T(d^ zCaw>C^CIs}RsKgR?bgj)b#(Np>^Udd@^ak`sxn;OkKS^>d8l`&&sez4tqf%Q3n)iF zxgcu@eWY_14AdjoIlPfc%{HcSWDdIW@hNDI=itlZV?d~11QP0+4O4CCb)kdDCddt7 zq-XRr4V+=Rwp#WyhV#$jh@C4RC>aNIMa9Z>U(8y0= zYPBzLuIzXgrHMiS$y8X7-3cWbUJ@(NYo|5dX+*~toDe&r6sB3plnA}_E90qZR6dD^ z)Eqj$^(W@O$;xE2A%M&_KEd`^cA`HY5fAMN4JQh8x6 z=G1d9hr@66pd=@LD7#Y=pQaieJ+LFEY_$m5yercBOrFt5LPoOMwH`zOc)qF((s!{& zZAD;5f2nb$>jHnfg_s-7c}mtE#8TxQ1Ou+Y$Fw(mo%X1rhMCF`nMM+W^gMbazL}(q zOw%+s2+b!Q2Gs6VO6z7m4QQv8Kt%4ef#OJ>O1kI>_DyR_G8QWUttI!&tOE4JA9z7B zUp}$+olV>|i^}n2LV%A&N7GSwa$3kd91p>?n-{`Vr8~ z{6qnS%ZAs)04)b`}>~at`6f#nBen{l23s8Z6&3?OFG%g6~?+e zh?q`GO-^|a4_0IWbt?Kppxzbq2(^SN89EaPz()a~_=TF|Mn%D8c3tJ^$i5g|r}_6G zy=o0+^wt*?@nokW#5U7J+_+B2WIGG#Y z9vt@xu1xG??m`E+mvX43G0atH#n~61VxudEK=S$(o`?%kJ$^`y*+w0c^bbB;^IPWY zduz^QAB9ne>+Sgx#0z0x0_@Lw!1%k#DVIxo2WpWM1SKUGl!fS_J0lw0(f*k0hq%R!^9uVwA z$3~LMi9r`$X7%Au^weHU6Dvb_3ej3)YGx6Acl~z!*R5p|9^(m$`(ZMV;FoZpGxvjETRqy@2?#6pmPe^vp^XulE;gr(R%bbS1X zinwEaFZ{}v1@oFwgNJh9zRyJ$^a7g%+u<$>o!;Og(lN z3<>&+i__=AHp!7hU)sXf=U)$8=rduWT!R+6L&2h)DNt$Hm21gZc5UKWLy2OhIZ%k2 zpCl!pB0*Ba=r!1klXzVS?Z7EpkEl?v;1 z6hqBSC`ba%s5c_67^o`Gupy#3jP5j3=}j}z9FXZ)j5%>mQ{M@Q(w{a+9W0sIfvYg& zszVsxgArlgA#CA3_)=#zBsMyU+mv4^5WAF})7gp4osx*> z&L$gr6GYxW(fWhr~hUI~YD(*|gcqWo?_6<#xGEWeazdjntg>W?wjw|ve zFN``zf+@4GCgO?svCe0^jt2q6t-&zxI*n2;a}QjucJReYgJnVxI}9v6_X?5r6<&lo zOqfYVB2#<|EqusIypUdl2xB>jA=8=g$gu6DsVDcUV7t`~&bT?Yfaeps2d>tkglvQI zrt|oCTtn%DE;Hk}O=SS-9(A$u3BpkPR8{7$(J`4*2$qnk#y0Up$sF+QIkL;ayTRo`T&3f?Q5!|Kb(d=g=5?QcuZ#nY$N`c7veKaZ{A`9 zn7J81-nvnFLnBNY8*!-y=(ghhifmhrtgDF+^2>q8#K4cUOk+yg~G z<4`*yZ<%p(2SQl$p4HlIMBug!4qChV@R^w~K{(iu&WBV3{DY1Xaz{Y>pq=X6`NQtS zMZO0V6L}&T#M;R&?>Bt~WCWW&`mjr^dqdo|CK-=kxi-DGJ7v8grLNG+qHCz2cB`zT z%;9OrWzBNuzeLfFA=!B#X1;yp)5y%jWJ5cFW1VkE%>Pj3O&(rC>$M#PFUlQ*f>`KaSys3?wl$4^{8O;Ks78w*-q04v93VYUYK&Z@LJ~ 
zL?kr0SZ5b`a$fD?pR_Jb0&l>tvPkK~-BMWuX3*s;KX~*OVT>7V()Cz23*|4yE+^x9 zMZOKv@E-zp+A55-LpKrSL>&d60*6Evz{5)C<~?{1tr0C{oYqGUq0jEjTDIJ3V<=P) zyVTMSdU|e~3EPxdyl-;i@G$@!%9^g8O(iv0zDmILKr+Q$TjSL-ZVZqS_?>7YuSb37 z;lLlCoV?7IGtJ}FfSI?sNj41#c@0G3O!xR2=n}P(^YGB&->y86+Xk$D%1jx#lY)~^ z_2qUQW#o;8xb}?D1AjZg**za5s*@LfZBuB`Rac{3Wq9zZRwEb-o zGF`a=Oc&wN%7ZB~^jQJOu3bFs#CfI#X!Ukps4Kh9Sb<#igTi%YypZ)wVXsAMYnCDi z){>4UUc=Sn7J_}{!O)*884}HyR6~9y#p_kX(EKozr!GLC_ZW}}^`3{>`vBoImvI=- zW3)hB(?@Ts7(8tzrP*HaBEYR`84s98K_;CSzopP{PP=LB53|ESj~b5s6C7HaN!OPa zdt%jdHO^)xe3^}n$TPa|K5wXKt`#!+trHdUjaak;E1G=^ z2ox_vsKzMVW>PLiR`!>bQ*;!PoHq| z_z{Di&#O}W-dEm+@LGJV9cxV?(o5g9N_~qEz#M0!;zV`{u=0?Vn3nVz&D0jbR-hxB zM7xYq>!CRk-UEs|DmPcXKVai7NNZ8fXA>O!Lo^#v?^4_AM=nzJkbOZjqFrv1WM5 zFSG<65%{MKBszElr?M8Z;c?UvHJo%$47|1iBuS5%hv%6{z`f?AWYR|`UDXEE2@Y>w z!j(%#Ljd$PoTRr7)jo5F+@-L2wGAdP?Y3n2KTcH6O0N7a1t(WNePMcE$hVm&gj_>` z;n0R`k$13TJl`@I?qOf0wzX{Q$vE8ONjcCIj{M$)Mu<*8LBPG(9Crr0F#j=Ayb5{8 ztU`(QCe|vX9 z_R?V2I&)C`ZX5>89Ap&8x$wev98g!s99l-oz0|PLJVgthV6t!?!a}h}|9WR*AsLR? 
z6*jZZ9qvVzZT8Sd`oCN<>C!(r3!u4Yw2B4hDTob_w%u}dIlM>3~2G6K>+lE|$B*|8Rin%e4+N5+pePoj~M; zN9s9760gys$7P+yE6yRP(8Qs{51uodWd=uDj4O`$rodi{Nf6vRQ6V}5mXn$8Nz46Y z;Ld4pIhrQStXsS69+|b+UXGajrpeMg#*XQ|QCnuOFsB>AeQ-7^ot<Wr0ZFub!Ml_h3?S2{eqf)md7z^XB+6Af7motatH;88`$ZDk z<^%2WxtbI+YmRFBz_uPn(St^va$`2~x8e*gn`9Dt13Fdka^uaJ9w1dVR~ewX8IG1A zd5d(;4^{a^qgH3u#gKCuYCYJhrS0>SPf^Vwk`wq8K-=Rcyb_YzL(7G!9?8l{DNq{i<#s;{!zh7QeOa!2Fn z9!Q!Eqq_V+;*>)uBcuV-FtiQ^QXMvT+h9A4d;||A-4h7pf0Mzoacqb-(&BNZyAk^U zvql=p6BkddyD~E&S!f+VTssRG@DDHqnW0!Y`dXN%oMi;HX=(7vPIK2w5fsiH5ZwK< zOn8Q3RokCecQcIwqR(;-n&V)HF2=ys9A$3oMAWkXlK0^KFbhz@>(yU0M0pSj2>th^?=U`i=%!GgdoVhFSs7)=zL4i7p$6xGHs-Z9 zwi@yb>pY}StZl;J$S5WN=(t(@(ih(Io=iC}u!nx37vo>RQ5|3oXZ~z$e1j()nNt?Go9O1W zrOj{aNY$Oic7}U{h86P{Rn38=wDs(J^smZ1SGw%D;rQK|fOzP+PyjPHIn z_7xEZ0X#p)RCJ*f)yFytB8a z`|8;Gz=Q`K8idv&9D$sShLBdm_T@2*G&x`4S&t|K?E~H0LMo)m3(R=AmEP)XS_*b2 z2Uh1XD^7lAB`13rBcojf7@22PiF_`>fX{Gbd!vHR*KJ+(X$7Tu^@o82Z3U2>Se5qb zSKN7=`2EQZ>3r6?bi5zod2|i+9=z0EfQ6iP;-d8?DkL?h3<~lYCLvnFPm?=M5Od2E z98T%MO2g5*kc(_^bPb_n3#pdq##Xlefr8KqeqnSJrzmYC+9mVWxX>`p6x=CCfR3_A zMsCE*Ip>sV_aqkGMrV;693{d@KddzvXo@2^U@4!Dx;3a2i1$LVxBy%uA5{?CDU|Yh zXG2uWHi(%iOI~MbN+BPJE4vgIdNNYZQ1P1blb6DiRerX3Bl zbStluCLt!UbCw)6-wqJncylQesPejw91t@YLYf!j(7X*u-gRPh5qg=8 z^9H2@@X+`KFQE^!;=z?@5NyRO5wlZYh}+5@SR-l1W6kU_Lk#96GdpgRz(G$iAlx+)D1XT_h6Iu7b-;blpQ;|Dz@=E$FaQ`#!v1d zAl6oCSeG-xM2Xx68T28spl^AhUa3Ld<3g9Tr{)Q{t&c%-D8nlcK9K7!Bbw$R2R^@L z0oqjvHffvR2c3z8daWD1C$sV6Hm+4|;lh`;EmF`F^cMWZYSDqn0B9qdCGB%1cC54w zvjHZq=bfhBPgt{c0$t2uvhe7!2!rx0RH6gO=E^E&$#(Ez$N^x;IspeCE_qYcj*C~i z^K0{#Nn+dxjO-Y!0vuR~=1KuLS~OZzm#hLo=ba9$kX__$X%94F%xyAZN7%AB_Bpx7 zyf~NOONMai&pyr0ac0|MjE|cS3~e?8YUPoF33@~l`I~I9@(~|lOL>rXM^MCOk)-Bc zuBiI#6HX?ANqa1OGd`dQ(nFx`m@9$E-Nm7gyvm@+aXl1~MF5F-7Tgjg`hbb1C(6z3 zLN2O5rBs^?ikqA(f%sVBPS3kgW0YhhxDajYM6QcQCA$=-^Tc6JLMG;}cwXix86-3z zmnT5(sdE0lqF*q)z!=(cq|GZeAMC~G@v6&2(wx6APnO!WAZP`YwU11wvzzNEk z0424V(F)lMfLH4jahWHm6`pizZ1xND*;z`9z2cCSc1YLzb6w%{x zODdlO3dNNQ1V3^0c0sp!EMRFdHIV*0L#op_Uz`e0^kU%7{1{75Q*sGv$t7EJFcJWL 
zL9@nhiQf7bQBNkS;m~DzC-e-f(obDznjcZj_7qy+x2DY9h{JIc@dD*yEvn{M0XF_w z`7<}@x_XrH3c0XuLKg!*%4$lAALZ3hzT{od!$~54It2Q)9MHi3#cV{}9=6Ar_!DM>05*;-9OuHCC7p*?bh4hHu2DrRcM%~4 zac)9H#G}+myf7w_)1E450Z5SC#vtWMFpfB;5ZS3v4Cx7qpiQ>Gu7~{FXxT4*@op6X zON;Vh%~zo(u9|y7hBXvAk{9)G2YIO!!MT9Z{K!z6#(;(QJzHG4#GTxqI6cT{x;*X~ zM!`Ew;v)9NQdP815|N{I_>vbdA57@WQmVIDW@iac=@u?|`=Gx1L z&u8W(^<&}Efh;g=SgD>SqLz3(NHQ`ABp_$~gfJ&*7;p6>GP8wwY7#4sJi(oeTR0Lz zrZWKLU9iIQE$!~7C{E5=wUWp2r=u<0Xr0#u)4$Y+(rtG~WMlXV#UR1pranU zZ4fs80w&rwJCT~x#$h`d?fnz54Vi(?;-iv`bO#(u$I1-0Z*$izP5lH?rn zv^sPa=S=u$FPH7fVFfl%Mss*prShOFzu?NeSa%(nD?4ZLUA6%mQMrqR7M)WiWd@BZ zY%5P{GK3v1K4e0yY@igU*+yIRTtiG3>MWQ;8+>&c8GR+|S<7nu)d#xb8Z&nCdObsB5TtyW~83fyP9M(BV8!!hY&v#(}^!Sfoa#5q<` z=N@<<=NM~vUqa*~3kzv%8Zr=@7Si^Pa=!0TB-88*n_p)lmNb)rxoWwtwq6R-aRi{S zM+Kht+O@Yj`cUaEO zRDY~}8AMhF&^WhM+ufmDU}+|JLVe5UrO9x7o|MXuCKBexnGEr~?#8!Cr`ST=Po(Ug zbmcV{0=fEN8)Rn@wd+zKOJqGMv}2Y1t3t4WNLv-tlyOtz_yy5|-G&9}F7=6rL9$ew!^A!re;l-*uv7bfnB>exQU&ukg@BRuskYJES9R zME2QFz<@LH*@1_d8Y44)g5H!!;fXkic@z*{eLkc;iBtUa5e26B=N>a8d=(CKjzsGDY@zJYSoeN~ zwS*j+L(5Mc1;~v9<$$$p?RCPq|Lb9PBHnRkHXudkn0Ys?{t#5=FNy}6_e_fKZqm+sS#oz3Cv79?+rd(dpUdL872Z*cnn)`nmryHl8E1Yj z*<|aE0d&lQ6Yg?l9Y)Xg0TK0XsktVHpANFScfk=l4(2Jxe8&UfJY3M-jIL{6 z#XWUtJtb4*)>*yg69elYDUdw)22(c1dh$>U4d$~91$qeRYgVuXCh)OQY=4MA$b7cO z_EZ9#^AHKtP89s@LKjRecoo=0s4O&!3x;h#GU>N9PLD-N>8r39wiN;=tpf;eR?xyn zzu?`O9cTz^B0^$Ml+0>VF*M{3F*twqx+Mny|HNGvXKvD-U39D7Ay<>jS^~K+ih?mCZ1d|2S#6*K=s&ND$S#5S9UZp)HIdC za;XIrJq#-)dmL1nJGPg5sXkqcEL7wCaL#pFI9{u>^I})LZZxy)7;|BVUPwPdD{Lh) z&_BRB(4luvW-ZD^F*As_9s@pe33;!hi>{!Aq9b^@FstntY%|=$4v>S`Qbz{=DB`Xy zUrgx7$kUGN%9N>Gb~yzWVY8V|y2dbttx0p{Q|(HS(R8pq34+wt;>y{gO18aLhQoQv zMl@7Vl;#1fYzu6}9Yw)|nahV4N41LksgV|U+M@Si1f_RyVa|xo$NaK2S3^e79l;R z0=WZ;aYGKO^|_VkdJ7; zIPoO28j<)amfvCV)MyxuPjcK~l1E4)GB-Kcd#dp4DFe_Q&eN{zIA9%v z2eSwJ+FkET$$Y@cjNZiT%SbRzBuv(hlZgMK!fHO9T51)C#B*LS+q0U8XT1y@8U)*h z_HgE;UC^A(nTse|l1!wWqI3R~%{h6@R>PB2_?lyHcsx~T>NQ_=^e0&Pa*=YK);yM(S$UJyl#iCwa`$~uRl+7gDcIWmZ@pX!VH~vy4FY#7@W!> 
zcmRD@$-vCwthFD>HJTO#cdM`^gYFc6L3hqjJaitz3B`<) z0YvA(+9BtfIqgOw*WRUrat4`7GnpeV-|-|o*I-=z+9Bat1k0XJNSH&}2!01L5Zc8o zi0;WiI`{n3S}X({s!Xg=j6Rut%w@W4MrjLcD0?U4i@wr=NhjgaqJy?XJ`{?AOjVWG z2kfq7ObR`E2n-y*r4f3e;m04jaFb@4JCzrNQwg@o4}OZDLQCn7Fh2GJ0zGD7yvP^% zaM62D#`Msv^4*ew{!kk`)7t8EVl9+h#ddd2TnuLbHTTOXnGFoW=2#eb zbZ^qv55*4WO4}^0Rs5i1eVph3WejB+S+Um@p`!056Z9ICRQZOCNMpSo%7CYY2eD&d zu0f=%I}jR>TO~MXsX4K87NWJR)$NQM;;#`^d#;G3w-H$w&RuakUPVO1dsNXN=O!8t z`b~%9fpZ1;k*!>4aTX@R%t#~{ITD={*+-1W=J|EdC%*7L%vGt}7kZ$X)X~agdW7f_ zS9iU(8um3XH|DrUDDC5hL547R;Wah@kxlHJ`O_!lY$IW<_qYJhRl;~&w@RAK;&As; zBu~hHPO7I74n5J>k5Bm8aYfW6zhcDq3xaNLp=$0gjJCYRtOyy>g;aZ>oRS4qEOrxE zU^$D~>BICG8+L?lBc2%0DuRF;f)$DjABOqpfZrGMFlo~nw1v2}wU#7_^WcW6R}fQW zevBe|SR5322N!UQe}g@O!JXL>^{NSew=HR-y~2(LVJIrk^INv*;L(Zvc> zIOwQvBk60K+k#7f+nLp3xCD2O3{G-fZ{{y&5%;py*E$>OnyA3r9c{xL6%4bx7#RB& zGAdekH12=JKs@kZ}OL00^R1gx&S0Ve0z;-1nqv_TLL_=H)n zhJgy$W5~=-3*xM|RBdTI9l4ewMne~P^7p?H24(0qufw$dO(B&ZAL=IOBFOeQf{;%Z9w0o?uw~pR!8*x`R+Mcna&49SGCEPV~FiHrh+U*aI$yML>|oKjQ+4^dU`!FPX`(? 
zWt47$tydP|;p=n24Xy>%uvxqO z_F7dr)kOU zyaaELQ2{(JEU9;s&Pno%W;#$y62+1(tc>8c*AiOdf z)`LEhtZiD&tb0(S(n3@b9;L@;wj=~R8(-{9Rb+0n2PoR`?aK$Gns$N>V()+?!~1g2 z+)oLMA3LJmsTgv80^4yLM^8u>`$F2AjwHHEr%wJ5yXrNg_^r?_kS^DRF^z2*P=~#v zh7FlSXJ}_S@tLJ0jdYsLX?8*^NUpnQ8?%QO8+eC#L}J@*|NJ-lVwLkeaRX5j)#HO8a@2tFe}~ zVqZAvhjbb*7GE4i#h(cOsGU()OnUv;0Ti91GfM+^is%6iP_)=B@JtHySwp_U#iy^N z(7KkA4*w9@52;i=v&Ul_F{o@Zp{IFENzn~RooN$=V(t^=U@prM*mG2C@+blTy~UAI z_OURgmo!?+B5qV^(;VJIu@X0*uH<2ZZSLa-c)X~ZKA?l>NyJFGhgzkc03fJs&4A}p zCZwJccJv3jK#v<<&~m50*COmA!#>ORa1Bq!??B^pc0MW&=s~aI+6)g=;~%(4sP$F1tt7X{brsOftPBXLh8oruWEi-rSua%xWRB-^hvMf}afrb3G>*XB&d}qQISgwH)iJaMF z^qq5h4O^_+Z#1Ob%8aVBC}KIcilFH*vjAq$43IAaN|IxZwzP&Kq}IDxdtQ{|f3~@w z0Kr)dX^@|Cg~?x(P&kws37`G^Gl6ogGzXzc1xIBkF+E)c1sGX&xALwXD9CXz<})Vg zXiFv({hLI~L-ZxK*woQHc-(ggtB$YHF?UrD<*`DLXuVnUIc&^ykon4-+uWc{1>sVJ}%F-T~;33!zOsmA2y6afj7ORCQi#X0K<|xji&fP{u%DviZJf z^Pn(s8#oj4UAHq&U==||64UJ~L!gn5aX3Z}6<#|R z2~jiI0H}s5Gc%K^5mwiB0&ccF6bRLo^4>thQ1JCv8{5H^rX(#?8rraoE?pD_LtHz83v+_+oa+qxda6xtMxZO$KfWD$tbvRh2tqeI6&U{A zmR`B+%jPfaerMJvFMTsY?n--2?OBDgl~ANbm{+yBE(GI??8I*{fNg`YTrqbxb+%t{ z0J#xN-{}U$gm#e>xb7n~^2fQp?jBp7<})c;4*7*7{|K)h0q_U;cc}F}ZlI8-z)1WX z<&V5rLFi$;Jjt&wu$;-NuH0LL`<)6@bB89O=Tb(6EbD5c8-+qmOsv3!H{w|}MTpNd@p@ags5KIkC zxw9*4l7KyvP2odV%K6!l@G;tVs?i)(>+N#AT5-J65~Mk?$phrHcOwA zY>{hN4YkXL>OgQx?U%BVlp0S%LO*I@BWZ|X#}e6gvq@HDp^>wk=noF;D^ zCM~Z?nQHRlVNKzi^3r5<+*g=m@O4I3@QDvy^g@0ZK+u781nDF?`qKm+*PK&cm2(F{ zHSK>;+&(0+KOpa76AKW}DC>OW)7g1O&IyfPY5?b3mPsbQqU5`>@a*J9m;#?~AwnO9 zbi7>A?yY(a5{8yK4^zLgqnc3|or%RKf-y_da%1`bnJ=$npB0c5Sw7llnfgaru>8Hx zNA8rzr2pLs-%RCin@Fynqie``3K!fU#Rr8^Qx)byruTPRI%lS{d4m3TC0Izi&Pu{S z0nSOk>|V6l=HH7S*HhdJ{WS}j@mQOVYeFvsR6l0S(pIsfJbF_sX`gwH(|J=YHCgTHiqP-g0 zv605#i@8uwGYar#maA#Y9>}b1VtwA>np_9|r5rxe3a(AN8h!C*!E#C*K%0{U7jagb zBI=XmHlN$K=)8y;vH}XjrH7jIEvU&X({>oOacgsR5OiM=%N@Al$QmhjlV=|Lvvy$@ zcucTc8>vMejT?_g-p=<(f*r*lMRHPWjbq1)?ZY?Sd3bv*_J(N>doC8dt^}HIJBywk zb_cqXfV(PKhiBcdiuoAa7CH$)D?DIoeW*gU!LY)-by#y0ie`Y_3Y}e5(eUi5f`?~U 
z6^MyvSK8^omMd~}%2ji~idpqcMbGun_DuJYn&KSeQ0>xE8rtu>Ke$`hx)ttjU3(7E ziP2L23~aQgo+W05$_)O6X@_`rfD}!yyjO_P0P|3}E^-Rz;Eavm**C8}2(vN0yBp}t z(%+8`w~chQJGXZ>_+ZLCsZ$jVQhP9jrb{F3hI!x;d;u#8E!u;r0 zu6VgQ0d3dL1+`)%W7Zf$`HfA0qOxSuPG3Ky&TH0U;Keb+TO$|K3p4Pnq6ZzNj!qZKl^u0#^9M%ja+3(h9&PakJIZdj zmmWOYly$;=Tf6)XOzWm4@Gc0a#8GdLE@+`b#|2sGumdCBNo0hb#QYtJ54k*51*c`z zwBZ$THgr*e61YrAzE-auRv|$5HD>T&Aek$kA%In;gAvwASkU3!r~w+9afZ`n$*jRj z)R4S`1zDWOyWt1;iexsxHvJX&^EOQkI>YW8e7YL-xKbu(a1$bNLWKga*Pi#bY-npO@>P=~%TedI_lO2?$YmrQ?5oGLr zUVgMbjoMq!^%9;6qG&4$QQgWEfR;0d*+?R2HC7Bj{N{sQ3k7LuO}eb6L5H>t4F0~v z(;HkCSLF$8J9`bTUt`%Efg7A~Y&$8qQzW4{owzLALG|;qD+pvHrZa5|2H9L%`Fa(r z&Bp}p-qyfeA6cX1VoywSk0`&U1X7ksvzBgy{G&XUo8yff1%A#Gu&xrYz$Wxw|Iw)qp`e5~)*XpT(|HXQ&BS0%%`4JlRzKpFUI~}BhKe)#U>ull z{;=q%#4(>M^J}^vYkJBd*gs71!#zs%PD57koF;<4nugUvtv)&}&JxC=mD&(Ui|`Q> zbA6{v2+vC<2+OWEn3~LsG|zZ?a439cI@HAx56!q}dj@n`dvMOM^8mrL2(8^enDoQ3 zLs0&7MVKobsBt?Y)ZnHn44R7q$r}OA_5eBF%ZRbp9e9N9VYEyGU9M;Xw5o4Wm?S&V za{6GA06D{qrw+iw1?QfLZ9WdQZ|w>_C>`CYCVc5i&A@jKVhRI>T(Xa9LXA37ELwt9!u5!NKMkB5~ZLPs&q)hyT1KGx{UNy7SU*^ns zCgNBF1p)e2kfhfkvhy|3CT(NGZQh}(q1(hkeV7tJ`UM0+T$o?`l1NK#z~(@I+QHt* z0jwW5b0NcV!gm}o5cBM3;?cC_=&Hglk4>#?w97MRTLFZFG$q?8lqmywt?X4aP#=SR zeO(un%xaY8nAx<`rdqTWRkr5gspCOVWwM#Qydx2T^0V1j(R=tHb`h{_7=hPW>yqK( zA_#)lU`Ghf-TS&^-c@F^CIx8ZhAtTIRE4t5bV0#su*}^~8`yUIu-H9TGy01vsl8~B zkuzIoC!u{}F@J3h^cV#@GFWP?H{Jtq0Q4@b1lb2I^S(ou*iH`0uN3IaKS3;4kBj{p z>8iGiddT*UBVt}EY+eS`=CzU?wsEEJHptB$X4nNH1cD zU*q9Lw%;HNtXU+ePke!9BMh2PGIP*Y3RD~`$}#6YZs=YQ6mkv}UOoZ?)c3 zt`Y*SwSeHwsIdmR0GOrxnIv@za2#@qN)&wwRse^l`F#%pXIKkIP>W*0m)#vTi7t0A zCJ?PHw~YWE_IZd+K=#>ey5fRW>V(rEZ!9t@Iu4Txb6rRq+i%J+ z$!R<;Issu7#!_X|9NaY4rSirD3; zJ9my<({9F&z)8sf8%Uy(&IPji3^k9PXWE*LE((KOb2xa~fvIxe(0kC}!K|BH6=dUjFIzM5$B%6(Ijlt_8 zo;tFFINVlJp(-EVLOsWzJb_<1ubNU@`6r5`7!C={-khYvjW$+vt&^+$HDg7e)nU_L zyf|KmclWGis5uCivx6BRmC2mIw~$`50X6|1<;aCuV~n_%ycDN8>iifWM7gg(&!H61 zZ3U;l{bAM>KTf?im=J`mcWB^J9Wr#J3>0m`34p9yWvc_n)aflnFz?0&K@X9RX$efG 
zy~d67pN_Q0wPAY_EQWFv&lxQTQ|K+2mF;4Lm>(%&2_w(AO3PTu6+JG+-H8St0W51enn897kqv`tjAhAFLGr3#dVPK&e?i!S)>jE}z{gCTDa zYU{GR5xJH2@3%q2)B1VvwF^)FYj6&M^Xc~n;$us zqmqOVlwmm%7e@Ma3`<*?MapTFJG!%SG}VivW)dUqUqcKBlKFHb&K(DxN|9;IT3$&P z2fm`1dZAdV_WcFzSl0?&W+CjKh^-lv%A39&{Je=Dp3UKlh07^PcoD**48(*-gB4Zj zHX3U5jMrW)nMJK9O?>Dfv!CsEB|%P<gOxb78NDSBb2cE zYK&~_O19`9FvVkuVm2982t35W&s9}D+z#iL?!rZZiztw|nk^oBON}uPI02g8R$_pm z(Zm{Q+NvdwqI=WFr#OZK$BU98z-pXUl8+?Q_(;%Se5YdW74G!rGclPR#zW!))A2nFQuIChcVZo zk#$6~Ld5l-nzpBn!!; zb0&mDTJ^W>8d#m+IvWWZ>Z%AA!NS*xV1SP1Lv+S0RH(**$T-uJT179Q2q#OeDQGs2bXc$}w58x+$gBk@v`+@57J5wm zVHIsF0b%+Vfe%ibf$uNeXk-gS?@Se;7cxNcsWftY)C~7jTn(S(1>=*dXZq;HkP5Aa ziD@=;1U!#3TdcLYMQcZ=-E)#)If_$};l_DaW>QG>}73rJj;2$QfDSwHeIMoET-= zY(|Xu(9D!B1T~SXOu=*sq&57fqxN;SiXNszTNBuk+P0)abTjMh=!X<6$YyCrhYE}9 zEW8F-GJ-1BF9~DkQDYK%XiXW`{p>*8jnhVY>%cXA!r0B0~^HK!V3YBnN^`DhSCdp*f!BOe#q0g2n2sqouobhPjq zK_C4$D|NIa#(vX;>?K|RJq=z}zT%{-xi)LFhBPF41gnA@sI$?(0(9iW1Up)FOPLpr zk@*>c#*D{F;xjGKJNhcG7RqQbnb#0EMbLDs zOT)jZQwLYcqUp;v20b^RdsOWaJNZP>yEND^g~A@qdG>=T`}ZnRtNMRAij^Z~>3bR6UNdkap|dWTy4UBjS4@Fzu^e@o>a?_d zfuP{V2#KwmHUyUt#XAcQS(ph!P(z)luRK<0BT^i3l#tfhu==uejj+j1vnQl`zMygk z!^5_-R@!}ncmLsaoRlC-7jRPJx6bnO(^%pp<^xY>Z>9WkI<|nVc>_lVvnHT>%iivh%#ni8 zluo#rNjE&ePwP;Ap&9DN57ATdboSSTEL?|~&Z?!Qmt?@}qzh7dN&?H4vnqV<;E6_4 z?7;>ysJ_OWhnC~wI}n~9@A5U+R*Go+i;n2MbTVNlvN7%gjGU`YxwsGSfNq*{=5Hu? 
z<)qa)o#qDiDH;Qh7Z%lYE>pbe!;~knk*2%)4B)UQO%Jl;mDRAu`pul}A4T#)%X+pR zP7xPu$H?q0P8;-tA);=yWbLvis|PG_B1>3-r6ErpV8$90o+8e%rMPi?2F}7<8ild# zT-lM4_@w&LjkBka0c;NeG-MY!^FlT1lCA~`OE&@Y?X|lX&l~c6 zA`Q@n@|c7J6P<>dneCv_@FYaAz15?u(|Atvkf*!*ppzm8zMydd zvtJ#>rpE<^+{v;{1n(F_3WjBH)VV`vUD~*$v&?WjO-5hSNrKl3plrR26wp<~P;#oO z3;jS0ZHsw>B4=heY#}u~ubPc=#Cn%Fq3AcWvK`zI)JEE-(3OoD+=ULK9ru&H7x@z3A=#h zpKedxkpM~?$(I|ii{P3Ykxa?*7{N1L6{z827UMjy^RMyXF!@)OgltvBwdY&`kb5{A z^inNQ)-{0Fdu~1)4V<*!DRDZ|9p&M?K+8Y%>%^%t*LuLhh;fW`Z3z+AEi>bjuRyn|@^~czQaX{x z=6Q%f!&jGLPR5c5({Xk9l#|16(Sm!ifb6}lto{lo9iiTki+CY5J*`@$gjW>d_Uj!i zc1rToND|5N384{9rRBp7`F1~m%;w#Yx;_CFNv3@8)NG|@&L%zUZSO-zYJ~O(Ffga^!h3pYF8n}+pyuK0X$ZC z9A@j>K&u=ShwgA}TiOlnO1H-CX0{|)Ix*N92M04FRva{C>_`+d&E}ylj*4hCEiWYa7>9|6Fqo5W7uuSo;FJ9Xe6- zMV=CC)?k;5$J;@6%sE?p_h9P?!U*9fA7hcv!9&UeS);xqN{ikbD(pM}Oyf;Hd#PJ; zRNmdpgv~>z=}kJJ8^ZT|(ST1-qPeY;TKm|#=rR{Dnu-^IcO~8Zu<24khMTSJ&r=w$ z3o`YjBTM@B4eLkzKx-hpqP~T#Y~Cpnue%+5=-A)WDq~7V$fZeVtOp^(z?B2?Ux8JU4@;L_(pM^v`F_iP2v|Ju$ukk(pDBI1WVK4dGH3R`q zIJ5^>@1}_Dsm2t|7KTGxVbkHJUXs~_)0ajO2j!P%M7{NZOsJ1Eo%kMI=VdE*v(ajp zROzoES-?>?Ej(*UwR7!&IU|iUjN5zkAVaTAAjgO&$5w9t=W zYnsg$!Ar#jc^T8-$H1V{nr(b!!v$^c`NZ%;CzTBZw9EEKOLX9#APxGA*CDQMWeGHL~A3Z2zcnl~8^8p-o z|Gm4?uVDr>A6kXn1Jp(CNnwQO13B#OXyl0mylT31AZY&D#^!^I;2P2bASJZZzvS4# z5IsZ!75w+6K?8XG>ZP&}FFbKf)%W=zzc20Ogu?5nW$dQ6)=vr;^an9r{h>i^_6?kD z!_CTEI$PLRf<*aa>Ev&Cb;v&!JsUKv6LV;!?IL0iT0@8{{dUSE@2*xo3Ki*xu#shU zyy|c&UvD~!0qrq3nc_qaN9Pf^m!)gRMCQFU3p%XIl1@6pcnn@KI*pQ&W+OzJJAip@ z*$A@vEe>9Xx)|*85Tkd}yg}?zu5HTlDYbnWObzara#NoQeY+(o8T^H-=3=6D7!9uD zS6ka^y)v$F{fO#7cJy)Wqhns?hzKk7k12Q}xiF?&>P@Np_ zIDq@EVq8sbz}CnA}D+rb{yg zJI&Tiw`t150m=4+4C5Hp^|qX7_>EuGCm>nNnHRv^3XY^~$4HlEqkO`4S&-U7pxYfE zFMkDNHOELz&_+Q8vaMC`3mgFZ=%Siq0WHEiK<%`MM+FC3$`uaQ>!!tIW1IJDeeg>^MgEEhzwRl_b+NJ}BKl5zU`jW&G%pwad!j zdJRtqE#R?1|0$&*W+Y0DjUbK*tAO;Hf){HgI}5W7);)6Lt8G|x=N8P4Q`iB6LQwFi zuEJ`3gmxfd2VCY&_LP)vaF0MCpMwRrub83e3uAI~eG)yD(n>}OBiSv85aQ7e44SDI zF?*Vz>b=y~PCOd(S1X_$rNWM<=uwzq*df!jAaG;@6ky-DBos6GqPC|H*w>!b5Dv+( 
zs+AX?EUP=0i@O$5b|Z`Btv_mDBhy00hBQ(Ez;h|$YtbIC^ZXC@!Kr%nj3JATy+#gD zn{L@*C^^oiQ|9Jjl0aEJ_R+Vqu%OafNmsoEsj?lhMw{pj$>FFjH3=;j4L(*qxwFU5^WKz&STS%P z35IVA=?OSJw?!~#W><-BvVYj%bJ9PIN@p5H$R=r z2;gY|oX#MPgNp@1$)q{i00&BHC!xcU6;v{`00 zTr{+b(JvUzYk)xqk^9mCTqO1fUkwe!=&fN3d9fUFg!Zm?n^& znv14GnB_Pe8&&y+7#uG0F<)fBk!eJl%9IbBz)hE?@QB(w0#_ear$sImz~$k3oCsXP8_0M5vZj#Owu`+AiuLB0UB+INy(?e@gG4HN+MOxGn=$=JM+E&AlDg9+? ztMAB|b3zZFlb?)`mH1cZVM}58H}uBfF1pFLSs{eOu#9LsH?rn=LS76@K8Zbcg%8G!!=WHuy&KK#S7vEdl0a$oF+ zhCF(Jja)oY=GI=UTm360D<@gKdxV~<7F&$d0R+8ZIXs~L;bu+iZHm5!Vbx8g z*dEDAon|T#~c&tJ!`$kIflFtDzXzPEu3#B-2I z9;qjztJp{{r4;K`p^LY2n7`Iq<}KoUvxv3azoALf42me}yf8cGbaL4nbX76clb3Em z;VnZx(Kek`#hfci{LzdFtTv*=eRKD+RtwmUykPXCAF|iVq|H1S^!!Do8Wuohs@w1w zYPH>Xds2B+cX2>KZFW=zau;y*`N4*!*Q)bYlWJ{35SZ@9^i> zxu+JI2S-_}9$=6spos;_nYb#NE3^wMEr6B8V`woPNf6Ip8eMe_-qOr?hOc3(iZba3 z7yZR*10QyoHWNTy{PmTaRBXa;#jO>CTzv%(+MS%BVlGu+Zr~d*MEk%QvcGc9-nNN| zd?8QvpH%D`2GVWEY11QH^4;kog*~uQ7d6i!vL#Dcw9st0L}4vrLM=c^62Bs`awDN5 z|FH_9rFQ#Ti53J8Qj(CJY8BtcBbTcXf!@f2C!Iwr+F9V3X4@?cH;@@5PuL56Rt4Gv zT3KxlWSH=)=;8@yJe6oCZXh#J6w_>;(D^6OxfUcuIu!`e zvx+vg<_g`+CB;m`;iJM1rf|<81dOL)v3X^k_nTPO3Gi;UtQE;qYFf#ypdPwOj$cki z{A<_FKMXYo*)f*T#(lSk)|%F8v+ax(T&7R3Jmp!$~+ z5q_1j?4BnhFq+S6e_-QvIVpgT(4Nh=MC?`*nw-%`oL-Yg>Tk?e8?2W|#$X28lczo% zVlhg;wZZBIMuS}@DeF8k4BP21XH*xzPr>J*>(Hrk8;-Df$|2f!xUEKLE&)ux;&Vmg zDIw{+;Xwab^XdPexpsba(4gO6*~-I(^Nd z)2Clifccp;bF$>#o#%b6;@eu<|Hwj=Yv3gvNITe>Ln${)hU6 z9S?LL^A3mRkkebaQoba~OYE2)$KYR{L*?6gP=R@GNyP=F46_fdzY+9cDX5K4&HJH_u_g+|;v?_-JuR@G*SrUp(zyXUa zmoF~_G;;B$A?$eghN=zMbf9|^c5nE!glii`9$oWiNmI@s(_fFh&wUO1EsqiRv69ya zc*&drlgQkqHZJ?5h|5^u{R$^wdPxDi6DP??8}F{S?xDTznoh(-Vd_GWy^ZzmQ!*OM>hJ z24G`o5e82=>bBy64H@@SthrQCVp9rici#bP<)A)G?svd;QSbj5=~SX z;e$MKv8Y`NjxT`gI3eQhZE>}by|R+zRYXV zrDjjB((G~pCZ1pg4YYLQ89F>7(XGj}*vn!Db-YJI)J><5d;!{2?iE1hU@*mSBNU8} zKGJE+O4s)Avzf;P5wwCXGhTSKqt!I|Fc8o&?SfDdX92w)P11)9c|`Jj2~1=lW2(qX!T#}Dn}FwT9j z0(6ks)#k)&a|tMx`iWwV?8#NRsL)r;JNK@Mt-syjb(aoJUrXg58#^xt9}n 
z9-D+lOF`q%u#Y{z!X^M#+7oNjsR>t{6)`6ZB0~L3nX0C0`n%I;>gi+va|=shaM+!? z=H%JUWh&J9>LHuYQP3UK#_6UZbevGfV$+er`vgeKEa@}bdZ?^fjH>Fa{D6?jc4}~jDO8qz3YXq)K*adTAtvoYtw;;G1i}-d z^!-qC2nJj{x|J_A`A##*FKp?}j}YG4*AlS-G5_vHi!3)--(iqhYc`@K#}Ow1pP?}M zT`P9@g%}Mjiv%CIZf)W;%7cp55} z-`cYKHBX^En@ZtcPQ2g>NT@FX8Kh51Q0UP%0I-G|z7HGI;dU=TJ1+qZ9Lr|rjX$Pe z6vBEpNn$RkB`sDZ%ym0RXx1pCI2Oy79&<6{c}FA~$&!N128YU9_-tXvpt!oxAHZSe zNIC9Y$0>*xQc!)NTUCZ&2TX_hAZ!Ie+}g$!RjB`Nj@?z$!i@l4Wdm18{n%voH(k*` zUvscw)MtAw2t1p?)t{-rcp0Dx{v>zGhfv0NqE}=a^60rHBp5>$_y;6Z%ewtyH3Y&O zMU7dkpoQisVRdv5&+3QFDYgy)J`E{L0Kb^cL%!?$8w(L1Zn@w3~HxW>-2%2u*aw(-PX?8inm;dp%jY2SNkw6Tu2Qg&BPnNRaMA z#iD6XL$8M$c`(g?38CZ6WxY^oSMpe$D5=%pZ$!a7&xBaQ$C!Z+r_A!D1ffA_klre-5A|Qki zLI@$mkeMO90Z|A-h%tr`#4J~2t^vX=WS~nSivcl z)*Lhb$@Mj;9+haLKrNHPzI$!%^2CdS3qfS`MQtJ&(&;(7OIb8A6@N}d z){R(slzfl46g9Npe#&eUoAqj-KQ`f7!Q)3Uk28SoN$J(%&Hq%<$OoKX6G*R{d`?FU z=GOHae~p`a91)^+{4Rx1NJqAM7;cHZ?PoOZ2}{HjDBeEbCs2q_zV>p9Z_wJt{0*+X zR=2K|7-sM{+3nzMvB#ZyHc|<%2mSH)U}bPmuh+*A;X8`)pP71EFYW*B_pU^AuF<0{ zvrwtVMI^<4Tl^ZU`EJbFJolAbC}fh*_Kr1A9?wJx%>yRo_o7g{PSg(S;>-ql_=KZP zgu1Jnc7e`p2*pKJ&x7+sIoktg`~e#=jm5$&pO>-LW7Jh%L39y(t{_Tfik_xFY2iS=L|kJ~KlW|a>XrUN^kf<;la+DfezYYz z7LS>K{pVX?vitDj!QVYIZJWDN_7#vmUVQjbl1K_3JK~L#i0GE+z^6DzXoAQ^LQxJK zUdJA-$NBHC03Ul!eU>x?&1xbs_tp1}vtMa^El&HNS??C8e%sxf&%`5Bss{t|>H{4c z?^e?Xsh%9Y%pdr8o(25E{603}#1iukcr`cLtMEOQKV~8<*P=rYSHPW-$0-7ohUp(P zO@tHLkdr^H&1KIp(;FUX@m@z3dCIEZOsT6vM|(H;M(@OK2_7sxsII8e2?P8U0Q3Z3 zWM7b#@&B+$mht~^fS5R7P-OskZ*V>e3RnO-AOK|`ASY=jASgO1E&u>>Ul8Q5vz|7gGu^8cWKU_c-M=*WQ*s8R2X0ig^bOe%zsBH_3L(lLtUNQ#6Y zM~Hz&U?LL=L}p4XmFW|;9V40rXtaBngZtwO4#Q`u&Q&OF3}j;7f)n9JwoHnNV{{@M za{=|>Awll=AZ7~YZc1fx?aB)?;M7^eV%$K*Uae8-oEYx}_n z&u{lCE&t0~AtM=_rJPw!ZbJjPl=fe|W22(ib5gS%#-yM60WT@LH{~75j#m9*Nc^(H z8@;+8N39kcA-C+%vo?-nCiK}@PB?@?xPOCd%lCa8*z4i(6Ed&xk)reArpUvgSCar> z0#k@CcwafHGc}(zIhBta+?PYL80hpTHvwswP3d5F9b>uYbuzKj%)v4_QH?rq&s-RJ zv@&-=6CKN@taO+x$C8;3QgKBIj)*bymRaKXw+a}18Fh6I6#K58wA`d8#ruouXd!Y` zn=Pt3g}%K*SNTzsVfC^C4GfmM)x0O3@|arncg&uhT<=cK(`o=gRHEJL@9P-_ns(J- 
zyUU^rCbMjsPf3+sBl5ZXx|S+8gQ+3noUqI4CWr#zEpFn|FwGi74{003k)TRL3;0CX{ggV2KWfAaqb734I9l!o&ER21xyhdYr4 z%Ib*n|FDREOB4WjUjP7e0C>m%_Mi~=*wFa-V7LSG|1j`KCQ~SpV4%S8P+MF;UR;n} zc6Iar$aq*F=y!lnAn?GDU_?c3f+VOy{Zg8?1EML40%4MaIMgTsL7uMxQfiC`Ipl~! z#1KVfL`p=Jq*UsI0~mNnQP-=ITj54Wcfa1K%N9KR3Ugp|bEeyR9#$GyWGNem*F`HI zMvt#>Jj4^0i>$q0;!?Z-{v2(G^Nac~u@AP=Ve(tJasx-}rO_UIH#_-9G+*a}#yL+T zab~$-2#?wJYRPu>Sl#*3WeCj^@4^`Z$z>UB0`vbQI+2o~J73e>-2TLCproFVc~slc z04`{$sj8$lgi@u_Zk+)ZZP5`2VvsE!OAkRlYR1`Oc3MAkq*rpz6W&2)ZrC(h-)>-+ z&68lLKl8Wz4`?~s|Juq9@y-WCp{R`=Vm#AHga-PaDw#~%@PiO|g$#-A-$``eVqe=` zh=kYMcW;_&Kv(5_SzQtX9q~mr99dL)5I03jZIV{~)mpiyy&+HMUMIa-RF)kBK?}ib zC3t2`l?bPb{yEDHpJ|C0;BECDH#eR>4VFa&pchfAF*@*vG(W#hP={*_F_0X$bU4#v zh2=-rrqYz*;Mov{!%k^94~b9Y)3Sy3H}CBY!hzORedL+8<*G|B0kyMUNYo!GYyaYPD>>a)jVr~6#6P#3g&Jm0-PFX}FUOxVP%IY1d^oD_ zE>7&$cE}b1=!-YG9mHanG=9qG`NMvLP;(vmzG7lcI@$AIZ#2uhNNc?1qfrZX6#f#L zZqe(mrT+DmJlf7DkL4@_qq)aY*<;vAW)^rvfy%P|^}sF^+bMyAKY4$jUIP$y9Vuz; z27i;VB#R1cr|yKHOnbD4#UUNNiTmccTa;WzV~PkQAKC2ecsj|Onrn-0#swJ-I-MZ4JkaTkE)6E?=%$G zhqLVX_6$w|yNLmpx{hop_-(7$wUx&QUh`2~h>y8pKulB!{)xeAVB127ZmXaxe zDEn7{g}pn)`ooH@xQ;o~m??F0`M@E;bZR@x{pX%bg)YSJY>tQknLuX0Wy0LvjM_V`P^?%-h>L-jtJxtIb!i93br+J5wV3Yp=S z?r3XSVoTq^E+VaBM0MXK6e#66>n?k3>6V#Bcs4?c7J2SajZnv9N<3U5!b$PME;6@Fn*8lE45ARtnaVk%VDD?2_Rl&Q!V3>KY~%T0G6&>! 
zl+kw66w~9`!ZaH5E0P0JEG-IR@DxGx|4=}XUu<$;Z);@$Uoma~XD|R*SyOIr z0C045XPgFg~P z;}N;-jQK=FR^@vg3^PwNcO zoCH;rH=aq^J@Q~5@$G!^R53>7Vs3JsG-2cir0tFpEZ<+x8uCpJz6Mo;Imj4L?_Jb) z=Fh~ja zi3B%155^XlpLE`D4#|T#f1+AVqQ_w~G9nr=(*Te|Hi?&FO^eTH4D$^@n*rMdddcVBHy|*AZ zR=IH;Uesoh#~~%UqG517_z6G5VcU*K=Dh?3Ui~Usn{6tHoB7Eq1n-qcT<4XR35U_j zhaeOa;e!d>Ls~j)vcZR0gDcYlCeg*88TvvB*5Nq&iP=$CKp`H*gN?&RVBI)ffDqGW z&Nd|T4oFj85+~mIo|={No#72ECpfS*0!N8-Xg2?X@)*4?=rTuFES7GaLOx*9uT`=-tfRrevACzuWhIcRS8<03*LSE2IB0~Cz-sy-qUM% zkUo9#=nyuZlkh4QHYMMNjHN^J^t3^%9|&1rt*8jlTvw18&qXfagsARl07QY$UXKcF3(*Wkr;hv~0V-^8FSmKGP4LCF#t20OpU%9c(F2(cPN9CoQcM7H; zX#Rh}tpET303awZcmOZ}asYF1I503@H8x^&003gBp@}JkfrSOs(#96h)58-~P(&0Q z5e*%zpo}aeAq6E|QB55K7!U{;9#Bz15&ZDXJjlYz3SeVHBPbvUC`3R+1R$J|jUC|N zz#!n_!Xn7P$Ose@2N$HFg(ZxGj}HI?0|R(-OFOu;i#re#0~65F!V>J_&Mt6pKroDe zj0`+84?n1&h$t{J0y5mu%^mde#x`_tL^SN+%q*0Vg%t<`3ky_JM;BaBOdMEKOB=kg zjXeMX0Rbc+1SA{~3_~-Rkcb$}z|0Kr^1?FM(a9MsAPg+zw6KIUKtVwPP*Oq?d~r=ZjDd{}2mlBO z91{;8n30JY02mPo83X_X1W;2$6ZG@PH{jvHA^h>pJ#=zLHY_6#FC-%eC$O-9Fo=VT z3k(7d4ydDxE1;r+B5Yz#E|8Oh6HGx(4QOFWDSU8DJO}{^2?zoT3cRzAKkVbrFYxoj zGsMBg1%!i#2NVzl6#VkeK4f4-B;3-@9xNgbE=WU53m6g#8Uz9c1|T5;A!uVuD`a9u zCIA8g0`&34HIR~m5{QC|3Jd@Y46w65O{J*Iz&T92b7YA7Ubc@B_tvS zCV+r|0IZ>nE!@-3AE2RuAuuoiFf=m{$LE;KR*HWU#B6(Ax4A~-MzIP~zuG^C@4 zCqzL-1x!Fp41j@w0qEh$DTIK81eBA97c?;iHORxu3(UgK4m>anJaBPAF%S^}5yZpC z2Z(`*33PEqHTd((JJ{078u;+YIFyit6j)J78GwR<0>r??1pM>QKS)7I2{r; zC&0kK0L;VB57g7g7r3y9I1B?14~&A24nRUe0w5y;Bao4S5o};gEZEb_8>FCwBs4Gt zH1P4kF-Sm22*AR^0&HVXFFY{~JuD#&Edac-jy^mx4nDlFj6A@>!2zhEiYmCWiaJa} zP7YL2MHM(R3p?D<%p7Q7NGN=BPd}WHj2zg|$QVdMN(xj`Miz8)M>n9LfFSJQ%`HSi zMh3L8g*7N63oB${MJ4$1$~xfV!y~w{i8-*bfiawuj~`r8P9FI2$vNcW#wM_`f-*2M z0Ws*}$|`JOO)XqgPaovq#3bS3mXIh1qFDJkbn?qVoE9~A_^*)l8PEQ=q#kn+_1Q;U{u6J zY-m`(U@){Opx~s?kPrkMyfjGch-|17#1!1)^gN{a4BXf#WOyVj@NhuX zK)`ThtcdiifE>sys5H+;<6sKTpuj$*7i0i0j8x~>3pRnS3z=G*Xc*Irgqi}NnZ`X z%1yrNjop$h{k38ygqu+JktKI$lSo}DbOV_U>BGHc^409e6p1>E&Zoi(H?LI5rLwC* zd4F4nly;#5f6-fC8W5c{#u!gy8Yo}Z{Dxz(w@${6;}EEdBt6R?OUj750aj)V2`U6{ 
zfP+ru#i3P%+tdZhwB1mTaSBAUAc5Qvsleta5EZ7zcF@|aCCe$5CCLs#B|iO=yVwTKoGnH_yF)IT&Pq)gcOLFu;fU1l>8D79vpxm zj2K*WRInT*OaMgeSWxJE*vR}alw>@#C@WNvtKp^1az!RZ^19P(z(&BJ{GoUij@^Ijh15;2_u>l|ubC3|g z^3fpUa+A@5!C+A10kV=qvr@uHICyZP5~I;!!>~b8ae)965dc&3;qh{SFtD(L0;8g0 zlR;r{0Rpq*^TC4<@?g>;LlOcZV`2jFl7axUa?o-^l7SPbLGXqH5g-VGf`DW`2I1Qp zDZqm^DFRjeqi}lUnH{WXk-}k&VGz%)By)~WN+hlJ#87LaGR@}w(Lnmhl{-qe%XI0B z^e8D$SfVioShE%t&9|Wn!EID(jt%S=s`RKgVoMpMTpZDenMRWcD$Gozyfqop!ABIc zsKj{Vh6J-p!d%gydx_xs@FyoN>mUK$S;6R|z2fz#Xs69m1V<;Ibhc=50cgLJ>ua-4 z25W64ac1iz>s$@}*YINuF@*&MS0IHU(TNxcpi-JvftfOJcHQe3$RTeNg)OQ@@&2Zl z26r$IiP@>7q446S7YkP~pNQPAibK>2rXH0y&rby^f#UM1fANzuYn7NZ+%x@$d>UXK z`*h~I&5JJ?R+Y6+COeXsDa#~*>J&^5xlyM4rR_aqFR|ETvx=I<9uko?G|$Q=546I3 zDh$dZx7q~>5o~{qVPoaA0He64An~|BHBMDFRhj|G2(>l3U=le9p(1znbt(0bq*L@m zql9QLLTq{T!~hyd`c{Dk?WSI>bL_R8Sh9+*%xBcuu4W*3EEqhdZ-Wa`5}ors4v3 zpVcCqTVfAf)| zIiM17=dJ2(kxDt|qugnKFZ{whZ5{eYRh14-?cUZD7u|jcmogxjfHAfQbYbcbOh~aV z2?+N+cENJLC>8kvdA%b7W({|U2-J&?`U;f-qu!Fjgas|Kqi@Jkk*5breov529gJHs zhUB3RRqI0-|M<9+=14v@EEtbeBFEDH0*pER{*>;*Uecas9*<540hV?!IrA9v!VtU! z|7F|mzl!X%LWrU)3N;y)D~9(b3oi?5$%y2Ux$Iahtstk$SR9>mBEtvcak(`XdvM}? z_xXHcucZI%z~TBc^{SnI)?Zn*&%ZjJxe;Tmg%$`cHj2rNCZR!y>YH{q7BA_2SN&M4 zRa&K9r`GK>YQ}24FTayz@OjKw-{U!t-j0^6bs8;0@)o5LY z<<2jr1tUFH3a-6#)Z2jr_L;I6b&iHTp}=Bebo~{pnzdN3rCy0W_W$b&W)=Pd*DFtp znh)-JyVUw?s&t6;JYtz$PVOgPbGOf6WnhO$z*vRqH= z6k=WPQ4v>Dmbr+YOG?j4X>h1LU^3Yn4}>5fH3p`|qKYB`aIHfTCdLTj7)CR`49)ex zkuou6ph1$vqpmHW^Ny(l8!%p$z}>5@LlzQRK2q8HE{w}6R+>+r8H*RcjKzu{nj}Iu zvq_k>M~}sWTTQ{QFf5moJHl%$&O1zu#Cs-<#XPXa;vLEvh!K`4)L3gojm0#K#$r4j zGxf7St(skU;u&NyeD;(Jj@=Soy~hvN4c}?^6b=b^jov2>?lXeSX}1A_V$I=%pjFj*L7W! 
zkqPaA!C-J**L7XjbzS2vA#5b`W+~LnAeHrn_J+5&gz)=)L(?=()ASqO-V(w_GH;eb zO)wY?Mq3IsGe~89jm2YVgpFk0?9pO-+UZmM_pQ;FvDGU1zpiBs7%(u&-)5OuEz?|F zx}NY{FUw%uuCwWsYo4KA`epgM=&tPj&vvoVr`jSVO|RPQJcSC$XwpOSC^;cXlvI#J zkPJ%lBzO9p9;dhIkX=mY(y{a@{jd*qCf!H}(tY&2UZdM}xqjB`KGsq6Z5PqCy0%Ak zr@o62E2#!>^WP!Blnp-W^>t$dvPc3!rix>Y$cn>7P9p= zk8NYe*mS#XyVxss+5T>?&D|unh>f+Ww$s+IF>Izyv=wXwyTA_GKl|f6HVEO}l;IU7R$&}0i-3M7~S001IT#JA~*+nt$NbgSJ0!*{y$oc z-JM=P^C2g3wY9po1zA;4)pg6&-CeQd_CU+^c!@Vwpn`$@&nn5Rz6jmz6{%d%9sSer z?@jk=d@jdXVKyj?QdSk(1&nx-cp726GT#Gm2;{u*1^jlHrLqBg*p-TLAGoec@) zxs>qOrH#0$YGbOni6)H`Hu7Oz@NS@kk;NHy`S7m`a4kAu8fy*Pb+Dni2_Ar&tr_4$Nd~QZi zwhm#BB^{+@{e_gJjEBh)qTsq~P#DCPPRSf$5b-MGxsJ^-5DE#Zi)^ zgrM7qtNCu!my?zbV^lPZ5pGNii zG^*F9v6||avSNCqRnaR&CD97J8_#W{0Ex2lMa59rt#aYB7HVv~`ovA^fhMfz1DXnX zr)_DY+$a3w7dGy1N_uJ9Zc$ucLm*WaSWJzC?yP3xBAkm#WPY3;R}P$qJkKBGADbEq zy^g+loAG-c)k)_Ik=I!}X+cN5d&nPxn4WVL$Fqo^B%cwFJ+`0t19<+>8t1|M!YEoR zCqj@@QpSb|7rp!%DT36o3A3D)eX^@A0OuWEg8R*c9R(SxJ01a?n&4Y`_T15{U)6bC zz(1m2%tq8FHPk90lwm8O5=tW!Sr(cq1pXE!Np!8B54swix2*I(2RGO${niO;`3Gs{6^8FnM1K>-Gm(`L><&N_>H`36U+7%Nf zM`|WN6;HL)^1`2pvgEd0l>H7AS7nJ0c%N|zpTWMOUe41xzguVXj4!bZ4R5V zxJAR$v}P{yXn`~5wg}hm@-YmwZIDbGl2?Qs#|m{(PU#N+LlY%BXXTP*r@GqHgUE^9 z$?5E$6@>ZGcA9(aK$Do1y5wA%+2CsYS9jy!ea$@TTkQ-1-!&}F6F_HQyQCHc6-CCd zKZYp^DH-r__qASNS%bT%q1#2g=5$eKF)q3!!P-`){o|#(D98glGswXs$MNVppYKeN zgC5(a3eEpoRu!MJ?bo5=znZXfS=jz_4U7@3wzSV-F*zxw2#6gaml=B{9UR{5Tlol@ z&UfS?fUEGYGR<_`ST)xAgszchSpZwA5d2*XZz+*Zh2>EB;<2(RLGjcT=)dnV3PW_9 ztxck?GrigM%6oQ{qpui$fh{ZcwvdIFBY^xq(M2Ae5MN*@UHosf+14}?PwW3)FAke~ zzHw7AnX=;-7dZj`3pW>~(9kK$er}LKE^_wUdX8;|nLp9NoQnp*4^2KuHuuS;p4>9N zP`|I1f{ug`ZaYX1e>s+)EE_8y?y{#S&>4SQU2F{46tD&ZeN&jopO{NLy_gk+Z7Zu1 zx&VjCpw1%KhKXcgh+Rl?rFAdYgHv%gRqHMGbTM$ksOy<^T@5c)E9xT+2_<#HmRN$~ zF?%L3LxfcVhC>!@fBu(rd6^HY#Q9sP-Id5nn{xqm%c+<#8+}i7R4?1#B4AGN)Ln$E zDCi_oq2f`ROqR=^2!T|W8$sz9p%mkB^6Pvh1gxHBIixW_T_BsD>J>XE7|LM<1flm3 zyh2!&MrtL2w>27*CLq!}>Roxq>~jvwpV`acbH#NQ#b4Dz$^W_#P5Ng@s;?xLZ|;!v 
zjBqUnaGt}V6q%UgVxIDuBE1B-*A4Ss65!hnm3jq?{e6e{xm!>j%eCeaR7#tk{5lV$ zmvGqiTU2mniqamwVw@M_O)D{QmRA)@i4H6sG{uRY@+U(Bjz+x_?vpu5pFf#ykuHa}MHs#Iw2@$^9S3C~_vM+y+%?z<}=ZHgvhx?aWZ53&h~ z*FZ2^Y(86JM-?z_sJ(ZsnE1`o{_WoA;q{^qyGnyZSV@^xucjF1;iIX!}w4YXZN{y;DFbU+9F~Hez zmL-0q2TV_&82cUxpr4qQ;j3eht#? znPIXZZ)6bVIoXQC7Med`n)=K1 z-kZt-N2rS&lQl89f{ga?Nx`HOxl;L%|5HUqIIXkg|F97p)e1)3f3jW(QLx7lc2Tes zpM_R1E>$K$cFH@*BF8wobFM3xlw%~inB#~Zp+)$d(2DvkNvcV6=|a5`x;4&J&?pP^ z4#v>9;7s#arf5RAI8H?Mho6M_C=8;7;d8?YMSnPfAP&(i-HoDR8n_{rY04G@)Kxz+ zUrxUQ^!Y=a$rJd(6=GOH;ct$Y_+a}KQw%BXA)*rn+rbRUu!A8FGJX&jj=DH1?iK36 zwx+&#qc2yh7RvZq{CSX0PCk`bR3|J6?jFe2@?wpfxkJl0^L}q*75Q&qpS^X4oHHoC zvBSY>3Tm;?Ad)-CVJF@57eNTxh|Hv>FK_XOo;I~5Sw0W3W60H1bb$&7MDW5bnD|rv745&X$&~)xypCdL3Dyrp z&F%w0TT{f<)?&LkHZl|gwxFN+6qNdJT_osOP8)LVrj)LiGNN3Sr%;N&Zk zIo*e5M1^sT`+&nY*7{9(In@Z!%Z&6yonMdj#7~F*hjuoksg5@z5PI+uGK%I)THYF8 zsldD}JuSJcU|*K1CmvUBrHvQiT!~nQyBEcS7l>h+*yC2V+;L-iJ8a>c+TlZjg7XkO zt#1?=Ne!TJ)?+~lSdR=pS8#uxS(0@+$4&QqYS2oQr9Tk)A7=a4yY?gkNfTYhAf(o4 zC4n>Zcyy2WfcC>;X_V#FtH9_u%`;F%v>;~j8_gBK)6^0-4f-1SAq18tlTf?g73!RU zs>#ICj{F!o4LHXTuuZZQ-Dd|aIT*Ggbo9dH_%4r87~3dk=eQKIl?@#;J2wOj2zQ_K z^%s=4Nq1cxspj#o!m_LC8c?yAu*QCoA41o7peO6%KH7uqm~Y_fv#2&C7>@@|B&Vd& zI$5C>l5xb18X+okxUPx`3Io!70vIJ&dMZNW2R6BbiEkVqewsoK(Uoz1ZPNqbm5r`7 zC_8e!;JHG?Gfh51{875$L8+vHBa;~262+Y?VByGPTiYUpgOa@mb?(SMGJPoQq;=g8 z5&=9AS=srZNwP6M!a^*iKTXar(&f92YY4+RaUYsj+n~?KT%bZL0Pk z6nCn(&T_!ubXMRcQaWLIL3Jd#ZI^ zs9eo0EF`wfA?y3M&Xl~gi@=120BVTb64hfp@hZFN3F+7oobaUF0^F}LinU*Y{V;IQ zW3*84(I7p9vCpi$sn-MR`g@)R>Iic0DEtaRYHsdG3rje;;hKW{`Q0lzfVx|Yq?bbO zIHfwz7}(h=`~4AtM<2#+OoQXgCnjpgI)m!D09v!)t!<3ZC6NT+wR1ZRU$N3^2Y~_Z zXlbk26uw(Kt2-Nq>R9jc!KVdyD3KVS-+6QND}?F=B@(qqXiMx)Gd{QVu%`g)nm9T? 
zsK`$F&DU)E4TY3niv<@5YWzqpGeBb7iA>16@NF{ge?wg1a#^d53Pi1YRKJGWBQUK6 z8A0S^z63EaP)e=bg1Q44FMeZ@N_y+qW>AT036bdp$_19}TX|3sLRHY+HRB7~*hV!` zStl`q3e$^pnuG`{sCN*_SPe?J=O35_Uo+)U;?Qv7xsG-0liGwsOA|rw%4sed6feTKI^L%yXFUbyuM6qSCk%(YAk%`DX)N@ z=v(REv7(`IEHr?!?bZzOWmSis&{*u{?vXnbFw4!emR#r8jsb z5z8SNt+$6|?IodYyTJJg%dapt{T;f=JqHAvIH$4JGJ{B&bU-{t1M8|93A<*+twsI` zCF3HwZGL48epxON&(Scal&CCTrQ!By3_#!tZx|AOdOiSzn=$Izy_oRbQjOk@SJ8Jx z;<`y{e8zagW7qR8Atq^yRTiwZbzh0hI!wsG;RR+7^0_2vOIC(iJ`%4KRmn9EcsBK2 zmGlNqv=;f}Px$h#o@Ri?0Ix&%iZTQKP1aRZm>`U|wZJ(u9lK&i;^fKL8^@|sWFy1aq5+Fh~k780wZi-L6 z2zNy7bye8#rlNRPyRN<1anJC$%-n~S@AXoIHR{lwvOlA^n z3P6dM2#6W8*s*h?ko&?&rnTZab&DT6r8iK&ZyILn(h@thr9dSfF)_V8H}Ucz2ZM2f z%+aRhrqqs7)l(N)Z$wx|CTT1)&eM$(sinAu5*5*oL2ZgxQYxrTBf?v7w2Zi!T-4U! z1$vr7TXXk_SJ_yh63Y=(^i3*j?-@ z?9#jLPP+4Vz8$`+b!56PotI8a=cH589qEL0K{_7Yjt)mRqm$9K=vZ_oIuqT9&OUiBzm+KsIvV1J>$~EK{@~K=ZKgx;np&Tgh$#-&{oF-4nKk|+oBfrQg za)~@5uaKYfYVORJIWWiNcy8y!a$PyDoK=o0CzV^u8Rd#{Lb;n9O)e(al0(UnPE5iNYc3yBT zI2N1=&IIRytH4R%#<(y}ii6^K+!3eaa-751E$rrX+qz}AW!;)?M>nGz(QW94bECP* z++1!ex02h)4diCwrg6i#m2cJCe_P&mH~ePfV>lSD0ms6x@F@HVU&4*>BK!uo!Dnz7 z+yy_uLvRi}1Gm5@@Cx`Cm*P&m$BDQP-{B6nFPoQ*%cf<^V7p+8vMJe+Y(%ynn~yEW zW;0`Zv9Z`xY$>)A8;LE%)?wSQS+H5y9&BM-*H*RhwxdnI$?mWl?C!d^?yUR5-E;%p zKKIUjbI05+H_Kgei`*Z##(i;D+!A-h{cxY}?ET-+dwKWwe%p6l6RUyMx@sC~ShcH~ zRqd&^R7L93uq&?0CLv9;$)rpSq{cscmYSdZv!4RqB$Oqt2);>WTWV zowZ*RYhYdD^<6e2n{CaoW>mAN8Pu$4rZhvE3C(8=~N1pKqaoMd$Inj@9MMqtDdTN>Y4haUZ@A^dwQBareEnl`i=ggr|2j8bf4|7 z{ogx#zsLK#cSwdMxsn-@SV^lSQnDzylgvrtBxRB_~1TC6W-yZnBz$ zCYMP*NlfO+JL$lW@nF0cuYu3NU-4CZ6R*S*@k4wNufx~yG&~EB!jJG8JO+QkOYjeT zna}b%k3*Ir$B1cyuH>1|4~hI7gdf%~9saay&Vb96OE^M~LIYv3n#Q^CRv^!ANEd zGj?oACVq)qVwLz4m&Be}56gyQ!>?i1uxdy( zj2b!(jfO%)pyAK3XE-x-8MX{jh9|?1p~rAy7%?0Vv%`NV9ri#%Yb0OFQ5h> z7LW?~1atx>0gZq|KptQY@CHZ&gaMuaOMn}|3}6{}1^U1qm;>*h*e~qI_1pSo_+kC5 zeiwdIzo_5R59vqr3;Ox|a(*?xnIFk7={x#> zzMT*E)jh3VR*$Op)I;hO^@Msly_}v+52i=b6X}KYK6)3uh+ew)?Ol6+kM9xnGF?pn z(z*049fN*Br_z`7BRxpZ(Q)({T}FS=TLKc=2<=y^t!jJiPHSuHY*$t*dzGciE@hLl 
zNZF#SPWC2ila0y3WL2^#*^_KZRwNse<;YHC%h_-Cnw4hvEHHax%dlQpEbJ84344SM z!t!8our*j2>z9?ws=+E{jj}#jovcOHAuEuz$C_icvBFqS ztR+^G59@|C!+PPg?pC1HXT7Us)vzj8)v8KWZK^I+g{nT)oT^P#rdkE5c2q4?GpZ2P zboE^AR;5+H%2$QeyXrtCqmEI#s2Qjjs8v)c>JznznnX3C`cQYMG*lTX3l)WGLKUHQ zP%)?%)C%g?N$sgPDurL{2m85xt^ew``lbG;f9W6ke}0~S6Eld$|NO{4oQ8aI#L{|i&R7^jgUS_&(g2-DBY!Yv@F^c)ey~! zVnwZ@QPHPpQFJH@6wQgwL|dXN(UPb~^df2zEl0c2Z1j)zQD8KW-cT~A81xIe1=WH= zL6M+7P#)+G)CO7ug@K+xE1(ik27X z^X2LCTzQT>L7pE^j;F@6;wka`pUda|)SncbUrsKk24|MD%1Py1awa){oIOq*=Z!PQ z+2UMrk~l-09!?HthO>fm?ChPqbLXs`4$ZJ8R}(|is(GPF)l_OCHIJG(&6=i4lcd?v zw9w3GVl*e356y8i+^jbF=CMg^>P=kJZaVl~ewHugGx-b0*HLmtxDXCD!u7GHMC6L|O_hf0j8*oMp{&W(l)Ykyt`3 z&&%+#y7ZUArM|S66qIAiFeR80gYrswL0P4QQa&k}lt)S;Wsp)wd81@erYKRACdv0fQ$ryJhM%p zptD{Hc(9m&oRCIW3~-)Kuw`IO(?qkcs~89fIB4oU;1chWKGlr&1ZByAyGkxrM>)igA%r+4WZJ%$!TTcNAaPUs{w5*i5o zgXTf&pkvT0=nymq`T|XXo&$iDI%}P=&Qa&4Gt!yp z9CY?M^PFeSFz1)E$Jyd6aqgbC=j+)&FVDwwezwhC<}CA-dCL4`W-=3*am+Pl8MBL- z#k^uhF^`xnm@&*1W(xD!{F|NT-h4C*&9=ENi@va#2AYph{>HJ%znjg!VeW0~>G7-eiS?ih27HO3d?@;E&Hj<;jn z7#Ej`yTn>zEU}fiO6(+N5-*99#7JTzv5vS!tRgNEbBH&@7UHt_D*nYzaWCG*J8>?) 
zzrs;rr?67^C`=R%3jc(0!Zl%;FiZF(Y!W63kAy?Q=kPeZ4PV33FdsgKiD6+F7j^)L zfxW;Oz*k@?a1%HQOa$%$*MMEXEMO7v2bcql0j2;;fY0D8*a<#@f#4k&2d3~X`+|M5 zzF6O?uhjSHyYw~s7JY%fJzt)0&iCf)@>Thsd_}$*--|EBH~sB?rQiO`e~I7S*TGBX z{qk;kGkCGQR9+}=k=Mt|<8ASpctN}!-VHB?cft$dt$Lwe-+T1>yt>z+JJ#*$Zgn$s zuewm(r0!97s2kMn>FRWEx-?yx?n`&2i_$geesnRq5#4e(-2J=G?y}o=_bvr)88?fI z#l7NIajCdbTqiCQw}{)rwc*BaQMe-95H1H-gKNR1;6iXKaLe2*_sZqDIJe%0ZNIi& zTMS#Ot<&~r>$Bb2!faEvBwGvHjIG4>VVmBLx5TZzb=XqShG{iuv$RrLDD9EfNE@UD z(#B|Cv>@6Ktp)9cmO>kVxTxVt5gC!7q^y!8X#;^AgcL!97($R?%-R_8YY?T(+{gq; z3d*OPLS;DPStWuF#cuRX;KW5KMerydVbuie3#zWYRX!mC<<~Q*jLZHChIJa z+q?+GcUl9@W;veG+-snpIS5D=WsUyLr(_Nhp&?WnloF$jwxJRW;m$e(w2S#`=`IKr zfiK#3P+RL8!jM&M;CCQUvTA?!fz8%8uGC3v)S%?b3 zWl1+ysJ>(vWPEOn6z@iy6Znfwj5PWBT;V-3~ds0F5e8V9{tRVDNE>jCM z5)CvB(Z8um?5R(F1J(SKLIeeaII~VUPcy_L03Lx7 zFxVp_j3WiFMkdC_KgNFfk+|sShv*Y;&HIOkCWlO+6U(@`+PJA=Z4m(o1p*0APa#i2 zZk`P`HrO_;?rfW;rlO`<1X2Ie(r?n}u)QdLr_2c-C5V4Ywm{lG`Oyvn?Zo10dftj#Moj*bG31dIWSqocN?aTQzA z3=A*~U_2OXdwcPFgf%tPHMQYtfE^ul9q4H~_2A&A;8RE4v)9*q*Y>QlA;Q8h!d~r} zoGvc7E^U@vLrY6BOJaJKDgOT7{-Yt`T~}8@SArI<)fE*~6{tZfy?1xPcb~TI=r=dq zH>K-tlI7*I<$G4wo}ZsapN!cf6Y%io@Y5IlBT7m&N@{D2JKKMTE#(dKS1r!A+ z5ehA5XMtxQ=FWKJ3V-0aNyU zed&GAl=`xjm2Q>X`!`A0*hkoopRHE=`^)=_Fzayc?w{@>aly@eeC_zVW@d$E7vs!v z-Q82&rjDn37Z+R?xJxdtM@Ioi0!EHSo}NOUgxnz-%E}MQ9>s~&EiJSyb(vaNzrV)6 zk$Gb-2L~JnI2#T>t*wr&0V7AOT3U5l>MyjggM&7MY_%KjGc(LHh5u%@V`GtHKk~+0 z0uTxW5~`|_syR4GlW}p`aj&T2-pI%Y$PUkq#u*u88OVJy(Md@;Npf(KJK5Po*@l|0 zU-I(r^1~hZG2`Q_<4Z`}s9RfcTjDCVxrm4wh%}N7yqcO)nxx1nJ|-rZCM~{93okch%K%)#j$RGk}0PfONVY^uE5rzL|Vs zC(X?h%_iQ5>ohdbG`-|#iAYF2NP2aUGXMYE|Enb9RC;>#diRg?jgXLfko4+3WM5xl zU&21Vogg59ARVAUJ%G5VutY>8`XLS>jL1kJfsknjVHlzeTapyA>>2HUQqOzJYhOtY zOJoV|5D~Hf5?a!2#8QC>SpW$w@ynMk8|zFFm%jeKm3F?-69wGUI-<8wC;XIFzWaTKW~p?k>Q3*Hpra;0tC9aGy|+>uRw?h zh0lUsRi;cKrVIKZ!gFU4dh?xS@PVmFR>E=kP9GIcNfSM$FRx?3E2(sVf&kDzvo?q4 ze$*&^HA0l|qg4*{Hq)a$`!Q>jXFO>Gbeu zATPU-8#Q4vr!iz<^!bK@aAsB6*-tgGQa{4V8H_9dluc-8y=Z6E&<`3KXd2LRG|H~7 zg02}XLASKD>a@vTb$wJ+O;nm0sLqpgZV2ftSd!_R&I87 
z#depo?BRlfGJ<5V8Rpj3f7bq~u_zlGY#Z2jHp8{G?zO>NcXY3>hOZGRL%wQiwQ6_Y z)E!VzT~N9Wpz1|M2}Kf2idXaV>+{PP`#3N#z%ZTgV6E@(o9`=h!^A&7{6FQxe%e)4 zNmY^@s>h~5X#+1Wyf0;wUP{2gC%{hU zosQn#U*5ifpiPx- z7zQvN3^t025{e|439hoT^0N6rc}wQzzvg3E(S;5UI1X?&9DW}kd>{B@KIdX$m0~yd z#8uSPchv5qwK}M%ny4uN)TCD zd0Fxxva5uIDuh(770_~W)pEC|(PPoZvcDIlrLLtx3s>ag;;-UEP1&JgVVPks_yANutG~id zv$OWI@kM(=At8hz6{SKnoSaIWl-4B(9v*le@Mb*jLqicmB2tE7$HzOzcKnmE{QTGa zvn%CK1OyZaBvDaWQL+f41h=>5x6x5^X6x&V>kDAZ;5 zPlzfis47i@RA;-p*1NH7YYM@^Bf&=EpNCUZQB$GD+Tw&J$gRB><6&}Y!jx4j$!YwSMq^hJz4pr?aD4-}^h){K0Ty0$1F}Q~K_{aE@KkaLVh9ZVUq!GdxBgW{5 zxB*W#rqcC!Z;?`9yqk`r40|;l;Mc+~Oa50CcQ@sq@JiZP$teo4plgM_T@dukJ_Tpw zCqav+eU;ez?tEt57e}7TEx!k?T7xrWVIV~?WFT@NfVilk3?Tv{ApHJk5l7l2J0*tw~0JgpIejuO!bPROfL(d7QbW(I6epx{6zH$Qz? zH0O&Y#;Z%H8tO;>e&=(1m2_;`B@7LKxTtVX8UsNPVj!lBLPBQVbio{Bh?0^bp}=W7 zn4V!O&m56fo?ZSfK=oH+@ez4A^KE6a=MIu`*dGM^I7J)FsX)fb&u;EHy2@&au`?+P zv<)X-6NX^x*@0FVAg1hZ9gz{n4v4;auGtBX8ZE)ZB$aU3eHu6Na585_6ac~f(@EkQ zXOu=yL_=F7(ed+c$h+%J0xhNn?Yd=VcGs~83xkc+rUtWA9z{OLQe>kuhSdrbR?Q-B zS@Gbft1;)1JHZ&&*zNbjHbcECxlk1vfCiNP6tx+VaX0AT{){lh(=Ph0BH*i(VuS#! zdeZz_jLae_*#xQxK@ut`fS+*4Iq2W!S$T|qHhhvYbZXcr9D&*1a4a#2tb`l_VFp(1 zXw6-3EweJvHE#A3$@55gLj$3lJEl=&Um~+0;r{DW@iw8vbEww^G}gaAQ;t9-j7;6Z z!|~NWqmM~Pu$Dtg5^-1uOHotUp=2ac|F<&xQqDUf*TJ)ekTTE7n`Fz*s7H^EA86RP zvY!Bh4=$x9eMBd6OL}!J8P8LE!chzb(Dp1N`6QD&)G&%Cz)r}`wxtzP6HyK|0-Qhq zbQEH2bO2UNPeW2gQ&3DrQ&UAkSyV+&PDN}007+wWXK!z0LUK|7bs$MBNp>JcS3ylu zK~GdJVs~?JEwtPO+}b|h`2P~-yJc`=W-W7MYc4QoX=flUS8OaTEj=J}E+9!}AZc`R zb8caBEMP4yJuqM(003WKVmd5MIz<3%XJ%h_%pGUvOz8_&t+p%JtgqK)t?iELs^gO{QQgMAOrAE?b+TdNg0*%jKnq5piTE>fV;Z2ff-cT z%~j`u2+a{nFY`)x;enm6S&r=PNZ-v4NSANdH}3b=x%|Yy%KW3r&nO!DL~VUg%m4y7xr0D#++q=Y|n00i3v&vz&05mC6*&N!*d2@^k)L$A^d z+ssOY2Bd^0vJhC(a290~R)?$(O_G5!7@lyjv-nD9(Cr_{b_Q^fAcd5=HvKPs?3!dN z%VBZ3=(?AS-0~Y#h1UujqvN>^O6aD{FquFl2QvJjH0BRKt38s(NF0hn(iQwN`-9zEBtc0-#xKwHkf2>;R@OprM_2dPtUn2n!errDXnl4_yn~!o? 
z=S`=zEz60RnGmwMK*pobjD7{q9=WFGIv^2CTB=`-!JB_{dd$*dGWq z-*r;P(3}~kd3GN-w2a3ntP$gej2QTKn+(e7j2bw}o9PnBk8%&hnqM!8OcPJY~$E1dC1Z+0#^TB*4M>xFbG0&2D9IR~k-|CH9hETi0|3?(` zz@#yTM#5e3Kgtfheg}wYHRwdoJZQf;OBjD-DWaGioE;nA*uBXdV9`heSEDieugcfH zwV){T%fzLZGN$$Gv>cGXt#b& zR3cd=Rni!H6{LnghlGPL%mYB#C->DO#RacZrogH?dZQiC(CO>lrhqbuM-qN-{NTOW z{;4o(3vTccOp9Lif$~NYg4OmAYE;))CQ}^jsYi+@05H;Gt0ball$sheI%TiYbdA1E zFw3psb|8mQFx%f54Oda>^w{GhwODqo8HyBWnKJT{$1jWZ>6S9KG^f9=wwzfL4+$%R zrW2zrSK6e*k3+fa9}7e<3LyxbX83F`qu>^{v|xW7RA>uB*TZQ!DG+eap~R_{;KvS( zQP`Q#ogJgnpIWbd&zl6^>s8YmMg{ z*$e*9?s_UNVQ4RKkF1RQom&yv37+6CDGW#}-U)GFqtgdGSjk3?*m!cF$63){UfWi} zrk!O*m0OH5*y9i9jWVFaK$1-?%$YVC_J#>oZtb%q1%xZq}^xaF6SZ0xSbz~35aDgy-B!F z;5tz`>v*q7q2UbYz7_TQxy7ZB-hEQUTER;MCQ-t^!%R`9+ zkY@QWU~*#~BqJ10rxj9SeI343V3I)y+cFl;JsD^#WHS(aIEM{1jA<_rL)pPm)iT@x zfpncAho02b>_Rt2UAgG_z%=Z!6ZxkEs$vW$CB# zsRgXJR;a)ciLWPC?lURaG{x5|k@5!OO|KfD{R1i8bK)e}@%U+b22q16*-L3-uBk}uEHa>$> zLYr&f>NGe=8gPU{(hm z+}0A}RD@Cmc#C@=dJb?vL*5On1c`EzJr-5V$*F4Wh3~v)+TamiHx7=cVVuFIBTG|> zZ9oK!%9bey0S*BS0b4K`MSB(?b*>%L`IiQ)EobN0tsGf&&9w6zTO4*~er;pcYv(w= z#^YCu+r6sloJ!Yub^13x>7x0|rYaWMQZQVi+j&$otLy2#wurd#({fbAb@Se8fRt>m z^9y%|ohOxqO2T>hAQCuWu;C*-(;N5#uk`aaVH5Mg7ZCw?qA}U*g!G_!Uh7XS&HtaJrDoMw`XyS*WwK_y zytqu&B_;|pjT9=VqBQc4R#7btPhG+rR3r+lP7x5h4p%evZ~iue!nj?Jpg#HXC~T9 zN>5d%veO&%6leF$HgD%$lHWNk zov(Ry{v?SK==Z4eCQ!35^vucMk;e3x&C=5&mP+;7t+yhLKSGpA;bDk6FIzH~-O5h0 z|4UHSDCKPAfMW+&^|M@^bGu{nH~Z+6JOXxnzxmXq4N4(1(&Ubn&@) z!CKm6k^2*S@&4vOdyQr9O7;8ax84$kmHBtx6R*maic!qucN)1~pHYinrg*0$!7)RO z^%@G6-&4$>G*QEZz}2246SxEwcl;iLB*hxJ>u>JtBvViZc7#he{;gxC>$d&o3hZ?e z3%|3(Cc*&s@vJ`EO4)ZVA-YlEsZk0 zN2%gpufvAFufzt?W<=FsgnRv?sLSM0;Ca<+63SkK5d(WKLmi0_a0D2r3pOfq!~?DK z1psq?=qqyVd_~N8>}3ydosS49@J_7r0l*eJe3#SCCp!s3ZF}7f5f6ox9J(@oRq6F0 zQlYyc+{+jUu@Gbe3U;Y4Hw{Yiilb?QMg-1*u5D&sR$58{BsB);&yw*o5XsN>Y~1G! 
z7y=;i5{ z1A5MviFnbM4X6>`#gK<~{AD4r*JzZ*G)8T8E3SBSUAV!QiHyCT6CnrA$a6c6Atq(U z>9-*!A@JZ6>=);>3Ueq!ECVOgwy>#m<8m=DB9lkMu_VistYe-99phGUSQd&v3Mrz9GXx5RBpMM33X&8Qq|gB% zGkBZnBzXy7kH};Uj~qVeD1>J4_)u7l!V&3&a%%!o(R}6?e@5(t0qXbJ%Obb2MwNP;?A%1FEgN2nkfk;he;^w#LK9|v27NMZB%ia#Woh&+^pTba!ypTY%V6h(zV5cwKT3) zmX0;&cA~m~-B+$yVtvKkgKE0+imB?8lQg$xLMbFfBV&r0W%@|^z}3Wv^D!wSZ@GZ^ zXa*=V!nJ_{Nyt0`@Pf6D<6d6DNKz0U zQCz5${3@ZSAZQ14$F5#lb#|E5BIjV;QzN$?q#hw`d7p}tTB}WR0FI#p_ei!{AFgQ_ z!eJR(J>te>WJ0GxQ|TAB8NOA|7Vnr zJaJaT@oN&|8yP0Z2CmACa)GoqeJ;uhptv>h?&!%fQhMwwET_kVfXM|GlJMh+Zo{}Y zvcy+aoaUc+9D!ZlmcUPJ6r4B%)vaeeXeb2h*``^~QVPgnZ3$CXDa8ug2xZi}*1_tk zcfE5$l<%IYcSeF&clW0f99R+sZnpx7qufHP=gHwGLe#^D+_AC^!osw z&G3ZDI%AxX4LPV!yaK~NC#SVyHFv`2E%@*)?r8U@Xu~eS@)TmcnRr$=3IaPqU5+QM z&nnB_VyIt*7L79_-BA`RkcDHnYS)`lrMHpF@R$fF#1OA1(jIXWRFX6AY6&RheH>#k zj$$s76cLfgL9aB^_iSFAfEn+h=8K8)YNnE1D#w(tkf6BuZ6^YAlx8ptN|9+pNZ{Ky&kV@wa8> zsuo#Q3Js~h*|WG&qJoK>JNIXx!$suokq6a;e(Dk7t-C%d%Fsbu?fsmCac73~`hv?a zMZ93fNz}x5Aty%S+2+4!DK%2Xp(>>=gRbK&#+<#O)t z0**=-a!T+VhggsAz19_7udk?ThI9Yu|MCV!;UN@NIx`;uh=S9U8glQ@<~A z%9uB0a&;&(79W~hBf3+48M)KqR0Dql`szKb7PKP{+WAD)D$&fn4tFob0Yw}@$!r~b z(H|>X8oNhTT@7K;bI-8b>RGZEe4RQacoHNEU*&taX`$R~99_0kK2lm1)UI|f-eHQk zR6*M;*rVBQvX5Y^N0pcDHn_>?4OW$TQY;HPj1z%}s^JOJX*$EyOY#Q~p#f@7e028bP@<4~?|-xcN%dlESW?RM9R(fYEm#;#uerj!eFjT$(l= za{FX^?iEeqnzA%>p_xPHtf4EdQ!bnfFUR=@*(I1EgSey6*XAhjacLGH4ioB3P24+y zLTDZGViyL$@qT8Bt$I&I4dV7PqTMBQmeP#le2O*-Ef8j}$#CkLS=b^w=O{QR1rR*g9GhsqIFTR}x6H zfK;9Z1G9=k;UmypT^Q{2b@0Mm@fa|32tF3fvJ*@X(#Fkq+bTz)3hpm+f9!F9_W_wp z6M=?izsenIy&i^6@3!^Gnx#{1dvMDi0v;XpJ|M>KN|T-ek4;;r2iDl`O?R63dBywV zbA`W)pyCn!Pgu|kwhF(u#>_G(*#N6Y<&P92zIV>H2VM^&-G1tU;-D^cZ;r!L8P+=p2 zIa@3h_OO>)#`JJjw7F~c3f+CosL|V~LO4kwiO%{+n>TCz0D}Kx`L+6v)PUk*h&q@& z?q46;vuD;%Q`2m~Xi8CF-=ukwc#M5oF0=+?JOV7_32seq)WqJnfYySt$^&t^>Ch8WQ z7EOXLNg$3OVKM0pE%Cg{9`jEE!G}+~MQFRHP+{NQi z{9U_Q+q`P3=Bb;+6Q|L6e4&eqz3B+GRY;g>d9Ls^i|5c;>!mQ5FIm4!F&vzW(ttd-3t?>`MVa8nh7sQwK>>9}cr1sM5P z3E4LoW4wsKtKbTO8rr!fj>=c+iiah_Ro~lk;h0MUF<=z&F$k;z)Ew2+v+?=w)e1Ba 
zPU{#Gs&-v|AbGUNg?4^mq`|2G+k)z79037dyM|yoq?}Qk_mJ%@7Em{nHqh+%YHf}^ zplkYZuJ-N63r<~CrI0~2F0;z@s{DyU*H z!PtPZ58%BwM^2lGYTQuK##w<2bQ>1|)Z?GIyi)0F?2q3T!?1l=!CF&D{!4Q1o@(NnIL`gv15)2GSb}dwA@>U~% za|eO!Rb3OvD@b5LOzKktxUt!O)AtvXvGMI#Jh|Y!lkH0AQF(6Vg)2F<2%vrd!rt)X z7bF`29E%7XS+LVGCU__ksijyRvWWt9Q7u8SI7MN9 zQr171bwGv^l)#LRpGV&r6!C~RVr+1!=^}-6ymDvLr2h1|(4LXIyf#yA8B$?5XhSgONqLc&nKr znBZU)4kb54 zlHYA-^cPyDB4sV6);m)DBZZk@&r2249+zEA*TS^?x2>A9kpN=Z+wn5t)c?`MRRi9i z+6B}_QNTMnzduul002%vt#PZ-5#hNt^r60XEP|KB`@MCb$7TfD&rDSa4P4tTLzSPUU7NG-|1CRqkY|-C*9Dwz= z9oYO^75Xhl4rR)e$$=+|D@CO*Z8xUD5YsWuoqgHG4Lx6Sv9Tbl0I4v*&DdmjpQ4l^ zim~=3QxN_ViY|pd0e+x{CG14Vxd#g1`mzIkibU_zmt+mU+yD(qq8XXcmk5yQu*2jX zg26tc3}ot;FoZy(587o6PXB$Gx$IY#eR)NU&X*WZsj)Am#G-&A=++E4UqZ=K1PEil zynKJz1PtuU9WXUtF1bWshCE*;!9KJ}Cw(b{9nCL|^ddEXnG=J}mm25{U;z4(2n-n5 zqc3rQz%MP>{L2c4j5#l;uJ21BV3{&~8N`L4FM;IpOPfmja>xB?;eJ`c-j@>CrY}`o zcRGHi$~i(gScoJ2HKB0uY}Oa>jS9t;#3JiP{Xt#au23WTLMTky+S}4PLu0%R7>KT+ zuNr#lZDwShE>-t%w@YseqZ;uO^YU(^MSX~j?ff>A%j#`8QVQj7!-1j=dfTo3ps#+( zoD^)tpGGf~Wdf1jR@O0{ZISi#Z8m-MHlIsMy{(Jvgu)f1(%X#CGUkREWp4{l0P1-m zn{P|O{=5wZ6K>w7UWu6Esbf*h`=I(l*jWS!O{{c{P>PE5QBmyV zY^JP|V2RO3K|wx&a*nOi2%P6A9Qr5}eLV^X0zjpsB?nL(uOAdR zgvkC;*OI9X8&23D>Q8v*Dv_#c=%_K{vX4SShH4Cq{&uR5I#Q)RiUTl`^b;OIBTq$I zTws4lSP(=l6;f;HCVf6C$ktv`r;h@%rG>)}70xiH1r?7heqU5Pc)geL2X&6e?6N+xPd+S_8l5Cg^xJxmXI3>k(mzVuic)tg@G30~mr z9w-w?G{n-ym5PQ=mweL-DD)=gqSc#5Bt3?+EW@yi?amgfH=jH;38mg-QlZ}5xwSW! z*iZ|fyvhRHL$GkYc>|_z0?9~k`aplu7kQm(&^LKprLhPP-PoHu>=kpaunB!{P5_oE zN0qwKo0WW7F^8DuGpZmX6rvLUvLZi=V!5_GSRss4PUh4TAl_k~ZTw;eAJes&kn`ob_8PNHhYSTg19yf)7Iez&KEqk0B zAnb8TZRj;FfQCJz12JKSl@iUz_3}o`u)r#v;$mz}vXFT7)K4L4kHFm$HlvTb+5Nau z3@c#6Q#~pa#~%vZ$MyT$U(}+!%#rAMoDyB>aWn~lk25o> zaD{lsj)tcF4J`uKrN|O=8mr(9cp~ipD5S%`aexR7^r=({N==^VDDD<};eyD%rfs23J z;f$GnLs$c+fr!i&(}VsNV?dbxH!xwi^WS7xK+fM{=q~uc^S2hH?oVZ5Xnzq`Kzo1V z0*+|xZ&`X+{q5DEw$b0N)SjfaQU-$VeLa3cNlHzuHky}? 
z{L;<_DE2i_ ziM%5H3Be}+E^48EM+L})BDI?M614(QTD`aX*hBydXr``&9wK#i5>Jx2M_nX+oDflc z=@7lBiT#}rOop~l&+p3Y;4m^_*@amQ>LoX%AP8h`CugHfgee&l#&p7%DN@eYWp$F^ z{0>Z#no50O{x0lZunIF&hNK1de%Gb;w5ccY8Y%9~YW*&QJ~qe$Ex6}qIr8e@iWOV? zT@{O|;QhN2b`A$NzY77kjJ$pag)jZ?7P-H35;E;3V*VYIoSJ?94g{Pe1O4uU4Qfc{ zBTTzOHUxcshothPEELp0#eKhHkuxx-!cvUxWU%_(23!dnU80r#-3t8uE=bYufDm#0 z&Sp<>r{7Uf$8eTq7={7T{O!v?*s3=7D}yb5so z#!E122pIc|A!%@#?i{<>xvp&^RQ9?u6W~y5*iUII0QPlcYB|zgH^#bdtoGN!e^79Ie-RAo^Z+L>s-%h^RTx>x#T#GyX#Kbt_CH#IM7^jT>FV zL$4b^s`I)F@)4Tbu&Ft0)Yzpp_UnFBA}QDFdg$KkDk;ZK8b5x%35Nzsd(ajdZ|wc1 z8@@I)??@yYXRMKz-jv$05vXy~5YaHh2c8ici6gjS&kWofl~N;=sA~?id&ZV%%eV=r zau4_0WRt)$$RHyf@$8CV3=lO*F~qa;P~A4M2wMDBOWPt>V)ToqUxeXB7+mBnNG;AN zLQX1)Mw!TJ5a>;&+LN|W%e&!IWN-Ho3h@cedUFT9xfC*?yLmGSQ@>fuzc&L#wJA+P zYhC0)pf0EH5O-w!ijEN%&CVZhfK;VdBCQ%uFh#}?q1+3F7@|DcfI1H#-h0Mt=U?#x@aPg%jPs+7FQ>Y>u)PG2p4>os8^}(?) zXP4Fa6NRcpJmE@h^Y&CSn^0*zX#BZZK%5@1h*I1nokH@@R~5x8;7S2CTLF1j;zfT} z(JdaZ{b@9$lEpt~F7o#$38<7h+u@?+pHVC=1N|vN%}IdGpDmK9AL-bi*S`AdPbX$n zsE>sDvxzwV$s{WoO456OBFRjDvV#8fVBQ5ph1wwVCag0AG?mK*yL(NXdQ+(1(;m$>P=*BD@ z)rIPGoHBJwiKcc6-vHeRFS^1(C8l|e3PfVPlUKUtrdACw4UN9`9nrX<22K0PN$sm4 z*<*k+vJ~2FFvEs2P*fztiXiChyKUBhyGY`wXQ3>^Fupt1RsdT~(-VE_OXS`~rvoiU$5h5CBQIjOXbMj}xbW*mYrD%97Z$fdC;46ly`0hkq+qdP9tY*RahWIn=A zfIVod+ZJxfp2(Du@OVF9VW|$s`KeoKbPA0wkzE2|B;GqLIAJ-EHSk5L^XFv%YYnu* z>vpvn7rXVMxMGhon_rD9S5?+g{{d11P1 zix+ElCr*+_n>GrGU3^x(r!zJ}iTV!;T<-6ADR3ll3pjh8Pl|$;+NH*xoQ0Fm!%~k> zZC@u?ErpuhiA)-4&$9voJ+I2XXiiVf^DqfB0es$+9#?vv%j)gQI$1^l&F4wE;`5@Q z7Yh!a3X6lNl;v(yfVf@&1DOd(4CSfd4FF&OH2(p^fk2@aesWQr2jAiUcHqmTe4pz% zk2l+cwGlPM7|DmI^0}jRSg>$>abbp~b>0Rs&aX^vBX;yVc1RIc$hl%`8MoeZ2x#u4 z0oJOfq=hvSt6nqTTO;~RyT?;uW=kv?9J3!W)0`FM@Iml}`&;d5x80OyLE3HGJn&$3 z71elD-Reve?v89|qtX*^b2mrSo^e%$Pgw>FN)Z`Q>^sv>WfQbD&dUy#O*3gijknJ5 zthO+d`){bvB$7<_=EcNfH<|&iq%wxKk!~YIIM(vNMmNA?+m>11D`>|@a9yZY`o{k; z@(;fE%`<(a_-hjAO1FItI5&+zUz z{df#@-tyBai?sYYJ3DxFNgmgmW_1JvQAdr|CSRe2VUvMu>z#k;L8V|oOSD1+hKEb%#96~%nX zcK;xBR;!7@(zD?PG3M&ndLG*R5wlS^v>}Au->|lp)4nEvzlk4T1a}Uoa4>Jjruc^$ 
zvalck&;Z8YBHZ#};GaFi?w~FKi+3q_D}(K5b-#n#8=o{^GMaduUv>EMYH!wi<)Pv$ zd}4>HdA}N$FTCXyXj;dF0b?sBx~sGYE_vELBwM=*4^cgn*=LGx&?bysOM z#nfWq(`-*}$gq~D7vSBo%#o(=hL*n?t8%|0YJhh*0bN5Rh!NYdSqLsLp)25!6Vzrh zv}bSC2cVoC-8qw2S;-bH+nqCO(Us)^1A5RrC5JeCT9NQGb_>==ma_e^L4G5PFVbvX zC-20KK~Ok1#Wf4gt908h>{RPB#wvI0xMYmSI)yXNj!ti4dQO2P>7erYLG)iI8E z(7>E|GQIx6H_G&V3RT{d0dUa!M+OlD?S`ub0FGReLq!}`P1X>`#m<`!*b4S;2k=09 zL(isrx0)}^NgaB2s&IR<;(FHMx;8%t%;mE0%RKX;t6fKsg~t&4st>fDp+{%pd2Zpy zTbY*-cKbwjQwG?@0v^<%ZM^-e8N~JFJcyq4e*W_{zYjqf&TCPxXt>8Uws}ZodKc`X z2KZ2IS6!cOGq9n0uI+yMWjfWH&W1z($PTLkSVq2NFrDHU!NPv#cC54MX|7@$Q_YrZ zD-^6XDC+UtdSml_>lLYs;xwIYuo}~3AkT!Fp|qsisR8`ClW`iCN*->ytrMo%K=kOI zu}GC(mbz`?ueKn&Xw>pK#?j<Y ze^U&!5@m*rmyfK^PUGHSDYmkmpr<#-uBQ84?<`x~&Z4mv@;VQwIqS;YU4HhJE6c)K zDpR!4_L~YTq()|_8qamzbXw#cKS@xOHUk~$xo)@lgGiA-4{H2qU%8w_t| zOi#e(Y_eSBcg%~zP*DNv*behAx?)Ps0_46!b9=f5AJ}!#?1~n%&>zH>UNf11*Ntu&9PKVf){qzI;4&5#Erd0@klxr93a{yDaYf&M#hBW#Tee8JutI6 zwss8{!wZs_Gv83*qbqd02azNk&bC)&Rcs+B$o01X+oSh#A3hDvnd@m9Qtg8S)20Wz zVpwWU8~ApWwv#I-R-YxB(uZh3KYNxp_lEke)4&k1{IQYUqNXdN@dn~{o58av-XK1r zy4YB<0|0$iAmU*K&cY%wp$tN~5y0HRcqLuv>H)fK?4y#N_YQ z?D3PbIbEo+-fFW8`T7{V_CP@DWHsamwvu@j-JbUr&551Q zhDgs#)}zn0;fi?ot<3ZoweTby1#^m(*z7>al#6ZW5&PDiIU3z+ot<#jsTv#>rZWuNUfaQAYR@C| zvYmglAl6`P_gcR<-;rJpv$L>l-Mu+My~dz-yBikG0uy_8m{~5*wv>}x3-1~3hK44W z(LC##ziE7&VGAf!S(y-uwCu{f@NV(73k0rz0{6R^1|BKH86w1#V7Xf*D#d?kgIV=H~aP zw1e@X~r;#u0Xw#{ELvMd$mEij=Ftc61?d;(qp0KPr0JO$Zv zy){~x;g3;~L!tWNqfiIS0qZ%P7uxnR%+~^DV5WL!yIQ6ii*p+^dS)V2{Y~p~SCEag z(C}g+mgL%KpFcqcQUe%QZ!)l1Lu+78k0H!ga}*%=v90nz)Jiiyw4h!!@Ms4;+VAcuJgzZ187GW{q4r5>l6BL!&-Iu4Y{}PK z+(Z>_Ml&VTRx@bqx328!TA+1Zb862Et*bTvec~>M@x;QX^hN|XH@gS2POzrj9>l-v z1JTtSD6?FS3~7`TlG(z=iUD-6zG~15y_~wxx?-SKgx^wK>`87e+#b0;;#uLdDN>r} z3Jr!cP`T|UHh~xn1Q@fe4ZLSUZOpiObIpF}9CSiy8bF)cMtJK_Adf1$Vms_iUc5ue zNRMr*C{@)M!H3ycof}Kl-D>Z4>o{*06P>63 zKF{Bo@4CNE58rWKtS*x*y3opOd4HYue_gh`NV~Sy&vA8_kyf)En+2E!p#>LYGJQ9q zw2sLo78Gfq+pYCO-2s4)Sg* zEc>Sh@-`3v9_z=nO`#I~=HqVuqOQ4zlw3=ovmP9eSF3l($Xj-j-d#JSt=9o%BB0Tv 
z{$uHQH@G$DkS|vbE3|iFY~SEoS2B(V2aWYNARBRwZ@NfSjac)toyxHk7K${x{E0kJ zjEDWJyZFqWI))Sz_SHv*0kOZ?G+0)bq*BazH=cD2Tg#d;qh#P6ajtnVt~V2mh!Vxb zk8+U3z@y<<#L-_&FRH*E7e3zBw}5x1`iVoNk~Ydfc;A}Mky^kSPrHi4Y?n}8KEgq_ z$LczxF?sWevVhgg@RUAb2ug_>NejU3U$0zKDXqYZpR{D7iN)jLI~(iQb=fPb$ydRB zw8pa=qf$wxrhQe+WoKS!hCa}xvv>0LZgWqdogXF}%xR=rEt?h1&g3=fNdl`w8=W zylu-a3I!l~xk;bsBzOA+sq={l&}sB)#!nQ7S~v-pCy#J(JdM!H^PdO=oAZfGw^r3B z8h|CHPxJxpeSabsyz_}V@WA{;8(^VN1nbSyb}OYP_XX+Cwr5c2@obgMY^1E&c(5<$&w`Za56~rDjk|JkqA*s zG!LIy*B|mgRLx2tVZlf?DDGHFYR#rv#V2`4+eg}92VRcH={1{LAQ>NN;YoX^dA?mq zWRAztH8>JSAmLZWVVfpC0%apB)sc9^jo8*@{ro_l?ZbgYdJn$&L#QE)6vDT!Sq7)> z$-+fS)Mx_99SMOl59^k_bOHY>$f0qbL3$TBl>@5I16uA!|@s-9C*%&fq$i44$*U;5`*4YnHhwLbjkle)k<6 zyIN40E(ghCVj)P(AF`r$|I?+oMFEj;w@_4?$M^|Zxf6l7{2?3N#C_#jSCNSgK%G=w z@aAVXHnap1vC{Yz541(Vu8E*He`rR-{6T9FR_6}^fonF^KllN+Os4&z9r}P_25A*u zOgF*S@`s}R$@yJP0u`2vR6G5dJb!2e_`*ft1B86kP4o4KJis)2wTH_d?+nlm3tfID@Qx&L6^H+GrX*S|*F!`9l@#6)p1!zzp&=ivQ3QSUoFC`ho|G zM2ZjkY;9*X_J<;%DSW!HR;or6Xl_}H0C+H8qiI&*mpfP{lI-#44?zHHT=s`btS$44 z9W1mI+4+y=!8;e*mm~!yWmv~3RU*!=(G;sL3=L_9VskPm@kGZbP}f=X@5Zy{@T3}D zAiHTz${;7t%5l^;fqZMCFSfZfc2(t0Ce!F*A}@*K1Ce*##NoLd<4tg^?5=q(k#+f@ z_o4xoE>tbysT-7oa?qp1L-OJ?cD}*i;L?%(!i~7`(>Wj+v9$ZNfe1e&8bS-1?P$|f zXd9y?15yw zS Xjm;1PAN3%v?X1S=%?v}rGD^}Y1~o3rIF*l>>Lv@U*ganQrC<7`U;1UrNmY;7 zgQ;hMFt{7W}0c9OFT`=cODKZejkTi~g9E;+M=>>&l8%y&$jJ{Zwjg&8N zx6e3sZ)~kHG&N5WLcs;BVHt%@D_e1khwAZ(mW`B!u8-AJChx21G8^TD7SjU$b!%b; zY@od&?q1tCS+!xZOA}VyDq{Nv*GdHiT6Pk?sZ-!6o(mIDU?*l1)Wt=CcgvW%U`#hH zv4Xu7`dtaSV{v^^*PM|_z!)V~ey_z zn5_fN;mybiV}8HE2vhIZhM41Vb`7TW^m`2two2Hjs^Cs`{Z0b}Oux@iZtNDY;HS*5NlJ0Iy^U(S_#Kqu*gD3eNyO zXXD_SN~P-e(}UqI4|w?mX~L8Fy#xo0@Miwi01=?iJ~V^}!VJvsAJCrPJs6_?-oX&1 z-#Ngt-#3Uhze6E1sQh;f@cq4o0n+#1FNpYe3+Vh^0N4M{qI0LeR}jSeor0-L3k#BREibLzjwY*>&-Ns8kK#q3z%^G1M_> zkPbcv4022#ovD4{4VWa|c--H*PHw}dP_vhG*?6+P#+@#x@zRhpj|Pq{oKed<){LlP z;pLVAgZkdIj4v5+N<5Lg5U15Kq!=8vLKyItbFgb?AOT>|7^iJ3Tag97P$7CRDCS+n z!1M*+3<6;Cg<8xk_A3Rrv7k6n$J=b0yt>l99Ds#dF>4rBtB|Sv0>kogRK%d&ll7g| 
zn>hsvCoDyL;?C@uZ49u&y>24!bi7}hrZNFz0amidLe~IGK(xQdx@66qz>7H{p?|Or zY&}<>*)zvn(+MjR0#K;?Xxq&+M-~BVJmo44gIx&l>`@J(JyXkBj6ot^?J_%+PZyd{ znnsc4?Oxlm48!)eEUThuj4d)L?jZlT2RsLq&;UJztt6a2PKbHrgJe(CAIAU)`?w%D z&BpNGfMjmL}J}!fY!Bu@+ z3kNUVhyum^aTmOrm-V}W>*FlgAm-yLs7N12fxLa(1TXj4$F1a6XK~cW1pt;lZi?(5 zC&8nATm;sB90Wb}aU~5(*`(m4If`v%Q8K7vk!mRRlWW3YW&7y~?xb_l68ljU(wp4u zHK~-R?n}_d^UldQxaP{#6g^ESOK|`Y$ZuZLGHhu}egIMbRU_!Z+g`R|+2Yo9DaGY= zP;Xx6+WaC8;0D@-l&6n!5bn9!&T8xz!B*4&qLMPefD7QgysOi#(lFU&ly{G8Q0<|5 z$|4N1yq0Hm6px~?WF*}0kL9U56wjA*{h|u0#QY)(u>VC9)SX{6W!fmgV9;n>iyF z-6zfyVKOv@UiX${*Cj#KYo4#0WCBS^?8^sOFjDO_5(vqz5&hGDo~nqEyNJ$5mqz6s8@9u?n3nRQ4YdASKC>Q(VMT+ zlXX!x4(TEJ*X6-2W=+)B)#QuN3O<^5JUc9zLj$|QH(tt{Jg{fFv!}hR-(A0s4XfHPK`zz^uJP3Hu&pjQiv;|8^CAy>Fb8*NLGkSZR(L0YQwu}ooe%SH9+ZzDk6E>*UcbfUnfH& zDDT2!;bJLa%@54itsqsn`0HZe%e(lDo;b#uIItr9*C7B3c^_`mx#mcmuS+4uFkG%*7-W9hz7HN9n0SNx(cl8>nKQs^>q_$ z+r3}+5RqR8f%loE#H1cku#dO(%yV{?Lp<4*Us4#oGn~;oJivc>sC)kII90F1D}gqBC;F7@j_;ydD3_ zdtm)X9#vaBBFm3D@*Hxf57y7YvEP6}{>F8(%TAli&$$7UeCIql$Kur1oUsimj|1h6 zYgcCPoIzEF;e(B+#+!Sj!TbKnJa#r?@dnnPL*vQlGp^1ygHAnSc9JC{;yiF3V^|x{ zIt)B=bPvx!4GeDN_Z=9x!{md0?u(1_b6wa0(?~yefqd&+P#E8$4imQkeBqm)yTYpW z3k?T)zZ0!^RnS2No+3&?U2{M&y%dU1K%39}RvStqop@4?7Hd;!d5H*jNY;jh3IoK_2;^pPSbv(>88^9s^MuWQ^Nn8oZjp{9FxEHEEDEY{Z|N!R~%8b+w=U zTnwD%=U~vNHCVa}xrN9AkMSloRy0tQa3zyJmw?%SP6b)hIdGih!YCBrrRK}e#WUW|mB97Z!L6S&>8$+R2hsL(7Sw2!8K<9{5|4gP0vh|dSBC26 z03egL<;tZT}|Br#fe z&po$RVRDqG>ZdSDm{;2r1=5Pjsq&CG61~x_yP|TwWPl|i!BF0h=jl5f@0WIE3I-^z z?|o}j7C(6&173PkQz=EoI(bJm)lXlrXiYMW>+DRtxMbF>uI9SHNullm*s3SRN}wYb zXhi>TA1-=$A#V`O+Cq?b!+~T#ZmILgKeUkCkI2(y8K>G}DvNjfr1ApUHmN`wovHvI zQOMu)%=dqY%pMjd~A1-WfP`;0mud4f&yC9oz8;lcndI50s1qsfI9we8%%Sr zaIIXNXS-Isnp?#ZE|-dTbEiExmuYC13Y!e zfYLRhFU0L@TZUoPO4MU@)Q+?TC;goZ_x5)!==yguh!wQQD$E%m4gg^!&Fl30!wJ*` zjk9Ys{W}t59v$J$@U1rV#RrxyWcLiA2bk;s4uomyIDa<)np(gI)dT#)dGzeY>dkb4 zC~sn|Xrb#`SXU^iB;Ti=uXjf0u#8Alj(x?^t``)3L6()S_y5 zk)u2xUdu8pN}aJ&RRtntq!$XEG=TCxsX5xu;E4_5oj^`xh|x!I6N|GoNo8VtxRG4N 
za7o?eqItUx23#G&Fz@12!@N+UMpH;yf(m+_>pF=GlehrWfv_Zy)j}khOAcrLX0tGg zg-2>5?-hNXN-C0n_Ke2njZEat9>Yy5lroT|&76qHli@J|Eja1+L_zB8G2EoWEeH7? zj#F!7Anz2zLXYGIV69(WgJlqKnt(tdzd23cJCg#>M6$N%2aNHXT@L_bA1|oyEyFgI zhOS_2kV>`foO5oSGLesW>JWueHoCV-i+jA=Z8l9_U0GiYz!LSlZCC;Hh z?ar%lTS6Qq#PO0i&op}{93;qYq=6Cg2rK>#+j?Xlz^Dsw~My2&KMh zO|Ahe2x`QmErV&8UOF1@i~*RTd6(fbsOf`;jV_SglMH#e&8E>SEbog4EES3N`6GEE zhSQx=Un*(F>3l1LN(u;VrtCrcI3k;Jn$i>_ua(>%1 zt&=adxiofFCA}Klh~#~=7SiSxW?57QSxBM!qE~bn4Bo}DHuvV8JZvd(qYb2Yu3_1Q zSzB9_HBmBN&;qA;JAc!(tb^~hu{3pMffO&P?q(EHhu&$W)Gq>H!AQ5;pUN|LB#tlm z#GCQ6$8Zyi6Pk(Vs-Pwg;cY0O`9(rtAp8z?bzLSx-F1MHjIt&d+1P4sH=gL)&k)YjhCvH<`Y2{CiFs||d#7d>#{AO=+@az5#`4#c z7vkK&7T~6?ll~d42b6RIldx zpbreJS=1Y!sZs zcH#_3XJ1CY%#q`Thc5~baW|yk0~PlNVOL}Z0wpF(_^sKzaM49#`OXKrIMdMTSiYg# z8!Tb#(yE&oPT?~P>Ob@pF+OJHts~KOE?MF!T!S%i=qi$Fy)#=wN1~ziMhrx2Ibmpm z3y9qqGBYjqY}J*~vRB@1gpE{pG||Rf+|{`lHyLmqDRT?e>sOHBz@T^Nd$gRqJaGJG zH(TP3qz!-XgPs1GwIv|d7jDpQ0+fdjk{35&8&*(mVpO-bG?rD%uLYS9ZWxAnk@JZnzbf&#iV zaG|*4eo_6M1l6vbZdp9?VDcN2QKZlA)^3^4fpU|{obT`vj2_MwF&om2s~lqzw;A2w z-%S$-awj8Kqqu$Ku5bork;q)oGqkybVU=^ZjY4fp4_>UC3}}<>TcNp{tJ-}K=Rzv! 
z%7wdo-uF639GJ7-Bd^9jW(SR}$ZEkeiwba`=y7jTbkbYMdvGRDcU$8`RYnREfkk6$ z!=z2yQPKm%Yn>ILk>c-})a9kPLKqKFzE6#MRngXI1WkZ7Wi*RxL7VVFudL4v-&m;` z%yO$02d;KqXG;6o=WudAT~o&d_p^8J0fT+`CR-VPd);GEjvsJ<9?td{u+(3nMKgxK zj~UlmA44Ao*4vp1b+Ff^a*ykrPeog=S&xUd$KKT6U4_}kKpc>WUVf&F&P_Ot%S<=g z-_`5UCB?bLvPiQ&8o!P=Ghi<1DDZj$H`vj%omtMMpb3n5H5mnf?k}7Pv|wUmyem$> zogDMA`IECc$cG0nC$)jZ52l?|2P(5<#3lgKG9N}+Srr!*GEuYH6IhNRLs7B2;-(0u zm`1oWp=Y?Dw$5{I=ID#vd5tlp}VR~nvvrTr0 z_AYNswS+SlQ=@ATHFL^z_r@#ua^J4(oPohl;9XfvRet^-Y*;j zI>^M@dcc5bwq9KtxNq8)m4L@X(ec?X(U&k7RW}-FFY=!k5qLrL(HU(a!ifR8uKN>JL7!>nUNo-~O2a z$5IQfkhLFx8l<~v^SKNb^t!Edr)6Uytnx}H8Y2Ekyjw@Uyj_c+CGgx?y5@l=1KB-) zy`vp9W}dYXzI5(l?U1vIK<}oI++j@nUEYL0aCf;66FsqIq%%GXQz?-7mOxahCjN4Ism{-Qp!koJF&xEnrR$7v9HrxG>c>8;9$o2fpwp z$feu0VpwAYa0X>Js5#q(E9Jn98Vj@Q)2KyZbF0`o?CnIuF-HpN*4C}ew})7EV=L@I zyQV1|%ZUve>#+r0(*FunP6Ky=9-^|&R*VJUpgg*5`NO95$!EAX7C;o|E_-KBp$nIT!G1hkN(5z+$%rY?qP0vL?UWV%Iq&%-E|p z`*mpZ-Mz7UJhC+#dU82=kttZw4r()|4b0Q3%o1&My1H%+y_qYZS_6F;!e8VIV6Q*t z(^dQ#IIl);n2aItJcip)KCYPr{)mVfKUrVc;c$1b)jzN!!!-uc#|VR-CawU-60G>c z!4cWX+PZOyOY-yrFV*!lCn8(WpZ!ep_Smyak%8r4soI8qnR-A28wvl!?mviHM z4xzR#tz3ClBkKFIU*=SCOn+>(#6CaduM1MD#z>f8vfA~)4FWFWicP*YlC*Mxx1|8Y z106Vxha)i@L)=3ueU4LQ9w5t1LBn3mX+}6hI!%Z<*I*Z0Bo_%sL0-!?T=}t?UULfA z6>2tn)sk!(>?iS`AbMax?3^n?XKu~Xr!EG%H%Iy$F^bGx@t4A(W>lk0*Og;@n__9}$A#%g6X*8X+*}Mhz-uiR-s|ppfLnl$7Bg+)sZ^qLS0l>- z8Qy++s>Dy^n|a27w*WhDqvpBqEa7z7U=-Ah&e8;%vspN`_9gk?FgD9RMTTR4f?!Zx zs`RkJ4I6ebh1lCRhy>>8!A^bl9#$r{slzS~#MfYR5M>NO7SvjRE_Q8{&x3#-foCSh zQslI06Jy!VY`T~hl!dl7YAP;qYVodFF76_I*&(ik_;pL@!nFbnE1+<(##tXKZwvGiwhowKj40BkIH*)(eRZ9GoPsHUD~tSN!3`yDZ{| zCpqWn-tlt=rWDJBlbgHqRqKn%5J=D&+aRoQMqS1>Zpg^NDlv$AlS)T?s3+nhRgHOz zO});h*7Vl$lO`f|iBRqy8k)0hl|NDCFyMUrUkqYPB3V0}T>H^8z5cZZ<3bu{7)PA< zYC*g#%WKcD478KLn>u9UmNnjsaJMuE#jpLSZjW~_0R{Vv097+Z;3WwO<5&d+Hi!Q>gr~U8-`4hbtA zx^fMnV@gjGP%jLwdy+S{;7^HBJ()10T(+GATW_g3ok@3JI>R-4FA!THCd8 zF|7RwH16PD!%j{5VfhdTR_!@9G*0i{dWWSOy83u#109c!dHxWBy|%k9_&iMJJ!@jO 
z=(?qO7NG|Kw!jHf(T-_jrTtmK)F{Hyew$Un4g)#!9Ee|J$B7%>>`M%p0oc5&g&~dV>(Bz5H0m zj1CSh(HP1N9&WYmSI9ac$hRMm$T2>ia5xPuEB662iT5o@>KVR{k^vgu|fOGcN?$& zYBAH6pk0~S`Ov}HV#=!q>@TKqrk}6#nt^ufx#z%6L0>F}&5-%J#yaUDv-zREEZ9Lv zEcCHuu+F`B0T_^TOnoSM=@rB*~M&fN&E^8}uJ}lA_hO;Y-{F>Ed zMIXXAy*(hOtNL=BP5RC}%593{XwP{&RdAqR0mvPRehnhyYW~4O6*psC{F+v(l+5upJrTCmOK0iTRGPcsw@w0P}WNLAJmuz)NW9 zxTSE6$>%VEbRFwf|0W53^krV$gs0S`s{}NZQ?+fc!`QNby1IdJCw_;wt$MCTE#zA- z=m;Y)w{1gluz4b=#*hR!*BIBJf;S#5-&}2M$njdu1-fKow&2H=-as|Cb8eiJZ@IOG zZXod-{d@T7o><@6%#g1Qzn==_FqUo*MYltCnZ9{vJuDpvnTave^|3cVc7_-V=pgIc zux^dl683n*(HS_imPvD4H=vt5#0U+D6HP-*thx7-qBnl- zz|k^uedr2iUUj-&x{)wVH+S_SdT}+B8q8P_$_$bDFIUt;0Xn!DUq28S zbZjxPf+lytO0?q~C1@#5G1>9&Snv>loyVJa5Qxj1x;Yyy8zEfQhhBC>^dE2&ONgfa= zk;q44BXsAgM!7s}7kTj$MXU|)n~2=;t_-`dE+X^@Gu1;pk=u}0NGGHY;$`|073A$$ zDOo2Shy?^sPgB*xP1BEOHBZLDH8)bVY9Dgx@)2V?9rNf$T$XtxPOOMF ze<(Tdj*cVh#rs|~;mAebhFwDqiQ{W5U48W8I-pv16XOrb0kWu9K@7gT>JFY*?* zpt|duW;pv$Sv)K{kpkL2R1_DA-or`!P)kH5=#iJ{pIkSI!Cg)w#y%7go#%GFEm9qV z3ZaRM@6aAP4^U2;3Crg`)DGPSh=YmDtpO(C8+{-RPOT3W1Al>L{PUq)fH?LgVG4jj zn@d!nHI~p1bwW2G%E{B@`cNZ85sE%k2=zmOKxZm}xmUJ-s1K^qenlHfUaAMLgNZW< zoL3);1Gr?5K9s8h^(;0P*I*iH*@udfWI%Txs)Aj^`9ooWJ(0{0MZxr*_Ms%ecl$tc zB|Cj6IFYuM3F9ryKU4#g$l4FZzIK$5R08*M zoDaon1nM7WS(I8R_vS(2(&c$Zsu-c-w}^X7{bdwuH8yope6W)YZumHVw#rD+tO zUQq9$-SSS~@+LvJ$Li3jNY?}^;Y=WGVv@*9&t==)6=@PhA?T!lCxgh#_SUIhLYtT> zxszx~wm@K*S#0p#mq+$v{q>xZdC;n(cGhvlT ziq#~Jm`3hKzLbwD3h{QIyi;qU>@!C&^@P}Y?V2EsI>sf;9R9xjVxFx3?3#0~O?6EOM+7g|ZF^^=OH_rX zjaME{ui5d9*4@?H8{+{N2} zvhsLe+DCcl-s&@V;>~|@;K@GI228%Xz1F5uH2P1ihkMZO$vSsdnkmD^%YSO%`R=r7 zIqByA#6Z>gPYbNUs=5CJ18sZXDpP?<{}YuV_@7=j_c%^9X0HEFQY6xUdbR#11k#B4 zPX_p<|HSGse?x#@o4OH}RUf$k+}gW*ySy&VqbSO|-DmIQn=9)K8Za@G*L!U%WuuEL zD4(41;=OjVU1Ac?cP2fFFEd)QY6{N0-8!>rrCwB@ZHsSZ+@SBat%QqeCKJYAWMFcQ zq9w11Rx$>Rcbb&Eq@C|kJDam8n`bIKk{wG%o$+OX}%Ee%H8-B#j zw#_=$hR%fH$h&b`MzVM|0(Ux0M=)M!E!Mo=Ll~&?NG{JM1e0}^Peve757PDC&_%vz zdB1I#W^H78(2FfI=WTh@Lm&}1B)YoTv)1(;iWe60XeMOJT-F^VE^VM5+cd-OtHyBg 
zq9CuSGi@V`Zvvv0sk8;WSN|3W?7qg8G?5jefWRB>(&B~w5t+OUCj~+713%2_MU3^~ z=}dHWy5J#d3>0HfhX?a79djSn-5g*}uF;W;mfh8xwBZq5oEof-o|lF#o}Z!LRElNL zA_i&8`y$y{d$dlTm?j7Y+3^ccX}e%|_DmKqnA^0QWQXL>k7@yn*N>{XO?uxFV9ymY zUdbLwct`zeoja`ys3k{uO5AA6vb{KT#tIRj_fCB4BYdlloRJ374B*B4?!;+3Nr#X> zz%o^^cJA7Kln3*O2i5wcI*>WuM!S9>-dzqX5zqNiE=fZLJqnd_<3r2VK1s*9o_NP`OHj#Z=;%!B=xFqn(o~Q#OAp#Q2w0I=4cVPMhY$MEMLl`~G z{G1n-i?@a4K?~WWgXH|VEGQQJ3JA0V5Zq;?pR)qW@&I&@**n{36*)|iZH^Cq!p?rq z3AzLh58r++iAnTxNK~8~U_9dWPTSQ6oxb}yBOw2|BC5~N5rM-qgU~@g_rsMn1Yq`C z`?((I(BAnu9%!I`hpa<|%>eUrIXv6X;b6m!&ClW7)Bphdb2LBzRH|vJj0`W+OQ%Tt zxffy(_F(YsyD=jR@Py?)M0Z^BAH2O|_MNeZY%a#AfQyZ7+EO|k_357~B zC3cc&tC8_HEQyTd1W2^)a{A+Q@*^g&xFfU%xs(aJ2%!(l$JHS0p~uYQ10?9J)5qa45wLN5 z&Fg4WBv}U(@|N>xBM)Xc9Z<&Q$T_p91D19p6G547Bih^<4%mP-t#pk(ZVd{=W140d ze%%x!6T_iwkHzP755AtFM{C;_31gF}A4%u#W@E9S=b(o=*h>uy#g~p}-=9 z1)>u9AK;CQ4|ItS)k}3Kh}|}~)FI|ffP=mvA5|M34H5w0%AjM2fq^I47b;MXaTg+h zJzEC)xE8LgKy9pSs{ny(H$kS4OW|pcf{gIx<7(mwJs(%X1Fnyg-E)qYE(zAh%KNwx z9&L*7em;)Iff;|h+%DClj|-s%LhA#~@k>^o(|`xoe_RJW$#WnXaJ?)!>Ekxo8Z4jz z&fsAXefZA4(K64#z}VcpKoapfajIDGZXZ{H9r`#dHy) zxGGS892Fn*aW4<&;}UpNa{o9fNVtC7i}^SNEbZeC=(CSAz|xOnL6(#QM$t8|)Qvda zL3)=Z7sX0pNny!&-L1{5H`_k<=6~{>G%Y9Ld}kJ@#zyI)lU0u@2UHh8md|mU-WbUa zeJToK5RYB@0PIsuFpWM{1X9MWl`B?kJ{1HP<{~cJKf2}|2jZt{MICSYR1Ihb@~hSQ zR4`TE4EIo-Po+QuvhO|>m8-Li{>=KR5|B7uVwq1hg@Nb0-k(a!0z04TfS2<-9FsJH z0`r3Xy^^1FslxKPUeik12;;Bw=)cG7LxO{^)|1)dM`MOS?O?SP(yrY~vn%?C0 z1T^tYd#PdqXZy#_NCTawym;TINV#NMVw)Z%lUy5?WJh9cI_c{mnLNWfYsvvJ_mSv` z0rTq`sXflQWJdfVleW3fKar1!_I@ZbL5X8Vc~Tdf;FhO*5trqkTI0>v9rEM?X87&v z4536{w`CzaL8=z5M0>t25K#c(wXfqt>QMIRJD&$fdU${m_Z@QyA6>y~$0v1Iqd7;H zIl9Cl->`1zd>xS|Z0t4q&{LzPv0*+|{EoC4(q$#a%za%LTKggmMir{+!fxTUpsMLv z)FfQ=by!THue+iH>0Z9hifQ}00qh?w<;>SnG4;Hz3xHl9+f)knbyH+1C{st;LthsK z=Gi!!#>zxNL1{fG_iq0>Ct?rI^>wk>^mR!*rmsW7|9o8$P_M5eA`W4Nc%u2bAnMiE z?a+OJfIvRRf4D)ela;v9o@Hxwq|Mg_;K_8t`nn#f6DP8-uT5} z=Idy9yRVyp>#w`1v9IHx%Y0oGN&C7f8tCf|u=ML#nppKtGAC9O=#+^ik#vp;m%ODA 
zoj)~*Qv$G359IB@KNR3c-D3mIJT9q&FKGir96pDQ!xC19!@iMwd=8gQ(6S+G9%=u~ zH7da#jd=zoGu$%`mr;5Cloyk9!G$KWLAD+on?+jfa)q-S!+WhV-a2t$6Rd^(YjDpYMG>+8F6QBu=#QdoeI0-cyE&`>g zHe5o8w@%wg83Yfk3?m&>4k*?)f6BE8#QslZfg8{ae2txT&F)p!K3*kp7HDg{iz8Mkzhvft}xO3DR{5`)C1b*PdPAKTVB@Trpsh? zEuymdBWuio3>@O}yL`L6F3|;^kf+#&x+FA&1!118Z;rHy{!|r>^QWj_*M>azr(Wz7 zDTT~*CaC|E0k6o*`VS$mKgF6me6yeKUL8afs67!E(llNzePW5c6~+;yYEnU+m+`3t zBUOMjjVG7@>=BAxo<^-Nj)aES>&pxV{W0Thw1TRgWknh*9e&8W%?&qoMUaOtBxY((w8FQ3K{X-zSIyD^BovN$CJ7*^+Qy; zMqf(D05@NXQrnl>ArkGJ2;q#8DH632*kLWD)#QBRr-r^+5#sQm(lJNBmM*YzDEY%IMFmGUpAOFNFc*UkXd^ z`BE`%yf5_tC;Czh5XoLe=u0UuX&W-Re<><;hz*@D^%8wm`chLO{!&uHu5+>&6WIS?fyK2#=zMDEW$ivZK;~x62>`ToNb2j$kIa0Ua;J)ZV@%<|xPbOc;G%7Ec?Xanp5kny~(H*uydhpzNS#xX{bck27XVcWoCKrduY z^d@*uXW}ZMlMtg$BXAL65Rqv-X=gplKsa`Jz-aLyB+ju&p%Bj{)Y?0IyFu8U=VN#3 z%@;t#n+}f9njBm@BOL1>++%gs_Q}`3KjVV{M8Qk%{=DJ){xAF*ul{ zPB&#HOvsD9G04(e(t=#-#ve)Xh^P-DKK34351L0uY6Fkl<#wqa(II%h)g5dcc{_~O zD57i(tx@qj`c`OkGt?-fCV4QpP#RzOD(DXZV(t{w&L}YSy9@>O>A@6@C#DlbwFwy0 zJPUDo=r7q|adcirG1tN7KUTMx3 z8@!uFl0@I?f_OtKh%#QhaKEu=3Mx;>(KR=A(VDw&6%%dWDgvqJ6$!zl_kAn)biS!G zalMPQ5ay|KzPNY*=6Y>sJi9+NM_Pe0TfAt0oha>FIS`Y4-m~mucc#s^YH8u>y4-Y` zsE)V?>7Fa+Ob`Pv$7?u=<~frp)nNgi*bT^434;5m6( zzk~<*rcNWpBoUIQ_t53GCJGj<&CR*QMWBe928FI7F~;ZBL?RP6y0VGL%Xxx{UimHk zkQmFHN#b3dHHve3P07%_U-zSAxeR&Xq$T0dtn&pIdDe!U$f(tw9iBceT^nRFXy!L!LLp&Px^o z?f@aPfv7)F9A2~I53Rhzx6AEPJ)%SNN}s6XgU-9!RPLaogFFgA&bxu)RN6xgbay09 zw1u?IJQ(L!&AQ`Enz1xSC@3OKyv znj3n4l?hwdMW+DO;0 zngU@AtSu!k;Uha#@2`4O=T{-{UcbtK$*Q?u#hU*uV8iGOh8+w=UcK;17f)R9R#h-6 z-IP=dQ8^q7Q11!eR_H`>GKFk<)x;wCOe{(bP>AHw`Xg}GI089t z1lCUA!pI^f&~_r2sf0tkA(0TjB(>Zm$p;BERgV$y@OjT6LL9rO!g1fAFPb5#2DLej z5D36$I|c$8Qd=`B86S)hWiK$g(9?Tnd*m0-X1g@>fQ56`M)yRDUcj8G#f#}6NMqrz zkX3Nd+B<#A9530QIO{+;cBzHc7mfK;RJdNhWnP!&krY6TU23Pu0{7LYvX|zQc-}J& zlw(&4S>xjdExfx?*d(6!EJFcrxQqrb(SIr*_{1i%PQ)g()1*lzA`y>OI$`pa0sK@; zz!(NeM7@i&EdStYb1tYC7!he%Um5k0JTJ}+A#Yp=3wHPqmS-P)@QgH{>V^tz@HM;` zmKm;=F+`kPgQHB#!YUJPq3%$?!n0MSPql)ynG>|C3eo1Z1S!y+=5>i4eX0^B_CUE( 
z`Cc(3+z=x0;5tPbO!`!=7j%2BWVy1z?Ne#Me|qINS>hQ8U_Mo}v`>}6Bl=VrSf3x4 z2B-vvF&WIe0CQRe7(>Fmw<7_x{~I8)wCzZ`SxmGScr&+$khdCqzL*+*^!aTJTBrXy z51^{-?r~@EFTIRqM;-e~ z9km_E@zxZBY-##8tXo7Jf#t1iX!^sxVnXt<*XR|-b#o??^xrWux zq2KP#f$&jr2Q2PNpSElbY01f8;5eD9bq1+5aSj`24Oh4QjLSM?f#<#XWEc#DJUX_k zUuM`2EEuw=cr}CIJ0mW3cvPD_e$LXfCz~$vYVM2&26tKGr#VC(r9PHjnsOGI^aD&(gf;Yo;U8)=ZNRMw+zNHBJm<#@+ExwJ}74E?1mR5Ge+2B*&`! zD?Vb>Bj9<~hf{6b?TP12I3GHKsXGg#0nuYNbt|EIV6!7S#=ao(Dp(_}=N-+xI6n=S z`RE1?@W9vjSxDPS2(b|v_aGZ zvFY410(LlbxHCOLwBKMZj(*@H@{C2b&N#nRg1>iDbR`tDbCLrFiS{#*x5KTgjr0Y6 z8qU#zG_R!Jg2bxNpq<9h%`Gdz80=SSY6fpt@Oic2Tw8g!)E3?tUNGMb4BKFf&~J2K zvW&fJS4nMcvgt7y78}kF-^9K6z3c>KKOYy4C49L;c`?`VYumWQU z$(?78dm)GBYtfXGw=pHR!+o-` zZP)Hi*O2$KOUzNtD!)cft$xfthJ1$G39^gPtvwIMi8MFj^0yCg98~kx-neZU*?I`} z^7ZGnwl|TJZro9OfDDHrSWR$bHht6S-uul|5k9?vXG_KsVm3q0bQ(%!=y zIixGOfh3`|Yiia1uA1*@=HQQVbrN!!@lb_VFZs@s_7JtDW{Nd9&erJh9{v zWAhE}JL-8Yjm6n{3m+M*aVChnP0ev?)w6aPnR79Wo4Og^v+oF~Qyek_7NgSE$;^XcmC@8}dln~6r}^EV zvKgz@>>t|0fxrJM1Jm4MKUdCVKdJ8eryhW(GtQ9W9)m823Hn(h>la_UY6bIE%n03O z%9Z-wHf8cyiqZXZg-kX5G0$KGgE!2Y4ba;iS-)H~Ym9Sfj$vfCW8ZwOQ5MTcer|S} zZ;x@;vlpJ*@5{bx6DaJ;JpIaU?PA*8Jbct@347$6>g~^it%+;BQ>QW-aE++Diul{^ zg|z>u`pC!WgWDQr+gfTUI8CW#Z*EHpw=<8!ns39?lkZi0(MmaS5Bm5P?g0~FJY-8D zxdcDB7(U9|EclkMJv0w?k!@o-!fTWr!r~KIqo*<5Hiz^*W0Dk zEV_)nnveMrz7}S4CtCM!p@$LmJb_7+^tgQsxNQ5)FM>SZq?Wg3NiF;_%J88ZG zv5(@DG+ar$i848|?*!Dl)0OKLhu*yE7KIt^k!6luCWYkRwfzo#OZ8nB^s!{X# z?9_^-Ey1s$KV`BQRo`fE*QDB~Y0P4`y2!9cc8@vUat^Ke;faf%yR<+&^mK)NfXdrA z7Up9o407I3jBer{(7O0iO0kSL_s+-??CQAgG>`Y8Em=|&w&Oi0_Clfk_J*VDxh)uA zMC{uEaXGTrYRwsC0TNpWcxD%94R$2q40lPsa&5U)8yR1BxDa#3d(O`uEAl-ldDN(Hr7L<3M9u;0ORtS3mpl3P#Hu0t29s?x>u9F1z>B?JsaBOJ2`! 
zAk%P@Sa3Ei!^r{6fYIn=1d`6-47NHbXg1yF?Qi5@wNTLZE1e{(&<`x0+f9f2xV2z> zHOLI*4O46PfUQEv}^SWSKy-=6H>G9H-)c`c^H z1N3~+Jg4wx(IuDQ)akj`YQyG+JV*OS6|Tm)+D@20h^kGg7Yp7*#GbpJVO~OdigRl+ zbaWV?u;Gl4D}oK%qQ}9x-oh1pV)Q0%%Dq#r&c&Dw>C|K+OrD?A!PRQ{^@%dKJk2W2 z9)7bM^HAt3dvQ%r#L#hmNi#w`Qn27{1Y`{uvFud$1)3~aOt6ip);5MQKagdhV2xId zw9`+&DK-ceMnCXe#~OMVWC9xu<7zt+-$iX@7+sml;MnfxRr|JjG|$?qcU3xS8yQx0 z`qdoJBZ5w!dxsd5nWwnR?v3kC5Rhz>Z@`oN^hS5!DJ}YwEBjVa1^UfgDq+(z)c)N` z-oi;&2VY?L7q25QTzE5?L+mB0-Ejp==_X09rMYazrgGoPotFr5qf5R+w?(=b%x4t0 zV?!?=*+=i-VQFp3>?|43=%$il3mPC{~yPlzk$V^B(ig)+i$#e>nXJ{D) z&0ey_$oAL~B ze|$Xdw6i`YbWx~$n%N8>4g2jy^jLUWROQoU+k6 zd2_MSrGC<^jbd-!LvEH0uAN*CrYzaEM8}>sl)noSKZskr9o*L)H09O-^)V5;?YWlg zRRLi=H+;V9D{d8UhQarQN0_T(ylrg8p4e&E`4I5Ua*STwamvPna_^3A{0zmV%rx)! zW`#3Q<}CCZb#u1;Ex&i|$jmZ00>W-_gri{Z+HtpRE8o97=SvG1?ry-t0qzvPae~6i zfLd=#+<|^h;_zV;{uFF6qD^)r7f=YvR#5?b$?|cpQ*HEwggKnGAMNQ+ZjP_&yxSFr z6XG_Vhx6axiRB4&eTH}Q;fiJTgKV5=8lC4N&H|?DMOeON`J0HD%x@=lC9FCFJcsY1 zXNn&dBzd>6@|a5&Cs8{La|{>U?KXTFsL#3a8+k9*owj8*|G1(H11-*Rj9nB`+o|vc&Cd4EdO9eJq9L5;iVxn zI+TqJt;|?Z44mRW3|VaFba;dztcAx!kYR9U?s}7Yo%mujY&{Q~K8kK(Hco6D#$>lU zG0oRt=`p@TAF?Vy$Mn3u6J>;t=h2W^i1G_`+>YDrzZyqMDvEljj zUsgH-^)$zb^3yu>!GOgXc?WAS>*)v%zNe9lK%dX(Z)jWiChYmc26Qh`iV71fT8rT9 z{7BCtF}4!UF^mi!kOcR@jEQEN07iJm);h|1yt;H<&+strR&JuB6j1o`rSjUvB zfDAdERqRd0k zXzHlpA_Qbj6rem0<${UhG*$qq7>WZBNIBh!O$Q7Fe^zNYAOQP@oDHBnJTOjfPz?hJ z0}BH?nAm){&zX@@IJ``DsV0H;bB*A1dKrpCB)u;o(+l|ovE(Tb{6{4=$)jN89o&aX ze_wVj%Ro9lFO<}()91R}AT(S)IN}?&W}rzjmAXyTjVR+snCRWi z&4%~zmZ7e#=FgEqjkwQrN&HCcRs3njq?QPDMrH;KGeMt=Mc(JSm|3QT?M6*yjQWhdu`Y zuPNj=6!#=rLG{3^yo)(P`rL$TGDw<1SQ`_NMsd-nxipd+000!%h2MhZbt0!(R0+d9~|bn{pF&v!TSV585%YzcD)Hv`lXWqRm47&cbNY1#J}7%!+4wpArOjJ|h) zN6^0d&c%#b*tbQbd)^Vjs_%DBbuDTZ+K4xOkHQvxhvLik{RvI=-F{0q>HC!m<3S;{ zW9NGln15$t!njZ!^ShM~>U$M@^nJ>9F(DE6_X;X~KY|V-?(Mr23q%iIB!2o1#{2zc zUzleO*7q7_)b}Vg8Y~PT>^lox;&&A62%yk+5ahV|4h0Oqcc78JZxBb%cMUM^y9IUW zy9Dy}9fwx){ee(_UjUqaR{#TjFMx|DJDCO!Os*8gNi=UnlBIaguzLGi`Aj&qhul!4 zLWQ;(HL{0mupY$e-U(YSo80m3LRnkQU?m?^@&TGV 
z3FcW6D3I_Qh~&W|9-P_yhM*Z*6i(^HT@_B{r|Srm|H*h}Pny zz~E|ZDNvb}Ol!0NQhrEjsWj3dF)$NQ7jbq2<$5l$NMN-NRYzPIQzBbE^X85iR* z^44N}TCP$KniK*V1YvYAqUK8B7tyD?9$dHbeqHG@eX7xIU<9I(l_ zyKC)Bim(QRqt|)R z3C`;@$QkteIt=d5c3DY`t4?2jU51=r4TQ^}`iE`lU9LPz1dtC!x((4$AH@)U{25|j40q!TX#mNrq z&*gOAgp;r;rU~nPX)?b|;uH_VC0z75Osc3bEyu2{uaA;6k>kP;qp3U-NoXYb5qm}k zxWhsp?26*1@+cNE^Q5pS|JW83H4`a1ZJdqnP~~~zipcAnNA0GNrg28Xup4Bps8q}v zmm>VppA%19o6OI1BF3)tJnxFd)hKFvUeT0wCc-6}ko}4)A(t!?Nc6#q*q4~iOIlE`6>r|CK zC^4v0zO!3G*y#Q|4|MWNXo4NY{X7md?P7~mVW7|RHi#}MHP4%s>3KP}2Jw1c1^DWD z5b&etNeaY2AfnaZ?0Gj5e4YZ|7nHMc&r2XKJJ3F-Slyrm>eT?WJHG7}pi|jJIr|STXv0FRY+9xIl z*YBF-Ez_t>9{nzlNW{b7U;{Y^gYmfY29~~qGUX+!UtdDo@96koJ!n%K-Fb5ZKm`-5rll|_7SS!%)Uf|b) z{GAQ^hf@|F;Iv$1Lf3ibH>E(Yl{b5Ghu`scP*u%WogLac4148!2>dQ`CCD{R`0 zRZCyLOF`zOz}i%K|BeSI{mz8h!=v-N5^Pn6`W*>KzjL9``rQYX>UU6T?RPq1>x7)& zQLy`^X$b5CCfxi^+K?OlE&*A;_`3pP6`#^iHx~B%E|y^Py8!Ie?*NESA+AMJ=yw4i zCG!)cWv|`}P2^!zZo0IJDbfdfyBhOx`9XW14kBaeybIndfp0!ZbBa<^dUmWx3_X> z*;_&B^sPMLgVpz2ad2sGwE<|~YFZ8Um~WLqwb|KQUGQ1Zq=_DBKuj(!T5^rLP#%?3 zH1k>>UtuKqptQ!bYeee@$=tEsvffJg5&MCO_{=oZr|_uJjl^mhxnpjr7}cBfB3Ne2 zXhrnyWO^cB5CNm?IArp^X9!rx1?wOr|3O2hFby$L^a3Y5gkGdA+iRAzI%(bNU0k;fi{=gL~ozV|_fg{>}ZzNbMihl|{14hpa!KYTt_ID|gYZaK1PZWPmt& zM22VBZ&&_nHhZQ$=ksO&DRcYYnzW~9THD`RoWyqUEKnG(-L*M|zsOgZ#^+{vlj+P5MVf=suAieF5Vzd)Agj~U*5&=MsARMm=(22Z z0rf%!8}{cX8*&{BuJjlh&w`^?t^=QW?i%Bh)sRZN7B0-c@9uW6QcN=D9X4YfFbKGbV+xCc=t4_4P2LW2Qg=$<*-B-@FH?65G0}mdFwGyLQHG&+ z?RqF#;&Z48XL5;Q&boV0o96svV1-nIly zpP^~DW+(2Y|7~WuuvzcDIA&{1mq}9o#Svex9-GtaN`Q0T<0je{6to{eZJe7aezALf zt8OCU?B-X=%^C)ET~zMdav)n6#ZMpMh|dk(N}`;@T^RfsiEHL@onHsCT@xEkLWj|Q z!D34s9=&iXr`bAj!d~f%`Zo1MFBoJ<_itk91y^l(|TYX{%SU>))RQWZ3SP4i7lDSP)`QOj0)%&)&p;o>SgrqOh#$~ zlKs84L=NN}xAR-L0nR|}27GKgI%dTMFaxd43YN*>Hbt$;0ZoYWiR3PRYZ`$qHBqx2 z|DvI6Vd!$e@W?H^q?1Xpx^G2KsArq$1ss2RYu;$0-7U7ePuJ|a`Zo)?y(hY+jo(3b z(6KZo=d6grLdNc+$QB*jIdhrVwvVxL=)u{62->f z&gzbr&1Vdz_<=5VV@i2p9tNe^$-ZQx!IQ=|O0PBlHy_q`x7%+cxLMzHD`ZcaeT~kC 
zrZyYU0yXHg#XW2Fsm}U!eBsQxHM3C-61GL;roi&)+hGP4Pz1E+juS7KW_vaPUxonK`?-J(oBtTsy?Cs7V+}L2h)kk)C zaYts_2n(oMwK3gzGJz(ncu8=8{_=%S)m%BI3RZhyAO;!tF%d6A|?+c*v8p55Z!s%?tgO;3ZNPR)wb zMSJr~h4^PXXN+E$T25fCsFlJ`nXQ0zZQ~FDjgv1EZs7b;ddn!Fn2*NO>v}!*N|%Rc z{fxLaH|pIx!dqo5C%lm-gyDN#g^klN*NzkO-gg@`dF=#P_sTdAc4IAeT0iLE0*Y~z zf3-B)_x!AiDN)(w?F41RU;9BsJvz@#n@5i-`!(dWFBIPGCw;@ZCWjL;$-suNJ-8N# zqbq)C<8Id)_nKAgQiF!ar9l>%P{p<4hZc*G3dh3_OfTn|1oplbVsS3$04JL8B3v?} z$R^*`0m{=f0uU2*_`6}Xhyh13ORE0wm5nw36q|uLIBuh^eglSGQ8fZGgSl=FsnFgb zO|M-EY=@Heh4ZZ14|3GBXR8->OatFJYc!%UXPdRPxi|z~zkt&imz2oR5Ah&Eu{*@9 zF;3qPSsaf(znCP8P(5&Rm_Kevx(@v77ta+WX6_vOU&!qJl!1DUhE zgDP#(tohEZqw-y0-Jp!|L0kAqZ})i|+bd3b(f|oqlG2!}n};^zL5xuinDw0d1e{*Tezlfp>An zg_xzyFPtHn=kt)Axhn!hK2B)bOn94v#k^BCR6$(rxUm_Ym!La2ST1}W^4vJV83#wG zzktJsz&_eS6Kn%4;jv1*eFs8!SIB2RQI9a3ez8|uuciGS)z?SQ12UkF4t1j@uA6EO z`Uqih5SqSQkBnzxi$*Ly=})qB)+!2Jl1%Z=`k*)KMa4ywS7wOsVPO#Wpj&>eQ8)G9 zD`a3AExxa_;RB{`Aio1&82heSaaZ$a$?b$?t)~a$NDPtDvND<+>Kw4d1$OlO84Yz9 zdf8mawooJV+7dcjhA+=A%UT1}-qG%FtG+5bZG#5(%$t4b!gW>TXm{%%zPGkVv~R&h z+Lfh91~F{0_`EaoBQS4N=FPwP@Xg!wwV8NYH3muU#7(_U;scojeP! zz^C8~Ol%y`yQ2fU5l07L$K4NScB8u!r@7fm37nUIVf|fStBU=Tt#iiL1$a)gnpdCr z01wx6aX1^~S{ttPs~iIXdhfh9O&}PWZB-J{Wrvo2V}^D$63fUsM_n?Zt+7qE-FkpE zRXp+ewYtVbKq*Ew53;!V;;>wq&kYe$5YP0?T9$oI(!L3U7r^Vz@LNlpO#)y8WCL*n zEDS9b9-C765HiAi0Sfs&p}mx>il0H9Sn zLsKsdVo>nZ;m@{c0vvD#p7%Khpe_Yl1c#<2564U{a z31t$=s`*qb0MJ9S^iAQ!Up)gVLEuRArt<5`HsCZq)e4?z=9Bn{@EDe&=aCi{u129) zwnTnCm2SFbf4}X6`IaNtGgf4SW$6L|gL@glm%c3e4;7|!UbEfkGA|Gig1qnAD@xEY;~XBdq|m zt9HYQ_4=C2QsiP129`2!1N+X#uOH9Lj0q$HslZ7+-#w9am3E$0~ z`fzTTIOl$ecdqQnd#<;^vUB5D(G%zT`q9nxwOVSfk8gS1o-j=-=j#<_c;f=Y$THwX zuR8?RP_r25XS2V#LnE``jq7_|U(Jniu1tfR>tR@MZrqD*ZtTkZ=yicFF7NTU`?iqD z8vy&@F+mO>FQOX{W;2F07x=n0>TgFtWP@KfHaI!#%VcRzeo6O)nY85R%IP%}Ij*i! 
zIN+ftc%Q50yne15NhbSP6rie~x%ylIoFV#Lv@s7Of8BM%WTA#~B zdcr;H%@Fl-;pm*7Yj)GFvg#ZK09K0DpX-Loc7^&}Hp!z+8;a?oS8qn=bHQj`Qdmw- z$>!(kG+*W&s`^|l%w!)w7iZ%AVSK5k}%4h*yXv%grVCSgY5_txy8z>Pkn2 zp=fG4(v|2+$TmhjQZ8vr;>KTfRxlRr=^DL)IyIfjb`Q;^A@H}oBw$2~Wgg-@JR&5h zc70~oNIbhqYL_^>Y_i>;7eiqO)Km~6L3S=r(9kDX{~ST$JJ)CDBI&tA&f6KW$xJpf z18t0;SyK;$v{DK#GR;VDj%U_{uPbDxSD&}*5CX)Y{i|8vEgcZ|L8|;}30A2%sQ_+^ zt)Rte5y#jik2t)#mgDJgRT5y@&v*Z-5wuE|B@M=0%&(3xJ8|Bab1mREw@B^!X4lKP zBeyh3o>$|U(?Mi&zFr61Ft0WttK}4D=t+V(N<-@=07WItSUmP#8v}HdRc>yO8477D zS5$x#l@9c62cqn9JG@7m0+;frkR|5hxkW^}M59}rc`sDDLZmyy=x z!LM35N_)ds@!LKS=vrV$u_u3HI6q!HtP!#%w;gsW_JkdEE$tRzOvcZNO$19)yCW}= zUu7b3Y+Sn74ZIR~LP+aUdwTHHZfXo#2EM)H1UDrJ5Qzf-LU$T5Gd%QBCDR_3M+~# zqU75a@yQ#tWNZ|qmH1R>yp;!(o196CDIW4Z>6h>)`h1k9usuFil>j(9-nG8{fL%90 z<;8aiqMKpTvC>5EEQqD%@TaOOb+ZuYlLF|nB0N4771ovQgU-XZAsG6Ad087n+okSM z=}fnMsxnC{wn>Y0eLM>`oSKBvOfoPGY18cc8EGnqfbg_^FxfrFL+rPcz zI+{+6&fI}71dhhoRTsdkbG$D_Ai%l3eB@Wor<&I2H68d*6>S;ik=KG3{oO%AP=J3r zvQbaZPgqd|KE4aj1slvohh*SSdcN3F zk1oUuPw@D48~n*~mwoLIQ6|&NxE8Gk_5fi! zxVambMYg<%&9z~^u+~-{8GT9G>lq-XXo1ZkQSsyAhh5_kL?n0wO5^as8@KoC%x)0LJjvV)@SXa%nj z=dxSg+y4Di+Pf5Fc&~12$6mYe*{^zGJnA@g5q-TTV5$kxqkKEZ0-RV! 
z2R;Kz#Dz@yt81Q2H1H>^YpqHUCu@(B;jdcZe6ks#CQ7MhEl&qE5#gXh?@!F?V9V`nZdE-S zKKLTt(~Hp2(X0+169Gz>T3*q?AQ5Ubou`+yUm&MLZvy|~0MSf0>k)!zK5;Q%s#OLE z9>yXmY*3mGFHl>4fdhnU0YsSDoz{ocoqqKPBO(6^3gUd2a?&GQZCJ+>?Fcl|^{!ua z%F#rCQkYupTHrkBMA>cw(0X|3Hg0oq3*}dJsLIW`myd5F&{G5AinB{3#J`#Yoa=R4 z&qCM{zsj^k%UB9p9@fjR((u}JX0TqPI;I%9;4MCW#jn0#)Xh9gcnAy7JP@3C=2w?= zs6FD6Cxxpdoe=sb%CuEo*!f(L=wmRy+5%FIAGOb31e=3GeneJYf-+WFuo3O%Wsz{J z2=vFErvlkklqIp0_Pc~5KloK89O*3!s^sRd@YeSb#n~_p1|22 zHV31tGYL6`<7BJA4@OVDA%^v>30Q@aq_9y)ihx-iZBu?+uDd5l;5Qzch48l$&}7xq zg5tL(bV(K5INv8au8cU2#YV?s*VF^!!j>hR_^mj6GD((N-Fa3U)T|~E3f{)w`gSdu zteGF$48B!{mQyWLiG4vOYx)gBK02dQ@U1f=9bS8*_A;5`sffd3Ua8m?>KKb8Zq*e18PVbmP zjeMvPM)E^u zz$X6p4ntm@Gb5|VK@aJbRWB$E`nS}_7E^h;{m~?pd5HKo4z?wso?uf{sk@tQI=d<* zJau>;8k+F$8@yGk3CDpF5v~I+de66ML>R=S%Pu-8PUTXE$ef|*RYx3-zLylN>F}eg7OctANi8J%fGWkDb1cQ+nWnJ z7ylkXXrpQTfPljO!oRV+N=>MK1j|0p4`$^($g#k`nKYBA2!KQrVt!$jP}sQSYzCeS z@oyzTIQarj0eTra|D6OU3YjD}#fILaYnRk|66t-LiBG>ysQ>m?usDM!~n-aQ~gI~ z$Lp6o6}*cF8mTZ3>O&TrG7~PXG}zrS8F;_bY1lJfpctI-F{aNAELGWtCQ=gMr0V#8fm4xULL+X4+8xKH_! z*Zuozc`%EHEZZ*3i)R>aWIJ%W5rUF8@aQ*KkP`oyGE-M`+IKPn-CL3LV3F9v6Y|-r zo&dVA2tB}*>yfnG)k1+ib>@6@oJO8f?h!#bU=cuQ!yL7>eec%Zf` zd6`%^RIcurc<}wI*M91h|5tVD&S+81>fH|_$&=(WVh-fW_$X`phWgF`Y~c1Dwq5bM z`o`z$=ft6VXwz%ibf?4>ph*#jN(s%}i6!Sh7=DZRhGzmstqrztVS^9g7O?+5QB8$}! 
z7)8CZ#eL|A?7@d58ZDwS-rsj_$Od^b%ID?~6JTsi>*U*%B9@iaP8`WRgbRZrxCAd0 zmkWCOg=U&ho3Op0=guJ7uj=lqW6TRDg^x+Qq*>~-0lNFo>>dqc4T&#Y=WGG&CVh4liS}cvHD7Ki_l3NY_l=INItdeFvz|Wpss_plMf1D<_i%GUJ@C+ z@^P2*@KnR7=FfjUheIZ<=U83<_ZruuR}U=9MaO*1t!qq`fj4K^5;EY{HOHY!P{3v* zg2lbm7V(>c|JguWM69y7Jbdwz0JdokXM+$+y=AlZYh2olFRNVO*}`qlLa{8(!*OW3 zEvU*^{3930$D$uhmyFCFgM04`t3m5_e)Jxyv}RLW|_(>gSEf9cE4IqiQ$Sg zJ5R@!VBj0fA~x@^A>R;2jHfIAKoE1TQxt?{2C4w_njAN0g`LBT$?o?TKGm8yVtME@ ziR#Mjkc^U_b#4t@z)>>D!qZlphvkJ0xK^1sWsj|dxD1O0B%$x%4qAh&uB?+i?Huq?|=1oV0Vaeu9#$qV_du}SfJr(LVbI@SfRNJRC+Eg&AA<2e=8H`T|}nplGa$i{V~&A zfBed*Uar8qg6NO}CB)JBk}}2FJAHhP@|5c$Uv~65y!J!HGb-!@cve}`tw}GM^EzwA z6e!JptW-_7Pgbo>M?95<*tF5hY4aiv6D>k`+{AIH*9~2J4t!O7`L7qNR}2@HQ^T-} zWzpQscY+(n<~0V42MZIPD$;ofc`PFT274xPLuJRxGdgSYRNp0KvC4NZn8y~p?P*hE zoV8E$d)X|$vajYjJ6)a8s#;y;eNTncCOcY51or1rYeI(F%?j2p=Z>JgV>852$HT?h z$+&dQ=_51He&Ns;8Y4t`AvJ|T+@tUBCu@h!pihyPi|M1Mid=L_E=9f zl|E!sEPi|t^zaN!T(8>Yui7zQoxpR|_1%5-_HzGLgT{wh6HmO#Uz1$k-%T5*b>?TA zn7lF6UCSqrz0SsQ7jtZuqH)O#M%Y-CT~ypQBzrWefXve6m0lW;|0Ev}yM?gKE?WfAO-+%!=o zO?$x-6aNXb13#~zws&K#Xn|i&i(&;6y*x**xNYZTp~ip5s(%Ju ze9eo)(0DL^XKWsK=NOu8#uj1ui6?aMXRjF=-4(HrH_0q+$}4g}{I<}R<*sw0Pu^JN zKyn-*!3^zpjFt1q?jPamGz+Nt)250aOTDVw#AnYH6Q5!0F(w|ss-=My2Tor;+`Ont|t2L0arr@N)YYg?H0M5B`v^9Lag z0A~V2Z|aTh2i^gfuOSl-TXUT=j6Z$%uVgnhupFP2jJ8u{iX={p)-GnctY-juJ{}jK z?D=y_r?%1iU=io<4E97ZYXfn#zo!Eq7S`#P3_7R63wQNJ4<@PumU9_dPu=52k_(@F z2+LlU{;9 z!wISDeqqrwtb?iIGGYewdDo|)S^M!g5Y(cc@Hk^Q?)F1_-;D72p!2Ti;^2~pXIox} z%$n~s=XEy5F$fJ7Zc+9ITh=?Mc9z7NEws5iK8F5gabTbIn04u*~A$bH_} z%>Ee!9!`#a`9m5&gLF86SRh{pj`A5V_#~rBOM6q~%0(rb@e{)~kf3v4nfe~v>hj(d z-*?L-?prfKb70DY34%i6E15lVcy~1+xGM(D@p5w_y>!c%b*`_73C3&*@84{VI7RZ0 z0H?b0#qRkMglD6is6Np&d63)fVp{9SEu2YcxMl0?bISY(j2@{6Ihs5o1BNBr>L+s9 zn*qB|rat5{SDn-5ZSpq!C5sL-QdE!t|-10e!OqDHS1g0 z#)HcGkar?0+E{&^Y+gzA#Ns z{sMyRJ8ZOewA{DyImht7!o$P2g9nSHsph*qalJE>)11LNBr`!M z=Vbe3G+=zW9;B8fmcta8T+QuWf#~&JR_4+{#ZSviUp^}iOWJa&`TwW;_jhyDaq#O4 z8zMCEVscoBB9Hw0nHc+K*uCbe%u}efhVWyJLsdCp-O_gIgUsm@+0W0CvET#ihLOdm 
zpJvxAH61Tn&V5_2N*|uSUhOZ)^e0~DJMu_ybA%A=#nA+gvAj7ig92OmaQ!%aT&OC@ zyPj*}dp-td=b>gZV-FF+XUe|1P}RYngAe^UW2_fb)UywqU_06YkAUGv{`HnAHCSxJ z$vunwg>>Y@?`t zDvNSbo7z^ZR}PFe@CFFk{?JN30cg7f&q9RLMA{yUvv_GKiY#^l_U z2Wy|W-${;FV_~usT3aih@JuSNjwo428^S#~I6$BG zBq_SSn9@P7Kb7|m^Wp~Caj!KGCDT-Djzy;|!^P8N!X8jABv8)S2KR872iArZ0dSVe zSmhykLp5_m^vVZ)dcZKW-F$SMh+r!eG9mP_Gr@h8`yoQch>jK#qENyGN%@ro?fd-Y zgs7*I)y4LwfD79{ur2u!fXiW42FDlU1Djv1X;oGi4ZusymYIPh^rO$1Q){R>(K$N< z2D4@L;xhv0be}5r^rfH3^N63IGrE1|{L%_MgHBKZSGUC+xIzYlM9Z4}?Pr1eShg6f zFyfg-_j*bq$5BjIaK1{cI~_$Ds&8DU%MimZYJ6&^FVBqHfJak&VFQ)P zBi-m0T?euQVT7Mv2VOtz#QYyO0Is6LBJ3LU*2~(9Qc?Km+w?qtP21QjSd_4PyR&@Z zz@zuBL>Bo)n=y|;43j6FxvMe$!O>FQ9q6wR5C`-9^!q^Z7;vZX00_ZJJ>dD><03e& z=wy49#<6TAf8ptQHEz{4D6eYo6mqdKnE#5v&ZBb-jRo0b3hZ5 z^H+2E!4FqyFw7I4W$St2E`1j>fSB5mieW)dFv?|z@yn3)hsVDTfo=h1Q7(Y3uvC6; z@ihCXZ|xSpxe{s0f*-J8pjUS@Rte6NaiU#9M&H3Kaq*eHXuC_o6&ujgJ9kj+BdEw& z?dmnBi96ky=a^;m2IO|)MwY4eSdT()iX(90mjuA^U8v_%JI6zc&I@#uc4xkPOn!1S zaiC{Tlj7ZolIlG{yX?KDiSB3@~)Q{OdZiCgwvn=Q{6*4&(-MlpM@vCcNgP+17x;Ec0KF z|FxF^Y>JSz3XHHP*!q;J)>wZ0MT7e@HG)FV@MSS@{Z#}+MJx=Q$9W1`Qhc7`m}JX zBXrrTg`FCkCy;k|x!s4&9pnwiXKJW_F@8zU=E3B)ttj6u^LoSSO_U2$KMo%F!aHC- z3Lre7IH~!t@JqugQ2TRZQv+wADuCt>fae>mukBBP<`UjJFr0CRvUFqqgf_4Ab6%S| zYQnOTg`1%5Gm>0ayXV8Av7spGd;B_w+cxpjEK5%#%-!I7hG04>GfH$#ZjbLuQWT_Q zBn+}^Hj%TFE#~6ZuWR=@=``@;Xtz#}=m%EI@40MOD%CDc-Ntb{-m~tO)sIYYp0f>) zkIERfHzM!;T;s^Rc@g<}I#>2FkNS_WU@9tw%&Z~^X<}C1m>V+Imk%2kM57DuMI(;9p#Afs7Dc>riuv>9 zT?97d!!+p3-`pQkToI1Bv`TJ7xg&q=%g8<08P_YatSM59w>eiL*h z{!`li=R|*V(nYftSKdW4%vYg&5_sTUHzWFIUAlQf^l#}7AK>m=(teG{jI70@9dcuy zd#TL!lr=)OxxMm&cvRAnoRF@Rzy4fFSp~6BJ%GR>Z(lZm;*BljY_1(ESx!yUO0vMZ zNTb`cTXG6pJ9Zu^DpB{r$Wx1GxoV7|o;xQ#9HTCc4D6-`1i|)vC&4Ue@PTlnE5@p?<54=P68SUPI*xf5G?B) z`4z5*uj}^7%>`Rt?53)Yp1)V$IBLgS@fn}?hK_DG(nqa+@BE%O<9um!*4R^Elo*8| z6KZnDMLA!ZF5gt!7YbEnL7ha7m}GJXe+QWdZwFDpFql0efW3UH2TNiOYbmEej|PQ4 z#Bc3DrejMp-Zs?~@^n2BoJY|dZOjQZFg;%%zm# zlqDE}fhWUTA!}IX1OIgDEhfhEoDH9s#=~6&C)+y&5#529#u6?-p(%}ziNmc}j+C*{&sfS= 
zeyq?TaH_(8NO@&_G&2KIKkj%unIx{rWW6Fp#zVp zv^?N-N4FIkaoiAn%(pU$IYE6?_@Qs5;AP)KO&h+oI8?@jcyX45w+WW>g?N!r#_Xbt?)LcB+$$T`!`=io z6rCS!QFu%WH${u>uImS>z8kPn8zm@lBltvo!)wOaUARV6ORfN^w2UdECP zKL8Jj>w<5kVMp-_fC0c6(n(C{O0Xs%RliZ-WEh?Qt#Yg_!t*oQDYCX$&bB5z^jl%` zPMHX7MlS0CO`PKXgMc)mf!UqgwJskPf=>|CahX=gpeE`lq zft&oQ4z}BU=8H%EYP8GE4ZyF7V$%Ke_>j{x^-MAwznVsfjD2{&dV>Zun<<4ShNUA; z)>kj-WPyp{!CS||uS$uz)jlmezq;3ZLwz1ev4K#(dSdGH-z zX0G)ZeR!Aht58_Emom+!X+7nEeszQ>8W-xlCA#ugpN_UX8L!i?iV$=1UEnU|8}d{9 zss~3LiLQZPGQ0N)y4n{*RT*vCIN;o`ipiaKm>FreVEY1(LKRieuV$e1iffzH2KeV! znUaJy>;wGTR!>CM<6oF?Kt>e+>!0WSjB;EE;z~aOBvrZUJ_Y=8*?8NpCbLt&Ys-Ld zbwp83z5?%NxW}&|x$b*~A9y_A(OXq&e|MH&MdoTiDO8-mz)^t~1Jm;v@>S*3hpc~E zQHHU!EBRF@^wSO|@T*73;;`oNgw#b|*{?oX@`;2cg_fX+2C4SW?T%xKPeX;2X zcpdyI6Iqts!khK0#Um2>Z-;jY(dU3&VBUx)-t=)3H%XA{RwZ`1%`ooYoPM>3i4t3;G=Ft`p1!VmqbuxRTg4PnToJ-iEkRY(O&_6zLdfBY(uQfnLH zskfX{Ei;{n!{96U)gZ^EjzCb9Nrh*BfVWC00`YV`DE9z<70A18pry`Z1kCf@U-cQ< z!B&%D{nWes@TgSeLuqPa(v(d>oDnG>5vx6p zcifdQ50D#g=8CrHe^tEEw|X-rlnG_vWze{}0Msm=n%9LG;YmnV;k4K}LIpgTU(F#a z(b6g)}SZqAS~p4Gq%i;gmpKJ4PvF@DlYhP=%iQl$>U^r1sMJ|mtF zRIXG9^%3gZ``9(IY!dpknC(&f(Tq7DLISt9O1YEEPIc7jFo#j&o>4BTWEA zK)b&!#fK2UvM*IF97AFpDo%ih_~@j>MW2cSlO&pp$6-YhJY~iGsZUDUyNkE+t(?fR zW9`81J&Ii6sZRxgf)0*m96Z_5MieN@7#vB#I8ow`7g9A0Z3ZfPFvd)VR2N^Clc(0v*6O zQrO+|0r}w285KMvL4og>f0Y)YwXOQjw}Lv!>bP(G2>-gK8{<4_ItaKVQ*=4Nod=GN zf4u=m7L9xg|N6|{a7W%4P~ftF@o1pYG2LlTpTUM~@m}Mje5)IjIO6hhU)@*tuLi)% zx^+pfQ(H^soW!zrmNX93xfLh)Tej7j#oh`g{IG~B%keFqP8li>(UM-drc@fJPZ$@^ z0Gs)p0kjF(3Bio$A^ho$EU100!6?IIxURG)@S%VnScS6J1S5es$dZ3OK{=eqyjRiA zBuuZto%>5dg%STsLRF|!@~#@Bn{&KfIL#Q{$yjG7f^mnlFP5kaUdaK}P@( zFWQ!WRn}P8sT>)kc@5LEnE@u1d*1jUCl*h5sc%(v0@MyMrg=60s=<78nBGj>u~96A=sx^ZNG}-8_4Y=|vD9vsLib*fkTds$8c48O%TgzV2o@jUp_*nCe1!Gthjr^nRKCgUk3lG#EstQ15C+IC{IiH9H!YF-Y-R4oS!^|E6u-RiIKR> zga`UoG$5y}@G-zY7e2rH*C|6Pj>N4UgWFs-s)r9t8TL!`ONEH%1iwFUeE8QVMP-kd z0Y;X*LXY>NXOzue6xF~0^2HL5sBXte&%YXrSRPQd@eirqO*!@SkS!zSjbHsM1y(J) z2TjXYCOs@;nHTz2P8?bnz*c^A$d?(V2l?0HTvg*@031$L`W%Dr;a`z3?Otz)5%?at 
zA_|9F84K`ViD;oV4PJ(l;t&QFjs^cpRE2fBd;#Ce2AC8R_W?g%_^(3HCLJ0cRH)mP zD`hy7phY=~3w_VmgK9=&u|pg?vvi(8Iz*rY^4O$96AghIe5@shg$RiU!zcOIAf~8W z10Kk?db(gs>2Iv)b;9cy6Iacag~!Y%+u^c{;oy^mRdvkj<1Kcb1b{EVzXG*_cMb2t zN{b9%1vV|73RWJ(t^Df`Gd63%D=7e%-vE0!TzzPF0zmj0MM!w+FI~(6FA$#!B}kIR z07~P`$_v0mT?`ChC`J7C**@Em9is@3qoqkXSD&k@2Bhekb$A*`xEilYmpX4>)SS>N zQ#Y?_6RgR_V0scSa=4(-^X70)j~s&ma5#QLP!kskZc>~~Kl;r0H~(s@l{g+=_+KAT zin6D`xB^SSN@TnB4h{BgWf2N`~aE#D)x&fgGD?STKnrEXF{d@L1Yu znSm*Aa}vx)aJv9UcZCAe>MXv+|5!%tBxhv&@LyrnoNCP{jdMoHZw^fx5#Xp1_%j&n zfH8sCWqjagc;@giI7Gqf9RM_=2A$UwCk93F#I>(G%shU1O-y=;Kjsj1HIh!up@GIL zHBsSQG&q1vYGW2`2yhI56fyK;m?o_x{#D17g~Q_K12E`P`)vCT;gMYfD}*l6uHl)k z*ih_WRa6=0p{N@sDPBBtN{WLXG|d1xHIc>x(zd0I;}@K|OyCKCbOz<%#;&o{KV19( z{uSr=V?~IWfAuj$(PB`NBu_Df&+)G?v)e!uI+P#{W5E+ZcKz12Nw=VncXStY{EI*H zubrvZ9fGo z=rq>JRPzxV(kCM=DX5lY-mq?dYgTQ)Ext7h;!BuY@vToZNoyuUz7@;3q|_7>0^iE@^i7n56Ck^? zdwy3`Q|}U-1dYVK@J48OV5QgRBrMFgVsl6)AFsev*FYUL_%hoVE_#$2(w4T&mNe##IWFA#8y1IG#Y0Qi9w zE_`d0OZT_}!WKWnudHpu=f3rM8*vui2?{(Rz<{Y>9wnXvIx*7rvtj z|HHT9;Yob5LW^O?!VAGfYI)snC85j>2LSCo^Gd!|4;H{=$mlu;F#NlDnF33&gLZFe z%01dm3CU2^@vi{&3x!q$-}=piWLe9i_K=zvftm`-he5?<8mTUpxL;8>n^iiOu|8_n*$Hc)&h~lspAHzM$NM?=k{~y-gUA&+7zR(%Ho3s2wZ7rk}f^r#ie7yG)xjA72yO)6bna zI^H(uuTKl@M%O>PpLY>x*=BIBR&=R7!`{p4ssdNyYr=n@H(pU;3y z?kMjalMsF`!^>7Q0o;v#P9?u~1Ay_Gx8vt7JfUcOFacakxdHV4g0XlH$=P-6%x#PB zF2i3sEW`G+WRwybq=_l9CJI&z=lNQP0YaJ*Qg|ytCT~hVI^bLQdDQKM%Tt(JZvjsl zDb0uWXj!7Fqfm2~h#m1X?XjILfsX9EXd z7={|bNnk{a;q}|qJPErG-{$8~wke+9V1(P1o^5l)Tm8I*`*xxR1s^$TqF(oK+VIGN z;=1!y>xH%CAMMtOh}@I0ibxA!g$rKjnVqjb$j?bQa;h<5gqIq^P&3c{c?jED6E^SU zh-=rEXyWK|KmR~>;<*RJ*2@zWHbK<^Nn0La-Mml;m)%|JLVnIcvPtQ)OpQO7hF@t{ z2VeDbF*8}$>YMyPg;mJ@$;I5_1@mNYXm(Sk?P)~kc_FEG)> zETaQHdxYwB1av|JPlGTE59(rmF2!|=vP^P}9hh=aRYh?gB~cM{a|R33%@IOb$xYS& zBCh04=I2npj2C$tl@!2+qX~~%Z%&IoULmPR$)_+%>P?$9Eo9BOsX5NW?`T@kv4r@j zpC2uiSh<&oAiFko3x;JcqvggURq;=AN*~E`zFJW~Q>Pe7oHS!yA!T1jV$hfu;$-;( z#=R2!+z2hn_CR0J78Fcea&s8ytvt z@^fDk-gjW$ua#}R?+fQ4skKs4edlOrjpsQ-TW`xpxwSN}{}T!%*7$h#!*grUtduN7 
zF9PP_L}BD&^5&>lbH;bl&vDcx?MG4g%E@s}N1i2^!vAny$w+*yg4UUWfo}f;VF$)* zM#1;ky!HkghVJ6$Kcdi^8m|Lrsv2bDWHI4yVht2Q{6vE?>X6oG;0vlOXSH70D=l^V zypr<4ecDlEig#=>n94{slv7dOA*eeC6&=(+I8&^!AZf<)8+MTP#4sl#SHrT=@G2T6 zH*w}=iE8l|5IdT31^yLM#k?kea&S66) zRnX3PxH92$#*&G4LOv0hHx%8REfGs)O>L>BuPUeO=R3|Q6=vQbVl3ql0PZSsa5+(x zwdJgY*LmXRoteiv{1J1Khili7-{it!$|26u{t1Y6SiA=`pk}TK;4wQm{?!R0aJ*-x z_XGfBh<{2_B2)He6V1P$7vIcaS=FG2M&n%8+j(l5a}PT(Y; zHXOPXJtBd`FxKg?6O}uc&ihl^RB3`+KJS`Z;zYr2>Ege9tfHDW`Dl%b|JBvBmvjk)|aeoDE}Q zR?&EbhSxjlUwm>;vYP2-AAnntgVjO z$jv3Y3FdJ2wpmj57)*RDSBPBJXL`@~xKg!x38ejt%2Z1tvWOB%MB9*>fME%>PYA4@ zUb4UNu~)}m5S|cLM1=K(Fx-v;ItxB?d7T8ULif^*FyayRV}!js&X3(9xwrHkGN>!^ zqo(r&-L(zxumG9V#u~`TOT)VlK340QoVQKf1$k1xK!iFab&&AQ8RFpt!Srm0Oo6#TZgSgoYW(nYiK<9PL=NR5Y5KHWaj zkaVyr>s5U$wMeV(Pw5-Fq&^_J)$WMD85w#i2-DLwkyek~+elpf{#6PRJp# zM(#%AQxmhz(pZq7mxWK3sI)Z6XAM!Qm-NZEWFq?58*HSVKc-hshQTJ0Wqh2 zX7&>olZvBE;97dVjnT1{v>qZoNxkIKqQb|%(8{UMxpS`JjQY6{rJS+&rl^AS z4;_bD_?c;B{TAS3&os5R7m_|!g<_N5QGh}=i569}y+g1(O;^Fsb89q!Cn*GQeZ_Cnc|@dEfS=TH?N8h4hz~a zB9v>k1J&QG3m;pi=$d`H&L`$>V;k#ZONeqBZQ-$P;!X-($W95}aMzh&o|;APj-7lg z2S2$9e5JjY&&OV{ecm<=I9;enp1OkFYep#+Y}sCJ;wtkc)M@I8$!vm3Hj7a>ObRze zYs$VB^9qXk!s!X4NvfyR`vJR;?l`1vIr8}^z2Y7#$Yys|=5msAUV_62g+b5nW0Q=* zDlhPs*{IMwKf8!=WqCZKt*9}neXN#wX%@nQ8zaz1?V{-jyIJmR?1EK^o2F2i>dLkJ zP$6kPyGKdNp`lXSv$^LbW3kL#xej6zqTos@r|Usf%b7~N&RIoJ;kd(vrq>=W8E*dz#t0c}|D#$i8o2~(qxhZ6Fgq}9F~x!Nqr58uQG)bXI$I^+;dbJJjGc7l3>UZ5r-vxRrNo_n?~g4pcWBl_sh zqH@So^bCb0rt1~4M2SA056loBd!*KSeZ+UK59tD_%Em~7xal@;@^-1jf_rq8qtP@7 zqO?xirK{sG?%LeiR=&!e*{EDOP2$j5G=_GaIn@*s6>>@#m6LhQ%qwd18ACOd^38a| z-Do%Y)}lr^E$uk&uy@3ExVl*?9ZfotI*K}Q9ki_N)ajJtD2Fgdox_&Hl|!ePwxsR0 z(YBc_-c~i2N)HGhs68-0;JMHzCLBl{L>x4Z7nWAqypeR{M({@N#_aTjJxRq(${}rO zznpG8Lcw{Cg+4Ce<^l~rcIcY=^z`5~A1kB^`gZS{j}>BL_7x?S`PibU>2{V0EIPnC1&;Ullb7Rh9XbjG5_kf>x*g4szJ?+CMv zuqye-0-?J(Aw0k-wlJD?sKn)QwUws;0pmsi3>FJ0K@w+Sj@l5 z6$v0|1x~vL9sS^?+`JrzH&tbE%Qrdgp5UF@C`s zM7y*sh3M)VjcHT|;=PExI1Twe(CjNX#O}VRIZe(H8-NB}D=<8PHonRJe!)D2Q$WtX 
zHVf)^A;oR}A<7$g&w=_K74PfQsr--+LjSns%)SWEfj7R#JQS*iMC5HamY2AQInSnx z!^(?{aX^Np#aeyTR$Yg5`opYJCauP&>(-eNnJ%I{X87~e&hTWDO=mP^8!nm*d*VXV zl_G&Lw&-}M%~B`6nlZuxe80%LfbiT_=9zepc)xg!gx2R8mdPX7Ui$NeRF zLti4tpJ-eVos9V8!PYLU2Lfc5O}4h zXZSO*y`DRJM6X-tcl-5;y3eSaB_Y0tx4Y9@v*>11gFv6XeiHrR+W^J>6L10L_MMEH z)lMmm$4Sb*XSx+;`Td=dTKbG%EyABEwq9M}Hv&T;{~16*5~KfQ;n^WfHSDax_Y*8} zxcPqUJOc&!6}~qAKQIbe_>cd>y+^EeO!hr=tHsdsDEiCllosKH@Eo6?Rr}ol6V^Q zEat0k(h=8Q_UJSBH9;sfvyzc}Xx&`O7s5Vrg|X3}NZp6WZZ5`K;c)SP3V(%jc5G)c3`L-T$H^M4)JyL5jUW|iY^1x#zgORvBz50I$ zZ0Wm^N%ITDV^3Y0(z0A4heiL@Kh(2EF75v$2W$0Ni%j}$w&n|Mev@2>*_owjB#0+p zbmFXBC&D_Og?R`L!W)tWoRs(oBRAY9Bp(fIgxZgR^I8TlA6{PM>ey~_vq)MKhu?u> zF4sY))wcyO;>Q5oMSNCrT z>*t+GCoM_^hEnfGi^xZIa2@`p#HFf`pZ1|5?;oXfqv5Z`E|L2%hD>>3D6`9Ct=}du z-wJn6H?d*F9!pf|;pB?W0m^s(|I$zzcyjtZ#>-#KN+f%buY@}y8h@{k)*`gPAKc;U+4rT2$yaG?R zSp^B7Vhy12P`*F)3kST6MS50vZelpLKfWW_&TIIt=KA8+>Bh8+=P9u#{cK_arnQ@< z@Q+5*{g))uZd#wt9dG^5*kX8)8}Urcl(%b4@{)SVYeqk+Z;e=oHw7@#RpDDpIdhVfz_?5y*)uJ%Xj8iFad>dy){-W^0hofl#788PP`0q zbp}N^8^r*7f>bsz&uMCvN7Ht>)W94~cJ_Ta)CQ{hjD^P9i!#SUQj> zyj$A%-=?6dDG0=2+H9)Kzv^O=5gMCOny;>h`Kj;W?gzSqnLi3*0Ul_!0Ut1SZqV49 z0TrSbU?-ylwC*iuG^>LP(jVICHtn-dRW;z`y>`h7Dqqi_O(gleVu@i4BYGgfX#~jZ zdk9u;p?lN@>qx`>0QDc(E;T2bX#QZ&?dE0J8?EYM6#+L4gqT)8<6>7;UX7iwoJh~J zSX{IPbmfP5kU786IDd!)hA4nZo6Sgd!M}=Wkzbs$GAa#%t%#jUkC`9S5Ey5h#^sY1 z=2pGd7^WdJDp6Sl%^>^gyGahdluLIR*d6~njBfa0^jQ4JQ;_ct9TFumI7lb#QrOK| z%$3eAwN9qJ(}qCXN(iwF&JBt0Ikh71?fig+c5GnQm|f=U=q(TRNxI7noH0jjye0Q8 zPTKrrXnEWgLilln(0kug)j*_aqj*64;9f|cunvk7+kt3f6kWB4t(aH~m^kR$lMkFp zWIBkb-6s<)iqFlPb;I{ZL@R2d8<_UKK_DOQZJu%IQNTW$_lAakw?Z%oty(Zej`2;< zI$e8Q2)Qu4ssr=kL-_g64Y%>-hk}F?qW|mDz&4*%$~*-Se;k(ofh6~ZK20i;b)7ve zwNaMp7=V@QvU=MX2y(%x5OK_HO8n6GBKW=T`cFKL}e5*N>J zjy_VQ*!G-BBD*3C51}#c--P>C#M{Ll^XWlq-J5&QiS4DZ{TJh)<+WMc7!EA?DIVbB zayB-~K$!y*(dlc-deWaEMEiH0clQ)Uu+7M1st9%AK3BGs)$d@bnGO*#?xAbCCyVh; zveTju_VFjSY@a<#p{R3k$IJ%_lT+SIB}p*SmC z!c8M4`9P)KBRz4-1hhJpk&D)T;RiN{B*KV$+a%`!>Mw8aF9 z53EdhAj)YdcP>jlzyu%qGNvMwxZAA2zo?049ytA2f9*9>M;=6FKg?)tpNsb&J#ut! 
z=#wa>OHlNU`0Fx)i=GW0aE3+$?Y*5{uxwZCoq|QwdDc5`VhPgcgI_pEsEdv$>czw~ z4n-;dgE;bac8f?C;>-U1k=qvYc{<4~K5k^1DPyZQCUhYn1AT(dG0i~Lv1uXE9>brjRTG+>QWF1_Zz)z|1D$0*TK;GFewRyiDdA-Ze15$?f1vlX4SE~q`1y>k zTxc7X+QlgfbIs`f^NkX4B3^j7dKn~~4>r-R4?y!`$)_Yula+~1M5>OFhR5Mjya9`X z<^^`{9vE&F#Ecs>)r?>KUcRH5j zKdwPd#}q7Pou0dtyg3zTDSwE(ySvQbb`rz?xMKI@0&ShZUC+x%hKb|e=#|&h8`};p zJW4!UK`1rg#$BL#Oktf0N2Mpe`}DoKI%p^)CCBjdc~~Yj^Hg5c08^e49&Q#SHx#-$ zp@>txezboNJbYCLj+I`7f4hIFGGc-;zP8Ue@IC;!XCg|QD)?_HXYuTBzG@0mXQ<)gmPB~KOII@P{E% zX2rFxo*iFhuW)kjaj`cPKdw&pG}@gtGI_Sd{b~pdJ^H68=y=b^WiOs4OuCUx$UwKU zC+O9Qe~td|Lso^Np(TF!3;inJK%V zB*PBYx43p|braAJlaF%;1mdR^d%5AEgR=+H-@*I6cw~H*YASq6=ag(njoX|9<~UJiWgD=$dOV z1lIwrx?@H=-5*Hq!{2S|SCZ7Wfo?AfD_j z_o1f=Y5rRDg)hgQC<70Nrn^^;vW8K`iVq6Fie-We0->l!BEpCDg1wctut9Dsog62N zzZL%_v<7jq;z%dy+;K~hR?_^cP(2|UUMS+8xQqN>7R7yLiC;Shm-<+RiV+mV9-{Ye z+GCx4G=tD|7YTjwePS(@25&UXbRn|C47u3a{Sc&A-s@(I@jmh&ve(Rz9(g2%cBFs) zf%WTZ!fe40!rk-Lf2tp^k_<^Iw{}N4VEk0dY$hMjiCF}46pK*=G1{8<1h1ReDJnLn zsYV}aPSBRy?DOZL;SAX(aoSriCu2;5N%a6i(H4!o&U#D{6>0Jps9AB#4A7r<`gmg*{1RZ$^81QWj z2HZhE0c=g5d?Y}re4m+~EU5*qVtKbF16bhiv1GCl2ttXG72Jz-L)~!hZC&E$hd-M` z?KSKxS;*wP7jko!I_~n_^_RPOl~=Fzx%c*EHOz6>+ z6>QNcd}}b9x;Gv=-a@*=ALt7PcU5V>VnwiY1qo3`#|v!$&Q#9dbi=r1@}Q4Cpkfo9 zAYi##U!Y2uw-+iGFu?TK$lw9^ux`DAlCxb9BdvOSY0;(kfCR7bnp#g51osnUq#rhftk z_#kve<74-I(XRTak^fG)^Zceh+m_hgLr>WF=ZjZT?57C6C$E7z-+IvsSkU zpe}(}2x=QT*jCMv+3qnj0od0hIh1DJCT-52^Fbt^HQ&C?Y;vSbXRybbo5-$t{C$z) z3-WzCP0xN_?}2f(KvVqU_ zv%2lKpWfd;>8wooVrJLyyi1Q;S6TRoVIxOW8sDS0PmUg?;YsY( znZ^xnk$awH$0m<|@a>Y5o7OfhPQ`pdyoQ70^6bSf({i@g<(qkKSb)wD?VRfkzu@

    v zXC0f>u<%CHA||Z)U~~6*rLti4;1w#ofDenX`gU45@I>IXE*?&tBQALLh+~RcPisB?F5c8^}wsi`c>1Ay(A^6DMt)Po7r& zPD&#vwo;{fD&a-fU%PYBgOAver3c{dPf|LC{v-F+obcLn0Y~Kevu4Bk)&Zb3LGdEX zwFljtx5mHsH9`LZ!}ydlvpUW&Q}hKlJ)2r`X~nVLHP&eYqCVw`7+sZkVRUkGOIaS^ ziTR{*`$#MqKY+!-%UEKo@Wtxl$8yQr{T7i2@^wi;I^Q=BT~u1F1fS*jqsO%Rv0n? zop873@VgwH+x5eB0q{kLc0ztH4-jU$na(unxa5 zF_W>)%}JCWc;eP?&cm73y;MGkKK~$SPo;Fzb4lq(6#JuEW6hYgH`qsK$gl+?$! z9*EOxiL+L0ZO+Mbu5CT15ODPjc@IEYt)Q8}(a}5!M{Mn!MXY);{{PeR+s{GS1z5su z)#a@TFV~M5CSObj;X7)1k&VOT2lHu+sdU|Wyv{Is&hFpTmPw=sFJig~Jz2l264ceGmUIw=S6n7U^ zHa#kiW}^E2L&F7Y?$8p`GjlM~YDYP}ye3S!$8@35VHo`5E;BmD8AXg0NiB5L*?xEP zDRv$rTx1ZXZdZJho(0&)C3+upT4S@xJ0*YZ6J;JL3wgh?#P*=x`^&iUKO>0w*jz)R z&w_am(4uD@AqXx8`yh+=hrAk&OW#(>%zo7cUpdEpMZ^q2sz>I)oSs)$H7tGpnqWmj z3sArR*H>Y=?yJlZRh>cjd}4P}*FLD{-@rpdf#^~nN%~z|>+YR8yQ1t=A2Kjv-1vu-d&$xN_3<{SO(_CuPyTbixaZV9Kn{M-Lu`{B+ik z&B?io&aLT*Z$q}9EO)?eB}?x?aRn;Ix1^1jqZZ;;7pjYaEAh+t~Ut zq$$&ePgpr4PpEAxj>eHqN_eaL@hUuEarTk z7yXR*KB1uz9?Ba$S5)17#d3b7{Bvi?uful;0me66vQ04SFz3-xFNyU7>B}M3v4#|p z-_tEky1_S$1o=Fxg7o=OO-z4q?`&1x1PrEgrP#d4+XIV0g62wiQ}#7hc(|@xea>^N zAB?ni_5(RGDFhy?UT~7-oo}LU* z1&(OkZz0TIE!~@#$wKfk+cmEXL~|V0YsB+4=pH1VT@3-fKI?9vX8^#A8FQ#0!S&sW zW4?eddDmW=`g0RDdmDN5Hg$2(OrMZ0b9qqvRGllRIIlOXM-~+9j zfe4Ci$liA4Zn~-X|9*6qFu#c1!@AxRBL5xZdHgS!a$Edu#sAAxgj2uRfvOYz^Ik4riUJ=%e*{|SjROf}D*vY{( zn)k1Uj#F#0OmjQorf=;E3jEfTt)~RtX87_qxa1B05&G{$^}GLxy=OCj*}(G$ubRU} zVShB*EQ|w*LNuV(`v~uMFkY~1-;^?c_>#Pm=zt^Cr-WaWEZaC+}Gf{f3I-_ z{VlOQbQ7$9`vO8@ppaHm66XoHlQo-^#;i116dvqt-``9QOq$TxyZ)6zbMubHbJ;rh z2ctBViwQ29rNrdCiQ}VO<(5Vj?bHq@8@4cAUdda}yY%+zH+(%WA^p^^<8>KTW*q_&R3FEwoiDN4{eOQY8?&7Rryhra={a?>S@KJBn5BnYV z^j8T3P0rMR`Tr2*(ZXN+?f8exPJdkPHluHF|7TA-^VR&>!dk#JXa5ZUe~MO8CNAn*+Sa9n%79K+gYXL;sxF zUcU9h%0IPCjFCC5zZ#>yT;zT!I>Xo9ksQ!?i-}x!Jq6J*?VFx%Fz?KMhdw-p!6WSc zGR-}ke@>FX_ok$FDKRmLfAEc1U)$1C=A|Lf-F;HshXoT?Gv1=qu-WaH^Bm}ezBI5~ zT$C`iF#^*pJGgfZ> zU9uf$tb-3nVqfElY8A1M>CENa=?f16W1Ng&{3&yVt#9Tx$d- z3I6x@gYw@+k3ZGhSJ>viw!E%{U(_9r45ht)9Q 
z+u6nV(aXStE&vI|@7SC2Fee%_oLBIRa#DI6mG1L}1GLGJ&@7lFzl9g1iL}YLmQ?c$ z^R?fFM$ueKs=QMYCo|EGRlj%HE4}O`V6W!lOLJi0Myd%taO>;h;1EdpXa?!^e5( z%rx9G>=dAnY?ce6j?{EcNGd-(@8$1T!o(m3hFm3(<;58XGKX0NjUckfo-&{=Kd|~| z->1}9xoZlcGv6DgH;WBFYBF}j8(l$l2b~cvn3|)v-A1Y{af2*}R zwDTMR;yr)s`q=*<(0ohWv2mGR9n&a^$x%2{m)YX0j#v2*Ux{}0^XIiqg{~bn?6D>D z962ze4DTUqiE3Wc7d|+Lg{ds38g8QCKVI@zdcHbbEwd^e$Ca%I*l|Ah>tJChRETlkf#{N2ojL2Gm|5a$oRc1W)trtT%Bvwf9xUcmdI^d&7z zkC(D!Yvy=7WNmw!ymn_juPBmNSK#Ck=B+&N*srM=C+|lgAhy2$Pkb0^Mux7jU@SJi zKxAIV884db_?0ye5!f@*SoSdCb~F1vzWSeNDVHwPI4m zUQ%&ybqPOkj zZgB?D;JfF%oc@qM3=xuNzDelbG6g@y=;F|rrp~%X!>`e zo{jb&6zovY50caWrR5QJg`4;cS=hmwfo|g;k_)lMTDrlg*{BazbC|=5seQ04!VKR8 z@MqvoGrzs@lL#n2JyGdx+B`8b%~8KoD|!1}NRw}vO`l-9sB{6GF#*M9Z{9w*zZZwH ztvqw#wHVdIt6D_rRq_n*VtqGq(AJd5&bPWKo`&Fx>k&r#{UM&?EZ_}b`rciHuYB92 z)P1X%KRM4?yS|O;c!==0yWgs@c}Tr&e)#~G3ZwpDv}2{W7;x?>?8&KlAEf7}4}o~4 z@}@gO)^ds~WZr-h-1}Y~=ogf5`2jDGn)=N&M?ubUl}XyD#e`S$-Hz~8r!8(D#yCwx zm5Lg{$nV#*Lz?N}zmDSUsVVeZ_oKMz(>BkE_^VQWUhZ^OZ4HoE*Y%NmVhF6rvf0dmb!3kYbj9hodsMteT0`ZW(q^rG!}*?! 
zpGN-nm^iqKZhlGL|0$G9YIY^(_yjs;^#k%I#Y~y z2ujR_`2NCZJ9tN#kg=4-cfizB1gqZ66yuEIq>^qOqG84ep{iS4b{dpuA@44F($e-GQ;)< zWv{mk-0Zzp!HGOL-)0W(2A}%zajk4mzy~eEdL)4kK<&3jd}~rr_br zwZ8Z{&u^g8Y;#F`51+3pf4-nSvFS=DfB3JDmM@X*4;_UuFkm^=E$vRKaHSr?L+0MT#~-GjxUot zQNUE{n+JvYZUV6qqFk*@vm5uIU9mV9YEd7^~UG6e&TIcuUV~!0G;z!B{mVa1q6_ zXzn`c`g2Y<{q?nt-SC(5Q9bipk}panlq0mOY5=2b>4yzr+e&A;(|kei7b_96X8=JR zacJ}AkyQJ7(t$=GCU3d^G)ec<8r0+GF`B#Sw1bh?SoS~Eg8fsltxe5KNF>B67Dr#L z-Ep>ka|$EMKNjSCmPPkBwP)|v=mF&!1*SLku{{oJqSXw`4$$TJPfyQ&ipS8$(#<{k zl92d~-|g#1Z0!Nhzy}G~`Qg3yOs$PXT12yZ(G8z~+`zE7u9MoHrKce{)XLiXJAZqj zrdc=S*S84Qyy zZZgehfDwM=5B`S3qnnZVxesmN1N(39`dR8KJsYn8$;I$DqP**X$b(ltJMMkxNHy5I zAG0=_ZiiHmBJ;-5TWX$7&PV1H=HJE@CjBGAfG1Yp29OLn3hdnWWp}U>@DQ^&<3(QB zZ>!m^6`*+Rb+5_yILhDhVfe!!Li%h!I}P}!VMF&_tLDxHQ1D=3;5mS|!kCdEhaEor zuh*s>l6YC8BUr|8bAA@Wg18gRBaZ#ThX28-N5>Afs_ zH2bpfh1iGVba7vy%}?KpmhlfaVBWLF4dNy zeV@IuDync_vJW;2w+^EQ^O?>FozLL_JwU?04*H>=S4!=OJrg`M@F;?e@;8xD2&_Lj zlFt(F5IvlLR*A{TUk5BTVF2$T2^*qh{5G);+uJ{($p{6#Kl9JW2Ho$;qCQu?|D$)g zb-bLzFWY(&vH|nb^(T6v^NRd=y>MNRdWUCuygwJix6*FB|E?|jYnguuU=0bi?S_If z|7!2aqlfMLJij z!V_C#Kg_PA%phTI@5Eb*RlNApxj@4fsPR}}YKloWjqV#co*DG84tzvI8l#A_n13>= z+P8s?u=yEo1o1sNH@K*oSJMAHQQFfsy3S=!-zheOaf-;Sq9#AuH!-?#(3*jk_I77LTZv>XIsGg+)c`t;%IWi zb|f?rVvqQGSg(oCS5ZLs!uD71DQ2l&n*p9P1laRGC<`z`QhS`jkvnjqC?D5Ah8HMA zgQ-T0tNn9jEJ2`@MHLFDb$c|QrJ;JMHHKi@#tIKyECPDWscBUZFw5vR&{5%vI3%y2 z2P=dMd_!ALH!j2lw4mxDO)mhO6SvZu( zDvJRB(%dxLEDhdk4c-pjY#qtkf(DHSdj_uY_r%XL`A{B6*sK{^-V{&8&@kjfFTe@$ z6%zJGOF7|nyapeNy zbQFu8Y%34~ZSZ*!vJB=!{d~vtfOKP*WXU*P3owK-uKoB>k=)bTFwC&jZnR#RPlv88ttN9H{+pi695lG$$LvK4m6X4wmb z31&uJO>o+$N|w4-r_?^XmPX5emf(h2arr8E)*1#`T~#=%n_L3_Ii-_xUL{tkc?`gC zZZ2zQVkp37ldyKpHoiTX`JHaoF(y<5dFIuS7XC8~UCs?1gMN_j8z_weG1r+FlLx=~ zkP(6e%(K-8ZW%WGXVe(A`SG6~NCG_wEHB1?{s8fN2lon4J-1kwIh&@{vsJ)z92Auj z-hcY|K++lIA~0sgJGIIp-pO{o^Pd_3%4H|_0{*kfBi&0@H2;}_oy#Zj)@%}P(h>o0 z3kokXHg}9{KOPYd{xg}gu^|J{@V(==Ucf_jm4XMU>h{6MSRmf+o>7o!L3rzwaia8A z7&m>@PW}@aH{F_tNeLR+|2csJpnffHvq!!EbmA0*#EL{K32zCQe5n-aZgEk|QBlD7 
z&*BcGyQcCp-a2?flkdn9bPL+D)IBtiT{&G?A=gCHq`^%`liBB zQqZBq1Zsgz_JtY!7;HJ~OXHc>2n zw0wuy3`tFFyH0rW8stWXZK-20qt&R5kfZRQP2hZp868inAzo2Q=`b=e7@MzsF3RCQ znedu9egg#%afz+>zI@Mr&P?^~qS>OmFAX}h>Frru@|05zzM)!HhLcaE}S8aIoFT1n>9 zZjxPQx`gt@Vkx*b7sxAHk?dfC7)*Gm2W`rNfbaG4#((CsF^E*C!|B6-nQPK~U;^l= zGYFoV*#5I7%S!ZmPTQnuTq;`l)xCn6?PZhID7j?EJZKh+srK=oI4mQDkcZ=5XZfEm zQ*Lv4Ay#s5?1B&f>4Hh=8?Bmp4Y8>?Vt9+4kkefoexp}aUemJ$Q&Uft27EpD4~PM8 zm$U7#$!<4pW?gyLDNZT=bG06IEV=Xt1L?A0@hI7}NnTwmrFN=vZ&18FoNqJC{AcPH zTlpsbQwAr)QoJp@{xhb!FQLMJ)}`M)g(d{==C*RwtZF?6P{pajFPUn~9&Rni{3>9Aw_43aZsNg8u@1s>+#cip} z-L$D9dsaC}lr6d8b<4K!jZ|`16ISQy43=Q3Nsz)M^aQ1vSRx|+=LmQZzrDyzIVEW^ zM10K4q8VIZ^C@{=Ws4&n0{`77lQ}|UDQ^Z z9HHo-_sFmf%t7x^wzZaxQL58*GT5@l^>P%wn zs4EFh$Ty5u*p2{M6G3!l{Q$;Voqh1~7e?IZ1(BzwbcJQP5^QrWaFVExc8 zX3Dw-0dQ9X@d0O!8{OD}J~Y~a5X}rsXHjWo3QlBsKtj1gKnLttd_(kuuXd0LV-zWY z58Yv7EQHB2=!4i>q4#V@!8;4X?z&oJgVWwV<)yTEyKFY-dN36vP%dPfp0ne23O>}y zwl6Py?V6RCb5`4!-ba}1GMUbAhSmwe?z zjasZKR?haa62xWQ^U+{UST-NZgilKY5dnRW{~#P_pqPs;{erpz6&E zle-y4*&b#M;_)|JWj-cIz&KWkzW~pcX=-d@nyY-@9P#eQ6OS)8tCf7{kfq~0<$T!; zm}Glwguaw%jao-IgQ}OG1!1enH%VmNWdK_O6<#r5m_R&Zz1l>b1+&ACad++thItvvpH8<5!QRK%oc;$bk3;?w~eQ;kBel7Ka;LB`-O0p zIxkH?K~Wzk(dWm^DPc+a0&kHD6P;~L?jfFhJSz|MZs)-cAp6{)eCQ53(+49Li8acV z(&n6m$fZhrU(~nv;sE1hJYL0z_HeM5Miv(pOZkNz!3kDn8bT?|uxaW+5_^h3Xr@K);4gZPi;!MW8|Y~r#=D_Ux%~J>n6FrFpSE^qEG@bSDgFG3n`fnpFyv^epnXo zl5t**@HA0;s0>rAtR9j&(5svItUg7X29Fa1?#mLaz0-SUOHORL&PAwrfnFjq3g!F6 z=Qa=@nu~WYoD_>ob`6ufx>1zcsf)Y6%k^G+To_0|>MqLawt=ax*OQ5DuOLYy0*pwb zp5Su!u`}8_vAyBEK)U1GUXoh!p;VyQ`52fFF5pEol6|NP%pNJJ8;2%(>r%ALYs$X) z`c_Htn+nNQSzKFGY9(N_dxn}>^M~3d5W6`vGDt+jAQMHU?50Kg$vHYq5FCsQjt-4- z)RWvs@ANTCJkki`g^Y6YmyBICs7H`<%~F9EOC}HHWIH6<+Pp(UXivm07#$d+N^F@9 zlZxeQd#ky)x($<(-M-j3CQgLv89PvtoEc*hUeZHcX{#ab+0CNz95RZEi=|^)SFzhl z9z;}urLKppm6EX;O1lLf8HdkZbBs$5^dcQTRA&MfkvwV!a9SX);7p*Th9iuD0c()j^#`_!|+yBmgLtAzN_A#$}PToUh;Z)uU~I1LE5 z-NtN3K2%5qU?N$hYJ6xA8E7tIfIl4$K!|Bx6CA zyGTUA4Z6I&wMD|oPS|Bnl6>gRBge15gy~($_LY3pX%6w)6av_CF^fs+LsfQ63@>7G 
z@S&;PrF9@snu3PDf=~2?${d-j4~-fAXwSu-)6t}@HJ1%GR9u7Bx$8m)phPH6c^h!W zI~03a>7Xc}T;w9UfNEv63=KKrn~+&RO{hXBFXhfX!if(}0jAN++*}y>6+Tn|H%XT{ zdXNiF*_oYmE;ImZZKXl-!|}aQK$=zz{5T?STMHc@D$7_J@LbrV4`!;2>WL7HKP|Qu z8~D(;N47xT#fNr4T}_WS~Z& zKq(qy`{gwg`}-0--3re^i49Pyl*)TzlDeWH^#G@hhx8Xa0Eht%*zqo2q&vym&URE+ z#-_ohCv>D`l0y-Ozn(6NTuXwDxkfZJ5Kl0lJK*m~oI>$!1rOryM zn^IzY4Yw$ZtoCtGpI%jhuE~}0HcTKFr^7?5U|VjH5uya;#%JDLCn@6;cJkxr)2d`# zc#Pb{--D=YG}p_EWbXj<-Y2FBh$M9-jd*-+%T?d(hfvO@2Ty^&Ct!!n2vt7HNjF+* z%&2{h4!{C!1jOur-$Ad%I}cdqEey@S`${uQi4N`hVzILTPI360s+yNn%d?)KZ+FXT zxwWih&!GgjKXj}#v6=^=McLE|hc)FJa3hlc-m^pgf|x1>*WDtm^n0q;PIe0o92Ne4 z!+UgFPkZ6vbhvGVK_mH=%U+D0}Xd4|Rn8_Y_yGPN)lR-oAFbswkTt$ImmZ*h#zz4*IrM$;>AqY*_}f$k%$AVxG8 zVDHIh?j}5W4&zMo=y{O znVG#OC-oG-sJ-j>mh39$Z(#u0VnUiR8c}A5CtcMGc?)8jmt4mso8n~!%6fd2@b{b$ zk4xPJ)mVIo6h?!H&^A(o^Fm$*Ne1F&_`44KtXNZ{3nT-eV9E)xCJ%vuuqgW9k;Fot zG`kM)A{;j=%{vlW!f5gx#i_er_FC&E`FA7vNe(tkuk!D*c53smIEhkj8GkRb)@m6H z#(6Fsi6BGXCs*YY+vb5LyaJ}f6&i-)JAWrq3V9KWa=Ea8zsH118~FDjdF}=x+a3VF zRv*%`0mV&fZuonUw@1gV=-H98+fm=~ zDy~}jm@EE{%T@e2ld4imTKlW!x%D3Y&XU6H(5$6bDIl$6K{7&ANhPc@7F9>p?B&ME zOU$(SMhsg|^=hNQeVf$S7+rtL7FcxQ2?k{+{5^%cu`yD#8Q)`=+LZ~tptc2{bFE!G zj=tN;OX?-%7MpG0Y}<*QwNw%wR6E&ONw>vnaPK8?K87=%+=tr5IQ9gg9y-v>hnB1n zZ9F#~?v~SaxM@e@;M%HJVNxD<6NQv}U|_p5*>r?tq`Nem-V&HxSZW(}neP!En&RIs zfT<3jiECD^l}pG>6o9`6APU4&EAMh)fdW&ugW?2>81NkPH4=ZHSt;Ghc~yzC1ajDZ zLhQEwux}G&S9XI`QkYOmYVh|GLOtvVJ+@OAvj`+A2*_hx(|yp|bO*^24f8O4+<-Pk zVz$U|eXjAD-Z>Zn%*_4$ZBk=ayNW^s-HlZef6rjep?-X8=%M`G6+x@VJX82P4{DV4 z1jE`vwI5G%B~41;O{zS-mHemjFuSw4ge`^=T6D|odtqV zGoQL|RDaK*Y~nP#7DUJE6mc;kCirBnks&xRngrC#cJM`s-Eowr>yzEzZvdMkk`RBd zaSG-;jS}p3t91qHQ~P%pFIpKStXYZg7R1FVWRUQ8kxjb~5XIj^K_)6Ex&OP8{BrHc zT+s@nkondnD;1PrcdG)kI0GsB>H(v+Gu}IK+8`-g{;q}sp-^bY|JkX&(~zH)fOcsy z3Uun4G3H5UO;V3cqp-;9u?g>>n{a4wuVm81R2~N-Q0vw$8n2e66bda41#` zJIpl7Wnm%cCAKs*?dy^?wnEqU=3rV3JJs^(hlYe@VMChaHBghdk8$Vn_|P#qLccXM ztJfK00xOpUb9WFC5T^D(Y(_OJFcRlAjIg-})K*EsaZd=BJlj$asL!) 
z;vC$n{}XF>DjR3tIxOqjRyp~FJdx7;9`7LVkaUB_4$YX$*AVzWu9)erxoH^qKP@LQ z#>OQGCgviA`N6yFq$~c9s+P-;BN6_O43ET)RwF9@&j3iqD16L|h>H=%1@A(%O=Gel zER+zF4HRER-gygiC8r34ZJ8z>_&+PK_YGdg`~Qf7rwLxBe*Iq_Aa8Jgq*H5E-T>o^3$xU7WMv zyt&zgkZeaKV;Yt>r8RM++#|2OpjtC#w1MypsRUV2?Ofku2_c?6*Lt--kTO?z^JXin z%>N+)Z&xxasV1wHYsvo^!8Xe58g8Tj{_YwIlP;e^IF2d3Lkin?tu8?#G*vub6NK19 z3xOd3cPrBF|9}9aZ`Er=BT@km+41aSSK)Ihkhz!#ZXOT4E%nnu3yxntQW*c|RW|P~ zrpDGp6;^$@268Qf*`4>e;aB7v>CmY(hqSqRDY~Qme=x9zHw+}8?cP^r`{7Z`d??;) zkrINZwg#(ZS){c^}5OdbPwWEhtP-vD5QBC;+@-S5=1(a5rnf-nhN8v*HD!tol$Da zFd=7XuPaU)euAuc(=g8K@$Hdfg*Apf%vES)d4j>-3cUGbY_4u^vCKN7vMeM&IOJu# z!QK95)ab{CQ71&U!;{NhgcK!1ebeYnz`Mvs4-@4({?ND$*POTW9~YlnZsYKOX0&iy zVI%q>#PN^?JtS+zB~$Z%NW2@Cmk3yhZz?hP7!oT4l#ly=MAYQk^DP{RQ#a&ggvCE0 z6pEFZ`I{s@CIX=+=-$BR+$nS5ioX_IA;22p&LnMC!fGsQ=EV*)z9txz(<{=EdKpxKDG&3N*65wt9vAv!c*@N8L)5L^JJ z8OMw&q>Z}F_XrQ;-$^IezzD$Xg~jAnf?16{!4l)|K-(VfP8NRM9C{u`+FBgSww=-x{snT8t%NJ+2R-|Ni~*106;p|Rh1$@+XxIdLwO*} zYZM1?{9^*U#=NjOu4R1ZV59h#-E zIPx3Z(e}jLfP8d8alz-O0cS46Uopqv*3N({yRyKdB`l=VC__e~8g4!<2eBkmRzI<4 z9()CT^GsHlBL0I@{#LP~rm+vp!7=0`2z0^E#|4;NrCwO-coYlhP`C;v+Q8qH%hh%w z<9Se%_YBA1B3##*Yzd*hcRthGwz*qNhDDSrh>mp=vw=_{qhJk2QoKO;DoYeFp6$E; zj*Q{Zt%IV6OvNyOrjzMAEG-|%A;|grk&fQ>-7@~3@W3`souGwASQ8zPj71|ogIOl% zWQyiRrd5UUhKEvFT2gK_trw|Hx0Ji@5?Gh4n~^9`j(~JW0h^=>ns%r(#Wsv+2LL1Y z00FddOT)wT(mu{( zh+)4Jpy@QSic&~4KFluE&w7W-@mPrk0h1e~x7slBTVLGA79Yyz)|%rN1@x=B^P=?n zPyY#XvuH^%r(VcDRcN`h?NH#-dSqTZ+E}p;Q2mCGjx>yNOy0S6y0LhjSvO#3;agMj zQi^uK8v`^3&<@16-P9#uhvJ!&M2y4<+>fi)X0`)9gZlmLBg5F6?ubX%h*n`wr^k6*RwC8UIl-bWbS6%rZyRpTUV1exqaFJJj*#a3M-s@F@Lmq4svU zM&LM;$AnDV2eJbG;?(js04sZ_?==ArD1*Ikd$o)qul9OMSig11gsbTr|GIS?Z@6n8 z{yH`#Zbv9qz&4v@`qiK?FmaL_YuurF#kdQ}%`YMGmWMBl%fn_L_F8b;LFNj8PV&y=yvggN8)Bxkx*RS3%#es| zhqtfY&j$&1{c~Sna6+;6tp8|{pI>u@AYJ7&5H~$%JFe8gGyc$~ zl+^eV+r^>dxsIFslJkJ~{E1ZkdA`&?b4E=Lucc81qU}2(2F_&jCF^_0)N@J*!#}uh zvb8>oo~q~vS?fQ4Nl#1|wAT;ez`5JrmU`ouzbOv39f6KxX!OT;qMP!GoBVlvL~X$z 
z{jkh$*~BBi(DM49((*kN$PWW40ZHpBK*PNgstFWF|lOyajEKTrTbbso!eRodf-4;}p|EzJNj#G_{Wr+2WIxMwuO}Y(YoK@qgLz!qyg$ zJl0=DaRN>*&&LFTXLLDUUdhx?1~Zi4!2^Retk=gEGs*Du%bw8-c(N77r9^v>mVYMu z0H-x<1LAi`rO&fJRvUPJc=&rb`Df4)cQU(W&TDPc7;>I{A>9o-X@mC_K8$aZF6Ax2 zzXMahcCn_PlKitfOqJuSKmCNv;F)U)4BxRql)dw8G?q23z_u3VteT`ELXC? zxE(Z1)(eTg5-MM2z40QKh-_r}n-qYNGTT)gEP=d<{yo?0VrYOjn;HGy8wL`#hxYWg zP-@DC_yD4Vklgcm*Ng0~J#auv4=y$O|8yZ-|4?D-toJ(GOm7R{jq^X-fW$mp$iEWq zqB5i3RlVyI-78>5-A}UeshAzm6*lrkgC1**1JJgvSl4;yk-fQV7r`C6tuqRVe zPiE{MYWk-oMf^AYC+*)nkbD5p1Ro)jDEPOC=igLX#ni~(yU`Zr%#cH4?3Y*uHz*7= zSPeqcP4kbart#0GIz=vEz0aYuMdp!RB|fUzZ?Zk`SG<@Elg^evs&KxN#W!c42RHGX z)wTuP#7Ot4`$JNz;Nv#>*S$dRU{g3$oUTq<|FKFNKOKC!-Hq}27PM2~^VY6XnC*2sdm3z>}b3huFMja5INN`7h z;DVEN`=&8I>c8FlC%JQ&P~&Tv=pN`O_q*f*!4`S29UE%AYV~~j(5i$1(Yf+t=ePCl zFt*#z5$3(@T)oZa0Pya1E~n7U?AqD$S@Pic4)<}I5~j2-mPz*vRj`D?b)h{4ZiLy%KF?0XXo29ep~=e0PR zPgFHA>D42Se;!})cXMP4lnkv(YZvk-VnLalyufV!xq_cAX8M#+uTy4XDPGPSBg-_B^4*qn% z!H=LOOoP=jf$&=UZ@}M{gM|I9x4$~5ZSCa&zN_g$Gj&*_;Kq1JlEh503@{$e@*PF` zAgtIjP;>>6pQn=&UwVPuRZOZ=A#C-MJj=Q#zK?wsJqBpa3eSUG7abHw$= z+t)#g)tMJq#M4#W0k~gywmbG6;Yf~)ztX9KJVuAsEyx25`%c_3zi-;2Oj6wAGjw!z^Z(-c(OhUJ3U8gT(+@k zKBPie>HRF^5VI?2Gai7l*7P4TAqGua`1{fZLT$b_cb!~RH=Gf-Op^TF;6SFX)DP{; z`kYMA^-@Os^ONN-hyQTW;6EIYL_RM7Xs|hU^h7MShTBb|{hMhyp!NY`XPaf0EyfS0 zFmdb>cQx$51Ote)_-%A6E$AV{-;$)psekkZ3~rb3p6I%g z`-;K+NNxvd*OS}GmDfN&h4X*tVdm6#$bN=@(y5}RB@9tpJ@@V?r z1Z6h-Fm+#eu{Z8tRi$q@(gZu6LcJ3_3%S?+dWFuLD&*(RL;Es^w4d&Dsm+E|`&zxO zXe<9&s6FUeX5uHN?o!OXgP&-g80e>i7(Q5bSY-~^`Egtyi7z{7e!cPfM5vg`<9=_; z35^kcuf4rGJ2xehTQK>P3o=3Q&en_D-QF{CfWh#{N(atFbpVpz#QHIIK5t)4&xr|a zdh^NTl?OaSbIZ{^{Sl;TeY+KG*T{!zy+mMoZ!flMTwHb-a(9!n;%aaJb2E`qaXa8j2v0T;wSlQJv6YM4sEA>%PQwa!!W23k2h5 zpyM^*zwjdPWt?Z#vlklkMgPgcnR(5BGh2w8^;a`X^I@xoU!5ND9!|ej3m$yNFHbTg z5A1@VhgO&t5$i}~Cm6tk$B+TR=Y{VixVLSbuW`1!YQDm^yMZE)WSZr1u8nDkkDnE+ z4|r66?|p^`H`ef>DeUY++Rq>MRJZJKrer{Sv0TZM~SWoGn5QT9o9zZ@E$nut!&47|&;q z0lsK??l4g&?ZUndd~T?@-b|0BMUuQDFmjPj^$i&q+yV`VFIxqXKlb2aI|lU}->WgA 
z+c0G1GQ4XV;Be>M((6zp*1wOZx07*fgyHAybjHxd*J=Bg4M(mhLjaeOx8a znW&2Gy+D7DRelaizC0ci@b-8gP7J>XBm7a|#p!ikV?BV@w-AnvS^8A8^86U&>*vcg z4RT(0zA~2M@yL<`Wm9JZ8nECNSzK>YcK=D+2{pmJbDl@LJagPDXQ1BGbPj6&-2IZj zhmxVdCb0WKQ|qe!BAG6i*Zaw^cZt3kv8=BV# zu`|plf*B5{VYbiw9ND+)1NVQXkDsITbf@$+ z=1MycNQvBd@NtW7U4Dwh@?eU=)r3><00SD}rXY|ij|Ec+Mm13OD1=e$o77NP zR~Jqx9Nt)a%?Zb2nEcOeZwNA3Zcr$+6iB4HFvmyM%om=5<1QTb@#A8DJ#z@Lc5|uN zkYgyZyiDCT=#%ce#<-s{EJAf{23njlFDpT9WcyKu2;g3OXU|9{xXr%zWTXRO*Nk=C z2sR6;;Un(ZbAZU6HK1)LNFRM>^PK+;tfHRzF1;;+E%osv*T$&XH*+Kdwrp2n;3Dqq z&&O&^XV@_RvA*R`2O;g`-kuGcy=HHt=o@ao%_n|m>3YDOss5FLb2*zAB^RLt5*ojx zJyvjICOe0ih;}xw_0OQ64Ai@|6}}6W$bXENAboDmLHc0qE`J|ea@9uk3QbQL(o8TE^!baAS z>DLU@d@afi1576zwk2p&{cD>lLFQ*G#_;RH1M5tn#K1@6DRKSHU5k<%S1$Z`dr|H1 zP!o}mVT3w!r+Vi?$2|x>hit!j{@L$}3NK`aUX$D_$8w3cX<=OrQ=)ZwkxL_44v0F~ ztKx=4v?y{#Cy{WUDZ)8VgNqygu&mdNUpMOkc;JPJDm*nVJo+^{^v%xdn)gCHVwgHv zcYIAXEiSw8MQ>(!HrM9-neVqx1K97Ho~1wzMUX0OV&2Ujk+3t4cLME0>||Kd3Y^|A z_K%(y*IxK9)%7p;H}*VFMYJLKA=5x>hFu%N=yIL(Yd?>TDjWb`gc7gMsIA1;9 zqLb7QoS!eA4xN0i<1O(4yMfL zJ!l}hB7>|0RsOjC!mj?uE@ z0y;F_h5g>2oAQibT_i!>@OS>c+c?pm6bF#Cvc5X8lVT;|-{>+q>Y;VLs>uGU-UDVQ zmz{u@62;k$prEN~gw--~_of>AjcI&o{ZS4Up#O7(L-V3 zprVZP?&I^*Ua#DCxgnZvU10SWcN|vAJmh%`GC9GMbcLF0DPAdZU+h;26=sKamW9s z(DC2dM$BgJ|FbN>^ORjIZvIWE&Z^+yz z);7j$Tgd_WyPk21dT4@{>h7HsR)|?oWlvk{7c2)nv7oJe2?N_J8ip~goE_o_A8izj zSzS-6Z{1@WPC&omDjfHpFR;Z2gUti%7o(cHdZXSyoyka1RK>MeBv_hWyFEHU5 z6tmqw)V~z&;^|A7PkKaio43C+q%*O|#XO%kiQuzJ-Sy($EyO2hB`m%C?xGVLOm^sU zE@?iF3mBXsw(^BWxY||n&?5x)#`>vL>Y{8}=K`3K!h79rbVL7i37l%%x7JUIy$VuD zl=eUcF)S`$W!BorcASs97?S6SLN08^AIJTr1H|*kj1MNG-D^2Q()H-eL)n24Wb`fEMK^Q&FHv?T#HsgD zZuP@_U}s>A>+EP-fhc*qNnNZXjR7VoC|!@0pL6SBO~)e-}ckdBeA zTg~#AKd&SEW|<8<-8#(;iLQpUS?-y0x|%C-#~BHTdBYNPpK3%)GODP=PYe#?pj-0z ztO8RJTq$U!penZ00C7qEfD?#HE;AY1RE-YE?vJ^DK>qTutn}jwnAt?GTxd7*v5AkZ z?EP2R{L4#e%>Zf}StV397**mA)b}nKBDRD(>uvD6k$yi8V_WOnRKdy7lOcmBHv)!|uT}CzgZO3!YltHucWJSpqU%>Z?8xIyZ zV-sPS-dQ$0GRu0Qb)l?a`P`ZwC#uSI?D@^x5~myL)8=8!*AC@RrlrJDqLc?0C!~05S4?XFW^6dUiW~n 
zUCEa2067Batq5f@^tx}da%KKAw!d#22-~045fp$sux_cIHkIP5m2cgd*j*?UnR+5M z3~floMr*DmTFIAbtAmnwJP#6swKF+rp*?nE{1B3eiB|E?e%4gSp2vqQl!o%MKK zLc?+<4wslX80}RZo19*!1nds1wk5Gd?+An^G^nx84QnE@>bh4jv*FA;K;h z85|&_>2+ld;H;Xr{_@`1KPf(xb})X6niqW1qyI-8Q{I3=d|)qU83*e$fB6aciu)=r zm-qgVZ=4!C^OG&IA6h5YV}u}Vyo_~Urn;LtCR4Xb3XuRqJ&LyFxsK1!qX3=1x3#Mb zdT?|Mh|@e2d#FQ&!xi_ktS{^f*?+J5$M+auEzZ}?8AhvY+;{`aU;-IVPwMEEMhLdW zdh0O=t>C_yL`KlC=6cZQ-h=~k#Elte>sv}RLq##X*EO2VxQY(Y0r>&ajT`wVajdO` z7sD3H;G?+zeU3PCgTgO3F%^zaSo0d67KAikru!sr1h=w@7(31FFsx^Fv}dnPI!wwe z8WlNdxb^3M(|X*-qrcW$zdG8R9IXHy4a+FL^Ezsj-LDCEzQ*HyOcoIL!Ix|IHJQ%G zq|lo@spY>&dyS`^dD=OhI+*1c^*;6m~RjV#^_~W`IJb;jL)4 zGzk3R)NNGi;=!td7@P;_5gl`T-p@X&YZ&eaM6A39T~NJ9zB>>=2^B9GIAH(ick8(= zblUR&UB>y+8O<2-(9R&Jt|gA9yygF;sQ8S_?E*th^AybQ5~5Kf{tgnRi`WvM!kW;| zco+_5`{r<5TkqecZQ*7aj_s%f_OEMs4{IC|qaT>&)M=_ftzeXP{a+vI%}WXIh$t%= z<144lv7X}r0cQKw*f=Rmt#p5|bZID#$5$@U(~%IA<9pqN8Z_djK{S59{W+hGb|Kt~ zmmt4v)MaY1++`;NuUy5)Oj`ZFFp%C=U0OX~9uK*qY{d$D96sRak{$xm6SV5tXf(4> zKb68d(-V21ebJoloa&Bo8}WL%o@}k^MtpDQ_ORws|HC1->0S(6$yQ*T;GaBdCY(|u z7EH;bw_V9;%(zd}7q*Z8@`QnCZIMqbSR$a*MnB%SBg~vtRV(A9KKY< z2~KB5k+Pjpj69$R5nVxUIFA*hPS(;PbG!{v-?#;hXn8pXUuHxJnbhgESCdgmG z2t6TG4FloI`~3qg*2%|<`+qY7mRE&)dzOnyBToV?2#8O@ax1B-+{IV;30&cF@0Drw zygJw5;Zuq8uny??!PJmEbPk=kV&TAAF?W#`od&`puZSri01jGj)Pfx5_@wBbzXNjv z>G%I${WI^$y|@sB58mrTOIrQ~k7mso%hdV<*zoE9MaAx-+UmxkB7P!& zg}B1y*u2@uhZWixXKZ};qtEM(<7E{-d};y`GP=;nQ4D8j`VCWm2u^~yLzY?v6t8?w z+;ip}rmyE8}N6$|DYMIDX(^b_jH6|j4#-f z4`9j=ZaNa11ub4{l7n(-0r$r{fK9t2J(|aSpKz45#-Bs3z65aO<%O({`Sq>}+RsTc zs~3Gh?%q{~BuC!`1UU#F;(3tUpm=9pZSd) zKB2Q0!^_`*jSf7Hn%*xs&%AolcqCy6lx|Vyb;{VzzeP{Yn)IG9)ROBQK$&>c)DGhY z&p7hcCK``6{|bEr`6>5*D5PA_3*IxUC6MHUqxy_f( zcQp|W^E8&PNg(BFkLmrBKlEHXP-w=~DP`<4#m;NeJjxX3^~NvUB<&eUU-@Bu%1RIQ?o z;JU{aSYh$(WiQ<{V>||)QG^n}@Ke#;%ed>hH}S5}aHysO&`&?)pIe+?NA_!)Ji2eL zYyV~_!5u6CHe#vfX9@x(?&inBJU21C29b3Aw(MV0?5u+M->~{HqY$2ZCo8+q_W0hW zus$%Xd)BM$Ky(NgYyxzdE+6k=jpdpf8#~yAx{r9~4dRm1t7PUn*kxZs#vsVf%T5a@ 
zKU6=KNW(3B{F4WHFG_!6BWN?bO&RSMzv+I90Et|cfiGhSQvvO8-cgM37Rp=!j4`_g zjPHWUO5@m#?qeH}VKyD+XmF>eQd=i;JNI{e(Jc;_10a5Hn5ckPh+!xmVyX07sg!rW zlko@S`M~YmxJ2FZwI=;>zMu-DtsPiuUAT02Q=LOD@wn-{{8apiH$9Mjj#||*PWb){ zU6aOK<3{5YY}%$gndP5|Nrb`Npi;V*A6C>B-e$PKS2@4xQ>tct_fSw$`R|{%MvqFm z1;>`#GksVhmje=3eJ&lP2H*5~IpY98tJ$2HjvrmA&|BeA5g-h1uj5vGZF_BQG_hF- zl>X#8EWlZ4ePbVl%xZ9 zHbenC5iFl11go#_YnrdgICVJ-Ml(wR^XEVE5GSyGwCk%#0@KM_#h6PUD3!v}8k;06IOM>577}J*-MgZ*)G*`X^ z<-YS!*N51Btij#6wHjg+as%`9DTpE=#jVZ4V!{^ehJe8*1nb zWsbb#KaFyaUL-naCuBT2a(jywqpCTNF8bc7Xl53wb=s1jZrBGLkK)-R^-nDxQ@ll1 zKJRHNdH`co{!Yji+}9p7+^l9M!L5;2Vm{}H2gQA0!*0ybzrj=bkB%2|I`xo$GZ5E* zxxNA2_vTN7>OeqNBf$hhv6qA@nEL&X{&-=^rFHR7&@HO|rg|jSQ4K zKn)SnCJ46j59FQvwwt8J^?I4yDuW($eRSWH?=oz6`n=G(g0Q0QBW)j|xiskp_{(p< zU(1ps*J)At?v?=Qta_I*BZJr zy)5()mI{>6O0+{VngEC0=-9)uu^F%UoDYT_D`96}ip)<# zxC6Een4S#%1t0MMpr(La3be3fPbaD`zKw{o5&D)xJ|?_xlLht9U=pdiOc3lN3==a= zZdy!q5SG#YQ;$6i?It8}N2QT!N7OI)uvGP0t3Z1a`{$K#Dt3?ZaSHJiZ;O*=tUb2+ zTJ)h$bD`p&NBJy=3EgCYY1Td}{<~ZD@A3p*!@;fAC4p8xQ1;e&4wmrFVGtV_{q$3~ z$Cld%J+>w;IxG4A*iT@F2XtkJa3YUW%I682K>?u=YV?ofs}*_u;~?Fd{cav!-tcYv zCE59}ox5e3MWxa1uGES}J?$4VI`@8w$qbRUeCmotsu?&yY>k&A4dZma5dGJ%SrT}I z_4Ok4Gelt*5hXE2^1cgYT|ei%l~SfnuWRs!gQX;jW)eJv9g7#b&Ts#`Kg>Rc63oEE zT{>tY3oty64B=Nf?ZnA+*OGM`|H{kLgF7S@P*%X}WzhMY`(?LQE^H|W9=`|1;w2KC2A#ApIV2K)Hi|l9ZFJOG;N2rQnq(Tt zQ4za=a4+IhgDKDuRpfU~JIP3-WlO8poVMhR_={$Q8IvR^kf&PeQ*fr`DYsOMz7s7dNn~s>^>XR zoQ*2YOKIU7@H8rAdYMPB4o-2%L;;UI;RU)LlH2d8k^9&bmkKIgx_#ZOB_vf;JIFy9 z_m1*=L`~aF%f_vtl2)z@q@Z)Xw2eOaN}(gF!6I<+9#@LFMnYA=3rb7wkwFrwR#ud? 
z`KV_=yo0DW8JcIz8QQ8RB+7Xe%@YdvXi%4S$BR$0>H(32dCTNwCQBAQ){#|@8^sd$ z_k4;@&qU}Zx%oV0HgDC_+Az<>xiFtkc)kzPIouHBWGL87+vMcXSemBAlL9$8dmAUW z+o<;HrDKYFm*8&gsmtoXRnu$OGPUcFz#gO7VHZ81X#IiMxd5#pj{U@YGDK=7NmvjYNp7`D4YS ztg`YjKx&&uYC_^h@p*O$h%~Umx$LCw_O>{Do}CnpWY>0Jre+J8GE_-=hqyts!uUL3 zq;xH4GZpI#9cC**^GsrO7?9rM^K?PfKSn^c%#HiO=0e8de z)%y567r;JoRrtqBh54Y+V#2f&8S54M9-%oU=_cAIUWpZiCkrA?)uU#M8}riHfyH5A zvbaxLR_v^|n2jn34G*ph6cU9nH(EeYc&HfBZZja<3n7d>5-$XX=+K^}nvw(A4EUyS zrIyZ<9O)$;cLKUtw{<*>tma}HWj;vjU>m5~OQVKifU-$4T|{vWB}Q;*O(W=4407jd z!!TW(xLO?3P>y|3$hjjeRRu`irfC53<_G>%4%>T%GPQ1S-EzF9@h z^-!g?FCaI_u|}SFZ~%-d>N^loe;ys6yZ0T#B_dTHfo4;5km`cnPpoD<@w{LQzIe5GfXXk(<@`pgrFZ%&s6r+}*_- zV{B%N8-+W?=fMG@)u-Ud^d_`0|A1WhJT5ED(_maW9L$XkrihJ(iKD~JymXYod}d|E zr}cYzmJE5#i>~_0Hsi|YQ8|Mxk<1TOtNJ{3Qij5U0`r98X~Bn4X(q`_O9C&rFL%sG z1(4k%BZZ`mXLFP3>`x9Ld>)kXdb6^y0%HS0g0_qC7$9bI*}RXG&qLdGo(v*gvb1Wo zJ=2b^AhyY|6HWjh4Mt^y$!TmbpD94JnGSrO(+~O?fh6#G0&wEdU~*<|8;l)P37<18 z3!;T+p9chED@NwNX9xlM)R^&kHXzw#K2}eTczgjdg+fnO1+#dcR$g2=B=9ECI+%xK zn!(u`%3MVUl8l4%c`%?=;}_Ny_60X`8T+1`!oBZ2^MZxXV?ht4NoWdtAoN$k4L<_hw{a|7nluFh0P&xScPep zazif_kf(_@HASQklvke55c<-eC)|@^z!O0~B*{Ou-i5-L^mYn%y!oSK-kP%4nLle9 z&{GFZ7{(cTd0Mm3=WC;JonYQc@u6YMOj1g9Jcj9ngZ(kVsg*x7fM`B{rvxx$3WnWS zt3hRl1i9B&Kn)|mBZ8R~ZdrY>Mvw78^CiOtYxs9)82P{D`2I>G94toYB}RLav7xI| zwjQa$8xBpqPZJ!5E>uk>eX=sQWWrvf4Lp%>ZgiN)(8?pddJ99;BzZdul{@t{m=hv1 zs@(3t7n(_b)|!lt4)?_w^dKyG#G5FDpAO&P-8~cyUmX3tuP3q-)t^>sLO4qNo&5FwV3>!9%H^@VabJd)|Ylv-E&S%uA6U~6=>B$hsV^qT2eBrB(BQkn*YuY z{)9DM7s;mM_&ZQh>;xSUXouQIo;4 z{Jq`QP8PQkjRnlQL4uW{>9!n@=u^et ziGY;%qX9@HvkI|re+P+OY5U-EIU(LW20VDAnu+RBh*nlWxzeA6}|iQ}9*; zs!#zimrH76FvfE)?^5D>(IzIVEYG90CI*$S$_Cqa;=$)$=8DS_k!=UjRmMp!W&Y^k zgDoprA*K|bcnR;#;2f0^e8m7!v$kC${!R|QUW&*JHSP(-+is2Y(e%dX6%Q8uYt>`8!&Wm}oF^&|qd{y88l2 zncJTvJ5sK;TSg3WaTSEXmS<*aJ56M5e5I10XxU)`BholfR2l$p-36k>d`|FplpJY2 z7A{T2)Q@#blYm!_hS7A`3#)V4Nb8%nF$JV;^L?6&z$Gi3OhOVS8Sz50ByB23LPl(` z%7fmTGG)FSAyU5|h~V!?0>VhcMUzKfA;&KT>56B&{c;(}Ndn5(yt5>v=) 
z1%W<;;hv^pAVNYwLdN|EHYgJ%=7STC!!(bPY31%OJ%j=XL==Hqymue-cGO|wowI9k zLG~Ql(&!d>fjXHmF)vD(7riFaZ)8B?lT8c@UCJ<^Jnw2kHfL;z<5IbN%cLJIvl?{T zk~h(1`dxL(S_?m2ziDC=H6FgSEKO~Rnos0AW8;gyn0Rx|#1k&dbd3ol_|5te6r0?I z%-xYD%zG$YY1Y1WTR9I)JeH_-eL+)86OT}k%3I!uvR-bhVW%37S1*yZ`eZ7LN#>#t zzS(DpHyZ;WH*_PUZIzDcUHKRhThphIs&<(4v2;0DJ?9*;qm%_pPNmYqyo6UnS{U(A z%3AIPzq;N0>L4i~ghf7Y$ONE*H#@F6SoejV@;7qXlTz(mjh%3EL`=0m_^Nwt0}&%+6^SE=!NvpWHZWPZ96<;(vCPy zg%b|GVVYSGlR!e1My8#9N4SnBR6ZgL;L9O*8LX<^XxYv54O~fsTSNfc^?fyU>;#~F zF*ga62`k-5dJT+p3a%0x%4;KP%rpr&DxndKl0oAy83&h_~NLh7w z+XmBfp-hQ&u_-&MdW-{lQ)yDw)EZr}*xiIIvpt?dLMbi`1I6D>pxxw_2J^%F+{Qve zvtyFjXhHs7f*;LpLt0IG`0;lE;9h>^qgA^tTgKaE7ER>lql0m&g1BxzWXai0oPRG| z3qX6XVrJIZ1P*n%mqa0I+qhpT%~p(b4p zBvE_t6Zf`^Oi|ynjT-rQ4?*?P+zCb6 zF-S3eyK=&v@lvlEoWEd{9hc?{60o$&HRW3ZCT%m^0+O6+V@{Y6(MC}h``riuHa9$x zdM*dPzno|?D;E)N>F+djS6h+~B$YA`5RgN7$jjldnf4->&YGa3Bv!cZn6zUqMD^D)%8X<{f=Ok`EvH z%>y&6l&#^Ue8NjgB9miRuIUMPfTYA0pTHQoOWKsNC0@ZP^;Y$4DtEaxM_7-krqI~? z;c&Cqiv!-K!D54TM6+;qJ?ASZMu`SZl^~Ke!#Dx0vm(kCN-?SJFDcW}ayxyOO`k8u zg9&VwnzFlchrClF?9EuL_d{7k%2 z4vWLK$2~Dm6^C-!FPOS^ci>oxJA>k?v}^JeYhTcIachI)Wj?VQ{G)@ZfeYx0-?IS{ zOk0xUX`S)Gb2We}$^d~vEYvgGer3ShdKN6H$o-NrV!L<~y32jQ19j@QWi3J=+4$sr z#Lqjrsyl6%#&c$xN-q%R@>X3TvIEK{*m5ukH|?s4Il-$iRV)F%NY}Kopk=P==99yb zl5g%Qylg7U6}hqrcL^NAS)TQ#lkn7G=AA^n_GX{Sx7zix3u&qZpNsRhO7@W%B^*4%M{vL}84* z@M$)G`C5X$aB`Rny=0L+dQT)(2{%G<1xD5ptWV^wd~piYH$U^$-|T@UC^itiswPm} zm^Kt}hprUY2Fa9|EJi||-V%J&pgo4DS!6GZd$BR=O^SD{Ox>MG3UP|y*ftXi)KD|K zHbRR~*LPmVCn7BOOt+jQ!=#sl9YI6JCfc1WS84Fb3KPL;*HscMPe2q};c3001&y?^ zzAbAByrHX-w_~D&TR>`;$eq?-k0oY$Q52(Ka6_w`byfl{7HzAXBeXSZS5^n-Oy&>%nC=LvaM__*{k=;ZSbwzs2L;K#sX14Vcq?m zc%A?tEq?XglX;NQ@}O(Vt{Ph9)i$n>p?-RaMbtaO&qNA^;GY%ve1Ax|=i|-f9iBsh zUfV9;m?PZr21yRXxn?jyrM(ni3vxrJpLGO$;^--dYW2(A zwO+z0BJDfTWIL8iEvS7-)b}WlfTG+D?aaQyHvG{0qXIRfZ|QiOXi_D=HRbdV~dgDKv8i)C>B!Ki*=XiwOx_1%?EVBEBApo}3?Mfn}JLFbRy)6wYA zZdt5n<5x2m`*J1POcN@Nx{jPX^Qi10XGU8DCE+!e@h~o&8#uIUuX~3NEON}UJ2jzWjRt#hKBj3jT&bufk(R|glPvX#w&Do&HjpiT50(?} 
zw(TWSe$SOEjEW4-rwZL(W7$@^{GOYrcdK+NQOcqC@orPW^ zdo;f#8@osZUul$}PTnN|uEroWbSE3JveRW7*9DoDEjXDp=oyi)G|_I)pDAv@nh9=a z%cziWjkr9rZo4j%CF80nTT;o5*aggmnOWrkRd?pwO)~|Vos-lTWpjyS4o6L&GxwxH zVY{c&RTFfC-I?u?h7d>!Ra|VHU0*b?_M4sC5*VVl2lN?)ek_5I3y-{d@02f!FVq)3 zM!uNeBOfTXE9wTNu`~vG9^h^{nJypgYTl^_dl7p1S%E!8f=bW~A@$9>J^Hhjb&(<1 zj@8>5Lxg$&(cTh%Pfdxn`pBGS*gcot#F@8A3oyfRC)^K_hc8V*zP{WGeCYscN+$Ld z=?T;jQpr@p=se+u?AVu{!a(^dhJ2|BzUxY6*Ll%qGsfN@RrFLGlS`&RNaf5#rf{Rg0XkRA!j!6OHDm9 zO2+3kOkk5T9o!~pJK6^eHx2eR2>4PEY*fr$Qb)0bs$@MOZNu05;efLjN6F+PhsBqE z;A?t(`NGZT17j}*d+}g24;`|YEH%%DaV0N2YkFqY zerX5t)o01A%NWNPjHMieY_k68fR=9ko3zZ17QXa-fAmr3V?h^ojSUEd zS0gYxWD_**3^(nLeJs-_lXFC)_7iM!#U!7}2ApeAX;kqSccBN<(h(OgvC-2Q(rl?H z1F|ixpsmg*5o7!XTpV92164zX?iz%F5eHxD=A3gAm-eCYr5|B%wz)ps6Fg~iGtQk} z+P*t)r{IaBz(^vJ?Kx4mCQ3ZJhUpf|-ZYD|N;;zsMrNXon;0 zzAu!ymjgI7%<$QZDpEf7v}WB4Kn`$kKsA0;1GdkG;h-y$-f4l7?2M^g#6H&)t`=ur zV?Zg(SUx#yd#$4>OO}d0WA6RoTToG|QDz=aeamk&X5H&6Hw39&somFDjiI6eNB$ z8Iq0AM7va=jjKQawFru3z5?$JXGyX&$;i>DiA6ev%-k@6KHIikD%1({p@Q6)4t}(W z7)l7LK}y6(Qg0@RL?G~^OWZh?6)V_WE^_gsMJP(NO%S?Mi?0$KY`K#XPrT&TX9E5O zlcOWZ%@@j@h6D-PF_xlA;YYdLXdVI}+|D9T^>I`R3itQQ17acEoBT(Q80mHk#M8k{ zaRr3i;za26*+DfwDg=y)gd5**_Y{|^0Y4f9$@?cznkdPuEJOU6%9TL8kVJo=)=~hN zfNbM_e$*#lXXugEwdiuREH=Y=FwSObW`F?#0>WXfRG5zt1aqM;TKwovl&tM=T?qQ* zXbrUNR00ovGzJO4cMbOjXzl^K+j@5ljgER2o9mC4IL1sXS}dhrY!A2}A|9m9E!Rh>;73_T?L=eUbWy?<62r2u z_|Ye#>%BSvwOOhnomht->x?OAuv^Fb8Gckr5+;p>hGvC>-$Y^6xK=Dy z&V|ZF@}od(Sf~U4(I2QLzOro>>t(NEX#5tg%R?H8LKsz!>w~e~Tpp?o6!r!-7S%~tS9S!v?e5zqqp^@kwsm?Qp~OSNCCm{qb%eR*5WAP z$dj}D=t>roMYA8BnNKtp+b$v`B}juU-cEM>s0?yvyI0&K%1+HH2k0<1GBy~RBvu%Z zaew@13ozh}2Tl1=1&nAX+m9x|Xv;F8k4;2d>-f=B%^5e{C<0`?x(X(Yt`hsv0|e=~ zl^FoY#euZcRoiy1;FCo(bvPmmRu zx}_53M@<;vz6ishC4_`DjY>>Z07Kdb!G4s4-PzlrYIFQ30FJ;JF9ElSAYOKlC2Uxq z_eV$QVPRBQTxj7f_e!{T_Ce@{wW~9<1cXR=g^y6;GHCP#cRbv!CX?l`8b6hOfM1tQ z10b3Qh{uLB<@OPfq z?x8{97uJ~h0zHBWe_&XNFU(M>}Suh&@e#H%?n-#WGN$pLs!`-9}qq@tC_=-Z96Y+PX zE%I3Y4#j&s#%y&HHJtneLeyFUuVB3d{VLM3En4dDN!*CG%$71|HF1U)31571>B)2@ 
z|9}(n2wBVs8AQ;bFb2Gc*Y!n2Q5dw|uPrdNLg%U%rH6dAvtpVeFvYfY;dW3B#?wrzR=8CKYJu4wRi;bb}<_& z#()tHO%-Jw3D?fm970ZKa!ADeavctGEvqx{Aj%fsFVB>{QkBggk~Xw`3xIP~8WPs? zGCF0t;T`Q*$JJbW(jd;P+Q z$z=6}uM2RDiV0_W27OuN9E3KWU|0 zECJtJ$cBwoacHV3D@jsXVm0XWC3i&JucnjLU^;%=C{!HfHDyUuE23r=X&vr9XKqPD z!iru<|4g+}4r|+IO#PS(eJ_QZXYmWRM{||71Vu!>KB3HI(r640dB9swrps?N?G%Hb zgl=p7q?K~91blZ?LN;uyibGRPSxIuz601Qc>`U&5xL-{ttHE^qwo#~<_L{OJs!i0) zBCW&S=gci>NLbMe>7S{|D2KJ}Gp2sbg}#@<&9nFg+oO3(TVf)jUY}6rGHEmhhdkh| zC)4Gxj4r`U_{heh_7l@|BnhR6dRd%xw!fVAaz>VBBH{H1lzFlyLbghm38_$@!0%T%_Ydz~7V5)EY_q^S8arW*{XnZzDx!AE&>| zijd&dCxs!i1|EAtUGIjY&0?>Yeb03Xj)~-J3HmMrUAQ1(D2Y!!p{b0yGU#SGF~)SN z2_n+X1ymzLiZcm-CDGp9At(6MSk7NQeCi0lHZ%nGVqs{#m#A*qB2YzC3W$T&QAI$h zST#89Q=9v+&G4xq2x;pjJ)a5!wMfhP)DN1nnJ8LR4~Qk7!*u{C1?2KB8ecC%b5}nV zrv0pTWza(1AjnIPKsbw<^i?7a>+h}?2$2(IY>TD{;?GiW+% zW@LeM6k`siVsNCrARB~%Pqm=EZR{YJD4*K?kWDf=pqeoTFe|%mFwwdZf zGYr@a&Ow5q zogK1?Vk7)bkz_7iT4VHI+32NozywEMRO!Jk^7J;6)l@Ci8~We)30 zP0CbQha>}lru^v?M;(hll_EzKB3G)Mgjown`cNJib4OYQNEne|eL9J3*alAMH0|;} zU$@Kb$Gw9vNY8NMMbXYAWj0R)Uh*p3yD);HD$p*K+{|H+nz$PkZ8AlAFFQx(P&Al( z+5}$pEP&iD%-?Oyk%GL);JBMsq6PM+5~xoeiOwcuZ*f&SZS*fHSDI&b4A+EWYKch_ z-bk|d7SZ=83uU5RVvD6J@TEd$B)bXAuF%s8eeOzXu?n>AuC^txF%`@$(wOQWs~?!p z`iN|KLlt7aHwn{B)?xCjWn~N_;May)?+UamOpR)Rt@*aN<0vP5V^&BaFvI+g7!S`j z*{t8rVRK8v{mkkRx_i`72y%b4pzqJ5frEQzw6Q^K~L3@Fnu?x=2?k;q3qOLmu!*0-cTC& zGB>`07~H%m7nxYTBM5iK2ID@U&c;4ak&Hjxa)Z&PL&V&A>w}72Bc)#R7%nI9J=+GS zbQ0}>D*DY*q(a^x%~UY4}2;7DGaok7N08&VDdg#UHqw*+-d9Z zr!PQ2m1q~>{KkrD2!lO2n%C(Qk7`}^Z3@R{2Yw%)K&a*-u^VR~u<{?gGp|AD^-g(+>|h%@LFAir2Px$Ag$lwmKw$jojva08 ziE*misgBdA#KoWRr+F6Xe{gk{4r;Bczcv!gtqqybzIF^QKFw*5yjzNfKh05spFtwP zWj&EUwTZFbLus|}Pme#Xd0{mg_r{;PQf){8ug^(wm&j?0Iec@pRykSQf@;89ASnJ+ zMvm(bs;B&E-E?{x768=`E@UThyLBc>bvw1lQIhDZK+?YO~Rum)t2^EUy+@XA!%sjD1F z65y2uz-Ye5lqP>FzxPZG%q-1|j7$djY;9sRv|}lRmyQ64P=veW)dO_<(^${$vJ82N zkz(XeN6>e(8661s2sZ_w9{$u60!#zJR@8AEaUBN2SXLU&%lcC| z7s4_tUyjxbBuv$M0w2xX%&Lf*^z=r1^Z*+qS$8B8nl>g5zyZT%FD%@}t@zUo-s6)Y 
zQw?;z_}PX&m~A*U{**K?^_IKD?oThU-tLbWAP`Kcj-lZhuU?hIYKi#M5v{ygNS^Qo zL%8v3Rdn%-UJYrr`JcYDr628*Kdmur;hQTle@X-Ss}W#F=|*I(WcgE32W^%Xj6bcw zx|~&2{OOF`=e;|^G{gZ*1Z&ob&g4%)MJGxS|I~$Z9QOz82LH6R1&2UpT6q#7A#RX% z?U2^VYMP(45>-qAv-M62=q5o>)<;6p1}(3eLC&d5+Sn0ccs~qsx*N8d&siZF=@>DT zZ9CvgO;BxTVzi{J=uPb$i6HdOiOC;&5-F6gJ1io|&8unTct8y4F;_q&<)NiFJ zs7680&oX?pji0FsU>kZzG%r*kC++XjW+ZJ}kQkx`bWM}frAhS_Xn!83we;1OLLsvA zCqiuqMuZwNkGYTj;Y3!aZ@S20R1-GdS4vF#`_c*Q)EEm_Mv?jRN-TAh{}BUXDcjJ9 zq{Oy@cA|)I@~r_{fn z^%ni~4snAD;p=%|(fcVc{s#|a+YpVHW5=!VxhicHvqoWHlIp3xGq;e!7Gh|%-UB%OxF-8g+d&@K6e4R zZH_%L-Lck%F=m*xq|VMv=n@iF3kqNAM3jVeg6MeiW)hIM5WbWal=+YaPsulI*^^Ar zj__*k0g@USHE&LpaZ`YNlwjOJaD&0CWFaoFf=ll7#m#uV}xmD zlZot@=Ew+O*@(_sEuk$vKEz@K&K0@FLlgkb?o?`%g>z++6oGTMl_!EIFN{Ybcw>6j z#oaBwR0wm}Ho-rrr|$I-pk`e1jWg>oYYTt1UPtgY`lUgtD-1ypt8{SrQXnC$ygS<+ zL*h;olTl|vKbJ(w}Vm+ruavsKIW zX#s~X)nQ7_Y)mj8a6fs;1X}^Q%nT~{QWcB|4f%3j0XQsPQgbs9ly5p9D#6?+CnzhY z#>tl^V1$FYMUt;rX{V~Q3^H_#yA8{S?fN0+^RnCuvmIZmg2@0J5aG5vhrW~!8gCID zuZF1PBsMLP4xj;3*8l(*kESpV1W6RtoCB0`urNFljRWU^V2BFENQz=42#i9;m=Q4o zv`ql_+b>g?<6bHwN_Z=u#X4#uQz*#Ki0c4@I4<1SoM_&KG zs;^@SH+>a!DcUQ8 zCmOz^Uwbh+YllzRp}p-aB@fe%2y8%h-mA9unh%UMRuFEKTDd;(LIfL}04>1Hl?YJV(3xO=}dhd=!}^lbg)3F2To zQ=3h9E6gV%uPeG%UmwQhzR81byfk%ByaCkj20s9fjTcF{~0SARoz-lliW9imLZ zeoo8*i`;~6*bOYKbFv-o?{aZ(V6&qzCCrhIUb>c_Z&zkGR6?{1Lol`IVh;`d%hSWbMN>h?*`Q` z3mvkY&(`G$apd!|jVwxIMLqNLd1%1*vv)m{WBY*=aEHO%Ey>fA2quV_xIOk{f8}Rh z<46y6x4|YhwGU^7_s!o?qkMKESLj~TT!ovD&4@qTLFf{vmg3>(?+`Q98Va}nn_Uq% zzW#rd*Pk1C-qc?;CsFU$dQRc~pQM<#Esiy2y;r>~W0sBt`5^`G(1F*Q&*}G=H;9+H zzGf7R3u{ic&d|ZwB)*>iILAMA-&N`3_a@E3eoHZ&0r@;r?9;zReDJwAnWfkkD*2>2}#VTl;W(^W<1j ze(S#mYrRZ?|eZZ}1FQ^ND=hrzYDK z+iXTi7x>L*0bfq@c?-JVD3)hv+|wmY??3-`&jAw6xOmxM1*Ci}e$ zfCq>#E$RTv4=Un8=Il$e?KD{b)VR9k`IhE{<+GVlLT1-)t=Yhpkn6hWi^I)m#il;5 zT3(285`JP&n|4q9dgNiVBST4!z1V=-vM-M(CsJRJE25(z1_Xez-jr8p{uwkF`|95h z8)8W9>c>dZ>P2&xHzy zu23KE0rS?pgWDO(t#Wv`nMUd`zWbtBc+1@98rZ5CBIGDujPo&8DP^f9qe8F5^~+9m z`XV2Xc_A|>SSr>h{R3m{&OPOHYu 
zzwM&@!q%0KkszwwpGv<==@Q}DS^PDMRU+BL@4}N6x3MvwerS?9jEulM4aUozF>zBC zyjM>w`e~+qr0^OB7SH<`JDUpK&Tf%LhA6^EgznArjsp(iXt0%nxyfsKtdTkTR#}Z~ zaF{eNYmc22{0_i;_^vvYIAGJWUcFwH=@edR}`O&Q@=-W}?XfO!iXkB<%)IXwM6 zS+V`l)sw9o5GhM}ft5`dM{lrloy0-!e3^9$aUoB7Mq0+46_>-EyAzR-Eud8aavY+( z5tiKwMmR$+QL8xz9ofYzd=y7-GatV_AK1xn$AK6eXAiQh^PxG(e&~MTpHmm>|JfVe zoyc_ ziR*L-&oTUG;$6oP!J4L7#ZnebF!v!Ym*Rz790SJ#cbr3$;P!&iU%i3+a_IX3{FZ95 zpPw=t_s?7L-q?opLTguv3l@6Jx$_7h8`a|J z*P#h~V;3GW3BzWzXME`Yu@w&T0j0rq7qfbLI+u4*^Lq)<&q=W@%-5vzAii#QK8|66 z64}EKgSOvNTv85mM+5a#*u(tDK}m1o{IBiJpX}umD_(fbgb#FAzL%)V55(#fz85*s zzW~7(bclzyMWK9!)9*9@*7}T|0(9MdEG8`EWjf*IEyI>W*Sp_HHskqiw7u^#-pN7( z9Q-6!KXN;WX8#by63ZdDcJ<|iYlnrohp`*0YmB!0&ca3U#qk;?;e|@RZ}J4>{TgZ#Y-z=h#m_AFQzn|s4e4m z(%?Cyp2rw8W{#EQlGpT}|6BhsBDh@uO+d20hoEn>+j}8X@HX=8 z6&Ur71XzuEyydEC2 zK#|dZY0lo4M$+Li${u#oxAk{Zsf4uJVBfdlF)SetMEm6b5PmFUJ?&R z(G1~Hyr$A_W=uEa(#aokMeR8A`skd|&mxhjN|+}-gQubwF0L=#*K`^F4(*jOKo#R9=vT`|$PV-;E)J5qDmH%X^S2@2CgXUak*eRh29Xv18(X}FYh@Jm|9(FJ<4&o(Q zo4p%1z_{8|Z235M{*Sk4+nua^WRTNm^8LS#PuLo-u;N|ve1}AYGtgTwJK+5b5`aU1 z8lQ}%78B@nTQjCT0FKEF2giH@BKEbfyua#6%-$Do`}4voyj$dDxf^tGa=#n^DMoo> z^-?kSOK-d}D5d-uxUEd4-Sidt3_3v?YRrdp@ubFX+JCq^t!bdmV)_`rJKmkefEHT| zap$YuCh~y0c&pe>5R&Q=PKCezKUrMPBw_Z=z6Z?xT>(RkSCWt!{>tZwCJ+C~iNLEu z>lz~&!kta&apz+jiBVSE%BHiVa6sP1kD5LYOP?$aa4=7=w? 
z_u2fDl+6j(25-WhM}^hPgFtu|&0$y8WXahs7pHgGp$saJyL)qDaQF6)t_ySa zaCFSnVVVLReVgj*>TcToB7%J}2k1)L(=EfCZoO#^e9q}6Jyem0!Utk`YMmwkz-B&Y zTp8&OTkg*Iq@dTp|1fZ?o7Dv5M1L*w1ByLQH?D&ny6y<&n z4Id0v_iD(YbM&&KJGPmruW4qvl@&{V|NAp}lS21HoY(0g@MWW;UlUkz z0r|2i=jH*4hqtDvpMlKeW&l6^lfw7xg*g`pH@VI`)qAupHGPSj#BV5%w0_|!(yM@te=Z&Av-?JL%aO9h5>qT=FX#w~gSaY3-Rm-(IY$=gcoF*& zQo}Dcffw%L4T;nZjnV!PIbaj11!b!I!)-U$6nY$gbY{3RT?yV5vOLu^$q#Ywy&3%e zn~wKI$^hArw-pNFvP+O2k3P+?^!ykye;AMK2WH`6n2E0V$8%-OO{Xf!1e2ZYnCdPj z5(d2#Coi5xdG}QfSwL;Zevq4%@tJ?P$@E{xq?G?LeqRJPVcX>Lih2{^xb*S+ zYF!Zqj(=y*;qnHmUGKKSa~dYOlFu=a^E1rFMpT_!-CO_6=oa-@Of{ahN$&vi!{We& z*6{)fX0{#QG4*7{L}jguig`Nqmxhy&cO< zbuqXGlTknmr$rJzG1rkN1Vc$fzWOw)4vfdV0n^Y>?D8SfFDjzV0S zAGsoi4P#Rz7za-IMiRXzg6E;G|3SxJm%IcUcx+(^-HXxaD}Ns+f6&MGG>g}V&lpZl z_B)^cVtPhD=phBzFNx@b^F+_YFt>t#HGe20Z(Ay*ePNiXm3e!#i_%J~{5en!eApnr zT=^Dg=d-1qPruv4+a$R6gKoYQek~Gn3|mV2eaUBfc-lpvbm_1wk9}*q+kosRDKYQ$ z82ynvOErmf(*2m=f9=Ze`4~VlpvT$mGfk*T8&oT?*>&<4zI}I*+Wd}_`1PhOJkV2P zY7Te@_mW!`N->5e!P*Qtd_CVLk2U5u%mxrdZJ1>_;m*;qc!#fktdq&;WxZ@p&TsH2 z;S(hByS!lnEOCE>82^gG{|qRya^D@CxD4j71}QkEylu_`L3zF8}E@z&xYZA4pF9D*50$)*M~b z4;RU*?Ck&^1H=Bc*qBdl@4Dvkum{Q?NbREaIr&h*Z}YEjY*$LD39u&m_7}rm?~Y71 zoqQ=>8zS+uH)b>rb@^Vz!ITc3im?}qzpr_@MkMtv^2y}(OvcF!(WlxZH>YKZe9)Hj z>SNM?kU=}6>DfCV@Zaf~Z52*5ZUDSI( zaytBsEq z7c685(6|-M!kTw9&ztFg6L>$h;3FU9C*roRipUwq?-uhH!C(to@1}<8(b&qdMfMoc zHD%8Dkkt?O7E;Sseh%n+sMh}krNb1s&P8_k2>ZJX7H4NIPnLewWUd2a!A9us8_%_4 zH{UrBcWo96#&G`SMm4R_%0y*NJ`%62%1c|ocV6cl%n>haa&`rTB?VsoOi~#Dpj6Td$TP_LKPGA`Lba@VzJnpiN zuohU}8@c}mzdP|X`L#Q>U*%d7rjU!6DRiUBn7+|)n@ime>J`ec)&4DSVMM>-=+x|d zkwv$6;JAm^Y3Kw2fxW=VLIC{OUUIY`A7F=CHbFCex=+I$b?(}EA24uYkrRgrHNPjj zMa6ky+nzD1VVunF-0(D>!%d}ki4UBfZHzQ*>wt?&K!3em;y4T7<#auNw*DT^*9Rbr z8yXIu%dhyQ7TBro@pY;&hrouPQ8E8hP(N46!SuD)I_dp$?fHTr$&@UU*M^Y)aBjF@ zgjE_1Ey4DJ2-eLz_`MlFe1g%b6J{oQ2k)By6!GSmi9wi+q(JnHU}pdt#sAzeRj@UI z&ZO(;eqCro493UTdD*$tR?&o5Zo2dlqlA3x?v*ZJIDntO>}a!b87#cnf-r!VR(xO{ z$kgC^>sR^*(%QvqpSrFVH}6Jy%j>&*QZW6N{{h(OvSBttzbM?i6?~@b6<0rt2{r*d 
z!^Xw9Z4-^R&!}9BanLgvvR=XwoXhNgK9(^5bEo#_ug@|=xd#@}?88h0r-%4+wZDTj zs_x6ZuVyoI*)`7|fsPov)*iTZp8`Z|^gmo91)(Jnpi9 zz6PGzv+DDQke=OUzg*p35Edh1DyU7jUW_b)aM;uNB z-v!9GIOSW7tG%?a4a!7AJ9b>XFPw*(7o~#7su<_+*>Zd^u7$3$I$$h)y#&Mz_ zm3w-UF0QA_DsXZ?@F1Hpai~U0eRlEAhmA%4adR=S|4^LPEnR%dsm-tr!*8Yiq{KIN z{8v7>P2?nV!q7QvN6}vaOyQ0Z)HLsB*E|!0j*#0_<+jEpufzbfqefn10#Y;jL;ACG zw0IEoS*n(aRz#`I>T1gQ71fPSbJ#EN_4e3JVIp@o!yK655_vljQbvimn!Cj0o?e&v z_$J)?_2Bo#8p&UU-9@$kZ zc(z_2#d;Vv)AgDkHd=RL(^XH|E=bt7+ku6wP~qgm;U$E7@TT^WMMAemgoV~XTamso z^0Q46ldG*cV6huv_WKo-yr2WWj{MC>8k73yS2+*w;nyEJ<1sPSispWa1hj~hQD;tH z?Y%JP5~Jo|Pd^>`db=w#hP;puCY4b)8$XbpZA=1qqbFoG@s{yL@vTB?c+^idn}7Lh z5B*{OZT{YK;9fi5j86lPXYCPRhD~v`!+1AW@!~kSF(*38e~aB?!ifHLU`6`#t98CV zq#|r2cl_di5N?5Urb>LyO^dFmF1=~J9di4;o@&|Kg*%{JGvMP}`7%O4UE~1G?Wxn~ zO`cOiRn?2K#cNo=jq|rkIxXUZ4%Dw0nYogD;3UrA`||k-78?j7td&!X=5ZJQ5Du>@ zq&C~xQoHr@y1fIM`AhZmfQ1D?S6+Pt9(nfY*$Z3n`r!Kk^Em{d8%I~&CKyFl-~4pT zCt5mow}i4jt!n4-Fb^7HQYbs{NA2?o^AUD3%@V=73f?m`EMbQHc~y-o9}gb_C{N_o zZOq)VuP;ZmszcnnRQZ%|(hZmQRu*82@fCQRDc!AHae5Kt>@-Xo&fApVeb<%-gtp#7 z%`>ru)JZe8T&%CJJTZTv?`{?t;>U`8f&Sy)e|m3Y7!(o<|I}2>c0oaFS_If;+XnHOll`rZa($Bz|?@)obJA?t>HpdJ znPS`Dw5bDpX#eLcbm#v8Ig0x8vEc_qtbgAxMo-K8<4gzFiNe87cGvMM9sL;DpVp@3 z-dO7Y2t6$7y~6sbV~v7n?(^(Uw6_C4%ha!*4hY@iDX1_DM?X$*TCmp1bgi@t`?t%J zW5R-%5w9R5xy1&bS)`H1Pbpdc2D5dachWB4JZXNw{AG|I{K0p1es(&6c@;?ZOlLse ztjHlw$F64K9sZ^neqiwcN2iQVGSb1fPxABs<^y_WY%H@FFXOL;tE@yjbQId8u|u1s zlLuAn;}TlFXc;eudWG@B0+?nR{ad|W%_8akNU5S1&e#<76w-0DbhnxXo>EBLZN~$1 z_fL%w-58%64UR^0G5P~(qP=N%RCM{8qhfxpw2b_YiEfZ&si_@1m%WNGKgiF4yTj$x zJa3zCVsbCN&xa!(5}Oo7c84ScOk|J!r-mQQK+>4Qpx1zPL!4jPf(MKM+kZb}>6qi* zuE7xpz=!PWYIKnc82-dey_>k^`8YYlnotL~cJ$rEgPl5Lv*eWBgY9|^JMBs0li~P8 zZ9HE;ui9WAuRIvQUR|jaL=+9Dl6LY6?c96C%*Uv2yvr~b0Oa^joI;ql>XE^RR^uOl zO~}V_kgoI1FsFx=ecm&OhvdT)`Y%;vidU%S^_NOy)N#B|4ULV4$!5qju*pvgQr{SBh^=>==i>D2_H*?PQW|^x5wD$Ts9+ChHdd z`}~=B*j4kKy3FM8qZ2_5d&fgjHL|3khF$?)wh)lXkL;myIUvQ)8vE(b6%lzJp zRu%A~qk`OXvJMj9z=#&?!f=K+f|m(25m6gEyIIEMt)U;r1Pd6?t;O*Z4l#NL9auEF zavF$0EO~TFX}}Z 
zSTT|_fk%nyOHn=D_oSB1%syN^z)>&k9Dud~96{FY6s_q;QR?4$Xpwi|?*p0`)e63$ za$p?e(pyW26^ht(kIUE3BG%~vbg#)K71ZI%a0}1}P@NzDX%x({^y4qyvd)EZD+13i zxnA4H(@O(Mm`O0k_yjE^xwGd3+k4RMKB28YZ`;8#J>G#0#BB{apQ&s(HkWWzhJp9e zBQ@o`tKB%53d3F;hxeWxx+9lwrSp~1O0X!uiKdKmn!>=pZWd(z4#)o)!;t<0$1u@<{- z03i9{8-F>1r>Yp33fXHSMh5@r4PB>AOYb-`cEeU>#ji-noQK)*NDmm!zgl!(i3&SI zF-dd@*^iWaTVM!9&4f$-MTOC`n43!tQ(EsNbLVp>1~S~Ein5*~VeSLUiX)WW@9quc zNqLc9pdDu2d-tT{e&G)nK_{s|yrDy_9X0Gf2l8@%&@IX$!l&-MWQ#pRDJlcV7u!}k z2gxg-Y@en61qd-iFNwc2p}lfhmz-@zb|m>bX;s(;>gX|@Ihf98pxV(*VKy+D^eJF& zk(e|4c2(w_IWuJC;}ECW%!KldzN4CKcOP9JixS=lGi)7kl05RJsu@7o<`IN0sg62wU<1X@zw)F+8~$aArt{%nWw5}W&q2iEasSk=yB)tJ z^Q?A-_)T+Pgs;pP{Br0GA^8#(A$^L5B$o$a(QQ4`|T{f}Hp2 z?Dpm^dKY2z7TvcWF%ucySDw8ehk|FKv`xtzmjl!|?*lv8$57B~i&7O(Tg=d0Fh+n> zf#~r&qnwRJISht=0{CZ0No@-G0<0h+1steL-zpa5!mw{v4?+sT``cAd+)^F z87v1*a9gp`nJ~TiD3+DleF1`jd%7H#DXf9o08Am(dfl;WczApG^%)G$qBYG1XYBn0 z0OxIwa_*l6?>^#rM}A7?v}YI+{~Qg`Pd)77wqBV0$ND4vvM6*-r=w`ZV*y69Z*vF{ zb_aVBI)Eqku;88P=fruGb5;3Q9{R-<(0dxLz#jrf|4i4dgnD4q@Rqo5=f|4Bk2ya# zKfSpaU!-SojO3XfQ>z-{w)@ zNBIKxsk)B7ye~AI5*au%?%WWD@k5}F4z3+*z}e&1h1e75+40?OE5O(6^L$xIEy6Qj z7&Umyjc*qkbvLatVneywEnXg7+vXGdvjQ4FSb?v}hAgL!sXg%4=ReX>-`C*4KwXb_}iaNEBYv8dZH5|`h1|zK8nU1X~sO| z&86xuOG#^(>0M_FGpF5#WKdto~c%KNK?qB^^*j%Q!qvjLihgehrh0nnV_0Kg) zNJ$ZylnB_o24Lln6>X2luVb)(cxc+xfX3VmJ_fcGb}Oa*=NzGUL3a_F&HxQeMq7nLw0Wft53#* z0bCtFEK_^pqJQjgIPE7+3Z8OUcLGPlpq=yD0STk@9UI#;kOEHy`2yc~^aXZ%HP{nc zKR(w20py`=V;<`&f+%c|vqtn4g)#7p!Q;8z#gl}w8T3b`V84Ad7%ZJkO6tBuGq5!| zscU<{*oL$zt*e0@X*q4{GZvfD=F@x8(Yyed0?-aOhgd6<9ZB=LRuf&5Wbp5QAQeuf zL;zF*HM$|J4YdjkSGLri&BT@rLQw$P;EeM=JvEbk8ffi?SQ^@ql&DwRe!M*e1!w|v zbi*jkh|`*v)qQEOA#G0EX1qOa8Y%)%0jR?b_3A9M7~|^V(}a`BIiW;>Py%jpi9bj+ zE$c&#X&-Yix%Xuu3?FHEHj}+yA zd^oIu3(F>MEw{E;>n4EY0Z;{qE#9)42U`?auPNn)%slCK&OK&@@!^h-gl-S9*(a=a zL~AoQyej?%DUE}I!<#cu3dh(%k~GOuyv}3q?hud9EZ}+p!;R1U=Q|0L;XRP)G22*4 zDhuv*sWb8xA}c&1*WFCW{27VOu0QizSEubY)+G(DVqbhy$Mv)Q{qxrP+>ZMC9~8f* zWVKyn=%3s;Vs$?tO2~S+-0KY 
z9rJ9_MU&v8Ozf^KTYqS;M0hUP+r|RqQ^E9R0h53Z>}FRE2ryHUd)t7I4up2T-O2lhj!FmtFU+a`M+4 zm(!!e4douTOGc4VDs(;1`b4993DuhjN|Xr?R7pY!C4c~;=ofWzgo5xH9PeGU?nnp` z#1J7wXq@E%mviJXg%K5YsDMKkhAMz`1^llK z9)&(eXIPzq+aLAA?Jo9cO$2nqfsQn|p^1;{n#n%#Os^a&?{brG-UCF2FI%TrKYl&h z+W=ghHB;*C?KZc7ll*-f6{rSRn17E&7o&I(dm22=`SYBQ`}^koF+;(_oxc}||DbXQ z=IN&2rH%7q=n-*UKjX9SfZvjBH@x$fKvwha@zmFl4%IWv)u5FDZa#b@4Fy{?O*yyE z#{!O}j5+8u?Wi{BUp)-V*3rfBFC^la^;s@Pdjley7VZnUE0;CjLJA&IX%Kt% zBkV~h0}ik6VD>tQ1=h9&pA!VNYMEEr0BDn`-pcU?@nY6{<}1g<>Ot-hvhl)1UbmsB4 zsI|8A6Vv{Jk|u*Eae1u_I3-^+khS4wGBRH}>eGA2Sd64q*a?s4m&FF~Op<9phmmW< zpW}hz31>vB|OUCy1^;7}bFV0g#Cp{Wy;dr+w6xnckyq_}QcFmge;TL{6O(AA*8Q&Rr zI7WP-FQFxwe+BEmM#Tbj7yp9i@MaF{4~;IRrjX^q0oEI7j9Y!jw2!*d2FdEKL)5KT zhvx&O|8gY%qk`#P7WbF+%QF>!M!OdFEN~sr66+M5h;WyNeDnYoZ_UMJN^(5rGy*-= z$6}msvm^ZR{0e)`f4G@_YSSEFx#amWwnq{Fbp&?`88;IY1Uk<07QoBkS`@#fPHyFx zI5j+F3F&$s3^RJTC)m?q=)m`ta)`V<@(r9In&HnA{??+`j?N|N8NnptF@xd2u{S?$ z2JaHeV@)mDc32#`XUV zK7lzx|D~za+Uv@W_NsAHME0Yv9CdKa!CQPZ-j(1lW&c)k8=s>A4achu&@VXiQZnYKqdY2%l$jK6Cq6r zCLkhdRD{*B3h2wt+JnaI8ozH6f;|ruSwNz~Zr1qj`!NNQ>;V>nA|nHZLqWwp<2U9$ z&h9fje1PhBhPRZ<0qN^!e0J%(H6S53(~>H3h}|M+|FvX51Wtd{ z-LFzY_e#ZVahQs!6Kf&cKB|1w8jfd+X_L9L!PWJ@zoAtg{QSPqGzfcBHz;4tl%jUd zoV?>*>~GJ6YeyKgf!p`>REdvY`v#lJzs8-yUGy*ex$52D2xFdGAHj70k)mr(&1YPu zGor8p6gv<3vqN_5bpvzgd2O&4+%=ReUZ4Pnghc?Va{$VvmYu)S`b}JtKV{#8fNFfM zChrgZ-dOXrJWR~N%aIcYo`x!ilq0hvCk{yt1YiN>kU4xh^2CW8KxN41(B#OA)ADro z(dgZ*mm~V+^0Bx^Wq*EI8B-kj<#C~m1QIIGpZ)LD-Za?=9Gqim+>>Dgbnrna9qNHd zfLb8R>)?zY<~ImOe#Z@n<43wkJ|k7bZ&zjBl7ZKei@eC48@XG-XpMrzu!B0qMcG)3 zzd5-B7ZxsNSKhzH>neE0;g(xez|#3P`=EIjaU71f58WifKJJ7#>o8dlL|ase2;CN| z-uS1d*k;Dj4{ak$LA)mljlJGl8()N2;@tfiV+M`nXO}ydbyf4B&p0+VnzOip3G8C} zx(hlj&qoPyAefa=$Pg4pr2xC4I$U&*`=c`tXL5UtJ_!!{OUw}@-28G709Tg|BeqQI zBihey7%>rI79R|ml#hJ+35;i)AC`$c$H+-+W!%YxzvjePps7%O5j z*oxYh?Xr>cP+&1o<(*K!35`3?EpOAn!PV}EAmP2o4<)1)CG+v_b3D$?sNNBbF9@7~ z(P%3* zE4RbszdPobBluMBDgu>S(N^#qBDUQg&1fxY5*~e`8C4f8h3FdjmzqCdd^5D`?yaBQ 
zNPeuD8JqbG#7F*yPI!GjQod3nFG=Sl<%4#kCNZyKJD;e5r|s`PgTO_RQ%`Wo&lgiUnG!&bJrUY*4w zPJZ6~zE~f@ZqU66#`xY7_%jdu70D&T9q)yKB{yg$g^xlw{fCsb zl(XbA;`#DFjKSiOdX?F*{Z{LXr%xas=}y<1bpO`9Kk%#Iz6R10{9zd{1<2x8b?R^IZ^bsD=|x%P^ErVhG9ACEjB`SFGhI$K!bNX6e0$F4`yWAK^b zGxVl!M-X1mAHEyxn*pXhfI_u{nSqq3D_iZdP?s9C1Dq#Jc4iJAIS71~JdR!LG0)_T z1&=ud?yOU-OMyJ3LG!-4jmLKkzToR!!6){V_U^Yev2n60YNwfZSfb#&*TnCtWHcZ7YI9^)1U%ez3aU$5-iiSxvi zW~*{cet*AT3jSU;3-iRzdMU4k4yuK0R+7tTL>Uh;@x|4>gAhD-Xq#l0IesVYZ|HlR zX+Y|-Dzc%e@O;__B?F}30eu8*Hs1@uFkn%BKQob%hU*nb3t3vX;#!! z=JwY-dA)ugmiM3wtJP!t49_Oc9&-7=|c-Y(O^>7A>;7Qoi?77Nr9!_?K-u_+BO445L z{s6GeCHMY9_cgJ2bY5{O{L&$-0W?QQOdly^i2cydoV<5%Ve26rrx#X+RqUV@en8h+ zPaICGiEZEk)x)3~YyWlzQVPAahDX`={U_a5$K-46H@Eaf;Dq~RYnOS-OU=60ero=X zQg_5a6ysNri4HM4hjgewZ@K{#vol;y*tkCcGLTZB*)Im_cv4IZTP3#l&LF96Ns5Q3 zFNoVf!#`X=ass6iKR-wo+=*ZN3aMjyCRIF1X$Qmc_U1u&i6r>+4<%4BEHa$0r+t(R+(=IPD&&@|C%``9~LhV!Zz3jhN) zBJ9`qn#avKsD=2yjtR*GQkzpIF;6h=z|B=2N+*T0P&^_HDu7= z&r|laB14MrVGt)rec7y#bLIGU{|2PRAAtP%`hZeaN68(9(Nx-aY3?>S+iS-?6_bs5 zj0$MEVVidtU*f@dFIYZhqHgkoN~5>vvMKy;s@O zwQg^KtA0Kwoj_l+77^IO!UTWPi-|W`r{#a&IC$D1py9^Ra}@QDIUY^kU7?8Y3qS)x z65qcE+KE;;@?Qg$?K$V`(;O4>3OwQcnHY*6gbol-j{H*+4M)ac#Q#}c%Lh7{5>6b> zRY=2O)^CZ$wb#e?FwbDUo^(oC0D-h(_dp)rVf9#ua$wyB2nY~qbvV}cyn5fu^3eFx zmk0FjJ)ZjBr|si@l7?|_)svJTgBqduS;myBefL?Y(1cBbww z$fxzyWs7)~&&QApxkXNQJL?CneDlO^Px>P-txtuA27Tq_eAk7|Q!L|n_1$eR-ePmW zEVbxS{b|_1s`#<%+lu(p^@&ax!pA6UY{ePXrTlC4!!Cy7zH(z63|xc2h&O z%a88e-zM=PboE>~=oZK@gvrB%@$AHd+Y3hr#LDpJ_cT52jBYo>b9mD9G%6I-eL_dE zJh2_+-fqXdW8b+^qPESfAnxB=7~gOi^8OI=urRp zws~7A$KCNU-bxsPLt;T6|0`7Gz6g<|G7+^Q6K%_z?=Vo`BDN zU04Zm@bvSs?*6QSzhOZ$?|n9C+hAuo5#iZg`hSFD$R`f{CHXQSlFMZC)*iVv)!wJ73G`jhK&}QY=;>Mjk zpg*#<;D`Iky>-MEpX47=Agz7y(fsP3ipTVYI(K)0ZvqH=F_N~D;GgUZH#3o;gVlxs z|FZ#}VtdI&kMJU3!O!f8;U^z8bi;n+@9nr$UgCE1ii13Dbjo!8dH?g;?<;C5oA4>$ zJ=D>$4f+gNVm`w1hszyP{9gus{f7})2ATM04Oy$7WTAH?i@42&x zO77=9TOQ7+N04DkuE|CpREzG%h{C<^-rBI7A5WeU<|pR6I%`&UC4~DQjOJrgxcA9m z6$DKR5j!n;BCNb;+jbJ$kZ*ipNWGd*WTlXXD$UK3YiaR2=yc|tA=(r5hzm^F6JN;V 
z{@f9=JMEL@%+)dM_%+?o%7e6T25tMDI&sF%$58iiyhp|lSAb+o61UgaEeCT) zJ+{aobzO4Fpo2{2{xpTl{IUwbvscFU_NLEk<_7;;Fdo&sXVFe-v> z9@evrCg`*9Y1hQq1x5TKVbq?;Q{g4f031PwFt%%N@O#hx%K^WULLG{@foZeBvbZ>~ zhJWblbU1;s=c2+9%7~qy8ZMyNqun8cFNF^yZd?<)EZ{6!_E>GZqwotVi!*c zW9pEkWTsd<0Pga(UxXJCYs|=(j^*FYcEa0xmq!)N-!d6IY7>Tc7z#wWo&HR<~NCO!b?vHwxap#%4|Etm00InTD| z1aU|7hpOS6JFDBw!>2UI_HgyhvHbw7uir;4zBnuk{8lA2(>m1KZ2UIH5 z$;e|r2^{+@uLS~Gvooj@zfvNh^QHX*5J%9?1LslmuFrbH&YU^1J&|RdEB*p zBp(j_Meu8)xXp|geQM^zOOCJG`?>?loqnCE&f>L@*Hsn#tzy8?ah4@qiCLaFZ*jY! z0?5?X9d`>(?Gr=7o(p{UHe~}T5!jEd7g*;sa+?e413aIi$*vtX#>QWX|AJRwSjiCx zgSShMdKmG#=+y9AjA_*NQ({M(FO2rpRrqPGP0w##JH3=#?*bji(d07)Fp<#5eN-dA zci4M8xom7-`n2T>ckBWjjOWIZdn^ySBw==_ad_#FPB%!eVF!*qjZnRZH!_jBYu0ATGEEjckfz>|#R=er;MJzQ<}7~nMhKR}?j4$m|P{Rwl+TSKn7 zx+2_#H`q?Mp4IG*8*Yn!_8TM%76U$Y-S@eVN%$}aUU+JV%s~Cp-Fg;r`yHJ*Z$@wc zH(5&pctxgWE|}?!?Jn}y)I3fxJ$#W^J-UlA%~975U<_9TwOljR(5v=??AzmoN{BOu z7u~of$lz3VZ`ahgQ9btSNeLZFG0oy^?9Ngg{3K>^BNM-pcI0ueWNnXIqdQVgm?NnWY%1{KBhKo5d~v03_s1s&fL;GgB*Hq92y9=9e9zr=k(qzb zEH!L&{h?4WL1{TFe-`m9A!pVfB<6|o{`7RCcihNrBRvQ|AIBD;x$|h=28^2Dx7Qkb zo%4Cg@@?AmEx5NkgI*H{Yd4z@|9yumdCQ`;eKf{kh>9^i?x2}d zq9PZ%P46$_ggh;U(n>_o_nq38PuQvMht?&6H!Alj;m@~Esb7e!OfW_@?x7wm-++-p{|f{bUr5%>RR{R95683Pt*X3ypV#C<{125Dxl-}JT#^M2YOBdds57xvQJp0Re#LAdW0EA9|Kryn_Y_Yc$4K#J#T!gN8JILnWLy5Lt1#h`$QC?8i+|Fe6t|Z!3M@$8qX@X996rzp-cXTdv|`(G14w3{a6P?@J= z_krOKdZ>*`j2$q_UNyCT(-z;crH%Df*SNtcyBLw7ytNCdd3MYhgkT!P7 z=X1UFq}t^sAFyb{JD@?ZL=k$CP1b@#DZ~2({;u$h`(f9^{U(P}*36Rrmt6ydZiDj$ ze;A3vYRdgcnfMrKjiG5`Z;wV|fGC8Hp)qwaRwP6ryyK)7 zT<-x=W(n+}Q){0Sl=gD}V?Vk#D5Drm*j`UvvSyN=N9Ue<6L;V|;PPzx2yoW$S?%uZ z^yq1H>5KSKM#+7mAmh|xSwL-?J+`CQg6VS|qE83ZY=bhJwL9-g%z39d3>o@3(8pU&FA}E&tyI^bXO}Z)E zMEN!ZYwVeNLVC`?y@I%;Lq{6{2mEi?&o9W)mZz8{?T3%YR-1RQvs-yE$DzBMn!G$< zY5Z`w6W+E*m~j7-Nrh3$9`b&B%~SWB_CNnOeTEhefO^eDUS`z>2>pIZaspdhwsRhb zxgqiWuRt4z+B?|TXK=*%$HpT(X7vSF=Y3uLbz-^58nh_1&*;B6pg$+j8w7`g zzne_t?qq~pdy-Hbcs(K=Qghn(@tT1n>2L)<{DZ2e5@lAQ_c^!N_s((GZJ1y1jkH^Z zh9jpUYB}+ZB=lIupJxzn9zPwny?gVaaq{c0)-2c 
zkp2q=pFQQ2)MS^W{p$JoMK-_E=|=(LUf~g(={Rrx6X(BjYmq1#Q{EjD?>~QjY^5F# z0lTsk#Dbp{57rKj*?)cneOj{)Pza^paGrJKj~@=OV3!~Aa01YM@E`$yXN^y1BreJ^ zun6vdF(Y2(@DODM?q}0srpHj^PE*$^3N}kdTWB zTg9}99@SmHy6VrM>4(n4ca*Ze-&d?-%;M$=yVWzS=8r>*Tw`@0e;~Lg;)0b=j^Lqn zSA@)oPv1oxqkC@n#C8j&1&EOo<-QO25v$)dE7kDBVKj*G6NodJV_EEvcnU2SJ0N%R zw(7TkTL5Q3n7=(juL*k+c~n?-c0)lN+xT=Z^vbC)I^5PTiSeoYRrv7(IfL${9Ur6N z5OK7m;o~3j|J(J3FHYkuatnRdUs9n@nF|eW)W4@uaP-raDZ17orn!R9UJN%UdxR=5 zjFIj{ST`N9g&y(ImTOWo*BBP&RrnxM$~!}}_^g@Fjaic>9a)EJca$5@=%Xe(z*dq` z`6%d2YCQ|%2-MON6#BJa@;{(EB>YH5B=VJXG_*c@zS7G-b6*O=EI|sGp|wyG3k!6f zdI3|u|7-F8&&{le#P?2)K*KtB=Bz4qD%j`e?KB7LVr8VJbQ-@>gfi z#i5>BVHEUqfzdj*!l1~ z9y~yuSs};jif6J^dx@riB3UZ25Q%MNf&#aLsxWtA>BDV)W;6{V~;}l z$~7_){64EHrVqs6Tc3)9Kz|?r<>CO1-0ktIMgVy;FMu%`hat`_BzI zt~S4>T5L7Oq?=*LG+Z}vUPRDl>Yom;<>XfDD`Eo+DkQQ>2?{DU5wb6sU5GYX7<~rw zazUecodvN3PUsrA7Qe0^4GXVw{wyU(s$Du(6z8SZ|d{juw{fX5h= zds9ku7&IDdFX{urt|3;v+Extx3f{R^+8ePxe6IsF5_q`)&~jR`seRl{)ib!57ku_U zlWyF?%uOs<#U`!gCI`0c@v+hDjeI33H=g_a_YLpZ`x%ORFGBOULKiRWp!4U>FT%P8s@j=9aC zZV&7Wb@20@HK*wKzs@d9!RP(sy11$&U=s6S?PGPeB{=koIa0)(v`*uKtV=l7M zcut4*T2&JdS;W*F-tvzBhvB~-=d!|^0G#Qkzh&-}f!=`gBcyX={eXVLs{HjZx~%Ky zf;)wU3{A6+fA7gQkFMBIx!znoxVrH4j9UEQA)}c-9sR&``KG#CmcD}>_YG@DYxg9f zS2ry4y1vAFs`}H;3ciPyACGnnKzM#}HhC?&ULjN)QxkU}|9~WzNI~reg2(gQyeOJzF9LwNI7j!$wxipm_uBg2Fz6k= z#r!rPWOZ-WT3!yb$ENxGAngQ>$#eiS{$X8krEgE31NWF_ko&*7*3hgj-A(g8{T%M? 
zyvNIatuFxoXBtrilRqQE`L06Jtb|B8Y&d11edvtRv$KhV6OQkrO@n^&zOa)`49uWP z;rE}UB1_^#GenQyz^>U%`jqp7sf@o;rDv;VQ{D5lyuX?W4n@+i1bzhiBzC#6Z=VtlLQf_D;1yge`WVRYObxjIt zUQ;|FceV%3xuH&zVU{~YbH?#Qzk^FXqh@e8yNAc#I}b~=mm4y=>Ld22u8)Uj$F@{B zyhtPAMh=&)!6jjVIO_3v(X9wCb+QYW;JXFnoen$u^U<%>mIc0jRffqB&I`sz)9wUM zh+ugz+7|jkvw4pq=qPL&IJ@_&E_Xloes4$yG%*BfQ5VBb5FpHkH~lYwcUHApmG0m+ zG0AlI*F~B|vuGC0qS-k2T}bbY_Gm}h67g~HSbXrn@nHQ0wN-WMs+~%Rd%XDqGt`nS z%Qrlp~Gfg~f2hAh1D@=O#hSu)1M zZqNsfbLAN`ar$HGVi^t+Zw3v*?Y>p&oQCl((^N-=qr;nPHZn~47z{w=xEKJcrP`@< z0aawYfY}&tcebjD{)RIKh@rAmuxf{IU4SmVX)6Q#Zxw^7(;ol@<6EK7Jif2k->QI= zmSzW;X~G0lC}VjmJzb1OPe5&wLIE#b+rh#x9cP5p+(G}O=`Y;XO~C7l>}LC|V8lil zHz-ecauFO927V{ufB04}-fq6z@~zIH6bccW%+UF*UCcq7=B8RR*;sj+PDOGqblWdU zE;4n+m2=UX&BB0T$FnUy!YMj0Kr>CpTIb}WfX?kO>0x4=iV8roMEas=oW{9kt*Al^ zCc(FE0i@kSp2V!Ojl^}vw}O#1i*V5h@vT=(f2gKRnSb%EOQ(rsg>ia^V3mRf#B(cO z!**tkq6^VIh4tZ4;#MfMI-}SVhvQG^PO=d&4}?^_)kMp;I$;x?yp!;S<6DtoPPHHs zut8}nEL6U=3DwV@v4u5OCYm#D2|G!HgR(&0c&l-X7k(q;2%6cOB9Xc~SA20AXeC06 zSqmYA)VhpsB~p|0(AQ{uYY?bjt<+yW_^m*wQr>|qUKEOodnDgF1SRP)Jg$fL_R8xO zzLkgMNsnQ|t_o==&Wwj)iDbqKRBnWCJ%C7yDz0zMA!`3@Am54u7?BS!ZisKa;kK04 zfXdmmYK(6+02X!67r+y_r_~F0l{y>Lg# zwa_tjSdM&a3n=0!Bm?v~94k+m=P(GCd6J5ciF{BY0LRY7bxFqMKpY^tW}`E^Veks2j4RTz$re0Wxui#rpNVy~$0e2aO4VWzz1j{+#i5%BX*D1*qF7rag|vIEJ1a`3 zLjE155c;`7y3}{D@DXR+6+5nO!C)P384-fFi-mw-+s?7rG=m1YNuiLVo0_FI^8xEMw#Sc96(SMRi+IC(bF+;C66%OIFDodcb>RSSv~AY;_^rHmi~?t z#azr3um#VM6n_T^BS?AE!^1WHj*+*A5rMyB#M0S8(JrfOvTsS&768;JfQF`IxU5k~`lHRGpEY8rp$C)!#uF&k!~pE-BO4&wqOARqcAS!DYp=lHK|&JYudRd& zo|HygCh^h1`_)of{>UuLGGq4;3Q`4%4qD@`{2e1Ra>Saso%lONbZ{ynJfu*7v7ET7 zB|Ae#Q+Y=SmkH&FhQ70Fw%8_%ZPeW3F3EIaDqmC|pi$2W3hlbaCsPIay&wdrw9K}5 z58Bk0)m%oyR80Ee$hr`!wLQeW~)FEjj|8Xac&jm_s# zT1cP$J2pbCwbA|pr`>WOeWub6f( zV5fzH2w6=+cWj=qq=TygQr!iL?XZHT`elF*DyKp6Tjq)?3)?4?xpTOl{$-qJ(Mg08%naAmudJGB8qDjA-C=Y!fcQ$^xUq}|Q-cQ|nBv)$U+fQFJCgwMhFJ9J8m z#W!HLH0@|GBhC;;iEAansqlAx%uu?Sz(T92oeXlNZO7~f{!R(E!}B) zI};S4D;NZSM*`)rUZNrbgproJkQ9I}9pN#9BjxwpQ9dY@T5`4#Z@>-mT^s=pUjKq6 
zgozj96jj->*A4_A-)bfZ^-jTXdZNN^*gf?iR^uXchjGcl3p#=`oyzL(IFM3(u<++& zxt08#22j);21d{LrTP7x1&YWy$IFk9tgXJ>{*Dh^Y6GMgoZ|j+<1}+XFZxu3)ODh=|*B9NBh+-OjFr*l7>wV3sW5%E@6hd(bV6c zCQpTOIUolQzj{R}dIL>S=UBS+C3kS1)w@}BInw7TEbd9i7t$(@v16pThx>zwn>+giZ1l8)p`*iNwsmLxPwK0RVmwO;yuc-@T*hoTre(N z>MI3g(?T$*Pnq>~=3rB^@iwDdaKXmh_v(Jf}=AX+`y0;G{Eh0tu&klu$nC z5^3~;xWuGxOsN`$3Q(782_>)P+UcOeeahKF^Sbb>Ntp|~GNtENp{Nz{&kz^`VA2Vc zEPqA+$%F*eO8KiuU1>gm$6-;5-Z5Qm!gP#FHtW;Fa<>H07V9@o%+g1l$6n_TmxFBEh{A=N7K?0#>%2E(sXnKIj4K2g|^y1tWD zZ?`Oon-oxu6q54<#alG79qLgY=cKLqF;1ms^m|0*(eie!cScfp(QEk;H zRap#1^jB;4E6lGhfhJx4S9R^rGk1*et3;rrK0@G_rHS-Jj~z({Q>hHYCSEF9H~uW$!)&z4b?6c%}(rD~M!oWZU3D zGZl5mR7*udGqKuh>c$k%gd6!#)8cBWhgsZ1b8Eva?r=NsXj%{E??O;0_n^96N}0_j z@&L}E4LBrgs3UeH)ezASn@a(TYI?>ukd(0vG9jsnsxL>X;itz{XKexsk!O2#{{0Icga^yj z#0BGO;PGuWrO3QlTks*t3+cBb*78c790h{!)P+V=va2){lnfC?z`aYntJY*`zKf-1 zE?~h)nid6>lPb)_ElPB{-YCRc^2Fa$h}K4X4mRKWRQog@e=a8{;O&+h@%RhmKFu>( zZh3@7E8RA+JdI&o4fwkilTM|pvInpCxc>-7Dey6?+>Wc5hC2L_Ea>TcwO?LC$+nUX zS4;)hor!gpC@1^PMx0r#Bn=d8T8o71%Br<<4k2aHP)EE^k#$)-6jcIlsy&Krdc_p+ zcPCx#{^XT<3}h3KNhn91%}Zu%F1!svF22l-HJ-`elZ1LD8oUyJN3y&5d|( z)zF#BKxe$?cQ8hV&#kDQB#@GHCV*z#ZiDK|8BwMI^f*t1XF**mNtH;#)#CqWGuoC1THZ}MvIezug!Y|R#4!&Y-DX?u0;=+*>y>K6+r2?W_T);#@VAp;1L|)ie1y?WVL5&Zz`-ujrr(UfYdv z;8yE8aHAL%(rsa~NXLwK$CV9E&Sv}2$r!k)WGMlZ<`^6Jx+93ci$GHHuyw#j{tiMY zXK!b7Xaax#U_O};01}g1($S>;Fg|_A8RvoRqhT$dLN`A>O*Ek?G$VvaCLNX3f`5RI zeT0ASKrW)HJ(5!=b#TOi^mYz*98nX7a~i{9|GNdRlC&-A;09yT&XWS9rD&t}5s=!m zp~bM)tnCokkn!K;t?k~{djlfWrx+Pc>K%g469S+z#_5b|KGWahJ4X|S4D^P9(PJjl z*k~Z}cOKHI4N236`OkurZr?%IY$y(Y4Th!$;1n&~+fXdt4v&_XH|~MPX2fH@p#NMcY_& z@CFB=_y>xagyk|rZW)+OfS#?!c~|(?Ha1AjR<`cR5S*RIu|aZrX|l4xtFS8&-(q;V zbZH68b4h^)CH|EHGbF7A!)f^%B13*yW17n4FoXtjiO9c7fV2zoa--9&pv=A62uGro zZu(>*ZGVX3DgsC?ZPy6Qvmvz_5f6b3RJeb6FaO$;niA1&g|-4>B|HifEmgQ|iBfA& zR!3zCSxg3%yd29LbJnz-^>c(lD7uwSr%r0JO5B0k-PXpHWxJ}^1e!x2kv5jf%^5iw zl71x}T{Go%>O`Yt3trW3M{g#6%yncwo>>m&aZeZiHA|9dNPwon=56G69T%VEkXvD9w1TC0=!gZrkOHAK_ok 
z@DZER(d>4^mjJr}k0D2Qe)g}?sgb@R3Xa~8hTCM8IHAGG2(iiB@4qGh#MQ$v4s&)m zv3;>}#PtaPI;U$9Li&`^ZkZYnKORoAojlwPy|fD;B%F z9s`Gey&_biyKl?`v9?RCMxhocm&>CO_Jos1FK^756-hg;!hx9z-hMM}+LBi0#+ZsJ zQal^X0RB}9T1L;HMsO_=y?GSxp4>)pV3-TeKMD9(C~7{OXL}ABKtZc|&%Yu|!X|Pz zlgor$T%tBRB11<|QVE%DNfPnAZQ3gEuSnQBWAKgfK~tkg*goPLBZD#mR4t+=WWF&y z?qZ3H8+kdPSHy`(;kGE_TWbz60-j=csPN%)r?K(CVP9$&)cDsPPD0mC$j9`rJk;Kp z9VnXX$`&I!)Tn+%K>UM6q46~qz!a_n^hEdNUw3$&$smqqV_$U$37PS(1^lZ}ScTC( zhsESLsbIU_H2yUQAr&uz@3i=!6z6;1_^&tM@F{S){%Z}(-JW5RMFsx>(#RE7G?aWa zGbRQVJ95PfujOA0AgkiDmS4g`#MJz2&(_mts_?bf;$K;izA+#bPEWw3B~s)|tc0y@ zKi>s5!_Od@VzWFH7ZXqnD(}+02(SnLngy?O+-LN!SnfB*%kvRq{3|ZW#Hrl26Ff+c zGsoGi#2*>{l>W8KM--C5;b9zcY@4C27)wQluV**$NBU$#0lhKrJiGi0|N5lp62jxg zCVC`KW@1wgWZ6zWU8-@nwv3gtTTCQ#yCzC~10`?7xQ!GeI81ZZW2ef6dnL}H&1?1i zS0uWU?jF*D&&`mFx);obgny-labg zyf@tah8wlvGHtlUpbeL2!@b#XZMd`zSGM66dn9=tk*+l|1&}^!1G{I;Q~HRqteb0B zT$C3}69|!{bOUlTrkRm-j4B)g|J+X+%KoB60(5`fs`1-18 zLvmZX20&GIZQqb~zq+_k8MpGUtsRQL+7Z}dyOdBN!XpXgf+AfM<2q#2OlScJ$o%Wf zy8v%<;9psyrz>Y=#Pgm%RWrB5mG#`y!oAF5D9|=CYSE72Tu+$YLp~_{s|ng#<;w9k zUSdAyUrWF#yJ!YWBsh6Vz_1-{{A)d`aa|N15Y2#7dj;Vsjd$SrR}V@;RS=iUwZ-@7 zo9$ms*$^zox-z570k1TV=C`mvV#!6gj60+5&yuc;eE`{j!SvO#D+b5g9Oko+@GCb_ z>ZxXjp75^WcJq|$1*x3Ag79Z;yjma&xw$LJnmVm!MtCDIoM$bW72%6D9F;p?@W%t* z;+bqjN>xicBH(_N0Qb7$mBiq?9t-@$zs}VhAwMW#!+T%}|0?JEEdw}*kEDjT>KEI( zuIjqLYl_&BihRwTBw@3QG)5f#oG8 zMgedPj}=42zPwG1P+_yD#Pw#l>Y78Qx$+eU^^IL0lc;A4UO_5+=AIldl4Vy|)%EhC z@vq)^yqm1Tm~_0xPbgIBrxD}0R9bpu;HeX@qfPPE zo|;H(OlKv-7O8-)Ou?RC|oWyv*k*vK!thc-0IrrC+g$I3rZ=n72|XGpknUB#hBam~$i| zAbcJoA({Tet|omjZc)N|o{u>2QeDCq$|Xk)B{MQl;WkXOsxlS zLxi8WA`~@*&l4ne(jbWvOYjWP32=wO=fTO@-WA>$GIF_v<8hV-O#BG3m;!(>7}Wjr z9%>9xj~nx(I;NZ}-hefmo}y`_JQ|Ym>5Zg+DVKzGdoNZjo?Wbe;_){Zb38bRHu0(Lwp`uG(1V2EaBQSm8UJSd4uR8gyQWwD9(7}*=joegNxD+8JC3> zV`;pVK%~x?7fbX7VM4QxHrTuXsFTm1ht$mPoD($LYR&%O^HdP)+zarn&qIMIzg;Vw zM~sOKTYzq-_9@ju6b+7^Of6hscGR8-p{W@d&jk1o_T=*;cgwOg`8=a6Vl{3gK92*^ zCBDVa5cxblnz{Q6tjC}}&kiPick!Ng^ZX_GJfPolCc=!*OSct%BvST=4UJ 
zfV&I!@gY&Y+8ZKV3@FT{+YKy4Au1?IyYcF9dsQ4Jj=a z6iUskmSmiL4k=9bl(;30d1I+K*u#S8_Wk+#3OkAV zg06s9d2!3|w*>?2bwy#b!r6g5OGD*r|puOEoR?2*fWJ<{vde;q~Mea1&;O{I` z$rA!g5VQTyULnsl6cn^ATy}OTI_6$=6bfTF?&=pdv#B&uC7BgZ#IcPPBx$XKe<_JV zFg7LdR5b_iJWuVA(J@ZQdRMMhtFS@in-|u42FEA z;56YmSGe)x%p=zk&3ZBs5Pmk<#H>c;Up{|Em5P%-DR?SlXwg-q;j&NUwD^jXC!V8J z1k6x#tHU`BJ)JqA$tY0@obIT$s%%$jP1`wM0@S0c)k=Rrn@yy0c>ED{4+v{eZn93) zP&S}d6Vms@W4ec^(dvF=ZL#8KkuqQD<$3V%-fCrqho5CaiMV7J$u3c)(p2vyKjUYQ z`cIZb5;GDd+l7Pw;Af9O!p8l)YvqNEpDm(Fr5TyY;84U*h8K;u5sQe!&koUx-ZT)8 zpy__MD~KI_76@V!81%WfdEz=K%4PG$&kl_UnckVK5669W2-}zY{RJR=q&K!1U zb&7x@gtyyRN~y40@6RGY1iV8u@TUlyQnhc_JXcE&6h*G74Nd3^@y}*}r~*H$g6vkg zUOTw#0HO*~>EJ(AMnkg?zWYIBeoFy~jsEU~yhbuJ1W%?_t z2k~ye;#p-G$@Py&}brmZQ9ovIi~%RPLMc`Um&8#NbV zjzrlLVjZtzgc`SfV*Ko>2NEp*$ndj3NPEq)vin&PoJ;)^Lj3a*#?RI=8)<6fXFs4% zHS*&D4V(j z?8_HRCrxaG_p=!2g0LMy8=buXhtJI%M(<797m%YB%u?~oF8)~wRJ0fiI2(abv?L1wPuT;EW1GE`N}gq=6^hq@pOw*p@Kpyc7zh8^ z9kD7)r!E0dBbxsbV83H1=NHso%NPNc2&+f3*a9hUSVv3F3h-yQT;K@iz#2F`*t- z0wCKfLI z$L`1wnpZIF1ESFSg%^~MU4tk@eQqQ^mKwv2C!hsaKXyvw;vd%;y3rPT7>*cCzoR5v zi$C(QV(cW^->@J)XTCJrzC7l_LPOix+p0kdZHPJ?4uUgWgB}Vm!7v-~u?ip|2?B#B z`c)AfJefSil|jOXv@sy2_-$z-&M$ys8}(+6Oh+sju}(~-{z9pvLaq=#)(ZlRRDP<1 z`E;%U=D52Tkk%?3J{Akz7KP)lu#0yQZ=BNZ2%xu(GtIS`0vAA5(6m;ld@L0xA}#pA2A^K^J_%__0XP z4E4IH&{XiTM->aU`RHVBHpU+Wd=npgL`+kuZny#;OT?G>Nr4WUCC3hN^4&RJoEuP{ z!-bFSp=!ek@FF@vaI$%Mh@JFHi;vaWQDZ?r1p2WEcuhJI1-Nt2jV5c!FZJ|UY<&3GF4f-04LkQMa8V5b!*G1-lg7t# z$-Al}Fb5y21!tUNS|5wU(PA;Y`^Q>QLF7rGqJ%}ZkA))4-O7)BvgIR} z(;Y)ZOPB)KoQA`F$Wg<`!crjNEZ1wdq=9L{<31GRXc56+kR7F15|B;o0O(o{9&nByDUu3>j}<{xgM;7E>OuS4 z=|m8U9{WL-`QE~VCVo5NJ?{o>g+^RmeB@cCf$QR0q^ca^> zbLk4H8wZJ{BUtKVI{+159}VIgN}gdk2-)!lIr_%ZQ_&1t0eiu9Q66VYrY{b~st|yt zmoSju7%TJ%w#qrRp8K&EjD~o=(;sU=v_=KTsERz3Yj-9+A1i@M=cUU(AgFGp8vu}S zJBv#Du@O)q(J(vySO}2G8fzvAaEJ0vKK6l>KCiO0unycxuG7cLvTE)IP#BbTcsYhQ zAUSLUQ*14vk7Xda^}E%_E}$H40o&NG91p)A>qAOPhj+X_HV0|Pjjx#9$9}XrvzAKc 
z7UiXq$#Eb1ZfP9OxnnV#EFNgzH-6;BiY>qffGr5*(yfblF1!`*g=@Fps7EZ$7ApnKc)1;!n$nu#ul91s+n8Up|;7RIqgY55V)S|iuf1l!XP%~C= zaQqz&C%J7?|9%E(*Kb0i(4lfS!-h*)LW;9}7S9IB^oDA(ERFY?zGCTQY$sy;y^Nqw zpHW~*qi?OBYR1(?{!WHX@4#|w0wQVg@=I#fF=$Wu13aP{L`9{%D;@^+@OLqooNOJc zcY*NusFzg5aI(O#1h>8HDfX^_l=jLFRpKn?1#9MpBtUOsGx4ihObI-VKAX#=OiUE8 zbociyn#}jraVP;N2{pNffx0W-$TU^(nvB zQEdx(l_d8<7EP<>_BEae7zX0%J)2ci!?ImLK3M3eI0PJwVXn3AEh| zpw&C)_xxZyo}ln)aC0(UJsuu0@o?d-97&4nP-@0Kw$Fk0vw5*tIGD?%%<45_!b1+a z{GOYUSoZ}_4O3it!bW+`w}RKRn5OP3brI5R1(dYccFpVrQ0FA`y?zfq=LE3pPdt9| z+QJi)H#Hl{cFeDo_&qeQG{xokdtyG~Y3aG>&))+ZsfNIo$s_Kg@CtUrp+)R76w2sO z0><)yHx6}Pe20-BEpP3950D{oYF13a`(u#Vv>QkwlY~*S^@I?Tt!%Jb$ZW%6!8D&M zN9T=9f{-L0fwACZj=*d!zlVe1t%dj64P&3rKeQ^Q@*=9BGII8$xL0pZ$MCEelG82<1eUUNmK1!*+vk%vy(c$&j0 z1OQc}yboivzZ_fL2GIqa`I03$RFBA3it(A5GPuYf#$jCKf*_H1^urN}z$ZJhf)g9j z2(_)9reXav;YzbnT>~0vXK1Vp+Cs9J2MC3ewp^`qKT?HKT-1irG%>TfR4Ru^pHVNK zh_lWci~@~6U{9CpO0ZbB#Yt_*noqyYWVtEdWBh3+Q$SShberl|h$I~?XSpcig=DDN zMdE6m^ft*Q>gWRB9mp1viBz#k?%B}-;ao6~-;<-1%n?F;yK$6eC%}5xAzX*8$Lmsg z1thL1GMyeXt2r=(%RO%mgYyv1h~I!U9W8%@RVu+qXcZNmD&hTOcRJQgeq5oM!5k}E(%@7MnF;%$98}sCKsP z-lkMFGQ2zlcv38I_*$(AcnfXTEo9$Xo)WmP34ASfM!i=(KIeVyPBZaxt;$@sm4sNu z-D;&(B-KabU`oAY9e}S=xn5#m7#eS3PX`ygg(s9K$o)M-K&3DEP|bXgB3K zXB`lCz??0lli^GOm~l!stqz>@<^p6XbQ{`wvwoY|vU!Bpj;f3_Dp=o4Dw-}i;52I; zAn&L$^FW_WOz%mI+eCFpo`JmaE=Q#^Gq$NwmGLx!jZuA*A;Ku0kv?zR>qLe|QcM(1 zAng5cJemZ#yMx&Y$^cOEXp9ivG2$JAZ8VNnnXwKyiKtc0;k&NIt)G@BxXrgrfvbMmj{A{s3H zfZFJ&Osdi`HPyUUrgz73U$*eIVQ9-9ya4=wugyYw z9K1mBPj})i3~E4u|5V$2!c34diV2&bI>($5DPP+|&PL^S(_hO2F+_XqB)^wgkDt(B|yG5i|(9pHc&)^CnGP#yV+>5kYqt%Dq!68Yj4xN#>5>( zIean;+D;kla#_SnNsyzdeC?D9WGuYu!@$={v3Y=r!X=Wx)Z|VcsfOqH+9(v%Mf4zw z)O+ZxwKm+gZT=4O_ORogvj9wRDz$1~3&pq9Sx49<^ZVK+Ih{@lB7tYRAIQx*Mj)B5 zRkG7YVKu;?{@P23Advu-lYsl$9J`9&ERUn>Et%qLaS-b6@(xjwWST52@RV7$q0U!h}eu?WVowkqR&AbIJ+TUJmwIl~6ZBKme*&2RMGMs&<}wFrnn# zG9&&Ser@UjoBK25YfHF2^)De?2ac~5foZD^(SG2-=%y(FtKbfhNu5>10AI_2zC#6Z z!Mv~4KsL2nIPUf&>P}ZJPXmK-n9}7!kj-WmP5Yw(6D_lCFltdVwiRESL2B44(&TF` 
z2-RRQd@Tt{qiBG6;IBJ~+pfnPp4@p1Z z8vwH1Q+%FD@p+~=NVF21R{%Z_8nh>#g$tiYI`?9D22ngw--{!r6x*Z{teLo9eZC;+&|Ti#%ttWRq#VZ= z2Rsr1*d5{W+moiff_Nbdf536>^cD{ef11I1EYi;tMn}azU%)Qk!spon6~uAGs@r1;_hcI5_o)nCPL;(y43qv`pQ zKbpD0OV!#34Gq;w`BdzI3Z{6fn?1X2yv|2&gl1dXRCm^rHsTG4+vRLJ*-phX^=2RF zrv*xbO(9Z;&T#l6>f&N;i1Sd0qKX1kskKTi>&=Zr;zS4m)#>FzF8?9i=3 z)h3!mL=O=%7Zw|DSvbVpbH%<0p`~Y0PXz8Y6WyhDCB=4ro*;0vH*}u|2%dNc>o9P6 ze8_%aI1Qhthb8U>v_tm2zt|x_rK#CdW~(Q)EZzo7Cs#1l0c=d&=s_SGb|4fcaHS;D zJ%Ifk38#dR(~UC@oK3h_6qG0*4dDTXPV;NUV}R?c#Mhshsk4SbN8I6}0_F42pt^lg z?dXAMFfYFXgWFL#rKpHz29fc&5F(ChSctwkRLmK59Y-9AYGH>Y$KbM$O8pAXlbkQV zeI6d^mck9!o>A63Ux>3jMKy}g;{^}lwoS~d&;_WhcgW%cqCqd8XN4QD_`IF*dANXP zx;^9yb58Ae07!>ZtHM)Ct$#S3)0Jkk6-8OK#=9S#MWj5`(Qz{#N~jd*5)t zCY{5Wu2ifMZ=ISN0!o8TpwSn+?NnMEU}^y;=EakfYEe{jR$i|eE1%~|8ot#PpJ%P2 ze8MDQNm+o$mC@4hOi6ClxOt?^MBE2_e{8+kT?Fi9m?3<*C!xq>uHvlJ1$AweM~WZ; zGv)vQ9uEjn7>J@MN^{!)00uc|QC1||#3ILHs^bg5UvBYf)6qK=RF2;sy@_#DqL)u? zOsjg*JvT6wpVuLbo(@mo7Ep5Lg%sATbyU7Vs7t+Vr&HYV2!3}W+A2vU2iF8P>yaYqwepB_?( z!L|E_?n01b4WGj5h~fhP-)YbfNV=iY{e)Ru7>8%@!f=4qv*WfUqfxYpFkiAM)W&P{ zE)-?McVbrgn!;^0>Vxg?6K@92e`TLAExM>$Nd-VkU`WP(AA$49!O70W9|lM%V}uL` zY(aKzbVTT*Gn{l|uP^U=nYY0FC49wrg)5&wKclJ=?i_R?6< zb^sK?6aDG`zeT^84+Nn?Gdoe%9lrOs7!Bz0LTt*$(0qIx>Cp z+d!FqUOfXEpg2z5p6TAP8(pcW+pn86cPEvITH>2^_j0&296qma6JAUo8pyXSsf@m0 zezdSrEWk~><_47SsKd6g6T5B?0R^_Ss`jeuY zs3820nn(RK(1Fiodw833MW+rwQ)X~_V%P<`!d$goYT)Pn7enK@s~+8x2C+jVx$vJp z4tn*Iz64wvuh5(+>_?46&k<9Ps@+ks^b07gu4}mop@Wgb2h$5}wR60Dbp?!>dlDFo z{XaA4aAk3V%@B6yjPZj%&2k#+zXJF%-ZxQv`Fq`vD--V0roV<{g80z43wnV^=`oa? 
z`B>FQI1&MM^vol@5iwP0)O9|W#Pgk-aHN=Pl8H})OtU>7NMuSoxX5}pYWP?of^(#V zW4F;O!nkd2*DE&tp2lN)2wskkvtB2`Jy4k6T((=k3fl+{3#gdNZdPjCJ$z9#vjmQ~ zmRY5%P_pbS@(dGmMV7cEqN2w);B)5rWR=LsR3t!a^oFX4n1vd*V88nrOgVMXV}dU) z?e!rCG~=47kNX2Mh;JCi*ved2_su^rpDEhav(s2q4UuT|J>b>)a#(bM6-@8`efj`H z7GCn7$IN*PXMhWc78YThG?6txm>*Ko^pWtI_sEm^6i_;>y{ zsNCzL6Dq0gLhE0W1^FAV12s$V)kS?-I%8*j+e`^ojuV`IJn4B9D4nDn-t) z@rBIV{iy8^WyYIctN|OABI@{~NcW^iObefVXG4!Lo%}K{85gwap7e-s;q!h$tf5Gp zK=I?e^9T6`mLk!;P=d}uu{KT>famrTPYgr*V`qyIT4Sz8)(5G_puQM%u@))o1 z1p zI34o}!{t&!VC7ZpkB&=x8uX?VCn!}kB1L=GY=<`7TI%~a2#Ow}SbeAPz*4=ahVg!! z;XVX!dpHbFeFh&R&27cE@cXoE|FvphGeEv{!T^8eFHPpZx_a9VI#Lj$7~RD z^c)rZuAHLURc84A^D49RuEMbd#iv&Jm76h$#e3O0G;|_8-TfSdRxFBK zrvl!qTAq-K46xpu+;4ex z`i!5shB4HdFA|~`+eMf;St^#1%%yZev~93@ zpO2&Jjjw5o&A;v+cpf;BWv@D^{NW&=3!ic|1)X8&kHjajThSF9W%;t#&Q8?Ww1vkA z{s5ib;~~a)?DVzFI`>3G15M&^smfMqJJ-1W{J@m&WtK0jm{s+iD#)k5rAy|IlRSH{ z`HX1DjnZRAb?!+XkuE-aj%}eW+$q)1aXfj0(K~1Z+M>%j~ir*B&MlM)rqJ`sbT2`!53=xM|?{ow+7;r>AytFNQsi zk>(fLbX?+gKf1eqP4Q_>>V0fLk|!Gnu3wMmilP6@mtgYE*v7-{i5YY427GN39O^#p zJ$FH+Im+$W!%atLQ(UByaeZcZm)g~;$LcHSaVGP;q-F{zx05VX)7~tF{-t{5uHFbC zuq$uD{b}mS^b5_)i~vJGyub1tG8M_L&@=skC4v{gyqc1Gxb@+*Ll?+aJ6amM;T|%C zpRz<8u4naC_%*YJxF7J;41dt6D)HzQH~6vN|3fOhZrvS-pg+CTuV=vbu}D0p!A#Yc zVP+rS;K_&k%ID>P)fU>*YYn{dqNvMvO?vylAYd1pb%Kly|MN6dEL^Tf(bYGu^{M;; zXVaCBMLaIpUH!JKyX$+gU!_7@{<~HNYvOMX^d`U4nBKffKBM^`fC~!6-BN!koTc7j zLpKg<@VLp(`zW$zaaNzUW)p#e`)bm_6i+551Fi|V=w9nhzk`a#VQpMN!tYW^1`JSB zL>b*g#M9hme@>>Z9}7V8ljD;Jmy;K(UC;`zLCtg3k}*!?2LPVz;kVj*waeoeXOgHU z!MMg9t2tc8dXoIi+kZ7h*JWu49YNdmR;d~&j4wZOrrV531$|{ffgMjK0q{BR*Zzg2m1fUc@0gTngJtMX{G5- zy=fYQvmIe6ZDyw-I^y?yxX1XM=$Ncf%9dc^_Kt5bbiYd({nBL9jq>3+H>eQRG z1#G6jj9!x;EV_*c(8cV)N{~TFV8m`4P-loW{95bNt<9Eq9YE7RSAP|_R8S-&S)#{M zT%=C^;i+!~L+wc})p=dijF=lq0)psJZic~YQh0JP{uda)LR+-vQQ+dK-8`S{Ga>B! 
z_AcJlIU07s0)1H*-L!F^&-!HYmf$u!2)IKo;eMN#<)q95HPiW(_MIrxn?=ZM4fjbQ zU-UNsQ9J-Z@9N?NoVl9)jPP-JTVV>k-bxDnK&EY>wBhD{{g2C4fU}87{v0!(564-W zoGC8cfU`V8zr`Z6XHk5wnuin4WPw*yw{uf6^C2`JVZu5N=C$o~doy89=^)`#XW|Hq zus6)xO#Q89Ls`oh*_TD}`76ysFi34k(2DxS)~}AWbmGmaT+(>NQsFOq@7iu3w~Fl|Uzm_K3s^qTWsY(&rEdY`xZX=OgB zljhsiie_%?59Abp#zb>hiu+$*D$Qc@yj{v+u(c^TWZr!oG)cHCKJ}^CwvvJBr@NR3 z^@V`8?V7qd_AkHP1QH&kRhV{dUiJ<0KGBPzyc1vY=Gy?gWWGJ?-yUZL2|1kB5wb;E z^-uYC;R=8%_wlH2bUpt47JeCdfCnzFT|05aUMr_^yX8OcpBY!jok$MRr!~|;-xjZ0?t3ln+Hbs^`*c|Z9a~h$M+W?ipVB|oyDVR;I`=y z+q{Ki4SehW=^Q(qlegyue2%>79R9O5KKX;_(p!AcV}f!{Lk2!q=6h5#Q<@g)`Ebqm z;9CtV`zt#XS#kkk8Yn1#N6pW5j*J1zJUmbD*OvoE1#)7Y=iXQXg2yD-Y`!1ITf^fR@h(%z+WowAu+=FQjj$ zsE3#2v0D$_G{MvIf;~GaTb=!U3B5VUwo%r*+>keh9Zcnk%z!Vm!(oa(TNHb*iaM>~ zN9b|-ZmIRnb|3N}5KT~rMtrQ-^uk^NKhEOpZ>QOha;#kB&^|sMf;pP>k0`4fl)dhn z=(!Jn@-ScV9PL$cIkQq~3N=!fW>nDcUYWx1cEp&ScI z+IxGf2ZRP&M|TCF2Ebev8x|;MCkVW0TjmI>qAyPm5crW?8%9dhygEu&;87`~sYeEq z@guo360^$sD4@5(x4)!y=9oBdeYpA2y~b$Q^6%(Axs*BHUF0}lE3y4>0Cjq(V}Rl|5kO^KHBsv+ z%)~tjX`iM0@r881r{PFn^={%3^ZYh$ZKIcJZQjk)0cFuEy2LR$DL)R!U1Ayo55)-w zxI}N}`Vi$iQ8WV6o?Pj&UC-F;iL8fQt`9?JIHvu&qJ@3m^UL%w7;ey+{h z%vO1GE)xG*IZs=Z(Gn_N4_-Lwf>Uk920jn}oSmU}0jV0@eXW&ADf2;g8!?*z9)O} zOM<)vF8F&)|9gybqM?t${^WI45)G47hcD%e1ldi!68EHL0H@Q>#!%p&x#`ZQjakJ^ zsm(X;12&3ZdB5@p4AHikJ^cl1=(7Cwcb0mJrAn?;E`DJ>{)MIoajQK%1c)5JrJ-j? 
z2hQ|}61%781G0X9`_h>i!L2THLMVuNP%Gg$xHoH$>r1&?e1p-u8`5{o;J*F4uLjc5 z0$)Cid8EH!n@LUpc0At9FWz+ECs;8JkEm2Ttckgf{9Q`@8YpN%jpuU1FuZvN*$36+ z?YgvuTI7$sSq&Wa`Gc#{1L{X-m-YZPhYTGjGOYh*K2(e{@Wu$;m*;!47dwInHrt;u zHbSd%KFYq@G3m&X^cnTm>+T-)TE7*$x3=Hl^G;X?dVo6y)9$M2PnPaVCk^xxThj@M zxXA++o#p)2{QezT)TGcG_-46D;PKKhfOz|N2>vv;myNLazSS2S^H4hk+!lV8bj{D7 z{Q*wVNnI^{;%!1^+U9-4T0T+0fn+CzIkP(&6+F&LmIQ7*8#lWbtZW`9uAz9$FgmIJ z(Hnh=dEoJBw%*-8PYxg&Ab7C@1KpSmFVnlxx~h2@fd(XDd?CUw{ns!%z&I^LUnU87 zLBV`IyVUP?OzifuLENaj?vsXM#QolhrBeKs*qEvnJxzf9P`wHtQ?#UC@O(;F)ag2XpIQL7BKs*UD<+&(KDD zLA$jd{$8QQIavAYUvYYTTV!{X4s>1uJZ5;el4s1|I^~SnchsS58cX0yG>#$El2}zW z9uQOoT)dYS#+GRFW#75tv><*0ghvWx_9g66oI;#!>xQ3W!D#Mr=lchZck>J>hS1?_ z?TR0ZISr%K@>_u3dFmN9bRN*bfbCYvM;y>on~mQ+G+b-$&;gxt@re7keb~3w=uDw2 z3wIvZ^?e<)XvR6Sh!!#vXO!m#8f(tQd!z$RL_Ht>Cl8@)70VTc42U}N8hE3|BYJ)n z10{}OZ5l1Kxs|WXJFc0kyC3$|@Qze!@LIFceG+TN#J)EQ6ZufbtKT2GT(Ip|Nbrf9 zKhLUi({Y5=nq=wj*|R@TQ*S;|@^IuaH}=C5V&YABgnis#QNem~W4kBCO-$r0v6|*9 z6H1t+3(>&^-{9DF^KF1V`}WMvSTe;SdGcrw&L|zQul_NLiVh05sW%y3Bj{6gHO3n> z7iwX=|J8&_gD8vA{NVz8?9oi4b!odOHfw8oh)0*^7QmkP!c)m*jfu*VPOH{m$U7=< zAX^uG_!V;p_W*VS*ctBz#fy4G2xGiF^HQ|U*25#U8z4Rslujx8?ydZ=>vDMbs)9rw zQ^o%!&5NN-OZM^fbAV}jP!wa8UUP#HzMbTQ4A{%l0qP=h#7)fuM8J&%41=P1+%9To z!{Rw|M1xSn9>q)eo$c<s=j-L0IVvnjyJvJ+OPjP*1_F0L1_d~t zyRFF%XWW|3dG@XxD{3!3KExVFzQz+%^40_+Qy;HC-{`uc$18sd(3j@52%es_v$=A( z=U`;VJ7!l|`srncQt`JAHu>g097)FWP+VLiO2xULAkcK(;pPX=+3Oddg2yfJ(Hhb& z=q>1VGm<}3lFa&B)kDBV66|@)9-wP??ja1}VsK7>&LVK&OzsymxzfkwcK`Jfc=cG<>DZM zDqaxVW)m*^k?JiqyZsRGE;LmzoRFRRK1K(R&J5&z1~q9>I$%k!sWV;KUe^sXJm-$I zZ))(Q=V)PI!-G~UJedLbp}$*G-*9ODzlO4;uY<-J1&1~ByR;zVr2{CUyuwtqm@uRX zMY#aTE2+`KZ-bH7wd9s;mjmaF|W1|k<*br ztNa9d$-X;iNH6b)gpM1yo2P!#mnc$Pids3T#sgwNN?Yyre!Kw?(U(vpa6_8;ZBpal zhCN2w3+_O^zoRe>RL+l%y~PF#OBr`@oV}f4P`q;IbHwrEa8lo8G|wzRZt*|WtQ%*F zjhER_>fa&Mh?TEEEIZO##`h6vb?-rEzkx`cbYk8?lf+uIT1zrD6SY%&c#o73JR~p><+%Po(oiLS`wFISRB$ z8;z)+B)8q@eX~sQX=IlLI(^pLv|FD z4a92yG|mJpV!~-*<8Q*L-Dl+u@^RbtpopwJ^0&~qY%o`cx}wnz($ILyv-<_MBm 
zk|sF3{;zWUk+GG(gO{ME6lH%w<9I$Qi~FmcA6XbRqNg_ABPYo}4Gwd93~u)4q;|O~ z<|Smngtp&LyWKWVoAt}3zQ zm^3UP$WSc3jYO|#RX-M$tb3~GKhK;n_Z@|>WxxC84ev849C|Hxxghhf7uQyhVnLtM z)4QJPoj-7Qez5<7W69l_`InE!QETJ2BHVTfZOeRwBhsJJyZt$evuz+~9J%@{z3 zmU%qKkBsR}7!PZdeeQP1vKJejVh=(ue61gK0=nZkj2#zJ>B$ZS`SjfEENaSl7dE9e z_&ST!Qz|H1sO@T43*jf{FYX5sQ;N|kS*OukeokjNdq2go+j(k#E*JWP|7L8lAfEXd zrYy`4>GFM=JI#TP|HoMCKK0}UompMBkgJbo%mUZBozWSAN= z0F^K(K&1vV#m9516>rawOi*f4z0M9m}ffCYvQSd|J@VjWeK4&=YLJKstOH)rQ zyuAUD4gFgbWM67DFmmuc5-ARM@!{L_uS>o3O}}DLpA9@DIIepcY+RCOV@{)c$Z^iG z`NzM$Xf5Qqs?^(&ytbX6OhFzsCGfmk92T8>krBvq1BTW(Y6=_!UhxRr&NzNA)#vRj|$z_6>pKDZJV{|m5aCLz{n9E;+ z6@!m9!tj6Wb!9(GW(L%t{)XiANyoZi)C6=X(vx6#9q4$ksLeZZz|X&pjrDJ*_VmL9 z7ij4Hw#9Ax7kNoiD2kxi+ONGfcnc@YVQDF zW*?GWv`Cs>!b0tuIo+%ar@#N*CMQ*@xn!(@<6!Ut#5YR4YR&r=&7Rsdk21aIAY8qnmjw!47V;&q2^AL#om zk~I!KC2vNW?V(<~av(0eBE0z`E6H2PfnsZ%4p;_ zn8S7~%&E82p+^X7e%yA<_TEJQbNLbATwM9LbnrPdTXSpEQ6pq2shWOW#ky z`$z0kSDig1$4Kb|mBl1}aO@43AI%tUW0WnKP7S|f>*Yb8-r6>mH{s74=XujJI18^J zJ0Hts1CxJfGFP>PG!NKyOgUvzj&*vDAHCPy6JpWnzE169J(|Vf>U&n>k;EI96xDnF z(oI~9bl_CD5^MRFU%|;;GSZjl2T?~>f5juM@ETP%J(tj_fP{tCv?n$W{$$^poJRQI zjlL2b@*gTb(O}yjT;KTJs7LX69=Jr6Wd{FJErWQQi@Y5?~3qUq5dAdYV3c88Ja&X~-%xS1R5?1@2+rLokT#u>mI z%k60yF$-qq$b{ji77~)O3DY(~zwAUfD$QI{8lDp6HeC%MZwiBiLyO~1z6&5=gEHk0 z6e0tx8+m(;#=}fgkHyZC#XH{S#}fKHBWM3t2Mja~)BP0G{UrV@a|jcPVQ-M`2u*D0 zR^*QZ(-8KCz!-x7!WwI)C;fxkQySZ8{o(rc(anI47BJta_z6m*M)E)2?wS2NqAtOk zg>*RVf^BCxPbB%=Vgb8_pYsUd^ZhHz=~(5eGII{u<93(-{-8;eF32?GsiQBiJ=xlj z+zBH47kjh2Mq|X~3aEue_X91lUi%RJA2y(4&5zql6!pk(E>R9>div1K%54Wu%5*21 zXvA0W9(9;u)V3VB%kG;7F#NcS1`hbd5e`W#?5fB<<_0#AeFJ)50<6zTsj2@-AaU{E zYvIRelz3K4F#|sX-5uRsKceAqF1fw7d%@GZjkL5p4?#a1bPdI-lBse8@`rk;`D0%u zqc}IUlp9$;_sc|elk5f+HSYU=b>@0Ut_wAOwK zt?g81?a4~mIMnF5rq=-5MDvV@h5JP?(2t36@M(;WrX?U|I>wt&rtL?yu(KtH$bz&@p38$jdAi0OaU#} z9X+h|mU*;Q@W-Y3^tkIuL8HS@;!@`yB5bo1yY1wKs57f@!PH<u5Omj0X&`Q;hbEElOK zWzLmq8&h1kFu6FIu0CM^1PeaJZ91vqj@L^rNtxmlGkQEcU|WkbAmfU09gVsqeh>9t zN*q4uwz{918NjgtfaC&>RiW87iru^th~UYq^ez~ytK 
zP`8YGBv?CEB}e3nElc?mt;ZKyfrJZULiG6p7-xRX+3#yI>pZjd*jW_VeaQ09m^`1V zYfabX8uw)~!#ZXynbVIw?sRHh)sq;l-Q6^J$j@fr`iA^K;amMPHs7Q5w?iC|+msnc zi>sI=Uj;x0Bj z6IS8Q2~|4#Y4uJ;7?9H77hy-kk9TU_x? z*8GQ8`Q;dq(}95*+8;)>GaUG=DuJ)8p;{8ef5&`Oze@)Ukq+sD=*WyX9oD&2C}t}g zzl~y|x1o|%U{kpGdMG{=yK4;0B4QC@$$_Lv!`r>OV8$%IX(m2Y=8eJ+vMUIGR>Dz; zag;~qb{KqINY5}#ZSs@TaJ&)|v zta)a-wa5FmT${Sj<8}^JOtoA2dh)*K=V?#iwtE~Fe1@+5LJnrhmeO(l4!`A{!(r&| z?KNqZ&Y#>mX26o^2nf=U7>sk!oEN6Wp2TXIK3K-uiH{tbET%l->zs!u6x{-Q{OJM2 z3xfloMPR~b>rt!n_wL-B%xne|B870(vof68cRK@0p#}WPm)E|{vI=o2IqdxU%~v8H z$a6ronkf>>Q-%_`^!4YZ;w);n5szG`FnUqGu*c~`hiV_1`2trvM>qO-a<-=j*9kYQ z0O0%aEobmd%D~aQtM{YqK~*6l+}y%E)<@%L&%u8;#pnINqgW62VQydM{GT>fq5&c& z`132JfBJ}Xbq>r6Ajd>Ln<5zntpSr~wJpMHv}@?@zU0w=`aNy`+|un$TdOkgI-sXU z-TljHF;nF|Fk+N-H$1H`tD?A}N3v5KJ9uCfflunvMqWmVWCW}NqN5*yz0dn6pG~|S>-+7;n zyKB%q97K!f#7Cvj>D1>=ONDq>RGc`SV^JNGRm7@M5hht4el%bkP-w8GQ3rcWcUy#) zAu~>)kDHP?lDYRGVMC+hMgPXfxYoAkJJi*cdTzNeMblUb$X8DTzh0i^XW+Z z#F6|90-N=(7LU=KC2f8NN(MN^?T_i=5`dDpnmQ0p@z6Te{{2UrNR~i_T{!%;OwnW0 z_a9^8C(@-n!`bDnsA_v>cX@lcTwxqP$TyM01vLi9VYrEJ*$%#y?OUyi)AM{R4ix>ux#FJ4tpKYmK>Qi zQQ}lmtd@;8daz5cLGw4`wegMa4#q#&{uX>9S@x{#oY zn#-%%+Smf>u?_!c9f~V|?{uISx`jcI4>q-1+RxsJoZpG#fq{t!^je;rdhwd0#p#+p z^3FLDpT2@E1Y#B=TCwl5fe(^f*N@BTh(Ew){ayhzHtKXZRL&@OuVwElyecTQjyXf#Q^bPmTOY$Rf?rP>)dVWfDrGL{%6IK@oIDF5} zrRtlIf7A3BFM+%TmtW7>NJbw2|3+hDtF&Kdy}5y&PlqwXzOS_ptLVr-mifcx^BvGY zNR;2&E;Q-A4;g?$YnVS{);WcI{kgd7OIWxP=tF>8ehWd@VZ>R{=ASI&)&{NEjf(m_-g z6FkiEXxW@R{=WeTE+9+nr-E0Kd%ISNeU`4+NXW_lu#}EI8y}kW^TP&a6`S(w|61WV zd&#!!a_M~FB?ek9|0ARwC@a&LR)pAc-{&Xvv&37fALL;BKhHF(C+ z-d15Q~0c(}v9`e|36Lp^?E3Ln|Gg+ieYdh{< zivjdY0^G;^M#x;cl*jS5JS%hpINzHHetiBA(Xj14IID|iMEVqGq}aBl<8-h)S$j`g zW2^HEH;5)+LNAP-Ch!NBK0eNBJ9Yj}W(p5E5TP|ve{Ujny6DyG%rnqGz^uIYi|V?- zZJYCA_?_lIvMVsgIHx;#DCTxqjg|axIyD!9bjsr>(P2WqE!2NIHzc;WhNC;HCkYa~ zAsh@7i(jK=o0qdhHGn1azBP~dY>i?_Xo#dS$D zd^nO-EO&>Gwp6_?c+oS`oq$x;VaVrYERJElfnRCjCi+Xn90}m?z{QQ}|I8cuPpbdy 
z2MT||IA=WQE&oj!v=#YSZ*?1fdQF5}127L4K%JMdy`{B2YYuvP7EuDeZu|-dyeW^j%rx(<9q%mw{kNf5!V*YcngHte#P9B zsl9D~SQ`ULtX!miT~HoG+#*)jPyKyccGoQ^tboEL|DTi zIdQBuk-lmAC4SSM)5iTE%{w9S^C&k7;V=N!Ep}cTAh#c8q$^lPnl%pyRP(YJ60|u= z?k61{j01K~O#c_lZ+Qpz$FE3?{8R4Wwk3QnJXHu>ue(zBwQlAiX($d9=ItFxdY%pR zvkm`_F;Xu1ul%g$aNNdvlSP1Z5Cb1&#UtnDBl3~GdokFfcLZ%wZHpZ zxRvFS{MKHv#iz_tZn^o1DgRXmXlsBu2g^JaHcXy}D)i}Z^CpO6@)=u0hFrqG=Ks8a z$7PJ^MwT(e%Is+$LzhX-I>kO-T(O)bnKLcjT@Z<7CdKPhKvw>W^KjguW; zeart+q({aY=ffCJvk`OAg%3IA_2jdE9;ov;6$w7dGmX$K&HkaKGd}cEH-0;S0lkN2 zEQtnOdi!hU{f?S`)p4dZkZdILXRsj(UAp_HNB~kB-t_%WFLe+3=@7oX)XPQhcI6pH^?@e7 zPVOPx?{Mz@`T{eD)s_qB{Apl9_{nb?SMMb1Ty9*A>hcCnpC@ot=>gyH%{<;1++lDU zFY25G;I>TeYbW|Oe_?okrcAwV693!Wm0Men2QZ4`1%K)&Le4kMfYy?+x|G<%i_Yz+ z2gMbmKan53(8Wznn}Uh7(bnwRLiPW(PrjPw>E->|LZ?+PY)Qt7jja< zT$02TG7EIKM0u85GZ)~C6rKTtgts`5o$nywsca|Kb-lA6;xNX&p8L83iFx{h%uT3e zv;C8}SpNf z3c!cnjqsftc2K$^A#JxVpMSqL6gbfSWEp3k4712k2H50OGMboeUS9gziiHz2ZO7_kv{}m zP&{!<7ewqn2MzHVL0jQnym{jB$2+cb=>nJm(mEQM+b*_0`=WlWU0oi${b zzeGSaKi}ZgM}qh#c>HtbZQpw}P>=SUA{_uQ_y{q9%|dD=8cu{bDSob_toIe}&wiCF z4k%rw{`LIR;DOq0Mo;|Xlf!T9hPHl-M0|kMgEBfCcfDStxWC#xaVhjq^<0QsUhjy# zchWmGKLnf}{4E_qlQ{kU#U<_Q0@+gMiy0k|ZZ0yC&Wl5+qKT_7XQ0 zxtS>WLW5}uI&J)C-g}EqYB(G`x&o+O@sBm7OS{EQ2k`Id2$j7e`o@@cgIww^T%hZt zM(jP^W7^EtB`rJtWl3UL9bArl_5R~**2bYDj~k-XmeNSM;8elSEZ~^Y+U7Xkj=M|p zJll~iC?`?6AEgnPqtAS_LKujH&_zOt1h~uk2L>_OxXJLs63`^7)_K!)-3JDsisI49 zRfpkf%FG#zxJNGIYSJ|EEC>l9o$J>a*pngkIC}P-O6)nX0pMb0 z*f*3obMpk@N@QixGtGltkC@+_n}1HXwZWb8Ww+w)k~0HKG$zmW8e@&~|0(r!kLn%) zK>CPrflu>8t_qI&@?R;&StBqyEXo&j(T+3U9R}xVHLD8;hXj{<9?EIR$i?MZ`|;@E z`i#*(41Vqmgc)H=BJ2G!osWOXu8ejzC7%KUeRtwP1=+LMys=g}Z7_E+`j}rM4z;Ve z9TeZPX4>{9H%$z7Ue_Y{tr4w$=^0g+Vn`xDcdZnwT0C=kvsg#GMe2wTsY$qwvPV6- z+>;_J0%3H!kd~$)rSJtf|F&OxPYJuLd{}>&I#HklxV0`vWn6W$z+8|yo`pAaQ_{GV zP)j-zCGZ5W!*~&S&Fi|8-!he}DF(%50N}a+#sA$vmCosH{mhY` zj`=X1z^5E3MnHIHAz_v4zEodt!G8F}dq=W*@AG!g1n_Ylo7Y?< zSpWS-BPTVwmb1S8&;KZLMtZr>rFLSTt5d`-kt`@w)D2-+j!6rA$k z0JEiyaf8ZGF4Eokt12!$cFWn2_!<^NhY`hZ~KKab)ngm{6K8=W{M%^?_5O`cD 
zjNre7S4IWLai)sgm%>Z4pI9Ahc~@r(!)fG2%L{wdx26(3_}u?NN&{M~S&+g1mDun- zvn{HUAezIu5gbJB%dx_cHxTgAhjTdPcg&v_l=UHMn!PN{WG|l0K_cy^8!5Hr8^+JI zOQyaW^l>cyhlk7SK%BPva(H|GtQ~Lj2QbCu>xxzUY{A=?xw=awV-;Rq=ULs8pmXT* zLm*YJud?a~OZopOIVUH<$Mdk4o4NZD zLwHu6-69|OkUa)NJ~62Yen-OW#4qxHJQr`fIZW@m{Ei?)CFRgbK341>q&Ht0Pow0fvr!E9%x;`M*4^1m#RkjqS7M$S+^&|LN#$EneVn(;4Eh z+1*-Ij_6t@hF4Kq3FRIKgL+|C{(>&btr7ZhssQq7&R+$1${L*ILC=6f|HxSVft~5| zwyV3M&w16@V-oqvEG9~5 z8-BXK23$eY^Gb&d4tF%DKZ4pvO=)=0^6V8AX`+G!8Uc{IH94Rti7U?z)n|PXp;y=e zVF>@HkT(a5#1wN<+AU>%i5Jp=y#BD}AJhp1F z*>AY`9yGitzyD#3xvUebHV1pkWY&KJ$E%qN%-vJjhJk9?&1NXS{KvmuDsNT#9Sksb z?l!p;TwZ(gv2A%Y$#OkUK=`@iY6eWT-1lej?N(GlAPCIUTOu=Ycdtf{)mU>+`HUXC;n#qi%rrk|H1 z;|u6KWF+=V_euT!ag=7tHMVW!4czpNm0`m<0DN;YsY&r-a>c{2-xNLlU&#b{DC9oM|;Tk`lh? zp6Gb;rNK4<0|lLor_97FHeC*>ng1a99v;i#sHO@>AC=`uca%08I=>Zy`6vx(-W!4I z$97Ybp)dR3Su~~Zr@Z7ngmX+&`0Jz;O`I?>5BAmr65KvHO}50aJ6GMa~o7s3pXnO&LHN8?RN6^3~uTi#@%!A3rRL{4__^| zHSOk@B?=nc__S99aGwFz%6!fF_sTpJ<$EM0*vl?91LKY&le)E z-t|bOVGIsFY3pJpM1^$EsB~CT#7n;Fr!J)WO}GuSs0b z``s%QFtiW##!8`6RLp>ePyC!yG@&@X9G0_yVt_d{!mGR}-JZ9PMAUXA58hbz;gn2@ zoA>qS`j{J-BhJtjRy10~5WTSF>neajBZPG)v&hqO`ShSps($5J)m)NN}fWI;bx*bNl$l;vvp14E~c-fZKj}c6#Fq`4ywr@+GT3 zrXB;E3E@b#*^~ssd{E#XDbQZh|2(4uieYFzX^w?WILd^Vi(Cj$rMWm5062h6-t>pw z;!2774s&K2vCoypCmX#S&je+RJJ9t2NEDBuy7PW*gm$n)<%~Uo9qwFp{4}!MB|D(w}zb zprygdvgprzX;|3;gG=X6wd}!xpCNgNOp?Zqcb>4Ax%^z|@g%2;#@Wzs+#;s`^Mmm} zgA3Bi$5^&6tncUb@?&%9>mZCx=4Dt5U`N>YJdsCaM#OQarEZgZ^2kmIn$Az1?rxS( z*L@#zpZHbA(Q!JFTe8rF>Z&o7c=^4`@QjNcU3G?*=dh#c4Hf24C&7{o1ygp7lzN6w zVo?3=v*RmNsZM3-Q<|@+7Qq-UDu3++d#r6EBkcSVn;%wV9O-tsR5IbR%gzXzp45tq zYEiIvg3AdgobZI~=Y#YxnO4iK197qZXy5@N!R7n|h_L|%<1$~P( z_#dM6w+go(7a4z?1qoQ28M&*K83!?vqDAMA&0I+(!?x^eA?f#M$zFH-}33t7jj*Y*g4do4n|sgX(V zmI=wK{oik(pIPEz1G}1=@Hblq(!x;{N4tNxAE(Q<{r<4qum8b6()x<2Pg)}}Z3XYN z`qk6CeysOFxdXcu%HAr}yG(2Ec!Oke(xkiEVJ&Uf`HpeaG3V79itp&=aczVH4C9Oy zlFxqu7{u^Y|Lr4o$!kgZD^!dnCY`AcLsH~S3Iv&koIB=VtAnAFV0kbiR%s?Yrf@7* z03$b;Q;aOjDv*d3O8ny)XL{fKfT>D 
z3#;Im)OyMlfQyY+BflS0G=;NrJK0F5;bofEV-0jyZG}_zZ12?ay5tU?C#=aH3^rJ8 z@%bje8~X?E&j1h58_^xpeHXHoZp8S6IdFk`P6tCST`=LNt9?@m^XZpGa#Tt@XVP2` zhQnAlfr8-5516LlHP2kTCc@px%>P!nR`kyCstZh&73yGZfwm-uYXU>WZB?PL8|$#t zVZKx8pQ!Au_Q$_3-qz-3a@sxKL=Tfs%fQk}OU?j& zf!uZuK=ar{wC)|oZQonc7a80W$2!E|oGv1;y8<#g2RaQQW!_^rorgKAcO zFj&5I9bxO9odWe%etM=*ib&Mm2ia0rALnqdi+qjK2>wDRd;K98# zm}BSeKdrw1hRA1IYj^R8K0By;GOo!q28ZntJpkctpGYM~G`u%{pQ_$6pnf$!zz@nw zKkLIS{pPIKIicxudtsT=MxRDH)~y-cok|3@qR?lB3eJS1Vd@oNLxo)ZT_gHrIEgp8KM4)0poX` z7^62X99IPFz01>j2nS}0%QDyVbD=%_(L#BdlsdiCxF=IyS;!}%QL4x%S%H60eZr9w z&}AMk7f;#)DX2ESUb<5x0}mE%L#EMHRps@DUS9Aj>X+OA>#JXh+6u41w<`8Ok`Ld% zIMsPR(iNVy;4f~D9QI_X1;(UxP)V~v>G*^`l^=F17x~2+m` zK2dPrMmNqk%yIrVdwajUe_ugd=uevdL{#St2#Bt3<9n8P`4AI%i(CFdQLdS3w3_oZ|g*)$MHQyaPCfv3Jz8Rf4yG1l( zp`At;J6b6y#re*`mOCNo3w>?&_}^!7HM`?1=(@Xgf|KD*1B7NXfTz=o&3;77q=!AlFiEKJ$>7;-T2Hn`0-N1yx{M4#8$`UB>4(~N=u z?T}hkE`9djHEX(8#_xZfy6ZsVHSseqMUVMdzh;OUuknXd$@^ZpI_@W0tgs;GAUn|I z5V-og2c-Y_F$vbya25OAgp4tnrJ0=e`huzNC-?z4x|_b+%r+)3h*Ej+*ue=zG6#N+ z%TMS%DCuF++-F7vIh^3YezHQ9e2)OUK8!0}VM~rf!S0e)r zBY)NN)=VY?WY7Nzj_2#yUGd}{sYhnJQ!weUzn&Pxbx$i>4WQ32iQexGD>36Pl%1iO z^O()y_{59c%mo3+qYUZXeR^P#{Ba<|GW=q19^H79(2WD4u}<#?)w4tCM=#S&%;lk< zx~jlooQ?eQE52<3*M&*4ub=;+kA5r-bCe=0uuWinP-tS_UrIEeuJuz3gJst*b` zuX&CJCv2%tlDHf|hK9|9!1!Mm?1^&vo>M)4(zH_BP(tV13ggQBmF}%Qj%SfmKn+Hz zM;J}$!BdaLfiY|8jYHd}NAf2TQ>5SRs`t>E&+ixmedbcfGQ6>TcsSY%-CytIh;)So zPi$vy>jU7X4vNMSK!;oD*vP}6h&mY6Ic^VD3pr^byl-ZwS>sfmp|^Ajw^^y=Uw1qXQb9-lerI2OXf0HYqiE#@}NXm%|-_(u-6 zWLck@8#u&g@;h}cH;3Q&xR^8FPFYO~KKETMnspFZnz<5YQ2;zZ!@n?~Ea(0W>6hA! 
z?iW8;Q>QwxYzRK#8TG_S)&QU#}*Es z6P@*A!2^=c3_hvq${}r4f>V3rrz{6JM6*kxwUCJUzux<#Qa-GOBjFVpRY26C*}|hB zPN_nqAP>L_AEWtPFm6FBYEE4{VUqSMbpw4BwT!ZL{O>=-h~VLOnF#HL!+f)l1bKIs{148t<#Oc zUoeKi`@7yRV@)2!A`t#s9q3#3`Ba(Iw-ey?$avV-&zBoZch^+p`B0eX->^A85+31T z%@^(GJUZZnm(~h-GT|nl=W`sB_%#gi^yatWbJz_4iJzm zunmCH4(nzjzjW7-><7M+bp$+YjVVs|2YkAhaN&Jv%JHM(>~8Sj!>zJ9y zxx4+kp`$m~X5;C^y$Qr_S5ChyKP*l1Sj@N4km!C4!l#6-V!%VjJ;wDhwLKEf_*BKIb8EV;>9!erGd z{|q9q_F}l(<-U4qtz?1kv>Xp!{u{r%u@vn&5L|p;!8VElme5u{Kcfy^8aDC#sh^K+ zJbn^z%_^saKEFB0{L$i{<7O9oI7|zs-=rI8veb6ZKD#ISODLPRguu+r!_<6fqPAih6$%yzSi?o6!%vR z{A!{w`!%CZ82GI*#t5HIa7|`)u}9>;lw}xhB8xrB*la6Td6`dnNS=tKAA%uTh@L5*5#n0sbe` zukZu)6|q1ZJx>8Trijfe&9nUKNN#V5Of2~@2L3Qh4`SFj;XwyCSPIj(oJ%5Zo`Hx? z+9msRc-9q{J42Blh^xwpLw#pJ(4@pb4F&I{ETzFpICGqG=gAdG{M936cSH-C~MQ#BP{-y8|@--#C_zB7(I{u4Jx z6vqX3F=Fp3+6;`3eLB#Xb#Ibhm$837HmFO1O9OwJTx22mn;p`I3Z&Yr>#qz=Lk;@2>I()Tk1^`9kSuL?YUYH-g`p) z#N#7+2*xW-_`LGOKWY-up2O}laOc&ac0h7dc3+Y*eNQ~l%|VO3YQE+<>DLoxnRA38 z+rY!b$^gIv;r6_LRKyX_eZ)J+V?w*Wrk(GticZzN@1SN^wR&04e=S(;so;?L+ec-L zuN$RW*K@CCj-LbTuHH_ak;RDM4qn^91g$#Ir^OC+Ky|kD%zg&-YT!!w_gIo|?b-}c zJiWTZ_(O-Q_+yBibJ@Pb`EV=yr|=-*gg69`81=favwThGZtbbb@DUK#+2kYT$_a0l zVsHbv{9Y4~^jXdNH|&O{7#rOhW=;JF13SRA5nc=o&i_*VjW zo!5^!m1z@QU?(OopTLr1AoPc&odJTZGo!COP>9-{)BYT2jS-b|XyN;kH>!S^Q0-V# zG@|q6GP&9BM!^3a_uN<1;_8s*1bXEuMZy)T&&zSK`iFg8o1Rr}*`qV=`l-O}*@s)V zIZ%(fgC8F6Z{1;u2ix~H;o}}k-%#hRlCdJ#UUO7*ndG8hTgD+cr~C8IUpQ}~4(Q4@ zas7V5Uv_74>~DyL;#k{#$oLf%Jp=R2vma;Jg=u{}KHkJZUzaio*u{sW!KgXvm0-t7 zX+*3(GWfn|FddwbvKn)GqM}oNXWuyXSJAdd`m+1NI4Q@JIKx!ngCTZJbZ1#_;1jrc zV(W(^ZWzdC26_;%RR8{ziO&p}yZ^gMM|Bfq5QP0ak{>F`PNa{@k>!^iFcB8>6(g}@ z(723GABKf1q1XWZDQ893tbwg5z2HH)KmAmq zkO^kmkfdbfd)}6BU%ls8gdLE*)X}n?vP{yG@hC^3OIERVYnHRHe~(F3HIGz1S$Qn| z6*m-i<3=|k{e5XG{GPluBFkn2p9cQgW@CfgsWYQTSroWHc=qGfd??b3J zhC^f?7W6&rz7yyCKt2@~hKoB_oYFl`Re}exnCHVWmgf!ta9_NOP-3@o4~YD#&T4mE zK>S(gy3+?Jc*8ygmG}1)7|L+7`kABbc^U??AwzFMqJJ65m`R8GLd^N1*ApAfqxbefWQTHji%2ZT@5Aa;;+958J|_ouEGniK$`#?_);Fad`cL 
z&W_J@X+1|c&l7HA4$(_X6B2E@;&G4y2SLw?UwB+2){C7uJ(^dD7V4#^x!sbNTD8b^}_ z`1#RT1sl1pPEZHA8MCQBulHWZ3V;*V{5C~$0)P8aCyr6r|$}<-*Tm3m= z+CLP~Qqx$+?rw0gJWaVYdx1qhR^1luBhluf%6>X1@ABabBtw`B`pGniFN2JbnFvC+xn|8-f-#MGKp=-CfV_`#%$#{?oR$>h?%gF?7u4j{)Oj} z^sPrq;LIeP5GrT<5r#7NU_j6J&zWT=-&*;ZAiDQen$1bJb}*m` z5GTR;`E`%V*ynnc{SWt{>D%xFnqXb}cC~KHcC`OtA9-qpfZ%bN0#vl!$sW(rfqBKv zf|bR;Plv)FXEFw~b^wc62o*;GN&!^?Jya}q3$WGQ;{Yc2R{9z5L#td}c|CKsTqlcD zr1}b|RBiI(_cS1OR=MrGyGXG%*J>`mXNoJOmN3bgRVFVQ!yN>C%_|44Q`eZRgoN7| zD3z-yK~kHwXet`1iYQJpgPv}il#}m%F^N;ROM~ANr6QM7$hT1_Lu^c83SU6UlV3Fy z9ALhb`F#bFi1o2n0l5NH~9E!!Tce2=E{o z-#4du!SMTqe|mU9;jrNNRtx$eu;Z1^wq6K>l6(l@AklV1yw*>tfKvDn@S~~zg4w`Y zEfy^HA@HhhtsoxHWm>Ns2E^`ed2zvzd{9v)CCD2q*t#33BalbSY2M=R>2eX_t(tpf zLmqRtAq#OxUO!*`J#45TTiJMDf!`EYfEktwzlW=<>1Lept|d@j@vg%j;6~!JfJGB zb4q2oqIm#uUH^mYknmA;X3#Y{|nJ_Ilr0Z-apd;!%ab3mFyz=9{!e|khq zJ4gfo-NaUS8(O7ZK~F`a;AYmeSU!kny<&U_OyEKeAGz@2MzW+GMdeprdil-i|~+04;I>TnK2&mUA5 ztx5A~ib_{y;TwUGc6S1{)Cbf&Yc8gkugy1a#28}K0@#Q;m%@GPHW>TJRTXCmc8z*Y?QR`{4c1fURYG!3WP2AU@| zE(!upQ20%=!y=^wg!;I1Gu;*40kbDC7$C+nI7V?O;|xQFI7VbfL_~t5AW6~z00VLl z?RabLZ@Cw02^ULvLWM%%K$~op6G7dVar}nIme#1q~`QoSVjYSDpu;T2A^W=gE6m{pEMa@M=j6)gWPNwhJNw` zga!AW)=4LM)_#>Wu3ClAM3JXjK5i9Q_d)XaUyl5vb4mHEM=SZ4~`h0|C_FKY0;fuqqo34r%$w?^Saam3RBySDn!^Z`fH+Nz&J*y2yP4J|Xkd#@4A7Z! 
z9mhu&1izO;3G;rQ>D|c!b>LV8x?^BYu*w0yNjLd9qKICyJcdnT*t+^QfCy-vrZ;GK zvmS}1W|bkKw_W$cbS@n`mumIbb_nQeO4`c4)|p-5J18)B3@`03vOZv4bZ(Q7S!s8o z?&MRKZlTQs_jx}X_WQ+r>ZJP&qceVrNgtb&7feJ7@DBz5kSRfr$TnbH7$$DY6D(EaeeH?-(MMB)VPf1dnD@14(-j|XTZ*0tmrs)ueQ>rBQvZam<0D!&}> z7|%+~PkVl4Q9L?12e&z4b2>tfvP-F&1 zRm3o5sNGW+Px)qsjhl#X&O(>%z}xVe#A^At*{3=SmMh13kM?y9{2|Sr92^k$VH`D>(jkY(w1f!{CYE* zjz(^5izM?BYWX)Dg760V*ky(#j31U_IphlrvE!q33`(yv_wL62O4G2vrtTBV=hfi% z3wEwy-gU|g`ao8`gdy#y^+w zZyao8qJ-;jo~GG4wnvfsGyWlKo+HGXAw)P$&6!#s-aW(mctg6Ybb@ZyDqpf=ZgiG~ zH>@+kRll-7SU267~}WPy|3LK_(SN}a42mcE0CTb-sq52(Go89T(KQB?3bRUPCA z_mdoKF5142hIwd#(PN(fMbRZ!HQz&i@c}C|z5Ja)|A^;3gBk!kpdwxuP}a#t*7?yB zf?i|X5CJ|uXK4{>HD$DkbLA+M+bkR3`KfUBftul$qqB~JO1Z#wyjkSlvhmC^b{oP> zuR(csbORU18SDS+;p%i1sk4qKpLlJl0}ZBq9ez%`=oe`JHUAT5QAW36xU(-_o&782 znW`hy^6Z`T*M6FH_<;DC*nK8c8zgZ*L!gF{n@`sUBYOU;9Q-vR0QOFxi%R0}&L8Z5 zIDo&GUrm!u9;7m6qMD&Kx5~F0k@DiGpn(0R^$zVV5P&)5*ePe=`(+us-WrU`@lPx; zZtR!ht)-dHHhD>!U*F#=D~u0qaP&$Kus#;HlBuo~W)QbT^xN?=|MM5zy7e(q0!v4H+pK{*=>4O>iD(@+*BoR zOh;zr<+B%I<{(Z3{sYXfJLp^p9Sf7RuO>%x2mkgouo<$cUa?dmm6g-cHt+$P3kreG zWT9}`-2sK*v#@5l_c|lPJzgmEU4wJq8u^d(Jy{o@Utdh5*2lWEdTu$+F!FQD$<%Q* z!T&#ZFAaQ64V}IY?vxJI8y=_Z*vH@}q9-_5cgk^*+^?Ydvj%!Zdt{iz2IM~bevX_)RGDLf_iCGgNmhdf5Z(rcwJ zpGJJ2-Onh{+xnVC1gB-&TpXfjGzrfsoKz4P!0qdyXIVt}PHkzS?tjpD>c1<#Xg!|| zwO>u-rWA=C*eEnfFb`{c+SjST6%I4rZhCUU=?B!fOmmGK&kN)NXkG$Ki`@ zn;d`4^FPQxo4qU_brF*t))%w~t3Oe(NxI@@A;Mpr@$D()yIZ8jh>Vst^P1-6@+X9y zoWbjS@S@7rP^bt;AV1N|eg8$epH3Z^^_T>~p#d@sIMbeTKzRI9_1S$8ZY|{K#+Wqs zyAhlM(uSZ9@VXtq(Vr(m3K0qCPM%5S#J4F72Ha^SVgroF)|s#6Ax z=;Cxf$ZgR?^8FIif(*iTw@P-eNT~bwm3%4t%oXKE@O}exdW!%P7I>Zm zlh>R+0}XSv&3-`3qiOh<>Mue)0srK(e6Xr{{opTdG|Sud^4RJNFpX&G7bi5a1hu#} ze+SGPF%<8F7eNQ4U3x5TcW9+8und#0bSf?hRZpS&28c6$Ul`PSW}TBjDaj zAeiaA>m+Bh-B4#@H&Pn{%oqSCl~7OsPXJK>G8{BjjBc`L1b{d&X?N7pQxk<0rG`3G zzXnb^8B}e9QI5fn00nPq11fF74sxv9=J&hgM___iIkI_AQKB4y69~a_CnIeQ6lF%$ z(S)1>@~9`Aa|d=jnz(1%<#G-sTOqwr!^1p6Qgd+Pjv_!ZO>r=QV1y94$)S3xn{3Z= 
z+%{f|@{vxcg4uS2DG*O5{J%iKNb-l9hy(MT%r*;2BU5b1QRp_rf&2OUN5GWA&CC?} zQ1K(c!7!#V0M?4Y23+J0AAlbLI#k1JfV=Qv7P8tBfgi83Wz%p0dkmU(F1y!n&PU*a z9%fr|X~TTTCm0tb5kwnJciDw6l{=WlxR|SfDVRMI1n5M2zHS?pj$NcxvemBFJNpp` z0f>>$jXwe(7@x2(Htl%Rjc72$M=?ZHvGhZH>>{fHfj+#E;58gp13JduOS>5k=ZFwsYvttu+bs#{oKgQ?z85=ac z`~+3&nOiT)v^q6IJ4Iom1EMShSI&KeW`e^9 z2ScDwqHlP@yR7vSo}Muqw>Os2aWlYRVY6KiMyA9woX&s)A?tL^s*STz2^I2O=C=NfEj(b|i>|-QTA9857;t2G4-}Q~#w>(|{ z8avp1XJcivaj8mb46lC}USEZFfAE6E0?&|anOHQ;%JQ;xa(3;{dC2c!SJ>9Qa}S__ zo(b;QUUNjV?BLJgWyXp&{lHnm8{Yd?IO`DL8olTRh9d0AciSf06$DWd{&`2e4gD#6 zzm)pfG0Ykp&n*ToKxYk^BU#0^^l1yZ@H0R|70Ix}3aiIt#dz3ZS<$!VzOb(QCz8ku=f5!**+*5qso5AUq&|~AfPTLF64;1zWIwUW$z7_IQ)o;DQZtlzQRA%#8sA~T> zo`_B+4*DHz>3i%JDI;3QR!i8FuNs3{0a0YWelMNzCM}FB5-To2IF$(1}rag z_P8?&$~yj5eOe{k&`}UMCjDV2FB=b(r^SWkR#R&FTt?>Dwc8~dWPA2+*^d1*JY);@illPA3SX$vWzdD(k##&ajGCQ9 zxC!}o?Y;%uG+$IC9iFvO!Y>S+((J@=I(;gJcc6fSZ9$O=` z%eKj9)cpDG{6@qEF`Z4i{n->h*}s0O@A!T8$E#Nr^7>SlTydOci+1W|t~J!`M~FZy@-R!8N3gFH zdFMMymB+2;d{`VFH}nYOI4tjSjsse3^2=p0$nTU#wO^k{9Jgh+O&)#z9NxM3fjqW& z&GJ}vQRtEBlS$7+PKQ+DlcamV06>EkvUPe*Qi<431%RNqu}le3&1{NNqcw63q+x`} zOduB~XlbFcwH*O|!~i%f)5BO?>f*DZ#tCQ`aY5E5A_{3kci=d4l6`i z>Auek+q5wHB58G4r{>g1sw7%>PeCw^(G2)s@=e+L34jMcxX)AHw%nIDj=O}6Y8Q8+ zR)cMpvA9}bCGvu7K}}1`r*_+Gu6d$jv#w{qV3kj1^-J~>33&vB2wQn^j*eq(92Ocm zkpv{F04gzwKujRWXe#NeDU?F)fMQ_{@?j#mi`uaqq`>cVyJx8iR+Np90~ot!j@7_! 
zKrtaT4}Z`JYQxXFP=EMZzF=$$fPmUVWJYbg;@Rru4se&!HrL24N8TB!_v4|X8>R8j zMl3eI`B=rrx1Vi|f1U#F@yAmqHm*5}W{-2PezwYaCG(n{2-^g>y_P}IA+K|b{&;0u zbV-J7g4RLDz@lhx0235?#pv77AX^PQj8k@0813kY8t0_ zuXS}DkldomCBA`ZmE7u=B$!R&u+u^m&JrOxy2Vc7Tqz2WQYA!WT(snA>1K;i#<3EL za?HslF8cAKp^Jw6=*2~7Hx`;X=%^Zd=a%pUlf~<*dyBxjwxWu=?p$k!y8>Nn17~IN zi@Rs#@Qc2yz+)9!yj6A;Z{E7|6os6kjJ?dz;QH8W?N^Ba%vERgfF8Rb z`~zgXRre8b%=M-;!il@?mPY(=SKqtpScDk#i?@o!gPK9+GJKVwxfEZ8=c+Vw5js^K zciA`<7*omFh2N>n>|)G26s{Zq-s~dKIm~&h@Ep!iwJAYwu`yTLrTQ%8X0E$OZG0!fX?3Z+ny~>`#xeM_1&t7Z?Q~CCZ@fi4d0C+3_ApX*GuQdJ| zbT2)7`EZxw1zchbhU8mz28;5oB6bnSGp^hP6VCv17dqTRj=y-k#h$;wyaikzf4Thv zK!08N1xhMf`$MZ@@8LQ%$FNRHy~SXYi^w&4Vx zPXI9tJU8)n3Jy&{p25nnn1D)%2)-EX%^@gau*5@9gN`|HBLffN!!oMe0X~72!R0c_+yS&Wmht8w zpjbxYK?LDr8H@jr#WRrjLk)v1-ov27$nJrPJpgeSk6R%+%b5YxwX{cKA(7s=KW@ejLF;g0licXpxxyDE;PubX&2vr0sIi^Bm4SZZR z_9{5H@WfSvuW)87xH|=1h38F0TjAXb%bRnyGW!HSw(9W-gsu|w2~F(b#+$y_1CTdC zv4Pmqyt+@L91t-#}=?jC{kEYao0E!xeM;RN9IaUP{M`MR`<^ z4WsgBkrm@{C_5{LVZH5ArP(h3<*liQ17CWWf3Fjyv zZ`xr}0AeOTOAy@Wo+qVkRG!m=Hv6>k;sM!4X}LPebJUF+mHAmn22+WjSkA2B=i!O? z_!)R2D1NGa`R6B-FU>wA=j>C>lWl%ZL6K4RN#w^jj*2ss;VU6SrFlhMHM@oqaCp)Y zBjK=84h>8pRw7eDG`31?XpN(eRg$~$kdqRfl=yV904Nsw33y;nM2LF?20&Oe(x8#R z80pVQSd6q+ml*X}qcKAu@**{cp!Om=D+M_di;>ox=!%i#e932}!7Hm+$<32`j!<@F z-bP6K@y06cxDkz&YW#VIz~rf(A>cjTVF-kd7COo7C=@5{I9leUGfpD%s^+95-#SjB z^R40}#qXMv1YH9RR?9A+2IxKvt-wjx0Cz(F=4qAv;!`^fXde2+qi1U*dlj@>&gY?5 zxt*^D_Y@EMzN1w(<#IGjdaUJRE5aFPU5U(Dc@80svpV>LG-p|PfDw>2OEgv*%KG9g zC_kI+0hP0eyMFeHf8ri((;`pJ?8WT9Ez0MWjJMGCzC8jXynIvMwA*IeC-m8-GVApB zrY`Fw_@*c8B&5nM=~*WuOG{VQ$qkDn!F96pq_{)avCb(jkmjtD-HsjQtrL|W#jO*d z8{OHb8aG66i+{kyOoe~&cBDT~Br-SEtr?TtCMpljnTZVr!j!{IX1;;e22`Cf&dVD{JE)=O`Dn|fotHw6 zZK#_ESNy=q4mrw0`P-o)W%mQ(oS<{Al5QYLPa`SO@D^y{?wHJ&0m6?F8? 
zAL3%!q>fvDY_qY0H4q_~Ma-l-6Ni~}4 zUV6E*(2s&vY34>jR<=Qlpn3@4up(Z^pL@!IZ}*Dm-+lj<{+#l_psLxyqo$F~&$H#V z1OM<9hmCt*BO5Bvxdt*}RHwYkZB1J=B9u&Qr6i)0M4nW8lB^=TSb3y*bYdmhf9Ir< zE8DEh@nn>*os)&WY#Fq;24j98KB_&PVwL)ZK4&AwbPyC7o9yt~spi^UdNUmhas* z*_~q4r!va$GUu2H#mqgdbj-{xN9ma9r>Xk6XbwZw;UYBOJ}$ERmT^(uSBsg6zkmWH zfZ#YVq(_{lIoigln4@N{V4U{(=5cE0TjvxG09r5=#kfewnR;fznTeL@A|odnG?AW} zhE8;Z2+c)lU+x(+^Us&d9$p%`a*&m8yj;7|i+i9wjD;3-o_cZe&)QWZPBz=;w9HoOaCGF3;~pOYrS8SY!Ph}X z{s2*dH04|qT@9g&)?wXT{~Q4zZoIS6hONQ4)`aSKjf25chU63@{TPX89~tLljie)< zlWI5OcoHedA!?0f6f2L|HH`6)jfiH#{X%TC&enw^ZTL87OC9HYT;rphSH&1m%yi0V zrvX@9d|Nq3#McTnP~K$8%3 zC_ETNN5cd<^-t1e_N}LVT6uMSpz7 z_JUcsB=CHh$0WGC1l$CaW4;P>;|*W!y&C%J&Z`w)Iq_BDue$ik%o$+6#TxD^R@t=- zQ2xB(3||h_fiut@ii|T@IaC&B*m0;fXJ|VV4o?9(hC^qlaSUXRp^2Yujv>w$09k6z zFR1ZT?-u<0+;R(eem1!UH9w2of|;Y9yaF9Z@x4MCKkK~027dne6COux@Fz8n((xz2 z4^DuNnsYj#+1bZahMrn`6U`|I@)VV(B{ZHga-~8`ouOlps94I-kBC@G$&YeaO3I7) zI10~;vN+0%qXxg+;V3v)x^dErr#N`h%u-p795ix>rNaF9$5LB-#BojUmz6JJb{lV{C&cjn+zp2tyzMin|;1y zCykqjzEo!?jxPzZGsu@VaFfj=#Icf~n_4_19lA+}0umQD#Z)LNWap6#Oh7l6oN4A} z-j8AI=Y25f-3e)!10Q;W&~Ee!iWMyxMpS29#$&FXo-D!zeP`UHaT5)$)v6hlM%?u}keyC!3q((`|IA#nHDwEMR9Wp_L z1$q<&9raGq0U`}FV`PLz0uc$46cm*d6r@sU46>S&BW2$UejVXymW{!PXQsVQZYzpI zqZsKuJJ@BHBvI?lgDE6G(e>$G-v+nm=K&N0yfYQ9a;=#L1Kh zwpy*n(Iq*B6=JFyJ==cYjm=ObB0m+t9;@lP`6+l2i~DfAmq%wq&k$wRU#db=3>7-P zZ3Snqe684ClE};k4cPm+K@zqcA%l{hHk3FB@WJsB^!~EBth;;({&Ol&s8$LcG>}uU zYM`9rz<0(-oAZ9?Px+sUJhMX?p31K$!Wq!Ie~(Oam;dUGFrq*tbHmvY#{6nli=yW%##KOR{fZC zs3xZy2Q5INxG1R#yVbzCZh)(@)aX2`zn@m=M#gXS^Uz?07GnSL3i2Hw_xdE4yRujB zU&mNb^`6Nv91UP9gftLaSrJaqw-l~QnpeU7G`DOW04LBfPEf2xKkguHyQu!k@U9a2 zRX$}Tzj?qpE`ffHaFjUxA%H%sPl7-WKI1$69v^}WK@csN+@jmY>@qS&pkc|xv=e<) zsO_X6nD+)a@XlCmL~1bnk0wQ6Kp z2!sbhe?v2iKraddOxCttwh%#4RV{_Eu-7dQ#)nG?aN{9-2Sl|20v_&gU`z}+=4B3F zHn0;BMcMeF@}{3)zO$Y|I2;3n7};Gz-Q=x8IKHOgC%n1Z=mKPL9XW9h8cX`uo+7UYdnBTLs91-qP+Xf8T$@Ce8CQua}NYrjT$` z1hB{bQI{t8A6z>VrmlPRe3Kml@!y1Tt(C@k@^S|1Dz8pFu;+}T@G_>A7v`tW0wo{r 
z!S6`;I<&e{vKF>BYf3a`!Oqt{;xIbF11OMZD8)t=+?!$fia3&j%)r7;`L#Q!+2NE) zC;o1ERBO2#9}^ESxIUDVL{R)fd|M=`t{I+Tm`)0bxp7Lv-y}eGW+XC0D|gc66vMJh zF6S#;fTZaAA~2Q!CX!_pw+w8MtL63T7s-&Z{8qm3cD?DeTz@fJN)d$(3ShKZljxLr~og9s}UPpoNtuhi2j1Q?~XkWVoh z5LjUZuczR}8l;3@>UTF%{y1;3{#)$Kp&}K%#Dl{yA~H9-pDa+r58Uej8g*?hAnn-7X_KszE5M89EqvlrUNt}Z+HR3kd^jRd zL4Mo4T|QviGaM{s;QQu<`(m-b0@24S8}DwUvk}g|kP6|!>1S@%UlS^N3I8X zMDXL|Ba-`O_?U(OW*wn<=A)Mjj#Mn5MC=wOU;#=24dB3!rzLO-+*`3{f59m%*oyg) zX@aIH5R8C-aEl*}_|5PLXJG}r$wkK9 zt)vq6KltQ|LNbP(hl4P%MN?w%70ugZh6sNHVo5RO8kHJonf~t{mY+S?au}<1 z>5Q#rzIL{@`Iar2!e#ab@GO?rX;W3Mtlc5zR$07mc`>W&b4PqLK>*S@_21+>2;F;~a?R zJ}%y?6&b)F?6X0Si-mVCeDmIxg*V*X<003DgkX?%Plb<+8$CUpw2PjusBn-uZO$1_sHdc>#3$0Slc zLADDsj*oRx=F2c2ZylY!rewIQV6^048ye?m#Ykh2M-B!YRNsF94|+SmeMZRKq?VP7R}c*kwx~R9g}z zv7lm*%v&B>Ie&S1Lo5^w(DP%n&dnU|0s5`j_omh|``Aw5*k^WH#=W>I!wEk_FZ|*l zFthllb~4RBw{4?WL_a3hInm8tF2f#6!W@KSihi(*hi+%^hRuPW*nMq$T^_2@nT&~N zpnNzJ5^y(ydB;6AQdi?1nNvLX(h9J7Lo*&`u~P`~ES$4D5OUcV0G_dMhXcjz6+a>O zE%n}57`8x686MJj$z+NNB)nYnE45tSaH-^E8JBObhFr?MBoc^^SC%pITo>T z?ZzrD7P2u9J=^$r!hZ3^Kv2PEvLf10<|FyNe6s(>8`mtZLR{rM#$osb znF5>17eVTe_!5GMtB+Va)R#$IK|RSipPt+a>`q1Q6yzboOajNYF% z#h64B3#bzStR6>+eTPh`uvd1=){i&LY4Dmo1E!-{cf*!v_sg*@!?v6|$+hK^E%%(7 z?dGuMnh^-FBKYp^>H~9M754_&?`f$$C+-<}uj^+T`I$Xlifu3M-&1>PKa%aaos8RF znW#EvO)aN8R1?kj%bH}LfPEzwHUmWtRsGm%-H!3EOloQP2Pf5mU8#&#thfsM=%@$d zMJc0}cO@xE12u;xHiw*hrpuOsirN$*9tZ{XdZ5&zJH@3}-7S|jl3<)T(c%%5ID?ll zLl4WoEF_c6zAGEYhl71xAXe}TP-pm5U9TSr*8>TG8upRRN3jR*_*nKHmyc*jQyN%= zi?9bz3br7m_WH!?=+%;CxJp;4$R_D)|BK<}D+^>Hv~CIS0gt;xB*8 zmxcgPK$f{;(NJg5A*VDxU5fr_YHko6Bz z8#BpRyP_*E;Z>k$$R^@hF-a=~g$b_0gBLdK^1!O`nHn)%dD$7LW|EI1)p=5yAHh9I z>_7Ow#kSh?53g=}B=9+PM;t2iu%v2EYN#}jzM`G4NasQ+ zzTyB~K%&2)3wij8IUb~QaqYk}7svc(_aE3#ITzbdJ!KFVnf!DwUir!A^oNUv_8jyI zN>~_5s4@oY#{13ELJTHbXkpt!aO}dX1I_%)yRgW8Q7-iI9v=tU+;npg&R=6;kCS#5 zzAYY_=iuGx*$U4NfDqOJXzFI!Mryzuq44^uy)?Fx;A`i)QxfnRHrjNQBr?K>TgQ}Gpz!%Ztkc*yq9$g z+}dB=AE^G?ejiJE?T^aItNQcu>ZAghoI+V(*SdIOVP*L8Jz{?Yp1>neLww2jE9G#g 
z<&>*MMDa0g`N_xHO36gcBMh45`b$%T7W~pL++G!yBiI(wk_}I_|?Ar6IM<73~$v zHP9&`lQK^6u(4m*FfX51z|_cBFm-YhOv63^`%M+B`5ESuhKW>sqVW)mSO+8oLg{Av zO-$_aId&_NTPBo(T;h4D#=hWYwbXivwe$cL#^7>)nvbKlp*1QQFB(%Z-zpV{2f#J$ zRIY4SvS8DKV}Lvi^52hR1S*)Tozp>{GiIL}ab@xqWJ@g<@0YI+kB9+)-C)~+aSzs2 zBElbknS)I%ydh$Wd@~7m5{X~qB$o|?8gd15dgf=Hg0W9+xXyjWxElIqah38Gt~5S@ zYm$e^V1GpZ)AFy$dv)xSO^V;G790GQjfu?Z4c|9+?59CVzE!?OOvk=8?9bqYfknKj zXXBe^8itA~6w@s-gt)*QTlXYGJnG#}w+R*2#$Nrivo~_hwwZ&98Ox5I5SU#o0RAVlM$5d#Sy1`U< zE>*=;Yc3VURB~Q|kg0gQL>*HRc?mTyvE?P6004qBpYU-JX|9^f;3>>ic5f=;4>{QC z?Ms2Yq{mi2eze6#R9uwDRCzCIvxylm;$jm#UgTvHL{60FDlHC(j@U}fjYe!@?L{Rv z5%)8XP3Z75i>nBoILO4c3)fub=D;&oY57mhRb%dBv(E-s)p#$7tGsSTan%!>kn)?^ zgqD+UY+?-EVsmZtD#ezfbf$$)&Dbd{ns*T&A}+c7ct>-2XDAhqnGI%jh1UN+mt)Jv9WAG*UwsB^Dmu6VCHZnv;%DSYrl zQG>V3JL5+aY>w9`HcZo;qM5=uU9x9PYka}%N5B)f3S;0$RB^u`1KUngG4RYQ6$8C| zn6khbfZ(Ry8wKMMmCPMGgw0xFz@^-yZ}xYLm(Mqf_Y4IH@TR#2F0thupP?yV*q=Qb z7s&`vxp?PX%mOh%3ah;nyaIJ{xsQg=A0!(Y#pjJvIzFR(k@z(75=x}Ffc#I4figt+ z?v_h$h|w&wX@h}GYLtp)VApA!fmcp%Fp%s&yi*|tqLtV&n@NQS4X_HI@(Vu-nz8x+ zxSaE2z07kG&SV;wSWYf+`Q_ElrIpvX4wkORWni%aO?e-hr5>1l7J23L-u#o}pP;{s zG1yyUVeU|#F~A{M>M_wlQTye3^#r)?P(tA>-UP_F!KtqdG~fzs%n5RCssI>NlZO^V zEpx&0-2#S1oj0P<7RG0S!%d zGsv-ll^1}3C1Al0Nun}wjr~G`UlPr7J>ww+TR7YqHU~|=^@8CR&VfI8lMu}$Ad`7s z;rKRQ%X}aIo!2e@hSN8vaqLqzlWb0}_=5a8Yd)D6tPT)@27O$Soc3_V@%`ia%k}OxK#=6bN;94m#7b%RP{vAF z?m>x_!rViam53bakCp6>6lWzjM+#%5x%)_2KKf%LKsL%_qb)WP;-tJ2O|epwAE9_@ z>%~4+BJ?7epG@qfp&Tda@RAJ=E-^5WliJ+3=e{0S;;}bKDNZ7*fZ93f3JF@qc0sjf zM!*sTJh23w);SfkSE~ibc+(S+Kh^M4lRN$Jla`104bDt?-K2p)dQ z<0nFILNk;NZ<1oDtvB(o55kZ^%o&6me~|MBHAAs&p(QXwiCwAe9`5*w$31L0(wB|+ z*h@xd7QuC*IEI??R)E zl=Y(+`voJJiDbOk#y;}|U?hO;Q;5WI7alzDDN4vxi&u)N)(9a!&@880e7s{~cv!m! 
zHuj)(q_-oP8R?6WZ1|`HPI_{q98S`D5!R1wAQ&524h@#DM z2yCL!SB=y+>cn))=?wb|#S%CKPBuSx_-yjx)y*e90liG~Ip;LbsS*glyi6VeWAG|J zI(m6&#AVxGN5`d~Z=1`wFBudHlI~;}Qp=-<_-Y=K81fnEA*03;-k7F*B zLvkPl$%Q6I-}TF$E)CNbQ^P zxJHWA!0-X~^{s(fR0zpVZ(RV|FHYm9aVA5O+hda7P?3N&bd|f(a8|VdI-&Fo`R1*i zcFL7#fnv$z1ECqovzn*<6iFk%`UaDqC-}8SDFFSAO2ANIp9O>|iJ+@?RVh)-8}hrFtQE z*2Ov%t;*}EKe@JGr3{n@Z3U>a%c<6XB0b28W}5R**5ZxsDVy5@V=bG+F7AuH7nQb2 z@T{W!b6W1=TSS1Fu{M+sT@6a964faGPIh2j-M|88V2r>?ZTBEbDLQ;6gn^z5H!93K>{6z;_WXe0@*AehjJ{lM~nR#aY@Pf zYcNN&693e1@BP=y*r5F8e1OY@oz*vIdY?macJdL*S(@exiG7GPyo4LK+!4^6&CDt=GNbbtYScjAHbX5EENoCMb$A z=YTvG)N$eCDIlaMXAlrU6VVtjBlfC9s9295ny#lP8>!myXHcB zY?d_o;_|9tu-0e7-#crE_R6+FU5Ao|P~uMPc6+U7gteO3_a~rIk_v-Y#M79uf68*N z240(>oOua;TE)mco7|~;`bInp`+>>$B zTZr?Tlzke!p06aucEwvXp)%jdA(g4Lxp0>_v_(sBeS|0jbO09+Z`e;8eM?`501)Pv zZO+Ia*wNXrRq_?BURPmT%fzq*sLnhs6Q;%t)zUfA)e879;2FmI+<+}Kv6sfHL=9zC zUvG~z9AF2IH@JfwPzQBXAQaz6MXph8*TnUJ?AZI!92;WPmv}Y95#v@3Iq*|mzLk`9 zn+XT>HOAwV;U^Q~+9l&9N)s#^kOH<7hP-6rvxkV>iwi#LEoB#?)zS8#ILJ0U6*IylQ5>1=&W)ZLpyut`?#^Emd)L$pwCp5s9v(s8t{Y5DTOb@-s^62abZekm z9kjDp#m+gI2#GfB{|w=bs^UqHzGs<)K|fD_$?pw29lYnq zu)%}25+sS&)97Z>X}04=Vr@!S+i>Ca(90LEC*xIG-zg{BVboI7DBXni`NlR7j5e>< zMvExOFrUOr1A@6{Q?v1=gFcA?&aP?51Z8i=U%&?>(ZT5wyD!{rfwN!Mi45pi$-Lk) zYTUodA>qH)8&%QZ>*=ULdN_W+?n-}t$=9e{=e)~uAmNe^>i%=hw8W*xRT(?~dB|&| zJg1cn)W2c{x15Igks0olXGcHkO1$e-&p--kV-CUr>9W<}2O_f8D1h4*!}2d-_e^qi zA-L-u3F!sS37&F-p-2 zrTh6{v-Yu$_-X~OOWnl?tpT2^xwtSp&l@BZC+*{ob0%O4>+-W1?qb^PEuFo5k7x$b zhD_k9CU=QfrUN8^Nx^30a4Jpvqc=Jm+f0fg#;~YxeN{3Srf4@p$_c1GbV0cX?BgqS zCCnk=HT6-fa9S@{BQ!Q4kjdhb^|V$R&w2VzFpxzO=|)+Kty@;T!!d|QpoRgMqzSlS z=B;k!NvzW>6t_n?AiTQA{^cuFn(Lsi^{c&kQw`rEK@{#9qgho@H)G{ddX`y53TDtDFjYDXojN*$slN z-kkLc$H$s<$}cPr@C%(UmS<%~fsqJoyDiR%M)`NhaKin}&v7Sc#_fyW@0yo%fV8G& zZ4Db%)ED!n+u7DCm6$1WBFrv6bev*~_UT&UZf^=r8u@f}69WRSI3)wE{S}SQrVe+6W zLOK!PlDA1Zd{AFoXWiPEO|AItP;$T#cSGKnN2G&H?2UztM|)P);oN@y^=?byIio7% z@5NJjN5YaJQ}C)Mnm<$S4!jIx{A0HI5MqKYiXn;m)8{Nip9dz$Y!*xbm@w+KLK{&f 
zb-&vMS||}Y9Zo55rpI91S%V-B>4LWYZc}c~7mYJP#f)47H10?YAc}$EJ^?Ivri0JCtCb zz6%nhGT`K_u|)NadnKH%7Xj2DxrdUqEnQ{1Y*ZMPKR%&=5~S8Qgz`e)ic7>sGKjS; z(2x>uti10)sQ?bt5qfxIsC$66uWenZ%AdQ0Gd3~F;jedO)j5I(BbDL|7t+B3FoC&U zP_bHXm>`|;zJU|BFGL*&SVT-YkYeHP2{lfh^drZ$2EUtXY%@VL(DBE-ov8X%sFmU+ z-u6v6Xh+KmHdVlEAtVZVUEpA#_2BHJeoEut{|&$not* zAuurk`Pds?bISOx?{+qi2cHXWJa<#q9Zr$cCrhQsVVP^8-ncm62llYjGUiRCLDyqk zm)klT^iKekS;R~L1OSl&ECH7S)3l{v`$0fAspEHpEV8S~9)H9&r1oHs^3N#od1qLZIP$)we zJpoSu5MKOj26Y929*Z2B8m}0_7uOr)7WWheH4_yKDg!zSN&;F0X9?0!H4q^1G{A5( z5Wq5!_&)&wV8lBh#5l;R3oQV}17Ls#ppf_w0LCCxK`bE00Ahg2JK!JyaRH#n7=OnG zFpB^PpvpkY%9w!546(ohdKiVlKuE%%d2qu3#9(-s#h`b_;C8^rK=8pjo?EpuAVey#N64z93Z?i@(5AK;J-U z;NjxqM zrophny2Hf8&c)cq;>YaB_5h@i*DDI76aXKZDw{Q&K%GmT;|W%zV9sjKbkKg$h|-eN zoYbb(u-3ZQ#MsW+*xKUT?A-R<0Hq476|EqyE3Y=NL9tA-SG8icZMS&1gS(ErnZ2aG zufMwA(ctLe|Kb*=E#ySyTjp}-is+*0y6wpB)&S<3_L~N$7M&)ZHlIeIR-tC1cB6)* zmZheqwv+_A67akdO&|gQ`k?uMh_Lod5U5LEKnT$JNJ?HXXh~flh)7%Q^721cmUAL6tDp1;N^tF0geKb1D6B<1)>J8 z2fzr(3Dyeb3-b*64gL-U#19M*wh@Y~MNd`%20&9SZgT<$Myikl2u;TT1Xa4vlm%Uw z00w2It_Nc%p^%djqyV531gEM16bP%Z02Q;l02aK=02jsJ02t2w02$W~#v0%v02>JDC;%Ms zH$NQ(`bSS5|FY3n9|TliXCMiZ!EYgWfg%eIijyOpr6d>0t|bT=w!S9D&L`I1DA35} zDFq?w@+u|=#}g|bEG!5sIYBKmNm4Fb053RU05AzaZU8Y!e*iL4ivTlQnE*6or2sW; zwg5JE$N)Eg+yFR;`UA*02azGraykf@D>gfzNmV>yZasU4K9it7<;;>m1*omIL9NWx zLIt+p=R>>s3CTnWz#jlb$tE*K1=2%KM+w(qYe?XIjY;XHw@UKT-%I=S0?JGTRT(Kw z4MI##7F}#lABvMuoKXTOqPJ25D%BJtQ!U=`R50`qb5%0~%P>|p5hYhSA}m-uK2ljf zZa`W>g^XK8lbT$is9mqNUdFv&1Wv-sU{avZ*J0l2VhHqOR{jBGSqT7TToM*$3STE+ zXK6i1Xa#Ij0BLbx0BUqHoGWX0W^il?dU}Lyj+kzutZ%lqa0!FV)o}-m;p%ep{&SN6 z3e9wwCKz=EpCT}Kq(Mn|2&z$8d1-oad3ykXhJ6dNm#BUNy~4tO2EfP1fCt9S*ntSm z_5sd<)gLQ^-8e{uBoe74DHI30^HojcVhoeM9ekZLxh60Tj8!{! z1hbR?*=iycmOulTb|Fe?Y}5;;E~a3ungdK9vL>Qm<6_iuX28MmaxHB7AUulF=WC=h zma{XGi9DVbGwr2$mnCIwXLY6+x``#>CU!qfa$m@3!DN(uf1jTmTC1|!GGI1BYoB4% z_WqerJI=b4e{6ICW1NI-$5C3J9jt}XERdXyDcTd@_*W>Bzln)rjJL2fBgbhtL%vg? 
zNxk7>L=`4=f|f@ax2?RjVzJX09*XeP$YGYln#W#CnGKbQ zI!=!V@VA{xGt8gk4lRsESK9u#v}z^YDlo;17{0f!*+sF_^@&Wcezcg5Zsd`ZzjSC1 zFNz(DQX20JQEO7_&XKS%8P#bZSok#SdQvAWY10FZ4Jn#^j63%iud%vUzC@0VT^mXGZ37oM}ZvcoZp}BZ_`K ze*C{*(G6^hUXo=dv~V{Gth3_Gl)M;~nIfJw8e$h3uW2zwWDG2JUJEULcGa=n5F2wKx7&GMUP`-54x?HLa~BgxPfIm+au#HY zp7sh1tuvujCdmLHnhOlT(7GrvM(d(@z@l|DrsH=LpzUJ$fW3{Px02*goG+~hn-$xI zzm@Q@)e72>Y_~-Oz>#t-n@h@c_cd5QPGK&6aX%3OjO$EF2=;<_nW(vu0|2;;h-5PB ziNxm)biRr@oH4$%9Kf>|MR)9t0033%U?t)c-A zGq@a@w#6M>`ILq6v2*aWOvc*TQ9u~HJ#-!w4%9+|j^GThuBPE|w*IJ#`OvPpF~xik z^nAR&AyU|3LaQ6P!g0c>(LP-uXd^qb_FH~ zo0x>HIz<*f3lA2^NK>AN07)oEy|O+9FKp>TU78r$9j$~NRckGx_u8mb{DY z`9)+(+yw7 zjeBBeLW@tSN&LJQ!%xyE{I0^_>-rISksWZHOxutjoBiJO%lDO4y=QgeeWuawPdL!M z8&2-CWN=Ry;PyveC$_IKQVaWG+6(K>-bbvEXQs+NaWu&BXvDq@2J9=ac)bHd*Vh3i zfP8sG>uujykDB)5G{RQzc;(}NP^yPZN_|^Uk6SH3JrK<)TuTd&k9DPYyb6hqD;cYp z-p9A}HngOFY0crP<}rFCp*UW=Df->YcIaUt*`TYZiZ@P5_<2yk6weu#ed*3g$UU@; z6MlLoHRRT4oRQISYE=NSsWhaf`5z7I89-c~zcSy9rIvAIE6o31K*s>W3U<2mfqT@p zEd30E@lIq=x%Y;EGDB4i`vnrvq=HrhERsr$xl-P#` zwjV#}c)rHV&0zf5uQ!oVuU#Ur-8;wj z+oO9+_pxdCKmrVm1D_TZ+8%|ZGQFW6+byv?9RqGW0c|dn5xECCo616qaAv+bxkE0- zU}EP3Ex78Wj*?a?P50F&l({;u2q8*6hva}-q?v)B(N0$mFA`JNPNG!paW~SwwuyEu%d2KEx}!(n}$%j->D@8P=4mMx0bm$ROWbs$$S#c<3p zt1njFkLn;U+->1eQx}qYf(o@OQD=sF@6%%`T-5276aJV&!UIh-T`rI5?hs3V@}Tq` zvk0^*U`a>DVk7-_>gcW$jDCt#^i81v?#M&*5;ze4Mldy3wtVfoi>~GwTsJvEGw;b(u>H#U_+i4}MoY7Lw{Y8ZSJCqJ=ja zP92a?>U4q?e)bpjD-uv&%6t0H9fboh=S0i`H{nOxB;2<{(_7P+?zv&vq5MEp~blV}Jrvg2=jh>)KG5~sD&d=X$9Nc}t z=M`jnPDFs`30fKmudM96dClOzC^~;F`+}DyQE(Z}IcHSH`QP!)LkuVQ8L-W_dJ$Yg zE&%tbt@(`XfnbzZnj^CsIIil9&Yxmu>nxh@BMiL&K7 zZvl6KWFdlX4De#bmFpU+T$Zr?R6+Jb|JKJOfucU7Udj;m+JiSCCt?Wy?r<^*;!P*`MF&|nEC*IJ$zGW9NnQF z+3oa1(s(>bh8-u((s4~G(?2qm-jIm&Bzkf@?q>9DGB}PFNjiKvM-d^(aXHfb;^x{O zFh)En128B0p{1AOHYicXlCYc{WJ8Q>M8NZI5#rh)$ElyHD#n$H#f7KDpQyuaVmr{n zQAVUF!8*(}p+w%I6Zn9eL+*z8dv~Spo!-6oVZl2Yv$*>uhq?zQ%zbMh?mzu*C9h|D z=DXSthoJqg+w5i8gnTtk_NHY){+S{6nO?A;%zAxemFrVT0r?+=){kIfJsi@HuMw?& 
zEXc>VdQ{)mNxkXuehuoGWllf*!sELvJ1)!C@zpaF(dem1QQ9~gWQ~(4(l{3(=ac+xE*HtuyoI?LZ)(dt zQJReNjA7oUE5>20)|ZlPD9e8-!MGKKN(oOsYs$kmcyS*LP9~4404;gY9FsSV3&#;I zEsEUi$QGC)vqPdoVT`cot1EsaJE5tbylI|uM~-v@4Y^#O4m4AO1q%=rLW=;3$= z*vPIroC1e8Si6kcaXRh9Xy5R&mzkY&!&{VHknD9Dt~T~Eu|MTzaF7%B7%=0t`vHme zsI&$%e*x3#27ws>06+)yCjbEhON&5W0R{v-vhAT4-8c5?cpo~YC4UlZUq^cn)5_A` zatscpWwk*UE@rJt7`K-RPupU-teYh5M2hh;m}GfCUjEZ6CEio&KL2R3F8gCwwVa|f=aF|EP370)$A;+P!~2QYxOSjAnV{gu*>V6KSL zQD3UzrS6L9qJ1`lioE(>!N_p4$=%yRM0)z4=4*^PH^!-_Vqv%+w|qXhaLFfDG7%iu zTsbQ00X!x#yW*Cto?DwYXlZo)XF)W31yOMvvds8?!U(8E!MPbrw*|8>JV=au=lZq_ zguY9L_XS%Y@749mz2?5;T3$!HNm(!+FeKjEgG%&poP`-(X5wAv6!0Vekn{UwZu_i< zLO6=i=a0r3ED4ey@>@A;%oBd=Oi5s2SoA?Ogvgu;^O#aXYo2o7pOPWWu(KK5BE8jI zzoAy#X;D@tm{ChMo~E)rFg0tny5VOCrRr>oiU@P2_}|cm?^+B6?6YD<3ZnbSPGP`+ z@=Exf?wb1a&YcZ~z7NnUTcW_mNX;N_2LfWzf3CCVR+_m#m5{L5eS@_TZj$)3jezvZ zFLV6}KiTm&nvQhZEn#?x)5+~GK}3G|jpl3ZLKUfbZB(3~qMswf%Ah9`Z61O@+!35`@l8` zFfg0s#VG6=%bx94eKXY`D-PPeby87r5RLK6$teJoelU%uBb|0j7+&IZa{EgVksp4e z`C9r?Q|sH*+@AUn3~kL;cze@Eiy;lQxOZvW5)Z*#6oeu7Tt`oAE%njaVg}I}(w}3& z^f@fL!OfPrVMBvZgW*FHPB;7w;Y1xxQCCPVuv>PrY@JI0>!Mhc0h)4WDx$dP zClyBY>>}~4kD=*`s0RqgA7gzWA02Pk*adKob91LNQ16N3;P9z{n39^*%PP=I59pNqPD-}qC*IE_b{6P z3A7?##))6V+JPLTzmN?Xg6lVcbPrIY@^}lT4>pd#h>xN;)UaP@HW6fSu+&95Kwu3f z9c0O*dlu!QOUJMtbOqM8WYZ^%%G2|n-qk#o0X&fCruRBb&8ew7x^ciEt>{V&6%lJC z)Bmy6NQpxpT721m97bqCl)cm{XjmI}E{e+J^RnU>#PaHH!a~IJw)=mqQ+Hgz1H||w z74f?bZr4IXV^nXE){{_M-6g*da5lzVwGgfi1yTUqQSS(A99TWS9iu>IPfJpQAIZeRCU1 zOelb_(02kfWU#4;FaW%A^$~k%&y<`}qgw=}bl^8e&6Y%{rFR_xD~~rPQ~-|xtqu|d zV=O5bcfum(>Uu3d&~!LAGC_r|xgjDw{9ZU~gqvhPavyL-@9?2I17vy(W7&@cN(5Rur}k2iJ0 zFpSDL7xFJhVk~>(>MwgoyghV=+Eos2fh&j~bX z0B<5mwO?rZ#)d#-7%jhyFT=uIbS(PgTJ~;J$q2?Cs{wqJ01KoLC~*RZ0)zs#j|&#O zI>yALHm0PIGBPuJF8=;zvMbfkfn+BdKnp-T!h7h$hGC?N5g-&(n0XPd3okU4APk^q z1RI6UO&!YMiHeaAC(gS;@ISm%0)GQgh6@vkfq!^!RwX_L<(KuO)OXYafy8He_)G#U z!P!gpHK2DO1M+rsuC4JdA4gC~5mKTe;)6);?q|gAZpwAfP=xMO#dB{G4)GsgxzqT@ zUA+r;WZbvQ*1COE2#9OOw!MYxhaa+f_z53u&+E~F=TV3Uhtrv^JuHXXD~P5&=my#k 
zbe=6~(=bCu*4*&>E2GSZk4v)6%}Na~UQCW9Cb|&2yMxT&!GmMi*w`XiRaK&U!UPoS zF9!q!(O%D2=3{r&vT~*Fu-p2heABYJW56M+nY9dSkk5U^fedSnfwIbi)sHAtoq-b7 zUjn$$qr?Qr!sm9T9(5ySXG2rr%><&(8UX5~!vyso1K_k)mD z@VlRsoVzW+Iav++=2tKYJ|Te3htkpru0RO@k6Es9ZWAAPvoFnmZ4LYtc0F^_Rhh@& zp)PPl(U_N@0rR;_0#}QCIR-=(mlF*RU_j&7f@Cd1fUzzdn`QO0LjWPA8&>vC;=oj9 zP-eARAX;FbAmOyOb5lx5v!x-SsgjCLfN&t7O^&R6&^Pj{UOsH&f(uI;!BDesjL>asfCr{FJfH-@aC8PD z0)!wv3}{w)SOS>nXrMd%c9y!! z`^sj9_WrMin)l0@DZA&T)cqJ_?u%C7zBR?|Ndavo^JMmF|C;S+fA=;!O2|P-7lRG5 zHvOiL(yPC{VfzU3YCx4V(FDX}W~6#aOaIeD-O9Hhrb=;eYG)f9ROQaOYjNcZ>_0n{_CoW6k@3XdO1vO_jT zSqEj`+_0(4TDf;!svAqHn&Ur4uLH+#h<--sLGM_5B5*)zz@zc3atDO!&t#w8%R9m05;+k*@w>sVX`(%l2*}a0?A2=lOQe(;USk$LzgRxDG56UA@q2j zKoD~&$c8zKz~tZ*fVQuFCU}U>{mr1{5TL{$-TX zJSuvbEfTczPVgB}pxDZZ|Y(fPm2=M%xNP$q#>djvnUP4%yPiPIREK)VJoK z0KwW-sNF=`@z5T3*2Br+&dkLn{kEZ5c&+TVRRfu+jV=u^9IM6%`JTk&P9tPcgB%J2 zo8tkivO3$1lr!_ya-_w}clCq1>(j+ESA@akEf>0BtsxtDvp}n6v6gyTuMV`ZPcb+T z!C@stM~x~QE@Ds}>b)<_ePFb37M5bF<#i^cZrSoGfR2TTS{x82OuVwHo|=y0;emE? zW?oXp#l0aL6%7f`$wBasMBd$;ReBSytwY*|G0O?+OR%miD+^JGPE1KfLqKvp403D^ z$g~`hmH=%F?F#Lh7KQfhb_!vVX655yU_!v&+*;XJRyJ=7)l<_^(9ZW$NN{FeQobRX znHv=i2?hU#Q$~=;yPJb+Q+X3m?2xu$46JK+H_OUGloOMzY*Nt>P!EIE)f}4xG6ZH@ zOuuGVX4kVQvrp12dCAWy9}fff<}x#9)ylrIs-6xHyP1xHc5-I!?owS+z9AbGWo0`U z5(@s2$Xi{#n}ciXkY;KcwP6gbE6eKh^UOk&6H`)AX66u34}%<=$;ksULI?lRXP$G~rWw~cSRwkS*ia=3_oD*>l6gba> z0+Ulq8{q`Vw*mp%Xtv&fY#BxoI*QOHL^!1BBy%#va~BilNX_XnHqGBs(oz|GM8BaI8Dm^`Zy$1#0lPZ^baObI>K-{rAcy`c%$xp^^cs~EhaEXLZqHYsv7ZB9n{ z804bp+L#=^+01}M=e{g3EX1a$!dG_(f;>ATNjDv4y2>5IW%QKEG z6?5=e#*#o82G@xe)`B5SNOw7f+Bk5s-df*%gj`m|csTPsBS?a9E@KQ!fig^-y;2wf zlFYmtR)1mwBr-Gs#3SrV3rg&+xbsTcv0VkOvsa3qwy9htC1ECfk%OEn1{ z`a=fXbPoY?{9axag>g9Md^SO3A;l`JVoXa*gu&h{_cxOqL=zVq3A3SH1kADQM(#bK z)p06*l}WBW;*tr`?`0{u+uvX0_PJu%B4BMHD=9zO$bB0nkHo<|oUj0oK<`3$oEsk; zs_>@Kipy?v;X*Nq)j_6rx=oRe4D85Z$DJ>QtvCo=s&Y0=Qw~1nBNMzR1ba?KoH;#p z7-gU++pWP|^xpt3xQ072CUNUYKQrwRq=qv-RKG-4&SN#Rl3!S#1~h<2xHGjLkqmzn zeFM6&v`p-4TUfHQiooYzCGAD%kOl6k7A~#z|l9WAxulQL_$z 
zIZOY-mK__t6Q1Ds7&u2B3TBS9(U_PySdHkMnS|6#9)V|MwXBNdW?^~3HU1xk0c>Xp zMPKiw8$|QP;t9Xd$e97r=e_XCP#FN?n%8U<*nI%twvsWR-Z9Pcb)93L6a4EVyejP5N)GvFO_-w!D&7Q1AK&{z%k%Ntka8A|9C{zmDZ) zVrIMHQ?BdFhR0qxPTLkHdvW2-oiLgJovyKR@J4Y|d7&%l<10+9d_V zgkS)!!MsAignQUOqhcqnzcT*LVb^~yq+EUJIS_xEGi5$#0}-y=Xxh#}=(pBEf#O+( zcK9-M`ompQ*McPCm$8_gC3xzY)ldZk?$fiXlOx2eZ{KZjM=5+i5WF%uct0EtYux?} zKT!4KlS}##kz#{1W*G=h(N3tI8r4L!Q+-i+ly+)-i4Bb>&I8{!cN2jf>bLVIGt^kwhoH{dXFE-`leF9Z{@v}$v#fM6UefE)$$Kr=Zn+ovoI3vJxS z(uF}+m`MyjN_uZ8fj0$^Zr0nEjm{``V1)To@)NO-WUdE*^#8(0i_ed7YH16BmZj`y zCkJjgnq7k9$ho>Y##M3f8S9D3+GewRBD~)=GY&S0nA_#8=%K`e`8OAG4E6CR!1io~ zMzCv=ze(k4_fD%43|1=bOvmc5{o^Hf?(65SYRkV*6U)}sgONZpG|m_!D}!g(_dRKI z`Z{hPbYb^FkA29UkvxCvVK#vLWkp{_%C19Y2WMZa8_0m4fhTc$smbI4jbOFofGdSb z08Bu$zfAg_Y*MiuBq<2DZ!u2R2UhD=Ixxf?`pq)O8_K4ZEMWUN7ea$d(Ltu9U{Vrj zF&fyM1uP)eR&T)&Dl9Z4qaD)HZn@1D>?i_mlm^sX%g~(EAScQW(EFZag={c~N&uro zvf^UyPVG&t6FdOaR>Xp#$pd`{qFVMra7^6tWS~WuHB*N3rkoo+g?pZX!@0C)u*`c6 z^Dq|%pHi_=4#^e#&H*-9%2Lz8 z@nolWndK-Ab@H@7$ATi`!s$}#_9Edr^iHG)Z1{K*`N-h9B0-RyanWqLV1 zCOvNk+$4ov8eSW&A{6*|$xF;bf~-(=rif~1V0fRXhI7CY@`tr2;5T4a7+yQp`yD1p z?1Mn|D`I1062m6AGLJyk9m4O5h<@}I+&#t;5nhEDGkA07WBv8(URWOlMlKJOH^1LBUK- zDH;WUKvhz>+hDo{klD6W#{UBfF%gE7r}@4uTJT|``w`?5LdYh2r>O+Q1hfQ%o&g?; zl4Q-*;43Z*b?YzA>QO8DofTvwk}(1UWFS&yVGf#07Mi>&!iu zUqJZ}T7u1C0!MXn9n%i4gYTGiR1mnG9ALzqaaj(HGw0a26pjkVbVO;P7l0gXW=zF`G;#^JRVv2JT<#GkaRh4WrTh1y$o} zD+dsh*fGnGu;Ql7n;S*FFF7O%d|uMIe^K|!*ERLUh3s6qO(@;=;) zl9E?6uZo_cWDDt6tbDwr-`vDvy~NCWY}H(h?;-u<{F!J4`W?$do(PWW2&iV>L4uq? z(jRIM-Gle&J?sNw1~G%6Jxm|hhbh_+1q)w_$BjyZyJ`noYJT$e7VAfZDt|TS4OvOQ z_Jc0=OORx>6?@PpT{%-DVmW&>m@1N5rE|ezxQ_qaLF$#>o#KAY^qf}CViqSymW&ULZg9=BQC&Y$oYmS;IsVA5UIhO1N2T;9#5R=Ujfsn_ya z?usz?enXXc&EkoA*;W_}! 
z?B%Yxj#Mo-jqj|&Du$QL1+t&r2r9Xj8)QnkzZd1Q%Z3mdWpC+gOgP1sY&cof{oTZ% z?|tiic-C(WX-u};_~}$$OJ}q1#Fp^4`$yII4Wdn!a|!EqbL%)?v+4GfC*x1_oh-KG z4Ug`(O`bGwfg=J+*5x|qddsu9dQ>U6Y)$6?Zw=+UaJIF|r?u!WE2(;?Q7LtfmZ7{P zD?3fAxizRih6Y^4Y>btYA9s+`Yo)W9D93WqI9}8I%uE>uzqbcjb={UXu6$!Wux^DEEOG{1xt0gQEVTK;Cn~1Pl6NeH)sn@2hJizaG3eG zNcsxAFcs2oAb)cwVr2RL@KlIk<_G7_1{QjvKNB>^q?ZQCi_i;ISAhVHiZnv&uzy$} z_tzi#hYlS+xP@WNe$m4!HhEb!QcMNE}tj(WbgW>9a2-x>N=Mn>AM<_}jW^O=Gk zs$k`QFT`MINGN@|U(d~HDiAOWj-eNW)kdi8tcT^y7V?cJ{>Z!)IX?Bsa4F-$4!A;6 zS*5gog=KKfE~!8==g;(&NqcHm5)J3I4b5oLjF4c|^FSEw|8@L3%U+K}fXp#wM(Bx2pF`@Lo|FC0)q%jmkFSp6icn4L8ZHdtH zI8$Z9*#!;~`wfD|E^v?npe&=~@&;P6$R$?4 zTC917_2M<|WntQ_zO^%s7bO^vp}9&D;{$TAypg`JMxSwGrGaheC*eXRaqvu`(kN3Z zichJ}WDfto7Da#p{@Z{rfgoghw_UJ9_l@E9yJ(F;ZD9bnWQ4k)-tyXg&oY#a)+d1Z zj`W4$MK(6J4Yg{vTe;2GZhg%jpOj$^P_;BeO!gAEi`9M( zYu*<;88LdBzC&rctjiW_+h*}4m18zEDX2l$+PVAC@1p=G=@nolM9>pVV--hQ<_LkUlp6JgdUaa{(Ip#e4G!ak(aRa{Wno}jc3_f` z3TK#Is7NS~m6es1iK}fw1&h^6>rY%Qbp<|gU7%Pfi!$rW^Mt9jG{aJrL-PaFIkigZ zsHg5>n2t!LP%DBvHBp%)?9`XQRUtG8UBI3yMLR@vB&<;ViFe>kqP4F!jlq#GWuW;> z$Mw;kNv|S@ z5tD!q|JoWmx>ZcMoRzzBKWF83oqY%2*?77*$EsN)>pgLUy5TnOR=&NZa3%@Yd2x7b zgQn?AoJsw)r9m_{&0VwCWH!5tJscjCOPfgpQQ`a2-Wg1q!MwI-@&EsE=3F{IEJA|7@@8SG!pH0Kh&xsS)15bRJ8*)11OMpnATNcT68NT42%6(I zVCE>nOdi%;foLG6sNydhygA8x;iAO$MQ?$|z%f#;87(-*E_jPhGveuwWNzfzM=DTTT~IMUtQHWDyIx4gGxb9b7=|8W_15~ zUi3n*(>j+u>o{QO1N(T~L-V*f)*Lv@{Qs(1UW+f7T~(g`2fyCksdN+txfs#y2;vp2KKGvl!IhlS#+uHi1%_|2=S z#$9rTZm{0;7#^a07DjR_YR2G_T**})a_A4(GYsLYvH#HW3gsWMfLDYx4rOmYGD#D@ z57H{sK~#QN;3M~V8p0#R34-*MBtIum;Cl?8U3S&uQ|hqQ*d84HUFgYgK%T4T=F!6t zun679zk~vYP(DSXAf)fi8NGd z!eoCT6i|?eBF_n#&RAt^-lQ2m_-8@q+F_+!N{$LW1k8P%IJb(Y@NzlQkklJVu**!FALH=! 
z<8i}>+FTzS{CCa2)ZT`CJ8wy9a3M(DOMjW>7QhL0Kod9QWg}Pv6gaq8;zrwRZ4qbi z=w!!kMH56XGrQ6j2{GQo1NX=YMD13jugtxOy+F8FXJRS1K+H6ssE{4jF$9?bbW2Xt zW8k${{`FQx%(GJeS~1_siFul+vfq+|_R=7gCp3WvUl$sb@__cl|1jXs3gilq+2c_F zfo=fxJ~q%v`XOPzkDd~Xt@;5HulY;Sv7k$d^2=2gd4^U(}rNYWGTm&v*KGgT2L}hDbA7gFJ&rkR&OB_#%8wZk|~O4W}}8uz&mBN z49n77H2CRTkQdm+)(!c5i8Wo*-LPQNfXQn6OIpn-VHCJOrlm$D7KYY`d(CoV zCl@N&rfK{!iM=-A7!=2~r4jgLLivq5O6&UvJ_z%lezpf<2%^I}qG3jGqXn=!1oMfp z$_c}07{FhM;3`FMlOH9Ukq7Vz0alU&Pj{A3u5g*_kG+E%BLOGCkJ|mP^||tsx%^l~ zd#uk@A7S%Z`!ef0r%1_DP8wPI?ylfcwDQ*hx3>D2t?ZeFX1losFJ0t4|Nmm|$0v*) zL+i0u22Z)N#`^CU2h0CBwhx@6AE5v0;5%~H3>sagR}C9C{(0=j-=n_|{r7+H2a^9k z$bS3?^iM$lHMx-dufTSKe@K5K`tL8mpMgAy?7zr<{9*l#=)d0p&%@Z3Fa$fl@eOt9ojA$_h$B0mjHY@v9ER0AQ0-jDIf*vO+75MG3d zULt*&XHu;4uCbksfk47yr3sd4J#^h29$aE}=1kZZfE`q%E}qDk^?}Xes`!KQSHY^|b@C!_VK>)ZW)rV>i zR*GpduC8tlwE}+V#hX}M!YDNa^Ru^xtkrtCvvzkpp`qZ0;*iNVy1}Mhsi6QIaS7#U z?#WU}Ry$}X>LY=wxjixc(8>y?tB;aj98$^8l*bg>sTiz)FR&Ke3iOl|>@k}J(oEJ7 zS%i?X05pV&K>)E;HcBdW*gu$4HBu=r9R))eaj3rM&EF5C2Mx~X|NSOn^p5gBd?sEza1Z@}fBR!u{)!&{nO)ML+^$qxP{jXq0ct9$1MgEu?^=Tu z=KX_oLiNfOmEjryZQlZvorQI06|nfGp>iz&1(fdD2y`H6Ef14J01jA=F-~QBFt4c2 zqJtDbu}svOfe1FjgncV=QF{8RD{-}POCvA*gE?VImjEeNMb?DXG~6-=g^eT;i-88uGfpZD7tgRSNR@1dV~{&BuQlex}nYCvi{8G3#A~n zF0cG~y44d_HG9eCb0V9#yoSz0rJkO0K37(CzwYU_uFfhydS+9H2@@vFT9qhhoe5lC z>%}dCPr&^*x#SV}QGIHVpWrQl9uvV+3)DNbdv1vQ*~I0S#^p)l+UPQ*RXuD~`_UdQ zuN8moDo=ltRE|_d?<8Uzg>k?EUw!8@oCq*gNH~$!dCVY2bQQtbDU^NXuQiGSBXr|O zHxOZLDU#Eu)Fz($1H&0AhyqC{p(E0$Im97=0Th}51^^HO5U3#n3;+TFKrt}@000aR z2nZq+DPWMH42diNLN@y^f=V+9+P4z1xeMUSI>FcFNX{!MaBl|YJPCO9J_Cqbz>NC| zRyK3~JPCO9l0fEf2v4gVUio1X!<%wO{!dH*Y^g@O&LxM=84>HgDpR_R0^0l%8Xb1w z!{4yZzAn8or+XBj44flmeSf4K_}S^6nzn-0l8KVI(O&_&w}kOnO!?fu8Yf@N87SvTH=sBY6m$`2(15z&fgi z=;lH)I%M2pT9-G;!eV-osm&Hyiv;PI$8?<6lRw26d9|J42jTsYX9Mr_q6Xj_+TC zK|b4Nhb?ss^x%r(|B$=#M{UQ!J+C8kd16E{{wl1a3j_28Vw6eAu62YIfL6yS_@w#p zeiUQ|%W3eg(>#a~?|Cvbbo_BaAfAzxhBTlSA=0dJYFxjMdE9e#-k2GR8EzLV!57`r zN(h$LpzA7j2AC0o=u18^#nkOh7z%Iyu7ijj+?hQdvt@<}C#f{tm^x~!8!?5SzZPbn 
zlTE}_wiC>c%aO*WJ#>-@LJeX(RqG8$VgK5=Qx zq)}rH((8I`xi^6W{A6NmM-k)PkkXpvO7a(jLh;D@SnjT=G;rZeCn_%Oxfm?Cq4owc zdlZ-Ex~35@{(WlV_%oF^v#e^k;UI%HC2?I!4Pw_Gz^`nB zHAtb+m}`@}`Pf`(uyw17o!&K*R{-%=-<90FRRGT?DNv zn)ab-8!-W3Z-WUY1H?Z?8h-?IOS`D$GBaDsc%z;yhHjMq5*cU!Q}6d!3j6Zj#HI5Z z9PVjxj72cmX;y3t1W~S^t=P&Uwy*m~xbb`nO){s^f_K#~BXCLi$!aw)qAD)>--!Dm z5FZlgECybCAaEvBU{XoIxM;&>S6tc!&`6 zbAbU}0j8^=zxE;GZsGr)dq`vJVoWQUaz~2xM#9S0{_jnTOYs8zBLRvuamQGga2Orf z_kf2llM0uL3TX4&fQRI*D;5*BcaTa`u%EUSy&Ojd$=d78t{ce1#&Ju1C=fufHZ8YsjY>omndqz1r^?VS*T7U%`>Z zFMe~}h8EVBfdpLTIFK4)N9avtZ{vz1WkfqVAG@(@p9`J`nJ=)KMr$4DjA35#}Z>62^3h|2_mO|xP|0dn+Y8y0~eKR&MHkVn>b{TtH4)nc3A}Y;yi8+RhTfKjp z0dLVl`zru)?QQP8cccB@w=ALMztSAEeK?gR0xG4-zZ0?iTgC|WJ&6HVF;c3{N$p&mE z_f5a*0$~^AU=`SEFb?1U;;7z)Xj@^<<#HBzn%IhEwOUTwo;x^|;W`$M#??6&Nakr_ zH+F2*5l0_2=)mek=}Ee!akU%)GeKWtu9~DNGO#=M-MsMKUk2lDOkF+@%E{6wbT| zChGjsN7U`>{4ILmUW;eT@oXQk3x5nb?0b3YHz?pl$%;hM2QP{G;r!CnWI#)rtzOH` zle^p6u?PopnK=7?<-%15ADSN$sNf`DC{rZq{3i#@@|(S45kZ1XqQR_ObH`AK^par+ zZik5&f=km3e#U$l^jr=JUt-T4 z)97TJ92<`z(M|{3wv^3tz?v~f)IA=0`1Rj`h1uk&c=%x&1aFUz&0rUQsM9__l%yUQ z_A}*xhW52;my@B*bCQk!`W>Xp-7G#)fNc&m)tq-OykLbI2^eIk^02YCha%8laN8#C zfm+}YV4R5HC`TL8@J+!R7*Bvt(D`^pAV7ibi{OC;wqOVANK*wo4NIQ*=S|9bxg7TK zWM^Kjj3R{@W}i}}o6keiok?7}wsK0>OSlA|lXOdB6S`KWIXPegS5sHBSuy<&!D-1W4-`d3!()N$z{u$|5%sf#rYSuf$bCvt!v#;K5A4-p zt1huIT0c`1Gg#J#9L@Fz`zIRYzl2MBU(1XH@xt!er5lwi+e`a%K&?^6m0Xthhs z2cqjp0g?33AMl&zZ(Djv=y20XOdmtK*z^<9`A=7hE^PD<=;=>?nl8c;A2=)5rX0Tw zpgKe#;nU@7spx%7xw2DXv4NY1IFJ@%Glak=pSA|NtdQ8 z64Z?j7kPci(-rP6==2prJP_HS&x5WhxWX)bJ?OqvAuGaCL0^#oP2GmhDZOyuzNet+ zO+65V9r$ZDbr0L1Ni9}5_u69(LC>{lOW14a1kB4%sIaPC|mW_C8M!l2qt+mu7A zS_kg%G&^8`8l3bEYA+p8gDgYE^43-JfpI`^xD+an$lDtkoQ`W8{!tIoqYr-zNspt! z=i-?{Iz_$^+7W<5H_iZn#Pf#im<$lZ@ITS14Jp?QqRLo8*dNEaTPUHR_OE1U7KgQ? 
z2ja;bN(OK{g%*uS8asr}02YH@a-nJt>J2e7yN@9Ynk_mbpf(GYTw@rx!YHvI>9R@| zM6xWB1yyocLU4mnTVsMKVNJ*~CB%|xw-MTdY>{e%VgNW>m-@YdgVgZMIRI3nGQee2 za9!C%2IUO~g2pINgFKVB4S##wz1Q#>gEMeg!&^a22W$jZUkUCh89Bi3ELOA`YXBcK zS#rD?>Pae(5;Eb6gP8mPxdP)%@92|iZypEaoo}=wLjZFF&^4k=dq#!`SnDb@F9^In z6E#2s4f*NN#BV^Jyc&?bRs;qB9{PYKq(8jxzS--A0h|7tm-E3*-yD>;7f%D;ee;*4 z!JnR+*XO~TA5n~)H11v;2W)$1UOWeV^=)6FEq3Ak=An>*S;NcUC-G$4A7l5dYO+wq zTW1mH4s`iNc@KO*YrcdUP+SIvM!Tibkme~$k#)upWqD2wvi_l11PG3L9P>O>YRj;C zPy=0K9bh>F(CF5U1O|R>G=MwXghn0E8|CpHIF^h&W3c6>;{h%*UqY)f{TZ2WEZkuEjSDFte%!;6TX6=^jb>L2O(Dwp0|!0a$Y%v&wel zZx@@%6h)4~v@31dz5y6Ec(QqO0AduAHSQRG;iz~4BsS(u+J$ZAd$s(S0_IsykWLza zKrXEO2s)_j9`FK8>)_88_xF#?hj&gT=(!It`ks5Z(ulDjR3jU#4 zF=p7$6|=Kyck-a#$pssk%Rac!@w<1zvlpJ!3(t^NFKZlv>PD#Qe!!))iC$F?``Myc&Q^8xCIQnkn|%rS0+Iw#$w(gH&~-sWGZ;91<9`aYv`RQB&Q* zrfu*|Kfz~1|^`@zG&JO2=ymc82{RzUj{;1Mde78@Fa@6ZCi-+r@@C_B>*MCkLA zYSV{NZzr9a$rAk`4yS8AxQk-qFnU2XiOHoVC7-c;uo?dd&JrTeVaWpeDH3)N*)SAC zYcS2npPC1q4k64Q7}GGXKj1Ut8044>yW7eF|G|t(`Xfp9=+xD%p!i8tBzy4`-4$&R z`Gg0pS(qHME!!^eJx~!EB7B4~LUy zVHOoQ+?S}C$i%-o>YVZ_{HNw{a$OBnLpJ$fI}rz@=lZ1k6+dQ>Y|h+1Vpx{H&u9kK zX?FBp@PRRYnN=Dco+-T?JOFMD_I&zJhtB`1bOy%y1GZ9?V=sep$!@oh%A<3Q;(9&k zMSl5{a~Ybb9;DPCNNkFMSa_VuA589}73D-fb5F@}3UxV>VSYEz5KvsYjmD@l@+l{8 zSEdfo>lY66h6>AEBvWJje=?SE(It>aWA3~lg9AL~`Ai)|Mf0xfixoYI3g^(cP@L7V zWf!;cWh4mnGX*H8d*lET=Z|RNgZ2>l6x6`?$e}7^*fAvYi@cA#X8;drB_l2wUl`a< zkFbauUEkPRHBoBN#tkknU)HzfdALjqf`o`jpq$D7bFz%5(9NIU{^17O3LQKY*g0J-XI{@pQa>{FYuPr+*2Q$!rK0wIr4$8jJ#HBxL}PapMeg zo30aWlp6jRQr>#B$P(ADltpUC!Jmd15^y{k{_CUYEEOq7rp0nQ=v15W<$Ry8vxMQR z9n`q*1EiUt7EC!nqL-ZqJ>Q31?x^vVr&Tq&bgpEeedM|CF~`%h8CV!TCr>gX%tyBe4u=YM{UU0mRxD?;^lMicc+$jFNQkIv$c$iV{RTWbJZ z2P1Ud%#b=5<6O)2RT;y~wea*kQ${8Ak4eZ3hmgDbh^EMBl`XYCbT(4zH&io8pG|Wo z7-ljzvkwz`E#Kgk952qskO2G}9Z(F3p)QqA+R@RV)t#KmyqL_rMhwkM+0XA=+N5BE z7B`u)##51zsi6MynPE@170G|mDcfM-^;sa7E6iUuY23R*nQ18DZh|F`r6^y>bwK!! 
zCrZSzGr)nKONJ55a~km?I@#Ro;}icdo;;&)t#wZLUTY6e6pz-zCl$7P9)w|cB-%sk z`;7*vUU&>eY1tfsMNKf@{>U<0I=3SR8cDk(Js(7KCPW$Yd14%cz9i?k5oe_XL4j!u zLd4QLtb4I>nC$l1XB|*ZCf_a}aXZ&EM{LOYnDDS?T#ZcqBSIZmlHV*p!Ki3>e$4G! zTbQ+6rqArZdC;|4^SOpQTkgSQi$7R{Jz+7E$tH2dHp1@*H?uT(zs+QHPYZm007Xg| zW9z9<9H-w3r714#%^CSKXCm6;K!YW%9L3}uh+7|`h1}GPn=5e19xY&MMg#M|)rXl; z5^u9JUNbg!2Aqlr&*RfpD>srQ*5;c|!9o$m!iBw{jxFW)dn%)G5*_L(OqMkI=N1^0 zh>SR*CQOdjvK2<>N~Af|K%ZcaP~fvtp+7=F*~s#fr6@lCO1DHax~bBi?HtcL-5u9> zXNX2J-w5gB+yFc%2*q`}cZxppbJtj~8Ji2sg82m+cK=s&O=U5?GY zsIRS$(^F6XZ@wP}eoV5I5EqT6@ zf0AWL`FDV@W6%CqLkyqtbjGJE_F(mSL@zQxD#wFjeV`B>=9Uo4ue5cJV=~wm#YBJ( zWFeD8GzHT4%5D4zEJY+v_Km=`f?)+O8{7iaP%>U(QsR!hl#h;;CW&%))!T=b{;>5L zS=kX*Ftmp(sfKkbN?`PU40GxoOq*a*x<~RPQ?M<4!O^Cu+JFnU6>sga?L5%}wTO$l z=#dc|x{nmiye8t<6@b?0dAoR~6Q{hj|+)uV4I1vK|-l=-Z=$xd-;_i1{yeH4>9nze|z z{K0rdEITf9-Q>+Yhn-|019F%b{BaiCkI_rIP9cmK8+Sc^aF)y;pp}Sq88h?5dC?1x z%IX+XSQfHx>9uXs7n|J{aArW0-_luh$yg-0wLtWaSC`_QFD4>O%ZND5l=Fs*v7(p5 zc%U-%MPMWcrf9o7Q$RgAi@B3w*)qqa3Pq8b8<*w;#$+1e>Y|TxMUa|VOV5XC`nq%T#rLq7nEMdVyxMs$T(+EPwBW14yu2CjS%OOh8tGJO56su$2e(*R1uYu8 zKxSl4`F8(~GB}fH%y#DeDX$FH1itr4gQ5EhH0DK#5GG9l1%_HC={Efm$dvHQfrW#Z z(D`BBd075HC_^8-KZ%Zji;?}N1N!U`%T~u^4x^h7Zg7T_fDCNPFA8A@3 zYu5`qAm?UZmWg*JaQlt%Mqo0_Whu?RXx9j2rwIOvX1ll=6@0kVDTwTrjw<;^zT^%n z66L?SN=i26J_yuw+iXU=v7)F&nk+v{XvS=v#bq6jD~Bars&F9%xF7Tq8|Tp#Zg5>R zCeZOTO^_cx)EAOI!`v~yHFza0nUcN^exi?IDXQ%}a#>9YaL(j!!xi|LM zvmMv9s&8ZY+|JPjd@?+5_VsM@>15w=xGT;~V<5K-Y_JgL!?P?SVeB%^>8xqxqg40V zKe* z0rdg*ZDV`too>0+&ALX-|3)owhD*`QhR31y@p;1O+nl4y@$^eJYn*+vlbqS~bmyJ@ z=GQUv>=1h9w6>}0w0YCqDwLyxahS=igK+wAPqzk07HK?eV~^0s)}kk*jD)X3JMZ zLPG&bZW1L~fy5ZOX9ITxE>A*gc}s2phIG&sFO*~2kBxz76l{>(5x{f_T=d7xe!@@) z52V1BG9(cfk(_`9FdfGF2IgS{BeFQOA~3zb^catgLXWM-$5fjGNCW8Dz8$+Kf`N;R zTy>ZNYoG$BVTo>8UMp~%))xLMu>&kx;MD~V^a5`fSV|0R$~bg&g`pULBS1020$ex& zGjJdpn5_$+UYJLXuoq@suZ?ga{z7&k<6uEs*kFdlA4|T7Eg#+L$ zci|}A2_Z!vsx(+SlYy?`4Q0SEo}X~;sjNc$6j 
zUlO0;(GK~+pndWOJ`6l7fVf|bN+kW!)Pdow>ATI>Xv8c}*JaPm+uRR1?)6>7d(Z>-KUXX0ARw0X6NAR~YO`s!I6wcJV1)L!I)i-eSc6?%6Yr>Wp zg|;eBv_uA>t+4+FRe`YKd2w>aQE0$pN=w=!V@Tk`mA)= zsZ_M*(noRf?G|nK0qs&Mv}%Xcsr04almac&S(?0zYSL$-CP$yQ_EakJQu!>U)ikNb zoWot}ze+ivqDb|2l=PE04(nS<{e9n~WRjPMM-9xsNm>A^0Qj%MkKqZBV=!aTz8Fda zoOh@U`w_ar3V_>)n*hK%06fKtx+88ehJl}p_7(tUL0xo37wj*UK>llCwR=Xl2LK;h zQQ-Fkd=}EeLb>VCo3A3W|0kr0RQ*H2)YAcB+ovr54hIcIz(045A-e|~qn8Gxs|8UUHwQSadVAaoG${0XV5g0QH+aI&B(N>@Pd zY!E=eJzqng>8RI^eYFm%{qPdj56VK9kZHmmgbLDi&d(p{-P`al11b4|0U+=Sy*ciH zL+T*oR(L@LJ6;MEY)GuRd&KA_f-C?xkvt|h@khWR<9Ki$m~G`6C1g&F!4i`dCdnFz z0(cMIw$cIEO%5`+ws}ivp?=8xADVRZ_#@;nPedF}{t8=woQ-}7I#>loIlXXz;@Y_< zrIg-Q>Lnh1MZg+X8xRl)lYle^5#>H9;7o$`v#!AFI1ZE!%FhC-mL^<4x`f?Lp5orZ z{ezOg`MJdo#9t~gW<^6o-yonh19r8briLORpdBNA)DqCAC6GRzyPR{5n$p>PZbN_` z&^0b$>3~Lka>7jV!yHAd8B+)e^9Lk{X<*{t@B$eb;C~yT{B(f6<`qM_t2qOn!K^`@ zVI$xoKnEaoWI8Gxsg5uV9ftK$7C;t2A7e1!ydJKkP$K-3?vR=ET$|@?T7wwyrPsa@ z&>jgTX?cBq^kX;Z7H+IunFj0p1csw z0jLA!lMjrhALBlinF||@Hb`)g3dZ=Kg zkn(seCkpz6ES^`AYJ5)AOK7!9JG^qhd~hBAAF>DCde9;dC2NHSL_4Yo*-CC8%Q9e3 zm^eVm=a8y0*e`3tzALF zq6U9ZHBq@Dx@tBdZzVtlrn3*fgNpEYa!H38@W;CFWmlwNn8a>H0xrdgHsm0hIZW`S zP?rHT_~sqpXCSv=*sYR-Y&T=;KKTY{WnBe$JOeNT282la`~s0MF2_eQ-pYncb{fjv0zBh3kpe$Kof|^Q zc}7$xH1)sy1XisrB|xJPy|W={!j7>|g(<6N;AL(fS|ROw?3~IQcWy&dBhN3{qx3ES zu1Vfbm|<-^PvOft6Lm94kg*J#rE7u~riLU&~U8F|T0JgdM$b>xD@P zcI360M?*ItaRtErKt>>kLbzkIX7>TJ5I}$t6hI&-1Q>Ka0YZQfAS_K0BnU!s0z!yk z0;Z5D@&Q29c$=U>bF46PYFHAagRMyI#^>#ivZ=E$G{q@%4xRcO>%@c)4BfEP`n=_? 
zQeg54Ng)=AAf9XxIO>^$l|SQft~2a`xZ;rI_Q4xaicudwG{_o|t-f~qr9FBJ1L?rU z{YhTaTemQ8$k~2-BZ6tQX(Bgp+io^tnRNs4H+X|@3b_9OZD>Q6&_wu#HO8H1C7=E3 zAjH%Nr^Y2GOmAjw0P*Ru{3vL2y!m?KuSg%mEnx?~!?bW@ zIjz~RA?J+3LIa>=w;`?eU<`@@##y&ow@)4N5|BPRZo=@YQ@dUmM#D8(=gms>1aB^3 z66QXpSueoM<{d_j16&77j`6K<>p^XVaN7!#XW)mIB}fMvG2MRO`?00QIIzHh0P;c9 zRtSBln{IgX8N+T5$Mxl2xOijqBLHhV8xaTF*T_bo>Npmsn+8-_rcgK4V<9{>0WD+w z4p&wYI;nXJyRoI-Ruw3p(}V?Nk1B;ht0|JbvAhEm!#LSMjT95cK<-6b*JKlyKc&9} znci^WAWzEGjOLvjnxm+QhH$+^d^~E}Df~$B9m3K&G9!kC9lz@g~|gx`uU~%1;EGlXw;Lb{WH>1R0`P z^$Urjg~j$(K?`c03&Bb^;^{# z-P)OO&ivNJO@28X$#O(+9!AJ{buePG#y#ikIckX1S9$71gGDBucM{l37l_q!q#=hu zAGqFo1&0u$Lh1=VY|x3tmv-hxxkC7e#b+GChs?79LXJ-Jsp-=21p0X~6OV4#lYo5X zKhRGP`sX7+_h+r;DZP zLj;eFwir}fEBphR8??4k#P%it>4pu~NLd1EPBV0#`55;7T7fxI+7nK1Zmh<@%YZOK ztdjhY{Js%T)+UyO4T~UFo0|j|)zyLvtl3u_RC$Gb19A4}a&Xb|S~z3OD@TVbK$yKb z1VDqTDmwiaN2=rq4DF01JN9&t@qw{JMxz;Rz@TNeRcP>JwyuY1)6D_U2qM?8aqRHq z?Y}@?T4UF1c5Gl%Iz96=-M{Kg>jDoLMb&MgHhb(-tz#f@nX0J)xB-miStG>Q!_}a6 z@j4TTAIY_R=ND`?DjBRSuJdeWv$ z3e9n#$mr#}R8-I~QD~gzD*ECc&@%>9QX?NQ)~sXn z=quuI)h2^0y2aU4G-Fd>Amv&?6teJS+zzURUUYw);YyWzlHJILqi5t}+FeqZ9R<=uHuW zxvYR_G&VD9Krs$z-p-M?zU{r7H5mL?_j*{7__cbU$L)8LV^9o0YstTuhOmci?gL98 z0g0htf2i|9zulrAV=Schu*8sMP$!HT*p?-${eCH9gULSr#P8>qu@)&kAR$T_oLX*# z$>K8i#acx*wJ(}CZJG6fgsDedO8dBkvHBn|Xl#A}w<}@!H=+g)%wxdAG4ym~6$S_@ zMR<9`DEed&P_2Lf6m+_70Q*Lt*cO3mGRxh|3QjjFDrF>;0I3f`;aZS@Uia=u329BiYp z{$|+FopW3ZfZySgV@8;X{Oqm=BqSe_>A-KERpx>m7mwoq#vAhQDpa$^_2nLzZK(VM zQ7w4}#O(|q#T*7pHGz0oi<4@|DX5PHh8ko_`5MgDS7Z(60UPPgNDhXVoot9{XHsC& zO&e|;K!-8J+=+W%Zc~44S9VL>&+zP6M$yA^dEg@R{cM0aJe=SL)=M~%`PhY;UD>hc zvv858q`BU6aVj?7JmAT{-*e#eUUegm4`?E05FYXwLJ;G#tb6;LX3TY1;&xY-5td>2 zMPv=eSJ7e_XGM%zj1euCWtO;#vBv2L#gzSIR>wT=`A}e;nTbvr!5Ki_{@Zah?151W zAH;D1NRNRAfkm1nM{4i@7#YH3VV;6Xox^)p!a!WRm_Yt~|#q zwbfzVwZRit}OpvGDU6c;TC-dRI$2%IXL`EWl&#xs7%7~x|w9|$0Uu1 zXZZ^y#mnBNkY+^i8O^wdEb2~ooI4!j1>5qR6LP~dPE=->zdL;L@pf{?3!JezCvxV_ zwt%-B;{x7rYzsNVv0b>WopHjpcg~RrA4oO_yoiC4V}x&v9}}QLgt@zZ0sB3`I2b?j 
zF;@p4(Bg80g))xDt)$sR8nt>*g`A1X+HTk>OMKFTEJ+p8o3k!40h8sS>tHZeSPo0=baCh8Kbi=(f!%J3duj3x>1L~iJ2G|pr`9a8w0Hn+C zkH?9h0P3l^9(xkEz?h+F=+OwjJzpYqjn$Fz?fq@%69p^a31XdET@lA-oWigIK&T+ z0Kqu(do)HHeZ7uhFol8L50f^>a(WvLJ6{emyv^^@hzuM==3a@%3*4BciVS^&bT#}p zW+nCjtXDv2k5Dv9E)Ik5M_sYF-jgRY4tUJiwD3M^5VVmYnZpBe$gx!0T}6Xr0WO%5 zG%(n(fuEyIwT|y$A8ekT5Z2@vjO@^w!bC_J>S68RDM#3Zxiw7Q+pB3>!oP;?iNRUI zzjQMOu#+tezoyUT9L=3AjGv|$&6!R4EsX2{s~Jd~PF%fJP#j#eb=$Z@qd|kayF&xP z9Rk7K-CY_F?jGE|arfZv4jn9bkU(($@8O4Rg~qC2S{fkmH1bV*!*dcX<7q@EV@tg(4k>0fB`O z0w4#TFtH>PQt*C9mH{yWVblQtSYt=zfTVapQjQ5Fpu83Odzb}z9st~!2T&XqKCr;E z4y3~p0$Hh8)0qH3fFvuBK^+7D62eH5!>H@qx?_Gv2h1a2q=ge9cL=}`%XO08zkfIb zvJjH!5Y^yN2`JIvkeBg3F+dPbltAVvgfAa3?^y~T2!QKy*{5y+!1@B8jJB0mWJY=0 z=<4wU;sOEP{~s*=U$FFl!SeqB;FBH@ge*=-nWwJFLr!ahD!PuCSgT7(uT|M`fj0R} z!+-0oV9g(Tu(@aVijQqlMorqUG9PREJ`jKz#&DxVa4R$tGa^AVEWkf3uh$us5pK~U zBfuIWWhPVb?_XT<3?9-_hepwKiR*00dP2-d&qg{LBK+siisF@zCC>lyMmI;-)|?Ck zT7mz4+6dU4WYwMmLli@?T~DZ6=#GWxE(-k{Pp#8GDn=p_j1(Yra2R$#3U@9h zEa6GA$Cvk}mhU8s{b%ks+&P8+MO^=bQ2!UP{STT9{hvXm|3NYTi|GCbDf};@`X6+5 z`v1Ly8VU-FOOU9%^PV4wx8X=^g3$tXTMe?O9ngA;uOL%pxmS=k>3^jco zJc(Sqy0SM?XrcrkZmnN)tr*Mm$2>&kAP7yfZgsV3A!k~n{WzPzn!CSIt^B4tPm-&a z3UEl_!bzhBUL*uSli1Jz`;>)Ag4CAC^(YjbwDZg8NkDFF6PN2p;P?%5p_-OS;{ZgM z0tWB_m}k14LLOCPdoa4@dQ%@@K$!LhGGY>%P{}B$XlUyhnc0N7`9&q0FBX+nj!o4< zS~_|L*nf^s&o8e#Y+t@2!{AXe^U3O(Ik@@a!2(PV1SG*Qk+Df>IfYea4Skc_XOZmx z0Ki=S3+MoC*lUXNBTU;a+v^Y@0w%Hm2~>HTJRdWoJFJoYv~>p@6!Qb==53d0t2p50N5ZC06btCHuVQw zK71KM9byYo5AsixX;j8Mv}KGPtYhE}#Umwv3Y89@fr5#ig;N9sPzS(#gE1+BwSo(R z|Beuk2$PA_fZT_&fqIJupO21@L5azRr2sSo`@;ZYb6^40?Qnp((*hC%00S=~KowvW ziVXOH4`=}oqXHIyfL-u8HsBepkc9gaKn{QlFmS*F_z?giKLOH60Yzkh20}m&5nvL$ zN(?w60NjFMibw#MqyQ2!04v}#KuonT23*QPG(aKG0aE*bnFj-)CIBGx4PfUVmsj6E z|LYczjY-NRAoJDC1rQvYS<=uwwzPMieJS#oq)DL)`UWrrN&{TJB-Pe*T!}zT0IpZC z$RP`rgDtP>bVS(L*zy`#wJ^8H98`S(O5ABRisbL#zaTJ{(8xz}9%>b#cNN~phmnIM zysy+hY-)0~XEA8LP9^LW{>sf~MC!6-{~DVRQ1q~=K&XeBniY+9&Wr8m>eF8_A9HNk zfTrX>>Q~Q!?iF!MsB4suzp5+1I}HAOkm?nFfxVNWjDm!>lQGCMP5N7Fs%HgP7G(3s 
zy;=iM+FJvGo80BYH&jsJjZtj_(|j+mgxT;yId;wt$=44?IT{)(?l*a|QFSG_qu11R zJFwCn7$aujwdL|cMVGqvhHG+`4F2@>fbK83(D5C_4%N+Y(PE$SXN@6JGb%R{uqp>`z%_po-`?3Fe8$%tXU=rNScKKpO+ z7HiS!C0&%@&keTB!8KA=jutfp=M5=Keur@mT%Vlw|BA{sz?kDIwk>=mRRUYmy(?C< z9eQxK3{3wvhc!c~7Z8#zi;eE5Dl?%9OdIs&-+i}^zr2!OkE*d4qS03tj8Lqv*kP*NuWKAEslutJ#&nSjY; zWI#2J>m--t!c>=ej&yJu5CEOexE>G>FO0NeVq1yhTaFHSK$>9k3VTkj!ElAx>$k6c!H7!IiH3Nj11;oLsMggJ#p}W8! z1LqAnOiT;_9Qt5g6JriUIzkvmL0CCmI9q@CxEzFv4#b}`NGk`(*Y5xun8<0^*(^9T zdSZAg1ZFNo0ZAl<|0X9UfCED#3&=Z{D5xj+j4m1P&@P}Ppoa?5$qRCk1q{lnserT% z0cJLi?mj``vB^71M~Yd1hU-xZm0gYp0EQHh1|*{P)db)Y3eGNs3`{|fP2ODazJQsN zBnx#RE(1~X`2f{c&@|-W`q@McD4j$%Aaboip>EF+u9j!g<}wF9NrI6nB%bGnDw$|l z0)r?rIUt}3wSAXI3QbJec{-@rwKm`@-q-p7K+|>;J7_onBJ%59I+p+1uLib35O}%y9YEo_TA{KIblXJD7<%^K z{!#Afx{hoW4D8b8Ldrb66 zkh9H_3r?@ty>fiaqO8>>uWxV+2O<{f-MBs4qtcRmNWbvh7!+rGd2hYCvrAU-RdDy} z59`!j_j|R3Vk~V1B7or+mJD^Hi4Nb1pZOKjy!VN~l2`xb0Rj^Z(5g8NWaeC}RryBu zTN3-{`bU3g)Zyd(7CZcBS{NtxDGZMiErIj5)AvO2iRC4nw^MV(M%H1jbyY$kZf|Cb z&z6lpnHF!X%~EI?%)$wV9mOC?!W`yy44ej%b&yJmFj{3Wg8)J-&Pjy6>U=jHN0!pc z{?z#>IQrDp+>PdXzDGdYdrEGeDw>LU2cIP)ZcYO zRpuG?8`-1YZzBAZq?H+1)A^bP-d(!w*b)xadS+nT#C6Jpr?oCqa+olk99pchghD|& zPW`f&McO99 z$^lp_*@L%ic+}QiJPQ3oDPka-Xvu|nrC_=mlV*-CAYkZvV{(2GvYE8+a;A2dboOEb zr_6zNeF{$spoFaPn1~PPKv(U6UdjPUfSBtfK*!#uhmEt1ou!HXilhD?d)^`Q-bOQR zbw(O#+vdO8KIdDnv@yhPZ}Q71^RGjlQ^g_V}z-)pd9qa+E5t4 z0g!DjtY;yqhwkiVckTv2LqMg(xuvL$0C#i!h2Hgn1xFb31>n{s6vh$=z#0ho44^Fp za{{H3f;B)^jsQ7vulb-*lfc-tYyW((UwJ);a#x}6&?E(5G06w22KWm=u>#I}6PkEY z0+_A1A)YAWE>>CqV>=EHkB}tyxOAvnNu5dOFw}Jk%zVo64sTuPLSRh}=^+8w$-jF0PwaPBrc35ytb^IY+M{1mJWh!Y!;Sgp4R^vTmQAb@%!oM z0RZsFt1U9H07@8w|Kge+>_;Vs1ONWK8v?|WrNeDRqsupAeuZ(VY#>$Qdl>Q_(9w%O z2~x)#_0`sJBD3w?QtEB7n%HVyLU_Ts^#~eg6j>~AUz9#a^4*Zje-(kf5{=0Yo2k(3 zV=t$Ylt%G3TsIsSj6O6m7)9+h|474O<1nkpX(cC!F~H08grTq2pSvE_)pB>K&N_Qc zE^utV3w*A=9dZbqs`5J4roxxXecUdN5Gr-3Mnv8c3kcYnMLoz=9eVCm_^-oKoRs|c zyD9!|lKZQ|@u9eXp04uC*I@;Y$0J3Q*!PTj=YM^p6#6&ZTs}b*@{-)ucyDl)>!m6Y z`L^460_=%eznfPd>9=wGX<9lOzJQ~5d{@SY!t%{6-W){l?>68jrIw%!DB*# 
z>nM~qgmGMjuwL`7PuTo>$K-qxY-kjUj&+HN1=UKF7Bn&0&qfA&q`g8Wh4DO7(*{`Vp)68)>YRvZNddk%PTpoi0`lAi zMi{$30{_t4%=^%>=G3Q}SjKD%O_j2?6CHNwyC%M$-S__F4iJ>~Dm){NQGp#Wl7p>y z_NzZ5ia8je3&hobhb=W$YB0+w#`)mQ3cNy*qq&F}^s9*)>Zh*zltR3w(Q)#d2UpJv zd)y-fxE^szQ)=@8g))zw>vH7G9x{uoTY|Utz zhXxv$mr(;4AbN~Trk-7$jw%NT@6>~b?y|DD_}S z18ntra0D*Q%X!S;v+AX!@pLC^6-Oi(m&i$egS%49{SMr$xC*zY{-Q|oR4MVoeUV9N zQ%C04v=(Mz+W%z!dFuOEW>hxiZ3paGsS>ZI*x84EO0^YgpGn`4PJJMw@=1w!6qMUD$btDP2ic| z>xoW8S!B_^gLChVAkHb9PJOG_oW2oQz=-+xkCMSUYT-|XBJK~8VfS9CRGxLy7-({P z`VkdzKgB=>jj>G1Y2A!I6_QN92HW7KKo8LFN$MPK91+fu8i89w5t_Xe`|dcs-!sV8 z-C|b$1=IeYyu;LWR7Uyk_+;!dL-xfbA}baj>nWlPj%l8f>9)Ru@^omES8%6@ zTjk33p5F|wr+lOOG|7VIg;xKdoBBZ6WaWRQHOC|H@}D1SqOJ7|xy2M$-Ay`DlJgbPoxZRaIVN z4g4zAnde*md^JgPUj9_iT!^X^_fzAHqubNSjGRY#jV)t;cjv&g`QJG*g3qf?e?J zU;9#SNckQ!cRupzN^m+j<&|3GbO9zqm>k=hj(J(W3ZUY^YLD#U*S1*?e{@ znUFFnq$Qgp}eM5t_nGDfI89#|7RvM#H#B;(`wCs)HdYaRWZE#z|j0bqHfT=$-^_B9rIF8V?j__`95_{ z|I2^J5!1t-HEMXQUwn~|#Lk7dp^y2mB)(h5$Ap5dB5CoD{(s(nq-EL-0CeAaB|pf* z8)H}#UM$*xzG7C-SBra|7d$Dkp}7?*YA%1hmZRkEqV)A`o-Ofe0ud1YU4@eB@aO_l zZHt&KIK16`7=c>FrKl^C!<_09l}CtbgKWYxjfeY7m*6?C$Z)5IbCA67R4Wl5SJcD~ zOlQFJFtSjPqtiarJzjlY!XN;}*w~0Rx?HO5M}?%LXJN;|o`D&)Is2IJ{K#{1%V-12 zX>(VfQM^fSF)OCrCY4)^g5GRg6=ynE{G9_eU49KsSpDfZ!pnX{XH>moZeIrdZWdK* z;e6v~Pw8+T@Oo+m5l2=2xP7mnXVeo!V;quliSwbl$T+l_opbt# z#WsVYT;3Vna8GVvnEz}PX2`R_id^Q+aRwBzUR&2I2NcV8fsNX}*!Y)h0e zp-g7fie$Y)F?CP3Jy_Jm0ob8|xkP2!x_N$)f>asv3vaArRjB@%!to}}hNRBLdup(? 
z%<70THf6D^yK?^g!)0lVVF`Jj?^amLz<`X$;T`NC^2q$N<*Wp;#gQ_y73AVgm@JQJ3>eK!b zr-r!d4q)Q|&+^Nd0j7SxwHVAvO?R5P>S?l6OyW4!;=@Z$yg?DI!66E(?)=xknV<~; z>|gVvAMtx|YH{L?A>V~ksY($$P1Hu8Hu}UF`V$tU?{0)bt8#umzo`C94y3?_)aVPP znPu?QmL@L2kSTbsqDXejZHhrt&@r9B8=Lx`0mAqP5zshZ`N3R%xQ`|Agds zM}NMuHH`oU%{beOXKPH~B%CGpblBJWE#>9(`kW?CuAq}&)eDv{(Y2VgNc{YD-&_R$ zR?1|9s1L8UimE$~f?+(g4{m8b^~Lx+qVTt)l~(0{o5;SPtCGw8fs0(xDbihuNAxua zGe+bnuX=s;cQ^18wm^qC@9uk8)u0_o-7f1R@@-ttQXUN{2BUo)M)ZyQcd;-UGlpOG zpAswxcIPg=a`E~I+Mf`Q;*uDv;O#UdWTzzqf�}8Nv>}oU0d13je^Od4qQTq{M_5 zDPLuYt!zI93YMJ*S%`0E%71$E$l0?(S>V%7_O)(~8MRN%lpjEsidv|!R8L%sD6XCP zFP9r!Ho^NRmLugy%1x3cQ>oqF_&H3lX(}R+!1{E~jQ?4mw#>uKESD7vXb;P(;7qkKW>&PaRo(4QU4UI#hC(o&N z@K*g*Nzz&cH(PEVuqTkcR_`z*#hVaDZ72V5w6rsMf6W%^zNoyMNT%I=Dzpc7$zPN; z5(QH0LyTAC|EVAcOP8MRG1jC%`+@jEc5z7=3Fl!El^ySdF+4(jzR@j_{ZR=c>gnov z202Nwpf+v42`$kxL|eIko9F-O&Hk6Q6O9duM!4Z4|5q3gxRfhyaZU*s|FIHBq288S zMpR5NGY>PV{#E&1(xxCUn8io1V)hCE2r9z2Xw(lnA?3pb)~o9+yEfrj1Eu)_GcR~D8R`F!PR#C}&Dn&EIQ7*Cxw zvdty-ofv8Nx*8vi1L>q+PS85#Zg2;>J}2O-z412k%W&7RiDXH>ej~Dm@ektXAJM%} z!>~UU#bVhdz1m-KYcvh{MP0gxAUKg(V+&6pwAi+PA;^!weMC3#cNv?N;<&>wSZ$2o z$6toWoxJ!!i)pWO-I3GFsfN2IeQ7;kyhmRaOWla?qUs4L*{MRpJn#UK_#YwM$K)2*+Ee6_|*v|}(yGVshqs@M!>{44du&}Q)*67xQad9k$V zL&XShkM{!x*Q%HeCN($tMdMxyee!;ZA_mJIhTO$B&N)2GWR(GS9UpE;zZlS9(v#*0 zpZfk_SpS0-G##fNC3K8G)q}uC)|j$gCHQyz2h(OiG>s5Cmo~`ArRbL60g>wKnw+k~ zls+UaB??r}kJAT|$92r9maMzMPWnAC>yW9MgxCTEoiFfLbSNp9L>qI(qRTyQY6hHk zP6kCd@N$RGqz+~fli=9WB#hU}D?aU}dYG7a)R6pEtgx|QYw*r9%(nGjyO(jit0|o# zsJ=aJHhwg9!Nq3ETZo{=0?ABsE!iPxH0tuI8QDylDM{m%Aw@LqW zYAif@gE(KGh?X7cXJhWT`!{$tk@P@`f4jPhf@uDDbd8W4tf0Q={eyLRGWOt7vK0OD zfF2X_u7`vZprKf7x^m+hbN?tyb;T^kh76azE4eAug`bEz3y>2o<@vK#`$a$%tYTSIAe&H0T^N_p-+Yuk!6G zvrfWPDoGXoP?6sD5s{yWJNC|0^mE%W#w^q9!<#F8xzSxMZ$<&8WIrOCx^3s@ zmG7M*plhr8S4{=~Rh z5qER>vZpu9YxWRijWpxKZ@i3>K$agRcjxXnqyp`2#dhl$I_X6Sg2C!6;}st3jApgRL3FN znkN&!0^S~c13M)BQZ+1TH!^J1ko~J>dYkxtQ;Ykt1cjNj&{`HmAAW4mfbP>RcS3*3fb>E!;pAo 
z*ZRRmR#z+V?;?@Rn01%8bgV(pR6VYDj8ddlqP`#_VN>Rwy58iUHLd*{CEJ{%xsF@IIbnyH4b-?;Ra@ft!$eRzN%2HRk#sE@*q9yk8N;{E}^KQ^>WM;kb!*kfYX`jn&+9mf5rky;3 z+qXNc0Yb_xV)T?hk>ihxnHef&zXi(5Mm>B=o@PV@x~V;w>wKBAw=Q$>+Wdbk>4_lB z26r5`{+Ctz^HuN}K#FMLq#OwP=fxNRud=n6@yhS+zUbq(q{-6IJ{?ZW_R zg5G|5*ypege;l)yq>h87(qZ5`-9nf#_h-IV%6-9zyi3FxInJJS9iK1+`l$a8O@Hs4qezW1w;BVJ7@lNt`cx z+zSqDx*7sk5}iS8SV^ZF`p<#9T=tO*O$a8K7k}6?cP3m=P{p)z!y~%zKG9Cm9hdIH ziRNXpx~&5WA2xx*FP!j)5-GE- zGHoT)mhCNimBPUo#&Hdl!ZAG1SQmu5=3B1#cNS&Q?uj>5_lWIJL-x3aZPFX;n$DCm6Dd$31w}A#OtH+C9)2WP6c{x z`=21~Es8~W9J84vPuj?#i;E|Ye6G4qlqz!cJc`7F#SEVroVoI;)PHfkM!}i`4|#^$ zjHi?=mQzd4i4CXCe#66n#AjNZ-M^BfXrebi$@z07KTE?!!ml5|@W&x8Hr++=Kbm&E=MChBnZ2XSK||UMO@2 zV!pvHe--|rU&STq%!R+5ZvAQ$Za(fG)pm=@>STUfEMTjrZ8pQM!i^Ci4DJEtC=`?9=6h=8V?c{QQed ztW&94IPt$g+aq7U=Pc7q1!<14dtn=O63lS#61SH+3d zH2ghd$K=d>G#&OK&f4!HqR*YD#w!`)#BeNu$&AzSaoZbzH`8}Y7LE6v!`t%o4XNjd zE>Xw`gD$VXA+|rDuo5|M$<810FTnnreqPk3Oa;5$3-2Iq(uA7s%lsE@E;?-YxG-GI z>;m8jGt}|ZQ6zbmFstc4T7^<^S|94!VaUCk=Mh@&F(r7>8l|Y?ELrQ;i1S#BLVd7) zqSmciipx%HVb!VlQ0@VsSsh{3ic+7Pdh2-I<;jJJjtat-GI27_=L3&*^cyu|YQ`*` zY}C^B%gi3h@NiOW^PK*PoNE~H)-|Y?C#7|myzkfv#Q0oKG;^Z$lz$bt?<1T?67AA7 zB3F$M%WDN3MrB3D$OZx_X!x59*i@*mGyse!PuTZN}3{=$dv#Sk5`jKMeNriZa4?b1b zw19ld)vpYKt@O?iT7U*@EsG-H_k+eGty>J2fC-md$js6DfWeLqUIX8~ysfO+P&3t!! 
zE`k-*j2tMVW&gXZ)jeEJ&9-H=p7t-v_M7`nAjWn`advIs;spds{Uo<=TQZJ*m=ARd);yvlasquy!aT>7Y5lc9&hi9WnEo}R?-SSx49rRYbCQ}OnQn++HaYU?+Sj(RIZ$I6 zWJSt`P@~iEE#qI3{2~7qDmvIizarp`UL@=s-8#2Wht$%;ZYhFv2lTIJsIW~Dbpo3xpvv3kh)fLz$+p5Pg&ySbB=Hi_2h zBSy}F-TJXC{1Vv);TNSrp~2?BnwIz76EIoXi?1Fnb7ogCdLA=-T0>h{;}QPN{u0|$ z<;Lzqf&mXzp3P3mUrnlg-x~^`vu8}8UQP}gV)Z71u6YApM2}xSV;AF$wq&U`AVzbr zl>>>@pT4f^pnrpzxmsP4Z{>292uUzWG>bl%i(WWHOL1GJ?_acQL**?wpmql~&15OX z(Ea15TFz*0Uf}4=ud7T)G?5om#Wn@!XpN3~*Om(bD>usT_Qx1EiSmR1DOAq37EHJI z4h8+tX7uV|55Z=@aSvPhFOa+*DXfz!Z6nmv`?_&dE(q^j%CkSN$Uf4BAb#l-E#%q4 zGH|<02Rp)*Iy}4}8)EgDi5-(Mw!nF-@UMF4lQ7pHWCyMpBy%on$&DV2n}Uu$P(>-- z*|dXZ0|=mTeoSa)9jNGl(;kmVE@a8(QkZL(imV0-iJ0JG9WBaJmnHDU)aXR22PvpA zXGx`LN(H0Cm1>eA9q-PYYr+cziR7)LRcPnp^vv}*#eWq;P(FBswxS6>^L1!=!2uBM zMw~nM!>ww^eor|R8Yfrq?J*cM+2|X4-PdAVruI3(?xVYmGIT$jN`B0cbVU)@kDW<6 zkMzM=LVg;%b2UkKOfwIq)3w}I3vzZ2^`j!vE86wqk`T7>sq{*Zp>nivD{(&K=KN&! zZ`J{Xm_sTXexR4cBd{pn%%G8^W!|iuP}nGVHuedooXj$B z%JZ?(8Jnhy3rqP$X5$j|wMdEooq>j9pV!oqR#@HmQ9e@;*;HBd;YDm*6;xHPkP~Z$ zUO1dn?~8PkO#S(={VP-%A^wYX9vil1|1rcH|Gd9EH^U(PR@PgU1d}O_1;e5lPYS=S zZAiZe*&JVlE}9Tf!1N0)@KCR6HnwNW|HWQ%9QzF2LLMQX+oG3>63ZKR$zksbEq>TF zNm{=&HEbxGxs6dj?q2;H=#|Q+g<=|@Hxu5+Go0y+R27q>L6q<^vI3v2PkMVB*S%Tl zsJ29bvfz^?1)~lZ8^p3lg)EdS*;@ISZLhH1Xt}K5skMu+DW0R`W5U4fhq*VeLi2)_MtY2dX?i-WAyzjxe zxTs9TRg5VOyCb<4?VssaYoM19-8GcVk8y;=&JELD=0t;T?GY#0urY-q-E21#_!9H~ zt{scQP~wBc_?2pSN3Su+P%r38gk8d$yf+*^)FUo4$mg}+5fNBwBQ zIBzPwaSq~(n%!y-b0`|i@m&LZHQ4k7pj3ODGkAU@`T|LtRsG?SlC3z3C)!ab5HqI7 z;}{c_kw!C3K4ztY9CdzWQx>iWTBC%beJd8(d=XrKeP^E~4(C3%6r#!Ty%*}Avhmi5 zsDCqD`pkZ5rt1(XXH8;vc3ex&W3|VJq3e?ba*fPc`ZSUo+<1LM414?qU0E*j2$LRB zp`YmbBH$HgW2?($>EhbcYYbLSRq?lYi`peh09meWzN89@S4xbh-B)E!$-qQGOpE0K zYbyZS<}Bt+-&8(2GFCvDH6Pa$OW4$3EapdWQq`*3Z%Wno?SC2K-JdJhRLFDrpwN}- zILdOtprq*2TIb;YKJz7};y#Gj16a)s`98bJDn@-J+LyEB#{es*o=JH8|1VW@Xa-%`m3Z*szz`Smu74C z@u2dEcG9n(RfAZ&(+nT&ScXQm#^^URdy%ct=03F?Y=dH9x4l0NMi%)km1c_tnTV+N zRm!00&ZDi|X%ZZ&?gRM83iMc(`}DmZrG&92Gnpg~^yY;l`+3tjOV7z;IJ?wYn2mN? 
zBg1s_Q)uD(5rnZ~WbpD1Z{5_ZMc-+u2TFQdx0>V@MRmEu0!)I@xtXC zM`!M*XKrP;0;{#ySKDOa1lyMP{ikMqIu#^=DZ_~_@lndL%1c*9n$0{M{)sF0l3je| zUZ`DrfV?E3RE*CH zN5bfmXuu9`n!}W14k-vo7E5*8_}pblF2nlixtp`8)n?jMaIB3*Y;mpKXVhcH4n>=D zpjM)W+d(lR?=moz(ot|-9IBG2rr$I3kD`nKn^QJpqLpK7F3cwU zYl^BdCIf9`!=dX3kkSJV)tf!)^!y-@KUqB52$x zNjUxbV>k0<-KSS|4*;(+jTx`6DT=2FTTBJ<8VTfH6k4_V#49QD& z_KlwvRlC2QjJj*A;Q3$C;S>d38KgV((f%p=0vNAgT+FO!DJyWXKcd@b?LciW5`7f2 zF$n7@g@y$r-yVNiTT)jb7yKOuTQsS!_30bI+SjAD?lgn1({5gM`#;Xqx!P0SVFRu= z5Z}t>c50$ry5a5gQYjm_DyFS3PX+n?sWJG#T@=jy3DR(LTY6WDVzNb@=GFVVnJH>J zC5mN%A$%&TIhz{aap}W~1*-L8z4?a8Gt7b9geb-Ktm`Qn?2W35OF`&D=vOm!r%~J1 zN`D_FP6%CQKkoN2)$$y#$T8VD8TpnG^Ou|8)fOc*$#LEohmlXB@Yzm4aUngUiM^Ri zo2M4$x4U3D$lt!Mux~W)-3;W5-ze!<|I+ok=X76}jr~*g8^)gvFt1){tKMRVdR1Tp<{rXPmb>RMmC+fbBc>hrlObDw>X=$SsDY4e#07X_m85zUJ#M>KsZDT?U7QMg=8`kSJ8 zsg-wK7tWx5x0(Frc7nK7$zo}gN3gwMFS&3p1FpeoJ$u+G9ZI~Dn?9p&%GyOrhM5j${*$R{{A&j{accsN5e)&x~v?mee@%5~2yx5au`>`slmim5bWQg9+_ ztkiUGm#T;kjsLPCaTH_#KrW`W&eaez3d;P$GEZ<@nrVSpLzyY`YbH{3jK&ND`By3X zJB~rdbnoEq>;2aQ%wyj~8i+GX6b#SJRVN5_6_J}(@wwzX#mp`m{(UKrd)F>i^WX1p z*duoI*i7wJO6af1ie{s71lk({zYeD@;dCz_BqgvOvQM%me+_?4>s8k$NO46xkWIUL zw@V+?ms9w()_iN$sYI=G8YL6CN?K%Z(|UC@T%Qp0kXHIQ@pD9Jlkr?U z5@}GCx$~BdR@z21%o_{w+2ZSWQS8;yhiiG01NdOE&i=vlA1&}BKTUdz$eft;gx+IR zk$j&D1OwX+7RQLxv!y0!U!KmZ`-ZZca?E&Wb{cpF&7y2YX!c%JR!<%;t_(AE*RA0Z zyGm#v>9A8#sk&{tW4uM3#r;3i!(yLUPz~~*RL=s{QoQGIL=KttxB_ARcH$qUkwf$9 zk3$mlj>c}iZwXEb*S&mOlz&s(bVV_8R*at${NbW%Am!nemnW67V6`_F%hYI9NsK_o z`?XbZ!J-*LNUO$2B?2FCqK8d!Kk)LS(k!BJeYo2sm1M5O4IS@?AFEY%=?rpm;b6(_ zd6~@N7;*c6c^hr`#jco>%$8&~{ASoO^?$lYv4lwZf$gCIRT$7%#Js@7Onq8^CMlC0 ziu8v(Bp_XD(lyVt>?zM0q7JP1FOX?m9m#j~K`^bC(01mp;8;JoAZ=QKEbZoOQqu4* zef)j%Wy?_+VcP{qw~&Z!eGYTfJS8V3HDRayAA>6|w+>Bnib-gbaCY^@k{n4zZrscO zXWU)3$zneysz`$LkK}-=+<20G!9;8lk}`>MXAtKLm^2bMh&B5AgG*;?Rh?^_8RdtL z@^6b38ubjsa1VRJUJJn-PL&f^7+>@c=?RGnqgUWj^-cbML6sg>kQ=gF7`HU5c!+dR z(c2pWKHVM=nSi4=A6DCE@lyp!Mm3|EmU()2&KQ_ zPsO4>NrZrfTs)~gG&XvHm3k5}YHz47?G(cSY}Y>i>C@n+d{{UFbNb&(@nw4ypQg_l 
zM7UZ6k7@p42CD>Nldc@2bKwDDPOL5vAEJtYWa~Xw_>K5H!@z1MNZADR<0iY^CYjrg z$P~d`jg^E4VeLA8>;5)4Sxn_S0ngi{KVugQ4@QgheE~X!fJ(eX{Za05B#Dgmdg=wr zzuzJvg;iOE&CH9uZh5aqaKtZB>!HqRHIWD$Ik5Pn5U6tdtG5u(-Z&;+n@TMRcZ;}8Q&7< z2|CZyQR7;!{|Pr8oRO8MkJZB6yv zh-Hro(f1#KOWOrt<)062K3etQ(x@Fg?#`{6Ut?K!Q{-!3KSaL0RRH+=F zJz{TuTR-yRiE$ot%NjFbQO<)!8@=||hyLZVSjmWdrukamIK}gUZk^n%%i|qVV)DHs zb?8JOlHj)98FG(&RG?3poo6mVA;GD7h?)H3b=$U0YVv1pf2D8_;)d9*`v;oLTrh&7 z&cAnu*x}~A{M!J~2`D;an+Ua+?8r0WO3`CFonPs>xawPNpF*ADD_2{}c-Mz*4o8FW zXxeeEIimvZmbqMOeqG)t4LpU~h0XoktJ5dkO8N|-SnZPbr{l|FhvqP!w-H&%cWiOY zaf=cwWBG&`@BWF)ip-Gr@ZS#iH>v?i)5|2ifyrDG$nub96k{o}{;+pSO%`o8nuJg$ zTH)q{JNHCU;T(g%1XA{}DI#%hkq(^e_&FfE(oG%jW+(Loh~l=Flo7y;!;0vepin5o zXCb8!QCgXQ;Z2F!RqM;w(Bp&5+OgODAL$~a#t0N zt8iMT-nXBUA~V*5-r(?&d)9>)C02xmdI>8{ewXe)={?&Q5;SVdUL^uk#Gu=;r(MR_lX43i=LBCZEHnF}LS3O0Q7niqy6Uot$+2GwbiVYq z##TB%IS8r#y|kn9HL%8t-w&Kmqj}>zuLY?-Pi1K5GV5Xzm>G{6>mXwwwB>W|Wc?+; zB?W(pG6j}04k0>vw@k!ADK(UrPP7gmX5z2cp1iS{FADR6>gj54G$cqs4SOjB!*o+? z)owYbdd8ZOYpyz1jaoYX?2_SDRmvC)X|?eaj2N{`#^i9TJ(H;fN$8b39Ibk8^tDtq zlQSllNFo9{(nKU{ULtUjG5$50g2YGLbxzpv=B^-LgJ0(LD-Bj}BIUqWSEA;q)U0Z< z@i?a~{JFX{mzT)*QxaSY;6ugvzNu|LenVygMCd%(&)d=sPPA@@QytzJGO=TnTt9XIqK?BlI2&c z)WXn9HmS+^zj>b_7s}Kvxp0%cQJRx~=1=7u)93>D)4!D(5mR?)!CTrhrubR%73m22 zs?MUt$+zG{iP#w2RGd+UKMf6w!?kmsuW1n>GkOPZHD}MRu;!8}wk|B`HbYSW8*EWx z(I8_Aw`iy_8b}414N;?HWnt}9qWlcyc@7Pz%{Svvl{bDjIF#V>!#doirz26qAR&^x z!c-t}V&%KANHfOP%*|w8R`~LnM3agrRYYLiV9wkROwH-*te|NR<83&r-Opi~1+Hq4 zLiHR+20ZNSF17NtIEN6G>ys?J*CAvL1?WSRF91Sezn6T@MXn7yiioEeq_;3SYJ*Z% zFYf56ro0pFTWn~}qqYWya&XVr;GAnW>>!&(ORAr6d5+F*zkt;0;V#TnRvERd{ep)Z zP`*93eYv3_%!{C9gIV%?p@pC8?z#`BbeSmTPlje?pLT4sOyCy9o*`_~W1R~n-mUsN z4%?K!t^FB{d|VJ4{F$}k(z8O7eR`v|9X!Y8&dW?qq#&d^uq2(MFmrGezZfU?YFB4n za}xJ1Mtuzra*h;flz+2e zsrH0-bqb68ZsWm)+({~_K4f{VDWsx4JbOd-^T6fj_7uetentTLh3frD0dj!b5XO<^ zm^-p%Fm`DTH@0g(H~mSv(@Mz*h<1f8s1Y&XH@uMbB$^PERhZFGSV!|)2(^5EMW93Z zX0lMi{{uQe#lPfVw!Q>nkZV1u?SfY_>1uKM`8GFJKS^HTPp(nd*WIURfymyCVxD1~ 
zLC~7nWY6?BSuHODiB$!KGN0HWmtH>$$H@MICJ7PqyOgjvozUnyXFl+6#D*Qz0%C&C z5K=9!TK z>+fFe5pVcD@YHS40b$D42B@uL(e@!U+d57u)I^DXpkx)cV@gOnox z&meXH)~dg`){DC;{g*4(bc-@)cP#bwxInXg+Duv7;u}9=Sx+YLydpP%c~w;{l@p^U zQeZc`4H5P_$-M~F8E^;P$k&A69f;Bet(p0@Q_xu628TjJ1$+|vcmJih2Qk!Xw{p%k z9g%28<8HW%jtC!s0zqz8hrZYNCO=_*VXmSAXcs{G7c@W5-jBn_U`0NpH*U61Oi$g%eu^rT0S?A8z-9XHg4;b+{%z_tLY15G;re0#6)$mkM&s zw;JHlA6z*5JCF_=e&u;8Kx06j9V8NhBC`O0ms9x$O#YAj8sRn|R<~Wun z-Yw(7|?yqM_gB&JTDC2w6%sTBtBD}@7?3OJi zyypeW@J*n3K%K3Wplz!&pPtx~7;~~8ymW$RZ-r@_-!PxAdo9NYQM0@xwt1O;-doU3 z?V_G^FwQSv^s_?5IC+{|^4_ub#Y{$7@l{#=i%UsUJ(^q*2*Q;F!!v8J4L^Ue<@-r7 z*AVg_6m8&ZPp7Mr-spAf?5{^U_AqC4vuBnQQeB8)xfg50B3{c9YzdwO8hEB1AXWY+ zz^exuQ52a`l$OW~BfFK6RN4k=(!w(@G8AHcp-q4+-rIQp?^_7wiMzWejz&?R0FM zVgf5CV|YFdZo5{FaWw9lge4zu_-wqTfnJHj?>SC1I&5dLcl8(Ofr>k118Y^3qu=xc zLgXg1oVv}lM{eeM=*mo~S^%yh+>$~$FXZ1nD<~&i5PBz{r<6H3L7vTUrU9JQ z7-wz{nX=yPJSjy@K+am)XFzFpnckn}YvEflOu*ID6TVh}@c6tbc$tD_h-xqJ_z1pzAt1OA#CI|>z*Ees=%2a$s+=R5e*(MXY+_ouhu4z4eWexX2W)H;7CF|g zk$$_^F`PMdzhy%t-`JNp-)9&D^pw_Zm=MF}#GBw5tD>!=DtLN)A0D(J3bUX1t22M= zxYg}6)167)7l}PJZSaO-Z}MEjz3P~{=u)OC42ty-j=cN=c@?3Fl_qccf#AN}8u~tQ zP3r|mR7uj)TlJ?P1ZG#0dYFwL;6Ggo3|A6A+LN^tGmc0ZyF(by>wzPScOr-w8K&p!J8^N)$S@N%JoS z_^UR-2*cwPejAZa2iUp>frQjRcfW*~K8i*hXP8jq77-qsdT#4%#-#df?s(+HJ<&hO zVcbZv8)`UUnZx>)+sd~HKiu^kJc0RG^n~ymH%F4HVZfQ7MQe^m-C41P`~PdwxHKU5ybq1R+D+}XZ1G1 zVSCgNr9TQo6E~w-N^CKD6EHtC;;f;nLibSq2tKTrD0U`!QvD5X9)@SK&$p`RsDQZK z5~$S}%u#P+=85O+>rxPwe&C0*>NhEt|7s@XKom&g0lkq) z%WMei3=YlPkS~`9_-XG-(vy%-1g3kt0Mp0+kz%R7w4JQ$V-Cos$1<{Wm167A3veBA zIE*$4E!cMZ$>MA)*ez4dkJG7D+3I#L>$cxMC|$U;i~7Qa2i~rMFkUqOYjAxh3J{26 zsEe4PBV+z39AwN4^nCRn81LbgOmoJrxMy!+GCe^CY2YU!V&2fLlOihaz`dEWd%&s6 zdCWfZGNb}Q)j*UASgz3dIJq7XW#-2agnl3Uq!J9>7szL`NVOO;>i}C{#m_s^KL1LjyISrF`4mMw7?i)6g zWd{u*VnHF7I}jv26kSm<|ny1xFwQsLtG(7-}lOh+|`QP z?#$6OCF8Kv2m6clGSuM(S(<=lJ>MV{P=;bfq*sZuUa8XsC0lEw?n*qMumA@Q3Vqij zC$I6bZ*A=Y=gCxu4{~d2fIjm_qGF)fxS~s;mE%eS-BF9otx1Pd#2E@)NEB=W!*RA~g@lFJp>=pW9esIPc7X 
zvr2Hn^rn9Cy@Zue$!#pmaSJQ5!@g{e9Q@D_DH&cc?%-fNR`0plgWY3OQ&JpWTzqQg zzEE?7$I?5&3GbM($cLDu_SpenD25Wa0&IlMt(oT-gon=`m;B^;hn=>qw z0QjsAXBJNr*TYNrG&+XuSVdcr#A^uf%sT`nWBiO^@+RS{o>Z#(tGDw!O>kH##T9Zg z8JgpNG_A4qY?7t1$oB?k32~yocI|IY3?^(q|2z*%l`R_gbl}@|_HtnxOJjL|-ITU` z>i0Vid`qL}B3fsWpIQXiA!>1BZX~Vn?fNH|+4kKSPg6rXcL93|h}@KxmyfdfdSIUE zmiU>Pg<&4MT4Sr}2r615p;U)DZ~NZHSmyn#u=GVk`Nlxbrm=Ys9`0Gg>1e5}vM=0_ zNy2@K*zn9+>zk{;;4yM^$)Pd^GMaw>53PW$Ube?;B7r81?mgd>HKyP#1?9vN=^(cd zW2opw6}}4JgH?NiGpdUUj}T{S z$6mjUF2R7w#XrAVhox9jhOM$bWJL`Yt7nd-CTk^v@E$iJFv5V>U+U0F7rIO*!V`qk zza4Rv3VK<$6)BrCl7;rh0w|v;f}3w60<*^=f&x0wS|dkq%(zv-en0Mc9;jO!B}0N) z=x*#2QEU$*2XgAK_P^dNMnp+SAa!M3e`X}CArJ-wB6o}(ki^O;hp(bIQ2V-wu5gC6 zv&%0B=jfL43KvAO^^g+~=c&RHM7|Z#1ZE+CZ5oW+WCXt)a~vGU^e&J23ZEJTcrzbx zQxZA{OJjA>8J3CMBphJBW?3)hyXcgQ@V+5f z`Ilvo?2H)$X>)2x|81S8V{ysjDU1mJJ-siEwcycQlOH*2PCj1cbq{UolGhjUZzDm7 zibn^J1Apk8#%Ok7VxIo&f4okk2vu80k{Xk5Ms@w+ltoAR5{foLDG!r=;WWoH|#{YsGyBU8_ z*(0lIRELL$rgc2y>ZZCPVjxI95mNKA1)B4s^<~f%$UBktig0c+{1V+#Vr;A7#8AVv zCLUedv*9;iGHgbMOU2lAB+N6^DpxvSI)E&rh?Jpf-W1Sp# z$AeB@y^FbnX%GJvbKS2UtVT)aC4}(BlsgR4sOl6Z1l^$#=`{1O7pK6mMh4jC&9sIK zVSYpdC@!?$^PVB&G8=*Pa(on=N@F*zrkyr+G?+@N5Z=_cTbiC`HirTxAi+bdpIKps}OZSBw;j{Gn+`>na<^_mZutHo3kZgK8BM~_H zE?1CYNZ|EWF-gI4v0$Y5ri^M0V6Prt{>-~-gqKigv`|ZS|FN2)RTq7=KN{KFCol=ixVemO|?oNjI;3OdLlZzliwBLMh< zr5H=UMkN&yMIVe#@B>Ia%mLyAUdE&x4%5{8d zSWw1*i2XBdnAS@GWAXojCcyTe0t_$J6bT_FUsEvtxxb0qxE6h7#2WNna@jfo%F;%% z->P$E;v%>GWs{_hY~WE)7>qig4LA*5zV?(&<(t|vT45%oH%hQ1q3Tox&7JC|!grxUEqp2l{HLU^e;q74Y^)seM z?i|FZi^h>k`f+t?;8R_a$~rSQ)BFv`LCxG0fUpwVj}#UKFEwYyX>VP;MI2tU7zE@>J&swX5OlmOSP z{gC!pyrO8lRRNIVrZqp3%M~ToXX-*wCnFs;l#s0j&&~^x2Cqs(4hUq!;0tW92QF~+ zDqUm7ZvacM^mQ`u?|V82`tu%Q!x7#*{0=m8#ck?2ovE@=n>*J`cntGoR)hkMKyCr- zy{G`cbZJ=`wq0KkYCeA;9_?cH@FzzilCNgY@d%6yYjOSN&f`Uc*CwQ@O;9I}DE0Cb zIuTq`FadT&VCEK6Bvg$J1b!41Go5*b_~R!y_v474J7)@Fo#f-A->?1Gc49aa|6{bL zwYt$F$P40(F-2J^U9QS2=kG=`GdC~g>DFWg^C=L{3V zNgx=3)2N@j_}UV=lYQhW5A)I@<(1mw!pphB+QIx4th4>u^zMlRctl*-FCmNprD7Y8 
z0Pc|0rQ5U3sHAF0m`?J`@>D+e-v6i{wP1JbTX7cO2*G%y8sNlGe3Q`EZ2=wYeYV^{ zb>6qj369wd9AW}0qKSaFdH=8gc0QZ@2qKascp~=pkEZjcvb7Hd>~bv z`=_Jdy>ZHhKu$`4k(!G_Y3xoES@Z^b*`0ENJ!0FeK+y*QSi}`@lDqNf8gtO-?vY^x`Bjwei+Lumid#{-JB7X;dNJ+qQ zRuYYc+&oUN*)3x~2Ly@SxJNklYqkcy>hzL)YP+skCBC3)l=QnGrK(RyDwI-y z1dRV%+ZD^`Ypj^|p0ZPi{Wy-Qfa1m6j?vEg`&C0qW#E{)O5;twzN=z_3@I(YA++CA z2@T&bW96uOe0GSqq$qX4f5{VQy#+NuLyQuB0cL;)UmfkN8#ESPm9pxw4v({btg?9B9NCA^_bf}!ophmY zQTRd(MYqH>(=o9o$?wIcJu)-Yo%&n zy%vqioIP=qvz=XX^l$wmTNhHBAQp%Uv}R!n#vFH20Sb5R$aO0Q+kW?;>o($3b0Tnnor<6e*V2>-vE9czF*n)qUE6nYs)9=O2%*R&8PApQhp!ld!N7Q z%$}7Y+M7%!5b5R+WME*e84b6mdiCmTSxMLD^=MJB;+LI~68XzRSRrMvf5JCc> zRn8vU0YW-cn;zzH{tpQB?GKmKP7cxTUjU(B1sH{)1HLYAaQ+)DAhz*8G7Jc%k?;Zl z^?5xU16!L~VuOv{k zGiAiuS+B09&Y72Ypx5v$9SyACyiil^m86zYME@TWs3s!u3eT@wLyqPFraSqCZn5Ni zG1|TtW@lr~t^uzr1D}96S@35wHVfqgk~zI2iR-zhMUTo#zd;xvjEx+DpQ^P78} zsTo2GS8A1lDNKmFSZN#)c@fyBM-lz^%YG4juH7x~MxTSZPgB%&3kdeev8yzXw;!<@ z8t#zw*Jv~Ma~*Gyub_NDj2mk?d6w4*_(mGY@JJ(7nGu-RHt%?}8m6`vRBT>%`W%)N zgog7xuuW|%=U`NUGBC%K?UjDO3lZjj$oK$sukjKH0|VO^7W8@~nr+DNz&2?dw`O<< z`*6o>BNmZ;aC+?R^Y((fJ9iJow`PK+EqZ}Y5YILE7S=|gn%PN1S}-GnkSY1&+llVp z4P*B_CpD=iGL_MRODPAHh9PbBboZ=X3^u;mYMHK*d%!<@RZ=6lb{WlP8-Sz8+v4OD z3~m?Y*S|Z3mT62A|IS*xWvhMMoq=z<#Yt}DEX(+ta3tQdQ#bN|ma1aL?mk9b$BEk7 zWW_`Cg=lVeaV*jm3l)^H__(^%`@nJ%@RMCQHma=D7K-&`jGoA|#)>`{4^B)Ad_`i{ zuHd|KgP}C+DVkD!*)TCpNO$8F#5c=><(XRY8%B=m5))iFXYwCXS7rY$K3sRAtWd5( zXDQj3x|=JSqq1cz6vbfXrc0pn4oM!oSFzuiq>zjh?{6;GnXQ22QkM{Vo5<3FQQlSWehPW~D_ znFGqzGl(cuYqTBF=Ro3+gUoNw4)F$O<%#{p0{&Kbm&Hjc(c_|23OZkGa2v&pA+*5v ztU%JVd&cB!LpENIsSzTyQ{HJDd_<6N<1UE!`g&m1HX}KcL@&K{9}ll05`1<0Xuo7f zGf|9W*HUUevv0A}Of)zkfF?RlSD8NXh!+eNlOpfmOHTUZTWGnJ(*D2JazsugSW6tr z3iK~f@>7JN-El6ocg>VAf?>4uu|}KIyR}>rr=uGsq@C6o!GC(eCL{t9R?qf7Y`bgT<49@^M7YXC)siBo3&K5Ap%M#gV2~<0RR7Cdk6&5w5;utDb?%igeLM9lU;% z5{;F6wHJS)3-T>J!*kXoOkojR57p%xG`;7TIC0j%9_ZD#jTi*rV~~UjjqeN}Ss#tj z`?e#Y}ve$646)b*RXoe1| zb-B9LFEWoM>#?;b_s<`^Imjt)LO^2=yCWB{^=0PQo3wUo4b-odQyneNF6%+0j8mM)1b;h3w8pKV}tPjJ-vd05;s#6)98Q 
zkw)I>iaPLbIbk#Sz6w5W4B+G>;PuGm!+21sRyo8Cbv)}+wI~b8shU&I=-UIlq84Q4P~t z1TCiCRu!rAvHDE^*5pTfS{8G8AgQh#vpuqY#~uUVRG(%~7Zk!Ka(iYY4V_~1{s6PtIl@1xuz*d<1b)WO&ezU5bY zc1}@$PjxqzwS*J(pc}c}fB8kE@(G>2p{L}Lv9GH)oGi*J0UHfrW?QW{87R^#g+0;G z$RxNxc5X>z45l_L?SOsZc0J$iEYHe#_b&1GhZMEu61}!7WrdI7!(Wh=|5K zhcl=g;7Q$<0|ky$J4uuE&wBfLZ}xWirOx}_o1AAaTmp4TR;}l!af$(6{q?8Fd|)<+ zy(qpT2u1n|EF$eCCj#fS9aQ_WOM~iZE(Z2DbKq1pF5ve+{*^D1>HTGBg#U&NRC&@a zwYLS+WV#4$o4RUp>kf{|tA&=n%akzGs)U~OW=+d*(fTjypS_VOGte4^pGWn4U-z$t z_On-4UsEH_#yvU+(KKvZ3a{dTs*Yrl4-0A3Gcs!k__uJ^wUy&;U}y_nZqn>z;;6*K zLr{{kbGKe;W&LOz)tyo}--jpw?_DE8D=8H2L}Xpb|Gdj;E#iEwdV*sttVc zRsRZ=hJL5MQI_A=1j-$^HifsAKCB*Qj4Km-_)#BX9seCfGIT9u#>(eUxLuy;0T*93 zHXb#vk6DWG@UPf_*Y1Cx?GCYqaVD{Q7C&4}LqQdmm$O_0=DdWuqY2j@qxJX*{f-og z!!Ujis2o0ne5;hMa1@Btx^RCx-+}p-eO88~Us>pj0d?u&&T(s5({Pj4czED`J}va%$$` zNE)#|0%4W8Q~8JDHlNjM^S4tg(fI6HjnI_p_PE#|oSeG@`gaOfJEUu@%B zdoI9f7$M{xXPOsyx&k@SOml{_?ZOS4GTbcRp{OoQv4!UbOLs>*blGnMG;8SN4?Q_z z(M&C)kWh--Z|uXh!^*)Z+!$K7I9+tU$Mkkac(x0B+Bh>&#NLS60b+*dW7vx#u>{B( zQE`MQXGRry->8?;wmdYRs@Kjox2v>38k=D-#D_FTLLzsk6gKo<6cyjxUy}GA+`bgc zmOAkM*tmAUwv}eL%fJc3;6s}*)jtweQbJ!%m3|Bv+_^pf>WrYNHx4qpUcIFMJ^5By zb(>!5t^z7S(T+1jnHpT_h%=zYc=XrzK*EWMKY&)W0_kiP_JetN7l3NlfwS{CV4+@@ z3uwuTE{ppQi~zgOK&HMaUR_O3vq>%^SV4Fo-ljf5amSZlFm2n?>k56HtS~8iSM2ii z=#(6##7=$*q~r5zi}}33q_oFzIGzyYZI90=YAFm@@18osZQicW_n-&%0dHF7{Z!L5 zSf)ou6rg+Tm3bJpWmCE4-4klzvJOBQ3Wb=JdG?5uq4mv-`0n_+kT8-d0`&Kp9X^2| zZr2@Ds}_}b2ERhk!Q-KvpP!S%+)A*Qpe1&2?ueZafFIESxAF`XB#nMq;p3E5LpyDT z!0)76{=_lvIN08F3M4&84a1S6sNv{{0g+ip*7}a4ruGKUZu$B^zV#agAF4Mq@F_y1 zat>tkn0A*vl}9Lj=tU8ojoslPd@?D{O7aL3uNT`l#jsmy@&O&4XD0CZbRos!N`CjX zuf5)!sZu%ToX!x^LFPc@mjdMv3(|N|lOb5zCqo@nel25bjr}hmv%vPl!p^_sSfGiy zKjr>NBpx`}H4IS=I$|ydRghnM{Za2`os77V9Af#J4WB5FPDVGu8D~R-uo-jVn{U)~ z8jGlw?hoaV;+FpE*&W`3zIG5ihRGIIaBF67zKNcrd+Hrp_UBPkOYjTp5X1*8ILuRa zYDz8Q4-zy6#2582;0PcJBlgHFM!WE{)mfrW`dQg2!dk^6dmosA?VxZn)uD}9PiJ!3Wrn7Tn$sKX`$m{&=tMEN+?@wz4km?_X$VIxInZuI zlUP~{XE@{utQLG=yZo!(mM?7H;tNv;B~-lB*JxjuIN0EeL&7A?11D24lo#ajB;d5^ 
z@Js(IFDw5}x`mk~rgxNW`Q_ET=#l)^;ySgp!{oHCkY`IiZrLNiA&6V43~b^Y>Y7wH zg18SK6fRD-7M)9BvO-anHep{2kJaDM^kq;4=MzAWXk31|50mYHadB+Itr3PnTkd?l zDq{uHOmAl%KF@oz0&D0BcD^1u=oazo7za2Y;4GXn#PYw^KQh}wtLt=G+UPP_q$fFc zg2{XPGv>wFAn@x2acE_Kk!|kQI534=r8R$xTw+q``#0F$1gSYFZN0-}p9hXsKq|kQ z#9$zw3Kjo=UP`JaMYyC)4l#n`kn}C9<^Pw^6YxVeogX~7?!p}G?LJC|6|dY2e}^Su z&OETzfSEtKO+z=H%bBkP=CVd(l!cBk!wHi)1!R>GW)@?w480TKK2K67d(+_k=z))%HX%6{fFRK}|BrrtneOte22E$0R-njx}F%Vc6MY@HUgNU*VA@os! z%lZtUq1~vrA_Axj9`>T}_P>W#05DF%|7qVgFceR7mknXgBqq%{RHFf25d}CXqB6$B zi7*aP^D?P`MS*e)%B9uW;3uqvf)8pW(;U034_^%+x)VWyJ77t=%Kqx9Ur7Z+@W?aJ z&}>>IUKo4=g?GwjTi|JYZAFfa#2Q#L6PVJVFkP@aD<4E;Gv2qt!iojK+ENspIsVUG z=sWwB?d;Ps?2Q;hNq?z5HCoR*Qpmm_mfBQK2;M;Yd4q41Btp{KHK%iIx%{V9;{L>>bm*=l7CU7ppf=Ap_kjP{&`Oi9In3);!go{}LeLmTer) z8EMGL?U?PpEC-3`+(*7cfa;m#%h`yoDLolI($X9akFT8L*9koqN$EU1MV3OQR07eR zmGeaLCLZ%1VjbeWFsizQMXKV>_0_Qu7!^v4CtWa-jv)3QP(WD2UV3+UrNhwQ+cdNA zfH{C{&1|lFXv$ZfZs3yuv(05;5I508+=&NAq zN%?h7sofQjyL;2ueQvT4Im00o08yEJKq9jQ81;#2bqQ3PVuL`MlP8I0Jywo*hh@$z zX<|+K<1coGsFIV8fV4J7fTI}f?fC~9CQkz5#a;*pFz_Aq3-|CuOX@oeU?g!mup#?0 z=e;6SKKfwS+Sw5wL{mct%GHFm7fw_LME}iv_CL|{@;|isd!=~$8)@3moe2hr8@-C% z)lyW`@4=>GFWx53@kV?X_REXM&BSW8DwsyS(>#bJIo>_i)XtTtwpv?OO*?o-H?iQ1 z-1C~80b0RPUsmDTBd!k5KN)VkqRV(u&G(^wzaI2Zpa?6B|B-0(A69ZHsZ6*1k5e}p zXLtelAO7cC@SOBn0P`Oj+3Ee|Y|rM{)V=N6Q{7?1*}m9nM(+Ah1ba5Xp!o#eU1A5s zYaG}F3l@Cn*)G%+%lT~lij)*L82XIc@Y3UgxPVcVfO{=o zdA5xD*C7{o5ziI9G|mdM28HJg!ul<{e7czuC;n5EK*{u4W#EB`-KEBXPO_UKs#KwO z@a6)H?WpDrR~nfL3yzU)j*B#ne!v~zC@CO5VB)arfQ_(~4nex}7^JNeJNjTw`xDGC z0-BHgpXN+~-~aAnl~~b6X3X=gZNV*iDf0BNpyk=(X- z^$#XJT@Hf!k@)dB&$!vI*TnN!6XYot%9Xn~fs673kDm_2Z7;Ok{cBJ#B9yOt-6rIM z+}qo)otso-9E@(7R^D=mQuqAY?pF^>}KQSz%?Ep%f z>-;hSI$9mjM0cD~C@0L@0)qb2eM<&lwpOu{RI-xDQ@~svggop$VGJ^Cc*+P&WyvS< zhjd>!+}g#)?HSs=?MN)~ho%H63QJ%pTR&!Q754GtTf%jioi#T|cXsa7_20b^vNwy# zW;(S5miduzwFS=++mo)--9$i)O#B^pT~v%@^s3m6OPE1LlbQG+Oaw0xqciS)%3f=U zOAM7sZ&UO_i5JPK>Ay z^@Q<|XU+69H^gk?IvFPmg#XL4JbPESqid$ByptxHp3|@RvjpIlx+BA54PXoG+PLnZ 
z-dfW3g%8sitKO|o>nC*|OuSEitV6)`vTnFUX|bzCUR_L-+WL^rjqG|0p*$~zgbbh^ zTmECGktQqMrx}BJOE$I|^e+FBB&@U^^Owe$8ku~WC~CtW z|IS;Qbpqzv!c0h~BqYBj%WWY&O&E$3of1_s1dJrf!;_h1ZwoC{dmMK?cO;)jSEWMQ zX~cOnh@U@1ei&SfnxLi!?5moYRk}KoZ|}5dDO_aUgu*TTfG#7 zbhxo}af^ho!Xpnj!HhHicBUv*0N(! zxsS-af&4L9QdDUjfd_&L?}|V6snTHHWiBSEhdO?JYya1}wT}l*8?+m5AD6Kq%SOz3 zUO+Prf^)LctR;JEc0KOO9Sk;n9;?+uF}Fj+`<X zCd$KQKKBopelX`8tUIT+Jn=NdK!*Tb;6RjO#FWLuxbnmf7&B0cni}w?&Kp}p~8+sg1zVGVNol{m&sUe3!WmP@w4qvTC&7Paj zhE~5#9|0eTbNmbKQoBb2ni{%WIxEQ6qJZ1v2$7+!2-pK?fDZ#I<|yoi|44|6gc^dy zbxNhvRCx@TZWI#*2+6JRV;sVCDRS<6`-qP4e!Ox(clY!Cc4SRV==)2&3Q{1_(6@Z* zHR+c6Z~}%%nIJ5f4BTV`$_N<;y^QC=FZVfv?yRv4hnqK6C-H}t>}S-x3qdh6Tc%Q$ zgSe%dE^2=az`;Qg*=NHwMs}^upF~Sm?i8C`$=PkztG)LYeL?q>soJr?6bls51Lcnf zKD@Mfn-;=l>_`N%ksM6m8#^miaU?y$h{Sp;vMRn)VsXtgS}lU>hQyMgXw8HXARB-e zqtXMvn*uo9IMj-`7V;oduep{wGeqA}7tGa??{DURAQ9jwrkD?#Z{kbBEA?sDy?V)h z0H)O)5uvB^ocPVg)~dkOy;S=ad%(e|Dn7W z5*oD8Q4Cn$w8nCZAH?>WX9jH2SbQk;>A%D2aBfjiYOiuOIAKKP*Hk%QKOdGB{izU_ zq2m@iV9ca=J|+_Kzp;K9T(7Onyyqq6z7prH!d6t8njt(Mbhw12vq5oVILR z88;g22ZZ5Oq4`WhQHte%RD??24R^r!j#@v~dCoi1^TWa6%e*Lw;NR`AGw!EL+^ORY zW(6yQXZ{Gwn97Hb{y~F#?-<-P%4lY5#bTVk!Ft^$&1QhSB>Z*w)<3*c=7bIo(hAQ( zfASNFk^VRP)7dHvM}V5cg?1hFl--f8hmU~m&*(FZeL2Lu3M|9{YfcYh&QOxi>_e;; zlPU=B?B-1CE60*3elSPof00pu3=-mZ53>fQqu|+#C>kKklP9^X0u#-FlhCn4-;NY? zT7}%AtO4E^iQgkpR-(xS%s;!ng~eT)QNpig_FT~q#X2y3AkVveeAU2wEF)6dxoj$X zEbW1I4i5eL(AOmP0=f^^g6bfq-`A_Xz>k`!f@iKaG^^tw1}KW@pXI6^M_JQ2^;$2y(Gta`@OY^`{AhasT1 z9^0!}ek+RoIZd{~XG@QxR6;a6*b->IiyzF`P`CS`Tt`yXE`Dj%-D^Wd!1ko zhV+WAZEagd<7PO>s5x|UK+&55HJwfyV$N~(^mNWTso#T|1scoI&!FTgL zO^mBk?>xEmg3^d34Yj2t%Pu`H?Mw92?auV8s-I(#sBy)&b-IUL_Vj4ak@NE1LbY`= zcvcNckCY=MO=nE{55$o zpMy9azM6Wqyhi%Ui3D3BKGGu`DX%8?iNR-nv-C*tvGU&jsHxxE_5^flLRN=o&vZr08*@7B0tU7uc_2Z@`^M(dq(YqXHmE=Kzk*c7cyWVGgo)De#-i30e(AtX*& zSqN54{w#mt#rMj|ZLrxXemW3>mo@4+OR?|5KumW71z%@>A6Ct{V}a7)2)y8Qn*M&m zT1Jd86Z$?j5F+K_O9@MBQNvg<~mxr(tiW~Y8W7c5W69g!u{;1a2?S$OX?j6LNa>NTPY zo8Z^?b%y{QRh5ussQ*A63e^*a_Earte+gBTXVmo5BO6N9O%$yCs^Na$q<>G^2{&|? 
zm(nVCF z8Uo3;t*a%(C9eGUG6L=Q;saAvVKSe{L9vhJxHu{0HH+z+((tb2&jKd2@=yE_2>>L) z{h=8pwi?ntEW)@c@a&oHk{IqncINb(SCP~u7yb~GCu>>D#{i*vw;{#r26JZ7+y#IS ze8(-(y$NKTb;(sc?PlG{AVvOUPl~FT_UX%z<+Y!=1CSPa%StV~rdA zvpn?&Mf=lj#_7&EI8!`)6wL0-+i=fw(m*p4?(7i^36F0(v}Vi;n}F_LoHKG}ddoi9 z9ko|yXbxJc+vBslD`NLG5TETuhOgQVs8oIStM@yd`l$40u&fl-Tjr@>LtVCm9-V)5 z4*=60Wb!QIZW;j)O~o+Iq)&BpvZwtOYWdY~RV*#N(mxY8>;pwDxEZo3+J%+*V~ye7 zaQ1}|0mN51HSKYvu)p%O5QyY`Fz}K z;j*U<{4vyWmOBLrfZ9b1VJavnVsG9~V*+i7)9+eEKNKsWs5Z4Cnoj&FBr;Nl20#v?qht*Cm4YZ~YzU)fRdt0BcOkoq1Yb512oZ-Ydx{1kU9Frw{v zObcU>*-(+4Q}tSA=c_9(yzFdaczp5GPhM39@Nnt3-3Ph1pCwCqteL>+AyDTB`lKr~ z=}T0;6yyCMEspxwXj%ue_v? zgvO7&G$>Q$pZ~GM27|PAKS*RSA!jnPm1kywf#s@hI#W5*_@1aVUWA=GeE*oJG?-2i z!F+0un8Nugd*}7r?2W~l`o|?LDyz+VPgKYc&!OU5@7m9s;rwl^6=G6D`7#p@+PP4N zo-@GDH;$toKYnJ;xE*(*6+tHRR&k6qtz~?K@rK^`VDu`%Fx-vSYZF63yC?t#HJsB7p z-K)VvIE{A5bNYr)fs5Kr;Km^keaKoSfPpmS2`f@DnOahuyrM;E&K#{R@f0cK4U3KI z17v&Xu9O542Y5wgHxhIxmB?b??R*{8>y+c=CKt{-o*D>_q)b*nCE{ddsySbhDQxp} zHA7ba+K>yZ59KHi7!_yxKi>?mK~HNBM;Wu5CML&$!pS5tX^28`9wd$ z$%?z21-HKnX@N5G9`O>|_Ej0*dSv51)c}Chn9K_SEbMj$4P}0@#m?%~RUkG}D zH%O;fgXj0xWXy?etCx6E1w2M@;)7{P*o^-Bcn+PL%a7hT}As3p4VjDmHO}N@gzTK z5++*>c`Sb066$R3fCs#G{>_!fN?_V_i0FJFVbg|ro{1`54@5mJOqz^q?Rah0_z~2Oh z>0OwWmAk*xP$g5i5S66&O8N6vZ(gXOI{7u4K(_wdQ|BA!WH9)6h*5^=^frsMLs|IN zWcy--^-dey-%baBl-wUI2;a4o z$`WpXr-+S+PrCc%Ts7V{;A#^;1Lo-V#(WTNw&a$V5F=TM_DMT;vJ^kjzH=vQ&q261 z_{afc%HLO_PEfGbsCwOS`cg6*OF2A`yq8I9#m=m>i;{6(^9hO{?%}g2(dV>)`{{rx zykr7tVpjp+oN0Ul+8;rpgN`A4EbuFKmIW4@gq)6-(!}l&#x;Gc_(p)ova0@}{RL;$ zR^lQusjy(Z%~8K*_q|QfxBcP0_KEYpdxqo95gMQh$c3tLK2rQ3i-vgIM?(M`FdsL?oFKsC#w{4$-?ygj$G&6VGwMVZ*f8Us+I=G(h|n;UrN-=868{gH6XZX?bT>)X-B%bDtnT#*qAlf#j~-$EO2%AvE@uojONZmxM{?o5xj< z`?l%2acd-Y8gJiNr@)xtKl%M?`gHS{C}@0^X&!JU**-5O3k!gSe9M<|C@$uVh2-W7 zH}ipz4js5Leps+}>(^<$ppV%NAk@d)kAPiBMh&?7` z=gCw9mI+))RMl+JasJ+P(`n#!$9`a#{tyD%51>u--k+xl8!T%-1`8oE55xvCod7*cJh z;VrycSi|usWZWiMhR2vn_fFSHB)DVjJ=&iar7<50=l4knnjF1mI?9cDGaRB6AZSyB 
zohl(>AT%+e4pGsbS%HAnE7h45y4RU!#j<#CsxOswNXj(GATr06Iy9xdCnDpP11swN z!KgrmRo&qdALY?5uaj){w;Qbo|9~*reBmLiOg86LsCw;|AD(dNMeUL+1_z2sFGCzd zm5%7L$%PJg$5ghC_`Oxj?2aY_a6E@0i`eD-BfO9m;WmAVq8u@Sqj9`LFvv2a#&EZE zI5LTX~(tK`F=a(%9JEw{t2$=JIAq{isaGZlnR1z>g%u; zF;2sFany#dv&Qu7e5>(S;cfcFY5M#V(pT)j2@Jy|VS=|#r2SOsuIpe)Y+ms`VE(IZ zgEpWi{=54zw+>e0WLIu_-oZT-zi}k`Wx7v(`I9B zhp|l97U!!FN|;cvk;Sgq@cwCoHJ*gR*6h4yHmSctKnHS!8;9p$h$P$u9^}h^WxPPr zT3-1L0c{7z{o^jXe%(W1DxfU`p*rg1p%SFT!vdkZ%M;*orbLTSjNIJzxU z?2(??I1j=$;G_l2sU(_pc`CtDa+HYCi_K)zQofVz#We4Ds+f}_N|Gtoi3zPnzWLA?9M_Ei(p zwSb5LmEIfHDCZnSMKLuPN9bDelx45Y0sV$wCCp^Xcj|IG_q@vF59Egv6}z&ICv|u?cU%H0bf2p;T*Wss4!iaygm$Hdn&-`oU6*mqW;}wO z-Dd1q+F&(7o;DRdc9V-q(lnL1D?GDPxeGg04W!@RfD5qgXP>F%f%O|$D8qMU@kW1L z@%KUs4asc&Fh!+wq>n%~9?Q@a>^H8$*mc(kKj*_+Q7%LA+F7D*+e7!Pm$B>kEZqA{WzOW~8meHr94Nnb=z}vE9Xl z#rk+lf{A>|M?H{W!WOJ?1M84r#YO)N$rHwf&$;KX8ywYA6C_jZ2C=I*RM7!zTQ`9Lj ziwN8I6|Gp5yEbCq$Y>W`x!7&TQ^g%X<0u0o@;M9XUW+i^?obTzeIr4c(SZnEcB-a{ z$cXny7u_w)iQfQWIiYQScGYx_8*hql_fmG@tar)U@aWVbQsipF!aqCB-ypAyy$eTQ z!%1kii!|It@lJCknWs(SY|z~6wDs|MiYB?F;PYs%A?n~^76w>GQubs_#9|0}02WgZ z%9a;B7pugA}Z3)u2Y6(=HNgevqY&bLDJ0ob@v&c=p>&3_zX4`~OAb`T*+R#s-@( z&9d#MYOa)mng=DFi5smDtSr0&=;&U3^^|Yiu*{%xjUg-jAu#mOMjjJQ$g7V_aa=p6 zKNopMCM~_6xte0uzA^$2YA0?O$m>L$Bji3oH{mP;IOtV)mH3CAkuoS=LMx!j11v_v zXfv-+u&3Epc0j)JZ3nL^)#_1=$2h|9A@l}^Cr>7gV9`YeEdkq&m(n5|SwiwvFzkCgPc965V)*o49A z5?NuEN=}^AgYIZR9FS|O?@5Ma-Ke6Eam@1qqF&cYaUgd{n-5vNk$U;x+}V}N2y@t_ zM0Ho+w;4?%OtB=y+02HP*cQR{JLKlMi8eX2M3zBK(zGXY03hTJ!m-)qYsWR4ODVif zU#^?rem|_pGSB)a`tOtCP{mF8?`Xx#wb(1#ZNPrA%Zvb}ke3We7=K9-b8B<6yj8&j zI%e1k5DD<4W1~Uy$b32%7VM0{2QcK+!17Yg1bYPRgBq*V{OIp1NfFnb`cm+llF`Fl zIukz_zJ^9AD8M{a`zT^UErsdsXmJ1{k~E^z7;ibD_)Ez}^{p9)u^MtF<mF^=VeKG9*p&-kw=rStKgSZn|ay?G(*z7gQmv zq6^1ZsBs@udglk`SKf*slv!&*t#)q|!D+l$NRd;9B-;SGJx@u%gAkp(CR2~rIJgm$1EW(|TpHppFIB4hEEgdB{)*^)A51awS z5!H#mOEyBj#>mqyuC+-F&pl;<3t)V3vqr|R8nLVL2cN|$gK`9>&- zz??0TO_hLIN_hcy0BywuC9p_ptAR@lwJmfUN#OtLMaLYfBO!+ETd+9xhkY{STg^Az 
zy-Z;%d=xdie7*PY>xdt<&sdk4^gRHbmQ`M4Aae#CAiY>!Q~=gBm%arE(Pn^2>f|bO zJ||2A{9w8S1%~5~ur>B0JWw!v{?2QdDGH0ja z#qY^o;(iJ?!9^V;B9E%)dT*y3xozEw7JSg6zX?v=At7<|KCKSdsQ_O}*rr@7rbH8N zd!>%!0tWFlYM1OA!P{SNo(EBjsEu+>BzL8W)fANJXn)eqjA?;QH~e?zN&{keLpiF`i5k8QHacA8_C)?RsnysaI3c)g-38q0NtUy6%p zYPl-Dx~?Fmcn&*~F>XqcrfzN$f6S~^pV2+ZCp*zO&)NN1M(#OqwqHU9DRS!ARqxKA zhdXjoWiK>I=ILza?YeMhrh86{SS<4PL&}j{@J&y!C8zMchUaa#K8Sj|ChLr1o62Y? z*Gi|ffiw3K&x%1C8?`F=-N(Ml+2}v^aOtMKIz?c<)1Jo$fXf^C%%^;);4x=sytdto z<1iFKFzSZWoZX=;R^ci=tJe&eZvJUi*B!CFvz>&7n+=U~%<2l`NhbC4yq+x21qkR& z2GIa9IM2zJby@4m;@w?45Y}Oq@TNs1?C6EKKo-ReaGHsSzan{QPWmG^h(Lm@Y>_Vb z&-Ifx_jY5_u}2*~-~2e0UOl2rA}0v1E=pvHkdK_gy|_IIPnTQnt!VPN)Fc9T$;r8d zo~eVsfwm)DDm4V8u(9#LKs{Rsk=dNii#cC{j~H?~BQ+75zJeP^axldaG%D`ic8O12 zJ`15)t?$)E67tpdr24yBI+Bl1=uMm`sBMfiXybVp29HuuVMqkG*uprnMJMLBa&;c7 zbMqN4wGt_&Gyd!-k8piu$7c~JQJ?=Z4Aa2Mv2db`)Tr;_r)im3FJXyPn*x4HTNS@j zFo&QM^_IK=yPPzQVYEYxwu}iF`Uk{?0e~|S|Fi&P=w`%i_tG{|{=>xIb4A7nI{zFq zzu7hCB3+FRn{jW>-P3d)eMDhHoj~Zt&NPDVC=XdmJI2LVq?wS;=m-WWv0^C5q-6v} z2^yYSr|Tv7-a?7*2YvzMwhs|faCBosJs+))I%>KR%V=+Lg>gne@<4@3aCEF#2NO8m zL?{rm3Z-h~Fk0U*ByYbCUWGi!Tip;t_WNuvtoMS5{4jkl1+J0$dolzzDYz!<)J?k3c!WgYGMN-ae6lwbgg*Jd&UzZoJmNO(tdu1 zOAs@J=X7{6dwRAq>s8Y)h1S=qK;xH4uCgd}1`ohODnnHM8eXovo z!qWu2XE-{i3G->Qx9kE~5EwM>iu>3^%R(k5co5iKA*gnMW4L4Zt`Z(oW6V~x)Za%` zj8}{KneD-hW0iyhG# z*u^+Xg7FVY#%v@bZGaQtq0?v`W)|aC;VUQH!k5CpDN0v=OwO7w+!4qzrWzj$ZmO&J zO&B`d+N)f5HY2b->_ooZqNxGRY73y+vPC2!V3JT665b4819_Lh!_aDN04C#UJ0UBpg;{q99sV|cdF+U>lS_zNw8XZ-{qhX0%$bkmp4+aa6@J)9q zpRXs(E0Rg+#E&-vDuusnERZzAiAQiz!MXW*p%uXiM!Qs2Gs&ak-IDF3-^j_`1(M4i zzFK>8DzirCuW=?zXNj_ss5-kGHy&ifTfG;MI4YfpUNu5{w6bz#qse%5)YPN`)#UFyknvaKFhlv0*K%HXBakkv zngmoWbITxWZ2i!`# zXFy`eZo+T5O5hdR)2|Aq^31%?>gVEMnbI$~`o^p==0R^hq}Yctm+0%>t#|HxwmLga zD?8McnClWJ%w#f8@BjBQQ^yl>c8J^Fm@!Xc3|hl`=Sb0gQA(y#j>uNQp^Y6a;?XF;5HB%a8)G&aI8g=%x}f$+$6UJV|0Gl?J?_@&e(cTr)a7qLU-8F?Q+qwMs#S&6ze z5<=~zRy9{tt)?UMA?+KzUmzzOiX7$X0_e1=Yt;jfW&?Z09HjG2+8yk`4D&}zoOLy| 
zeUjW+8Cob7UHc0d-t+Q?L@f57xxP;CjI(KT(Ux1bXn1S|0pS`N6JvTN6e{7KXa5h! z8f5i!j^={aA8B~i@PEpbytNa?Bh%;U%+pH~YGUoM{Tm6|Ab=lT3+8s6H#lnG$w1l) zsM=aOf1R_W^A^qDJ*C*!=<#U^UA{7Fa3RMu4Fn|y^RhenDS3n_78NtF&xFFm2qi(n z$O;rsJcsANu^w0fjIxgx4y|Qr4>*a6H;m({b$~s1Y@KCi;0BJc5M&gp6;4SpT^(V} zg2g(ex%(FoJ*sS3aqHzKhuQ@uJoW0BUL2&p@4<5^D1YL7@%r#w&_~jxZaD-^$ir)| zb781ezViN%_tBj8Aqp)KZY~g1TqkXE^Fl&6Nz2IE20rfXr==6U2)Ks#yR_T~(Wmx)($RdV6U`Cvg8pw2H&Wv$li7O<^L!QgG zS!{d8qAIgO+onE>J@I`e3Py$R_EYykqTd#UZaM%2>(O&itGDz3TaClRtlQF zx`3z{pxPv;xQ{xchN*_COw$D#+T=_iL7H&b^VEsoDTsZjJW#7>$q`r1@u16SYJ`h` zvH6bPQap#a&R$D1-Pf8$WdQ4mXGMJD>4ss?HmPtQE-7IZ_jt9|xr>c;V$rTNTi$d4 zsXWH+LrSkk5C22CRlj*d__t6t#aH~4S52j>I{nK{1G%I8rl)u?pEv+H?0y!Z{)_3B z8V>tNSOEZ??Yw+j+y!)AL6#tpPsNwSY>Nd@{?8=L>X~Wat@1Z>_sEcg7dFLg zDnp#4m2iTAeuD*tf%jk^ht2Hl<0?`4_KpPkCXBAw2|=hv)0gOQ{(42Kp2O>lXr`&y zmp+_~270zJ!j@Y-JUT3;1}SVWSO`^9HNKwdzkUjEnw9CG0K4dQ?DEHJddiDwbfk6w zSFnG;VCNmeodw^s!Hx`4r&Y+U(y>Jw+u9X_nk zfe~~1RLtzw91a`1bjw<)w%x^5$NDEK(%6X3wr3PQjan(s_S`MSzJBL&_||S^s-IHj zF~#a!jt*&4qQl5Xj|a=2187jGi~qobTIDNPuWn`6)aQw0BOEA&eQ0Mi9n&4P7oN`uO1A_njmpFKW%87=hlbwl% zkKh`djrL8#dzyzksRh2_3DFvOZYi#LJrz z;l<&05YGbHVqjFtg(&80$YU}g48=8_wXIb>doK{bYd_n;=~7@2r5bRIW-3kH=4fgG z64@l}ufjUU1q$(d$H8tcDOKx?vAEZatfrw3G%W1i;Bj$HvNO=1teutQI#ey+NepQ{ z`CA}dIC~&dG{>69OXG?jlkNWbsZY$}2Uy)W-5)uEdxMLsIL$|K9p_fu;UWWC{!mw@ z4qkG}UfAk|bPkvILD}IPWRxJuJbXB}HvwuDh<+m>6(9#sT;Z2@z?q=NS1TTZCyZ~* z_OypIGG&?jpD2|KYv;V^?2e02y+EOD>2jw#G*(r~o<53fle^9IBa?cWG?-q%rq%kC zh%4eMu2L#BHjxdJ*I$(T&aY| z?t17|{f2_v5u!LXe0r}|HO^XM3Q*=dmnCSa%g9PrLY{-w=mPd+{5++`>~1k0a^rJK z=L>LTDYn!GyID)A^e!*c_Zy>NR?}g+>347$;SO1aW52R1Ugb%?K81)^I&c8PM=V1) znu#4Zj`8wxyD7w$q=zy<=aLaszsx$U*K!}K(@2r-24FB zUlfdMYO0T^>jNMgnjgBA^3_9-3;X8wc7MF6dHKqhgc3q-lQ-m&1exP$H>9J2)YA2! 
zP)w9rHoq9hJS}Jy%j*L0UU?tUPUK5-=W?XD`8T8i9jRNuI4tdQ<_{P}iMQ8VXel1y z^)xDqy$?6=ZZMcSqFBQ%A0u0I0>K19NoFE^j0h`i~F zS4kA*rot#xZUoYj#23|F4D zG_a*U5;=iT+_^*T?JYX~z9@iDYtHZ~h(~IMTbbZn2een;<8TQrsScsat4n@?S&AwKvO zSH^&&mE-rwht}tLy}ED43%Q@{$kN660D{|@sGDT2S^&RA{@SqR4my;i^3DqmDq7av zMaS+7{n_M17w^#fwC!I=+(62zeJ40Y6JT#iw%jiVCAIG1*0kISm(2 zK8VNKPg>7fnnc1Y_ZYGx>(uWkR5YS^=Z@rg2`fmLEqX1pZt*ul`1%)i6)|w zj@9-kh1(qwY*hv+%|q3?z`P@A>`+8e&L$-%;% zSVE^JC?fKSOi})5iUCMp@TtfnL{~%S*7%#9PdiyWSlYfgErl%5D)k9;1#<9-Ef{3Q zhSw(z4g`Epg`KqujwEZ&v@&Ea!DVHcC>QR~%?F1vCsBnDW2YvIf|-~}207X#;L5y~0w< zOdT+w&jczuwm?GPqbp3Gx;@!?HCYJ6o_J!6_^~o3^B`DK-nJK5G)_VS;D6`}0(|Bo zc&k%=GaSf%0+c%9iWr)E?euKfr>>tC>hw7?NWs&Gk2P`)+OLJ$qeOSNysvp^JVFvH z^@X_EW3~vv|6c-m4_}p>?&bMv+P9$Op`@1U{7Nx4_Xp3yyo!d8ADAH7Uw=CB$mavz zwb%V1y^juRibo?BO4ZoU5tlXZNvJkg;dvdKmSmo}IFEK>F|2u`Qk*X8I*#B#l#s&= zYHN>1aE$59fL_WidOI7iT?|fOS`C`armhRuXP;{L2scO|G|nO`wf>J~NQsg?nT~?20O|BuvsfHkUY?-N?r5a;O~?5u6fS39naBZ!9u5zdL#dgQdfqHb$2<}s zl`J*^qvuSp9IGE3y%xQ9f6|w_LMN6D$1OydR7>2lK1}r;aCVH>bX2O2@VIsg$= z?MjDISHTWS*%VXq(P942R#C$yLlqFvkp54Ml2kjq>?sYKJEod$H}kio#yX?rhX1k< zn1$HjGnjxrIov|hWYT+m9Z>4VWm~}gwfcv|ye(Aw0GFtPx2&yM4)Bw`X^t@!pWFz} z&<)u?)4qJgQHt)Rt&r)6(M*nBrw-uEAsVDmSca3F=sEAEdZ`;xN)@q>H9_L{cF_B^ zvefn(HGz?q)TS65(8=(d{9fsOwhQ2jYsO357AAF!kPw_kD}Y{Ct7#}1)7iV1Y|2=$ zVGBQ6G1LHH-_5qK2DMY`|M-t= zr5zw;kcAFB@UM)d%ZXl|tOq|^PxKdI0#f4CfH`irJIIJgKp?ALya_wnfAOgs(2^{^ znwRm`FQ_!l(}L9_;Sw>_^*7)WDsz z5Qz`Bk*C?+8FF2y<<_5FX5VNqj>wnB;@(RoD%ijd1$)MLR%4UKzS7>*$=Ja9iVprX zkM|8hNg_hR&Bh~4EB*j44L6_?y?q4@w1m&%Hs;&`S^WK>Dfu1c{MmVb_aC;9 z)T3H+ymr$(-s~b4&RyB)RMzw4ZIjFN%@iDy?VKu|{ zmK9I)3(~S@^A5ue5Ok7?Vx*+CW09p+)X~;r6-h;qIbb&Bd;5yrV7nruQ39*a#E!2T z0P1U!FBLzF_q>w9u8yE~+<2i-zui(9}Xzp)*_Wjl5{)t8l179oBf+1FHEf+e2 zUm&ifp!}W0X)Z(@D>SZMafo5Y|KOaubsex_E^5f8k_-g>wHkNnFMG98E`i} zCDRnzJ!f}pOP&H6CX}cz-%#VZQyxV(V8weXuhHFY4uxg zme7}d7S=qC5n;gJzu{JRdG5hU&6U}igRn<`rWdA?+l2hsoFg2?RW8+T0@9@3Pj_m< z{b!RUE%~8b0(l2M`sNNC<T4+iU)JjB{G3^~xR+GhMN>5P8X zNOtcZppY9Wr`%iYB)-WutGjkgeg*6+cK&Sf*FqK0{@b> 
zU1%)h4px`kBN{4;736tq?Uebe$t2}>c*^o-ExdhF1NpHO9<4773qR}u{;7##??I!; zi)nh8+@jclLj7l#H85_qIM|SANNY{aY+u+=VCd%;AZ6g?agrsKMT%j=F6ROI`rL+Qg)C^6> ztVwUj)c}b*aAv(MJPNocZURe3u%A=w@hU67j)g;N{Im+s-Un}ij}Po^NH}xn2UB8Q z$F&rQajO?uwoDxg#3;ORkY9mp(kW)4tzbF}#7f2L%O2vFm>N}-gaGEiUJN#jSRwo+ zO9*AR8$AZBWf(lu0?V0NVE@t{`YbH$PbJjNciHX zi`*(H>E~BXHA3>D$nG#$G9tR;%sM$pl`F9hXo<|)6 zV#;&$qD%I;t4YQIB)wm?b(Z_Du`7y{CYY2PN8)yFsf`Ql=V#G+7~46t!(G8w_e2@x zmbJ8rT5%U>flFHF&Lk4x?F<$|h+i-7Iw;@IUqfwB1zZ0<2U5XEJf%X2{7-`#6QPPfg5);}S8I@>#_6O`V7l7Yt5 zcvmjM8*kXv!t=1KF$dZxO5M)niWQBP zE_X+wbK5UF!m5+p!GABQPz6#W6Sz7+ei=XX`I_(TkEOCYQ)|YT-`qR%FDGX=O7uCG zafa?vo*j~PY-Te{VtOZva>5=SXBKY-*xAx2!~1W%8p<*rotNz1;y#SDFsJaB=;qIe z7`&A!K<@<#;w^Vfj}OgYL2v7`HP)a2rdzaNI+*Y~p0qJZA~ae2Q=N%ANl2s*E#dL2 z+TMw@==nVUwmvQ>zLTe>YIsX)NeBCInN9~npaq;S%;h(F4tbq-_QsRmh_?DH;r1Wc z?GP;%1GbZvP=ANBqn4z*(s)>I0ehw{{3Zw*s!4SpBvXBaSgnGM+a!(CK`*xNEf#ma zMqH&enM0zQZx&vyET7xow~#Y%0ysB5r309(PVlETjw(Ws&2uhLrGtL<5rc0rJ#L-O zWbwiY?A3#m1ULc3A^=ptbScb@eV$Pm!~wH#t->ML_#C=mYnIvWOh7BQ&|x>`_bj83 z<;AIj@TZwFE`CPFIih{aTnLVqlf24f;k(9a96(t=K05 zV$0yW4d0_~pL9^6U(y$|fP)LY0KhyV&{lN77Y@x213T4p25f)!Y23X`YM@Ao_`8ap?+HQS~vpjpUi=9P{83NP|9kja0w!c)KJ7DK|0{1(=R-0o8U2$gq&$p)LNk6EcK%8U&5k7|a1 z&mn(&>J4!!tpjO!>Z-tPrhO%62<+hJJFV?XuB-a$&3V$t<3tN?b=r^)AbaJLi`+M} zfXf6eD7$0Cbfuc?q8y5ZSx=Q0<%Qoox&^+*40o&NKry^JAb2=-_tlo%12 zV(n&@(8Z5JmJikN1A-X$aN{08i79zJQXkYd3^y=R@(YE~w!=UQtLE%UEcU-`P>_pl z^%ZgG>V9VflUQ5prW^ zwZResq%}b$l$_Zbl~Q|;CQXZCoz;)&0eph-7g4JCnYwx;aTii^)KL|Gcpw_Jk=}8s zF@T83$Sh*(F#=8BmQ&L4_~6Jmz7(>=32`Y|By9;1U=PWAEk<$%MHe7_848PjS{S$K z!fr7mQH#tp>G{7pFAA$4Zz`u?|3wu}tuZ6t=l)9Ud5*}Md=!GQl+RB_eL$Na&C$LQ z8xmW!ST&HR7HEDOkM=ZfddbgCMNMo6*SMfAF|U03=+EQz-W-`=OEI}7xjuCE`@I< ztGA#0b<5Q?W5|%Rtd!yo8LJ^p2Yd?R7g+jk%+ka#{6)^RXTKhAw(?@xT00DGrr^V$ zRA!kkJrz^7S6nvnfGw4MiJSu(K-NxFMQigXEJ0#@-kUXCa{s}2096mBM=dkSrt~ri z;sBp3x!5qUFttOv1#?b2P8(ZcyY@#kWrDo5Svg{_5gv~@4=_?e-i`{LE+N6KpoHiY zgARAyf^^AQxq9m3?7qw?{GuNYbTb&`;y8#qp&SW5niR+3q@;|{R?BPIh>n2d*(0m; 
zK)aS0ij%)Ku(PLdC8z6PdX0l@>?YLifb^%$8Ru%EGB8SUM>5YDnHTfVrpF1wQydB$b`ua` z)VnW(N{ElX3p2N+pwHq5)OB#PRDmE0eEaiB#JPar|KYv9lhf7zc`~>B-l7uhcSr*s zt3Q4l^nua%c@X9h-<2`EFyf)vlsEp%4g-dQnri&3tkKga$H}K)*i%i2tHKLk-%inz z8y$jqyeG9*7lh4za3c%ZrtX0=ge2c8W1)XEb!@essq zrsN&;!&9MM!}lnis}zlbLrm^jr!Q8#Huoub((pQuj%cB<(C{X3p-svs3E)g;k~VyG z1wbcmz|6VY9-WkxF}cL)9|#TgR@0n*Ss&Pxb~q?_@)%aPQ%#na|VFH-z+7q!U?!g=u5Xj6ka#O7`Eji4j zQ0wMHo^IRWBdXlrdW#G9Jrhv7NZ<=fcL;n&okqS8(qx%b_p|TeLyN7 z2TVGs?lsK7UyqUmempkgMM9NcOZIqVvZC(N`rS~v&z9S3&);WIxW!!eV=7Jgw=rYL zcph@ybu?zJ`L6Zy7v6p2G*H`P2Rn&BGMLHFBG`z9FYj^CR`YbF#a_qRQt5mw&L}wO z-;$?NVg$EYW*}ZOHwfr>zZ!ltI`g0sc=;jN-Z*GlSFNRV6)B4Zqq({_;Bwi#G{nECUUwfVWe?LDU z@H$zt?|m805#xGjRz)IvHd=^npq;{?2QM{c>1Y2BkcS^tppg6A>?Ky)3`Lt+5c%r9 z60<={Pe_*lbiu>cEiV@2u7!cEd^}vtHATB)T3>dk1SiR2#iy8~QYvv+avT%hkBor& zTLUynNko{|w#C*ignWvlLbYX$f(LXAjjW4b(%20+J_RYgAMSQKBj~L4CeAK{Ah*9N zKBHI1H#16tm|wI!8p=>x^Uy5c(gBNWC|ioBL8aLGF&$?NulhU9V6aoldIBvu^?*nj z$?R6HWJVT`sNS+Q=Vk=;bI2QGEZU({Xl8G!p$!(qZwx(b+88xmb}9@N{)H5@|1_CR zdyP0@H25oTr71m9;W$TM5wtX;TbzQWr?i-Fx#3lfM^cGSaZ3xu(c?GOR|2UD-A{y= zlU6e>nM%WYB-F@tyHJv;Q1I?^EoIv9DnyF)Fapz1H+B-h;bE3S{aB0YOzb=m2yNcFppOY~IT$y!UW59~ce-IF>X2 zPA{h8X5S8S&p`>%r?urYzwsPU;P^W_nBY$BgD5=VF%UGdjraV2d~Jki^}{>J0wQ{O z8CsQ!%ZPM;^6j&(3S@Hu-05S!J5XoI*@>#djKk87QtMZL{bcHtLwF7Wt8f;LBh3YZ zs<$1_5kRmOz~%`@?2zXUL2ceZElf~eY9UE(S9199CxDr=f#8Z-*`Uc8J^qW4kJ{e# zm-Hq8_MdOW?Iv27_~V7FQabN7>x`Cq(vR1hvx@-&~q z$PJpu{NDF#E2K9E(N&912yxT_i!sqE{HO-0{oSyI=~_h(lAp*iA7V;qq7wgws#sb! 
zecEsS?fEKNt<@xi5TTs=hyZ49>^KE_7E;(&;!mDcy~UmHO43jFw$iK9)ZK_I61~p* z+mx}Ih0J|ba0ZWYceUYk765dPREwFhU!zR@4rXxPgc3~Y`=&aD;NrDgm+gQs58B;SD&%nba<9@&YA zRdTTWGGpd{Pimr7p*P5Cm45O812FvF6Lk0J?3BtMaLjYgr#zDK(Mx8gKa+V3zI^qw zGAFoGG2Qu%-?1Fgi9nsU2&>L6WWV9lbv3|YrAu~2uqb60s%k&M5M=4qu@UT2-gQf# zCbP*UGP6DUv#+I=(GxXEymW}cr@`I4~ z?ZEbDzl)Kvn}33PToqkapIV#X6a2mxL*;x!?h?sL`K}1hIC!ux9p8a#dIOdyAaw^UU$J`5X@N z0nu`nz1HD$MRqC11|-4`t_tLd(;Pjdm3xviE2x+`+Q!B|qHN@}rDr&F82}F{5c>Yo zh=!+Ia$zcBAs>qZ51vA%jP4}hYl z^!ZeyYh`~{96KR%gXp9 zye1ZoXr<=Y#&4r;{q7K=Cdpm<7=H*cWT~!E!IlY`7rO7(Jp#M+4Ivr!8((MQd)|BS zZ*?3;(RKXB%zK@qsL!cN43G4o4gFP(oP^WzECQf0rq76gPumoCAaxWF4_>M8{i;2j z2d0QDY7#pLgfqs_qnGck^8Gn~MQYu)Bn*9{w}r6xB`1ol%dhCi^F?xQqt zm=^REZF~)Yb4jgHwNAXm=eJnxO^n-SQ_t**>MoHSdAT^dGI5-}i5sVV;(YEzt_&{h z@w<|k^1bt0V}65!BfOC_Z&g$Q%Jra9Rv$Dv#9JTkVz&!~mPYt%*DO;=E(~d;wa>Uc z#HXqQ3aZ#dSgl)-KGTl~ zX9|>TGQFkjn-=^}q^o!Csno!&gsy{s?1oBwN5!VkH24eUuny)WfxMFu^7_|n;7c-9 zzS+6klUV}Zy4+-n=t}|4FrBs_?o^EM>WW(_O%T50fCz90!g`ss*j|zWlD}Ti8POR1 z|Dj0R{%8K-!F~Xl5!Y!!ci6hj#T~60LfGoYNW>n4er%N#!{{Tti&L=zBaGI^h_e_V zu6kgGfa!ht#c2@z$S7uek$gD_TJLBwln{iAYv>^PWS$-)-fl({6^J{$%ey6~ZWy>f z8fZc5c;)joPXBu6A`u~hKBARg{{#V${q_TH!dfq z3h-X--l!IDFte@VOL_P^UIM2g)b=!x!`qFzkuD9XQSd&__&CevjU5UZ`7&Xp0OvOy z{b4h(@rK-N2I;cJ8W~bs3WyIwfJemW9n9I1+X6ij%dVF_7e}U9cx`p4fjKp-OTj51oA}$EC6;7<`~j$K*jYzd@y@|^5nC%VI4bzE%lry`o;F}B}B#*;jFxm_%L`r>zo@>Rd@ z2!$9Yf_jA9|C|Fx9a++OHgBKb%N}*P^75EE2w2T@;;_}AJ*sxjl>tw`&80qql8Zmk zK9Dy#BI$J<6)$-yo|)DX>7dcW4Xbv;B2%`Sa?c~AJsjIX1_#|xFFXCz#)U`$o`!rg zF9eA7grqq)f08&6aXZH9Iu~yrto=M*z90p1DOpyk42}cs&s;DOzxu%DRRVI=X2c#NLu$7* zKk5gNh+}J0V|8fZ$y>UpjqadS-yYZ!{x-RjfO>i~Wd#bmy9ZIkI)okQGfJrn4WWorAa&>X#H8(`!3?Ka#jCJZF0YVhNijcjYMP0;6PIj5(Y zu^qxCP;VxCw%HaAcjjwwK6|l2sA@aLr}*j7`B2(dUrpH~93*75z>14W@tF{#$AO(E z3&GcuKc`e!GEk!fN$LalRCtgz#ifZxJ9k?OgH&(#F=X)mz0|h)m{IjmTdgQ)&oVR+ zjEP?VYi{y@GVY7vDB~s5vm-9^R?)2@TjhbnSrrFkETcoKW3kFirix&w`bGIPE= zXs0JJW&h<*7rj)PQDlMBBQ@*kayV@9z*4n8Db|hoEVPQMHbrppjd1saE#i;9kkuEy 
z&-c7U`$Tp%LG3AeiF>huatGf0&8@BJ)#Qt^;Ws3EG`Rjn&4w#kc(8<-WpiRW^0caE z4deMsIz%T1Nv3c1;yuJGO55h`&*;8qJWioWw`?!42IZ%$>t(SH_Sk-ggNK)I8PT-7 z^zuay!M%EVh6OAd~`O)i8e=fjbcQ|+PS;kX>-z4sf(MCZ1bzQQ70gCI_Uq4@1d zAL9k0)NnLm$hX7z>P2l^*6CR(y3DV6?)v8H5*xz~qlRbV{9b?XGZ;5uP|yjN`HOZJbQ79c~xQ#0_sUrF{}q*WX#l&OXNd zERo4UDEU-ODSh%Gx`E9ay{2>Cy{jnfkIAZEySw$H`|m^002SkFIS!X#8g!8cX!|8!MTdMjpHw~* zIMfuV!(}kTI`GgD(`W&9bD(A1J5K05U?GB(`%S6F01G54`Vx*okDf#ZSCgyIaM3bT z;O0U1RgBa20>ufN#&qUqP#yTl@?jfPiEzFD&!mC(K))FYlAUoo(!o_oefd$}daTt2 z7LQ?cF{}eFKsf9WG3~_h=VQSG5$_a$$}3nl5)>--WzJh1IY|Clbn41yDwL{&U9Qx4 zD`={>L%5mQe&MfdV)4gB>EqcRb;W#Op+h56L&BjyJJa+ueC?o|lycKHq zMK>{eCQs~&7pwKK#rmc*V8&h<$<4bn;>n{P@b{6NZ_D=rV+|KeDSG~=K zXGvn8iV6?H_A1QO;+M*uV+z1IlC6g5_`RO7<;_93_m^QbIP z^0a7vLK)ow>WDxb>(*@+-%Rv(7Vb(y^_?K!OCHZvo>#C>v@)SjlTneX~ zoT^C-&K^|`#Sm0L)58;9&dCO3kgs2$Z~|>+a9TK1DJc)n-LVIAEE#%|Ipo+z9?6N} zXgy9k0yxEs?hoh;WAq54a_Qz9MvO^zsibWfvj^o<&!4cTi#D7GQeFt?sEj+e*Iui8 zfLEQ%=u$pSrjxrw%~)UopL|lFN$l0ZsjbbxiNOxG-SX5DcHXK1=#9tY_-T4ayHp)Q zc4)hy&mHjl?nuW0?b$9)`_}`)?Vrvt8`FHj9W6pc6%>fJ=@BtM(vk+A6@+CI8#r+L z7-v}Sm6xIbOH@P$TaImnQj$Cy4^4bDOYw2$A^)hO>;be-liDZYO&tbGprT<6XYA_l zrT{$>pti$maO++&wQ%0HW_16p{~>uJjn2CO$ad1FNh#};Z&1!aDcv|1sm=%yDv#Jo zUmzd+H^)Gp2DfRV=U2@sA|C*&*oYoYpdr9-OC&*83C9*skJ(^fLftx#)#UkhWe%bBg0gFk@p}16dM(MoeEE)7IEs)3OSS3DL_ypDDvDHia$XCxM5fCn6yT5 zn`Ow#A`z2+388^2N63AVY4+VgK2Y}Hhz(!6-yUk9iIJz5fDC4Z9#g(JFB?ASHiTbK z?}VKL6-0=JSGCDgOdtjKr;2o@xM! 
zIX|J(xsZ{Fvxxqm@A%SEs;eWM@QH^LkOzb&k3*djE7?iu%r&%IJXHir00V|EHK&yN z)|j|PfvY(SNz{pr>_Oe~=sogzQm3spV#^aT zS20cN1RYc27%|ulbIDml@6?~;IJPoYeQpT~7|@n}1s4r%X}28~uThCNstP;*Xr{ac z3|aRX=$xhGvN3<6Z4i_-tlV&E;(6L#ClveDWB1sW9}Bwuw@iwU`Lb9&L4Pi4+91AA z?PKQUNfRzUewRm3x{Mn3$!nqICl4KokQ?JON{zWlCo3^B7p}7D3l5nkYjhu9tX}Ef zZu8gmrjWUws7!H;T=CG#BsQNDnv9QNCAclCkj499eej^JXGfdpZK2DE(vB>y<_FoI zDY4IU{MaW&!Hsy0h?_%#KmPez!}@t%O3tEkUypU=)s#hIWWj_NtTB{Up_4G zUXRU_c@t^hT-NOAl4}v8;$!HDvR*cwh+X%1f3syW-8(q>VWtr#wMTyfCxVZ(YO{~5 z0g%$i7ni)-XNj+N{eV7tI_@~n^tX6{JLcXwh$F#!moc1r$@v~0oOCF59AR~uE?mb@ zaSUCUN!Vwf3km>A%gR!cc&u+94gBpZGI}g}!F324WN_l`bafS=5K&d%Z}B089qVku zGH~r|5GHXSMcAg|*RxB_Q(K$P&{Ptfb`PckCQ28-B+itz09s_+{+Ms zqL#pHwkUpd;mh0Wa>z9tT?Mk=KfyO*M;7G)^>SoUxN@YdM#+6eq|72bwCzB`9mjHQ zxO}QMffH54089o$LyVh3Eh&`R7r$$Q5t=2nh(NI-krhq;mNk^T#~gmpq zNx0$?s4cXt98+<0+^`0Yjr=lq+j_AFlg7EwhNg+X{D|)3mV_^Bj}{>D2;keDUdxCf zxl`q$GGQYXp>yOV#1B0b(cwWH30>ox-#+J!)Np+YKMib> z*lD5$bc96DrNDV_I8*Id=2CPE4HbjZuEv78%AJQ*r7g3sqT~PWsr4maS_Dc&W%b^? z^;TY^URf0o)5|T%`+ltDbaD|^EWg|%nO$#LxZ{2}}i#SO(W9ABLEKjVaBUqZX<(L~iN zPp0c@JT)ysLM8bf)!TD{BJ0WxwRK-Tbo`$fa%N2r6U$LDp>@{wV1Rlk_Z=S6tS_DVg6go zCUfQHdl}kO2B^pAnhSch)95!^8vbyN;V*Yzh|RkOumPBrgx~W~mY%@7^^o2~L6la= zmvl_HIE~ofC^3VHGzR<4UKFaQvG1?wr5qB=M>&n9_{R-) z*5ksOHK&0uSKoB9J9we`!eTpoctK;a zG0%#&^%*lVC&tZ!Np>{??AOBbhIW6UwI+86Gy}x&NfNK9DlM}RymT*vuU;}i4CU5D z_X7oJ2h7O_7$>*@fbNvg!FDgcxSNP0RCv19%Urf>IS@EadT+o780}mo*$LjH!7E)8 zC@>)>DZ0LS&kkx|aS>*>!YzOCDK;+j(xhUzQ?Pd{rx4=U5YCOoV!jy!UYI?3yR9Ii9B{J;DnH+*mx@IDQP7$TpYbqs>wTuP>j)lSCH zlsf>VDZ#QvZYr(e8ugU1L`+gUx?z{$U11m~u~;cB#thT@bS2?HZ=V`e`05 za(Z>;G_f6tQ#h;}ir4`2uMSVP10-n>arwXnmxP<-r<8<`dv&Ry{K&>6W~rh&mP|M+ zzZ8ZZbtoqaV>_ih@AA$fmfA3Oc96$?@})OOqx%JGOxdRw#?#gK;rhJBs3^qwMBKQr1hZ5N*YUgW&_qH=~hXx zlG@u5%dHOwI@ zQ|I!-#h+K>!5!5Fb>lDXm`OlNYcMnMngj;{6z1Co89hAouNH4qed|3`42cV(f_z{| zdyWXL%Fmk?=;XJ7H7KgN)0LQE{vY9q5gua4O2e&D+#bG?d2rGvT$rl!chU1%r4JWg zoi$>!Go!JNn?VnCzN&pD3UMk|W7`*M%cP%-AO4xFVe&2|l%)t{i$MmRG?Q3ZiRm!4LxDxwkeA;T!-S5oZS;oWJFW6y7@T6qsio$eO`(nsY 
z7IpvnlluJ{zx?JF#%DdF=gxBR_6}!S|FKGFPLhGMXYEH_;hDGeRL{h7s5XdF`xMvxPt>!dECelQ2L05q*2CCZ;Et5{ztm zcf-l9%h$gn1+j*#YwODY(Om<@JuE;rbiXC6VAW!UDRF`myCD5qNH^YzHUVVf1s2W2 z0xyE~WHozN{aorFj^cIlwPd>Jhp^Z*3-%Qs7$VUwWX+TL!LfDsmI32~yZu$Q>GCxl zbUN*0X|rTz|4-E8r-6t@vjkBaktg)DGeAAD6=Z*k%Ja7X$eBWzcwcDXQb*_$by(sc zVc_(CY5CTdMjS)4R@lQ4;$z2CK^tzb-hBiD9dg7Gr}8PjYgf%iDhnB1uUR*y2;oP) zJzH4GE87oRNQ=b%V9j&a+nY(?wrn)z;F=hPUvn_^wwX?>NBT>c~b z4WtYCqJtirT8aY1(RDlwE*HAz{G4;D(BjE-;Pf%?tZi273Ln=IBM7c2w$E#=W8oZP zNZXw7*DxDu9`p(HNL)y#vwu&V3ivg!7~n|43mn*&?Lex(g{mat{twd|mJReukx_U# zkUQ4?ey#)ifDb3&hLM|Bb}?DX*a(0jwmZ77Fe6gVX56l2>2VK(@&M)$YQc0IcC2=Q zFcJaicflrFpZPT_XA=FgVbw2^fPZ7cXj1WuB-ei&9#B>k zan1%!DAQzuc&(B@ihyMwzxajBNE}G>qJ}Bq$BldfIaXAX>$(H64u{rV4HPR520b3P z8WZpllr<{>F#~O}0vzD63`PN;GWQm1j@EV~sz3IRS=uV=)Yzzk5m?7CF6{mhZbO2q z%LC&H57he=RN}gY;W!(TZoJLs|{|m&SUUaWy`wJqGz^pLR3#U39RMXTy zz!e(?LYDlyk57M$Rm3_7cipg_mnJtRP0_b(Le+lA!d75No6>d{3_BdP5_?|LH zlWoTw<|A0r>`QUHTsFQr%xQ|E*8YvpP)@=oSRAwb(1kTe(oVr2d)siSfuUr^>DV3> z6q1T$sX91c$46K!Sx-v|Z21-Mgmpee!?ET*qy0gOznv=-3~$QX3E+6f87T1E^aN!0 zC|FaM-_EB~1bSNmY-q}x#M7@DjA+P8_Ac4CXAFq}j)W6J6Ps?QU{I${OYb=g8$U5- zaTl3$Zcg~D=uv+S=ScM!M!0354t?jE{J|BmEti?TydyQTVA-|f%J|KkkJ7$oEw(_?jRF0c zj!vX$!t0apl-w=SHKc_M@UGNMVzV#bBzD2OK5Sv}zI~+XIYrprXaV@Aw}^LgT*?1i ze}WWtlQW{zZu#eF@lNN#Z!fa)J#W5J6QBbD{D;!zK*tnC^J|&%?iY_C3IrjBBU_iy z8g2@RnI6VN?qqI@Mq>Y=!W^XJa}$<%rhgh`h*QVr$p)Z*jPC!;snOfms{$+4Fxp znefL1W6mgda68JmnsnQG)!gKvo+|yX@V|?}7r@=q`by~u2dbuVpK<<0k~qH5Q&he6 z;-%_2_7J566E`sUFvYl`hHUY=rE*rdPQEOs!Z_DXK3~k4X-sQ+;61KqXXfkqd5p7l zm0(19RG9sNP(h;=tH>Z8+qM!(_giCD>=P(69oz~&zz=h?^%Jk3?%r*rgq2Yebmzwv z_w?@|A64nTj}y?_ZlVkEXXaj1*J@2xYLs1v1>}HY+!| z1DiJ;dQ5*s&qSbIh=wg;h*;XS<~w+B_uoBsf<~V`6*qcb^bT`Sr$nW^yiDJTC!0U8 z;jU)eYz0g-k%Ts6Jed2Y3}k`mGyCRjKAbc78Ls(U!m7vgCNensTHcVEZ7OH3&`#Yu zPBm9(U>uB))%ZGC=A�KSynm)b3#023!Iw`&yC;nz5-!-+Li~hK~XNF-*ss751%< zL|y*(PRxT*{CZ`DE<5mV_>ImX@NYfm(&Bh;>)W8OiPe~Ly0jbj&!QtFJ4C*(cnu_O z*zG+q|Ig({Tz_XTzfh|Da46Yy8SXJ0O|=Crdt@EdfXr&tgar;8lrjfL`7wATb;YTd 
z*WR6s$$qG#$~?btWje4b`_5*;={G8Wq97}97W}#u?nl{LWSgW$XzBr6NCh=mDdW9;n`em( z@boOxtD6=g-#68_tF#>T3x}uqoxx?KdNu!>Yt~%n0X2b)Fty}n#&I|UE5Y~XtR>Hb zH(;jhQ>=3xu#(R}UeVnhDcVcrEF+Fy5Q%WJOuzyRO3p0BMvc|fGZ;pqHE zlG!h^#;hLAmPg@qAC4!IRScxPFxV;!IaR*bC)Zz4vjA`)wFLa;di_(CfeAw-Y&kGl zf7U}djh5E^RbwMf0bg!dgROy)w|5)rh^tDaLeeZ^}#Y!V%QD}}*G+f~&x3+)&Z%A>Zaj;ivb9_YMQz^~^ z#>(KNb!r$rFWLAzuNz|+Q)3NJ=n8yq?VAbG%r=j&59tNixmM<^hqTJXDM+HI-(7@} z4Irl=?2P#n&^lhtf=M&4^^6G|YUWc5yW*C>uA|0-eBd6m@pPC;?J3$bd(Npul6ZME z9`O^S=QhHz?HnhCa5+Tz5_y(>MiE-nJ^KA5(Ak=`*Te4C`9IPqT|7{l$+eTvrKX{J z=Ilk@X8j5chS=!g$@hB1`D8u)^CFyt-8lv=cfhi!Ntx!?&OEzk|MXAJyUBAE(>F>) z&llMbJz3JG3ntS{k_@8Lh6MEIiEMkj7LMvi7cBz#a9dc2O-*b(w69Ugd2zWXABoh*P$%0 zh4UxVOA9T!jTJXoj3}P_wVK^u9|E;uBK%@Yaor=FY|e$a><$t!{F*$zSVmke7B3=- z2c$2!Mgp#udQj0+0!?wo1cT9{Yw30Hh95sxkk))}Tp|uF`@z5s22Z`%;LM#?KgH33 zWz}a?^CO+CL?B}5!yLfxCje{q!SqpS#R@_KutMnTE^VnKgiyJ)s2+{^3fu|_^Dq46 z`U6OOz7rHIMfdvi@t3yyT>Jz+S-n7xo4{f15ZDP06)=I~1K z?S)KgIb}7Jkl4k_Rz<0cI7Mp1BXN3_8VRKNv5D)2?=p0N`iv!Z$TP6)f2+^3|gZ-gf{%OL3-D5pS7$srK6SuIp~M8o^Elc*3&kG0A& z7~lgm+^sBlh%7`gOdA8WbTjG+W^BxRPIU#bekHxsR0T5NungK-i@dC@S}X}?Fq95po+4+M~Z z8ltNI;;)x)r#8=b+sJC>q{SDu5MDXsSo3&c{w!VR2OcXJ2z2=r!U~y?^d|esqw`MB zZPy_@x5JhcdJCN*Z3_Sru5{_Dm;p257nSrUSmyHSRXPOH21|^MDKP0a)9u`C+p20l zZeh~_K%wKCd0&<$(})Yi2NqECyQyOoR}Sj-UQN5qlMINWyLwI4)BtZ28eB@7$pc6Yv1xL{+p^r=%?XCLaQ`lm_˃r5 znUMD22tS<7=HypVuU%QYu4sB0;Nf{An@V?tTAY->B303#(wv;4cICISy)Qea)BY#5+d`uXvCtqw&%G}g zj`tv3xCAt~@EpWbMf+7_RhQZ1dsEG9=nPkOOVty6Z;LtADSX%RND^2RNIjmBCMgFk{?`LbUaRkp7dkC z*)dZws2Eo5F>@YE)-vBj3>^2e#{QT-+;hqGX1Anol#7Vq_=mqbb|~|eS-bo@A5Ffx z^Ww%<=W?4rj9LU73|`-AQkq`=B-{hsP>Fcu#c-B1gVj(t?e0}GS96CwK(q>6VUG3y zM&j7KP&YIqU67(^Z!|gEY(+#TVvx)wtTRX~P`Z_@Q}o+K$5OiRQGh)p>i9}pZ{V(g zFn+S*@3K0bOJ2Q4R#&_4yIP<4kZc7bn`BxuX^Oz|!7l`qC+i^W;r>oX zXj!H@PZsRA&6`1@q^;=-$uZlB{V82r!CFs9xTzM5P-P)DIjYrp-?npz*bO+Uy6Y!*;-R{yabSN@kOUr+*@ zLj13^B6g!@2uS=thiKvII$dKPQ+mek_MspU3V35E;um?n)zR6{GYN48j#De9i?fCO zRFjhP(tpW(ryyyisN}la1!{#^s|{bQ#5uYp02mWKY5=O#`r*iZAx%ao$b;#H<27h? 
zN)qidB&MCkwqa*phfnYD7+Y+GmGH_3MYWF;8U?t5qs^eAj0oJ-BPWow3=&uC4*E zoPi^gLT5aWadaixa9_?_M>;sCK(ix7{3PMjnHYg1&V}q}2Wgjrkl4K~KhYysmECqB zk`HlXkt_N(L2st#PH;5D9!JD5U@YcfvxV*c2)E?oYCE>(<(nxQQ+(Yn`>lXFJv@+* zfw2>~gJtEoh~{a4R)5G18o`DAM?BQ(zz{KPzHlAz!gQ1eb(KiHaBi)_q(gWvV1u$Z zLtSbtAIvG&@u48g5H znDwE7M{YKy%w4X=LOpbU*QgSbH*Xo9F*yfK(TSY`RBkIxGA}=Cx?3T-pP|j%`Y-%C z0vE!ze~)iPyA<_&)^{v8*tXmPssXZ+DpA1kcCwj7RFY?y7nqiw#q>Mj04jKEp4=r% z>1_uX@45>3X98|+qKQt-63s2G&shSbUn3Jkj#ucj{W8xCJ+*PeoTBbrxJW#REvwDy z&p(8T1Mh1TgDD(DsH8qez5y}l4PhsBYB{(5<8Q%4h-1v%Psx6G^V1zHU#!}46~R;v z3-9s6W6bw|a^07U+Ch5L3L&;Aa!R0_gdz?8yrhD+$o=~0n<2d5`KKuRE-%{NHILLO zyeIJj;Yg{-UEBW*n1D|#1C+?WR@n)8eDtEu58eBZZJrjMt=ZT@B_ack7_nfzgi-Nw zdkDoU$ESG{^IMU>bPM>na`hj~DX)0M;whuM@Z1d=6F4^Q=6OJ<=0~hUNGjg;<+f48 zqX!mDX$19MZVrC6LWZmYC?RW#y-6qM>=cO+7sCdCD@!xP~adR^Qg;+s&1U|V+iyPFxFbNmJn zkjN&J`xc#+Sl^D|aVR+6hqBylNzPm1yV|P!YJp!f+WH}Rc(fx^vdptG#UbzLd|KtC zCTn6*_^0dO*ZGu8RF-7Q@fB~U3$5*DWSD4&s9BgI6vM%*=shJ_zqB6STqGfd%z>~n zn#DK9klPAUO1p{DA*R%FdRWZn_hbUHVhbCcG#2>B+#UnTD$%IXyr3(9uPK0Tu0E{t zW`5GKkFbke;zSFmOSVbXS!2a{_=a%o#3)^z#-W0asO?(OqN**GNjkh{&)6O|>#QxS zDVQ6xbRpr2(4v;OiTk!~&vZL8Nv*`8CMxq1eM^Uv9e;A~`wuCpELM~Fv)_k0&P;|_ zln%P!l=2;W*%-Hvn)NbmYU1{?1T%3;N0=SqXLAd5GpH58EQYrk5amk46vQ0+F7@kE z;@3g09m60p>&z`w>gk1NzMk^aap~g=RS?QYx#L0PQ5$jRivF}i^jB2LXER_>yPkZS zoLpgPO>uPTVUbFO4jRPP&ibo=I7w<=0tKJTj{ZD%DWxRXhDj9&w^9ekn3)A7WncSV~2?R4B|K~`c26izHMB5*4}R+MX<&yeVfd|zr~ zi$Zqdn8kw+GWhA<5?MLagi5;%$altviRU|Z1tv)Gd<8NSm}p*I#Vvte)j@rApdR_G z6RlMiskKKVRWvlSCD0wWw&S%k1IKbkoJC>zsx0nOVN?{c0?6R?g zE(&SJc(efzlV9E9QeIk|E_mCR5LHB=q3PlG@>$=H!zLg7*{PgtCjIhaCzSR|+%?77 zLS5(;%JS$g_7btR+Ga=1h35Gk^j&1l=LRT{>$UfQ{I-^4FFqZ$?SO@Y({WPkz9Xyl z1Wk9GSePiD2^7Wtbycz=6*kS=qNf!|A^yPpw)3f8XwU1p=%bDPpXvk2R#f}>7e+_6 zV5_K)YQ;tKB|&CL%#dIUR0I6#qHGcfRXy*0b9x!|8T{I#G?5ZCdO=NBX>=->biezc zlc)s!OS6yPy(jcG=cA1-86)Z0KAhuz`08)xpce2x=c+7(%16QfWV#7TP58Fb5z33% z+pB{#`ZAer){k=^F$q68f64tLujUNKTeElS^!@L`(e2m2{i{>w+t=w1G~Wp;HMD@N z+O$XoeGh4L(iMa3xc+{Btc2FRqShEQ@9t!zvR1A(?>aI1&s9>o9$FhtPVQOHzV$m2 
z017{afOPXm@Qx~J=NHvU!AX+geB8J4qjokja$$jCqP*G1i9Gt9Eev2!BbhmLDvf;t z$_8eZLj8msi+etDVgVRnAa2j$gYx~JEgxdPc>e^muyHm)>>(%`Wonjg+6}jEw&c^dqjkj&QO&iPP)$tw=GxRd{ z4J4%Ru!lEyT-wH?iZWTnq)r3C8G>fTA@D2UoK+59LIN~vlL1k)pJ4Z-AP{abU*kz+ z`6pP|zKu=jhfyiK)}uOR0y-!f)X)(=@-?lkw>R0vPy;Q5O>tC8 zn5~-5dUv?CVI5&gp5EJlK%Ta@w+B$gqwXdLcR8=jyA_I_)TJ3HF6NcFL8*#*Cb_EZrlM+rU6#gq}~*|p4n2|8(BYA zP%lnF-7*v7!McmrZDATzVT{(shR-g8-#0+m_TZO1{-t+ZDJlUxfXgvj&{&QPgnzgq z65VoKbtqh$<1Ul$_v~wJQAcg#kfASuV@|+-%p++cs_@WBVW4_5US;1_dfhHv98Dvl zxO(wTW2lsOe!C0cCX(GDT!Q=bC1)Qn35ViX>n&dj0N?=P9sB7SWB`e=da&Z>J)ZlM z2O-l{b-Iaa%(33fMB*0+?o}&7bx}IBn%Y|a7uxIIM z1g6I~1>wUUc8C46Fh!H#z=0;ek;^DFaX9;;p03;dT3WIZ)sn}5&g>Wa@(O+si=6@Y z&pD_T>;=PrUg*Z8{Ce<1Q}bquP2bdsMJOa7wI zH=zx7Oq>gc6_Cv%sss4&Hh*>I8AVd#h&D3$IdF7etDybXTR_e9q+CX5D5wSf53Jw1 z(p$KpGI;dl3!wy@KpPG7im(SWNt)@oVYaI_xUqMpD!u3bC zN<%lDtyN0}Yb%&RLF{`K2}cDG$q?{+VH9x`5)RAw4y&E`d*OaA1LkA#+hJAkdoxXR zsQ-$ey_=r4RCbyLijbcdKv7VG7^=%?XCLNNYSY0!K)|Ybj3uI|49&1VX+-Vj z0=Fa5K*_4K=8H-I6HgLFEvrU3-|x)2^WfNoJ_u)~Ko+xod@#C)B1;tO9#M2%^U2K& zAdWY~1Rylo<)+2l`@~u+s?5cZP)6Co(iN(#I=Aobgpf#VH$cP+_lzTS4@aM^5{I}( z3TsNe3{f=Cq?fj*;J56#Puglk>TsN!A@kuuCD^oK<}iXaq}&$_@GBcVg9oEs*hioO zR!QB++)edE#_q(1J^EsA&n02ZXl=3F&AtC@p^#J0{GQThp%(ZX?yVDU?E1MZ0$Sd< zfxxsa#Kru zNxSV&vLBJf@3@IIMaD^7mAAZ3R_ODRBsE;yTtUSbJ& z@+#_Lw$ZJSfjzUyghk?GJfiovK=_nzfXv-jGhpNT*z-CKNlITf$N|8XwcVDagi>zvm_}Yo;0}cVcRF$u_tacFFFb*3qe=WBcAYdX^cnQv z1T6dCzd1^CfT+)S+9Lnb!l>^`9L%leR$65e8XOLA{N#g+mu%6(V_|El&EdS{|L`Uz zENl?zDAui>?z+`(76n_*_|aWF#m!M-AwW5c#jr@I$=2$liEXM5$G=&?n@w#`piMbp za58SFGW_x}Y*zK4tPleK*8Jqm+2sR3;dW*Lj}jO^K9LVUhx4u45i%*@n5vna!m#_P z)Ak9O6xZkuw;=Rz7$>2cxVb@qv~AAg_4WXOAFRR5W&4wB?eig7$cXRkup zXzJ5N5#wgH(PobVlUZWk@)5{}mCf5s`^*`E^V0M^!ApADm*kv0lKCr;8`Xj5W`=5Q z2?fqu-PRl+CUwY&C_%9aLST!TfxDf;4bO!8S+3G?uObOYr*aU&-1W=X_is3=ySxF$ zd!X(nK^Pstr2vz_mx6+g;MCCMD5!b4>{Q~Ss2cNL<;HkkcAz_R~Do}vmLv;<4u_5 z9Jn54Wf!(utwY%OavZ|4fF!UOjXTZ$>#M#oYhc~?FQ9v@r0~EaTxuzSy#P;u6Uq3%qkDsUvRkwh!Y;9*EWZ_ 
z-JI|cezQOjFNG(09+p5nZ4Lx697tjhfni^U4NS`oQy*(35?k6$|JDL(+!XdAEN|Q! zhP~~r2Ov7`oeGPz1)VR^ghY}l&WbCcN-Ls}Sqs>ymmNK@zpt>GudmvuQDCd@Jd=+T z56Zjry7av2`Mb^Of&#}^1sax!Cb>nQb@zCtRsYH$@{4SMW!M@T7ghkcM8cil(yngV z%=E@>u`bfDi3mCxidgINM~vHLIO6h=!s#e(A}_AtnC}>+iHl`DZKr7SD+YEOrDKv* zp=lgt7*Oj02{u0#b$AFwsgFO3Rcv@Fn41;tT4X~joC;M8_Pn09ma4h~-R~|sfdmbW z;MRS<6~G#2=(>IsLsmrb{uX+YueJ~dhUY%Fn+b5XGN7jZhlHZJvERGfeVwyE>3rWw z)53CwjldiK9WZAT$jPvHO9-`w&~)jl5mP3yb_S5stq4b%*;5O$F!}ezTuhrOQjF$l zr2gd?u?j}qsOu79#f|#Adl6nj&NnG{9D0BvbQK<8)|y(E!hVyQgwF>RyP7n}J^|0X zcbEJ(BkM5sH|0|X0VHvNLbpqeW-!I8JF8}jJq~P=>oadQU61DPVxI)=A+C8$As{L+ z5lcylNZwJbe^uc{68vE_HWUNx+C@U5MksLMTBqiuWF(qWZOSi3Vm|}k)C;E^C)QQE zM@Zb+84z?R4j-KfBF0A2DI)=u0{c)sfWu_R92wEOd2-ZY4a(T^5l(lXoy!Tu=^i&AaAf_> zkgYj_D_PVmwiT6Y#hAek-t{n=b=OEL| z5cac_oq}ipN16R9gP>uQ(5+1khk5;c56{a#eI^lJC8Xpz@M3WokC7l?3$Z(P3KGKh zvWmW%G{m)gvs+its8+h*#)Hvn5biq~$8C3Ms{EN0JjV?}jk9;NPZ<}JrRSEhVPpK5<+E)H1~+}x#dZki&z zc$#QFXyA;;O6OC5ZYM3fTnp5pl9VuiygEFBs3}WF!2f+)j_hQqLSSC=M?ADQwGu#N zoe+W1sB*~SQvUxW9Z@oonVBSooiS1f5Lm{ch)B!U^=m%^JD@iTXg6uC6wrFTA}FB6 zLzkgIi;-47py|;w1;RbUEd>q*1nv~HIAzZSw41GWaDY$B1Fes&jY6wnO|_^YtAsgq z2@SobGFP>;w!9-VMS~*&SQf#S?*>0c;&7#Fu6sP|>Kk{_r~?-^?`ULjLdFMQ%g!~X z4FZ|A{NQFVhl53AAQAdlY zw&TDh!orvy!IkLRPvEi!Qh?};a`d&0)j_!Gda&^O&=j6Bn@wU%!970CUK#hjyIbjM znmFzh-z?5{JoR%8pzkFh?6ShmC5@SWb2-SQIhupwI^hnw{kS)(q}V3yq~y6;9|Q4F z8L>DTM>I~ysh~I+#?i|r2{AE5h0>JQoJ!|`upLKtlWN#mJl|KNJb2K;nF%uf){e~b znh~KWHVc5sWceNJGGk_3uFJM2hP-bTH{hVVLwG9&<>b>S`^S0ZN0Yxt+QqQDDlj60 zgkyYX);n}MjY&oC16}b$s&4LbI35Rz6T|B$+1}z+5 zq$H>Ooy?8u0&sanUj<}cJ_4Q;y46+^vv^|YVSv<;-YvSsawBSqV{YgBI~p}YVYewRdpiAr)UF@l*WPzRE(H>G88`qy_R%OAAVJ5K)0tkcHosRX`!PsPM z;d*P;FOWp3J^7ls@s$lt4?Y)kg3m&06I7S^B+s2LA%J7n5yBt}6vD}|$9%W= zXSN34157C@RhW#Zl$viK6;p9II_ylsWLyroXG>s1;ynhYS zfFGr~Go4hxUG0#x!wOFzZB|L88fPHLtyg`rKY-Tm$qi(d6cUW*2Y~Ee63^GJ?(_p zZ!tj#S+MC4@dg|s`hXlQ74?cwBgmK<0DsxRY_8*jChuZum~|r_z56d7cM;LyX)f80 z+2b1`ehiV?U|+KxP|yV55}&Tbrm;(_tYK>X+cM-3)s#dXD_y3^J)w@*QgiEF-+V?j 
zbAbRaK+wNwXbXN{d~yoz9ih5No_lj}R%zaSa_++)={grLgAEp_Fx_d3QyEgdNc*pp}ZO3Q@Y6pT$&;|@HA zL+NuuO8K1(MPP}*g7K__l(k6pCc-#I?ZR@E$aH1)6?D_r* z(I#P-TgJeEQROhzsCXKu z>;U40pQVacE8XY0Qn*bhvAPkVh~vqS^mADA&Xm6fMDza44u#VhnGfv?@&cWB-LHkw zVz)3a8;7q03V+;cv%T*CK0u$%z1pGqnHx{f83?k{)YRariZrEAR-|}01lAiBU%$Rb z!KMZ=Raya`L-dexq{F15Rm;A%+?)4aM*pI1PmUwab%)jjLo^|F*ICd;h<7|^j$^s` z&rk(iL%ge1-PSV&|Nj)c1=Z1w@$GNnQ3QvX&EZCjjrmkG?mcFDv%eUt%JgBrlTqhuQ%eXDJvl~4lHo4-0$>D@7x0;Y2YZG&gDco+o z4fz7|l~h#x@stCWj@Z#`E9aV;%A_hJe~<`+lO=l#BU`EVweqp@Z1=crQIO6%GHoVv zmN5&mbG8S-w!|@u<=>P}AcASQF|*3eQIwCUQZf8*an6SyHD0V`5cCp4tLJ%$$&zm~ z@SL`c&#{`^aK55&l~#lSSN{DgzZYg5Y&RcU{Q}6l2J`#}NQhz@9XOtqK^) z5S0;TF7^>6)e45`pGXdnq}6^X+E_r#l($*5@*}zX8UQXT1FHD+r`tDaC+;Q5$|ul7 zwFBVQN^chw`&7tPX6FjiJ$I-c&=|SM^2sLnVJ;(0Cok zFiz>I$a_sLprF?3^Lg8%D46JOJEIbnKuPh7naw%=u`8b^-1getfe8gQ$Y}0SQ{xR$s|r0%NO}@>np4Xy!w%k z6d==^-I$=S-o!R_)b}Xu6ct9W@_mI*|A02C1dH9y$g?eloV8DK^Pcy*p+gTkq%}i^=-k8tuScmIlr0z)m(IvA~*^Io!n1cyLJs$kNIUqw&*pWXmt0B=}uWxP5u5!N-7h(_={ispzsthPPW5 z)1%j%H$Nh-bM~+`5QO$=#LqH4O#YMb2|8?UEj?Tb!K zj)1`4k_JENY2?8z>;^Pb%4w*|%4@e)$s7p~*Zm1v85Y!Y zgh5GjCvt#~snM)5a|nLtm)$6(^wxih_d?S#ocI%NXVJg+bbI!q)N1VmLN8O+K=}nS z_Re&Fix1mt|Ld(k0+(Sq!$x)&0i=+)uSE9fo+>+A-_CdQnsLwy>!Mq2w5#)azUfuU z1TgEskDr8$H%t^b(o$}Xv;_m+6W^d@(($LdT|er#(jFNFEAbNqsK6Is`4yn!iI5t> z+|Dxao3)63;Tc(6uzZM^hFwQx=Zu5wM&M|6_*nOa?A=>-XNRJ%bZ34x`SVRNR)N9y zvC?6wJ0XLbkGeqlG8MTh6DE4YtYHOSg%|#2et;;Y8Z+v$X4hj)o}mh&9>S65 z(mNESgl7okZsoTN>Rs!gWh*We>KnxPmW>P(>xe}Ucm_j@YgtxhU405bHEz2@8l|@8 zX-yUG8R$Z+xMVeQ2b#E|bVc*sYp2Pp@a3~fr4_K+rKMmTeH+{S!`4D{dEVcP6m~^O z=>A&ve(44lB%{Gk7o)Z=pZI#nHUTdng1G38c|cSFBW)!0y3^oN9X|W>WiK?J#?cGQ z{B=+67xt$+2MQa&mb!RR+cKAQ(HT&|EAe~1guta?b&-SWeUIY01gwvT>|h4 zb$7aRZ_8eO>2CIE_FCy?`0VlAG-*Hu(+7W&D+qbL*Z7C0H_a%pK8sAi&uYe-xRl+M zNVwOqw)Q=(YHM*e02WJO_}KBYqq{Wv2J5haQ%v~kZ8_Z<=d+(!)A)I2)m|BLf`wTZ zYr-^ckI%a{(=VIYY<26q+O|5{WNur+ojPPz;CnLeNIUaDtl&L=0cr4HB_5YSo2L@% z>kf)GITbD`JOkWjx*hYFLCS#ECo7wrpBNB1F#ov; zf`Qh}VsbhIDM(0HFs~bY)HqDIuSQvFO}(DF=%+A17{c<+ni>k0`l8Q4cj$`Hil#1^ 
zEq?YiNsF0FvqK@0=YvA~wH7hK65N3&=6YamX}2&U0ye;9hJts-9d^aX53-~uayY3~ zqu9JYIN-cFL+fB6BI(#cD}t(AmFA6Y+xS=Q8IkG`4h+yQF`}7`C@r$3niyQ^))W|< z`ZRXK8*A1+MXY`-56Fe^Y!0B&+6B>Vd9QxxC4=QdhZ3|dM6AU1IMa{eWSc4E*^S>6LZ&YdA2U7pAo@RmM9Y(q?6)N2o4P|f(EFdnl|wYDCS3W-kAc_UTcvhfDHhcZT;+w+8$ zQX$b_5_CMF50iU~d9@kq(HpfC7McK~OCdYMcQWS*hEy!bVAQxO#mx-Y>xKxUg~iyd zn>*%d{{<38OQ;4<_2wS=AVC+p5z{C!HW2Gr6Szf`^Go$K=e|qtJawd=isGr&Z6)o3 z%7EU>uIjgIbOC#MMUtS9&KjNb8V#n~oUQNWJxj7gGS z8oMDN;?4t^R6H7AXiQx8J}n2{9+|U;mOalhN`lloMD>RXUF*(dX9m}Q&!(r|&;5muM1tyF@DjtsF z{i|0_by{@Z@vKu(2&QP!?OtyZ9PPRuAezeFHOp^B@dJ1Kw!C>{R@yET^qs5V2GdOp zL4yLgA~d!&Q!p($h|0IeBb)mT6{k#6oTipLqT~CM`BQ{QGn^l$ZgmsdkJc~<;)B-2 zV&sA(fiFDYH8kJ{=l|6CFObN@cj=0JsPClS6+5=CyeJoT$IOU&a>YDA7k@qx`Vhvj zAu1C>#yso5Qit0^q1KHUov^P>v)emcw}^ujQRNVd*o532vU;B8PhYd7N>wZmj)l(~ob-m+t*T z?(}O+=O4~b^t2?s>nu=Vi=+ZK4{D!>oX4N+xA^slXH!a=(eVvR=>oR_DN_Trk4RzD z8d=Mzu+6rNCp<7L!raOR>}O3Tsx~Sq6fp25j=EDvdj9YARIeZ#05nMZ^AIoLUKE!O zZ%DR4K74!~en7@xJ%cgio$p><=twAF7|c!KW{3!}KU#LZNX$iIvEtqH=PFweaI^m0 zodjD(L|Xn=xu8xGS0Y~h{%L6M25FZTaZ2{V<^J(Luj4O8qrb8xDDr2K@N;uSs?;V0 z_q)!x+HPC zt$Xz?i%#z$|srYAD~>FWXw@0mAAH> zp+p~*q!a-mWURscAs3g^1*_=gGd4^C{aaIv1;O}(Ah(17{CrU0@aR|^ZLf=BSux}b z3C2W1+kl#N{mU%6CPY-h*K;~m{QrY{y7`opOuXZoSyyDf;o-?6g5Sd4mn=}XYI5DF zlsKe%?xBA8ie~N9OnTZ=(`qe6H@Z&hR~p{z5$8+tYwvNMET7FE1!qIT#I?_0{X~Kd zvO@Cf+HACGB7eRuvWcm+z54tey;dGoj4+?7;bsj*Mm_-`(B7DgE8rEtZx!fskX~z> z$Z*_@o}W8r<_j$#ENYBFqp<|XMc;_E(wvT?1%(me5u7K@TKZCsO&OayRv%Lk!j{Pk z)o!(HJye3R*#;t$@aN(twx!uoC?cW`zmhN+HrHAqM}7HlyP7dF?FrqNln^FYj+^2Y zpGEFC`aQKf7^mY#$dqH8f&l%pupj9AB-(%xAG2uocGp3xMAirpmDv`WvSJtQMavry zTp51@E~2(niM+r-mzlZg*PU z8xT@HbSRW8C@1epwSV&_Qd}jlChx9cKD@>{E;@+i_us+>;)}=}-Jg&kOxR<7g~Q@5 z2V#|7nQ9CGWX~JIHzI9%RON~*20Kdo>4!Zj5Y)Rm6ei8F4%k)7$62FP z@L}H*0Yk(ftEE_hsfV8Z*x1ado1l~s$so)V4Yr?~eVO z5t%~oPOrPseq0b;XSq!e#5cr2OkPYjmaOuzk50Qy5Cj&Wo5nN{XpfO;ZIsigT#QB@ zdfT>-QlPzl%V^^#(0t7Vk6Xx+BwDVcw$#esx);a!|-;roH zccDHBbZv!Fw|3_cN5bq@1%75~3&Kz;_Rm#BLftdIFZQ%_y|=d|KTh-`ZW&9FDC2h# 
zr>{ncPA)rRL+=IX_8p?q2Azg#?^Bnv6*cdEp4s8939EAZRJwCPlBY<(QVVzyB*Yp<3Le|RWsv?S?EAD(H6I~M z%)zK6Yv1e%4*PQ%k#HA{yuN#LViR&HDE+X5*P!O_M>*1>^Rq=>IVf-?P;Pxb3D3c9 zg;FlT!Qc&Kx@QYidgl#rV<4V0TN`pmu@$;J+8#j)444zjz0D6}usGoHjt=H#Fp`K= z51&C@oSwH;U`Db|$$?o}?f~?S5Me!v{sf%udd_VkyV#EJdLC>1g!d_1fOg?$p3M_{ zuFA@Q!UcEc41+ST! z7N7))rFlJ>y;EWrMMs3)lwc@*E;SRNPvHEryl&X@S3OlOkFgUr3lm>r^f}qv`NPbc z;uxdTQ-k=>WOzsgZ6GFoJm>1Qv}V&FOcg#Er>BZ6-+090`ilHMLEr2_a#wH{!yCUx zsr9{=$e#kKUK5{G)?*CV8PM!umjdNvGy4s^DC=P(rQPJLJcMQJm=Y9)Y!i_A@ z-!H?bGQowF2W*X=syUKhKNZ=~S3E{Qrj^2)`a5i{V~h`T=~3cD`LXJO?9|(MtOnjf zM}vvA(|igMUK*{UzZzS)=|RpY^xnhORVw6B|NMR*q`;n|O%lpJwe(`GapirY`+4iL z7GRT&+dOjhO0XqV7@u?{RS(GB4lMG%y#oZ90Cg$%IBhu|uCjA^*l*Ud`Uckra~L-Q ztPd!E%Zr*>j5%TTu0qPXZ#pN23(}r1m_73M)a|Ua%*eK)rQWbRw76=vKWv4O%!Re? ziT1)5f;7|mimVPiZGD8gJkp7z1e1G@F1WTEVix)@d{ySZXR6#|ZBlWO_j|9@sC%Ir zR}I^d>m-X*sWvF`kYltz>vW1K+~78NUzxW_aqngJbZsy20AdqUrGg{@w2X>YMQ?Yv zk~07Vml}Gq*xwKa_|Hfbaj}b0yqGX}`pv~74Q4*C^>&_1_||O}EBufry}Q~tZKRRj zNg0%Szme|4cv;|F5+-PO5u)91J=CM`HHKCho$5s^)K^xbK6cz8f7f%Uq9c5BnY}$# zfL48XXfUf5BPyw8MyxDiGYuE-*LBE7-s1=02E^v~&EJG=yaLz6X^W?=ql}2 zAUxZ(Z90&G9{~ivzvIouNS;vrL~h^FE-~284@}NIzM00E2LX-{a&fSIxK-nHgiIII zpS$Q$dfThD9pn)&aSP^rKxfvc?ywApX=Ri%%gCWV3*#;&*tcqmiGX34{Wou*8PJLa zPUp*aFd02JHQp@JD281&Q3Da0CdbDzY=HAqsml#(c&{12!X2btGji(?P2ISt;o30g z)>fmf7$KPMw2`Ue^3kWSt#+k=(0MTtA2L>{X;?<<`Tg(V#zl@Be}}Fv#yg3qgUsR% z9ZDJ4L0(9~`sLUP-ItJMbH0uCe*&SMQJRVRo_ow*NA;Eb3lyE+mv~RE_lAT#-LmXN z%qsh|o0FaMZpx?M!p!rHV|Yx(k;w!u6U3pS!}tOS_$2~o8u%5CeT_RrY$%y%`Qkf~ z-{H?XFDvNna9h=@ZgNdYgj!rPp??d~%2FD^_yWZgo7wfeVb3NB)(%6{$ns>yDaco4 zuJ@8ACor{;ci)o>K%YL8>+xH*p^uzioV z)2TE2Ua#%E=Zrh`5{e*@orcByGZ$h*;iqBb-a-Z_H>FvCXz&eNF%YDol~bO_s1dDWj8vU(s<~c!k>X_+V)tO|@$V6z-G-K8?xgUL?r0orY^yx(g0|nn zh|D)#J$~-p7wn-&JR;M*2&SJHBFGkfa zzMUYz;3YT6U0^@mpS{WQh-Eb8d_h%>4FgN*yXFlK+}L{i;#PbkVu;_jRBQ0T_*Ffb zNBjw*8QBNiloJO${4yH|!ri)Fa7Y`C9FmuN&`UKiS~QfxhoOI=?eHMt#;_+WBtt`s zwcP5ytN@18J)*QD}h#BAK%e;tl0!~a#yv+-S z#HaX1L=67iD{0T4pzUk$=^(9Lq7m5v|ALrMXi&5hs~K^@p`GJiiQ^^c(Hgnvk_~y? 
zDumB8z~eOKb?GkTed~~kb2Wnq57!S!o8;!fdn67P374L7_Xhk!F5M^~4Hu_Qa1YOk{#uQ>cvlXk;$?S=e4m|=I z?7vZC@uCMwp1y5K@~wKyWq{0q#s~@5F0#O7tz}2phm_7)u^|)M^@dn3@L7?(NVN%3 zP8a#2y@~4W=!6VQN+wV zD+$FeT|G8kif+alThJ?u{8DqACLP)F-#Q&+EBiwi3agp|9(m9OmA}CGQ!^Rkc=Dr& z?|DB|T$46C5<9VhWp5N|9Geosj_pJdFeN$5%9D%;d{2z)Yeyu7RH9rX8ZMdulmP?F zH^>xtu4Wn{SUVF$MOgOB?c_%Evkknuhs@9EPkLIEXQ0v;Lgx^w7DqhY4rW7$U!lLY zKGXZhOj+dtMP^#iMvw#WhgVY5zggxe_@VTPP7XiAxSz*uN_~Jxl)w>5FlpIz zNA1}18@_t!f=E}ge30f8B*rVWN5tBic zt-v@}b~;C&*4Qeq{v*A=wuSIFxT13N1$anL2T+c3G(hm%kM1Z-B+TSZ+q&66#>Lqy z8|+s!&gcunU^!`yTebX|T{w(RF|>nlK^xk$YYTs3b&^~@&VtODu{E(y#P`!y%y7ai z&jPGpQgKu;|C43;z9WdwDZSb|^aHF=K=!9Y-BnUH+5cdGKyYIXVrtRyn6zKRC5*fA zHURxWrW zdDyz$R=*=uFq%#*)lF9ki-oxsh52{M2J`<@=r`w&7DEuc2I8kD?Vik2c#IrJi=PgwVHAC(t{Cnt|E3CQv zQ`)tW5MP9`rdSV3p9mae=l(jYYwIL3x$dsPM37R?(4Ipq&L(;L?bhP~_!E_kN6I_u z@BGtw$Z^bar&#adF;>_Uv&*XfT<_F?lbE?PAi@|?Il-Y%O;-ONQ^ z)fDR=;;@Yf zbFbmS5Tk9p&bN(8&y9iWG-NwRqur_R5Wv=4DgYUGTwuNP$U;2_m?IOra8R+arrww` zi26poq$E!7Pen(wY4~*-5)6o&o|N)Z-o(piHg5HNd}rY{?eGA;d1MPs9jC49;B{=R z5quw1s*oaUw`E^>dNEsRzp%umms=6DuieaujokKt=GOPm(Ah6vEexdZ+G1|bax&c? 
zw!&|`6vIb$>czf2oF{jTGqksCe6V+VN*ZEUDZ>A10{x*s6N%p1kYzb5c|+MdA$3DI)6hNUI%`5vV2}bZC@_J7e_Tgy| zi|!ryo1FlSLjSl>)v;P5`Bj;Z6N*Z*PLf#rvF7rOL$?%4*E84jXwV?Sfqx0rg~?O0 zLt!v~)%08nAr1nI#*xxkX(hmDmX$ckGMm=mv0De@C>{Xc>P`4pL$>(TROtc)WtEz* zf?wAFG8Nik7Y8GgoKj`j8bSL9t8Rh}&-I^5_l_~-UmZH?;0&s(P|Uv%d%bF*lwa_4 zNwqH2p{jm}1wD;pq`2iMvh-YRMh?J%L<;nDUxD797vu1uv})!-(}tD!3=9ra*CY&e z2{ttjt4jHW&eZ}=;BBWtNC^bts=$=1eOZFRT~Qz9`TI_WFZ(rUVa$oQzFeV0E0LGh zzMy(;?i$Qs<}hn!imxNFm@ScI=N#vDe<67L~!a3dyPqqL6 z_~gOy$*wTLva;4c`s@+^s(ly2pS{|kub{3(z&mE-0-*;Q(7A{)4J>Ds9ul3{bP119 z6}+9C^xbOovHBR|u*4u6xZmLA;Rs-UEvKK^N@crSqff2ZeS;e9$vFw}@Z2*x>wLUo z+;o|-2KXg2tO$N16JtEmbuEIm8U{ES*C8fBV^TjlRW?CBPzva=!$+Cyz4b?34(7&- z!y85M=81%y6vXN1V;W6EA$!GYb-zLJkxg}x+SRN3u5%O(2Abn?a4V+md-nL5Nx%OP z@GsuUm4+Q(5444uyK?EMH>oDT31l!F2&3zb};tbH?eR3k{1B7mQ{lt_Y% zfamxf1Y6UT4X<*VxZ0Q&5l!QKAg84*wTDGXefPc zMlWD5alTsbL2c?KbOxc1mDdZyb_U|xu`?E3Vu7w}U#=auA^CIW8j2)(aZHh+xW$D-0yd3KxwF0PL&c0Osg?C638^z^{YrZ8H`RD-^yynN_Pdju z_a8=!Pe4)Mw1)g(nV^hCKhV2Vt&kSS{iUd69pphJr$;|)0)Y&EH%)q{`niYZ6SKS> ztOm>tbt*Iq>vBl)oM_{2Chbj%oGYHuk)A23Sya34OpGoYM5D%_i>#U4$O64A&*5$oSwgvv$aZch*%^(5bws}r;(5KsR%nE@I*B ztDuD2$z5lonE)$t%1b(GcJ3*9x}eR%i?^h_*y%)JKe*%(dTMgLAfpfKm_1^tQK3|F z&^Ls+GA}iw+b-6X$~lS>Xw5f&E$rZ(kk;U%I)_=IaGF%oz@?1u|qs zy|(#xgTWgH*#BJn2 zeU4#^D!+v_c8zI%OY5tyTNz1?#;W~q3@E3)Z+;oL6yq>ar=^C1#LHv~3>-w{tX2Zf z_v}J2)l(h}>JhNvB5@^Ml;N8%tM+*rSSg`^l<+g~rnkYOFeqR)8+a3=M#hUSOb4wV zLKa-PTxkF+Gf^zNGD&=iNe2lkb2sw3C1#~qjlM1sr8R?8<6#?I+l9NDr}o7{&SCF+ znr<5+<__;ic`aa{{R>_tkz0B0>L22teuG$zg zgs8Y;u}9EwxL?kBmPt}NsTuXCKeK>(Ea560Asg^ocl6ZA+{=+o4ZP+8`!*v<+}A-h z0wQ(BmsUwQ14l_xgg=OR@MO5aS{}CeKJUl(%M%+`ZnB%Vick;Ftw=DMK59?nmBuyb z=N|DJJ+*-epE{)slD(^7ss&s_ONP)xS=P(ieOPX!_L|I0aZ=y1tDMKds4tdD1%rJV z>Ah*`9>TL(67cor<@_EfA4@=Rbm9ZAW$lGGs*3PG___m`RnQFg{x-Ux!U z!TvX6h!%Z(gL#T-ka!RFVm3w{vJ1jhN3Oy)sy01O3nR_u)Co}6yNv3m;4f*^6Ls=lgBw)GcfFm$?Du>M zI3|Xl(z_u2KlFvs4pOt3jSNKeyR76uL^*HakSpVGz%?kaiyOou*a<6*%O6L(g@|I3 z+3VX!{8B=r_Id*(ujPxj{L^jyX0F7-NA{sCS6t93X?fJ(72K7xrEMSFRvXC2NZ;3ZE$IZH04!OnAGO&u(859{E 
z0Ek35?NZJcQYp>Ti*^>)!})QjzGmCa0x$Y;CT-)TzEcz_4F^g%68$|HHKQSJ60D2mf+z zIVQlMA_V<_`MH#5{ev*9}g!xf1x@9Qa&c@{jwD0N-tsf#Ue^|5NR>M^?g}ncD|3 zzH0!L*Z9NyKp!)EuoJImGV_Uezj9T-S4m*6t#9Wy3U92Z5MiYy=^aISKQYkWXBULpuZhk)r25KuMX;~M8fKUfR~yFoCfLmhEewY>vQxx1oKa+s zTh=uR@*w`&C#_zDbdSrul8Q{O~Q4;eZVWg9VQzt-JHn++bQd9LU|5YyDyTnnk)@O96{fW2bn9)(AviQ*OP73Ss%b^>Ek2iM?| zrprZ_(dy9vXP|mvW&C;p98wjf7l=)SzV;V#I02l-AAx03Z#7(IoV2KK*!y?B;C{TAC%d<|WkNNG@UnLmx68m@?GDhk5|OzeqNj9kgX3GB ze5OA{CGUX5z7~g8Z93}H%@IV3d9D%Zs_&149%#}|LSidGu~Q> z#zIJGHAm#?_;cvTE|y}ZfE@xAL9fcx*;!yuXlXLWzes3PwoRPmVZtsz4=Zs&3f^x@ zDpW*>0z^*QUgMMbsdzkvq|5P32f1IK#n*?9cD-6jWCe)smP5B+A)%EA_nzXiighAr%{glWM7DIz!=l@%$2 z#Ql=mpXOgxEd?1x*KD@!cNHFgXty`p7~aAN4A}iriQY#+A3O-`jEi4mEID@zLyOh-*bupZioxMM2gIX+^xB8d9je^~{d(9vZ3Y{Hj&G^(c9yqhKj>Rzv^C0h1IC?;* z-mVXbjP2R1G6L9eO|MnL zRhzjC#B_4y6R(OUI)c2seCjnK8<%C98g~050EicO=%j<9-tG)}FU_3)eF&2r7n?9B zGe}1D`C#=SaOmz18~LaanN)r!t*6v;AUv)L(Ja@;hNl19W>o~xQHc$`@rIJS8~lPb z7knyECSOyMEZKRmk#Bm)1yCt=*0Gk2h0a{s&{=wyp@y0h=w;Dh_ENzZG zQQ{dnY4!~qIV_gEP;Th<GmfNG~ zX)3)uaA(5_;e-Ab!@eoT0RkEudpi(f6L%mO>8m86dA@qDzJr|Sx1-U($-gVOmz@x#hj1Cy(xYs zjx|%+MfY~GBz1<<-)FW;$#qET&ei6qyu31+&~-tE&=5gb3p7K8?vCzirLY3RCior8Ym(bC0WP{9xJr2~e#hj$ zy?$G=e`OZXQ>r;)6RpPO+JpY3HnwI>Vp;-s3~~)dJiB581}y2ziu4A_6jGX1R#qK~&3=U` zYrKHdL7C}fr6@PyoL_L0ZE7iAS{DuQT8xKJ^DU(MSXc$piU?O>3IG9e0kqU*_2xKm zW%2K?b`r`iRMbD65`HadFaBy|$TNogEirnx0Rd~WO{DNFyP-wq zvmrPubpNM!QUV?Wj*{p}QY5I$^%>YEACK8u45Q)XZe~+Q6^yiG$M-5OXVm`2kYfNm zx~DzKXTJS^Y02EG0hT3w@bWRfqIrVG###@CXK>ce{L?(F!XiDIRQiMyNAT`F1Y0TL zU(y8Aw4Zyox8N*&e?~7t2p}5)Ch-IMD@IEt$HSu+;)msR9TuOLMVzD<1lYc4nMTCA8@@P@iGq<${J~@ku zbOs;@K|-pp3ePAu7xo@z=Q@7;*uTHJGHX)70IZ-N3CofL4_$|nu#_P@{Xm_-s1m^6 z^|F_`ta`3~Um9MKsx%@cBM1&?=IF{_8E|jNEXzrlM_u)2MZcCWGx6oaJxnFz1wrNo z{bTx3rbF`hDn{=q>ZWivm)S{elQp*!L2^_UtI0Ov6I9CldySG$Zj;lnpynxet!c%^p_f& zxhuv_Q-Qp{V_aLZ7upvKDjIbNgM4|Rk}(@LhGd5%KuHbr1skung(V+THO3(u6!_$S(1R5Jjs zZo1GEE0%;Z6Te3w$#OB!Hm3>lSR1MrliPvj6$dLZg8K7E%@CW7y?pS?9Dr>_AxDA! 
zwN}7tZsTRY5!3G`xUTuv%&hcw zgGt7)Vd|xe;36{2@|2kc*f1Cqr;rj`FF=BT0VI}hk*8B~%PTo($%XSGKR(IbP>W1W zjgy(g>-Df9m9YZ+6nEJ*1>4o;cu!jdw|7u;)miwW-aL*9ECorP2GR$?}eklGAbwf zUTs7R?SISH8=UXcVpbncREGWk9iV&NiF$tPp|AZTd&S}T#QJZ+6GjmLn9p{{dwlUh zR6#U3bl4?e3WCI0pRnfM<9X^0K&2WuIGuJP5|H}$ws?ja28!An(rElh_;ROgxMMCY zv&76T>t~WO`p$iN`OyL-H97+*;2te9myWh0WV;3Z9Ga6FN<+0+7(mKfDRIS#uvtWxKHQ2(#R(bahBe845@ z=sN{2@Tl_f*)5859T)_wOg(+COB760iNmeg({qJu%OoGV5v?*oSD5?Bg4e8$?l_Vu z61Pr60BSuh6xU0m;(XanU1>U4nV&PC3eP)wgH8gM}}<e5Hjc+FUN+AS10MPU^0x@SUeA z-@6wtV_cpcIBbsKE@~rggML?Fm$5*F)J~)IbqW?7Ev^Ea>jb4N*pBp}5=dZD`W_s( zjf<4@7h>eAv)%`)h9e95YcG8-=#=j`tij`=sSL-k{^J4V#DV+HWPG(GMrf#1yfL6|T&T*BWDC;` zSnUlbJ6z@Wvz%~Bby52M8+@Tay=2vUGvb|}2RzQCo9~_%|9RC>9;>l%!&%ptlCHrd z)XN6x6*efl7>F8Hd?^ZiRLMog3~qNSHjYNJ832uppV)IC!^FzE#C4NEXG`uyocLEU z9^i76Fx#Q`6i4*5eN2-9_!=GRA~B@Dcv^ab zPI>6Fb?5?XC&N`5<)yrcI)+))VN=WZf*k%-tkk&Lju#jX9r#)LGYepG*7_Z5ak#^8 z$E+X06&q{VV|_ZniASYeqCylbvyC|0;&98k+HR${>{FJaACD-nTHY%9Em!X>rT|9Q4Up9tg{1&ZjMwt=C{pOPP zW@c7JSa9o@Bu&n`*M#P@gP!aV^es?4W1C9BGZWzf>1#A-Cts4mc0-*y+je9_Lzxxs z3ZdTKW;aq_f{9_eVNY!b>< zHlsTVH>u0yZeFoILPRm@xmFCu^mA>)vJgjJh*NBGK}7^KE8OkDA}l|Gj0AJY9^sJa zIGW1IWD0Jd6FZ{dm04-BM}-7HnK#)QAABAQ+iAVm&!;OG)=pr#yOfseJf|Yj-{Q7U z49NNvrJblj)GC7MQaz0N_A3iK0t1d$Llz`hL1i0!DIac?aGoH` z*HD}6#njhcv?l{&B- z?}_QeBQymFD7MfLU|=JDFdre7*x=Svhj!i^n4hgHO6)|d*60oSv=z9ar>b>Y&v2RW zJf-DSez5Ho9x=9!1F@Q6#8iupDciy?^zsl@Lvz7AV1xfw&gEgd=CD{#NmAvNTeVnR zbB)NLEC$y$B(rL=;c=?BTvF`ZcfgzMd~P}Jdqyaw$@&<<8?~dmmHH}jU)lMe=%nCm zO>3pVX6f66x)0V{qAyM$I;B@!uom!3W5p>0iW#zJ>rteM#-R83yM4BJ14u>p5-HZD z`r_omQAhZMGa3wXki)<+iY`dyc%4uQjU^rmbL0aqi@P=mD0OWR*Z#x8?Q#|R4Slk! 
zm*lcdwrYF#t}BwB=Ql`WOqtrTjBKnO6=8Hf(N{yx(IWevb&GfvCPRgcxV6NznvV1% zV@reSYP`(vv;t0`j}shc)TxVu)gDBn2D ztOQK?o=3Jkx5_y;^M`T~zqMbja`+yg8FN!M9HXA66O{AZ5LNv!2kQ|T95@Hl`a%zPW) z)h9>4tOfuxK+L}vDApN1FjOO`yg@OOz)rcr-qcoA7d%P2_I;LVj-&k@BEmZF?et}_ zKWM)OI}_+6a4JOBNzk-5zmxfUNt0D)*0u4RBivX1*iT)DMyEMSonnMeD41-GAl(vJ z#h8K=KZXe=Nqk;T2S5y!l_8G^0Bg1cIu6XE&h+>?3qd+?ilybEM0;vmbr6Y!D8MFuof^i`*HW^6fS8SPt z$wu@%mN1&xF6JAtYAEVl4Nf&KQOiP?wB172jNm!c2uNpG?L%1~f@T>m2^qXq_zW(9xRlR`@6U3X(O_@*mm0 z=6rjlO`fJmon^@Y3bkFwN*ri;q*kS5;#@1tFMZJkkSral-!89aEci9)p&~G@Jyqg@z znB9A`I4jgBv7KRL;4W5rggNbW^m7fRGXWsUAX7zJin4mLm;f`hK~z?wZGe28dfewD z9^a89CV(P4PG;W$O6X7iSs7Md|CnK}2S@OBJ#rgB;eJ#mT-)68c~j>6vg0c6n;8LH z-wy>OAa36SG^WCy$>2XE%gLGLVS{N{bj&Z)p1CM%M=p?=q*6hI6Oe_$Q(0#A1et8Q zK-7G5Qnlna2-~R>%5&~Y5t9M9SlJIVr7ts}woMiGvIaa=Ll-H*cd2tK3Zp5Fu+>xC zmJx+dDT4<$k5X+W$E-oClnkOEruiYc<{YFo8hH-}_pNxM16v<=aE=W2w?He}^3+YeIKqO01AG5)q=qax z3`;%T8MZNd6TEVlsNg}vwQzV!+YNJ_sD0h}tQG?>e{sHQJ%Cdg%c^u}=6^+q@9Qsw zluPyE@8=Fy{LE%Q7VuZ~2&R26r}n}fCzGfD9mvb2IQ~^_@U7<&5&K0bRx7uvWRdl& zKa?NELeDL66_#&o=(2b$4xIcKh=AU~n;UsRTXnL#CVlzqKziO``%#dOkI3!Dq_0b# z?`9h4REa`plnVO$GK_C-8Zp<=oxWp;P&`sAj#SSpC9Vb@>m64Ben|N^A<_GCJF>|* zyrOCf)z)ufj^#+n*k`&WWUjQNQcdEK9dWk%Y@T6+Szaq~59ZQT0ckf+pIfr~8gB{9 zA#eRBKLQGgRXg-ls%2G%AXapMb6?o^Uxaqi`)%%&2=y=*KI02`(st4YEQL4d=LHE5 zwY~+xzb7%reLEM3N`jPNs=A!CQYXdbf9g~2~$#9NMBxp2pH8cTN@H@DAtbmI)vAK`R=f8?(v z&Yj@{KeO1KH_33n?1Nw4R@3oVuTJEf$M`hbtcg%Z^TMzU z6|Qp?@}XZj9&RPwCqt;IEF!|vrKY=gYk-y9EXuun*X<%ZvK9{{85x{|J|K=q!68au z-W;8r0?pZ#wVWbkPG)RVxjhk}pXAhLIK1=cn07^BH2uX+4%mGB$uuAL9Kc#bHnj=X z{0!Es2Y3YW<2fJQ-;S#ai{bfUci(0BLqeal2#X2>#+d15Es!n-s$)F*Z@s84(gcLm zI6k)`aL(P$u71x6#$tZiUd+kqNB6Fyu(KBx4!j-tWpgJ|tcwDLJ&me{6-t&KgfNCY zcr$QXi6RfpLnxGD7@{^0iNg=Cz^SyjBbtPBiWzEDlMKBnghmZ{JwA(vcj$1VSbNrT zO@Y1RG$CdADqUZIgRYdHPdA5DARg%8$4=^-cXBJq71ZH@WDY?`F3?qGT<#A#dybk& z(E%2s44#kx`v@C#y`}G2+-V*$xK%WAX^GcI-&whqZf=Q)Ml?I{Zs~(HR4(u#*Fs*JD7}o^8!%5Nwp81NpM*zR!6xJtAA#v7cc2{U0 zm++QCy{c@#Ikmp!nm}cSJdI1dr%~2J)tT#ZC5nr9+4oScYd3D+vC2V?vU?4G+TSQ8 
z*g-_nJjPjvC&c>D0{dV94UR0Sq=X)sVua`Xadol>dT{FVA3>)Fan+_;?34QDEu{v*X6E~DA&Xb}@7N5-!TmIU*Y)-awGZny9;X`yA)oPhvz#2Jm zk%muuc@lIfpGA))nu56FE- zFv&GxEnNI8nb&9AT0sjK`&V=|9v+iJ<=s1Omu9$r-|}1~BvMUMuw(@VRAb%#u2HF+ zM2Qf3v!8#!vs>NC^`B$WF>W7L=@(hah*M0ITiDKVQ0K4i2bj&1PlEoa@m6dpd?43G(2o?r);*>sEsqITk;%pRg_4)A3Jp5cEGb(<7 zMurauaKB~&Yt|Q=6U5vS;MG|U{(0fg9;x-iXNu4Z6s3lw>lM-HAQ_jeD`6!$Jiq>{ zeKwDer7v{C>#da4zZoXcIXWHkgq`5UEI{^NuW!*DiD>AxGu0^P;Fa~y6*MRcwU&S1 zdA$!H>cvd-5{KEDb5PBcCo+BxY}TgA`eO^z`2>Rx%{NDm@!sq_JuQcUm&IRO;C!yc z>InNU_l)DFgU>$S`2V+BPk%3~;T$$$S;++cq=EMC)I$@#scswI@v^}W6AzdHWl4`d zlFf~!2CbA=hrkg1JGz}cwUpeLD}z}VMn~Ej^&LuHBxfcLUYcKiZz_FT{yBJv-7WW6 z!H{-hD2Mq>sd)dt<}wBe#r-T>is=PyG@~g5b>rVD{{T_X$kC0j9xAI@SPlo&06Sfj zaq#s*R-g@R2=!DaiV47!GyMD6ORngj6A&9Ey9l+qapPyIC5?=om6m_<=)F24eQFc| z0Pp#61O80tY-}~wGFwiXMF38i84@{qC$gM>1Fzmy;aHsTD%~nYKu6xkN{@dli26 zzmQ+g<%lm^Au?cu<9rSTF^{V0f=_e6oDK^vv+Ukw08)Z#D&R)ktm|^VXcouM`Iq(B zZZX+^c*cFM$aVammkAQN)nyt(&{T=dhSDI_^h)xDDrTD*0Pbt8F0u9fIY%DX1p z7c;Q9-c(6%1ry<$pI^7{W0-lhZ*KiU*rdSU*33Unj&VW~dVdBp&81|^<~BI{1DWQ< z4J%-MJuRe;EJ{$SF+IKV(<1^|mUmgf$qWn6YwNu-7KteW$>QB0Pac%tEaGJ<@W53LF% zTg%B5=2s8vCzBx%LTV_2PTRIDYN<9z%{PS9N>eostpqNj4^t={)d=}fcfsFb9@>mU zAu=8Nc!p7?!A2F??vw(9qp?M#n$Mnj9E5$cwI(?gw!PFeCUVri?e{MuL|d&)smaJN zptDjfNKUO6aZApkv8}Vhq63-tV(qEIA9&LFl3sO3yU=&;`paLvO#*T4>G7Eo@syG& zSFdZ07hRb6rN)2>wgbr__Ff0s#|Vy`^Id(GF5&NO-nr`y>&j)*?bhkUX3r7HoBu#H zQxpq<3^LLgRg|@$+{ixi_p^gep5)?%{OOzikQGTpx$rq#4hBeikMzJO&1tPUgB zs!rw8;Z=G?%i^jSfM>khj-S@$V7Ubc-gwN6I^Ol@aUwo?5v0x~qLl&tozvl;zsg3y z+#T76?l$*jp7v4n)EX@hjLoj<=0WjJDokVCbD&m}gV@@sjV{fzH4sbqN!3?&HbNui zX(bmmC4>^i(KmpyI*5y7zUUV&6EJC~l@_JFl>Slu*vNB($P!KpW`Tj+d2m=z!mlXY zW~()CcXh@)&AL^JniUJOz)q(7z3w3a0|qAsAcVx$0u_Q6%*4W!$1^!XceB2=I>PE@ z8@u>7RzmNd930nY;e=)x$qirx4@r56kEa)pPDqhnc7-F(Ao4zG29;a?!aM&NsWQRy zNqk|B3pJC+;QIAu{BF5K*iIR-@zg=jR@p`QxiB}!a6`s$ePJIMyBd%@{AGO^3W1TZ zfz0Mc<4Y8%_;5J6-00P~5E0nfoE^uA0K-cDzyhG@4~2J!e*4Uh>w<91wN57ThR^R} z2%w_@HM7ANV7d#TfLyz@y7I&8O95|vrxUE~o6N)CcTi~2+MTxiJ@LWhhNep8SWYGs 
zGNTQ>!p#ju+IY=JQ)*}$!wc&jYsZ^c6z15U?e)ZC7F+`I;hCktO5IC)iIpr6Xl?ua zeb92h1-;fImTsxH=-{mc$*%h%5=^Y`<-!Z3AwQ5%N*vzZA%>FNjh5)iiqHuhFcTU9 zhSI?wyL405xz{JeY%Z#QmMKBkJdxF{^PaM0k0CNrKMGTI2t;iz^{5xL=q+&hVKi8P z68yEdVx=WwnF}1^8-4jFi?NepC(zxJc95o#y86PL0SNsKkK2|=zDgBvrPqF^Tl4py z4Tdk>=&Vr=P~O5sKTTMa${a;ky3K(7+#f#xb`N+NhC2KrQ6VRahPEVIIsA3G7A$?h zSyM43F>dt3J(EfT0UT`5g0&qJcPtqB8@zpe=i2m6Q-!D6gt3x9@nNf2Pq^cPP+EDyhpZwdCDYx z^(O1I^PI0iLeIYctmCY29ES>*G5XO-KO0ZL$&}<9e+}Q@uiB6Mz{6!C&UDnnalsR% zN80WFGr#jQuoqE#Jnj%y&OwsxC!Vm#7~WlHoqzU|qmX~IF|SM4&rh2^Z-tKJr$~)` z6AOH7m-IYJ3vTL>>=hq$bcE&ZTGBk(J&%r>yTJS{i1ABHMpqK$_lRhL z2joRO_uA>J*Vs&?^5GWpoWfHtZwgL_l{=_dx^RO3_!=V2Rq7m^MAD}QM~I{GKKyJk zX>6r--|}|clng&mkcIkfi64%k8>4+c^`ONPaD5db))MdX@rFt@` zh@ia}%w+1^&BwWUy^htz$9v)QpQ3vgWj_aeG7a?fo`j7x≠iLj6Y;*gGK9D2Aj1 zqyTOPpOr&RWg`SBDO3-CS?TZO&;vK;<+y`a{uv+se8tRKa22KLT34xMX&i=nC3rE? z(QuXp;d&)SS*R8`FQA7aWAF{Y*IKjYo=k-zSRe?SZsRlfQBlOSAW!Wi|U z%5mbEtD8G;C7zdL6BDi}KX#IS?$=5Skk60QW=T|AHaxrD+HwM|RtC&K4sw*RFj+Lr znZa&vtm*&~FJ~VH1QLrIa30o4+>jT~vyC8QIUdb}QeAbvaMxCptavk@5(=_h)hW_d zK=nQyC6KdJ;ak1As4O3kk7j%GeOd)0ugi<+Nl+PKl~wfqMpCm+M}I&~XayllafOLT zbmd2c0!TuWbuGw&byh&L?X+F=fkhIZ=D{5P_=~xM#RWgXnS-w;u~+20DHPn<#4d`J z5EiHR(@WHmBpR=T-nm;O35GmD{@8GcTnC9ik4b0X*0Lk0kWRRGCT_=J=hGD2mn-ZL zTps>@2eAWo3iR$EEqt^sYd!{>v*_ZUri?Y<2PI6TX*=4(v3|QFMR4HcqjA#U)J(J5 zf7urIXKE}HtE0|2#-Xb${h1pObDn_kbN`?CiW=gKSHyWg-9!O& z-fnEx33J;}nmZwrm8hXCF!bj5WbDhA;JC~3;L#}VAL6X3~2xp^#Hr9neM<&q+=E>sxh;r%Na1uhD ztQoC~M$f=k@{uj3BmN;^^W|8%SeJ&V##-|SG>(DYZ=M(*53@sm?H8kFrR@xiD$*9? 
z10)#k(G|n&)QI1GSd#8%1d^?73(Z&xxVyu^Xh@y6k$j@4p`w4-`7r(VjWEN++2xca@G^|#}49@WOXZ&%+TpsF3cFnSI= zukKV_aJR9Z0pKLLkNiQZT}}XbXMr*?M-;Ml(92_!uuB{gsLP+&VFl`yn<}r60bxF; z)^-Hv6gde=Mtb%ei!tR^c@4X$oqQl4p#ZIUvDeNf-)I3N7|%oa)4ql(r-^Mz+`#!< zz_|XcL4LvmKj1-|c+Q|NfHIbwQ6iuftYY2|&c=60yXTYa#+EwEq}UcAuU476Xani~%$eMTI2RAPg;zuJi3rY$oZ~d!SG-6^~!V*;S>#vK2Nr4>W<$Xr}c~BvD6e z+!+o8exwQ&G1fpqG)w1A8u<0;kSh3#z&oVKG~Un%;bKN?+-V<38!n2x<52f9zAzwb z?gDsr^UnQSpqMLZA3k4aI7`%{$8vH_~2Ky6tSY z{#=(s704@RW;_u!q5iw>XTReL(PsJoAQ&(6FC+8g9=yEKJhsvkA~tPe-m4(f>=Z+^ zmrZ$J5OtH&la&qnN4iU-@{k`wmt$;8Apd?#;@NTl|2sl0W64X#lU>ZX5^%p^KPB^! z6ca^w_Hwr2vA1?$CS+7 zxTTZX+!2y@wO&gxpcxngGv9mQJdYps?nhFG$gdaak+Uay+XgYTe%=G?iy{6Z)-4yzm#Hea4^=vks3inAsqDnugA*w*``1fW*My zBG_DO`&%=^2HinOW@IeNiq9ywn;fgRt4*7Jo(`>--FxO@@y>vYjsd6Hrw(;UD!3rB zVN_0=uf#lxRuBI-l7zdI7`e_8sX=)ZEa2kmXYswlc9t3CUuJ;<4Rij_lDXm zbcTH@*34jv1G&i^i;D6xSJSX;4!=}6G;IF-h=y1sHTHuqPT#%;XtV?+Qp^G>qf|;m zDr%vPK+T#EvfDJt!&3uoQwEM2XH|gyl`hTh_c+}~?h27R=Ca6eqlE>L zyN~n-zo=>M3I~x~JQ05|s>$V*oBHOYDuXE}O*t&J=>^2usTqg-nW*G(E(=V9;#74RcDDH{ zK^3^e>Xk^Ih7eDH`B{?wk~;=(oT9daZMWf?#&TY@9p4`XWY}5!duv~}QFMTEhE=aB zgp=E?cr3vSrWk%;eD6*q8lFY|KhHO+_b!249MQ1r-P>2Z8;_#_qNjYxb{HvX@1ya{ zjsevuUqgiiQT$>+oL_rH&8#d0z5fJYEth@p*HjKZztU<8hKh{4%<+UjzHcX@G`Kjh zn;}g?nW8<*g)ZF_AFqT?izxdjzecKTI3i!A3OvKh3bqQD*3rur?^}|VTra?r1z?V* zJ~1bSE4FP&HJ6guGqS`{y<7TBy|4@%%B3A*b#VZRK{?&z24{vBG|GW#2wd4HS`el3lAp6e%t(G$z8azs})*ay`j@fqk*ExC{@2&SQkcec;b7 zYG)}6f3i??4FI;)?#;UiY0L3&e<(f9+;^$oDV`9DViXVzXwXO8^t z$Ho#aSaf;gF?|PWO4%uq@M^HEBhtD2CAk00#Q2!?y~lXEDjJh;;wj?%c2H&x_>$`0 z8IZ+vZ`1Xie{41c^gRN{jZzxy<_{i+>e(rn*5juu&$t%XL3n z*IWoWb9g2Ikz6-@<67BOBpceAZjM$!E^@a+jk5Tcta$iw3k$FrBeT+xnks7*)hErV zppOqRQ*6fo)O4M6kc$0MMTjvUok7%uD_lOyrpHy0m-*?cD*jzCT5bXt$0(nAA(fCAtKd?3#-%I z%#-BgzHiiirM-*ahN8lpr?E(b#77TZZ5RsIR-315`(=OB%-b({u+n#{nc=n1Eo@0b zZr`lhk-8Kvj;@0H3LBqIMk~v`X0`?TrRUaM@}udI9bg`lMmU4le{}FAfP3B01aYEI zn^7TT8b;fe1J-w;ufAjUD~%e{=bw8d`9VK9KuqI?IO|&bNufg_wtDEk!#b3{-YKJ_ zTy&I0D{M>K0mA3_3?Cg5PM(`q|34U5Q3hGBf0gF?h982Dc&f9Cj*7z--FzAC9j>fu 
zSd@NwLbP26e`H5$K2&cdnkcFV+}$TkDQhUirmjB-dupPUuP?~fBORq?x!fj<)2 zw?*}YGI?2j>#qxywh;mzARVj;NBcyQ-4fPCM_>fpjzB!N%z;)wDji5j{ce^ZSZwe! z)Ev`pJ%Q}?v9S57QA&$;bT0eYHGg?ovk=(`%PdlIQX#A*ApWGU<#W(ak9N#*Vh-s>du#n~0SNc@Bi|m`afefi9LN zp(zYfHRNNs;aJqgdGI8##D;^(R;cx@z()T&({DsV49(lv={FYaYAW;Y4x$ui2W5ej zSqi7PV`>*%?P5Z+@mz3w&h)=5Jt@2xF7+QMsXPYrjcGsEe2J#&)$G{HsY1LDu;XZc z=Q==9yZYHi%+!Ym%G5>Buj=NoF%19`islDBSM{ZNf$iCxRgjBpjAK#B;` z5p(b$K2@P9%J=VxL+rs2O35R}oxq(nX;@KvMBUhrd`PBX+M&@G4pvAx?8Z}#HCBDz z{rp~Mf@ukIdGJAC5$tUWRwM$SqwNO(VF@ad*1NMTQ!YzseC#+sOza=r5%^H<5!)QV zt!n(T^`4S?KTt34zr5UFIOp8v-bB}X+2N#s*EL01Uuw`0tD~!Q&>iZ2zoJtfd`>vo zw^dJaY3uXVDG8tLZ4hfZ!F6-n$x4ts8>KIScF+v@dei?mVC+jbpLWh_(3cY7x*O@ z_$u5Ub~qI7%C5Uv1K~CT=MGD$UHpc77>PB;M848Y`^Agd4>F#97g**JuJsx8Dks8H z(FYu%>3u*_K_IdpfDNYnZpX_Fgkkfv%SYYjg;!vK45^AmwMQ^GyiQwnDQOE796GY0 z(?JT2dvneWw{#zZB7n8jkB+vp8W=ZyKMu#^Vp%`MxA>|dba^bZwe7OC9WbtSbQ<~~ zxR(&>e{AWXNOQs}K@*j4kuD(Pi5;}#9w#8ot9hZE${9hVvFo=MJPp{!YD@@74lMZD z6pZl6%hb9^Y<4mPyu=G(i<{XGP8H^F%Znc{2GM~j_z}6cBlPdMyE+j6tmeM8wz|to ziZ!&Ei_^U|vOLqb;L-;Y{ju)9_|j}|jSWDB^)LXy#D(l6d7p>Ho~;j0?zr;Mkrv~3 z)Rbx|n2Q~Ygw7k&h@gGIhvq*VNdtl!FbE_y2v@^?uTSCXA-ZY%v-&AMW>VW2AHy`j z!@KS&n>>!R=N3b1as5?342(xDE1?!pvSU12{83JHy_RBHbTJur_23&CG@YjCoLb_G zqxRAZC#wxku z8?;0@Eia@_!^g2VFyes_JNrbFJZ|1Cpd0zaAQvRX14px{$9Y5M+0hh+z}zieIKE80k`lZd7Fk63^POH);`i| zghlvfJDG=AOcP_9DX7eUTKdn8{}{_UjZ+-FaRejtuUB9-AbkQ|OfZ;1D$zQtk-<|f zh|LF?liGo|-A`f0bBz&EGvXPg9a@M0H0MF&AxqmTQ&!^sY~_DV;1AHh3>U?}%m z%&;nR=bmnf_23Hoqo}fq`Af74Ee2%)CNMZlT?1tDR^u z@YszX^n>MyiN~&|0HJ`sIH~3ra**YVRa%&Qy*XR-

    cpVGR6jl>zBODI>6EC1X!h z5o0ODV*Sq>3!dwc}9e5tKDITEUvb}7@x-l7^fiV^L6UFd5 z>2=zyVBqVH8l<_CfBGXzCM#tF)FK-N4e;rn=_A-@W$0?zFsFJG_ib`%sFStk@48Q7*-dvhs<;YxTn*$%1%)=x)^mTJH)aw5BZ@fOe| zRT?+|;SK2u#mOdXMWorK`3Mq^{qI(lmc=pXm?K;2Nz(yNcl2(zBRxs= z?j^n>8#|56{1h1Q(lnZgSO3N(vvnd|f!%h#&;V1MPdg%HW7y>1Hodkatm(cDy-Uik z45H(1oU&S9g5n}})29ZzyC@sDxM5ZdjPeI1M$$H!$Hm-)y!9?xLmEpSw>a z?`*)&1fIma&NR0{g?qPI5Q;qQq$B}EA=Jns9h?7Z&R^2)T6L>}9G=oQE)wzca)b}l z?$S^R80!Lq6B#Ql;3$ZE@B8$JGP6r_1%P`*zdk|sdc?_LOdIvqf`!OXyZKQ@5GPAx zI+8t&oYZs4Qn)Ndz1pD*b?%YeNL40g2!tND%@#sNg!Vm*`hv~_0>lVHwS zsT`WxRb1%<;i3$wXa}Y$cdEk}c(m)=NDV^N{a$?=O2siE0()E#3l}N{!`!Eq`qQ86 zJI!-q&dIU$xJMg3+Jv939z<-O!=@Br6EC*xVpIvQ9vroLBe9GIB)2|-K3onB;aIlk zUCrtb$+}$)7G(D{f>hXdqrjrW3(_o7n~P+l@b)vnfWTtGrHz`&cs4)__0%oRAGtCc z`>RSl)zDQyLni6ZdCS`%CfbyKgr)`%o=?AVb=?<_{-)SNCA15}9cCziN?%*1Ie=N{ zb#*;!*!!s44_2z-w+|k~P_h4LA;Dx!oy6SK)(N`l8sc+-XY{DJ`{zigXf zRLSVPRo@oF!}8JT8YhOJ+mW>93$;%WbBnAUJ}P7Ee~Hr+KjoCe!dK$CZV^BMJaXfX|lu`YvA}& zC1%=!SKH|1B*y7_E4+=2wzK@x*N_6e{$4pKjtN>@UgdY~Bl0jI*SNyYEld}fe3nG0|5h3Y$5HtsMz{oZ%w2@8Qb-r`IPnjb^GZP|x zxQKc7niKZL7d+9pDFim(IFTA)wY4d%8bM?Z9G&7@e=H||#~{~(d)ttjI?%kkMiKj- z;%$A+&c2POJ{*PhKi!?E`a{Nt`&W_qp*%8@Il_Z&2-0=+($nQU*pw)1uRaG%-p1i-aX{? 
zLnW&&)8Ow#M-W1HY=Ks}MN*?a9q$1!QVaxss7ReQxNR)gldX^5-JAm5=Jj&Vq6gg) zi23&+I6=krEc(+Kv-j2))cSk4CuPZtKX~SX!33}AO8_qP7%_4?JCiKMnOF>VbaV*$ zBWD9q7&Z`$A_@)oHUQ;;!CxZ)UmIL56V^QZ%l$SqNk*e z>N4%Z_F#ZZi>{BE^X&S#g3_FNXx1+kkqk}Lgv!&X?n}XD1a2x0;dM6V4s`d6o%+&P znr~SiR}!DkLx1`-)VSEi5kB=o5uP}9ECclrpH1Ka`7#k3J+|bEs_aI^=GCZic#>D> z?njd{3F1VJiY>{1S4Rp2mE}EWYG$7(=XmbcaQ#g+=V>}n_rNY(aUKbz_Ua|a_Hwtz zu09PUbwShy|K4mm*hE!kQ(ki5gM($0VL9)W8gFSE_nrHIjF%9@_>s>Umb;%cPfA?* zDewFXJAA6|FTaU*wVQ&;(RQOK*m8_}5i5jdk~J>4&B>Y4MZ-^*()V4NZ2~KwPc?G{ zFFMsYT$-##5&$w-2U#h_8MVG#24)|;e*1F89Nbbfxf-->dF;Z1Y6D89o*&Rp@2VD@ z0%&Q-PF#g8dBYlKMb;tu539Z4I=&$e9ASCDxtd=0{IMCj2>_-4bj&y(BI;d$sZ5(QySDn>o~9I% zEg!Wg@dpK2iledcpPQl9O7>ae7#qWq@Cot$7b894LjKzXLK+gkhhR*lg|S_uE||C$ z~@*^q9Fr%^*GscSC$($II zO4C{iUqVhSxutneOT9zr<3vuzgzz1|6{VbU2xFB72(8k|!x`AqE(T_$0H<@9xaF)^ ziZ_V;e8Sc4b>7&;c&kb(^|II_)dJjt@`&dh}g%OSGO^%j0^pF zE+*l%=kNWkCHN8le0IooW*dK@(n;h+!W;@kqu^BS=p5)H`sJg7I*rm9#%_HI~YBJFm4DP-W@P%ZwL9p-028P@s z!_V(Qn0g^!7`qyiMDg{up)1vk{=K>1RxI<&unWzwxZ91yc&}S`O!SLjosP0MI*Jsa zbL_7y9bK>K;A|TDF}ZW;IuIgudVWWuaI^sN&%S1U^T-|)Q@;*@iv-%+XS;9ju#s`s z_n*PpP$ED}q1>obrDDxV6l+sWiWs$rU>A?#&s9ob5Bvg*0%*9z3LajY(t=*E-iuPs z)T3TLSM?zFt6jI3x2z6U9Vo@kI+hvgF}Vk?LkiO`zd&x;>SxTGTrlL+%9%ZsG*aHY zoJl4a=uAePd?Y|0UN9QR4PBdl&8L&x7sDYBwjW+)rbVQ$<-8Nqc35V=@?|B2m_No& zIO=XwiBGN@F2-O0J*SPsNF}17lpL5*oE*n~NI%+=kMzL+`M$g*rW}+$3glkv^vzfpRFrc zmh9be*x^0xc8KL3&_5teB+^qEF536stlwpoBtBPiNh#jgq$hkw zW;{BqH1qQUIk#WXfe+rBB$5z=)R!@RoI8D`p)OP{3&T6Zg^K+B#lpEzrRu&BFP`7% zT`fK>_4u9`mBciEkdAwW)xWXPS)+-$)Ac2gPQ^ez1_u6KWPg|Hj^p&+#}9Wasl@lwQ@~KW*Rb>eAMV708=farbF^Tbz&WkE5LBpWtwV{7C zYrT$Plf(6+>W2qccW6(zHV%RP@Pk0AYeOfmJNBK_`h-?nkeGvpw3cGl=1*}Lp>%l+ z%m=ycDf(?<0~a3ckjniYTRlrz9H_@&_Olx1e#N4af*Ss}w$gPw_bw&-?-jEQd1n^C zcb5`4WEHcyYMk%L;|BvMdFzRGVmW7tVGfTZumqi04b5 z^dO~uj^kwVQm82Em=v1XDYhGb2=PqA-`qO6*iZr@9Y>3sw93S#e}A47dK2=&GJ%+e zGagw>s7h2R#?6*k!`(PX1#Cpp;0%%1onNRCte*l^F=UChOnosWp%%h?Z4VYdFH;4N zAczJ7zmf*wz#D{S)Z3VXmIELESi(48u(%RSVCY+3GrV8B7)OpFFu|dc_WQ_C<7G#- 
z_|oDig*Nz;3~oO@Bghr%mXtMQ4kTHC#=aL-%T|K&SoZecewI#yJD3Qo1Ld-)xCE?o zo1ulbZ?_Zkc#l)UzF0puZac7q6nP^n@DM_Vuq09l0h8LJJ{={PrWk zj1jC{uf|IyRcZ`%?{%rXo$^Y|Neu=q(NyE5<(JQ3j9{?jnyca#W=YJX&}AKu&AyFsCl zkTtwRW2dADj=KJut6#hZ&7%06;V8S^hh#C>EHNU2>qBlO?&OxxCPAM|6NLA z#K&~UC4-d|fEaJ1@qy(>BBKe0zyOul`|B?G?xr%;7Qzv7ZEUA~s8pLEa}?1(pdEdk zL+*Cf^Gi_@6lh7vE^yB$1-k8_US0 zaNd#1vVp3DEWQObBI9WZ{cu2vJ-|Vkfg@w=O3-aH!(%=&E{UsUy~M8I_;DYKyqRf4 zX_Ive3SP7$KMX(TTjHyG0dwz6k|)2TZ4+*v+5f%ps`Aaho6cUfkrb`y085K0e(4u? z>TmdqQn*EM@SCYAY5gdcn)L#?#`6ejpAZHUiq0H^PF%NZ{zlMah9da9qc>J$FPOQF zyl!5k5_b0DBNsT!UCXzqT!s0xJU|1R8?|J+#v6c^0XXF#cDx`%b#nxszs8;b zNm*m+yK!z2*7MW7hK=JEP$_@uMBY}C7sYMKdJAUB&3cZ_2l;L+d3P)yk0BT!3ZF#D z`X9Ti2>kx4@b;=LX{+l7NZVTPi~Z(ViCw2KCB#4z$M^oK*$I&0I{4^5J-dM@3=uNE z&VQ#l(BX~9;!yj-zAaa$^#%3*oDD4?L^7vD2I6(LZ(WFj4lf_)u+ zFl7+IprzC&+Udz7jZ8t@n{}4POq&4*h>0JHolOTb?PBDzr?fcikh1Uo+oim8O@V3iOT72gGC)}lv#71D{CISGjhxsEFC6b@iUZo zyD+0Qg=-Ia26o#$s_Nc_>k`GnZge-l8*t|ml{Ys8wqBg%#V4m;a(!8i;4+g+prcG2 z`r%)km}6`A*Qpp)xN5$m0vg6`6;1;!+l*jG1R5<9qQge6^~9VHP34G}=}8xGa8<-f z0~d-)cLgr&-&q1^V{d;Q6NQ=y4%^<&*e}JT9hh6_Nmi<>zu@3j)G zk&qEm>27+MczWi_8h}W+`42g4t10B4j^|oX&bjGJ`V@73JUR7IzAvyFz;J3xSP$Ep zJFG>Tel`2m1Sk0n_^x=iyytnnck$m!E@7ai8Cy@G`!_NR^OIF_`WUNc;v0Y|Nhgx=LOj8em z!Uz!Gnw_PB1+tCnL913fPXNZlJJ5sUW^suPh)eudsmsvA!FnB zJcFzpV{HCJdXZ+xXH3=d>Dk4F{}{iBCAE3U=g?6vs~xHFRc*%{Qn7w8s~!Lp^}@eM z8;8*v2V!R>4FoC>{lpKMQ#QD?Qe$j%gjg)v&QOY9^v6`wNcxeTQN1}rdnlDalZk>X zLjc%0HsCaif?B9+<=u^EydJaoUz2F@C@<~JZoC*=xtU`yDf4#DycgkPEq1c$a%`WL zT9J`lUIb=oe76WlC^pL0paWo+%o0ph%uXz+H$=T09{WhC)_JP<4^*WcPR%_9k;rS`h5(qrL&9*qiJ{q z_9(__Pg<=|kn94@6~y8_;GWctc$#t~&G&1`YMs%y;7C4Kl+T=T`l9vKQySt~2%!sI zkc?p^bzSq7zY}D3wwEm_fqc368;+JU81Meb646;L7>|N8phJpS<(uegHE2ard6@)8 z{=^3@Q!3{Q&^S4uFuZX}JbUnA!8S+?D)H<=+?V)}q*=;MzLOc3mj(!;k#9jg*EPx= z_IczhiPrUz^8#{M>dF8=K)}Dl&sn_X*NO+5bIMYi9&#j{AZxHOJ%jDiI^k}lLc0Hm zJc{K>7%5an>v4J9qqLP`6(-&hF?@;44OB@oNomS+$6!>&x)*mDEIL)yUo)R5eE9pv z;kHWD0O1-UGqfVe1dNtx*A8qUu1WC{V^!K#G~Wz+Zd*CLF87#oMn(#%K+2|W7Pbq2 
zY!oco;4Ir!?2g>h2YkBqh}*yJ9e#paC$t3q`*|!E;|1U#h<}@mL}-C?68B9T?V$*W zdw^ltZQh8Nf0g^;c5Thz&jW`PPu;e?aQo!~AWzZu7 zM#~8bX-9!$D{vLzpLuLY^BY9z%a9SO7_P(x#5^we4K=(fV*Q43%LoR4Ub(FbePzf? zt<7W@6$->@qVZ6_4PXKE|Fo9HybWI}D`i#d3uGFP5}fkX7Hv~9T(j}Xp!(WFP6x9< z^7ls4?n!32v8TMz0T~|6#0G3}yG7UXXKneyg-6TI5L;`6!IONh?Os}?n5SKcQ_ekQ`qnL0eE}O~6j&Vc7JDGYki3(`5 z&yL7&f-la|S`ibk(1NsDlfhF1v?6gGQjmF;D&li2_g5G1vnWEe*dx&2#htzKr4{cR^$Y0+Q2g zU}XfLqYRe}vVTVLYQx*>2iZGmSh4EV*h$4-G;C!V$#yEUdBiUb91Hw7EV|gi;5zp% zQA4Aizltph+o98gUGQTye=iZ|OnbTXzO6JbC=QWkuRX28b9We^wVb!Oju)FDwyS|| zZtBm|PQbh+sHj|;BOcm+DJRY&Ry*zqAN5P74cz4>T^U3+nBDp^wbs@{i?28Jcx}oI zz`=5Sn=;Xc;C~W1m5+FzgPc*qz}GF!Cs3lSO^H@u&dKF%`Hb6+uz%5+zF=051^;^D zfwb`YP$M~5{J2IZ9IUE={)_tc+5J{>Sv@Y36vAvY1*6C~ba2VklULng{bIQ=dyQK} z-oGyGa-4XX?x)*QhRk5uX#Dr+tWiX)1Uj_ykS7|)GXog~rw_u=-yhcBs4uL!#s&*xAFk~~ z=H9Z;>`X-m4)LWeG^fcnohhYRxI*Np z>LawOe=g2IomMv|_Q{4S)g?UHcl&4+!^w+xDFh%{3bmTzh*`O9?a!p7lJV%b7`d)4N;JqDYHbsSCH z2mAdAxsOrFlV`kVmhb{HKJ0b9rL_Z9TR;}D~Mi4AUy%6K~@z+0PzOn2)7vj3VB2`HP z3(iE{NSn4hw4YGj51(m5o?`PX(rk@b8wegFj&C*k!@o)|9uRxxEPl5ITn@_dp{0G zOrFRKArKvX?qbkS$3|A5{p}p(tGHH`D23y7StUxD8E!5+Z%V@GufUlW|a41^^~1 z`7opL&5DdI0YovMJNn0=DpEX!#=~bM@{}Bq!rWNu8EpmR51h6B*y+Qp*hI+&{^QCx zat!Rn%<-ww6D|bqP{NR;-N&Si>CAjbV-6=ZMmo1tTc)E2+dC~(2sz`|)FT4sK>H);{V8 zUl=g_5lx~kM`B&Ie85~^+dPY^P3IKZ?Xc^lb}aiut^M@87bZGi`sQQKQ#Yv{TV0DO zrchClvi4+Du2GetfIXGV#pgU@RPC&&m)Zof4bGLRdpsj&?<2*<8g{$-*_HY}B334^ z!x`*eX+-HbQq+)krv2qbrF7nMkEdsy7#TibRU*P-HbA7;qs>(S%}8ulhc7F(wOikg z@N;DdCz4E#-6oMPk)m*5q=^_2uoa5lctV>l9PwQi!g`*6oss(&5Bdmch3CHwt*nbu zDVIT*_4Z!ci!=l4gy~J9C@~jzb`j<XnrS1Fq_=ko-vgh|3Qv-6>9f8G0=Ox51(`6v4q%!yk?VrG;c;@)q|6 z{TZW~KCR8sV;$!BUR9#=m=GvFBMS{aL2mBI=mXUxa#f1LcY|gB$a6o7O|iTYhOps( zA!wDNM2}~jZbegHpbO)CmjPb}Eip69W2Y||6TA4Eqr>Q6krkKkytYjImE1Ym05UsM zJGugyRb6%Sm8fC#nMEvnn)0o)P@MPEC_DG)?+(Ks5a-*F3>_&=oI89w=(}-v2G35r z8mK~U232Gn6wEhDPe0+~&HX8YBz`%ly+%uchcla!+tu?A+ z-!9a*Kq`aF7&jdey0*E|sqPI8>rHc07C}P*kLm;7ABnhMR$Bjl6OL^e5EP)u%zj}m`FAVOgwuzT#l=nHNQxdO9Qn8ghi^Gz7fKlo$KDV8Cj{q$sc4DW 
zPK;6I)g>D5dz)odVPt*I%(Oz*lawfR926iA>FhPQ2}S*+?67!4in=ob^_+-(sBNjFbTKLE*75AC{DLc=&fY-XG;LW-Lw^>7sX9qTy$V&uK2Xbd zvLj|7T$rWCfDF#IJkke!Rp{3fXw?ip>V%=uNw6-H*+%kQx%32w?I9MCO^MA7jsJnK;snEDK2? zhRaNSAa7zb2MQ^btKX0l)0fv2$xr(PXqEH&$bc5(6Qx7D`K_*cl>+FR2e46|kUK5N zK6fNZwU~P8%jR0G!dRiPl+o@Ne3@NocMN)`tq8qvw_xSJhItm{V?F1t{x zyG^BgmWy`W0Bf#KVcjN6rRc9Srxd0IXWwzPvuI5ISG3qDuiP+|3>$Sgj@Jk|H#Dgwbiwi^^7 zvI&fX+2Re6T6W}82^@uaaqzG3F{p^rrJ5M=#<%8TKUkDdr&4wW^n1M@fi!*?X4R3n z^PL!a>O8s&Pahw}>%1us8WB=3O$kRiupL=IsWP#| zs$OA~OTO#E&!9f zb6y8#7B9RT^+4^M!`mYEdfO0FGc4FpP-nDYDBVd}d>NzVmY&cuhf%!Nk>Mwna$>rAejen$4(S{G{@d(BAV>@rLb=6#3 zBTnijy=ME~Dg2s8^X@9yzN4$}I|r-J<} zG&j*tM4vF}$+uZPeQ9S;1RWQqqwg$tQWgn%-(r6OxUe4s4Q%Jx1qk*Gen>Clz<*!k z1%YlA+)7^vwrqH{Z(a z7npZB>{Q*mY{H1R&s9t=EHHd(ayzMe#aOhAmF8mV;p5>+Kd#GIr*_yKkF{XTl3}WZ z21s^zm2qX{&pD<`;{6#4r6RfJjHr;g5C(6yLrURrX^x-52&Q(lZxbq{iYdMz6)@F)DOz)y?M3aoFvG zlB!4fTms+Z~_UsxINKpu2gA3`4H1$3-tF$E{z{%U#LfeCja( zT{?q@?3MAC^Vnh)Z^J%ST^7d=!Xx66tNR-vU;7kSWAtwai=b(SX~HdTg@yHRyo*w7 z-WB9a*k8moYl~IVL<>Or(nkh<22qPep;!^3Ya?3F`V})FEb@ba58j0H zDD}WU-{c^jw)1<1|FiUS)-{gxfE5hhB-nAKM~eA$zM^f2*>O1H5?qSrx&_ud zZhv32uC^61$02xBI1SkIooExN`{>L9x4EbdSd(g<05M**93wyGR(o3IjS-hF7^4fO zoIFhh3AHy9+e8MxWeb%1ANjo1)m)nxHvKB1ABtpBHbuCms2x(x60^2%+tuF`Rmcaa zTIF3aJwUh$NFoGKzN>olgrbJc!~1%)fz%`l6;Vs(+qo|PjiV7p z%$lM@Ni)<4-F{_qJ`H%ka~|?mKv*pBB>0xB<(2kiH;h%OJXgX54e*>=Zs5bmM9CWV zYfP0)qClyW-DvPkYyBIdVOk%`V7zc?+<`ptA*bWO`{V&UFdl?xJ7za69Ii2nR}Ckj zIPaTA<`st32@sCm@^qs5c_*+6NGukN09~a}SJ1nqi=;~>WCNp#Fgs4oK)SiPxhkc$ z{-o(${twm+@p~xm^V=8lQXAY=*p>c>wC<6t?e0Cq#1diZtvUE~d=Q(FW3&9O3Ma;Q z;KW2pQK6_gPgN&CZp#R+8Hdjyzj<)k1ko;x<hX3T!7-8 zrb5ntAcX3fv&rM`U#$Eus(gUFJbp_BAs&S`l$`_y}wY?`|7KWn(A;7&MV7`J(5%n_iP3q&_~}JzNQ7(Q%~i%m8~`lEM3+} zofUzaG#UzOsH=+mIvMUbV)1%QQ0;_!cSzg> zePm#30ZIet1~*#_WWcRA=>>r{!l?VEJQtDv!&a`T74EC>eg|OgFrbJWLDFW$@|Ed? 
zU*;fYtDL>RJG;oKxaz?-g!B1c00%>a*9bb)?@;jmpo01wLvNQfiOG@nv)Ti|Akw4s z%J~}0{t**S;y9Fv%6_S}0c(`kdA&>3gyv zXDL&4)yTe(INBvXgMgRI(bWUHCpzmSn&ba>h0VH?pf&7n=)4SL%zO1LcuVzo?o)Kk z3yt`bNHI|51d^Mq1G3DmsCFg8R|&}egPpPMvBo+MmSE^sKQPYGcg>qX4?PDf5kv^p zeryS_V+h#?L<_kZ7#Foxg{m(Z8M}wWQfJCG9^B~`fS}7{XsOTWbM+gMR;r8H@wvV+ z$DWb#g(VOf;c*K3uNe0zGm55KHjkkjLh)&Pbq&gYkvcj%6NDGvnId5`MqYujm6H-u zLZI#qb>0(oX(5nyzK@{*|CMT%P7kL=3aD%%kNZs}c1}?KJu+Uk=6)^Y5*ICZu=pA@ z%PhYC*iaWxz3STcQsK|Arts_=tVeFGFjD04McHq{Mm8ZveZSi`^$MX+=a}}VD(ekRdkh)O+j5nV!?~t zXLG4O;`9S=7PWkar)_bd(uz1Vr~zRyEuP$ejRw3dWFG1>^MVfiJZB&hg&s$LSNnxd zA^=MQp0VKSLEh{lT#5s0;6pNibAfw8M+4Ymz536-s`Tu? zv`zees}5hJlHCuqkBIU`a~TQvcKk2*PfgtYcC>Wj1#MpTvlXPy3Jyms(6q#G^}_yF zsKq_OI}=(J?^ly#e!3&4NB{B3l+=8$+mms1d1hIOD6n9YX!mK?%_uzfeZI*Ki>w$| zT3bxJ9)Ty);Zrmg(T}%XD3VhetfP^-V1zK@F=vN0zm?wNVyaZw2DyDnP~|~{zpv0{ zn=2HaasHzT^jXmIHKsCs0!Z{0RW?5I=c2JrD@2yPadv6d|Cpr!$wqrj}%M6kBn@CghCze^sebFkFSN`V_g-r5V!;Q z5+@thb4x`T8UZRdcGtz@TZI{jf%%J+r6dbuCdH;lFv)Yyl_5UlgLuPGs*MncTPF)F zyj0#euqDj#A>m?gqdvZu6H&96U-_!(mb&AHHWD8KW=j~rHp`Fz#Hye-)I@ivGMQs( z6sbeO!?socXYZa5&IRrZSfe7^Y15;q-X*$;@tFdIURFTLsTcvAr2Pv1W5pFNKf|i- zyY5q^cUT0qi=r1olLZN?qAr4N zBjoMkgFs92A@41RoSD+QZs{z7o{;+l<~Xr{Cyoy7HXdaeUzjf$|rs zV3RJv|^Dm!;gS zPo%P?r>Ri2dQ(DE9nxRq{R768pQ+;j_9#L~VCo7QZ>D;;WpIw&Zb8d= ze?D|i3I>)Kchye*$>#(55(sbW@5sRU_ANdFV<;+UXeV4_F)4wbBh3VYSAlj&awQie zf@p79l^Z`@VWp0qlXcK&yg*gV;PG81IwM=I;rt5XlcQVvw&!sgbl}{=LmSx7T$Z24 zq9@I7j`B?LYJv5^NCIwDkq`95ozo>GS@gJPw&nB^9N98-w0*-h+sA4UQdXzta%*l= zQ&ArDn5E6m>&yC|#_T?1$((_E74z-7PPmw5$bLU+0V_RwH;x00xJ2kNUF!sK4 zTf%=y5JxRY0IfcH1{BKy9u9@Ky`XiYQ6pLi_er*U-ny~ya*|n}H>LnZOfuy^ghDt0rRjchA z>`WhACO#DUab6FKx>CG2YqcV%mq+N2KxQ`?RYA-m>Lh(f7`E#Be!6FN66L;}(e@}) zZM?W0i#J!{TlGg&ipXZ8v>}4qnm}$Ck)7!xsmH3FzNkw{1#{~q{Ygryg8Ijdjaz?N zg2h^#QDfAd2Mm0c`-+AzUbu;M7$(V;)PA`=DTtiMW4J8)R*SUzSgrfB&z(2U4PCiY z@{qX|-yC>iP~isl-YbC`>G(@8i8aaq&8J6vqAoQBd@NyMoE-!l9%wmhWPAt^1a1k< zWA`7p(H35JnYBN5@Lf+#2KM#QXrJ3mg%PJ8*brw}(&NTFx@GVJ z4txB)@-3$7Uwzx$xIhtGbp5ep-WElkkG?k8 
z>pg>*)~fqKm3OnL3BON^c0VU=d)Vu!RzH;@v>l6?O?ycHecJ=u$lLqz-U@Kl^yAFh z-<{iSf$b451!|QtA74$`+4cA?)a{k z7$-Mh!`$SPp4qpIw-B*hu_e=*@63l{;jv%9@ixlxcV^?HMp01JjnNIentoCfWC!=> z*uvZ~NLdKlQSDz$3ERsqkzSVKbRe$jx@~P}3t!lQ?#JWo7;@SLn1Iy{!$Ctg2eH;U{GmY0-;7u2LJZCDHK(W`9{Tod9hkECFbwa6?Gh|v zWmVAkIdY5Ea0yb-L&#|B@TC+qGJR!L_Zd0##i{ixzhcSssR?9va2=B%RY_UiGJ~t7 z1+W2^={A#*u zfN`c9K?11k*54O;%#@e8tm|k*040Ixgi^S~QrV;1eDv)GCoe9NDeu8)t zhlulVqS|&1LK)EzSL#A90}b>#h-j)qXH>Tp$t0hF=@P75_MC9~WL~{| zEvYt&Jm$l=GOu?x-SD=#$FAu@{~K}kBmmNg%`1RmRz1s1bOmxtW&4dmnuM%80H!D; z$%GwXGgV~QjUoO11;+~V*NlaCzxwFJOrEPUW-JFb{s&W&t7?X&n_dx34e!aF;LR5o z_JuP1N@F=Ct-4NDCdRRzHX(iyeI#;-@>#k8VavlF=C%w#bfLv;icq#Nn$nX|*4e zXXXS3HeO&DL*9%@LF94XLUyAQ;5fK)fx3O`A%`FJi298zphnJMxz7-b#a!vZ6)QBI zIGP^D6JONG7aaQo+01Kr(mHgj)9<­W~9BS^UHvEWg{~n}`{#-6*sLP%6YFC-U zp3s>IO&|EY7nMkugiBR_ad85k7O|%C|R}^Lfq?m=(6yoVp zWJ~V9uc{XvNR;2W?FBc-p`3;Ct;svjpi*zR01 z^RpPBQM(|noE`8cG0=`8VZ)E)2Y#s!+Q{JU5<-EDQV;Zl9W~sQI~FH5GM8lNx-R;@ zUD^VCS{jCoT8{a&-S~%E%vX$X)}VGa3BMgMY9k;m?wX`~MvYR2tDywl%Ajbu;A@$T zc~;GF78mxi_t+N5CN~(MrZja|e9i4!=wj#Icu+RF0}+vvsFq$cU3ZG5Ca#fETjy3! 
z`II_-cP{qiP8lk`gm2LLuhOT5TQqb)<r9+2Z8{_)GJZpkNVs0;7K**ku6xArvwa=`8UW-4BbM z<;*+db00|hbE ziWBYi0R&J%jQ#(qII$lTZ;(R%KhLrZ4t7fGD0ZT}?)t&?zI9~^?yBa0$dyBkI;Eq8t^H%^pypD*o!-f5Uz^?D6=3~q zi#brbwGLD@L#w^}>0qNSo+Q7@IKvYKC+P??OBUoxRG3UQBqm|p8I7=b zO?v?EZayfKx<-7UynQ-_#DOejib7`Lb_)xbNqy7aIXFHc7YA7Wd+Jec$*gA=pRfqI zDxwL!-}zloQ>hBs@;ik%gDH|xd$NyX^zK~^cIGV#5-q0HeXM{gp|D=SOe3W(ij2LYuz zB7QUZc0R^xQ=o^^R-BpX(dc?d@1(U_!r)t`4|65+;k^p;@H zK>Kiw18%C7Xgk80Y0};RuNJTv+KVm;-~NFS$0Bh$*hoJJ7{vxHqmJ!hUf05Es1lb` zG=z*^8b|Ztg%bZ`{+K&p&|BS}#cqCxh^LZ~=8#vGq|BLb4Jo@_2M`LHFP6yNu<g&^S10Q7x*VN>mJ=ek*RqL7bbyI)t43CU&2N>$oxOVB$HCTcFZ}*Wk*P=y z(4qQHCFUl*K&_WsUKG4sBRS=fwSVTcN9`k}JCM;dw-8&)CJKBIL0G!_#T?3k_$eaf zBJ#p-q4|>)RZ_%C5!#Lph^_ZZJn;?m7H=AK6;PaAt2*!$k253Xk5R1 za9%)g3;2$boIU=^-L$%weXaW{GAKee&~?^W_nAC10&bIjGeAO^g`WCfz!Kd>opI^e zqZl%i@DbMl0kXXY(2gN-Ws5zr#Ao{g00dcD04{TAb98caVPXI-Zf|sDE@y6aE@XLb zb9rraa$jMsQXK!X@XkTV>VQpn!Xk>C@V`6i2E@5mgUuedI0$#J z0OFw~eUyYN4TAzX*&vIVfS56euLz?ENI3LSwF3yasCWSgyAA^YKnTYVNV!O<7y#1& zU|@I{-~-sf1Q2oo#PAF00N^~(?+D-=Jq&L2NCN>V4cMNnJ`y%zG-Nk2G%;jvV=Ztk zEiXe)P+3A#L?BFQV`Xl0WeN&IZ*X}aC_^bAGB7eRATA(5Y-}KNAY?8I3Q}btZ*pyO zEOK-TZEs{OAarP9W^Zh4Z+B!0AZ=xIItmIPASxhZZ)9O&Z+34AENo?RE+8OuVPr3D zVRUm&Wod6_X>@aMa&viPZe(R|ZEs{|b08pNX>?_7b8`w*NJQ%^=zS3y!mAVeTS zSs+wMMIc#HNk>RjAV^P4L`70lAVE$tQbA5s zNkvmEAS@stPES+{R8K5MAWcP5Lr6hFNlZypSw=}zPJub7vPwlsMn)tM2_h*eCk4#` z@f<-2L4`;pW+Z3_;t6P=Eii}?BPkJ)AX-LY>+Bq_;LUt5E+|;j8R87}35p5J6GF2v zH_&5sGgO1P;I**NW(3e*fgHp~De+27b`j#e{BMu!<`r`E>O#ax5gsiiMSr~Iaxt=k zVtW{G}&gEwJ!8?^iH9LTak@(;14crgyMTR$|c>`dDEbkdUh9Fw!e6Vi}DD; z(k>ldIQt-^eNo)<&I!Fv9ewv4^g+g<+Pp~?O-w}}E>>X;7t#=zQLu$=gNWReMHa0f zjEFC>*~cdCTX&z-;9cCbirUe07jV5Sg=mi|yH9k%6bH1?{CWI&-8-p4i#0}DzQ}`H z=rOgW*vM|v%(4K@U(2TrqX>l>qB&a_9(J~niFu=x*Et+5p*jjaURR+R>@@Mvukd75 zxLq_t`lnM=vHjEfa+2zDC2T+^b77*}r}d>}LNq6JI^q7s{?Zq&w|ey&N+F62-Y6Ut zs@m6yD1zWL@#n&!9{kS!`yzbxdx-7Ddi9RFZ~yU;haYYIFYjsUf+5OZ2Ys@GD33{h#{GG^@$Ea3pvIh#_`Q__?mvY^jpBqzz{7A$T5^A z2Xsnl8i{`gD+Xg>#dzU8WefF=m_}AS;^ON090E)x0EXy>KtPL|14x!(=K2|iVHn1i 
zu=r-Z`2qOFen!C@C5hYXpxt0*0HL3jKxj>-Ux%qMzzN|Z^l6MuM2N^OrA$($6np@B z0A~OfgIROgDl~7?bQ!E+811rg7Y&2&_hBB+9lkbQM%!RAS=Lm5-R6Oo{N?Okng@Cr z4lD4oOy+{M5B#>zvw$An&^iz!aLF4v!{4>(vUV>HyE=`t!o2 zit1YXR;jvI*K#S6T#_V7ElQ=7lv*@W+g@GPT0j2x)YjeFD%<{BORuG}Qtv9wuiUl- zg%Tm9wE^aw?Xmid-!yuSaWbcAPCh3-rx+supH=#Qb=wgA)ASz${=wtvm^`o?v;|N^ zgAM_SKw%)kJ8&Y63d1sRfuaBfq&TWgvT4voe@?d`Ss^$#=y6Qt=ph`&*Cp z0M`uE&mpZHE=9j&=D?KRmTSmXvyzt?RRUa&XAs3myQ0&+MLs6wD zJTX$&%(2g4w=9JYT!kM7OxBi51rlt>)Z=P@bpZHDBlSUx6-7&Hd{%1A9tHuN87rpi z(H%4I`0NiV#?lgACl*!4t2MXacSTyF1|TGafHcvTEt6Y5G`Ln{a609(-MpxJmVs2E z0Vs?GV#U47t91!?L^0;Z6I}hmB-(yxD4G(*$;M31%N#ltE^2$lOZ~OM5MUZDzlJ5q zM6m(z4MKrLImk0n2H+GUw$9<1brPAfTvLs;6!yD#OKu}KV^ z@j=~v_F?^+=A~(#h}^CNS#?Zj7yJX$?k96fDm#6#(^ZZWGurA}(8j%p}rM1sjLDMxzA zE3%9vBhg4R5{tCLL0AY6VIZ7^uSg(_g{?>`=D|A{1~+~1z+th7e8lDyZ!Ad=SV`hU zi76G2xEU3XHV3_V0-sh1#46exfj8E)E41Sl^`$M=rntxvVqCaAO8}9`Q2GW|82F>v z01Zi4Q2?JU(7Pw>&z(Lr4@I)m(HoMLTXGo+z-uOVy_~$H!Z;-=7cr{71C2;P`HmBC zWu-GqGN_zbW$ieEQWyIBMWg2l#r=@Lcy`4_hvG99jajj-C&XaXqFi^jOM&AW(qCD* z%?TpsvV%evpCpCGT7mhC2o@}& zACV5U*jd)Z5kt~LHlb#Y8`H*onl&bkIb+J0F{aZD8Yhd12wHH~>r32jov(dY`75v? z0{UIq{gO8>XsPxx^oOz*ahwrEP&nefdR?#WVF2H|-a*+C+`yk*aq{!;c)3oFL1Bnr zZ}MV@Yf#kcAm|@^?FL&NY>=ZdE|3w5su=Jo20VD94fMQTha$@1{xbN;U^kG~+1wry z!<2L|J^gm=uCn%mp}(wQ#6cr{PMV^!4`UP|+h9=)TcUAYKNZ!ow4PftTX&1js#)dH zzWt)}^XlM)qS5RAI^OnMFe<+LcMeM3hZA9L+fKNJMX)by?5Qu z*Se@p$*V2!8k^J~G@c2Sb*u40Ps3a7Td0Zh7@d!qRn8e%F4%L zo=|}Hm-!Uc%e)LOIVnER0pKnNZ5KDfe8+K<^OaoWf^(=MJ0q&vB$@U%f)NH}S)NEr z>z3vs3y_>CKuD315fKTJq@*AEdnJv|bZua%{K8cVWbMz-gLl7vL1w#Zd>x+?uk=2>=YI56TlD zxw6gupCHo>B>M*6_45jA;v-|)aRfE|n*@R=2kPzetQLQU? zcCW(q)%uA7WV!50TzxzZw3hs`hQ82&KpJ!1bNJoZ(uo@#n-4sc%EnVclY&%9HD8eC zK_!H3^MjXSgi&7_*wl2g>e1TgELGTJe<)! 
zZe)oy{3eJ)o3SDXT?pzAKP)5VJi;940tKWt^54t1i-c{` z6IYEt9#d=VO&R-4aI|*TwG9W4ZEpGV-MC`}nk2de;}6`k>0Rt2A`g$d)JJ=T<<<%& z)@V)+e0vHeRIWfspup-gk7&^y7y~&r$xoVo*P#REpjl{!|{sY z2)ong*y#vvD-so}fO3&VT@6r;!KVx-ZZq+Guz_2bwdUA*+RCurHqYx%u|m9IWiMvH zE{!-&5bFTT3n6eY1(_cre=pk+{1MC;(Oot|pba0VY2);;Bx{QY(gV`6tt^U+*5LgB zz#&b%e8RHj3Y^|5of!?IU7a~2zaAAq6upT{EDeZg8VP zNUTQ^R8i!qcukzi(z`hwW#`zQo5zf1ec1mbq%28Q8jw#cTn)HL1QZfF(;?$b;$jOt zVqS;WB?(I5INV&8ZNbk+@wpX1#(>2lxkZlQWh6II(A*6Roj=6=t!ym$NKwqB%QzXd z7t#(Et-7?dl-WOiRZDl}HAd6yj(Y{WLs~6t(DFWMle}@YvSp|Ze#$b|fkm=XeAeiltTlY)Z3KPS= z&q2VlRI+jz3H)CGHb2cp@Rrj7II9}NISVv4(^Yr&Q>yfrsoA^P(cmBU47Il@xHPDA zIZrJ+MjJa|D%z)TIhRX4HRw#I%f)h)>#vAh$22qD?p( zHJl$*L0t&&c@*?|a9vcw!S6D_P;}NP)4D&h zQR4^_r()1eX66O&VT6&p`%Tp~y(ggm^1J`n{{OX)AK$Y|QvLsLmnhjQa7zih`}tCs zm&9`a<=;GU3@OAMR&WDmYCS+HKkO&~uc;XB=u`o~?^!*<+c0+jsLA=eJI(bQ`s%6a zza20mL;1D4yGf=wC-tnk&brb^xE z)v$=I*32XXgyyKT#^&K99Rsxx93G1bC8DIM`g0Y4140EfOd6vgnP5ajBt}F+5s@TG z+S^1u81wJ42eg4|&z&_*Ey0~a)Ceh8tt0z-0g45%?I@W!4##NNx{Jfoa0d}In~$AE z-;W|mXABqIn5lj6eCu7q(_1r~kP&L0w2*{$44qg0>n^TlZ?}%oPm9>i55Wyr^2ZEa zOdC%sc~Tvp&?WY&9{y^!T+--txj);llx|cj4|kg+Gay7Ur; zc8gbeBA|s%)@K9N)Q(4_ToES+^WV6kcN+)R$11WVuVQn!jf607u>G<(v>_0rVdyY| zvHEtDRH_VC_*O?R4lIrEv}?-);VqNty2dqoe)n;epiv9ToC*rs=n|1Z1&sCZ#ALk# z{gxJ8sRUvhFAk^9o0PXlAvdi2u+!uMN$PGlCqgrHqhCgwg~8A-O2SKRs@6AeBc)JU z(G4+Ei~-JVwP=sL2#7%c`RXrGOygS`5KUb4!k;V7%lv@KC`IC)4U@~;Vz;sF<_-{t zzq)cE#J=0!*2J2wN0G*M?lDQ7nt)B6?+#nq#nIMG70zCAptC!Z@1TzS3Q$G*GqXD@ zvG6%fAxPKf{5L9yLTB@Y)}_LvTY`!H{j>R8c)tn7_80Q7sEojc#OA}rY+90zYB zgF%l|-=Lw$Pj%sH#8ZX5$`RMA7g4ix_ZL+Sy|SEk<`p_s5fu~ae8DUf(d~;tavt>T z*>Q8z?AhY%6gmOAe#o&vFoR1#il9i~1rE{xuu_u40%W)*c-7nv35#W4?`#A-A4^ zqOU*fQ;_HE;5Hb>;)3`_uM$P9tw3- zIJ(~3ZrSk9L&$so;q^=^48!_>i@ zH`0AyRGdY2cSs{?oZyt22pM-&zjYLy=OXA&u8N7@NnoAx>m>8~!S#Gnl9oZIYf?Cq zt5Xjvqo)^2G#CtDma#bIE)k<}v;q?|N%T1C;4mH(#0HEb4aKt`;LXov;}nvrVg+ZD zVuJ$vN1U+-PIWk&bfUX1?LeNBX6GK-ltvg(J9kWAoE%!zulCIcvp^X58eNR^@vW5v zZ&Y&`nJ_m=6qp3fWx1_e2Qihql{8K70)<6i7_GFbDbC+Xt 
zM+35pAMfRDKsWrMXW+%uWa&sikNzHvlitz=)?S!%&~Rbt)<7tm+qjm0QKaF9agwg9 zt>7TcVcIA*M-|u)X}P7j*Vnz)B{VVITHtMD49K))9N1WvbV(gW6X|=|`m0}f7RnfQ z5W2-1Ssh#cGTz~Ud-<#Z(+SuX;xti-NDnu7GGX7|%9l1%#I}D2a+D9AapuhQZnd;>aYn+XlkliE0T9{=4Oic*Tj-1svGq!S-YSqt9 zBe|!;4<2BubCv12zaAmWHA#<^9?#*gl$Pq=R8?3Ip(hb0${;8r;$2~Z_$%5y7v1&derTQ6VVcf3Lkhhl4P!D7n?zBe?s3SLB%0!+X(Vmr&A5 z$zG|FaLCQww5S~rRhT~<4a+)k_!)k?#F{(pY}5C6(asu;h5q?rXyt@Z74p&ywTyFD zNd$)Kv_kl8HajE94jaz{V-$p2K)o4sk4^xjh!TnMfB|X}1RaI_UYjzP;2{1x>xs|Z z3L}^+BupBh8?hGDp+AZ}sDOMyyi2m-bmt`U1fp@$2PpJ;f0@!bNmxh|F64bBdb~gk zwTfs-HC*Jk z7*EC6kvi;U_7hSQZD9g82+(sl9e-vPiZ!&;xwEa1cKUJ<#8cCe7GeiVwX5D;tgl~7 z03RW5A*93RB;9bK3MlF^y=-lChLHL0X@m9GT$Vm(8L`|Z9iS&BF^G02ft87rp65H* z@H4^P&%1s5#27o%FP;JJ?*;Gwz0(j3OJn?m;pe2+QM5=~<}Y>fx-$xlF(<2~fP zLy^IxKvGX@jmNYiVOkaU&dVY?{AvKU{?tOC@TLRslv<$26Q2O@`$)3jS6%vO$t6=S+OT1m3sU|yHNt507mQtpaQp5nr0KWhtTc_}{ zrk!ZPmcTfhj->HB7Swhg!a5ojnARtUvR~Sl-*g8E4u8>X$4-wvH+Yk|s1CB@4)J zY>AqbMu7q*2l%N&@iyo?<9b(Y*8X1oxQjuG)h{V$`o_aTGN6SN(FP9jmDK-9~y9xE`;j(ULF`gUG?oC zpF>r37;*yVaieL7OG{y3bhnZde%a&4l63bx#IGk~js(1j!piL*NI-v`E>g-rheTs5 z%el5vV=;cR0o|1B9Nl=>S5wEG%9y;jWBc z@21=GPm7Inx+@B6+boh4OJ!Eh&yCq$C$8+{2<`S|WwLwvoO8OA(y9FF>ZT+^(^+)R z(;Mimb?cqjE-b~AEe?QVGU2W%Rsq?tG{}m&rWfgCxe82cy>}Id4Yk{ofeb&(%O6)d zN@UbiOo}rnzq%+?s-iy8QP$-zj`13hOi`&USbOt>XK9E}wBJP8l<3*7u2?Qq_&v@h zEGc?VYe`$pkc%wIM3n{^|0-h64+5EhN8lxRPjSi3)1QO{!Q%({h#{oiy+!*woy#el z=;kh%FJ8KUNnDIN>F@fUQ$E*j%X9r94e19}2};9RZEWJ6?C6y5QpJ&HQ`+&jS1e}O zp`s-zjEd$IRdtY4zOaDOpQ>WtfR)eY27WWKV+53FQBsOFNcHuLNWCJolU%EjKGpov#d&|RxfBvj4MwIF*h{>A~gK9u;tGy}ko{Eg_jc zL;Vo`SV?4lpoMF2Hx3I(<$a<`bFLHC1QZ!(oR$=&8;BtfgXwZsjf9b_m#;?8rs~hN zDE`A|q$c+p3~n(xCzl;3#Y5f=uyFv^!0f?Fc7ynxtn?{Y=!O$wB7>LWYA1MZwm%`* za27WFcIPEM4jkW)vW7hJUF~hEd<5!(#xSB%O(6w~;tc2mX(runf}oinGUCP}+LDA< z>zfrrY%<(*-`t(R8GZ1;i~q-)NoBC>jJQNucaM-sVA&e=X5ufWZ1jwSWNq{3w2kCQ z9*9A&JZ36H_S}lthbhbWGMZPW&G5cF-z0`39kgy5RnPk>$GXrEg98B%w_?KHT&kO! 
zkdjDeOzggNzXRs)dZ1-5&Y0527XKL~rR@8@Hwq4XXgF)WBP$niy1?X?P_0N#+WuZd9`QSqS%8tKOHgExA^)?_f)nN^VJ;8^ z=xjy=O1=Tm!RJS0ixBSzH$u*pfi7fLxh=94E5_h0L>Gpe*#sA_J3O)&5?oq*$(n9J zmV_1H@2zum%2~zH5-+-CZg|OMSsF^4Jap%-o^gZ2l}tmWUtlOGYe$}0xt|nlfI)3_ zj014+Wbq|-%8*K9G8hF0f9@?V_OwZGvVbwI8c}ge9S9@jY>xS~UoG-Z*u?M5Ga1H1Ww zIQ|{Hysz3Dj&wbs`ihk7oj#E;b=jd6r8bw@z(iF*Fqf31**W7`e^lULBd0J)$X*Uq z_GIf~iZJ2^|Ab!Vp?hmS@!gqfU=@f6P%ti}U&MZxR|L-4zidv^xNy^By|tZ-tYmz1 zyEQS?4MuiSi2WuC59M4Rgu`eKq~xY<>a+XytOggy?zfdjO(=?l>VIG$nyK)vKdWhu^_G=X=Z zW5R=iOXZ1={~F0@e;%1S#Oj|&lb(thKMS)>_aOC1=gBdhv>HY8Q;_RQCjxFE@7ooJ zDA(&^)DMm6lVb)tET$vi`+NN?j9q%1Tx}@c`cB_KU8~S-hR#&ZYk#Ub=rT&dj@*pm zTx1YGq+|g)&mL1`$}-Typw9j1^pHKqoAWXT8V|)vfS48mP?%Rk_gKDtdM=$zSnRML zbujF0?x>9*eWq!LhH9#COjj|ICgKFc0L=7N24llt+6pT#xC zII}kuj#xw0i{}Cv&KmpSle`N@RB<#i9vgQ}qR{i7t?UU>gjVeVjXkGil)@&Q)k5bP zo3&m7zMz~0`o{b4(WK-#mVQPv;}*u-d3D(Ckw)-txLFG;+Oue+*ol+OAC?B6V{*K` zeD-ZZf6`EWpQ3mwmPIPi3FUw017p2UjYu7e?_=k^-;1q~Js&(dOlIq9%B(a~Bp;b1 z7pc>ju*|MaTA=;tRVIfB1LoZklUVCwIhpil`FpXK1%M88OCe7bUSBFdkyPcjpV;Ty zK+B9`z~)D2x3D9eZna7tQfNjb>Ck8mbzT6Ks|YXx@Qp)Ss8ChEbB6Nn3VMWmZ}>%? 
zwtzwB+1?S{7-d(0YL5KFyI_{WgixKd>-dJ&XC7lw4-z<@?>YX;ZrMz%b!m#N@yfbD z)_<+6x+}(Ht87VI{fBa*T#vkAy8QIRpk%}kM1IXrtnZbh46=Ni=+oeQsG^$G`1qYW zzV*|E+9Yn?C>W}Vwfn2+lXGfr%&P&2JP(^A&;mFDBDS+~bvc@hK&$Aa3=WezlZmbv z0@od`YH+s+c|GeL0O=4Hu%$$bE54;9hl#;!4?1^$W$7$;670Kp3n)>}EZ+>pxT6TB-= z4cHWaL7v#$HfaTl&XlJRB+oy^-#Ix#J~~{nwOs1BY;!&&+%L^ApM+;_nW#Qt*3997 z>rZZElA!b*2|y6-=fSk2;hQn}5mt(v|_U^wd?20G_D3LNO2&e`OH4@ILjVX-`%Pmo-~2x}bN-m$Y%us+~> z93^zJV4ziq`{_@3I*Br~j3-KS$1HPtOKdRbvzH~CA1k}SjK^{r4yw9H z4q;;yL*1}`Wj=^R_GKx)`#<)pkEFtZ$7ZxZ^Jsh+;Y@F*-LA$MEy3lgD%PZs1ck3a zkM}fLpnWMD08j0z5H=E>oultZmSdWPAfjG5wxhDfIhh*V7(8IgkxptjHR3?k{JfBU zW8S3lHU&Y<^;tpUt(r%o#01U|4QUoJv{y zrW+?lheR06K01BwwgY5W04Bb(H(*Vg128!RjnvpFtP?OhEkWteMRi~XhHa;tfgujK zf7o4-3L3VxHd@-mYl9WjXsQ{t?o&fHVb#7#)7$z|I&pDkpT-<5G- z6$0mA%V4pa`8Tq~2rRRpY$;fl3r8ERwboiwGT@8wlm|V+G9Hq+Jd^3}4mkw5doob- z7w8uVN>JE|W1p;k_z7CPBQX)2IPb&< z6eAX2@fNWnuEhBldHkApqAJe}1b^YhalZMbX%q)O?>zB2%~SrxF%meD~~Ik{a}?edn;?RD|5R#x9!@suj=ZiVd?Hy zRpF{`FGKfSx$D|(@9w5s8Sa~Y9H)UA-OercJQSVP&HMwISErfitM*g(%ymZE1ySPs zr0J<$?9_`;KfQx#ntGvN^;8v^nwHit@rDCIVj7J%oYovU51jCCwv})$FY_+l%-pKZ ztn95d1VIi(Xj^N}z7WLj?9A@Y8uNIcwnn2-RfcK*xH`zmh-rm*EI^G2vCDw%DstjyZF;4Z_c zcGFf>=G(U2Xr%{F1T`M%7ik&D6HJ0!NZvdIYCOJ~rmwmmz*p3BY^v!opyL|~@_-ZS zsrZm$#PJvJxCn&isPjhmt|pZZGX@bH6phE^EEId`1LGB-^f4LAF@p>uG$Im+h)7bD zBuQa8y$NJ!uyZ+6T@Q4sQ;RSNF_h8fuRs#q_Xs%AYN`p@N!2RWcMYo?$rdtoA*qYV zfYGdjcr39p9ib%rr(pqMW-6dHV4vArHCr%GP1JwF;w;u}PjeJjEoOm%MQksCDAp9l zPse;+3I&>XSqfwn?7&)I@1VB+m*-;nS~Pthhm}i|UVx+asM&cVf8N4HrDO_Kx8$}R zOC4x>Bhg_`_+Y^ZKsAUiB1vZvgC|TMO)a6Z*z2^B;1i<0B^Ztt`{g|q=`#Wdipj4T zcdEtyd*WTn2J4fIgf<)S0jLUqwy(uUQoid^&oil5v1Io{nPkmY9@+Gg5l)8UDYYby zXf6B_1WI@{M(!2DG92)ynL(7H)OV!4j)0Ie$>sxj`UMVX&@|Dqa7#7Vu#(hq`c8Y{ z27d}A(!bxVztXY4!f_e2QFvC`G}BBzX1GAylA?g2O94Iy@ZzaK4bbUWiNRlRsi`O&G}Xz@$YPR!@dPzOX)^aAlVM~*Dn0u`s|G37u;cVc zm}C1uoy2cc9c7brrc56rqNxWq_r!*1Vdl2JL667@1Beo{^~aFTMfyKvX`dNpMq!4P zNF*}x(@}3fl3@?EbD#~}9=8DcX$e`>Yepe#S6EU02~U;PXi>2P?XG8X06c`m_*v?e 
z#SIX#&J{$F-rn<6nRmo}>TdxMdd|xLJ`k`aXZ(Orsh?sHaLm+{w8;{}zwFGW#MWbN?KC@Tac;_di#ZtOK&XNcA-a()p zQB+1DV6MbIal)#hRMtXdHcKVlwPcQNhZ3YmUK}k&Rq67OU7X+dPx+-mK(Hg5L@v~P z!_0{!k1@5+z7=D4GdhYfyA~a{$A9WEi-FfmU&sPU`$i^VAP3>$Wv^ijmBtc}wxB{} zWd1tkGKSjGc8{r;`%+D#)41dHU0bPO1|*PZSoT8NSKLfwGk!8k4%`_H>{V9w~n!!=5|2bX1ZA?0p zhlgT&*e+!PmyA4r&$M$I8{$nWJRh1aICe0J9e1qCSEHdDsN>J@(Fqi;PS)6R8G{s<3Kc+ zs}#tk=&~&LG2!GV!(^eH%aW*gl+b4q^}Q%7^w6Kp*$2JKT(N`%Z<9c(ZD58kVbfp7F1}j4B1Ai1Q>K= zcPy@=1OP;gz;xYE3oK6_%E_y;0% zCEnl7p323tAM*KRH5CY2pu!t2+mahqZdgj08YAgSZV5j16PzL5;^w-iF%4X}{=p6t7&-)j>$OZam(`(%k%ND4jpoz8G1q57y)R;@WfWHqKJ0?mqd z*vdFB8dH;*P&CMUM#^m072J#5#I~VOJ*w@?(bLFP@A+rg)Tqk+K&Go-A<$ae+q^A( z`Ic}+#o!t@H%F3i(*gX)XGc|g6AtO-x{CA-hN5_mvbvD^wnUQCCs62_zbE+M%r-i# zES)I@uhkrx@&Da;&g!KBD;e)!BILeW7MihCKP30|ucWKgU%HUvmd@OWuk5bqu|Eg| zQTD+c4Fq%vvbAi6jqA4N`C2NPR(4zJI4Tl>g}RAxnV}3a9l9VUxf(f~H5(sg-&It3 zT6P@AZ0Rt1kpG=!xc;Y2^Yh#d#o|fv8B5h8r-x8>BJw)L!nT|1ung%FPIxS!P5wMB z^>@C#4~4m6UMSgw;z2)cbtGxrYWR{p?K6#WJy?L?k0f-gjwSz^<-1!(-|8?I*W$$j zFx`du+DjI_r~*r7Shm^D23C$K=?*KdshIu0S^mim*{jV2fFW5LaRFi@scF8&77wAn z(AdFe0KUrL_1c}=;E39y1ZtZ83ge2?>+aAQbG`;xEVuj77&4qWCywd1VG4FF1G%59 z5*{rNKCLPsy2t4ej+|&^+Ex*F!0#9qT|BdwUCYtc|(+sG;!Eo_8D`S#oa(X`( zWQ)own~aMA+R=O}OF-gL+Ofocz&a*_Q!1N9B+b!z*?YNK4c^vYV8jA>J@tM4DaiH@ z7T7`U05pt#up9h^Jgu=`@~Lp)aK#gCYpsz+h(vaG_ohudp8}`?h5{(O1cT0XO?7{W zaMyKn>klr*rE+SPhnfw`8`VN86Q%U_WXpGB@OCz>X&9}r`24{ttSHM<_WU91d1vyz zyM*_S3m4z}N9P7v%$q**H{k5zo5OyL@j<^E3PgCgv7Nydlk1ZJ##noeS!-n9?x)=B zy7~knT}uciVDAD?qTHJ+?6?i5&z}>fwyS{E1}HIlI9o8hkpD^n%)}rf1QHkO3B+GCu`m(O5L#$)X1Y9k_TksBoiNqXG92e}=#~I16W%ukrNCM!M00AZX>^Wg$YsKFvq*Myi}1y>k`5aYc)o0t+JPhf_*KpSyYJxw;An+2axa2g zFVio0Z2INR84k<*(p}5v*&8Wi^kIuJ&Kdrl+?|}<-N^|$IsO0p&zE`rIl7tsQOcJQ zRxL0T!%P@*a+LZTlv8y2dCy5KL$tlZJaC4!EM^lsftnVZ>^j5i(*znt9dqkx`PoN3 zaBne-tY)*)sKMP9xFt|wM6tDS7-M`fy%=MPHO8IA z_*yw>41+0^RBlvmDM{%jA(h*v%0>19tsfMT*XG1kv`N;6TCt?wk`Uph&`dSuIjJ}m ztc0f)6-`@Q3uvOU7OY#@7M$(&651rHo5JLYz+9h%gv?YlG zN;wHh3>zamfA9f89Xwu89o{yjBo~Vlo5B_t4^~P7Urd03A_E{iSbNE`t_#K*2}uVF 
z84j4CgE3C6Ny1+5ju<+O)j-xjFl_ zX({(+m8z@R1+zjhC_98NTu%COL`sAVWw%LbB~H7XKFN#Cwi}A=E~uTR2UM0>eIIZ_ zFO?j5QC$m4Op1AngfayPPx{EeS@&{b%>^?{@!z7X({RS}!!E*&l$~be7F*kj8w4XM zrOWQ>`O5OKd2~ED7T8$hdtEC?d1(jbsg5U}qapr^4M*F9Sc%?DU1u0K|j&Z+|A_9h&#S-^9N@w<#y{Noeu=TMBMTLk87dcL6b@L%NGjS*s z3WbHt`K~Ce48Y2_kj{lO1imWBoEVi&D@2G8Awa4HAV>#9BWFG;dQFhY)q1b2^>g*xal-g-uzgzX#X0^@pWmAPZl{crewMFaK7=C1 zn!U<`^+o^dszZH#@1u+5g`l$|DE#e&M_D#dTvhvi5D( z*?O&fa!&h}%W8cHYaRMabY~W?ymn?*Pr3ic7-^2hNW*=8I-?&uj}S&kJ#+b7PU|o} zjZ|(F;ym-iPq;|20uW|mJF>wP+v%feQ*fmz1v}F0Sp(7vOtksph7E^!*z}G4Z_SQW zq};p3kG+Q=Q$!RL6oZ2N=X{@0kYaJja-A~KQcUJ6R^C$^rno%`SD?AD#(5)R`pJ6J zbWwGH+Mf^R`kqI((214=!RVR0yU#SQX%F!&rIb>}2# zU_w1I=sNrvl}HLCf$a479$HzqJGcwp8@Ge=Op?LY-J!dr#2#UcG47wNUr`HqgpJU@ zlrcUU?9ib;Vk?PSkZah)gzljZD(4D{VId(s^(OvfEU%Fwx0#AzPEFe5Y zi8sNpEqVrnNN}rw9Y79}ZTxn1AuuXG7B?Of92aAc%^L1wjz65az*!l`3bOSW!u4;c zV=?L?Cg?gYiA8_e)5!1^|4jI7r{yThc(rUNZ2R7QDm6GrQN@Erqg~` zWT9Ys3d$Yc+?o;upqFp{8k?rfHg{X_}^8IA{I+BzS0+m_PsDnNa%rJYSda zTMbxbqQb^74p;1GHWv;_?8-wRMuQn&D_t|Kj1Pr!qTF}cp$!IC#u+&CGxJ^<@sGeL zsQ3a6{+KM19~u*q!MmQ31}l!&ec{+m8=Q2RdFRx#cJT0`Q=UZMKz$InC7E_Z26L~WA$Tylm=nX7T6^E~3D|Rh2Qp z7-Ni@Kb>-ScP^(mRP?yHZyVjLjZ1cJS<9N8(=DA}Z5JtLolxLu#R$ih!&0)c+*m)m zrOe7yXPocg4r?ZOJfnYg3%!-W*Lmv$~9hF1N zWvL>%P$Gs#O!{sRLzY)rLfX3zXP0iw+kFXs>WV~slF_(&rT^G!jv$r9_kEJX@YfebgWnaU{H`7-%fDT>eC8k^vC6#N91JgkSON=&O!WZ@3*laGQUAQp zi#YfV`ct#Q!U|!Mu$w+-RzD$P0>N(6e^eNiFvj9Y^#_CZ-&wt7tPn9AgYwiB7rdpX5GjU^FqfT{qrh#IXR zoa@4sqWj|hLQft5zy9ihN+dOb1NdTwH_!_U{UYHrorIYrDDCbQ^QmRXJGXGnPISDLLgfT8XZ-yOYb&;n;^iCzqp)OP-Frh$QRw`fJCv#w!rc zx9Bk;+dNRddH}lMVKE5LB=L5v1RFD|3MZmy*?3vl|(fFE4Kh+@IxbXW3x#R zdlgti4`^eZ1hIUECceRMML6r7*kUY0qKO0`%=pCD1iWeU7~<5$x*+iK$0xUa@Qv$Uy32A`{No|H6vS&+1L@y!+{o%7(l03fuJBfreL~^b_~K?Y>#FrUU13~ z58$NFUmBh7@$Voyp#2=R_+|h_v?X2s`(Xa^zFcL8nN!McnfR86Ziylu-G|+gG@t4~ z_S0LOLkCwXhOl<~3e#x555Vw+6}!spe(H7{UW7T{`zh{Z_tx_+tOi?RavT z1o|A}$&T4nYWkF!M@-GK-EjhXEh1vai337yFbT;F&u@C5A3b|odTH&Vi%X})GQmeC zLMzUZHS6KcjE5A^Sgb4#0%6Lvu0*?eGD;wa7P|`GPP<8g?s%BwdKe-=U)v3Ay-?K1 
zIq;QBSoG>wF@csG`&QAYnwfsk`c+{MEV8~G&NNM}IFB6U=^+r{hd|@Zq$ljc=2+=t zPfD9IpU!jqJFkv+&88=&m=yw&doV&=fTviqU6Rxe4%WaB&+0Jo__LVbr{Ayap!Ioq z=i0cm;Yjh_;=L=x=I)#H6-< za$4?2k(he?Ir=*-wS{i7%WYvrD}m}i964~JKgUAC3iz3X=}3n;0X7D4*BqBf8~eOM zOA?(masi7qnrpqkDe$Cb?Kzldf+h&WH*dBgarvmIvWNm{i^7_gs^VAUp1Z?aY*(9b zD;6Vu#SkAfg#s8J)10jPy3mj5Nz;;g)r1$lFe$!UiuJb4+tr6ykEhe!st8*XT67*R z2s*)3ju+kBvLFSS=uhth_R7mKe|_`-ne<}4(Rid5=}%oPS_dNKD5@rvOv?E4Gyw*; zqy$3FXrf6{jLh7LU}i}B4i`R4Xo#1n`cfMHB^bDIPYuny%)s{}LwHD>-ubGQ16)#b z8-dhv1yPRh3-30p%go@Mz9=Ah+Ed}#q6!xBE`7&G=wF524#Lrqu!j7AGM9Mz4C=_W$216wQ8IVITp}whoZ4iIV>8pdJprI)2p3 zUL=M?)$UQmM&&3ar-9`d2iQB#Wj78nbs8GM?I=c!JHm(*K!)&w25nm`I3lK4vE?xW zoK6Hdm>!GNUxEv7QTwBJ1&|n{)rgJTT|bU3$gp7r&-s(NV|{q)ixlk$^RbT*R9$9J zOr#-G2AWC&0hixkxu|QnF(F+d!B9%R&lX!{h?26!_o3EJCg7Sml2|trh0)6iQ7nd_|zCr^$+~k z5wdt!Hbc%sV?K^Px5r`bF_lso?gFronzKdS5Xr?@q(&F9$kXcq)4bdFDWZRIX!~CU z*z+F;st?0dEf}%C1B|3i)_Ay?jlny*ZeE*4PwRFkgYc1ccqY3mQwCra6yB)uE$v8d z8ctNCwY|lD5F>cI(GGz)SC0=n&wtc3Rmy~I61(F72rI{A$XWIHqITHso6(s@+n!9|#P_`q za}r~o&k<%^*_Z+{zs;R<1mc9y5^cj|7(u2uNGLpJmGh9lYrbs7^mKV}RDsnI)%wYv zA?k(C)T=Prkr!+~Z8?z-=-)qhH=0h3_O~eGfpmXy!gizIif~O0pvoYEP0k|n5;%^A zY6xgJj!qgF*anB`0fQy2mflE|aEMTF@c;zRU6PmZdDX9bBn3?&uYN7YaL&(cRdCu| z($dn_mgua0)PNDCXZnk~smnTosG{}M^MBjib7STSHLS*1UeZg%L0(W8XR4a@}?9SpS(jj%?9~mFonEF8n+Ey+d0!3mFyg#KZ}CHMEfWBZch!kH0%nv`t#{E{$IgM9r7w>nko#l1N0X*v}1?H7%Mw?OAjVrHv4xVY73Jf zsa(J!46-CAs%zT9kxk-OxUeeUH)`pC77-WyWrHhu4sueVdEBk;>dVH}CqCvaBV=FXrD?*=@P#F<5UL6ZPlGGX;X7?^lZO4TJauB%ewac7~;8BFJ~oZl8{O%JiE{%ES6rfV>D8mWkovv3xiljd2{?ozb{3U zR`Jd-Xpl~yc^EFS=5;$lG(*cwUV%QJ7Zx1OEaQ=cP_p8R2ETAY&C!eOnd3%JwTHl?&Ms25g=o53s(R8gu)7@ zXM&ocLSm$(Tx)9OloB`fNxovY_}S-jiPEJmS7{aVjxQ~tLQcJ*#aJcPp@R;!cnJ(>igz9|yHxH2J>o@<`;K+Mx`&rJebD>at;`BNde$g{wZv>LCNaGy`0 z!LEE6RouUUf+#h8kp(6<1UCoIeB;n#IyK_W_Q%!0^CIS$@$9HQokoiv_9Q%b!TW0$ z9@X!;vW_t2I}qk6Xw1J>g4!0d-Ex&whsc^F$|lU%=DWZ|P=(Xipn-g9IkawH@l)SQ z2dgM6!pvj{*b6@Mnz@5&1gtU`EM2Id%IEFTaCDJTpH^`k%X+2Dq8}>kXW5C* 
z*MvW6P(2-_R8D$;<&J7bK=TIVX;s5B{2s@E=fvyZ?slqN{7v56W=`Ow>hg!M+qHAaX^b&hC>!L)BQLv z`O^a`U6I+$pGlI8I=Wzk2y#&Tn4zcP@OUh&Tu*-cDvNaH3fdvly{6^({Mqu+TF>dF z-DVgXVqEE8y};dKy4cu=%V(s0)g*?uF@sR8L0wV9D@8Z&ETLM1)Fc2iA2vSV6d23z z?oCRM_H^8#`cGdgUIa3o!{&2{>;j_<0tJBYOyApP<4`%>?~tt9ZD2_5zz`AF7Q0>x zXe1pgWRbNxX}4}L8pdzm>|5+Q%oaWvX9XXw#W9|eWl0Sk-u5U9BMz*L&Sk4u31+Gb zLeKIhH)PxAtUgSPe>Q>`@g`H*bpJ$zv45o}Bg#9liMJSBB|Qs_L=Z^jaAHV4BE2NC z*1pIZpka#xX|KaDkuJ9B;PdV&NGxb}kM~b?bL4EmLF@?w*-wW5LJfq$;xlG`^I_PA zM7w!$mc>PMpn)lr+=Vi^r3K@@l0bBGm>C_YLGSJ99CW^E18o$al&&@7WH>-89R`f% z%5;}l$_90OI~Mu)*DiI{{=TnveDAs!f>+sj6_IpsLgSd&QkGGI)yq zCQKIuQQzEm(^$y6!}E@ll%>9VLd5?calh~=8!zKcc^2&UIVV*rGO={Z6Hn#fE=ktW zw&&f1?ofT@5z}uw&ADcSbOw0(8bOkg52-=8pct*ZC3px`H{)&ayDe@NAy4HdcIe89 zecKRjC3}%>$KAM*B#3j+9$R$6`M{&7AbViO)bXp<*&lDdZMoYZS_-cZLnb6H3F~1+EC#x6I-w0PX5VV5^c5OrONH%3~^}wq< zJ&5_myvPV)Ux-47`{a8f$Rc_}sb3gy$qZ=s+AfWKc|rbO3IO%0w!+6BIT<0`$IL>! z4}jY-bK0xUjp#cEG0c$Wtb3i52-K_}0Qxs!W zxCgoPwf#$;y1Pc<)j9!hYUrOB9IAMpftpyOeoO8t?c0X1|%#fXtqErtj_ z(Ccm(BjA(Ox48yQrovL$S57HB6nEhylNRD03wNI7jZb*G%Wve494^WDEoA29t6wmX zb&U-h%OZdQqKKs~bx@J;Xi(q;IB3%q?*Gk^9XOf&E9#H7{47vv8zQn~(QhqdVvfKE z@Lf&|#1Rb~QkEImdNzzJsfxkLmm?2V(}dQD=xB1Qld;@~wSK}DjIR17w}++)Zf^xP zmUf|LZo-{NBPSGDpU*bQd>M`Wwda?dfo)#0No~AyHT!+n1p>`>n*Y`6lmN#s%rhNp zB9!%qMr>f23G#Pja@q?eFn*D!0*3>sB@da$5a-1eA- zP04EN%?=O$`Jhx9&IRQP?UhLQ0q=%DI=78P!&zN}9C{PIU~+yj>-7b4byF#*zIERY z2<@ldiW|2M-#1hE1Z$GC35#Ue)DkvX%X~v1N3_-kZM@5(Pu@E(2aWtZ7Mc#B0LGvk zSyC$VNMCDrEC@(_Ng`{8rqoHgZjyrs4*K;lB6blqK-<3q|Cw@LNu=C+YxCNZtD0ch zH4=1rz+w{WAu7RSPdfm?lQv?x_G!yFAiNAFQ>$ZIGzhdp&EmVS-N=qU5Ka@_>t~qR z*tXMm0}MG}LSMB7v(}iz;nO!Wu$DGyxbZ0q=jkfPU-p+^&D2`65Z~6~!0)%)BdM4;zmwY!1@H{?X5wr7u;(-2>~tlcb~{M9<~*^4wYG2$pgHgscD?VgJ;`)JnH z!xU(aI4N;YnV-_IL5DZB8*eiw%WD{!QrAo=+3G#Z#4YP`lsWjvbddd1UZo6ew=l^4 z1WQIp#n36-RAR{!ZRMBHwl9RL%{9cK0ck00lvElai3f;1I?Ib|`O``$&iKN-#2e! 
zQ7qIZNHkrqTDOH;(6(Sjyncnyn(cT6Iss zbgdq|fwL}B1Z%mz##T`$dd3m<)JxLja{pgPi9BFl9tH)&eo%zhp!}!qhtzpY{x$Yt zU^ay7QzU!YTIAlBndSHvJe*Q>58t}{%Ry%;lt7wPQWX@_Rm)mdBPU>%4_!C2fKG%r39kaTCEeOK>2j>Q=>#5*q86KuxWwdp ztJriC1ZXQV-j(Nx1}X&u%;FUnI@WoKzZY)e*@}KLDEuu;4d7nTuJ;8GO*?2!IrJj= z{~fl8@TnizAXQl%53U}t0@p^JHfsjex@aE=4s2S-XwU) zOz;?-;ETM&85j)zMLTr^Ii{sXCI~fVxm_^G8*#{eM=wo?#yXbks#$YslI9#*G6__z zr9WM-DeM}#}=VZ%8f3-s&t*stjN(3<@xy)K4} zqAUTSd51?kW)giTutI}}h-@PWmp3FI;>pp5DD|*SX&r zVMH;JqJt5sNE0eKnvFXi&u!29KXeMoTtTxvr5d{v4+YbYsWVSFcWJcandZQRe_G3R zx;15{hDi&Rc9aT?<-sZOIA7=Eih(lJ6D@;p#78w`bFT;@)Ajz4o^^D)pp`Q3PLPWq ztF!`KCy2%`su+5BjA36DKit6k@(^x1k{v8SajjDtRTvN`*wkg)v5hd4l%DtEE)flb z;*<<-60(!y4HyJxlte>o)P28$iz zq15NFd9q7?Go2SjF#-UQG!_k@3NOh>-2LWBYwpTRf$Wrm|r-IeDQVB#m^OWHIMg-y|hyF^`2^ zQNdQ=hbP6^knhb~KVF*bamAfqtfJcJ4dT@omsUy#2Eo-En80|Ncih%!UTBPyPGjh7 z(Em2K>CnL~#!~N%)(a_ZBiVCOMNO+$d4F&)S{DJ7P%p?;61$x!NBWVxTQG!Er#|O4 zi|ok30sJS%fv-vU+2PiZh@IlTT(rvcDNaCtc@VnEeSkxRYb5Y+tsSZopVg%Kn_pVrJFQ2VY9ROZX0Io|rGucxi!21)| z_ECpvB`@i`$ef8bWU=0K(MGy%blmwr*SGEK$v*hvP)^YS=Ww9#|U1oDRwSzvs4f8E6%0^cBdRb z*g+!yc;7BaVPDirxuBS+7c5H2=qdIycNQE$*qBMz;2uSK{Y8oYdzk7XFmdBl-1n-V zo2p)vw?G=tIyQ;<~D1)nw$vow>sDg$?P3S6$E^yzXBF4qs_9HT06 z0K)@1@}|6F(Tp?-Sth5kt7ZW)*2IA|YL82>OF71Cky@6OsJY zqB0A-bBFn7%tTkU|4gPIAQ|}3i)1*Cx_Dwmp)Q#*{@Lp;CJw3?EjxuPz+)U9>bM^G zG()@e4v+jS4vef$+L7pa+Y_|awA6wua+u^&v>u!-?-Fu4K>QpWt|+=OCnGT7NmUP1 zXrC@DyH_304Y$e;U=gqo8BcTe%svGOvhwR$)qPxnK5rk|-sH%2a`*UZla;2OJYao3 zhGu4L131{c?ja?9$I#R9O0I1!R@vm^>0%EkDI!?>Ks2wlQkmQJyMe&3Sp{jr#*oI& zhgr39z|{I`8^$w+PGZn3SHQpATL_0${;wVA-ZW1vV%OR~(quUW6d@j>UFFZMIC?wfJ?;eJX!XQ-vHYND&!rA$qEb8G-bhlpP(6@j6H(fOf*A5_vIDqX{ z51?g3s7>^*Z#Uau=b=8=ntS7j-cFiteDlybc3e1yG}7f^de@Z$qobZQC!fHW$jvVN@A<2MLj(tHGY8QYj`u;w`cM*lx zsL+P;VysaZPXRrFVSER0_`_>-hEG)QIYOQKO%dSc%w#1N4^l^cOtK&bptp8`o^XOw z428fKXF4zT0-N3r5rMgSRn1~|J7JxgWzL3k8X=nx1MskZ=nG(cn(6+g1jqFe;Ou{= z53inIrWt<@i$b9DDv2KT_AtsJG*YVg(mcZn@LoZoJ388+Y6M zqulIKbuIof;dzro?wx`uW}39Z^! 
z@mtw^sK~1GXc?wJjR&a`^NdvEp+9bvh9n-xzD5aCLBf*+OHQ&}u{VB?#ff&Gsyp^K z=}0K`Zgu?k1E1}@wlA|-P775MK%=qd_)g8iU@`~RC=hWdT1PMTe#qJhcnsuq){gD5 zg;b0*ME)vqxqTa71`xkNLmSjCpNc;akVFBj=DDZPCNi-OGx&c~P;Qq(cpeq`bx2sq zGCx2b^sWuhOy?1V)V&bx79v07tM{m*oK&+d^A;;>hJ3mlw1sxqE$6kbBFyB@xE2vJ z01y%&m?C+yV%Y;4w9OgGuy_51_!=JZDk9FI;$lG z*xH${FD@5@N@Gezwl>smIrZZSFJJ`iyFfQ>T+Wq1x?G`_YKpG{vwaXvBM(*i?p3Wd zr}ya=iBw}AHoLMW{Af8CAsymVgX4gz`A;F8fJkHDVTz2?U91zDd%2cDQ6B%q*Clpw zp$_Z*PFt)5oPa#)bT!jt z{2;m2Q*IQj`l{RjiZ!m!n`ka+3`9pecvj;mD{n$g?<#=)(36%aYzuu0Y{@|vSoBxu z1#&{YX(`znYLJvw74i>h;vcwUu*Ca$jxwTeS)l^7|6v3Ih)1l4M?}@R*W{`r_T=M0 z0$dy@%4QrD)Ec)4+5Iy)z}A^7{Sn!?)?_>4coNp+uB|gEWM!?H@QD_dF_eaxb}; zpoSVK63{bn-k;kat&CaoXYDBD=XmgI^zJ!S|4$Fo1_3Qj7(``$@ChdLW8D1f#pIy+ zW8f^2ljdG0VwVbzc5U<^lEed#hw2m)!4D>elufVg+(45pY&8?C0+CoRcIJ8K6$T&i z%v)%c0uX-$fC8hzMv}`uPm4BqB?msP>T53w_4XzoXAEZzZP}n-RegZ6`c$^x0UC%K zzdBCuboOXQR^^|XTS7O=nZQmHzJkpqb_WXHnt_9Nqla5W?b4NN4>O8^;VM$y$|}bR z%X8kpt3m}UAaEetEkYZTeRDUozGRdx$hHQ^0&8|GQ)g>dgDle`)VXU$Bu&TRK)34)n-TUWq*!~a3+8rut%yEo0YaMQlD6ZC8D_g8Dg=rKy%c#`P)f{v+%LefC zqvEP6#nF`9IJs%s)leMjitOR4U|MRih%uO{tkq5Umxb2_p>-?pd(U>mc>8U<{dlE0 zMgVhs%#&kmE=Kqs!U^&J|Ns9#qW}LNPJiy*3`8{F>!T$e-uJt3=(Bpi-pofm=_iJvBACCsKO8xiVdy#`jf4e+NQYL-VJI9H_>EvA75ixYsK`Tct zptUy8{4E5H_fhI5`SAib$yQK+h2LRZyf z3QmKW4+=D$+`a9~)Te9RG4||^9BnAIW5!*UMkxr(W|(DH9_EWN#wcZ^F*2!{#q7i` z?rM3XYR)$&opVx-0{w0Tu)lOL_Lqpg0tIHnRnzK}0#%?!NZq_*j2uKjG7PFB@BkJ# zumFOoTqwv(a_k%7d+%locHb7GalFbu=6)oQg`tyZg*iU*zgn7h0GyZ`(D^MCKZ z%xe=%OV$6cE5h~Z%rI@vNr$NTeofOFvSlfq^J1Cpj+UUDU|LGG4Es4_q#3>LhRz0x z4j@ia%FE+PTc!y2hY@bH3cF{a*XIifQJ>t5VX-K zNfvPf{dY~WmL-axR9CV{3jB*>5-gSg8>^~K*N@7bf$jvG&PRP|I;I|CYM|(>0%&_I zG1a2j6eSc9av`KcqTszu?&faG*1l7JLhqaY-{0;YFx=f8LI|Nt=?*1i2z^SwE2K8M z{Hgr08Z=^2T$&+Gz)2_UF!kR#jRx0s$!M{t&8cx!t5ef5nqk*Pc|I#z62ATaXJ5iM z=VZOm(Cy8sTNDaaxz}KY^lhyg#*NX*MLs9zglkB(-s^Vs}1;CQYeDmFWfQ2afK=?#9wxgv9oqEHn_Gnm7C9XCoIm$j%^y5MmH!@P5Wk zjH4XqvF|^LztD=-OKxh=`&$rQEF<=^nPrqxN-3ptPMT@9sjanEI&H0$(soiGLd%-8 
zEvv6N>y?Z)sI*Z!&H({Kga8y8jK?DqX&$JF+6h!CfGU?K#>F8y5Tz-OQA8O<0001F zAOIkNfdP#HrqqEJ1a?06Da(jiblC}F56feczePv4)D+_pzN?1oPpS7^p1o?pDN$3U z`nx~(#5zwM>{7noF-IU_?t})g;ye^>rH$)`mSV8!TTz>4@HYj&Yr&tRtBzs~u5K){ z0i)D=rHVFP>~v2KGxETVG0la$>;$~_!ea$VbjjdDCxd4wW44#`nYLG4l*5JYLY*c& z%zlGlTF@)?Xst74G!uZK2oz6aK3HyR760YE-3R58_{q#wp_mti((xXb_8PLT2bGEE zvSSeR62e_7smDs(8@$KH2@P}20($>7O@wL|{L793O2N4>HppRfvjl>TC8n8tZh6MJ zi&@Wfqiy0?SqU|EMq&{EW%}i>@E>QhBqDfHU&RQNBO_g;t}neo?Do!XuJEb=?CiIT zPSJ2jPKz>`tc?RjvD(lrCQkXr(mxbYmTjZ)wm}y~qnDzdZQ)rAZ2AQF#M#e;DXRqC zj~wI${%p%Vot7j6T7Ek4q(#~iZy(Cy(0jwaJJ{+PhfQSeix9;q zV-I+Y>#SAch>;V5`v6mTtSZ4KmL^I&skb9+IJZQ^1LnF|@6AKeWY#pz1Dt`$+(IK2 z_U8+r`P75ARA_N37dWjm)?<&^G3ibXn%m*$HIHqJK_?ueApLODb4imJ3bTT$vct&Q zB1%DQ%@>z8;Oc1owSjHpm>v{8*01~Yp0MH}c=zf8x z1UuEf>^V1ErAS9^m3!NBnSQhD8gW%2(V7#RR+O6xU%TbLUne<^Q%{?mE~Pz{^WOgI zDSLL&TGs~aoV6;e!Y6G*p+_zOdz!Lc%T_la0la7`my97nsTSH_jP&z$vT+bk zlc|Q)cj?HZFWZ!{Ju#w*IunGF@_^X~K8!8@I{10H9Efm4dj>ZQ3zVndp{#57VOSaFaKJvlsg zbwEaY>}FW|;6b@cf|+-gLrM*0mhRG4xq1vR0z4I4%C>Ha98#$obwS7=<1!qH`B+N5 zH6$1GE^bG~L}x<;(;;=A9`#TtgIMx{@jXEb@oMk6x@9$Jr42zo1mtqw^M5FZc$R)y z*2Z3RC0CUdScGh%M84Cu+C*bE8?zQqlodsQHZKtXmWSGK!bB?R)#s1Vsnj_eHP#A%RfVvgz(+ zBXfV!^3m^alGb2@%C4mJl#byCw=Do zQqwi+D1>`r3~D4H_KAHELO|woF`ioArZJGOmx5J~Aqxlq>vJ-mA<~_906f0esCi&a zTO?#lLfh$(@pq=b_{0VS>{)P|ww@G;X;kT_0V{`(P_klk*rx9&zBuNhIvZ0&odR=k zt0dW1Tx!^h^P??METhnt%>+v9KzIC`hFZhW5k>FFgWWZY61upd_40Bm?o5Z$1*19Y zwy7b$^qkHe-<`oXnJ5J#9>P+#;Vr;}a5Ll#mZ)8xnd`ND-RwbHc@+AT&le^Z!E&&Qc%&%+d^5dxDyyD(M!%O|I7; z^ytnnt-G|}i0CdYULyG(cL|k%^>@br=x4*R z0*wtC`+$O~WjLre5K?BE4gBge#mP&{7|^j`>p-fRkW$??E)yw3Xfx2c-eFMMXH2_e zacujj@b_Ef!12#oyP!2_;YQR5DPcak5K-mwH|l;mV8#RmD6 zaDot;p0nIi!{DrJI)*o_3@hnFc^0d2_3v3(*bFyJVm;MxdC8;^60=7$^|s5 zM}Q+4<1cWE_aW=@Wd0YVr!B^#kW`bLh`ppo{xvy{id{+b^#WAKwk`*E&Y6>6K}XcfydmwRJt%J^)*63 zE+xtU7yh|VF?D)fJ0-n)Aj8` zwx10E2tkg_1MmmSNdBVz*oVPtTAsvvJCGb$1?|{IX5U+B^1Mvp4*QdJ zLN^r&o^-~RBse*Lh9!~&255ABAEksyD*DI~H1n*o3nQ^%m4E=>xF>Pw)U|0ip642B 
z0S#XpFRRqItC!+CI}3QESrVmVV*+Hw;G%w$a9-IT(5j9U>brr(-xv-Hx5#;j4k}`# zG@r`~S`QU!KID+8Iw@w!eHd=>=6s;o=8VqIB@7y8@?geH7s zHDqMDAOx@?rsZS@B-28vTM)sc^H-dX5Ya2O)=(4yiyk0?L`1TCV<`iwTbYxBQQI&A zIYcz~>UZ`M>&q?KC)Z+`wC;&Z+g33DPecxxca;NPQLVUuhAPV1uzCLzCL7&?`XuBs z;m)KXZznFN1G3p__eMrD7VtSI9HR5;6t1XlXof@!L z$E9*R1lMy5Szr^vn1T$$)Eado#H)k&0_s2{-!dZH$BK3UrQ5ki?7Q3E9G&@tKW})P z2fs8R`yKG_+-;tLlgkA|C~u!cXTL3p+UIQDGR-Y&n$uUDv^Tr5wc-G1CE)V|C9h!b+|Wfd7NK+=r4vxI?rz(|7q8m3ZtVRrJvdOyk4ksd-4>bhEyB z-sJkYQ+GSJ_(6W}Hw%-p86T{q7IUgq<^o|X+`Eu**1vZedy3UQr@?jMW~dXWT2^k4 z1dPW6Ji_Jom$gyGtb%ES6#rEb{*raDKPzNCJpq8JL93O}b%8WhFXgd$Q7hdoPXZ(W zJ^s(veP~TBBViEjnrH_32|a`!qJz5daB+_Vj-(~KA$UtjPJZ%Gf zB&R6_yNSFW`7=o%{k%gWjHIF;kU%=Fxm`8E;dL@GWhwopU6hCc%H-RN8ObkFs8~!r z&IMh!k~eKtCIpbnVY)%Rm3vE4?MFrO7b8yU{RNnqIzw_kPLc3moc1ZpPAwCq9@ECA z2{<^6ZObxK6Z(qr#L@gbFAspDyYMDlh{(1!n98wnZKcr3C3lsPRtnhUWK^a<4O?RB z%G6Khy_hsShtqE4N&XfhUf+rKS6EEy$l3b9DYhf7$8=B$12*7!nlxBdX|7pYEV6^PfSFXM4h#B6DPCExkRzE zBN^88-r`U83eiuI-~qpOd|z&Oqh4%2o@B)Rkjb_PQyBzP?E{8g7K5cfz?9{lxFlSCx-r_or8Ye>;I~KsSC(GQZapB_n|oEadT2Z#e|jP^O(Y zKC5sDjlC!wUXLlVOSs1oLE3Hkg2GxseHDOE1;XABv^Aj%xc8jfH-B;God!+n)cSF(z=_ky_@i)>CnMBWcD;3v8(N__XE`M36;fau>Qadw>j+dVf4J` zWIYoX4z?r^%FZ3yn1Jt3pL=CTqCfFV-m#f#3@sR46f-&olYR8oP zprtwm{xXwjhZ=xmyVn#)tRH7pGCa5u+2ONcgn%Pes&GBYc@Tm{)O!i$?;wRT>KrmD z1cmt%`h84POd0h1um_8t6dMMinP+BVuKzDek7068NQI?1T62ZAuP571C~sIznBhWb z7%BgO){V0N=-xsx`cb@lL2kjCSQCDt6yz|F!}+$OZ)~XSl(Zk_Qo#3WMhnk9gM0wW zpcPM?RslV&dweDC)>vV>w<}0Dk}JIq0znS0;^Y}nsgo`H-oE!2!FT>0>IR~KB~tpd zHh;+`wTGO1;2fjXkAA;6c9l#JrS-79%b3|Ubz7mBvMj-k;#hE~dt-LV@Vi8=j4A0| zFc|dXW;$g3!>=@l+)y3jB!$2_IZMAJ)<#j~@Bk%kB^KDg*oUSS;X1lelrzm$(hG=| z`G#sO*o5_GG+ueh7cb6;9$s#grZ}2V)UcWNOF6pc_b&;ai6I;Zwx})%_33MVvO@s! 
z`pqDXL?prT6?5T%pKsvpJK|PZs44<+LY;6?#qupBhs(dexy_%gt1Vj1cj$yAB$%z{ znrAaaR4nJT{~pV#RKnNheX**tQQd{^goEhuTNC*i_l|O>eC&$Cas54Rp5|1GK@oY@ zbHFT)js;CHp{$J+CfV~1S3bq=T0KTMA_EfP`>GcD`fyydrhqQ^e=8J*wf1t)@N&1$IJd+@wD2 z(tHZm=>KUMy!3l9sBs@&&10jCBDaxQ7IFY1n$Z<9lEf%?$Xp5}+FkM&>DNNau;LjR zYU>nh5M7{Covj8X4~7vM=@Yb<$guv#zVN@&$Aj0P5)LedL@HM)eN%~B+K#jYLpo_m zvIkKdcL(KxjINwDVuMz@Apek??bI(gnjrYRj1kug;o}3dgs+s52dIZW`z$9jY!!Sl z-{WWj2a>h0ZvB3|;S{tDldaZhqe+dzwG~&8qI@6Gdy92CO3z?~QB!D4pGPcDnQU|4)oFEbUQ)5@y)kzz0uk2mR!iX zTSy81dzbs_-(d`6*g%B(nxOvAy0Z9(t*}=v?+jTU33;XpsiM9}8DrmN?50QVMlzJ% zi3-qH>BPruUQNQUO>ZL7QB78?i1Kepq8kGWw0!kX-0@-;2}k0pkU$|-l5(>Q*T!3` zV5F}!(Pm93Ek3LT(96sL(_zG3S%HwoN|mYrHehukx}|-0;wOgL7O79Rtr|zwoHIOIAeq~ITR2f>=W9h7y{%UZVF7&mkzNiXQoGW6_EoC z?+S{!*1)XMA&Y_uGlxN(inv4ah)AxUZY3std7MFY!%&(qt?77*65C=%qmzDGWh5-2O2S@Jk_D|!&NkR5zVq1W(zagz zg=&cmeO4Rx7{~UctXeJ)M_AI-+dU&VU(apBZ=7FhPi{h*m7)fl<8BQ{Y8CV@Fnx{) z-9-d9M}~uJXPpY6;EW2TIvgnIU*1zzo&opON!{(pLxu{FlF0kHN<%L5=Eix$(ycNJ zYx%uT#lF$R(b>TJ5^~JWn&r=(Q5|MY;@17e9dmBGsjYge!}%m%W0BfZY#YF6wyLAJ zut=ZnQ<~+Engv>1tE6XJwEolzInN`qb@O^R<7HoCIg77=*-Tw(Ox^|a!-19mg2-53 zQkP)#X_FN<$f^{CE|Nw{)tS0>byfnyV;~ug-c$|CFfLWWOXYYNsWzK0+q!YP^uPmx zFG7rYRVho-iWNRjrBrFvtJ;do-DfaoN8<+D*0BBn6zr$XXei0mPz!68%q@Zz z?ih#;$N#!@_>6@YAh>QHF=v5DjIvxjW|Us9g#C}ks^RGHH-5DlzFUek?;mlj!iKr} zt?_U)-IWShJf6U$M}arUIt4@0N}e1Nobrxw)%wj3qOW~rCaqfB7UBs-{##yV@e6Qr z=aIdm3=1=vm;`hj;mChe0zGLIN#)N*;sk5l8`QAN+WI2dp!Xb|1%0l2VQDm<1P&A+ z_lNLBl#n;Wmo3+Ux4w#pNl;<^8nV8A0`H zy@{KM--|>oLRsHw1lKPV7i3zhX{AO7RJmj9jk{_eZa)zlclB%aFzD;<&=r60ODif^ z911$1&jetWewFm|Qkeh+(EnCtp_dO$;Irc~o~Wy?Gj8YLl|`V4)}KE#2urla?c*s3l}g)2 zu3hPVt6x;vD+Vwo@3w*px!_x8@kS;AOo0GuP#_Xapq6zGNo@)dI*x%;G?I;;lYEFP zMvvRqloJ<%<QvEnYqcdF}BMBa669nE{e-ATupt^uGZP@H(JNxG+)`)^|OyK!&{dAy0*^e#d^;K zT;;uxS+Az#_Y;>%@&d_gLS{hCY_g0_SclD6&dO-5u2$2vy(Zh;Y&F}B>twsG%O#E5 zY@OC^tpf(L9EP`L;WWQRz)#+AHu9xyc`ib>eeTQ8^;`~}$u@4tdV_1aC> z+HB)#gG~F9Hk-*<&SA05)tF#&B zp8Fixw`-Po0 zjmCSM-8E56Wu z>T-s~q>UaV&ySipG2@$iyfY=nfT|Esth8X8MK6EN8$T}&@GalcR|4>}h?REwCJ^yu 
zc^1CH`*;5QpYOUZ_c{07+uu5dv0K~QPFkO_&tjszcI>lb`}a@{rf5f9Ki*k{ckGOd z0{VzHqKW7snn?>;BA!&vKRM~)MPjkupwsKop7rtYq_QfT;%{ds$auqMPSMH9Nr{r$ z&uFipBGHCP;143PxWvRX4Bjv@Dw1Qzjvwy_2&n1An1@g>h!Ygzg-H?lCZm9{eh>}J z)m zr2|M`*{-?hbdK+*8mG~A4{&Q(0!txS57uL4xI%SMohz%^Y{-O_xicgb3WY+UP$(2i zQBj$4lu{K1%2bpo!en8VsG_1W(3xrytsx^8`^1EdR7ZcgJcg-3e+N;{s z?1^299jQdHAJj!F$9z-h=H)KO#tq{p7ox*C=scchX=9peesk5jzF6_nL^ z*32ZyFb0Em5D*dyMgyXx=N;PvLlgkxKotw37{pKrhcF0Y3^9ZdLyV9ZLkQ8_EVKrt zWu@e^cBy0kBOxHyjxq*h_W9AIjTBb@6fiS9q!ga|_d`O$Z7SF&0-Ooe7_1>}42+4q zV=w8VZs;O!=|`kkeN+`x)G7%{F4^SBB8MEAK{U9$KYcj}jpOx=>7c+8Anv@rIhe+A z`h@gQ;1UvdPM;h^^SJs$Iw)WXh(A|<4x(`!eKB1qxCF$Vqb~>3c)Y%l4is2I;-1%+ zgJ?KT{|C}R!6hL6IsG{(&Eu{eWH6g*y?+QL4;>1emDYn#tB(~5RP8q8Ff}g#uHz@H z3Kk<*c7$~kTvv2-mvOVDYpq@PD8DWs@E-2;8z1vV2}gHZ#1ywl6i#Wb6$l< zYJ16gLnlqNO4On27pXKQfc)Docwkv&+bbSffoJCw z)|Suw2kS+!XTNHnT^-wro$uk`47FjfiYVC8M4)gHh$RTr&aVqXfJ_fXpc#AkEQ07( zL4eF@_?T2}Y6PVie6fcZ80(FgPz9EYBnl?r8jl_VE+$Y^ON2h4v2wl!bX19e{LK?r z1LXm4ymB3r#?mAYCal;V(nlZFxPe59uEzBVK18Vb-nr%IA38h9$02pna?qhi&*=^- zf;!PuG4XKSN`CbI=Z1AW_{Y8g1|nJDk&R!^oxm4MSXM+(p7#{ODPgDfD_{3%B)Maq zG0HM}yT2xJq0E=v3CBo}gOR!5$9#8E48vForI;(~=3_k^{Y~9j>QbxF+ae6k1?2~X ztQ(!pk}Pk>|IFV2S07G4vjtZ2tsq>=36{>H=hf*!V zSD^@AkTbR-a}=jIB@UKUz^LCI!ld3GaN&?Bjb*#hi!gebFarWmJen4>z;kmdklTIx}kcBH06 zGD6J&i{Q}Vnjexc9j)^yqOY=OH0IdD8*k+V&H&m})~J&^;sD6^zmxI%$Okcu;P0UAZ>^d@+30k{_|oTlsf}Ms~+kI*)qQKzHVYX<H@S|Z;nWD_W7M_+ZJ<00Wv@_TmSs*B$4M(tYsH@cHpw>X{ z7g^NkQs>&Ha@3TJSqeCpv00oD z@*V05NK49Ftp(Z7RuS9hN?fSJ+)j)SV46UBjr+$FM?}YC!owF~>`X6|5mUh z=onL_3Xa)9ZYW-Wbqm_A{$WBCA~Citdb~Pni)Y?`S_Z9D8k$`%X{S08!%IK^cN9Bo zc!3l0x066y+0l4*)muLuhk$2C&wRW`>6fMe2UX*bsccy zfH+DoGk46Jr_Jsvooy~_7;n*NMhd~18Cor@V4T(9pql{sEGUhw)<)yC!)3yq~w4&~-BbtI|NcvDOG z55#PrfLJzdAEt?5bvdIaP--7aXotk{N8kr!`u)jD`;7|+tq-fqxyYAkK*ak_aYy2i zOd{dudULo7Mnv|9PSQ0hw^;l1?Th=+8~At^P>j;kR#A2g0oKmiTw+xfwevItKm1yc zN@CwkHR{CYr@3x*B!v>5!9sXGn!91B#dIvF5;354`6I@|y&X?oyS}Gu-NRneqi#l= zeeAl>ii-Vod(TRINR$Q}Mw_}@?U4Cce@!Sj17K2nR}7*WYvu6elZ&pFA%)Mw1nvnn 
zV&AwvnDEmVa99V17E;%15*?SoAYdrg!%Epm0oq_!4eefnK7nf8w>M=J!eQ0%IKZa) zG?dE+hlA7}Uz0g)fg-&@f_5H=lE&uZ)nO@1?a)C$YR*s5MCLo163~ZrC#)a80Q{9o zM?g)2%(UggS>T@9g)rijjg75cuAc8GEMA(Gha^N(b#rx<@Mb3W{M-YJ_+YZfG8D*j zmSQHmnHs54ScL3jm=P_W3y}p=O5A-E#S`JN_61Zf)DgrXlV4Zp0ju?+P>JB^FdLPv zzW~wHg>r-{SgtU|{mM01z#8lk;e~gw>A5i~mZ62s)f&Z2k2w%ezY2tgwctatn+ksd z!f7U3*Kdd9^NaJ7Im$qwP<5)hj6*_$Y-QS;u^x4T zz0&@l!O?}O{>{=H3DE+W7ygYWE0~Fiun2(E>bLh{q{X)u3na3hw)LfYN1+EnhG6eC2eRGf}K@;U~Y}>YN+qP}n=8kP!JNE33ZF_cX z+c)3c#UU>4E~5L-%E+pYuFQN{^GRY$rud(^C%$!D@bkyGkb>260 z)D~o4@V*Z7@KKwx%}MQiA##(Qc(g(|wqVwR=~PcO;(!SOe?m2a6|;Kv<2dudHcBw*k2wR z(uNYW#DG@fAnD#KS#HG0EKy-iL5*l)`HB7uufX?~5LZ`|`93h>`WWun7(&S4|N1n3 zJ7@z0F@u2th|qLn+3a;Y@RUx!`ZA^wAm;HYLEQl+0Am1MSM=n#{kZXx?W$4kUCN5V zW#>du&c^{SLdIsv5*fIp{5%OU#_89oix+heB03nl;%N@hYX?nn>dYtQ+et?i0yW$U z2uL6-2N{vuu6nlhF8GkEYCA3ir=m>CG#`}$(iQj|c&LqZ7AJ4UoZxZ_H8>=pDYkDc ztiO1afib3X_%s(Q=>5LY+abfHGsgXhy_ZZ=&X6`I=7WI-8!d{t#x;uTE2spvRrcuhtwJ10d#%KkUnty z7n>cw)|K;j9cTUPKMPy#ddGQ9oVq*yO>UPh(mdzQd4A?<{#uj6@V_!2AJfn2Qd4E zqJ$9_q(XB{ICSpdZNNne4ppvHjaK{uC5uWD#ZSVq{Lx-TaE?g3xwug*#DhgajgTK5 z>oZDZOn|qyw+*$nge@&(E{{en7#*6MOH7dRF@zldr4 zH?0c68*glWq_i+pEx_HTDF_9Gbs!S@B}&gINOA{{TG0D_ej{UuQ-I{P0t*`WB~JeZ ze}nE3CWg$Vzr(tZ^?@k?rSa8qq-BC27lro9l#CVmR&9#<_WP_rM%%T~M{R_u(9z=Isx<$VyExAI>ehQe@?-#asc(Ek z!C-<&8yV4r=yQP#sp#L|slLg%+VyR$x-Ug1KcJY0G)2Z9kxXdBAdi z>~X^66St%DlP1n^=5fa4gHIfJ1RmFBV+=#ED&$CiYCjH30oSgqyd0|me&=Mfx*`1r zAuJV>1*fA{(u?rvNmhvBpH{E$k>t<49ZOJ8uXrILidd8Aaeo`b$-@k%FRKE^)ouWn zTqah1%YYM!KI5KOYb7OS0->~d&=V#Lkh*8~^g;?s0sE*BNrlH(mxamxlPGH;0 z$HL`uLd@`$1H!Ew`E8CT6#lmKTL4kO6(?=z1;a%+PymHoX*?6Nq=EdY-p#X&Ir#M+ z`J!#x-30j$uG5FpY3p?JjWe?URNKb71>_Vdh~@z)m3{iGk`XGdo6T!hK;b7q43E=|=Di{~03R43SjZsxp zv+#_eHDhE6oj{SO5(G`fN&Q8Ek$$v~JLm)3?YMe0>E;Ole|#@ciWby*LQw=$5Q%a` z_~+$4qF8Y4+kn~9joeC*!Ca3l25`%Av9?dB`QHgHQB=PY9_>{Kaa<0OErqPNN}(%Eh3vsKW_m+d9V-~-!|Kk>pjVu+_yVWeD4Y>XFi){#_5+|E54_ZdZi z(53y~5^;1<=>bASO=^6yY^Wg6Gu~bK*p$il%pRb#kww2p7u%qWEN<2ISTP3;9+R{5 zb7mI(ikW-vM0(Cvn}B+AO9GXsghV>PN&jqS4vfGq7R`5N^`^ 
z93UgY5F*0DqM}X$P!Zwa5s;APkSNeG&@nLa@RsmEh=76d@y7x9$=Sd_NC84ALW$)N zLWqdqLP8aUN#M!D5QJdK(6ITC)$l}!h<%7D{6s<{!w`sPK*F$yn?Q5$TL>_? z_W&4FfY9$H2t*A;8=V7?`Og5HLV<0f;}qSIFKAz)k3BPAF++>}=)%(DeYw zTDiCZM6KM-TnvP4+??G2@@_7cZU9v?TQ>_gJ7YJ1qLG_{h?Tv8q>&rI&dt`9l8W2a z(#6eK)y~n>jL^WH8z5t8*1&DY#I$If8SU9_yxc~s7&ZG*Y3tKNoOBW+o2U|HST^E413qa8YAmRdWb~bV`FbW*3=v&K@f`-O= zg58bmr3_DC5w{c%mPSZ|4or(A{1IRzrJ{;o9G%AYHWc31b5dKz5r1SMVovV#-^C5f zuk3)bGlrWV(d82E$2Q=e?d91Pu5#PVtYvEC*SR925RN7r#!tPg-rH}#H9GrUWt;8a zU;#z(6UpiN~UA6P>alQC2->5l0e6hQp$ z?u^UOsqvyHYj`=>@)Az*{}@F!r}%?hsR^FYN5}oP4ap3c=*MiRHOWAQ1QHm}o*CMM zsiVViiwBR}7mdCUxZ?o-#NjG(ug@P%hiN2QR?QvXK$b|KbuuRl> z!;DQJU+$LAK+9vdq_xPCRA%r3m*G!L*Y>aM#z`)j?24>Z9C%G_J#Bm_iw6>-{D(<9 z8BItWgzfoJL9GqFV$Y~Va^bIiwML`goT*)Djxc3N{P535Rd1s0y@fWURM;VwlkZ9u z>XSytUkk%2+@A!JRRlnbUBHP064~)i&%eKIe3rkiK@nBeYJaYxar^K8GF)GGZ{DJx z>$+^iiGr!XOnkw|nVKdPZ|M8Vcf@D+5#<#y7$y@x!lr^w1MUF~0LB2SG+q%?Zc}DW zzYzK62DbIIx4a?T;oc-BH7Acj_;w^V2kAFn{`FBjL0bz-YEe+ zC3h&P9u=a@pkmgFdCsXXsb%^{UIioljeC82iOy*$BUA5MHa0x><|nNi%l0<9b`GTL zU|ituAXIhNs6C`wPGdaHTe-Nn`xUEhvZ@W?SHf4TXlsm?X9^(jweTcf93@)6HaOP0u5)|w~wbx6u;_`uw1jXS?)7&IO%ze&*kZH6OnrL4(~N5AI7#F>?KsJ5hDOJS>-OBVDu?48B(w^*)gRnifwpiG=QytR8xyyp z<{M=#H?C}gjdeE=5LE9IbgQ}6mKw3??0g68s$FvWF!!+EVyv$ZFLD792N8c^5XLKw zcD#VJ35w1Dr|lJFrhgqsi8ARckUT9#S8yt6J6DCqrJp)I1i4Nym9BXVkQtZ;XJJc^ROXYD%g4I<^lS|U|l?6{%<+J>y!!jc7^nm4p zei%aSCBZTDt%E*!Mh~8Tdp~gt5q6Fat?$K6nZy!0Y`s4cT3S zxsdV3xhEi?ns>tRT6B9p0TY<0grGGwa~F$CEGW_6o&XUQcNqgGT`vFWB4*8#zRc!G zK@)tlr=WgvfB~)`@ucImz~;QD|I*>zTKk{Yf}JJ@#B(^o6v>@RW$)PlGb=^p))%vzB4p~`c#yHDOAwGcfJ6MGfoGhLG4~!J zsESVSKO94vu__DU)$%MqmpES%^CtHIJGkF{jvF!F-RS&)I9c*xZ3qEsHwym|MB?rw zS|(xwyylAF-;R+A?7XTfH!mY8Sr#WEg)JdC?1cCbGb?5wG9xW5nbxYR^KERi2LSnN@9k*^N9fHt0V}_hbF8zQtO*n4YT96Tx zh|u=P_%*P>Q$p)Zl96nl6tCi2Hwf}V>IaJp$6-L6-X1iELObdr2?|6q8J5HroqIeL zXDUj(3M+`5p!9)c#`a2eNjvJ;q4*2ellj)vBvk2gc!6(c=H0$$*J#(bTwdNoKNt6<)=o@Fzfa|7x+x1YUJC_9E$%l+6DG33X8`7whH2UBf3^YSeLWo0n zXJUlZ@&+FZVo%)00hp@%BJotL0`$NG4srifD=fuXaA~;l*SH%!k*wIgj1AKKrLN_9 
z3I;V3B#66Ex5&UEl=!j_)Nbf-Qv53CDPUJJ&4EytR*FKsrYsKFXHy=y-V0$3r)_z9 z5HkErK7=%Lm@OQK(x@7nm?*$5XFU7hp2>`l&!b@f3(3!(CMupfJo7xan^juoFK!690!<P`ydypp(t=q) zMztAlHSwZvz^bK)g+3KgVe`uZSol(ekl#fu3Z77u6LLd0Arg$?5pAS$Wyg7;MUES7 z%?J+_e?wAi#^9iy=)sC_4{==@);}Y8EJCVFnu={28Nm*x&Nw7+S))q#H4QjFeQr_n zES(hDq)TCfQiByk-Z-V~5>BkJQJX#=T#HvAp-PNvIc5H+?vVOrDHqp^bYBqzGaKq( zORHI0kyO%(ni^7!vf`bH)Ir^8`3@yjV1~efF%@+Dg#kk_YD(~d_!S3sz8GboX9{Zp z*0Ob;U;B4Jjwz4()Hq3YyMJXH3y~ns-h4h7SXS<+)s%&yVBUxZa~7v76A$cH`u(qW z)zXZG#K8DsY0X)DQ{F-bK0H;BB{IzA-tZb^!sphSQsx)o_HUeBO7l}hvG84X0tbBNR5$YE#ProA6Xoknim>UmD z@91<7ot))_vh6?P-kpoLl;yKR$qE)kRyU^gUUc6ij2vxWRy^Q0KKB@2L_~*6cX~P| zQuHu*1Cp_DPoZl6S}b=;1qC^mfph(r!#+tiVbgKTz$&If%3db+$#_1?TJ)Z>5&ul! zUdVFDbx5Pe1`uNdEp=68CEo?*1pQRzkUvQd(%j5@=D!sN?Vo*8yCwB6^VOrDm+q-= zi+ao*)+PpI;NOr$;f;|((OHR3ut^CaDJ3DeL5V?9z)qkM(by3Q6$xfh2+0M#1w91W z0#5>u0tW>x1yM)=VgP86L?AK%H{ju!kovRI0e?Hbi;MYJL&UiNOoWjdT0ti?6l9Wc zHUYug34Sc3Ur3!0lOU1c!0flbcfgdFd41b6aS@?2vGe@2)!1Zt=_c~t$W?qlO(r9~wB=y;s`S6`;{U7g71PF8T_N8ttPHj4775Ey_Zh?OQn=TD3u)#NZwn<*6w@huW!dt&n&b;;%!{F0l94(o zhA!SNnlEyvWLLDU;H}`nPx46j;^l{&8M3(iXc`mf$jAH(=Ut93&yyp|nP~X-LxB52 z*@yH(8Raul+LzlWx1Z)T)~>8eX`enZsJ2J!^n7P;LUB#+-sbmFaag=mY`3^RH$OKl zwHQ7ZZls^OQj!{&DqRsbi@R0ZRUNU!q)JbXp$hVYm%({vr!pTJw<~s1Z6*07$urB( z%Q?&a5IPS~35*+jyAsfQpZ7j;QZiR4B;*w|a?9xn`IW&}k1ZOq0X<@nFb;(m>is$M zT6nZ3c-?V78&UK9fPwmZhpO=M?d@^>a<$`^pKE8Z!E&+p*~M|W#P?VE_hR{;%AA&) z`T}F}ffk---zr@zWcJWkssHKU2DaHk;KFf51;xpOoDy6_qk3xKx#N*ShZ7u1oD*zI zY)WjA3JgjNOY{@MMd(EYY_RbW&?*Quk-1siS)K~KW_WB6YzQ)ocUsd{ritYN&GO5_ zvwhq@neiPtW{GeXBaQhJ(P#Uw9y(h>vOMN+S$cAHNBSjp z#@P$z_~=i!zh{Pckc<{+bHYZJ!7u)m`o-tbh1e<)$y&z7?m~e&;aA%PIqr{ocsg5I zVJt>R`|EBd|Nb-T7z#9S7u;@3drl$v&#YGvBjfzs!AdFdv+~eQNELMv-~A$%H)^)o za*SDXDELqsO`mF1{foclWGhO17u-* z;FiT~G64(aNG3yAm|kZbvL~?bozJ0vv)xJrwcT7pD0mPOF^GV-;!+F}J~AxG&kO4W z*u~DwNKb25wxA{flVAp`!miwRvy(z_yfS8IBvr0i<}g=3V$uQ_8ZN?w{X;oMO)o{! 
z57Y;-4*4lbEdg|Y;z}Y7iOf?iCI2A6IXAX9v5pwFbMKcx7|qqyp39EArHif9mm5rq z{TS!R2;358Iklq9d9*f~U(XhK8CfZ52}v=rojYZ3I+axys%J(YO>mGx7AY47(!2>o zES8gl9TC6nY=Qex0c=o4Iy(ANG73r(+lfUMPbLRHzIgvg-{P)^(C94x%sSKMw z2>9TxKksw^N_njjg#U;3@Bp|>rmwEFJ3;sy53S1E%iS|d=Nk<@1ivFJl|IjCFxbRS zDvf%LY9aDT$)+hh3bT*2Dx+sW+5j&MPmb%SfnKiF=!-QgpG~Ku;nac3ei9=Jvj3$ zj2@fQ3h>V5pQwdle7xJfNE2V2bK5<37<9|xqIP+k&UU$Iv39A11jj3hMw9$uac&Qn zgTbJEawMedm`vsfgLS>miVo9C<*+F%K|y|he_xdn(bEuitH$y+P(S+P*ApiT4hjkP zx!@tsFlc9JR4n<7NJV4O;8rG_2)MmwR#sMM)amKTNkT!#e}O9_C6`1+kEBwO)uadCbxDXHEy2V*KLt0#jY64%psY$W@8Mg$@Qbf%-eSS;o@6ByK& zPfhiTvoJ(mG8pt~$d!shsGB^=gOd`C^o=MTeP$LQx)Gur>7)afwL{S;-x4iWGQxSYPVwRCh=vjDI#pn=tltSn96k{V$!YG_o*oLs3)vB>B*gg;UcVq@Uz zq#<^ky6EKKPkn#>Gg^TyOX+7(Ah>Iz96pw}jZ7w; zL?~50XTf5ApU9lq&D%~SG7O0n9H9XUnLxn*=ivk?90H*Qj|bZAWHb?E1diUrL+9dR z+;+91SV)q?M1ER^<-mBb2lBRX02~f;aekIECsW9=w;;wAHV88#y<=i?$udH|O)gz- zFN@V;95W8;zBD1>S6Uy98YswjnP|{m$=G%h>G{L!&z9>Y9Q<+8Kr#Z?h0SU{Iuz+M zr#Hto=XRcC39=g`;!#^I6dQpw+>+%Dy(ix03(SZcTGYnpFtLHZ(N(+Y*=0lnz7gC8 z*7~7t)pf38p+s=%eo$O~J8hiH&j1bVwW z+neiapcSQr_`Gs6QW9d?b&4($)C6Z0+_FS+WzCTELs5X7prd{7xS6Pku$3dw)lE8kUQU4!4@)8O8 zKddJ1hwH&%Gi+h87;l~b zg*>(ujY67YH{N=X#N5aPY7E}qn4~U6RYCC^B^fyh$wMXuuMryZty12lB6&@s6Yr6A zFXrWc7=z0LmoPa>h{0sEW6*0h>;t(K(1pein~Bm##`XJIL?Tbbj}drWPq=P-dU0I& zVZD0A|II}@xY+(oEKms8@zG&N(3hZk29STXH8kDO41#1}j|XnX%EHWh_EC)@>OevQ zOIGl1%&9NeE4)neI93R$aDG7%_2Dl><;0-cw01z3-!|v4$NE>i1@FsfF30VAU`o0a z_9{vUk}1I_pmPw!aH1HI)QE0T36cH=Sk~Fnl2go2yT1QX#|GYtr|_p&uc(-FbumHO z1p_UE1rg*gViF09WpRoRh@Cm!-=85zVq%cUxD2_}&guOJ_H{!S*yb%3$!{Kd%k?1j za48=6*KbwWTouwl>~M94yrGsqy{kR1&aXp3?#r9og))%Wb7&m7QCl0h0bl?}S5qpE zkV`RG2fmd9+lYeAq7Irln2Cvm{{E)aZ^aO`kgERB>q&OGvrwEATk2J&a>0K)1}j{)7X9!m>!rOGyPZgP|Kckc3M(gyXYnn z&?ce%;+ULsGS9aEb8FkBosJ~8&frrk3|eok!Q4*qQtPbzY?{?rv-ok9vK5bS-R+Ax(-~+m~jgdgUX`BT^>`sYC@WsOU-9Y&K#xVkE#bK@V{){7aaj zFy0O6EvrsQPGW)L1o43}eY@n_TF=m*F zvL#MhA{8hETEb5Vt~j_-d6AM@VW?cQ?BeffidFLIHtJ}~2Gr1b_&CxP)DAIi`BGi4Ea}w zn1rD4wIEhul>XP~EPDmEs<0-EHJBbhAMcO?l)}wC(i7FcSAtyc9IqVb9G#~ei5$~u 
z3W@|3k261%#@AI{+jXlyR-IT2uq4J7dzmKDr)dl+zA4_aF_*Jaty09~e@Poi!26Al^hi5sQ}Q#w}w_#G1<*l1A!V5)t`(-PFX`OwkZY?Zk@}tQ_7P zMrUD8H@sW@<;G>tBzlV175Pv}cJ32DNEAe)CA=j%Dg8*yNW@f0$Vl)=$WrVR%@d6i zwG-beOD(D3PjeT;o8_gK7i{LO=gsCXS&g!C$bo=g;D#V?_saJKqO!zc+tKjYL5;|e zzDI6H+n#&=R$tG6>;~NE|FN>z+<13QM}8EwCzc>?T~^wlP{5^Xqu8UEqt3*Zlw4UQ9>f>vwMno^urd6Ao+j9PzkjpUusJ5T zOKm*6&#=#+&$v5foBNo{nB$oLGP5z8Xme{MbI`F}_{k~krhce`)}DINV=R5PpjW>H zi4jC?M6E?FMdd`L#`VW4WL43Xkd@XeROYFUO?y36S{17l^Ayt*lN@nEGzS9B(a)Mq zerm0+6Xp~4Ea<6hj46jn*&{w`Mr#IZanwv9RjtJ!$}&7f&X;O?Qx0XSh@`0EFUe`8 z1QI7$`ppxGqagSqYH!!Ja_OkUQ_c5yfPRj=(W>=@7ZftQ0{hWwXKB`CRAu&4?Kp~nI1KU?^*F?HbaJSH-Ao@n3l^pGyi!zhshP6Vf zufQD!Xq3ln?U;(=Q-LY+q7Y5U(3h$|@OqC&cllu)539F7Wf>n^I{J0Uh*l`|Ad7K# zYh!&~O`U?gv?NHYV%`ba?tEtw^vAu4au_s^qO?KsPh8biGt7YtqN*qt7W{*uqF+ww zE2sa@6OYq|!-m6W(QVOHQ?asmQSt2BV4VSvY%1Lzc%)Yv89Qp~oZLyGsSV1qw0Y|y z_rf^WHitInf;)S{FUnAw5tWW z+nE#^%rII2QJ^RFqm0Dsj8HcFoA;#M+>`|Pb-!n-uASt{sy10+8nW7^I}#JZH6_4)zoy#7_V8s0a*LB#+O?^ zm%e;pc7L+bwT7Cqr<$in?XN7%E^1)v0%^JsJE3m6D%DUIxuMr43^~I9%8DSQ522IYLVB4$=2Hgd@qbahHp^Eev zgBZdUT@CeXwbA0^91e$?Zdeq>bLVu{wDxpXtarS2ytfjcgd$!AxaxCdVMT65=1HYa zg$Ct~v2(I{d3MSE{6TX_v!-(VpAd0T10f!vzks43{7WiWF=tEX(PoLh1Z3nC{t53p}wdNn$;GY^n&X;-18XBwYM zmrAutsnz2Z{S~ch9aTE&U=>v&OVtERWB6`BYBAnoxkbWCg=MiSybEj#BFrjG3;lEp z?Wez}!cW1PsMc8f9(q}A-`KXY%;g%&#!u556RCmUr1nb~N-#?>N{~trOHAiM=RxKf zPt#pxI#c`yau|1#EXEoRRGkIeaYg)zI3|b=OkXwq2{9)A-qqIVX70yF2l~$;&$XVs z)Jj60JnsQ7!j1#9!MB3Vg?<-EL(epoW1Lz&O!7zM2`5gAALEwiEnLXn?0;A-Ta8=w zTY=BoF6fGo*K(C1F#l$(1!V@w44A~3z?$H!qw^ppmbD^4vxp%wb;@@e6r~ygD6yGi zm4AX>gF!S_7Uoq;OnBYchCvtPr||!2N^aWL8q4GRnfhwi)|atDXy%5pOM^-n`;%t z*~veHVf#TMT3|5-(Wzw<5O;+_Zh*m{;6wee0Q;3J5=csL*ensIgMn5)r;TJV=rpRU zf&R*GFFA~JD#4=vi!1-rV4ciWCnZx6&sF%#tdR(Z$a63!yzQ@J`>hRrNBB0~R;^Z* zRzICqI*2;Er6;Q{)h+&=gm}NFgT4XFh&WtMhjmKgDxv>T%e0#I8HYjR%qmC|{@;BQrq>4lt*Ql0 zzxMxH5t1&$Lf|l{HY5`yLS9GB2}hxBUuAJ>g48(QyVXJxi0N$h=t%3?3@+7ZrC=)6 zItR*2*%-yR)O|2$WL(K`vYyT)9jRJU^*ie5Z}=GSoF 
z!S{bYcbg3&67V@3cBn{8IaDT`oKevGztNN+-lf>llgh_-X~+jGH$mgm7AIsv;?&P-}u2p7p*6akikX2fPEf2y|suM zLR*;B+Q}Z&8$_Nx`izmT5yV#A_YqFw&K7(;I1w1PebIax{5+#2O* zJpO+JDoDOxotV7trslE+%y*llrzzy_KncA?(nG?DI2KkJOQHywz#jYlpe}yDDJd!{ z@~ZwUC<7W;X(1h5h>mtRh&~LVD;2=z=26fVC>YGp0Im~0gX_h>(7@0Trhgn?kn;Vb zJeU|DCT2E-kwD$6AcscC$fovV65rJ?l@C(nMR9vZwICJyS$^DAA=-Dtq)~O)h z8X0CZtqQ0<30Xdz@~hzqk#p|ZtxSg;64ldR4E%g%hV*!v`G;gAnYqL=Po|gQDC%W_ z?;us!@^Hv9z0(9%SSx4(D({}7^x^01X?A*hXsdsEIB!3lmsxcF0faLDI0$-?aN5UA z++LPLpPTtL#wAObIOZOz#OJYzS zypvW&7HS9n$zTRTw>nhL_9)*C3byJpIu!hsZTVfL?I0)kl zB!ii8XoELk?&d~PhkmT=>2cRvaa=FOv}OZ?WdAtQEF%iZu_G$cl6DZ3$D^DdBJi)# zm}UrM{9*xboDzBf7V;DD_bgTVTj)n4vJ>34Q8FHog2GHZg7^&8@iZ3&@pS@f`lTY{ z)-9VUME*!GzOe4WCV_*g5pS}nN*Fg69v6Ef-qEi0-yYH*B_R>R!=mJ0VrXOjCe@Jr*_W3rVq})>i z^X}<~7o#&-_%SwzEIOB(@B$}|HYsvG8iBR~V4-&GhD}Xcdut{SsMz;+PF%AtPLel? zf-^S4jjMM_5#cGBiGHxrT#6^BED*KL3|Jqg=O>WQ%e61=0*;4cz0@*H3|;=FB=`#U zeluv^c3Xskp;8mG`9Ea)u!Coa7GBiT7@^g=j%d?7>FBgf!bp#I2)KAEv|4&QIg3`^ z<)|#rw0*W`BV+yqB(CvQC&3mS#>X;A-c!ub-@`VJke$;VlO1O^Npwkc0qvsgUb?(j2v_i6P&Iz|nd}cKB~z|% zoYD3aVDiTD2J*ftJ59-}NvjFoCH%pXiU|dnWY~pF*2buzVMr^M1hX#pkw61<2i{7? 
z^vXxzyTH3=|F&cGI#$Y@e|t1J-OJ2+&L`}QMq2&J=4V1?Mn={Pt6Q&K++^}_J$C<& z#JIaxIQM-#Aym3B8;oSxMc=EM-2I)D*QYLSM%n8Z9%C4au>2@wdNTm>p5SH?lS-2X zHUu^5z9zmEgPMR&9oY6(q@T^eW9n((X%J|-r(Uj@PZ;Pf%rLb&BYf-t`YW-E(mh2V zHJ1~Y41H-36QA2)ZDtl}yG<+=K6apm&xi|@@REUg5nmdJ^ z@Uxgx!c$ycTt-}(gaVHP==m4Sk$+}Noo*pOm-2bc&N)@L+rE55>w+5FS8RE$j%pLx z9;_{B)8{nt3Du_+!S7I;%IC=>;vvREMw zQ(wdA_qo2FL7l_$O4VuCC%V~Rk)3mm z6Pc;MGYAxh!pxE8~I@!28_EL0h*HE0(wJudi13-$Ay!Kp3Z zY2RR+`-FXJ|5fjKJ?*}3(U5I+_XY?0s|-#PDklH?Tpf5B2HWDF%CNOF)5pdJ ztJAmHu<)@pxGeQ+ws;!Hf9?eu(6O8Lj(dyCQtA<}6_?9Emwgv5BAD}=4YOo8L9yiE zrI*a8K04L;b=>9)_>vgghx=n@@b&)bf87PM=4Kjg8f?lv;5vE`LM3mdbQ+6{UP>cP zmcoh2hQ)++C_b|_tZ(Ac(6&l<0q+jZvwGEX-!)$sF$ZtGM&GQfP3zpF?+vee|*1RS{omrhpC{*-^v+xGwgAiWGxJ|!|q9Us@tunf@)kL+WN&~1$aEUAx z*bTTPMw@+#WeP;ZTi82zPV@lNdbi{8AU95)f4cJimsPl>x21j4f+fm&WGOU`BRESe z7m?$5#NF$%1u>m^fs)3mX!+Jep9%6?r(2iUV;jy#`)OHM8 zh1Fz+$kya0S3^QmfNSH@EagWbn~3$EX6>a}#%h_({1CgxpXFqa|MWq23rI+S84((> z!w_~a(_$fzeyu2%`JqoIYnDxk^(H1xq(Zw3(zVgJ8nZoPCH~W zKz60_z;>nV{Z#z@8zjTNLiLzE0vse5H~|P03;+mx_o1a`S8qEXJd3WvF}Vk%A(E9!Cp- z`!jN$O#uY)j0usxd*-Wp-IW_CN%VTuNaeenUmtSu4Q*{a+vnuBZZ#~!Z9lgWlii3Y zdvhtw_fX)5Q_IEE^763i#Dlyp)sgaqD|iUiO!?Rp7c&W^hdi^-T_q>`1k9Ry|6U3BuH#o4oug`eWC=&Y75 zNSoPN*m9=2HdQ$otp}~*kG&EP{D_ZpO(tnAY>C#o_Xsk=* zV9o_lA0|en`qTQj>Qww$5X`hLL+@mg=X>*9`!h7^wVmo3Q1_*%h9G$AsdGC=2q7o` z_fHKmJbd-D^9U$zuu?tdKCmS`mV{}zwK~dWH;vKwuXC6xJzi_A zODJYJyeC@NbiCCFOh$HuhaxEjpCXXNhgi9;QCl3#eYRLsGt1cd>)B7Lh_nK@`_hmF z5TX=teEQSr;JM4JNrnh zukp+*x;I(;_=BS4%yzW9l->lkG~U$&xZZHLxF1i|A$X|L$qTb@19dfH8WWEe*%f=k zGXxtOS?*~u=sUJPIODX9afAn?YwT*|xKJvLYxc+tWuM6uMbsQdD_`hc9Kr#kbgaXc`_7(;tZM1k#+n!KA@ z(peO%W`q60r-aW!iaGOLst@N{37if!0fPo#LlDoH^478c)uK((MXJi~Ev5Q9ntRW$ zSunq~jc(gYsDwL@s5*^<^mLMWwXeNPBnqr7fI>5{xLU&R@qBDU-Lj@>C$!;hTJr?z z4)y(4raj^4%suA_Oddz*&Mze7mrcxUH4Of3&#H(+8SgY$f7IIE;^8O#)j~MJhxrMA zyn4Lemo}2uPjlG0kx-K|sPCDm$Q~54!6Bp;(-^+?Tv8iX&9jAkgNrBlbG$U5=hKV^ z!@gZ#y$7c1;I3tEThuEvsdwxB&^g8iT;}=xVjVFO-Us|&3Ifkoa&%f=o%ES?%UnGY z8oSrH4&>Z(cklJk`AP}_Fi|QTZ_eWJ;fhASRb2 
z1(AOZZNgXH!FOSIzr**8OFDP{4)MV21U__nWQ1^GF;HDMRc$6%ukd~3=r3MO-WPMt z$T)|wwL7cQ@IJmwn>`us+mD1-qLjlH&m9AKr+4#k!rrV3)l3mNoe{nzdD|lYfz!%9 z{+zvF5cn*e=4F;RN1DTey+c!?^(k*msBeZ}?aH=&e$1QmJ7b*dy8-}%6T7lXz7!N< zO~*mLNV(x&K~ZIhk88016VF6MVptBOEOR9a=ZT7L66`vLYVhSOHr%H@0MwIeQiula zgizKgLlp4{p&CQ^RHTM}4{R-E@)LGCKU>Isd~y(Qy9My1l(Vjt4OsHnf9A_l)_vIC z7BZV12f%H4JANwTyEdlQ{QUCYBw8O2v}R~g+y~LTh;DDJn|Kqk`vFE+Jx{>qZ}H*M zGfx_qDqkFuMos0ljM`*D8in^)|7v=DOkIZ8j=yJ9;2ZgNY|^_XoDrBEtB)ed7s?UI zca^&?b-yqLjaMGA(_l>&yQB9?yvw4fAEsqTA!28_a=wt|zvYgeVx&@7H2bkMXSudH0;EZux*MQ8kksEISg zsf2e+lYKa1o}ZpGc4<5>LN_pwn~XcMi8u?fk~& zgQ#A0@SFd);6$n1N1y){`Vl2+Jy1IDL7x}=e+eHY;M%0;!f2owYo?L+*1Dd9T%GVi z&zOen?p^#qxc4=NRs&5oh2kJI+GJ&Oeb^FjTOyGPS$($9hOMo$ZdvVGVkR(G%5)=W zcbau#8__nBc)F)+J+ptWR$0wd_Xh=|=O&cyCf@aO;4CY#?PAgCr&Ub;o!)z5b$7Ju zWJ2(jB{sO#Qw+3&Br7^>s=)eqkBQQYW%Cfgr5?v!QQaBKiG5dGygGVEF||REu{9N2 zBTyrV_9+wGc}dRZHo?oAr-oU2c>{`f6u+G8p2JAZE1RpEz7)k&PBwMS(7?T}3ej7n z2bWGV*nAo5x?{3TKIl`fH`>mJK`%hc2#;q##vRVv7;shH!}nqj0)4L^#R~;+Z;{vh zVxLIQk_TF*rYmP1@jSkLaPuJFg#iB{&qkW+OI477Y%+{*I`lfeh))n#d4YWV@ca&G zhk4X>u)v#;X%Ei!JNE|wbw;E$YM^riZJY5pP^s>f z<6au|YkM2W!kJcdDkGvUjRL z85rX3;W2#1DRJ6~?zU59M|Iy1dqL=RjDC=*_YAo*jTCCk8Ba-(-dq}5bxfKw0$x^T z`l6a=q>wD7$BxEkIf|TbpQ{TPog6)Lh-w_3S9G1BIh&%de<;q)TlX-!N_I{00>I)PNEEz5F!)EkXZ`Vt5f@Nz# zHS|oK6g$tEU~UhIdKrE|AtpIXWbHwv%(|S~I&a9$DS* zn9xP#Z_ws=Bm{uM2G7o^gM4Neur(4$zx|8id zUWSaQJg+r>8N=aRvi#xIDuUA&8^jWi&>XkEU>g z##vxzA2;dree2IXv3xUa+z^_$%KD9$)rf+~80W-kPS?|#eBtEWci|2eRpdvAxGk12Oomc6>XMx)pJeSto* zCWvwApb&ky8j^DCd-TS=-Y4ab(#cM#IJS1FH8L1_pxjpI#PP22|GX>H`#n!TbD`^x z-vS~pYjmZe`TNaj?JMqW$n5UJS>S%)&799UAnk9*3*g-}L>m2KrM~Fw&kzj8*F#kW zh2IxQV-v#!Np62`$_Ccw6&WmhTXyd>F^Krv_YncF!5}=%!+y&~1S`Ss9G_&7>RrMu zBGBSnj}Rclm{-RI5aP@`!Z>tnl`{_v6t>E-0|ts)W!w!b&CXWu0fAFOEf<~%G{>z? 
zhc^t3<{pqZ_79|qRF%*RvLmjbhL#9YuctCoQQK{7Le?u)I(A+9!1~?$kym%sjpkb2Kr0fOJ& z?Xdz-e}^+rhc59G+3|Hv-x-D}o?Zt(-cZ1sbM4RarTMmR`1o;nH;tEC$8F}ZO5L-M zXP(M|T=N4=WcH%+kp$=+3~;;oQoh|tvLDI(({?I2-?Wp2#IK|tI-f1_p3L~uOwyaY ze%Q%P^pll(&u)tLF|_Pw)UN;3_T>ZZ`u9S!rxzz*wOZ_U@-#cP$f;oIz!iy;H`Akn`QsI^x=@VJ( zE){nI3_NF6gO>&fT4#{~0cEXsk{l8tBPB`Ux+|Z`qOL) zDaxihcxi$8txvwaFy`L^5!?J$DnbL2{nmJc73uy9jm0qHx+h);5OvjK69kC6>bM93 z)Lqp~TqaOMz5WirJa7c~3twjtsZlY`5Gi||STF(pZbdM?+bag5Fo(0CmsqB zc*kcZXkXXO|HDywB<@$spV#uS*>dDqfsYxQV8YU}Kb?WH_rb!R z;oWXa?orSFpj=VnT}Z`E8%^4n?q-MfyuA`_f*2h9w+VZ2XLlYLJO(g9_Kz2UzI!}SwSCa>=|+HIfV=Aqf2$5Qwhx0a5@5bv)# z25hRj$m=+4>-+Pub*bsa6xXkDzZRbP77o~p4_JQ%MSSUq*YEko-uJpVdmql%ypI{r zPGg#7M}yzPAtvWz&mwR)G7SBXg(z$hxxW1;@}}KT=35qCZ z<;wITe-CdLn6oB*&$>GFqrAav>Z&XL{XC)i7@ z0qns%^TqGzSLB|>zp_S8O8&6PMN`ihA;_QH>KO1kfy;W=>-?la$P|Pqb~uccfz%3O zL*AdfVvn+(iC*Z%s4PE+Sv15pQkY*c^4KTx`oX|Tv4V!N>P;^;`#zBgqXy7MZ`>OG z`j#KrrCu{&94+P@AFI!ou->4-2Dsgh@+o+KuOsWI{V z2Uk#M#~afp(gqxWq$JZQEqw7I=d!^nOwNZZg=wFC%4^- z&{00epM1&??Yys&xRvx@dBIpNKg*)l^7vaWK9{9;dE*J-FOM0_<%e0+Vjg+S#V51$ zG7nkGWuIBm8phMS`kDwG&~Nk5-Q541#p&Y&uLJox@1M@K*IDI5+?EMHIb{D&1@H2xW-b)%o} zX!swcI;7u^G=e3idD2HdY;~oP$CuKd>5pp~AO1(;hwVo>Cdf0b@r&iFO?~u z`l6>Azb_PD_0C&e^It7H)+2n@?Zx-C?qhA_x85&-;<-|867O9vIjder+e5?IA0=`)%va z?TNeH=&1YKcpfg{<37XVm+SO%ePUiW}KCkkDE`88v7J3sC-IF)^ z@Qk#UFKeaOgYKW{Yj%45hPseZEcLpneu4}2wmKh;^)R}$wH}Dhtp?gKNDX7%!-9BJ zWZ?)(Fq?-B|201yCu}*-knXdV1KoVk_Y1vk-{L2F>Tz|sV5Fz4H07+yOi%3e!$Tdg zrDmJzhpQdh>cEdR&1?O5uH!jM(0k2pu>W(hBThC8oBjOI(TC3Pr9jaf;+OXBHOYY3 z|B8d(Eh5(gc-YNG2r}{p`Jthb(yr1y8&emR->C0x-Df`OQD5i`|Iecjnx}_8^+hlF z=z353LVW3!H(lW~`qOjFAN9PRn&zrc^wqnZb^lvm_paCCulqXebC12k%kKKw_fC8J zuU*UAzV~mhIqu5OeXHx<|K07M_gTL8zVEx{zfU;u-556$^Q%m+~ycGWW&~M0b>^E?*pZ!47zT?_U!us|F+H%gl{O$+(-dpzmo#x-%4u16EpS_na z-ZMTv5p>D)fbR4HvpRX0ajjLbOd0x0;yPeBp-HTaBH@*I=^VtT(1z6)VDmh?1G+&0L2 z;{e{Zld1OW)^Hr;z4sqz5Qae%v4k0Vmho~wX>o}R-jtVBTyV&xaQHO(ASub1!52K&1E>K(X|vkwua~~sz3FU=n8ihGYtC#J_0bm3_!SQeqiYq`Xot=G+Cmv->dfNl=!OJRH0-Ik7O#!U|E 
zdG%5jM@^~(a_xGy2OUNH6j?3PIBbwb)~qzGi18F{)p&AM@${pye7fxvCP&n8g~!t( zn6ovp7Lm`-Wu`5pV;v9;RjxPJFMq89h9^JlgP|Q9BY3@fN|{QuknVPFX1K>8dcSC# zUBrKj=tZ+~eYAglH3$sp`^`Rgogt8-vj60WMz8muw!hC3e=RG{KU6=huDU=bATYK! zOLGsq<(##3_d8H=)&U*IPWW{BFjUVP&L~FabZZp8 zoq_Jp<3NM+@^t(@@>tT_scD|19L(_hCMnf@sLJjxFL9pHGNinjB+VF>al4eZh$8spn@(>B>Sn(<;}^{R7k zv^C=M81xzW@AF_@u;cOzHv=uJ`<$nSfDfD7^1_1p7zO;PG>2G|GaswQlh2bWTMv&u z)q%J;?NJpPhkbCH*X$!V^A`?BjH~#}QQ&l9Sr%4&>3%%j|B;=zy}(l)rTqC}#J#1# zUGMp71N$>P8PJW3Q0G*2fZ0(jY%meZ##p46*lZTJw07CYI}Qj53`OqQ_d65B!GPnL zf?JlQP>51wUMT$-YzUn2xkq5{ntK!d6NA%9Gc2omcdGhi#24xlbCSoeGmI3^1@lou zggkgvCrKUNF|6E|i!mlogY=YLv=sq5SvM1dkhB)C)q)Wu63~0Xo&P=WpY&!$Ir(dy zli;0Wh94o_fRO84WeBVuhfTxC7?b0NyDONA$ICIxRcgvi9?a%aL!`K`%$=%ie4dgT zzZ+}$_7ncJQ4&0k$u>lK1yz5F@)6SFq&p5b-)g@g2Q@D%zxr`pWK@Go2?8yz$lc>w z!T7jU8p{%m5K&eXY4^x64IT*BXeid;RPK5oi(0`t{A%pZg&q68Q8pDU`Jq{3ZKqM` z2HV>S8a3&v=OSCq=f=6D)wSI6-Han=t3Iao4H^<}CXyKmI}Jlo6^3)Ezl6CuERgeP zqaTRw%yepkG$6w$3r343ktg?$G@gVpVR6}n2Qy$~f_{Vp524wAb`ED++& zKXLi@;N!6UUKznKTH-yi8E94sJ87B-B%-t3|d zf*W7iUrERBf!ogsEU3Xl4sC6!x@^K13XO39T2aIkJ0RwD1I)cUu;T?X7*LmSC?EBW zU+i#@Xrwl}?vIrB{FkBlL|dpv(`2$6bT|$P8_#5!=lg!!qMg(NF##$8CIMTrD1Ae3 z8%jsD*{Y~?I*mf_sr0s;^mAI%wROkR&e~}|Yv)udt?4`36!V%s>nT0GI;A)6teRFe zv7XW}?Y0W7*`SKXR-qZ)h`?WyOD&^rZEab#T6zj85-^21YdK{HO!g`7-jHXORG`wB zWy)%jLlkt0;0T4R15TRrig!aexs9!O#VCX+WBx)RTTpWSCPaA9Ao{fFtSbc{fmKzL zfPg6}rl$iIYO};D4NZ*22U&vgYPn?2y-2<~C7z?(nJ;U?COu{u#4&4^Oj`k9%KfAc z1z@9pB)Cqns*lY;N2I2t-b{CNGqnYZ1_La!Yo?HFQW5ZgesT|LP%)2Nn0bu|gn6c{ zF1ZLqt&&m2xTj)KCss*%QLEtD~D!dbv2J z|I^*`uqpuW2gi}V51&0quZIhF^m*R!+_59&>li(qIB>q+c(=BtcazQcH3GbvJ<6xS zdNfJTHb&{igaNaiy%i_)%ESo;TSC?DL9gU2{}TEnYDls~f5aQnpJs5i`imCBnuUSu zK|M&OKkeO_OWh*1#O&D_am>0ch8l%NDaCWTMk>WSfQdTr$BMyXre?H z6bS=jBbp)#gqQ+>SAFmhpaTa18#KrnFeEQ5EkJS26)0G#XHpaJIf7l&VozH^tt_mZ zxM0T)73fu*n4mZy$&{D4EMu|87$3sUr~9>k?SDTGLK&YwL1^=vF=Lt~tEJEAb2>eX z($e~QJMFu+Z<@Agy@t~DR0^f7wKS^T122yE2KTjL&Av5WEPtoq=d`KY-BP2zrc5w& zOxR17^h)*(Mrog<{F1hPcqAQC{)kWhjvDRhdW-UwUr{3DN0dEeNG}BZgtRyrUUpCn 
zLB@Zl+hwzK@}IMI$K(Rxfbg&C{NsZEPx1TtefS9f9{KBm0~`K4I)40b^T)Gq^PNn4 zXD=guJ6+(fV_$=x&b@Q1Pk)YfC!^x?mm{VvyBdES`NK*6H*VZEvEz5shRvEQ@~cV1 zt!BZ{82=gVE`Kv+*npqRnD~PM{x8+|d&!@Em-urL{w?s=0{<-W$8rV!D`h!1_^sq? zR~-ITvUu@R*@b@!@k=Sghd+w&L!oQ-fBB+b4L==mHaeIudYV}$D| z{UU2#B18ed-|t67MK!`g2Mu0#ttEX*Y1A}o`f0tra;o)?UODUgu5H@By2`2{V6#oK zy{qV9cx4rRmn*dXaAK?^Nvw9qNRDj9MvBxiks(6jATbcE_(z%#1aS`@@s3zWR-6Mz ze4|2aBd%cp?nHCiq)7|TbYrqF)s_^%l_*V;)E5cTBR)rsYIx5IW<={Py5YP9u%bkW z4jC$x1rwrSJR2V5gau*2cXnKGodcNe3C|^f<-)WK;6M#vKyh2}A1UnT0Nh7QOUp`Q zuV6m;5QZ}|>n7hX$k&T)mdkG!9QktT7T+zm+5Bo*zFEZbFf4fTy;7x8Un_ao+FNA| zj0&`Vr{u4cv*ha}>Q#~iH@<4b7fIL=+s0ob!nX*JAKN!=`11B3K2$3KVpPNAHQ8jS1j%j-q0LCh2W!f*!~33mt@(DwIeC0a#UY`UB19 z%~9?-P@%k5f9S)l-RYr5a8@Ef6?hVynG$t4$%I~7=~(47T`SSau| zu`%ZIPq_4zCGw*nz@~rgPjH%kSdFPpy0b)c&32#L5Ir0j$b6)X4ya37W}`i*Mxqy8 z40S+!ym(VnzT+R3&eG+NIohuy|9hc!#rwZc6jlQJ|L?=VFZiOH7cq3iScYq$fDY3f zrNQv(8eorXbkuYxgWQMe>#hWdGgRyGxDaFaF<~in`+Vu!?eh@ zgs|csi(fZGovl9T0m$3RVvRSDjn+W85mcl-etPH3ePP1kP74SaKDL+==S3X;+$Qba zFjhg;BBnr8!`)N9_9k=PRzh&41x?~ThGMt-yk&Sn;w}Ua5M6IIn(%{VJ7|cndJLu6 z3qaWd7EzQxJHrAOXBdXn^{1p{_#L7}eO#J~&_BGj3UxFKqo9c!ejcSCm;)(Jc3j?r zWb22^o|h#|&Zf#Y?1qQeE34J5N(g{D;A*gK99~i3sYgq!hJ*p+2o)JD)fX^mgqfq@ zUxct!YwLP*1oHf#$^ba@0~zN4j3tYKbuADq%?T8zT;nr5EsX4zi<4soW3$#hMIycd zLX*fqkffO4w#g?Np6nD|)DcoeVN=efiASy6TVR{(j!E`;9-xPykd8yIH7%ig# zwP3jSy)z#=_COd*3243dQ3r9Mau|RhJ?^Y;l{P&$2%!}v!qK;>Y_NPLBQ$|%5PV>I zJSuv7fy5XQgp5Uo@7q~frfReV6#0#YY5UmHMso9l6k5nMVQ&>NU01)zCl|Y+baT7K(p14jp{mcX*Hae06&Y(4DGYYC021#8*JTHM8%rtC7i-;e!8U!sZgvnwi7UM$c zv#(Pf?BRQ!fXp0&4ANzgU_DS?8Ks0gnQCWocC|W3K2At@`tV%~q4cVO_o`$u*5Oq~ zWy3@R{6Hq@%wG?xKMcDNgq0#s+O*MmQmt&>H0?1Ryqb{X{fc3Z9DFuuwvE4BEY#G< z$|rQ;RHrlO(h8y16eB~pcf&lA<9D5M^UkbO!SoO;!c+kq48fz); zZt6TK91b4`iFF;NCZy|NEPsruY=?|${VeLFVPH2uK^d#Q`UTVE`CY(KfppOGZV&=| zAfPMF5H3!Ty&1(du$BGd)xu%7;nf-uE|UIcJ*_D5K(FgVXi7!i1X;N_feQ%Z>!`@!! 
z4TP#34#xDzCl<*Cl(`S2PpI+wbi?SDLwfQsnHJyqAUFIxO!BGk{y}9-5i82ne4w>j zeBiNU^xY20-Xg00(Vtq>1!g&_mtwE49atHKlLPOPUse^C{i6z|a4`$gGE}c2^D3EvYNajiq(y|lwL7uaBGxgzEk zm1$gKmD44=u@_Ad%^3v<*d1@xhn@WK{tC%iQI(A?x>@cbxz#2BxuvKvNnh(7CL$_N zpZ0VpvsP+OB8edzkJt(sLpF|=EqeuTtLycoGc$K!w*0kQTf&y*|E``}(k!@E>7Wp= zF(i{(|0k2qGbocnAgjAEA?u`V8}g*etxohnoQ1oh8_T21TZgS?-u^DkIB_jhQ791< z8xplYY2;-p{KpKKq(InJHPbmV2`HrRBG|gyRG7NDOH(O~#}lvT+$#QmM91y{EBSu8 zNDCY3uBwb7RBp}92t534+`~-h8yKKco-uC!{v5!UEaT^eHn-bpW&yJ9zu&0w{A2)N z!)){b-oW(w^>#tuPIZ1*U@AXnH(;MWO89dwU{y$MHIy7mDVCGeE4UNHfirrMT>+=+ zOo9Xy9=J%r0_$7m`-CuPmoe?z(J?jUZ*9MadVI*jYRG19u{%@jp70l*7Yyj3g?1kx z)8t6NA8Wll;Fd>I>^!C+p6l#b0cnglCK@7DX=7#7ZgQ>!XWyg<-|+t*0j|Ju#I_tO zDj_$ZyT3%)M1!gqjLrx+{A8<(P*+5ebfNpTwr=GJP)xCI#kYM3g<1+Gl*` z!|XXgQx|gCjVcJKWur9u>&79(Ew|v^JBti`bV%b~Ki22;eWZ z#Z&-c#-ers@ZJWbl7QBh%J%x}Ze(mo}wsR&_zB9h^= Y50Dp(&U6o$O Date: Fri, 6 Sep 2024 08:49:31 +0100 Subject: [PATCH 004/298] Downstream changes Squashed all downstream changes to a single commit on top of trustee v0.9.0 Note: previous history is on branch "main-archive-2024-09-05" Signed-off-by: Leonardo Milleri --- .tekton/multi-arch-build-pipeline.yaml | 571 +++++++++++++++++++++++++ .tekton/trustee-pull-request.yaml | 50 +++ .tekton/trustee-push.yaml | 47 ++ kbs/docker/rhel-ubi/Dockerfile | 85 ++++ sgx_dcap_quoteverify_stubs/meson.build | 2 +- 5 files changed, 754 insertions(+), 1 deletion(-) create mode 100644 .tekton/multi-arch-build-pipeline.yaml create mode 100644 .tekton/trustee-pull-request.yaml create mode 100644 .tekton/trustee-push.yaml create mode 100644 kbs/docker/rhel-ubi/Dockerfile diff --git a/.tekton/multi-arch-build-pipeline.yaml b/.tekton/multi-arch-build-pipeline.yaml new file mode 100644 index 0000000000..08e00d627d --- /dev/null +++ b/.tekton/multi-arch-build-pipeline.yaml 
@@ -0,0 +1,571 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: multi-arch-build-pipeline
+spec:
+ tasks:
+ - name: init
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: init
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc
+ - name: kind
+ value: task
+ params:
+ - name: image-url
+ value: "$(params.output-image)"
+ - name: rebuild
+ value: "$(params.rebuild)"
+ - name: skip-checks
+ value: "$(params.skip-checks)"
+ - name: clone-repository
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: git-clone-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8b399017f8bb17a271e609c21bea4883eec052a7f03a3108258bc89fb7436bfa
+ - name: kind
+ value: task
+ when:
+ - input: "$(tasks.init.results.build)"
+ operator: in
+ values:
+ - 'true'
+ runAfter:
+ - init
+ params:
+ - name: url
+ value: "$(params.git-url)"
+ - name: revision
+ value: "$(params.revision)"
+ - name: ociStorage
+ value: "$(params.output-image).git"
+ - name: ociArtifactExpiresAfter
+ value: "$(params.image-expires-after)"
+ workspaces:
+ - name: basic-auth
+ workspace: git-auth
+ - name: prefetch-dependencies
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: prefetch-dependencies-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:f0f34850f9169f4211ed8a1e2bb5624fd7f6a3181f73d20729d23ab2f8d9da0b
+ - name: kind
+ value: task
+ params:
+ - name: input
+ value: "$(params.prefetch-input)"
+ - name: hermetic
+ value: "$(params.hermetic)"
+ - name: dev-package-managers
+ value: $(params.prefetch-dev-package-managers-enabled)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ - name: ociStorage
+ value: $(params.output-image).prefetch
+ - name: ociArtifactExpiresAfter
+ value: $(params.image-expires-after)
+ - name: build-container-amd64
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: buildah-remote-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32
+ - name: kind
+ value: task
+ runAfter:
+ - prefetch-dependencies
+ when:
+ - input: "$(tasks.init.results.build)"
+ operator: in
+ values:
+ - 'true'
+ - input: "$(params.enable-amd64-build)"
+ operator: in
+ values:
+ - 'true'
+ params:
+ - name: IMAGE
+ value: "$(params.output-image)-amd64"
+ - name: DOCKERFILE
+ value: "$(params.dockerfile)"
+ - name: CONTEXT
+ value: "$(params.path-context)"
+ - name: HERMETIC
+ value: "$(params.hermetic)"
+ - name: PREFETCH_INPUT
+ value: "$(params.prefetch-input)"
+ - name: IMAGE_EXPIRES_AFTER
+ value: "$(params.image-expires-after)"
+ - name: COMMIT_SHA
+ value: "$(tasks.clone-repository.results.commit)"
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: BUILD_ARGS_FILE
+ value: $(params.build-args-file)
+ - name: PLATFORM
+ value: $(params.amd64-platform)
+ - name: build-container-arm64
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: buildah-remote-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32
+ - name: kind
+ value: task
+ runAfter:
+ - prefetch-dependencies
+ when:
+ - input: "$(tasks.init.results.build)"
+ operator: in
+ values:
+ - 'true'
+ - input: "$(params.enable-arm64-build)"
+ operator: in
+ values:
+ - 'true'
+ params:
+ - name: IMAGE
+ value: "$(params.output-image)-arm64"
+ - name: DOCKERFILE
+ value: "$(params.dockerfile)"
+ - name: CONTEXT
+ value: "$(params.path-context)"
+ - name: HERMETIC
+ value: "$(params.hermetic)"
+ - name: PREFETCH_INPUT
+ value: "$(params.prefetch-input)"
+ - name: IMAGE_EXPIRES_AFTER
+ value: "$(params.image-expires-after)"
+ - name: COMMIT_SHA
+ value: "$(tasks.clone-repository.results.commit)"
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: BUILD_ARGS_FILE
+ value: $(params.build-args-file)
+ - name: PLATFORM
+ value: $(params.arm64-platform)
+ - name: build-container-ppc64le
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: buildah-remote-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32
+ - name: kind
+ value: task
+ runAfter:
+ - prefetch-dependencies
+ when:
+ - input: "$(tasks.init.results.build)"
+ operator: in
+ values:
+ - 'true'
+ - input: "$(params.enable-ppc64le-build)"
+ operator: in
+ values:
+ - 'true'
+ params:
+ - name: IMAGE
+ value: "$(params.output-image)-ppc64le"
+ - name: DOCKERFILE
+ value: "$(params.dockerfile)"
+ - name: CONTEXT
+ value: "$(params.path-context)"
+ - name: HERMETIC
+ value: "$(params.hermetic)"
+ - name: PREFETCH_INPUT
+ value: "$(params.prefetch-input)"
+ - name: IMAGE_EXPIRES_AFTER
+ value: "$(params.image-expires-after)"
+ - name: COMMIT_SHA
+ value: "$(tasks.clone-repository.results.commit)"
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: BUILD_ARGS_FILE
+ value: $(params.build-args-file)
+ - name: PLATFORM
+ value: $(params.ppc64le-platform)
+ - name: build-container-s390x
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: buildah-remote-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32
+ - name: kind
+ value: task
+ runAfter:
+ - prefetch-dependencies
+ when:
+ - input: "$(tasks.init.results.build)"
+ operator: in
+ values:
+ - 'true'
+ - input: "$(params.enable-s390x-build)"
+ operator: in
+ values:
+ - 'true'
+ params:
+ - name: IMAGE
+ value: "$(params.output-image)-s390x"
+ - name: DOCKERFILE
+ value: "$(params.dockerfile)"
+ - name: CONTEXT
+ value: "$(params.path-context)"
+ - name: HERMETIC
+ value: "$(params.hermetic)"
+ - name: PREFETCH_INPUT
+ value: "$(params.prefetch-input)"
+ - name: IMAGE_EXPIRES_AFTER
+ value: "$(params.image-expires-after)"
+ - name: COMMIT_SHA
+ value: "$(tasks.clone-repository.results.commit)"
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: BUILD_ARGS_FILE
+ value: $(params.build-args-file)
+ - name: PLATFORM
+ value: $(params.s390x-platform)
+ - name: build-image-index
+ params:
+ - name: IMAGE
+ value: $(params.output-image)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: IMAGES
+ value:
+ - $(tasks.build-container-amd64.results.IMAGE_URL)@$(tasks.build-container-amd64.results.IMAGE_DIGEST)
+ # - $(tasks.build-container-arm64.results.IMAGE_URL)@$(tasks.build-container-arm64.results.IMAGE_DIGEST)
+ - $(tasks.build-container-s390x.results.IMAGE_URL)@$(tasks.build-container-s390x.results.IMAGE_DIGEST)
+ # - $(tasks.build-container-ppc64le.results.IMAGE_URL)@$(tasks.build-container-ppc64le.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container-amd64
+ - build-container-arm64
+ - build-container-s390x
+ - build-container-ppc64le
+ taskRef:
+ params:
+ - name: name
+ value: build-image-manifest
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:ff7779cea8cd99c211e690f218fc367fe30374e528bb53507a73c7214be8ce9d
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: "$(tasks.init.results.build)"
+ operator: in
+ values:
+ - 'true'
+ - name: build-source-image
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: source-build-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:0b3588d23f3a19c929dced05b745687f2aac9f3e59ada4a58669f9f44bddd7fd
+ - name: kind
+ value: task
+ when:
+ - input: "$(tasks.init.results.build)"
+ operator: in
+ values:
+ - 'true'
+ - input: "$(params.build-source-image)"
+ operator: in
+ values:
+ - 'true'
+ runAfter:
+ - build-image-index
+ params:
+ - name: BINARY_IMAGE
+ value: "$(params.output-image)"
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: deprecated-base-image-check
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: deprecated-image-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:d98fa9daf5ee12dfbf00880b83d092d01ce9994d79836548d2f82748bb0c64a2
+ - name: kind
+ value: task
+ when:
+ - input: "$(params.skip-checks)"
+ operator: in
+ values:
+ - 'false'
+ runAfter:
+ - build-image-index
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: clair-scan
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: clair-scan
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1@sha256:baea4be429cf8d91f7c758378cea42819fe324f25a7f957bf9805409cab6d123
+ - name: kind
+ value: task
+ when:
+ - input: "$(params.skip-checks)"
+ operator: in
+ values:
+ - 'false'
+ runAfter:
+ - build-image-index
+ params:
+ - name: image-digest
+ value: "$(tasks.build-image-index.results.IMAGE_DIGEST)"
+ - name: image-url
+ value: "$(tasks.build-image-index.results.IMAGE_URL)"
+ - name: ecosystem-cert-preflight-checks
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: ecosystem-cert-preflight-checks
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:5131cce0f93d0b728c7bcc0d6cee4c61d4c9f67c6d619c627e41e3c9775b497d
+ - name: kind
+ value: task
+ when:
+ - input: "$(params.skip-checks)"
+ operator: in
+ values:
+ - 'false'
+ runAfter:
+ - build-image-index
+ params:
+ - name: image-url
+ value: "$(tasks.build-image-index.results.IMAGE_URL)"
+ - name: sast-snyk-check
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: sast-snyk-check-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:b89e6afcef84d98ed8291e2a9aab012b9e3bc649f1f50212bb3959f84c1c2bf8
+ - name: kind
+ value: task
+ when:
+ - input: "$(params.skip-checks)"
+ operator: in
+ values:
+ - 'false'
+ runAfter:
+ - clone-repository
+ params:
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: clamav-scan
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: clamav-scan
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:7bb17b937c9342f305468e8a6d0a22493e3ecde58977bd2ffc8b50e2fa234d58
+ - name: kind
+ value: task
+ when:
+ - input: "$(params.skip-checks)"
+ operator: in
+ values:
+ - 'false'
+ runAfter:
+ - build-image-index
+ params:
+ - name: image-digest
+ value: "$(tasks.build-image-index.results.IMAGE_DIGEST)"
+ - name: image-url
+ value: "$(tasks.build-image-index.results.IMAGE_URL)"
+ - name: apply-tags
+ params:
+ - name: IMAGE
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: apply-tags
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:e6beb161ed59d7be26317da03e172137b31b26648d3e139558e9a457bc56caff
+ - name: kind
+ value: task
+ resolver: bundles
+ params:
+ - name: git-url
+ type: string
+ description: Source Repository URL
+ - name: revision
+ type: string
+ description: Revision of the Source Repository
+ default: ''
+ - name: output-image
+ type: string
+ description: Fully Qualified Output Image
+ - name: path-context
+ type: string
+ description: Path to the source code of an application's component from where to
+ build image.
+ default: "."
+ - name: dockerfile
+ type: string
+ description: Path to the Dockerfile inside the context specified by parameter path-context
+ default: Dockerfile
+ - name: rebuild
+ type: string
+ description: Force rebuild image
+ default: 'false'
+ - default: "false"
+ description: Skip checks against built image
+ name: skip-checks
+ type: string
+ - default: "false"
+ description: Execute the build with network isolation
+ name: hermetic
+ type: string
+ - default: ''
+ description: Build dependencies to be prefetched by Cachi2
+ name: prefetch-input
+ type: string
+ - default: "true"
+ description: Enable dev-package-managers in prefetch task
+ name: prefetch-dev-package-managers-enabled
+ type: string
+ - name: java
+ type: string
+ description: Java build
+ default: 'false'
+ - name: image-expires-after
+ description: Image tag expiration time, time values could be something like 1h,
+ 2d, 3w for hours, days, and weeks, respectively.
+ default: ''
+ - name: build-source-image
+ type: string
+ description: Build a source image.
+ default: 'false'
+ - name: build-args-file
+ type: string
+ description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file
+ default: ""
+ - name: enable-amd64-build
+ type: string
+ description: Enable amd64 builds
+ default: "true"
+ - name: enable-arm64-build
+ type: string
+ description: Enable arm64 builds
+ default: "true"
+ - name: enable-ppc64le-build
+ type: string
+ description: Enable ppc64le builds
+ default: "true"
+ - name: enable-s390x-build
+ type: string
+ description: Enable s390x builds
+ default: "true"
+ - name: amd64-platform
+ type: string
+ description: Enable the amd64 platform to be changed from the PipelineRun file
+ default: linux/amd64
+ - name: arm64-platform
+ type: string
+ description: Enable the arm64 platform to be changed from the PipelineRun file
+ default: linux/arm64
+ - name: ppc64le-platform
+ type: string
+ description: Enable the ppc64le platform to be changed from the PipelineRun file
+ default: linux/ppc64le
+ - name: s390x-platform
+ type: string
+ description: Enable the s390x platform to be changed from the PipelineRun file
+ default: linux/s390x
+ workspaces:
+ - name: git-auth
+ optional: true
+ results:
+ - name: IMAGE_URL
+ description: ''
+ value: "$(tasks.build-image-index.results.IMAGE_URL)"
+ - name: IMAGE_DIGEST
+ description: ''
+ value: "$(tasks.build-image-index.results.IMAGE_DIGEST)"
+ - name: CHAINS-GIT_URL
+ description: ''
+ value: "$(tasks.clone-repository.results.url)"
+ - name: CHAINS-GIT_COMMIT
+ description: ''
+ value: "$(tasks.clone-repository.results.commit)"
+ - name: JAVA_COMMUNITY_DEPENDENCIES
+ description: ''
+ value: "$(tasks.build-container-amd64.results.JAVA_COMMUNITY_DEPENDENCIES)"
+ finally:
+ - name: show-sbom
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: show-sbom
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b
+ - name: kind
+ value: task
+ params:
+ - name: IMAGE_URL
+ value: "$(tasks.build-image-index.results.IMAGE_URL)"
+ - name: show-summary
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: summary
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b
+ - name: kind
+ value: task
+ params:
+ - name: pipelinerun-name
+ value: "$(context.pipelineRun.name)"
+ - name: git-url
+ value: "$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)"
+ - name: image-url
+ value: "$(params.output-image)"
+ - name: build-task-status
+ value: "$(tasks.build-image-index.status)"
diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml
new file mode 100644
index 0000000000..318860bce1
--- /dev/null
+++ b/.tekton/trustee-pull-request.yaml
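Review bot: The `IMAGES` list of `build-image-index` does not follow the `enable-*-build` parameters declared further down in the same file. The arm64 and ppc64le entries are commented out while `enable-arm64-build` and `enable-ppc64le-build` default to "true", so any caller that relies on the defaults (the two PipelineRuns in this commit override them to "false") builds two images that never reach the index. The amd64 and s390x entries are unconditional, so a run that disables either one references results of a skipped task, which presumably keeps `build-image-index` and the clair, clamav and preflight checks behind it from running. I would set `default: "false"` on `enable-arm64-build` and `enable-ppc64le-build` and add a comment above the list such as `# keep in sync with the enable-*-build params: every entry here must be built`.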
@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/openshift/trustee?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+ == "main"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: trustee
+ appstudio.openshift.io/component: trustee
+ pipelines.appstudio.openshift.io/type: build
+ name: trustee-on-pull-request
+ namespace: ose-osc-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: kbs/docker/rhel-ubi/Dockerfile
+ - name: git-url
+ value: '{{source_url}}'
+ - name: image-expires-after
+ value: 5d
+ - name: output-image
+ value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:on-pr-{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ - name: build-source-image
+ value: "true"
+ - name: enable-amd64-build
+ value: "true"
+ - name: enable-arm64-build
+ value: "false"
+ - name: enable-ppc64le-build
+ value: "false"
+ - name: enable-s390x-build
+ value: "true"
+ pipelineRef:
+ name: multi-arch-build-pipeline
+ taskRunTemplate: {}
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml
new file mode 100644
index 0000000000..02e93fb160
--- /dev/null
+++ b/.tekton/trustee-push.yaml
@@ -0,0 +1,47 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/openshift/trustee?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+ == "main"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: trustee
+ appstudio.openshift.io/component: trustee
+ pipelines.appstudio.openshift.io/type: build
+ name: trustee-on-push
+ namespace: ose-osc-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: kbs/docker/rhel-ubi/Dockerfile
+ - name: git-url
+ value: '{{source_url}}'
+ - name: output-image
+ value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ - name: build-source-image
+ value: "true"
+ - name: enable-amd64-build
+ value: "true"
+ - name: enable-arm64-build
+ value: "false"
+ - name: enable-ppc64le-build
+ value: "false"
+ - name: enable-s390x-build
+ value: "true"
+ pipelineRef:
+ name: multi-arch-build-pipeline
+ taskRunTemplate: {}
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile
new file mode 100644
index 0000000000..3db05464d8
--- /dev/null
+++ b/kbs/docker/rhel-ubi/Dockerfile
@@ -0,0 +1,85 @@ +# Use UBI to build. +FROM registry.access.redhat.com/ubi9 as builder + +# Install build dependencies from CentOS or RHEL repos. +RUN \ +# Update packages. Get CVE fixes sooner. +dnf -y update && \ +# Enable additional repositories for CentOS or RHEL. +if command -v subscription-manager; then \ + REPO_ARCH=$(uname -m) && \ + subscription-manager register --org "$(cat /activation-key/org)" --activationkey "$(cat /activation-key/activationkey)" && \ + subscription-manager repos --enable rhel-9-for-${REPO_ARCH}-appstream-rpms --enable codeready-builder-for-rhel-9-${REPO_ARCH}-rpms; \ +else \ + dnf -y install 'dnf-command(config-manager)' && dnf config-manager --enable crb; \ +fi && \ +# Install packages. +dnf -y --setopt=install_weak_deps=0 install \ + cargo pkg-config perl-FindBin openssl-devel perl-lib perl-IPC-Cmd perl-File-Compare perl-File-Copy clang-devel \ + # These two are only available in the CodeReady Builder repo. + tpm2-tss-devel protobuf-compiler \ + # This one is needed to build the stub. + meson + +# Build. +WORKDIR /usr/src/kbs +COPY . . +ARG KBS_FEATURES=coco-as-builtin,resource,opa,openssl +RUN \ +# Build sgx_dcap_quoteverify stub. +pushd sgx_dcap_quoteverify_stubs && \ +meson setup build --prefix=/usr && \ +meson compile -C build && \ +meson install -C build && \ +popd && \ +# Build KBS. +cargo install --locked --root /usr/local/ --path kbs --no-default-features --features ${KBS_FEATURES} && \ +# Check the sha256sum of the Intel provided RPMs on x86_64. +if [ $(uname -m) = "x86_64" ]; then \ + pushd sgx_dcap_quoteverify_stubs && \ + echo "2621eac23cb756bc238f88d6db5401f7efed55d87855fc2b7e446ddfc1bd37ca" libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm | sha256sum --check && \ + echo "57da5fb2253a99bb2483d19b6f30d1170ebc384e2891937e2c89fa55886b7034" libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm | sha256sum --check && \ + popd; \ +fi + +# Package UBI image. +FROM registry.access.redhat.com/ubi9 + +# Update packages. 
Get CVE fixes sooner. +RUN dnf -y update && dnf clean all + +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs +COPY --from=builder /usr/src/kbs/sgx_dcap_quoteverify_stubs/libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm /tmp/libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm +COPY --from=builder /usr/src/kbs/sgx_dcap_quoteverify_stubs/libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm /tmp/libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm + +# Install Intel binaries +RUN \ +if [ $(uname -m) = "x86_64" ]; then \ + dnf -y --nogpgcheck --setopt=install_weak_deps=0 localinstall \ + /tmp/libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm \ + /tmp/libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm; \ +fi && \ +rm -f /tmp/libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm /tmp/libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm + +# Declare build-time variables. +ARG NAME="trustee" +ARG DESCRIPTION="The Trustee server." + +# Red Hat labels. +LABEL com.redhat.component=$NAME +LABEL description=$DESCRIPTION +LABEL io.k8s.description=$DESCRIPTION +LABEL io.k8s.display-name=$NAME +LABEL name=$NAME +LABEL summary=$DESCRIPTION +LABEL distribution-scope=public +LABEL release="1" +LABEL url="https://access.redhat.com/" +LABEL vendor="Red Hat, Inc." +LABEL version="1" +LABEL maintainer="Red Hat" +# Reset labels inherited from base image. +LABEL io.openshift.tags="" + +# Licenses +COPY LICENSE /licenses/LICENSE diff --git a/sgx_dcap_quoteverify_stubs/meson.build b/sgx_dcap_quoteverify_stubs/meson.build index 81045fd8ab..e7d13be84b 100644 --- a/sgx_dcap_quoteverify_stubs/meson.build +++ b/sgx_dcap_quoteverify_stubs/meson.build @@ -1,6 +1,6 @@ project( 'sgx_dcap_quoteverify_stubs', 'cpp', - default_options: ['warning_level=everything'], + default_options: ['warning_level=3'], ) stub_headers = files([ From 97b9dca1d35c859d2862e6b65fd0c15c7d56da58 Mon Sep 17 00:00:00 2001 
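Review bot: The final-stage `RUN` installs the Intel RPMs with `dnf -y --nogpgcheck ... localinstall`, and that flag applies to the whole transaction, so any dependency dnf resolves from the enabled repositories is presumably installed without a signature check as well. The only integrity control on the two RPMs is the pinned `sha256sum --check` pair, which sits in the builder stage, after `cargo install`, and not next to the install it protects. I would move those two `sha256sum --check` lines into the final-stage `RUN`, ahead of `dnf`, pointing at the `/tmp/` copies, so the check and the install cannot drift apart when one stage is edited. If Intel's signing key can be imported into the image, dropping `--nogpgcheck` altogether is the better fix; otherwise a comment such as `# --nogpgcheck: integrity of these RPMs rests on the pinned sha256 digests` should record why it is there.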
From: Camilla Conte Date: Fri, 6 Sep 2024 16:01:28 +0100 Subject: [PATCH 005/298] docker: update path for cargo install Necessary because the rebase to v0.9.0 changed the directory structure. --- kbs/docker/rhel-ubi/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile index 3db05464d8..28ff19beef 100644 --- a/kbs/docker/rhel-ubi/Dockerfile +++ b/kbs/docker/rhel-ubi/Dockerfile @@ -33,7 +33,7 @@ meson compile -C build && \ meson install -C build && \ popd && \ # Build KBS. -cargo install --locked --root /usr/local/ --path kbs --no-default-features --features ${KBS_FEATURES} && \ +cargo install --locked --root /usr/local/ --path kbs/src/kbs --no-default-features --features ${KBS_FEATURES} && \ # Check the sha256sum of the Intel provided RPMs on x86_64. if [ $(uname -m) = "x86_64" ]; then \ pushd sgx_dcap_quoteverify_stubs && \ From a9ebd4e4ad9d902c460d83e10057b2bbab682d5e Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 08:29:44 +0000 Subject: [PATCH 006/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/multi-arch-build-pipeline.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.tekton/multi-arch-build-pipeline.yaml b/.tekton/multi-arch-build-pipeline.yaml index 08e00d627d..fcff58db5c 100644 --- a/.tekton/multi-arch-build-pipeline.yaml +++ b/.tekton/multi-arch-build-pipeline.yaml @@ -28,7 +28,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8b399017f8bb17a271e609c21bea4883eec052a7f03a3108258bc89fb7436bfa + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:b03bb5e21665b17ae2f645496013a072b00f1a174024dc1ff41dc626f364c66b - name: kind value: task when: 
@@ -57,7 +57,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:f0f34850f9169f4211ed8a1e2bb5624fd7f6a3181f73d20729d23ab2f8d9da0b + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:ad15707d97026d6d462e4c02a09e73a3cffdcdae3a91b03f39d2675d5a000d2b - name: kind value: task params: @@ -80,7 +80,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 - name: kind value: task runAfter: @@ -124,7 +124,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 - name: kind value: task runAfter: @@ -168,7 +168,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 - name: kind value: task runAfter: 
@@ -212,7 +212,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:3860f6c00ca52bca35a7a46e7e40a9c8e6a83d0123a2219b8d7f9f2e00eddf32 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 - name: kind value: task runAfter: @@ -287,7 +287,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:0b3588d23f3a19c929dced05b745687f2aac9f3e59ada4a58669f9f44bddd7fd + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:639995e4221da90f5a9fc14dacd0dba384e2a37e3a2c7aa5dafec3c2ab3f5f74 - name: kind value: task when: @@ -379,7 +379,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:b89e6afcef84d98ed8291e2a9aab012b9e3bc649f1f50212bb3959f84c1c2bf8 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:c2f5eb19cfe6e48595368cc50907be74a7c8a375866ad16e7663df540825af6b - name: kind value: task when: From 321ad89d6c6fb3edf70b705774f077061331307a Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Mon, 9 Sep 2024 08:18:39 +0100 Subject: [PATCH 007/298] Fix IBM SE verifier Added the missing se_parse_hdr.py file to the IBM SE verifier code Signed-off-by: Leonardo Milleri --- attestation-service/verifier/src/se/README.md | 107 ++++++++++-- attestation-service/verifier/src/se/ibmse.rs | 41 ++--- attestation-service/verifier/src/se/mod.rs | 9 +- .../verifier/src/se/se_parse_hdr.py | 162 ++++++++++++++++++ 4 files changed, 277 insertions(+), 42 deletions(-) create mode 100644 attestation-service/verifier/src/se/se_parse_hdr.py diff --git a/attestation-service/verifier/src/se/README.md b/attestation-service/verifier/src/se/README.md index 9d14da24dd..0ee09c0882 100644 
--- a/attestation-service/verifier/src/se/README.md +++ b/attestation-service/verifier/src/se/README.md @@ -1,10 +1,22 @@ -# Deployment of KBS with IBM SE verifier + +# KBS with IBM SE verifier This is a document to guide developer run a KBS with IBM SE verifier locally for development purpose. +## Index + +- [Deployment of KBS with IBM SE verifier](#deployment-of-kbs-with-ibm-se-verifier) +- [Set attestation policy for IBM SE verifier](#set-attestation-policy) + + + +# Deployment of KBS with IBM SE verifier + +This section is about deployment of KBS without rvps checking. + ## Generate RSA keys Generate RSA 4096 key pair following commands: -``` +```bash openssl genrsa -aes256 -passout pass:test1234 -out encrypt_key-psw.pem 4096 openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -pubout -out encrypt_key.pub openssl rsa -in encrypt_key-psw.pem -out encrypt_key.pem 
@@ -20,14 +32,25 @@ ibm-z-host-key-signing-gen2.crt DigiCertCA.crt ### CRL -ibm-z-host-key-gen2.crl +ibm-z-host-key-gen2.crl +DigiCertTrustedRootG4.crl +DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl + +Note: `DigiCertTrustedRootG4.crl` and `DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl` come from commands as below: +```bash +# openssl x509 -in DigiCertCA.crt --text --noout |grep crl + URI:http://crl3.digicert.com/DigiCertTrustedRootG4.crl +# openssl x509 -in ibm-z-host-key-signing-gen2.crt --text --noout |grep crl + URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl + URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl +``` ## Download HKD Download IBM Secure Execution Host Key Document following: https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document ## Get SE Header Build `se.img` following [Generate an IBM Secure Execution image](https://www.ibm.com/docs/en/linux-on-systems?topic=commands-genprotimg) and retrieve the hdr.bin via command like below. -``` +```bash ./pvextract-hdr -o hdr.bin se.img ``` @@ -35,7 +58,7 @@ Refer [ibm-s390-linux](https://github.com/ibm-s390-linux/s390-tools/blob/v2.33.1 ## Generate KBS key Generate keys used by KBS service. -``` +```bash openssl genpkey -algorithm ed25519 > kbs.key openssl pkey -in kbs.key -pubout -out kbs.pem ``` @@ -43,7 +66,7 @@ openssl pkey -in kbs.key -pubout -out kbs.pem ## (Option 1) Launch KBS as a program - Build KBS -``` +```bash cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa ``` @@ -56,6 +79,8 @@ cargo install --locked --debug --path kbs/src/kbs --no-default-features --featur | └── DigiCertCA.crt ├── crls │ └── ibm-z-host-key-gen2.crl +│ └── DigiCertTrustedRootG4.crl +│ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl ├── hdr │ └── hdr.bin ├── hkds 
@@ -92,25 +117,24 @@ remote_addr = "" ``` - Launch the KBS program -``` +```bash export RUST_LOG=debug export SE_SKIP_CERTS_VERIFICATION=true ./kbs --config-file ./kbs-config.toml ``` -> Note: `SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. +> Note: `export SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. Use `export CERTS_OFFLINE_VERIFICATION=true` to verifiy the certificates offline. ## (Option 2) Launch KBS via docker-compose - Build the docker image ``` -DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs:latest --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile +DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile ``` ->Note: Please add `--debug` in statement like `cargo install` in file `kbs/docker/Dockerfile` if you're using a development host key document to skip HKD's signature verification. - Prepare a docker compose file, similar as: ``` services: - web: + kbs: image: ghcr.io/confidential-containers/staged-images/kbs:latest command: [ "/usr/local/bin/kbs", @@ -135,7 +159,7 @@ services: - ./data/rsa/encrypt_key.pem:/run/confidential-containers/ibmse/rsa/encrypt_key.pem - ./data/rsa/encrypt_key.pub:/run/confidential-containers/ibmse/rsa/encrypt_key.pub ``` -> Note: `SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. +> Note: `export SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. Use `export CERTS_OFFLINE_VERIFICATION=true` to verifiy the certificates offline. - Prepare the material, similar as: ``` @@ -149,6 +173,8 @@ services: │   │   └── DigiCertCA.crt │   ├── crls │   │   └── ibm-z-host-key-gen2.crl +│ │ └── DigiCertTrustedRootG4.crl +│ │ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl │   ├── hdr.bin │   ├── hkds │   │   └── HKD-3931-0275D38.crt 
@@ -167,10 +193,63 @@ services: ``` - Launch KBS as docker compose application -``` +```bash docker-compose up -d -docker-compose logs web +docker-compose logs kbs docker-compose down ``` +# Set attestation policy + +This section is about setting attestation policy. + +### Retrive the attestation policy fields for IBM SE + +Using [se_parse_hdr.py](se_parse_hdr.py) on a s390x instance to retrieve the IBM SE fields for attestation policy. + +```bash +python3 se_parse_hdr.py hdr.bin HKD-3931.crt + +... + ================================================ + se.image_phkh: xxx + se.version: 256 + se.tag: xxx + se.attestation_phkh: xxx +``` + +We get following fields and will set these fields in rvps for attestation policy. +`se.version: 256` +`se.tag: xxx` +`se.attestation_phkh: xxx` +`se.image_phkh: xxx` + + +### Set attestation policy + +#### Generate attestation policy file +```bash +cat << EOF > ibmse-policy.rego +package policy +import rego.v1 +default allow = false + +converted_version := sprintf("%v", [input["se.version"]]) + +allow if { + input["se.attestation_phkh"] == "xxx" + input["se.image_phkh"] == "xxx" + input["se.tag"] == "xxx" + input["se.user_data"] == "xxx" + converted_version == "256" +} +EOF +``` + +Where the values `se.version`, `se.attestation_phkh`, `se.image_phkh` and `se.tag` come from [retrive-the-rvps-field-for-an-ibm-se-image](#retrive-the-rvps-field-for-an-ibm-se-image). The value `se.user_data` comes from [initdata](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/docs/initdata.md). Please remove `input["se.user_data"] == "xxx"` if `initdata` is not used. + +#### Set the attestation policy +```bash +kbs-client --url http://127.0.0.1:8080 config --auth-private-key ./kbs/kbs.key set-attestation-policy --policy-file ./ibmse-policy.rego +``` \ No newline at end of file 
diff --git a/attestation-service/verifier/src/se/ibmse.rs b/attestation-service/verifier/src/se/ibmse.rs index fc60c4a7e0..e8cf22477b 100644 --- a/attestation-service/verifier/src/se/ibmse.rs +++ b/attestation-service/verifier/src/se/ibmse.rs @@ -90,8 +90,7 @@ pub struct SeAttestationResponse { pub struct SeAttestationClaims { #[serde_as(as = "Hex")] cuid: ConfigUid, - #[serde_as(as = "Hex")] - user_data: Vec, + user_data: String, version: u32, #[serde_as(as = "Hex")] image_phkh: Vec, @@ -160,12 +159,12 @@ impl SeVerifierImpl { fn encrypt(&self, text: &[u8]) -> Result> { let mut encrypter = Encrypter::new(&self.public_key)?; encrypter.set_rsa_padding(Padding::PKCS1)?; - + let buffer_len = encrypter.encrypt_len(text)?; let mut encrypted = vec![0; buffer_len]; let len = encrypter.encrypt(text, &mut encrypted)?; encrypted.truncate(len); - + Ok(encrypted) } @@ -218,7 +217,7 @@ impl SeVerifierImpl { let claims = SeAttestationClaims { cuid: se_response.cuid, - user_data: se_response.user_data.clone(), + user_data: String::from_utf8(se_response.user_data.clone())?, version: AttestationVersion::One as u32, image_phkh: image_phkh.to_vec(), attestation_phkh: attestation_phkh.to_vec(), 
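Review bot: `String::from_utf8(se_response.user_data.clone())?` makes evidence whose user data is not valid UTF-8 fail verification with a bare conversion error, where the previous hex-encoded `Vec` accepted any bytes. If the field arrives as a fixed-size, zero-padded buffer (not visible in this hunk), the string would also carry trailing NULs and never equal the value a policy compares `se.user_data` against, so that is worth confirming before relying on the new claim format. I would at least name the failure: `user_data: String::from_utf8(se_response.user_data.clone()).map_err(|e| anyhow!("SE user_data is not valid UTF-8: {e}"))?,`. The matching type change is in the `SeAttestationClaims` hunk at `-90,8`; both the struct and the function continue outside their hunks.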
@@ -277,22 +276,19 @@ impl SeVerifierImpl { let c = certs .first() .ok_or(anyhow!("File does not contain a X509 certificate"))?; - #[cfg(debug_assertions)] - { - const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false"; - let skip_certs_env = env_or_default!( - "SE_SKIP_CERTS_VERIFICATION", - DEFAULT_SE_SKIP_CERTS_VERIFICATION - ); - let skip_certs: bool = skip_certs_env.parse::().unwrap_or(false); - if !skip_certs { - let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), offline_certs_verify)?; - verifier.verify(c)?; - } - } - #[cfg(not(debug_assertions))] - { - let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), offline_certs_verify)?; + const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false"; + let skip_certs_env = env_or_default!( + "SE_SKIP_CERTS_VERIFICATION", + DEFAULT_SE_SKIP_CERTS_VERIFICATION + ); + let skip_certs: bool = skip_certs_env.parse::().unwrap_or(false); + if !skip_certs { + let verifier = CertVerifier::new( + ca_certs.as_slice(), + crls.as_slice(), + ca_option.clone(), + offline_certs_verify, + )?; verifier.verify(c)?; } arcb.add_hostkey(c.public_key()?); @@ -301,8 +297,7 @@ impl SeVerifierImpl { let encr_ctx = ReqEncrCtx::random(SymKeyType::Aes256)?; let request_blob = arcb.encrypt(&encr_ctx)?; let conf_data = arcb.confidential_data(); - let encr_measurement_key = - self.encrypt(conf_data.measurement_key())?; + let encr_measurement_key = self.encrypt(conf_data.measurement_key())?; let nonce = conf_data .nonce() .as_ref() diff --git a/attestation-service/verifier/src/se/mod.rs b/attestation-service/verifier/src/se/mod.rs index fe10b02455..7fef50c2a8 100644 --- a/attestation-service/verifier/src/se/mod.rs +++ b/attestation-service/verifier/src/se/mod.rs 
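Review bot: With the `#[cfg(debug_assertions)]` split removed, `SE_SKIP_CERTS_VERIFICATION=true` now bypasses `CertVerifier` for the host key document in release builds too, so a stray environment variable in a production deployment silently turns off the certificate and CRL checks before `arcb.add_hostkey(...)`. The parse still fails closed through `unwrap_or(false)`, but the skip path leaves no trace for an operator or an audit. I would add an `else` branch that logs it, for example `log::warn!("SE_SKIP_CERTS_VERIFICATION is set: host key document certificates are not verified");` (assuming the `log` macros are what this file uses), or keep honouring the variable only under `cfg(debug_assertions)`. The enclosing function starts and ends outside the hunk.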
@@ -38,13 +38,12 @@ impl Verifier for SeVerifier { se_verifier.evaluate(evidence) } - async fn generate_supplemental_challenge( - &self, - _tee_parameters: String, - ) -> Result { + async fn generate_supplemental_challenge(&self, _tee_parameters: String) -> Result { let se_verifier = VERIFIER .get_or_try_init(|| async { SeVerifierImpl::new() }) .await?; - se_verifier.generate_supplemental_challenge(_tee_parameters).await + se_verifier + .generate_supplemental_challenge(_tee_parameters) + .await } } diff --git a/attestation-service/verifier/src/se/se_parse_hdr.py b/attestation-service/verifier/src/se/se_parse_hdr.py new file mode 100644 index 0000000000..d8191f6642 --- /dev/null +++ b/attestation-service/verifier/src/se/se_parse_hdr.py 
@@ -0,0 +1,162 @@ +# Copyright (C) Copyright IBM Corp. 2024 +# +# SPDX-License-Identifier: Apache-2.0 +# + +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.primitives.asymmetric import ec +import hashlib +import sys +import struct + + +def parse_certificate(cert_path): + """Parse the certificate from file path and return the public key.""" + with open(cert_path, 'rb') as cert_file: + cert_data = cert_file.read() + cert = x509.load_pem_x509_certificate(cert_data, default_backend()) + return cert.public_key() + +def ec_point_to_affine_coordinates(public_key): + """Convert EC public key to affine coordinates (x, y).""" + if isinstance(public_key, ec.EllipticCurvePublicKey): + # Get the uncompressed point bytes + point = public_key.public_bytes( + encoding=serialization.Encoding.X962, + format=serialization.PublicFormat.UncompressedPoint + ) + curve = public_key.curve + x_bytes = point[1:curve.key_size//8+2] # skip the first byte (0x04) + y_bytes = point[curve.key_size//8+2:] + return x_bytes, y_bytes + else: + raise ValueError("Invalid EC public key type") + +def bn_bn2binpad(bn, size): + """Convert BN to binary padded format.""" + bn_bytes = bn.to_bytes((bn.bit_length() + 7) // 8, byteorder='big') + if len(bn_bytes) < size: + padded_bytes = b'\x00' * (size - len(bn_bytes)) + bn_bytes + elif len(bn_bytes) > size: + padded_bytes = bn_bytes[-size:] + else: + padded_bytes = bn_bytes + return padded_bytes + +def generate_sha256_hash(data): + """Generate SHA-256 hash of input data.""" + sha256_hash = hashlib.sha256(data).hexdigest() + return sha256_hash + +def bytes_to_hex_string(byte_data): + """Convert bytes to hex string.""" + return ''.join(f'{b:02x}' for b in byte_data) + +def parse_img_phkh_from_hkd(filename): + # Parse certificate and extract public key + public_key = parse_certificate(filename) + + # Get affine coordinates + x_bytes, 
y_bytes = ec_point_to_affine_coordinates(public_key) + + # Convert x_bytes and y_bytes to binary padded format + x_bin = bn_bn2binpad(int.from_bytes(x_bytes, byteorder='big'), 80) # 66 bytes for P-521 curve + y_bin = bn_bn2binpad(int.from_bytes(y_bytes, byteorder='big'), 80) + + # Log x_bin and y_bin + x_bin_str = bytes_to_hex_string(x_bin) + y_bin_str = bytes_to_hex_string(y_bin) + + # Concatenate x_bin and y_bin + ecdh_data = x_bin + y_bin + + # Log concatenated data + ecdh_data_str = bytes_to_hex_string(ecdh_data) + + # Calculate SHA-256 hash + hkd_phkh = generate_sha256_hash(ecdh_data) + return hkd_phkh + +def parse_hdr(hdr_file, hkd_file): + with open(hdr_file, 'rb') as f: + + hkd_phkh = parse_img_phkh_from_hkd(hkd_file) + key_slot_used_idx = -1 + + # Read the entire header based on the size defined in the structure + # https://github.com/ibm-s390-linux/s390-tools/blob/master/genprotimg/src/include/pv_hdr_def.h + header_size = 8 + 4 + 4 + # pv_hdr_head size 416 + pv_hdr_head_size = 8 + 4 + 4 + 12 + 4 + 8 + 8 + 8 + 8 + 160 + 64 + 64 + 64 + + after_key_slot_size = 144 + # pv_hdr_key_slot digest_key + wrapped_key = phkh + phkh_size = 32 + + hdr_data = f.read(header_size) + + # Unpack the header fields + fields = struct.unpack('8sII', hdr_data) + + magic, version, phs = fields + # The last 16 bits is the image tag + f.seek(-16, 2) + image_tag = f.read(16) + # Print the extracted fields + + print(f"Magic: {magic.decode('ascii')}") + print(f"phs: {phs}") + + f.seek(pv_hdr_head_size) + + length_phkh_data = phs - pv_hdr_head_size - after_key_slot_size + phkh_data = f.read(length_phkh_data) + + # Define the struct format (32 bytes for digest_key, 32 bytes for wrapped_key, 16 bytes for tag) + struct_format = '32s32s16s' + + # Calculate the size of each struct + struct_size = struct.calcsize(struct_format) + + for i in range(0, len(phkh_data), struct_size): + if i + struct_size > len(phkh_data): + break + chunk = phkh_data[i:i + struct_size] + digest_key, wrapped_key, 
tag = struct.unpack(struct_format, chunk) + if digest_key.hex() == hkd_phkh: + key_slot_used_idx = i + print(f" ========Host Key Document Hash used in this slot========= ") + print(f" Key Slot: {i//80 + 1}:") + print(f" image_phkh: {digest_key.hex()}") + print(f" wrapped_key: {wrapped_key.hex()}") + print(f" tag: {tag.hex()}") + # if the 1 slot selected, the idx is 0 + if key_slot_used_idx > -1: + chunk_used = phkh_data[key_slot_used_idx:key_slot_used_idx + struct_size] + digest_key, wrapped_key, tag = struct.unpack(struct_format, chunk_used) + print(f" ========Host Key Document Hash used in this slot========= ") + print(f" Key Slot: {key_slot_used_idx//80 + 1}:") + print(f" wrapped_key: {wrapped_key.hex()}") + print(f" HKD tag: {tag.hex()}") + print(f" Copy below value and set in rvps ") + print(f" ================================================ ") + print(f" se.image_phkh: {digest_key.hex()}") + else: + print(f" The HKD file not included when build the SE image ") + + + print(f" se.version: {version}") + print(f" se.tag: {image_tag.hex()}") + print(f" se.attestation_phkh: {hkd_phkh}") + + +if __name__ == "__main__": + if len(sys.argv) != 3: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + + hdr_file = sys.argv[1] + hkd_file = sys.argv[2] + parse_hdr(hdr_file, hkd_file) From 24d4c827e9fb1c5ffaf4de8bdacf2cd8e500ec51 Mon Sep 17 00:00:00 2001 From: Camilla Conte Date: Thu, 10 Oct 2024 17:00:11 +0100 Subject: [PATCH 008/298] Add renovate config Enables automerge for updates to konflux references (tekton). Replicating https://github.com/openshift/trustee-operator/pull/61. --- renovate.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000000..06ee16360a --- /dev/null +++ b/renovate.json 
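Review bot: `ec_point_to_affine_coordinates` cuts the uncompressed point at `curve.key_size//8+2`, which only lands on the x/y boundary for P-521 (521//8+2 = 67); for any other curve the halves are split at the wrong byte and the script prints a wrong `se.attestation_phkh` without any error. Because these values are copied into the attestation policy, I would take the coordinates from the key itself with `nums = public_key.public_numbers()` and then `bn_bn2binpad(nums.x, 80)` and `bn_bn2binpad(nums.y, 80)`. In `parse_hdr`, `magic` is printed but never compared with the expected value and `phs` is used unvalidated, so a short or foreign file yields a negative `f.read()` length and the whole remainder is parsed as key slots; a guard such as `if length_phkh_data <= 0: sys.exit("unexpected header size")` would reject it. The locals `x_bin_str`, `y_bin_str` and `ecdh_data_str` are computed and never used and can go.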
@@ -0,0 +1,14 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json?raw=true" + ], + "tekton": { + "enabled": true, + "automerge": true, + "automergeType": "pr", + "automergeStrategy": "rebase", + "platformAutomerge": true, + "ignoreTests": false + } +} From 038ab27c0a3919247be08c54ee9e99437ceda870 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 10:23:53 +0000 Subject: [PATCH 009/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/multi-arch-build-pipeline.yaml | 28 +++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.tekton/multi-arch-build-pipeline.yaml b/.tekton/multi-arch-build-pipeline.yaml index fcff58db5c..94194d30ac 100644 --- a/.tekton/multi-arch-build-pipeline.yaml +++ b/.tekton/multi-arch-build-pipeline.yaml @@ -28,7 +28,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:b03bb5e21665b17ae2f645496013a072b00f1a174024dc1ff41dc626f364c66b + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d1e63ec00bed1c9f0f571fa76b4da570be49a7c255c610544a461495230ba1b1 - name: kind value: task when: @@ -57,7 +57,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:ad15707d97026d6d462e4c02a09e73a3cffdcdae3a91b03f39d2675d5a000d2b + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:4e43e71a09cb5ce2b3a6b591e32f2cd223657c9b882d9a42020dcaa21ac27338 - name: kind value: task params: 
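Review bot: `"automerge": true` together with `"platformAutomerge": true` lets bot-authored changes to the `.tekton` task bundle references merge without a human approving them, and the rules themselves come from an `extends` URL on the mintmaker `main` branch, so the effective policy can change without a commit in this repository. `"ignoreTests": false` keeps the status checks as the only gate, so the required checks on the target branch need to include the pipeline's policy verification; that is repository configuration and not visible in this patch. I would pin the preset to a reviewed revision, e.g. `"https://github.com/konflux-ci/mintmaker/blob/<COMMIT_SHA>/config/renovate/renovate.json?raw=true"`, and note in the commit description which checks are expected to block an automerge.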
@@ -80,7 +80,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - name: kind value: task runAfter: @@ -124,7 +124,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - name: kind value: task runAfter: @@ -168,7 +168,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - name: kind value: task runAfter: @@ -212,7 +212,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:a790abd146ae2583863b17991f016b5b78497cf3560a1fb7062432490c2a0303 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - name: kind value: task runAfter: 
@@ -271,7 +271,7 @@ spec: - name: name value: build-image-manifest - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:ff7779cea8cd99c211e690f218fc367fe30374e528bb53507a73c7214be8ce9d + value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:b0cf7cb6749ac811c01a7c47596e6b8381c98100c4c6050567b02f4e8d7ddcb1 - name: kind value: task resolver: bundles @@ -287,7 +287,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:639995e4221da90f5a9fc14dacd0dba384e2a37e3a2c7aa5dafec3c2ab3f5f74 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:261f075fd5a096f7b28a999b505136b2a3a5aef390087148b3131fd3ec295db3 - name: kind value: task when: @@ -315,7 +315,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:d98fa9daf5ee12dfbf00880b83d092d01ce9994d79836548d2f82748bb0c64a2 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:b4f9599f5770ea2e6e4d031224ccc932164c1ecde7f85f68e16e99c98d754003 - name: kind value: task when: @@ -337,7 +337,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1@sha256:baea4be429cf8d91f7c758378cea42819fe324f25a7f957bf9805409cab6d123 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:28fee4bf5da87f2388c973d9336086749cad8436003f9a514e22ac99735e056b - name: kind value: task when: 
@@ -379,7 +379,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:c2f5eb19cfe6e48595368cc50907be74a7c8a375866ad16e7663df540825af6b + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:92af5ba1bb9d6bf442c8d3b317ada71d44a9c1ab59959a37bbb5d163205a104f - name: kind value: task when: @@ -399,7 +399,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:7bb17b937c9342f305468e8a6d0a22493e3ecde58977bd2ffc8b50e2fa234d58 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:a94b6523ba0b691dc276e37594321c2eff3594d2753014e5c920803b47627df1 - name: kind value: task when: @@ -425,7 +425,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:e6beb161ed59d7be26317da03e172137b31b26648d3e139558e9a457bc56caff + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:f485e250fb060060892b633c495a3d7e38de1ec105ae1be48608b0401530ab2c - name: kind value: task resolver: bundles @@ -544,7 +544,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28 - name: kind value: task params: From bc43685b3d0b7a9ff6d28dd68b0ea29e04ffb57d Mon Sep 17 00:00:00 2001 
From: Camilla Conte Date: Mon, 4 Nov 2024 09:52:30 +0100 Subject: [PATCH 010/298] tekton: use build pipeline from bundle Get the pipeline definition directly from the Konflux repo instead of maintaining a copy here. This solves the enterprise contract violation of a missing task (rpms-signature-scan) and reduces friction for future changes. --- .tekton/multi-arch-build-pipeline.yaml | 571 ------------------------- .tekton/trustee-pull-request.yaml | 21 +- .tekton/trustee-push.yaml | 23 +- 3 files changed, 25 insertions(+), 590 deletions(-) delete mode 100644 .tekton/multi-arch-build-pipeline.yaml diff --git a/.tekton/multi-arch-build-pipeline.yaml b/.tekton/multi-arch-build-pipeline.yaml deleted file mode 100644 index 94194d30ac..0000000000 --- a/.tekton/multi-arch-build-pipeline.yaml +++ /dev/null 
@@ -1,571 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: multi-arch-build-pipeline -spec: - tasks: - - name: init - taskRef: - resolver: bundles - params: - - name: name - value: init - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc - - name: kind - value: task - params: - - name: image-url - value: "$(params.output-image)" - - name: rebuild - value: "$(params.rebuild)" - - name: skip-checks - value: "$(params.skip-checks)" - - name: clone-repository - taskRef: - resolver: bundles - params: - - name: name - value: git-clone-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d1e63ec00bed1c9f0f571fa76b4da570be49a7c255c610544a461495230ba1b1 - - name: kind - value: task - when: - - input: "$(tasks.init.results.build)" - operator: in - values: - - 'true' - runAfter: - - init - params: - - name: url - value: "$(params.git-url)" - - name: revision - value: "$(params.revision)" - - name: ociStorage - value: "$(params.output-image).git" - - name: ociArtifactExpiresAfter - value: "$(params.image-expires-after)" - workspaces: - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - taskRef: - resolver: bundles - params: - - name: name - value: prefetch-dependencies-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:4e43e71a09cb5ce2b3a6b591e32f2cd223657c9b882d9a42020dcaa21ac27338 - - name: kind - value: task - params: - - name: input - value: "$(params.prefetch-input)" - - name: hermetic - value: "$(params.hermetic)" - - name: dev-package-managers - value: $(params.prefetch-dev-package-managers-enabled) - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - - name: ociStorage - value: $(params.output-image).prefetch - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - - name: 
build-container-amd64 - taskRef: - resolver: bundles - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - - name: kind - value: task - runAfter: - - prefetch-dependencies - when: - - input: "$(tasks.init.results.build)" - operator: in - values: - - 'true' - - input: "$(params.enable-amd64-build)" - operator: in - values: - - 'true' - params: - - name: IMAGE - value: "$(params.output-image)-amd64" - - name: DOCKERFILE - value: "$(params.dockerfile)" - - name: CONTEXT - value: "$(params.path-context)" - - name: HERMETIC - value: "$(params.hermetic)" - - name: PREFETCH_INPUT - value: "$(params.prefetch-input)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: PLATFORM - value: $(params.amd64-platform) - - name: build-container-arm64 - taskRef: - resolver: bundles - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - - name: kind - value: task - runAfter: - - prefetch-dependencies - when: - - input: "$(tasks.init.results.build)" - operator: in - values: - - 'true' - - input: "$(params.enable-arm64-build)" - operator: in - values: - - 'true' - params: - - name: IMAGE - value: "$(params.output-image)-arm64" - - name: DOCKERFILE - value: "$(params.dockerfile)" - - name: CONTEXT - value: "$(params.path-context)" - - name: HERMETIC - value: "$(params.hermetic)" - - name: PREFETCH_INPUT - value: 
"$(params.prefetch-input)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: PLATFORM - value: $(params.arm64-platform) - - name: build-container-ppc64le - taskRef: - resolver: bundles - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - - name: kind - value: task - runAfter: - - prefetch-dependencies - when: - - input: "$(tasks.init.results.build)" - operator: in - values: - - 'true' - - input: "$(params.enable-ppc64le-build)" - operator: in - values: - - 'true' - params: - - name: IMAGE - value: "$(params.output-image)-ppc64le" - - name: DOCKERFILE - value: "$(params.dockerfile)" - - name: CONTEXT - value: "$(params.path-context)" - - name: HERMETIC - value: "$(params.hermetic)" - - name: PREFETCH_INPUT - value: "$(params.prefetch-input)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: PLATFORM - value: $(params.ppc64le-platform) - - name: build-container-s390x - taskRef: - resolver: bundles - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.2@sha256:bd704cf7eb042f1fd48bfbd872a3f5a3632697a117602e242653ed323e6db52e - - name: 
kind - value: task - runAfter: - - prefetch-dependencies - when: - - input: "$(tasks.init.results.build)" - operator: in - values: - - 'true' - - input: "$(params.enable-s390x-build)" - operator: in - values: - - 'true' - params: - - name: IMAGE - value: "$(params.output-image)-s390x" - - name: DOCKERFILE - value: "$(params.dockerfile)" - - name: CONTEXT - value: "$(params.path-context)" - - name: HERMETIC - value: "$(params.hermetic)" - - name: PREFETCH_INPUT - value: "$(params.prefetch-input)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: PLATFORM - value: $(params.s390x-platform) - - name: build-image-index - params: - - name: IMAGE - value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: IMAGES - value: - - $(tasks.build-container-amd64.results.IMAGE_URL)@$(tasks.build-container-amd64.results.IMAGE_DIGEST) - # - $(tasks.build-container-arm64.results.IMAGE_URL)@$(tasks.build-container-arm64.results.IMAGE_DIGEST) - - $(tasks.build-container-s390x.results.IMAGE_URL)@$(tasks.build-container-s390x.results.IMAGE_DIGEST) - # - $(tasks.build-container-ppc64le.results.IMAGE_URL)@$(tasks.build-container-ppc64le.results.IMAGE_DIGEST) - runAfter: - - build-container-amd64 - - build-container-arm64 - - build-container-s390x - - build-container-ppc64le - taskRef: - params: - - name: name - value: build-image-manifest - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:b0cf7cb6749ac811c01a7c47596e6b8381c98100c4c6050567b02f4e8d7ddcb1 - - name: kind - value: task - resolver: bundles - when: - - input: "$(tasks.init.results.build)" - 
operator: in - values: - - 'true' - - name: build-source-image - taskRef: - resolver: bundles - params: - - name: name - value: source-build-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:261f075fd5a096f7b28a999b505136b2a3a5aef390087148b3131fd3ec295db3 - - name: kind - value: task - when: - - input: "$(tasks.init.results.build)" - operator: in - values: - - 'true' - - input: "$(params.build-source-image)" - operator: in - values: - - 'true' - runAfter: - - build-image-index - params: - - name: BINARY_IMAGE - value: "$(params.output-image)" - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: deprecated-base-image-check - taskRef: - resolver: bundles - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:b4f9599f5770ea2e6e4d031224ccc932164c1ecde7f85f68e16e99c98d754003 - - name: kind - value: task - when: - - input: "$(params.skip-checks)" - operator: in - values: - - 'false' - runAfter: - - build-image-index - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: clair-scan - taskRef: - resolver: bundles - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:28fee4bf5da87f2388c973d9336086749cad8436003f9a514e22ac99735e056b - - name: kind - value: task - when: - - input: "$(params.skip-checks)" - operator: in - values: - - 'false' - runAfter: - - build-image-index - params: - - name: image-digest - value: "$(tasks.build-image-index.results.IMAGE_DIGEST)" - - name: image-url - value: "$(tasks.build-image-index.results.IMAGE_URL)" - - name: ecosystem-cert-preflight-checks - taskRef: - 
resolver: bundles - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:5131cce0f93d0b728c7bcc0d6cee4c61d4c9f67c6d619c627e41e3c9775b497d - - name: kind - value: task - when: - - input: "$(params.skip-checks)" - operator: in - values: - - 'false' - runAfter: - - build-image-index - params: - - name: image-url - value: "$(tasks.build-image-index.results.IMAGE_URL)" - - name: sast-snyk-check - taskRef: - resolver: bundles - params: - - name: name - value: sast-snyk-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:92af5ba1bb9d6bf442c8d3b317ada71d44a9c1ab59959a37bbb5d163205a104f - - name: kind - value: task - when: - - input: "$(params.skip-checks)" - operator: in - values: - - 'false' - runAfter: - - clone-repository - params: - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: clamav-scan - taskRef: - resolver: bundles - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:a94b6523ba0b691dc276e37594321c2eff3594d2753014e5c920803b47627df1 - - name: kind - value: task - when: - - input: "$(params.skip-checks)" - operator: in - values: - - 'false' - runAfter: - - build-image-index - params: - - name: image-digest - value: "$(tasks.build-image-index.results.IMAGE_DIGEST)" - - name: image-url - value: "$(tasks.build-image-index.results.IMAGE_URL)" - - name: apply-tags - params: - - name: IMAGE - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: apply-tags - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:f485e250fb060060892b633c495a3d7e38de1ec105ae1be48608b0401530ab2c - - name: kind - value: task - resolver: bundles - params: - - name: git-url - type: 
string - description: Source Repository URL - - name: revision - type: string - description: Revision of the Source Repository - default: '' - - name: output-image - type: string - description: Fully Qualified Output Image - - name: path-context - type: string - description: Path to the source code of an application's component from where to - build image. - default: "." - - name: dockerfile - type: string - description: Path to the Dockerfile inside the context specified by parameter path-context - default: Dockerfile - - name: rebuild - type: string - description: Force rebuild image - default: 'false' - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: '' - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "true" - description: Enable dev-package-managers in prefetch task - name: prefetch-dev-package-managers-enabled - type: string - - name: java - type: string - description: Java build - default: 'false' - - name: image-expires-after - description: Image tag expiration time, time values could be something like 1h, - 2d, 3w for hours, days, and weeks, respectively. - default: '' - - name: build-source-image - type: string - description: Build a source image. 
- default: 'false' - - name: build-args-file - type: string - description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file - default: "" - - name: enable-amd64-build - type: string - description: Enable amd64 builds - default: "true" - - name: enable-arm64-build - type: string - description: Enable arm64 builds - default: "true" - - name: enable-ppc64le-build - type: string - description: Enable ppc64le builds - default: "true" - - name: enable-s390x-build - type: string - description: Enable s390x builds - default: "true" - - name: amd64-platform - type: string - description: Enable the amd64 platform to be changed from the PipelineRun file - default: linux/amd64 - - name: arm64-platform - type: string - description: Enable the arm64 platform to be changed from the PipelineRun file - default: linux/arm64 - - name: ppc64le-platform - type: string - description: Enable the ppc64le platform to be changed from the PipelineRun file - default: linux/ppc64le - - name: s390x-platform - type: string - description: Enable the s390x platform to be changed from the PipelineRun file - default: linux/s390x - workspaces: - - name: git-auth - optional: true - results: - - name: IMAGE_URL - description: '' - value: "$(tasks.build-image-index.results.IMAGE_URL)" - - name: IMAGE_DIGEST - description: '' - value: "$(tasks.build-image-index.results.IMAGE_DIGEST)" - - name: CHAINS-GIT_URL - description: '' - value: "$(tasks.clone-repository.results.url)" - - name: CHAINS-GIT_COMMIT - description: '' - value: "$(tasks.clone-repository.results.commit)" - - name: JAVA_COMMUNITY_DEPENDENCIES - description: '' - value: "$(tasks.build-container-amd64.results.JAVA_COMMUNITY_DEPENDENCIES)" - finally: - - name: show-sbom - taskRef: - resolver: bundles - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28 - 
- name: kind - value: task - params: - - name: IMAGE_URL - value: "$(tasks.build-image-index.results.IMAGE_URL)" - - name: show-summary - taskRef: - resolver: bundles - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - - name: kind - value: task - params: - - name: pipelinerun-name - value: "$(context.pipelineRun.name)" - - name: git-url - value: "$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)" - - name: image-url - value: "$(params.output-image)" - - name: build-task-status - value: "$(tasks.build-image-index.status)" diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 318860bce1..7980af79e9 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -32,16 +32,19 @@ spec: value: '{{revision}}' - name: build-source-image value: "true" - - name: enable-amd64-build - value: "true" - - name: enable-arm64-build - value: "false" - - name: enable-ppc64le-build - value: "false" - - name: enable-s390x-build - value: "true" + - name: build-platforms + value: + - linux/x86_64 + - linux/s390x pipelineRef: - name: multi-arch-build-pipeline + resolver: bundles + params: + - name: name + value: docker-build-multi-platform-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta@sha256:615b78b471bde880e94a7caa27cb25ffd9a0962f3bdcaaf4780858cec6093836 + - name: kind + value: pipeline taskRunTemplate: {} workspaces: - name: git-auth diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 02e93fb160..d7479a6260 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml 
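Review bot: The new `pipelineRef` in `.tekton/trustee-pull-request.yaml` pins the remote pipeline by digest only, and nothing in the file says which catalog revision that digest corresponds to. Because this commit also deletes the in-repo pipeline definition, a reader can no longer see from the repository which scan and check tasks the build runs. I would add a comment above `pipelineRef`, for example `# Pipeline definition is pulled from the Konflux tekton-catalog bundle; the sha256 digest is the trust anchor, inspect the bundle before changing it`. The same applies to the second hunk of `.tekton/trustee-push.yaml`. The PipelineRun spec continues outside the hunk, so whether the remaining params match what the remote pipeline declares cannot be checked from here.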
@@ -7,7 +7,7 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch - == "main" + == "main" creationTimestamp: null labels: appstudio.openshift.io/application: trustee @@ -29,16 +29,19 @@ spec: value: '{{revision}}' - name: build-source-image value: "true" - - name: enable-amd64-build - value: "true" - - name: enable-arm64-build - value: "false" - - name: enable-ppc64le-build - value: "false" - - name: enable-s390x-build - value: "true" + - name: build-platforms + value: + - linux/x86_64 + - linux/s390x pipelineRef: - name: multi-arch-build-pipeline + resolver: bundles + params: + - name: name + value: docker-build-multi-platform-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta@sha256:615b78b471bde880e94a7caa27cb25ffd9a0962f3bdcaaf4780858cec6093836 + - name: kind + value: pipeline taskRunTemplate: {} workspaces: - name: git-auth From bf1200ccbfdea035ab83cb097023461ae62e641d Mon Sep 17 00:00:00 2001 From: Camilla Conte Date: Tue, 5 Nov 2024 13:35:39 +0100 Subject: [PATCH 011/298] tekton: add pipeline timeout --- .tekton/trustee-pull-request.yaml | 2 ++ .tekton/trustee-push.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 7980af79e9..ef75946074 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -50,4 +50,6 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + timeouts: + pipeline: "2h" status: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index d7479a6260..dc8058715b 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -47,4 +47,6 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' + timeouts: + pipeline: "2h" status: {} 
From bca83222d60cb43b5bc37a193b0d2a827dd40517 Mon Sep 17 00:00:00 2001 From: Camilla Conte Date: Thu, 14 Nov 2024 10:33:01 +0100 Subject: [PATCH 012/298] tekton: add tag to pipeline ref to enable renovate to auto update the digest --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index ef75946074..4419a5e08b 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta@sha256:615b78b471bde880e94a7caa27cb25ffd9a0962f3bdcaaf4780858cec6093836 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:870d47d4a0ddbe80293e87d4dd548c75f5d8322c58bcf8d578f339c9e8097e36 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index dc8058715b..6491805426 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta@sha256:615b78b471bde880e94a7caa27cb25ffd9a0962f3bdcaaf4780858cec6093836 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:870d47d4a0ddbe80293e87d4dd548c75f5d8322c58bcf8d578f339c9e8097e36 - name: kind value: pipeline taskRunTemplate: {} From 91bdddf3720b63c192e946739bec150a05630895 Mon Sep 17 00:00:00 2001 From: Adithya Krishnan Kannan Date: Thu, 21 Nov 2024 15:12:06 -0600 Subject: [PATCH 013/298] verifier: Change logic to check the attestation report version Fixes Issue #589 Change the check condition to handle multiple attestation report versions. 
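Review bot: Besides adding the `:devel` tag, the `bundle` line in `.tekton/trustee-pull-request.yaml` also moves the digest from `sha256:615b78b4…` to `sha256:870d47d4…`, which the commit message does not mention. The same happens in the `.tekton/trustee-push.yaml` hunk. As far as I know the digest is what is resolved when a reference carries both a tag and a digest, so a comment would help, for example `# the @sha256 digest is what gets resolved; :devel only lets renovate find newer digests`. Since the tag follows a development stream, each renovate bump changes the definition of the trusted build pipeline and should be reviewed rather than merged automatically.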
Signed-off-by: Adithya Krishnan Kannan --- attestation-service/verifier/src/snp/mod.rs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/attestation-service/verifier/src/snp/mod.rs b/attestation-service/verifier/src/snp/mod.rs index b5e4276b71..9c31123241 100644 --- a/attestation-service/verifier/src/snp/mod.rs +++ b/attestation-service/verifier/src/snp/mod.rs @@ -32,6 +32,10 @@ const SNP_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .3); const TEE_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .2); const LOADER_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .1); +/// Attestation report versions supported +const REPORT_VERSION_MIN: u32 = 2; +const REPORT_VERSION_MAX: u32 = 3; + #[derive(Debug)] pub struct Snp { vendor_certs: VendorCertificates, @@ -90,8 +94,9 @@ impl Verifier for Snp { verify_report_signature(&report, &cert_chain, &self.vendor_certs)?; - if report.version != 2 { - return Err(anyhow!("Unexpected report version")); + // See Trustee Issue#589 https://github.com/confidential-containers/trustee/issues/589 + if report.version < REPORT_VERSION_MIN || report.version > REPORT_VERSION_MAX { + return Err(anyhow!("Unexpected attestation report version. Check SNP Firmware ABI specification")); } if report.vmpl != 0 { From 9a89aa18027d5929c2f6090cbbe8a69d48cfef93 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 7 Dec 2024 08:44:21 +0000 Subject: [PATCH 014/298] chore(deps): update konflux references to 09c01c9 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 4419a5e08b..f6792492ff 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml 
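Review bot: The widened check in the second hunk of `snp/mod.rs` now accepts report version 3, but nothing visible shows that the fields read later in this function have the same layout and meaning in a version 3 report; the function body continues outside the hunk. That should be confirmed against the SNP firmware ABI specification before the range is relied on. The new error also omits the received value, so I would report it: `return Err(anyhow!("Unexpected attestation report version {}; supported: {}..={}", report.version, REPORT_VERSION_MIN, REPORT_VERSION_MAX));`. In the first hunk the doc comment `/// Attestation report versions supported` attaches only to `REPORT_VERSION_MIN`, so `REPORT_VERSION_MAX` should get its own one-line `///`.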
@@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:870d47d4a0ddbe80293e87d4dd548c75f5d8322c58bcf8d578f339c9e8097e36 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:09c01c9147905499b8bfc18789a33b3e84e7d349d035066c8010d248a4a77cd8 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 6491805426..79f3decdd8 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:870d47d4a0ddbe80293e87d4dd548c75f5d8322c58bcf8d578f339c9e8097e36 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:09c01c9147905499b8bfc18789a33b3e84e7d349d035066c8010d248a4a77cd8 - name: kind value: pipeline taskRunTemplate: {} From acde8d1286ee557606862f08c4525c4ec2438da6 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Thu, 12 Dec 2024 10:28:22 +0000 Subject: [PATCH 015/298] Fix konflux digests Signed-off-by: Leonardo Milleri --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index f6792492ff..d825a725e2 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml 
@@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:09c01c9147905499b8bfc18789a33b3e84e7d349d035066c8010d248a4a77cd8 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:98bbc1940dc8c2605d0e44420baa10c306d3758b1f9fbbc08588440c42b68718 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 79f3decdd8..0772b48e39 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:09c01c9147905499b8bfc18789a33b3e84e7d349d035066c8010d248a4a77cd8 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:98bbc1940dc8c2605d0e44420baa10c306d3758b1f9fbbc08588440c42b68718 - name: kind value: pipeline taskRunTemplate: {} From 56af52a4207b3589c80dd386c590e23457435513 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 14 Dec 2024 17:00:04 +0000 Subject: [PATCH 016/298] chore(deps): update konflux references to 73c6701 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index d825a725e2..9784cab9f6 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml 
@@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:98bbc1940dc8c2605d0e44420baa10c306d3758b1f9fbbc08588440c42b68718 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:73c6701427023daf5791c3e5179ec5b4005a9e7e81fd3f6a6c3d7859d7cbdf42 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 0772b48e39..24016f3034 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:98bbc1940dc8c2605d0e44420baa10c306d3758b1f9fbbc08588440c42b68718 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:73c6701427023daf5791c3e5179ec5b4005a9e7e81fd3f6a6c3d7859d7cbdf42 - name: kind value: pipeline taskRunTemplate: {} From 29c2c852baed956640a0adc5846735b0a8aa3eb7 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 8 Feb 2025 09:05:19 +0000 Subject: [PATCH 017/298] chore(deps): update konflux references to 397b727 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 9784cab9f6..55d6912eb5 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml 
@@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:73c6701427023daf5791c3e5179ec5b4005a9e7e81fd3f6a6c3d7859d7cbdf42 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:397b72713668243d23c5ccce9b1353de95cd40c1c0a672f4bd8c94f820bd2ac8 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 24016f3034..67cde87959 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:73c6701427023daf5791c3e5179ec5b4005a9e7e81fd3f6a6c3d7859d7cbdf42 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:397b72713668243d23c5ccce9b1353de95cd40c1c0a672f4bd8c94f820bd2ac8 - name: kind value: pipeline taskRunTemplate: {} From 7a7c05a334c0503b9a758f1a9372382d655d5158 Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Thu, 20 Jun 2024 13:46:29 +0200 Subject: [PATCH 018/298] intel-trust-authority-as: add error message log - Added logging error message for failed appraisal request. - Fixed typos Sample log: `ERROR api_server::http::error] Attestation failed: Attestation request failed: response status=400 Bad Request, message=Invalid nonce and/or run time data provided in the request` Signed-off-by: Pawel Proskurnicki --- .../attestation/intel_trust_authority/mod.rs | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/kbs/src/api/src/attestation/intel_trust_authority/mod.rs b/kbs/src/api/src/attestation/intel_trust_authority/mod.rs index 7104548ce9..2eac0ac656 100644 --- a/kbs/src/api/src/attestation/intel_trust_authority/mod.rs 
+++ b/kbs/src/api/src/attestation/intel_trust_authority/mod.rs @@ -38,6 +38,11 @@ struct Claims { policy_ids_unmatched: Option>, } +#[derive(Deserialize, Debug)] +struct ErrorResponse { + error: String, +} + #[derive(Clone, Debug, Deserialize)] pub struct IntelTrustAuthorityConfig { pub base_url: String, @@ -92,10 +97,16 @@ impl Attest for IntelTrustAuthority { .await .map_err(|e| anyhow!("Post attestation request failed: {:?}", e))?; - if resp.status() != reqwest::StatusCode::OK { + let status = resp.status(); + if status != reqwest::StatusCode::OK { + let body = resp + .json::() + .await + .map_err(|e| anyhow!("Deserialize error response failed: {:?}", e))?; bail!( - "Attestation request failed: respone status={}", - resp.status() + "Attestation request failed: response status={}, message={}", + status, + body.error ); } @@ -103,7 +114,7 @@ impl Attest for IntelTrustAuthority { let resp_data = resp .json::() .await - .map_err(|e| anyhow!("Deserialize attestation respone failed: {:?}", e))?; + .map_err(|e| anyhow!("Deserialize attestation response failed: {:?}", e))?; let header = decode_header(&resp_data.token) .map_err(|e| anyhow!("Decode token header failed: {:?}", e))?; let kid = header.kid.ok_or(anyhow!("Token missing kid"))?; From e4fafe386bc1bc9c598fe33100c86bd6de88bc11 Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Wed, 26 Jun 2024 09:26:39 +0800 Subject: [PATCH 019/298] doc: add rvps guide for ibmse verifier - Added guide on how to set rvps for ibmse verifier Co-authored-by: Da Li Liu Co-authored-by: Lei Li Co-authored-by: Yan Song Liu Signed-off-by: Qi Feng Huo --- attestation-service/verifier/src/se/README.md | 255 ------------------ 1 file changed, 255 deletions(-) delete mode 100644 attestation-service/verifier/src/se/README.md diff --git a/attestation-service/verifier/src/se/README.md b/attestation-service/verifier/src/se/README.md deleted file mode 100644 index 0ee09c0882..0000000000 
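Review bot: In the non-OK branch of the second hunk, a failure to parse the error body now hides the HTTP status. If the service or an intermediary answers with a body that is not the expected JSON, the `?` after `map_err` returns "Deserialize error response failed" and the status code is never reported. A fallback keeps the status visible, e.g. `let message = resp.json::<ErrorResponse>().await.map(|b| b.error).unwrap_or_else(|e| format!("unparseable error body: {e:?}"));` followed by the existing `bail!` with `status, message` (the type parameter is presumably the `ErrorResponse` struct added in the first hunk). The `error` string is chosen by the remote service and is formatted straight into the logged error, so bounding its length before formatting is worth considering. The enclosing function starts and ends outside the hunk.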
--- a/attestation-service/verifier/src/se/README.md +++ /dev/null 
@@ -1,255 +0,0 @@ - -# KBS with IBM SE verifier - -This is a document to guide developer run a KBS with IBM SE verifier locally for development purpose. - -## Index - -- [Deployment of KBS with IBM SE verifier](#deployment-of-kbs-with-ibm-se-verifier) -- [Set attestation policy for IBM SE verifier](#set-attestation-policy) - - - -# Deployment of KBS with IBM SE verifier - -This section is about deployment of KBS without rvps checking. - -## Generate RSA keys -Generate RSA 4096 key pair following commands: -```bash -openssl genrsa -aes256 -passout pass:test1234 -out encrypt_key-psw.pem 4096 -openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -pubout -out encrypt_key.pub -openssl rsa -in encrypt_key-psw.pem -out encrypt_key.pem -``` - - -## Download Certs, CRLs -Donwload these materials from: https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen2.html -Which includes: - -### Certs -ibm-z-host-key-signing-gen2.crt -DigiCertCA.crt - -### CRL -ibm-z-host-key-gen2.crl -DigiCertTrustedRootG4.crl -DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl - -Note: `DigiCertTrustedRootG4.crl` and `DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl` come from commands as below: -```bash -# openssl x509 -in DigiCertCA.crt --text --noout |grep crl - URI:http://crl3.digicert.com/DigiCertTrustedRootG4.crl -# openssl x509 -in ibm-z-host-key-signing-gen2.crt --text --noout |grep crl - URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl - URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl -``` - -## Download HKD -Download IBM Secure Execution Host Key Document following: https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document - -## Get SE Header -Build `se.img` following [Generate an IBM Secure Execution image](https://www.ibm.com/docs/en/linux-on-systems?topic=commands-genprotimg) and retrieve the hdr.bin via command like below. 
-```bash -./pvextract-hdr -o hdr.bin se.img -``` - -Refer [ibm-s390-linux](https://github.com/ibm-s390-linux/s390-tools/blob/v2.33.1/rust/pvattest/tools/pvextract-hdr) to get `pvextract-hdr`. - -## Generate KBS key -Generate keys used by KBS service. -```bash -openssl genpkey -algorithm ed25519 > kbs.key -openssl pkey -in kbs.key -pubout -out kbs.pem -``` - -## (Option 1) Launch KBS as a program - -- Build KBS -```bash -cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa -``` - -- Prepare the material retrieved above, similar as: -``` -/run/confidential-containers/ibmse# -. -├── certs -│ ├── ibm-z-host-key-signing-gen2.crt -| └── DigiCertCA.crt -├── crls -│ └── ibm-z-host-key-gen2.crl -│ └── DigiCertTrustedRootG4.crl -│ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl -├── hdr -│ └── hdr.bin -├── hkds -│ └── HKD-3931-0275D38.crt -└── rsa - ├── encrypt_key.pem - └── encrypt_key.pub -``` - -> Note: alternative is to use system variables listed in [ibmse.rs](./ibmse.rs) to overwrite the files. - -- Prepare the `kbs-config.toml`, similar as: -``` -sockets = ["0.0.0.0:8080"] -auth_public_key = "/kbs/kbs.pem" -# Ideally we should use some solution like cert-manager to issue let's encrypt based certificate: -# https://cert-manager.io/docs/configuration/acme/ -insecure_http = true - -[attestation_token_config] -attestation_token_type = "CoCo" - -[as_config] -work_dir = "/opt/confidential-containers/attestation-service" -policy_engine = "opa" -attestation_token_broker = "Simple" - -[as_config.attestation_token_config] -duration_min = 5 - -[as_config.rvps_config] -store_type = "LocalFs" -remote_addr = "" -``` - -- Launch the KBS program -```bash -export RUST_LOG=debug -export SE_SKIP_CERTS_VERIFICATION=true -./kbs --config-file ./kbs-config.toml -``` - -> Note: `export SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. 
Use `export CERTS_OFFLINE_VERIFICATION=true` to verifiy the certificates offline. - -## (Option 2) Launch KBS via docker-compose -- Build the docker image -``` -DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile -``` - -- Prepare a docker compose file, similar as: -``` -services: - kbs: - image: ghcr.io/confidential-containers/staged-images/kbs:latest - command: [ - "/usr/local/bin/kbs", - "--config-file", - "/etc/kbs-config.toml", - ] - restart: always # keep the server running - environment: - - RUST_LOG=debug - - SE_SKIP_CERTS_VERIFICATION=true - ports: - - "8080:8080" - volumes: - - ./data/kbs-storage:/opt/confidential-containers/kbs/repository:rw - - ./data/attestation-service:/opt/confidential-containers/attestation-service:rw - - ./kbs.pem:/kbs/kbs.pem - - ./kbs-config.toml:/etc/kbs-config.toml - - ./data/hkds:/run/confidential-containers/ibmse/hkds - - ./data/certs:/run/confidential-containers/ibmse/certs - - ./data/crls:/run/confidential-containers/ibmse/crls - - ./data/hdr.bin:/run/confidential-containers/ibmse/hdr/hdr.bin - - ./data/rsa/encrypt_key.pem:/run/confidential-containers/ibmse/rsa/encrypt_key.pem - - ./data/rsa/encrypt_key.pub:/run/confidential-containers/ibmse/rsa/encrypt_key.pub -``` -> Note: `export SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. Use `export CERTS_OFFLINE_VERIFICATION=true` to verifiy the certificates offline. - -- Prepare the material, similar as: -``` -. 
-├── data -│   ├── attestation-service -│   │   ├── opa -│   │   │   └── default.rego -│   ├── certs -│   │   ├── ibm-z-host-key-signing-gen2.crt -│   │   └── DigiCertCA.crt -│   ├── crls -│   │   └── ibm-z-host-key-gen2.crl -│ │ └── DigiCertTrustedRootG4.crl -│ │ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl -│   ├── hdr.bin -│   ├── hkds -│   │   └── HKD-3931-0275D38.crt -│   ├── kbs-storage -│   │   ├── default -│   │   └── one -│   │   └── two -│   │   └── key -│   └── rsa -│   ├── encrypt_key.pem -│   └── encrypt_key.pub -├── docker-compose.yaml -├── kbs-config.toml -├── kbs.key -└── kbs.pem -``` - -- Launch KBS as docker compose application -```bash -docker-compose up -d -docker-compose logs kbs -docker-compose down -``` - - -# Set attestation policy - -This section is about setting attestation policy. - -### Retrive the attestation policy fields for IBM SE - -Using [se_parse_hdr.py](se_parse_hdr.py) on a s390x instance to retrieve the IBM SE fields for attestation policy. - -```bash -python3 se_parse_hdr.py hdr.bin HKD-3931.crt - -... - ================================================ - se.image_phkh: xxx - se.version: 256 - se.tag: xxx - se.attestation_phkh: xxx -``` - -We get following fields and will set these fields in rvps for attestation policy. -`se.version: 256` -`se.tag: xxx` -`se.attestation_phkh: xxx` -`se.image_phkh: xxx` - - -### Set attestation policy - -#### Generate attestation policy file -```bash -cat << EOF > ibmse-policy.rego -package policy -import rego.v1 -default allow = false - -converted_version := sprintf("%v", [input["se.version"]]) - -allow if { - input["se.attestation_phkh"] == "xxx" - input["se.image_phkh"] == "xxx" - input["se.tag"] == "xxx" - input["se.user_data"] == "xxx" - converted_version == "256" -} -EOF -``` - -Where the values `se.version`, `se.attestation_phkh`, `se.image_phkh` and `se.tag` come from [retrive-the-rvps-field-for-an-ibm-se-image](#retrive-the-rvps-field-for-an-ibm-se-image). 
The value `se.user_data` comes from [initdata](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/docs/initdata.md). Please remove `input["se.user_data"] == "xxx"` if `initdata` is not used. - -#### Set the attestation policy -```bash -kbs-client --url http://127.0.0.1:8080 config --auth-private-key ./kbs/kbs.key set-attestation-policy --policy-file ./ibmse-policy.rego -``` \ No newline at end of file From 75a3aedc2ca4b5dc1d72d3146b7aac561e022ead Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Thu, 27 Jun 2024 08:36:14 +0800 Subject: [PATCH 020/298] doc: rename parse_hdr to se_parse_hdr Signed-off-by: Qi Feng Huo --- .../verifier/src/se/se_parse_hdr.py | 162 ------------------ 1 file changed, 162 deletions(-) delete mode 100644 attestation-service/verifier/src/se/se_parse_hdr.py diff --git a/attestation-service/verifier/src/se/se_parse_hdr.py b/attestation-service/verifier/src/se/se_parse_hdr.py deleted file mode 100644 index d8191f6642..0000000000 --- a/attestation-service/verifier/src/se/se_parse_hdr.py +++ /dev/null 
@@ -1,162 +0,0 @@ -# Copyright (C) Copyright IBM Corp. 2024 -# -# SPDX-License-Identifier: Apache-2.0 -# - -from cryptography import x509 -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import serialization, hashes -from cryptography.hazmat.primitives.asymmetric import ec -import hashlib -import sys -import struct - - -def parse_certificate(cert_path): - """Parse the certificate from file path and return the public key.""" - with open(cert_path, 'rb') as cert_file: - cert_data = cert_file.read() - cert = x509.load_pem_x509_certificate(cert_data, default_backend()) - return cert.public_key() - -def ec_point_to_affine_coordinates(public_key): - """Convert EC public key to affine coordinates (x, y).""" - if isinstance(public_key, ec.EllipticCurvePublicKey): - # Get the uncompressed point bytes - point = public_key.public_bytes( - encoding=serialization.Encoding.X962, - format=serialization.PublicFormat.UncompressedPoint - ) - curve = public_key.curve - x_bytes = point[1:curve.key_size//8+2] # skip the first byte (0x04) - y_bytes = point[curve.key_size//8+2:] - return x_bytes, y_bytes - else: - raise ValueError("Invalid EC public key type") - -def bn_bn2binpad(bn, size): - """Convert BN to binary padded format.""" - bn_bytes = bn.to_bytes((bn.bit_length() + 7) // 8, byteorder='big') - if len(bn_bytes) < size: - padded_bytes = b'\x00' * (size - len(bn_bytes)) + bn_bytes - elif len(bn_bytes) > size: - padded_bytes = bn_bytes[-size:] - else: - padded_bytes = bn_bytes - return padded_bytes - -def generate_sha256_hash(data): - """Generate SHA-256 hash of input data.""" - sha256_hash = hashlib.sha256(data).hexdigest() - return sha256_hash - -def bytes_to_hex_string(byte_data): - """Convert bytes to hex string.""" - return ''.join(f'{b:02x}' for b in byte_data) - -def parse_img_phkh_from_hkd(filename): - # Parse certificate and extract public key - public_key = parse_certificate(filename) - - # Get affine coordinates - x_bytes, 
y_bytes = ec_point_to_affine_coordinates(public_key) - - # Convert x_bytes and y_bytes to binary padded format - x_bin = bn_bn2binpad(int.from_bytes(x_bytes, byteorder='big'), 80) # 66 bytes for P-521 curve - y_bin = bn_bn2binpad(int.from_bytes(y_bytes, byteorder='big'), 80) - - # Log x_bin and y_bin - x_bin_str = bytes_to_hex_string(x_bin) - y_bin_str = bytes_to_hex_string(y_bin) - - # Concatenate x_bin and y_bin - ecdh_data = x_bin + y_bin - - # Log concatenated data - ecdh_data_str = bytes_to_hex_string(ecdh_data) - - # Calculate SHA-256 hash - hkd_phkh = generate_sha256_hash(ecdh_data) - return hkd_phkh - -def parse_hdr(hdr_file, hkd_file): - with open(hdr_file, 'rb') as f: - - hkd_phkh = parse_img_phkh_from_hkd(hkd_file) - key_slot_used_idx = -1 - - # Read the entire header based on the size defined in the structure - # https://github.com/ibm-s390-linux/s390-tools/blob/master/genprotimg/src/include/pv_hdr_def.h - header_size = 8 + 4 + 4 - # pv_hdr_head size 416 - pv_hdr_head_size = 8 + 4 + 4 + 12 + 4 + 8 + 8 + 8 + 8 + 160 + 64 + 64 + 64 - - after_key_slot_size = 144 - # pv_hdr_key_slot digest_key + wrapped_key = phkh - phkh_size = 32 - - hdr_data = f.read(header_size) - - # Unpack the header fields - fields = struct.unpack('8sII', hdr_data) - - magic, version, phs = fields - # The last 16 bits is the image tag - f.seek(-16, 2) - image_tag = f.read(16) - # Print the extracted fields - - print(f"Magic: {magic.decode('ascii')}") - print(f"phs: {phs}") - - f.seek(pv_hdr_head_size) - - length_phkh_data = phs - pv_hdr_head_size - after_key_slot_size - phkh_data = f.read(length_phkh_data) - - # Define the struct format (32 bytes for digest_key, 32 bytes for wrapped_key, 16 bytes for tag) - struct_format = '32s32s16s' - - # Calculate the size of each struct - struct_size = struct.calcsize(struct_format) - - for i in range(0, len(phkh_data), struct_size): - if i + struct_size > len(phkh_data): - break - chunk = phkh_data[i:i + struct_size] - digest_key, wrapped_key, 
tag = struct.unpack(struct_format, chunk) - if digest_key.hex() == hkd_phkh: - key_slot_used_idx = i - print(f" ========Host Key Document Hash used in this slot========= ") - print(f" Key Slot: {i//80 + 1}:") - print(f" image_phkh: {digest_key.hex()}") - print(f" wrapped_key: {wrapped_key.hex()}") - print(f" tag: {tag.hex()}") - # if the 1 slot selected, the idx is 0 - if key_slot_used_idx > -1: - chunk_used = phkh_data[key_slot_used_idx:key_slot_used_idx + struct_size] - digest_key, wrapped_key, tag = struct.unpack(struct_format, chunk_used) - print(f" ========Host Key Document Hash used in this slot========= ") - print(f" Key Slot: {key_slot_used_idx//80 + 1}:") - print(f" wrapped_key: {wrapped_key.hex()}") - print(f" HKD tag: {tag.hex()}") - print(f" Copy below value and set in rvps ") - print(f" ================================================ ") - print(f" se.image_phkh: {digest_key.hex()}") - else: - print(f" The HKD file not included when build the SE image ") - - - print(f" se.version: {version}") - print(f" se.tag: {image_tag.hex()}") - print(f" se.attestation_phkh: {hkd_phkh}") - - -if __name__ == "__main__": - if len(sys.argv) != 3: - print(f"Usage: {sys.argv[0]} ") - sys.exit(1) - - hdr_file = sys.argv[1] - hkd_file = sys.argv[2] - parse_hdr(hdr_file, hkd_file) From c7d12555487f52900b774b9ea76ce3d354e7d622 Mon Sep 17 00:00:00 2001 From: Lei Li Date: Tue, 25 Jun 2024 03:10:45 +0000 Subject: [PATCH 021/298] CLI: specify ATTESTER for to build kbs-client - Add ATTESTER in Makefile to specify seperate attester for kbs-client Signed-off-by: Lei Li Signed-off-by: Lei Li --- kbs/Makefile | 11 ++++++++++- kbs/tools/client/Cargo.toml | 10 ++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/kbs/Makefile b/kbs/Makefile index f90445f0af..7ec323816f 100644 --- a/kbs/Makefile +++ b/kbs/Makefile 
@@ -8,7 +8,8 @@ ifeq ($(filter $(ARCH),x86_64 s390x),) $(error "Unsupported architecture: $(ARCH)") endif -CLI_FEATURES ?= default +CLI_FEATURES ?= +ATTESTER ?= COCO_AS_INTEGRATION_TYPE ?= builtin @@ -20,6 +21,14 @@ else AS_FEATURE = $(AS_TYPE) endif +ifndef CLI_FEATURES + ifdef ATTESTER + CLI_FEATURES = "sample_only,$(ATTESTER)" + else + CLI_FEATURES += "sample_only,all-attesters" + endif +endif + build: background-check-kbs .PHONY: background-check-kbs diff --git a/kbs/tools/client/Cargo.toml b/kbs/tools/client/Cargo.toml index 8957aa6edc..0b5e500a60 100644 --- a/kbs/tools/client/Cargo.toml +++ b/kbs/tools/client/Cargo.toml @@ -28,3 +28,13 @@ tokio.workspace = true [features] default = ["kbs_protocol/default"] sample_only = ["kbs_protocol/background_check", "kbs_protocol/passport", "kbs_protocol/rust-crypto"] + +all-attesters = ["kbs_protocol/all-attesters"] +tdx-attester = ["kbs_protocol/tdx-attester"] +sgx-attester = ["kbs_protocol/sgx-attester"] +az-snp-vtpm-attester = ["kbs_protocol/az-snp-vtpm-attester"] +az-tdx-vtpm-attester = ["kbs_protocol/az-tdx-vtpm-attester"] +snp-attester = ["kbs_protocol/snp-attester"] +csv-attester = ["kbs_protocol/csv-attester"] +cca-attester = ["kbs_protocol/cca-attester"] +se-attester = ["kbs_protocol/se-attester"] From 68d7142ad5faddab77a83a7c075f27f770ebdc83 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Thu, 27 Jun 2024 13:30:58 +0200 Subject: [PATCH 022/298] ci: test use https in tests This test will enable https for the token-kbs. The resource-kbs will remain http. The test folder structure has been reworked a bit, so we don't end up littering the filesystem with temporary files, all temp resources should now end up in `./work` and can be safely removed without overwriting unrelated files. 
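Review bot: The two branches of the new `ifndef CLI_FEATURES` block in the second kbs/Makefile hunk assign differently: the ATTESTER branch uses `=` while the fallback uses `+=`. Inside `ifndef` there is nothing to append to, so the `+=` only suggests that a caller-supplied list is being extended, which this block never does; `CLI_FEATURES = "sample_only,all-attesters"` states the intent. A comment above `ATTESTER ?=` naming the accepted values (the `*-attester` features added to kbs/tools/client/Cargo.toml in this commit) would also help, since an unknown value is only rejected later, presumably when cargo resolves features.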
Signed-off-by: Magnus Kulke --- kbs/.gitignore | 7 +- kbs/test/Makefile | 146 +++++++++++------- kbs/test/{data/e2e => config}/kbs.toml | 16 +- .../{data/e2e => config}/resource-kbs.toml | 8 +- kbs/test/work/.gitkeep | 0 5 files changed, 107 insertions(+), 70 deletions(-) rename kbs/test/{data/e2e => config}/kbs.toml (57%) rename kbs/test/{data/e2e => config}/resource-kbs.toml (53%) create mode 100644 kbs/test/work/.gitkeep diff --git a/kbs/.gitignore b/kbs/.gitignore index 979f7dafd2..db212e5b3c 100644 --- a/kbs/.gitignore +++ b/kbs/.gitignore @@ -6,11 +6,8 @@ data # test -test/* -!test/Makefile -!test/data/ -test/data/attestation-service -test/data/repository +test/work +!test/work/.gitkeep config/private.key config/public.pub diff --git a/kbs/test/Makefile b/kbs/test/Makefile index ee0c588d8a..5bace17ef6 100644 --- a/kbs/test/Makefile +++ b/kbs/test/Makefile 
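Review bot: The negation added in the kbs/.gitignore hunk has no effect as written. `test/work` ignores the directory itself, and git does not re-include a file whose parent directory is excluded, so `!test/work/.gitkeep` never applies. Ignoring the contents instead keeps the placeholder tracked: `test/work/*` followed by `!test/work/.gitkeep`. Either form keeps the generated keys and certificates under work/ out of commits; the difference is only whether `.gitkeep` stays tracked without `git add -f`.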
@@ -3,13 +3,33 @@ RELEASE := $(shell lsb_release -sr) SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu SGX_COLLATERAL_URL := https://api.trustedservices.intel.com/sgx/certification/v4/ SGX_QCNL_CONFIG := /etc/sgx_default_qcnl.conf -KBS_REPO_PATH := ./data/repository -KBS_CONFIG_PATH := ./data/e2e +KBS_CONFIG_PATH := ./config MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) PROJECT_DIR := $(MAKEFILE_DIR)/.. BOLD := $(shell tput bold) SGR0 := $(shell tput sgr0) TEE ?= sample +WORK_DIR := $(MAKEFILE_DIR)/work +KBS_REPO_PATH := $(WORK_DIR)/repository +ATTESTATION_TOKEN := $(WORK_DIR)/attestation_token +ROUNDTRIP_FILE := $(WORK_DIR)/secret +REPOSITORY_SECRET := one/two/three +SECRET_FILE := $(KBS_REPO_PATH)/$(REPOSITORY_SECRET) + +# match those with the entries in the config/*.toml files +CA_KEY := $(WORK_DIR)/ca.key +CA_CSR := $(WORK_DIR)/ca-req.csr +CA_CERT := $(WORK_DIR)/ca-cert.pem +TOKEN_KEY := $(WORK_DIR)/token.key +TOKEN_CSR := $(WORK_DIR)/token-req.csr +TOKEN_CERT := $(WORK_DIR)/token-cert.pem +TOKEN_CERT_CHAIN := $(WORK_DIR)/token-cert-chain.pem +KBS_KEY := $(WORK_DIR)/kbs.key +KBS_PEM := $(WORK_DIR)/kbs.pem +TEE_KEY := $(WORK_DIR)/tee.key +HTTPS_KEY := $(WORK_DIR)/https.key +HTTPS_CERT := $(WORK_DIR)/https.crt +KBS_POLICY := $(WORK_DIR)/kbs-policy.rego SHELL := bash ifeq ($(OS),Ubuntu) 
@@ -71,38 +91,48 @@ client: .PHONY: bins bins: kbs resource-kbs client -ca-key.pem: - openssl genrsa -traditional -out ca-key.pem 2048 +$(CA_KEY): + openssl genrsa -traditional -out $(CA_KEY) 2048 -ca-cert.pem: ca-key.pem - openssl req -new -key ca-key.pem -out ca-req.csr -subj "/O=CNCF/OU=CoCo/CN=KBS-test-root" && \ - openssl req -x509 -days 3650 -key ca-key.pem -in ca-req.csr -out ca-cert.pem +$(CA_CERT): $(CA_KEY) + openssl req -new -key "$(CA_KEY)" -out "$(CA_CSR)" \ + -subj "/O=CNCF/OU=CoCo/CN=KBS-test-root" && \ + openssl req -x509 -days 3650 -key "$(CA_KEY)" -in "$(CA_CSR)" -out "$(CA_CERT)" -token-key.pem: - openssl genrsa -traditional -out token-key.pem 2048 +$(TOKEN_KEY): + openssl genrsa -traditional -out "$(TOKEN_KEY)" 2048 -token-cert.pem: token-key.pem ca-cert.pem ca-key.pem - openssl req -new -key token-key.pem -out token-req.csr -subj "/O=CNCF/OU=CoCo/CN=CoCo-AS" && \ - openssl x509 -req -in token-req.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out token-cert.pem -extensions req_ext +$(TOKEN_CERT): $(TOKEN_KEY) $(CA_CERT) $(CA_KEY) + openssl req -new -key "$(TOKEN_KEY)" -out "$(TOKEN_CSR)" \ + -subj "/O=CNCF/OU=CoCo/CN=CoCo-AS" && \ + openssl x509 -req -in "$(TOKEN_CSR)" -CA "$(CA_CERT)" -CAkey "$(CA_KEY)" \ + -CAcreateserial -out $(TOKEN_CERT) -extensions req_ext -token-cert-chain.pem: token-cert.pem ca-cert.pem - cat token-cert.pem ca-cert.pem > token-cert-chain.pem +$(TOKEN_CERT_CHAIN): $(TOKEN_CERT) $(CA_CERT) + cat "$(TOKEN_CERT)" "$(CA_CERT)" > "$(TOKEN_CERT_CHAIN)" .PHONY: generate-attestation-token-signer -generate-attestation-token-signer: token-cert-chain.pem +generate-attestation-token-signer: $(TOKEN_CERT_CHAIN) -kbs.key: - openssl genpkey -algorithm ed25519 > kbs.key +$(HTTPS_KEY) $(HTTPS_CERT): + openssl req -x509 -out "$(HTTPS_CERT)" -keyout "$(HTTPS_KEY)" \ + -newkey rsa:2048 -nodes -sha256 \ + -subj '/CN=kbs.coco' \ + --addext "subjectAltName=IP:127.0.0.1" \ + --addext "basicConstraints=CA:FALSE" -kbs.pem: kbs.key - 
openssl pkey -in kbs.key -pubout -out kbs.pem +$(KBS_KEY): + openssl genpkey -algorithm ed25519 > "$(KBS_KEY)" -tee.key: - openssl genrsa -traditional -out tee.key 2048 +$(KBS_PEM): $(KBS_KEY) + openssl pkey -in "$(KBS_KEY)" -pubout -out "$(KBS_PEM)" -$(KBS_REPO_PATH)/one/two/three: - mkdir -p $(KBS_REPO_PATH)/one/two && \ - openssl rand 16 > $(KBS_REPO_PATH)/one/two/three +$(TEE_KEY): + openssl genrsa -traditional -out "$(TEE_KEY)" 2048 + +$(SECRET_FILE): + mkdir -p $$(dirname "$(SECRET_FILE)") && \ + openssl rand 16 > "$(SECRET_FILE)" .PHONY: start-kbs start-kbs: kbs.PID @@ -110,18 +140,22 @@ start-kbs: kbs.PID .PHONY: start-resource-kbs start-resource-kbs: resource-kbs.PID -kbs.PID: kbs kbs.pem token-key.pem token-cert-chain.pem $(KBS_REPO_PATH)/one/two/three +kbs-keys: $(KBS_KEY) $(TOKEN_KEY) $(HTTPS_KEY) + +kbs-certs: $(KBS_PEM) $(TOKEN_CERT_CHAIN) $(HTTPS_CERT) + +kbs.PID: kbs kbs-keys kbs-certs $(SECRET_FILE) @printf "${BOLD}start kbs${SGR0}\n" { \ - $(CURDIR)/kbs --config-file $(KBS_CONFIG_PATH)/kbs.toml \ + "$(CURDIR)/kbs" --config-file "$(KBS_CONFIG_PATH)/kbs.toml" \ & echo $$! > kbs.PID; \ } && \ sleep 1 -resource-kbs.PID: resource-kbs kbs.pem ca-cert.pem $(KBS_REPO_PATH)/one/two/three +resource-kbs.PID: resource-kbs $(KBS_PEM) $(CA_CERT) $(SECRET_FILE) @printf "${BOLD}start resource-kbs${SGR0}\n" { \ - ./resource-kbs --config-file $(KBS_CONFIG_PATH)/resource-kbs.toml \ + ./resource-kbs --config-file "$(KBS_CONFIG_PATH)/resource-kbs.toml" \ & echo $$! > resource-kbs.PID; \ } && \ sleep 1 
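Review bot: The rule `$(HTTPS_KEY) $(HTTPS_CERT):` in the certificate hunk lists two targets for one recipe, which make treats as two independent rules. Under `make -j` the `openssl req -x509` recipe can therefore run once per target and leave a key and a certificate that do not belong together, which would show up as a TLS failure in the e2e test. Making the certificate the only target of the recipe and adding `$(HTTPS_KEY): $(HTTPS_CERT)` without a recipe serialises the two. The `kbs-keys` and `kbs-certs` aggregate targets added in the next hunk are not files and should be declared with `.PHONY: kbs-keys kbs-certs`.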
@@ -138,30 +172,40 @@ stop-resource-kbs: resource-kbs.PID test-bgcheck: client start-kbs ./client \ - config --auth-private-key kbs.key \ - set-resource-policy --policy-file <(echo "$$TEE_POLICY_REGO") && \ - ./client get-resource \ - --path one/two/three \ - | base64 -d > roundtrip_secret && \ - diff $(KBS_REPO_PATH)/one/two/three roundtrip_secret + --url https://127.0.0.1:8080 \ + --cert-file "$(HTTPS_CERT)" \ + config \ + --auth-private-key "$(KBS_KEY)" \ + set-resource-policy \ + --policy-file <(echo "$$TEE_POLICY_REGO") && \ + ./client \ + --url https://127.0.0.1:8080 \ + --cert-file "$(HTTPS_CERT)" \ + get-resource \ + --path "$(REPOSITORY_SECRET)" \ + | base64 -d > "$(ROUNDTRIP_FILE)" && \ + diff "$(ROUNDTRIP_FILE)" "$(SECRET_FILE)" @printf "${BOLD}background-check e2e test passed${SGR0}\n" -.PHONY: attestation_token -attestation_token: client tee.key start-kbs - ./client attest \ - --tee-key-file tee.key \ - > attestation_token +.PHONY: $(ATTESTATION_TOKEN) +$(ATTESTATION_TOKEN): client $(TEE_KEY) start-kbs + ./client \ + --url https://127.0.0.1:8080 \ + --cert-file "$(HTTPS_CERT)" \ + attest \ + --tee-key-file "$(TEE_KEY)" \ + > "$(ATTESTATION_TOKEN)" -test-passport: client attestation_token start-resource-kbs +test-passport: client $(ATTESTATION_TOKEN) start-resource-kbs ./client --url http://127.0.0.1:50002 \ - config --auth-private-key kbs.key \ + config --auth-private-key "$(KBS_KEY)" \ set-resource-policy --policy-file <(echo "$$TEE_POLICY_REGO") && \ ./client --url http://127.0.0.1:50002 get-resource \ - --attestation-token attestation_token \ - --tee-key-file tee.key \ - --path one/two/three \ - | base64 -d > roundtrip_secret && \ - diff $(KBS_REPO_PATH)/one/two/three roundtrip_secret + --attestation-token "$(ATTESTATION_TOKEN)" \ + --tee-key-file "$(TEE_KEY)" \ + --path $(REPOSITORY_SECRET) \ + | base64 -d > "$(ROUNDTRIP_FILE)" && \ + diff "$(SECRET_FILE)" "$(ROUNDTRIP_FILE)" @printf "${BOLD}passport e2e test passed${SGR0}\n" .PHONY: stop 
@@ -174,12 +218,6 @@ e2e-test: test-bgcheck test-passport stop clean: rm -rf \ kbs \ - resource-kbs \ - kbs.key \ - kbs.pem \ - tee.key \ - tee.pem \ client \ - token-signer \ - roundtrip_secret \ - $(KBS_REPO_PATH)/one/two/three + resource-kbs \ + work/* diff --git a/kbs/test/data/e2e/kbs.toml b/kbs/test/config/kbs.toml similarity index 57% rename from kbs/test/data/e2e/kbs.toml rename to kbs/test/config/kbs.toml index 4c0ec0ecdb..0f08b733f9 100644 --- a/kbs/test/data/e2e/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -1,16 +1,18 @@ sockets = ["127.0.0.1:8080"] -auth_public_key = "./kbs.pem" -insecure_http = true +auth_public_key = "./work/kbs.pem" + +private_key = "./work/https.key" +certificate = "./work/https.crt" [attestation_token_config] attestation_token_type = "CoCo" [repository_config] type = "LocalFs" -dir_path = "./data/repository" +dir_path = "./work/repository" [as_config] -work_dir = "./data/attestation-service" +work_dir = "./work/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" @@ -18,12 +20,12 @@ attestation_token_broker = "Simple" duration_min = 5 [as_config.attestation_token_config.signer] -key_path = "./token-key.pem" -cert_path = "./token-cert-chain.pem" +key_path = "./work/token.key" +cert_path = "./work/token-cert-chain.pem" [as_config.rvps_config] store_type = "LocalFs" remote_addr = "" [policy_engine_config] -policy_path = "./data/policy_1.rego" +policy_path = "./work/kbs-policy.rego" diff --git a/kbs/test/data/e2e/resource-kbs.toml b/kbs/test/config/resource-kbs.toml similarity index 53% rename from kbs/test/data/e2e/resource-kbs.toml rename to kbs/test/config/resource-kbs.toml index 792333e91a..5c14ab5195 100644 --- a/kbs/test/data/e2e/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml 
@@ -1,14 +1,14 @@ sockets = ["127.0.0.1:50002"] -auth_public_key = "./kbs.pem" +auth_public_key = "./work/kbs.pem" insecure_http = true [attestation_token_config] attestation_token_type = "CoCo" -trusted_certs_paths = ["./ca-cert.pem"] +trusted_certs_paths = ["./work/ca-cert.pem"] [repository_config] type = "LocalFs" -dir_path = "./data/repository" +dir_path = "./work/repository" [policy_engine_config] -policy_path = "./data/policy_1.rego" +policy_path = "./work/kbs-policy.rego" diff --git a/kbs/test/work/.gitkeep b/kbs/test/work/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 From 02f42aa306f45758a8d2eb95f137309738f05038 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Mon, 1 Jul 2024 14:06:07 +0200 Subject: [PATCH 023/298] KBS: Revive policy-volume with write permission Using initContainers, we can make a previously read-only mount point writable. This allows the test code using the set-policy endpoint to function correctly while optimizing the use of configmap. This commit configures the initContainers for the KBS deployment and adjusts the overlays accordingly. Signed-off-by: Hyounggyu Choi --- kbs/config/kubernetes/base/deployment.yaml | 20 ++++++++++ kbs/config/kubernetes/base/kustomization.yaml | 3 ++ kbs/config/kubernetes/base/policy.rego | 40 +++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 kbs/config/kubernetes/base/policy.rego diff --git a/kbs/config/kubernetes/base/deployment.yaml b/kbs/config/kubernetes/base/deployment.yaml index d4d9390f0e..c1a17de953 100644 --- a/kbs/config/kubernetes/base/deployment.yaml +++ b/kbs/config/kubernetes/base/deployment.yaml 
@@ -12,6 +12,19 @@ spec: labels: app: kbs spec: + initContainers: + - command: + - sh + - -c + - cp -r /config/$(dirname $(readlink /config/policy.rego))/* /opa/confidential-containers/kbs/ + image: busybox + imagePullPolicy: Always + name: copy-config + volumeMounts: + - mountPath: /config + name: config-volume + - mountPath: /opa/confidential-containers/kbs + name: policy-volume containers: - name: kbs image: kbs-container-image @@ -27,6 +40,8 @@ spec: mountPath: /kbs/ - name: kbs-config mountPath: /etc/kbs/ + - name: policy-volume + mountPath: /opa/confidential-containers/kbs/ volumes: - name: kbs-auth-public-key secret: @@ -34,3 +49,8 @@ spec: - name: kbs-config configMap: name: kbs-config + - name: policy-volume + emptyDir: {} + - name: config-volume + configMap: + name: policy-config diff --git a/kbs/config/kubernetes/base/kustomization.yaml b/kbs/config/kubernetes/base/kustomization.yaml index cc2890df46..999aec1d89 100644 --- a/kbs/config/kubernetes/base/kustomization.yaml +++ b/kbs/config/kubernetes/base/kustomization.yaml @@ -17,6 +17,9 @@ configMapGenerator: - files: - kbs-config.toml name: kbs-config +- files: + - policy.rego + name: policy-config # KBS auth public key. secretGenerator: diff --git a/kbs/config/kubernetes/base/policy.rego b/kbs/config/kubernetes/base/policy.rego new file mode 100644 index 0000000000..d9f9eb5328 --- /dev/null +++ b/kbs/config/kubernetes/base/policy.rego 
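Review bot: The new `copy-config` init container in the first deployment.yaml hunk uses `image: busybox` with no tag or digest together with `imagePullPolicy: Always`, so each pod start runs whatever the registry currently serves under the default tag, inside the KBS pod. Pinning it, e.g. `image: busybox@sha256:<digest>` (placeholder), would match how the pipeline bundles elsewhere in this series are referenced. The container also has no `securityContext`; as it only copies files into the emptyDir, `allowPrivilegeEscalation: false` with dropped capabilities is probably sufficient, to be checked against the volume's file ownership. Because `policy-volume` is an `emptyDir`, a policy written through the set-policy endpoint is replaced by the ConfigMap copy on every pod restart, and a comment in the manifest should say so. The pod spec continues outside the hunk.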
@@ -0,0 +1,40 @@
+# Resource Policy
+# ---------------
+#
+# The resource policy of KBS is to make a strategic decision on
+# whether the requester has access to resources based on the
+# input Attestation Claims (including tee-pubkey, tcb-status, and other information)
+# and KBS Resource Path.
+#
+# The format of the resource path data is:
+# ```
+# {
+# "resource-path":
+# }
+# ```
+#
+# The variable is a KBS resource path,
+# which is required to be a string in three segment path format://,
+# for example: "my'repo/License/key".
+#
+# The format of Attestation Claims Input is defined by the attestation service,
+# and its format may look like the following:
+# ```
+# {
+# "tee-pubkey": "",
+# "tcb-status": {
+# "productId": “”,
+# "svn": “”,
+# ……
+# }
+# ……
+# }
+# ```
+
+package policy
+
+default allow = false
+
+allow {
+ input["tee"] != "sample"
+}
From 83bc7a11d6faaae31b36d3e5fd259a824dc761a6 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Mon, 1 Jul 2024 14:20:16 +0200 Subject: [PATCH 024/298] KBS: Enable deployment for s390x The following changes enable KBS deployment with a different configuration for s390x: - Environment variable declaration: SE_SKIP_CERTS_VERIFICATION - Persist volume/volume claim: required attestation credentials This commit differentiates the {overlays, nodeport} configuration for KBS deployment between x86_64 and s390x. It also includes updates to `deploy-kbs.sh`.
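Review bot: The `allow` rule at the end of the new policy.rego only tests `input["tee"] != "sample"` and never reads the resource path that the header comment describes. As written, any requester whose claims carry a non-sample `tee` value is allowed every resource in the repository. If that is the intended default for the base deployment, a comment directly above the rule should say so, for example `# Default: release any resource to any TEE other than the sample attester; restrict by resource path before production use.`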
Signed-off-by: Hyounggyu Choi --- kbs/config/kubernetes/deploy-kbs.sh | 21 ++++++++++++++++--- .../nodeport/{ => s390x}/kustomization.yaml | 2 +- .../nodeport/{ => s390x}/patch.yaml | 0 .../nodeport/x86_64/kustomization.yaml | 13 ++++++++++++ .../kubernetes/nodeport/x86_64/patch.yaml | 3 +++ .../overlays/{ => common}/ingress.yaml | 0 .../overlays/common/kustomization.yaml | 6 ++++++ .../overlays/s390x/kustomization.yaml | 20 ++++++++++++++++++ .../kubernetes/overlays/s390x/patch.yaml | 19 +++++++++++++++++ kbs/config/kubernetes/overlays/s390x/pv.yaml | 20 ++++++++++++++++++ kbs/config/kubernetes/overlays/s390x/pvc.yaml | 12 +++++++++++ .../overlays/{ => x86_64}/kustomization.yaml | 2 +- .../overlays/{ => x86_64}/patch.yaml | 0 13 files changed, 113 insertions(+), 5 deletions(-) rename kbs/config/kubernetes/nodeport/{ => s390x}/kustomization.yaml (88%) rename kbs/config/kubernetes/nodeport/{ => s390x}/patch.yaml (100%) create mode 100644 kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml create mode 100644 kbs/config/kubernetes/nodeport/x86_64/patch.yaml rename kbs/config/kubernetes/overlays/{ => common}/ingress.yaml (100%) create mode 100644 kbs/config/kubernetes/overlays/common/kustomization.yaml create mode 100644 kbs/config/kubernetes/overlays/s390x/kustomization.yaml create mode 100644 kbs/config/kubernetes/overlays/s390x/patch.yaml create mode 100644 kbs/config/kubernetes/overlays/s390x/pv.yaml create mode 100644 kbs/config/kubernetes/overlays/s390x/pvc.yaml rename kbs/config/kubernetes/overlays/{ => x86_64}/kustomization.yaml (96%) rename kbs/config/kubernetes/overlays/{ => x86_64}/patch.yaml (100%) diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh index a3e9c3a318..c19b51d0d7 100755 --- a/kbs/config/kubernetes/deploy-kbs.sh +++ b/kbs/config/kubernetes/deploy-kbs.sh 
@@ -6,11 +6,12 @@ set -euo pipefail DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}" k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})" +ARCH=$(uname -m) # Fail the script if the key.bin file does not exist. -key_file="${k8s_cnf_dir}/overlays/key.bin" +key_file="${k8s_cnf_dir}/overlays/${ARCH}/key.bin" [[ -f "${key_file}" ]] || { - echo "key.bin file does not exist" + echo "key.bin not found at ${k8s_cnf_dir}/overlays/${ARCH}/" exit 1 } @@ -21,4 +22,18 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem" openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}" } -kubectl apply -k "./${k8s_cnf_dir}/${DEPLOYMENT_DIR}" +if [ "${ARCH}" == "s390x" ]; then + if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then + export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') + envsubst <"${k8s_cnf_dir}/overlays/s390x/pv.yaml" | kubectl apply -f - + else + echo "IBM_SE_CREDS_DIR is empty" >&2 + exit 1 + fi +fi + +if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then + kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}/${ARCH}" +else + kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}" +fi diff --git a/kbs/config/kubernetes/nodeport/kustomization.yaml b/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml similarity index 88% rename from kbs/config/kubernetes/nodeport/kustomization.yaml rename to kbs/config/kubernetes/nodeport/s390x/kustomization.yaml index 38bcc74a19..28a4fedb59 100644 --- a/kbs/config/kubernetes/nodeport/kustomization.yaml +++ b/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../overlays +- ../../overlays/s390x patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/nodeport/patch.yaml b/kbs/config/kubernetes/nodeport/s390x/patch.yaml similarity index 100% rename from kbs/config/kubernetes/nodeport/patch.yaml rename to kbs/config/kubernetes/nodeport/s390x/patch.yaml 
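Review bot: In the second deploy-kbs.sh hunk, `export NODE_NAME=$(kubectl get nodes ...)` hides a kubectl failure from `set -e`, because the status of that line is the status of `export`; an empty `NODE_NAME` would then be substituted into the PersistentVolume's node affinity. Assign first and export afterwards: `NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')` followed by `export NODE_NAME`. `envsubst` called without an argument also expands every `$VAR` found in pv.yaml from the caller's environment; `envsubst '${IBM_SE_CREDS_DIR} ${NODE_NAME}'` limits it to the two intended variables. The first hunk uses `ARCH=$(uname -m)` as a directory name, so a host that is neither x86_64 nor s390x (the only overlay directories this commit creates) stops at the key.bin check with a message that does not name the unsupported architecture.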
diff --git a/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml b/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml
new file mode 100644
index 0000000000..3f844547fe
--- /dev/null
+++ b/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../../overlays/x86_64
+
+patches:
+- path: patch.yaml
+ target:
+ group: ""
+ kind: Service
+ name: kbs
diff --git a/kbs/config/kubernetes/nodeport/x86_64/patch.yaml b/kbs/config/kubernetes/nodeport/x86_64/patch.yaml
new file mode 100644
index 0000000000..aed089ccc4
--- /dev/null
+++ b/kbs/config/kubernetes/nodeport/x86_64/patch.yaml
@@ -0,0 +1,3 @@
+- op: add
+ path: /spec/type
+ value: NodePort
diff --git a/kbs/config/kubernetes/overlays/ingress.yaml b/kbs/config/kubernetes/overlays/common/ingress.yaml
similarity index 100%
rename from kbs/config/kubernetes/overlays/ingress.yaml
rename to kbs/config/kubernetes/overlays/common/ingress.yaml
diff --git a/kbs/config/kubernetes/overlays/common/kustomization.yaml b/kbs/config/kubernetes/overlays/common/kustomization.yaml
new file mode 100644
index 0000000000..84ababaf4a
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/common/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../../base
diff --git a/kbs/config/kubernetes/overlays/s390x/kustomization.yaml b/kbs/config/kubernetes/overlays/s390x/kustomization.yaml
new file mode 100644
index 0000000000..24a3a1d92a
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../common
+- pvc.yaml
+
+patches:
+- path: patch.yaml
+ target:
+ kind: Deployment
+ name: kbs
+
+# Store keys that KBS will release to workloads after attestation:
+# kbs:///reponame/workload_key/key.bin
+secretGenerator:
+- files:
+ - key.bin
+ name: keys
diff --git a/kbs/config/kubernetes/overlays/s390x/patch.yaml b/kbs/config/kubernetes/overlays/s390x/patch.yaml
new file mode 100644
index 0000000000..937acca200
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/patch.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kbs
+spec:
+ template:
+ spec:
+ containers:
+ - name: kbs
+ env:
+ - name: SE_SKIP_CERTS_VERIFICATION
+ value: "false"
+ volumeMounts:
+ - name: test-local-volume
+ mountPath: /run/confidential-containers/ibmse/
+ volumes:
+ - name: test-local-volume
+ persistentVolumeClaim:
+ claimName: test-local-pvc
diff --git a/kbs/config/kubernetes/overlays/s390x/pv.yaml b/kbs/config/kubernetes/overlays/s390x/pv.yaml
new file mode 100644
index 0000000000..266f75c193
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/pv.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: test-local-pv
+spec:
+ capacity:
+ storage: 1Gi
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-storage
+ local:
+ path: ${IBM_SE_CREDS_DIR}
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - ${NODE_NAME}
diff --git a/kbs/config/kubernetes/overlays/s390x/pvc.yaml b/kbs/config/kubernetes/overlays/s390x/pvc.yaml
new file mode 100644
index 0000000000..18f86b16ae
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/pvc.yaml
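Review bot: The `test-local-volume` mount at `/run/confidential-containers/ibmse/` in overlays/s390x/patch.yaml is writable by the kbs container. Its backing volume, declared in pv.yaml, is the node directory `${IBM_SE_CREDS_DIR}`, which the commit message describes as holding the required attestation credentials. Presumably the KBS only reads these files, so adding `readOnly: true` under that volumeMount entry would keep a misbehaving or compromised container from changing the certificates, CRLs or keys on the node. If the verifier does need to write there, a comment naming what it writes would help reviewers.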
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: test-local-pvc + namespace: coco-tenant +spec: + accessModes: + - ReadWriteOnce + storageClassName: local-storage + resources: + requests: + storage: 1Gi diff --git a/kbs/config/kubernetes/overlays/kustomization.yaml b/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml similarity index 96% rename from kbs/config/kubernetes/overlays/kustomization.yaml rename to kbs/config/kubernetes/overlays/x86_64/kustomization.yaml index 87e40e92c6..9b162df589 100644 --- a/kbs/config/kubernetes/overlays/kustomization.yaml +++ b/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../base +- ../common patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/overlays/patch.yaml b/kbs/config/kubernetes/overlays/x86_64/patch.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/patch.yaml rename to kbs/config/kubernetes/overlays/x86_64/patch.yaml From 788eeae582279018cee19d0fa3aeaa8ef90eeb75 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Mon, 1 Jul 2024 14:51:15 +0200 Subject: [PATCH 025/298] DOC: Update kbs/config/kubernetes/README.md This commit updates the documentation to include instructions for KBS deployment on s390x. Signed-off-by: Hyounggyu Choi --- kbs/config/kubernetes/README.md | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/kbs/config/kubernetes/README.md b/kbs/config/kubernetes/README.md index e4e1b4efaa..7a893f523d 100644 --- a/kbs/config/kubernetes/README.md +++ b/kbs/config/kubernetes/README.md 
@@ -9,7 +9,7 @@ We will see how to deploy KBS (with builtin Attestation Service) on a Kubernetes Create a secret that you want to be served using this instance of KBS: ```bash -echo "This is my super secert" > overlays/key.bin +echo "This is my super secret" > overlays/$(uname -m)/key.bin ``` If you have more than one secret, copy them over to the `config/kubernetes/overlays` directory and add those to the `overlays/kustomization.yaml` file after as shown below: @@ -91,6 +91,29 @@ Deploy KBS by running the following command: ./deploy-kbs.sh ``` +For IBM Secure Execution (s390x), an environment variable `IBM_SE_CREDS_DIR` should be exported as follows: + +``` +$ export IBM_SE_CREDS_DIR=/path/to/your/directory +$ tree $IBM_SE_CREDS_DIR +/path/to/your/directory +├── certs +│   ├── DigiCertCA.crt +│   └── ibm-z-host-key-signing-gen2.crt +├── crls +│   └── ibm-z-host-key-gen2.crl +├── hdr +│   └── hdr.bin +├── hkds +│   └── HKD-3931-0275D38.crt +└── rsa + ├── encrypt_key.pem + └── encrypt_key.pub +5 directories, 7 files +``` + +Please check out the [documentation](https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se) for details. + ## Check deployment Run the following command to check if the KBS is deployed successfully: @@ -114,3 +137,9 @@ $ kubectl -n coco-tenant get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kbs ClusterIP 10.0.210.190 8080/TCP 4s ``` + +## Delete KBS + +``` +$ kubectl delete -k ${DEPLOYMENT_DIR}/$(uname -m) +``` From 1db103edcebd4ec3885f7c41221204790c750359 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 24 Jun 2024 15:54:12 +0800 Subject: [PATCH 026/298] KBS: refactor code structure This commit will tidy the code under kbs directory. It deletes api-server crate, and move all logic of api-server to KBS crate, also mark kbs as a binary of the crate. This commit also makes some common dependencies of sub-crates to use the same version of workspace. 
Signed-off-by: Xynnn007 --- .github/workflows/kbs-docker-e2e.yaml | 2 +- Cargo.lock | 206 +++++---------- Cargo.toml | 20 +- README.md | 4 +- attestation-service/.gitignore | 4 - .../{attestation-service => }/Cargo.toml | 4 +- attestation-service/Dockerfile.as-grpc | 2 +- attestation-service/Dockerfile.as-restful | 2 +- attestation-service/README.md | 24 +- .../{attestation-service => }/build.rs | 0 attestation-service/docs/grpc-as.md | 2 +- attestation-service/docs/policy.md | 4 +- .../src/bin/grpc-as.rs | 0 .../src/bin/grpc/mod.rs | 0 .../src/bin/restful-as.rs | 0 .../src/bin/restful/mod.rs | 0 .../{attestation-service => }/src/config.rs | 0 .../{attestation-service => }/src/lib.rs | 0 .../src/policy_engine/mod.rs | 0 .../src/policy_engine/opa/default_policy.rego | 0 .../src/policy_engine/opa/mod.rs | 2 +- .../src/rvps/builtin.rs | 0 .../src/rvps/grpc.rs | 0 .../{attestation-service => }/src/rvps/mod.rs | 0 .../src/token/mod.rs | 0 .../src/token/simple.rs | 0 .../{attestation-service => }/src/utils.rs | 0 attestation-service/tests/e2e/Makefile | 2 +- deps/verifier/.gitignore | 2 + .../verifier/Cargo.toml | 0 .../verifier/src/az_snp_vtpm/mod.rs | 0 .../verifier/src/az_tdx_vtpm/mod.rs | 0 .../verifier/src/cca/mod.rs | 0 .../verifier/src/csv/hrk.cert | Bin .../verifier/src/csv/mod.rs | 0 .../verifier/src/lib.rs | 0 .../verifier/src/sample/mod.rs | 0 deps/verifier/src/se/README.md | 241 ++++++++++++++++++ .../verifier/src/se/ibmse.rs | 0 .../verifier/src/se/mod.rs | 0 deps/verifier/src/se/se_parse_hdr.py | 162 ++++++++++++ .../verifier/src/sgx/claims.rs | 0 .../verifier/src/sgx/mod.rs | 0 .../verifier/src/sgx/types.rs | 0 .../verifier/src/snp/milan_ask_ark_asvk.pem | 0 .../verifier/src/snp/mod.rs | 0 .../verifier/src/tdx/claims.rs | 0 .../verifier/src/tdx/eventlog.rs | 0 .../verifier/src/tdx/mod.rs | 0 .../verifier/src/tdx/quote.rs | 0 .../verifier/test_data/CCEL_data | Bin .../test_data/az-snp-vtpm/hcl-report.bin | Bin .../verifier/test_data/az-snp-vtpm/quote.bin | 
Bin .../test_data/az-snp-vtpm/tpm-quote.msg | Bin .../test_data/az-snp-vtpm/tpm-quote.sig | Bin .../verifier/test_data/az-snp-vtpm/vcek.pem | 0 .../test_data/az-tdx-vtpm/hcl-report.bin | Bin .../verifier/test_data/az-tdx-vtpm/quote.bin | Bin .../test_data/az-tdx-vtpm/td-quote.bin | Bin .../verifier/test_data/cca-claims.json | 0 .../verifier/test_data/occlum_quote.dat | Bin .../verifier/test_data/snp/test-report.bin | Bin .../snp/test-vcek-invalid-legacy.der | Bin .../test_data/snp/test-vcek-invalid-new.der | Bin .../verifier/test_data/snp/test-vcek.der | Bin .../test_data/snp/test-vlek-report.bin | Bin .../verifier/test_data/snp/test-vlek.der | Bin .../verifier/test_data/tdx_quote_4.dat | Bin .../verifier/test_data/tdx_quote_5.dat | Bin docker-compose.yml | 2 +- kbs/{src/api => }/Cargo.toml | 46 +++- kbs/Makefile | 6 +- kbs/README.md | 4 +- kbs/{src/api => }/build.rs | 3 +- kbs/docker/Dockerfile | 2 +- kbs/docker/Dockerfile.coco-as-grpc | 2 +- kbs/docker/Dockerfile.intel-trust-authority | 2 +- kbs/docker/Dockerfile.rhel-ubi | 2 +- kbs/docs/cluster.md | 2 +- kbs/docs/config.md | 2 +- kbs/quickstart.md | 2 +- .../{api/src => }/attestation/coco/builtin.rs | 0 .../{api/src => }/attestation/coco/grpc.rs | 0 kbs/src/{api/src => }/attestation/coco/mod.rs | 0 .../attestation/intel_trust_authority/mod.rs | 0 kbs/src/{api/src => }/attestation/mod.rs | 0 kbs/src/{api/src => }/auth.rs | 0 kbs/src/{kbs/src/main.rs => bin/kbs.rs} | 6 +- kbs/src/{api/src => }/config.rs | 0 kbs/src/{api/src => }/http/attest.rs | 0 kbs/src/{api/src => }/http/config.rs | 0 kbs/src/{api/src => }/http/error.rs | 2 +- kbs/src/{api/src => }/http/mod.rs | 1 - kbs/src/{api/src => }/http/resource.rs | 0 kbs/src/kbs/Cargo.toml | 28 -- kbs/src/{api/src => }/lib.rs | 0 kbs/src/{api/src => }/policy_engine/mod.rs | 0 .../policy_engine/opa/default_policy.rego | 0 .../{api/src => }/policy_engine/opa/mod.rs | 86 ++----- kbs/src/{api/src => }/resource/local_fs.rs | 0 kbs/src/{api/src => }/resource/mod.rs | 2 +- 
kbs/src/{api/src => }/session.rs | 0 kbs/src/{api/src => }/token/coco.rs | 3 +- kbs/src/{api/src => }/token/mod.rs | 2 +- .../protos => protos}/attestation.proto | 0 .../protos => protos}/reference.proto | 0 {attestation-service/rvps => rvps}/Cargo.toml | 0 {attestation-service/rvps => rvps}/Dockerfile | 4 +- {attestation-service/rvps => rvps}/Makefile | 0 {attestation-service/rvps => rvps}/README.md | 4 +- {attestation-service/rvps => rvps}/build.rs | 0 {attestation-service/rvps => rvps}/cgo/go.mod | 0 {attestation-service/rvps => rvps}/cgo/go.sum | 0 .../rvps => rvps}/cgo/intoto.go | 0 .../rvps => rvps}/diagrams/rvps-grpc.svg | 0 .../rvps => rvps}/diagrams/rvps-native.svg | 0 .../rvps => rvps}/diagrams/rvps.svg | 0 .../rvps => rvps}/src/bin/rvps-tool.rs | 0 .../rvps => rvps}/src/bin/rvps.rs | 0 .../rvps => rvps}/src/bin/server/config.rs | 0 .../rvps => rvps}/src/bin/server/mod.rs | 0 .../rvps => rvps}/src/config.rs | 0 .../extractor_modules/in_toto/README.md | 0 .../extractor_modules/in_toto/mod.rs | 0 .../extractor_modules/in_toto/shim/README.md | 0 .../extractor_modules/in_toto/shim/mod.rs | 0 .../src/extractors/extractor_modules/mod.rs | 0 .../extractor_modules/sample/README.md | 0 .../extractor_modules/sample/mod.rs | 0 .../rvps => rvps}/src/extractors/mod.rs | 0 {attestation-service/rvps => rvps}/src/lib.rs | 0 .../rvps => rvps}/src/native.rs | 0 .../rvps => rvps}/src/pre_processor/mod.rs | 0 .../rvps => rvps}/src/reference_value.rs | 0 .../src/store/local_fs/README.md | 0 .../rvps => rvps}/src/store/local_fs/mod.rs | 0 .../rvps => rvps}/src/store/local_json/mod.rs | 0 .../rvps => rvps}/src/store/mod.rs | 0 .../client => tools/kbs-client}/Cargo.toml | 6 +- .../client => tools/kbs-client}/README.md | 0 {kbs/tools => tools/kbs-client}/attest.json | 0 {kbs/tools => tools/kbs-client}/attest.sh | 0 {kbs/tools => tools/kbs-client}/auth.json | 0 {kbs/tools => tools/kbs-client}/auth.sh | 0 .../client => tools/kbs-client}/src/lib.rs | 0 .../client => 
tools/kbs-client}/src/main.rs | 0 146 files changed, 574 insertions(+), 328 deletions(-) rename attestation-service/{attestation-service => }/Cargo.toml (92%) rename attestation-service/{attestation-service => }/build.rs (100%) rename attestation-service/{attestation-service => }/src/bin/grpc-as.rs (100%) rename attestation-service/{attestation-service => }/src/bin/grpc/mod.rs (100%) rename attestation-service/{attestation-service => }/src/bin/restful-as.rs (100%) rename attestation-service/{attestation-service => }/src/bin/restful/mod.rs (100%) rename attestation-service/{attestation-service => }/src/config.rs (100%) rename attestation-service/{attestation-service => }/src/lib.rs (100%) rename attestation-service/{attestation-service => }/src/policy_engine/mod.rs (100%) rename attestation-service/{attestation-service => }/src/policy_engine/opa/default_policy.rego (100%) rename attestation-service/{attestation-service => }/src/policy_engine/opa/mod.rs (99%) rename attestation-service/{attestation-service => }/src/rvps/builtin.rs (100%) rename attestation-service/{attestation-service => }/src/rvps/grpc.rs (100%) rename attestation-service/{attestation-service => }/src/rvps/mod.rs (100%) rename attestation-service/{attestation-service => }/src/token/mod.rs (100%) rename attestation-service/{attestation-service => }/src/token/simple.rs (100%) rename attestation-service/{attestation-service => }/src/utils.rs (100%) create mode 100644 deps/verifier/.gitignore rename {attestation-service => deps}/verifier/Cargo.toml (100%) rename {attestation-service => deps}/verifier/src/az_snp_vtpm/mod.rs (100%) rename {attestation-service => deps}/verifier/src/az_tdx_vtpm/mod.rs (100%) rename {attestation-service => deps}/verifier/src/cca/mod.rs (100%) rename {attestation-service => deps}/verifier/src/csv/hrk.cert (100%) rename {attestation-service => deps}/verifier/src/csv/mod.rs (100%) rename {attestation-service => deps}/verifier/src/lib.rs (100%) rename {attestation-service => 
deps}/verifier/src/sample/mod.rs (100%) create mode 100644 deps/verifier/src/se/README.md rename {attestation-service => deps}/verifier/src/se/ibmse.rs (100%) rename {attestation-service => deps}/verifier/src/se/mod.rs (100%) create mode 100644 deps/verifier/src/se/se_parse_hdr.py rename {attestation-service => deps}/verifier/src/sgx/claims.rs (100%) rename {attestation-service => deps}/verifier/src/sgx/mod.rs (100%) rename {attestation-service => deps}/verifier/src/sgx/types.rs (100%) rename {attestation-service => deps}/verifier/src/snp/milan_ask_ark_asvk.pem (100%) rename {attestation-service => deps}/verifier/src/snp/mod.rs (100%) rename {attestation-service => deps}/verifier/src/tdx/claims.rs (100%) rename {attestation-service => deps}/verifier/src/tdx/eventlog.rs (100%) rename {attestation-service => deps}/verifier/src/tdx/mod.rs (100%) rename {attestation-service => deps}/verifier/src/tdx/quote.rs (100%) rename {attestation-service => deps}/verifier/test_data/CCEL_data (100%) rename {attestation-service => deps}/verifier/test_data/az-snp-vtpm/hcl-report.bin (100%) rename {attestation-service => deps}/verifier/test_data/az-snp-vtpm/quote.bin (100%) rename {attestation-service => deps}/verifier/test_data/az-snp-vtpm/tpm-quote.msg (100%) rename {attestation-service => deps}/verifier/test_data/az-snp-vtpm/tpm-quote.sig (100%) rename {attestation-service => deps}/verifier/test_data/az-snp-vtpm/vcek.pem (100%) rename {attestation-service => deps}/verifier/test_data/az-tdx-vtpm/hcl-report.bin (100%) rename {attestation-service => deps}/verifier/test_data/az-tdx-vtpm/quote.bin (100%) rename {attestation-service => deps}/verifier/test_data/az-tdx-vtpm/td-quote.bin (100%) rename {attestation-service => deps}/verifier/test_data/cca-claims.json (100%) rename {attestation-service => deps}/verifier/test_data/occlum_quote.dat (100%) rename {attestation-service => deps}/verifier/test_data/snp/test-report.bin (100%) rename {attestation-service => 
deps}/verifier/test_data/snp/test-vcek-invalid-legacy.der (100%) rename {attestation-service => deps}/verifier/test_data/snp/test-vcek-invalid-new.der (100%) rename {attestation-service => deps}/verifier/test_data/snp/test-vcek.der (100%) rename {attestation-service => deps}/verifier/test_data/snp/test-vlek-report.bin (100%) rename {attestation-service => deps}/verifier/test_data/snp/test-vlek.der (100%) rename {attestation-service => deps}/verifier/test_data/tdx_quote_4.dat (100%) rename {attestation-service => deps}/verifier/test_data/tdx_quote_5.dat (100%) rename kbs/{src/api => }/Cargo.toml (63%) rename kbs/{src/api => }/build.rs (65%) rename kbs/src/{api/src => }/attestation/coco/builtin.rs (100%) rename kbs/src/{api/src => }/attestation/coco/grpc.rs (100%) rename kbs/src/{api/src => }/attestation/coco/mod.rs (100%) rename kbs/src/{api/src => }/attestation/intel_trust_authority/mod.rs (100%) rename kbs/src/{api/src => }/attestation/mod.rs (100%) rename kbs/src/{api/src => }/auth.rs (100%) rename kbs/src/{kbs/src/main.rs => bin/kbs.rs} (97%) rename kbs/src/{api/src => }/config.rs (100%) rename kbs/src/{api/src => }/http/attest.rs (100%) rename kbs/src/{api/src => }/http/config.rs (100%) rename kbs/src/{api/src => }/http/error.rs (99%) rename kbs/src/{api/src => }/http/mod.rs (97%) rename kbs/src/{api/src => }/http/resource.rs (100%) delete mode 100644 kbs/src/kbs/Cargo.toml rename kbs/src/{api/src => }/lib.rs (100%) rename kbs/src/{api/src => }/policy_engine/mod.rs (100%) rename kbs/src/{api/src => }/policy_engine/opa/default_policy.rego (100%) rename kbs/src/{api/src => }/policy_engine/opa/mod.rs (77%) rename kbs/src/{api/src => }/resource/local_fs.rs (100%) rename kbs/src/{api/src => }/resource/mod.rs (98%) rename kbs/src/{api/src => }/session.rs (100%) rename kbs/src/{api/src => }/token/coco.rs (98%) rename kbs/src/{api/src => }/token/mod.rs (98%) rename {attestation-service/protos => protos}/attestation.proto (100%) rename {attestation-service/protos => 
protos}/reference.proto (100%) rename {attestation-service/rvps => rvps}/Cargo.toml (100%) rename {attestation-service/rvps => rvps}/Dockerfile (82%) rename {attestation-service/rvps => rvps}/Makefile (100%) rename {attestation-service/rvps => rvps}/README.md (97%) rename {attestation-service/rvps => rvps}/build.rs (100%) rename {attestation-service/rvps => rvps}/cgo/go.mod (100%) rename {attestation-service/rvps => rvps}/cgo/go.sum (100%) rename {attestation-service/rvps => rvps}/cgo/intoto.go (100%) rename {attestation-service/rvps => rvps}/diagrams/rvps-grpc.svg (100%) rename {attestation-service/rvps => rvps}/diagrams/rvps-native.svg (100%) rename {attestation-service/rvps => rvps}/diagrams/rvps.svg (100%) rename {attestation-service/rvps => rvps}/src/bin/rvps-tool.rs (100%) rename {attestation-service/rvps => rvps}/src/bin/rvps.rs (100%) rename {attestation-service/rvps => rvps}/src/bin/server/config.rs (100%) rename {attestation-service/rvps => rvps}/src/bin/server/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/config.rs (100%) rename {attestation-service/rvps => rvps}/src/extractors/extractor_modules/in_toto/README.md (100%) rename {attestation-service/rvps => rvps}/src/extractors/extractor_modules/in_toto/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/extractors/extractor_modules/in_toto/shim/README.md (100%) rename {attestation-service/rvps => rvps}/src/extractors/extractor_modules/in_toto/shim/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/extractors/extractor_modules/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/extractors/extractor_modules/sample/README.md (100%) rename {attestation-service/rvps => rvps}/src/extractors/extractor_modules/sample/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/extractors/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/lib.rs (100%) rename {attestation-service/rvps => rvps}/src/native.rs (100%) rename {attestation-service/rvps => 
rvps}/src/pre_processor/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/reference_value.rs (100%) rename {attestation-service/rvps => rvps}/src/store/local_fs/README.md (100%) rename {attestation-service/rvps => rvps}/src/store/local_fs/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/store/local_json/mod.rs (100%) rename {attestation-service/rvps => rvps}/src/store/mod.rs (100%) rename {kbs/tools/client => tools/kbs-client}/Cargo.toml (89%) rename {kbs/tools/client => tools/kbs-client}/README.md (100%) rename {kbs/tools => tools/kbs-client}/attest.json (100%) rename {kbs/tools => tools/kbs-client}/attest.sh (100%) rename {kbs/tools => tools/kbs-client}/auth.json (100%) rename {kbs/tools => tools/kbs-client}/auth.sh (100%) rename {kbs/tools/client => tools/kbs-client}/src/lib.rs (100%) rename {kbs/tools/client => tools/kbs-client}/src/main.rs (100%) diff --git a/.github/workflows/kbs-docker-e2e.yaml b/.github/workflows/kbs-docker-e2e.yaml index 6dc5aa98e9..acafd71294 100644 --- a/.github/workflows/kbs-docker-e2e.yaml +++ b/.github/workflows/kbs-docker-e2e.yaml @@ -28,7 +28,7 @@ jobs: uses: actions-rs/cargo@v1 with: command: build - args: --manifest-path kbs/tools/client/Cargo.toml --no-default-features --features sample_only --release + args: --manifest-path kbs/client/Cargo.toml --no-default-features --features sample_only --release - name: Setup Keys run: | diff --git a/Cargo.lock b/Cargo.lock index b780e8d7c7..62d3562599 100644 --- a/Cargo.lock +++ b/Cargo.lock 
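Review bot: The new `--manifest-path kbs/client/Cargo.toml` in kbs-docker-e2e.yaml does not match this commit's own rename list, which moves the client crate from `kbs/tools/client` to `tools/kbs-client`. As far as the visible renames and the new workspace `members` list show, no `kbs/client/Cargo.toml` exists after the commit, so this build step would fail to find the manifest. The line should presumably read `args: --manifest-path tools/kbs-client/Cargo.toml --no-default-features --features sample_only --release`. The job definition continues outside the hunk.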
@@ -396,51 +396,6 @@ version = "1.0.82" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f538837af36e6f6a9be0faa67f9a314f8119e4e4b5867c6ab40ed60360142519" -[[package]] -name = "api-server" -version = "0.1.0" -dependencies = [ - "actix-web", - "actix-web-httpauth", - "aes-gcm", - "anyhow", - "async-trait", - "attestation-service", - "base64 0.21.7", - "cfg-if", - "clap 4.5.4", - "config", - "env_logger 0.10.2", - "jsonwebtoken", - "jwt-simple 0.11.9", - "kbs-types", - "lazy_static", - "log", - "mobc", - "openssl", - "prost", - "rand", - "regorus", - "reqwest 0.12.4", - "rsa 0.9.6", - "rstest", - "rustls 0.20.9", - "rustls-pemfile 1.0.4", - "scc", - "semver", - "serde", - "serde_json", - "strum", - "strum_macros 0.24.3", - "tempfile", - "thiserror", - "time", - "tokio", - "tonic 0.9.2", - "tonic-build", - "uuid", -] - [[package]] name = "arrayref" version = "0.3.7" @@ -576,7 +531,7 @@ dependencies = [ "thiserror", "time", "tokio", - "tonic 0.8.3", + "tonic", "tonic-build", "uuid", "verifier", @@ -828,7 +783,7 @@ dependencies = [ "lazycell", "log", "peeking_take_while", - "prettyplease 0.2.20", + "prettyplease", "proc-macro2", "quote", "regex", @@ -2520,15 +2475,6 @@ version = "1.70.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800" -[[package]] -name = "itertools" -version = "0.10.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" -dependencies = [ - "either", -] - [[package]] name = "itertools" version = "0.12.1" 
@@ -2675,13 +2621,44 @@ dependencies = [ name = "kbs" version = "0.1.0" dependencies = [ + "actix-web", + "actix-web-httpauth", + "aes-gcm", "anyhow", - "api-server", + "async-trait", + "attestation-service", + "base64 0.21.7", "cfg-if", "clap 4.5.4", + "config", "env_logger 0.10.2", + "jsonwebtoken", + "jwt-simple 0.11.9", + "kbs-types", + "lazy_static", "log", + "mobc", + "openssl", + "prost", + "rand", + "regorus", + "reqwest 0.12.4", + "rsa 0.9.6", + "rstest", + "rustls 0.20.9", + "rustls-pemfile 1.0.4", + "scc", + "semver", + "serde", + "serde_json", + "strum", + "tempfile", + "thiserror", + "time", "tokio", + "tonic", + "tonic-build", + "uuid", ] [[package]] @@ -3680,16 +3657,6 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" -[[package]] -name = "prettyplease" -version = "0.1.25" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c8646e95016a7a6c4adea95bafa8a16baab64b583356217f2c85db4a39d9a86" -dependencies = [ - "proc-macro2", - "syn 1.0.109", -] - [[package]] name = "prettyplease" version = "0.2.20" @@ -3744,9 +3711,9 @@ dependencies = [ [[package]] name = "prost" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b82eaa1d779e9a4bc1c3217db8ffbeabaae1dca241bf70183242128d48681cd" +checksum = "deb1435c188b76130da55f17a466d252ff7b1418b2ad3e037d127b94e3411f29" dependencies = [ "bytes", "prost-derive", 
@@ -3754,44 +3721,43 @@ dependencies = [ [[package]] name = "prost-build" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "119533552c9a7ffacc21e099c24a0ac8bb19c2a2a3f363de84cd9b844feab270" +checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4" dependencies = [ "bytes", - "heck 0.4.1", - "itertools 0.10.5", - "lazy_static", + "heck 0.5.0", + "itertools", "log", "multimap", + "once_cell", "petgraph", - "prettyplease 0.1.25", + "prettyplease", "prost", "prost-types", "regex", - "syn 1.0.109", + "syn 2.0.60", "tempfile", - "which", ] [[package]] name = "prost-derive" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5d2d8d10f3c6ded6da8b05b5fb3b8a5082514344d56c9f871412d29b4e075b4" +checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" dependencies = [ "anyhow", - "itertools 0.10.5", + "itertools", "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.60", ] [[package]] name = "prost-types" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "213622a1460818959ac1181aaeb2dc9c7f63df720db7d788b3e24eacd1983e13" +checksum = "9091c90b0a32608e984ff2fa4091273cbdd755d54935c51d520887f4a1dbd5b0" dependencies = [ "prost", ] @@ -3906,7 +3872,7 @@ dependencies = [ "strum", "tempfile", "tokio", - "tonic 0.8.3", + "tonic", "tonic-build", "walkdir", ] @@ -3950,7 +3916,7 @@ dependencies = [ "chrono", "chrono-tz", "data-encoding", - "itertools 0.12.1", + "itertools", "lazy_static", "num", "rand", 
@@ -4902,20 +4868,7 @@ version = "0.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" dependencies = [ - "strum_macros 0.25.3", -] - -[[package]] -name = "strum_macros" -version = "0.24.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e385be0d24f186b4ce2f9982191e7101bb737312ad61c1f2f984f34bcf85d59" -dependencies = [ - "heck 0.4.1", - "proc-macro2", - "quote", - "rustversion", - "syn 1.0.109", + "strum_macros", ] [[package]] @@ -5280,48 +5233,15 @@ dependencies = [ [[package]] name = "tonic" -version = "0.8.3" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f219fad3b929bef19b1f86fbc0358d35daed8f2cac972037ac0dc10bbb8d5fb" +checksum = "76c4eb7a4e9ef9d4763600161f12f5070b92a578e1b634db88a6887844c91a13" dependencies = [ "async-stream", - "async-trait", - "axum", - "base64 0.13.1", - "bytes", - "futures-core", - "futures-util", - "h2 0.3.26", - "http 0.2.12", - "http-body 0.4.6", - "hyper 0.14.28", - "hyper-timeout", - "percent-encoding", - "pin-project", - "prost", - "prost-derive", - "tokio", - "tokio-stream", - "tokio-util", - "tower", - "tower-layer", - "tower-service", - "tracing", - "tracing-futures", -] - -[[package]] -name = "tonic" -version = "0.9.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" -dependencies = [ "async-trait", "axum", "base64 0.21.7", "bytes", - "futures-core", - "futures-util", "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", 
@@ -5340,15 +5260,15 @@ dependencies = [ [[package]] name = "tonic-build" -version = "0.8.4" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bf5e9b9c0f7e0a7c027dcfaba7b2c60816c7049171f679d99ee2ff65d0de8c4" +checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" dependencies = [ - "prettyplease 0.1.25", + "prettyplease", "proc-macro2", "prost-build", "quote", - "syn 1.0.109", + "syn 2.0.60", ] [[package]] @@ -5416,16 +5336,6 @@ dependencies = [ "valuable", ] -[[package]] -name = "tracing-futures" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97d095ae15e245a057c8e8451bab9b3ee1e1f68e9ba2b4fbc18d0ac5237835f2" -dependencies = [ - "pin-project", - "tracing", -] - [[package]] name = "tracing-log" version = "0.2.0" diff --git a/Cargo.toml b/Cargo.toml index c50b07651c..06feea9254 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,11 +1,10 @@ [workspace] members = [ - "kbs/src/kbs", - "kbs/src/api", - "kbs/tools/client", - "attestation-service/attestation-service", - "attestation-service/verifier", - "attestation-service/rvps", + "kbs", + "attestation-service", + "rvps", + "tools/kbs-client", + "deps/verifier", ] resolver = "2" @@ -20,7 +19,6 @@ edition = "2021" actix-web = "4" actix-web-httpauth = "0.8.0" anyhow = "1.0" -api-server = { path = "kbs/src/api", default-features = false } assert-json-diff = "2.0.2" async-trait = "0.1.31" base64 = "0.21" @@ -30,11 +28,13 @@ clap = { version = "4", features = ["derive"] } config = "0.13.3" env_logger = "0.10.0" hex = "0.4.3" +jwt-simple = "0.11" kbs-types = "0.6.0" jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" -prost = "0.11.0" +prost = "0.12" regorus = { version = "0.1.5", default-features = false, features = ["regex", "base64", "time"] } +reqwest = "0.12" rstest = "0.18.1" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0.89" 
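Review bot: In the Cargo.toml hunk at `@@ -30,11 +28,13 @@`, `reqwest = "0.12"` is added with its default feature set, while neighbouring entries such as `jsonwebtoken` and `regorus` set `default-features = false`. With defaults on, reqwest picks its own TLS backend, which may not match the crypto backend the kbs build appears to select through its own features. Declaring it as `reqwest = { version = "0.12", default-features = false }` and enabling the TLS feature in each member crate would keep that choice explicit. The same hunk adds `jwt-simple = "0.11"` next to the existing `jsonwebtoken`, so token handling would span two JWT libraries; a one-line comment such as `# jwt-simple: used by <component>; jsonwebtoken: used by <component>` would help anyone auditing token validation.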
@@ -46,5 +46,5 @@ strum = { version = "0.25", features = ["derive"] } thiserror = "1.0" tokio = { version = "1.23.0", features = ["full"] } tempfile = "3.4.0" -tonic = "0.8.1" -tonic-build = "0.8.0" \ No newline at end of file +tonic = "0.11" +tonic-build = "0.11" \ No newline at end of file diff --git a/README.md b/README.md index 844db4b9a6..60fde0cc4a 100644 --- a/README.md +++ b/README.md @@ -21,12 +21,12 @@ in the RATS model. The AS verifies TEE evidence. In the RATS model this is a [Verifier](https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html#name-verifier) -- [Reference Value Provider Service](attestation-service/rvps) +- [Reference Value Provider Service](rvps) The RVPS manages reference values used to verify TEE evidence. This is related to the discussion in [section 7.5](https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html#name-endorser-reference-value-pr) of the RATS document. -- [Client Tool](kbs/tools/client) +- [KBS Client Tool](tools/kbs-client/) This is a simple tool which can be used to test or configure the KBS and AS. For further information, see documentation of individual components. diff --git a/attestation-service/.gitignore b/attestation-service/.gitignore index 49808cdbad..8225730b14 100644 --- a/attestation-service/.gitignore +++ b/attestation-service/.gitignore @@ -1,13 +1,9 @@ # build cache target -# Local Fs tempfile -reference_values - # Temporary files generated by e2e test tests/e2e/grpc-request.json tests/e2e/restful-request.json -verifier/test_data/*_output.txt # Output files generated by unit test tests/tmp/ diff --git a/attestation-service/attestation-service/Cargo.toml b/attestation-service/Cargo.toml similarity index 92% rename from attestation-service/attestation-service/Cargo.toml rename to attestation-service/Cargo.toml index 306759409b..529fa6efb8 100644 --- a/attestation-service/attestation-service/Cargo.toml +++ b/attestation-service/Cargo.toml 
@@ -66,10 +66,10 @@ tonic = { workspace = true, optional = true } uuid = { version = "1.1.2", features = ["v4"] } [target.'cfg(not(target_arch = "s390x"))'.dependencies] -verifier = { path = "../verifier", default-features = false, features = ["all-verifier"] } +verifier = { path = "../deps/verifier", default-features = false, features = ["all-verifier"] } [target.'cfg(target_arch = "s390x")'.dependencies] -verifier = { path = "../verifier", default-features = false, features = ["se-verifier"] } +verifier = { path = "../deps/verifier", default-features = false, features = ["se-verifier"] } [build-dependencies] shadow-rs.workspace = true diff --git a/attestation-service/Dockerfile.as-grpc b/attestation-service/Dockerfile.as-grpc index bc12799bde..ab770d97f7 100644 --- a/attestation-service/Dockerfile.as-grpc +++ b/attestation-service/Dockerfile.as-grpc @@ -17,7 +17,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/ apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi # Build and Install gRPC attestation-service -RUN cargo install --path attestation-service/attestation-service --bin grpc-as --features grpc-bin --locked +RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin --locked FROM ubuntu:22.04 diff --git a/attestation-service/Dockerfile.as-restful b/attestation-service/Dockerfile.as-restful index 29758cd770..42a9352fe6 100644 --- a/attestation-service/Dockerfile.as-restful +++ b/attestation-service/Dockerfile.as-restful @@ -17,7 +17,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/ apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi # Build and Install RESTful attestation-service -RUN cargo install --path attestation-service/attestation-service --bin restful-as --features restful-bin --locked +RUN cargo install --path attestation-service --bin restful-as --features restful-bin --locked FROM ubuntu:22.04 ARG ARCH=x86_64 
diff --git a/attestation-service/README.md b/attestation-service/README.md index 01db83eb4b..111aca2b86 100644 --- a/attestation-service/README.md +++ b/attestation-service/README.md @@ -13,7 +13,7 @@ Today, the AS can validate evidence from the following TEEs: - Hygon CSV - Intel TDX with vTPM on Azure - AMD SEV-SNP with vTPM on Azure -- IBM Secure Execution (SE): [Attestation Service with IBM SE](./verifier/src/se/README.md) +- IBM Secure Execution (SE): [Attestation Service with IBM SE](../deps/verifier/src/se/README.md) # Overview ``` @@ -74,14 +74,14 @@ The format of the attestation evidence depends on the platform and the implementation of the verifier. Please refer to the individual verifiers for the specific format of the evidence. -- Intel TDX: [TdxEvidence](./verifier/src/tdx/mod.rs) -- Intel SGX: [SgxEvidence](./verifier/src/sgx/mod.rs) -- AMD SNP: [SnpEvidence](./verifier/src/snp/mod.rs) -- Azure SNP vTPM: [Evidence](./verifier/src/az_snp_vtpm/mod.rs) -- Azure TDX vTPM: [Evidence](./verifier/src/az_tdx_vtpm/mod.rs) -- Arm CCA: [CcaEvidence](./verifier/src/cca/mod.rs) -- Hygon CSV: [CsvEvidence](./verifier/src/csv/mod.rs) -- IBM Secure Execution (SE): [SeEvidence](./verifier/src/se/mod.rs) +- Intel TDX: [TdxEvidence](../deps/verifier/src/tdx/mod.rs) +- Intel SGX: [SgxEvidence](../deps/verifier/src/sgx/mod.rs) +- AMD SNP: [SnpEvidence](../deps/verifier/src/snp/mod.rs) +- Azure SNP vTPM: [Evidence](../deps/verifier/src/az_snp_vtpm/mod.rs) +- Azure TDX vTPM: [Evidence](../deps/verifier/src/az_tdx_vtpm/mod.rs) +- Arm CCA: [CcaEvidence](../deps/verifier/src/cca/mod.rs) +- Hygon CSV: [CsvEvidence](../deps/verifier/src/csv/mod.rs) +- IBM Secure Execution (SE): [SeEvidence](../deps/verifier/src/se/mod.rs) ## Output 
@@ -145,15 +145,15 @@ The results of every policy that is evaluated are included in the attestation to **Note**: Please refer to the [Policy Language](https://www.openpolicyagent.org/docs/latest/policy-language/) documentation for more information about Rego. -If the policy is not updated, the AS will use the [default policy](./attestation-service/src/policy_engine/opa/default_policy.rego). +If the policy is not updated, the AS will use the [default policy](src/policy_engine/opa/default_policy.rego). Concrete policy usages please refer to [this guide](docs/policy.md). ### Reference Value Provider Service -The [Reference Value Provider Service](rvps/README.md) (RVPS) is a module integrated into the AS to verify, +The [Reference Value Provider Service](../rvps/README.md) (RVPS) is a module integrated into the AS to verify, store and provide reference values. RVPS receives and verifies the provenance input from the software supply chain, stores the measurement values, and generates reference value claims for the AS according to the evidence content when the AS verifies the evidence. The Reference Value Provider Service supports different deployment modes, -please refer to [the doc](./rvps/README.md#run-mode) for more details. +please refer to [the doc](../rvps/README.md#run-mode) for more details. diff --git a/attestation-service/attestation-service/build.rs b/attestation-service/build.rs similarity index 100% rename from attestation-service/attestation-service/build.rs rename to attestation-service/build.rs diff --git a/attestation-service/docs/grpc-as.md b/attestation-service/docs/grpc-as.md index cb7f28db34..71fe12d33d 100644 --- a/attestation-service/docs/grpc-as.md +++ b/attestation-service/docs/grpc-as.md 
@@ -111,4 +111,4 @@ docker build -t coco-as:grpc -f attestation-service/Dockerfile.as-grpc . ### API -The API of gRPC CoCo-AS is defined in the [proto](../protos/attestation.proto). +The API of gRPC CoCo-AS is defined in the [proto](../../protos/attestation.proto). diff --git a/attestation-service/docs/policy.md b/attestation-service/docs/policy.md index 9bd8253ba9..4bf1ad4919 100644 --- a/attestation-service/docs/policy.md +++ b/attestation-service/docs/policy.md @@ -4,7 +4,7 @@ CoCo AS provides a flexible policy support based on Rego to facilitate the custo ## How to Use Policy -For both [gRPC CoCo AS](../protos/attestation.proto) and [Restful CoCo AS](./restful-as.md), we have a +For both [gRPC CoCo AS](../../protos/attestation.proto) and [Restful CoCo AS](./restful-as.md), we have a parameter named `policy_ids` to specify which policies to use to enforce the evidence check. For a running CoCoAS, we can set any new policies. 
@@ -79,7 +79,7 @@ curl -k -X POST http://127.0.0.1:8080/attestation \ We will introduce the format of policy by providing some examples to show the use cases. -1. The [default policy](../attestation-service/src/policy_engine/opa/default_policy.rego). This policy will check whether each entry in the [parsed claims](./parsed_claims.md) generated by the input evidence matches the reference value obtained from RVPS. +1. The [default policy](../src/policy_engine/opa/default_policy.rego). This policy will check whether each entry in the [parsed claims](./parsed_claims.md) generated by the input evidence matches the reference value obtained from RVPS. 2. An [SGX policy](../tests/coco-as/policy/example-1.rego). The client want to ensure the `mr_signer` and `mrenclave` are both expected value. 3. A [TDX policy](../tests/coco-as/policy/example-2.rego). The client want to ensure the TDX module (reflected by `tdx.quote.body.mr_seam`), guest firmware (reflected by `tdx.quote.body.mr_td`), kernel (reflected by `tdx.ccel.kernel`) are all as expected. 4. A [IBM SE policy](../tests/coco-as/policy/example-3.rego). The client want to ensure the `se.version`, `se.tag`, `se.user_data`, `se.image_phkh` and `se.attestation_phkh` are all expected value. diff --git a/attestation-service/attestation-service/src/bin/grpc-as.rs b/attestation-service/src/bin/grpc-as.rs similarity index 100% rename from attestation-service/attestation-service/src/bin/grpc-as.rs rename to attestation-service/src/bin/grpc-as.rs diff --git a/attestation-service/attestation-service/src/bin/grpc/mod.rs b/attestation-service/src/bin/grpc/mod.rs similarity index 100% rename from attestation-service/attestation-service/src/bin/grpc/mod.rs rename to attestation-service/src/bin/grpc/mod.rs 
diff --git a/attestation-service/attestation-service/src/bin/restful-as.rs b/attestation-service/src/bin/restful-as.rs
similarity index 100%
rename from attestation-service/attestation-service/src/bin/restful-as.rs
rename to attestation-service/src/bin/restful-as.rs
diff --git a/attestation-service/attestation-service/src/bin/restful/mod.rs b/attestation-service/src/bin/restful/mod.rs
similarity index 100%
rename from attestation-service/attestation-service/src/bin/restful/mod.rs
rename to attestation-service/src/bin/restful/mod.rs
diff --git a/attestation-service/attestation-service/src/config.rs b/attestation-service/src/config.rs
similarity index 100%
rename from attestation-service/attestation-service/src/config.rs
rename to attestation-service/src/config.rs
diff --git a/attestation-service/attestation-service/src/lib.rs b/attestation-service/src/lib.rs
similarity index 100%
rename from attestation-service/attestation-service/src/lib.rs
rename to attestation-service/src/lib.rs
diff --git a/attestation-service/attestation-service/src/policy_engine/mod.rs b/attestation-service/src/policy_engine/mod.rs
similarity index 100%
rename from attestation-service/attestation-service/src/policy_engine/mod.rs
rename to attestation-service/src/policy_engine/mod.rs
diff --git a/attestation-service/attestation-service/src/policy_engine/opa/default_policy.rego b/attestation-service/src/policy_engine/opa/default_policy.rego
similarity index 100%
rename from attestation-service/attestation-service/src/policy_engine/opa/default_policy.rego
rename to attestation-service/src/policy_engine/opa/default_policy.rego
diff --git a/attestation-service/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs
similarity index 99%
rename from attestation-service/attestation-service/src/policy_engine/opa/mod.rs
rename to attestation-service/src/policy_engine/opa/mod.rs
index 773aa47045..40f66d9d88 100644
--- a/attestation-service/attestation-service/src/policy_engine/opa/mod.rs +++ b/attestation-service/src/policy_engine/opa/mod.rs @@ -269,7 +269,7 @@ mod tests { #[tokio::test] async fn test_policy_management() { - let mut opa = OPA::new(PathBuf::from("../tests/tmp")).unwrap(); + let mut opa = OPA::new(PathBuf::from("tests/tmp")).unwrap(); let policy = "package policy default allow = true" .to_string(); diff --git a/attestation-service/attestation-service/src/rvps/builtin.rs b/attestation-service/src/rvps/builtin.rs similarity index 100% rename from attestation-service/attestation-service/src/rvps/builtin.rs rename to attestation-service/src/rvps/builtin.rs diff --git a/attestation-service/attestation-service/src/rvps/grpc.rs b/attestation-service/src/rvps/grpc.rs similarity index 100% rename from attestation-service/attestation-service/src/rvps/grpc.rs rename to attestation-service/src/rvps/grpc.rs diff --git a/attestation-service/attestation-service/src/rvps/mod.rs b/attestation-service/src/rvps/mod.rs similarity index 100% rename from attestation-service/attestation-service/src/rvps/mod.rs rename to attestation-service/src/rvps/mod.rs diff --git a/attestation-service/attestation-service/src/token/mod.rs b/attestation-service/src/token/mod.rs similarity index 100% rename from attestation-service/attestation-service/src/token/mod.rs rename to attestation-service/src/token/mod.rs diff --git a/attestation-service/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs similarity index 100% rename from attestation-service/attestation-service/src/token/simple.rs rename to attestation-service/src/token/simple.rs diff --git a/attestation-service/attestation-service/src/utils.rs b/attestation-service/src/utils.rs similarity index 100% rename from attestation-service/attestation-service/src/utils.rs rename to attestation-service/src/utils.rs 
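Review bot: The fixed relative path `tests/tmp` in `test_policy_management` only resolves as intended when the test runs with the crate root as its working directory, and it appears to leave policy files in the source tree between runs. Since `tempfile` is already listed in the workspace manifest, a per-test directory would remove both assumptions: `let dir = tempfile::tempdir().unwrap();` followed by `let mut opa = OPA::new(dir.path().to_path_buf()).unwrap();`, provided tempfile is available as a dev-dependency of this crate. The test body continues outside the hunk.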
diff --git a/attestation-service/tests/e2e/Makefile b/attestation-service/tests/e2e/Makefile index 6bbd48dd18..7b866f6d90 100644 --- a/attestation-service/tests/e2e/Makefile +++ b/attestation-service/tests/e2e/Makefile @@ -66,7 +66,7 @@ restful-test: restful.pid $(REQUEST) .PHONY: grpc-test grpc-test: grpc.pid $(REQUEST) echo $$(cat $(REQUEST)) \ - | grpcurl -plaintext -import-path ../../protos -proto ../../protos/attestation.proto -d @ 127.0.0.1:50004 attestation.AttestationService/AttestationEvaluate + | grpcurl -plaintext -import-path ../../../protos -proto ../../../protos/attestation.proto -d @ 127.0.0.1:50004 attestation.AttestationService/AttestationEvaluate .PHONY: stop-restful-as stop-restful-as: restful.pid diff --git a/deps/verifier/.gitignore b/deps/verifier/.gitignore new file mode 100644 index 0000000000..45c991d176 --- /dev/null +++ b/deps/verifier/.gitignore @@ -0,0 +1,2 @@ +# Test tempfiles +test_data/*.txt \ No newline at end of file diff --git a/attestation-service/verifier/Cargo.toml b/deps/verifier/Cargo.toml similarity index 100% rename from attestation-service/verifier/Cargo.toml rename to deps/verifier/Cargo.toml diff --git a/attestation-service/verifier/src/az_snp_vtpm/mod.rs b/deps/verifier/src/az_snp_vtpm/mod.rs similarity index 100% rename from attestation-service/verifier/src/az_snp_vtpm/mod.rs rename to deps/verifier/src/az_snp_vtpm/mod.rs diff --git a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs b/deps/verifier/src/az_tdx_vtpm/mod.rs similarity index 100% rename from attestation-service/verifier/src/az_tdx_vtpm/mod.rs rename to deps/verifier/src/az_tdx_vtpm/mod.rs diff --git a/attestation-service/verifier/src/cca/mod.rs b/deps/verifier/src/cca/mod.rs similarity index 100% rename from attestation-service/verifier/src/cca/mod.rs rename to deps/verifier/src/cca/mod.rs 
diff --git a/attestation-service/verifier/src/csv/hrk.cert b/deps/verifier/src/csv/hrk.cert
similarity index 100%
rename from attestation-service/verifier/src/csv/hrk.cert
rename to deps/verifier/src/csv/hrk.cert
diff --git a/attestation-service/verifier/src/csv/mod.rs b/deps/verifier/src/csv/mod.rs
similarity index 100%
rename from attestation-service/verifier/src/csv/mod.rs
rename to deps/verifier/src/csv/mod.rs
diff --git a/attestation-service/verifier/src/lib.rs b/deps/verifier/src/lib.rs
similarity index 100%
rename from attestation-service/verifier/src/lib.rs
rename to deps/verifier/src/lib.rs
diff --git a/attestation-service/verifier/src/sample/mod.rs b/deps/verifier/src/sample/mod.rs
similarity index 100%
rename from attestation-service/verifier/src/sample/mod.rs
rename to deps/verifier/src/sample/mod.rs
diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md
new file mode 100644
index 0000000000..8589439614
--- /dev/null
+++ b/deps/verifier/src/se/README.md
@@ -0,0 +1,241 @@ + +# KBS with IBM SE verifier + +This is a document to guide developer run a KBS with IBM SE verifier locally for development purpose. + +## Index + +- [Deployment of KBS with IBM SE verifier](#deployment-of-kbs-with-ibm-se-verifier) +- [Set attestation policy for IBM SE verifier](#set-attestation-policy) + + + +# Deployment of KBS with IBM SE verifier + +This section is about deployment of KBS without rvps checking. + +## Generate RSA keys +Generate RSA 4096 key pair following commands: +```bash +openssl genrsa -aes256 -passout pass:test1234 -out encrypt_key-psw.pem 4096 +openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -pubout -out encrypt_key.pub +openssl rsa -in encrypt_key-psw.pem -out encrypt_key.pem +``` + + +## Download Certs, CRLs +Donwload these materials from: https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen2.html +Which includes: + +### Certs +ibm-z-host-key-signing-gen2.crt +DigiCertCA.crt + +### CRL +ibm-z-host-key-gen2.crl + +## Download HKD +Download IBM Secure Execution Host Key Document following: https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document + +## Get SE Header +Build `se.img` following [Generate an IBM Secure Execution image](https://www.ibm.com/docs/en/linux-on-systems?topic=commands-genprotimg) and retrieve the hdr.bin via command like below. +```bash +./pvextract-hdr -o hdr.bin se.img +``` + +Refer [ibm-s390-linux](https://github.com/ibm-s390-linux/s390-tools/blob/v2.33.1/rust/pvattest/tools/pvextract-hdr) to get `pvextract-hdr`. + +## Generate KBS key +Generate keys used by KBS service. 
+```bash +openssl genpkey -algorithm ed25519 > kbs.key +openssl pkey -in kbs.key -pubout -out kbs.pem +``` + +## (Option 1) Launch KBS as a program + +- Build KBS +```bash +cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa +``` + +- Prepare the material retrieved above, similar as: +``` +/run/confidential-containers/ibmse# +. +├── certs +│ ├── ibm-z-host-key-signing-gen2.crt +| └── DigiCertCA.crt +├── crls +│ └── ibm-z-host-key-gen2.crl +├── hdr +│ └── hdr.bin +├── hkds +│ └── HKD-3931-0275D38.crt +└── rsa + ├── encrypt_key.pem + └── encrypt_key.pub +``` + +> Note: alternative is to use system variables listed in [ibmse.rs](./ibmse.rs) to overwrite the files. + +- Prepare the `kbs-config.toml`, similar as: +``` +sockets = ["0.0.0.0:8080"] +auth_public_key = "/kbs/kbs.pem" +# Ideally we should use some solution like cert-manager to issue let's encrypt based certificate: +# https://cert-manager.io/docs/configuration/acme/ +insecure_http = true + +[attestation_token_config] +attestation_token_type = "CoCo" + +[as_config] +work_dir = "/opt/confidential-containers/attestation-service" +policy_engine = "opa" +attestation_token_broker = "Simple" + +[as_config.attestation_token_config] +duration_min = 5 + +[as_config.rvps_config] +store_type = "LocalFs" +remote_addr = "" +``` + +- Launch the KBS program +```bash +export RUST_LOG=debug +export SE_SKIP_CERTS_VERIFICATION=true +./kbs --config-file ./kbs-config.toml +``` + +> Note: `SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. + +## (Option 2) Launch KBS via docker-compose +- Build the docker image +``` +DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . 
-f kbs/docker/Dockerfile +``` +>Note: Please add `--debug` in statement like `cargo install` in file `kbs/docker/Dockerfile` if you're using a development host key document to skip HKD's signature verification. + +- Prepare a docker compose file, similar as: +``` +services: + kbs: + image: ghcr.io/confidential-containers/staged-images/kbs:latest + command: [ + "/usr/local/bin/kbs", + "--config-file", + "/etc/kbs-config.toml", + ] + restart: always # keep the server running + environment: + - RUST_LOG=debug + - SE_SKIP_CERTS_VERIFICATION=true + ports: + - "8080:8080" + volumes: + - ./data/kbs-storage:/opt/confidential-containers/kbs/repository:rw + - ./data/attestation-service:/opt/confidential-containers/attestation-service:rw + - ./kbs.pem:/kbs/kbs.pem + - ./kbs-config.toml:/etc/kbs-config.toml + - ./data/hkds:/run/confidential-containers/ibmse/hkds + - ./data/certs:/run/confidential-containers/ibmse/certs + - ./data/crls:/run/confidential-containers/ibmse/crls + - ./data/hdr.bin:/run/confidential-containers/ibmse/hdr/hdr.bin + - ./data/rsa/encrypt_key.pem:/run/confidential-containers/ibmse/rsa/encrypt_key.pem + - ./data/rsa/encrypt_key.pub:/run/confidential-containers/ibmse/rsa/encrypt_key.pub +``` +> Note: `SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. + +- Prepare the material, similar as: +``` +. 
+├── data +│   ├── attestation-service +│   │   ├── opa +│   │   │   └── default.rego +│   ├── certs +│   │   ├── ibm-z-host-key-signing-gen2.crt +│   │   └── DigiCertCA.crt +│   ├── crls +│   │   └── ibm-z-host-key-gen2.crl +│   ├── hdr.bin +│   ├── hkds +│   │   └── HKD-3931-0275D38.crt +│   ├── kbs-storage +│   │   ├── default +│   │   └── one +│   │   └── two +│   │   └── key +│   └── rsa +│   ├── encrypt_key.pem +│   └── encrypt_key.pub +├── docker-compose.yaml +├── kbs-config.toml +├── kbs.key +└── kbs.pem +``` + +- Launch KBS as docker compose application +```bash +docker-compose up -d +docker-compose logs kbs +docker-compose down +``` + + +# Set attestation policy + +This section is about setting attestation policy. + +### Retrive the attestation policy fields for IBM SE + +Using [se_parse_hdr.py](se_parse_hdr.py) on a s390x instance to retrieve the IBM SE fields for attestation policy. + +```bash +python3 se_parse_hdr.py hdr.bin HKD-3931.crt + +... + ================================================ + se.image_phkh: xxx + se.version: 256 + se.tag: xxx + se.attestation_phkh: xxx +``` + +We get following fields and will set these fields in rvps for attestation policy. 
+`se.version: 256` +`se.tag: xxx` +`se.attestation_phkh: xxx` +`se.image_phkh: xxx` + + +### Set attestation policy + +#### Generate attestation policy file +```bash +cat << EOF > ibmse-policy.rego +package policy +import rego.v1 +default allow = false + +converted_version := sprintf("%v", [input["se.version"]]) + +allow if { + input["se.attestation_phkh"] == "xxx" + input["se.image_phkh"] == "xxx" + input["se.tag"] == "xxx" + input["se.user_data"] == "00" + converted_version == "256" +} +EOF +``` + +Where the values come from [retrive-the-rvps-field-for-an-ibm-se-image](#retrive-the-rvps-field-for-an-ibm-se-image) + +#### Set the attestation policy +```bash +kbs-client --url http://127.0.0.1:8080 config --auth-private-key ./kbs/kbs.key set-attestation-policy --policy-file ./ibmse-policy.rego +``` \ No newline at end of file diff --git a/attestation-service/verifier/src/se/ibmse.rs b/deps/verifier/src/se/ibmse.rs similarity index 100% rename from attestation-service/verifier/src/se/ibmse.rs rename to deps/verifier/src/se/ibmse.rs diff --git a/attestation-service/verifier/src/se/mod.rs b/deps/verifier/src/se/mod.rs similarity index 100% rename from attestation-service/verifier/src/se/mod.rs rename to deps/verifier/src/se/mod.rs diff --git a/deps/verifier/src/se/se_parse_hdr.py b/deps/verifier/src/se/se_parse_hdr.py new file mode 100644 index 0000000000..d8191f6642 --- /dev/null +++ b/deps/verifier/src/se/se_parse_hdr.py 
@@ -0,0 +1,162 @@ +# Copyright (C) Copyright IBM Corp. 2024 +# +# SPDX-License-Identifier: Apache-2.0 +# + +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.primitives.asymmetric import ec +import hashlib +import sys +import struct + + +def parse_certificate(cert_path): + """Parse the certificate from file path and return the public key.""" + with open(cert_path, 'rb') as cert_file: + cert_data = cert_file.read() + cert = x509.load_pem_x509_certificate(cert_data, default_backend()) + return cert.public_key() + +def ec_point_to_affine_coordinates(public_key): + """Convert EC public key to affine coordinates (x, y).""" + if isinstance(public_key, ec.EllipticCurvePublicKey): + # Get the uncompressed point bytes + point = public_key.public_bytes( + encoding=serialization.Encoding.X962, + format=serialization.PublicFormat.UncompressedPoint + ) + curve = public_key.curve + x_bytes = point[1:curve.key_size//8+2] # skip the first byte (0x04) + y_bytes = point[curve.key_size//8+2:] + return x_bytes, y_bytes + else: + raise ValueError("Invalid EC public key type") + +def bn_bn2binpad(bn, size): + """Convert BN to binary padded format.""" + bn_bytes = bn.to_bytes((bn.bit_length() + 7) // 8, byteorder='big') + if len(bn_bytes) < size: + padded_bytes = b'\x00' * (size - len(bn_bytes)) + bn_bytes + elif len(bn_bytes) > size: + padded_bytes = bn_bytes[-size:] + else: + padded_bytes = bn_bytes + return padded_bytes + +def generate_sha256_hash(data): + """Generate SHA-256 hash of input data.""" + sha256_hash = hashlib.sha256(data).hexdigest() + return sha256_hash + +def bytes_to_hex_string(byte_data): + """Convert bytes to hex string.""" + return ''.join(f'{b:02x}' for b in byte_data) + +def parse_img_phkh_from_hkd(filename): + # Parse certificate and extract public key + public_key = parse_certificate(filename) + + # Get affine coordinates + x_bytes, 
y_bytes = ec_point_to_affine_coordinates(public_key) + + # Convert x_bytes and y_bytes to binary padded format + x_bin = bn_bn2binpad(int.from_bytes(x_bytes, byteorder='big'), 80) # 66 bytes for P-521 curve + y_bin = bn_bn2binpad(int.from_bytes(y_bytes, byteorder='big'), 80) + + # Log x_bin and y_bin + x_bin_str = bytes_to_hex_string(x_bin) + y_bin_str = bytes_to_hex_string(y_bin) + + # Concatenate x_bin and y_bin + ecdh_data = x_bin + y_bin + + # Log concatenated data + ecdh_data_str = bytes_to_hex_string(ecdh_data) + + # Calculate SHA-256 hash + hkd_phkh = generate_sha256_hash(ecdh_data) + return hkd_phkh + +def parse_hdr(hdr_file, hkd_file): + with open(hdr_file, 'rb') as f: + + hkd_phkh = parse_img_phkh_from_hkd(hkd_file) + key_slot_used_idx = -1 + + # Read the entire header based on the size defined in the structure + # https://github.com/ibm-s390-linux/s390-tools/blob/master/genprotimg/src/include/pv_hdr_def.h + header_size = 8 + 4 + 4 + # pv_hdr_head size 416 + pv_hdr_head_size = 8 + 4 + 4 + 12 + 4 + 8 + 8 + 8 + 8 + 160 + 64 + 64 + 64 + + after_key_slot_size = 144 + # pv_hdr_key_slot digest_key + wrapped_key = phkh + phkh_size = 32 + + hdr_data = f.read(header_size) + + # Unpack the header fields + fields = struct.unpack('8sII', hdr_data) + + magic, version, phs = fields + # The last 16 bits is the image tag + f.seek(-16, 2) + image_tag = f.read(16) + # Print the extracted fields + + print(f"Magic: {magic.decode('ascii')}") + print(f"phs: {phs}") + + f.seek(pv_hdr_head_size) + + length_phkh_data = phs - pv_hdr_head_size - after_key_slot_size + phkh_data = f.read(length_phkh_data) + + # Define the struct format (32 bytes for digest_key, 32 bytes for wrapped_key, 16 bytes for tag) + struct_format = '32s32s16s' + + # Calculate the size of each struct + struct_size = struct.calcsize(struct_format) + + for i in range(0, len(phkh_data), struct_size): + if i + struct_size > len(phkh_data): + break + chunk = phkh_data[i:i + struct_size] + digest_key, wrapped_key, 
tag = struct.unpack(struct_format, chunk) + if digest_key.hex() == hkd_phkh: + key_slot_used_idx = i + print(f" ========Host Key Document Hash used in this slot========= ") + print(f" Key Slot: {i//80 + 1}:") + print(f" image_phkh: {digest_key.hex()}") + print(f" wrapped_key: {wrapped_key.hex()}") + print(f" tag: {tag.hex()}") + # if the 1 slot selected, the idx is 0 + if key_slot_used_idx > -1: + chunk_used = phkh_data[key_slot_used_idx:key_slot_used_idx + struct_size] + digest_key, wrapped_key, tag = struct.unpack(struct_format, chunk_used) + print(f" ========Host Key Document Hash used in this slot========= ") + print(f" Key Slot: {key_slot_used_idx//80 + 1}:") + print(f" wrapped_key: {wrapped_key.hex()}") + print(f" HKD tag: {tag.hex()}") + print(f" Copy below value and set in rvps ") + print(f" ================================================ ") + print(f" se.image_phkh: {digest_key.hex()}") + else: + print(f" The HKD file not included when build the SE image ") + + + print(f" se.version: {version}") + print(f" se.tag: {image_tag.hex()}") + print(f" se.attestation_phkh: {hkd_phkh}") + + +if __name__ == "__main__": + if len(sys.argv) != 3: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + + hdr_file = sys.argv[1] + hkd_file = sys.argv[2] + parse_hdr(hdr_file, hkd_file) diff --git a/attestation-service/verifier/src/sgx/claims.rs b/deps/verifier/src/sgx/claims.rs similarity index 100% rename from attestation-service/verifier/src/sgx/claims.rs rename to deps/verifier/src/sgx/claims.rs diff --git a/attestation-service/verifier/src/sgx/mod.rs b/deps/verifier/src/sgx/mod.rs similarity index 100% rename from attestation-service/verifier/src/sgx/mod.rs rename to deps/verifier/src/sgx/mod.rs diff --git a/attestation-service/verifier/src/sgx/types.rs b/deps/verifier/src/sgx/types.rs similarity index 100% rename from attestation-service/verifier/src/sgx/types.rs rename to deps/verifier/src/sgx/types.rs 
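Review bot: parse_hdr() trusts the header file without validating it: `struct.unpack('8sII', hdr_data)` decodes `version` and `phs` in the host's native byte order, `magic` is printed but never compared, and `phs` feeds `length_phkh_data` unchecked, so a truncated or malformed header gives a negative or oversized read length. The README runs the script on s390x, so the header is presumably big-endian (worth confirming against the linked pv_hdr_def.h); on a little-endian workstation the printed `se.version` would then be wrong, and these values are pasted into the attestation policy as reference values. I would pin the order with `fields = struct.unpack('>8sII', hdr_data)` and add `if phs < pv_hdr_head_size + after_key_slot_size: sys.exit("unexpected phs in SE header")` before the key-slot read. Separately, parse_certificate() loads the HKD and hashes its key with no chain or CRL check, so a module docstring should state that the operator must verify the HKD before using `se.attestation_phkh`.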
diff --git a/attestation-service/verifier/src/snp/milan_ask_ark_asvk.pem b/deps/verifier/src/snp/milan_ask_ark_asvk.pem
similarity index 100%
rename from attestation-service/verifier/src/snp/milan_ask_ark_asvk.pem
rename to deps/verifier/src/snp/milan_ask_ark_asvk.pem
diff --git a/attestation-service/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs
similarity index 100%
rename from attestation-service/verifier/src/snp/mod.rs
rename to deps/verifier/src/snp/mod.rs
diff --git a/attestation-service/verifier/src/tdx/claims.rs b/deps/verifier/src/tdx/claims.rs
similarity index 100%
rename from attestation-service/verifier/src/tdx/claims.rs
rename to deps/verifier/src/tdx/claims.rs
diff --git a/attestation-service/verifier/src/tdx/eventlog.rs b/deps/verifier/src/tdx/eventlog.rs
similarity index 100%
rename from attestation-service/verifier/src/tdx/eventlog.rs
rename to deps/verifier/src/tdx/eventlog.rs
diff --git a/attestation-service/verifier/src/tdx/mod.rs b/deps/verifier/src/tdx/mod.rs
similarity index 100%
rename from attestation-service/verifier/src/tdx/mod.rs
rename to deps/verifier/src/tdx/mod.rs
diff --git a/attestation-service/verifier/src/tdx/quote.rs b/deps/verifier/src/tdx/quote.rs
similarity index 100%
rename from attestation-service/verifier/src/tdx/quote.rs
rename to deps/verifier/src/tdx/quote.rs
diff --git a/attestation-service/verifier/test_data/CCEL_data b/deps/verifier/test_data/CCEL_data
similarity index 100%
rename from attestation-service/verifier/test_data/CCEL_data
rename to deps/verifier/test_data/CCEL_data
diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin b/deps/verifier/test_data/az-snp-vtpm/hcl-report.bin
similarity index 100%
rename from attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin
rename to deps/verifier/test_data/az-snp-vtpm/hcl-report.bin
diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/quote.bin b/deps/verifier/test_data/az-snp-vtpm/quote.bin
similarity index 100%
rename from attestation-service/verifier/test_data/az-snp-vtpm/quote.bin
rename to deps/verifier/test_data/az-snp-vtpm/quote.bin
diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.msg b/deps/verifier/test_data/az-snp-vtpm/tpm-quote.msg
similarity index 100%
rename from attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.msg
rename to deps/verifier/test_data/az-snp-vtpm/tpm-quote.msg
diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.sig b/deps/verifier/test_data/az-snp-vtpm/tpm-quote.sig
similarity index 100%
rename from attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.sig
rename to deps/verifier/test_data/az-snp-vtpm/tpm-quote.sig
diff --git a/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem b/deps/verifier/test_data/az-snp-vtpm/vcek.pem
similarity index 100%
rename from attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem
rename to deps/verifier/test_data/az-snp-vtpm/vcek.pem
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin b/deps/verifier/test_data/az-tdx-vtpm/hcl-report.bin
similarity index 100%
rename from attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin
rename to deps/verifier/test_data/az-tdx-vtpm/hcl-report.bin
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/quote.bin b/deps/verifier/test_data/az-tdx-vtpm/quote.bin
similarity index 100%
rename from attestation-service/verifier/test_data/az-tdx-vtpm/quote.bin
rename to deps/verifier/test_data/az-tdx-vtpm/quote.bin
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin b/deps/verifier/test_data/az-tdx-vtpm/td-quote.bin
similarity index 100%
rename from attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin
rename to deps/verifier/test_data/az-tdx-vtpm/td-quote.bin
diff --git a/attestation-service/verifier/test_data/cca-claims.json b/deps/verifier/test_data/cca-claims.json
similarity index 100%
rename from attestation-service/verifier/test_data/cca-claims.json
rename to deps/verifier/test_data/cca-claims.json
diff --git a/attestation-service/verifier/test_data/occlum_quote.dat b/deps/verifier/test_data/occlum_quote.dat
similarity index 100%
rename from attestation-service/verifier/test_data/occlum_quote.dat
rename to deps/verifier/test_data/occlum_quote.dat
diff --git a/attestation-service/verifier/test_data/snp/test-report.bin b/deps/verifier/test_data/snp/test-report.bin
similarity index 100%
rename from attestation-service/verifier/test_data/snp/test-report.bin
rename to deps/verifier/test_data/snp/test-report.bin
diff --git a/attestation-service/verifier/test_data/snp/test-vcek-invalid-legacy.der b/deps/verifier/test_data/snp/test-vcek-invalid-legacy.der
similarity index 100%
rename from attestation-service/verifier/test_data/snp/test-vcek-invalid-legacy.der
rename to deps/verifier/test_data/snp/test-vcek-invalid-legacy.der
diff --git a/attestation-service/verifier/test_data/snp/test-vcek-invalid-new.der b/deps/verifier/test_data/snp/test-vcek-invalid-new.der
similarity index 100%
rename from attestation-service/verifier/test_data/snp/test-vcek-invalid-new.der
rename to deps/verifier/test_data/snp/test-vcek-invalid-new.der
diff --git a/attestation-service/verifier/test_data/snp/test-vcek.der b/deps/verifier/test_data/snp/test-vcek.der
similarity index 100%
rename from attestation-service/verifier/test_data/snp/test-vcek.der
rename to deps/verifier/test_data/snp/test-vcek.der
diff --git a/attestation-service/verifier/test_data/snp/test-vlek-report.bin b/deps/verifier/test_data/snp/test-vlek-report.bin
similarity index 100%
rename from attestation-service/verifier/test_data/snp/test-vlek-report.bin
rename to deps/verifier/test_data/snp/test-vlek-report.bin
diff --git a/attestation-service/verifier/test_data/snp/test-vlek.der b/deps/verifier/test_data/snp/test-vlek.der similarity index 100% rename from attestation-service/verifier/test_data/snp/test-vlek.der rename to deps/verifier/test_data/snp/test-vlek.der diff --git a/attestation-service/verifier/test_data/tdx_quote_4.dat b/deps/verifier/test_data/tdx_quote_4.dat similarity index 100% rename from attestation-service/verifier/test_data/tdx_quote_4.dat rename to deps/verifier/test_data/tdx_quote_4.dat diff --git a/attestation-service/verifier/test_data/tdx_quote_5.dat b/deps/verifier/test_data/tdx_quote_5.dat similarity index 100% rename from attestation-service/verifier/test_data/tdx_quote_5.dat rename to deps/verifier/test_data/tdx_quote_5.dat diff --git a/docker-compose.yml b/docker-compose.yml index 8e14c38da9..2250258a72 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -46,7 +46,7 @@ services: #image: ghcr.io/confidential-containers/reference-value-provider-service:latest build: context: . - dockerfile: ./attestation-service/rvps/Dockerfile + dockerfile: ./rvps/Dockerfile restart: always # keep the server running ports: - "50003:50003" diff --git a/kbs/src/api/Cargo.toml b/kbs/Cargo.toml similarity index 63% rename from kbs/src/api/Cargo.toml rename to kbs/Cargo.toml index 336ca2580f..98f08db18c 100644 --- a/kbs/src/api/Cargo.toml +++ b/kbs/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "api-server" +name = "kbs" version.workspace = true authors.workspace = true description.workspace = true 
@@ -8,16 +8,38 @@ edition.workspace = true [features] default = ["coco-as-builtin", "resource", "opa", "rustls"] + +# Feature that allows to access resources from KBS resource = ["rsa", "dep:openssl", "reqwest", "aes-gcm"] + +# Support a backend attestation service for KBS as = [] + +# Use CoCo-AS as backend attestation service +coco-as = ["as"] + +# Support resource policy for KBS policy = [] + +# Use OPA/Rego as resource policy for KBS opa = ["policy"] -coco-as = ["as"] + +# Use built-in CoCo-AS as backend attestation service coco-as-builtin = ["coco-as", "attestation-service/default"] + +# Use built-in CoCo-AS as backend attestation service without verifier coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"] + +# Use remote gRPC CoCo-AS as backend attestation service coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"] + +# Use Intel TA as backend attestation service intel-trust-authority-as = ["as", "reqwest", "jsonwebtoken"] + +# Use pure rust crypto stack for KBS rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"] + +# Use openssl crypto stack for KBS openssl = ["actix-web/openssl", "dep:openssl"] [dependencies] 
@@ -26,35 +48,34 @@ actix-web-httpauth.workspace = true aes-gcm = { version = "0.10.1", optional = true } anyhow.workspace = true async-trait.workspace = true -attestation-service = { path = "../../../attestation-service/attestation-service", default-features = false, optional = true } +attestation-service = { path = "../attestation-service", default-features = false, optional = true } base64.workspace = true cfg-if.workspace = true -clap = { version = "4.3.21", features = ["derive", "env"] } +clap = { workspace = true, features = ["derive", "env"] } config.workspace = true env_logger.workspace = true jsonwebtoken = { workspace = true, default-features = false, optional = true } -jwt-simple = "0.11.6" +jwt-simple.workspace = true kbs-types.workspace = true lazy_static = "1.4.0" log.workspace = true mobc = { version = "0.8.3", optional = true } -prost = { version = "0.11", optional = true } +prost = { workspace = true, optional = true } rand = "0.8.5" regorus.workspace = true -reqwest = { version = "0.12", features = ["json"], optional = true } +reqwest = { workspace = true, features = ["json"], optional = true } rsa = { version = "0.9.2", optional = true, features = ["sha2"] } rustls = { version = "0.20.8", optional = true } rustls-pemfile = { version = "1.0.4", optional = true } scc = "2" semver = "1.0.16" -serde = { version = "1.0", features = ["derive"] } +serde = { workspace = true, features = ["derive"] } serde_json.workspace = true -strum = "0.25.0" -strum_macros = "0.24.1" +strum.workspace = true thiserror.workspace = true time = { version = "0.3.23", features = ["std"] } tokio.workspace = true -tonic = { version = "0.9", optional = true } +tonic = { workspace = true, optional = true } uuid = { version = "1.2.2", features = ["serde", "v4"] } openssl = { version = "0.10.46", optional = true } 
@@ -63,5 +84,4 @@ tempfile.workspace = true rstest.workspace = true [build-dependencies] -anyhow = "1" -tonic-build = { version = "0.8", optional = true } +tonic-build = { workspace = true, optional = true } \ No newline at end of file diff --git a/kbs/Makefile b/kbs/Makefile index 7ec323816f..c5b6190ce6 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -77,13 +77,13 @@ uninstall: rm -rf $(INSTALL_DESTDIR)/kbs $(INSTALL_DESTDIR)/kbs-client $(INSTALL_DESTDIR)/issuer-kbs $(INSTALL_DESTDIR)/resource-kbs check: - cargo test -p kbs -p api-server -p kbs-client + cargo test -p kbs -p kbs-client lint: - cargo clippy -p kbs -p api-server -p kbs-client -- -D warnings -A clippy::enum_variant_names -A clippy::needless_borrow + cargo clippy -p kbs -p kbs-client -- -D warnings -A clippy::enum_variant_names -A clippy::needless_borrow format: - cargo fmt -p kbs -p api-server -p kbs-client -- --check --config format_code_in_doc_comments=true + cargo fmt -p kbs -p kbs-client -- --check --config format_code_in_doc_comments=true clean: cargo clean diff --git a/kbs/README.md b/kbs/README.md index 9046c37864..f683df3c5c 100644 --- a/kbs/README.md +++ b/kbs/README.md @@ -4,7 +4,7 @@ The Confidential Containers Key Broker Service (KBS) facilitates remote attestat The KBS is an implementation of a [Relying Party](https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html). The KBS itself does not validate attestation evidence. Instead, it supports different external components to verify TEE evidence in the form of plug-ins, including - [CoCo Attestation-Service (CoCo AS)](../attestation-service/) ([All plugins](../attestation-service/README.md#attestation-service) supported) -- [Intel Trust Authority (ITA)](src/api/src/attestation/intel_trust_authority/) (Only supports SGX/TDX) +- [Intel Trust Authority (ITA)](src/attestation/intel_trust_authority/) (Only supports SGX/TDX) # Quick Start 
@@ -127,4 +127,4 @@ A custom, [JSON-formatted configuration file](./docs/config.md) can be provided ## Related Tools ### KBS Client -We provide a [KBS client](./tools/client/README.md) rust SDK and binary cmdline tool. +We provide a [KBS client](../tools/kbs-client//README.md) rust SDK and binary cmdline tool. diff --git a/kbs/src/api/build.rs b/kbs/build.rs similarity index 65% rename from kbs/src/api/build.rs rename to kbs/build.rs index d39333e6b9..1c674af11b 100644 --- a/kbs/src/api/build.rs +++ b/kbs/build.rs @@ -9,8 +9,7 @@ use std::process::Command; fn main() -> Result<(), String> { #[cfg(feature = "tonic-build")] - tonic_build::compile_protos("../../../attestation-service/protos/attestation.proto") - .map_err(|e| format!("{e}"))?; + tonic_build::compile_protos("../protos/attestation.proto").map_err(|e| format!("{e}"))?; Ok(()) } diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index 7d61d98b26..8e8ebab14f 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -36,7 +36,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s WORKDIR /usr/src/kbs COPY . . -RUN cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO} +RUN cargo install --locked --path kbs --bin kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO} FROM ubuntu:22.04 ARG ARCH=x86_64 diff --git a/kbs/docker/Dockerfile.coco-as-grpc b/kbs/docker/Dockerfile.coco-as-grpc index 1aec856389..77ca1f82fe 100644 --- a/kbs/docker/Dockerfile.coco-as-grpc +++ b/kbs/docker/Dockerfile.coco-as-grpc @@ -8,7 +8,7 @@ COPY . . RUN apt-get update && apt install -y protobuf-compiler git # Build and Install KBS -RUN cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO} +RUN cargo install --path kbs --bin kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO} FROM ubuntu:22.04 
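Review bot: The rewritten `cargo install` line in kbs/docker/Dockerfile.coco-as-grpc still omits `--locked`, so this image resolves dependency versions at build time rather than from the lockfile, while kbs/docker/Dockerfile and kbs/docker/Dockerfile.rhel-ubi in this same commit pass `--locked`. The hunk in kbs/docker/Dockerfile.intel-trust-authority has the same gap. Since the line is being touched anyway, I would change it to `RUN cargo install --locked --path kbs --bin kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO}` and do likewise for the intel-trust-authority image, so every KBS image is built from the same pinned dependency set.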
diff --git a/kbs/docker/Dockerfile.intel-trust-authority b/kbs/docker/Dockerfile.intel-trust-authority index f1078d828d..31679df855 100644 --- a/kbs/docker/Dockerfile.intel-trust-authority +++ b/kbs/docker/Dockerfile.intel-trust-authority @@ -7,7 +7,7 @@ COPY . . RUN apt-get update && apt install -y git # Build and Install KBS -RUN cargo install --path kbs/src/kbs --no-default-features --features intel-trust-authority-as,${HTTPS_CRYPTO},resource,opa +RUN cargo install --path kbs --bin kbs --no-default-features --features intel-trust-authority-as,${HTTPS_CRYPTO},resource,opa FROM ubuntu:22.04 diff --git a/kbs/docker/Dockerfile.rhel-ubi b/kbs/docker/Dockerfile.rhel-ubi index 802e92d9e6..426c9a8d31 100644 --- a/kbs/docker/Dockerfile.rhel-ubi +++ b/kbs/docker/Dockerfile.rhel-ubi @@ -17,7 +17,7 @@ WORKDIR /usr/src/kbs COPY . . ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa RUN \ -cargo install --locked --root /usr/local/ --path kbs/src/kbs --no-default-features --features ${KBS_FEATURES} && \ +cargo install --locked --root /usr/local/ --path kbs --bin kbs --no-default-features --features ${KBS_FEATURES} && \ # Collect linked files necessary for the binary to run. mkdir -p /root/trustee/lib64 && \ ldd /usr/local/bin/kbs | sed 's@.*\s/@/@' | sed 's/\s.*//' | xargs -I {} cp {} /root/trustee/lib64 diff --git a/kbs/docs/cluster.md b/kbs/docs/cluster.md index d358c71c67..13e329288c 100644 --- a/kbs/docs/cluster.md +++ b/kbs/docs/cluster.md 
@@ -1,6 +1,6 @@ # KBS Cluster -KBS provides a simple cluster defined by `docker-compose`, include itself, [Attestation Service](https://github.com/confidential-containers/trustee/tree/main/attestation-service), [Reference Value Provider Service](https://github.com/confidential-containers/trustee/tree/main/attestation-service/rvps) and [CoCo Keyprovider](https://github.com/confidential-containers/guest-components/tree/main/attestation-agent/coco_keyprovider) +KBS provides a simple cluster defined by `docker-compose`, include itself, [Attestation Service](../../attestation-service/), [Reference Value Provider Service](../../rvps/) and [CoCo Keyprovider](https://github.com/confidential-containers/guest-components/tree/main/attestation-agent/coco_keyprovider) Users can use very simple command to: - launch KBS service. diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 33d4b1994f..fa2ccc79df 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md @@ -115,7 +115,7 @@ This section is **optional**. When omitted, a new RSA key pair is generated and | `store_config` | JSON Map | Used if `remote_addr` is not set. The optional configurations to the underlying storage. | Conditional | - | Different `store_type` will have different `store_config` items. -See the details of `store_config` in [concrete implementations of storages](../../attestation-service/rvps/src/store/). +See the details of `store_config` in [concrete implementations of storages](../../rvps/src/store/). ### gRPC Attestation diff --git a/kbs/quickstart.md b/kbs/quickstart.md index 2a1285f86c..d793c750ad 100644 --- a/kbs/quickstart.md +++ b/kbs/quickstart.md 
@@ -199,7 +199,7 @@ Where `/path/to/policy` should be replaced by the real path to your policy file. Resource policy also needs to be the `rego` syntax defined by [Open Policy Agent](https://www.openpolicyagent.org/). -You can read the notes of [default resource policy file](./src/api/src/policy_engine/opa/default_policy.rego) for more details of resource policy. +You can read the notes of [default resource policy file](src/policy_engine/opa/default_policy.rego) for more details of resource policy. ## Attestation Token Certificate diff --git a/kbs/src/api/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs similarity index 100% rename from kbs/src/api/src/attestation/coco/builtin.rs rename to kbs/src/attestation/coco/builtin.rs diff --git a/kbs/src/api/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs similarity index 100% rename from kbs/src/api/src/attestation/coco/grpc.rs rename to kbs/src/attestation/coco/grpc.rs diff --git a/kbs/src/api/src/attestation/coco/mod.rs b/kbs/src/attestation/coco/mod.rs similarity index 100% rename from kbs/src/api/src/attestation/coco/mod.rs rename to kbs/src/attestation/coco/mod.rs diff --git a/kbs/src/api/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs similarity index 100% rename from kbs/src/api/src/attestation/intel_trust_authority/mod.rs rename to kbs/src/attestation/intel_trust_authority/mod.rs diff --git a/kbs/src/api/src/attestation/mod.rs b/kbs/src/attestation/mod.rs similarity index 100% rename from kbs/src/api/src/attestation/mod.rs rename to kbs/src/attestation/mod.rs diff --git a/kbs/src/api/src/auth.rs b/kbs/src/auth.rs similarity index 100% rename from kbs/src/api/src/auth.rs rename to kbs/src/auth.rs diff --git a/kbs/src/kbs/src/main.rs b/kbs/src/bin/kbs.rs similarity index 97% rename from kbs/src/kbs/src/main.rs rename to kbs/src/bin/kbs.rs index e42bd5fe81..b2ae1b66b4 100644 --- a/kbs/src/kbs/src/main.rs +++ b/kbs/src/bin/kbs.rs 
@@ -9,13 +9,13 @@ extern crate anyhow; use anyhow::{bail, Result}; use std::path::Path; +use clap::Parser; #[cfg(feature = "as")] -use api_server::attestation::AttestationService; -use api_server::{ +use kbs::attestation::AttestationService; +use kbs::{ config::{Cli, KbsConfig}, ApiServer, }; -use clap::Parser; use log::{debug, info, warn}; #[tokio::main] diff --git a/kbs/src/api/src/config.rs b/kbs/src/config.rs similarity index 100% rename from kbs/src/api/src/config.rs rename to kbs/src/config.rs diff --git a/kbs/src/api/src/http/attest.rs b/kbs/src/http/attest.rs similarity index 100% rename from kbs/src/api/src/http/attest.rs rename to kbs/src/http/attest.rs diff --git a/kbs/src/api/src/http/config.rs b/kbs/src/http/config.rs similarity index 100% rename from kbs/src/api/src/http/config.rs rename to kbs/src/http/config.rs diff --git a/kbs/src/api/src/http/error.rs b/kbs/src/http/error.rs similarity index 99% rename from kbs/src/api/src/http/error.rs rename to kbs/src/http/error.rs index 23f25af5b7..147cc3e331 100644 --- a/kbs/src/api/src/http/error.rs +++ b/kbs/src/http/error.rs @@ -15,7 +15,7 @@ use actix_web::{ use kbs_types::ErrorInformation; use log::error; use serde::Serialize; -use strum_macros::AsRefStr; +use strum::AsRefStr; use thiserror::Error; const ERROR_TYPE_PREFIX: &str = "https://github.com/confidential-containers/kbs/errors"; diff --git a/kbs/src/api/src/http/mod.rs b/kbs/src/http/mod.rs similarity index 97% rename from kbs/src/api/src/http/mod.rs rename to kbs/src/http/mod.rs index 12d0c72605..426653a398 100644 --- a/kbs/src/api/src/http/mod.rs +++ b/kbs/src/http/mod.rs @@ -18,7 +18,6 @@ use actix_web::{body::BoxBody, web, HttpRequest, HttpResponse}; use jwt_simple::prelude::Ed25519PublicKey; use kbs_types::{Attestation, Challenge, ErrorInformation, Request}; use std::sync::Arc; -use strum_macros::EnumString; use tokio::sync::{Mutex, RwLock}; #[cfg(feature = "as")] 
diff --git a/kbs/src/api/src/http/resource.rs b/kbs/src/http/resource.rs similarity index 100% rename from kbs/src/api/src/http/resource.rs rename to kbs/src/http/resource.rs diff --git a/kbs/src/kbs/Cargo.toml b/kbs/src/kbs/Cargo.toml deleted file mode 100644 index 8ba106d3c4..0000000000 --- a/kbs/src/kbs/Cargo.toml +++ /dev/null @@ -1,28 +0,0 @@ -[package] -name = "kbs" -version.workspace = true -authors.workspace = true -description.workspace = true -documentation.workspace = true -edition.workspace = true - -[features] -default = ["coco-as-builtin", "resource", "opa", "rustls"] -as = [] -resource = ["api-server/resource"] -opa = ["api-server/opa"] -coco-as-builtin = ["as", "api-server/coco-as-builtin"] -coco-as-builtin-no-verifier = ["as", "api-server/coco-as-builtin-no-verifier"] -coco-as-grpc = ["as", "api-server/coco-as-grpc"] -intel-trust-authority-as = ["as", "api-server/intel-trust-authority-as"] -rustls = ["api-server/rustls"] -openssl = ["api-server/openssl"] - -[dependencies] -anyhow.workspace = true -api-server.workspace = true -clap = { version = "4.0.29", features = ["derive"] } -env_logger.workspace = true -log.workspace = true -tokio.workspace = true -cfg-if.workspace = true diff --git a/kbs/src/api/src/lib.rs b/kbs/src/lib.rs similarity index 100% rename from kbs/src/api/src/lib.rs rename to kbs/src/lib.rs diff --git a/kbs/src/api/src/policy_engine/mod.rs b/kbs/src/policy_engine/mod.rs similarity index 100% rename from kbs/src/api/src/policy_engine/mod.rs rename to kbs/src/policy_engine/mod.rs diff --git a/kbs/src/api/src/policy_engine/opa/default_policy.rego b/kbs/src/policy_engine/opa/default_policy.rego similarity index 100% rename from kbs/src/api/src/policy_engine/opa/default_policy.rego rename to kbs/src/policy_engine/opa/default_policy.rego 
diff --git a/kbs/src/api/src/policy_engine/opa/mod.rs b/kbs/src/policy_engine/opa/mod.rs similarity index 77% rename from kbs/src/api/src/policy_engine/opa/mod.rs rename to kbs/src/policy_engine/opa/mod.rs index a9237fd662..054d920cc8 100644 --- a/kbs/src/api/src/policy_engine/opa/mod.rs +++ b/kbs/src/policy_engine/opa/mod.rs @@ -119,7 +119,7 @@ mod tests { let tmp_file = tmp_dir.path().join("policy.rego"); let mut opa = Opa::new(tmp_file).unwrap(); - set_policy_from_file(&mut opa, "../../test/data/policy_1.rego") + set_policy_from_file(&mut opa, "test/data/policy_1.rego") .await .unwrap(); @@ -133,7 +133,7 @@ mod tests { // IOError drop(tmp_dir); - let res = set_policy_from_file(&mut opa, "../../test/data/policy_1.rego").await; + let res = set_policy_from_file(&mut opa, "test/data/policy_1.rego").await; assert!(matches!( res.err().unwrap(), ResourcePolicyError::IOError(_) 
@@ -141,92 +141,38 @@ mod tests { } #[rstest] + #[case("test/data/policy_1.rego", "my_repo/Alice/key", "Alice", 1, Ok(true))] + #[case("test/data/policy_4.rego", "my_repo/Alice/key", "Alice", 1, Ok(true))] + #[case("test/data/policy_1.rego", "my_repo/Alice/key", "Bob", 1, Ok(false))] + #[case("test/data/policy_3.rego", "my_repo/Alice/key", "Alice", 1, Ok(false))] #[case( - "../../test/data/policy_1.rego", - "my_repo/Alice/key", - "Alice", - 1, - Ok(true) - )] - #[case( - "../../test/data/policy_4.rego", - "my_repo/Alice/key", - "Alice", - 1, - Ok(true) - )] - #[case( - "../../test/data/policy_1.rego", - "my_repo/Alice/key", - "Bob", - 1, - Ok(false) - )] - #[case( - "../../test/data/policy_3.rego", - "my_repo/Alice/key", - "Alice", - 1, - Ok(false) - )] - #[case( - "../../test/data/policy_1.rego", + "test/data/policy_1.rego", "\"", "", 1, Err(ResourcePolicyError::ResourcePathError) )] #[case( - "../../test/data/policy_invalid_1.rego", + "test/data/policy_invalid_1.rego", "my_repo/Alice/key", "Alice", 1, Err(ResourcePolicyError::PolicyLoadError) )] #[case( - "../../test/data/policy_invalid_2.rego", + "test/data/policy_invalid_2.rego", "my_repo/Alice/key", "Alice", 1, Err(ResourcePolicyError::EvaluationError(anyhow::anyhow!("test"))) )] - #[case( - "../../test/data/policy_5.rego", - "myrepo/secret/secret1", - "n", - 2, - Ok(true) - )] - #[case( - "../../test/data/policy_5.rego", - "myrepo/secret/secret1", - "n", - 1, - Ok(false) - )] - #[case( - "../../test/data/policy_5.rego", - "myrepo/secret/secret2", - "n", - 3, - Ok(true) - )] - #[case( - "../../test/data/policy_5.rego", - "myrepo/secret/secret2", - "n", - 2, - Ok(false) - )] - #[case( - "../../test/data/policy_5.rego", - "myrepo/secret/secret3", - "n", - 3, - Ok(false) - )] - #[case("../../test/data/policy_5.rego", "a/b/secret2", "n", 3, Ok(false))] - #[case("../../test/data/policy_5.rego", "abc", "n", 3, Ok(false))] + #[case("test/data/policy_5.rego", "myrepo/secret/secret1", "n", 2, Ok(true))] + 
#[case("test/data/policy_5.rego", "myrepo/secret/secret1", "n", 1, Ok(false))] + #[case("test/data/policy_5.rego", "myrepo/secret/secret2", "n", 3, Ok(true))] + #[case("test/data/policy_5.rego", "myrepo/secret/secret2", "n", 2, Ok(false))] + #[case("test/data/policy_5.rego", "myrepo/secret/secret3", "n", 3, Ok(false))] + #[case("test/data/policy_5.rego", "a/b/secret2", "n", 3, Ok(false))] + #[case("test/data/policy_5.rego", "abc", "n", 3, Ok(false))] #[tokio::test] async fn test_evaluate( #[case] policy_path: &str, diff --git a/kbs/src/api/src/resource/local_fs.rs b/kbs/src/resource/local_fs.rs similarity index 100% rename from kbs/src/api/src/resource/local_fs.rs rename to kbs/src/resource/local_fs.rs diff --git a/kbs/src/api/src/resource/mod.rs b/kbs/src/resource/mod.rs similarity index 98% rename from kbs/src/api/src/resource/mod.rs rename to kbs/src/resource/mod.rs index 08826a4430..f548c5903f 100644 --- a/kbs/src/api/src/resource/mod.rs +++ b/kbs/src/resource/mod.rs @@ -7,7 +7,7 @@ use serde::Deserialize; use std::fs; use std::path::Path; use std::sync::Arc; -use strum_macros::EnumString; +use strum::EnumString; use tokio::sync::RwLock; mod local_fs; diff --git a/kbs/src/api/src/session.rs b/kbs/src/session.rs similarity index 100% rename from kbs/src/api/src/session.rs rename to kbs/src/session.rs diff --git a/kbs/src/api/src/token/coco.rs b/kbs/src/token/coco.rs similarity index 98% rename from kbs/src/api/src/token/coco.rs rename to kbs/src/token/coco.rs index ffbacfa482..fc99790261 100644 --- a/kbs/src/api/src/token/coco.rs +++ b/kbs/src/token/coco.rs @@ -201,8 +201,7 @@ mod test { #[test] fn test_parse_pem_cert_chain() { - let pem_cert_chain = - std::fs::read_to_string("../../test/data/test_cert_chain.pem").unwrap(); + let pem_cert_chain = std::fs::read_to_string("test/data/test_cert_chain.pem").unwrap(); let mut chain: Vec = Vec::new(); assert!(parse_pem_cert_chain(pem_cert_chain, &mut chain).is_ok()); assert_eq!(chain.len(), 2); 
diff --git a/kbs/src/api/src/token/mod.rs b/kbs/src/token/mod.rs similarity index 98% rename from kbs/src/api/src/token/mod.rs rename to kbs/src/token/mod.rs index 60b5a70931..a448daa17d 100644 --- a/kbs/src/api/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -7,7 +7,7 @@ use async_trait::async_trait; use serde::Deserialize; use std::fmt; use std::sync::Arc; -use strum_macros::EnumString; +use strum::EnumString; use tokio::sync::RwLock; mod coco; diff --git a/attestation-service/protos/attestation.proto b/protos/attestation.proto similarity index 100% rename from attestation-service/protos/attestation.proto rename to protos/attestation.proto diff --git a/attestation-service/protos/reference.proto b/protos/reference.proto similarity index 100% rename from attestation-service/protos/reference.proto rename to protos/reference.proto diff --git a/attestation-service/rvps/Cargo.toml b/rvps/Cargo.toml similarity index 100% rename from attestation-service/rvps/Cargo.toml rename to rvps/Cargo.toml diff --git a/attestation-service/rvps/Dockerfile b/rvps/Dockerfile similarity index 82% rename from attestation-service/rvps/Dockerfile rename to rvps/Dockerfile index 5e4980390a..41f57355ab 100644 --- a/attestation-service/rvps/Dockerfile +++ b/rvps/Dockerfile @@ -10,11 +10,11 @@ COPY . . RUN apt-get update && apt-get install protobuf-compiler -y -RUN cargo install --bin rvps --path attestation-service/rvps +RUN cargo install --bin rvps --path rvps FROM debian -LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/attestation-service" +LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/rvps" COPY --from=builder /usr/local/cargo/bin/rvps /usr/local/bin/rvps diff --git a/attestation-service/rvps/Makefile b/rvps/Makefile similarity index 100% rename from attestation-service/rvps/Makefile rename to rvps/Makefile 
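Review bot: The new `RUN cargo install --bin rvps --path rvps` line does not pass `--locked`, and `cargo install` is documented to ignore `Cargo.lock` unless that flag is given. The image can therefore be built against newer dependency versions than the ones resolved and reviewed in the repository. Suggest `RUN cargo install --locked --bin rvps --path rvps`. The unchanged `FROM debian` context line also carries no tag or digest, so the runtime base can drift between builds; pinning it would make the image reproducible.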
diff --git a/attestation-service/rvps/README.md b/rvps/README.md similarity index 97% rename from attestation-service/rvps/README.md rename to rvps/README.md index 4a4126b4a2..165f1220ac 100644 --- a/attestation-service/rvps/README.md +++ b/rvps/README.md @@ -56,7 +56,7 @@ We can run using the following command ```bash git clone https://github.com/confidential-containers/trustee -cd trustee/attestation-service/rvps +cd trustee/rvps make build && sudo make install ``` @@ -72,7 +72,7 @@ By default listen to `localhost:50003` to wait for requests We can build RVPS docker image ```bash -cd ../.. && docker build -t rvps -f attestation-service/rvps/Dockerfile . +cd .. && docker build -t rvps -f rvps/Dockerfile . ``` Run diff --git a/attestation-service/rvps/build.rs b/rvps/build.rs similarity index 100% rename from attestation-service/rvps/build.rs rename to rvps/build.rs diff --git a/attestation-service/rvps/cgo/go.mod b/rvps/cgo/go.mod similarity index 100% rename from attestation-service/rvps/cgo/go.mod rename to rvps/cgo/go.mod diff --git a/attestation-service/rvps/cgo/go.sum b/rvps/cgo/go.sum similarity index 100% rename from attestation-service/rvps/cgo/go.sum rename to rvps/cgo/go.sum diff --git a/attestation-service/rvps/cgo/intoto.go b/rvps/cgo/intoto.go similarity index 100% rename from attestation-service/rvps/cgo/intoto.go rename to rvps/cgo/intoto.go diff --git a/attestation-service/rvps/diagrams/rvps-grpc.svg b/rvps/diagrams/rvps-grpc.svg similarity index 100% rename from attestation-service/rvps/diagrams/rvps-grpc.svg rename to rvps/diagrams/rvps-grpc.svg diff --git a/attestation-service/rvps/diagrams/rvps-native.svg b/rvps/diagrams/rvps-native.svg similarity index 100% rename from attestation-service/rvps/diagrams/rvps-native.svg rename to rvps/diagrams/rvps-native.svg 
diff --git a/attestation-service/rvps/diagrams/rvps.svg b/rvps/diagrams/rvps.svg
similarity index 100%
rename from attestation-service/rvps/diagrams/rvps.svg
rename to rvps/diagrams/rvps.svg
diff --git a/attestation-service/rvps/src/bin/rvps-tool.rs b/rvps/src/bin/rvps-tool.rs
similarity index 100%
rename from attestation-service/rvps/src/bin/rvps-tool.rs
rename to rvps/src/bin/rvps-tool.rs
diff --git a/attestation-service/rvps/src/bin/rvps.rs b/rvps/src/bin/rvps.rs
similarity index 100%
rename from attestation-service/rvps/src/bin/rvps.rs
rename to rvps/src/bin/rvps.rs
diff --git a/attestation-service/rvps/src/bin/server/config.rs b/rvps/src/bin/server/config.rs
similarity index 100%
rename from attestation-service/rvps/src/bin/server/config.rs
rename to rvps/src/bin/server/config.rs
diff --git a/attestation-service/rvps/src/bin/server/mod.rs b/rvps/src/bin/server/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/bin/server/mod.rs
rename to rvps/src/bin/server/mod.rs
diff --git a/attestation-service/rvps/src/config.rs b/rvps/src/config.rs
similarity index 100%
rename from attestation-service/rvps/src/config.rs
rename to rvps/src/config.rs
diff --git a/attestation-service/rvps/src/extractors/extractor_modules/in_toto/README.md b/rvps/src/extractors/extractor_modules/in_toto/README.md
similarity index 100%
rename from attestation-service/rvps/src/extractors/extractor_modules/in_toto/README.md
rename to rvps/src/extractors/extractor_modules/in_toto/README.md
diff --git a/attestation-service/rvps/src/extractors/extractor_modules/in_toto/mod.rs b/rvps/src/extractors/extractor_modules/in_toto/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/extractors/extractor_modules/in_toto/mod.rs
rename to rvps/src/extractors/extractor_modules/in_toto/mod.rs
diff --git a/attestation-service/rvps/src/extractors/extractor_modules/in_toto/shim/README.md b/rvps/src/extractors/extractor_modules/in_toto/shim/README.md
similarity index 100%
rename from attestation-service/rvps/src/extractors/extractor_modules/in_toto/shim/README.md
rename to rvps/src/extractors/extractor_modules/in_toto/shim/README.md
diff --git a/attestation-service/rvps/src/extractors/extractor_modules/in_toto/shim/mod.rs b/rvps/src/extractors/extractor_modules/in_toto/shim/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/extractors/extractor_modules/in_toto/shim/mod.rs
rename to rvps/src/extractors/extractor_modules/in_toto/shim/mod.rs
diff --git a/attestation-service/rvps/src/extractors/extractor_modules/mod.rs b/rvps/src/extractors/extractor_modules/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/extractors/extractor_modules/mod.rs
rename to rvps/src/extractors/extractor_modules/mod.rs
diff --git a/attestation-service/rvps/src/extractors/extractor_modules/sample/README.md b/rvps/src/extractors/extractor_modules/sample/README.md
similarity index 100%
rename from attestation-service/rvps/src/extractors/extractor_modules/sample/README.md
rename to rvps/src/extractors/extractor_modules/sample/README.md
diff --git a/attestation-service/rvps/src/extractors/extractor_modules/sample/mod.rs b/rvps/src/extractors/extractor_modules/sample/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/extractors/extractor_modules/sample/mod.rs
rename to rvps/src/extractors/extractor_modules/sample/mod.rs
diff --git a/attestation-service/rvps/src/extractors/mod.rs b/rvps/src/extractors/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/extractors/mod.rs
rename to rvps/src/extractors/mod.rs
diff --git a/attestation-service/rvps/src/lib.rs b/rvps/src/lib.rs
similarity index 100%
rename from attestation-service/rvps/src/lib.rs
rename to rvps/src/lib.rs
diff --git a/attestation-service/rvps/src/native.rs b/rvps/src/native.rs
similarity index 100%
rename from attestation-service/rvps/src/native.rs
rename to rvps/src/native.rs
diff --git a/attestation-service/rvps/src/pre_processor/mod.rs b/rvps/src/pre_processor/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/pre_processor/mod.rs
rename to rvps/src/pre_processor/mod.rs
diff --git a/attestation-service/rvps/src/reference_value.rs b/rvps/src/reference_value.rs
similarity index 100%
rename from attestation-service/rvps/src/reference_value.rs
rename to rvps/src/reference_value.rs
diff --git a/attestation-service/rvps/src/store/local_fs/README.md b/rvps/src/store/local_fs/README.md
similarity index 100%
rename from attestation-service/rvps/src/store/local_fs/README.md
rename to rvps/src/store/local_fs/README.md
diff --git a/attestation-service/rvps/src/store/local_fs/mod.rs b/rvps/src/store/local_fs/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/store/local_fs/mod.rs
rename to rvps/src/store/local_fs/mod.rs
diff --git a/attestation-service/rvps/src/store/local_json/mod.rs b/rvps/src/store/local_json/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/store/local_json/mod.rs
rename to rvps/src/store/local_json/mod.rs
diff --git a/attestation-service/rvps/src/store/mod.rs b/rvps/src/store/mod.rs
similarity index 100%
rename from attestation-service/rvps/src/store/mod.rs
rename to rvps/src/store/mod.rs
diff --git a/kbs/tools/client/Cargo.toml b/tools/kbs-client/Cargo.toml
similarity index 89%
rename from kbs/tools/client/Cargo.toml
rename to tools/kbs-client/Cargo.toml
index 0b5e500a60..83085dc04e 100644
--- a/kbs/tools/client/Cargo.toml
+++ b/tools/kbs-client/Cargo.toml
@@ -17,11 +17,11 @@ anyhow.workspace = true base64.workspace = true clap = { version = "4.0.29", features = ["derive"] } env_logger.workspace = true -jwt-simple = "0.11.4" +jwt-simple.workspace = true kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="df60725afe0ba452a25a740cf460c2855442c49a", default-features = false } log.workspace = true -reqwest = { version = "0.12", default-features = false, features = ["cookies", "json"] } -serde = { version = "1.0", features = ["derive"] } +reqwest = { workspace = true, default-features = false, features = ["cookies", "json"] } +serde = { workspace = true, features = ["derive"] } serde_json.workspace = true tokio.workspace = true diff --git a/kbs/tools/client/README.md b/tools/kbs-client/README.md similarity index 100% rename from kbs/tools/client/README.md rename to tools/kbs-client/README.md diff --git a/kbs/tools/attest.json b/tools/kbs-client/attest.json similarity index 100% rename from kbs/tools/attest.json rename to tools/kbs-client/attest.json diff --git a/kbs/tools/attest.sh b/tools/kbs-client/attest.sh similarity index 100% rename from kbs/tools/attest.sh rename to tools/kbs-client/attest.sh diff --git a/kbs/tools/auth.json b/tools/kbs-client/auth.json similarity index 100% rename from kbs/tools/auth.json rename to tools/kbs-client/auth.json diff --git a/kbs/tools/auth.sh b/tools/kbs-client/auth.sh similarity index 100% rename from kbs/tools/auth.sh rename to tools/kbs-client/auth.sh diff --git a/kbs/tools/client/src/lib.rs b/tools/kbs-client/src/lib.rs similarity index 100% rename from kbs/tools/client/src/lib.rs rename to tools/kbs-client/src/lib.rs diff --git a/kbs/tools/client/src/main.rs b/tools/kbs-client/src/main.rs similarity index 100% rename from kbs/tools/client/src/main.rs rename to tools/kbs-client/src/main.rs From e4bd65978045c4f61236dca00e90aae3f98ab572 Mon Sep 17 00:00:00 2001 
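Review bot: On the new `reqwest` line, `default-features = false` next to `workspace = true` only takes effect if the `[workspace.dependencies]` entry for reqwest also disables default features. Otherwise Cargo warns and ignores the key, and reqwest's default feature set, including its default TLS backend, is compiled into kbs-client. The root Cargo.toml is not part of this hunk, so this needs checking there; the workspace entry should read something like `reqwest = { version = "<workspace-version>", default-features = false }`. Running `cargo tree -e features -p kbs-client` after the change would confirm which reqwest features are actually enabled.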
From: Xynnn007 Date: Tue, 25 Jun 2024 15:41:07 +0800 Subject: [PATCH 027/298] ci: update kbs-docker-e2e actions-rs is now out of date and will be reported as an error by actionlint. GHA runners have rustup installed already, thus we only need to set the toolchain to the version we want. Signed-off-by: Xynnn007 --- .github/workflows/kbs-docker-e2e.yaml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/kbs-docker-e2e.yaml b/.github/workflows/kbs-docker-e2e.yaml index acafd71294..a3599f5b15 100644 --- a/.github/workflows/kbs-docker-e2e.yaml +++ b/.github/workflows/kbs-docker-e2e.yaml @@ -18,17 +18,15 @@ jobs: - name: Checkout KBS uses: actions/checkout@v4 - - name: Install Rust (for client) - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: ${{ env.RUSTC_VERSION }} + - name: Install Rust ${{ env.RUSTC_VERSION }} (for client) + run: | + rustup update --no-self-update ${{ env.RUSTC_VERSION }} + rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc + rustup default ${{ env.RUSTC_VERSION }} - name: Build client - uses: actions-rs/cargo@v1 - with: - command: build - args: --manifest-path kbs/client/Cargo.toml --no-default-features --features sample_only --release + run: | + cargo build --manifest-path kbs/client/Cargo.toml --no-default-features --features sample_only --release - name: Setup Keys run: | From 53e30f7b80a049a18649a59924f8ca5a7f94169b Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Tue, 25 Jun 2024 17:25:07 +0800 Subject: [PATCH 028/298] kbs: tidy ci yaml files Combined Azure vTPM ci yamls. Also rename the ci pipelines with a unified name format for better preference. 
Signed-off-by: Xynnn007 --- .github/{actionlint.yaml => actionlint.yml} | 0 .github/dependabot.yml | 8 +-- .github/workflows/actionlint.yml | 4 +- ...as-dockerbuild.yml => as-docker-build.yml} | 8 +-- .github/workflows/as-e2e.yml | 9 +-- .../workflows/{as-basic.yml => as-rust.yml} | 14 ++-- .github/workflows/kbs-docker-build.yml | 3 +- ...kbs-docker-e2e.yaml => kbs-docker-e2e.yml} | 4 +- .github/workflows/kbs-e2e-az-snp-vtpm.yaml | 65 ------------------- ...z-tdx-vtpm.yaml => kbs-e2e-azure-vtpm.yml} | 16 ++++- ...kbs-e2e-sample.yaml => kbs-e2e-sample.yml} | 4 +- .../workflows/{kbs-e2e.yaml => kbs-e2e.yml} | 9 +-- .github/workflows/kbs-rust.yml | 17 +++-- .github/workflows/link.yml | 2 +- ...nd-push.yaml => push-as-image-to-ghcr.yml} | 2 +- ...-push.yaml => push-kbs-client-to-ghcr.yml} | 17 +++-- ...d-push.yaml => push-kbs-image-to-ghcr.yml} | 2 +- 17 files changed, 66 insertions(+), 118 deletions(-) rename .github/{actionlint.yaml => actionlint.yml} (100%) rename .github/workflows/{as-dockerbuild.yml => as-docker-build.yml} (78%) rename .github/workflows/{as-basic.yml => as-rust.yml} (84%) rename .github/workflows/{kbs-docker-e2e.yaml => kbs-docker-e2e.yml} (91%) delete mode 100644 .github/workflows/kbs-e2e-az-snp-vtpm.yaml rename .github/workflows/{kbs-e2e-az-tdx-vtpm.yaml => kbs-e2e-azure-vtpm.yml} (86%) rename .github/workflows/{kbs-e2e-sample.yaml => kbs-e2e-sample.yml} (83%) rename .github/workflows/{kbs-e2e.yaml => kbs-e2e.yml} (86%) rename .github/workflows/{as-build-and-push.yaml => push-as-image-to-ghcr.yml} (98%) rename .github/workflows/{kbs-client-build-and-push.yaml => push-kbs-client-to-ghcr.yml} (86%) rename .github/workflows/{kbs-build-and-push.yaml => push-kbs-image-to-ghcr.yml} (99%) diff --git a/.github/actionlint.yaml b/.github/actionlint.yml similarity index 100% rename from .github/actionlint.yaml rename to .github/actionlint.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e4fcde3500..e205c670ea 100644 
--- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,13 +15,7 @@ updates: interval: "weekly" - package-ecosystem: "gomod" - directory: "/attestation-service/attestation-service/src/cgo" # Location of go.mod - schedule: - interval: "daily" - open-pull-requests-limit: 1 - - - package-ecosystem: "gomod" - directory: "/attestation-service/rvps/cgo" # Location of go.mod + directory: "/rvps/cgo" # Location of go.mod schedule: interval: "daily" open-pull-requests-limit: 1 diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 94feda73fd..01a2625181 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -1,8 +1,8 @@ -name: actionlint +name: Actionlint on: [pull_request] jobs: actionlint: - name: lint workflow files + name: Workflow Files runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/as-dockerbuild.yml b/.github/workflows/as-docker-build.yml similarity index 78% rename from .github/workflows/as-dockerbuild.yml rename to .github/workflows/as-docker-build.yml index 5c4d1592bc..129076d56f 100644 --- a/.github/workflows/as-dockerbuild.yml +++ b/.github/workflows/as-docker-build.yml @@ -1,16 +1,16 @@ -name: AS & RVPS Container image build test +name: AS & RVPS Container Image Build on: push: branches: - "main" paths: - 'attestation-service/**' - - '.github/workflows/as-dockerbuild.yml' + - '.github/workflows/as-docker-build.yml' - 'Cargo.toml' pull_request: paths: - 'attestation-service/**' - - '.github/workflows/as-dockerbuild.yml' + - '.github/workflows/as-docker-build.yml' - 'Cargo.toml' create: @@ -36,4 +36,4 @@ jobs: - name: Build RVPS Container Image run: | - Docker_BUILDKIT=1 docker build -t rvps:latest . -f attestation-service/rvps/Dockerfile \ No newline at end of file + Docker_BUILDKIT=1 docker build -t rvps:latest . -f rvps/Dockerfile \ No newline at end of file 
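Review bot: The rewritten RVPS build line in as-docker-build.yml keeps the prefix `Docker_BUILDKIT=1`, but environment variable names are case-sensitive and Docker reads `DOCKER_BUILDKIT`, so the prefix has no effect. It should be `DOCKER_BUILDKIT=1 docker build -t rvps:latest . -f rvps/Dockerfile`. In the first hunk of the same file the `paths` filters still list only `attestation-service/**`, so after the move a change under `rvps/` (including `rvps/Dockerfile`) no longer triggers this image build. Adding `- 'rvps/**'` to both the `push` and `pull_request` lists would cover it.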
diff --git a/.github/workflows/as-e2e.yml b/.github/workflows/as-e2e.yml index 5352665551..fde6456ee8 100644 --- a/.github/workflows/as-e2e.yml +++ b/.github/workflows/as-e2e.yml @@ -34,10 +34,11 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: ${{ env.RUSTC_VERSION }} + - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) + run: | + rustup update --no-self-update ${{ env.RUSTC_VERSION }} + rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc + rustup default ${{ env.RUSTC_VERSION }} - uses: actions/setup-go@v5 with: diff --git a/.github/workflows/as-basic.yml b/.github/workflows/as-rust.yml similarity index 84% rename from .github/workflows/as-basic.yml rename to .github/workflows/as-rust.yml index 4591717524..858757826e 100644 --- a/.github/workflows/as-basic.yml +++ b/.github/workflows/as-rust.yml @@ -1,16 +1,20 @@ -name: attestation-service basic build and unit tests +name: CoCo-AS Rust Suites on: push: branches: - "main" paths: - 'attestation-service/**' - - '.github/workflows/as_basic.yml' + - 'rvps' + - 'deps/verifier' + - '.github/workflows/as_rust.yml' - 'Cargo.toml' pull_request: paths: - 'attestation-service/**' - - '.github/workflows/as_basic.yml' + - 'rvps' + - 'deps/verifier' + - '.github/workflows/as_rust.yml' - 'Cargo.toml' create: @@ -34,8 +38,8 @@ jobs: - name: OPA policy.rego fmt and check run: | - opa fmt -d ./attestation-service/attestation-service/src/policy_engine/opa/default_policy.rego | awk '{ print } END { if (NR!=0) { print "run `opa fmt -w ` to fix this"; exit 1 } }' - opa check ./attestation-service/attestation-service/src/policy_engine/opa/default_policy.rego + opa fmt -d attestation-service/src/policy_engine/opa/default_policy.rego | awk '{ print } END { if (NR!=0) { print "run `opa fmt -w ` to fix this"; exit 1 } }' + opa check attestation-service/src/policy_engine/opa/default_policy.rego - name: Install protoc run: | 
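Review bot: In the first hunk of as-rust.yml, the new `paths` entries `'rvps'` and `'deps/verifier'` are exact-path patterns, so they should not match files inside those directories. The entry `'.github/workflows/as_rust.yml'` also uses an underscore while the file is renamed to `as-rust.yml`. As written, changes to the RVPS or verifier code, or to this workflow itself, would not start the CoCo-AS suite, which leaves attestation-verification changes untested on pull requests. Suggest `- 'rvps/**'`, `- 'deps/verifier/**'` and `- '.github/workflows/as-rust.yml'` in both the `push` and `pull_request` lists.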
diff --git a/.github/workflows/kbs-docker-build.yml b/.github/workflows/kbs-docker-build.yml index 8899d4d9a4..7d9a29d532 100644 --- a/.github/workflows/kbs-docker-build.yml +++ b/.github/workflows/kbs-docker-build.yml @@ -1,3 +1,4 @@ +name: KBS Container Image Build on: push: branches: [ "main" ] @@ -7,7 +8,7 @@ on: jobs: ci: runs-on: ubuntu-latest - + name: Check steps: - name: Code checkout uses: actions/checkout@v4 diff --git a/.github/workflows/kbs-docker-e2e.yaml b/.github/workflows/kbs-docker-e2e.yml similarity index 91% rename from .github/workflows/kbs-docker-e2e.yaml rename to .github/workflows/kbs-docker-e2e.yml index a3599f5b15..24f5f8863d 100644 --- a/.github/workflows/kbs-docker-e2e.yaml +++ b/.github/workflows/kbs-docker-e2e.yml @@ -1,4 +1,4 @@ -name: KBS End-to-End test with Docker Compose and Sample Attester +name: KBS e2e (Docker Compose and Sample TEE) on: pull_request: @@ -26,7 +26,7 @@ jobs: - name: Build client run: | - cargo build --manifest-path kbs/client/Cargo.toml --no-default-features --features sample_only --release + cargo build --manifest-path tools/kbs-client/Cargo.toml --no-default-features --features sample_only --release - name: Setup Keys run: | diff --git a/.github/workflows/kbs-e2e-az-snp-vtpm.yaml b/.github/workflows/kbs-e2e-az-snp-vtpm.yaml deleted file mode 100644 index 058b2462af..0000000000 --- a/.github/workflows/kbs-e2e-az-snp-vtpm.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -name: KBS e2e with az-snp-vtpm TEE - -on: - push: - branches: - - main - # Note on repository checkout: pull_request_target sets `GITHUB_SHA` to the - # "last commit on the PR base branch", meaning that by default `actions/checkout` - # is going to checkout the repository main branch. In order to pick up the pull - # request code, this workflow uses the `github.event.pull_request.head.sha` - # property to get the last commit on the HEAD branch. One limitation of this approach - # is that, unlike the `pull_request` event, the checked pull request isn't necessarily - # rebased to main (so it is up to the workflow to ensure the pull request is rebased - # **before* the workflow is triggering) - pull_request_target: - types: - - opened - - synchronize - - reopened - # This workflow will be run if the pull request is labeled 'test_e2e' - - labeled - branches: - - 'main' - -jobs: - authorize: - runs-on: ubuntu-latest - if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test_e2e') - steps: - - run: "true" - - checkout-and-rebase: - runs-on: ubuntu-latest - needs: authorize - steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - # fetch main on push, otherwise the head of the PR - ref: ${{ github.event_name == 'push' && 'main' || github.event.pull_request.head.sha }} - - - name: Rebase the source - if: github.event_name != 'push' - run: | - git config --global user.name "GH Actions Workflow" - git config --global user.email "" - ./kbs/hack/ci-helper.sh rebase-atop-of-the-latest-target-branch - - - name: Archive source - run: git archive -o kbs.tar.gz HEAD - - - uses: actions/upload-artifact@v4 - with: - path: ./kbs.tar.gz - - e2e-test: - needs: - - authorize - - checkout-and-rebase - uses: ./.github/workflows/kbs-e2e.yaml - with: - runs-on: '["self-hosted","azure-cvm"]' - tee: azsnpvtpm - tarball: kbs.tar.gz 
diff --git a/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml b/.github/workflows/kbs-e2e-azure-vtpm.yml similarity index 86% rename from .github/workflows/kbs-e2e-az-tdx-vtpm.yaml rename to .github/workflows/kbs-e2e-azure-vtpm.yml index 2299021301..a284e6ff25 100644 --- a/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml +++ b/.github/workflows/kbs-e2e-azure-vtpm.yml @@ -1,4 +1,4 @@ -name: KBS e2e with az-tdx-vtpm TEE +name: KBS e2e (Azure vTPM TEE) on: push: @@ -54,12 +54,22 @@ jobs: with: path: ./kbs.tar.gz - e2e-test: + tdx-e2e-test: needs: - authorize - checkout-and-rebase - uses: ./.github/workflows/kbs-e2e.yaml + uses: ./.github/workflows/kbs-e2e.yml with: runs-on: '["self-hosted","azure-cvm-tdx"]' tee: aztdxvtpm tarball: kbs.tar.gz + + snp-e2e-test: + needs: + - authorize + - checkout-and-rebase + uses: ./.github/workflows/kbs-e2e.yml + with: + runs-on: '["self-hosted","azure-cvm"]' + tee: azsnpvtpm + tarball: kbs.tar.gz diff --git a/.github/workflows/kbs-e2e-sample.yaml b/.github/workflows/kbs-e2e-sample.yml similarity index 83% rename from .github/workflows/kbs-e2e-sample.yaml rename to .github/workflows/kbs-e2e-sample.yml index a321fe2cbf..df7c24ab12 100644 --- a/.github/workflows/kbs-e2e-sample.yaml +++ b/.github/workflows/kbs-e2e-sample.yml @@ -1,4 +1,4 @@ -name: KBS e2e with sample TEE +name: KBS e2e (Sample TEE) on: pull_request: @@ -19,7 +19,7 @@ jobs: e2e-test: needs: checkout - uses: ./.github/workflows/kbs-e2e.yaml + uses: ./.github/workflows/kbs-e2e.yml with: tee: sample tarball: kbs.tar.gz diff --git a/.github/workflows/kbs-e2e.yaml b/.github/workflows/kbs-e2e.yml similarity index 86% rename from .github/workflows/kbs-e2e.yaml rename to .github/workflows/kbs-e2e.yml index 456394e377..29a6567418 100644 --- a/.github/workflows/kbs-e2e.yaml +++ b/.github/workflows/kbs-e2e.yml 
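Review bot: With the added `snp-e2e-test` job, both self-hosted pools (`azure-cvm-tdx` and `azure-cvm`) run pull-request code behind the single `authorize` gate, and that gate is worth tightening in the same change. The trigger block is outside this hunk, but if it matches the deleted kbs-e2e-az-snp-vtpm.yaml in this patch (`pull_request_target` including `synchronize`, gated on the `test_e2e` label), the label stays on the PR after it is applied. Commits pushed afterwards are then checked out by `github.event.pull_request.head.sha` and run without a fresh review. Consider dropping `synchronize` from the trigger types so each run needs a new `labeled` event, or placing the e2e jobs behind an environment with required reviewers.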
@@ -31,10 +31,11 @@ jobs: - name: Extract tarball run: tar xzf ./artifact/${{ inputs.tarball }} - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: ${{ env.RUSTC_VERSION }} + - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) + run: | + rustup update --no-self-update ${{ env.RUSTC_VERSION }} + rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc + rustup default ${{ env.RUSTC_VERSION }} - name: Set up rust build cache uses: actions/cache@v4 diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml index 7f696c1d47..f99c102a20 100644 --- a/.github/workflows/kbs-rust.yml +++ b/.github/workflows/kbs-rust.yml @@ -1,4 +1,4 @@ -name: kbs rust tests +name: KBS Rust Suites on: push: @@ -19,6 +19,7 @@ env: jobs: ci: + name: Check strategy: fail-fast: false env: @@ -29,14 +30,12 @@ jobs: - name: Code checkout uses: actions/checkout@v4 - - name: Rust toolchain installation - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: ${{ env.RUSTC_VERSION }} - override: true - components: rustfmt, clippy - target: x86_64-unknown-linux-gnu + - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) + run: | + rustup update --no-self-update ${{ env.RUSTC_VERSION }} + rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustfmt rustc clippy + rustup target add x86_64-unknown-linux-gnu + rustup default ${{ env.RUSTC_VERSION }} - name: Building dependencies installation run: | diff --git a/.github/workflows/link.yml b/.github/workflows/link.yml index 6e049d4da6..b6ec28480a 100644 --- a/.github/workflows/link.yml +++ b/.github/workflows/link.yml @@ -1,4 +1,4 @@ -name: check links +name: Check Links on: push: diff --git a/.github/workflows/as-build-and-push.yaml b/.github/workflows/push-as-image-to-ghcr.yml similarity index 98% rename from .github/workflows/as-build-and-push.yaml rename to .github/workflows/push-as-image-to-ghcr.yml index 04f7287278..7f5caa929a 100644 
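Review bot: In the kbs-rust.yml toolchain step, `rustup target add x86_64-unknown-linux-gnu` runs without `--toolchain` and before `rustup default ${{ env.RUSTC_VERSION }}`, so the target is added to whatever toolchain is the runner's default at that point rather than to the pinned one. On an x86_64 runner this is probably harmless, since the host target ships with the toolchain, but the step does not do what it reads as doing. Suggest `rustup target add --toolchain ${{ env.RUSTC_VERSION }} x86_64-unknown-linux-gnu`, or moving the `rustup default` line to the top of the script.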
--- a/.github/workflows/as-build-and-push.yaml +++ b/.github/workflows/push-as-image-to-ghcr.yml @@ -26,7 +26,7 @@ jobs: - docker_file: attestation-service/Dockerfile.as-restful tag: coco-as-restful name: RESTful CoCo-AS - - docker_file: attestation-service/rvps/Dockerfile + - docker_file: rvps/Dockerfile tag: rvps name: RVPS runs-on: ${{ matrix.instance }} diff --git a/.github/workflows/kbs-client-build-and-push.yaml b/.github/workflows/push-kbs-client-to-ghcr.yml similarity index 86% rename from .github/workflows/kbs-client-build-and-push.yaml rename to .github/workflows/push-kbs-client-to-ghcr.yml index 944b1716fa..a2518911aa 100644 --- a/.github/workflows/kbs-client-build-and-push.yaml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -1,4 +1,4 @@ -name: Build and push kbs-client +name: Build and Push kbs-client on: push: @@ -31,22 +31,25 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - name: Install rust toolchain - uses: actions-rs/toolchain@v1 - with: - toolchain: ${{ env.RUSTC_VERSION }} - override: true - profile: minimal + + - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) + run: | + rustup update --no-self-update ${{ env.RUSTC_VERSION }} + rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc + rustup default ${{ env.RUSTC_VERSION }} + - name: Log in to ghcr.io uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Build a statically linked kbs-client for ${{ matrix.arch }} linux working-directory: kbs run: | make cli-static-linux + - name: Push to ghcr.io working-directory: target/${{ matrix.arch }}-unknown-linux-gnu/release run: | diff --git a/.github/workflows/kbs-build-and-push.yaml b/.github/workflows/push-kbs-image-to-ghcr.yml similarity index 99% rename from .github/workflows/kbs-build-and-push.yaml rename to .github/workflows/push-kbs-image-to-ghcr.yml index 980dbe5ad6..36f6e64398 100644 --- a/.github/workflows/kbs-build-and-push.yaml 
+++ b/.github/workflows/push-kbs-image-to-ghcr.yml @@ -1,4 +1,4 @@ -name: Build and Push kbs Image +name: Build and Push KBS Image on: push: From c20b4e4040a56ce852b3f075d9576b7d112d2d2e Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 26 Jun 2024 13:34:45 +0800 Subject: [PATCH 029/298] ci: fix release kbs client if oras push failed, the original ci would still return true, which is not expected. Signed-off-by: Xynnn007 --- .github/workflows/push-kbs-client-to-ghcr.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/push-kbs-client-to-ghcr.yml b/.github/workflows/push-kbs-client-to-ghcr.yml index a2518911aa..fd32f5de98 100644 --- a/.github/workflows/push-kbs-client-to-ghcr.yml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -57,7 +57,9 @@ jobs: oras push \ ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-${{ matrix.arch }}-linux-gnu-${commit_sha},latest-${{ matrix.arch }} \ kbs-client - [ "$(uname -m)" = "x86_64" ] && oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client || true + if [ "$(uname -m)" = "x86_64" ]; then + oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client + fi - name: Take a post-action for self-hosted runner if: always() From a468e5e0b057c0feb66bb3959b709af5047ea9c7 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Wed, 3 Jul 2024 13:55:00 -0400 Subject: [PATCH 030/298] Fix broken SE link The refactor of the repository broke this link. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/config/kubernetes/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/config/kubernetes/README.md b/kbs/config/kubernetes/README.md index 7a893f523d..67382994a9 100644 --- a/kbs/config/kubernetes/README.md +++ b/kbs/config/kubernetes/README.md 
@@ -112,7 +112,7 @@ $ tree $IBM_SE_CREDS_DIR 5 directories, 7 files ``` -Please check out the [documentation](https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se) for details. +Please check out the [documentation](https://github.com/confidential-containers/trustee/tree/main/deps/verifier/src/se) for details. ## Check deployment From 94567bedbccaa65d325b7196b9d1075505e8b458 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Thu, 4 Jul 2024 10:31:15 +0200 Subject: [PATCH 031/298] e2e-test: fix binary build on self-hosted runners split the build of the binaries out to a gh-hosted runner, only the test need to run on TEE hw. Signed-off-by: Magnus Kulke --- .github/workflows/kbs-e2e.yml | 35 ++++++++++++++++++++++++++++------- kbs/test/Makefile | 25 ++++++++++++++++--------- 2 files changed, 44 insertions(+), 16 deletions(-) diff --git a/.github/workflows/kbs-e2e.yml b/.github/workflows/kbs-e2e.yml index 29a6567418..79a6d5b0fc 100644 --- a/.github/workflows/kbs-e2e.yml +++ b/.github/workflows/kbs-e2e.yml @@ -21,12 +21,13 @@ defaults: shell: bash jobs: - e2e-test: - runs-on: ${{ fromJSON(inputs.runs-on) }} + build-binaries: + runs-on: ubuntu-22.04 env: RUSTC_VERSION: 1.76.0 steps: - - uses: actions/download-artifact@v4 + - name: Download artifacts + uses: actions/download-artifact@v4 - name: Extract tarball run: tar xzf ./artifact/${{ inputs.tarball }} 
@@ -47,6 +48,30 @@ jobs: target/ key: rust-${{ hashFiles('./Cargo.lock') }} + - name: Build bins + working-directory: kbs/test + run: | + make install-dev-dependencies + make bins + + - name: Archive test folder + run: tar czf test.tar.gz kbs/test + + - uses: actions/upload-artifact@v4 + with: + path: test.tar.gz + overwrite: true + + e2e-test: + needs: build-binaries + runs-on: ${{ fromJSON(inputs.runs-on) }} + steps: + - name: Download artifacts + uses: actions/download-artifact@v4 + + - name: Extract test folder + run: tar xzf ./artifact/test.tar.gz + - name: Set up SGX/TDX certificates cache uses: actions/cache@v4 with: @@ -60,10 +85,6 @@ jobs: sudo apt-get install -y make --no-install-recommends sudo make install-dependencies - - name: Build bins - working-directory: kbs/test - run: make bins - - name: Set cc_kbc sample attester env if: inputs.tee == 'sample' run: echo "AA_SAMPLE_ATTESTER_TEST=1" >> "$GITHUB_ENV" diff --git a/kbs/test/Makefile b/kbs/test/Makefile index 5bace17ef6..ae67f77a4b 100644 --- a/kbs/test/Makefile +++ b/kbs/test/Makefile @@ -51,6 +51,19 @@ allow { endef export TEE_POLICY_REGO +.PHONY: install-dev-dependencies +install-dev-dependencies: install-dependencies + sudo apt-get update && \ + sudo apt-get install -y \ + build-essential \ + clang \ + libsgx-dcap-quote-verify-dev \ + libssl-dev \ + libtdx-attest-dev \ + libtss2-dev \ + pkg-config \ + protobuf-compiler + .PHONY: install-dependencies install-dependencies: curl -L "$(SGX_REPO_URL)/intel-sgx-deb.key" | sudo apt-key add - && \ 
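Review bot: The new `actions/upload-artifact@v4` step in `build-binaries` sets `overwrite: true` but passes no `name:` under `with:`, so it writes to the default artifact name `artifact`. That is the same artifact the job just read `${{ inputs.tarball }}` from, so the upload replaces it for the rest of the run. Give the upload its own artifact name, for example `name: kbs-e2e-test-bins` (a name made up for this note), pass the same `name:` to the download step in `e2e-test`, and adjust the `tar xzf ./artifact/test.tar.gz` path to match. The archive is built on a hosted runner and then unpacked and executed on the TEE runner, so a distinct name also makes it unambiguous which job produced what runs there.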
@@ -58,19 +71,13 @@ install-dependencies: | sudo tee /etc/apt/sources.list.d/intel-sgx.list && \ sudo apt-get update && \ sudo apt-get install -y \ - build-essential \ - clang \ libsgx-dcap-default-qpl \ libsgx-dcap-quote-verify \ - libsgx-dcap-quote-verify-dev \ libsgx-urts \ - libssl-dev \ libtdx-attest \ - libtdx-attest-dev \ - libtss2-dev \ - openssl \ - pkg-config \ - protobuf-compiler && \ + libtss2-esys-3.0.2-0 \ + libtss2-tctildr0 \ + openssl && \ echo '{"collateral_service": "$(SGX_COLLATERAL_URL)"}' | sudo tee $(SGX_QCNL_CONFIG) kbs: From 143da61a55875d7e94975b66586c3af5ca550ec0 Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Mon, 8 Jul 2024 15:12:32 +0200 Subject: [PATCH 032/298] docker: refactor docker folder structure - Refactored AS/KBS/rvps docker placement This change improves Dockerfile readability as current approach (format: Dockerfile.[name]) is not compatible with code inspection in IDEs which can lead to errors. 
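Review bot: The runtime package list in `install-dependencies` now names `libtss2-esys-3.0.2-0` and `libtss2-tctildr0`, which are soname-versioned package names tied to one distribution release. The `e2e-test` job runs this target on `${{ fromJSON(inputs.runs-on) }}`, so on a runner image that ships a different tpm2-tss version the `apt-get install` would fail the whole recipe, including the step that writes `$(SGX_QCNL_CONFIG)`. A comment above the list would make the assumption explicit, e.g. `# runtime libs only; names appear to match Ubuntu 22.04 (tpm2-tss 3.0.2) - confirm for self-hosted runners`. The recipe begins outside this hunk.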
Signed-off-by: Pawel Proskurnicki --- .github/workflows/as-docker-build.yml | 6 ++-- .github/workflows/kbs-docker-build.yml | 6 ++-- .github/workflows/push-as-image-to-ghcr.yml | 6 ++-- .github/workflows/push-kbs-image-to-ghcr.yml | 4 +-- attestation-service/.dockerignore | 3 +- .../as-grpc/Dockerfile} | 0 .../as-restful/Dockerfile} | 0 attestation-service/docs/grpc-as.md | 2 +- attestation-service/docs/restful-as.md | 2 +- docker-compose.yml | 6 ++-- kbs/docker/Dockerfile.rhel-ubi | 34 ------------------- .../Dockerfile} | 0 .../Dockerfile} | 0 kbs/docker/rhel-ubi/Dockerfile | 12 ++++++- rvps/README.md | 4 +-- rvps/{ => docker}/Dockerfile | 0 16 files changed, 30 insertions(+), 55 deletions(-) rename attestation-service/{Dockerfile.as-grpc => docker/as-grpc/Dockerfile} (100%) rename attestation-service/{Dockerfile.as-restful => docker/as-restful/Dockerfile} (100%) delete mode 100644 kbs/docker/Dockerfile.rhel-ubi rename kbs/docker/{Dockerfile.coco-as-grpc => coco-as-grpc/Dockerfile} (100%) rename kbs/docker/{Dockerfile.intel-trust-authority => intel-trust-authority/Dockerfile} (100%) rename rvps/{ => docker}/Dockerfile (100%) diff --git a/.github/workflows/as-docker-build.yml b/.github/workflows/as-docker-build.yml index 129076d56f..0bd1c37209 100644 --- a/.github/workflows/as-docker-build.yml +++ b/.github/workflows/as-docker-build.yml 
@@ -28,12 +28,12 @@ jobs: - name: Build gRPC AS Container Image run: | - DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/Dockerfile.as-grpc + DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/docker/as-grpc/Dockerfile - name: Build RESTful AS Container Image run: | - DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/Dockerfile.as-restful + DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/docker/as-restful/Dockerfile - name: Build RVPS Container Image run: | - Docker_BUILDKIT=1 docker build -t rvps:latest . -f rvps/Dockerfile \ No newline at end of file + Docker_BUILDKIT=1 docker build -t rvps:latest . -f rvps/docker/Dockerfile \ No newline at end of file diff --git a/.github/workflows/kbs-docker-build.yml b/.github/workflows/kbs-docker-build.yml index 7d9a29d532..96faee36b8 100644 --- a/.github/workflows/kbs-docker-build.yml +++ b/.github/workflows/kbs-docker-build.yml @@ -17,6 +17,6 @@ jobs: run: | DOCKER_BUILDKIT=1 docker build -t kbs:coco-as . -f kbs/docker/Dockerfile; \ DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-openssl --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile; \ - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-grpc . -f kbs/docker/Dockerfile.coco-as-grpc; \ - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-rhel-ubi . -f kbs/docker/Dockerfile.rhel-ubi; \ - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-ita . -f kbs/docker/Dockerfile.intel-trust-authority + DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-grpc . -f kbs/docker/coco-as-grpc/Dockerfile; \ + DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-rhel-ubi . -f kbs/docker/rhel-ubi/Dockerfile; \ + DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-ita . -f kbs/docker/intel-trust-authority/Dockerfile 
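Review bot: The rewritten RVPS build line still sets `Docker_BUILDKIT=1`, while the two lines above it set `DOCKER_BUILDKIT=1`. Environment variable names are case-sensitive, so the RVPS build does not get the setting the other two ask for and falls back to the Docker default. Since the line is being touched anyway, it should read `DOCKER_BUILDKIT=1 docker build -t rvps:latest . -f rvps/docker/Dockerfile`.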
diff --git a/.github/workflows/push-as-image-to-ghcr.yml b/.github/workflows/push-as-image-to-ghcr.yml index 7f5caa929a..667081ba83 100644 --- a/.github/workflows/push-as-image-to-ghcr.yml +++ b/.github/workflows/push-as-image-to-ghcr.yml @@ -20,13 +20,13 @@ jobs: - coco-as-restful - rvps include: - - docker_file: attestation-service/Dockerfile.as-grpc + - docker_file: attestation-service/docker/as-grpc/Dockerfile tag: coco-as-grpc name: gRPC CoCo-AS - - docker_file: attestation-service/Dockerfile.as-restful + - docker_file: attestation-service/docker/as-restful/Dockerfile tag: coco-as-restful name: RESTful CoCo-AS - - docker_file: rvps/Dockerfile + - docker_file: rvps/docker/Dockerfile tag: rvps name: RVPS runs-on: ${{ matrix.instance }} diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml index 36f6e64398..7fa2523214 100644 --- a/.github/workflows/push-kbs-image-to-ghcr.yml +++ b/.github/workflows/push-kbs-image-to-ghcr.yml @@ -28,11 +28,11 @@ jobs: https_crypto: openssl name: build-in AS - tag: kbs-grpc-as - docker_file: kbs/docker/Dockerfile.coco-as-grpc + docker_file: kbs/docker/coco-as-grpc/Dockerfile https_crypto: rustls name: gRPC AS - tag: kbs-ita-as - docker_file: kbs/docker/Dockerfile.intel-trust-authority + docker_file: kbs/docker/intel-trust-authority/Dockerfile https_crypto: rustls name: Intel Trust Authority AS diff --git a/attestation-service/.dockerignore b/attestation-service/.dockerignore index c81564d652..98d036a1da 100644 --- a/attestation-service/.dockerignore +++ b/attestation-service/.dockerignore @@ -1,4 +1,3 @@ target -Dockerfile.as* -Dockerfile.rvps \ No newline at end of file +docker \ No newline at end of file diff --git a/attestation-service/Dockerfile.as-grpc b/attestation-service/docker/as-grpc/Dockerfile similarity index 100% rename from attestation-service/Dockerfile.as-grpc rename to attestation-service/docker/as-grpc/Dockerfile 
diff --git a/attestation-service/Dockerfile.as-restful b/attestation-service/docker/as-restful/Dockerfile similarity index 100% rename from attestation-service/Dockerfile.as-restful rename to attestation-service/docker/as-restful/Dockerfile diff --git a/attestation-service/docs/grpc-as.md b/attestation-service/docs/grpc-as.md index 71fe12d33d..5fb024a3e6 100644 --- a/attestation-service/docs/grpc-as.md +++ b/attestation-service/docs/grpc-as.md @@ -106,7 +106,7 @@ Build and run container image ```shell git clone https://github.com/confidential-containers/trustee cd trustee -docker build -t coco-as:grpc -f attestation-service/Dockerfile.as-grpc . +docker build -t coco-as:grpc -f attestation-service/docker/as-grpc/Dockerfile . ``` ### API diff --git a/attestation-service/docs/restful-as.md b/attestation-service/docs/restful-as.md index ac42eeb847..9af8097072 100644 --- a/attestation-service/docs/restful-as.md +++ b/attestation-service/docs/restful-as.md @@ -96,7 +96,7 @@ Build and run container image ```shell git clone https://github.com/confidential-containers/trustee cd trustee -docker build -t coco-as:restful -f attestation-service/Dockerfile.as-restful . +docker build -t coco-as:restful -f attestation-service/docker/as-restful/Dockerfile . ``` ### HTTPS support diff --git a/docker-compose.yml b/docker-compose.yml index 2250258a72..75b493ca73 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ services: kbs: build: context: . - dockerfile: ./kbs/docker/Dockerfile.coco-as-grpc + dockerfile: kbs/docker/coco-as-grpc/Dockerfile #image: ghcr.io/confidential-containers/key-broker-service:latest command: [ "/usr/local/bin/kbs", @@ -23,7 +23,7 @@ services: as: build: context: . - dockerfile: ./attestation-service/Dockerfile.as-grpc + dockerfile: attestation-service/docker/as-grpc/Dockerfile #image: ghcr.io/confidential-containers/attestation-service:latest ports: - "50004:50004" 
@@ -46,7 +46,7 @@ services: #image: ghcr.io/confidential-containers/reference-value-provider-service:latest build: context: . - dockerfile: ./rvps/Dockerfile + dockerfile: rvps/docker/Dockerfile restart: always # keep the server running ports: - "50003:50003" diff --git a/kbs/docker/Dockerfile.rhel-ubi b/kbs/docker/Dockerfile.rhel-ubi deleted file mode 100644 index 426c9a8d31..0000000000 --- a/kbs/docker/Dockerfile.rhel-ubi +++ /dev/null 
@@ -1,34 +0,0 @@ -# Use CentOS Stream to build. -FROM quay.io/centos/centos:stream9 as builder - -# Install build dependencies from CentOS repos. -RUN dnf -y --setopt=install_weak_deps=0 --enablerepo=crb install \ -cargo pkg-config perl-FindBin openssl-devel perl-lib perl-IPC-Cmd perl-File-Compare perl-File-Copy tpm2-tss-devel clang-devel protobuf-compiler \ -tar gzip - -# Install build dependencies from Intel repo. -WORKDIR /root -RUN curl -O https://download.01.org/intel-sgx/sgx-linux/2.24/distro/centos-stream9/sgx_rpm_local_repo.tgz && \ -tar -xaf sgx_rpm_local_repo.tgz && \ -dnf -y install --nogpgcheck --repofrompath "sgx,file:///root/sgx_rpm_local_repo" libsgx-dcap-quote-verify-devel - -# Build. -WORKDIR /usr/src/kbs -COPY . . -ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa -RUN \ -cargo install --locked --root /usr/local/ --path kbs --bin kbs --no-default-features --features ${KBS_FEATURES} && \ -# Collect linked files necessary for the binary to run. -mkdir -p /root/trustee/lib64 && \ -ldd /usr/local/bin/kbs | sed 's@.*\s/@/@' | sed 's/\s.*//' | xargs -I {} cp {} /root/trustee/lib64 - -# Package UBI image. -FROM registry.access.redhat.com/ubi9 - -# Install runtime dependencies from Intel repo. -COPY --from=builder /root/sgx_rpm_local_repo /root/sgx_rpm_local_repo -RUN dnf -y install --nogpgcheck --setopt=install_weak_deps=0 --repofrompath "sgx,file:///root/sgx_rpm_local_repo" \ -libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ -rm -rf /root/sgx_rpm_local_repo - -COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docker/Dockerfile.coco-as-grpc b/kbs/docker/coco-as-grpc/Dockerfile similarity index 100% rename from kbs/docker/Dockerfile.coco-as-grpc rename to kbs/docker/coco-as-grpc/Dockerfile diff --git a/kbs/docker/Dockerfile.intel-trust-authority b/kbs/docker/intel-trust-authority/Dockerfile similarity index 100% rename from kbs/docker/Dockerfile.intel-trust-authority rename to kbs/docker/intel-trust-authority/Dockerfile 
diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile index 28ff19beef..d3f3150ded 100644 --- a/kbs/docker/rhel-ubi/Dockerfile +++ b/kbs/docker/rhel-ubi/Dockerfile @@ -24,7 +24,7 @@ dnf -y --setopt=install_weak_deps=0 install \ # Build. WORKDIR /usr/src/kbs COPY . . -ARG KBS_FEATURES=coco-as-builtin,resource,opa,openssl +ARG KBS_FEATURES=coco-as-builtin RUN \ # Build sgx_dcap_quoteverify stub. pushd sgx_dcap_quoteverify_stubs && \ @@ -45,6 +45,7 @@ fi # Package UBI image. FROM registry.access.redhat.com/ubi9 +<<<<<<< HEAD # Update packages. Get CVE fixes sooner. RUN dnf -y update && dnf clean all @@ -83,3 +84,12 @@ LABEL io.openshift.tags="" # Licenses COPY LICENSE /licenses/LICENSE +======= +# Install runtime dependencies from Intel repo. +COPY --from=builder /root/sgx_rpm_local_repo /root/sgx_rpm_local_repo +RUN dnf -y install --nogpgcheck --setopt=install_weak_deps=0 --repofrompath "sgx,file:///root/sgx_rpm_local_repo" \ +libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ +rm -rf /root/sgx_rpm_local_repo + +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs +>>>>>>> 202deb9 (docker: refactor docker folder structure) diff --git a/rvps/README.md b/rvps/README.md index 165f1220ac..3500d3f09e 100644 --- a/rvps/README.md +++ b/rvps/README.md @@ -5,7 +5,7 @@ All the reference values will be stored inside RVPS. When AS queries specific so ## Architecture -RVPS contains the following componants: +RVPS contains the following components: - Pre-Processor : Pre-Processor contains a set of Wares (like Middleware). The Wares can process the input Message and then deliver it to the Extractors. @@ -72,7 +72,7 @@ By default listen to `localhost:50003` to wait for requests We can build RVPS docker image ```bash -cd .. && docker build -t rvps -f rvps/Dockerfile . +cd .. && docker build -t rvps -f rvps/docker/Dockerfile . ``` Run 
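Review bot: Unresolved merge-conflict markers are committed into `kbs/docker/rhel-ubi/Dockerfile`: hunk `@@ -45,6 +45,7 @@` adds `<<<<<<< HEAD` after the `FROM registry.access.redhat.com/ubi9` line, and hunk `@@ -83,3 +84,12 @@` adds `=======` and `>>>>>>> 202deb9 (docker: refactor docker folder structure)`. A Dockerfile with those lines will not parse, so this image cannot be built. The block between `=======` and `>>>>>>>` comes from the deleted `Dockerfile.rhel-ubi`: it copies `/root/sgx_rpm_local_repo` from a builder stage that, judging by the visible context, builds `sgx_dcap_quoteverify_stubs` instead, and it installs the Intel RPMs with `--nogpgcheck`. Keeping the HEAD side and deleting the three marker lines plus that block looks like the intended resolution. Also in this file, hunk `@@ -24,7 +24,7 @@` changes the default to `ARG KBS_FEATURES=coco-as-builtin`, dropping `resource,opa,openssl`; that looks like a side effect of the same conflict rather than part of a folder refactor and should be confirmed.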
diff --git a/rvps/Dockerfile b/rvps/docker/Dockerfile similarity index 100% rename from rvps/Dockerfile rename to rvps/docker/Dockerfile From e76eca9b23fc7e6b2e156408f8c7929bcf24cadf Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 9 Jul 2024 10:59:50 -0500 Subject: [PATCH 033/298] config: fix custom pccs deployment for TDX We recently split the nodeport yaml into an s390x and an x86_64 directory, but we forgot to update the custom_pccs yaml to point to the correct one. For now let's assume that the custom_pccs will always run on x86_64 since it's for TDX. We might revisit that assumption in the future. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/config/kubernetes/custom_pccs/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/config/kubernetes/custom_pccs/kustomization.yaml b/kbs/config/kubernetes/custom_pccs/kustomization.yaml index 07c08c3cb9..4d24a667cc 100644 --- a/kbs/config/kubernetes/custom_pccs/kustomization.yaml +++ b/kbs/config/kubernetes/custom_pccs/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../nodeport +- ../nodeport/x86_64 patches: - path: set_custom_pccs.yaml From c9554469ac5b23b4ca6f392c8ff30ba523f78337 Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Thu, 11 Jul 2024 08:35:54 +0800 Subject: [PATCH 034/298] doc: update ibmse verifier document Signed-off-by: Qi Feng Huo --- deps/verifier/src/se/README.md | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index 8589439614..eca3d93f18 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md 
@@ -32,7 +32,18 @@ ibm-z-host-key-signing-gen2.crt DigiCertCA.crt ### CRL -ibm-z-host-key-gen2.crl +ibm-z-host-key-gen2.crl +DigiCertTrustedRootG4.crl +DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl + +Note: `DigiCertTrustedRootG4.crl` and `DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl` come from commands as below: +```bash +# openssl x509 -in DigiCertCA.crt --text --noout |grep crl + URI:http://crl3.digicert.com/DigiCertTrustedRootG4.crl +# openssl x509 -in ibm-z-host-key-signing-gen2.crt --text --noout |grep crl + URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl + URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl +``` ## Download HKD Download IBM Secure Execution Host Key Document following: https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document @@ -68,6 +79,8 @@ cargo install --locked --debug --path kbs/src/kbs --no-default-features --featur | └── DigiCertCA.crt ├── crls │ └── ibm-z-host-key-gen2.crl +│ └── DigiCertTrustedRootG4.crl +│ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl ├── hdr │ └── hdr.bin ├── hkds @@ -110,7 +123,7 @@ export SE_SKIP_CERTS_VERIFICATION=true ./kbs --config-file ./kbs-config.toml ``` -> Note: `SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. +> Note: `export SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. Use `export CERTS_OFFLINE_VERIFICATION=true` to verifiy the certificates offline. ## (Option 2) Launch KBS via docker-compose - Build the docker image 
@@ -147,7 +160,7 @@ services: - ./data/rsa/encrypt_key.pem:/run/confidential-containers/ibmse/rsa/encrypt_key.pem - ./data/rsa/encrypt_key.pub:/run/confidential-containers/ibmse/rsa/encrypt_key.pub ``` -> Note: `SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. +> Note: `export SE_SKIP_CERTS_VERIFICATION=true` only required for a development machine. Use `export CERTS_OFFLINE_VERIFICATION=true` to verifiy the certificates offline. - Prepare the material, similar as: ``` @@ -161,6 +174,8 @@ services: │   │   └── DigiCertCA.crt │   ├── crls │   │   └── ibm-z-host-key-gen2.crl +│ │ └── DigiCertTrustedRootG4.crl +│ │ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl │   ├── hdr.bin │   ├── hkds │   │   └── HKD-3931-0275D38.crt From e213e56e7f4284261f47eba9defdc05a1d18b5ea Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 29 May 2024 16:39:09 +0800 Subject: [PATCH 035/298] AS/verifier: support AA eventlog in TDX This is an alignment with guest-components side AA eventlog. Signed-off-by: Xynnn007 --- Cargo.lock | 1 + deps/verifier/Cargo.toml | 1 + deps/verifier/src/az_tdx_vtpm/mod.rs | 2 +- deps/verifier/src/eventlog/hash.rs | 22 +++ deps/verifier/src/eventlog/mod.rs | 189 ++++++++++++++++++++ deps/verifier/src/lib.rs | 2 + deps/verifier/src/tdx/claims.rs | 12 +- deps/verifier/src/tdx/eventlog.rs | 5 +- deps/verifier/src/tdx/mod.rs | 38 +++- deps/verifier/test_data/aael/AAEL_data_1 | 2 + deps/verifier/test_data/aael/AAEL_data_2 | 2 + deps/verifier/test_data/aael/AAEL_data_3 | 3 + deps/verifier/test_data/aael/AAEL_quote_tdx | Bin 0 -> 5006 bytes 13 files changed, 268 insertions(+), 11 deletions(-) create mode 100644 deps/verifier/src/eventlog/hash.rs create mode 100644 deps/verifier/src/eventlog/mod.rs create mode 100644 deps/verifier/test_data/aael/AAEL_data_1 create mode 100644 deps/verifier/test_data/aael/AAEL_data_2 create mode 100644 deps/verifier/test_data/aael/AAEL_data_3 create mode 100644 deps/verifier/test_data/aael/AAEL_quote_tdx 
diff --git a/Cargo.lock b/Cargo.lock index 62d3562599..44e1f3eaa9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5619,6 +5619,7 @@ dependencies = [ "serde_with", "serial_test", "sev", + "sha2", "shadow-rs", "strum", "thiserror", diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index 774b10d51b..8f78b6ff45 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml @@ -42,6 +42,7 @@ serde.workspace = true serde_json.workspace = true serde_with = { workspace = true, optional = true } sev = { version = "3.1.1", features = ["openssl", "snp"], optional = true } +sha2.workspace = true tokio = { workspace = true, optional = true, default-features = false } intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } strum.workspace = true diff --git a/deps/verifier/src/az_tdx_vtpm/mod.rs b/deps/verifier/src/az_tdx_vtpm/mod.rs index 2e85da789c..5ceeb7f90e 100644 --- a/deps/verifier/src/az_tdx_vtpm/mod.rs +++ b/deps/verifier/src/az_tdx_vtpm/mod.rs @@ -63,7 +63,7 @@ impl Verifier for AzTdxVtpm { verify_hcl_var_data(&hcl_report, &td_quote)?; - let mut claim = generate_parsed_claim(td_quote, None)?; + let mut claim = generate_parsed_claim(td_quote, None, None)?; extend_claim_with_tpm_quote(&mut claim, &evidence.tpm_quote)?; Ok(claim) diff --git a/deps/verifier/src/eventlog/hash.rs b/deps/verifier/src/eventlog/hash.rs new file mode 100644 index 0000000000..0b828311b9 --- /dev/null +++ b/deps/verifier/src/eventlog/hash.rs 
@@ -0,0 +1,22 @@ +// Copyright (c) 2024 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use strum::{AsRefStr, EnumString}; + +/// Hash algorithms used to calculate eventlog +#[derive(EnumString, AsRefStr, Clone)] +pub enum HashAlgorithm { + #[strum(ascii_case_insensitive)] + #[strum(serialize = "sha256")] + Sha256, + + #[strum(ascii_case_insensitive)] + #[strum(serialize = "sha384")] + Sha384, + + #[strum(ascii_case_insensitive)] + #[strum(serialize = "sha512")] + Sha512, +} diff --git a/deps/verifier/src/eventlog/mod.rs b/deps/verifier/src/eventlog/mod.rs new file mode 100644 index 0000000000..7580f2f0f0 --- /dev/null +++ b/deps/verifier/src/eventlog/mod.rs 
@@ -0,0 +1,189 @@ +// Copyright (c) 2024 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +mod hash; + +use std::str::FromStr; + +use anyhow::{anyhow, bail, Context, Result}; +use hash::HashAlgorithm; +use serde_json::{Map, Value}; +use sha2::{digest::FixedOutput, Digest, Sha256, Sha384, Sha512}; + +#[derive(Clone)] +pub struct AAEvent { + pub domain: String, + pub operation: String, + pub content: String, +} + +impl FromStr for AAEvent { + type Err = anyhow::Error; + + fn from_str(input: &str) -> Result { + let input_trimed = input.trim_end(); + let sections: Vec<&str> = input_trimed.split(' ').collect(); + if sections.len() != 3 { + bail!("Illegal AA event entry format. Should be ` `"); + } + Ok(Self { + domain: sections[0].into(), + operation: sections[1].into(), + content: sections[2].into(), + }) + } +} + +#[derive(Clone)] +pub struct AAEventlog { + pub hash_algorithm: HashAlgorithm, + pub init_state: Vec, + pub events: Vec, +} + +impl FromStr for AAEventlog { + type Err = anyhow::Error; + + fn from_str(input: &str) -> Result { + let all_lines = input.lines().collect::>(); + + let (initline, eventlines) = all_lines + .split_first() + .ok_or(anyhow!("at least one line should be included in AAEL"))?; + + // Init line looks like + // INIT sha256/0000000000000000000000000000000000000000000000000000000000000000 + let init_line_items = initline.split_ascii_whitespace().collect::>(); + if init_line_items.len() != 2 { + bail!("Illegal INIT event record."); + } + + if init_line_items[0] != "INIT" { + bail!("INIT event should start with `INIT` key word"); + } + + let (hash_algorithm, init_state) = init_line_items[1].split_once('/').ok_or(anyhow!( + "INIT event should have `/` as content after `INIT`" + ))?; + + let hash_algorithm = hash_algorithm + .try_into() + .context("parse Hash Algorithm in INIT entry")?; + let init_state = hex::decode(init_state).context("parse init state in INIT entry")?; + + let events = eventlines + .iter() + .map(|line| 
AAEvent::from_str(line)) + .collect::>>()?; + + Ok(Self { + events, + hash_algorithm, + init_state, + }) + } +} + +impl AAEventlog { + fn accumulate_hash(&self) -> Vec { + let mut state = self.init_state.clone(); + + let mut init_event_hasher = D::new(); + let init_event = format!( + "INIT {}/{}", + self.hash_algorithm.as_ref(), + hex::encode(&self.init_state) + ); + Digest::update(&mut init_event_hasher, init_event.as_bytes()); + let init_event_hash = init_event_hasher.finalize(); + + let mut hasher = D::new(); + Digest::update(&mut hasher, &state); + + Digest::update(&mut hasher, init_event_hash); + state = hasher.finalize().to_vec(); + + self.events.iter().for_each(|event| { + let mut event_hasher = D::new(); + Digest::update(&mut event_hasher, event.domain.as_bytes()); + Digest::update(&mut event_hasher, b" "); + Digest::update(&mut event_hasher, event.operation.as_bytes()); + Digest::update(&mut event_hasher, b" "); + Digest::update(&mut event_hasher, event.content.as_bytes()); + let event_hash = event_hasher.finalize(); + + let mut hasher = D::new(); + Digest::update(&mut hasher, &state); + Digest::update(&mut hasher, event_hash); + state = hasher.finalize().to_vec(); + }); + + state + } + + /// Check the integrity of the AAEL, and gets a digest. The digest should be the same + /// as the input `rtmr`, or the integrity check will fail. + pub fn integrity_check(&self, rtmr: &[u8]) -> Result<()> { + let result = match self.hash_algorithm { + HashAlgorithm::Sha256 => self.accumulate_hash::(), + HashAlgorithm::Sha384 => self.accumulate_hash::(), + HashAlgorithm::Sha512 => self.accumulate_hash::(), + }; + + if rtmr != result { + bail!( + "AA eventlog does not pass check. 
AAEL value : {}, Quote value {}", + hex::encode(result), + hex::encode(rtmr) + ); + } + + Ok(()) + } + + pub fn to_parsed_claims(&self) -> Map { + let mut aael = Map::new(); + for eventlog in &self.events { + let key = format!("{}/{}", eventlog.domain, eventlog.operation); + let item = Value::String(eventlog.content.clone()); + match aael.get_mut(&key) { + Some(value) => value + .as_array_mut() + .expect("Only array can be inserted") + .push(item), + None => { + // This insertion will ensure the value in AAEL always be + // `Array`s. This will make `as_array_mut()` always result + // in `Some`. + aael.insert(key, Value::Array(vec![item])); + } + } + } + + aael + } +} + +#[cfg(test)] +mod tests { + use std::fs; + + use rstest::rstest; + + #[rstest] + #[case("./test_data/aael/AAEL_data_1", b"71563a23b430b8637970b866169052815ef9434056516dc9f78c1b3bfb745cee18a2ca92aa53c8122be5cbe59a100764")] + #[case("./test_data/aael/AAEL_data_2", b"31fa17881137923029b1da5b368e92d8b22b14bbb4deaa360da61fce7aa530bd2f4c59ac7bd27021ef64104ff4dd04f9")] + #[case("./test_data/aael/AAEL_data_3", b"0de62b45b29775495d278c85ad63ff45e59406e509506b26c545a5419316e1c4bd2b00a4e803051fa98b550767e13f06")] + fn aael_integrity_check(#[case] aael_path: &str, #[case] sum: &[u8]) { + use std::str::FromStr; + + use super::AAEventlog; + + let aael_bin = fs::read_to_string(aael_path).unwrap(); + let aael = AAEventlog::from_str(&aael_bin).unwrap(); + let sum = hex::decode(sum).unwrap(); + aael.integrity_check(&sum).unwrap(); + } +} diff --git a/deps/verifier/src/lib.rs b/deps/verifier/src/lib.rs index f0e2e7a289..40c09d345a 100644 --- a/deps/verifier/src/lib.rs +++ b/deps/verifier/src/lib.rs @@ -7,6 +7,8 @@ use log::debug; pub mod sample; +pub mod eventlog; + #[cfg(feature = "az-snp-vtpm-verifier")] pub mod az_snp_vtpm; diff --git a/deps/verifier/src/tdx/claims.rs b/deps/verifier/src/tdx/claims.rs index e24171ffbf..168db155dd 100644 --- a/deps/verifier/src/tdx/claims.rs +++ b/deps/verifier/src/tdx/claims.rs 
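Review bot: `AAEventlog::to_parsed_claims` builds each claim key as `format!("{}/{}", eventlog.domain, eventlog.operation)`, but a domain may itself contain `/` (the test data in this commit uses `github.com/confidential-containers`). Two different (domain, operation) pairs can therefore produce the same key, and a policy reading the `aael` claims cannot tell which component logged the entry. The smallest fix is to reject a `/` in the operation when parsing, in `AAEvent::from_str`: `if sections[1].contains('/') { bail!("AA event operation must not contain '/'"); }`. Nesting the claims as domain → operation → values would remove the ambiguity altogether. The public items in this new file (`AAEvent`, `AAEventlog`, `to_parsed_claims`) also have no doc comments; a line stating the entry format and the resulting claim layout would help policy authors.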
@@ -50,7 +50,7 @@ use byteorder::{LittleEndian, ReadBytesExt}; use log::{debug, warn}; use serde_json::{Map, Value}; -use crate::{tdx::quote::QuoteV5Body, TeeEvidenceParsedClaim}; +use crate::{eventlog::AAEventlog, tdx::quote::QuoteV5Body, TeeEvidenceParsedClaim}; use super::{ eventlog::{CcEventLog, MeasuredEntity}, @@ -72,6 +72,7 @@ macro_rules! parse_claim { pub fn generate_parsed_claim( quote: Quote, cc_eventlog: Option, + aa_eventlog: Option, ) -> Result { let mut quote_map = Map::new(); let mut quote_body = Map::new(); @@ -172,6 +173,13 @@ pub fn generate_parsed_claim( } let mut claims = Map::new(); + + // Claims from AA eventlog + if let Some(aael) = aa_eventlog { + let aael_map = aael.to_parsed_claims(); + parse_claim!(claims, "aael", aael_map); + } + parse_claim!(claims, "quote", quote_map); parse_claim!(claims, "ccel", ccel_map); @@ -329,7 +337,7 @@ mod tests { let ccel_bin = std::fs::read("./test_data/CCEL_data").expect("read ccel failed"); let quote = parse_tdx_quote("e_bin).expect("parse quote"); let ccel = CcEventLog::try_from(ccel_bin).expect("parse ccel"); - let claims = generate_parsed_claim(quote, Some(ccel)).expect("parse claim failed"); + let claims = generate_parsed_claim(quote, Some(ccel), None).expect("parse claim failed"); let expected = json!({ "ccel": { "kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", diff --git a/deps/verifier/src/tdx/eventlog.rs b/deps/verifier/src/tdx/eventlog.rs index fb9fdca333..3278c9e71a 100644 --- a/deps/verifier/src/tdx/eventlog.rs +++ b/deps/verifier/src/tdx/eventlog.rs 
@@ -46,11 +46,8 @@ impl CcEventLog { if rtmr_from_quote.rtmr0 != rtmr_eventlog.rtmr0 || rtmr_from_quote.rtmr1 != rtmr_eventlog.rtmr1 || rtmr_from_quote.rtmr2 != rtmr_eventlog.rtmr2 - || rtmr_from_quote.rtmr3 != rtmr_eventlog.rtmr3 { - return Err(anyhow!( - "RTMR values from TD quote is not equal with the values from EventLog\n" - )); + bail!("RTMR 0, 1, 2 values from TD quote is not equal with the values from EventLog"); } Ok(()) diff --git a/deps/verifier/src/tdx/mod.rs b/deps/verifier/src/tdx/mod.rs index d4a9f1c384..6878f214a6 100644 --- a/deps/verifier/src/tdx/mod.rs +++ b/deps/verifier/src/tdx/mod.rs @@ -1,7 +1,9 @@ +use std::str::FromStr; + use anyhow::anyhow; use log::{debug, error, info, warn}; -use crate::tdx::claims::generate_parsed_claim; +use crate::{eventlog::AAEventlog, tdx::claims::generate_parsed_claim}; use super::*; use async_trait::async_trait; @@ -21,6 +23,8 @@ struct TdxEvidence { cc_eventlog: Option, // Base64 encoded TD quote. quote: String, + // Eventlog of Attestation Agent + aa_eventlog: Option, } #[derive(Debug, Default)] @@ -105,15 +109,32 @@ async fn verify_evidence( } } + // Verify Integrity of AA eventlog + let aael = match &evidence.aa_eventlog { + Some(el) => { + let aael = + AAEventlog::from_str(el).context("failed to parse AA Eventlog from evidence")?; + // We assume we always use PCR 17, rtmr 3 for the application side events. + + aael.integrity_check(quote.rtmr_3())?; + info!("CCEL integrity check succeeded."); + Some(aael) + } + None => { + warn!("No AA Eventlog included inside the TDX evidence."); + None + } + }; + // Return Evidence parsed claim - generate_parsed_claim(quote, ccel_option) + generate_parsed_claim(quote, ccel_option, aael) } #[cfg(test)] mod tests { use super::*; - use std::fs; + use std::{fs, str::FromStr}; #[test] fn test_generate_parsed_claim() { 
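Review bot: This hunk removes `rtmr3` from the CCEL replay comparison, while in `tdx/mod.rs` the new `aa_eventlog` field is an `Option` whose `None` branch only logs a warning. Evidence that omits `aa_eventlog` is therefore accepted with RTMR3 never replayed against any log, which the previous check did not allow. If that is intended, it should be stated in a comment here, e.g. `// RTMR3 is covered by the AA eventlog check in verify_evidence; it is unchecked when no AA eventlog is supplied`, and policies need a way to see that no AAEL was verified. Otherwise keep the `rtmr3` comparison for the `None` case. The enclosing function starts outside this hunk.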
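Review bot: In hunk `@@ -105,15 +109,32 @@` of `tdx/mod.rs`, the success message after `aael.integrity_check(quote.rtmr_3())?` is `info!("CCEL integrity check succeeded.")`, which names the wrong log. Anyone auditing verifier output would see two CCEL successes and no record that the AA eventlog was checked. It should read `info!("AA eventlog integrity check succeeded.");`. The comment above it mentions "PCR 17, rtmr 3"; TDX quotes carry RTMRs only, so `// Application-side events are extended into RTMR 3 (the AA side refers to this as PCR 17 - confirm)` would be clearer. `verify_evidence` starts outside this hunk.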
@@ -122,7 +143,7 @@ mod tests { let quote_bin = fs::read("./test_data/tdx_quote_4.dat").unwrap(); let quote = parse_tdx_quote("e_bin).unwrap(); - let parsed_claim = generate_parsed_claim(quote, Some(ccel)); + let parsed_claim = generate_parsed_claim(quote, Some(ccel), None); assert!(parsed_claim.is_ok()); let _ = fs::write( @@ -130,4 +151,13 @@ mod tests { format!("{:?}", parsed_claim.unwrap()), ); } + + #[test] + fn test_aael_binding() { + let aael_bin = fs::read_to_string("./test_data/aael/AAEL_data_1").unwrap(); + let aael = AAEventlog::from_str(&aael_bin).unwrap(); + let quote_bin = fs::read("./test_data/aael/AAEL_quote_tdx").unwrap(); + let quote = parse_tdx_quote("e_bin).unwrap(); + aael.integrity_check(quote.rtmr_3()).unwrap(); + } } diff --git a/deps/verifier/test_data/aael/AAEL_data_1 b/deps/verifier/test_data/aael/AAEL_data_1 new file mode 100644 index 0000000000..f0fca95a89 --- /dev/null +++ b/deps/verifier/test_data/aael/AAEL_data_1 @@ -0,0 +1,2 @@ +INIT sha384/000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +image-rs CreateContainer docker.io/library/alpine \ No newline at end of file diff --git a/deps/verifier/test_data/aael/AAEL_data_2 b/deps/verifier/test_data/aael/AAEL_data_2 new file mode 100644 index 0000000000..1f5e6b46fc --- /dev/null +++ b/deps/verifier/test_data/aael/AAEL_data_2 @@ -0,0 +1,2 @@ +INIT sha384/000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +github.com/confidential-containers CreateContainer docker.io/library/alpine \ No newline at end of file diff --git a/deps/verifier/test_data/aael/AAEL_data_3 b/deps/verifier/test_data/aael/AAEL_data_3 new file mode 100644 index 0000000000..29d1455166 --- /dev/null +++ b/deps/verifier/test_data/aael/AAEL_data_3 
@@ -0,0 +1,3 @@ +INIT sha384/000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +github.com/confidential-containers CreateContainer docker.io/library/alpine +github.com/confidential-containers CreateContainer docker.io/library/busybox \ No newline at end of file 
diff --git a/deps/verifier/test_data/aael/AAEL_quote_tdx b/deps/verifier/test_data/aael/AAEL_quote_tdx new file mode 100644 index 0000000000000000000000000000000000000000..47c500f1654889e08e7a815ee10204a2c7c92f76 GIT binary patch literal 5006 zcmcIn3$PQ_8NP7gf{P-efFO#Bqv+M%&Fkhy$HzIlo6RQKB)gkUvOyh_O|p4xUN?_T zw%AJ5PGKBhg+3V6Dq2OSQc2o4~~Ahz0yl`GW_JxT6`T)0%wX=XB; zeCI#s{QrNx|9t5_iaz*6_}Mc5h7F8*QHxEXI>V!CuMJ5|^|cS%<# z{&2%;%&4wG>(=A&TKy-X>MdW5`C#Bp4nO^8PfrNjuYN7tdDGN2?|q(~xM{PsvijxA zcC4JfXW83xM)xfqHu=>4Olp|#8{OLfx%snxsbBcni+QOm%qkuXPkyDE5>w>zWq^G@1$GKx_;YKCw8d3@DI!< z4@oa+oo`HiW%E4S1*<=N|GEiA^0%F9XYPF3nJX+vOg=FCH=jD3g z`NY(F`S~{=B5nw9*|h_Aop;Sw z-X#|wymh_pNps z;krkEwe5lzKd`P{Id|7>*RI&|o^{}*G50;{+_K%b^vcYSa(lP$|L1*Ec(CIK{hh&! ztLvgyUUY{2-uy@ZnVa58Pw#weyS{t+A$R9`#{j;qtHX}G=;}IqO6TE@vB!FNqW@C{ z2lfp<_bz*U)mD7X;%j~(xK(M{GVlB5{icC07Tkl~xpDj*nRO>xX9$1)!7JwF7u_?B z_Lv|4n)syi%z0Df&t80ar+mYk-<#-v;`JfB|JQSL$MA|i)qS?ZLw4-&!ppa9d2H6S zm1`#&zrJn;xp2>lAK%S>x@!Kq_r7VpJ#)E*8|G~gUwGue!&i6M?pS>OuXBIQjOYJ7 z<=_Kz@qTuSFY~*7r%juC&-A&mh1Z|yIe2K#pRXD_cGup`muy__e`nE!9UY@aca9m` zHE#TA*o4#1n0V%-vnHQ?&XlRs&YeEvyqV`;Fl%hb%@aF1u4;TBMKhiY35xeKc7_0c zs)=GO!%%%BK|p6j0U85=!iaQ*cKFOP$Ch0L?4_)=?o>rAFiMRD8lgyxD<5X`G)^IV z4UTSO{A1a8Of3JSH)AND6hxMQJ-8&f4lx0g{}bim*^=+7pV#V?z@- zqpdE}wz?GJ3sIxFW+#CF6;A*HnI#OKWHiSo8Ol?VLe3=1l{A8r$NRoyJe zG*^X5mIwq`&5@KnY?{+pKQOQ)t9$$$9&BJbH4MXoX{fORqcNblB1uBkiFQ+?1oZO; zMG+~F8||#hIld6is%hk*%JO-QZrQsq6559*kWrIUL*HbKR;$r8C9;rdd8KJ?(P*#4 zXiDLXwWOS-YJ?7)jSw-EcI3SWw#7wLnlm8kFw8=hhV>#Xux1-jD4HM!e`}Nj;0%CN zAHbMux<(e#abI_L(NKnRR1z&_kIf8<@g9d=iIT9MVCC+#T!_$unlL-cT$U;p-5O;F zvZKynE=BIwg-Rh}%@h5UImK}Cw4$&q;s;5PAklEsA+Qupf}jG0K-6IJRQYPMSA@=b z%#UMipBVR1eAHXLFrkrsg}lF?Rnn>@KVVMDkRj|9U7$!JGUTg7dXaJLDjBSud>O4`zr-=JYf zSr%5KSx+@gtCg^B$b>_T=4g~px0HC}OUQTj0Y9U!odH{z*3?k5#CJ2y{G>0O& z+6Mv0alRT}@+H$gSITd878P@(P|*7t_Cb`TRFTF6CTjL`6k3hZ6vggG`_V+>?2qDz zDil2ePBd_AgaHx_5F_B!NH~Uewxa=Zgb6gl;Rv_`;V3~ZPuoLaPOy-(eL`Dkt_D6* z2<{V1U`N6mA$Ud_K)Ck=xUU^=4}ohRXmgcExSNH2$DWP=Q64a;pc_`B0MNjZPcuR2 
zjE^qDq7y(wf?V_LkK!DKL6rc}#$*!sppq{pGby^8!qM$X*@@;Un2(txQ50>9>NZ87 zi{(-4HU%9 zmh1Fz*EtR^DI#4%x)rX%KLc}TIw+VcqGEUcf=8()td-8eBUGeemQjkvcNGU5VgluN0Xnsw> z8iH$f;%dJm&z8DFc}u>h6zcWbxM0n}gKAi$y)mA%%GDwtiWHgurMKVol6#Wl{{?wG B@RtAp literal 0 HcmV?d00001 From f626a5923b981cd7a7d90fac508d5079dab7cc8e Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 20 Jun 2024 17:39:40 +0800 Subject: [PATCH 036/298] AS: fix flatten function Before this commit, the parsed claims of arrays will be flatten into a nested structure like map. But in real scenario like AAEL, Array will only be the "leaf" member of the parsed claims. Thus keep it as-is is better. Signed-off-by: Xynnn007 --- attestation-service/src/utils.rs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/attestation-service/src/utils.rs b/attestation-service/src/utils.rs index ddc26e2fcd..a116397d24 100644 --- a/attestation-service/src/utils.rs +++ b/attestation-service/src/utils.rs @@ -73,10 +73,7 @@ fn flatten_helper(parent: &mut Map, child: &serde_json::Value, pr let _ = parent.insert(prefix, Value::String(str.clone())); } Value::Array(arr) => { - for (i, v) in arr.iter().enumerate() { - let sub_prefix = format!("{prefix}.{i}"); - flatten_helper(parent, v, sub_prefix); - } + let _ = parent.insert(prefix, Value::Array(arr.clone())); } Value::Object(obj) => { for (k, v) in obj { From 32239efc7b7ee0e20a0eae86a00dfa7a85cdbca7 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 15 Jul 2024 10:59:27 +0800 Subject: [PATCH 037/298] Verifier: fix lint error for SGX/TDX delete useless code for SGX, also makes submodules public. Signed-off-by: Xynnn007 --- deps/verifier/src/sgx/claims.rs | 32 -------------------------------- deps/verifier/src/tdx/mod.rs | 2 +- 2 files changed, 1 insertion(+), 33 deletions(-) diff --git a/deps/verifier/src/sgx/claims.rs b/deps/verifier/src/sgx/claims.rs index c47fa448ab..c513f49d12 100644 --- a/deps/verifier/src/sgx/claims.rs +++ b/deps/verifier/src/sgx/claims.rs 
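Review bot: Keeping the array whole in the `Value::Array` arm of `flatten_helper` means an object nested inside an array is no longer flattened. Claims that earlier appeared as `prefix.0`, `prefix.1` now appear as one array under `prefix`, so an attestation policy written against the indexed keys could stop matching without any error. The commit message says arrays only occur as leaves, but nothing in the visible part of `flatten_helper` enforces or documents that. I would add `// Arrays are stored whole as leaf claims; objects nested inside an array are not flattened.` above the insert. `flatten_helper` starts and ends outside the hunk.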
@@ -39,7 +39,6 @@ //! ``` use anyhow::*; -use byteorder::{LittleEndian, ReadBytesExt}; use serde_json::{Map, Value}; use crate::TeeEvidenceParsedClaim; @@ -112,37 +111,6 @@ pub fn generate_parsed_claims(quote: sgx_quote3_t) -> Result { - pub descriptor: [u8; 16], - pub info_length: u32, - pub data: &'a [u8], -} - -impl<'a> TryFrom<&'a [u8]> for TdShimPlatformConfigInfo<'a> { - type Error = anyhow::Error; - - fn try_from(data: &'a [u8]) -> std::result::Result { - if data.len() < core::mem::size_of::<[u8; 16]>() + core::mem::size_of::() { - bail!("give data slice is too short"); - } - - let descriptor = data[0..core::mem::size_of::<[u8; 16]>()].try_into()?; - let info_length = (&data[core::mem::size_of::<[u8; 16]>() - ..core::mem::size_of::<[u8; 16]>() + core::mem::size_of::()]) - .read_u32::()?; - let data = &data[core::mem::size_of::<[u8; 16]>() + core::mem::size_of::() - ..core::mem::size_of::<[u8; 16]>() - + core::mem::size_of::() - + info_length as usize]; - Ok(Self { - descriptor, - info_length, - data, - }) - } -} - #[cfg(test)] mod tests { use assert_json_diff::assert_json_eq; diff --git a/deps/verifier/src/tdx/mod.rs b/deps/verifier/src/tdx/mod.rs index 6878f214a6..a33d24d674 100644 --- a/deps/verifier/src/tdx/mod.rs +++ b/deps/verifier/src/tdx/mod.rs @@ -13,7 +13,7 @@ use quote::{ecdsa_quote_verification, parse_tdx_quote}; use serde::{Deserialize, Serialize}; pub(crate) mod claims; -mod eventlog; +pub mod eventlog; pub(crate) mod quote; #[derive(Serialize, Deserialize, Debug)] From 1f7ee48ae7199c5ac23074493ce2e14200bacea1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jul 2024 01:40:56 +0000 Subject: [PATCH 038/298] build(deps): bump clap_lex from 0.7.0 to 0.7.1 Bumps [clap_lex](https://github.com/clap-rs/clap) from 0.7.0 to 0.7.1. - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](https://github.com/clap-rs/clap/compare/clap_lex-v0.7.0...clap_lex-v0.7.1) --- updated-dependencies: - dependency-name: clap_lex dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 44e1f3eaa9..c9ec47efcb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1087,9 +1087,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.7.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce" +checksum = "4b82cf0babdbd58558212896d1a4272303a57bdb245c2bf1147185fb45640e70" [[package]] name = "coarsetime" From 0899fae486aa9d12b5b56177ac7309bd3d9bb5ea Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Sat, 20 Jul 2024 13:33:12 +0800 Subject: [PATCH 039/298] KBS: add aliyun KMS backend support for KBS storage Signed-off-by: Xynnn007 --- Cargo.lock | 402 +++++++++++++++++++++++++++++---- Cargo.toml | 4 +- kbs/Cargo.toml | 4 + kbs/src/http/resource.rs | 2 +- kbs/src/resource/aliyun_kms.rs | 59 +++++ kbs/src/resource/mod.rs | 14 +- tools/kbs-client/Cargo.toml | 2 +- 7 files changed, 443 insertions(+), 44 deletions(-) create mode 100644 kbs/src/resource/aliyun_kms.rs diff --git a/Cargo.lock b/Cargo.lock index c9ec47efcb..ca9cf35d28 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -496,6 +496,28 @@ version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" +[[package]] +name = "attestation-agent" +version = "0.1.0" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +dependencies = [ + "anyhow", + "async-trait", + "attester", + "base64 0.21.7", + "config", + "const_format", + "log", + "serde", + "serde_json", + "sha2", + "strum", + "tempfile", + "thiserror", + "tokio", + "toml 0.8.15", +] + [[package]] name = "attestation-service" version = "0.1.0" @@ -514,7 +536,7 @@ dependencies = [ "lazy_static", "log", "openssl", - "prost", + "prost 0.12.6", "rand", "reference-value-provider-service", "regorus", @@ -531,8 +553,8 @@ dependencies = [ "thiserror", "time", "tokio", - "tonic", - "tonic-build", + "tonic 0.11.0", + "tonic-build 0.11.0", "uuid", "verifier", ] @@ -540,15 +562,16 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "anyhow", "async-trait", - "az-snp-vtpm", - "az-tdx-vtpm", + "az-snp-vtpm 0.6.0", + "az-tdx-vtpm 0.6.0", "base64 0.21.7", "codicon", "csv-rs", + "hex", "hyper 0.14.28", "hyper-tls 0.5.0", "kbs-types", 
@@ -652,13 +675,33 @@ dependencies = [ "zerocopy", ] +[[package]] +name = "az-cvm-vtpm" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1940b5a30bbaa585acd365e329c8c4c5c119345fef81830bd5f38f2360caa7d6" +dependencies = [ + "bincode", + "jsonwebkey", + "memoffset", + "openssl", + "serde", + "serde-big-array", + "serde_json", + "sev", + "sha2", + "thiserror", + "tss-esapi", + "zerocopy", +] + [[package]] name = "az-snp-vtpm" version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d9da68a854978d9d32cc03ba6cd4a24b1f43fafad91eb7e15578cdf9a9cbdfe7" dependencies = [ - "az-cvm-vtpm", + "az-cvm-vtpm 0.5.3", "bincode", "clap 4.5.4", "openssl", @@ -668,14 +711,45 @@ dependencies = [ "ureq", ] +[[package]] +name = "az-snp-vtpm" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a276bcc39a8cf650ebc32941409f89c751cf8266c67f233872ac8c50ffa5405" +dependencies = [ + "az-cvm-vtpm 0.6.0", + "bincode", + "clap 4.5.4", + "serde", + "sev", + "thiserror", + "ureq", +] + [[package]] name = "az-tdx-vtpm" version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8575eeaefa72d9591355597f5acf9b4ddee8cc19d8b03d947173ae8fcf1e8c2e" dependencies = [ - "az-cvm-vtpm", - "base64-url", + "az-cvm-vtpm 0.5.3", + "base64-url 2.0.2", + "bincode", + "serde", + "serde_json", + "thiserror", + "ureq", + "zerocopy", +] + +[[package]] +name = "az-tdx-vtpm" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eb795802e685a153ea4906349c86f5760012478a72e349538dd47012409465de" +dependencies = [ + "az-cvm-vtpm 0.6.0", + "base64-url 3.0.0", "bincode", "serde", "serde_json", 
@@ -732,6 +806,15 @@ dependencies = [ "base64 0.21.7", ] +[[package]] +name = "base64-url" +version = "3.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "38e2b6c78c06f7288d5e3c3d683bde35a79531127c83b087e5d0d77c974b4b28" +dependencies = [ + "base64 0.22.1", +] + [[package]] name = "base64ct" version = "1.6.0" @@ -783,7 +866,7 @@ dependencies = [ "lazycell", "log", "peeking_take_while", - "prettyplease", + "prettyplease 0.2.20", "proc-macro2", "quote", "regex", @@ -1129,7 +1212,7 @@ dependencies = [ "rust-ini", "serde", "serde_json", - "toml", + "toml 0.5.11", "yaml-rust", ] @@ -1285,7 +1368,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "aes-gcm", "anyhow", @@ -1503,6 +1586,15 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "des" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e" +dependencies = [ + "cipher", +] + [[package]] name = "digest" version = "0.10.7" @@ -2475,6 +2567,15 @@ version = "1.70.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800" +[[package]] +name = "itertools" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +dependencies = [ + "either", +] + [[package]] name = "itertools" version = "0.12.1" 
@@ -2532,7 +2633,7 @@ dependencies = [ "serde", "serde_json", "thiserror", - "yasna", + "yasna 0.4.0", "zeroize", ] @@ -2635,11 +2736,12 @@ dependencies = [ "jsonwebtoken", "jwt-simple 0.11.9", "kbs-types", + "kms", "lazy_static", "log", "mobc", "openssl", - "prost", + "prost 0.12.6", "rand", "regorus", "reqwest 0.12.4", @@ -2656,8 +2758,8 @@ dependencies = [ "thiserror", "time", "tokio", - "tonic", - "tonic-build", + "tonic 0.11.0", + "tonic-build 0.11.0", "uuid", ] @@ -2691,7 +2793,7 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "anyhow", "async-trait", @@ -2712,6 +2814,39 @@ dependencies = [ "zeroize", ] +[[package]] +name = "kms" +version = "0.1.0" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +dependencies = [ + "anyhow", + "async-trait", + "attestation-agent", + "base64 0.21.7", + "chrono", + "const_format", + "hex", + "lazy_static", + "log", + "p12", + "prost 0.11.9", + "rand", + "reqwest 0.12.4", + "resource_uri", + "ring 0.17.8", + "serde", + "serde_json", + "sha2", + "strum", + "thiserror", + "tokio", + "toml 0.8.15", + "tonic 0.9.2", + "tonic-build 0.9.2", + "url", + "yasna 0.5.2", +] + [[package]] name = "language-tags" version = "0.3.2" 
@@ -3237,6 +3372,23 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" +[[package]] +name = "p12" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d4873306de53fe82e7e484df31e1e947d61514b6ea2ed6cd7b45d63006fd9224" +dependencies = [ + "cbc", + "cipher", + "des", + "getrandom", + "hmac", + "lazy_static", + "rc2", + "sha1", + "yasna 0.5.2", +] + [[package]] name = "p256" version = "0.13.2" @@ -3657,6 +3809,16 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +[[package]] +name = "prettyplease" +version = "0.1.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c8646e95016a7a6c4adea95bafa8a16baab64b583356217f2c85db4a39d9a86" +dependencies = [ + "proc-macro2", + "syn 1.0.109", +] + [[package]] name = "prettyplease" version = "0.2.20" @@ -3709,6 +3871,16 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "prost" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b82eaa1d779e9a4bc1c3217db8ffbeabaae1dca241bf70183242128d48681cd" +dependencies = [ + "bytes", + "prost-derive 0.11.9", +] + [[package]] name = "prost" version = "0.12.6" 
@@ -3716,7 +3888,29 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "deb1435c188b76130da55f17a466d252ff7b1418b2ad3e037d127b94e3411f29" dependencies = [ "bytes", - "prost-derive", + "prost-derive 0.12.6", +] + +[[package]] +name = "prost-build" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "119533552c9a7ffacc21e099c24a0ac8bb19c2a2a3f363de84cd9b844feab270" +dependencies = [ + "bytes", + "heck 0.4.1", + "itertools 0.10.5", + "lazy_static", + "log", + "multimap", + "petgraph", + "prettyplease 0.1.25", + "prost 0.11.9", + "prost-types 0.11.9", + "regex", + "syn 1.0.109", + "tempfile", + "which", ] [[package]] @@ -3727,19 +3921,32 @@ checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4" dependencies = [ "bytes", "heck 0.5.0", - "itertools", + "itertools 0.12.1", "log", "multimap", "once_cell", "petgraph", - "prettyplease", - "prost", - "prost-types", + "prettyplease 0.2.20", + "prost 0.12.6", + "prost-types 0.12.6", "regex", "syn 2.0.60", "tempfile", ] +[[package]] +name = "prost-derive" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5d2d8d10f3c6ded6da8b05b5fb3b8a5082514344d56c9f871412d29b4e075b4" +dependencies = [ + "anyhow", + "itertools 0.10.5", + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "prost-derive" version = "0.12.6" 
@@ -3747,19 +3954,28 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" dependencies = [ "anyhow", - "itertools", + "itertools 0.12.1", "proc-macro2", "quote", "syn 2.0.60", ] +[[package]] +name = "prost-types" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "213622a1460818959ac1181aaeb2dc9c7f63df720db7d788b3e24eacd1983e13" +dependencies = [ + "prost 0.11.9", +] + [[package]] name = "prost-types" version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9091c90b0a32608e984ff2fa4091273cbdd755d54935c51d520887f4a1dbd5b0" dependencies = [ - "prost", + "prost 0.12.6", ] [[package]] @@ -3817,6 +4033,15 @@ dependencies = [ "getrandom", ] +[[package]] +name = "rc2" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "62c64daa8e9438b84aaae55010a93f396f8e60e3911590fcba770d04643fc1dd" +dependencies = [ + "cipher", +] + [[package]] name = "redox_syscall" version = "0.2.16" @@ -3861,7 +4086,7 @@ dependencies = [ "env_logger 0.10.2", "log", "path-clean", - "prost", + "prost 0.12.6", "rstest", "serde", "serde_json", @@ -3872,8 +4097,8 @@ dependencies = [ "strum", "tempfile", "tokio", - "tonic", - "tonic-build", + "tonic 0.11.0", + "tonic-build 0.11.0", "walkdir", ] @@ -3916,7 +4141,7 @@ dependencies = [ "chrono", "chrono-tz", "data-encoding", - "itertools", + "itertools 0.12.1", "lazy_static", "num", "rand", 
@@ -4028,7 +4253,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "anyhow", "serde", @@ -4560,6 +4785,15 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_spanned" +version = "0.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "79e674e01f999af37c49f70a6ede167a8a60b2503e56c5599532a65baa5969a0" +dependencies = [ + "serde", +] + [[package]] name = "serde_urlencoded" version = "0.7.1" @@ -5105,9 +5339,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.37.0" +version = "1.38.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1adbebffeca75fcfd058afa480fb6c0b81e165a0323f9c9d39c9697e37c46787" +checksum = "eb2caba9f80616f438e09748d5acda951967e1ea58508ef53d9c6402485a46df" dependencies = [ "backtrace", "bytes", @@ -5134,9 +5368,9 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.2.0" +version = "2.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" +checksum = "5f5ae998a069d4b5aba8ee9dad856af7d520c3699e6159b185c2acd48155d39a" dependencies = [ "proc-macro2", "quote", 
@@ -5231,6 +5465,68 @@ dependencies = [ "serde", ] +[[package]] +name = "toml" +version = "0.8.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac2caab0bf757388c6c0ae23b3293fdb463fee59434529014f85e3263b995c28" +dependencies = [ + "serde", + "serde_spanned", + "toml_datetime", + "toml_edit", +] + +[[package]] +name = "toml_datetime" +version = "0.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4badfd56924ae69bcc9039335b2e017639ce3f9b001c393c1b2d1ef846ce2cbf" +dependencies = [ + "serde", +] + +[[package]] +name = "toml_edit" +version = "0.22.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "278f3d518e152219c994ce877758516bca5e118eaed6996192a774fb9fbf0788" +dependencies = [ + "indexmap 2.2.6", + "serde", + "serde_spanned", + "toml_datetime", + "winnow", +] + +[[package]] +name = "tonic" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" +dependencies = [ + "async-trait", + "axum", + "base64 0.21.7", + "bytes", + "futures-core", + "futures-util", + "h2 0.3.26", + "http 0.2.12", + "http-body 0.4.6", + "hyper 0.14.28", + "hyper-timeout", + "percent-encoding", + "pin-project", + "prost 0.11.9", + "tokio", + "tokio-stream", + "tower", + "tower-layer", + "tower-service", + "tracing", +] + [[package]] name = "tonic" version = "0.11.0" @@ -5249,7 +5545,7 @@ dependencies = [ "hyper-timeout", "percent-encoding", "pin-project", - "prost", + "prost 0.12.6", "tokio", "tokio-stream", "tower", 
@@ -5258,15 +5554,28 @@ dependencies = [ "tracing", ] +[[package]] +name = "tonic-build" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6fdaae4c2c638bb70fe42803a26fbd6fc6ac8c72f5c59f67ecc2a2dcabf4b07" +dependencies = [ + "prettyplease 0.1.25", + "proc-macro2", + "prost-build 0.11.9", + "quote", + "syn 1.0.109", +] + [[package]] name = "tonic-build" version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" dependencies = [ - "prettyplease", + "prettyplease 0.2.20", "proc-macro2", - "prost-build", + "prost-build 0.12.6", "quote", "syn 2.0.60", ] @@ -5594,8 +5903,8 @@ dependencies = [ "asn1-rs", "assert-json-diff", "async-trait", - "az-snp-vtpm", - "az-tdx-vtpm", + "az-snp-vtpm 0.5.3", + "az-tdx-vtpm 0.5.3", "base64 0.21.7", "bincode", "byteorder", @@ -5624,7 +5933,7 @@ dependencies = [ "strum", "thiserror", "tokio", - "tonic-build", + "tonic-build 0.11.0", "veraison-apiclient", "x509-parser", ] @@ -5970,6 +6279,15 @@ version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" +[[package]] +name = "winnow" +version = "0.6.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "59b5e5f6c299a3c7890b876a2a587f3115162487e704907d9b6cd29473052ba1" +dependencies = [ + "memchr", +] + [[package]] name = "winreg" version = "0.50.0" @@ -6026,6 +6344,12 @@ dependencies = [ "num-bigint", ] +[[package]] +name = "yasna" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" + [[package]] name = "zerocopy" version = "0.7.32" diff --git a/Cargo.toml b/Cargo.toml index 06feea9254..3d7bd6bbc9 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -29,7 +29,9 @@ config = "0.13.3" env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } kbs-types = "0.6.0" +kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" @@ -44,7 +46,7 @@ sha2 = "0.10" shadow-rs = "0.19.0" strum = { version = "0.25", features = ["derive"] } thiserror = "1.0" -tokio = { version = "1.23.0", features = ["full"] } +tokio = { version = "1", features = ["full"] } tempfile = "3.4.0" tonic = "0.11" tonic-build = "0.11" \ No newline at end of file diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 98f08db18c..a983769c56 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -42,6 +42,9 @@ rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"] # Use openssl crypto stack for KBS openssl = ["actix-web/openssl", "dep:openssl"] +# Use aliyun KMS as KBS backend +aliyun = ["kms/aliyun"] + [dependencies] actix-web.workspace = true actix-web-httpauth.workspace = true @@ -57,6 +60,7 @@ env_logger.workspace = true jsonwebtoken = { workspace = true, default-features = false, optional = true } jwt-simple.workspace = true kbs-types.workspace = true +kms = { workspace = true, default-features = false } lazy_static = "1.4.0" log.workspace = true mobc = { version = "0.8.3", optional = true } diff --git a/kbs/src/http/resource.rs b/kbs/src/http/resource.rs index b4045ef5dd..c0f17265b3 100644 --- a/kbs/src/http/resource.rs +++ b/kbs/src/http/resource.rs 
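Review bot: In `kbs/Cargo.toml`, `kms` is added to `[dependencies]` as a mandatory crate while the `aliyun` feature only switches on `kms/aliyun`, so every KBS build compiles the `kms` crate from the guest-components git revision even when no KMS backend is wanted. The only use visible in this commit is `kbs/src/resource/aliyun_kms.rs`, which is itself behind `#[cfg(feature = "aliyun")]`. Making the dependency optional keeps the default build's dependency set smaller: `kms = { workspace = true, default-features = false, optional = true }` together with `aliyun = ["dep:kms", "kms/aliyun"]` (the file already uses `dep:` for `rustls` and `openssl`). This applies to both the `@@ -42,6 +42,9 @@` and `@@ -57,6 +60,7 @@` hunks of that file.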
@@ -118,7 +118,7 @@ pub(crate) async fn get_resource( .await .read_secret_resource(resource_description) .await - .map_err(|e| Error::ReadSecretFailed(e.to_string()))?; + .map_err(|e| Error::ReadSecretFailed(format!("{e:?}")))?; let jwe = jwe(pubkey, resource_byte)?; diff --git a/kbs/src/resource/aliyun_kms.rs b/kbs/src/resource/aliyun_kms.rs new file mode 100644 index 0000000000..0c380f67fb --- /dev/null +++ b/kbs/src/resource/aliyun_kms.rs @@ -0,0 +1,59 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use super::{Repository, ResourceDesc}; +use anyhow::{Context, Result}; +use kms::{plugins::aliyun::AliyunKmsClient, Annotations, Getter}; +use log::info; +use serde::Deserialize; + +#[derive(Debug, Deserialize, Clone)] +pub struct AliyunKmsBackendConfig { + client_key: String, + kms_instance_id: String, + password: String, + cert_pem: String, +} + +pub struct AliyunKmsBackend { + client: AliyunKmsClient, +} + +#[async_trait::async_trait] +impl Repository for AliyunKmsBackend { + async fn read_secret_resource(&self, resource_desc: ResourceDesc) -> Result> { + info!( + "Use aliyun KMS backend. Ignore {}/{}", + resource_desc.repository_name, resource_desc.resource_type + ); + let name = resource_desc.resource_tag; + let resource_bytes = self + .client + .get_secret(&name, &Annotations::default()) + .await + .context("failed to get resource from aliyun KMS")?; + Ok(resource_bytes) + } + + async fn write_secret_resource( + &mut self, + _resource_desc: ResourceDesc, + _data: &[u8], + ) -> Result<()> { + todo!("Does not support!") + } +} + +impl AliyunKmsBackend { + pub fn new(repo_desc: &AliyunKmsBackendConfig) -> Result { + let client = AliyunKmsClient::new( + &repo_desc.client_key, + &repo_desc.kms_instance_id, + &repo_desc.password, + &repo_desc.cert_pem, + ) + .context("create aliyun KMS backend")?; + Ok(Self { client }) + } +} 
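Review bot: Formatting the error with `{e:?}` in `get_resource` puts the whole `anyhow` cause chain, and a backtrace when one was captured, into `Error::ReadSecretFailed`. If that string is returned in the HTTP response, which this hunk does not show, a client asking for a missing or denied resource learns backend details such as KMS error text. I would keep the response text short and log the detail on the server, e.g. `.map_err(|e| { log::error!("read secret failed: {e:?}"); Error::ReadSecretFailed(e.to_string()) })?;`. `get_resource` starts and ends outside the hunk.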
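Review bot: `AliyunKmsBackendConfig` derives `Debug` while holding `client_key` and `password`, and `RepositoryConfig` in `kbs/src/resource/mod.rs` derives `Debug` over it, so any `{:?}` of the configuration writes the KMS credentials to the log. A hand-written `Debug` that prints only non-secret fields avoids that, as in the fence below. Separately, `write_secret_resource` uses `todo!("Does not support!")`, which panics instead of returning an error if a write ever reaches this backend; `anyhow::bail!("aliyun KMS backend does not support writing resources")` keeps the failure on the normal error path. `read_secret_resource` also looks up the secret by `resource_tag` alone, so two resource paths with the same tag resolve to the same secret, which deserves a doc comment on the backend.

```rust
#[derive(Deserialize, Clone)]
pub struct AliyunKmsBackendConfig {
    // … unchanged: client_key, kms_instance_id, password, cert_pem …
}

// Hand-written so that logging the repository configuration never prints credentials.
impl std::fmt::Debug for AliyunKmsBackendConfig {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("AliyunKmsBackendConfig")
            .field("kms_instance_id", &self.kms_instance_id)
            .finish_non_exhaustive()
    }
}
```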
diff --git a/kbs/src/resource/mod.rs b/kbs/src/resource/mod.rs index f548c5903f..7f5ce4228a 100644 --- a/kbs/src/resource/mod.rs +++ b/kbs/src/resource/mod.rs @@ -7,11 +7,13 @@ use serde::Deserialize; use std::fs; use std::path::Path; use std::sync::Arc; -use strum::EnumString; use tokio::sync::RwLock; mod local_fs; +#[cfg(feature = "aliyun")] +mod aliyun_kms; + /// Interface of a `Repository`. #[async_trait::async_trait] pub trait Repository { @@ -46,10 +48,13 @@ impl ResourceDesc { } } -#[derive(Clone, Debug, Deserialize, EnumString)] +#[derive(Clone, Debug, Deserialize)] #[serde(tag = "type")] pub enum RepositoryConfig { LocalFs(local_fs::LocalFsRepoDesc), + + #[cfg(feature = "aliyun")] + Aliyun(aliyun_kms::AliyunKmsBackendConfig), } impl RepositoryConfig { @@ -73,6 +78,11 @@ impl RepositoryConfig { Ok(Arc::new(RwLock::new(local_fs::LocalFs::new(desc)?)) as Arc>) } + #[cfg(feature = "aliyun")] + Self::Aliyun(config) => { + let client = aliyun_kms::AliyunKmsBackend::new(config)?; + Ok(Arc::new(RwLock::new(client)) as Arc>) + } } } } diff --git a/tools/kbs-client/Cargo.toml b/tools/kbs-client/Cargo.toml index 83085dc04e..c960e62c13 100644 --- a/tools/kbs-client/Cargo.toml +++ b/tools/kbs-client/Cargo.toml @@ -18,7 +18,7 @@ base64.workspace = true clap = { version = "4.0.29", features = ["derive"] } env_logger.workspace = true jwt-simple.workspace = true -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="df60725afe0ba452a25a740cf460c2855442c49a", default-features = false } +kbs_protocol = { workspace = true, default-features = false } log.workspace = true reqwest = { workspace = true, default-features = false, features = ["cookies", "json"] } serde = { workspace = true, features = ["derive"] } From 46aaa6aafccb32c08e4a2a3961e39b5f2c9710a7 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Sat, 20 Jul 2024 14:32:45 +0800 Subject: [PATCH 040/298] kbs: update docs, dockerfiles and Makefile for aliyun backend 
Signed-off-by: Xynnn007 --- kbs/Makefile | 12 +++++++++--- kbs/README.md | 11 +++++++++-- kbs/docker/Dockerfile | 6 ++++-- kbs/docker/coco-as-grpc/Dockerfile | 6 ++++-- kbs/docker/intel-trust-authority/Dockerfile | 6 ++++-- kbs/docs/config.md | 17 +++++++++++++---- kbs/docs/resource_repository.md | 11 ++++++++++- 7 files changed, 53 insertions(+), 16 deletions(-) diff --git a/kbs/Makefile b/kbs/Makefile index c5b6190ce6..f1cef76e70 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -1,6 +1,7 @@ AS_TYPE ?= coco-as HTTPS_CRYPTO ?= rustls POLICY_ENGINE ?= +ALIYUN ?= false ARCH := $(shell uname -m) # Check if ARCH is supported, otehrwise return error @@ -10,6 +11,7 @@ endif CLI_FEATURES ?= ATTESTER ?= +FEATURES ?= COCO_AS_INTEGRATION_TYPE ?= builtin @@ -21,6 +23,10 @@ else AS_FEATURE = $(AS_TYPE) endif +ifeq ($(ALIYUN), true) + FEATURES += aliyun +endif + ifndef CLI_FEATURES ifdef ATTESTER CLI_FEATURES = "sample_only,$(ATTESTER)" @@ -33,16 +39,16 @@ build: background-check-kbs .PHONY: background-check-kbs background-check-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE) + cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE),$(FEATURES) .PHONY: passport-issuer-kbs passport-issuer-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO) + cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO),$(FEATURES) mv ../target/release/kbs ../target/release/issuer-kbs .PHONY: passport-resource-kbs passport-resource-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE) + cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE),$(FEATURES) mv ../target/release/kbs ../target/release/resource-kbs .PHONY: cli 
diff --git a/kbs/README.md b/kbs/README.md index f683df3c5c..fd322f3ab3 100644 --- a/kbs/README.md +++ b/kbs/README.md @@ -90,7 +90,7 @@ The Makefile supports a number of other configuration parameters. For example, ```shell -make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] +make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?] ``` The parameters @@ -99,7 +99,7 @@ The parameters if it is not required. - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`. - `COCO_AS_INTEGRATION_TYPE`: The KBS can connect to the CoCo AS in multiple ways. `COCO_AS_INTEGRATION_TYPE` can be set either to `grpc` or `builtin`. With `grpc` the KBS will make a remote connection to the AS. If you are manually building and configuring the components, you'll need to set them up so that this connection can be established. Similar to passport mode, the remote AS can be useful if secret provisioning and attestation verification are not in the same scope. With `builtin` the KBA uses the AS as a crate. This is recommended if you want to avoid the complexity of a remote connection. - +- `ALIYUN`: The kbs support aliyun KMS as secret storage backend. `true` to enable building this feature. By default it is `false`. ## HTTPS Support The KBS can use HTTPS. This requires a crypto backend. 
@@ -108,6 +108,13 @@ The options are `rustls` and `openssl`. The default is `rustls`. If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md). +## Storage Backend + +The KBS can use different backend storage. `LocalFs` will always be builtin. +`ALIYUN` determines whether aliyun kms support will be built. The options +are `true` or `false` (by defult). Please refer to [the document](docs/config.md#repository-configuration) +for more details. + ## References ### Attestation Protocol diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index 8e8ebab14f..2831d6a5b8 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -1,6 +1,7 @@ FROM rust:slim as builder ARG ARCH=x86_64 ARG HTTPS_CRYPTO=rustls +ARG ALIYUN=false ENV DEBIAN_FRONTEND noninteractive @@ -36,7 +37,8 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s WORKDIR /usr/src/kbs COPY . . -RUN cargo install --locked --path kbs --bin kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO} +RUN cd kbs && make AS_FEATURE=coco-as-builtin HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ + make install-kbs FROM ubuntu:22.04 ARG ARCH=x86_64 @@ -60,4 +62,4 @@ RUN apt-get update && \ apt clean all && \ rm -rf /tmp/* -COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile index 77ca1f82fe..2a96e9045d 100644 --- a/kbs/docker/coco-as-grpc/Dockerfile +++ b/kbs/docker/coco-as-grpc/Dockerfile @@ -1,6 +1,7 @@ FROM rust:latest as builder ARG ARCH=x86_64 ARG HTTPS_CRYPTO=rustls +ARG ALIYUN=false WORKDIR /usr/src/kbs COPY . . 
@@ -8,10 +9,11 @@ COPY . . RUN apt-get update && apt install -y protobuf-compiler git # Build and Install KBS -RUN cargo install --path kbs --bin kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO} +RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ + make install-kbs FROM ubuntu:22.04 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/kbs" -COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile index 31679df855..a2b4f650e2 100644 --- a/kbs/docker/intel-trust-authority/Dockerfile +++ b/kbs/docker/intel-trust-authority/Dockerfile @@ -1,5 +1,6 @@ FROM rust:latest as builder ARG HTTPS_CRYPTO=rustls +ARG ALIYUN=false WORKDIR /usr/src/kbs COPY . . @@ -7,7 +8,8 @@ COPY . . RUN apt-get update && apt install -y git # Build and Install KBS -RUN cargo install --path kbs --bin kbs --no-default-features --features intel-trust-authority-as,${HTTPS_CRYPTO},resource,opa +RUN cd kbs && make AS_FEATURE=intel-trust-authority-as HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ + make install-kbs FROM ubuntu:22.04 @@ -15,4 +17,4 @@ LABEL org.opencontainers.image.source="https://github.com/confidential-container RUN apt update && apt install -y ca-certificates -COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docs/config.md b/kbs/docs/config.md index fa2ccc79df..5c9de577a2 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
@@ -54,11 +54,11 @@ This section is **optional**. When omitted, a default configuration is used. Repository configuration is **specific to a repository type**. See the following sections for type-specific properties. ->This section is available only when the `resource` feature is enabled. +>This section is available only when the `resource` feature is enabled. Only one repository is available at a time. -| Property | Type | Description | Required | Default | -|----------|--------|-------------------------------------------------------|----------|-----------| -| `type` | String | The resource repository type. Valid values: `LocalFs` | Yes | - | +| Property | Type | Description | Required | Default | +|----------|--------|-----------------------------------------------------------------|----------|-----------| +| `type` | String | The resource repository type. Valid values: `LocalFs`, `Aliyun` | Yes | `LocalFs` | **`LocalFs` Properties** @@ -66,6 +66,15 @@ type-specific properties. |------------|--------|---------------------------------|----------|-----------------------------------------------------| | `dir_path` | String | Path to a repository directory. | No | `/opt/confidential-containers/kbs/repository` | +**`Aliyun` Properties** + +| Property | Type | Description | Required | Example | +|-------------------|--------|-----------------------------------|----------|-----------------------------------------------------| +| `client_key` | String | The KMS instance's AAP client key | Yes | `{"KeyId": "KA..", "PrivateKeyData": "MIIJqwI..."}` | +| `kms_instance_id` | String | The KMS instance id | Yes | `kst-shh668f7...` | +| `password` | String | AAP client key password | Yes | `8f9989c18d27...` | +| `cert_pem` | String | CA cert for the KMS instance | Yes | `-----BEGIN CERTIFICATE----- ...` | + ### Native Attestation The following properties can be set under the `as_config` section. 
diff --git a/kbs/docs/resource_repository.md b/kbs/docs/resource_repository.md index 7caaab50cc..ba95b55e9c 100644 --- a/kbs/docs/resource_repository.md +++ b/kbs/docs/resource_repository.md @@ -19,4 +19,13 @@ defined below: | `file://<$(KBS_REPOSITORY_DIR)>///` | `https:///kbs/v0/resource///` | The KBS root file system resource path is specified in the KBS config file -as well, and the default value is `/opt/confidential-containers/kbs/repository`. \ No newline at end of file +as well, and the default value is `/opt/confidential-containers/kbs/repository`. + +### Aliyun KMS + +[Alibaba Cloud KMS](https://www.alibabacloud.com/en/product/kms?_p_lc=1)(a.k.a Aliyun KMS) +can also work as the KBS resource storage backend. +In this mode, resources will be stored with [generic secrets](https://www.alibabacloud.com/help/en/kms/user-guide/manage-and-use-generic-secrets?spm=a2c63.p38356.0.0.dc4d24f7s0ZuW7) in a [KMS instance](https://www.alibabacloud.com/help/en/kms/user-guide/kms-overview?spm=a2c63.p38356.0.0.4aacf9e6V7IQGW). +One KBS can be configured with a specified KMS instance in `repository_config` field of KBS launch config. For config, see the [document](./config.md#repository-configuration). +These materials can be found in KMS instance's [AAP](https://www.alibabacloud.com/help/en/kms/user-guide/manage-aaps?spm=a3c0i.23458820.2359477120.1.4fd96e9bmEFST4). +When being accessed, a resource URI of `kbs:///repo/type/tag` will be translated into the generic secret with name `tag`. Hinting that `repo/type` field will be ignored. \ No newline at end of file From 1df25c2afee5dc92e9474809c0a8392bc0c08767 Mon Sep 17 00:00:00 2001 
From: Hyounggyu Choi Date: Wed, 31 Jul 2024 09:21:00 +0200 Subject: [PATCH 041/298] GHA: Remove {pre,post}-action steps for self-hosted runners The following hooks: - ACTIONS_RUNNER_HOOK_JOB_STARTED - ACTIONS_RUNNER_HOOK_JOB_COMPLETED could perfectly replace the existing {pre,post}-action scripts and will make a workflow independent of the runner context. This commit wipes out all GHA steps where the actions are triggered. Signed-off-by: Hyounggyu Choi --- .github/workflows/push-as-image-to-ghcr.yml | 16 ---------------- .github/workflows/push-kbs-client-to-ghcr.yml | 16 ---------------- .github/workflows/push-kbs-image-to-ghcr.yml | 16 ---------------- 3 files changed, 48 deletions(-) diff --git a/.github/workflows/push-as-image-to-ghcr.yml b/.github/workflows/push-as-image-to-ghcr.yml index 667081ba83..5b1ecbc435 100644 --- a/.github/workflows/push-as-image-to-ghcr.yml +++ b/.github/workflows/push-as-image-to-ghcr.yml @@ -32,14 +32,6 @@ jobs: runs-on: ${{ matrix.instance }} steps: - - name: Take a pre-action for self-hosted runner - run: | - # NOTE: Use file checking instead triggering a step based on a runner type - # to avoid updating the step for each new self-hosted runner. - if [ -f "${HOME}/script/pre_action.sh" ]; then - "${HOME}/script/pre_action.sh" cc-trustee - fi - - name: Checkout code uses: actions/checkout@v4 @@ -61,14 +53,6 @@ jobs: -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" . - - name: Take a post-action for self-hosted runner - if: always() - run: | - # Please check out the note in the pre-action step for the reason of using file checking - if [ -f "${HOME}/script/post_action.sh" ]; then - "${HOME}/script/post_action.sh" cc-trustee - fi - publish_multi_arch_image: needs: build_and_push permissions: 
diff --git a/.github/workflows/push-kbs-client-to-ghcr.yml b/.github/workflows/push-kbs-client-to-ghcr.yml index fd32f5de98..49c5d35354 100644 --- a/.github/workflows/push-kbs-client-to-ghcr.yml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -21,14 +21,6 @@ jobs: packages: write steps: - - name: Take a pre-action for self-hosted runner - run: | - # NOTE: Use file checking instead triggering a step based on a runner type - # to avoid updating the step for each new self-hosted runner. - if [ -f "${HOME}/script/pre_action.sh" ]; then - "${HOME}/script/pre_action.sh" cc-trustee - fi - - name: Check out code uses: actions/checkout@v4 @@ -60,11 +52,3 @@ jobs: if [ "$(uname -m)" = "x86_64" ]; then oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client fi - - - name: Take a post-action for self-hosted runner - if: always() - run: | - # Please check out the note in the pre-action step for the reason of using file checking - if [ -f "${HOME}/script/post_action.sh" ]; then - "${HOME}/script/post_action.sh" cc-trustee - fi diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml index 7fa2523214..4c4a25e9ef 100644 --- a/.github/workflows/push-kbs-image-to-ghcr.yml +++ b/.github/workflows/push-kbs-image-to-ghcr.yml @@ -39,14 +39,6 @@ jobs: runs-on: ${{ matrix.instance }} steps: - - name: Take a pre-action for self-hosted runner - run: | - # NOTE: Use file checking instead triggering a step based on a runner type - # to avoid updating the step for each new self-hosted runner. - if [ -f "${HOME}/script/pre_action.sh" ]; then - "${HOME}/script/pre_action.sh" cc-trustee - fi - - name: Checkout code uses: actions/checkout@v4 
@@ -71,14 +63,6 @@ jobs: -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \ --build-arg ARCH="${arch}" --build-arg HTTPS_CRYPTO="${https_crypto}" . - - name: Take a post-action for self-hosted runner - if: always() - run: | - # Please check out the note in the pre-action step for the reason of using file checking - if [ -f "${HOME}/script/post_action.sh" ]; then - "${HOME}/script/post_action.sh" cc-trustee - fi - publish_multi_arch_image: needs: build_and_push strategy: From 1ad82a76333d04179498b58c3b6a4d22b9b68c8a Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Wed, 31 Jul 2024 12:57:14 +0800 Subject: [PATCH 042/298] kbs: Fix rate limit error with busybox Fix rate limit error with docker.io/library/busybox:latest. ``` Warning Failed 76s kubelet Failed to pull image "busybox": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/busybox:latest": failed to copy: httpReadSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/library/busybox/manifests/sha256:50aa4698fa6262977cff89181b2664b99d8a56dbca847bf62f2ef04854597cf8: 429 Too Many Requests - Server message: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit ``` Signed-off-by: ChengyuZhu6 --- kbs/config/kubernetes/base/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/config/kubernetes/base/deployment.yaml b/kbs/config/kubernetes/base/deployment.yaml index c1a17de953..2e53192642 100644 --- a/kbs/config/kubernetes/base/deployment.yaml +++ b/kbs/config/kubernetes/base/deployment.yaml @@ -17,7 +17,7 @@ spec: - sh - -c - cp -r /config/$(dirname $(readlink /config/policy.rego))/* /opa/confidential-containers/kbs/ - image: busybox + image: quay.io/prometheus/busybox:latest imagePullPolicy: Always name: copy-config volumeMounts: 
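Review bot: The replacement image `quay.io/prometheus/busybox:latest` is a mutable tag in a repository owned by another project, and with `imagePullPolicy: Always` every pod start pulls whatever that tag points to at that moment. The `copy-config` container is the one that copies the policy files into the KBS volume, so what it runs matters for the integrity of the deployment. Pinning by digest keeps the rate-limit fix and makes the image reviewable: `image: quay.io/prometheus/busybox@sha256:<digest-of-reviewed-image>` (placeholder, to be filled with the digest actually vetted), or mirror busybox into a registry the project controls. The container spec starts and ends outside this hunk.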
From 4ff1686d161a92f7529de00f96d585951a653180 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Tue, 30 Jul 2024 18:58:49 +0300 Subject: [PATCH 043/298] kbs: add ProtocolVersion error kbs already supports checking the Request version but any version mismatch is not correctly returned to the client (nor checked by the current RCAR client handshake). Add an explicit kbs ProtocolVersion error that is returned when the Request version is higher than what the KBS claims to support. Signed-off-by: Mikko Ylinen --- kbs/src/http/attest.rs | 27 +++++++++++++++++++++++++++ kbs/src/http/error.rs | 4 ++++ kbs/src/lib.rs | 22 ++-------------------- kbs/src/session.rs | 7 +------ 4 files changed, 34 insertions(+), 26 deletions(-) diff --git a/kbs/src/http/attest.rs b/kbs/src/http/attest.rs index c8dd2426ed..5089fc00de 100644 --- a/kbs/src/http/attest.rs +++ b/kbs/src/http/attest.rs @@ -11,8 +11,27 @@ use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD}; use base64::Engine; use kbs_types::Challenge; use log::{debug, error, info}; +use semver::{BuildMetadata, Prerelease, Version, VersionReq}; use serde_json::json; +static KBS_MAJOR_VERSION: u64 = 0; +static KBS_MINOR_VERSION: u64 = 1; +static KBS_PATCH_VERSION: u64 = 0; + +lazy_static! { + static ref VERSION_REQ: VersionReq = { + let kbs_version = Version { + major: KBS_MAJOR_VERSION, + minor: KBS_MINOR_VERSION, + patch: KBS_PATCH_VERSION, + pre: Prerelease::EMPTY, + build: BuildMetadata::EMPTY, + }; + + VersionReq::parse(&format!("<={kbs_version}")).unwrap() + }; +} + /// POST /auth pub(crate) async fn auth( request: web::Json, 
@@ -22,6 +41,14 @@ pub(crate) async fn auth( ) -> Result { info!("Auth API called."); debug!("Auth Request: {:?}", &request); + let version = Version::parse(&request.version).unwrap(); + if !VERSION_REQ.matches(&version) { + raise_error!(Error::ProtocolVersion(format!( + "expected version: {}, requested version: {}", + *VERSION_REQ, + request.version.clone() + ))); + } let challenge = attestation_service .generate_challenge(request.tee, request.extra_params.clone()) diff --git a/kbs/src/http/error.rs b/kbs/src/http/error.rs index 147cc3e331..d278e2d8f3 100644 --- a/kbs/src/http/error.rs +++ b/kbs/src/http/error.rs @@ -58,6 +58,9 @@ pub enum Error { #[error("Resource not permitted.")] PolicyReject, + #[error("KBS Client Protocol Version Mismatch: {0}")] + ProtocolVersion(String), + #[error("Public key get failed: {0}")] PublicKeyGetFailed(String), @@ -140,6 +143,7 @@ mod tests { #[case(Error::JWEFailed("test".into()))] #[case(Error::PolicyEndpoint("test".into()))] #[case(Error::PolicyReject)] + #[case(Error::ProtocolVersion("test".into()))] #[case(Error::PublicKeyGetFailed("test".into()))] #[case(Error::ReadSecretFailed("test".into()))] #[case(Error::SetSecretFailed("test".into()))] diff --git a/kbs/src/lib.rs b/kbs/src/lib.rs index 1eb7523e81..5d51775981 100644 --- a/kbs/src/lib.rs +++ b/kbs/src/lib.rs @@ -24,7 +24,6 @@ use attestation::AttestationService; use jwt_simple::prelude::Ed25519PublicKey; #[cfg(feature = "resource")] use resource::RepositoryConfig; -use semver::{BuildMetadata, Prerelease, Version, VersionReq}; #[cfg(feature = "as")] use std::sync::Arc; use std::{net::SocketAddr, path::PathBuf}; 
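Review bot: `Version::parse(&request.version).unwrap()` at the top of `auth` panics whenever the `version` field is not valid semver, and that field comes straight from the client's request body, so a malformed request ends in a handler panic instead of an error response. The check this commit removes from `SessionStatus::auth` propagated the parse failure with `map_err(...)?`. The new error variant fits the parse failure as well: `let Ok(version) = Version::parse(&request.version) else { raise_error!(Error::ProtocolVersion(format!("invalid version: {}", request.version))) };`. This assumes `raise_error!` returns from the handler, as its use a few lines below suggests. The body of `auth` continues outside the hunk.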
@@ -68,28 +67,11 @@ mod token; /// Resource Policy Engine pub mod policy_engine; -static KBS_PREFIX: &str = "/kbs"; -static KBS_MAJOR_VERSION: u64 = 0; -static KBS_MINOR_VERSION: u64 = 1; -static KBS_PATCH_VERSION: u64 = 0; - -lazy_static! { - static ref VERSION_REQ: VersionReq = { - let kbs_version = Version { - major: KBS_MAJOR_VERSION, - minor: KBS_MINOR_VERSION, - patch: KBS_PATCH_VERSION, - pre: Prerelease::EMPTY, - build: BuildMetadata::EMPTY, - }; - - VersionReq::parse(&format!("<={kbs_version}")).unwrap() - }; -} +static KBS_PREFIX: &str = "/kbs/v0"; macro_rules! kbs_path { ($path:expr) => { - format!("{}/v{}/{}", KBS_PREFIX, KBS_MAJOR_VERSION, $path) + format!("{}/{}", KBS_PREFIX, $path) }; } diff --git a/kbs/src/session.rs b/kbs/src/session.rs index 6c075defd7..ec2169d3be 100644 --- a/kbs/src/session.rs +++ b/kbs/src/session.rs @@ -6,10 +6,9 @@ use actix_web::cookie::{ time::{Duration, OffsetDateTime}, Cookie, }; -use anyhow::{bail, Result}; +use anyhow::Result; use kbs_types::{Challenge, Request}; use log::warn; -use semver::Version; use uuid::Uuid; pub(crate) static KBS_SESSION_ID: &str = "kbs-session-id"; @@ -52,10 +51,6 @@ macro_rules! impl_member { impl SessionStatus { pub fn auth(request: Request, timeout: i64, challenge: Challenge) -> Result { - let version = Version::parse(&request.version).map_err(anyhow::Error::from)?; - if !crate::VERSION_REQ.matches(&version) { - bail!("Invalid Request version {}", request.version); - } let id = Uuid::new_v4().as_simple().to_string(); let timeout = OffsetDateTime::now_utc() + Duration::minutes(timeout); From 25ad33000e01e1de5061482a1d7100cb81ed17c8 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 26 Jul 2024 14:43:09 +0300 Subject: [PATCH 044/298] ci: fix doc_lazy_continuation checks added in rust 1.80.0 Signed-off-by: Mikko Ylinen --- attestation-service/src/lib.rs | 16 ++++++++-------- rvps/src/reference_value.rs | 10 +++++----- 2 files changed, 13 insertions(+), 13 deletions(-) 
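Review bot: `KBS_PREFIX` now hard-codes `"/kbs/v0"` while `KBS_MAJOR_VERSION` has moved to `http/attest.rs`, so the URL version segment and the protocol version checked in `auth` are no longer derived from one constant, as they were in the removed `kbs_path!` body. Nothing will flag the mismatch if only one of them is bumped. A comment on the constant would at least make the coupling visible: `// "v0" must match KBS_MAJOR_VERSION in http/attest.rs`.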
diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index f987b4305e..7307ac77ac 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs @@ -154,19 +154,19 @@ impl AttestationService { /// Evaluate Attestation Evidence. /// Issue an attestation results token which contain TCB status and TEE public key. Input parameters: /// - `evidence`: TEE evidence bytes. This might not be the raw hardware evidence bytes. Definitions - /// are in `verifier` crate. + /// are in `verifier` crate. /// - `tee`: concrete TEE type /// - `runtime_data`: These data field will be used to check against the counterpart inside the evidence. - /// The concrete way of checking is decide by the enum type. If this parameter is set `None`, the comparation - /// will not be performed. + /// The concrete way of checking is decide by the enum type. If this parameter is set `None`, the comparation + /// will not be performed. /// - `init_data`: These data field will be used to check against the counterpart inside the evidence. - /// The concrete way of checking is decide by the enum type. If this parameter is set `None`, the comparation - /// will not be performed. + /// The concrete way of checking is decide by the enum type. If this parameter is set `None`, the comparation + /// will not be performed. /// - `hash_algorithm`: The hash algorithm that is used to calculate the digest of `runtime_data` and - /// `init_data`. + /// `init_data`. /// - `policy_ids`: The policy ids that used to check this evidence. Any check fails against a policy will - /// not cause this function to return error. The result check against every policy will be included inside - /// the finally Token returned by CoCo-AS. + /// not cause this function to return error. The result check against every policy will be included inside + /// the finally Token returned by CoCo-AS. #[allow(clippy::too_many_arguments)] pub async fn evaluate( &self, 
diff --git a/rvps/src/reference_value.rs b/rvps/src/reference_value.rs index f644cce722..4e5877649b 100644 --- a/rvps/src/reference_value.rs +++ b/rvps/src/reference_value.rs @@ -55,10 +55,10 @@ fn primitive_date_time_from_str<'de, D: Deserializer<'de>>( /// * `name`: name of the artifact related to this reference value. /// * `expired`: expired time for this reference value. /// * `hash_value`: A set of key-value pairs, each indicates a hash -/// algorithm and its relative hash value for the artifact. -/// The actual struct deliver from RVPS to AS is -/// [`TrustedDigest`], whose simple structure is easy -/// for AS to handle. +/// algorithm and its relative hash value for the artifact. +/// The actual struct deliver from RVPS to AS is +/// [`TrustedDigest`], whose simple structure is easy +/// for AS to handle. #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq)] pub struct ReferenceValue { #[serde(default = "default_version")] @@ -140,7 +140,7 @@ impl ReferenceValue { /// AS, it will include: /// * `name`: The name of the artifact, e.g., `linux-1.1.1` /// * `hash_values`: digests that have been verified and can -/// be trusted, so we can refer them as `trusted digests`. +/// be trusted, so we can refer them as `trusted digests`. #[derive(Serialize, Deserialize, Clone, Default, Debug, PartialEq, Eq)] pub struct TrustedDigest { /// The resource name. From 249f62e31126666b7cf48fed7864f3f913ac15c1 Mon Sep 17 00:00:00 2001 From: "James O. D. Hunt" Date: Thu, 1 Aug 2024 13:54:09 +0100 Subject: [PATCH 045/298] kbs: Refactor nonce handling Create a common function to generate a nonce, and add a unit test for it. Signed-off-by: James O. D. Hunt --- kbs/src/attestation/coco/builtin.rs | 14 +------ kbs/src/attestation/coco/grpc.rs | 12 +----- kbs/src/attestation/mod.rs | 63 ++++++++++++++++++++++++++--- 3 files changed, 61 insertions(+), 28 deletions(-) 
diff --git a/kbs/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs index 1433b5f702..c5a194e8fe 100644 --- a/kbs/src/attestation/coco/builtin.rs +++ b/kbs/src/attestation/coco/builtin.rs @@ -2,13 +2,11 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use crate::attestation::Attest; +use crate::attestation::{make_nonce, Attest}; use anyhow::*; use async_trait::async_trait; use attestation_service::{config::Config as AsConfig, AttestationService, Data, HashAlgorithm}; -use base64::{engine::general_purpose::STANDARD, Engine}; use kbs_types::{Attestation, Challenge, Tee}; -use rand::{thread_rng, Rng}; use serde_json::json; use tokio::sync::RwLock; @@ -56,15 +54,7 @@ impl Attest for BuiltInCoCoAs { .generate_supplemental_challenge(tee, tee_parameters) .await? } - _ => { - let mut nonce: Vec = vec![0; 32]; - - thread_rng() - .try_fill(&mut nonce[..]) - .map_err(anyhow::Error::from)?; - - STANDARD.encode(&nonce) - } + _ => make_nonce().await?, }; let challenge = Challenge { diff --git a/kbs/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs index 93fefe3f2f..0d61f271bd 100644 --- a/kbs/src/attestation/coco/grpc.rs +++ b/kbs/src/attestation/coco/grpc.rs @@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use crate::attestation::Attest; +use crate::attestation::{make_nonce, Attest}; use anyhow::*; use async_trait::async_trait; use base64::{ @@ -140,15 +140,7 @@ impl Attest for GrpcClientPool { .into_inner() .attestation_challenge } - _ => { - let mut nonce: Vec = vec![0; 32]; - - thread_rng() - .try_fill(&mut nonce[..]) - .map_err(anyhow::Error::from)?; - - STANDARD.encode(&nonce) - } + _ => make_nonce().await?, }; let challenge = Challenge { diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index 87982340a2..bacdd56405 100644 --- a/kbs/src/attestation/mod.rs 
+++ b/kbs/src/attestation/mod.rs @@ -26,6 +26,20 @@ pub mod coco; #[cfg(feature = "intel-trust-authority-as")] pub mod intel_trust_authority; +/// Number of bytes in a nonce. +const NONCE_SIZE_BYTES: usize = 32; + +/// Create a nonce and return as a base-64 encoded string. +pub async fn make_nonce() -> Result { + let mut nonce: Vec = vec![0; NONCE_SIZE_BYTES]; + + thread_rng() + .try_fill(&mut nonce[..]) + .map_err(anyhow::Error::from)?; + + Ok(STANDARD.encode(&nonce)) +} + /// Interface for Attestation Services. /// /// Attestation Service implementations should implement this interface. @@ -42,13 +56,8 @@ pub trait Attest: Send + Sync { /// generate the Challenge to pass to attester based on Tee and nonce async fn generate_challenge(&self, _tee: Tee, _tee_parameters: String) -> Result { - let mut nonce: Vec = vec![0; 32]; - - thread_rng() - .try_fill(&mut nonce[..]) - .map_err(anyhow::Error::from)?; + let nonce = make_nonce().await?; - let nonce = STANDARD.encode(&nonce); Ok(Challenge { nonce, extra_params: String::new(), 
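Review bot: `make_nonce` is declared `async` but its body contains no `.await`, so each caller builds and polls a future that completes immediately. A plain `pub fn make_nonce()` would do, with `.await` dropped at the call sites in `generate_challenge` here and in `coco/builtin.rs` and `coco/grpc.rs`. Since this is now the single place challenge nonces come from, the doc comment could also record what callers rely on, for example `/// Bytes are drawn from rand's thread_rng(), a cryptographically secure generator; a fresh nonce is generated per call.`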
@@ -129,3 +138,45 @@ impl AttestationService { } } } + +#[cfg(test)] +mod tests { + use super::*; + + #[tokio::test] + async fn test_make_nonce() { + const BITS_PER_BYTE: usize = 8; + + /// A base-64 encoded value is this many bits in length. + const BASE64_BITS_CHUNK: usize = 6; + + /// Number of bytes that base64 encoding requires the result to align on. + const BASE64_ROUNDING_MULTIPLE: usize = 4; + + /// The nominal base64 encoded length. + const BASE64_NONCE_LENGTH_UNROUNDED_BYTES: usize = + (NONCE_SIZE_BYTES * BITS_PER_BYTE) / BASE64_BITS_CHUNK; + + /// The actual base64 encoded length is rounded up to the specified multiple. + const EXPECTED_LENGTH_BYTES: usize = + BASE64_NONCE_LENGTH_UNROUNDED_BYTES.next_multiple_of(BASE64_ROUNDING_MULTIPLE); + + // Number of nonce tests to run (arbitrary) + let nonce_count = 13; + + let mut nonces = vec![]; + + for _ in 0..nonce_count { + let nonce = make_nonce().await.unwrap(); + + assert_eq!(nonce.len(), EXPECTED_LENGTH_BYTES); + + let found = nonces.contains(&nonce); + + // The nonces should be unique + assert_eq!(found, false); + + nonces.push(nonce); + } + } +} From a8625e82c699c4e31a4d218716a0314107c2009c Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Wed, 31 Jul 2024 09:32:02 +0800 Subject: [PATCH 046/298] initdata: enhance the initdata spec for PeerPod and IBM SE Added IBM SE fields for initdata Added examples for digest calculation in PeerPod Signed-off-by: Qi Feng Huo --- kbs/docs/initdata.md | 81 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/kbs/docs/initdata.md b/kbs/docs/initdata.md index ce361fc1cd..101971dead 100644 --- a/kbs/docs/initdata.md +++ b/kbs/docs/initdata.md 
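Review bot: `assert_eq!(found, false)` in `test_make_nonce` is the form clippy's `bool_assert_comparison` lint flags; `assert!(!nonces.contains(&nonce));` states the same check without the temporary. The test also only pins the encoded length, so a change that kept the string at 44 characters but altered the underlying byte count would pass. Decoding would check the property `NONCE_SIZE_BYTES` names: `assert_eq!(STANDARD.decode(&nonce).unwrap().len(), NONCE_SIZE_BYTES);`, assuming `STANDARD` and the `Engine` trait are reachable through `use super::*`.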
@@ -182,6 +182,7 @@ attributes, but we select only `mr_config_id` for such use. - AMD SNP: `hostdata`, 32 bytes. - Arm CCA: `CCA_REALM_PERSONALIZATION_VALUE`, 64 bytes. - Intel SGX: `CONFIGID`, 64 bytes. +- IBM SE: `user_data`, 256 bytes. When users want to deploy a TEE, they need to prepare an initdata. The host (probably untrusted) SHOULD start TEE instance with initdata digest as TEE initdata. 
@@ -232,6 +233,86 @@ version = "0.1.0" will apparently get different digests. Thus the concrete use case should ensure both producer side and consumer side use the same encoding. +`[data]` section might be wroten in files separately, in this case, the digest should be calculated based on the static parts, likely in PeerPod. the initdata might be: +```toml +algorithm = "sha384" +version = "0.1.0" + +[data] +"aa.toml" = ''' +[token_configs] +[token_configs.coco_as] +url = 'http://127.0.0.1:8080' + +[token_configs.kbs] +url = 'http://127.0.0.1:8080' +''' + +"cdh.toml" = ''' +socket = 'unix:///run/confidential-containers/cdh.sock' +credentials = [] + +[kbc] +name = 'cc_kbc' +url = 'http://1.2.3.4:8080' +''' + +"policy.rego" = ''' +package agent_policy + +import future.keywords.in +import future.keywords.every + +import input + +# Default values, returned by OPA when rules cannot be evaluated to true. +default CopyFileRequest := false +default CreateContainerRequest := false +default CreateSandboxRequest := true +default DestroySandboxRequest := true +default ExecProcessRequest := false +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default OnlineCPUMemRequest := true +default PullImageRequest := true +default ReadStreamRequest := false +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default SignalProcessRequest := true +default StartContainerRequest := true +default StatsContainerRequest := true +default TtyWinResizeRequest := true +default UpdateEphemeralMountsRequest := true +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := false +''' +``` + +Network tunnel config `daemon.json` will also be added in, like: +```yaml +write_files: +- path: /run/peerpod/daemon.json + content: +- path: /run/peerpod/aa.toml + content: +- path: /run/peerpod/cdh.toml + content: +- path: /run/peerpod/policy.rego + content: 
+``` + +We can generate a meta file like `/run/peerpod/initdata.meta`: +```toml +algorithm = "sha384" +version = "0.1.0" +``` + +Then calculate the digest `/run/peerpod/initdata.digest` based on the algorithm in `/run/peerpod/initdata.meta` and the contents of static files `/run/peerpod/aa.toml`, `/run/peerpod/cdh.toml` and `/run/peerpod/policy.rego`. While `/run/peerpod/daemon.json` will be skipped when calculating the digest because it's dynamical for each instance. + +`/run/peerpod/initdata.digest` could be used by the TEE drivers, likely added in `user_data` in IBM SE. + # Use cases ## Confidential Containers From 785ea9c2be70abef99491f2bbcc836cea5c73eb6 Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Wed, 31 Jul 2024 15:13:22 +0800 Subject: [PATCH 047/298] initdata: add PeerPod initdata link in spec Added initdata link in PeerPod Signed-off-by: Qi Feng Huo --- kbs/docs/initdata.md | 82 ++------------------------------------------ 1 file changed, 2 insertions(+), 80 deletions(-) diff --git a/kbs/docs/initdata.md b/kbs/docs/initdata.md index 101971dead..5f07f47b5c 100644 --- a/kbs/docs/initdata.md +++ b/kbs/docs/initdata.md 
@@ -233,86 +233,6 @@ version = "0.1.0" will apparently get different digests. Thus the concrete use case should ensure both producer side and consumer side use the same encoding. -`[data]` section might be wroten in files separately, in this case, the digest should be calculated based on the static parts, likely in PeerPod. the initdata might be: -```toml -algorithm = "sha384" -version = "0.1.0" - -[data] -"aa.toml" = ''' -[token_configs] -[token_configs.coco_as] -url = 'http://127.0.0.1:8080' - -[token_configs.kbs] -url = 'http://127.0.0.1:8080' -''' - -"cdh.toml" = ''' -socket = 'unix:///run/confidential-containers/cdh.sock' -credentials = [] - -[kbc] -name = 'cc_kbc' -url = 'http://1.2.3.4:8080' -''' - -"policy.rego" = ''' -package agent_policy - -import future.keywords.in -import future.keywords.every - -import input - -# Default values, returned by OPA when rules cannot be evaluated to true. -default CopyFileRequest := false -default CreateContainerRequest := false -default CreateSandboxRequest := true -default DestroySandboxRequest := true -default ExecProcessRequest := false -default GetOOMEventRequest := true -default GuestDetailsRequest := true -default OnlineCPUMemRequest := true -default PullImageRequest := true -default ReadStreamRequest := false -default RemoveContainerRequest := true -default RemoveStaleVirtiofsShareMountsRequest := true -default SignalProcessRequest := true -default StartContainerRequest := true -default StatsContainerRequest := true -default TtyWinResizeRequest := true -default UpdateEphemeralMountsRequest := true -default UpdateInterfaceRequest := true -default UpdateRoutesRequest := true -default WaitProcessRequest := true -default WriteStreamRequest := false -''' -``` - -Network tunnel config `daemon.json` will also be added in, like: -```yaml -write_files: -- path: /run/peerpod/daemon.json - content: -- path: /run/peerpod/aa.toml - content: -- path: /run/peerpod/cdh.toml - content: -- path: /run/peerpod/policy.rego - content: 
-``` - -We can generate a meta file like `/run/peerpod/initdata.meta`: -```toml -algorithm = "sha384" -version = "0.1.0" -``` - -Then calculate the digest `/run/peerpod/initdata.digest` based on the algorithm in `/run/peerpod/initdata.meta` and the contents of static files `/run/peerpod/aa.toml`, `/run/peerpod/cdh.toml` and `/run/peerpod/policy.rego`. While `/run/peerpod/daemon.json` will be skipped when calculating the digest because it's dynamical for each instance. - -`/run/peerpod/initdata.digest` could be used by the TEE drivers, likely added in `user_data` in IBM SE. - # Use cases ## Confidential Containers @@ -321,6 +241,8 @@ Confidential Containers (CoCo) leverages Initdata to inject configurations like [kata-agent's policy](https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/how-to-use-the-kata-agent-policy.md), configurations for [guest components](https://github.com/confidential-containers/guest-components). +Approach in [Confidential Containers PeerPod](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/docs/initdata.md) + The encoding of initdata is TOML. To establish the integrity of the initdata data, CoCo software inside TEE: From f8df2b749c60ad5ddc1a99083c85779e5e973917 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Aug 2024 01:15:58 +0000 Subject: [PATCH 048/298] build(deps): bump serde from 1.0.200 to 1.0.205 Bumps [serde](https://github.com/serde-rs/serde) from 1.0.200 to 1.0.205. - [Release notes](https://github.com/serde-rs/serde/releases) - [Commits](https://github.com/serde-rs/serde/compare/v1.0.200...v1.0.205) --- updated-dependencies: - dependency-name: serde dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index ca9cf35d28..c8dffe68c3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4738,9 +4738,9 @@ checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca" [[package]] name = "serde" -version = "1.0.200" +version = "1.0.205" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ddc6f9cc94d67c0e21aaf7eda3a010fd3af78ebf6e096aa6e2e13c79749cce4f" +checksum = "e33aedb1a7135da52b7c21791455563facbbcc43d0f0f66165b42c21b3dfb150" dependencies = [ "serde_derive", ] @@ -4765,9 +4765,9 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.200" +version = "1.0.205" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "856f046b9400cee3c8c94ed572ecdb752444c24528c035cd35882aad6f492bcb" +checksum = "692d6f5ac90220161d6774db30c662202721e64aed9058d2c394f451261420c1" dependencies = [ "proc-macro2", "quote", From 44d48b6002d3be9a5438c00d223f69b40b6cf70e Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Fri, 9 Aug 2024 09:56:38 +0800 Subject: [PATCH 049/298] ibmse: SKIP_CERTS_VERIFICATION for all image Enable release image to have SE_SKIP_CERTS_VERIFICATION also Signed-off-by: Qi Feng Huo --- deps/verifier/src/se/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index eca3d93f18..11cde22f26 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md @@ -130,7 +130,6 @@ export SE_SKIP_CERTS_VERIFICATION=true ``` DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile ``` ->Note: Please add `--debug` in statement like `cargo install` in file `kbs/docker/Dockerfile` if you're using a development host key document to skip HKD's signature verification. - Prepare a docker compose file, similar as: ``` 
From add57f709e19a21935317be0460661343fcea8cb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 01:55:32 +0000 Subject: [PATCH 050/298] build(deps): bump regex from 1.10.4 to 1.10.6 Bumps [regex](https://github.com/rust-lang/regex) from 1.10.4 to 1.10.6. - [Release notes](https://github.com/rust-lang/regex/releases) - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/regex/compare/1.10.4...1.10.6) --- updated-dependencies: - dependency-name: regex dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c8dffe68c3..0dd2bbf1ef 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4104,9 +4104,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.4" +version = "1.10.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c117dbdfde9c8308975b6a18d71f3f385c89461f7b3fb054288ecf2a2058ba4c" +checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" dependencies = [ "aho-corasick", "memchr", From fcf01b9dcb9bda2bb9384fc5e691ac43ea172443 Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Tue, 13 Aug 2024 16:59:39 +0800 Subject: [PATCH 051/298] ibmse: update readme to reflect initdata change Update readme for initdata and se.user_data field in attestation policy Signed-off-by: Qi Feng Huo --- deps/verifier/src/se/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index 11cde22f26..0ee09c0882 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md 
@@ -241,13 +241,13 @@ allow if { input["se.attestation_phkh"] == "xxx" input["se.image_phkh"] == "xxx" input["se.tag"] == "xxx" - input["se.user_data"] == "00" + input["se.user_data"] == "xxx" converted_version == "256" } EOF ``` -Where the values come from [retrive-the-rvps-field-for-an-ibm-se-image](#retrive-the-rvps-field-for-an-ibm-se-image) +Where the values `se.version`, `se.attestation_phkh`, `se.image_phkh` and `se.tag` come from [retrive-the-rvps-field-for-an-ibm-se-image](#retrive-the-rvps-field-for-an-ibm-se-image). The value `se.user_data` comes from [initdata](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/docs/initdata.md). Please remove `input["se.user_data"] == "xxx"` if `initdata` is not used. #### Set the attestation policy ```bash From ab3a43ba18a177aa1585da6ba5611f307de71d22 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Aug 2024 02:01:24 +0000 Subject: [PATCH 052/298] build(deps): bump ureq from 2.9.7 to 2.10.1 Bumps [ureq](https://github.com/algesten/ureq) from 2.9.7 to 2.10.1. - [Changelog](https://github.com/algesten/ureq/blob/main/CHANGELOG.md) - [Commits](https://github.com/algesten/ureq/compare/2.9.7...2.10.1) --- updated-dependencies: - dependency-name: ureq dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0dd2bbf1ef..8488056f33 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2893,7 +2893,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.52.5", + "windows-targets 0.48.5", ] [[package]] 
@@ -4474,6 +4474,21 @@ dependencies = [ "zeroize", ] +[[package]] +name = "rustls" +version = "0.23.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebbbdb961df0ad3f2652da8f3fdc4b36122f568f968f45ad3316f26c025c677b" +dependencies = [ + "log", + "once_cell", + "ring 0.17.8", + "rustls-pki-types", + "rustls-webpki 0.102.3", + "subtle", + "zeroize", +] + [[package]] name = "rustls-pemfile" version = "1.0.4" @@ -5818,16 +5833,15 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "ureq" -version = "2.9.7" +version = "2.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d11a831e3c0b56e438a28308e7c810799e3c118417f342d30ecec080105395cd" +checksum = "b74fc6b57825be3373f7054754755f03ac3a8f5d70015ccad699ba2029956f4a" dependencies = [ "base64 0.22.1", "log", "once_cell", - "rustls 0.22.4", + "rustls 0.23.7", "rustls-pki-types", - "rustls-webpki 0.102.3", "serde", "serde_json", "url", From 7228932bbc6e6dc5863e3d9d3e102680a832d08a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 01:30:53 +0000 Subject: [PATCH 053/298] build(deps): bump zstd from 0.13.1 to 0.13.2 Bumps [zstd](https://github.com/gyscos/zstd-rs) from 0.13.1 to 0.13.2. - [Release notes](https://github.com/gyscos/zstd-rs/releases) - [Commits](https://github.com/gyscos/zstd-rs/compare/v0.13.1...v0.13.2) --- updated-dependencies: - dependency-name: zstd dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8488056f33..b2eebec2eb 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -6407,9 +6407,9 @@ dependencies = [ [[package]] name = "zstd" -version = "0.13.1" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d789b1514203a1120ad2429eae43a7bd32b90976a7bb8a05f7ec02fa88cc23a" +checksum = "fcf2b778a664581e31e389454a7072dab1647606d44f7feea22cd5abb9c9f3f9" dependencies = [ "zstd-safe", ] From 01dc50b34cf7c3830a9c91b34116b3f2f1ea7ad4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 01:49:40 +0000 Subject: [PATCH 054/298] build(deps): bump backtrace from 0.3.71 to 0.3.73 Bumps [backtrace](https://github.com/rust-lang/backtrace-rs) from 0.3.71 to 0.3.73. - [Release notes](https://github.com/rust-lang/backtrace-rs/releases) - [Commits](https://github.com/rust-lang/backtrace-rs/compare/0.3.71...0.3.73) --- updated-dependencies: - dependency-name: backtrace dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b2eebec2eb..866f93bc15 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -221,9 +221,9 @@ dependencies = [ [[package]] name = "addr2line" -version = "0.21.0" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a30b2e23b9e17a9f90641c7ab1549cd9b44f296d3ccbf309d2863cfe398a0cb" +checksum = "6e4503c46a5c0c7844e948c9a4d6acd9f50cccb4de1c48eb9e291ea17470c678" dependencies = [ "gimli", ] @@ -760,9 +760,9 @@ dependencies = [ [[package]] name = "backtrace" -version = "0.3.71" +version = "0.3.73" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26b05800d2e817c8b3b4b54abd461726265fa9789ae34330622f2db9ee696f9d" +checksum = "5cc23269a4f8976d0a4d2e7109211a419fe30e8d88d677cd60b6bc79c5732e0a" dependencies = [ "addr2line", "cc", 
@@ -1004,13 +1004,13 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.96" +version = "1.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "065a29261d53ba54260972629f9ca6bffa69bac13cd1fed61420f7fa68b9f8bd" +checksum = "68064e60dbf1f17005c2fde4d07c16d8baa506fd7ffed8ccab702d93617975c7" dependencies = [ "jobserver", "libc", - "once_cell", + "shlex", ] [[package]] @@ -2024,9 +2024,9 @@ dependencies = [ [[package]] name = "gimli" -version = "0.28.1" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253" +checksum = "40ecd4077b5ae9fd2e9e169b102c6c330d0605168eb0e8bf79952b256dbefffd" [[package]] name = "git2" @@ -3249,9 +3249,9 @@ dependencies = [ [[package]] name = "object" -version = "0.32.2" +version = "0.36.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441" +checksum = "27b64972346851a39438c60b341ebc01bba47464ae329e55cf343eb93964efd9" dependencies = [ "memchr", ] @@ -4395,9 +4395,9 @@ dependencies = [ [[package]] name = "rustc-demangle" -version = "0.1.23" +version = "0.1.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" +checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f" [[package]] name = "rustc-hash" From 42c96d32026914b06915797a91f2c381126190ce Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 01:24:35 +0000 Subject: [PATCH 055/298] build(deps): bump colorchoice from 1.0.1 to 1.0.2 Bumps [colorchoice](https://github.com/rust-cli/anstyle) from 1.0.1 to 1.0.2. - [Commits](https://github.com/rust-cli/anstyle/compare/colorchoice-v1.0.1...colorchoice-v1.0.2) --- updated-dependencies: - dependency-name: colorchoice dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 866f93bc15..8c8989cacb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1193,9 +1193,9 @@ checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" [[package]] name = "colorchoice" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b6a852b24ab71dffc585bcb46eaf7959d175cb865a7152e35b348d1b2960422" +checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" [[package]] name = "config" From 7b06162639df877a4bfa30c02826762331ce264c Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Mon, 19 Aug 2024 10:47:24 +0800 Subject: [PATCH 056/298] kbs: msic fix in self-signed-https.md - Fix the miscs in self-signed-https.md Signed-off-by: Qi Feng Huo --- kbs/docs/self-signed-https.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md index c3ec74e209..8899f304e2 100644 --- a/kbs/docs/self-signed-https.md +++ b/kbs/docs/self-signed-https.md @@ -9,7 +9,7 @@ This guide will take the following goals ```bash # Edit a crt configuration. You can change the following items to any you want -cat << localhost.crt > EOF +cat << EOF > localhost.conf [req] default_bits = 2048 default_keyfile = localhost.key 
@@ -61,7 +61,7 @@ openssl pkey -in private.key -pubout -out public.pub ## Launch KBS server Set up a `kbs-config.toml` ```bash -cat << kbs-config.toml > EOF +cat << EOF > kbs-config.toml private_key = "/etc/key.pem" certificate = "/etc/cert.pem" From 4a80ea13c8733363413f39b369e837a6a4b0d9e2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 01:31:21 +0000 Subject: [PATCH 057/298] build(deps): bump zerocopy from 0.7.32 to 0.7.35 Bumps [zerocopy](https://github.com/google/zerocopy) from 0.7.32 to 0.7.35. - [Release notes](https://github.com/google/zerocopy/releases) - [Changelog](https://github.com/google/zerocopy/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/zerocopy/commits) --- updated-dependencies: - dependency-name: zerocopy dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8c8989cacb..fdeae4ac19 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -6366,9 +6366,9 @@ checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" [[package]] name = "zerocopy" -version = "0.7.32" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74d4d3961e53fa4c9a25a8637fc2bfaf2595b3d3ae34875568a5cf64787716be" +checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0" dependencies = [ "byteorder", "zerocopy-derive", @@ -6376,9 +6376,9 @@ dependencies = [ [[package]] name = "zerocopy-derive" -version = "0.7.32" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ce1b18ccd8e73a9321186f97e46f9f04b778851177567b1975109d26a08d2a6" +checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", 
From 52aa719c98edbe5b63aea98bcef7e4a29439e86b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 01:21:06 +0000 Subject: [PATCH 058/298] build(deps): bump security-framework-sys from 2.10.0 to 2.11.1 Bumps [security-framework-sys](https://github.com/kornelski/rust-security-framework) from 2.10.0 to 2.11.1. - [Release notes](https://github.com/kornelski/rust-security-framework/releases) - [Commits](https://github.com/kornelski/rust-security-framework/compare/v2.10.0...v2.11.1) --- updated-dependencies: - dependency-name: security-framework-sys dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index fdeae4ac19..0a0f6270d3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4737,9 +4737,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.10.0" +version = "2.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "41f3cc463c0ef97e11c3461a9d3787412d30e8e7eb907c79180c4a57bf7c04ef" +checksum = "75da29fe9b9b08fe9d6b22b5b4bcbc75d8db3aa31e639aa56bb62e9d46bfceaf" dependencies = [ "core-foundation-sys", "libc", From 7f97ce673b4e7a06d2f2f49df3ff9e708d3c03df Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Aug 2024 01:28:13 +0000 Subject: [PATCH 059/298] build(deps): bump flate2 from 1.0.30 to 1.0.32 Bumps [flate2](https://github.com/rust-lang/flate2-rs) from 1.0.30 to 1.0.32. - [Release notes](https://github.com/rust-lang/flate2-rs/releases) - [Changelog](https://github.com/rust-lang/flate2-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/flate2-rs/compare/1.0.30...1.0.32) --- updated-dependencies: - dependency-name: flate2 dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- Cargo.lock | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0a0f6270d3..05f5369f0c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -234,6 +234,12 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" +[[package]] +name = "adler2" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" + [[package]] name = "aead" version = "0.5.2" @@ -768,7 +774,7 @@ dependencies = [ "cc", "cfg-if", "libc", - "miniz_oxide", + "miniz_oxide 0.7.2", "object", "rustc-demangle", ] @@ -1836,12 +1842,12 @@ checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" [[package]] name = "flate2" -version = "1.0.30" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f54427cfd1c7829e2a139fcefea601bf088ebca651d2bf53ebc600eac295dae" +checksum = "9c0596c1eac1f9e04ed902702e9878208b336edc9d6fddc8a48387349bab3666" dependencies = [ "crc32fast", - "miniz_oxide", + "miniz_oxide 0.8.0", ] [[package]] @@ -3031,6 +3037,15 @@ dependencies = [ "adler", ] +[[package]] +name = "miniz_oxide" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1" +dependencies = [ + "adler2", +] + [[package]] name = "mio" version = "0.8.11" From 4b3301acd63036edfb2667032fec6867b4a43c0c Mon Sep 17 00:00:00 2001 
From: Mikko Ylinen Date: Thu, 22 Aug 2024 15:45:16 +0300 Subject: [PATCH 060/298] chore: fix cargo warnings on missing default-features Builds trigger the following warnings that are easy to fix: warning: /home/runner/work/trustee/trustee/deps/verifier/Cargo.toml: `default-features` is ignored for tokio, since `default-features` was not specified for `workspace.dependencies.tokio`, this could become a hard error in the future and warning: /home/runner/work/trustee/trustee/tools/kbs-client/Cargo.toml: `default-features` is ignored for reqwest, since `default-features` was not specified for `workspace.dependencies.reqwest`, this could become a hard error in the future Signed-off-by: Mikko Ylinen --- Cargo.lock | 210 +++++++++++++++++++++------------------ Cargo.toml | 6 +- deps/verifier/Cargo.toml | 2 +- 3 files changed, 119 insertions(+), 99 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 05f5369f0c..9adf1c3fb5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -40,7 +40,7 @@ dependencies = [ "encoding_rs", "flate2", "futures-core", - "h2 0.3.26", + "h2", "http 0.2.12", "httparse", "httpdate", @@ -103,7 +103,7 @@ dependencies = [ "actix-utils", "futures-core", "futures-util", - "mio", + "mio 0.8.11", "socket2", "tokio", "tracing", @@ -496,12 +496,6 @@ dependencies = [ "syn 2.0.60", ] -[[package]] -name = "atomic-waker" -version = "1.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" - [[package]] name = "attestation-agent" version = "0.1.0" @@ -637,7 +631,7 @@ dependencies = [ "pin-project-lite", "rustversion", "serde", - "sync_wrapper", + "sync_wrapper 0.1.2", "tower", "tower-layer", "tower-service", @@ -854,7 +848,7 @@ dependencies = [ "proc-macro2", "quote", "regex", - "rustc-hash", + "rustc-hash 1.1.0", "shlex", "which", ] @@ -876,7 +870,7 @@ dependencies = [ "proc-macro2", "quote", "regex", - "rustc-hash", + "rustc-hash 1.1.0", "shlex", "syn 2.0.60", "which", 
@@ -1279,9 +1273,9 @@ dependencies = [ [[package]] name = "cookie" -version = "0.17.0" +version = "0.18.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7efb37c3e1ccb1ff97164ad95ac1606e8ccd35b3fa0a7d99a304c7f4a428cc24" +checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747" dependencies = [ "percent-encoding", "time", @@ -1290,12 +1284,12 @@ dependencies = [ [[package]] name = "cookie_store" -version = "0.20.0" +version = "0.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "387461abbc748185c3a6e1673d826918b450b87ff22639429c694619a83b6cf6" +checksum = "4934e6b7e8419148b6ef56950d277af8561060b56afd59e2aadf98b59fce6baa" dependencies = [ - "cookie 0.17.0", - "idna 0.3.0", + "cookie 0.18.1", + "idna 0.5.0", "log", "publicsuffix", "serde", @@ -2083,25 +2077,6 @@ dependencies = [ "tracing", ] -[[package]] -name = "h2" -version = "0.4.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa82e28a107a8cc405f0839610bdc9b15f1e25ec7d696aa5cf173edbcb1486ab" -dependencies = [ - "atomic-waker", - "bytes", - "fnv", - "futures-core", - "futures-sink", - "http 1.1.0", - "indexmap 2.2.6", - "slab", - "tokio", - "tokio-util", - "tracing", -] - [[package]] name = "half" version = "2.4.1" @@ -2301,7 +2276,7 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", - "h2 0.3.26", + "h2", "http 0.2.12", "http-body 0.4.6", "httparse", @@ -2324,7 +2299,6 @@ dependencies = [ "bytes", "futures-channel", "futures-util", - "h2 0.4.5", "http 1.1.0", "http-body 1.0.0", "httparse", 
@@ -2351,19 +2325,20 @@ dependencies = [ [[package]] name = "hyper-rustls" -version = "0.26.0" +version = "0.27.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0bea761b46ae2b24eb4aef630d8d1c398157b6fc29e6350ecf090a0b70c952c" +checksum = "5ee4be2c948921a1a5320b629c4193916ed787a7f7f293fd3f7f5a6c9de74155" dependencies = [ "futures-util", "http 1.1.0", "hyper 1.3.1", "hyper-util", - "rustls 0.22.4", + "rustls 0.23.7", "rustls-pki-types", "tokio", - "tokio-rustls 0.25.0", + "tokio-rustls 0.26.0", "tower-service", + "webpki-roots 0.26.1", ] [[package]] @@ -2750,7 +2725,7 @@ dependencies = [ "prost 0.12.6", "rand", "regorus", - "reqwest 0.12.4", + "reqwest 0.12.5", "rsa 0.9.6", "rstest", "rustls 0.20.9", @@ -2780,7 +2755,7 @@ dependencies = [ "jwt-simple 0.11.9", "kbs_protocol", "log", - "reqwest 0.12.4", + "reqwest 0.12.5", "serde", "serde_json", "tokio", @@ -2809,7 +2784,7 @@ dependencies = [ "jwt-simple 0.12.9", "kbs-types", "log", - "reqwest 0.12.4", + "reqwest 0.12.5", "resource_uri", "serde", "serde_json", @@ -2837,7 +2812,7 @@ dependencies = [ "p12", "prost 0.11.9", "rand", - "reqwest 0.12.4", + "reqwest 0.12.5", "resource_uri", "ring 0.17.8", "serde", @@ -2899,7 +2874,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.5", ] [[package]] @@ -3058,6 +3033,18 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "mio" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec" +dependencies = [ + "hermit-abi 0.3.9", + "libc", + "wasi", + "windows-sys 0.52.0", +] + [[package]] name = "mobc" version = "0.8.4" 
@@ -3243,16 +3230,6 @@ dependencies = [ "libm", ] -[[package]] -name = "num_cpus" -version = "1.16.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" -dependencies = [ - "hermit-abi 0.3.9", - "libc", -] - [[package]] name = "num_threads" version = "0.1.7" @@ -4009,6 +3986,54 @@ dependencies = [ "psl-types", ] +[[package]] +name = "quinn" +version = "0.11.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b22d8e7369034b9a7132bc2008cac12f2013c8132b45e0554e6e20e2617f2156" +dependencies = [ + "bytes", + "pin-project-lite", + "quinn-proto", + "quinn-udp", + "rustc-hash 2.0.0", + "rustls 0.23.7", + "socket2", + "thiserror", + "tokio", + "tracing", +] + +[[package]] +name = "quinn-proto" +version = "0.11.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba92fb39ec7ad06ca2582c0ca834dfeadcaf06ddfc8e635c80aa7e1c05315fdd" +dependencies = [ + "bytes", + "rand", + "ring 0.17.8", + "rustc-hash 2.0.0", + "rustls 0.23.7", + "slab", + "thiserror", + "tinyvec", + "tracing", +] + +[[package]] +name = "quinn-udp" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8bffec3605b73c6f1754535084a85229fa8a30f86014e6c81aeec4abb68b0285" +dependencies = [ + "libc", + "once_cell", + "socket2", + "tracing", + "windows-sys 0.52.0", +] + [[package]] name = "quote" version = "1.0.36" @@ -4183,7 +4208,7 @@ dependencies = [ "encoding_rs", "futures-core", "futures-util", - "h2 0.3.26", + "h2", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.28", @@ -4202,7 +4227,7 @@ dependencies = [ "serde", "serde_json", "serde_urlencoded", - "sync_wrapper", + "sync_wrapper 0.1.2", "system-configuration", "tokio", "tokio-native-tls", 
@@ -4218,23 +4243,21 @@ dependencies = [ [[package]] name = "reqwest" -version = "0.12.4" +version = "0.12.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "566cafdd92868e0939d3fb961bd0dc25fcfaaed179291093b3d43e6b3150ea10" +checksum = "c7d6d2a27d57148378eb5e111173f4276ad26340ecc5c49a4a2152167a2d6a37" dependencies = [ "base64 0.22.1", "bytes", - "cookie 0.17.0", + "cookie 0.18.1", "cookie_store", - "encoding_rs", "futures-core", "futures-util", - "h2 0.4.5", "http 1.1.0", "http-body 1.0.0", "http-body-util", "hyper 1.3.1", - "hyper-rustls 0.26.0", + "hyper-rustls 0.27.2", "hyper-tls 0.6.0", "hyper-util", "ipnet", @@ -4245,17 +4268,17 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", - "rustls 0.22.4", + "quinn", + "rustls 0.23.7", "rustls-pemfile 2.1.2", "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", - "sync_wrapper", - "system-configuration", + "sync_wrapper 1.0.1", "tokio", "tokio-native-tls", - "tokio-rustls 0.25.0", + "tokio-rustls 0.26.0", "tower-service", "url", "wasm-bindgen", @@ -4420,6 +4443,12 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" +[[package]] +name = "rustc-hash" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "583034fd73374156e66797ed8e5b0d5690409c9226b22d87cb7f19821c05d152" + [[package]] name = "rustc_version" version = "0.4.0" @@ -4475,20 +4504,6 @@ dependencies = [ "sct", ] -[[package]] -name = "rustls" -version = "0.22.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432" -dependencies = [ - "log", - "ring 0.17.8", - "rustls-pki-types", - "rustls-webpki 0.102.3", - "subtle", - "zeroize", -] - [[package]] name = "rustls" version = "0.23.7" 
@@ -5195,6 +5210,12 @@ version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" +[[package]] +name = "sync_wrapper" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394" + [[package]] name = "synstructure" version = "0.12.6" @@ -5369,21 +5390,20 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.38.1" +version = "1.39.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb2caba9f80616f438e09748d5acda951967e1ea58508ef53d9c6402485a46df" +checksum = "9babc99b9923bfa4804bd74722ff02c0381021eafa4db9949217e3be8e84fff5" dependencies = [ "backtrace", "bytes", "libc", - "mio", - "num_cpus", + "mio 1.0.2", "parking_lot 0.12.2", "pin-project-lite", "signal-hook-registry", "socket2", "tokio-macros", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -5398,9 +5418,9 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.3.0" +version = "2.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f5ae998a069d4b5aba8ee9dad856af7d520c3699e6159b185c2acd48155d39a" +checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752" dependencies = [ "proc-macro2", "quote", @@ -5452,11 +5472,11 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.25.0" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" +checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" dependencies = [ - "rustls 0.22.4", + "rustls 0.23.7", "rustls-pki-types", "tokio", ] 
@@ -5541,7 +5561,7 @@ dependencies = [ "bytes", "futures-core", "futures-util", - "h2 0.3.26", + "h2", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.28", @@ -5568,7 +5588,7 @@ dependencies = [ "axum", "base64 0.21.7", "bytes", - "h2 0.3.26", + "h2", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.28", diff --git a/Cargo.toml b/Cargo.toml index 3d7bd6bbc9..3c75c979ce 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -36,7 +36,7 @@ jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" regorus = { version = "0.1.5", default-features = false, features = ["regex", "base64", "time"] } -reqwest = "0.12" +reqwest = { version = "0.12", default-features = false, features = ["default-tls"] } rstest = "0.18.1" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0.89" @@ -46,7 +46,7 @@ sha2 = "0.10" shadow-rs = "0.19.0" strum = { version = "0.25", features = ["derive"] } thiserror = "1.0" -tokio = { version = "1", features = ["full"] } +tokio = { version = "1", features = ["full"], default-features = false } tempfile = "3.4.0" tonic = "0.11" -tonic-build = "0.11" \ No newline at end of file +tonic-build = "0.11" diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index 8f78b6ff45..1c446e3513 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml @@ -43,7 +43,7 @@ serde_json.workspace = true serde_with = { workspace = true, optional = true } sev = { version = "3.1.1", features = ["openssl", "snp"], optional = true } sha2.workspace = true -tokio = { workspace = true, optional = true, default-features = false } +tokio = { workspace = true, optional = true } intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } strum.workspace = true veraison-apiclient = { git = "https://github.com/chendave/rust-apiclient", branch = "token", optional = true } From 8c17bff542c4568fb86c1186600c198fcb8b81d2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 01:56:29 +0000 Subject: [PATCH 061/298] build(deps): bump hyper from 0.14.28 to 0.14.30 Bumps [hyper](https://github.com/hyperium/hyper) from 0.14.28 to 0.14.30. - [Release notes](https://github.com/hyperium/hyper/releases) - [Changelog](https://github.com/hyperium/hyper/blob/v0.14.30/CHANGELOG.md) - [Commits](https://github.com/hyperium/hyper/compare/v0.14.28...v0.14.30) --- updated-dependencies: - dependency-name: hyper dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9adf1c3fb5..b4a17dc79b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -572,7 +572,7 @@ dependencies = [ "codicon", "csv-rs", "hex", - "hyper 0.14.28", + "hyper 0.14.30", "hyper-tls 0.5.0", "kbs-types", "log", @@ -622,7 +622,7 @@ dependencies = [ "futures-util", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.28", + "hyper 0.14.30", "itoa", "matchit", "memchr", @@ -1416,7 +1416,7 @@ dependencies = [ "bitflags 1.3.2", "codicon", "dirs", - "hyper 0.14.28", + "hyper 0.14.30", "hyper-tls 0.5.0", "iocuddle", "libc", @@ -2268,9 +2268,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" [[package]] name = "hyper" -version = "0.14.28" +version = "0.14.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf96e135eb83a2a8ddf766e426a841d8ddd7449d5f00d34ea02b41d2f19eef80" +checksum = "a152ddd61dfaec7273fe8419ab357f33aee0d914c5f4efbf0d96fa749eea5ec9" dependencies = [ "bytes", "futures-channel", @@ -2317,7 +2317,7 @@ checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" dependencies = [ "futures-util", "http 0.2.12", - "hyper 0.14.28", + "hyper 0.14.30", "rustls 0.21.12", "tokio", "tokio-rustls 0.24.1", 
@@ -2347,7 +2347,7 @@ version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" dependencies = [ - "hyper 0.14.28", + "hyper 0.14.30", "pin-project-lite", "tokio", "tokio-io-timeout", @@ -2360,7 +2360,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" dependencies = [ "bytes", - "hyper 0.14.28", + "hyper 0.14.30", "native-tls", "tokio", "tokio-native-tls", @@ -2874,7 +2874,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.52.5", + "windows-targets 0.48.5", ] [[package]] @@ -4211,7 +4211,7 @@ dependencies = [ "h2", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.28", + "hyper 0.14.30", "hyper-rustls 0.24.2", "hyper-tls 0.5.0", "ipnet", @@ -5564,7 +5564,7 @@ dependencies = [ "h2", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.28", + "hyper 0.14.30", "hyper-timeout", "percent-encoding", "pin-project", @@ -5591,7 +5591,7 @@ dependencies = [ "h2", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.28", + "hyper 0.14.30", "hyper-timeout", "percent-encoding", "pin-project", From 1b543c5d8a607ebe329552dbf2298e6d85887a6c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 01:15:52 +0000 Subject: [PATCH 062/298] build(deps): bump is-terminal from 0.4.12 to 0.4.13 Bumps [is-terminal](https://github.com/sunfishcode/is-terminal) from 0.4.12 to 0.4.13. - [Commits](https://github.com/sunfishcode/is-terminal/compare/v0.4.12...v0.4.13) --- updated-dependencies: - dependency-name: is-terminal dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index b4a17dc79b..a327979cee 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2129,6 +2129,12 @@ version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024" +[[package]] +name = "hermit-abi" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc" + [[package]] name = "hex" version = "0.4.3" @@ -2527,11 +2533,11 @@ checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3" [[package]] name = "is-terminal" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f23ff5ef2b80d608d61efee834934d862cd92461afc0560dedf493e4c033738b" +checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b" dependencies = [ - "hermit-abi 0.3.9", + "hermit-abi 0.4.0", "libc", "windows-sys 0.52.0", ] From 21d02873c2c4a9d86ce43c9048f53baa1aafad97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 01:38:36 +0000 Subject: [PATCH 063/298] build(deps): bump getrandom from 0.2.14 to 0.2.15 Bumps [getrandom](https://github.com/rust-random/getrandom) from 0.2.14 to 0.2.15. - [Changelog](https://github.com/rust-random/getrandom/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-random/getrandom/compare/v0.2.14...v0.2.15) --- updated-dependencies: - dependency-name: getrandom dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a327979cee..88b37d2187 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -2001,9 +2001,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c" +checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" dependencies = [ "cfg-if", "js-sys", From 6961c111a36ad4d92c0b31f6d4df1abe26d8a806 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Tue, 27 Aug 2024 20:54:49 +0300 Subject: [PATCH 064/298] kbs: allow only clients with exact protocol version match kbs does guarantee backwards compatible functionality so only clients with exact protocol match are allowed. Signed-off-by: Mikko Ylinen --- kbs/src/http/attest.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/src/http/attest.rs b/kbs/src/http/attest.rs index 5089fc00de..c72357a221 100644 --- a/kbs/src/http/attest.rs +++ b/kbs/src/http/attest.rs @@ -28,7 +28,7 @@ lazy_static! { build: BuildMetadata::EMPTY, }; - VersionReq::parse(&format!("<={kbs_version}")).unwrap() + VersionReq::parse(&format!("={kbs_version}")).unwrap() }; } From ccfa88b63fd31e7300bd5511d9bf9a2dbeb67871 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 26 Jul 2024 08:27:28 +0300 Subject: [PATCH 065/298] chore(deps): Bump kbs-types and kbs_protocol This bumps kbs-types from 0.6.0 to 0.7.0 and kbs_protocol from guest-components to the latest HEAD. It's done in one commit to make the KBS protocol changes atomic. Signed-off-by: Mikko Ylinen --- Cargo.lock | 31 ++++++++++--------- Cargo.toml | 6 ++-- kbs/src/attestation/coco/builtin.rs | 12 ++++--- kbs/src/attestation/coco/grpc.rs | 12 ++++--- .../attestation/intel_trust_authority/mod.rs | 2 +- kbs/src/attestation/mod.rs | 14 +++++++-- kbs/src/http/attest.rs | 2 +- kbs/src/http/resource.rs | 15 ++++++--- 8 files changed, 59 insertions(+), 35 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 88b37d2187..a09a99adde 100644 --- a/Cargo.lock 
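Review bot: The new exact-match requirement `={kbs_version}` in kbs/src/http/attest.rs has no comment saying why clients on older protocol versions are now refused, and the commit message's "does guarantee" presumably means "does not guarantee". I would add above the `VersionReq::parse` line: `// KBS makes no backward-compatibility promise, so only clients on exactly this protocol version are accepted.` Because any later change to the `KBS_*_VERSION` constants then rejects every existing client, the comment should also say that these constants must be bumped together with the client side. The `lazy_static!` block starts outside the hunk.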
+++ b/Cargo.lock @@ -499,14 +499,15 @@ dependencies = [ [[package]] name = "attestation-agent" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.21.7", + "base64 0.22.1", "config", "const_format", + "kbs-types", "log", "serde", "serde_json", @@ -562,13 +563,13 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "az-snp-vtpm 0.6.0", "az-tdx-vtpm 0.6.0", - "base64 0.21.7", + "base64 0.22.1", "codicon", "csv-rs", "hex", @@ -1368,11 +1369,11 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "aes-gcm", "anyhow", - "base64 0.21.7", + "base64 0.22.1", "ctr", "kbs-types", "rand", 
@@ -2769,9 +2770,9 @@ dependencies = [ [[package]] name = "kbs-types" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "febd73b2b1df274ea454d81ddf76f596af9754410b7ed6f988f2e1782a175da3" +checksum = "9b6441ed73b0faa50707d4de41c6b45c76654b661b96aaf7b26a41331eedc0a5" dependencies = [ "serde", "serde_json", @@ -2780,12 +2781,12 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.21.7", + "base64 0.22.1", "crypto", "jwt-simple 0.12.9", "kbs-types", @@ -2804,12 +2805,12 @@ dependencies = [ [[package]] name = "kms" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "attestation-agent", - "base64 0.21.7", + "base64 0.22.1", "chrono", "const_format", "hex", @@ -2952,9 +2953,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.21" +version = "0.4.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c" +checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" [[package]] name = "matchit" 
@@ -4297,7 +4298,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "serde", diff --git a/Cargo.toml b/Cargo.toml index 3c75c979ce..0fb08e68e8 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,9 +29,9 @@ config = "0.13.3" env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } -kbs-types = "0.6.0" -kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="cd16b445291ad401b4b53664266983f4927a370e", default-features = false } +kbs-types = "0.7.0" +kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="cd16b445291ad401b4b53664266983f4927a370e", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" diff --git a/kbs/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs index c5a194e8fe..cc0bdcf9dc 100644 --- a/kbs/src/attestation/coco/builtin.rs +++ b/kbs/src/attestation/coco/builtin.rs @@ -34,7 +34,7 @@ impl Attest for BuiltInCoCoAs { .read() .await .evaluate( - attestation.tee_evidence.into_bytes(), + attestation.tee_evidence.to_string().into_bytes(), tee, Some(Data::Structured(runtime_data_plaintext)), HashAlgorithm::Sha384, 
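Review bot: `attestation.tee_evidence.to_string().into_bytes()` hands the verifier a re-serialization of the parsed JSON rather than the bytes the attester sent. For a `Value::String` that is the quoted, escaped form, and for an object the key order and whitespace may differ from the wire form. Whether any verifier depends on the raw bytes is not visible here, so I would state the contract at the call, e.g. `// tee_evidence is a serde_json::Value; the AS receives its compact JSON serialization, not the original request bytes`, and consider rejecting evidence that is not a JSON object before calling `evaluate`. The same pattern appears as `tee_parameters.to_string()` in `generate_challenge` here and in the grpc.rs hunks. The enclosing function starts outside the hunk.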
@@ -45,13 +45,17 @@ impl Attest for BuiltInCoCoAs { .await } - async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { let nonce = match tee { Tee::Se => { self.inner .read() .await - .generate_supplemental_challenge(tee, tee_parameters) + .generate_supplemental_challenge(tee, tee_parameters.to_string()) .await? } _ => make_nonce().await?, @@ -59,7 +63,7 @@ impl Attest for BuiltInCoCoAs { let challenge = Challenge { nonce, - extra_params: String::new(), + extra_params: serde_json::Value::String(String::new()), }; Ok(challenge) diff --git a/kbs/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs index 0d61f271bd..903dbf3440 100644 --- a/kbs/src/attestation/coco/grpc.rs +++ b/kbs/src/attestation/coco/grpc.rs @@ -105,7 +105,7 @@ impl Attest for GrpcClientPool { .to_string(); let req = tonic::Request::new(AttestationRequest { tee, - evidence: URL_SAFE_NO_PAD.encode(attestation.tee_evidence), + evidence: URL_SAFE_NO_PAD.encode(attestation.tee_evidence.to_string()), runtime_data_hash_algorithm: COCO_AS_HASH_ALGORITHM.into(), init_data_hash_algorithm: COCO_AS_HASH_ALGORITHM.into(), runtime_data: Some(RuntimeData::StructuredRuntimeData(runtime_data_plaintext)), @@ -124,12 +124,16 @@ impl Attest for GrpcClientPool { Ok(token) } - async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { let nonce = match tee { Tee::Se => { let mut inner = HashMap::new(); inner.insert(String::from("tee"), String::from("se")); - inner.insert(String::from("tee_params"), tee_parameters); + inner.insert(String::from("tee_params"), tee_parameters.to_string()); let req = tonic::Request::new(ChallengeRequest { inner }); let mut client = { self.pool.lock().await.get().await? }; 
@@ -145,7 +149,7 @@ impl Attest for GrpcClientPool { let challenge = Challenge { nonce, - extra_params: String::new(), + extra_params: serde_json::Value::String(String::new()), }; Ok(challenge) diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 2eac0ac656..616b036bac 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -66,7 +66,7 @@ impl Attest for IntelTrustAuthority { let attestation = serde_json::from_str::(attestation) .map_err(|e| anyhow!("Deserialize Attestation failed: {:?}", e))?; let evidence = - serde_json::from_str::(&attestation.tee_evidence) + serde_json::from_value::(attestation.tee_evidence) .map_err(|e| anyhow!("Deserialize supported TEE Evidence failed: {:?}", e))?; let runtime_data = json!({ diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index bacdd56405..e306f78039 100644 --- a/kbs/src/attestation/mod.rs +++ b/kbs/src/attestation/mod.rs @@ -55,12 +55,16 @@ pub trait Attest: Send + Sync { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result; /// generate the Challenge to pass to attester based on Tee and nonce - async fn generate_challenge(&self, _tee: Tee, _tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + _tee: Tee, + _tee_parameters: serde_json::Value, + ) -> Result { let nonce = make_nonce().await?; Ok(Challenge { nonce, - extra_params: String::new(), + extra_params: serde_json::Value::String(String::new()), }) } } @@ -121,7 +125,11 @@ impl AttestationService { } } - pub async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + pub async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { match self { #[cfg(feature = "coco-as-grpc")] AttestationService::CoCoASgRPC(inner) => { diff --git a/kbs/src/http/attest.rs b/kbs/src/http/attest.rs index c72357a221..f4de7e87dc 100644 
--- a/kbs/src/http/attest.rs +++ b/kbs/src/http/attest.rs @@ -16,7 +16,7 @@ use serde_json::json; static KBS_MAJOR_VERSION: u64 = 0; static KBS_MINOR_VERSION: u64 = 1; -static KBS_PATCH_VERSION: u64 = 0; +static KBS_PATCH_VERSION: u64 = 1; lazy_static! { static ref VERSION_REQ: VersionReq = { diff --git a/kbs/src/http/resource.rs b/kbs/src/http/resource.rs index c0f17265b3..abf8aed54d 100644 --- a/kbs/src/http/resource.rs +++ b/kbs/src/http/resource.rs @@ -189,10 +189,17 @@ const RSA_ALGORITHM: &str = "RSA1_5"; const AES_GCM_256_ALGORITHM: &str = "A256GCM"; pub(crate) fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { - if tee_pub_key.alg != *RSA_ALGORITHM { + let TeePubKey::RSA { alg, k_mod, k_exp } = tee_pub_key else { + raise_error!(Error::JWEFailed(format!( + "key type is not TeePubKey::RSA but {:?}", + tee_pub_key + ))); + }; + + if alg != *RSA_ALGORITHM { raise_error!(Error::JWEFailed(format!( "algorithm is not {RSA_ALGORITHM} but {}", - tee_pub_key.alg + alg ))); } @@ -207,11 +214,11 @@ pub(crate) fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result Date: Wed, 31 Jul 2024 13:04:45 +0300 Subject: [PATCH 066/298] kbs: doc: update protocol spec with the latest functionality KBS protocol version was bumped up to 0.1.1 so updating the spec accordingly. In addition, clarify the error handling of "request": also errors can happen, such as when the "request" version does not meet all the requirements. Signed-off-by: Mikko Ylinen --- kbs/docs/kbs_attestation_protocol.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kbs/docs/kbs_attestation_protocol.md b/kbs/docs/kbs_attestation_protocol.md index 797696ee00..8a77e84b8d 100644 --- a/kbs/docs/kbs_attestation_protocol.md +++ b/kbs/docs/kbs_attestation_protocol.md 
@@ -70,8 +70,8 @@ The payload format of the request is as follows: ```json { - /* Attestation protocol version number used by KBC */ - "version": "0.1.0", + /* KBS protocol version number used by KBC */ + "version": "0.1.1", /* * Type of HW-TEE platforms where KBC is located, * e.g. "intel-tdx", "amd-sev-snp", etc. @@ -286,6 +286,10 @@ The authentication service is provided by the KBS through two endpoints: the attester and its attestation results with that cookie. 2. An attestation challenge for the attester to take. This is the content of the response, set to a [KBS Challenge](#challenge) JSON payload. + 3. In case of an error (such as if the KBS rejects the [KBS Request](#request) based + on `version` compatibility), an HTTP response with a 401 (`Unauthorized`) status code + together with ErrorInformation JSON payload. + 2. `/kbs/v0/attest` only accepts `POST` requests whose body is a [KBS Attestation](#attestation) JSON payload and the header contains a `Cookie` set to the value received in step 1.i. This is how the attester replies to attestation challenge received From 51a3be9881ba171e9b5a7d6751a35fb13cf94780 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Thu, 8 Aug 2024 15:07:35 +0300 Subject: [PATCH 067/298] kbs: token: drop unused impl Display for tokenverifier Signed-off-by: Mikko Ylinen --- kbs/src/token/mod.rs | 7 ------- 1 file changed, 7 deletions(-) diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index a448daa17d..d33a2af92d 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -5,7 +5,6 @@ use anyhow::*; use async_trait::async_trait; use serde::Deserialize; -use std::fmt; use std::sync::Arc; use strum::EnumString; use tokio::sync::RwLock; @@ -51,9 +50,3 @@ pub fn create_token_verifier( as Arc>), } } - -impl fmt::Display for AttestationTokenVerifierType { - fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { - write!(f, "{:?}", self) - } -} From 20ae941bf122622a65739f2c69e396f22c980c2a Mon Sep 17 00:00:00 2001 
From: Mikko Ylinen Date: Wed, 28 Aug 2024 11:17:22 +0300 Subject: [PATCH 068/298] kbs: token: Derive Default for AttestationTokenVerifierType Signed-off-by: Mikko Ylinen --- kbs/src/token/mod.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index d33a2af92d..006731b29c 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -18,13 +18,15 @@ pub trait AttestationTokenVerifier { async fn verify(&self, token: String) -> Result; } -#[derive(Deserialize, Debug, Clone, EnumString)] +#[derive(Deserialize, Default, Debug, Clone, EnumString)] pub enum AttestationTokenVerifierType { + #[default] CoCo, } #[derive(Deserialize, Debug, Clone)] pub struct AttestationTokenVerifierConfig { + #[serde(default)] pub attestation_token_type: AttestationTokenVerifierType, // Trusted Certificates file (PEM format) path to verify Attestation Token Signature. From ec207f7ee4f32edc7b3beaa4ca1326b107307282 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Wed, 28 Aug 2024 11:22:03 +0300 Subject: [PATCH 069/298] kbs: token: drop Option from trusted cert fields The defaults for AttestationTokenVerifierConfig are now automatically generated so the impl Default can be dropped. Signed-off-by: Mikko Ylinen --- kbs/src/token/coco.rs | 47 +++++++++++++++++++++++++------------------ kbs/src/token/mod.rs | 12 ++--------- 2 files changed, 29 insertions(+), 30 deletions(-) diff --git a/kbs/src/token/coco.rs b/kbs/src/token/coco.rs index fc99790261..73316099bc 100644 --- a/kbs/src/token/coco.rs +++ b/kbs/src/token/coco.rs @@ -7,6 +7,7 @@ use anyhow::*; use async_trait::async_trait; use base64::engine::general_purpose::URL_SAFE_NO_PAD; use base64::Engine; +use log::warn; use openssl::hash::MessageDigest; use openssl::pkey::PKey; use openssl::rsa::Rsa; 
@@ -17,26 +18,29 @@ use openssl::x509::{X509StoreContext, X509}; use serde_json::Value; pub struct CoCoAttestationTokenVerifier { - trusted_certs: Option, + trusted_certs: X509Store, } impl CoCoAttestationTokenVerifier { pub fn new(config: &AttestationTokenVerifierConfig) -> Result { - let trusted_certs = match &config.trusted_certs_paths { - Some(paths) => { - let mut store_builder = X509StoreBuilder::new()?; - for path in paths { - let trust_cert_pem = std::fs::read(path) - .map_err(|e| anyhow!("Load trusted certificate failed: {e}"))?; - let trust_cert = X509::from_pem(&trust_cert_pem)?; - store_builder.add_cert(trust_cert.to_owned())?; - } - Some(store_builder.build()) - } - None => None, - }; + let mut store_builder = X509StoreBuilder::new()?; + + // check all files in trusted_certs_paths but don't exit (only warn). + // the result can be an empty trust store. + for path in &config.trusted_certs_paths { + std::fs::read(path).map_or_else( + |e| warn!("Failed to read trusted certificate: {e}"), + |pem| { + let _ = X509::from_pem(&pem) + .and_then(|certs| store_builder.add_cert(certs.to_owned())) + .map_err(|e| warn!("Failed to add certificate to trust store: {e}")); + }, + ); + } - Ok(Self { trusted_certs }) + Ok(Self { + trusted_certs: store_builder.build(), + }) } } @@ -90,8 +94,8 @@ impl AttestationTokenVerifier for CoCoAttestationTokenVerifier { } } - let Some(trusted_store) = &self.trusted_certs else { - log::warn!("No Trusted Certificate in Config, skip verification of JWK cert of Attestation Token"); + if self.trusted_certs.all_certificates().is_empty() { + warn!("No Trusted Certificate in Config, skip verification of JWK cert of Attestation Token"); return Ok(serde_json::to_string(&claims_value)?); }; 
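Review bot: A trusted-certificate path that cannot be read or parsed is now only logged in `CoCoAttestationTokenVerifier::new`, where the removed code returned an error, and the following hunk in `verify` (`@@ -90,8 +94,8 @@`) skips the JWK certificate check whenever the store is empty. Together, a typo or permission problem on the entries of `trusted_certs_paths` silently turns certificate-chain verification off instead of stopping startup. I would keep the skip-with-warning behaviour only for a list that is actually empty and propagate load errors for paths the operator did configure, as in the excerpt below. `verify` starts and ends outside these hunks.

```rust
let mut store_builder = X509StoreBuilder::new()?;

// A path the operator configured must load; an unreadable or malformed
// file is an error, not a reason to fall back to an empty trust store.
for path in &config.trusted_certs_paths {
    let trust_cert_pem = std::fs::read(path)
        .map_err(|e| anyhow!("Load trusted certificate failed: {e}"))?;
    let trust_cert = X509::from_pem(&trust_cert_pem)?;
    store_builder.add_cert(trust_cert)?;
}

// … unchanged: Ok(Self { trusted_certs: store_builder.build() }) …
```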
@@ -116,9 +120,12 @@ impl AttestationTokenVerifier for CoCoAttestationTokenVerifier { untrusted_stack.push(cert.clone())?; } let mut context = X509StoreContext::new()?; - if !context.init(trusted_store, &cert_chain[0], &untrusted_stack, |ctx| { - ctx.verify_cert() - })? { + if !context.init( + &self.trusted_certs, + &cert_chain[0], + &untrusted_stack, + |ctx| ctx.verify_cert(), + )? { bail!("Untrusted certificate in Attestation Token JWK"); }; diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index 006731b29c..b0160ded32 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -30,16 +30,8 @@ pub struct AttestationTokenVerifierConfig { pub attestation_token_type: AttestationTokenVerifierType, // Trusted Certificates file (PEM format) path to verify Attestation Token Signature. - pub trusted_certs_paths: Option>, -} - -impl Default for AttestationTokenVerifierConfig { - fn default() -> Self { - Self { - attestation_token_type: AttestationTokenVerifierType::CoCo, - trusted_certs_paths: None, - } - } + #[serde(default)] + pub trusted_certs_paths: Vec, } pub fn create_token_verifier( From b94be6ae1a360b3217a1e4d52842770b0692acca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Aug 2024 01:16:27 +0000 Subject: [PATCH 070/298] build(deps): bump version_check from 0.9.4 to 0.9.5 Bumps [version_check](https://github.com/SergioBenitez/version_check) from 0.9.4 to 0.9.5. - [Commits](https://github.com/SergioBenitez/version_check/compare/v0.9.4...v0.9.5) --- updated-dependencies: - dependency-name: version_check dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a09a99adde..7fc010cca4 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -5996,9 +5996,9 @@ dependencies = [ [[package]] name = "version_check" -version = "0.9.4" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" +checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" [[package]] name = "walkdir" From d8e374c87f720344ade7a4f10047d6da5e5920c1 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Thu, 8 Aug 2024 15:06:19 +0300 Subject: [PATCH 071/298] kbs: make token verifier initialization async This is useful if any token verifier needs initialization data pulled remotely. Signed-off-by: Mikko Ylinen --- kbs/src/lib.rs | 2 +- kbs/src/token/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kbs/src/lib.rs b/kbs/src/lib.rs index 5d51775981..b46abf82f2 100644 --- a/kbs/src/lib.rs +++ b/kbs/src/lib.rs @@ -240,7 +240,7 @@ impl ApiServer { #[cfg(feature = "resource")] let token_verifier = - crate::token::create_token_verifier(self.attestation_token_config.clone())?; + crate::token::create_token_verifier(self.attestation_token_config.clone()).await?; #[cfg(feature = "policy")] let policy_engine = PolicyEngine::new(&self.policy_engine_config).await?; diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index b0160ded32..19afed5b92 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -34,7 +34,7 @@ pub struct AttestationTokenVerifierConfig { pub trusted_certs_paths: Vec, } -pub fn create_token_verifier( +pub async fn create_token_verifier( config: AttestationTokenVerifierConfig, ) -> Result>> { match config.attestation_token_type { From fac45ffd58fe3099a7e267cc302c2ff3ddaabcd9 Mon Sep 17 00:00:00 2001 
From: Mikko Ylinen Date: Thu, 8 Aug 2024 15:18:42 +0300 Subject: [PATCH 072/298] kbs: token: add verifier with JSON Web Keys Add a new token verifier that uses JSON Web Keys (JWK) from the configured JWK Set sources. JWK Sets can be provided locally using file:// URL schema or they can be downloaded automatically via OpenID Connect configuration URLs providing a pointer via "jwks_uri". Signed-off-by: Mikko Ylinen --- kbs/Cargo.toml | 2 +- kbs/src/token/jwk.rs | 161 +++++++++++++++++++++++++++++++++++++++++++ kbs/src/token/mod.rs | 11 ++- 3 files changed, 172 insertions(+), 2 deletions(-) create mode 100644 kbs/src/token/jwk.rs diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index a983769c56..e61283c314 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -10,7 +10,7 @@ edition.workspace = true default = ["coco-as-builtin", "resource", "opa", "rustls"] # Feature that allows to access resources from KBS -resource = ["rsa", "dep:openssl", "reqwest", "aes-gcm"] +resource = ["rsa", "dep:openssl", "reqwest", "aes-gcm", "jsonwebtoken"] # Support a backend attestation service for KBS as = [] diff --git a/kbs/src/token/jwk.rs b/kbs/src/token/jwk.rs new file mode 100644 index 0000000000..aa975e0750 --- /dev/null +++ b/kbs/src/token/jwk.rs 
@@ -0,0 +1,161 @@
+// Copyright (c) 2024 by Intel Corporation
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use crate::token::{AttestationTokenVerifier, AttestationTokenVerifierConfig};
+use anyhow::*;
+use async_trait::async_trait;
+use jsonwebtoken::{decode, decode_header, jwk, Algorithm, DecodingKey, Validation};
+use reqwest::{get, Url};
+use serde::Deserialize;
+use serde_json::Value;
+use std::fs::File;
+use std::io::BufReader;
+use std::result::Result::Ok;
+use std::str::FromStr;
+use thiserror::Error;
+
+const OPENID_CONFIG_URL_SUFFIX: &str = ".well-known/openid-configuration";
+
+#[derive(Error, Debug)]
+pub enum JwksGetError {
+ #[error("Invalid source path: {0}")]
+ SourcePath(String),
+ #[error("Failed to access source: {0}")]
+ SourceAccess(String),
+ #[error("Failed to deserialize source data: {0}")]
+ SourceDeserializeJson(String),
+}
+
+#[derive(Deserialize)]
+struct OpenIDConfig {
+ jwks_uri: String,
+}
+
+pub struct JwkAttestationTokenVerifier {
+ trusted_certs: jwk::JwkSet,
+}
+
+pub async fn get_jwks_from_file_or_url(p: &str) -> Result {
+ let mut url = Url::parse(p).map_err(|e| JwksGetError::SourcePath(e.to_string()))?;
+ match url.scheme() {
+ "https" => {
+ url.set_path(OPENID_CONFIG_URL_SUFFIX);
+
+ let oidc = get(url.as_str())
+ .await
+ .map_err(|e| JwksGetError::SourceAccess(e.to_string()))?
+ .json::()
+ .await
+ .map_err(|e| JwksGetError::SourceDeserializeJson(e.to_string()))?;
+
+ let jwkset = get(oidc.jwks_uri)
+ .await
+ .map_err(|e| JwksGetError::SourceAccess(e.to_string()))?
+ .json::()
+ .await
+ .map_err(|e| JwksGetError::SourceDeserializeJson(e.to_string()))?;
+
+ Ok(jwkset)
+ }
+ "file" => {
+ let file = File::open(url.path())
+ .map_err(|e| JwksGetError::SourceAccess(format!("open {}: {}", url.path(), e)))?;
+
+ serde_json::from_reader(BufReader::new(file))
+ .map_err(|e| JwksGetError::SourceDeserializeJson(e.to_string()))
+ }
+ _ => Err(JwksGetError::SourcePath(format!(
+ "unsupported scheme {} (must be either file or https)",
+ url.scheme()
+ ))),
+ }
+}
+
+impl JwkAttestationTokenVerifier {
+ pub async fn new(config: &AttestationTokenVerifierConfig) -> Result {
+ let mut trusted_certs = jwk::JwkSet { keys: Vec::new() };
+
+ for path in config.trusted_certs_paths.iter() {
+ match get_jwks_from_file_or_url(path).await {
+ Ok(mut jwkset) => trusted_certs.keys.append(&mut jwkset.keys),
+ Err(e) => log::warn!("error getting JWKS: {:?}", e),
+ }
+ }
+
+ Ok(Self { trusted_certs })
+ }
+}
+
+#[async_trait]
+impl AttestationTokenVerifier for JwkAttestationTokenVerifier {
+ async fn verify(&self, token: String) -> Result {
+ if self.trusted_certs.keys.is_empty() {
+ bail!("Cannot verify token since trusted JWK Set is empty");
+ };
+
+ let kid = decode_header(&token)
+ .context("Failed to decode attestation token header")?
+ .kid
+ .ok_or(anyhow!("Failed to decode kid in the token header"))?;
+
+ let key = &self
+ .trusted_certs
+ .find(&kid)
+ .ok_or(anyhow!("Failed to find Jwk with kid {kid} in JwkSet"))?;
+
+ let key_alg = key
+ .common
+ .key_algorithm
+ .ok_or(anyhow!("Failed to find key_algorithm in Jwk"))?
+ .to_string();
+
+ let alg = Algorithm::from_str(key_alg.as_str())?;
+
+ let dkey = DecodingKey::from_jwk(key)?;
+ let token_data = decode::(&token, &dkey, &Validation::new(alg))
+ .context("Failed to decode attestation token")?;
+
+ Ok(serde_json::to_string(&token_data.claims)?)
+ } +} + +#[cfg(test)] +mod tests { + use crate::token::jwk::get_jwks_from_file_or_url; + use rstest::rstest; + + #[rstest] + #[case("https://", true)] + #[case("http://example.com", true)] + #[case("file:///does/not/exist/keys.jwks", true)] + #[case("/does/not/exist/keys.jwks", true)] + #[tokio::test] + async fn test_source_path_validation(#[case] source_path: &str, #[case] expect_error: bool) { + assert_eq!( + expect_error, + get_jwks_from_file_or_url(source_path).await.is_err() + ) + } + + #[rstest] + #[case( + "{\"keys\":[{\"kty\":\"oct\",\"alg\":\"HS256\",\"kid\":\"coco123\",\"k\":\"foobar\"}]}", + false + )] + #[case( + "{\"keys\":[{\"kty\":\"oct\",\"alg\":\"COCO42\",\"kid\":\"coco123\",\"k\":\"foobar\"}]}", + true + )] + #[tokio::test] + async fn test_source_reads(#[case] json: &str, #[case] expect_error: bool) { + let tmp_dir = tempfile::tempdir().expect("to get tmpdir"); + let jwks_file = tmp_dir.path().join("test.jwks"); + + let _ = std::fs::write(&jwks_file, json).expect("to get testdata written to tmpdir"); + + let p = "file://".to_owned() + jwks_file.to_str().expect("to get path as str"); + + assert_eq!(expect_error, get_jwks_from_file_or_url(&p).await.is_err()) + } +} diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index 19afed5b92..5f4ab6fb97 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -10,6 +10,7 @@ use strum::EnumString; use tokio::sync::RwLock; mod coco; +mod jwk; #[async_trait] pub trait AttestationTokenVerifier { @@ -22,6 +23,7 @@ pub trait AttestationTokenVerifier { pub enum AttestationTokenVerifierType { #[default] CoCo, + Jwk, } #[derive(Deserialize, Debug, Clone)] 
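Review bot: In the `https` arm of `get_jwks_from_file_or_url`, `get(oidc.jwks_uri)` fetches whatever URL the OpenID configuration document names, without parsing it or checking its scheme. The function rejects a non-https configured source (the `http://example.com` test case expects an error), but the same rule is not applied to the `jwks_uri` hop, so the keys that decide which tokens are trusted could be loaded over plain http. I would parse `jwks_uri` with `Url::parse` and return `JwksGetError::SourcePath` unless its scheme is `https` before the second `get`. Whether the host should also be tied to the configured source is a policy decision worth recording in a comment next to the check.

```rust
// … unchanged: fetch the OpenID configuration and deserialize it into `oidc` …

// The discovery document is remote input: hold its key URL to the same
// https-only rule as the configured source before fetching the JWK Set.
let jwks_url = Url::parse(&oidc.jwks_uri)
    .map_err(|e| JwksGetError::SourcePath(e.to_string()))?;
if jwks_url.scheme() != "https" {
    return Err(JwksGetError::SourcePath(format!(
        "jwks_uri must use https, got {}",
        jwks_url.scheme()
    )));
}

let jwkset = get(jwks_url)
// … unchanged: await, error mapping and JSON deserialization of the JWK Set …
```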
@@ -29,7 +31,10 @@ pub struct AttestationTokenVerifierConfig { #[serde(default)] pub attestation_token_type: AttestationTokenVerifierType, - // Trusted Certificates file (PEM format) path to verify Attestation Token Signature. + /// Trusted Certificates file (PEM format) path (for "CoCo") or a valid Url + /// (file:// and https:// schemes accepted) pointing to a local JWKSet file + /// or to an OpenID configuration url giving a pointer to JWKSet certificates + /// (for "Jwk") to verify Attestation Token Signature. #[serde(default)] pub trusted_certs_paths: Vec, } @@ -42,5 +47,9 @@ pub async fn create_token_verifier( coco::CoCoAttestationTokenVerifier::new(&config)?, )) as Arc>), + AttestationTokenVerifierType::Jwk => Ok(Arc::new(RwLock::new( + jwk::JwkAttestationTokenVerifier::new(&config).await?, + )) + as Arc>), } } From a6bd23945a712171647c8bd9bf87573a7664aea7 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Mon, 2 Sep 2024 14:29:31 +0300 Subject: [PATCH 073/298] kbs: token: make jwk tokenverifier public Signed-off-by: Mikko Ylinen --- kbs/src/token/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index 5f4ab6fb97..30f5090617 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -10,7 +10,7 @@ use strum::EnumString; use tokio::sync::RwLock; mod coco; -mod jwk; +pub(crate) mod jwk; #[async_trait] pub trait AttestationTokenVerifier { From 7afd2a806b9385ca0cda0b637822fa593312d363 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 30 Aug 2024 11:31:42 +0300 Subject: [PATCH 074/298] ita: use AttestationTokenVerifier Signed-off-by: Mikko Ylinen --- kbs/Cargo.toml | 4 +- .../kbs-config-intel-trust-authority.toml | 5 +- .../attestation/intel_trust_authority/mod.rs | 58 ++++++++----------- kbs/src/attestation/mod.rs | 4 +- kbs/src/bin/kbs.rs | 2 +- 5 files changed, 32 insertions(+), 41 deletions(-) diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index e61283c314..b0f2e2976a 100644 
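Review bot: The new doc comment on `trusted_certs_paths` describes the https form as "an OpenID configuration url", but `get_jwks_from_file_or_url` in jwk.rs runs `url.set_path(OPENID_CONFIG_URL_SUFFIX);` on it, which replaces whatever path the configured value carried. An operator who writes a full discovery URL, or an issuer URL with a path component, therefore gets a request to a different location than the one in the config file. I would spell that out in the comment, for example `/// For "Jwk": a file:// URL of a local JWK Set, or an https:// base URL whose path is replaced by .well-known/openid-configuration; keys are then fetched from that document's jwks_uri.` The struct definition starts above this hunk.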
--- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -34,7 +34,7 @@ coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"] coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"] # Use Intel TA as backend attestation service -intel-trust-authority-as = ["as", "reqwest", "jsonwebtoken"] +intel-trust-authority-as = ["as", "reqwest", "resource"] # Use pure rust crypto stack for KBS rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"] @@ -88,4 +88,4 @@ tempfile.workspace = true rstest.workspace = true [build-dependencies] -tonic-build = { workspace = true, optional = true } \ No newline at end of file +tonic-build = { workspace = true, optional = true } diff --git a/kbs/config/kbs-config-intel-trust-authority.toml b/kbs/config/kbs-config-intel-trust-authority.toml index df70b71b6c..48d435b64f 100644 --- a/kbs/config/kbs-config-intel-trust-authority.toml +++ b/kbs/config/kbs-config-intel-trust-authority.toml @@ -2,9 +2,10 @@ insecure_http = true insecure_api = true [attestation_token_config] -attestation_token_type = "CoCo" +attestation_token_type = "Jwk" +trusted_certs_paths = ["https://portal.trustauthority.intel.com"] [intel_trust_authority_config] base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." -certs_file = "/etc/intel-trust-authority-certs.txt" +certs_file = "https://portal.trustauthority.intel.com" diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 616b036bac..812c78c6d0 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs 
@@ -3,17 +3,17 @@ // SPDX-License-Identifier: Apache-2.0 use super::Attest; +use crate::token::{ + jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig, + AttestationTokenVerifierType, +}; use anyhow::*; use async_trait::async_trait; use base64::{engine::general_purpose::STANDARD, Engine}; -use jsonwebtoken::{decode, decode_header, jwk, Algorithm, DecodingKey, Validation}; use kbs_types::{Attestation, Tee}; use reqwest::header::{ACCEPT, CONTENT_TYPE}; use serde::{Deserialize, Serialize}; use serde_json::json; -use std::fs::File; -use std::io::BufReader; -use std::str::FromStr; #[derive(Deserialize, Debug)] struct IntelTrustAuthorityTeeEvidence { @@ -53,7 +53,7 @@ pub struct IntelTrustAuthorityConfig { pub struct IntelTrustAuthority { config: IntelTrustAuthorityConfig, - certs: jwk::JwkSet, + token_verifier: JwkAttestationTokenVerifier, } #[async_trait] 
@@ -109,35 +109,23 @@ impl Attest for IntelTrustAuthority { body.error ); } - - // get token kid let resp_data = resp .json::() .await - .map_err(|e| anyhow!("Deserialize attestation response failed: {:?}", e))?; - let header = decode_header(&resp_data.token) - .map_err(|e| anyhow!("Decode token header failed: {:?}", e))?; - let kid = header.kid.ok_or(anyhow!("Token missing kid"))?; - - log::debug!("token={}", &resp_data.token); - - // find jwk - let key = self.certs.find(&kid).ok_or(anyhow!("Find jwk failed"))?; - let alg = key - .common - .key_algorithm - .ok_or(anyhow!("Get jwk alg failed"))? - .to_string(); - - let alg = Algorithm::from_str(alg.as_str())?; - // verify and decode token - let dkey = DecodingKey::from_jwk(&key)?; - let token = decode::(&resp_data.token, &dkey, &Validation::new(alg)) - .map_err(|e| anyhow!("Decode token failed: {:?}", e))?; + .context("Failed to deserialize attestation response")?; + + let token = self + .token_verifier + .verify(resp_data.token.clone()) + .await + .context("Failed to verify attestation token")?; + + let claims = serde_json::from_str::(&token) + .context("Failed to deserialize attestation token claims")?; // check unmatched policy let allow = self.config.allow_unmatched_policy.unwrap_or(false); - if !allow && token.claims.policy_ids_unmatched.is_some() { + if !allow && claims.policy_ids_unmatched.is_some() { bail!("Evidence doesn't match policy"); } 
@@ -146,15 +134,17 @@ impl Attest for IntelTrustAuthority { } impl IntelTrustAuthority { - pub fn new(config: IntelTrustAuthorityConfig) -> Result { - let file = File::open(&config.certs_file) - .map_err(|e| anyhow!("Open certs file failed: {:?}", e))?; - let reader = BufReader::new(file); + pub async fn new(config: IntelTrustAuthorityConfig) -> Result { + let token_verifier = JwkAttestationTokenVerifier::new(&AttestationTokenVerifierConfig { + attestation_token_type: AttestationTokenVerifierType::Jwk, + trusted_certs_paths: vec![config.certs_file.clone()], + }) + .await + .context("Failed to initialize token verifier")?; Ok(Self { config: config.clone(), - certs: serde_json::from_reader(reader) - .map_err(|e| anyhow!("Deserialize certs failed: {:?}", e))?, + token_verifier, }) } } diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index e306f78039..b49dfa1061 100644 --- a/kbs/src/attestation/mod.rs +++ b/kbs/src/attestation/mod.rs @@ -98,8 +98,8 @@ impl AttestationService { /// Create and initialize AttestationService. #[cfg(feature = "intel-trust-authority-as")] - pub fn new(config: IntelTrustAuthorityConfig) -> Result { - let ta_client = intel_trust_authority::IntelTrustAuthority::new(config)?; + pub async fn new(config: IntelTrustAuthorityConfig) -> Result { + let ta_client = intel_trust_authority::IntelTrustAuthority::new(config).await?; Ok(Self::IntelTA(ta_client)) } diff --git a/kbs/src/bin/kbs.rs b/kbs/src/bin/kbs.rs index b2ae1b66b4..5861e3bd37 100644 --- a/kbs/src/bin/kbs.rs +++ b/kbs/src/bin/kbs.rs 
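Review bot: `.context("Failed to initialize token verifier")` in `IntelTrustAuthority::new` looks unreachable for the failure it is meant to report, because `JwkAttestationTokenVerifier::new` in jwk.rs only logs `error getting JWKS` via `log::warn!` and still returns `Ok` with whatever keys it collected. The removed code aborted startup when the certs file could not be opened or parsed; with this change an unreachable or malformed `certs_file` yields a running service whose attestations all fail later with "Cannot verify token since trusted JWK Set is empty". That fails closed, but the misconfiguration shows up only at request time and only in a warning-level log line. If an empty key set is never a valid state for the Jwk verifier, I would add `if trusted_certs.keys.is_empty() { bail!("No trusted JWKs could be loaded"); }` before `Ok(Self { trusted_certs })` in its constructor; otherwise this caller needs a way to have the load error propagated.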
@@ -47,7 +47,7 @@ async fn main() -> Result<()> { } else if #[cfg(feature = "coco-as-grpc")] { AttestationService::new(kbs_config.grpc_config.unwrap_or_default()).await? } else if #[cfg(feature = "intel-trust-authority-as")] { - AttestationService::new(kbs_config.intel_trust_authority_config)? + AttestationService::new(kbs_config.intel_trust_authority_config).await? } else { compile_error!("Please enable at least one of the following features: `coco-as-builtin`, `coco-as-builtin-no-verifier`, `coco-as-grpc` or `intel-trust-authority-as` to continue."); } From 8522feb169ed25688b1519316a8a5b14166fb718 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 30 Aug 2024 11:42:03 +0300 Subject: [PATCH 075/298] ita: use anyhow context() Signed-off-by: Mikko Ylinen --- kbs/src/attestation/intel_trust_authority/mod.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 812c78c6d0..6ec6289eb6 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -64,10 +64,10 @@ impl Attest for IntelTrustAuthority { } // get quote let attestation = serde_json::from_str::(attestation) - .map_err(|e| anyhow!("Deserialize Attestation failed: {:?}", e))?; + .context("Failed to deserialize Attestation request")?; let evidence = serde_json::from_value::(attestation.tee_evidence) - .map_err(|e| anyhow!("Deserialize supported TEE Evidence failed: {:?}", e))?; + .context("Failed to deserialize TEE Evidence")?; let runtime_data = json!({ "tee-pubkey": attestation.tee_pubkey, @@ -82,7 +82,7 @@ impl Attest for IntelTrustAuthority { }; let attest_req_body = serde_json::to_string(&req_data) - .map_err(|e| anyhow!("Serialize attestation request body failed: {:?}", e))?; + .context("Failed to serialize attestation request body")?; // send attest request log::info!("post attestation request ..."); 
@@ -95,14 +95,14 @@ impl Attest for IntelTrustAuthority { .body(attest_req_body) .send() .await - .map_err(|e| anyhow!("Post attestation request failed: {:?}", e))?; + .context("Failed to POST attestation HTTP request")?; let status = resp.status(); if status != reqwest::StatusCode::OK { let body = resp .json::() .await - .map_err(|e| anyhow!("Deserialize error response failed: {:?}", e))?; + .context("Failed to deserialize attestation error response")?; bail!( "Attestation request failed: response status={}, message={}", status, From e37843398f66ac575c01b7adcae316eab4da2c98 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Thu, 29 Aug 2024 13:49:05 +0300 Subject: [PATCH 076/298] update CODEOWNERS Make trustee-maintainers the CODEOWNERS for this repo. This also fixes the broken syntax with org-wide teams. Signed-off-by: Mikko Ylinen --- CODEOWNERS | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 1a8873df0a..49e9e226f8 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,5 +1,2 @@ -# Global owner for changes not matched by more specific rules -* @sameo - -/kbs/ @kbs-maintainers -/attestation-service/ @attestation-service-maintainers \ No newline at end of file +# https://github.com/orgs/confidential-containers/teams/trustee-maintainers +* @confidential-containers/trustee-maintainers From f1d192edda185cdca42d5b0c5d3747512f6e67de Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 01:52:53 +0000 Subject: [PATCH 077/298] build(deps): bump wasm-bindgen from 0.2.92 to 0.2.93 Bumps [wasm-bindgen](https://github.com/rustwasm/wasm-bindgen) from 0.2.92 to 0.2.93. - [Release notes](https://github.com/rustwasm/wasm-bindgen/releases) - [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md) - [Commits](https://github.com/rustwasm/wasm-bindgen/compare/0.2.92...0.2.93) --- updated-dependencies: - dependency-name: wasm-bindgen dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7fc010cca4..a0b7a8b0be 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -6036,19 +6036,20 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.92" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8" +checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" dependencies = [ "cfg-if", + "once_cell", "wasm-bindgen-macro", ] [[package]] name = "wasm-bindgen-backend" -version = "0.2.92" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da" +checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" dependencies = [ "bumpalo", "log", 
@@ -6073,9 +6074,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.92" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726" +checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -6083,9 +6084,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.92" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7" +checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" dependencies = [ "proc-macro2", "quote", @@ -6096,9 +6097,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.92" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96" +checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" [[package]] name = "web-sys" From ebe232a7532b1d397f9e739e6659d33a73a462ff Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Mon, 9 Sep 2024 08:32:57 +0200 Subject: [PATCH 078/298] Bump az-tdx-vtpm, az-snp-vtpm, sev, base64 libraries - Bump az-tdx-vtpm from 0.6.0 to 0.7.0 - Bump az-snp-vtpm from 0.6.0 to 0.7.0 - Bump base64 from 0.22.0 to 0.22.1 - Bump sev from 3.1.1 to 4.0.0 Signed-off-by: Pawel Proskurnicki --- Cargo.lock | 164 ++++++++++++++++++--------------------- Cargo.toml | 2 +- deps/verifier/Cargo.toml | 8 +- 3 files changed, 79 insertions(+), 95 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a0b7a8b0be..4fcde3d190 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -527,7 +527,7 @@ dependencies = [ "anyhow", "assert-json-diff", "async-trait", - "base64 0.21.7", + "base64 0.22.1", "cfg-if", "clap 4.5.4", "env_logger 0.10.2", 
@@ -584,7 +584,7 @@ dependencies = [ "serde", "serde_json", "serde_with", - "sev", + "sev 3.1.1", "sha2", "strum", "tdx-attest-rs", @@ -657,19 +657,18 @@ dependencies = [ [[package]] name = "az-cvm-vtpm" -version = "0.5.3" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e2d89967f683d16dafdaacb578a2841daff9f43c856c6a6dc9939cc11272712" +checksum = "1940b5a30bbaa585acd365e329c8c4c5c119345fef81830bd5f38f2360caa7d6" dependencies = [ "bincode", "jsonwebkey", "memoffset", "openssl", - "rsa 0.9.6", "serde", "serde-big-array", "serde_json", - "sev", + "sev 3.1.1", "sha2", "thiserror", "tss-esapi", @@ -678,9 +677,9 @@ dependencies = [ [[package]] name = "az-cvm-vtpm" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1940b5a30bbaa585acd365e329c8c4c5c119345fef81830bd5f38f2360caa7d6" +checksum = "f500c98db61d29b592d51d1cf56a1d996c34f9346b8b89b28008b5403e65450a" dependencies = [ "bincode", "jsonwebkey", @@ -689,7 +688,7 @@ dependencies = [ "serde", "serde-big-array", "serde_json", - "sev", + "sev 4.0.0", "sha2", "thiserror", "tss-esapi", 
@@ -698,43 +697,43 @@ dependencies = [ [[package]] name = "az-snp-vtpm" -version = "0.5.3" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d9da68a854978d9d32cc03ba6cd4a24b1f43fafad91eb7e15578cdf9a9cbdfe7" +checksum = "7a276bcc39a8cf650ebc32941409f89c751cf8266c67f233872ac8c50ffa5405" dependencies = [ - "az-cvm-vtpm 0.5.3", + "az-cvm-vtpm 0.6.0", "bincode", "clap 4.5.4", - "openssl", "serde", - "sev", + "sev 3.1.1", "thiserror", "ureq", ] [[package]] name = "az-snp-vtpm" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a276bcc39a8cf650ebc32941409f89c751cf8266c67f233872ac8c50ffa5405" +checksum = "49473355e76f066300f14aa56c6df23b1a037bea179dbb1b582ecefc8f6fd37c" dependencies = [ - "az-cvm-vtpm 0.6.0", + "az-cvm-vtpm 0.7.0", "bincode", "clap 4.5.4", + "openssl", "serde", - "sev", + "sev 4.0.0", "thiserror", "ureq", ] [[package]] name = "az-tdx-vtpm" -version = "0.5.3" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8575eeaefa72d9591355597f5acf9b4ddee8cc19d8b03d947173ae8fcf1e8c2e" +checksum = "eb795802e685a153ea4906349c86f5760012478a72e349538dd47012409465de" dependencies = [ - "az-cvm-vtpm 0.5.3", - "base64-url 2.0.2", + "az-cvm-vtpm 0.6.0", + "base64-url", "bincode", "serde", "serde_json", @@ -745,12 +744,12 @@ dependencies = [ [[package]] name = "az-tdx-vtpm" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb795802e685a153ea4906349c86f5760012478a72e349538dd47012409465de" +checksum = "55802d75ce5ef102b03f687b220dab76a626e0ca4c79e3f4af3c544734152356" dependencies = [ - "az-cvm-vtpm 0.6.0", - "base64-url 3.0.0", + "az-cvm-vtpm 0.7.0", + "base64-url", "bincode", "serde", "serde_json", 
@@ -798,15 +797,6 @@ version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" -[[package]] -name = "base64-url" -version = "2.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb9fb9fb058cc3063b5fc88d9a21eefa2735871498a04e1650da76ed511c8569" -dependencies = [ - "base64 0.21.7", -] - [[package]] name = "base64-url" version = "3.0.0" @@ -895,6 +885,12 @@ version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2d7e60934ceec538daadb9d8432424ed043a904d8e0243f3c6446bce549a46ac" +[[package]] +name = "bitfield" +version = "0.15.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c821a6e124197eb56d907ccc2188eab1038fb919c914f47976e64dd8dbc855d1" + [[package]] name = "bitflags" version = "1.3.2" @@ -2716,7 +2712,7 @@ dependencies = [ "anyhow", "async-trait", "attestation-service", - "base64 0.21.7", + "base64 0.22.1", "cfg-if", "clap 4.5.4", "config", @@ -2756,7 +2752,7 @@ name = "kbs-client" version = "0.1.0" dependencies = [ "anyhow", - "base64 0.21.7", + "base64 0.22.1", "clap 4.5.4", "env_logger 0.10.2", "jwt-simple 0.11.9", @@ -2881,7 +2877,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.5", ] [[package]] @@ -3487,16 +3483,6 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" -[[package]] -name = "pbkdf2" -version = "0.12.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2" -dependencies = [ - "digest", - "hmac", -] - [[package]] name = "peeking_take_while" version = "0.1.2" 
@@ -3735,21 +3721,6 @@ dependencies = [ "spki 0.7.3", ] -[[package]] -name = "pkcs5" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6" -dependencies = [ - "aes", - "cbc", - "der 0.7.9", - "pbkdf2", - "scrypt", - "sha2", - "spki 0.7.3", -] - [[package]] name = "pkcs8" version = "0.9.0" @@ -3767,8 +3738,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" dependencies = [ "der 0.7.9", - "pkcs5", - "rand_core", "spki 0.7.3", ] @@ -4089,6 +4058,15 @@ dependencies = [ "cipher", ] +[[package]] +name = "rdrand" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d92195228612ac8eed47adbc2ed0f04e513a4ccb98175b6f2bd04d963b533655" +dependencies = [ + "rand_core", +] + [[package]] name = "redox_syscall" version = "0.2.16" @@ -4125,7 +4103,7 @@ dependencies = [ "anyhow", "assert-json-diff", "async-trait", - "base64 0.21.7", + "base64 0.22.1", "cfg-if", "chrono", "clap 4.5.4", @@ -4616,15 +4594,6 @@ dependencies = [ "zerocopy", ] -[[package]] -name = "salsa20" -version = "0.10.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213" -dependencies = [ - "cipher", -] - [[package]] name = "same-file" version = "1.0.6" @@ -4718,17 +4687,6 @@ dependencies = [ "syn 2.0.60", ] -[[package]] -name = "scrypt" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" -dependencies = [ - "pbkdf2", - "salsa20", - "sha2", -] - [[package]] name = "sct" version = "0.7.1" 
@@ -4943,6 +4901,32 @@ dependencies = [ "uuid", ] +[[package]] +name = "sev" +version = "4.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a97bd0b2e2d937951add10c8512a2dacc6ad29b39e5c5f26565a3e443329857d" +dependencies = [ + "base64 0.22.1", + "bincode", + "bitfield 0.15.0", + "bitflags 1.3.2", + "byteorder", + "codicon", + "dirs", + "hex", + "iocuddle", + "lazy_static", + "libc", + "openssl", + "rdrand", + "serde", + "serde-big-array", + "serde_bytes", + "static_assertions", + "uuid", +] + [[package]] name = "sgx_types" version = "1.1.5" @@ -5959,9 +5943,9 @@ dependencies = [ "asn1-rs", "assert-json-diff", "async-trait", - "az-snp-vtpm 0.5.3", - "az-tdx-vtpm 0.5.3", - "base64 0.21.7", + "az-snp-vtpm 0.7.0", + "az-tdx-vtpm 0.7.0", + "base64 0.22.1", "bincode", "byteorder", "cfg-if", @@ -5983,7 +5967,7 @@ dependencies = [ "serde_json", "serde_with", "serial_test", - "sev", + "sev 4.0.0", "sha2", "shadow-rs", "strum", diff --git a/Cargo.toml b/Cargo.toml index 0fb08e68e8..0dee36d521 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -21,7 +21,7 @@ actix-web-httpauth = "0.8.0" anyhow = "1.0" assert-json-diff = "2.0.2" async-trait = "0.1.31" -base64 = "0.21" +base64 = "0.22.1" cfg-if = "1.0.0" chrono = "0.4.19" clap = { version = "4", features = ["derive"] } diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index 1c446e3513..e65188a512 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml 
@@ -20,9 +20,9 @@ anyhow.workspace = true thiserror.workspace = true asn1-rs = { version = "0.5.1", optional = true } async-trait.workspace = true -az-snp-vtpm = { version = "0.5.3", default-features = false, features = ["verifier"], optional = true } -az-tdx-vtpm = { version = "0.5.3", default-features = false, features = ["verifier"], optional = true } -base64 = "0.21" +az-snp-vtpm = { version = "0.7.0", default-features = false, features = ["verifier"], optional = true } +az-tdx-vtpm = { version = "0.7.0", default-features = false, features = ["verifier"], optional = true } +base64 = "0.22.1" bincode = "1.3.3" byteorder = "1" cfg-if = "1.0.0" @@ -41,7 +41,7 @@ scroll = { version = "0.11.0", default-features = false, features = ["derive"], serde.workspace = true serde_json.workspace = true serde_with = { workspace = true, optional = true } -sev = { version = "3.1.1", features = ["openssl", "snp"], optional = true } +sev = { version = "4.0.0", features = ["openssl", "snp"], optional = true } sha2.workspace = true tokio = { workspace = true, optional = true } intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } From 591a01042aea1dd70279b958d023d773b09b74ad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 01:56:35 +0000 Subject: [PATCH 079/298] build(deps): bump serde_spanned from 0.6.6 to 0.6.7 Bumps [serde_spanned](https://github.com/toml-rs/toml) from 0.6.6 to 0.6.7. - [Commits](https://github.com/toml-rs/toml/compare/serde_spanned-v0.6.6...serde_spanned-v0.6.7) --- updated-dependencies: - dependency-name: serde_spanned dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4fcde3d190..3229e8ee10 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -4797,9 +4797,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "0.6.6" +version = "0.6.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79e674e01f999af37c49f70a6ede167a8a60b2503e56c5599532a65baa5969a0" +checksum = "eb5b1b31579f3811bf615c144393417496f152e12ac8b7663bf664f4a815306d" dependencies = [ "serde", ] From 90b2ecf6db148f063f4d075b9191ea4297d99349 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 02:02:13 +0000 Subject: [PATCH 080/298] build(deps): bump curl-sys from 0.4.72+curl-8.6.0 to 0.4.74+curl-8.9.0 Bumps [curl-sys](https://github.com/alexcrichton/curl-rust) from 0.4.72+curl-8.6.0 to 0.4.74+curl-8.9.0. - [Release notes](https://github.com/alexcrichton/curl-rust/releases) - [Commits](https://github.com/alexcrichton/curl-rust/compare/curl-sys-0.4.72...curl-sys-0.4.74) --- updated-dependencies: - dependency-name: curl-sys dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3229e8ee10..d4d681f646 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1458,9 +1458,9 @@ dependencies = [ [[package]] name = "curl-sys" -version = "0.4.72+curl-8.6.0" +version = "0.4.74+curl-8.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "29cbdc8314c447d11e8fd156dcdd031d9e02a7a976163e396b548c03153bc9ea" +checksum = "8af10b986114528fcdc4b63b6f5f021b7057618411046a4de2ba0f0149a097bf" dependencies = [ "cc", "libc", @@ -2877,7 +2877,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.52.5", + "windows-targets 0.48.5", ] [[package]] From b9dca0f04ad4d984ef075624ba7eff682c4d400c Mon Sep 17 00:00:00 2001 
From: "James O. D. Hunt" Date: Mon, 29 Jul 2024 11:55:56 +0100 Subject: [PATCH 081/298] kbs: ita: Set hash algorithm based on TEE type If the TEE specifies the hash algorithms it can use [1], add the appropriate hash algorithm to the returned `Challenge` [2]. For backwards compatibility, do not return the selected hash algorithm if the TEE does not provide the list of hash algorithms it can use. Partially-fixes: #242. [1] - In the optional `extra-params.supported-hash-algorithms` list. [2] - In `extra-params.selected-hash-algorithm`. Signed-off-by: James O. D. Hunt --- Cargo.lock | 28 +- attestation-service/src/lib.rs | 4 +- .../attestation/intel_trust_authority/mod.rs | 311 +++++++++++++++++- kbs/src/attestation/mod.rs | 23 +- 4 files changed, 341 insertions(+), 25 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d4d681f646..ec5867ba8c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -516,7 +516,7 @@ dependencies = [ "tempfile", "thiserror", "tokio", - "toml 0.8.15", + "toml 0.8.19", ] [[package]] @@ -2824,7 +2824,7 @@ dependencies = [ "strum", "thiserror", "tokio", - "toml 0.8.15", + "toml 0.8.19", "tonic 0.9.2", "tonic-build 0.9.2", "url", @@ -2839,11 +2839,11 @@ checksum = "d4345964bb142484797b161f473a503a434de77149dd8c7427788c6e13379388" [[package]] name = "lazy_static" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" dependencies = [ - "spin 0.5.2", + "spin 0.9.8", ] [[package]] @@ -2877,7 +2877,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.5", ] [[package]] 
@@ -5508,9 +5508,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.15" +version = "0.8.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac2caab0bf757388c6c0ae23b3293fdb463fee59434529014f85e3263b995c28" +checksum = "a1ed1f98e3fdc28d6d910e6737ae6ab1a93bf1985935a1193e68f93eeb68d24e" dependencies = [ "serde", "serde_spanned", @@ -5520,18 +5520,18 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.6.6" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4badfd56924ae69bcc9039335b2e017639ce3f9b001c393c1b2d1ef846ce2cbf" +checksum = "0dd7358ecb8fc2f8d014bf86f6f638ce72ba252a2c3a2572f2a795f1d23efb41" dependencies = [ "serde", ] [[package]] name = "toml_edit" -version = "0.22.16" +version = "0.22.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "278f3d518e152219c994ce877758516bca5e118eaed6996192a774fb9fbf0788" +checksum = "583c44c02ad26b0c3f3066fe629275e50627026c51ac2e595cca4c230ce1ce1d" dependencies = [ "indexmap 2.2.6", "serde", @@ -6322,9 +6322,9 @@ checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" [[package]] name = "winnow" -version = "0.6.13" +version = "0.6.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59b5e5f6c299a3c7890b876a2a587f3115162487e704907d9b6cd29473052ba1" +checksum = "68a9bda4691f099d435ad181000724da8e5899daa10713c2d432552b9ccd3a6f" dependencies = [ "memchr", ] diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index 7307ac77ac..d2f44ccb2a 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs 
@@ -22,7 +22,7 @@ use serde_json::{json, Value}; use serde_variant::to_variant_name; use sha2::{Digest, Sha256, Sha384, Sha512}; use std::{collections::HashMap, str::FromStr}; -use strum::{AsRefStr, EnumString}; +use strum::{AsRefStr, Display, EnumString}; use thiserror::Error; use tokio::fs; use verifier::{InitDataHash, ReportData}; @@ -30,7 +30,7 @@ use verifier::{InitDataHash, ReportData}; use crate::utils::flatten_claims; /// Hash algorithms used to calculate runtime/init data binding -#[derive(EnumString, AsRefStr)] +#[derive(Display, EnumString, AsRefStr)] pub enum HashAlgorithm { #[strum(ascii_case_insensitive)] Sha256, diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 6ec6289eb6..a87d3f4069 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -3,6 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 use super::Attest; +use crate::attestation::{generic_generate_challenge, make_nonce}; use crate::token::{ jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig, AttestationTokenVerifierType, 
@@ -10,10 +11,30 @@ use crate::token::{ use anyhow::*; use async_trait::async_trait; use base64::{engine::general_purpose::STANDARD, Engine}; +use kbs_types::Challenge; use kbs_types::{Attestation, Tee}; use reqwest::header::{ACCEPT, CONTENT_TYPE}; use serde::{Deserialize, Serialize}; use serde_json::json; +use strum::{AsRefStr, Display, EnumString}; + +const SUPPORTED_HASH_ALGORITHMS_JSON_KEY: &str = "supported-hash-algorithms"; +const SELECTED_HASH_ALGORITHM_JSON_KEY: &str = "selected-hash-algorithm"; + +const ERR_NO_TEE_ALGOS: &str = "ITA: TEE does not support any hash algorithms"; +const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified"; + +#[derive(Display, EnumString, AsRefStr)] +pub enum HashAlgorithm { + #[strum(ascii_case_insensitive)] + Sha256, + + #[strum(ascii_case_insensitive)] + Sha384, + + #[strum(ascii_case_insensitive)] + Sha512, +} #[derive(Deserialize, Debug)] struct IntelTrustAuthorityTeeEvidence { @@ -60,7 +81,7 @@ pub struct IntelTrustAuthority { impl Attest for IntelTrustAuthority { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result { if tee != Tee::Tdx && tee != Tee::Sgx { - bail!("Intel Trust Authority: TEE {tee:?} is not supported."); + bail!("ITA: TEE {tee:?} is not supported."); } // get quote let attestation = serde_json::from_str::(attestation) 
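Review bot: The new `pub enum HashAlgorithm` in `intel_trust_authority/mod.rs` has no doc comment and repeats the three variants and strum attributes of the `HashAlgorithm` in `attestation-service/src/lib.rs`, which this same commit also touches. Two public enums sharing one name are easy to import by mistake, and nothing here says which one defines the values sent in `selected-hash-algorithm`. If the duplication is deliberate (for example because the ITA feature builds without the attestation-service crate, which I cannot see from this hunk), record that in a doc comment such as `/// Hash algorithms the ITA backend can name in selected-hash-algorithm; emitted lower-case.`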
@@ -131,6 +152,87 @@ impl Attest for IntelTrustAuthority { Ok(resp_data.token.clone()) } + + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { + log::debug!("ITA: generate_challenge: tee: {tee:?}, tee_parameters: {tee_parameters:?}"); + + if tee_parameters.is_null() { + log::debug!( + "ITA: generate_challenge: no TEE parameters so falling back to legacy behaviour" + ); + + return generic_generate_challenge(tee, tee_parameters).await; + } + + let mut supported_hash_algorithms = vec![]; + + let Some(hash_algorithms_found) = tee_parameters.get(SUPPORTED_HASH_ALGORITHMS_JSON_KEY) + else { + log::info!("ITA: generate_challenge: no TEE hash parameters, so falling back to legacy behaviour"); + + return generic_generate_challenge(tee, tee_parameters).await; + }; + + let Some(algorithms) = hash_algorithms_found.as_array() else { + return Err(anyhow!( + "ITA: expected array, found {hash_algorithms_found:?}" + )); + }; + + let hash_algorithms: Vec = algorithms + .iter() + .filter_map(|s| Some(s.as_str()?.to_lowercase())) + .collect(); + + supported_hash_algorithms.append(&mut hash_algorithms.clone()); + + if supported_hash_algorithms.is_empty() { + log::debug!("ITA: generate_challenge: no tee algorithms available"); + + bail!(ERR_NO_TEE_ALGOS); + } + + log::debug!( + "ITA: generate_challenge: supported_hash_algorithms: {supported_hash_algorithms:?}" + ); + + let hash_algorithm: String = match tee { + Tee::Sgx => { + let needed_algorithm = HashAlgorithm::Sha256.as_ref().to_string().to_lowercase(); + + if supported_hash_algorithms.contains(&needed_algorithm) { + needed_algorithm + } else { + bail!("ITA: SGX TEE does not support {needed_algorithm}"); + } + } + Tee::Tdx => { + let needed_algorithm = HashAlgorithm::Sha512.as_ref().to_string().to_lowercase(); + + if supported_hash_algorithms.contains(&needed_algorithm) { + needed_algorithm + } else { + bail!("ITA: TDX TEE does not support {needed_algorithm}"); + } + } + _ => 
bail!(ERR_INVALID_TEE), + }; + + let extra_params = json!({ + SELECTED_HASH_ALGORITHM_JSON_KEY: hash_algorithm, + }); + + let nonce = make_nonce().await?; + + Ok(Challenge { + nonce, + extra_params, + }) + } } impl IntelTrustAuthority { 
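Review bot: In `generate_challenge`, `filter_map(|s| Some(s.as_str()?.to_lowercase()))` silently drops every non-string element of the client-supplied `supported-hash-algorithms` array, so a malformed list such as `[1, 2]` is reported as `ERR_NO_TEE_ALGOS` and a mixed list is accepted with the bad entries ignored. Because `tee_parameters` comes from the requesting attester, rejecting the malformed element explicitly gives a clearer failure, e.g. `.map(|s| s.as_str().map(str::to_lowercase).ok_or_else(|| anyhow!("ITA: expected string, found {s:?}")))` collected into a `Result<Vec<String>>`. The intermediate `supported_hash_algorithms.append(&mut hash_algorithms.clone())` can then go, since the collected vector already is the list. The `log::debug!` at the top also writes the raw client-supplied `tee_parameters` to the log, which is worth bounding or summarising.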
@@ -148,3 +250,210 @@ impl IntelTrustAuthority { }) } } + +#[cfg(test)] +mod tests { + use super::*; + use rstest::*; + use serde_json::Value; + use std::io::Write; + use tempfile::NamedTempFile; + + // Generate the contents for an ITA certificates file and return it as + // a JSON string. + fn create_certs_file_json_string() -> String { + let data = json!({ "keys": [ + { + "alg": "PS384", + "e": "AQAB", + "kid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "kty": "RSA", + "n": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "x5c": [ + 
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + 
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + 
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + ] + }, + { + "alg": "RS256", + "e": "AQAB", + "kid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "kty": "RSA", + "n": 
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "x5c": [ + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + 
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + ] + }]}).to_string(); + + data + } + + #[rstest] + #[tokio::test] + #[case( + Tee::Tdx, + json!({}), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!(null), + Ok(Challenge{ + nonce: "".into(), + extra_params: 
"".into() + }) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!(""), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: []}), + Err(anyhow!(ERR_NO_TEE_ALGOS)) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({}), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!(null), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!(""), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: []}), + Err(anyhow!(ERR_NO_TEE_ALGOS)) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string()]}), + Err(anyhow!("ITA: TDX TEE does not support sha512")) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha512.to_string()]}), + Err(anyhow!("ITA: SGX TEE does not support sha256")) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha512.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha512.to_string()})}) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string(), HashAlgorithm::Sha512.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha512.to_string()})}) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha256.to_string()})}) + )] + #[tokio::test] + #[case( + Tee::Sgx, + 
json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string(), HashAlgorithm::Sha512.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha256.to_string()})}) + )] + async fn test_ita_generate_challenge( + #[case] tee: Tee, + #[case] params: Value, + #[case] expected_result: Result, + ) { + let mut file = NamedTempFile::new().unwrap(); + let certs_file = "file://".to_owned() + &file.path().display().to_string(); + + let json = create_certs_file_json_string(); + + file.write_all(json.as_bytes()) + .expect("failed to write certs file data"); + + let cfg = IntelTrustAuthorityConfig { + base_url: "".into(), + api_key: "".into(), + certs_file, + allow_unmatched_policy: None, + }; + + let msg = format!( + "test: certs file json: {json:?}, cfg: {cfg:?}, tee: {tee:?}, params: {params:?}, expected result: {expected_result:?}" + ); + + let ita = IntelTrustAuthority::new(cfg).await.unwrap(); + + let actual_result = ita.generate_challenge(tee, params).await; + + let msg = format!("{msg}, actual result: {actual_result:?}"); + + if std::env::var("DEBUG").is_ok() { + println!("DEBUG: {}", msg); + } + + // Note: for now we simply check for error, not the type of error returned. + if expected_result.is_err() { + assert!(actual_result.is_err(), "{msg}"); + return; + } + + // Only compare the params as the nonce will have a generated value. + let expected_extra_params = expected_result + .unwrap() + .extra_params + .to_string() + .to_lowercase(); + let actual_extra_params = actual_result + .unwrap() + .extra_params + .to_string() + .to_lowercase(); + + assert_eq!(actual_extra_params, expected_extra_params, "{}", msg); + } +} diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index b49dfa1061..6141304f87 100644 --- a/kbs/src/attestation/mod.rs +++ b/kbs/src/attestation/mod.rs 
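Review bot: `test_ita_generate_challenge` lower-cases both `extra_params` strings before `assert_eq!`, so it cannot detect a change in the case of the value sent as `selected-hash-algorithm`. The expected side is built from `HashAlgorithm::Sha512.to_string()`, which strum's `Display` presumably renders as the variant name, and it matches the lower-case value the handler emits only because of that normalisation. Comparing against the exact wire value, for instance `json!({SELECTED_HASH_ALGORITHM_JSON_KEY: "sha512"})`, without `to_lowercase()` would pin what clients actually receive. The error cases are checked only with `is_err()`, so the `does not support` messages in the table are not verified. There is also no case for a non-array value or for a TEE outside SGX/TDX reaching `ERR_INVALID_TEE`.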
@@ -40,6 +40,18 @@ pub async fn make_nonce() -> Result { Ok(STANDARD.encode(&nonce)) } +pub(crate) async fn generic_generate_challenge( + _tee: Tee, + _tee_parameters: serde_json::Value, +) -> Result { + let nonce = make_nonce().await?; + + Ok(Challenge { + nonce, + extra_params: serde_json::Value::String(String::new()), + }) +} + /// Interface for Attestation Services. /// /// Attestation Service implementations should implement this interface. @@ -57,15 +69,10 @@ pub trait Attest: Send + Sync { /// generate the Challenge to pass to attester based on Tee and nonce async fn generate_challenge( &self, - _tee: Tee, - _tee_parameters: serde_json::Value, + tee: Tee, + tee_parameters: serde_json::Value, ) -> Result { - let nonce = make_nonce().await?; - - Ok(Challenge { - nonce, - extra_params: serde_json::Value::String(String::new()), - }) + generic_generate_challenge(tee, tee_parameters).await } } From 9988787267d87f010559f0ddf5a8159658c803fe Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Mon, 9 Sep 2024 09:25:10 +0200 Subject: [PATCH 082/298] ita: add support for Azure attestation using dedicated API Add support for azure tdxvm API and update attestation request body accordingly to chosen tee Signed-off-by: Pawel Proskurnicki --- Cargo.lock | 1 + kbs/Cargo.toml | 3 +- .../attestation/intel_trust_authority/mod.rs | 68 +++++++++++++++---- 3 files changed, 57 insertions(+), 15 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ec5867ba8c..9c82b4969c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2712,6 +2712,7 @@ dependencies = [ "anyhow", "async-trait", "attestation-service", + "az-cvm-vtpm 0.7.0", "base64 0.22.1", "cfg-if", "clap 4.5.4", diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index b0f2e2976a..fc0ae81091 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml 
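Review bot: `generic_generate_challenge` is now the shared legacy path, called by the trait default and by the ITA fallback, but it has no doc comment and its `_tee`/`_tee_parameters` arguments are accepted and ignored. A short doc comment would make that contract explicit, e.g. `/// Legacy challenge: a fresh nonce and an empty-string extra_params; the TEE type and its parameters are ignored.` The existing comment on the trait method (`generate the Challenge to pass to attester based on Tee and nonce`) could also mention that the default implementation delegates here.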
@@ -34,7 +34,7 @@ coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"] coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"] # Use Intel TA as backend attestation service -intel-trust-authority-as = ["as", "reqwest", "resource"] +intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"] # Use pure rust crypto stack for KBS rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"] @@ -82,6 +82,7 @@ tokio.workspace = true tonic = { workspace = true, optional = true } uuid = { version = "1.2.2", features = ["serde", "v4"] } openssl = { version = "0.10.46", optional = true } +az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true } [dev-dependencies] tempfile.workspace = true diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index a87d3f4069..91783e0939 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -10,11 +10,13 @@ use crate::token::{ }; use anyhow::*; use async_trait::async_trait; +use az_cvm_vtpm::hcl::HclReport; use base64::{engine::general_purpose::STANDARD, Engine}; use kbs_types::Challenge; use kbs_types::{Attestation, Tee}; use reqwest::header::{ACCEPT, CONTENT_TYPE}; use serde::{Deserialize, Serialize}; +use serde_json::from_value; use serde_json::json; use strum::{AsRefStr, Display, EnumString}; @@ -24,6 +26,9 @@ const SELECTED_HASH_ALGORITHM_JSON_KEY: &str = "selected-hash-algorithm"; const ERR_NO_TEE_ALGOS: &str = "ITA: TEE does not support any hash algorithms"; const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified"; +const BASE_AS_ADDR: &str = "/appraisal/v1/attest"; +const AZURE_TDXVM_ADDR: &str = "/appraisal/v1/attest/azure/tdxvm"; + #[derive(Display, EnumString, AsRefStr)] pub enum HashAlgorithm { #[strum(ascii_case_insensitive)] 
@@ -37,16 +42,24 @@ pub enum HashAlgorithm { } #[derive(Deserialize, Debug)] -struct IntelTrustAuthorityTeeEvidence { +struct ItaTeeEvidence { #[serde(skip)] _cc_eventlog: Option, quote: String, } +#[derive(Deserialize, Debug)] +struct AzItaTeeEvidence { + hcl_report: Vec, + td_quote: Vec, +} + #[derive(Serialize, Debug)] struct AttestReqData { quote: String, runtime_data: String, + #[serde(skip_serializing_if = "Option::is_none")] + user_data: Option, } #[derive(Deserialize, Debug)] @@ -80,15 +93,9 @@ pub struct IntelTrustAuthority { #[async_trait] impl Attest for IntelTrustAuthority { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result { - if tee != Tee::Tdx && tee != Tee::Sgx { - bail!("ITA: TEE {tee:?} is not supported."); - } // get quote let attestation = serde_json::from_str::(attestation) .context("Failed to deserialize Attestation request")?; - let evidence = - serde_json::from_value::(attestation.tee_evidence) - .context("Failed to deserialize TEE Evidence")?; let runtime_data = json!({ "tee-pubkey": attestation.tee_pubkey, 
@@ -96,20 +103,53 @@ impl Attest for IntelTrustAuthority { }) .to_string(); - // construct attest request data - let req_data = AttestReqData { - quote: evidence.quote, - runtime_data: STANDARD.encode(runtime_data), + // construct attest request data and attestation url + let (req_data, att_url) = match tee { + Tee::AzTdxVtpm => { + let att_url = format!("{}{AZURE_TDXVM_ADDR}", &self.config.base_url); + + let evidence = from_value::(attestation.tee_evidence) + .context(format!("Failed to deserialize TEE: {:?} Evidence", &tee))?; + + let hcl_report = HclReport::new(evidence.hcl_report.clone())?; + + let req_data = AttestReqData { + quote: STANDARD.encode(evidence.td_quote), + runtime_data: STANDARD.encode(hcl_report.var_data()), + user_data: Some(STANDARD.encode(runtime_data)), + }; + + (req_data, att_url) + } + Tee::Tdx | Tee::Sgx => { + let att_url = format!("{}{BASE_AS_ADDR}", &self.config.base_url); + + let evidence = from_value::(attestation.tee_evidence) + .context(format!("Failed to deserialize TEE: {:?} Evidence", &tee))?; + + let req_data = AttestReqData { + quote: evidence.quote, + runtime_data: STANDARD.encode(runtime_data), + user_data: None, + }; + + (req_data, att_url) + } + _ => { + bail!("Intel Trust Authority: TEE {tee:?} is not supported."); + } }; let attest_req_body = serde_json::to_string(&req_data) .context("Failed to serialize attestation request body")?; // send attest request - log::info!("post attestation request ..."); + log::info!("POST attestation request ..."); + log::debug!("Attestation URL: {:?}", &att_url); + let client = reqwest::Client::new(); let resp = client - .post(format!("{}/appraisal/v1/attest", &self.config.base_url)) + .post(att_url) .header(CONTENT_TYPE, "application/json") .header(ACCEPT, "application/json") .header("x-api-key", &self.config.api_key) 
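Review bot: In the `Tee::AzTdxVtpm` arm the JSON holding `nonce` and `tee-pubkey` is sent only as `user_data`, while `runtime_data` becomes `hcl_report.var_data()`; nothing in this hunk checks locally that the evidence is bound to this session's nonce, so freshness depends entirely on how the remote endpoint relates `user_data` to the quote. I cannot tell from the hunk whether it does; a comment stating the expected binding, e.g. `// ITA must verify user_data against the HCL runtime claims; otherwise the nonce is not bound to the quote`, plus a test on the returned token would document it. Separately, the fallback arm reintroduces the `Intel Trust Authority:` prefix that the previous commit shortened to `ITA:`, and `HclReport::new(evidence.hcl_report.clone())?` clones a vector that is not used again and propagates its error without `.context(...)`. `verify` starts and ends outside this hunk.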
@@ -201,7 +241,7 @@ impl Attest for IntelTrustAuthority { ); let hash_algorithm: String = match tee { - Tee::Sgx => { + Tee::Sgx | Tee::AzTdxVtpm => { let needed_algorithm = HashAlgorithm::Sha256.as_ref().to_string().to_lowercase(); if supported_hash_algorithms.contains(&needed_algorithm) { From dc446787190f8248f1499cfa861e03b87dd5baf4 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Tue, 10 Sep 2024 14:43:23 +0300 Subject: [PATCH 083/298] kbs: add k8s kustomization for ITA Signed-off-by: Mikko Ylinen --- kbs/config/kubernetes/ita/kbs-config.toml | 14 +++++++ kbs/config/kubernetes/ita/kustomization.yaml | 20 ++++++++++ kbs/config/kubernetes/ita/policy.rego | 42 ++++++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 kbs/config/kubernetes/ita/kbs-config.toml create mode 100644 kbs/config/kubernetes/ita/kustomization.yaml create mode 100644 kbs/config/kubernetes/ita/policy.rego diff --git a/kbs/config/kubernetes/ita/kbs-config.toml b/kbs/config/kubernetes/ita/kbs-config.toml new file mode 100644 index 0000000000..0bba5e3f2c --- /dev/null +++ b/kbs/config/kubernetes/ita/kbs-config.toml @@ -0,0 +1,14 @@ +sockets = ["0.0.0.0:8080"] +auth_public_key = "/kbs/kbs.pem" +# Ideally we should use some solution like cert-manager to issue let's encrypt based certificate: +# https://cert-manager.io/docs/configuration/acme/ +insecure_http = true + +[attestation_token_config] +attestation_token_type = "Jwk" +trusted_certs_paths = ["https://portal.trustauthority.intel.com"] + +[intel_trust_authority_config] +base_url = "https://api.trustauthority.intel.com" +api_key = "tBfd5kKX2x9ahbodKV1..." +certs_file = "https://portal.trustauthority.intel.com" diff --git a/kbs/config/kubernetes/ita/kustomization.yaml b/kbs/config/kubernetes/ita/kustomization.yaml new file mode 100644 index 0000000000..b802699558 --- /dev/null +++ b/kbs/config/kubernetes/ita/kustomization.yaml 
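Review bot: Adding `Tee::AzTdxVtpm` to the `Tee::Sgx` arm means an Azure TDX vTPM attester that does not list sha256 will, judging by the arm's body as added in the previous commit, receive the error `ITA: SGX TEE does not support ...`, which names the wrong TEE. Formatting the TEE into the message, e.g. `bail!("ITA: {tee:?} TEE does not support {needed_algorithm}");`, keeps it accurate for both. No `Tee::AzTdxVtpm` case is added to `test_ita_generate_challenge` in this commit. The `bail!` line itself lies outside this hunk.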
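Review bot: `api_key` is set inline in `kbs-config.toml`, and the accompanying `kustomization.yaml` loads this file through `configMapGenerator`, so a real Intel Trust Authority key filled in here ends up in a ConfigMap rather than a Secret. The sample value `tBfd5kKX2x9ahbodKV1...` also reads like a truncated real key; an unmistakable placeholder such as `api_key = "<YOUR_ITA_API_KEY>"`, with a comment pointing to a Secret-backed mount, would be safer. `insecure_http = true` on `0.0.0.0:8080` serves the KBS over plain HTTP on all interfaces; the existing comment hints at this, but it should state outright that TLS has to be terminated in front of the service before production use.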
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+images:
+- name: ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.9.0
+ newTag: ita-as-v0.9.0
+
+resources:
+- ../overlays/x86_64
+
+configMapGenerator:
+- name: kbs-config
+ behavior: replace
+ files:
+ - kbs-config.toml
+- name: policy-config
+ behavior: replace
+ files:
+ - policy.rego
diff --git a/kbs/config/kubernetes/ita/policy.rego b/kbs/config/kubernetes/ita/policy.rego
new file mode 100644
index 0000000000..3c179197d2
--- /dev/null
+++ b/kbs/config/kubernetes/ita/policy.rego
@@ -0,0 +1,42 @@
+# Resource Policy
+# ---------------
+#
+# The resource policy of KBS is to make a strategic decision on
+# whether the requester has access to resources based on the
+# input Attestation Claims (including tee-pubkey, tcb-status, and other information)
+# and KBS Resource Path.
+#
+# The format of the resource path data is:
+# ```
+# {
+# "resource-path":
+# }
+# ```
+#
+# The variable is a KBS resource path,
+# which is required to be a string in three segment path format://,
+# for example: "my'repo/License/key".
+#
+# The format of Attestation Claims Input is defined by the attestation service,
+# and its format may look like the following:
+# ```
+# {
+# "tee-pubkey": "",
+# "tcb-status": {
+# "productId": “”,
+# "svn": “”,
+# ……
+# }
+# ……
+# }
+# ```
+# NB: beware of the differences when re-using CoCo-AS rego policies with ITA
+# tokens.
+
+package policy
+
+default allow = false
+
+allow {
+ input["attester_type"] != "sample"
+}
From 39f014e4d42fa24a37590128be6c3a0124cdbd00 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Wed, 11 Sep 2024 12:59:15 +0300
Subject: [PATCH 084/298] chore(deps): bump kms and kbs_protocol from guest-components
Signed-off-by: Mikko Ylinen
---
Cargo.lock | 201 ++++++++++++++++++++++++-----------------------------
Cargo.toml | 4 +-
2 files changed, 93 insertions(+), 112 deletions(-)
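Review bot: The `images` entry in kustomization.yaml matches on a name that already contains a tag (`...key-broker-service:built-in-as-v0.9.0`), which ties this overlay to whatever `newTag` the base sets. As far as I know kustomize leaves an image untouched when no entry matches, so a base tag bump without the same edit here would silently deploy the built-in-AS image together with the ITA configuration. Matching on the untagged name, `- name: ghcr.io/confidential-containers/key-broker-service`, and keeping `newTag: ita-as-v0.9.0` would remove that coupling. Both tags are also mutable; adding `digest: sha256:<IMAGE_DIGEST>` would make the deployed image verifiable.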
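Review bot: The only rule in policy.rego, `input["attester_type"] != "sample"`, is a deny-list. Every attester type other than "sample", including ones introduced later, is granted every resource, and neither a TCB-status claim nor the requested `resource-path` is consulted, although the header comment describes both. An allow-list such as `input["attester_type"] == "<EXPECTED_ATTESTER_TYPE>"`, combined with a check on the token's TCB-status claim, would fail closed. At minimum the header comment should state that this sample admits any non-sample attester and must be tightened before real secrets are served.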
diff --git a/Cargo.lock b/Cargo.lock index 9c82b4969c..102a151575 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -487,9 +487,9 @@ dependencies = [ [[package]] name = "async-trait" -version = "0.1.80" +version = "0.1.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6fa2087f2753a7da8cc1c0dbfcf89579dd57458e36769de5ac750b4671737ca" +checksum = "a27b8a3a6e1a44fa4c8baf1f653e4172e81486d4941f2237e20dc2d0cf4ddff1" dependencies = [ "proc-macro2", "quote", @@ -499,7 +499,7 @@ dependencies = [ [[package]] name = "attestation-agent" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" dependencies = [ "anyhow", "async-trait", @@ -507,12 +507,13 @@ dependencies = [ "base64 0.22.1", "config", "const_format", + "crypto", "kbs-types", "log", "serde", "serde_json", "sha2", - "strum", + "strum 0.26.3", "tempfile", "thiserror", "tokio", @@ -549,7 +550,7 @@ dependencies = [ "serial_test", "sha2", "shadow-rs", - "strum", + "strum 0.25.0", "testing_logger", "thiserror", "time", @@ -563,12 +564,12 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" dependencies = [ "anyhow", "async-trait", - "az-snp-vtpm 0.6.0", - "az-tdx-vtpm 0.6.0", + "az-snp-vtpm", + "az-tdx-vtpm", "base64 0.22.1", "codicon", "csv-rs", 
@@ -586,7 +587,7 @@ dependencies = [ "serde_with", "sev 3.1.1", "sha2", - "strum", + "strum 0.26.3", "tdx-attest-rs", "tempfile", "thiserror", @@ -655,26 +656,6 @@ dependencies = [ "tower-service", ] -[[package]] -name = "az-cvm-vtpm" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1940b5a30bbaa585acd365e329c8c4c5c119345fef81830bd5f38f2360caa7d6" -dependencies = [ - "bincode", - "jsonwebkey", - "memoffset", - "openssl", - "serde", - "serde-big-array", - "serde_json", - "sev 3.1.1", - "sha2", - "thiserror", - "tss-esapi", - "zerocopy", -] - [[package]] name = "az-cvm-vtpm" version = "0.7.0" @@ -695,28 +676,13 @@ dependencies = [ "zerocopy", ] -[[package]] -name = "az-snp-vtpm" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a276bcc39a8cf650ebc32941409f89c751cf8266c67f233872ac8c50ffa5405" -dependencies = [ - "az-cvm-vtpm 0.6.0", - "bincode", - "clap 4.5.4", - "serde", - "sev 3.1.1", - "thiserror", - "ureq", -] - [[package]] name = "az-snp-vtpm" version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49473355e76f066300f14aa56c6df23b1a037bea179dbb1b582ecefc8f6fd37c" dependencies = [ - "az-cvm-vtpm 0.7.0", + "az-cvm-vtpm", "bincode", "clap 4.5.4", "openssl", @@ -726,29 +692,13 @@ dependencies = [ "ureq", ] -[[package]] -name = "az-tdx-vtpm" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb795802e685a153ea4906349c86f5760012478a72e349538dd47012409465de" -dependencies = [ - "az-cvm-vtpm 0.6.0", - "base64-url", - "bincode", - "serde", - "serde_json", - "thiserror", - "ureq", - "zerocopy", -] - [[package]] name = "az-tdx-vtpm" version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "55802d75ce5ef102b03f687b220dab76a626e0ca4c79e3f4af3c544734152356" dependencies = [ - "az-cvm-vtpm 0.7.0", + "az-cvm-vtpm", "base64-url", "bincode", "serde", 
@@ -1043,7 +993,7 @@ dependencies = [ "num-traits", "serde", "wasm-bindgen", - "windows-targets 0.52.5", + "windows-targets 0.52.6", ] [[package]] @@ -1365,7 +1315,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" dependencies = [ "aes-gcm", "anyhow", @@ -1377,7 +1327,7 @@ dependencies = [ "serde", "serde_json", "sha2", - "strum", + "strum 0.26.3", "zeroize", ] @@ -2738,7 +2688,7 @@ dependencies = [ "semver", "serde", "serde_json", - "strum", + "strum 0.25.0", "tempfile", "thiserror", "time", @@ -2778,7 +2728,7 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" dependencies = [ "anyhow", "async-trait", @@ -2802,7 +2752,7 @@ dependencies = [ [[package]] name = "kms" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" dependencies = [ "anyhow", "async-trait", @@ -2822,7 +2772,7 @@ dependencies = [ "serde", "serde_json", "sha2", - "strum", + "strum 0.26.3", "thiserror", "tokio", "toml 0.8.19", 
@@ -2878,7 +2828,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.52.5", + "windows-targets 0.52.6", ] [[package]] @@ -3454,7 +3404,7 @@ dependencies = [ "libc", "redox_syscall 0.5.1", "smallvec", - "windows-targets 0.52.5", + "windows-targets 0.52.6", ] [[package]] @@ -4120,7 +4070,7 @@ dependencies = [ "sha2", "shadow-rs", "sled", - "strum", + "strum 0.25.0", "tempfile", "tokio", "tonic 0.11.0", @@ -4277,7 +4227,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" dependencies = [ "anyhow", "serde", @@ -4894,7 +4844,6 @@ dependencies = [ "iocuddle", "lazy_static", "libc", - "openssl", "serde", "serde-big-array", "serde_bytes", @@ -5139,7 +5088,16 @@ version = "0.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" dependencies = [ - "strum_macros", + "strum_macros 0.25.3", +] + +[[package]] +name = "strum" +version = "0.26.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06" +dependencies = [ + "strum_macros 0.26.4", ] [[package]] 
@@ -5155,6 +5113,19 @@ dependencies = [ "syn 2.0.60", ] +[[package]] +name = "strum_macros" +version = "0.26.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be" +dependencies = [ + "heck 0.5.0", + "proc-macro2", + "quote", + "rustversion", + "syn 2.0.60", +] + [[package]] name = "subtle" version = "2.5.0" @@ -5250,7 +5221,7 @@ checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" [[package]] name = "tdx-attest-rs" version = "0.1.2" -source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.20#621a0850fccf531a8d8131f9293a760925f55730" +source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.21#e945c58bff60bb96e4daca57b73c93f96b14418a" dependencies = [ "tdx-attest-sys", ] @@ -5258,21 +5229,22 @@ dependencies = [ [[package]] name = "tdx-attest-sys" version = "0.1.0" -source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.20#621a0850fccf531a8d8131f9293a760925f55730" +source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.21#e945c58bff60bb96e4daca57b73c93f96b14418a" dependencies = [ "bindgen 0.59.2", ] [[package]] name = "tempfile" -version = "3.10.1" +version = "3.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "85b77fafb263dd9d05cbeac119526425676db3784113aa9295c88498cbf8bff1" +checksum = "04cbcdd0c794ebb0d4cf35e88edd2f7d2c4c3e9a5a6dab322839b321c6a87a64" dependencies = [ "cfg-if", "fastrand", + "once_cell", "rustix", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -5944,8 +5916,8 @@ dependencies = [ "asn1-rs", "assert-json-diff", "async-trait", - "az-snp-vtpm 0.7.0", - "az-tdx-vtpm 0.7.0", + "az-snp-vtpm", + "az-tdx-vtpm", "base64 0.22.1", "bincode", "byteorder", 
@@ -5971,7 +5943,7 @@ dependencies = [ "sev 4.0.0", "sha2", "shadow-rs", - "strum", + "strum 0.25.0", "thiserror", "tokio", "tonic-build 0.11.0", @@ -6179,7 +6151,7 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" dependencies = [ - "windows-targets 0.52.5", + "windows-targets 0.52.6", ] [[package]] @@ -6197,7 +6169,16 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets 0.52.5", + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-sys" +version = "0.59.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b" +dependencies = [ + "windows-targets 0.52.6", ] [[package]] @@ -6217,18 +6198,18 @@ dependencies = [ [[package]] name = "windows-targets" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm 0.52.5", - "windows_aarch64_msvc 0.52.5", - "windows_i686_gnu 0.52.5", + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", "windows_i686_gnullvm", - "windows_i686_msvc 0.52.5", - "windows_x86_64_gnu 0.52.5", - "windows_x86_64_gnullvm 0.52.5", - "windows_x86_64_msvc 0.52.5", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", ] [[package]] 
@@ -6239,9 +6220,9 @@ checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" [[package]] name = "windows_aarch64_gnullvm" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" [[package]] name = "windows_aarch64_msvc" @@ -6251,9 +6232,9 @@ checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" [[package]] name = "windows_aarch64_msvc" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" [[package]] name = "windows_i686_gnu" @@ -6263,15 +6244,15 @@ checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" [[package]] name = "windows_i686_gnu" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" [[package]] name = "windows_i686_gnullvm" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" [[package]] name = "windows_i686_msvc" 
@@ -6281,9 +6262,9 @@ checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" [[package]] name = "windows_i686_msvc" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" [[package]] name = "windows_x86_64_gnu" @@ -6293,9 +6274,9 @@ checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" [[package]] name = "windows_x86_64_gnu" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" [[package]] name = "windows_x86_64_gnullvm" @@ -6305,9 +6286,9 @@ checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" [[package]] name = "windows_x86_64_gnullvm" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" [[package]] name = "windows_x86_64_msvc" @@ -6317,9 +6298,9 @@ checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" [[package]] name = "windows_x86_64_msvc" -version = "0.52.5" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" diff --git a/Cargo.toml b/Cargo.toml index 0dee36d521..6492d46677 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -29,9 +29,9 @@ config = "0.13.3" env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="cd16b445291ad401b4b53664266983f4927a370e", default-features = false } +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="1db6c3a87665dde58d0efa56f4e4af5fcd19620e", default-features = false } kbs-types = "0.7.0" -kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="cd16b445291ad401b4b53664266983f4927a370e", default-features = false } +kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="1db6c3a87665dde58d0efa56f4e4af5fcd19620e", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" From e1c66455a1a338982b373272328bcccdc67ceed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 11 Sep 2024 22:07:35 +0200 Subject: [PATCH 085/298] ita: Build the kustomization based on nodeport MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While testing on an environment as close as possible to the Kata Containers CI, I've noticed that we need to build ITA based on nodeport in order to get it working as expected there. The tests I ran earlier, in a different environment, already had this based on nodeport, but I didn't realise it while reviewing bdaa4b2185d. Signed-off-by: Fabiano Fidêncio --- kbs/config/kubernetes/ita/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/config/kubernetes/ita/kustomization.yaml b/kbs/config/kubernetes/ita/kustomization.yaml index b802699558..aee8fb824f 100644 --- a/kbs/config/kubernetes/ita/kustomization.yaml +++ b/kbs/config/kubernetes/ita/kustomization.yaml 
@@ -7,7 +7,7 @@ images: newTag: ita-as-v0.9.0 resources: -- ../overlays/x86_64 +- ../nodeport/x86_64 configMapGenerator: - name: kbs-config From 43ea3d92622a47c5872bae711826e4425183fc93 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 02:03:51 +0000 Subject: [PATCH 086/298] build(deps): bump libloading from 0.8.3 to 0.8.5 Bumps [libloading](https://github.com/nagisa/rust_libloading) from 0.8.3 to 0.8.5. - [Commits](https://github.com/nagisa/rust_libloading/compare/0.8.3...0.8.5) --- updated-dependencies: - dependency-name: libloading dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 102a151575..0ad4e0037e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2662,7 +2662,7 @@ dependencies = [ "anyhow", "async-trait", "attestation-service", - "az-cvm-vtpm 0.7.0", + "az-cvm-vtpm", "base64 0.22.1", "cfg-if", "clap 4.5.4", @@ -2823,12 +2823,12 @@ dependencies = [ [[package]] name = "libloading" -version = "0.8.3" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" +checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.52.6", + "windows-targets 0.48.5", ] [[package]] From 41eb812ab12dc784e24e755acc03d8bc75ef2ccc Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 12 Sep 2024 22:08:08 +0800 Subject: [PATCH 087/298] chore: update guest-components to v0.10.0 Signed-off-by: Xynnn007 --- Cargo.lock | 24 ++++++++++++------------ Cargo.toml | 4 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0ad4e0037e..bbed096a78 100644 --- a/Cargo.lock +++ b/Cargo.lock 
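Review bot: Switching `resources` to `../nodeport/x86_64` presumably publishes the KBS port on every node (the overlay's contents are not part of this patch), while the kbs-config.toml in this same directory sets `insecure_http = true`. If so, attestation requests and released secrets would travel in plaintext beyond the cluster network. If NodePort is needed only for the CI-like environment the commit message mentions, a comment next to the entry such as `# nodeport is for CI/testing; put TLS in front of KBS for real deployments` would keep the overlay from being copied as-is.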
@@ -499,7 +499,7 @@ dependencies = [ [[package]] name = "attestation-agent" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" +source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" dependencies = [ "anyhow", "async-trait", @@ -564,7 +564,7 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" +source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" dependencies = [ "anyhow", "async-trait", @@ -977,9 +977,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "cfg_aliases" -version = "0.1.1" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd16c4719339c4530435d38e511904438d07cce7950afa3718a84ac36c10e89e" +checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "chrono" @@ -1315,7 +1315,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" +source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" dependencies = [ "aes-gcm", "anyhow", 
@@ -2728,7 +2728,7 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" +source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" dependencies = [ "anyhow", "async-trait", @@ -2752,7 +2752,7 @@ dependencies = [ [[package]] name = "kms" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" +source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" dependencies = [ "anyhow", "async-trait", @@ -2805,9 +2805,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.154" +version = "0.2.158" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae743338b92ff9146ce83992f766a31066a91a8c84a45e0e9f21e7cf6de6d346" +checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" [[package]] name = "libgit2-sys" @@ -3044,9 +3044,9 @@ dependencies = [ [[package]] name = "nix" -version = "0.28.0" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab2156c4fce2f8df6c499cc1c763e4394b7482525bf2a9701c9d79d215f519e4" +checksum = "71e2746dc3a24dd78b3cfcb7be93368c6de9963d30f43a6a73998a9cf4b17b46" dependencies = [ "bitflags 2.5.0", "cfg-if", 
@@ -4227,7 +4227,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e" +source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" dependencies = [ "anyhow", "serde", diff --git a/Cargo.toml b/Cargo.toml index 6492d46677..73a7bc4df4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,9 +29,9 @@ config = "0.13.3" env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="1db6c3a87665dde58d0efa56f4e4af5fcd19620e", default-features = false } +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false } kbs-types = "0.7.0" -kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="1db6c3a87665dde58d0efa56f4e4af5fcd19620e", default-features = false } +kms = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" From dc051c353ddf4b296c676f1ae2503aa5ad5b6e75 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 01:37:06 +0000 Subject: [PATCH 088/298] build(deps): bump scientific from 0.5.2 to 0.5.3 Bumps [scientific](https://github.com/alexkazik/scientific) from 0.5.2 to 0.5.3. - [Commits](https://github.com/alexkazik/scientific/commits) --- updated-dependencies: - dependency-name: scientific dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
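Review bot: In the Cargo.toml hunk, `kbs_protocol` and `kms` move from a fixed `rev=` to `tag="v0.10.0"`; a git tag can be moved upstream, so the manifest alone no longer identifies the code being built. Cargo.lock in the same commit records commit 075b9a9ee77227d9d92b6f3649ef69de5e72d204, which keeps builds stable only while they run with `--locked`; whether the release builds do so is not visible here. A comment above the two entries, such as `# v0.10.0 == 075b9a9ee77227d9d92b6f3649ef69de5e72d204; build with --locked`, would record the expected commit for reviewers.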
diff --git a/Cargo.lock b/Cargo.lock index bbed096a78..73bff2563d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4574,9 +4574,9 @@ dependencies = [ [[package]] name = "scientific" -version = "0.5.2" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc53198b8e237c451c68dba8411a1f8bd92787657689f24d67ae3d6b98c39f59" +checksum = "38a4b339a8de779ecb098a772ecbba2ace74e23ed959a5b4f30631d8bf1799a8" dependencies = [ "scientific-macro", ] From c78a5275d3c82f49bd09c972037374bd5408a2e5 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 13 Sep 2024 15:18:35 +0800 Subject: [PATCH 089/298] kbs: update kustomization yaml to v0.10.1 Signed-off-by: Xynnn007 --- kbs/config/kubernetes/base/kustomization.yaml | 2 +- kbs/config/kubernetes/ita/kustomization.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kbs/config/kubernetes/base/kustomization.yaml b/kbs/config/kubernetes/base/kustomization.yaml index 999aec1d89..5446b3bc3d 100644 --- a/kbs/config/kubernetes/base/kustomization.yaml +++ b/kbs/config/kubernetes/base/kustomization.yaml @@ -5,7 +5,7 @@ namespace: coco-tenant images: - name: kbs-container-image newName: ghcr.io/confidential-containers/key-broker-service - newTag: built-in-as-v0.9.0 + newTag: built-in-as-v0.10.1 resources: - namespace.yaml diff --git a/kbs/config/kubernetes/ita/kustomization.yaml b/kbs/config/kubernetes/ita/kustomization.yaml index aee8fb824f..7715acd360 100644 --- a/kbs/config/kubernetes/ita/kustomization.yaml +++ b/kbs/config/kubernetes/ita/kustomization.yaml @@ -3,8 +3,8 @@ kind: Kustomization namespace: coco-tenant images: -- name: ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.9.0 - newTag: ita-as-v0.9.0 +- name: ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.10.1 + newTag: ita-as-v0.10.1 resources: - ../nodeport/x86_64 From 2eafac26e0530b8ca0c04a5299391f6e5ca5059a Mon Sep 17 00:00:00 2001 
From: Xynnn007 Date: Fri, 13 Sep 2024 16:04:28 +0800 Subject: [PATCH 090/298] kbs: fix release helper script - fix the ITA kbs docker image pushing - add latest tag for released images Signed-off-by: Xynnn007 --- hack/release-helper.sh | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/hack/release-helper.sh b/hack/release-helper.sh index a463083a38..94fc32329f 100755 --- a/hack/release-helper.sh +++ b/hack/release-helper.sh @@ -11,18 +11,15 @@ declare -g release_tag declare -A staged_to_release=( ["staged-images/kbs"]="key-broker-service" ["staged-images/kbs-grpc-as"]="key-broker-service" - ["staged-images/kbs-ita-as"]="key-broker-service" ["staged-images/rvps"]="reference-value-provider-service" ["staged-images/coco-as-grpc"]="attestation-service" ["staged-images/coco-as-restful"]="attestation-service" ) declare -A staged_to_release_tag_prefix=( ["staged-images/kbs"]="built-in-as-" - ["staged-images/kbs-ita-as"]="ita-as-" ["staged-images/coco-as-restful"]="rest-" ) - function usage_and_exit() { echo echo "Usage:" 
@@ -109,7 +106,21 @@ function tag_and_push_packages() { --amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-x86_64 \ --amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-s390x docker manifest push ${ghcr_repo}/${release_pkg_name}:${release_tag_full} + + docker manifest create ${ghcr_repo}/${release_pkg_name}:${release_tag_full} \ + --amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-x86_64 \ + --amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-s390x + docker manifest push ${ghcr_repo}/${release_pkg_name}:latest done + + # Push ITA + docker pull ${ghcr_repo}/staged-images/kbs-ita-as:${release_candidate_sha}-x86_64 + docker tag ${ghcr_repo}/staged-images/kbs-ita-as:${release_candidate_sha}-x86_64 \ + ${ghcr_repo}/key-broker-service:ita-as-${release_tag} + docker tag ${ghcr_repo}/staged-images/kbs-ita-as:${release_candidate_sha}-x86_64 \ + ${ghcr_repo}/key-broker-service:ita-as-${release_tag}-x86_64 + docker push ${ghcr_repo}/key-broker-service:ita-as-${release_tag} + docker push ${ghcr_repo}/key-broker-service:ita-as-${release_tag}-x86_64 } From 7010d75ddeb1ab86641dea7c5ccd11cf18f2295c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 01:40:27 +0000 Subject: [PATCH 091/298] build(deps): bump cc from 1.1.12 to 1.1.19 Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.12 to 1.1.19. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.12...cc-v1.1.19) --- updated-dependencies: - dependency-name: cc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 73bff2563d..3a1d0e29ce 100644 --- a/Cargo.lock +++ b/Cargo.lock 
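Review bot: The block added inside the loop creates the manifest list for `:${release_tag_full}` a second time and then pushes `:latest`, a list that was never created, so the push will most likely fail or publish a stale list. The create line should read `docker manifest create ${ghcr_repo}/${release_pkg_name}:latest \`. Because several staged images map to the same `release_pkg_name` (kbs and kbs-grpc-as both map to key-broker-service), `latest` would also be rewritten on each iteration and end up pointing at whichever variant ran last. The new ITA section publishes an x86_64-only image under the unsuffixed `ita-as-${release_tag}` tag without a manifest list, and none of the expansions are quoted. The function starts outside the hunk.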
@@ -951,9 +951,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.12" +version = "1.1.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68064e60dbf1f17005c2fde4d07c16d8baa506fd7ffed8ccab702d93617975c7" +checksum = "2d74707dde2ba56f86ae90effb3b43ddd369504387e718014de010cec7959800" dependencies = [ "jobserver", "libc", From e44bb3854912f7fb8e4a54819b75eec07108de2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 01:59:30 +0000 Subject: [PATCH 092/298] build(deps): bump autocfg from 1.2.0 to 1.3.0 Bumps [autocfg](https://github.com/cuviper/autocfg) from 1.2.0 to 1.3.0. - [Commits](https://github.com/cuviper/autocfg/compare/1.2.0...1.3.0) --- updated-dependencies: - dependency-name: autocfg dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3a1d0e29ce..4194810dce 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -607,9 +607,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.2.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "axum" From 8c8cfd424248f0b27676e9a47200f3fe8f08075d Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Mon, 16 Sep 2024 11:35:38 +0200 Subject: [PATCH 093/298] rvps: add missing Command use import Signed-off-by: Pawel Proskurnicki --- rvps/build.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rvps/build.rs b/rvps/build.rs index a0bec1a035..39726f8b83 100644 --- a/rvps/build.rs +++ b/rvps/build.rs 
@@ -10,7 +10,7 @@ fn real_main() -> Result<(), String> { println!("cargo:rustc-link-lib=static=cgo"); let cgo_dir = "./cgo".to_string(); - let cgo = Command::new("go") + let cgo = std::process::Command::new("go") .args([ "build", "-o", From d1eb5c66a3411c93c6e7443d6b96e590ecfe531b Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Mon, 16 Sep 2024 11:35:47 +0200 Subject: [PATCH 094/298] ita: updated certs_file property documentation Signed-off-by: Pawel Proskurnicki --- kbs/docs/config.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 5c9de577a2..2153fae270 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
@@ -144,12 +144,12 @@ The following properties can be set under the `intel_trust_authority_config` sec >This section is available only when the `intel-trust-authority-as` feature is enabled. -| Property | Type | Description | Required | Default | -|--------------------------|---------|----------------------------------------------------------------------------------------|-------------------------|---------| -| `base_url` | String | Intel Trust Authority API URL. | Yes | - | -| `api_key` | String | Intel Trust Authority API key. | Yes | - | -| `certs_file` | String | Path to an Intel Trust Authority certificates JWKS file used for token verification. | Yes | - | -| `allow_unmatched_policy` | Boolean | Determines whether to ignore the `policy_ids_unmatched` token claim. | No | false | +| Property | Type | Description | Required | Default | +|--------------------------|---------|------------------------------------------------------------------------------------------|-------------------------|---------| +| `base_url` | String | Intel Trust Authority API URL. | Yes | - | +| `api_key` | String | Intel Trust Authority API key. | Yes | - | +| `certs_file` | String | URL to an Intel Trust Authority portal or path to JWKS file used for token verification. | Yes | - | +| `allow_unmatched_policy` | Boolean | Determines whether to ignore the `policy_ids_unmatched` token claim. | No | false | Detailed [documentation](https://docs.trustauthority.intel.com). @@ -205,6 +205,10 @@ Running with Intel Trust Authority attestation service: insecure_http = true insecure_api = true +[attestation_token_config] +attestation_token_type = "Jwk" +trusted_certs_paths = ["https://portal.trustauthority.intel.com"] + [repository_config] type = "LocalFs" dir_path = "/opt/confidential-containers/kbs/repository" 
@@ -212,7 +216,7 @@ dir_path = "/opt/confidential-containers/kbs/repository" [intel_trust_authority_config] base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." -certs_file = "/etc/intel-trust-authority-certs.txt" +certs_file = "https://portal.trustauthority.intel.com" allow_unmatched_policy = true ``` From f8d73f348568bbe11202f8cd7695c2864368d3d3 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 13 Sep 2024 14:10:44 +0800 Subject: [PATCH 095/298] lint: fix lint error Signed-off-by: Xynnn007 --- attestation-service/src/token/simple.rs | 2 +- deps/verifier/src/sgx/types.rs | 14 ++++++-------- kbs/src/token/coco.rs | 4 ++-- kbs/src/token/jwk.rs | 22 +++++++++++----------- tools/kbs-client/src/main.rs | 1 + 5 files changed, 21 insertions(+), 22 deletions(-) diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs index 897d0aca0e..20c1d9652b 100644 --- a/attestation-service/src/token/simple.rs +++ b/attestation-service/src/token/simple.rs @@ -150,7 +150,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { x5c: None, }; - jwk.x5u = self.cert_url.clone(); + jwk.x5u.clone_from(&self.cert_url); if let Some(cert_chain) = self.cert_chain.clone() { let mut x5c = Vec::new(); for cert in cert_chain { diff --git a/deps/verifier/src/sgx/types.rs b/deps/verifier/src/sgx/types.rs index 19ae489ff0..138805839d 100644 --- a/deps/verifier/src/sgx/types.rs +++ b/deps/verifier/src/sgx/types.rs 
@@ -97,11 +97,10 @@ pub struct sgx_quote3_t { pub header: sgx_quote_header_t, pub report_body: sgx_report_body_t, pub signature_data_len: u32, - - /// The length of the signature data is defined by `signature_data_len`, - /// which cannot be determined at compilation time. Thus this field - /// is just marked with a `u8` slice of length 0. - pub signature_data: [u8; 0], + // TODO: add parse rule for signature_data. It's omitted here due to + // `zero_repeat_side_effects` error (see #448) + // The length of the signature data is defined by `signature_data_len`, + // which cannot be determined at compilation time. } impl fmt::Display for sgx_quote3_t { @@ -174,9 +173,8 @@ REPORT BODY " SIGNATURE -\tsignature_data_len:\t{:X?} -\tsignature_data:\t{:X?}\n", - self.signature_data_len, self.signature_data +\tsignature_data_len:\t{:X?}", + self.signature_data_len ) } } diff --git a/kbs/src/token/coco.rs b/kbs/src/token/coco.rs index 73316099bc..76e40be0c8 100644 --- a/kbs/src/token/coco.rs +++ b/kbs/src/token/coco.rs @@ -170,12 +170,12 @@ fn rs384_verify(payload: &[u8], signature: &[u8], jwk: &RsaJWK) -> Result<()> { Ok(()) } -async fn download_cert_chain(url: String, mut chain: &mut Vec) -> Result<()> { +async fn download_cert_chain(url: String, chain: &mut Vec) -> Result<()> { let res = reqwest::get(url).await?; match res.status() { reqwest::StatusCode::OK => { let pem_cert_chain = res.text().await?; - parse_pem_cert_chain(pem_cert_chain, &mut chain)?; + parse_pem_cert_chain(pem_cert_chain, chain)?; } _ => { bail!( diff --git a/kbs/src/token/jwk.rs b/kbs/src/token/jwk.rs index aa975e0750..2bb29eec6d 100644 --- a/kbs/src/token/jwk.rs +++ b/kbs/src/token/jwk.rs 
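Review bot: With the zero-length `signature_data` field removed from `sgx_quote3_t`, nothing in the type marks that `signature_data_len` describes bytes trailing the struct, and the replacement TODO does not say that the length is taken from the quote being verified. I would extend the comment so that whoever adds the parse rule bounds the length first, for example `// signature_data_len is read from the untrusted quote; check it against the remaining buffer length before touching the trailing signature bytes.` How the quote buffer is sliced today is not visible in this hunk, so this is a documentation request only.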
@@ -20,11 +20,11 @@ const OPENID_CONFIG_URL_SUFFIX: &str = ".well-known/openid-configuration"; #[derive(Error, Debug)] pub enum JwksGetError { #[error("Invalid source path: {0}")] - SourcePath(String), + InvalidSourcePath(String), #[error("Failed to access source: {0}")] - SourceAccess(String), + AccessFailed(String), #[error("Failed to deserialize source data: {0}")] - SourceDeserializeJson(String), + DeserializeSource(String), } #[derive(Deserialize)] 
@@ -37,35 +37,35 @@ pub struct JwkAttestationTokenVerifier { } pub async fn get_jwks_from_file_or_url(p: &str) -> Result { - let mut url = Url::parse(p).map_err(|e| JwksGetError::SourcePath(e.to_string()))?; + let mut url = Url::parse(p).map_err(|e| JwksGetError::InvalidSourcePath(e.to_string()))?; match url.scheme() { "https" => { url.set_path(OPENID_CONFIG_URL_SUFFIX); let oidc = get(url.as_str()) .await - .map_err(|e| JwksGetError::SourceAccess(e.to_string()))? + .map_err(|e| JwksGetError::AccessFailed(e.to_string()))? .json::() .await - .map_err(|e| JwksGetError::SourceDeserializeJson(e.to_string()))?; + .map_err(|e| JwksGetError::DeserializeSource(e.to_string()))?; let jwkset = get(oidc.jwks_uri) .await - .map_err(|e| JwksGetError::SourceAccess(e.to_string()))? + .map_err(|e| JwksGetError::AccessFailed(e.to_string()))? .json::() .await - .map_err(|e| JwksGetError::SourceDeserializeJson(e.to_string()))?; + .map_err(|e| JwksGetError::DeserializeSource(e.to_string()))?; Ok(jwkset) } "file" => { let file = File::open(url.path()) - .map_err(|e| JwksGetError::SourceAccess(format!("open {}: {}", url.path(), e)))?; + .map_err(|e| JwksGetError::AccessFailed(format!("open {}: {}", url.path(), e)))?; serde_json::from_reader(BufReader::new(file)) - .map_err(|e| JwksGetError::SourceDeserializeJson(e.to_string())) + .map_err(|e| JwksGetError::DeserializeSource(e.to_string())) } - _ => Err(JwksGetError::SourcePath(format!( + _ => Err(JwksGetError::InvalidSourcePath(format!( "unsupported scheme {} (must be either file or https)", url.scheme() ))), diff --git a/tools/kbs-client/src/main.rs b/tools/kbs-client/src/main.rs index 0a924e53f8..178db4a447 100644 --- a/tools/kbs-client/src/main.rs +++ b/tools/kbs-client/src/main.rs @@ -80,6 +80,7 @@ struct Config { auth_private_key: PathBuf, } +#[allow(clippy::enum_variant_names)] #[derive(Subcommand)] enum ConfigCommands { /// Set attestation verification policy From 635dfde947c2cadf7a0799bfe9b9a1f260fcae7f Mon Sep 17 00:00:00 2001 
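Review bot: In the `"https"` arm of `get_jwks_from_file_or_url` the second request goes to `oidc.jwks_uri` exactly as the discovery document returned it, so the scheme check done on the configured URL does not cover the location the verification keys are actually fetched from. Parse and check it before the fetch: `let jwks_url = Url::parse(&oidc.jwks_uri).map_err(|e| JwksGetError::InvalidSourcePath(e.to_string()))?;` followed by `if jwks_url.scheme() != "https" { return Err(JwksGetError::InvalidSourcePath("jwks_uri must be https".into())); }`, then `get(jwks_url.as_str())`. This assumes `jwks_uri` is a `String`; the struct definition lies between the two hunks and is not shown. Both `get` calls also run without a timeout, which is worth bounding since this is called on remote input.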
From: Xynnn007 Date: Sat, 14 Sep 2024 10:50:39 +0800 Subject: [PATCH 096/298] kbs/Makefile: update lint check rule Signed-off-by: Xynnn007 --- kbs/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/Makefile b/kbs/Makefile index f1cef76e70..33d76f642d 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -86,7 +86,7 @@ check: cargo test -p kbs -p kbs-client lint: - cargo clippy -p kbs -p kbs-client -- -D warnings -A clippy::enum_variant_names -A clippy::needless_borrow + cargo clippy -p kbs -p kbs-client -- -D warnings format: cargo fmt -p kbs -p kbs-client -- --check --config format_code_in_doc_comments=true From e17d1f221677d6b19901806498680e4c2db68c68 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 01:39:26 +0000 Subject: [PATCH 097/298] build(deps): bump unicode-width from 0.1.12 to 0.1.14 Bumps [unicode-width](https://github.com/unicode-rs/unicode-width) from 0.1.12 to 0.1.14. - [Commits](https://github.com/unicode-rs/unicode-width/compare/v0.1.12...v0.1.14) --- updated-dependencies: - dependency-name: unicode-width dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4194810dce..5d76dfe7ef 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5798,9 +5798,9 @@ dependencies = [ [[package]] name = "unicode-width" -version = "0.1.12" +version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68f5e5f3158ecfd4b8ff6fe086db7c8467a2dfdac97fe420f2b7c4aa97af66d6" +checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af" [[package]] name = "unicode-xid" From f7ab1e39b5ad3142371cedb88df4c8ab52a86c80 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 01:19:54 +0000 Subject: [PATCH 098/298] build(deps): bump native-tls from 0.2.11 to 0.2.12 Bumps [native-tls](https://github.com/sfackler/rust-native-tls) from 0.2.11 to 0.2.12. - [Release notes](https://github.com/sfackler/rust-native-tls/releases) - [Changelog](https://github.com/sfackler/rust-native-tls/blob/master/CHANGELOG.md) - [Commits](https://github.com/sfackler/rust-native-tls/compare/v0.2.11...v0.2.12) --- updated-dependencies: - dependency-name: native-tls dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5d76dfe7ef..fc2b5fc7b8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3026,11 +3026,10 @@ checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" [[package]] name = "native-tls" -version = "0.2.11" +version = "0.2.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e" +checksum = "a8614eb2c83d59d1c8cc974dd3f920198647674a0a035e1af1fa58707e317466" dependencies = [ - "lazy_static", "libc", "log", "openssl", From 9377a8856d56ce08e5e86f573feba490d90c40fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 01:36:11 +0000 Subject: [PATCH 099/298] build(deps): bump k256 from 0.13.3 to 0.13.4 Bumps [k256](https://github.com/RustCrypto/elliptic-curves) from 0.13.3 to 0.13.4. - [Commits](https://github.com/RustCrypto/elliptic-curves/compare/k256/v0.13.3...k256/v0.13.4) --- updated-dependencies: - dependency-name: k256 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index fc2b5fc7b8..6bbce59a21 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2640,9 +2640,9 @@ dependencies = [ [[package]] name = "k256" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "956ff9b67e26e1a6a866cb758f12c6f8746208489e3e4a4b5580802f2f0a587b" +checksum = "f6e3919bbaa2945715f0bb6d3934a173d1e9a59ac23767fbaaef277265a7411b" dependencies = [ "cfg-if", "ecdsa", From 139c974e4e28bb0164afd8382e3c947e4912ede4 Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Fri, 27 Sep 2024 12:43:14 +0200 Subject: [PATCH 100/298] ita: updated trusted_certs_paths property documentation Updated Attestation Token Configuration section in documentation which describes supported trusted_certs_paths values: - Local PEM file - Valid URL (local and remote) pointing to JWKSet Signed-off-by: Pawel Proskurnicki --- kbs/docs/config.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 2153fae270..0659832121 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
@@ -37,10 +37,11 @@ The following properties can be set under the `attestation_token_config` section >This section is available only when the `resource` feature is enabled. -| Property | Type | Description | Required | Default | -|----------------------------|---------------|-----------------------------------------------------|----------|-----------| -| `attestation_token_config` | String | Attestation token broker type. Valid values: `CoCo` | Yes | - | -| `trusted_certs_paths` | String Array | Trusted root certificates file paths (PEM format). | No | - | +| Property | Type | Description | Required | Default | +|----------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------|----------|---------| +| `attestation_token_config` | String | Attestation token broker type. Valid values: `CoCo` | Yes | - | +| `trusted_certs_paths` | String Array | Trusted Certificates file (PEM format) or a valid Url (`file://` or `https://`) pointing to a JWKSet certificates (local or OpenID) | No | - | + If `trusted_certs_paths` is set, KBS will forcibly check the validity of the Attestation Token signature public key certificate, if not set this field, KBS will skip the verification of the certificate. From ba9d661e252951ea30f6e1f5a1da6811ae42dbf3 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Tue, 1 Oct 2024 10:17:23 +0300 Subject: [PATCH 101/298] ita: add USER_AGENT to HTTP header USER_AGENT missing was noticed being missing in a review. Add an identity for "Coco trustee kbs" originated requests. Signed-off-by: Mikko Ylinen --- kbs/src/attestation/intel_trust_authority/mod.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 91783e0939..9f5ae4c4cf 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs 
+++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -14,7 +14,7 @@ use az_cvm_vtpm::hcl::HclReport; use base64::{engine::general_purpose::STANDARD, Engine}; use kbs_types::Challenge; use kbs_types::{Attestation, Tee}; -use reqwest::header::{ACCEPT, CONTENT_TYPE}; +use reqwest::header::{ACCEPT, CONTENT_TYPE, USER_AGENT}; use serde::{Deserialize, Serialize}; use serde_json::from_value; use serde_json::json; @@ -29,6 +29,8 @@ const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified"; const BASE_AS_ADDR: &str = "/appraisal/v1/attest"; const AZURE_TDXVM_ADDR: &str = "/appraisal/v1/attest/azure/tdxvm"; +const TRUSTEE_USER_AGENT: &str = "Confidential-containers-trustee"; + #[derive(Display, EnumString, AsRefStr)] pub enum HashAlgorithm { #[strum(ascii_case_insensitive)] @@ -147,9 +149,16 @@ impl Attest for IntelTrustAuthority { log::info!("POST attestation request ..."); log::debug!("Attestation URL: {:?}", &att_url); + let user_agent = format!( + "{TRUSTEE_USER_AGENT} {}/{}", + env!("CARGO_PKG_NAME"), + env!("CARGO_PKG_VERSION") + ); + let client = reqwest::Client::new(); let resp = client .post(att_url) + .header(USER_AGENT, user_agent) .header(CONTENT_TYPE, "application/json") .header(ACCEPT, "application/json") .header("x-api-key", &self.config.api_key) From ec03c3b31cb313d63c8df258f1aa5c335b351c8a Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Wed, 2 Oct 2024 17:29:58 +0300 Subject: [PATCH 102/298] docs: add Jwk to attestation_token_config Jwk was recently added as a new Attestation Token Verifier type. Update attestation_token_config documentation accordingly. Signed-off-by: Mikko Ylinen --- kbs/docs/config.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 0659832121..6181e3d98e 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
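Review bot: The request in the last hunk is still sent through `reqwest::Client::new()`, which sets no request timeout, so a stalled Intel Trust Authority endpoint would hold the attestation call, and the caller waiting on it, open indefinitely. Building the client with a bound, `let client = reqwest::Client::builder().timeout(ITA_REQUEST_TIMEOUT).build()?;` (with `ITA_REQUEST_TIMEOUT` a new `Duration` constant next to `TRUSTEE_USER_AGENT`), would close that. The new `TRUSTEE_USER_AGENT` constant could also carry a short comment, `// Product token sent as User-Agent on requests to Intel Trust Authority.` The enclosing function starts and ends outside the hunk, so whether `?` fits its error type needs checking.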
@@ -37,10 +37,10 @@ The following properties can be set under the `attestation_token_config` section >This section is available only when the `resource` feature is enabled. -| Property | Type | Description | Required | Default | -|----------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------|----------|---------| -| `attestation_token_config` | String | Attestation token broker type. Valid values: `CoCo` | Yes | - | -| `trusted_certs_paths` | String Array | Trusted Certificates file (PEM format) or a valid Url (`file://` or `https://`) pointing to a JWKSet certificates (local or OpenID) | No | - | +| Property | Type | Description | Required | Default | +|----------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------| +| `attestation_token_config` | String | Attestation token broker type. Valid values: `CoCo`, `Jwk` | Yes | - | +| `trusted_certs_paths` | String Array | Trusted Certificates file (PEM format) for `CoCo` or a valid Url (`file://` or `https://`) pointing to a JWKSet certificates (local or OpenID) for `Jwk` | No | - | If `trusted_certs_paths` is set, KBS will forcibly check the validity of the Attestation Token signature public key certificate, From c96626bb2848b3f497619a7ea323eaebe8e790f5 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Wed, 2 Oct 2024 10:41:00 +0200 Subject: [PATCH 103/298] CI: Fix artifact names in kbs e2e test With the latest bump in the upload/download github actions, there has been a change we need to accomodate. we need to specify the artifacts in a single workflow run: https://github.com/actions/upload-artifact?tab=readme-ov-file#breaking-changes 
Signed-off-by: Magnus Kulke --- .github/workflows/kbs-e2e.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/kbs-e2e.yml b/.github/workflows/kbs-e2e.yml index 79a6d5b0fc..7c7c7e473a 100644 --- a/.github/workflows/kbs-e2e.yml +++ b/.github/workflows/kbs-e2e.yml @@ -61,6 +61,7 @@ jobs: with: path: test.tar.gz overwrite: true + name: artifacts-${{ inputs.tee }} e2e-test: needs: build-binaries @@ -68,9 +69,11 @@ jobs: steps: - name: Download artifacts uses: actions/download-artifact@v4 + with: + name: artifacts-${{ inputs.tee }} - name: Extract test folder - run: tar xzf ./artifact/test.tar.gz + run: tar xzf ./test.tar.gz - name: Set up SGX/TDX certificates cache uses: actions/cache@v4 From dec7d227981ef0df988d9abeecc57cfc9d00df9e Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Tue, 1 Oct 2024 14:53:24 +0100 Subject: [PATCH 104/298] kbs: Simplify deployment overlays The current "s390x" overlay support is currently very SE specific, whereas deploying on non-SE s390x with the sample KBS is still an important scenario for our testing without specialised hardware. This scenario deployment matches the x86_64 deployment scenario, so let's go back to having a standard deployment, with a special case for ibm-se rather to reduce duplication. Update the documentation to clarify when and where `IBM_SE_CREDS_DIR` is needed. 
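Review bot: The `uses:` lines touched and shown in these two hunks reference actions by the movable tag `@v4` (`actions/download-artifact@v4`, and `actions/cache@v4` in the context just below). Since the downloaded archive is unpacked and executed by the e2e job, I would pin each action to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/download-artifact@<full-commit-sha> # v4`, so a retagged release cannot change what runs here. The matching upload step's `uses:` line is above the first hunk and not visible, and should get the same treatment.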
Signed-off-by: stevenhorsman --- kbs/config/kubernetes/README.md | 9 ++++++++- .../kubernetes/custom_pccs/kustomization.yaml | 2 +- kbs/config/kubernetes/deploy-kbs.sh | 19 ++++++++----------- kbs/config/kubernetes/ita/kustomization.yaml | 2 +- .../{x86_64 => ibm-se}/kustomization.yaml | 2 +- .../nodeport/{s390x => ibm-se}/patch.yaml | 0 .../nodeport/{s390x => }/kustomization.yaml | 2 +- .../nodeport/{x86_64 => }/patch.yaml | 0 .../overlays/common/kustomization.yaml | 6 ------ .../{s390x => ibm-se}/kustomization.yaml | 2 +- .../overlays/{s390x => ibm-se}/patch.yaml | 0 .../overlays/{s390x => ibm-se}/pv.yaml | 0 .../overlays/{s390x => ibm-se}/pvc.yaml | 0 .../overlays/{common => }/ingress.yaml | 0 .../overlays/{x86_64 => }/kustomization.yaml | 2 +- .../overlays/{x86_64 => }/patch.yaml | 0 16 files changed, 22 insertions(+), 24 deletions(-) rename kbs/config/kubernetes/nodeport/{x86_64 => ibm-se}/kustomization.yaml (88%) rename kbs/config/kubernetes/nodeport/{s390x => ibm-se}/patch.yaml (100%) rename kbs/config/kubernetes/nodeport/{s390x => }/kustomization.yaml (88%) rename kbs/config/kubernetes/nodeport/{x86_64 => }/patch.yaml (100%) delete mode 100644 kbs/config/kubernetes/overlays/common/kustomization.yaml rename kbs/config/kubernetes/overlays/{s390x => ibm-se}/kustomization.yaml (96%) rename kbs/config/kubernetes/overlays/{s390x => ibm-se}/patch.yaml (100%) rename kbs/config/kubernetes/overlays/{s390x => ibm-se}/pv.yaml (100%) rename kbs/config/kubernetes/overlays/{s390x => ibm-se}/pvc.yaml (100%) rename kbs/config/kubernetes/overlays/{common => }/ingress.yaml (100%) rename kbs/config/kubernetes/overlays/{x86_64 => }/kustomization.yaml (96%) rename kbs/config/kubernetes/overlays/{x86_64 => }/patch.yaml (100%) diff --git a/kbs/config/kubernetes/README.md b/kbs/config/kubernetes/README.md index 67382994a9..d552f920cf 100644 --- a/kbs/config/kubernetes/README.md +++ b/kbs/config/kubernetes/README.md 
@@ -91,7 +91,10 @@ Deploy KBS by running the following command: ./deploy-kbs.sh ``` -For IBM Secure Execution (s390x), an environment variable `IBM_SE_CREDS_DIR` should be exported as follows: +When deploying trustee on an [IBM Secure Execution](https://www.ibm.com/docs/en/linux-on-systems?topic=management-secure-execution) +enabled environment, where the IBM SE verifier verifier is needed, +an environment variable `IBM_SE_CREDS_DIR` is needed that points to a directory containing extra files required for +attestation on IBM Secure Execution: ``` $ export IBM_SE_CREDS_DIR=/path/to/your/directory @@ -114,6 +117,10 @@ $ tree $IBM_SE_CREDS_DIR Please check out the [documentation](https://github.com/confidential-containers/trustee/tree/main/deps/verifier/src/se) for details. +> [!NOTE] +> For running trustee on non-TEE s390x environment using the sample verifier for non-production environments, this extra +> `IBM_SE_CREDS_DIR` environment variable is not required. + ## Check deployment Run the following command to check if the KBS is deployed successfully: diff --git a/kbs/config/kubernetes/custom_pccs/kustomization.yaml b/kbs/config/kubernetes/custom_pccs/kustomization.yaml index 4d24a667cc..f373a287f9 100644 --- a/kbs/config/kubernetes/custom_pccs/kustomization.yaml +++ b/kbs/config/kubernetes/custom_pccs/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../nodeport/x86_64 +- ../nodeport/ patches: - path: set_custom_pccs.yaml diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh index c19b51d0d7..ddd2fdf172 100755 --- a/kbs/config/kubernetes/deploy-kbs.sh +++ b/kbs/config/kubernetes/deploy-kbs.sh 
@@ -6,12 +6,11 @@ set -euo pipefail DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}" k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})" -ARCH=$(uname -m) # Fail the script if the key.bin file does not exist. -key_file="${k8s_cnf_dir}/overlays/${ARCH}/key.bin" +key_file="${k8s_cnf_dir}/overlays/key.bin" [[ -f "${key_file}" ]] || { - echo "key.bin not found at ${k8s_cnf_dir}/overlays/${ARCH}/" + echo "key.bin not found at ${k8s_cnf_dir}/overlays/" exit 1 } @@ -22,18 +21,16 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem" openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}" } -if [ "${ARCH}" == "s390x" ]; then - if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then +if [ "$(uname -m)" == "s390x" ] && [ -n "${IBM_SE_CREDS_DIR:-}" ]; then + # We are using the ibm-se overlay + echo "ibm-se overlay being used as IBM_SE_CREDS_DIR was set" + DEPLOYMENT_DIR="${DEPLOYMENT_DIR}/ibm-se" export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') - envsubst <"${k8s_cnf_dir}/overlays/s390x/pv.yaml" | kubectl apply -f - - else - echo "IBM_SE_CREDS_DIR is empty" >&2 - exit 1 - fi + envsubst <"${k8s_cnf_dir}/${DEPLOYMENT_DIR}/pv.yaml" | kubectl apply -f - fi if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then - kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}/${ARCH}" + kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}" else kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}" fi diff --git a/kbs/config/kubernetes/ita/kustomization.yaml b/kbs/config/kubernetes/ita/kustomization.yaml index 7715acd360..32c10818a2 100644 --- a/kbs/config/kubernetes/ita/kustomization.yaml +++ b/kbs/config/kubernetes/ita/kustomization.yaml @@ -7,7 +7,7 @@ images: newTag: ita-as-v0.10.1 resources: -- ../nodeport/x86_64 +- ../nodeport/ configMapGenerator: - name: kbs-config 
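Review bot: In the new ibm-se branch, `export NODE_NAME=$(kubectl get nodes ...)` hides a failing `kubectl` from `set -e`, because the exit status seen is that of `export`; `envsubst` would then render `pv.yaml` with an empty node name and apply it. Splitting it into `NODE_NAME="$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')"` and `export NODE_NAME` lets the script stop at the failure. After this change both arms of the closing `if [[ "${DEPLOYMENT_DIR}" == "nodeport" || ... ]]` run the same `kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}"`, so the conditional can be reduced to that single line. The same `export` line is carried unchanged into the later deploy-kbs.sh hunk of PATCH 107.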
diff --git a/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml b/kbs/config/kubernetes/nodeport/ibm-se/kustomization.yaml similarity index 88% rename from kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml rename to kbs/config/kubernetes/nodeport/ibm-se/kustomization.yaml index 3f844547fe..a52e20c616 100644 --- a/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml +++ b/kbs/config/kubernetes/nodeport/ibm-se/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../../overlays/x86_64 +- ../../overlays/ibm-se patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/nodeport/s390x/patch.yaml b/kbs/config/kubernetes/nodeport/ibm-se/patch.yaml similarity index 100% rename from kbs/config/kubernetes/nodeport/s390x/patch.yaml rename to kbs/config/kubernetes/nodeport/ibm-se/patch.yaml diff --git a/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml b/kbs/config/kubernetes/nodeport/kustomization.yaml similarity index 88% rename from kbs/config/kubernetes/nodeport/s390x/kustomization.yaml rename to kbs/config/kubernetes/nodeport/kustomization.yaml index 28a4fedb59..a40ff19c87 100644 --- a/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml +++ b/kbs/config/kubernetes/nodeport/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../../overlays/s390x +- ../overlays/ patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/nodeport/x86_64/patch.yaml b/kbs/config/kubernetes/nodeport/patch.yaml similarity index 100% rename from kbs/config/kubernetes/nodeport/x86_64/patch.yaml rename to kbs/config/kubernetes/nodeport/patch.yaml diff --git a/kbs/config/kubernetes/overlays/common/kustomization.yaml b/kbs/config/kubernetes/overlays/common/kustomization.yaml deleted file mode 100644 index 84ababaf4a..0000000000 --- a/kbs/config/kubernetes/overlays/common/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: coco-tenant - -resources: -- ../../base diff --git a/kbs/config/kubernetes/overlays/s390x/kustomization.yaml b/kbs/config/kubernetes/overlays/ibm-se/kustomization.yaml similarity index 96% rename from kbs/config/kubernetes/overlays/s390x/kustomization.yaml rename to kbs/config/kubernetes/overlays/ibm-se/kustomization.yaml index 24a3a1d92a..3f9443960d 100644 --- a/kbs/config/kubernetes/overlays/s390x/kustomization.yaml +++ b/kbs/config/kubernetes/overlays/ibm-se/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../common +- ../../base - pvc.yaml patches: diff --git a/kbs/config/kubernetes/overlays/s390x/patch.yaml b/kbs/config/kubernetes/overlays/ibm-se/patch.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/s390x/patch.yaml rename to kbs/config/kubernetes/overlays/ibm-se/patch.yaml diff --git a/kbs/config/kubernetes/overlays/s390x/pv.yaml b/kbs/config/kubernetes/overlays/ibm-se/pv.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/s390x/pv.yaml rename to kbs/config/kubernetes/overlays/ibm-se/pv.yaml diff --git a/kbs/config/kubernetes/overlays/s390x/pvc.yaml b/kbs/config/kubernetes/overlays/ibm-se/pvc.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/s390x/pvc.yaml rename to kbs/config/kubernetes/overlays/ibm-se/pvc.yaml diff --git a/kbs/config/kubernetes/overlays/common/ingress.yaml b/kbs/config/kubernetes/overlays/ingress.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/common/ingress.yaml rename to kbs/config/kubernetes/overlays/ingress.yaml diff --git a/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml b/kbs/config/kubernetes/overlays/kustomization.yaml similarity index 96% rename from kbs/config/kubernetes/overlays/x86_64/kustomization.yaml rename to kbs/config/kubernetes/overlays/kustomization.yaml index 9b162df589..87e40e92c6 100644 
--- a/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml +++ b/kbs/config/kubernetes/overlays/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../common +- ../base patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/overlays/x86_64/patch.yaml b/kbs/config/kubernetes/overlays/patch.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/x86_64/patch.yaml rename to kbs/config/kubernetes/overlays/patch.yaml From 9d7dec692694ba262d2f92c16b722a197ea020c2 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Mon, 7 Oct 2024 15:20:07 -0500 Subject: [PATCH 105/298] docs: fix doctest error For doctests, there is no keyword `no-run`. Doctests recognizes `no_run`, but this still compiles the code, which will fail in this case. We could fixup these examples with some hidden lines so that they compile, but since we don't really use rustdoc currently, let's just have the compiler ignore these examples. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/src/http/error.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kbs/src/http/error.rs b/kbs/src/http/error.rs index d278e2d8f3..70fd461286 100644 --- a/kbs/src/http/error.rs +++ b/kbs/src/http/error.rs @@ -84,11 +84,11 @@ pub enum Error { } /// For example, if we want to raise an error of `MissingCookie` -/// ```no-run +/// ```ignore /// raise_error!(Error::MissingCookie); /// ``` /// is short for -/// ```no-run +/// ```ignore /// return Err(Error::MissingCookie); /// ``` #[macro_export] From 3fe0e92d943e3413517b10ac83fb58ed306318df Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 01:11:32 +0000 Subject: [PATCH 106/298] build(deps): bump security-framework from 2.10.0 to 2.11.0 Bumps [security-framework](https://github.com/kornelski/rust-security-framework) from 2.10.0 to 2.11.0. - [Release notes](https://github.com/kornelski/rust-security-framework/releases) - [Commits](https://github.com/kornelski/rust-security-framework/compare/v2.10.0...v2.11.0) --- updated-dependencies: - dependency-name: security-framework dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6bbce59a21..ab32e01b6d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4669,11 +4669,11 @@ dependencies = [ [[package]] name = "security-framework" -version = "2.10.0" +version = "2.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "770452e37cad93e0a50d5abc3990d2bc351c36d0328f86cefec2f2fb206eaef6" +checksum = "c627723fd09706bacdb5cf41499e95098555af3c3c29d014dc3c458ef6be11c0" dependencies = [ - "bitflags 1.3.2", + "bitflags 2.5.0", "core-foundation", "core-foundation-sys", "libc", From d29d4867ec08a5dafedf451e79646bbfedec09ac Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Wed, 9 Oct 2024 16:33:03 +0100 Subject: [PATCH 107/298] kbs: Fix ibm-se deployment In #521 I re-worked the deploy-kbs script with overlays and didn't factor in that the key.bin needed to go to a different place for ibm-se, so it was causing: ``` trustee/kbs/config/kubernetes$ ls overlays/key.bin ls: cannot access 'overlays/key.bin': No such file or directory ``` on an SE system. I think the least bad way to resolve this is to move the ibm-se logic up before the key.bin check and rely on the updated `DEPLOYMENT_DIR` Also update the deployment doc instructions to add the ibm-se case 
Signed-off-by: stevenhorsman --- kbs/config/kubernetes/README.md | 12 ++++++++++-- kbs/config/kubernetes/deploy-kbs.sh | 21 ++++++++++++--------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/kbs/config/kubernetes/README.md b/kbs/config/kubernetes/README.md index d552f920cf..91f177904b 100644 --- a/kbs/config/kubernetes/README.md +++ b/kbs/config/kubernetes/README.md @@ -9,7 +9,11 @@ We will see how to deploy KBS (with builtin Attestation Service) on a Kubernetes Create a secret that you want to be served using this instance of KBS: ```bash -echo "This is my super secret" > overlays/$(uname -m)/key.bin +echo "This is my super secret" > overlays/key.bin +``` +or, if deploying on IBM Secure Execution run: +```bash +echo "This is my super secret" > overlays/ibm-se/key.bin ``` If you have more than one secret, copy them over to the `config/kubernetes/overlays` directory and add those to the `overlays/kustomization.yaml` file after as shown below: @@ -147,6 +151,10 @@ kbs ClusterIP 10.0.210.190 8080/TCP 4s ## Delete KBS +```bash +$ kubectl delete -k ${DEPLOYMENT_DIR}/ ``` -$ kubectl delete -k ${DEPLOYMENT_DIR}/$(uname -m) +or, if running on IBM Secure Execution run: +```bash +$ kubectl delete -k ${DEPLOYMENT_DIR}/ibm-se/ && kubectl delete pv test-local-pv ``` diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh index ddd2fdf172..6897f619c3 100755 --- a/kbs/config/kubernetes/deploy-kbs.sh +++ b/kbs/config/kubernetes/deploy-kbs.sh 
@@ -4,13 +4,23 @@ set -euo pipefail # Environment variable that defines which directory to use the kustomization file for deployment. DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}" +OVERLAYS_DIR="overlays" k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})" +if [ "$(uname -m)" == "s390x" ] && [ -n "${IBM_SE_CREDS_DIR:-}" ]; then + # We are using the ibm-se overlay + echo "ibm-se overlay being used as IBM_SE_CREDS_DIR was set" + OVERLAYS_DIR="${OVERLAYS_DIR}/ibm-se" + DEPLOYMENT_DIR="${DEPLOYMENT_DIR}/ibm-se" + export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') + envsubst <"${k8s_cnf_dir}/${OVERLAYS_DIR}/pv.yaml" | kubectl apply -f - +fi + # Fail the script if the key.bin file does not exist. -key_file="${k8s_cnf_dir}/overlays/key.bin" +key_file="${k8s_cnf_dir}/${OVERLAYS_DIR}/key.bin" [[ -f "${key_file}" ]] || { - echo "key.bin not found at ${k8s_cnf_dir}/overlays/" + echo "key.bin not found at ${k8s_cnf_dir}/${OVERLAYS_DIR}/" exit 1 } @@ -21,13 +31,6 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem" openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}" } -if [ "$(uname -m)" == "s390x" ] && [ -n "${IBM_SE_CREDS_DIR:-}" ]; then - # We are using the ibm-se overlay - echo "ibm-se overlay being used as IBM_SE_CREDS_DIR was set" - DEPLOYMENT_DIR="${DEPLOYMENT_DIR}/ibm-se" - export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') - envsubst <"${k8s_cnf_dir}/${DEPLOYMENT_DIR}/pv.yaml" | kubectl apply -f - -fi if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}" From d346bbed8ee8cad47a2393604bc15a9e4ea9e5be Mon Sep 17 00:00:00 2001 
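Review bot: `export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')` in the ibm-se block hides a failing `kubectl` from `set -e`, because the exit status of `export` replaces that of the command substitution. NODE_NAME is then empty, and `envsubst` still renders `pv.yaml` and pipes it to `kubectl apply`. Assign first, check the value, then export: `NODE_NAME="$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')"`, `[[ -n "${NODE_NAME}" ]] || { echo "no node name returned by kubectl"; exit 1; }`, `export NODE_NAME`. The block now also runs before the `key.bin` check, so the persistent volume is applied even when the script then exits because the key is missing; moving only the `OVERLAYS_DIR`/`DEPLOYMENT_DIR` assignments up would avoid that partial deployment.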
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 01:57:32 +0000 Subject: [PATCH 108/298] build(deps): bump quinn from 0.11.3 to 0.11.5 Bumps [quinn](https://github.com/quinn-rs/quinn) from 0.11.3 to 0.11.5. - [Release notes](https://github.com/quinn-rs/quinn/releases) - [Commits](https://github.com/quinn-rs/quinn/compare/quinn-0.11.3...quinn-0.11.5) --- updated-dependencies: - dependency-name: quinn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ab32e01b6d..a6c06faed1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3914,9 +3914,9 @@ dependencies = [ [[package]] name = "quinn" -version = "0.11.3" +version = "0.11.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b22d8e7369034b9a7132bc2008cac12f2013c8132b45e0554e6e20e2617f2156" +checksum = "8c7c5fdde3cdae7203427dc4f0a68fe0ed09833edc525a03456b153b79828684" dependencies = [ "bytes", "pin-project-lite", @@ -3932,9 +3932,9 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.11.6" +version = "0.11.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba92fb39ec7ad06ca2582c0ca834dfeadcaf06ddfc8e635c80aa7e1c05315fdd" +checksum = "fadfaed2cd7f389d0161bb73eeb07b7b78f8691047a6f3e73caaeae55310a4a6" dependencies = [ "bytes", "rand", From 2754479e1ecde2db5ca720fb351d8e2d222dc120 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 02:02:01 +0000 Subject: [PATCH 109/298] build(deps): bump superboring from 0.1.2 to 0.1.3 Bumps [superboring](https://github.com/jedisct1/rust-superboring) from 0.1.2 to 0.1.3. - [Release notes](https://github.com/jedisct1/rust-superboring/releases) - [Commits](https://github.com/jedisct1/rust-superboring/compare/0.1.2...0.1.3) --- updated-dependencies: - dependency-name: superboring dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a6c06faed1..99c478670a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5133,9 +5133,9 @@ checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" [[package]] name = "superboring" -version = "0.1.2" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbde97f499e51ef384f585dc8f8fb6a9c3a71b274b8d12469b516758e6540607" +checksum = "cee25cd9d145d2c1ef92a52720376eeb510c8870dfa0f84edb371901ec6a12ca" dependencies = [ "getrandom", "hmac-sha256", From bf8d3f8660f4180fd5dcdcd6da3cd20435946884 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 01:40:47 +0000 Subject: [PATCH 110/298] build(deps): bump lycheeverse/lychee-action from 1 to 2 Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 1 to 2. - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](https://github.com/lycheeverse/lychee-action/compare/v1...v2) --- updated-dependencies: - dependency-name: lycheeverse/lychee-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/link.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/link.yml b/.github/workflows/link.yml index b6ec28480a..62ec8a0d3b 100644 --- a/.github/workflows/link.yml +++ b/.github/workflows/link.yml @@ -22,7 +22,7 @@ jobs: restore-keys: cache-lychee- - name: Check links - uses: lycheeverse/lychee-action@v1 + uses: lycheeverse/lychee-action@v2 with: args: "--cache --max-cache-age 1d ." fail: true From fdda3b3bd09b2c66e6df722475de8ae407f1865a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 01:47:05 +0000 Subject: [PATCH 111/298] build(deps): bump serde_spanned from 0.6.7 to 0.6.8 Bumps [serde_spanned](https://github.com/toml-rs/toml) from 0.6.7 to 0.6.8. - [Commits](https://github.com/toml-rs/toml/compare/serde_spanned-v0.6.7...serde_spanned-v0.6.8) --- updated-dependencies: - dependency-name: serde_spanned dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 99c478670a..3dc6d64d48 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4747,9 +4747,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "0.6.7" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb5b1b31579f3811bf615c144393417496f152e12ac8b7663bf664f4a815306d" +checksum = "87607cb1398ed59d48732e575a4c28a7a8ebf2454b964fe3f224f2afc07909e1" dependencies = [ "serde", ] From 712894b080f2527e98b6992e595fab9a8c0c16a2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 01:08:40 +0000 Subject: [PATCH 112/298] build(deps): bump reqwest from 0.12.5 to 0.12.8 Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.5 to 0.12.8. - [Release notes](https://github.com/seanmonstar/reqwest/releases) - [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md) - [Commits](https://github.com/seanmonstar/reqwest/compare/v0.12.5...v0.12.8) --- updated-dependencies: - dependency-name: reqwest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 61 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 42 insertions(+), 19 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3dc6d64d48..c3561118ca 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2679,7 +2679,7 @@ dependencies = [ "prost 0.12.6", "rand", "regorus", - "reqwest 0.12.5", + "reqwest 0.12.8", "rsa 0.9.6", "rstest", "rustls 0.20.9", @@ -2709,7 +2709,7 @@ dependencies = [ "jwt-simple 0.11.9", "kbs_protocol", "log", - "reqwest 0.12.5", + "reqwest 0.12.8", "serde", "serde_json", "tokio", @@ -2738,7 +2738,7 @@ dependencies = [ "jwt-simple 0.12.9", "kbs-types", "log", - "reqwest 0.12.5", + "reqwest 0.12.8", "resource_uri", "serde", "serde_json", @@ -2766,7 +2766,7 @@ dependencies = [ "p12", "prost 0.11.9", "rand", - "reqwest 0.12.5", + "reqwest 0.12.8", "resource_uri", "ring 0.17.8", "serde", @@ -2828,7 +2828,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] 
@@ -4173,14 +4173,14 @@ dependencies = [ "wasm-bindgen-futures", "web-sys", "webpki-roots 0.25.4", - "winreg 0.50.0", + "winreg", ] [[package]] name = "reqwest" -version = "0.12.5" +version = "0.12.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c7d6d2a27d57148378eb5e111173f4276ad26340ecc5c49a4a2152167a2d6a37" +checksum = "f713147fbe92361e52392c73b8c9e48c04c6625bce969ef54dc901e58e042a7b" dependencies = [ "base64 0.22.1", "bytes", @@ -4220,7 +4220,7 @@ dependencies = [ "wasm-bindgen-futures", "web-sys", "webpki-roots 0.26.1", - "winreg 0.52.0", + "windows-registry", ] [[package]] @@ -5177,6 +5177,9 @@ name = "sync_wrapper" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394" +dependencies = [ + "futures-core", +] [[package]] name = "synstructure" @@ -6153,6 +6156,36 @@ dependencies = [ "windows-targets 0.52.6", ] +[[package]] +name = "windows-registry" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e400001bb720a623c1c69032f8e3e4cf09984deec740f007dd2b03ec864804b0" +dependencies = [ + "windows-result", + "windows-strings", + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-result" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e" +dependencies = [ + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-strings" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10" +dependencies = [ + "windows-result", + "windows-targets 0.52.6", +] + [[package]] name = "windows-sys" version = "0.48.0" 
@@ -6320,16 +6353,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "winreg" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a277a57398d4bfa075df44f501a17cfdf8542d224f0d36095a2adc7aee4ef0a5" -dependencies = [ - "cfg-if", - "windows-sys 0.48.0", -] - [[package]] name = "x509-parser" version = "0.14.0" From db9f1db14703b813e17181f94f2af14a756efe01 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Tue, 15 Oct 2024 14:15:01 +0800 Subject: [PATCH 113/298] ci: replace Rust toolchain with actions-rust-lang/setup-rust-toolchain@v1 The original way to install rust dependency will not check if rust is already installed, thus it would require `rustup` be installed on the ci machine already while self-hosted CI machine may not. We use `actions-rust-lang/setup-rust-toolchain@v1` to install rust because `actions-rs` has not been maintained for over 1 year and is archived. Signed-off-by: Xynnn007 --- .github/workflows/as-e2e.yml | 8 ++++---- .github/workflows/as-rust.yml | 8 ++++---- .github/workflows/kbs-docker-e2e.yml | 8 ++++---- .github/workflows/kbs-e2e.yml | 9 +++++---- .github/workflows/kbs-rust.yml | 9 ++++----- .github/workflows/push-kbs-client-to-ghcr.yml | 8 ++++---- 6 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/as-e2e.yml b/.github/workflows/as-e2e.yml index fde6456ee8..1ba4b9cdd0 100644 --- a/.github/workflows/as-e2e.yml +++ b/.github/workflows/as-e2e.yml @@ -35,10 +35,10 @@ jobs: - uses: actions/checkout@v4 - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) - run: | - rustup update --no-self-update ${{ env.RUSTC_VERSION }} - rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc - rustup default ${{ env.RUSTC_VERSION }} + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: ${{ env.RUSTC_VERSION }} + components: rustfmt, clippy - uses: actions/setup-go@v5 with: 
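Review bot: `uses: actions-rust-lang/setup-rust-toolchain@v1` in the as-e2e.yml hunk references a third-party action by a movable tag, so whatever that tag points to at run time executes inside the job. The same line is added in the as-rust.yml, kbs-docker-e2e.yml, kbs-e2e.yml, kbs-rust.yml and push-kbs-client-to-ghcr.yml hunks, and the last of these goes on to log in to ghcr.io. Pin the action to a reviewed commit, `uses: actions-rust-lang/setup-rust-toolchain@<full-commit-sha> # v1`, and let dependabot propose updates to the pin.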
diff --git a/.github/workflows/as-rust.yml b/.github/workflows/as-rust.yml index 858757826e..aa225e907b 100644 --- a/.github/workflows/as-rust.yml +++ b/.github/workflows/as-rust.yml @@ -58,10 +58,10 @@ jobs: sudo apt-get install -y libsgx-dcap-quote-verify-dev libsgx-dcap-default-qpl - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) - run: | - rustup update --no-self-update ${{ env.RUSTC_VERSION }} - rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustfmt rustc clippy - rustup default ${{ env.RUSTC_VERSION }} + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: ${{ env.RUSTC_VERSION }} + components: rustfmt, clippy - name: Build working-directory: attestation-service diff --git a/.github/workflows/kbs-docker-e2e.yml b/.github/workflows/kbs-docker-e2e.yml index 24f5f8863d..3d75f6f9ce 100644 --- a/.github/workflows/kbs-docker-e2e.yml +++ b/.github/workflows/kbs-docker-e2e.yml @@ -19,10 +19,10 @@ jobs: uses: actions/checkout@v4 - name: Install Rust ${{ env.RUSTC_VERSION }} (for client) - run: | - rustup update --no-self-update ${{ env.RUSTC_VERSION }} - rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc - rustup default ${{ env.RUSTC_VERSION }} + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: ${{ env.RUSTC_VERSION }} + components: rustfmt, clippy - name: Build client run: | diff --git a/.github/workflows/kbs-e2e.yml b/.github/workflows/kbs-e2e.yml index 7c7c7e473a..6ecbeecad6 100644 --- a/.github/workflows/kbs-e2e.yml +++ b/.github/workflows/kbs-e2e.yml 
@@ -33,10 +33,11 @@ jobs: run: tar xzf ./artifact/${{ inputs.tarball }} - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) - run: | - rustup update --no-self-update ${{ env.RUSTC_VERSION }} - rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc - rustup default ${{ env.RUSTC_VERSION }} + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: ${{ env.RUSTC_VERSION }} + components: rustfmt, clippy + rustflags: "" - name: Set up rust build cache uses: actions/cache@v4 diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml index f99c102a20..7207933d20 100644 --- a/.github/workflows/kbs-rust.yml +++ b/.github/workflows/kbs-rust.yml @@ -31,11 +31,10 @@ jobs: uses: actions/checkout@v4 - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) - run: | - rustup update --no-self-update ${{ env.RUSTC_VERSION }} - rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustfmt rustc clippy - rustup target add x86_64-unknown-linux-gnu - rustup default ${{ env.RUSTC_VERSION }} + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: ${{ env.RUSTC_VERSION }} + components: rustfmt, clippy - name: Building dependencies installation run: | diff --git a/.github/workflows/push-kbs-client-to-ghcr.yml b/.github/workflows/push-kbs-client-to-ghcr.yml index 49c5d35354..22d5c28d14 100644 --- a/.github/workflows/push-kbs-client-to-ghcr.yml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -25,10 +25,10 @@ jobs: uses: actions/checkout@v4 - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) - run: | - rustup update --no-self-update ${{ env.RUSTC_VERSION }} - rustup component add --toolchain ${{ env.RUSTC_VERSION }} rustc - rustup default ${{ env.RUSTC_VERSION }} + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: ${{ env.RUSTC_VERSION }} + components: rustfmt, clippy - name: Log in to ghcr.io uses: docker/login-action@v3 From fc61cb2843c8dfef5641c0b9752605c9973f2256 Mon Sep 17 00:00:00 2001 
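Review bot: `rustflags: ""` is set only in this kbs-e2e.yml step; the other five workflows changed by this commit leave the input unset. As far as I know the action's default for that input is `-D warnings`, so those jobs would start failing on compiler warnings, whereas the rustup steps they replace did not touch RUSTFLAGS. If that is not intended, add `rustflags: ""` to the other `with:` blocks as well, or add a comment on this step saying why only this job opts out.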
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 01:26:59 +0000 Subject: [PATCH 114/298] build(deps): bump futures-sink from 0.3.30 to 0.3.31 Bumps [futures-sink](https://github.com/rust-lang/futures-rs) from 0.3.30 to 0.3.31. - [Release notes](https://github.com/rust-lang/futures-rs/releases) - [Changelog](https://github.com/rust-lang/futures-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/futures-rs/compare/0.3.30...0.3.31) --- updated-dependencies: - dependency-name: futures-sink dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c3561118ca..1d267b2665 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1892,9 +1892,9 @@ dependencies = [ [[package]] name = "futures-sink" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5" +checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" [[package]] name = "futures-task" From 73ea001d4958677f6112f4dcf8f4bfe58844984e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 18 Oct 2024 01:42:18 +0000 Subject: [PATCH 115/298] build(deps): bump crossbeam-utils from 0.8.19 to 0.8.20 Bumps [crossbeam-utils](https://github.com/crossbeam-rs/crossbeam) from 0.8.19 to 0.8.20. - [Release notes](https://github.com/crossbeam-rs/crossbeam/releases) - [Changelog](https://github.com/crossbeam-rs/crossbeam/blob/master/CHANGELOG.md) - [Commits](https://github.com/crossbeam-rs/crossbeam/compare/crossbeam-utils-0.8.19...crossbeam-utils-0.8.20) --- updated-dependencies: - dependency-name: crossbeam-utils dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1d267b2665..af34bfd855 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1302,9 +1302,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.19" +version = "0.8.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "248e3bacc7dc6baa3b21e405ee045c3047101a49145e7e9eca583ab4c2ca5345" +checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80" [[package]] name = "crunchy" From 508b9ce689f426f49f4e4312911149c45babeb36 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Tue, 15 Oct 2024 15:36:10 +0200 Subject: [PATCH 116/298] verifier: verify init_data in az-*-vtpm verifiers This is in preperation for the upcoming init_data feature. On the attester equivalent we have settled for PCR8 to measure init_data into. This register is usually occupied by GRUB, since we use UKI images for peerpods this is vacant. We cannot merely compare the hash entries, since PCR registers are extend-only. PCR8 will be filled with 0s initially and extended with the init_data digest. For a given init_data the PCR will contain: ```bash sha256sum -b <(cat \ <(dd if=/dev/zero of=/dev/stdout bs=32 count=1) \ <(xxd -r -ps < /run/peerpod/initdata.digest) \ ) 1+0 records in 1+0 records out 32 bytes copied, 4.7e-05 s, 681 kB/s bddaccb9c52249e97a31baea61b7d91be8221a16e703d92148d04fb8e9c1dfdd */dev/fd/63 ``` `bdda...` is the value we want to verify. We cannot perform a simple equality check, but have to replay the extend operation. that's also why the checks have to be somewhat local to a TEE verifier implementation. An option would be an overrideable default on the Verifier Trait. If we later move the init_data verification to a more generic place, we would call a verifier's `verify_init_data()` impl. 
Signed-off-by: Magnus Kulke --- deps/verifier/src/az_snp_vtpm/mod.rs | 100 ++++++++++++++++++++++----- deps/verifier/src/az_tdx_vtpm/mod.rs | 14 ++-- 2 files changed, 90 insertions(+), 24 deletions(-) diff --git a/deps/verifier/src/az_snp_vtpm/mod.rs b/deps/verifier/src/az_snp_vtpm/mod.rs index a1cced4cda..9e54c194b2 100644 --- a/deps/verifier/src/az_snp_vtpm/mod.rs +++ b/deps/verifier/src/az_snp_vtpm/mod.rs @@ -15,7 +15,7 @@ use az_snp_vtpm::hcl::HclReport; use az_snp_vtpm::report::AttestationReport; use az_snp_vtpm::vtpm::Quote; use az_snp_vtpm::vtpm::QuoteError; -use log::{debug, warn}; +use log::debug; use openssl::pkey::PKey; use serde::{Deserialize, Serialize}; use serde_json::Value; @@ -23,6 +23,7 @@ use sev::firmware::host::{CertTableEntry, CertType}; use thiserror::Error; const HCL_VMPL_VALUE: u32 = 0; +const INITDATA_PCR: usize = 8; #[derive(Serialize, Deserialize)] struct Evidence { @@ -63,21 +64,24 @@ impl AzSnpVtpm { } } -pub(crate) fn extend_claim_with_tpm_quote( - claim: &mut TeeEvidenceParsedClaim, - quote: &Quote, -) -> Result<()> { +pub(crate) fn extend_claim(claim: &mut TeeEvidenceParsedClaim, quote: &Quote) -> Result<()> { let Value::Object(ref mut map) = claim else { bail!("failed to extend the claim, not an object"); }; - + let pcrs: Vec<&[u8; 32]> = quote.pcrs_sha256().collect(); let mut tpm_values = serde_json::Map::new(); - for (i, pcr) in quote.pcrs_sha256().enumerate() { + for (i, pcr) in pcrs.iter().enumerate() { tpm_values.insert(format!("pcr{:02}", i), Value::String(hex::encode(pcr))); } - debug!("extending claim with TPM quote: {:#?}", tpm_values); map.insert("tpm".to_string(), Value::Object(tpm_values)); - + map.insert( + "init_data".into(), + Value::String(hex::encode(pcrs[INITDATA_PCR])), + ); + map.insert( + "report_data".into(), + Value::String(hex::encode(quote.nonce()?)), + ); Ok(()) } 
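Review bot: `pcrs[INITDATA_PCR]` in `extend_claim` indexes a vector built from the TPM quote carried in the evidence, so a quote that yields fewer than nine SHA-256 PCRs would panic the verifier instead of returning an error. Whether `pcrs_sha256()` can return a shorter list is not visible in this diff. The same index appears in `verify_init_data` in the `@@ -184,6 +188,26 @@` hunk, which both the SNP and the TDX `evaluate` paths call. A bounds-checked lookup such as `let Some(init_data_pcr) = pcrs.get(INITDATA_PCR) else { bail!("TPM quote has no PCR{INITDATA_PCR}") };` keeps malformed evidence on the error path.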
@@ -90,6 +94,7 @@ impl Verifier for AzSnpVtpm { /// 4. SNP report's report_data field matches hashed HCL variable data /// 5. SNP Report is genuine /// 6. SNP Report has been issued in VMPL 0 + /// 7. Init data hash matches TPM PCR[INITDATA_PCR] async fn evaluate( &self, evidence: &[u8], @@ -100,10 +105,6 @@ impl Verifier for AzSnpVtpm { bail!("unexpected empty report data"); }; - if let InitDataHash::Value(_) = expected_init_data_hash { - warn!("Azure SNP vTPM verifier does not support verify init data hash, will ignore the input `init_data_hash`."); - } - let evidence = serde_json::from_slice::(evidence) .context("Failed to deserialize Azure vTPM SEV-SNP evidence")?; @@ -121,8 +122,11 @@ impl Verifier for AzSnpVtpm { let vcek = Vcek::from_pem(&evidence.vcek)?; verify_snp_report(&snp_report, &vcek, &self.vendor_certs)?; + let pcrs: Vec<&[u8; 32]> = evidence.quote.pcrs_sha256().collect(); + verify_init_data(expected_init_data_hash, &pcrs)?; + let mut claim = parse_tee_evidence(&snp_report); - extend_claim_with_tpm_quote(&mut claim, &evidence.quote)?; + extend_claim(&mut claim, &evidence.quote)?; Ok(claim) } @@ -184,6 +188,26 @@ fn verify_snp_report( Ok(()) } +pub(crate) fn verify_init_data(expected: &InitDataHash, pcrs: &[&[u8; 32]]) -> Result<()> { + let InitDataHash::Value(expected_init_data_hash) = expected else { + debug!("No expected value, skipping init_data verification"); + return Ok(()); + }; + + debug!("Check the binding of PCR{INITDATA_PCR}"); + + // sha256(0x00 * 32 || expected_init_data_hash) + let mut input = [0u8; 64]; + input[32..].copy_from_slice(expected_init_data_hash); + let digest = openssl::sha::sha256(&input); + + let init_data_pcr = pcrs[INITDATA_PCR]; + if &digest != init_data_pcr { + bail!("Expected init_data digest is different from the content of PCR{INITDATA_PCR}"); + } + Ok(()) +} + #[cfg(test)] mod tests { use super::*; 
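Review bot: `input[32..].copy_from_slice(expected_init_data_hash)` in `verify_init_data` panics when the expected hash is not exactly 32 bytes, because `copy_from_slice` requires both slices to have the same length. The tests pass a `[u8; 32]`, but the definition of `InitDataHash::Value` is outside this diff. If it carries a plain byte slice, a SHA-384 or SHA-512 digest supplied by the caller would abort the verifier rather than fail verification. Add a guard before the copy, for example `if expected_init_data_hash.len() != 32 { bail!("init_data hash must be 32 bytes to match the SHA-256 PCR bank"); }`.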
@@ -319,13 +343,50 @@ mod tests { } #[test] - fn test_extend_claim_with_tpm_quote() { + fn test_verify_init_data() { + let quote = QUOTE.clone(); + let quote: Quote = bincode::deserialize("e).unwrap(); + let mut init_data_hash = [0u8; 32]; + hex::decode_to_slice( + "8505e4e25e50a27c5dc8147af88efbece627fbea55291911eff832d9ee127781", + &mut init_data_hash, + ) + .unwrap(); + + // sha256(0x00 * 32 || "8505...") == "bdda..." + let mut digest = [0u8; 32]; + hex::decode_to_slice( + "bddaccb9c52249e97a31baea61b7d91be8221a16e703d92148d04fb8e9c1dfdd", + &mut digest, + ) + .unwrap(); + + let mut pcrs: Vec<&[u8; 32]> = quote.pcrs_sha256().collect(); + pcrs[INITDATA_PCR] = &digest; + + verify_init_data(&InitDataHash::Value(&init_data_hash), &pcrs).unwrap(); + } + + #[test] + fn test_verify_init_data_failure() { + let quote = QUOTE.clone(); + let quote: Quote = bincode::deserialize("e).unwrap(); + let pcrs: Vec<&[u8; 32]> = quote.pcrs_sha256().collect(); + let mut init_data = pcrs[INITDATA_PCR].clone(); + init_data[0] = init_data[0] ^ 1; + let init_data_hash = InitDataHash::Value(&init_data); + + verify_init_data(&init_data_hash, &pcrs).unwrap_err(); + } + + #[test] + fn test_extend_claim() { let mut claim = json!({"some": "thing"}); let quote: Quote = bincode::deserialize(QUOTE).unwrap(); - extend_claim_with_tpm_quote(&mut claim, "e).unwrap(); + extend_claim(&mut claim, "e).unwrap(); let map = claim.as_object().unwrap(); - assert_eq!(map.len(), 2); + assert_eq!(map.len(), 4); let tpm_map = map.get("tpm").unwrap().as_object().unwrap(); assert_eq!(tpm_map.len(), 24); 
@@ -334,5 +395,10 @@ mod tests { let value = tpm_map.get(&key).unwrap().as_str().unwrap(); assert_eq!(value, hex::encode(pcr)); } + let init_data = map.get("init_data").unwrap().as_str().unwrap(); + let pcrs: Vec<&[u8; 32]> = quote.pcrs_sha256().collect(); + assert_eq!(init_data, hex::encode(pcrs[INITDATA_PCR])); + let init_data = map.get("report_data").unwrap().as_str().unwrap(); + assert_eq!(init_data, hex::encode(quote.nonce().unwrap())); } } diff --git a/deps/verifier/src/az_tdx_vtpm/mod.rs b/deps/verifier/src/az_tdx_vtpm/mod.rs index 5ceeb7f90e..da839f8866 100644 --- a/deps/verifier/src/az_tdx_vtpm/mod.rs +++ b/deps/verifier/src/az_tdx_vtpm/mod.rs @@ -3,7 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 // -use super::az_snp_vtpm::extend_claim_with_tpm_quote; +use super::az_snp_vtpm::{extend_claim, verify_init_data}; use super::tdx::claims::generate_parsed_claim; use super::tdx::quote::{ecdsa_quote_verification, parse_tdx_quote, Quote as TdQuote}; use super::{TeeEvidenceParsedClaim, Verifier}; @@ -12,7 +12,7 @@ use anyhow::{bail, Context, Result}; use async_trait::async_trait; use az_tdx_vtpm::hcl::HclReport; use az_tdx_vtpm::vtpm::Quote as TpmQuote; -use log::{debug, warn}; +use log::debug; use openssl::pkey::PKey; use serde::{Deserialize, Serialize}; @@ -34,6 +34,7 @@ impl Verifier for AzTdxVtpm { /// 3. TPM PCRs' digest matches the digest in the Quote /// 4. TD Quote is genuine /// 5. TD Report's report_data field matches hashed HCL variable data + /// 6. Init data hash matches TPM PCR[INITDATA_PCR] async fn evaluate( &self, evidence: &[u8], @@ -44,10 +45,6 @@ impl Verifier for AzTdxVtpm { bail!("unexpected empty report data"); }; - if let InitDataHash::Value(_) = expected_init_data_hash { - warn!("Azure TDX vTPM verifier does not support verify init data hash, will ignore the input `init_data_hash`"); - } - let evidence = serde_json::from_slice::(evidence) .context("Failed to deserialize Azure vTPM TDX evidence")?; 
@@ -63,8 +60,11 @@ impl Verifier for AzTdxVtpm { verify_hcl_var_data(&hcl_report, &td_quote)?; + let pcrs: Vec<&[u8; 32]> = evidence.tpm_quote.pcrs_sha256().collect(); + verify_init_data(expected_init_data_hash, &pcrs)?; + let mut claim = generate_parsed_claim(td_quote, None, None)?; - extend_claim_with_tpm_quote(&mut claim, &evidence.tpm_quote)?; + extend_claim(&mut claim, &evidence.tpm_quote)?; Ok(claim) } From 88cc7dc805bd54b6785edf1b1f1b55b56888423a Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 18 Oct 2024 10:11:57 +0800 Subject: [PATCH 117/298] verifier/tdx: fix TdShimPlatformConfigInfo parse error comparation The original unit tests use anyhow for error handling. The results are unstable because the debug format of the anyhow error might change due to different environments. This patch replace anyhow with thiserror without changing the test aim. This would give a more robust error type defination for comparation. Signed-off-by: Xynnn007 --- deps/verifier/src/tdx/claims.rs | 91 +++++++++++++++++---------------- 1 file changed, 46 insertions(+), 45 deletions(-) diff --git a/deps/verifier/src/tdx/claims.rs b/deps/verifier/src/tdx/claims.rs index 168db155dd..393bf033af 100644 --- a/deps/verifier/src/tdx/claims.rs +++ b/deps/verifier/src/tdx/claims.rs @@ -49,6 +49,7 @@ use anyhow::*; use byteorder::{LittleEndian, ReadBytesExt}; use log::{debug, warn}; use serde_json::{Map, Value}; +use thiserror::Error; use crate::{eventlog::AAEventlog, tdx::quote::QuoteV5Body, TeeEvidenceParsedClaim}; 
@@ -239,8 +240,20 @@ fn parse_ccel(ccel: CcEventLog, ccel_map: &mut Map) -> Result<()> Ok(()) } -const ERR_INVALID_HEADER: &str = "invalid header"; -const ERR_NOT_ENOUGH_DATA: &str = "not enough data after header"; +#[derive(Error, Debug, PartialEq)] +pub enum PlatformConfigInfoError { + #[error("Failed to parse `Descriptor`")] + ParseDescriptor, + + #[error("Failed to parse `InfoLength`")] + ReadInfoLength, + + #[error("invalid header")] + InvalidHeader, + + #[error("not enough data after header")] + NotEnoughData, +} type Descriptor = [u8; 16]; type InfoLength = u32; @@ -254,7 +267,7 @@ pub struct TdShimPlatformConfigInfo<'a> { } impl<'a> TryFrom<&'a [u8]> for TdShimPlatformConfigInfo<'a> { - type Error = anyhow::Error; + type Error = PlatformConfigInfoError; fn try_from(data: &'a [u8]) -> std::result::Result { let descriptor_size = core::mem::size_of::(); @@ -264,21 +277,24 @@ impl<'a> TryFrom<&'a [u8]> for TdShimPlatformConfigInfo<'a> { let header_size = descriptor_size + info_size; if data.len() < header_size { - bail!(ERR_INVALID_HEADER); + return Err(PlatformConfigInfoError::InvalidHeader); } - let descriptor = data[0..descriptor_size].try_into()?; + let descriptor = data[0..descriptor_size] + .try_into() + .map_err(|_| PlatformConfigInfoError::ParseDescriptor)?; - let info_length = (&data[descriptor_size..header_size]).read_u32::()?; + let info_length = (&data[descriptor_size..header_size]) + .read_u32::() + .map_err(|_| PlatformConfigInfoError::ReadInfoLength)?; let total_size = header_size + info_length as usize; let data = data .get(header_size..total_size) - .ok_or(ERR_NOT_ENOUGH_DATA) - .map_err(|e| anyhow!(e))?; + .ok_or(PlatformConfigInfoError::NotEnoughData)?; - Ok(Self { + std::result::Result::Ok(Self { descriptor, info_length, data, 
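Review bot: `let total_size = header_size + info_length as usize;` adds a length read from the parsed buffer without an overflow check. On a target where `usize` is 32 bits the sum can overflow (panic in debug builds, wrap in release) before `data.get(..)` can reject it. `let total_size = header_size.checked_add(info_length as usize).ok_or(PlatformConfigInfoError::NotEnoughData)?;` maps that case onto the new error type. `try_from` begins in the preceding hunk and its tail runs past the end of this one.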
@@ -317,13 +333,12 @@ mod tests { use assert_json_diff::assert_json_eq; use serde_json::{json, to_value, Map, Value}; - use crate::tdx::{eventlog::CcEventLog, quote::parse_tdx_quote}; - - use super::{ - generate_parsed_claim, parse_kernel_parameters, TdShimPlatformConfigInfo, - ERR_INVALID_HEADER, ERR_NOT_ENOUGH_DATA, + use crate::tdx::{ + claims::PlatformConfigInfoError, eventlog::CcEventLog, quote::parse_tdx_quote, }; + use super::{generate_parsed_claim, parse_kernel_parameters, TdShimPlatformConfigInfo}; + use rstest::rstest; // This is used with anyhow!() to create an actual error. However, we 
@@ -528,44 +543,30 @@ mod tests { #[rstest] #[trace] - #[case(b"", Err(anyhow!(ERR_INVALID_HEADER)))] - #[case(b"0123456789ABCDEF", Err(anyhow!(ERR_INVALID_HEADER)))] - #[case(b"0123456789ABCDEF\x00", Err(anyhow!(ERR_INVALID_HEADER)))] - #[case(b"0123456789ABCDEF\x00\x00", Err(anyhow!(ERR_INVALID_HEADER)))] - #[case(b"0123456789ABCDEF\x00\x00\x00", Err(anyhow!(ERR_INVALID_HEADER)))] + #[case(b"", Err(PlatformConfigInfoError::InvalidHeader))] + #[case(b"0123456789ABCDEF", Err(PlatformConfigInfoError::InvalidHeader))] + #[case(b"0123456789ABCDEF\x00", Err(PlatformConfigInfoError::InvalidHeader))] + #[case( + b"0123456789ABCDEF\x00\x00", + Err(PlatformConfigInfoError::InvalidHeader) + )] + #[case( + b"0123456789ABCDEF\x00\x00\x00", + Err(PlatformConfigInfoError::InvalidHeader) + )] #[case(b"0123456789ABCDEF\x00\x00\x00\x00", Ok(TdShimPlatformConfigInfo{descriptor: *b"0123456789ABCDEF", info_length: 0, data: &[]}))] #[case(b"0123456789ABCDEF\x01\x00\x00\x00X", Ok(TdShimPlatformConfigInfo{descriptor: *b"0123456789ABCDEF", info_length: 1, data: b"X"}))] #[case(b"0123456789ABCDEF\x03\x00\x00\x00ABC", Ok(TdShimPlatformConfigInfo{descriptor: *b"0123456789ABCDEF", info_length: 3, data: b"ABC"}))] #[case(b"0123456789ABCDEF\x04\x00\x00\x00;):)", Ok(TdShimPlatformConfigInfo{descriptor: *b"0123456789ABCDEF", info_length: 4, data: b";):)"}))] - #[case(b"0123456789ABCDEF\x01\x00\x00\x00", Err(anyhow!(ERR_NOT_ENOUGH_DATA)))] + #[case( + b"0123456789ABCDEF\x01\x00\x00\x00", + Err(PlatformConfigInfoError::NotEnoughData) + )] fn test_td_shim_platform_config_info_try_from( #[case] data: &[u8], - #[case] result: Result, + #[case] result: std::result::Result, ) { - let msg = format!( - "test: data: {:?}, result: {result:?}", - String::from_utf8_lossy(&data.to_vec()) - ); - let actual_result = TdShimPlatformConfigInfo::try_from(data); - - let msg = format!("{msg}: actual result: {actual_result:?}"); - - if std::env::var("DEBUG").is_ok() { - println!("DEBUG: {msg}"); - } - - if 
result.is_err() { - let expected_result_str = format!("{result:?}"); - let actual_result_str = format!("{actual_result:?}"); - - assert_eq!(expected_result_str, actual_result_str, "{msg}"); - return; - } - - let actual_result = actual_result.unwrap(); - let expected_result = result.unwrap(); - - assert_eq!(expected_result, actual_result, "{msg}"); + assert_eq!(actual_result, result); } } From ef986eb5967f3705582a47f7ad2fb22e2e3d9581 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 01:46:31 +0000 Subject: [PATCH 118/298] build(deps): bump thiserror from 1.0.59 to 1.0.64 Bumps [thiserror](https://github.com/dtolnay/thiserror) from 1.0.59 to 1.0.64. - [Release notes](https://github.com/dtolnay/thiserror/releases) - [Commits](https://github.com/dtolnay/thiserror/compare/1.0.59...1.0.64) --- updated-dependencies: - dependency-name: thiserror dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index af34bfd855..6b43829fb2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5278,18 +5278,18 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.59" +version = "1.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0126ad08bff79f29fc3ae6a55cc72352056dfff61e3ff8bb7129476d44b23aa" +checksum = "d50af8abc119fb8bb6dbabcfa89656f46f84aa0ac7688088608076ad2b459a84" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.59" +version = "1.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1cd413b5d558b4c5bf3680e324a6fa5014e7b7c067a51e69dbdf47eb7148b66" +checksum = "08904e7672f5eb876eaaf87e0ce17857500934f4981c4a0ab2b4aa98baac7fc3" dependencies = [ "proc-macro2", "quote", 
From c3012395e22c048f13cb04629a0b94561de6e5c8 Mon Sep 17 00:00:00 2001 From: ssolit Date: Wed, 16 Oct 2024 19:39:27 +0000 Subject: [PATCH 119/298] derive debug for data and enums Signed-off-by: ssolit --- attestation-service/src/lib.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index d2f44ccb2a..207bf25ff8 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs @@ -30,7 +30,7 @@ use verifier::{InitDataHash, ReportData}; use crate::utils::flatten_claims; /// Hash algorithms used to calculate runtime/init data binding -#[derive(Display, EnumString, AsRefStr)] +#[derive(Debug, Display, EnumString, AsRefStr)] pub enum HashAlgorithm { #[strum(ascii_case_insensitive)] Sha256, @@ -66,6 +66,7 @@ impl HashAlgorithm { /// Runtime/Init Data used to check the binding relationship with report data /// in Evidence +#[derive(Debug)] pub enum Data { /// This will be used as the expected runtime/init data to check against /// the one inside evidence. From caec790daaa14c36b0e39649f14934198526f9e1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Oct 2024 01:11:01 +0000 Subject: [PATCH 120/298] build(deps): bump enumflags2 from 0.7.9 to 0.7.10 Bumps [enumflags2](https://github.com/meithecatte/enumflags2) from 0.7.9 to 0.7.10. - [Release notes](https://github.com/meithecatte/enumflags2/releases) - [Commits](https://github.com/meithecatte/enumflags2/compare/v0.7.9...v0.7.10) --- updated-dependencies: - dependency-name: enumflags2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6b43829fb2..cd428403aa 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1671,18 +1671,18 @@ dependencies = [ [[package]] name = "enumflags2" -version = "0.7.9" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3278c9d5fb675e0a51dabcf4c0d355f692b064171535ba72361be1528a9d8e8d" +checksum = "d232db7f5956f3f14313dc2f87985c58bd2c695ce124c8cdd984e08e15ac133d" dependencies = [ "enumflags2_derive", ] [[package]] name = "enumflags2_derive" -version = "0.7.9" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c785274071b1b420972453b306eeca06acf4633829db4223b58a2a8c5953bc4" +checksum = "de0d48a183585823424a4ce1aa132d174a6a81bd540895822eb4c8373a8e49e8" dependencies = [ "proc-macro2", "quote", From 55d85875e5eb644a25967ccdafc8c3023f7b0a2f Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 9 Oct 2024 12:08:31 +0800 Subject: [PATCH 121/298] KBS: combine CoCo Token and Jwk Token verifier Actually, the ITA token and CoCo Token are both JWTs. They both need a JWK to verify the JWT. The difference is the way to gather the JWK. This commit combined the two logic, and add two ways to get the JWK. 1. From the configured JwkSet when launching KBS 2. From the JWT's Header's jwk field. The two ways will check the jwk endorsement in different ways. The first way is to configure the trusted JwkSet from the config. The second way is to configure the trusted CA in config. Then get the public key cert chain from Jwk's x5c field. The both ways are also supported in this patch. Rust does not provide a mature crate to verify cert chain, thus openssl is used in this patch. We also abondon rustls and openssl feature of KBS because openssl is by default used. Then we use openssl by default to make the code base simpler. 
Signed-off-by: Xynnn007 --- Cargo.lock | 101 ++------ kbs/Cargo.toml | 16 +- .../attestation/intel_trust_authority/mod.rs | 16 +- kbs/src/http/mod.rs | 2 - kbs/src/http/resource.rs | 31 +-- kbs/src/lib.rs | 58 +---- kbs/src/token/coco.rs | 216 ------------------ kbs/src/token/error.rs | 30 +++ kbs/src/token/jwk.rs | 139 +++++++++-- kbs/src/token/mod.rs | 110 ++++++--- 10 files changed, 261 insertions(+), 458 deletions(-) delete mode 100644 kbs/src/token/coco.rs create mode 100644 kbs/src/token/error.rs diff --git a/Cargo.lock b/Cargo.lock index cd428403aa..e8451c9f01 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -135,10 +135,8 @@ dependencies = [ "pin-project-lite", "tokio", "tokio-openssl", - "tokio-rustls 0.23.4", "tokio-util", "tracing", - "webpki-roots 0.22.6", ] [[package]] @@ -2580,7 +2578,7 @@ dependencies = [ "base64 0.21.7", "js-sys", "pem", - "ring 0.17.8", + "ring", "serde", "serde_json", "simple_asn1", @@ -2682,8 +2680,6 @@ dependencies = [ "reqwest 0.12.8", "rsa 0.9.6", "rstest", - "rustls 0.20.9", - "rustls-pemfile 1.0.4", "scc", "semver", "serde", @@ -2768,7 +2764,7 @@ dependencies = [ "rand", "reqwest 0.12.8", "resource_uri", - "ring 0.17.8", + "ring", "serde", "serde_json", "sha2", @@ -2794,7 +2790,7 @@ version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" dependencies = [ - "spin 0.9.8", + "spin", ] [[package]] @@ -3938,7 +3934,7 @@ checksum = "fadfaed2cd7f389d0161bb73eeb07b7b78f8691047a6f3e73caaeae55310a4a6" dependencies = [ "bytes", "rand", - "ring 0.17.8", + "ring", "rustc-hash 2.0.0", "rustls 0.23.7", "slab", 
@@ -4244,21 +4240,6 @@ dependencies = [ "subtle", ] -[[package]] -name = "ring" -version = "0.16.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" -dependencies = [ - "cc", - "libc", - "once_cell", - "spin 0.5.2", - "untrusted 0.7.1", - "web-sys", - "winapi", -] - [[package]] name = "ring" version = "0.17.8" @@ -4269,8 +4250,8 @@ dependencies = [ "cfg-if", "getrandom", "libc", - "spin 0.9.8", - "untrusted 0.9.0", + "spin", + "untrusted", "windows-sys 0.52.0", ] @@ -4415,18 +4396,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "rustls" -version = "0.20.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b80e3dec595989ea8510028f30c408a4630db12c9cbb8de34203b89d6577e99" -dependencies = [ - "log", - "ring 0.16.20", - "sct", - "webpki", -] - [[package]] name = "rustls" version = "0.21.12" @@ -4434,7 +4403,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" dependencies = [ "log", - "ring 0.17.8", + "ring", "rustls-webpki 0.101.7", "sct", ] @@ -4447,7 +4416,7 @@ checksum = "ebbbdb961df0ad3f2652da8f3fdc4b36122f568f968f45ad3316f26c025c677b" dependencies = [ "log", "once_cell", - "ring 0.17.8", + "ring", "rustls-pki-types", "rustls-webpki 0.102.3", "subtle", @@ -4485,8 +4454,8 @@ version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "ring 0.17.8", - "untrusted 0.9.0", + "ring", + "untrusted", ] [[package]] @@ -4495,9 +4464,9 @@ version = "0.102.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f3bce581c0dd41bce533ce695a1437fa16a7ab5ac3ccfa99fe1a620a7885eabf" dependencies = [ - "ring 0.17.8", + "ring", "rustls-pki-types", - "untrusted 0.9.0", + "untrusted", ] [[package]] 
@@ -4643,8 +4612,8 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "ring 0.17.8", - "untrusted 0.9.0", + "ring", + "untrusted", ] [[package]] @@ -5019,12 +4988,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "spin" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" - [[package]] name = "spin" version = "0.9.8" @@ -5415,17 +5378,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "tokio-rustls" -version = "0.23.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59" -dependencies = [ - "rustls 0.20.9", - "tokio", - "webpki", -] - [[package]] name = "tokio-rustls" version = "0.24.1" @@ -5820,12 +5772,6 @@ dependencies = [ "subtle", ] -[[package]] -name = "untrusted" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" - [[package]] name = "untrusted" version = "0.9.0" @@ -6070,25 +6016,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.22.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53" -dependencies = [ - "ring 0.17.8", - "untrusted 0.9.0", -] - -[[package]] -name = "webpki-roots" -version = "0.22.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87" -dependencies = [ - "webpki", -] - [[package]] name = "webpki-roots" version = "0.25.4" diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index fc0ae81091..6ff78dd421 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml 
@@ -7,10 +7,10 @@ documentation.workspace = true edition.workspace = true [features] -default = ["coco-as-builtin", "resource", "opa", "rustls"] +default = ["coco-as-builtin", "resource", "opa"] # Feature that allows to access resources from KBS -resource = ["rsa", "dep:openssl", "reqwest", "aes-gcm", "jsonwebtoken"] +resource = ["rsa", "reqwest", "aes-gcm", "jsonwebtoken"] # Support a backend attestation service for KBS as = [] @@ -36,17 +36,11 @@ coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"] # Use Intel TA as backend attestation service intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"] -# Use pure rust crypto stack for KBS -rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"] - -# Use openssl crypto stack for KBS -openssl = ["actix-web/openssl", "dep:openssl"] - # Use aliyun KMS as KBS backend aliyun = ["kms/aliyun"] [dependencies] -actix-web.workspace = true +actix-web = { workspace = true, features = ["openssl"] } actix-web-httpauth.workspace = true aes-gcm = { version = "0.10.1", optional = true } anyhow.workspace = true @@ -69,8 +63,6 @@ rand = "0.8.5" regorus.workspace = true reqwest = { workspace = true, features = ["json"], optional = true } rsa = { version = "0.9.2", optional = true, features = ["sha2"] } -rustls = { version = "0.20.8", optional = true } -rustls-pemfile = { version = "1.0.4", optional = true } scc = "2" semver = "1.0.16" serde = { workspace = true, features = ["derive"] } @@ -81,7 +73,7 @@ time = { version = "0.3.23", features = ["std"] } tokio.workspace = true tonic = { workspace = true, optional = true } uuid = { version = "1.2.2", features = ["serde", "v4"] } -openssl = { version = "0.10.46", optional = true } +openssl = "0.10.55" az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true } [dev-dependencies] diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 9f5ae4c4cf..7986fd4ec8 100644 
--- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -4,10 +4,7 @@ use super::Attest; use crate::attestation::{generic_generate_challenge, make_nonce}; -use crate::token::{ - jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig, - AttestationTokenVerifierType, -}; +use crate::token::{jwk::JwkAttestationTokenVerifier, AttestationTokenVerifierConfig}; use anyhow::*; use async_trait::async_trait; use az_cvm_vtpm::hcl::HclReport; @@ -16,8 +13,7 @@ use kbs_types::Challenge; use kbs_types::{Attestation, Tee}; use reqwest::header::{ACCEPT, CONTENT_TYPE, USER_AGENT}; use serde::{Deserialize, Serialize}; -use serde_json::from_value; -use serde_json::json; +use serde_json::{from_value, json}; use strum::{AsRefStr, Display, EnumString}; const SUPPORTED_HASH_ALGORITHMS_JSON_KEY: &str = "supported-hash-algorithms"; @@ -190,7 +186,7 @@ impl Attest for IntelTrustAuthority { .await .context("Failed to verify attestation token")?; - let claims = serde_json::from_str::(&token) + let claims = serde_json::from_value::(token) .context("Failed to deserialize attestation token claims")?; // check unmatched policy @@ -287,8 +283,10 @@ impl Attest for IntelTrustAuthority { impl IntelTrustAuthority { pub async fn new(config: IntelTrustAuthorityConfig) -> Result { let token_verifier = JwkAttestationTokenVerifier::new(&AttestationTokenVerifierConfig { - attestation_token_type: AttestationTokenVerifierType::Jwk, - trusted_certs_paths: vec![config.certs_file.clone()], + extra_teekey_paths: vec![], + trusted_certs_paths: vec![], + trusted_jwk_sets: vec![config.certs_file.clone()], + insecure_key: true, }) .await .context("Failed to initialize token verifier")?; diff --git a/kbs/src/http/mod.rs b/kbs/src/http/mod.rs index 426653a398..4d4c443236 100644 --- a/kbs/src/http/mod.rs +++ b/kbs/src/http/mod.rs 
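Review bot: `insecure_key: true` in `IntelTrustAuthority::new` looks like it defeats the pin set by `trusted_jwk_sets: vec![config.certs_file.clone()]` on the line above. In the `jwk.rs` part of this patch, `get_verification_jwk` returns the key from the token's own `jwk` header as soon as `insecure_key` is set, before the trusted JWK set is consulted. A token that carries its own key would therefore be checked against that key rather than against the keys loaded from `config.certs_file`. Unless that is intended for Intel Trust Authority tokens, set `insecure_key: false,` here; with `trusted_certs_paths` empty, a header-supplied key is then rejected with "Cannot verify token since trusted cert is empty", and other tokens presumably resolve through the configured set (the rest of that function is not visible). The body of `new` continues outside this hunk.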
@@ -11,8 +11,6 @@ use crate::policy_engine::PolicyEngine; use crate::resource::{set_secret_resource, Repository, ResourceDesc}; #[cfg(feature = "as")] use crate::session::{SessionMap, KBS_SESSION_ID}; -#[cfg(feature = "resource")] -use crate::token::AttestationTokenVerifier; use actix_web::Responder; use actix_web::{body::BoxBody, web, HttpRequest, HttpResponse}; use jwt_simple::prelude::Ed25519PublicKey; diff --git a/kbs/src/http/resource.rs b/kbs/src/http/resource.rs index abf8aed54d..ee5e6e66bf 100644 --- a/kbs/src/http/resource.rs +++ b/kbs/src/http/resource.rs @@ -15,15 +15,10 @@ use rsa::{BigUint, Pkcs1v15Encrypt, RsaPublicKey}; use serde::Deserialize; use serde_json::{json, Deserializer, Value}; -use crate::raise_error; +use crate::{raise_error, token::TokenVerifier}; use super::*; -#[cfg(feature = "as")] -const TOKEN_TEE_PUBKEY_PATH: &str = AS_TOKEN_TEE_PUBKEY_PATH; -#[cfg(not(feature = "as"))] -const TOKEN_TEE_PUBKEY_PATH: &str = "/customized_claims/runtime_data/tee-pubkey"; - #[allow(unused_assignments)] /// GET /resource/{repository}/{type}/{tag} /// GET /resource/{type}/{tag} @@ -31,7 +26,7 @@ pub(crate) async fn get_resource( request: HttpRequest, repository: web::Data>>, #[cfg(feature = "as")] map: web::Data, - token_verifier: web::Data>>, + token_verifier: web::Data, #[cfg(feature = "policy")] policy_engine: web::Data, ) -> Result { #[allow(unused_mut)] 
@@ -45,20 +40,16 @@ pub(crate) async fn get_resource( c } else { debug!("Get pkey from auth header"); - get_attest_claims_from_header(&request, token_verifier).await? + get_attest_claims_from_header(&request, &token_verifier).await? }; let claims: Value = serde_json::from_str(&claims_str).map_err(|e| { Error::AttestationClaimsParseFailed(format!("illegal attestation claims: {e}")) })?; - let pkey_value = - claims - .pointer(TOKEN_TEE_PUBKEY_PATH) - .ok_or(Error::AttestationClaimsParseFailed(String::from( - "Failed to find `tee-pubkey` in the attestation claims", - )))?; - let pubkey = TeePubKey::deserialize(pkey_value).map_err(|e| { - Error::AttestationClaimsParseFailed(format!("illegal attestation claims: {e}")) + let pubkey = token_verifier.extract_tee_public_key(claims).map_err(|e| { + Error::AttestationClaimsParseFailed(format!( + "Failed to extract public key in attestation claims: {e:?}" + )) })?; let resource_description = ResourceDesc { @@ -168,7 +159,7 @@ async fn get_attest_claims_from_session( async fn get_attest_claims_from_header( request: &HttpRequest, - token_verifier: web::Data>>, + token_verifier: &web::Data, ) -> Result { let bearer = Authorization::::parse(request) .map_err(|e| Error::InvalidRequest(format!("parse Authorization header failed: {e}")))? @@ -177,11 +168,11 @@ async fn get_attest_claims_from_header( let token = bearer.token().to_string(); let claims = token_verifier - .read() - .await .verify(token) .await - .map_err(|e| Error::TokenParseFailed(format!("verify token failed: {e}")))?; + .map_err(|e| Error::TokenParseFailed(format!("verify token failed: {e:?}")))?; + let claims = serde_json::to_string(&claims) + .map_err(|_| Error::TokenParseFailed("failed to serialize claims".into()))?; Ok(claims) } diff --git a/kbs/src/lib.rs b/kbs/src/lib.rs index b46abf82f2..1bc7ed052b 100644 --- a/kbs/src/lib.rs +++ b/kbs/src/lib.rs 
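Review bot: The new error strings in `get_resource` (`"Failed to extract public key in attestation claims: {e:?}"`) and in `get_attest_claims_from_header` (`"verify token failed: {e:?}"`) switch to debug formatting. The token error type added in this patch wraps an `anyhow::Error` source, so the debug form prints the whole cause chain. Whether these `Error` values are rendered into the HTTP response is not visible here; if they are, a caller presenting an arbitrary bearer token gets internal verification detail back. I would log the debug form and keep the returned text short, e.g. `Error::TokenParseFailed(format!("verify token failed: {e}"))`. Both functions start or end outside their hunks.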
@@ -22,6 +22,7 @@ use anyhow::{anyhow, bail, Context, Result}; #[cfg(feature = "as")] use attestation::AttestationService; use jwt_simple::prelude::Ed25519PublicKey; +use openssl::ssl::SslAcceptorBuilder; #[cfg(feature = "resource")] use resource::RepositoryConfig; #[cfg(feature = "as")] @@ -30,12 +31,6 @@ use std::{net::SocketAddr, path::PathBuf}; #[cfg(feature = "resource")] use token::AttestationTokenVerifierConfig; -#[cfg(feature = "rustls")] -use rustls::ServerConfig; - -#[cfg(feature = "openssl")] -use openssl::ssl::SslAcceptorBuilder; - #[cfg(feature = "as")] use crate::session::SessionMap; @@ -148,45 +143,6 @@ impl ApiServer { }) } - #[cfg(feature = "rustls")] - fn tls_config(&self) -> Result { - use rustls::{Certificate, PrivateKey}; - use rustls_pemfile::{certs, read_one, Item}; - use std::fs::File; - use std::io::BufReader; - - let cert_file = &mut BufReader::new(File::open( - self.certificate - .clone() - .ok_or_else(|| anyhow!("Missing certificate"))?, - )?); - - let key_file = &mut BufReader::new(File::open( - self.private_key - .clone() - .ok_or_else(|| anyhow!("Missing private key"))?, - )?); - - let cert_chain = certs(cert_file)? - .iter() - .map(|c| Certificate(c.clone())) - .collect(); - - let key = match read_one(key_file)? { - Some(Item::RSAKey(key)) | Some(Item::PKCS8Key(key)) | Some(Item::ECKey(key)) => { - Ok(PrivateKey(key)) - } - None | Some(_) => Err(anyhow!("Invalid private key file")), - }?; - - ServerConfig::builder() - .with_safe_defaults() - .with_no_client_auth() - .with_single_cert(cert_chain, key) - .map_err(anyhow::Error::from) - } - - #[cfg(feature = "openssl")] fn tls_config(&self) -> Result { use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod}; 
@@ -240,7 +196,7 @@ impl ApiServer { #[cfg(feature = "resource")] let token_verifier = - crate::token::create_token_verifier(self.attestation_token_config.clone()).await?; + crate::token::TokenVerifier::from_config(self.attestation_token_config.clone()).await?; #[cfg(feature = "policy")] let policy_engine = PolicyEngine::new(&self.policy_engine_config).await?; @@ -306,15 +262,7 @@ impl ApiServer { }); if !self.insecure { - let tls_server = { - cfg_if::cfg_if! { - if #[cfg(feature = "openssl")] { - http_server.bind_openssl(&self.sockets[..], self.tls_config()?)? - } else { - http_server.bind_rustls(&self.sockets[..], self.tls_config()?)? - } - } - }; + let tls_server = http_server.bind_openssl(&self.sockets[..], self.tls_config()?)?; tls_server.run().await.map_err(anyhow::Error::from) } else { diff --git a/kbs/src/token/coco.rs b/kbs/src/token/coco.rs deleted file mode 100644 index 76e40be0c8..0000000000 --- a/kbs/src/token/coco.rs +++ /dev/null 
@@ -1,216 +0,0 @@ -// Copyright (c) 2023 by Alibaba. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -use crate::token::{AttestationTokenVerifier, AttestationTokenVerifierConfig}; -use anyhow::*; -use async_trait::async_trait; -use base64::engine::general_purpose::URL_SAFE_NO_PAD; -use base64::Engine; -use log::warn; -use openssl::hash::MessageDigest; -use openssl::pkey::PKey; -use openssl::rsa::Rsa; -use openssl::sign::Verifier; -use openssl::stack::Stack; -use openssl::x509::store::{X509Store, X509StoreBuilder}; -use openssl::x509::{X509StoreContext, X509}; -use serde_json::Value; - -pub struct CoCoAttestationTokenVerifier { - trusted_certs: X509Store, -} - -impl CoCoAttestationTokenVerifier { - pub fn new(config: &AttestationTokenVerifierConfig) -> Result { - let mut store_builder = X509StoreBuilder::new()?; - - // check all files in trusted_certs_paths but don't exit (only warn). - // the result can be an empty trust store. 
- for path in &config.trusted_certs_paths { - std::fs::read(path).map_or_else( - |e| warn!("Failed to read trusted certificate: {e}"), - |pem| { - let _ = X509::from_pem(&pem) - .and_then(|certs| store_builder.add_cert(certs.to_owned())) - .map_err(|e| warn!("Failed to add certificate to trust store: {e}")); - }, - ); - } - - Ok(Self { - trusted_certs: store_builder.build(), - }) - } -} - -#[async_trait] -impl AttestationTokenVerifier for CoCoAttestationTokenVerifier { - async fn verify(&self, token: String) -> Result { - let split_token: Vec<&str> = token.split('.').collect(); - if !split_token.len() == 3 { - bail!("Illegal JWT format") - } - - let header = URL_SAFE_NO_PAD.decode(split_token[0])?; - let claims = URL_SAFE_NO_PAD.decode(split_token[1])?; - let signature = URL_SAFE_NO_PAD.decode(split_token[2])?; - - let header_value = serde_json::from_slice::(&header)?; - let claims_value = serde_json::from_slice::(&claims)?; - - let now = time::OffsetDateTime::now_utc().unix_timestamp(); - let Some(exp) = claims_value["exp"].as_i64() else { - bail!("token expiration unset"); - }; - if exp < now { - bail!("token expired"); - } - if let Some(nbf) = claims_value["nbf"].as_i64() { - if nbf > now { - bail!("before validity"); - } - } - - let jwk_value = claims_value["jwk"].as_object().ok_or_else(|| anyhow!("CoCo Attestation Token Claims must contain public key (JWK format) to verify signature"))?; - let jwk = serde_json::to_string(&jwk_value)?; - let rsa_jwk = serde_json::from_str::(&jwk)?; - let payload = format!("{}.{}", &split_token[0], &split_token[1]) - .as_bytes() - .to_vec(); - - match header_value["alg"].as_str() { - Some("RS384") => { - if rsa_jwk.alg != *"RS384" { - bail!("Unmatched RSA JWK alg"); - } - rs384_verify(&payload, &signature, &rsa_jwk)?; - } - None => { - bail!("Miss `alg` in JWT header") - } - _ => { - bail!("Unsupported JWT algrithm") - } - } - - if self.trusted_certs.all_certificates().is_empty() { - warn!("No Trusted Certificate in Config, skip 
verification of JWK cert of Attestation Token"); - return Ok(serde_json::to_string(&claims_value)?); - }; - - let mut cert_chain: Vec = vec![]; - - // Get certificate chain from 'x5c' or 'x5u' in JWK. - if let Some(x5c) = rsa_jwk.x5c { - for base64_der_cert in x5c { - let der_cert = URL_SAFE_NO_PAD.decode(base64_der_cert)?; - let cert = X509::from_der(&der_cert)?; - cert_chain.push(cert) - } - } else if let Some(x5u) = rsa_jwk.x5u { - download_cert_chain(x5u, &mut cert_chain).await?; - } else { - bail!("Missing certificate in Attestation Token JWK"); - } - - // Check certificate is valid and trustworthy - let mut untrusted_stack = Stack::::new()?; - for cert in cert_chain.iter().skip(1) { - untrusted_stack.push(cert.clone())?; - } - let mut context = X509StoreContext::new()?; - if !context.init( - &self.trusted_certs, - &cert_chain[0], - &untrusted_stack, - |ctx| ctx.verify_cert(), - )? { - bail!("Untrusted certificate in Attestation Token JWK"); - }; - - // Check the public key in JWK is consistent with the public key in certificate - let n = openssl::bn::BigNum::from_slice(&URL_SAFE_NO_PAD.decode(&rsa_jwk.n)?)?; - let e = openssl::bn::BigNum::from_slice(&URL_SAFE_NO_PAD.decode(&rsa_jwk.e)?)?; - let rsa_public_key = Rsa::from_public_components(n, e)?; - let rsa_pkey = PKey::from_rsa(rsa_public_key)?; - let cert_pub_key = cert_chain[0].public_key()?; - if !cert_pub_key.public_eq(&rsa_pkey) { - bail!("Certificate Public Key Mismatched in Attestation Token"); - } - - Ok(serde_json::to_string(&claims_value)?) 
- } -} - -#[allow(dead_code)] -#[derive(serde::Deserialize, Clone, Debug)] -struct RsaJWK { - kty: String, - alg: String, - n: String, - e: String, - x5u: Option, - x5c: Option>, -} - -fn rs384_verify(payload: &[u8], signature: &[u8], jwk: &RsaJWK) -> Result<()> { - let n = openssl::bn::BigNum::from_slice(&URL_SAFE_NO_PAD.decode(&jwk.n)?)?; - let e = openssl::bn::BigNum::from_slice(&URL_SAFE_NO_PAD.decode(&jwk.e)?)?; - let rsa_public_key = Rsa::from_public_components(n, e)?; - let rsa_pkey = PKey::from_rsa(rsa_public_key)?; - - let mut verifier = Verifier::new(MessageDigest::sha384(), &rsa_pkey)?; - verifier.update(payload)?; - - if !verifier.verify(signature)? { - bail!("RS384 verify failed") - } - - Ok(()) -} - -async fn download_cert_chain(url: String, chain: &mut Vec) -> Result<()> { - let res = reqwest::get(url).await?; - match res.status() { - reqwest::StatusCode::OK => { - let pem_cert_chain = res.text().await?; - parse_pem_cert_chain(pem_cert_chain, chain)?; - } - _ => { - bail!( - "Request x5u in Attestation Token JWK Failed, Response: {:?}", - res.text().await? - ); - } - } - - Ok(()) -} - -fn parse_pem_cert_chain(pem_cert_chain: String, chain: &mut Vec) -> Result<()> { - for pem in pem_cert_chain.split("-----END CERTIFICATE-----") { - let trimmed = format!("{}\n-----END CERTIFICATE-----", pem.trim()); - if !trimmed.starts_with("-----BEGIN CERTIFICATE-----") { - continue; - } - let cert = X509::from_pem(trimmed.as_bytes()) - .map_err(|_| anyhow!("Invalid PEM certificate chain"))?; - chain.push(cert); - } - - Ok(()) -} - -#[allow(unused_imports)] -mod test { - use super::*; - - #[test] - fn test_parse_pem_cert_chain() { - let pem_cert_chain = std::fs::read_to_string("test/data/test_cert_chain.pem").unwrap(); - let mut chain: Vec = Vec::new(); - assert!(parse_pem_cert_chain(pem_cert_chain, &mut chain).is_ok()); - assert_eq!(chain.len(), 2); - } -} diff --git a/kbs/src/token/error.rs b/kbs/src/token/error.rs new file mode 100644 index 0000000000..835de1e90c 
--- /dev/null +++ b/kbs/src/token/error.rs @@ -0,0 +1,30 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use log::error; +use strum::AsRefStr; +use thiserror::Error; + +pub type Result = std::result::Result; + +#[derive(Error, AsRefStr, Debug)] +pub enum Error { + #[error("Failed to verify Attestation Token")] + TokenVerificationFailed { + #[source] + source: anyhow::Error, + }, + + #[error("Failed to initialize Token Verifier")] + TokenVerifierInitialization { + #[source] + source: anyhow::Error, + }, + + #[error("Tee public key is not found inside the claims of token")] + NoTeePubKeyClaimFound, + + #[error("Failed to parse Tee public key")] + TeePubKeyParseFailed, +} diff --git a/kbs/src/token/jwk.rs b/kbs/src/token/jwk.rs index 2bb29eec6d..b51b7c9a1c 100644 --- a/kbs/src/token/jwk.rs +++ b/kbs/src/token/jwk.rs @@ -2,10 +2,18 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use crate::token::{AttestationTokenVerifier, AttestationTokenVerifierConfig}; -use anyhow::*; -use async_trait::async_trait; -use jsonwebtoken::{decode, decode_header, jwk, Algorithm, DecodingKey, Validation}; +use crate::token::AttestationTokenVerifierConfig; +use anyhow::{anyhow, bail, Context}; +use base64::engine::general_purpose::URL_SAFE_NO_PAD; +use base64::Engine; +use jsonwebtoken::jwk::{AlgorithmParameters, Jwk}; +use jsonwebtoken::{decode, decode_header, jwk, Algorithm, DecodingKey, Header, Validation}; +use openssl::bn::BigNum; +use openssl::pkey::PKey; +use openssl::stack::Stack; +use openssl::x509::store::X509StoreBuilder; +use openssl::x509::X509StoreContext; +use openssl::{rsa::Rsa, x509::X509}; use reqwest::{get, Url}; use serde::Deserialize; use serde_json::Value; 
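Review bot: `use log::error;` in the new `kbs/src/token/error.rs` is not used anywhere in the 30 added lines and will raise an unused-import warning; drop it. The public `Error` variants also have no doc comments. A one-line comment on each would help callers map them to a response, for example `/// Verification of an attestation token failed; the cause is carried in `source`.` on `TokenVerificationFailed`.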
@@ -14,6 +22,7 @@ use std::io::BufReader; use std::result::Result::Ok; use std::str::FromStr; use thiserror::Error; +use tokio::fs; const OPENID_CONFIG_URL_SUFFIX: &str = ".well-known/openid-configuration"; @@ -32,11 +41,14 @@ struct OpenIDConfig { jwks_uri: String, } +#[derive(Clone)] pub struct JwkAttestationTokenVerifier { - trusted_certs: jwk::JwkSet, + trusted_jwk_sets: jwk::JwkSet, + trusted_certs: Vec, + insecure_key: bool, } -pub async fn get_jwks_from_file_or_url(p: &str) -> Result { +async fn get_jwks_from_file_or_url(p: &str) -> Result { let mut url = Url::parse(p).map_err(|e| JwksGetError::InvalidSourcePath(e.to_string()))?; match url.scheme() { "https" => { 
@@ -73,37 +85,122 @@ pub async fn get_jwks_from_file_or_url(p: &str) -> Result Result { - let mut trusted_certs = jwk::JwkSet { keys: Vec::new() }; + pub async fn new(config: &AttestationTokenVerifierConfig) -> anyhow::Result { + let mut trusted_jwk_sets = jwk::JwkSet { keys: Vec::new() }; - for path in config.trusted_certs_paths.iter() { + for path in config.trusted_jwk_sets.iter() { match get_jwks_from_file_or_url(path).await { - Ok(mut jwkset) => trusted_certs.keys.append(&mut jwkset.keys), + Ok(mut jwkset) => trusted_jwk_sets.keys.append(&mut jwkset.keys), Err(e) => log::warn!("error getting JWKS: {:?}", e), } } - Ok(Self { trusted_certs }) + let mut trusted_certs = Vec::new(); + for path in &config.trusted_certs_paths { + let cert_content = fs::read(path).await.map_err(|_| { + JwksGetError::AccessFailed(format!("failed to read certificate {path}")) + })?; + let cert = X509::from_pem(&cert_content)?; + trusted_certs.push(cert); + } + + Ok(Self { + trusted_jwk_sets, + trusted_certs, + insecure_key: config.insecure_key, + }) } -} -#[async_trait] -impl AttestationTokenVerifier for JwkAttestationTokenVerifier { - async fn verify(&self, token: String) -> Result { - if self.trusted_certs.keys.is_empty() { + fn verify_jwk_endorsement(&self, key: &Jwk) -> anyhow::Result<()> { + let AlgorithmParameters::RSA(rsa) = &key.algorithm else { + bail!("Only supports RSA JWK now"); + }; + + let n = URL_SAFE_NO_PAD + .decode(&rsa.n) + .context("decode RSA public key parameter n")?; + let n = BigNum::from_slice(&n)?; + let e = URL_SAFE_NO_PAD + .decode(&rsa.e) + .context("decode RSA public key parameter e")?; + let e = BigNum::from_slice(&e)?; + + let public_key = Rsa::from_public_components(n, e)?; + let public_key = PKey::from_rsa(public_key)?; + + let Some(x5c) = &key.common.x509_chain else { + bail!("No x5c extension inside JWK. Malwared public key.") + }; + + if x5c.is_empty() { + bail!("No x5c extension inside JWK. 
Malwared public key.") + } + + let pem = x5c[0].split('\n').collect::(); + let der = URL_SAFE_NO_PAD.decode(pem).context("Illegal x5c cert")?; + + let leaf_cert = X509::from_der(&der).context("malwared x509 in x5c")?; + // verify the public key matches the leaf cert + if !public_key.public_eq(leaf_cert.public_key()?.as_ref()) { + bail!("jwk does not match x5c"); + }; + + let mut cert_chain = Stack::new()?; + for cert in &x5c[1..] { + let pem = cert.split('\n').collect::(); + let der = URL_SAFE_NO_PAD.decode(&pem).context("Illegal x5c cert")?; + + let cert = X509::from_der(&der).context("malwared x509 in x5c")?; + cert_chain.push(cert)?; + } + + let mut trust_store_builder = X509StoreBuilder::new()?; + for cert in &self.trusted_certs { + trust_store_builder.add_cert(cert.clone())?; + } + let trust_store = trust_store_builder.build(); + + // verify the cert chain + let mut ctx = X509StoreContext::new()?; + if !ctx.init(&trust_store, &leaf_cert, &cert_chain, |c| c.verify_cert())? { + bail!("The JWK is malwared because no trust anchor can verify it."); + } + Ok(()) + } + + fn get_verification_jwk<'a>(&'a self, header: &'a Header) -> anyhow::Result<&'a Jwk> { + if let Some(key) = &header.jwk { + if self.insecure_key { + return Ok(key); + } + if self.trusted_certs.is_empty() { + bail!("Cannot verify token since trusted cert is empty"); + }; + self.verify_jwk_endorsement(key)?; + return Ok(key); + } + + if self.trusted_jwk_sets.keys.is_empty() { bail!("Cannot verify token since trusted JWK Set is empty"); }; - let kid = decode_header(&token) - .context("Failed to decode attestation token header")? 
+ let kid = header .kid + .as_ref() .ok_or(anyhow!("Failed to decode kid in the token header"))?; let key = &self - .trusted_certs - .find(&kid) + .trusted_jwk_sets + .find(kid) .ok_or(anyhow!("Failed to find Jwk with kid {kid} in JwkSet"))?; + Ok(key) + } + + pub async fn verify(&self, token: String) -> anyhow::Result { + let header = decode_header(&token).context("Failed to decode attestation token header")?; + + let key = self.get_verification_jwk(&header)?; let key_alg = key .common .key_algorithm @@ -116,7 +213,7 @@ impl AttestationTokenVerifier for JwkAttestationTokenVerifier { let token_data = decode::(&token, &dkey, &Validation::new(alg)) .context("Failed to decode attestation token")?; - Ok(serde_json::to_string(&token_data.claims)?) + Ok(token_data.claims) } } diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index 30f5090617..6381c9041a 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs 
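Review bot: The two `URL_SAFE_NO_PAD.decode(...)` calls on the `x5c` entries in `verify_jwk_endorsement` use the base64url alphabet, while RFC 7517 section 4.7 defines `x5c` values as standard base64 (padded) DER certificates. A chain from a conforming issuer would be rejected with "Illegal x5c cert" as soon as an entry contains `+`, `/` or `=`. The failure is closed, but it makes the endorsement path unusable and pushes deployments toward `insecure_key`. I would decode the leaf and the intermediates with `base64::engine::general_purpose::STANDARD.decode(&pem).context("Illegal x5c cert")?` and keep `URL_SAFE_NO_PAD` only for the `n` and `e` parameters. If the token issuer deliberately emits base64url here, that deviation deserves a comment at this spot.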
@@ -2,54 +2,92 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use anyhow::*; -use async_trait::async_trait; +use jwk::JwkAttestationTokenVerifier; +use kbs_types::TeePubKey; +use log::debug; use serde::Deserialize; -use std::sync::Arc; -use strum::EnumString; -use tokio::sync::RwLock; +use serde_json::Value; -mod coco; +mod error; pub(crate) mod jwk; +pub use error::*; -#[async_trait] -pub trait AttestationTokenVerifier { - /// Verify an signed attestation token. - /// Returns the custom claims JSON string of the token. - async fn verify(&self, token: String) -> Result; -} - -#[derive(Deserialize, Default, Debug, Clone, EnumString)] -pub enum AttestationTokenVerifierType { - #[default] - CoCo, - Jwk, -} +pub const TOKEN_TEE_PUBKEY_PATH_ITA: &str = "/attester_runtime_data/tee-pubkey"; +pub const TOKEN_TEE_PUBKEY_PATH_COCO: &str = "/customized_claims/runtime_data/tee-pubkey"; -#[derive(Deserialize, Debug, Clone)] +#[derive(Deserialize, Debug, Clone, PartialEq, Default)] pub struct AttestationTokenVerifierConfig { #[serde(default)] - pub attestation_token_type: AttestationTokenVerifierType, + /// The paths to the tee public key in the JWT body. For example, + /// `/attester_runtime_data/tee-pubkey` refers to the key + /// `attester_runtime_data.tee-pubkey` inside the JWT body claims. + /// + /// If a JWT is received, the [`TokenVerifier`] will try to extract + /// the tee public key from built-in ones ([`TOKEN_TEE_PUBKEY_PATH_ITA`], + /// [`TOKEN_TEE_PUBKEY_PATH_COCO`]) and the configured `extra_teekey_paths`. + /// + /// This field will default to an empty vector. + pub extra_teekey_paths: Vec, - /// Trusted Certificates file (PEM format) path (for "CoCo") or a valid Url - /// (file:// and https:// schemes accepted) pointing to a local JWKSet file + /// Trusted Certificates file (PEM format) paths use to verify Attestation + /// Token Signature. 
+ #[serde(default)] + pub trusted_certs_paths: Vec, + + /// Urls (file:// and https:// schemes accepted) pointing to a local JWKSet file /// or to an OpenID configuration url giving a pointer to JWKSet certificates /// (for "Jwk") to verify Attestation Token Signature. #[serde(default)] - pub trusted_certs_paths: Vec, + pub trusted_jwk_sets: Vec, + + /// Whether a JWK that directly comes from the JWT token is allowed to verify + /// the signature. This is insecure as it will not check the endorsement of + /// the JWK. If this option is set to false, the JWK will be looked up from + /// the key store configured during launching the KBS with kid field in the JWT, + /// or be checked against the configured trusted CA certs. + #[serde(default = "bool::default")] + pub insecure_key: bool, } -pub async fn create_token_verifier( - config: AttestationTokenVerifierConfig, -) -> Result>> { - match config.attestation_token_type { - AttestationTokenVerifierType::CoCo => Ok(Arc::new(RwLock::new( - coco::CoCoAttestationTokenVerifier::new(&config)?, - )) - as Arc>), - AttestationTokenVerifierType::Jwk => Ok(Arc::new(RwLock::new( - jwk::JwkAttestationTokenVerifier::new(&config).await?, - )) - as Arc>), +#[derive(Clone)] +pub struct TokenVerifier { + verifier: JwkAttestationTokenVerifier, + extra_teekey_paths: Vec, +} + +impl TokenVerifier { + pub async fn verify(&self, token: String) -> Result { + self.verifier + .verify(token) + .await + .map_err(|e| Error::TokenVerificationFailed { source: e }) + } + + pub async fn from_config(config: AttestationTokenVerifierConfig) -> Result { + let verifier = JwkAttestationTokenVerifier::new(&config) + .await + .map_err(|e| Error::TokenVerifierInitialization { source: e })?; + + let mut extra_teekey_paths = config.extra_teekey_paths; + extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_ITA.into()); + extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_COCO.into()); + + Ok(Self { + verifier, + extra_teekey_paths, + }) + } + + /// Different attestation 
service would embed tee public key + /// in different parts of the claims. + pub fn extract_tee_public_key(&self, claim: Value) -> Result { + for path in &self.extra_teekey_paths { + if let Some(pkey_value) = claim.pointer(path) { + debug!("Extract tee public key from {path}"); + return TeePubKey::deserialize(pkey_value).map_err(|_| Error::TeePubKeyParseFailed); + } + } + + Err(Error::NoTeePubKeyClaimFound) } } From 093d545ee3f2145fb579c61d397f4ec8f46294cb Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 9 Oct 2024 12:09:51 +0800 Subject: [PATCH 122/298] AS: move JWK to the JWT Header field Due to RFC 7515, JWK should be part of a JOSE Header rather than claim body. Signed-off-by: Xynnn007 --- attestation-service/src/token/simple.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs index 20c1d9652b..23281c3237 100644 --- a/attestation-service/src/token/simple.rs +++ b/attestation-service/src/token/simple.rs @@ -92,6 +92,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { let header_value = json!({ "typ": "JWT", "alg": SIMPLE_TOKEN_ALG, + "jwk": serde_json::from_str::(&self.pubkey_jwks()?)?["keys"][0].clone(), }); let header_string = serde_json::to_string(&header_value)?; let header_b64 = URL_SAFE_NO_PAD.encode(header_string.as_bytes()); @@ -109,7 +110,6 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { "iss": self.config.issuer_name.clone(), "iat": now.unix_timestamp(), "jti": id, - "jwk": serde_json::from_str::(&self.pubkey_jwks()?)?["keys"][0].clone(), "nbf": now.unix_timestamp(), "exp": exp.unix_timestamp(), }) From eeeb36a4501035259e31abeb790c7b452e6913f0 Mon Sep 17 00:00:00 2001 
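Review bot: `from_config` builds the verifier silently even when `config.insecure_key` is true, so nothing in the service log shows that a JWK taken from a token's own header will be accepted without an endorsement check. The claims of such a token, including the tee public key later returned by `extract_tee_public_key`, are then only as trustworthy as whoever signed it. I would make the mode visible at start-up with `if config.insecure_key { log::warn!("insecure_key is enabled: JWKs embedded in token headers are accepted without endorsement verification"); }` before the `Ok(Self { ... })`. The doc comment on `insecure_key` could also state outright that the setting is meant for test deployments, if that is the intent.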
From: Xynnn007 Date: Wed, 9 Oct 2024 12:12:51 +0800 Subject: [PATCH 123/298] docs/ci: abondon HTTPS_CRYPTO and update token verifier config Due to latest change, KBS will not maintain both rustls and openssl suites for HTTPS. Thus we need to delete all the options of HTTPS_CRYPTO config in documents and codes. Also, the latest change changes the config format of `attestation_token_config`, this patch also applies the change. Signed-off-by: Xynnn007 --- .github/workflows/kbs-rust.yml | 2 +- .github/workflows/push-kbs-image-to-ghcr.yml | 7 +----- deps/verifier/src/se/README.md | 6 ++--- kbs/Makefile | 7 +++--- kbs/README.md | 5 +--- kbs/config/docker-compose/kbs-config.toml | 2 +- kbs/config/kbs-config-grpc.toml | 2 +- .../kbs-config-intel-trust-authority.toml | 1 - kbs/config/kbs-config.toml | 2 +- kbs/config/kubernetes/base/kbs-config.toml | 2 +- kbs/config/kubernetes/ita/kbs-config.toml | 1 - kbs/docker/Dockerfile | 3 +-- kbs/docker/coco-as-grpc/Dockerfile | 3 +-- kbs/docker/intel-trust-authority/Dockerfile | 3 +-- kbs/docker/rhel-ubi/Dockerfile | 10 -------- kbs/docs/config.md | 25 ++++++++++++++----- kbs/docs/self-signed-https.md | 2 +- kbs/quickstart.md | 20 ++++++++++++--- kbs/test/config/kbs.toml | 2 +- kbs/test/config/resource-kbs.toml | 1 - 20 files changed, 54 insertions(+), 52 deletions(-) diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml index 7207933d20..ab6fefb0c3 100644 --- a/.github/workflows/kbs-rust.yml +++ b/.github/workflows/kbs-rust.yml @@ -58,7 +58,7 @@ jobs: - name: KBS Build [Built-in CoCo AS, OpenSSL] working-directory: kbs - run: make HTTPS_CRYPTO=openssl + run: make - name: KBS Build [gRPC CoCo AS, RustTLS] working-directory: kbs diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml index 4c4a25e9ef..ed30c3b6b4 100644 --- a/.github/workflows/push-kbs-image-to-ghcr.yml +++ b/.github/workflows/push-kbs-image-to-ghcr.yml 
@@ -25,15 +25,12 @@ jobs: include: - tag: kbs docker_file: kbs/docker/Dockerfile - https_crypto: openssl name: build-in AS - tag: kbs-grpc-as docker_file: kbs/docker/coco-as-grpc/Dockerfile - https_crypto: rustls name: gRPC AS - tag: kbs-ita-as docker_file: kbs/docker/intel-trust-authority/Dockerfile - https_crypto: rustls name: Intel Trust Authority AS runs-on: ${{ matrix.instance }} @@ -56,12 +53,10 @@ jobs: run: | commit_sha=${{ github.sha }} arch=$(uname -m) - https_crypto=${{ matrix.https_crypto }} - [ "${arch}" = "s390x" ] && https_crypto=openssl DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \ - --build-arg ARCH="${arch}" --build-arg HTTPS_CRYPTO="${https_crypto}" . + --build-arg ARCH="${arch}" . publish_multi_arch_image: needs: build_and_push diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index 0ee09c0882..d2cfa5a4ba 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md @@ -67,7 +67,7 @@ openssl pkey -in kbs.key -pubout -out kbs.pem - Build KBS ```bash -cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa +cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa ``` - Prepare the material retrieved above, similar as: @@ -101,7 +101,7 @@ auth_public_key = "/kbs/kbs.pem" insecure_http = true [attestation_token_config] -attestation_token_type = "CoCo" +insecure_key = true [as_config] work_dir = "/opt/confidential-containers/attestation-service" 
@@ -128,7 +128,7 @@ export SE_SKIP_CERTS_VERIFICATION=true ## (Option 2) Launch KBS via docker-compose - Build the docker image ``` -DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile +DOCKER_BUILDKIT=1 docker build --build-arg --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile ``` - Prepare a docker compose file, similar as: diff --git a/kbs/Makefile b/kbs/Makefile index 33d76f642d..90c6267d33 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -1,5 +1,4 @@ AS_TYPE ?= coco-as -HTTPS_CRYPTO ?= rustls POLICY_ENGINE ?= ALIYUN ?= false @@ -39,16 +38,16 @@ build: background-check-kbs .PHONY: background-check-kbs background-check-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE),$(FEATURES) + cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(POLICY_ENGINE),$(FEATURES) .PHONY: passport-issuer-kbs passport-issuer-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO),$(FEATURES) + cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES) mv ../target/release/kbs ../target/release/issuer-kbs .PHONY: passport-resource-kbs passport-resource-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE),$(FEATURES) + cargo build -p kbs --locked --release --no-default-features --features resource,$(POLICY_ENGINE),$(FEATURES) mv ../target/release/kbs ../target/release/resource-kbs .PHONY: cli diff --git a/kbs/README.md b/kbs/README.md index fd322f3ab3..6b6e69c6e1 100644 --- a/kbs/README.md +++ b/kbs/README.md 
@@ -90,11 +90,10 @@ The Makefile supports a number of other configuration parameters. For example, ```shell -make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?] +make background-check-kbs [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?] ``` The parameters -- `HTTPS_CRYPTO`: either `rustls` or `openssl` can be specified. If not provided, `rustls` is default. - `POLICY_ENGINE`: The KBS has a policy engine to facilitate access control. This should not be confused with the policy engine in the AS, which determines whether or not TEE evidence is valid. `POLICY_ENGINE` determines which type of policy engine the KBS will use. Today only `opa` is supported. The KBS can also be built without a policy engine if it is not required. - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`. @@ -103,8 +102,6 @@ if it is not required. ## HTTPS Support The KBS can use HTTPS. This requires a crypto backend. -`HTTPS_CRYPTO` determines which backend will be used. -The options are `rustls` and `openssl`. The default is `rustls`. If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md). diff --git a/kbs/config/docker-compose/kbs-config.toml b/kbs/config/docker-compose/kbs-config.toml index b999639892..461d2aa549 100644 --- a/kbs/config/docker-compose/kbs-config.toml +++ b/kbs/config/docker-compose/kbs-config.toml @@ -3,7 +3,7 @@ auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub" insecure_http = true [attestation_token_config] -attestation_token_type = "CoCo" +insecure_key = true [grpc_config] as_addr = "http://as:50004" diff --git a/kbs/config/kbs-config-grpc.toml b/kbs/config/kbs-config-grpc.toml index 04bfd13810..4bc5969173 100644 --- a/kbs/config/kbs-config-grpc.toml +++ b/kbs/config/kbs-config-grpc.toml 
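Review bot: `insecure_key = true` replaces `attestation_token_type = "CoCo"` in kbs/config/docker-compose/kbs-config.toml without any comment, and the same substitution is made in kbs/config/kbs-config-grpc.toml, kbs/config/kbs-config.toml and kbs/config/kubernetes/base/kbs-config.toml. According to the field's documentation in kbs/src/token/mod.rs, this lets the KBS use the JWK carried in a token without checking its endorsement, so a deployment copied from these files would presumably trust any token whose signing key travels in its own header. I would annotate the line in each file, e.g. `# insecure_key = true skips JWK endorsement checks; test setups only, otherwise set trusted_certs_paths or trusted_jwk_sets`. It is also worth considering whether the Kubernetes base config should ship with trusted material instead.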
@@ -2,7 +2,7 @@ insecure_http = true insecure_api = true [attestation_token_config] -attestation_token_type = "CoCo" +insecure_key = true [grpc_config] as_addr = "http://127.0.0.1:50004" diff --git a/kbs/config/kbs-config-intel-trust-authority.toml b/kbs/config/kbs-config-intel-trust-authority.toml index 48d435b64f..070841da69 100644 --- a/kbs/config/kbs-config-intel-trust-authority.toml +++ b/kbs/config/kbs-config-intel-trust-authority.toml @@ -2,7 +2,6 @@ insecure_http = true insecure_api = true [attestation_token_config] -attestation_token_type = "Jwk" trusted_certs_paths = ["https://portal.trustauthority.intel.com"] [intel_trust_authority_config] diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml index d04fd53408..7b99f03599 100644 --- a/kbs/config/kbs-config.toml +++ b/kbs/config/kbs-config.toml @@ -2,7 +2,7 @@ insecure_http = true insecure_api = true [attestation_token_config] -attestation_token_type = "CoCo" +insecure_key = true [repository_config] type = "LocalFs" diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index c6544eece9..67d01a6ffa 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml @@ -5,7 +5,7 @@ auth_public_key = "/kbs/kbs.pem" insecure_http = true [attestation_token_config] -attestation_token_type = "CoCo" +insecure_key = true [as_config] work_dir = "/opt/confidential-containers/attestation-service" diff --git a/kbs/config/kubernetes/ita/kbs-config.toml b/kbs/config/kubernetes/ita/kbs-config.toml index 0bba5e3f2c..044864e78d 100644 --- a/kbs/config/kubernetes/ita/kbs-config.toml +++ b/kbs/config/kubernetes/ita/kbs-config.toml @@ -5,7 +5,6 @@ auth_public_key = "/kbs/kbs.pem" insecure_http = true [attestation_token_config] -attestation_token_type = "Jwk" trusted_certs_paths = ["https://portal.trustauthority.intel.com"] [intel_trust_authority_config] 
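Review bot: The `trusted_certs_paths = ["https://portal.trustauthority.intel.com"]` line that the kbs/config/kbs-config-intel-trust-authority.toml hunk leaves in place no longer matches how the field is read. In this series `JwkAttestationTokenVerifier::new` passes every `trusted_certs_paths` entry to `fs::read` and parses it as a PEM certificate, while URLs are only fetched for `trusted_jwk_sets`. With this file the verifier would most likely fail to initialize on the unreadable path instead of loading the Intel Trust Authority JWKS. The line should become `trusted_jwk_sets = ["https://portal.trustauthority.intel.com"]`, as the example in kbs/docs/config.md already does. kbs/config/kubernetes/ita/kbs-config.toml has the same leftover.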
diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index 2831d6a5b8..f6bd8294a0 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -1,6 +1,5 @@ FROM rust:slim as builder ARG ARCH=x86_64 -ARG HTTPS_CRYPTO=rustls ARG ALIYUN=false ENV DEBIAN_FRONTEND noninteractive @@ -37,7 +36,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s WORKDIR /usr/src/kbs COPY . . -RUN cd kbs && make AS_FEATURE=coco-as-builtin HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ +RUN cd kbs && make AS_FEATURE=coco-as-builtin POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ make install-kbs FROM ubuntu:22.04 diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile index 2a96e9045d..67f099e6ac 100644 --- a/kbs/docker/coco-as-grpc/Dockerfile +++ b/kbs/docker/coco-as-grpc/Dockerfile @@ -1,6 +1,5 @@ FROM rust:latest as builder ARG ARCH=x86_64 -ARG HTTPS_CRYPTO=rustls ARG ALIYUN=false WORKDIR /usr/src/kbs @@ -9,7 +8,7 @@ COPY . . RUN apt-get update && apt install -y protobuf-compiler git # Build and Install KBS -RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ +RUN cd kbs && make AS_FEATURE=coco-as-grpc POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ make install-kbs FROM ubuntu:22.04 diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile index a2b4f650e2..0638b9cf82 100644 --- a/kbs/docker/intel-trust-authority/Dockerfile +++ b/kbs/docker/intel-trust-authority/Dockerfile @@ -1,5 +1,4 @@ FROM rust:latest as builder -ARG HTTPS_CRYPTO=rustls ARG ALIYUN=false WORKDIR /usr/src/kbs 
@@ -8,7 +7,7 @@ COPY . . RUN apt-get update && apt install -y git # Build and Install KBS -RUN cd kbs && make AS_FEATURE=intel-trust-authority-as HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ +RUN cd kbs && make AS_FEATURE=intel-trust-authority-as POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ make install-kbs FROM ubuntu:22.04 diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile index d3f3150ded..2c4aa2410a 100644 --- a/kbs/docker/rhel-ubi/Dockerfile +++ b/kbs/docker/rhel-ubi/Dockerfile @@ -45,7 +45,6 @@ fi # Package UBI image. FROM registry.access.redhat.com/ubi9 -<<<<<<< HEAD # Update packages. Get CVE fixes sooner. RUN dnf -y update && dnf clean all @@ -84,12 +83,3 @@ LABEL io.openshift.tags="" # Licenses COPY LICENSE /licenses/LICENSE -======= -# Install runtime dependencies from Intel repo. -COPY --from=builder /root/sgx_rpm_local_repo /root/sgx_rpm_local_repo -RUN dnf -y install --nogpgcheck --setopt=install_weak_deps=0 --repofrompath "sgx,file:///root/sgx_rpm_local_repo" \ -libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ -rm -rf /root/sgx_rpm_local_repo - -COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs ->>>>>>> 202deb9 (docker: refactor docker folder structure) diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 6181e3d98e..1d2498bf17 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
@@ -39,12 +39,26 @@ The following properties can be set under the `attestation_token_config` section | Property | Type | Description | Required | Default | |----------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------| -| `attestation_token_config` | String | Attestation token broker type. Valid values: `CoCo`, `Jwk` | Yes | - | -| `trusted_certs_paths` | String Array | Trusted Certificates file (PEM format) for `CoCo` or a valid Url (`file://` or `https://`) pointing to a JWKSet certificates (local or OpenID) for `Jwk` | No | - | +| `trusted_jwk_sets` | String Array | Valid Url (`file://` or `https://`) pointing to trusted JWKSets (local or OpenID) for Attestation Tokens trustworthy verification | No | - | +| `trusted_certs_paths` | String Array | Trusted Certificates file (PEM format) for Attestation Tokens trustworthy verification | No | - | +| `extra_teekey_paths` | String Array | User defined paths to the tee public key in the JWT body | No | - | +| `insecure_key` | Boolean | Whether to check the trustworthy of the JWK inside JWT. See comments. | No | `false` | +Each JWT contains a TEE Public Key. Users can use the `extra_teekey_paths` field to additionally specify the path of this Key in the JWT. +Example of `extra_teekey_paths` is `/attester_runtime_data/tee-pubkey` which refers to the key +`attester_runtime_data.tee-pubkey` inside the JWT body claims. By default CoCo AS Token and Intel TA +Token TEE Public Key paths are supported. -If `trusted_certs_paths` is set, KBS will forcibly check the validity of the Attestation Token signature public key certificate, -if not set this field, KBS will skip the verification of the certificate. +For Attestation Services like CoCo-AS, the public key to verify the JWT will be given +in the token's `jwk` field (with or without the public key cert chain `x5c`). 
+ +- If `insecure_key` is set to `true`, KBS will ignore to verify the trustworthy of the `jwk`. +- If `insecure_key` is set to `false`, KBS will look up its `trusted_certs_paths` and the `x5c` +field to verify the trustworthy of the `jwk`. + +For Attestation Services like Intel TA, there will only be a `kid` field inside the JWT. +The `kid` field is used to look up the trusted jwk configured by KBS via `trusted_jwk_sets` to +verify the integrity and trustworthy of the JWT. ### Repository Configuration @@ -207,8 +221,7 @@ insecure_http = true insecure_api = true [attestation_token_config] -attestation_token_type = "Jwk" -trusted_certs_paths = ["https://portal.trustauthority.intel.com"] +trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] [repository_config] type = "LocalFs" diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md index 8899f304e2..4c36f62f8a 100644 --- a/kbs/docs/self-signed-https.md +++ b/kbs/docs/self-signed-https.md @@ -72,7 +72,7 @@ auth_public_key = "/etc/public.pub" insecure_api = true [attestation_token_config] -attestation_token_type = "CoCo" +insecure_key = true [repository_config] type = "LocalFs" diff --git a/kbs/quickstart.md b/kbs/quickstart.md index d793c750ad..5466fff13d 100644 --- a/kbs/quickstart.md +++ b/kbs/quickstart.md 
@@ -240,13 +240,27 @@ Adding the following content to JSON config file of gRPC AS: ### Configure trusted root certificate of KBS -Adding the following content to the config file of Resource KBS to specify trusted root certificate (PEM format), -which used to verify the trustworthy of the certificate in Attestation Token: +Attestation Tokens are now all in JWT format. + +Adding the following content to the config file of Resource KBS to specify trusted root certificate (PEM format) +or JWK set which are used to verify the trustworthy of the Attestation Token: ```toml [attestation_token_config] -attestation_token_type = "CoCo" +# Path of root certificate used to verify the trustworthy of `x5c` extension in the JWT trusted_certs_paths = ["/path/to/trusted_cacert.pem"] + +# URL (`path://` or `https://`) of the trusted JWK that can be indexed by `kid` in +# JWT Header. +trusted_jwk_sets = ["/url/to/trusted_jwk_set"] + +# For Attestation Services like CoCo-AS, the public key to verify the JWT will be given +# in the token's `jwk` field (with or without the public key cert chain `x5c`). +# +# - If this flag is set to `true`, KBS will ignore to verify the trustworthy of the `jwk`. +# - If this flag is set to `false`, KBS will look up its `trusted_certs_paths` and the `x5c` +# field to verify the trustworthy of the `jwk`. +insecure_key = false ``` If `trusted_certs_paths` field is not set, KBS will skip the verification of the certificate in Attestation Token. diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index 0f08b733f9..7c6314ab5a 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -5,7 +5,7 @@ private_key = "./work/https.key" certificate = "./work/https.crt" [attestation_token_config] -attestation_token_type = "CoCo" +trusted_certs_paths = ["./work/token-cert.pem"] [repository_config] type = "LocalFs" diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml index 5c14ab5195..8abbec27eb 100644 
--- a/kbs/test/config/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml @@ -3,7 +3,6 @@ auth_public_key = "./work/kbs.pem" insecure_http = true [attestation_token_config] -attestation_token_type = "CoCo" trusted_certs_paths = ["./work/ca-cert.pem"] [repository_config] From cfacf88f78796374757a684dff7092cfe5071bd3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 01:45:00 +0000 Subject: [PATCH 124/298] build(deps): bump rustversion from 1.0.15 to 1.0.18 Bumps [rustversion](https://github.com/dtolnay/rustversion) from 1.0.15 to 1.0.18. - [Release notes](https://github.com/dtolnay/rustversion/releases) - [Commits](https://github.com/dtolnay/rustversion/compare/1.0.15...1.0.18) --- updated-dependencies: - dependency-name: rustversion dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e8451c9f01..03f9f5554f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4471,9 +4471,9 @@ dependencies = [ [[package]] name = "rustversion" -version = "1.0.15" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80af6f9131f277a45a3fba6ce8e2258037bb0477a67e610d3c1fe046ab31de47" +checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248" [[package]] name = "ryu" From 2b1158b396440ff90d59b996deeb4de3b1f9bebd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 01:29:45 +0000 Subject: [PATCH 125/298] build(deps): bump arrayref from 0.3.7 to 0.3.9 Bumps [arrayref](https://github.com/droundy/arrayref) from 0.3.7 to 0.3.9. - [Commits](https://github.com/droundy/arrayref/commits) --- updated-dependencies: - dependency-name: arrayref dependency-type: indirect update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 03f9f5554f..558cd193f5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -402,9 +402,9 @@ checksum = "f538837af36e6f6a9be0faa67f9a314f8119e4e4b5867c6ab40ed60360142519" [[package]] name = "arrayref" -version = "0.3.7" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b4930d2cb77ce62f89ee5d5289b4ac049559b1c45539271f5ed4fdc7db34545" +checksum = "76a2e8124351fda1ef8aaaa3bbd7ebbcb486bbcd4225aca0aa0d84bb2db8fecb" [[package]] name = "arrayvec" From 2ea4c2aa34bf3eaa45146014c196e1eb2eabb8e5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 01:42:53 +0000 Subject: [PATCH 126/298] build(deps): bump object from 0.36.3 to 0.36.5 Bumps [object](https://github.com/gimli-rs/object) from 0.36.3 to 0.36.5. - [Changelog](https://github.com/gimli-rs/object/blob/master/CHANGELOG.md) - [Commits](https://github.com/gimli-rs/object/compare/0.36.3...0.36.5) --- updated-dependencies: - dependency-name: object dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 558cd193f5..926b7b2d97 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3190,9 +3190,9 @@ dependencies = [ [[package]] name = "object" -version = "0.36.3" +version = "0.36.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27b64972346851a39438c60b341ebc01bba47464ae329e55cf343eb93964efd9" +checksum = "aedf0a2d09c573ed1d8d85b30c119153926a2b36dce0ab28322c09a117a4683e" dependencies = [ "memchr", ] From ef6c9eff519bedd328d3c64431e05749b160f1e8 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 01:09:49 +0000 Subject: [PATCH 127/298] build(deps): bump openssl-sys from 0.9.102 to 0.9.104 Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.102 to 0.9.104. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.102...openssl-sys-v0.9.104) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 926b7b2d97..ec4601673b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3280,9 +3280,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.102" +version = "0.9.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" +checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" dependencies = [ "cc", "libc", From 4784abad6fa11df0b7b45c10c64c3458f27c7fa1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 01:50:38 +0000 Subject: [PATCH 128/298] build(deps): bump colorchoice from 1.0.2 to 1.0.3 Bumps [colorchoice](https://github.com/rust-cli/anstyle) from 1.0.2 to 1.0.3. - [Commits](https://github.com/rust-cli/anstyle/compare/colorchoice-v1.0.2...colorchoice-v1.0.3) --- updated-dependencies: - dependency-name: colorchoice dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ec4601673b..f9a3d0f1de 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1138,9 +1138,9 @@ checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" [[package]] name = "colorchoice" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" +checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" [[package]] name = "config" From 6dabcb2aa6d1f1632749d92b6cb60e7546fafc5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 01:59:26 +0000 Subject: [PATCH 129/298] build(deps): bump autocfg from 1.3.0 to 1.4.0 Bumps [autocfg](https://github.com/cuviper/autocfg) from 1.3.0 to 1.4.0. - [Commits](https://github.com/cuviper/autocfg/compare/1.3.0...1.4.0) --- updated-dependencies: - dependency-name: autocfg dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f9a3d0f1de..ae54a89a8c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -605,9 +605,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.3.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "axum" From f2c7cc93a373344cb1d8d9c0f9ec3c825ffb209f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Nov 2024 01:54:35 +0000 Subject: [PATCH 130/298] build(deps): bump linux-raw-sys from 0.4.13 to 0.4.14 Bumps [linux-raw-sys](https://github.com/sunfishcode/linux-raw-sys) from 0.4.13 to 0.4.14. - [Commits](https://github.com/sunfishcode/linux-raw-sys/compare/v0.4.13...v0.4.14) --- updated-dependencies: - dependency-name: linux-raw-sys dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ae54a89a8c..65aee6f604 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2863,9 +2863,9 @@ checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" [[package]] name = "linux-raw-sys" -version = "0.4.13" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "local-channel" From 951d5c715028c535cff626b21eac3dcea42992f2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 01:30:10 +0000 Subject: [PATCH 131/298] build(deps): bump num from 0.4.2 to 0.4.3 Bumps [num](https://github.com/rust-num/num) from 0.4.2 to 0.4.3. - [Changelog](https://github.com/rust-num/num/blob/master/RELEASES.md) - [Commits](https://github.com/rust-num/num/compare/num-0.4.2...num-0.4.3) --- updated-dependencies: - dependency-name: num dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 65aee6f604..ce84e44e57 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -3071,9 +3071,9 @@ dependencies = [ [[package]] name = "num" -version = "0.4.2" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3135b08af27d103b0a51f2ae0f8632117b7b185ccf931445affa8df530576a41" +checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23" dependencies = [ "num-bigint", "num-complex", @@ -3085,11 +3085,10 @@ dependencies = [ [[package]] name = "num-bigint" -version = "0.4.4" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" +checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" dependencies = [ - "autocfg", "num-integer", "num-traits", ] @@ -3113,9 +3112,9 @@ dependencies = [ [[package]] name = "num-complex" -version = "0.4.5" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23c6602fda94a57c990fe0df199a035d83576b496aa29f4e634a8ac6004e68a6" +checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495" dependencies = [ "num-traits", ] @@ -3148,9 +3147,9 @@ dependencies = [ [[package]] name = "num-iter" -version = "0.1.44" +version = "0.1.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d869c01cc0c455284163fd0092f1f93835385ccab5a98a0dcc497b2f8bf055a9" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" dependencies = [ "autocfg", "num-integer", @@ -3159,11 +3158,10 @@ dependencies = [ [[package]] name = "num-rational" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" +checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824" dependencies = [ - "autocfg", "num-bigint", "num-integer", "num-traits", 
@@ -3171,9 +3169,9 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.18" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", "libm", From 2969539b58481edadd6e159baf844c19663fc2b8 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Mon, 4 Nov 2024 14:28:54 -0600 Subject: [PATCH 132/298] Dockerfile: fix capitalization Docker prefers that statements using FROM and AS have those two words in the same case and will even warn you about it if you don't. See https://docs.docker.com/reference/build-checks/from-as-casing/ Signed-off-by: Tobin Feldman-Fitzthum --- attestation-service/docker/as-grpc/Dockerfile | 4 ++-- attestation-service/docker/as-restful/Dockerfile | 4 ++-- kbs/docker/Dockerfile | 2 +- kbs/docker/coco-as-grpc/Dockerfile | 2 +- kbs/docker/intel-trust-authority/Dockerfile | 2 +- rvps/docker/Dockerfile | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/attestation-service/docker/as-grpc/Dockerfile b/attestation-service/docker/as-grpc/Dockerfile index ab770d97f7..4ad794068d 100644 --- a/attestation-service/docker/as-grpc/Dockerfile +++ b/attestation-service/docker/as-grpc/Dockerfile @@ -2,7 +2,7 @@ # Licensed under the Apache License, Version 2.0, see LICENSE for details. # SPDX-License-Identifier: Apache-2.0 -FROM rust:latest as builder +FROM rust:latest AS builder ARG ARCH=x86_64 WORKDIR /usr/src/attestation-service @@ -44,4 +44,4 @@ VOLUME /opt/confidential-containers/attestation-service CMD ["grpc-as", "--socket", "0.0.0.0:50004"] -EXPOSE 50004 \ No newline at end of file +EXPOSE 50004 diff --git a/attestation-service/docker/as-restful/Dockerfile b/attestation-service/docker/as-restful/Dockerfile index 42a9352fe6..3496211520 100644 --- a/attestation-service/docker/as-restful/Dockerfile 
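Review bot: The builder stage in attestation-service/docker/as-grpc/Dockerfile is still based on the mutable tag `rust:latest`, so two builds of the same commit can pick up different toolchains and base layers. The same applies to the as-restful, coco-as-grpc, intel-trust-authority and rvps Dockerfiles touched by this commit, and to `rust:slim` in kbs/docker/Dockerfile. For images that ship an attestation service or key broker, I would pin the builder to a fixed version and digest, e.g. `FROM rust:<VERSION>@sha256:<DIGEST> AS builder` (placeholders), and let the dependency bot raise the pin. The rest of each Dockerfile lies outside these hunks.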
+++ b/attestation-service/docker/as-restful/Dockerfile @@ -2,7 +2,7 @@ # Licensed under the Apache License, Version 2.0, see LICENSE for details. # SPDX-License-Identifier: Apache-2.0 -FROM rust:latest as builder +FROM rust:latest AS builder ARG ARCH=x86_64 WORKDIR /usr/src/attestation-service @@ -45,4 +45,4 @@ VOLUME /opt/confidential-containers/attestation-service CMD ["restful-as", "--socket", "0.0.0.0:8080", "--config-file", "/etc/config.json"] -EXPOSE 8080 \ No newline at end of file +EXPOSE 8080 diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index f6bd8294a0..ec9ae43f82 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:slim as builder +FROM rust:slim AS builder ARG ARCH=x86_64 ARG ALIYUN=false diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile index 67f099e6ac..654d227796 100644 --- a/kbs/docker/coco-as-grpc/Dockerfile +++ b/kbs/docker/coco-as-grpc/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:latest as builder +FROM rust:latest AS builder ARG ARCH=x86_64 ARG ALIYUN=false diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile index 0638b9cf82..d7be1aa7d4 100644 --- a/kbs/docker/intel-trust-authority/Dockerfile +++ b/kbs/docker/intel-trust-authority/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:latest as builder +FROM rust:latest AS builder ARG ALIYUN=false WORKDIR /usr/src/kbs diff --git a/rvps/docker/Dockerfile b/rvps/docker/Dockerfile index 41f57355ab..be466a121d 100644 --- a/rvps/docker/Dockerfile +++ b/rvps/docker/Dockerfile @@ -2,7 +2,7 @@ # Licensed under the Apache License, Version 2.0, see LICENSE for details. # SPDX-License-Identifier: Apache-2.0 -FROM rust:latest as builder +FROM rust:latest AS builder WORKDIR /usr/src/rvps @@ -22,4 +22,4 @@ CMD ["rvps"] VOLUME /opt/confidential-containers/attestation-service/reference_values/ -EXPOSE 50003 \ No newline at end of file +EXPOSE 50003 
From 251cce30b710dbf46d1a52e361282531017f320d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 01:54:43 +0000 Subject: [PATCH 133/298] build(deps): bump cpufeatures from 0.2.12 to 0.2.14 Bumps [cpufeatures](https://github.com/RustCrypto/utils) from 0.2.12 to 0.2.14. - [Commits](https://github.com/RustCrypto/utils/compare/cpufeatures-v0.2.12...cpufeatures-v0.2.14) --- updated-dependencies: - dependency-name: cpufeatures dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ce84e44e57..dda1e68a14 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1273,9 +1273,9 @@ dependencies = [ [[package]] name = "cpufeatures" -version = "0.2.12" +version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53fe5e26ff1b7aef8bca9c6080520cfb8d9333c7568e1829cef191a9723e5504" +checksum = "608697df725056feaccfa42cffdaeeec3fccc4ffc38358ecd19b243e716a78e0" dependencies = [ "libc", ] From 9232fb45486860da2d9dc7dfc85cee44cc7b67b6 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 14:41:51 +0800 Subject: [PATCH 134/298] KBS: refactor attestation module This refactoring combines all RCAR (attestation) related code into one module. This would help to better modularization and error handling. 
Signed-off-by: Xynnn007 --- kbs/src/attestation/backend.rs | 362 ++++++++++++++++++ kbs/src/attestation/coco/builtin.rs | 3 +- kbs/src/attestation/coco/grpc.rs | 9 +- kbs/src/attestation/config.rs | 29 ++ kbs/src/attestation/error.rs | 42 ++ .../attestation/intel_trust_authority/mod.rs | 7 +- kbs/src/attestation/mod.rs | 191 +-------- kbs/src/{ => attestation}/session.rs | 4 +- kbs/src/http/attest.rs | 153 -------- 9 files changed, 449 insertions(+), 351 deletions(-) create mode 100644 kbs/src/attestation/backend.rs create mode 100644 kbs/src/attestation/config.rs create mode 100644 kbs/src/attestation/error.rs rename kbs/src/{ => attestation}/session.rs (95%) delete mode 100644 kbs/src/http/attest.rs diff --git a/kbs/src/attestation/backend.rs b/kbs/src/attestation/backend.rs new file mode 100644 index 0000000000..febc9e4902 --- /dev/null +++ b/kbs/src/attestation/backend.rs 
@@ -0,0 +1,362 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use std::sync::Arc; + +use actix_web::{HttpRequest, HttpResponse}; +use anyhow::{anyhow, bail, Context}; +use async_trait::async_trait; +use base64::{engine::general_purpose::STANDARD, Engine}; +use kbs_types::{Attestation, Challenge, Request, Tee}; +use lazy_static::lazy_static; +use log::{debug, info}; +use rand::{thread_rng, Rng}; +use semver::{BuildMetadata, Prerelease, Version, VersionReq}; +use serde::Deserialize; +use serde_json::json; + +use crate::attestation::session::KBS_SESSION_ID; + +use super::{ + config::{AttestationConfig, AttestationServiceConfig}, + session::{SessionMap, SessionStatus}, + Error, Result, +}; + +static KBS_MAJOR_VERSION: u64 = 0; +static KBS_MINOR_VERSION: u64 = 1; +static KBS_PATCH_VERSION: u64 = 1; + +lazy_static! { + static ref VERSION_REQ: VersionReq = { + let kbs_version = Version { + major: KBS_MAJOR_VERSION, + minor: KBS_MINOR_VERSION, + patch: KBS_PATCH_VERSION, + pre: Prerelease::EMPTY, + build: BuildMetadata::EMPTY, + }; + + VersionReq::parse(&format!("={kbs_version}")).unwrap() + }; +} + +/// Number of bytes in a nonce. +const NONCE_SIZE_BYTES: usize = 32; + +/// Create a nonce and return as a base-64 encoded string. +pub async fn make_nonce() -> anyhow::Result { + let mut nonce: Vec = vec![0; NONCE_SIZE_BYTES]; + + thread_rng() + .try_fill(&mut nonce[..]) + .map_err(anyhow::Error::from)?; + + Ok(STANDARD.encode(&nonce)) +} + +pub(crate) async fn generic_generate_challenge( + _tee: Tee, + _tee_parameters: serde_json::Value, +) -> anyhow::Result { + let nonce = make_nonce().await?; + + Ok(Challenge { + nonce, + extra_params: serde_json::Value::String(String::new()), + }) +} + +/// Interface for Attestation Services. +/// +/// Attestation Service implementations should implement this interface. 
+#[async_trait] +pub trait Attest: Send + Sync { + /// Set Attestation Policy + async fn set_policy(&self, _policy_id: &str, _policy: &str) -> anyhow::Result<()> { + Err(anyhow!("Set Policy API is unimplemented")) + } + + /// Verify Attestation Evidence + /// Return Attestation Results Token + async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> anyhow::Result; + + /// generate the Challenge to pass to attester based on Tee and nonce + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> anyhow::Result { + generic_generate_challenge(tee, tee_parameters).await + } +} + +/// Attestation Service +#[derive(Clone)] +pub struct AttestationService { + /// Attestation Module + inner: Arc, + + /// A concurrent safe map to keep status of RCAR status + session_map: Arc, + + /// Maximum session expiration time. + timeout: i64, +} + +#[derive(Deserialize, Debug)] +pub struct SetPolicyInput { + policy_id: String, + policy: String, +} + +impl AttestationService { + pub async fn new(config: AttestationConfig) -> Result { + let inner = match config.attestation_service { + #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] + AttestationServiceConfig::CoCoASBuiltIn(cfg) => { + let built_in_as = super::coco::builtin::BuiltInCoCoAs::new(cfg) + .await + .map_err(|e| Error::AttestationServiceInitialization { source: e })?; + Arc::new(built_in_as) as _ + } + #[cfg(feature = "coco-as-grpc")] + AttestationServiceConfig::CoCoASGrpc(cfg) => { + let grpc_coco_as = super::coco::grpc::GrpcClientPool::new(cfg) + .await + .map_err(|e| Error::AttestationServiceInitialization { source: e })?; + Arc::new(grpc_coco_as) as _ + } + #[cfg(feature = "intel-trust-authority-as")] + AttestationServiceConfig::IntelTA(cfg) => { + let intel_ta = super::intel_trust_authority::IntelTrustAuthority::new(cfg) + .await + .map_err(|e| Error::AttestationServiceInitialization { source: e })?; + Arc::new(intel_ta) as _ + } + }; + + let 
session_map = Arc::new(SessionMap::new()); + + tokio::spawn({ + let session_map_clone = session_map.clone(); + async move { + loop { + tokio::time::sleep(std::time::Duration::from_secs(60)).await; + session_map_clone + .sessions + .retain_async(|_, v| !v.is_expired()) + .await; + } + } + }); + Ok(Self { + inner, + timeout: config.timeout, + session_map, + }) + } + + pub async fn set_policy(&self, request: &[u8]) -> Result<()> { + self.__set_policy(request) + .await + .map_err(|e| Error::SetPolicy { source: e }) + } + + async fn __set_policy(&self, request: &[u8]) -> anyhow::Result<()> { + let input: SetPolicyInput = + serde_json::from_slice(request).context("parse set policy request")?; + self.inner.set_policy(&input.policy_id, &input.policy).await + } + + pub async fn auth(&self, request: &[u8]) -> Result { + self.__auth(request) + .await + .map_err(|e| Error::RcarAuthFailed { source: e }) + } + + async fn __auth(&self, request: &[u8]) -> anyhow::Result { + let request: Request = serde_json::from_slice(request).context("deserialize Request")?; + let version = Version::parse(&request.version).context("failed to parse KBS version")?; + if !VERSION_REQ.matches(&version) { + bail!( + "expected version: {}, requested version: {}", + *VERSION_REQ, + request.version + ); + } + + let challenge = self + .inner + .generate_challenge(request.tee, request.extra_params.clone()) + .await + .context("generate challenge")?; + + let session = SessionStatus::auth(request, self.timeout, challenge).context("Session")?; + + let response = HttpResponse::Ok() + .cookie(session.cookie()) + .json(session.challenge()); + + self.session_map.insert(session); + + Ok(response) + } + + pub async fn attest(&self, attestation: &[u8], request: HttpRequest) -> Result { + self.__attest(attestation, request) + .await + .map_err(|e| Error::RcarAttestFailed { source: e }) + } + + async fn __attest( + &self, + attestation: &[u8], + request: HttpRequest, + ) -> anyhow::Result { + let cookie = 
request.cookie(KBS_SESSION_ID).context("cookie not found")?; + + let session_id = cookie.value(); + + let attestation: Attestation = + serde_json::from_slice(attestation).context("deserialize Attestation")?; + let (tee, nonce) = { + let session = self + .session_map + .sessions + .get_async(session_id) + .await + .ok_or(anyhow!("No cookie found"))?; + let session = session.get(); + + debug!("Session ID {}", session.id()); + + if session.is_expired() { + bail!("session expired."); + } + + if let SessionStatus::Attested { token, .. } = session { + debug!( + "Session {} is already attested. Skip attestation and return the old token", + session.id() + ); + let body = serde_json::to_string(&json!({ + "token": token, + })) + .context("Serialize token failed")?; + + return Ok(HttpResponse::Ok() + .cookie(session.cookie()) + .content_type("application/json") + .body(body)); + } + + let attestation_str = serde_json::to_string_pretty(&attestation) + .context("Failed to serialize Attestation")?; + debug!("Attestation: {attestation_str}"); + + (session.request().tee, session.challenge().nonce.to_string()) + }; + + let attestation_str = + serde_json::to_string(&attestation).context("serialize attestation failed")?; + let token = self + .inner + .verify(tee, &nonce, &attestation_str) + .await + .context("verify TEE evidence failed")?; + + let mut session = self + .session_map + .sessions + .get_async(session_id) + .await + .ok_or(anyhow!("session not found"))?; + let session = session.get_mut(); + + let body = serde_json::to_string(&json!({ + "token": token, + })) + .context("Serialize token failed")?; + + session.attest(token); + + Ok(HttpResponse::Ok() + .cookie(session.cookie()) + .content_type("application/json") + .body(body)) + } + + pub async fn get_attest_token_from_session( + &self, + request: &HttpRequest, + ) -> anyhow::Result { + let cookie = request + .cookie(KBS_SESSION_ID) + .context("KBS session cookie not found")?; + + let session = self + .session_map + 
.sessions + .get_async(cookie.value()) + .await + .context("session not found")?; + + let session = session.get(); + + info!("Cookie {} request to get resource", session.id()); + + if session.is_expired() { + bail!("The session is expired"); + } + + let SessionStatus::Attested { token, .. } = session else { + bail!("The session is not authorized"); + }; + + Ok(token.to_owned()) + } +} + +#[cfg(test)] +mod tests { + use super::*; + + #[tokio::test] + async fn test_make_nonce() { + const BITS_PER_BYTE: usize = 8; + + /// A base-64 encoded value is this many bits in length. + const BASE64_BITS_CHUNK: usize = 6; + + /// Number of bytes that base64 encoding requires the result to align on. + const BASE64_ROUNDING_MULTIPLE: usize = 4; + + /// The nominal base64 encoded length. + const BASE64_NONCE_LENGTH_UNROUNDED_BYTES: usize = + (NONCE_SIZE_BYTES * BITS_PER_BYTE) / BASE64_BITS_CHUNK; + + /// The actual base64 encoded length is rounded up to the specified multiple. + const EXPECTED_LENGTH_BYTES: usize = + BASE64_NONCE_LENGTH_UNROUNDED_BYTES.next_multiple_of(BASE64_ROUNDING_MULTIPLE); + + // Number of nonce tests to run (arbitrary) + let nonce_count = 13; + + let mut nonces = vec![]; + + for _ in 0..nonce_count { + let nonce = make_nonce().await.unwrap(); + + assert_eq!(nonce.len(), EXPECTED_LENGTH_BYTES); + + let found = nonces.contains(&nonce); + + // The nonces should be unique + assert_eq!(found, false); + + nonces.push(nonce); + } + } +} diff --git a/kbs/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs index cc0bdcf9dc..a6b9faaf0a 100644 --- a/kbs/src/attestation/coco/builtin.rs +++ b/kbs/src/attestation/coco/builtin.rs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use crate::attestation::{make_nonce, Attest}; use anyhow::*; use async_trait::async_trait; use attestation_service::{config::Config as AsConfig, AttestationService, Data, HashAlgorithm}; 
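Review bot: `get_attest_token_from_session` writes `session.id()` to the log at info level (`info!("Cookie {} request to get resource", session.id())`), and `__attest` does the same at debug level. If that id is the value carried in the `KBS_SESSION_ID` cookie, which the `get_async(cookie.value())` lookups suggest, it works as a bearer credential for an attested session until the timeout, so anyone who can read the logs can reuse it. I would drop the id from the message, `info!("resource request on an attested session");`, or log only a short digest of it for correlation. Separately, the first lookup in `__attest` reports a missing session as `"No cookie found"` although the cookie was present; `"session not found"`, as used by the second lookup, would be accurate.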
@@ -10,6 +9,8 @@ use kbs_types::{Attestation, Challenge, Tee}; use serde_json::json; use tokio::sync::RwLock; +use crate::attestation::backend::{make_nonce, Attest}; + pub struct BuiltInCoCoAs { inner: RwLock, } diff --git a/kbs/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs index 903dbf3440..7e4d9a3dab 100644 --- a/kbs/src/attestation/coco/grpc.rs +++ b/kbs/src/attestation/coco/grpc.rs @@ -2,23 +2,20 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use crate::attestation::{make_nonce, Attest}; use anyhow::*; use async_trait::async_trait; -use base64::{ - engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD}, - Engine, -}; +use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; use kbs_types::{Attestation, Challenge, Tee}; use log::info; use mobc::{Manager, Pool}; -use rand::{thread_rng, Rng}; use serde::Deserialize; use serde_json::json; use std::collections::HashMap; use tokio::sync::Mutex; use tonic::transport::Channel; +use crate::attestation::backend::{make_nonce, Attest}; + use self::attestation::{ attestation_request::RuntimeData, attestation_service_client::AttestationServiceClient, AttestationRequest, ChallengeRequest, SetPolicyRequest, diff --git a/kbs/src/attestation/config.rs b/kbs/src/attestation/config.rs new file mode 100644 index 0000000000..f49be5a3b7 --- /dev/null +++ b/kbs/src/attestation/config.rs 
@@ -0,0 +1,29 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use serde::Deserialize; + +#[derive(Clone, Debug, Deserialize, PartialEq)] +pub struct AttestationConfig { + #[serde(flatten)] + pub attestation_service: AttestationServiceConfig, + + pub timeout: i64, +} + +#[derive(Clone, Debug, Deserialize, PartialEq)] +#[serde(tag = "type")] +pub enum AttestationServiceConfig { + #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] + #[serde(alias = "coco_as_builtin")] + CoCoASBuiltIn(attestation_service::config::Config), + + #[cfg(feature = "coco-as-grpc")] + #[serde(alias = "coco_as_grpc")] + CoCoASGrpc(super::coco::grpc::GrpcConfig), + + #[cfg(feature = "intel-trust-authority-as")] + #[serde(alias = "intel_ta")] + IntelTA(super::intel_trust_authority::IntelTrustAuthorityConfig), +} diff --git a/kbs/src/attestation/error.rs b/kbs/src/attestation/error.rs new file mode 100644 index 0000000000..c00bf13967 --- /dev/null +++ b/kbs/src/attestation/error.rs 
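Review bot: `timeout` in `AttestationConfig` is a bare `i64` with no doc comment, so neither its unit nor its accepted range is stated, and a zero or negative value deserializes without error. backend.rs passes the value unchanged to `SessionStatus::auth`; what happens there with a non-positive value is outside this hunk, but presumably the session is already expired when it is created. I would add `/// Maximum session lifetime, in <UNIT>; must be greater than zero.` above the field (unit to be filled in from session.rs) and reject non-positive values when the configuration is loaded.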
@@ -0,0 +1,42 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use log::error; +use strum::AsRefStr; +use thiserror::Error; + +pub type Result = std::result::Result; + +#[derive(Error, AsRefStr, Debug)] +pub enum Error { + #[error("Failed to initialize attestation service")] + AttestationServiceInitialization { + #[source] + source: anyhow::Error, + }, + + #[error("Failed to extract Tee public key from claims")] + ExtractTeePubKeyFailed { + #[source] + source: anyhow::Error, + }, + + #[error("RCAR handshake Auth failed")] + RcarAuthFailed { + #[source] + source: anyhow::Error, + }, + + #[error("RCAR handshake Attest failed")] + RcarAttestFailed { + #[source] + source: anyhow::Error, + }, + + #[error("Set Attestation Policy failed")] + SetPolicy { + #[source] + source: anyhow::Error, + }, +} diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 7986fd4ec8..bbfe6f8890 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -2,9 +2,10 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use super::Attest; -use crate::attestation::{generic_generate_challenge, make_nonce}; -use crate::token::{jwk::JwkAttestationTokenVerifier, AttestationTokenVerifierConfig}; +use crate::{ + attestation::backend::{generic_generate_challenge, make_nonce, Attest}, + token::{jwk::JwkAttestationTokenVerifier, AttestationTokenVerifierConfig}, +}; use anyhow::*; use async_trait::async_trait; use az_cvm_vtpm::hcl::HclReport; diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index 6141304f87..10d9ca88d2 100644 --- a/kbs/src/attestation/mod.rs +++ b/kbs/src/attestation/mod.rs 
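Review bot: `use log::error;` at the top of kbs/src/attestation/error.rs is not used anywhere in the 42 lines this hunk adds, so the new file produces an unused-import warning; the line can be removed. The `Error` variants each wrap an `anyhow::Error` as `#[source]` behind a fixed display string, so a one-line `///` comment per variant naming the public method that produces it (`auth` for `RcarAuthFailed`, `attest` for `RcarAttestFailed`, `set_policy` for `SetPolicy`) would help callers that map these to HTTP responses. `ExtractTeePubKeyFailed` is not produced in backend.rs as shown in this commit, so its comment should say where it is raised.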
@@ -2,196 +2,17 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use anyhow::*; -use async_trait::async_trait; -#[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] -use attestation_service::config::Config as AsConfig; -use base64::{engine::general_purpose::STANDARD, Engine}; -#[cfg(feature = "coco-as-grpc")] -use coco::grpc::*; -#[cfg(feature = "intel-trust-authority-as")] -use intel_trust_authority::*; -use kbs_types::{Challenge, Tee}; -use rand::{thread_rng, Rng}; - -#[cfg(not(feature = "intel-trust-authority-as"))] -pub const AS_TOKEN_TEE_PUBKEY_PATH: &str = "/customized_claims/runtime_data/tee-pubkey"; -#[cfg(feature = "intel-trust-authority-as")] -pub const AS_TOKEN_TEE_PUBKEY_PATH: &str = "/attester_runtime_data/tee-pubkey"; - #[cfg(feature = "coco-as")] -#[allow(missing_docs)] pub mod coco; #[cfg(feature = "intel-trust-authority-as")] pub mod intel_trust_authority; -/// Number of bytes in a nonce. -const NONCE_SIZE_BYTES: usize = 32; - -/// Create a nonce and return as a base-64 encoded string. -pub async fn make_nonce() -> Result { - let mut nonce: Vec = vec![0; NONCE_SIZE_BYTES]; - - thread_rng() - .try_fill(&mut nonce[..]) - .map_err(anyhow::Error::from)?; - - Ok(STANDARD.encode(&nonce)) -} - -pub(crate) async fn generic_generate_challenge( - _tee: Tee, - _tee_parameters: serde_json::Value, -) -> Result { - let nonce = make_nonce().await?; - - Ok(Challenge { - nonce, - extra_params: serde_json::Value::String(String::new()), - }) -} - -/// Interface for Attestation Services. -/// -/// Attestation Service implementations should implement this interface. 
-#[async_trait] -pub trait Attest: Send + Sync { - /// Set Attestation Policy - async fn set_policy(&self, _policy_id: &str, _policy: &str) -> Result<()> { - Err(anyhow!("Set Policy API is unimplemented")) - } - - /// Verify Attestation Evidence - /// Return Attestation Results Token - async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result; - - /// generate the Challenge to pass to attester based on Tee and nonce - async fn generate_challenge( - &self, - tee: Tee, - tee_parameters: serde_json::Value, - ) -> Result { - generic_generate_challenge(tee, tee_parameters).await - } -} - -/// Attestation Service -pub enum AttestationService { - #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - CoCoASBuiltIn(coco::builtin::BuiltInCoCoAs), - - #[cfg(feature = "coco-as-grpc")] - CoCoASgRPC(GrpcClientPool), - - #[cfg(feature = "intel-trust-authority-as")] - IntelTA(IntelTrustAuthority), -} - -impl AttestationService { - /// Create and initialize AttestationService. - #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - pub async fn new(config: AsConfig) -> Result { - let built_in_as = coco::builtin::BuiltInCoCoAs::new(config).await?; - Ok(Self::CoCoASBuiltIn(built_in_as)) - } - - /// Create and initialize AttestationService. - #[cfg(feature = "coco-as-grpc")] - pub async fn new(config: GrpcConfig) -> Result { - let pool = GrpcClientPool::new(config).await?; - Ok(Self::CoCoASgRPC(pool)) - } - - /// Create and initialize AttestationService. 
- #[cfg(feature = "intel-trust-authority-as")] - pub async fn new(config: IntelTrustAuthorityConfig) -> Result { - let ta_client = intel_trust_authority::IntelTrustAuthority::new(config).await?; - Ok(Self::IntelTA(ta_client)) - } - - pub async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result { - match self { - #[cfg(feature = "coco-as-grpc")] - AttestationService::CoCoASgRPC(inner) => inner.verify(tee, nonce, attestation).await, - #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - AttestationService::CoCoASBuiltIn(inner) => inner.verify(tee, nonce, attestation).await, - #[cfg(feature = "intel-trust-authority-as")] - AttestationService::IntelTA(inner) => inner.verify(tee, nonce, attestation).await, - } - } - - pub async fn set_policy(&self, policy_id: &str, policy: &str) -> Result<()> { - match self { - #[cfg(feature = "coco-as-grpc")] - AttestationService::CoCoASgRPC(inner) => inner.set_policy(policy_id, policy).await, - #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - AttestationService::CoCoASBuiltIn(inner) => inner.set_policy(policy_id, policy).await, - #[cfg(feature = "intel-trust-authority-as")] - AttestationService::IntelTA(inner) => inner.set_policy(policy_id, policy).await, - } - } - - pub async fn generate_challenge( - &self, - tee: Tee, - tee_parameters: serde_json::Value, - ) -> Result { - match self { - #[cfg(feature = "coco-as-grpc")] - AttestationService::CoCoASgRPC(inner) => { - inner.generate_challenge(tee, tee_parameters).await - } - #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - AttestationService::CoCoASBuiltIn(inner) => { - inner.generate_challenge(tee, tee_parameters).await - } - #[cfg(feature = "intel-trust-authority-as")] - AttestationService::IntelTA(inner) => { - inner.generate_challenge(tee, tee_parameters).await - } - } - } -} - -#[cfg(test)] -mod tests { - use super::*; - - #[tokio::test] - async fn 
test_make_nonce() { - const BITS_PER_BYTE: usize = 8; - - /// A base-64 encoded value is this many bits in length. - const BASE64_BITS_CHUNK: usize = 6; - - /// Number of bytes that base64 encoding requires the result to align on. - const BASE64_ROUNDING_MULTIPLE: usize = 4; - - /// The nominal base64 encoded length. - const BASE64_NONCE_LENGTH_UNROUNDED_BYTES: usize = - (NONCE_SIZE_BYTES * BITS_PER_BYTE) / BASE64_BITS_CHUNK; - - /// The actual base64 encoded length is rounded up to the specified multiple. - const EXPECTED_LENGTH_BYTES: usize = - BASE64_NONCE_LENGTH_UNROUNDED_BYTES.next_multiple_of(BASE64_ROUNDING_MULTIPLE); - - // Number of nonce tests to run (arbitrary) - let nonce_count = 13; - - let mut nonces = vec![]; - - for _ in 0..nonce_count { - let nonce = make_nonce().await.unwrap(); - - assert_eq!(nonce.len(), EXPECTED_LENGTH_BYTES); - - let found = nonces.contains(&nonce); +pub mod backend; +pub mod config; +pub mod session; - // The nonces should be unique - assert_eq!(found, false); +pub use backend::AttestationService; - nonces.push(nonce); - } - } -} +pub mod error; +pub use error::*; diff --git a/kbs/src/session.rs b/kbs/src/attestation/session.rs similarity index 95% rename from kbs/src/session.rs rename to kbs/src/attestation/session.rs index ec2169d3be..50892776c9 100644 --- a/kbs/src/session.rs +++ b/kbs/src/attestation/session.rs @@ -23,7 +23,6 @@ pub(crate) enum SessionStatus { }, Attested { - attestation_claims: String, token: String, id: String, timeout: OffsetDateTime, @@ -85,11 +84,10 @@ impl SessionStatus { return *self.timeout() < OffsetDateTime::now_utc(); } - pub fn attest(&mut self, attestation_claims: String, token: String) { + pub fn attest(&mut self, token: String) { match self { SessionStatus::Authed { id, timeout, .. } => { *self = SessionStatus::Attested { - attestation_claims, token, id: id.clone(), timeout: *timeout, 
diff --git a/kbs/src/http/attest.rs b/kbs/src/http/attest.rs deleted file mode 100644 index f4de7e87dc..0000000000 --- a/kbs/src/http/attest.rs +++ /dev/null 
@@ -1,153 +0,0 @@ -// Copyright (c) 2022 by Rivos Inc. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -use crate::{raise_error, session::SessionStatus}; - -use super::*; - -use anyhow::anyhow; -use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD}; -use base64::Engine; -use kbs_types::Challenge; -use log::{debug, error, info}; -use semver::{BuildMetadata, Prerelease, Version, VersionReq}; -use serde_json::json; - -static KBS_MAJOR_VERSION: u64 = 0; -static KBS_MINOR_VERSION: u64 = 1; -static KBS_PATCH_VERSION: u64 = 1; - -lazy_static! { - static ref VERSION_REQ: VersionReq = { - let kbs_version = Version { - major: KBS_MAJOR_VERSION, - minor: KBS_MINOR_VERSION, - patch: KBS_PATCH_VERSION, - pre: Prerelease::EMPTY, - build: BuildMetadata::EMPTY, - }; - - VersionReq::parse(&format!("={kbs_version}")).unwrap() - }; -} - -/// POST /auth -pub(crate) async fn auth( - request: web::Json, - map: web::Data, - timeout: web::Data, - attestation_service: web::Data>, -) -> Result { - info!("Auth API called."); - debug!("Auth Request: {:?}", &request); - let version = Version::parse(&request.version).unwrap(); - if !VERSION_REQ.matches(&version) { - raise_error!(Error::ProtocolVersion(format!( - "expected version: {}, requested version: {}", - *VERSION_REQ, - request.version.clone() - ))); - } - - let challenge = attestation_service - .generate_challenge(request.tee, request.extra_params.clone()) - .await - .map_err(|e| Error::FailedAuthentication(format!("generate challenge: {e:?}")))?; - - let session = SessionStatus::auth(request.0, **timeout, challenge) - .map_err(|e| Error::FailedAuthentication(format!("Session: {e}")))?; - - let response = HttpResponse::Ok() - .cookie(session.cookie()) - .json(session.challenge()); - - map.insert(session); - - Ok(response) -} - -/// POST /attest -pub(crate) async fn attest( - attestation: web::Json, - request: HttpRequest, - map: web::Data, - 
attestation_service: web::Data>, -) -> Result { - info!("Attest API called."); - let cookie = request.cookie(KBS_SESSION_ID).ok_or(Error::MissingCookie)?; - - let (tee, nonce) = { - let session = map - .sessions - .get_async(cookie.value()) - .await - .ok_or(Error::InvalidCookie)?; - let session = session.get(); - - debug!("Session ID {}", session.id()); - - if session.is_expired() { - raise_error!(Error::ExpiredCookie); - } - - if let SessionStatus::Attested { token, .. } = session { - debug!( - "Session {} is already attested. Skip attestation and return the old token", - session.id() - ); - let body = serde_json::to_string(&json!({ - "token": token, - })) - .map_err(|e| Error::TokenIssueFailed(format!("Serialize token failed {e}")))?; - - return Ok(HttpResponse::Ok() - .cookie(session.cookie()) - .content_type("application/json") - .body(body)); - } - - let attestation_str = serde_json::to_string_pretty(&attestation.0) - .map_err(|_| Error::AttestationFailed("Failed to serialize Attestation".into()))?; - debug!("Attestation: {attestation_str}"); - - (session.request().tee, session.challenge().nonce.to_string()) - }; - - let attestation_str = serde_json::to_string(&attestation) - .map_err(|e| Error::AttestationFailed(format!("serialize attestation failed : {e:?}")))?; - let token = attestation_service - .verify(tee, &nonce, &attestation_str) - .await - .map_err(|e| Error::AttestationFailed(format!("{e:?}")))?; - - let claims_b64 = token - .split('.') - .nth(1) - .ok_or_else(|| Error::TokenIssueFailed("Illegal token format".to_string()))?; - let claims = String::from_utf8( - URL_SAFE_NO_PAD - .decode(claims_b64) - .map_err(|e| Error::TokenIssueFailed(format!("Illegal token base64 claims: {e}")))?, - ) - .map_err(|e| Error::TokenIssueFailed(format!("Illegal token base64 claims: {e}")))?; - - let mut session = map - .sessions - .get_async(cookie.value()) - .await - .ok_or(Error::InvalidCookie)?; - let session = session.get_mut(); - - let body = 
serde_json::to_string(&json!({ - "token": token, - })) - .map_err(|e| Error::TokenIssueFailed(format!("Serialize token failed {e}")))?; - - session.attest(claims, token); - - Ok(HttpResponse::Ok() - .cookie(session.cookie()) - .content_type("application/json") - .body(body)) -} From 3e527c5223be1211bb59e201ddfe465cd0916780 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 14:54:23 +0800 Subject: [PATCH 135/298] KBS: refactor policy engine module This commit does some refactoring upon policy engine module. Including 1. Change ResourcePolicyError to PolicyEngineError. This is because in future, different client plugins would share same policy engine thus the new name will match better. 2. add a new `set_policy` api for PolicyEngine. This api will handle SetPolicyInput format request rather than the plaintext of policy. This would help to integrate into the KBS server. The plugin mechanism is by default enabled, thus we delete `opa` and `policy` feature. By default integrate `regorus` crate for policy. Signed-off-by: Xynnn007 --- kbs/Cargo.toml | 6 -- kbs/config/kubernetes/base/policy.rego | 2 +- kbs/config/kubernetes/ita/policy.rego | 2 +- kbs/src/policy_engine/error.rs | 36 +++++++ kbs/src/policy_engine/mod.rs | 95 +++++++++---------- kbs/src/policy_engine/opa/default_policy.rego | 2 +- kbs/src/policy_engine/opa/mod.rs | 60 ++++++------ 7 files changed, 119 insertions(+), 84 deletions(-) create mode 100644 kbs/src/policy_engine/error.rs diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 6ff78dd421..69e5ac914c 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -18,12 +18,6 @@ as = [] # Use CoCo-AS as backend attestation service coco-as = ["as"] -# Support resource policy for KBS -policy = [] - -# Use OPA/Rego as resource policy for KBS -opa = ["policy"] - # Use built-in CoCo-AS as backend attestation service coco-as-builtin = ["coco-as", "attestation-service/default"] 
diff --git a/kbs/config/kubernetes/base/policy.rego b/kbs/config/kubernetes/base/policy.rego index d9f9eb5328..c369cf7ce0 100644 --- a/kbs/config/kubernetes/base/policy.rego +++ b/kbs/config/kubernetes/base/policy.rego @@ -15,7 +15,7 @@ # # The variable is a KBS resource path, # which is required to be a string in three segment path format://, -# for example: "my'repo/License/key". +# for example: "repo/License/key". # # The format of Attestation Claims Input is defined by the attestation service, # and its format may look like the following: diff --git a/kbs/config/kubernetes/ita/policy.rego b/kbs/config/kubernetes/ita/policy.rego index 3c179197d2..e940d3f221 100644 --- a/kbs/config/kubernetes/ita/policy.rego +++ b/kbs/config/kubernetes/ita/policy.rego @@ -15,7 +15,7 @@ # # The variable is a KBS resource path, # which is required to be a string in three segment path format://, -# for example: "my'repo/License/key". +# for example: "repo/License/key". # # The format of Attestation Claims Input is defined by the attestation service, # and its format may look like the following: diff --git a/kbs/src/policy_engine/error.rs b/kbs/src/policy_engine/error.rs new file mode 100644 index 0000000000..0970b4b5ea --- /dev/null +++ b/kbs/src/policy_engine/error.rs 
@@ -0,0 +1,36 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use log::error; +use strum::AsRefStr; +use thiserror::Error; + +pub type Result = std::result::Result; + +#[derive(Error, AsRefStr, Debug)] +pub enum KbsPolicyEngineError { + #[error("Failed to evaluate policy {0}")] + EvaluationError(#[from] anyhow::Error), + + #[error("Failed to load data for policy")] + DataLoadError, + + #[error("Invalid resource path format")] + ResourcePathError, + + #[error("Policy IO Error: {0}")] + IOError(#[from] std::io::Error), + + #[error("Decoding (base64) policy failed: {0}")] + DecodeError(#[from] base64::DecodeError), + + #[error("Failed to load input for policy")] + InputError, + + #[error("Failed to load policy")] + PolicyLoadError, + + #[error("Set Policy request is illegal for {0}")] + IllegalSetPolicyRequest(&'static str), +} diff --git a/kbs/src/policy_engine/mod.rs b/kbs/src/policy_engine/mod.rs index 29d6926e36..995dea2bda 100644 --- a/kbs/src/policy_engine/mod.rs +++ b/kbs/src/policy_engine/mod.rs 
@@ -2,63 +2,41 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use anyhow::Result; use async_trait::async_trait; use serde::Deserialize; +use serde_json::Value; +use tokio::sync::Mutex; + use std::path::PathBuf; use std::sync::Arc; -use thiserror::Error; -use tokio::sync::Mutex; -#[cfg(feature = "opa")] mod opa; -const DEFAULT_POLICY_PATH: &str = "/opa/confidential-containers/kbs/policy.rego"; - -#[derive(Error, Debug)] -pub enum ResourcePolicyError { - #[error("Failed to evaluate resource policy {0}")] - EvaluationError(#[from] anyhow::Error), - - #[error("Failed to load data for resource policy")] - DataLoadError, +mod error; +pub use error::*; - #[error("Invalid resource path format")] - ResourcePathError, - - #[error("Resource Policy IO Error: {0}")] - IOError(#[from] std::io::Error), - - #[error("Decoding (base64) resource policy failed: {0}")] - DecodeError(#[from] base64::DecodeError), - - #[error("Failed to load input for resource policy")] - InputError, - - #[error("Failed to load resource policy")] - PolicyLoadError, -} +pub const DEFAULT_POLICY_PATH: &str = "/opt/confidential-containers/kbs/policy.rego"; /// Resource policy engine interface +/// +/// TODO: Use a better authentication and authorization policy #[async_trait] pub(crate) trait PolicyEngineInterface: Send + Sync { - /// Determine whether there is access to a specific path resource based on the input claims. + /// Determine whether there is access to a specific path based on the input claims. /// Input parameters: - /// resource_path: Required to be a string in three segment path format://, for example: "my'repo/License/key". + /// request_path: Required to be a string in segments path format:/.../, for example: "my'repo/License/key". /// input_claims: Parsed claims from Attestation Token. 
/// /// return value: - /// ([decide_result, extra_output]) + /// (decide_result) /// decide_result: Boolean value to present whether the evaluate is passed or not. - /// extra_output: original ouput from policy engine. - async fn evaluate( - &self, - resource_path: String, - input_claims: String, - ) -> Result; + async fn evaluate(&self, request_path: &str, input_claims: &str) -> Result; /// Set policy (Base64 encode) - async fn set_policy(&mut self, policy: String) -> Result<(), ResourcePolicyError>; + async fn set_policy(&mut self, policy: &str) -> Result<()>; + + /// Get policy (Base64 encode) + async fn get_policy(&self) -> Result; } /// Policy engine configuration. 
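Review bot: `DEFAULT_POLICY_PATH` moves from `/opa/confidential-containers/kbs/policy.rego` to `/opt/confidential-containers/kbs/policy.rego` in this hunk, and neither the commit message nor a comment mentions it. A deployment that relied on the old default would no longer read its existing policy file; what it gets instead depends on the creation branch in `Opa::new`, which is only partly visible on this page. A line above the constant such as `// Default moved from /opa/... to /opt/...; set policy_path explicitly to keep an existing policy file` would make the change explicit. The added trait comment also still gives `my'repo/License/key` as the example path, although the .rego files in this commit change it to `repo/License/key`.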
@@ -83,16 +61,37 @@ pub(crate) struct PolicyEngine(pub Arc>); impl PolicyEngine { /// Create and initialize PolicyEngine - pub async fn new(config: &PolicyEngineConfig) -> Result { - let policy_engine: Arc> = { - cfg_if::cfg_if! { - if #[cfg(feature = "opa")] { - Arc::new(Mutex::new(opa::Opa::new(config.policy_path.clone().unwrap_or(PathBuf::from(DEFAULT_POLICY_PATH)))?)) - } else { - compile_error!("Please enable at least one of the following features: `opa` to continue."); - } - } - }; + pub async fn new(config: &PolicyEngineConfig) -> Result { + let policy_engine: Arc> = + Arc::new(Mutex::new(opa::Opa::new(config.policy_path.clone())?)); Ok(Self(policy_engine)) } + + pub async fn evaluate(&self, request_path: &str, input_claims: &str) -> Result { + self.0 + .lock() + .await + .evaluate(request_path, input_claims) + .await + } + + pub async fn set_policy(&self, request: &[u8]) -> Result<()> { + let request: Value = serde_json::from_slice(request).map_err(|_| { + KbsPolicyEngineError::IllegalSetPolicyRequest("Illegal SetPolicy Request Json") + })?; + let policy = request + .pointer("/policy") + .ok_or(KbsPolicyEngineError::IllegalSetPolicyRequest( + "No `policy` field inside SetPolicy Request Json", + ))? + .as_str() + .ok_or(KbsPolicyEngineError::IllegalSetPolicyRequest( + "`policy` field is not a string in SetPolicy Request Json", + ))?; + self.0.lock().await.set_policy(policy).await + } + + pub async fn get_policy(&self) -> Result { + self.0.lock().await.get_policy().await + } } diff --git a/kbs/src/policy_engine/opa/default_policy.rego b/kbs/src/policy_engine/opa/default_policy.rego index 207717bdad..f3470f42e6 100644 --- a/kbs/src/policy_engine/opa/default_policy.rego +++ b/kbs/src/policy_engine/opa/default_policy.rego 
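Review bot: The new public `PolicyEngine::set_policy` takes raw request bytes, but nothing documents the expected shape; a caller has to read this body and `Opa::set_policy` to learn it. A doc comment along the lines of `/// Replace the policy. The request is a JSON object whose "policy" field holds the policy text in URL-safe base64 without padding.` would cover it. The serde error is also dropped by `map_err(|_| ...)`, so a rejected request yields only the fixed string; logging the parse error at debug level would help operators diagnose it.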
@@ -15,7 +15,7 @@ # # The variable is a KBS resource path, # which is required to be a string in three segment path format://, -# for example: "my'repo/License/key". +# for example: "repo/License/key". # # The format of Attestation Claims Input is defined by the attestation service, # and its format may look like the following: diff --git a/kbs/src/policy_engine/opa/mod.rs b/kbs/src/policy_engine/opa/mod.rs index 054d920cc8..372ec54e02 100644 --- a/kbs/src/policy_engine/opa/mod.rs +++ b/kbs/src/policy_engine/opa/mod.rs @@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use crate::policy_engine::{PolicyEngineInterface, ResourcePolicyError}; +use crate::policy_engine::{KbsPolicyEngineError, PolicyEngineInterface}; use async_trait::async_trait; use base64::Engine; use std::fs; @@ -14,7 +14,7 @@ pub struct Opa { } impl Opa { - pub fn new(policy_path: PathBuf) -> Result { + pub fn new(policy_path: PathBuf) -> Result { std::fs::create_dir_all(policy_path.parent().unwrap())?; if !policy_path.as_path().exists() { 
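Review bot: `policy_path.parent().unwrap()` in `Opa::new` panics when the configured path has no parent (an empty string or `/`), and in this commit the path is passed straight from `config.policy_path`. Returning an error keeps a bad configuration value from aborting start-up with a panic: `let dir = policy_path.parent().ok_or(KbsPolicyEngineError::PolicyLoadError)?;` followed by `std::fs::create_dir_all(dir)?;`. The body of `Opa::new` continues outside the hunk.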
@@ -30,41 +30,47 @@ impl Opa { impl PolicyEngineInterface for Opa { async fn evaluate( &self, - resource_path: String, - input_claims: String, - ) -> Result { + resource_path: &str, + input_claims: &str, + ) -> Result { let mut engine = regorus::Engine::new(); // Add policy as data engine .add_policy_from_file(self.policy_path.clone()) - .map_err(|_| ResourcePolicyError::PolicyLoadError)?; + .map_err(|_| KbsPolicyEngineError::PolicyLoadError)?; // Add resource path as data let resource_path_object = regorus::Value::from_json_str(&format!("{{\"resource-path\":\"{}\"}}", resource_path)) - .map_err(|_| ResourcePolicyError::ResourcePathError)?; + .map_err(|_| KbsPolicyEngineError::ResourcePathError)?; engine .add_data(resource_path_object) - .map_err(|_| ResourcePolicyError::DataLoadError)?; + .map_err(|_| KbsPolicyEngineError::DataLoadError)?; // Add TCB claims as input engine - .set_input_json(&input_claims) - .map_err(|_| ResourcePolicyError::InputError)?; + .set_input_json(input_claims) + .map_err(|_| KbsPolicyEngineError::InputError)?; let res = engine.eval_bool_query("data.policy.allow".to_string(), false)?; Ok(res) } - async fn set_policy(&mut self, policy: String) -> Result<(), ResourcePolicyError> { + async fn set_policy(&mut self, policy: &str) -> Result<(), KbsPolicyEngineError> { let policy_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(policy)?; tokio::fs::write(&self.policy_path, policy_bytes).await?; Ok(()) } + + async fn get_policy(&self) -> Result { + let policy = tokio::fs::read(&self.policy_path).await?; + let policy = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(policy); + Ok(policy) + } } #[cfg(test)] 
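Review bot: In `evaluate`, `resource_path` is spliced into a JSON document with `format!("{{\"resource-path\":\"{}\"}}", resource_path)`, so a value containing a double quote or backslash either fails to parse or adds extra members to the data document the policy reads. The trait comment calls this argument a request path, so it presumably originates from the request URL and should be treated as untrusted. Letting a serializer do the escaping removes the problem: `let resource_path_object = regorus::Value::from_json_str(&serde_json::json!({ "resource-path": resource_path }).to_string())`, with the existing `map_err` kept. The test case that passes `"\""` and expects `ResourcePathError` would then need a new expectation, since the quote would be escaped rather than rejected.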
@@ -76,20 +82,20 @@ mod tests { use serde_json::json; use tempfile::{NamedTempFile, TempDir}; - fn compare_errors(a: ResourcePolicyError, b: ResourcePolicyError) -> bool { + fn compare_errors(a: KbsPolicyEngineError, b: KbsPolicyEngineError) -> bool { match (a, b) { ( - ResourcePolicyError::EvaluationError(_a), - ResourcePolicyError::EvaluationError(_b), + KbsPolicyEngineError::EvaluationError(_a), + KbsPolicyEngineError::EvaluationError(_b), ) => true, - (ResourcePolicyError::DataLoadError, ResourcePolicyError::DataLoadError) => true, - (ResourcePolicyError::ResourcePathError, ResourcePolicyError::ResourcePathError) => { + (KbsPolicyEngineError::DataLoadError, KbsPolicyEngineError::DataLoadError) => true, + (KbsPolicyEngineError::ResourcePathError, KbsPolicyEngineError::ResourcePathError) => { true } - (ResourcePolicyError::IOError(_a), ResourcePolicyError::IOError(_b)) => true, - (ResourcePolicyError::DecodeError(_a), ResourcePolicyError::DecodeError(_b)) => true, - (ResourcePolicyError::InputError, ResourcePolicyError::InputError) => true, - (ResourcePolicyError::PolicyLoadError, ResourcePolicyError::PolicyLoadError) => true, + (KbsPolicyEngineError::IOError(_a), KbsPolicyEngineError::IOError(_b)) => true, + (KbsPolicyEngineError::DecodeError(_a), KbsPolicyEngineError::DecodeError(_b)) => true, + (KbsPolicyEngineError::InputError, KbsPolicyEngineError::InputError) => true, + (KbsPolicyEngineError::PolicyLoadError, KbsPolicyEngineError::PolicyLoadError) => true, _ => false, } } @@ -106,7 +112,7 @@ mod tests { .to_string() } - async fn set_policy_from_file(opa: &mut Opa, path: &str) -> Result<(), ResourcePolicyError> { + async fn set_policy_from_file(opa: &mut Opa, path: &str) -> Result<(), KbsPolicyEngineError> { let policy = std::fs::read(PathBuf::from(path.to_string())).unwrap(); let policy = URL_SAFE_NO_PAD.encode(policy); 
@@ -128,7 +134,7 @@ mod tests { let res = opa.set_policy(malformed_policy).await; assert!(matches!( res.err().unwrap(), - ResourcePolicyError::DecodeError(base64::DecodeError::InvalidLastSymbol(_, _)) + KbsPolicyEngineError::DecodeError(base64::DecodeError::InvalidLastSymbol(_, _)) )); // IOError @@ -136,7 +142,7 @@ mod tests { let res = set_policy_from_file(&mut opa, "test/data/policy_1.rego").await; assert!(matches!( res.err().unwrap(), - ResourcePolicyError::IOError(_) + KbsPolicyEngineError::IOError(_) )); } @@ -150,21 +156,21 @@ mod tests { "\"", "", 1, - Err(ResourcePolicyError::ResourcePathError) + Err(KbsPolicyEngineError::ResourcePathError) )] #[case( "test/data/policy_invalid_1.rego", "my_repo/Alice/key", "Alice", 1, - Err(ResourcePolicyError::PolicyLoadError) + Err(KbsPolicyEngineError::PolicyLoadError) )] #[case( "test/data/policy_invalid_2.rego", "my_repo/Alice/key", "Alice", 1, - Err(ResourcePolicyError::EvaluationError(anyhow::anyhow!("test"))) + Err(KbsPolicyEngineError::EvaluationError(anyhow::anyhow!("test"))) )] #[case("test/data/policy_5.rego", "myrepo/secret/secret1", "n", 2, Ok(true))] #[case("test/data/policy_5.rego", "myrepo/secret/secret1", "n", 1, Ok(false))] @@ -179,7 +185,7 @@ mod tests { #[case] resource_path: &str, #[case] input_name: &str, #[case] input_svn: u64, - #[case] expected: Result, + #[case] expected: Result, ) { let tmp_file = NamedTempFile::new().unwrap(); let mut opa = Opa::new(tmp_file.path().to_path_buf()).unwrap(); From bca12d7319748e8b2f27b43ac6295adb2fe21007 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 14:58:15 +0800 Subject: [PATCH 136/298] KBS: add Admin auth module This module brings all admin authentication logic together. Currently it allows to use a public key to verify the admin access. 
Signed-off-by: Xynnn007 --- kbs/src/admin/config.rs | 30 +++++++++++++++++++++ kbs/src/admin/error.rs | 30 +++++++++++++++++++++ kbs/src/admin/mod.rs | 58 +++++++++++++++++++++++++++++++++++++++++ kbs/src/auth.rs | 25 ------------------ 4 files changed, 118 insertions(+), 25 deletions(-) create mode 100644 kbs/src/admin/config.rs create mode 100644 kbs/src/admin/error.rs create mode 100644 kbs/src/admin/mod.rs delete mode 100644 kbs/src/auth.rs diff --git a/kbs/src/admin/config.rs b/kbs/src/admin/config.rs new file mode 100644 index 0000000000..050ef250c4 --- /dev/null +++ b/kbs/src/admin/config.rs @@ -0,0 +1,30 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use std::path::PathBuf; + +use serde::Deserialize; + +pub const DEFAULT_INSECURE_API: bool = false; + +#[derive(Clone, Debug, Deserialize, PartialEq)] +pub struct AdminConfig { + /// Public key used to authenticate the resource registration endpoint token (JWT). + /// Only JWTs signed with the corresponding private keys are authenticated. + pub auth_public_key: Option, + + /// Insecure HTTP APIs. + /// WARNING: Using this option enables KBS insecure APIs such as Resource Registration without + /// verifying the JWK. + pub insecure_api: bool, +} + +impl Default for AdminConfig { + fn default() -> Self { + Self { + auth_public_key: None, + insecure_api: DEFAULT_INSECURE_API, + } + } +} diff --git a/kbs/src/admin/error.rs b/kbs/src/admin/error.rs new file mode 100644 index 0000000000..2c21f631d4 --- /dev/null +++ b/kbs/src/admin/error.rs 
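Review bot: The doc comment on `insecure_api` says the APIs run "without verifying the JWK", but the field above it describes a JWT checked against a public key, so this presumably means JWT: `/// verifying the JWT.`. Because `Admin::try_from` in this commit returns before reading `auth_public_key` when `insecure_api` is true, the comment should also say that a configured key is ignored in that mode.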
@@ -0,0 +1,30 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use log::error; +use strum::AsRefStr; +use thiserror::Error; + +pub type Result = std::result::Result; + +#[derive(Error, AsRefStr, Debug)] +pub enum Error { + #[error("Admin Token verification failed")] + JwtVerificationFailed { + #[source] + source: jwt_simple::Error, + }, + + #[error("`auth_public_key` is not set in the config file")] + NoPublicKeyGiven, + + #[error("Failed to parse admin public key")] + ParsePublicKey(#[from] jwt_simple::Error), + + #[error("Failed to parse HTTP Auth Bearer header")] + ParseAuthHeaderFailed(#[from] actix_web::error::ParseError), + + #[error("Read admin public key failed")] + ReadPublicKey(#[from] std::io::Error), +} diff --git a/kbs/src/admin/mod.rs b/kbs/src/admin/mod.rs new file mode 100644 index 0000000000..f5a376a7b5 --- /dev/null +++ b/kbs/src/admin/mod.rs 
@@ -0,0 +1,58 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use actix_web::{http::header::Header, HttpRequest}; +use actix_web_httpauth::headers::authorization::{Authorization, Bearer}; +use config::AdminConfig; +use jwt_simple::{ + claims::NoCustomClaims, + common::VerificationOptions, + prelude::{Ed25519PublicKey, EdDSAPublicKeyLike}, +}; + +pub mod config; +pub mod error; +pub use error::*; +use log::warn; + +#[derive(Default, Clone)] +pub struct Admin { + public_key: Option, +} + +impl TryFrom for Admin { + type Error = Error; + + fn try_from(value: AdminConfig) -> Result { + if value.insecure_api { + warn!("insecure admin APIs are enabled"); + return Ok(Admin::default()); + } + + let key_path = value.auth_public_key.ok_or(Error::NoPublicKeyGiven)?; + let user_public_key_pem = std::fs::read_to_string(key_path)?; + let key = Ed25519PublicKey::from_pem(&user_public_key_pem)?; + Ok(Self { + public_key: Some(key), + }) + } +} + +impl Admin { + pub(crate) fn validate_auth(&self, request: &HttpRequest) -> Result<()> { + let Some(public_key) = &self.public_key else { + return Ok(()); + }; + + let bearer = Authorization::::parse(request)?.into_scheme(); + + let token = bearer.token(); + + let _claims = public_key + .verify_token::(token, Some(VerificationOptions::default())) + .map_err(|e| Error::JwtVerificationFailed { source: e })?; + + Ok(()) + } +} diff --git a/kbs/src/auth.rs b/kbs/src/auth.rs deleted file mode 100644 index 053f22ce15..0000000000 --- a/kbs/src/auth.rs +++ /dev/null 
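Review bot: `Admin` derives `Default`, and the default value has `public_key: None`, which `validate_auth` treats as "accept every request"; any `Admin::default()` built outside the `insecure_api` branch therefore disables admin authentication without the warning being logged. Dropping `Default` from the derive and writing the insecure case explicitly, `return Ok(Admin { public_key: None });`, keeps the open mode reachable only through the config flag. `try_from` also discards `auth_public_key` silently when `insecure_api` is true; a second `warn!` for that combination would make the misconfiguration visible. Token checks use `VerificationOptions::default()` with `NoCustomClaims`, so as far as this hunk shows no issuer, audience or subject is pinned and any token signed by the key is accepted.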
@@ -1,25 +0,0 @@ -// Copyright (c) 2023 by Alibaba. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -use actix_web::http::header::Header; -use actix_web::HttpRequest; -use actix_web_httpauth::headers::authorization::{Authorization, Bearer}; -use anyhow::{Context, Result}; -use jwt_simple::prelude::{ - Ed25519PublicKey, EdDSAPublicKeyLike, NoCustomClaims, VerificationOptions, -}; - -pub(crate) fn validate_auth(request: &HttpRequest, public_key: &Ed25519PublicKey) -> Result<()> { - let bearer = Authorization::::parse(request) - .context("parse Authorization header failed")? - .into_scheme(); - - let token = bearer.token(); - - let _claims = public_key - .verify_token::(token, Some(VerificationOptions::default())) - .context("token verification failed")?; - - Ok(()) -} From 065e115c18121f32eb9bfc3ba9082d44cd4918fa Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 15:01:26 +0800 Subject: [PATCH 137/298] KBS: add Plugins module The Plugins module could provide a plugin way for developers to extend the ability of KBS client APIs. This also provides a Sample implementation for example. The oroginal resource is refactored into plugins as a plugin. Also, we change both `read_secret_resource` and `write_secret_resource` to Fn rather than FnMut. This leaves the synchronization handling to concrete underlying plugins, thus promote the performance because we can avoid a global Mutex. 
Signed-off-by: Xynnn007 --- Cargo.lock | 13 +- kbs/Cargo.toml | 1 + kbs/src/http/resource.rs | 240 ------------------ kbs/src/jwe.rs | 65 +++++ kbs/src/plugins/implementations/mod.rs | 9 + .../implementations}/resource/aliyun_kms.rs | 14 +- .../implementations/resource/backend.rs | 157 ++++++++++++ .../implementations}/resource/local_fs.rs | 50 ++-- .../plugins/implementations/resource/mod.rs | 73 ++++++ kbs/src/plugins/implementations/sample.rs | 64 +++++ kbs/src/plugins/mod.rs | 10 + kbs/src/plugins/plugin_manager.rs | 120 +++++++++ kbs/src/resource/mod.rs | 106 -------- 13 files changed, 544 insertions(+), 378 deletions(-) delete mode 100644 kbs/src/http/resource.rs create mode 100644 kbs/src/jwe.rs create mode 100644 kbs/src/plugins/implementations/mod.rs rename kbs/src/{ => plugins/implementations}/resource/aliyun_kms.rs (79%) create mode 100644 kbs/src/plugins/implementations/resource/backend.rs rename kbs/src/{ => plugins/implementations}/resource/local_fs.rs (64%) create mode 100644 kbs/src/plugins/implementations/resource/mod.rs create mode 100644 kbs/src/plugins/implementations/sample.rs create mode 100644 kbs/src/plugins/mod.rs create mode 100644 kbs/src/plugins/plugin_manager.rs delete mode 100644 kbs/src/resource/mod.rs diff --git a/Cargo.lock b/Cargo.lock index dda1e68a14..bcf09686ba 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2676,6 +2676,7 @@ dependencies = [ "openssl", "prost 0.12.6", "rand", + "regex", "regorus", "reqwest 0.12.8", "rsa 0.9.6", @@ -4073,9 +4074,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.6" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" +checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191" dependencies = [ "aho-corasick", "memchr", 
@@ -4085,9 +4086,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.6" +version = "0.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "86b83b8b9847f9bf95ef68afb0b8e6cdb80f498442f5179a29fad448fcc1eaea" +checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" dependencies = [ "aho-corasick", "memchr", @@ -4096,9 +4097,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.3" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "adad44e29e4c806119491a7f06f03de4d1af22c3a680dd47f1e6e179439d1f56" +checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" [[package]] name = "regorus" diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 69e5ac914c..6414ebdc1e 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -54,6 +54,7 @@ log.workspace = true mobc = { version = "0.8.3", optional = true } prost = { workspace = true, optional = true } rand = "0.8.5" +regex = "1.11.1" regorus.workspace = true reqwest = { workspace = true, features = ["json"], optional = true } rsa = { version = "0.9.2", optional = true, features = ["sha2"] } diff --git a/kbs/src/http/resource.rs b/kbs/src/http/resource.rs deleted file mode 100644 index ee5e6e66bf..0000000000 --- a/kbs/src/http/resource.rs +++ /dev/null 
@@ -1,240 +0,0 @@ -// Copyright (c) 2022 by Rivos Inc. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -use actix_web::{http::header::Header, web::Bytes}; -use actix_web_httpauth::headers::authorization::{Authorization, Bearer}; -use aes_gcm::{aead::Aead, Aes256Gcm, KeyInit, Nonce}; -use anyhow::{anyhow, bail}; -use base64::engine::general_purpose::URL_SAFE_NO_PAD; -use base64::Engine; -use kbs_types::{Response, TeePubKey}; -use log::{debug, error, info}; -use rand::{rngs::OsRng, Rng}; -use rsa::{BigUint, Pkcs1v15Encrypt, RsaPublicKey}; -use serde::Deserialize; -use serde_json::{json, Deserializer, Value}; - -use crate::{raise_error, token::TokenVerifier}; - -use super::*; - -#[allow(unused_assignments)] -/// GET /resource/{repository}/{type}/{tag} -/// GET /resource/{type}/{tag} -pub(crate) async fn get_resource( - request: HttpRequest, - repository: web::Data>>, - #[cfg(feature = "as")] map: web::Data, - token_verifier: web::Data, - #[cfg(feature = "policy")] policy_engine: web::Data, -) -> Result { - #[allow(unused_mut)] - let mut claims_option = None; - #[cfg(feature = "as")] - { - claims_option = get_attest_claims_from_session(&request, map).await.ok(); - } - let claims_str = if let Some(c) = claims_option { - debug!("Get pkey from session."); - c - } else { - debug!("Get pkey from auth header"); - get_attest_claims_from_header(&request, &token_verifier).await? 
- }; - let claims: Value = serde_json::from_str(&claims_str).map_err(|e| { - Error::AttestationClaimsParseFailed(format!("illegal attestation claims: {e}")) - })?; - - let pubkey = token_verifier.extract_tee_public_key(claims).map_err(|e| { - Error::AttestationClaimsParseFailed(format!( - "Failed to extract public key in attestation claims: {e:?}" - )) - })?; - - let resource_description = ResourceDesc { - repository_name: request - .match_info() - .get("repository") - .unwrap_or("default") - .to_string(), - resource_type: request - .match_info() - .get("type") - .ok_or_else(|| Error::InvalidRequest(String::from("no `type` in url")))? - .to_string(), - resource_tag: request - .match_info() - .get("tag") - .ok_or_else(|| Error::InvalidRequest(String::from("no `tag` in url")))? - .to_string(), - }; - - if !resource_description.is_valid() { - return Err(Error::InvalidRequest("Invalid resource path".to_string())); - } - - info!( - "Get resource from kbs:///{}/{}/{}", - resource_description.repository_name, - resource_description.resource_type, - resource_description.resource_tag - ); - - #[cfg(feature = "policy")] - { - let resource_path = format!( - "{}/{}/{}", - resource_description.repository_name, - resource_description.resource_type, - resource_description.resource_tag - ); - let resource_allowed = policy_engine - .0 - .lock() - .await - .evaluate(resource_path, claims_str) - .await - .map_err(|e| Error::PolicyEngineFailed(e.to_string()))?; - - if !resource_allowed { - raise_error!(Error::PolicyReject); - } - - info!("Resource access request passes policy check."); - } - - let resource_byte = repository - .read() - .await - .read_secret_resource(resource_description) - .await - .map_err(|e| Error::ReadSecretFailed(format!("{e:?}")))?; - - let jwe = jwe(pubkey, resource_byte)?; - - let res = serde_json::to_string(&jwe).map_err(|e| Error::JWEFailed(e.to_string()))?; - - Ok(HttpResponse::Ok() - .content_type("application/json") - .body(res)) -} - -#[cfg(feature = 
"as")] -async fn get_attest_claims_from_session( - request: &HttpRequest, - map: web::Data, -) -> Result { - // check cookie - - use crate::session::SessionStatus; - let cookie = request - .cookie(KBS_SESSION_ID) - .ok_or(Error::UnAuthenticatedCookie)?; - - let session = map - .sessions - .get_async(cookie.value()) - .await - .ok_or(Error::UnAuthenticatedCookie)?; - - let session = session.get(); - - info!("Cookie {} request to get resource", session.id()); - - if session.is_expired() { - error!("Expired KBS cookie {}", cookie.value()); - raise_error!(Error::ExpiredCookie); - } - - let SessionStatus::Attested { - attestation_claims, .. - } = session - else { - raise_error!(Error::UnAuthenticatedCookie); - }; - - Ok(attestation_claims.to_owned()) -} - -async fn get_attest_claims_from_header( - request: &HttpRequest, - token_verifier: &web::Data, -) -> Result { - let bearer = Authorization::::parse(request) - .map_err(|e| Error::InvalidRequest(format!("parse Authorization header failed: {e}")))? 
- .into_scheme(); - - let token = bearer.token().to_string(); - - let claims = token_verifier - .verify(token) - .await - .map_err(|e| Error::TokenParseFailed(format!("verify token failed: {e:?}")))?; - let claims = serde_json::to_string(&claims) - .map_err(|_| Error::TokenParseFailed("failed to serialize claims".into()))?; - Ok(claims) -} - -const RSA_ALGORITHM: &str = "RSA1_5"; -const AES_GCM_256_ALGORITHM: &str = "A256GCM"; - -pub(crate) fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { - let TeePubKey::RSA { alg, k_mod, k_exp } = tee_pub_key else { - raise_error!(Error::JWEFailed(format!( - "key type is not TeePubKey::RSA but {:?}", - tee_pub_key - ))); - }; - - if alg != *RSA_ALGORITHM { - raise_error!(Error::JWEFailed(format!( - "algorithm is not {RSA_ALGORITHM} but {}", - alg - ))); - } - - let mut rng = rand::thread_rng(); - - let aes_sym_key = Aes256Gcm::generate_key(&mut OsRng); - let cipher = Aes256Gcm::new(&aes_sym_key); - let iv = rng.gen::<[u8; 12]>(); - let nonce = Nonce::from_slice(&iv); - let encrypted_payload_data = cipher - .encrypt(nonce, payload_data.as_slice()) - .map_err(|e| Error::JWEFailed(format!("AES encrypt Resource payload failed: {e:?}")))?; - - let k_mod = URL_SAFE_NO_PAD - .decode(k_mod) - .map_err(|e| Error::JWEFailed(format!("base64 decode k_mod failed: {e:?}")))?; - let n = BigUint::from_bytes_be(&k_mod); - let k_exp = URL_SAFE_NO_PAD - .decode(k_exp) - .map_err(|e| Error::JWEFailed(format!("base64 decode k_exp failed: {e:?}")))?; - let e = BigUint::from_bytes_be(&k_exp); - - let rsa_pub_key = RsaPublicKey::new(n, e).map_err(|e| { - Error::JWEFailed(format!( - "Building RSA key from modulus and exponent failed: {e:?}" - )) - })?; - let sym_key: &[u8] = aes_sym_key.as_slice(); - let wrapped_sym_key = rsa_pub_key - .encrypt(&mut rng, Pkcs1v15Encrypt, sym_key) - .map_err(|e| Error::JWEFailed(format!("RSA encrypt sym key failed: {e:?}")))?; - - let protected_header = json!( - { - "alg": RSA_ALGORITHM.to_string(), - "enc": 
AES_GCM_256_ALGORITHM.to_string(), - }); - - Ok(Response { - protected: serde_json::to_string(&protected_header) - .map_err(|e| Error::JWEFailed(format!("serde protected_header failed: {e}")))?, - encrypted_key: URL_SAFE_NO_PAD.encode(wrapped_sym_key), - iv: URL_SAFE_NO_PAD.encode(iv), - ciphertext: URL_SAFE_NO_PAD.encode(encrypted_payload_data), - tag: "".to_string(), - }) -} diff --git a/kbs/src/jwe.rs b/kbs/src/jwe.rs new file mode 100644 index 0000000000..44e68d1b11 --- /dev/null +++ b/kbs/src/jwe.rs 
@@ -0,0 +1,65 @@
+// Copyright (c) 2024 by Alibaba.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use aes_gcm::{aead::Aead, Aes256Gcm, KeyInit, Nonce};
+use anyhow::{anyhow, bail, Context, Result};
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+use kbs_types::{Response, TeePubKey};
+use rand::{rngs::OsRng, Rng};
+use rsa::{BigUint, Pkcs1v15Encrypt, RsaPublicKey};
+use serde_json::json;
+
+const RSA_ALGORITHM: &str = "RSA1_5";
+const AES_GCM_256_ALGORITHM: &str = "A256GCM";
+
+pub fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result {
+ let TeePubKey::RSA { alg, k_mod, k_exp } = tee_pub_key else {
+ bail!("Only RSA key is support for TEE pub key")
+ };
+
+ if alg != *RSA_ALGORITHM {
+ bail!("algorithm is not {RSA_ALGORITHM} but {alg}");
+ }
+
+ let mut rng = rand::thread_rng();
+
+ let aes_sym_key = Aes256Gcm::generate_key(&mut OsRng);
+ let cipher = Aes256Gcm::new(&aes_sym_key);
+ let iv = rng.gen::<[u8; 12]>();
+ let nonce = Nonce::from_slice(&iv);
+ let encrypted_payload_data = cipher
+ .encrypt(nonce, payload_data.as_slice())
+ .map_err(|e| anyhow!("AES encrypt Resource payload failed: {e}"))?;
+
+ let k_mod = URL_SAFE_NO_PAD
+ .decode(k_mod)
+ .context("base64 decode k_mod failed")?;
+ let n = BigUint::from_bytes_be(&k_mod);
+ let k_exp = URL_SAFE_NO_PAD
+ .decode(k_exp)
+ .context("base64 decode k_exp failed")?;
+ let e = BigUint::from_bytes_be(&k_exp);
+
+ let rsa_pub_key =
+ RsaPublicKey::new(n, e).context("Building RSA key from modulus and exponent failed")?;
+ let sym_key: &[u8] = aes_sym_key.as_slice();
+ let wrapped_sym_key = rsa_pub_key
+ .encrypt(&mut rng, Pkcs1v15Encrypt, sym_key)
+ .context("RSA encrypt sym key failed")?;
+
+ let protected_header = json!(
+ {
+ "alg": RSA_ALGORITHM.to_string(),
+ "enc": AES_GCM_256_ALGORITHM.to_string(),
+ });
+
+ Ok(Response {
+ protected: serde_json::to_string(&protected_header)
+ .context("serde protected_header
failed")?, + encrypted_key: URL_SAFE_NO_PAD.encode(wrapped_sym_key), + iv: URL_SAFE_NO_PAD.encode(iv), + ciphertext: URL_SAFE_NO_PAD.encode(encrypted_payload_data), + tag: "".to_string(), + }) +} diff --git a/kbs/src/plugins/implementations/mod.rs b/kbs/src/plugins/implementations/mod.rs new file mode 100644 index 0000000000..8bf856bbf1 --- /dev/null +++ b/kbs/src/plugins/implementations/mod.rs @@ -0,0 +1,9 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +pub mod resource; +pub mod sample; + +pub use resource::{RepositoryConfig, ResourceStorage}; +pub use sample::{Sample, SampleConfig}; diff --git a/kbs/src/resource/aliyun_kms.rs b/kbs/src/plugins/implementations/resource/aliyun_kms.rs similarity index 79% rename from kbs/src/resource/aliyun_kms.rs rename to kbs/src/plugins/implementations/resource/aliyun_kms.rs index 0c380f67fb..50833412d5 100644 --- a/kbs/src/resource/aliyun_kms.rs +++ b/kbs/src/plugins/implementations/resource/aliyun_kms.rs @@ -2,13 +2,13 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use super::{Repository, ResourceDesc}; -use anyhow::{Context, Result}; +use super::{Error, Repository, ResourceDesc, Result}; +use anyhow::Context; use kms::{plugins::aliyun::AliyunKmsClient, Annotations, Getter}; use log::info; use serde::Deserialize; -#[derive(Debug, Deserialize, Clone)] +#[derive(Debug, Deserialize, Clone, PartialEq)] pub struct AliyunKmsBackendConfig { client_key: String, kms_instance_id: String, 
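Review bot: The protected header built at the end of `jwe` is never authenticated: `cipher.encrypt(nonce, payload_data.as_slice())` runs with empty associated data, and the response carries `tag: "".to_string()` while the GCM tag stays appended to `ciphertext`. RFC 7516 expects the AAD to be the base64url-encoded protected header and the tag to travel in its own field, so the `alg`/`enc` values are not bound to the ciphertext and a standard JWE implementation would not accept this output. Serialising `protected` first, encrypting with `aes_gcm::aead::Payload { msg: &payload_data, aad: protected_b64.as_bytes() }` and moving the trailing 16 bytes into `tag` would close this, though it has to be coordinated with the client that decrypts. Separately, nothing here enforces a minimum modulus size for the attester-supplied key before the AES key is wrapped with it; a guard such as `if n.bits() < 2048 { bail!("RSA modulus is too small") }` ahead of `RsaPublicKey::new(n, e)` is worth adding.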
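Review bot: The new import `use super::{Error, Repository, ResourceDesc, Result};` names items that the parent module shown in this patch does not appear to provide: `resource/backend.rs` defines the trait as `StorageBackend` (and `local_fs.rs` was switched to it), and no `Error` type with an `AliyunError` variant is visible in `resource/mod.rs` or `backend.rs`. If that holds, the crate does not build with the `aliyun` feature enabled, and `Arc::new(client)` in `ResourceStorage::try_from` needs `AliyunKmsBackend` to implement `StorageBackend`. The minimal change mirrors `local_fs.rs`: `use super::{ResourceDesc, StorageBackend};`, `impl StorageBackend for AliyunKmsBackend`, and dropping the `.map_err(|e| Error::AliyunError { source: e })` calls added in the `@@ -32,12 +32,13 @@` and `@@ -53,7 +54,8 @@` hunks in favour of the `anyhow` context already attached. A CI build with `--features aliyun` would catch this kind of drift.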
@@ -32,12 +32,13 @@ impl Repository for AliyunKmsBackend { .client .get_secret(&name, &Annotations::default()) .await - .context("failed to get resource from aliyun KMS")?; + .context("failed to get resource from aliyun KMS") + .map_err(|e| Error::AliyunError { source: e })?; Ok(resource_bytes) } async fn write_secret_resource( - &mut self, + &self, _resource_desc: ResourceDesc, _data: &[u8], ) -> Result<()> { @@ -53,7 +54,8 @@ impl AliyunKmsBackend { &repo_desc.password, &repo_desc.cert_pem, ) - .context("create aliyun KMS backend")?; + .context("create aliyun KMS backend") + .map_err(|e| Error::AliyunError { source: e })?; Ok(Self { client }) } } diff --git a/kbs/src/plugins/implementations/resource/backend.rs b/kbs/src/plugins/implementations/resource/backend.rs new file mode 100644 index 0000000000..c1228c8ff7 --- /dev/null +++ b/kbs/src/plugins/implementations/resource/backend.rs 
@@ -0,0 +1,157 @@
+// Copyright (c) 2023 by Alibaba.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use std::sync::{Arc, OnceLock};
+
+use anyhow::{bail, Context, Error, Result};
+use regex::Regex;
+use serde::Deserialize;
+
+use super::local_fs;
+
+type RepositoryInstance = Arc;
+
+/// Interface of a `Repository`.
+#[async_trait::async_trait]
+pub trait StorageBackend: Send + Sync {
+ /// Read secret resource from repository.
+ async fn read_secret_resource(&self, resource_desc: ResourceDesc) -> Result>;
+
+ /// Write secret resource into repository
+ async fn write_secret_resource(&self, resource_desc: ResourceDesc, data: &[u8]) -> Result<()>;
+}
+
+#[derive(Debug, Clone, PartialEq)]
+pub struct ResourceDesc {
+ pub repository_name: String,
+ pub resource_type: String,
+ pub resource_tag: String,
+}
+
+static CELL: OnceLock = OnceLock::new();
+
+impl TryFrom<&str> for ResourceDesc {
+ type Error = Error;
+
+ fn try_from(value: &str) -> Result {
+ let regex = CELL.get_or_init(|| {
+ Regex::new(
+ r"^((?[a-zA-Z0-9_\-]+)/)?(?[a-zA-Z0-9_\-]+)/(?[a-zA-Z0-9_\-]+)$",
+ )
+ .unwrap()
+ });
+ let Some(captures) = regex.captures(value) else {
+ bail!("illegal ResourceDesc format.");
+ };
+
+ Ok(Self {
+ repository_name: captures
+ .name("repo")
+ .map(|s| s.into())
+ .unwrap_or("default")
+ .into(),
+ resource_type: captures["type"].into(),
+ resource_tag: captures["tag"].into(),
+ })
+ }
+}
+
+#[derive(Clone, Debug, Deserialize, PartialEq)]
+#[serde(tag = "type")]
+pub enum RepositoryConfig {
+ LocalFs(local_fs::LocalFsRepoDesc),
+
+ #[cfg(feature = "aliyun")]
+ #[serde(alias = "aliyun")]
+ Aliyun(super::aliyun_kms::AliyunKmsBackendConfig),
+}
+
+impl Default for RepositoryConfig {
+ fn default() -> Self {
+ Self::LocalFs(local_fs::LocalFsRepoDesc::default())
+ }
+}
+
+#[derive(Clone)]
+pub struct ResourceStorage {
+ backend: RepositoryInstance,
+}
+
+impl TryFrom for ResourceStorage {
+ type Error =
Error;
+
+ fn try_from(value: RepositoryConfig) -> Result {
+ match value {
+ RepositoryConfig::LocalFs(desc) => {
+ let backend = local_fs::LocalFs::new(&desc)
+ .context("Failed to initialize Resource Storage")?;
+ Ok(Self {
+ backend: Arc::new(backend),
+ })
+ }
+ #[cfg(feature = "aliyun")]
+ RepositoryConfig::Aliyun(config) => {
+ let client = super::aliyun_kms::AliyunKmsBackend::new(&config)?;
+ Ok(Self {
+ backend: Arc::new(client),
+ })
+ }
+ }
+ }
+}
+
+impl ResourceStorage {
+ pub(crate) async fn set_secret_resource(
+ &self,
+ resource_desc: ResourceDesc,
+ data: &[u8],
+ ) -> Result<()> {
+ self.backend
+ .write_secret_resource(resource_desc, data)
+ .await
+ }
+
+ pub(crate) async fn get_secret_resource(&self, resource_desc: ResourceDesc) -> Result> {
+ self.backend.read_secret_resource(resource_desc).await
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use rstest::rstest;
+
+ use super::ResourceDesc;
+
+ #[rstest]
+ #[case("default/1/2", Some(ResourceDesc {
+ repository_name: "default".into(),
+ resource_type: "1".into(),
+ resource_tag: "2".into(),
+ }))]
+ #[case("/1/2", None)]
+ #[case("/repo/type/tag", None)]
+ #[case("repo/type/tag", Some(ResourceDesc {
+ repository_name: "repo".into(),
+ resource_type: "type".into(),
+ resource_tag: "tag".into(),
+ }))]
+ #[case("1/2", Some(ResourceDesc {
+ repository_name: "default".into(),
+ resource_type: "1".into(),
+ resource_tag: "2".into(),
+ }))]
+ #[case("123--_default/1Abff-_/___-afds44BC", Some(ResourceDesc {
+ repository_name: "123--_default".into(),
+ resource_type: "1Abff-_".into(),
+ resource_tag: "___-afds44BC".into(),
+ }))]
+ fn parse_resource_desc(#[case] desc: &str, #[case] expected: Option) {
+ let parsed = ResourceDesc::try_from(desc);
+ if expected.is_none() {
+ assert!(parsed.is_err());
+ } else {
+ assert_eq!(parsed.unwrap(), expected.unwrap());
+ }
+ }
+}
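Review bot: The `parse_resource_desc` cases do not pin the path-traversal property that the regex in `TryFrom<&str> for ResourceDesc` now carries alone, since `ResourceDesc::is_valid()` is deleted elsewhere in this patch and `LocalFs` pushes the three fields straight onto the repository path. Adding rejections such as `#[case("../type/tag", None)]`, `#[case("repo/../tag", None)]` and `#[case("repo/type/..", None)]` would make any later widening of the character class fail the tests. A short doc comment on the `impl` stating that the allowed set `[a-zA-Z0-9_\-]` is a security boundary for path-based backends would make that intent explicit.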
diff --git a/kbs/src/resource/local_fs.rs b/kbs/src/plugins/implementations/resource/local_fs.rs similarity index 64% rename from kbs/src/resource/local_fs.rs rename to kbs/src/plugins/implementations/resource/local_fs.rs index 99640be00c..8ec7201a13 100644 --- a/kbs/src/resource/local_fs.rs +++ b/kbs/src/plugins/implementations/resource/local_fs.rs @@ -2,22 +2,25 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use super::{Repository, ResourceDesc}; +use super::{ResourceDesc, StorageBackend}; use anyhow::{Context, Result}; use serde::Deserialize; -use std::path::{Path, PathBuf}; +use std::{ + fs, + path::{Path, PathBuf}, +}; pub const DEFAULT_REPO_DIR_PATH: &str = "/opt/confidential-containers/kbs/repository"; -#[derive(Debug, Deserialize, Clone)] +#[derive(Debug, Deserialize, Clone, PartialEq)] pub struct LocalFsRepoDesc { - pub dir_path: Option, + pub dir_path: String, } impl Default for LocalFsRepoDesc { fn default() -> Self { Self { - dir_path: Some(DEFAULT_REPO_DIR_PATH.to_string()), + dir_path: DEFAULT_REPO_DIR_PATH.into(), } } } @@ -27,7 +30,7 @@ pub struct LocalFs { } #[async_trait::async_trait] -impl Repository for LocalFs { +impl StorageBackend for LocalFs { async fn read_secret_resource(&self, resource_desc: ResourceDesc) -> Result> { let mut resource_path = PathBuf::from(&self.repo_dir_path); @@ -43,11 +46,7 @@ impl Repository for LocalFs { Ok(resource_byte) } - async fn write_secret_resource( - &mut self, - resource_desc: ResourceDesc, - data: &[u8], - ) -> Result<()> { + async fn write_secret_resource(&self, resource_desc: ResourceDesc, data: &[u8]) -> Result<()> { let mut resource_path = PathBuf::from(&self.repo_dir_path); resource_path.push(resource_desc.repository_name); resource_path.push(resource_desc.resource_type); 
@@ -60,6 +59,11 @@ impl Repository for LocalFs { resource_path.push(resource_desc.resource_tag); + // Note that the local fs does not handle synchronization conditions + // because it is only for test use case and we assume the write request + // will not happen togetherly with reads. + // If it is to be used in productive scenarios, it is recommended that + // the storage is marked as read-only and written out-of-band. tokio::fs::write(resource_path, data) .await .context("write local fs") @@ -67,21 +71,27 @@ impl Repository for LocalFs { } impl LocalFs { - pub fn new(repo_desc: &LocalFsRepoDesc) -> Result { + pub fn new(repo_desc: &LocalFsRepoDesc) -> anyhow::Result { + // Create repository dir. + if !Path::new(&repo_desc.dir_path).exists() { + fs::create_dir_all(&repo_desc.dir_path)?; + } + // Create default repo. + if !Path::new(&format!("{}/default", &repo_desc.dir_path)).exists() { + fs::create_dir_all(format!("{}/default", &repo_desc.dir_path))?; + } + Ok(Self { - repo_dir_path: repo_desc - .dir_path - .clone() - .unwrap_or(DEFAULT_REPO_DIR_PATH.to_string()), + repo_dir_path: repo_desc.dir_path.clone(), }) } } #[cfg(test)] mod tests { - use crate::resource::{ + use super::super::{ local_fs::{LocalFs, LocalFsRepoDesc}, - Repository, ResourceDesc, + ResourceDesc, StorageBackend, }; const TEST_DATA: &[u8] = b"testdata"; @@ -90,10 +100,10 @@ mod tests { async fn write_and_read_resource() { let tmp_dir = tempfile::tempdir().expect("create temp dir failed"); let repo_desc = LocalFsRepoDesc { - dir_path: Some(tmp_dir.path().to_string_lossy().to_string()), + dir_path: tmp_dir.path().to_string_lossy().to_string(), }; - let mut local_fs = LocalFs::new(&repo_desc).expect("create local fs failed"); + let local_fs = LocalFs::new(&repo_desc).expect("create local fs failed"); let resource_desc = ResourceDesc { repository_name: "default".into(), resource_type: "test".into(), 
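Review bot: In the `@@ -67,21 +71,27 @@` hunk, `LocalFs::new` creates the secret repository with `fs::create_dir_all`, which leaves the directory mode to the process umask; for a directory that stores KBS secrets an explicit owner-only mode is the safer default. On Unix this can be `fs::DirBuilder::new().recursive(true).mode(0o700).create(Path::new(&repo_desc.dir_path).join("default"))?;` with `std::os::unix::fs::DirBuilderExt` in scope. That single call also makes both `exists()` checks unnecessary, because recursive creation succeeds when the directory is already there, and it replaces the `format!("{}/default", …)` string building with a path join. `write_secret_resource` is only partly visible in these hunks, so whether it creates sub-directories the same way should be checked against the full file.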
diff --git a/kbs/src/plugins/implementations/resource/mod.rs b/kbs/src/plugins/implementations/resource/mod.rs
new file mode 100644
index 0000000000..a3b90b1fd3
--- /dev/null
+++ b/kbs/src/plugins/implementations/resource/mod.rs
@@ -0,0 +1,73 @@
+// Copyright (c) 2024 by Alibaba.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+pub mod local_fs;
+
+#[cfg(feature = "aliyun")]
+pub mod aliyun_kms;
+
+use actix_web::http::Method;
+use anyhow::{bail, Context, Result};
+
+pub mod backend;
+pub use backend::*;
+
+use super::super::plugin_manager::ClientPlugin;
+
+#[async_trait::async_trait]
+impl ClientPlugin for ResourceStorage {
+ async fn handle(
+ &self,
+ body: &[u8],
+ _query: &str,
+ path: &str,
+ method: &Method,
+ ) -> Result> {
+ let resource_desc = path
+ .strip_prefix('/')
+ .context("accessed path is illegal, should start with `/`")?;
+ match method.as_str() {
+ "POST" => {
+ let resource_description = ResourceDesc::try_from(resource_desc)?;
+ self.set_secret_resource(resource_description, body).await?;
+ Ok(vec![])
+ }
+ "GET" => {
+ let resource_description = ResourceDesc::try_from(resource_desc)?;
+ let resource = self.get_secret_resource(resource_description).await?;
+
+ Ok(resource)
+ }
+ _ => bail!("Illegal HTTP method. Only supports `GET` and `POST`"),
+ }
+ }
+
+ async fn validate_auth(
+ &self,
+ _body: &[u8],
+ _query: &str,
+ _path: &str,
+ method: &Method,
+ ) -> Result {
+ if method.as_str() == "POST" {
+ return Ok(true);
+ }
+
+ Ok(false)
+ }
+
+ async fn encrypted(
+ &self,
+ _body: &[u8],
+ _query: &str,
+ _path: &str,
+ method: &Method,
+ ) -> Result {
+ if method.as_str() == "GET" {
+ return Ok(true);
+ }
+
+ Ok(false)
+ }
+}
diff --git a/kbs/src/plugins/implementations/sample.rs b/kbs/src/plugins/implementations/sample.rs
new file mode 100644
index 0000000000..ad04b72495
--- /dev/null
+++ b/kbs/src/plugins/implementations/sample.rs
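Review bot: `validate_auth` fails open for anything that is not `POST`: it returns `Ok(false)` for every other method, so the admin check is skipped by default and only the `_ => bail!` arm in `handle` stops an unexpected method. Inverting the test to `Ok(*method != Method::GET)` keeps today's behaviour for `GET` and `POST` and means a write-style method added to `handle` later is admin-gated unless someone deliberately opts out. Comparing against the `Method::GET`/`Method::POST` constants rather than `method.as_str()` strings also removes the chance of a silent typo. A doc comment on the `impl` recording the two invariants (writes require admin auth, reads are returned only inside the TEE-key-encrypted response) would make the policy reviewable in one place.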
@@ -0,0 +1,64 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +//! This is a sample to implement a client plugin + +use actix_web::http::Method; +use anyhow::Result; +use serde::Deserialize; + +use super::super::plugin_manager::ClientPlugin; + +#[derive(Deserialize, Clone, Debug, PartialEq)] +pub struct SampleConfig { + pub item: String, +} + +pub struct Sample { + _item: String, +} + +impl TryFrom for Sample { + type Error = anyhow::Error; + + fn try_from(value: SampleConfig) -> anyhow::Result { + Ok(Self { _item: value.item }) + } +} + +#[async_trait::async_trait] +impl ClientPlugin for Sample { + async fn handle( + &self, + _body: &[u8], + _query: &str, + _path: &str, + _method: &Method, + ) -> Result> { + Ok("sample plugin response".as_bytes().to_vec()) + } + + async fn validate_auth( + &self, + _body: &[u8], + _query: &str, + _path: &str, + _method: &Method, + ) -> Result { + Ok(true) + } + + /// Whether the body needs to be encrypted via TEE key pair. + /// If returns `Ok(true)`, the KBS server will encrypt the whole body + /// with TEE key pair and use KBS protocol's Response format. + async fn encrypted( + &self, + _body: &[u8], + _query: &str, + _path: &str, + _method: &Method, + ) -> Result { + Ok(false) + } +} diff --git a/kbs/src/plugins/mod.rs b/kbs/src/plugins/mod.rs new file mode 100644 index 0000000000..ec0bdf59ee --- /dev/null +++ b/kbs/src/plugins/mod.rs @@ -0,0 +1,10 @@ +// Copyright (c) 2024 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +pub mod plugin_manager; + +pub mod implementations; +pub use implementations::*; + +pub use plugin_manager::{PluginManager, PluginsConfig}; diff --git a/kbs/src/plugins/plugin_manager.rs b/kbs/src/plugins/plugin_manager.rs new file mode 100644 index 0000000000..f558aa64f8 --- /dev/null 
+++ b/kbs/src/plugins/plugin_manager.rs 
@@ -0,0 +1,120 @@
+// Copyright (c) 2024 by Alibaba.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use std::{collections::HashMap, fmt::Display, sync::Arc};
+
+use actix_web::http::Method;
+use anyhow::{Context, Error, Result};
+use serde::Deserialize;
+
+use super::{sample, RepositoryConfig, ResourceStorage};
+
+type ClientPluginInstance = Arc;
+
+#[async_trait::async_trait]
+pub trait ClientPlugin: Send + Sync {
+ /// This function is the entry to a client plugin. The function
+ /// marks `&self` rather than `&mut self`, because it will leave
+ /// state and synchronization issues down to the concrete plugin.
+ ///
+ /// TODO: change body from Vec slice into Reader to apply for large
+ /// body stream.
+ async fn handle(
+ &self,
+ body: &[u8],
+ query: &str,
+ path: &str,
+ method: &Method,
+ ) -> Result>;
+
+ /// Whether the concrete request needs to validate the admin auth.
+ /// If returns `Ok(true)`, the KBS server will perform an admin auth
+ /// validation before handle the request.
+ async fn validate_auth(
+ &self,
+ body: &[u8],
+ query: &str,
+ path: &str,
+ method: &Method,
+ ) -> Result;
+
+ /// Whether the body needs to be encrypted via TEE key pair.
+ /// If returns `Ok(true)`, the KBS server will encrypt the whole body
+ /// with TEE key pair and use KBS protocol's Response format.
+ async fn encrypted(
+ &self,
+ body: &[u8],
+ query: &str,
+ path: &str,
+ method: &Method,
+ ) -> Result;
+}
+
+#[derive(Deserialize, Clone, Debug, PartialEq)]
+#[serde(tag = "name")]
+pub enum PluginsConfig {
+ #[serde(alias = "sample")]
+ Sample(sample::SampleConfig),
+
+ #[serde(alias = "resource")]
+ ResourceStorage(RepositoryConfig),
+}
+
+impl Display for PluginsConfig {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ match self {
+ PluginsConfig::Sample(_) => f.write_str("sample"),
+ PluginsConfig::ResourceStorage(_) => f.write_str("resource"),
+ }
+ }
+}
+
+impl TryInto for PluginsConfig {
+ type Error = Error;
+
+ fn try_into(self) -> Result {
+ let plugin = match self {
+ PluginsConfig::Sample(cfg) => {
+ let sample_plugin =
+ sample::Sample::try_from(cfg).context("Initialize 'Sample' plugin failed")?;
+ Arc::new(sample_plugin) as _
+ }
+ PluginsConfig::ResourceStorage(repository_config) => {
+ let resource_storage = ResourceStorage::try_from(repository_config)
+ .context("Initialize 'Resource' plugin failed")?;
+ Arc::new(resource_storage) as _
+ }
+ };
+
+ Ok(plugin)
+ }
+}
+
+/// [`PluginManager`] manages different kinds of plugins.
+#[derive(Clone)]
+pub struct PluginManager {
+ plugins: HashMap,
+}
+
+impl TryFrom> for PluginManager {
+ type Error = Error;
+
+ fn try_from(value: Vec) -> Result {
+ let plugins = value
+ .into_iter()
+ .map(|cfg| {
+ let name = cfg.to_string();
+ let plugin: ClientPluginInstance = cfg.try_into()?;
+ Ok((name, plugin))
+ })
+ .collect::>>()?;
+ Ok(Self { plugins })
+ }
+}
+
+impl PluginManager {
+ pub fn get(&self, name: &str) -> Option {
+ self.plugins.get(name).cloned()
+ }
+}
diff --git a/kbs/src/resource/mod.rs b/kbs/src/resource/mod.rs
deleted file mode 100644
index 7f5ce4228a..0000000000
--- a/kbs/src/resource/mod.rs
+++ /dev/null
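Review bot: `PluginManager::try_from` collects into a `HashMap` keyed by the `Display` name, so two `PluginsConfig` entries of the same kind (for example two `resource` blocks pointing at different backends) silently collapse to whichever comes last. For the component that decides which storage serves secrets, a configuration mistake like that should stop start-up rather than pick a winner. The rewrite below inserts one entry at a time and fails on a repeat; `anyhow::bail!` is written with its path because this file imports only `Context`, `Error` and `Result`.

```rust
// … unchanged: `fn try_from` signature …
        let mut plugins = HashMap::new();
        for cfg in value {
            let name = cfg.to_string();
            let plugin: ClientPluginInstance = cfg.try_into()?;
            // A repeated name would otherwise replace the earlier plugin without notice.
            if plugins.insert(name.clone(), plugin).is_some() {
                anyhow::bail!("plugin `{name}` is configured more than once");
            }
        }
        Ok(Self { plugins })
```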
@@ -1,106 +0,0 @@ -// Copyright (c) 2023 by Alibaba. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -use anyhow::*; -use serde::Deserialize; -use std::fs; -use std::path::Path; -use std::sync::Arc; -use tokio::sync::RwLock; - -mod local_fs; - -#[cfg(feature = "aliyun")] -mod aliyun_kms; - -/// Interface of a `Repository`. -#[async_trait::async_trait] -pub trait Repository { - /// Read secret resource from repository. - async fn read_secret_resource(&self, resource_desc: ResourceDesc) -> Result>; - - /// Write secret resource into repository - async fn write_secret_resource( - &mut self, - resource_desc: ResourceDesc, - data: &[u8], - ) -> Result<()>; -} - -#[derive(Debug, Clone)] -pub struct ResourceDesc { - pub repository_name: String, - pub resource_type: String, - pub resource_tag: String, -} - -impl ResourceDesc { - pub fn is_valid(&self) -> bool { - if &self.repository_name == "." - || &self.repository_name == ".." - || &self.resource_type == "." - || &self.resource_type == ".." - { - return false; - } - true - } -} - -#[derive(Clone, Debug, Deserialize)] -#[serde(tag = "type")] -pub enum RepositoryConfig { - LocalFs(local_fs::LocalFsRepoDesc), - - #[cfg(feature = "aliyun")] - Aliyun(aliyun_kms::AliyunKmsBackendConfig), -} - -impl RepositoryConfig { - pub fn initialize(&self) -> Result>> { - match self { - Self::LocalFs(desc) => { - // Create repository dir. - let dir_path = desc - .dir_path - .clone() - .unwrap_or(local_fs::DEFAULT_REPO_DIR_PATH.to_string()); - - if !Path::new(&dir_path).exists() { - fs::create_dir_all(&dir_path)?; - } - // Create default repo. 
- if !Path::new(&format!("{}/default", &dir_path)).exists() { - fs::create_dir_all(format!("{}/default", &dir_path))?; - } - - Ok(Arc::new(RwLock::new(local_fs::LocalFs::new(desc)?)) - as Arc>) - } - #[cfg(feature = "aliyun")] - Self::Aliyun(config) => { - let client = aliyun_kms::AliyunKmsBackend::new(config)?; - Ok(Arc::new(RwLock::new(client)) as Arc>) - } - } - } -} - -impl Default for RepositoryConfig { - fn default() -> Self { - Self::LocalFs(local_fs::LocalFsRepoDesc::default()) - } -} - -pub(crate) async fn set_secret_resource( - repository: &Arc>, - resource_desc: ResourceDesc, - data: &[u8], -) -> Result<()> { - repository - .write() - .await - .write_secret_resource(resource_desc, data) - .await -} From 100cf3d8b0df5c4355ca20b504e366aa92f66e04 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 15:08:14 +0800 Subject: [PATCH 138/298] KBS: Use new launch Config This is mostly a refactoring patch for KBS. It brings API serving into one function, and will perform different sub-function due to the requested plugin name. This also changes all configuration codes to have a default value. This patch would have some compatibility issue as it changes the old configuration format. The old configuration format is not well classified. This patch tidies the configuration items. 
Signed-off-by: Xynnn007 --- attestation-service/src/config.rs | 4 +- attestation-service/src/lib.rs | 6 +- attestation-service/src/rvps/mod.rs | 6 +- attestation-service/src/token/mod.rs | 15 +- attestation-service/src/token/simple.rs | 1 - kbs/src/api_server.rs | 317 +++++++++++ kbs/src/attestation/coco/grpc.rs | 41 +- .../attestation/intel_trust_authority/mod.rs | 2 +- kbs/src/bin/kbs.rs | 54 +- kbs/src/config.rs | 490 ++++++++++++++++-- kbs/src/error.rs | 126 +++++ kbs/src/http.rs | 27 + kbs/src/http/config.rs | 131 ----- kbs/src/http/error.rs | 157 ------ kbs/src/http/mod.rs | 41 -- kbs/src/lib.rs | 268 +--------- kbs/src/policy_engine/mod.rs | 6 +- kbs/src/policy_engine/opa/mod.rs | 8 +- kbs/test_data/configs/coco-as-builtin-1.toml | 8 + kbs/test_data/configs/coco-as-builtin-2.toml | 23 + kbs/test_data/configs/coco-as-builtin-3.toml | 28 + kbs/test_data/configs/coco-as-grpc-1.toml | 29 ++ kbs/test_data/configs/coco-as-grpc-2.toml | 12 + kbs/test_data/configs/coco-as-grpc-3.toml | 12 + kbs/test_data/configs/intel-ta-1.toml | 30 ++ kbs/test_data/configs/intel-ta-2.toml | 17 + kbs/test_data/configs/intel-ta-3.toml | 14 + 27 files changed, 1148 insertions(+), 725 deletions(-) create mode 100644 kbs/src/api_server.rs create mode 100644 kbs/src/error.rs create mode 100644 kbs/src/http.rs delete mode 100644 kbs/src/http/config.rs delete mode 100644 kbs/src/http/error.rs delete mode 100644 kbs/src/http/mod.rs create mode 100644 kbs/test_data/configs/coco-as-builtin-1.toml create mode 100644 kbs/test_data/configs/coco-as-builtin-2.toml create mode 100644 kbs/test_data/configs/coco-as-builtin-3.toml create mode 100644 kbs/test_data/configs/coco-as-grpc-1.toml create mode 100644 kbs/test_data/configs/coco-as-grpc-2.toml create mode 100644 kbs/test_data/configs/coco-as-grpc-3.toml create mode 100644 kbs/test_data/configs/intel-ta-1.toml create mode 100644 kbs/test_data/configs/intel-ta-2.toml create mode 100644 kbs/test_data/configs/intel-ta-3.toml 
diff --git a/attestation-service/src/config.rs b/attestation-service/src/config.rs index e2becb1b68..232567648f 100644 --- a/attestation-service/src/config.rs +++ b/attestation-service/src/config.rs @@ -10,7 +10,7 @@ use thiserror::Error; const AS_WORK_DIR: &str = "AS_WORK_DIR"; const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/attestation-service"; -#[derive(Clone, Debug, Deserialize)] +#[derive(Clone, Debug, Deserialize, PartialEq)] pub struct Config { /// The location for Attestation Service to store data. pub work_dir: PathBuf, @@ -19,6 +19,7 @@ pub struct Config { pub policy_engine: String, /// Configurations for RVPS. + #[serde(default)] pub rvps_config: RvpsConfig, /// The Attestation Result Token Broker type. @@ -28,6 +29,7 @@ pub struct Config { pub attestation_token_broker: AttestationTokenBrokerType, /// The Attestation Result Token Broker Config + #[serde(default)] pub attestation_token_config: AttestationTokenConfig, } diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index 207bf25ff8..6e66c722e6 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs @@ -6,9 +6,9 @@ pub mod config; pub mod policy_engine; -mod rvps; -mod token; -mod utils; +pub mod rvps; +pub mod token; +pub mod utils; use crate::token::AttestationTokenBroker; diff --git a/attestation-service/src/rvps/mod.rs b/attestation-service/src/rvps/mod.rs index fe43a7f159..4e34ce847e 100644 --- a/attestation-service/src/rvps/mod.rs +++ b/attestation-service/src/rvps/mod.rs @@ -5,7 +5,9 @@ use anyhow::Result; use log::{info, warn}; -use reference_value_provider_service::config::{Config as RvpsCrateConfig, DEFAULT_STORAGE_TYPE}; +pub use reference_value_provider_service::config::{ + Config as RvpsCrateConfig, DEFAULT_STORAGE_TYPE, +}; use serde::Deserialize; use serde_json::{json, Value}; use thiserror::Error; 
@@ -38,7 +40,7 @@ fn default_store_config() -> Value { json!({}) } -#[derive(Deserialize, Clone, Debug)] +#[derive(Deserialize, Clone, Debug, PartialEq)] pub struct RvpsConfig { /// Address of remote RVPS. If this field is given, a remote RVPS will be connected to. /// If this field is not given, a built-in RVPS will be used. diff --git a/attestation-service/src/token/mod.rs b/attestation-service/src/token/mod.rs index 7212b37e33..1af172196a 100644 --- a/attestation-service/src/token/mod.rs +++ b/attestation-service/src/token/mod.rs @@ -6,12 +6,12 @@ use anyhow::*; use serde::Deserialize; use serde_json::Value; -use simple::COCO_AS_ISSUER_NAME; use strum::{Display, EnumString}; mod simple; -const DEFAULT_TOKEN_TIMEOUT: i64 = 5; +pub const COCO_AS_ISSUER_NAME: &str = "CoCo-Attestation-Service"; +pub const DEFAULT_TOKEN_TIMEOUT: i64 = 5; pub trait AttestationTokenBroker { /// Issue an signed attestation token with custom claims. @@ -23,7 +23,7 @@ pub trait AttestationTokenBroker { fn pubkey_jwks(&self) -> Result; } -#[derive(Deserialize, Debug, Clone, EnumString, Display)] +#[derive(Deserialize, Debug, Clone, EnumString, Display, PartialEq)] pub enum AttestationTokenBrokerType { Simple, } @@ -42,9 +42,10 @@ impl AttestationTokenBrokerType { } } -#[derive(Deserialize, Debug, Clone)] +#[derive(Deserialize, Debug, Clone, PartialEq)] pub struct AttestationTokenConfig { /// The Attestation Result Token duration time(in minute) + #[serde(default = "default_duration_min")] pub duration_min: i64, #[serde(default = "default_issuer_name")] @@ -53,11 +54,15 @@ pub struct AttestationTokenConfig { pub signer: Option, } +fn default_duration_min() -> i64 { + DEFAULT_TOKEN_TIMEOUT +} + fn default_issuer_name() -> String { COCO_AS_ISSUER_NAME.to_string() } -#[derive(Deserialize, Debug, Clone)] +#[derive(Deserialize, Debug, Clone, PartialEq)] pub struct TokenSignerConfig { pub key_path: String, pub cert_url: Option, 
diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs index 23281c3237..4b20e4ebee 100644 --- a/attestation-service/src/token/simple.rs +++ b/attestation-service/src/token/simple.rs @@ -18,7 +18,6 @@ use serde_json::{json, Value}; use crate::token::{AttestationTokenBroker, AttestationTokenConfig}; -pub const COCO_AS_ISSUER_NAME: &str = "CoCo-Attestation-Service"; const RSA_KEY_BITS: u32 = 2048; const SIMPLE_TOKEN_ALG: &str = "RS384"; diff --git a/kbs/src/api_server.rs b/kbs/src/api_server.rs new file mode 100644 index 0000000000..8d4f05772d --- /dev/null +++ b/kbs/src/api_server.rs 
@@ -0,0 +1,317 @@ +// Copyright (c) 2023 by Rivos Inc. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use actix_web::{ + http::{header::Header, Method}, + middleware, web, App, HttpRequest, HttpResponse, HttpServer, +}; +use actix_web_httpauth::headers::authorization::{Authorization, Bearer}; +use anyhow::Context; +use log::info; + +use crate::{ + admin::Admin, config::KbsConfig, jwe::jwe, plugins::PluginManager, policy_engine::PolicyEngine, + resource::ResourceDesc, token::TokenVerifier, Error, Result, +}; + +const KBS_PREFIX: &str = "/kbs/v0"; + +macro_rules! kbs_path { + ($path:expr) => { + format!("{}/{}", KBS_PREFIX, $path) + }; +} + +/// The KBS API server +#[derive(Clone)] +pub struct ApiServer { + plugin_manager: PluginManager, + + #[cfg(feature = "resource")] + resource_storage: crate::resource::ResourceStorage, + + #[cfg(feature = "as")] + attestation_service: crate::attestation::AttestationService, + + policy_engine: PolicyEngine, + admin_auth: Admin, + config: KbsConfig, + token_verifier: TokenVerifier, +} + +impl ApiServer { + async fn get_attestation_token(&self, request: &HttpRequest) -> anyhow::Result { + #[cfg(feature = "as")] + if let Ok(token) = self + .attestation_service + .get_attest_token_from_session(request) + .await + { + return Ok(token); + } + + let bearer = Authorization::::parse(request) + .context("parse Authorization header failed")? 
+ .into_scheme(); + + let token = bearer.token().to_string(); + + Ok(token) + } + + pub async fn new(config: KbsConfig) -> Result { + let plugin_manager = PluginManager::try_from(config.client_plugins.clone())?; + let token_verifier = TokenVerifier::from_config(config.attestation_token.clone()).await?; + let policy_engine = PolicyEngine::new(&config.policy_engine).await?; + let admin_auth = Admin::try_from(config.admin.clone())?; + + #[cfg(feature = "resource")] + let resource_storage = + crate::resource::ResourceStorage::try_from(config.repository.clone())?; + + #[cfg(feature = "as")] + let attestation_service = + crate::attestation::AttestationService::new(config.attestation_service.clone()).await?; + + Ok(Self { + config, + plugin_manager, + policy_engine, + admin_auth, + token_verifier, + + #[cfg(feature = "resource")] + resource_storage, + + #[cfg(feature = "as")] + attestation_service, + }) + } + + /// Start the HTTP server and serve API requests. + pub async fn serve(self) -> Result<()> { + info!( + "Starting HTTP{} server at {:?}", + if !self.config.http_server.insecure_http { + "S" + } else { + "" + }, + self.config.http_server.sockets + ); + + let http_config = self.config.http_server.clone(); + let http_server = HttpServer::new({ + move || { + let api_server = self.clone(); + App::new() + .wrap(middleware::Logger::default()) + .app_data(web::Data::new(api_server)) + .service( + web::resource([kbs_path!("{plugin}{sub_path:.*}")]) + .route(web::get().to(client)) + .route(web::post().to(client)), + ) + .service( + web::resource([kbs_path!("admin/{plugin}/{sub_path:.*}")]) + .route(web::get().to(admin)) + .route(web::post().to(admin)), + ) + } + }); + + if !http_config.insecure_http { + let tls_server = http_server + .bind_openssl( + &http_config.sockets[..], + crate::http::tls_config(&http_config) + .map_err(|e| Error::HTTPSFailed { source: e })?, + ) + .map_err(|e| Error::HTTPSFailed { source: e.into() })?; + + return tls_server + .run() + .await + 
.map_err(|e| Error::HTTPSFailed { source: e.into() }); + } + + http_server + .bind(&http_config.sockets[..]) + .map_err(|e| Error::HTTPFailed { source: e.into() })? + .run() + .await + .map_err(|e| Error::HTTPFailed { source: e.into() }) + } +} + +/// Client APIs. /kbs/v0/XXX +pub(crate) async fn client( + request: HttpRequest, + body: web::Bytes, + core: web::Data, +) -> Result { + let query = request.query_string(); + let plugin_name = request + .match_info() + .get("plugin") + .ok_or(Error::IllegalAccessedPath { + path: request.path().to_string(), + })?; + let sub_path = request + .match_info() + .get("sub_path") + .ok_or(Error::IllegalAccessedPath { + path: request.path().to_string(), + })?; + + let end_point = format!("{plugin_name}{sub_path}"); + + match plugin_name { + #[cfg(feature = "as")] + "auth" if request.method() == Method::POST => core + .attestation_service + .auth(&body) + .await + .map_err(From::from), + #[cfg(feature = "as")] + "attest" if request.method() == Method::POST => core + .attestation_service + .attest(&body, request) + .await + .map_err(From::from), + #[cfg(feature = "as")] + "attestation-policy" if request.method() == Method::POST => { + core.admin_auth.validate_auth(&request)?; + + core.attestation_service.set_policy(&body).await?; + + Ok(HttpResponse::Ok().finish()) + } + "resource-policy" if request.method() == Method::POST => { + core.admin_auth.validate_auth(&request)?; + + core.policy_engine.set_policy(&body).await?; + + Ok(HttpResponse::Ok().finish()) + } + #[cfg(feature = "resource")] + "resource" => { + if request.method() == Method::GET { + // Resource APIs needs to be authorized by the Token and policy + let resource_desc = + sub_path + .strip_prefix('/') + .ok_or(Error::IllegalAccessedPath { + path: end_point.clone(), + })?; + + let token = core + .get_attestation_token(&request) + .await + .map_err(|_| Error::TokenNotFound)?; + + let claims = core.token_verifier.verify(token).await?; + + let claim_str = 
serde_json::to_string(&claims)?; + if !core + .policy_engine + .evaluate(resource_desc, &claim_str) + .await? + { + return Err(Error::PolicyDeny); + }; + + let resource_description = ResourceDesc::try_from(resource_desc)?; + let resource = core + .resource_storage + .get_secret_resource(resource_description) + .await?; + + let public_key = core.token_verifier.extract_tee_public_key(claims)?; + let jwe = jwe(public_key, resource).map_err(|e| Error::JweError { source: e })?; + + let res = serde_json::to_string(&jwe)?; + + Ok(HttpResponse::Ok() + .content_type("application/json") + .body(res)) + } else if request.method() == Method::POST { + let resource_desc = + sub_path + .strip_prefix('/') + .ok_or(Error::IllegalAccessedPath { + path: end_point.clone(), + })?; + let resource_description = ResourceDesc::try_from(resource_desc)?; + core.admin_auth.validate_auth(&request)?; + core.resource_storage + .set_secret_resource(resource_description, &body) + .await?; + + Ok(HttpResponse::Ok().content_type("application/json").body("")) + } else { + Ok(HttpResponse::NotImplemented() + .content_type("application/json") + .body("")) + } + } + plugin_name => { + // Plugin calls needs to be authorized by the Token and policy + let token = core + .get_attestation_token(&request) + .await + .map_err(|_| Error::TokenNotFound)?; + + let claims = core.token_verifier.verify(token).await?; + + let claim_str = serde_json::to_string(&claims)?; + + // TODO: add policy filter support for other plugins + if !core.policy_engine.evaluate(&end_point, &claim_str).await? { + return Err(Error::PolicyDeny); + } + + let plugin = core + .plugin_manager + .get(plugin_name) + .ok_or(Error::PluginNotFound { + plugin_name: plugin_name.to_string(), + })?; + let body = body.to_vec(); + let response = plugin + .handle(body, query.into(), sub_path.into(), request.method()) + .await?; + Ok(response) + } + } +} + +/// Admin APIs. 
+pub(crate) async fn admin( + request: HttpRequest, + _body: web::Bytes, + core: web::Data, +) -> Result { + // Admin APIs needs to be authorized by the admin asymmetric key + core.admin_auth.validate_auth(&request)?; + + let plugin_name = request + .match_info() + .get("plugin") + .ok_or(Error::IllegalAccessedPath { + path: request.path().to_string(), + })?; + let sub_path = request + .match_info() + .get("sub_path") + .ok_or(Error::IllegalAccessedPath { + path: request.path().to_string(), + })?; + + info!("Admin plugin {plugin_name} with path {sub_path} called"); + + // TODO: add admin path handlers + let response = HttpResponse::NotFound().body("no admin plugin found"); + Ok(response) +} diff --git a/kbs/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs index 7e4d9a3dab..064a3ea66d 100644 --- a/kbs/src/attestation/coco/grpc.rs +++ b/kbs/src/attestation/coco/grpc.rs @@ -30,17 +30,27 @@ pub const DEFAULT_POOL_SIZE: u64 = 100; pub const COCO_AS_HASH_ALGORITHM: &str = "sha384"; -#[derive(Clone, Debug, Deserialize)] +#[derive(Clone, Debug, Deserialize, PartialEq)] pub struct GrpcConfig { - as_addr: Option, - pool_size: Option, + #[serde(default = "default_as_addr")] + pub(crate) as_addr: String, + #[serde(default = "default_pool_size")] + pub(crate) pool_size: u64, +} + +fn default_as_addr() -> String { + DEFAULT_AS_ADDR.to_string() +} + +fn default_pool_size() -> u64 { + DEFAULT_POOL_SIZE } impl Default for GrpcConfig { fn default() -> Self { Self { - as_addr: Some(DEFAULT_AS_ADDR.to_string()), - pool_size: Some(DEFAULT_POOL_SIZE), + as_addr: DEFAULT_AS_ADDR.to_string(), + pool_size: DEFAULT_POOL_SIZE, } } } 
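Review bot: In `serve`, the catch-all resource `kbs_path!("{plugin}{sub_path:.*}")` is registered before `kbs_path!("admin/{plugin}/{sub_path:.*}")`, so a request to `/kbs/v0/admin/...` appears to match the first pattern with `plugin = "admin"` and go to `client`, never reaching `admin` and its `validate_auth` call. If actix-web tries services in registration order, as I believe it does, register the admin resource first or have `client` reject `admin` as a plugin name explicitly. Separately, in the `resource` POST branch of `client`, `ResourceDesc::try_from(resource_desc)?` runs before `core.admin_auth.validate_auth(&request)?`. Moving the auth check to the top of that branch keeps unauthenticated callers away from the path parser.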
@@ -51,19 +61,14 @@ pub struct GrpcClientPool { impl GrpcClientPool { pub async fn new(config: GrpcConfig) -> Result { - let as_addr = config.as_addr.unwrap_or_else(|| { - log::info!("Default remote AS address ({DEFAULT_AS_ADDR}) is used"); - DEFAULT_AS_ADDR.to_string() - }); - - let pool_size = config.pool_size.unwrap_or_else(|| { - log::info!("Default AS connection pool size ({DEFAULT_POOL_SIZE}) is used"); - DEFAULT_POOL_SIZE - }); - - info!("connect to remote AS [{as_addr}] with pool size {pool_size}"); - let manager = GrpcManager { as_addr }; - let pool = Mutex::new(Pool::builder().max_open(pool_size).build(manager)); + info!( + "connect to remote AS [{}] with pool size {}", + config.as_addr, config.pool_size + ); + let manager = GrpcManager { + as_addr: config.as_addr, + }; + let pool = Mutex::new(Pool::builder().max_open(config.pool_size).build(manager)); Ok(Self { pool }) } diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index bbfe6f8890..9cc9a073d4 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -76,7 +76,7 @@ struct ErrorResponse { error: String, } -#[derive(Clone, Debug, Deserialize)] +#[derive(Clone, Debug, Deserialize, PartialEq)] pub struct IntelTrustAuthorityConfig { pub base_url: String, pub api_key: String, diff --git a/kbs/src/bin/kbs.rs b/kbs/src/bin/kbs.rs index 5861e3bd37..76725eeaa7 100644 --- a/kbs/src/bin/kbs.rs +++ b/kbs/src/bin/kbs.rs @@ -4,19 +4,15 @@ //! Confidential Containers Key Broker Service -extern crate anyhow; - -use anyhow::{bail, Result}; +use anyhow::Result; use std::path::Path; use clap::Parser; -#[cfg(feature = "as")] -use kbs::attestation::AttestationService; use kbs::{ config::{Cli, KbsConfig}, ApiServer, }; -use log::{debug, info, warn}; +use log::{debug, info}; #[tokio::main] async fn main() -> Result<()> { 
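Review bot: `IntelTrustAuthorityConfig` keeps `Debug` in its derive list while holding `pub api_key: String`, and `main` in kbs/src/bin/kbs.rs logs the whole configuration with `debug!("Config: {:#?}", kbs_config)`, so the API key is written to the log whenever debug logging is enabled. Since this hunk already touches the derive line, replace the derived `Debug` with a manual impl that prints `api_key` as `"<redacted>"`, and mark the field with a comment such as `// secret: never log; Debug output redacts this field`. The struct body continues outside the hunk, so other fields may need the same treatment.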
@@ -29,48 +25,8 @@ async fn main() -> Result<()> { debug!("Config: {:#?}", kbs_config); - if !kbs_config.insecure_http - && (kbs_config.private_key.is_none() || kbs_config.certificate.is_none()) - { - bail!("Must specify HTTPS private key and certificate when running in secure mode"); - } - - if kbs_config.insecure_api { - warn!("insecure APIs are enabled"); - } - - #[cfg(feature = "as")] - let attestation_service = { - cfg_if::cfg_if! { - if #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] { - AttestationService::new(kbs_config.as_config.unwrap_or_default()).await? - } else if #[cfg(feature = "coco-as-grpc")] { - AttestationService::new(kbs_config.grpc_config.unwrap_or_default()).await? - } else if #[cfg(feature = "intel-trust-authority-as")] { - AttestationService::new(kbs_config.intel_trust_authority_config).await? - } else { - compile_error!("Please enable at least one of the following features: `coco-as-builtin`, `coco-as-builtin-no-verifier`, `coco-as-grpc` or `intel-trust-authority-as` to continue."); - } - } - }; - - let api_server = ApiServer::new( - kbs_config.sockets, - kbs_config.private_key, - kbs_config.auth_public_key, - kbs_config.certificate, - kbs_config.insecure_http, - #[cfg(feature = "as")] - attestation_service, - kbs_config.timeout, - kbs_config.insecure_api, - #[cfg(feature = "resource")] - kbs_config.repository_config.unwrap_or_default(), - #[cfg(feature = "resource")] - kbs_config.attestation_token_config, - #[cfg(feature = "opa")] - kbs_config.policy_engine_config.unwrap_or_default(), - )?; + let api_server = ApiServer::new(kbs_config).await?; - api_server.serve().await.map_err(anyhow::Error::from) + api_server.serve().await?; + Ok(()) } diff --git a/kbs/src/config.rs b/kbs/src/config.rs index 4359f0687d..b145b4af69 100644 --- a/kbs/src/config.rs +++ b/kbs/src/config.rs 
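Review bot: The startup `warn!("insecure APIs are enabled")` and the explicit check that a private key and certificate are set when `insecure_http` is false are both removed from `main`, and no replacement for the warning is visible in this patch. `ApiServer::serve` does go through `crate::http::tls_config`, which presumably rejects a missing key or certificate, but nothing shown tells the operator that admin authentication has been relaxed. Unless `Admin::try_from` already logs it, keep the signal with `if kbs_config.admin.insecure_api { warn!("insecure APIs are enabled"); }` before `ApiServer::new(kbs_config)` and restore `warn` in the `log` import.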
@@ -2,60 +2,26 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -#[cfg(feature = "coco-as-grpc")] -use crate::attestation::coco::grpc::GrpcConfig; -#[cfg(feature = "intel-trust-authority-as")] -use crate::attestation::intel_trust_authority::IntelTrustAuthorityConfig; -#[cfg(feature = "policy")] +use crate::admin::config::{AdminConfig, DEFAULT_INSECURE_API}; +use crate::plugins::PluginsConfig; use crate::policy_engine::PolicyEngineConfig; -#[cfg(feature = "resource")] -use crate::resource::RepositoryConfig; -#[cfg(feature = "resource")] use crate::token::AttestationTokenVerifierConfig; use anyhow::anyhow; -#[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] -use attestation_service::config::Config as AsConfig; use clap::Parser; use config::{Config, File}; use serde::Deserialize; -use serde_json::Value; use std::net::SocketAddr; use std::path::{Path, PathBuf}; -const DEFAULT_INSECURE_API: bool = false; const DEFAULT_INSECURE_HTTP: bool = false; const DEFAULT_SOCKET: &str = "127.0.0.1:8080"; const DEFAULT_TIMEOUT: i64 = 5; -/// Contains all configurable KBS properties. -#[derive(Clone, Debug, Deserialize)] -pub struct KbsConfig { - /// Resource repository config. - #[cfg(feature = "resource")] - pub repository_config: Option, - - /// Attestation token result broker config. - #[cfg(feature = "resource")] - pub attestation_token_config: AttestationTokenVerifierConfig, - - /// Configuration for the built-in Attestation Service. - #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - pub as_config: Option, - - /// Configuration for remote attestation over gRPC. - #[cfg(feature = "coco-as-grpc")] - pub grpc_config: Option, - - /// Configuration for Intel Trust Authority attestation. 
- #[cfg(feature = "intel-trust-authority-as")] - pub intel_trust_authority_config: IntelTrustAuthorityConfig, - +#[derive(Clone, Debug, Deserialize, PartialEq)] +pub struct HttpServerConfig { /// Socket addresses (IP:port) to listen on, e.g. 127.0.0.1:8080. pub sockets: Vec, - /// HTTPS session timeout in minutes. - pub timeout: i64, - /// HTTPS private key. pub private_key: Option, 
@@ -65,20 +31,48 @@ pub struct KbsConfig { /// Insecure HTTP. /// WARNING: Using this option makes the HTTP connection insecure. pub insecure_http: bool, +} - /// Public key used to authenticate the resource registration endpoint token (JWT). - /// Only JWTs signed with the corresponding private keys are authenticated. - pub auth_public_key: Option, +impl Default for HttpServerConfig { + fn default() -> Self { + Self { + sockets: vec![DEFAULT_SOCKET.parse().expect("unexpected parse error")], + private_key: None, + certificate: None, + insecure_http: DEFAULT_INSECURE_HTTP, + } + } +} - /// Insecure HTTP APIs. - /// WARNING: Using this option enables KBS insecure APIs such as Resource Registration without - /// verifying the JWK. - pub insecure_api: bool, +/// Contains all configurable KBS properties. +#[derive(Debug, Clone, Deserialize, PartialEq)] +pub struct KbsConfig { + /// Resource repository config. + #[cfg(feature = "resource")] + #[serde(default)] + pub repository: crate::resource::RepositoryConfig, + + /// Attestation token result broker config. + #[serde(default)] + pub attestation_token: AttestationTokenVerifierConfig, + + /// Configuration for the Attestation Service. + #[cfg(feature = "as")] + pub attestation_service: crate::attestation::config::AttestationConfig, + + /// Configuration for the KBS Http Server + pub http_server: HttpServerConfig, + + /// Configuration for the KBS admin API + pub admin: AdminConfig, /// Policy engine configuration used for evaluating whether the TCB status has access to /// specific resources. - #[cfg(feature = "policy")] - pub policy_engine_config: Option, + #[serde(default)] + pub policy_engine: PolicyEngineConfig, + + #[serde(default)] + pub client_plugins: Vec, } impl TryFrom<&Path> for KbsConfig { 
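Review bot: `private_key`, `certificate`, `insecure_http`, `auth_public_key` and `insecure_api` move under the new `http_server` and `admin` tables, but neither `KbsConfig` nor `HttpServerConfig` rejects unknown keys. As far as this hunk shows, a file written for the old flat layout would still deserialize, with those settings silently ignored and the defaults applied. Adding `#[serde(deny_unknown_fields)]` to both structs would turn a stale file into a load error. The `attestation_service.timeout` default set in `try_from` would then need to be gated on the `as` feature, because the `attestation_service` field exists only with that feature.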
@@ -88,10 +82,10 @@ impl TryFrom<&Path> for KbsConfig { /// `config` crate. See `KbsConfig` for schema information. fn try_from(config_path: &Path) -> Result { let c = Config::builder() - .set_default("insecure_api", DEFAULT_INSECURE_API)? - .set_default("insecure_http", DEFAULT_INSECURE_HTTP)? - .set_default("sockets", vec![DEFAULT_SOCKET])? - .set_default("timeout", DEFAULT_TIMEOUT)? + .set_default("admin.insecure_api", DEFAULT_INSECURE_API)? + .set_default("http_server.insecure_http", DEFAULT_INSECURE_HTTP)? + .set_default("http_server.sockets", vec![DEFAULT_SOCKET])? + .set_default("attestation_service.timeout", DEFAULT_TIMEOUT)? .add_source(File::with_name(config_path.to_str().unwrap())) .build()?; 
@@ -109,3 +103,397 @@ pub struct Cli { #[arg(short, long, env = "KBS_CONFIG_FILE")] pub config_file: String, } + +#[cfg(test)] +mod tests { + use std::path::{Path, PathBuf}; + + use crate::{ + admin::config::AdminConfig, + config::{ + HttpServerConfig, DEFAULT_INSECURE_API, DEFAULT_INSECURE_HTTP, DEFAULT_SOCKET, + DEFAULT_TIMEOUT, + }, + plugins::{sample::SampleConfig, PluginsConfig}, + policy_engine::{PolicyEngineConfig, DEFAULT_POLICY_PATH}, + token::AttestationTokenVerifierConfig, + }; + + use super::KbsConfig; + + #[cfg(feature = "coco-as-builtin")] + use attestation_service::{ + rvps::{RvpsConfig, DEFAULT_STORAGE_TYPE}, + token::{ + AttestationTokenBrokerType, AttestationTokenConfig, COCO_AS_ISSUER_NAME, + DEFAULT_TOKEN_TIMEOUT, + }, + }; + + use rstest::rstest; + use serde_json::json; + + #[rstest] + #[case("test_data/configs/coco-as-grpc-1.toml", KbsConfig { + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::LocalFs( + crate::resource::local_fs::LocalFsRepoDesc { + dir_path: "/tmp/kbs-resource".into(), + }, + ), + attestation_token: AttestationTokenVerifierConfig { + trusted_certs_paths: vec!["/etc/ca".into(), "/etc/ca2".into()], + insecure_key: false, + trusted_jwk_sets: vec![], + extra_teekey_paths: vec![], + }, + #[cfg(feature = "coco-as-grpc")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::CoCoASGrpc( + crate::attestation::coco::grpc::GrpcConfig { + as_addr: "http://127.0.0.1:50001".into(), + pool_size: 100, + }, + ), + timeout: 600, + }, + http_server: HttpServerConfig { + sockets: vec!["0.0.0.0:8080".parse().unwrap()], + private_key: Some("/etc/kbs-private.key".into()), + certificate: Some("/etc/kbs-cert.pem".into()), + insecure_http: false, + }, + admin: AdminConfig { + auth_public_key: Some(PathBuf::from("/etc/kbs-admin.pub")), + insecure_api: false, + }, + policy_engine: PolicyEngineConfig { + policy_path: 
PathBuf::from("/etc/kbs-policy.rego"), + }, + client_plugins: vec![PluginsConfig::Sample(SampleConfig { + item: "value1".into(), + })], + })] + #[case("test_data/configs/coco-as-builtin-1.toml", KbsConfig { + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::LocalFs( + crate::resource::local_fs::LocalFsRepoDesc { + dir_path: DEFAULT_REPO_DIR_PATH.into(), + }, + ), + attestation_token: AttestationTokenVerifierConfig { + trusted_certs_paths: vec![], + insecure_key: false, + trusted_jwk_sets: vec![], + extra_teekey_paths: vec![], + }, + #[cfg(feature = "coco-as-builtin")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( + attestation_service::config::Config { + work_dir: "/opt/coco/attestation-service".into(), + policy_engine: "opa".into(), + attestation_token_broker: AttestationTokenBrokerType::Simple, + rvps_config: RvpsConfig { + remote_addr: "http://127.0.0.1:50003".into(), + store_type: DEFAULT_STORAGE_TYPE.into(), + store_config: json!({}), + }, + attestation_token_config: AttestationTokenConfig { + duration_min: DEFAULT_TOKEN_TIMEOUT, + issuer_name: COCO_AS_ISSUER_NAME.into(), + signer: None, + }, + } + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + sockets: vec![DEFAULT_SOCKET.parse().unwrap()], + private_key: None, + certificate: None, + insecure_http: DEFAULT_INSECURE_HTTP, + }, + admin: AdminConfig { + auth_public_key: None, + insecure_api: DEFAULT_INSECURE_API, + }, + policy_engine: PolicyEngineConfig { + policy_path: DEFAULT_POLICY_PATH.into(), + }, + client_plugins: vec![], + })] + #[case("test_data/configs/intel-ta-1.toml", KbsConfig { + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::LocalFs( + crate::resource::local_fs::LocalFsRepoDesc { + dir_path: "/tmp/kbs-resource".into(), + }, + ), + attestation_token: AttestationTokenVerifierConfig { + 
trusted_jwk_sets: vec!["/etc/ca".into(), "/etc/ca2".into()], + insecure_key: false, + trusted_certs_paths: vec![], + extra_teekey_paths: vec![], + }, + #[cfg(feature = "intel-trust-authority-as")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::IntelTA( + crate::attestation::intel_trust_authority::IntelTrustAuthorityConfig { + base_url: "example.io".into(), + api_key: "this-is-a-key".into(), + certs_file: "file:///etc/ita-cert.pem".into(), + allow_unmatched_policy: Some(true), + } + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + sockets: vec!["0.0.0.0:8080".parse().unwrap()], + private_key: Some("/etc/kbs-private.key".into()), + certificate: Some("/etc/kbs-cert.pem".into()), + insecure_http: false, + }, + admin: AdminConfig { + auth_public_key: Some(PathBuf::from("/etc/kbs-admin.pub")), + insecure_api: false, + }, + policy_engine: PolicyEngineConfig { + policy_path: PathBuf::from("/etc/kbs-policy.rego"), + }, + client_plugins: vec![PluginsConfig::Sample(SampleConfig { + item: "value1".into(), + })], + })] + #[case("test_data/configs/coco-as-grpc-2.toml", KbsConfig { + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::default(), + attestation_token: AttestationTokenVerifierConfig { + ..Default::default() + }, + #[cfg(feature = "coco-as-grpc")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::CoCoASGrpc( + crate::attestation::coco::grpc::GrpcConfig { + as_addr: "http://as:50004".into(), + pool_size: crate::attestation::coco::grpc::DEFAULT_POOL_SIZE, + }, + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + sockets: vec!["0.0.0.0:8080".parse().unwrap()], + private_key: None, + certificate: None, + insecure_http: true, + }, + admin: AdminConfig { + auth_public_key: 
Some(PathBuf::from("/opt/confidential-containers/kbs/user-keys/public.pub")), + insecure_api: DEFAULT_INSECURE_API, + }, + policy_engine: PolicyEngineConfig::default(), + client_plugins: Vec::default(), + })] + #[case("test_data/configs/coco-as-builtin-2.toml", KbsConfig { + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::LocalFs( + crate::resource::local_fs::LocalFsRepoDesc { + dir_path: DEFAULT_REPO_DIR_PATH.into(), + }, + ), + attestation_token: AttestationTokenVerifierConfig { + trusted_certs_paths: vec![], + insecure_key: false, + trusted_jwk_sets: vec![], + extra_teekey_paths: vec![], + }, + #[cfg(feature = "coco-as-builtin")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( + attestation_service::config::Config { + work_dir: "/opt/confidential-containers/attestation-service".into(), + policy_engine: "opa".into(), + attestation_token_broker: AttestationTokenBrokerType::Simple, + rvps_config: RvpsConfig { + remote_addr: "".into(), + store_type: "LocalFs".into(), + store_config: json!({}), + }, + attestation_token_config: AttestationTokenConfig { + duration_min: 5, + ..Default::default() + }, + } + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + sockets: vec!["0.0.0.0:8080".parse().unwrap()], + private_key: None, + certificate: None, + insecure_http: true, + }, + admin: AdminConfig { + auth_public_key: Some("/kbs/kbs.pem".into()), + insecure_api: DEFAULT_INSECURE_API, + }, + policy_engine: PolicyEngineConfig::default(), + client_plugins: vec![], + })] + #[case("test_data/configs/intel-ta-2.toml", KbsConfig { + attestation_token: AttestationTokenVerifierConfig { + trusted_jwk_sets: vec!["https://portal.trustauthority.intel.com".into()], + insecure_key: false, + trusted_certs_paths: vec![], + extra_teekey_paths: vec![], + }, + #[cfg(feature = "intel-trust-authority-as")] + attestation_service: 
crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::IntelTA( + crate::attestation::intel_trust_authority::IntelTrustAuthorityConfig { + base_url: "https://api.trustauthority.intel.com".into(), + api_key: "tBfd5kKX2x9ahbodKV1...".into(), + certs_file: "https://portal.trustauthority.intel.com".into(), + allow_unmatched_policy: None, + } + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + sockets: vec!["0.0.0.0:8080".parse().unwrap()], + private_key: None, + certificate: None, + insecure_http: true, + }, + admin: AdminConfig { + auth_public_key: Some("/kbs/kbs.pem".into()), + insecure_api: DEFAULT_INSECURE_API, + }, + policy_engine: PolicyEngineConfig::default(), + client_plugins: vec![], + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::LocalFs( + crate::resource::local_fs::LocalFsRepoDesc::default(), + ), + })] + #[case("test_data/configs/coco-as-grpc-3.toml", KbsConfig { + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::default(), + attestation_token: AttestationTokenVerifierConfig { + ..Default::default() + }, + #[cfg(feature = "coco-as-grpc")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::CoCoASGrpc( + crate::attestation::coco::grpc::GrpcConfig { + as_addr: "http://127.0.0.1:50004".into(), + pool_size: 100, + }, + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + insecure_http: true, + ..Default::default() + }, + admin: AdminConfig { + insecure_api: true, + ..Default::default() + }, + policy_engine: PolicyEngineConfig::default(), + client_plugins: Vec::default(), + })] + #[case("test_data/configs/intel-ta-3.toml", KbsConfig { + attestation_token: AttestationTokenVerifierConfig { + trusted_jwk_sets: vec!["https://portal.trustauthority.intel.com".into()], + insecure_key: false, + 
trusted_certs_paths: vec![], + extra_teekey_paths: vec![], + }, + #[cfg(feature = "intel-trust-authority-as")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::IntelTA( + crate::attestation::intel_trust_authority::IntelTrustAuthorityConfig { + base_url: "https://api.trustauthority.intel.com".into(), + api_key: "tBfd5kKX2x9ahbodKV1...".into(), + certs_file: "https://portal.trustauthority.intel.com".into(), + allow_unmatched_policy: None, + } + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + insecure_http: true, + ..Default::default() + }, + admin: AdminConfig { + insecure_api: true, + ..Default::default() + }, + policy_engine: PolicyEngineConfig::default(), + client_plugins: vec![], + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::LocalFs( + crate::resource::local_fs::LocalFsRepoDesc::default(), + ), + })] + #[case("test_data/configs/coco-as-builtin-3.toml", KbsConfig { + #[cfg(feature = "resource")] + repository: crate::resource::RepositoryConfig::LocalFs( + crate::resource::local_fs::LocalFsRepoDesc { + dir_path: "/opt/confidential-containers/kbs/repository".into(), + }, + ), + attestation_token: AttestationTokenVerifierConfig { + trusted_certs_paths: vec![], + insecure_key: false, + trusted_jwk_sets: vec![], + extra_teekey_paths: vec![], + }, + #[cfg(feature = "coco-as-builtin")] + attestation_service: crate::attestation::config::AttestationConfig { + attestation_service: + crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( + attestation_service::config::Config { + work_dir: "/opt/confidential-containers/attestation-service".into(), + policy_engine: "opa".into(), + attestation_token_broker: AttestationTokenBrokerType::Simple, + rvps_config: RvpsConfig { + remote_addr: "".into(), + store_type: "LocalFs".into(), + ..Default::default() + }, + attestation_token_config: AttestationTokenConfig { + 
duration_min: 5, + ..Default::default() + }, + } + ), + timeout: DEFAULT_TIMEOUT, + }, + http_server: HttpServerConfig { + insecure_http: true, + ..Default::default() + }, + admin: AdminConfig { + insecure_api: true, + ..Default::default() + }, + policy_engine: PolicyEngineConfig { + policy_path: "/opa/confidential-containers/kbs/policy.rego".into(), + }, + client_plugins: vec![], + })] + fn read_config(#[case] config_path: &str, #[case] expected: KbsConfig) { + let config = KbsConfig::try_from(Path::new(config_path)).unwrap(); + assert_eq!(config, expected, "case {config_path}"); + } +} diff --git a/kbs/src/error.rs b/kbs/src/error.rs new file mode 100644 index 0000000000..5cdaf68868 --- /dev/null +++ b/kbs/src/error.rs 
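Review bot: The `coco-as-builtin-1.toml` and `coco-as-builtin-2.toml` cases use `DEFAULT_REPO_DIR_PATH`, which is not among the names the `tests` module imports at the top of this hunk, so the module looks like it will not compile when the `resource` feature is enabled. The constant's definition is not in this part of the diff. The simplest fix that uses only names already in the hunk is `crate::resource::local_fs::LocalFsRepoDesc::default()` for those two cases, as the `intel-ta-2.toml` case already does.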
@@ -0,0 +1,126 @@ +// Copyright (c) 2023 by Alibaba. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +//! This Error type helps to work with Actix-web + +use std::fmt::Write; + +use actix_web::{body::BoxBody, HttpResponse, ResponseError}; +use kbs_types::ErrorInformation; +use log::error; +use strum::AsRefStr; +use thiserror::Error; + +const ERROR_TYPE_PREFIX: &str = "https://github.com/confidential-containers/kbs/errors"; + +pub type Result = std::result::Result; + +#[derive(Error, AsRefStr, Debug)] +pub enum Error { + #[error("Admin auth error")] + AdminAuth(#[from] crate::admin::Error), + + #[cfg(feature = "as")] + #[error("Attestation error")] + AttestationError(#[from] crate::attestation::Error), + + #[error("HTTP initialization failed")] + HTTPFailed { + #[source] + source: anyhow::Error, + }, + + #[error("HTTPS initialization failed")] + HTTPSFailed { + #[source] + source: anyhow::Error, + }, + + #[error("Accessed path {path} is illegal")] + IllegalAccessedPath { path: String }, + + #[error("JWE failed")] + JweError { + #[source] + source: anyhow::Error, + }, + + #[error("PluginManager initialization failed")] + PluginManagerInitialization { + #[source] + source: anyhow::Error, + }, + + #[error("Plugin {plugin_name} not found")] + PluginNotFound { plugin_name: String }, + + #[error("Plugin internal error")] + PluginInternalError { + #[source] + source: anyhow::Error, + }, + + #[error("Access denied by policy")] + PolicyDeny, + + #[error("Policy engine error")] + PolicyEngine(#[from] crate::policy_engine::KbsPolicyEngineError), + + #[cfg(feature = "resource")] + #[error("Resource access failed")] + ResourceAccessFailed(#[from] crate::resource::Error), + + #[error("Serialize/Deserialize failed")] + SerdeError(#[from] serde_json::Error), + + #[error("Attestation Token not found")] + TokenNotFound, + + #[error("Token Verifier error")] + TokenVerifierError(#[from] crate::token::Error), +} + 
+impl ResponseError for Error { + fn error_response(&self) -> HttpResponse { + let mut detail = String::new(); + + // The write macro here will only raise error when OOM of the string. + write!(&mut detail, "{}", self).expect("written error response failed"); + let info = ErrorInformation { + error_type: format!("{ERROR_TYPE_PREFIX}/{}", self.as_ref()), + detail, + }; + + // All the fields inside the ErrorInfo are printable characters, so this + // error cannot happen. + // A test covering all the possible error types are given to ensure this. + let body = serde_json::to_string(&info).expect("serialize error response failed"); + + // Due to the definition of KBS attestation protocol, we set the http code. + let mut res = match self { + Error::IllegalAccessedPath { .. } | Error::PluginNotFound { .. } => { + HttpResponse::NotFound() + } + _ => HttpResponse::Unauthorized(), + }; + + error!("{self:?}"); + + res.body(BoxBody::new(body)) + } +} + +#[cfg(test)] +mod tests { + use rstest::rstest; + + use super::Error; + + #[rstest] + #[case(Error::IllegalAccessedPath{path: "test".into()})] + #[case(Error::PluginNotFound{plugin_name: "test".into()})] + fn into_error_response(#[case] err: Error) { + let _ = actix_web::ResponseError::error_response(&err); + } +} diff --git a/kbs/src/http.rs b/kbs/src/http.rs new file mode 100644 index 0000000000..9cc929c965 --- /dev/null +++ b/kbs/src/http.rs 
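Review bot: The comment in `error_response` says a test covering all the possible error types guards the `expect` on `serde_json::to_string`, but `into_error_response` has only two cases, `IllegalAccessedPath` and `PluginNotFound`. The variants that need no project types could be added directly, e.g. `#[case(Error::PolicyDeny)]`, `#[case(Error::TokenNotFound)]` and `#[case(Error::JweError { source: anyhow::anyhow!("test") })]`; otherwise the comment should be reworded so nobody relies on coverage that is not there. Separately, the `_ => HttpResponse::Unauthorized()` arm answers 401 for `PolicyDeny` and for server-side faults such as `SerdeError` and `PluginInternalError`, so a client cannot tell a rejected token from a broken backend. If the KBS protocol allows it, 403 and 500 would be clearer for those cases.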
@@ -0,0 +1,27 @@
+// Copyright (c) 2024 by Alibaba.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use anyhow::{anyhow, Result};
+
+use crate::config::HttpServerConfig;
+
+pub fn tls_config(config: &HttpServerConfig) -> Result {
+ use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
+
+ let cert_file = config
+ .certificate
+ .as_ref()
+ .ok_or_else(|| anyhow!("Missing certificate"))?;
+
+ let key_file = config
+ .private_key
+ .as_ref()
+ .ok_or_else(|| anyhow!("Missing private key"))?;
+
+ let mut builder = SslAcceptor::mozilla_modern(SslMethod::tls())?;
+ builder.set_private_key_file(key_file, SslFiletype::PEM)?;
+ builder.set_certificate_chain_file(cert_file)?;
+
+ Ok(builder)
+}
diff --git a/kbs/src/http/config.rs b/kbs/src/http/config.rs
deleted file mode 100644
index 8328a380b7..0000000000
--- a/kbs/src/http/config.rs
+++ /dev/null
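Review bot: `tls_config` loads the private key and then the certificate chain but never checks that the two belong together, so, depending on how the linked OpenSSL treats a mismatched pair, a wrong key may only show up as failed handshakes once the server is already listening. Adding `builder.check_private_key()?;` just before `Ok(builder)` turns that into a start-up error. The `anyhow!("Missing certificate")` and `anyhow!("Missing private key")` messages could also name the config keys (`http_server.certificate`, `http_server.private_key`) so an operator knows what to set. The new public function also has no `///` doc comment; one line stating that it builds the acceptor from the configured PEM files would do.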
@@ -1,131 +0,0 @@ -// Copyright (c) 2023 by Alibaba. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -use super::*; - -#[cfg(feature = "as")] -#[derive(serde::Deserialize, Debug)] -pub struct SetPolicyInput { - policy_id: String, - policy: String, -} - -#[cfg(feature = "as")] -/// POST /attestation-policy -pub(crate) async fn attestation_policy( - request: HttpRequest, - input: web::Json, - user_pub_key: web::Data>, - insecure: web::Data, - attestation_service: web::Data>, -) -> Result { - if !insecure.get_ref() { - let user_pub_key = user_pub_key - .as_ref() - .as_ref() - .ok_or(Error::UserPublicKeyNotProvided)?; - - validate_auth(&request, user_pub_key).map_err(|e| { - Error::FailedAuthentication(format!("Requester is not an authorized user: {e}")) - })?; - } - - attestation_service - .set_policy(&input.policy_id, &input.policy) - .await - .map_err(|e| Error::PolicyEndpoint(format!("Set policy error {e}")))?; - - Ok(HttpResponse::Ok().finish()) -} - -#[cfg(feature = "policy")] -/// POST /resource-policy -pub(crate) async fn resource_policy( - request: HttpRequest, - input: web::Json, - user_pub_key: web::Data>, - insecure: web::Data, - policy_engine: web::Data, -) -> Result { - if !insecure.get_ref() { - let user_pub_key = user_pub_key - .as_ref() - .as_ref() - .ok_or(Error::UserPublicKeyNotProvided)?; - - validate_auth(&request, user_pub_key).map_err(|e| { - Error::FailedAuthentication(format!("Requester is not an authorized user: {e}")) - })?; - } - - policy_engine - .0 - .lock() - .await - .set_policy( - input.into_inner()["policy"] - .as_str() - .ok_or(Error::PolicyEndpoint( - "Get policy from request failed".to_string(), - ))? 
- .to_string(), - ) - .await - .map_err(|e| Error::PolicyEndpoint(format!("Set policy error {e}")))?; - - Ok(HttpResponse::Ok().finish()) -} - -#[cfg(feature = "resource")] -/// POST /resource/{repository}/{type}/{tag} -/// POST /resource/{type}/{tag} -/// -/// TODO: Although this endpoint is authenticated through a JSON Web Token (JWT), -/// only identified users should be able to get a JWT and access it. -/// At the moment user identification is not supported, and the KBS CLI -/// `--user-public-key` defines the authorized user for that endpoint. In other words, -/// any JWT signed with the user's private key will be authenticated. -/// JWT generation and user identification is unimplemented for now, and thus this -/// endpoint is insecure and is only meant for testing purposes. -pub(crate) async fn set_resource( - request: HttpRequest, - data: web::Bytes, - user_pub_key: web::Data>, - insecure: web::Data, - repository: web::Data>>, -) -> Result { - if !insecure.get_ref() { - let user_pub_key = user_pub_key - .as_ref() - .as_ref() - .ok_or(Error::UserPublicKeyNotProvided)?; - - validate_auth(&request, user_pub_key).map_err(|e| { - Error::FailedAuthentication(format!("Requester is not an authorized user: {e}")) - })?; - } - - let resource_description = ResourceDesc { - repository_name: request - .match_info() - .get("repository") - .unwrap_or("default") - .to_string(), - resource_type: request - .match_info() - .get("type") - .ok_or_else(|| Error::InvalidRequest(String::from("no `type` in url")))? - .to_string(), - resource_tag: request - .match_info() - .get("tag") - .ok_or_else(|| Error::InvalidRequest(String::from("no `tag` in url")))? - .to_string(), - }; - - set_secret_resource(&repository, resource_description, data.as_ref()) - .await - .map_err(|e| Error::SetSecretFailed(format!("{e}")))?; - Ok(HttpResponse::Ok().content_type("application/json").body("")) -} 
diff --git a/kbs/src/http/error.rs b/kbs/src/http/error.rs deleted file mode 100644 index 70fd461286..0000000000 --- a/kbs/src/http/error.rs +++ /dev/null 
@@ -1,157 +0,0 @@ -// Copyright (c) 2023 by Alibaba. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -//! This Error type helps to work with Actix-web - -use std::fmt::{Display, Write}; - -use actix_web::{ - body::BoxBody, - http::header::{self, TryIntoHeaderValue}, - web::BytesMut, - HttpResponse, Responder, ResponseError, -}; -use kbs_types::ErrorInformation; -use log::error; -use serde::Serialize; -use strum::AsRefStr; -use thiserror::Error; - -const ERROR_TYPE_PREFIX: &str = "https://github.com/confidential-containers/kbs/errors"; - -pub type Result = std::result::Result; - -#[allow(dead_code)] -#[derive(Error, AsRefStr, Debug)] -pub enum Error { - #[error("Attestation failed: {0}")] - AttestationFailed(String), - - #[error("Received illegal attestation claims: {0}")] - AttestationClaimsParseFailed(String), - - #[error("The cookie is expired")] - ExpiredCookie, - - #[error("Authentication failed: {0}")] - FailedAuthentication(String), - - #[error("The cookie is invalid")] - InvalidCookie, - - #[error("The request is invalid: {0}")] - InvalidRequest(String), - - #[error("Json Web Encryption failed: {0}")] - JWEFailed(String), - - #[error("The cookie is missing")] - MissingCookie, - - #[error("Policy error: {0}")] - PolicyEndpoint(String), - - #[error("Resource policy engine evaluate failed: {0}")] - PolicyEngineFailed(String), - - #[error("Resource not permitted.")] - PolicyReject, - - #[error("KBS Client Protocol Version Mismatch: {0}")] - ProtocolVersion(String), - - #[error("Public key get failed: {0}")] - PublicKeyGetFailed(String), - - #[error("Read secret failed: {0}")] - ReadSecretFailed(String), - - #[error("Set secret failed: {0}")] - SetSecretFailed(String), - - #[error("Attestation token issue failed: {0}")] - TokenIssueFailed(String), - - #[error("Received an illegal token: {0}")] - TokenParseFailed(String), - - #[error("The cookie is unauthenticated")] - UnAuthenticatedCookie, - 
- #[error("User public key not provided when launching the KBS")] - UserPublicKeyNotProvided, -} - -/// For example, if we want to raise an error of `MissingCookie` -/// ```ignore -/// raise_error!(Error::MissingCookie); -/// ``` -/// is short for -/// ```ignore -/// return Err(Error::MissingCookie); -/// ``` -#[macro_export] -macro_rules! raise_error { - ($error: expr) => { - return Err($error) - }; -} - -impl ResponseError for Error { - fn error_response(&self) -> HttpResponse { - let mut detail = String::new(); - - // The write macro here will only raise error when OOM of the string. - write!(&mut detail, "{}", self).expect("written error response failed"); - let info = ErrorInformation { - error_type: format!("{ERROR_TYPE_PREFIX}/{}", self.as_ref()), - detail, - }; - - // All the fields inside the ErrorInfo are printable characters, so this - // error cannot happen. - // A test covering all the possible error types are given to ensure this. - let body = serde_json::to_string(&info).expect("serialize error response failed"); - - // Due to the definition of KBS attestation protocol, we set the http code. 
- let mut res = match self { - Error::ReadSecretFailed(_) => HttpResponse::NotFound(), - _ => HttpResponse::Unauthorized(), - }; - - error!("{self}"); - - res.body(BoxBody::new(body)) - } -} - -#[cfg(test)] -mod tests { - use rstest::rstest; - - use crate::http::Error; - - #[rstest] - #[case(Error::AttestationFailed("test".into()))] - #[case(Error::ExpiredCookie)] - #[case(Error::FailedAuthentication("test".into()))] - #[case(Error::InvalidCookie)] - #[case(Error::ExpiredCookie)] - #[case(Error::MissingCookie)] - #[case(Error::InvalidRequest("test".into()))] - #[case(Error::JWEFailed("test".into()))] - #[case(Error::PolicyEndpoint("test".into()))] - #[case(Error::PolicyReject)] - #[case(Error::ProtocolVersion("test".into()))] - #[case(Error::PublicKeyGetFailed("test".into()))] - #[case(Error::ReadSecretFailed("test".into()))] - #[case(Error::SetSecretFailed("test".into()))] - #[case(Error::TokenIssueFailed("test".into()))] - #[case(Error::TokenParseFailed("test".into()))] - #[case(Error::UnAuthenticatedCookie)] - #[case(Error::UserPublicKeyNotProvided)] - fn into_error_response(#[case] err: Error) { - let _ = actix_web::ResponseError::error_response(&err); - } -} diff --git a/kbs/src/http/mod.rs b/kbs/src/http/mod.rs deleted file mode 100644 index 4d4c443236..0000000000 --- a/kbs/src/http/mod.rs +++ /dev/null 
@@ -1,41 +0,0 @@ -// Copyright (c) 2022 by Rivos Inc. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -#[cfg(feature = "as")] -use crate::attestation::{AttestationService, AS_TOKEN_TEE_PUBKEY_PATH}; -use crate::auth::validate_auth; -#[cfg(feature = "policy")] -use crate::policy_engine::PolicyEngine; -#[cfg(feature = "resource")] -use crate::resource::{set_secret_resource, Repository, ResourceDesc}; -#[cfg(feature = "as")] -use crate::session::{SessionMap, KBS_SESSION_ID}; -use actix_web::Responder; -use actix_web::{body::BoxBody, web, HttpRequest, HttpResponse}; -use jwt_simple::prelude::Ed25519PublicKey; -use kbs_types::{Attestation, Challenge, ErrorInformation, Request}; -use std::sync::Arc; -use tokio::sync::{Mutex, RwLock}; - -#[cfg(feature = "as")] -mod attest; - -mod config; -mod error; - -#[cfg(feature = "resource")] -mod resource; - -#[cfg(feature = "as")] -/// RESTful APIs that related to attestation -pub use attest::*; - -/// RESTful APIs that configure KBS and AS, require user authentication -pub use self::config::*; - -#[cfg(feature = "resource")] -/// RESTful APIs that to get secret resources, need attestation verification -pub use resource::*; - -pub use error::*; diff --git a/kbs/src/lib.rs b/kbs/src/lib.rs index 1bc7ed052b..d11e0edcdc 100644 --- a/kbs/src/lib.rs +++ b/kbs/src/lib.rs 
@@ -4,273 +4,27 @@ //! KBS API server -#![allow(clippy::too_many_arguments)] - -extern crate actix_web; -extern crate anyhow; -extern crate base64; -extern crate env_logger; -extern crate kbs_types; -#[macro_use] -extern crate lazy_static; -extern crate log; -extern crate rand; -extern crate uuid; - -use actix_web::{middleware, web, App, HttpServer}; -use anyhow::{anyhow, bail, Context, Result}; -#[cfg(feature = "as")] -use attestation::AttestationService; -use jwt_simple::prelude::Ed25519PublicKey; -use openssl::ssl::SslAcceptorBuilder; -#[cfg(feature = "resource")] -use resource::RepositoryConfig; -#[cfg(feature = "as")] -use std::sync::Arc; -use std::{net::SocketAddr, path::PathBuf}; -#[cfg(feature = "resource")] -use token::AttestationTokenVerifierConfig; - -#[cfg(feature = "as")] -use crate::session::SessionMap; - -#[cfg(feature = "policy")] -use crate::policy_engine::{PolicyEngine, PolicyEngineConfig}; - #[cfg(feature = "as")] -/// Attestation Service pub mod attestation; -#[allow(unused_imports)] -/// KBS config -pub mod config; - -mod auth; -#[allow(unused_imports)] -mod http; - #[cfg(feature = "resource")] mod resource; -#[cfg(feature = "as")] -mod session; - -#[cfg(feature = "resource")] +/// KBS config +pub mod config; +pub use config::KbsConfig; mod token; -#[cfg(feature = "policy")] /// Resource Policy Engine pub mod policy_engine; -static KBS_PREFIX: &str = "/kbs/v0"; - -macro_rules! kbs_path { - ($path:expr) => { - format!("{}/{}", KBS_PREFIX, $path) - }; -} - -#[allow(dead_code)] -/// The KBS API server -pub struct ApiServer { - sockets: Vec, - private_key: Option, - /// This user public key is used to verify the jwt. 
- /// The jwt is carried with the POST request for - /// resource registration - user_public_key: Option, - certificate: Option, - insecure: bool, - - #[cfg(feature = "as")] - attestation_service: Arc, - - http_timeout: i64, - insecure_api: bool, - #[cfg(feature = "resource")] - repository_config: RepositoryConfig, - #[cfg(feature = "resource")] - attestation_token_config: AttestationTokenVerifierConfig, - #[cfg(feature = "policy")] - policy_engine_config: PolicyEngineConfig, -} - -impl ApiServer { - /// Create a new KBS HTTP server - pub fn new( - sockets: Vec, - private_key: Option, - user_public_key: Option, - certificate: Option, - insecure: bool, - - #[cfg(feature = "as")] attestation_service: AttestationService, - - http_timeout: i64, - insecure_api: bool, - #[cfg(feature = "resource")] repository_config: RepositoryConfig, - #[cfg(feature = "resource")] attestation_token_config: AttestationTokenVerifierConfig, - #[cfg(feature = "policy")] policy_engine_config: PolicyEngineConfig, - ) -> Result { - if !insecure && (private_key.is_none() || certificate.is_none()) { - bail!("Missing HTTPS credentials"); - } - - cfg_if::cfg_if! 
{ - if #[cfg(not(any(feature = "as", feature = "resource")))] { - compile_error!("Must enable at least one of the following features: `as`, `resource`"); - } - } - - Ok(ApiServer { - sockets, - private_key, - user_public_key, - certificate, - insecure, - - #[cfg(feature = "as")] - attestation_service: Arc::new(attestation_service), - - http_timeout, - insecure_api, - #[cfg(feature = "resource")] - repository_config, - #[cfg(feature = "resource")] - attestation_token_config, - #[cfg(feature = "policy")] - policy_engine_config, - }) - } - - fn tls_config(&self) -> Result { - use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod}; - - let cert_file = self - .certificate - .clone() - .ok_or_else(|| anyhow!("Missing certificate"))?; - - let key_file = self - .private_key - .clone() - .ok_or_else(|| anyhow!("Missing private key"))?; - - let mut builder = SslAcceptor::mozilla_modern(SslMethod::tls())?; - builder.set_private_key_file(key_file, SslFiletype::PEM)?; - builder.set_certificate_chain_file(cert_file)?; - - Ok(builder) - } - - /// Start the HTTP server and serve API requests. 
- pub async fn serve(&self) -> Result<()> { - log::info!( - "Starting HTTP{} server at {:?}", - if !self.insecure { "S" } else { "" }, - self.sockets - ); - - #[cfg(feature = "as")] - let (attestation_service, sessions) = { - let attestation_service = web::Data::new(self.attestation_service.clone()); - let sessions = web::Data::new(SessionMap::new()); - let sessions_clone = sessions.clone(); - - tokio::spawn(async move { - loop { - tokio::time::sleep(std::time::Duration::from_secs(60)).await; - sessions_clone - .sessions - .retain_async(|_, v| !v.is_expired()) - .await; - } - }); - (attestation_service, sessions) - }; - - let http_timeout = self.http_timeout; - - #[cfg(feature = "resource")] - let repository = self.repository_config.initialize()?; - - #[cfg(feature = "resource")] - let token_verifier = - crate::token::TokenVerifier::from_config(self.attestation_token_config.clone()).await?; - - #[cfg(feature = "policy")] - let policy_engine = PolicyEngine::new(&self.policy_engine_config).await?; - - let user_public_key = match self.insecure_api { - true => None, - false => match &self.user_public_key { - Some(key_path) => { - let user_public_key_pem = tokio::fs::read_to_string(key_path) - .await - .context("read user public key")?; - let key = Ed25519PublicKey::from_pem(&user_public_key_pem) - .context("parse user public key")?; - Some(key) - } - None => bail!("no user public key given"), - }, - }; - - let insecure_api = self.insecure_api; - - let http_server = HttpServer::new(move || { - #[allow(unused_mut)] - let mut server_app = App::new() - .wrap(middleware::Logger::default()) - .app_data(web::Data::new(http_timeout)) - .app_data(web::Data::new(user_public_key.clone())) - .app_data(web::Data::new(insecure_api)); - - cfg_if::cfg_if! 
{ - if #[cfg(feature = "as")] { - server_app = server_app.app_data(web::Data::clone(&sessions)) - .app_data(web::Data::clone(&attestation_service)).service(web::resource(kbs_path!("auth")).route(web::post().to(http::auth))) - .service(web::resource(kbs_path!("attest")).route(web::post().to(http::attest))) - .service( - web::resource(kbs_path!("attestation-policy")) - .route(web::post().to(http::attestation_policy)), - ); - }} - cfg_if::cfg_if! { - if #[cfg(feature = "resource")] { - server_app = server_app.app_data(web::Data::new(repository.clone())) - .app_data(web::Data::new(token_verifier.clone())) - .service( - web::resource([ - kbs_path!("resource/{repository}/{type}/{tag}"), - kbs_path!("resource/{type}/{tag}"), - ]) - .route(web::get().to(http::get_resource)) - .route(web::post().to(http::set_resource)), - ); - } - } - cfg_if::cfg_if! { - if #[cfg(feature = "policy")] { - server_app = server_app.app_data(web::Data::new(policy_engine.clone())) - .service( - web::resource(kbs_path!("resource-policy")).route(web::post().to(http::resource_policy)), - ); - } - } - server_app - }); +pub mod api_server; +pub use api_server::ApiServer; - if !self.insecure { - let tls_server = http_server.bind_openssl(&self.sockets[..], self.tls_config()?)?; +pub mod error; +pub mod plugins; +pub use error::*; - tls_server.run().await.map_err(anyhow::Error::from) - } else { - http_server - .bind(&self.sockets[..])? - .run() - .await - .map_err(anyhow::Error::from) - } - } -} +pub mod admin; +pub mod http; +pub mod jwe; diff --git a/kbs/src/policy_engine/mod.rs b/kbs/src/policy_engine/mod.rs index 995dea2bda..6ff3838a32 100644 --- a/kbs/src/policy_engine/mod.rs +++ b/kbs/src/policy_engine/mod.rs 
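Review bot: `pub use error::*;` glob-exports everything public in `error` at the crate root, which per the new kbs/src/error.rs includes the `Result` alias as well as `Error`; a downstream `use kbs::*` would then shadow `std::result::Result`. An explicit `pub use error::{Error, Result};` keeps the root surface deliberate and makes later additions to `error` an opt-in export. The new `pub mod api_server`, `error`, `plugins`, `admin`, `http` and `jwe` lines also carry no `///` summary, unlike `config` and `policy_engine` in the same hunk.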
@@ -40,17 +40,17 @@ pub(crate) trait PolicyEngineInterface: Send + Sync { } /// Policy engine configuration. -#[derive(Clone, Debug, Deserialize)] +#[derive(Clone, Debug, Deserialize, PartialEq)] pub struct PolicyEngineConfig { /// Path to a file containing a policy for evaluating whether the TCB status has access to /// specific resources. - pub policy_path: Option, + pub policy_path: PathBuf, } impl Default for PolicyEngineConfig { fn default() -> Self { Self { - policy_path: Some(PathBuf::from(DEFAULT_POLICY_PATH)), + policy_path: PathBuf::from(DEFAULT_POLICY_PATH), } } } diff --git a/kbs/src/policy_engine/opa/mod.rs b/kbs/src/policy_engine/opa/mod.rs index 372ec54e02..08ac27508d 100644 --- a/kbs/src/policy_engine/opa/mod.rs +++ b/kbs/src/policy_engine/opa/mod.rs @@ -116,7 +116,7 @@ mod tests { let policy = std::fs::read(PathBuf::from(path.to_string())).unwrap(); let policy = URL_SAFE_NO_PAD.encode(policy); - opa.set_policy(policy).await + opa.set_policy(&policy).await } #[tokio::test] @@ -130,7 +130,7 @@ mod tests { .unwrap(); // decode error - let malformed_policy = "123".to_string(); + let malformed_policy = "123"; let res = opa.set_policy(malformed_policy).await; assert!(matches!( res.err().unwrap(), @@ -192,10 +192,8 @@ mod tests { set_policy_from_file(&mut opa, policy_path).await.unwrap(); - let resource_path = resource_path.to_string(); - let res = opa - .evaluate(resource_path.clone(), dummy_input(input_name, input_svn)) + .evaluate(resource_path, &dummy_input(input_name, input_svn)) .await; if let Ok(actual) = res { diff --git a/kbs/test_data/configs/coco-as-builtin-1.toml b/kbs/test_data/configs/coco-as-builtin-1.toml new file mode 100644 index 0000000000..7fd6da32cf --- /dev/null +++ b/kbs/test_data/configs/coco-as-builtin-1.toml 
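Review bot: With `policy_path` changed from an `Option` to a plain `PathBuf` and no serde default on the field or on `PolicyEngineConfig` in this hunk, a `[policy_engine]` table that omits `policy_path` would now fail to deserialize instead of being accepted. Adding `#[serde(default)]` on the struct lets the existing `Default` impl fill the missing field with `DEFAULT_POLICY_PATH`. If rejecting the incomplete table is intended, the field's doc comment should say the key is mandatory once the section is present.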
@@ -0,0 +1,8 @@
+[attestation_service]
+type = "coco_as_builtin"
+work_dir = "/opt/coco/attestation-service"
+policy_engine = "opa"
+attestation_token_broker = "Simple"
+
+ [attestation_service.rvps_config]
+ remote_addr = "http://127.0.0.1:50003"
diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml
new file mode 100644
index 0000000000..b5e1006a55
--- /dev/null
+++ b/kbs/test_data/configs/coco-as-builtin-2.toml
@@ -0,0 +1,23 @@
+[http_server]
+sockets = ["0.0.0.0:8080"]
+# Ideally we should use some solution like cert-manager to issue let's encrypt based certificate:
+# https://cert-manager.io/docs/configuration/acme/
+insecure_http = true
+
+[attestation_token]
+
+[attestation_service]
+type = "coco_as_builtin"
+work_dir = "/opt/confidential-containers/attestation-service"
+policy_engine = "opa"
+attestation_token_broker = "Simple"
+
+ [attestation_service.attestation_token_config]
+ duration_min = 5
+
+ [attestation_service.rvps_config]
+ store_type = "LocalFs"
+ remote_addr = ""
+
+[admin]
+auth_public_key = "/kbs/kbs.pem"
\ No newline at end of file
diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml
new file mode 100644
index 0000000000..20d8df7b8c
--- /dev/null
+++ b/kbs/test_data/configs/coco-as-builtin-3.toml
@@ -0,0 +1,28 @@
+[http_server]
+insecure_http = true
+
+[attestation_token_config]
+type = "CoCo"
+
+[repository]
+type = "LocalFs"
+dir_path = "/opt/confidential-containers/kbs/repository"
+
+[attestation_service]
+type = "coco_as_builtin"
+work_dir = "/opt/confidential-containers/attestation-service"
+policy_engine = "opa"
+attestation_token_broker = "Simple"
+
+ [attestation_service.attestation_token_config]
+ duration_min = 5
+
+ [attestation_service.rvps_config]
+ store_type = "LocalFs"
+ remote_addr = ""
+
+[policy_engine]
+policy_path = "/opa/confidential-containers/kbs/policy.rego"
+
+[admin]
+insecure_api = true
\ No newline at end of file
diff --git a/kbs/test_data/configs/coco-as-grpc-1.toml b/kbs/test_data/configs/coco-as-grpc-1.toml
new file mode 100644
index 0000000000..d9e3f8d9c4
--- /dev/null
+++ b/kbs/test_data/configs/coco-as-grpc-1.toml
@@ -0,0 +1,29 @@
+[repository]
+type = "LocalFs"
+dir_path = "/tmp/kbs-resource"
+
+[attestation_token]
+trusted_certs_paths = ["/etc/ca", "/etc/ca2"]
+
+[attestation_service]
+type = "coco_as_grpc"
+as_addr = "http://127.0.0.1:50001"
+pool_size = 100
+timeout = 600
+
+[http_server]
+sockets = ["0.0.0.0:8080"]
+private_key = "/etc/kbs-private.key"
+certificate = "/etc/kbs-cert.pem"
+insecure_http = false
+
+[admin]
+auth_public_key = "/etc/kbs-admin.pub"
+insecure_api = false
+
+[policy_engine]
+policy_path = "/etc/kbs-policy.rego"
+
+[[client_plugins]]
+name = "sample"
+item = "value1"
\ No newline at end of file
diff --git a/kbs/test_data/configs/coco-as-grpc-2.toml b/kbs/test_data/configs/coco-as-grpc-2.toml
new file mode 100644
index 0000000000..a0aedc0d53
--- /dev/null
+++ b/kbs/test_data/configs/coco-as-grpc-2.toml
@@ -0,0 +1,12 @@
+[http_server]
+sockets = ["0.0.0.0:8080"]
+insecure_http = true
+
+[attestation_token]
+
+[attestation_service]
+type = "coco_as_grpc"
+as_addr = "http://as:50004"
+
+[admin]
+auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
\ No newline at end of file
diff --git a/kbs/test_data/configs/coco-as-grpc-3.toml b/kbs/test_data/configs/coco-as-grpc-3.toml
new file mode 100644
index 0000000000..c6d8e61e33
--- /dev/null
+++ b/kbs/test_data/configs/coco-as-grpc-3.toml
@@ -0,0 +1,12 @@
+[http_server]
+insecure_http = true
+
+[attestation_token]
+
+[attestation_service]
+type = "coco_as_grpc"
+as_addr = "http://127.0.0.1:50004"
+pool_size = 100
+
+[admin]
+insecure_api = true
\ No newline at end of file
diff --git a/kbs/test_data/configs/intel-ta-1.toml b/kbs/test_data/configs/intel-ta-1.toml
new file mode 100644
index 0000000000..281b1ea40c
--- /dev/null
+++ b/kbs/test_data/configs/intel-ta-1.toml
@@ -0,0 +1,30 @@
+[repository]
+type = "LocalFs"
+dir_path = "/tmp/kbs-resource"
+
+[attestation_token]
+trusted_jwk_sets = ["/etc/ca", "/etc/ca2"]
+
+[attestation_service]
+type = "intel_ta"
+base_url = "example.io"
+api_key = "this-is-a-key"
+certs_file = "file:///etc/ita-cert.pem"
+allow_unmatched_policy = true
+
+[http_server]
+sockets = ["0.0.0.0:8080"]
+private_key = "/etc/kbs-private.key"
+certificate = "/etc/kbs-cert.pem"
+insecure_http = false
+
+[admin]
+auth_public_key = "/etc/kbs-admin.pub"
+insecure_api = false
+
+[policy_engine]
+policy_path = "/etc/kbs-policy.rego"
+
+[[client_plugins]]
+name = "sample"
+item = "value1"
\ No newline at end of file
diff --git a/kbs/test_data/configs/intel-ta-2.toml b/kbs/test_data/configs/intel-ta-2.toml
new file mode 100644
index 0000000000..3c77144301
--- /dev/null
+++ b/kbs/test_data/configs/intel-ta-2.toml
@@ -0,0 +1,17 @@ +[http_server] +sockets = ["0.0.0.0:8080"] +# Ideally we should use some solution like cert-manager to issue let's encrypt based certificate: +# https://cert-manager.io/docs/configuration/acme/ +insecure_http = true + +[attestation_token] +trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] + +[attestation_service] +type = "intel_ta" +base_url = "https://api.trustauthority.intel.com" +api_key = "tBfd5kKX2x9ahbodKV1..." +certs_file = "https://portal.trustauthority.intel.com" + +[admin] +auth_public_key = "/kbs/kbs.pem" \ No newline at end of file diff --git a/kbs/test_data/configs/intel-ta-3.toml b/kbs/test_data/configs/intel-ta-3.toml new file mode 100644 index 0000000000..90b1580594 --- /dev/null +++ b/kbs/test_data/configs/intel-ta-3.toml @@ -0,0 +1,14 @@ +[http_server] +insecure_http = true + +[admin] +insecure_api = true + +[attestation_token] +trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] + +[attestation_service] +type = "intel_ta" +base_url = "https://api.trustauthority.intel.com" +api_key = "tBfd5kKX2x9ahbodKV1..." +certs_file = "https://portal.trustauthority.intel.com" From 2327280b2a9ee505a5eff9a5e9a1b799b32c8dac Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 15:17:52 +0800 Subject: [PATCH 139/298] KBS: fix CI, docs and exampled configurations This patch fixes example configurations of KBS inside this codebase. Also, it fixes the CI test and the docs. 
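Review bot: `api_key = "tBfd5kKX2x9ahbodKV1..."` in intel-ta-2.toml, and again in intel-ta-3.toml, reads like the truncated head of a real Intel Trust Authority key rather than an obvious dummy. Whether it was ever live cannot be told from the diff, but fixtures shaped like credentials trip secret scanners and make it harder to spot a real key committed by mistake. intel-ta-1.toml already uses `api_key = "this-is-a-key"`; the same placeholder in these two files, with the matching expected value in the `read_config` test cases, avoids both problems.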
Signed-off-by: Xynnn007 --- .github/workflows/kbs-docker-build.yml | 1 - .github/workflows/kbs-rust.yml | 4 +- deps/verifier/src/se/README.md | 2 +- kbs/Makefile | 5 +- kbs/README.md | 6 +- kbs/config/docker-compose/kbs-config.toml | 15 +- kbs/config/kbs-config-grpc.toml | 12 +- .../kbs-config-intel-trust-authority.toml | 10 +- kbs/config/kbs-config.toml | 26 +- kbs/config/kubernetes/base/kbs-config.toml | 20 +- kbs/config/kubernetes/ita/kbs-config.toml | 10 +- kbs/docker/Dockerfile | 2 +- kbs/docker/coco-as-grpc/Dockerfile | 2 +- kbs/docker/intel-trust-authority/Dockerfile | 2 +- kbs/docs/config.md | 299 +++++++++++------- kbs/docs/self-signed-https.md | 4 +- kbs/quickstart.md | 4 +- kbs/test/Makefile | 4 +- kbs/test/config/kbs.toml | 35 +- kbs/test/config/resource-kbs.toml | 12 +- kbs/test_data/configs/coco-as-builtin-3.toml | 3 +- 21 files changed, 289 insertions(+), 189 deletions(-) diff --git a/.github/workflows/kbs-docker-build.yml b/.github/workflows/kbs-docker-build.yml index 96faee36b8..ce7e61bcf5 100644 --- a/.github/workflows/kbs-docker-build.yml +++ b/.github/workflows/kbs-docker-build.yml @@ -16,7 +16,6 @@ jobs: - name: Build KBS Container Image run: | DOCKER_BUILDKIT=1 docker build -t kbs:coco-as . -f kbs/docker/Dockerfile; \ - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-openssl --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile; \ DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-grpc . -f kbs/docker/coco-as-grpc/Dockerfile; \ DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-rhel-ubi . -f kbs/docker/rhel-ubi/Dockerfile; \ DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-ita . -f kbs/docker/intel-trust-authority/Dockerfile diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml index ab6fefb0c3..eacd5a6aa0 100644 --- a/.github/workflows/kbs-rust.yml +++ b/.github/workflows/kbs-rust.yml 
@@ -56,11 +56,11 @@ jobs: working-directory: kbs run: make - - name: KBS Build [Built-in CoCo AS, OpenSSL] + - name: KBS Build [Built-in CoCo AS] working-directory: kbs run: make - - name: KBS Build [gRPC CoCo AS, RustTLS] + - name: KBS Build [gRPC CoCo AS] working-directory: kbs run: make COCO_AS_INTEGRATE_TYPE=grpc diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index d2cfa5a4ba..569d4c92f8 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md @@ -100,7 +100,7 @@ auth_public_key = "/kbs/kbs.pem" # https://cert-manager.io/docs/configuration/acme/ insecure_http = true -[attestation_token_config] +[attestation_token] insecure_key = true [as_config] diff --git a/kbs/Makefile b/kbs/Makefile index 90c6267d33..04652a016c 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -1,5 +1,4 @@ AS_TYPE ?= coco-as -POLICY_ENGINE ?= ALIYUN ?= false ARCH := $(shell uname -m) @@ -38,7 +37,7 @@ build: background-check-kbs .PHONY: background-check-kbs background-check-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(POLICY_ENGINE),$(FEATURES) + cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(FEATURES) .PHONY: passport-issuer-kbs passport-issuer-kbs: @@ -47,7 +46,7 @@ passport-issuer-kbs: .PHONY: passport-resource-kbs passport-resource-kbs: - cargo build -p kbs --locked --release --no-default-features --features resource,$(POLICY_ENGINE),$(FEATURES) + cargo build -p kbs --locked --release --no-default-features --features resource,$(FEATURES) mv ../target/release/kbs ../target/release/resource-kbs .PHONY: cli diff --git a/kbs/README.md b/kbs/README.md index 6b6e69c6e1..f09a926267 100644 --- a/kbs/README.md +++ b/kbs/README.md 
@@ -90,18 +90,16 @@ The Makefile supports a number of other configuration parameters. For example, ```shell -make background-check-kbs [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?] +make background-check-kbs [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?] ``` The parameters -- `POLICY_ENGINE`: The KBS has a policy engine to facilitate access control. This should not be confused with the policy engine in the AS, which determines whether or not TEE evidence is valid. `POLICY_ENGINE` determines which type of policy engine the KBS will use. Today only `opa` is supported. The KBS can also be built without a policy engine -if it is not required. - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`. - `COCO_AS_INTEGRATION_TYPE`: The KBS can connect to the CoCo AS in multiple ways. `COCO_AS_INTEGRATION_TYPE` can be set either to `grpc` or `builtin`. With `grpc` the KBS will make a remote connection to the AS. If you are manually building and configuring the components, you'll need to set them up so that this connection can be established. Similar to passport mode, the remote AS can be useful if secret provisioning and attestation verification are not in the same scope. With `builtin` the KBA uses the AS as a crate. This is recommended if you want to avoid the complexity of a remote connection. - `ALIYUN`: The kbs support aliyun KMS as secret storage backend. `true` to enable building this feature. By default it is `false`. ## HTTPS Support -The KBS can use HTTPS. This requires a crypto backend. +The KBS can use HTTPS. This is facilitated by openssl crypto backend. If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md). diff --git a/kbs/config/docker-compose/kbs-config.toml b/kbs/config/docker-compose/kbs-config.toml index 461d2aa549..9bb770fc9c 100644 
--- a/kbs/config/docker-compose/kbs-config.toml +++ b/kbs/config/docker-compose/kbs-config.toml @@ -1,9 +1,18 @@ +[http_server] sockets = ["0.0.0.0:8080"] -auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub" insecure_http = true -[attestation_token_config] +[attestation_token] insecure_key = true -[grpc_config] +[attestation_service] +type = "coco_as_grpc" as_addr = "http://as:50004" + +[admin] +auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" \ No newline at end of file diff --git a/kbs/config/kbs-config-grpc.toml b/kbs/config/kbs-config-grpc.toml index 4bc5969173..45d2c08657 100644 --- a/kbs/config/kbs-config-grpc.toml +++ b/kbs/config/kbs-config-grpc.toml @@ -1,9 +1,13 @@ +[http_server] insecure_http = true -insecure_api = true -[attestation_token_config] +[attestation_token] insecure_key = true -[grpc_config] +[attestation_service] +type = "coco_as_grpc" as_addr = "http://127.0.0.1:50004" -pool_size = 200 \ No newline at end of file +pool_size = 200 + +[admin] +insecure_api = true \ No newline at end of file diff --git a/kbs/config/kbs-config-intel-trust-authority.toml b/kbs/config/kbs-config-intel-trust-authority.toml index 070841da69..90b1580594 100644 --- a/kbs/config/kbs-config-intel-trust-authority.toml +++ b/kbs/config/kbs-config-intel-trust-authority.toml @@ -1,10 +1,14 @@ +[http_server] insecure_http = true + +[admin] insecure_api = true -[attestation_token_config] -trusted_certs_paths = ["https://portal.trustauthority.intel.com"] +[attestation_token] +trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] -[intel_trust_authority_config] +[attestation_service] +type = "intel_ta" base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" 
diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml index 7b99f03599..b510696087 100644 --- a/kbs/config/kbs-config.toml +++ b/kbs/config/kbs-config.toml @@ -1,24 +1,28 @@ +[http_server] insecure_http = true -insecure_api = true -[attestation_token_config] -insecure_key = true +[attestation_token] +insecure_api = true -[repository_config] +[repository] type = "LocalFs" dir_path = "/opt/confidential-containers/kbs/repository" -[as_config] +[attestation_service] +type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" -[as_config.attestation_token_config] -duration_min = 5 + [attestation_service.attestation_token_config] + duration_min = 5 -[as_config.rvps_config] -store_type = "LocalFs" -remote_addr = "" + [attestation_service.rvps_config] + store_type = "LocalFs" + remote_addr = "" -[policy_engine_config] +[policy_engine] policy_path = "/opa/confidential-containers/kbs/policy.rego" + +[admin] +insecure_api = true \ No newline at end of file diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 67d01a6ffa..5256b8c8dc 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml 
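Review bot: `insecure_api = true` ends up under `[attestation_token]` in kbs/config/kbs-config.toml, where it replaces the old `insecure_key = true`, and the same key is set again under `[admin]` at the end of the file. The config.md tables changed in this commit list `insecure_api` as an `[admin]` property and `insecure_key` (default `false`) as the `[attestation_token]` one, so this looks like a slip. Depending on parser code not shown here, the stray key is either rejected at load time or ignored, in which case the sample silently switches to strict JWK checking with neither `trusted_jwk_sets` nor `trusted_certs_paths` configured. If the sample is meant to keep its previous behaviour, the section should read `[attestation_token]` followed by `insecure_key = true`; otherwise drop the line and configure a trust anchor explicitly.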
@@ -1,20 +1,24 @@ +[http_server] sockets = ["0.0.0.0:8080"] -auth_public_key = "/kbs/kbs.pem" # Ideally we should use some solution like cert-manager to issue let's encrypt based certificate: # https://cert-manager.io/docs/configuration/acme/ insecure_http = true -[attestation_token_config] +[attestation_token] insecure_key = true -[as_config] +[attestation_service] +type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" -[as_config.attestation_token_config] -duration_min = 5 + [attestation_service.attestation_token_config] + duration_min = 5 -[as_config.rvps_config] -store_type = "LocalFs" -remote_addr = "" + [attestation_service.rvps_config] + store_type = "LocalFs" + remote_addr = "" + +[admin] +auth_public_key = "/kbs/kbs.pem" \ No newline at end of file diff --git a/kbs/config/kubernetes/ita/kbs-config.toml b/kbs/config/kubernetes/ita/kbs-config.toml index 044864e78d..ef942819c9 100644 --- a/kbs/config/kubernetes/ita/kbs-config.toml +++ b/kbs/config/kubernetes/ita/kbs-config.toml @@ -1,13 +1,17 @@ +[http_server] sockets = ["0.0.0.0:8080"] -auth_public_key = "/kbs/kbs.pem" # Ideally we should use some solution like cert-manager to issue let's encrypt based certificate: # https://cert-manager.io/docs/configuration/acme/ insecure_http = true -[attestation_token_config] +[attestation_token] trusted_certs_paths = ["https://portal.trustauthority.intel.com"] -[intel_trust_authority_config] +[attestation_service] +type = "intel_ta" base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" + +[admin] +auth_public_key = "/kbs/kbs.pem" \ No newline at end of file diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index ec9ae43f82..c2dcf2746d 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile 
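Review bot: `trusted_certs_paths = ["https://portal.trustauthority.intel.com"]` is carried over unchanged under the renamed `[attestation_token]` section of kbs/config/kubernetes/ita/kbs-config.toml, while the sibling kbs/config/kbs-config-intel-trust-authority.toml in this commit moves the same value to `trusted_jwk_sets`. config.md describes `trusted_certs_paths` as PEM certificate files and `trusted_jwk_sets` as `file://` or `https://` URLs, so the Kubernetes overlay probably needs the same change: `trusted_jwk_sets = ["https://portal.trustauthority.intel.com"]`. Left as it is, the deployment may start without a usable trust anchor for Intel TA tokens or fail to load; the loader is not visible in this diff, so which of the two applies should be confirmed.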
@@ -36,7 +36,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s WORKDIR /usr/src/kbs COPY . . -RUN cd kbs && make AS_FEATURE=coco-as-builtin POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ +RUN cd kbs && make AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} && \ make install-kbs FROM ubuntu:22.04 diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile index 654d227796..143da4f80f 100644 --- a/kbs/docker/coco-as-grpc/Dockerfile +++ b/kbs/docker/coco-as-grpc/Dockerfile @@ -8,7 +8,7 @@ COPY . . RUN apt-get update && apt install -y protobuf-compiler git # Build and Install KBS -RUN cd kbs && make AS_FEATURE=coco-as-grpc POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ +RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} && \ make install-kbs FROM ubuntu:22.04 diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile index d7be1aa7d4..cdd1bded90 100644 --- a/kbs/docker/intel-trust-authority/Dockerfile +++ b/kbs/docker/intel-trust-authority/Dockerfile @@ -7,7 +7,7 @@ COPY . . RUN apt-get update && apt install -y git # Build and Install KBS -RUN cd kbs && make AS_FEATURE=intel-trust-authority-as POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ +RUN cd kbs && make AS_FEATURE=intel-trust-authority-as ALIYUN=${ALIYUN} && \ make install-kbs FROM ubuntu:22.04 diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 1d2498bf17..63013534b8 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
@@ -16,33 +16,31 @@ environment variable. The following sections list the KBS properties which can be set through the configuration file. -### Global Properties +### HTTP Server Configuration -The following properties can be set globally, i.e. not under any configuration -section: +The following properties can be set under the `[http_server]` section. | Property | Type | Description | Required | Default | |--------------------------|--------------|------------------------------------------------------------------------------------------------------------|----------|----------------------| | `sockets` | String array | One or more sockets to listen on. | No | `["127.0.0.1:8080"]` | -| `insecure_api` | Boolean | Enable KBS insecure APIs such as Resource Registration without JWK verification. | No | `false` | | `insecure_http` | Boolean | Don't use TLS for the KBS HTTP endpoint. | No | `false` | -| `timeout` | Integer | HTTP session timeout in minutes. | No | `5` | -| `private_key` | String | Path to a private key file to be used for HTTPS. | No | - | -| `certificate` | String | Path to a certificate file to be used for HTTPS. | No | - | -| `auth_public_key` | String | Path to a public key file to be used for authenticating the resource registration endpoint token (JWT). | No | - | +| `private_key` | String | Path to a private key file to be used for HTTPS. | No | None | +| `certificate` | String | Path to a certificate file to be used for HTTPS. | No | None | ### Attestation Token Configuration -The following properties can be set under the `attestation_token_config` section. +Attestation Token configuration controls attestation token verifications. This +is important when a resource retrievement is handled by KBS. Usually an attestation +token will be together with the request, and KBS will first verify the token. ->This section is available only when the `resource` feature is enabled. +The following properties can be set under the `[attestation_token]` section. 
-| Property | Type | Description | Required | Default | -|----------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------| -| `trusted_jwk_sets` | String Array | Valid Url (`file://` or `https://`) pointing to trusted JWKSets (local or OpenID) for Attestation Tokens trustworthy verification | No | - | -| `trusted_certs_paths` | String Array | Trusted Certificates file (PEM format) for Attestation Tokens trustworthy verification | No | - | -| `extra_teekey_paths` | String Array | User defined paths to the tee public key in the JWT body | No | - | -| `insecure_key` | Boolean | Whether to check the trustworthy of the JWK inside JWT. See comments. | No | `false` | +| Property | Type | Description | Default | +|----------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| `trusted_jwk_sets` | String Array | Valid Url (`file://` or `https://`) pointing to trusted JWKSets (local or OpenID) for Attestation Tokens trustworthy verification | Empty | +| `trusted_certs_paths` | String Array | Trusted Certificates file (PEM format) for Attestation Tokens trustworthy verification | Empty | +| `extra_teekey_paths` | String Array | User defined paths to the tee public key in the JWT body | Empty | +| `insecure_key` | Boolean | Whether to check the trustworthy of the JWK inside JWT. See comments. | `false` | Each JWT contains a TEE Public Key. Users can use the `extra_teekey_paths` field to additionally specify the path of this Key in the JWT. Example of `extra_teekey_paths` is `/attester_runtime_data/tee-pubkey` which refers to the key 
@@ -60,117 +58,114 @@ For Attestation Services like Intel TA, there will only be a `kid` field inside The `kid` field is used to look up the trusted jwk configured by KBS via `trusted_jwk_sets` to verify the integrity and trustworthy of the JWT. -### Repository Configuration +### Attestation Configuration -The following properties can be set under the `repository_config` section. +Attestation configuration defines the attestation service that KBS' RCAR protocol +will leverage. -This section is **optional**. When omitted, a default configuration is used. - -Repository configuration is **specific to a repository type**. See the following sections for -type-specific properties. +The following properties can be set under the `[attestation_service]` section. ->This section is available only when the `resource` feature is enabled. Only one repository is available at a time. +Concrete attestation service can be set via `type` field. Supported attestation +services are +- `coco_as_builtin`: CoCo AS that built inside KBS binary +- `coco_as_grpc`: CoCo AS service running remotely +- `intel_ta`: Intel® Trust Authority -| Property | Type | Description | Required | Default | -|----------|--------|-----------------------------------------------------------------|----------|-----------| -| `type` | String | The resource repository type. Valid values: `LocalFs`, `Aliyun` | Yes | `LocalFs` | +Due to different `type` field, properties are different. -**`LocalFs` Properties** +#### Built-In CoCo AS -| Property | Type | Description | Required | Default | -|------------|--------|---------------------------------|----------|-----------------------------------------------------| -| `dir_path` | String | Path to a repository directory. | No | `/opt/confidential-containers/kbs/repository` | - -**`Aliyun` Properties** +When `type` is set to `coco_as_builtin`, the following properties can be set. 
-| Property | Type | Description | Required | Example | -|-------------------|--------|-----------------------------------|----------|-----------------------------------------------------| -| `client_key` | String | The KMS instance's AAP client key | Yes | `{"KeyId": "KA..", "PrivateKeyData": "MIIJqwI..."}` | -| `kms_instance_id` | String | The KMS instance id | Yes | `kst-shh668f7...` | -| `password` | String | AAP client key password | Yes | `8f9989c18d27...` | -| `cert_pem` | String | CA cert for the KMS instance | Yes | `-----BEGIN CERTIFICATE----- ...` | - -### Native Attestation - -The following properties can be set under the `as_config` section. - -This section is **optional**. When omitted, a default configuration is used. - ->This section is available only when one or more of the following features are enabled: +>Built-In CoCo AS is available only when one or more of the following features are enabled: >`coco-as-builtin`, `coco-as-builtin-no-verifier` -| Property | Type | Description | Required | Default | -|----------------------------|-----------------------------|-----------------------------------------------------|----------|---------| -| `work_dir` | String | The location for Attestation Service to store data. | Yes | - | -| `policy_engine` | String | Policy engine type. Valid values: `opa` | Yes | - | -| `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | Yes | - | -| `attestation_token_broker` | String | Type of the attestation result token broker. | Yes | - | -| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | Yes | - | +| Property | Type | Description | Default | +|----------------------------|-----------------------------|-----------------------------------------------------|----------| +| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | 5 | +| `work_dir` | String | The location for Attestation Service to store data. 
| First try from env `AS_WORK_DIR`. If no this env, then use `/opt/confidential-containers/attestation-service` | +| `policy_engine` | String | Policy engine type. Valid values: `opa` | `opa` | +| `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] | +| `attestation_token_broker` | String | Type of the attestation result token broker. | `Simple` | +| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] | [1]: #attestationtokenconfig [2]: #rvps-configuration -#### AttestationTokenConfig -| Property | Type | Description | Required | Default | -|----------------|-------------------------|------------------------------------------------------|----------|---------| -| `duration_min` | Integer | Duration of the attestation result token in minutes. | Yes | - | -| `issuer_name` | String | Issure name of the attestation result token. | No | - | -| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | - | +##### AttestationTokenConfig + +| Property | Type | Description | Default | +|----------------|-------------------------|------------------------------------------------------|----------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | 5 | +| `issuer_name` | String | Issure name of the attestation result token. | `CoCo-Attestation-Service` | +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | None | [1]: #tokensignerconfig -#### TokenSignerConfig +##### TokenSignerConfig -This section is **optional**. When omitted, a new RSA key pair is generated and used. +This section is **optional**. When omitted, an ephemeral RSA key pair is generated and used. 
-| Property | Type | Description | Required | Default | -|----------------|---------|----------------------------------------------------------|----------|---------| -| `key_path` | String | RSA Key Pair file (PEM format) path. | Yes | - | -| `cert_url` | String | RSA Public Key certificate chain (PEM format) URL. | No | - | -| `cert_path` | String | RSA Public Key certificate chain (PEM format) file path. | No | - | +| Property | Type | Description | Required | +|----------------|---------|----------------------------------------------------------|----------| +| `key_path` | String | RSA Key Pair file (PEM format) path. | Yes | +| `cert_url` | String | RSA Public Key certificate chain (PEM format) URL. | No | +| `cert_path` | String | RSA Public Key certificate chain (PEM format) file path. | No | -#### RVPS Configuration +##### RVPS Configuration -| Property | Type | Description | Required | Default | -|----------------|-------------------------|------------------------------------------------------|----------|---------| -| `remote_addr` | String | Remote RVPS' address. If this is specified, will use a remote RVPS. Or a local RVPS will be configured with `store_type` and `store_config`| Conditional | - | -| `store_type` | String | Used if `remote_addr` is not set. The underlying storage type of RVPS. | Conditional | - | -| `store_config` | JSON Map | Used if `remote_addr` is not set. The optional configurations to the underlying storage. | Conditional | - | +| Property | Type | Description | Default | +|----------------|-------------------------|------------------------------------------------------|---------| +| `remote_addr` | String | Remote RVPS' address. If this is specified, will use a remote RVPS. Or a local RVPS will be configured with `store_type` and `store_config`| Empty | +| `store_type` | String | Used if `remote_addr` is not set. The underlying storage type of RVPS. | `LocalFs` | +| `store_config` | JSON Map | Used if `remote_addr` is not set. 
The optional configurations to the underlying storage. | Empty | Different `store_type` will have different `store_config` items. See the details of `store_config` in [concrete implementations of storages](../../rvps/src/store/). -### gRPC Attestation +#### gRPC CoCo AS -The following properties can be set under the `grpc_config` section. +When `type` is set to `coco_as_grpc`, KBS will try to connect a remote CoCo AS for +attestation. The following properties can be set. -This section is **optional**. When omitted, a default configuration is used. +>gRPC CoCo AS is available only when `coco-as-grpc` feature is enabled. ->This section is available only when the `coco-as-grpc` feature is enabled. +| Property | Type | Description | Default | +|----------------------------|-----------------------------|-----------------------------------------------------|----------| +| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | 5 | +| `as_addr` | String | The URL of the remote CoCoAS | `http://127.0.0.1:50004` | +| `pool_size` | Integer | The connections between KBS and CoCoAS are maintained in a conenction pool. This property determines the max size of the pool | `100` | -| Property | Type | Description | Required | Default | -|-----------|--------|------------------------------|----------|--------------------------| -| `as_addr` | String | Attestation service address. | No | `http://127.0.0.1:50004` | +#### Intel® TA -### Intel Trust Authority (formerly known as Amber) +When `type` is set to `intel_ta`, KBS will try to connect a remote Intel TA service for +attestation. The following properties can be set. -The following properties can be set under the `intel_trust_authority_config` section. +>gRPC CoCo AS is available only when `coco-as-grpc` feature is enabled. ->This section is available only when the `intel-trust-authority-as` feature is enabled. 
- -| Property | Type | Description | Required | Default | -|--------------------------|---------|------------------------------------------------------------------------------------------|-------------------------|---------| -| `base_url` | String | Intel Trust Authority API URL. | Yes | - | -| `api_key` | String | Intel Trust Authority API key. | Yes | - | -| `certs_file` | String | URL to an Intel Trust Authority portal or path to JWKS file used for token verification. | Yes | - | -| `allow_unmatched_policy` | Boolean | Determines whether to ignore the `policy_ids_unmatched` token claim. | No | false | +| Property | Type | Description | Required | Default | +|--------------------------|---------|------------------------------------------------------------------------------------------|----------|---------| +| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | No | 5 | +| `base_url` | String | Intel Trust Authority API URL. | Yes | - | +| `api_key` | String | Intel Trust Authority API key. | Yes | - | +| `certs_file` | String | URL to an Intel Trust Authority portal or path to JWKS file used for token verification. | Yes | - | +| `allow_unmatched_policy` | Boolean | Determines whether to ignore the `policy_ids_unmatched` token claim. | No | false | Detailed [documentation](https://docs.trustauthority.intel.com). +### Admin API Configuration + +The following properties can be set under the `[admin]` section. 
+ +| Property | Type | Description | Required | Default | +|--------------------------|--------------|------------------------------------------------------------------------------------------------------------|----------|----------------------| +| `auth_public_key` | String | Path to the public key used to authenticate the admin APIs | No | None | +| `insecure_api` | Boolean | Whether KBS will not verify the public key when called admin APIs | No | `false` | + ### Policy Engine Configuration -The following properties can be set under the `policy_engine_config` section. +The following properties can be set under the `[policy_engine]` section. This section is **optional**. When omitted, a default configuration is used. 
@@ -178,72 +173,144 @@ This section is **optional**. When omitted, a default configuration is used. |--------------------------|---------|------------------------------------------------------------------------------------------------------------|-------------------------|------------------------------------------------| | `policy_path` | String | Path to a file containing a policy for evaluating whether the TCB status has access to specific resources. | No | `/opa/confidential-containers/kbs/policy.rego` | +### Plugins Configuration + +KBS supports different kinds of plugins, and they can be enabled via add corresponding configs. + +Multiple `[[plugins]]` sections are allowed at the same time for different plugins. +Concrete attestation service can be set via `name` field. + +#### Resource Configuration + +The `name` field is `resource` to enable this plugin. + +Resource plugin allows user with proper attestation token to access storage that KBS keeps. +This is also called "Repository" in old versions. The properties to be configured are listed. + +| Property | Type | Description | Required | Default | +|----------|--------|-----------------------------------------------------------------|----------|-----------| +| `type` | String | The resource repository type. Valid values: `LocalFs`, `Aliyun` | Yes | `LocalFs` | + +**`LocalFs` Properties** + +| Property | Type | Description | Required | Default | +|------------|--------|---------------------------------|----------|-----------------------------------------------------| +| `dir_path` | String | Path to a repository directory. 
| No | `/opt/confidential-containers/kbs/repository` | + +**`Aliyun` Properties** + +| Property | Type | Description | Required | Example | +|-------------------|--------|-----------------------------------|----------|-----------------------------------------------------| +| `client_key` | String | The KMS instance's AAP client key | Yes | `{"KeyId": "KA..", "PrivateKeyData": "MIIJqwI..."}` | +| `kms_instance_id` | String | The KMS instance id | Yes | `kst-shh668f7...` | +| `password` | String | AAP client key password | Yes | `8f9989c18d27...` | +| `cert_pem` | String | CA cert for the KMS instance | Yes | `-----BEGIN CERTIFICATE----- ...` | + ## Configuration Examples -Running with a built-in native attestation service: +Using a built-in CoCo AS: ```toml +[http_server] +sockets = ["0.0.0.0:8080"] insecure_http = true + +[admin] insecure_api = true -[repository_config] -type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" +[attestation_token] -[as_config] +[attestation_service] +type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -rvps_store_type = "LocalFs" attestation_token_broker = "Simple" -[as_config.attestation_token_config] -duration_min = 5 + [attestation_service.attestation_token_config] + duration_min = 5 + + [attestation_service.rvps_config] + store_type = "LocalFs" + remote_addr = "" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" ``` -Running the attestation service remotely: +Using a remote CoCo AS: ```toml +[http_server] insecure_http = true + +[admin] insecure_api = true -[repository_config] +[attestation_service] +type = "coco_as_grpc" +as_addr = "http://127.0.0.1:50004" + +[[plugins]] +name = "resource" type = "LocalFs" dir_path = "/opt/confidential-containers/kbs/repository" - -[grpc_config] -as_addr = "http://127.0.0.1:50004" ``` Running with Intel Trust Authority attestation service: ```toml 
-insecure_http = true -insecure_api = true +[http_server] +sockets = ["0.0.0.0:8080"] +private_key = "/etc/kbs-private.key" +certificate = "/etc/kbs-cert.pem" +insecure_http = false -[attestation_token_config] +[attestation_token] trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] -[repository_config] -type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" +[attestation_token] -[intel_trust_authority_config] +[attestation_service] +type = "intel_ta" base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" allow_unmatched_policy = true + +[admin] +auth_public_key = "/etc/kbs-admin.pub" +insecure_api = false + +[policy_engine] +policy_path = "/etc/kbs-policy.rego" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" ``` Distributing resources in Passport mode: ```toml +[http_server] +sockets = ["127.0.0.1:50002"] insecure_http = true -insecure_api = true -[repository_config] -type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" +[admin] +auth_public_key = "./work/kbs.pem" + +[attestation_token] +trusted_certs_paths = ["./work/ca-cert.pem"] +insecure_key = false -[policy_engine_config] -policy_path = "/opt/confidential-containers/kbs/policy.rego" +[policy_engine] +policy_path = "./work/kbs-policy.rego" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "./work/repository" ``` diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md index 4c36f62f8a..e278ba51fa 100644 --- a/kbs/docs/self-signed-https.md +++ b/kbs/docs/self-signed-https.md @@ -71,7 +71,7 @@ auth_public_key = "/etc/public.pub" insecure_api = true -[attestation_token_config] +[attestation_token] insecure_key = true [repository_config] 
@@ -84,7 +84,7 @@ policy_engine = "opa" rvps_store_type = "LocalFs" attestation_token_broker = "Simple" -[as_config.attestation_token_config] +[as_config.attestation_token] duration_min = 5 [as_config.rvps_config] diff --git a/kbs/quickstart.md b/kbs/quickstart.md index 5466fff13d..8447f3057a 100644 --- a/kbs/quickstart.md +++ b/kbs/quickstart.md @@ -48,7 +48,7 @@ and pass it to the KBS server through startup parameters. Build KBS in Background Check mode: ```shell -make background-check-kbs POLICY_ENGINE=opa +make background-check-kbs sudo make install-kbs ``` @@ -112,7 +112,7 @@ issuer-kbs --socket 127.0.0.1:50001 --insecure-http --auth-public-key config/pub Build and start KBS for resource distribution: ```shell -make passport-resource-kbs POLICY_ENGINE=opa +make passport-resource-kbs make install-resource-kbs resource-kbs --socket 127.0.0.1:50002 --insecure-http --auth-public-key config/public.pub ``` diff --git a/kbs/test/Makefile b/kbs/test/Makefile index ae67f77a4b..6671fa0b8a 100644 --- a/kbs/test/Makefile +++ b/kbs/test/Makefile @@ -82,12 +82,12 @@ install-dependencies: kbs: cd $(PROJECT_DIR) && \ - make background-check-kbs POLICY_ENGINE=opa && \ + make background-check-kbs && \ install -D --compare $(PROJECT_DIR)/../target/release/kbs $(CURDIR)/kbs resource-kbs: cd $(PROJECT_DIR) && \ - make passport-resource-kbs POLICY_ENGINE=opa && \ + make passport-resource-kbs && \ install -D --compare $(PROJECT_DIR)/../target/release/resource-kbs $(CURDIR)/resource-kbs client: diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index 7c6314ab5a..f8ba5c4008 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml 
@@ -1,31 +1,36 @@ +[http_server] sockets = ["127.0.0.1:8080"] -auth_public_key = "./work/kbs.pem" - private_key = "./work/https.key" certificate = "./work/https.crt" +insecure_http = false -[attestation_token_config] -trusted_certs_paths = ["./work/token-cert.pem"] +[attestation_token] +insecure_key = false +trusted_certs_paths = ["./work/ca-cert.pem"] -[repository_config] +[repository] type = "LocalFs" dir_path = "./work/repository" -[as_config] +[attestation_service] +type = "coco_as_builtin" work_dir = "./work/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" -[as_config.attestation_token_config] -duration_min = 5 + [attestation_service.attestation_token_config] + duration_min = 5 -[as_config.attestation_token_config.signer] -key_path = "./work/token.key" -cert_path = "./work/token-cert-chain.pem" + [attestation_service.attestation_token_config.signer] + key_path = "./work/token.key" + cert_path = "./work/token-cert-chain.pem" -[as_config.rvps_config] -store_type = "LocalFs" -remote_addr = "" + [attestation_service.rvps_config] + store_type = "LocalFs" + remote_addr = "" -[policy_engine_config] +[policy_engine] policy_path = "./work/kbs-policy.rego" + +[admin] +auth_public_key = "./work/kbs.pem" \ No newline at end of file diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml index 8abbec27eb..5b8ce37db1 100644 --- a/kbs/test/config/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml @@ -1,13 +1,17 @@ +[http_server] sockets = ["127.0.0.1:50002"] -auth_public_key = "./work/kbs.pem" insecure_http = true -[attestation_token_config] +[admin] +auth_public_key = "./work/kbs.pem" + +[attestation_token] trusted_certs_paths = ["./work/ca-cert.pem"] +insecure_key = false -[repository_config] +[repository] type = "LocalFs" dir_path = "./work/repository" -[policy_engine_config] +[policy_engine] policy_path = "./work/kbs-policy.rego" 
diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index 20d8df7b8c..13186fe02a 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml @@ -1,8 +1,7 @@ [http_server] insecure_http = true -[attestation_token_config] -type = "CoCo" +[attestation_token] [repository] type = "LocalFs" From 13baed470eeae5f32856c0a7fd6d5713a28262d1 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 15:19:51 +0800 Subject: [PATCH 140/298] AS: reorder the dep in lexicographic order Signed-off-by: Xynnn007 --- attestation-service/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attestation-service/Cargo.toml b/attestation-service/Cargo.toml index 529fa6efb8..237ce6d46f 100644 --- a/attestation-service/Cargo.toml +++ b/attestation-service/Cargo.toml @@ -50,9 +50,9 @@ log.workspace = true openssl = "0.10.55" prost = { workspace = true, optional = true } rand = "0.8.5" -rsa = { version = "0.9.2", features = ["sha2"] } reference-value-provider-service = { path = "../rvps", optional = true } regorus.workspace = true +rsa = { version = "0.9.2", features = ["sha2"] } serde.workspace = true serde_json.workspace = true serde_variant = "0.1.2" From f5bce85eace940894de611d497445e8f38f76b59 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 27 Sep 2024 15:21:34 +0800 Subject: [PATCH 141/298] KBS: change default feature to all backend AS and resource Now the KBS could be built with support for all backend ASes and enable one of them runtimely due to configuration file. Signed-off-by: Xynnn007 --- kbs/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 6414ebdc1e..de2b4a48e9 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml 
@@ -7,7 +7,7 @@ documentation.workspace = true edition.workspace = true [features] -default = ["coco-as-builtin", "resource", "opa"] +default = ["coco-as-builtin", "coco-as-grpc", "intel-trust-authority-as", "resource"] # Feature that allows to access resources from KBS resource = ["rsa", "reqwest", "aes-gcm", "jsonwebtoken"] From 9fb3eefde9c2a6601ac055adba9d523fb2a0ab9d Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 30 Oct 2024 10:03:29 +0800 Subject: [PATCH 142/298] KBS: Use one API to serve both admin and user requests This patch uses a single logic to handle all different requests built upon plugin system. Also, resource module is by default a plugin and will be enabled by default. Signed-off-by: Xynnn007 --- kbs/Cargo.toml | 15 +- kbs/Makefile | 10 +- kbs/src/api_server.rs | 192 ++++++------------ kbs/src/attestation/config.rs | 31 +++ .../attestation/intel_trust_authority/mod.rs | 2 +- kbs/src/config.rs | 115 ++++------- kbs/src/error.rs | 4 - kbs/src/lib.rs | 3 - kbs/test/config/kbs.toml | 11 +- kbs/test/config/resource-kbs.toml | 9 +- kbs/test_data/configs/coco-as-builtin-3.toml | 11 +- kbs/test_data/configs/coco-as-grpc-1.toml | 13 +- kbs/test_data/configs/intel-ta-1.toml | 13 +- 13 files changed, 179 insertions(+), 250 deletions(-) diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index de2b4a48e9..6121655d29 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -7,10 +7,7 @@ documentation.workspace = true edition.workspace = true [features] -default = ["coco-as-builtin", "coco-as-grpc", "intel-trust-authority-as", "resource"] - -# Feature that allows to access resources from KBS -resource = ["rsa", "reqwest", "aes-gcm", "jsonwebtoken"] +default = ["coco-as-builtin", "coco-as-grpc", "intel-trust-authority-as"] # Support a backend attestation service for KBS as = [] 
@@ -28,7 +25,7 @@ coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"] coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"] # Use Intel TA as backend attestation service -intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"] +intel-trust-authority-as = ["as", "az-cvm-vtpm"] # Use aliyun KMS as KBS backend aliyun = ["kms/aliyun"] @@ -36,7 +33,7 @@ aliyun = ["kms/aliyun"] [dependencies] actix-web = { workspace = true, features = ["openssl"] } actix-web-httpauth.workspace = true -aes-gcm = { version = "0.10.1", optional = true } +aes-gcm = "0.10.1" anyhow.workspace = true async-trait.workspace = true attestation-service = { path = "../attestation-service", default-features = false, optional = true } @@ -45,7 +42,7 @@ cfg-if.workspace = true clap = { workspace = true, features = ["derive", "env"] } config.workspace = true env_logger.workspace = true -jsonwebtoken = { workspace = true, default-features = false, optional = true } +jsonwebtoken = { workspace = true, default-features = false } jwt-simple.workspace = true kbs-types.workspace = true kms = { workspace = true, default-features = false } @@ -56,8 +53,8 @@ prost = { workspace = true, optional = true } rand = "0.8.5" regex = "1.11.1" regorus.workspace = true -reqwest = { workspace = true, features = ["json"], optional = true } -rsa = { version = "0.9.2", optional = true, features = ["sha2"] } +reqwest = { workspace = true, features = ["json"] } +rsa = { version = "0.9.2", features = ["sha2"] } scc = "2" semver = "1.0.16" serde = { workspace = true, features = ["derive"] } diff --git a/kbs/Makefile b/kbs/Makefile index 04652a016c..b6f4d88041 100644 --- a/kbs/Makefile +++ b/kbs/Makefile 
@@ -16,9 +16,9 @@ COCO_AS_INTEGRATION_TYPE ?= builtin INSTALL_DESTDIR ?= /usr/local/bin ifeq ($(AS_TYPE), coco-as) - AS_FEATURE = $(AS_TYPE)-$(COCO_AS_INTEGRATION_TYPE) -else - AS_FEATURE = $(AS_TYPE) + AS_FEATURE += $(AS_TYPE)-$(COCO_AS_INTEGRATION_TYPE), +else ifneq ($(AS_TYPE), ) + AS_FEATURE += $(AS_TYPE), endif ifeq ($(ALIYUN), true) @@ -37,7 +37,7 @@ build: background-check-kbs .PHONY: background-check-kbs background-check-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(FEATURES) + cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),$(AS_FEATURE) .PHONY: passport-issuer-kbs passport-issuer-kbs: @@ -46,7 +46,7 @@ passport-issuer-kbs: .PHONY: passport-resource-kbs passport-resource-kbs: - cargo build -p kbs --locked --release --no-default-features --features resource,$(FEATURES) + cargo build -p kbs --locked --release --no-default-features --features $(FEATURES), mv ../target/release/kbs ../target/release/resource-kbs .PHONY: cli diff --git a/kbs/src/api_server.rs b/kbs/src/api_server.rs index 8d4f05772d..694f5cdd0f 100644 --- a/kbs/src/api_server.rs +++ b/kbs/src/api_server.rs @@ -12,7 +12,7 @@ use log::info; use crate::{ admin::Admin, config::KbsConfig, jwe::jwe, plugins::PluginManager, policy_engine::PolicyEngine, - resource::ResourceDesc, token::TokenVerifier, Error, Result, + token::TokenVerifier, Error, Result, }; const KBS_PREFIX: &str = "/kbs/v0"; @@ -28,9 +28,6 @@ macro_rules! kbs_path { pub struct ApiServer { plugin_manager: PluginManager, - #[cfg(feature = "resource")] - resource_storage: crate::resource::ResourceStorage, - #[cfg(feature = "as")] attestation_service: crate::attestation::AttestationService, 
@@ -61,15 +58,12 @@ impl ApiServer { } pub async fn new(config: KbsConfig) -> Result { - let plugin_manager = PluginManager::try_from(config.client_plugins.clone())?; + let plugin_manager = PluginManager::try_from(config.plugins.clone()) + .map_err(|e| Error::PluginManagerInitialization { source: e })?; let token_verifier = TokenVerifier::from_config(config.attestation_token.clone()).await?; let policy_engine = PolicyEngine::new(&config.policy_engine).await?; let admin_auth = Admin::try_from(config.admin.clone())?; - #[cfg(feature = "resource")] - let resource_storage = - crate::resource::ResourceStorage::try_from(config.repository.clone())?; - #[cfg(feature = "as")] let attestation_service = crate::attestation::AttestationService::new(config.attestation_service.clone()).await?; @@ -81,9 +75,6 @@ impl ApiServer { admin_auth, token_verifier, - #[cfg(feature = "resource")] - resource_storage, - #[cfg(feature = "as")] attestation_service, }) @@ -110,13 +101,8 @@ impl ApiServer { .app_data(web::Data::new(api_server)) .service( web::resource([kbs_path!("{plugin}{sub_path:.*}")]) - .route(web::get().to(client)) - .route(web::post().to(client)), - ) - .service( - web::resource([kbs_path!("admin/{plugin}/{sub_path:.*}")]) - .route(web::get().to(admin)) - .route(web::post().to(admin)), + .route(web::get().to(api)) + .route(web::post().to(api)), ) } }); @@ -145,8 +131,8 @@ impl ApiServer { } } -/// Client APIs. /kbs/v0/XXX -pub(crate) async fn client( +/// APIs +pub(crate) async fn api( request: HttpRequest, body: web::Bytes, core: web::Data, 
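Review bot: The new doc comment `/// APIs` on `api` (hunk `@@ -145,8 +131,8 @@`) removes the only description of what this handler serves, just as it becomes the single entry point for both admin-key and attestation-token requests. I would state the authorization model there, for example `/// Single entry point for /kbs/v0/{plugin}{sub_path}: built-in endpoints first, then plugins; each call is gated by admin auth or by attestation token plus policy.` The route hunk above it (`@@ -110,13 +101,8 @@`) deletes the separate `admin/{plugin}/{sub_path:.*}` resource, so the routing table no longer shows which requests are privileged. The body of `api` continues outside this hunk.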
@@ -182,136 +168,84 @@ pub(crate) async fn client( .map_err(From::from), #[cfg(feature = "as")] "attestation-policy" if request.method() == Method::POST => { - core.admin_auth.validate_auth(&request)?; - core.attestation_service.set_policy(&body).await?; Ok(HttpResponse::Ok().finish()) } + // TODO: consider to rename the api name for it is not only for + // resource retrievement but for all plugins. "resource-policy" if request.method() == Method::POST => { core.admin_auth.validate_auth(&request)?; - core.policy_engine.set_policy(&body).await?; Ok(HttpResponse::Ok().finish()) } - #[cfg(feature = "resource")] - "resource" => { - if request.method() == Method::GET { - // Resource APIs needs to be authorized by the Token and policy - let resource_desc = - sub_path - .strip_prefix('/') - .ok_or(Error::IllegalAccessedPath { - path: end_point.clone(), - })?; - - let token = core - .get_attestation_token(&request) - .await - .map_err(|_| Error::TokenNotFound)?; - - let claims = core.token_verifier.verify(token).await?; - - let claim_str = serde_json::to_string(&claims)?; - if !core - .policy_engine - .evaluate(resource_desc, &claim_str) - .await? 
- { - return Err(Error::PolicyDeny); - }; - - let resource_description = ResourceDesc::try_from(resource_desc)?; - let resource = core - .resource_storage - .get_secret_resource(resource_description) - .await?; - - let public_key = core.token_verifier.extract_tee_public_key(claims)?; - let jwe = jwe(public_key, resource).map_err(|e| Error::JweError { source: e })?; - - let res = serde_json::to_string(&jwe)?; - - Ok(HttpResponse::Ok() - .content_type("application/json") - .body(res)) - } else if request.method() == Method::POST { - let resource_desc = - sub_path - .strip_prefix('/') - .ok_or(Error::IllegalAccessedPath { - path: end_point.clone(), - })?; - let resource_description = ResourceDesc::try_from(resource_desc)?; - core.admin_auth.validate_auth(&request)?; - core.resource_storage - .set_secret_resource(resource_description, &body) - .await?; + // TODO: consider to rename the api name for it is not only for + // resource retrievement but for all plugins. + "resource-policy" if request.method() == Method::GET => { + core.admin_auth.validate_auth(&request)?; + let policy = core.policy_engine.get_policy().await?; - Ok(HttpResponse::Ok().content_type("application/json").body("")) - } else { - Ok(HttpResponse::NotImplemented() - .content_type("application/json") - .body("")) - } + Ok(HttpResponse::Ok().content_type("text/xml").body(policy)) } plugin_name => { - // Plugin calls needs to be authorized by the Token and policy - let token = core - .get_attestation_token(&request) - .await - .map_err(|_| Error::TokenNotFound)?; - - let claims = core.token_verifier.verify(token).await?; - - let claim_str = serde_json::to_string(&claims)?; - - // TODO: add policy filter support for other plugins - if !core.policy_engine.evaluate(&end_point, &claim_str).await? 
{ - return Err(Error::PolicyDeny); - } - let plugin = core .plugin_manager .get(plugin_name) .ok_or(Error::PluginNotFound { plugin_name: plugin_name.to_string(), })?; + let body = body.to_vec(); - let response = plugin - .handle(body, query.into(), sub_path.into(), request.method()) - .await?; - Ok(response) - } - } -} + if plugin + .validate_auth(&body, query, sub_path, request.method()) + .await + .map_err(|e| Error::PluginInternalError { source: e })? + { + // Plugin calls needs to be authorized by the admin auth + core.admin_auth.validate_auth(&request)?; + let response = plugin + .handle(&body, query, sub_path, request.method()) + .await + .map_err(|e| Error::PluginInternalError { source: e })?; -/// Admin APIs. -pub(crate) async fn admin( - request: HttpRequest, - _body: web::Bytes, - core: web::Data, -) -> Result { - // Admin APIs needs to be authorized by the admin asymmetric key - core.admin_auth.validate_auth(&request)?; + Ok(HttpResponse::Ok().content_type("text/xml").body(response)) + } else { + // Plugin calls needs to be authorized by the Token and policy + let token = core + .get_attestation_token(&request) + .await + .map_err(|_| Error::TokenNotFound)?; - let plugin_name = request - .match_info() - .get("plugin") - .ok_or(Error::IllegalAccessedPath { - path: request.path().to_string(), - })?; - let sub_path = request - .match_info() - .get("sub_path") - .ok_or(Error::IllegalAccessedPath { - path: request.path().to_string(), - })?; + let claims = core.token_verifier.verify(token).await?; + + let claim_str = serde_json::to_string(&claims)?; - info!("Admin plugin {plugin_name} with path {sub_path} called"); + // TODO: add policy filter support for other plugins + if !core.policy_engine.evaluate(&end_point, &claim_str).await? 
{ + return Err(Error::PolicyDeny); + } - // TODO: add admin path handlers - let response = HttpResponse::NotFound().body("no admin plugin found"); - Ok(response) + let response = plugin + .handle(&body, query, sub_path, request.method()) + .await + .map_err(|e| Error::PluginInternalError { source: e })?; + if plugin + .encrypted(&body, query, sub_path, request.method()) + .await + .map_err(|e| Error::PluginInternalError { source: e })? + { + let public_key = core.token_verifier.extract_tee_public_key(claims)?; + let jwe = + jwe(public_key, response).map_err(|e| Error::JweError { source: e })?; + let res = serde_json::to_string(&jwe)?; + return Ok(HttpResponse::Ok() + .content_type("application/json") + .body(res)); + } + + Ok(HttpResponse::Ok().content_type("text/xml").body(response)) + } + } + } } diff --git a/kbs/src/attestation/config.rs b/kbs/src/attestation/config.rs index f49be5a3b7..532548de60 100644 --- a/kbs/src/attestation/config.rs +++ b/kbs/src/attestation/config.rs @@ -4,14 +4,31 @@ use serde::Deserialize; +pub const DEFAULT_TIMEOUT: i64 = 5; + #[derive(Clone, Debug, Deserialize, PartialEq)] pub struct AttestationConfig { #[serde(flatten)] + #[serde(default)] pub attestation_service: AttestationServiceConfig, + #[serde(default = "default_timeout")] pub timeout: i64, } +impl Default for AttestationConfig { + fn default() -> Self { + Self { + attestation_service: AttestationServiceConfig::default(), + timeout: DEFAULT_TIMEOUT, + } + } +} + +fn default_timeout() -> i64 { + DEFAULT_TIMEOUT +} + #[derive(Clone, Debug, Deserialize, PartialEq)] #[serde(tag = "type")] pub enum AttestationServiceConfig { 
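Review bot: In the `attestation-policy` POST arm, `core.admin_auth.validate_auth(&request)?;` appears on the removed side, while the `resource-policy` POST and GET arms keep the call. As rendered, `core.attestation_service.set_policy(&body)` would then be reachable without admin authentication. The diff text is collapsed here, so check the resulting file; if the call is gone, restore `core.admin_auth.validate_auth(&request)?;` as the first statement of that arm. Separately, the plugin arm chooses between admin auth and token-plus-policy solely on the boolean from `plugin.validate_auth(...)`, so each plugin's classification of write operations becomes security-critical and deserves a comment at the call site. This hunk starts inside `api`, whose signature is in the previous hunk.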
@@ -27,3 +44,17 @@ pub enum AttestationServiceConfig { #[serde(alias = "intel_ta")] IntelTA(super::intel_trust_authority::IntelTrustAuthorityConfig), } + +impl Default for AttestationServiceConfig { + fn default() -> Self { + cfg_if::cfg_if! { + if #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] { + AttestationServiceConfig::CoCoASBuiltIn(attestation_service::config::Config::default()) + } else if #[cfg(feature = "coco-as-grpc")] { + AttestationServiceConfig::CoCoASGrpc(super::coco::grpc::GrpcConfig::default()) + } else { + AttestationServiceConfig::IntelTA(super::intel_trust_authority::IntelTrustAuthorityConfig::default()) + } + } + } +} diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 9cc9a073d4..9dd910accd 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -76,7 +76,7 @@ struct ErrorResponse { error: String, } -#[derive(Clone, Debug, Deserialize, PartialEq)] +#[derive(Clone, Debug, Deserialize, PartialEq, Default)] pub struct IntelTrustAuthorityConfig { pub base_url: String, pub api_key: String, diff --git a/kbs/src/config.rs b/kbs/src/config.rs index b145b4af69..f02233e354 100644 --- a/kbs/src/config.rs +++ b/kbs/src/config.rs @@ -15,7 +15,6 @@ use std::path::{Path, PathBuf}; const DEFAULT_INSECURE_HTTP: bool = false; const DEFAULT_SOCKET: &str = "127.0.0.1:8080"; -const DEFAULT_TIMEOUT: i64 = 5; #[derive(Clone, Debug, Deserialize, PartialEq)] pub struct HttpServerConfig { 
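Review bot: `impl Default for AttestationServiceConfig` lets a config file with no `[attestation_service]` section load successfully. Combined with the `#[serde(default)]` added on `KbsConfig::attestation_service` (hunk `@@ -47,17 +46,13 @@` in kbs/src/config.rs), the backend is then chosen by compile-time features rather than by the operator. In a build without the CoCo features the fallback is `IntelTrustAuthorityConfig::default()`, which the new `Default` derive (hunk `@@ -76,7 +76,7 @@`) fills with an empty `base_url` and `api_key`, so the misconfiguration would presumably surface only when attestation is first attempted. I would prefer rejecting a missing section at load time. At minimum, document the fallback on the impl, e.g. `/// Used when the config has no [attestation_service] section; selects the first backend compiled in.`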
@@ -47,17 +46,13 @@ impl Default for HttpServerConfig { /// Contains all configurable KBS properties. #[derive(Debug, Clone, Deserialize, PartialEq)] pub struct KbsConfig { - /// Resource repository config. - #[cfg(feature = "resource")] - #[serde(default)] - pub repository: crate::resource::RepositoryConfig, - /// Attestation token result broker config. #[serde(default)] pub attestation_token: AttestationTokenVerifierConfig, /// Configuration for the Attestation Service. #[cfg(feature = "as")] + #[serde(default)] pub attestation_service: crate::attestation::config::AttestationConfig, /// Configuration for the KBS Http Server @@ -72,7 +67,7 @@ pub struct KbsConfig { pub policy_engine: PolicyEngineConfig, #[serde(default)] - pub client_plugins: Vec, + pub plugins: Vec, } impl TryFrom<&Path> for KbsConfig { @@ -85,7 +80,6 @@ impl TryFrom<&Path> for KbsConfig { .set_default("admin.insecure_api", DEFAULT_INSECURE_API)? .set_default("http_server.insecure_http", DEFAULT_INSECURE_HTTP)? .set_default("http_server.sockets", vec![DEFAULT_SOCKET])? - .set_default("attestation_service.timeout", DEFAULT_TIMEOUT)? .add_source(File::with_name(config_path.to_str().unwrap())) .build()?; @@ -110,11 +104,13 @@ mod tests { use crate::{ admin::config::AdminConfig, - config::{ - HttpServerConfig, DEFAULT_INSECURE_API, DEFAULT_INSECURE_HTTP, DEFAULT_SOCKET, - DEFAULT_TIMEOUT, + config::{HttpServerConfig, DEFAULT_INSECURE_API, DEFAULT_INSECURE_HTTP, DEFAULT_SOCKET}, + plugins::{ + implementations::{ + resource::local_fs::LocalFsRepoDesc, RepositoryConfig, SampleConfig, + }, + PluginsConfig, }, - plugins::{sample::SampleConfig, PluginsConfig}, policy_engine::{PolicyEngineConfig, DEFAULT_POLICY_PATH}, token::AttestationTokenVerifierConfig, }; 
@@ -135,12 +131,6 @@ mod tests { #[rstest] #[case("test_data/configs/coco-as-grpc-1.toml", KbsConfig { - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::LocalFs( - crate::resource::local_fs::LocalFsRepoDesc { - dir_path: "/tmp/kbs-resource".into(), - }, - ), attestation_token: AttestationTokenVerifierConfig { trusted_certs_paths: vec!["/etc/ca".into(), "/etc/ca2".into()], insecure_key: false, @@ -171,17 +161,16 @@ mod tests { policy_engine: PolicyEngineConfig { policy_path: PathBuf::from("/etc/kbs-policy.rego"), }, - client_plugins: vec![PluginsConfig::Sample(SampleConfig { + plugins: vec![PluginsConfig::Sample(SampleConfig { item: "value1".into(), - })], + }), + PluginsConfig::ResourceStorage(RepositoryConfig::LocalFs( + LocalFsRepoDesc { + dir_path: "/tmp/kbs-resource".into(), + }, + ))], })] #[case("test_data/configs/coco-as-builtin-1.toml", KbsConfig { - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::LocalFs( - crate::resource::local_fs::LocalFsRepoDesc { - dir_path: DEFAULT_REPO_DIR_PATH.into(), - }, - ), attestation_token: AttestationTokenVerifierConfig { trusted_certs_paths: vec![], insecure_key: false, @@ -208,7 +197,7 @@ mod tests { }, } ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { sockets: vec![DEFAULT_SOCKET.parse().unwrap()], @@ -223,15 +212,9 @@ mod tests { policy_engine: PolicyEngineConfig { policy_path: DEFAULT_POLICY_PATH.into(), }, - client_plugins: vec![], + plugins: Vec::new(), })] #[case("test_data/configs/intel-ta-1.toml", KbsConfig { - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::LocalFs( - crate::resource::local_fs::LocalFsRepoDesc { - dir_path: "/tmp/kbs-resource".into(), - }, - ), attestation_token: AttestationTokenVerifierConfig { trusted_jwk_sets: vec!["/etc/ca".into(), "/etc/ca2".into()], insecure_key: false, 
@@ -249,7 +232,7 @@ mod tests { allow_unmatched_policy: Some(true), } ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { sockets: vec!["0.0.0.0:8080".parse().unwrap()], @@ -264,13 +247,16 @@ mod tests { policy_engine: PolicyEngineConfig { policy_path: PathBuf::from("/etc/kbs-policy.rego"), }, - client_plugins: vec![PluginsConfig::Sample(SampleConfig { + plugins: vec![PluginsConfig::Sample(SampleConfig { item: "value1".into(), - })], + }), + PluginsConfig::ResourceStorage(RepositoryConfig::LocalFs( + LocalFsRepoDesc { + dir_path: "/tmp/kbs-resource".into(), + }, + ))], })] #[case("test_data/configs/coco-as-grpc-2.toml", KbsConfig { - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::default(), attestation_token: AttestationTokenVerifierConfig { ..Default::default() }, @@ -283,7 +269,7 @@ mod tests { pool_size: crate::attestation::coco::grpc::DEFAULT_POOL_SIZE, }, ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { sockets: vec!["0.0.0.0:8080".parse().unwrap()], @@ -296,15 +282,9 @@ mod tests { insecure_api: DEFAULT_INSECURE_API, }, policy_engine: PolicyEngineConfig::default(), - client_plugins: Vec::default(), + plugins: Vec::new(), })] #[case("test_data/configs/coco-as-builtin-2.toml", KbsConfig { - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::LocalFs( - crate::resource::local_fs::LocalFsRepoDesc { - dir_path: DEFAULT_REPO_DIR_PATH.into(), - }, - ), attestation_token: AttestationTokenVerifierConfig { trusted_certs_paths: vec![], insecure_key: false, @@ -330,7 +310,7 @@ mod tests { }, } ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { sockets: vec!["0.0.0.0:8080".parse().unwrap()], 
@@ -343,7 +323,7 @@ mod tests { insecure_api: DEFAULT_INSECURE_API, }, policy_engine: PolicyEngineConfig::default(), - client_plugins: vec![], + plugins: Vec::new(), })] #[case("test_data/configs/intel-ta-2.toml", KbsConfig { attestation_token: AttestationTokenVerifierConfig { @@ -363,7 +343,7 @@ mod tests { allow_unmatched_policy: None, } ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { sockets: vec!["0.0.0.0:8080".parse().unwrap()], @@ -376,15 +356,9 @@ mod tests { insecure_api: DEFAULT_INSECURE_API, }, policy_engine: PolicyEngineConfig::default(), - client_plugins: vec![], - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::LocalFs( - crate::resource::local_fs::LocalFsRepoDesc::default(), - ), + plugins: Vec::new(), })] #[case("test_data/configs/coco-as-grpc-3.toml", KbsConfig { - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::default(), attestation_token: AttestationTokenVerifierConfig { ..Default::default() }, @@ -397,7 +371,7 @@ mod tests { pool_size: 100, }, ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { insecure_http: true, @@ -408,7 +382,7 @@ mod tests { ..Default::default() }, policy_engine: PolicyEngineConfig::default(), - client_plugins: Vec::default(), + plugins: Vec::new(), })] #[case("test_data/configs/intel-ta-3.toml", KbsConfig { attestation_token: AttestationTokenVerifierConfig { @@ -428,7 +402,7 @@ mod tests { allow_unmatched_policy: None, } ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { insecure_http: true, 
@@ -439,19 +413,9 @@ mod tests { ..Default::default() }, policy_engine: PolicyEngineConfig::default(), - client_plugins: vec![], - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::LocalFs( - crate::resource::local_fs::LocalFsRepoDesc::default(), - ), + plugins: Vec::new(), })] #[case("test_data/configs/coco-as-builtin-3.toml", KbsConfig { - #[cfg(feature = "resource")] - repository: crate::resource::RepositoryConfig::LocalFs( - crate::resource::local_fs::LocalFsRepoDesc { - dir_path: "/opt/confidential-containers/kbs/repository".into(), - }, - ), attestation_token: AttestationTokenVerifierConfig { trusted_certs_paths: vec![], insecure_key: false, @@ -477,7 +441,7 @@ mod tests { }, } ), - timeout: DEFAULT_TIMEOUT, + timeout: crate::attestation::config::DEFAULT_TIMEOUT, }, http_server: HttpServerConfig { insecure_http: true, @@ -490,7 +454,12 @@ mod tests { policy_engine: PolicyEngineConfig { policy_path: "/opa/confidential-containers/kbs/policy.rego".into(), }, - client_plugins: vec![], + plugins: vec![ + PluginsConfig::ResourceStorage(RepositoryConfig::LocalFs( + LocalFsRepoDesc { + dir_path: "/opt/confidential-containers/kbs/repository".into(), + }, + ))], })] fn read_config(#[case] config_path: &str, #[case] expected: KbsConfig) { let config = KbsConfig::try_from(Path::new(config_path)).unwrap(); diff --git a/kbs/src/error.rs b/kbs/src/error.rs index 5cdaf68868..cfc09f18fa 100644 --- a/kbs/src/error.rs +++ b/kbs/src/error.rs @@ -67,10 +67,6 @@ pub enum Error { #[error("Policy engine error")] PolicyEngine(#[from] crate::policy_engine::KbsPolicyEngineError), - #[cfg(feature = "resource")] - #[error("Resource access failed")] - ResourceAccessFailed(#[from] crate::resource::Error), - #[error("Serialize/Deserialize failed")] SerdeError(#[from] serde_json::Error), diff --git a/kbs/src/lib.rs b/kbs/src/lib.rs index d11e0edcdc..818e21f4ca 100644 --- a/kbs/src/lib.rs +++ b/kbs/src/lib.rs 
@@ -7,9 +7,6 @@ #[cfg(feature = "as")] pub mod attestation; -#[cfg(feature = "resource")] -mod resource; - /// KBS config pub mod config; pub use config::KbsConfig; diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index f8ba5c4008..d5acea1b36 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -8,10 +8,6 @@ insecure_http = false insecure_key = false trusted_certs_paths = ["./work/ca-cert.pem"] -[repository] -type = "LocalFs" -dir_path = "./work/repository" - [attestation_service] type = "coco_as_builtin" work_dir = "./work/attestation-service" @@ -33,4 +29,9 @@ attestation_token_broker = "Simple" policy_path = "./work/kbs-policy.rego" [admin] -auth_public_key = "./work/kbs.pem" \ No newline at end of file +auth_public_key = "./work/kbs.pem" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "./work/repository" \ No newline at end of file diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml index 5b8ce37db1..99ef258e7f 100644 --- a/kbs/test/config/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml @@ -9,9 +9,10 @@ auth_public_key = "./work/kbs.pem" trusted_certs_paths = ["./work/ca-cert.pem"] insecure_key = false -[repository] -type = "LocalFs" -dir_path = "./work/repository" - [policy_engine] policy_path = "./work/kbs-policy.rego" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "./work/repository" \ No newline at end of file diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index 13186fe02a..003dc0f135 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml @@ -3,10 +3,6 @@ insecure_http = true [attestation_token] -[repository] -type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" - [attestation_service] type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" 
@@ -24,4 +20,9 @@ attestation_token_broker = "Simple" policy_path = "/opa/confidential-containers/kbs/policy.rego" [admin] -insecure_api = true \ No newline at end of file +insecure_api = true + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" \ No newline at end of file diff --git a/kbs/test_data/configs/coco-as-grpc-1.toml b/kbs/test_data/configs/coco-as-grpc-1.toml index d9e3f8d9c4..addeb00de8 100644 --- a/kbs/test_data/configs/coco-as-grpc-1.toml +++ b/kbs/test_data/configs/coco-as-grpc-1.toml @@ -1,7 +1,3 @@ -[repository] -type = "LocalFs" -dir_path = "/tmp/kbs-resource" - [attestation_token] trusted_certs_paths = ["/etc/ca", "/etc/ca2"] @@ -24,6 +20,11 @@ insecure_api = false [policy_engine] policy_path = "/etc/kbs-policy.rego" -[[client_plugins]] +[[plugins]] name = "sample" -item = "value1" \ No newline at end of file +item = "value1" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/tmp/kbs-resource" \ No newline at end of file diff --git a/kbs/test_data/configs/intel-ta-1.toml b/kbs/test_data/configs/intel-ta-1.toml index 281b1ea40c..68a85ba893 100644 --- a/kbs/test_data/configs/intel-ta-1.toml +++ b/kbs/test_data/configs/intel-ta-1.toml @@ -1,7 +1,3 @@ -[repository] -type = "LocalFs" -dir_path = "/tmp/kbs-resource" - [attestation_token] trusted_jwk_sets = ["/etc/ca", "/etc/ca2"] @@ -25,6 +21,11 @@ insecure_api = false [policy_engine] policy_path = "/etc/kbs-policy.rego" -[[client_plugins]] +[[plugins]] name = "sample" -item = "value1" \ No newline at end of file +item = "value1" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/tmp/kbs-resource" \ No newline at end of file From 78057cbf970185fd3b7c3e00dfdfae53a3452566 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Tue, 29 Oct 2024 15:46:08 +0800 Subject: [PATCH 143/298] toml: add extra line to all toml files 
Signed-off-by: Xynnn007 --- kbs/config/docker-compose/kbs-config.toml | 2 +- kbs/config/kbs-config-grpc.toml | 2 +- kbs/config/kbs-config.toml | 2 +- kbs/config/kubernetes/base/kbs-config.toml | 2 +- kbs/config/kubernetes/ita/kbs-config.toml | 2 +- kbs/test/config/kbs.toml | 2 +- kbs/test/config/resource-kbs.toml | 2 +- kbs/test_data/configs/coco-as-builtin-2.toml | 2 +- kbs/test_data/configs/coco-as-builtin-3.toml | 2 +- kbs/test_data/configs/coco-as-grpc-1.toml | 2 +- kbs/test_data/configs/coco-as-grpc-2.toml | 2 +- kbs/test_data/configs/coco-as-grpc-3.toml | 2 +- kbs/test_data/configs/intel-ta-1.toml | 2 +- kbs/test_data/configs/intel-ta-2.toml | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) diff --git a/kbs/config/docker-compose/kbs-config.toml b/kbs/config/docker-compose/kbs-config.toml index 9bb770fc9c..bf9b6157f0 100644 --- a/kbs/config/docker-compose/kbs-config.toml +++ b/kbs/config/docker-compose/kbs-config.toml @@ -15,4 +15,4 @@ auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub" [[plugins]] name = "resource" type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" \ No newline at end of file +dir_path = "/opt/confidential-containers/kbs/repository" diff --git a/kbs/config/kbs-config-grpc.toml b/kbs/config/kbs-config-grpc.toml index 45d2c08657..8bdc818dac 100644 --- a/kbs/config/kbs-config-grpc.toml +++ b/kbs/config/kbs-config-grpc.toml @@ -10,4 +10,4 @@ as_addr = "http://127.0.0.1:50004" pool_size = 200 [admin] -insecure_api = true \ No newline at end of file +insecure_api = true diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml index b510696087..a42fb7d897 100644 --- a/kbs/config/kbs-config.toml +++ b/kbs/config/kbs-config.toml @@ -25,4 +25,4 @@ attestation_token_broker = "Simple" policy_path = "/opa/confidential-containers/kbs/policy.rego" [admin] -insecure_api = true \ No newline at end of file +insecure_api = true 
diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 5256b8c8dc..489cfdf971 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml @@ -21,4 +21,4 @@ attestation_token_broker = "Simple" remote_addr = "" [admin] -auth_public_key = "/kbs/kbs.pem" \ No newline at end of file +auth_public_key = "/kbs/kbs.pem" diff --git a/kbs/config/kubernetes/ita/kbs-config.toml b/kbs/config/kubernetes/ita/kbs-config.toml index ef942819c9..37eefb7271 100644 --- a/kbs/config/kubernetes/ita/kbs-config.toml +++ b/kbs/config/kubernetes/ita/kbs-config.toml @@ -14,4 +14,4 @@ api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" [admin] -auth_public_key = "/kbs/kbs.pem" \ No newline at end of file +auth_public_key = "/kbs/kbs.pem" diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index d5acea1b36..933f169797 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -34,4 +34,4 @@ auth_public_key = "./work/kbs.pem" [[plugins]] name = "resource" type = "LocalFs" -dir_path = "./work/repository" \ No newline at end of file +dir_path = "./work/repository" diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml index 99ef258e7f..977ef10c6a 100644 --- a/kbs/test/config/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml @@ -15,4 +15,4 @@ policy_path = "./work/kbs-policy.rego" [[plugins]] name = "resource" type = "LocalFs" -dir_path = "./work/repository" \ No newline at end of file +dir_path = "./work/repository" diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml index b5e1006a55..c2398128c9 100644 --- a/kbs/test_data/configs/coco-as-builtin-2.toml +++ b/kbs/test_data/configs/coco-as-builtin-2.toml 
@@ -20,4 +20,4 @@ attestation_token_broker = "Simple" remote_addr = "" [admin] -auth_public_key = "/kbs/kbs.pem" \ No newline at end of file +auth_public_key = "/kbs/kbs.pem" diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index 003dc0f135..1d8e13f449 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml @@ -25,4 +25,4 @@ insecure_api = true [[plugins]] name = "resource" type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" \ No newline at end of file +dir_path = "/opt/confidential-containers/kbs/repository" diff --git a/kbs/test_data/configs/coco-as-grpc-1.toml b/kbs/test_data/configs/coco-as-grpc-1.toml index addeb00de8..4a6067a0c2 100644 --- a/kbs/test_data/configs/coco-as-grpc-1.toml +++ b/kbs/test_data/configs/coco-as-grpc-1.toml @@ -27,4 +27,4 @@ item = "value1" [[plugins]] name = "resource" type = "LocalFs" -dir_path = "/tmp/kbs-resource" \ No newline at end of file +dir_path = "/tmp/kbs-resource" diff --git a/kbs/test_data/configs/coco-as-grpc-2.toml b/kbs/test_data/configs/coco-as-grpc-2.toml index a0aedc0d53..dc5c1fdbd7 100644 --- a/kbs/test_data/configs/coco-as-grpc-2.toml +++ b/kbs/test_data/configs/coco-as-grpc-2.toml @@ -9,4 +9,4 @@ type = "coco_as_grpc" as_addr = "http://as:50004" [admin] -auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub" \ No newline at end of file +auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub" diff --git a/kbs/test_data/configs/coco-as-grpc-3.toml b/kbs/test_data/configs/coco-as-grpc-3.toml index c6d8e61e33..0ba9958a02 100644 --- a/kbs/test_data/configs/coco-as-grpc-3.toml +++ b/kbs/test_data/configs/coco-as-grpc-3.toml @@ -9,4 +9,4 @@ as_addr = "http://127.0.0.1:50004" pool_size = 100 [admin] -insecure_api = true \ No newline at end of file +insecure_api = true 
diff --git a/kbs/test_data/configs/intel-ta-1.toml b/kbs/test_data/configs/intel-ta-1.toml index 68a85ba893..84a4125d4f 100644 --- a/kbs/test_data/configs/intel-ta-1.toml +++ b/kbs/test_data/configs/intel-ta-1.toml @@ -28,4 +28,4 @@ item = "value1" [[plugins]] name = "resource" type = "LocalFs" -dir_path = "/tmp/kbs-resource" \ No newline at end of file +dir_path = "/tmp/kbs-resource" diff --git a/kbs/test_data/configs/intel-ta-2.toml b/kbs/test_data/configs/intel-ta-2.toml index 3c77144301..e4b40b73dd 100644 --- a/kbs/test_data/configs/intel-ta-2.toml +++ b/kbs/test_data/configs/intel-ta-2.toml @@ -14,4 +14,4 @@ api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" [admin] -auth_public_key = "/kbs/kbs.pem" \ No newline at end of file +auth_public_key = "/kbs/kbs.pem" From 3b3614ca2214484f355c55f4668e4f8ede3606ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Nov 2024 01:37:51 +0000 Subject: [PATCH 144/298] build(deps): bump once_cell from 1.19.0 to 1.20.2 Bumps [once_cell](https://github.com/matklad/once_cell) from 1.19.0 to 1.20.2. - [Changelog](https://github.com/matklad/once_cell/blob/master/CHANGELOG.md) - [Commits](https://github.com/matklad/once_cell/compare/v1.19.0...v1.20.2) --- updated-dependencies: - dependency-name: once_cell dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bcf09686ba..06b016e2e2 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -3226,9 +3226,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "opaque-debug" From c2eb782cb74fe8ce725e89659dcce7337118323d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Nov 2024 01:17:07 +0000 Subject: [PATCH 145/298] build(deps): bump clap from 4.5.4 to 4.5.20 Bumps [clap](https://github.com/clap-rs/clap) from 4.5.4 to 4.5.20. - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.4...clap_complete-v4.5.20) --- updated-dependencies: - dependency-name: clap dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 26 +++++++++++++------------- tools/kbs-client/Cargo.toml | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 06b016e2e2..a09e0c734c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -362,9 +362,9 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.7" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "038dfcf04a5feb68e9c60b21c9625a54c2c0616e79b72b0fd87075a056ae1d1b" +checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" [[package]] name = "anstyle-parse" @@ -528,7 +528,7 @@ dependencies = [ "async-trait", "base64 0.22.1", "cfg-if", - "clap 4.5.4", + "clap 4.5.20", "env_logger 0.10.2", "futures", "hex", 
@@ -682,7 +682,7 @@ checksum = "49473355e76f066300f14aa56c6df23b1a037bea179dbb1b582ecefc8f6fd37c" dependencies = [ "az-cvm-vtpm", "bincode", - "clap 4.5.4", + "clap 4.5.20", "openssl", "serde", "sev 4.0.0", @@ -1081,9 +1081,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.4" +version = "4.5.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90bc066a67923782aa8515dbaea16946c5bcc5addbd668bb80af688e53e548a0" +checksum = "b97f376d85a664d5837dbae44bf546e6477a679ff6610010f17276f686d867e8" dependencies = [ "clap_builder", "clap_derive", @@ -1091,9 +1091,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.2" +version = "4.5.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae129e2e766ae0ec03484e609954119f123cc1fe650337e155d03b022f24f7b4" +checksum = "19bc80abd44e4bed93ca373a0704ccbd1b710dc5749406201bb018272808dc54" dependencies = [ "anstream", "anstyle", @@ -1103,9 +1103,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.5.4" +version = "4.5.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "528131438037fd55894f62d6e9f068b8f45ac57ffa77517819645d10aed04f64" +checksum = "4ac6a0c7b1a9e9a5186361f67dfa1b88213572f427fb9ab038efb2bd8c582dab" dependencies = [ "heck 0.5.0", "proc-macro2", @@ -2663,7 +2663,7 @@ dependencies = [ "az-cvm-vtpm", "base64 0.22.1", "cfg-if", - "clap 4.5.4", + "clap 4.5.20", "config", "env_logger 0.10.2", "jsonwebtoken", @@ -2701,7 +2701,7 @@ version = "0.1.0" dependencies = [ "anyhow", "base64 0.22.1", - "clap 4.5.4", + "clap 4.5.20", "env_logger 0.10.2", "jwt-simple 0.11.9", "kbs_protocol", @@ -4051,7 +4051,7 @@ dependencies = [ "base64 0.22.1", "cfg-if", "chrono", - "clap 4.5.4", + "clap 4.5.20", "config", "env_logger 0.10.2", "log", diff --git a/tools/kbs-client/Cargo.toml b/tools/kbs-client/Cargo.toml index c960e62c13..d0ce61712f 100644 --- a/tools/kbs-client/Cargo.toml +++ b/tools/kbs-client/Cargo.toml 
@@ -15,7 +15,7 @@ path = "src/main.rs" [dependencies] anyhow.workspace = true base64.workspace = true -clap = { version = "4.0.29", features = ["derive"] } +clap = { version = "4.5.20", features = ["derive"] } env_logger.workspace = true jwt-simple.workspace = true kbs_protocol = { workspace = true, default-features = false } From 7d90061156fbce1cda74a13fedbe28ee11858e5b Mon Sep 17 00:00:00 2001 From: Tyler Fanelli Date: Wed, 6 Nov 2024 22:14:07 -0500 Subject: [PATCH 146/298] as: Don't use all-verifier features The verifier/all-verifier option is already enabled with the default build. Yet, if a user wants to optionally compile with a subset of verifiers, they cannot due so unless disabling the all-verifier feature in the dependency. Signed-off-by: Tyler Fanelli --- attestation-service/Cargo.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/attestation-service/Cargo.toml b/attestation-service/Cargo.toml index 237ce6d46f..f7dfc61155 100644 --- a/attestation-service/Cargo.toml +++ b/attestation-service/Cargo.toml @@ -4,7 +4,7 @@ version = "0.1.0" edition = "2021" [features] -default = [ "restful-bin", "rvps-grpc", "rvps-builtin" ] +default = [ "restful-bin", "rvps-grpc", "rvps-builtin", "all-verifier" ] all-verifier = [ "verifier/all-verifier" ] tdx-verifier = [ "verifier/tdx-verifier" ] sgx-verifier = [ "verifier/sgx-verifier" ] @@ -66,7 +66,7 @@ tonic = { workspace = true, optional = true } uuid = { version = "1.1.2", features = ["v4"] } [target.'cfg(not(target_arch = "s390x"))'.dependencies] -verifier = { path = "../deps/verifier", default-features = false, features = ["all-verifier"] } +verifier = { path = "../deps/verifier", default-features = false } [target.'cfg(target_arch = "s390x")'.dependencies] verifier = { path = "../deps/verifier", default-features = false, features = ["se-verifier"] } From ff6c43b515dd7072d095c0147a84416007eff5e7 Mon Sep 17 00:00:00 2001 
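Review bot: Adding `"all-verifier"` to `default` in the first hunk applies on every target, whereas the line removed in the second hunk enabled `features = ["all-verifier"]` only under `cfg(not(target_arch = "s390x"))`. A default build on s390x would therefore now request `verifier/all-verifier` on top of `se-verifier`. If the target split existed because some verifiers do not build on s390x (not visible in this diff), default builds there would start to fail unless `--no-default-features` is passed. A comment next to `default` should state this, for example `# s390x builds must pass --no-default-features and select se-verifier explicitly`.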
From: Tyler Fanelli Date: Wed, 6 Nov 2024 22:35:41 -0500 Subject: [PATCH 147/298] as/Makefile: Allow conditional features Supplying a FEATURES argument to the attestation service's Makefile can conditionally compile features into the build. The FEATURES argument will disable default features and instead supply the selected features. For example `FEATURES=restful-bin,rvps-grpc,snp-verifier make grpc-as` will expand to: cargo build --bin grpc-as --release \ --no-default-features \ --features grpc-bin,restful-bin,rvps-grpc,snp-verifier Signed-off-by: Tyler Fanelli --- attestation-service/Makefile | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/attestation-service/Makefile b/attestation-service/Makefile index 60e285b12f..67ca329539 100644 --- a/attestation-service/Makefile +++ b/attestation-service/Makefile @@ -8,6 +8,16 @@ BIN_NAMES := grpc-as restful-as DEBUG ?= DESTDIR ?= $(PREFIX)/bin +FEATURES ?= + +ifdef FEATURES + OPTIONAL_FEATURES := ,$(FEATURES) + default-features := --no-default-features +else + OPTIONAL_FEATURES := + default-features := +endif + ifdef DEBUG release := TARGET_DIR := $(TARGET_DIR)/debug @@ -19,10 +29,10 @@ endif build: grpc-as restful-as grpc-as: - cargo build --bin grpc-as $(release) --features grpc-bin + cargo build --bin grpc-as $(release) $(default-features) --features grpc-bin$(OPTIONAL_FEATURES) restful-as: - cargo build --bin restful-as $(release) --features restful-bin + cargo build --bin restful-as $(release) $(default-features) --features restful-bin$(OPTIONAL_FEATURES) install: for bin_name in $(BIN_NAMES); do \ From 72f3bdca04cc0d02a8e3f16c064642536dfe2200 Mon Sep 17 00:00:00 2001 From: Mike Frisch Date: Tue, 5 Nov 2024 15:35:48 -0500 Subject: [PATCH 148/298] fix(kbs-client): update README to reflect recent restructuring kbs-client was moved to it's own tools subdirectory off the top of the tree. 
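Review bot: Setting `FEATURES` switches both targets to `--no-default-features`, but nothing in the Makefile says so. A call such as `FEATURES=snp-verifier make grpc-as` silently drops `rvps-grpc`, `rvps-builtin` and every other verifier from the binary. Whether the service builds or behaves sensibly without an RVPS feature is not visible in this hunk, so the contract should be written down where the variable is declared. A comment above `FEATURES ?=` would do it, for example `# FEATURES replaces the default feature set; list every RVPS and verifier feature the binary needs.`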
Signed-off-by: Mike Frisch --- tools/kbs-client/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/kbs-client/README.md b/tools/kbs-client/README.md index f6ac188dcf..da363625fe 100644 --- a/tools/kbs-client/README.md +++ b/tools/kbs-client/README.md @@ -23,7 +23,7 @@ We have a community version of kbs-client on [Github ORAS](https://github.com/co Build the client binary with support to the default features as: ```shell -make -C ../../ cli +make -C ../../kbs cli ``` By default the client is built with support to the sample attester, apart from the @@ -32,13 +32,13 @@ require fewer dependencies and so usually handy for CI) then you can pass the `sample_only` feature as: ```shell -make -C ../../ cli CLI_FEATURES=sample_only +make -C ../../kbs cli CLI_FEATURES=sample_only ``` -Find the built binary at `../../../target/release/kbs-client`. You can get it +Find the built binary at `../../target/release/kbs-client`. You can get it installed into the system as: ```shell -sudo make -C ../../ install-cli +sudo make -C ../../kbs install-cli ``` ## Examples From 4dd9661f7a2b946051d7b90b47e255272feaaf61 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Nov 2024 01:28:40 +0000 Subject: [PATCH 149/298] build(deps): bump thiserror from 1.0.64 to 1.0.65 Bumps [thiserror](https://github.com/dtolnay/thiserror) from 1.0.64 to 1.0.65. - [Release notes](https://github.com/dtolnay/thiserror/releases) - [Commits](https://github.com/dtolnay/thiserror/compare/1.0.64...1.0.65) --- updated-dependencies: - dependency-name: thiserror dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a09e0c734c..84865b4951 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -5240,18 +5240,18 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.64" +version = "1.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d50af8abc119fb8bb6dbabcfa89656f46f84aa0ac7688088608076ad2b459a84" +checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.64" +version = "1.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08904e7672f5eb876eaaf87e0ce17857500934f4981c4a0ab2b4aa98baac7fc3" +checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602" dependencies = [ "proc-macro2", "quote", From 7889195efd1914ff6283da047904019824aaa98c Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 15 Oct 2024 17:01:50 -0500 Subject: [PATCH 150/298] resource: add PKCS11 resource back-end PKCS11 is a generic interface for carrying-out cryptographic operations using devices like HSMs. This commit adds very basic support for storing KBS resources in an HSM with PKCS11 One of the many things supported by PKCS11 is storing keys in a device. Usually these keys are wrapped and/or generated by the device itself, which is not a good fit for the KBS resource model. Instead, we use one particular generic secret key type that allows the KBS to read and write the plaintext secret value. This might not capture the full potential of an HSM, but keep in mind that the default backend simply stores the secrets in the filesystem. To fully take advantage of key wrapping, we will need to add PKCS11 support to the CDH or possibly introduce a plugin. This backend allows users to provision keys to the HSM as well. In fact, it is more reliable to use this interface than it is to provision keys separately. The cryptoki api is not thread safe so a Mutex is used. This backend might not be as performant as the file system backend, especially when using a real HSM. 
Signed-off-by: Tobin Feldman-Fitzthum --- Cargo.lock | 45 +++++++- kbs/Cargo.toml | 4 + .../implementations/resource/backend.rs | 22 ++++ .../plugins/implementations/resource/mod.rs | 3 + .../implementations/resource/pkcs11.rs | 102 ++++++++++++++++++ 5 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 kbs/src/plugins/implementations/resource/pkcs11.rs diff --git a/Cargo.lock b/Cargo.lock index 84865b4951..5534094d13 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1061,7 +1061,7 @@ checksum = "67523a3b4be3ce1989d607a828d036249522dd9c1c8de7f4dd2dae43a37369d1" dependencies = [ "glob", "libc", - "libloading", + "libloading 0.8.5", ] [[package]] @@ -1352,6 +1352,29 @@ dependencies = [ "typenum", ] +[[package]] +name = "cryptoki" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "60d645cc2c5faf466571c0c752d39d8fbc2746773b2f043ac8f9cd73bec55db9" +dependencies = [ + "bitflags 1.3.2", + "cryptoki-sys", + "libloading 0.7.4", + "log", + "paste", + "secrecy", +] + +[[package]] +name = "cryptoki-sys" +version = "0.1.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "750380200f47d4ff677be725b6e0d78b590e1d0343573dcd4b62147f25dc6efa" +dependencies = [ + "libloading 0.7.4", +] + [[package]] name = "csv-rs" version = "0.1.0" @@ -2665,6 +2688,7 @@ dependencies = [ "cfg-if", "clap 4.5.20", "config", + "cryptoki", "env_logger 0.10.2", "jsonwebtoken", "jwt-simple 0.11.9", @@ -2818,6 +2842,16 @@ dependencies = [ "pkg-config", ] +[[package]] +name = "libloading" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b67380fd3b2fbe7527a606e18729d21c6f3951633d0500574c4dc22d2d638b9f" +dependencies = [ + "cfg-if", + "winapi", +] + [[package]] name = "libloading" version = "0.8.5" 
@@ -4635,6 +4669,15 @@ dependencies = [ "zeroize", ] +[[package]] +name = "secrecy" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e" +dependencies = [ + "zeroize", +] + [[package]] name = "security-framework" version = "2.11.0" diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 6121655d29..cd92b38b6b 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -30,6 +30,9 @@ intel-trust-authority-as = ["as", "az-cvm-vtpm"] # Use aliyun KMS as KBS backend aliyun = ["kms/aliyun"] +# Use pkcs11 resource backend to store secrets in an HSM +pkcs11 = ["cryptoki"] + [dependencies] actix-web = { workspace = true, features = ["openssl"] } actix-web-httpauth.workspace = true @@ -41,6 +44,7 @@ base64.workspace = true cfg-if.workspace = true clap = { workspace = true, features = ["derive", "env"] } config.workspace = true +cryptoki = { version = "0.7.0", optional = true } env_logger.workspace = true jsonwebtoken = { workspace = true, default-features = false } jwt-simple.workspace = true diff --git a/kbs/src/plugins/implementations/resource/backend.rs b/kbs/src/plugins/implementations/resource/backend.rs index c1228c8ff7..85186ba7ee 100644 --- a/kbs/src/plugins/implementations/resource/backend.rs +++ b/kbs/src/plugins/implementations/resource/backend.rs @@ -7,6 +7,7 @@ use std::sync::{Arc, OnceLock}; use anyhow::{bail, Context, Error, Result}; use regex::Regex; use serde::Deserialize; +use std::fmt; use super::local_fs; @@ -57,6 +58,16 @@ impl TryFrom<&str> for ResourceDesc { } } +impl fmt::Display for ResourceDesc { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + write!( + f, + "{}/{}/{}", + self.repository_name, self.resource_type, self.resource_tag + ) + } +} + #[derive(Clone, Debug, Deserialize, PartialEq)] #[serde(tag = "type")] pub enum RepositoryConfig { 
@@ -65,6 +76,10 @@ pub enum RepositoryConfig { #[cfg(feature = "aliyun")] #[serde(alias = "aliyun")] Aliyun(super::aliyun_kms::AliyunKmsBackendConfig), + + #[cfg(feature = "pkcs11")] + #[serde(alias = "pkcs11")] + Pkcs11(super::pkcs11::Pkcs11Config), } impl Default for RepositoryConfig { @@ -97,6 +112,13 @@ impl TryFrom for ResourceStorage { backend: Arc::new(client), }) } + #[cfg(feature = "pkcs11")] + RepositoryConfig::Pkcs11(config) => { + let client = super::pkcs11::Pkcs11Backend::new(&config)?; + Ok(Self { + backend: Arc::new(client), + }) + } } } } diff --git a/kbs/src/plugins/implementations/resource/mod.rs b/kbs/src/plugins/implementations/resource/mod.rs index a3b90b1fd3..9efe34ce04 100644 --- a/kbs/src/plugins/implementations/resource/mod.rs +++ b/kbs/src/plugins/implementations/resource/mod.rs @@ -7,6 +7,9 @@ pub mod local_fs; #[cfg(feature = "aliyun")] pub mod aliyun_kms; +#[cfg(feature = "pkcs11")] +mod pkcs11; + use actix_web::http::Method; use anyhow::{bail, Context, Result}; diff --git a/kbs/src/plugins/implementations/resource/pkcs11.rs b/kbs/src/plugins/implementations/resource/pkcs11.rs new file mode 100644 index 0000000000..d6a79e446b --- /dev/null +++ b/kbs/src/plugins/implementations/resource/pkcs11.rs 
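Review bot: The new `Pkcs11` variant places `Pkcs11Config` inside `RepositoryConfig`, which derives `Debug`. `Pkcs11Config` (added in pkcs11.rs by this commit) also derives `Debug` and holds `pin: String`, so any `{:?}` formatting of the configuration prints the HSM user PIN in clear. Whether the KBS logs its configuration is not visible in this hunk. A hand-written `impl fmt::Debug for Pkcs11Config` that prints `module` and `slot_index` and a fixed `"<redacted>"` for `pin` removes the exposure either way, with a `// never format the PIN` comment on the field. The enum body continues outside the hunk.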
@@ -0,0 +1,102 @@ +// Copyright (c) 2024 by IBM. +// Licensed under the Apache License, Version 2.0, see LICENSE for details. +// SPDX-License-Identifier: Apache-2.0 + +use anyhow::{bail, Result}; +use cryptoki::context::{CInitializeArgs, Pkcs11}; +use cryptoki::object::{Attribute, AttributeInfo, AttributeType, KeyType, ObjectClass}; +use cryptoki::session::{Session, UserType}; +use cryptoki::types::AuthPin; +use serde::Deserialize; +use std::sync::Arc; +use tokio::sync::Mutex; + +use super::backend::{ResourceDesc, StorageBackend}; + +#[derive(Debug, Deserialize, Clone, PartialEq)] +pub struct Pkcs11Config { + /// Path to the Pkcs11 module + module: String, + + /// The index of the slot to be used + /// If not provided, the first slot will be used. + slot_index: Option, + + /// The user pin for authenticating the session + pin: String, +} + +pub struct Pkcs11Backend { + session: Arc>, +} + +#[async_trait::async_trait] +impl StorageBackend for Pkcs11Backend { + async fn read_secret_resource(&self, resource_desc: ResourceDesc) -> Result> { + let session = self.session.lock().await; + + // find object with matching label + let attributes = vec![Attribute::Label(Vec::from(resource_desc.to_string()))]; + let objects = session.find_objects(&attributes)?; + + if objects.is_empty() { + bail!( + "Could not find object with label {}", + resource_desc.to_string() + ); + } + let object = objects[0]; + + // check that object has a readable value attribute + let value_attribute = vec![AttributeType::Value]; + let attribute_map = session.get_attribute_info_map(object, value_attribute.clone())?; + let Some(AttributeInfo::Available(_size)) = attribute_map.get(&AttributeType::Value) else { + bail!("Key does not have value attribute available."); + }; + + // get the value + let value = &session.get_attributes(object, &value_attribute)?[0]; + let Attribute::Value(resource_bytes) = value else { + bail!("Failed to get value."); + }; + + Ok(resource_bytes.clone()) + } + + async fn 
write_secret_resource(&self, resource_desc: ResourceDesc, data: &[u8]) -> Result<()> { + let mut attributes = vec![]; + attributes.push(Attribute::Class(ObjectClass::SECRET_KEY)); + attributes.push(Attribute::KeyType(KeyType::GENERIC_SECRET)); + attributes.push(Attribute::Extractable(true)); + attributes.push(Attribute::Private(true)); + + attributes.push(Attribute::Value(data.to_vec())); + attributes.push(Attribute::Label(Vec::from(resource_desc.to_string()))); + + let _object = self.session.lock().await.create_object(&attributes)?; + + Ok(()) + } +} + +impl Pkcs11Backend { + pub fn new(config: &Pkcs11Config) -> Result { + // setup global context + let pkcs11 = Pkcs11::new(config.module.clone())?; + pkcs11.initialize(CInitializeArgs::OsThreads).unwrap(); + + // create session + let slots = pkcs11.get_slots_with_token()?; + let slot_index = usize::from(config.slot_index.unwrap_or(0)); + if slot_index >= slots.len() { + bail!("Slot index out of range"); + } + + let session = pkcs11.open_rw_session(slots[slot_index])?; + session.login(UserType::User, Some(&AuthPin::new(config.pin.clone())))?; + + Ok(Self { + session: Arc::new(Mutex::new(session)), + }) + } +} From 4e8dd8a0f81ad670b350edf08dafd8ed50d9964d Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 22 Oct 2024 12:20:15 -0500 Subject: [PATCH 151/298] resource: add test for Pkcs11 Add a unit test for setting and getting a secret from an HSM. This test uses SoftHSM and will only work if it is already setup on the host with a slot initiated (and with a user password set). Thus, the test is disabled by default, but I have run it locally. Signed-off-by: Tobin Feldman-Fitzthum --- .../implementations/resource/pkcs11.rs | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/kbs/src/plugins/implementations/resource/pkcs11.rs b/kbs/src/plugins/implementations/resource/pkcs11.rs index d6a79e446b..ad7a9cad63 100644 --- a/kbs/src/plugins/implementations/resource/pkcs11.rs 
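Review bot: `write_secret_resource` creates the object without `Attribute::Token(true)`, and PKCS#11 treats CKA_TOKEN as false when it is absent, so the secret is a session object that disappears when the KBS session to the slot ends. The function also never checks for an object that already carries the label, so writing a resource a second time adds a duplicate and `read_secret_resource` goes on returning `objects[0]`, whichever object the token lists first. The rewrite below marks the object as a token object and removes older objects with the same label once the new one has been created. Separately, `pkcs11.initialize(CInitializeArgs::OsThreads).unwrap()` in `Pkcs11Backend::new` panics in a function that returns `Result`; ending the line with `?` reports a bad module as an error instead.

```rust
    async fn write_secret_resource(&self, resource_desc: ResourceDesc, data: &[u8]) -> Result<()> {
        let label = Vec::from(resource_desc.to_string());
        let session = self.session.lock().await;

        // Handles of objects already stored under this label; removed after the new one exists.
        let stale = session.find_objects(&[Attribute::Label(label.clone())])?;

        let attributes = vec![
            Attribute::Class(ObjectClass::SECRET_KEY),
            Attribute::KeyType(KeyType::GENERIC_SECRET),
            // Token object: kept in the slot after the session is closed.
            Attribute::Token(true),
            // … unchanged: Extractable, Private and Value attributes …
            Attribute::Label(label),
        ];
        session.create_object(&attributes)?;

        for handle in stale {
            session.destroy_object(handle)?;
        }

        Ok(())
    }
```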
+++ b/kbs/src/plugins/implementations/resource/pkcs11.rs @@ -100,3 +100,44 @@ impl Pkcs11Backend { }) } } + +#[cfg(test)] +mod tests { + use crate::plugins::resource::{ + backend::{ResourceDesc, StorageBackend}, + pkcs11::{Pkcs11Backend, Pkcs11Config}, + }; + + const TEST_DATA: &[u8] = b"testdata"; + + // This will only work if SoftHSM is setup + #[ignore] + #[tokio::test] + async fn write_and_read_resource() { + let config = Pkcs11Config { + module: "/usr/local/lib/softhsm/libsofthsm2.so".to_string(), + slot_index: None, + // This pin must be set for SoftHSM + pin: "test".to_string(), + }; + + let backend = Pkcs11Backend::new(&config).unwrap(); + + let resource_desc = ResourceDesc { + repository_name: "default".into(), + resource_type: "test".into(), + resource_tag: "test".into(), + }; + + backend + .write_secret_resource(resource_desc.clone(), TEST_DATA) + .await + .expect("write secret resource failed"); + let data = backend + .read_secret_resource(resource_desc) + .await + .expect("read secret resource failed"); + + assert_eq!(&data[..], TEST_DATA); + } +} From e19424073e04786c1a9e6fef8b035715426d676d Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Thu, 7 Nov 2024 15:29:25 -0600 Subject: [PATCH 152/298] StorageBackend: update documentation for Pkcs11 Add information about the Pkcs11 storage backend to the docs. Also fix some terms that we changed in the plugin refactoring PR. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/README.md | 4 +- kbs/docs/resource_repository.md | 31 --------------- kbs/docs/resource_storage_backend.md | 57 ++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 33 deletions(-) delete mode 100644 kbs/docs/resource_repository.md create mode 100644 kbs/docs/resource_storage_backend.md diff --git a/kbs/README.md b/kbs/README.md index f09a926267..87d0e48e92 100644 --- a/kbs/README.md +++ b/kbs/README.md 
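Review bot: `write_and_read_resource` covers only one write followed by one read of the same bytes, so it still passes when a later write under the same label is not the value that comes back. A second `write_secret_resource` call with different bytes for the same `ResourceDesc`, followed by an assertion that the read returns the new bytes, would pin the overwrite behaviour. The module path `/usr/local/lib/softhsm/libsofthsm2.so` and the PIN `test` are hard-coded; reading both from environment variables would let the ignored test run against a local SoftHSM install in another location. A comment above `#[ignore]` should list the slot setup the test expects.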
@@ -120,8 +120,8 @@ The KBS implements and supports a simple, vendor and hardware-agnostic KBS implements an HTTP-based, [OpenAPI 3.1](https://spec.openapis.org/oas/v3.1.0) compliant API. This API is formally described in its [OpenAPI formatted specification](./docs/kbs.yaml). -### Resource Repository -The [resource repository](./docs/resource_repository.md) where KBS store resource data. +### Resource Storage Backend +The [resource storage backend](./docs/resource_storage_backend.md) where KBS store resource data. ### Config A custom, [JSON-formatted configuration file](./docs/config.md) can be provided to configure KBS. diff --git a/kbs/docs/resource_repository.md b/kbs/docs/resource_repository.md deleted file mode 100644 index ba95b55e9c..0000000000 --- a/kbs/docs/resource_repository.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# Resource Repository - -KBS stores confidential resources through a `Repository` abstraction specified -by a Rust trait. The `Repository` interface can be implemented for different -storage backends like e.g. databases or local file systems. - -The [KBS config file](./config.md) -defines which resource repository backend KBS will use. The default is the local -file system (`LocalFs`). - -### Local File System Repository - -With the local file system `Repository` default implementation, each resource -file maps to a KBS resource URL. The file path to URL conversion scheme is -defined below: - -| Resource File Path | Resource URL | -| ------------------- | -------------- | -| `file://<$(KBS_REPOSITORY_DIR)>///` | `https:///kbs/v0/resource///` | - -The KBS root file system resource path is specified in the KBS config file -as well, and the default value is `/opt/confidential-containers/kbs/repository`. - -### Aliyun KMS - -[Alibaba Cloud KMS](https://www.alibabacloud.com/en/product/kms?_p_lc=1)(a.k.a Aliyun KMS) -can also work as the KBS resource storage backend. -In this mode, resources will be stored with [generic secrets](https://www.alibabacloud.com/help/en/kms/user-guide/manage-and-use-generic-secrets?spm=a2c63.p38356.0.0.dc4d24f7s0ZuW7) in a [KMS instance](https://www.alibabacloud.com/help/en/kms/user-guide/kms-overview?spm=a2c63.p38356.0.0.4aacf9e6V7IQGW). -One KBS can be configured with a specified KMS instance in `repository_config` field of KBS launch config. For config, see the [document](./config.md#repository-configuration). -These materials can be found in KMS instance's [AAP](https://www.alibabacloud.com/help/en/kms/user-guide/manage-aaps?spm=a3c0i.23458820.2359477120.1.4fd96e9bmEFST4). -When being accessed, a resource URI of `kbs:///repo/type/tag` will be translated into the generic secret with name `tag`. Hinting that `repo/type` field will be ignored. \ No newline at end of file 
diff --git a/kbs/docs/resource_storage_backend.md b/kbs/docs/resource_storage_backend.md new file mode 100644 index 0000000000..6314968a67 --- /dev/null +++ b/kbs/docs/resource_storage_backend.md 
@@ -0,0 +1,57 @@ +# Resource Storage Backend + +KBS stores confidential resources through a `StorageBackend` abstraction specified +by a Rust trait. The `StorageBackend` interface can be implemented for different +storage backends like e.g. databases or local file systems. + +The [KBS config file](./config.md) +defines which resource backend KBS will use. The default is the local +file system (`LocalFs`). + +### Local File System Backend + +With the local file system backend default implementation, each resource +file maps to a KBS resource URL. The file path to URL conversion scheme is +defined below: + +| Resource File Path | Resource URL | +| ------------------- | -------------- | +| `file://<$(KBS_REPOSITORY_DIR)>///` | `https:///kbs/v0/resource///` | + +The KBS root file system resource path is specified in the KBS config file +as well, and the default value is `/opt/confidential-containers/kbs/repository`. + +### Aliyun KMS + +[Alibaba Cloud KMS](https://www.alibabacloud.com/en/product/kms?_p_lc=1)(a.k.a Aliyun KMS) +can also work as the KBS resource storage backend. +In this mode, resources will be stored with [generic secrets](https://www.alibabacloud.com/help/en/kms/user-guide/manage-and-use-generic-secrets?spm=a2c63.p38356.0.0.dc4d24f7s0ZuW7) in a [KMS instance](https://www.alibabacloud.com/help/en/kms/user-guide/kms-overview?spm=a2c63.p38356.0.0.4aacf9e6V7IQGW). +One KBS can be configured with a specified KMS instance in `repository_config` field of KBS launch config. For config, see the [document](./config.md#repository-configuration). +These materials can be found in KMS instance's [AAP](https://www.alibabacloud.com/help/en/kms/user-guide/manage-aaps?spm=a3c0i.23458820.2359477120.1.4fd96e9bmEFST4). +When being accessed, a resource URI of `kbs:///repo/type/tag` will be translated into the generic secret with name `tag`. Hinting that `repo/type` field will be ignored. 
+ +### Pkcs11 + +The Pkcs11 backend uses Pkcs11 to store plaintext resources +in an HSM. +Pkcs11 is a broad specification supporting many cryptographic operations. +Here we make use only of a small subset of these features. +Often with Pkcs11 an HSM is used to wrap and unwrap keys or store wrapped keys. +Here we do something simpler. Since the KBS expects resources to be +in plaintext, we store these resources in the HSM as secret keys +of the generic secret type. +This storage backend will provision resource to the HSM +in the expected way when a user uploads a resource to the KBS. +The user must simply specify the location of an initialized HSM slot. +Keys can also be provisioned to the HSM separately +but they must have the expectd attributes. + +The Pkcs11 backend is configured with the following values. + +* `module` The module path should point to a binary implementing Pkcs11 for the HSM + that you want to use. For example, if you are using `SoftHSM`, you might + set the module path to `/usr/local/lib/softhsm/libsofthsm2.so`. +* `slot_index` The slot index points to the slot in your HSM where the secrets will be stored. + The slot must be initialized before starting the KBS. + No `slot_index` is set, the first slot will be used. +* `pin` The user password for authenticating a session with the above slot. From b17cb7d8a7cdc0d32d32435ba39a8dcc84f1244f Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Thu, 7 Nov 2024 16:50:43 -0600 Subject: [PATCH 153/298] aliyun_kms: fixup KMS after plugin refactor It looks like we might not be testing all of our storage backend features, which allowed some bugs to creep into the refactoring PR. Reconcile the aliyun_kms with the changes to the resource plugin. Signed-off-by: Tobin Feldman-Fitzthum --- .../plugins/implementations/resource/aliyun_kms.rs | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) 
diff --git a/kbs/src/plugins/implementations/resource/aliyun_kms.rs b/kbs/src/plugins/implementations/resource/aliyun_kms.rs index 50833412d5..70ee173256 100644 --- a/kbs/src/plugins/implementations/resource/aliyun_kms.rs +++ b/kbs/src/plugins/implementations/resource/aliyun_kms.rs @@ -2,8 +2,8 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use super::{Error, Repository, ResourceDesc, Result}; -use anyhow::Context; +use super::backend::{ResourceDesc, StorageBackend}; +use anyhow::{Context, Result}; use kms::{plugins::aliyun::AliyunKmsClient, Annotations, Getter}; use log::info; use serde::Deserialize; @@ -21,7 +21,7 @@ pub struct AliyunKmsBackend { } #[async_trait::async_trait] -impl Repository for AliyunKmsBackend { +impl StorageBackend for AliyunKmsBackend { async fn read_secret_resource(&self, resource_desc: ResourceDesc) -> Result> { info!( "Use aliyun KMS backend. Ignore {}/{}", @@ -32,8 +32,7 @@ impl Repository for AliyunKmsBackend { .client .get_secret(&name, &Annotations::default()) .await - .context("failed to get resource from aliyun KMS") - .map_err(|e| Error::AliyunError { source: e })?; + .context("failed to get resource from aliyun KMS")?; Ok(resource_bytes) } @@ -54,8 +53,7 @@ impl AliyunKmsBackend { &repo_desc.password, &repo_desc.cert_pem, ) - .context("create aliyun KMS backend") - .map_err(|e| Error::AliyunError { source: e })?; + .context("create aliyun KMS backend")?; Ok(Self { client }) } } From 4e78e9a196db6c2ef24cc267254cf978c6a36104 Mon Sep 17 00:00:00 2001 From: "James O. D. Hunt" Date: Thu, 7 Nov 2024 09:02:47 +0000 Subject: [PATCH 154/298] kbs: docs: Fix ITA note Fix a mistake where the wrong AS name was specified in a note in the ITA section. Signed-off-by: James O. D. Hunt --- kbs/docs/config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 63013534b8..07cb803859 100644 --- a/kbs/docs/config.md 
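Review bot: `read_secret_resource` in the `@@ -21,7 +21,7 @@` hunk logs that it ignores two components of `resource_desc` and then fetches the secret by `name` alone, yet nothing on the method documents what that means for access control. The line that builds `name` lies between the hunks, so this is inferred, but if only the tag selects the KMS secret then two resource paths that differ in repository or type return the same bytes, and a resource policy keyed on the full path cannot separate them. I would add a doc comment on the method, for example `/// Only the resource tag selects the KMS secret; repository and type are ignored, so policies must not rely on them to separate secrets.`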
+++ b/kbs/docs/config.md @@ -142,7 +142,7 @@ attestation. The following properties can be set. When `type` is set to `intel_ta`, KBS will try to connect a remote Intel TA service for attestation. The following properties can be set. ->gRPC CoCo AS is available only when `coco-as-grpc` feature is enabled. +> Intel Trust Authority AS is available only when the `intel-trust-authority-as` feature is enabled. | Property | Type | Description | Required | Default | |--------------------------|---------|------------------------------------------------------------------------------------------|----------|---------| From d32b1acd8fb395eee832283527346f42846f3c39 Mon Sep 17 00:00:00 2001 From: "James O. D. Hunt" Date: Wed, 6 Nov 2024 10:52:17 +0000 Subject: [PATCH 155/298] kbs: ITA: Handle empty body error Split the error body handling so that there is now a separate error stating that no error body is available which is clearer than stating that we cannot deserialise the error message (there isn't one). Signed-off-by: James O. D. Hunt --- .../attestation/intel_trust_authority/mod.rs | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 9dd910accd..996cbf089f 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs 
@@ -169,12 +169,17 @@ impl Attest for IntelTrustAuthority { let body = resp .json::() .await - .context("Failed to deserialize attestation error response")?; - bail!( - "Attestation request failed: response status={}, message={}", - status, - body.error - ); + .context("Failed to deserialize attestation error response"); + + // Only inspect the body if there is one. + match body { + Ok(body) => bail!( + "Attestation request failed: response status={}, message={}", + status, + body.error + ), + _ => bail!("Attestation request failed: response status={}", status), + } } let resp_data = resp .json::() From 281deb19bfd4880c1271de086832beab08f4f1d3 Mon Sep 17 00:00:00 2001 From: "James O. D. Hunt" Date: Wed, 6 Nov 2024 10:54:01 +0000 Subject: [PATCH 156/298] kbs: ITA: Allow policy IDs in config file If one or more policy IDs are specified in the config file, add these to the attestation request and implicitly set `policy_must_match=true`. ```toml [attestation_service] type = "intel_ta" policy_ids = ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"] ``` Alternatively, specify multiple policy IDs like this: ```toml policy_ids = [ "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", # ... "nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn", ] ``` Signed-off-by: James O. D. Hunt --- kbs/docs/config.md | 15 +++++---- .../attestation/intel_trust_authority/mod.rs | 32 ++++++++++--------- kbs/src/config.rs | 4 +++ 3 files changed, 29 insertions(+), 22 deletions(-) diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 07cb803859..d044b7632d 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
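Review bot: The `_` arm of the new `match body` throws away the deserialization error, so a non-empty but malformed error body is reported exactly like an empty one, and the `.context(...)` string attached just above is never shown. Keeping the cause makes a failed attestation request diagnosable from the log: `Err(e) => bail!("Attestation request failed: response status={}, error body unavailable: {:#}", status, e),`. The enclosing function starts and ends outside the hunk.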
@@ -144,13 +144,14 @@ attestation. The following properties can be set. > Intel Trust Authority AS is available only when the `intel-trust-authority-as` feature is enabled. -| Property | Type | Description | Required | Default | -|--------------------------|---------|------------------------------------------------------------------------------------------|----------|---------| -| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | No | 5 | -| `base_url` | String | Intel Trust Authority API URL. | Yes | - | -| `api_key` | String | Intel Trust Authority API key. | Yes | - | -| `certs_file` | String | URL to an Intel Trust Authority portal or path to JWKS file used for token verification. | Yes | - | -| `allow_unmatched_policy` | Boolean | Determines whether to ignore the `policy_ids_unmatched` token claim. | No | false | +| Property | Type | Description | Required | Default | +|--------------------------|--------------|------------------------------------------------------------------------------------------|----------|---------| +| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | No | 5 | +| `base_url` | String | Intel Trust Authority API URL. | Yes | - | +| `api_key` | String | Intel Trust Authority API key. | Yes | - | +| `certs_file` | String | URL to an Intel Trust Authority portal or path to JWKS file used for token verification. | Yes | - | +| `allow_unmatched_policy` | Boolean | If set and `policy_ids` specified, unset the `request.policy_must_match` setting | No | false | +| `policy_ids` | String array | List of one or more quoted and comma-separated policy IDs. | No | `[]` | Detailed [documentation](https://docs.trustauthority.intel.com). diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 996cbf089f..5ed6a3811b 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs 
+++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -15,6 +15,7 @@ use kbs_types::{Attestation, Tee}; use reqwest::header::{ACCEPT, CONTENT_TYPE, USER_AGENT}; use serde::{Deserialize, Serialize}; use serde_json::{from_value, json}; +use std::result::Result::Ok; use strum::{AsRefStr, Display, EnumString}; const SUPPORTED_HASH_ALGORITHMS_JSON_KEY: &str = "supported-hash-algorithms"; @@ -59,6 +60,8 @@ struct AttestReqData { runtime_data: String, #[serde(skip_serializing_if = "Option::is_none")] user_data: Option, + policy_ids: Vec, + policy_must_match: bool, } #[derive(Deserialize, Debug)] @@ -66,11 +69,6 @@ struct AttestRespData { token: String, } -#[derive(Deserialize, Debug)] -struct Claims { - policy_ids_unmatched: Option>, -} - #[derive(Deserialize, Debug)] struct ErrorResponse { error: String, @@ -82,6 +80,7 @@ pub struct IntelTrustAuthorityConfig { pub api_key: String, pub certs_file: String, pub allow_unmatched_policy: Option, + pub policy_ids: Vec, } pub struct IntelTrustAuthority { @@ -102,6 +101,13 @@ impl Attest for IntelTrustAuthority { }) .to_string(); + let policy_ids = self.config.policy_ids.clone(); + + let policy_must_match = match policy_ids.is_empty() { + true => false, + false => !self.config.allow_unmatched_policy.unwrap_or_default(), + }; + // construct attest request data and attestation url let (req_data, att_url) = match tee { Tee::AzTdxVtpm => { @@ -116,6 +122,8 @@ impl Attest for IntelTrustAuthority { quote: STANDARD.encode(evidence.td_quote), runtime_data: STANDARD.encode(hcl_report.var_data()), user_data: Some(STANDARD.encode(runtime_data)), + policy_ids, + policy_must_match, }; (req_data, att_url) @@ -130,6 +138,8 @@ impl Attest for IntelTrustAuthority { quote: evidence.quote, runtime_data: STANDARD.encode(runtime_data), user_data: None, + policy_ids, + policy_must_match, }; (req_data, att_url) 
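Review bot: In the `@@ -102,6 +101,13 @@` hunk `policy_must_match` is derived by matching on a bool, which hides the rule that an empty `policy_ids` switches matching off whatever `allow_unmatched_policy` says. `let policy_must_match = !policy_ids.is_empty() && !self.config.allow_unmatched_policy.unwrap_or_default();` states it in one line, and a comment such as `// No policy IDs configured: the service is not asked to enforce any policy.` makes that default visible to the next reader. The `use std::result::Result::Ok;` added in the first hunk is presumably needed because of a glob import elsewhere in the file, so it deserves a one-line comment to stop someone from removing it. The enclosing function starts outside the hunk.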
@@ -186,21 +196,12 @@ impl Attest for IntelTrustAuthority { .await .context("Failed to deserialize attestation response")?; - let token = self + let _token = self .token_verifier .verify(resp_data.token.clone()) .await .context("Failed to verify attestation token")?; - let claims = serde_json::from_value::(token) - .context("Failed to deserialize attestation token claims")?; - - // check unmatched policy - let allow = self.config.allow_unmatched_policy.unwrap_or(false); - if !allow && claims.policy_ids_unmatched.is_some() { - bail!("Evidence doesn't match policy"); - } - Ok(resp_data.token.clone()) } @@ -473,6 +474,7 @@ mod tests { api_key: "".into(), certs_file, allow_unmatched_policy: None, + policy_ids: vec![], }; let msg = format!( diff --git a/kbs/src/config.rs b/kbs/src/config.rs index f02233e354..06d3af2a1e 100644 --- a/kbs/src/config.rs +++ b/kbs/src/config.rs @@ -80,6 +80,7 @@ impl TryFrom<&Path> for KbsConfig { .set_default("admin.insecure_api", DEFAULT_INSECURE_API)? .set_default("http_server.insecure_http", DEFAULT_INSECURE_HTTP)? .set_default("http_server.sockets", vec![DEFAULT_SOCKET])? + .set_default("attestation_service.policy_ids", Vec::<&str>::new())? .add_source(File::with_name(config_path.to_str().unwrap())) .build()?; @@ -230,6 +231,7 @@ mod tests { api_key: "this-is-a-key".into(), certs_file: "file:///etc/ita-cert.pem".into(), allow_unmatched_policy: Some(true), + policy_ids: vec![], } ), timeout: crate::attestation::config::DEFAULT_TIMEOUT, @@ -341,6 +343,7 @@ mod tests { api_key: "tBfd5kKX2x9ahbodKV1...".into(), certs_file: "https://portal.trustauthority.intel.com".into(), allow_unmatched_policy: None, + policy_ids: vec![], } ), timeout: crate::attestation::config::DEFAULT_TIMEOUT, @@ -400,6 +403,7 @@ mod tests { api_key: "tBfd5kKX2x9ahbodKV1...".into(), certs_file: "https://portal.trustauthority.intel.com".into(), allow_unmatched_policy: None, + policy_ids: vec![], } ), timeout: crate::attestation::config::DEFAULT_TIMEOUT, 
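Review bot: After the `@@ -186,21 +196,12 @@` hunk the verified token's claims are discarded (`_token`), so the KBS relies entirely on the remote service honouring `policy_must_match` and no longer rejects a token that carries `policy_ids_unmatched`. With the default empty `policy_ids` the request sends `policy_must_match = false`, so a deployment that previously failed closed on unmatched policies (`allow_unmatched_policy` unset) now accepts such tokens. I would keep the local check as defence in depth, which also means keeping the `Claims` struct that the `@@ -66,11 +69,6 @@` hunk removes. If dropping the old default is intended, the commit message and `config.md` should say so explicitly. The enclosing function starts outside the hunk.

```rust
let token = self
    .token_verifier
    .verify(resp_data.token.clone())
    .await
    .context("Failed to verify attestation token")?;

// Defence in depth: check the claim locally instead of trusting the
// service to have honoured `policy_must_match`.
let claims = serde_json::from_value::<Claims>(token)
    .context("Failed to deserialize attestation token claims")?;
let allow_unmatched = self.config.allow_unmatched_policy.unwrap_or(false);
if !allow_unmatched && claims.policy_ids_unmatched.is_some() {
    bail!("Evidence doesn't match policy");
}
// … unchanged: Ok(resp_data.token.clone()) …
```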
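Review bot: The new `.set_default("attestation_service.policy_ids", ...)` in the `kbs/src/config.rs` hunk injects an Intel Trust Authority key into the `attestation_service` table for every attestation service type, not just `intel_ta`. How the other variants deserialize is not visible here, but a stray key is at best noise and at worst a parse error if one of them rejects unknown fields. Putting `#[serde(default)]` on the `policy_ids` field of `IntelTrustAuthorityConfig` keeps the default next to the field it belongs to and lets this line go.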
From a69c43423e0c39c6de513b12a86b1a1e422ae3bf Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 7 Nov 2024 11:35:38 +0800 Subject: [PATCH 157/298] kbs: add default value for config deserialization Before this commit, if we do not explicitly specify the `dir_path` when using localfs resource storage, the launch of kbs will fail. This commit adds a default value when kbs tries to read config. If no value is given it will use the default value. Signed-off-by: Xynnn007 --- kbs/src/plugins/implementations/resource/local_fs.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/kbs/src/plugins/implementations/resource/local_fs.rs b/kbs/src/plugins/implementations/resource/local_fs.rs index 8ec7201a13..2acc7f8ebf 100644 --- a/kbs/src/plugins/implementations/resource/local_fs.rs +++ b/kbs/src/plugins/implementations/resource/local_fs.rs @@ -14,6 +14,7 @@ pub const DEFAULT_REPO_DIR_PATH: &str = "/opt/confidential-containers/kbs/reposi #[derive(Debug, Deserialize, Clone, PartialEq)] pub struct LocalFsRepoDesc { + #[serde(default)] pub dir_path: String, } From 27f5cf217ce99477063f4bbd3a0c078ec060b9fe Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 7 Nov 2024 11:37:16 +0800 Subject: [PATCH 158/298] docs: fix https document using the new format of config file Signed-off-by: Xynnn007 --- kbs/docs/self-signed-https.md | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md index e278ba51fa..034bf77b01 100644 --- a/kbs/docs/self-signed-https.md +++ b/kbs/docs/self-signed-https.md 
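Review bot: A bare `#[serde(default)]` on a `String` field fills in `String::default()`, the empty string, not `DEFAULT_REPO_DIR_PATH`. Unless the empty value is replaced somewhere outside this hunk, the backend would presumably resolve resources against an empty base path rather than the documented repository directory. Naming the default makes the commit message's intent hold: `#[serde(default = "default_dir_path")]` together with `fn default_dir_path() -> String { DEFAULT_REPO_DIR_PATH.to_string() }`. A test that deserializes a config without `dir_path` and asserts the resulting path would pin it.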
@@ -62,37 +62,38 @@ openssl pkey -in private.key -pubout -out public.pub Set up a `kbs-config.toml` ```bash cat << EOF > kbs-config.toml +[http_server] +sockets = ["0.0.0.0:8080"] private_key = "/etc/key.pem" certificate = "/etc/cert.pem" +insecure_http = false -sockets = ["0.0.0.0:8080"] - +[admin] auth_public_key = "/etc/public.pub" -insecure_api = true - [attestation_token] insecure_key = true -[repository_config] -type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" +[policy_engine] +policy_path = "/opa/confidential-containers/kbs/policy.rego" -[as_config] +[attestation_service] +type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -rvps_store_type = "LocalFs" attestation_token_broker = "Simple" -[as_config.attestation_token] -duration_min = 5 + [attestation_service.attestation_token_config] + duration_min = 5 -[as_config.rvps_config] -store_type = "LocalFs" -remote_addr = "" + [attestation_service.rvps_config] + remote_addr = "" + store_type = "LocalFs" -[policy_engine_config] -policy_path = "/opa/confidential-containers/kbs/policy.rego" +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" EOF ``` From 255a2ffc073cd5f543cdbeb28cd48879571c8473 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 01:31:17 +0000 Subject: [PATCH 159/298] build(deps): bump winnow from 0.6.18 to 0.6.20 Bumps [winnow](https://github.com/winnow-rs/winnow) from 0.6.18 to 0.6.20. - [Changelog](https://github.com/winnow-rs/winnow/blob/main/CHANGELOG.md) - [Commits](https://github.com/winnow-rs/winnow/compare/v0.6.18...v0.6.20) --- updated-dependencies: - dependency-name: winnow dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index 5534094d13..9bd7f34d25 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -6305,9 +6305,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "0.6.18" +version = "0.6.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68a9bda4691f099d435ad181000724da8e5899daa10713c2d432552b9ccd3a6f" +checksum = "36c1fec1a2bb5866f07c25f68c26e565c4c200aebb96d7e55710c19d3e8ac49b" dependencies = [ "memchr", ] From ed5efe87387b47dc26438b25447be7441ed002a2 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 11 Nov 2024 16:07:49 +0800 Subject: [PATCH 160/298] KBS: Update configuration file format Fixes #570 Signed-off-by: Xynnn007 --- kbs/config/kbs-config-grpc.toml | 5 +++++ .../kbs-config-intel-trust-authority.toml | 5 +++++ kbs/config/kbs-config.toml | 19 ++++++++++--------- 3 files changed, 20 insertions(+), 9 deletions(-) diff --git a/kbs/config/kbs-config-grpc.toml b/kbs/config/kbs-config-grpc.toml index 8bdc818dac..2302e3dd5f 100644 --- a/kbs/config/kbs-config-grpc.toml +++ b/kbs/config/kbs-config-grpc.toml @@ -11,3 +11,8 @@ pool_size = 200 [admin] insecure_api = true + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" diff --git a/kbs/config/kbs-config-intel-trust-authority.toml b/kbs/config/kbs-config-intel-trust-authority.toml index 90b1580594..6d5d4e4382 100644 --- a/kbs/config/kbs-config-intel-trust-authority.toml +++ b/kbs/config/kbs-config-intel-trust-authority.toml @@ -12,3 +12,8 @@ type = "intel_ta" base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml index a42fb7d897..e7bed67c3f 100644 --- a/kbs/config/kbs-config.toml 
+++ b/kbs/config/kbs-config.toml @@ -4,25 +4,26 @@ insecure_http = true [attestation_token] insecure_api = true -[repository] -type = "LocalFs" -dir_path = "/opt/confidential-containers/kbs/repository" - [attestation_service] type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" - [attestation_service.attestation_token_config] - duration_min = 5 +[attestation_service.attestation_token_config] +duration_min = 5 - [attestation_service.rvps_config] - store_type = "LocalFs" - remote_addr = "" +[attestation_service.rvps_config] +store_type = "LocalFs" +remote_addr = "" [policy_engine] policy_path = "/opa/confidential-containers/kbs/policy.rego" [admin] insecure_api = true + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" From 390708ba8a2d1a69b6fd2da70dac8b995e22ca4e Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Wed, 6 Nov 2024 15:59:26 -0600 Subject: [PATCH 161/298] verifier: bump csv crate to latest The CSV crate has been update to not be tied to a specific version of OpenSSL. We definitely want to pick up this change. Signed-off-by: Tobin Feldman-Fitzthum --- Cargo.lock | 26 ++++++++++++++++++++++++-- deps/verifier/Cargo.toml | 2 +- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9bd7f34d25..4e89ea9076 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -570,7 +570,7 @@ dependencies = [ "az-tdx-vtpm", "base64 0.22.1", "codicon", - "csv-rs", + "csv-rs 0.1.0 (git+https://github.com/openanolis/csv-rs?rev=b74aa8c)", "hex", "hyper 0.14.30", "hyper-tls 0.5.0", 
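Review bot: The sample still carries `insecure_api = true` under `[attestation_token]` (context lines at the top of the hunk) as well as under `[admin]`. The first looks like a leftover from the old layout, and if that table does not define the key it is either silently ignored or rejected, depending on how the section is parsed. Since this commit is the format clean-up, I would drop the stray line and mark the remaining insecure switches as development-only, e.g. `# Development only: disables authentication on the admin API.` above `insecure_api = true`, with a matching comment on `insecure_http = true`.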
@@ -1375,6 +1375,28 @@ dependencies = [ "libloading 0.7.4", ] +[[package]] +name = "csv-rs" +version = "0.1.0" +source = "git+https://github.com/openanolis/csv-rs?rev=3045440#3045440238a4487fc468a69dce07313662992a64" +dependencies = [ + "bitfield 0.13.2", + "bitflags 1.3.2", + "codicon", + "dirs", + "hyper 0.14.30", + "hyper-tls 0.5.0", + "iocuddle", + "libc", + "openssl", + "openssl-sys", + "rand", + "serde", + "serde-big-array", + "static_assertions", + "tokio", +] + [[package]] name = "csv-rs" version = "0.1.0" @@ -5913,7 +5935,7 @@ dependencies = [ "byteorder", "cfg-if", "codicon", - "csv-rs", + "csv-rs 0.1.0 (git+https://github.com/openanolis/csv-rs?rev=3045440)", "ear", "eventlog-rs", "hex", diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index e65188a512..e1b3ff6cd9 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml @@ -28,7 +28,7 @@ byteorder = "1" cfg-if = "1.0.0" codicon = { version = "3.0", optional = true } # TODO: change it to "0.1", once released. -csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "b74aa8c", optional = true } +csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "3045440", optional = true } eventlog-rs = { version = "0.1.3", optional = true } hex.workspace = true jsonwebkey = "0.3.5" From f0db379f828aab448397a4e0f3daa3d0db8be92a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 13 Nov 2024 09:54:08 +0100 Subject: [PATCH 162/298] kbs: ita: Don't expose apiKey on debug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's take advantage of the "derivative" crate and simply ignore fields which we do not want to expose when running the kbs in debug mode. Signed-off-by: Fabiano Fidêncio --- Cargo.lock | 12 ++++++++++++ kbs/Cargo.toml | 1 + kbs/src/attestation/intel_trust_authority/mod.rs | 5 ++++- 3 files changed, 17 insertions(+), 1 deletion(-) 
diff --git a/Cargo.lock b/Cargo.lock index 4e89ea9076..5fd14343f9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1563,6 +1563,17 @@ dependencies = [ "powerfmt", ] +[[package]] +name = "derivative" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b" +dependencies = [ + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "derive_more" version = "0.99.17" @@ -2711,6 +2722,7 @@ dependencies = [ "clap 4.5.20", "config", "cryptoki", + "derivative", "env_logger 0.10.2", "jsonwebtoken", "jwt-simple 0.11.9", diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index cd92b38b6b..d7c781391f 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -71,6 +71,7 @@ tonic = { workspace = true, optional = true } uuid = { version = "1.2.2", features = ["serde", "v4"] } openssl = "0.10.55" az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true } +derivative = "2.2.0" [dev-dependencies] tempfile.workspace = true diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 5ed6a3811b..45026292f8 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -10,6 +10,7 @@ use anyhow::*; use async_trait::async_trait; use az_cvm_vtpm::hcl::HclReport; use base64::{engine::general_purpose::STANDARD, Engine}; +use derivative::Derivative; use kbs_types::Challenge; use kbs_types::{Attestation, Tee}; use reqwest::header::{ACCEPT, CONTENT_TYPE, USER_AGENT}; @@ -74,9 +75,11 @@ struct ErrorResponse { error: String, } -#[derive(Clone, Debug, Deserialize, PartialEq, Default)] +#[derive(Clone, Derivative, Deserialize, PartialEq, Default)] +#[derivative(Debug)] pub struct IntelTrustAuthorityConfig { pub base_url: String, + #[derivative(Debug = "ignore")] pub api_key: String, pub certs_file: String, pub allow_unmatched_policy: Option, 
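Review bot: Redaction here is opt-in per field: `#[derivative(Debug = "ignore")]` on `api_key` protects this one field, but a secret added to the struct later is printed by default. The same pattern is repeated for `pin` in `pkcs11.rs` and for `client_key` and `password` in `aliyun_kms.rs`. A small secret newtype whose `Debug` prints a fixed marker would make the safe behaviour the default and remove the need for a new derive dependency in `kbs/Cargo.toml`. If the attribute approach stays, a comment on each struct should say that new credential fields must carry the attribute. Only `Debug` is covered, so any `Display` or error path that formats these values is unaffected.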
From c69921ac09962245be972f07c543147ee5e6f38b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 13 Nov 2024 10:06:30 +0100 Subject: [PATCH 163/298] kbs: plugins: pkcs11: Don't expose user pin on debug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's take advantage of the "derivative" crate and simply ignore fields which we do not want to expose when running the kbs in debug mode. Signed-off-by: Fabiano Fidêncio --- kbs/src/plugins/implementations/resource/pkcs11.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kbs/src/plugins/implementations/resource/pkcs11.rs b/kbs/src/plugins/implementations/resource/pkcs11.rs index ad7a9cad63..3005ff08fa 100644 --- a/kbs/src/plugins/implementations/resource/pkcs11.rs +++ b/kbs/src/plugins/implementations/resource/pkcs11.rs @@ -7,13 +7,15 @@ use cryptoki::context::{CInitializeArgs, Pkcs11}; use cryptoki::object::{Attribute, AttributeInfo, AttributeType, KeyType, ObjectClass}; use cryptoki::session::{Session, UserType}; use cryptoki::types::AuthPin; +use derivative::Derivative; use serde::Deserialize; use std::sync::Arc; use tokio::sync::Mutex; use super::backend::{ResourceDesc, StorageBackend}; -#[derive(Debug, Deserialize, Clone, PartialEq)] +#[derive(Derivative, Deserialize, Clone, PartialEq)] +#[derivative(Debug)] pub struct Pkcs11Config { /// Path to the Pkcs11 module module: String, @@ -23,6 +25,7 @@ pub struct Pkcs11Config { slot_index: Option, /// The user pin for authenticating the session + #[derivative(Debug = "ignore")] pin: String, } From acf8814b043ed0ab5d38e1d331d70aa267d235dc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 13 Nov 2024 10:32:05 +0100 Subject: [PATCH 164/298] kbs: plugins: aliyun: Don't expose client_key / password on debug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's take advantage of the "derivative" crate and simply ignore fields which we do not want to expose when running the kbs in debug mode. Signed-off-by: Fabiano Fidêncio --- kbs/src/plugins/implementations/resource/aliyun_kms.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kbs/src/plugins/implementations/resource/aliyun_kms.rs b/kbs/src/plugins/implementations/resource/aliyun_kms.rs index 70ee173256..85212365b4 100644 --- a/kbs/src/plugins/implementations/resource/aliyun_kms.rs +++ b/kbs/src/plugins/implementations/resource/aliyun_kms.rs @@ -4,14 +4,18 @@ use super::backend::{ResourceDesc, StorageBackend}; use anyhow::{Context, Result}; +use derivative::Derivative; use kms::{plugins::aliyun::AliyunKmsClient, Annotations, Getter}; use log::info; use serde::Deserialize; -#[derive(Debug, Deserialize, Clone, PartialEq)] +#[derive(Derivative, Deserialize, Clone, PartialEq)] +#[derivative(Debug)] pub struct AliyunKmsBackendConfig { + #[derivative(Debug = "ignore")] client_key: String, kms_instance_id: String, + #[derivative(Debug = "ignore")] password: String, cert_pem: String, } From 34391eaf54fe4b548deb5a5e18a3e49fcd57b1a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 13 Nov 2024 11:18:33 +0100 Subject: [PATCH 165/298] kbs: Let users know that sensitive fields are omitted from logs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By doing this we avoid any kind of confusion on why this or that field is not present in the logs. Signed-off-by: Fabiano Fidêncio --- kbs/src/bin/kbs.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/kbs/src/bin/kbs.rs b/kbs/src/bin/kbs.rs index 76725eeaa7..143d24d71a 100644 --- a/kbs/src/bin/kbs.rs +++ b/kbs/src/bin/kbs.rs @@ -23,7 +23,7 @@ async fn main() -> Result<()> { info!("Using config file {}", cli.config_file); let kbs_config = KbsConfig::try_from(Path::new(&cli.config_file))?; - debug!("Config: {:#?}", kbs_config); + debug!("Config (sensitive fields are omitted): {:#?}", kbs_config); let api_server = ApiServer::new(kbs_config).await?; From 80f89639b3fb1c56c8b5acc01cf823d715657f8c Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 13 Nov 2024 09:23:34 +0800 Subject: [PATCH 166/298] AS: fix build feature selection We have two needs to build an AS docker image. 1. Use specific verifier suites (also for AS binary) 2. Install specific verifier software stack due to verifier This patch accomplish 1, by disabling all verifiers in CoCoAS basic code and providing a VERIFIER env for makefile to specify the verifier suites. For 2, we add make dockerfile function which also follows VERIFIER env to install related verifier software stack. By default the generation of dockerfiles will use all-verifier. We add target platform detecting logic to the KBS crate cargo toml to determine the built-in AS features. Also, the CI pipeline of CoCoAS is updated. Signed-off-by: Xynnn007 --- .github/workflows/push-as-image-to-ghcr.yml | 30 +++++++++++++++++++ attestation-service/Cargo.toml | 7 +---- attestation-service/Makefile | 26 +++++++++++----- attestation-service/docker/as-grpc/Dockerfile | 23 ++++++++++---- .../docker/as-restful/Dockerfile | 22 ++++++++++---- attestation-service/docs/grpc-as.md | 10 +++++-- attestation-service/docs/restful-as.md | 10 +++++-- deps/verifier/src/lib.rs | 2 +- kbs/Cargo.toml | 11 ++++++- 9 files changed, 109 insertions(+), 32 deletions(-) diff --git a/.github/workflows/push-as-image-to-ghcr.yml b/.github/workflows/push-as-image-to-ghcr.yml index 5b1ecbc435..16b00ff067 100644 --- a/.github/workflows/push-as-image-to-ghcr.yml 
+++ b/.github/workflows/push-as-image-to-ghcr.yml @@ -19,16 +19,45 @@ jobs: - coco-as-grpc - coco-as-restful - rvps + verifier: + - all-verifier + - se-verifier include: - docker_file: attestation-service/docker/as-grpc/Dockerfile tag: coco-as-grpc name: gRPC CoCo-AS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: attestation-service/docker/as-grpc/Dockerfile + tag: coco-as-grpc + name: gRPC CoCo-AS (IBM SE) + verifier: se-verifier + instance: s390x - docker_file: attestation-service/docker/as-restful/Dockerfile tag: coco-as-restful name: RESTful CoCo-AS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: attestation-service/docker/as-restful/Dockerfile + tag: coco-as-restful + name: RESTful CoCo-AS (IBM SE) + verifier: se-verifier + instance: s390x + - docker_file: rvps/docker/Dockerfile + tag: rvps + name: RVPS + verifier: all-verifier + instance: ubuntu-latest - docker_file: rvps/docker/Dockerfile tag: rvps name: RVPS + verifier: se-verifier + instance: s390x + exclude: + - instance: ubuntu-latest + verifier: se-verifier + - instance: s390x + verifier: all-verifier runs-on: ${{ matrix.instance }} steps: @@ -50,6 +79,7 @@ jobs: commit_sha=${{ github.sha }} arch=$(uname -m) DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push --build-arg ARCH="${arch}" \ + --build-arg VERIFIER="${{ matrix.verifier }}" \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" . diff --git a/attestation-service/Cargo.toml b/attestation-service/Cargo.toml index f7dfc61155..fce9a5a6cc 100644 --- a/attestation-service/Cargo.toml +++ b/attestation-service/Cargo.toml 
@@ -4,7 +4,7 @@ version = "0.1.0" edition = "2021" [features] -default = [ "restful-bin", "rvps-grpc", "rvps-builtin", "all-verifier" ] +default = ["restful-bin", "rvps-grpc", "rvps-builtin"] all-verifier = [ "verifier/all-verifier" ] tdx-verifier = [ "verifier/tdx-verifier" ] sgx-verifier = [ "verifier/sgx-verifier" ] @@ -64,13 +64,8 @@ thiserror = { workspace = true, optional = true } tokio.workspace = true tonic = { workspace = true, optional = true } uuid = { version = "1.1.2", features = ["v4"] } - -[target.'cfg(not(target_arch = "s390x"))'.dependencies] verifier = { path = "../deps/verifier", default-features = false } -[target.'cfg(target_arch = "s390x")'.dependencies] -verifier = { path = "../deps/verifier", default-features = false, features = ["se-verifier"] } - [build-dependencies] shadow-rs.workspace = true tonic-build.workspace = true diff --git a/attestation-service/Makefile b/attestation-service/Makefile index 67ca329539..c8ed190ebb 100644 --- a/attestation-service/Makefile +++ b/attestation-service/Makefile @@ -8,14 +8,24 @@ BIN_NAMES := grpc-as restful-as DEBUG ?= DESTDIR ?= $(PREFIX)/bin -FEATURES ?= +VERIFIER ?= all-verifier -ifdef FEATURES - OPTIONAL_FEATURES := ,$(FEATURES) - default-features := --no-default-features +RVPS_GRPC := true + +# TODO: Remove `RVPS_BUILTIN` +# when https://github.com/confidential-containers/trustee/pull/553 gets merged +# Here we also declare another variable `RVPS_FEATURES1` because a blank will +# be added when doing '+=' operation in Makefile +RVPS_BUILTIN := true + +ifeq ($(RVPS_GRPC), true) + RVPS_FEATURES1 := rvps-grpc +endif + +ifeq ($(RVPS_BUILTIN), true) + RVPS_FEATURES := $(RVPS_FEATURES1),rvps-builtin else - OPTIONAL_FEATURES := - default-features := + RVPS_FEATURES := $(RVPS_FEATURES1) endif ifdef DEBUG 
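Review bot: The knob introduced in the Makefile hunk is `VERIFIER`, but the documentation hunks later in this commit (grpc-as.md and restful-as.md) tell users to run `make ATTESTER=all-attester` and `docker build --build-arg ATTESTER=all-attester`. Neither the Makefile nor the Dockerfiles in this commit read `ATTESTER`, so the value is ignored and the build falls back to `all-verifier`. Someone trying to ship a reduced verifier set would get the full one without an error. The docs should read `make VERIFIER=all-verifier` and `--build-arg VERIFIER=all-verifier`. A comment above the assignment, such as `# VERIFIER: verifier feature of the attestation-service crate, e.g. all-verifier, tdx-verifier, se-verifier`, would make the accepted values discoverable.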
@@ -29,10 +39,10 @@ endif build: grpc-as restful-as grpc-as: - cargo build --bin grpc-as $(release) $(default-features) --features grpc-bin$(OPTIONAL_FEATURES) + cargo build --bin grpc-as $(release) --features grpc-bin,$(VERIFIER),$(RVPS_FEATURES) restful-as: - cargo build --bin restful-as $(release) $(default-features) --features restful-bin$(OPTIONAL_FEATURES) + cargo build --bin restful-as $(release) --features restful-bin,$(VERIFIER),$(RVPS_FEATURES) install: for bin_name in $(BIN_NAMES); do \ diff --git a/attestation-service/docker/as-grpc/Dockerfile b/attestation-service/docker/as-grpc/Dockerfile index 4ad794068d..26fe023e0d 100644 --- a/attestation-service/docker/as-grpc/Dockerfile +++ b/attestation-service/docker/as-grpc/Dockerfile @@ -4,6 +4,7 @@ FROM rust:latest AS builder ARG ARCH=x86_64 +ARG VERIFIER=all-verifier WORKDIR /usr/src/attestation-service COPY . . 
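Review bot: Both `cargo build` recipes drop `$(default-features)` and never pass `--no-default-features`, so the crate defaults shown in the Cargo.toml hunk (`restful-bin`, `rvps-grpc`, `rvps-builtin`) are always enabled. That makes `RVPS_GRPC` and `RVPS_BUILTIN` no-ops when set to anything other than `true`, and the `grpc-as` target also compiles in `restful-bin`. If the toggles are meant to take effect, the recipe would be `cargo build --bin grpc-as $(release) --no-default-features --features grpc-bin,$(VERIFIER),$(RVPS_FEATURES)`, and likewise for `restful-as`. With `RVPS_GRPC` off, `RVPS_FEATURES` also begins with a comma, which is worth normalising before it reaches `--features`.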
@@ -17,26 +18,36 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/ apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi # Build and Install gRPC attestation-service -RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin --locked +RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin,${VERIFIER} --locked FROM ubuntu:22.04 ARG ARCH=x86_64 +ARG VERIFIER=all-verifier LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service" -# Install TDX Runtime Dependencies -RUN apt-get update && apt-get install curl gnupg openssl -y && \ +# Install Openssl Suites +RUN apt-get update && apt-get install openssl -y && \ + apt-get clean && \ rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/* -RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ +# Install TDX Runtime Dependencies +RUN if [ "${ARCH}" = "x86_64" ] && ( [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "tdx-verifier" ] ); \ + then apt-get update && apt-get install curl gnupg -y && \ + curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ apt-get update && \ apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ + apt-get remove curl gnupg -y && \ + apt-get clean && \ rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi -# Copy TPM Runtime Dependencies -COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu +# Install TPM Runtime Dependencies +RUN if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "az-snp-vtpm-verifier" ] || [ "${VERIFIER}" = "az-tdx-vtpm-verifier" ]; \ + then apt-get update 
&& apt-get install libtss2-dev -y && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as diff --git a/attestation-service/docker/as-restful/Dockerfile b/attestation-service/docker/as-restful/Dockerfile index 3496211520..9bc76f99ea 100644 --- a/attestation-service/docker/as-restful/Dockerfile +++ b/attestation-service/docker/as-restful/Dockerfile @@ -4,6 +4,7 @@ FROM rust:latest AS builder ARG ARCH=x86_64 +ARG VERIFIER=all-verifier WORKDIR /usr/src/attestation-service COPY . . 
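Review bot: The rewritten TDX step still pipes a key downloaded at build time into `apt-key add -`, which trusts that key for every configured APT source, and nothing checks that the downloaded key is the expected one. `apt-key` is also deprecated. I would store the key in a dedicated keyring and scope it to the Intel repository: `curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key -o /usr/share/keyrings/intel-sgx.asc` and `deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main`, ideally after comparing the file against a fingerprint pinned in the repository. The same lines appear in the as-restful Dockerfile hunk of this commit.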
@@ -17,25 +18,34 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/ apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi # Build and Install RESTful attestation-service -RUN cargo install --path attestation-service --bin restful-as --features restful-bin --locked +RUN cargo install --path attestation-service --bin restful-as --features restful-bin,${VERIFIER} --locked FROM ubuntu:22.04 ARG ARCH=x86_64 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service" -# Install TDX Runtime Dependencies -RUN apt-get update && apt-get install curl gnupg openssl -y && \ +# Install Openssl Suites +RUN apt-get update && apt-get install openssl -y && \ + apt-get clean && \ rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/* -RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ +# Install TDX Runtime Dependencies +RUN if [ "${ARCH}" = "x86_64" ] && ( [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "tdx-verifier" ] ); \ + then apt-get update && apt-get install curl gnupg -y && \ + curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ apt-get update && \ apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ + apt-get remove curl gnupg -y && \ + apt-get clean && \ rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi -# Copy TPM Runtime Dependencies -COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu +# Install TPM Runtime Dependencies +RUN if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "az-snp-vtpm-verifier" ] || [ "${VERIFIER}" = "az-tdx-vtpm-verifier" ]; \ + then apt-get update && apt-get 
install libtss2-dev -y && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi COPY --from=builder /usr/local/cargo/bin/restful-as /usr/local/bin/restful-as diff --git a/attestation-service/docs/grpc-as.md b/attestation-service/docs/grpc-as.md index 5fb024a3e6..41f0042c92 100644 --- a/attestation-service/docs/grpc-as.md +++ b/attestation-service/docs/grpc-as.md @@ -77,7 +77,9 @@ Build and install binary git clone https://github.com/confidential-containers/trustee cd trustee/attestation-service WORKDIR=$(pwd) -make && make install +make ATTESTER=all-attester && make install + +# You can use different attester by changing the value of ATTESTER ``` - For help information, run: @@ -106,7 +108,11 @@ Build and run container image ```shell git clone https://github.com/confidential-containers/trustee cd trustee -docker build -t coco-as:grpc -f attestation-service/docker/as-grpc/Dockerfile . +docker build \ + -t coco-as:grpc \ + -f attestation-service/docker/as-grpc/Dockerfile \ + --build-arg ATTESTER=all-attester \ + . ``` ### API diff --git a/attestation-service/docs/restful-as.md b/attestation-service/docs/restful-as.md index 9af8097072..2a4c3196cb 100644 --- a/attestation-service/docs/restful-as.md +++ b/attestation-service/docs/restful-as.md @@ -67,7 +67,9 @@ Build and install binary git clone https://github.com/confidential-containers/trustee cd trustee/attestation-service WORKDIR=$(pwd) -make && make install +make ATTESTER=all-attester && make install + +# You can use different attester by changing the value of ATTESTER ``` - For help information, run: @@ -96,7 +98,11 @@ Build and run container image ```shell git clone https://github.com/confidential-containers/trustee cd trustee -docker build -t coco-as:restful -f attestation-service/docker/as-restful/Dockerfile . +docker build \ + -t coco-as:restful \ + -f attestation-service/docker/as-restful/Dockerfile \ + --build-arg ATTESTER=all-attester \ + . ``` ### HTTPS support 
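Review bot: The runtime stage installs the DCAP libraries only when `VERIFIER` is `all-verifier` or `tdx-verifier`, while the builder stage installs `libsgx-dcap-quote-verify-dev` for every x86_64 build. `sgx-verifier` is a selectable feature in attestation-service/Cargo.toml. If it links the same quote-verify library (not visible here), an image built with `--build-arg VERIFIER=sgx-verifier` would ship without it and fail when the library is first needed. Consider adding `|| [ "${VERIFIER}" = "sgx-verifier" ]` to the condition, and confirm whether `az-tdx-vtpm-verifier` needs the DCAP libraries too. The TPM step also installs `libtss2-dev` into the runtime image, where the runtime library packages alone would keep headers out of it. The as-grpc Dockerfile hunk has the same two conditions.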
diff --git a/deps/verifier/src/lib.rs b/deps/verifier/src/lib.rs index 40c09d345a..41a71b5213 100644 --- a/deps/verifier/src/lib.rs +++ b/deps/verifier/src/lib.rs @@ -181,7 +181,7 @@ pub trait Verifier { } /// Padding or truncate the given data slice to the given `len` bytes. -fn regularize_data(data: &[u8], len: usize, data_name: &str, arch: &str) -> Vec { +pub fn regularize_data(data: &[u8], len: usize, data_name: &str, arch: &str) -> Vec { let data_len = data.len(); match data_len.cmp(&len) { Ordering::Less => { diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index d7c781391f..1288c8d34f 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -39,7 +39,6 @@ actix-web-httpauth.workspace = true aes-gcm = "0.10.1" anyhow.workspace = true async-trait.workspace = true -attestation-service = { path = "../attestation-service", default-features = false, optional = true } base64.workspace = true cfg-if.workspace = true clap = { workspace = true, features = ["derive", "env"] } @@ -73,6 +72,16 @@ openssl = "0.10.55" az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true } derivative = "2.2.0" +[target.'cfg(not(target_arch = "s390x"))'.dependencies] +attestation-service = { path = "../attestation-service", default-features = false, features = [ + "all-verifier", +], optional = true } + +[target.'cfg(target_arch = "s390x")'.dependencies] +attestation-service = { path = "../attestation-service", default-features = false, features = [ + "se-verifier", +], optional = true } + [dev-dependencies] tempfile.workspace = true rstest.workspace = true From 8296e0e9f7de5641ad1e36b8bc3fb2e376f2a13e Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 15 Nov 2024 16:26:58 +0800 Subject: [PATCH 167/298] AS: fix restful-as dockerfile VERIFIER is not claimed as an ARG thus not take effection in the following building steps. Signed-off-by: Xynnn007 --- attestation-service/docker/as-restful/Dockerfile | 1 + 1 file changed, 1 insertion(+) 
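Review bot: `regularize_data` becomes part of the crate's public API here, but its doc comment still only says "Padding or truncate", and the commit description does not mention the export. A caller outside the crate cannot tell from that whether over-long input is rejected or silently cut. That matters if the data is a nonce or report-data binding, which is an assumption because the call sites are not visible. I would expand the comment to something like `/// Returns data resized to exactly len bytes: shorter input is padded, longer input is truncated without an error.`, and name the padding value used by the body, which continues past the hunk.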
diff --git a/attestation-service/docker/as-restful/Dockerfile b/attestation-service/docker/as-restful/Dockerfile index 9bc76f99ea..e0e0659b7c 100644 --- a/attestation-service/docker/as-restful/Dockerfile +++ b/attestation-service/docker/as-restful/Dockerfile @@ -22,6 +22,7 @@ RUN cargo install --path attestation-service --bin restful-as --features restful FROM ubuntu:22.04 ARG ARCH=x86_64 +ARG VERIFIER=all-verifier LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service" From 8218f502c2c9e3a35d3cce85c936535b14961b4e Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 15 Nov 2024 10:31:04 +0200 Subject: [PATCH 168/298] kbs: fix configs in kubernetes deployments some of the mandatory TOML entries were not correctly updated to the kubernetes deployments. Follow ca9bf40e3b changes to update kbs/config/kubernetes TOML files too. Signed-off-by: Mikko Ylinen --- kbs/config/kubernetes/base/kbs-config.toml | 5 +++++ kbs/config/kubernetes/ita/kbs-config.toml | 7 ++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 489cfdf971..b142f52c67 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml @@ -22,3 +22,8 @@ attestation_token_broker = "Simple" [admin] auth_public_key = "/kbs/kbs.pem" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" diff --git a/kbs/config/kubernetes/ita/kbs-config.toml b/kbs/config/kubernetes/ita/kbs-config.toml index 37eefb7271..203adef19e 100644 --- a/kbs/config/kubernetes/ita/kbs-config.toml +++ b/kbs/config/kubernetes/ita/kbs-config.toml @@ -5,7 +5,7 @@ sockets = ["0.0.0.0:8080"] insecure_http = true [attestation_token] -trusted_certs_paths = ["https://portal.trustauthority.intel.com"] +trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] [attestation_service] type = "intel_ta" 
@@ -15,3 +15,8 @@ certs_file = "https://portal.trustauthority.intel.com" [admin] auth_public_key = "/kbs/kbs.pem" + +[[plugins]] +name = "resource" +type = "LocalFs" +dir_path = "/opt/confidential-containers/kbs/repository" From 29664179e1a25c73f392e2efb6926c697d2531bd Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Fri, 15 Nov 2024 07:28:29 +0100 Subject: [PATCH 169/298] gha: Add image build check for s390x Issue #568 highlights the need for an image build check for s390x, similar to what we have for x86_64. This commit addresses the need by: - Extracting the image build steps from the push-{kbs,as}-image-to-ghcr workflow into separate workflows - Configuring these workflows to run on PR events or after merging a PR Notable change: - On merge, the workflow now pushes `ghcr.io/confidential-containers/staged-images/rhel-ubi` Signed-off-by: Hyounggyu Choi --- .github/workflows/as-docker-build.yml | 26 +----- .github/workflows/build-as-image.yml | 85 ++++++++++++++++++++ .github/workflows/build-kbs-image.yml | 66 +++++++++++++++ .github/workflows/kbs-docker-build.yml | 16 +--- .github/workflows/push-as-image-to-ghcr.yml | 81 ++----------------- .github/workflows/push-kbs-image-to-ghcr.yml | 56 ++----------- 6 files changed, 170 insertions(+), 160 deletions(-) create mode 100644 .github/workflows/build-as-image.yml create mode 100644 .github/workflows/build-kbs-image.yml diff --git a/.github/workflows/as-docker-build.yml b/.github/workflows/as-docker-build.yml index 0bd1c37209..e8d7db3c51 100644 --- a/.github/workflows/as-docker-build.yml +++ b/.github/workflows/as-docker-build.yml @@ -1,4 +1,4 @@ -name: AS & RVPS Container Image Build +name: AS/RVPS Container Image Build on: push: branches: 
@@ -15,25 +15,7 @@ on: create: jobs: - basic_ci: + check_as_image_build: if: github.event_name == 'pull_request' || github.event_name == 'push' - name: Check - runs-on: ubuntu-latest - strategy: - fail-fast: false - - steps: - - name: Code checkout - uses: actions/checkout@v4 - - - name: Build gRPC AS Container Image - run: | - DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/docker/as-grpc/Dockerfile - - - name: Build RESTful AS Container Image - run: | - DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/docker/as-restful/Dockerfile - - - name: Build RVPS Container Image - run: | - Docker_BUILDKIT=1 docker build -t rvps:latest . -f rvps/docker/Dockerfile \ No newline at end of file + uses: ./.github/workflows/build-as-image.yml + secrets: inherit diff --git a/.github/workflows/build-as-image.yml b/.github/workflows/build-as-image.yml new file mode 100644 index 0000000000..1d0ff7335f --- /dev/null +++ b/.github/workflows/build-as-image.yml 
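Review bot: `check_as_image_build` runs on `pull_request` and calls the reusable workflow with `secrets: inherit`, so every repository secret is made available to jobs that `docker build` the pull request's own Dockerfiles on `ubuntu-latest` and on the `s390x` runner (per build-as-image.yml, added in this commit). That is more than the check needs. The called workflow only reads `secrets.GITHUB_TOKEN`, which as far as I know reusable workflows receive without inheritance. I would drop `secrets: inherit` here and give the job a `permissions:` block with `contents: read`. If `s390x` is a self-hosted runner, as a later commit description on this page suggests, building unreviewed pull-request content there also deserves an approval gate. The `check_kbs_image_build` job in the kbs-docker-build.yml hunk has the same shape.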
@@ -0,0 +1,85 @@ +name: Build CoCo AS/RVPS Image + +on: + workflow_call: + inputs: + build_option: + description: 'Build option for the image' + type: string + required: false + +jobs: + build_as_image: + strategy: + fail-fast: false + matrix: + instance: + - ubuntu-latest + - s390x + tag: + - coco-as-grpc + - coco-as-restful + - rvps + verifier: + - all-verifier + - se-verifier + include: + - docker_file: attestation-service/docker/as-grpc/Dockerfile + tag: coco-as-grpc + name: gRPC CoCo-AS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: attestation-service/docker/as-grpc/Dockerfile + tag: coco-as-grpc + name: gRPC CoCo-AS (IBM SE) + verifier: se-verifier + instance: s390x + - docker_file: attestation-service/docker/as-restful/Dockerfile + tag: coco-as-restful + name: RESTful CoCo-AS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: attestation-service/docker/as-restful/Dockerfile + tag: coco-as-restful + name: RESTful CoCo-AS (IBM SE) + verifier: se-verifier + instance: s390x + - docker_file: rvps/docker/Dockerfile + tag: rvps + name: RVPS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: rvps/docker/Dockerfile + tag: rvps + name: RVPS + verifier: se-verifier + instance: s390x + exclude: + - instance: ubuntu-latest + verifier: se-verifier + - instance: s390x + verifier: all-verifier + runs-on: ${{ matrix.instance }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GHCR Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build ${{ matrix.name }} Container Image + run: | + commit_sha=${{ github.sha }} + arch=$(uname -m) + DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} --build-arg ARCH="${arch}" \ + --build-arg VERIFIER="${{ matrix.verifier }}" \ + -t 
"ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" . diff --git a/.github/workflows/build-kbs-image.yml b/.github/workflows/build-kbs-image.yml new file mode 100644 index 0000000000..5727e8262a --- /dev/null +++ b/.github/workflows/build-kbs-image.yml @@ -0,0 +1,66 @@ +name: Build KBS Image + +on: + workflow_call: + inputs: + build_option: + description: 'Build option for the image' + type: string + required: false + +jobs: + build_kbs_image: + strategy: + fail-fast: false + matrix: + instance: + - ubuntu-latest + - s390x + tag: + - kbs + - kbs-grpc-as + - kbs-ita-as + - rhel-ubi + exclude: + - instance: s390x + tag: kbs-ita-as + - instance: s390x + tag: rhel-ubi + include: + - tag: kbs + docker_file: kbs/docker/Dockerfile + name: build-in AS + - tag: kbs-grpc-as + docker_file: kbs/docker/coco-as-grpc/Dockerfile + name: gRPC AS + - tag: kbs-ita-as + docker_file: kbs/docker/intel-trust-authority/Dockerfile + name: Intel Trust Authority AS + - tag: rhel-ubi + docker_file: kbs/docker/rhel-ubi/Dockerfile + name: RHEL UBI AS + + runs-on: ${{ matrix.instance }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GHCR Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build Container Image KBS (${{ matrix.name }}) + run: | + commit_sha=${{ github.sha }} + arch=$(uname -m) + DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \ + --build-arg ARCH="${arch}" . 
diff --git a/.github/workflows/kbs-docker-build.yml b/.github/workflows/kbs-docker-build.yml index ce7e61bcf5..f979b788f2 100644 --- a/.github/workflows/kbs-docker-build.yml +++ b/.github/workflows/kbs-docker-build.yml @@ -6,16 +6,6 @@ on: branches: [ "main" ] jobs: - ci: - runs-on: ubuntu-latest - name: Check - steps: - - name: Code checkout - uses: actions/checkout@v4 - - - name: Build KBS Container Image - run: | - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as . -f kbs/docker/Dockerfile; \ - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-grpc . -f kbs/docker/coco-as-grpc/Dockerfile; \ - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-rhel-ubi . -f kbs/docker/rhel-ubi/Dockerfile; \ - DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-ita . -f kbs/docker/intel-trust-authority/Dockerfile + check_kbs_image_build: + uses: ./.github/workflows/build-kbs-image.yml + secrets: inherit diff --git a/.github/workflows/push-as-image-to-ghcr.yml b/.github/workflows/push-as-image-to-ghcr.yml index 16b00ff067..3a5f4e780b 100644 --- a/.github/workflows/push-as-image-to-ghcr.yml +++ b/.github/workflows/push-as-image-to-ghcr.yml 
@@ -6,85 +6,16 @@ on: - main jobs: - build_and_push: + build_and_push_as_image: permissions: packages: write - strategy: - fail-fast: false - matrix: - instance: - - ubuntu-latest - - s390x - tag: - - coco-as-grpc - - coco-as-restful - - rvps - verifier: - - all-verifier - - se-verifier - include: - - docker_file: attestation-service/docker/as-grpc/Dockerfile - tag: coco-as-grpc - name: gRPC CoCo-AS - verifier: all-verifier - instance: ubuntu-latest - - docker_file: attestation-service/docker/as-grpc/Dockerfile - tag: coco-as-grpc - name: gRPC CoCo-AS (IBM SE) - verifier: se-verifier - instance: s390x - - docker_file: attestation-service/docker/as-restful/Dockerfile - tag: coco-as-restful - name: RESTful CoCo-AS - verifier: all-verifier - instance: ubuntu-latest - - docker_file: attestation-service/docker/as-restful/Dockerfile - tag: coco-as-restful - name: RESTful CoCo-AS (IBM SE) - verifier: se-verifier - instance: s390x - - docker_file: rvps/docker/Dockerfile - tag: rvps - name: RVPS - verifier: all-verifier - instance: ubuntu-latest - - docker_file: rvps/docker/Dockerfile - tag: rvps - name: RVPS - verifier: se-verifier - instance: s390x - exclude: - - instance: ubuntu-latest - verifier: se-verifier - - instance: s390x - verifier: all-verifier - runs-on: ${{ matrix.instance }} - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GHCR Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build ${{ matrix.name }} Container Image - run: | - commit_sha=${{ github.sha }} - arch=$(uname -m) - DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push --build-arg ARCH="${arch}" \ - --build-arg VERIFIER="${{ matrix.verifier }}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ - -t 
"ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" . + uses: ./.github/workflows/build-as-image.yml + with: + build_option: --push + secrets: inherit publish_multi_arch_image: - needs: build_and_push + needs: build_and_push_as_image permissions: packages: write strategy: diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml index ed30c3b6b4..47bb6882b7 100644 --- a/.github/workflows/push-kbs-image-to-ghcr.yml +++ b/.github/workflows/push-kbs-image-to-ghcr.yml 
@@ -6,60 +6,16 @@ on: - main jobs: - build_and_push: + build_and_push_kbs_image: permissions: packages: write - strategy: - fail-fast: false - matrix: - instance: - - ubuntu-latest - - s390x - tag: - - kbs - - kbs-grpc-as - - kbs-ita-as - exclude: - - instance: s390x - tag: kbs-ita-as - include: - - tag: kbs - docker_file: kbs/docker/Dockerfile - name: build-in AS - - tag: kbs-grpc-as - docker_file: kbs/docker/coco-as-grpc/Dockerfile - name: gRPC AS - - tag: kbs-ita-as - docker_file: kbs/docker/intel-trust-authority/Dockerfile - name: Intel Trust Authority AS - - runs-on: ${{ matrix.instance }} - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GHCR Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build Container Image KBS (${{ matrix.name }}) - run: | - commit_sha=${{ github.sha }} - arch=$(uname -m) - DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \ - --build-arg ARCH="${arch}" . + uses: ./.github/workflows/build-kbs-image.yml + with: + build_option: --push + secrets: inherit publish_multi_arch_image: - needs: build_and_push + needs: build_and_push_kbs_image strategy: fail-fast: false matrix: From eefabb161ee411fca16d6d63c53fecb938f9ffee Mon Sep 17 00:00:00 2001 
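Review bot: `build_option: --push` is a free-form string that build-as-image.yml and build-kbs-image.yml (added in this commit) splice unquoted into their `run:` script as `${{ inputs.build_option }}`. Expression values are substituted before the shell parses the script, so any future caller that derives this input from event data would introduce shell injection into a job holding `packages: write`. The only use today is toggling a push, so a boolean is enough: `push: true` here, an input of `type: boolean` in the called workflows, and `${{ inputs.push && '--push' || '' }}` on the `docker build` line. The `build_and_push_as_image` job in the push-as-image-to-ghcr.yml hunk passes the same string.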
From: Hyounggyu Choi Date: Fri, 15 Nov 2024 14:51:34 +0100 Subject: [PATCH 170/298] gha: Skip duplicate image build on merge The following workflows are triggered twice during a merge: - build-kbs-image.yml - build-as-image.yml For self-hosted runners, which often have a limited number of available runners, this duplicate build is unnecessary and may cause CI bottlenecks. This commit ensures the workflow of interest is skipped when `github.event_name` is `push`', which occurs during a merge. Signed-off-by: Hyounggyu Choi --- .github/workflows/as-docker-build.yml | 8 -------- .github/workflows/kbs-docker-build.yml | 2 -- 2 files changed, 10 deletions(-) diff --git a/.github/workflows/as-docker-build.yml b/.github/workflows/as-docker-build.yml index e8d7db3c51..b6cc596923 100644 --- a/.github/workflows/as-docker-build.yml +++ b/.github/workflows/as-docker-build.yml @@ -1,12 +1,5 @@ name: AS/RVPS Container Image Build on: - push: - branches: - - "main" - paths: - - 'attestation-service/**' - - '.github/workflows/as-docker-build.yml' - - 'Cargo.toml' pull_request: paths: - 'attestation-service/**' @@ -16,6 +9,5 @@ on: jobs: check_as_image_build: - if: github.event_name == 'pull_request' || github.event_name == 'push' uses: ./.github/workflows/build-as-image.yml secrets: inherit diff --git a/.github/workflows/kbs-docker-build.yml b/.github/workflows/kbs-docker-build.yml index f979b788f2..f8e64aa082 100644 --- a/.github/workflows/kbs-docker-build.yml +++ b/.github/workflows/kbs-docker-build.yml @@ -1,7 +1,5 @@ name: KBS Container Image Build on: - push: - branches: [ "main" ] pull_request: branches: [ "main" ] From 3a04f529db0e2a9ca8dc6f9a4a5da858acd7066e Mon Sep 17 00:00:00 2001 
From: Magnus Kulke Date: Fri, 15 Nov 2024 12:21:01 +0100 Subject: [PATCH 171/298] CI: consolidate matrix configurations The current matrix configurations are more like an manual enumeration of build options expressed in verbose matrix/include/exclude statement. The PR changes this into a simple matrix of the build and then use include to add required auxiliary fields to each of the valid matrix combinations. Signed-off-by: Magnus Kulke --- .github/workflows/as-docker-build.yml | 1 + .github/workflows/build-as-image.yml | 65 +++++++++------------------ 2 files changed, 22 insertions(+), 44 deletions(-) diff --git a/.github/workflows/as-docker-build.yml b/.github/workflows/as-docker-build.yml index b6cc596923..94464af9bf 100644 --- a/.github/workflows/as-docker-build.yml +++ b/.github/workflows/as-docker-build.yml @@ -4,6 +4,7 @@ on: paths: - 'attestation-service/**' - '.github/workflows/as-docker-build.yml' + - '.github/workflows/build-as-image.yml' - 'Cargo.toml' create: diff --git a/.github/workflows/build-as-image.yml b/.github/workflows/build-as-image.yml index 1d0ff7335f..948527e41e 100644 --- a/.github/workflows/build-as-image.yml +++ b/.github/workflows/build-as-image.yml 
@@ -14,51 +14,28 @@ jobs: fail-fast: false matrix: instance: - - ubuntu-latest - - s390x - tag: - - coco-as-grpc - - coco-as-restful - - rvps - verifier: - - all-verifier - - se-verifier + - ubuntu-latest + - s390x + name: + - RESTful CoCo-AS + - gRPC CoCo-AS + - RVPS include: - - docker_file: attestation-service/docker/as-grpc/Dockerfile - tag: coco-as-grpc - name: gRPC CoCo-AS - verifier: all-verifier - instance: ubuntu-latest - - docker_file: attestation-service/docker/as-grpc/Dockerfile - tag: coco-as-grpc - name: gRPC CoCo-AS (IBM SE) - verifier: se-verifier - instance: s390x - - docker_file: attestation-service/docker/as-restful/Dockerfile - tag: coco-as-restful - name: RESTful CoCo-AS - verifier: all-verifier - instance: ubuntu-latest - - docker_file: attestation-service/docker/as-restful/Dockerfile - tag: coco-as-restful - name: RESTful CoCo-AS (IBM SE) - verifier: se-verifier - instance: s390x - - docker_file: rvps/docker/Dockerfile - tag: rvps - name: RVPS - verifier: all-verifier - instance: ubuntu-latest - - docker_file: rvps/docker/Dockerfile - tag: rvps - name: RVPS - verifier: se-verifier - instance: s390x - exclude: - - instance: ubuntu-latest - verifier: se-verifier - - instance: s390x - verifier: all-verifier + # add docker_file + tag to each target + - name: gRPC CoCo-AS + docker_file: attestation-service/docker/as-grpc/Dockerfile + tag: coco-as-grpc + - name: RESTful CoCo-AS + docker_file: attestation-service/docker/as-restful/Dockerfile + tag: coco-as-restful + - name: RVPS + docker_file: rvps/docker/Dockerfile + tag: rvps + # add verifier flag to arch + - instance: ubuntu-latest + verifier: all-verifier + - instance: s390x + verifier: se-verifier runs-on: ${{ matrix.instance }} steps: From b2a60b8dd1e91ea2d260db0bfa178f9e051b2d17 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 01:26:36 +0000 Subject: [PATCH 172/298] build(deps): bump serde_json from 1.0.116 to 1.0.132 Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.116 to 1.0.132. - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](https://github.com/serde-rs/json/compare/v1.0.116...1.0.132) --- updated-dependencies: - dependency-name: serde_json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 5 +++-- Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5fd14343f9..810e18f6c5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4781,11 +4781,12 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.116" +version = "1.0.132" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3e17db7126d17feb94eb3fad46bf1a96b034e8aacbc2e775fe81505f8b0b2813" +checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" dependencies = [ "itoa", + "memchr", "ryu", "serde", ] diff --git a/Cargo.toml b/Cargo.toml index 73a7bc4df4..d935bc44ec 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -39,7 +39,7 @@ regorus = { version = "0.1.5", default-features = false, features = ["regex", "b reqwest = { version = "0.12", default-features = false, features = ["default-tls"] } rstest = "0.18.1" serde = { version = "1.0", features = ["derive"] } -serde_json = "1.0.89" +serde_json = "1.0.132" serde_with = { version = "1.11.0", features = ["base64", "hex"] } serial_test = "0.9.0" sha2 = "0.10" From 5cf2c57c8fdc260876b4811ac6f52b3dc1682930 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 15 Nov 2024 17:43:42 +0800 Subject: [PATCH 173/298] AS: Add error log print Signed-off-by: Xynnn007 --- attestation-service/src/bin/restful/mod.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/attestation-service/src/bin/restful/mod.rs b/attestation-service/src/bin/restful/mod.rs index be0ee21a41..0a50940c34 100644 --- a/attestation-service/src/bin/restful/mod.rs +++ b/attestation-service/src/bin/restful/mod.rs @@ -5,7 +5,7 @@ use anyhow::{anyhow, bail, Context}; use attestation_service::{AttestationService, HashAlgorithm}; use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; use kbs_types::Tee; -use log::{debug, info}; +use log::{debug, error, info}; use serde::{Deserialize, Serialize}; use serde_json::{json, Value}; use strum::AsRefStr; @@ -22,6 +22,7 @@ impl ResponseError for Error { fn error_response(&self) -> HttpResponse { let body = format!("{self:#?}"); + error!("{self:#?}"); let mut res = match self { Error::InternalError(_) => HttpResponse::InternalServerError(), // _ => HttpResponse::NotImplemented(), From 46dc43bc243c72530c693315e286fc616fadadf0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 01:28:28 +0000 Subject: [PATCH 174/298] build(deps): bump mobc from 0.8.4 to 0.8.5 Bumps [mobc](https://github.com/importcjj/mobc) from 0.8.4 to 0.8.5. - [Release notes](https://github.com/importcjj/mobc/releases) - [Changelog](https://github.com/importcjj/mobc/blob/main/CHANGELOG.md) - [Commits](https://github.com/importcjj/mobc/commits/0.8.5) --- updated-dependencies: - dependency-name: mobc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- kbs/Cargo.toml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 810e18f6c5..00f398f44f 100644 --- a/Cargo.lock +++ b/Cargo.lock 
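Review bot: The added `error!("{self:#?}")` formats the error a second time, right after `body` was built from the same expression; `error!("{body}")` logs the identical text with one formatting pass. The call sits before the `match`, so it fires for every variant, and any client-fault variants added to `Error` later would be logged at error level. The multi-line `{:#?}` output can also carry request-derived text into the log. `body` looks like it becomes the HTTP response, though the rest of `error_response` is outside the hunk. If so, consider keeping the detailed form for the log and returning a shorter message to the client.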
@@ -3002,9 +3002,9 @@ dependencies = [ [[package]] name = "metrics" -version = "0.22.3" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2be3cbd384d4e955b231c895ce10685e3d8260c5ccffae898c96c723b0772835" +checksum = "884adb57038347dfbaf2d5065887b6cf4312330dc8e94bc30a1a839bd79d3261" dependencies = [ "ahash 0.8.11", "portable-atomic", @@ -3066,9 +3066,9 @@ dependencies = [ [[package]] name = "mobc" -version = "0.8.4" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8d3681f0b299413df040f53c6950de82e48a8e1a9f79d442ed1ad3694d660b9" +checksum = "316a7d198b51958a0ab57248bf5f42d8409551203cb3c821d5925819a8d5415f" dependencies = [ "async-trait", "futures-channel", diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 1288c8d34f..b58e08b15a 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -51,7 +51,7 @@ kbs-types.workspace = true kms = { workspace = true, default-features = false } lazy_static = "1.4.0" log.workspace = true -mobc = { version = "0.8.3", optional = true } +mobc = { version = "0.8.5", optional = true } prost = { workspace = true, optional = true } rand = "0.8.5" regex = "1.11.1" From 38e28ae0f18dce0ce2afd40219f8d56aa698f351 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 02:03:38 +0000 Subject: [PATCH 175/298] build(deps): bump intel-tee-quote-verification-rs Bumps [intel-tee-quote-verification-rs](https://github.com/intel/SGXDataCenterAttestationPrimitives) from DCAP_1.21 to DCAP_1.22. - [Release notes](https://github.com/intel/SGXDataCenterAttestationPrimitives/releases) - [Commits](https://github.com/intel/SGXDataCenterAttestationPrimitives/compare/e945c58bff60bb96e4daca57b73c93f96b14418a...2562057f6a3149c03f5985826ffaba978ece58c2) --- updated-dependencies: - dependency-name: intel-tee-quote-verification-rs dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- deps/verifier/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 00f398f44f..e826be1ff6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2506,7 +2506,7 @@ dependencies = [ [[package]] name = "intel-tee-quote-verification-rs" version = "0.3.0" -source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.21#e945c58bff60bb96e4daca57b73c93f96b14418a" +source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.22#2562057f6a3149c03f5985826ffaba978ece58c2" dependencies = [ "intel-tee-quote-verification-sys", ] @@ -2893,7 +2893,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.52.6", + "windows-targets 0.48.5", ] [[package]] diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index e1b3ff6cd9..62a498999b 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml @@ -44,7 +44,7 @@ serde_with = { workspace = true, optional = true } sev = { version = "4.0.0", features = ["openssl", "snp"], optional = true } sha2.workspace = true tokio = { workspace = true, optional = true } -intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } +intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.22", optional = true } strum.workspace = true veraison-apiclient = { git = "https://github.com/chendave/rust-apiclient", branch = "token", optional = true } ear = { git = "https://github.com/veraison/rust-ear", rev = "43f7f480d09ea2ebc03137af8fbcd70fe3df3468", optional = true } From 1a74e6e7348119766bee09e0ab92082abc48306c Mon Sep 17 00:00:00 2001 
From: Adithya Krishnan Kannan Date: Mon, 4 Nov 2024 09:56:59 -0600 Subject: [PATCH 176/298] verifier: Fetch VCEK cert from KDS instead of bailing Fetch the VCEK cert from the KDS if it is absent in the cert chain instead of just printing a bail statement stating that the VCEK is not found. Signed-off-by: Adithya Krishnan Kannan --- Cargo.lock | 14 +++++++----- Cargo.toml | 2 +- deps/verifier/Cargo.toml | 1 + deps/verifier/src/snp/mod.rs | 43 ++++++++++++++++++++++++++++++++++-- 4 files changed, 51 insertions(+), 9 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e826be1ff6..69824ac905 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2736,7 +2736,7 @@ dependencies = [ "rand", "regex", "regorus", - "reqwest 0.12.8", + "reqwest 0.12.9", "rsa 0.9.6", "rstest", "scc", @@ -2764,7 +2764,7 @@ dependencies = [ "jwt-simple 0.11.9", "kbs_protocol", "log", - "reqwest 0.12.8", + "reqwest 0.12.9", "serde", "serde_json", "tokio", @@ -2793,7 +2793,7 @@ dependencies = [ "jwt-simple 0.12.9", "kbs-types", "log", - "reqwest 0.12.8", + "reqwest 0.12.9", "resource_uri", "serde", "serde_json", @@ -2821,7 +2821,7 @@ dependencies = [ "p12", "prost 0.11.9", "rand", - "reqwest 0.12.8", + "reqwest 0.12.9", "resource_uri", "ring", "serde", @@ -4241,14 +4241,15 @@ dependencies = [ [[package]] name = "reqwest" -version = "0.12.8" +version = "0.12.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f713147fbe92361e52392c73b8c9e48c04c6625bce969ef54dc901e58e042a7b" +checksum = "a77c62af46e79de0a562e1a9849205ffcb7fc1238876e9bd743357570e04046f" dependencies = [ "base64 0.22.1", "bytes", "cookie 0.18.1", "cookie_store", + "futures-channel", "futures-core", "futures-util", "http 1.1.0", @@ -5958,6 +5959,7 @@ dependencies = [ "kbs-types", "log", "openssl", + "reqwest 0.12.9", "rstest", "s390_pv", "scroll 0.11.0", diff --git a/Cargo.toml b/Cargo.toml index d935bc44ec..70751e0684 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -36,7 +36,7 @@ jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" regorus = { version = "0.1.5", default-features = false, features = ["regex", "base64", "time"] } -reqwest = { version = "0.12", default-features = false, features = ["default-tls"] } +reqwest = { version = "0.12", default-features = false, features = ["default-tls", "blocking"] } rstest = "0.18.1" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0.132" diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index 62a498999b..8d7c37fc4a 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml @@ -49,6 +49,7 @@ strum.workspace = true veraison-apiclient = { git = "https://github.com/chendave/rust-apiclient", branch = "token", optional = true } ear = { git = "https://github.com/veraison/rust-ear", rev = "43f7f480d09ea2ebc03137af8fbcd70fe3df3468", optional = true } x509-parser = { version = "0.14.0", optional = true } +reqwest.workspace = true [build-dependencies] shadow-rs.workspace = true diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs index 9c31123241..7be5a1af8d 100644 --- a/deps/verifier/src/snp/mod.rs +++ b/deps/verifier/src/snp/mod.rs @@ -14,6 +14,10 @@ use openssl::{ sha::sha384, x509::{self, X509}, }; +use reqwest::{ + blocking::{get, Response as ReqwestResponse}, + StatusCode, +}; use serde_json::json; use sev::firmware::guest::AttestationReport; use sev::firmware::host::{CertTableEntry, CertType}; @@ -32,6 +36,10 @@ const SNP_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .3); const TEE_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .2); const LOADER_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .1); +// KDS URL parameters +const KDS_CERT_SITE: &str = "https://kdsintf.amd.com"; +const KDS_VCEK: &str = "/vcek/v1"; + /// Attestation report versions supported const REPORT_VERSION_MIN: u32 = 2; const REPORT_VERSION_MAX: u32 = 3; 
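Review bot: `reqwest.workspace = true` in deps/verifier/Cargo.toml is added as an unconditional dependency, while the entries around it (`veraison-apiclient`, `ear`, `x509-parser`) are all `optional = true`. In this commit only src/snp/mod.rs uses it, so every build of the verifier crate, including builds without SNP support, now pulls in an HTTP client and its TLS stack. Consider `reqwest = { workspace = true, optional = true }` and enabling it from the SNP feature; the `[features]` table is not part of this hunk, so the exact feature entry needs to be checked there.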
@@ -88,8 +96,9 @@ impl Verifier for Snp { cert_chain, } = serde_json::from_slice(evidence).context("Deserialize Quote failed.")?; - let Some(cert_chain) = cert_chain else { - bail!("Cert chain is unset"); + let cert_chain = match cert_chain { + Some(chain) if !chain.is_empty() => chain, + _ => fetch_vcek_from_kds(report)?, }; verify_report_signature(&report, &cert_chain, &self.vendor_certs)?; @@ -312,6 +321,36 @@ fn get_common_name(cert: &x509::X509) -> Result { Ok(e.data().as_utf8()?.to_string()) } +// Function to request vcek from KDS. Return vcek in der format. +fn fetch_vcek_from_kds(att_report: AttestationReport) -> Result> { + // Use attestation report to get data for URL + let hw_id: String = hex::encode(att_report.chip_id); + + let vcek_url: String = format!( + "{KDS_CERT_SITE}{KDS_VCEK}/Milan/\ + {hw_id}?blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}", + att_report.reported_tcb.bootloader, + att_report.reported_tcb.tee, + att_report.reported_tcb.snp, + att_report.reported_tcb.microcode + ); + // VCEK in DER format + let vcek_rsp: ReqwestResponse = get(vcek_url).context("Unable to send request for VCEK")?; + + match vcek_rsp.status() { + StatusCode::OK => { + let vcek_rsp_bytes: Vec = + vcek_rsp.bytes().context("Unable to parse VCEK")?.to_vec(); + let key = CertTableEntry { + cert_type: CertType::VCEK, + data: vcek_rsp_bytes, + }; + Ok(vec![key]) + } + status => Err(anyhow!("Unable to fetch VCEK from URL: {status:?}")), + } +} + #[cfg(test)] mod tests { use super::*; From 59aea7edc9c2f3da0757b1bb4c3aaf2c421029e4 Mon Sep 17 00:00:00 2001 From: Adithya Krishnan Kannan Date: Mon, 18 Nov 2024 16:51:33 -0600 Subject: [PATCH 177/298] Changing fn fetch_vcek_from_kds() to async Per Ding's feedback, I'm testing the use of reqwest asynchronously with get instead of the earlier used blocking version. 
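Review bot: The fallback arm `_ => fetch_vcek_from_kds(report)?` only runs when `cert_chain` is `None` or empty, so evidence that carries a chain without a VCEK entry still goes straight to `verify_report_signature`; if the intent is "VCEK absent from the chain", as the commit message says, the check belongs where the VCEK entry is looked up. The fetch is keyed on `chip_id` and `reported_tcb` from a report whose signature has not been checked yet, and it is issued on every evaluation, so any client that omits the chain makes the verifier contact KDS. A small cache keyed on `(chip_id, reported_tcb)` would bound that traffic. A comment such as `// report is unverified here; the fetched VCEK is trusted only after verify_report_signature succeeds` would make the trust order explicit. `evaluate` starts and ends outside this hunk.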
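Review bot: `fetch_vcek_from_kds` hard-codes the product segment `/Milan/` in the request URL, so a report from another processor generation would not resolve to its certificate. The vendor chain loaded in this file is also Milan-only, so this may be intended, but a named constant next to `KDS_VCEK` with a comment would keep the two in step. The body is read with `vcek_rsp.bytes()` without a size limit and wrapped as `CertType::VCEK` without being parsed, so the context string "Unable to parse VCEK" actually reports a read failure; `.context("Unable to read VCEK response body")` would be more accurate. Checking `vcek_rsp.content_length()` against a small upper bound before calling `bytes()` would keep an oversized response from being buffered.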
Signed-off-by: Adithya Krishnan Kannan --- Cargo.lock | 43 ++++++++++++++++++------------------ Cargo.toml | 2 +- deps/verifier/src/snp/mod.rs | 22 +++++++++--------- 3 files changed, 35 insertions(+), 32 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 69824ac905..6e446dbb45 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -605,9 +605,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.4.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "axum" @@ -1138,9 +1138,9 @@ checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" [[package]] name = "colorchoice" -version = "1.0.3" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" +checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" [[package]] name = "config" @@ -2932,9 +2932,9 @@ checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" [[package]] name = "linux-raw-sys" -version = "0.4.14" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" +checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" [[package]] name = "local-channel" @@ -3140,9 +3140,9 @@ dependencies = [ [[package]] name = "num" -version = "0.4.3" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23" +checksum = "3135b08af27d103b0a51f2ae0f8632117b7b185ccf931445affa8df530576a41" dependencies = [ "num-bigint", "num-complex", 
@@ -3154,10 +3154,11 @@ dependencies = [ [[package]] name = "num-bigint" -version = "0.4.6" +version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" +checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" dependencies = [ + "autocfg", "num-integer", "num-traits", ] @@ -3181,9 +3182,9 @@ dependencies = [ [[package]] name = "num-complex" -version = "0.4.6" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495" +checksum = "23c6602fda94a57c990fe0df199a035d83576b496aa29f4e634a8ac6004e68a6" dependencies = [ "num-traits", ] @@ -3216,9 +3217,9 @@ dependencies = [ [[package]] name = "num-iter" -version = "0.1.45" +version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" +checksum = "d869c01cc0c455284163fd0092f1f93835385ccab5a98a0dcc497b2f8bf055a9" dependencies = [ "autocfg", "num-integer", @@ -3227,10 +3228,11 @@ dependencies = [ [[package]] name = "num-rational" -version = "0.4.2" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824" +checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" dependencies = [ + "autocfg", "num-bigint", "num-integer", "num-traits", @@ -3238,9 +3240,9 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.19" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" +checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a" dependencies = [ "autocfg", "libm", 
@@ -3347,9 +3349,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.104" +version = "0.9.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" +checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" dependencies = [ "cc", "libc", @@ -4249,7 +4251,6 @@ dependencies = [ "bytes", "cookie 0.18.1", "cookie_store", - "futures-channel", "futures-core", "futures-util", "http 1.1.0", diff --git a/Cargo.toml b/Cargo.toml index 70751e0684..d935bc44ec 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -36,7 +36,7 @@ jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" regorus = { version = "0.1.5", default-features = false, features = ["regex", "base64", "time"] } -reqwest = { version = "0.12", default-features = false, features = ["default-tls", "blocking"] } +reqwest = { version = "0.12", default-features = false, features = ["default-tls"] } rstest = "0.18.1" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0.132" diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs index 7be5a1af8d..93e57eadef 100644 --- a/deps/verifier/src/snp/mod.rs +++ b/deps/verifier/src/snp/mod.rs @@ -14,10 +14,7 @@ use openssl::{ sha::sha384, x509::{self, X509}, }; -use reqwest::{ - blocking::{get, Response as ReqwestResponse}, - StatusCode, -}; +use reqwest::{get, Response as ReqwestResponse, StatusCode}; use serde_json::json; use sev::firmware::guest::AttestationReport; use sev::firmware::host::{CertTableEntry, CertType}; @@ -98,7 +95,7 @@ impl Verifier for Snp { let cert_chain = match cert_chain { Some(chain) if !chain.is_empty() => chain, - _ => fetch_vcek_from_kds(report)?, + _ => fetch_vcek_from_kds(report).await?, }; verify_report_signature(&report, &cert_chain, &self.vendor_certs)?; 
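Review bot: Switching the import to the async `reqwest::{get, Response as ReqwestResponse, StatusCode}` drops the request timeout: reqwest's blocking client applies a default timeout, while the async client has none unless one is configured, and the free function `get` builds a new client on every call. A stalled KDS connection would then keep `evaluate` pending at the `fetch_vcek_from_kds(report).await?` call changed in the next hunk of this file. Holding one client in a `OnceLock` (already used in this file for the Milan chain), built with `reqwest::Client::builder().timeout(Duration::from_secs(KDS_TIMEOUT_SECS)).build()` and used as `client.get(vcek_url).send().await`, restores a bound and reuses connections. `KDS_TIMEOUT_SECS` is a placeholder name, not something defined in the file.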
@@ -321,8 +318,8 @@ fn get_common_name(cert: &x509::X509) -> Result { Ok(e.data().as_utf8()?.to_string()) } -// Function to request vcek from KDS. Return vcek in der format. -fn fetch_vcek_from_kds(att_report: AttestationReport) -> Result> { +/// Function to request vcek from KDS asynchronously. Return vcek in der format. +async fn fetch_vcek_from_kds(att_report: AttestationReport) -> Result> { // Use attestation report to get data for URL let hw_id: String = hex::encode(att_report.chip_id); @@ -335,12 +332,17 @@ fn fetch_vcek_from_kds(att_report: AttestationReport) -> Result { - let vcek_rsp_bytes: Vec = - vcek_rsp.bytes().context("Unable to parse VCEK")?.to_vec(); + let vcek_rsp_bytes: Vec = vcek_rsp + .bytes() + .await + .context("Unable to parse VCEK")? + .to_vec(); let key = CertTableEntry { cert_type: CertType::VCEK, data: vcek_rsp_bytes, From b6289dbb4e8edfc83928a8e7db3862695d3c2b62 Mon Sep 17 00:00:00 2001 From: Adithya Krishnan Kannan Date: Tue, 19 Nov 2024 10:04:20 -0600 Subject: [PATCH 178/298] Add documentation describing each function Per Ding's suggestion, I've added a description of each function as part of documenting the code. Signed-off-by: Adithya Krishnan Kannan --- deps/verifier/src/snp/mod.rs | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs index 93e57eadef..3012d19bf8 100644 --- a/deps/verifier/src/snp/mod.rs +++ b/deps/verifier/src/snp/mod.rs @@ -46,6 +46,9 @@ pub struct Snp { vendor_certs: VendorCertificates, } +/// Loads the Milan certificate chain and returns a static reference to it. +/// The chain is loaded lazily using `OnceLock` to ensure it's only initialized once. +/// Certificates are loaded from a PEM file and must contain exactly three certificates (ASK, ARK, ASVK). pub(crate) fn load_milan_cert_chain() -> &'static Result { static MILAN_CERT_CHAIN: OnceLock> = OnceLock::new(); MILAN_CERT_CHAIN.get_or_init(|| { 
@@ -64,6 +67,8 @@ pub(crate) fn load_milan_cert_chain() -> &'static Result { } impl Snp { + /// Creates a new `Snp` instance by loading the Milan certificate chain. + /// Returns an error if the certificate chain can not be loaded. pub fn new() -> Result { let Result::Ok(vendor_certs) = load_milan_cert_chain() else { bail!("Failed to load Milan cert chain"); @@ -82,6 +87,9 @@ pub(crate) struct VendorCertificates { #[async_trait] impl Verifier for Snp { + /// Evaluates the provided evidence against the expected report data and initialize data hash. + /// Validates the report signature, version, VMPL, and other fields. + /// Returns parsed claims if the verification is successful. async fn evaluate( &self, evidence: &[u8], @@ -139,6 +147,8 @@ impl Verifier for Snp { } } +/// Retrieves the octet string value for a given OID from a certificate's extensions. +/// Supports both raw and DER-encoded formats. fn get_oid_octets( vcek: &x509_parser::certificate::TbsCertificate, oid: Oid, @@ -163,6 +173,7 @@ fn get_oid_octets( .context("Unexpected data size") } +/// Retrieves an integer value for a given OID from a certificate's extensions. fn get_oid_int(cert: &x509_parser::certificate::TbsCertificate, oid: Oid) -> Result { let val = cert .get_extension_unique(&oid)? @@ -173,6 +184,7 @@ fn get_oid_int(cert: &x509_parser::certificate::TbsCertificate, oid: Oid) -> Res val_int.as_u8().context("Unexpected data size") } +/// Verifies the signature of the attestation report using the provided certificate chain and vendor certificates. pub(crate) fn verify_report_signature( report: &AttestationReport, cert_chain: &[CertTableEntry], 
@@ -234,12 +246,15 @@ pub(crate) fn verify_report_signature( Ok(()) } +/// Verifies the signature of a certificate against its issuer's public key. fn verify_signature(cert: &X509, issuer: &X509, name: &str) -> Result<()> { cert.verify(&(issuer.public_key()? as PKey))? .then_some(()) .ok_or_else(|| anyhow!("Invalid {name} signature")) } +/// Verifies the certificate chain based on the provided VCEK or VLEK. +/// Ensures the chain is valid by verifying signatures and relationships between certificates. fn verify_cert_chain( cert_chain: &[CertTableEntry], ask: &X509, @@ -278,6 +293,8 @@ fn verify_cert_chain( Ok(decoded_key) } +/// Parses the attestation report and extracts the TEE evidence claims. +/// Returns a JSON-formatted map of parsed claims. pub(crate) fn parse_tee_evidence(report: &AttestationReport) -> TeeEvidenceParsedClaim { let claims_map = json!({ // policy fields @@ -305,6 +322,7 @@ pub(crate) fn parse_tee_evidence(report: &AttestationReport) -> TeeEvidenceParse claims_map as TeeEvidenceParsedClaim } +/// Extracts the common name (CN) from the subject name of a certificate. fn get_common_name(cert: &x509::X509) -> Result { let mut entries = cert.subject_name().entries_by_nid(Nid::COMMONNAME); let Some(e) = entries.next() else { @@ -318,7 +336,8 @@ fn get_common_name(cert: &x509::X509) -> Result { Ok(e.data().as_utf8()?.to_string()) } -/// Function to request vcek from KDS asynchronously. Return vcek in der format. +/// Asynchronously fetches the VCEK from the Key Distribution Service (KDS) using the provided attestation report. +/// Returns the VCEK in DER format as part of a certificate table entry. async fn fetch_vcek_from_kds(att_report: AttestationReport) -> Result> { // Use attestation report to get data for URL let hw_id: String = hex::encode(att_report.chip_id); From e4494868195d96f6173073d94a6b6536954f9731 Mon Sep 17 00:00:00 2001 
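Review bot: The new doc comment on `fetch_vcek_from_kds` describes what is returned but not how far it can be trusted. As the earlier commits on this page show the function, it does not validate the downloaded bytes, and trust is only established afterwards when the caller passes the entry to `verify_report_signature`. I would add a line such as `/// The returned certificate is NOT verified here; callers must validate it against the vendor chain before relying on it.` so that a future caller does not treat the KDS response as authenticated. The function body continues outside this hunk.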
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 01:07:10 +0000 Subject: [PATCH 179/298] build(deps): bump tinyvec from 1.6.0 to 1.8.0 Bumps [tinyvec](https://github.com/Lokathor/tinyvec) from 1.6.0 to 1.8.0. - [Changelog](https://github.com/Lokathor/tinyvec/blob/main/CHANGELOG.md) - [Commits](https://github.com/Lokathor/tinyvec/compare/v1.6.0...v1.8.0) --- updated-dependencies: - dependency-name: tinyvec dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6e446dbb45..4cc2089ca5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5383,9 +5383,9 @@ dependencies = [ [[package]] name = "tinyvec" -version = "1.6.0" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +checksum = "445e881f4f6d382d5f27c034e25eb92edd7c784ceab92a0937db7f2e9471b938" dependencies = [ "tinyvec_macros", ] From bf142fbbdd90309fed3db7581ad59914253374b8 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 19 Nov 2024 14:12:21 -0600 Subject: [PATCH 180/298] cargo: bump guest-components to fix kbs-client We recently bumped the version of csv-rs in guest-components and Trustee, but we didn't bump the version of guest-components that trustee uses, which leads building the kbs-client with a version of openssl that is not compatible with the older guest-components. Update guest-components so we don't have this problem. Also need to bump tempfile in Trustee to avoid a versioning snafu. Signed-off-by: Tobin Feldman-Fitzthum --- Cargo.lock | 789 +++++++++++++++++++++++++++++++++++++---------------- Cargo.toml | 6 +- 2 files changed, 550 insertions(+), 245 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4cc2089ca5..d409083021 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -40,7 +40,7 @@ dependencies = [ "encoding_rs", "flate2", "futures-core", - "h2", + "h2 0.3.26", "http 0.2.12", "httparse", "httpdate", @@ -66,7 +66,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -199,7 +199,7 @@ dependencies = [ "actix-router", "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -424,7 +424,7 @@ dependencies = [ "nom", "num-traits", "rusticata-macros", - "thiserror", + "thiserror 1.0.65", "time", ] @@ -437,7 +437,7 @@ dependencies = [ "proc-macro2", "quote", "syn 1.0.109", - "synstructure", + "synstructure 0.12.6", ] [[package]] @@ -480,24 +480,30 @@ checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] name = "async-trait" -version = "0.1.82" +version = "0.1.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a27b8a3a6e1a44fa4c8baf1f653e4172e81486d4941f2237e20dc2d0cf4ddff1" +checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] +[[package]] +name = "atomic-waker" +version = "1.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" + [[package]] name = "attestation-agent" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "anyhow", "async-trait", 
@@ -513,7 +519,7 @@ dependencies = [ "sha2", "strum 0.26.3", "tempfile", - "thiserror", + "thiserror 2.0.3", "tokio", "toml 0.8.19", ] @@ -550,7 +556,7 @@ dependencies = [ "shadow-rs", "strum 0.25.0", "testing_logger", - "thiserror", + "thiserror 1.0.65", "time", "tokio", "tonic 0.11.0", @@ -562,7 +568,7 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "anyhow", "async-trait", @@ -570,13 +576,12 @@ dependencies = [ "az-tdx-vtpm", "base64 0.22.1", "codicon", - "csv-rs 0.1.0 (git+https://github.com/openanolis/csv-rs?rev=b74aa8c)", + "csv-rs", "hex", "hyper 0.14.30", "hyper-tls 0.5.0", "kbs-types", "log", - "nix", "occlum_dcap", "s390_pv", "scroll 0.12.0", @@ -588,7 +593,7 @@ dependencies = [ "strum 0.26.3", "tdx-attest-rs", "tempfile", - "thiserror", + "thiserror 2.0.3", "tokio", ] @@ -616,7 +621,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3b829e4e32b91e643de6eafe82b1d90675f5874230191a4ffbc1b336dec4d6bf" dependencies = [ "async-trait", - "axum-core", + "axum-core 0.3.4", "bitflags 1.3.2", "bytes", "futures-util", 
@@ -637,6 +642,33 @@ dependencies = [ "tower-service", ] +[[package]] +name = "axum" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a6c9af12842a67734c9a2e355436e5d03b22383ed60cf13cd0c18fbfe3dcbcf" +dependencies = [ + "async-trait", + "axum-core 0.4.5", + "bytes", + "futures-util", + "http 1.1.0", + "http-body 1.0.0", + "http-body-util", + "itoa", + "matchit", + "memchr", + "mime", + "percent-encoding", + "pin-project-lite", + "rustversion", + "serde", + "sync_wrapper 1.0.1", + "tower", + "tower-layer", + "tower-service", +] + [[package]] name = "axum-core" version = "0.3.4" @@ -654,11 +686,31 @@ dependencies = [ "tower-service", ] +[[package]] +name = "axum-core" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09f2bd6146b97ae3359fa0cc6d6b376d9539582c7b4220f041a33ec24c226199" +dependencies = [ + "async-trait", + "bytes", + "futures-util", + "http 1.1.0", + "http-body 1.0.0", + "http-body-util", + "mime", + "pin-project-lite", + "rustversion", + "sync_wrapper 1.0.1", + "tower-layer", + "tower-service", +] + [[package]] name = "az-cvm-vtpm" -version = "0.7.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f500c98db61d29b592d51d1cf56a1d996c34f9346b8b89b28008b5403e65450a" +checksum = "3f7ef43d012a8cf77739366d7ccdb895fb284e03bb1579d8d1792644ef3e6148" dependencies = [ "bincode", "jsonwebkey", @@ -669,16 +721,16 @@ dependencies = [ "serde_json", "sev 4.0.0", "sha2", - "thiserror", + "thiserror 2.0.3", "tss-esapi", "zerocopy", ] [[package]] name = "az-snp-vtpm" -version = "0.7.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49473355e76f066300f14aa56c6df23b1a037bea179dbb1b582ecefc8f6fd37c" +checksum = "7c16506502dc64f7111f7241ca400f3ee0f54e69dfd1f4be5cef29b96332f22e" dependencies = [ "az-cvm-vtpm", "bincode", 
@@ -686,7 +738,7 @@ dependencies = [ "openssl", "serde", "sev 4.0.0", - "thiserror", + "thiserror 2.0.3", "ureq", ] @@ -701,7 +753,7 @@ dependencies = [ "bincode", "serde", "serde_json", - "thiserror", + "thiserror 1.0.65", "ureq", "zerocopy", ] @@ -805,13 +857,13 @@ dependencies = [ "lazycell", "log", "peeking_take_while", - "prettyplease 0.2.20", + "prettyplease", "proc-macro2", "quote", "regex", "rustc-hash 1.1.0", "shlex", - "syn 2.0.60", + "syn 2.0.87", "which", ] @@ -915,9 +967,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" -version = "1.6.0" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "514de17de45fdb8dc022b1a7975556c53c86f9f0aa5f534b98977b171857c2c9" +checksum = "9ac0150caa2ae65ca5bd83f25c7de183dea78d4d366469f148435e2acfbad0da" [[package]] name = "bytestring" @@ -973,12 +1025,6 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -[[package]] -name = "cfg_aliases" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" - [[package]] name = "chrono" version = "0.4.38" @@ -1110,7 +1156,7 @@ dependencies = [ "heck 0.5.0", "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] 
@@ -1175,18 +1221,18 @@ checksum = "373e9fafaa20882876db20562275ff58d50e0caa2590077fe7ce7bef90211d0d" [[package]] name = "const_format" -version = "0.2.32" +version = "0.2.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3a214c7af3d04997541b18d432afaff4c455e79e2029079647e72fc2bd27673" +checksum = "50c655d81ff1114fb0dcdea9225ea9f0cc712a6f8d189378e82bdf62a473a64b" dependencies = [ "const_format_proc_macros", ] [[package]] name = "const_format_proc_macros" -version = "0.2.32" +version = "0.2.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c7f6ff08fd20f4f299298a28e2dfa8a8ba1036e6cd2460ac1de7b425d76f2500" +checksum = "eff1a44b93f47b1bac19a27932f5c591e43d1ba357ee4f61526c8a25603f0eb1" dependencies = [ "proc-macro2", "quote", @@ -1313,7 +1359,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "aes-gcm", "anyhow", @@ -1397,28 +1443,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "csv-rs" -version = "0.1.0" -source = "git+https://github.com/openanolis/csv-rs?rev=b74aa8c#b74aa8c8ada293fb7edd6db0a770789368fdef71" -dependencies = [ - "bitfield 0.13.2", - "bitflags 1.3.2", - "codicon", - "dirs", - "hyper 0.14.30", - "hyper-tls 0.5.0", - "iocuddle", - "libc", - "openssl", - "openssl-sys", - "rand", - "serde", - "serde-big-array", - "static_assertions", - "tokio", -] - [[package]] name = "ct-codecs" version = "1.1.1" @@ -1637,7 +1661,7 @@ checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] 
@@ -1660,7 +1684,7 @@ dependencies = [ "phf", "serde", "serde_json", - "thiserror", + "thiserror 1.0.65", ] [[package]] @@ -1740,7 +1764,7 @@ checksum = "de0d48a183585823424a4ce1aa132d174a6a81bd540895822eb4c8373a8e49e8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -1815,9 +1839,9 @@ dependencies = [ [[package]] name = "fastrand" -version = "2.1.0" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fc0510504f03c51ada170672ac806f1f105a88aa97a5281117e1ddc3368e51a" +checksum = "486f806e73c5707928240ddc295403b1b93c96a02038563881c4a2fd84b81ac4" [[package]] name = "ff" @@ -1941,7 +1965,7 @@ checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -2078,6 +2102,25 @@ dependencies = [ "tracing", ] +[[package]] +name = "h2" +version = "0.4.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ccae279728d634d083c00f6099cb58f01cc99c145b84b8be2f6c74618d79922e" +dependencies = [ + "atomic-waker", + "bytes", + "fnv", + "futures-core", + "futures-sink", + "http 1.1.0", + "indexmap 2.2.6", + "slab", + "tokio", + "tokio-util", + "tracing", +] + [[package]] name = "half" version = "2.4.1" @@ -2283,7 +2326,7 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", - "h2", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "httparse", @@ -2299,16 +2342,18 @@ dependencies = [ [[package]] name = "hyper" -version = "1.3.1" +version = "1.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe575dd17d0862a9a33781c8c4696a55c320909004a67a00fb286ba8b1bc496d" +checksum = "97818827ef4f364230e16705d4706e2897df2bb60617d6ca15d598025a3c481f" dependencies = [ "bytes", "futures-channel", "futures-util", + "h2 0.4.7", "http 1.1.0", "http-body 1.0.0", "httparse", + "httpdate", "itoa", "pin-project-lite", "smallvec", 
@@ -2338,7 +2383,7 @@ checksum = "5ee4be2c948921a1a5320b629c4193916ed787a7f7f293fd3f7f5a6c9de74155" dependencies = [ "futures-util", "http 1.1.0", - "hyper 1.3.1", + "hyper 1.5.1", "hyper-util", "rustls 0.23.7", "rustls-pki-types", @@ -2360,6 +2405,19 @@ dependencies = [ "tokio-io-timeout", ] +[[package]] +name = "hyper-timeout" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0" +dependencies = [ + "hyper 1.5.1", + "hyper-util", + "pin-project-lite", + "tokio", + "tower-service", +] + [[package]] name = "hyper-tls" version = "0.5.0" @@ -2381,7 +2439,7 @@ checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" dependencies = [ "bytes", "http-body-util", - "hyper 1.3.1", + "hyper 1.5.1", "hyper-util", "native-tls", "tokio", @@ -2391,20 +2449,19 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.5" +version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b875924a60b96e5d7b9ae7b066540b1dd1cbd90d1828f54c92e02a283351c56" +checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4" dependencies = [ "bytes", "futures-channel", "futures-util", "http 1.1.0", "http-body 1.0.0", - "hyper 1.3.1", + "hyper 1.5.1", "pin-project-lite", "socket2", "tokio", - "tower", "tower-service", "tracing", ] 
@@ -2432,6 +2489,124 @@ dependencies = [ "cc", ] +[[package]] +name = "icu_collections" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locid" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_locid_transform" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_locid_transform_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_locid_transform_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e" + +[[package]] +name = "icu_normalizer" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f" +dependencies = [ + "displaydoc", + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "utf16_iter", + "utf8_iter", + "write16", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516" + +[[package]] +name = "icu_properties" +version = "1.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5" +dependencies = [ + 
"displaydoc", + "icu_collections", + "icu_locid_transform", + "icu_properties_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569" + +[[package]] +name = "icu_provider" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_provider_macros", + "stable_deref_trait", + "tinystr", + "writeable", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_provider_macros" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "ident_case" version = "1.0.1" @@ -2458,6 +2633,27 @@ dependencies = [ "unicode-normalization", ] +[[package]] +name = "idna" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e" +dependencies = [ + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71" +dependencies = [ + "icu_normalizer", + "icu_properties", +] + [[package]] name = "impl-more" version = "0.1.6" 
@@ -2555,15 +2751,6 @@ version = "1.70.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800" -[[package]] -name = "itertools" -version = "0.10.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" -dependencies = [ - "either", -] - [[package]] name = "itertools" version = "0.12.1" @@ -2620,7 +2807,7 @@ dependencies = [ "num-bigint", "serde", "serde_json", - "thiserror", + "thiserror 1.0.65", "yasna 0.4.0", "zeroize", ] @@ -2662,7 +2849,7 @@ dependencies = [ "serde", "serde_json", "spki 0.6.0", - "thiserror", + "thiserror 1.0.65", "zeroize", ] @@ -2688,7 +2875,7 @@ dependencies = [ "serde", "serde_json", "superboring", - "thiserror", + "thiserror 1.0.65", "zeroize", ] @@ -2745,7 +2932,7 @@ dependencies = [ "serde_json", "strum 0.25.0", "tempfile", - "thiserror", + "thiserror 1.0.65", "time", "tokio", "tonic 0.11.0", @@ -2783,7 +2970,7 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "anyhow", "async-trait", @@ -2798,7 +2985,7 @@ dependencies = [ "serde", "serde_json", "sha2", - "thiserror", + "thiserror 2.0.3", "tokio", "url", "zeroize", 
@@ -2807,7 +2994,7 @@ dependencies = [ [[package]] name = "kms" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "anyhow", "async-trait", @@ -2819,7 +3006,7 @@ dependencies = [ "lazy_static", "log", "p12", - "prost 0.11.9", + "prost 0.13.3", "rand", "reqwest 0.12.9", "resource_uri", @@ -2828,11 +3015,11 @@ dependencies = [ "serde_json", "sha2", "strum 0.26.3", - "thiserror", + "thiserror 2.0.3", "tokio", "toml 0.8.19", - "tonic 0.9.2", - "tonic-build 0.9.2", + "tonic 0.12.3", + "tonic-build 0.12.3", "url", "yasna 0.5.2", ] @@ -2860,9 +3047,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.158" +version = "0.2.164" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "433bfe06b8c75da9b2e3fbea6e5329ff87748f0b144ef75306e674c3f6f7c13f" [[package]] name = "libgit2-sys" @@ -2932,9 +3119,15 @@ checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" [[package]] name = "linux-raw-sys" -version = "0.4.13" +version = "0.4.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" + +[[package]] +name = "litemap" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" +checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704" [[package]] name = "local-channel" 
@@ -3077,7 +3270,7 @@ dependencies = [ "futures-util", "log", "metrics", - "thiserror", + "thiserror 1.0.65", "tokio", "tracing", "tracing-subscriber", @@ -3106,18 +3299,6 @@ dependencies = [ "tempfile", ] -[[package]] -name = "nix" -version = "0.29.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "71e2746dc3a24dd78b3cfcb7be93368c6de9963d30f43a6a73998a9cf4b17b46" -dependencies = [ - "bitflags 2.5.0", - "cfg-if", - "cfg_aliases", - "libc", -] - [[package]] name = "nom" version = "7.1.3" @@ -3203,7 +3384,7 @@ checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -3329,7 +3510,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -3545,7 +3726,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "560131c633294438da9f7c4b08189194b20946c8274c6b9e38881a7874dc8ee8" dependencies = [ "memchr", - "thiserror", + "thiserror 1.0.65", "ucd-trie", ] @@ -3569,7 +3750,7 @@ dependencies = [ "pest_meta", "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -3634,7 +3815,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -3698,7 +3879,7 @@ checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] 
@@ -3792,16 +3973,6 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" -[[package]] -name = "prettyplease" -version = "0.1.25" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c8646e95016a7a6c4adea95bafa8a16baab64b583356217f2c85db4a39d9a86" -dependencies = [ - "proc-macro2", - "syn 1.0.109", -] - [[package]] name = "prettyplease" version = "0.2.20" @@ -3809,7 +3980,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5f12335488a2f3b0a83b14edad48dca9879ce89b2edd10e80237e4e852dd645e" dependencies = [ "proc-macro2", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] 
@@ -3847,118 +4018,117 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.81" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba" +checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" dependencies = [ "unicode-ident", ] [[package]] name = "prost" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b82eaa1d779e9a4bc1c3217db8ffbeabaae1dca241bf70183242128d48681cd" +checksum = "deb1435c188b76130da55f17a466d252ff7b1418b2ad3e037d127b94e3411f29" dependencies = [ "bytes", - "prost-derive 0.11.9", + "prost-derive 0.12.6", ] [[package]] name = "prost" -version = "0.12.6" +version = "0.13.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "deb1435c188b76130da55f17a466d252ff7b1418b2ad3e037d127b94e3411f29" +checksum = "7b0487d90e047de87f984913713b85c601c05609aad5b0df4b4573fbf69aa13f" dependencies = [ "bytes", - "prost-derive 0.12.6", + "prost-derive 0.13.3", ] [[package]] name = "prost-build" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "119533552c9a7ffacc21e099c24a0ac8bb19c2a2a3f363de84cd9b844feab270" +checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4" dependencies = [ "bytes", - "heck 0.4.1", - "itertools 0.10.5", - "lazy_static", + "heck 0.5.0", + "itertools", "log", "multimap", + "once_cell", "petgraph", - "prettyplease 0.1.25", - "prost 0.11.9", - "prost-types 0.11.9", + "prettyplease", + "prost 0.12.6", + "prost-types 0.12.6", "regex", - "syn 1.0.109", + "syn 2.0.87", "tempfile", - "which", ] [[package]] name = "prost-build" -version = "0.12.6" +version = "0.13.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4" +checksum = 
"0c1318b19085f08681016926435853bbf7858f9c082d0999b80550ff5d9abe15" dependencies = [ "bytes", "heck 0.5.0", - "itertools 0.12.1", + "itertools", "log", "multimap", "once_cell", "petgraph", - "prettyplease 0.2.20", - "prost 0.12.6", - "prost-types 0.12.6", + "prettyplease", + "prost 0.13.3", + "prost-types 0.13.3", "regex", - "syn 2.0.60", + "syn 2.0.87", "tempfile", ] [[package]] name = "prost-derive" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5d2d8d10f3c6ded6da8b05b5fb3b8a5082514344d56c9f871412d29b4e075b4" +checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" dependencies = [ "anyhow", - "itertools 0.10.5", + "itertools", "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.87", ] [[package]] name = "prost-derive" -version = "0.12.6" +version = "0.13.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" +checksum = "e9552f850d5f0964a4e4d0bf306459ac29323ddfbae05e35a7c0d35cb0803cc5" dependencies = [ "anyhow", - "itertools 0.12.1", + "itertools", "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] name = "prost-types" -version = "0.11.9" +version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "213622a1460818959ac1181aaeb2dc9c7f63df720db7d788b3e24eacd1983e13" +checksum = "9091c90b0a32608e984ff2fa4091273cbdd755d54935c51d520887f4a1dbd5b0" dependencies = [ - "prost 0.11.9", + "prost 0.12.6", ] [[package]] name = "prost-types" -version = "0.12.6" +version = "0.13.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9091c90b0a32608e984ff2fa4091273cbdd755d54935c51d520887f4a1dbd5b0" +checksum = "4759aa0d3a6232fb8dbdb97b61de2c20047c68aca932c7ed76da9d788508d670" dependencies = [ - "prost 0.12.6", + "prost 0.13.3", ] [[package]] 
@@ -3990,7 +4160,7 @@ dependencies = [ "rustc-hash 2.0.0", "rustls 0.23.7", "socket2", - "thiserror", + "thiserror 1.0.65", "tokio", "tracing", ] @@ -4007,7 +4177,7 @@ dependencies = [ "rustc-hash 2.0.0", "rustls 0.23.7", "slab", - "thiserror", + "thiserror 1.0.65", "tinyvec", "tracing", ] @@ -4108,7 +4278,7 @@ checksum = "bd283d9651eeda4b2a83a43c1c91b266c40fd76ecd39a50a8c630ae69dc72891" dependencies = [ "getrandom", "libredox", - "thiserror", + "thiserror 1.0.65", ] [[package]] @@ -4181,7 +4351,7 @@ dependencies = [ "chrono", "chrono-tz", "data-encoding", - "itertools 0.12.1", + "itertools", "lazy_static", "num", "rand", @@ -4208,7 +4378,7 @@ dependencies = [ "encoding_rs", "futures-core", "futures-util", - "h2", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.30", @@ -4256,7 +4426,7 @@ dependencies = [ "http 1.1.0", "http-body 1.0.0", "http-body-util", - "hyper 1.3.1", + "hyper 1.5.1", "hyper-rustls 0.27.2", "hyper-tls 0.6.0", "hyper-util", @@ -4291,7 +4461,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?tag=v0.10.0#075b9a9ee77227d9d92b6f3649ef69de5e72d204" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "anyhow", "serde", @@ -4402,7 +4572,7 @@ dependencies = [ "regex", "relative-path", "rustc_version", - "syn 2.0.60", + "syn 2.0.87", "unicode-ident", ] @@ -4454,9 +4624,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.34" +version = "0.38.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f" +checksum = "d7f649912bc1495e167a6edee79151c84b1bad49748cb4f1f1167f459f6224f6" dependencies = [ "bitflags 2.5.0", "errno", 
@@ -4564,7 +4734,7 @@ dependencies = [ "openssl-sys", "s390_pv_core", "serde", - "thiserror", + "thiserror 1.0.65", "zerocopy", ] @@ -4578,7 +4748,7 @@ dependencies = [ "libc", "log", "serde", - "thiserror", + "thiserror 1.0.65", "zerocopy", ] @@ -4626,7 +4796,7 @@ checksum = "d2ee4885492bb655bfa05d039cd9163eb8fe9f79ddebf00ca23a1637510c2fd2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -4661,7 +4831,7 @@ checksum = "1db149f81d46d2deba7cd3c50772474707729550221e69588478ebf9ada425ae" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -4672,7 +4842,7 @@ checksum = "7f81c2fde025af7e69b1d1420531c8a8811ca898919db177141a85313b1cb932" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -4778,7 +4948,7 @@ checksum = "692d6f5ac90220161d6774db30c662202721e64aed9058d2c394f451261420c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -5016,7 +5186,7 @@ checksum = "adc4e5204eb1910f40f9cfa375f6f05b68c3abac4b6fd879c8ff5e7ae8a0a085" dependencies = [ "num-bigint", "num-traits", - "thiserror", + "thiserror 1.0.65", "time", ] @@ -5151,7 +5321,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -5164,7 +5334,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -5199,9 +5369,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.60" +version = "2.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3" +checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" dependencies = [ "proc-macro2", "quote", 
@@ -5235,6 +5405,17 @@ dependencies = [ "unicode-xid", ] +[[package]] +name = "synstructure" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "system-configuration" version = "0.5.1" @@ -5265,7 +5446,7 @@ checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" [[package]] name = "tdx-attest-rs" version = "0.1.2" -source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.21#e945c58bff60bb96e4daca57b73c93f96b14418a" +source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.22#2562057f6a3149c03f5985826ffaba978ece58c2" dependencies = [ "tdx-attest-sys", ] @@ -5273,16 +5454,16 @@ dependencies = [ [[package]] name = "tdx-attest-sys" version = "0.1.0" -source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.21#e945c58bff60bb96e4daca57b73c93f96b14418a" +source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.22#2562057f6a3149c03f5985826ffaba978ece58c2" dependencies = [ "bindgen 0.59.2", ] [[package]] name = "tempfile" -version = "3.12.0" +version = "3.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04cbcdd0c794ebb0d4cf35e88edd2f7d2c4c3e9a5a6dab322839b321c6a87a64" +checksum = "28cce251fcbc87fac86a866eeb0d6c2d536fc16d06f184bb61aeae11aa4cee0c" dependencies = [ "cfg-if", "fastrand", 
@@ -5324,7 +5505,16 @@ version = "1.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5" dependencies = [ - "thiserror-impl", + "thiserror-impl 1.0.65", +] + +[[package]] +name = "thiserror" +version = "2.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c006c85c7651b3cf2ada4584faa36773bd07bac24acfb39f3c431b36d7e667aa" +dependencies = [ + "thiserror-impl 2.0.3", ] [[package]] @@ -5335,7 +5525,18 @@ checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", +] + +[[package]] +name = "thiserror-impl" +version = "2.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f077553d607adc1caf65430528a576c757a71ed73944b66ebb58ef2bbd243568" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", ] [[package]] @@ -5381,6 +5582,16 @@ dependencies = [ "time-core", ] +[[package]] +name = "tinystr" +version = "0.7.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f" +dependencies = [ + "displaydoc", + "zerovec", +] + [[package]] name = "tinyvec" version = "1.8.0" @@ -5398,9 +5609,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.39.3" +version = "1.41.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9babc99b9923bfa4804bd74722ff02c0381021eafa4db9949217e3be8e84fff5" +checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" dependencies = [ "backtrace", "bytes", @@ -5432,7 +5643,7 @@ checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] 
@@ -5480,9 +5691,9 @@ dependencies = [ [[package]] name = "tokio-stream" -version = "0.1.15" +version = "0.1.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "267ac89e0bec6e691e5813911606935d77c476ff49024f98abcea3e7b15e37af" +checksum = "4f4e6ce100d0eb49a2734f8c0812bcd324cf357d21810932c5df6b96ef2b86f1" dependencies = [ "futures-core", "pin-project-lite", @@ -5548,24 +5759,23 @@ dependencies = [ [[package]] name = "tonic" -version = "0.9.2" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" +checksum = "76c4eb7a4e9ef9d4763600161f12f5070b92a578e1b634db88a6887844c91a13" dependencies = [ + "async-stream", "async-trait", - "axum", + "axum 0.6.20", "base64 0.21.7", "bytes", - "futures-core", - "futures-util", - "h2", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.30", - "hyper-timeout", + "hyper-timeout 0.4.1", "percent-encoding", "pin-project", - "prost 0.11.9", + "prost 0.12.6", "tokio", "tokio-stream", "tower", @@ -5576,23 +5786,26 @@ dependencies = [ [[package]] name = "tonic" -version = "0.11.0" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76c4eb7a4e9ef9d4763600161f12f5070b92a578e1b634db88a6887844c91a13" +checksum = "877c5b330756d856ffcc4553ab34a5684481ade925ecc54bcd1bf02b1d0d4d52" dependencies = [ "async-stream", "async-trait", - "axum", - "base64 0.21.7", + "axum 0.7.5", + "base64 0.22.1", "bytes", - "h2", - "http 0.2.12", - "http-body 0.4.6", - "hyper 0.14.30", - "hyper-timeout", + "h2 0.4.7", + "http 1.1.0", + "http-body 1.0.0", + "http-body-util", + "hyper 1.5.1", + "hyper-timeout 0.5.2", + "hyper-util", "percent-encoding", "pin-project", - "prost 0.12.6", + "prost 0.13.3", + "socket2", "tokio", "tokio-stream", "tower", 
@@ -5603,28 +5816,29 @@ dependencies = [ [[package]] name = "tonic-build" -version = "0.9.2" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a6fdaae4c2c638bb70fe42803a26fbd6fc6ac8c72f5c59f67ecc2a2dcabf4b07" +checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" dependencies = [ - "prettyplease 0.1.25", + "prettyplease", "proc-macro2", - "prost-build 0.11.9", + "prost-build 0.12.6", "quote", - "syn 1.0.109", + "syn 2.0.87", ] [[package]] name = "tonic-build" -version = "0.11.0" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" +checksum = "9557ce109ea773b399c9b9e5dca39294110b74f1f342cb347a80d1fce8c26a11" dependencies = [ - "prettyplease 0.2.20", + "prettyplease", "proc-macro2", - "prost-build 0.12.6", + "prost-build 0.13.3", + "prost-types 0.13.3", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] @@ -5679,7 +5893,7 @@ checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", ] [[package]] 
@@ -5876,16 +6090,28 @@ dependencies = [ [[package]] name = "url" -version = "2.5.2" +version = "2.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22784dbdf76fdde8af1aeda5622b546b422b6fc585325248a2bf9f5e41e94d6c" +checksum = "8d157f1b96d14500ffdc1f10ba712e780825526c03d9a49b4d0324b0d9113ada" dependencies = [ "form_urlencoded", - "idna 0.5.0", + "idna 1.0.3", "percent-encoding", "serde", ] +[[package]] +name = "utf16_iter" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" + +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + [[package]] name = "utf8parse" version = "0.2.1" @@ -5931,7 +6157,7 @@ dependencies = [ "reqwest 0.11.27", "serde", "serde_with", - "thiserror", + "thiserror 1.0.65", "url", ] @@ -5950,7 +6176,7 @@ dependencies = [ "byteorder", "cfg-if", "codicon", - "csv-rs 0.1.0 (git+https://github.com/openanolis/csv-rs?rev=3045440)", + "csv-rs", "ear", "eventlog-rs", "hex", @@ -5972,7 +6198,7 @@ dependencies = [ "sha2", "shadow-rs", "strum 0.25.0", - "thiserror", + "thiserror 1.0.65", "tokio", "tonic-build 0.11.0", "veraison-apiclient", @@ -6041,7 +6267,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", "wasm-bindgen-shared", ] @@ -6075,7 +6301,7 @@ checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", "wasm-bindgen-backend", "wasm-bindgen-shared", ] 
@@ -6360,6 +6586,18 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "write16" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936" + +[[package]] +name = "writeable" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" + [[package]] name = "x509-parser" version = "0.14.0" @@ -6374,7 +6612,7 @@ dependencies = [ "nom", "oid-registry", "rusticata-macros", - "thiserror", + "thiserror 1.0.65", "time", ] @@ -6402,6 +6640,30 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" +[[package]] +name = "yoke" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5" +dependencies = [ + "serde", + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", + "synstructure 0.13.1", +] + [[package]] name = "zerocopy" version = "0.7.35" 
@@ -6420,7 +6682,28 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", +] + +[[package]] +name = "zerofrom" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91ec111ce797d0e0784a1116d0ddcdbea84322cd79e5d5ad173daeba4f93ab55" +dependencies = [ + "zerofrom-derive", +] + +[[package]] +name = "zerofrom-derive" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", + "synstructure 0.13.1", ] [[package]] @@ -6440,7 +6723,29 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.60", + "syn 2.0.87", +] + +[[package]] +name = "zerovec" +version = "0.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079" +dependencies = [ + "yoke", + "zerofrom", + "zerovec-derive", +] + +[[package]] +name = "zerovec-derive" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index d935bc44ec..03f76b0506 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -29,9 +29,9 @@ config = "0.13.3"
 env_logger = "0.10.0"
 hex = "0.4.3"
 jwt-simple = "0.11"
-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false }
+kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false }
 kbs-types = "0.7.0"
-kms = { git = "https://github.com/confidential-containers/guest-components.git", tag="v0.10.0", default-features = false }
+kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false }
 jsonwebtoken = { version = "9", default-features = false }
 log = "0.4.17"
 prost = "0.12"
@@ -47,6 +47,6 @@ shadow-rs = "0.19.0"
 strum = { version = "0.25", features = ["derive"] }
 thiserror = "1.0"
 tokio = { version = "1", features = ["full"], default-features = false }
-tempfile = "3.4.0"
+tempfile = "3.14.0"
 tonic = "0.11"
 tonic-build = "0.11"
From 3f8e190f2ed37ef6cc85f4dc8617137509ffe610 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 01:19:39 +0000 Subject: [PATCH 181/298] build(deps): bump actix-web-httpauth from 0.8.1 to 0.8.2 Bumps [actix-web-httpauth](https://github.com/actix/actix-extras) from 0.8.1 to 0.8.2. - [Release notes](https://github.com/actix/actix-extras/releases) - [Commits](https://github.com/actix/actix-extras/compare/redis-v0.8.1...redis-v0.8.2) --- updated-dependencies: - dependency-name: actix-web-httpauth dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- Cargo.toml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index d409083021..6a326ddb5c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
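Review bot: In the Cargo.toml hunk at `@@ -29,9 +29,9 @@`, `kbs_protocol` and `kms` switch from `tag="v0.10.0"` to a bare 40-hex `rev`, and the new lines do not say which guest-components branch or release that commit belongs to or when the pin should return to a tag. A full commit id is an immutable pin, so the change is sound for reproducibility, but a one-line comment above the two entries, for example `# guest-components pinned by commit; return to a release tag once one contains it` (if that is the reason), would let a later reviewer audit and bump it. The workspace also stays on `prost = "0.12"` here and `tonic = "0.11"` in the `@@ -47,6 +47,6 @@` hunk, while this patch's Cargo.lock hunks show `kms` resolving `prost 0.13.3`, `tonic 0.12.3` and `thiserror 2.0.3` and add `h2 0.4.7` next to `h2 0.3.26`. That leaves parallel copies of the gRPC/HTTP stack in the lockfile to follow for advisories; aligning the workspace versions in a follow-up would probably reduce the duplication.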
@@ -204,13 +204,13 @@ dependencies = [ [[package]] name = "actix-web-httpauth" -version = "0.8.1" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1d613edf08a42ccc6864c941d30fe14e1b676a77d16f1dbadc1174d065a0a775" +checksum = "456348ed9dcd72a13a1f4a660449fafdecee9ac8205552e286809eb5b0b29bd3" dependencies = [ "actix-utils", "actix-web", - "base64 0.21.7", + "base64 0.22.1", "futures-core", "futures-util", "log", @@ -3080,7 +3080,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 03f76b0506..1d69c5b0df 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,7 +17,7 @@ edition = "2021" [workspace.dependencies] actix-web = "4" -actix-web-httpauth = "0.8.0" +actix-web-httpauth = "0.8.2" anyhow = "1.0" assert-json-diff = "2.0.2" async-trait = "0.1.31" From bc67a884b845363b720ec5a3ac702ae237f83f58 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 01:38:03 +0000 Subject: [PATCH 182/298] build(deps): bump libz-sys from 1.1.16 to 1.1.20 Bumps [libz-sys](https://github.com/rust-lang/libz-sys) from 1.1.16 to 1.1.20. - [Release notes](https://github.com/rust-lang/libz-sys/releases) - [Commits](https://github.com/rust-lang/libz-sys/compare/1.1.16...1.1.20) --- updated-dependencies: - dependency-name: libz-sys dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6a326ddb5c..26de0e826b 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -3101,9 +3101,9 @@ dependencies = [ [[package]] name = "libz-sys" -version = "1.1.16" +version = "1.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e143b5e666b2695d28f6bca6497720813f699c9602dd7f5cac91008b8ada7f9" +checksum = "d2d16453e800a8cf6dd2fc3eb4bc99b786a9b90c663b8559a5b1a041bf89e472" dependencies = [ "cc", "libc", From f55b6d5afc9be0273de7e9724a8d0b51a8310f1d Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 1 Nov 2024 11:13:11 +0800 Subject: [PATCH 183/298] AS: fix build with rvps features Before this commit when we only enable `restful-bin,rvps-grpc` features, the attestation service cannot be built. This patch fixes this issue. Also, this commit deletes the `rvps-builtin` feature as the code of rvps does not bring in any new dependencies. Related configurations are updated to make it more robust, together with the documents. 
Signed-off-by: Xynnn007 --- attestation-service/Cargo.toml | 19 +-- attestation-service/Makefile | 14 +- attestation-service/config.json | 4 +- attestation-service/docs/config.md | 145 +++++++++++++++++++ attestation-service/docs/grpc-as.md | 2 + attestation-service/docs/restful-as.md | 3 + attestation-service/src/config.rs | 21 ++- attestation-service/src/lib.rs | 6 +- attestation-service/src/rvps/builtin.rs | 3 +- attestation-service/src/rvps/grpc.rs | 32 +++- attestation-service/src/rvps/mod.rs | 126 ++++++---------- attestation-service/src/token/mod.rs | 3 +- deps/verifier/src/se/README.md | 2 +- kbs/Cargo.toml | 2 +- kbs/config/as-config.json | 5 +- kbs/config/kbs-config.toml | 2 +- kbs/config/kubernetes/base/kbs-config.toml | 10 +- kbs/docs/config.md | 42 +++++- kbs/docs/self-signed-https.md | 2 +- kbs/src/config.rs | 20 +-- kbs/test/config/kbs.toml | 16 +- kbs/test_data/configs/coco-as-builtin-1.toml | 5 +- kbs/test_data/configs/coco-as-builtin-2.toml | 10 +- kbs/test_data/configs/coco-as-builtin-3.toml | 10 +- rvps/README.md | 3 +- rvps/src/config.rs | 15 +- 26 files changed, 339 insertions(+), 183 deletions(-) create mode 100644 attestation-service/docs/config.md diff --git a/attestation-service/Cargo.toml b/attestation-service/Cargo.toml index fce9a5a6cc..4e9e32bc7e 100644 --- a/attestation-service/Cargo.toml +++ b/attestation-service/Cargo.toml @@ -4,7 +4,7 @@ version = "0.1.0" edition = "2021" [features] -default = ["restful-bin", "rvps-grpc", "rvps-builtin"] +default = [ "restful-bin", "rvps-grpc" ] all-verifier = [ "verifier/all-verifier" ] tdx-verifier = [ "verifier/tdx-verifier" ] sgx-verifier = [ "verifier/sgx-verifier" ] 
@@ -15,24 +15,21 @@ csv-verifier = [ "verifier/csv-verifier" ] cca-verifier = [ "verifier/cca-verifier" ] se-verifier = [ "verifier/se-verifier" ] -# Only for testing and CI -rvps-builtin = [ "reference-value-provider-service" ] - -rvps-grpc = [ "prost", "tonic" ] +rvps-grpc = ["prost", "tonic"] # For building gRPC CoCo-AS binary -grpc-bin = [ "clap", "env_logger", "prost", "tonic" ] +grpc-bin = ["clap", "env_logger", "prost", "tonic"] # For restful CoCo-AS binary -restful-bin = [ "actix-web/openssl", "clap", "env_logger", "thiserror" ] +restful-bin = ["actix-web/openssl", "clap", "env_logger"] [[bin]] name = "grpc-as" -required-features = [ "grpc-bin" ] +required-features = ["grpc-bin"] [[bin]] name = "restful-as" -required-features = [ "restful-bin" ] +required-features = ["restful-bin"] [dependencies] actix-web = { workspace = true, optional = true } @@ -50,7 +47,7 @@ log.workspace = true openssl = "0.10.55" prost = { workspace = true, optional = true } rand = "0.8.5" -reference-value-provider-service = { path = "../rvps", optional = true } +reference-value-provider-service.path = "../rvps" regorus.workspace = true rsa = { version = "0.9.2", features = ["sha2"] } serde.workspace = true @@ -60,7 +57,7 @@ sha2.workspace = true shadow-rs.workspace = true strum.workspace = true time = { version = "0.3.23", features = ["std"] } -thiserror = { workspace = true, optional = true } +thiserror.workspace = true tokio.workspace = true tonic = { workspace = true, optional = true } uuid = { version = "1.1.2", features = ["v4"] } diff --git a/attestation-service/Makefile b/attestation-service/Makefile index c8ed190ebb..f75e1daf22 100644 --- a/attestation-service/Makefile +++ b/attestation-service/Makefile 
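Review bot: Removing the `rvps-builtin` feature also removes its `# Only for testing and CI` marker, while `reference-value-provider-service.path = "../rvps"` in the next hunk makes the built-in RVPS part of every build. rvps/README.md in this same patch still heads that mode "Native Mode (Not Recommend)", so the manifest no longer says anywhere that an in-process reference-value store is not the intended production setup. If that guidance still holds, keep it as a comment on the dependency, e.g. `# Built-in RVPS is always linked; see rvps/README.md before relying on it outside tests/CI`.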
@@ -12,20 +12,8 @@ VERIFIER ?= all-verifier RVPS_GRPC := true -# TODO: Remove `RVPS_BUILTIN` -# when https://github.com/confidential-containers/trustee/pull/553 gets merged -# Here we also declare another variable `RVPS_FEATURES1` because a blank will -# be added when doing '+=' operation in Makefile -RVPS_BUILTIN := true - ifeq ($(RVPS_GRPC), true) - RVPS_FEATURES1 := rvps-grpc -endif - -ifeq ($(RVPS_BUILTIN), true) - RVPS_FEATURES := $(RVPS_FEATURES1),rvps-builtin -else - RVPS_FEATURES := $(RVPS_FEATURES1) + RVPS_FEATURES := rvps-grpc endif ifdef DEBUG diff --git a/attestation-service/config.json b/attestation-service/config.json index 1c66a61a02..332abd6111 100644 --- a/attestation-service/config.json +++ b/attestation-service/config.json @@ -2,8 +2,8 @@ "work_dir": "/var/lib/attestation-service/", "policy_engine": "opa", "rvps_config": { - "store_type": "LocalFs", - "remote_addr": "" + "type": "BuiltIn", + "store_type": "LocalFs" }, "attestation_token_broker": "Simple", "attestation_token_config": { diff --git a/attestation-service/docs/config.md b/attestation-service/docs/config.md new file mode 100644 index 0000000000..a59807a1f0 --- /dev/null +++ b/attestation-service/docs/config.md 
@@ -0,0 +1,145 @@ +# CoCo AS Configuration File + +The Confidential Containers KBS properties can be configured through a +JSON-formatted configuration file. + +## Configurable Properties + +The following sections list the CoCo AS properties which can be set through the +configuration file. + +### Global Properties + +The following properties can be set globally, i.e. not under any configuration +section: + +| Property | Type | Description | Required | Default | +|----------------------------|-----------------------------|-----------------------------------------------------|----------|---------| +| `work_dir` | String | The location for Attestation Service to store data. | False | Firstly try to read from ENV `AS_WORK_DIR`. If not any, use `/opt/confidential-containers/attestation-service` | +| `policy_engine` | String | Policy engine type. Valid values: `opa` | False | `opa` | +| `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | False | - | +| `attestation_token_broker` | String | Type of the attestation result token broker. Valid values: `Simple` | False | `Simple` | +| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | False | - | + +[1]: #attestationtokenconfig +[2]: #rvps-configuration + +#### AttestationTokenConfig + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | +| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`| +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | + +[1]: #tokensignerconfig + +#### TokenSignerConfig + +This section is **optional**. When omitted, a new RSA key pair is generated and used. 
+ +| Property | Type | Description | Required | Default | +|----------------|---------|----------------------------------------------------------|----------|---------| +| `key_path` | String | RSA Key Pair file (PEM format) path. | Yes | - | +| `cert_url` | String | RSA Public Key certificate chain (PEM format) URL. | No | - | +| `cert_path` | String | RSA Public Key certificate chain (PEM format) file path. | No | - | + +#### RVPS Configuration + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `type` | String | It can be either `BuiltIn` (Built-In RVPS) or `GrpcRemote` (connect to a remote gRPC RVPS) | No | `BuiltIn` | + +##### BuiltIn RVPS + +If `type` is set to `BuiltIn`, the following extra properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|-----------------------------------------------------------------------|----------|----------| +| `store_type` | String | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`) | No | `LocalFs`| +| `store_config` | JSON Map | The optional configurations to the underlying storage. | No | Null | + +Different `store_type` will have different `store_config` items. 
+ +For `LocalFs`, the following properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|----------------------------------------------------------|----------|----------| +| `file_path` | String | The path to the directory storing reference values | No | `/opt/confidential-containers/attestation-service/reference_values`| + +For `LocalJson`, the following properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|----------------------------------------------------------|----------|----------| +| `file_path` | String | The path to the file that storing reference values | No | `/opt/confidential-containers/attestation-service/reference_values.json`| + +##### Remote RVPS + +If `type` is set to `GrpcRemote`, the following extra properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|-----------------------------------------|----------|------------------| +| `address` | String | Remote address of the RVPS server | No | `127.0.0.1:50003`| + + +## Configuration Examples + +Running with a built-in RVPS: + +```json +{ + "work_dir": "/var/lib/attestation-service/", + "policy_engine": "opa", + "rvps_config": { + "type": "BuiltIn", + "store_type": "LocalFs", + "store_config": { + "file_path": "/var/lib/attestation-service/reference-values" + } + }, + "attestation_token_broker": "Simple", + "attestation_token_config": { + "duration_min": 5 + } +} +``` + +Running with a remote RVPS: + +```json +{ + "work_dir": "/var/lib/attestation-service/", + "policy_engine": "opa", + "rvps_config": { + "type": "GrpcRemote", + "address": "127.0.0.1:50003" + }, + "attestation_token_broker": "Simple", + "attestation_token_config": { + "duration_min": 5 + } +} +``` + +Configurations for token signer + +```json +{ + "work_dir": "/var/lib/attestation-service/", + "policy_engine": "opa", + 
"rvps_config": { + "type": "GrpcRemote", + "address": "127.0.0.1:50003" + }, + "attestation_token_broker": "Simple", + "attestation_token_config": { + "duration_min": 5, + "issuer_name": "some-body", + "signer": { + "key_path": "/etc/coco-as/signer.key", + "cert_url": "https://example.io/coco-as-certchain", + "cert_path": "/etc/coco-as/signer.pub" + } + } +} +``` diff --git a/attestation-service/docs/grpc-as.md b/attestation-service/docs/grpc-as.md index 41f0042c92..1084d09b67 100644 --- a/attestation-service/docs/grpc-as.md +++ b/attestation-service/docs/grpc-as.md @@ -64,6 +64,8 @@ Then a response will be returned The value is a base64 encoded JWT. The body of the JWT is showed in the [example.token.json](./example.token.json). +More configuration items please refer to the [document](./config.md). + ## Advanced Topic ### Building from Source diff --git a/attestation-service/docs/restful-as.md b/attestation-service/docs/restful-as.md index 2a4c3196cb..ab5c9618da 100644 --- a/attestation-service/docs/restful-as.md +++ b/attestation-service/docs/restful-as.md @@ -54,6 +54,9 @@ eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJjdXN0b21pemVkX2NsYWltcyI6eyJ0ZXN0X2tleSI The value is a base64 encoded JWT. The body of the JWT is showed in the [example.token.json](./example.token.json). + +More configuration items please refer to the [document](./config.md). + ## Advanced Topics ### Building from Source diff --git a/attestation-service/src/config.rs b/attestation-service/src/config.rs index 232567648f..895b008577 100644 --- a/attestation-service/src/config.rs +++ b/attestation-service/src/config.rs 
@@ -13,9 +13,11 @@ const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/attestation-service #[derive(Clone, Debug, Deserialize, PartialEq)] pub struct Config { /// The location for Attestation Service to store data. + #[serde(default = "default_work_dir")] pub work_dir: PathBuf, /// Policy Engine type. + #[serde(default = "default_policy_engine")] pub policy_engine: String, /// Configurations for RVPS. @@ -26,6 +28,7 @@ pub struct Config { /// /// Possible values: /// * `Simple` + #[serde(default)] pub attestation_token_broker: AttestationTokenBrokerType, /// The Attestation Result Token Broker Config @@ -33,6 +36,14 @@ pub struct Config { pub attestation_token_config: AttestationTokenConfig, } +fn default_work_dir() -> PathBuf { + PathBuf::from(std::env::var(AS_WORK_DIR).unwrap_or_else(|_| DEFAULT_WORK_DIR.to_string())) +} + +fn default_policy_engine() -> String { + "opa".to_string() +} + #[derive(Error, Debug)] pub enum ConfigError { #[error("io error: {0}")] @@ -48,15 +59,11 @@ pub enum ConfigError { impl Default for Config { // Construct a default instance of `Config` fn default() -> Config { - let work_dir = PathBuf::from( - std::env::var(AS_WORK_DIR).unwrap_or_else(|_| DEFAULT_WORK_DIR.to_string()), - ); - Config { - work_dir, - policy_engine: "opa".to_string(), + work_dir: default_work_dir(), + policy_engine: default_policy_engine(), rvps_config: RvpsConfig::default(), - attestation_token_broker: AttestationTokenBrokerType::Simple, + attestation_token_broker: AttestationTokenBrokerType::default(), attestation_token_config: AttestationTokenConfig::default(), } } diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index 6e66c722e6..0f95bf8362 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs @@ -2,7 +2,6 @@ //! //! # Features //! - `rvps-grpc`: The AS will connect a remote RVPS. -//! - `rvps-builtin`: The AS will integrate RVPS functionalities itself. pub mod config; pub mod policy_engine; 
@@ -273,7 +272,10 @@ impl AttestationService { /// Registry a new reference value pub async fn register_reference_value(&mut self, message: &str) -> Result<()> { - self.rvps.verify_and_extract(message).await + self.rvps + .verify_and_extract(message) + .await + .context("register reference value") } pub async fn generate_supplemental_challenge( diff --git a/attestation-service/src/rvps/builtin.rs b/attestation-service/src/rvps/builtin.rs index 055dd51307..084281516c 100644 --- a/attestation-service/src/rvps/builtin.rs +++ b/attestation-service/src/rvps/builtin.rs @@ -1,5 +1,4 @@ -use super::RvpsApi; -use anyhow::*; +use super::{Result, RvpsApi}; use async_trait::async_trait; use core::result::Result::Ok; use reference_value_provider_service::{Config, Core}; diff --git a/attestation-service/src/rvps/grpc.rs b/attestation-service/src/rvps/grpc.rs index 5ddc232b5d..6538e8ae2d 100644 --- a/attestation-service/src/rvps/grpc.rs +++ b/attestation-service/src/rvps/grpc.rs @@ -1,5 +1,5 @@ -use crate::rvps::RvpsError; -use anyhow::{Context, Result}; +use serde::Deserialize; +use thiserror::Error; use tokio::sync::Mutex; use self::rvps_api::{ 
@@ -7,18 +7,39 @@ use self::rvps_api::{ ReferenceValueQueryRequest, ReferenceValueRegisterRequest, }; -use super::RvpsApi; +use super::{Result, RvpsApi}; pub mod rvps_api { tonic::include_proto!("reference"); } +#[derive(Deserialize, Clone, Debug, PartialEq)] +pub struct RvpsRemoteConfig { + /// Address of remote RVPS. If this field is given, a remote RVPS will be connected to. + /// If this field is not given, a built-in RVPS will be used. + #[serde(default = "default_address")] + pub address: String, +} + +fn default_address() -> String { + "127.0.0.1:50003".into() +} + +#[derive(Error, Debug)] +pub enum GrpcRvpsError { + #[error("Returned status: {0}")] + Status(#[from] tonic::Status), + + #[error("tonic transport error: {0}")] + TonicTransport(#[from] tonic::transport::Error), +} + pub struct Agent { client: Mutex>, } impl Agent { - pub async fn new(addr: &str) -> Result { + pub async fn new(addr: &str) -> Result { Ok(Self { client: Mutex::new( ReferenceValueProviderServiceClient::connect(addr.to_string()).await?, @@ -37,8 +58,7 @@ impl RvpsApi for Agent { .lock() .await .register_reference_value(req) - .await - .context("register failed")?; + .await?; Ok(()) } diff --git a/attestation-service/src/rvps/mod.rs b/attestation-service/src/rvps/mod.rs index 4e34ce847e..b95b0a6b30 100644 --- a/attestation-service/src/rvps/mod.rs +++ b/attestation-service/src/rvps/mod.rs 
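Review bot: The doc comment added on `RvpsRemoteConfig::address` still describes the removed `remote_addr` behaviour: with `#[serde(default = "default_address")]` an omitted address becomes `127.0.0.1:50003`, it never falls back to a built-in RVPS. Something like `/// Address of the remote gRPC RVPS; defaults to 127.0.0.1:50003 when omitted.` matches the code. That default has no URI scheme while every config touched by this patch writes `http://…`, so it is worth confirming that `ReferenceValueProviderServiceClient::connect` accepts it, or defaulting to `"http://127.0.0.1:50003"`. `GrpcRvpsError` repeats the `Status` and `TonicTransport` variants that `RvpsError` keeps and does not appear to be used in the visible hunks. Because reference values decide attestation results, the comment should also say what transport protection is expected for a non-loopback address; the examples in this patch use plain `http://`.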
@@ -3,15 +3,35 @@ // SPDX-License-Identifier: Apache-2.0 // -use anyhow::Result; -use log::{info, warn}; -pub use reference_value_provider_service::config::{ - Config as RvpsCrateConfig, DEFAULT_STORAGE_TYPE, -}; +use log::info; +pub use reference_value_provider_service::config::Config as RvpsCrateConfig; use serde::Deserialize; -use serde_json::{json, Value}; use thiserror::Error; +#[cfg(feature = "rvps-grpc")] +pub mod grpc; + +pub mod builtin; + +#[derive(Error, Debug)] +pub enum RvpsError { + #[error("Serde Json Error: {0}")] + SerdeJson(#[from] serde_json::Error), + + #[cfg(feature = "rvps-grpc")] + #[error("Returned status: {0}")] + Status(#[from] tonic::Status), + + #[cfg(feature = "rvps-grpc")] + #[error("tonic transport error: {0}")] + TonicTransport(#[from] tonic::transport::Error), + + #[error(transparent)] + Anyhow(#[from] anyhow::Error), +} + +type Result = std::result::Result; + /// The interfaces of Reference Value Provider Service /// * `verify_and_extract` is responsible for verify a message and /// store reference values from it. 
@@ -26,93 +46,31 @@ pub trait RvpsApi { async fn get_digests(&self, name: &str) -> Result>; } -#[cfg(feature = "rvps-grpc")] -pub mod grpc; - -#[cfg(feature = "rvps-builtin")] -pub mod builtin; - -fn default_store_type() -> String { - DEFAULT_STORAGE_TYPE.into() -} - -fn default_store_config() -> Value { - json!({}) -} - #[derive(Deserialize, Clone, Debug, PartialEq)] -pub struct RvpsConfig { - /// Address of remote RVPS. If this field is given, a remote RVPS will be connected to. - /// If this field is not given, a built-in RVPS will be used. - #[serde(default = "String::default")] - pub remote_addr: String, - - /// This field will be used only if `remote_addr` is not given. - #[serde(default = "default_store_type")] - pub store_type: String, - - /// This field will be used only if `remote_addr` is not given. - #[serde(default = "default_store_config")] - pub store_config: Value, -} - -impl From for RvpsCrateConfig { - fn from(val: RvpsConfig) -> RvpsCrateConfig { - RvpsCrateConfig { - store_type: val.store_type, - store_config: val.store_config, - } - } +#[serde(tag = "type")] +pub enum RvpsConfig { + BuiltIn(RvpsCrateConfig), + #[cfg(feature = "rvps-grpc")] + GrpcRemote(grpc::RvpsRemoteConfig), } impl Default for RvpsConfig { fn default() -> Self { - Self { - remote_addr: String::new(), - store_type: default_store_type(), - store_config: default_store_config(), - } + Self::BuiltIn(RvpsCrateConfig::default()) } } -#[derive(Error, Debug)] -pub enum RvpsError { - #[error("feature `rvps-grpc` or `rvps-builtin` should be enabled")] - FeatureNotEnabled, - #[error("Serde Json Error: {0}")] - SerdeJson(#[from] serde_json::Error), - #[error("Returned status: {0}")] - Status(#[from] tonic::Status), - #[error("tonic transport error: {0}")] - TonicTransport(#[from] tonic::transport::Error), - #[error(transparent)] - Anyhow(#[from] anyhow::Error), -} - -pub async fn initialize_rvps_client( - config: &RvpsConfig, -) -> Result, RvpsError> { - cfg_if::cfg_if! 
{ - if #[cfg(feature = "rvps-grpc")] { - if !config.remote_addr.is_empty() { - let remote_addr = &config.remote_addr; - info!("connect to remote RVPS: {remote_addr}"); - Ok(Box::new(grpc::Agent::new(remote_addr).await?) as Box) - } else { - cfg_if::cfg_if! { - if #[cfg(feature = "rvps-builtin")] { - warn!("No RVPS address provided and will launch a built-in rvps"); - Ok(Box::new(builtin::Rvps::new(config.clone().into())?) as Box) - } else { - return RvpsError::FeatureNotEnabled; - } - } - } - } else if #[cfg(feature = "rvps-builtin")] { +pub async fn initialize_rvps_client(config: &RvpsConfig) -> Result> { + match config { + RvpsConfig::BuiltIn(config) => { info!("launch a built-in RVPS."); - Ok(Box::new(builtin::Rvps::new(config.clone().into())) as Box) - } else { - return RvpsError::FeatureNotEnabled; + Ok(Box::new(builtin::Rvps::new(config.clone())?) as Box) + } + #[cfg(feature = "rvps-grpc")] + RvpsConfig::GrpcRemote(config) => { + info!("connect to remote RVPS: {}", config.address); + Ok(Box::new(grpc::Agent::new(&config.address).await?) + as Box) } } } diff --git a/attestation-service/src/token/mod.rs b/attestation-service/src/token/mod.rs index 1af172196a..6a6616e4d5 100644 --- a/attestation-service/src/token/mod.rs +++ b/attestation-service/src/token/mod.rs @@ -23,8 +23,9 @@ pub trait AttestationTokenBroker { fn pubkey_jwks(&self) -> Result; } -#[derive(Deserialize, Debug, Clone, EnumString, Display, PartialEq)] +#[derive(Deserialize, Debug, Clone, EnumString, Display, Default, PartialEq)] pub enum AttestationTokenBrokerType { + #[default] Simple, } diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index 569d4c92f8..887b711d4d 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md @@ -112,8 +112,8 @@ attestation_token_broker = "Simple" duration_min = 5 [as_config.rvps_config] +type = "BuiltIn" store_type = "LocalFs" -remote_addr = "" ``` - Launch the KBS program 
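Review bot: With `#[serde(tag = "type")]` on `RvpsConfig`, an `rvps_config` section that omits `type` fails to deserialize; the `Default` impl only applies when the whole section is absent (assuming the field in `Config` is `#[serde(default)]`, which this hunk does not show). The new docs list `type` as not required with default `BuiltIn`, which reads as if `store_type = "LocalFs"` alone were still valid. Either mark `type` as required in the tables or document it on the enum, e.g. `/// Selected by the mandatory "type" key; Default is used only when rvps_config is omitted entirely.` A config migrated by adding `type = "BuiltIn"` next to a leftover `remote_addr` would switch to the local store without complaint unless `RvpsCrateConfig` rejects unknown fields, so a negative test for that case would be worth adding.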
diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index b58e08b15a..663dcc03a8 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -19,7 +19,7 @@ coco-as = ["as"] coco-as-builtin = ["coco-as", "attestation-service/default"] # Use built-in CoCo-AS as backend attestation service without verifier -coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"] +coco-as-builtin-no-verifier = ["coco-as"] # Use remote gRPC CoCo-AS as backend attestation service coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"] diff --git a/kbs/config/as-config.json b/kbs/config/as-config.json index 9445908e56..0a2a3e1f9e 100644 --- a/kbs/config/as-config.json +++ b/kbs/config/as-config.json @@ -2,10 +2,11 @@ "work_dir": "/opt/confidential-containers/attestation-service", "policy_engine": "opa", "rvps_config": { - "remote_addr":"http://rvps:50003" + "type": "GrpcRemote", + "address": "http://rvps:50003" }, "attestation_token_broker": "Simple", "attestation_token_config": { "duration_min": 5 } -} +} \ No newline at end of file diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml index e7bed67c3f..0adef72eaf 100644 --- a/kbs/config/kbs-config.toml +++ b/kbs/config/kbs-config.toml @@ -14,8 +14,8 @@ attestation_token_broker = "Simple" duration_min = 5 [attestation_service.rvps_config] +type = "BuiltIn" store_type = "LocalFs" -remote_addr = "" [policy_engine] policy_path = "/opa/confidential-containers/kbs/policy.rego" diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index b142f52c67..3bee3790b4 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml 
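Review bot: `coco-as-builtin-no-verifier = ["coco-as"]` no longer names the `attestation-service` crate at all. If that dependency is optional in this manifest, which the `attestation-service/default` entry on `coco-as-builtin` hints at but does not prove, the removed `attestation-service/rvps-builtin` was what enabled it for this feature, and a build with only `coco-as-builtin-no-verifier` would lose the crate. The rest of the manifest is outside the hunk, so this needs checking; if it holds, `coco-as-builtin-no-verifier = ["coco-as", "attestation-service"]` keeps the crate enabled without selecting a verifier.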
@@ -13,12 +13,12 @@ work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" - [attestation_service.attestation_token_config] - duration_min = 5 +[attestation_service.attestation_token_config] +duration_min = 5 - [attestation_service.rvps_config] - store_type = "LocalFs" - remote_addr = "" +[attestation_service.rvps_config] +type = "BuiltIn" +store_type = "LocalFs" [admin] auth_public_key = "/kbs/kbs.pem" diff --git a/kbs/docs/config.md b/kbs/docs/config.md index d044b7632d..b4830c18a1 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md @@ -82,7 +82,7 @@ When `type` is set to `coco_as_builtin`, the following properties can be set. | Property | Type | Description | Default | |----------------------------|-----------------------------|-----------------------------------------------------|----------| -| `timeout` | Integer | The maximum time (in minutes) between RCAR handshake's `auth` and `attest` requests | 5 | +| `timeout` | Integer | The maximum time (in minutes) of the attestation session | 5 | | `work_dir` | String | The location for Attestation Service to store data. | First try from env `AS_WORK_DIR`. If no this env, then use `/opt/confidential-containers/attestation-service` | | `policy_engine` | String | Policy engine type. Valid values: `opa` | `opa` | | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] | 
@@ -115,14 +115,40 @@ This section is **optional**. When omitted, an ephemeral RSA key pair is generat ##### RVPS Configuration -| Property | Type | Description | Default | -|----------------|-------------------------|------------------------------------------------------|---------| -| `remote_addr` | String | Remote RVPS' address. If this is specified, will use a remote RVPS. Or a local RVPS will be configured with `store_type` and `store_config`| Empty | -| `store_type` | String | Used if `remote_addr` is not set. The underlying storage type of RVPS. | `LocalFs` | -| `store_config` | JSON Map | Used if `remote_addr` is not set. The optional configurations to the underlying storage. | Empty | +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `type` | String | It can be either `BuiltIn` (Built-In RVPS) or `GrpcRemote` (connect to a remote gRPC RVPS) | No | `BuiltIn` | + +##### BuiltIn RVPS + +If `type` is set to `BuiltIn`, the following extra properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|-----------------------------------------------------------------------|----------|----------| +| `store_type` | String | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`) | No | `LocalFs`| +| `store_config` | JSON Map | The optional configurations to the underlying storage. | No | Null | Different `store_type` will have different `store_config` items. -See the details of `store_config` in [concrete implementations of storages](../../rvps/src/store/). 
+ +For `LocalFs`, the following properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|----------------------------------------------------------|----------|----------| +| `file_path` | String | The path to the directory storing reference values | No | `/opt/confidential-containers/attestation-service/reference_values`| + +For `LocalJson`, the following properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|----------------------------------------------------------|----------|----------| +| `file_path` | String | The path to the file that storing reference values | No | `/opt/confidential-containers/attestation-service/reference_values.json`| + +##### Remote RVPS + +If `type` is set to `GrpcRemote`, the following extra properties can be set + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|-----------------------------------------|----------|------------------| +| `address` | String | Remote address of the RVPS server | No | `127.0.0.1:50003`| #### gRPC CoCo AS @@ -231,8 +257,8 @@ attestation_token_broker = "Simple" duration_min = 5 [attestation_service.rvps_config] + type = "BuiltIn" store_type = "LocalFs" - remote_addr = "" [[plugins]] name = "resource" diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md index 034bf77b01..3d9e19df6f 100644 --- a/kbs/docs/self-signed-https.md +++ b/kbs/docs/self-signed-https.md @@ -87,7 +87,7 @@ attestation_token_broker = "Simple" duration_min = 5 [attestation_service.rvps_config] - remote_addr = "" + type = "BuiltIn" store_type = "LocalFs" [[plugins]] diff --git a/kbs/src/config.rs b/kbs/src/config.rs index 06d3af2a1e..3c4f2ff41a 100644 --- a/kbs/src/config.rs +++ b/kbs/src/config.rs 
@@ -120,7 +120,7 @@ mod tests { #[cfg(feature = "coco-as-builtin")] use attestation_service::{ - rvps::{RvpsConfig, DEFAULT_STORAGE_TYPE}, + rvps::{grpc::RvpsRemoteConfig, RvpsConfig, RvpsCrateConfig}, token::{ AttestationTokenBrokerType, AttestationTokenConfig, COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_TIMEOUT, @@ -186,11 +186,9 @@ mod tests { work_dir: "/opt/coco/attestation-service".into(), policy_engine: "opa".into(), attestation_token_broker: AttestationTokenBrokerType::Simple, - rvps_config: RvpsConfig { - remote_addr: "http://127.0.0.1:50003".into(), - store_type: DEFAULT_STORAGE_TYPE.into(), - store_config: json!({}), - }, + rvps_config: RvpsConfig::GrpcRemote(RvpsRemoteConfig { + address: "http://127.0.0.1:50003".into(), + }), attestation_token_config: AttestationTokenConfig { duration_min: DEFAULT_TOKEN_TIMEOUT, issuer_name: COCO_AS_ISSUER_NAME.into(), @@ -301,11 +299,10 @@ mod tests { work_dir: "/opt/confidential-containers/attestation-service".into(), policy_engine: "opa".into(), attestation_token_broker: AttestationTokenBrokerType::Simple, - rvps_config: RvpsConfig { - remote_addr: "".into(), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { store_type: "LocalFs".into(), store_config: json!({}), - }, + }), attestation_token_config: AttestationTokenConfig { duration_min: 5, ..Default::default() @@ -434,11 +431,10 @@ mod tests { work_dir: "/opt/confidential-containers/attestation-service".into(), policy_engine: "opa".into(), attestation_token_broker: AttestationTokenBrokerType::Simple, - rvps_config: RvpsConfig { - remote_addr: "".into(), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { store_type: "LocalFs".into(), ..Default::default() - }, + }), attestation_token_config: AttestationTokenConfig { duration_min: 5, ..Default::default() diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index 933f169797..012e8b6220 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml 
@@ -14,16 +14,16 @@ work_dir = "./work/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" - [attestation_service.attestation_token_config] - duration_min = 5 +[attestation_service.attestation_token_config] +duration_min = 5 - [attestation_service.attestation_token_config.signer] - key_path = "./work/token.key" - cert_path = "./work/token-cert-chain.pem" +[attestation_service.attestation_token_config.signer] +key_path = "./work/token.key" +cert_path = "./work/token-cert-chain.pem" - [attestation_service.rvps_config] - store_type = "LocalFs" - remote_addr = "" +[attestation_service.rvps_config] +type = "BuiltIn" +store_type = "LocalFs" [policy_engine] policy_path = "./work/kbs-policy.rego" diff --git a/kbs/test_data/configs/coco-as-builtin-1.toml b/kbs/test_data/configs/coco-as-builtin-1.toml index 7fd6da32cf..1b776755d6 100644 --- a/kbs/test_data/configs/coco-as-builtin-1.toml +++ b/kbs/test_data/configs/coco-as-builtin-1.toml @@ -4,5 +4,6 @@ work_dir = "/opt/coco/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" - [attestation_service.rvps_config] - remote_addr = "http://127.0.0.1:50003" +[attestation_service.rvps_config] +type = "GrpcRemote" +address = "http://127.0.0.1:50003" diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml index c2398128c9..e137d9523d 100644 --- a/kbs/test_data/configs/coco-as-builtin-2.toml +++ b/kbs/test_data/configs/coco-as-builtin-2.toml @@ -12,12 +12,12 @@ work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" - [attestation_service.attestation_token_config] - duration_min = 5 +[attestation_service.attestation_token_config] +duration_min = 5 - [attestation_service.rvps_config] - store_type = "LocalFs" - remote_addr = "" +[attestation_service.rvps_config] +type = "BuiltIn" +store_type = "LocalFs" [admin] auth_public_key = "/kbs/kbs.pem" 
diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index 1d8e13f449..7786781d83 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml @@ -9,12 +9,12 @@ work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" - [attestation_service.attestation_token_config] - duration_min = 5 +[attestation_service.attestation_token_config] +duration_min = 5 - [attestation_service.rvps_config] - store_type = "LocalFs" - remote_addr = "" +[attestation_service.rvps_config] +type = "BuiltIn" +store_type = "LocalFs" [policy_engine] policy_path = "/opa/confidential-containers/kbs/policy.rego" diff --git a/rvps/README.md b/rvps/README.md index 3500d3f09e..f2fb5fb491 100644 --- a/rvps/README.md +++ b/rvps/README.md @@ -100,8 +100,7 @@ RVPS can be launched with a specified configuration file by `-c` flag. A configu ### Native Mode (Not Recommend) -In this way RVPS will work as a crate inside AS binary. If AS is built without feature `rvps-grpc` -and with feature `rvps-builtin`, the RVPS will be built-in AS. +In this way RVPS will work as a crate inside AS binary. ![](./diagrams/rvps-native.svg) diff --git a/rvps/src/config.rs b/rvps/src/config.rs index 63103d014b..98bf34f581 100644 --- a/rvps/src/config.rs +++ b/rvps/src/config.rs 
@@ -8,16 +8,27 @@ use serde_json::{json, Value}; pub const DEFAULT_STORAGE_TYPE: &str = "LocalFs"; -#[derive(Deserialize, Clone, Debug)] +#[derive(Deserialize, Clone, Debug, PartialEq)] pub struct Config { + #[serde(default = "default_store_type")] pub store_type: String, + + #[serde(default = "default_store_config")] pub store_config: Value, } +fn default_store_type() -> String { + DEFAULT_STORAGE_TYPE.to_string() +} + +fn default_store_config() -> Value { + json!({}) +} + impl Default for Config { fn default() -> Self { Self { - store_type: DEFAULT_STORAGE_TYPE.to_string(), + store_type: default_store_type(), store_config: json!({}), } } From 36c2e1aaa1208b0591f628ae7c6d135b70df5abc Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 25 Nov 2024 10:06:00 +0800 Subject: [PATCH 184/298] chore: Update futures suites to 0.3.31 Manually for #594 Signed-off-by: Xynnn007 --- Cargo.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 26de0e826b..b2b90f0603 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1926,9 +1926,9 @@ dependencies = [ [[package]] name = "futures-channel" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78" +checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" dependencies = [ "futures-core", "futures-sink", @@ -1936,9 +1936,9 @@ dependencies = [ [[package]] name = "futures-core" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d" +checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" [[package]] name = "futures-executor" 
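Review bot: `impl Default for Config` now calls `default_store_type()` but still spells `store_config: json!({})` inline, so the default for that field is defined in two places (here and in the new `default_store_config()`). Using `store_config: default_store_config(),` keeps `Config::default()` and the serde field defaults from drifting apart. A short doc comment on each `#[serde(default = ...)]` field stating its default (`LocalFs`, empty JSON object) would also help anyone reading the struct without the docs open.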
@@ -1953,15 +1953,15 @@ dependencies = [ [[package]] name = "futures-io" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1" +checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6" [[package]] name = "futures-macro" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac" +checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ "proc-macro2", "quote", @@ -1976,9 +1976,9 @@ checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" [[package]] name = "futures-task" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" +checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" [[package]] name = "futures-timer" @@ -1988,9 +1988,9 @@ checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24" [[package]] name = "futures-util" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48" +checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" dependencies = [ "futures-channel", "futures-core", From f24ffada1fe5c735452188cd4fc28db7b5efe14b Mon Sep 17 00:00:00 2001 
From: Xynnn007 Date: Mon, 25 Nov 2024 10:18:59 +0800 Subject: [PATCH 185/298] kbs: allow resource uri to have `.` in safe ways We deprecated `.` in resource uri to avoid security issues like accessing the upper directory with `..` path. However, in some cases `.` is safe like `example.txt`. This patch allows a string not starting with `.` to appear in a resource URI. Fixes #593 Signed-off-by: Xynnn007 --- kbs/src/plugins/implementations/resource/backend.rs | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/kbs/src/plugins/implementations/resource/backend.rs b/kbs/src/plugins/implementations/resource/backend.rs index 85186ba7ee..ebe72b9739 100644 --- a/kbs/src/plugins/implementations/resource/backend.rs +++ b/kbs/src/plugins/implementations/resource/backend.rs @@ -38,7 +38,7 @@ impl TryFrom<&str> for ResourceDesc { fn try_from(value: &str) -> Result { let regex = CELL.get_or_init(|| { Regex::new( - r"^((?[a-zA-Z0-9_\-]+)/)?(?[a-zA-Z0-9_\-]+)/(?[a-zA-Z0-9_\-]+)$", + r"^((?[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)\/)?(?[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)\/(?[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)$", ) .unwrap() }); @@ -168,6 +168,14 @@ mod tests { resource_type: "1Abff-_".into(), resource_tag: "___-afds44BC".into(), }))] + #[case("1.ok/2ok./3...", Some(ResourceDesc { + repository_name: "1.ok".into(), + resource_type: "2ok.".into(), + resource_tag: "3...".into(), + }))] + #[case(".1.ok/2ok./3...", None)] + #[case("1.ok/.2ok./3...", None)] + #[case("1.ok/2ok./.3...", None)] fn parse_resource_desc(#[case] desc: &str, #[case] expected: Option) { let parsed = ResourceDesc::try_from(desc); if expected.is_none() { From ad5a851475a9a5d0bbe9dd60e43d2100c0e3ac1e Mon Sep 17 00:00:00 2001 
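Review bot: The pattern in `try_from` carries a security invariant that is not written down next to it: every segment must begin with a character from `[a-zA-Z0-9_\-]`, so `.` and `..` can never be a whole segment. I would add a comment above `Regex::new(` such as `// Each segment must start with a non-dot character; this is what rejects "." and ".." path components.` Each segment is also written as `[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*`, where the `+` is redundant because the second class contains the first; `[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]*` matches the same strings and reads as "first character, then the rest". Names with consecutive or trailing dots (`a..b`, `2ok.`) are now accepted, and whether any storage backend treats those specially is not visible from this hunk. `try_from` starts and ends outside the hunk.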
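Review bot: The new rejected cases only cover segments that start with a dot and continue with other characters (`.1.ok`, `.2ok.`, `.3...`); none uses a bare `.` or `..` segment, which is the case the commit message gives as the reason dots were banned in the first place. Adding `#[case("1.ok/../3...", None)]` and `#[case("1.ok/./3...", None)]` would pin that invariant directly, so a later loosening of the regex fails a test instead of passing silently. The body of `parse_resource_desc` continues outside the hunk.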
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Nov 2024 01:59:17 +0000 Subject: [PATCH 186/298] build(deps): bump iana-time-zone from 0.1.60 to 0.1.61 Bumps [iana-time-zone](https://github.com/strawlab/iana-time-zone) from 0.1.60 to 0.1.61. - [Changelog](https://github.com/strawlab/iana-time-zone/blob/main/CHANGELOG.md) - [Commits](https://github.com/strawlab/iana-time-zone/compare/v0.1.60...v0.1.61) --- updated-dependencies: - dependency-name: iana-time-zone dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b2b90f0603..ae3431af84 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2468,9 +2468,9 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.60" +version = "0.1.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141" +checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220" dependencies = [ "android_system_properties", "core-foundation-sys", @@ -3080,7 +3080,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.52.6", + "windows-targets 0.48.5", ] [[package]] From 9d67f1ca6905c19da781f2dabd45009403773085 Mon Sep 17 00:00:00 2001 
From: Xynnn007 Date: Tue, 26 Nov 2024 17:42:53 +0800 Subject: [PATCH 187/298] KBS: return more context about RCAR/Attestation error Before this commit, if the rcar auth fails, the client would only get error information "Attestation error". This commit expose more error information to the client side. A typical error would say "Attestation error: RCAR handshake Auth failed: KBS Client Protocol Version Mismatch: ..." This would do much help to debugging and error locating. Signed-off-by: Xynnn007 --- kbs/src/attestation/backend.rs | 6 +++--- kbs/src/attestation/error.rs | 2 +- kbs/src/attestation/session.rs | 7 +++---- kbs/src/error.rs | 4 ++-- 4 files changed, 9 insertions(+), 10 deletions(-) diff --git a/kbs/src/attestation/backend.rs b/kbs/src/attestation/backend.rs index febc9e4902..6e130d0e8e 100644 --- a/kbs/src/attestation/backend.rs +++ b/kbs/src/attestation/backend.rs @@ -181,7 +181,7 @@ impl AttestationService { let version = Version::parse(&request.version).context("failed to parse KBS version")?; if !VERSION_REQ.matches(&version) { bail!( - "expected version: {}, requested version: {}", + "KBS Client Protocol Version Mismatch: expect {} while the request is {}", *VERSION_REQ, request.version ); @@ -191,9 +191,9 @@ impl AttestationService { .inner .generate_challenge(request.tee, request.extra_params.clone()) .await - .context("generate challenge")?; + .context("Attestation Service generate challenge failed")?; - let session = SessionStatus::auth(request, self.timeout, challenge).context("Session")?; + let session = SessionStatus::auth(request, self.timeout, challenge); let response = HttpResponse::Ok() .cookie(session.cookie()) diff --git a/kbs/src/attestation/error.rs b/kbs/src/attestation/error.rs index c00bf13967..c568fff85b 100644 --- a/kbs/src/attestation/error.rs +++ b/kbs/src/attestation/error.rs 
@@ -22,7 +22,7 @@ pub enum Error { source: anyhow::Error, }, - #[error("RCAR handshake Auth failed")] + #[error("RCAR handshake Auth failed: {source}")] RcarAuthFailed { #[source] source: anyhow::Error, diff --git a/kbs/src/attestation/session.rs b/kbs/src/attestation/session.rs index 50892776c9..22cde081ff 100644 --- a/kbs/src/attestation/session.rs +++ b/kbs/src/attestation/session.rs @@ -6,7 +6,6 @@ use actix_web::cookie::{ time::{Duration, OffsetDateTime}, Cookie, }; -use anyhow::Result; use kbs_types::{Challenge, Request}; use log::warn; use uuid::Uuid; @@ -49,17 +48,17 @@ macro_rules! impl_member { } impl SessionStatus { - pub fn auth(request: Request, timeout: i64, challenge: Challenge) -> Result { + pub fn auth(request: Request, timeout: i64, challenge: Challenge) -> Self { let id = Uuid::new_v4().as_simple().to_string(); let timeout = OffsetDateTime::now_utc() + Duration::minutes(timeout); - Ok(Self::Authed { + Self::Authed { request, challenge, id, timeout, - }) + } } pub fn cookie<'a>(&self) -> Cookie<'a> { diff --git a/kbs/src/error.rs b/kbs/src/error.rs index cfc09f18fa..fe5c1c9b58 100644 --- a/kbs/src/error.rs +++ b/kbs/src/error.rs @@ -18,11 +18,11 @@ pub type Result = std::result::Result; #[derive(Error, AsRefStr, Debug)] pub enum Error { - #[error("Admin auth error")] + #[error("Admin auth error: {0}")] AdminAuth(#[from] crate::admin::Error), #[cfg(feature = "as")] - #[error("Attestation error")] + #[error("Attestation error: {0}")] AttestationError(#[from] crate::attestation::Error), #[error("HTTP initialization failed")] From 6db4f4b75fcefc8ba8a92c1ee9bdbc4f0695b965 Mon Sep 17 00:00:00 2001 
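Review bot: `#[error("RCAR handshake Auth failed: {source}")]` in kbs/src/attestation/error.rs, together with `Attestation error: {0}` and `Admin auth error: {0}` in the kbs/src/error.rs hunk, puts the full text of the wrapped error into the message that the commit description says is returned to the client. At the RCAR auth step the caller has not been attested yet, and the wrapped `anyhow::Error` carries whatever context inner layers attached (the backend.rs hunk adds "Attestation Service generate challenge failed" on top of the attestation service's own error), so internal detail may reach an unauthenticated peer; how the error is rendered into the HTTP body is not visible here. Consider limiting the client-facing text to a fixed set of reasons such as the protocol version mismatch and logging the full chain server-side. Separately, interpolating a field that is also marked `#[source]` or `#[from]` makes the inner message appear twice whenever a caller prints the error chain. Both enums continue outside the hunks.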
From: Tobin Feldman-Fitzthum Date: Wed, 25 Sep 2024 09:54:43 -0500 Subject: [PATCH 188/298] token: implement EAR token generation This commit allows the AS to issue EAR tokens with the help of the rust-ear crate. EAR tokens require particular claims. This creates a binding between the AS policy and the EAR token. Specifically, the policy engine must return an EAR appraisal. The policy engine is still generic. Multiple policy engines could be implemented as long as they create an appraisal. Since policy evaluation is now closely tied to the type of token we are going to generate, make the policy engine more generic and move the logic around calling the policy engine out of lib.rs and into the token broker. There are a few other changes, including that the policy engine no longer takes multiple policies. For now, we only evaluate the first policy in the policy list, but future commits will change this convention so that we only ever think about one policy for the attestation service (until we introduce support for validating multiple devices at once). EAR Tokens also do not use flattened claims. The TCB claims are currently flattened so that we can use the key names as the input to the RVPS. This commit breaks this functionality, but a future commit will change the way the RVPS works to accommodate. There isn't a direct pairing between claim names and reference values, so there is no reason to keep flattening all the claims, especially because the flattening code has some corner cases that it does not support. This commit also adds the init_data_claims and runtime_data_claims to the tcb claims as long as the corresponding claims about the hashes are already there. This will allow the init_data to travel with the token, which will be convenient except if the init_data is too big. Signed-off-by: Tobin Feldman-Fitzthum 
Signed-off-by: Xynnn007 --- .github/workflows/as-rust.yml | 8 +- Cargo.lock | 966 +++++++++--------- Cargo.toml | 3 +- attestation-service/Cargo.toml | 3 + attestation-service/README.md | 2 +- attestation-service/config.json | 5 +- attestation-service/docs/policy.md | 2 +- attestation-service/src/bin/restful/mod.rs | 3 +- attestation-service/src/config.rs | 116 ++- attestation-service/src/lib.rs | 88 +- attestation-service/src/policy_engine/mod.rs | 94 +- .../src/policy_engine/opa/mod.rs | 343 +++---- attestation-service/src/token/ear_broker.rs | 583 +++++++++++ .../src/token/ear_default_policy.rego | 30 + attestation-service/src/token/mod.rs | 108 +- attestation-service/src/token/simple.rs | 418 +++++++- .../simple_default_policy.rego} | 0 attestation-service/src/utils.rs | 159 --- .../tests/configs/example1.json | 14 + .../tests/configs/example2.json | 19 + .../tests/configs/example3.json | 17 + .../tests/configs/example4.json | 22 + deps/verifier/src/se/README.md | 6 +- kbs/config/as-config.json | 10 +- kbs/config/kbs-config.toml | 4 +- kbs/config/kubernetes/base/kbs-config.toml | 8 +- kbs/docs/config.md | 4 +- kbs/docs/self-signed-https.md | 6 +- kbs/quickstart.md | 5 +- kbs/src/attestation/coco/builtin.rs | 2 +- kbs/src/config.rs | 26 +- kbs/test/config/kbs.toml | 8 +- kbs/test/config/resource-kbs.toml | 4 +- kbs/test_data/configs/coco-as-builtin-1.toml | 4 +- kbs/test_data/configs/coco-as-builtin-2.toml | 4 +- kbs/test_data/configs/coco-as-builtin-3.toml | 4 +- 36 files changed, 2025 insertions(+), 1073 deletions(-) create mode 100644 attestation-service/src/token/ear_broker.rs create mode 100644 attestation-service/src/token/ear_default_policy.rego rename attestation-service/src/{policy_engine/opa/default_policy.rego => token/simple_default_policy.rego} (100%) delete mode 100644 attestation-service/src/utils.rs create mode 100644 attestation-service/tests/configs/example1.json create mode 100644 attestation-service/tests/configs/example2.json create mode 
100644 attestation-service/tests/configs/example3.json create mode 100644 attestation-service/tests/configs/example4.json diff --git a/.github/workflows/as-rust.yml b/.github/workflows/as-rust.yml index aa225e907b..3235d38d01 100644 --- a/.github/workflows/as-rust.yml +++ b/.github/workflows/as-rust.yml @@ -33,13 +33,15 @@ jobs: - name: Install OPA command line tool run: | - curl -L -o opa https://openpolicyagent.org/downloads/v0.42.2/opa_linux_amd64_static + curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static chmod 755 ./opa && cp opa /usr/local/bin - name: OPA policy.rego fmt and check run: | - opa fmt -d attestation-service/src/policy_engine/opa/default_policy.rego | awk '{ print } END { if (NR!=0) { print "run `opa fmt -w ` to fix this"; exit 1 } }' - opa check attestation-service/src/policy_engine/opa/default_policy.rego + opa fmt -d attestation-service/src/token/ear_default_policy.rego | awk '{ print } END { if (NR!=0) { print "run `opa fmt -w ` to fix this"; exit 1 } }' + opa check attestation-service/src/token/ear_default_policy.rego + opa fmt -d attestation-service/src/token/simple_default_policy.rego | awk '{ print } END { if (NR!=0) { print "run `opa fmt -w ` to fix this"; exit 1 } }' + opa check attestation-service/src/token/simple_default_policy.rego - name: Install protoc run: | diff --git a/Cargo.lock b/Cargo.lock index ae3431af84..f599be502b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -8,7 +8,7 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5f7b0a21988c1bf877cf4759ef5ddaac04c1c9fe808c9142ecb78ba97d97a28a" dependencies = [ - "bitflags 2.5.0", + "bitflags 2.6.0", "bytes", "futures-core", "futures-sink", 
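Review bot: The `Install OPA command line tool` step now downloads `.../downloads/latest/opa_linux_amd64_static` and copies it to /usr/local/bin with no integrity check, where the previous line at least fixed the version to v0.42.2. With an unpinned binary the `opa fmt` and `opa check` results can change whenever upstream publishes a release, and the job executes whatever the URL serves at that moment. I would pin an explicit release and verify it before installing, e.g. `curl -L -o opa https://openpolicyagent.org/downloads/<PINNED_VERSION>/opa_linux_amd64_static` followed by `echo "<EXPECTED_SHA256>  opa" | sha256sum -c -` (both values are placeholders to fill in from the chosen release).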
@@ -21,9 +21,9 @@ dependencies = [ [[package]] name = "actix-http" -version = "3.6.0" +version = "3.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d223b13fd481fc0d1f83bb12659ae774d9e3601814c68a0bc539731698cca743" +checksum = "d48f96fc3003717aeb9856ca3d02a8c7de502667ad76eeacd830b48d2e91fac4" dependencies = [ "actix-codec", "actix-rt", @@ -31,8 +31,8 @@ dependencies = [ "actix-tls", "actix-utils", "ahash 0.8.11", - "base64 0.21.7", - "bitflags 2.5.0", + "base64 0.22.1", + "bitflags 2.6.0", "brotli", "bytes", "bytestring", @@ -71,22 +71,24 @@ dependencies = [ [[package]] name = "actix-router" -version = "0.5.2" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d22475596539443685426b6bdadb926ad0ecaefdfc5fb05e5e3441f15463c511" +checksum = "13d324164c51f63867b57e73ba5936ea151b8a41a1d23d1031eeb9f70d0236f8" dependencies = [ "bytestring", + "cfg-if", "http 0.2.12", "regex", + "regex-lite", "serde", "tracing", ] [[package]] name = "actix-rt" -version = "2.9.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28f32d40287d3f402ae0028a9d54bef51af15c8769492826a69d28f81893151d" +checksum = "24eda4e2a6e042aa4e55ac438a2ae052d3b5da0ecf83d7411e1a368946925208" dependencies = [ "futures-core", "tokio", @@ -94,16 +96,16 @@ dependencies = [ [[package]] name = "actix-server" -version = "2.3.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3eb13e7eef0423ea6eab0e59f6c72e7cb46d33691ad56a726b3cd07ddec2c2d4" +checksum = "7ca2549781d8dd6d75c40cf6b6051260a2cc2f3c62343d761a969a0640646894" dependencies = [ "actix-rt", "actix-service", "actix-utils", "futures-core", "futures-util", - "mio 0.8.11", + "mio", "socket2", "tokio", "tracing", 
@@ -122,9 +124,9 @@ dependencies = [ [[package]] name = "actix-tls" -version = "3.3.0" +version = "3.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4cce60a2f2b477bc72e5cde0af1812a6e82d8fd85b5570a5dcf2a5bf2c5be5f" +checksum = "ac453898d866cdbecdbc2334fe1738c747b4eba14a677261f2b768ba05329389" dependencies = [ "actix-rt", "actix-service", @@ -151,9 +153,9 @@ dependencies = [ [[package]] name = "actix-web" -version = "4.5.1" +version = "4.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43a6556ddebb638c2358714d853257ed226ece6023ef9364f23f0c70737ea984" +checksum = "9180d76e5cc7ccbc4d60a506f2c727730b154010262df5b910eb17dbe4b8cb38" dependencies = [ "actix-codec", "actix-http", @@ -174,6 +176,7 @@ dependencies = [ "encoding_rs", "futures-core", "futures-util", + "impl-more", "itoa", "language-tags", "log", @@ -181,6 +184,7 @@ dependencies = [ "once_cell", "pin-project-lite", "regex", + "regex-lite", "serde", "serde_json", "serde_urlencoded", @@ -192,9 +196,9 @@ dependencies = [ [[package]] name = "actix-web-codegen" -version = "4.2.2" +version = "4.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb1f50ebbb30eca122b188319a4398b3f7bb4a8cdf50ecfb73bfc6a3c3ce54f5" +checksum = "f591380e2e68490b5dfaf1dd1aa0ebe78d84ba7067078512b4ea6e4492d622b8" dependencies = [ "actix-router", "proc-macro2", 
@@ -219,19 +223,13 @@ dependencies = [ [[package]] name = "addr2line" -version = "0.22.0" +version = "0.24.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e4503c46a5c0c7844e948c9a4d6acd9f50cccb4de1c48eb9e291ea17470c678" +checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1" dependencies = [ "gimli", ] -[[package]] -name = "adler" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" - [[package]] name = "adler2" version = "2.0.0" @@ -347,9 +345,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.14" +version = "0.6.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "418c75fa768af9c03be99d17643f93f79bbba589895012a80e3452a19ddda15b" +checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b" dependencies = [ "anstyle", "anstyle-parse", 
@@ -368,37 +366,37 @@ checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" [[package]] name = "anstyle-parse" -version = "0.2.4" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c03a11a9034d92058ceb6ee011ce58af4a9bf61491aa7e1e59ecd24bd40d22d4" +checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.0.3" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a64c907d4e79225ac72e2a354c9ce84d50ebb4586dee56c82b3ee73004f537f5" +checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c" dependencies = [ - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "anstyle-wincon" -version = "3.0.3" +version = "3.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61a38449feb7068f52bb06c12759005cf459ee52bb4adc1d5a7c4322d716fb19" +checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125" dependencies = [ "anstyle", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "anyhow" -version = "1.0.82" +version = "1.0.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f538837af36e6f6a9be0faa67f9a314f8119e4e4b5867c6ab40ed60360142519" +checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" [[package]] name = "arrayref" @@ -408,9 +406,9 @@ checksum = "76a2e8124351fda1ef8aaaa3bbd7ebbcb486bbcd4225aca0aa0d84bb2db8fecb" [[package]] name = "arrayvec" -version = "0.7.4" +version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711" +checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50" [[package]] name = "asn1-rs" 
@@ -424,7 +422,7 @@ dependencies = [ "nom", "num-traits", "rusticata-macros", - "thiserror 1.0.65", + "thiserror 1.0.69", "time", ] @@ -463,9 +461,9 @@ dependencies = [ [[package]] name = "async-stream" -version = "0.3.5" +version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd56dd203fef61ac097dd65721a419ddccb106b2d2b70ba60a6b529f03961a51" +checksum = "0b5a71a6f37880a80d1d7f19efd781e4b5de42c88f0722cc13bcb6cc2cfe8476" dependencies = [ "async-stream-impl", "futures-core", @@ -474,9 +472,9 @@ dependencies = [ [[package]] name = "async-stream-impl" -version = "0.3.5" +version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193" +checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d" dependencies = [ "proc-macro2", "quote", @@ -534,10 +532,12 @@ dependencies = [ "async-trait", "base64 0.22.1", "cfg-if", - "clap 4.5.20", + "clap 4.5.21", + "ear 0.3.0", "env_logger 0.10.2", "futures", "hex", + "jsonwebtoken", "kbs-types", "lazy_static", "log", @@ -555,8 +555,9 @@ dependencies = [ "sha2", "shadow-rs", "strum 0.25.0", + "tempfile", "testing_logger", - "thiserror 1.0.65", + "thiserror 1.0.69", "time", "tokio", "tonic 0.11.0", @@ -578,7 +579,7 @@ dependencies = [ "codicon", "csv-rs", "hex", - "hyper 0.14.30", + "hyper 0.14.31", "hyper-tls 0.5.0", "kbs-types", "log", @@ -588,7 +589,7 @@ dependencies = [ "serde", "serde_json", "serde_with", - "sev 3.1.1", + "sev 3.2.0", "sha2", "strum 0.26.3", "tdx-attest-rs", @@ -610,9 +611,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.3.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "axum" 
@@ -627,7 +628,7 @@ dependencies = [ "futures-util", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.30", + "hyper 0.14.31", "itoa", "matchit", "memchr", @@ -637,23 +638,23 @@ dependencies = [ "rustversion", "serde", "sync_wrapper 0.1.2", - "tower", + "tower 0.4.13", "tower-layer", "tower-service", ] [[package]] name = "axum" -version = "0.7.5" +version = "0.7.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a6c9af12842a67734c9a2e355436e5d03b22383ed60cf13cd0c18fbfe3dcbcf" +checksum = "edca88bc138befd0323b20752846e6587272d3b03b0343c8ea28a6f819e6e71f" dependencies = [ "async-trait", "axum-core 0.4.5", "bytes", "futures-util", "http 1.1.0", - "http-body 1.0.0", + "http-body 1.0.1", "http-body-util", "itoa", "matchit", @@ -663,8 +664,8 @@ dependencies = [ "pin-project-lite", "rustversion", "serde", - "sync_wrapper 1.0.1", - "tower", + "sync_wrapper 1.0.2", + "tower 0.5.1", "tower-layer", "tower-service", ] @@ -696,12 +697,12 @@ dependencies = [ "bytes", "futures-util", "http 1.1.0", - "http-body 1.0.0", + "http-body 1.0.1", "http-body-util", "mime", "pin-project-lite", "rustversion", - "sync_wrapper 1.0.1", + "sync_wrapper 1.0.2", "tower-layer", "tower-service", ] @@ -734,7 +735,7 @@ checksum = "7c16506502dc64f7111f7241ca400f3ee0f54e69dfd1f4be5cef29b96332f22e" dependencies = [ "az-cvm-vtpm", "bincode", - "clap 4.5.20", + "clap 4.5.21", "openssl", "serde", "sev 4.0.0", 
@@ -744,33 +745,33 @@ dependencies = [ [[package]] name = "az-tdx-vtpm" -version = "0.7.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55802d75ce5ef102b03f687b220dab76a626e0ca4c79e3f4af3c544734152356" +checksum = "80875afa68553e2035bc45836d00101ab80c94ec386de66f2fb14af480514711" dependencies = [ "az-cvm-vtpm", "base64-url", "bincode", "serde", "serde_json", - "thiserror 1.0.65", + "thiserror 2.0.3", "ureq", "zerocopy", ] [[package]] name = "backtrace" -version = "0.3.73" +version = "0.3.74" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5cc23269a4f8976d0a4d2e7109211a419fe30e8d88d677cd60b6bc79c5732e0a" +checksum = "8d82cb332cdfaed17ae235a638438ac4d4839913cc2af585c3c6746e8f8bee1a" dependencies = [ "addr2line", - "cc", "cfg-if", "libc", - "miniz_oxide 0.7.2", + "miniz_oxide", "object", "rustc-demangle", + "windows-targets 0.52.6", ] [[package]] @@ -899,9 +900,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.5.0" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" +checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "blake2b_simd" @@ -934,9 +935,9 @@ dependencies = [ [[package]] name = "brotli" -version = "3.5.0" +version = "6.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d640d25bc63c50fb1f0b545ffd80207d2e10a4c965530809b40ba3386825c391" +checksum = "74f7971dbd9326d58187408ab83117d8ac1bb9c17b085fdacd1cf2f598719b6b" dependencies = [ "alloc-no-stdlib", "alloc-stdlib", 
@@ -945,9 +946,9 @@ dependencies = [ [[package]] name = "brotli-decompressor" -version = "2.5.1" +version = "4.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e2e4afe60d7dd600fdd3de8d0f08c2b7ec039712e3b6137ff98b7004e82de4f" +checksum = "9a45bd2e4095a8b518033b128020dd4a55aab1c0a381ba4404a472630f4bc362" dependencies = [ "alloc-no-stdlib", "alloc-stdlib", @@ -1001,9 +1002,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.19" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d74707dde2ba56f86ae90effb3b43ddd369504387e718014de010cec7959800" +checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47" dependencies = [ "jobserver", "libc", @@ -1025,6 +1026,12 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +[[package]] +name = "cfg_aliases" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" + [[package]] name = "chrono" version = "0.4.38" @@ -1042,9 +1049,9 @@ dependencies = [ [[package]] name = "chrono-tz" -version = "0.8.6" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d59ae0466b83e838b81a54256c39d5d7c20b9d7daa10510a242d9b75abd5936e" +checksum = "cd6dd8046d00723a59a2f8c5f295c515b9bb9a331ee4f8f3d4dd49e428acd3b6" dependencies = [ "chrono", "chrono-tz-build", @@ -1053,12 +1060,11 @@ dependencies = [ [[package]] name = "chrono-tz-build" -version = "0.2.1" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "433e39f13c9a060046954e0592a8d0a4bcb1040125cbf91cb8ee58964cfb350f" +checksum = "e94fea34d77a245229e7746bd2beb786cd2a896f306ff491fb8cecb3074b10a7" dependencies = [ "parse-zoneinfo", - "phf", "phf_codegen", ] 
@@ -1101,9 +1107,9 @@ dependencies = [ [[package]] name = "clang-sys" -version = "1.7.0" +version = "1.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67523a3b4be3ce1989d607a828d036249522dd9c1c8de7f4dd2dae43a37369d1" +checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" dependencies = [ "glob", "libc", @@ -1127,9 +1133,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.20" +version = "4.5.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97f376d85a664d5837dbae44bf546e6477a679ff6610010f17276f686d867e8" +checksum = "fb3b4b9e5a7c7514dfa52869339ee98b3156b0bfb4e8a77c4ff4babb64b1604f" dependencies = [ "clap_builder", "clap_derive", @@ -1137,9 +1143,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.20" +version = "4.5.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "19bc80abd44e4bed93ca373a0704ccbd1b710dc5749406201bb018272808dc54" +checksum = "b17a95aa67cc7b5ebd32aa5370189aa0d79069ef1c64ce893bd30fb24bff20ec" dependencies = [ "anstream", "anstyle", @@ -1161,9 +1167,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.7.1" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b82cf0babdbd58558212896d1a4272303a57bdb245c2bf1147185fb45640e70" +checksum = "afb84c814227b90d6895e01398aee0d8033c00e7466aca416fb6a8e0eb19d8a7" [[package]] name = "coarsetime" @@ -1184,9 +1190,9 @@ checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" [[package]] name = "colorchoice" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" +checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" [[package]] name = "config" 
@@ -1241,9 +1247,9 @@ dependencies = [ [[package]] name = "constant_time_eq" -version = "0.3.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" +checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" [[package]] name = "convert_case" @@ -1275,12 +1281,13 @@ dependencies = [ [[package]] name = "cookie_store" -version = "0.21.0" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4934e6b7e8419148b6ef56950d277af8561060b56afd59e2aadf98b59fce6baa" +checksum = "2eac901828f88a5241ee0600950ab981148a18f2f756900ffba1b125ca6a3ef9" dependencies = [ "cookie 0.18.1", - "idna 0.5.0", + "document-features", + "idna", "log", "publicsuffix", "serde", @@ -1302,9 +1309,9 @@ dependencies = [ [[package]] name = "core-foundation-sys" -version = "0.8.6" +version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f" +checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" [[package]] name = "cose-rust" @@ -1319,18 +1326,18 @@ dependencies = [ [[package]] name = "cpufeatures" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "608697df725056feaccfa42cffdaeeec3fccc4ffc38358ecd19b243e716a78e0" +checksum = "0ca741a962e1b0bff6d724a1a0958b686406e853bb14061f218562e1896f95e6" dependencies = [ "libc", ] [[package]] name = "crc32fast" -version = "1.4.0" +version = "1.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b3855a8a784b474f333699ef2bbca9db2c4a1f6d9088a90a2d25b1eb53111eaa" +checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3" dependencies = [ "cfg-if", ] 
@@ -1430,7 +1437,7 @@ dependencies = [ "bitflags 1.3.2", "codicon", "dirs", - "hyper 0.14.30", + "hyper 0.14.31", "hyper-tls 0.5.0", "iocuddle", "libc", @@ -1445,9 +1452,9 @@ dependencies = [ [[package]] name = "ct-codecs" -version = "1.1.1" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3b7eb4404b8195a9abb6356f4ac07d8ba267045c8d6d220ac4dc992e6cc75df" +checksum = "026ac6ceace6298d2c557ef5ed798894962296469ec7842288ea64674201a2d1" [[package]] name = "ctr" @@ -1460,9 +1467,9 @@ dependencies = [ [[package]] name = "curl" -version = "0.4.46" +version = "0.4.47" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e2161dd6eba090ff1594084e95fd67aeccf04382ffea77999ea94ed42ec67b6" +checksum = "d9fb4d13a1be2b58f14d60adba57c9834b78c62fd86c3e76a148f732686e9265" dependencies = [ "curl-sys", "libc", @@ -1475,9 +1482,9 @@ dependencies = [ [[package]] name = "curl-sys" -version = "0.4.74+curl-8.9.0" +version = "0.4.78+curl-8.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8af10b986114528fcdc4b63b6f5f021b7057618411046a4de2ba0f0149a097bf" +checksum = "8eec768341c5c7789611ae51cf6c459099f22e64a5d5d0ce4892434e33821eaf" dependencies = [ "cc", "libc", @@ -1600,15 +1607,15 @@ dependencies = [ [[package]] name = "derive_more" -version = "0.99.17" +version = "0.99.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4fb810d30a7c1953f91334de7244731fc3f3c10d7fe163338a35b9f640960321" +checksum = "5f33878137e4dafd7fa914ad4e259e18a4e8e532b9617a2d0150262bf53abfce" dependencies = [ "convert_case", "proc-macro2", "quote", "rustc_version", - "syn 1.0.109", + "syn 2.0.87", ] [[package]] 
@@ -1655,9 +1662,9 @@ dependencies = [ [[package]] name = "displaydoc" -version = "0.2.4" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d" +checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", @@ -1670,6 +1677,15 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0688c2a7f92e427f44895cd63841bff7b29f8d7a1648b9e7e07a4a365b2e1257" +[[package]] +name = "document-features" +version = "0.2.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb6969eaabd2421f8a2775cfd2471a2b634372b4a25d41e3bd647b79912850a0" +dependencies = [ + "litrs", +] + [[package]] name = "ear" version = "0.1.2" @@ -1684,7 +1700,26 @@ dependencies = [ "phf", "serde", "serde_json", - "thiserror 1.0.65", + "thiserror 1.0.69", +] + +[[package]] +name = "ear" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1134a8dbb5ad666d26d82da83d12b71703b16f2ed5433d5ba24d8cfea2b66d96" +dependencies = [ + "base64 0.22.1", + "ciborium", + "cose-rust", + "hex", + "jsonwebtoken", + "lazy_static", + "openssl", + "phf", + "serde", + "serde_json", + "thiserror 1.0.69", ] [[package]] @@ -1713,9 +1748,9 @@ dependencies = [ [[package]] name = "either" -version = "1.11.0" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a47c1c47d2f5964e29c61246e81db715514cd532db6b5116a25ea3c03d6780a2" +checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" [[package]] name = "elliptic-curve" 
@@ -1740,9 +1775,9 @@ dependencies = [ [[package]] name = "encoding_rs" -version = "0.8.34" +version = "0.8.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b45de904aa0b010bce2ab45264d0631681847fa7b6f2eaa7dab7619943bc4f59" +checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3" dependencies = [ "cfg-if", ] @@ -1814,9 +1849,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.8" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" dependencies = [ "libc", "windows-sys 0.52.0", @@ -1861,12 +1896,12 @@ checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" [[package]] name = "flate2" -version = "1.0.32" +version = "1.0.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c0596c1eac1f9e04ed902702e9878208b336edc9d6fddc8a48387349bab3666" +checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c" dependencies = [ "crc32fast", - "miniz_oxide 0.8.0", + "miniz_oxide", ] [[package]] @@ -1911,9 +1946,9 @@ dependencies = [ [[package]] name = "futures" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "645c6916888f6cb6350d2550b80fb63e734897a8498abe35cfb732b6487804b0" +checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876" dependencies = [ "futures-channel", "futures-core", 
@@ -1942,9 +1977,9 @@ checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" [[package]] name = "futures-executor" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a576fc72ae164fca6b9db127eaa9a9dda0d61316034f33a0a0d4eda41f02b01d" +checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f" dependencies = [ "futures-core", "futures-task", @@ -2049,9 +2084,9 @@ dependencies = [ [[package]] name = "gimli" -version = "0.29.0" +version = "0.31.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40ecd4077b5ae9fd2e9e169b102c6c330d0605168eb0e8bf79952b256dbefffd" +checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f" [[package]] name = "git2" @@ -2095,7 +2130,7 @@ dependencies = [ "futures-sink", "futures-util", "http 0.2.12", - "indexmap 2.2.6", + "indexmap 2.6.0", "slab", "tokio", "tokio-util", @@ -2114,7 +2149,7 @@ dependencies = [ "futures-core", "futures-sink", "http 1.1.0", - "indexmap 2.2.6", + "indexmap 2.6.0", "slab", "tokio", "tokio-util", @@ -2146,6 +2181,12 @@ version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" +[[package]] +name = "hashbrown" +version = "0.15.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3" + [[package]] name = "heck" version = "0.4.1" @@ -2277,9 +2318,9 @@ dependencies = [ [[package]] name = "http-body" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1cac85db508abc24a2e48553ba12a996e87244a0395ce011e62b37158745d643" +checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184" dependencies = [ "bytes", "http 1.1.0", 
@@ -2294,15 +2335,15 @@ dependencies = [ "bytes", "futures-util", "http 1.1.0", - "http-body 1.0.0", + "http-body 1.0.1", "pin-project-lite", ] [[package]] name = "httparse" -version = "1.8.0" +version = "1.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d897f394bad6a705d5f4104762e116a75639e470d80901eed05a860a95cb1904" +checksum = "7d71d3574edd2771538b901e6549113b4006ece66150fb69c0fb6d9a2adae946" [[package]] name = "httpdate" @@ -2318,9 +2359,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" [[package]] name = "hyper" -version = "0.14.30" +version = "0.14.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a152ddd61dfaec7273fe8419ab357f33aee0d914c5f4efbf0d96fa749eea5ec9" +checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85" dependencies = [ "bytes", "futures-channel", @@ -2351,7 +2392,7 @@ dependencies = [ "futures-util", "h2 0.4.7", "http 1.1.0", - "http-body 1.0.0", + "http-body 1.0.1", "httparse", "httpdate", "itoa", @@ -2369,7 +2410,7 @@ checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" dependencies = [ "futures-util", "http 0.2.12", - "hyper 0.14.30", + "hyper 0.14.31", "rustls 0.21.12", "tokio", "tokio-rustls 0.24.1", @@ -2377,20 +2418,20 @@ dependencies = [ [[package]] name = "hyper-rustls" -version = "0.27.2" +version = "0.27.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ee4be2c948921a1a5320b629c4193916ed787a7f7f293fd3f7f5a6c9de74155" +checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333" dependencies = [ "futures-util", "http 1.1.0", "hyper 1.5.1", "hyper-util", - "rustls 0.23.7", + "rustls 0.23.17", "rustls-pki-types", "tokio", "tokio-rustls 0.26.0", "tower-service", - "webpki-roots 0.26.1", + "webpki-roots 0.26.6", ] [[package]] 
@@ -2399,7 +2440,7 @@ version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" dependencies = [ - "hyper 0.14.30", + "hyper 0.14.31", "pin-project-lite", "tokio", "tokio-io-timeout", @@ -2425,7 +2466,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" dependencies = [ "bytes", - "hyper 0.14.30", + "hyper 0.14.31", "native-tls", "tokio", "tokio-native-tls", @@ -2457,7 +2498,7 @@ dependencies = [ "futures-channel", "futures-util", "http 1.1.0", - "http-body 1.0.0", + "http-body 1.0.1", "hyper 1.5.1", "pin-project-lite", "socket2", @@ -2613,26 +2654,6 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39" -[[package]] -name = "idna" -version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6" -dependencies = [ - "unicode-bidi", - "unicode-normalization", -] - -[[package]] -name = "idna" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6" -dependencies = [ - "unicode-bidi", - "unicode-normalization", -] - [[package]] name = "idna" version = "1.0.3" @@ -2656,9 +2677,9 @@ dependencies = [ [[package]] name = "impl-more" -version = "0.1.6" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "206ca75c9c03ba3d4ace2460e57b189f39f43de612c2f85836e65c929701bb2d" +checksum = "aae21c3177a27788957044151cc2800043d127acaa460a47ebb9b84dfa2c6aa0" [[package]] name = "indexmap" 
@@ -2672,12 +2693,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.2.6" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "168fb715dda47215e360912c096649d23d58bf392ac62f73919e831745e40f26" +checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" dependencies = [ "equivalent", - "hashbrown 0.14.5", + "hashbrown 0.15.1", ] [[package]] @@ -2692,9 +2713,9 @@ dependencies = [ [[package]] name = "instant" -version = "0.1.12" +version = "0.1.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c" +checksum = "e0242819d153cba4b4b05a5a8f2a7e9bbf97b6055b2a002b395c96b5ff3c0222" dependencies = [ "cfg-if", ] @@ -2724,9 +2745,9 @@ checksum = "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" [[package]] name = "ipnet" -version = "2.9.0" +version = "2.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3" +checksum = "ddc24109865250148c2e0f3d25d4f0f479571723792d3802153c60922a4fb708" [[package]] name = "is-terminal" @@ -2747,9 +2768,9 @@ checksum = "06d198e9919d9822d5f7083ba8530e04de87841eaf21ead9af8f2304efd57c89" [[package]] name = "is_terminal_polyfill" -version = "1.70.0" +version = "1.70.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800" +checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" [[package]] name = "itertools" 
@@ -2760,26 +2781,35 @@ dependencies = [ "either", ] +[[package]] +name = "itertools" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186" +dependencies = [ + "either", +] + [[package]] name = "itoa" -version = "1.0.11" +version = "1.0.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +checksum = "540654e97a3f4470a492cd30ff187bc95d89557a903a2bbf112e2fae98104ef2" [[package]] name = "jobserver" -version = "0.1.31" +version = "0.1.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2b099aaa34a9751c5bf0878add70444e1ed2dd73f347be99003d4577277de6e" +checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0" dependencies = [ "libc", ] [[package]] name = "js-sys" -version = "0.3.69" +version = "0.3.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d" +checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" dependencies = [ "wasm-bindgen", ] @@ -2807,7 +2837,7 @@ dependencies = [ "num-bigint", "serde", "serde_json", - "thiserror 1.0.65", + "thiserror 1.0.69", "yasna 0.4.0", "zeroize", ] @@ -2849,15 +2879,15 @@ dependencies = [ "serde", "serde_json", "spki 0.6.0", - "thiserror 1.0.65", + "thiserror 1.0.69", "zeroize", ] [[package]] name = "jwt-simple" -version = "0.12.9" +version = "0.12.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "094661f5aad510abe2658bff20409e89046b753d9dc2d4007f5c100b6d982ba0" +checksum = "50ae7e0018905a795d6f2a60ac32a547490abdd8df509906a8c6171e6d861711" dependencies = [ "anyhow", "binstring", @@ -2875,7 +2905,7 @@ dependencies = [ "serde", "serde_json", "superboring", - "thiserror 1.0.65", + "thiserror 1.0.69", "zeroize", ] 
@@ -2906,7 +2936,7 @@ dependencies = [ "az-cvm-vtpm", "base64 0.22.1", "cfg-if", - "clap 4.5.20", + "clap 4.5.21", "config", "cryptoki", "derivative", @@ -2932,7 +2962,7 @@ dependencies = [ "serde_json", "strum 0.25.0", "tempfile", - "thiserror 1.0.65", + "thiserror 1.0.69", "time", "tokio", "tonic 0.11.0", @@ -2946,7 +2976,7 @@ version = "0.1.0" dependencies = [ "anyhow", "base64 0.22.1", - "clap 4.5.20", + "clap 4.5.21", "env_logger 0.10.2", "jwt-simple 0.11.9", "kbs_protocol", @@ -2977,7 +3007,7 @@ dependencies = [ "attester", "base64 0.22.1", "crypto", - "jwt-simple 0.12.9", + "jwt-simple 0.12.10", "kbs-types", "log", "reqwest 0.12.9", @@ -3085,9 +3115,9 @@ dependencies = [ [[package]] name = "libm" -version = "0.2.8" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058" +checksum = "8355be11b20d696c8f18f6cc018c4e372165b1fa8126cef092399c9951984ffa" [[package]] name = "libredox" @@ -3095,7 +3125,7 @@ version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d" dependencies = [ - "bitflags 2.5.0", + "bitflags 2.6.0", "libc", ] @@ -3129,6 +3159,12 @@ version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704" +[[package]] +name = "litrs" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4ce301924b7887e9d637144fdade93f9dfff9b60981d4ac161db09720d39aa5" + [[package]] name = "local-channel" version = "0.1.5" 
@@ -3180,9 +3216,9 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.2" +version = "2.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c8640c5d730cb13ebd907d8d04b52f55ac9a2eec55b440c8892f40d56c76c1d" +checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "memoffset" @@ -3215,15 +3251,6 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" -[[package]] -name = "miniz_oxide" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7" -dependencies = [ - "adler", -] - [[package]] name = "miniz_oxide" version = "0.8.0" @@ -3233,18 +3260,6 @@ dependencies = [ "adler2", ] -[[package]] -name = "mio" -version = "0.8.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c" -dependencies = [ - "libc", - "log", - "wasi", - "windows-sys 0.48.0", -] - [[package]] name = "mio" version = "1.0.2" @@ -3253,6 +3268,7 @@ checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec" dependencies = [ "hermit-abi 0.3.9", "libc", + "log", "wasi", "windows-sys 0.52.0", ] @@ -3270,7 +3286,7 @@ dependencies = [ "futures-util", "log", "metrics", - "thiserror 1.0.65", + "thiserror 1.0.69", "tokio", "tracing", "tracing-subscriber", @@ -3278,9 +3294,9 @@ dependencies = [ [[package]] name = "multimap" -version = "0.8.3" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" +checksum = "defc4c55412d89136f966bbb339008b474350e5e6e78d2714439c386b3137a03" [[package]] name = "native-tls" 
@@ -3319,27 +3335,12 @@ dependencies = [ "winapi", ] -[[package]] -name = "num" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3135b08af27d103b0a51f2ae0f8632117b7b185ccf931445affa8df530576a41" -dependencies = [ - "num-bigint", - "num-complex", - "num-integer", - "num-iter", - "num-rational", - "num-traits", -] - [[package]] name = "num-bigint" -version = "0.4.4" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" +checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" dependencies = [ - "autocfg", "num-integer", "num-traits", ] @@ -3361,15 +3362,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "num-complex" -version = "0.4.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23c6602fda94a57c990fe0df199a035d83576b496aa29f4e634a8ac6004e68a6" -dependencies = [ - "num-traits", -] - [[package]] name = "num-conv" version = "0.1.0" 
@@ -3398,32 +3390,20 @@ dependencies = [ [[package]] name = "num-iter" -version = "0.1.44" +version = "0.1.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d869c01cc0c455284163fd0092f1f93835385ccab5a98a0dcc497b2f8bf055a9" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" dependencies = [ "autocfg", "num-integer", "num-traits", ] -[[package]] -name = "num-rational" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" -dependencies = [ - "autocfg", - "num-bigint", - "num-integer", - "num-traits", -] - [[package]] name = "num-traits" -version = "0.2.18" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", "libm", @@ -3489,11 +3469,11 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "openssl" -version = "0.10.64" +version = "0.10.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" +checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" dependencies = [ - "bitflags 2.5.0", + "bitflags 2.6.0", "cfg-if", "foreign-types", "libc", 
@@ -3521,18 +3501,18 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-src" -version = "300.2.3+3.2.1" +version = "300.4.1+3.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5cff92b6f71555b61bb9315f7c64da3ca43d87531622120fea0195fc761b4843" +checksum = "faa4eac4138c62414b5622d1b31c5c304f34b406b013c079c2bbc652fdd6678c" dependencies = [ "cc", ] [[package]] name = "openssl-sys" -version = "0.9.102" +version = "0.9.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" +checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" dependencies = [ "cc", "libc", @@ -3617,9 +3597,9 @@ dependencies = [ [[package]] name = "parking_lot" -version = "0.12.2" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e4af0ca4f6caed20e900d564c242b8e5d4903fdacf31d3daf527b66fe6f42fb" +checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" dependencies = [ "lock_api", "parking_lot_core 0.9.10", @@ -3647,7 +3627,7 @@ checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.5.1", + "redox_syscall 0.5.7", "smallvec", "windows-targets 0.52.6", ] @@ -3663,9 +3643,9 @@ dependencies = [ [[package]] name = "paste" -version = "1.0.14" +version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c" +checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" [[package]] name = "path-clean" 
@@ -3675,9 +3655,9 @@ checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef" [[package]] name = "pathdiff" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" +checksum = "d61c5ce1153ab5b689d0c074c4e7fc613e942dfb7dd9eea5ab202d2ad91fe361" [[package]] name = "peeking_take_while" @@ -3721,20 +3701,20 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pest" -version = "2.7.10" +version = "2.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "560131c633294438da9f7c4b08189194b20946c8274c6b9e38881a7874dc8ee8" +checksum = "879952a81a83930934cbf1786752d6dedc3b1f29e8f8fb2ad1d0a36f377cf442" dependencies = [ "memchr", - "thiserror 1.0.65", + "thiserror 1.0.69", "ucd-trie", ] [[package]] name = "pest_derive" -version = "2.7.10" +version = "2.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26293c9193fbca7b1a3bf9b79dc1e388e927e6cacaa78b4a3ab705a1d3d41459" +checksum = "d214365f632b123a47fd913301e14c946c61d1c183ee245fa76eb752e59a02dd" dependencies = [ "pest", "pest_generator", @@ -3742,9 +3722,9 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.7.10" +version = "2.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3ec22af7d3fb470a85dd2ca96b7c577a1eb4ef6f1683a9fe9a8c16e136c04687" +checksum = "eb55586734301717aea2ac313f50b2eb8f60d2fc3dc01d190eefa2e625f60c4e" dependencies = [ "pest", "pest_meta", @@ -3755,9 +3735,9 @@ dependencies = [ [[package]] name = "pest_meta" -version = "2.7.10" +version = "2.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7a240022f37c361ec1878d646fc5b7d7c4d28d5946e1a80ad5a7a4f4ca0bdcd" +checksum = "b75da2a70cf4d9cb76833c990ac9cd3923c9a8905a8929789ce347c84564d03d" dependencies = [ "once_cell", "pest", 
@@ -3766,12 +3746,12 @@ dependencies = [ [[package]] name = "petgraph" -version = "0.6.4" +version = "0.6.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" +checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.2.6", + "indexmap 2.6.0", ] [[package]] @@ -3864,18 +3844,18 @@ dependencies = [ [[package]] name = "pin-project" -version = "1.1.5" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6bf43b791c5b9e34c3d182969b4abb522f9343702850a2e57f460d00d09b4b3" +checksum = "be57f64e946e500c8ee36ef6331845d40a93055567ec57e8fae13efd33759b95" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" -version = "1.1.5" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965" +checksum = "3c0f5fad0874fc7abcd4d750e76917eaebbecaa2c20bde22e1dbeeba8beb758c" dependencies = [ "proc-macro2", "quote", @@ -3884,9 +3864,9 @@ dependencies = [ [[package]] name = "pin-project-lite" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" +checksum = "915a1e146535de9163f3987b8944ed8cf49a18bb0056bcebcdcece385cece4ff" [[package]] name = "pin-utils" @@ -3939,9 +3919,9 @@ dependencies = [ [[package]] name = "pkg-config" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" +checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" [[package]] name = "polyval" 
@@ -3957,9 +3937,9 @@ dependencies = [ [[package]] name = "portable-atomic" -version = "1.6.0" +version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" +checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" [[package]] name = "powerfmt" @@ -3969,15 +3949,18 @@ checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" [[package]] name = "ppv-lite86" -version = "0.2.17" +version = "0.2.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04" +dependencies = [ + "zerocopy", +] [[package]] name = "prettyplease" -version = "0.2.20" +version = "0.2.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f12335488a2f3b0a83b14edad48dca9879ce89b2edd10e80237e4e852dd645e" +checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033" dependencies = [ "proc-macro2", "syn 2.0.87", @@ -4053,7 +4036,7 @@ checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4" dependencies = [ "bytes", "heck 0.5.0", - "itertools", + "itertools 0.12.1", "log", "multimap", "once_cell", @@ -4074,7 +4057,7 @@ checksum = "0c1318b19085f08681016926435853bbf7858f9c082d0999b80550ff5d9abe15" dependencies = [ "bytes", "heck 0.5.0", - "itertools", + "itertools 0.13.0", "log", "multimap", "once_cell", @@ -4094,7 +4077,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" dependencies = [ "anyhow", - "itertools", + "itertools 0.12.1", "proc-macro2", "quote", "syn 2.0.87", 
@@ -4107,7 +4090,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e9552f850d5f0964a4e4d0bf306459ac29323ddfbae05e35a7c0d35cb0803cc5" dependencies = [ "anyhow", - "itertools", + "itertools 0.13.0", "proc-macro2", "quote", "syn 2.0.87", 
@@ -4139,67 +4122,71 @@ checksum = "33cb294fe86a74cbcf50d4445b37da762029549ebeea341421c7c70370f86cac" [[package]] name = "publicsuffix" -version = "2.2.3" +version = "2.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96a8c1bda5ae1af7f99a2962e49df150414a43d62404644d98dd5c3a93d07457" +checksum = "6f42ea446cab60335f76979ec15e12619a2165b5ae2c12166bef27d283a9fadf" dependencies = [ - "idna 0.3.0", + "idna", "psl-types", ] [[package]] name = "quinn" -version = "0.11.5" +version = "0.11.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c7c5fdde3cdae7203427dc4f0a68fe0ed09833edc525a03456b153b79828684" +checksum = "62e96808277ec6f97351a2380e6c25114bc9e67037775464979f3037c92d05ef" dependencies = [ "bytes", "pin-project-lite", "quinn-proto", "quinn-udp", "rustc-hash 2.0.0", - "rustls 0.23.7", + "rustls 0.23.17", "socket2", - "thiserror 1.0.65", + "thiserror 2.0.3", "tokio", "tracing", ] [[package]] name = "quinn-proto" -version = "0.11.8" +version = "0.11.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fadfaed2cd7f389d0161bb73eeb07b7b78f8691047a6f3e73caaeae55310a4a6" +checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d" dependencies = [ "bytes", + "getrandom", "rand", "ring", "rustc-hash 2.0.0", - "rustls 0.23.7", + "rustls 0.23.17", + "rustls-pki-types", "slab", - "thiserror 1.0.65", + "thiserror 2.0.3", "tinyvec", "tracing", + "web-time", ] [[package]] name = "quinn-udp" -version = "0.5.4" +version = "0.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8bffec3605b73c6f1754535084a85229fa8a30f86014e6c81aeec4abb68b0285" +checksum = "7d5a626c6807713b15cac82a6acaccd6043c9a5408c24baae07611fec3f243da" dependencies = [ + "cfg_aliases", "libc", "once_cell", "socket2", "tracing", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "quote" -version = "1.0.36" +version = "1.0.37" source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] @@ -4263,22 +4250,22 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.1" +version = "0.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "469052894dcb553421e483e4209ee581a45100d31b4018de03e5a7ad86374a7e" +checksum = "9b6dfecf2c74bce2466cabf93f6664d6998a69eb21e39f4207930065b27b771f" dependencies = [ - "bitflags 2.5.0", + "bitflags 2.6.0", ] [[package]] name = "redox_users" -version = "0.4.5" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd283d9651eeda4b2a83a43c1c91b266c40fd76ecd39a50a8c630ae69dc72891" +checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43" dependencies = [ "getrandom", "libredox", - "thiserror 1.0.65", + "thiserror 1.0.69", ] [[package]] @@ -4291,7 +4278,7 @@ dependencies = [ "base64 0.22.1", "cfg-if", "chrono", - "clap 4.5.20", + "clap 4.5.21", "config", "env_logger 0.10.2", "log", @@ -4326,15 +4313,21 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.8" +version = "0.4.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" +checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908" dependencies = [ "aho-corasick", "memchr", "regex-syntax", ] +[[package]] +name = "regex-lite" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53a49587ad06b26609c52e423de037e7f57f20d53535d66e08c695f347df952a" + [[package]] name = "regex-syntax" version = "0.8.5" 
@@ -4343,17 +4336,15 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" [[package]] name = "regorus" -version = "0.1.5" +version = "0.2.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77dd872918e5c172bd42ac49716f89a15e35be513bba3d902e355a531529a87f" +checksum = "843c3d97f07e3b5ac0955d53ad0af4c91fe4a4f8525843ece5bf014f27829b73" dependencies = [ "anyhow", "chrono", "chrono-tz", "data-encoding", - "itertools", "lazy_static", - "num", "rand", "regex", "scientific", @@ -4363,9 +4354,9 @@ dependencies = [ [[package]] name = "relative-path" -version = "1.9.2" +version = "1.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e898588f33fdd5b9420719948f9f2a32c922a246964576f71ba7f24f80610fbc" +checksum = "ba39f3699c378cd8970968dcbff9c43159ea4cfbd88d43c00b22f2ef10a435d2" [[package]] name = "reqwest" @@ -4381,7 +4372,7 @@ dependencies = [ "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.30", + "hyper 0.14.31", "hyper-rustls 0.24.2", "hyper-tls 0.5.0", "ipnet", @@ -4424,10 +4415,10 @@ dependencies = [ "futures-core", "futures-util", "http 1.1.0", - "http-body 1.0.0", + "http-body 1.0.1", "http-body-util", "hyper 1.5.1", - "hyper-rustls 0.27.2", + "hyper-rustls 0.27.3", "hyper-tls 0.6.0", "hyper-util", "ipnet", @@ -4439,13 +4430,13 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.7", - "rustls-pemfile 2.1.2", + "rustls 0.23.17", + "rustls-pemfile 2.2.0", "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", - "sync_wrapper 1.0.1", + "sync_wrapper 1.0.2", "tokio", "tokio-native-tls", "tokio-rustls 0.26.0", @@ -4454,7 +4445,7 @@ dependencies = [ "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots 0.26.1", + "webpki-roots 0.26.6", "windows-registry", ] 
@@ -4606,9 +4597,9 @@ checksum = "583034fd73374156e66797ed8e5b0d5690409c9226b22d87cb7f19821c05d152" [[package]] name = "rustc_version" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" +checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92" dependencies = [ "semver", ] @@ -4628,7 +4619,7 @@ version = "0.38.41" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d7f649912bc1495e167a6edee79151c84b1bad49748cb4f1f1167f459f6224f6" dependencies = [ - "bitflags 2.5.0", + "bitflags 2.6.0", "errno", "libc", "linux-raw-sys", @@ -4649,15 +4640,15 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.7" +version = "0.23.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ebbbdb961df0ad3f2652da8f3fdc4b36122f568f968f45ad3316f26c025c677b" +checksum = "7f1a745511c54ba6d4465e8d5dfbd81b45791756de28d4981af70d6dca128f1e" dependencies = [ "log", "once_cell", "ring", "rustls-pki-types", - "rustls-webpki 0.102.3", + "rustls-webpki 0.102.8", "subtle", "zeroize", ] @@ -4673,19 +4664,21 @@ dependencies = [ [[package]] name = "rustls-pemfile" -version = "2.1.2" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "29993a25686778eb88d4189742cd713c9bce943bc54251a33509dc63cbacf73d" +checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" dependencies = [ - "base64 0.22.1", "rustls-pki-types", ] [[package]] name = "rustls-pki-types" -version = "1.5.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "beb461507cee2c2ff151784c52762cf4d9ff6a61f3e80968600ed24fa837fa54" +checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b" +dependencies = [ + "web-time", +] [[package]] name = "rustls-webpki" 
@@ -4699,9 +4692,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.102.3" +version = "0.102.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3bce581c0dd41bce533ce695a1437fa16a7ab5ac3ccfa99fe1a620a7885eabf" +checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9" dependencies = [ "ring", "rustls-pki-types", @@ -4716,9 +4709,9 @@ checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248" [[package]] name = "ryu" -version = "1.0.17" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1" +checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" [[package]] name = "s390_pv" @@ -4734,7 +4727,7 @@ dependencies = [ "openssl-sys", "s390_pv_core", "serde", - "thiserror 1.0.65", + "thiserror 1.0.69", "zerocopy", ] @@ -4748,7 +4741,7 @@ dependencies = [ "libc", "log", "serde", - "thiserror 1.0.65", + "thiserror 1.0.69", "zerocopy", ] @@ -4763,20 +4756,20 @@ dependencies = [ [[package]] name = "scc" -version = "2.1.0" +version = "2.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec96560eea317a9cc4e0bb1f6a2c93c09a19b8c4fc5cb3fcc0ec1c094cd783e2" +checksum = "66b202022bb57c049555430e11fc22fea12909276a80a4c3d368da36ac1d88ed" dependencies = [ "sdd", ] [[package]] name = "schannel" -version = "0.1.23" +version = "0.1.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbc91545643bcf3a0bbb6569265615222618bdf33ce4ffbbd13c4bbd4c093534" +checksum = "1f29ebaa345f945cec9fbbc532eb307f0fdad8161f281b6369539c8d84876b3d" dependencies = [ - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] 
@@ -4857,9 +4850,9 @@ dependencies = [ [[package]] name = "sdd" -version = "0.2.0" +version = "3.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b84345e4c9bd703274a082fb80caaa99b7612be48dfaa1dd9266577ec412309d" +checksum = "49c1eeaf4b6a87c7479688c6d52b9f1153cedd3c489300564f932b065c6eab95" [[package]] name = "sec1" @@ -4886,11 +4879,11 @@ dependencies = [ [[package]] name = "security-framework" -version = "2.11.0" +version = "2.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c627723fd09706bacdb5cf41499e95098555af3c3c29d014dc3c458ef6be11c0" +checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" dependencies = [ - "bitflags 2.5.0", + "bitflags 2.6.0", "core-foundation", "core-foundation-sys", "libc", @@ -4899,9 +4892,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.11.1" +version = "2.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75da29fe9b9b08fe9d6b22b5b4bcbc75d8db3aa31e639aa56bb62e9d46bfceaf" +checksum = "fa39c7303dc58b5543c94d22c1766b0d31f2ee58306363ea622b10bbc075eaa2" dependencies = [ "core-foundation-sys", "libc", @@ -4909,15 +4902,15 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.22" +version = "1.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca" +checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" [[package]] name = "serde" -version = "1.0.205" +version = "1.0.215" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e33aedb1a7135da52b7c21791455563facbbcc43d0f0f66165b42c21b3dfb150" +checksum = "6513c1ad0b11a9376da888e3e0baa0077f1aed55c17f50e7b2397136129fb88f" dependencies = [ "serde_derive", ] 
@@ -4933,18 +4926,18 @@ dependencies = [ [[package]] name = "serde_bytes" -version = "0.11.14" +version = "0.11.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b8497c313fd43ab992087548117643f6fcd935cbf36f176ffda0aacf9591734" +checksum = "387cc504cb06bb40a96c8e04e951fe01854cf6bc921053c954e4a606d9675c6a" dependencies = [ "serde", ] [[package]] name = "serde_derive" -version = "1.0.205" +version = "1.0.215" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "692d6f5ac90220161d6774db30c662202721e64aed9058d2c394f451261420c1" +checksum = "ad1e866f866923f252f05c889987993144fb74e722403468a4ebd70c3cd756c0" dependencies = [ "proc-macro2", "quote", @@ -4953,9 +4946,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.132" +version = "1.0.133" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" +checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377" dependencies = [ "itoa", "memchr", @@ -5028,7 +5021,7 @@ dependencies = [ "futures", "lazy_static", "log", - "parking_lot 0.12.2", + "parking_lot 0.12.3", "serial_test_derive", ] @@ -5046,13 +5039,13 @@ dependencies = [ [[package]] name = "sev" -version = "3.1.1" +version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2890179f8ef689340f441ba05f0b268bc14f672ae4b36d629cc2266d0d747ab" +checksum = "35156eab65ff1b63432b5a11a06b770e92120033e2831c7dee064865de5dbbbd" dependencies = [ - "base64 0.21.7", + "base64 0.22.1", "bincode", - "bitfield 0.13.2", + "bitfield 0.15.0", "bitflags 1.3.2", "byteorder", "codicon", @@ -5186,7 +5179,7 @@ checksum = "adc4e5204eb1910f40f9cfa375f6f05b68c3abac4b6fd879c8ff5e7ae8a0a085" dependencies = [ "num-bigint", "num-traits", - "thiserror 1.0.65", + "thiserror 1.0.69", "time", ] 
@@ -5339,9 +5332,9 @@ dependencies = [ [[package]] name = "subtle" -version = "2.5.0" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" +checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "superboring" @@ -5386,9 +5379,9 @@ checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" [[package]] name = "sync_wrapper" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394" +checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263" dependencies = [ "futures-core", ] @@ -5439,9 +5432,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.14" +version = "0.12.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" +checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" [[package]] name = "tdx-attest-rs" @@ -5501,11 +5494,11 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.65" +version = "1.0.69" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5" +checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52" dependencies = [ - "thiserror-impl 1.0.65", + "thiserror-impl 1.0.69", ] [[package]] @@ -5519,9 +5512,9 @@ dependencies = [ [[package]] name = "thiserror-impl" -version = "1.0.65" +version = "1.0.69" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602" +checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", 
@@ -5616,8 +5609,8 @@ dependencies = [ "backtrace", "bytes", "libc", - "mio 1.0.2", - "parking_lot 0.12.2", + "mio", + "parking_lot 0.12.3", "pin-project-lite", "signal-hook-registry", "socket2", @@ -5658,11 +5651,10 @@ dependencies = [ [[package]] name = "tokio-openssl" -version = "0.6.4" +version = "0.6.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ffab79df67727f6acf57f1ff743091873c24c579b1e2ce4d8f53e47ded4d63d" +checksum = "59df6849caa43bb7567f9a36f863c447d95a11d5903c9cc334ba32576a27eadd" dependencies = [ - "futures-util", "openssl", "openssl-sys", "tokio", @@ -5684,7 +5676,7 @@ version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" dependencies = [ - "rustls 0.23.7", + "rustls 0.23.17", "rustls-pki-types", "tokio", ] @@ -5702,16 +5694,15 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.10" +version = "0.7.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5419f34732d9eb6ee4c3578b7989078579b7f039cbbb9ca2c4da015749371e15" +checksum = "61e7c3654c13bcd040d4a03abee2c75b1d14a37b423cf5a813ceae1cc903ec6a" dependencies = [ "bytes", "futures-core", "futures-sink", "pin-project-lite", "tokio", - "tracing", ] [[package]] @@ -5746,11 +5737,11 @@ dependencies = [ [[package]] name = "toml_edit" -version = "0.22.20" +version = "0.22.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "583c44c02ad26b0c3f3066fe629275e50627026c51ac2e595cca4c230ce1ce1d" +checksum = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5" dependencies = [ - "indexmap 2.2.6", + "indexmap 2.6.0", "serde", "serde_spanned", "toml_datetime", 
@@ -5771,14 +5762,14 @@ dependencies = [ "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.30", + "hyper 0.14.31", "hyper-timeout 0.4.1", "percent-encoding", "pin-project", "prost 0.12.6", "tokio", "tokio-stream", - "tower", + "tower 0.4.13", "tower-layer", "tower-service", "tracing", @@ -5792,12 +5783,12 @@ checksum = "877c5b330756d856ffcc4553ab34a5684481ade925ecc54bcd1bf02b1d0d4d52" dependencies = [ "async-stream", "async-trait", - "axum 0.7.5", + "axum 0.7.9", "base64 0.22.1", "bytes", "h2 0.4.7", "http 1.1.0", - "http-body 1.0.0", + "http-body 1.0.1", "http-body-util", "hyper 1.5.1", "hyper-timeout 0.5.2", @@ -5808,7 +5799,7 @@ dependencies = [ "socket2", "tokio", "tokio-stream", - "tower", + "tower 0.4.13", "tower-layer", "tower-service", "tracing", @@ -5861,17 +5852,31 @@ dependencies = [ "tracing", ] +[[package]] +name = "tower" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2873938d487c3cfb9aed7546dc9f2711d867c9f90c46b889989a2cb84eba6b4f" +dependencies = [ + "futures-core", + "futures-util", + "pin-project-lite", + "sync_wrapper 0.1.2", + "tower-layer", + "tower-service", +] + [[package]] name = "tower-layer" -version = "0.3.2" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c20c8dbed6283a09604c3e69b4b7eeb54e298b8a600d4d5ecb5ad39de609f1d0" +checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e" [[package]] name = "tower-service" -version = "0.3.2" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" +checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tracing" 
@@ -6009,39 +6014,24 @@ dependencies = [ [[package]] name = "tzdb_data" -version = "0.1.2" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1889fdffac09d65c1d95c42d5202e9b21ad8c758f426e9fe09088817ea998d6" +checksum = "654c1ec546942ce0594e8d220e6b8e3899e0a0a8fe70ddd54d32a376dfefe3f8" dependencies = [ "tz-rs", ] [[package]] name = "ucd-trie" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9" - -[[package]] -name = "unicode-bidi" -version = "0.3.15" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08f95100a766bf4f8f28f90d77e0a5461bbdb219042e7679bebe79004fed8d75" +checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971" [[package]] name = "unicode-ident" -version = "1.0.12" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" - -[[package]] -name = "unicode-normalization" -version = "0.1.23" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a56d1686db2308d901306f92a263857ef59ea39678a5458e7cb17f01415101f5" -dependencies = [ - "tinyvec", -] +checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83" [[package]] name = "unicode-width" @@ -6051,9 +6041,9 @@ checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af" [[package]] name = "unicode-xid" -version = "0.2.4" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c" +checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" [[package]] name = "universal-hash" 
@@ -6080,12 +6070,12 @@ dependencies = [ "base64 0.22.1", "log", "once_cell", - "rustls 0.23.7", + "rustls 0.23.17", "rustls-pki-types", "serde", "serde_json", "url", - "webpki-roots 0.26.1", + "webpki-roots 0.26.6", ] [[package]] @@ -6095,7 +6085,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8d157f1b96d14500ffdc1f10ba712e780825526c03d9a49b4d0324b0d9113ada" dependencies = [ "form_urlencoded", - "idna 1.0.3", + "idna", "percent-encoding", "serde", ] @@ -6114,15 +6104,15 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" [[package]] name = "utf8parse" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" +checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.8.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a183cf7feeba97b4dd1c0d46788634f6221d87fa961b305bed08c851829efcc0" +checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a" dependencies = [ "getrandom", "serde", @@ -6157,7 +6147,7 @@ dependencies = [ "reqwest 0.11.27", "serde", "serde_with", - "thiserror 1.0.65", + "thiserror 1.0.69", "url", ] @@ -6177,7 +6167,7 @@ dependencies = [ "cfg-if", "codicon", "csv-rs", - "ear", + "ear 0.1.2", "eventlog-rs", "hex", "intel-tee-quote-verification-rs", @@ -6198,7 +6188,7 @@ dependencies = [ "sha2", "shadow-rs", "strum 0.25.0", - "thiserror 1.0.65", + "thiserror 1.0.69", "tokio", "tonic-build 0.11.0", "veraison-apiclient", 
@@ -6247,9 +6237,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" +checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" dependencies = [ "cfg-if", "once_cell", @@ -6258,9 +6248,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" +checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" dependencies = [ "bumpalo", "log", @@ -6273,9 +6263,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.42" +version = "0.4.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76bc14366121efc8dbb487ab05bcc9d346b3b5ec0eaa76e46594cabbe51762c0" +checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b" dependencies = [ "cfg-if", "js-sys", @@ -6285,9 +6275,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" +checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -6295,9 +6285,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" +checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" dependencies = [ "proc-macro2", "quote", 
@@ -6308,15 +6298,25 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" +checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" [[package]] name = "web-sys" -version = "0.3.69" +version = "0.3.72" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6488b90108c040df0fe62fa815cbdee25124641df01814dd7282749234c6112" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "web-time" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77afa9a11836342370f4817622a2f0f418b134426d91a82dfb48f532d2ec13ef" +checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb" dependencies = [ "js-sys", "wasm-bindgen", @@ -6330,9 +6330,9 @@ checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" [[package]] name = "webpki-roots" -version = "0.26.1" +version = "0.26.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b3de34ae270483955a94f4b21bdaaeb83d508bb84a01435f393818edb0012009" +checksum = "841c67bff177718f1d4dfefde8d8f0e78f9b6589319ba88312f567fc5841a958" dependencies = [ "rustls-pki-types", ] @@ -6367,11 +6367,11 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" [[package]] name = "winapi-util" -version = "0.1.8" +version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4d4cc384e1e73b93bafa6fb4f1df8c41695c8a91cf9c4c64358067d15a7b6c6b" +checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -6612,7 +6612,7 @@ dependencies = [ "nom", "oid-registry", "rusticata-macros", - "thiserror 1.0.65", + "thiserror 1.0.69", "time", ] 
@@ -6708,9 +6708,9 @@ dependencies = [ [[package]] name = "zeroize" -version = "1.7.0" +version = "1.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d" +checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde" dependencies = [ "zeroize_derive", ] @@ -6759,18 +6759,18 @@ dependencies = [ [[package]] name = "zstd-safe" -version = "7.1.0" +version = "7.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1cd99b45c6bc03a018c8b8a86025678c87e55526064e38f9df301989dce7ec0a" +checksum = "54a3ab4db68cea366acc5c897c7b4d4d1b8994a9cd6e6f841f8964566a419059" dependencies = [ "zstd-sys", ] [[package]] name = "zstd-sys" -version = "2.0.10+zstd.1.5.6" +version = "2.0.13+zstd.1.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c253a4914af5bafc8fa8c86ee400827e83cf6ec01195ec1f1ed8441bf00d65aa" +checksum = "38ff0f21cfee8f97d94cef41359e0c89aa6113028ab0291aa8ca0038995a95aa" dependencies = [ "cc", "pkg-config", diff --git a/Cargo.toml b/Cargo.toml index 1d69c5b0df..679e00fcd5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,6 +26,7 @@ cfg-if = "1.0.0" chrono = "0.4.19" clap = { version = "4", features = ["derive"] } config = "0.13.3" +ear = "0.3.0" env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" @@ -35,7 +36,7 @@ kms = { git = "https://github.com/confidential-containers/guest-components.git", jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" -regorus = { version = "0.1.5", default-features = false, features = ["regex", "base64", "time"] } +regorus = { version = "0.2.6", default-features = false, features = ["regex", "base64", "time", "std" ] } reqwest = { version = "0.12", default-features = false, features = ["default-tls"] } rstest = "0.18.1" serde = { version = "1.0", features = ["derive"] } 
diff --git a/attestation-service/Cargo.toml b/attestation-service/Cargo.toml index 4e9e32bc7e..d7bde01dd0 100644 --- a/attestation-service/Cargo.toml +++ b/attestation-service/Cargo.toml @@ -38,9 +38,11 @@ async-trait.workspace = true base64.workspace = true cfg-if.workspace = true clap = { workspace = true, optional = true } +ear.workspace = true env_logger = { workspace = true, optional = true } futures = "0.3.17" hex.workspace = true +jsonwebtoken.workspace = true kbs-types.workspace = true lazy_static = "1.4.0" log.workspace = true @@ -56,6 +58,7 @@ serde_variant = "0.1.2" sha2.workspace = true shadow-rs.workspace = true strum.workspace = true +tempfile.workspace = true time = { version = "0.3.23", features = ["std"] } thiserror.workspace = true tokio.workspace = true diff --git a/attestation-service/README.md b/attestation-service/README.md index 111aca2b86..fafc65632f 100644 --- a/attestation-service/README.md +++ b/attestation-service/README.md @@ -145,7 +145,7 @@ The results of every policy that is evaluated are included in the attestation to **Note**: Please refer to the [Policy Language](https://www.openpolicyagent.org/docs/latest/policy-language/) documentation for more information about Rego. -If the policy is not updated, the AS will use the [default policy](src/policy_engine/opa/default_policy.rego). +If the policy is not updated, the AS will use the [default policy](src/token/ear_default_policy.rego). Concrete policy usages please refer to [this guide](docs/policy.md). diff --git a/attestation-service/config.json b/attestation-service/config.json index 332abd6111..fc2406d105 100644 --- a/attestation-service/config.json +++ b/attestation-service/config.json 
@@ -1,12 +1,11 @@ { "work_dir": "/var/lib/attestation-service/", - "policy_engine": "opa", "rvps_config": { "type": "BuiltIn", "store_type": "LocalFs" }, - "attestation_token_broker": "Simple", - "attestation_token_config": { + "attestation_token_broker": { + "type": "Simple", "duration_min": 5 } } \ No newline at end of file diff --git a/attestation-service/docs/policy.md b/attestation-service/docs/policy.md index 4bf1ad4919..f1f6b4e985 100644 --- a/attestation-service/docs/policy.md +++ b/attestation-service/docs/policy.md @@ -79,7 +79,7 @@ curl -k -X POST http://127.0.0.1:8080/attestation \ We will introduce the format of policy by providing some examples to show the use cases. -1. The [default policy](../src/policy_engine/opa/default_policy.rego). This policy will check whether each entry in the [parsed claims](./parsed_claims.md) generated by the input evidence matches the reference value obtained from RVPS. +1. The [default policy](../src/token/ear_default_policy.rego). This policy assigns multiple trust claims based on reference values. 2. An [SGX policy](../tests/coco-as/policy/example-1.rego). The client want to ensure the `mr_signer` and `mrenclave` are both expected value. 3. A [TDX policy](../tests/coco-as/policy/example-2.rego). The client want to ensure the TDX module (reflected by `tdx.quote.body.mr_seam`), guest firmware (reflected by `tdx.quote.body.mr_td`), kernel (reflected by `tdx.ccel.kernel`) are all as expected. 4. A [IBM SE policy](../tests/coco-as/policy/example-3.rego). The client want to ensure the `se.version`, `se.tag`, `se.user_data`, `se.image_phkh` and `se.attestation_phkh` are all expected value. diff --git a/attestation-service/src/bin/restful/mod.rs b/attestation-service/src/bin/restful/mod.rs index 0a50940c34..96d83fd225 100644 --- a/attestation-service/src/bin/restful/mod.rs +++ b/attestation-service/src/bin/restful/mod.rs 
@@ -139,9 +139,8 @@ pub async fn attestation( HashAlgorithm::Sha384 } }; - let policy_ids = if request.policy_ids.is_empty() { - info!("no policy specified, use `default`"); + info!("no policy specified. `default` will be used"); vec!["default".into()] } else { request.policy_ids diff --git a/attestation-service/src/config.rs b/attestation-service/src/config.rs index 895b008577..a2bd53016d 100644 --- a/attestation-service/src/config.rs +++ b/attestation-service/src/config.rs @@ -1,5 +1,5 @@ use crate::rvps::RvpsConfig; -use crate::token::{AttestationTokenBrokerType, AttestationTokenConfig}; +use crate::token::AttestationTokenConfig; use serde::Deserialize; use std::fs::File; @@ -8,7 +8,7 @@ use thiserror::Error; /// Environment macro for Attestation Service work dir. const AS_WORK_DIR: &str = "AS_WORK_DIR"; -const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/attestation-service"; +pub const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/attestation-service"; #[derive(Clone, Debug, Deserialize, PartialEq)] pub struct Config { @@ -16,34 +16,19 @@ pub struct Config { #[serde(default = "default_work_dir")] pub work_dir: PathBuf, - /// Policy Engine type. - #[serde(default = "default_policy_engine")] - pub policy_engine: String, - /// Configurations for RVPS. #[serde(default)] pub rvps_config: RvpsConfig, - /// The Attestation Result Token Broker type. - /// - /// Possible values: - /// * `Simple` - #[serde(default)] - pub attestation_token_broker: AttestationTokenBrokerType, - /// The Attestation Result Token Broker Config #[serde(default)] - pub attestation_token_config: AttestationTokenConfig, + pub attestation_token_broker: AttestationTokenConfig, } fn default_work_dir() -> PathBuf { PathBuf::from(std::env::var(AS_WORK_DIR).unwrap_or_else(|_| DEFAULT_WORK_DIR.to_string())) } -fn default_policy_engine() -> String { - "opa".to_string() -} - #[derive(Error, Debug)] pub enum ConfigError { #[error("io error: {0}")] 
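Review bot: In the `Config` struct of attestation-service/src/config.rs (hunk -16,34 +16,19), the `policy_engine` and `attestation_token_config` fields are removed while `attestation_token_broker` keeps `#[serde(default)]`, and the derive line shown in the preceding hunk has no `deny_unknown_fields`. A deployed config file that still sets only `attestation_token_config` (for example `duration_min`) would therefore most likely parse without error and fall back to `AttestationTokenConfig::default()`, so the operator's token settings are dropped silently. Adding `#[serde(deny_unknown_fields)]` directly above `pub struct Config {` would make a stale config fail at startup instead of running with defaults. The struct header sits in the previous hunk, so this assumes no other attribute is applied there.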
@@ -61,10 +46,8 @@ impl Default for Config { fn default() -> Config { Config { work_dir: default_work_dir(), - policy_engine: default_policy_engine(), rvps_config: RvpsConfig::default(), - attestation_token_broker: AttestationTokenBrokerType::default(), - attestation_token_config: AttestationTokenConfig::default(), + attestation_token_broker: AttestationTokenConfig::default(), } } } @@ -79,8 +62,7 @@ impl TryFrom<&Path> for Config { /// "store_config": {}, /// "remote_addr": "" /// }, - /// "attestation_token_broker": "Simple", - /// "attestation_token_config": { + /// "attestation_token_broker": { /// "duration_min": 5 /// } /// } 
@@ -90,3 +72,91 @@ impl TryFrom<&Path> for Config { serde_json::from_reader::(file).map_err(ConfigError::JsonFileParse) } } + +#[cfg(test)] +mod tests { + use std::path::PathBuf; + + use rstest::rstest; + use serde_json::json; + + use super::Config; + use crate::rvps::RvpsCrateConfig; + use crate::{ + rvps::RvpsConfig, + token::{ear_broker, simple, AttestationTokenConfig}, + }; + + #[rstest] + #[case("./tests/configs/example1.json", Config { + work_dir: PathBuf::from("/var/lib/attestation-service/"), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { + store_type: "LocalFs".into(), + store_config: json!({}), + }), + attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { + duration_min: 5, + issuer_name: "test".into(), + signer: None, + policy_dir: "/var/lib/attestation-service/policies".into(), + }) + })] + #[case("./tests/configs/example2.json", Config { + work_dir: PathBuf::from("/var/lib/attestation-service/"), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { + store_type: "LocalFs".into(), + store_config: json!({}), + }), + attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { + duration_min: 5, + issuer_name: "test".into(), + policy_dir: "/var/lib/attestation-service/policies".into(), + signer: Some(simple::TokenSignerConfig { + key_path: "/etc/key".into(), + cert_url: Some("https://example.io".into()), + cert_path: Some("/etc/cert.pem".into()) + }) + }) + })] + #[case("./tests/configs/example3.json", Config { + work_dir: PathBuf::from("/var/lib/attestation-service/"), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { + store_type: "LocalFs".into(), + store_config: json!({}), + }), + attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration { + duration_min: 5, + issuer_name: "test".into(), + signer: None, + policy_dir: "/var/lib/attestation-service/policies".into(), + developer_name: "someone".into(), + build_name: "0.1.0".into(), + profile_name: 
"tag:github.com,2024:confidential-containers/Trustee".into() + }) + })] + #[case("./tests/configs/example4.json", Config { + work_dir: PathBuf::from("/var/lib/attestation-service/"), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { + store_type: "LocalFs".into(), + store_config: json!({}), + }), + attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration { + duration_min: 5, + issuer_name: "test".into(), + policy_dir: "/var/lib/attestation-service/policies".into(), + developer_name: "someone".into(), + build_name: "0.1.0".into(), + profile_name: "tag:github.com,2024:confidential-containers/Trustee".into(), + signer: Some(ear_broker::TokenSignerConfig { + key_path: "/etc/key".into(), + cert_url: Some("https://example.io".into()), + cert_path: Some("/etc/cert.pem".into()) + }) + }) + })] + fn read_config(#[case] config: &str, #[case] expected: Config) { + let config = std::fs::read_to_string(config).unwrap(); + let config: Config = serde_json::from_str(&config).unwrap(); + assert_eq!(config, expected); + } +} diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index 0f95bf8362..e009f8c391 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs @@ -7,7 +7,6 @@ pub mod config; pub mod policy_engine; pub mod rvps; pub mod token; -pub mod utils; use crate::token::AttestationTokenBroker; 
@@ -15,19 +14,15 @@ use anyhow::{anyhow, Context, Result}; use config::Config; pub use kbs_types::{Attestation, Tee}; use log::{debug, info}; -use policy_engine::{PolicyEngine, PolicyEngineType}; use rvps::{RvpsApi, RvpsError}; -use serde_json::{json, Value}; -use serde_variant::to_variant_name; +use serde_json::Value; use sha2::{Digest, Sha256, Sha384, Sha512}; -use std::{collections::HashMap, str::FromStr}; +use std::collections::HashMap; use strum::{AsRefStr, Display, EnumString}; use thiserror::Error; use tokio::fs; use verifier::{InitDataHash, ReportData}; -use crate::utils::flatten_claims; - /// Hash algorithms used to calculate runtime/init data binding #[derive(Debug, Display, EnumString, AsRefStr)] pub enum HashAlgorithm { @@ -94,7 +89,6 @@ pub enum ServiceError { pub struct AttestationService { _config: Config, - policy_engine: Box, rvps: Box, token_broker: Box, } @@ -108,21 +102,14 @@ impl AttestationService { .map_err(ServiceError::CreateDir)?; } - let policy_engine = PolicyEngineType::from_str(&config.policy_engine) - .map_err(ServiceError::UnsupportedPolicy)? - .to_policy_engine(config.work_dir.as_path())?; - let rvps = rvps::initialize_rvps_client(&config.rvps_config) .await .map_err(ServiceError::Rvps)?; - let token_broker = config - .attestation_token_broker - .to_token_broker(config.attestation_token_config.clone())?; + let token_broker = config.attestation_token_broker.to_token_broker()?; Ok(Self { _config: config, - policy_engine, rvps, token_broker, }) 
@@ -130,14 +117,14 @@ impl AttestationService { /// Set Attestation Verification Policy. pub async fn set_policy(&mut self, policy_id: String, policy: String) -> Result<()> { - self.policy_engine.set_policy(policy_id, policy).await?; + self.token_broker.set_policy(policy_id, policy).await?; Ok(()) } /// Get Attestation Verification Policy List. /// The result is a `policy-id` -> `policy hash` map. pub async fn list_policies(&self) -> Result> { - self.policy_engine + self.token_broker .list_policies() .await .context("Cannot List Policy") @@ -145,7 +132,7 @@ impl AttestationService { /// Get a single Policy content. pub async fn get_policy(&self, policy_id: String) -> Result { - self.policy_engine + self.token_broker .get_policy(policy_id) .await .context("Cannot Get Policy") @@ -164,9 +151,9 @@ impl AttestationService { /// will not be performed. /// - `hash_algorithm`: The hash algorithm that is used to calculate the digest of `runtime_data` and /// `init_data`. - /// - `policy_ids`: The policy ids that used to check this evidence. Any check fails against a policy will - /// not cause this function to return error. The result check against every policy will be included inside - /// the finally Token returned by CoCo-AS. + /// - `policy_ids`: The ids of the policies that will be used to evaluate the claims. + /// For EAR tokens, only the first policy will be evaluated. + /// The hash of the policy will be returned as part of the attestation token. #[allow(clippy::too_many_arguments)] pub async fn evaluate( &self, 
@@ -202,56 +189,23 @@ impl AttestationService { .map_err(|e| anyhow!("Verifier evaluate failed: {e:?}"))?; info!("{:?} Verifier/endorsement check passed.", tee); - let flattened_claims = flatten_claims(tee, &claims_from_tee_evidence)?; - debug!("flattened_claims: {:#?}", flattened_claims); - - let tcb_json = serde_json::to_string(&flattened_claims)?; - let reference_data_map = self - .get_reference_data(flattened_claims.keys()) + .get_reference_data(["placeholder".to_string()].iter()) .await .map_err(|e| anyhow!("Generate reference data failed: {:?}", e))?; debug!("reference_data_map: {:#?}", reference_data_map); - let evaluation_report = self - .policy_engine - .evaluate(reference_data_map.clone(), tcb_json, policy_ids.clone()) - .await - .map_err(|e| anyhow!("Policy Engine evaluation failed: {e}"))?; - - info!("Policy check passed."); - let policies: Vec<_> = evaluation_report - .into_iter() - .map(|(k, v)| { - json!({ - "policy-id": k, - "policy-hash": v, - }) - }) - .collect(); - - let reference_data_map: HashMap> = reference_data_map - .into_iter() - .filter(|it| !it.1.is_empty()) - .collect(); - - let token_claims = json!({ - "tee": to_variant_name(&tee)?, - "evaluation-reports": policies, - "tcb-status": flattened_claims, - "reference-data": reference_data_map, - "customized_claims": { - "init_data": init_data_claims, - "runtime_data": runtime_data_claims, - }, - }); - - let attestation_results_token = self.token_broker.issue(token_claims)?; - info!( - "Attestation Token ({}) generated.", - self._config.attestation_token_broker - ); - + let attestation_results_token = self + .token_broker + .issue( + claims_from_tee_evidence, + policy_ids, + init_data_claims, + runtime_data_claims, + reference_data_map, + tee, + ) + .await?; Ok(attestation_results_token) } diff --git a/attestation-service/src/policy_engine/mod.rs b/attestation-service/src/policy_engine/mod.rs index ca72d98e5a..6a9e78875c 100644 --- a/attestation-service/src/policy_engine/mod.rs 
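Review bot: The reference-value lookup is now keyed by a literal, `get_reference_data(["placeholder".to_string()].iter())`, so unless `get_reference_data` ignores its argument, the map passed to `token_broker.issue` will not contain values for the claims in the evidence. A policy that compares its input against `data.reference` would then be appraising against empty data. Either keep deriving the keys from the claims, or change `get_reference_data` to return the full set and drop the parameter. At minimum, add `// TODO: "placeholder" is a dummy key; reference values are not selected per claim yet` so this is not read as finished code. `get_reference_data` is defined outside this hunk, so its handling of unknown keys needs to be confirmed.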
+++ b/attestation-service/src/policy_engine/mod.rs 
@@ -1,13 +1,52 @@ -use crate::policy_engine::opa::RegoError; use anyhow::Result; use async_trait::async_trait; +use regorus::Value; use serde::Deserialize; use std::collections::HashMap; +use std::io; use std::path::Path; +use std::sync::Arc; use strum::EnumString; +use thiserror::Error; pub mod opa; +#[derive(Error, Debug)] +pub enum PolicyError { + #[error("Failed to create policy directory: {0}")] + CreatePolicyDirFailed(#[source] io::Error), + #[error("Failed to convert policy directory path to string")] + PolicyDirPathToStringFailed, + #[error("Failed to write default policy: {0}")] + WriteDefaultPolicyFailed(#[source] io::Error), + #[error("Failed to read attestation service policy file: {0}")] + ReadPolicyFileFailed(#[source] io::Error), + #[error("Failed to write attestation service policy to file: {0}")] + WritePolicyFileFailed(#[source] io::Error), + #[error("Failed to load policy: {0}")] + LoadPolicyFailed(#[source] anyhow::Error), + #[error("Policy evaluation denied for {policy_id}")] + PolicyDenied { policy_id: String }, + #[error("Serde json error: {0}")] + SerdeJsonError(#[from] serde_json::Error), + #[error("IO error: {0}")] + IOError(#[from] std::io::Error), + #[error("Base64 decode attestation service policy string failed: {0}")] + Base64DecodeFailed(#[from] base64::DecodeError), + #[error("Illegal policy id. Only support alphabet, numeric, `-` or `_`")] + InvalidPolicyId, + #[error("Failed to load reference data: {0}")] + LoadReferenceDataFailed(#[source] anyhow::Error), + #[error("Failed to set input data: {0}")] + SetInputDataFailed(#[source] anyhow::Error), + #[error("Failed to evaluate policy: {0}")] + EvalPolicyFailed(#[source] anyhow::Error), + #[error("json serialization failed: {0}")] + JsonSerializationFailed(#[source] anyhow::Error), + #[error("Policy claim value not valid (must be between -127 and 127)")] + InvalidClaimValue, +} + #[derive(Debug, EnumString, Deserialize)] #[strum(ascii_case_insensitive)] pub enum PolicyEngineType { 
@@ -15,36 +54,55 @@ pub enum PolicyEngineType { } impl PolicyEngineType { - pub fn to_policy_engine(&self, work_dir: &Path) -> Result> { + pub fn to_policy_engine( + &self, + work_dir: &Path, + default_policy: &str, + ) -> Result> { match self { - PolicyEngineType::OPA => Ok(Box::new(opa::OPA::new(work_dir.to_path_buf())?) - as Box), + PolicyEngineType::OPA => Ok(Arc::new(opa::OPA::new( + work_dir.to_path_buf(), + default_policy, + )?) as Arc), } } } type PolicyDigest = String; +pub struct EvaluationResult { + pub rules_result: HashMap, + pub policy_hash: String, +} + #[async_trait] -pub trait PolicyEngine { - /// Verify an input body against a set of ref values and a list of policies - /// return a list of policy ids with their sha384 at eval time - /// abort early on first failed validation and any errors. - /// The result is a key-value map. - /// - `key`: the policy id - /// - `value`: the digest of the policy (using **Sha384**). +pub trait PolicyEngine: Send + Sync { + /// The inputs to an policy engine. Inspired by OPA, we divided the inputs + /// into three parts: + /// - `policy id`: indicates the policy id that will be used to perform policy + /// enforcement + /// - `data`: static data that will help to enforce the policy. + /// - `input`: dynamic data that will help to enforce the policy. + /// - `rules`: the decision statement to be executed by the policy engine + /// to determine the final output. + /// + /// In CoCoAS scenarios, `data` is recommended to carry reference values as + /// it is relatively static. `input` is recommended to carry `tcb_claims` + /// returned by `verifier` module. Concrete implementation can be different + /// due to different needs. 
async fn evaluate( &self, - reference_data_map: HashMap>, - input: String, - policy_ids: Vec, - ) -> Result, RegoError>; + data: &str, + input: &str, + policy_id: &str, + evaluation_rules: &[&str], + ) -> Result; - async fn set_policy(&mut self, policy_id: String, policy: String) -> Result<(), RegoError>; + async fn set_policy(&self, policy_id: String, policy: String) -> Result<(), PolicyError>; /// The result is a map. The key is the policy id, and the /// value is the digest of the policy (using **Sha384**). - async fn list_policies(&self) -> Result, RegoError>; + async fn list_policies(&self) -> Result, PolicyError>; - async fn get_policy(&self, policy_id: String) -> Result; + async fn get_policy(&self, policy_id: String) -> Result; } diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs index 40f66d9d88..d55f63691a 100644 --- a/attestation-service/src/policy_engine/opa/mod.rs +++ b/attestation-service/src/policy_engine/opa/mod.rs 
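Review bot: The new doc comment on `evaluate` no longer says what is returned or what happens when a policy does not pass, and `EvaluationResult` has no documentation at all. In the OPA implementation in this commit, `rules_result` holds an entry only for requested rules that evaluated successfully, and `policy_hash` is the hex SHA-384 of the policy text, so callers need to know that a missing rule is not a denial. I would add `/// Per-rule values keyed by rule name; rules that could not be evaluated are absent.` and `/// Hex-encoded SHA-384 digest of the evaluated policy.` on the two fields. The parameter list in the comment should also name `evaluation_rules` rather than `rules`.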
@@ -5,72 +5,37 @@ use anyhow::{Context, Result}; use async_trait::async_trait; use base64::Engine; +use log::debug; use sha2::{Digest, Sha384}; use std::collections::HashMap; use std::fs; -use std::io; use std::path::PathBuf; -use thiserror::Error; -use super::{PolicyDigest, PolicyEngine}; +use super::{EvaluationResult, PolicyDigest, PolicyEngine, PolicyError}; #[derive(Debug, Clone)] pub struct OPA { policy_dir_path: PathBuf, } -#[derive(Error, Debug)] -pub enum RegoError { - #[error("Failed to create policy directory: {0}")] - CreatePolicyDirFailed(#[source] io::Error), - #[error("Failed to convert policy directory path to string")] - PolicyDirPathToStringFailed, - #[error("Failed to write default policy: {0}")] - WriteDefaultPolicyFailed(#[source] io::Error), - #[error("Failed to read OPA policy file: {0}")] - ReadPolicyFileFailed(#[source] io::Error), - #[error("Failed to write OPA policy to file: {0}")] - WritePolicyFileFailed(#[source] io::Error), - #[error("Failed to load policy: {0}")] - LoadPolicyFailed(#[source] anyhow::Error), - #[error("Policy evaluation denied for {policy_id}")] - PolicyDenied { policy_id: String }, - #[error("Serde json error: {0}")] - SerdeJsonError(#[from] serde_json::Error), - #[error("IO error: {0}")] - IOError(#[from] std::io::Error), - #[error("Base64 decode OPA policy string failed: {0}")] - Base64DecodeFailed(#[source] base64::DecodeError), - #[error("Illegal policy id. 
Only support alphabet, numeric, `-` or `_`")] - InvalidPolicyId, - #[error("Failed to load reference data: {0}")] - LoadReferenceDataFailed(#[source] anyhow::Error), - #[error("Failed to set input data: {0}")] - SetInputDataFailed(#[source] anyhow::Error), - #[error("Failed to evaluate policy: {0}")] - EvalPolicyFailed(#[source] anyhow::Error), - #[error("json serialization failed: {0}")] - JsonSerializationFailed(#[source] anyhow::Error), -} - impl OPA { - pub fn new(work_dir: PathBuf) -> Result { + pub fn new(work_dir: PathBuf, default_policy: &str) -> Result { let mut policy_dir_path = work_dir; policy_dir_path.push("opa"); if !policy_dir_path.as_path().exists() { - fs::create_dir_all(&policy_dir_path).map_err(RegoError::CreatePolicyDirFailed)?; + fs::create_dir_all(&policy_dir_path).map_err(PolicyError::CreatePolicyDirFailed)?; } let mut default_policy_path = PathBuf::from( &policy_dir_path .to_str() - .ok_or_else(|| RegoError::PolicyDirPathToStringFailed)?, + .ok_or_else(|| PolicyError::PolicyDirPathToStringFailed)?, ); default_policy_path.push("default.rego"); if !default_policy_path.as_path().exists() { - let policy = std::include_str!("default_policy.rego").to_string(); - fs::write(&default_policy_path, policy).map_err(RegoError::WriteDefaultPolicyFailed)?; + fs::write(&default_policy_path, default_policy) + .map_err(PolicyError::WriteDefaultPolicyFailed)?; } Ok(Self { policy_dir_path }) 
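Review bot: `OPA::new` writes `default_policy` only when `default.rego` does not already exist, so the text passed by the caller is ignored if a file is left over from an earlier version or from a broker with a different default. The config tests in this commit give the Simple and EAR brokers the same `policy_dir`, which makes that situation likely, and the EAR broker still logs `Loading default AS policy "ear_default_policy.rego"` in that case. If keeping an existing file is intended, say so on the constructor: `/// Writes `default_policy` to `<work_dir>/opa/default.rego` only if that file is missing; an existing file is kept as is.` If it is not intended, the file should be compared with the supplied text and a mismatch logged.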
@@ -87,93 +52,91 @@ impl OPA { impl PolicyEngine for OPA { async fn evaluate( &self, - reference_data_map: HashMap>, - input: String, - policy_ids: Vec, - ) -> Result, RegoError> { - let mut res = HashMap::new(); - + data: &str, + input: &str, + policy_id: &str, + evaluation_rules: &[&str], + ) -> Result { let policy_dir_path = self .policy_dir_path .to_str() - .ok_or_else(|| RegoError::PolicyDirPathToStringFailed)?; + .ok_or_else(|| PolicyError::PolicyDirPathToStringFailed)?; - for policy_id in &policy_ids { - let input = input.clone(); - let policy_file_path = format!("{policy_dir_path}/{policy_id}.rego"); + let policy_file_path = format!("{policy_dir_path}/{policy_id}.rego"); - let policy = tokio::fs::read_to_string(policy_file_path.clone()) - .await - .map_err(RegoError::ReadPolicyFileFailed)?; + let policy = tokio::fs::read_to_string(policy_file_path.clone()) + .await + .map_err(PolicyError::ReadPolicyFileFailed)?; - let mut engine = regorus::Engine::new(); + let mut engine = regorus::Engine::new(); - let policy_hash = { - use sha2::Digest; - let mut hasher = sha2::Sha384::new(); - hasher.update(&policy); - let hex = hasher.finalize().to_vec(); - hex::encode(hex) - }; + let policy_hash = { + use sha2::Digest; + let mut hasher = sha2::Sha384::new(); + hasher.update(&policy); + let hex = hasher.finalize().to_vec(); + hex::encode(hex) + }; - // Add policy as data - engine - .add_policy(policy_id.clone(), policy) - .map_err(RegoError::LoadPolicyFailed)?; - - let reference_data_map = serde_json::to_string(&reference_data_map)?; - let reference_data_map = - regorus::Value::from_json_str(&format!("{{\"reference\":{reference_data_map}}}")) - .map_err(RegoError::JsonSerializationFailed)?; - engine - .add_data(reference_data_map) - .map_err(RegoError::LoadReferenceDataFailed)?; - - // Add TCB claims as input - engine - .set_input_json(&input) - .context("set input") - .map_err(RegoError::SetInputDataFailed)?; - - let allow = engine - 
.eval_bool_query("data.policy.allow".to_string(), false) - .map_err(RegoError::EvalPolicyFailed)?; - if !allow { - return Err(RegoError::PolicyDenied { - policy_id: policy_id.clone(), - }); - } + // Add policy as data + engine + .add_policy(policy_id.to_string(), policy) + .map_err(PolicyError::LoadPolicyFailed)?; + + let data = + regorus::Value::from_json_str(data).map_err(PolicyError::JsonSerializationFailed)?; + + engine + .add_data(data) + .map_err(PolicyError::LoadReferenceDataFailed)?; + + // Add TCB claims as input + engine + .set_input_json(input) + .context("set input") + .map_err(PolicyError::SetInputDataFailed)?; + + let mut rules_result = HashMap::new(); + for rule in evaluation_rules { + let whole_rule = format!("data.policy.{rule}"); + let Ok(claim_value) = engine.eval_rule(whole_rule) else { + debug!("Policy `{policy_id}` does not check {rule}"); + continue; + }; - res.insert(policy_id.clone(), policy_hash); + rules_result.insert(rule.to_string(), claim_value); } + let res = EvaluationResult { + rules_result, + policy_hash, + }; + Ok(res) } - async fn set_policy(&mut self, policy_id: String, policy: String) -> Result<(), RegoError> { - let policy_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD - .decode(policy) - .map_err(RegoError::Base64DecodeFailed)?; + async fn set_policy(&self, policy_id: String, policy: String) -> Result<(), PolicyError> { + let policy_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(policy)?; if !Self::is_valid_policy_id(&policy_id) { - return Err(RegoError::InvalidPolicyId); + return Err(PolicyError::InvalidPolicyId); } let mut policy_file_path = PathBuf::from( &self .policy_dir_path .to_str() - .ok_or_else(|| RegoError::PolicyDirPathToStringFailed)?, + .ok_or_else(|| PolicyError::PolicyDirPathToStringFailed)?, ); policy_file_path.push(format!("{}.rego", policy_id)); tokio::fs::write(&policy_file_path, policy_bytes) .await - .map_err(RegoError::WritePolicyFileFailed) + 
.map_err(PolicyError::WritePolicyFileFailed) } - async fn list_policies(&self) -> Result, RegoError> { + async fn list_policies(&self) -> Result, PolicyError> { let mut policy_ids = Vec::new(); let mut entries = tokio::fs::read_dir(&self.policy_dir_path).await?; while let Some(entry) = entries.next_entry().await? { @@ -193,7 +156,7 @@ impl PolicyEngine for OPA { let policy_file_path = self.policy_dir_path.join(format!("{id}.rego")); let policy = tokio::fs::read(policy_file_path) .await - .map_err(RegoError::ReadPolicyFileFailed)?; + .map_err(PolicyError::ReadPolicyFileFailed)?; let mut hasher = Sha384::new(); hasher.update(policy); 
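Review bot: In the new rule loop, `let Ok(claim_value) = engine.eval_rule(whole_rule) else { ...; continue; }` treats every evaluation error as "policy does not check this rule" and logs it only at debug level, so a policy that fails during evaluation yields a partial result instead of an error. Because the result feeds a trust vector, I would return `PolicyError::EvalPolicyFailed` for anything other than an undefined rule, if regorus lets the two be told apart, or at least log at `warn!`. Separately, `policy_id` is interpolated into `policy_file_path` without the `is_valid_policy_id` check that `set_policy` applies. Adding `if !Self::is_valid_policy_id(policy_id) { return Err(PolicyError::InvalidPolicyId); }` at the top of `evaluate` would keep the lookup inside the policy directory, assuming the helper, defined outside this hunk, accepts `&str`.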
@@ -207,86 +170,116 @@ impl PolicyEngine for OPA { Ok(policy_list) } - async fn get_policy(&self, policy_id: String) -> Result { + async fn get_policy(&self, policy_id: String) -> Result { let policy_file_path = self.policy_dir_path.join(format!("{policy_id}.rego")); let policy = tokio::fs::read(policy_file_path) .await - .map_err(RegoError::ReadPolicyFileFailed)?; + .map_err(PolicyError::ReadPolicyFileFailed)?; let base64_policy = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(policy); Ok(base64_policy) } } -#[cfg(test)] -mod tests { - use super::*; - use serde_json::json; - - fn dummy_reference(ver: u64) -> String { - json!({ - "productId": [ver.to_string()], - "svn": [ver.to_string()] - }) - .to_string() - } - - fn dummy_input(product_id: u64, svn: u64) -> String { - json!({ - "productId": product_id.to_string(), - "svn": svn.to_string() - }) - .to_string() - } - - #[tokio::test] - async fn test_evaluate() { - let opa = OPA { - policy_dir_path: PathBuf::from("./src/policy_engine/opa"), - }; - let default_policy_id = "default_policy".to_string(); - - let reference_data: HashMap> = - serde_json::from_str(&dummy_reference(5)).unwrap(); - - let res = opa - .evaluate( - reference_data.clone(), - dummy_input(5, 5), - vec![default_policy_id.clone()], - ) - .await; - let res = res.expect("OPA execution should succeed"); - // this expected value is calculated by `sha384sum` - let expected_digest = "c0e7929671fb6780387f54760d84d65d2ce96093dfb33efda21f5eb05afcda77bba444c02cd177b23a5d350716726157"; - assert_eq!(expected_digest, res["default_policy"]); - - let res = opa - .evaluate(reference_data, dummy_input(0, 0), vec![default_policy_id]) - .await; - - res.expect_err("OPA execution should fail"); - } - - #[tokio::test] - async fn test_policy_management() { - let mut opa = OPA::new(PathBuf::from("tests/tmp")).unwrap(); - let policy = "package policy -default allow = true" - .to_string(); - - let get_policy_output = 
"cGFja2FnZSBwb2xpY3kKZGVmYXVsdCBhbGxvdyA9IHRydWU".to_string(); - - assert!(opa - .set_policy( - "test".to_string(), - base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(policy) - ) - .await - .is_ok()); - let policy_list = opa.list_policies().await.unwrap(); - assert_eq!(policy_list.len(), 2); - let test_policy = opa.get_policy("test".to_string()).await.unwrap(); - assert_eq!(test_policy, get_policy_output); - assert!(opa.list_policies().await.is_ok()); - } -} +// #[cfg(test)] +// mod tests { +// use ear::RawValue; +// use kbs_types::Tee; +// use rstest::rstest; +// use serde_json::{json, Value}; +// use std::collections::BTreeMap; + +// use crate::transform_claims; + +// use super::*; + +// fn dummy_reference(product_id: u64, svn: u64, launch_digest: String) -> String { +// json!({ +// "productId": [product_id.to_string()], +// "svn": [svn.to_string()], +// "launch_digest": [launch_digest] +// }) +// .to_string() +// } +// fn dummy_input(product_id: u64, svn: u64, launch_digest: String) -> BTreeMap { +// let json_claims = json!({ +// "productId": product_id.to_string(), +// "svn": svn.to_string(), +// "launch_digest": launch_digest +// }); + +// let ear_claims = transform_claims( +// json_claims, +// Value::String("".to_string()), +// Value::String("".to_string()), +// Tee::Sample, +// ) +// .unwrap(); + +// ear_claims +// } +// #[rstest] +// #[case(5,5,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,2)] +// #[case(5,4,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,97)] +// #[case(5,5,1,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,2)] +// #[case(5,5,2,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,97)] +// #[tokio::test] +// async fn test_evaluate( +// #[case] pid_a: u64, +// #[case] pid_b: u64, +// #[case] svn_a: u64, +// #[case] svn_b: u64, +// #[case] digest_a: String, +// #[case] digest_b: String, +// #[case] ex_exp: i8, +// #[case] hw_exp: i8, +// ) { +// let opa = OPA { +// policy_dir_path: PathBuf::from("./src/policy_engine/opa"), 
+// }; +// let default_policy_id = "default_policy".to_string(); + +// let reference_data: HashMap> = +// serde_json::from_str(&dummy_reference(pid_a, svn_a, digest_a)).unwrap(); + +// let appraisal = opa +// .evaluate( +// reference_data.clone(), +// dummy_input(pid_b, svn_b, digest_b), +// default_policy_id.clone(), +// ) +// .await +// .unwrap(); + +// assert_eq!( +// hw_exp, +// appraisal.trust_vector.by_name("hardware").unwrap().get() +// ); +// assert_eq!( +// ex_exp, +// appraisal.trust_vector.by_name("executables").unwrap().get() +// ); +// } + +// #[tokio::test] +// async fn test_policy_management() { +// let mut opa = OPA::new(PathBuf::from("tests/tmp")).unwrap(); +// let policy = "package policy +// default allow = true" +// .to_string(); + +// let get_policy_output = "cGFja2FnZSBwb2xpY3kKZGVmYXVsdCBhbGxvdyA9IHRydWU".to_string(); + +// assert!(opa +// .set_policy( +// "test".to_string(), +// base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(policy) +// ) +// .await +// .is_ok()); +// let policy_list = opa.list_policies().await.unwrap(); +// assert_eq!(policy_list.len(), 2); +// let test_policy = opa.get_policy("test".to_string()).await.unwrap(); +// assert_eq!(test_policy, get_policy_output); +// assert!(opa.list_policies().await.is_ok()); +// } +// } diff --git a/attestation-service/src/token/ear_broker.rs b/attestation-service/src/token/ear_broker.rs new file mode 100644 index 0000000000..fd2ab39b2c --- /dev/null +++ b/attestation-service/src/token/ear_broker.rs 
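Review bot: The whole `tests` module is commented out here rather than ported, which leaves `evaluate`, `set_policy`, `list_policies` and `get_policy` without a test in this file. The commented `test_evaluate` still passes three arguments to `evaluate` and reads `appraisal.trust_vector`, and `test_policy_management` still calls `OPA::new(PathBuf::from("tests/tmp"))`; neither matches the new signatures. `test_policy_management` looks cheap to revive: pass a policy string as the second argument to `OPA::new` and drop the `mut`. `test_evaluate` would be better rewritten against `EvaluationResult` or deleted than kept as comments.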
@@ -0,0 +1,583 @@ +// Copyright (c) 2024 IBM +// +// SPDX-License-Identifier: Apache-2.0 +// + +use anyhow::*; + +use base64::engine::general_purpose::URL_SAFE_NO_PAD; +use base64::Engine; +use ear::{Algorithm, Appraisal, Ear, Extensions, RawValue, VerifierID}; +use jsonwebtoken::jwk; +use kbs_types::Tee; +use log::{debug, info, warn}; +use openssl::bn::{BigNum, BigNumContext}; +use openssl::ec::{EcGroup, EcKey}; +use openssl::nid::Nid; +use openssl::pkey::{PKey, Private}; +use openssl::x509::X509; +use serde::Deserialize; +use serde_json::{json, Value}; +use serde_variant::to_variant_name; +use shadow_rs::concatcp; +use std::collections::{BTreeMap, HashMap}; +use std::path::Path; +use std::sync::Arc; +use verifier::TeeEvidenceParsedClaim; + +use crate::policy_engine::{PolicyEngine, PolicyEngineType}; +use crate::token::DEFAULT_TOKEN_WORK_DIR; +use crate::AttestationTokenBroker; + +use super::{COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION}; + +pub const DEFAULT_PROFILE: &str = "tag:github.com,2024:confidential-containers/Trustee"; +pub const DEFAULT_DEVELOPER_NAME: &str = "https://confidentialcontainers.org"; + +const DEFAULT_POLICY_DIR: &str = concatcp!(DEFAULT_TOKEN_WORK_DIR, "/ear/policies"); + +const RULES: [&str; 8] = [ + "instance_identity", + "configuration", + "executables", + "file_system", + "hardware", + "runtime_opaque", + "storage_opaque", + "sourced_data", +]; + +#[derive(Deserialize, Debug, Clone, PartialEq)] +pub struct TokenSignerConfig { + pub key_path: String, + #[serde(default = "Option::default")] + pub cert_url: Option, + + // PEM format certificate chain. 
+ #[serde(default = "Option::default")] + pub cert_path: Option, +} + +#[derive(Deserialize, Debug, Clone, PartialEq)] +pub struct Configuration { + /// The Attestation Results Token duration time (in minutes) + /// Default: 5 minutes + #[serde(default = "default_duration")] + pub duration_min: i64, + + /// For tokens, the issuer of the token + #[serde(default = "default_issuer_name")] + pub issuer_name: String, + + /// The developer name to be used as part of the Verifier ID + /// in the EAR. + /// Default: `https://confidentialcontainers.org` + #[serde(default = "default_developer")] + pub developer_name: String, + + /// The build name to be used as part of the Verifier ID + /// in the EAR. + /// The default value will be generated from the Cargo package + /// name and version of the AS. + #[serde(default = "default_build")] + pub build_name: String, + + /// The Profile that describes the EAR token + /// Default: `tag:github.com,2024:confidential-containers/Trustee` + #[serde(default = "default_profile")] + pub profile_name: String, + + /// Configuration for signing the EAR + /// If this is not specified, the EAR + /// will be signed with an ephemeral private key. + #[serde(default = "Option::default")] + pub signer: Option, + + /// The path to the work directory that contains policies + /// to provision the tokens. 
+ #[serde(default = "default_policy_dir")] + pub policy_dir: String, +} + +#[inline] +fn default_duration() -> i64 { + DEFAULT_TOKEN_DURATION +} + +#[inline] +fn default_issuer_name() -> String { + COCO_AS_ISSUER_NAME.to_string() +} + +#[inline] +fn default_developer() -> String { + DEFAULT_DEVELOPER_NAME.to_string() +} + +#[inline] +fn default_profile() -> String { + DEFAULT_PROFILE.to_string() +} + +#[inline] +fn default_build() -> String { + format!("{} {}", env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION")) +} + +#[inline] +fn default_policy_dir() -> String { + DEFAULT_POLICY_DIR.to_string() +} + +impl Default for Configuration { + fn default() -> Self { + Self { + duration_min: default_duration(), + issuer_name: default_issuer_name(), + developer_name: default_developer(), + build_name: default_build(), + profile_name: default_profile(), + signer: None, + policy_dir: default_policy_dir(), + } + } +} + +pub struct EarAttestationTokenBroker { + config: Configuration, + private_key: EcKey, + //private_key_bytes: Vec, + cert_url: Option, + cert_chain: Option>, + policy_engine: Arc, +} + +impl EarAttestationTokenBroker { + pub fn new(config: Configuration) -> Result { + let policy_engine = PolicyEngineType::OPA.to_policy_engine( + Path::new(&config.policy_dir), + include_str!("ear_default_policy.rego"), + )?; + info!("Loading default AS policy \"ear_default_policy.rego\""); + + if config.signer.is_none() { + log::info!("No Token Signer key in config file, create an ephemeral key and without CA pubkey cert"); + return Ok(Self { + private_key: generate_ec_keys()?.0, + config, + cert_url: None, + cert_chain: None, + policy_engine, + }); + } + + let signer = config.signer.clone().unwrap(); + let pem_data = std::fs::read(&signer.key_path) + .map_err(|e| anyhow!("Read Token Signer private key failed: {:?}", e))?; + let private_key = EcKey::private_key_from_pem(&pem_data)?; + + let cert_chain = signer + .cert_path + .as_ref() + .map(|cert_path| -> Result> { + let 
pem_cert_chain = std::fs::read_to_string(cert_path) + .map_err(|e| anyhow!("Read Token Signer cert file failed: {:?}", e))?; + let mut chain = Vec::new(); + + for pem in pem_cert_chain.split("-----END CERTIFICATE-----") { + let trimmed = format!("{}\n-----END CERTIFICATE-----", pem.trim()); + if !trimmed.starts_with("-----BEGIN CERTIFICATE-----") { + continue; + } + let cert = X509::from_pem(trimmed.as_bytes()) + .map_err(|_| anyhow!("Invalid PEM certificate chain"))?; + chain.push(cert); + } + Ok(chain) + }) + .transpose()?; + + Ok(Self { + config, + private_key, + cert_url: signer.cert_url, + cert_chain, + policy_engine, + }) + } +} + +#[async_trait::async_trait] +impl AttestationTokenBroker for EarAttestationTokenBroker { + async fn issue( + &self, + tcb_claims: TeeEvidenceParsedClaim, + policy_ids: Vec, + init_data_claims: serde_json::Value, + runtime_data_claims: serde_json::Value, + reference_data_map: HashMap>, + tee: Tee, + ) -> Result { + let tcb_claims = transform_claims( + tcb_claims, + init_data_claims.clone(), + runtime_data_claims.clone(), + tee, + )?; + debug!("tcb_claims: {:#?}", tcb_claims); + + let tcb_claims_json = serde_json::to_string(&tcb_claims)?; + + let reference_data = json!({ + "reference": reference_data_map, + }); + let reference_data = serde_json::to_string(&reference_data)?; + + if policy_ids.len() > 1 { + warn!("EAR token only accepts the first policy. 
The rest will be ignored."); + } + + if policy_ids.is_empty() { + bail!("No policy is given for EAR token generation."); + } + + let policy_results = self + .policy_engine + .evaluate( + &reference_data, + &tcb_claims_json, + &policy_ids[0], + &RULES[..], + ) + .await?; + + let mut appraisal = Appraisal::new(); + + for (k, v) in &policy_results.rules_result { + let claim_value = v.as_i8().context("Policy claim value not i8")?; + + appraisal + .trust_vector + .mut_by_name(k) + .unwrap() + .set(claim_value); + } + + if !appraisal.trust_vector.any_set() { + bail!("At least one policy claim must be set."); + } + + appraisal.update_status_from_trust_vector(); + appraisal.annotated_evidence = tcb_claims; + appraisal.policy_id = Some(policy_ids[0].clone()); + + // For now, create only one submod, called `cpu`. + // We can create more when we support attesting multiple devices at once. + let mut submods = BTreeMap::new(); + submods.insert("cpu".to_string(), appraisal); + + let now = time::OffsetDateTime::now_utc(); + + let ear = Ear { + profile: self.config.profile_name.clone(), + iat: now.unix_timestamp(), + vid: VerifierID { + build: self.config.build_name.clone(), + developer: self.config.developer_name.clone(), + }, + raw_evidence: None, + nonce: None, + submods, + extensions: Extensions::new(), + }; + let mut jwt_header = ear::new_jwt_header(&Algorithm::ES256)?; + jwt_header.jwk = Some(self.pubkey_jwk()?); + + let pkey = PKey::from_ec_key(self.private_key.clone())?; + let private_key_bytes = pkey.private_key_to_pem_pkcs8()?; + + let signed_ear = ear.sign_jwt_pem_with_header(&jwt_header, &private_key_bytes)?; + + Ok(signed_ear) + } +} + +impl EarAttestationTokenBroker { + // TODO: converge this with the jwk function in the simple token broker + fn pubkey_jwk(&self) -> Result { + let chain = self + .cert_chain + .as_ref() + .map(|certs| -> Result> { + let mut chain = vec![]; + for cert in certs { + let der = cert.to_der()?; + chain.push(URL_SAFE_NO_PAD.encode(der)); + } 
+ Ok(chain) + }) + .transpose()?; + + let common = jwk::CommonParameters { + key_algorithm: Some(jwk::KeyAlgorithm::ES256), + x509_url: self.cert_url.clone(), + x509_chain: chain, + ..Default::default() + }; + + let public_key = self.private_key.public_key(); + let group = self.private_key.group(); + + let mut ctx = BigNumContext::new()?; + let mut x = BigNum::new()?; + let mut y = BigNum::new()?; + public_key.affine_coordinates_gfp(group, &mut x, &mut y, &mut ctx)?; + + let algorithm = jwk::AlgorithmParameters::EllipticCurve(jwk::EllipticCurveKeyParameters { + key_type: jwk::EllipticCurveKeyType::EC, + curve: jwk::EllipticCurve::P256, + x: URL_SAFE_NO_PAD.encode(x.to_vec()), + y: URL_SAFE_NO_PAD.encode(y.to_vec()), + }); + + let jwk = jwk::Jwk { common, algorithm }; + + Ok(jwk) + } +} + +fn generate_ec_keys() -> Result<(EcKey, Vec, Vec)> { + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?; + let ec_key = EcKey::generate(&group)?; + let pkey = PKey::from_ec_key(ec_key.clone())?; + + Ok(( + ec_key, + pkey.private_key_to_pem_pkcs8()?, + pkey.public_key_to_pem()?, + )) +} + +/// This function does three things. +/// +/// 1) If the input claims include an init_data claim (meaning that +/// the verifier has validated the init_data), add the JSON +/// init_data_claims to the output claims. Do the same thing +/// for the report_data and runtime_data_claims. +/// +/// This means that the full init_data and report_data will be +/// available in the token. +/// +/// 2) Move all claims from input_claims except the ones mentioned +/// in the previous step into their own Object under the tee name. +/// +/// 3) Convert the claims from serde_json Values to RawValues from the +/// EAR crate. 
+/// +pub fn transform_claims( + mut input_claims: Value, + init_data_claims: Value, + runtime_data_claims: Value, + tee: Tee, +) -> Result> { + let mut output_claims = BTreeMap::new(); + + // If the verifier produces an init_data claim (meaning that + // it has validated the init_data hash), add the JSON init_data_claims, + // to the claims map. Do the same for the report data. + // + // These claims will be flattened and provided to the policy engine. + // They will also end up in the EAR token as part of the annotated evidence. + if let Some(claims_map) = input_claims.as_object_mut() { + if let Some(init_data) = claims_map.remove("init_data") { + output_claims.insert( + "init_data".to_string(), + RawValue::Text(init_data.as_str().unwrap().to_string()), + ); + + let transformed_claims: RawValue = + serde_json::from_str(&serde_json::to_string(&init_data_claims)?)?; + output_claims.insert("init_data_claims".to_string(), transformed_claims); + } + + if let Some(report_data) = claims_map.remove("report_data") { + output_claims.insert( + "report_data".to_string(), + RawValue::Text(report_data.as_str().unwrap().to_string()), + ); + + let transformed_claims: RawValue = + serde_json::from_str(&serde_json::to_string(&runtime_data_claims)?)?; + output_claims.insert("runtime_data_claims".to_string(), transformed_claims); + } + } + + let transformed_claims: RawValue = + serde_json::from_str(&serde_json::to_string(&input_claims)?)?; + output_claims.insert(to_variant_name(&tee)?.to_string(), transformed_claims); + + Ok(output_claims) +} + +#[cfg(test)] +mod tests { + use assert_json_diff::assert_json_eq; + use jsonwebtoken::DecodingKey; + use std::io::Write; + use tempfile::NamedTempFile; + + use super::*; + + #[tokio::test] + async fn test_issue_ear_ephemeral_key() { + // use default config with no signer. + // this will sign the token with an ephemeral key. 
+ let config = Configuration::default(); + let broker = EarAttestationTokenBroker::new(config).unwrap(); + + let _token = broker + .issue( + json!({ + "claim": "claim1" + }), + vec!["default".into()], + json!({ + "initdata": "111" + }), + json!({ + "runtime_data": "111" + }), + HashMap::new(), + Tee::Sample, + ) + .await + .unwrap(); + } + + #[tokio::test] + async fn test_issue_and_validate_ear() { + let (_pkey, private_key_bytes, public_key_bytes) = generate_ec_keys().unwrap(); + let mut private_key_file = NamedTempFile::new().unwrap(); + private_key_file.write_all(&private_key_bytes).unwrap(); + + let signer = TokenSignerConfig { + key_path: private_key_file.path().to_str().unwrap().to_string(), + cert_url: None, + cert_path: None, + }; + + let mut config = Configuration::default(); + config.signer = Some(signer); + + let broker = EarAttestationTokenBroker::new(config).unwrap(); + let token = broker + .issue( + json!({ + "claim": "claim1" + }), + vec!["default".into()], + json!({ + "initdata": "111" + }), + json!({ + "runtime_data": "111" + }), + HashMap::new(), + Tee::Sample, + ) + .await + .unwrap(); + + let public_key = DecodingKey::from_ec_pem(&public_key_bytes).unwrap(); + + let ear = Ear::from_jwt(&token, jsonwebtoken::Algorithm::ES256, &public_key).unwrap(); + ear.validate().unwrap(); + } + + #[test] + fn test_transform_claims() { + let json = json!({ + "ccel": { + "kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", + "kernel_parameters": { + "console": "hvc0", + "root": "/dev/vda1", + "rw": "" + } + }, + "quote": { + "header":{ + "version": "0400", + "att_key_type": "0200", + "tee_type": "81000000", + "reserved": "00000000", + "vendor_id": "939a7233f79c4ca9940a0db3957f0607", + "user_data": "d099bfec0a477aa85a605dceabf2b10800000000" + }, + "body":{ + "mr_config_id": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_owner": 
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_owner_config": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_td": "705ee9381b8633a9fbe532b52345e8433343d2868959f57889d84ca377c395b689cac1599ccea1b7d420483a9ce5f031", + "mrsigner_seam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "seam_attributes": "0000000000000000", + "td_attributes": "0100001000000000", + "mr_seam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656", + "tcb_svn": "03000500000000000000000000000000", + "xfam": "e742060000000000" + } + }, + "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "init_data": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + }); + + let init_data_claims = Value::String("".to_string()); + let runtime_data_claims = Value::String("".to_string()); + let transformed_claims = + transform_claims(json, init_data_claims, runtime_data_claims, Tee::Tdx) + .expect("flatten failed"); + + let expected_claims = json!({ + "tdx": { + "ccel": { + "kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", + "kernel_parameters": { + "console": "hvc0", + "root": "/dev/vda1", + "rw": "" + } + }, + "quote": { + "header":{ + "version": "0400", + "att_key_type": "0200", + "tee_type": "81000000", + "reserved": "00000000", + "vendor_id": "939a7233f79c4ca9940a0db3957f0607", + "user_data": "d099bfec0a477aa85a605dceabf2b10800000000" + }, + "body":{ + "mr_config_id": 
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_owner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_owner_config": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_td": "705ee9381b8633a9fbe532b52345e8433343d2868959f57889d84ca377c395b689cac1599ccea1b7d420483a9ce5f031", + "mrsigner_seam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "seam_attributes": "0000000000000000", + "td_attributes": "0100001000000000", + "mr_seam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656", + "tcb_svn": "03000500000000000000000000000000", + "xfam": "e742060000000000" + } + } + }, + "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "init_data": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "runtime_data_claims": "", + "init_data_claims": "" + }); + + assert_json_eq!(expected_claims, transformed_claims); + } +} diff --git a/attestation-service/src/token/ear_default_policy.rego b/attestation-service/src/token/ear_default_policy.rego new file mode 100644 index 0000000000..0c60199325 --- /dev/null +++ b/attestation-service/src/token/ear_default_policy.rego 
@@ -0,0 +1,30 @@
+package policy
+
+import rego.v1
+
+# For the `executables` trust claim, the value 33 stands for
+# "Runtime memory includes executables, scripts, files, and/or
+# objects which are not recognized."
+default executables := 33
+
+# For the `hardware` trust claim, the value 97 stands for
+# "A Verifier does not recognize an Attester's hardware or
+# firmware, but it should be recognized."
+default hardware := 97
+
+# For the `executables` trust claim, the value 3 stands for
+# "Only a recognized genuine set of approved executables have
+# been loaded during the boot process."
+executables := 3 if {
+ input.launch_digest in data.reference.launch_digest
+}
+
+# For the `hardware` trust claim, the value 2 stands for
+# "An Attester has passed its hardware and/or firmware
+# verifications needed to demonstrate that these are genuine/
+# supported.
+hardware := 2 if {
+ input.productId in data.reference.productId
+
+ input.svn in data.reference.svn
+}
diff --git a/attestation-service/src/token/mod.rs b/attestation-service/src/token/mod.rs
index 6a6616e4d5..c0d04e67f2 100644
--- a/attestation-service/src/token/mod.rs
+++ b/attestation-service/src/token/mod.rs
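Review bot: In ear_default_policy.rego the rules read `input.launch_digest`, `input.productId` and `input.svn` at the top level, but `transform_claims` in ear_broker.rs (same patch) moves every evidence claim except `init_data` and `report_data` under the TEE name. Assuming the engine passes that JSON as `input`, these lookups can never match and every appraisal keeps the defaults 33 and 97. That fails closed, which is the safe direction, but the shipped default can then never produce an affirming result. If that is intended, say so in a header comment such as `# Placeholder policy: evidence claims are nested under the TEE name, so replace these rules per platform.` The last comment block is also missing its closing quote after `supported.`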
@@ -4,80 +4,74 @@ // use anyhow::*; +use kbs_types::Tee; use serde::Deserialize; -use serde_json::Value; -use strum::{Display, EnumString}; +use shadow_rs::concatcp; +use std::collections::HashMap; +use strum::Display; +use verifier::TeeEvidenceParsedClaim; -mod simple; +use crate::config::DEFAULT_WORK_DIR; +pub mod ear_broker; +pub mod simple; + +pub const DEFAULT_TOKEN_DURATION: i64 = 5; pub const COCO_AS_ISSUER_NAME: &str = "CoCo-Attestation-Service"; -pub const DEFAULT_TOKEN_TIMEOUT: i64 = 5; -pub trait AttestationTokenBroker { +const DEFAULT_TOKEN_WORK_DIR: &str = concatcp!(DEFAULT_WORK_DIR, "/token"); + +#[async_trait::async_trait] +pub trait AttestationTokenBroker: Send + Sync { /// Issue an signed attestation token with custom claims. /// Return base64 encoded Json Web Token. - fn issue(&self, custom_claims: Value) -> Result; - - /// Get the public keys and X.509 formatted certificate chain of the attestation token broker. - /// Returns the certificate chain in [JWKS format](https://www.rfc-editor.org/rfc/rfc7517#appendix-B). - fn pubkey_jwks(&self) -> Result; -} - -#[derive(Deserialize, Debug, Clone, EnumString, Display, Default, PartialEq)] -pub enum AttestationTokenBrokerType { - #[default] - Simple, -} - -impl AttestationTokenBrokerType { - pub fn to_token_broker( + async fn issue( &self, - config: AttestationTokenConfig, - ) -> Result> { - match self { - AttestationTokenBrokerType::Simple => { - Ok(Box::new(simple::SimpleAttestationTokenBroker::new(config)?) 
- as Box) - } - } - } -} - -#[derive(Deserialize, Debug, Clone, PartialEq)] -pub struct AttestationTokenConfig { - /// The Attestation Result Token duration time(in minute) - #[serde(default = "default_duration_min")] - pub duration_min: i64, + tcb_claims: TeeEvidenceParsedClaim, + policy_ids: Vec, + init_data_claims: serde_json::Value, + runtime_data_claims: serde_json::Value, + reference_data_map: HashMap>, + tee: Tee, + ) -> Result; - #[serde(default = "default_issuer_name")] - pub issuer_name: String, + async fn set_policy(&self, _policy_id: String, _policy: String) -> Result<()> { + bail!("Set Policy not support") + } - pub signer: Option, -} + async fn list_policies(&self) -> Result> { + bail!("List Policies not support") + } -fn default_duration_min() -> i64 { - DEFAULT_TOKEN_TIMEOUT + async fn get_policy(&self, _policy_id: String) -> Result { + bail!("Get Policy not support") + } } -fn default_issuer_name() -> String { - COCO_AS_ISSUER_NAME.to_string() -} - -#[derive(Deserialize, Debug, Clone, PartialEq)] -pub struct TokenSignerConfig { - pub key_path: String, - pub cert_url: Option, - - // PEM format certificate chain. - pub cert_path: Option, +#[derive(Deserialize, Debug, Clone, Display, PartialEq)] +#[serde(tag = "type")] +pub enum AttestationTokenConfig { + Simple(simple::Configuration), + Ear(ear_broker::Configuration), } impl Default for AttestationTokenConfig { fn default() -> Self { - Self { - duration_min: DEFAULT_TOKEN_TIMEOUT, - issuer_name: COCO_AS_ISSUER_NAME.to_string(), - signer: None, + AttestationTokenConfig::Ear(ear_broker::Configuration::default()) + } +} + +impl AttestationTokenConfig { + pub fn to_token_broker(&self) -> Result> { + match self { + AttestationTokenConfig::Simple(cfg) => Ok(Box::new( + simple::SimpleAttestationTokenBroker::new(cfg.clone())?, + ) + as Box), + AttestationTokenConfig::Ear(cfg) => Ok(Box::new( + ear_broker::EarAttestationTokenBroker::new(cfg.clone())?, + ) + as Box), } } } 
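Review bot: In mod.rs, `AttestationTokenConfig::default()` now selects the EAR broker, yet `set_policy`, `list_policies` and `get_policy` are default trait methods that only `bail!`, and the `impl AttestationTokenBroker for EarAttestationTokenBroker` in this patch overrides none of them, so policy management fails on a default configuration. Either override them in the EAR broker or document the limitation on the trait, e.g. `/// Optional: brokers without policy management keep this default, which returns an error.` The messages would read better as `bail!("Set Policy not supported")`, likewise for list and get. Separately, `pubkey_jwks` is dropped from the trait, so callers lose the broker-independent way to obtain the verification key; the EAR broker embeds the JWK in the token header instead, which a relying party should not treat as a trust anchor on its own.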
diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs index 4b20e4ebee..d69394ac86 100644 --- a/attestation-service/src/token/simple.rs +++ b/attestation-service/src/token/simple.rs @@ -2,9 +2,16 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 +//! # Simple Token Broker +//! +//! This is an implementation of Token Broker that uses OPA for +//! policy evaluation. + use anyhow::*; use base64::engine::general_purpose::URL_SAFE_NO_PAD; use base64::Engine; +use kbs_types::Tee; +use log::info; use openssl::rsa::Rsa; use openssl::sign::Signer; use openssl::x509::X509; 
@@ -14,22 +21,100 @@ use openssl::{ }; use rand::distributions::Alphanumeric; use rand::{thread_rng, Rng}; -use serde_json::{json, Value}; +use serde::Deserialize; +use serde_json::{json, Map, Value}; +use serde_variant::to_variant_name; +use shadow_rs::concatcp; +use std::collections::HashMap; +use std::path::Path; +use std::sync::Arc; +use verifier::TeeEvidenceParsedClaim; + +use crate::policy_engine::{PolicyEngine, PolicyEngineType}; +use crate::token::{AttestationTokenBroker, DEFAULT_TOKEN_WORK_DIR}; -use crate::token::{AttestationTokenBroker, AttestationTokenConfig}; +use super::{COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION}; const RSA_KEY_BITS: u32 = 2048; const SIMPLE_TOKEN_ALG: &str = "RS384"; +const DEFAULT_POLICY_DIR: &str = concatcp!(DEFAULT_TOKEN_WORK_DIR, "/simple/policies"); + +const RULES: &str = "allow"; + +#[derive(Deserialize, Debug, Clone, PartialEq)] +pub struct TokenSignerConfig { + pub key_path: String, + pub cert_url: Option, + + // PEM format certificate chain. + pub cert_path: Option, +} + +#[derive(Deserialize, Debug, Clone, PartialEq)] +pub struct Configuration { + /// The Attestation Results Token duration time (in minutes) + /// Default: 5 minutes + #[serde(default = "default_duration")] + pub duration_min: i64, + + /// the issuer of the token + #[serde(default = "default_issuer_name")] + pub issuer_name: String, + + /// Configuration for signing the token. + /// If this is not specified, the token + /// will be signed with an ephemeral private key. + pub signer: Option, + + /// The path to the work directory that contains policies + /// to provision the tokens. 
+ #[serde(default = "default_policy_dir")] + pub policy_dir: String, +} + +#[inline] +fn default_duration() -> i64 { + DEFAULT_TOKEN_DURATION +} + +#[inline] +fn default_issuer_name() -> String { + COCO_AS_ISSUER_NAME.to_string() +} + +#[inline] +fn default_policy_dir() -> String { + DEFAULT_POLICY_DIR.to_string() +} + +impl Default for Configuration { + fn default() -> Self { + Self { + duration_min: default_duration(), + issuer_name: default_issuer_name(), + signer: None, + policy_dir: default_policy_dir(), + } + } +} + pub struct SimpleAttestationTokenBroker { private_key: Rsa, - config: AttestationTokenConfig, + config: Configuration, cert_url: Option, cert_chain: Option>, + policy_engine: Arc, } impl SimpleAttestationTokenBroker { - pub fn new(config: AttestationTokenConfig) -> Result { + pub fn new(config: Configuration) -> Result { + let policy_engine = PolicyEngineType::OPA.to_policy_engine( + Path::new(&config.policy_dir), + include_str!("simple_default_policy.rego"), + )?; + info!("Loading default AS policy \"simple_default_policy.rego\""); + if config.signer.is_none() { log::info!("No Token Signer key in config file, create an ephemeral key and without CA pubkey cert"); return Ok(Self { @@ -37,6 +122,7 @@ impl SimpleAttestationTokenBroker { config, cert_url: None, cert_chain: None, + policy_engine, }); } @@ -71,6 +157,7 @@ impl SimpleAttestationTokenBroker { config, cert_url: signer.cert_url, cert_chain, + policy_engine, }) } } 
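Review bot: In simple.rs, `TokenSignerConfig` is the part of the configuration that points at the signing key, and none of its fields has a rustdoc comment: `key_path` and `cert_url` are bare, and `cert_path` carries a plain `//` comment that rustdoc drops. Suggest `/// Path to the private key file used to sign tokens.` on `key_path`, `/// URL published as the x5u parameter of the JWK.` on `cert_url`, and turning the existing line into `/// PEM format certificate chain.` `SimpleAttestationTokenBroker::new` continues outside this hunk.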
@@ -84,10 +171,98 @@ impl SimpleAttestationTokenBroker { Ok(signature) } + + fn pubkey_jwks(&self) -> Result { + let n = self.private_key.n().to_vec(); + let e = self.private_key.e().to_vec(); + + let mut jwk = Jwk { + kty: "RSA".to_string(), + alg: SIMPLE_TOKEN_ALG.to_string(), + n: URL_SAFE_NO_PAD.encode(n), + e: URL_SAFE_NO_PAD.encode(e), + x5u: None, + x5c: None, + }; + + jwk.x5u.clone_from(&self.cert_url); + if let Some(cert_chain) = self.cert_chain.clone() { + let mut x5c = Vec::new(); + for cert in cert_chain { + let der = cert.to_der()?; + x5c.push(URL_SAFE_NO_PAD.encode(der)); + } + jwk.x5c = Some(x5c); + } + + let jwks = json!({ + "keys": vec![jwk], + }); + + Ok(serde_json::to_string(&jwks)?) + } } +#[async_trait::async_trait] impl AttestationTokenBroker for SimpleAttestationTokenBroker { - fn issue(&self, custom_claims: Value) -> Result { + async fn issue( + &self, + tcb_claims: TeeEvidenceParsedClaim, + policy_ids: Vec, + init_data_claims: serde_json::Value, + runtime_data_claims: serde_json::Value, + reference_data_map: HashMap>, + tee: Tee, + ) -> Result { + let claims = flatten_claims(tee, &tcb_claims)?; + let reference_data = json!({ + "reference": reference_data_map, + }); + let reference_data = serde_json::to_string(&reference_data)?; + let tcb_claims = serde_json::to_string(&claims)?; + + let mut policies = HashMap::new(); + for policy_id in policy_ids { + let policy_results = self + .policy_engine + .evaluate(&reference_data, &tcb_claims, &policy_id, &[RULES]) + .await?; + + // TODO add policy allowlist + let Some(result) = policy_results.rules_result.get("allow") else { + bail!("Policy results must contain `allow` claim"); + }; + + let result = result + .as_bool() + .context("value `allow` must be a bool in policy")?; + if !result { + bail!("Reject by policy {policy_id}"); + } + + policies.insert(policy_id, policy_results.policy_hash); + } + + let policies: Vec<_> = policies + .into_iter() + .map(|(k, v)| { + json!({ + "policy-id": k, + 
"policy-hash": v, + }) + }) + .collect(); + + let token_claims = json!({ + "tee": to_variant_name(&tee)?, + "evaluation-reports": policies, + "tcb-status": tcb_claims, + "customized_claims": { + "init_data": init_data_claims, + "runtime_data": runtime_data_claims, + }, + }); + let header_value = json!({ "typ": "JWT", "alg": SIMPLE_TOKEN_ALG, @@ -105,7 +280,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { .map(char::from) .collect(); - let mut claims = json!({ + let mut jwt_claims = json!({ "iss": self.config.issuer_name.clone(), "iat": now.unix_timestamp(), "jti": id, @@ -116,8 +291,8 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { .ok_or_else(|| anyhow!("Internal Error: generate claims failed"))? .clone(); - claims.extend( - custom_claims + jwt_claims.extend( + token_claims .as_object() .ok_or_else(|| anyhow!("Illegal token custom claims"))? .to_owned(), 
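Review bot: In `SimpleAttestationTokenBroker::issue`, an empty `policy_ids` skips the evaluation loop entirely and the function still goes on to sign a token with an empty `evaluation-reports` list, so a token can be issued without any policy having allowed it. The EAR broker in this patch rejects that case, and the same guard belongs here before the loop: `if policy_ids.is_empty() { bail!("No policy is given for simple token generation."); }`. Also, `tcb_claims` is rebound to the serialized string before it is placed under `tcb-status`, so that claim is emitted as a JSON-encoded string rather than an object; use `claims` there if an object is intended. The rest of `issue` lies outside this hunk.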
@@ -136,34 +311,25 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { Ok(token) } - fn pubkey_jwks(&self) -> Result { - let n = self.private_key.n().to_vec(); - let e = self.private_key.e().to_vec(); - - let mut jwk = Jwk { - kty: "RSA".to_string(), - alg: SIMPLE_TOKEN_ALG.to_string(), - n: URL_SAFE_NO_PAD.encode(n), - e: URL_SAFE_NO_PAD.encode(e), - x5u: None, - x5c: None, - }; - - jwk.x5u.clone_from(&self.cert_url); - if let Some(cert_chain) = self.cert_chain.clone() { - let mut x5c = Vec::new(); - for cert in cert_chain { - let der = cert.to_der()?; - x5c.push(URL_SAFE_NO_PAD.encode(der)); - } - jwk.x5c = Some(x5c); - } + async fn set_policy(&self, policy_id: String, policy: String) -> Result<()> { + self.policy_engine + .set_policy(policy_id, policy) + .await + .map_err(Error::from) + } - let jwks = json!({ - "keys": vec![jwk], - }); + async fn list_policies(&self) -> Result> { + self.policy_engine + .list_policies() + .await + .map_err(Error::from) + } - Ok(serde_json::to_string(&jwks)?) + async fn get_policy(&self, policy_id: String) -> Result { + self.policy_engine + .get_policy(policy_id) + .await + .map_err(Error::from) } } 
@@ -178,3 +344,187 @@ struct Jwk { #[serde(skip_serializing_if = "Option::is_none")] pub x5c: Option>, } + +/// This funciton will transpose the following structured json +/// ```json +/// { +/// "a" : { +/// "b": "c" +/// }, +/// "d": "e" +/// } +/// ``` +/// into a flatten one with '.' to separate and also be added a prefix of tee name, e.g. +/// ```json +/// { +/// "sample.a.b": "c", +/// "sample.d": "e" +/// } +/// ``` +/// +/// But the key `init_data` and `report_data` will not be added the prefix. +fn flatten_claims( + tee: kbs_types::Tee, + claims: &TeeEvidenceParsedClaim, +) -> Result> { + let mut map = Map::new(); + let tee_type = to_variant_name(&tee)?; + match claims { + Value::Object(obj) => { + for (k, v) in obj { + if k != "report_data" && k != "init_data" { + flatten_helper(&mut map, v, format!("{tee_type}.{}", k.clone())); + } + } + let report_data = obj + .get("report_data") + .cloned() + .unwrap_or(Value::String(String::new())); + map.insert("report_data".to_string(), report_data.clone()); + + let report_data = obj + .get("init_data") + .cloned() + .unwrap_or(Value::String(String::new())); + map.insert("init_data".to_string(), report_data.clone()); + } + _ => bail!("input claims must be a map"), + } + + Ok(map) +} + +/// Recursion algorithm helper of `flatten_claims` +fn flatten_helper(parent: &mut Map, child: &serde_json::Value, prefix: String) { + match child { + Value::Null => { + let _ = parent.insert(prefix, Value::Null); + } + Value::Bool(v) => { + let _ = parent.insert(prefix, Value::Bool(*v)); + } + Value::Number(v) => { + let _ = parent.insert(prefix, Value::Number(v.clone())); + } + Value::String(str) => { + let _ = parent.insert(prefix, Value::String(str.clone())); + } + Value::Array(arr) => { + let _ = parent.insert(prefix, Value::Array(arr.clone())); + } + Value::Object(obj) => { + for (k, v) in obj { + let sub_prefix = format!("{prefix}.{k}"); + flatten_helper(parent, v, sub_prefix); + } + } + } +} + +#[cfg(test)] +mod tests { + use 
std::collections::HashMap; + + use assert_json_diff::assert_json_eq; + use kbs_types::Tee; + use serde_json::json; + + use crate::token::{ + simple::{Configuration, SimpleAttestationTokenBroker}, + AttestationTokenBroker, + }; + + use super::flatten_claims; + + #[tokio::test] + async fn test_issue_simple_ephemeral_key() { + // use default config with no signer. + // this will sign the token with an ephemeral key. + let config = Configuration::default(); + let broker = SimpleAttestationTokenBroker::new(config).unwrap(); + + let _token = broker + .issue( + json!({ + "claim": "claim1" + }), + vec!["default".into()], + json!({ + "initdata": "111" + }), + json!({ + "runtime_data": "111" + }), + HashMap::new(), + Tee::Sample, + ) + .await + .unwrap(); + } + + #[test] + fn flatten() { + let json = json!({ + "ccel": { + "kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", + "kernel_parameters": { + "console": "hvc0", + "root": "/dev/vda1", + "rw": null + } + }, + "quote": { + "header":{ + "version": "0400", + "att_key_type": "0200", + "tee_type": "81000000", + "reserved": "00000000", + "vendor_id": "939a7233f79c4ca9940a0db3957f0607", + "user_data": "d099bfec0a477aa85a605dceabf2b10800000000" + }, + "body":{ + "mr_config_id": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_owner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_owner_config": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "mr_td": "705ee9381b8633a9fbe532b52345e8433343d2868959f57889d84ca377c395b689cac1599ccea1b7d420483a9ce5f031", + "mrsigner_seam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "report_data": 
"7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "seam_attributes": "0000000000000000", + "td_attributes": "0100001000000000", + "mr_seam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656", + "tcb_svn": "03000500000000000000000000000000", + "xfam": "e742060000000000" + } + }, + "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "init_data": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + }); + let flatten = flatten_claims(kbs_types::Tee::Tdx, &json).expect("flatten failed"); + let expected = json!({ + "tdx.ccel.kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", + "tdx.ccel.kernel_parameters.console": "hvc0", + "tdx.ccel.kernel_parameters.root": "/dev/vda1", + "tdx.ccel.kernel_parameters.rw": null, + "tdx.quote.header.version": "0400", + "tdx.quote.header.att_key_type": "0200", + "tdx.quote.header.tee_type": "81000000", + "tdx.quote.header.reserved": "00000000", + "tdx.quote.header.vendor_id": "939a7233f79c4ca9940a0db3957f0607", + "tdx.quote.header.user_data": "d099bfec0a477aa85a605dceabf2b10800000000", + "tdx.quote.body.mr_config_id": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tdx.quote.body.mr_owner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tdx.quote.body.mr_owner_config": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tdx.quote.body.mr_td": "705ee9381b8633a9fbe532b52345e8433343d2868959f57889d84ca377c395b689cac1599ccea1b7d420483a9ce5f031", + "tdx.quote.body.mrsigner_seam": 
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tdx.quote.body.report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "tdx.quote.body.seam_attributes": "0000000000000000", + "tdx.quote.body.td_attributes": "0100001000000000", + "tdx.quote.body.mr_seam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656", + "tdx.quote.body.tcb_svn": "03000500000000000000000000000000", + "tdx.quote.body.xfam": "e742060000000000", + "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", + "init_data": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + }); + assert_json_eq!(expected, flatten); + } +} diff --git a/attestation-service/src/policy_engine/opa/default_policy.rego b/attestation-service/src/token/simple_default_policy.rego similarity index 100% rename from attestation-service/src/policy_engine/opa/default_policy.rego rename to attestation-service/src/token/simple_default_policy.rego diff --git a/attestation-service/src/utils.rs b/attestation-service/src/utils.rs deleted file mode 100644 index a116397d24..0000000000 --- a/attestation-service/src/utils.rs +++ /dev/null 
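Review bot: In simple.rs, `flatten_claims` joins nested keys with `.` without escaping, so a claim key that itself contains a dot is indistinguishable from a nested path, and the later insert silently overwrites the earlier one in the map handed to policy evaluation. Empty objects also disappear, because `flatten_helper` inserts nothing for them. Whether any verifier emits such keys is not visible here, so at minimum document the constraint: `/// Claim keys must not contain '.'; colliding flattened keys overwrite each other.` Minor: the doc comment says `funciton`, and the second `let report_data` actually holds the `init_data` value.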
@@ -1,159 +0,0 @@ -// Copyright (c) 2023 Alibaba Cloud -// -// SPDX-License-Identifier: Apache-2.0 -// - -use anyhow::*; -use serde_json::{Map, Value}; -use serde_variant::to_variant_name; -use verifier::TeeEvidenceParsedClaim; - -/// This funciton will transpose the following structured json -/// ```json -/// { -/// "a" : { -/// "b": "c" -/// }, -/// "d": "e" -/// } -/// ``` -/// into a flatten one with '.' to separate and also be added a prefix of tee name, e.g. -/// ```json -/// { -/// "sample.a.b": "c", -/// "sample.d": "e" -/// } -/// ``` -/// -/// But the key `init_data` and `report_data` will not be added the prefix. -pub fn flatten_claims( - tee: kbs_types::Tee, - claims: &TeeEvidenceParsedClaim, -) -> Result> { - let mut map = Map::new(); - let tee_type = to_variant_name(&tee)?; - match claims { - Value::Object(obj) => { - for (k, v) in obj { - if k != "report_data" && k != "init_data" { - flatten_helper(&mut map, v, format!("{tee_type}.{}", k.clone())); - } - } - let report_data = obj - .get("report_data") - .cloned() - .unwrap_or(Value::String(String::new())); - map.insert("report_data".to_string(), report_data.clone()); - - let report_data = obj - .get("init_data") - .cloned() - .unwrap_or(Value::String(String::new())); - map.insert("init_data".to_string(), report_data.clone()); - } - _ => bail!("input claims must be a map"), - } - - Ok(map) -} - -/// Recursion algorithm helper of `flatten_claims` -fn flatten_helper(parent: &mut Map, child: &serde_json::Value, prefix: String) { - match child { - Value::Null => { - let _ = parent.insert(prefix, Value::Null); - } - Value::Bool(v) => { - let _ = parent.insert(prefix, Value::Bool(*v)); - } - Value::Number(v) => { - let _ = parent.insert(prefix, Value::Number(v.clone())); - } - Value::String(str) => { - let _ = parent.insert(prefix, Value::String(str.clone())); - } - Value::Array(arr) => { - let _ = parent.insert(prefix, Value::Array(arr.clone())); - } - Value::Object(obj) => { - for (k, v) in obj { - let 
sub_prefix = format!("{prefix}.{k}"); - flatten_helper(parent, v, sub_prefix); - } - } - } -} - -#[cfg(test)] -mod tests { - use assert_json_diff::assert_json_eq; - use serde_json::json; - - use super::flatten_claims; - - #[test] - fn flatten() { - let json = json!({ - "ccel": { - "kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", - "kernel_parameters": { - "console": "hvc0", - "root": "/dev/vda1", - "rw": null - } - }, - "quote": { - "header":{ - "version": "0400", - "att_key_type": "0200", - "tee_type": "81000000", - "reserved": "00000000", - "vendor_id": "939a7233f79c4ca9940a0db3957f0607", - "user_data": "d099bfec0a477aa85a605dceabf2b10800000000" - }, - "body":{ - "mr_config_id": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "mr_owner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "mr_owner_config": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "mr_td": "705ee9381b8633a9fbe532b52345e8433343d2868959f57889d84ca377c395b689cac1599ccea1b7d420483a9ce5f031", - "mrsigner_seam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", - "seam_attributes": "0000000000000000", - "td_attributes": "0100001000000000", - "mr_seam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656", - "tcb_svn": "03000500000000000000000000000000", - "xfam": "e742060000000000" - } - }, - "report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", - "init_data": 
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - }); - let flatten = flatten_claims(kbs_types::Tee::Tdx, &json).expect("flatten failed"); - let expected = json!({ - "tdx.ccel.kernel": "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa", - "tdx.ccel.kernel_parameters.console": "hvc0", - "tdx.ccel.kernel_parameters.root": "/dev/vda1", - "tdx.ccel.kernel_parameters.rw": null, - "tdx.quote.header.version": "0400", - "tdx.quote.header.att_key_type": "0200", - "tdx.quote.header.tee_type": "81000000", - "tdx.quote.header.reserved": "00000000", - "tdx.quote.header.vendor_id": "939a7233f79c4ca9940a0db3957f0607", - "tdx.quote.header.user_data": "d099bfec0a477aa85a605dceabf2b10800000000", - "tdx.quote.body.mr_config_id": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "tdx.quote.body.mr_owner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "tdx.quote.body.mr_owner_config": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "tdx.quote.body.mr_td": "705ee9381b8633a9fbe532b52345e8433343d2868959f57889d84ca377c395b689cac1599ccea1b7d420483a9ce5f031", - "tdx.quote.body.mrsigner_seam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", - "tdx.quote.body.report_data": "7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", - "tdx.quote.body.seam_attributes": "0000000000000000", - "tdx.quote.body.td_attributes": "0100001000000000", - "tdx.quote.body.mr_seam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656", - "tdx.quote.body.tcb_svn": "03000500000000000000000000000000", - "tdx.quote.body.xfam": "e742060000000000", - "report_data": 
"7c71fe2c86eff65a7cf8dbc22b3275689fd0464a267baced1bf94fc1324656aeb755da3d44d098c0c87382f3a5f85b45c8a28fee1d3bdb38342bf96671501429", - "init_data": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" - }); - assert_json_eq!(expected, flatten); - } -} diff --git a/attestation-service/tests/configs/example1.json b/attestation-service/tests/configs/example1.json new file mode 100644 index 0000000000..da1c7a3290 --- /dev/null +++ b/attestation-service/tests/configs/example1.json @@ -0,0 +1,14 @@ +{ + "work_dir": "/var/lib/attestation-service/", + "rvps_config": { + "type": "BuiltIn", + "store_type": "LocalFs", + "remote_addr": "" + }, + "attestation_token_broker": { + "type": "Simple", + "duration_min": 5, + "policy_dir": "/var/lib/attestation-service/policies", + "issuer_name": "test" + } +} diff --git a/attestation-service/tests/configs/example2.json b/attestation-service/tests/configs/example2.json new file mode 100644 index 0000000000..2000b5c780 --- /dev/null +++ b/attestation-service/tests/configs/example2.json @@ -0,0 +1,19 @@ +{ + "work_dir": "/var/lib/attestation-service/", + "rvps_config": { + "type": "BuiltIn", + "store_type": "LocalFs", + "remote_addr": "" + }, + "attestation_token_broker": { + "type": "Simple", + "duration_min": 5, + "policy_dir": "/var/lib/attestation-service/policies", + "issuer_name": "test", + "signer": { + "key_path": "/etc/key", + "cert_url": "https://example.io", + "cert_path": "/etc/cert.pem" + } + } +} diff --git a/attestation-service/tests/configs/example3.json b/attestation-service/tests/configs/example3.json new file mode 100644 index 0000000000..4ed2563df4 --- /dev/null +++ b/attestation-service/tests/configs/example3.json 
@@ -0,0 +1,17 @@ +{ + "work_dir": "/var/lib/attestation-service/", + "rvps_config": { + "type": "BuiltIn", + "store_type": "LocalFs", + "remote_addr": "" + }, + "attestation_token_broker": { + "type": "Ear", + "duration_min": 5, + "policy_dir": "/var/lib/attestation-service/policies", + "issuer_name": "test", + "developer_name": "someone", + "build_name": "0.1.0", + "profile_name": "tag:github.com,2024:confidential-containers/Trustee" + } +} diff --git a/attestation-service/tests/configs/example4.json b/attestation-service/tests/configs/example4.json new file mode 100644 index 0000000000..a192969da2 --- /dev/null +++ b/attestation-service/tests/configs/example4.json @@ -0,0 +1,22 @@ +{ + "work_dir": "/var/lib/attestation-service/", + "rvps_config": { + "type": "BuiltIn", + "store_type": "LocalFs", + "remote_addr": "" + }, + "attestation_token_broker": { + "type": "Ear", + "duration_min": 5, + "policy_dir": "/var/lib/attestation-service/policies", + "issuer_name": "test", + "developer_name": "someone", + "build_name": "0.1.0", + "profile_name": "tag:github.com,2024:confidential-containers/Trustee", + "signer": { + "key_path": "/etc/key", + "cert_url": "https://example.io", + "cert_path": "/etc/cert.pem" + } + } +} diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index 887b711d4d..1df4d87cc8 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md @@ -106,9 +106,9 @@ insecure_key = true [as_config] work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" -[as_config.attestation_token_config] +[as_config.attestation_token_broker] +type = "Ear" duration_min = 5 [as_config.rvps_config] 
@@ -252,4 +252,4 @@ Where the values `se.version`, `se.attestation_phkh`, `se.image_phkh` and `se.ta #### Set the attestation policy ```bash kbs-client --url http://127.0.0.1:8080 config --auth-private-key ./kbs/kbs.key set-attestation-policy --policy-file ./ibmse-policy.rego -``` \ No newline at end of file +``` diff --git a/kbs/config/as-config.json b/kbs/config/as-config.json index 0a2a3e1f9e..125e1dbb6a 100644 --- a/kbs/config/as-config.json +++ b/kbs/config/as-config.json @@ -5,8 +5,12 @@ "type": "GrpcRemote", "address": "http://rvps:50003" }, - "attestation_token_broker": "Simple", - "attestation_token_config": { - "duration_min": 5 + "attestation_token_broker": { + "type": "Ear", + "duration_min": 5, + "signer": { + "key_path":"/opt/confidential-containers/attestation-service/keys/private_key.pem" + + } } } \ No newline at end of file diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml index 0adef72eaf..f4f17b7044 100644 --- a/kbs/config/kbs-config.toml +++ b/kbs/config/kbs-config.toml @@ -8,9 +8,9 @@ insecure_api = true type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" -[attestation_service.attestation_token_config] +[attestation_service.attestation_token_broker] +type = "Ear" duration_min = 5 [attestation_service.rvps_config] diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 3bee3790b4..921b5780c4 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml 
@@ -11,11 +11,14 @@ insecure_key = true type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" -[attestation_service.attestation_token_config] +[attestation_service.attestation_token_broker] +type = "Ear" duration_min = 5 +[attestation_service.attestation_token_broker.signer] +key_path = "/kbs/as-private-key.pem" + [attestation_service.rvps_config] type = "BuiltIn" store_type = "LocalFs" @@ -27,3 +30,4 @@ auth_public_key = "/kbs/kbs.pem" name = "resource" type = "LocalFs" dir_path = "/opt/confidential-containers/kbs/repository" + diff --git a/kbs/docs/config.md b/kbs/docs/config.md index b4830c18a1..848995853f 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md @@ -251,9 +251,9 @@ insecure_api = true type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" - [attestation_service.attestation_token_config] + [attestation_service.attestation_token_broker] + type = "Ear" duration_min = 5 [attestation_service.rvps_config] diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md index 3d9e19df6f..94625a0e24 100644 --- a/kbs/docs/self-signed-https.md +++ b/kbs/docs/self-signed-https.md @@ -81,9 +81,9 @@ policy_path = "/opa/confidential-containers/kbs/policy.rego" type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" - [attestation_service.attestation_token_config] + [attestation_serivce.attestation_token_broker] + type = "Ear" duration_min = 5 [attestation_service.rvps_config] 
@@ -132,4 +132,4 @@ Set resource success shows it succeeded. -**The port mapping is very important as the FQDN inside the cert is set as `localhost`.** We must ensure the URI used on the client tool set is the same as the one inside the certificate's CommonName. \ No newline at end of file +**The port mapping is very important as the FQDN inside the cert is set as `localhost`.** We must ensure the URI used on the client tool set is the same as the one inside the certificate's CommonName. diff --git a/kbs/quickstart.md b/kbs/quickstart.md index 8447f3057a..8e4ac535a2 100644 --- a/kbs/quickstart.md +++ b/kbs/quickstart.md @@ -214,7 +214,7 @@ which both should be PEM format. Adding the following content to TOML config file of KBS itself: ```toml -[as_config.attestation_token_config.signer] +[as_config.attestation_token_broker.signer] key_path = "/path/to/token-key.pem" cert_path = "/path/to/token-cert-chain.pem" ``` @@ -228,7 +228,8 @@ Adding the following content to JSON config file of gRPC AS: { ... - "attestation_token_config": { + "attestation_token_broker": { + "type": "Ear", "duration_min": 5, "signer": { "key_path": "/path/to/token-key.pem", diff --git a/kbs/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs index a6b9faaf0a..be2d303a5d 100644 --- a/kbs/src/attestation/coco/builtin.rs +++ b/kbs/src/attestation/coco/builtin.rs @@ -41,7 +41,7 @@ impl Attest for BuiltInCoCoAs { HashAlgorithm::Sha384, None, HashAlgorithm::Sha384, - vec!["default".into()], + vec!["default".to_string()], ) .await } diff --git a/kbs/src/config.rs b/kbs/src/config.rs index 3c4f2ff41a..1262c7e374 100644 --- a/kbs/src/config.rs +++ b/kbs/src/config.rs 
@@ -121,10 +121,7 @@ mod tests { #[cfg(feature = "coco-as-builtin")] use attestation_service::{ rvps::{grpc::RvpsRemoteConfig, RvpsConfig, RvpsCrateConfig}, - token::{ - AttestationTokenBrokerType, AttestationTokenConfig, COCO_AS_ISSUER_NAME, - DEFAULT_TOKEN_TIMEOUT, - }, + token::{simple, AttestationTokenConfig, COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION}, }; use rstest::rstest; @@ -184,16 +181,15 @@ mod tests { crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( attestation_service::config::Config { work_dir: "/opt/coco/attestation-service".into(), - policy_engine: "opa".into(), - attestation_token_broker: AttestationTokenBrokerType::Simple, rvps_config: RvpsConfig::GrpcRemote(RvpsRemoteConfig { address: "http://127.0.0.1:50003".into(), }), - attestation_token_config: AttestationTokenConfig { - duration_min: DEFAULT_TOKEN_TIMEOUT, + attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { + duration_min: DEFAULT_TOKEN_DURATION, issuer_name: COCO_AS_ISSUER_NAME.into(), signer: None, - }, + ..Default::default() + }), } ), timeout: crate::attestation::config::DEFAULT_TIMEOUT, @@ -297,16 +293,14 @@ mod tests { crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( attestation_service::config::Config { work_dir: "/opt/confidential-containers/attestation-service".into(), - policy_engine: "opa".into(), - attestation_token_broker: AttestationTokenBrokerType::Simple, rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { store_type: "LocalFs".into(), store_config: json!({}), }), - attestation_token_config: AttestationTokenConfig { + attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration{ duration_min: 5, ..Default::default() - }, + }), } ), timeout: crate::attestation::config::DEFAULT_TIMEOUT, 
@@ -429,16 +423,14 @@ mod tests { crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( attestation_service::config::Config { work_dir: "/opt/confidential-containers/attestation-service".into(), - policy_engine: "opa".into(), - attestation_token_broker: AttestationTokenBrokerType::Simple, rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { store_type: "LocalFs".into(), ..Default::default() }), - attestation_token_config: AttestationTokenConfig { + attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { duration_min: 5, ..Default::default() - }, + }), } ), timeout: crate::attestation::config::DEFAULT_TIMEOUT, diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index 012e8b6220..9dc505222e 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -14,12 +14,12 @@ work_dir = "./work/attestation-service" policy_engine = "opa" attestation_token_broker = "Simple" -[attestation_service.attestation_token_config] +[attestation_service.attestation_token_broker] +type = "Ear" duration_min = 5 -[attestation_service.attestation_token_config.signer] -key_path = "./work/token.key" -cert_path = "./work/token-cert-chain.pem" +[attestation_service.attestation_token_broker.signer] +key_path = "./work/as-private-key.pem" [attestation_service.rvps_config] type = "BuiltIn" diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml index 977ef10c6a..0d68410c0d 100644 --- a/kbs/test/config/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml @@ -6,8 +6,8 @@ insecure_http = true auth_public_key = "./work/kbs.pem" [attestation_token] -trusted_certs_paths = ["./work/ca-cert.pem"] -insecure_key = false +type = "Ear" +trusted_certs_paths = ["./work/as-public-key.pem"] [policy_engine] policy_path = "./work/kbs-policy.rego" diff --git a/kbs/test_data/configs/coco-as-builtin-1.toml b/kbs/test_data/configs/coco-as-builtin-1.toml index 1b776755d6..2d43c9f284 100644 
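Review bot: In the kbs/test/config/kbs.toml hunk, `attestation_token_broker = "Simple"` stays as a context line directly above the new `[attestation_service.attestation_token_broker]` table, so the same key is defined once as a string and once as a table, which a TOML parser rejects as a redefinition. The string line should be deleted in this commit rather than left for later. Patch 191 in this series does drop it, but until then the e2e config cannot load, which makes this commit hard to bisect. The enclosing `[attestation_service]` table header is outside the hunk; its position is inferred from the fuller kbs.toml hunk in patch 191.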
--- a/kbs/test_data/configs/coco-as-builtin-1.toml +++ b/kbs/test_data/configs/coco-as-builtin-1.toml @@ -2,7 +2,9 @@ type = "coco_as_builtin" work_dir = "/opt/coco/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" + + [attestation_service.attestation_token_broker] + type = "Simple" [attestation_service.rvps_config] type = "GrpcRemote" diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml index e137d9523d..3ad045a5d8 100644 --- a/kbs/test_data/configs/coco-as-builtin-2.toml +++ b/kbs/test_data/configs/coco-as-builtin-2.toml @@ -10,9 +10,9 @@ insecure_http = true type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" -[attestation_service.attestation_token_config] +[attestation_service.attestation_token_broker] +type = "Simple" duration_min = 5 [attestation_service.rvps_config] diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index 7786781d83..060aa78da2 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml @@ -7,9 +7,9 @@ insecure_http = true type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" -[attestation_service.attestation_token_config] +[attestation_service.attestation_token_broker] +type = "Simple" duration_min = 5 [attestation_service.rvps_config] From 2b07c524fbbcafbeeedaf20037960afff38964e9 Mon Sep 17 00:00:00 2001 
From: Tobin Feldman-Fitzthum Date: Fri, 22 Nov 2024 17:37:16 -0600 Subject: [PATCH 189/298] token: allow KBS to verify ear tokens as JWTs EAR tokens are JWTs. We already have a JWT verifier, so let's use this to validate our EAR tokens. We'll need a few small adjustments. First, add the path to the public key in the EAR token (it's in the endorsed claims). Second, expand the token verifier to support EC JWKs because rust-ear does not seem to support RSA. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/src/token/jwk.rs | 59 +++++++++++++++++++++++++++++--------------- kbs/src/token/mod.rs | 3 +++ 2 files changed, 42 insertions(+), 20 deletions(-) diff --git a/kbs/src/token/jwk.rs b/kbs/src/token/jwk.rs index b51b7c9a1c..7f66223edf 100644 --- a/kbs/src/token/jwk.rs +++ b/kbs/src/token/jwk.rs @@ -6,9 +6,11 @@ use crate::token::AttestationTokenVerifierConfig; use anyhow::{anyhow, bail, Context}; use base64::engine::general_purpose::URL_SAFE_NO_PAD; use base64::Engine; -use jsonwebtoken::jwk::{AlgorithmParameters, Jwk}; +use jsonwebtoken::jwk::{AlgorithmParameters, EllipticCurve, Jwk}; use jsonwebtoken::{decode, decode_header, jwk, Algorithm, DecodingKey, Header, Validation}; -use openssl::bn::BigNum; +use openssl::bn::{BigNum, BigNumContext}; +use openssl::ec::{EcGroup, EcKey, EcPoint}; +use openssl::nid::Nid; use openssl::pkey::PKey; use openssl::stack::Stack; use openssl::x509::store::X509StoreBuilder; 
@@ -112,34 +114,51 @@ impl JwkAttestationTokenVerifier { } fn verify_jwk_endorsement(&self, key: &Jwk) -> anyhow::Result<()> { - let AlgorithmParameters::RSA(rsa) = &key.algorithm else { - bail!("Only supports RSA JWK now"); - }; + let public_key = match &key.algorithm { + AlgorithmParameters::RSA(rsa) => { + let n = URL_SAFE_NO_PAD + .decode(&rsa.n) + .context("decode RSA public key parameter n")?; + let n = BigNum::from_slice(&n)?; + let e = URL_SAFE_NO_PAD + .decode(&rsa.e) + .context("decode RSA public key parameter e")?; + let e = BigNum::from_slice(&e)?; + + let rsa_key = Rsa::from_public_components(n, e)?; + PKey::from_rsa(rsa_key)? + } + AlgorithmParameters::EllipticCurve(ec) => { + let x = BigNum::from_slice(&URL_SAFE_NO_PAD.decode(&ec.x)?)?; + let y = BigNum::from_slice(&URL_SAFE_NO_PAD.decode(&ec.y)?)?; + + let group = match ec.curve { + EllipticCurve::P256 => EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?, + _ => bail!("Unsupported elliptic curve"), + }; - let n = URL_SAFE_NO_PAD - .decode(&rsa.n) - .context("decode RSA public key parameter n")?; - let n = BigNum::from_slice(&n)?; - let e = URL_SAFE_NO_PAD - .decode(&rsa.e) - .context("decode RSA public key parameter e")?; - let e = BigNum::from_slice(&e)?; + let mut ctx = BigNumContext::new()?; + let mut point = EcPoint::new(&group)?; + point.set_affine_coordinates_gfp(&group, &x, &y, &mut ctx)?; - let public_key = Rsa::from_public_components(n, e)?; - let public_key = PKey::from_rsa(public_key)?; + let ec_key = EcKey::from_public_key(&group, &point)?; + PKey::from_ec_key(ec_key)? + } + _ => bail!("Only RSA or EC JWKs are supported."), + }; let Some(x5c) = &key.common.x509_chain else { - bail!("No x5c extension inside JWK. Malwared public key.") + bail!("No x5c extension inside JWK. Invalid public key.") }; if x5c.is_empty() { - bail!("No x5c extension inside JWK. Malwared public key.") + bail!("Empty x5c extension inside JWK. 
Invalid public key.") } let pem = x5c[0].split('\n').collect::(); let der = URL_SAFE_NO_PAD.decode(pem).context("Illegal x5c cert")?; - let leaf_cert = X509::from_der(&der).context("malwared x509 in x5c")?; + let leaf_cert = X509::from_der(&der).context("Invalid x509 in x5c")?; // verify the public key matches the leaf cert if !public_key.public_eq(leaf_cert.public_key()?.as_ref()) { bail!("jwk does not match x5c"); @@ -150,7 +169,7 @@ impl JwkAttestationTokenVerifier { let pem = cert.split('\n').collect::(); let der = URL_SAFE_NO_PAD.decode(&pem).context("Illegal x5c cert")?; - let cert = X509::from_der(&der).context("malwared x509 in x5c")?; + let cert = X509::from_der(&der).context("Invalid x509 in x5c")?; cert_chain.push(cert)?; } @@ -163,7 +182,7 @@ impl JwkAttestationTokenVerifier { // verify the cert chain let mut ctx = X509StoreContext::new()?; if !ctx.init(&trust_store, &leaf_cert, &cert_chain, |c| c.verify_cert())? { - bail!("The JWK is malwared because no trust anchor can verify it."); + bail!("JWK cannot be validated by trust anchor"); } Ok(()) } diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index 6381c9041a..da896f4e78 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -14,6 +14,8 @@ pub use error::*; pub const TOKEN_TEE_PUBKEY_PATH_ITA: &str = "/attester_runtime_data/tee-pubkey"; pub const TOKEN_TEE_PUBKEY_PATH_COCO: &str = "/customized_claims/runtime_data/tee-pubkey"; +pub const TOKEN_TEE_PUBKEY_PATH_EAR: &str = + "/submods/cpu/ear.veraison.annotated-evidence/runtime_data_claims/tee-pubkey"; #[derive(Deserialize, Debug, Clone, PartialEq, Default)] pub struct AttestationTokenVerifierConfig { @@ -71,6 +73,7 @@ impl TokenVerifier { let mut extra_teekey_paths = config.extra_teekey_paths; extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_ITA.into()); extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_COCO.into()); + extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_EAR.into()); Ok(Self { verifier, 
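Review bot: The new `AlgorithmParameters::EllipticCurve` arm in `verify_jwk_endorsement` decodes `ec.x` and `ec.y` with a bare `?`, so a malformed coordinate surfaces as an anonymous base64 or OpenSSL error, whereas the RSA arm labels each parameter. Mirroring the RSA arm would make token rejections diagnosable, e.g. `let x = BigNum::from_slice(&URL_SAFE_NO_PAD.decode(&ec.x).context("decode EC public key parameter x")?)?;` and the same for `y`. Because these coordinates come from the token header, it is also worth calling `ec_key.check_key()?;` before `PKey::from_ec_key(ec_key)?`, so that key validity does not depend on whether the linked OpenSSL already rejects off-curve points in `set_affine_coordinates_gfp`. The function body is fully inside the hunk, but the surrounding `impl JwkAttestationTokenVerifier` starts outside it.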
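Review bot: `TOKEN_TEE_PUBKEY_PATH_EAR` in kbs/src/token/mod.rs is added without a doc comment, and its value fixes the submod name to `cpu`. If an EAR token files its appraisal under a different submod key, this path would find no TEE public key; whether other submod names can occur is not visible in this hunk. A comment stating the assumption would help, e.g. `/// Path to the TEE public key inside an EAR token's claims; assumes the appraisal is under the "cpu" submod.` The two neighbouring `TOKEN_TEE_PUBKEY_PATH_*` constants are undocumented as well and could get matching one-line comments.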
From e935a35c9bfd2d7cd65fc08b07ab5dd6fd09a1c4 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Wed, 2 Oct 2024 17:49:11 -0500 Subject: [PATCH 190/298] tests: remove unnecessary env var The sample attester is enabled by default. Remove setting the environment variable that used to enable it. Signed-off-by: Tobin Feldman-Fitzthum --- .github/workflows/kbs-e2e.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/kbs-e2e.yml b/.github/workflows/kbs-e2e.yml index 6ecbeecad6..5d03733fcf 100644 --- a/.github/workflows/kbs-e2e.yml +++ b/.github/workflows/kbs-e2e.yml @@ -88,10 +88,6 @@ jobs: sudo apt-get update sudo apt-get install -y make --no-install-recommends sudo make install-dependencies - - - name: Set cc_kbc sample attester env - if: inputs.tee == 'sample' - run: echo "AA_SAMPLE_ATTESTER_TEST=1" >> "$GITHUB_ENV" - name: Run e2e test working-directory: kbs/test From 49a260cbedd99ec7834c9bd9a0db34724b72145c Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Thu, 3 Oct 2024 13:55:49 -0500 Subject: [PATCH 191/298] tests: update e2e Makefile test We now require a keypair to sign/validate the attestation token. Add this keypair to the e2e test. Interestingly, we were using a keypair for validating the old CoCo token in this test, but only for the passport mode. Even in background check mode, this keypair is required or the token won't be validated at all. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/test/Makefile | 4 ++-- kbs/test/config/kbs.toml | 5 ++--- kbs/test/config/resource-kbs.toml | 3 +-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/kbs/test/Makefile b/kbs/test/Makefile index 6671fa0b8a..515824978a 100644 --- a/kbs/test/Makefile +++ b/kbs/test/Makefile @@ -46,7 +46,7 @@ package policy default allow = false allow { - input["tee"] == "$(TEE)" + input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["$(TEE)"] } endef export TEE_POLICY_REGO 
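Review bot: The rewritten `allow` rule in kbs/test/Makefile only requires that `input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["$(TEE)"]` be defined, so it grants the resource whenever evidence for that TEE is present, whatever the appraisal concluded. If the e2e test is meant to exercise the attestation verdict and not just the token plumbing, the rule should also look at the EAR status, e.g. add `input["submods"]["cpu"]["ear.status"] != "contraindicated"` as a second expression in the rule body. Which status the sample evidence receives under the default AS policy is not visible here, so the exact comparison needs confirming. The `define TEE_POLICY_REGO` block that holds this policy starts outside the hunk.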
@@ -107,7 +107,7 @@ $(CA_CERT): $(CA_KEY) openssl req -x509 -days 3650 -key "$(CA_KEY)" -in "$(CA_CSR)" -out "$(CA_CERT)" $(TOKEN_KEY): - openssl genrsa -traditional -out "$(TOKEN_KEY)" 2048 + openssl ecparam -name prime256v1 -genkey -noout -out "$@" $(TOKEN_CERT): $(TOKEN_KEY) $(CA_CERT) $(CA_KEY) openssl req -new -key "$(TOKEN_KEY)" -out "$(TOKEN_CSR)" \ diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index 9dc505222e..f2f0d26dd6 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -5,21 +5,20 @@ certificate = "./work/https.crt" insecure_http = false [attestation_token] -insecure_key = false trusted_certs_paths = ["./work/ca-cert.pem"] [attestation_service] type = "coco_as_builtin" work_dir = "./work/attestation-service" policy_engine = "opa" -attestation_token_broker = "Simple" [attestation_service.attestation_token_broker] type = "Ear" duration_min = 5 [attestation_service.attestation_token_broker.signer] -key_path = "./work/as-private-key.pem" +key_path = "./work/token.key" +cert_path = "./work/token-cert-chain.pem" [attestation_service.rvps_config] type = "BuiltIn" diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml index 0d68410c0d..6d03ee1e78 100644 --- a/kbs/test/config/resource-kbs.toml +++ b/kbs/test/config/resource-kbs.toml @@ -6,8 +6,7 @@ insecure_http = true auth_public_key = "./work/kbs.pem" [attestation_token] -type = "Ear" -trusted_certs_paths = ["./work/as-public-key.pem"] +trusted_certs_paths = ["./work/ca-cert.pem"] [policy_engine] policy_path = "./work/kbs-policy.rego" From 9fd08aef84073c9217f3549ee8bbb531f21065c4 Mon Sep 17 00:00:00 2001 
From: Tobin Feldman-Fitzthum Date: Fri, 4 Oct 2024 12:01:49 -0500 Subject: [PATCH 192/298] rvps: change interface to get all reference values Previously we expected the caller of the RVPS to provide a name for the reference value that they wanted. In the AS we were flattening the TCB claims to get this name. Ultimately, the names of the TCB claims do not map directly onto the names of the required reference values. This changes the interface to have the RVPS determine which reference values to send. At the moment, it simply sends all of them. This allows the reference values that are used to mostly be set within the policy itself, which is probably a good idea. In the future, the RVPS should be improved to include a context abtraction that allows groups of reference values to be provided to the AS. Signed-off-by: Tobin Feldman-Fitzthum --- Cargo.lock | 1 + attestation-service/src/lib.rs | 18 +------- attestation-service/src/rvps/builtin.rs | 11 ++--- attestation-service/src/rvps/grpc.rs | 7 ++- attestation-service/src/rvps/mod.rs | 6 +-- protos/reference.proto | 4 +- rvps/src/bin/rvps-tool.rs | 12 ++---- rvps/src/bin/server/mod.rs | 13 ++---- .../extractor_modules/sample/mod.rs | 9 ++-- rvps/src/native.rs | 43 ++++++++----------- rvps/src/reference_value.rs | 31 +++++++------ rvps/src/store/local_fs/mod.rs | 10 +++++ rvps/src/store/local_json/mod.rs | 7 +++ rvps/src/store/mod.rs | 10 ++--- 14 files changed, 85 insertions(+), 97 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f599be502b..05eec94942 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2940,6 +2940,7 @@ dependencies = [ "config", "cryptoki", "derivative", + "ear 0.3.0", "env_logger 0.10.2", "jsonwebtoken", "jwt-simple 0.11.9", diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index e009f8c391..c6dab66312 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs 
@@ -190,7 +190,8 @@ impl AttestationService { info!("{:?} Verifier/endorsement check passed.", tee); let reference_data_map = self - .get_reference_data(["placeholder".to_string()].iter()) + .rvps + .get_digests() .await .map_err(|e| anyhow!("Generate reference data failed: {:?}", e))?; debug!("reference_data_map: {:#?}", reference_data_map); @@ -209,21 +210,6 @@ impl AttestationService { Ok(attestation_results_token) } - async fn get_reference_data<'a, I>(&self, tcb_claims: I) -> Result>> - where - I: Iterator, - { - let mut data = HashMap::new(); - for key in tcb_claims { - let reference_value = self.rvps.get_digests(key).await?; - if !reference_value.is_empty() { - debug!("Successfully get reference values of {key} from RVPS."); - } - data.insert(key.to_string(), reference_value); - } - Ok(data) - } - /// Registry a new reference value pub async fn register_reference_value(&mut self, message: &str) -> Result<()> { self.rvps diff --git a/attestation-service/src/rvps/builtin.rs b/attestation-service/src/rvps/builtin.rs index 084281516c..69d5046806 100644 --- a/attestation-service/src/rvps/builtin.rs +++ b/attestation-service/src/rvps/builtin.rs @@ -2,6 +2,7 @@ use super::{Result, RvpsApi}; use async_trait::async_trait; use core::result::Result::Ok; use reference_value_provider_service::{Config, Core}; +use std::collections::HashMap; pub struct Rvps { core: Core, @@ -21,13 +22,9 @@ impl RvpsApi for Rvps { Ok(()) } - async fn get_digests(&self, name: &str) -> Result> { - let hashes = self - .core - .get_digests(name) - .await? - .unwrap_or_default() - .hash_values; + async fn get_digests(&self) -> Result>> { + let hashes = self.core.get_digests().await?; + Ok(hashes) } } diff --git a/attestation-service/src/rvps/grpc.rs b/attestation-service/src/rvps/grpc.rs index 6538e8ae2d..4e65d9b710 100644 --- a/attestation-service/src/rvps/grpc.rs +++ b/attestation-service/src/rvps/grpc.rs 
@@ -1,5 +1,6 @@ use serde::Deserialize; use thiserror::Error; +use std::collections::HashMap; use tokio::sync::Mutex; use self::rvps_api::{ @@ -62,10 +63,8 @@ impl RvpsApi for Agent { Ok(()) } - async fn get_digests(&self, name: &str) -> Result> { - let req = tonic::Request::new(ReferenceValueQueryRequest { - name: name.to_string(), - }); + async fn get_digests(&self) -> Result>> { + let req = tonic::Request::new(ReferenceValueQueryRequest {}); let res = self .client .lock() diff --git a/attestation-service/src/rvps/mod.rs b/attestation-service/src/rvps/mod.rs index b95b0a6b30..ec805490db 100644 --- a/attestation-service/src/rvps/mod.rs +++ b/attestation-service/src/rvps/mod.rs @@ -6,6 +6,7 @@ use log::info; pub use reference_value_provider_service::config::Config as RvpsCrateConfig; use serde::Deserialize; +use std::collections::HashMap; use thiserror::Error; #[cfg(feature = "rvps-grpc")] @@ -41,9 +42,8 @@ pub trait RvpsApi { /// Verify the given message and register the reference value included. async fn verify_and_extract(&mut self, message: &str) -> Result<()>; - /// Get the reference values / golden values / expected digests in hex of the - /// given component name. - async fn get_digests(&self, name: &str) -> Result>; + /// Get the reference values / golden values / expected digests in hex. + async fn get_digests(&self) -> Result>>; } #[derive(Deserialize, Clone, Debug, PartialEq)] diff --git a/protos/reference.proto b/protos/reference.proto index e550893ee4..7adefeb4ca 100644 --- a/protos/reference.proto +++ b/protos/reference.proto @@ -2,9 +2,7 @@ syntax = "proto3"; package reference; -message ReferenceValueQueryRequest { - string name = 1; -} +message ReferenceValueQueryRequest {} message ReferenceValueQueryResponse { string reference_value_results = 1; diff --git a/rvps/src/bin/rvps-tool.rs b/rvps/src/bin/rvps-tool.rs index 8065eee927..709a8d4fa8 100644 --- a/rvps/src/bin/rvps-tool.rs +++ b/rvps/src/bin/rvps-tool.rs 
@@ -31,11 +31,9 @@ async fn register(addr: &str, provenance_path: &str) -> Result<()> { Ok(()) } -async fn query(addr: &str, name: &str) -> Result<()> { +async fn query(addr: &str) -> Result<()> { let mut client = ReferenceValueProviderServiceClient::connect(addr.to_string()).await?; - let req = tonic::Request::new(ReferenceValueQueryRequest { - name: name.to_string(), - }); + let req = tonic::Request::new(ReferenceValueQueryRequest {}); let rvs = client .query_reference_value(req) @@ -77,10 +75,6 @@ struct QueryArgs { /// The address of target RVPS #[arg(short, long, default_value = DEFAULT_ADDR)] addr: String, - - /// The name to query reference value - #[arg(short, long)] - name: String, } #[tokio::main] @@ -100,6 +94,6 @@ async fn main() -> Result<()> { match cli { Cli::Register(para) => register(¶.addr, ¶.path).await, - Cli::Query(para) => query(¶.addr, ¶.name).await, + Cli::Query(para) => query(¶.addr).await, } } diff --git a/rvps/src/bin/server/mod.rs b/rvps/src/bin/server/mod.rs index f12881d508..94473876e4 100644 --- a/rvps/src/bin/server/mod.rs +++ b/rvps/src/bin/server/mod.rs @@ -31,21 +31,16 @@ impl RVPSServer { impl ReferenceValueProviderService for RVPSServer { async fn query_reference_value( &self, - request: Request, + _request: Request, ) -> Result, Status> { - let request = request.into_inner(); - - info!("query {}", request.name); - let rvs = self .rvps .lock() .await - .get_digests(&request.name) + .get_digests() .await - .map_err(|e| Status::aborted(format!("Query reference value: {e}")))? - .map(|rvs| rvs.hash_values) - .unwrap_or_default(); + .map_err(|e| Status::aborted(format!("Query reference value: {e}")))?; + let reference_value_results = serde_json::to_string(&rvs) .map_err(|e| Status::aborted(format!("Serde reference value: {e}")))?; info!("Reference values: {}", reference_value_results); 
diff --git a/rvps/src/extractors/extractor_modules/sample/mod.rs b/rvps/src/extractors/extractor_modules/sample/mod.rs index 46af628f7b..23020ee83b 100644 --- a/rvps/src/extractors/extractor_modules/sample/mod.rs +++ b/rvps/src/extractors/extractor_modules/sample/mod.rs @@ -33,7 +33,7 @@ pub struct SampleExtractor; const DEFAULT_ALG: &str = "sha384"; /// The reference value will be expired in the default time (months) -const DEFAULT_EXPIRED_TIME: u32 = 12; +const MONTHS_BEFORE_EXPIRATION: u32 = 12; impl Extractor for SampleExtractor { fn verify_and_extract(&self, provenance_base64: &str) -> Result> { @@ -54,12 +54,13 @@ impl Extractor for SampleExtractor { let time = Utc::now() .with_nanosecond(0) - .and_then(|t| t.checked_add_months(Months::new(DEFAULT_EXPIRED_TIME))); + .and_then(|t| t.checked_add_months(Months::new(MONTHS_BEFORE_EXPIRATION))); + match time { - Some(expired) => Some(ReferenceValue { + Some(expiration) => Some(ReferenceValue { version: REFERENCE_VALUE_VERSION.into(), name: name.to_string(), - expired, + expiration, hash_value: rvs, }), None => { diff --git a/rvps/src/native.rs b/rvps/src/native.rs index 78ef07ba1a..30298e64d3 100644 --- a/rvps/src/native.rs +++ b/rvps/src/native.rs @@ -4,16 +4,15 @@ // use anyhow::{bail, Context, Result}; -use chrono::{DateTime, Utc}; use log::{info, warn}; -use std::time::SystemTime; +use std::collections::HashMap; use crate::{store::StoreType, Config}; use super::{ extractors::{Extractors, ExtractorsImpl}, pre_processor::{PreProcessor, PreProcessorAPI}, - Message, Store, TrustedDigest, MESSAGE_VERSION, + Message, Store, MESSAGE_VERSION, }; /// The core of the RVPS, s.t. componants except communication componants. 
@@ -71,28 +70,24 @@ impl Core { Ok(()) } - pub async fn get_digests(&self, name: &str) -> Result> { - let rv = self.store.get(name).await?; - match rv { - None => Ok(None), - Some(rv) => { - let now: DateTime = DateTime::from(SystemTime::now()); - if now > *rv.expired() { - warn!("Reference value of {} is expired.", name); - return Ok(None); - } - - let hash_values = rv - .hash_values() - .iter() - .map(|pair| pair.value().to_owned()) - .collect(); - - Ok(Some(TrustedDigest { - name: name.to_owned(), - hash_values, - })) + pub async fn get_digests(&self) -> Result>> { + let mut rv_map = HashMap::new(); + let reference_values = self.store.get_values().await?; + + for rv in reference_values { + if rv.expired() { + warn!("Reference value of {} is expired.", rv.name()); + continue; } + + let hash_values = rv + .hash_values() + .iter() + .map(|pair| pair.value().to_owned()) + .collect(); + + rv_map.insert(rv.name().to_string(), hash_values); } + Ok(rv_map) } } diff --git a/rvps/src/reference_value.rs b/rvps/src/reference_value.rs index 4e5877649b..1b19f6a342 100644 --- a/rvps/src/reference_value.rs +++ b/rvps/src/reference_value.rs @@ -8,6 +8,7 @@ use anyhow::{anyhow, Result}; use chrono::{DateTime, NaiveDateTime, Timelike, Utc}; use serde::{Deserialize, Deserializer, Serialize}; +use std::time::SystemTime; /// Default version of ReferenceValue pub const REFERENCE_VALUE_VERSION: &str = "0.1.0"; @@ -53,7 +54,7 @@ fn primitive_date_time_from_str<'de, D: Deserializer<'de>>( /// Here, ReferenceValue is stored inside RVPS. Its format MAY be modified. /// * `version`: version of the reference value format. /// * `name`: name of the artifact related to this reference value. -/// * `expired`: expired time for this reference value. +/// * `expiration`: Time after which refrence valid is invalid /// * `hash_value`: A set of key-value pairs, each indicates a hash /// algorithm and its relative hash value for the artifact. /// The actual struct deliver from RVPS to AS is 
@@ -65,7 +66,7 @@ pub struct ReferenceValue { pub version: String, pub name: String, #[serde(deserialize_with = "primitive_date_time_from_str")] - pub expired: DateTime, + pub expiration: DateTime, #[serde(rename = "hash-value")] pub hash_value: Vec, } @@ -76,7 +77,7 @@ fn default_version() -> String { } impl ReferenceValue { - /// Create a new `ReferenceValue`, the `expired` + /// Create a new `ReferenceValue`, the `expiration` /// field's nanosecond will be set to 0. This avoid /// a rare bug that when the nanosecond of the time /// is not 0, the test case will fail. @@ -84,7 +85,7 @@ impl ReferenceValue { Ok(ReferenceValue { version: REFERENCE_VALUE_VERSION.into(), name: String::new(), - expired: Utc::now() + expiration: Utc::now() .with_nanosecond(0) .ok_or_else(|| anyhow!("set nanosecond failed."))?, hash_value: Vec::new(), @@ -103,14 +104,18 @@ impl ReferenceValue { } /// Set expired time of the ReferenceValue. - pub fn set_expired(mut self, expired: DateTime) -> Self { - self.expired = expired.with_nanosecond(0).expect("Set nanosecond failed."); + pub fn set_expiration(mut self, expiration: DateTime) -> Self { + self.expiration = expiration + .with_nanosecond(0) + .expect("Set nanosecond failed."); self } - /// Get expired of the ReferenceValue. - pub fn expired(&self) -> &DateTime { - &self.expired + /// Check whether reference value is expired + pub fn expired(&self) -> bool { + let now: DateTime = DateTime::from(SystemTime::now()); + + now > self.expiration } /// Set hash value of the ReferenceValue. 
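Review bot: Renaming the serialized field `expired` to `expiration` in `ReferenceValue` (hunk `@@ -65,7 +66,7 @@`) comes with no backward-compatible alias, so reference values persisted by an earlier build will presumably no longer deserialize. The new `get_values` store methods in this patch propagate the first deserialization error with `?`, so a single legacy record would make every `get_digests` call fail. Consider adding `#[serde(alias = "expired")]` next to the existing `deserialize_with` attribute, or documenting a migration step for existing stores. The struct definition starts outside the hunk.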
@@ -162,13 +167,13 @@ mod test { .expect("create ReferenceValue failed.") .set_version("1.0.0") .set_name("artifact") - .set_expired(Utc.with_ymd_and_hms(1970, 1, 1, 0, 0, 0).unwrap()) + .set_expiration(Utc.with_ymd_and_hms(1970, 1, 1, 0, 0, 0).unwrap()) .add_hash_value("sha512".into(), "123".into()); assert_eq!(rv.version(), "1.0.0"); let rv_json = json!({ - "expired": "1970-01-01T00:00:00Z", + "expiration": "1970-01-01T00:00:00Z", "name": "artifact", "version": "1.0.0", "hash-value": [{ @@ -187,12 +192,12 @@ mod test { .expect("create ReferenceValue failed.") .set_version("1.0.0") .set_name("artifact") - .set_expired(Utc.with_ymd_and_hms(1970, 1, 1, 0, 0, 0).unwrap()) + .set_expiration(Utc.with_ymd_and_hms(1970, 1, 1, 0, 0, 0).unwrap()) .add_hash_value("sha512".into(), "123".into()); assert_eq!(rv.version(), "1.0.0"); let rv_json = r#"{ - "expired": "1970-01-01T00:00:00Z", + "expiration": "1970-01-01T00:00:00Z", "name": "artifact", "version": "1.0.0", "hash-value": [{ diff --git a/rvps/src/store/local_fs/mod.rs b/rvps/src/store/local_fs/mod.rs index 6d8931a655..19130c67be 100644 --- a/rvps/src/store/local_fs/mod.rs +++ b/rvps/src/store/local_fs/mod.rs @@ -72,6 +72,16 @@ impl Store for LocalFs { None => Ok(None), } } + + async fn get_values(&self) -> Result> { + let mut values = Vec::new(); + + for (_k, v) in self.engine.iter().flatten() { + values.push(serde_json::from_slice(&v)?); + } + + Ok(values) + } } #[cfg(test)] diff --git a/rvps/src/store/local_json/mod.rs b/rvps/src/store/local_json/mod.rs index 91ba8a1ac0..b08bbeb0cf 100644 --- a/rvps/src/store/local_json/mod.rs +++ b/rvps/src/store/local_json/mod.rs @@ -71,4 +71,11 @@ impl Store for LocalJson { let rv = rvs.into_iter().find(|rv| rv.name == name); Ok(rv) } + + async fn get_values(&self) -> Result> { + let _ = self.lock.read().await; + let file = tokio::fs::read(&self.file_path).await?; + let rvs: Vec = serde_json::from_slice(&file)?; + Ok(rvs) + } } 
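Review bot: In `LocalFs::get_values`, `self.engine.iter().flatten()` silently discards every entry for which the iterator yields an error, so a storage read failure would shrink the set of reference values handed to the policy instead of being reported. Assuming `iter()` yields `Result` items (the engine type is not visible in this hunk), propagate the error instead: `for entry in self.engine.iter() { let (_k, v) = entry?; values.push(serde_json::from_slice(&v)?); }`. The enclosing `impl Store for LocalFs` starts outside the hunk.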
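Review bot: In `LocalJson::get_values`, `let _ = self.lock.read().await;` drops the read guard immediately, because `_` is a wildcard pattern and not a binding. The file read that follows is therefore not covered by the lock and can presumably race with a concurrent `set` rewriting the file. Bind the guard to a named variable so it lives until the function returns: `let _guard = self.lock.read().await;`. The body of `get` above is only partly visible in this hunk, so it is worth checking whether it uses the same pattern.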
diff --git a/rvps/src/store/mod.rs b/rvps/src/store/mod.rs index 4113e53780..0fd951efd3 100644 --- a/rvps/src/store/mod.rs +++ b/rvps/src/store/mod.rs @@ -39,16 +39,16 @@ impl StoreType { } /// Interface of a `Store`. -/// We only provide a simple instance here which implements -/// Store. In more scenarios, RV should be stored in persistent -/// storage, like database, file and so on. All of the mentioned -/// forms will have the same interface as following. +/// Reference value storage facilities should implement this trait. #[async_trait] pub trait Store { /// Store a reference value. If the given `name` exists, /// return the previous `Some`, otherwise return `None` async fn set(&self, name: String, rv: ReferenceValue) -> Result>; - // Retrieve a reference value + // Retrieve reference value by name async fn get(&self, name: &str) -> Result>; + + // Retrieve reference values + async fn get_values(&self) -> Result>; } From 3001c3eb9a7a92bbb6d4fada06bf460e8d5bfd3c Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Fri, 4 Oct 2024 16:10:41 -0500 Subject: [PATCH 193/298] policy: expand default policy THe skeleton for a policy that can be used to validate the TCB claims of all platforms in the context of confidential containers. Only sample and snp are supported currently, but this should give a good idea of how to extend the policy to other platforms. There are a few tweaks we can make later, such as supporting `>` or `<` comparisons. Signed-off-by: Tobin Feldman-Fitzthum --- .../src/policy_engine/opa/mod.rs | 4 - .../src/token/ear_default_policy.rego | 116 ++++++++++++++++-- 2 files changed, 109 insertions(+), 11 deletions(-) diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs index d55f63691a..0f6654ed77 100644 --- a/attestation-service/src/policy_engine/opa/mod.rs +++ b/attestation-service/src/policy_engine/opa/mod.rs 
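Review bot: The new `get_values` trait method is documented with a plain `//` comment, so it is not picked up by rustdoc, and it does not say whether expired values are part of the result. `Core::get_digests` in rvps/src/native.rs does the expiry filtering itself, so implementers need to know they are expected to return everything; suggest `/// Retrieve all stored reference values, including expired ones; callers filter on expiration.` The comment on `get` uses the same `//` form and could be switched to `///` at the same time.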
@@ -187,11 +187,8 @@ impl PolicyEngine for OPA { // use rstest::rstest; // use serde_json::{json, Value}; // use std::collections::BTreeMap; - // use crate::transform_claims; - // use super::*; - // fn dummy_reference(product_id: u64, svn: u64, launch_digest: String) -> String { // json!({ // "productId": [product_id.to_string()], @@ -214,7 +211,6 @@ impl PolicyEngine for OPA { // Tee::Sample, // ) // .unwrap(); - // ear_claims // } // #[rstest] diff --git a/attestation-service/src/token/ear_default_policy.rego b/attestation-service/src/token/ear_default_policy.rego index 0c60199325..3353cebd5f 100644 --- a/attestation-service/src/token/ear_default_policy.rego +++ b/attestation-service/src/token/ear_default_policy.rego 
@@ -2,29 +2,131 @@ package policy import rego.v1 +# This policy validates multiple TEE platforms +# The policy is meant to capture the TCB requirements +# for confidential containers. + +# This policy is used to generate an EAR Appraisal. +# Specifically it generates an AR4SI result. +# More informatino on AR4SI can be found at +# + # For the `executables` trust claim, the value 33 stands for # "Runtime memory includes executables, scripts, files, and/or # objects which are not recognized." -default executables := 33 +default sample_executables := 33 + +default snp_executables := 33 + +default tdx_executables := 33 + +default az_snp_executables := 33 + +default az_tdx_executables := 33 + +default se_executables := 33 # For the `hardware` trust claim, the value 97 stands for # "A Verifier does not recognize an Attester's hardware or # firmware, but it should be recognized." -default hardware := 97 +default sample_hardware := 97 + +default snp_hardware := 97 + +default tdx_hardware := 97 + +default az_snp_hardware := 97 + +default az_tdx_hardware := 97 + +default se_hardware := 97 + +# For the `configuration` trust claim the value 36 stands for +# "Elements of the configuration relevant to security are +# unavailable to the Verifier." 
+default sample_configuration := 36 + +default snp_configuration := 36 + +default tdx_configuration := 36 + +default az_snp_configuration := 36 + +default az_tdx_configuration := 36 + +default se_configuration := 36 + +executables := min({sample_executables, snp_executables, tdx_executables, az_snp_executables, az_tdx_executables, se_executables}) + +hardware := min({sample_hardware, snp_hardware, tdx_hardware, az_snp_hardware, az_tdx_hardware, se_hardware}) + +configuration := min({sample_configuration, snp_configuration, tdx_configuration, az_snp_configuration, az_tdx_configuration, se_configuration}) + +##### Sample # For the `executables` trust claim, the value 3 stands for # "Only a recognized genuine set of approved executables have # been loaded during the boot process." -executables := 3 if { - input.launch_digest in data.reference.launch_digest +sample_executables := 3 if { + # The sample attester does not report any launch digest. + # This is an example of how a real platform might validate executables. + input.sample.launch_digest in data.reference.launch_digest } # For the `hardware` trust claim, the value 2 stands for # "An Attester has passed its hardware and/or firmware # verifications needed to demonstrate that these are genuine/ # supported. -hardware := 2 if { - input.productId in data.reference.productId +sample_hardware := 2 if { + # The sample attester does not report any productId. + # This is an exmple of how a real platform might identify the hardware + # that is running. 
+ input.sample.productId in data.reference.productId + input.sample.svn in data.reference.svn +} - input.svn in data.reference.svn +##### SNP +snp_executables := 3 if { + # In the future, we might calculate this measurement here various components + input.sample.launch_measurement in data.reference.snp_launch_measurement } + +snp_hardware := 2 if { + # Check the reported TCB to validate the ASP FW + input.snp.reported_tcb_bootloader in data.reference.snp_bootloader + input.snp.reported_tcb_microcode in data.reference.snp_microcode + input.snp.reported_tcb_snp in data.reference.snp_snp_svn + input.snp.reported_tcb_tee in data.reference.snp_tee_svn +} + +# For the 'configuration' trust claim 2 stands for +# "The configuration is a known and approved config." +# +# For this, we compare all the configuration fields. +snp_configuration := 2 if { + input.snp.policy_debug_allowed == 0 + input.snp.policy_migrate_ma == 0 + input.snp.platform_smt_enabled in data.reference.snp_smt_enabled + input.snp.platform_tsme_enabled in data.reference.snp_tsme_enabled + input.snp.policy_abi_major in data.reference.snp_guest_abi_major + input.snp.policy_abi_minor in data.reference.snp_guest_abi_minor + input.snp.policy_single_socket in data.reference.snp_single_socket + input.snp.policy_smt_allowed in data.reference.snp_smt_allowed +} + +# For the `configuration` trust claim 3 stands for +# "The configuration includes or exposes no known +# vulnerabilities." +# +# In this check, we do not specifically check every +# configuration value, but we make sure that some key +# configurations (like debug_allowed) are set correctly. +else := 3 if { + input.snp.policy_debug_allowed == 0 + input.snp.policy_migrate_ma == 0 +} + +##### TDX TODO +##### AZ SNP TODO +##### AZ TDX TODO +##### SE TODO From 17cba16ba9e492dd070f67bf73453bad2b2a8128 Mon Sep 17 00:00:00 2001 
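Review bot: `snp_executables` reads `input.sample.launch_measurement`, so the SNP rule is evaluated against the sample attester's claims and never against the SNP evidence, while every other SNP rule in this hunk reads `input.snp.*`. This looks like a copy-paste slip; the line should presumably be `input.snp.launch_measurement in data.reference.snp_launch_measurement` (confirm the claim name the SNP verifier actually emits). Since `executables`, `hardware` and `configuration` take the `min` over all per-platform rules, the lowest-valued rule decides the final claim, so it is worth adding a comment such as `# each <tee>_* rule must read only input.<tee>` above the three `min` lines.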
From: Tobin Feldman-Fitzthum Date: Fri, 4 Oct 2024 17:14:51 -0500 Subject: [PATCH 194/298] docs: update docs and examples for EAR tokens Update the attestestion service policy docs to describe the requirements for policies that will generate EAR tokens. Also update various example and default policies. Signed-off-by: Tobin Feldman-Fitzthum --- attestation-service/docs/policy.md | 35 +++++++++++++++++++ .../tests/coco-as/policy/example-1.rego | 4 +-- .../tests/coco-as/policy/example-2.rego | 4 +-- .../tests/coco-as/policy/example-3.rego | 4 +-- kbs/config/kubernetes/base/policy.rego | 2 +- kbs/src/policy_engine/opa/default_policy.rego | 2 +- kbs/src/policy_engine/opa/mod.rs | 25 ++++++++----- kbs/test/data/policy_1.rego | 5 ++- kbs/test/data/policy_4.rego | 2 +- kbs/test/data/policy_5.rego | 9 ++--- 10 files changed, 65 insertions(+), 27 deletions(-) diff --git a/attestation-service/docs/policy.md b/attestation-service/docs/policy.md index f1f6b4e985..94db2d57f3 100644 --- a/attestation-service/docs/policy.md +++ b/attestation-service/docs/policy.md 
@@ -2,6 +2,41 @@ CoCo AS provides a flexible policy support based on Rego to facilitate the customized verification rules. +Different token brokers will use the policy engine to evaluate different claims. +The simple token broker only evaluates the claim `allowed` while the EAR broker +implements a set of claims described below. + +## Simple + +The simple token broker only evaluates one claim, which is `allowed`. +Policies that are used with the simple token broker should evaulate +this claim either as `true` or `false`. + +## EAR + +EAR tokens support a more expressive policy result. +The EAR broker will evaluate the followig claims. +A valid policy must evaluate at least one of the following claims as number between 127 and -127. +* `instance_identity` +* `configuration` +* `executables` +* `file_system` +* `hardware` +* `runtime_opaque` +* `storage_opaque` +* `sourced_data` + +These dimensions can be used to return a detailed, but generic description of the TCB of the attester. +More information about these trust claims, including what the numerical values of the claims represent, +can be found [here](https://datatracker.ietf.org/doc/draft-ietf-rats-ar4si/). + +AS policies will be provide `data` and `input`. `data.reference` points to a dictionary of reference +values provided by the RVPS. + +`input` are the TCB claims generated by the verifier. + +See the [default policy](../src/token/ear_default_policy.rego) for an example. + ## How to Use Policy For both [gRPC CoCo AS](../../protos/attestation.proto) and [Restful CoCo AS](./restful-as.md), we have a diff --git a/attestation-service/tests/coco-as/policy/example-1.rego b/attestation-service/tests/coco-as/policy/example-1.rego index f189b24f3e..a4faa7672b 100644 --- a/attestation-service/tests/coco-as/policy/example-1.rego +++ b/attestation-service/tests/coco-as/policy/example-1.rego 
@@ -2,9 +2,9 @@ package policy import rego.v1 -default allow = false +default executables := 33 -allow if { +executables := 3 if { input["sgx.body.mr_enclave"] == "8f173e4613ff05c52aaf04162d234edae8c9977eae47eb2299ae16a553011c68" input["sgx.body.mr_signer"] == "83d719e77deaca1470f6baf62a4d774303c899db69020f9c70ee1dfc08c7ce9e" } diff --git a/attestation-service/tests/coco-as/policy/example-2.rego b/attestation-service/tests/coco-as/policy/example-2.rego index 7798e192be..009a553eb7 100644 --- a/attestation-service/tests/coco-as/policy/example-2.rego +++ b/attestation-service/tests/coco-as/policy/example-2.rego @@ -2,9 +2,9 @@ package policy import rego.v1 -default allow = false +default executables := 33 -allow if { +executables := 3 if { input["tdx.quote.body.mr_td"] == "705ee9381b8633a9fbe532b52345e8433343d2868959f57889d84ca377c395b689cac1599ccea1b7d420483a9ce5f031" input["tdx.quote.body.mr_seam"] == "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656" input["tdx.ccel.kernel"] == "5b7aa6572f649714ff00b6a2b9170516a068fd1a0ba72aa8de27574131d454e6396d3bfa1727d9baf421618a942977fa" diff --git a/attestation-service/tests/coco-as/policy/example-3.rego b/attestation-service/tests/coco-as/policy/example-3.rego index c92aa50bba..38c104cd18 100644 --- a/attestation-service/tests/coco-as/policy/example-3.rego +++ b/attestation-service/tests/coco-as/policy/example-3.rego @@ -1,10 +1,10 @@ package policy import rego.v1 -default allow = false +default executables := 33 converted_version := sprintf("%v", [input["se.version"]]) -allow if { +executables := 3 if { converted_version == "256" input["se.user_data"] == "00" input["se.tag"] == "773780962a7350165054673b6c54235d" diff --git a/kbs/config/kubernetes/base/policy.rego b/kbs/config/kubernetes/base/policy.rego index c369cf7ce0..4d9b33916a 100644 --- a/kbs/config/kubernetes/base/policy.rego +++ b/kbs/config/kubernetes/base/policy.rego 
@@ -36,5 +36,5 @@ package policy default allow = false allow { - input["tee"] != "sample" + not input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["sample"] } diff --git a/kbs/src/policy_engine/opa/default_policy.rego b/kbs/src/policy_engine/opa/default_policy.rego index f3470f42e6..9bcb7e40cf 100644 --- a/kbs/src/policy_engine/opa/default_policy.rego +++ b/kbs/src/policy_engine/opa/default_policy.rego @@ -36,6 +36,6 @@ package policy default allow = false allow { - input["tee"] != "sample" + not input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["sample"] } diff --git a/kbs/src/policy_engine/opa/mod.rs b/kbs/src/policy_engine/opa/mod.rs index 08ac27508d..361785bf4f 100644 --- a/kbs/src/policy_engine/opa/mod.rs +++ b/kbs/src/policy_engine/opa/mod.rs @@ -100,15 +100,24 @@ mod tests { } } - fn dummy_input(product_id: &str, svn: u64) -> String { + fn dummy_input(product_id: &str, svn: u64, executables: u8, hardware: u8) -> String { json!({ - "tee": "sample", - "tee-pubkey": "dummy-key", - "tcb-status": { - "productId": product_id, - "svn": svn + "submods": { + "cpu": { + "ear.trustworthiness-vector": { + "executables": executables, + "hardware": hardware, + }, + "ear.veraison.annotated-evidence": { + "sample" : { + "productId": product_id, + "svn": svn + } + } + } + } } - }) + ) .to_string() } @@ -193,7 +202,7 @@ mod tests { set_policy_from_file(&mut opa, policy_path).await.unwrap(); let res = opa - .evaluate(resource_path, &dummy_input(input_name, input_svn)) + .evaluate(resource_path, &dummy_input(input_name, input_svn, 2, 3)) .await; if let Ok(actual) = res { diff --git a/kbs/test/data/policy_1.rego b/kbs/test/data/policy_1.rego index e3a2573d85..64ecfd906d 100644 --- a/kbs/test/data/policy_1.rego +++ b/kbs/test/data/policy_1.rego 
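Review bot: The rewritten `allow` body fails open: `not input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["sample"]` is true whenever that path is undefined, including when the token has no `submods.cpu` entry at all. The previous `input["tee"] != "sample"` was undefined, and therefore denied, when the claim was missing. The same line is added to kbs/src/policy_engine/opa/default_policy.rego in the next hunk. Consider requiring the structure to exist before negating, e.g. a first condition `input["submods"]["cpu"]["ear.veraison.annotated-evidence"]`, and ideally also gating on the `ear.trustworthiness-vector` values the AS now produces; the thresholds are a policy decision.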
@@ -3,9 +3,8 @@ package policy default allow = false path := split(data["resource-path"], "/") -input_tcb := input["tcb-status"] allow { count(path) == 3 - input_tcb.productId == path[1] -} \ No newline at end of file + input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["sample"]["productId"] == path[1] +} diff --git a/kbs/test/data/policy_4.rego b/kbs/test/data/policy_4.rego index 326f861800..c82f95b3e9 100644 --- a/kbs/test/data/policy_4.rego +++ b/kbs/test/data/policy_4.rego @@ -20,7 +20,7 @@ allow { - input_tcb.productId == path[1] + input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["sample"]["productId"] == path[1] } diff --git a/kbs/test/data/policy_5.rego b/kbs/test/data/policy_5.rego index 311d38c92a..5c063f3c7f 100644 --- a/kbs/test/data/policy_5.rego +++ b/kbs/test/data/policy_5.rego @@ -8,17 +8,12 @@ default allow := false # path should be of form `repository_name/resource_type/resource_name` path := split(data["resource-path"], "/") -# these are the claims that the verifier extracted from the evidence -input_tcb := input["tcb-status"] - -platform := input.tee - # mapping of resource ids to minimum SVNs resources := {"secret1": 2, "secret2": 3} allow if { # check that evidence comes from expected platform - platform == "sample" + input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["sample"] # check tht resource path is valid count(path) == 3 @@ -28,6 +23,6 @@ allow if { path[1] == "secret" # check that the secret name exists and tht the minimum svn is met - resources[path[2]] <= input_tcb.svn + resources[path[2]] <= input["submods"]["cpu"]["ear.veraison.annotated-evidence"]["sample"]["svn"] } From c41ffbee996eef642dd6bc3786a1bddf0d04429c Mon Sep 17 00:00:00 2001 
From: Tobin Feldman-Fitzthum Date: Thu, 31 Oct 2024 15:56:04 -0500 Subject: [PATCH 195/298] ear: add expiration extension EAR tokens do not support an expiration claim by default, but fortunately we can use the Extension framework to add an `exp` field that will match what we would expect in a JWT. Add this extension and check it when we validate the token. Signed-off-by: Tobin Feldman-Fitzthum --- Cargo.lock | 1 - attestation-service/src/rvps/grpc.rs | 2 +- attestation-service/src/token/ear_broker.rs | 16 +++++++++++++--- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 05eec94942..f599be502b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2940,7 +2940,6 @@ dependencies = [ "config", "cryptoki", "derivative", - "ear 0.3.0", "env_logger 0.10.2", "jsonwebtoken", "jwt-simple 0.11.9", diff --git a/attestation-service/src/rvps/grpc.rs b/attestation-service/src/rvps/grpc.rs index 4e65d9b710..fa84feb517 100644 --- a/attestation-service/src/rvps/grpc.rs +++ b/attestation-service/src/rvps/grpc.rs @@ -1,6 +1,6 @@ use serde::Deserialize; -use thiserror::Error; use std::collections::HashMap; +use thiserror::Error; use tokio::sync::Mutex; use self::rvps_api::{ diff --git a/attestation-service/src/token/ear_broker.rs b/attestation-service/src/token/ear_broker.rs index fd2ab39b2c..c7717a88ac 100644 --- a/attestation-service/src/token/ear_broker.rs +++ b/attestation-service/src/token/ear_broker.rs @@ -7,7 +7,9 @@ use anyhow::*; use base64::engine::general_purpose::URL_SAFE_NO_PAD; use base64::Engine; -use ear::{Algorithm, Appraisal, Ear, Extensions, RawValue, VerifierID}; +use ear::{ + Algorithm, Appraisal, Ear, ExtensionKind, ExtensionValue, Extensions, RawValue, VerifierID, +}; use jsonwebtoken::jwk; use kbs_types::Tee; use log::{debug, info, warn}; 
@@ -23,6 +25,7 @@ use shadow_rs::concatcp; use std::collections::{BTreeMap, HashMap}; use std::path::Path; use std::sync::Arc; +use time::{Duration, OffsetDateTime}; use verifier::TeeEvidenceParsedClaim; use crate::policy_engine::{PolicyEngine, PolicyEngineType}; @@ -276,7 +279,14 @@ impl AttestationTokenBroker for EarAttestationTokenBroker { let mut submods = BTreeMap::new(); submods.insert("cpu".to_string(), appraisal); - let now = time::OffsetDateTime::now_utc(); + let now = OffsetDateTime::now_utc(); + let exp = now + .checked_add(Duration::minutes(self.config.duration_min)) + .ok_or(anyhow!("Token expiration overflow."))?; + + let mut extensions = Extensions::new(); + extensions.register("exp", 4, ExtensionKind::Integer)?; + extensions.set_by_name("exp", ExtensionValue::Integer(exp.unix_timestamp()))?; let ear = Ear { profile: self.config.profile_name.clone(), @@ -288,7 +298,7 @@ impl AttestationTokenBroker for EarAttestationTokenBroker { raw_evidence: None, nonce: None, submods, - extensions: Extensions::new(), + extensions, }; let mut jwt_header = ear::new_jwt_header(&Algorithm::ES256)?; jwt_header.jwk = Some(self.pubkey_jwk()?); From b4094c01485911e6095bf62aeb31f4983bf52d06 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Fri, 1 Nov 2024 17:07:16 -0500 Subject: [PATCH 196/298] policy: fix as policy test Now that the as policy engine is more generic, re-enable and update the test. This test is slightly tied to EAR. Signed-off-by: Tobin Feldman-Fitzthum --- .../src/policy_engine/opa/mod.rs | 213 ++++++++++-------- 1 file changed, 114 insertions(+), 99 deletions(-) diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs index 0f6654ed77..398293bddc 100644 --- a/attestation-service/src/policy_engine/opa/mod.rs +++ b/attestation-service/src/policy_engine/opa/mod.rs 
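Review bot: The key `4` in `extensions.register("exp", 4, ExtensionKind::Integer)` is an unexplained magic number; a comment such as `// 4 is the CWT claim key for exp (RFC 8392); the JWT serialization uses the name "exp"` would make the intent clear. The commit message says the expiration is checked on validation, but none of the hunks shown for this file touches a verification path, so presumably this relies on the JWT library's default `exp` handling; a test that an expired EAR token is rejected would pin that down. `self.config.duration_min` is also used as-is: a zero or negative value (its type is not visible here) would issue tokens that are already expired, which is better rejected when the configuration is loaded. The enclosing function starts and ends outside the hunk.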
@@ -180,102 +180,117 @@ impl PolicyEngine for OPA { } } -// #[cfg(test)] -// mod tests { -// use ear::RawValue; -// use kbs_types::Tee; -// use rstest::rstest; -// use serde_json::{json, Value}; -// use std::collections::BTreeMap; -// use crate::transform_claims; -// use super::*; -// fn dummy_reference(product_id: u64, svn: u64, launch_digest: String) -> String { -// json!({ -// "productId": [product_id.to_string()], -// "svn": [svn.to_string()], -// "launch_digest": [launch_digest] -// }) -// .to_string() -// } -// fn dummy_input(product_id: u64, svn: u64, launch_digest: String) -> BTreeMap { -// let json_claims = json!({ -// "productId": product_id.to_string(), -// "svn": svn.to_string(), -// "launch_digest": launch_digest -// }); - -// let ear_claims = transform_claims( -// json_claims, -// Value::String("".to_string()), -// Value::String("".to_string()), -// Tee::Sample, -// ) -// .unwrap(); -// ear_claims -// } -// #[rstest] -// #[case(5,5,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,2)] -// #[case(5,4,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,97)] -// #[case(5,5,1,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,2)] -// #[case(5,5,2,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,97)] -// #[tokio::test] -// async fn test_evaluate( -// #[case] pid_a: u64, -// #[case] pid_b: u64, -// #[case] svn_a: u64, -// #[case] svn_b: u64, -// #[case] digest_a: String, -// #[case] digest_b: String, -// #[case] ex_exp: i8, -// #[case] hw_exp: i8, -// ) { -// let opa = OPA { -// policy_dir_path: PathBuf::from("./src/policy_engine/opa"), -// }; -// let default_policy_id = "default_policy".to_string(); - -// let reference_data: HashMap> = -// serde_json::from_str(&dummy_reference(pid_a, svn_a, digest_a)).unwrap(); - -// let appraisal = opa -// .evaluate( -// reference_data.clone(), -// dummy_input(pid_b, svn_b, digest_b), -// default_policy_id.clone(), -// ) -// .await -// .unwrap(); - -// assert_eq!( -// hw_exp, -// 
appraisal.trust_vector.by_name("hardware").unwrap().get()
-// );
-// assert_eq!(
-// ex_exp,
-// appraisal.trust_vector.by_name("executables").unwrap().get()
-// );
-// }
-
-// #[tokio::test]
-// async fn test_policy_management() {
-// let mut opa = OPA::new(PathBuf::from("tests/tmp")).unwrap();
-// let policy = "package policy
-// default allow = true"
-// .to_string();
-
-// let get_policy_output = "cGFja2FnZSBwb2xpY3kKZGVmYXVsdCBhbGxvdyA9IHRydWU".to_string();
-
-// assert!(opa
-// .set_policy(
-// "test".to_string(),
-// base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(policy)
-// )
-// .await
-// .is_ok());
-// let policy_list = opa.list_policies().await.unwrap();
-// assert_eq!(policy_list.len(), 2);
-// let test_policy = opa.get_policy("test".to_string()).await.unwrap();
-// assert_eq!(test_policy, get_policy_output);
-// assert!(opa.list_policies().await.is_ok());
-// }
-// }
+#[cfg(test)]
+mod tests {
+ use rstest::rstest;
+ use serde_json::json;
+
+ use super::*;
+
+ const EAR_RULES: [&str; 8] = [
+ "instance_identity",
+ "configuration",
+ "executables",
+ "file_system",
+ "hardware",
+ "runtime_opaque",
+ "storage_opaque",
+ "sourced_data",
+ ];
+
+ fn dummy_reference(product_id: u64, svn: u64, launch_digest: String) -> String {
+ json!({
+ "reference": {
+ "productId": [product_id.to_string()],
+ "svn": [svn.to_string()],
+ "launch_digest": [launch_digest]
+ }
+ })
+ .to_string()
+ }
+
+ fn dummy_input(product_id: u64, svn: u64, launch_digest: String) -> String {
+ json!({
+ "sample": {
+ "productId": product_id.to_string(),
+ "svn": svn.to_string(),
+ "launch_digest": launch_digest
+ }
+ })
+ .to_string()
+ }
+
+ #[rstest]
+ #[case(5,5,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,2)]
+ #[case(5,4,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,97)]
+ #[case(5,5,1,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,2)]
+ #[case(5,5,2,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,97)]
+ #[tokio::test]
+ async fn test_evaluate(
+ #[case] pid_a: u64,
+ #[case] pid_b: u64,
+ #[case] svn_a: u64,
+ #[case] svn_b: u64,
+ #[case] digest_a: String,
+ #[case] digest_b: String,
+ #[case] ex_exp: i8,
+ #[case] hw_exp: i8,
+ ) {
+ let opa = OPA {
+ policy_dir_path: PathBuf::from("./src/token/"),
+ };
+ let default_policy_id = "ear_default_policy".to_string();
+
+ let output = opa
+ .evaluate(
+ &dummy_reference(pid_a, svn_a, digest_a),
+ &dummy_input(pid_b, svn_b, digest_b),
+ &default_policy_id,
+ &EAR_RULES,
+ )
+ .await
+ .unwrap();
+
+ assert_eq!(
+ hw_exp,
+ output
+ .rules_result
+ .get("hardware")
+ .unwrap()
+ .as_i8()
+ .unwrap()
+ );
+ assert_eq!(
+ ex_exp,
+ output
+ .rules_result
+ .get("executables")
+ .unwrap()
+ .as_i8()
+ .unwrap()
+ );
+ }
+
+ #[tokio::test]
+ async fn test_policy_management() {
+ let opa = OPA::new(PathBuf::from("tests/tmp"), "default").unwrap();
+ let policy = "package policy
+default allow = true"
+ .to_string();
+
+ let get_policy_output = "cGFja2FnZSBwb2xpY3kKZGVmYXVsdCBhbGxvdyA9IHRydWU".to_string();
+
+ assert!(opa
+ .set_policy(
+ "test".to_string(),
+ base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(policy)
+ )
+ .await
+ .is_ok());
+ let policy_list = opa.list_policies().await.unwrap();
+ assert_eq!(policy_list.len(), 2);
+ let test_policy = opa.get_policy("test".to_string()).await.unwrap();
+ assert_eq!(test_policy, get_policy_output);
+ assert!(opa.list_policies().await.is_ok());
+ }
+}
From 0f5fbe59f131a8f740b5d27a72049ac005f0d250 Mon Sep 17 00:00:00 2001
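Review bot: `test_policy_management` points `OPA::new` at the fixed relative directory `tests/tmp` and then asserts `policy_list.len() == 2`, so the result depends on whatever earlier runs or other tests left in that directory. Creating a fresh per-test temporary directory and passing its path to `OPA::new` would make the count deterministic and keep the written `test` policy out of the source tree. In `test_evaluate`, only `hardware` and `executables` are asserted although all eight `EAR_RULES` are passed to `evaluate`; a one-line comment such as `// Only hardware and executables vary with these inputs; the other rules are not asserted here.` would tell the next reader whether that is intentional.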
From: Tobin Feldman-Fitzthum Date: Mon, 25 Nov 2024 17:52:02 -0600 Subject: [PATCH 197/298] config: config tweaks for EAR Since we validate Ear tokens using our JWT verifier, there are not many changes required in our test configs. Since we have a JWT, we don't have to add a new keypair for EAR tokens. This means that we're keeping the same parameters as the simple tokens. By default, the provenance of the JWT is not verified. In a future PR, we should think about creating a more secure default configuration but that is orthogonal to the EAR work. Signed-off-by: Tobin Feldman-Fitzthum --- attestation-service/docs/config.md | 18 +++++++++--------- attestation-service/src/config.rs | 1 + kbs/config/as-config.json | 8 ++------ kbs/config/kubernetes/base/as-config.json | 5 ++--- kbs/docs/config.md | 6 +++--- kbs/quickstart.md | 2 +- 6 files changed, 18 insertions(+), 22 deletions(-) diff --git a/attestation-service/docs/config.md b/attestation-service/docs/config.md index a59807a1f0..ee16b3c930 100644 --- a/attestation-service/docs/config.md +++ b/attestation-service/docs/config.md 
@@ -18,16 +18,16 @@ section: | `work_dir` | String | The location for Attestation Service to store data. | False | Firstly try to read from ENV `AS_WORK_DIR`. If not any, use `/opt/confidential-containers/attestation-service` | | `policy_engine` | String | Policy engine type. Valid values: `opa` | False | `opa` | | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | False | - | -| `attestation_token_broker` | String | Type of the attestation result token broker. Valid values: `Simple` | False | `Simple` | -| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | False | - | +| `attestation_token_broker` | [AttestationTokeBroker][1] | Attestation result token configuration. | False | - | [1]: #attestationtokenconfig [2]: #rvps-configuration -#### AttestationTokenConfig +#### AttestationTokenBroker | Property | Type | Description | Required | Default | |----------------|-------------------------|------------------------------------------------------|----------|---------| +| `type` | String | Type of token to issue (Ear or Simple) | No | `Ear` | | `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | | `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`| | `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | @@ -97,8 +97,8 @@ Running with a built-in RVPS: "file_path": "/var/lib/attestation-service/reference-values" } }, - "attestation_token_broker": "Simple", - "attestation_token_config": { + "attestation_token_broker": { + "type": "Ear", "duration_min": 5 } } @@ -114,8 +114,8 @@ Running with a remote RVPS: "type": "GrpcRemote", "address": "127.0.0.1:50003" }, - "attestation_token_broker": "Simple", - "attestation_token_config": { + "attestation_token_broker": { + "type": "Ear", "duration_min": 5 } } 
@@ -131,8 +131,8 @@ Configurations for token signer "type": "GrpcRemote", "address": "127.0.0.1:50003" }, - "attestation_token_broker": "Simple", - "attestation_token_config": { + "attestation_token_broker": { + "type": "Ear", "duration_min": 5, "issuer_name": "some-body", "signer": { diff --git a/attestation-service/src/config.rs b/attestation-service/src/config.rs index a2bd53016d..48ac206fa3 100644 --- a/attestation-service/src/config.rs +++ b/attestation-service/src/config.rs @@ -63,6 +63,7 @@ impl TryFrom<&Path> for Config { /// "remote_addr": "" /// }, /// "attestation_token_broker": { + /// "type": "Ear", /// "duration_min": 5 /// } /// } diff --git a/kbs/config/as-config.json b/kbs/config/as-config.json index 125e1dbb6a..5918f54975 100644 --- a/kbs/config/as-config.json +++ b/kbs/config/as-config.json @@ -7,10 +7,6 @@ }, "attestation_token_broker": { "type": "Ear", - "duration_min": 5, - "signer": { - "key_path":"/opt/confidential-containers/attestation-service/keys/private_key.pem" - - } + "duration_min": 5 } -} \ No newline at end of file +} diff --git a/kbs/config/kubernetes/base/as-config.json b/kbs/config/kubernetes/base/as-config.json index 8935ffc9fe..d725d179b0 100644 --- a/kbs/config/kubernetes/base/as-config.json +++ b/kbs/config/kubernetes/base/as-config.json @@ -1,8 +1,7 @@ { "work_dir": "/opt/confidential-containers/attestation-service", - "policy_engine": "opa", - "attestation_token_broker": "Simple", - "attestation_token_config": { + "attestation_token_broker": { + "type": "Ear", "duration_min": 5 } } diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 848995853f..57b77d41e1 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
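Review bot: Removing the `signer` block from `kbs/config/as-config.json` (hunk `@@ -7,10 +7,6 @@`) leaves this sample configuration without a persistent signing key. How the broker obtains a key when `signer` is absent is not visible in this patch, but the commit message itself notes that the provenance of the JWT is not verified by default. JSON cannot carry a comment, so the caveat belongs in the docs changed by the same commit: the `signer` row should say which key is used when the field is omitted, and that a production deployment should set `signer` and configure a matching trust anchor on the verifying side. Without that, a reader copying this file has no signal that it is a test-grade setup.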
@@ -86,17 +86,17 @@ When `type` is set to `coco_as_builtin`, the following properties can be set. | `work_dir` | String | The location for Attestation Service to store data. | First try from env `AS_WORK_DIR`. If no this env, then use `/opt/confidential-containers/attestation-service` | | `policy_engine` | String | Policy engine type. Valid values: `opa` | `opa` | | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] | -| `attestation_token_broker` | String | Type of the attestation result token broker. | `Simple` | -| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] | +| `attestation_token_broker` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] | [1]: #attestationtokenconfig [2]: #rvps-configuration -##### AttestationTokenConfig +##### AttestationTokenBroker | Property | Type | Description | Default | |----------------|-------------------------|------------------------------------------------------|----------| +| `type` | String | Type of token to generate (Ear or simple) | Ear | | `duration_min` | Integer | Duration of the attestation result token in minutes. | 5 | | `issuer_name` | String | Issure name of the attestation result token. | `CoCo-Attestation-Service` | | `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | None | diff --git a/kbs/quickstart.md b/kbs/quickstart.md index 8e4ac535a2..7dfaa26112 100644 --- a/kbs/quickstart.md +++ b/kbs/quickstart.md @@ -247,7 +247,7 @@ Adding the following content to the config file of Resource KBS to specify trust or JWK set which are used to verify the trustworthy of the Attestation Token: ```toml -[attestation_token_config] +[attestation_token_broker] # Path of root certificate used to verify the trustworthy of `x5c` extension in the JWT trusted_certs_paths = ["/path/to/trusted_cacert.pem"] 
From 099d2b3635f6ddedbd545d0f00cb254208adf0ed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 02:03:57 +0000 Subject: [PATCH 198/298] build(deps): bump cpufeatures from 0.2.15 to 0.2.16 Bumps [cpufeatures](https://github.com/RustCrypto/utils) from 0.2.15 to 0.2.16. - [Commits](https://github.com/RustCrypto/utils/compare/cpufeatures-v0.2.15...cpufeatures-v0.2.16) --- updated-dependencies: - dependency-name: cpufeatures dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f599be502b..2b67a57222 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1326,9 +1326,9 @@ dependencies = [ [[package]] name = "cpufeatures" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ca741a962e1b0bff6d724a1a0958b686406e853bb14061f218562e1896f95e6" +checksum = "16b80225097f2e5ae4e7179dd2266824648f3e2f49d9134d584b76389d31c4c3" dependencies = [ "libc", ] From f22f924fcb14a0151c09baad41d3a90fff3fb52c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Nov 2024 01:46:12 +0000 Subject: [PATCH 199/298] build(deps): bump tracing-attributes from 0.1.27 to 0.1.28 Bumps [tracing-attributes](https://github.com/tokio-rs/tracing) from 0.1.27 to 0.1.28. - [Release notes](https://github.com/tokio-rs/tracing/releases) - [Commits](https://github.com/tokio-rs/tracing/compare/tracing-attributes-0.1.27...tracing-attributes-0.1.28) --- updated-dependencies: - dependency-name: tracing-attributes dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 2b67a57222..c5371846d7 100644 --- a/Cargo.lock 
+++ b/Cargo.lock @@ -5892,9 +5892,9 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.27" +version = "0.1.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" +checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" dependencies = [ "proc-macro2", "quote", From 3f721c43bdde8b635646e4af459965d1df14fca8 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 28 Nov 2024 10:48:55 +0800 Subject: [PATCH 200/298] kbs: fix the configuration file read test This commit fixes the unit test items for kbs configuration item reading to ensure strict compliance between the content configured in the original configuration file and the code. Configuration items that are not given are assigned default values in the expected object of the unit test. Signed-off-by: Xynnn007 --- kbs/config/kubernetes/base/kbs-config.toml | 1 - kbs/src/config.rs | 1 + kbs/test_data/configs/coco-as-builtin-1.toml | 16 ++++++++++++++-- kbs/test_data/configs/coco-as-builtin-2.toml | 2 ++ kbs/test_data/configs/coco-as-builtin-3.toml | 3 +++ kbs/test_data/configs/coco-as-grpc-2.toml | 1 + kbs/test_data/configs/coco-as-grpc-3.toml | 1 + kbs/test_data/configs/intel-ta-1.toml | 1 + kbs/test_data/configs/intel-ta-2.toml | 2 ++ kbs/test_data/configs/intel-ta-3.toml | 1 + 10 files changed, 26 insertions(+), 3 deletions(-) diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 921b5780c4..9aaaefca9f 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml @@ -30,4 +30,3 @@ auth_public_key = "/kbs/kbs.pem" name = "resource" type = "LocalFs" dir_path = "/opt/confidential-containers/kbs/repository" - diff --git a/kbs/src/config.rs b/kbs/src/config.rs index 1262c7e374..b42b2af104 100644 --- a/kbs/src/config.rs +++ b/kbs/src/config.rs 
@@ -429,6 +429,7 @@ mod tests { }), attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { duration_min: 5, + policy_dir: "/opt/confidential-containers/attestation-service/simple-policies".into(), ..Default::default() }), } diff --git a/kbs/test_data/configs/coco-as-builtin-1.toml b/kbs/test_data/configs/coco-as-builtin-1.toml index 2d43c9f284..45b4e46ae2 100644 --- a/kbs/test_data/configs/coco-as-builtin-1.toml +++ b/kbs/test_data/configs/coco-as-builtin-1.toml @@ -2,10 +2,22 @@ type = "coco_as_builtin" work_dir = "/opt/coco/attestation-service" policy_engine = "opa" +timeout = 5 - [attestation_service.attestation_token_broker] - type = "Simple" +[attestation_service.attestation_token_broker] +type = "Simple" +issuer_name = "CoCo-Attestation-Service" [attestation_service.rvps_config] type = "GrpcRemote" address = "http://127.0.0.1:50003" + +[http_server] +sockets = ["127.0.0.1:8080"] +insecure_http = false + +[admin] +insecure_api = false + +[policy_engine] +policy_path = "/opt/confidential-containers/kbs/policy.rego" diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml index 3ad045a5d8..18385d64fb 100644 --- a/kbs/test_data/configs/coco-as-builtin-2.toml +++ b/kbs/test_data/configs/coco-as-builtin-2.toml @@ -10,6 +10,7 @@ insecure_http = true type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" +timeout = 5 [attestation_service.attestation_token_broker] type = "Simple" @@ -21,3 +22,4 @@ store_type = "LocalFs" [admin] auth_public_key = "/kbs/kbs.pem" +insecure_api = false diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index 060aa78da2..edda5a3d3f 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml 
@@ -2,15 +2,18 @@ insecure_http = true [attestation_token] +insecure_key = false [attestation_service] type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" +timeout = 5 [attestation_service.attestation_token_broker] type = "Simple" duration_min = 5 +policy_dir = "/opt/confidential-containers/attestation-service/simple-policies" [attestation_service.rvps_config] type = "BuiltIn" diff --git a/kbs/test_data/configs/coco-as-grpc-2.toml b/kbs/test_data/configs/coco-as-grpc-2.toml index dc5c1fdbd7..be95376a95 100644 --- a/kbs/test_data/configs/coco-as-grpc-2.toml +++ b/kbs/test_data/configs/coco-as-grpc-2.toml @@ -7,6 +7,7 @@ insecure_http = true [attestation_service] type = "coco_as_grpc" as_addr = "http://as:50004" +timeout = 5 [admin] auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub" diff --git a/kbs/test_data/configs/coco-as-grpc-3.toml b/kbs/test_data/configs/coco-as-grpc-3.toml index 0ba9958a02..b0ee2252d5 100644 --- a/kbs/test_data/configs/coco-as-grpc-3.toml +++ b/kbs/test_data/configs/coco-as-grpc-3.toml @@ -7,6 +7,7 @@ insecure_http = true type = "coco_as_grpc" as_addr = "http://127.0.0.1:50004" pool_size = 100 +timeout = 5 [admin] insecure_api = true diff --git a/kbs/test_data/configs/intel-ta-1.toml b/kbs/test_data/configs/intel-ta-1.toml index 84a4125d4f..e9a7fdf936 100644 --- a/kbs/test_data/configs/intel-ta-1.toml +++ b/kbs/test_data/configs/intel-ta-1.toml @@ -7,6 +7,7 @@ base_url = "example.io" api_key = "this-is-a-key" certs_file = "file:///etc/ita-cert.pem" allow_unmatched_policy = true +timeout = 5 [http_server] sockets = ["0.0.0.0:8080"] diff --git a/kbs/test_data/configs/intel-ta-2.toml b/kbs/test_data/configs/intel-ta-2.toml index e4b40b73dd..489d4b3ffe 100644 --- a/kbs/test_data/configs/intel-ta-2.toml +++ b/kbs/test_data/configs/intel-ta-2.toml 
@@ -12,6 +12,8 @@ type = "intel_ta" base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" +timeout = 5 [admin] auth_public_key = "/kbs/kbs.pem" +insecure_api = false diff --git a/kbs/test_data/configs/intel-ta-3.toml b/kbs/test_data/configs/intel-ta-3.toml index 90b1580594..4f04c0079b 100644 --- a/kbs/test_data/configs/intel-ta-3.toml +++ b/kbs/test_data/configs/intel-ta-3.toml @@ -12,3 +12,4 @@ type = "intel_ta" base_url = "https://api.trustauthority.intel.com" api_key = "tBfd5kKX2x9ahbodKV1..." certs_file = "https://portal.trustauthority.intel.com" +timeout = 5 From 8cac765c0fd5fd714b44ed7bf263deff9571c036 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 28 Nov 2024 10:51:40 +0800 Subject: [PATCH 201/298] config: Update config docs and files Due to EAR PR (#516), now the policy engine related configurations are moved to attestation_token_broker part. Thus the original `attestation_service.policy_engine` does not work anymore. Also update the configuration file document to align with the latest configuration items. Signed-off-by: Xynnn007 --- attestation-service/docs/config.md | 24 +++++++++++++-- kbs/config/kubernetes/base/kbs-config.toml | 1 - kbs/docs/config.md | 32 +++++++++++++++----- kbs/test_data/configs/coco-as-builtin-1.toml | 1 - kbs/test_data/configs/coco-as-builtin-2.toml | 1 - kbs/test_data/configs/coco-as-builtin-3.toml | 1 - 6 files changed, 46 insertions(+), 14 deletions(-) diff --git a/attestation-service/docs/config.md b/attestation-service/docs/config.md index ee16b3c930..855e5710da 100644 --- a/attestation-service/docs/config.md +++ b/attestation-service/docs/config.md 
@@ -16,20 +16,38 @@ section: | Property | Type | Description | Required | Default | |----------------------------|-----------------------------|-----------------------------------------------------|----------|---------| | `work_dir` | String | The location for Attestation Service to store data. | False | Firstly try to read from ENV `AS_WORK_DIR`. If not any, use `/opt/confidential-containers/attestation-service` | -| `policy_engine` | String | Policy engine type. Valid values: `opa` | False | `opa` | | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | False | - | | `attestation_token_broker` | [AttestationTokeBroker][1] | Attestation result token configuration. | False | - | -[1]: #attestationtokenconfig +[1]: #attestationtokenbroker [2]: #rvps-configuration #### AttestationTokenBroker | Property | Type | Description | Required | Default | |----------------|-------------------------|------------------------------------------------------|----------|---------| -| `type` | String | Type of token to issue (Ear or Simple) | No | `Ear` | +| `type` | String | Type of token to issue (`Ear` or `Simple`) | No | `Ear` | + +When `type` field is set to `Ear`, the following extra properties can be set: + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | +| `issuer_name` | String | Issure name of the attestation result token. 
| No |`CoCo-Attestation-Service`| +| `developer_name` | String | The developer name to be used as part of the Verifier ID in the EAR | No |`https://confidentialcontainers.org`| +| `build_name` | String | The build name to be used as part of the Verifier ID in the EAR | No | Automatically generated from Cargo package and AS version| +| `profile_name` | String | The Profile that describes the EAR token | No |tag:github.com,2024:confidential-containers/Trustee`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token/ear/policies`| +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | + +[1]: #tokensignerconfig + +When `type` field is set to `Simple`, the following extra properties can be set: +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| | `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | | `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token//simple/policies`| | `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | [1]: #tokensignerconfig diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 9aaaefca9f..dbad9b0555 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml 
@@ -10,7 +10,6 @@ insecure_key = true [attestation_service] type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" -policy_engine = "opa" [attestation_service.attestation_token_broker] type = "Ear" diff --git a/kbs/docs/config.md b/kbs/docs/config.md index 57b77d41e1..a6b9348b84 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
@@ -88,18 +88,36 @@ When `type` is set to `coco_as_builtin`, the following properties can be set. | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] | | `attestation_token_broker` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] | -[1]: #attestationtokenconfig +[1]: #attestationtokenbroker [2]: #rvps-configuration ##### AttestationTokenBroker -| Property | Type | Description | Default | -|----------------|-------------------------|------------------------------------------------------|----------| -| `type` | String | Type of token to generate (Ear or simple) | Ear | -| `duration_min` | Integer | Duration of the attestation result token in minutes. | 5 | -| `issuer_name` | String | Issure name of the attestation result token. | `CoCo-Attestation-Service` | -| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | None | +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `type` | String | Type of token to issue (`Ear` or `Simple`) | No | `Ear` | + +When `type` field is set to `Ear`, the following extra properties can be set: +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | +| `issuer_name` | String | Issure name of the attestation result token. 
| No |`CoCo-Attestation-Service`| +| `developer_name` | String | The developer name to be used as part of the Verifier ID in the EAR | No |`https://confidentialcontainers.org`| +| `build_name` | String | The build name to be used as part of the Verifier ID in the EAR | No | Automatically generated from Cargo package and AS version| +| `profile_name` | String | The Profile that describes the EAR token | No |tag:github.com,2024:confidential-containers/Trustee`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token/ear/policies`| +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | + +[1]: #tokensignerconfig + +When `type` field is set to `Simple`, the following extra properties can be set: +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | +| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token//simple/policies`| +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | [1]: #tokensignerconfig diff --git a/kbs/test_data/configs/coco-as-builtin-1.toml b/kbs/test_data/configs/coco-as-builtin-1.toml index 45b4e46ae2..b57fb5576b 100644 --- a/kbs/test_data/configs/coco-as-builtin-1.toml +++ b/kbs/test_data/configs/coco-as-builtin-1.toml @@ -1,7 +1,6 @@ [attestation_service] type = "coco_as_builtin" work_dir = "/opt/coco/attestation-service" -policy_engine = "opa" timeout = 5 [attestation_service.attestation_token_broker] 
diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml index 18385d64fb..070b6190b7 100644 --- a/kbs/test_data/configs/coco-as-builtin-2.toml +++ b/kbs/test_data/configs/coco-as-builtin-2.toml @@ -9,7 +9,6 @@ insecure_http = true [attestation_service] type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" -policy_engine = "opa" timeout = 5 [attestation_service.attestation_token_broker] diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index edda5a3d3f..f42049d6e8 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml @@ -7,7 +7,6 @@ insecure_key = false [attestation_service] type = "coco_as_builtin" work_dir = "/opt/confidential-containers/attestation-service" -policy_engine = "opa" timeout = 5 [attestation_service.attestation_token_broker] From d12210fb0d22c6670fa161335faf5395f2ada1ff Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 29 Nov 2024 10:16:12 +0800 Subject: [PATCH 202/298] verifier: add judge logic for quote and eventlog string This patch adds a check logic before trying to base decoding TDX/SGX quote and AAEL/CCEL. This would do help to raise a meaningful error message when an evidence with empty Quote is given to verifier module. Also, when AAEL/CCEL is existed inside the evidence but without any value, the deserialization and parse will also be skipped. Signed-off-by: Xynnn007 --- deps/verifier/src/sgx/mod.rs | 4 ++++ deps/verifier/src/tdx/mod.rs | 12 ++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/deps/verifier/src/sgx/mod.rs b/deps/verifier/src/sgx/mod.rs index cc2e2b4c6f..0ac2e8cdfd 100644 --- a/deps/verifier/src/sgx/mod.rs +++ b/deps/verifier/src/sgx/mod.rs 
@@ -73,6 +73,10 @@ async fn verify_evidence( expected_init_data_hash: &InitDataHash<'_>, evidence: SgxEvidence, ) -> Result { + if evidence.quote.is_empty() { + bail!("SGX Quote is empty."); + } + let quote_bin = base64::engine::general_purpose::STANDARD.decode(evidence.quote)?; ecdsa_quote_verification("e_bin) diff --git a/deps/verifier/src/tdx/mod.rs b/deps/verifier/src/tdx/mod.rs index a33d24d674..2375164796 100644 --- a/deps/verifier/src/tdx/mod.rs +++ b/deps/verifier/src/tdx/mod.rs @@ -52,6 +52,10 @@ async fn verify_evidence( expected_init_data_hash: &InitDataHash<'_>, evidence: TdxEvidence, ) -> Result { + if evidence.quote.is_empty() { + bail!("TDX Quote is empty."); + } + // Verify TD quote ECDSA signature. let quote_bin = base64::engine::general_purpose::STANDARD.decode(evidence.quote)?; ecdsa_quote_verification(quote_bin.as_slice()).await?; @@ -86,7 +90,7 @@ async fn verify_evidence( // Verify Integrity of CC Eventlog let mut ccel_option = Option::default(); match &evidence.cc_eventlog { - Some(el) => { + Some(el) if !el.is_empty() => { let ccel_data = base64::engine::general_purpose::STANDARD.decode(el)?; let ccel = CcEventLog::try_from(ccel_data) .map_err(|e| anyhow!("Parse CC Eventlog failed: {:?}", e))?; @@ -104,14 +108,14 @@ async fn verify_evidence( ccel.integrity_check(rtmr_from_quote)?; info!("CCEL integrity check succeeded."); } - None => { + _ => { warn!("No CC Eventlog included inside the TDX evidence."); } } // Verify Integrity of AA eventlog let aael = match &evidence.aa_eventlog { - Some(el) => { + Some(el) if !el.is_empty() => { let aael = AAEventlog::from_str(el).context("failed to parse AA Eventlog from evidence")?; // We assume we always use PCR 17, rtmr 3 for the application side events. @@ -120,7 +124,7 @@ async fn verify_evidence( info!("CCEL integrity check succeeded."); Some(aael) } - None => { + _ => { warn!("No AA Eventlog included inside the TDX evidence."); None } 
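Review bot: In tdx/mod.rs the new `_ =>` arm of the `cc_eventlog` match also takes `Some("")`, so evidence that carries the field with an empty value is logged as "No CC Eventlog included inside the TDX evidence." and the `integrity_check` against the quote's RTMRs is skipped exactly as for an absent field. A verifier log should let an operator tell a missing event log from a present-but-empty one; keep `None =>` as it was and add an arm such as `Some(_) => warn!("CC Eventlog is present but empty; integrity check skipped.")`. The `aa_eventlog` match in the last hunk has the same catch-all and the same message problem (its extra arm would also return `None`). `verify_evidence` starts and ends outside these hunks.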
From c96fa6104db6b916722f159cd18c053e77e55c75 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 29 Nov 2024 12:45:51 +0800 Subject: [PATCH 203/298] chore: update protobuf suites Signed-off-by: Xynnn007 --- Cargo.lock | 219 ++++++----------------------------------------------- Cargo.toml | 23 ++++-- 2 files changed, 40 insertions(+), 202 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c5371846d7..5dfa339b9a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -542,7 +542,7 @@ dependencies = [ "lazy_static", "log", "openssl", - "prost 0.12.6", + "prost", "rand", "reference-value-provider-service", "regorus", @@ -560,8 +560,8 @@ dependencies = [ "thiserror 1.0.69", "time", "tokio", - "tonic 0.11.0", - "tonic-build 0.11.0", + "tonic", + "tonic-build", "uuid", "verifier", ] @@ -615,34 +615,6 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" -[[package]] -name = "axum" -version = "0.6.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b829e4e32b91e643de6eafe82b1d90675f5874230191a4ffbc1b336dec4d6bf" -dependencies = [ - "async-trait", - "axum-core 0.3.4", - "bitflags 1.3.2", - "bytes", - "futures-util", - "http 0.2.12", - "http-body 0.4.6", - "hyper 0.14.31", - "itoa", - "matchit", - "memchr", - "mime", - "percent-encoding", - "pin-project-lite", - "rustversion", - "serde", - "sync_wrapper 0.1.2", - "tower 0.4.13", - "tower-layer", - "tower-service", -] - [[package]] name = "axum" version = "0.7.9" @@ -650,7 +622,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "edca88bc138befd0323b20752846e6587272d3b03b0343c8ea28a6f819e6e71f" dependencies = [ "async-trait", - "axum-core 0.4.5", + "axum-core", "bytes", "futures-util", "http 1.1.0", 
@@ -670,23 +642,6 @@ dependencies = [ "tower-service", ] -[[package]] -name = "axum-core" -version = "0.3.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "759fa577a247914fd3f7f76d62972792636412fbfd634cd452f6a385a74d2d2c" -dependencies = [ - "async-trait", - "bytes", - "futures-util", - "http 0.2.12", - "http-body 0.4.6", - "mime", - "rustversion", - "tower-layer", - "tower-service", -] - [[package]] name = "axum-core" version = "0.4.5" @@ -2434,18 +2389,6 @@ dependencies = [ "webpki-roots 0.26.6", ] -[[package]] -name = "hyper-timeout" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" -dependencies = [ - "hyper 0.14.31", - "pin-project-lite", - "tokio", - "tokio-io-timeout", -] - [[package]] name = "hyper-timeout" version = "0.5.2" @@ -2781,15 +2724,6 @@ dependencies = [ "either", ] -[[package]] -name = "itertools" -version = "0.13.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186" -dependencies = [ - "either", -] - [[package]] name = "itoa" version = "1.0.13" @@ -2949,7 +2883,7 @@ dependencies = [ "log", "mobc", "openssl", - "prost 0.12.6", + "prost", "rand", "regex", "regorus", @@ -2965,8 +2899,8 @@ dependencies = [ "thiserror 1.0.69", "time", "tokio", - "tonic 0.11.0", - "tonic-build 0.11.0", + "tonic", + "tonic-build", "uuid", ] @@ -3036,7 +2970,7 @@ dependencies = [ "lazy_static", "log", "p12", - "prost 0.13.3", + "prost", "rand", "reqwest 0.12.9", "resource_uri", @@ -3048,8 +2982,8 @@ dependencies = [ "thiserror 2.0.3", "tokio", "toml 0.8.19", - "tonic 0.12.3", - "tonic-build 0.12.3", + "tonic", + "tonic-build", "url", "yasna 0.5.2", ] 
@@ -4008,16 +3942,6 @@ dependencies = [ "unicode-ident", ] -[[package]] -name = "prost" -version = "0.12.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "deb1435c188b76130da55f17a466d252ff7b1418b2ad3e037d127b94e3411f29" -dependencies = [ - "bytes", - "prost-derive 0.12.6", -] - [[package]] name = "prost" version = "0.13.3" @@ -4025,28 +3949,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7b0487d90e047de87f984913713b85c601c05609aad5b0df4b4573fbf69aa13f" dependencies = [ "bytes", - "prost-derive 0.13.3", -] - -[[package]] -name = "prost-build" -version = "0.12.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4" -dependencies = [ - "bytes", - "heck 0.5.0", - "itertools 0.12.1", - "log", - "multimap", - "once_cell", - "petgraph", - "prettyplease", - "prost 0.12.6", - "prost-types 0.12.6", - "regex", - "syn 2.0.87", - "tempfile", + "prost-derive", ] [[package]] @@ -4057,32 +3960,19 @@ checksum = "0c1318b19085f08681016926435853bbf7858f9c082d0999b80550ff5d9abe15" dependencies = [ "bytes", "heck 0.5.0", - "itertools 0.13.0", + "itertools", "log", "multimap", "once_cell", "petgraph", "prettyplease", - "prost 0.13.3", - "prost-types 0.13.3", + "prost", + "prost-types", "regex", "syn 2.0.87", "tempfile", ] -[[package]] -name = "prost-derive" -version = "0.12.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" -dependencies = [ - "anyhow", - "itertools 0.12.1", - "proc-macro2", - "quote", - "syn 2.0.87", -] - [[package]] name = "prost-derive" version = "0.13.3" 
@@ -4090,28 +3980,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e9552f850d5f0964a4e4d0bf306459ac29323ddfbae05e35a7c0d35cb0803cc5" dependencies = [ "anyhow", - "itertools 0.13.0", + "itertools", "proc-macro2", "quote", "syn 2.0.87", ] -[[package]] -name = "prost-types" -version = "0.12.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9091c90b0a32608e984ff2fa4091273cbdd755d54935c51d520887f4a1dbd5b0" -dependencies = [ - "prost 0.12.6", -] - [[package]] name = "prost-types" version = "0.13.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4759aa0d3a6232fb8dbdb97b61de2c20047c68aca932c7ed76da9d788508d670" dependencies = [ - "prost 0.13.3", + "prost", ] [[package]] @@ -4283,7 +4164,7 @@ dependencies = [ "env_logger 0.10.2", "log", "path-clean", - "prost 0.12.6", + "prost", "rstest", "serde", "serde_json", @@ -4294,8 +4175,8 @@ dependencies = [ "strum 0.25.0", "tempfile", "tokio", - "tonic 0.11.0", - "tonic-build 0.11.0", + "tonic", + "tonic-build", "walkdir", ] @@ -5618,16 +5499,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "tokio-io-timeout" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30b74022ada614a1b4834de765f9bb43877f910cc8ce4be40e89042c9223a8bf" -dependencies = [ - "pin-project-lite", - "tokio", -] - [[package]] name = "tokio-macros" version = "2.4.0" 
@@ -5748,33 +5619,6 @@ dependencies = [ "winnow", ] -[[package]] -name = "tonic" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76c4eb7a4e9ef9d4763600161f12f5070b92a578e1b634db88a6887844c91a13" -dependencies = [ - "async-stream", - "async-trait", - "axum 0.6.20", - "base64 0.21.7", - "bytes", - "h2 0.3.26", - "http 0.2.12", - "http-body 0.4.6", - "hyper 0.14.31", - "hyper-timeout 0.4.1", - "percent-encoding", - "pin-project", - "prost 0.12.6", - "tokio", - "tokio-stream", - "tower 0.4.13", - "tower-layer", - "tower-service", - "tracing", -] - [[package]] name = "tonic" version = "0.12.3" @@ -5783,7 +5627,7 @@ checksum = "877c5b330756d856ffcc4553ab34a5684481ade925ecc54bcd1bf02b1d0d4d52" dependencies = [ "async-stream", "async-trait", - "axum 0.7.9", + "axum", "base64 0.22.1", "bytes", "h2 0.4.7", @@ -5791,11 +5635,11 @@ dependencies = [ "http-body 1.0.1", "http-body-util", "hyper 1.5.1", - "hyper-timeout 0.5.2", + "hyper-timeout", "hyper-util", "percent-encoding", "pin-project", - "prost 0.13.3", + "prost", "socket2", "tokio", "tokio-stream", @@ -5805,19 +5649,6 @@ dependencies = [ "tracing", ] -[[package]] -name = "tonic-build" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" -dependencies = [ - "prettyplease", - "proc-macro2", - "prost-build 0.12.6", - "quote", - "syn 2.0.87", -] - [[package]] name = "tonic-build" version = "0.12.3" @@ -5826,8 +5657,8 @@ checksum = "9557ce109ea773b399c9b9e5dca39294110b74f1f342cb347a80d1fce8c26a11" dependencies = [ "prettyplease", "proc-macro2", - "prost-build 0.13.3", - "prost-types 0.13.3", + "prost-build", + "prost-types", "quote", "syn 2.0.87", ] @@ -6190,7 +6021,7 @@ dependencies = [ "strum 0.25.0", "thiserror 1.0.69", "tokio", - "tonic-build 0.11.0", + "tonic-build", "veraison-apiclient", "x509-parser", ] 
diff --git a/Cargo.toml b/Cargo.toml index 679e00fcd5..97ed8dc081 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,14 +30,21 @@ ear = "0.3.0" env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } kbs-types = "0.7.0" -kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } +kms = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" -prost = "0.12" -regorus = { version = "0.2.6", default-features = false, features = ["regex", "base64", "time", "std" ] } -reqwest = { version = "0.12", default-features = false, features = ["default-tls"] } +prost = "0.13" +regorus = { version = "0.2.6", default-features = false, features = [ + "regex", + "base64", + "time", + "std", +] } +reqwest = { version = "0.12", default-features = false, features = [ + "default-tls", +] } rstest = "0.18.1" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0.132" @@ -47,7 +54,7 @@ sha2 = "0.10" shadow-rs = "0.19.0" strum = { version = "0.25", features = ["derive"] } thiserror = "1.0" -tokio = { version = "1", features = ["full"], default-features = false } +tokio = { version = "1", features = ["full"], default-features = false } tempfile = "3.14.0" -tonic = "0.11" -tonic-build = "0.11" +tonic = "0.12" +tonic-build = "0.12" From 5152b98cb7c347fae40f8e9f48b68f0ad0ed8c0a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 01:20:39 +0000 Subject: [PATCH 204/298] build(deps): bump bytes from 1.8.0 to 1.9.0 Bumps [bytes](https://github.com/tokio-rs/bytes) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](https://github.com/tokio-rs/bytes/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: bytes dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5dfa339b9a..95fb6f0ac0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -923,9 +923,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" -version = "1.8.0" +version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ac0150caa2ae65ca5bd83f25c7de183dea78d4d366469f148435e2acfbad0da" +checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b" [[package]] name = "bytestring" From f10f3cf98c895f596ef46fc5da7b433308532e6e Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 3 Dec 2024 15:06:36 -0600 Subject: [PATCH 205/298] token: fix simple token broker Fix bug where wrong claims were added to the token. Also, rename claims to flattened_claims to be slightly clearer. Signed-off-by: Tobin Feldman-Fitzthum --- attestation-service/src/token/simple.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs index d69394ac86..a837269a3a 100644 --- a/attestation-service/src/token/simple.rs +++ b/attestation-service/src/token/simple.rs 
@@ -214,12 +214,12 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { reference_data_map: HashMap>, tee: Tee, ) -> Result { - let claims = flatten_claims(tee, &tcb_claims)?; + let flattened_claims = flatten_claims(tee, &tcb_claims)?; let reference_data = json!({ "reference": reference_data_map, }); let reference_data = serde_json::to_string(&reference_data)?; - let tcb_claims = serde_json::to_string(&claims)?; + let tcb_claims = serde_json::to_string(&flattened_claims)?; let mut policies = HashMap::new(); for policy_id in policy_ids { @@ -298,7 +298,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { .to_owned(), ); - let claims_value = Value::Object(claims); + let claims_value = Value::Object(jwt_claims); let claims_string = serde_json::to_string(&claims_value)?; let claims_b64 = URL_SAFE_NO_PAD.encode(claims_string.as_bytes()); From 98225e2637809bec46cdc762a0400c7aa93189f7 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Wed, 27 Nov 2024 22:43:28 -0600 Subject: [PATCH 206/298] misc: clean up comments, logs, and errors Assorted fixes to text. No functional changes. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/src/error.rs | 6 +++--- kbs/src/token/error.rs | 2 +- kbs/src/token/mod.rs | 27 +++++++++++++++++---------- 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/kbs/src/error.rs b/kbs/src/error.rs index fe5c1c9b58..344c86f07a 100644 --- a/kbs/src/error.rs +++ b/kbs/src/error.rs @@ -82,7 +82,7 @@ impl ResponseError for Error { let mut detail = String::new(); // The write macro here will only raise error when OOM of the string. - write!(&mut detail, "{}", self).expect("written error response failed"); + write!(&mut detail, "{}", self).expect("Failed to write error"); let info = ErrorInformation { error_type: format!("{ERROR_TYPE_PREFIX}/{}", self.as_ref()), detail, 
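Review bot: The one-word fix in the second simple.rs hunk, `Value::Object(jwt_claims)`, decides which claims a relying party sees in the issued token, yet the commit touches only simple.rs (3 insertions, 3 deletions), so nothing guards against the two maps being mixed up again. A unit test that issues a token, base64url-decodes the payload and asserts on its top-level claims would pin the behaviour. In the first hunk, `let tcb_claims = serde_json::to_string(&flattened_claims)?;` still shadows the earlier `tcb_claims` binding with a value of a different type; a distinct name such as `flattened_claims_json` would finish what the rename started. `jwt_claims` is built outside the hunk, so its contents cannot be checked from here.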
@@ -91,9 +91,9 @@ impl ResponseError for Error { // All the fields inside the ErrorInfo are printable characters, so this // error cannot happen. // A test covering all the possible error types are given to ensure this. - let body = serde_json::to_string(&info).expect("serialize error response failed"); + let body = serde_json::to_string(&info).expect("Failed to serialize error"); - // Due to the definition of KBS attestation protocol, we set the http code. + // Per the KBS protocol, errors should yield 401 or 404 reponses let mut res = match self { Error::IllegalAccessedPath { .. } | Error::PluginNotFound { .. } => { HttpResponse::NotFound() diff --git a/kbs/src/token/error.rs b/kbs/src/token/error.rs index 835de1e90c..66d34a4b4e 100644 --- a/kbs/src/token/error.rs +++ b/kbs/src/token/error.rs @@ -22,7 +22,7 @@ pub enum Error { source: anyhow::Error, }, - #[error("Tee public key is not found inside the claims of token")] + #[error("Tee public key not found in Attestation Token")] NoTeePubKeyClaimFound, #[error("Failed to parse Tee public key")] diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index da896f4e78..5146e1b5f6 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs 
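Review bot: The added comment `// Per the KBS protocol, errors should yield 401 or 404 reponses` misspells "responses". It would also read better if it said which errors get which status, since the match that follows sends the path and plugin-not-found variants to 404 and falls through to 401 for the rest: `// Per the KBS protocol, a bad path or unknown plugin yields 404; every other error yields 401.` `error_response` begins outside the hunk.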
@@ -31,22 +31,27 @@ pub struct AttestationTokenVerifierConfig { /// This field will default to an empty vector. pub extra_teekey_paths: Vec, - /// Trusted Certificates file (PEM format) paths use to verify Attestation - /// Token Signature. + /// File paths of trusted certificates in PEM format used to verify + /// the signature of the Attestation Token. #[serde(default)] pub trusted_certs_paths: Vec, - /// Urls (file:// and https:// schemes accepted) pointing to a local JWKSet file + /// URLs (file:// and https:// schemes accepted) pointing to a local JWKSet file /// or to an OpenID configuration url giving a pointer to JWKSet certificates /// (for "Jwk") to verify Attestation Token Signature. #[serde(default)] pub trusted_jwk_sets: Vec, - /// Whether a JWK that directly comes from the JWT token is allowed to verify - /// the signature. This is insecure as it will not check the endorsement of - /// the JWK. If this option is set to false, the JWK will be looked up from - /// the key store configured during launching the KBS with kid field in the JWT, - /// or be checked against the configured trusted CA certs. + /// Whether the token signing key is (not) validated. + /// If true, the attestation token can be modified in flight. + /// This should only be set to true for testing. + /// While the token signature is still validated, the provenance of the + /// signing key is not checked and the key could be replaced. + /// + /// When false, the key must be endorsed by the certificates or JWK sets + /// specified above. + /// + /// Default: false #[serde(default = "bool::default")] pub insecure_key: bool, } 
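Review bot: The rewritten doc comment on `insecure_key` opens with "Whether the token signing key is (not) validated", which does not say which value of the flag means what, and it drops the one detail the old text carried: that with the flag set, a JWK taken from the token itself is accepted without checking its endorsement. I would open with `/// If true, a JWK carried in the token itself is accepted without checking its endorsement; testing only.` and keep the remaining sentences. The explicit `/// Default: false` line is a good addition and matches the `bool::default` serde attribute below it. The struct's first fields lie outside the hunk.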
@@ -81,8 +86,10 @@ impl TokenVerifier { }) } - /// Different attestation service would embed tee public key - /// in different parts of the claims. + /// Different types of attestation tokens store the tee public key in + /// different places. + /// Try extracting the key from multiple built-in paths as well as any extras + /// specified in the config file. pub fn extract_tee_public_key(&self, claim: Value) -> Result { for path in &self.extra_teekey_paths { if let Some(pkey_value) = claim.pointer(path) { From 9d51cbc6cdc8034514f884f85dfe40edcd862453 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Wed, 4 Dec 2024 16:00:02 +0200 Subject: [PATCH 207/298] rvps: fix binary target path without the fix, make install fails. Signed-off-by: Mikko Ylinen --- rvps/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rvps/Makefile b/rvps/Makefile index f9045f5797..03c1937072 100644 --- a/rvps/Makefile +++ b/rvps/Makefile @@ -1,6 +1,6 @@ PREFIX := /usr/local -TARGET_DIR := ../../target/release +TARGET_DIR := ../target/release DESTDIR ?= $(PREFIX)/bin BIN_NAMES := rvps rvps-tool From 5d6932fc62c18c1181a9061f6bd42206c2daca33 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Wed, 4 Dec 2024 12:05:18 -0600 Subject: [PATCH 208/298] plugins: minor cleanup of api-server code Since the path doesn't necessarily represent a plugin, let's not call it a plugin and sub_path. Instead, let's just say base_path and additional_path. I think this clarifies the relationship between the built-in features and the plugins. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/src/api_server.rs | 41 ++++++++++++++++++++++------------------- kbs/src/error.rs | 8 ++++---- 2 files changed, 26 insertions(+), 23 deletions(-) diff --git a/kbs/src/api_server.rs b/kbs/src/api_server.rs index 694f5cdd0f..cdef86e977 100644 --- a/kbs/src/api_server.rs +++ b/kbs/src/api_server.rs 
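Review bot: The new doc comment on `extract_tee_public_key` says built-in paths and config extras are both tried but not in which order, while the first visible loop iterates `self.extra_teekey_paths`, which suggests the config-supplied paths win when both match. The precedence is worth stating because it decides which claim supplies the TEE public key, with a line such as `/// Config-supplied paths are tried first, then the built-in ones.` The rest of the function is outside the hunk, so confirm the order before adding it.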
@@ -100,7 +100,7 @@ impl ApiServer { .wrap(middleware::Logger::default()) .app_data(web::Data::new(api_server)) .service( - web::resource([kbs_path!("{plugin}{sub_path:.*}")]) + web::resource([kbs_path!("{base_path}{additional_path:.*}")]) .route(web::get().to(api)) .route(web::post().to(api)), ) @@ -138,22 +138,23 @@ pub(crate) async fn api( core: web::Data, ) -> Result { let query = request.query_string(); - let plugin_name = request + let base_path = request .match_info() - .get("plugin") - .ok_or(Error::IllegalAccessedPath { - path: request.path().to_string(), - })?; - let sub_path = request - .match_info() - .get("sub_path") - .ok_or(Error::IllegalAccessedPath { + .get("base_path") + .ok_or(Error::InvalidRequestPath { path: request.path().to_string(), })?; + let additional_path = + request + .match_info() + .get("additional_path") + .ok_or(Error::InvalidRequestPath { + path: request.path().to_string(), + })?; - let end_point = format!("{plugin_name}{sub_path}"); + let endpoint = format!("{base_path}{additional_path}"); - match plugin_name { + match base_path { #[cfg(feature = "as")] "auth" if request.method() == Method::POST => core .attestation_service @@ -188,6 +189,8 @@ pub(crate) async fn api( Ok(HttpResponse::Ok().content_type("text/xml").body(policy)) } + // If the base_path cannot be served by any of the above built-in + // functions, try fulfilling the request via the PluginManager. plugin_name => { let plugin = core .plugin_manager 
@@ -198,20 +201,20 @@ pub(crate) async fn api( let body = body.to_vec(); if plugin - .validate_auth(&body, query, sub_path, request.method()) + .validate_auth(&body, query, additional_path, request.method()) .await .map_err(|e| Error::PluginInternalError { source: e })? { - // Plugin calls needs to be authorized by the admin auth + // Plugin calls need to be authorized by the admin auth core.admin_auth.validate_auth(&request)?; let response = plugin - .handle(&body, query, sub_path, request.method()) + .handle(&body, query, additional_path, request.method()) .await .map_err(|e| Error::PluginInternalError { source: e })?; Ok(HttpResponse::Ok().content_type("text/xml").body(response)) } else { - // Plugin calls needs to be authorized by the Token and policy + // Plugin calls need to be authorized by the Token and policy let token = core .get_attestation_token(&request) .await @@ -222,16 +225,16 @@ pub(crate) async fn api( let claim_str = serde_json::to_string(&claims)?; // TODO: add policy filter support for other plugins - if !core.policy_engine.evaluate(&end_point, &claim_str).await? { + if !core.policy_engine.evaluate(&endpoint, &claim_str).await? { return Err(Error::PolicyDeny); } let response = plugin - .handle(&body, query, sub_path, request.method()) + .handle(&body, query, additional_path, request.method()) .await .map_err(|e| Error::PluginInternalError { source: e })?; if plugin - .encrypted(&body, query, sub_path, request.method()) + .encrypted(&body, query, additional_path, request.method()) .await .map_err(|e| Error::PluginInternalError { source: e })? { diff --git a/kbs/src/error.rs b/kbs/src/error.rs index 344c86f07a..d66bceeed8 100644 --- a/kbs/src/error.rs +++ b/kbs/src/error.rs @@ -37,8 +37,8 @@ pub enum Error { source: anyhow::Error, }, - #[error("Accessed path {path} is illegal")] - IllegalAccessedPath { path: String }, + #[error("Request path {path} is invalid")] + InvalidRequestPath { path: String }, #[error("JWE failed")] JweError { 
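Review bot: Renaming the variant `IllegalAccessedPath` to `InvalidRequestPath` in kbs/src/error.rs may change more than the message text: `error_response` builds `error_type` with `format!("{ERROR_TYPE_PREFIX}/{}", self.as_ref())` (visible in an earlier error.rs hunk of this series), and if that `AsRef` impl is derived from the variant name, the type string in the JSON error body changes with the rename. Clients or tests that match on that string would then stop recognising the 404 case. If that is the intent, say so in the commit description; otherwise pin the serialized name on the variant. The enum definition and its derives are outside the hunk, so this needs checking against the full file.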
@@ -95,7 +95,7 @@ impl ResponseError for Error { // Per the KBS protocol, errors should yield 401 or 404 reponses let mut res = match self { - Error::IllegalAccessedPath { .. } | Error::PluginNotFound { .. } => { + Error::InvalidRequestPath { .. } | Error::PluginNotFound { .. } => { HttpResponse::NotFound() } _ => HttpResponse::Unauthorized(), @@ -114,7 +114,7 @@ mod tests { use super::Error; #[rstest] - #[case(Error::IllegalAccessedPath{path: "test".into()})] + #[case(Error::InvalidRequestPath{path: "test".into()})] #[case(Error::PluginNotFound{plugin_name: "test".into()})] fn into_error_response(#[case] err: Error) { let _ = actix_web::ResponseError::error_response(&err); From bccb02901635973377c7f7488e3efb107d28ed12 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 4 Dec 2024 09:38:51 +0800 Subject: [PATCH 209/298] chore: Update jwt-simple dependency Some other related packages are also updated in Cargo.lock by `cargo update -p jwt-simple` Signed-off-by: Xynnn007 --- Cargo.lock | 161 +++++++++-------------------------------------------- Cargo.toml | 4 +- 2 files changed, 29 insertions(+), 136 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 95fb6f0ac0..eab9dc22b2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -546,7 +546,7 @@ dependencies = [ "rand", "reference-value-provider-service", "regorus", - "rsa 0.9.6", + "rsa", "rstest", "serde", "serde_json", @@ -1329,7 +1329,7 @@ dependencies = [ "ctr", "kbs-types", "rand", - "rsa 0.9.6", + "rsa", "serde", "serde_json", "sha2", @@ -1504,17 +1504,6 @@ version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e8566979429cf69b49a5c740c60791108e86440e8be149bbea4fe54d2c32d6e2" -[[package]] -name = "der" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de" -dependencies = [ - "const-oid", - "pem-rfc7468 0.6.0", - "zeroize", -] - [[package]] name = "der" version = "0.7.9" 
@@ -1522,7 +1511,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0" dependencies = [ "const-oid", - "pem-rfc7468 0.7.0", + "pem-rfc7468", "zeroize", ] @@ -1683,12 +1672,12 @@ version = "0.16.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca" dependencies = [ - "der 0.7.9", + "der", "digest", "elliptic-curve", "rfc6979", - "signature 2.2.0", - "spki 0.7.3", + "signature", + "spki", ] [[package]] @@ -1720,8 +1709,8 @@ dependencies = [ "generic-array", "group", "hkdf", - "pem-rfc7468 0.7.0", - "pkcs8 0.10.2", + "pem-rfc7468", + "pkcs8", "rand_core", "sec1", "subtle", @@ -2791,32 +2780,6 @@ dependencies = [ "simple_asn1", ] -[[package]] -name = "jwt-simple" -version = "0.11.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "357892bb32159d763abdea50733fadcb9a8e1c319a9aa77592db8555d05af83e" -dependencies = [ - "anyhow", - "binstring", - "coarsetime", - "ct-codecs", - "ed25519-compact", - "hmac-sha1-compact", - "hmac-sha256", - "hmac-sha512", - "k256", - "p256", - "p384", - "rand", - "rsa 0.7.2", - "serde", - "serde_json", - "spki 0.6.0", - "thiserror 1.0.69", - "zeroize", -] - [[package]] name = "jwt-simple" version = "0.12.10" @@ -2854,7 +2817,7 @@ dependencies = [ "elliptic-curve", "once_cell", "sha2", - "signature 2.2.0", + "signature", ] [[package]] @@ -2876,7 +2839,7 @@ dependencies = [ "derivative", "env_logger 0.10.2", "jsonwebtoken", - "jwt-simple 0.11.9", + "jwt-simple", "kbs-types", "kms", "lazy_static", @@ -2888,7 +2851,7 @@ dependencies = [ "regex", "regorus", "reqwest 0.12.9", - "rsa 0.9.6", + "rsa", "rstest", "scc", "semver", @@ -2912,7 +2875,7 @@ dependencies = [ "base64 0.22.1", "clap 4.5.21", "env_logger 0.10.2", - "jwt-simple 0.11.9", + "jwt-simple", "kbs_protocol", "log", "reqwest 0.12.9", 
@@ -2941,7 +2904,7 @@ dependencies = [ "attester", "base64 0.22.1", "crypto", - "jwt-simple 0.12.10", + "jwt-simple", "kbs-types", "log", "reqwest 0.12.9", @@ -3609,15 +3572,6 @@ dependencies = [ "serde", ] -[[package]] -name = "pem-rfc7468" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24d159833a9105500e0398934e205e0773f0b27529557134ecfc51c27646adac" -dependencies = [ - "base64ct", -] - [[package]] name = "pem-rfc7468" version = "0.7.0" @@ -3808,37 +3762,15 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" -[[package]] -name = "pkcs1" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eff33bdbdfc54cc98a2eca766ebdec3e1b8fb7387523d5c9c9a2891da856f719" -dependencies = [ - "der 0.6.1", - "pkcs8 0.9.0", - "spki 0.6.0", - "zeroize", -] - [[package]] name = "pkcs1" version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" dependencies = [ - "der 0.7.9", - "pkcs8 0.10.2", - "spki 0.7.3", -] - -[[package]] -name = "pkcs8" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba" -dependencies = [ - "der 0.6.1", - "spki 0.6.0", + "der", + "pkcs8", + "spki", ] [[package]] @@ -3847,8 +3779,8 @@ version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" dependencies = [ - "der 0.7.9", - "spki 0.7.3", + "der", + "spki", ] [[package]] 
@@ -4377,27 +4309,6 @@ dependencies = [ "serde", ] -[[package]] -name = "rsa" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "094052d5470cbcef561cb848a7209968c9f12dfa6d668f4bca048ac5de51099c" -dependencies = [ - "byteorder", - "digest", - "num-bigint-dig", - "num-integer", - "num-iter", - "num-traits", - "pkcs1 0.4.1", - "pkcs8 0.9.0", - "rand_core", - "signature 1.6.4", - "smallvec", - "subtle", - "zeroize", -] - [[package]] name = "rsa" version = "0.9.6" @@ -4409,12 +4320,12 @@ dependencies = [ "num-bigint-dig", "num-integer", "num-traits", - "pkcs1 0.7.5", - "pkcs8 0.10.2", + "pkcs1", + "pkcs8", "rand_core", "sha2", - "signature 2.2.0", - "spki 0.7.3", + "signature", + "spki", "subtle", "zeroize", ] @@ -4742,9 +4653,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" dependencies = [ "base16ct", - "der 0.7.9", + "der", "generic-array", - "pkcs8 0.10.2", + "pkcs8", "subtle", "zeroize", ] @@ -5032,16 +4943,6 @@ dependencies = [ "libc", ] -[[package]] -name = "signature" -version = "1.6.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74233d3b3b2f6d4b006dc19dee745e73e2a6bfb6f93607cd3b02bd5b00797d7c" -dependencies = [ - "digest", - "rand_core", -] - [[package]] name = "signature" version = "2.2.0" @@ -5117,16 +5018,6 @@ version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" -[[package]] -name = "spki" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67cf02bbac7a337dc36e4f5a693db6c21e7863f45070f7064577eb4367a3212b" -dependencies = [ - "base64ct", - "der 0.6.1", -] - [[package]] name = "spki" version = "0.7.3" 
@@ -5134,7 +5025,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" dependencies = [ "base64ct", - "der 0.7.9", + "der", ] [[package]] @@ -5227,7 +5118,7 @@ dependencies = [ "hmac-sha256", "hmac-sha512", "rand", - "rsa 0.9.6", + "rsa", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 97ed8dc081..b87b1d18b4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,7 +29,9 @@ config = "0.13.3" ear = "0.3.0" env_logger = "0.10.0" hex = "0.4.3" -jwt-simple = "0.11" +jwt-simple = { version = "0.12", default-features = false, features = [ + "pure-rust", +] } kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } kbs-types = "0.7.0" kms = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } From 9ed5aab3d7bcada591f9e2b31009477fade1ae39 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Dec 2024 01:13:39 +0000 Subject: [PATCH 210/298] build(deps): bump libc from 0.2.164 to 0.2.167 Bumps [libc](https://github.com/rust-lang/libc) from 0.2.164 to 0.2.167. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.167/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.164...0.2.167) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index eab9dc22b2..fedc03b9ec 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -2974,9 +2974,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.164" +version = "0.2.167" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "433bfe06b8c75da9b2e3fbea6e5329ff87748f0b144ef75306e674c3f6f7c13f" +checksum = "09d6582e104315a817dff97f75133544b2e094ee22447d2acf4a74e189ba06fc" [[package]] name = "libgit2-sys" From 3dc87c4669318288b1803b61ed6a8a4f1deeb962 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 01:48:06 +0000 Subject: [PATCH 211/298] build(deps): bump fastrand from 2.2.0 to 2.3.0 Bumps [fastrand](https://github.com/smol-rs/fastrand) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/smol-rs/fastrand/releases) - [Changelog](https://github.com/smol-rs/fastrand/blob/master/CHANGELOG.md) - [Commits](https://github.com/smol-rs/fastrand/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: fastrand dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index fedc03b9ec..1c963b1598 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1818,9 +1818,9 @@ dependencies = [ [[package]] name = "fastrand" -version = "2.2.0" +version = "2.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "486f806e73c5707928240ddc295403b1b93c96a02038563881c4a2fd84b81ac4" +checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be" [[package]] name = "ff" From 5b44a004a2c6a4c983016c96c112316d4a3df2d7 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Dec 2024 01:26:32 +0000 Subject: [PATCH 212/298] build(deps): bump quinn-udp from 0.5.7 to 0.5.8 Bumps [quinn-udp](https://github.com/quinn-rs/quinn) from 0.5.7 to 0.5.8. - [Release notes](https://github.com/quinn-rs/quinn/releases) - [Commits](https://github.com/quinn-rs/quinn/compare/quinn-udp-0.5.7...quinn-udp-0.5.8) --- updated-dependencies: - dependency-name: quinn-udp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1c963b1598..209863b17c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3983,9 +3983,9 @@ dependencies = [ [[package]] name = "quinn-udp" -version = "0.5.7" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d5a626c6807713b15cac82a6acaccd6043c9a5408c24baae07611fec3f243da" +checksum = "52cd4b1eff68bf27940dd39811292c49e007f4d0b4c357358dc9b0197be6b527" dependencies = [ "cfg_aliases", "libc", @@ -6093,7 +6093,7 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.59.0", + "windows-sys 0.48.0", ] [[package]] From 4f53faf9cbbafa11ee39aedf8d607dc07af51f56 Mon Sep 17 00:00:00 2001 From: Jiale Zhang Date: Mon, 9 Dec 2024 14:30:59 +0800 Subject: [PATCH 213/298] Added checks for AS and KBS policy setting Signed-off-by: Jiale Zhang --- attestation-service/src/policy_engine/mod.rs | 2 ++ .../src/policy_engine/opa/mod.rs | 10 ++++++++ deps/verifier/src/snp/mod.rs | 6 +++-- kbs/src/policy_engine/error.rs | 3 +++ kbs/src/policy_engine/opa/mod.rs | 24 +++++++++++++------ 5 files changed, 36 insertions(+), 9 deletions(-) 
diff --git a/attestation-service/src/policy_engine/mod.rs b/attestation-service/src/policy_engine/mod.rs index 6a9e78875c..1ecad5ec74 100644 --- a/attestation-service/src/policy_engine/mod.rs +++ b/attestation-service/src/policy_engine/mod.rs @@ -35,6 +35,8 @@ pub enum PolicyError { Base64DecodeFailed(#[from] base64::DecodeError), #[error("Illegal policy id. Only support alphabet, numeric, `-` or `_`")] InvalidPolicyId, + #[error("Illegal policy: {0}")] + InvalidPolicy(#[source] anyhow::Error), #[error("Failed to load reference data: {0}")] LoadReferenceDataFailed(#[source] anyhow::Error), #[error("Failed to set input data: {0}")] diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs index 398293bddc..dff1f93b56 100644 --- a/attestation-service/src/policy_engine/opa/mod.rs +++ b/attestation-service/src/policy_engine/opa/mod.rs @@ -122,6 +122,16 @@ impl PolicyEngine for OPA { return Err(PolicyError::InvalidPolicyId); } + // Check if the policy is valid + { + let policy_content = String::from_utf8(policy_bytes.clone()) + .map_err(|e| PolicyError::InvalidPolicy(e.into()))?; + let mut engine = regorus::Engine::new(); + engine + .add_policy(policy_id.clone(), policy_content) + .map_err(PolicyError::InvalidPolicy)?; + } + let mut policy_file_path = PathBuf::from( &self .policy_dir_path diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs index 3012d19bf8..2dce3b6886 100644 --- a/deps/verifier/src/snp/mod.rs +++ b/deps/verifier/src/snp/mod.rs @@ -37,7 +37,7 @@ const LOADER_SPL_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .3704 .1 .3 .1); const KDS_CERT_SITE: &str = "https://kdsintf.amd.com"; const KDS_VCEK: &str = "/vcek/v1"; -/// Attestation report versions supported +/// Attestation report versions supported const REPORT_VERSION_MIN: u32 = 2; const REPORT_VERSION_MAX: u32 = 3; 
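Review bot: The comment `// Check if the policy is valid` in the `set_policy` hunk of attestation-service/src/policy_engine/opa/mod.rs promises more than the block does. The block establishes only that the bytes are UTF-8 and that a fresh `regorus::Engine` accepts them in `add_policy`; nothing in the hunk checks that the policy defines the rules `evaluate` will later query. A more accurate comment would be `// Reject policies that are not UTF-8 or that regorus cannot load; rule names are not checked here`, and the same wording fits the matching block in kbs/src/policy_engine/opa/mod.rs. This commit adds a rejection test only on the KBS side, so a case asserting `PolicyError::InvalidPolicy` for the attestation service would close the gap. `set_policy` starts and ends outside the hunk.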
@@ -110,7 +110,9 @@ impl Verifier for Snp { // See Trustee Issue#589 https://github.com/confidential-containers/trustee/issues/589 if report.version < REPORT_VERSION_MIN || report.version > REPORT_VERSION_MAX { - return Err(anyhow!("Unexpected attestation report version. Check SNP Firmware ABI specification")); + return Err(anyhow!( + "Unexpected attestation report version. Check SNP Firmware ABI specification" + )); } if report.vmpl != 0 { diff --git a/kbs/src/policy_engine/error.rs b/kbs/src/policy_engine/error.rs index 0970b4b5ea..d948e1b46c 100644 --- a/kbs/src/policy_engine/error.rs +++ b/kbs/src/policy_engine/error.rs @@ -33,4 +33,7 @@ pub enum KbsPolicyEngineError { #[error("Set Policy request is illegal for {0}")] IllegalSetPolicyRequest(&'static str), + + #[error("Failed to set policy, illegal policy: {0}")] + InvalidPolicy(#[source] anyhow::Error), } diff --git a/kbs/src/policy_engine/opa/mod.rs b/kbs/src/policy_engine/opa/mod.rs index 361785bf4f..3961f639e8 100644 --- a/kbs/src/policy_engine/opa/mod.rs +++ b/kbs/src/policy_engine/opa/mod.rs @@ -61,6 +61,16 @@ impl PolicyEngineInterface for Opa { async fn set_policy(&mut self, policy: &str) -> Result<(), KbsPolicyEngineError> { let policy_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(policy)?; + // Check if the policy is valid + { + let policy_content = String::from_utf8(policy_bytes.clone()) + .map_err(|e| KbsPolicyEngineError::InvalidPolicy(e.into()))?; + let mut engine = regorus::Engine::new(); + engine + .add_policy(String::from("default"), policy_content) + .map_err(KbsPolicyEngineError::InvalidPolicy)?; + } + tokio::fs::write(&self.policy_path, policy_bytes).await?; Ok(()) @@ -153,6 +163,13 @@ mod tests { res.err().unwrap(), KbsPolicyEngineError::IOError(_) )); + + // Illegal policy + let res = set_policy_from_file(&mut opa, "test/data/policy_invalid_1.rego").await; + assert!(matches!( + res.err().unwrap(), + KbsPolicyEngineError::InvalidPolicy(_) + )); } #[rstest] 
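Review bot: The new `// Illegal policy` case in the tests hunk of kbs/src/policy_engine/opa/mod.rs asserts only the error variant. The check this commit adds to `set_policy` runs before `tokio::fs::write(&self.policy_path, policy_bytes)`, so the property worth pinning is that a rejected policy leaves the stored policy file unchanged. Reading the policy file before and after the failing call and comparing the two would cover that. The test function starts and ends outside the hunk, so how `opa` and its policy path are set up is not visible here.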
@@ -167,13 +184,6 @@ mod tests { 1, Err(KbsPolicyEngineError::ResourcePathError) )] - #[case( - "test/data/policy_invalid_1.rego", - "my_repo/Alice/key", - "Alice", - 1, - Err(KbsPolicyEngineError::PolicyLoadError) - )] #[case( "test/data/policy_invalid_2.rego", "my_repo/Alice/key", From 1d5a9217f7790f7634ffb86d9fdf3d3c6c2ade1e Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 10 Dec 2024 14:51:33 -0600 Subject: [PATCH 214/298] ear: remove productId from default policy The sample attester does not report a fake productId field, but we have used productId in our tests since before EAR. The EAR policy erroneously expects the evidence to contain a productId, this leads to generating contra-indicated tokens for EAR. Remove this field and update the tests. Signed-off-by: Tobin Feldman-Fitzthum --- .../src/policy_engine/opa/mod.rs | 20 ++++++++----------- .../src/token/ear_default_policy.rego | 4 ---- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs index dff1f93b56..04bd28cd7c 100644 --- a/attestation-service/src/policy_engine/opa/mod.rs +++ b/attestation-service/src/policy_engine/opa/mod.rs @@ -208,10 +208,9 @@ mod tests { "sourced_data", ]; - fn dummy_reference(product_id: u64, svn: u64, launch_digest: String) -> String { + fn dummy_reference(svn: u64, launch_digest: String) -> String { json!({ "reference": { - "productId": [product_id.to_string()], "svn": [svn.to_string()], "launch_digest": [launch_digest] } @@ -219,10 +218,9 @@ mod tests { .to_string() } - fn dummy_input(product_id: u64, svn: u64, launch_digest: String) -> String { + fn dummy_input(svn: u64, launch_digest: String) -> String { json!({ "sample": { - "productId": product_id.to_string(), "svn": svn.to_string(), "launch_digest": launch_digest } 
@@ -231,14 +229,12 @@ mod tests { } #[rstest] - #[case(5,5,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,2)] - #[case(5,4,1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,97)] - #[case(5,5,1,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,2)] - #[case(5,5,2,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,97)] + #[case(1,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,2)] + #[case(2,1,"aac43bb3".to_string(),"aac43bb3".to_string(),3,97)] + #[case(1,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,2)] + #[case(2,1,"aac43bb4".to_string(),"aac43bb3".to_string(),33,97)] #[tokio::test] async fn test_evaluate( - #[case] pid_a: u64, - #[case] pid_b: u64, #[case] svn_a: u64, #[case] svn_b: u64, #[case] digest_a: String, @@ -253,8 +249,8 @@ mod tests { let output = opa .evaluate( - &dummy_reference(pid_a, svn_a, digest_a), - &dummy_input(pid_b, svn_b, digest_b), + &dummy_reference(svn_a, digest_a), + &dummy_input(svn_b, digest_b), &default_policy_id, &EAR_RULES, ) diff --git a/attestation-service/src/token/ear_default_policy.rego b/attestation-service/src/token/ear_default_policy.rego index 3353cebd5f..c035ef0a56 100644 --- a/attestation-service/src/token/ear_default_policy.rego +++ b/attestation-service/src/token/ear_default_policy.rego @@ -78,10 +78,6 @@ sample_executables := 3 if { # verifications needed to demonstrate that these are genuine/ # supported. sample_hardware := 2 if { - # The sample attester does not report any productId. - # This is an exmple of how a real platform might identify the hardware - # that is running. - input.sample.productId in data.reference.productId input.sample.svn in data.reference.svn } From d14ffb69e90bb996a6a87e571212ace26e13c9ea Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Dec 2024 02:03:43 +0000 Subject: [PATCH 215/298] build(deps): bump pathdiff from 0.2.2 to 0.2.3 Bumps [pathdiff](https://github.com/Manishearth/pathdiff) from 0.2.2 to 0.2.3. - [Commits](https://github.com/Manishearth/pathdiff/commits) --- updated-dependencies: - dependency-name: pathdiff dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 209863b17c..bad040edbc 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3552,9 +3552,9 @@ checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef" [[package]] name = "pathdiff" -version = "0.2.2" +version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d61c5ce1153ab5b689d0c074c4e7fc613e942dfb7dd9eea5ab202d2ad91fe361" +checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3" [[package]] name = "peeking_take_while" From adf8c3d016635da8af1d78836100ebfbc4fb5136 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Dec 2024 01:32:59 +0000 Subject: [PATCH 216/298] build(deps): bump serde from 1.0.215 to 1.0.216 Bumps [serde](https://github.com/serde-rs/serde) from 1.0.215 to 1.0.216. - [Release notes](https://github.com/serde-rs/serde/releases) - [Commits](https://github.com/serde-rs/serde/compare/v1.0.215...v1.0.216) --- updated-dependencies: - dependency-name: serde dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bad040edbc..51ebd7e71f 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -4700,9 +4700,9 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" [[package]] name = "serde" -version = "1.0.215" +version = "1.0.216" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6513c1ad0b11a9376da888e3e0baa0077f1aed55c17f50e7b2397136129fb88f" +checksum = "0b9781016e935a97e8beecf0c933758c97a5520d32930e460142b4cd80c6338e" dependencies = [ "serde_derive", ] @@ -4727,9 +4727,9 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.215" +version = "1.0.216" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad1e866f866923f252f05c889987993144fb74e722403468a4ebd70c3cd756c0" +checksum = "46f859dbbf73865c6627ed570e78961cd3ac92407a2d117204c49232485da55e" dependencies = [ "proc-macro2", "quote", From 45991808fae642d8ee692e482720c290bbb5bca7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Dec 2024 01:20:38 +0000 Subject: [PATCH 217/298] build(deps): bump thiserror from 1.0.69 to 2.0.3 Bumps [thiserror](https://github.com/dtolnay/thiserror) from 1.0.69 to 2.0.3. - [Release notes](https://github.com/dtolnay/thiserror/releases) - [Commits](https://github.com/dtolnay/thiserror/compare/1.0.69...2.0.3) --- updated-dependencies: - dependency-name: thiserror dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- Cargo.lock | 6 +++--- Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 51ebd7e71f..41d2eaa464 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -557,7 +557,7 @@ dependencies = [ "strum 0.25.0", "tempfile", "testing_logger", - "thiserror 1.0.69", + "thiserror 2.0.3", "time", "tokio", "tonic", @@ -2859,7 +2859,7 @@ dependencies = [ "serde_json", "strum 0.25.0", "tempfile", - "thiserror 1.0.69", + "thiserror 2.0.3", "time", "tokio", "tonic", 
@@ -5910,7 +5910,7 @@ dependencies = [ "sha2", "shadow-rs", "strum 0.25.0", - "thiserror 1.0.69", + "thiserror 2.0.3", "tokio", "tonic-build", "veraison-apiclient", diff --git a/Cargo.toml b/Cargo.toml index b87b1d18b4..04dd7d9ad8 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -55,7 +55,7 @@ serial_test = "0.9.0" sha2 = "0.10" shadow-rs = "0.19.0" strum = { version = "0.25", features = ["derive"] } -thiserror = "1.0" +thiserror = "2.0" tokio = { version = "1", features = ["full"], default-features = false } tempfile = "3.14.0" tonic = "0.12" From f9d7010525203b92ae3cc7ba0ef3f2d4db5233a1 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Thu, 12 Dec 2024 15:17:04 -0600 Subject: [PATCH 218/298] token: avoid hard-coding ear claim names Instead of hard-coding the names of the EAR claims, get them from the EAR crate. Also change the policy engine to take Vec rather than &[&str] to make dynamic configuration easier. Signed-off-by: Tobin Feldman-Fitzthum --- attestation-service/src/policy_engine/mod.rs | 2 +- .../src/policy_engine/opa/mod.rs | 21 ++++++---------- attestation-service/src/token/ear_broker.rs | 25 ++++++------------- attestation-service/src/token/simple.rs | 6 ++--- 4 files changed, 19 insertions(+), 35 deletions(-) diff --git a/attestation-service/src/policy_engine/mod.rs b/attestation-service/src/policy_engine/mod.rs index 1ecad5ec74..e494c441c3 100644 --- a/attestation-service/src/policy_engine/mod.rs +++ b/attestation-service/src/policy_engine/mod.rs @@ -97,7 +97,7 @@ pub trait PolicyEngine: Send + Sync { data: &str, input: &str, policy_id: &str, - evaluation_rules: &[&str], + evaluation_rules: Vec, ) -> Result; async fn set_policy(&self, policy_id: String, policy: String) -> Result<(), PolicyError>; diff --git a/attestation-service/src/policy_engine/opa/mod.rs b/attestation-service/src/policy_engine/opa/mod.rs index 04bd28cd7c..149b5a290b 100644 --- a/attestation-service/src/policy_engine/opa/mod.rs 
+++ b/attestation-service/src/policy_engine/opa/mod.rs @@ -55,7 +55,7 @@ impl PolicyEngine for OPA { data: &str, input: &str, policy_id: &str, - evaluation_rules: &[&str], + evaluation_rules: Vec, ) -> Result { let policy_dir_path = self .policy_dir_path @@ -192,22 +192,12 @@ impl PolicyEngine for OPA { #[cfg(test)] mod tests { + use ear::TrustVector; use rstest::rstest; use serde_json::json; use super::*; - const EAR_RULES: [&str; 8] = [ - "instance_identity", - "configuration", - "executables", - "file_system", - "hardware", - "runtime_opaque", - "storage_opaque", - "sourced_data", - ]; - fn dummy_reference(svn: u64, launch_digest: String) -> String { json!({ "reference": { @@ -247,12 +237,17 @@ mod tests { }; let default_policy_id = "ear_default_policy".to_string(); + let ear_rules = TrustVector::new() + .into_iter() + .map(|c| c.tag().to_string()) + .collect(); + let output = opa .evaluate( &dummy_reference(svn_a, digest_a), &dummy_input(svn_b, digest_b), &default_policy_id, - &EAR_RULES, + ear_rules, ) .await .unwrap(); diff --git a/attestation-service/src/token/ear_broker.rs b/attestation-service/src/token/ear_broker.rs index c7717a88ac..cf3d6e511c 100644 --- a/attestation-service/src/token/ear_broker.rs +++ b/attestation-service/src/token/ear_broker.rs @@ -8,7 +8,8 @@ use anyhow::*; use base64::engine::general_purpose::URL_SAFE_NO_PAD; use base64::Engine; use ear::{ - Algorithm, Appraisal, Ear, ExtensionKind, ExtensionValue, Extensions, RawValue, VerifierID, + Algorithm, Appraisal, Ear, ExtensionKind, ExtensionValue, Extensions, RawValue, TrustVector, + VerifierID, }; use jsonwebtoken::jwk; use kbs_types::Tee; 
@@ -39,17 +40,6 @@ pub const DEFAULT_DEVELOPER_NAME: &str = "https://confidentialcontainers.org"; const DEFAULT_POLICY_DIR: &str = concatcp!(DEFAULT_TOKEN_WORK_DIR, "/ear/policies"); -const RULES: [&str; 8] = [ - "instance_identity", - "configuration", - "executables", - "file_system", - "hardware", - "runtime_opaque", - "storage_opaque", - "sourced_data", -]; - #[derive(Deserialize, Debug, Clone, PartialEq)] pub struct TokenSignerConfig { pub key_path: String, @@ -244,14 +234,13 @@ impl AttestationTokenBroker for EarAttestationTokenBroker { bail!("No policy is given for EAR token generation."); } + let rules = TrustVector::new() + .into_iter() + .map(|c| c.tag().to_string()) + .collect(); let policy_results = self .policy_engine - .evaluate( - &reference_data, - &tcb_claims_json, - &policy_ids[0], - &RULES[..], - ) + .evaluate(&reference_data, &tcb_claims_json, &policy_ids[0], rules) .await?; let mut appraisal = Appraisal::new(); diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs index a837269a3a..c120e8bc3b 100644 --- a/attestation-service/src/token/simple.rs +++ b/attestation-service/src/token/simple.rs @@ -40,8 +40,6 @@ const SIMPLE_TOKEN_ALG: &str = "RS384"; const DEFAULT_POLICY_DIR: &str = concatcp!(DEFAULT_TOKEN_WORK_DIR, "/simple/policies"); -const RULES: &str = "allow"; - #[derive(Deserialize, Debug, Clone, PartialEq)] pub struct TokenSignerConfig { pub key_path: String, @@ -221,11 +219,13 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker { let reference_data = serde_json::to_string(&reference_data)?; let tcb_claims = serde_json::to_string(&flattened_claims)?; + let rules = vec!["allow".to_string()]; + let mut policies = HashMap::new(); for policy_id in policy_ids { let policy_results = self .policy_engine - .evaluate(&reference_data, &tcb_claims, &policy_id, &[RULES]) + .evaluate(&reference_data, &tcb_claims, &policy_id, rules.clone()) .await?; // TODO add policy allowlist 
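Review bot: `rules.clone()` inside the `for policy_id in policy_ids` loop in attestation-service/src/token/simple.rs copies the rule list once per policy, a cost that exists only because `PolicyEngine::evaluate` now takes `evaluation_rules` by value. If the engine only reads the names, a borrowed slice keeps the dynamic configuration the commit is after without the per-call copy: declare the parameter as `evaluation_rules: &[String]` and pass `&rules` here. That change also touches the trait hunk in policy_engine/mod.rs and the `evaluate` hunk in policy_engine/opa/mod.rs. The body of `evaluate` lies outside the hunks, so whether it needs ownership cannot be confirmed from this page.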
From 81065a5a7134ed05173c7d65c93ad7c58126af24 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 13 Dec 2024 15:34:21 +0200 Subject: [PATCH 219/298] cluster: use latest staged images ad991b7 disabled image pull because that pointed to release images and often times they had conflicts with local files in the repository. As we now have staged images published on merge, we can try pulling images without forcing local builds (or local .yml editing). Also, Compose warns about 'version' being obsolete so drop that too, while we're at it. Signed-off-by: Mikko Ylinen --- docker-compose.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 75b493ca73..7d72c7f7ab 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,10 +1,9 @@ -version: '3.2' services: kbs: build: context: . dockerfile: kbs/docker/coco-as-grpc/Dockerfile - #image: ghcr.io/confidential-containers/key-broker-service:latest + image: ghcr.io/confidential-containers/staged-images/kbs-grpc-as:latest command: [ "/usr/local/bin/kbs", "--config-file", @@ -24,7 +23,7 @@ services: build: context: . dockerfile: attestation-service/docker/as-grpc/Dockerfile - #image: ghcr.io/confidential-containers/attestation-service:latest + image: ghcr.io/confidential-containers/staged-images/coco-as-grpc:latest ports: - "50004:50004" restart: always @@ -43,10 +42,10 @@ services: - rvps rvps: - #image: ghcr.io/confidential-containers/reference-value-provider-service:latest build: context: . dockerfile: rvps/docker/Dockerfile + image: ghcr.io/confidential-containers/staged-images/rvps:latest restart: always # keep the server running ports: - "50003:50003" From 281ee6f14ee7fa688cbc7b17d6d3843ae7704d27 Mon Sep 17 00:00:00 2001 
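Review bot: All three `image:` entries added in docker-compose.yml point at the mutable `latest` tag under `staged-images`, which the commit message says is published on merge. A checkout of an older revision will therefore pull whatever was staged most recently, so the KBS, attestation service and RVPS containers that run are not tied to the source in the working tree. Consider pinning each entry to an immutable reference, for example `image: ghcr.io/confidential-containers/staged-images/kbs-grpc-as@sha256:<DIGEST_PLACEHOLDER>`. At minimum, add a comment above each `image:` line such as `# latest tracks the main branch; run docker compose build to test local changes`.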
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Dec 2024 01:08:30 +0000 Subject: [PATCH 220/298] build(deps): bump libc from 0.2.167 to 0.2.168 Bumps [libc](https://github.com/rust-lang/libc) from 0.2.167 to 0.2.168. - [Release notes](https://github.com/rust-lang/libc/releases) - [Changelog](https://github.com/rust-lang/libc/blob/0.2.168/CHANGELOG.md) - [Commits](https://github.com/rust-lang/libc/compare/0.2.167...0.2.168) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 41d2eaa464..854b48d5b3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2974,9 +2974,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.167" +version = "0.2.168" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09d6582e104315a817dff97f75133544b2e094ee22447d2acf4a74e189ba06fc" +checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d" [[package]] name = "libgit2-sys" From 93ca13f94ba05a2ec5399e37b8782819e5763f55 Mon Sep 17 00:00:00 2001 From: Pawel Proskurnicki Date: Mon, 16 Dec 2024 11:26:08 +0100 Subject: [PATCH 221/298] token: allow KBS to verify Azure VTPM token Added new entry in default extra tee token paths for Azure VTPM ITA Signed-off-by: Pawel Proskurnicki --- kbs/src/token/mod.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index 5146e1b5f6..f0735027d8 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs 
@@ -13,6 +13,7 @@ pub(crate) mod jwk; pub use error::*; pub const TOKEN_TEE_PUBKEY_PATH_ITA: &str = "/attester_runtime_data/tee-pubkey"; +pub const TOKEN_TEE_PUBKEY_PATH_ITA_VTPM: &str = "/attester_user_data/tee-pubkey"; pub const TOKEN_TEE_PUBKEY_PATH_COCO: &str = "/customized_claims/runtime_data/tee-pubkey"; pub const TOKEN_TEE_PUBKEY_PATH_EAR: &str = "/submods/cpu/ear.veraison.annotated-evidence/runtime_data_claims/tee-pubkey"; @@ -77,6 +78,7 @@ impl TokenVerifier { let mut extra_teekey_paths = config.extra_teekey_paths; extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_ITA.into()); + extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_ITA_VTPM.into()); extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_COCO.into()); extra_teekey_paths.push(TOKEN_TEE_PUBKEY_PATH_EAR.into()); From d0e2b5c0587543b134d91509798057c1626a0121 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 13 Dec 2024 11:11:09 +0200 Subject: [PATCH 222/298] attestation-service: implement *_policy() methods for EAR token broker without the changes, kbs-client "set-attestation-policy" gets "not supported" errors. the changes are taken from 'simple' token broker. Both token brokers have a policy_engine instance created. Signed-off-by: Mikko Ylinen --- attestation-service/src/token/ear_broker.rs | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/attestation-service/src/token/ear_broker.rs b/attestation-service/src/token/ear_broker.rs index cf3d6e511c..6ed2ceb8b4 100644 --- a/attestation-service/src/token/ear_broker.rs +++ b/attestation-service/src/token/ear_broker.rs 
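Review bot: `TOKEN_TEE_PUBKEY_PATH_ITA_VTPM` is pushed onto `extra_teekey_paths` unconditionally in the `impl TokenVerifier` hunk of kbs/src/token/mod.rs. Any accepted token that carries `/attester_user_data/tee-pubkey` can therefore supply the TEE public key, not only the Azure vTPM tokens named in the commit message. The constant also has no comment saying which token type uses the claim; a doc comment such as `/// Intel Trust Authority token for Azure vTPM: TEE public key under attester_user_data` would record that. How the paths are searched and which issuers are trusted is decided outside these hunks, so whether the wider lookup matters depends on code not shown here.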
@@ -299,6 +299,27 @@ impl AttestationTokenBroker for EarAttestationTokenBroker { Ok(signed_ear) } + + async fn set_policy(&self, policy_id: String, policy: String) -> Result<()> { + self.policy_engine + .set_policy(policy_id, policy) + .await + .map_err(Error::from) + } + + async fn list_policies(&self) -> Result> { + self.policy_engine + .list_policies() + .await + .map_err(Error::from) + } + + async fn get_policy(&self, policy_id: String) -> Result { + self.policy_engine + .get_policy(policy_id) + .await + .map_err(Error::from) + } } impl EarAttestationTokenBroker { From 322dc16dc8dbbeb911c80d60c58aa9d1d798a716 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Dec 2024 01:44:16 +0000 Subject: [PATCH 223/298] build(deps): bump strum from 0.25.0 to 0.26.3 Bumps [strum](https://github.com/Peternator7/strum) from 0.25.0 to 0.26.3. - [Release notes](https://github.com/Peternator7/strum/releases) - [Changelog](https://github.com/Peternator7/strum/blob/master/CHANGELOG.md) - [Commits](https://github.com/Peternator7/strum/commits/v0.26.3) --- updated-dependencies: - dependency-name: strum dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 52 ++++++++++++---------------------------------------- Cargo.toml | 2 +- 2 files changed, 13 insertions(+), 41 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 854b48d5b3..bd4d0c5904 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -515,7 +515,7 @@ dependencies = [ "serde", "serde_json", "sha2", - "strum 0.26.3", + "strum", "tempfile", "thiserror 2.0.3", "tokio", @@ -554,7 +554,7 @@ dependencies = [ "serial_test", "sha2", "shadow-rs", - "strum 0.25.0", + "strum", "tempfile", "testing_logger", "thiserror 2.0.3", @@ -591,7 +591,7 @@ dependencies = [ "serde_with", "sev 3.2.0", "sha2", - "strum 0.26.3", + "strum", "tdx-attest-rs", "tempfile", "thiserror 2.0.3", 
@@ -1114,7 +1114,7 @@ version = "4.5.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4ac6a0c7b1a9e9a5186361f67dfa1b88213572f427fb9ab038efb2bd8c582dab" dependencies = [ - "heck 0.5.0", + "heck", "proc-macro2", "quote", "syn 2.0.87", @@ -1333,7 +1333,7 @@ dependencies = [ "serde", "serde_json", "sha2", - "strum 0.26.3", + "strum", "zeroize", ] @@ -2131,12 +2131,6 @@ version = "0.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3" -[[package]] -name = "heck" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" - [[package]] name = "heck" version = "0.5.0" @@ -2857,7 +2851,7 @@ dependencies = [ "semver", "serde", "serde_json", - "strum 0.25.0", + "strum", "tempfile", "thiserror 2.0.3", "time", @@ -2941,7 +2935,7 @@ dependencies = [ "serde", "serde_json", "sha2", - "strum 0.26.3", + "strum", "thiserror 2.0.3", "tokio", "toml 0.8.19", @@ -3891,7 +3885,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c1318b19085f08681016926435853bbf7858f9c082d0999b80550ff5d9abe15" dependencies = [ "bytes", - "heck 0.5.0", + "heck", "itertools", "log", "multimap", @@ -4104,7 +4098,7 @@ dependencies = [ "sha2", "shadow-rs", "sled", - "strum 0.25.0", + "strum", "tempfile", "tokio", "tonic", 
@@ -5058,35 +5052,13 @@ version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" -[[package]] -name = "strum" -version = "0.25.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" -dependencies = [ - "strum_macros 0.25.3", -] - [[package]] name = "strum" version = "0.26.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06" dependencies = [ - "strum_macros 0.26.4", -] - -[[package]] -name = "strum_macros" -version = "0.25.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0" -dependencies = [ - "heck 0.4.1", - "proc-macro2", - "quote", - "rustversion", - "syn 2.0.87", + "strum_macros", ] [[package]] @@ -5095,7 +5067,7 @@ version = "0.26.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be" dependencies = [ - "heck 0.5.0", + "heck", "proc-macro2", "quote", "rustversion", @@ -5909,7 +5881,7 @@ dependencies = [ "sev 4.0.0", "sha2", "shadow-rs", - "strum 0.25.0", + "strum", "thiserror 2.0.3", "tokio", "tonic-build", diff --git a/Cargo.toml b/Cargo.toml index 04dd7d9ad8..9c5db45fc1 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -54,7 +54,7 @@ serde_with = { version = "1.11.0", features = ["base64", "hex"] } serial_test = "0.9.0" sha2 = "0.10" shadow-rs = "0.19.0" -strum = { version = "0.25", features = ["derive"] } +strum = { version = "0.26", features = ["derive"] } thiserror = "2.0" tokio = { version = "1", features = ["full"], default-features = false } tempfile = "3.14.0" From 45b51ed93934724480e53ce9259fea36c35ea8f1 Mon Sep 17 00:00:00 2001 
From: Tobin Feldman-Fitzthum Date: Fri, 13 Dec 2024 15:48:24 -0600 Subject: [PATCH 224/298] rvps: rework rvps configuration Update the configuration for RVPS store (and rename it to storage). Previously we were using a type field and an opaque json config field. Combine them into one enum that contains a config struct following the format that we have started to use elsewhere in Trustee. Also, change the configuration of the RVPS server binary. Previously the RVPS server had a separate config file that duplicated the options in the main config but added one additional parameter to set the address of the server. Instead, take the address of the server as a CLI argument and use the same config struct as the rest of the crate. Signed-off-by: Tobin Feldman-Fitzthum --- rvps/src/bin/rvps.rs | 17 +++-- rvps/src/bin/server/config.rs | 43 ------------ rvps/src/bin/server/mod.rs | 2 - rvps/src/config.rs | 34 ++++------ rvps/src/lib.rs | 4 +- rvps/src/native.rs | 18 ++--- .../src/{store => storage}/local_fs/README.md | 0 rvps/src/{store => storage}/local_fs/mod.rs | 65 +++++++++---------- rvps/src/{store => storage}/local_json/mod.rs | 23 ++++--- rvps/src/{store => storage}/mod.rs | 36 +++++----- 10 files changed, 101 insertions(+), 141 deletions(-) delete mode 100644 rvps/src/bin/server/config.rs rename rvps/src/{store => storage}/local_fs/README.md (100%) rename rvps/src/{store => storage}/local_fs/mod.rs (80%) rename rvps/src/{store => storage}/local_json/mod.rs (86%) rename rvps/src/{store => storage}/mod.rs (50%) diff --git a/rvps/src/bin/rvps.rs b/rvps/src/bin/rvps.rs index 819db98b4f..b701193f39 100644 --- a/rvps/src/bin/rvps.rs +++ b/rvps/src/bin/rvps.rs 
@@ -1,18 +1,20 @@ use anyhow::{Context, Result}; use clap::Parser; use log::{info, warn}; -use server::config::Config; use shadow_rs::shadow; pub mod rvps_api { tonic::include_proto!("reference"); } +use reference_value_provider_service::config::Config; + shadow!(build); mod server; const DEFAULT_CONFIG_PATH: &str = "/etc/rvps.json"; +const DEFAULT_ADDRESS: &str = "127.0.0.1:50003"; /// RVPS command-line arguments. #[derive(Debug, Parser)] @@ -23,6 +25,13 @@ pub struct Cli { /// `--config /etc/rvps.toml` #[arg(short = 'c', long, default_value = DEFAULT_CONFIG_PATH)] pub config: String, + + /// The address that the RVPS server will listen on. + /// The default is 127.0.0.1:50003 + /// + /// `--address 127.0.0.1:55554` + #[arg(short = 'a', long, default_value = DEFAULT_ADDRESS)] + pub address: String, } #[tokio::main] @@ -47,9 +56,9 @@ async fn main() -> Result<()> { Config::default() }); - info!("Listen socket: {}", config.address); + info!("Listen socket: {}", &cli.address); - let socket = config.address.parse().context("parse socket addr failed")?; + let socket = cli.address.parse().context("parse socket addr failed")?; - server::start(socket, config.into()).await + server::start(socket, config).await } diff --git a/rvps/src/bin/server/config.rs b/rvps/src/bin/server/config.rs deleted file mode 100644 index 303853171a..0000000000 --- a/rvps/src/bin/server/config.rs +++ /dev/null 
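Review bot: `address` in `Cli` is a `String` that is only parsed in `main`, after the config file has been read and the `Listen socket` line logged, so a malformed `--address` is reported late under the generic `parse socket addr failed` context. Declaring the field as `pub address: std::net::SocketAddr` lets clap reject a bad value during argument parsing and makes the `cli.address.parse()` call unnecessary; the loopback default can stay as it is. Separately, the doc comment on `config` shows `--config /etc/rvps.toml` while `DEFAULT_CONFIG_PATH` is `/etc/rvps.json`. `main` starts outside the last hunk.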
@@ -1,43 +0,0 @@ -use anyhow::{Context, Result}; -use reference_value_provider_service::{config::DEFAULT_STORAGE_TYPE, Config as CrateConfig}; -use serde::Deserialize; -use serde_json::{json, Value}; - -const DEFAULT_ADDR: &str = "127.0.0.1:50003"; - -#[derive(Deserialize, Clone, Debug)] -pub struct Config { - pub address: String, - pub store_type: String, - pub store_config: Value, -} - -impl From for CrateConfig { - fn from(val: Config) -> CrateConfig { - CrateConfig { - store_type: val.store_type, - store_config: val.store_config, - } - } -} - -impl Default for Config { - fn default() -> Self { - Self { - store_type: DEFAULT_STORAGE_TYPE.to_string(), - store_config: json!({}), - address: DEFAULT_ADDR.to_string(), - } - } -} - -impl Config { - pub fn from_file(config_path: &str) -> Result { - let c = config::Config::builder() - .add_source(config::File::with_name(config_path)) - .build()?; - - let res = c.try_deserialize().context("invalid config")?; - Ok(res) - } -} diff --git a/rvps/src/bin/server/mod.rs b/rvps/src/bin/server/mod.rs index 94473876e4..3afd341666 100644 --- a/rvps/src/bin/server/mod.rs +++ b/rvps/src/bin/server/mod.rs @@ -15,8 +15,6 @@ use crate::rvps_api::{ ReferenceValueRegisterResponse, }; -pub mod config; - pub struct RVPSServer { rvps: Arc>, } diff --git a/rvps/src/config.rs b/rvps/src/config.rs index 98bf34f581..2555ff33ca 100644 --- a/rvps/src/config.rs +++ b/rvps/src/config.rs 
@@ -2,34 +2,24 @@ // // SPDX-License-Identifier: Apache-2.0 // - +use anyhow::{Context, Result}; use serde::Deserialize; -use serde_json::{json, Value}; -pub const DEFAULT_STORAGE_TYPE: &str = "LocalFs"; +use crate::storage::ReferenceValueStorageConfig; -#[derive(Deserialize, Clone, Debug, PartialEq)] +#[derive(Deserialize, Clone, Debug, PartialEq, Default)] pub struct Config { - #[serde(default = "default_store_type")] - pub store_type: String, - - #[serde(default = "default_store_config")] - pub store_config: Value, + #[serde(default)] + pub storage: ReferenceValueStorageConfig, } -fn default_store_type() -> String { - DEFAULT_STORAGE_TYPE.to_string() -} - -fn default_store_config() -> Value { - json!({}) -} +impl Config { + pub fn from_file(config_path: &str) -> Result { + let c = config::Config::builder() + .add_source(config::File::with_name(config_path)) + .build()?; -impl Default for Config { - fn default() -> Self { - Self { - store_type: default_store_type(), - store_config: json!({}), - } + let res = c.try_deserialize().context("invalid config")?; + Ok(res) } } diff --git a/rvps/src/lib.rs b/rvps/src/lib.rs index d12667b048..80f13a52b9 100644 --- a/rvps/src/lib.rs +++ b/rvps/src/lib.rs @@ -7,7 +7,7 @@ pub mod config; pub mod extractors; pub mod pre_processor; pub mod reference_value; -pub mod store; +pub mod storage; pub use config::Config; @@ -17,7 +17,7 @@ pub use native::Core; use serde::{Deserialize, Serialize}; pub use reference_value::{ReferenceValue, TrustedDigest}; -pub use store::Store; +pub use storage::ReferenceValueStorage; /// Default version of Message static MESSAGE_VERSION: &str = "0.1.0"; diff --git a/rvps/src/native.rs b/rvps/src/native.rs index 30298e64d3..391809931f 100644 --- a/rvps/src/native.rs +++ b/rvps/src/native.rs 
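Review bot: `Config` in rvps/src/config.rs accepts unknown keys, and because `storage` is `#[serde(default)]`, a file still written in the old format (`store_type`, `store_config`, or the removed `address`) deserializes without error and yields the default `LocalFs` storage. The service would then use a reference-value store other than the one the operator configured, without any message. Adding `#[serde(deny_unknown_fields)]` above `pub struct Config` makes such a file fail to deserialize; the same applies to the `Config` structs in storage/local_fs and storage/local_json. It is worth confirming that the attribute behaves as intended where these structs sit inside the internally tagged enums.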
@@ -7,35 +7,31 @@ use anyhow::{bail, Context, Result}; use log::{info, warn}; use std::collections::HashMap; -use crate::{store::StoreType, Config}; - use super::{ + config::Config, extractors::{Extractors, ExtractorsImpl}, pre_processor::{PreProcessor, PreProcessorAPI}, - Message, Store, MESSAGE_VERSION, + Message, ReferenceValueStorage, MESSAGE_VERSION, }; /// The core of the RVPS, s.t. componants except communication componants. pub struct Core { pre_processor: PreProcessor, extractors: ExtractorsImpl, - store: Box, + storage: Box, } impl Core { /// Instantiate a new RVPS Core pub fn new(config: Config) -> Result { let pre_processor = PreProcessor::default(); - let extractors = ExtractorsImpl::default(); - - let store_type = StoreType::try_from(&config.store_type[..])?; - let store = store_type.to_store(config.store_config)?; + let storage = config.storage.to_storage()?; Ok(Core { pre_processor, extractors, - store, + storage, }) } @@ -61,7 +57,7 @@ impl Core { let rv = self.extractors.process(message)?; for v in rv.iter() { - let old = self.store.set(v.name().to_string(), v.clone()).await?; + let old = self.storage.set(v.name().to_string(), v.clone()).await?; if let Some(old) = old { info!("Old Reference value of {} is replaced.", old.name()); } @@ -72,7 +68,7 @@ impl Core { pub async fn get_digests(&self) -> Result>> { let mut rv_map = HashMap::new(); - let reference_values = self.store.get_values().await?; + let reference_values = self.storage.get_values().await?; for rv in reference_values { if rv.expired() { diff --git a/rvps/src/store/local_fs/README.md b/rvps/src/storage/local_fs/README.md similarity index 100% rename from rvps/src/store/local_fs/README.md rename to rvps/src/storage/local_fs/README.md diff --git a/rvps/src/store/local_fs/mod.rs b/rvps/src/storage/local_fs/mod.rs similarity index 80% rename from rvps/src/store/local_fs/mod.rs rename to rvps/src/storage/local_fs/mod.rs index 19130c67be..d801dad3fe 100644 --- a/rvps/src/store/local_fs/mod.rs 
+++ b/rvps/src/storage/local_fs/mod.rs @@ -8,17 +8,16 @@ use anyhow::*; use async_trait::async_trait; use serde::Deserialize; -use serde_json::Value; use crate::ReferenceValue; -use super::Store; +use super::ReferenceValueStorage; /// Local directory path to store the reference values, /// which is created by sled engine. const FILE_PATH: &str = "/opt/confidential-containers/attestation-service/reference_values"; -/// `LocalFs` implements [`Store`] trait. And +/// `LocalFs` implements [`ReferenceValueStorage`] trait. And /// it uses rocksdb inside. pub struct LocalFs { engine: sled::Db, @@ -28,23 +27,30 @@ fn default_file_path() -> String { FILE_PATH.to_string() } -#[derive(Deserialize, Default)] -struct Config { +#[derive(Clone, Debug, Deserialize, PartialEq)] +pub struct Config { #[serde(default = "default_file_path")] - file_path: String, + pub file_path: String, +} + +impl Default for Config { + fn default() -> Self { + Self { + file_path: default_file_path(), + } + } } impl LocalFs { /// Create a new [`LocalFs`] with given config - pub fn new(config: Value) -> Result { - let config: Config = serde_json::from_value(config)?; + pub fn new(config: Config) -> Result { let engine = sled::open(config.file_path)?; Ok(Self { engine }) } } #[async_trait] -impl Store for LocalFs { +impl ReferenceValueStorage for LocalFs { async fn set(&self, name: String, rv: ReferenceValue) -> Result> { let rv_serde = serde_json::to_vec(&rv)?; let res = match self @@ -86,12 +92,11 @@ impl Store for LocalFs { #[cfg(test)] mod tests { - use serde_json::json; use serial_test::serial; - use crate::{ReferenceValue, Store}; + use crate::{ReferenceValue, ReferenceValueStorage}; - use super::LocalFs; + use super::{Config, LocalFs}; const KEY: &str = "test1"; 
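Review bot: The doc comment on `LocalFs` in the first hunk of storage/local_fs/mod.rs is edited for the trait rename, but its next line still says `it uses rocksdb inside`, while the struct field is `engine: sled::Db` and the comment on `FILE_PATH` says the directory is created by the sled engine. Since the line is being touched anyway, the pair could become `/// LocalFs implements the ReferenceValueStorage trait on top of a sled database.` so that the documented backend matches the one that is opened.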
@@ -103,13 +108,11 @@ mod tests { let temp_dir = tempfile::tempdir().expect("create tempdir failed"); let dir_str = temp_dir.path().to_string_lossy().to_string(); { - let store = LocalFs::new(json!({ - "file_path": dir_str - })) - .expect("create local fs store failed."); + let storage = + LocalFs::new(Config { file_path: dir_str }).expect("create local fs store failed."); let rv = ReferenceValue::new().expect("create ReferenceValue failed."); assert!( - store + storage .set(KEY.to_owned(), rv.clone()) .await .expect("set rv failed.") @@ -117,7 +120,7 @@ mod tests { "the storage has previous key of {}", KEY ); - let got = store + let got = storage .get(KEY) .await .expect("get rv failed.") @@ -134,10 +137,8 @@ mod tests { let temp_dir = tempfile::tempdir().expect("create tempdir failed"); let dir_str = temp_dir.path().to_string_lossy().to_string(); { - let store = LocalFs::new(json!({ - "file_path": dir_str - })) - .expect("create local fs store failed."); + let storage = + LocalFs::new(Config { file_path: dir_str }).expect("create local fs store failed."); let rv_old = ReferenceValue::new() .expect("create ReferenceValue failed.") .set_name("old"); @@ -147,7 +148,7 @@ mod tests { .set_name("new"); assert!( - store + storage .set(KEY.to_owned(), rv_old.clone()) .await .expect("set rv failed.") @@ -156,7 +157,7 @@ mod tests { KEY ); - let got = store + let got = storage .set(KEY.to_owned(), rv_new) .await .expect("get rv failed.") 
@@ -175,21 +176,19 @@ mod tests { let temp_dir = tempfile::tempdir().expect("create tempdir failed"); let dir_str = temp_dir.path().to_string_lossy().to_string(); { - let store = LocalFs::new(json!({ - "file_path": dir_str - })) + let storage = LocalFs::new(Config { + file_path: dir_str.clone(), + }) .expect("create local fs store failed."); - store + storage .set(KEY.to_owned(), rv.clone()) .await .expect("set rv failed."); } { - let store = LocalFs::new(json!({ - "file_path": dir_str - })) - .expect("create local fs store failed."); - let got = store + let storage = + LocalFs::new(Config { file_path: dir_str }).expect("create local fs store failed."); + let got = storage .get(KEY) .await .expect("get rv failed.") diff --git a/rvps/src/store/local_json/mod.rs b/rvps/src/storage/local_json/mod.rs similarity index 86% rename from rvps/src/store/local_json/mod.rs rename to rvps/src/storage/local_json/mod.rs index b08bbeb0cf..e0cb828fde 100644 --- a/rvps/src/store/local_json/mod.rs +++ b/rvps/src/storage/local_json/mod.rs @@ -1,12 +1,11 @@ use std::{fs, path::PathBuf}; -use super::Store; +use super::ReferenceValueStorage; use crate::ReferenceValue; use anyhow::{anyhow, Result}; use async_trait::async_trait; use log::debug; use serde::Deserialize; -use serde_json::Value; use tokio::sync::RwLock; const FILE_PATH: &str = "/opt/confidential-containers/attestation-service/reference_values.json"; 
@@ -20,16 +19,22 @@ fn default_file_path() -> String { FILE_PATH.to_string() } -#[derive(Deserialize, Default)] -struct Config { +#[derive(Clone, Debug, Deserialize, PartialEq)] +pub struct Config { #[serde(default = "default_file_path")] - file_path: String, + pub file_path: String, } -impl LocalJson { - pub fn new(config: Value) -> Result { - let config: Config = serde_json::from_value(config)?; +impl Default for Config { + fn default() -> Self { + Self { + file_path: default_file_path(), + } + } +} +impl LocalJson { + pub fn new(config: Config) -> Result { let mut path = PathBuf::new(); path.push(&config.file_path); @@ -46,7 +51,7 @@ impl LocalJson { } #[async_trait] -impl Store for LocalJson { +impl ReferenceValueStorage for LocalJson { async fn set(&self, name: String, rv: ReferenceValue) -> Result> { let _ = self.lock.write().await; let file = tokio::fs::read(&self.file_path).await?; diff --git a/rvps/src/store/mod.rs b/rvps/src/storage/mod.rs similarity index 50% rename from rvps/src/store/mod.rs rename to rvps/src/storage/mod.rs index 0fd951efd3..236fcf2d50 100644 --- a/rvps/src/store/mod.rs +++ b/rvps/src/storage/mod.rs @@ -8,8 +8,7 @@ use anyhow::Result; use async_trait::async_trait; use serde::Deserialize; -use serde_json::Value; -use strum::EnumString; +use strum::Display; use self::local_fs::LocalFs; use self::local_json::LocalJson; 
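Review bot: In the `impl ReferenceValueStorage for LocalJson` hunk, `set` opens with `let _ = self.lock.write().await;`, which drops the write guard at the end of that statement, so the lock is not held while the file is read and, presumably, rewritten further down. Two concurrent `set` calls can then interleave, and one reference value may be lost. Binding the guard keeps it alive for the whole function: `let _guard = self.lock.write().await;`. The line predates this commit, but the hunk already edits this impl; the body of `set` continues outside the hunk, and any other method using the same `let _ =` pattern needs the same change.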
@@ -19,29 +18,36 @@ use super::ReferenceValue; pub mod local_fs; pub mod local_json; -#[derive(Deserialize, Debug, Clone, EnumString)] -pub enum StoreType { - LocalFs, - LocalJson, +#[derive(Clone, Debug, Deserialize, Display, PartialEq)] +#[serde(tag = "type")] +pub enum ReferenceValueStorageConfig { + LocalFs(local_fs::Config), + LocalJson(local_json::Config), } -impl StoreType { - pub fn to_store(&self, config: Value) -> Result> { +impl Default for ReferenceValueStorageConfig { + fn default() -> Self { + ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()) + } +} + +impl ReferenceValueStorageConfig { + pub fn to_storage(&self) -> Result> { match self { - StoreType::LocalFs => { - Ok(Box::new(LocalFs::new(config)?) as Box) - } - StoreType::LocalJson => { - Ok(Box::new(LocalJson::new(config)?) as Box) + ReferenceValueStorageConfig::LocalFs(cfg) => Ok(Box::new(LocalFs::new(cfg.clone())?) + as Box), + ReferenceValueStorageConfig::LocalJson(cfg) => { + Ok(Box::new(LocalJson::new(cfg.clone())?) + as Box) } } } } -/// Interface of a `Store`. +/// Interface for `ReferenceValueStorage`. /// Reference value storage facilities should implement this trait. #[async_trait] -pub trait Store { +pub trait ReferenceValueStorage { /// Store a reference value. If the given `name` exists, /// return the previous `Some`, otherwise return `None` async fn set(&self, name: String, rv: ReferenceValue) -> Result>; From ffa8381df42358682d25a9bff124f108c554dd5b Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Mon, 16 Dec 2024 15:18:47 -0600 Subject: [PATCH 225/298] rvps: fixup KBS and AS tests for new RVPS config We can just use the default config for most of the tests. 
Signed-off-by: Tobin Feldman-Fitzthum --- Cargo.lock | 1 + attestation-service/config.json | 6 +++-- attestation-service/src/config.rs | 22 ++++++++----------- .../tests/configs/example1.json | 5 +++-- .../tests/configs/example2.json | 5 +++-- .../tests/configs/example3.json | 5 +++-- .../tests/configs/example4.json | 5 +++-- kbs/Cargo.toml | 2 ++ kbs/src/config.rs | 15 ++++++------- kbs/test_data/configs/coco-as-builtin-2.toml | 4 +++- kbs/test_data/configs/coco-as-builtin-3.toml | 4 +++- 11 files changed, 41 insertions(+), 33 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bd4d0c5904..1bfa144d5a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2842,6 +2842,7 @@ dependencies = [ "openssl", "prost", "rand", + "reference-value-provider-service", "regex", "regorus", "reqwest 0.12.9", diff --git a/attestation-service/config.json b/attestation-service/config.json index fc2406d105..19951dbfbd 100644 --- a/attestation-service/config.json +++ b/attestation-service/config.json @@ -2,10 +2,12 @@ "work_dir": "/var/lib/attestation-service/", "rvps_config": { "type": "BuiltIn", - "store_type": "LocalFs" + "storage": { + "type": "LocalFs" + } }, "attestation_token_broker": { "type": "Simple", "duration_min": 5 } -} \ No newline at end of file +} diff --git a/attestation-service/src/config.rs b/attestation-service/src/config.rs index 48ac206fa3..7ad6dbf046 100644 --- a/attestation-service/src/config.rs +++ b/attestation-service/src/config.rs @@ -58,9 +58,10 @@ impl TryFrom<&Path> for Config { /// "work_dir": "/var/lib/attestation-service/", /// "policy_engine": "opa", /// "rvps_config": { - /// "store_type": "LocalFs", + /// "storage": { + /// "type": "LocalFs" + /// } /// "store_config": {}, - /// "remote_addr": "" /// }, /// "attestation_token_broker": { /// "type": "Ear", 
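Review bot: The doc-comment example in the `@@ -58,9 +58,10 @@` hunk of attestation-service/src/config.rs still lists `"store_config": {},`, a key the reworked RVPS config no longer has, and the closing `}` of the new `storage` object is not followed by a comma, so the example is not valid JSON as written. Dropping the `/// "store_config": {},` line fixes both, because `storage` then becomes the last member of `rvps_config`. The doc comment starts outside the hunk.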
@@ -76,10 +77,8 @@ impl TryFrom<&Path> for Config { #[cfg(test)] mod tests { - use std::path::PathBuf; - use rstest::rstest; - use serde_json::json; + use std::path::PathBuf; use super::Config; use crate::rvps::RvpsCrateConfig; @@ -87,13 +86,13 @@ mod tests { rvps::RvpsConfig, token::{ear_broker, simple, AttestationTokenConfig}, }; + use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig}; #[rstest] #[case("./tests/configs/example1.json", Config { work_dir: PathBuf::from("/var/lib/attestation-service/"), rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { - store_type: "LocalFs".into(), - store_config: json!({}), + storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()), }), attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { duration_min: 5, @@ -105,8 +104,7 @@ mod tests { #[case("./tests/configs/example2.json", Config { work_dir: PathBuf::from("/var/lib/attestation-service/"), rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { - store_type: "LocalFs".into(), - store_config: json!({}), + storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()), }), attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { duration_min: 5, @@ -122,8 +120,7 @@ mod tests { #[case("./tests/configs/example3.json", Config { work_dir: PathBuf::from("/var/lib/attestation-service/"), rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { - store_type: "LocalFs".into(), - store_config: json!({}), + storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()), }), attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration { duration_min: 5, 
@@ -138,8 +135,7 @@ mod tests { #[case("./tests/configs/example4.json", Config { work_dir: PathBuf::from("/var/lib/attestation-service/"), rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { - store_type: "LocalFs".into(), - store_config: json!({}), + storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()), }), attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration { duration_min: 5, diff --git a/attestation-service/tests/configs/example1.json b/attestation-service/tests/configs/example1.json index da1c7a3290..1c3696f8d7 100644 --- a/attestation-service/tests/configs/example1.json +++ b/attestation-service/tests/configs/example1.json @@ -2,8 +2,9 @@ "work_dir": "/var/lib/attestation-service/", "rvps_config": { "type": "BuiltIn", - "store_type": "LocalFs", - "remote_addr": "" + "storage": { + "type": "LocalFs" + } }, "attestation_token_broker": { "type": "Simple", diff --git a/attestation-service/tests/configs/example2.json b/attestation-service/tests/configs/example2.json index 2000b5c780..d25a0c4f3b 100644 --- a/attestation-service/tests/configs/example2.json +++ b/attestation-service/tests/configs/example2.json @@ -2,8 +2,9 @@ "work_dir": "/var/lib/attestation-service/", "rvps_config": { "type": "BuiltIn", - "store_type": "LocalFs", - "remote_addr": "" + "storage": { + "type": "LocalFs" + } }, "attestation_token_broker": { "type": "Simple", diff --git a/attestation-service/tests/configs/example3.json b/attestation-service/tests/configs/example3.json index 4ed2563df4..30814e603d 100644 --- a/attestation-service/tests/configs/example3.json +++ b/attestation-service/tests/configs/example3.json @@ -2,8 +2,9 @@ "work_dir": "/var/lib/attestation-service/", "rvps_config": { "type": "BuiltIn", - "store_type": "LocalFs", - "remote_addr": "" + "storage": { + "type": "LocalFs" + } }, "attestation_token_broker": { "type": "Ear", 
diff --git a/attestation-service/tests/configs/example4.json b/attestation-service/tests/configs/example4.json index a192969da2..3770a887d1 100644 --- a/attestation-service/tests/configs/example4.json +++ b/attestation-service/tests/configs/example4.json @@ -2,8 +2,9 @@ "work_dir": "/var/lib/attestation-service/", "rvps_config": { "type": "BuiltIn", - "store_type": "LocalFs", - "remote_addr": "" + "storage": { + "type": "LocalFs" + } }, "attestation_token_broker": { "type": "Ear", diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 663dcc03a8..a25994d110 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -82,9 +82,11 @@ attestation-service = { path = "../attestation-service", default-features = fals "se-verifier", ], optional = true } + [dev-dependencies] tempfile.workspace = true rstest.workspace = true +reference-value-provider-service.path = "../rvps" [build-dependencies] tonic-build = { workspace = true, optional = true } diff --git a/kbs/src/config.rs b/kbs/src/config.rs index b42b2af104..851c7e5803 100644 --- a/kbs/src/config.rs +++ b/kbs/src/config.rs @@ -124,8 +124,9 @@ mod tests { token::{simple, AttestationTokenConfig, COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION}, }; + use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig}; + use rstest::rstest; - use serde_json::json; #[rstest] #[case("test_data/configs/coco-as-grpc-1.toml", KbsConfig { 
@@ -293,9 +294,10 @@ mod tests { crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( attestation_service::config::Config { work_dir: "/opt/confidential-containers/attestation-service".into(), - rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { - store_type: "LocalFs".into(), - store_config: json!({}), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig{ + storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config{ + file_path: "/opt/confidential-containers/attestation-service/reference_values".into(), + }), }), attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration{ duration_min: 5, @@ -423,10 +425,7 @@ mod tests { crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn( attestation_service::config::Config { work_dir: "/opt/confidential-containers/attestation-service".into(), - rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig { - store_type: "LocalFs".into(), - ..Default::default() - }), + rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig::default()), attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration { duration_min: 5, policy_dir: "/opt/confidential-containers/attestation-service/simple-policies".into(), diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml index 070b6190b7..42fc5a7f5b 100644 --- a/kbs/test_data/configs/coco-as-builtin-2.toml +++ b/kbs/test_data/configs/coco-as-builtin-2.toml @@ -17,7 +17,9 @@ duration_min = 5 [attestation_service.rvps_config] type = "BuiltIn" -store_type = "LocalFs" + +[attestation_service.rvps_config.storage] +type = "LocalFs" [admin] auth_public_key = "/kbs/kbs.pem" diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml index f42049d6e8..7be20d03a2 100644 --- a/kbs/test_data/configs/coco-as-builtin-3.toml +++ b/kbs/test_data/configs/coco-as-builtin-3.toml 
@@ -16,7 +16,9 @@ policy_dir = "/opt/confidential-containers/attestation-service/simple-policies" [attestation_service.rvps_config] type = "BuiltIn" -store_type = "LocalFs" + +[attestation_service.rvps_config.storage] +type = "LocalFs" [policy_engine] policy_path = "/opa/confidential-containers/kbs/policy.rego" From dcf80c2dd8df2b32655b18967d2dc64326ff7b3f Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Mon, 16 Dec 2024 16:16:58 -0600 Subject: [PATCH 226/298] rvps: adjust docker compose and k8s configs for rvps Adjust various configs to match the new RVPS config Signed-off-by: Tobin Feldman-Fitzthum --- docker-compose.yml | 5 +++++ kbs/config/kbs-config.toml | 1 - kbs/config/kubernetes/base/kbs-config.toml | 1 - kbs/config/rvps.json | 9 ++++----- kbs/test/config/kbs.toml | 1 - 5 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 7d72c7f7ab..1e1b7e34a1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -52,6 +52,11 @@ services: volumes: - ./kbs/data/reference-values:/opt/confidential-containers/attestation-service/reference_values:rw - ./kbs/config/rvps.json:/etc/rvps.json:rw + command: [ + "rvps", + "--address", + "0.0.0.0:50003" + ] keyprovider: image: ghcr.io/confidential-containers/coco-keyprovider:latest diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml index f4f17b7044..c5823fec51 100644 --- a/kbs/config/kbs-config.toml +++ b/kbs/config/kbs-config.toml @@ -15,7 +15,6 @@ duration_min = 5 [attestation_service.rvps_config] type = "BuiltIn" -store_type = "LocalFs" [policy_engine] policy_path = "/opa/confidential-containers/kbs/policy.rego" diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index dbad9b0555..5d1b228d1e 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml 
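Review bot: The `command` added in the docker-compose.yml hunk starts RVPS with `--address 0.0.0.0:50003`, while the binary's own default, introduced in rvps/src/bin/rvps.rs, is loopback (`127.0.0.1:50003`). Listening on every container interface is presumably needed so the other compose services can reach it, but the hunk shows no transport security or authentication for that listener, and whether the port is also published to the host is outside the hunk. A comment above the command would record the intent, for example `# all container interfaces: reached by other services on the compose network, not meant to be published on an untrusted network`. The service definition starts and ends outside the hunk.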
@@ -20,7 +20,6 @@ key_path = "/kbs/as-private-key.pem" [attestation_service.rvps_config] type = "BuiltIn" -store_type = "LocalFs" [admin] auth_public_key = "/kbs/kbs.pem" diff --git a/kbs/config/rvps.json b/kbs/config/rvps.json index fd0bdac3f6..13e84414aa 100644 --- a/kbs/config/rvps.json +++ b/kbs/config/rvps.json @@ -1,7 +1,6 @@ { - "address": "0.0.0.0:50003", - "store_type": "LocalFs", - "store_config": { - "file_path": "/opt/confidential-containers/attestation-service/reference_values" + "storage": { + "type":"LocalFs", + "file_path": "/opt/confidential-containers/attestation-service/reference_values" } -} \ No newline at end of file +} diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml index f2f0d26dd6..386d18390d 100644 --- a/kbs/test/config/kbs.toml +++ b/kbs/test/config/kbs.toml @@ -22,7 +22,6 @@ cert_path = "./work/token-cert-chain.pem" [attestation_service.rvps_config] type = "BuiltIn" -store_type = "LocalFs" [policy_engine] policy_path = "./work/kbs-policy.rego" From 9074d2eeb0c6dc5dcac1f657674ef9891c2f51aa Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 17 Dec 2024 15:03:03 -0600 Subject: [PATCH 227/298] rvps: update docs for new rvps storage config Update all our configuration descriptions and examples to match the changes to the RVPS config. Signed-off-by: Tobin Feldman-Fitzthum --- attestation-service/docs/config.md | 9 ++++----- deps/verifier/src/se/README.md | 10 ++++++---- kbs/docs/config.md | 9 +++++---- kbs/docs/self-signed-https.md | 4 +++- rvps/README.md | 10 ++++------ 5 files changed, 22 insertions(+), 20 deletions(-) diff --git a/attestation-service/docs/config.md b/attestation-service/docs/config.md index 855e5710da..801bc6a6b7 100644 --- a/attestation-service/docs/config.md +++ b/attestation-service/docs/config.md 
@@ -74,10 +74,9 @@ If `type` is set to `BuiltIn`, the following extra properties can be set | Property | Type | Description | Required | Default | |----------------|-------------------------|-----------------------------------------------------------------------|----------|----------| -| `store_type` | String | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`) | No | `LocalFs`| -| `store_config` | JSON Map | The optional configurations to the underlying storage. | No | Null | +| `storage` | ReferenceValueStorageConfig | Configuration of storage for reference values (`LocalFs` or `LocalJson`) | No | `LocalFs`| -Different `store_type` will have different `store_config` items. +`ReferenceValueStorageConfig` can contain either a `LocalFs` configuration or a `LocalJson` configuration. For `LocalFs`, the following properties can be set @@ -110,8 +109,8 @@ Running with a built-in RVPS: "policy_engine": "opa", "rvps_config": { "type": "BuiltIn", - "store_type": "LocalFs", - "store_config": { + "storage": { + "type": "LocalFs" "file_path": "/var/lib/attestation-service/reference-values" } }, diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md index 1df4d87cc8..54298b6725 100644 --- a/deps/verifier/src/se/README.md +++ b/deps/verifier/src/se/README.md @@ -103,17 +103,19 @@ insecure_http = true [attestation_token] insecure_key = true -[as_config] +[attestation_service] work_dir = "/opt/confidential-containers/attestation-service" policy_engine = "opa" -[as_config.attestation_token_broker] +[attestation_service.attestation_token_broker] type = "Ear" duration_min = 5 -[as_config.rvps_config] +[attestation_service.rvps_config] type = "BuiltIn" -store_type = "LocalFs" + +[attestation_service.rvps_config] +type = "LocalFs" ``` - Launch the KBS program diff --git a/kbs/docs/config.md b/kbs/docs/config.md index a6b9348b84..ad9a840a7d 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md 
@@ -143,10 +143,9 @@ If `type` is set to `BuiltIn`, the following extra properties can be set | Property | Type | Description | Required | Default | |----------------|-------------------------|-----------------------------------------------------------------------|----------|----------| -| `store_type` | String | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`) | No | `LocalFs`| -| `store_config` | JSON Map | The optional configurations to the underlying storage. | No | Null | +| `storage` | ReferenceValueStorageConfig | Configuration of the storage for reference values (`LocalFs` or `LocalJson`) | No | `LocalFs`| -Different `store_type` will have different `store_config` items. +A `ReferenceValueStorageConfig` can either be of type `LocalFs` or `LocalJson` For `LocalFs`, the following properties can be set @@ -276,7 +275,9 @@ policy_engine = "opa" [attestation_service.rvps_config] type = "BuiltIn" - store_type = "LocalFs" + + [attestation_service.rvps_config.storage] + type = "LocalFs" [[plugins]] name = "resource" diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md index 94625a0e24..494f86d77c 100644 --- a/kbs/docs/self-signed-https.md +++ b/kbs/docs/self-signed-https.md @@ -88,7 +88,9 @@ policy_engine = "opa" [attestation_service.rvps_config] type = "BuiltIn" - store_type = "LocalFs" + + [attestation_service.rvps_config.storage] + type = "LocalFs" [[plugins]] name = "resource" diff --git a/rvps/README.md b/rvps/README.md index f2fb5fb491..42d5526ee3 100644 --- a/rvps/README.md +++ b/rvps/README.md @@ -77,7 +77,7 @@ cd .. && docker build -t rvps -f rvps/docker/Dockerfile . Run ```bash -docker run -d -p 50003:50003 rvps +docker run -d -p 50003:50003 rvps --address 0.0.0.0:50003 ``` ### Configuration file 
@@ -85,14 +85,12 @@ docker run -d -p 50003:50003 rvps RVPS can be launched with a specified configuration file by `-c` flag. A configuration file looks lile ```json { - "address": "0.0.0.0:50003", - "store_type": "LocalFs", - "store_config": { + "storage": { + "type": "LocalFs", "file_path": "/opt/confidential-containers/attestation-service/reference_values" } } ``` -- `address`: socket listening to requests. - `store_type`: backend storage type to store reference values. Currently `LocalFs` and `LocalJson` are supported. - `store_config`: optional extra parameters for different kinds of `store_type`. This is also a JSON map object. The concrete content is different due to different `store_type`. @@ -126,7 +124,7 @@ A client tool helps to perform as a client to rvps. It can Run RVPS in docker or the following commands ```bash RVPS_ADDR=127.0.0.1:50003 -rvps --socket $RVPS_ADDR +rvps --address $RVPS_ADDR ``` Edit an test message in [sample format](./src/extractors/extractor_modules/sample/README.md) From ca5adaeab201250dca57b9b2f3ca21056481bf81 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Dec 2024 01:17:52 +0000 Subject: [PATCH 228/298] build(deps): bump scc from 2.2.5 to 2.2.6 Bumps [scc](https://github.com/wvwwvwwv/scalable-concurrent-containers) from 2.2.5 to 2.2.6. - [Changelog](https://github.com/wvwwvwwv/scalable-concurrent-containers/blob/main/CHANGELOG.md) - [Commits](https://github.com/wvwwvwwv/scalable-concurrent-containers/commits) --- updated-dependencies: - dependency-name: scc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1bfa144d5a..be2802e921 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -3002,7 +3002,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] @@ -4543,9 +4543,9 @@ dependencies = [ [[package]] name = "scc" -version = "2.2.5" +version = "2.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66b202022bb57c049555430e11fc22fea12909276a80a4c3d368da36ac1d88ed" +checksum = "94b13f8ea6177672c49d12ed964cca44836f59621981b04a3e26b87e675181de" dependencies = [ "sdd", ] @@ -6066,7 +6066,7 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] [[package]] From 83ed64ccad1cebeeb5bc86823b3975408ba4fa19 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Dec 2024 01:39:09 +0000 Subject: [PATCH 229/298] build(deps): bump clap_lex from 0.7.3 to 0.7.4 Bumps [clap_lex](https://github.com/clap-rs/clap) from 0.7.3 to 0.7.4. - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](https://github.com/clap-rs/clap/compare/clap_lex-v0.7.3...clap_lex-v0.7.4) --- updated-dependencies: - dependency-name: clap_lex dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index be2802e921..ac245c772f 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1122,9 +1122,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.7.3" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afb84c814227b90d6895e01398aee0d8033c00e7466aca416fb6a8e0eb19d8a7" +checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "coarsetime" From 826b143f8c492f103aa446b8d40e031a500440c4 Mon Sep 17 00:00:00 2001 From: Seunguk Shin Date: Fri, 20 Dec 2024 14:10:48 +0000 Subject: [PATCH 230/298] ci: Push AS, RVPS, KBS and KBS Client for arm64 Support cross-compiled build for as, rvps, kbs and kbs client on arm64 architecture Signed-off-by: Seunguk Shin Reviewed-by: Nick Connolly --- .github/workflows/build-as-image.yml | 28 ++++++++++----- .github/workflows/build-kbs-image.yml | 34 ++++++++++++++----- .github/workflows/push-as-image-to-ghcr.yml | 2 ++ .github/workflows/push-kbs-client-to-ghcr.yml | 27 ++++++++------- .github/workflows/push-kbs-image-to-ghcr.yml | 4 ++- kbs/Cargo.toml | 7 +++- kbs/Makefile | 2 +- kbs/docker/kbs-client/Dockerfile | 15 ++++++++ 8 files changed, 86 insertions(+), 33 deletions(-) create mode 100644 kbs/docker/kbs-client/Dockerfile diff --git a/.github/workflows/build-as-image.yml b/.github/workflows/build-as-image.yml index 948527e41e..97d97f04b4 100644 --- a/.github/workflows/build-as-image.yml +++ b/.github/workflows/build-as-image.yml @@ -13,9 +13,10 @@ jobs: strategy: fail-fast: false matrix: - instance: - - ubuntu-latest + target_arch: + - x86_64 - s390x + - aarch64 name: - RESTful CoCo-AS - gRPC CoCo-AS 
@@ -31,11 +32,19 @@ jobs: - name: RVPS docker_file: rvps/docker/Dockerfile tag: rvps - # add verifier flag to arch - - instance: ubuntu-latest + # add instance and verifier flag to target + - target_arch: x86_64 + target_platform: linux/amd64 + instance: ubuntu-latest verifier: all-verifier - - instance: s390x + - target_arch: s390x + target_platform: linux/s390x + instance: s390x verifier: se-verifier + - target_arch: aarch64 + target_platform: linux/arm64 + instance: ubuntu-latest + verifier: cca-verifier runs-on: ${{ matrix.instance }} steps: @@ -55,8 +64,9 @@ jobs: - name: Build ${{ matrix.name }} Container Image run: | commit_sha=${{ github.sha }} - arch=$(uname -m) - DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} --build-arg ARCH="${arch}" \ + docker buildx build --platform "${{ matrix.target_platform }}" \ + -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ + --build-arg ARCH="${{ matrix.target_arch }}" \ --build-arg VERIFIER="${{ matrix.verifier }}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" . + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" . diff --git a/.github/workflows/build-kbs-image.yml b/.github/workflows/build-kbs-image.yml index 5727e8262a..562f4b3eed 100644 --- a/.github/workflows/build-kbs-image.yml +++ b/.github/workflows/build-kbs-image.yml 
@@ -13,20 +13,26 @@ jobs: strategy: fail-fast: false matrix: - instance: - - ubuntu-latest + target_arch: + - x86_64 - s390x + - aarch64 tag: - kbs - kbs-grpc-as - kbs-ita-as - rhel-ubi exclude: - - instance: s390x + - target_arch: s390x tag: kbs-ita-as - - instance: s390x + - target_arch: s390x + tag: rhel-ubi + - target_arch: aarch64 + tag: kbs-ita-as + - target_arch: aarch64 tag: rhel-ubi include: + # add docker_file + name to each tag - tag: kbs docker_file: kbs/docker/Dockerfile name: build-in AS @@ -39,6 +45,16 @@ jobs: - tag: rhel-ubi docker_file: kbs/docker/rhel-ubi/Dockerfile name: RHEL UBI AS + # add instance flag to target + - target_arch: x86_64 + target_platform: linux/amd64 + instance: ubuntu-latest + - target_arch: s390x + target_platform: linux/s390x + instance: s390x + - target_arch: aarch64 + target_platform: linux/arm64 + instance: ubuntu-latest runs-on: ${{ matrix.instance }} @@ -59,8 +75,8 @@ jobs: - name: Build Container Image KBS (${{ matrix.name }}) run: | commit_sha=${{ github.sha }} - arch=$(uname -m) - DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \ - --build-arg ARCH="${arch}" . + docker buildx build --platform "${{ matrix.target_platform }}" \ + -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" \ + --build-arg ARCH="${{ matrix.target_arch }}" . diff --git a/.github/workflows/push-as-image-to-ghcr.yml b/.github/workflows/push-as-image-to-ghcr.yml index 3a5f4e780b..44a94ad8fa 100644 --- a/.github/workflows/push-as-image-to-ghcr.yml +++ b/.github/workflows/push-as-image-to-ghcr.yml 
@@ -49,9 +49,11 @@ jobs: commit_sha=${{ github.sha }} docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-s390x" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-x86_64" docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}" docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-s390x" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-x86_64" docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest" diff --git a/.github/workflows/push-kbs-client-to-ghcr.yml b/.github/workflows/push-kbs-client-to-ghcr.yml index 22d5c28d14..76355c5957 100644 --- a/.github/workflows/push-kbs-client-to-ghcr.yml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -13,9 +13,15 @@ jobs: arch: - x86_64 - s390x - env: - RUSTC_VERSION: 1.76.0 - runs-on: ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 's390x' }} + - aarch64 + include: + - arch: x86_64 + platform: linux/amd64 + - arch: s390x + platform: linux/s390x + - arch: aarch64 + platform: linux/arm64 + runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }} permissions: contents: read packages: write 
@@ -24,11 +30,8 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) - uses: actions-rust-lang/setup-rust-toolchain@v1 - with: - toolchain: ${{ env.RUSTC_VERSION }} - components: rustfmt, clippy + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Log in to ghcr.io uses: docker/login-action@v3 @@ -38,17 +41,17 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build a statically linked kbs-client for ${{ matrix.arch }} linux - working-directory: kbs run: | - make cli-static-linux + docker buildx build --platform "${{ matrix.platform }}" \ + -f kbs/docker/kbs-client/Dockerfile \ + --build-arg ARCH="${{ matrix.arch }}" --output ./ . - name: Push to ghcr.io - working-directory: target/${{ matrix.arch }}-unknown-linux-gnu/release run: | commit_sha=${{ github.sha }} oras push \ ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-${{ matrix.arch }}-linux-gnu-${commit_sha},latest-${{ matrix.arch }} \ kbs-client - if [ "$(uname -m)" = "x86_64" ]; then + if [ "${{ matrix.arch }}" = "x86_64" ]; then oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client fi diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml index 47bb6882b7..7360204bc7 100644 --- a/.github/workflows/push-kbs-image-to-ghcr.yml +++ b/.github/workflows/push-kbs-image-to-ghcr.yml 
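Review bot: The added `uses: docker/setup-buildx-action@v3` step in push-kbs-client-to-ghcr.yml references the action by a movable tag, in a job that holds `packages: write` and logs in to ghcr.io with `secrets.GITHUB_TOKEN`. A retagged release of that action would run with the token before the kbs-client artifact is built and pushed. Pin it to a full commit SHA and keep the version as a comment, `uses: docker/setup-buildx-action@<full-commit-sha> # v3`. The `actions/checkout@v4` and `docker/login-action@v3` context lines have the same shape. The job body starts and ends outside these hunks.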
@@ -39,9 +39,11 @@ jobs: commit_sha=${{ github.sha }} docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x" docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}" docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x" - docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" \ No newline at end of file + docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index a25994d110..3209f89d1b 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -72,7 +72,7 @@ openssl = "0.10.55" az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true } derivative = "2.2.0" -[target.'cfg(not(target_arch = "s390x"))'.dependencies] +[target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies] attestation-service = { path = "../attestation-service", default-features = false, features = [ "all-verifier", ], optional = true } 
@@ -82,6 +82,11 @@ attestation-service = { path = "../attestation-service", default-features = fals "se-verifier", ], optional = true } +[target.'cfg(target_arch = "aarch64")'.dependencies] +attestation-service = { path = "../attestation-service", default-features = false, features = [ + "cca-verifier", +], optional = true } + [dev-dependencies] tempfile.workspace = true diff --git a/kbs/Makefile b/kbs/Makefile index b6f4d88041..cc7c8dab5e 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -3,7 +3,7 @@ ALIYUN ?= false ARCH := $(shell uname -m) # Check if ARCH is supported, otehrwise return error -ifeq ($(filter $(ARCH),x86_64 s390x),) +ifeq ($(filter $(ARCH),x86_64 s390x aarch64),) $(error "Unsupported architecture: $(ARCH)") endif diff --git a/kbs/docker/kbs-client/Dockerfile b/kbs/docker/kbs-client/Dockerfile new file mode 100644 index 0000000000..6262612749 --- /dev/null +++ b/kbs/docker/kbs-client/Dockerfile @@ -0,0 +1,15 @@ +FROM rust:1.76.0 AS builder +ARG ARCH=x86_64 + +WORKDIR /usr/src/kbs +COPY . . + +RUN apt-get update && apt install -y pkg-config libssl-dev git sudo + +# Build KBS Client +RUN cd kbs && make ARCH=${ARCH} cli-static-linux && \ + cp ../target/${ARCH}-unknown-linux-gnu/release/kbs-client / + +# Export view.txt +FROM scratch AS export +COPY --from=builder /kbs-client . From cb1029cf7f7eea7f12cdd1f91c50aa6e68ed9b83 Mon Sep 17 00:00:00 2001 From: Seunguk Shin Date: Fri, 20 Dec 2024 14:33:18 +0000 Subject: [PATCH 231/298] ci: Improve cross-compile performance Improve cross-compile performance using rust cross-compiler instead of buildx 
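Review bot: The new kbs/docker/kbs-client/Dockerfile builds the binary that the workflow publishes with `oras push`, yet `FROM rust:1.76.0 AS builder` resolves a mutable tag, so the toolchain that produces the released client can change without any change in this repository. Pinning by digest, `FROM rust:1.76.0@sha256:<digest-placeholder> AS builder`, makes that build input reviewable. The comment `# Export view.txt` also does not match what the final stage does; `# Export the kbs-client binary` would.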
Signed-off-by: Seunguk Shin Reviewed-by: Nick Connolly --- .github/workflows/build-as-image.yml | 4 ++ .github/workflows/build-kbs-image.yml | 4 ++ .github/workflows/push-kbs-client-to-ghcr.yml | 10 +---- attestation-service/docker/as-grpc/Dockerfile | 14 +++++- .../docker/as-restful/Dockerfile | 14 +++++- kbs/Makefile | 45 ++++++++++++++----- kbs/docker/Dockerfile | 10 +++-- kbs/docker/coco-as-grpc/Dockerfile | 17 +++++-- kbs/docker/kbs-client/Dockerfile | 8 ++++ rvps/docker/Dockerfile | 15 ++++++- 10 files changed, 107 insertions(+), 34 deletions(-) diff --git a/.github/workflows/build-as-image.yml b/.github/workflows/build-as-image.yml index 97d97f04b4..fdf0befd5f 100644 --- a/.github/workflows/build-as-image.yml +++ b/.github/workflows/build-as-image.yml @@ -35,14 +35,17 @@ jobs: # add instance and verifier flag to target - target_arch: x86_64 target_platform: linux/amd64 + build_platform: linux/amd64 instance: ubuntu-latest verifier: all-verifier - target_arch: s390x target_platform: linux/s390x + build_platform: linux/s390x instance: s390x verifier: se-verifier - target_arch: aarch64 target_platform: linux/arm64 + build_platform: linux/amd64 instance: ubuntu-latest verifier: cca-verifier runs-on: ${{ matrix.instance }} @@ -66,6 +69,7 @@ jobs: commit_sha=${{ github.sha }} docker buildx build --platform "${{ matrix.target_platform }}" \ -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ + --build-arg BUILDPLATFORM="${{ matrix.build_platform }}" \ --build-arg ARCH="${{ matrix.target_arch }}" \ --build-arg VERIFIER="${{ matrix.verifier }}" \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \ diff --git a/.github/workflows/build-kbs-image.yml b/.github/workflows/build-kbs-image.yml index 562f4b3eed..4491b908b5 100644 --- a/.github/workflows/build-kbs-image.yml +++ b/.github/workflows/build-kbs-image.yml 
@@ -48,12 +48,15 @@ jobs: # add instance flag to target - target_arch: x86_64 target_platform: linux/amd64 + build_platform: linux/amd64 instance: ubuntu-latest - target_arch: s390x target_platform: linux/s390x + build_platform: linux/s390x instance: s390x - target_arch: aarch64 target_platform: linux/arm64 + build_platform: linux/amd64 instance: ubuntu-latest runs-on: ${{ matrix.instance }} @@ -79,4 +82,5 @@ jobs: -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" \ + --build-arg BUILDPLATFORM="${{ matrix.build_platform }}" \ --build-arg ARCH="${{ matrix.target_arch }}" . diff --git a/.github/workflows/push-kbs-client-to-ghcr.yml b/.github/workflows/push-kbs-client-to-ghcr.yml index 76355c5957..5c2a692a50 100644 --- a/.github/workflows/push-kbs-client-to-ghcr.yml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -14,13 +14,6 @@ jobs: - x86_64 - s390x - aarch64 - include: - - arch: x86_64 - platform: linux/amd64 - - arch: s390x - platform: linux/s390x - - arch: aarch64 - platform: linux/arm64 runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }} permissions: contents: read @@ -42,8 +35,7 @@ jobs: - name: Build a statically linked kbs-client for ${{ matrix.arch }} linux run: | - docker buildx build --platform "${{ matrix.platform }}" \ - -f kbs/docker/kbs-client/Dockerfile \ + docker buildx build -f kbs/docker/kbs-client/Dockerfile \ --build-arg ARCH="${{ matrix.arch }}" --output ./ . - name: Push to ghcr.io diff --git a/attestation-service/docker/as-grpc/Dockerfile b/attestation-service/docker/as-grpc/Dockerfile index 26fe023e0d..8b6a48f233 100644 --- a/attestation-service/docker/as-grpc/Dockerfile +++ b/attestation-service/docker/as-grpc/Dockerfile 
@@ -2,7 +2,8 @@ # Licensed under the Apache License, Version 2.0, see LICENSE for details. # SPDX-License-Identifier: Apache-2.0 -FROM rust:latest AS builder +FROM --platform=$BUILDPLATFORM rust:latest AS builder +ARG BUILDPLATFORM=linux/amd64 ARG ARCH=x86_64 ARG VERIFIER=all-verifier @@ -18,7 +19,16 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/ apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi # Build and Install gRPC attestation-service -RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin,${VERIFIER} --locked +RUN if [ "$(uname -m)" != "${ARCH}" ]; then \ + export GCC_PACKAGE="gcc-${ARCH}-linux-gnu"; \ + export GCC_COMPILER="${ARCH}-linux-gnu-gcc"; \ + export RUSTC_TARGET="${ARCH}-unknown-linux-gnu"; \ + export TARGET_FLAG="--target ${RUSTC_TARGET}"; \ + export RUSTFLAGS_ARGS=" -C linker=${GCC_COMPILER}"; \ + export RUSTFLAGS="${RUSTFLAGS_ARGS}"; \ + apt-get install -y ${GCC_PACKAGE}; \ + rustup target add ${RUSTC_TARGET}; fi; \ + cargo install --path attestation-service --bin grpc-as --features grpc-bin,${VERIFIER} --locked ${TARGET_FLAG} FROM ubuntu:22.04 diff --git a/attestation-service/docker/as-restful/Dockerfile b/attestation-service/docker/as-restful/Dockerfile index e0e0659b7c..735cc77589 100644 --- a/attestation-service/docker/as-restful/Dockerfile +++ b/attestation-service/docker/as-restful/Dockerfile @@ -2,7 +2,8 @@ # Licensed under the Apache License, Version 2.0, see LICENSE for details. # SPDX-License-Identifier: Apache-2.0 -FROM rust:latest AS builder +FROM --platform=$BUILDPLATFORM rust:latest AS builder +ARG BUILDPLATFORM=linux/amd64 ARG ARCH=x86_64 ARG VERIFIER=all-verifier 
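Review bot: In the added cross-compile `RUN` of as-grpc/Dockerfile the toolchain steps are chained with `;`, so a failed `apt-get install -y ${GCC_PACKAGE}` or `rustup target add ${RUSTC_TARGET}` does not stop the layer and the error only surfaces later as a `cargo install` failure. Chain them with `&&`, or start the command with `set -e;`, so the step that failed is the one reported. The install also runs without an `apt-get update` in the same layer; whether an earlier layer refreshed the package lists for a non-x86_64 `ARCH` is not visible in the hunk. The same block is added in as-restful/Dockerfile and rvps/docker/Dockerfile.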
@@ -18,7 +19,16 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/ apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi # Build and Install RESTful attestation-service -RUN cargo install --path attestation-service --bin restful-as --features restful-bin,${VERIFIER} --locked +RUN if [ "$(uname -m)" != "${ARCH}" ]; then \ + export GCC_PACKAGE="gcc-${ARCH}-linux-gnu"; \ + export GCC_COMPILER="${ARCH}-linux-gnu-gcc"; \ + export RUSTC_TARGET="${ARCH}-unknown-linux-gnu"; \ + export TARGET_FLAG="--target ${RUSTC_TARGET}"; \ + export RUSTFLAGS_ARGS=" -C linker=${GCC_COMPILER}"; \ + export RUSTFLAGS="${RUSTFLAGS_ARGS}"; \ + apt-get install -y ${GCC_PACKAGE}; \ + rustup target add ${RUSTC_TARGET}; fi; \ + cargo install --path attestation-service --bin restful-as --features restful-bin,${VERIFIER} --locked ${TARGET_FLAG} FROM ubuntu:22.04 ARG ARCH=x86_64 diff --git a/kbs/Makefile b/kbs/Makefile index cc7c8dab5e..eb9251ed48 100644 --- a/kbs/Makefile +++ b/kbs/Makefile 
@@ -1,12 +1,35 @@ AS_TYPE ?= coco-as ALIYUN ?= false -ARCH := $(shell uname -m) +BUILD_ARCH := $(shell uname -m) +ARCH ?= $(shell uname -m) # Check if ARCH is supported, otehrwise return error ifeq ($(filter $(ARCH),x86_64 s390x aarch64),) $(error "Unsupported architecture: $(ARCH)") endif +RELEASE_DIR := ../target/release +TARGET_FLAG := +CARGO_ENV := +ifneq ($(BUILD_ARCH), $(ARCH)) + ifneq (,$(wildcard /etc/debian_version)) + GCC_PACKAGE := gcc-$(ARCH)-linux-gnu + GCC_COMPILER := $(ARCH)-linux-gnu-gcc + RUSTC_TARGET := $(ARCH)-unknown-linux-gnu + GCC_INSTALL := $(shell sudo apt-get install -y ${GCC_PACKAGE}) + RUST_INSTALL := $(shell rustup target add ${RUSTC_TARGET}) + RUSTFLAGS_ARGS := -C linker=$(GCC_COMPILER) + TARGET_FLAG := --target $(RUSTC_TARGET) + RELEASE_DIR := ../target/$(RUSTC_TARGET)/release + OS_ARCH := $(ARCH) + OS_ARCH := $(OS_ARCH:x86_64=amd64) + OS_ARCH := $(OS_ARCH:aarch64=arm64) + CARGO_ENV := OPENSSL_INCLUDE_DIR=/usr/include/$(ARCH)-linux-gnu OPENSSL_LIB_DIR=/usr/lib/$(ARCH)-linux-gnu RUSTFLAGS="$(RUSTFLAGS_ARGS)" + else + $(error ERROR: Cross-compiling is only tested on Debian-like OSes) + endif +endif + CLI_FEATURES ?= ATTESTER ?= FEATURES ?= 
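Review bot: `GCC_INSTALL := $(shell sudo apt-get install -y ${GCC_PACKAGE})` and the `rustup target add` line below it run while the Makefile is parsed, so any invocation with `ARCH` different from the host, including `make install-kbs` or `make uninstall`, installs packages as root and discards the output and exit status. A build file should not escalate privileges as a side effect; it is presumably also why the Dockerfiles in this commit start adding `sudo` to the builder images. Check for the toolchain instead and fail with instructions, e.g. `ifeq (,$(shell command -v $(GCC_COMPILER)))` followed by `$(error install $(GCC_PACKAGE) and run rustup target add $(RUSTC_TARGET))`. The installation itself can then stay with the Dockerfile or the developer.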
@@ -37,25 +60,25 @@ build: background-check-kbs .PHONY: background-check-kbs background-check-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),$(AS_FEATURE) + $(CARGO_ENV) cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),$(AS_FEATURE) $(TARGET_FLAG) .PHONY: passport-issuer-kbs passport-issuer-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES) + $(CARGO_ENV) cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES) $(TARGET_FLAG) mv ../target/release/kbs ../target/release/issuer-kbs .PHONY: passport-resource-kbs passport-resource-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(FEATURES), + $(CARGO_ENV) cargo build -p kbs --locked --release --no-default-features --features $(FEATURES), $(TARGET_FLAG) mv ../target/release/kbs ../target/release/resource-kbs .PHONY: cli cli: - cargo build -p kbs-client --locked --release --no-default-features --features $(CLI_FEATURES) + $(CARGO_ENV) cargo build -p kbs-client --locked --release --no-default-features --features $(CLI_FEATURES) $(TARGET_FLAG) .PHONY: cli-static-linux cli-static-linux: - cargo build \ + $(CARGO_ENV) cargo build \ -p kbs-client \ --target=$(ARCH)-unknown-linux-gnu \ --config "target.$(ARCH)-unknown-linux-gnu.rustflags = '-C target-feature=+crt-static'" \ 
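Review bot: The `passport-issuer-kbs` and `passport-resource-kbs` recipes still run `mv ../target/release/kbs ../target/release/issuer-kbs` (and the `resource-kbs` equivalent), but with `$(TARGET_FLAG)` set cargo writes to `../target/$(RUSTC_TARGET)/release`, so both targets fail when cross-compiling even though the install rules now use `$(RELEASE_DIR)`. Use `mv $(RELEASE_DIR)/kbs $(RELEASE_DIR)/issuer-kbs` and the matching line for `resource-kbs`. In `cli-static-linux`, whose recipe continues outside this hunk, `$(CARGO_ENV)` exports `RUSTFLAGS`, and cargo ignores `target.<triple>.rustflags` from `--config` when that variable is set. The `+crt-static` flag is therefore likely dropped for cross builds; adding `-C target-feature=+crt-static` to the exported flags for that target would keep the client statically linked.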
@@ -65,17 +88,17 @@ cli-static-linux: --features sample_only install-kbs: - install -D -m0755 ../target/release/kbs $(INSTALL_DESTDIR) + install -D -m0755 $(RELEASE_DIR)/kbs $(INSTALL_DESTDIR) install-issuer-kbs: - install -D -m0755 ../target/release/issuer-kbs $(INSTALL_DESTDIR) - install -D -m0755 ../target/release/kbs-client $(INSTALL_DESTDIR) + install -D -m0755 $(RELEASE_DIR)/issuer-kbs $(INSTALL_DESTDIR) + install -D -m0755 $(RELEASE_DIR)/kbs-client $(INSTALL_DESTDIR) install-resource-kbs: - install -D -m0755 ../target/release/resource-kbs $(INSTALL_DESTDIR) + install -D -m0755 $(RELEASE_DIR)/resource-kbs $(INSTALL_DESTDIR) install-cli: - install -D -m0755 ../target/release/kbs-client $(INSTALL_DESTDIR) + install -D -m0755 $(RELEASE_DIR)/kbs-client $(INSTALL_DESTDIR) uninstall: rm -rf $(INSTALL_DESTDIR)/kbs $(INSTALL_DESTDIR)/kbs-client $(INSTALL_DESTDIR)/issuer-kbs $(INSTALL_DESTDIR)/resource-kbs diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index c2dcf2746d..ca5ec5b328 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -1,4 +1,5 @@ -FROM rust:slim AS builder +FROM --platform=$BUILDPLATFORM rust:slim AS builder +ARG BUILDPLATFORM=linux/amd64 ARG ARCH=x86_64 ARG ALIYUN=false @@ -9,7 +10,8 @@ RUN apt-get update && \ curl \ gpg \ gnupg-agent \ - git + git \ + sudo RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \ gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \ @@ -36,8 +38,8 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s WORKDIR /usr/src/kbs COPY . . -RUN cd kbs && make AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} && \ - make install-kbs +RUN cd kbs && make AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} ARCH=${ARCH} && \ + make ARCH=${ARCH} install-kbs FROM ubuntu:22.04 ARG ARCH=x86_64 diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile index 143da4f80f..419dc2660d 100644 
--- a/kbs/docker/coco-as-grpc/Dockerfile +++ b/kbs/docker/coco-as-grpc/Dockerfile @@ -1,15 +1,24 @@ -FROM rust:latest AS builder +FROM --platform=$BUILDPLATFORM rust:latest AS builder +ARG BUILDPLATFORM=linux/amd64 ARG ARCH=x86_64 ARG ALIYUN=false WORKDIR /usr/src/kbs COPY . . -RUN apt-get update && apt install -y protobuf-compiler git +RUN apt-get update && apt install -y protobuf-compiler git sudo + +ENV OS_ARCH=${ARCH} +RUN if [ $(uname -m) != ${ARCH} ]; then \ + OS_ARCH=$(echo $OS_ARCH | sed s/x86_64/amd64/); \ + OS_ARCH=$(echo $OS_ARCH | sed s/aarch64/arm64/); \ + dpkg --add-architecture ${OS_ARCH}; \ + apt-get update; \ + apt-get install -y libssl-dev:${OS_ARCH}; fi # Build and Install KBS -RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} && \ - make install-kbs +RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} ARCH=${ARCH} && \ + make ARCH=${ARCH} install-kbs FROM ubuntu:22.04 diff --git a/kbs/docker/kbs-client/Dockerfile b/kbs/docker/kbs-client/Dockerfile index 6262612749..5d3ea6a0f6 100644 --- a/kbs/docker/kbs-client/Dockerfile +++ b/kbs/docker/kbs-client/Dockerfile @@ -6,6 +6,14 @@ COPY . . RUN apt-get update && apt install -y pkg-config libssl-dev git sudo +ENV OS_ARCH=${ARCH} +RUN if [ $(uname -m) != ${ARCH} ]; then \ + OS_ARCH=$(echo $OS_ARCH | sed s/x86_64/amd64/); \ + OS_ARCH=$(echo $OS_ARCH | sed s/aarch64/arm64/); \ + dpkg --add-architecture ${OS_ARCH}; \ + apt-get update; \ + apt-get install -y libssl-dev:${OS_ARCH}; fi + # Build KBS Client RUN cd kbs && make ARCH=${ARCH} cli-static-linux && \ cp ../target/${ARCH}-unknown-linux-gnu/release/kbs-client / diff --git a/rvps/docker/Dockerfile b/rvps/docker/Dockerfile index be466a121d..3a0afc91f8 100644 --- a/rvps/docker/Dockerfile +++ b/rvps/docker/Dockerfile 
@@ -2,7 +2,9 @@ # Licensed under the Apache License, Version 2.0, see LICENSE for details. # SPDX-License-Identifier: Apache-2.0 -FROM rust:latest AS builder +FROM --platform=$BUILDPLATFORM rust:latest AS builder +ARG BUILDPLATFORM=linux/amd64 +ARG ARCH=x86_64 WORKDIR /usr/src/rvps @@ -10,7 +12,16 @@ COPY . . RUN apt-get update && apt-get install protobuf-compiler -y -RUN cargo install --bin rvps --path rvps +RUN if [ "$(uname -m)" != "${ARCH}" ]; then \ + export GCC_PACKAGE="gcc-${ARCH}-linux-gnu"; \ + export GCC_COMPILER="${ARCH}-linux-gnu-gcc"; \ + export RUSTC_TARGET="${ARCH}-unknown-linux-gnu"; \ + export TARGET_FLAG="--target ${RUSTC_TARGET}"; \ + export RUSTFLAGS_ARGS=" -C linker=${GCC_COMPILER}"; \ + export RUSTFLAGS="${RUSTFLAGS_ARGS}"; \ + apt-get install -y ${GCC_PACKAGE}; \ + rustup target add ${RUSTC_TARGET}; fi; \ + cargo install --bin rvps --path rvps ${TARGET_FLAG} FROM debian From 0eae444028f3ac1f2aa6ea5a1477f3e2f0f870f2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Dec 2024 01:44:54 +0000 Subject: [PATCH 232/298] build(deps): bump tokio from 1.41.1 to 1.42.0 Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.41.1 to 1.42.0. - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.41.1...tokio-1.42.0) --- updated-dependencies: - dependency-name: tokio dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ac245c772f..60999abd6e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3002,7 +3002,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.52.6", + "windows-targets 0.48.5", ] [[package]] 
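Review bot: The rewritten `cargo install --bin rvps --path rvps ${TARGET_FLAG}` in rvps/docker/Dockerfile still omits `--locked`, and `cargo install` does not honour `Cargo.lock` unless that flag is given. The RVPS image is therefore built from whatever dependency versions resolve at build time, while the AS Dockerfiles changed in the same commit pass `--locked`. For the service that stores reference values this leaves the shipped dependency set unreviewed and unreproducible. Add the flag: `cargo install --bin rvps --path rvps --locked ${TARGET_FLAG}`.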
@@ -5347,9 +5347,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.41.1" +version = "1.42.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" +checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551" dependencies = [ "backtrace", "bytes", From 898230a55e00963d9a8f4f05712ea6762d4e9d79 Mon Sep 17 00:00:00 2001 From: Seunguk Shin Date: Mon, 23 Dec 2024 10:35:27 +0000 Subject: [PATCH 233/298] ci: fix failure to build kbs-client on s390x The official rust docker image supports s390x from v1.78.0 Signed-off-by: Seunguk Shin --- kbs/docker/kbs-client/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/docker/kbs-client/Dockerfile b/kbs/docker/kbs-client/Dockerfile index 5d3ea6a0f6..257eee6a38 100644 --- a/kbs/docker/kbs-client/Dockerfile +++ b/kbs/docker/kbs-client/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:1.76.0 AS builder +FROM rust:1.78.0 AS builder ARG ARCH=x86_64 WORKDIR /usr/src/kbs From 80f801ff741d0b59050efa12af333357630dd782 Mon Sep 17 00:00:00 2001 From: Seunguk Shin Date: Mon, 23 Dec 2024 11:24:26 +0000 Subject: [PATCH 234/298] ci: fix failure to create multi-arch images Disable provenance information to create multi-arch image Signed-off-by: Seunguk Shin --- .github/workflows/build-as-image.yml | 2 +- .github/workflows/build-kbs-image.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-as-image.yml b/.github/workflows/build-as-image.yml index fdf0befd5f..c7f08b6a94 100644 --- a/.github/workflows/build-as-image.yml +++ b/.github/workflows/build-as-image.yml 
@@ -67,7 +67,7 @@ jobs: - name: Build ${{ matrix.name }} Container Image run: | commit_sha=${{ github.sha }} - docker buildx build --platform "${{ matrix.target_platform }}" \ + docker buildx build --platform "${{ matrix.target_platform }}" --provenance false \ -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ --build-arg BUILDPLATFORM="${{ matrix.build_platform }}" \ --build-arg ARCH="${{ matrix.target_arch }}" \ diff --git a/.github/workflows/build-kbs-image.yml b/.github/workflows/build-kbs-image.yml index 4491b908b5..95f87c9076 100644 --- a/.github/workflows/build-kbs-image.yml +++ b/.github/workflows/build-kbs-image.yml @@ -78,7 +78,7 @@ jobs: - name: Build Container Image KBS (${{ matrix.name }}) run: | commit_sha=${{ github.sha }} - docker buildx build --platform "${{ matrix.target_platform }}" \ + docker buildx build --platform "${{ matrix.target_platform }}" --provenance false \ -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \ -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" \ From 0e09d071e4d394c3f9174543efd20e2dc0aa039c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Dec 2024 02:04:33 +0000 Subject: [PATCH 235/298] build(deps): bump zerofrom-derive from 0.1.4 to 0.1.5 Bumps [zerofrom-derive](https://github.com/unicode-org/icu4x) from 0.1.4 to 0.1.5. - [Release notes](https://github.com/unicode-org/icu4x/releases) - [Changelog](https://github.com/unicode-org/icu4x/blob/main/CHANGELOG.md) - [Commits](https://github.com/unicode-org/icu4x/commits/ind/databake@0.1.5) --- updated-dependencies: - dependency-name: zerofrom-derive dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
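Review bot: `--provenance false` on the `docker buildx build` line turns off the build-provenance attestation that BuildKit would otherwise attach to the pushed image, so the staged images carry no record of how they were built; the build-kbs-image.yml hunk adds the same flag. The step that assembles the multi-arch image is not visible here; if it uses `docker manifest create`, switching it to `docker buildx imagetools create` would probably let the per-arch images keep their attestations. If the flag stays, a comment above the command such as `# provenance disabled: the multi-arch merge step needs plain per-arch manifests` would record why it is off.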
diff --git a/Cargo.lock b/Cargo.lock index 60999abd6e..3d8f533794 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -6391,9 +6391,9 @@ dependencies = [ [[package]] name = "zerofrom-derive" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5" +checksum = "595eed982f7d355beb85837f651fa22e90b3c044842dc7f2c2842c086f295808" dependencies = [ "proc-macro2", "quote", From 8e1a6779a1c09232f52e9a95e92e45d9f320ed13 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Dec 2024 01:23:08 +0000 Subject: [PATCH 236/298] build(deps): bump hmac-sha1-compact from 1.1.4 to 1.1.5 Bumps [hmac-sha1-compact](https://github.com/jedisct1/rust-hmac-sha1) from 1.1.4 to 1.1.5. - [Commits](https://github.com/jedisct1/rust-hmac-sha1/commits/1.1.5) --- updated-dependencies: - dependency-name: hmac-sha1-compact dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3d8f533794..d4b31be439 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2184,9 +2184,9 @@ dependencies = [ [[package]] name = "hmac-sha1-compact" -version = "1.1.4" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9d405ec732fa3fcde87264e54a32a84956a377b3e3107de96e59b798c84a7" +checksum = "18492c9f6f9a560e0d346369b665ad2bdbc89fa9bceca75796584e79042694c3" [[package]] name = "hmac-sha256" From 6767378a6c980dd7c7367654589f32009e951f7d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Jan 2025 01:34:23 +0000 Subject: [PATCH 237/298] build(deps): bump eventlog-rs from 0.1.4 to 0.1.5 Bumps [eventlog-rs](https://github.com/inclavare-containers/eventlog-rs) from 0.1.4 to 0.1.5. - [Commits](https://github.com/inclavare-containers/eventlog-rs/commits) --- updated-dependencies: - dependency-name: eventlog-rs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 6 +++--- deps/verifier/Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d4b31be439..e409152748 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1803,9 +1803,9 @@ dependencies = [ [[package]] name = "eventlog-rs" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91edfc8fc097ee0f2b61f8d5abad0cc0b684cb8b9e34dcfd64467de8e9ceda08" +checksum = "2f63e89ae20606137075d874615efe9b6c1beb82c5b86d438e0bf2bb11b60519" dependencies = [ "anyhow", "byteorder", @@ -3002,7 +3002,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index 8d7c37fc4a..e7f5ebc3e8 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml @@ -29,7 +29,7 @@ cfg-if = "1.0.0" codicon = { version = "3.0", optional = true } # TODO: change it to "0.1", once released. csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "3045440", optional = true } -eventlog-rs = { version = "0.1.3", optional = true } +eventlog-rs = { version = "0.1.5", optional = true } hex.workspace = true jsonwebkey = "0.3.5" jsonwebtoken = { workspace = true, default-features = false, optional = true } 
From 492d4dac1c856ce04045232d1c2aca15f47fbea4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 Jan 2025 01:43:56 +0000 Subject: [PATCH 238/298] build(deps): bump tracing-subscriber from 0.3.18 to 0.3.19 Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.18 to 0.3.19. - [Release notes](https://github.com/tokio-rs/tracing/releases) - [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.18...tracing-subscriber-0.3.19) --- updated-dependencies: - dependency-name: tracing-subscriber dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e409152748..48a3b169fb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5619,9 +5619,9 @@ dependencies = [ [[package]] name = "tracing-subscriber" -version = "0.3.18" +version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad0f048c97dbd9faa9b7df56362b8ebcaa52adb06b498c050d2f4e32f90a7a8b" +checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008" dependencies = [ "nu-ansi-term", "sharded-slab", From 9db6d0b3b132740d62a7f9fb95ee72c392bc3db6 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 26 Dec 2024 10:23:07 +0800 Subject: [PATCH 239/298] chore: update to x509-parser 0.16.0 and asn1-rs 0.6.2 The two dependencies have version dependencies so we update them together. Signed-off-by: Xynnn007 --- Cargo.lock | 47 +++++++++++++----------------------- deps/verifier/Cargo.toml | 4 +-- deps/verifier/src/snp/mod.rs | 2 +- 3 files changed, 20 insertions(+), 33 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 48a3b169fb..dc10921516 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -412,9 +412,9 @@ checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50" [[package]] name = "asn1-rs" -version = "0.5.2" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f6fd5ddaf0351dff5b8da21b2fb4ff8e08ddd02857f0bf69c47639106c0fff0" +checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048" dependencies = [ "asn1-rs-derive", "asn1-rs-impl", @@ -428,25 +428,25 @@ dependencies = [ [[package]] name = "asn1-rs-derive" -version = "0.4.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c" +checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490" dependencies = [ "proc-macro2", "quote", - "syn 1.0.109", - "synstructure 0.12.6", + "syn 2.0.87", + "synstructure", ] [[package]] name = "asn1-rs-impl" -version = "0.1.0" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed" +checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7" dependencies = [ "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.87", ] [[package]] @@ -1517,9 +1517,9 @@ dependencies = [ [[package]] name = "der-parser" -version = "8.2.0" +version = "9.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dbd676fbbab537128ef0278adb5576cf363cff6aa22a7b24effe97347cfab61e" +checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553" dependencies = [ "asn1-rs", "displaydoc", 
@@ -3340,9 +3340,9 @@ dependencies = [ [[package]] name = "oid-registry" -version = "0.6.1" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9bedf36ffb6ba96c2eb7144ef6270557b52e54b20c0a8e1eb2ff99a6c6959bff" +checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9" dependencies = [ "asn1-rs", ] @@ -5131,18 +5131,6 @@ dependencies = [ "futures-core", ] -[[package]] -name = "synstructure" -version = "0.12.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f" -dependencies = [ - "proc-macro2", - "quote", - "syn 1.0.109", - "unicode-xid", -] - [[package]] name = "synstructure" version = "0.13.1" @@ -6295,12 +6283,11 @@ checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" [[package]] name = "x509-parser" -version = "0.14.0" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0ecbeb7b67ce215e40e3cc7f2ff902f94a223acf44995934763467e7b1febc8" +checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69" dependencies = [ "asn1-rs", - "base64 0.13.1", "data-encoding", "der-parser", "lazy_static", @@ -6356,7 +6343,7 @@ dependencies = [ "proc-macro2", "quote", "syn 2.0.87", - "synstructure 0.13.1", + "synstructure", ] [[package]] @@ -6398,7 +6385,7 @@ dependencies = [ "proc-macro2", "quote", "syn 2.0.87", - "synstructure 0.13.1", + "synstructure", ] [[package]] diff --git a/deps/verifier/Cargo.toml b/deps/verifier/Cargo.toml index e7f5ebc3e8..710df148e9 100644 --- a/deps/verifier/Cargo.toml +++ b/deps/verifier/Cargo.toml 
@@ -18,7 +18,7 @@ se-verifier = [ "openssl", "pv", "serde_with", "tokio/sync" ] [dependencies] anyhow.workspace = true thiserror.workspace = true -asn1-rs = { version = "0.5.1", optional = true } +asn1-rs = { version = "0.6.2", optional = true } async-trait.workspace = true az-snp-vtpm = { version = "0.7.0", default-features = false, features = ["verifier"], optional = true } az-tdx-vtpm = { version = "0.7.0", default-features = false, features = ["verifier"], optional = true } @@ -48,7 +48,7 @@ intel-tee-quote-verification-rs = { git = "https://github.com/intel/SGXDataCente strum.workspace = true veraison-apiclient = { git = "https://github.com/chendave/rust-apiclient", branch = "token", optional = true } ear = { git = "https://github.com/veraison/rust-ear", rev = "43f7f480d09ea2ebc03137af8fbcd70fe3df3468", optional = true } -x509-parser = { version = "0.14.0", optional = true } +x509-parser = { version = "0.16.0", optional = true } reqwest.workspace = true [build-dependencies] diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs index 2dce3b6886..0898783e0b 100644 --- a/deps/verifier/src/snp/mod.rs +++ b/deps/verifier/src/snp/mod.rs @@ -4,7 +4,7 @@ use log::{debug, warn}; extern crate serde; use self::serde::{Deserialize, Serialize}; use super::*; -use asn1_rs::{oid, Integer, OctetString, Oid}; +use asn1_rs::{oid, FromDer, Integer, OctetString, Oid}; use async_trait::async_trait; use openssl::{ ec::EcKey, From 8533b14a25ce7da1fef8fe5ffdf389548af63867 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Jan 2025 01:48:54 +0000 Subject: [PATCH 240/298] build(deps): bump prost from 0.13.3 to 0.13.4 Bumps [prost](https://github.com/tokio-rs/prost) from 0.13.3 to 0.13.4. - [Release notes](https://github.com/tokio-rs/prost/releases) - [Changelog](https://github.com/tokio-rs/prost/blob/master/CHANGELOG.md) - [Commits](https://github.com/tokio-rs/prost/compare/v0.13.3...v0.13.4) --- updated-dependencies: - dependency-name: prost dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index dc10921516..fc16695045 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3871,9 +3871,9 @@ dependencies = [ [[package]] name = "prost" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b0487d90e047de87f984913713b85c601c05609aad5b0df4b4573fbf69aa13f" +checksum = "2c0fef6c4230e4ccf618a35c59d7ede15dea37de8427500f50aff708806e42ec" dependencies = [ "bytes", "prost-derive", @@ -3902,9 +3902,9 @@ dependencies = [ [[package]] name = "prost-derive" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9552f850d5f0964a4e4d0bf306459ac29323ddfbae05e35a7c0d35cb0803cc5" +checksum = "157c5a9d7ea5c2ed2d9fb8f495b64759f7816c7eaea54ba3978f0d63000162e3" dependencies = [ "anyhow", "itertools", From f4708ca36393997221e2332ef34d22ae9fadf7ee Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Fri, 20 Dec 2024 10:13:01 -0600 Subject: [PATCH 241/298] ear: fix typo in policy The SNP executables should depend on the SNP reference values Signed-off-by: Tobin Feldman-Fitzthum --- attestation-service/src/token/ear_default_policy.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/attestation-service/src/token/ear_default_policy.rego b/attestation-service/src/token/ear_default_policy.rego index c035ef0a56..0739bc3a3b 100644 --- a/attestation-service/src/token/ear_default_policy.rego +++ b/attestation-service/src/token/ear_default_policy.rego @@ -84,7 +84,7 @@ sample_hardware := 2 if { ##### SNP snp_executables := 3 if { # In the future, we might calculate this measurement here various components - input.sample.launch_measurement in data.reference.snp_launch_measurement + input.snp.launch_measurement in data.reference.snp_launch_measurement } snp_hardware := 2 if { From 4473595fb4675d0d21c50b71b4c1fe0b4c2f6196 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Fri, 20 Dec 2024 10:29:38 -0600 Subject: [PATCH 242/298] ear: remove min operations from policy Make the policy logic simpler. Rather than using the min function (which I'm not sure is even defined on TrustClaims) use short-circuiting to only evaluate the rules for the platform that has TCB values defined. I don't think there is any risk that the policy could be tricked into evaluating the wrong rules, such as the sample ones. Signed-off-by: Tobin Feldman-Fitzthum --- .../src/token/ear_default_policy.rego | 52 +++---------------- 1 file changed, 8 insertions(+), 44 deletions(-) diff --git a/attestation-service/src/token/ear_default_policy.rego b/attestation-service/src/token/ear_default_policy.rego index 0739bc3a3b..10fc2815dc 100644 --- a/attestation-service/src/token/ear_default_policy.rego +++ b/attestation-service/src/token/ear_default_policy.rego 
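Review bot: The corrected rule reads `input.snp.launch_measurement`, but the SNP claims map shown further down this page (deps/verifier/src/snp/mod.rs) emits the value under the key `measurement`, so the rule may still never match and `snp_executables` would stay at its default of 33. How the verifier claims are mapped into `input.snp` is not visible here, so this needs checking against the token broker. If the key is passed through unchanged, the line would be `input.snp.measurement in data.reference.snp_launch_measurement`.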
@@ -14,60 +14,24 @@ import rego.v1 # For the `executables` trust claim, the value 33 stands for # "Runtime memory includes executables, scripts, files, and/or # objects which are not recognized." -default sample_executables := 33 - -default snp_executables := 33 - -default tdx_executables := 33 - -default az_snp_executables := 33 - -default az_tdx_executables := 33 - -default se_executables := 33 +default executables := 33 # For the `hardware` trust claim, the value 97 stands for # "A Verifier does not recognize an Attester's hardware or # firmware, but it should be recognized." -default sample_hardware := 97 - -default snp_hardware := 97 - -default tdx_hardware := 97 - -default az_snp_hardware := 97 - -default az_tdx_hardware := 97 - -default se_hardware := 97 +default hardware := 97 # For the `configuration` trust claim the value 36 stands for # "Elements of the configuration relevant to security are # unavailable to the Verifier." -default sample_configuration := 36 - -default snp_configuration := 36 - -default tdx_configuration := 36 - -default az_snp_configuration := 36 - -default az_tdx_configuration := 36 - -default se_configuration := 36 - -executables := min({sample_executables, snp_executables, tdx_executables, az_snp_executables, az_tdx_executables, se_executables}) - -hardware := min({sample_hardware, snp_hardware, tdx_hardware, az_snp_hardware, az_tdx_hardware, se_hardware}) - -configuration := min({sample_configuration, snp_configuration, tdx_configuration, az_snp_configuration, az_tdx_configuration, se_configuration}) +default configuration := 36 ##### Sample # For the `executables` trust claim, the value 3 stands for # "Only a recognized genuine set of approved executables have # been loaded during the boot process." -sample_executables := 3 if { +executables := 3 if { # The sample attester does not report any launch digest. # This is an example of how a real platform might validate executables. 
input.sample.launch_digest in data.reference.launch_digest @@ -77,17 +41,17 @@ sample_executables := 3 if { # "An Attester has passed its hardware and/or firmware # verifications needed to demonstrate that these are genuine/ # supported. -sample_hardware := 2 if { +hardware := 2 if { input.sample.svn in data.reference.svn } ##### SNP -snp_executables := 3 if { +executables := 3 if { # In the future, we might calculate this measurement here various components input.snp.launch_measurement in data.reference.snp_launch_measurement } -snp_hardware := 2 if { +hardware := 2 if { # Check the reported TCB to validate the ASP FW input.snp.reported_tcb_bootloader in data.reference.snp_bootloader input.snp.reported_tcb_microcode in data.reference.snp_microcode @@ -99,7 +63,7 @@ snp_hardware := 2 if { # "The configuration is a known and approved config." # # For this, we compare all the configuration fields. -snp_configuration := 2 if { +configuration := 2 if { input.snp.policy_debug_allowed == 0 input.snp.policy_migrate_ma == 0 input.snp.platform_smt_enabled in data.reference.snp_smt_enabled From 8623ab73f652bf97a92db1075129fe7322a4d273 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Jan 2025 01:35:52 +0000 Subject: [PATCH 243/298] build(deps): bump cc from 1.2.1 to 1.2.7 Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.2.1 to 1.2.7. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.2.1...cc-v1.2.7) --- updated-dependencies: - dependency-name: cc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index fc16695045..6763b34da8 100644 --- a/Cargo.lock +++ b/Cargo.lock 
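Review bot: The sample and SNP sections now define bodies for the same complete rules (`executables` and `hardware` in both, `configuration` for SNP), and Rego raises a conflict error when two bodies of a complete rule are true with different values. Every body in these hunks assigns the same value per rule (3, 2, 2), so evaluation is safe today, but that is an unwritten constraint on any platform section added later. Nothing in the rules ties the three results to the same `input.<platform>` subtree either, so they depend on `input` holding claims for one platform only. I would add a comment above the first `default` line, e.g. `# Every platform section must assign the same value per claim; input is expected to contain exactly one platform key.`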
@@ -957,9 +957,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.1" +version = "1.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47" +checksum = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7" dependencies = [ "jobserver", "libc", From 118acd4742d76a27bbb3442251b6c4a3a80dc2d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Jan 2025 02:02:10 +0000 Subject: [PATCH 244/298] build(deps): bump coarsetime from 0.1.34 to 0.1.35 Bumps [coarsetime](https://github.com/jedisct1/rust-coarsetime) from 0.1.34 to 0.1.35. - [Commits](https://github.com/jedisct1/rust-coarsetime/compare/0.1.34...0.1.35) --- updated-dependencies: - dependency-name: coarsetime dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6763b34da8..8c18858a9f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1128,9 +1128,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "coarsetime" -version = "0.1.34" +version = "0.1.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13b3839cf01bb7960114be3ccf2340f541b6d0c81f8690b007b2b39f750f7e5d" +checksum = "4252bf230cb600c19826a575b31c8c9c84c6f11acfab6dfcad2e941b10b6f8e2" dependencies = [ "libc", "wasix", From 6b09dacfbc4c282aab74ef4d0b5e721bcc0d583d Mon Sep 17 00:00:00 2001 
From: Tobin Feldman-Fitzthum Date: Tue, 7 Jan 2025 16:29:34 +0000 Subject: [PATCH 245/298] k8s: remove token signer from k8s config The Kata CI does not setup the attestation token signing keys. This causes the KBS to break when we bump the repo version and pick up this new config which had the signing key specified. In the future we can change the CI to setup the signing keys (although we are already testing this in our Makefile test), but for now let's stick with the existing behavior. Signed-off-by: Tobin Feldman-Fitzthum --- kbs/config/kubernetes/base/kbs-config.toml | 3 --- 1 file changed, 3 deletions(-) diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 5d1b228d1e..592a44079b 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml @@ -15,9 +15,6 @@ work_dir = "/opt/confidential-containers/attestation-service" type = "Ear" duration_min = 5 -[attestation_service.attestation_token_broker.signer] -key_path = "/kbs/as-private-key.pem" - [attestation_service.rvps_config] type = "BuiltIn" From b68ca1f7c86c4e86a507ce801e1d4ec2c810ae81 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Jan 2025 01:36:28 +0000 Subject: [PATCH 246/298] build(deps): bump yoke from 0.7.4 to 0.7.5 Bumps [yoke](https://github.com/unicode-org/icu4x) from 0.7.4 to 0.7.5. - [Release notes](https://github.com/unicode-org/icu4x/releases) - [Changelog](https://github.com/unicode-org/icu4x/blob/main/CHANGELOG.md) - [Commits](https://github.com/unicode-org/icu4x/commits) --- updated-dependencies: - dependency-name: yoke dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8c18858a9f..87071b6497 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -6324,9 +6324,9 @@ checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" [[package]] name = "yoke" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5" +checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40" dependencies = [ "serde", "stable_deref_trait", @@ -6336,9 +6336,9 @@ dependencies = [ [[package]] name = "yoke-derive" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95" +checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154" dependencies = [ "proc-macro2", "quote", From f61e818099fd90ac4278d36ca25f8b9c49a413ae Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Jan 2025 14:36:47 +0000 Subject: [PATCH 247/298] build(deps): bump quote from 1.0.37 to 1.0.38 Bumps [quote](https://github.com/dtolnay/quote) from 1.0.37 to 1.0.38. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.37...1.0.38) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 87071b6497..baf4de377f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3992,9 +3992,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.37" +version = "1.0.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" +checksum = "0e4dccaaaf89514f546c693ddc140f729f958c247918a13380cccc6078391acc" dependencies = [ "proc-macro2", ] 
From 81a00226b44f2b43be732662078dfc2657ca44aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 9 Jan 2025 18:30:01 +0100 Subject: [PATCH 248/298] kbs: Bail if the jwk sets cannot be downloaded MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of just warning and proceeding, as done right now[0], let's bail as the current behaviour leads to an unusable KBS[1]. By bailing earlier at that point, when trustee pod is being deployed by the trustee-operator, we ensure that the pod will error out and kubernetes will take care of restarting the pod till its startup properly succeeds. [0]: ``` [INFO kbs] Using config file /etc/kbs-config/kbs-config.json [WARN kbs::token::jwk] error getting JWKS: SourceAccess("error sending request for url (https://portal.trustauthority.intel.com/.well-known/openid-configuration)") [INFO kbs] Starting HTTP server at [0.0.0.0:8080] [WARN kbs::token::jwk] error getting JWKS: SourceAccess("error sending request for url (https://portal.trustauthority.intel.com/.well-known/openid-configuration)") [INFO actix_server::builder] starting 56 workers [INFO actix_server::server] Tokio runtime found; starting in existing Tokio runtime ``` [1]: ``` [INFO actix_web::middleware::logger] 10.128.0.32 "POST /kbs/v0/attest HTTP/1.1" 401 218 "-" "attestation-agent-kbs-client/0.1.0" 0.279838 [INFO kbs::http::attest] Auth API called. [INFO actix_web::middleware::logger] 10.128.0.32 "POST /kbs/v0/auth HTTP/1.1" 200 108 "-" "attestation-agent-kbs-client/0.1.0" 0.000334 [INFO kbs::http::attest] Attest API called. [INFO kbs::attestation::intel_trust_authority] POST attestation request ... [ERROR kbs::http::error] Attestation failed: Failed to verify attestation token Caused by: Cannot verify token since trusted JWK Set is empty ``` Signed-off-by: Fabiano Fidêncio --- kbs/src/token/jwk.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/kbs/src/token/jwk.rs b/kbs/src/token/jwk.rs index 7f66223edf..e5360bf710 100644 --- a/kbs/src/token/jwk.rs +++ b/kbs/src/token/jwk.rs @@ -93,7 +93,7 @@ impl JwkAttestationTokenVerifier { for path in config.trusted_jwk_sets.iter() { match get_jwks_from_file_or_url(path).await { Ok(mut jwkset) => trusted_jwk_sets.keys.append(&mut jwkset.keys), - Err(e) => log::warn!("error getting JWKS: {:?}", e), + Err(e) => bail!("error getting JWKS: {:?}", e), } } From 58b8b1f9eeb6069cba0de0c068d03adc6c2f3648 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Fri, 10 Jan 2025 16:41:14 +0100 Subject: [PATCH 249/298] verifier: Rename user_data to report_data in SeAttestationClaims The EAR token broker does not insert the `report_data` for SE attestation claim because there is no matching field in `SeAttestationClaims`. The absence leads to `TokenVerifierError(NoTeePubKeyClaimFound)` after successful attestation. As an interim solution, this commit renames the existing `user_data` to `report_data`, enabling the token broker to perform its task correctly. Signed-off-by: Hyounggyu Choi --- deps/verifier/src/se/ibmse.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deps/verifier/src/se/ibmse.rs b/deps/verifier/src/se/ibmse.rs index e8cf22477b..4708d156e9 100644 --- a/deps/verifier/src/se/ibmse.rs +++ b/deps/verifier/src/se/ibmse.rs @@ -90,7 +90,7 @@ pub struct SeAttestationResponse { pub struct SeAttestationClaims { #[serde_as(as = "Hex")] cuid: ConfigUid, - user_data: String, + report_data: String, version: u32, #[serde_as(as = "Hex")] image_phkh: Vec, @@ -217,7 +217,7 @@ impl SeVerifierImpl { let claims = SeAttestationClaims { cuid: se_response.cuid, - user_data: String::from_utf8(se_response.user_data.clone())?, + report_data: String::from_utf8(se_response.user_data.clone())?, version: AttestationVersion::One as u32, image_phkh: image_phkh.to_vec(), attestation_phkh: attestation_phkh.to_vec(), 
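Review bot: The new `bail!` in the `Err(e)` arm does not say which entry of `config.trusted_jwk_sets` failed, which matters more now that the error stops startup instead of being logged. Including the loop variable would make the failure actionable, e.g. `Err(e) => bail!("error getting JWKS from {}: {:?}", path, e),` (this assumes `path` implements `Display`; its type is not shown). The enclosing function starts and ends outside the hunk.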
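Review bot: In the ibmse.rs hunks, `report_data: String::from_utf8(se_response.user_data.clone())?` makes claim construction fail whenever the attester's user data is not valid UTF-8. It also gives the field a different encoding from the SNP verifier on this page, which emits `report_data` as base64. How the token broker consumes the field is not visible here; if it treats it uniformly across platforms, a byte-safe encoding would be more robust, e.g. `report_data: hex::encode(&se_response.user_data),` (the crate already depends on `hex`). Both hunks sit inside definitions that start and end outside the visible lines.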
From 583ab690a230348b2d7839b177fc3910d3ccacba Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Fri, 10 Jan 2025 10:52:24 -0600 Subject: [PATCH 250/298] snp: add report_data to tcb_claims EAR tokens expect to find a report_data field in the TCB Claims as a signal that the verifier has checked the binding of the report data and the evidence. The SNP verifier does check the report data field, but it does not report it. This should not affect the az-snp verifier which will insert its own report_data on top of this field. Signed-off-by: Tobin Feldman-Fitzthum --- deps/verifier/src/snp/mod.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs index 0898783e0b..d1923cc7e6 100644 --- a/deps/verifier/src/snp/mod.rs +++ b/deps/verifier/src/snp/mod.rs @@ -1,5 +1,5 @@ use anyhow::anyhow; -use base64::Engine; +use base64::{Engine, engine::general_purpose::STANDARD}; use log::{debug, warn}; extern crate serde; use self::serde::{Deserialize, Serialize}; @@ -318,7 +318,10 @@ pub(crate) fn parse_tee_evidence(report: &AttestationReport) -> TeeEvidenceParse "platform_smt_enabled": format!("{}", report.plat_info.smt_enabled()), // measurement - "measurement": format!("{}", base64::engine::general_purpose::STANDARD.encode(report.measurement)), + "measurement": format!("{}", STANDARD.encode(report.measurement)), + + // report data + "report_data": format!("{}", STANDARD.encode(report.report_data)), }); claims_map as TeeEvidenceParsedClaim From 437159a9562a8cf5001aa359069adf3f7fc2c358 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Fri, 10 Jan 2025 11:03:33 -0600 Subject: [PATCH 251/298] snp: add init_data to TCB Claims Since the SNP verifier also checks the init data, include the init_data field in the tcb claims. This will allow EAR tokens to contain the init_data_claims. 
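Review bot: `report_data` is added to the claims map in `parse_tee_evidence` unconditionally, while the commit relies on its presence as the signal that the verifier checked the binding between report data and evidence. The comparison itself is outside the hunk; if the caller can skip it when no expected report data is supplied, the claim would still be emitted and read as verified, so it should be set only on the path where the comparison ran. The `init_data` entry that the following commit adds to the same map has the same property for `host_data`. At minimum a comment on the entry, e.g. `// emitted even when the caller supplied no expected report data`, would keep the meaning clear.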
Signed-off-by: Tobin Feldman-Fitzthum --- deps/verifier/src/snp/mod.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs index d1923cc7e6..1daffb4a72 100644 --- a/deps/verifier/src/snp/mod.rs +++ b/deps/verifier/src/snp/mod.rs @@ -317,11 +317,10 @@ pub(crate) fn parse_tee_evidence(report: &AttestationReport) -> TeeEvidenceParse "platform_tsme_enabled": format!("{}", report.plat_info.tsme_enabled()), "platform_smt_enabled": format!("{}", report.plat_info.smt_enabled()), - // measurement + // measurements "measurement": format!("{}", STANDARD.encode(report.measurement)), - - // report data "report_data": format!("{}", STANDARD.encode(report.report_data)), + "init_data": format!("{}", STANDARD.encode(report.host_data)), }); claims_map as TeeEvidenceParsedClaim From 717c1bfa93c8be590b996873366e417d69858420 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Fri, 6 Sep 2024 08:49:31 +0100 Subject: [PATCH 252/298] Rebase upstream v0.11.0 Signed-off-by: Leonardo Milleri --- kbs/docker/rhel-ubi/Dockerfile | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile index 2c4aa2410a..3078fe4111 100644 --- a/kbs/docker/rhel-ubi/Dockerfile +++ b/kbs/docker/rhel-ubi/Dockerfile @@ -1,5 +1,6 @@ # Use UBI to build. FROM registry.access.redhat.com/ubi9 as builder +ARG ALIYUN=false # Install build dependencies from CentOS or RHEL repos. RUN \ 
@@ -31,11 +32,18 @@ pushd sgx_dcap_quoteverify_stubs && \ meson setup build --prefix=/usr && \ meson compile -C build && \ meson install -C build && \ -popd && \ +popd + # Build KBS. -cargo install --locked --root /usr/local/ --path kbs/src/kbs --no-default-features --features ${KBS_FEATURES} && \ +RUN ARCH=$(uname -m) && \ +if [ ${ARCH} = "s390x" ]; then \ + export OPENSSL_NO_VENDOR=1; \ +fi && \ +pushd kbs && make AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} ARCH=${ARCH} && make ARCH=${ARCH} install-kbs && popd + + # Check the sha256sum of the Intel provided RPMs on x86_64. -if [ $(uname -m) = "x86_64" ]; then \ +RUN if [ $(uname -m) = "x86_64" ]; then \ pushd sgx_dcap_quoteverify_stubs && \ echo "2621eac23cb756bc238f88d6db5401f7efed55d87855fc2b7e446ddfc1bd37ca" libsgx-dcap-default-qpl-1.21.100.3-1.el9.x86_64.rpm | sha256sum --check && \ echo "57da5fb2253a99bb2483d19b6f30d1170ebc384e2891937e2c89fa55886b7034" libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm | sha256sum --check && \ From 32bb5e49247a34314319cf27f6043bacba544c70 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 22 Feb 2025 00:33:58 +0000 Subject: [PATCH 253/298] chore(deps): update rust docker tag to v1.85.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- kbs/docker/kbs-client/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kbs/docker/kbs-client/Dockerfile b/kbs/docker/kbs-client/Dockerfile index 257eee6a38..a2f3b31e4b 100644 --- a/kbs/docker/kbs-client/Dockerfile +++ b/kbs/docker/kbs-client/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:1.78.0 AS builder +FROM rust:1.85.0 AS builder ARG ARCH=x86_64 WORKDIR /usr/src/kbs From febda94ff212848659621915076123e0938c2ba6 Mon Sep 17 00:00:00 2001 
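Review bot: The KBS build step drops `cargo install --locked` in favour of `make AS_FEATURE=coco-as-builtin ...`, and nothing in this hunk shows that the Makefile still passes `--locked` to cargo; without it the image can be built from dependency versions that differ from the committed Cargo.lock. Please confirm the make target is locked, or record the requirement above the step with `# the kbs Makefile must invoke cargo with --locked`. The tests `[ ${ARCH} = "s390x" ]` and `[ $(uname -m) = "x86_64" ]` leave the expansion unquoted; `[ "${ARCH}" = "s390x" ]` is the safer form. The RUN that verifies the Intel RPM checksums continues past the end of the hunk.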
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 22 Feb 2025 16:18:11 +0000 Subject: [PATCH 254/298] chore(deps): update konflux references to 793879e (#57) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 55d6912eb5..397e152c7a 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:397b72713668243d23c5ccce9b1353de95cd40c1c0a672f4bd8c94f820bd2ac8 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:793879ec8643707d152533ab77f83227aefb154ac686d8140c04fc1a1375f0f4 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 67cde87959..33c02d0071 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:397b72713668243d23c5ccce9b1353de95cd40c1c0a672f4bd8c94f820bd2ac8 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:793879ec8643707d152533ab77f83227aefb154ac686d8140c04fc1a1375f0f4 - name: kind value: pipeline taskRunTemplate: {} From eae88ae60ea588a72c09e9656e7f873b39dbc927 Mon Sep 17 00:00:00 2001 
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:06:35 +0000 Subject: [PATCH 255/298] chore(deps): update konflux references to 1fb4306 (#58) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 397e152c7a..4fb1207231 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:793879ec8643707d152533ab77f83227aefb154ac686d8140c04fc1a1375f0f4 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:1fb43067d1a89084f54390e6c263dbfe23b7dd6c10bdfafb438cbd43ebbf7f3b - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 33c02d0071..2e5af8bb56 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:793879ec8643707d152533ab77f83227aefb154ac686d8140c04fc1a1375f0f4 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:1fb43067d1a89084f54390e6c263dbfe23b7dd6c10bdfafb438cbd43ebbf7f3b - name: kind value: pipeline taskRunTemplate: {} From 1c68cd3e133df16879e551138f468a6b082a93d1 Mon Sep 17 00:00:00 2001 
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 15 Mar 2025 13:02:30 +0000 Subject: [PATCH 256/298] chore(deps): update konflux references to 68ea6ba (#59) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 4fb1207231..ee184818bb 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:1fb43067d1a89084f54390e6c263dbfe23b7dd6c10bdfafb438cbd43ebbf7f3b + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:68ea6baf573b7e5d3a47c34e7e1b8f1f1c28bf3546573314cba222f3d79b1cd5 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 2e5af8bb56..b121204ee0 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:1fb43067d1a89084f54390e6c263dbfe23b7dd6c10bdfafb438cbd43ebbf7f3b + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:68ea6baf573b7e5d3a47c34e7e1b8f1f1c28bf3546573314cba222f3d79b1cd5 - name: kind value: pipeline taskRunTemplate: {} From ce52c99ae4be099bc72e93d68bf521ba41ddbbb6 Mon Sep 17 00:00:00 2001 
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 29 Mar 2025 13:21:22 +0000 Subject: [PATCH 257/298] chore(deps): update konflux references to ce2fa48 (#62) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index ee184818bb..3d9868317b 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:68ea6baf573b7e5d3a47c34e7e1b8f1f1c28bf3546573314cba222f3d79b1cd5 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:ce2fa488b0ce0ba713d6756a4f86f06f1db1ab803dd344fbcfdab4e3dd775952 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index b121204ee0..e98efca934 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:68ea6baf573b7e5d3a47c34e7e1b8f1f1c28bf3546573314cba222f3d79b1cd5 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:ce2fa488b0ce0ba713d6756a4f86f06f1db1ab803dd344fbcfdab4e3dd775952 - name: kind value: pipeline taskRunTemplate: {} From 981d9f07f49dfa407c977184ad885c92cee512ef Mon Sep 17 00:00:00 2001 
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 30 Mar 2025 07:07:09 +0000 Subject: [PATCH 258/298] chore(deps): update module github.com/secure-systems-lab/go-securesystemslib to v0.9.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 6 +++--- rvps/cgo/go.sum | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index dcd4b373aa..d79700194e 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod @@ -5,8 +5,8 @@ go 1.20 require github.com/in-toto/in-toto-golang v0.9.0 require ( - github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - golang.org/x/crypto v0.14.0 // indirect - golang.org/x/sys v0.14.0 // indirect + golang.org/x/crypto v0.31.0 // indirect + golang.org/x/sys v0.28.0 // indirect ) diff --git a/rvps/cgo/go.sum b/rvps/cgo/go.sum index 60801c5d7e..77908c5d87 100644 --- a/rvps/cgo/go.sum +++ b/rvps/cgo/go.sum 
@@ -4,14 +4,14 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU= github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg= -github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI= +github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= +github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= -golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= gopkg.in/yaml.v3 v3.0.1 
h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= From b3e2a5e3c718f21c77f8ec2fe1cfc73a4150558e Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 19 Apr 2025 09:26:32 +0000 Subject: [PATCH 259/298] chore(deps): update konflux references to 4e6f788 (#66) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 3d9868317b..c01c4982fc 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:ce2fa488b0ce0ba713d6756a4f86f06f1db1ab803dd344fbcfdab4e3dd775952 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:4e6f788acfa10d0bdc69426019f2dbe31f7b4587aa1526fa554ba4628fcc66e8 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index e98efca934..9c16dc5d9f 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:ce2fa488b0ce0ba713d6756a4f86f06f1db1ab803dd344fbcfdab4e3dd775952 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:4e6f788acfa10d0bdc69426019f2dbe31f7b4587aa1526fa554ba4628fcc66e8 - name: kind value: pipeline taskRunTemplate: {} 
From 12912f017b86e86aa771bc80bd5749a31eecd3fa Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 26 Apr 2025 12:52:54 +0000 Subject: [PATCH 260/298] chore(deps): update konflux references to b507376 (#67) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 2 +- .tekton/trustee-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index c01c4982fc..79e6e73355 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -42,7 +42,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:4e6f788acfa10d0bdc69426019f2dbe31f7b4587aa1526fa554ba4628fcc66e8 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:b507376577eea0d2ec53209878c39db26030062c797d608994eb1a836cb90693 - name: kind value: pipeline taskRunTemplate: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 9c16dc5d9f..931fdb9085 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -39,7 +39,7 @@ spec: - name: name value: docker-build-multi-platform-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:4e6f788acfa10d0bdc69426019f2dbe31f7b4587aa1526fa554ba4628fcc66e8 + value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:b507376577eea0d2ec53209878c39db26030062c797d608994eb1a836cb90693 - name: kind value: pipeline taskRunTemplate: {} From a8bc09a58362e219aef525549b6e4c0cbf780bd7 Mon Sep 17 00:00:00 2001 
From: konflux Date: Sat, 10 May 2025 09:06:05 +0000 Subject: [PATCH 261/298] Konflux build pipeline service account migration for trustee Signed-off-by: konflux --- .tekton/trustee-pull-request.yaml | 13 +++++++------ .tekton/trustee-push.yaml | 13 +++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 79e6e73355..0cbf519e67 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -34,10 +34,9 @@ spec: value: "true" - name: build-platforms value: - - linux/x86_64 - - linux/s390x + - linux/x86_64 + - linux/s390x pipelineRef: - resolver: bundles params: - name: name value: docker-build-multi-platform-oci-ta @@ -45,11 +44,13 @@ spec: value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:b507376577eea0d2ec53209878c39db26030062c797d608994eb1a836cb90693 - name: kind value: pipeline - taskRunTemplate: {} + resolver: bundles + taskRunTemplate: + serviceAccountName: build-pipeline-trustee + timeouts: + pipeline: 2h0m0s workspaces: - name: git-auth secret: secretName: '{{ git_auth_secret }}' - timeouts: - pipeline: "2h" status: {} diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 931fdb9085..158f2f6386 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -31,10 +31,9 @@ spec: value: "true" - name: build-platforms value: - - linux/x86_64 - - linux/s390x + - linux/x86_64 + - linux/s390x pipelineRef: - resolver: bundles params: - name: name value: docker-build-multi-platform-oci-ta 
@@ -42,11 +41,13 @@ spec: value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:b507376577eea0d2ec53209878c39db26030062c797d608994eb1a836cb90693 - name: kind value: pipeline - taskRunTemplate: {} + resolver: bundles + taskRunTemplate: + serviceAccountName: build-pipeline-trustee + timeouts: + pipeline: 2h0m0s workspaces: - name: git-auth secret: secretName: '{{ git_auth_secret }}' - timeouts: - pipeline: "2h" status: {} From 05c32b0dd982975ba14f5b1131fa9bff9ce8637d Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Tue, 13 May 2025 09:45:04 +0100 Subject: [PATCH 262/298] hermetic build Signed-off-by: Leonardo Milleri --- .../docker-build-multi-platform-oci-ta.yaml | 576 ++ .tekton/trustee-pull-request.yaml | 14 +- .tekton/trustee-push.yaml | 11 +- Cargo.lock | 1200 ++-- Cargo.toml | 2 +- deps/verifier/src/tdx/eventlog.rs | 2 +- kbs/docker/rhel-ubi/Dockerfile | 14 +- rpm/redhat.repo | 6058 +++++++++++++++++ rpm/rpms.in.yaml | 10 + rpm/rpms.lock.yaml | 2052 ++++++ rpm/ubi.repo | 62 + 11 files changed, 9467 insertions(+), 534 deletions(-) create mode 100644 .tekton/docker-build-multi-platform-oci-ta.yaml create mode 100644 rpm/redhat.repo create mode 100644 rpm/rpms.in.yaml create mode 100644 rpm/rpms.lock.yaml create mode 100644 rpm/ubi.repo diff --git a/.tekton/docker-build-multi-platform-oci-ta.yaml b/.tekton/docker-build-multi-platform-oci-ta.yaml new file mode 100644 index 0000000000..5cdacdb7e8 --- /dev/null +++ b/.tekton/docker-build-multi-platform-oci-ta.yaml 
@@ -0,0 +1,576 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + labels: + pipelines.openshift.io/runtime: generic + pipelines.openshift.io/strategy: docker + pipelines.openshift.io/used-by: build-cloud + name: docker-build-multi-platform-oci-ta +spec: + description: | + This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_ + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . 
+ description: Path to the source code of an application's component from where to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "true" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: + - linux/x86_64 + description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller. 
+ name: build-platforms + type: array + results: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:737682d073a65a486d59b2b30e3104b93edd8490e0cd5e9b4a39703e47363f0f + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: dev-package-managers + value: "true" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:9709088bf3c581d4763e9804d9ee3a1f06ad6a61c23237277057c4f0cdc4f9c3 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: dev-package-managers + value: "true" + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + 
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta@sha256:3db5d3a02bcbbc034080474c06bec8388bd6abc71606503ac4832f6890e71503 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - matrix: + params: + - name: PLATFORM + value: + - $(params.build-platforms) + name: build-images + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: IMAGE_APPEND_PLATFORM + value: "true" + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-remote-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:468708e0a5dc3a314d71ca0cf2db80c6d7fefae98b292b10fa1cf07ea3787d9e + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: [] + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-images.results.IMAGE_REF[*]) + runAfter: + - build-images + taskRef: + params: + - name: name + 
value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:95be274b6d0432d4671e2c41294ec345121bdf01284b1c6c46b5537dc6b37e15 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:9fe82c9511f282287686f918bf1a543fcef417848e7a503357e988aab2887cee + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: [] + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:5d63b920b71192906fe4d6c4903f594e6f34c5edcff9d21714a08b5edcfbc667 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:712afcf63f3b5a97c371d37e637efbcc9e1c7ad158872339d00adc6413cd8851 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:7c2438c6201ee803de361fa2e9182fdc759126d5bc010abbbddf5aa40c7adc3c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:a1cb59ed66a7be1949c9720660efb0a006e95ef05b3f67929dd8e310e1d7baef + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:62c835adae22e36fce6684460b39206bc16752f1a4427cdbba4ee9afdd279670 
+ - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.2@sha256:e88c8eb990f8238f59c178644ef31fa4701c4caa96719e4b5267fa970516a529 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + workspaces: [] + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:0b35292eed661c5e3ca307c0ba7f594d17555db2a1da567903b0b47697fa23ed + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: 
$(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a591675c72f06fb9c5b1a3d60e6e4c58e4df5f7da180c7a4691a692a6e7e6496 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:61c90b1c94a2a11cb11211a0d65884089b758c34254fcec164d185a402beae22 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: 
$(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:55a4ff2910ae2e4502f3841719935d37578bd52156bc789fcdf45ff48c2b048b + - name: kind + value: task + resolver: bundles + workspaces: [] + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c0798ff85ad04f1553d349fe34aa4918597fb35b3b74e344dfbd5af2f3494300 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true \ No newline at end of file diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 79e6e73355..86ec770461 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml 
@@ -36,15 +36,13 @@ spec: value: - linux/x86_64 - linux/s390x + - name: prefetch-input + value: '[{"type": "rpm", "path": "rpm"}, + {"type": "cargo", "path": "./"}]' + - name: hermetic + value: "true" pipelineRef: - resolver: bundles - params: - - name: name - value: docker-build-multi-platform-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:b507376577eea0d2ec53209878c39db26030062c797d608994eb1a836cb90693 - - name: kind - value: pipeline + name: docker-build-multi-platform-oci-ta taskRunTemplate: {} workspaces: - name: git-auth diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 931fdb9085..760e104e7f 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -33,15 +33,10 @@ spec: value: - linux/x86_64 - linux/s390x + - name: hermetic + value: "true" pipelineRef: - resolver: bundles - params: - - name: name - value: docker-build-multi-platform-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta:devel@sha256:b507376577eea0d2ec53209878c39db26030062c797d608994eb1a836cb90693 - - name: kind - value: pipeline + name: docker-build-multi-platform-oci-ta taskRunTemplate: {} workspaces: - name: git-auth diff --git a/Cargo.lock b/Cargo.lock index f8ff9c587d..9bc74d3b6b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1,6 +1,6 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -version = 4 +version = 3 [[package]] name = "actix" @@ -11,7 +11,7 @@ dependencies = [ "actix-macros", "actix-rt", "actix_derive", - "bitflags 2.9.0", + "bitflags 2.9.1", "bytes", "crossbeam-channel", "futures-core", @@ -33,7 +33,7 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5f7b0a21988c1bf877cf4759ef5ddaac04c1c9fe808c9142ecb78ba97d97a28a" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", "bytes", "futures-core", "futures-sink", 
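Review bot: The `pipelineRef` at the end of this hunk drops the bundle reference that was pinned by an `@sha256:` digest and resolves the pipeline by bare name instead, so the definition that builds and scans the image is no longer fixed by content hash; the `.tekton/trustee-push.yaml` hunk that follows makes the same change. If the name is meant to resolve to the Pipeline definition this patch appears to add under `.tekton/` (not confirmable from this hunk), every edit to that file becomes an edit to the build and to its `skip-checks`-gated scan tasks, so it should sit behind required code-owner review. I would record that next to the reference, e.g. `# resolved from the in-repo Pipeline under .tekton/; task bundle digests are pinned there and must be bumped deliberately`. The `spec` block this hunk edits starts and ends outside the hunk.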
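Review bot: `hermetic: "true"` is added in the `.tekton/trustee-push.yaml` hunk without the `prefetch-input` parameter that the pull-request hunk adds next to it, so the pushed image is built with a different configuration from the one checked on the pull request. Unless `prefetch-input` is already set elsewhere in `trustee-push.yaml`, outside this hunk, a hermetic build would presumably have no network access and no prefetched RPM or cargo dependencies to build from. I would add the same entry before `hermetic`: `- name: prefetch-input` with `value: '[{"type": "rpm", "path": "rpm"}, {"type": "cargo", "path": "./"}]'`. The `params` list this hunk extends starts outside the hunk.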
@@ -46,9 +46,9 @@ dependencies = [ [[package]] name = "actix-http" -version = "3.10.0" +version = "3.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa882656b67966045e4152c634051e70346939fced7117d5f0b52146a7c74c9" +checksum = "44dfe5c9e0004c623edc65391dfd51daa201e7e30ebd9c9bedf873048ec32bc2" dependencies = [ "actix-codec", "actix-rt", @@ -56,7 +56,7 @@ dependencies = [ "actix-tls", "actix-utils", "base64 0.22.1", - "bitflags 2.9.0", + "bitflags 2.9.1", "brotli", "bytes", "bytestring", @@ -75,7 +75,7 @@ dependencies = [ "mime", "percent-encoding", "pin-project-lite", - "rand 0.9.0", + "rand 0.9.1", "sha1", "smallvec", "tokio", @@ -91,7 +91,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -122,9 +122,9 @@ dependencies = [ [[package]] name = "actix-server" -version = "2.5.1" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6398974fd4284f4768af07965701efbbb5fdc0616bff20cade1bb14b77675e24" +checksum = "a65064ea4a457eaf07f2fba30b4c695bf43b721790e9530d26cb6f9019ff7502" dependencies = [ "actix-rt", "actix-service", @@ -178,9 +178,9 @@ dependencies = [ [[package]] name = "actix-web" -version = "4.10.2" +version = "4.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2e3b15b3dc6c6ed996e4032389e9849d4ab002b1e92fbfe85b5f307d1479b4d" +checksum = "a597b77b5c6d6a1e1097fddde329a83665e25c5437c696a3a9a4aa514a614dea" dependencies = [ "actix-codec", "actix-http", @@ -229,7 +229,7 @@ dependencies = [ "actix-router", "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -255,7 +255,7 @@ checksum = "b6ac1e58cded18cb28ddc17143c4dea5345b3ad575e14f32f66e4054a56eb271" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -323,21 +323,21 @@ version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "891477e0c6a8957309ee5c45a6368af3ae14bb510732d2684ffa19af310920f9" dependencies = [ - "getrandom 0.2.15", + "getrandom 0.2.16", "once_cell", "version_check", ] [[package]] name = "ahash" -version = "0.8.11" +version = "0.8.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011" +checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75" dependencies = [ "cfg-if", "once_cell", "version_check", - "zerocopy 0.7.35", + "zerocopy 0.8.25", ] [[package]] @@ -379,6 +379,15 @@ dependencies = [ "libc", ] +[[package]] +name = "ansi_term" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2" +dependencies = [ + "winapi", +] + [[package]] name = "anstream" version = "0.6.18" @@ -431,9 +440,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.97" +version = "1.0.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dcfed56ad506cb2c684a14971b8861fdc3baaaae314b9e5f9bb532cbe3ba7a4f" +checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487" [[package]] name = "arrayref" @@ -471,7 +480,7 @@ checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", "synstructure", ] @@ -483,7 +492,7 @@ checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -515,18 +524,18 @@ checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] name = "async-trait" -version = "0.1.87" +version = "0.1.88" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d556ec1359574147ec0c4fc5eb525f3f23263a592b1a9c07e0a75b427de55c97" +checksum = "e539d3fca749fcee5236ab05e93a52867dd549cc157c8cb7f99595f3cedffdb5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -542,11 +551,11 @@ source = "git+https://github.com/confidential-containers/guest-components.git?re dependencies = [ "anyhow", "async-trait", - "attester 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", + "attester", "base64 0.22.1", "config", "const_format", - "crypto 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", + "crypto", "kbs-types 0.7.0", "log", "serde", @@ -556,7 +565,7 @@ dependencies = [ "tempfile", "thiserror 2.0.12", "tokio", - "toml 0.8.20", + "toml 0.8.22", ] [[package]] @@ -569,7 +578,7 @@ dependencies = [ "async-trait", "base64 0.22.1", "cfg-if", - "clap", + "clap 4.5.38", "ear 0.3.0", "env_logger 0.10.2", "futures", @@ -606,21 +615,19 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=27b8245#27b824547dd75ea4e2b2fe4a1eb9722d25f81c1a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "anyhow", "async-trait", "az-snp-vtpm", "az-tdx-vtpm", "base64 0.22.1", - "cfg-if", "codicon", "csv-rs", "hex", "hyper 0.14.32", "hyper-tls 0.5.0", - "iocuddle", - "kbs-types 0.10.0", + "kbs-types 0.7.0", "log", "occlum_dcap", "s390_pv", 
@@ -628,33 +635,15 @@ dependencies = [ "serde", "serde_json", "serde_with", - "sev", + "sev 3.2.0", "sha2", "strum", + "tdx-attest-rs", "tempfile", "thiserror 2.0.12", "tokio", ] -[[package]] -name = "attester" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" -dependencies = [ - "anyhow", - "async-trait", - "base64 0.22.1", - "hex", - "kbs-types 0.7.0", - "log", - "serde", - "serde_json", - "serde_with", - "sha2", - "strum", - "thiserror 2.0.12", -] - [[package]] name = "atty" version = "0.2.14" @@ -682,7 +671,7 @@ dependencies = [ "axum-core", "bytes", "futures-util", - "http 1.2.0", + "http 1.3.1", "http-body 1.0.1", "http-body-util", "itoa", @@ -708,7 +697,7 @@ dependencies = [ "async-trait", "bytes", "futures-util", - "http 1.2.0", + "http 1.3.1", "http-body 1.0.1", "http-body-util", "mime", @@ -732,7 +721,7 @@ dependencies = [ "serde", "serde-big-array", "serde_json", - "sev", + "sev 4.0.0", "sha2", "thiserror 2.0.12", "tss-esapi", @@ -747,10 +736,10 @@ checksum = "7c16506502dc64f7111f7241ca400f3ee0f54e69dfd1f4be5cef29b96332f22e" dependencies = [ "az-cvm-vtpm", "bincode", - "clap", + "clap 4.5.38", "openssl", "serde", - "sev", + "sev 4.0.0", "thiserror 2.0.12", "ureq", ] @@ -773,9 +762,9 @@ dependencies = [ [[package]] name = "backtrace" -version = "0.3.74" +version = "0.3.75" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d82cb332cdfaed17ae235a638438ac4d4839913cc2af585c3c6746e8f8bee1a" +checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002" dependencies = [ "addr2line", "cfg-if", 
@@ -821,9 +810,9 @@ dependencies = [ [[package]] name = "base64ct" -version = "1.6.0" +version = "1.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b" +checksum = "89e25b6adfb930f02d1981565a6e5d9c547ac15a96606256d3b59040e5cd4ca3" [[package]] name = "bincode" @@ -834,6 +823,29 @@ dependencies = [ "serde", ] +[[package]] +name = "bindgen" +version = "0.59.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2bd2a9a458e8f4304c52c43ebb0cfbd520289f8379a52e329a38afda99bf8eb8" +dependencies = [ + "bitflags 1.3.2", + "cexpr", + "clang-sys", + "clap 2.34.0", + "env_logger 0.9.3", + "lazy_static", + "lazycell", + "log", + "peeking_take_while", + "proc-macro2", + "quote", + "regex", + "rustc-hash 1.1.0", + "shlex", + "which", +] + [[package]] name = "bindgen" version = "0.65.1" @@ -853,15 +865,15 @@ dependencies = [ "regex", "rustc-hash 1.1.0", "shlex", - "syn 2.0.100", + "syn 2.0.101", "which", ] [[package]] name = "binstring" -version = "0.1.2" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed79c2a8151273c70956b5e3cdfdc1ff6c1a8b9779ba59c6807d281b32ee2f86" +checksum = "0669d5a35b64fdb5ab7fb19cae13148b6b5cbdf4b8247faf54ece47f699c8cef" [[package]] name = "bitfield" @@ -889,9 +901,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.9.0" +version = "2.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd" +checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967" dependencies = [ "serde", ] 
@@ -927,9 +939,9 @@ dependencies = [ [[package]] name = "brotli" -version = "7.0.0" +version = "8.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc97b8f16f944bba54f0433f07e30be199b6dc2bd25937444bbad560bcea29bd" +checksum = "9991eea70ea4f293524138648e41ee89b0b2b12ddef3b255effa43c8056e0e0d" dependencies = [ "alloc-no-stdlib", "alloc-stdlib", @@ -938,9 +950,9 @@ dependencies = [ [[package]] name = "brotli-decompressor" -version = "4.0.2" +version = "5.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74fa05ad7d803d413eb8380983b092cbbaf9a85f151b871360e7b00cd7060b37" +checksum = "874bb8112abecc98cbd6d81ea4fa7e94fb9449648c93cc89aa40c81c24d7de03" dependencies = [ "alloc-no-stdlib", "alloc-stdlib", @@ -994,9 +1006,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.16" +version = "1.2.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be714c154be609ec7f5dad223a33bf1482fff90472de28f7362806e6d4832b8c" +checksum = "5f4ac86a9e5bc1e2b3449ab9d7d3a6a405e3d1bb28d7b9be8614f55846ae3766" dependencies = [ "jobserver", "libc", @@ -1026,9 +1038,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "chrono" -version = "0.4.40" +version = "0.4.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a7964611d71df112cb1730f2ee67324fcf4d0fc6606acbbe9bfe06df124637c" +checksum = "c469d952047f47f91b68d1cba3f10d63c11d73e4636f24f08daf0278abf01c4d" dependencies = [ "android-tzdata", "iana-time-zone", @@ -1041,9 +1053,9 @@ dependencies = [ [[package]] name = "chrono-tz" -version = "0.10.1" +version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c6ac4f2c0bf0f44e9161aec9675e1050aa4a530663c4a9e37e108fa948bca9f" +checksum = "efdce149c370f133a071ca8ef6ea340b7b88748ab0810097a9e2976eaa34b4f3" dependencies = [ "chrono", "chrono-tz-build", 
@@ -1052,9 +1064,9 @@ dependencies = [ [[package]] name = "chrono-tz-build" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e94fea34d77a245229e7746bd2beb786cd2a896f306ff491fb8cecb3074b10a7" +checksum = "8f10f8c9340e31fc120ff885fcdb54a0b48e474bbd77cab557f0c30a3e569402" dependencies = [ "parse-zoneinfo", "phf_codegen", @@ -1105,14 +1117,29 @@ checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" dependencies = [ "glob", "libc", - "libloading 0.8.6", + "libloading 0.8.7", ] [[package]] name = "clap" -version = "4.5.32" +version = "2.34.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c" +dependencies = [ + "ansi_term", + "atty", + "bitflags 1.3.2", + "strsim 0.8.0", + "textwrap", + "unicode-width", + "vec_map", +] + +[[package]] +name = "clap" +version = "4.5.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6088f3ae8c3608d19260cd7445411865a485688711b78b5be70d78cd96136f83" +checksum = "ed93b9805f8ba930df42c2590f05453d5ec36cbb85d018868a5b24d31f6ac000" dependencies = [ "clap_builder", "clap_derive", @@ -1120,9 +1147,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.32" +version = "4.5.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22a7ef7f676155edfb82daa97f99441f3ebf4a58d5e32f295a56259f1b6facc8" +checksum = "379026ff283facf611b0ea629334361c4211d1b12ee01024eec1591133b04120" dependencies = [ "anstream", "anstyle", @@ -1139,7 +1166,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -1324,9 +1351,9 @@ dependencies = [ [[package]] name = "crossbeam-channel" -version = "0.5.14" +version = "0.5.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471" +checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2" dependencies = [ "crossbeam-utils", ] @@ -1352,29 +1379,6 @@ version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "43da5946c66ffcc7745f48db692ffbb10a83bfe0afd96235c5c2a4fb23994929" -[[package]] -name = "crypto" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=27b8245#27b824547dd75ea4e2b2fe4a1eb9722d25f81c1a" -dependencies = [ - "aes-gcm", - "aes-kw", - "anyhow", - "base64 0.22.1", - "concat-kdf", - "ctr", - "kbs-types 0.10.0", - "p256", - "rand 0.8.5", - "rand 0.9.0", - "rsa", - "serde", - "serde_json", - "sha2", - "strum", - "zeroize", -] - [[package]] name = "crypto" version = "0.1.0" @@ -1464,9 +1468,9 @@ dependencies = [ [[package]] name = "ct-codecs" -version = "1.1.3" +version = "1.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b916ba8ce9e4182696896f015e8a5ae6081b305f74690baa8465e35f5a142ea4" +checksum = "9b10589d1a5e400d61f9f38f12f884cfd080ff345de8f17efda36fe0e4a02aa8" [[package]] name = "ctr" 
@@ -1544,15 +1548,15 @@ dependencies = [ [[package]] name = "data-encoding" -version = "2.8.0" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "575f75dfd25738df5b91b8e43e14d44bda14637a58fae779fd2b064f8bf3e010" +checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476" [[package]] name = "der" -version = "0.7.9" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0" +checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" dependencies = [ "const-oid", "pem-rfc7468", @@ -1575,9 +1579,9 @@ dependencies = [ [[package]] name = "deranged" -version = "0.3.11" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4" +checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e" dependencies = [ "powerfmt", ] @@ -1610,7 +1614,7 @@ checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", "unicode-xid", ] @@ -1664,7 +1668,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -1739,7 +1743,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e9b3460f44bea8cd47f45a0c70892f1eff856d97cd55358b2f73f663789f6190" dependencies = [ "ct-codecs", - "getrandom 0.2.15", + "getrandom 0.2.16", ] [[package]] @@ -1795,7 +1799,7 @@ checksum = "fc4caf64a58d7a6d65ab00639b046ff54399a39f5f2554728895ace4b297cd79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -1811,6 +1815,19 @@ dependencies = [ "termcolor", ] +[[package]] +name = "env_logger" +version = "0.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a12e6657c4c97ebab115a42dcee77225f7f482cdd841cf7088c657a42e9e00e7" +dependencies = [ + "atty", + "humantime", + "log", + "regex", + "termcolor", +] + [[package]] name = "env_logger" version = "0.10.2" @@ -1832,19 +1849,19 @@ checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" [[package]] name = "errno" -version = "0.3.10" +version = "0.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d" +checksum = "cea14ef9355e3beab063703aa9dab15afd25f0667c341310c1e5274bb1d0da18" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "eventlog-rs" -version = "0.1.6" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "606e113813a3db3f1f42b273d4fb89ca8ef1e2bd5b97befd08b260ae5708be8d" +checksum = "8032cb35e23e548f50306064c37de06e04eb51378bce8ad99f0a7f119b30204e" dependencies = [ "anyhow", "byteorder", @@ -1879,9 +1896,9 @@ checksum = "1d674e81391d1e1ab681a28d99df07927c6d4aa5b027d7da16ba32d1d21ecd99" [[package]] name = "flate2" -version = "1.1.0" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc" +checksum = "7ced92e76e966ca2fd84c8f7aa01a4aea65b0eb6648d72f7c8f3e2764a67fece" dependencies = [ "crc32fast", "miniz_oxide", 
@@ -1895,9 +1912,9 @@ checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" [[package]] name = "foldhash" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0d2fde1f7b3d48b8395d5f2de76c18a528bd6a9cdde438df747bfcba3e05d6f" +checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" [[package]] name = "foreign-types" @@ -1989,7 +2006,7 @@ checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -2050,9 +2067,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" +checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592" dependencies = [ "cfg-if", "js-sys", @@ -2063,14 +2080,16 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.3.1" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8" +checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4" dependencies = [ "cfg-if", + "js-sys", "libc", - "wasi 0.13.3+wasi-0.2.2", - "windows-targets 0.52.6", + "r-efi", + "wasi 0.14.2+wasi-0.2.4", + "wasm-bindgen", ] [[package]] @@ -2131,7 +2150,7 @@ dependencies = [ "futures-sink", "futures-util", "http 0.2.12", - "indexmap 2.8.0", + "indexmap 2.9.0", "slab", "tokio", "tokio-util", 
@@ -2140,17 +2159,17 @@ dependencies = [ [[package]] name = "h2" -version = "0.4.8" +version = "0.4.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5017294ff4bb30944501348f6f8e42e6ad28f42c8bbef7a74029aff064a4e3c2" +checksum = "a9421a676d1b147b16b82c9225157dc629087ef8ec4d5e2960f9437a90dac0a5" dependencies = [ "atomic-waker", "bytes", "fnv", "futures-core", "futures-sink", - "http 1.2.0", - "indexmap 2.8.0", + "http 1.3.1", + "indexmap 2.9.0", "slab", "tokio", "tokio-util", @@ -2159,9 +2178,9 @@ dependencies = [ [[package]] name = "half" -version = "2.4.1" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6dd08c532ae367adf81c312a4580bc67f1d0fe8bc9c460520283f4c0ff277888" +checksum = "459196ed295495a68f7d7fe1d84f6c4b7ff0e21fe3017b2f283c6fac3ad803c9" dependencies = [ "cfg-if", "crunchy", @@ -2178,9 +2197,9 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.15.2" +version = "0.15.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289" +checksum = "84b26c544d002229e640969970a2e74021aadf6e2f96372b9c58eff97de08eb3" [[package]] name = "heck" @@ -2199,9 +2218,9 @@ dependencies = [ [[package]] name = "hermit-abi" -version = "0.5.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbd780fe5cc30f81464441920d82ac8740e2e46b29a6fad543ddd075229ce37e" +checksum = "f154ce46856750ed433c8649605bf7ed2de3bc35fd9d2a9f30cddd873c80cb08" [[package]] name = "hex" 
@@ -2235,29 +2254,29 @@ checksum = "18492c9f6f9a560e0d346369b665ad2bdbc89fa9bceca75796584e79042694c3" [[package]] name = "hmac-sha256" -version = "1.1.8" +version = "1.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a8575493d277c9092b988c780c94737fb9fd8651a1001e16bee3eccfc1baedb" +checksum = "ad6880c8d4a9ebf39c6e8b77007ce223f646a4d21ce29d99f70cb16420545425" dependencies = [ "digest", ] [[package]] name = "hmac-sha512" -version = "1.1.6" +version = "1.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0b3a0f572aa8389d325f5852b9e0a333a15b0f86ecccbb3fdb6e97cd86dc67c" +checksum = "e89e8d20b3799fa526152a5301a771eaaad80857f83e01b23216ceaafb2d9280" dependencies = [ "digest", ] [[package]] name = "home" -version = "0.5.5" +version = "0.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5444c27eef6923071f7ebcc33e3444508466a76f7a2b93da00ed6e19f30c1ddb" +checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] [[package]] @@ -2279,9 +2298,9 @@ dependencies = [ [[package]] name = "http" -version = "1.2.0" +version = "1.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea" +checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565" dependencies = [ "bytes", "fnv", 
@@ -2306,18 +2325,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184" dependencies = [ "bytes", - "http 1.2.0", + "http 1.3.1", ] [[package]] name = "http-body-util" -version = "0.1.2" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f" +checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a" dependencies = [ "bytes", - "futures-util", - "http 1.2.0", + "futures-core", + "http 1.3.1", "http-body 1.0.1", "pin-project-lite", ] @@ -2336,9 +2355,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" [[package]] name = "humantime" -version = "2.1.0" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" +checksum = "9b112acc8b3adf4b107a8ec20977da0273a8c386765a3ec0229bd500a1443f9f" [[package]] name = "hyper" @@ -2373,8 +2392,8 @@ dependencies = [ "bytes", "futures-channel", "futures-util", - "h2 0.4.8", - "http 1.2.0", + "h2 0.4.10", + "http 1.3.1", "http-body 1.0.1", "httparse", "httpdate", @@ -2406,15 +2425,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2d191583f3da1305256f22463b9bb0471acad48a4e534a5218b9963e9c1f59b2" dependencies = [ "futures-util", - "http 1.2.0", + "http 1.3.1", "hyper 1.6.0", "hyper-util", - "rustls 0.23.23", + "rustls 0.23.27", "rustls-pki-types", "tokio", "tokio-rustls 0.26.2", "tower-service", - "webpki-roots 0.26.8", + "webpki-roots 0.26.11", ] [[package]] 
@@ -2461,16 +2480,17 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.10" +version = "0.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4" +checksum = "cf9f1e950e0d9d1d3c47184416723cf29c0d1f93bd8cccf37e4beb6b44f31710" dependencies = [ "bytes", "futures-channel", "futures-util", - "http 1.2.0", + "http 1.3.1", "http-body 1.0.1", "hyper 1.6.0", + "libc", "pin-project-lite", "socket2", "tokio", @@ -2480,14 +2500,15 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.61" +version = "0.1.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220" +checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8" dependencies = [ "android_system_properties", "core-foundation-sys", "iana-time-zone-haiku", "js-sys", + "log", "wasm-bindgen", "windows-core", ] @@ -2503,21 +2524,22 @@ dependencies = [ [[package]] name = "icu_collections" -version = "1.5.0" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526" +checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47" dependencies = [ "displaydoc", + "potential_utf", "yoke", "zerofrom", "zerovec", ] [[package]] -name = "icu_locid" -version = "1.5.0" +name = "icu_locale_core" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637" +checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a" dependencies = [ "displaydoc", "litemap", 
@@ -2526,31 +2548,11 @@ dependencies = [ "zerovec", ] -[[package]] -name = "icu_locid_transform" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e" -dependencies = [ - "displaydoc", - "icu_locid", - "icu_locid_transform_data", - "icu_provider", - "tinystr", - "zerovec", -] - -[[package]] -name = "icu_locid_transform_data" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e" - [[package]] name = "icu_normalizer" -version = "1.5.0" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f" +checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979" dependencies = [ "displaydoc", "icu_collections", 
@@ -2558,67 +2560,54 @@ dependencies = [ "icu_properties", "icu_provider", "smallvec", - "utf16_iter", - "utf8_iter", - "write16", "zerovec", ] [[package]] name = "icu_normalizer_data" -version = "1.5.0" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516" +checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3" [[package]] name = "icu_properties" -version = "1.5.1" +version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5" +checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b" dependencies = [ "displaydoc", "icu_collections", - "icu_locid_transform", + "icu_locale_core", "icu_properties_data", "icu_provider", - "tinystr", + "potential_utf", + "zerotrie", "zerovec", ] [[package]] name = "icu_properties_data" -version = "1.5.0" +version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569" +checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632" [[package]] name = "icu_provider" -version = "1.5.0" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9" +checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af" dependencies = [ "displaydoc", - "icu_locid", - "icu_provider_macros", + "icu_locale_core", "stable_deref_trait", "tinystr", "writeable", "yoke", "zerofrom", + "zerotrie", "zerovec", ] -[[package]] -name = "icu_provider_macros" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.100", -] - 
[[package]] name = "ident_case" version = "1.0.1" @@ -2638,9 +2627,9 @@ dependencies = [ [[package]] name = "idna_adapter" -version = "1.2.0" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71" +checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344" dependencies = [ "icu_normalizer", "icu_properties", @@ -2664,12 +2653,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.8.0" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3954d50fe15b02142bf25d3b8bdadb634ec3948f103d04ffe3031bc8fe9d7058" +checksum = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e" dependencies = [ "equivalent", - "hashbrown 0.15.2", + "hashbrown 0.15.3", ] [[package]] @@ -2728,7 +2717,7 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "93c8bc48d598fa48310e41f65a706e0beb2a74f5f9e5a26c5c2ca6cd83416fcc" dependencies = [ - "bindgen", + "bindgen 0.65.1", ] [[package]] @@ -2749,9 +2738,9 @@ version = "0.4.16" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e04d7f318608d35d4b61ddd75cbdaee86b023ebe2bd5a66ee0915f0bf93095a9" dependencies = [ - "hermit-abi 0.5.0", + "hermit-abi 0.5.1", "libc", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] 
@@ -2783,18 +2772,19 @@ checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" [[package]] name = "jobserver" -version = "0.1.32" +version = "0.1.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0" +checksum = "38f262f097c174adebe41eb73d66ae9c06b2844fb0da69969647bbddd9b0538a" dependencies = [ + "getrandom 0.3.3", "libc", ] [[package]] name = "josekit" -version = "0.10.1" +version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe0633782b10949cf7d5aca9ec7c87ce642cbe4fff7d34602b2ec2e890ad56e5" +checksum = "65635870648e8d6bb111e81d52f80ca4420e916d1018d6e4cfbdd5d37d6eaa74" dependencies = [ "anyhow", "base64 0.22.1", @@ -2803,7 +2793,7 @@ dependencies = [ "regex", "serde", "serde_json", - "thiserror 1.0.69", + "thiserror 2.0.12", "time", ] @@ -2915,7 +2905,7 @@ dependencies = [ "az-cvm-vtpm", "base64 0.22.1", "cfg-if", - "clap", + "clap 4.5.38", "concat-kdf", "config", "cryptoki", @@ -2936,7 +2926,7 @@ dependencies = [ "reference-value-provider-service", "regex", "regorus", - "reqwest 0.12.12", + "reqwest 0.12.15", "rsa", "rstest", "scc", @@ -2960,12 +2950,12 @@ version = "0.1.0" dependencies = [ "anyhow", "base64 0.22.1", - "clap", + "clap 4.5.38", "env_logger 0.10.2", "jwt-simple", "kbs_protocol", "log", - "reqwest 0.12.12", + "reqwest 0.12.15", "serde", "serde_json", "tokio", 
@@ -2996,18 +2986,18 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=27b8245#27b824547dd75ea4e2b2fe4a1eb9722d25f81c1a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" dependencies = [ "anyhow", "async-trait", - "attester 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=27b8245)", + "attester", "base64 0.22.1", - "crypto 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=27b8245)", + "crypto", "jwt-simple", - "kbs-types 0.10.0", + "kbs-types 0.7.0", "log", - "reqwest 0.12.12", - "resource_uri 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=27b8245)", + "reqwest 0.12.15", + "resource_uri", "serde", "serde_json", "sha2", @@ -3034,8 +3024,8 @@ dependencies = [ "p12", "prost", "rand 0.8.5", - "reqwest 0.12.12", - "resource_uri 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", + "reqwest 0.12.15", + "resource_uri", "ring", "serde", "serde_json", @@ -3043,7 +3033,7 @@ dependencies = [ "strum", "thiserror 2.0.12", "tokio", - "toml 0.8.20", + "toml 0.8.22", "tonic", "tonic-build", "url", @@ -3073,9 +3063,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.170" +version = "0.2.172" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "875b3680cb2f8f71bdcf9a30f38d48282f5d3c95cbf9b3fa57269bb5d5c06828" +checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa" [[package]] name = "libgit2-sys" 
@@ -3101,19 +3091,19 @@ dependencies = [ [[package]] name = "libloading" -version = "0.8.6" +version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" +checksum = "6a793df0d7afeac54f95b471d3af7f0d4fb975699f972341a4b76988d49cdf0c" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.53.0", ] [[package]] name = "libm" -version = "0.2.11" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8355be11b20d696c8f18f6cc018c4e372165b1fa8126cef092399c9951984ffa" +checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de" [[package]] name = "libredox" @@ -3121,15 +3111,15 @@ version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", "libc", ] [[package]] name = "libz-sys" -version = "1.1.21" +version = "1.1.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df9b68e50e6e0b26f672573834882eb57759f6db9b3be2ea3c35c91188bb4eaa" +checksum = "8b70e7a7df205e92a1a4cd9aaae7898dac0aa555503cc0a649494d0d60e7651d" dependencies = [ "cc", "libc", 
@@ -3151,15 +3141,15 @@ checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab" [[package]] name = "linux-raw-sys" -version = "0.9.2" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db9c683daf087dc577b7506e9695b3d556a9f3849903fa28186283afd6809e9" +checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12" [[package]] name = "litemap" -version = "0.7.4" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104" +checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956" [[package]] name = "litrs" @@ -3196,9 +3186,15 @@ dependencies = [ [[package]] name = "log" -version = "0.4.26" +version = "0.4.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94" + +[[package]] +name = "lru-slab" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e" +checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154" [[package]] name = "matchit" @@ -3233,11 +3229,11 @@ dependencies = [ [[package]] name = "metrics" -version = "0.23.0" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "884adb57038347dfbaf2d5065887b6cf4312330dc8e94bc30a1a839bd79d3261" +checksum = "3045b4193fbdc5b5681f32f11070da9be3609f189a79f3390706d42587f46bb5" dependencies = [ - "ahash 0.8.11", + "ahash 0.8.12", "portable-atomic", ] 
@@ -3255,9 +3251,9 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" [[package]] name = "miniz_oxide" -version = "0.8.5" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5" +checksum = "3be647b768db090acb35d5ec5db2b0e1f1de11133ca123b9eacf5137868f892a" dependencies = [ "adler2", ] @@ -3295,15 +3291,15 @@ dependencies = [ [[package]] name = "multimap" -version = "0.10.0" +version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "defc4c55412d89136f966bbb339008b474350e5e6e78d2714439c386b3137a03" +checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084" [[package]] name = "native-tls" -version = "0.2.12" +version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8614eb2c83d59d1c8cc974dd3f920198647674a0a035e1af1fa58707e317466" +checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e" dependencies = [ "libc", "log", @@ -3377,7 +3373,7 @@ checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -3458,9 +3454,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.21.0" +version = "1.21.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cde51589ab56b20a6f686b2c68f7a0bd6add753d697abf720d63f8db3ab7b1ad" +checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d" [[package]] name = "opaque-debug" 
@@ -3470,11 +3466,11 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "openssl" -version = "0.10.71" +version = "0.10.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e14130c6a98cd258fdcb0fb6d744152343ff729cbfcb28c656a9d12b999fbcd" +checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", "cfg-if", "foreign-types", "libc", @@ -3491,7 +3487,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -3502,18 +3498,18 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" [[package]] name = "openssl-src" -version = "300.4.2+3.4.1" +version = "300.5.0+3.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "168ce4e058f975fe43e89d9ccf78ca668601887ae736090aacc23ae353c298e2" +checksum = "e8ce546f549326b0e6052b649198487d91320875da901e7bd11a06d1ee3f9c2f" dependencies = [ "cc", ] [[package]] name = "openssl-sys" -version = "0.9.106" +version = "0.9.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8bb61ea9811cc39e3c2069f40b8b8e2e70d8569b361f879786cc7ed48b777cdd" +checksum = "e145e1651e858e820e4860f7b9c5e169bc1d8ce1c86043be79fa7b7634821847" dependencies = [ "cc", "libc", @@ -3553,7 +3549,7 @@ dependencies = [ "cbc", "cipher", "des", - "getrandom 0.2.15", + "getrandom 0.2.16", "hmac", "lazy_static", "rc2", @@ -3628,7 +3624,7 @@ checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.5.10", + "redox_syscall 0.5.12", "smallvec", "windows-targets 0.52.6", ] 
@@ -3693,9 +3689,9 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pest" -version = "2.7.15" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc" +checksum = "198db74531d58c70a361c42201efde7e2591e976d518caf7662a47dc5720e7b6" dependencies = [ "memchr", "thiserror 2.0.12", @@ -3704,9 +3700,9 @@ dependencies = [ [[package]] name = "pest_derive" -version = "2.7.15" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "816518421cfc6887a0d62bf441b6ffb4536fcc926395a69e1a85852d4363f57e" +checksum = "d725d9cfd79e87dccc9341a2ef39d1b6f6353d68c4b33c177febbe1a402c97c5" dependencies = [ "pest", "pest_generator", @@ -3714,22 +3710,22 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.7.15" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d1396fd3a870fc7838768d171b4616d5c91f6cc25e377b673d714567d99377b" +checksum = "db7d01726be8ab66ab32f9df467ae8b1148906685bbe75c82d1e65d7f5b3f841" dependencies = [ "pest", "pest_meta", "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] name = "pest_meta" -version = "2.7.15" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1e58089ea25d717bfd31fb534e4f3afcc2cc569c70de3e239778991ea3b7dea" +checksum = "7f9f832470494906d1fca5329f8ab5791cc60beb230c74815dff541cbd2b5ca0" dependencies = [ "once_cell", "pest", @@ -3743,7 +3739,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3672b37090dbd86368a4145bc067582552b29c27377cad4e0a306c97f9bd7772" dependencies = [ "fixedbitset", - "indexmap 2.8.0", + "indexmap 2.9.0", ] [[package]] @@ -3787,7 +3783,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -3851,7 +3847,7 @@ checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -3911,6 +3907,15 @@ version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e" +[[package]] +name = "potential_utf" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585" +dependencies = [ + "zerovec", +] + [[package]] name = "powerfmt" version = "0.2.0" @@ -3923,17 +3928,17 @@ version = "0.2.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9" dependencies = [ - "zerocopy 0.8.23", + "zerocopy 0.8.25", ] [[package]] name = "prettyplease" -version = "0.2.30" +version = "0.2.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1ccf34da56fc294e7d4ccf69a85992b7dfb826b7cf57bac6a70bba3494cc08a" +checksum = "664ec5419c51e34154eec046ebcba56312d5a2fc3b09a06da188e1ad21afadf6" dependencies = [ "proc-macro2", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -3947,9 +3952,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.94" +version = "1.0.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a31971752e70b8b2686d7e46ec17fb38dad4051d94024c88df49b667caea9c84" +checksum = "02b3e5e68a3a1a02aad3ec490a98007cbc13c37cbe84a3cd7b8e406d76e7f778" dependencies = [ "unicode-ident", ] @@ -3980,7 +3985,7 @@ dependencies = [ "prost", "prost-types", "regex", - "syn 2.0.100", + "syn 2.0.101", "tempfile", ] @@ -3994,7 +3999,7 @@ dependencies = [ "itertools", "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -4024,34 +4029,37 @@ dependencies = [ [[package]] name = "quinn" -version = "0.11.6" +version = "0.11.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62e96808277ec6f97351a2380e6c25114bc9e67037775464979f3037c92d05ef" +checksum = "626214629cda6781b6dc1d316ba307189c85ba657213ce642d9c77670f8202c8" dependencies = [ "bytes", + "cfg_aliases", "pin-project-lite", "quinn-proto", "quinn-udp", "rustc-hash 2.1.1", - "rustls 0.23.23", + "rustls 0.23.27", "socket2", "thiserror 2.0.12", "tokio", "tracing", + "web-time", ] [[package]] name = "quinn-proto" -version = "0.11.9" +version = "0.11.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d" +checksum = "49df843a9161c85bb8aae55f101bc0bac8bcafd637a620d9122fd7e0b2f7422e" dependencies = [ "bytes", - "getrandom 0.2.15", - "rand 0.8.5", + "getrandom 0.3.3", + "lru-slab", + "rand 0.9.1", "ring", "rustc-hash 2.1.1", - "rustls 0.23.23", + "rustls 0.23.27", "rustls-pki-types", "slab", "thiserror 2.0.12", @@ -4062,16 +4070,16 @@ dependencies = [ [[package]] name = "quinn-udp" -version = "0.5.10" +version = "0.5.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e46f3055866785f6b92bc6164b76be02ca8f2eb4b002c0354b28cf4c119e5944" +checksum = "ee4e529991f949c5e25755532370b8af5d114acae52326361d68d47af64aa842" dependencies = [ "cfg_aliases", "libc", "once_cell", "socket2", "tracing", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -4083,6 +4091,12 @@ dependencies = [ "proc-macro2", ] +[[package]] +name = "r-efi" +version = "5.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "74765f6d916ee2faa39bc8e68e4f3ed8949b48cccdac59983d287a7cb71ce9c5" + [[package]] name = "rand" version = "0.8.5" 
@@ -4096,13 +4110,12 @@ dependencies = [ [[package]] name = "rand" -version = "0.9.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94" +checksum = "9fbfd9d094a40bf3ae768db9361049ace4c0e04a4fd6b359518bd7b73a73dd97" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.3", - "zerocopy 0.8.23", ] [[package]] @@ -4131,7 +4144,7 @@ version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ - "getrandom 0.2.15", + "getrandom 0.2.16", ] [[package]] @@ -4140,7 +4153,7 @@ version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38" dependencies = [ - "getrandom 0.3.1", + "getrandom 0.3.3", ] [[package]] @@ -4172,11 +4185,11 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.10" +version = "0.5.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b8c0c260b63a8219631167be35e6a988e9554dbd323f8bd08439c8ed1302bd1" +checksum = "928fca9cf2aa042393a8325b9ead81d2f0df4cb12e1e24cef072922ccd99c5af" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", ] [[package]] @@ -4185,7 +4198,7 @@ version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43" dependencies = [ - "getrandom 0.2.15", + "getrandom 0.2.16", "libredox", "thiserror 1.0.69", ] @@ -4200,7 +4213,7 @@ dependencies = [ "base64 0.22.1", "cfg-if", "chrono", - "clap", + "clap 4.5.38", "config", "env_logger 0.10.2", "log", 
@@ -4326,9 +4339,9 @@ dependencies = [ [[package]] name = "reqwest" -version = "0.12.12" +version = "0.12.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43e734407157c3c2034e0258f5e4473ddb361b1e85f95a66690d67264d7cd1da" +checksum = "d19c46a6fdd48bc4dab94b6103fccc55d34c67cc0ad04653aad4ea2a07cd7bbb" dependencies = [ "base64 0.22.1", "bytes", @@ -4336,7 +4349,7 @@ dependencies = [ "cookie_store", "futures-core", "futures-util", - "http 1.2.0", + "http 1.3.1", "http-body 1.0.1", "http-body-util", "hyper 1.6.0", @@ -4352,7 +4365,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.23", + "rustls 0.23.27", "rustls-pemfile 2.2.0", "rustls-pki-types", "serde", @@ -4368,21 +4381,10 @@ dependencies = [ "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots 0.26.8", + "webpki-roots 0.26.11", "windows-registry", ] -[[package]] -name = "resource_uri" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=27b8245#27b824547dd75ea4e2b2fe4a1eb9722d25f81c1a" -dependencies = [ - "anyhow", - "serde", - "serde_json", - "url", -] - [[package]] name = "resource_uri" version = "0.1.0" @@ -4406,13 +4408,13 @@ dependencies = [ [[package]] name = "ring" -version = "0.17.13" +version = "0.17.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee" +checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" dependencies = [ "cc", "cfg-if", - "getrandom 0.2.15", + "getrandom 0.2.16", "libc", "untrusted", "windows-sys 0.52.0", 
@@ -4431,9 +4433,9 @@ dependencies = [ [[package]] name = "rsa" -version = "0.9.7" +version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "47c75d7c5c6b673e58bf54d8544a9f432e3a925b0e80f7cd3602ab5c50c55519" +checksum = "78928ac1ed176a5ca1d17e578a1825f3d81ca54cf41053a592584b020cfd691b" dependencies = [ "const-oid", "digest", @@ -4475,7 +4477,7 @@ dependencies = [ "regex", "relative-path", "rustc_version", - "syn 2.0.100", + "syn 2.0.101", "unicode-ident", ] @@ -4531,24 +4533,24 @@ version = "0.38.44" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fdb5bc1ae2baa591800df16c9ca78619bf65c0488b41b96ccec5d11220d8c154" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", "errno", "libc", "linux-raw-sys 0.4.15", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "rustix" -version = "1.0.2" +version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f7178faa4b75a30e269c71e61c353ce2748cf3d76f0c44c393f4e60abf49b825" +checksum = "c71e83d6afe7ff64890ec6b71d6a69bb8a610ab78ce364b3352876bb4c801266" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", "errno", "libc", - "linux-raw-sys 0.9.2", - "windows-sys 0.52.0", + "linux-raw-sys 0.9.4", + "windows-sys 0.59.0", ] [[package]] @@ -4565,15 +4567,15 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.23" +version = "0.23.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "47796c98c480fce5406ef69d1c76378375492c3b0a0de587be0c1d9feb12f395" +checksum = "730944ca083c1c233a75c09f199e973ca499344a2b7ba9e755c457e86fb4a321" dependencies = [ "log", "once_cell", "ring", "rustls-pki-types", - "rustls-webpki 0.102.8", + "rustls-webpki 0.103.3", "subtle", "zeroize", ] 
@@ -4598,11 +4600,12 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.11.0" +version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c" +checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79" dependencies = [ "web-time", + "zeroize", ] [[package]] @@ -4617,9 +4620,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.102.8" +version = "0.103.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9" +checksum = "e4a72fe2bcf7a6ac6fd7d0b9e5cb68aeb7d4c0a0271730218b3e92d43b4eb435" dependencies = [ "ring", "rustls-pki-types", @@ -4681,9 +4684,9 @@ dependencies = [ [[package]] name = "scc" -version = "2.3.3" +version = "2.3.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ea091f6cac2595aa38993f04f4ee692ed43757035c36e67c180b6828356385b1" +checksum = "22b2d775fb28f245817589471dd49c5edf64237f4a19d10ce9a92ff4651a27f4" dependencies = [ "sdd", ] @@ -4714,7 +4717,7 @@ checksum = "d2ee4885492bb655bfa05d039cd9163eb8fe9f79ddebf00ca23a1637510c2fd2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -4738,7 +4741,7 @@ version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6ab8598aa408498679922eff7fa985c25d58a90771bd6be794434c5277eab1a6" dependencies = [ - "scroll_derive 0.12.0", + "scroll_derive 0.12.1", ] [[package]] 
@@ -4749,18 +4752,18 @@ checksum = "1db149f81d46d2deba7cd3c50772474707729550221e69588478ebf9ada425ae" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] name = "scroll_derive" -version = "0.12.0" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f81c2fde025af7e69b1d1420531c8a8811ca898919db177141a85313b1cb932" +checksum = "1783eabc414609e28a5ba76aee5ddd52199f7107a0b24c2e9746a1ecc34a683d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -4808,7 +4811,7 @@ version = "2.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", "core-foundation", "core-foundation-sys", "libc", @@ -4866,7 +4869,7 @@ checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -4875,7 +4878,7 @@ version = "1.0.140" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373" dependencies = [ - "indexmap 2.8.0", + "indexmap 2.9.0", "itoa", "memchr", "ryu", @@ -4970,7 +4973,31 @@ checksum = "5d69265a08751de7844521fd15003ae0a888e035773ba05695c5c759a6f89eef" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", +] + +[[package]] +name = "sev" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35156eab65ff1b63432b5a11a06b770e92120033e2831c7dee064865de5dbbbd" +dependencies = [ + "base64 0.22.1", + "bincode", + "bitfield 0.15.0", + "bitflags 1.3.2", + "byteorder", + "codicon", + "dirs", + "hex", + "iocuddle", + "lazy_static", + "libc", + "serde", + "serde-big-array", + "serde_bytes", + "static_assertions", + "uuid", ] [[package]] 
@@ -5017,9 +5044,9 @@ dependencies = [ [[package]] name = "sha2" -version = "0.10.8" +version = "0.10.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" +checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" dependencies = [ "cfg-if", "cpufeatures", @@ -5056,9 +5083,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "signal-hook-registry" -version = "1.4.2" +version = "1.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9e9e0b4211b72e7b8b6e85c807d36c212bdb33ea8587f7569562a84df5465b1" +checksum = "9203b8055f63a2a00e2f593bb0510367fe707d7ff1e5c872de2f537b339e5410" dependencies = [ "libc", ] @@ -5118,15 +5145,15 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.14.0" +version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd" +checksum = "8917285742e9f3e1683f0a9c4e6b57960b7314d0b08d30d1ecd426713ee2eee9" [[package]] name = "socket2" -version = "0.5.8" +version = "0.5.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8" +checksum = "4f5fd57c80058a56cf5c777ab8a126398ece8e442983605d280a44ce79d0edef" dependencies = [ "libc", "windows-sys 0.52.0", @@ -5160,6 +5187,12 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" +[[package]] +name = "strsim" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" + [[package]] name = "strsim" version = "0.10.0" 
@@ -5191,7 +5224,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -5206,7 +5239,7 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "515cce34a781d7250b8a65706e0f2a5b99236ea605cb235d4baed6685820478f" dependencies = [ - "getrandom 0.2.15", + "getrandom 0.2.16", "hmac-sha256", "hmac-sha512", "rand 0.8.5", @@ -5226,9 +5259,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.100" +version = "2.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b09a44accad81e1ba1cd74a32461ba89dee89095ba17b32f5d03683b1b1fc2a0" +checksum = "8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf" dependencies = [ "proc-macro2", "quote", @@ -5252,13 +5285,13 @@ dependencies = [ [[package]] name = "synstructure" -version = "0.13.1" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" +checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -5288,18 +5321,33 @@ version = "0.12.16" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" +[[package]] +name = "tdx-attest-rs" +version = "0.1.2" +source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.22#2562057f6a3149c03f5985826ffaba978ece58c2" +dependencies = [ + "tdx-attest-sys", +] + +[[package]] +name = "tdx-attest-sys" +version = "0.1.0" +source = "git+https://github.com/intel/SGXDataCenterAttestationPrimitives?tag=DCAP_1.22#2562057f6a3149c03f5985826ffaba978ece58c2" +dependencies = [ + "bindgen 0.59.2", +] + [[package]] name = "tempfile" -version = "3.18.0" +version = "3.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c317e0a526ee6120d8dabad239c8dadca62b24b6f168914bbbc8e2fb1f0e567" +checksum = "e8a64e3985349f2441a1a9ef0b853f869006c3855f2cda6862a94d26ebb9d6a1" dependencies = [ - "cfg-if", "fastrand", - "getrandom 0.3.1", + "getrandom 0.3.3", "once_cell", - "rustix 1.0.2", - "windows-sys 0.52.0", + "rustix 1.0.7", + "windows-sys 0.59.0", ] [[package]] @@ -5320,6 +5368,15 @@ dependencies = [ "log", ] +[[package]] +name = "textwrap" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060" +dependencies = [ + "unicode-width", +] + [[package]] name = "thiserror" version = "1.0.69" @@ -5346,7 +5403,7 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -5357,7 +5414,7 @@ checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] 
@@ -5372,9 +5429,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.39" +version = "0.3.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dad298b01a40a23aac4580b67e3dbedb7cc8402f3592d7f49469de2ea4aecdd8" +checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40" dependencies = [ "deranged", "itoa", @@ -5389,15 +5446,15 @@ dependencies = [ [[package]] name = "time-core" -version = "0.1.3" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "765c97a5b985b7c11d7bc27fa927dc4fe6af3a6dfb021d28deb60d3bf51e76ef" +checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c" [[package]] name = "time-macros" -version = "0.2.20" +version = "0.2.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8093bc3e81c3bc5f7879de09619d06c9a5a5e45ca44dfeeb7225bae38005c5c" +checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49" dependencies = [ "num-conv", "time-core", @@ -5405,9 +5462,9 @@ dependencies = [ [[package]] name = "tinystr" -version = "0.7.6" +version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f" +checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b" dependencies = [ "displaydoc", "zerovec", @@ -5430,9 +5487,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.44.0" +version = "1.45.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9975ea0f48b5aa3972bf2d888c238182458437cc2a19374b81b25cdf1023fb3a" +checksum = "2513ca694ef9ede0fb23fe71a4ee4107cb102b9dc1930f6d0fd77aae068ae165" dependencies = [ "backtrace", "bytes", 
@@ -5454,7 +5511,7 @@ checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -5494,7 +5551,7 @@ version = "0.26.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b" dependencies = [ - "rustls 0.23.23", + "rustls 0.23.27", "tokio", ] @@ -5511,9 +5568,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.13" +version = "0.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078" +checksum = "66a539a9ad6d5d281510d5bd368c973d636c02dbf8a67300bfb6b950696ad7df" dependencies = [ "bytes", "futures-core", @@ -5533,9 +5590,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.20" +version = "0.8.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd87a5cdd6ffab733b2f74bc4fd7ee5fff6634124999ac278c35fc78c6120148" +checksum = "05ae329d1f08c4d17a59bed7ff5b5a769d062e64a62d34a3261b219e62cd5aae" dependencies = [ "serde", "serde_spanned", 
@@ -5545,26 +5602,33 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.6.8" +version = "0.6.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0dd7358ecb8fc2f8d014bf86f6f638ce72ba252a2c3a2572f2a795f1d23efb41" +checksum = "3da5db5a963e24bc68be8b17b6fa82814bb22ee8660f192bb182771d498f09a3" dependencies = [ "serde", ] [[package]] name = "toml_edit" -version = "0.22.24" +version = "0.22.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17b4795ff5edd201c7cd6dca065ae59972ce77d1b80fa0a84d94950ece7d1474" +checksum = "310068873db2c5b3e7659d2cc35d21855dbafa50d1ce336397c666e3cb08137e" dependencies = [ - "indexmap 2.8.0", + "indexmap 2.9.0", "serde", "serde_spanned", "toml_datetime", + "toml_write", "winnow", ] +[[package]] +name = "toml_write" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfb942dfe1d8e29a7ee7fcbde5bd2b9a25fb89aa70caea2eba3bee836ff41076" + [[package]] name = "tonic" version = "0.12.3" @@ -5576,8 +5640,8 @@ dependencies = [ "axum", "base64 0.22.1", "bytes", - "h2 0.4.8", - "http 1.2.0", + "h2 0.4.10", + "http 1.3.1", "http-body 1.0.1", "http-body-util", "hyper 1.6.0", @@ -5606,7 +5670,7 @@ dependencies = [ "prost-build", "prost-types", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -5676,7 +5740,7 @@ checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -5728,7 +5792,7 @@ checksum = "78ea9ccde878b029392ac97b5be1f470173d06ea41d18ad0bb3c92794c16a0f2" dependencies = [ "bitfield 0.14.0", "enumflags2", - "getrandom 0.2.15", + "getrandom 0.2.16", "hostname-validator", "log", "mbox", 
@@ -5792,9 +5856,9 @@ dependencies = [ [[package]] name = "tzdb_data" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4471adcfcbd3052e8c5b5890a04a559837444b3be26b9cbbd622063171cec9d" +checksum = "0d69ad05cd8412d9f6e7df6ac91e50ea557687cc1b734339cb6742e547704663" dependencies = [ "tz-rs", ] @@ -5811,6 +5875,12 @@ version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" +[[package]] +name = "unicode-width" +version = "0.1.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af" + [[package]] name = "unicode-xid" version = "0.2.6" @@ -5842,12 +5912,12 @@ dependencies = [ "base64 0.22.1", "log", "once_cell", - "rustls 0.23.23", + "rustls 0.23.27", "rustls-pki-types", "serde", "serde_json", "url", - "webpki-roots 0.26.8", + "webpki-roots 0.26.11", ] [[package]] @@ -5862,12 +5932,6 @@ dependencies = [ "serde", ] -[[package]] -name = "utf16_iter" -version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" - [[package]] name = "utf8_iter" version = "1.0.4" @@ -5882,11 +5946,11 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.15.1" +version = "1.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0f540e3240398cce6128b64ba83fdbdd86129c16a3aa1a3a252efd66eb3d587" +checksum = "458f7a779bf54acc9f347480ac654f68407d3aab21269a6e3c9f922acd9e2da9" dependencies = [ - "getrandom 0.3.1", + "getrandom 0.3.3", "serde", ] 
@@ -5902,6 +5966,12 @@ version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" +[[package]] +name = "vec_map" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191" + [[package]] name = "veraison-apiclient" version = "0.0.1" @@ -5929,7 +5999,7 @@ dependencies = [ "az-tdx-vtpm", "base64 0.22.1", "bincode", - "bitflags 2.9.0", + "bitflags 2.9.1", "byteorder", "cfg-if", "codicon", @@ -5943,7 +6013,7 @@ dependencies = [ "kbs-types 0.10.0", "log", "openssl", - "reqwest 0.12.12", + "reqwest 0.12.15", "rstest", "s390_pv", "scroll 0.11.0", @@ -5951,7 +6021,7 @@ dependencies = [ "serde_json", "serde_with", "serial_test", - "sev", + "sev 4.0.0", "sha2", "shadow-rs", "strum", @@ -5995,9 +6065,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasi" -version = "0.13.3+wasi-0.2.2" +version = "0.14.2+wasi-0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26816d2e1a4a36a2940b96c5296ce403917633dff8f3440e9b236ed6f6bacad2" +checksum = "9683f9a5a998d873c0d21fcbe3c083009670149a8fab228644b8bd36b2c48cb3" dependencies = [ "wit-bindgen-rt", ] @@ -6033,7 +6103,7 @@ dependencies = [ "log", "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", "wasm-bindgen-shared", ] @@ -6068,7 +6138,7 @@ checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", "wasm-bindgen-backend", "wasm-bindgen-shared", ] 
@@ -6110,9 +6180,18 @@ checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" [[package]] name = "webpki-roots" -version = "0.26.8" +version = "0.26.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9" +dependencies = [ + "webpki-roots 1.0.0", +] + +[[package]] +name = "webpki-roots" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2210b291f7ea53617fbafcc4939f10914214ec15aace5ba62293a668f322c5c9" +checksum = "2853738d1cc4f2da3a225c18ec6c3721abb31961096e9dbf5ab35fa88b19cfdb" dependencies = [ "rustls-pki-types", ] @@ -6151,7 +6230,7 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] [[package]] 
@@ -6162,47 +6241,81 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] name = "windows-core" -version = "0.52.0" +version = "0.61.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" +checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3" dependencies = [ - "windows-targets 0.52.6", + "windows-implement", + "windows-interface", + "windows-link", + "windows-result", + "windows-strings 0.4.2", +] + +[[package]] +name = "windows-implement" +version = "0.60.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.101", +] + +[[package]] +name = "windows-interface" +version = "0.59.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.101", ] [[package]] name = "windows-link" -version = "0.1.0" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6dccfd733ce2b1753b03b6d3c65edf020262ea35e20ccdf3e288043e6dd620e3" +checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38" [[package]] name = "windows-registry" -version = "0.2.0" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e400001bb720a623c1c69032f8e3e4cf09984deec740f007dd2b03ec864804b0" +checksum = "4286ad90ddb45071efd1a66dfa43eb02dd0dfbae1545ad6cc3c51cf34d7e8ba3" dependencies = [ "windows-result", - "windows-strings", - "windows-targets 0.52.6", + "windows-strings 0.3.1", + "windows-targets 0.53.0", ] [[package]] name = "windows-result" -version = "0.2.0" +version = "0.3.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e" +checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6" dependencies = [ - "windows-targets 0.52.6", + "windows-link", ] [[package]] name = "windows-strings" -version = "0.1.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10" +checksum = "87fa48cc5d406560701792be122a10132491cff9d0aeb23583cc2dcafc847319" dependencies = [ - "windows-result", - "windows-targets 0.52.6", + "windows-link", +] + +[[package]] +name = "windows-strings" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57" +dependencies = [ + "windows-link", ] [[package]] @@ -6256,13 +6369,29 @@ dependencies = [ "windows_aarch64_gnullvm 0.52.6", "windows_aarch64_msvc 0.52.6", "windows_i686_gnu 0.52.6", - "windows_i686_gnullvm", + "windows_i686_gnullvm 0.52.6", "windows_i686_msvc 0.52.6", "windows_x86_64_gnu 0.52.6", "windows_x86_64_gnullvm 0.52.6", "windows_x86_64_msvc 0.52.6", ] +[[package]] +name = "windows-targets" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b1e4c7e8ceaaf9cb7d7507c974735728ab453b67ef8f18febdd7c11fe59dca8b" +dependencies = [ + "windows_aarch64_gnullvm 0.53.0", + "windows_aarch64_msvc 0.53.0", + "windows_i686_gnu 0.53.0", + "windows_i686_gnullvm 0.53.0", + "windows_i686_msvc 0.53.0", + "windows_x86_64_gnu 0.53.0", + "windows_x86_64_gnullvm 0.53.0", + "windows_x86_64_msvc 0.53.0", +] + [[package]] name = "windows_aarch64_gnullvm" version = "0.48.5" 
@@ -6275,6 +6404,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764" + [[package]] name = "windows_aarch64_msvc" version = "0.48.5" @@ -6287,6 +6422,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" +[[package]] +name = "windows_aarch64_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c" + [[package]] name = "windows_i686_gnu" version = "0.48.5" @@ -6299,12 +6440,24 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" +[[package]] +name = "windows_i686_gnu" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3" + [[package]] name = "windows_i686_gnullvm" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" +[[package]] +name = "windows_i686_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11" + [[package]] name = "windows_i686_msvc" version = "0.48.5" 
@@ -6317,6 +6470,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" +[[package]] +name = "windows_i686_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d" + [[package]] name = "windows_x86_64_gnu" version = "0.48.5" @@ -6329,6 +6488,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" +[[package]] +name = "windows_x86_64_gnu" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba" + [[package]] name = "windows_x86_64_gnullvm" version = "0.48.5" @@ -6341,6 +6506,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57" + [[package]] name = "windows_x86_64_msvc" version = "0.48.5" 
@@ -6353,11 +6524,17 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" +[[package]] +name = "windows_x86_64_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486" + [[package]] name = "winnow" -version = "0.7.3" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e7f4ea97f6f78012141bcdb6a216b2609f0979ada50b20ca5b52dde2eac2bb1" +checksum = "c06928c8748d81b05c9be96aad92e1b6ff01833332f281e8cfca3be4b35fc9ec" dependencies = [ "memchr", ] @@ -6374,24 +6551,18 @@ dependencies = [ [[package]] name = "wit-bindgen-rt" -version = "0.33.0" +version = "0.39.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c" +checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.9.1", ] -[[package]] -name = "write16" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936" - [[package]] name = "writeable" -version = "0.5.5" +version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" +checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb" [[package]] name = "x509-parser" 
@@ -6436,9 +6607,9 @@ checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" [[package]] name = "yoke" -version = "0.7.5" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40" +checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc" dependencies = [ "serde", "stable_deref_trait", @@ -6448,13 +6619,13 @@ dependencies = [ [[package]] name = "yoke-derive" -version = "0.7.5" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154" +checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", "synstructure", ] @@ -6470,11 +6641,11 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.23" +version = "0.8.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd97444d05a4328b90e75e503a34bad781f14e28a823ad3557f0750df1ebcbc6" +checksum = "a1702d9583232ddb9174e01bb7c15a2ab8fb1bc6f227aa1233858c351a3ba0cb" dependencies = [ - "zerocopy-derive 0.8.23", + "zerocopy-derive 0.8.25", ] [[package]] 
@@ -6485,25 +6656,25 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] name = "zerocopy-derive" -version = "0.8.23" +version = "0.8.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6352c01d0edd5db859a63e2605f4ea3183ddbd15e2c4a9e7d32184df75e4f154" +checksum = "28a6e20d751156648aa063f3800b706ee209a32c0b4d9f24be3d980b01be55ef" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] name = "zerofrom" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cff3ee08c995dee1859d998dea82f7374f2826091dd9cd47def953cae446cd2e" +checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5" dependencies = [ "zerofrom-derive", ] @@ -6516,7 +6687,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", "synstructure", ] @@ -6537,14 +6708,25 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", +] + +[[package]] +name = "zerotrie" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", ] [[package]] name = "zerovec" -version = "0.10.4" +version = "0.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079" +checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428" dependencies = [ "yoke", "zerofrom", 
@@ -6553,13 +6735,13 @@ dependencies = [ [[package]] name = "zerovec-derive" -version = "0.10.3" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" +checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f" dependencies = [ "proc-macro2", "quote", - "syn 2.0.100", + "syn 2.0.101", ] [[package]] @@ -6573,18 +6755,18 @@ dependencies = [ [[package]] name = "zstd-safe" -version = "7.2.3" +version = "7.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3051792fbdc2e1e143244dc28c60f73d8470e93f3f9cbd0ead44da5ed802722" +checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d" dependencies = [ "zstd-sys", ] [[package]] name = "zstd-sys" -version = "2.0.14+zstd.1.5.7" +version = "2.0.15+zstd.1.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8fb060d4926e4ac3a3ad15d864e99ceb5f343c6b34f5bd6d81ae6ed417311be5" +checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237" dependencies = [ "cc", "pkg-config", diff --git a/Cargo.toml b/Cargo.toml index d0f79044bf..c9b354458d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -33,7 +33,7 @@ hex = "0.4.3" jwt-simple = { version = "0.12", default-features = false, features = [ "pure-rust", ] } -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "27b8245", default-features = false } +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } kbs-types = "0.10.0" kms = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } jsonwebtoken = { version = "9", default-features = false } 
diff --git a/deps/verifier/src/tdx/eventlog.rs b/deps/verifier/src/tdx/eventlog.rs index 55ac73e9ae..5387766d6a 100644 --- a/deps/verifier/src/tdx/eventlog.rs +++ b/deps/verifier/src/tdx/eventlog.rs @@ -71,7 +71,7 @@ impl CcEventLog { } fn rebuild_rtmr(&self) -> Result { - let mr_map = self.cc_events.replay_measurement_regiestry(); + let mr_map = self.cc_events.replay_measurement_registry(); let mr = Rtmr { rtmr0: mr_map.get(&1).unwrap_or(&Vec::from([0u8; 48]))[0..48].try_into()?, diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile index 3078fe4111..ce87010edf 100644 --- a/kbs/docker/rhel-ubi/Dockerfile +++ b/kbs/docker/rhel-ubi/Dockerfile @@ -7,13 +7,13 @@ RUN \ # Update packages. Get CVE fixes sooner. dnf -y update && \ # Enable additional repositories for CentOS or RHEL. -if command -v subscription-manager; then \ - REPO_ARCH=$(uname -m) && \ - subscription-manager register --org "$(cat /activation-key/org)" --activationkey "$(cat /activation-key/activationkey)" && \ - subscription-manager repos --enable rhel-9-for-${REPO_ARCH}-appstream-rpms --enable codeready-builder-for-rhel-9-${REPO_ARCH}-rpms; \ -else \ - dnf -y install 'dnf-command(config-manager)' && dnf config-manager --enable crb; \ -fi && \ +#if command -v subscription-manager; then \ +# REPO_ARCH=$(uname -m) && \ +# subscription-manager register --org "$(cat /activation-key/org)" --activationkey "$(cat /activation-key/activationkey)" && \ +# subscription-manager repos --enable rhel-9-for-${REPO_ARCH}-appstream-rpms --enable codeready-builder-for-rhel-9-${REPO_ARCH}-rpms; \ +#else \ +# dnf -y install 'dnf-command(config-manager)' && dnf config-manager --enable crb; \ +#fi && \ # Install packages. dnf -y --setopt=install_weak_deps=0 install \ cargo pkg-config perl-FindBin openssl-devel perl-lib perl-IPC-Cmd perl-File-Compare perl-File-Copy clang-devel \ diff --git a/rpm/redhat.repo b/rpm/redhat.repo new file mode 100644 index 0000000000..94febea6f8 --- /dev/null 
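Review bot: With the `subscription-manager`/`crb` branch commented out in `kbs/docker/rhel-ubi/Dockerfile`, nothing visible in this `RUN` enables AppStream, CodeReady Builder or CRB before `dnf -y --setopt=install_weak_deps=0 install` runs, and the surviving comment `# Enable additional repositories for CentOS or RHEL.` now describes no step. The hunk does not show where the repositories come from instead; if it is the `rpm/redhat.repo` added in this commit, that file hard-codes `sslclientkey`/`sslclientcert` paths for one entitlement serial under `/etc/pki/entitlement/`, so the build would depend on exactly those certificates being present. I would delete the dead block rather than keep it as comments, and replace the stale comment with one that names the new source, e.g. `# Repositories come from <repo file or build mount>; subscription-manager is not run here.` Since `/activation-key/org` and `/activation-key/activationkey` are no longer read, whatever build secret supplies them (not visible here) can be dropped from the build invocation. The `RUN` command starts before and continues past this hunk.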
+++ b/rpm/redhat.repo 
@@ -0,0 +1,6058 @@ +# +# Certificate-Based Repositories +# Managed by (rhsm) subscription-manager +# +# *** This file is auto-generated. Changes made here will be over-written. *** +# *** Use "subscription-manager repo-override --help" if you wish to make changes. *** +# +# If this file is empty and this system is subscribed consider +# a "yum repolist" to refresh available repos +# + +[rhocp-ironic-4.17-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-e4s-source-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (Source RPMS) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-eus-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jdv-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Data Virtualization Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jdv/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.12-rpms] +name = Red Hat Container Development Kit 3.12 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[codeready-builder-for-rhel-9-$basearch-source-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.13-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.16-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhpm-1-for-rhel-9-$basearch-textonly-debug-rpms] +name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-rt-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[codeready-builder-for-rhel-9-$basearch-eus-source-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[discovery-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Discovery 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17-tools-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openliberty-textonly-1-for-middleware-rpms] +name = Open Liberty Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/openliberty/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.4-source-rpms] +name = Red Hat Container Development Kit 3.4 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.19-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.10-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 
+enabled_metadata = 0 + +[rhocp-ironic-4.16-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jpp-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Portal Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jpp/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.19-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-cuda-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.12-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhv-4-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[pipelines-1.18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-nhc-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 
1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[codeready-builder-for-rhel-9-$basearch-debug-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-datagrid-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Data Grid Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jb-datagrid/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-e4s-debug-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (Debug RPMS) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.19-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.16-rpms] +name = Red Hat Container Development Kit 3.16 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-1-tech-preview-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.18-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.16-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.13-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[osso-1-for-rhel-9-$basearch-rpms] +name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Enterprise Application Platform Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jbeap/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.15-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-5-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-7.4-for-rhel-9-$basearch-source-rpms] +name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.19-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + 
+[ocp-tools-4.15-for-rhel-9-$basearch-rpms] +name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-6-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[osso-1-for-rhel-9-$basearch-debug-rpms] +name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey 
= /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.13-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.13-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-cuda-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux 
AI (1.3) for RHEL 9 $basearch - Cuda (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.14-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.4-debug-rpms] +name = Red Hat Container Development Kit 3.4 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[fast-datapath-for-rhel-9-$basearch-source-rpms] +name = Fast Datapath for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.10-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.14-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.19-for-rhel-9-$basearch-source-rpms] +name = 
Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.15-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = 
/etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-maintenance-6.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.15-for-rhel-9-$basearch-source-rpms] +name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.13-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-e4s-source-rpms] +name 
= Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
+sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.17-rpms] +name = Red Hat Container Development Kit 3.17 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.15-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (Debug 
RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[pipelines-1.18-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.18-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.9-rpms] +name = Red Hat Container Development Kit 3.9 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.9/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1.8-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.3-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.13-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/os +enabled = 0 +gpgcheck = 
1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[codeready-builder-for-rhel-9-$basearch-eus-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.13-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire 
= 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.14-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[amq-interconnect-textonly-1-for-middleware-rpms] +name = Red Hat AMQ Interconnect Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/amq-interconnect/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.3-source-rpms] +name = Red Hat Container Development Kit 3.3 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
+sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[network-observability-1-for-rhel-9-$basearch-rpms] +name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.8-rpms] +name = Red Hat Container Development Kit 3.8 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.8/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift 
Container Platform 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.19-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.5-source-rpms] +name = Red Hat Container Development Kit 3.5 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.14-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[application-interconnect-1-for-rhel-9-$basearch-rpms] +name = Red Hat Application Interconnect for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.18-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-eus-debug-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update 
Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-utils-6.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-cuda-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhose-textonly-1-for-middleware-rpms] +name = Red Hat Middleware Container Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/rhose-middleware/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP 
NetWeaver - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Insights Proxy for RHEL9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/insights-proxy/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-nmo-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-rt-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.14-rpms] +name = Red Hat Container Development Kit 3.14 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.14-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-mdr-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[pipelines-1.18-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-6-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-1-tech-preview-for-rhel-9-$basearch-source-rpms] +name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.15-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.12-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.11-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1.8-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-e4s-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-e4s-rpms] +name = Red Hat Enterprise Linux 9 
for $basearch - High Availability - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.4-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.15-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.7-rpms] +name = Red Hat Container Development Kit 3.7 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.7/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-7-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.16-for-rhel-9-$basearch-source-rpms] +name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.0-for-rhel-9-$basearch-rhui-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (Source RPMs) 
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-1-for-rhel-9-$basearch-source-rpms] +name = Kernel Module Management 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.14-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.14-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.13-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.15-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-snr-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Self Node Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-snr/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-beta-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhdh-1-for-rhel-9-$basearch-rpms] +name = Red Hat Developer Hub 1 (RHEL 9) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.4-rpms] +name = Red Hat Container Development Kit 3.4 /(RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-rt-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.14-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-datagrid-8.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem 
+sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-mdr-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[soa-textonly-1-for-middleware-rpms] +name = Red Hat JBoss SOA Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/soa/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-beta-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.14-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/os +enabled = 0 +gpgcheck = 1 +gpgkey 
= file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[amq-clients-3-for-rhel-9-$basearch-source-rpms] +name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[wfk-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Web Framework Kit Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/wfk/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.12-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 
$basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17.1-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.17-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-e4s-debug-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem 
+sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.15-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-for-rhel-9-$basearch-source-rpms] +name = Red Hat Insights Proxy for RHEL9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/insights-proxy/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.1-for-rhel-9-$basearch-debug-rpms] +name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (Debug RPMs) 
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.13-rpms] +name = Red Hat Container Development Kit 3.13 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.13/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.15-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.6-debug-rpms] +name = Red Hat Container Development Kit 3.6 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.18-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.17-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 
86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.16-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.15-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.16-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/source/SRPMS +enabled = 
0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.18-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.0-for-rhel-9-$basearch-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + 
+[satellite-utils-6.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[network-observability-1-for-rhel-9-$basearch-debug-rpms] +name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.18-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/source/SRPMS +enabled = 
0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-cuda-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-far-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 
86400 +enabled_metadata = 0 + +[satellite-maintenance-6.16-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Maintenance 6.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-utils-6.16-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.17-for-rhel-9-$basearch-debug-rpms] +name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhbop-textonly-1-for-middleware-rpms] +name = Red Hat Build of OptaPlanner Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/rhel/server/6/6Server/$basearch/rhbop-textonly/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-eus-source-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-nmo-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 
86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-2.3-source-rpms] +name = Red Hat Container Development Kit 2.3 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.11-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-eus-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (RPMS) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/os +enabled = 0 
+gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-1-for-rhel-9-$basearch-rpms] +name = Kernel Module Management 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17.1-tools-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 
+enabled_metadata = 0 + +[cert-manager-1.12-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-cuda-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.16-for-rhel-9-$basearch-rpms] +name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.18-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openjdk-textonly-1-for-middleware-rpms] +name = OpenJDK Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/openjdk/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[discovery-1-for-rhel-9-$basearch-rpms] +name = Red Hat Discovery 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.17-for-rhel-9-$basearch-source-rpms] +name = OpenShift Developer Tools and Services 4.17 (RHEL 9) 
($basearch Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.14-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem 
+sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.0-for-rhel-9-$basearch-debug-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.17-for-rhel-9-$basearch-rpms] +name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-datagrid-8.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-coreservices-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Core Services Text-Only Advisories +baseurl = 
https://cdn.redhat.com/content/dist/middleware/jbcs/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.18-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[network-observability-1-for-rhel-9-$basearch-source-rpms] +name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-1-tech-preview-for-rhel-9-$basearch-rpms] +name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.2-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-8-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.12-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-6-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.15-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.15-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.1-for-rhel-9-$basearch-source-rpms] +name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-maintenance-6.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Maintenance 6.16 for RHEL 9 $basearch (Source RPMs) 
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-cuda-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-7.4-for-rhel-9-$basearch-rpms] +name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.16-for-rhel-9-$basearch-debug-rpms] +name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-maintenance-6.17-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.17-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.15-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.13-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.13-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/source/SRPMS +enabled = 
0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.15-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[application-interconnect-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Application Interconnect for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-datagrid-8.4-for-rhel-9-$basearch-rpms] +name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + 
+[rhelai-1.1-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhv-4-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-5-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-far-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 
+sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.5-rpms] +name = Red Hat Container Development Kit 3.5 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-rt-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-cuda-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.4) 
for RHEL 9 $basearch - Cuda (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.15-rpms] +name = Red Hat Container Development Kit 3.15 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-2-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.12-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-beta-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack 
Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.0-for-rhel-9-$basearch-source-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.16-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhosds-textonly-3-for-middleware-rpms] +name = Red Hat OpenShift Dev Spaces 3 Container Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/rhosds/3.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-for-rhel-9-$basearch-rpms] +name = Red Hat Insights Proxy for RHEL9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/insights-proxy/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-maintenance-6.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite 
Maintenance 6.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rodoo-1-for-rhel-9-$basearch-source-rpms] +name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.14-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1.8-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = 
/etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.13-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-e4s-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (RPMS) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[fast-datapath-for-rhel-9-$basearch-debug-rpms] +name = Fast Datapath for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-e4s-source-rpms] +name 
= Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-2-for-rhel-9-$basearch-rpms] +name = Kernel Module Management 2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem 
+sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.10-rpms] +name = Red Hat Container Development Kit 3.10 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.10/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.0-for-rhel-9-$basearch-rhui-source-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (Source RPMs) from RHUI +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jon-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Operations Network Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jon/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.14-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 
86400 +enabled_metadata = 0 + +[rodoo-1-for-rhel-9-$basearch-debug-rpms] +name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-utils-6.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.14-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[fast-datapath-for-rhel-9-$basearch-rpms] +name = Fast Datapath for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
+sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.11-rpms] +name = Red Hat Container Development Kit 3.11 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.11/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[codeready-builder-for-rhel-9-$basearch-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/os +enabled = 1 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.3-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[fsw-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Fuse 
Service Works Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/fsw/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.17-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.19-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.12-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.13-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.17-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.17 for RHEL 
9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.19-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[amq-clients-3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rodoo-1-for-rhel-9-$basearch-rpms] +name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.6-rpms] +name = Red Hat Container Development Kit 3.6 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/os +enabled = 
0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-nmo-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-7.4-for-rhel-9-$basearch-debug-rpms] +name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-1-for-rhel-9-$basearch-debug-rpms] +name = Kernel Module Management 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-cuda-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[quarkus-textonly-1-for-middleware-rpms] +name = Red Hat build of Quarkus Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/quarkus/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 
1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/os +enabled = 1 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 1 + +[codeready-builder-for-rhel-9-$basearch-eus-debug-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[osso-1-for-rhel-9-$basearch-source-rpms] +name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-2.3-debug-rpms] +name = Red Hat Container Development 
Kit 2.3 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.14-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-8-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.5-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-2-for-rhel-9-$basearch-debug-rpms] +name = Kernel Module Management 2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhdh-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Developer Hub 1 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.10-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (RPMS) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.15-for-rhel-9-$basearch-debug-rpms] +name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.13-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhpm-1-for-rhel-9-$basearch-textonly-source-rpms] +name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.1-for-rhel-9-$basearch-rpms] +name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.17-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.15-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhsi-textonly-1-for-middleware-rpms] +name = Red Hat Service Interconnect Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/rhsi/1/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-utils-6.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.18-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-coreservices-textonly-1-for-middleware-rhui-rpms] +name = Red Hat JBoss Core Services Text-Only Advisories from RHUI +baseurl = 
https://cdn.redhat.com/content/dist/middleware/rhui/jbcs/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.18-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-snr-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Self Node Remediation Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-snr/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-7-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.12-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[discovery-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Discovery 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.0-for-rhel-9-$basearch-rhui-debug-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-2-for-rhel-9-$basearch-source-rpms] +name = Kernel Module Management 2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.16-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-7-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/os +enabled = 
0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-mdr-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.12-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.19-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-eus-source-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (Source RPMS) +baseurl = 
https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-2.3-rpms] +name = Red Hat Container Development Kit 2.3 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-utils-6.17-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.5-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-far-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 
$basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhdh-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Developer Hub 1 (RHEL 9) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17.1-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.5-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.3) 
for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.3-rpms] +name = Red Hat Container Development Kit 3.3 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-maintenance-6.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.3-debug-rpms] +name = Red Hat Container Development Kit 3.3 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.16-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.14-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.11-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-8-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/os +enabled = 1 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 1 + +[cnv-4.16-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem 
+sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-snr-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Self Node Remediation Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-snr/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.17-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-rt-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/debug +enabled = 0 
+gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-nhc-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhpm-1-for-rhel-9-$basearch-textonly-rpms] +name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 
+enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (Source RPMS) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhceph-5-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/debug +enabled = 0 +gpgcheck 
= 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.12-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.4-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + 
+[rhv-4-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.13-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.14-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.6-source-rpms] +name = Red Hat Container Development Kit 3.6 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.13-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-nhc-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1.4-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-rt-rpms] +name = Red Hat Enterprise Linux 9 for 
$basearch - Real Time (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[application-interconnect-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Application Interconnect for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[amq-clients-3-for-rhel-9-$basearch-rpms] +name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (Debug RPMS) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.12-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.15-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.14-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.5-debug-rpms] +name = Red Hat Container Development Kit 3.5 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.14-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-eus-debug-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (Debug RPMS) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.12-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container 
Platform 4.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem +sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-cuda-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem 
+sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
+
+[amq-textonly-1-for-middleware-rpms]
+name = Red Hat JBoss AMQ Text-Only Advisories
+baseurl = https://cdn.redhat.com/content/dist/middleware/amq/1.0/$basearch/os
+enabled = 0
+gpgcheck = 1
+gpgkey = file://
+sslverify = 1
+sslcacert = /etc/rhsm/ca/redhat-uep.pem
+sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem
+sslclientcert = /etc/pki/entitlement/2255514471793686508.pem
+sslverifystatus = 1
+metadata_expire = 86400
+enabled_metadata = 0
diff --git a/rpm/rpms.in.yaml b/rpm/rpms.in.yaml
new file mode 100644
index 0000000000..aace2dbde6
--- /dev/null
+++ b/rpm/rpms.in.yaml
@@ -0,0 +1,10 @@
+packages: [pkg-config, perl-FindBin, openssl-devel, perl-lib, perl-IPC-Cmd, perl-File-Compare, perl-File-Copy, clang-devel, tpm2-tss-devel, protobuf-compiler, meson]
+contentOrigin:
+ repofiles:
+ - ./ubi.repo
+ - ./redhat.repo
+arches:
+ - x86_64
+ - s390x
+context:
+ image: registry.access.redhat.com/ubi9/ubi-minimal:9.5-1741850109
diff --git a/rpm/rpms.lock.yaml b/rpm/rpms.lock.yaml
new file mode 100644
index 0000000000..2e6e588eeb
--- /dev/null
+++ b/rpm/rpms.lock.yaml
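Review bot: In `rpm/rpms.in.yaml` the `context.image` entry pins the base image by tag only (`ubi-minimal:9.5-1741850109`), and a tag can be re-pointed, so regenerating the lockfile is not guaranteed to resolve against the same installed package set. Pinning by digest would make that input immutable, e.g. `image: registry.access.redhat.com/ubi9/ubi-minimal@sha256:<digest-of-9.5-1741850109>` (placeholder; take the digest from the registry). Separately, `repofiles` lists `./redhat.repo`, whose sections in this patch hard-code `sslclientkey` and `sslclientcert` to one host's entitlement serial under `/etc/pki/entitlement/`. Resolution on any other machine presumably depends on those exact paths existing, so a comment above `repofiles` saying how the file was produced and which entitlement it expects would help whoever regenerates `rpms.lock.yaml`.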
@@ -0,0 +1,2052 @@ +--- +lockfileVersion: 1 +lockfileVendor: redhat +arches: +- arch: s390x + packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cargo-1.84.1-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 9343822 + checksum: sha256:015d8303af3cd97dc7f188516364f6599f8359b08c43380afbcbff82e2fec5b0 + name: cargo + evr: 1.84.1-1.el9 + sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/checkpolicy-3.6-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 351280 + checksum: sha256:f2637770a250890cc2f6168a6457d92b6cefe53a8c5699e3b789fda6020d0311 + name: checkpolicy + evr: 3.6-1.el9 + sourcerpm: checkpolicy-3.6-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/clang-19.1.7-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 88784 + checksum: sha256:2baaacf48f9982ec103f07cc42c8ba9f74c07bb8f635bb169c90e2acef053eb0 + name: clang + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/clang-devel-19.1.7-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 3830312 + checksum: sha256:d25cc0783ce1025a3a3c9de23fe16b26c36e069abbfb224b14e40a3e767f30dd + name: clang-devel + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/clang-libs-19.1.7-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 37332908 + checksum: sha256:c7e6ff97cd3e4b8ff7014a9c60f847231608e0d2d2f19c48cc3743e4f7203093 + name: clang-libs + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/clang-resource-filesystem-19.1.7-2.el9.s390x.rpm + repoid: 
ubi-9-for-s390x-appstream-rpms + size: 18645 + checksum: sha256:1e31b8384287326d29d85deb768ba6504ae1d2bd3d37cda0440b48d7f977672c + name: clang-resource-filesystem + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/clang-tools-extra-19.1.7-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21605429 + checksum: sha256:e2fc410d1d013c2664dc83ea9265de2ca512f0a356bcad08d0165dbca9fe97ef + name: clang-tools-extra + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cmake-filesystem-3.26.5-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 23417 + checksum: sha256:7ac89ff59d4c39b0cb1b043e3a98e6b279de695c2a1400f066244bc051b6ef0d + name: cmake-filesystem + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/compiler-rt-19.1.7-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 1792169 + checksum: sha256:85b62e2424e12b3bc9678b886e2cd321d98e8739e038e931c626380a58ea0556 + name: compiler-rt + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cpp-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 8598616 + checksum: sha256:92f3044d78cb814b129227a00049574f2329707114de205a74903442272876ad + name: cpp + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/e/emacs-filesystem-27.2-13.el9_6.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 9758 + checksum: sha256:624b6683efb3e254eb8f44a927772ec251a841803b7f693f9c6ad0651e694557 + name: emacs-filesystem + evr: 1:27.2-13.el9_6 + sourcerpm: 
emacs-27.2-13.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 26862907 + checksum: sha256:02d5e8f44d5cbe3c8b9aabc76b0321d6b501bfb53ff0f5ca87d76339a0a3120d + name: gcc + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-c++-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 10700633 + checksum: sha256:4151570b0ce73fc9d0b697e6582ec8b9cb08629025b17d680228ace3d8621b15 + name: gcc-c++ + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-toolset-14-binutils-2.41-3.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 6318631 + checksum: sha256:74127134323de8295a87ca15d66753aef3e6cb60de1ec724f0325a27715ad253 + name: gcc-toolset-14-binutils + evr: 2.41-3.el9 + sourcerpm: gcc-toolset-14-binutils-2.41-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-toolset-14-gcc-14.2.1-7.1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 39525304 + checksum: sha256:cd61dd9ac8b609ee96a125731bea09f892309441d7493259caa8cd41fb490834 + name: gcc-toolset-14-gcc + evr: 14.2.1-7.1.el9 + sourcerpm: gcc-toolset-14-gcc-14.2.1-7.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-toolset-14-gcc-c++-14.2.1-7.1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12648797 + checksum: sha256:cd11adf80e757c0b3ed94bd5c8d2b331fde2d525fc941d612b7e3cfe57b913c0 + name: gcc-toolset-14-gcc-c++ + evr: 14.2.1-7.1.el9 + sourcerpm: gcc-toolset-14-gcc-14.2.1-7.1.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-toolset-14-libstdc++-devel-14.2.1-7.1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 3926411 + checksum: sha256:64317965413f3f7ff881db43d73ffdf51fb778087604886abd5388d2309dbbdb + name: gcc-toolset-14-libstdc++-devel + evr: 14.2.1-7.1.el9 + sourcerpm: gcc-toolset-14-gcc-14.2.1-7.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-toolset-14-runtime-14.0-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 63169 + checksum: sha256:b553dfb079c3109a901d054dc23e7e6c21f2527aeab7b7a8a9d4b5b9eb199aec + name: gcc-toolset-14-runtime + evr: 14.0-1.el9 + sourcerpm: gcc-toolset-14-14.0-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/glibc-devel-2.34-168.el9_6.14.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 43394 + checksum: sha256:e9751a71c8231e366bead94e27acb937ffca292b23e93feaeae2422f0e6f8b60 + name: glibc-devel + evr: 2.34-168.el9_6.14 + sourcerpm: glibc-2.34-168.el9_6.14.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/glibc-headers-2.34-168.el9_6.14.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 545348 + checksum: sha256:313b196cef60c688ca2189f8bc3b94eff54b1610088a9bdef422d2a54b426bc6 + name: glibc-headers + evr: 2.34-168.el9_6.14 + sourcerpm: glibc-2.34-168.el9_6.14.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/k/kernel-headers-5.14.0-570.17.1.el9_6.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 3671885 + checksum: sha256:588834117164357cde3790541f872931129785dcc44763fbf8cc7a42583cda90 + name: kernel-headers + evr: 5.14.0-570.17.1.el9_6 + sourcerpm: kernel-5.14.0-570.17.1.el9_6.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libasan-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 415917 + checksum: sha256:91d33d57fe341c0e7bb8add0807a548a627c198e48a1ea3165996fb0be0091f3 + name: libasan + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libcurl-devel-7.76.1-31.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 1002927 + checksum: sha256:8d1cb508dd85e5ec6b5b7c299edbfc7bb02b5dc6926fab2c78779a902a727cd2 + name: libcurl-devel + evr: 7.76.1-31.el9 + sourcerpm: curl-7.76.1-31.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libmpc-1.2.1-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 66959 + checksum: sha256:5d57ddf803a764bbbf229ccb71c8b4fbeed604b39858174d8ffee1b24510cc8c + name: libmpc + evr: 1.2.1-4.el9 + sourcerpm: libmpc-1.2.1-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libstdc++-devel-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 2518321 + checksum: sha256:f078c48270e8744e704b45e166fd080daecf8e86f5273b6f21d63f23d0b64b4f + name: libstdc++-devel + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libubsan-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 182931 + checksum: sha256:99d963811e5de62be130bfebe8033eedf97b39c0061a62c650ab9fc5177825eb + name: libubsan + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libxcrypt-devel-4.4.18-3.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 33073 + checksum: 
sha256:b3f6b6b72b5c96a8527e6dd46c421066f94d48f0ada76bbc638bf89f81b19360 + name: libxcrypt-devel + evr: 4.4.18-3.el9 + sourcerpm: libxcrypt-4.4.18-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/llvm-libs-19.1.7-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 40096334 + checksum: sha256:92c4382e1fb58523e6673d97c3afbbdda42fcbba229adf73ac0603f0ac0570df + name: llvm-libs + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/o/openssl-devel-3.2.2-6.el9_5.1.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 4650765 + checksum: sha256:2e3029dbd402015ec123789ce24837a75cf603730f75cce0b5d955931bfe2a82 + name: openssl-devel + evr: 1:3.2.2-6.el9_5.1 + sourcerpm: openssl-3.2.2-6.el9_5.1.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-AutoLoader-5.74-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21821 + checksum: sha256:52cda881960f48be35a47ba1c54f242efac1ab0d1fd74b0e2bcb48a1723907c8 + name: perl-AutoLoader + evr: 5.74-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-B-1.80-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 187245 + checksum: sha256:5ece1abe7dc859bda9ba38a5da302a9e06738ed32fcb1a65889c7d0b4e595f2d + name: perl-B + evr: 1.80-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Carp-1.50-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 32039 + checksum: sha256:c51470a55b1dce42f944bdea06a10469f5a42d55be898a33c2fed3a99843fbb2 + name: perl-Carp + evr: 1.50-460.el9 + sourcerpm: perl-Carp-1.50-460.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Class-Struct-0.66-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 22914 + checksum: sha256:45347749c36c4750c9083d4784700fb85c3a4c277c3bf69873a1c6ae97ee6c4b + name: perl-Class-Struct + evr: 0.66-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Data-Dumper-2.174-462.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 58967 + checksum: sha256:ff0d38ef2fba9f29f6a94f6241a674b131e8270c6b3c1a43c1209eb88d796b29 + name: perl-Data-Dumper + evr: 2.174-462.el9 + sourcerpm: perl-Data-Dumper-2.174-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Digest-1.19-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 29409 + checksum: sha256:e0b8633f818467f9e1bf46b9c0012af7bf8a309ac64e903a2a9faf3fae7705f9 + name: perl-Digest + evr: 1.19-4.el9 + sourcerpm: perl-Digest-1.19-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Digest-MD5-2.58-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 39755 + checksum: sha256:038edb5a5a8fc94c33e75ff4e7b6b1332c645e6f516a2d86e420dd41758db033 + name: perl-Digest-MD5 + evr: 2.58-4.el9 + sourcerpm: perl-Digest-MD5-2.58-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Encode-3.08-462.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 1840299 + checksum: sha256:fc7d3f9d0c72ce6ae2b8725f933fe1dff4f2449eebb752a0d8f35b6e7275c31b + name: perl-Encode + evr: 4:3.08-462.el9 + sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Errno-1.30-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 15297 + 
checksum: sha256:2cfe4e77ff58094df267115cf4f5bc2762e8fa36ffc0e3ccc04b4030d9ac36ca + name: perl-Errno + evr: 1.30-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Exporter-5.74-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 34509 + checksum: sha256:888e14ebd70c2b69150873236b0df7c3a29c9edd488fd8488527c179e798b409 + name: perl-Exporter + evr: 5.74-461.el9 + sourcerpm: perl-Exporter-5.74-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-MM-Utils-7.60-3.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14176 + checksum: sha256:51d7199c10886580e6cbff82546a34f26b2d5b894dcc338e28b1b55938f50ae3 + name: perl-ExtUtils-MM-Utils + evr: 2:7.60-3.el9 + sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Fcntl-1.13-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21909 + checksum: sha256:104f949af49259a84832c1b272d44120d86433facbf798bd764241c0c1977ab3 + name: perl-Fcntl + evr: 1.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Basename-2.85-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 17916 + checksum: sha256:746f919f1aebc91a28f00e20eda7b41991db9e50abf2fa22cd7f8168a8f9898a + name: perl-File-Basename + evr: 2.85-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Compare-1.100.600-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13854 + checksum: sha256:2108ae5f9e3edf870a30a717b6cf999be70b36e50b715b02d5256cdf07f91764 + name: perl-File-Compare + evr: 1.100.600-481.el9 + sourcerpm: 
perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Copy-2.34-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 20838 + checksum: sha256:d547160cfc5e02e3381116185cc5c125c680c2fab6ab7e6696fd95b8e4fdbb4a + name: perl-File-Copy + evr: 2.34-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Find-1.37-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 26277 + checksum: sha256:e388937b023c024de285a5b50fe3f44722c18207d7d854aff302f4ad3c8742f4 + name: perl-File-Find + evr: 1.37-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Path-2.18-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 38466 + checksum: sha256:d1df5e509c10365eaa329a0b97e38bc2667874240d3942195eb6ce7a88985a41 + name: perl-File-Path + evr: 2.18-4.el9 + sourcerpm: perl-File-Path-2.18-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Temp-0.231.100-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 64150 + checksum: sha256:0a81b062391ac6dac3ec28ff1e435001dd798cf1ff19fdb52cfe1e0720d5de03 + name: perl-File-Temp + evr: 1:0.231.100-4.el9 + sourcerpm: perl-File-Temp-0.231.100-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-stat-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 17853 + checksum: sha256:355aba30d043f829e4e7e70466564ba85f65f7a2416aba0ceddfc9e59288aab4 + name: perl-File-stat + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-FileHandle-2.03-481.el9.noarch.rpm + repoid: 
ubi-9-for-s390x-appstream-rpms + size: 15921 + checksum: sha256:480ac4c1de2c1e1f94ed8895793b93d96bd50dc95e6e4fa9c39a82a24998f717 + name: perl-FileHandle + evr: 2.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-FindBin-1.51-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14336 + checksum: sha256:43ef0a61ba09f0213bf7eaf3af905d98b4879fa3e383f1340cad23de1ae46f67 + name: perl-FindBin + evr: 1.51-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Getopt-Long-2.52-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 65144 + checksum: sha256:055fe33d2a7a421c1de8902b86a2f246ef6457774239d04b604f2d0ec6a00a14 + name: perl-Getopt-Long + evr: 1:2.52-4.el9 + sourcerpm: perl-Getopt-Long-2.52-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Getopt-Std-1.12-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16222 + checksum: sha256:c9c6209474ec44ca5b070ffb147589359c551757f95b358a8f35d2627c4950cf + name: perl-Getopt-Std + evr: 1.12-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-HTTP-Tiny-0.076-462.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 58720 + checksum: sha256:696f388a50f5be81596757d68251067449203e1c126ee8c23a7c5a0ad1ac5418 + name: perl-HTTP-Tiny + evr: 0.076-462.el9 + sourcerpm: perl-HTTP-Tiny-0.076-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-I18N-LangTags-0.44-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 57020 + checksum: sha256:5812d857fdf616511fc9f4b7ed463f9e3126d85166d56bdd7c7a64d8c2db41bb + name: perl-I18N-LangTags + evr: 0.44-481.el9 + 
sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-1.43-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 94321 + checksum: sha256:9f4772af37e381d3f124b8f74523ffe2e6e6f09c38c8e602e6015e01167dc81a + name: perl-IO + evr: 1.43-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-Socket-IP-0.41-5.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 46457 + checksum: sha256:4c80030ce256198584c4a58171b9dfe3adb4a8d7593110229e40ece76786a32f + name: perl-IO-Socket-IP + evr: 0.41-5.el9 + sourcerpm: perl-IO-Socket-IP-0.41-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-Socket-SSL-2.073-2.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 226003 + checksum: sha256:b52d5b6a5081e3c142b2364b3f1ef58f569b39052df045f24363de9bb4f9cfd2 + name: perl-IO-Socket-SSL + evr: 2.073-2.el9 + sourcerpm: perl-IO-Socket-SSL-2.073-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IPC-Cmd-1.04-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 42803 + checksum: sha256:353b04bed7229ce354a4d63ba213c4e18fe739c4732061957946b84853d5b3ce + name: perl-IPC-Cmd + evr: 2:1.04-461.el9 + sourcerpm: perl-IPC-Cmd-1.04-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IPC-Open3-1.21-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24124 + checksum: sha256:422c83bcdd2f84d9751fe4ea289e6bc8bfbc41e6540d6482671317fbc2ff1a17 + name: perl-IPC-Open3 + evr: 1.21-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Locale-Maketext-1.29-461.el9.noarch.rpm + 
repoid: ubi-9-for-s390x-appstream-rpms + size: 101003 + checksum: sha256:97cfef112a414049f85495cbec570b8c63d7260410f72cb2e1480a67fc7e9e68 + name: perl-Locale-Maketext + evr: 1.29-461.el9 + sourcerpm: perl-Locale-Maketext-1.29-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Locale-Maketext-Simple-0.21-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18568 + checksum: sha256:20fd5bd35208c94b669179c7e6a295a6fe6abee69e0ce284e0ab25562bcff9c3 + name: perl-Locale-Maketext-Simple + evr: 1:0.21-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-MIME-Base64-3.16-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 34885 + checksum: sha256:8f97e46c1a3e84b84b9232f2f90a4b14193651907853c54453b3045ad2028d71 + name: perl-MIME-Base64 + evr: 3.16-4.el9 + sourcerpm: perl-MIME-Base64-3.16-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-CoreList-5.20240609-1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 92615 + checksum: sha256:fe85ea513ac696ce4d4bd5565259d89edde346d5a049d0eed153eac988ef73fd + name: perl-Module-CoreList + evr: 1:5.20240609-1.el9 + sourcerpm: perl-Module-CoreList-5.20240609-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Load-0.36-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 20052 + checksum: sha256:ada066ac44fd73ec87ea376a6d6715cf77b086354217fdc7a197c909da3bb099 + name: perl-Module-Load + evr: 1:0.36-4.el9 + sourcerpm: perl-Module-Load-0.36-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Load-Conditional-0.74-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25464 + checksum: 
sha256:58a5364d77607678e4e628f5bdd3d33641e2f6083c2985c1bc5045401ae65a60 + name: perl-Module-Load-Conditional + evr: 0.74-4.el9 + sourcerpm: perl-Module-Load-Conditional-0.74-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Metadata-1.000037-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 39221 + checksum: sha256:f053b34c911e5f3daf16c0ffc5ff752f47a0d016e1cc1ac51d4425fbe2a1ac15 + name: perl-Module-Metadata + evr: 1.000037-460.el9 + sourcerpm: perl-Module-Metadata-1.000037-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Mozilla-CA-20200520-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14781 + checksum: sha256:99030bfb6a1a2ac41e0720841abaa8ba58c26e91640f4058cc6133e227e928a7 + name: perl-Mozilla-CA + evr: 20200520-6.el9 + sourcerpm: perl-Mozilla-CA-20200520-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-NDBM_File-1.15-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 23301 + checksum: sha256:fbc4a82b9b58f387cd37d933cc9b9cd806fffa907b0badb95319c0afe7895edc + name: perl-NDBM_File + evr: 1.15-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Net-SSLeay-1.94-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 420925 + checksum: sha256:09b0c78a08dd574bd18a2624d7465c232f837d163d3092fd5269c7d1f9ba2b9f + name: perl-Net-SSLeay + evr: 1.94-1.el9 + sourcerpm: perl-Net-SSLeay-1.94-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-POSIX-1.94-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 98473 + checksum: sha256:c3bcc3c44cfb5891957a91beb816647f9c029ed1fd5269bf3dd76ac07c3a1ca3 + name: perl-POSIX + evr: 1.94-481.el9 + 
sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Params-Check-0.38-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24764 + checksum: sha256:a6cf1009e3f1dfe50e00421b11d43c413e7e4ee8c6931195256a3cb40e1baf7b + name: perl-Params-Check + evr: 1:0.38-461.el9 + sourcerpm: perl-Params-Check-0.38-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-PathTools-3.78-461.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 94193 + checksum: sha256:17e3e5683430884d109b66e962b48609e5373cb931508f1b33dd50cc723fb3f0 + name: perl-PathTools + evr: 3.78-461.el9 + sourcerpm: perl-PathTools-3.78-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Escapes-1.07-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 22564 + checksum: sha256:42fa08cc02a405933395316610a56e2bff58f6f7be16e9a063ec634747199bc0 + name: perl-Pod-Escapes + evr: 1:1.07-460.el9 + sourcerpm: perl-Pod-Escapes-1.07-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Perldoc-3.28.01-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 93727 + checksum: sha256:db3285dbe77ddc822d6bb847f857ea7032786cf7996b26d6c01481903b6d26e0 + name: perl-Pod-Perldoc + evr: 3.28.01-461.el9 + sourcerpm: perl-Pod-Perldoc-3.28.01-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Simple-3.42-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 234403 + checksum: sha256:2752454ce47a46227c6b7b98a5d9a25dcf3a992f27109a726744a66cd93c7b9a + name: perl-Pod-Simple + evr: 1:3.42-4.el9 + sourcerpm: perl-Pod-Simple-3.42-4.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Usage-2.01-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 44477 + checksum: sha256:c170870a2d1ff32048d13497fa67c382fe5aaf3d8d21bae639356ac28003dba9 + name: perl-Pod-Usage + evr: 4:2.01-4.el9 + sourcerpm: perl-Pod-Usage-2.01-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Scalar-List-Utils-1.56-462.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 76007 + checksum: sha256:91ab5182f214cab34e0d60512f49b47cb955880c85473223235a1a7b3d363587 + name: perl-Scalar-List-Utils + evr: 4:1.56-462.el9 + sourcerpm: perl-Scalar-List-Utils-1.56-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-SelectSaver-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12017 + checksum: sha256:c4f02fdf5b501ab67b4824fc4473ba420f482254ad82e90b546d9b10a5464820 + name: perl-SelectSaver + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Socket-2.031-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 59192 + checksum: sha256:fc509d48144bfdaf80b150ff406951d69b4d8c70ed6906a749907b20862b29c2 + name: perl-Socket + evr: 4:2.031-4.el9 + sourcerpm: perl-Socket-2.031-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Storable-3.21-460.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 96993 + checksum: sha256:9a59d8714da2398e22eb689f445e80c7e7842b87c49c6ff0112e8de30f2a738e + name: perl-Storable + evr: 1:3.21-460.el9 + sourcerpm: perl-Storable-3.21-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Symbol-1.08-481.el9.noarch.rpm + repoid: 
ubi-9-for-s390x-appstream-rpms + size: 14535 + checksum: sha256:2364cd3b0a19572b16a1379c228046a405851bcd0676860a6aeb9bcb3869498f + name: perl-Symbol + evr: 1.08-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-ANSIColor-5.01-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 52228 + checksum: sha256:996148d460395369394e9d4721e9000c5b2fa34ee800390a4a9d885b6db95b23 + name: perl-Term-ANSIColor + evr: 5.01-461.el9 + sourcerpm: perl-Term-ANSIColor-5.01-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-Cap-1.17-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25043 + checksum: sha256:015a6d02b9c84bd353680d4bad61f3c8d297c53c3a43325e08e4ac4b48f97f17 + name: perl-Term-Cap + evr: 1.17-460.el9 + sourcerpm: perl-Term-Cap-1.17-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-ParseWords-3.30-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18680 + checksum: sha256:4d47f3ba0ce454be5d781e968cfe15f01f393e68a47c415f35c0d88358ab4af9 + name: perl-Text-ParseWords + evr: 3.30-460.el9 + sourcerpm: perl-Text-ParseWords-3.30-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-Tabs+Wrap-2013.0523-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25935 + checksum: sha256:5ad6ef70bbb4ba8d5cfd6ee0b3dda0ddc8cf0103199959499944019a66f7edcd + name: perl-Text-Tabs+Wrap + evr: 2013.0523-460.el9 + sourcerpm: perl-Text-Tabs+Wrap-2013.0523-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Time-HiRes-1.9764-462.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 61416 + checksum: 
sha256:dd4edf12e362c0d60b4b0e1a1704a9a65d1f56178260c5f69ae206e55de34e32 + name: perl-Time-HiRes + evr: 4:1.9764-462.el9 + sourcerpm: perl-Time-HiRes-1.9764-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Time-Local-1.300-7.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 37469 + checksum: sha256:e8e1e692b6e52cdb69515b2ad44b84ca71917bea5f47908cb9ae89b2bbd145a1 + name: perl-Time-Local + evr: 2:1.300-7.el9 + sourcerpm: perl-Time-Local-1.300-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-URI-5.09-3.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 128279 + checksum: sha256:1635b7d818e4f70445f7207f13e058c63c5d1f5aa081cfd2583912ae45f8e1bd + name: perl-URI + evr: 5.09-3.el9 + sourcerpm: perl-URI-5.09-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-base-2.27-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16674 + checksum: sha256:dab1d27f285d579c9783e80817f98a2835e7bf06842d704a7f85cfdb7ab4b0a3 + name: perl-base + evr: 2.27-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-constant-1.33-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25865 + checksum: sha256:8ab94e13cab4e7eee081c7618ea7738b072d8093631d97b8b1f83bff893cf892 + name: perl-constant + evr: 1.33-461.el9 + sourcerpm: perl-constant-1.33-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-if-0.60.800-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14343 + checksum: sha256:714022b8937ed9c6d4638b99aef0a8426b782e7948019b50b06d9cd2e32e454a + name: perl-if + evr: 0.60.800-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-interpreter-5.32.1-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 74659 + checksum: sha256:69d043b4a38e8afe1cd666042f8b2c2831456af0b31cd62fb424ea39d5d8e526 + name: perl-interpreter + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-lib-0.65-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 15294 + checksum: sha256:945d08e30ea6f83a8d280462213c5f19b02c356a9fcf05c13133113affc038dc + name: perl-lib + evr: 0.65-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-libnet-3.13-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 137289 + checksum: sha256:79156f91a2ee21fb96f10e331047c55ff913e36f9a13ff89d0a479f0fc4dcb98 + name: perl-libnet + evr: 3.13-4.el9 + sourcerpm: perl-libnet-3.13-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-libs-5.32.1-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 2271578 + checksum: sha256:076ad9f3bc76b9385f0d7c36852416f7ca82b28719c1a7b0494119b04a18a87b + name: perl-libs + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-locale-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14021 + checksum: sha256:35930019be1e37fa53b29cc9af6326443a96817024120948ca89556b1db06eda + name: perl-locale + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-mro-1.23-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 29629 + checksum: 
sha256:a1cc6373ca3cd555000980381295bcc087c6c3e0f91743674ef6accf0f38d53d + name: perl-mro + evr: 1.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-overload-1.31-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 46643 + checksum: sha256:813598b9d9a3ada4975144cf0dd0f25906589a92c7708556dcbf464501d72848 + name: perl-overload + evr: 1.31-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-overloading-0.02-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13658 + checksum: sha256:feca093162af099f769448e95170a357f2d2bd66da36299d1a999782d57da51d + name: perl-overloading + evr: 0.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-parent-0.238-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16286 + checksum: sha256:a9b2ccc25a5ed5cc024935ef573772e203ed363f67dd5acc0d2ad5907498c463 + name: perl-parent + evr: 1:0.238-460.el9 + sourcerpm: perl-parent-0.238-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-podlators-4.14-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 121317 + checksum: sha256:0401f715522a14b53956bccb60954025ad18a73802f7144ab0160d8504951a98 + name: perl-podlators + evr: 1:4.14-460.el9 + sourcerpm: perl-podlators-4.14-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-subs-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 11986 + checksum: sha256:df6327eb3774c2254fc45c630cedf3b32b3bdd7f146bf25ffe0342f9904dac43 + name: perl-subs + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-vars-1.05-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13347 + checksum: sha256:c54caddd2a5adaf84088833a9eb126e772b6db090800c3293b819f432ddd6b6c + name: perl-vars + evr: 1.05-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-version-0.99.28-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 68117 + checksum: sha256:5036498e5a93e0c493714c023c150add5d962926d7a5d7a374ee2321137df4c8 + name: perl-version + evr: 7:0.99.28-4.el9 + sourcerpm: perl-version-0.99.28-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/policycoreutils-python-utils-3.6-2.1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 82931 + checksum: sha256:fcbe07b75cd10b0a2752d558a8b7750cb13b59473439701d8c568195f05c3805 + name: policycoreutils-python-utils + evr: 3.6-2.1.el9 + sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-audit-3.1.5-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 86794 + checksum: sha256:86f2ff5d8522aef9565c6c7f7ec3804b6d3e8abe95341d8d4e97a4e625817d4b + name: python3-audit + evr: 3.1.5-4.el9 + sourcerpm: audit-3.1.5-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-distro-1.5.0-7.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 41452 + checksum: sha256:5cf4276217a72649895226707d4c0e3edd6ea64b66702793fab3907177c73069 + name: python3-distro + evr: 1.5.0-7.el9 + sourcerpm: python-distro-1.5.0-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-libselinux-3.6-3.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 
190360 + checksum: sha256:9b63e1e8127bef69a37c2486fec1b7be29c1719dd8f23b92ca88abae7a9d466b + name: python3-libselinux + evr: 3.6-3.el9 + sourcerpm: libselinux-3.6-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-libsemanage-3.6-5.el9_6.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 82324 + checksum: sha256:e02938adb70a3b7533980c3f0b39b06b3d2e5fb51066e3aabb81ebd041a58253 + name: python3-libsemanage + evr: 3.6-5.el9_6 + sourcerpm: libsemanage-3.6-5.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-policycoreutils-3.6-2.1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 2216589 + checksum: sha256:7dbe7be855cc83e372add890e9e0c5256ef57132d9731b5db204c425bf21b194 + name: python3-policycoreutils + evr: 3.6-2.1.el9 + sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/r/rust-1.84.1-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 33187606 + checksum: sha256:a0650bfc4f62ab8d4a290449cdd32f987ae5d106e39a78fa59330b157d74c874 + name: rust + evr: 1.84.1-1.el9 + sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/r/rust-std-static-1.84.1-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 41258551 + checksum: sha256:b03b19fafc2da5ee842d47c8aa3bd7d0f241512803ff2ad0fb0e9b511808cc46 + name: rust-std-static + evr: 1.84.1-1.el9 + sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/s/scl-utils-2.0.3-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 42078 + checksum: sha256:7cca48a078a95be13fdd27ffcce12a35a962712ebf44de2b6bd2a948fc93a806 + name: scl-utils + evr: 1:2.0.3-4.el9 + sourcerpm: scl-utils-2.0.3-4.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/b/binutils-2.35.2-63.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 4761844 + checksum: sha256:ba70deb6c9b7003dc263aace0b80c1405528a34b6740d1dabae51bfc44eda6e2 + name: binutils + evr: 2.35.2-63.el9 + sourcerpm: binutils-2.35.2-63.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/b/binutils-gold-2.35.2-63.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 845926 + checksum: sha256:8f053eec2b5d8ee31a4e6d9ed8f951dc34547bc0367fd2e2f41a229c5d9b7fc7 + name: binutils-gold + evr: 2.35.2-63.el9 + sourcerpm: binutils-2.35.2-63.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/d/diffutils-3.7-12.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 410465 + checksum: sha256:a8015025ca40048059576a71f398c47d4b563e6a91e1e27a453f9212312df259 + name: diffutils + evr: 3.7-12.el9 + sourcerpm: diffutils-3.7-12.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/e/elfutils-debuginfod-client-0.192-5.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 47079 + checksum: sha256:04e1d2dda2356b469252a7b2324b3070ae52700bd9d86bbe58222f611eb1d83d + name: elfutils-debuginfod-client + evr: 0.192-5.el9 + sourcerpm: elfutils-0.192-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/e/environment-modules-5.3.0-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 605410 + checksum: sha256:b091c6f3976a51a421b3e3b373816ce843317e7a396167d572cd8efe6e9b7728 + name: environment-modules + evr: 5.3.0-1.el9 + sourcerpm: environment-modules-5.3.0-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/g/groff-base-1.22.4-10.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 1100747 + checksum: 
sha256:b71dbcd97e524881fe496c1c98db06bcae426f52ea27ce8c8e4107cb962287eb + name: groff-base + evr: 1.22.4-10.el9 + sourcerpm: groff-1.22.4-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/j/jansson-2.14-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 47657 + checksum: sha256:3da6821430545cab897d8119cc63c24c7dde32a8604b89f4fc0dd98beaf2714a + name: jansson + evr: 2.14-1.el9 + sourcerpm: jansson-2.14-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/l/less-590-5.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 171249 + checksum: sha256:6247768a946e7bc82094bf4690063b740c5ee9698692468145c8a4d3c95c6f7c + name: less + evr: 590-5.el9 + sourcerpm: less-590-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/l/libatomic-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 27863 + checksum: sha256:3e81dacf0b4a4e02baf95e00960776fb0bf148d3fabcba514cd6b3e4749edd0c + name: libatomic + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/l/libedit-3.1-38.20210216cvs.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 107657 + checksum: sha256:7e6661f35f325ac458e1c6ba5e18ccb49685a043cef5296155be1124fd5e8d86 + name: libedit + evr: 3.1-38.20210216cvs.el9 + sourcerpm: libedit-3.1-38.20210216cvs.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/l/libpipeline-1.5.3-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 52473 + checksum: sha256:9319d8a68483d71eb367f8f8d609f3f2154aea65e17345ceba55bdb32a74722e + name: libpipeline + evr: 1.5.3-4.el9 + sourcerpm: libpipeline-1.5.3-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/l/libpkgconf-1.7.3-10.el9.s390x.rpm 
+ repoid: ubi-9-for-s390x-baseos-rpms + size: 37876 + checksum: sha256:fa1da3b44d85663cceaa0faf8eb5f2f7325cc83c381d6018f303edd06cab5938 + name: libpkgconf + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/l/libselinux-utils-3.6-3.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 197292 + checksum: sha256:315c92b1796174b7c43dfec36440f8cba66e223cfbed922c6978a4bfe4983c6d + name: libselinux-utils + evr: 3.6-3.el9 + sourcerpm: libselinux-3.6-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/m/make-4.3-8.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 553451 + checksum: sha256:09c0e578e23112cb98e2234f9587fe7b6def2ae6a4b16e6d52559d546389f4d1 + name: make + evr: 1:4.3-8.el9 + sourcerpm: make-4.3-8.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/m/man-db-2.9.3-7.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 1241607 + checksum: sha256:63d99f31062dc13c164dc9c426cf4e037f39c81830866bc15fdf1e437508921c + name: man-db + evr: 2.9.3-7.el9 + sourcerpm: man-db-2.9.3-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/n/ncurses-6.2-10.20210508.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 420996 + checksum: sha256:a3063a87b4a25b32475b0125f64502dbfad70cc3c565354a2b45c965553d9a58 + name: ncurses + evr: 6.2-10.20210508.el9 + sourcerpm: ncurses-6.2-10.20210508.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/p/pkgconf-1.7.3-10.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 45258 + checksum: sha256:a5f966f792cacc4696e4187593a915fb56452dd272cf4c81d930968adb3ee00c + name: pkgconf + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/p/pkgconf-m4-1.7.3-10.el9.noarch.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 16054 + checksum: sha256:91bafd6e06099451f60288327b275cfcc651822f6145176a157c6b0fa5131e02 + name: pkgconf-m4 + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/p/pkgconf-pkg-config-1.7.3-10.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 12411 + checksum: sha256:ef854bfe75102d994afb58510121164c4b9b8359b7d983cd8904c425a175b750 + name: pkgconf-pkg-config + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/p/policycoreutils-3.6-2.1.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 250884 + checksum: sha256:7644ce00b6c873350865682790524f50ea81f3ae72a81f4547d6f9bdfa0fd49c + name: policycoreutils + evr: 3.6-2.1.el9 + sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/p/procps-ng-3.3.17-14.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 354331 + checksum: sha256:540d734809d1a9ef380a47c5ef3039b2ab736bea53ba8f34d2456d654dc92f1b + name: procps-ng + evr: 3.3.17-14.el9 + sourcerpm: procps-ng-3.3.17-14.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/p/python3-setools-4.4.4-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 599860 + checksum: sha256:71afade33b960abc643c3be442ee590ed1c845f07f4877ae65b76761104cbd8b + name: python3-setools + evr: 4.4.4-1.el9 + sourcerpm: setools-4.4.4-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/t/tcl-8.6.10-7.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 1120943 + checksum: 
sha256:2c05d698a7cced9313984349224a327b06d96a5bc696645bdafe7a41fb159da6 + name: tcl + evr: 1:8.6.10-7.el9 + sourcerpm: tcl-8.6.10-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/v/vim-filesystem-8.2.2637-22.el9_6.noarch.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 17723 + checksum: sha256:744aceed764a5a4f5e4f12a70237ff74cb93c375aabffe4dc245e474628775c2 + name: vim-filesystem + evr: 2:8.2.2637-22.el9_6 + sourcerpm: vim-8.2.2637-22.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/codeready-builder/os/Packages/m/meson-0.63.3-1.el9.noarch.rpm + repoid: codeready-builder-for-ubi-9-s390x-rpms + size: 1550746 + checksum: sha256:cb174ce7d6adf9c7a4b90ecf3360307485f9c1e4bb006c44190de9cfd41511c7 + name: meson + evr: 0.63.3-1.el9 + sourcerpm: meson-0.63.3-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/codeready-builder/os/Packages/n/ninja-build-1.10.2-6.el9.s390x.rpm + repoid: codeready-builder-for-ubi-9-s390x-rpms + size: 148716 + checksum: sha256:cf488d4dc7518d6ca1df602e07f5d5962ad50e035a40c2b4d22865665af357fa + name: ninja-build + evr: 1.10.2-6.el9 + sourcerpm: ninja-build-1.10.2-6.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/l/libomp-19.1.7-2.el9.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 763030 + checksum: sha256:9f1873d5d8c60a9bb2e962e4f48039e18f3d30b34e7a6b579ba6711cb849046c + name: libomp + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/l/libomp-devel-19.1.7-2.el9.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 671940 + checksum: sha256:f432131cd4cdd34d72522fd521347fc1abafe2cb3f84d432c909667bd4aacd6a + name: libomp-devel + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: 
https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/p/protobuf-3.14.0-16.el9.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 988184 + checksum: sha256:d0a40007e676d188faa8c3f51efece90c57273453979156422e3327e38b45cb9 + name: protobuf + evr: 3.14.0-16.el9 + sourcerpm: protobuf-3.14.0-16.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/codeready-builder/os/Packages/j/json-c-devel-0.14-11.el9.s390x.rpm + repoid: codeready-builder-for-rhel-9-s390x-rpms + size: 52883 + checksum: sha256:c98ea510c031ce3aca1f4d679a4b04aaf608fa285af67d5849b1c685287a5a91 + name: json-c-devel + evr: 0.14-11.el9 + sourcerpm: json-c-0.14-11.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/codeready-builder/os/Packages/p/protobuf-compiler-3.14.0-16.el9.s390x.rpm + repoid: codeready-builder-for-rhel-9-s390x-rpms + size: 842471 + checksum: sha256:e4b7a8b602a99992a82f4b3617120ca1b965dc38c7ec865f99552f685b257f82 + name: protobuf-compiler + evr: 3.14.0-16.el9 + sourcerpm: protobuf-3.14.0-16.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/codeready-builder/os/Packages/t/tpm2-tss-devel-3.2.3-1.el9.s390x.rpm + repoid: codeready-builder-for-rhel-9-s390x-rpms + size: 363546 + checksum: sha256:44c0b03adf59ead09603ff05865ec07381a1b607134cceed3b933b22e67c9d1a + name: tpm2-tss-devel + evr: 3.2.3-1.el9 + sourcerpm: tpm2-tss-3.2.3-1.el9.src.rpm + source: + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/codeready-builder/source/SRPMS/Packages/m/meson-0.63.3-1.el9.src.rpm + repoid: codeready-builder-for-rhel-9-s390x-source-rpms + size: 2073677 + checksum: sha256:54bc08131f4ae18919b3c45a4337182a75eedec96b7fe03f93ee11998c7cc285 + name: meson + evr: 0.63.3-1.el9 + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/codeready-builder/source/SRPMS/Packages/n/ninja-build-1.10.2-6.el9.src.rpm + repoid: codeready-builder-for-rhel-9-s390x-source-rpms + size: 227908 + checksum: 
sha256:0461eebf9c0def0b11f42b9f7e7a455a945da6cbd4796ff015eb2a1dcbae175b + name: ninja-build + evr: 1.10.2-6.el9 + module_metadata: [] +- arch: x86_64 + packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cargo-1.84.1-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 8292467 + checksum: sha256:7dd011cd79a635654ade4e3186c5f7545d692de81157d1ce1d42656eaa6993b2 + name: cargo + evr: 1.84.1-1.el9 + sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/checkpolicy-3.6-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 365931 + checksum: sha256:3d12bc7e21276434108c97561f75d1854283afb73d4fface3b836acee09f8d98 + name: checkpolicy + evr: 3.6-1.el9 + sourcerpm: checkpolicy-3.6-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/clang-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 87057 + checksum: sha256:45e1761db186de48ef401d796b2a676f0f6c396fdc576340d22084acbec8ee65 + name: clang + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/clang-devel-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 3624143 + checksum: sha256:d54b4289e69788f126103fc0cdcdc2c9bb980a3d15d9132421737ceba5916164 + name: clang-devel + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/clang-libs-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 29661529 + checksum: sha256:3a409cbe5739165938c2ace75b9ad316389770d1e6a5f4dd8102088a83efcaff + name: clang-libs + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/clang-resource-filesystem-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18667 + checksum: sha256:06ddf82255d3edb962691aaa0f6e32ef0730f8328db706af17ef91e08f694a94 + name: clang-resource-filesystem + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/clang-tools-extra-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 17562988 + checksum: sha256:30e7fcaa538b7cd50694f5094ceca049bcae2a01fe8f07b8ed29b8219955f733 + name: clang-tools-extra + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cmake-filesystem-3.26.5-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 23450 + checksum: sha256:49fafe6c2b29fdede611a0a78664021d13f7126599e37ebff92bcb06d18f58b6 + name: cmake-filesystem + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/compiler-rt-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 2740021 + checksum: sha256:94ebf353f9ac7f6380ad6aaaf6dfa9a45d97d09a1ca8b707ce2021cbb7ecbc28 + name: compiler-rt + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cpp-11.5.0-5.el9_5.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 11229073 + checksum: sha256:b5567c690d46d4f5a2cb13be6a4f962dbe8cc7e821b9d3baa09a4f10c59014d9 + name: cpp + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/e/emacs-filesystem-27.2-13.el9_6.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 9758 
+ checksum: sha256:624b6683efb3e254eb8f44a927772ec251a841803b7f693f9c6ad0651e694557 + name: emacs-filesystem + evr: 1:27.2-13.el9_6 + sourcerpm: emacs-27.2-13.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-11.5.0-5.el9_5.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 34006000 + checksum: sha256:03c99bc1021dbe54dd93120ed6b5249bbb02dbd5da9e0dc5d8c4a21d674fb1fd + name: gcc + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-c++-11.5.0-5.el9_5.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13479598 + checksum: sha256:b8392274e302d665bc132aee4ed023f8a777d9c446531679ede18150d7867189 + name: gcc-c++ + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-toolset-14-binutils-2.41-3.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 6705766 + checksum: sha256:32873da3e4e6b748adbabfc861a470cf819488e815ed13e91d74d10a1456588e + name: gcc-toolset-14-binutils + evr: 2.41-3.el9 + sourcerpm: gcc-toolset-14-binutils-2.41-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-toolset-14-gcc-14.2.1-7.1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 49305209 + checksum: sha256:58e12d4e70fc72055ca88c1d5f9ba05ec6db5b30b1adc888f0812046e21d40e8 + name: gcc-toolset-14-gcc + evr: 14.2.1-7.1.el9 + sourcerpm: gcc-toolset-14-gcc-14.2.1-7.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-toolset-14-gcc-c++-14.2.1-7.1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 15461279 + checksum: sha256:4e452996206ddd68550f05f61a645f3f62da573c3d44ed2caf008cb58ee61ba0 + name: gcc-toolset-14-gcc-c++ + evr: 14.2.1-7.1.el9 + 
sourcerpm: gcc-toolset-14-gcc-14.2.1-7.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-toolset-14-libstdc++-devel-14.2.1-7.1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 3829766 + checksum: sha256:6bbdf338a40ce4775a59d19368865f0c538be548f00a85c79fc9e8a2f411d226 + name: gcc-toolset-14-libstdc++-devel + evr: 14.2.1-7.1.el9 + sourcerpm: gcc-toolset-14-gcc-14.2.1-7.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-toolset-14-runtime-14.0-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 63200 + checksum: sha256:fccde11b2c1cdf323923829f70631dfa39bc76444bfd1e00e399c21e99a68d30 + name: gcc-toolset-14-runtime + evr: 14.0-1.el9 + sourcerpm: gcc-toolset-14-14.0-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/glibc-devel-2.34-168.el9_6.14.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35566 + checksum: sha256:1565ca914cb58037fc9f50af64be3a43d5ae854b5d30f01882eb06d57c44d52c + name: glibc-devel + evr: 2.34-168.el9_6.14 + sourcerpm: glibc-2.34-168.el9_6.14.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/glibc-headers-2.34-168.el9_6.14.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 554474 + checksum: sha256:10579e7e1a0140841209c023fdb9034aae1b3723ab5807f6e6c61e8dd2dbffa7 + name: glibc-headers + evr: 2.34-168.el9_6.14 + sourcerpm: glibc-2.34-168.el9_6.14.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/k/kernel-headers-5.14.0-570.17.1.el9_6.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 3680573 + checksum: sha256:03dcb738b60220f6576812e7d4c7afdeb732b76d5d48b04c0603cce638b4ee9e + name: kernel-headers + evr: 5.14.0-570.17.1.el9_6 + sourcerpm: kernel-5.14.0-570.17.1.el9_6.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libcurl-devel-7.76.1-31.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 1002994 + checksum: sha256:9293a5052f85020b71bc2c9055ce5274c5c2d6ba9f117f39e089e006f141bd8c + name: libcurl-devel + evr: 7.76.1-31.el9 + sourcerpm: curl-7.76.1-31.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libmpc-1.2.1-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 66075 + checksum: sha256:b97b4e98c3c6f41dcfc2ceb4ffa1aba7a338b7cfd9e6c4f63e3160dd3cc033d3 + name: libmpc + evr: 1.2.1-4.el9 + sourcerpm: libmpc-1.2.1-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libomp-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 697249 + checksum: sha256:fa7adbb02b4e72ac4b2d205250d4a6109ea2136c5be3eed43bf505f19a5dd7df + name: libomp + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libomp-devel-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 670405 + checksum: sha256:e8160798221be20eb1dd546cb845fb19c07412237df02b4604d7b9f030e96b9a + name: libomp-devel + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libstdc++-devel-11.5.0-5.el9_5.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 2531717 + checksum: sha256:84695eeeb1daa8ff74baf7efd9fc57fb136bec7e8a2ca56c105be6d83ec22d07 + name: libstdc++-devel + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libxcrypt-devel-4.4.18-3.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 33101 + checksum: 
sha256:c1d171391a7d2e043a6953efd3df3e01edc9b4c6cdb54517e1608d204a5fce18 + name: libxcrypt-devel + evr: 4.4.18-3.el9 + sourcerpm: libxcrypt-4.4.18-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/llvm-libs-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 30399454 + checksum: sha256:168c8d2d7ed92d3a77c2d8ba898b3506a483a623674072d057606cb29d2e3b87 + name: llvm-libs + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/o/openssl-devel-3.2.2-6.el9_5.1.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 4650823 + checksum: sha256:30cd1b3dec089a7da71e9167532693bef7c202a5dbe3c010af2a9387106a0b36 + name: openssl-devel + evr: 1:3.2.2-6.el9_5.1 + sourcerpm: openssl-3.2.2-6.el9_5.1.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-AutoLoader-5.74-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 21821 + checksum: sha256:52cda881960f48be35a47ba1c54f242efac1ab0d1fd74b0e2bcb48a1723907c8 + name: perl-AutoLoader + evr: 5.74-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-B-1.80-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 188182 + checksum: sha256:1d9743f0a5ba875908984dbe875025aa51bc62fc9d1bec3fbef12f6688c1d771 + name: perl-B + evr: 1.80-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Carp-1.50-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 32039 + checksum: sha256:c51470a55b1dce42f944bdea06a10469f5a42d55be898a33c2fed3a99843fbb2 + name: perl-Carp + evr: 1.50-460.el9 + sourcerpm: perl-Carp-1.50-460.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Class-Struct-0.66-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 22914 + checksum: sha256:45347749c36c4750c9083d4784700fb85c3a4c277c3bf69873a1c6ae97ee6c4b + name: perl-Class-Struct + evr: 0.66-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Data-Dumper-2.174-462.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 59910 + checksum: sha256:6cd912e640cbc8785e33dae9cf07561509491a0ec76a81c01d6b7a77ad08668d + name: perl-Data-Dumper + evr: 2.174-462.el9 + sourcerpm: perl-Data-Dumper-2.174-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Digest-1.19-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 29409 + checksum: sha256:e0b8633f818467f9e1bf46b9c0012af7bf8a309ac64e903a2a9faf3fae7705f9 + name: perl-Digest + evr: 1.19-4.el9 + sourcerpm: perl-Digest-1.19-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Digest-MD5-2.58-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 40274 + checksum: sha256:2a6b21a144ae1d060e51ee2b6328c5dd1a646f429da160f386c2eb420b1220b4 + name: perl-Digest-MD5 + evr: 2.58-4.el9 + sourcerpm: perl-Digest-MD5-2.58-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Encode-3.08-462.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 1802386 + checksum: sha256:d05248697e48928be004ed4c683b04966aa452ae1e2bd81f650c6de108b46956 + name: perl-Encode + evr: 4:3.08-462.el9 + sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Errno-1.30-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + 
size: 15331 + checksum: sha256:891006d2a5ec8528b1e7fe181a3e1617733b1050250b381f29261b70e83865ed + name: perl-Errno + evr: 1.30-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Exporter-5.74-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 34509 + checksum: sha256:888e14ebd70c2b69150873236b0df7c3a29c9edd488fd8488527c179e798b409 + name: perl-Exporter + evr: 5.74-461.el9 + sourcerpm: perl-Exporter-5.74-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-MM-Utils-7.60-3.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14176 + checksum: sha256:51d7199c10886580e6cbff82546a34f26b2d5b894dcc338e28b1b55938f50ae3 + name: perl-ExtUtils-MM-Utils + evr: 2:7.60-3.el9 + sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Fcntl-1.13-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 22098 + checksum: sha256:726645728dabb2f1badb1c4a6170c5db29118a536cdfa482c882aaef6ed97fb4 + name: perl-Fcntl + evr: 1.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Basename-2.85-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 17916 + checksum: sha256:746f919f1aebc91a28f00e20eda7b41991db9e50abf2fa22cd7f8168a8f9898a + name: perl-File-Basename + evr: 2.85-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Compare-1.100.600-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13854 + checksum: sha256:2108ae5f9e3edf870a30a717b6cf999be70b36e50b715b02d5256cdf07f91764 + name: perl-File-Compare + evr: 1.100.600-481.el9 + 
sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Copy-2.34-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 20838 + checksum: sha256:d547160cfc5e02e3381116185cc5c125c680c2fab6ab7e6696fd95b8e4fdbb4a + name: perl-File-Copy + evr: 2.34-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Find-1.37-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 26277 + checksum: sha256:e388937b023c024de285a5b50fe3f44722c18207d7d854aff302f4ad3c8742f4 + name: perl-File-Find + evr: 1.37-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Path-2.18-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 38466 + checksum: sha256:d1df5e509c10365eaa329a0b97e38bc2667874240d3942195eb6ce7a88985a41 + name: perl-File-Path + evr: 2.18-4.el9 + sourcerpm: perl-File-Path-2.18-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Temp-0.231.100-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 64150 + checksum: sha256:0a81b062391ac6dac3ec28ff1e435001dd798cf1ff19fdb52cfe1e0720d5de03 + name: perl-File-Temp + evr: 1:0.231.100-4.el9 + sourcerpm: perl-File-Temp-0.231.100-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-stat-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 17853 + checksum: sha256:355aba30d043f829e4e7e70466564ba85f65f7a2416aba0ceddfc9e59288aab4 + name: perl-File-stat + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-FileHandle-2.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 15921 + checksum: sha256:480ac4c1de2c1e1f94ed8895793b93d96bd50dc95e6e4fa9c39a82a24998f717 + name: perl-FileHandle + evr: 2.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-FindBin-1.51-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14336 + checksum: sha256:43ef0a61ba09f0213bf7eaf3af905d98b4879fa3e383f1340cad23de1ae46f67 + name: perl-FindBin + evr: 1.51-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Getopt-Long-2.52-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 65144 + checksum: sha256:055fe33d2a7a421c1de8902b86a2f246ef6457774239d04b604f2d0ec6a00a14 + name: perl-Getopt-Long + evr: 1:2.52-4.el9 + sourcerpm: perl-Getopt-Long-2.52-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Getopt-Std-1.12-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16222 + checksum: sha256:c9c6209474ec44ca5b070ffb147589359c551757f95b358a8f35d2627c4950cf + name: perl-Getopt-Std + evr: 1.12-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-HTTP-Tiny-0.076-462.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 58720 + checksum: sha256:696f388a50f5be81596757d68251067449203e1c126ee8c23a7c5a0ad1ac5418 + name: perl-HTTP-Tiny + evr: 0.076-462.el9 + sourcerpm: perl-HTTP-Tiny-0.076-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-I18N-LangTags-0.44-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms 
+ size: 57020 + checksum: sha256:5812d857fdf616511fc9f4b7ed463f9e3126d85166d56bdd7c7a64d8c2db41bb + name: perl-I18N-LangTags + evr: 0.44-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-1.43-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 94663 + checksum: sha256:dc85c28902667c1bd3c6f19b6a08bdda5e1d25b11e832b269e15fde94e6ab52d + name: perl-IO + evr: 1.43-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-Socket-IP-0.41-5.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 46457 + checksum: sha256:4c80030ce256198584c4a58171b9dfe3adb4a8d7593110229e40ece76786a32f + name: perl-IO-Socket-IP + evr: 0.41-5.el9 + sourcerpm: perl-IO-Socket-IP-0.41-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-Socket-SSL-2.073-2.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 226003 + checksum: sha256:b52d5b6a5081e3c142b2364b3f1ef58f569b39052df045f24363de9bb4f9cfd2 + name: perl-IO-Socket-SSL + evr: 2.073-2.el9 + sourcerpm: perl-IO-Socket-SSL-2.073-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IPC-Cmd-1.04-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 42803 + checksum: sha256:353b04bed7229ce354a4d63ba213c4e18fe739c4732061957946b84853d5b3ce + name: perl-IPC-Cmd + evr: 2:1.04-461.el9 + sourcerpm: perl-IPC-Cmd-1.04-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IPC-Open3-1.21-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24124 + checksum: sha256:422c83bcdd2f84d9751fe4ea289e6bc8bfbc41e6540d6482671317fbc2ff1a17 + name: perl-IPC-Open3 + evr: 1.21-481.el9 + sourcerpm: 
perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Locale-Maketext-1.29-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 101003 + checksum: sha256:97cfef112a414049f85495cbec570b8c63d7260410f72cb2e1480a67fc7e9e68 + name: perl-Locale-Maketext + evr: 1.29-461.el9 + sourcerpm: perl-Locale-Maketext-1.29-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Locale-Maketext-Simple-0.21-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18568 + checksum: sha256:20fd5bd35208c94b669179c7e6a295a6fe6abee69e0ce284e0ab25562bcff9c3 + name: perl-Locale-Maketext-Simple + evr: 1:0.21-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-MIME-Base64-3.16-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35058 + checksum: sha256:3ae8affe13cc15cfaee1c6dd078ada14891dde5dca263927a9b5ed87f241d2c0 + name: perl-MIME-Base64 + evr: 3.16-4.el9 + sourcerpm: perl-MIME-Base64-3.16-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-CoreList-5.20240609-1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 92615 + checksum: sha256:fe85ea513ac696ce4d4bd5565259d89edde346d5a049d0eed153eac988ef73fd + name: perl-Module-CoreList + evr: 1:5.20240609-1.el9 + sourcerpm: perl-Module-CoreList-5.20240609-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Load-0.36-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 20052 + checksum: sha256:ada066ac44fd73ec87ea376a6d6715cf77b086354217fdc7a197c909da3bb099 + name: perl-Module-Load + evr: 1:0.36-4.el9 + sourcerpm: perl-Module-Load-0.36-4.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Load-Conditional-0.74-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25464 + checksum: sha256:58a5364d77607678e4e628f5bdd3d33641e2f6083c2985c1bc5045401ae65a60 + name: perl-Module-Load-Conditional + evr: 0.74-4.el9 + sourcerpm: perl-Module-Load-Conditional-0.74-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Metadata-1.000037-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 39221 + checksum: sha256:f053b34c911e5f3daf16c0ffc5ff752f47a0d016e1cc1ac51d4425fbe2a1ac15 + name: perl-Module-Metadata + evr: 1.000037-460.el9 + sourcerpm: perl-Module-Metadata-1.000037-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Mozilla-CA-20200520-6.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14781 + checksum: sha256:99030bfb6a1a2ac41e0720841abaa8ba58c26e91640f4058cc6133e227e928a7 + name: perl-Mozilla-CA + evr: 20200520-6.el9 + sourcerpm: perl-Mozilla-CA-20200520-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-NDBM_File-1.15-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 23899 + checksum: sha256:fbd179e177943079b17db7c887b77dcca46b009ae41d85da5c16e1f33d20a1c9 + name: perl-NDBM_File + evr: 1.15-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Net-SSLeay-1.94-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 428188 + checksum: sha256:d8ed17b9700c4acee11a339c9e0814862ad5b20e072c1414021dcb050c7da90b + name: perl-Net-SSLeay + evr: 1.94-1.el9 + sourcerpm: perl-Net-SSLeay-1.94-1.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-POSIX-1.94-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 100044 + checksum: sha256:70b078b5b692c8d8b26600ae4868b50d613289a89c50b702109bce542d2c8888 + name: perl-POSIX + evr: 1.94-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Params-Check-0.38-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24764 + checksum: sha256:a6cf1009e3f1dfe50e00421b11d43c413e7e4ee8c6931195256a3cb40e1baf7b + name: perl-Params-Check + evr: 1:0.38-461.el9 + sourcerpm: perl-Params-Check-0.38-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-PathTools-3.78-461.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 94564 + checksum: sha256:0647785b169c4bbdc65adf06d28981ce7fd1c9f93aecaa4e53a4515a21ebbf81 + name: perl-PathTools + evr: 3.78-461.el9 + sourcerpm: perl-PathTools-3.78-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Escapes-1.07-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 22564 + checksum: sha256:42fa08cc02a405933395316610a56e2bff58f6f7be16e9a063ec634747199bc0 + name: perl-Pod-Escapes + evr: 1:1.07-460.el9 + sourcerpm: perl-Pod-Escapes-1.07-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Perldoc-3.28.01-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 93727 + checksum: sha256:db3285dbe77ddc822d6bb847f857ea7032786cf7996b26d6c01481903b6d26e0 + name: perl-Pod-Perldoc + evr: 3.28.01-461.el9 + sourcerpm: perl-Pod-Perldoc-3.28.01-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Simple-3.42-4.el9.noarch.rpm + 
repoid: ubi-9-for-x86_64-appstream-rpms + size: 234403 + checksum: sha256:2752454ce47a46227c6b7b98a5d9a25dcf3a992f27109a726744a66cd93c7b9a + name: perl-Pod-Simple + evr: 1:3.42-4.el9 + sourcerpm: perl-Pod-Simple-3.42-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Usage-2.01-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 44477 + checksum: sha256:c170870a2d1ff32048d13497fa67c382fe5aaf3d8d21bae639356ac28003dba9 + name: perl-Pod-Usage + evr: 4:2.01-4.el9 + sourcerpm: perl-Pod-Usage-2.01-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Scalar-List-Utils-1.56-462.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 77262 + checksum: sha256:7ce874bde7d9ad15abf70a3b7edbab77548eb2eb8b529c1e48b2426ee7f948f9 + name: perl-Scalar-List-Utils + evr: 4:1.56-462.el9 + sourcerpm: perl-Scalar-List-Utils-1.56-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-SelectSaver-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 12017 + checksum: sha256:c4f02fdf5b501ab67b4824fc4473ba420f482254ad82e90b546d9b10a5464820 + name: perl-SelectSaver + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Socket-2.031-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 59776 + checksum: sha256:762751146305f9aea53b74a21495a610e7bdde956fa3246565d265b1128b56a8 + name: perl-Socket + evr: 4:2.031-4.el9 + sourcerpm: perl-Socket-2.031-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Storable-3.21-460.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 100335 + checksum: sha256:0097fdb40a1f83e56d5bf91160c07151b7cdd64f829fc0e328cdf3b43c2b4fa6 + name: 
perl-Storable + evr: 1:3.21-460.el9 + sourcerpm: perl-Storable-3.21-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Symbol-1.08-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14535 + checksum: sha256:2364cd3b0a19572b16a1379c228046a405851bcd0676860a6aeb9bcb3869498f + name: perl-Symbol + evr: 1.08-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-ANSIColor-5.01-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 52228 + checksum: sha256:996148d460395369394e9d4721e9000c5b2fa34ee800390a4a9d885b6db95b23 + name: perl-Term-ANSIColor + evr: 5.01-461.el9 + sourcerpm: perl-Term-ANSIColor-5.01-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-Cap-1.17-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25043 + checksum: sha256:015a6d02b9c84bd353680d4bad61f3c8d297c53c3a43325e08e4ac4b48f97f17 + name: perl-Term-Cap + evr: 1.17-460.el9 + sourcerpm: perl-Term-Cap-1.17-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-ParseWords-3.30-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18680 + checksum: sha256:4d47f3ba0ce454be5d781e968cfe15f01f393e68a47c415f35c0d88358ab4af9 + name: perl-Text-ParseWords + evr: 3.30-460.el9 + sourcerpm: perl-Text-ParseWords-3.30-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-Tabs+Wrap-2013.0523-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25935 + checksum: sha256:5ad6ef70bbb4ba8d5cfd6ee0b3dda0ddc8cf0103199959499944019a66f7edcd + name: perl-Text-Tabs+Wrap + evr: 2013.0523-460.el9 + sourcerpm: perl-Text-Tabs+Wrap-2013.0523-460.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Time-HiRes-1.9764-462.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 62596 + checksum: sha256:ce04253e57c1db4fbbc3a3d3e4c0751af9be7c1c7f236be3690a2b304410b172 + name: perl-Time-HiRes + evr: 4:1.9764-462.el9 + sourcerpm: perl-Time-HiRes-1.9764-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Time-Local-1.300-7.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 37469 + checksum: sha256:e8e1e692b6e52cdb69515b2ad44b84ca71917bea5f47908cb9ae89b2bbd145a1 + name: perl-Time-Local + evr: 2:1.300-7.el9 + sourcerpm: perl-Time-Local-1.300-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-URI-5.09-3.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 128279 + checksum: sha256:1635b7d818e4f70445f7207f13e058c63c5d1f5aa081cfd2583912ae45f8e1bd + name: perl-URI + evr: 5.09-3.el9 + sourcerpm: perl-URI-5.09-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-base-2.27-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16674 + checksum: sha256:dab1d27f285d579c9783e80817f98a2835e7bf06842d704a7f85cfdb7ab4b0a3 + name: perl-base + evr: 2.27-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-constant-1.33-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25865 + checksum: sha256:8ab94e13cab4e7eee081c7618ea7738b072d8093631d97b8b1f83bff893cf892 + name: perl-constant + evr: 1.33-461.el9 + sourcerpm: perl-constant-1.33-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-if-0.60.800-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14343 + 
checksum: sha256:714022b8937ed9c6d4638b99aef0a8426b782e7948019b50b06d9cd2e32e454a + name: perl-if + evr: 0.60.800-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-interpreter-5.32.1-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 74840 + checksum: sha256:359a94a09f0082a637c5bc2aa4ddac23dd79e929daa38dfed85d0e1afff31fba + name: perl-interpreter + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-lib-0.65-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 15318 + checksum: sha256:89bf58fb4d09ec404ea98063d4a7099ff00b59e9a9e0bb04067f48e3fb581083 + name: perl-lib + evr: 0.65-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-libnet-3.13-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 137289 + checksum: sha256:79156f91a2ee21fb96f10e331047c55ff913e36f9a13ff89d0a479f0fc4dcb98 + name: perl-libnet + evr: 3.13-4.el9 + sourcerpm: perl-libnet-3.13-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-libs-5.32.1-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 2303445 + checksum: sha256:d20aebf4d96f4ad0e7dc97b63bbe41baa6f927a34eac9068a22f1d62e71611dc + name: perl-libs + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-locale-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14021 + checksum: sha256:35930019be1e37fa53b29cc9af6326443a96817024120948ca89556b1db06eda + name: perl-locale + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-mro-1.23-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 30125 + checksum: sha256:3cf76960b8c866deebf333a9dfd64a7dd9f4689cb82e37d0c0ddab2c031b3651 + name: perl-mro + evr: 1.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-overload-1.31-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 46643 + checksum: sha256:813598b9d9a3ada4975144cf0dd0f25906589a92c7708556dcbf464501d72848 + name: perl-overload + evr: 1.31-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-overloading-0.02-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13658 + checksum: sha256:feca093162af099f769448e95170a357f2d2bd66da36299d1a999782d57da51d + name: perl-overloading + evr: 0.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-parent-0.238-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16286 + checksum: sha256:a9b2ccc25a5ed5cc024935ef573772e203ed363f67dd5acc0d2ad5907498c463 + name: perl-parent + evr: 1:0.238-460.el9 + sourcerpm: perl-parent-0.238-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-podlators-4.14-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 121317 + checksum: sha256:0401f715522a14b53956bccb60954025ad18a73802f7144ab0160d8504951a98 + name: perl-podlators + evr: 1:4.14-460.el9 + sourcerpm: perl-podlators-4.14-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-subs-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 11986 + 
checksum: sha256:df6327eb3774c2254fc45c630cedf3b32b3bdd7f146bf25ffe0342f9904dac43 + name: perl-subs + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-vars-1.05-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13347 + checksum: sha256:c54caddd2a5adaf84088833a9eb126e772b6db090800c3293b819f432ddd6b6c + name: perl-vars + evr: 1.05-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-version-0.99.28-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 68996 + checksum: sha256:8804f201f3e2fb54f75735683c65a571f17b6ea8715e84eb813907ec5027fcc5 + name: perl-version + evr: 7:0.99.28-4.el9 + sourcerpm: perl-version-0.99.28-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/policycoreutils-python-utils-3.6-2.1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 82931 + checksum: sha256:fcbe07b75cd10b0a2752d558a8b7750cb13b59473439701d8c568195f05c3805 + name: policycoreutils-python-utils + evr: 3.6-2.1.el9 + sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-audit-3.1.5-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 88009 + checksum: sha256:023ddd2c1dda3422bc1b067e562b39621eaefdf778efd0dae07fc144ba188fb5 + name: python3-audit + evr: 3.1.5-4.el9 + sourcerpm: audit-3.1.5-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-distro-1.5.0-7.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 41452 + checksum: sha256:5cf4276217a72649895226707d4c0e3edd6ea64b66702793fab3907177c73069 + name: python3-distro + evr: 1.5.0-7.el9 + sourcerpm: python-distro-1.5.0-7.el9.src.rpm + - 
url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-libselinux-3.6-3.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 196472 + checksum: sha256:7af821a0ee7c7b56df79de25fe35cc2d0fd6f45df5c3bcec2c5e72d7378ba265 + name: python3-libselinux + evr: 3.6-3.el9 + sourcerpm: libselinux-3.6-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-libsemanage-3.6-5.el9_6.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 82730 + checksum: sha256:8a17df19f0ff5dbb98fe608999cb2370983d8565658df01d0993b3028cbf28d6 + name: python3-libsemanage + evr: 3.6-5.el9_6 + sourcerpm: libsemanage-3.6-5.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-policycoreutils-3.6-2.1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 2216589 + checksum: sha256:7dbe7be855cc83e372add890e9e0c5256ef57132d9731b5db204c425bf21b194 + name: python3-policycoreutils + evr: 3.6-2.1.el9 + sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/r/rust-1.84.1-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 28050444 + checksum: sha256:9ba3c53fd811af2f294e31360d75e33e4cb89893130c7b3fe0c6191e20a09f3e + name: rust + evr: 1.84.1-1.el9 + sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/r/rust-std-static-1.84.1-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 41211472 + checksum: sha256:73bb90884432e2b43758f1043f107a570b5d54b38f17d5d0af51bac103ceb4f5 + name: rust-std-static + evr: 1.84.1-1.el9 + sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/s/scl-utils-2.0.3-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms 
+ size: 42223 + checksum: sha256:164d245bec95c7dcbba881fd88ee567bc6d5859329c91ae05a6ad5429700bdbc + name: scl-utils + evr: 1:2.0.3-4.el9 + sourcerpm: scl-utils-2.0.3-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/b/binutils-2.35.2-63.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 4818636 + checksum: sha256:4eb918b63dee7daf32117df2e3fcb02ad4ba3d96cb25677cf55315deceb7e22a + name: binutils + evr: 2.35.2-63.el9 + sourcerpm: binutils-2.35.2-63.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/b/binutils-gold-2.35.2-63.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 753176 + checksum: sha256:339d9bb2dc0e41c4756f1a4f82e82f6654818b72de74f1f0377c76277617352b + name: binutils-gold + evr: 2.35.2-63.el9 + sourcerpm: binutils-2.35.2-63.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/d/diffutils-3.7-12.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 411559 + checksum: sha256:2d4c4fdfc10215af3c957c24995b79a26e27e6d76de4ed1f5198d25bf7ef9671 + name: diffutils + evr: 3.7-12.el9 + sourcerpm: diffutils-3.7-12.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/e/elfutils-debuginfod-client-0.192-5.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 47282 + checksum: sha256:e5b1a7a9e1467bfe00913e9b22ba5665852f8c61900205a32d3043ace9e1c7c2 + name: elfutils-debuginfod-client + evr: 0.192-5.el9 + sourcerpm: elfutils-0.192-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/e/environment-modules-5.3.0-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 605644 + checksum: sha256:0bf2c48686d2c9f4d0f4d2cbe80a64f7d3c26559dd3cf6ca798a6615407a58ae + name: environment-modules + evr: 5.3.0-1.el9 + sourcerpm: environment-modules-5.3.0-1.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/groff-base-1.22.4-10.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 1133828 + checksum: sha256:4d8ff13569b3b231b3fb847e9e22615c6e08215d1f2c0c78eac2e345b9efd394 + name: groff-base + evr: 1.22.4-10.el9 + sourcerpm: groff-1.22.4-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/j/jansson-2.14-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 49137 + checksum: sha256:4e9aec51ee46d7265d6edd1245b5d5ab5e8336dc2a4ca17f2cace2ce8bae3761 + name: jansson + evr: 2.14-1.el9 + sourcerpm: jansson-2.14-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/l/less-590-5.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 170758 + checksum: sha256:a726061c966a134a5e5b42b60e4162ee85a2cef8843b6fd28e08264ceebb54f4 + name: less + evr: 590-5.el9 + sourcerpm: less-590-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/l/libatomic-11.5.0-5.el9_5.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 28095 + checksum: sha256:f319f76d1b4f3c82cc2cf8eee5b3c170a1d6f5c1c72d7790141307159572578a + name: libatomic + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/l/libedit-3.1-38.20210216cvs.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 109330 + checksum: sha256:9e41ff5754a5dca1308adf9617828934d56cb60d8d08f128f80e4328f69bc78c + name: libedit + evr: 3.1-38.20210216cvs.el9 + sourcerpm: libedit-3.1-38.20210216cvs.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/l/libpipeline-1.5.3-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 52912 + checksum: sha256:c972030a8fbaa2d981f0e5fdfc42d6d5173dd047c94d86ab7732e3e53fc4e97a + name: 
libpipeline + evr: 1.5.3-4.el9 + sourcerpm: libpipeline-1.5.3-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/l/libpkgconf-1.7.3-10.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 38387 + checksum: sha256:4feae5941b73640bd86b8d506a657cac5b770043db1464fbcd207721b2159dda + name: libpkgconf + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/l/libselinux-utils-3.6-3.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 198410 + checksum: sha256:e5d79885864cd5b2a307065b43ba1af1523ec7ac26eace2717c70ede1b6e4c56 + name: libselinux-utils + evr: 3.6-3.el9 + sourcerpm: libselinux-3.6-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/m/make-4.3-8.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 553896 + checksum: sha256:561f0c2251e9217c81a6c88de4d2d9231a039aaab37e8a0d2559d36ce9fa85fd + name: make + evr: 1:4.3-8.el9 + sourcerpm: make-4.3-8.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/m/man-db-2.9.3-7.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 1245006 + checksum: sha256:1eb7770a27102f59012f704e90aa04b130ab4f46fec983a7441ec9e8810f2da4 + name: man-db + evr: 2.9.3-7.el9 + sourcerpm: man-db-2.9.3-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/n/ncurses-6.2-10.20210508.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 420158 + checksum: sha256:1b5e5805334bc78c977d7acf02256021a9216e26348a5383cf86dfb0b0c91101 + name: ncurses + evr: 6.2-10.20210508.el9 + sourcerpm: ncurses-6.2-10.20210508.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/p/pkgconf-1.7.3-10.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 45675 + checksum: 
sha256:bb47b4ecc499c308f41031a99e723827d152d5d750f59849d0c265d820944a26 + name: pkgconf + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/p/pkgconf-m4-1.7.3-10.el9.noarch.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 16054 + checksum: sha256:91bafd6e06099451f60288327b275cfcc651822f6145176a157c6b0fa5131e02 + name: pkgconf-m4 + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/p/pkgconf-pkg-config-1.7.3-10.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 12438 + checksum: sha256:9a502d81d73d3303ceb53a06ad7ce525c97117ea64352174a33708bf3429283d + name: pkgconf-pkg-config + evr: 1.7.3-10.el9 + sourcerpm: pkgconf-1.7.3-10.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/p/policycoreutils-3.6-2.1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 251967 + checksum: sha256:8dcd39960d3103f7a4ad2b9f7a0e15469ebf4da98f6c215cddfffdb830dc12b5 + name: policycoreutils + evr: 3.6-2.1.el9 + sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/p/procps-ng-3.3.17-14.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 361526 + checksum: sha256:506ad778f63821e8d9647ca8e0a3ff21b8af9c1666060d5200f9b26ee718333c + name: procps-ng + evr: 3.3.17-14.el9 + sourcerpm: procps-ng-3.3.17-14.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/p/python3-setools-4.4.4-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 623460 + checksum: sha256:91946d729d2b03b4abe1c43962f22d110468db0163241cda7b1d549c615d0261 + name: python3-setools + evr: 4.4.4-1.el9 + sourcerpm: setools-4.4.4-1.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tcl-8.6.10-7.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 1152092 + checksum: sha256:2062dce4bed26d3684de4dad68f32307ebacf5c7d50d3aa7bf6470e66fb36df5 + name: tcl + evr: 1:8.6.10-7.el9 + sourcerpm: tcl-8.6.10-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/v/vim-filesystem-8.2.2637-22.el9_6.noarch.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 17723 + checksum: sha256:744aceed764a5a4f5e4f12a70237ff74cb93c375aabffe4dc245e474628775c2 + name: vim-filesystem + evr: 2:8.2.2637-22.el9_6 + sourcerpm: vim-8.2.2637-22.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/codeready-builder/os/Packages/m/meson-0.63.3-1.el9.noarch.rpm + repoid: codeready-builder-for-ubi-9-x86_64-rpms + size: 1550746 + checksum: sha256:cb174ce7d6adf9c7a4b90ecf3360307485f9c1e4bb006c44190de9cfd41511c7 + name: meson + evr: 0.63.3-1.el9 + sourcerpm: meson-0.63.3-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/codeready-builder/os/Packages/n/ninja-build-1.10.2-6.el9.x86_64.rpm + repoid: codeready-builder-for-ubi-9-x86_64-rpms + size: 153299 + checksum: sha256:1140bec45c316942f870c28fdede79c185a2e09adc48bada42a5610783d56400 + name: ninja-build + evr: 1.10.2-6.el9 + sourcerpm: ninja-build-1.10.2-6.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/p/protobuf-3.14.0-16.el9.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 1057844 + checksum: sha256:b1708ff32307536de8c9edcf530f7a057533566f3013297cf2239534b24a5ef6 + name: protobuf + evr: 3.14.0-16.el9 + sourcerpm: protobuf-3.14.0-16.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/os/Packages/j/json-c-devel-0.14-11.el9.x86_64.rpm + repoid: codeready-builder-for-rhel-9-x86_64-rpms + size: 52905 + checksum: 
sha256:1b9a670a0090f796d9b8f04508082aa56e1f857f6acb84f3c97d5b22101fa738 + name: json-c-devel + evr: 0.14-11.el9 + sourcerpm: json-c-0.14-11.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/os/Packages/p/protobuf-compiler-3.14.0-16.el9.x86_64.rpm + repoid: codeready-builder-for-rhel-9-x86_64-rpms + size: 887388 + checksum: sha256:8aa92a0fd3e1ca535fc29fd0ebd67ae08f45b6b05ec77c9bd90919fe21bd8337 + name: protobuf-compiler + evr: 3.14.0-16.el9 + sourcerpm: protobuf-3.14.0-16.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/os/Packages/t/tpm2-tss-devel-3.2.3-1.el9.x86_64.rpm + repoid: codeready-builder-for-rhel-9-x86_64-rpms + size: 363565 + checksum: sha256:d97da683d45f9759fdb33553d518d4ff238d4c989d3c01bec47c1dcf9a8df9d1 + name: tpm2-tss-devel + evr: 3.2.3-1.el9 + sourcerpm: tpm2-tss-3.2.3-1.el9.src.rpm + source: + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/source/SRPMS/Packages/m/meson-0.63.3-1.el9.src.rpm + repoid: codeready-builder-for-rhel-9-x86_64-source-rpms + size: 2073677 + checksum: sha256:54bc08131f4ae18919b3c45a4337182a75eedec96b7fe03f93ee11998c7cc285 + name: meson + evr: 0.63.3-1.el9 + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/source/SRPMS/Packages/n/ninja-build-1.10.2-6.el9.src.rpm + repoid: codeready-builder-for-rhel-9-x86_64-source-rpms + size: 227908 + checksum: sha256:0461eebf9c0def0b11f42b9f7e7a455a945da6cbd4796ff015eb2a1dcbae175b + name: ninja-build + evr: 1.10.2-6.el9 + module_metadata: [] diff --git a/rpm/ubi.repo b/rpm/ubi.repo new file mode 100644 index 0000000000..a7d531660c --- /dev/null +++ b/rpm/ubi.repo 
@@ -0,0 +1,62 @@ +[ubi-9-for-$basearch-baseos-rpms] +name = Red Hat Universal Base Image 9 (RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-for-$basearch-baseos-debug-rpms] +name = Red Hat Universal Base Image 9 (Debug RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-for-$basearch-baseos-source-rpms] +name = Red Hat Universal Base Image 9 (Source RPMs) - BaseOS +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-for-$basearch-appstream-rpms] +name = Red Hat Universal Base Image 9 (RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os +enabled = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-for-$basearch-appstream-debug-rpms] +name = Red Hat Universal Base Image 9 (Debug RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[ubi-9-for-$basearch-appstream-source-rpms] +name = Red Hat Universal Base Image 9 (Source RPMs) - AppStream +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[codeready-builder-for-ubi-9-$basearch-rpms] +name = Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os +enabled = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[codeready-builder-for-ubi-9-$basearch-debug-rpms] +name = Red Hat Universal Base Image 9 (Debug RPMs) - CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/debug +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 + +[codeready-builder-for-ubi-9-$basearch-source-rpms] +name = Red Hat Universal Base Image 9 (Source RPMs) - CodeReady Builder +baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/source/SRPMS +enabled = 0 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgcheck = 1 \ No newline at end of file From dfa99e4cef58aa3551ad4606819c1cc2be18ce44 Mon Sep 17 00:00:00 2001 From: Pavel Mores Date: Tue, 22 Apr 2025 16:22:03 +0200 Subject: [PATCH 263/298] kbs: import prometheus crate with a thin wrapper The purpose of the PrometheusExporter wrapper at this point is mainly to store a custom Registry (projects that are not tests or examples are generally discouraged from relying on the implicit default one) and supply wrappers for several common operations. It does not encapsulate all of the prometheus crate at this time though since setting up and referring to prometheus crate metrics seem non-trivial to put behind an interface. Also, PrometheusExporter is presented as a singleton. This seems suboptimal, however the common way of avoiding singletons via dependency injection is a bit complicated here - some of the classes that are likely to generate metrics don't even have constructors and are set up using try_from() their respective configuration. Signed-off-by: Pavel Mores --- Cargo.lock | 22 +++++++++++++ kbs/Cargo.toml | 2 ++ kbs/src/lib.rs | 2 ++ kbs/src/prometheus_exporter.rs | 57 ++++++++++++++++++++++++++++++++++ 4 files changed, 83 insertions(+) create mode 100644 kbs/src/prometheus_exporter.rs 
diff --git a/Cargo.lock b/Cargo.lock index b192875021..9b6c4496ee 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2989,6 +2989,7 @@ dependencies = [ "mobc", "openssl", "p256", + "prometheus", "prost", "rand", "reference-value-provider-service", @@ -4024,6 +4025,21 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "prometheus" +version = "0.13.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d33c28a30771f7f96db69893f78b857f7450d7e0237e9c8fc6427a81bae7ed1" +dependencies = [ + "cfg-if", + "fnv", + "lazy_static", + "memchr", + "parking_lot 0.12.3", + "protobuf", + "thiserror 1.0.69", +] + [[package]] name = "prost" version = "0.13.4" @@ -4077,6 +4093,12 @@ dependencies = [ "prost", ] +[[package]] +name = "protobuf" +version = "2.28.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94" + [[package]] name = "psl-types" version = "2.0.11" diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index d70eeb979f..edc0bb4724 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -60,6 +60,8 @@ lazy_static = "1.4.0" log.workspace = true mobc = { version = "0.8.5", optional = true } p256 = { workspace = true, features = ["ecdh"] } +#prometheus = "0.14.0" +prometheus = "0.13.4" prost = { workspace = true, optional = true } rand = "0.8.5" regex = "1.11.1" diff --git a/kbs/src/lib.rs b/kbs/src/lib.rs index ee2b961c4e..ebeb434eba 100644 --- a/kbs/src/lib.rs +++ b/kbs/src/lib.rs @@ -25,3 +25,5 @@ pub use error::*; pub mod admin; pub mod http; pub mod jwe; + +pub mod prometheus_exporter; diff --git a/kbs/src/prometheus_exporter.rs b/kbs/src/prometheus_exporter.rs new file mode 100644 index 0000000000..bc36f4c141 --- /dev/null +++ b/kbs/src/prometheus_exporter.rs 
@@ -0,0 +1,57 @@
+// Copyright (c) 2025 Red Hat
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use lazy_static::lazy_static;
+use prometheus::{core::Collector, TextEncoder};
+use std::sync::Mutex;
+
+lazy_static! {
+ pub static ref instance: Mutex = Mutex::new(PrometheusExporter::new());
+}
+
+#[derive(Clone, Default)]
+pub struct PrometheusExporter {
+ registry: prometheus::Registry,
+}
+
+impl PrometheusExporter {
+ fn new() -> Self {
+ Self::default()
+ }
+
+ // This function is idempotent - trying to register a metric that's
+ // already registered is not an error. This doesn't matter much during
+ // normal usage in a KBS binary, it does however in tests which create and
+ // tear down KBS's HTTP server repeatedly.
+ pub fn register(&self, metric: Box) -> Result<(), prometheus::Error> {
+ match self.registry.register(metric) {
+ Ok(_) => Ok(()),
+ Err(err) => {
+ if let prometheus::Error::AlreadyReg = err {
+ Ok(())
+ } else {
+ Err(err)
+ }
+ }
+ }
+ }
+
+ pub fn unregister(&self, metric: Box) -> Result<(), prometheus::Error> {
+ // Ideally, unregistration would be idempotent just like registration.
+ // However, prometheus::Error unfortunately doesn't have a dedicated
+ // variant for an attempt to unregister a metric that hasn't been
+ // registered and this type of error reported via the generic Msg
+ // variant instead. This makes it impossible to handle it here
+ // cleanly.
+ self.registry.unregister(metric)?;
+ Ok(())
+ }
+
+ pub fn export_metrics(&self) -> Result {
+ let mut metrics_buffer = String::new();
+ TextEncoder::new().encode_utf8(&self.registry.gather(), &mut metrics_buffer)?;
+ Ok(metrics_buffer)
+ }
+}
From 82bf0489e7057fccb63cd37157bf0a12409757c2 Mon Sep 17 00:00:00 2001
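Review bot: The `Mutex` around the singleton in the `lazy_static!` block adds a poisoning failure mode without protecting anything: `register`, `unregister` and `export_metrics` all take `&self`, and `prometheus::Registry` is, as far as I know, already internally synchronised. With the mutex every caller has to go through `lock()`, and a panic while the guard is held poisons it, so any later `lock().unwrap()` would panic as well, including in a scrape handler or a `Drop` impl that unregisters metrics. Consider `pub static ref instance: PrometheusExporter = PrometheusExporter::new();` and dropping the `use std::sync::Mutex;` import. The comment above `register` describes the function's contract and would be better as a `///` doc comment.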
From: Pavel Mores Date: Tue, 22 Apr 2025 18:37:14 +0200 Subject: [PATCH 264/298] kbs: deploy some test prometheus metrics in ResourceStorage This illustrates probably the most straightforward possible way of actually deploying metrics in KBS classes. The user class (here ResourceStorage) stores and constructs metrics instances either directly or, as is the case here, collected in the PrometheusMetrics helper struct so as not to pollute ResourceStorage with prometheus stuff too much. If another class needs metrics it essentially replicates what ResourceStorage does here. This has an advantage of being easy to understand at the source code level and also fast at runtime. However, since it assumes that every metric is fully owned and managed by a single class which it's pretty much private to, it might also turn out inflexible. One of the alternatives could be to store metrics in a central registry for anybody to retrieve and use. This would need to be done manually though as prometheus::Registry notably doesn't offer this functionality. The reason might be that Prometheus's "multidimensional" model makes labels (at least the const ones) basically part of a metric's name/id which makes them rather hard to hash and look up. This route is not taken by this commit since it's more implementation with an unclear benefit (the way labels are used kind of implies that each metric needs as single owner...). Signed-off-by: Pavel Mores --- kbs/src/error.rs | 6 ++ .../implementations/resource/backend.rs | 57 +++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/kbs/src/error.rs b/kbs/src/error.rs index d66bceeed8..66e940731f 100644 --- a/kbs/src/error.rs +++ b/kbs/src/error.rs @@ -75,6 +75,12 @@ pub enum Error { #[error("Token Verifier error")] TokenVerifierError(#[from] crate::token::Error), + + #[error("Prometheus error")] + PrometheusError { + #[from] + source: prometheus::Error, + }, } impl ResponseError for Error { 
diff --git a/kbs/src/plugins/implementations/resource/backend.rs b/kbs/src/plugins/implementations/resource/backend.rs index 600bc99f85..d20fea58ca 100644 --- a/kbs/src/plugins/implementations/resource/backend.rs +++ b/kbs/src/plugins/implementations/resource/backend.rs @@ -5,12 +5,15 @@ use std::sync::{Arc, OnceLock}; use anyhow::{bail, Context, Error, Result}; +use log::warn; use regex::Regex; use serde::Deserialize; use std::fmt; use super::local_fs; +use crate::prometheus_exporter; + type RepositoryInstance = Arc; /// Interface of a `Repository`. 
@@ -80,9 +83,53 @@ impl Default for RepositoryConfig { } } +#[derive(Clone)] +struct PrometheusMetrics { + resource_reads_total: prometheus::CounterVec, + resource_writes_total: prometheus::CounterVec, +} + +impl PrometheusMetrics { + fn new() -> Result { + let prom = prometheus_exporter::instance.lock().unwrap(); + let reads_opts = prometheus::Opts::new("resource_reads_total", "KBS resource read count"); + let resource_reads_total = prometheus::CounterVec::new(reads_opts, &["resource_path"])?; + prom.register(Box::new(resource_reads_total.clone()))?; + + let writes_opts = + prometheus::Opts::new("resource_writes_total", "KBS resource write count"); + let resource_writes_total = prometheus::CounterVec::new(writes_opts, &["resource_path"])?; + prom.register(Box::new(resource_writes_total.clone()))?; + + Ok(Self { + resource_reads_total, + resource_writes_total, + }) + } +} + +impl Drop for PrometheusMetrics { + fn drop(&mut self) { + let prom = prometheus_exporter::instance.lock().unwrap(); + if let Err(err) = prom.unregister(Box::new(self.resource_reads_total.clone())) { + warn!( + "couldn't unregister Prometheus resource_reads_total: {:?}", + err + ); + }; + if let Err(err) = prom.unregister(Box::new(self.resource_writes_total.clone())) { + warn!( + "couldn't unregister Prometheus resource_writes_total: {:?}", + err + ); + }; + } +} + #[derive(Clone)] pub struct ResourceStorage { backend: RepositoryInstance, + prometheus_metrics: PrometheusMetrics, } impl TryFrom for ResourceStorage { @@ -95,6 +142,7 @@ impl TryFrom for ResourceStorage { .context("Failed to initialize Resource Storage")?; Ok(Self { backend: Arc::new(backend), + prometheus_metrics: PrometheusMetrics::new()?, }) } #[cfg(feature = "aliyun")] @@ -102,6 +150,7 @@ impl TryFrom for ResourceStorage { let client = super::aliyun_kms::AliyunKmsBackend::new(&config)?; Ok(Self { backend: Arc::new(client), + prometheus_metrics: PrometheusMetrics::new()?, }) } } 
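Review bot: `PrometheusMetrics` derives `Clone` and also implements `Drop` to unregister its counters, so dropping any one copy unregisters them for every copy. `ResourceStorage` is itself `#[derive(Clone)]`, so the first clone that goes out of scope removes `resource_reads_total` and `resource_writes_total` from the registry while the surviving copies keep incrementing counters that are no longer exported; later drops then only produce the `couldn't unregister` warning. A second `PrometheusMetrics::new()` while the first is still registered has a related problem: `register` swallows `AlreadyReg`, so the freshly built `CounterVec`s are silently never exported. Tying unregistration to the last owner fixes the first case: hold the field as `prometheus_metrics: Arc<PrometheusMetrics>,` built with `Arc::new(PrometheusMetrics::new()?)` (`Arc` is already imported in this file) and remove `#[derive(Clone)]` from `PrometheusMetrics`. `ApiServerMetrics` in the later api_server.rs patch of this series uses the same Clone-plus-Drop pattern.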
@@ -114,12 +163,20 @@ impl ResourceStorage { resource_desc: ResourceDesc, data: &[u8], ) -> Result<()> { + self.prometheus_metrics + .resource_writes_total + .with_label_values(&[&format!("{}", resource_desc)]) + .inc(); self.backend .write_secret_resource(resource_desc, data) .await } pub(crate) async fn get_secret_resource(&self, resource_desc: ResourceDesc) -> Result> { + self.prometheus_metrics + .resource_reads_total + .with_label_values(&[&format!("{}", resource_desc)]) + .inc(); self.backend.read_secret_resource(resource_desc).await } } From 8cfde1adf02f9df57f2380b43a25cae6d03729f4 Mon Sep 17 00:00:00 2001 From: Pavel Mores Date: Tue, 22 Apr 2025 18:40:35 +0200 Subject: [PATCH 265/298] kbs: add prometheus exporter server to ApiServer A separate service is added to the existing actix_web server on its own port. Its handler responds with exported metrics. Signed-off-by: Pavel Mores --- kbs/src/api_server.rs | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/kbs/src/api_server.rs b/kbs/src/api_server.rs index 4859acb40e..209f37dea1 100644 --- a/kbs/src/api_server.rs +++ b/kbs/src/api_server.rs @@ -12,7 +12,7 @@ use log::info; use crate::{ admin::Admin, config::KbsConfig, jwe::jwe, plugins::PluginManager, policy_engine::PolicyEngine, - token::TokenVerifier, Error, Result, + prometheus_exporter, token::TokenVerifier, Error, Result, }; const KBS_PREFIX: &str = "/kbs/v0"; @@ -101,6 +101,8 @@ impl ApiServer { ); let http_config = self.config.http_server.clone(); + + #[allow(clippy::redundant_closure)] let http_server = HttpServer::new({ move || { let api_server = self.clone(); @@ -115,6 +117,11 @@ impl ApiServer { .route(web::get().to(api)) .route(web::post().to(api)), ) + .service( + web::resource("/metrics") + .route(web::get().to(prometheus_metrics_handler)) + .route(web::post().to(|| HttpResponse::MethodNotAllowed())), + ) } }); 
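Review bot: The `resource_path` label in `get_secret_resource` and `set_secret_resource` is built from the caller-supplied `resource_desc`, and the counter is incremented before the backend is consulted, so every distinct path a client asks for, whether or not it exists, creates a time series that stays in the registry. That lets anyone who can send resource requests grow the process's memory and the size of each scrape without bound, and it publishes secret resource paths, including failed guesses, to whoever can read the metrics. Counting only after the backend call succeeded bounds the label set to resources that actually exist, as sketched below for the read path; if per-path detail is not needed, a counter without the label is safer still. Whether this code runs before or after the policy check cannot be seen from this hunk.

```rust
// … unchanged: get_secret_resource signature …
        // Format the label first: resource_desc is moved into the backend call.
        let resource_path = format!("{}", resource_desc);
        let data = self.backend.read_secret_resource(resource_desc).await?;
        // Count only reads that found a resource, so paths that do not exist
        // cannot add new time series.
        self.prometheus_metrics
            .resource_reads_total
            .with_label_values(&[&resource_path])
            .inc();
        Ok(data)
```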
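Review bot: The `/metrics` resource is registered on the same `App` as the KBS API, with no guard or authentication visible in this hunk, although the commit message describes it as served on its own port. If that is what ships, every client that can reach the KBS listener can read the metrics, which in this series include counters labelled with resource paths. Consider binding the exporter to a separate, operator-configured address or putting the route behind the existing admin authentication, and making it possible to disable it in the config. The explicit POST route returning `MethodNotAllowed` looks redundant, since I believe a `web::resource` already answers 405 for methods that have no route. The closure passed to `HttpServer::new` continues outside the hunk.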
@@ -258,3 +265,15 @@ pub(crate) async fn api( } } } + +pub(crate) async fn prometheus_metrics_handler( + _request: HttpRequest, + _core: web::Data, +) -> Result { + let report = prometheus_exporter::instance + .lock() + .unwrap() + .export_metrics() + .map_err(|e| Error::PrometheusError { source: e })?; + Ok(HttpResponse::Ok().body(report)) +} From e8dce7c2eb2d16e87b840e4ea3533fc71c40ac79 Mon Sep 17 00:00:00 2001 From: Pavel Mores Date: Wed, 30 Apr 2025 10:23:22 +0200 Subject: [PATCH 266/298] kbs: add some conventional HTTP metrics Add a total request counter and request duration/size and response size histograms. Signed-off-by: Pavel Mores --- kbs/src/api_server.rs | 138 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 1 deletion(-) diff --git a/kbs/src/api_server.rs b/kbs/src/api_server.rs index 209f37dea1..803b991041 100644 --- a/kbs/src/api_server.rs +++ b/kbs/src/api_server.rs @@ -8,7 +8,7 @@ use actix_web::{ }; use actix_web_httpauth::headers::authorization::{Authorization, Bearer}; use anyhow::Context; -use log::info; +use log::{info, warn}; use crate::{ admin::Admin, config::KbsConfig, jwe::jwe, plugins::PluginManager, policy_engine::PolicyEngine, @@ -35,6 +35,8 @@ pub struct ApiServer { admin_auth: Admin, config: KbsConfig, token_verifier: TokenVerifier, + + prometheus_metrics: ApiServerMetrics, } impl ApiServer { @@ -63,6 +65,7 @@ impl ApiServer { let token_verifier = TokenVerifier::from_config(config.attestation_token.clone()).await?; let policy_engine = PolicyEngine::new(&config.policy_engine).await?; let admin_auth = Admin::try_from(config.admin.clone())?; + let prometheus_metrics = ApiServerMetrics::new()?; #[cfg(feature = "as")] let attestation_service = @@ -77,6 +80,8 @@ impl ApiServer { #[cfg(feature = "as")] attestation_service, + + prometheus_metrics, }) } 
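Review bot: `prometheus_metrics_handler` returns the exposition text through `HttpResponse::Ok().body(report)` without setting a `Content-Type`, which as far as I know leaves the header off in actix-web, and scrapers that insist on a declared exposition format may reject the response. Setting it explicitly also keeps clients from guessing the type: `Ok(HttpResponse::Ok().content_type(prometheus::TEXT_FORMAT).body(report))`. The `_request` and `_core` extractors are unused and can be dropped, which removes the handler's dependency on `ApiServer` being present in app data. The `.lock().unwrap()` turns a poisoned exporter mutex into a panic on every scrape; mapping the lock failure to an error response would degrade more gracefully.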
@@ -108,6 +113,7 @@ impl ApiServer { let api_server = self.clone(); App::new() .wrap(middleware::Logger::default()) + .wrap(middleware::from_fn(prometheus_metrics_middleware)) .app_data(web::Data::new(api_server)) .app_data(web::PayloadConfig::new( (1024 * 1024 * http_config.payload_request_size) as usize, 
@@ -277,3 +283,133 @@ pub(crate) async fn prometheus_metrics_handler( .map_err(|e| Error::PrometheusError { source: e })?; Ok(HttpResponse::Ok().body(report)) } + +use actix_web::body::MessageBody; +use actix_web::dev::{ServiceRequest, ServiceResponse}; +use actix_web::middleware::Next; + +async fn prometheus_metrics_middleware( + req: ServiceRequest, + next: Next, +) -> std::result::Result, actix_web::Error> { + let start = actix::clock::Instant::now(); + let api_server = req + .request() + .app_data::>() + .unwrap() + .clone(); + + // Ignore requests like /metrics for metrics collection, they can make + // metrics weirdly not add up and distort metrics in odd ways. They + // arguably are not very interesting either to a user of KBS metrics. + let is_kbs_req = req.request().path().starts_with("/kbs"); + if is_kbs_req { + api_server.prometheus_metrics.requests_total.inc(); + + // Consider requests lacking a "content-length" header to be of zero + // size as this seems to be the usual case with KBS. (Streamed + // requests would also lack "content-length" but they don't seem too + // relevant with KBS.) + if let Some(len) = req.headers().get("content-length") { + if let Ok(Ok(len)) = len.to_str().map(|l| l.parse::()) { + api_server + .prometheus_metrics + .request_size + .observe(len as f64); + } + } else { + api_server.prometheus_metrics.request_size.observe(0_f64); + } + } + + // This is the actual request handling. 
+ let res = next.call(req).await?; + + if is_kbs_req { + api_server + .prometheus_metrics + .request_duration + .observe(start.elapsed().as_secs_f64()); + + if let actix_web::body::BodySize::Sized(len) = res.response().body().size() { + api_server + .prometheus_metrics + .response_size + .observe(len as f64); + } + } + + Ok(res) +} + +#[derive(Clone)] +struct ApiServerMetrics { + requests_total: prometheus::Counter, + request_duration: prometheus::Histogram, + request_size: prometheus::Histogram, + response_size: prometheus::Histogram, +} + +impl ApiServerMetrics { + fn new() -> std::result::Result { + let prom = prometheus_exporter::instance.lock().unwrap(); + let requests_total = prometheus::Counter::with_opts(prometheus::Opts::new( + "http_requests_total", + "Total HTTP requests count", + ))?; + prom.register(Box::new(requests_total.clone()))?; + + let request_duration = prometheus::Histogram::with_opts( + prometheus::HistogramOpts::new( + "http_request_duration_seconds", + "Distribution of request handling duration", + ) + .buckets(vec![0.0005, 0.001, 0.005, 0.01, 0.05, 0.5, 1.0]), + )?; + prom.register(Box::new(request_duration.clone()))?; + + let request_size = prometheus::Histogram::with_opts( + prometheus::HistogramOpts::new( + "http_request_size_bytes", + "Distribution of request body sizes", + ) + .buckets(prometheus::exponential_buckets(32.0, 4.0, 5)?), + )?; + prom.register(Box::new(request_size.clone()))?; + + let response_size = prometheus::Histogram::with_opts( + prometheus::HistogramOpts::new( + "http_response_size_bytes", + "Distribution of response body sizes", + ) + .buckets(prometheus::exponential_buckets(32.0, 4.0, 5)?), + )?; + prom.register(Box::new(response_size.clone()))?; + + Ok(ApiServerMetrics { + requests_total, + request_duration, + request_size, + response_size, + }) + } +} + +impl Drop for ApiServerMetrics { + fn drop(&mut self) { + let prom = prometheus_exporter::instance.lock().unwrap(); + + if let Err(err) = 
prom.unregister(Box::new(self.requests_total.clone())) { + warn!("couldn't unregister Prometheus requests_total: {:?}", err); + } + if let Err(err) = prom.unregister(Box::new(self.request_duration.clone())) { + warn!("couldn't unregister Prometheus request_duration: {:?}", err); + } + if let Err(err) = prom.unregister(Box::new(self.request_size.clone())) { + warn!("couldn't unregister Prometheus request_size: {:?}", err); + } + if let Err(err) = prom.unregister(Box::new(self.response_size.clone())) { + warn!("couldn't unregister Prometheus response_size: {:?}", err); + } + } +} From 378b654fcab3dfd22721e1a7c6b91ea1d59c0455 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 4 Jun 2025 18:16:07 +0800 Subject: [PATCH 267/298] kbs: change the serial and tokio macro in test The macro serial shoud be under tokio::test due to an official example https://github.com/palfrey/serial_test/pull/122/files Signed-off-by: Xynnn007 --- integration-tests/tests/get_resource.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-tests/tests/get_resource.rs b/integration-tests/tests/get_resource.rs index ad75a55750..24315c6b26 100644 --- a/integration-tests/tests/get_resource.rs +++ b/integration-tests/tests/get_resource.rs @@ -20,8 +20,8 @@ const SECRET_PATH: &str = "default/test/secret"; #[case::simple_deny_all(TestParameters{attestation_token_type: "Simple".to_string(), rvps_type: RvpsType::Builtin }, "deny_all".to_string())] #[case::contraindicated(TestParameters{attestation_token_type: "Ear".to_string(), rvps_type: RvpsType::Builtin }, "contraindicated".to_string())] #[case::not_contraindicated(TestParameters{attestation_token_type: "Ear".to_string(), rvps_type: RvpsType::Remote }, "not_contraindicated".to_string())] -#[serial] #[tokio::test(flavor = "multi_thread", worker_threads = 4)] +#[serial] async fn run_test( #[case] test_parameters: TestParameters, #[case] test_type: String, From 4168e9e8fd4c70d750c17fb220944556c632dd54 Mon Sep 17 00:00:00 2001 
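Review bot: In `prometheus_metrics_middleware` the request size comes from the client's `Content-Length` header rather than from what was actually read, and the three cases are handled inconsistently: a missing header records 0, a parsable header records whatever the client declared, and an unparsable one records nothing. A client can therefore skew `http_request_size_bytes` with arbitrary declared lengths, and the histogram's sample count drifts away from `http_requests_total`. Record exactly one observation per request, for example `let declared = req.headers().get("content-length").and_then(|v| v.to_str().ok()).and_then(|s| s.parse::<u64>().ok()).unwrap_or(0);`, and say in the histogram's help text that the value is the declared length. Note also that `next.call(req).await?` returns early on error, so such requests are counted in `http_requests_total` but never reach the duration histogram.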
From: Xynnn007 Date: Wed, 4 Jun 2025 17:16:40 +0800 Subject: [PATCH 268/298] kbs: refactor the prometheus module This commit does a little refactoring upon the prometheus module to try to move all prometheus related logic into one separate module. This would help the maintainance of prometheus logic in one place. Signed-off-by: Xynnn007 --- kbs/Cargo.toml | 1 - kbs/src/api_server.rs | 120 +++-------------- kbs/src/lib.rs | 2 +- .../implementations/resource/backend.rs | 57 +-------- kbs/src/prometheus/mod.rs | 121 ++++++++++++++++++ kbs/src/prometheus_exporter.rs | 57 --------- 6 files changed, 142 insertions(+), 216 deletions(-) create mode 100644 kbs/src/prometheus/mod.rs delete mode 100644 kbs/src/prometheus_exporter.rs diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index edc0bb4724..aa592295ab 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -60,7 +60,6 @@ lazy_static = "1.4.0" log.workspace = true mobc = { version = "0.8.5", optional = true } p256 = { workspace = true, features = ["ecdh"] } -#prometheus = "0.14.0" prometheus = "0.13.4" prost = { workspace = true, optional = true } rand = "0.8.5" diff --git a/kbs/src/api_server.rs b/kbs/src/api_server.rs index 803b991041..5641f054d2 100644 --- a/kbs/src/api_server.rs +++ b/kbs/src/api_server.rs @@ -8,11 +8,17 @@ use actix_web::{ }; use actix_web_httpauth::headers::authorization::{Authorization, Bearer}; use anyhow::Context; -use log::{info, warn}; +use log::info; use crate::{ - admin::Admin, config::KbsConfig, jwe::jwe, plugins::PluginManager, policy_engine::PolicyEngine, - prometheus_exporter, token::TokenVerifier, Error, Result, + admin::Admin, + config::KbsConfig, + jwe::jwe, + plugins::PluginManager, + policy_engine::PolicyEngine, + prometheus::{REQUEST_DURATION, REQUEST_SIZES, REQUEST_TOTAL}, + token::TokenVerifier, + Error, Result, }; const KBS_PREFIX: &str = "/kbs/v0"; 
@@ -35,8 +41,6 @@ pub struct ApiServer { admin_auth: Admin, config: KbsConfig, token_verifier: TokenVerifier, - - prometheus_metrics: ApiServerMetrics, } impl ApiServer { @@ -65,7 +69,6 @@ impl ApiServer { let token_verifier = TokenVerifier::from_config(config.attestation_token.clone()).await?; let policy_engine = PolicyEngine::new(&config.policy_engine).await?; let admin_auth = Admin::try_from(config.admin.clone())?; - let prometheus_metrics = ApiServerMetrics::new()?; #[cfg(feature = "as")] let attestation_service = @@ -80,8 +83,6 @@ impl ApiServer { #[cfg(feature = "as")] attestation_service, - - prometheus_metrics, }) } @@ -276,11 +277,8 @@ pub(crate) async fn prometheus_metrics_handler( _request: HttpRequest, _core: web::Data, ) -> Result { - let report = prometheus_exporter::instance - .lock() - .unwrap() - .export_metrics() - .map_err(|e| Error::PrometheusError { source: e })?; + let report = + crate::prometheus::export_metrics().map_err(|e| Error::PrometheusError { source: e })?; Ok(HttpResponse::Ok().body(report)) } @@ -293,18 +291,13 @@ async fn prometheus_metrics_middleware( next: Next, ) -> std::result::Result, actix_web::Error> { let start = actix::clock::Instant::now(); - let api_server = req - .request() - .app_data::>() - .unwrap() - .clone(); // Ignore requests like /metrics for metrics collection, they can make // metrics weirdly not add up and distort metrics in odd ways. They // arguably are not very interesting either to a user of KBS metrics. let is_kbs_req = req.request().path().starts_with("/kbs"); if is_kbs_req { - api_server.prometheus_metrics.requests_total.inc(); + REQUEST_TOTAL.inc(); // Consider requests lacking a "content-length" header to be of zero // size as this seems to be the usual case with KBS. (Streamed 
@@ -312,13 +305,10 @@ async fn prometheus_metrics_middleware( // relevant with KBS.) if let Some(len) = req.headers().get("content-length") { if let Ok(Ok(len)) = len.to_str().map(|l| l.parse::()) { - api_server - .prometheus_metrics - .request_size - .observe(len as f64); + REQUEST_SIZES.observe(len as f64); } } else { - api_server.prometheus_metrics.request_size.observe(0_f64); + REQUEST_SIZES.observe(0_f64); } } 
@@ -326,90 +316,12 @@ async fn prometheus_metrics_middleware( let res = next.call(req).await?; if is_kbs_req { - api_server - .prometheus_metrics - .request_duration - .observe(start.elapsed().as_secs_f64()); + REQUEST_DURATION.observe(start.elapsed().as_secs_f64()); if let actix_web::body::BodySize::Sized(len) = res.response().body().size() { - api_server - .prometheus_metrics - .response_size - .observe(len as f64); + REQUEST_SIZES.observe(len as f64); } } Ok(res) } - -#[derive(Clone)] -struct ApiServerMetrics { - requests_total: prometheus::Counter, - request_duration: prometheus::Histogram, - request_size: prometheus::Histogram, - response_size: prometheus::Histogram, -} - -impl ApiServerMetrics { - fn new() -> std::result::Result { - let prom = prometheus_exporter::instance.lock().unwrap(); - let requests_total = prometheus::Counter::with_opts(prometheus::Opts::new( - "http_requests_total", - "Total HTTP requests count", - ))?; - prom.register(Box::new(requests_total.clone()))?; - - let request_duration = prometheus::Histogram::with_opts( - prometheus::HistogramOpts::new( - "http_request_duration_seconds", - "Distribution of request handling duration", - ) - .buckets(vec![0.0005, 0.001, 0.005, 0.01, 0.05, 0.5, 1.0]), - )?; - prom.register(Box::new(request_duration.clone()))?; - - let request_size = prometheus::Histogram::with_opts( - prometheus::HistogramOpts::new( - "http_request_size_bytes", - "Distribution of request body sizes", - ) - .buckets(prometheus::exponential_buckets(32.0, 4.0, 5)?), - )?; - prom.register(Box::new(request_size.clone()))?; - - let response_size = prometheus::Histogram::with_opts( - prometheus::HistogramOpts::new( - "http_response_size_bytes", - "Distribution of response body sizes", - ) - .buckets(prometheus::exponential_buckets(32.0, 4.0, 5)?), - )?; - prom.register(Box::new(response_size.clone()))?; - - Ok(ApiServerMetrics { - requests_total, - request_duration, - request_size, - response_size, - }) - } -} - -impl Drop for 
ApiServerMetrics { - fn drop(&mut self) { - let prom = prometheus_exporter::instance.lock().unwrap(); - - if let Err(err) = prom.unregister(Box::new(self.requests_total.clone())) { - warn!("couldn't unregister Prometheus requests_total: {:?}", err); - } - if let Err(err) = prom.unregister(Box::new(self.request_duration.clone())) { - warn!("couldn't unregister Prometheus request_duration: {:?}", err); - } - if let Err(err) = prom.unregister(Box::new(self.request_size.clone())) { - warn!("couldn't unregister Prometheus request_size: {:?}", err); - } - if let Err(err) = prom.unregister(Box::new(self.response_size.clone())) { - warn!("couldn't unregister Prometheus response_size: {:?}", err); - } - } -} diff --git a/kbs/src/lib.rs b/kbs/src/lib.rs index ebeb434eba..adf5dfed01 100644 --- a/kbs/src/lib.rs +++ b/kbs/src/lib.rs @@ -26,4 +26,4 @@ pub mod admin; pub mod http; pub mod jwe; -pub mod prometheus_exporter; +pub mod prometheus; diff --git a/kbs/src/plugins/implementations/resource/backend.rs b/kbs/src/plugins/implementations/resource/backend.rs index d20fea58ca..107dffcc69 100644 --- a/kbs/src/plugins/implementations/resource/backend.rs +++ b/kbs/src/plugins/implementations/resource/backend.rs @@ -5,14 +5,13 @@ use std::sync::{Arc, OnceLock}; use anyhow::{bail, Context, Error, Result}; -use log::warn; use regex::Regex; use serde::Deserialize; use std::fmt; -use super::local_fs; +use crate::prometheus::{RESOURCE_READS_TOTAL, RESOURCE_WRITES_TOTAL}; -use crate::prometheus_exporter; +use super::local_fs; type RepositoryInstance = Arc; 
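Review bot: The response-size observation at the end of `prometheus_metrics_middleware` now calls `REQUEST_SIZES.observe(len as f64)`, where the removed code fed `response_size`. Response body sizes therefore land in the `http_request_size_bytes` histogram, and `http_response_size_bytes` is never observed from this function. The line inside the `BodySize::Sized(len)` branch should read `RESPONSE_SIZES.observe(len as f64);`, with `RESPONSE_SIZES` added to the `crate::prometheus` import, which is presumably in a hunk outside this view. Mixing the two histograms also misleads anyone who uses request sizes to spot abnormal client traffic. The function body starts in an earlier hunk.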
@@ -83,53 +82,9 @@ impl Default for RepositoryConfig { } } -#[derive(Clone)] -struct PrometheusMetrics { - resource_reads_total: prometheus::CounterVec, - resource_writes_total: prometheus::CounterVec, -} - -impl PrometheusMetrics { - fn new() -> Result { - let prom = prometheus_exporter::instance.lock().unwrap(); - let reads_opts = prometheus::Opts::new("resource_reads_total", "KBS resource read count"); - let resource_reads_total = prometheus::CounterVec::new(reads_opts, &["resource_path"])?; - prom.register(Box::new(resource_reads_total.clone()))?; - - let writes_opts = - prometheus::Opts::new("resource_writes_total", "KBS resource write count"); - let resource_writes_total = prometheus::CounterVec::new(writes_opts, &["resource_path"])?; - prom.register(Box::new(resource_writes_total.clone()))?; - - Ok(Self { - resource_reads_total, - resource_writes_total, - }) - } -} - -impl Drop for PrometheusMetrics { - fn drop(&mut self) { - let prom = prometheus_exporter::instance.lock().unwrap(); - if let Err(err) = prom.unregister(Box::new(self.resource_reads_total.clone())) { - warn!( - "couldn't unregister Prometheus resource_reads_total: {:?}", - err - ); - }; - if let Err(err) = prom.unregister(Box::new(self.resource_writes_total.clone())) { - warn!( - "couldn't unregister Prometheus resource_writes_total: {:?}", - err - ); - }; - } -} - #[derive(Clone)] pub struct ResourceStorage { backend: RepositoryInstance, - prometheus_metrics: PrometheusMetrics, } impl TryFrom for ResourceStorage { @@ -142,7 +97,6 @@ impl TryFrom for ResourceStorage { .context("Failed to initialize Resource Storage")?; Ok(Self { backend: Arc::new(backend), - prometheus_metrics: PrometheusMetrics::new()?, }) } #[cfg(feature = "aliyun")] @@ -150,7 +104,6 @@ impl TryFrom for ResourceStorage { let client = super::aliyun_kms::AliyunKmsBackend::new(&config)?; Ok(Self { backend: Arc::new(client), - prometheus_metrics: PrometheusMetrics::new()?, }) } } 
@@ -163,8 +116,7 @@ impl ResourceStorage { resource_desc: ResourceDesc, data: &[u8], ) -> Result<()> { - self.prometheus_metrics - .resource_writes_total + RESOURCE_WRITES_TOTAL .with_label_values(&[&format!("{}", resource_desc)]) .inc(); self.backend @@ -173,8 +125,7 @@ impl ResourceStorage { } pub(crate) async fn get_secret_resource(&self, resource_desc: ResourceDesc) -> Result> { - self.prometheus_metrics - .resource_reads_total + RESOURCE_READS_TOTAL .with_label_values(&[&format!("{}", resource_desc)]) .inc(); self.backend.read_secret_resource(resource_desc).await diff --git a/kbs/src/prometheus/mod.rs b/kbs/src/prometheus/mod.rs new file mode 100644 index 0000000000..06e03a8d83 --- /dev/null +++ b/kbs/src/prometheus/mod.rs 
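Review bot: `RESOURCE_WRITES_TOTAL` and `RESOURCE_READS_TOTAL` use the full `format!("{}", resource_desc)` string as the `resource_path` label and are incremented before the backend call. Every distinct path that reaches the write method at the top of this hunk or `get_secret_resource` therefore creates a time series, even when the read or write then fails. Because the counters are now process-global statics that are never unregistered, those series persist until restart; if callers can pick arbitrary paths (not visible here), that is unbounded label growth, and the metrics output lists secret resource names. Consider building the label string first, awaiting the backend, and calling `.inc()` only on `Ok`, or labelling by a bounded value such as repository or type instead of the full path. Both method signatures start outside the hunk.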
@@ -0,0 +1,121 @@ +// Copyright (c) 2025 Red Hat +// +// SPDX-License-Identifier: Apache-2.0 +// + +use lazy_static::lazy_static; +use prometheus::{Counter, CounterVec, Histogram, HistogramOpts, Opts, Registry, TextEncoder}; + +lazy_static! { + /// Resource Path Read Metrics + pub(crate) static ref RESOURCE_READS_TOTAL: CounterVec = { + let reads_opts = Opts::new("resource_reads_total", "KBS resource read count"); + CounterVec::new(reads_opts, &["resource_path"]).unwrap() + }; + + /// Resource Path Write Metrics + pub(crate) static ref RESOURCE_WRITES_TOTAL: CounterVec = { + let writes_opts = Opts::new("resource_writes_total", "KBS resource write count"); + CounterVec::new(writes_opts, &["resource_path"]).unwrap() + }; + + /// KBS Web Server Requests Metrics + pub(crate) static ref REQUEST_TOTAL: Counter = { + let requests_opts = Opts::new( + "http_requests_total", + "Total HTTP requests count", + ); + Counter::with_opts(requests_opts).unwrap() + }; + + /// KBS Web Server Requests Metrics + pub(crate) static ref REQUEST_DURATION: Histogram = { + let requests_duration_opts = HistogramOpts::new( + "http_request_duration_seconds", + "Distribution of request handling duration", + ).buckets(vec![0.0005, 0.001, 0.005, 0.01, 0.05, 0.5, 1.0]); + Histogram::with_opts(requests_duration_opts).unwrap() + }; + + /// KBS Web Server Request Sizes + pub(crate) static ref REQUEST_SIZES: Histogram = { + let request_sizes_opts = HistogramOpts::new( + "http_request_size_bytes", + "Distribution of request body sizes", + ) + .buckets(prometheus::exponential_buckets(32.0, 4.0, 5).unwrap()); + Histogram::with_opts(request_sizes_opts).unwrap() + }; + + /// KBS Web Server Response Sizes + pub(crate) static ref RESPONSE_SIZES: Histogram = { + let response_sizes_opts = HistogramOpts::new( + "http_response_size_bytes", + "Distribution of response body sizes", + ) + .buckets(prometheus::exponential_buckets(32.0, 4.0, 5).unwrap()); + Histogram::with_opts(response_sizes_opts).unwrap() + }; + + 
/// Prometheus instance to get the metrics + static ref INSTANCE: Registry = { + let registry = Registry::default(); + + registry + .register(Box::new(RESOURCE_READS_TOTAL.clone())) + .unwrap(); + + registry.register(Box::new(RESOURCE_WRITES_TOTAL.clone())).unwrap(); + registry.register(Box::new(REQUEST_TOTAL.clone())).unwrap(); + registry.register(Box::new(REQUEST_DURATION.clone())).unwrap(); + registry.register(Box::new(REQUEST_SIZES.clone())).unwrap(); + registry.register(Box::new(RESPONSE_SIZES.clone())).unwrap(); + + registry + }; +} + +pub(crate) fn export_metrics() -> Result { + let mut metrics_buffer = String::new(); + TextEncoder::new().encode_utf8(&INSTANCE.gather(), &mut metrics_buffer)?; + Ok(metrics_buffer) +} + +#[cfg(test)] +mod tests { + use crate::prometheus::{ + export_metrics, REQUEST_DURATION, REQUEST_SIZES, REQUEST_TOTAL, RESOURCE_READS_TOTAL, + RESOURCE_WRITES_TOTAL, RESPONSE_SIZES, + }; + + #[test] + fn matrics_recording() { + RESOURCE_READS_TOTAL + .with_label_values(&["default/key/read"]) + .inc(); + RESOURCE_READS_TOTAL + .with_label_values(&["default/key/read"]) + .inc(); + RESOURCE_WRITES_TOTAL + .with_label_values(&["default/key/write"]) + .inc(); + REQUEST_TOTAL.inc(); + REQUEST_TOTAL.inc(); + REQUEST_TOTAL.inc(); + REQUEST_DURATION.observe(10.0); + REQUEST_SIZES.observe(1024.0); + RESPONSE_SIZES.observe(2048.0); + + let metrics = export_metrics().unwrap(); + assert!(metrics.contains("resource_reads_total{resource_path=\"default/key/read\"} 2")); + assert!(metrics.contains("resource_writes_total{resource_path=\"default/key/write\"} 1")); + assert!(metrics.contains("resource_writes_total{resource_path=\"default/key/write\"} 1")); + assert!(metrics.contains("http_requests_total 3")); + assert!(metrics.contains("http_request_duration_seconds_count 1")); + assert!(metrics.contains("http_request_duration_seconds_sum 10")); + assert!(metrics.contains("http_request_size_bytes_sum 1024")); + 
assert!(metrics.contains("http_request_size_bytes_count 1")); + assert!(metrics.contains("http_response_size_bytes_sum 2048")); + assert!(metrics.contains("http_response_size_bytes_count 1")); + } +} diff --git a/kbs/src/prometheus_exporter.rs b/kbs/src/prometheus_exporter.rs deleted file mode 100644 index bc36f4c141..0000000000 --- a/kbs/src/prometheus_exporter.rs +++ /dev/null 
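Review bot: The `matrics_recording` test asserts exact totals (`http_requests_total 3`, `http_request_size_bytes_count 1`, and so on) against process-global statics. Any other test in the same binary that drives the middleware or `ResourceStorage` changes those numbers, so the result depends on test scheduling. Compare against a baseline instead, e.g. `let before = REQUEST_TOTAL.get();` then `assert!(REQUEST_TOTAL.get() - before >= 3.0);`, and keep exact-match assertions to label values only this test uses. The `resource_writes_total` assertion appears twice and the test name is presumably meant to be `metrics_recording`. The doc comments on `REQUEST_TOTAL` and `REQUEST_DURATION` are identical; `/// KBS Web Server Request Handling Duration` on the latter would tell them apart.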
@@ -1,57 +0,0 @@ -// Copyright (c) 2025 Red Hat -// -// SPDX-License-Identifier: Apache-2.0 -// - -use lazy_static::lazy_static; -use prometheus::{core::Collector, TextEncoder}; -use std::sync::Mutex; - -lazy_static! { - pub static ref instance: Mutex = Mutex::new(PrometheusExporter::new()); -} - -#[derive(Clone, Default)] -pub struct PrometheusExporter { - registry: prometheus::Registry, -} - -impl PrometheusExporter { - fn new() -> Self { - Self::default() - } - - // This function is idempotent - trying to register a metric that's - // already registered is not an error. This doesn't matter much during - // normal usage in a KBS binary, it does however in tests which create and - // tear down KBS's HTTP server repeatedly. - pub fn register(&self, metric: Box) -> Result<(), prometheus::Error> { - match self.registry.register(metric) { - Ok(_) => Ok(()), - Err(err) => { - if let prometheus::Error::AlreadyReg = err { - Ok(()) - } else { - Err(err) - } - } - } - } - - pub fn unregister(&self, metric: Box) -> Result<(), prometheus::Error> { - // Ideally, unregistration would be idempotent just like registration. - // However, prometheus::Error unfortunately doesn't have a dedicated - // variant for an attempt to unregister a metric that hasn't been - // registered and this type of error reported via the generic Msg - // variant instead. This makes it impossible to handle it here - // cleanly. - self.registry.unregister(metric)?; - Ok(()) - } - - pub fn export_metrics(&self) -> Result { - let mut metrics_buffer = String::new(); - TextEncoder::new().encode_utf8(&self.registry.gather(), &mut metrics_buffer)?; - Ok(metrics_buffer) - } -} From 2704291b8e1e6a059c710cef9696208129116099 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Wed, 22 Jan 2025 10:36:45 +0800 Subject: [PATCH 269/298] kbs: move integration test crate into kbs The integration test crate actually play the role to test KBS APIs. It would be good to move the whole thing into KBS crate. 
Signed-off-by: Xynnn007 --- Cargo.lock | 27 +------------- Cargo.toml | 1 - integration-tests/Cargo.toml | 37 ------------------- integration-tests/src/lib.rs | 5 --- kbs/Cargo.toml | 15 +++++++- kbs/Makefile | 2 +- .../src/common.rs => kbs/tests/common/mod.rs | 5 ++- .../tests/get_resource.rs | 7 ++-- 8 files changed, 24 insertions(+), 75 deletions(-) delete mode 100644 integration-tests/Cargo.toml delete mode 100644 integration-tests/src/lib.rs rename integration-tests/src/common.rs => kbs/tests/common/mod.rs (98%) rename {integration-tests => kbs}/tests/get_resource.rs (97%) diff --git a/Cargo.lock b/Cargo.lock index 9b6c4496ee..e352170cdb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -115,7 +115,6 @@ version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24eda4e2a6e042aa4e55ac438a2ae052d3b5da0ecf83d7411e1a368946925208" dependencies = [ - "actix-macros", "futures-core", "tokio", ] @@ -2750,29 +2749,6 @@ dependencies = [ "cfg-if", ] -[[package]] -name = "integration-tests" -version = "0.1.0" -dependencies = [ - "actix-rt", - "actix-web", - "anyhow", - "attestation-service", - "base64 0.22.1", - "env_logger 0.10.2", - "kbs", - "kbs-client", - "log", - "openssl", - "reference-value-provider-service", - "rstest", - "serde_json", - "serial_test", - "tempfile", - "tokio", - "tonic", -] - [[package]] name = "intel-tee-quote-verification-rs" version = "0.3.0" @@ -2982,7 +2958,8 @@ dependencies = [ "josekit", "jsonwebtoken", "jwt-simple", - "kbs-types 0.10.0", + "kbs-client", + "kbs-types", "kms", "lazy_static", "log", diff --git a/Cargo.toml b/Cargo.toml index c9b354458d..fbfb6259be 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -5,7 +5,6 @@ members = [ "rvps", "tools/kbs-client", "deps/verifier", - "integration-tests", ] resolver = "2" diff --git a/integration-tests/Cargo.toml b/integration-tests/Cargo.toml deleted file mode 100644 index 9bd63f5dd7..0000000000 --- a/integration-tests/Cargo.toml +++ /dev/null 
@@ -1,37 +0,0 @@ -[package] -name = "integration-tests" -version.workspace = true -authors.workspace = true -description.workspace = true -documentation.workspace = true -edition.workspace = true - -[dependencies] -kbs = { path = "../kbs" } -reference-value-provider-service = { path = "../rvps" } - -actix-web.workspace = true -actix-rt = "2.10.0" -anyhow.workspace = true -base64.workspace = true -env_logger.workspace = true -log.workspace = true -openssl.workspace = true -rstest.workspace = true -serde_json.workspace = true -serial_test.workspace = true -tempfile.workspace = true -tokio.workspace = true -tonic.workspace = true - -[target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies] -attestation-service = { path = "../attestation-service" } -kbs-client = { path = "../tools/kbs-client" } - -[target.'cfg(target_arch = "s390x")'.dependencies] -attestation-service = { path = "../attestation-service", default-features = false, features = [ "se-verifier", ] } -kbs-client = { path = "../tools/kbs-client", default-features = false, features = [ "se-attester", ] } - -[target.'cfg(target_arch = "aarch64")'.dependencies] -attestation-service = { path = "../attestation-service", default-features = false, features = [ "cca-verifier", ] } -kbs-client = { path = "../tools/kbs-client", default-features = false, features = [ "cca-attester", ] } diff --git a/integration-tests/src/lib.rs b/integration-tests/src/lib.rs deleted file mode 100644 index e29db916d2..0000000000 --- a/integration-tests/src/lib.rs +++ /dev/null @@ -1,5 +0,0 @@ -// Copyright (c) 2025 by IBM. -// Licensed under the Apache License, Version 2.0, see LICENSE for details. -// SPDX-License-Identifier: Apache-2.0 - -pub mod common; diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index aa592295ab..9f2a930db1 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml 
@@ -104,7 +104,20 @@ josekit = "0.10.0" tempfile.workspace = true rstest.workspace = true reference-value-provider-service.path = "../rvps" -serial_test = "3.0" +serial_test.workspace = true + +[target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dev-dependencies] +kbs-client = { path = "../tools/kbs-client" } + +[target.'cfg(target_arch = "s390x")'.dev-dependencies] +kbs-client = { path = "../tools/kbs-client", default-features = false, features = [ + "se-attester", +] } + +[target.'cfg(target_arch = "aarch64")'.dev-dependencies] +kbs-client = { path = "../tools/kbs-client", default-features = false, features = [ + "cca-attester", +] } [build-dependencies] tonic-build = { workspace = true, optional = true } diff --git a/kbs/Makefile b/kbs/Makefile index a92cded386..9b32c253df 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -115,7 +115,7 @@ uninstall: rm -rf $(INSTALL_DESTDIR)/kbs $(INSTALL_DESTDIR)/kbs-client $(INSTALL_DESTDIR)/issuer-kbs $(INSTALL_DESTDIR)/resource-kbs check: - cargo test -p kbs -p kbs-client -p integration-tests $(TEST_ARGUMENTS) + cargo test -p kbs -p kbs-client $(TEST_ARGUMENTS) lint: cargo clippy -p kbs -p kbs-client $(TEST_ARGUMENTS) -- -D warnings diff --git a/integration-tests/src/common.rs b/kbs/tests/common/mod.rs similarity index 98% rename from integration-tests/src/common.rs rename to kbs/tests/common/mod.rs index bca40fd914..4f2d395f5f 100644 --- a/integration-tests/src/common.rs +++ b/kbs/tests/common/mod.rs @@ -70,7 +70,8 @@ pub struct TestParameters { // Internal state of tests pub struct TestHarness { - pub kbs_config: KbsConfig, + // This variable is not used thus added an underscore. + _kbs_config: KbsConfig, auth_privkey: String, kbs_server_handle: actix_web::dev::ServerHandle, _work_dir: TempDir, @@ -197,7 +198,7 @@ impl TestHarness { tokio::spawn(kbs_server); Ok(TestHarness { - kbs_config, + _kbs_config: kbs_config, auth_privkey, kbs_server_handle: kbs_handle, _work_dir: work_dir, 
diff --git a/integration-tests/tests/get_resource.rs b/kbs/tests/get_resource.rs similarity index 97% rename from integration-tests/tests/get_resource.rs rename to kbs/tests/get_resource.rs index 24315c6b26..1871a71dfa 100644 --- a/integration-tests/tests/get_resource.rs +++ b/kbs/tests/get_resource.rs @@ -7,12 +7,13 @@ use log::info; use rstest::rstest; use serial_test::serial; -extern crate integration_tests; -use crate::integration_tests::common::{PolicyType, RvpsType, TestHarness, TestParameters}; - const SECRET_BYTES: &[u8; 8] = b"shhhhhhh"; const SECRET_PATH: &str = "default/test/secret"; +mod common; + +use common::{PolicyType, RvpsType, TestHarness, TestParameters}; + #[rstest] #[case::ear_allow_all(TestParameters{attestation_token_type: "Ear".to_string(), rvps_type: RvpsType::Builtin }, "allow_all".to_string())] #[case::simple_allow_all(TestParameters{attestation_token_type: "Simple".to_string(), rvps_type: RvpsType::Builtin }, "allow_all".to_string())] From f2c4e5751711baf964f3cbe4b69ed460bbd95160 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Thu, 5 Jun 2025 17:31:45 +0100 Subject: [PATCH 270/298] Update Cargo.lock Signed-off-by: Leonardo Milleri --- Cargo.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index e352170cdb..5f8e9ff7cd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2959,7 +2959,7 @@ dependencies = [ "jsonwebtoken", "jwt-simple", "kbs-client", - "kbs-types", + "kbs-types 0.10.0", "kms", "lazy_static", "log", From 3d8fc40b417ee86b0d06323d6b1bea38e9685335 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 7 Jun 2025 05:35:31 +0000 Subject: [PATCH 271/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .../docker-build-multi-platform-oci-ta.yaml | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) 
diff --git a/.tekton/docker-build-multi-platform-oci-ta.yaml b/.tekton/docker-build-multi-platform-oci-ta.yaml index 5cdacdb7e8..5733fbcc0b 100644 --- a/.tekton/docker-build-multi-platform-oci-ta.yaml +++ b/.tekton/docker-build-multi-platform-oci-ta.yaml @@ -22,7 +22,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:002f7c8c1d2f9e09904035da414aba1188ae091df0ea9532cd997be05e73d594 - name: kind value: task resolver: bundles @@ -108,7 +108,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:737682d073a65a486d59b2b30e3104b93edd8490e0cd5e9b4a39703e47363f0f + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:66e90d31e1386bf516fb548cd3e3f0082b5d0234b8b90dbf9e0d4684b70dbe1a - name: kind value: task resolver: bundles @@ -131,7 +131,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:9709088bf3c581d4763e9804d9ee3a1f06ad6a61c23237277057c4f0cdc4f9c3 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ecf57d5a6697ce709bee65b62781efe79a10b0c2b95e05576442b67fbd61744 - name: kind value: task resolver: bundles @@ -210,7 +210,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:468708e0a5dc3a314d71ca0cf2db80c6d7fefae98b292b10fa1cf07ea3787d9e + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:cfeeef2f4ab25b121afdf44eecc394ed67f3534a1bd14bef9e7beef2ee654b8e - name: kind value: task resolver: bundles 
@@ -240,7 +240,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:95be274b6d0432d4671e2c41294ec345121bdf01284b1c6c46b5537dc6b37e15 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:9c95b1fe17db091ae364344ba2006af46648e08486eef1f6fe1b9e3f10866875 - name: kind value: task resolver: bundles @@ -264,7 +264,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:9fe82c9511f282287686f918bf1a543fcef417848e7a503357e988aab2887cee + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:c5e56643c0f5e19409e86c8fd4de4348413b6f10456aa0875498d5c63bf6ef0e - name: kind value: task resolver: bundles @@ -291,7 +291,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:5d63b920b71192906fe4d6c4903f594e6f34c5edcff9d21714a08b5edcfbc667 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:ecd33669676b3a193ff4c2c6223cb912cc1b0cf5cc36e080eaec7718500272cf - name: kind value: task resolver: bundles @@ -313,7 +313,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:712afcf63f3b5a97c371d37e637efbcc9e1c7ad158872339d00adc6413cd8851 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:68a8fe28527c4469243119a449e2b3a6655f2acac589c069ea6433242da8ed4d - name: kind value: task resolver: bundles 
@@ -333,7 +333,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:7c2438c6201ee803de361fa2e9182fdc759126d5bc010abbbddf5aa40c7adc3c + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:302828e9d7abc72b8a44fb2b9be068f86c982d8e5f4550b8bf654571d6361ee8 - name: kind value: task resolver: bundles @@ -359,7 +359,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:a1cb59ed66a7be1949c9720660efb0a006e95ef05b3f67929dd8e310e1d7baef + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:9a6ec5575f80668552d861e64414e736c85af772c272ca653a6fd1ec841d2627 - name: kind value: task resolver: bundles @@ -382,7 +382,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:62c835adae22e36fce6684460b39206bc16752f1a4427cdbba4ee9afdd279670 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:386c8c3395b44f6eb927dbad72382808b0ae42008f183064ca77cb4cad998442 - name: kind value: task resolver: bundles @@ -425,7 +425,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.2@sha256:e88c8eb990f8238f59c178644ef31fa4701c4caa96719e4b5267fa970516a529 + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:7c845b10d257b874f645ea30deeff3c1ce2b38e7b6e331564f32c8684f41b520 - name: kind value: task resolver: bundles 
@@ -447,7 +447,7 @@ spec: - name: name value: coverity-availability-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:0b35292eed661c5e3ca307c0ba7f594d17555db2a1da567903b0b47697fa23ed + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:8b58c4fae00c0dfe3937abfb8a9a61aa3c408cca4278b817db53d518428d944e - name: kind value: task resolver: bundles @@ -473,7 +473,7 @@ spec: - name: name value: sast-shell-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a591675c72f06fb9c5b1a3d60e6e4c58e4df5f7da180c7a4691a692a6e7e6496 + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a7766190229785bc5db9c62af92d46a83ea580a111b4b64a4e27f6caecae9489 - name: kind value: task resolver: bundles @@ -498,7 +498,7 @@ spec: - name: name value: sast-unicode-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:9613b9037e4199495800c2054c13d0479e3335ec94e0f15f031a5bce844003a9 - name: kind value: task resolver: bundles @@ -519,7 +519,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:61c90b1c94a2a11cb11211a0d65884089b758c34254fcec164d185a402beae22 + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:1c6f673fe100a49f58aaef62580c8adf0c397790964f4e7bac7fcd3f4d07c92e - name: kind value: task resolver: bundles 
@@ -542,7 +542,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:55a4ff2910ae2e4502f3841719935d37578bd52156bc789fcdf45ff48c2b048b + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:d0ee13ab3d9564f7ee806a8ceaced934db493a3a40e11ff6db3a912b8bbace95 - name: kind value: task resolver: bundles @@ -560,7 +560,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c0798ff85ad04f1553d349fe34aa4918597fb35b3b74e344dfbd5af2f3494300 + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:80a4562d5f86eb6812f00d4e30e94c1ad27ec937735dc29f5a63e9335676b3dc - name: kind value: task resolver: bundles From 5a18088d1fc3d1320bc9a303639b63973dbee52e Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Tue, 10 Jun 2025 01:51:16 +0000 Subject: [PATCH 272/298] chore(deps): update docker.io/library/rust docker tag to v1.87.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- kbs/docker/kbs-client-image/Dockerfile | 2 +- kbs/docker/kbs-client/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kbs/docker/kbs-client-image/Dockerfile b/kbs/docker/kbs-client-image/Dockerfile index 68f0f36618..ea30b97c00 100644 --- a/kbs/docker/kbs-client-image/Dockerfile +++ b/kbs/docker/kbs-client-image/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/library/rust:1.80.0 AS builder +FROM docker.io/library/rust:1.87.0 AS builder WORKDIR /usr/src/kbs COPY . . diff --git a/kbs/docker/kbs-client/Dockerfile b/kbs/docker/kbs-client/Dockerfile index 046a3ff9d3..e77ab8afd5 100644 --- a/kbs/docker/kbs-client/Dockerfile +++ b/kbs/docker/kbs-client/Dockerfile 
@@ -1,4 +1,4 @@ -FROM docker.io/library/rust:1.80.0 AS builder +FROM docker.io/library/rust:1.87.0 AS builder ARG ARCH=x86_64 WORKDIR /usr/src/kbs From 9e24cb75816a8bbbb1c2b0f3c587360e9bda6626 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 14 Jun 2025 05:45:41 +0000 Subject: [PATCH 273/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/docker-build-multi-platform-oci-ta.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.tekton/docker-build-multi-platform-oci-ta.yaml b/.tekton/docker-build-multi-platform-oci-ta.yaml index 5733fbcc0b..33129c6f6d 100644 --- a/.tekton/docker-build-multi-platform-oci-ta.yaml +++ b/.tekton/docker-build-multi-platform-oci-ta.yaml @@ -131,7 +131,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ecf57d5a6697ce709bee65b62781efe79a10b0c2b95e05576442b67fbd61744 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0fea1e4bd2fdde46c5b7786629f423a51e357f681c32ceddd744a6e3d48b8327 - name: kind value: task resolver: bundles @@ -333,7 +333,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:302828e9d7abc72b8a44fb2b9be068f86c982d8e5f4550b8bf654571d6361ee8 + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:8a2d3ce9205df1f59f410529cb38134336e0a4b06ee1187b3229f26c80ecc5ba - name: kind value: task resolver: bundles 
@@ -473,7 +473,7 @@ spec: - name: name value: sast-shell-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a7766190229785bc5db9c62af92d46a83ea580a111b4b64a4e27f6caecae9489 + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:60a7ee6ec5d00920389f03befd328cdaa159b7122a94ff3c87da287e0f32420f - name: kind value: task resolver: bundles @@ -519,7 +519,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:1c6f673fe100a49f58aaef62580c8adf0c397790964f4e7bac7fcd3f4d07c92e + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:0c411c27483849a936c0c420a57e477113e9fafc63077647200d6614d9ebb872 - name: kind value: task resolver: bundles @@ -560,7 +560,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:80a4562d5f86eb6812f00d4e30e94c1ad27ec937735dc29f5a63e9335676b3dc + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:ec7f6de651458e4a5842b145e761b0d86b03b52bec1515d6d8a1b8cf107af95c - name: kind value: task resolver: bundles From 9644cdd1b535e2d80e34f7301869d1fd75b959fd Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Wed, 18 Jun 2025 09:40:55 +0100 Subject: [PATCH 274/298] Fix docker-build-multi-platform-oci-ta.yaml Signed-off-by: Leonardo Milleri --- .tekton/docker-build-multi-platform-oci-ta.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.tekton/docker-build-multi-platform-oci-ta.yaml b/.tekton/docker-build-multi-platform-oci-ta.yaml index 33129c6f6d..e4a91d4f37 100644 --- a/.tekton/docker-build-multi-platform-oci-ta.yaml +++ b/.tekton/docker-build-multi-platform-oci-ta.yaml 
@@ -397,6 +397,8 @@ spec:
 value: $(tasks.build-image-index.results.IMAGE_URL)
 - name: IMAGE
 value: $(params.output-image)
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 - name: DOCKERFILE
 value: $(params.dockerfile)
 - name: CONTEXT
@@ -510,8 +512,10 @@ spec:
 workspaces: []
 - name: apply-tags
 params:
- - name: IMAGE
+ - name: IMAGE_URL
 value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 runAfter:
 - build-image-index
 taskRef:
From dca55a7160698699a400e068e653e97596ddc35f Mon Sep 17 00:00:00 2001
From: Leonardo Milleri
Date: Wed, 18 Jun 2025 13:08:45 +0100
Subject: [PATCH 275/298] Fix hermetic build Added some packages and changed base image to ubi9.5
Signed-off-by: Leonardo Milleri
---
 kbs/docker/rhel-ubi/Dockerfile | 4 +-
 rpm/redhat.repo | 7508 ++++++++++++++++++++++----------
 rpm/rpms.in.yaml | 29 +-
 rpm/rpms.lock.yaml | 2954 ++++++++++++-
 4 files changed, 8187 insertions(+), 2308 deletions(-)
diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile
index ce87010edf..535e77ab55 100644
--- a/kbs/docker/rhel-ubi/Dockerfile
+++ b/kbs/docker/rhel-ubi/Dockerfile
@@ -1,5 +1,5 @@
 # Use UBI to build.
-FROM registry.access.redhat.com/ubi9 as builder
+FROM registry.access.redhat.com/ubi9/ubi:9.5 as builder
 ARG ALIYUN=false
 # Install build dependencies from CentOS or RHEL repos.
@@ -17,6 +17,8 @@ dnf -y update && \
 # Install packages.
 dnf -y --setopt=install_weak_deps=0 install \
 cargo pkg-config perl-FindBin openssl-devel perl-lib perl-IPC-Cmd perl-File-Compare perl-File-Copy clang-devel \
+ rust gcc gcc-c++ \
+ cmake glibc-static perl device-mapper-devel \
 # These two are only available in the CodeReady Builder repo.
 tpm2-tss-devel protobuf-compiler \
 # This one is needed to build the stub.
diff --git a/rpm/redhat.repo b/rpm/redhat.repo
index 94febea6f8..6324ecf801 100644
--- a/rpm/redhat.repo
+++ b/rpm/redhat.repo
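Review bot: The new `FROM registry.access.redhat.com/ubi9/ubi:9.5 as builder` line in kbs/docker/rhel-ubi/Dockerfile identifies the builder base by tag only, and a registry tag can be re-pointed to a rebuilt image, so the same commit may build from different base content over time. The Tekton task bundles updated earlier in this series are referenced as `tag@sha256:…`, and the commit's stated goal is a hermetic build, so the base image would be more consistent with both if it carried a digest as well: `FROM registry.access.redhat.com/ubi9/ubi:9.5@sha256:<digest of the image that was verified> AS builder`. A digest also makes every base-image change show up as a reviewable diff line rather than a silent pull. Whether the build system already resolves and records the digest elsewhere is not visible from this hunk, so treat this as something to confirm.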
@@ -9,1542 +9,1542 @@ # a "yum repolist" to refresh available repos # -[rhocp-ironic-4.17-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/os +[satellite-utils-6.17-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-e4s-source-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (Source RPMS) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/source/SRPMS +[cnv-4.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-eus-rpms] -name = Red Hat Satellite Client 6 
for RHEL 9 $basearch - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/os +[cnv-4.17-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jdv-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Data Virtualization Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/jdv/1.0/$basearch/os +[rhel-9-for-$basearch-sap-netweaver-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/os enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-eus-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/os +[application-interconnect-1-for-rhel-9-$basearch-rpms] +name = Red Hat Application Interconnect for RHEL 9 $basearch (RPMs) 
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-gaudi-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/source/SRPMS +[gitops-1.14-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-gaudi-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/debug +[rhel-9-for-$basearch-highavailability-source-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Source RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/highavailability/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.12-rpms] -name = Red Hat Container Development Kit 3.12 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.12/os +[rhel-9-for-$basearch-appstream-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/appstream/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[codeready-builder-for-rhel-9-$basearch-source-rpms] -name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/source/SRPMS +[lvms-4.19-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.13-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/os +[rhel-9-for-$basearch-highavailability-e4s-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/highavailability/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.16-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/os +[rhel-9-for-$basearch-sap-netweaver-eus-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/sap/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhpm-1-for-rhel-9-$basearch-textonly-debug-rpms] -name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/debug +[rhel-9-for-$basearch-appstream-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-rt-e4s-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/os +[rhoso-edpm-1-beta-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift External Data Plane Management Beta for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-edpm/1/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[codeready-builder-for-rhel-9-$basearch-eus-source-rpms] -name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/source/SRPMS +[rhel-9-for-$basearch-highavailability-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.17-for-rhel-9-$basearch-source-rpms] -name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/source/SRPMS +[rhel-9-for-$basearch-sap-solutions-eus-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/sap-solutions/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-gaudi-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/os +[rhelai-1.5-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[discovery-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Discovery 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/debug +[rhel-9-for-$basearch-supplementary-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openstack-17-tools-for-rhel-9-$basearch-rpms] -name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch 
(RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/os +[rhel-9-for-$basearch-baseos-eus-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/baseos/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openliberty-textonly-1-for-middleware-rpms] -name = Open Liberty Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/openliberty/1.0/$basearch/os +[jb-eap-8.1-for-rhel-9-$basearch-debug-rpms] +name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/debug enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.4-source-rpms] -name = Red Hat Container Development Kit 3.4 /(Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/source/SRPMS +[jws-6-for-rhel-9-$basearch-rpms] +name = JBoss Web Server 6 (RHEL 9) (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jws/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhoso-tools-18-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/debug +[rhocp-4.18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.19-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/source/SRPMS +[rhosds-textonly-3-for-middleware-rpms] +name = Red Hat OpenShift Dev Spaces 3 Container Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/rhosds/3.0/$basearch/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey 
= /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.10-for-rhel-9-$basearch-rpms] -name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/os +[rhocp-ironic-4.15-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/debug +[service-interconnect-2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.16-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/os +[quay-3-for-rhel-9-$basearch-source-rpms] +name = Red Hat Quay 3 (for RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/quay/3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jpp-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Portal Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/jpp/1.0/$basearch/os +[rodoo-1-for-rhel-9-$basearch-debug-rpms] +name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/debug enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.19-for-rhel-9-$basearch-debug-rpms] -name = Logical Volume Manager 
Storage 4.19 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/debug +[openstack-17-deployment-tools-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17 Director Deployment Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-deployment-tools/17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-cuda-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/os +[openstack-dev-preview-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform Dev Preview for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack-dev-preview/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.12-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/os +[rhel-9-for-$basearch-supplementary-eus-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/supplementary/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhv-4-tools-for-rhel-9-$basearch-source-rpms] -name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/source/SRPMS +[rhel-9-for-$basearch-highavailability-e4s-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/highavailability/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[pipelines-1.18-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/debug 
+[rhceph-6-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-nhc-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/debug +[jpp-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Portal Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jpp/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[codeready-builder-for-rhel-9-$basearch-debug-rpms] -name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/debug +[ocp-tools-4.17-for-rhel-9-$basearch-debug-rpms] +name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-datagrid-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Data Grid Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/jb-datagrid/1.0/$basearch/os +[rhacm-2.14-for-rhel-9-$basearch-rpms] +name = Red Hat Advanced Cluster Management for Kubernetes 2.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhacm/2.14/os enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-e4s-debug-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (Debug RPMS) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/debug +[cert-manager-1.12-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.19-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/os +[rhwa-mdr-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.16-rpms] -name = Red Hat Container Development Kit 3.16 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.16/os +[rhelai-1.3-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[insights-proxy-1-tech-preview-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/debug +[rhel-9-for-$basearch-resilientstorage-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - 4 years of updates (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/resilientstorage/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.2-gaudi-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/source/SRPMS +[rhoso-18.0-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift 18.0 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso/18.0/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.18-for-rhel-9-$basearch-rpms] -name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/os +[codeready-builder-for-rhel-9-$basearch-eus-rhui-source-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/codeready-builder/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/debug -enabled = 0 +[codeready-builder-for-rhel-9-$basearch-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/os +enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata 
= 0 -[lvms-4.16-for-rhel-9-$basearch-source-rpms] -name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/source/SRPMS +[satellite-client-6-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.13-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/debug +[cert-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Certification for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[osso-1-for-rhel-9-$basearch-rpms] -name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/os +[openjdk-textonly-1-for-middleware-rpms] +name = OpenJDK 
Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/openjdk/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Enterprise Application Platform Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/jbeap/1.0/$basearch/os +[application-interconnect-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Application Interconnect for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.15-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/debug +[network-observability-1-for-rhel-9-$basearch-source-rpms] +name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/source/SRPMS enabled = 0 
gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-5-tools-for-rhel-9-$basearch-rpms] -name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/os +[rhoso-edpm-1.0-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift External Data Plane Management 1.0 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-edpm/1.0/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-7.4-for-rhel-9-$basearch-source-rpms] -name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/source/SRPMS +[service-interconnect-1-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
-sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.19-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/debug +[rhel-9-for-$basearch-sap-netweaver-eus-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/sap/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.15-for-rhel-9-$basearch-rpms] -name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/os +[satellite-capsule-6.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Capsule 6.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-capsule/6.17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1-for-rhel-9-$basearch-rpms] -name = Red Hat Service Interconnect for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/os +[dirsrv-12.3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Directory Server 12.3 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.3/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-6-tools-for-rhel-9-$basearch-rpms] -name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/os +[openstack-17-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[osso-1-for-rhel-9-$basearch-debug-rpms] -name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (Debug RPMs) 
-baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/debug +[rhel-9-for-$basearch-rt-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.13-for-rhel-9-$basearch-debug-rpms] -name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/debug +[pipelines-1.18-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/source/SRPMS +[openstack-17.1-deployment-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17.1 
Director Deployment Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-deployment-tools/17.1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.13-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/debug +[satellite-client-6-for-rhel-9-$basearch-aus-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Advanced Mission Critical Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/sat-client/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-cuda-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/source/SRPMS +[rhel-9-for-$basearch-appstream-aus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Advanced Update Support (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/appstream/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.14-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/source/SRPMS +[jb-datagrid-8.4-for-rhel-9-$basearch-rpms] +name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.4-debug-rpms] -name = Red Hat Container Development Kit 3.4 /(Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/debug +[satellite-6-client-2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem 
-sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[fast-datapath-for-rhel-9-$basearch-source-rpms] -name = Fast Datapath for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/source/SRPMS +[jdv-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Data Virtualization Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jdv/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.10-for-rhel-9-$basearch-debug-rpms] -name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/debug +[rhelai-1.4-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.14-for-rhel-9-$basearch-source-rpms] -name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/source/SRPMS +[rhel-9-for-$basearch-sap-netweaver-e4s-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/sap/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-e4s-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +[jb-coreservices-textonly-1-for-middleware-rhui-rpms] +name = Red Hat JBoss Core Services Text-Only Advisories from RHUI +baseurl = https://cdn.redhat.com/content/dist/middleware/rhui/jbcs/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 
enabled_metadata = 0 -[rhocp-ironic-4.19-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/source/SRPMS +[rh-odf-4-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Data Foundation for RHEL 9 (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhodf/4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/source/SRPMS +[ocp-tools-4.15-for-rhel-9-$basearch-source-rpms] +name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/os +[rhel-atomic-7-cdk-3.7-rpms] +name = Red Hat Container Development Kit 3.7 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.7/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.15-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/debug +[rhel-9-for-$basearch-sap-solutions-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-maintenance-6.17-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/debug +[ocp-tools-4.16-for-rhel-9-$basearch-debug-rpms] +name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch 
Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.15-for-rhel-9-$basearch-source-rpms] -name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/source/SRPMS +[rhelai-1.2-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.13-for-rhel-9-$basearch-source-rpms] -name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/source/SRPMS +[rhel-9-for-$basearch-resilientstorage-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - 4 years of updates (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/resilientstorage/debug enabled = 0 gpgcheck = 
1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-e4s-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/source/SRPMS +[rhel-9-for-$basearch-highavailability-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/debug +[jb-eap-7.4-for-rhel-9-$basearch-debug-rpms] +name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.2-gaudi-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/os +[ansible-automation-platform-2.3-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-supplementary-eus-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/source/SRPMS +[ansible-developer-1.2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Developer 1.2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.2/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-gaudi-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/os +[rhel-9-for-$basearch-baseos-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/baseos/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.17-rpms] -name = Red Hat Container Development Kit 3.17 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.17/os +[rhel-9-for-$basearch-resilientstorage-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[cnv-4.15-for-rhel-9-$basearch-rpms] -name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/os +[satellite-capsule-6.17-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Capsule 6.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-capsule/6.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1.4-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/debug +[rhacm-2.13-for-rhel-9-$basearch-source-rpms] +name = Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhacm/2.13/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[pipelines-1.18-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (Source RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/source/SRPMS +[rhel-atomic-7-cdk-3.11-rpms] +name = Red Hat Container Development Kit 3.11 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.11/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.18-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/source/SRPMS +[rhceph-7-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.9-rpms] -name = Red Hat Container Development Kit 3.9 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.9/os +[service-interconnect-1.8-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.2-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/os +[satellite-capsule-6.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Capsule 6.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-capsule/6.16/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1.8-for-rhel-9-$basearch-rpms] -name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/os +[ansible-developer-1.1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Developer 1.1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = 
/etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.3-for-rhel-9-$basearch-rpms] -name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/os +[rhel-9-for-$basearch-supplementary-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/supplementary/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.13-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/os +[codeready-builder-for-rhel-9-$basearch-eus-rhui-debug-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/codeready-builder/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-eus-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/os +[rhv-4-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[codeready-builder-for-rhel-9-$basearch-eus-rpms] -name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/os +[satellite-6.17-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite 6.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/satellite/6.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 
enabled_metadata = 0 -[cnv-4.13-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/debug +[insights-proxy-for-rhel-9-$basearch-rpms] +name = Red Hat Insights Proxy for RHEL9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/insights-proxy/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.14-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/os +[rhelai-3.0-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/3.0/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.2-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (Source RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/source/SRPMS +[fsw-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Fuse Service Works Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/fsw/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[amq-interconnect-textonly-1-for-middleware-rpms] -name = Red Hat AMQ Interconnect Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/amq-interconnect/1.0/$basearch/os +[rhoso-podified-1-beta-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift Podified Beta for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-podified/1/debug enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.3-source-rpms] -name = Red Hat Container Development Kit 3.3 /(Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/source/SRPMS +[satellite-utils-6.17-for-rhel-9-$basearch-source-rpms] +name = Red 
Hat Satellite Utils 6.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[network-observability-1-for-rhel-9-$basearch-rpms] -name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/os +[rhwa-nhc-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.8-rpms] -name = Red Hat Container Development Kit 3.8 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.8/os +[cnv-4.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-e4s-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/debug +[rhel-9-for-$basearch-baseos-aus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Advanced Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/baseos/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.17-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/debug +[rhel-atomic-7-cdk-2.3-rpms] +name = Red Hat Container Development Kit 2.3 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.19-for-rhel-9-$basearch-rpms] -name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/os +[openstack-17-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/source/SRPMS +[service-interconnect-2-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 
enabled_metadata = 0 -[rhel-atomic-7-cdk-3.5-source-rpms] -name = Red Hat Container Development Kit 3.5 /(Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/source/SRPMS +[rhelai-1.4-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.14-for-rhel-9-$basearch-source-rpms] -name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/source/SRPMS +[rhelai-1.5-cuda-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[application-interconnect-1-for-rhel-9-$basearch-rpms] -name = Red Hat Application Interconnect for RHEL 9 $basearch (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/os +[fast-datapath-for-rhel-9-$basearch-debug-rpms] +name = Fast Datapath for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.18-for-rhel-9-$basearch-debug-rpms] -name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/debug +[rhel-9-for-$basearch-appstream-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-eus-debug-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/debug +[rhelai-1.4-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-gaudi-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/debug +[rhelai-1.5-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-utils-6.17-for-rhel-9-$basearch-source-rpms] -name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/source/SRPMS +[rhel-9-for-$basearch-appstream-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/os +[satellite-6-client-2-for-rhel-9-$basearch-eus-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-resilientstorage-eus-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/source/SRPMS +[satellite-maintenance-6.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Maintenance 6.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
-sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-cuda-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/source/SRPMS +[satellite-6-client-2-for-rhel-9-$basearch-e4s-debug-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhose-textonly-1-for-middleware-rpms] -name = Red Hat Middleware Container Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/rhose-middleware/1.0/$basearch/os +[openstack-beta-deployment-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform Beta Director Deployment Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack-deployment-tools/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-e4s-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/os +[rhelai-3.0-cuda-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch - Cuda (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/3.0/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
@@ -1557,3326 +1557,6420 @@ gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/os +[satellite-maintenance-6.16-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Maintenance 6.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-source-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/source/SRPMS +[rhocp-ironic-4.17-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-eus-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/os +[rhel-atomic-7-cdk-3.15-rpms] +name = Red Hat Container Development Kit 3.15 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.15/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-nfv-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/debug +[rhceph-7-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 
86400 enabled_metadata = 0 -[rhwa-nmo-1-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/os +[rhdh-1-for-rhel-9-$basearch-rpms] +name = Red Hat Developer Hub 1 (RHEL 9) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-rt-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/source/SRPMS +[rhel-9-for-$basearch-sap-solutions-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.14-rpms] -name = Red Hat Container Development Kit 3.14 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.14/os 
+[openstack-17-cinderlib-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17 Cinderlib for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-cinderlib/17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.14-for-rhel-9-$basearch-source-rpms] -name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/source/SRPMS +[rhel-9-for-$basearch-resilientstorage-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/resilientstorage/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-mdr-1-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/os -enabled = 0 +[codeready-builder-for-rhel-9-$basearch-source-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Source RPMs) 
+baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/source/SRPMS +enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[pipelines-1.18-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/os +[rhel-atomic-7-cdk-3.8-rpms] +name = Red Hat Container Development Kit 3.8 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.8/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +[rhwa-nmo-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = 
/etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-2-for-rhel-9-$basearch-source-rpms] -name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/source/SRPMS +[service-interconnect-2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-6-tools-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/source/SRPMS +[rhelai-3.0-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/3.0/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[insights-proxy-1-tech-preview-for-rhel-9-$basearch-source-rpms] -name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/source/SRPMS +[rhel-9-for-$basearch-supplementary-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.15-for-rhel-9-$basearch-debug-rpms] -name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/debug +[amq-clients-3-for-rhel-9-$basearch-rpms] +name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[gitops-1.12-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/source/SRPMS +[rh-odf-4-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Data Foundation for RHEL 9 (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhodf/4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.11-for-rhel-9-$basearch-source-rpms] -name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/source/SRPMS +[rhoso-tools-18-beta-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/debug enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1.8-for-rhel-9-$basearch-debug-rpms] 
-name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/debug +[insights-proxy-for-rhel-9-$basearch-source-rpms] +name = Red Hat Insights Proxy for RHEL9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/insights-proxy/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-e4s-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/os +[rhwa-nhc-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-e4s-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (RPMs) -baseurl = 
https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/os +[dirsrv-12.0-for-rhel-9-$basearch-source-rpms] +name = Red Hat Directory Server 12.0 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.4-for-rhel-9-$basearch-rpms] -name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/os +[ansible-automation-platform-2.5-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.15-for-rhel-9-$basearch-rpms] -name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/os +[rhel-9-for-$basearch-resilientstorage-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - 
Resilient Storage (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.7-rpms] -name = Red Hat Container Development Kit 3.7 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.7/os +[rhwa-snr-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Self Node Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-snr/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-7-tools-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/debug +[rhelai-1.1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.16-for-rhel-9-$basearch-source-rpms] -name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/source/SRPMS +[rhel-9-for-$basearch-sap-netweaver-e4s-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/sap/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.0-for-rhel-9-$basearch-rhui-rpms] -name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (RPMs) from RHUI -baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/os +[rhel-9-for-$basearch-baseos-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
-sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.16-for-rhel-9-$basearch-source-rpms] -name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/source/SRPMS -enabled = 0 +[codeready-builder-for-rhel-9-$basearch-debug-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/debug +enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[kmm-1-for-rhel-9-$basearch-source-rpms] -name = Kernel Module Management 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/source/SRPMS +[rhel-9-for-$basearch-sap-netweaver-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.14-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/debug +[jb-eap-8.1-for-rhel-9-$basearch-source-rpms] +name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-supplementary-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/os +[rhocp-ironic-4.18-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-eus-debug-rpms] -name = Red Hat 
Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/debug +[dirsrv-12.3-for-rhel-9-$basearch-rpms] +name = Red Hat Directory Server 12.3 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/debug +[pipelines-1.18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.14-for-rhel-9-$basearch-debug-rpms] -name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/debug +[satellite-maintenance-6.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat 
Satellite Maintenance 6.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.13-for-rhel-9-$basearch-rpms] -name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/os +[rhoso-tools-18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1.4-for-rhel-9-$basearch-source-rpms] -name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/source/SRPMS +[rhv-4-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/source/SRPMS enabled = 0 gpgcheck 
= 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.15-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/source/SRPMS +[rhel-9-for-$basearch-appstream-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/appstream/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-snr-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Workload Availability - Self Node Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-snr/1/source/SRPMS +[rhelai-1.5-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhoso-tools-18-for-rhel-9-$basearch-rpms] -name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/os +[rhelai-3.0-cuda-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch - Cuda (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/3.0/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhoso-tools-18-beta-for-rhel-9-$basearch-rpms] -name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/os -enabled = 0 +[rhocp-4.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/debug +enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhdh-1-for-rhel-9-$basearch-rpms] -name = Red Hat Developer Hub 1 (RHEL 9) (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/os +[satellite-6-client-2-for-rhel-9-$basearch-aus-source-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Advanced Mission Critical Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/sat-client-2/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.4-rpms] -name = Red Hat Container Development Kit 3.4 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/os +[ossm-3-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Service Mesh 3 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ossm/3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[rhel-9-for-$basearch-rt-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/debug +[cnv-4.13-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.14-for-rhel-9-$basearch-rpms] -name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/os +[cert-manager-1.11-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-datagrid-8.4-for-rhel-9-$basearch-source-rpms] -name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/source/SRPMS 
+[rhel-9-for-$basearch-baseos-aus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Advanced Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/baseos/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-mdr-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/source/SRPMS +[rhocp-4.13-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[soa-textonly-1-for-middleware-rpms] -name = Red Hat JBoss SOA Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/soa/1.0/$basearch/os +[rhel-9-for-$basearch-sap-netweaver-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (RPMs) +baseurl = 
https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/os enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhoso-tools-18-beta-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/debug +[openstack-beta-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform Beta for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.14-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/os +[openstack-beta-deployment-tools-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform Beta Director Deployment Tools for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack-deployment-tools/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-eus-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/highavailability/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[amq-clients-3-for-rhel-9-$basearch-source-rpms] -name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/source/SRPMS +[satellite-client-6-for-rhel-9-$basearch-eus-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert 
= /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-2-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/debug +[jws-5-for-rhel-9-$basearch-debug-rpms] +name = JBoss Web Server 5 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jws/5/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[wfk-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Web Framework Kit Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/wfk/1.0/$basearch/os +[jon-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Operations Network Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jon/1.0/$basearch/os enabled = 0 gpgcheck = 1 gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.12-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/source/SRPMS 
+[rhceph-5-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openstack-17.1-tools-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/source/SRPMS +[rhelai-1.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.17-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/os +[rhwa-mdr-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-e4s-debug-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/debug +[satellite-client-6-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.15-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/source/SRPMS +[rhel-9-for-$basearch-sap-solutions-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 
sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/debug +[rhel-9-for-$basearch-highavailability-eus-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/highavailability/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[insights-proxy-for-rhel-9-$basearch-source-rpms] -name = Red Hat Insights Proxy for RHEL9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/insights-proxy/1/source/SRPMS +[rhocp-ironic-4.15-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.1-for-rhel-9-$basearch-debug-rpms] -name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/debug +[rhel-9-for-$basearch-baseos-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.4-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/source/SRPMS +[pipelines-1.18-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Pipelines 1.18 (for RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.18/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.13-rpms] -name = Red Hat Container Development Kit 3.13 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.13/os +[satellite-6-client-2-for-rhel-9-$basearch-e4s-source-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.15-for-rhel-9-$basearch-source-rpms] -name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/source/SRPMS +[rhel-atomic-7-cdk-3.17-rpms] +name = Red Hat Container Development Kit 3.17 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/os +[rhocp-ironic-4.12-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.6-debug-rpms] -name = Red Hat Container Development Kit 3.6 /(Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/debug +[ansible-automation-platform-2.2-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.18-for-rhel-9-$basearch-rpms] -name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/os +[discovery-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Discovery 1 for RHEL 9 $basearch (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.18-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/debug +[rhv-4-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-gaudi-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/debug +[cert-manager-1.14-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = 
/etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.17-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/debug +[rhel-atomic-7-cdk-3.5-debug-rpms] +name = Red Hat Container Development Kit 3.5 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/source/SRPMS +[rhel-9-for-$basearch-highavailability-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/highavailability/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-supplementary-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/debug +[rhelai-1.4-cuda-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.16-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/debug +[satellite-6.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite 6.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/satellite/6.16/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[rhocp-4.15-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/os +[satellite-client-6-for-rhel-9-$basearch-e4s-source-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.16-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/source/SRPMS +[rhceph-6-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/os +[rhoso-tools-18-beta-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-18-beta-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Beta for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso/18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[pipelines-1.19-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Pipelines 1.19 (for RHEL 
9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.19/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.13-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.12-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-capsule-6.16-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Capsule 6.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-capsule/6.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey 
= /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-datagrid-8.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-capsule-6.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Capsule 6.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-capsule/6.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-e4s-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/appstream/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.16-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat 
OpenShift Container Platform 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-cuda-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.14-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.16-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-eus-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/supplementary/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-eus-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/appstream/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 
+enabled_metadata = 0 + +[rhceph-8-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.17-for-rhel-9-$basearch-rpms] +name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-e4s-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/appstream/os +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rh-odf-4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Data Foundation for RHEL 9 (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhodf/4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.16-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.4-debug-rpms] +name = Red Hat Container Development Kit 3.4 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - 
BaseOS from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/baseos/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-beta-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform Beta for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.12-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem 
+sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/sap/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openjdk-11-els-for-rhel-9-$basearch-rhui-rpms] +name = OpenJDK Java 11 Extended Life Cycle Support for RHEL 9 $basearch (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/els/layered/rhui/rhel9/$basearch/openjdk/11/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[fast-datapath-for-rhel-9-$basearch-rpms] +name = Fast Datapath for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.18-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-2.3-debug-rpms] +name = Red Hat Container Development Kit 2.3 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.12-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus 
= 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-e4s-debug-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-podified-1.0-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift Podified 1.0 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-podified/1.0/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-cuda-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.13-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhacm-for-rhel-9-textonly-rpms] +name = Red Hat Advanced Cluster Management for Kubernetes Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhacm-textonly/2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.16-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhacm-2.14-for-rhel-9-$basearch-source-rpms] +name = Red Hat Advanced Cluster Management for Kubernetes 2.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhacm/2.14/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-e4s-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/sap-solutions/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-client-6-for-rhel-9-$basearch-eus-source-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-mdr-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat 
OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhose-textonly-1-for-middleware-rpms] +name = Red Hat Middleware Container Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/rhose-middleware/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-utils-6.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-eus-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/baseos/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = 
/etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.4-source-rpms] +name = Red Hat Container Development Kit 3.4 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.15-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.12-rpms] +name = Red Hat Container Development Kit 3.12 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.19-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-2.3-source-rpms] +name = Red Hat Container Development Kit 2.3 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-podified-1.0-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift Podified 1.0 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-podified/1.0/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.14-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.19-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.19 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.19/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.19-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Debug 
RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-1-tech-preview-for-rhel-9-$basearch-source-rpms] +name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
+sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openjdk-11-els-for-rhel-9-$basearch-rpms] +name = OpenJDK Java 11 Extended Life Cycle Support for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/els/layered/rhel9/$basearch/openjdk/11/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17-tools-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-eus-rhui-debug-rpms] +name = Red Hat 
Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/resilientstorage/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[service-interconnect-1.8-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12.5-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Directory Server 12.5 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.5/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 
+sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-podified-1-beta-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift Podified Beta for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-podified/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[amq-textonly-1-for-middleware-rpms] +name = Red Hat JBoss AMQ Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/amq/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-e4s-rhui-rpms] 
+name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/sap-solutions/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-e4s-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/highavailability/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[fast-datapath-for-rhel-9-$basearch-source-rpms] +name = Fast Datapath for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[network-observability-1-for-rhel-9-$basearch-debug-rpms] +name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-18.0-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift 18.0 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso/18.0/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.5-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Directory Server 12.4 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire 
= 86400 +enabled_metadata = 0 + +[rhocp-4.12-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.6-source-rpms] +name = Red Hat Container Development Kit 3.6 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12-for-rhel-9-$basearch-source-rpms] +name = Red Hat Directory Server 12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/dirsrv/12/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-stf-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform Service Telemetry Framework 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-stf/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.15-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.14-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.14-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-gaudi-for-rhel-9-$basearch-debug-rpms] +name 
= Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[codeready-builder-for-rhel-9-$basearch-eus-rhui-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/codeready-builder/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.18-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-maintenance-6.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
+sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[pipelines-1.19-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Pipelines 1.19 (for RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.19/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17.1-deployment-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17.1 Director Deployment Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-deployment-tools/17.1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhdh-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Developer Hub 1 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + 
+[rhel-9-for-$basearch-sap-solutions-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/sap-solutions/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.15-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[codeready-builder-for-rhel-9-$basearch-rhui-source-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Source RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/codeready-builder/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-far-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 
+metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Enterprise Application Platform Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jbeap/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ocp-tools-4.15-for-rhel-9-$basearch-debug-rpms] +name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-rt-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/sap-solutions/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = 
/etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhpm-1-for-rhel-9-$basearch-textonly-rpms] +name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-source-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (Source RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/resilientstorage/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-eap-8.0-for-rhel-9-$basearch-rhui-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-stf-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack 
Platform Service Telemetry Framework 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-stf/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.16-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[soa-textonly-1-for-middleware-rpms] +name = Red Hat JBoss SOA Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/soa/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert 
= /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-aus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Advanced Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/appstream/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12.2-for-rhel-9-$basearch-source-rpms] +name = Red Hat Directory Server 12.2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.2/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[network-observability-1-for-rhel-9-$basearch-rpms] +name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12.5-for-rhel-9-$basearch-source-rpms] +name = Red Hat Directory Server 12.5 for RHEL 9 $basearch (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.5/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-gaudi-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17.1-tools-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhwa-far-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-developer-1.0-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Developer 1.0 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.0/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rh-sso-7.6-for-rhel-9-$basearch-source-rpms] +name = Single Sign-On 7.6 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rh-sso/7.6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.18-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.18-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.17-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.14-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhacm-2.14-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Advanced Cluster Management for Kubernetes 2.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhacm/2.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openjdk-11-els-for-rhel-9-$basearch-source-rpms] +name = OpenJDK Java 11 Extended Life Cycle Support for RHEL 9 $basearch (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/els/layered/rhel9/$basearch/openjdk/11/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.3-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.18-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-automation-platform-2.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Certification for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-e4s-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP 
Solutions from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/baseos/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.3-debug-rpms] +name = Red Hat Container Development Kit 3.3 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.13-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-1-for-rhel-9-$basearch-source-rpms] +name = Kernel Module Management 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-capsule-6.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Capsule 6.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-capsule/6.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-solutions-eus-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/sap-solutions/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhacm-2.13-for-rhel-9-$basearch-rpms] +name = Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9 $basearch (RPMs) 
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhacm/2.13/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-eus-source-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.5-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-beta-deployment-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform Beta Director Deployment Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack-deployment-tools/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.10-rpms] +name = Red Hat Container Development Kit 3.10 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.10/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.17-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-eus-rpms] +name = Red Hat Enterprise Linux 9 for 
$basearch - High Availability - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhdh-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Developer Hub 1 (RHEL 9) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-beta-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform Beta for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = 
/etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12.1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Directory Server 12.1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-aus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Advanced Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/appstream/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.17-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.17 for RHEL 9 
$basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-developer-1.2-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Developer 1.2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.15-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-highavailability-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[amq-interconnect-textonly-1-for-middleware-rpms] +name = Red Hat AMQ Interconnect Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/amq-interconnect/1.0/$basearch/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:// +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-2-for-rhel-9-$basearch-debug-rpms] +name = Kernel Module Management 2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.14-rpms] +name = Red Hat Container Development Kit 3.14 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.14/os 
+enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-aus-debug-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Advanced Mission Critical Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/sat-client-2/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17-cinderlib-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17 Cinderlib for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-cinderlib/17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite 6.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/satellite/6.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-tools-18-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[ansible-developer-1.1-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Developer 1.1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openjdk-11-els-for-rhel-9-$basearch-debug-rpms] +name = OpenJDK Java 11 Extended Life Cycle Support for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/els/layered/rhel9/$basearch/openjdk/11/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-edpm-1.0-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift External Data Plane Management 1.0 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-edpm/1.0/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-podified-1.0-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Services on OpenShift Podified 1.0 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-podified/1.0/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-18-beta-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Beta for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso/18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12.2-for-rhel-9-$basearch-rpms] +name = Red Hat Directory Server 12.2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.2/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-appstream-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.13-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[dirsrv-12.1-for-rhel-9-$basearch-rpms] +name = Red Hat Directory Server 12.1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-6-client-2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.18-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem 
+sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-supplementary-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[osso-1-for-rhel-9-$basearch-rpms] +name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17.1-deployment-tools-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17.1 Director Deployment Tools for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-deployment-tools/17.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[jb-datagrid-8.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/debug +enabled = 0 
+gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.14-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack/17/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.14-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.5-rpms] +name = 
Red Hat Container Development Kit 3.5 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.18-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-resilientstorage-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - 4 years of updates (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/resilientstorage/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[openstack-17.1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17.1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack/17.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.16-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[nbde-tang-server-1-for-rhel-9-$basearch-textonly-rpms] +name = nbde tang server 1 (for RHEL 9 $basearch) (Text-Only Advisories) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/nbde-tang-server-textonly/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.6-debug-rpms] +name = Red Hat Container Development Kit 3.6 /(Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-1.1-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.14-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.10-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.16-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert 
= /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-baseos-aus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Advanced Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/baseos/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhoso-18-beta-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Beta for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso/18/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.4-rpms] +name = Red Hat Container Development Kit 3.4 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.4/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhelai-3.0-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/3.0/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[gitops-1.12-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.15-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-atomic-7-cdk-3.6-rpms] +name = Red Hat Container Development Kit 3.6 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 
+enabled_metadata = 0 + +[openstack-stf-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform Service Telemetry Framework 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-stf/1/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-ironic-4.17-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhocp-4.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[kmm-1-for-rhel-9-$basearch-rpms] +name = Kernel Module Management 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rodoo-1-for-rhel-9-$basearch-source-rpms] +name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cnv-4.19-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.19 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.19/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[satellite-utils-6.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + 
+[rhel-9-for-$basearch-sap-solutions-e4s-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/sap-solutions/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-sap-netweaver-eus-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/sap/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[lvms-4.16-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/debug +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[insights-proxy-1-tech-preview-for-rhel-9-$basearch-rpms] +name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[osso-1-for-rhel-9-$basearch-source-rpms] +name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/source/SRPMS +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[cert-manager-1.13-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/os +enabled = 0 +gpgcheck = 1 +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +sslverify = 1 +sslcacert = /etc/rhsm/ca/redhat-uep.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem +sslverifystatus = 1 +metadata_expire = 86400 +enabled_metadata = 0 + +[rhel-9-for-$basearch-nfv-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.18-for-rhel-9-$basearch-source-rpms] -name = Logical Volume Manager Storage 4.18 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.18/source/SRPMS +[rhel-9-for-$basearch-sap-netweaver-e4s-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/sap/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.0-for-rhel-9-$basearch-rpms] -name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/os +[rhsi-textonly-1-for-middleware-rpms] +name = Red Hat Service Interconnect Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/rhsi/1/$basearch/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 
86400 enabled_metadata = 0 -[satellite-utils-6.17-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/debug +[rhel-9-for-$basearch-appstream-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[network-observability-1-for-rhel-9-$basearch-debug-rpms] -name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/debug +[satellite-client-6-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client/6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-e4s-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP 
Solutions (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/debug +[satellite-maintenance-6.17-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.18-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/source/SRPMS +[rhel-9-for-$basearch-baseos-eus-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/baseos/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/debug 
+[rhocp-ironic-4.13-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-cuda-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/debug +[amq-clients-3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-far-1-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/os +[cnv-4.16-for-rhel-9-$basearch-rpms] +name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-maintenance-6.16-for-rhel-9-$basearch-rpms] -name = Red Hat Satellite Maintenance 6.16 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/os +[ansible-automation-platform-2.5-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-utils-6.16-for-rhel-9-$basearch-rpms] -name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/os +[rh-sso-textonly-1-for-middleware-rpms] +name = Single Sign-On Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/rh-sso/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem 
-sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-supplementary-eus-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/os +[openstack-17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack/17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.17-for-rhel-9-$basearch-debug-rpms] -name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/debug +[service-interconnect-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem 
+sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhbop-textonly-1-for-middleware-rpms] -name = Red Hat Build of OptaPlanner Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/rhel/server/6/6Server/$basearch/rhbop-textonly/1/os +[satellite-6-client-2-for-rhel-9-$basearch-eus-debug-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-eus-source-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/source/SRPMS +[osso-1-for-rhel-9-$basearch-debug-rpms] +name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[rhwa-nmo-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/debug +[cnv-4.15-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-resilientstorage-eus-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/debug +[dirsrv-12.3-for-rhel-9-$basearch-source-rpms] +name = Red Hat Directory Server 12.3 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-2.3-source-rpms] -name = Red Hat Container Development Kit 2.3 /(Source RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/source/SRPMS +[rhel-atomic-7-cdk-3.3-source-rpms] +name = Red Hat Container Development Kit 3.3 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.11-for-rhel-9-$basearch-debug-rpms] -name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/debug +[rhelai-1.4-cuda-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-eus-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (RPMS) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/os +[jws-6-for-rhel-9-$basearch-source-rpms] +name = JBoss Web Server 6 (RHEL 9) (Source RPMs) 
+baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jws/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[kmm-1-for-rhel-9-$basearch-rpms] -name = Kernel Module Management 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/os +[rhel-9-for-$basearch-appstream-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openstack-17.1-tools-for-rhel-9-$basearch-rpms] -name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/os +[gitops-1.14-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-e4s-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/source/SRPMS +[openstack-17.1-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.12-for-rhel-9-$basearch-source-rpms] -name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/source/SRPMS +[kmm-1-for-rhel-9-$basearch-debug-rpms] +name = Kernel Module Management 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-cuda-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/debug +[rhocp-ironic-4.12-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-nfv-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/os +[jb-eap-8.0-for-rhel-9-$basearch-rhui-source-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (Source RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata 
= 0 -[ocp-tools-4.16-for-rhel-9-$basearch-rpms] -name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/os +[quay-3-for-rhel-9-$basearch-rpms] +name = Red Hat Quay 3 (for RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/quay/3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.18-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/debug +[rhel-9-for-$basearch-appstream-eus-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/appstream/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openjdk-textonly-1-for-middleware-rpms] -name = OpenJDK Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/openjdk/1.0/$basearch/os 
+[rhel-9-for-$basearch-rt-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[discovery-1-for-rhel-9-$basearch-rpms] -name = Red Hat Discovery 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/os +[rhelai-1.4-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.17-for-rhel-9-$basearch-source-rpms] -name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/source/SRPMS +[rhel-9-for-$basearch-sap-netweaver-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.3-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/debug +[ansible-developer-1.2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Developer 1.2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.2/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.14-for-rhel-9-$basearch-rpms] -name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/os +[jb-eap-8.0-for-rhel-9-$basearch-source-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 
sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-e4s-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/os +[lvms-4.15-for-rhel-9-$basearch-debug-rpms] +name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.0-for-rhel-9-$basearch-debug-rpms] -name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/debug +[discovery-1-for-rhel-9-$basearch-rpms] +name = Red Hat Discovery 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.17-for-rhel-9-$basearch-rpms] -name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/os +[satellite-client-6-for-rhel-9-$basearch-aus-source-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Advanced Mission Critical Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/sat-client/6/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-datagrid-8.4-for-rhel-9-$basearch-debug-rpms] -name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/debug +[rhceph-5-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[jb-coreservices-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Core Services Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/jbcs/1.0/$basearch/os +[ocp-tools-4.15-for-rhel-9-$basearch-rpms] +name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/os enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.18-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/os +[dirsrv-12.4-for-rhel-9-$basearch-rpms] +name = Red Hat Directory Server 12.4 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[network-observability-1-for-rhel-9-$basearch-source-rpms] -name = Network Observability (NETOBSERV) 1 for RHEL 9 $basearch (Source RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/network-observability/1/source/SRPMS +[rhel-9-for-$basearch-highavailability-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[insights-proxy-1-tech-preview-for-rhel-9-$basearch-rpms] -name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/os +[cnv-4.14-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.2-for-rhel-9-$basearch-rpms] -name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/os +[jws-6-for-rhel-9-$basearch-debug-rpms] +name = 
JBoss Web Server 6 (RHEL 9) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jws/6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-8-tools-for-rhel-9-$basearch-rpms] -name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/os +[rhocp-ironic-4.12-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.16-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/debug +[rhel-9-for-$basearch-sap-netweaver-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.12-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/debug +[rhel-9-for-$basearch-sap-netweaver-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-e4s-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/source/SRPMS +[gitops-1.13-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-6-tools-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/debug +[openstack-dev-preview-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform Dev Preview for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack-dev-preview/debug enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.15-for-rhel-9-$basearch-source-rpms] -name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/source/SRPMS +[jb-eap-8.0-for-rhel-9-$basearch-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.16-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/debug -enabled = 0 +[rhel-9-for-$basearch-appstream-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/os +enabled = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 -enabled_metadata = 0 +enabled_metadata = 1 -[gitops-1.15-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/debug +[ossm-3-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Service Mesh 3 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ossm/3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.1-for-rhel-9-$basearch-source-rpms] -name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (Source RPMs) 
-baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/source/SRPMS +[rhwa-far-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-maintenance-6.16-for-rhel-9-$basearch-source-rpms] -name = Red Hat Satellite Maintenance 6.16 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/source/SRPMS +[rhelai-1.4-cuda-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-nfv-e4s-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/os 
+[satellite-utils-6.16-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-cuda-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/source/SRPMS +[rhceph-6-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 6 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-7.4-for-rhel-9-$basearch-rpms] -name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/os +[rhel-9-for-$basearch-supplementary-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Source RPMs) from RHUI +baseurl = 
https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/supplementary/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.16-for-rhel-9-$basearch-debug-rpms] -name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/debug +[ansible-automation-platform-2.3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.2-gaudi-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/debug +[dirsrv-12-for-rhel-9-$basearch-eus-debug-rpms] +name = Red Hat Directory Server 12 for RHEL 9 $basearch - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/dirsrv/12/debug enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-maintenance-6.17-for-rhel-9-$basearch-rpms] -name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/os +[cnv-4.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.17-for-rhel-9-$basearch-rpms] -name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/os +[ossm-3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Service Mesh 3 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ossm/3/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem 
+sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-eus-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/source/SRPMS +[dirsrv-12.0-for-rhel-9-$basearch-rpms] +name = Red Hat Directory Server 12.0 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.2-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/debug +[satellite-6-client-2-for-rhel-9-$basearch-e4s-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 
86400 enabled_metadata = 0 -[rhelai-1.5-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.5/os +[rhel-9-for-$basearch-sap-netweaver-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat Service Interconnect for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/source/SRPMS +[rhel-9-for-$basearch-rt-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.15-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/os 
+[ocp-tools-4.17-for-rhel-9-$basearch-source-rpms] +name = OpenShift Developer Tools and Services 4.17 (RHEL 9) ($basearch Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.17/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.13-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/debug +[rhel-9-for-$basearch-appstream-e4s-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/appstream/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.13-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/source/SRPMS +[rh-sso-textonly-1-for-middleware-rhui-rpms] +name = Single Sign-On Text-Only Advisories from RHUI +baseurl = 
https://cdn.redhat.com/content/dist/middleware/rhui/rh-sso/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.15-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/debug +[rhelai-1.2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[application-interconnect-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat Application Interconnect for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/source/SRPMS +[quarkus-textonly-1-for-middleware-rpms] +name = Red Hat build of Quarkus Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/quarkus/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = 
/etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-datagrid-8.4-for-rhel-9-$basearch-rpms] -name = Red Hat JBoss Data Grid 8.4 (RHEL 9) (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jdg/8.4/os +[dirsrv-12-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Directory Server 12 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/dirsrv/12/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.1-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/os +[cert-manager-1.13-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhv-4-tools-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/debug +[amq-clients-3-for-rhel-9-$basearch-source-rpms] +name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-5-tools-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/debug +[rhel-9-for-$basearch-sap-solutions-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-far-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Workload 
Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/debug +[rhelai-1.2-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.2/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.5-rpms] -name = Red Hat Container Development Kit 3.5 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/os +[rhceph-5-tools-for-rhel-9-$basearch-rpms] +name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-rt-e4s-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/source/SRPMS +[quay-3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Quay 3 (for RHEL 9 $basearch) (Debug 
RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/quay/3/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-resilientstorage-eus-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/os +[rhel-atomic-7-cdk-3.3-rpms] +name = Red Hat Container Development Kit 3.3 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-cuda-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Cuda (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.4/os +[jws-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Web Server Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jws/1.0/$basearch/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.2-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ansible Automation Platform 2.2 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.2/debug +[openjdk-11-els-for-rhel-9-$basearch-rhui-debug-rpms] +name = OpenJDK Java 11 Extended Life Cycle Support for RHEL 9 $basearch (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/els/layered/rhui/rhel9/$basearch/openjdk/11/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.15-rpms] -name = Red Hat Container Development Kit 3.15 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.15/os +[openstack-17-cinderlib-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform 17 Cinderlib for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-cinderlib/17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem 
+sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-2-for-rhel-9-$basearch-rpms] -name = Red Hat Service Interconnect 2 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/2/os +[rhel-9-for-$basearch-sap-netweaver-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.12-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/source/SRPMS +[jb-eap-7.4-for-rhel-9-$basearch-source-rpms] +name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[rhel-9-for-$basearch-appstream-e4s-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/source/SRPMS +[satellite-client-6-for-rhel-9-$basearch-eus-debug-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client/6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-gaudi-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/source/SRPMS +[cnv-4.15-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Container Native Virtualization 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.15/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhoso-tools-18-beta-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for 
RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/source/SRPMS +[openstack-dev-preview-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Platform Dev Preview for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/openstack-dev-preview/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-eus-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/os +[rhelai-1.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openstack-17-tools-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (Source RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/source/SRPMS +[codeready-builder-for-rhel-9-$basearch-rhui-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/codeready-builder/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.0-for-rhel-9-$basearch-source-rpms] -name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/source/SRPMS +[rhoso-edpm-1.0-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift External Data Plane Management 1.0 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-edpm/1.0/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.16-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/os +[rhocp-ironic-4.18-for-rhel-9-$basearch-rpms] +name = Ironic content for 
Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhosds-textonly-3-for-middleware-rpms] -name = Red Hat OpenShift Dev Spaces 3 Container Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/rhosds/3.0/$basearch/os +[rhocp-ironic-4.19-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[insights-proxy-for-rhel-9-$basearch-rpms] -name = Red Hat Insights Proxy for RHEL9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/insights-proxy/1/os +[rhocp-4.18-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-maintenance-6.16-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Satellite Maintenance 6.16 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.16/debug +[cnv-4.19-for-rhel-9-$basearch-source-rpms] +name = Red Hat Container Native Virtualization 4.19 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.19/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rodoo-1-for-rhel-9-$basearch-source-rpms] -name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/source/SRPMS +[rhel-9-for-$basearch-appstream-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/appstream/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
-sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.14-for-rhel-9-$basearch-debug-rpms] -name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/debug +[ansible-automation-platform-2.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1.8-for-rhel-9-$basearch-source-rpms] -name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/source/SRPMS +[rhel-9-for-$basearch-resilientstorage-debug-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/resilientstorage/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.13-for-rhel-9-$basearch-source-rpms] -name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/source/SRPMS +[dirsrv-12.1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Directory Server 12.1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-e4s-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Update Services SAP Solutions (RPMS) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client-2/6/os +[rhel-9-for-$basearch-baseos-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire 
= 86400 enabled_metadata = 0 -[fast-datapath-for-rhel-9-$basearch-debug-rpms] -name = Fast Datapath for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/debug +[gitops-1.15-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-client-6-for-rhel-9-$basearch-e4s-source-rpms] -name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/source/SRPMS +[openjdk-11-els-for-rhel-9-$basearch-rhui-source-rpms] +name = OpenJDK Java 11 Extended Life Cycle Support for RHEL 9 $basearch (Source RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/els/layered/rhui/rhel9/$basearch/openjdk/11/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[kmm-2-for-rhel-9-$basearch-rpms] -name = Kernel Module Management 2 for RHEL 9 $basearch (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/os +[rhoso-edpm-1-beta-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift External Data Plane Management Beta for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-edpm/1/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 - -[rhelai-1.3-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/debug + +[gitops-1.12-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-resilientstorage-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/debug 
+[cert-manager-1.14-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.14/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/debug +[rhelai-3.0-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/3.0/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/source/SRPMS +[rhel-9-for-$basearch-nfv-e4s-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.10-rpms] -name = Red Hat Container Development Kit 3.10 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.10/os +[jb-eap-8.0-for-rhel-9-$basearch-debug-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.0/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.0-for-rhel-9-$basearch-rhui-source-rpms] -name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (Source RPMs) from RHUI -baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/source/SRPMS +[gitops-1.16-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jon-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Operations Network Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/jon/1.0/$basearch/os +[rhel-9-for-$basearch-highavailability-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.14-for-rhel-9-$basearch-rpms] -name = Red Hat Container Native Virtualization 4.14 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.14/os +[rhocp-ironic-4.19-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem 
+sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-gaudi-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/source/SRPMS +[satellite-utils-6.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rodoo-1-for-rhel-9-$basearch-debug-rpms] -name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/debug +[rhelai-1.5-cuda-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[satellite-utils-6.16-for-rhel-9-$basearch-source-rpms] -name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/source/SRPMS +[ansible-developer-1.0-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Developer 1.0 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.0/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.14-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/source/SRPMS +[rhel-9-for-$basearch-baseos-e4s-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (Source RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[fast-datapath-for-rhel-9-$basearch-rpms] -name = Fast Datapath for RHEL 9 $basearch (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/fast-datapath/os +[ansible-developer-1.0-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Developer 1.0 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.0/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.11-rpms] -name = Red Hat Container Development Kit 3.11 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.11/os +[rhel-9-for-$basearch-nfv-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[codeready-builder-for-rhel-9-$basearch-rpms] -name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/codeready-builder/os -enabled = 1 +[rhelai-3.0-gaudi-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch - Gaudi (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/3.0/os +enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.3-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/source/SRPMS +[pipelines-1.19-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Pipelines 1.19 (for RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/pipelines/1.19/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[fsw-textonly-1-for-middleware-rpms] -name = Red Hat JBoss Fuse Service Works Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/fsw/1.0/$basearch/os +[rhel-atomic-7-cdk-3.5-source-rpms] +name = Red Hat Container Development Kit 3.5 /(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/source/SRPMS enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = 
/etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-resilientstorage-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/source/SRPMS +[satellite-6-client-2-for-rhel-9-$basearch-aus-rpms] +name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Advanced Mission Critical Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/sat-client-2/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-eus-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/source/SRPMS +[dirsrv-12-for-rhel-9-$basearch-rpms] +name = Red Hat Directory Server 12 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/dirsrv/12/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.17-for-rhel-9-$basearch-debug-rpms] -name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/debug +[dirsrv-12.0-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Directory Server 12.0 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.19-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.19/debug +[rhel-atomic-7-cdk-3.9-rpms] +name = Red Hat Container Development Kit 3.9 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.9/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[rhocp-4.12-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/debug +[rh-sso-7.6-for-rhel-9-$basearch-debug-rpms] +name = Single Sign-On 7.6 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rh-sso/7.6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.13-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/source/SRPMS +[gitops-1.13-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.17-for-rhel-9-$basearch-rpms] -name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/os 
+[ansible-developer-1.1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ansible Developer 1.1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-developer/1.1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-nfv-e4s-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV - 4 years of updates (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/debug +[rhceph-8-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap-solutions/debug +[dirsrv-12.5-for-rhel-9-$basearch-rpms] +name = Red Hat Directory Server 12.5 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.5/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.19-for-rhel-9-$basearch-source-rpms] -name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/source/SRPMS +[jb-eap-7.4-for-rhel-9-$basearch-rpms] +name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[amq-clients-3-for-rhel-9-$basearch-debug-rpms] -name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/debug +[satellite-6.16-for-rhel-9-$basearch-rpms] +name = Red Hat Satellite 6.16 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/satellite/6.16/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
-sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rodoo-1-for-rhel-9-$basearch-rpms] -name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/os +[service-interconnect-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Service Interconnect for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1/debug +[rhel-9-for-$basearch-rt-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 
enabled_metadata = 0 -[rhel-atomic-7-cdk-3.6-rpms] -name = Red Hat Container Development Kit 3.6 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/os +[rhelai-1.5-cuda-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-nmo-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/source/SRPMS +[rhelai-1.3-cuda-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch - Cuda (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.4-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (Debug RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/debug +[cert-manager-1.11-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.16-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.16 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.16/source/SRPMS +[openstack-17.1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17.1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack/17.1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-7.4-for-rhel-9-$basearch-debug-rpms] -name = JBoss Enterprise Application Platform 7.4 (RHEL 9) (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/7.4/debug +[rhel-9-for-$basearch-baseos-e4s-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - 
Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[kmm-1-for-rhel-9-$basearch-debug-rpms] -name = Kernel Module Management 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/1/debug +[cert-manager-1.13-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.13/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-cuda-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/debug +[rhocp-4.15-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.15/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[quarkus-textonly-1-for-middleware-rpms] -name = Red Hat build of Quarkus Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/quarkus/1.0/$basearch/os +[rhel-9-for-$basearch-highavailability-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/highavailability/os enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/os -enabled = 1 +[rhocp-ironic-4.13-for-rhel-9-$basearch-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/os +enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem 
+sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 -enabled_metadata = 1 +enabled_metadata = 0 -[codeready-builder-for-rhel-9-$basearch-eus-debug-rpms] -name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/debug +[satellite-client-6-for-rhel-9-$basearch-aus-debug-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Advanced Mission Critical Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/aus/rhel9/$releasever/$basearch/sat-client/6/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[osso-1-for-rhel-9-$basearch-source-rpms] -name = Secondary Scheduler Operator 1 for RHEL 9 for Red Hat OpenShift (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/osso/1/source/SRPMS +[gitops-1.12-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-2.3-debug-rpms] -name = Red Hat Container Development Kit 2.3 /(Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/debug +[ocp-tools-4.16-for-rhel-9-$basearch-rpms] +name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.14-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/debug +[rhelai-1.1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-8-tools-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (Debug RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/debug +[rhwa-nmo-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.5-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/source/SRPMS +[ansible-automation-platform-2.3-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.3 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.3/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[kmm-2-for-rhel-9-$basearch-debug-rpms] -name = Kernel Module Management 2 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/debug 
+[rhceph-7-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhdh-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Developer Hub 1 (RHEL 9) (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/debug +[codeready-builder-for-rhel-9-$basearch-rhui-debug-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/codeready-builder/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.10-for-rhel-9-$basearch-source-rpms] -name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/source/SRPMS +[rhwa-snr-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Self Node Remediation Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-snr/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 - -[satellite-6-client-2-for-rhel-9-$basearch-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (RPMS) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/os + +[rhpm-1-for-rhel-9-$basearch-textonly-source-rpms] +name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ocp-tools-4.15-for-rhel-9-$basearch-debug-rpms] -name = OpenShift Developer Tools and Services 4.15 (RHEL 9) ($basearch Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.15/debug +[satellite-6.17-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Satellite 6.17 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/satellite/6.17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem 
-sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.13-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/os +[rhel-9-for-$basearch-supplementary-eus-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/supplementary/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/source/SRPMS +[wfk-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Web Framework Kit Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/wfk/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem 
+sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.16-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/source/SRPMS +[rhel-9-for-$basearch-resilientstorage-eus-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/resilientstorage/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhpm-1-for-rhel-9-$basearch-textonly-source-rpms] -name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/source/SRPMS +[rhel-atomic-7-cdk-3.13-rpms] +name = Red Hat Container Development Kit 3.13 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.13/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.1-for-rhel-9-$basearch-rpms] -name = JBoss Enterprise 
Application Platform 8.1 (RHEL 9 $basearch) (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/os +[cert-manager-1.10-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.17-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.17/source/SRPMS +[rhel-9-for-$basearch-sap-solutions-eus-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/sap-solutions/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.15-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Source RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/source/SRPMS +[rhel-9-for-$basearch-supplementary-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/supplementary/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-eus-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/debug +[insights-proxy-1-tech-preview-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Insights Proxy 1 Tech Preview for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/insights-proxy-tech-preview/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhsi-textonly-1-for-middleware-rpms] -name = Red Hat Service Interconnect Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/rhsi/1/$basearch/os +[rhocp-4.17-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.17 for 
RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-utils-6.16-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Satellite Utils 6.16 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.16/debug +[gitops-1.15-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift GitOps 1.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.15/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.18-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.18/os +[rhel-9-for-$basearch-appstream-eus-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/appstream/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.2-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/source/SRPMS +[rhel-9-for-$basearch-rt-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Real Time (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-coreservices-textonly-1-for-middleware-rhui-rpms] -name = Red Hat JBoss Core Services Text-Only Advisories from RHUI -baseurl = https://cdn.redhat.com/content/dist/middleware/rhui/jbcs/1.0/$basearch/os -enabled = 0 +[rhel-9-for-$basearch-baseos-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/baseos/os +enabled = 1 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 -enabled_metadata = 0 +enabled_metadata = 1 -[cnv-4.18-for-rhel-9-$basearch-source-rpms] -name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/source/SRPMS +[rhel-9-for-$basearch-sap-solutions-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
@@ -4889,1170 +7983,1170 @@ gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-7-tools-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/source/SRPMS +[service-interconnect-1.4-for-rhel-9-$basearch-rpms] +name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.1-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.1) for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.1/source/SRPMS +[ansible-automation-platform-2.4-for-rhel-9-$basearch-rpms] +name = Red Hat Ansible Automation Platform 2.4 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.4/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.12-for-rhel-9-$basearch-rpms] -name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/os +[service-interconnect-1.8-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect 1.8 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.8/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[discovery-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat Discovery 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/source/SRPMS +[application-interconnect-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Application Interconnect for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.18-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Container Native Virtualization 4.18 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.18/debug +[codeready-builder-for-rhel-9-$basearch-eus-source-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[jb-eap-8.0-for-rhel-9-$basearch-rhui-debug-rpms] -name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (Debug RPMs) from RHUI -baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/debug +[codeready-builder-for-rhel-9-$basearch-eus-debug-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[kmm-2-for-rhel-9-$basearch-source-rpms] -name = Kernel Module Management 2 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/source/SRPMS +[rhel-9-for-$basearch-resilientstorage-eus-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/resilientstorage/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-eus-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/highavailability/debug +[codeready-builder-for-rhel-9-$basearch-eus-rpms] +name = Red Hat CodeReady Linux Builder for RHEL 9 $basearch - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/codeready-builder/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.16-for-rhel-9-$basearch-rpms] -name = Logical Volume Manager Storage 4.16 for 
RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/os +[satellite-maintenance-6.17-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-7-tools-for-rhel-9-$basearch-rpms] -name = Red Hat Ceph Storage Tools 7 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/7/os +[jb-eap-8.1-for-rhel-9-$basearch-rpms] +name = JBoss Enterprise Application Platform 8.1 (RHEL 9 $basearch) (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jbeap/8.1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-eus-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/os +[gitops-1.13-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.13 for RHEL 9 $basearch 
(RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.13/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-gaudi-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch - Gaudi (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.4/os +[service-interconnect-1.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-mdr-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Workload Availability - Machine Deletion Remediation Operator 1 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-mdr/1/debug +[rhel-9-for-$basearch-sap-netweaver-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/sap/debug enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-eus-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap-solutions/debug +[rhelai-3.0-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/3.0/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-nfv-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time for NFV (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/nfv/source/SRPMS +[rhel-9-for-$basearch-sap-netweaver-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/sap/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.12-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift GitOps 1.12 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.12/os +[lvms-4.17-for-rhel-9-$basearch-rpms] +name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-e4s-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/os +[lvms-4.19-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.19 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.19/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 
-[rhocp-4.19-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/os +[rhel-9-for-$basearch-baseos-e4s-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/baseos/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-eus-source-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (Source RPMS) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/source/SRPMS +[satellite-6.16-for-rhel-9-$basearch-source-rpms] +name = Red Hat Satellite 6.16 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/satellite/6.16/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-e4s-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Update Services for SAP Solutions 
(RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/appstream/os +[rhelai-1.3-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-2.3-rpms] -name = Red Hat Container Development Kit 2.3 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/2.3/os +[jws-5-for-rhel-9-$basearch-source-rpms] +name = JBoss Web Server 5 (RHEL 9) (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jws/5/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.16-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift GitOps 1.16 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.16/debug +[rhwa-nhc-1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (Source RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-highavailability-e4s-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Update Services for SAP Solutions (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/highavailability/debug +[rhocp-4.19-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-utils-6.17-for-rhel-9-$basearch-rpms] -name = Red Hat Satellite Utils 6.17 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-utils/6.17/os +[rhoso-podified-1-beta-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift Podified Beta for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-podified/1/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.5-for-rhel-9-$basearch-rpms] -name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/os +[cert-manager-1.11-for-rhel-9-$basearch-source-rpms] +name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-far-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Workload Availability - Fence Agents Remediation Operator 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-far/1/source/SRPMS +[dirsrv-12.2-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Directory Server 12.2 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.2/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 
sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-supplementary-eus-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/debug +[openstack-17.1-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17.1 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack/17.1/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhdh-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat Developer Hub 1 (RHEL 9) (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhdh/1/source/SRPMS +[rodoo-1-for-rhel-9-$basearch-rpms] +name = Run Once Duration Override Operator (RODOO) 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rodoo/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openstack-17.1-tools-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/debug +[ocp-tools-4.16-for-rhel-9-$basearch-source-rpms] +name = OpenShift Developer Tools and Services 4.16 (RHEL 9) ($basearch Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ocp-tools/4.16/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-eus-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/baseos/source/SRPMS +[rhocp-ironic-4.15-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem 
sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[ansible-automation-platform-2.5-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Ansible Automation Platform 2.5 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/ansible-automation-platform/2.5/debug +[rhacm-2.13-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhacm/2.13/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/debug +[rhelai-1.2-for-rhel-9-$basearch-rpms] +name = Red Hat Enterprise Linux AI (1.2) for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.2/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.3-for-rhel-9-$basearch-source-rpms] -name = Red Hat Enterprise Linux AI (1.3) for RHEL 9 $basearch (Source RPMs) 
-baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/source/SRPMS +[rhocp-ironic-4.18-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.18 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.18/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.3-rpms] -name = Red Hat Container Development Kit 3.3 /(RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/os +[service-interconnect-1.4-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-maintenance-6.17-for-rhel-9-$basearch-source-rpms] -name = Red Hat Satellite Maintenance 6.17 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-maintenance/6.17/source/SRPMS +[rhbop-textonly-1-for-middleware-rpms] +name = Red Hat Build of OptaPlanner Text-Only 
Advisories +baseurl = https://cdn.redhat.com/content/dist/rhel/server/6/6Server/$basearch/rhbop-textonly/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.3-debug-rpms] -name = Red Hat Container Development Kit 3.3 /(Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.3/debug +[gitops-1.14-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.16-for-rhel-9-$basearch-debug-rpms] -name = Logical Volume Manager Storage 4.16 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.16/debug +[rhpm-1-for-rhel-9-$basearch-textonly-debug-rpms] +name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = 
/etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-netweaver-eus-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sap/source/SRPMS +[rhceph-8-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.14-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/os +[dirsrv-12.4-for-rhel-9-$basearch-source-rpms] +name = Red Hat Directory Server 12.4 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/dirsrv/12.4/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = 
/etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.11-for-rhel-9-$basearch-rpms] -name = Cert Manager support for Red Hat OpenShift 1.11 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.11/os +[openstack-17-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack/17/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhceph-8-tools-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ceph Storage Tools 8 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/8/source/SRPMS +[jb-eap-8.0-for-rhel-9-$basearch-rhui-debug-rpms] +name = JBoss Enterprise Application Platform 8.0 (RHEL 9) (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/layered/rhui/rhel9/$basearch/jbeap/8.0/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-rpms] -name = Red Hat Enterprise Linux 9 for 
$basearch - AppStream (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/appstream/os -enabled = 1 +[cert-1-for-rhel-9-$basearch-rpms] +name = Red Hat Certification for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert/1/os +enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 -enabled_metadata = 1 +enabled_metadata = 0 -[cnv-4.16-for-rhel-9-$basearch-rpms] -name = Red Hat Container Native Virtualization 4.16 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.16/os +[openliberty-textonly-1-for-middleware-rpms] +name = Open Liberty Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/openliberty/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-snr-1-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Workload Availability - Self Node Remediation Operator 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-snr/1/os +[rhelai-3.0-cuda-for-rhel-9-$basearch-source-rpms] +name = Red Hat Enterprise Linux AI (3.0) for RHEL 9 $basearch - Cuda 
(Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/3.0/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[lvms-4.17-for-rhel-9-$basearch-source-rpms] -name = Logical Volume Manager Storage 4.17 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.17/source/SRPMS +[dirsrv-12-for-rhel-9-$basearch-eus-rpms] +name = Red Hat Directory Server 12 for RHEL 9 $basearch - Extended Update Support (RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/dirsrv/12/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-resilientstorage-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/resilientstorage/os +[rhel-9-for-$basearch-baseos-e4s-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions from RHUI (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/rhui/$releasever/$basearch/baseos/os enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-rt-e4s-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time - 4 years of updates (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/rt/debug +[rhelai-1.5-gaudi-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Gaudi (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-gaudi/1.5/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.17-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Container Platform 4.17 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.17/source/SRPMS +[rhwa-nmo-1-for-rhel-9-$basearch-rpms] +name = Red Hat OpenShift Workload Availability - Node Maintenance Operator 1 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nmo/1/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem 
-sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-nhc-1-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/os +[kmm-2-for-rhel-9-$basearch-rpms] +name = Kernel Module Management 2 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhpm-1-for-rhel-9-$basearch-textonly-rpms] -name = Power monitoring for Red Hat OpenShift (for RHEL 9 $basearch) (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhpm/1/os +[rhoso-edpm-1-beta-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Services on OpenShift External Data Plane Management Beta for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-edpm/1/debug enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-source-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (Source RPMS) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/source/SRPMS +[rhocp-4.13-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.13/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-eus-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (Debug RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/debug +[rhel-9-for-$basearch-baseos-rhui-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - BaseOS from RHUI (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/baseos/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 
enabled_metadata = 0 -[rhceph-5-tools-for-rhel-9-$basearch-source-rpms] -name = Red Hat Ceph Storage Tools 5 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhceph-tools/5/source/SRPMS +[rhel-9-for-$basearch-sap-netweaver-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP NetWeaver (Source RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/sap/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-baseos-e4s-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - BaseOS - Update Services for SAP Solutions (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/baseos/debug +[openstack-17-deployment-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17 Director Deployment Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-deployment-tools/17/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.12-for-rhel-9-$basearch-rpms] -name = Red Hat OpenShift Container Platform 4.12 
for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.12/os +[rhoso-18.0-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift 18.0 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso/18.0/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-appstream-eus-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (Source RPMs) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/source/SRPMS +[rhocp-ironic-4.14-for-rhel-9-$basearch-debug-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.4-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.4) for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.4/os +[rhelai-1.3-for-rhel-9-$basearch-source-rpms] +name = Red Hat 
Enterprise Linux AI (1.3) for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai/1.3/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhv-4-tools-for-rhel-9-$basearch-rpms] -name = Red Hat Virtualization 4 Tools for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhv-tools/4/os +[rhoso-tools-18-beta-for-rhel-9-$basearch-rpms] +name = Red Hat OpenStack Services on OpenShift 18 Tools Beta for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/beta/layered/rhel9/$basearch/rhoso-tools/18/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.13-for-rhel-9-$basearch-rpms] -name = Red Hat Container Native Virtualization 4.13 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.13/os +[openstack-17.1-tools-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenStack Platform 17.1 Tools for RHEL 9 $basearch (Debug RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17.1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[gitops-1.14-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift GitOps 1.14 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/gitops/1.14/source/SRPMS +[rhel-9-for-$basearch-highavailability-debug-rhui-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability (Debug RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/highavailability/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.6-source-rpms] -name = Red Hat Container Development Kit 3.6 /(Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.6/source/SRPMS +[rhocp-4.19-for-rhel-9-$basearch-debug-rpms] +name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = 
/etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.13-for-rhel-9-$basearch-source-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.13 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.13/source/SRPMS +[rhel-9-for-$basearch-appstream-eus-debug-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - AppStream - Extended Update Support (Debug RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/appstream/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhwa-nhc-1-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenShift Workload Availability - Node Healthcheck Operator 1 for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhwa-nhc/1/source/SRPMS +[jb-datagrid-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Data Grid Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jb-datagrid/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = 
/etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[service-interconnect-1.4-for-rhel-9-$basearch-rpms] -name = Red Hat Service Interconnect 1.4 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhsi/1.4/os +[rhocp-ironic-4.14-for-rhel-9-$basearch-source-rpms] +name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-rt-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real Time (RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/rt/os +[lvms-4.15-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.15 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.15/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 
enabled_metadata = 0 -[rhel-9-for-$basearch-supplementary-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Supplementary (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/$basearch/supplementary/source/SRPMS +[openstack-17-deployment-tools-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenStack Platform 17 Director Deployment Tools for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-deployment-tools/17/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[application-interconnect-1-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Application Interconnect for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhai/1/debug +[discovery-1-for-rhel-9-$basearch-debug-rpms] +name = Red Hat Discovery 1 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/discovery/1/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[amq-clients-3-for-rhel-9-$basearch-rpms] -name = Red Hat AMQ Clients 3 for RHEL 9 $basearch (RPMs) -baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/amq/3/os +[rhocp-4.19-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.19 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.19/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cnv-4.17-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Container Native Virtualization 4.17 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cnv/4.17/debug +[rhel-9-for-$basearch-highavailability-eus-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - High Availability - Extended Update Support from RHUI (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/rhui/$releasever/$basearch/highavailability/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-debug-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch (Debug RPMS) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/sat-client-2/6/debug +[kmm-2-for-rhel-9-$basearch-source-rpms] +name = Kernel 
Module Management 2 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/kmm/2/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhoso-tools-18-for-rhel-9-$basearch-source-rpms] -name = Red Hat OpenStack Services on OpenShift 18 Tools for RHEL 9 $basearch (Source RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhoso-tools/18/source/SRPMS +[cert-manager-1.10-for-rhel-9-$basearch-rpms] +name = Cert Manager support for Red Hat OpenShift 1.10 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.10/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[cert-manager-1.12-for-rhel-9-$basearch-debug-rpms] -name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/debug +[rhel-9-for-$basearch-resilientstorage-eus-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Resilient Storage - Extended Update Support (RPMs) +baseurl = 
https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/resilientstorage/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.15-for-rhel-9-$basearch-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.15 for RHEL 9 $basearch (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.15/os +[rhocp-4.14-for-rhel-9-$basearch-source-rpms] +name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.14-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.14/debug +[dirsrv-12-for-rhel-9-$basearch-eus-source-rpms] +name = Red Hat Directory Server 12 for RHEL 9 $basearch - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/dirsrv/12/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = 
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-atomic-7-cdk-3.5-debug-rpms] -name = Red Hat Container Development Kit 3.5 /(Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.5/debug +[satellite-client-6-for-rhel-9-$basearch-e4s-rpms] +name = Red Hat Satellite Client 6 for RHEL 9 $basearch - Update Services for SAP Solutions (RPMs) +baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sat-client/6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhocp-4.14-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenShift Container Platform 4.14 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp/4.14/debug +[rhel-atomic-7-cdk-3.16-rpms] +name = Red Hat Container Development Kit 3.16 /(RPMs) +baseurl = https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/$basearch/cdk/3.16/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = 
/etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[satellite-6-client-2-for-rhel-9-$basearch-eus-debug-rpms] -name = Red Hat Satellite 6 Client 2 for RHEL 9 $basearch - Extended Update Support (Debug RPMS) -baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/sat-client-2/6/debug +[rh-sso-7.6-for-rhel-9-$basearch-rpms] +name = Single Sign-On 7.6 for RHEL 9 $basearch (RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rh-sso/7.6/os enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-sap-solutions-e4s-debug-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions - Update Services for SAP Solutions (Debug RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/sap-solutions/debug +[rhel-9-for-$basearch-sap-solutions-rhui-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - SAP Solutions (Source RPMs) from RHUI +baseurl = https://cdn.redhat.com/content/dist/rhel9/rhui/$releasever/$basearch/sap-solutions/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 
metadata_expire = 86400 enabled_metadata = 0 -[rhocp-ironic-4.12-for-rhel-9-$basearch-debug-rpms] -name = Ironic content for Red Hat OpenShift Container Platform 4.12 for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhocp-ironic/4.12/debug +[cert-manager-1.12-for-rhel-9-$basearch-debug-rpms] +name = Cert Manager support for Red Hat OpenShift 1.12 for RHEL 9 $basearch (Debug RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/cert-manager/1.12/debug enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[openstack-17-tools-for-rhel-9-$basearch-debug-rpms] -name = Red Hat OpenStack Platform 17 Tools for RHEL 9 $basearch (Debug RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/openstack-tools/17/debug +[lvms-4.14-for-rhel-9-$basearch-source-rpms] +name = Logical Volume Manager Storage 4.14 for RHEL 9 $basearch (Source RPMs) +baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/lvms/4.14/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhel-9-for-$basearch-nfv-e4s-source-rpms] -name = Red Hat Enterprise Linux 9 for $basearch - Real 
Time for NFV - 4 years of updates (Source RPMs) -baseurl = https://cdn.redhat.com/content/e4s/rhel9/$releasever/$basearch/nfv/source/SRPMS +[jb-coreservices-textonly-1-for-middleware-rpms] +name = Red Hat JBoss Core Services Text-Only Advisories +baseurl = https://cdn.redhat.com/content/dist/middleware/jbcs/1.0/$basearch/os enabled = 0 gpgcheck = 1 -gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +gpgkey = file:// sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[rhelai-1.5-cuda-for-rhel-9-$basearch-rpms] -name = Red Hat Enterprise Linux AI (1.5) for RHEL 9 $basearch - Cuda (RPMs) -baseurl = https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/rhelai-cuda/1.5/os +[rhel-9-for-$basearch-supplementary-eus-source-rpms] +name = Red Hat Enterprise Linux 9 for $basearch - Supplementary - Extended Update Support (Source RPMs) +baseurl = https://cdn.redhat.com/content/eus/rhel9/$releasever/$basearch/supplementary/source/SRPMS enabled = 0 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 -[amq-textonly-1-for-middleware-rpms] -name = Red Hat JBoss AMQ Text-Only Advisories -baseurl = https://cdn.redhat.com/content/dist/middleware/amq/1.0/$basearch/os +[jws-5-for-rhel-9-$basearch-rpms] +name = JBoss Web Server 5 (RHEL 9) (RPMs) +baseurl = 
https://cdn.redhat.com/content/dist/layered/rhel9/$basearch/jws/5/os enabled = 0 gpgcheck = 1 -gpgkey = file:// +gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem -sslclientkey = /etc/pki/entitlement/2255514471793686508-key.pem -sslclientcert = /etc/pki/entitlement/2255514471793686508.pem +sslclientkey = /etc/pki/entitlement/2881982249673081096-key.pem +sslclientcert = /etc/pki/entitlement/2881982249673081096.pem sslverifystatus = 1 metadata_expire = 86400 enabled_metadata = 0 diff --git a/rpm/rpms.in.yaml b/rpm/rpms.in.yaml index aace2dbde6..340e907829 100644 --- a/rpm/rpms.in.yaml +++ b/rpm/rpms.in.yaml @@ -1,4 +1,29 @@ -packages: [pkg-config, perl-FindBin, openssl-devel, perl-lib, perl-IPC-Cmd, perl-File-Compare, perl-File-Copy, clang-devel, tpm2-tss-devel, protobuf-compiler, meson] +packages: + - pkg-config + - perl-FindBin + - openssl-devel + - perl-lib + - perl-IPC-Cmd + - perl-File-Compare + - perl-File-Copy + - clang-devel + - tpm2-tss-devel + - protobuf-compiler + - meson + - cargo + - rust + - glibc-static + - gcc + - gcc-c++ + - cmake + - perl + - device-mapper-devel +# - git +# - tar +# - gzip +# - jq +# - runc + contentOrigin: repofiles: - ./ubi.repo @@ -7,4 +32,4 @@ arches: - x86_64 - s390x context: - image: registry.access.redhat.com/ubi9/ubi-minimal:9.5-1741850109 + image: registry.access.redhat.com/ubi9/ubi:9.5 diff --git a/rpm/rpms.lock.yaml b/rpm/rpms.lock.yaml index 2e6e588eeb..f1e8eb5e75 100644 --- a/rpm/rpms.lock.yaml +++ b/rpm/rpms.lock.yaml 
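Review bot: The new `- perl` entry in the `packages:` list of rpm/rpms.in.yaml (first hunk) is the full Perl metapackage, added next to the specific modules already listed (`perl-FindBin`, `perl-lib`, `perl-IPC-Cmd`, `perl-File-Compare`, `perl-File-Copy`). The rpms.lock.yaml changes in this same patch add `perl-CPAN`, `perl-Archive-Tar`, `perl-Archive-Zip` and many more, which appears to be a consequence of that one line. If the build needs only a few extra modules, naming them instead of `- perl` keeps the prefetched set small, along with what has to be tracked for updates; the build scripts are not in this hunk, so that is an assumption to confirm. The commented-out entries at the end (`# - git` through `# - runc`) give no reason for being disabled; delete them or put a line such as `# TODO: confirm whether these are still needed, otherwise delete` above them.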
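Review bot: The `image:` line under `context:` in rpm/rpms.in.yaml (second hunk) moves from a build-stamped tag, `ubi-minimal:9.5-1741850109`, to the floating tag `ubi:9.5`, so the base that the lockfile is resolved against can change without any change to this file. Regenerating rpms.lock.yaml from the same input may then yield a different package set, which makes later lockfile diffs harder to review and to attribute. Pin the image to a build tag or a digest, for example `image: registry.access.redhat.com/ubi9/ubi:9.5@sha256:<digest of the intended image>`. The switch from `ubi-minimal` to `ubi` also changes which packages count as already present in the base; presumably that is intended to match the new build image, but the hunk does not say so.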
@@ -4,6 +4,13 @@ lockfileVendor: redhat arches: - arch: s390x packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/a/annobin-12.92-1.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 1108217 + checksum: sha256:049154b35135532fe20eaa1f5dd0b994cae63311332802bdb2918393dbdda67f + name: annobin + evr: 12.92-1.el9 + sourcerpm: annobin-12.92-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cargo-1.84.1-1.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 9343822 @@ -53,6 +60,20 @@ arches: name: clang-tools-extra evr: 19.1.7-2.el9 sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cmake-3.26.5-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 7291387 + checksum: sha256:5ab2189c547551ea8848b86c53ad91584eea5b03682a913399345cd4bd14f012 + name: cmake + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cmake-data-3.26.5-2.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 2488227 + checksum: sha256:84da65a7b8921f031d15903d91c5967022620f9e96b7493c8ab8024014755ee7 + name: cmake-data + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cmake-filesystem-3.26.5-2.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 23417 
@@ -60,6 +81,13 @@ arches: name: cmake-filesystem evr: 3.26.5-2.el9 sourcerpm: cmake-3.26.5-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/cmake-rpm-macros-3.26.5-2.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12250 + checksum: sha256:1c74969c8a4f21851f5b89f25ac55c689b75bed1318d0435fc3a14a49c39d0e3 + name: cmake-rpm-macros + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/c/compiler-rt-19.1.7-2.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 1792169 @@ -74,6 +102,20 @@ arches: name: cpp evr: 11.5.0-5.el9_5 sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/d/dwz-0.14-3.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 133334 + checksum: sha256:0bcb8f9a69c0c3f99abc799bffe83480a3d1d021935a6af54d998270f73a019f + name: dwz + evr: 0.14-3.el9 + sourcerpm: dwz-0.14-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/e/efi-srpm-macros-6-2.el9_0.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24452 + checksum: sha256:1a1fa7561f5cef960b36c6a796d8a6fb4af70511118dacbfd5f707181a6c02fe + name: efi-srpm-macros + evr: 6-2.el9_0 + sourcerpm: efi-rpm-macros-6-2.el9_0.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/e/emacs-filesystem-27.2-13.el9_6.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 9758 
@@ -81,6 +123,13 @@ arches: name: emacs-filesystem evr: 1:27.2-13.el9_6 sourcerpm: emacs-27.2-13.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/f/fonts-srpm-macros-2.0.5-7.el9.1.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 30140 + checksum: sha256:f8c6aaa6af574698f6d1a7eb8e7f6ed725e4366dc14553bc816f5aa305675367 + name: fonts-srpm-macros + evr: 1:2.0.5-7.el9.1 + sourcerpm: fonts-rpm-macros-2.0.5-7.el9.1.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-11.5.0-5.el9_5.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 26862907 @@ -95,6 +144,13 @@ arches: name: gcc-c++ evr: 11.5.0-5.el9_5 sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-plugin-annobin-11.5.0-5.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 40703 + checksum: sha256:adedfacdef3f3e2990a7b8fe93d706880cb85d8c577bdb559525036a66e885c7 + name: gcc-plugin-annobin + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/gcc-toolset-14-binutils-2.41-3.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 6318631 
@@ -130,27 +186,48 @@ arches: name: gcc-toolset-14-runtime evr: 14.0-1.el9 sourcerpm: gcc-toolset-14-14.0-1.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/glibc-devel-2.34-168.el9_6.14.s390x.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/ghc-srpm-macros-1.5.0-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 9252 + checksum: sha256:80fb1c39b5d8c23352b8928332fa0794e679e054ffa3f04a34c2b18bb7e28c93 + name: ghc-srpm-macros + evr: 1.5.0-6.el9 + sourcerpm: ghc-srpm-macros-1.5.0-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/glibc-devel-2.34-168.el9_6.19.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms - size: 43394 - checksum: sha256:e9751a71c8231e366bead94e27acb937ffca292b23e93feaeae2422f0e6f8b60 + size: 43102 + checksum: sha256:3c7bf0e73dea7f7ebb33b265cd9dade705dc82260726026025a0a679f9e9612e name: glibc-devel - evr: 2.34-168.el9_6.14 - sourcerpm: glibc-2.34-168.el9_6.14.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/glibc-headers-2.34-168.el9_6.14.s390x.rpm + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/glibc-headers-2.34-168.el9_6.19.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms - size: 545348 - checksum: sha256:313b196cef60c688ca2189f8bc3b94eff54b1610088a9bdef422d2a54b426bc6 + size: 544939 + checksum: sha256:6d2da2ea92e96e26b0bdca4b06c29adbc13fe7f8afb91b732e5c3f48a407c3fe name: glibc-headers - evr: 2.34-168.el9_6.14 - sourcerpm: glibc-2.34-168.el9_6.14.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/k/kernel-headers-5.14.0-570.17.1.el9_6.s390x.rpm + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/g/go-srpm-macros-3.6.0-10.el9_6.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms - size: 3671885 - checksum: sha256:588834117164357cde3790541f872931129785dcc44763fbf8cc7a42583cda90 + size: 28143 + checksum: sha256:c1cbc05c812994c77b7f7bf80e76039c94d6ba887c9169228833e7e702aa095a + name: go-srpm-macros + evr: 3.6.0-10.el9_6 + sourcerpm: go-rpm-macros-3.6.0-10.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/k/kernel-headers-5.14.0-570.22.1.el9_6.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 3676881 + checksum: sha256:c9d2e5d6577d219d2edd0a94569be0357265ddbe9e745ffeb3f382ea250842b7 name: kernel-headers - evr: 5.14.0-570.17.1.el9_6 - sourcerpm: kernel-5.14.0-570.17.1.el9_6.src.rpm + evr: 5.14.0-570.22.1.el9_6 + sourcerpm: kernel-5.14.0-570.22.1.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/k/kernel-srpm-macros-1.0-13.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 17792 + checksum: sha256:7e891fa264fb538bf4a26aa94e91ff0c3084bf2613e2061dbb6f4f0c26856777 + name: kernel-srpm-macros + evr: 1.0-13.el9 + sourcerpm: kernel-srpm-macros-1.0-13.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libasan-11.5.0-5.el9_5.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 415917 
@@ -165,6 +242,13 @@ arches: name: libcurl-devel evr: 7.76.1-31.el9 sourcerpm: curl-7.76.1-31.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libdatrie-0.2.13-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 34848 + checksum: sha256:835b33519221e93872d8cd4f2a3b7c5b58d84ae616ef77c87791b5e16e8a9759 + name: libdatrie + evr: 0.2.13-4.el9 + sourcerpm: libdatrie-0.2.13-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libmpc-1.2.1-4.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 66959 @@ -179,6 +263,13 @@ arches: name: libstdc++-devel evr: 11.5.0-5.el9_5 sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libthai-0.1.28-8.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 217030 + checksum: sha256:c788fe7b1d4392c6c89795ba77285922c6462f8a6ce7c4ace94858b6b0d1d76b + name: libthai + evr: 0.1.28-8.el9 + sourcerpm: libthai-0.1.28-8.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libubsan-11.5.0-5.el9_5.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 182931 @@ -186,6 +277,13 @@ arches: name: libubsan evr: 11.5.0-5.el9_5 sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libuv-1.42.0-2.el9_4.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 150561 + checksum: sha256:7badf8ffee70ff4eabd9b96701d8926752c961e395dd79ecd70460056b88024f + name: libuv + evr: 1:1.42.0-2.el9_4 + sourcerpm: libuv-1.42.0-2.el9_4.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/libxcrypt-devel-4.4.18-3.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 33073 
@@ -193,6 +291,13 @@ arches: name: libxcrypt-devel evr: 4.4.18-3.el9 sourcerpm: libxcrypt-4.4.18-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/llvm-19.1.7-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 28704932 + checksum: sha256:9638a803dbd9237dd825bc78ffab5e5ff14cecc02db7c4d5665574579423d25d + name: llvm + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/llvm-libs-19.1.7-2.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 40096334 
@@ -200,6 +305,27 @@ arches: name: llvm-libs evr: 19.1.7-2.el9 sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/l/lua-srpm-macros-1-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 10476 + checksum: sha256:64946edfd54f7d4668f7fdcb7be961ceaca8cff7d0bef438bef4e2498ccf3cd6 + name: lua-srpm-macros + evr: 1-6.el9 + sourcerpm: lua-rpm-macros-1-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/o/ocaml-srpm-macros-6-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 9270 + checksum: sha256:783710ad3710e594275fb23d280f030a68279927ca82ce38787f4c93971eaa88 + name: ocaml-srpm-macros + evr: 6-6.el9 + sourcerpm: ocaml-srpm-macros-6-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/o/openblas-srpm-macros-2-11.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 8807 + checksum: sha256:091911db0712bfe9b03952046191438bdd9b1080558e0c1014611d39aa80571d + name: openblas-srpm-macros + evr: 2-11.el9 + sourcerpm: openblas-srpm-macros-2-11.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/o/openssl-devel-3.2.2-6.el9_5.1.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 4650765 
@@ -207,6 +333,62 @@ arches: name: openssl-devel evr: 1:3.2.2-6.el9_5.1 sourcerpm: openssl-3.2.2-6.el9_5.1.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/pcre2-devel-10.40-6.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 528585 + checksum: sha256:fe8e92c82f3f3dfa449505185e8ca242710170e8de1bf2d195513b14801a74e0 + name: pcre2-devel + evr: 10.40-6.el9 + sourcerpm: pcre2-10.40-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/pcre2-utf16-10.40-6.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 207477 + checksum: sha256:2c110b29a9444e443c0700c543af47f38114ff7ca5d41363915d54fe991b13e6 + name: pcre2-utf16 + evr: 10.40-6.el9 + sourcerpm: pcre2-10.40-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/pcre2-utf32-10.40-6.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 195777 + checksum: sha256:d5814c3428fa5978362e0ba8fffb6d2ce4b1ce609b6e95b3d2227e143bf72526 + name: pcre2-utf32 + evr: 10.40-6.el9 + sourcerpm: pcre2-10.40-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-5.32.1-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12537 + checksum: sha256:b7c1e9ceebe3d4f22f8d0e198d1f9b337c858018e343e618b2cb4b2b701a9eed + name: perl + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Algorithm-Diff-1.2010-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 52041 + checksum: sha256:3d252e247a41978a10faef66931ac5fb2525c7fa708d8caa537d368ef5ba62ce + name: perl-Algorithm-Diff + evr: 1.2010-4.el9 + sourcerpm: perl-Algorithm-Diff-1.2010-4.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Archive-Tar-2.38-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 77744 + checksum: sha256:5cf97230d350543cdf34f379dc04e1383f89591ad76768b5a2738b474cdec404 + name: perl-Archive-Tar + evr: 2.38-6.el9 + sourcerpm: perl-Archive-Tar-2.38-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Archive-Zip-1.68-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 118766 + checksum: sha256:2237a7cdfa30cda2ad475cb6ee5796f1e4cafa07e8760e08bca8d252cd6eb51d + name: perl-Archive-Zip + evr: 1.68-6.el9 + sourcerpm: perl-Archive-Zip-1.68-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Attribute-Handlers-1.01-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 28435 + checksum: sha256:03d4f6339d78bf32658aa68b713e15a01ff544e88a7565e8ee595e053b6ec8ea + name: perl-Attribute-Handlers + evr: 1.01-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-AutoLoader-5.74-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 21821 @@ -214,6 +396,13 @@ arches: name: perl-AutoLoader evr: 5.74-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-AutoSplit-5.74-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 22186 + checksum: sha256:d962ffc07516d9f0ed0d9a5c21e16677598afa8f10a40c6555ae9a35e6a2d43b + name: perl-AutoSplit + evr: 5.74-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-B-1.80-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 187245 
@@ -221,6 +410,48 @@ arches: name: perl-B evr: 1.80-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Benchmark-1.23-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 27531 + checksum: sha256:b19c10012210bfdd3566986e4222cd94183e56e496d3e2ddf03743c45689818b + name: perl-Benchmark + evr: 1.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-CPAN-2.29-5.el9_6.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 589480 + checksum: sha256:a46e7bb747f0b5dc26d8eda788b98492576048f5df271d070c35118f8d980b9d + name: perl-CPAN + evr: 2.29-5.el9_6 + sourcerpm: perl-CPAN-2.29-5.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-CPAN-DistnameInfo-0.12-23.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 17060 + checksum: sha256:35687783ded44b01c37af59f66499b42e10df074c36608fc3f84bd4ae082c852 + name: perl-CPAN-DistnameInfo + evr: 0.12-23.el9 + sourcerpm: perl-CPAN-DistnameInfo-0.12-23.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-CPAN-Meta-2.150010-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 210745 + checksum: sha256:ec35026baabe720d7c880f896f84271f0c408c56d3fea6d7c5d22580ac175690 + name: perl-CPAN-Meta + evr: 2.150010-460.el9 + sourcerpm: perl-CPAN-Meta-2.150010-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-CPAN-Meta-Requirements-2.140-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 35205 + checksum: sha256:eca17976f76fd8d31eda995a9ced2d813c1c94b9efafa1a83454fb120be62784 + name: perl-CPAN-Meta-Requirements + evr: 2.140-461.el9 + sourcerpm: perl-CPAN-Meta-Requirements-2.140-461.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-CPAN-Meta-YAML-0.018-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 29542 + checksum: sha256:b21eb298e56bc6623257cae1434198789e80ab92b818af4e29514a7bbc6f5910 + name: perl-CPAN-Meta-YAML + evr: 0.018-461.el9 + sourcerpm: perl-CPAN-Meta-YAML-0.018-461.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Carp-1.50-460.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 32039 
@@ -235,6 +466,62 @@ arches: name: perl-Class-Struct evr: 0.66-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Compress-Bzip2-2.28-5.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 73613 + checksum: sha256:63561c2a32e5b8db57310f28f0ecacd0d6313dd39e482d3c2d0068aad49705b2 + name: perl-Compress-Bzip2 + evr: 2.28-5.el9 + sourcerpm: perl-Compress-Bzip2-2.28-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Compress-Raw-Bzip2-2.101-5.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 38220 + checksum: sha256:724d43294e7b778d326b427592dc135536106acbe37c51c152a1e92418006be7 + name: perl-Compress-Raw-Bzip2 + evr: 2.101-5.el9 + sourcerpm: perl-Compress-Raw-Bzip2-2.101-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Compress-Raw-Lzma-2.101-3.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 54099 + checksum: sha256:03c2232e65e3f6b72b5c093ec6c4174fdf32016aa6db8295794a91bba0477acc + name: perl-Compress-Raw-Lzma + evr: 2.101-3.el9 + sourcerpm: perl-Compress-Raw-Lzma-2.101-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Compress-Raw-Zlib-2.101-5.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 64620 + checksum: sha256:78b518257c483956118cbccb1d6cc3410b436317152e8a14e2f5289029ca58ea + name: perl-Compress-Raw-Zlib + evr: 2.101-5.el9 + sourcerpm: perl-Compress-Raw-Zlib-2.101-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Config-Extensions-0.03-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12815 + checksum: sha256:840607ca387a3076f9ee0f40060f6a2b559779ec2a4647e073a5e24fc713e36f + name: perl-Config-Extensions + evr: 0.03-481.el9 + sourcerpm: 
perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Config-Perl-V-0.33-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24943 + checksum: sha256:7ec321ecb6f37b6be09ad182cb66fdeee9f12138f75fc48858bde2177c358d1d + name: perl-Config-Perl-V + evr: 0.33-4.el9 + sourcerpm: perl-Config-Perl-V-0.33-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-DBM_Filter-0.06-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 35000 + checksum: sha256:b5dbe5adabdd6602224ee8178743b4f34b80d585ab838cb3ad1f2cae99b0e9dc + name: perl-DBM_Filter + evr: 0.06-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-DB_File-1.855-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 84019 + checksum: sha256:bbf9e756b7fa6fca35ba34875341c84a967fc00de39fa6516586f8fe8bb9f27c + name: perl-DB_File + evr: 1.855-4.el9 + sourcerpm: perl-DB_File-1.855-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Data-Dumper-2.174-462.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 58967 
@@ -242,6 +529,48 @@ arches: name: perl-Data-Dumper evr: 2.174-462.el9 sourcerpm: perl-Data-Dumper-2.174-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Data-OptList-0.110-17.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 30694 + checksum: sha256:1455a3e90116f504008f8d27db57acb65c3389440dc6e2d605f54bf40b009a10 + name: perl-Data-OptList + evr: 0.110-17.el9 + sourcerpm: perl-Data-OptList-0.110-17.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Data-Section-0.200007-14.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 28030 + checksum: sha256:9fb57b4fbcfea93de114505082261abd97f576cf78e1a205c255d69d8eb6babf + name: perl-Data-Section + evr: 0.200007-14.el9 + sourcerpm: perl-Data-Section-0.200007-14.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Devel-PPPort-3.62-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 218818 + checksum: sha256:21b91196e9b6f052db4bea8839b4a64801a931eb1f4df44c66acda557a3edc09 + name: perl-Devel-PPPort + evr: 3.62-4.el9 + sourcerpm: perl-Devel-PPPort-3.62-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Devel-Peek-1.28-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 34148 + checksum: sha256:c128f86d7bca152c35960daf12dd102c0e0d59bf0d234116c70be18ce283877b + name: perl-Devel-Peek + evr: 1.28-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Devel-SelfStubber-1.06-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14932 + checksum: sha256:5b39f719f3e1da497d92b87d597269686925bf08006f8e2c1c92ec0bb8cd9482 + name: perl-Devel-SelfStubber + evr: 1.06-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Devel-Size-0.83-10.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 34748 + checksum: sha256:f932c1b7c88669289ce5d8988ea2f7e18008a47699661cee712377a4e6ae921b + name: perl-Devel-Size + evr: 0.83-10.el9 + sourcerpm: perl-Devel-Size-0.83-10.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Digest-1.19-4.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 29409 
@@ -256,6 +585,41 @@ arches: name: perl-Digest-MD5 evr: 2.58-4.el9 sourcerpm: perl-Digest-MD5-2.58-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Digest-SHA-6.02-461.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 66199 + checksum: sha256:07733b7a38f51154f07b24b1199d2beae019ba97b0b8666ec39148ead888b990 + name: perl-Digest-SHA + evr: 1:6.02-461.el9 + sourcerpm: perl-Digest-SHA-6.02-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Digest-SHA1-2.13-34.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 56515 + checksum: sha256:d0a7fc978c880803e23e34bbffd9824ca2b407d445271a7d6e361eac2843cd9b + name: perl-Digest-SHA1 + evr: 2.13-34.el9 + sourcerpm: perl-Digest-SHA1-2.13-34.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-DirHandle-1.05-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12799 + checksum: sha256:b50fdd94649f82218308bd6d0ba5d6e20f658d6fc448aaa1327398443dfaefc7 + name: perl-DirHandle + evr: 1.05-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Dumpvalue-2.27-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18822 + checksum: sha256:60e541f90705e444171f50078c0f1137fcff5576124cbb729768a99386e2016d + name: perl-Dumpvalue + evr: 2.27-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-DynaLoader-1.47-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 26393 + checksum: sha256:def32acb0c669f4ca0ffe13dfc95e8330d1458523ff6279a0094949fdaa607a5 + name: perl-DynaLoader + evr: 1.47-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Encode-3.08-462.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 1840299 @@ -263,6 +627,34 @@ arches: name: perl-Encode evr: 4:3.08-462.el9 sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Encode-Locale-1.05-21.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21500 + checksum: sha256:58afacf30f4a476f4ba6646a6419122d2a729bd59880611b631527502dcdc269 + name: perl-Encode-Locale + evr: 1.05-21.el9 + sourcerpm: perl-Encode-Locale-1.05-21.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Encode-devel-3.08-462.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 45159 + checksum: sha256:a0e7ef9f5d70cb971d9d1568adb25dda7926ee3d9b7caec64c278c1e1178bd6b + name: perl-Encode-devel + evr: 4:3.08-462.el9 + sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-English-1.11-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13988 + checksum: sha256:51234583bb690fe57ac54a9efca0e4ab51e75f1ad6133e9e1b579b9f851b6575 + name: perl-English + evr: 1.11-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Env-1.04-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 22160 + checksum: sha256:92fb2287084a3c88a6b2d2bd300d1279251cec59156c1a9a3e0fa8fda6c546b2 + name: perl-Env + evr: 1.04-460.el9 + sourcerpm: perl-Env-1.04-460.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Errno-1.30-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 15297 
@@ -277,6 +669,41 @@ arches: name: perl-Exporter evr: 5.74-461.el9 sourcerpm: perl-Exporter-5.74-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-CBuilder-0.280236-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 54624 + checksum: sha256:1f03cdbebc6f7b1b877e170363ab4906d194aa5edbaee17df724ca7ffc972011 + name: perl-ExtUtils-CBuilder + evr: 1:0.280236-4.el9 + sourcerpm: perl-ExtUtils-CBuilder-0.280236-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-Command-7.60-3.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16489 + checksum: sha256:642338ff95d94e2c6e4b7de47cda7b772d1fbc204b2869925bd0326fcc4b0e26 + name: perl-ExtUtils-Command + evr: 2:7.60-3.el9 + sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-Constant-0.25-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 49788 + checksum: sha256:49aa4d69ad3bfbc05da33c2c88eb82815c76c7b605831012fbed054d9fe2ceb5 + name: perl-ExtUtils-Constant + evr: 0.25-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-Embed-1.35-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18371 + checksum: sha256:cfa0a13f9d7f2b99c40d17f77b03460ef765c5e046c69d46efe057e42d988f33 + name: perl-ExtUtils-Embed + evr: 1.35-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-Install-2.20-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 48441 + checksum: sha256:2533a1d97d45dc79c07cc51409c34f188c042757a2811b04dc16892ae2c7443e + name: perl-ExtUtils-Install + evr: 2.20-4.el9 + sourcerpm: 
perl-ExtUtils-Install-2.20-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-MM-Utils-7.60-3.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 14176 
@@ -284,6 +711,34 @@ arches: name: perl-ExtUtils-MM-Utils evr: 2:7.60-3.el9 sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-MakeMaker-7.60-3.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 311769 + checksum: sha256:2286e5004cb6436b7ac8dd436c91b4e1d36c18b9385d07a24fc167c930c9dee8 + name: perl-ExtUtils-MakeMaker + evr: 2:7.60-3.el9 + sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-Manifest-1.73-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 37829 + checksum: sha256:f7cf7fd259fb8a6c27537dc98e1ed4923b26c2d8d8fd6b789e166ac104cac5bc + name: perl-ExtUtils-Manifest + evr: 1:1.73-4.el9 + sourcerpm: perl-ExtUtils-Manifest-1.73-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-Miniperl-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 15866 + checksum: sha256:15a90a1f4c0b11048633e996d9887b83db8a48031e1ba2560e72573c328c4cf5 + name: perl-ExtUtils-Miniperl + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ExtUtils-ParseXS-3.40-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 194711 + checksum: sha256:bb7e4bcfe24371bbe202a9fa704360a7bbc5d9f4103ec36e6e571da6eb76a186 + name: perl-ExtUtils-ParseXS + evr: 1:3.40-460.el9 + sourcerpm: perl-ExtUtils-ParseXS-3.40-460.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Fcntl-1.13-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 21909 
@@ -312,6 +767,20 @@ arches: name: perl-File-Copy evr: 2.34-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-DosGlob-1.12-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21602 + checksum: sha256:a5e442a88effdb475abe3c200af14806efd698320d8fb8ba3e35a9822d3c44c2 + name: perl-File-DosGlob + evr: 1.12-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Fetch-1.00-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 33372 + checksum: sha256:8c46735b0f703cd53fbaf915423b63baf98701d81406b30b84e42e53a0efbb6e + name: perl-File-Fetch + evr: 1.00-4.el9 + sourcerpm: perl-File-Fetch-1.00-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Find-1.37-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 26277 @@ -319,6 +788,13 @@ arches: name: perl-File-Find evr: 1.37-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-HomeDir-1.006-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 65857 + checksum: sha256:68f539b86abb7ab910286188ad3742f4338330f3246f6da07cb4ca5c83d8e80f + name: perl-File-HomeDir + evr: 1.006-4.el9 + sourcerpm: perl-File-HomeDir-1.006-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Path-2.18-4.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 38466 
@@ -333,6 +809,13 @@ arches: name: perl-File-Temp evr: 1:0.231.100-4.el9 sourcerpm: perl-File-Temp-0.231.100-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-Which-1.23-10.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24163 + checksum: sha256:80a41f9f823312dca2c9fed97f6568a88957572277b75920fb76f20a60902e7f + name: perl-File-Which + evr: 1.23-10.el9 + sourcerpm: perl-File-Which-1.23-10.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-File-stat-1.09-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 17853 @@ -340,6 +823,13 @@ arches: name: perl-File-stat evr: 1.09-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-FileCache-1.10-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 15108 + checksum: sha256:1da22e9c110f143c1dfbd827fefcac6ad514d6bedddb6d3d4152206e0abfc886 + name: perl-FileCache + evr: 1.10-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-FileHandle-2.03-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 15921 
@@ -347,6 +837,20 @@ arches: name: perl-FileHandle evr: 2.03-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Filter-1.60-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 96696 + checksum: sha256:c9ce86cd03d331fd63b8d5c2370bc93c20035cf1b10d61ba383f923e1e3820ed + name: perl-Filter + evr: 2:1.60-4.el9 + sourcerpm: perl-Filter-1.60-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Filter-Simple-0.96-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 29899 + checksum: sha256:080a1c4c16acddca179c0e2ab8120fe01e374bb86d0a950923a610e50fabfc00 + name: perl-Filter-Simple + evr: 0.96-460.el9 + sourcerpm: perl-Filter-Simple-0.96-460.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-FindBin-1.51-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 14336 @@ -354,6 +858,13 @@ arches: name: perl-FindBin evr: 1.51-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-GDBM_File-1.18-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 23614 + checksum: sha256:50d9686fe14e1daf5cc497b1171e42f09ece69fe8c5070053db9432595e569ba + name: perl-GDBM_File + evr: 1.18-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Getopt-Long-2.52-4.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 65144 
@@ -375,6 +886,27 @@ arches: name: perl-HTTP-Tiny evr: 0.076-462.el9 sourcerpm: perl-HTTP-Tiny-0.076-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Hash-Util-0.23-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 36459 + checksum: sha256:194fb0c89e378b835d6fa639fcff7730b31a50c96c5a579baf1d679589d94f71 + name: perl-Hash-Util + evr: 0.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Hash-Util-FieldHash-1.20-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 40578 + checksum: sha256:92a8baad6d5680756bba12ade9c13ef800dd67543f49a03eeaa53080e77907a8 + name: perl-Hash-Util-FieldHash + evr: 1.20-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-I18N-Collate-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14785 + checksum: sha256:440007c7d78ddc63839ff9bfe8b82acbd939452f3ada8a1b34288aabd2865150 + name: perl-I18N-Collate + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-I18N-LangTags-0.44-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 57020 
@@ -382,6 +914,13 @@ arches: name: perl-I18N-LangTags evr: 0.44-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-I18N-Langinfo-0.19-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24474 + checksum: sha256:af51f47a303ce01da44c58b5f7dc00aaa7ce5e74fcaebfbe3ec42bf83fc93a66 + name: perl-I18N-Langinfo + evr: 0.19-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-1.43-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 94321 @@ -389,6 +928,20 @@ arches: name: perl-IO evr: 1.43-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-Compress-2.102-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 280708 + checksum: sha256:ce8f2004395442fe663cb9efc56f9af2102c75d746f2ce393e40af8a26ac6871 + name: perl-IO-Compress + evr: 2.102-4.el9 + sourcerpm: perl-IO-Compress-2.102-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-Compress-Lzma-2.101-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 84153 + checksum: sha256:bda4c005c09e886ce2273a3f418f0cd92521ed0b8fdcdaca7b9fc0026f2a6c7b + name: perl-IO-Compress-Lzma + evr: 2.101-4.el9 + sourcerpm: perl-IO-Compress-Lzma-2.101-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-Socket-IP-0.41-5.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 46457 
@@ -403,6 +956,13 @@ arches: name: perl-IO-Socket-SSL evr: 2.073-2.el9 sourcerpm: perl-IO-Socket-SSL-2.073-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IO-Zlib-1.11-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21809 + checksum: sha256:87d7b757a570fb53d72b2dd29558c2b4a8ff33196a80ad10f76999325acaec07 + name: perl-IO-Zlib + evr: 1:1.11-4.el9 + sourcerpm: perl-IO-Zlib-1.11-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IPC-Cmd-1.04-461.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 42803 
@@ -417,6 +977,34 @@ arches: name: perl-IPC-Open3 evr: 1.21-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IPC-SysV-2.09-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 47649 + checksum: sha256:ac4411e71c11743182bff435b7ec7f0c050614d3a0c9e41ebb9226bda5b9c441 + name: perl-IPC-SysV + evr: 2.09-4.el9 + sourcerpm: perl-IPC-SysV-2.09-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-IPC-System-Simple-1.30-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 44255 + checksum: sha256:35792b1aa241cb17b881b1e44940bc295329a575a2a2d183757ef1d757062465 + name: perl-IPC-System-Simple + evr: 1.30-6.el9 + sourcerpm: perl-IPC-System-Simple-1.30-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Importer-0.026-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 42526 + checksum: sha256:1afb9008ad841ba4fc207af8ec814d06bd78e958cd2b03089c7b82c71a311060 + name: perl-Importer + evr: 0.026-4.el9 + sourcerpm: perl-Importer-0.026-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-JSON-PP-4.06-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 70596 + checksum: sha256:17f547d40976904eb59449f0cdec890e34632a28a083fc46157ac1c67e9e3494 + name: perl-JSON-PP + evr: 1:4.06-4.el9 + sourcerpm: perl-JSON-PP-4.06-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Locale-Maketext-1.29-461.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 101003 
@@ -438,6 +1026,62 @@ arches: name: perl-MIME-Base64 evr: 3.16-4.el9 sourcerpm: perl-MIME-Base64-3.16-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-MIME-Charset-1.012.2-15.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 54488 + checksum: sha256:cf481c2178bc2a55c5b455749f38f4f96ee71f32dcf458c34d4f1bbcb996feca + name: perl-MIME-Charset + evr: 1.012.2-15.el9 + sourcerpm: perl-MIME-Charset-1.012.2-15.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-MRO-Compat-0.13-15.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 22804 + checksum: sha256:7921d8fd6d4dacdfb4a286fe4355516f20d660681abb49af9983f7527429e351 + name: perl-MRO-Compat + evr: 0.13-15.el9 + sourcerpm: perl-MRO-Compat-0.13-15.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Math-BigInt-1.9998.18-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 198900 + checksum: sha256:b90555cc3da95e314e931de2348d7c89da7c16023fb9399cdfbbcf9f1aeade7d + name: perl-Math-BigInt + evr: 1:1.9998.18-460.el9 + sourcerpm: perl-Math-BigInt-1.9998.18-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Math-BigInt-FastCalc-0.500.900-460.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 32035 + checksum: sha256:df95e573bdf21c06a1083c80ff7f19dafbff3ccc7d272d5791a30a5bb2decf42 + name: perl-Math-BigInt-FastCalc + evr: 0.500.900-460.el9 + sourcerpm: perl-Math-BigInt-FastCalc-0.500.900-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Math-BigRat-0.2614-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 42414 + checksum: sha256:c31888896769451095c352ea97a1c88e2bbbc27d5bdc1e018dc8bae680967fb0 + name: perl-Math-BigRat + evr: 0.2614-460.el9 + 
sourcerpm: perl-Math-BigRat-0.2614-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Math-Complex-1.59-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 48567 + checksum: sha256:f53531125d6df72f4b50be888b7c3352a4032a5207a7bad774a2658b46d4edad + name: perl-Math-Complex + evr: 1.59-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Memoize-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 61549 + checksum: sha256:8ca298bbaff33a951e338d0213560610bd06cf5a3783bb83c34318e9d91b5a72 + name: perl-Memoize + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Build-0.42.31-9.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 274094 + checksum: sha256:9e33e1a46048d262ebe06f98c6c7b1579cdf92db57b0bb4228d13883c232d82c + name: perl-Module-Build + evr: 2:0.42.31-9.el9 + sourcerpm: perl-Module-Build-0.42.31-9.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-CoreList-5.20240609-1.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 92615 
@@ -445,6 +1089,13 @@ arches: name: perl-Module-CoreList evr: 1:5.20240609-1.el9 sourcerpm: perl-Module-CoreList-5.20240609-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-CoreList-tools-5.20240609-1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18135 + checksum: sha256:2df9f5a5329e94c19bab88ba530149a86438756c7404787b03745f711adf3368 + name: perl-Module-CoreList-tools + evr: 1:5.20240609-1.el9 + sourcerpm: perl-Module-CoreList-5.20240609-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Load-0.36-4.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 20052 @@ -459,6 +1110,13 @@ arches: name: perl-Module-Load-Conditional evr: 0.74-4.el9 sourcerpm: perl-Module-Load-Conditional-0.74-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Loaded-0.08-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13935 + checksum: sha256:6651d40ae9a673262240d750f1b4236eb8db8f9a4a81ff3d529be1e65ea0a098 + name: perl-Module-Loaded + evr: 1:0.08-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Metadata-1.000037-460.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 39221 
@@ -466,6 +1124,13 @@ arches: name: perl-Module-Metadata evr: 1.000037-460.el9 sourcerpm: perl-Module-Metadata-1.000037-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Module-Signature-0.88-1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 89282 + checksum: sha256:1a173631124cdb77ffa2cb11ceb8de813f6e4222e5bf9ae657947211480858e6 + name: perl-Module-Signature + evr: 0.88-1.el9 + sourcerpm: perl-Module-Signature-0.88-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Mozilla-CA-20200520-6.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 14781 
@@ -480,6 +1145,27 @@ arches: name: perl-NDBM_File evr: 1.15-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-NEXT-0.67-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21511 + checksum: sha256:85c96161deaf2161fbe1f0d6e46e57d78c5fb839301c94d0782f400066455326 + name: perl-NEXT + evr: 0.67-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Net-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 27619 + checksum: sha256:79168b438837b36fb8abd5184859651788604c116be0d271fa633276a69662a5 + name: perl-Net + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Net-Ping-2.74-5.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 53027 + checksum: sha256:fb74fb2651f62421538bb05992af5251887013a72c4412f5c2421992204c03bc + name: perl-Net-Ping + evr: 2.74-5.el9 + sourcerpm: perl-Net-Ping-2.74-5.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Net-SSLeay-1.94-1.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 420925 
@@ -487,6 +1173,27 @@ arches: name: perl-Net-SSLeay evr: 1.94-1.el9 sourcerpm: perl-Net-SSLeay-1.94-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ODBM_File-1.16-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 23495 + checksum: sha256:73d3bfe6b3f387399ab38d004f6854a8fa54c328636761b4a7257a2d054c4709 + name: perl-ODBM_File + evr: 1.16-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Object-HashBase-0.009-7.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 28938 + checksum: sha256:2144d4c29ea4acfc0d872bf09cb4d9dce14a64e60a45633f1a31ed3a2b125ee8 + name: perl-Object-HashBase + evr: 0.009-7.el9 + sourcerpm: perl-Object-HashBase-0.009-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Opcode-1.48-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 38619 + checksum: sha256:8921cf9c45fe52bdf72d725ad982918351bd816475592ea357eeb3bc5858abc8 + name: perl-Opcode + evr: 1.48-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-POSIX-1.94-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 98473 
@@ -494,6 +1201,13 @@ arches: name: perl-POSIX evr: 1.94-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Package-Generator-1.106-23.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 26822 + checksum: sha256:2c9b4699185c30d1da293add16911555e93b7532d77e59aa07e2c9c8d8eafcf3 + name: perl-Package-Generator + evr: 1.106-23.el9 + sourcerpm: perl-Package-Generator-1.106-23.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Params-Check-0.38-461.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 24764 @@ -501,6 +1215,13 @@ arches: name: perl-Params-Check evr: 1:0.38-461.el9 sourcerpm: perl-Params-Check-0.38-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Params-Util-1.102-5.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 38351 + checksum: sha256:de0b607392a3994f5b3e5a01a8912d15e7b9a1a069f83695fb2e1372cfa6e84b + name: perl-Params-Util + evr: 1.102-5.el9 + sourcerpm: perl-Params-Util-1.102-5.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-PathTools-3.78-461.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 94193 
@@ -508,6 +1229,27 @@ arches: name: perl-PathTools evr: 3.78-461.el9 sourcerpm: perl-PathTools-3.78-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Perl-OSType-1.010-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 26284 + checksum: sha256:64f37a98e22fce4ee9520da6db13ab601e21e34ac9d3ae7f85fc7a63761c492b + name: perl-Perl-OSType + evr: 1.010-461.el9 + sourcerpm: perl-Perl-OSType-1.010-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-PerlIO-via-QuotedPrint-0.09-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25566 + checksum: sha256:31d1284cda8a84f78574ae2380474412788de756613bcb11a85d68c94af9ba0b + name: perl-PerlIO-via-QuotedPrint + evr: 0.09-4.el9 + sourcerpm: perl-PerlIO-via-QuotedPrint-0.09-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Checker-1.74-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 35171 + checksum: sha256:7410aed54bb1c0a18b7b0ec33b6067475383b557defdd295b48b3277229d31a1 + name: perl-Pod-Checker + evr: 4:1.74-4.el9 + sourcerpm: perl-Pod-Checker-1.74-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Escapes-1.07-460.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 22564 
@@ -515,6 +1257,20 @@ arches: name: perl-Pod-Escapes evr: 1:1.07-460.el9 sourcerpm: perl-Pod-Escapes-1.07-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Functions-1.13-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13990 + checksum: sha256:b843dc0a066b663fd00312a2355f0b512b84906a34bbeb1946bcfd9d0f85ce3d + name: perl-Pod-Functions + evr: 1.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Html-1.25-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 28371 + checksum: sha256:8275355aecc93d59cf27acfa23cc8567b5a9aff8dff0cc60a446f65643638464 + name: perl-Pod-Html + evr: 1.25-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Pod-Perldoc-3.28.01-461.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 93727 @@ -536,6 +1292,13 @@ arches: name: perl-Pod-Usage evr: 4:2.01-4.el9 sourcerpm: perl-Pod-Usage-2.01-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Safe-2.41-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25655 + checksum: sha256:6b4297166c836f624884960f3fd6627dab8238e8665fd660d7fb97287743a16d + name: perl-Safe + evr: 2.41-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Scalar-List-Utils-1.56-462.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 76007 
@@ -543,6 +1306,13 @@ arches: name: perl-Scalar-List-Utils evr: 4:1.56-462.el9 sourcerpm: perl-Scalar-List-Utils-1.56-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Search-Dict-1.07-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13596 + checksum: sha256:867c49e05a2766e22fd09d86b777dd3f97d36b40057f63f360b9f278549f521e + name: perl-Search-Dict + evr: 1.07-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-SelectSaver-1.02-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 12017 @@ -550,6 +1320,13 @@ arches: name: perl-SelectSaver evr: 1.02-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-SelfLoader-1.26-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 22204 + checksum: sha256:e8d612dcd47d9769dd1502b92ec7606c195273aa9d61ab13c7bc5e7a07359bb3 + name: perl-SelfLoader + evr: 1.26-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Socket-2.031-4.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 59192 
@@ -557,6 +1334,13 @@ arches: name: perl-Socket evr: 4:2.031-4.el9 sourcerpm: perl-Socket-2.031-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Software-License-0.103014-12.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 147494 + checksum: sha256:c225b78b513fc8b90a0b2b773fadcf65dd2defe2a147fca67c52971d2750f437 + name: perl-Software-License + evr: 0.103014-12.el9 + sourcerpm: perl-Software-License-0.103014-12.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Storable-3.21-460.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 96993 @@ -564,6 +1348,20 @@ arches: name: perl-Storable evr: 1:3.21-460.el9 sourcerpm: perl-Storable-3.21-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Sub-Exporter-0.987-27.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 78523 + checksum: sha256:4e2535cd4d456f91f346e6d690c9a22c4b2a01318f9a5b5f761e1170d815bed1 + name: perl-Sub-Exporter + evr: 0.987-27.el9 + sourcerpm: perl-Sub-Exporter-0.987-27.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Sub-Install-0.928-28.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25233 + checksum: sha256:4ce03d243d1331188c5a2b0e4103dad6b930ba36362cd353f0f3cd0998784e82 + name: perl-Sub-Install + evr: 0.928-28.el9 + sourcerpm: perl-Sub-Install-0.928-28.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Symbol-1.08-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 14535 
@@ -571,6 +1369,20 @@ arches: name: perl-Symbol evr: 1.08-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Sys-Hostname-1.23-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18963 + checksum: sha256:89f77debc0ecc1e6c6cab78a5d83dc4d2ec6a4e8e5f728fbbfb058ede3c6a47f + name: perl-Sys-Hostname + evr: 1.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Sys-Syslog-0.36-461.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 52359 + checksum: sha256:359472155f87f9205f820d217dcc01d94ac711b8a39e9b2700968baefff5831a + name: perl-Sys-Syslog + evr: 0.36-461.el9 + sourcerpm: perl-Sys-Syslog-0.36-461.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-ANSIColor-5.01-461.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 52228 
@@ -585,6 +1397,97 @@ arches: name: perl-Term-Cap evr: 1.17-460.el9 sourcerpm: perl-Term-Cap-1.17-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-Complete-1.403-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13574 + checksum: sha256:1d500a1e9dad3d67fff08ac6a7219152a9082f7a92893cfb653171ab198f5e79 + name: perl-Term-Complete + evr: 1.403-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-ReadLine-1.17-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 19755 + checksum: sha256:2cc16944420d5b8a3318982fc063e4ea2f3d387e1a255d8d08a15f839d8204ff + name: perl-Term-ReadLine + evr: 1.17-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-Size-Any-0.002-35.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16309 + checksum: sha256:e83c29bb60e3fdac1c7aa5d3cde8a6b237812a14fe8f711bf6e127ed96d929a4 + name: perl-Term-Size-Any + evr: 0.002-35.el9 + sourcerpm: perl-Term-Size-Any-0.002-35.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-Size-Perl-0.031-12.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 25151 + checksum: sha256:36cf80e9d0e6be56c32c5aaf0e6633e45033540fd790d65748924d10d01f6743 + name: perl-Term-Size-Perl + evr: 0.031-12.el9 + sourcerpm: perl-Term-Size-Perl-0.031-12.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Term-Table-0.015-8.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 40852 + checksum: sha256:3e0c26e1b0e31d17cc133829ad8d6e22c86e532e9b6a3c26f48b7ec447bdfbb4 + name: perl-Term-Table + evr: 0.015-8.el9 + sourcerpm: perl-Term-Table-0.015-8.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-TermReadKey-2.38-11.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 40133 + checksum: sha256:4a052241c855f5cb09d3661f3bf794df2a6170c3ce7f1f89ed64d868a5687599 + name: perl-TermReadKey + evr: 2.38-11.el9 + sourcerpm: perl-TermReadKey-2.38-11.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Test-1.31-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 29295 + checksum: sha256:5c8c76bc8d054ae19574fb973541cedf9e56f92c79424a86219e4c1eb65b3227 + name: perl-Test + evr: 1.31-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Test-Harness-3.42-461.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 306138 + checksum: sha256:7980ae9e28aed0aadef4f169e8479812a2a6bacf05ee53001f63d021b065fe40 + name: perl-Test-Harness + evr: 1:3.42-461.el9 + sourcerpm: perl-Test-Harness-3.42-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Test-Simple-1.302183-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 645034 + checksum: sha256:04ae40e07d57934e5dc3946fa638023ee76305dac04bed7813ed338b0a4c2ef2 + name: perl-Test-Simple + evr: 3:1.302183-4.el9 + sourcerpm: perl-Test-Simple-1.302183-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-Abbrev-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12713 + checksum: sha256:b172427e49212833e48b699190ad0d34432c102478e869f4974a3f323d0fa375 + name: perl-Text-Abbrev + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-Balanced-2.04-4.el9.noarch.rpm + repoid: 
ubi-9-for-s390x-appstream-rpms + size: 51500 + checksum: sha256:67ff60f60b6dc900e840ed51ff3b1cabef9e43aa48cba81ad97ae9423bdca5af + name: perl-Text-Balanced + evr: 2.04-4.el9 + sourcerpm: perl-Text-Balanced-2.04-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-Diff-1.45-13.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 45523 + checksum: sha256:5141fc840dc2989b44df904df2cadfdc3b6b9d38a7e4dba2c2db3c14e3dbc060 + name: perl-Text-Diff + evr: 1.45-13.el9 + sourcerpm: perl-Text-Diff-1.45-13.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-Glob-0.11-15.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 15921 + checksum: sha256:079d5eb4a606a131eaeecfcbd7f7d39a21c9c49b97bd6b84f7d08986dd11dc59 + name: perl-Text-Glob + evr: 0.11-15.el9 + sourcerpm: perl-Text-Glob-0.11-15.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-ParseWords-3.30-460.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 18680 
@@ -599,6 +1502,69 @@ arches: name: perl-Text-Tabs+Wrap evr: 2013.0523-460.el9 sourcerpm: perl-Text-Tabs+Wrap-2013.0523-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Text-Template-1.59-5.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 64485 + checksum: sha256:3c7350777e9d26fe4c02d52e8c4d4e0643ee32f8abfb9e22fc28f5325702924e + name: perl-Text-Template + evr: 1.59-5.el9 + sourcerpm: perl-Text-Template-1.59-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Thread-3.05-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18516 + checksum: sha256:b1f3ce55b43fd98a9d445cc4bb522d60adcc3fa42944641448684d2f8c24077e + name: perl-Thread + evr: 3.05-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Thread-Queue-3.14-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24804 + checksum: sha256:88d838d681ad683970eb8566e8936faabffc3495dd1b555f083a1cd00538291a + name: perl-Thread-Queue + evr: 3.14-460.el9 + sourcerpm: perl-Thread-Queue-3.14-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Thread-Semaphore-2.13-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16298 + checksum: sha256:92f0836359ffea1017fce7dca7d4ca3555e42e38690c21dc92efdd9a6f6110b2 + name: perl-Thread-Semaphore + evr: 2.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Tie-4.6-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 34318 + checksum: sha256:90cd8a8c7c31137b4f7ed03b1533ab79f88d3c4977e2e795525d5e4ead55212a + name: perl-Tie + evr: 4.6-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Tie-File-1.06-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 44505 + checksum: sha256:20fb32eeec0d12f37716a9f955c64305ab14a2ca53b18def3268125b102f318d + name: perl-Tie-File + evr: 1.06-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Tie-Memoize-1.1-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14721 + checksum: sha256:dfec0d0452c982fa468f3e68ea24239ec9588b6202bb9fe4b1356780baeeca4f + name: perl-Tie-Memoize + evr: 1.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Tie-RefHash-1.40-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 26260 + checksum: sha256:5519a86c145d83a1633a127f7b0b6a371e6b2b8a647dabff45c2754388504a44 + name: perl-Tie-RefHash + evr: 1.40-4.el9 + sourcerpm: perl-Tie-RefHash-1.40-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Time-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 20249 + checksum: sha256:0f9b8228482876a79e8369500b750ea0047f2ac715fa40a41b794ef6026292f3 + name: perl-Time + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Time-HiRes-1.9764-462.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 61416 
@@ -613,6 +1579,13 @@ arches: name: perl-Time-Local evr: 2:1.300-7.el9 sourcerpm: perl-Time-Local-1.300-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Time-Piece-1.3401-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 43555 + checksum: sha256:191503dcd3d8f986c278048900877583e613060dbe93ee7a5f25ab4c5faa52f8 + name: perl-Time-Piece + evr: 1.3401-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-URI-5.09-3.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 128279 
@@ -620,6 +1593,55 @@ arches: name: perl-URI evr: 5.09-3.el9 sourcerpm: perl-URI-5.09-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Unicode-Collate-1.29-4.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 785136 + checksum: sha256:7b739d35506eae140b014f33d20db87bbd1d3d49f95002de5c07e3bab1a35f9e + name: perl-Unicode-Collate + evr: 1.29-4.el9 + sourcerpm: perl-Unicode-Collate-1.29-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Unicode-LineBreak-2019.001-11.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 130851 + checksum: sha256:101d364782f537de9fce7ad2cd0a253b642f0d729494dc5cc2a54d2adc784204 + name: perl-Unicode-LineBreak + evr: 2019.001-11.el9 + sourcerpm: perl-Unicode-LineBreak-2019.001-11.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Unicode-Normalize-1.27-461.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 96377 + checksum: sha256:be1da9f35d5c829879d150b3c8c025aec5d8255c6cf6301cf81555ece69a03ed + name: perl-Unicode-Normalize + evr: 1.27-461.el9 + sourcerpm: perl-Unicode-Normalize-1.27-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-Unicode-UCD-0.75-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 80630 + checksum: sha256:72dddc4fff3d829ab7b7e5f32dbc027f26f772ffa8f0274224b1cba1d47a778e + name: perl-Unicode-UCD + evr: 0.75-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-User-pwent-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 21758 + checksum: sha256:27f572e65b4e0b777c5fe567483f774b4e1c1200ec225e5d817c452812858842 + name: perl-User-pwent + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - 
url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-autodie-2.34-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 103286 + checksum: sha256:8c4a7c8fd5074801946cce0b0b2f47337036e7f64e4cb9c833d9cf1de1f14edc + name: perl-autodie + evr: 2.34-4.el9 + sourcerpm: perl-autodie-2.34-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-autouse-1.11-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14134 + checksum: sha256:b165ef7e5bb8a2b898bbe2b88fe35bc005ef77a5ccf006b055448dc9bed17040 + name: perl-autouse + evr: 1.11-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-base-2.27-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 16674 @@ -627,6 +1649,20 @@ arches: name: perl-base evr: 2.27-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-bignum-0.51-460.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 48635 + checksum: sha256:a25963adbb78901e2581a041252bfc96f55e534403e4af513d8728c62f0b4800 + name: perl-bignum + evr: 0.51-460.el9 + sourcerpm: perl-bignum-0.51-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-blib-1.07-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 12768 + checksum: sha256:de430b1a162b99600aa6e1def89526c266d7a45d2a0985888859098d06ef4f0e + name: perl-blib + evr: 1.07-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-constant-1.33-461.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 25865 
@@ -634,6 +1670,76 @@ arches: name: perl-constant evr: 1.33-461.el9 sourcerpm: perl-constant-1.33-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-debugger-1.56-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 138187 + checksum: sha256:98fe7aa5a1d244e7f61145396cdf6f9248c5f61416ba9bbd1e6cecd0800b52b5 + name: perl-debugger + evr: 1.56-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-deprecate-0.04-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14963 + checksum: sha256:4a233b89a6a942448705a26eaa555398d7bc64e710d8a78150f4a96b2207abc8 + name: perl-deprecate + evr: 0.04-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-devel-5.32.1-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 696446 + checksum: sha256:ff5769a02af6a412f659f3aa3b5ff08f6d7b8ad1222c078c00212e27c29f1ec2 + name: perl-devel + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-diagnostics-1.37-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 216999 + checksum: sha256:c5beafc6150251bb39d8bd19b30cc658b604603e9244aeccb9d747fae73fab5d + name: perl-diagnostics + evr: 1.37-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-doc-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 4804041 + checksum: sha256:a107369e340680c1229420021f9b9bf06699efceb6c31197fd870fccb2a12dd6 + name: perl-doc + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-encoding-3.00-462.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 65970 + checksum: sha256:d516419a247fecaae2d60fb6a80c4990e07353e463e06b70a0d2db1f64723c35 + name: perl-encoding + evr: 4:3.00-462.el9 + sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-encoding-warnings-0.13-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 17234 + checksum: sha256:4db8e5730e9135e68ee10c0d5f8ca2095cfc5f2b548febe6aad2caaba61d8921 + name: perl-encoding-warnings + evr: 0.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-experimental-0.022-6.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 24376 + checksum: sha256:ae48d202863aba2573c70d803a9931de4e3c4b0d3e4f2df561bcc1bf78dc7920 + name: perl-experimental + evr: 0.022-6.el9 + sourcerpm: perl-experimental-0.022-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-fields-2.27-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16577 + checksum: sha256:25f2bce872cdd91240c5a42b0ee6990db0b51bb51bdcee6fa441aa4889b9bd84 + name: perl-fields + evr: 2.27-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-filetest-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 15022 + checksum: sha256:3ba9775352bcb0aa76a6321ce582f028f23223743eecfdcd8458da05636f8436 + name: perl-filetest + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-if-0.60.800-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 14343 
@@ -641,6 +1747,13 @@ arches: name: perl-if evr: 0.60.800-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-inc-latest-0.500-20.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 27665 + checksum: sha256:22c41d7117656dfff8d52bc8e557e6f8d11d2b5ed377173f56037a2ac8bc9139 + name: perl-inc-latest + evr: 2:0.500-20.el9 + sourcerpm: perl-inc-latest-0.500-20.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-interpreter-5.32.1-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 74659 @@ -648,6 +1761,13 @@ arches: name: perl-interpreter evr: 4:5.32.1-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-less-0.03-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13545 + checksum: sha256:268da168b25a97a8be8c736217a60e12ea54b0a67261cf7dd8199297a3dd10e3 + name: perl-less + evr: 0.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-lib-0.65-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 15294 @@ -662,6 +1782,13 @@ arches: name: perl-libnet evr: 3.13-4.el9 sourcerpm: perl-libnet-3.13-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-libnetcfg-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16729 + checksum: sha256:c9e9bbf74d825bb623ae797f35b38d31ea03aede18900bcbe624bc95de2c389a + name: perl-libnetcfg + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-libs-5.32.1-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 2271578 
@@ -669,6 +1796,13 @@ arches: name: perl-libs evr: 4:5.32.1-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-local-lib-2.000024-13.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 73510 + checksum: sha256:c8f58afb9e8eb07bc57f92c384753ee4f4fec10fa7ec7c091ad9f15110a10026 + name: perl-local-lib + evr: 2.000024-13.el9 + sourcerpm: perl-local-lib-2.000024-13.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-locale-1.09-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 14021 @@ -676,6 +1810,20 @@ arches: name: perl-locale evr: 1.09-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-macros-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 10809 + checksum: sha256:4afe9e549dcaad11ec3f6ac2d89595b8d8ad37e305f4d70f7de2ec70d1f90ded + name: perl-macros + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-meta-notation-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 9810 + checksum: sha256:a6ce87fee7568af4803818fe9715c3253b5b6401e88c2b20bdc07eec9d664bd2 + name: perl-meta-notation + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-mro-1.23-481.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 29629 
@@ -683,6 +1831,13 @@ arches: name: perl-mro evr: 1.23-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-open-1.12-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16871 + checksum: sha256:52897741a5e6d526aa0de31438c48aa0f1f40c2fdd15720c4956e79e01830898 + name: perl-open + evr: 1.12-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-overload-1.31-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 46643 @@ -704,6 +1859,20 @@ arches: name: perl-parent evr: 1:0.238-460.el9 sourcerpm: perl-parent-0.238-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-perlfaq-5.20210520-1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 388755 + checksum: sha256:e5588c37edf2bb614ffb7526deb663bc406effb86492637b4c906c5fe06f0b98 + name: perl-perlfaq + evr: 5.20210520-1.el9 + sourcerpm: perl-perlfaq-5.20210520-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-ph-5.32.1-481.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 45114 + checksum: sha256:5b87f68d1b69bcad07390cf34d2496700f32808c2dd54399fd0d78ce5033bacf + name: perl-ph + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-podlators-4.14-460.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 121317 
@@ -711,6 +1880,27 @@ arches: name: perl-podlators evr: 1:4.14-460.el9 sourcerpm: perl-podlators-4.14-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-sigtrap-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 16091 + checksum: sha256:4c42029372306ee2cf559e3b4f899c2170d2088f26b66a0f29ac1d8cb66b5387 + name: perl-sigtrap + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-sort-2.04-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 13868 + checksum: sha256:f4aedfdb824193f1aa0f45ee092e2f887f3734065861a90b4e089a6e1f9cfab1 + name: perl-sort + evr: 2.04-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-srpm-macros-1-41.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 9639 + checksum: sha256:fa6a45cf7cb8b6f8a28ce85be31483eacc7b0b4c01d598123ec649867b67c8f4 + name: perl-srpm-macros + evr: 1-41.el9 + sourcerpm: perl-srpm-macros-1-41.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-subs-1.03-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 11986 
@@ -718,6 +1908,27 @@ arches: name: perl-subs evr: 1.03-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-threads-2.25-460.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 61664 + checksum: sha256:129a9239763d667a074133a62564a3ee0e0b16afafe049266083edd081df9e1c + name: perl-threads + evr: 1:2.25-460.el9 + sourcerpm: perl-threads-2.25-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-threads-shared-1.61-460.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 47922 + checksum: sha256:83816aefd6d15b0c2b6efccadfa67ccf50832c6849d2664d5c2d84e01d7da75b + name: perl-threads-shared + evr: 1.61-460.el9 + sourcerpm: perl-threads-shared-1.61-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-utils-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 58445 + checksum: sha256:3af8e12fe87b871c3a4ed52188ff716b8d9b62030d8ecc2c019de7e4a65f2809 + name: perl-utils + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-vars-1.05-481.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 13347 
@@ -732,6 +1943,13 @@ arches: name: perl-version evr: 7:0.99.28-4.el9 sourcerpm: perl-version-0.99.28-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/perl-vmsish-1.04-481.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 14503 + checksum: sha256:e27e656ae98a4d98e95a9bb6fdeaaae819bf692e8169d8a58ca2e0c564dfe3c9 + name: perl-vmsish + evr: 1.04-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/policycoreutils-python-utils-3.6-2.1.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 82931 
@@ -739,13 +1957,20 @@ arches: name: policycoreutils-python-utils evr: 3.6-2.1.el9 sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-audit-3.1.5-4.el9.s390x.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/pyproject-srpm-macros-1.16.2-1.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms - size: 86794 - checksum: sha256:86f2ff5d8522aef9565c6c7f7ec3804b6d3e8abe95341d8d4e97a4e625817d4b - name: python3-audit - evr: 3.1.5-4.el9 - sourcerpm: audit-3.1.5-4.el9.src.rpm + size: 14828 + checksum: sha256:1bec3715412a73295a9cd2cdbc147ebee0fe23b50f4146bddc08a5761ed3928d + name: pyproject-srpm-macros + evr: 1.16.2-1.el9 + sourcerpm: pyproject-rpm-macros-1.16.2-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python-srpm-macros-3.9-54.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 18705 + checksum: sha256:cc14196e07f9c6383f5bdf2c1171e7d41256326324c4a03c98d62d81413f3fb3 + name: python-srpm-macros + evr: 3.9-54.el9 + sourcerpm: python-rpm-macros-3.9-54.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-distro-1.5.0-7.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 41452 
@@ -753,20 +1978,6 @@ arches: name: python3-distro evr: 1.5.0-7.el9 sourcerpm: python-distro-1.5.0-7.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-libselinux-3.6-3.el9.s390x.rpm - repoid: ubi-9-for-s390x-appstream-rpms - size: 190360 - checksum: sha256:9b63e1e8127bef69a37c2486fec1b7be29c1719dd8f23b92ca88abae7a9d466b - name: python3-libselinux - evr: 3.6-3.el9 - sourcerpm: libselinux-3.6-3.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-libsemanage-3.6-5.el9_6.s390x.rpm - repoid: ubi-9-for-s390x-appstream-rpms - size: 82324 - checksum: sha256:e02938adb70a3b7533980c3f0b39b06b3d2e5fb51066e3aabb81ebd041a58253 - name: python3-libsemanage - evr: 3.6-5.el9_6 - sourcerpm: libsemanage-3.6-5.el9_6.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/p/python3-policycoreutils-3.6-2.1.el9.noarch.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 2216589 
@@ -774,6 +1985,20 @@ arches: name: python3-policycoreutils evr: 3.6-2.1.el9 sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/q/qt5-srpm-macros-5.15.9-1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 9344 + checksum: sha256:1dbb5db859d110aa275cbacd07e2576dcbe321ab0803f04d85dc3fa1a203ef10 + name: qt5-srpm-macros + evr: 5.15.9-1.el9 + sourcerpm: qt5-5.15.9-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/r/redhat-rpm-config-209-1.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 77658 + checksum: sha256:a9e214f1085628ce546a11eebab20e0fc769bf15208bb12b947efa109b1d4dd7 + name: redhat-rpm-config + evr: 209-1.el9 + sourcerpm: redhat-rpm-config-209-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/r/rust-1.84.1-1.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 33187606 @@ -781,6 +2006,13 @@ arches: name: rust evr: 1.84.1-1.el9 sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/r/rust-srpm-macros-17-4.el9.noarch.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 11243 + checksum: sha256:8e91d6d5122b9effe0e3539ef0d55e57c4b3eff68544e46a413129cb961d5941 + name: rust-srpm-macros + evr: 17-4.el9 + sourcerpm: rust-srpm-macros-17-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/r/rust-std-static-1.84.1-1.el9.s390x.rpm repoid: ubi-9-for-s390x-appstream-rpms size: 41258551 
@@ -795,6 +2027,20 @@ arches: name: scl-utils evr: 1:2.0.3-4.el9 sourcerpm: scl-utils-2.0.3-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/s/sombok-2.4.0-16.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 51525 + checksum: sha256:1e6e424ba9e43a503c97d6c95c34e711450eb7f0ba92a560c3995b1d9cbae44a + name: sombok + evr: 2.4.0-16.el9 + sourcerpm: sombok-2.4.0-16.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/appstream/os/Packages/s/systemtap-sdt-devel-5.2-2.el9.s390x.rpm + repoid: ubi-9-for-s390x-appstream-rpms + size: 79111 + checksum: sha256:55a568bd100f7e693b0232ecf8225679af4ff7716f5319e392536a11f666fab6 + name: systemtap-sdt-devel + evr: 5.2-2.el9 + sourcerpm: systemtap-5.2-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/b/binutils-2.35.2-63.el9.s390x.rpm repoid: ubi-9-for-s390x-baseos-rpms size: 4761844 @@ -809,6 +2055,20 @@ arches: name: binutils-gold evr: 2.35.2-63.el9 sourcerpm: binutils-2.35.2-63.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/d/device-mapper-1.02.202-6.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 143587 + checksum: sha256:b1e91781c8931f038645c2dc8c661a9bfac2885418d954455d69e2e1a93e934e + name: device-mapper + evr: 9:1.02.202-6.el9 + sourcerpm: lvm2-2.03.28-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/d/device-mapper-libs-1.02.202-6.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 177606 + checksum: sha256:ceee03256200a2708ebb4ac5964080efb7f380f44955fef19cd9386f602c038b + name: device-mapper-libs + evr: 9:1.02.202-6.el9 + sourcerpm: lvm2-2.03.28-6.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/d/diffutils-3.7-12.el9.s390x.rpm repoid: ubi-9-for-s390x-baseos-rpms size: 410465 
@@ -816,13 +2076,6 @@ arches: name: diffutils evr: 3.7-12.el9 sourcerpm: diffutils-3.7-12.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/e/elfutils-debuginfod-client-0.192-5.el9.s390x.rpm - repoid: ubi-9-for-s390x-baseos-rpms - size: 47079 - checksum: sha256:04e1d2dda2356b469252a7b2324b3070ae52700bd9d86bbe58222f611eb1d83d - name: elfutils-debuginfod-client - evr: 0.192-5.el9 - sourcerpm: elfutils-0.192-5.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/e/environment-modules-5.3.0-1.el9.s390x.rpm repoid: ubi-9-for-s390x-baseos-rpms size: 605410 
@@ -830,6 +2083,48 @@ arches: name: environment-modules evr: 5.3.0-1.el9 sourcerpm: environment-modules-5.3.0-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/f/file-5.39-16.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 52878 + checksum: sha256:66c999a4e1fabdc8bf5202fa9e852a2e9fb371bcbc99fc5148091bfe4536f3d9 + name: file + evr: 5.39-16.el9 + sourcerpm: file-5.39-16.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/g/glibc-2.34-168.el9_6.19.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 1763997 + checksum: sha256:051da630ff1c7c366958d1efea9449cf96f07cb2996e9cfb3a58a610c1b6d42a + name: glibc + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/g/glibc-common-2.34-168.el9_6.19.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 315343 + checksum: sha256:ca1dbfb5fa50aa129f0a7ea4debb76bf93a41e801dbf8831bd1d0e173ea9a333 + name: glibc-common + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/g/glibc-gconv-extra-2.34-168.el9_6.19.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 1741558 + checksum: sha256:46736e82513b1d58f2516d9b52b4146a592669307d8310ba704c53e5a9023f9c + name: glibc-gconv-extra + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/g/glibc-langpack-en-2.34-168.el9_6.19.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 623848 + checksum: sha256:5f74d328dff1429e6e82bab4049a0e2ca17c56520a551c8fa7fe8b199b10611f + name: glibc-langpack-en + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/g/glibc-minimal-langpack-2.34-168.el9_6.19.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 19697 + checksum: sha256:7eccb539fbb83cb0568ba820c602908621a9e9e555dbe0f273d8e8eaa3a489da + name: glibc-minimal-langpack + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/g/groff-base-1.22.4-10.el9.s390x.rpm repoid: ubi-9-for-s390x-baseos-rpms size: 1100747 @@ -879,13 +2174,6 @@ arches: name: libpkgconf evr: 1.7.3-10.el9 sourcerpm: pkgconf-1.7.3-10.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/l/libselinux-utils-3.6-3.el9.s390x.rpm - repoid: ubi-9-for-s390x-baseos-rpms - size: 197292 - checksum: sha256:315c92b1796174b7c43dfec36440f8cba66e223cfbed922c6978a4bfe4983c6d - name: libselinux-utils - evr: 3.6-3.el9 - sourcerpm: libselinux-3.6-3.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/m/make-4.3-8.el9.s390x.rpm repoid: ubi-9-for-s390x-baseos-rpms size: 553451 @@ -956,6 +2244,13 @@ arches: name: tcl evr: 1:8.6.10-7.el9 sourcerpm: tcl-8.6.10-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/u/unzip-6.0-58.el9_5.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 185386 + checksum: sha256:b772da82fd038a447b98428d31ed3d3c3208a4c37960f5d2fadd0070df64d157 + name: unzip + evr: 6.0-58.el9_5 + sourcerpm: unzip-6.0-58.el9_5.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/v/vim-filesystem-8.2.2637-22.el9_6.noarch.rpm repoid: ubi-9-for-s390x-baseos-rpms size: 17723 
@@ -963,6 +2258,34 @@ arches: name: vim-filesystem evr: 2:8.2.2637-22.el9_6 sourcerpm: vim-8.2.2637-22.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/z/zip-3.0-35.el9.s390x.rpm + repoid: ubi-9-for-s390x-baseos-rpms + size: 276776 + checksum: sha256:ac9f81e15ac141940073706ed38e3efd1d2278642d80dbd2945b28f0e6ffae62 + name: zip + evr: 3.0-35.el9 + sourcerpm: zip-3.0-35.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/codeready-builder/os/Packages/d/device-mapper-devel-1.02.202-6.el9.s390x.rpm + repoid: codeready-builder-for-ubi-9-s390x-rpms + size: 44746 + checksum: sha256:c0d5b369adefe3760e88f3ec1e7726d25562272ed8b00f6fc3fe6a3fe65ffca1 + name: device-mapper-devel + evr: 9:1.02.202-6.el9 + sourcerpm: lvm2-2.03.28-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/codeready-builder/os/Packages/g/glibc-static-2.34-168.el9_6.19.s390x.rpm + repoid: codeready-builder-for-ubi-9-s390x-rpms + size: 1186955 + checksum: sha256:2d817b7453464dc866d70ca9c9a15372151634c81319fcfd363048159defb8cb + name: glibc-static + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/codeready-builder/os/Packages/l/libxcrypt-static-4.4.18-3.el9.s390x.rpm + repoid: codeready-builder-for-ubi-9-s390x-rpms + size: 106736 + checksum: sha256:c1b21e2c2dadba8339f04831ea075af70f0c3d04ecd1272d9b33ab340695e589 + name: libxcrypt-static + evr: 4.4.18-3.el9 + sourcerpm: libxcrypt-4.4.18-3.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/codeready-builder/os/Packages/m/meson-0.63.3-1.el9.noarch.rpm repoid: codeready-builder-for-ubi-9-s390x-rpms size: 1550746 
@@ -991,6 +2314,20 @@ arches: name: libomp-devel evr: 19.1.7-2.el9 sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/l/libselinux-devel-3.6-1.el9.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 167224 + checksum: sha256:88457c68a2be10ca0cf8afb6bdb07cec5eb5b639513f415290703499cda2216f + name: libselinux-devel + evr: 3.6-1.el9 + sourcerpm: libselinux-3.6-1.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/l/libsepol-devel-3.6-1.el9.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 52608 + checksum: sha256:faca9db6b005c1f8779696e7ad86fd02aaa7ff9a2f94d8eebc442268a0b5bebc + name: libsepol-devel + evr: 3.6-1.el9 + sourcerpm: libsepol-3.6-1.el9.src.rpm - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/p/protobuf-3.14.0-16.el9.s390x.rpm repoid: rhel-9-for-s390x-appstream-rpms size: 988184 
@@ -998,6 +2335,48 @@ arches: name: protobuf evr: 3.14.0-16.el9 sourcerpm: protobuf-3.14.0-16.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/p/python3-audit-3.1.5-1.el9.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 86479 + checksum: sha256:6576fa35ea5dc16df9ed98237e339694e3b4a196e27b0529553ba779a142d0d7 + name: python3-audit + evr: 3.1.5-1.el9 + sourcerpm: audit-3.1.5-1.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/p/python3-libselinux-3.6-1.el9.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 190855 + checksum: sha256:05e502adfdbb4b701ea91f03b98b9e52e8233ef74769ad151836276d7ef49044 + name: python3-libselinux + evr: 3.6-1.el9 + sourcerpm: libselinux-3.6-1.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/p/python3-libsemanage-3.6-2.1.el9_5.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 82751 + checksum: sha256:2287b678643c11bae079d8935e6928b585ed9aa3caf8d23dec9131e96615f92e + name: python3-libsemanage + evr: 3.6-2.1.el9_5 + sourcerpm: libsemanage-3.6-2.1.el9_5.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/appstream/os/Packages/s/systemd-devel-252-46.el9_5.3.s390x.rpm + repoid: rhel-9-for-s390x-appstream-rpms + size: 688179 + checksum: sha256:5e790a3a8dde81b2547701163fd7a1497680d6ca07d9f709938be090a4cbad59 + name: systemd-devel + evr: 252-46.el9_5.3 + sourcerpm: systemd-252-46.el9_5.3.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/os/Packages/e/elfutils-debuginfod-client-0.191-4.el9.s390x.rpm + repoid: rhel-9-for-s390x-baseos-rpms + size: 40103 + checksum: sha256:b1ec3a9997ad37b240f68a81468d7cc52d5e6585f19bf36c86378d3823998462 + name: elfutils-debuginfod-client + evr: 0.191-4.el9 + sourcerpm: elfutils-0.191-4.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/baseos/os/Packages/l/libselinux-utils-3.6-1.el9.s390x.rpm + repoid: 
rhel-9-for-s390x-baseos-rpms + size: 197252 + checksum: sha256:6172f1da939db3823defa499e1dbbd163c3800340b0f5d276da100b84066729e + name: libselinux-utils + evr: 3.6-1.el9 + sourcerpm: libselinux-3.6-1.el9.src.rpm - url: https://cdn.redhat.com/content/dist/rhel9/9/s390x/codeready-builder/os/Packages/j/json-c-devel-0.14-11.el9.s390x.rpm repoid: codeready-builder-for-rhel-9-s390x-rpms size: 52883 @@ -1035,6 +2414,13 @@ arches: module_metadata: [] - arch: x86_64 packages: + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/a/annobin-12.92-1.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 1106759 + checksum: sha256:3e28996cf349e045628002c66c1ff0bc3977f97e30dfe692f56211d64183d324 + name: annobin + evr: 12.92-1.el9 + sourcerpm: annobin-12.92-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cargo-1.84.1-1.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 8292467 @@ -1084,6 +2470,20 @@ arches: name: clang-tools-extra evr: 19.1.7-2.el9 sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cmake-3.26.5-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 9159462 + checksum: sha256:f553370cb02b87e7388697468256556e765b102c2fcb56be6bc250cb2351e8ad + name: cmake + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cmake-data-3.26.5-2.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 2488227 + checksum: sha256:84da65a7b8921f031d15903d91c5967022620f9e96b7493c8ab8024014755ee7 + name: cmake-data + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cmake-filesystem-3.26.5-2.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 23450 
@@ -1091,6 +2491,13 @@ arches: name: cmake-filesystem evr: 3.26.5-2.el9 sourcerpm: cmake-3.26.5-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/cmake-rpm-macros-3.26.5-2.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 12250 + checksum: sha256:1c74969c8a4f21851f5b89f25ac55c689b75bed1318d0435fc3a14a49c39d0e3 + name: cmake-rpm-macros + evr: 3.26.5-2.el9 + sourcerpm: cmake-3.26.5-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/c/compiler-rt-19.1.7-2.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 2740021 @@ -1105,6 +2512,20 @@ arches: name: cpp evr: 11.5.0-5.el9_5 sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/d/dwz-0.14-3.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 133177 + checksum: sha256:9b429a1abaadc0fd63cb0667ef5bc5ec4db4debc340f7f5742a9252dd8301a30 + name: dwz + evr: 0.14-3.el9 + sourcerpm: dwz-0.14-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/e/efi-srpm-macros-6-2.el9_0.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24452 + checksum: sha256:1a1fa7561f5cef960b36c6a796d8a6fb4af70511118dacbfd5f707181a6c02fe + name: efi-srpm-macros + evr: 6-2.el9_0 + sourcerpm: efi-rpm-macros-6-2.el9_0.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/e/emacs-filesystem-27.2-13.el9_6.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 9758 
@@ -1112,6 +2533,13 @@ arches: name: emacs-filesystem evr: 1:27.2-13.el9_6 sourcerpm: emacs-27.2-13.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/f/fonts-srpm-macros-2.0.5-7.el9.1.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 30140 + checksum: sha256:f8c6aaa6af574698f6d1a7eb8e7f6ed725e4366dc14553bc816f5aa305675367 + name: fonts-srpm-macros + evr: 1:2.0.5-7.el9.1 + sourcerpm: fonts-rpm-macros-2.0.5-7.el9.1.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-11.5.0-5.el9_5.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 34006000 @@ -1126,6 +2554,13 @@ arches: name: gcc-c++ evr: 11.5.0-5.el9_5 sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-plugin-annobin-11.5.0-5.el9_5.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 42533 + checksum: sha256:9af134e5b2e2fae5a0b33253abdad68c0cb854f14e2668853c9b42e00c098a5a + name: gcc-plugin-annobin + evr: 11.5.0-5.el9_5 + sourcerpm: gcc-11.5.0-5.el9_5.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/gcc-toolset-14-binutils-2.41-3.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 6705766 
@@ -1161,27 +2596,48 @@ arches: name: gcc-toolset-14-runtime evr: 14.0-1.el9 sourcerpm: gcc-toolset-14-14.0-1.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/glibc-devel-2.34-168.el9_6.14.x86_64.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/ghc-srpm-macros-1.5.0-6.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms - size: 35566 - checksum: sha256:1565ca914cb58037fc9f50af64be3a43d5ae854b5d30f01882eb06d57c44d52c + size: 9252 + checksum: sha256:80fb1c39b5d8c23352b8928332fa0794e679e054ffa3f04a34c2b18bb7e28c93 + name: ghc-srpm-macros + evr: 1.5.0-6.el9 + sourcerpm: ghc-srpm-macros-1.5.0-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/glibc-devel-2.34-168.el9_6.19.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35292 + checksum: sha256:af4689df30283c54a741414934d8955cb951ff7dace9d0b4b2715631a299d7d1 name: glibc-devel - evr: 2.34-168.el9_6.14 - sourcerpm: glibc-2.34-168.el9_6.14.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/glibc-headers-2.34-168.el9_6.14.x86_64.rpm + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/glibc-headers-2.34-168.el9_6.19.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms - size: 554474 - checksum: sha256:10579e7e1a0140841209c023fdb9034aae1b3723ab5807f6e6c61e8dd2dbffa7 + size: 554238 + checksum: sha256:a6772c8a603f5322b126bcd287932fccde7edf392ced7de2632bafbd43d1549e name: glibc-headers - evr: 2.34-168.el9_6.14 - sourcerpm: glibc-2.34-168.el9_6.14.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/k/kernel-headers-5.14.0-570.17.1.el9_6.x86_64.rpm + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/go-srpm-macros-3.6.0-10.el9_6.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 28143 + checksum: sha256:c1cbc05c812994c77b7f7bf80e76039c94d6ba887c9169228833e7e702aa095a + name: go-srpm-macros + evr: 3.6.0-10.el9_6 + sourcerpm: go-rpm-macros-3.6.0-10.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/k/kernel-headers-5.14.0-570.22.1.el9_6.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms - size: 3680573 - checksum: sha256:03dcb738b60220f6576812e7d4c7afdeb732b76d5d48b04c0603cce638b4ee9e + size: 3685565 + checksum: sha256:d25bdcc8e855c3bb18210fc4207cdd19a095421abced48c446a69238963d6d34 name: kernel-headers - evr: 5.14.0-570.17.1.el9_6 - sourcerpm: kernel-5.14.0-570.17.1.el9_6.src.rpm + evr: 5.14.0-570.22.1.el9_6 + sourcerpm: kernel-5.14.0-570.22.1.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/k/kernel-srpm-macros-1.0-13.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 17792 + checksum: sha256:7e891fa264fb538bf4a26aa94e91ff0c3084bf2613e2061dbb6f4f0c26856777 + name: kernel-srpm-macros + evr: 1.0-13.el9 + sourcerpm: kernel-srpm-macros-1.0-13.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libcurl-devel-7.76.1-31.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 1002994 
@@ -1189,6 +2645,13 @@ arches: name: libcurl-devel evr: 7.76.1-31.el9 sourcerpm: curl-7.76.1-31.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libdatrie-0.2.13-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35144 + checksum: sha256:21eb2f4481898f6de999b37c3dee2763ed6d530cf5a5147acad2da48871beae5 + name: libdatrie + evr: 0.2.13-4.el9 + sourcerpm: libdatrie-0.2.13-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libmpc-1.2.1-4.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 66075 @@ -1217,6 +2680,20 @@ arches: name: libstdc++-devel evr: 11.5.0-5.el9_5 sourcerpm: gcc-11.5.0-5.el9_5.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libthai-0.1.28-8.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 216254 + checksum: sha256:289d4e53a6d59ba84dffc9ad5f8312bf9c14dc7528556e1a0e94c71428ead7e1 + name: libthai + evr: 0.1.28-8.el9 + sourcerpm: libthai-0.1.28-8.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libuv-1.42.0-2.el9_4.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 154427 + checksum: sha256:e1fab39251239ccaad2fb4dbe6c55ec1ae60f76d4ae81582b06e6a58e30879b2 + name: libuv + evr: 1:1.42.0-2.el9_4 + sourcerpm: libuv-1.42.0-2.el9_4.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/libxcrypt-devel-4.4.18-3.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 33101 
@@ -1224,6 +2701,13 @@ arches: name: libxcrypt-devel evr: 4.4.18-3.el9 sourcerpm: libxcrypt-4.4.18-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/llvm-19.1.7-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 21907619 + checksum: sha256:f0b5ab76a70b0a497aa301abcf9921fd2fad4d31f263cff8d50103444fcf01cf + name: llvm + evr: 19.1.7-2.el9 + sourcerpm: llvm-19.1.7-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/llvm-libs-19.1.7-2.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 30399454 
@@ -1231,6 +2715,27 @@ arches: name: llvm-libs evr: 19.1.7-2.el9 sourcerpm: llvm-19.1.7-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/l/lua-srpm-macros-1-6.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 10476 + checksum: sha256:64946edfd54f7d4668f7fdcb7be961ceaca8cff7d0bef438bef4e2498ccf3cd6 + name: lua-srpm-macros + evr: 1-6.el9 + sourcerpm: lua-rpm-macros-1-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/o/ocaml-srpm-macros-6-6.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 9270 + checksum: sha256:783710ad3710e594275fb23d280f030a68279927ca82ce38787f4c93971eaa88 + name: ocaml-srpm-macros + evr: 6-6.el9 + sourcerpm: ocaml-srpm-macros-6-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/o/openblas-srpm-macros-2-11.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 8807 + checksum: sha256:091911db0712bfe9b03952046191438bdd9b1080558e0c1014611d39aa80571d + name: openblas-srpm-macros + evr: 2-11.el9 + sourcerpm: openblas-srpm-macros-2-11.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/o/openssl-devel-3.2.2-6.el9_5.1.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 4650823 
@@ -1238,6 +2743,62 @@ arches: name: openssl-devel evr: 1:3.2.2-6.el9_5.1 sourcerpm: openssl-3.2.2-6.el9_5.1.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/pcre2-devel-10.40-6.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 528624 + checksum: sha256:f2fa0c49019f12b9c01986c1d05ffc83863ac7b47b8e348d6357e7fbdf3b17e3 + name: pcre2-devel + evr: 10.40-6.el9 + sourcerpm: pcre2-10.40-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/pcre2-utf16-10.40-6.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 220256 + checksum: sha256:935664188bce50473e3c148fc9d71167d3881fc2de9ccc99394c03d00e8ff5b3 + name: pcre2-utf16 + evr: 10.40-6.el9 + sourcerpm: pcre2-10.40-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/pcre2-utf32-10.40-6.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 209174 + checksum: sha256:d50fc56a1e9710b3374826c82044d4624b6c5949db0178d5774f575a5fcd6934 + name: pcre2-utf32 + evr: 10.40-6.el9 + sourcerpm: pcre2-10.40-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-5.32.1-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 12557 + checksum: sha256:1c5f769a69ef07a81af53d662894591c35b979c33ab8144f09302146b922ee03 + name: perl + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Algorithm-Diff-1.2010-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 52041 + checksum: sha256:3d252e247a41978a10faef66931ac5fb2525c7fa708d8caa537d368ef5ba62ce + name: perl-Algorithm-Diff + evr: 1.2010-4.el9 + sourcerpm: perl-Algorithm-Diff-1.2010-4.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Archive-Tar-2.38-6.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 77744 + checksum: sha256:5cf97230d350543cdf34f379dc04e1383f89591ad76768b5a2738b474cdec404 + name: perl-Archive-Tar + evr: 2.38-6.el9 + sourcerpm: perl-Archive-Tar-2.38-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Archive-Zip-1.68-6.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 118766 + checksum: sha256:2237a7cdfa30cda2ad475cb6ee5796f1e4cafa07e8760e08bca8d252cd6eb51d + name: perl-Archive-Zip + evr: 1.68-6.el9 + sourcerpm: perl-Archive-Zip-1.68-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Attribute-Handlers-1.01-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 28435 + checksum: sha256:03d4f6339d78bf32658aa68b713e15a01ff544e88a7565e8ee595e053b6ec8ea + name: perl-Attribute-Handlers + evr: 1.01-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-AutoLoader-5.74-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 21821 @@ -1245,6 +2806,13 @@ arches: name: perl-AutoLoader evr: 5.74-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-AutoSplit-5.74-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 22186 + checksum: sha256:d962ffc07516d9f0ed0d9a5c21e16677598afa8f10a40c6555ae9a35e6a2d43b + name: perl-AutoSplit + evr: 5.74-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-B-1.80-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 188182 
@@ -1252,6 +2820,48 @@ arches: name: perl-B evr: 1.80-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Benchmark-1.23-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 27531 + checksum: sha256:b19c10012210bfdd3566986e4222cd94183e56e496d3e2ddf03743c45689818b + name: perl-Benchmark + evr: 1.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-CPAN-2.29-5.el9_6.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 589480 + checksum: sha256:a46e7bb747f0b5dc26d8eda788b98492576048f5df271d070c35118f8d980b9d + name: perl-CPAN + evr: 2.29-5.el9_6 + sourcerpm: perl-CPAN-2.29-5.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-CPAN-DistnameInfo-0.12-23.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 17060 + checksum: sha256:35687783ded44b01c37af59f66499b42e10df074c36608fc3f84bd4ae082c852 + name: perl-CPAN-DistnameInfo + evr: 0.12-23.el9 + sourcerpm: perl-CPAN-DistnameInfo-0.12-23.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-CPAN-Meta-2.150010-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 210745 + checksum: sha256:ec35026baabe720d7c880f896f84271f0c408c56d3fea6d7c5d22580ac175690 + name: perl-CPAN-Meta + evr: 2.150010-460.el9 + sourcerpm: perl-CPAN-Meta-2.150010-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-CPAN-Meta-Requirements-2.140-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35205 + checksum: sha256:eca17976f76fd8d31eda995a9ced2d813c1c94b9efafa1a83454fb120be62784 + name: perl-CPAN-Meta-Requirements + evr: 2.140-461.el9 + sourcerpm: perl-CPAN-Meta-Requirements-2.140-461.el9.src.rpm 
+ - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-CPAN-Meta-YAML-0.018-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 29542 + checksum: sha256:b21eb298e56bc6623257cae1434198789e80ab92b818af4e29514a7bbc6f5910 + name: perl-CPAN-Meta-YAML + evr: 0.018-461.el9 + sourcerpm: perl-CPAN-Meta-YAML-0.018-461.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Carp-1.50-460.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 32039 
@@ -1266,6 +2876,62 @@ arches: name: perl-Class-Struct evr: 0.66-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Compress-Bzip2-2.28-5.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 75359 + checksum: sha256:ec290efc1b75d09f29bde0a52758ec46b959f8273a89f8118e062da98862c9d3 + name: perl-Compress-Bzip2 + evr: 2.28-5.el9 + sourcerpm: perl-Compress-Bzip2-2.28-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Compress-Raw-Bzip2-2.101-5.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 39060 + checksum: sha256:bcaa6bb1dc582507d04551f9aac3f7a049f26e48476b1b08184f2647466adde5 + name: perl-Compress-Raw-Bzip2 + evr: 2.101-5.el9 + sourcerpm: perl-Compress-Raw-Bzip2-2.101-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Compress-Raw-Lzma-2.101-3.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 55819 + checksum: sha256:da1dd21f15039f8c3c6e79f40b201a73d28fc11825c771dd51cc4a14972d4b23 + name: perl-Compress-Raw-Lzma + evr: 2.101-3.el9 + sourcerpm: perl-Compress-Raw-Lzma-2.101-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Compress-Raw-Zlib-2.101-5.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 65949 + checksum: sha256:c638818fb0baf3c36166b1d0a674fa63d58aeacaa9edd91b2519278b112f33b7 + name: perl-Compress-Raw-Zlib + evr: 2.101-5.el9 + sourcerpm: perl-Compress-Raw-Zlib-2.101-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Config-Extensions-0.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 12815 + checksum: sha256:840607ca387a3076f9ee0f40060f6a2b559779ec2a4647e073a5e24fc713e36f + name: perl-Config-Extensions + evr: 0.03-481.el9 
+ sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Config-Perl-V-0.33-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24943 + checksum: sha256:7ec321ecb6f37b6be09ad182cb66fdeee9f12138f75fc48858bde2177c358d1d + name: perl-Config-Perl-V + evr: 0.33-4.el9 + sourcerpm: perl-Config-Perl-V-0.33-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-DBM_Filter-0.06-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35000 + checksum: sha256:b5dbe5adabdd6602224ee8178743b4f34b80d585ab838cb3ad1f2cae99b0e9dc + name: perl-DBM_Filter + evr: 0.06-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-DB_File-1.855-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 86215 + checksum: sha256:8c99c19d93e32729c6eefa704e4a3f9dc08b2c693c525cc3717661aefccd18c8 + name: perl-DB_File + evr: 1.855-4.el9 + sourcerpm: perl-DB_File-1.855-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Data-Dumper-2.174-462.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 59910 
@@ -1273,6 +2939,48 @@ arches: name: perl-Data-Dumper evr: 2.174-462.el9 sourcerpm: perl-Data-Dumper-2.174-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Data-OptList-0.110-17.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 30694 + checksum: sha256:1455a3e90116f504008f8d27db57acb65c3389440dc6e2d605f54bf40b009a10 + name: perl-Data-OptList + evr: 0.110-17.el9 + sourcerpm: perl-Data-OptList-0.110-17.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Data-Section-0.200007-14.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 28030 + checksum: sha256:9fb57b4fbcfea93de114505082261abd97f576cf78e1a205c255d69d8eb6babf + name: perl-Data-Section + evr: 0.200007-14.el9 + sourcerpm: perl-Data-Section-0.200007-14.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Devel-PPPort-3.62-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 220678 + checksum: sha256:5edf31d2993a73056802f4281108e4636f33e5c7d5cb910cdb45996475baee73 + name: perl-Devel-PPPort + evr: 3.62-4.el9 + sourcerpm: perl-Devel-PPPort-3.62-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Devel-Peek-1.28-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 34594 + checksum: sha256:a135b356a365fb466f72e04f172d0aae507ca32508afffb1ae565b00f0e34968 + name: perl-Devel-Peek + evr: 1.28-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Devel-SelfStubber-1.06-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14932 + checksum: sha256:5b39f719f3e1da497d92b87d597269686925bf08006f8e2c1c92ec0bb8cd9482 + name: perl-Devel-SelfStubber + evr: 1.06-481.el9 + sourcerpm: 
perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Devel-Size-0.83-10.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35096 + checksum: sha256:84738fe6f546dae38e113c340c66f3b8adbd466328f22dc15ec481b793cdf922 + name: perl-Devel-Size + evr: 0.83-10.el9 + sourcerpm: perl-Devel-Size-0.83-10.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Digest-1.19-4.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 29409 
@@ -1287,6 +2995,41 @@ arches: name: perl-Digest-MD5 evr: 2.58-4.el9 sourcerpm: perl-Digest-MD5-2.58-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Digest-SHA-6.02-461.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 67580 + checksum: sha256:251519573b1785a2102bb235c3a3fea5f6d7b949176969eb0a0fcd69883df4a5 + name: perl-Digest-SHA + evr: 1:6.02-461.el9 + sourcerpm: perl-Digest-SHA-6.02-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Digest-SHA1-2.13-34.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 57553 + checksum: sha256:0f8d777e8c8cab429c3963c477ae16fa7233c568b88e309ee89478ce81b7b3d6 + name: perl-Digest-SHA1 + evr: 2.13-34.el9 + sourcerpm: perl-Digest-SHA1-2.13-34.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-DirHandle-1.05-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 12799 + checksum: sha256:b50fdd94649f82218308bd6d0ba5d6e20f658d6fc448aaa1327398443dfaefc7 + name: perl-DirHandle + evr: 1.05-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Dumpvalue-2.27-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18822 + checksum: sha256:60e541f90705e444171f50078c0f1137fcff5576124cbb729768a99386e2016d + name: perl-Dumpvalue + evr: 2.27-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-DynaLoader-1.47-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 26423 + checksum: sha256:f238e85f5fe854109793f966e7e36f14165979aee78fc2de39037b9f69ca3178 + name: perl-DynaLoader + evr: 1.47-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Encode-3.08-462.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 1802386 @@ -1294,6 +3037,34 @@ arches: name: perl-Encode evr: 4:3.08-462.el9 sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Encode-Locale-1.05-21.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 21500 + checksum: sha256:58afacf30f4a476f4ba6646a6419122d2a729bd59880611b631527502dcdc269 + name: perl-Encode-Locale + evr: 1.05-21.el9 + sourcerpm: perl-Encode-Locale-1.05-21.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Encode-devel-3.08-462.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 45176 + checksum: sha256:8c5dc8e93efddb8ad14fd0a98b1d076cf0b6912b4542a4d4ec6a136f0f1ea797 + name: perl-Encode-devel + evr: 4:3.08-462.el9 + sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-English-1.11-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13988 + checksum: sha256:51234583bb690fe57ac54a9efca0e4ab51e75f1ad6133e9e1b579b9f851b6575 + name: perl-English + evr: 1.11-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Env-1.04-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 22160 + checksum: sha256:92fb2287084a3c88a6b2d2bd300d1279251cec59156c1a9a3e0fa8fda6c546b2 + name: perl-Env + evr: 1.04-460.el9 + sourcerpm: perl-Env-1.04-460.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Errno-1.30-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 15331 
@@ -1308,6 +3079,41 @@ arches: name: perl-Exporter evr: 5.74-461.el9 sourcerpm: perl-Exporter-5.74-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-CBuilder-0.280236-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 54624 + checksum: sha256:1f03cdbebc6f7b1b877e170363ab4906d194aa5edbaee17df724ca7ffc972011 + name: perl-ExtUtils-CBuilder + evr: 1:0.280236-4.el9 + sourcerpm: perl-ExtUtils-CBuilder-0.280236-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-Command-7.60-3.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16489 + checksum: sha256:642338ff95d94e2c6e4b7de47cda7b772d1fbc204b2869925bd0326fcc4b0e26 + name: perl-ExtUtils-Command + evr: 2:7.60-3.el9 + sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-Constant-0.25-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 49788 + checksum: sha256:49aa4d69ad3bfbc05da33c2c88eb82815c76c7b605831012fbed054d9fe2ceb5 + name: perl-ExtUtils-Constant + evr: 0.25-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-Embed-1.35-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18371 + checksum: sha256:cfa0a13f9d7f2b99c40d17f77b03460ef765c5e046c69d46efe057e42d988f33 + name: perl-ExtUtils-Embed + evr: 1.35-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-Install-2.20-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 48441 + checksum: sha256:2533a1d97d45dc79c07cc51409c34f188c042757a2811b04dc16892ae2c7443e + name: perl-ExtUtils-Install + evr: 2.20-4.el9 + sourcerpm: 
perl-ExtUtils-Install-2.20-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-MM-Utils-7.60-3.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 14176 
@@ -1315,6 +3121,34 @@ arches: name: perl-ExtUtils-MM-Utils evr: 2:7.60-3.el9 sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-MakeMaker-7.60-3.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 311769 + checksum: sha256:2286e5004cb6436b7ac8dd436c91b4e1d36c18b9385d07a24fc167c930c9dee8 + name: perl-ExtUtils-MakeMaker + evr: 2:7.60-3.el9 + sourcerpm: perl-ExtUtils-MakeMaker-7.60-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-Manifest-1.73-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 37829 + checksum: sha256:f7cf7fd259fb8a6c27537dc98e1ed4923b26c2d8d8fd6b789e166ac104cac5bc + name: perl-ExtUtils-Manifest + evr: 1:1.73-4.el9 + sourcerpm: perl-ExtUtils-Manifest-1.73-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-Miniperl-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 15866 + checksum: sha256:15a90a1f4c0b11048633e996d9887b83db8a48031e1ba2560e72573c328c4cf5 + name: perl-ExtUtils-Miniperl + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ExtUtils-ParseXS-3.40-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 194711 + checksum: sha256:bb7e4bcfe24371bbe202a9fa704360a7bbc5d9f4103ec36e6e571da6eb76a186 + name: perl-ExtUtils-ParseXS + evr: 1:3.40-460.el9 + sourcerpm: perl-ExtUtils-ParseXS-3.40-460.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Fcntl-1.13-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 22098 
@@ -1343,6 +3177,20 @@ arches: name: perl-File-Copy evr: 2.34-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-DosGlob-1.12-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 21769 + checksum: sha256:28b3031b8b1d406e5e19d15ed59d0a1933d05e71ab397889d93c46f1c0e9e450 + name: perl-File-DosGlob + evr: 1.12-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Fetch-1.00-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 33372 + checksum: sha256:8c46735b0f703cd53fbaf915423b63baf98701d81406b30b84e42e53a0efbb6e + name: perl-File-Fetch + evr: 1.00-4.el9 + sourcerpm: perl-File-Fetch-1.00-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Find-1.37-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 26277 @@ -1350,6 +3198,13 @@ arches: name: perl-File-Find evr: 1.37-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-HomeDir-1.006-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 65857 + checksum: sha256:68f539b86abb7ab910286188ad3742f4338330f3246f6da07cb4ca5c83d8e80f + name: perl-File-HomeDir + evr: 1.006-4.el9 + sourcerpm: perl-File-HomeDir-1.006-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Path-2.18-4.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 38466 
@@ -1364,6 +3219,13 @@ arches: name: perl-File-Temp evr: 1:0.231.100-4.el9 sourcerpm: perl-File-Temp-0.231.100-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-Which-1.23-10.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24163 + checksum: sha256:80a41f9f823312dca2c9fed97f6568a88957572277b75920fb76f20a60902e7f + name: perl-File-Which + evr: 1.23-10.el9 + sourcerpm: perl-File-Which-1.23-10.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-File-stat-1.09-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 17853 @@ -1371,6 +3233,13 @@ arches: name: perl-File-stat evr: 1.09-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-FileCache-1.10-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 15108 + checksum: sha256:1da22e9c110f143c1dfbd827fefcac6ad514d6bedddb6d3d4152206e0abfc886 + name: perl-FileCache + evr: 1.10-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-FileHandle-2.03-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 15921 
@@ -1378,6 +3247,20 @@ arches: name: perl-FileHandle evr: 2.03-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Filter-1.60-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 97662 + checksum: sha256:f4fca2ffe54fa291963cfdb816ed4830f75b5be5f70964a73820e4736b242792 + name: perl-Filter + evr: 2:1.60-4.el9 + sourcerpm: perl-Filter-1.60-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Filter-Simple-0.96-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 29899 + checksum: sha256:080a1c4c16acddca179c0e2ab8120fe01e374bb86d0a950923a610e50fabfc00 + name: perl-Filter-Simple + evr: 0.96-460.el9 + sourcerpm: perl-Filter-Simple-0.96-460.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-FindBin-1.51-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 14336 @@ -1385,6 +3268,13 @@ arches: name: perl-FindBin evr: 1.51-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-GDBM_File-1.18-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24179 + checksum: sha256:ceaf8f3ae86e8fbf66b792512000219dd1bcac1df3992a72aa6c85e934388958 + name: perl-GDBM_File + evr: 1.18-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Getopt-Long-2.52-4.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 65144 
@@ -1406,6 +3296,27 @@ arches: name: perl-HTTP-Tiny evr: 0.076-462.el9 sourcerpm: perl-HTTP-Tiny-0.076-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Hash-Util-0.23-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 36417 + checksum: sha256:cab1ae23cc23573b1d6408c1e0ff06132639bcaf523dd53737ae3e534015c6a7 + name: perl-Hash-Util + evr: 0.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Hash-Util-FieldHash-1.20-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 40953 + checksum: sha256:b00cc5b1a6f8d3dba8ce93c582d596f4674fc6a30c640478c3896d10bafe7aea + name: perl-Hash-Util-FieldHash + evr: 1.20-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-I18N-Collate-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14785 + checksum: sha256:440007c7d78ddc63839ff9bfe8b82acbd939452f3ada8a1b34288aabd2865150 + name: perl-I18N-Collate + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-I18N-LangTags-0.44-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 57020 
@@ -1413,6 +3324,13 @@ arches: name: perl-I18N-LangTags evr: 0.44-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-I18N-Langinfo-0.19-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24714 + checksum: sha256:c528e99a34a1be0cd64de1ba8ccf0d3960e69b1f9ff9fce88116f34cdb64ad1f + name: perl-I18N-Langinfo + evr: 0.19-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-1.43-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 94663 @@ -1420,6 +3338,20 @@ arches: name: perl-IO evr: 1.43-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-Compress-2.102-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 280708 + checksum: sha256:ce8f2004395442fe663cb9efc56f9af2102c75d746f2ce393e40af8a26ac6871 + name: perl-IO-Compress + evr: 2.102-4.el9 + sourcerpm: perl-IO-Compress-2.102-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-Compress-Lzma-2.101-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 84153 + checksum: sha256:bda4c005c09e886ce2273a3f418f0cd92521ed0b8fdcdaca7b9fc0026f2a6c7b + name: perl-IO-Compress-Lzma + evr: 2.101-4.el9 + sourcerpm: perl-IO-Compress-Lzma-2.101-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-Socket-IP-0.41-5.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 46457 
@@ -1434,6 +3366,13 @@ arches: name: perl-IO-Socket-SSL evr: 2.073-2.el9 sourcerpm: perl-IO-Socket-SSL-2.073-2.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IO-Zlib-1.11-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 21809 + checksum: sha256:87d7b757a570fb53d72b2dd29558c2b4a8ff33196a80ad10f76999325acaec07 + name: perl-IO-Zlib + evr: 1:1.11-4.el9 + sourcerpm: perl-IO-Zlib-1.11-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IPC-Cmd-1.04-461.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 42803 
@@ -1448,6 +3387,34 @@ arches: name: perl-IPC-Open3 evr: 1.21-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IPC-SysV-2.09-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 48576 + checksum: sha256:134cb54df211888941ee8666bd96b9026c73202f4e56e6f664319627d2dbfee3 + name: perl-IPC-SysV + evr: 2.09-4.el9 + sourcerpm: perl-IPC-SysV-2.09-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-IPC-System-Simple-1.30-6.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 44255 + checksum: sha256:35792b1aa241cb17b881b1e44940bc295329a575a2a2d183757ef1d757062465 + name: perl-IPC-System-Simple + evr: 1.30-6.el9 + sourcerpm: perl-IPC-System-Simple-1.30-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Importer-0.026-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 42526 + checksum: sha256:1afb9008ad841ba4fc207af8ec814d06bd78e958cd2b03089c7b82c71a311060 + name: perl-Importer + evr: 0.026-4.el9 + sourcerpm: perl-Importer-0.026-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-JSON-PP-4.06-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 70596 + checksum: sha256:17f547d40976904eb59449f0cdec890e34632a28a083fc46157ac1c67e9e3494 + name: perl-JSON-PP + evr: 1:4.06-4.el9 + sourcerpm: perl-JSON-PP-4.06-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Locale-Maketext-1.29-461.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 101003 
@@ -1469,6 +3436,62 @@ arches: name: perl-MIME-Base64 evr: 3.16-4.el9 sourcerpm: perl-MIME-Base64-3.16-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-MIME-Charset-1.012.2-15.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 54488 + checksum: sha256:cf481c2178bc2a55c5b455749f38f4f96ee71f32dcf458c34d4f1bbcb996feca + name: perl-MIME-Charset + evr: 1.012.2-15.el9 + sourcerpm: perl-MIME-Charset-1.012.2-15.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-MRO-Compat-0.13-15.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 22804 + checksum: sha256:7921d8fd6d4dacdfb4a286fe4355516f20d660681abb49af9983f7527429e351 + name: perl-MRO-Compat + evr: 0.13-15.el9 + sourcerpm: perl-MRO-Compat-0.13-15.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Math-BigInt-1.9998.18-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 198900 + checksum: sha256:b90555cc3da95e314e931de2348d7c89da7c16023fb9399cdfbbcf9f1aeade7d + name: perl-Math-BigInt + evr: 1:1.9998.18-460.el9 + sourcerpm: perl-Math-BigInt-1.9998.18-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Math-BigInt-FastCalc-0.500.900-460.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 32582 + checksum: sha256:d09dc3590797f1d5a94baa1f24883e2a2f19b80cfa3276f3f8cec41d4ccd4d93 + name: perl-Math-BigInt-FastCalc + evr: 0.500.900-460.el9 + sourcerpm: perl-Math-BigInt-FastCalc-0.500.900-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Math-BigRat-0.2614-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 42414 + checksum: sha256:c31888896769451095c352ea97a1c88e2bbbc27d5bdc1e018dc8bae680967fb0 + name: perl-Math-BigRat + evr: 
0.2614-460.el9 + sourcerpm: perl-Math-BigRat-0.2614-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Math-Complex-1.59-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 48567 + checksum: sha256:f53531125d6df72f4b50be888b7c3352a4032a5207a7bad774a2658b46d4edad + name: perl-Math-Complex + evr: 1.59-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Memoize-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 61549 + checksum: sha256:8ca298bbaff33a951e338d0213560610bd06cf5a3783bb83c34318e9d91b5a72 + name: perl-Memoize + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Build-0.42.31-9.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 274094 + checksum: sha256:9e33e1a46048d262ebe06f98c6c7b1579cdf92db57b0bb4228d13883c232d82c + name: perl-Module-Build + evr: 2:0.42.31-9.el9 + sourcerpm: perl-Module-Build-0.42.31-9.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-CoreList-5.20240609-1.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 92615 
@@ -1476,6 +3499,13 @@ arches: name: perl-Module-CoreList evr: 1:5.20240609-1.el9 sourcerpm: perl-Module-CoreList-5.20240609-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-CoreList-tools-5.20240609-1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18135 + checksum: sha256:2df9f5a5329e94c19bab88ba530149a86438756c7404787b03745f711adf3368 + name: perl-Module-CoreList-tools + evr: 1:5.20240609-1.el9 + sourcerpm: perl-Module-CoreList-5.20240609-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Load-0.36-4.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 20052 @@ -1490,6 +3520,13 @@ arches: name: perl-Module-Load-Conditional evr: 0.74-4.el9 sourcerpm: perl-Module-Load-Conditional-0.74-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Loaded-0.08-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13935 + checksum: sha256:6651d40ae9a673262240d750f1b4236eb8db8f9a4a81ff3d529be1e65ea0a098 + name: perl-Module-Loaded + evr: 1:0.08-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Metadata-1.000037-460.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 39221 
@@ -1497,6 +3534,13 @@ arches: name: perl-Module-Metadata evr: 1.000037-460.el9 sourcerpm: perl-Module-Metadata-1.000037-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Module-Signature-0.88-1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 89282 + checksum: sha256:1a173631124cdb77ffa2cb11ceb8de813f6e4222e5bf9ae657947211480858e6 + name: perl-Module-Signature + evr: 0.88-1.el9 + sourcerpm: perl-Module-Signature-0.88-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Mozilla-CA-20200520-6.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 14781 
@@ -1511,6 +3555,27 @@ arches: name: perl-NDBM_File evr: 1.15-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-NEXT-0.67-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 21511 + checksum: sha256:85c96161deaf2161fbe1f0d6e46e57d78c5fb839301c94d0782f400066455326 + name: perl-NEXT + evr: 0.67-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Net-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 27619 + checksum: sha256:79168b438837b36fb8abd5184859651788604c116be0d271fa633276a69662a5 + name: perl-Net + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Net-Ping-2.74-5.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 53027 + checksum: sha256:fb74fb2651f62421538bb05992af5251887013a72c4412f5c2421992204c03bc + name: perl-Net-Ping + evr: 2.74-5.el9 + sourcerpm: perl-Net-Ping-2.74-5.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Net-SSLeay-1.94-1.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 428188 
@@ -1518,6 +3583,27 @@ arches: name: perl-Net-SSLeay evr: 1.94-1.el9 sourcerpm: perl-Net-SSLeay-1.94-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ODBM_File-1.16-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24218 + checksum: sha256:643142aad98f9ed20444345e9dd3a0864203e339ca3e2c27b8f54b06d1376924 + name: perl-ODBM_File + evr: 1.16-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Object-HashBase-0.009-7.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 28938 + checksum: sha256:2144d4c29ea4acfc0d872bf09cb4d9dce14a64e60a45633f1a31ed3a2b125ee8 + name: perl-Object-HashBase + evr: 0.009-7.el9 + sourcerpm: perl-Object-HashBase-0.009-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Opcode-1.48-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 38723 + checksum: sha256:cd4117212a4033a7f16c260cad82d7032385ccf8122168bfddf775991d4cdbac + name: perl-Opcode + evr: 1.48-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-POSIX-1.94-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 100044 
@@ -1525,6 +3611,13 @@ arches: name: perl-POSIX evr: 1.94-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Package-Generator-1.106-23.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 26822 + checksum: sha256:2c9b4699185c30d1da293add16911555e93b7532d77e59aa07e2c9c8d8eafcf3 + name: perl-Package-Generator + evr: 1.106-23.el9 + sourcerpm: perl-Package-Generator-1.106-23.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Params-Check-0.38-461.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 24764 @@ -1532,6 +3625,13 @@ arches: name: perl-Params-Check evr: 1:0.38-461.el9 sourcerpm: perl-Params-Check-0.38-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Params-Util-1.102-5.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 38828 + checksum: sha256:a0a38c672e520e1df5aefa9e5212e0fd5754e3e14f6a6e68b53aba5feb330e99 + name: perl-Params-Util + evr: 1.102-5.el9 + sourcerpm: perl-Params-Util-1.102-5.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-PathTools-3.78-461.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 94564 
@@ -1539,6 +3639,27 @@ arches: name: perl-PathTools evr: 3.78-461.el9 sourcerpm: perl-PathTools-3.78-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Perl-OSType-1.010-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 26284 + checksum: sha256:64f37a98e22fce4ee9520da6db13ab601e21e34ac9d3ae7f85fc7a63761c492b + name: perl-Perl-OSType + evr: 1.010-461.el9 + sourcerpm: perl-Perl-OSType-1.010-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-PerlIO-via-QuotedPrint-0.09-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25566 + checksum: sha256:31d1284cda8a84f78574ae2380474412788de756613bcb11a85d68c94af9ba0b + name: perl-PerlIO-via-QuotedPrint + evr: 0.09-4.el9 + sourcerpm: perl-PerlIO-via-QuotedPrint-0.09-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Checker-1.74-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 35171 + checksum: sha256:7410aed54bb1c0a18b7b0ec33b6067475383b557defdd295b48b3277229d31a1 + name: perl-Pod-Checker + evr: 4:1.74-4.el9 + sourcerpm: perl-Pod-Checker-1.74-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Escapes-1.07-460.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 22564 
@@ -1546,6 +3667,20 @@ arches: name: perl-Pod-Escapes evr: 1:1.07-460.el9 sourcerpm: perl-Pod-Escapes-1.07-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Functions-1.13-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13990 + checksum: sha256:b843dc0a066b663fd00312a2355f0b512b84906a34bbeb1946bcfd9d0f85ce3d + name: perl-Pod-Functions + evr: 1.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Html-1.25-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 28371 + checksum: sha256:8275355aecc93d59cf27acfa23cc8567b5a9aff8dff0cc60a446f65643638464 + name: perl-Pod-Html + evr: 1.25-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Pod-Perldoc-3.28.01-461.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 93727 @@ -1567,6 +3702,13 @@ arches: name: perl-Pod-Usage evr: 4:2.01-4.el9 sourcerpm: perl-Pod-Usage-2.01-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Safe-2.41-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25655 + checksum: sha256:6b4297166c836f624884960f3fd6627dab8238e8665fd660d7fb97287743a16d + name: perl-Safe + evr: 2.41-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Scalar-List-Utils-1.56-462.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 77262 
@@ -1574,6 +3716,13 @@ arches: name: perl-Scalar-List-Utils evr: 4:1.56-462.el9 sourcerpm: perl-Scalar-List-Utils-1.56-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Search-Dict-1.07-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13596 + checksum: sha256:867c49e05a2766e22fd09d86b777dd3f97d36b40057f63f360b9f278549f521e + name: perl-Search-Dict + evr: 1.07-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-SelectSaver-1.02-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 12017 @@ -1581,6 +3730,13 @@ arches: name: perl-SelectSaver evr: 1.02-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-SelfLoader-1.26-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 22204 + checksum: sha256:e8d612dcd47d9769dd1502b92ec7606c195273aa9d61ab13c7bc5e7a07359bb3 + name: perl-SelfLoader + evr: 1.26-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Socket-2.031-4.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 59776 
@@ -1588,6 +3744,13 @@ arches: name: perl-Socket evr: 4:2.031-4.el9 sourcerpm: perl-Socket-2.031-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Software-License-0.103014-12.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 147494 + checksum: sha256:c225b78b513fc8b90a0b2b773fadcf65dd2defe2a147fca67c52971d2750f437 + name: perl-Software-License + evr: 0.103014-12.el9 + sourcerpm: perl-Software-License-0.103014-12.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Storable-3.21-460.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 100335 @@ -1595,6 +3758,20 @@ arches: name: perl-Storable evr: 1:3.21-460.el9 sourcerpm: perl-Storable-3.21-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Sub-Exporter-0.987-27.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 78523 + checksum: sha256:4e2535cd4d456f91f346e6d690c9a22c4b2a01318f9a5b5f761e1170d815bed1 + name: perl-Sub-Exporter + evr: 0.987-27.el9 + sourcerpm: perl-Sub-Exporter-0.987-27.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Sub-Install-0.928-28.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25233 + checksum: sha256:4ce03d243d1331188c5a2b0e4103dad6b930ba36362cd353f0f3cd0998784e82 + name: perl-Sub-Install + evr: 0.928-28.el9 + sourcerpm: perl-Sub-Install-0.928-28.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Symbol-1.08-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 14535 
@@ -1602,6 +3779,20 @@ arches: name: perl-Symbol evr: 1.08-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Sys-Hostname-1.23-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 19159 + checksum: sha256:11c22454488c2605fa6ad0c190e81ed27b7b984d13eaed8cf22302135d9008a6 + name: perl-Sys-Hostname + evr: 1.23-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Sys-Syslog-0.36-461.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 52721 + checksum: sha256:b43b2f00357854a3bf0a15e1d41c0494083bc6550b50796b773f4a98ad126734 + name: perl-Sys-Syslog + evr: 0.36-461.el9 + sourcerpm: perl-Sys-Syslog-0.36-461.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-ANSIColor-5.01-461.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 52228 
@@ -1616,6 +3807,97 @@ arches: name: perl-Term-Cap evr: 1.17-460.el9 sourcerpm: perl-Term-Cap-1.17-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-Complete-1.403-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13574 + checksum: sha256:1d500a1e9dad3d67fff08ac6a7219152a9082f7a92893cfb653171ab198f5e79 + name: perl-Term-Complete + evr: 1.403-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-ReadLine-1.17-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 19755 + checksum: sha256:2cc16944420d5b8a3318982fc063e4ea2f3d387e1a255d8d08a15f839d8204ff + name: perl-Term-ReadLine + evr: 1.17-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-Size-Any-0.002-35.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16309 + checksum: sha256:e83c29bb60e3fdac1c7aa5d3cde8a6b237812a14fe8f711bf6e127ed96d929a4 + name: perl-Term-Size-Any + evr: 0.002-35.el9 + sourcerpm: perl-Term-Size-Any-0.002-35.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-Size-Perl-0.031-12.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 25188 + checksum: sha256:883408c5c76d852a64893986206330ca362ccbbd3535d5ad2fed94ee6e10473e + name: perl-Term-Size-Perl + evr: 0.031-12.el9 + sourcerpm: perl-Term-Size-Perl-0.031-12.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Term-Table-0.015-8.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 40852 + checksum: sha256:3e0c26e1b0e31d17cc133829ad8d6e22c86e532e9b6a3c26f48b7ec447bdfbb4 + name: perl-Term-Table + evr: 0.015-8.el9 + sourcerpm: perl-Term-Table-0.015-8.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-TermReadKey-2.38-11.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 41023 + checksum: sha256:5ff266e740a93344e1ce2913f4bec0f38cfdf721841e6762d85ac21d716ee9f8 + name: perl-TermReadKey + evr: 2.38-11.el9 + sourcerpm: perl-TermReadKey-2.38-11.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Test-1.31-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 29295 + checksum: sha256:5c8c76bc8d054ae19574fb973541cedf9e56f92c79424a86219e4c1eb65b3227 + name: perl-Test + evr: 1.31-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Test-Harness-3.42-461.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 306138 + checksum: sha256:7980ae9e28aed0aadef4f169e8479812a2a6bacf05ee53001f63d021b065fe40 + name: perl-Test-Harness + evr: 1:3.42-461.el9 + sourcerpm: perl-Test-Harness-3.42-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Test-Simple-1.302183-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 645034 + checksum: sha256:04ae40e07d57934e5dc3946fa638023ee76305dac04bed7813ed338b0a4c2ef2 + name: perl-Test-Simple + evr: 3:1.302183-4.el9 + sourcerpm: perl-Test-Simple-1.302183-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-Abbrev-1.02-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 12713 + checksum: sha256:b172427e49212833e48b699190ad0d34432c102478e869f4974a3f323d0fa375 + name: perl-Text-Abbrev + evr: 1.02-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-Balanced-2.04-4.el9.noarch.rpm + repoid: 
ubi-9-for-x86_64-appstream-rpms + size: 51500 + checksum: sha256:67ff60f60b6dc900e840ed51ff3b1cabef9e43aa48cba81ad97ae9423bdca5af + name: perl-Text-Balanced + evr: 2.04-4.el9 + sourcerpm: perl-Text-Balanced-2.04-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-Diff-1.45-13.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 45523 + checksum: sha256:5141fc840dc2989b44df904df2cadfdc3b6b9d38a7e4dba2c2db3c14e3dbc060 + name: perl-Text-Diff + evr: 1.45-13.el9 + sourcerpm: perl-Text-Diff-1.45-13.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-Glob-0.11-15.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 15921 + checksum: sha256:079d5eb4a606a131eaeecfcbd7f7d39a21c9c49b97bd6b84f7d08986dd11dc59 + name: perl-Text-Glob + evr: 0.11-15.el9 + sourcerpm: perl-Text-Glob-0.11-15.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-ParseWords-3.30-460.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 18680 
@@ -1630,6 +3912,69 @@ arches: name: perl-Text-Tabs+Wrap evr: 2013.0523-460.el9 sourcerpm: perl-Text-Tabs+Wrap-2013.0523-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Text-Template-1.59-5.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 64485 + checksum: sha256:3c7350777e9d26fe4c02d52e8c4d4e0643ee32f8abfb9e22fc28f5325702924e + name: perl-Text-Template + evr: 1.59-5.el9 + sourcerpm: perl-Text-Template-1.59-5.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Thread-3.05-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18516 + checksum: sha256:b1f3ce55b43fd98a9d445cc4bb522d60adcc3fa42944641448684d2f8c24077e + name: perl-Thread + evr: 3.05-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Thread-Queue-3.14-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24804 + checksum: sha256:88d838d681ad683970eb8566e8936faabffc3495dd1b555f083a1cd00538291a + name: perl-Thread-Queue + evr: 3.14-460.el9 + sourcerpm: perl-Thread-Queue-3.14-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Thread-Semaphore-2.13-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16298 + checksum: sha256:92f0836359ffea1017fce7dca7d4ca3555e42e38690c21dc92efdd9a6f6110b2 + name: perl-Thread-Semaphore + evr: 2.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Tie-4.6-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 34318 + checksum: sha256:90cd8a8c7c31137b4f7ed03b1533ab79f88d3c4977e2e795525d5e4ead55212a + name: perl-Tie + evr: 4.6-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Tie-File-1.06-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 44505 + checksum: sha256:20fb32eeec0d12f37716a9f955c64305ab14a2ca53b18def3268125b102f318d + name: perl-Tie-File + evr: 1.06-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Tie-Memoize-1.1-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14721 + checksum: sha256:dfec0d0452c982fa468f3e68ea24239ec9588b6202bb9fe4b1356780baeeca4f + name: perl-Tie-Memoize + evr: 1.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Tie-RefHash-1.40-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 26260 + checksum: sha256:5519a86c145d83a1633a127f7b0b6a371e6b2b8a647dabff45c2754388504a44 + name: perl-Tie-RefHash + evr: 1.40-4.el9 + sourcerpm: perl-Tie-RefHash-1.40-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Time-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 20249 + checksum: sha256:0f9b8228482876a79e8369500b750ea0047f2ac715fa40a41b794ef6026292f3 + name: perl-Time + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Time-HiRes-1.9764-462.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 62596 
@@ -1644,6 +3989,13 @@ arches: name: perl-Time-Local evr: 2:1.300-7.el9 sourcerpm: perl-Time-Local-1.300-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Time-Piece-1.3401-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 43751 + checksum: sha256:0842dc9ef3112e634b3e2b9863f86f5346c83a2472af0450ec89ab51f1daf07f + name: perl-Time-Piece + evr: 1.3401-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-URI-5.09-3.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 128279 
@@ -1651,6 +4003,55 @@ arches: name: perl-URI evr: 5.09-3.el9 sourcerpm: perl-URI-5.09-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Unicode-Collate-1.29-4.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 782467 + checksum: sha256:caf9c911bbe43ca8cae0cbda64acef1ad39ca30ca8d5d9bc9fb26979f5ed0b9d + name: perl-Unicode-Collate + evr: 1.29-4.el9 + sourcerpm: perl-Unicode-Collate-1.29-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Unicode-LineBreak-2019.001-11.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 132083 + checksum: sha256:64b6093e21079433c7d14f0b98a86e8bf032cc312abc1207f4415b8acb00f18b + name: perl-Unicode-LineBreak + evr: 2019.001-11.el9 + sourcerpm: perl-Unicode-LineBreak-2019.001-11.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Unicode-Normalize-1.27-461.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 96049 + checksum: sha256:9254f16bef6a0598320196378370728a4881557f5bfeca1ef864a0a25c93f4c0 + name: perl-Unicode-Normalize + evr: 1.27-461.el9 + sourcerpm: perl-Unicode-Normalize-1.27-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-Unicode-UCD-0.75-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 80630 + checksum: sha256:72dddc4fff3d829ab7b7e5f32dbc027f26f772ffa8f0274224b1cba1d47a778e + name: perl-Unicode-UCD + evr: 0.75-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-User-pwent-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 21758 + checksum: sha256:27f572e65b4e0b777c5fe567483f774b4e1c1200ec225e5d817c452812858842 + name: perl-User-pwent + evr: 1.03-481.el9 + sourcerpm: 
perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-autodie-2.34-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 103286 + checksum: sha256:8c4a7c8fd5074801946cce0b0b2f47337036e7f64e4cb9c833d9cf1de1f14edc + name: perl-autodie + evr: 2.34-4.el9 + sourcerpm: perl-autodie-2.34-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-autouse-1.11-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14134 + checksum: sha256:b165ef7e5bb8a2b898bbe2b88fe35bc005ef77a5ccf006b055448dc9bed17040 + name: perl-autouse + evr: 1.11-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-base-2.27-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 16674 @@ -1658,6 +4059,20 @@ arches: name: perl-base evr: 2.27-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-bignum-0.51-460.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 48635 + checksum: sha256:a25963adbb78901e2581a041252bfc96f55e534403e4af513d8728c62f0b4800 + name: perl-bignum + evr: 0.51-460.el9 + sourcerpm: perl-bignum-0.51-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-blib-1.07-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 12768 + checksum: sha256:de430b1a162b99600aa6e1def89526c266d7a45d2a0985888859098d06ef4f0e + name: perl-blib + evr: 1.07-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-constant-1.33-461.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 25865 
@@ -1665,6 +4080,76 @@ arches: name: perl-constant evr: 1.33-461.el9 sourcerpm: perl-constant-1.33-461.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-debugger-1.56-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 138187 + checksum: sha256:98fe7aa5a1d244e7f61145396cdf6f9248c5f61416ba9bbd1e6cecd0800b52b5 + name: perl-debugger + evr: 1.56-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-deprecate-0.04-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14963 + checksum: sha256:4a233b89a6a942448705a26eaa555398d7bc64e710d8a78150f4a96b2207abc8 + name: perl-deprecate + evr: 0.04-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-devel-5.32.1-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 696653 + checksum: sha256:101ee7c6e84689808d05333bcb20210e3efc45d148786f4658f729742c53a817 + name: perl-devel + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-diagnostics-1.37-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 216999 + checksum: sha256:c5beafc6150251bb39d8bd19b30cc658b604603e9244aeccb9d747fae73fab5d + name: perl-diagnostics + evr: 1.37-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-doc-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 4804041 + checksum: sha256:a107369e340680c1229420021f9b9bf06699efceb6c31197fd870fccb2a12dd6 + name: perl-doc + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-encoding-3.00-462.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 66000 + checksum: sha256:7c5ea804da141c742d05b6d6627481f05310a37e396a02af07e52877afcb534c + name: perl-encoding + evr: 4:3.00-462.el9 + sourcerpm: perl-Encode-3.08-462.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-encoding-warnings-0.13-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 17234 + checksum: sha256:4db8e5730e9135e68ee10c0d5f8ca2095cfc5f2b548febe6aad2caaba61d8921 + name: perl-encoding-warnings + evr: 0.13-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-experimental-0.022-6.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 24376 + checksum: sha256:ae48d202863aba2573c70d803a9931de4e3c4b0d3e4f2df561bcc1bf78dc7920 + name: perl-experimental + evr: 0.022-6.el9 + sourcerpm: perl-experimental-0.022-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-fields-2.27-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16577 + checksum: sha256:25f2bce872cdd91240c5a42b0ee6990db0b51bb51bdcee6fa441aa4889b9bd84 + name: perl-fields + evr: 2.27-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-filetest-1.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 15022 + checksum: sha256:3ba9775352bcb0aa76a6321ce582f028f23223743eecfdcd8458da05636f8436 + name: perl-filetest + evr: 1.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-if-0.60.800-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms 
size: 14343 @@ -1672,6 +4157,13 @@ arches: name: perl-if evr: 0.60.800-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-inc-latest-0.500-20.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 27665 + checksum: sha256:22c41d7117656dfff8d52bc8e557e6f8d11d2b5ed377173f56037a2ac8bc9139 + name: perl-inc-latest + evr: 2:0.500-20.el9 + sourcerpm: perl-inc-latest-0.500-20.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-interpreter-5.32.1-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 74840 @@ -1679,6 +4171,13 @@ arches: name: perl-interpreter evr: 4:5.32.1-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-less-0.03-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13545 + checksum: sha256:268da168b25a97a8be8c736217a60e12ea54b0a67261cf7dd8199297a3dd10e3 + name: perl-less + evr: 0.03-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-lib-0.65-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 15318 @@ -1693,6 +4192,13 @@ arches: name: perl-libnet evr: 3.13-4.el9 sourcerpm: perl-libnet-3.13-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-libnetcfg-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16729 + checksum: sha256:c9e9bbf74d825bb623ae797f35b38d31ea03aede18900bcbe624bc95de2c389a + name: perl-libnetcfg + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-libs-5.32.1-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 2303445 
@@ -1700,6 +4206,13 @@ arches: name: perl-libs evr: 4:5.32.1-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-local-lib-2.000024-13.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 73510 + checksum: sha256:c8f58afb9e8eb07bc57f92c384753ee4f4fec10fa7ec7c091ad9f15110a10026 + name: perl-local-lib + evr: 2.000024-13.el9 + sourcerpm: perl-local-lib-2.000024-13.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-locale-1.09-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 14021 @@ -1707,6 +4220,20 @@ arches: name: perl-locale evr: 1.09-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-macros-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 10809 + checksum: sha256:4afe9e549dcaad11ec3f6ac2d89595b8d8ad37e305f4d70f7de2ec70d1f90ded + name: perl-macros + evr: 4:5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-meta-notation-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 9810 + checksum: sha256:a6ce87fee7568af4803818fe9715c3253b5b6401e88c2b20bdc07eec9d664bd2 + name: perl-meta-notation + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-mro-1.23-481.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 30125 
@@ -1714,6 +4241,13 @@ arches: name: perl-mro evr: 1.23-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-open-1.12-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16871 + checksum: sha256:52897741a5e6d526aa0de31438c48aa0f1f40c2fdd15720c4956e79e01830898 + name: perl-open + evr: 1.12-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-overload-1.31-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 46643 @@ -1735,6 +4269,20 @@ arches: name: perl-parent evr: 1:0.238-460.el9 sourcerpm: perl-parent-0.238-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-perlfaq-5.20210520-1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 388755 + checksum: sha256:e5588c37edf2bb614ffb7526deb663bc406effb86492637b4c906c5fe06f0b98 + name: perl-perlfaq + evr: 5.20210520-1.el9 + sourcerpm: perl-perlfaq-5.20210520-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-ph-5.32.1-481.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 49514 + checksum: sha256:091fc89520aab20f245ac9554ffe25cf06691133832421199455b983537c3e06 + name: perl-ph + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-podlators-4.14-460.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 121317 
@@ -1742,6 +4290,27 @@ arches: name: perl-podlators evr: 1:4.14-460.el9 sourcerpm: perl-podlators-4.14-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-sigtrap-1.09-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 16091 + checksum: sha256:4c42029372306ee2cf559e3b4f899c2170d2088f26b66a0f29ac1d8cb66b5387 + name: perl-sigtrap + evr: 1.09-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-sort-2.04-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 13868 + checksum: sha256:f4aedfdb824193f1aa0f45ee092e2f887f3734065861a90b4e089a6e1f9cfab1 + name: perl-sort + evr: 2.04-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-srpm-macros-1-41.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 9639 + checksum: sha256:fa6a45cf7cb8b6f8a28ce85be31483eacc7b0b4c01d598123ec649867b67c8f4 + name: perl-srpm-macros + evr: 1-41.el9 + sourcerpm: perl-srpm-macros-1-41.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-subs-1.03-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 11986 
@@ -1749,6 +4318,27 @@ arches: name: perl-subs evr: 1.03-481.el9 sourcerpm: perl-5.32.1-481.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-threads-2.25-460.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 62702 + checksum: sha256:22546db61ccd2c69020c7ec3b04449b3589e1220dd3a02ad38e6d6c773ae126f + name: perl-threads + evr: 1:2.25-460.el9 + sourcerpm: perl-threads-2.25-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-threads-shared-1.61-460.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 48850 + checksum: sha256:3ee2cd37764da3452fbaa301f9bdf3ae1a2dba47b77cafb0ae5d31a10196b971 + name: perl-threads-shared + evr: 1.61-460.el9 + sourcerpm: perl-threads-shared-1.61-460.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-utils-5.32.1-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 58445 + checksum: sha256:3af8e12fe87b871c3a4ed52188ff716b8d9b62030d8ecc2c019de7e4a65f2809 + name: perl-utils + evr: 5.32.1-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-vars-1.05-481.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 13347 
@@ -1763,6 +4353,13 @@ arches: name: perl-version evr: 7:0.99.28-4.el9 sourcerpm: perl-version-0.99.28-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/perl-vmsish-1.04-481.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 14503 + checksum: sha256:e27e656ae98a4d98e95a9bb6fdeaaae819bf692e8169d8a58ca2e0c564dfe3c9 + name: perl-vmsish + evr: 1.04-481.el9 + sourcerpm: perl-5.32.1-481.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/policycoreutils-python-utils-3.6-2.1.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 82931 
@@ -1770,13 +4367,20 @@ arches: name: policycoreutils-python-utils evr: 3.6-2.1.el9 sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-audit-3.1.5-4.el9.x86_64.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/pyproject-srpm-macros-1.16.2-1.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms - size: 88009 - checksum: sha256:023ddd2c1dda3422bc1b067e562b39621eaefdf778efd0dae07fc144ba188fb5 - name: python3-audit - evr: 3.1.5-4.el9 - sourcerpm: audit-3.1.5-4.el9.src.rpm + size: 14828 + checksum: sha256:1bec3715412a73295a9cd2cdbc147ebee0fe23b50f4146bddc08a5761ed3928d + name: pyproject-srpm-macros + evr: 1.16.2-1.el9 + sourcerpm: pyproject-rpm-macros-1.16.2-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python-srpm-macros-3.9-54.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 18705 + checksum: sha256:cc14196e07f9c6383f5bdf2c1171e7d41256326324c4a03c98d62d81413f3fb3 + name: python-srpm-macros + evr: 3.9-54.el9 + sourcerpm: python-rpm-macros-3.9-54.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-distro-1.5.0-7.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 41452 
@@ -1784,20 +4388,6 @@ arches: name: python3-distro evr: 1.5.0-7.el9 sourcerpm: python-distro-1.5.0-7.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-libselinux-3.6-3.el9.x86_64.rpm - repoid: ubi-9-for-x86_64-appstream-rpms - size: 196472 - checksum: sha256:7af821a0ee7c7b56df79de25fe35cc2d0fd6f45df5c3bcec2c5e72d7378ba265 - name: python3-libselinux - evr: 3.6-3.el9 - sourcerpm: libselinux-3.6-3.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-libsemanage-3.6-5.el9_6.x86_64.rpm - repoid: ubi-9-for-x86_64-appstream-rpms - size: 82730 - checksum: sha256:8a17df19f0ff5dbb98fe608999cb2370983d8565658df01d0993b3028cbf28d6 - name: python3-libsemanage - evr: 3.6-5.el9_6 - sourcerpm: libsemanage-3.6-5.el9_6.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/p/python3-policycoreutils-3.6-2.1.el9.noarch.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 2216589 
@@ -1805,6 +4395,20 @@ arches: name: python3-policycoreutils evr: 3.6-2.1.el9 sourcerpm: policycoreutils-3.6-2.1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/q/qt5-srpm-macros-5.15.9-1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 9344 + checksum: sha256:1dbb5db859d110aa275cbacd07e2576dcbe321ab0803f04d85dc3fa1a203ef10 + name: qt5-srpm-macros + evr: 5.15.9-1.el9 + sourcerpm: qt5-5.15.9-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/r/redhat-rpm-config-209-1.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 77658 + checksum: sha256:a9e214f1085628ce546a11eebab20e0fc769bf15208bb12b947efa109b1d4dd7 + name: redhat-rpm-config + evr: 209-1.el9 + sourcerpm: redhat-rpm-config-209-1.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/r/rust-1.84.1-1.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 28050444 @@ -1812,6 +4416,13 @@ arches: name: rust evr: 1.84.1-1.el9 sourcerpm: rust-1.84.1-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/r/rust-srpm-macros-17-4.el9.noarch.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 11243 + checksum: sha256:8e91d6d5122b9effe0e3539ef0d55e57c4b3eff68544e46a413129cb961d5941 + name: rust-srpm-macros + evr: 17-4.el9 + sourcerpm: rust-srpm-macros-17-4.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/r/rust-std-static-1.84.1-1.el9.x86_64.rpm repoid: ubi-9-for-x86_64-appstream-rpms size: 41211472 
@@ -1826,6 +4437,20 @@ arches: name: scl-utils evr: 1:2.0.3-4.el9 sourcerpm: scl-utils-2.0.3-4.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/s/sombok-2.4.0-16.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 52190 + checksum: sha256:830082e28c0d9a2a1e055f0b01e460e5aa54336f57c2a6885a1f4c748f55fe11 + name: sombok + evr: 2.4.0-16.el9 + sourcerpm: sombok-2.4.0-16.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/s/systemtap-sdt-devel-5.2-2.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-appstream-rpms + size: 79141 + checksum: sha256:e02a565f7999c72dfb631838b52893942f63076997f276ccd4fefb6c4ccd46e0 + name: systemtap-sdt-devel + evr: 5.2-2.el9 + sourcerpm: systemtap-5.2-2.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/b/binutils-2.35.2-63.el9.x86_64.rpm repoid: ubi-9-for-x86_64-baseos-rpms size: 4818636 
@@ -1840,6 +4465,20 @@ arches: name: binutils-gold evr: 2.35.2-63.el9 sourcerpm: binutils-2.35.2-63.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/d/device-mapper-1.02.202-6.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 146604 + checksum: sha256:fef2c0542d2e66f9208e25c34f82e6735b8b3396cd46e5a2ac4c8f54e6c0c1df + name: device-mapper + evr: 9:1.02.202-6.el9 + sourcerpm: lvm2-2.03.28-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/d/device-mapper-libs-1.02.202-6.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 185301 + checksum: sha256:8b48aabdb24179ec8e28b1d5d8da85fc7ded64e30fc4367de3c455b895212626 + name: device-mapper-libs + evr: 9:1.02.202-6.el9 + sourcerpm: lvm2-2.03.28-6.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/d/diffutils-3.7-12.el9.x86_64.rpm repoid: ubi-9-for-x86_64-baseos-rpms size: 411559 @@ -1847,13 +4486,6 @@ arches: name: diffutils evr: 3.7-12.el9 sourcerpm: diffutils-3.7-12.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/e/elfutils-debuginfod-client-0.192-5.el9.x86_64.rpm - repoid: ubi-9-for-x86_64-baseos-rpms - size: 47282 - checksum: sha256:e5b1a7a9e1467bfe00913e9b22ba5665852f8c61900205a32d3043ace9e1c7c2 - name: elfutils-debuginfod-client - evr: 0.192-5.el9 - sourcerpm: elfutils-0.192-5.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/e/environment-modules-5.3.0-1.el9.x86_64.rpm repoid: ubi-9-for-x86_64-baseos-rpms size: 605644 
@@ -1861,6 +4493,48 @@ arches: name: environment-modules evr: 5.3.0-1.el9 sourcerpm: environment-modules-5.3.0-1.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/f/file-5.39-16.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 53222 + checksum: sha256:64f29bc71f9c26e6460abaff21d8e43738077cde4fbd6d1b96825a50ba0abd74 + name: file + evr: 5.39-16.el9 + sourcerpm: file-5.39-16.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/glibc-2.34-168.el9_6.19.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 2053633 + checksum: sha256:4037b95b7736a8ffd5c45327961fa1d76f7b81603b0409308a0d267329a3ec3d + name: glibc + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/glibc-common-2.34-168.el9_6.19.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 310722 + checksum: sha256:944abf13ff74e185182ed3831c9cea059d40c365b2d901757640afaa810a71d8 + name: glibc-common + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/glibc-gconv-extra-2.34-168.el9_6.19.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 1754220 + checksum: sha256:58655a175ca0441113749257ac099d6e5ed6097469ad3c5e6df530bc504570b4 + name: glibc-gconv-extra + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/glibc-langpack-en-2.34-168.el9_6.19.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 673009 + checksum: sha256:0cc92449b850548c57acde439dd06113fb50e0832d21dd9ad62a40ddccb04da8 + name: glibc-langpack-en + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: 
https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/glibc-minimal-langpack-2.34-168.el9_6.19.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 19725 + checksum: sha256:d2020520c34502da293ceec484a9fada3db81fe462bdb0081e1e412fccc873ab + name: glibc-minimal-langpack + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/g/groff-base-1.22.4-10.el9.x86_64.rpm repoid: ubi-9-for-x86_64-baseos-rpms size: 1133828 @@ -1910,13 +4584,6 @@ arches: name: libpkgconf evr: 1.7.3-10.el9 sourcerpm: pkgconf-1.7.3-10.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/l/libselinux-utils-3.6-3.el9.x86_64.rpm - repoid: ubi-9-for-x86_64-baseos-rpms - size: 198410 - checksum: sha256:e5d79885864cd5b2a307065b43ba1af1523ec7ac26eace2717c70ede1b6e4c56 - name: libselinux-utils - evr: 3.6-3.el9 - sourcerpm: libselinux-3.6-3.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/m/make-4.3-8.el9.x86_64.rpm repoid: ubi-9-for-x86_64-baseos-rpms size: 553896 @@ -1987,6 +4654,13 @@ arches: name: tcl evr: 1:8.6.10-7.el9 sourcerpm: tcl-8.6.10-7.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/u/unzip-6.0-58.el9_5.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 190785 + checksum: sha256:009698f3b4432b9df219fd2f894234aad1cee8c4e4e61384b4e293ef8e28e9c2 + name: unzip + evr: 6.0-58.el9_5 + sourcerpm: unzip-6.0-58.el9_5.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/v/vim-filesystem-8.2.2637-22.el9_6.noarch.rpm repoid: ubi-9-for-x86_64-baseos-rpms size: 17723 
@@ -1994,6 +4668,34 @@ arches: name: vim-filesystem evr: 2:8.2.2637-22.el9_6 sourcerpm: vim-8.2.2637-22.el9_6.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/z/zip-3.0-35.el9.x86_64.rpm + repoid: ubi-9-for-x86_64-baseos-rpms + size: 276200 + checksum: sha256:ef28011ba191f53260cebb1e42b0148ae65d9029940146699e802f501dba009c + name: zip + evr: 3.0-35.el9 + sourcerpm: zip-3.0-35.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/codeready-builder/os/Packages/d/device-mapper-devel-1.02.202-6.el9.x86_64.rpm + repoid: codeready-builder-for-ubi-9-x86_64-rpms + size: 44773 + checksum: sha256:272bbd4f92346692a8b0752ae2885ad671f7132065e0071a63683c1334a96c8c + name: device-mapper-devel + evr: 9:1.02.202-6.el9 + sourcerpm: lvm2-2.03.28-6.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/codeready-builder/os/Packages/g/glibc-static-2.34-168.el9_6.19.x86_64.rpm + repoid: codeready-builder-for-ubi-9-x86_64-rpms + size: 1512149 + checksum: sha256:6bf359e6f1b509c78e7e32cfc2c899b334c606a40cd04862a9a276f1c6b32d12 + name: glibc-static + evr: 2.34-168.el9_6.19 + sourcerpm: glibc-2.34-168.el9_6.19.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/codeready-builder/os/Packages/l/libxcrypt-static-4.4.18-3.el9.x86_64.rpm + repoid: codeready-builder-for-ubi-9-x86_64-rpms + size: 105711 + checksum: sha256:e2b914f5e136df3c90367dc222e9d893d0c34662f9f2d496b0cadd7d277c579a + name: libxcrypt-static + evr: 4.4.18-3.el9 + sourcerpm: libxcrypt-4.4.18-3.el9.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/codeready-builder/os/Packages/m/meson-0.63.3-1.el9.noarch.rpm repoid: codeready-builder-for-ubi-9-x86_64-rpms size: 1550746 
@@ -2008,6 +4710,20 @@ arches: name: ninja-build evr: 1.10.2-6.el9 sourcerpm: ninja-build-1.10.2-6.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/l/libselinux-devel-3.6-1.el9.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 167247 + checksum: sha256:44b774df2bbb010b4c0fffdfbe73061af0d4a4d6386f04027deab349c02f9ad3 + name: libselinux-devel + evr: 3.6-1.el9 + sourcerpm: libselinux-3.6-1.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/l/libsepol-devel-3.6-1.el9.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 52617 + checksum: sha256:3c9725a32552afb8244f619a94ff1c9eda80b883d1311b29df734ac18a7432fb + name: libsepol-devel + evr: 3.6-1.el9 + sourcerpm: libsepol-3.6-1.el9.src.rpm - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/p/protobuf-3.14.0-16.el9.x86_64.rpm repoid: rhel-9-for-x86_64-appstream-rpms size: 1057844 
@@ -2015,6 +4731,48 @@ arches: name: protobuf evr: 3.14.0-16.el9 sourcerpm: protobuf-3.14.0-16.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/p/python3-audit-3.1.5-1.el9.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 87632 + checksum: sha256:93dd7a77ab7c2bbc0b1ef7ec9714ea83018fbf0ce019bd65c2650c4abfbaad34 + name: python3-audit + evr: 3.1.5-1.el9 + sourcerpm: audit-3.1.5-1.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/p/python3-libselinux-3.6-1.el9.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 197070 + checksum: sha256:84aff2ff0c48ca4f5d77223db53a26a16c273b03a9674a2608e1db5d8cd32710 + name: python3-libselinux + evr: 3.6-1.el9 + sourcerpm: libselinux-3.6-1.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/p/python3-libsemanage-3.6-2.1.el9_5.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 82828 + checksum: sha256:b7f5d62cbb163b3c13f0db87e326dc3937d206b9c22732dc75de3b7fae32248e + name: python3-libsemanage + evr: 3.6-2.1.el9_5 + sourcerpm: libsemanage-3.6-2.1.el9_5.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/s/systemd-devel-252-46.el9_5.3.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 688213 + checksum: sha256:53099f82d23ed024c7ad6ec88f8131659190b20033208c9543f45d7ae9f9dc34 + name: systemd-devel + evr: 252-46.el9_5.3 + sourcerpm: systemd-252-46.el9_5.3.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/Packages/e/elfutils-debuginfod-client-0.191-4.el9.x86_64.rpm + repoid: rhel-9-for-x86_64-baseos-rpms + size: 39913 + checksum: sha256:9c26ab1eea196541d9cde34a96acbf8647746ccd0447ad353dec5ec4225826a5 + name: elfutils-debuginfod-client + evr: 0.191-4.el9 + sourcerpm: elfutils-0.191-4.el9.src.rpm + - url: 
https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/Packages/l/libselinux-utils-3.6-1.el9.x86_64.rpm + repoid: rhel-9-for-x86_64-baseos-rpms + size: 198772 + checksum: sha256:479229e7c3d8cb005dafd637b2973fbee0bb507cfed8e72f7076318513200abd + name: libselinux-utils + evr: 3.6-1.el9 + sourcerpm: libselinux-3.6-1.el9.src.rpm - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/os/Packages/j/json-c-devel-0.14-11.el9.x86_64.rpm repoid: codeready-builder-for-rhel-9-x86_64-rpms size: 52905 From edf609c1d1b2006ab504d40865c270abee2a7b48 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 21 Jun 2025 06:23:06 +0000 Subject: [PATCH 276/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .../docker-build-multi-platform-oci-ta.yaml | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.tekton/docker-build-multi-platform-oci-ta.yaml b/.tekton/docker-build-multi-platform-oci-ta.yaml index e4a91d4f37..d840207800 100644 --- a/.tekton/docker-build-multi-platform-oci-ta.yaml +++ b/.tekton/docker-build-multi-platform-oci-ta.yaml @@ -131,7 +131,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0fea1e4bd2fdde46c5b7786629f423a51e357f681c32ceddd744a6e3d48b8327 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0e512b12775b2bcc4eb47bb34b7a2db2e91c3ceef04b2f2487fa421032d8859a - name: kind value: task resolver: bundles 
@@ -210,7 +210,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:cfeeef2f4ab25b121afdf44eecc394ed67f3534a1bd14bef9e7beef2ee654b8e + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:28d8a4f7c1ff6e8bb09d89b06c7c8769093ac7e9325ad9edfe7b2d766f643b87 - name: kind value: task resolver: bundles @@ -240,7 +240,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:9c95b1fe17db091ae364344ba2006af46648e08486eef1f6fe1b9e3f10866875 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:3cf3dcc0bf7b674b940063b4d55e41fe7d43636a1d82572e3850228aa5350fa8 - name: kind value: task resolver: bundles @@ -264,7 +264,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:c5e56643c0f5e19409e86c8fd4de4348413b6f10456aa0875498d5c63bf6ef0e + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:f0784e8e0e396f40a6523693825b5966c3c615ba3d342350165e83cb72a24ef7 - name: kind value: task resolver: bundles @@ -291,7 +291,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:ecd33669676b3a193ff4c2c6223cb912cc1b0cf5cc36e080eaec7718500272cf + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:270a79138a98e43c366d3722978cb5940d2bcb822ba6b60377330f863b7a1e62 - name: kind value: task resolver: bundles 
@@ -313,7 +313,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:68a8fe28527c4469243119a449e2b3a6655f2acac589c069ea6433242da8ed4d + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d354939892f3a904223ec080cc3771bd11931085a5d202323ea491ee8e8c5e43 - name: kind value: task resolver: bundles @@ -333,7 +333,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:8a2d3ce9205df1f59f410529cb38134336e0a4b06ee1187b3229f26c80ecc5ba + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:95ca11d147ee97d98f495477e9f42afe94ba3f869fc81c4e7b241ebd21e7395f - name: kind value: task resolver: bundles @@ -359,7 +359,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:9a6ec5575f80668552d861e64414e736c85af772c272ca653a6fd1ec841d2627 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:e61f541189b30d14292ef8df36ccaf13f7feb2378fed5f74cb6293b3e79eb687 - name: kind value: task resolver: bundles @@ -382,7 +382,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:386c8c3395b44f6eb927dbad72382808b0ae42008f183064ca77cb4cad998442 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:9cab95ac9e833d77a63c079893258b73b8d5a298d93aaf9bdd6722471bc2f338 - name: kind value: task resolver: bundles 
@@ -427,7 +427,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:7c845b10d257b874f645ea30deeff3c1ce2b38e7b6e331564f32c8684f41b520 + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:dda889f85faa30eb18db4f195bc03428e8913afa14624552d2cb9f714c786dbf - name: kind value: task resolver: bundles @@ -449,7 +449,7 @@ spec: - name: name value: coverity-availability-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:8b58c4fae00c0dfe3937abfb8a9a61aa3c408cca4278b817db53d518428d944e + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 - name: kind value: task resolver: bundles @@ -475,7 +475,7 @@ spec: - name: name value: sast-shell-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:60a7ee6ec5d00920389f03befd328cdaa159b7122a94ff3c87da287e0f32420f + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:1e8f18f892e16f5d0fc0f42ae8512e3c78251d43cd9d9f7cfd3f6667242bf619 - name: kind value: task resolver: bundles @@ -500,7 +500,7 @@ spec: - name: name value: sast-unicode-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:9613b9037e4199495800c2054c13d0479e3335ec94e0f15f031a5bce844003a9 + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:24ad71fde435fc25abba2c4c550beb088b1530f738d3c377e2f635b5f320d57b - name: kind value: task resolver: bundles 
@@ -523,7 +523,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:0c411c27483849a936c0c420a57e477113e9fafc63077647200d6614d9ebb872 + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:517a51e260c0b59654a9d7b842e1ab07d76bce15ca7ce9c8fd2489a19be6463d - name: kind value: task resolver: bundles @@ -546,7 +546,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:d0ee13ab3d9564f7ee806a8ceaced934db493a3a40e11ff6db3a912b8bbace95 + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:5d8013b6a27bbc5e4ff261144616268f28417ed0950d583ef36349fcd59d3d3d - name: kind value: task resolver: bundles @@ -564,7 +564,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:ec7f6de651458e4a5842b145e761b0d86b03b52bec1515d6d8a1b8cf107af95c + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1b6c20ab3dbfb0972803d3ebcb2fa72642e59400c77bd66dfd82028bdd09e120 - name: kind value: task resolver: bundles From d1add04afb19817335b137594bb5415113a52bdd Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 22 Jun 2025 05:45:03 +0000 Subject: [PATCH 277/298] chore(deps): update module golang.org/x/crypto to v0.39.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 8 +++++--- rvps/cgo/go.sum | 17 ++++++++++++----- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index d79700194e..32cd9f60c5 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod 
@@ -1,12 +1,14 @@ module cgo -go 1.20 +go 1.23.0 + +toolchain go1.23.9 require github.com/in-toto/in-toto-golang v0.9.0 require ( github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - golang.org/x/crypto v0.31.0 // indirect - golang.org/x/sys v0.28.0 // indirect + golang.org/x/crypto v0.39.0 // indirect + golang.org/x/sys v0.33.0 // indirect ) diff --git a/rvps/cgo/go.sum b/rvps/cgo/go.sum index 77908c5d87..f7c532d332 100644 --- a/rvps/cgo/go.sum +++ b/rvps/cgo/go.sum 
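Review bot: The builder image's Go version needs checking against the new `go 1.23.0` and `toolchain go1.23.9` lines, because they raise the minimum toolchain for the whole rvps/cgo module, not just the indirect golang.org/x/crypto requirement. A toolchain older than 1.21 rejects these directives outright, and a newer one that is still below go1.23.9 will, under the default `GOTOOLCHAIN` setting, try to download the named toolchain. That download presumably cannot succeed in an offline or prefetch-only build. If the image already ships a suitable Go, a short comment above the directive would record the reason, for example `// raised from 1.20 by the golang.org/x/crypto v0.39.0 update; builder image must provide this toolchain`. The same directive change appears in the go.mod hunk of the following golang.org/x/sys patch (PATCH 278/298).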
@@ -1,17 +1,24 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= +github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU= github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= -golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= -golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= -golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= 
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= +golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= +golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= +golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From df638964e952066daa72d9463f44af1f97635cd4 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 22 Jun 2025 05:45:09 +0000 Subject: [PATCH 278/298] chore(deps): update module golang.org/x/sys to v0.33.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 6 ++++-- rvps/cgo/go.sum | 11 +++++++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index d79700194e..e2aa64f577 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod @@ -1,6 +1,8 @@ module cgo -go 1.20 +go 1.23.0 + +toolchain go1.23.9 require github.com/in-toto/in-toto-golang v0.9.0 @@ -8,5 +10,5 @@ require ( github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect golang.org/x/crypto v0.31.0 // indirect - golang.org/x/sys v0.28.0 // indirect + golang.org/x/sys v0.33.0 // indirect ) diff --git a/rvps/cgo/go.sum b/rvps/cgo/go.sum index 77908c5d87..7284b9103b 100644 --- a/rvps/cgo/go.sum +++ b/rvps/cgo/go.sum 
@@ -1,17 +1,24 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= +github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU= github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= -golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= -golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= +golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 
golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From 2dd5aecd9f7fd696af92e1a1fa638821251c5f7f Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Mon, 23 Jun 2025 12:36:58 +0100 Subject: [PATCH 279/298] Update digests Signed-off-by: Leonardo Milleri --- .../docker-build-multi-platform-oci-ta.yaml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.tekton/docker-build-multi-platform-oci-ta.yaml b/.tekton/docker-build-multi-platform-oci-ta.yaml index e4a91d4f37..9a5a54248c 100644 --- a/.tekton/docker-build-multi-platform-oci-ta.yaml +++ b/.tekton/docker-build-multi-platform-oci-ta.yaml @@ -131,7 +131,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0fea1e4bd2fdde46c5b7786629f423a51e357f681c32ceddd744a6e3d48b8327 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0e512b12775b2bcc4eb47bb34b7a2db2e91c3ceef04b2f2487fa421032d8859a - name: kind value: task resolver: bundles @@ -162,7 +162,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta@sha256:3db5d3a02bcbbc034080474c06bec8388bd6abc71606503ac4832f6890e71503 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta@sha256:d0cbc492da865be336d09926eb6e3494403dccaa4a212bbdf472d8adbf80ab08 - name: kind value: task resolver: bundles 
@@ -210,7 +210,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:cfeeef2f4ab25b121afdf44eecc394ed67f3534a1bd14bef9e7beef2ee654b8e + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:28d8a4f7c1ff6e8bb09d89b06c7c8769093ac7e9325ad9edfe7b2d766f643b87 - name: kind value: task resolver: bundles @@ -240,7 +240,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:9c95b1fe17db091ae364344ba2006af46648e08486eef1f6fe1b9e3f10866875 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:3cf3dcc0bf7b674b940063b4d55e41fe7d43636a1d82572e3850228aa5350fa8 - name: kind value: task resolver: bundles @@ -291,7 +291,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:ecd33669676b3a193ff4c2c6223cb912cc1b0cf5cc36e080eaec7718500272cf + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:270a79138a98e43c366d3722978cb5940d2bcb822ba6b60377330f863b7a1e62 - name: kind value: task resolver: bundles @@ -313,7 +313,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:68a8fe28527c4469243119a449e2b3a6655f2acac589c069ea6433242da8ed4d + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d354939892f3a904223ec080cc3771bd11931085a5d202323ea491ee8e8c5e43 - name: kind value: task resolver: bundles 
@@ -333,7 +333,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:8a2d3ce9205df1f59f410529cb38134336e0a4b06ee1187b3229f26c80ecc5ba + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:95ca11d147ee97d98f495477e9f42afe94ba3f869fc81c4e7b241ebd21e7395f - name: kind value: task resolver: bundles @@ -382,7 +382,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:386c8c3395b44f6eb927dbad72382808b0ae42008f183064ca77cb4cad998442 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:9cab95ac9e833d77a63c079893258b73b8d5a298d93aaf9bdd6722471bc2f338 - name: kind value: task resolver: bundles @@ -449,7 +449,7 @@ spec: - name: name value: coverity-availability-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:8b58c4fae00c0dfe3937abfb8a9a61aa3c408cca4278b817db53d518428d944e + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 - name: kind value: task resolver: bundles @@ -523,7 +523,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:0c411c27483849a936c0c420a57e477113e9fafc63077647200d6614d9ebb872 + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:517a51e260c0b59654a9d7b842e1ab07d76bce15ca7ce9c8fd2489a19be6463d - name: kind value: task resolver: bundles @@ -577,4 +577,4 @@ spec: - name: git-auth optional: true - name: netrc - optional: true \ No newline at end of file + optional: true From b13d5723b58e4a5e5052bf2705087039e123ad03 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Wed, 25 Jun 2025 09:15:38 +0000 Subject: [PATCH 280/298] Red Hat Konflux update trustee 
Signed-off-by: red-hat-konflux --- .../docker-build-multi-platform-oci-ta.yaml | 580 ----------------- .tekton/trustee-pull-request.yaml | 577 ++++++++++++++++- .tekton/trustee-push.yaml | 581 +++++++++++++++++- 3 files changed, 1145 insertions(+), 593 deletions(-) delete mode 100644 .tekton/docker-build-multi-platform-oci-ta.yaml diff --git a/.tekton/docker-build-multi-platform-oci-ta.yaml b/.tekton/docker-build-multi-platform-oci-ta.yaml deleted file mode 100644 index 6202fd49bd..0000000000 --- a/.tekton/docker-build-multi-platform-oci-ta.yaml +++ /dev/null 
@@ -1,580 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - labels: - pipelines.openshift.io/runtime: generic - pipelines.openshift.io/strategy: docker - pipelines.openshift.io/used-by: build-cloud - name: docker-build-multi-platform-oci-ta -spec: - description: | - This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization. - - _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. - This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_ - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:002f7c8c1d2f9e09904035da414aba1188ae091df0ea9532cd997be05e73d594 - - name: kind - value: task - resolver: bundles - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . 
- description: Path to the source code of an application's component from where to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "false" - description: Build a source image. - name: build-source-image - type: string - - default: "true" - description: Add built image into an OCI image index - name: build-image-index - type: string - - default: [] - description: Array of --build-arg values ("arg=value" strings) for buildah - name: build-args - type: array - - default: "" - description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file - name: build-args-file - type: string - - default: - - linux/x86_64 - description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller. 
- name: build-platforms - type: array - results: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:66e90d31e1386bf516fb548cd3e3f0082b5d0234b8b90dbf9e0d4684b70dbe1a - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: ociStorage - value: $(params.output-image).git - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - - name: dev-package-managers - value: "true" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0e512b12775b2bcc4eb47bb34b7a2db2e91c3ceef04b2f2487fa421032d8859a - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - - name: ociStorage - value: $(params.output-image).prefetch - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - - name: dev-package-managers - value: "true" - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: prefetch-dependencies-oci-ta - - name: bundle - 
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta@sha256:d0cbc492da865be336d09926eb6e3494403dccaa4a212bbdf472d8adbf80ab08 - - name: kind - value: task - resolver: bundles - workspaces: - - name: git-basic-auth - workspace: git-auth - - name: netrc - workspace: netrc - - matrix: - params: - - name: PLATFORM - value: - - $(params.build-platforms) - name: build-images - params: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - $(params.build-args[*]) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: IMAGE_APPEND_PLATFORM - value: "true" - runAfter: - - prefetch-dependencies - taskRef: - params: - - name: name - value: buildah-remote-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:28d8a4f7c1ff6e8bb09d89b06c7c8769093ac7e9325ad9edfe7b2d766f643b87 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: [] - - name: build-image-index - params: - - name: IMAGE - value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: ALWAYS_BUILD_INDEX - value: $(params.build-image-index) - - name: IMAGES - value: - - $(tasks.build-images.results.IMAGE_REF[*]) - runAfter: - - build-images - taskRef: - params: - - name: name - 
value: build-image-index - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:3cf3dcc0bf7b674b940063b4d55e41fe7d43636a1d82572e3850228aa5350fa8 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(params.output-image) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: source-build-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:f0784e8e0e396f40a6523693825b5966c3c615ba3d342350165e83cb72a24ef7 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - workspaces: [] - - name: deprecated-base-image-check - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:270a79138a98e43c366d3722978cb5940d2bcb822ba6b60377330f863b7a1e62 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: 
quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d354939892f3a904223ec080cc3771bd11931085a5d202323ea491ee8e8c5e43 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:95ca11d147ee97d98f495477e9f42afe94ba3f869fc81c4e7b241ebd21e7395f - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-snyk-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-snyk-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:e61f541189b30d14292ef8df36ccaf13f7feb2378fed5f74cb6293b3e79eb687 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: [] - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:9cab95ac9e833d77a63c079893258b73b8d5a298d93aaf9bdd6722471bc2f338 
- - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-coverity-check - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE - value: $(params.output-image) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - $(params.build-args[*]) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - coverity-availability-check - taskRef: - params: - - name: name - value: sast-coverity-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:dda889f85faa30eb18db4f195bc03428e8913afa14624552d2cb9f714c786dbf - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - input: $(tasks.coverity-availability-check.results.STATUS) - operator: in - values: - - success - workspaces: [] - - name: coverity-availability-check - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: coverity-availability-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: 
sast-shell-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-shell-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:1e8f18f892e16f5d0fc0f42ae8512e3c78251d43cd9d9f7cfd3f6667242bf619 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: [] - - name: sast-unicode-check - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-unicode-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:24ad71fde435fc25abba2c4c550beb088b1530f738d3c377e2f635b5f320d57b - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: [] - - name: apply-tags - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: apply-tags - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:517a51e260c0b59654a9d7b842e1ab07d76bce15ca7ce9c8fd2489a19be6463d - - name: kind - value: task - resolver: bundles - - name: push-dockerfile - params: - - 
name: IMAGE - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: push-dockerfile-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:5d8013b6a27bbc5e4ff261144616268f28417ed0950d583ef36349fcd59d3d3d - - name: kind - value: task - resolver: bundles - workspaces: [] - - name: rpms-signature-scan - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: rpms-signature-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1b6c20ab3dbfb0972803d3ebcb2fa72642e59400c77bd66dfd82028bdd09e120 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: git-auth - optional: true - - name: netrc - optional: true diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index e87159316a..176068f33b 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -6,6 +6,7 @@ metadata: build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" 
@@ -26,8 +27,6 @@ spec: value: 5d - name: output-image value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:on-pr-{{revision}} - - name: path-context - value: . - name: revision value: '{{revision}}' - name: build-source-image 
@@ -41,12 +40,578 @@ spec: {"type": "cargo", "path": "./"}]' - name: hermetic value: "true" - pipelineRef: - name: docker-build-multi-platform-oci-ta + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:1b1df4da95966d08ac6a5b8198710e09e68b5c2cdc707c37d9d19769e65884b2 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: 
skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:66e90d31e1386bf516fb548cd3e3f0082b5d0234b8b90dbf9e0d4684b70dbe1a + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: dev-package-managers + value: "true" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d35e5d501cb5f5f88369511f76249857cb5ac30250e1dcf086939321964ff6b9 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: dev-package-managers + value: "true" + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:d0cbc492da865be336d09926eb6e3494403dccaa4a212bbdf472d8adbf80ab08 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: 
HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:37c96c0e8639e8a70eb9bc02dfd8ce81c37a03f653f2ca306536e64a58f296b6 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:846dc9975914f31380ec2712fdbac9df3b06c00a9cc7df678315a7f97145efc2 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + 
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:b424894fc8e806c12658daa565b835fd2d66e7f7608afc47529eb7b410f030d7 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3c8b81fa868e27c6266e7660a4bfb4c822846dcf4304606e71e20893b0d3e515 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d354939892f3a904223ec080cc3771bd11931085a5d202323ea491ee8e8c5e43 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b550ff4f0b634512ce5200074be7afd7a5a6c05b783620c626e2a3035cd56448 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:e61f541189b30d14292ef8df36ccaf13f7feb2378fed5f74cb6293b3e79eb687 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:9cab95ac9e833d77a63c079893258b73b8d5a298d93aaf9bdd6722471bc2f338 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: 
PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:dda889f85faa30eb18db4f195bc03428e8913afa14624552d2cb9f714c786dbf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:808bcaf75271db6a999f53fdefb973a385add94a277d37fbd3df68f8ac7dfaa3 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:24ad71fde435fc25abba2c4c550beb088b1530f738d3c377e2f635b5f320d57b + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:517a51e260c0b59654a9d7b842e1ab07d76bce15ca7ce9c8fd2489a19be6463d + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - 
name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:5d8013b6a27bbc5e4ff261144616268f28417ed0950d583ef36349fcd59d3d3d + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1b6c20ab3dbfb0972803d3ebcb2fa72642e59400c77bd66dfd82028bdd09e120 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true taskRunTemplate: serviceAccountName: build-pipeline-trustee - timeouts: - pipeline: 2h0m0s workspaces: - name: git-auth secret: diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 31f0bcfabf..b7c4f0fd28 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -5,6 +5,7 @@ metadata: build.appstudio.openshift.io/repo: https://github.com/openshift/trustee?rev={{revision}} build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" 
@@ -21,10 +22,10 @@ spec: value: kbs/docker/rhel-ubi/Dockerfile - name: git-url value: '{{source_url}}' + - name: image-expires-after + value: 5d - name: output-image - value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:{{revision}} - - name: path-context - value: . + value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:on-pr-{{revision}} - name: revision value: '{{revision}}' - name: build-source-image 
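Review bot: The `output-image` value in this hunk gains an `on-pr-` prefix and the run gets `image-expires-after: 5d`, although the file is `.tekton/trustee-push.yaml` and its `on-cel-expression` fires on pushes to `main`. Both settings look carried over from the pull-request pipeline (an inference; that file's values are not visible here). Images built from merged code would then carry what is presumably the pre-merge tag prefix and expire after five days, which makes a reviewed build harder to tell from an unreviewed one and leaves no durable digest to deploy or audit. I would keep `value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:{{revision}}` and drop the `image-expires-after` parameter from the push run. The removed `path-context: .` is covered by the `default: .` in the inlined spec added by the next hunk, which is worth a short comment next to the params.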
@@ -38,12 +39,578 @@ spec: {"type": "cargo", "path": "./"}]' - name: hermetic value: "true" - pipelineRef: - name: docker-build-multi-platform-oci-ta + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:1b1df4da95966d08ac6a5b8198710e09e68b5c2cdc707c37d9d19769e65884b2 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: 
skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:66e90d31e1386bf516fb548cd3e3f0082b5d0234b8b90dbf9e0d4684b70dbe1a + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: dev-package-managers + value: "true" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d35e5d501cb5f5f88369511f76249857cb5ac30250e1dcf086939321964ff6b9 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: dev-package-managers + value: "true" + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:d0cbc492da865be336d09926eb6e3494403dccaa4a212bbdf472d8adbf80ab08 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: 
HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:37c96c0e8639e8a70eb9bc02dfd8ce81c37a03f653f2ca306536e64a58f296b6 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:846dc9975914f31380ec2712fdbac9df3b06c00a9cc7df678315a7f97145efc2 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + 
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:b424894fc8e806c12658daa565b835fd2d66e7f7608afc47529eb7b410f030d7 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3c8b81fa868e27c6266e7660a4bfb4c822846dcf4304606e71e20893b0d3e515 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d354939892f3a904223ec080cc3771bd11931085a5d202323ea491ee8e8c5e43 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b550ff4f0b634512ce5200074be7afd7a5a6c05b783620c626e2a3035cd56448 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:e61f541189b30d14292ef8df36ccaf13f7feb2378fed5f74cb6293b3e79eb687 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:9cab95ac9e833d77a63c079893258b73b8d5a298d93aaf9bdd6722471bc2f338 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: 
PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:dda889f85faa30eb18db4f195bc03428e8913afa14624552d2cb9f714c786dbf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:808bcaf75271db6a999f53fdefb973a385add94a277d37fbd3df68f8ac7dfaa3 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:24ad71fde435fc25abba2c4c550beb088b1530f738d3c377e2f635b5f320d57b + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:517a51e260c0b59654a9d7b842e1ab07d76bce15ca7ce9c8fd2489a19be6463d + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - 
name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:5d8013b6a27bbc5e4ff261144616268f28417ed0950d583ef36349fcd59d3d3d + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1b6c20ab3dbfb0972803d3ebcb2fa72642e59400c77bd66dfd82028bdd09e120 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true taskRunTemplate: serviceAccountName: build-pipeline-trustee - timeouts: - pipeline: 2h0m0s workspaces: - name: git-auth secret: From 15ad15db5a84261b4febeaf0013fbe29fb3404fa Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 28 Jun 2025 06:21:26 +0000 Subject: [PATCH 281/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 6 +++--- .tekton/trustee-push.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 176068f33b..ed1b4d758d 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml 
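Review bot: The inlined `pipelineSpec` in the `@@ -38,12 +39,578 @@` hunk passes `dev-package-managers: "true"` to both `clone-repository` and `prefetch-dependencies` without saying why. On the prefetch task this switch, as far as I know, opts in to package-manager support that is still in development, which matters for a run that sets `hermetic: "true"` and depends on the prefetched content being complete and reproducible; on `git-clone-oci-ta` it is probably not a declared parameter and could be dropped (to be checked against the pinned bundle). I would add a comment above the prefetch parameter such as `# needed for <package manager> prefetch; remove once supported by default`. Separately, the hunk replaces `pipelineRef: docker-build-multi-platform-oci-ta` with a spec whose description and `buildah-oci-ta` build task are single-platform, and it removes `timeouts: pipeline: 2h0m0s`; if both are intended they deserve a line in the commit message. The same spec appears in the preceding hunk, which starts outside the visible part of the patch.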
@@ -204,7 +204,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:d0cbc492da865be336d09926eb6e3494403dccaa4a212bbdf472d8adbf80ab08 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:5e15408f997557153b13d492aeccb51c01923bfbe4fbdf6f1e8695ce1b82f826 - name: kind value: task resolver: bundles @@ -247,7 +247,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:37c96c0e8639e8a70eb9bc02dfd8ce81c37a03f653f2ca306536e64a58f296b6 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:65864bd7623b8819707ffc0949c390152f99f24308803e773000009f71ed2d6b - name: kind value: task resolver: bundles @@ -461,7 +461,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:dda889f85faa30eb18db4f195bc03428e8913afa14624552d2cb9f714c786dbf + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f81ade665c725616b918356c8c2fb2d4ed972e822a1a3181933cd0ada728a231 - name: kind value: task resolver: bundles diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index b7c4f0fd28..ba48c3c67b 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -203,7 +203,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:d0cbc492da865be336d09926eb6e3494403dccaa4a212bbdf472d8adbf80ab08 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:5e15408f997557153b13d492aeccb51c01923bfbe4fbdf6f1e8695ce1b82f826 - name: kind value: task resolver: bundles 
@@ -246,7 +246,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:37c96c0e8639e8a70eb9bc02dfd8ce81c37a03f653f2ca306536e64a58f296b6 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:65864bd7623b8819707ffc0949c390152f99f24308803e773000009f71ed2d6b - name: kind value: task resolver: bundles @@ -460,7 +460,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:dda889f85faa30eb18db4f195bc03428e8913afa14624552d2cb9f714c786dbf + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f81ade665c725616b918356c8c2fb2d4ed972e822a1a3181933cd0ada728a231 - name: kind value: task resolver: bundles From c2697a7e2655a976aaaf93e3c5edd2818fd2447d Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 29 Jun 2025 11:17:59 +0000 Subject: [PATCH 282/298] chore(deps): update dependency go to v1.24.4 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index 32cd9f60c5..40daee14fe 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod @@ -2,7 +2,7 @@ module cgo go 1.23.0 -toolchain go1.23.9 +toolchain go1.24.4 require github.com/in-toto/in-toto-golang v0.9.0 From 2cde609d4f56f315aa164c4ce8cbfaea4ffc9cc7 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 5 Jul 2025 05:51:08 +0000 Subject: [PATCH 283/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 8 ++++---- .tekton/trustee-push.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index ed1b4d758d..0c74b68105 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -204,7 +204,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:5e15408f997557153b13d492aeccb51c01923bfbe4fbdf6f1e8695ce1b82f826 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:a1ddc34bf0a169bb2e64a98caf9027b66af8fc66a3a60f71bb451ce36af6a399 - name: kind value: task resolver: bundles @@ -247,7 +247,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:65864bd7623b8819707ffc0949c390152f99f24308803e773000009f71ed2d6b + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:48b99ad18fd3bde2d22ec2c397d36c55e45ca90ddf1620c9e00bdee518e297bf - name: kind value: task resolver: bundles @@ -461,7 +461,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f81ade665c725616b918356c8c2fb2d4ed972e822a1a3181933cd0ada728a231 + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:d3fdca2f0072e1c40e0781ac4b8f16b977dc77fc6e80424087941465bc27d5eb - name: kind value: task resolver: bundles @@ -534,7 +534,7 @@ spec: - name: name value: sast-unicode-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:24ad71fde435fc25abba2c4c550beb088b1530f738d3c377e2f635b5f320d57b + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 - name: kind value: task resolver: bundles 
diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index ba48c3c67b..aba9304993 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -203,7 +203,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:5e15408f997557153b13d492aeccb51c01923bfbe4fbdf6f1e8695ce1b82f826 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:a1ddc34bf0a169bb2e64a98caf9027b66af8fc66a3a60f71bb451ce36af6a399 - name: kind value: task resolver: bundles @@ -246,7 +246,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:65864bd7623b8819707ffc0949c390152f99f24308803e773000009f71ed2d6b + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:48b99ad18fd3bde2d22ec2c397d36c55e45ca90ddf1620c9e00bdee518e297bf - name: kind value: task resolver: bundles @@ -460,7 +460,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f81ade665c725616b918356c8c2fb2d4ed972e822a1a3181933cd0ada728a231 + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:d3fdca2f0072e1c40e0781ac4b8f16b977dc77fc6e80424087941465bc27d5eb - name: kind value: task resolver: bundles @@ -533,7 +533,7 @@ spec: - name: name value: sast-unicode-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:24ad71fde435fc25abba2c4c550beb088b1530f738d3c377e2f635b5f320d57b + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 - name: kind value: task resolver: bundles From b13216f409b856295bb14c2f792d9cbc7a741d90 Mon Sep 17 00:00:00 2001 
From: Leonardo Milleri Date: Mon, 7 Jul 2025 14:54:11 +0100 Subject: [PATCH 284/298] Remove image expiration for on-push pipeline Signed-off-by: Leonardo Milleri --- .tekton/trustee-push.yaml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index aba9304993..585d9ff9ee 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -22,8 +22,6 @@ spec: value: kbs/docker/rhel-ubi/Dockerfile - name: git-url value: '{{source_url}}' - - name: image-expires-after - value: 5d - name: output-image value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:on-pr-{{revision}} - name: revision @@ -96,11 +94,6 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - default: "false" description: Build a source image. name: build-source-image @@ -161,8 +154,6 @@ spec: value: $(params.revision) - name: ociStorage value: $(params.output-image).git - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - name: dev-package-managers value: "true" runAfter: @@ -192,8 +183,6 @@ spec: value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - name: ociStorage value: $(params.output-image).prefetch - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - name: dev-package-managers value: "true" runAfter: @@ -224,8 +213,6 @@ spec: value: $(params.hermetic) - name: PREFETCH_INPUT value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - name: BUILD_ARGS 
@@ -261,8 +248,6 @@ spec: value: $(params.output-image) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - name: ALWAYS_BUILD_INDEX value: $(params.build-image-index) - name: IMAGES @@ -440,8 +425,6 @@ spec: value: $(params.hermetic) - name: PREFETCH_INPUT value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - name: BUILD_ARGS From b8b3137440b567c53c0f581d3eda3df539c95224 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 12 Jul 2025 05:06:55 +0000 Subject: [PATCH 285/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 36 ++++++++++++++----------------- .tekton/trustee-push.yaml | 33 +++++++++++++--------------- 2 files changed, 31 insertions(+), 38 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 0c74b68105..84cd9fc926 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -8,9 +8,8 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/cancel-in-progress: "true" pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch - == "main" - creationTimestamp: null + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" + creationTimestamp: labels: appstudio.openshift.io/application: trustee appstudio.openshift.io/component: trustee 
@@ -33,11 +32,10 @@ spec: value: "true" - name: build-platforms value: - - linux/x86_64 - - linux/s390x + - linux/x86_64 + - linux/s390x - name: prefetch-input - value: '[{"type": "rpm", "path": "rpm"}, - {"type": "cargo", "path": "./"}]' + value: '[{"type": "rpm", "path": "rpm"}, {"type": "cargo", "path": "./"}]' - name: hermetic value: "true" pipelineSpec: @@ -72,13 +70,11 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where - to build image. + description: Path to the source code of an application's component from where to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context + description: Path to the Dockerfile inside the context specified by parameter path-context name: dockerfile type: string - default: "false" @@ -98,8 +94,7 @@ spec: name: prefetch-input type: string - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. + description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after type: string - default: "false" @@ -119,8 +114,7 @@ spec: name: build-args-file type: string - default: "false" - description: Whether to enable privileged mode, should be used only with remote - VMs + description: Whether to enable privileged mode, should be used only with remote VMs name: privileged-nested type: string results: 
@@ -204,7 +198,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:a1ddc34bf0a169bb2e64a98caf9027b66af8fc66a3a60f71bb451ce36af6a399 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:f10a4841e6f75fbb314b1d8cbf14f652499c1fe7f59e59aed59f7431c680aa17 - name: kind value: task resolver: bundles @@ -288,11 +282,13 @@ spec: - name: build-source-image params: - name: BINARY_IMAGE - value: $(params.output-image) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: @@ -300,7 +296,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:b424894fc8e806c12658daa565b835fd2d66e7f7608afc47529eb7b410f030d7 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b1eb49583b41872b27356fee20d5f0eb6ff7f5cdeacde7ffb39655f031104728 - name: kind value: task resolver: bundles @@ -368,7 +364,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b550ff4f0b634512ce5200074be7afd7a5a6c05b783620c626e2a3035cd56448 + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:abbe195626eec925288df6425679559025d1be4af5ae70ca6dbbcb49ad3bf08b - name: kind value: task resolver: bundles 
@@ -461,7 +457,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:d3fdca2f0072e1c40e0781ac4b8f16b977dc77fc6e80424087941465bc27d5eb + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:c926568ce63e4f63e18bb6a4178caca2e8192f6e3b830bbcd354e6485d29458c - name: kind value: task resolver: bundles diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 585d9ff9ee..4bb377eba4 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -7,9 +7,8 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/cancel-in-progress: "false" pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch - == "main" - creationTimestamp: null + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" + creationTimestamp: labels: appstudio.openshift.io/application: trustee appstudio.openshift.io/component: trustee @@ -30,11 +29,10 @@ spec: value: "true" - name: build-platforms value: - - linux/x86_64 - - linux/s390x + - linux/x86_64 + - linux/s390x - name: prefetch-input - value: '[{"type": "rpm", "path": "rpm"}, - {"type": "cargo", "path": "./"}]' + value: '[{"type": "rpm", "path": "rpm"}, {"type": "cargo", "path": "./"}]' - name: hermetic value: "true" pipelineSpec: 
@@ -69,13 +67,11 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where - to build image. + description: Path to the source code of an application's component from where to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context + description: Path to the Dockerfile inside the context specified by parameter path-context name: dockerfile type: string - default: "false" @@ -111,8 +107,7 @@ spec: name: build-args-file type: string - default: "false" - description: Whether to enable privileged mode, should be used only with remote - VMs + description: Whether to enable privileged mode, should be used only with remote VMs name: privileged-nested type: string results: @@ -192,7 +187,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:a1ddc34bf0a169bb2e64a98caf9027b66af8fc66a3a60f71bb451ce36af6a399 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:f10a4841e6f75fbb314b1d8cbf14f652499c1fe7f59e59aed59f7431c680aa17 - name: kind value: task resolver: bundles @@ -272,11 +267,13 @@ spec: - name: build-source-image params: - name: BINARY_IMAGE - value: $(params.output-image) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: 
@@ -284,7 +281,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:b424894fc8e806c12658daa565b835fd2d66e7f7608afc47529eb7b410f030d7 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b1eb49583b41872b27356fee20d5f0eb6ff7f5cdeacde7ffb39655f031104728 - name: kind value: task resolver: bundles @@ -352,7 +349,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b550ff4f0b634512ce5200074be7afd7a5a6c05b783620c626e2a3035cd56448 + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:abbe195626eec925288df6425679559025d1be4af5ae70ca6dbbcb49ad3bf08b - name: kind value: task resolver: bundles @@ -443,7 +440,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:d3fdca2f0072e1c40e0781ac4b8f16b977dc77fc6e80424087941465bc27d5eb + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:c926568ce63e4f63e18bb6a4178caca2e8192f6e3b830bbcd354e6485d29458c - name: kind value: task resolver: bundles From d847d6e477c040212c57a9a625f90e4acd5d5542 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Wed, 16 Jul 2025 13:59:28 +0100 Subject: [PATCH 286/298] Fix s390x build Signed-off-by: Leonardo Milleri --- .tekton/trustee-pull-request.yaml | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 84cd9fc926..d0608d1ea1 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml 
@@ -38,6 +38,8 @@ spec: value: '[{"type": "rpm", "path": "rpm"}, {"type": "cargo", "path": "./"}]' - name: hermetic value: "true" + - name: build-image-index + value: "true" pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. @@ -117,6 +119,12 @@ spec: description: Whether to enable privileged mode, should be used only with remote VMs name: privileged-nested type: string + - default: + - linux/x86_64 + - linux/s390x + description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller. + name: build-platforms + type: array results: - description: "" name: IMAGE_URL @@ -207,7 +215,12 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: build-container + - matrix: + params: + - name: PLATFORM + value: + - $(params.build-platforms) + name: build-images params: - name: IMAGE value: $(params.output-image) @@ -234,14 +247,16 @@ spec: value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: IMAGE_APPEND_PLATFORM + value: 'true' runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah-oci-ta + value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:48b99ad18fd3bde2d22ec2c397d36c55e45ca90ddf1620c9e00bdee518e297bf + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:5b8d51fa889cdac873750904c3fccc0cca1c4f65af16902ebb2b573151f80657 - name: kind value: task resolver: bundles @@ -249,7 +264,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - "true" + - 'true' - name: build-image-index params: - name: IMAGE 
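Review bot: The `'true'` quoting introduced in this commit is inconsistent with the rest of the file and with the commit's own first hunk, which adds `build-image-index` as `value: "true"`. The `IMAGE_APPEND_PLATFORM` line in `@@ -234,14 +247,16 @@` uses `value: 'true'`, and the `when` values in `@@ -249,7 +264,7 @@` and `@@ -278,7 +293,7 @@` are rewritten from `- "true"` to `- 'true'` with no change in meaning. Keeping `- "true"` on the `when` lines and writing `value: "true"` for `IMAGE_APPEND_PLATFORM` would remove two no-op changed lines, so that later changes to this build pipeline (task swaps, digest bumps) are easier to audit. The same applies to the matching hunks in the two following commits to `.tekton/trustee-push.yaml`. The task definitions these lines belong to start outside the hunks.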
@@ -262,9 +277,9 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-images.results.IMAGE_REF[*]) runAfter: - - build-container + - build-images taskRef: params: - name: name @@ -278,7 +293,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - "true" + - 'true' - name: build-source-image params: - name: BINARY_IMAGE From 9919ad544f110949b7a486c005bf5787cce290f7 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Thu, 17 Jul 2025 10:13:00 +0100 Subject: [PATCH 287/298] Update onpush pipeline for s390x build Signed-off-by: Leonardo Milleri --- .tekton/trustee-push.yaml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 4bb377eba4..6489efdba7 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -35,6 +35,8 @@ spec: value: '[{"type": "rpm", "path": "rpm"}, {"type": "cargo", "path": "./"}]' - name: hermetic value: "true" + - name: build-image-index + value: "true" pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. @@ -110,6 +112,12 @@ spec: description: Whether to enable privileged mode, should be used only with remote VMs name: privileged-nested type: string + - default: + - linux/x86_64 + - linux/s390x + description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller. + name: build-platforms + type: array results: - description: "" name: IMAGE_URL @@ -196,7 +204,12 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: build-container + - matrix: + params: + - name: PLATFORM + value: + - $(params.build-platforms) + name: build-images params: - name: IMAGE value: $(params.output-image) 
@@ -221,14 +234,16 @@ spec: value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: IMAGE_APPEND_PLATFORM + value: 'true' runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah-oci-ta + value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:48b99ad18fd3bde2d22ec2c397d36c55e45ca90ddf1620c9e00bdee518e297bf + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:5b8d51fa889cdac873750904c3fccc0cca1c4f65af16902ebb2b573151f80657 - name: kind value: task resolver: bundles @@ -236,7 +251,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - "true" + - 'true' - name: build-image-index params: - name: IMAGE From 3132caaeb37c3cb994bf9a18a22ea8da9a09b351 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Thu, 17 Jul 2025 10:33:18 +0100 Subject: [PATCH 288/298] Fix onpush pipeline Signed-off-by: Leonardo Milleri --- .tekton/trustee-push.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 6489efdba7..d577004410 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -262,9 +262,9 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-images.results.IMAGE_REF[*]) runAfter: - - build-container + - build-images taskRef: params: - name: name @@ -278,7 +278,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - "true" + - 'true' - name: build-source-image params: - name: BINARY_IMAGE From 5acffd207eddde7f65a8d73d87e2d804292d6693 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Fri, 18 Jul 2025 10:54:36 +0100 Subject: [PATCH 289/298] Fix trustee onpush output image 
Signed-off-by: Leonardo Milleri --- .tekton/trustee-push.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index d577004410..dd6d9a631a 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -22,7 +22,7 @@ spec: - name: git-url value: '{{source_url}}' - name: output-image - value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:on-pr-{{revision}} + value: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:{{revision}} - name: revision value: '{{revision}}' - name: build-source-image From 77e75667f7f6a31b74de1f7d95a5cf64ea6ef693 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 19 Jul 2025 17:25:34 +0000 Subject: [PATCH 290/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 24 ++++++++++++------------ .tekton/trustee-push.yaml | 24 ++++++++++++------------ 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index d0608d1ea1..11d78b3261 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -56,7 +56,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:1b1df4da95966d08ac6a5b8198710e09e68b5c2cdc707c37d9d19769e65884b2 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:86c069cac0a669797e8049faa8aa4088e70ff7fcd579d5bdc37626a9e0488a05 - name: kind value: task resolver: bundles 
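Review bot: The new `output-image` value `quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:{{revision}}` identifies a build only by a tag, and nothing in the file tells consumers to resolve it to a digest. A re-run of the on-push pipeline for the same commit would presumably push to the same tag again, and an earlier commit in this series removed `image-expires-after` from this pipeline, so these tags are now long-lived. I would add a comment above the value, for example `# tag = commit SHA; may be re-pushed on re-run, so consume the image by the IMAGE_DIGEST result rather than by tag`. The parameter list this line sits in starts and ends outside the hunk.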
@@ -152,7 +152,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:66e90d31e1386bf516fb548cd3e3f0082b5d0234b8b90dbf9e0d4684b70dbe1a + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:1d8221c84f91b923d89de50bf16481ea729e3b68ea04a9a7cbe8485ddbb27ee6 - name: kind value: task resolver: bundles @@ -206,7 +206,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:f10a4841e6f75fbb314b1d8cbf14f652499c1fe7f59e59aed59f7431c680aa17 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:092491ac0f6e1009d10c58a1319d1029371bf637cc1293cceba53c6da5314ed1 - name: kind value: task resolver: bundles @@ -256,7 +256,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:5b8d51fa889cdac873750904c3fccc0cca1c4f65af16902ebb2b573151f80657 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:9e866d4d0489a6ab84ae263db416c9f86d2d6117ef4444f495a0e97388ae3ac0 - name: kind value: task resolver: bundles @@ -285,7 +285,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:846dc9975914f31380ec2712fdbac9df3b06c00a9cc7df678315a7f97145efc2 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:3499772af90aad0d3935629be6d37dd9292195fb629e6f43ec839c7f545a0faa - name: kind value: task resolver: bundles 
@@ -359,7 +359,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d354939892f3a904223ec080cc3771bd11931085a5d202323ea491ee8e8c5e43 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:417f44117f8d87a4a62fea6589b5746612ac61640b454dbd88f74892380411f2 - name: kind value: task resolver: bundles @@ -379,7 +379,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:abbe195626eec925288df6425679559025d1be4af5ae70ca6dbbcb49ad3bf08b + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:f99d2bdb02f13223d494077a2cde31418d09369f33c02134a8e7e5fad2f61eda - name: kind value: task resolver: bundles @@ -405,7 +405,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:e61f541189b30d14292ef8df36ccaf13f7feb2378fed5f74cb6293b3e79eb687 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:fe5e5ba3a72632cd505910de2eacd62c9d11ed570c325173188f8d568ac60771 - name: kind value: task resolver: bundles @@ -427,7 +427,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:9cab95ac9e833d77a63c079893258b73b8d5a298d93aaf9bdd6722471bc2f338 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:7749146f7e4fe530846f1b15c9366178ec9f44776ef1922a60d3e7e2b8c6426b - name: kind value: task resolver: bundles 
@@ -472,7 +472,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:c926568ce63e4f63e18bb6a4178caca2e8192f6e3b830bbcd354e6485d29458c + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f9ca942208dc2e63b479384ccc56a611cc793397ecc837637b5b9f89c2ecbefe - name: kind value: task resolver: bundles @@ -519,7 +519,7 @@ spec: - name: name value: sast-shell-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:808bcaf75271db6a999f53fdefb973a385add94a277d37fbd3df68f8ac7dfaa3 + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 - name: kind value: task resolver: bundles @@ -590,7 +590,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:5d8013b6a27bbc5e4ff261144616268f28417ed0950d583ef36349fcd59d3d3d + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8c75c4a747e635e5f3e12266a3bb6e5d3132bf54e37eaa53d505f89897dd8eca - name: kind value: task resolver: bundles diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index dd6d9a631a..40cc72068a 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -53,7 +53,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:1b1df4da95966d08ac6a5b8198710e09e68b5c2cdc707c37d9d19769e65884b2 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:86c069cac0a669797e8049faa8aa4088e70ff7fcd579d5bdc37626a9e0488a05 - name: kind value: task resolver: bundles 
@@ -145,7 +145,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:66e90d31e1386bf516fb548cd3e3f0082b5d0234b8b90dbf9e0d4684b70dbe1a + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:1d8221c84f91b923d89de50bf16481ea729e3b68ea04a9a7cbe8485ddbb27ee6 - name: kind value: task resolver: bundles @@ -195,7 +195,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:f10a4841e6f75fbb314b1d8cbf14f652499c1fe7f59e59aed59f7431c680aa17 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:092491ac0f6e1009d10c58a1319d1029371bf637cc1293cceba53c6da5314ed1 - name: kind value: task resolver: bundles @@ -243,7 +243,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:5b8d51fa889cdac873750904c3fccc0cca1c4f65af16902ebb2b573151f80657 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:9e866d4d0489a6ab84ae263db416c9f86d2d6117ef4444f495a0e97388ae3ac0 - name: kind value: task resolver: bundles @@ -270,7 +270,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:846dc9975914f31380ec2712fdbac9df3b06c00a9cc7df678315a7f97145efc2 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:3499772af90aad0d3935629be6d37dd9292195fb629e6f43ec839c7f545a0faa - name: kind value: task resolver: bundles 
@@ -344,7 +344,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d354939892f3a904223ec080cc3771bd11931085a5d202323ea491ee8e8c5e43 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:417f44117f8d87a4a62fea6589b5746612ac61640b454dbd88f74892380411f2 - name: kind value: task resolver: bundles @@ -364,7 +364,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:abbe195626eec925288df6425679559025d1be4af5ae70ca6dbbcb49ad3bf08b + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:f99d2bdb02f13223d494077a2cde31418d09369f33c02134a8e7e5fad2f61eda - name: kind value: task resolver: bundles @@ -390,7 +390,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:e61f541189b30d14292ef8df36ccaf13f7feb2378fed5f74cb6293b3e79eb687 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:fe5e5ba3a72632cd505910de2eacd62c9d11ed570c325173188f8d568ac60771 - name: kind value: task resolver: bundles @@ -412,7 +412,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:9cab95ac9e833d77a63c079893258b73b8d5a298d93aaf9bdd6722471bc2f338 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:7749146f7e4fe530846f1b15c9366178ec9f44776ef1922a60d3e7e2b8c6426b - name: kind value: task resolver: bundles 
@@ -455,7 +455,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:c926568ce63e4f63e18bb6a4178caca2e8192f6e3b830bbcd354e6485d29458c + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f9ca942208dc2e63b479384ccc56a611cc793397ecc837637b5b9f89c2ecbefe - name: kind value: task resolver: bundles @@ -502,7 +502,7 @@ spec: - name: name value: sast-shell-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:808bcaf75271db6a999f53fdefb973a385add94a277d37fbd3df68f8ac7dfaa3 + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 - name: kind value: task resolver: bundles @@ -573,7 +573,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:5d8013b6a27bbc5e4ff261144616268f28417ed0950d583ef36349fcd59d3d3d + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8c75c4a747e635e5f3e12266a3bb6e5d3132bf54e37eaa53d505f89897dd8eca - name: kind value: task resolver: bundles From 66e4b00825bf190406c8a85d952697c0ee88bd93 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 3 Aug 2025 07:03:14 +0000 Subject: [PATCH 291/298] chore(deps): update module github.com/secure-systems-lab/go-securesystemslib to v0.9.1 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 6 +++--- rvps/cgo/go.sum | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index 40daee14fe..902c493aa9 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod 
@@ -7,8 +7,8 @@ toolchain go1.24.4 require github.com/in-toto/in-toto-golang v0.9.0 require ( - github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - golang.org/x/crypto v0.39.0 // indirect - golang.org/x/sys v0.33.0 // indirect + golang.org/x/crypto v0.40.0 // indirect + golang.org/x/sys v0.34.0 // indirect ) diff --git a/rvps/cgo/go.sum b/rvps/cgo/go.sum index f7c532d332..3bb7e1178a 100644 --- a/rvps/cgo/go.sum +++ b/rvps/cgo/go.sum 
@@ -8,17 +8,17 @@ github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= -github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= +github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= +github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= -golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= +golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= +golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= +golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.33.0 
h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= +golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From e800f97919fb334719db5f37df3ac497908240e0 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 9 Aug 2025 00:15:01 +0000 Subject: [PATCH 292/298] chore(deps): update docker.io/library/rust docker tag to v1.89.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- kbs/docker/kbs-client-image/Dockerfile | 2 +- kbs/docker/kbs-client/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kbs/docker/kbs-client-image/Dockerfile b/kbs/docker/kbs-client-image/Dockerfile index ea30b97c00..5c0cfbaa45 100644 --- a/kbs/docker/kbs-client-image/Dockerfile +++ b/kbs/docker/kbs-client-image/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/library/rust:1.87.0 AS builder +FROM docker.io/library/rust:1.89.0 AS builder WORKDIR /usr/src/kbs COPY . . diff --git a/kbs/docker/kbs-client/Dockerfile b/kbs/docker/kbs-client/Dockerfile index e77ab8afd5..63556ebbc2 100644 --- a/kbs/docker/kbs-client/Dockerfile +++ b/kbs/docker/kbs-client/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/library/rust:1.87.0 AS builder +FROM docker.io/library/rust:1.89.0 AS builder ARG ARCH=x86_64 WORKDIR /usr/src/kbs From 3edb9ea098acbf7f88b44400a98c02e19e55c1b8 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 9 Aug 2025 08:44:48 +0000 Subject: [PATCH 293/298] chore(deps): update konflux references 
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 28 ++++++++++++++-------------- .tekton/trustee-push.yaml | 28 ++++++++++++++-------------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 11d78b3261..7b66f0b858 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -56,7 +56,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:86c069cac0a669797e8049faa8aa4088e70ff7fcd579d5bdc37626a9e0488a05 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7 - name: kind value: task resolver: bundles @@ -152,7 +152,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:1d8221c84f91b923d89de50bf16481ea729e3b68ea04a9a7cbe8485ddbb27ee6 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:08e18a4dc5f947c1d20e8353a19d013144bea87b72f67236b165dd4778523951 - name: kind value: task resolver: bundles @@ -175,7 +175,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d35e5d501cb5f5f88369511f76249857cb5ac30250e1dcf086939321964ff6b9 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:be82c55346e8810bd1edc5547f864064da6945979baccca7dfc99990b392a02b - name: kind value: task resolver: bundles 
@@ -206,7 +206,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:092491ac0f6e1009d10c58a1319d1029371bf637cc1293cceba53c6da5314ed1 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:e38599be9aafc4622545e66673c5bc2292b323834c5d852f4a39cb7d01784574 - name: kind value: task resolver: bundles @@ -256,7 +256,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:9e866d4d0489a6ab84ae263db416c9f86d2d6117ef4444f495a0e97388ae3ac0 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:e1c03f2be119f8000100ac10cba614cf7d0d77597a04aa74bc72d91df183bc5b - name: kind value: task resolver: bundles @@ -285,7 +285,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:3499772af90aad0d3935629be6d37dd9292195fb629e6f43ec839c7f545a0faa + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:72f77a8c62f9d6f69ab5c35170839e4b190026e6cc3d7d4ceafa7033fc30ad7b - name: kind value: task resolver: bundles @@ -311,7 +311,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b1eb49583b41872b27356fee20d5f0eb6ff7f5cdeacde7ffb39655f031104728 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:bfec1fabb0ed7c191e6c85d75e6cc577a04cabe9e6b35f9476529e8e5b3c0c82 - name: kind value: task resolver: bundles 
@@ -337,7 +337,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3c8b81fa868e27c6266e7660a4bfb4c822846dcf4304606e71e20893b0d3e515 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 - name: kind value: task resolver: bundles @@ -359,7 +359,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:417f44117f8d87a4a62fea6589b5746612ac61640b454dbd88f74892380411f2 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:893ffa3ce26b061e21bb4d8db9ef7ed4ddd4044fe7aa5451ef391034da3ff759 - name: kind value: task resolver: bundles @@ -379,7 +379,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:f99d2bdb02f13223d494077a2cde31418d09369f33c02134a8e7e5fad2f61eda + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:4bafcaab0f0c998a89a1cc33bdbbf74f39eea52e6c0e43013c356a322f94940f - name: kind value: task resolver: bundles @@ -427,7 +427,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:7749146f7e4fe530846f1b15c9366178ec9f44776ef1922a60d3e7e2b8c6426b + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:cce2dfcc5bd6e91ee54aacdadad523b013eeae5cdaa7f6a4624b8cbcc040f439 - name: kind value: task resolver: bundles 
@@ -472,7 +472,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f9ca942208dc2e63b479384ccc56a611cc793397ecc837637b5b9f89c2ecbefe + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:5f81372e21a3c6f4a745b723e444b6eb81a11bdff8740e0ce4b96ad42924e45e - name: kind value: task resolver: bundles @@ -567,7 +567,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:517a51e260c0b59654a9d7b842e1ab07d76bce15ca7ce9c8fd2489a19be6463d + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:70881c97a4c51ee1f4d023fa1110e0bdfcfd2f51d9a261fa543c3862b9a4eee9 - name: kind value: task resolver: bundles @@ -590,7 +590,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8c75c4a747e635e5f3e12266a3bb6e5d3132bf54e37eaa53d505f89897dd8eca + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8640726ef7c5875e3b2e64c9f823921ea970674593f077cadfce3c45c9b9a2b9 - name: kind value: task resolver: bundles diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index 40cc72068a..aa2f760b3d 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -53,7 +53,7 @@ spec: - name: name value: show-sbom - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:86c069cac0a669797e8049faa8aa4088e70ff7fcd579d5bdc37626a9e0488a05 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7 - name: kind value: task resolver: bundles 
@@ -145,7 +145,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:1d8221c84f91b923d89de50bf16481ea729e3b68ea04a9a7cbe8485ddbb27ee6 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:08e18a4dc5f947c1d20e8353a19d013144bea87b72f67236b165dd4778523951 - name: kind value: task resolver: bundles @@ -166,7 +166,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d35e5d501cb5f5f88369511f76249857cb5ac30250e1dcf086939321964ff6b9 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:be82c55346e8810bd1edc5547f864064da6945979baccca7dfc99990b392a02b - name: kind value: task resolver: bundles @@ -195,7 +195,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:092491ac0f6e1009d10c58a1319d1029371bf637cc1293cceba53c6da5314ed1 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:e38599be9aafc4622545e66673c5bc2292b323834c5d852f4a39cb7d01784574 - name: kind value: task resolver: bundles @@ -243,7 +243,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:9e866d4d0489a6ab84ae263db416c9f86d2d6117ef4444f495a0e97388ae3ac0 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:e1c03f2be119f8000100ac10cba614cf7d0d77597a04aa74bc72d91df183bc5b - name: kind value: task resolver: bundles 
@@ -270,7 +270,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:3499772af90aad0d3935629be6d37dd9292195fb629e6f43ec839c7f545a0faa + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:72f77a8c62f9d6f69ab5c35170839e4b190026e6cc3d7d4ceafa7033fc30ad7b - name: kind value: task resolver: bundles @@ -296,7 +296,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b1eb49583b41872b27356fee20d5f0eb6ff7f5cdeacde7ffb39655f031104728 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:bfec1fabb0ed7c191e6c85d75e6cc577a04cabe9e6b35f9476529e8e5b3c0c82 - name: kind value: task resolver: bundles @@ -322,7 +322,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3c8b81fa868e27c6266e7660a4bfb4c822846dcf4304606e71e20893b0d3e515 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 - name: kind value: task resolver: bundles @@ -344,7 +344,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:417f44117f8d87a4a62fea6589b5746612ac61640b454dbd88f74892380411f2 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:893ffa3ce26b061e21bb4d8db9ef7ed4ddd4044fe7aa5451ef391034da3ff759 - name: kind value: task resolver: bundles 
@@ -364,7 +364,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:f99d2bdb02f13223d494077a2cde31418d09369f33c02134a8e7e5fad2f61eda + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:4bafcaab0f0c998a89a1cc33bdbbf74f39eea52e6c0e43013c356a322f94940f - name: kind value: task resolver: bundles @@ -412,7 +412,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:7749146f7e4fe530846f1b15c9366178ec9f44776ef1922a60d3e7e2b8c6426b + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:cce2dfcc5bd6e91ee54aacdadad523b013eeae5cdaa7f6a4624b8cbcc040f439 - name: kind value: task resolver: bundles @@ -455,7 +455,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:f9ca942208dc2e63b479384ccc56a611cc793397ecc837637b5b9f89c2ecbefe + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:5f81372e21a3c6f4a745b723e444b6eb81a11bdff8740e0ce4b96ad42924e45e - name: kind value: task resolver: bundles @@ -550,7 +550,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:517a51e260c0b59654a9d7b842e1ab07d76bce15ca7ce9c8fd2489a19be6463d + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:70881c97a4c51ee1f4d023fa1110e0bdfcfd2f51d9a261fa543c3862b9a4eee9 - name: kind value: task resolver: bundles 
@@ -573,7 +573,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8c75c4a747e635e5f3e12266a3bb6e5d3132bf54e37eaa53d505f89897dd8eca + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8640726ef7c5875e3b2e64c9f823921ea970674593f077cadfce3c45c9b9a2b9 - name: kind value: task resolver: bundles From e1d6cdbaf5a10383e2315f6abc195c899689e0a2 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 10 Aug 2025 08:18:11 +0000 Subject: [PATCH 294/298] chore(deps): update dependency go to v1.24.6 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index 40daee14fe..df04f63121 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod @@ -2,7 +2,7 @@ module cgo go 1.23.0 -toolchain go1.24.4 +toolchain go1.24.6 require github.com/in-toto/in-toto-golang v0.9.0 From ec1c067357f687751322a12105cb6cfae9ff56a8 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 10 Aug 2025 08:18:31 +0000 Subject: [PATCH 295/298] chore(deps): update module golang.org/x/sys to v0.35.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 2 +- rvps/cgo/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index 91169a0711..acaa685a26 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod @@ -10,5 +10,5 @@ require ( github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect golang.org/x/crypto v0.40.0 // indirect - golang.org/x/sys v0.34.0 // indirect + golang.org/x/sys v0.35.0 // indirect ) 
diff --git a/rvps/cgo/go.sum b/rvps/cgo/go.sum index 3bb7e1178a..22b5c3a445 100644 --- a/rvps/cgo/go.sum +++ b/rvps/cgo/go.sum @@ -16,8 +16,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= -golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= -golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= +golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= From 7e97b3f40d6b8507b524c956bd9dcbe53544fe76 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sun, 10 Aug 2025 08:18:24 +0000 Subject: [PATCH 296/298] chore(deps): update module golang.org/x/crypto to v0.41.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- rvps/cgo/go.mod | 2 +- rvps/cgo/go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rvps/cgo/go.mod b/rvps/cgo/go.mod index acaa685a26..190c52a56d 100644 --- a/rvps/cgo/go.mod +++ b/rvps/cgo/go.mod @@ -9,6 +9,6 @@ require github.com/in-toto/in-toto-golang v0.9.0 require ( github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - golang.org/x/crypto v0.40.0 // indirect + golang.org/x/crypto v0.41.0 // indirect golang.org/x/sys v0.35.0 // indirect ) 
diff --git a/rvps/cgo/go.sum b/rvps/cgo/go.sum index 22b5c3a445..9c43df2f47 100644 --- a/rvps/cgo/go.sum +++ b/rvps/cgo/go.sum @@ -14,11 +14,11 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= -golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= +golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4= +golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc= golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= -golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= +golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= +golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From bb10c333723a2957ecbc05918692081b94ca68f3 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Sat, 16 Aug 2025 08:36:32 +0000 Subject: [PATCH 297/298] chore(deps): update konflux references Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/trustee-pull-request.yaml | 10 +++++----- .tekton/trustee-push.yaml | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/.tekton/trustee-pull-request.yaml b/.tekton/trustee-pull-request.yaml index 7b66f0b858..16e41324ff 100644 --- a/.tekton/trustee-pull-request.yaml +++ b/.tekton/trustee-pull-request.yaml @@ -206,7 +206,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:e38599be9aafc4622545e66673c5bc2292b323834c5d852f4a39cb7d01784574 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:ca036c7232f63199824bc1a65126faad834bc3af030e5b8210cb057f4ae97d99 - name: kind value: task resolver: bundles @@ -256,7 +256,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:e1c03f2be119f8000100ac10cba614cf7d0d77597a04aa74bc72d91df183bc5b + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:fa90f4a5ac8485720999aabb00a1db4bb5da69b178acbc089870efc7eaf36721 - name: kind value: task resolver: bundles @@ -379,7 +379,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:4bafcaab0f0c998a89a1cc33bdbbf74f39eea52e6c0e43013c356a322f94940f + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:1f151e00f7fc427654b7b76045a426bb02fe650d192ffe147a304d2184787e38 - name: kind value: task resolver: bundles @@ -472,7 +472,7 @@ spec: - name: name value: sast-coverity-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:5f81372e21a3c6f4a745b723e444b6eb81a11bdff8740e0ce4b96ad42924e45e + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:0819ec70412034b7bb7ad2bf0d42b5c0f6904fee66599e03489c33350340c0cb - name: kind value: task resolver: bundles 
@@ -590,7 +590,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8640726ef7c5875e3b2e64c9f823921ea970674593f077cadfce3c45c9b9a2b9 + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:972990bea93c13f8afd279c0e0d4bd8c2665b48bbb3369b2c43acf194b851f5c - name: kind value: task resolver: bundles diff --git a/.tekton/trustee-push.yaml b/.tekton/trustee-push.yaml index aa2f760b3d..b04f1f492e 100644 --- a/.tekton/trustee-push.yaml +++ b/.tekton/trustee-push.yaml @@ -195,7 +195,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:e38599be9aafc4622545e66673c5bc2292b323834c5d852f4a39cb7d01784574 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:ca036c7232f63199824bc1a65126faad834bc3af030e5b8210cb057f4ae97d99 - name: kind value: task resolver: bundles @@ -243,7 +243,7 @@ spec: - name: name value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:e1c03f2be119f8000100ac10cba614cf7d0d77597a04aa74bc72d91df183bc5b + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:fa90f4a5ac8485720999aabb00a1db4bb5da69b178acbc089870efc7eaf36721 - name: kind value: task resolver: bundles @@ -364,7 +364,7 @@ spec: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:4bafcaab0f0c998a89a1cc33bdbbf74f39eea52e6c0e43013c356a322f94940f + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:1f151e00f7fc427654b7b76045a426bb02fe650d192ffe147a304d2184787e38 - name: kind value: task resolver: bundles 
@@ -455,7 +455,7 @@ spec:
 - name: name
 value: sast-coverity-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:5f81372e21a3c6f4a745b723e444b6eb81a11bdff8740e0ce4b96ad42924e45e
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:0819ec70412034b7bb7ad2bf0d42b5c0f6904fee66599e03489c33350340c0cb
 - name: kind
 value: task
 resolver: bundles
@@ -573,7 +573,7 @@ spec:
 - name: name
 value: push-dockerfile-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8640726ef7c5875e3b2e64c9f823921ea970674593f077cadfce3c45c9b9a2b9
+ value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:972990bea93c13f8afd279c0e0d4bd8c2665b48bbb3369b2c43acf194b851f5c
 - name: kind
 value: task
 resolver: bundles
From 0aefb1c49315378e738b23cb322feec29c172b9c Mon Sep 17 00:00:00 2001
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Date: Thu, 21 Aug 2025 00:20:46 +0000
Subject: [PATCH 298/298] chore(deps): update registry.access.redhat.com/ubi9/ubi docker tag to v9.6-1755678605

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
---
 kbs/docker/rhel-ubi/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile
index 535e77ab55..20bd152de2 100644
--- a/kbs/docker/rhel-ubi/Dockerfile
+++ b/kbs/docker/rhel-ubi/Dockerfile
@@ -1,5 +1,5 @@
 # Use UBI to build.
-FROM registry.access.redhat.com/ubi9/ubi:9.5 as builder
+FROM registry.access.redhat.com/ubi9/ubi:9.6-1755678605 as builder
 ARG ALIYUN=false
 # Install build dependencies from CentOS or RHEL repos.

    ZHvgrNv$!tVS{f(CG(ShOnTk6er3UU6Z znd8>Q{3&gS1Ro4!Gb_wk|E%9f5VMtCjB92|afhrN-pZkY8Z-o2d(pr&f&xuqa4Oec z?Y+9sBO8Dz!E*~pC0P?<*`SNB_~5SH_n2rRvb=z1FF@{5!d#N?|9hO{YkbN(_e2zbe(2Fx$QXmT!W}RIm z#9_sgwTi7`gIL zV@ChZ7>)!+ipr#ea1IfKde`1CPL|dlSW2H-Xo2kG>$4g7#rgb^sHME^v16HI9&-SQ zJBVUAy51%hflIGkEXh)z1cVTKdD;(Ipg}-uy&3 z;cRJ7G&Y)R5tmY0zgUOv-(Jnh-^|1TY?3PY{@KgC{F`}jJm?G~Hi{C_%@D(*Afl+Z z8wc!kzaIhICrT-Y6FL-7N_37WSj6Y^$r*2Ls&3yfV=S3Lgy_sB5)A|^_Ldx>H4i$j zu_TR^ZIh7(_R*Wvmk1@n-4~B(z=kDG^a4E_$Yix)+!h~FOt>{1#q#_t#tIN~%0DCL zs%FBOl#v!4XN_hL%=RFa^N{m_;)b9QLTEbs*>P?lWDByEU* z!)M0>w(hSV_~?1^ka=AqMI7RiK_3uytnJ8!n5($7{+0%V3-N~5D=BlT5`UFsO(K=R zc~)h_sAa{kA2xv}N{d{MJM&?bZk53p#=kU2CEfXu#ZrSlpb_iAa$?i#l+2F0cirWO zQsZ2VTpQap@Xpi=_iI%ns8!?Kkh6?w%hKTadS{0Hsr#_<6Y#{f&b{hAIpBmtKK<_& z8F?V7P9-P~09N+DzaN$>v7wn*I3(0`DU(-YfWKT8^|PT&MTp01`RE28AO;REVfxcd zt#a{r{OW1RPQNx}y=5DhVM=KVQhtCBi00*ARU%T;s+=+m$bpM5O!|mu^&@fvO5|6y zzzkn^e2M|kRL>qJ9c9$?(cM|kd+V;&jO z;j+M%-pd~yp-*0W&6CkZ2_91{mD7Bz{g=!5in4%YtW5|-DqdI6FoGRtl^8MA$%P+m zMI|mp9?gcx$z~PB%!oEB@ki)7R8K-%?UQVG_$Lduhmq>vG7ZtId z?5M7#jhF!H(CD6Wv(OIPKV3{+P>mMbK|qv5xv7I@W)Iv;MxXvY2Q9d_o*#{W%v@RF zFr$|&x+atbPNpCOeon)&pY&xC&6c8vSAe1b2wj{rM`8RBww!PDkPP;O1@~1s(Vd;aF+j2Ds!in;sM$k`2h^;Tr1eR)5B#9^z){@@EbX3^A7S);GfS+^gJaEp$;2%fq*Ox8}Lrb2=e%rlsZ9*q9n{#sUzs+ z8(oiyj~}bOimW9NNhsM{B9UTqQP7)5(ai%EoTv5s;0iV}+0VMiUXc=^qaC|scD}GG zf>I&YsRf4KCS10l2@s%teW*dg|2aUx<9^*q=u|bP%k;|nBq9s_Rmxw{IkR!7=TI@% z-Q$B%+$PquPyOWM=>sSPn&vV8%RWWj1j~tb1{))b0q}v)xd$}%3(BFl5ouI27>xrk z<_;a2Zg#B~29;!3YapZF$Y-JyyFkAIF_-r|P`=HSw_?@olA&kzAsrA?1s7oV0`-l6 z!F#=`d-WU|R?9}zK?C_OUs@*}JCJuht62}621qNs>6tNavb-V-S8wF#M-n)~Eh34K zsk(yqp$o;)BKslmOikRS5x#uHp{?-4v27T8^rjfHh~OyE(Br}$W@E`>QKpY@ZK#5o zsqQ&KU?Bah@Tv{qbj6cux5lLhU5r`^01Ybmhc!Yf?VD{fyXbffL*XM!SH(FX!2(y< zzC|NFguHk>Juym+Z3=3=OHvOhpUoI-)JC{B$n}sUbW{`w|HH6?Inb284cv+v#E&83 z9o#h5_y^!na;^0M!}zR4&h3$Y?}a*oqgmiX%Ok4UW?iQ5U(8Npi`s2^VTY3|GXB8sDG4WxS)IJxc&SOiV4LlweH zUK#hQOC63qy8m(q=bqV}j?o8hs&x*2R8tK|dqqw0h0Q|XQwHu@?ad(D^O#}Zwy0Jh 
zqG0Z;U6V@ub|mhJHpCsasUJaS=^eoS{}b)To2p+U&nU~g+_~ic?Wpj>dBXQtdiM(B zhs3}=RbiPfRsmM~PSsYf{9~A%GvRY6t~7TUwfD6w?BJ0Gp_&cc>`yfN5FOO#TX%IU zM0ks99>LFThbgx54@&%+?8qU>4it5$ombsf8wwGRbe2cr7w}U7nM`b7pG|)`Sp~iB ziQ3gP3T-VAyuX5BGVuS7F))dZN}3yt4?Ccus$@02T;**g(!=D*ySCj}hU-(6mlHGB zc0j0|Ci1E{&D0y3>NG5?Pb*5{Dz9$fEUu?Ix0&8ww}kO?U!&#mA}q2%O2@YQ4W8xu z@g5C143V)?r-JFWn`+3O^+{cXNG~h$)irgPrfz|QvCb>N7=%v*eC5pdjsrM9LCmBi zWskYOX3Rzhtw8jIHycpZ)(tl@+&uM01I5NeRsvcPsTvQ)8|h)_5vk{UOd4Gq;fRO$ z{oYT4NKhRX^P=GjoXrHeP>H~s>z7xot!1oTy27+256uwjMSgJkn+?HPct!8|7ZkWA zXyPEsg@Yk4b#ufVej`D5cz?V+VU&_<#Pm`_w6S?JJyMn`FYVfj{H_a-AgMYPGRJ`k z;>djL>m=dG7SLVa;=<(=)^VhWqCNGK2oOoy+`Ve(!T>T~inWoMu>emV#pKPiS8ndZ zy6WoFzzKw6eYVT!L!k+;YGv_(*JmF`%eCCvL z5cGu44{K&jdZKhrSNPI!M}GG1tovwC>~wwqgXqOW@{C*`ir2MBP{7%2yS_P#L0WcE zx{bVC8{6Oj{M3$l4gS>Q7eFAsr5@(bFWg_M$5up|;pjbcioJjdOLf#aTL1B53|D3t zE*ntR@`chLuvR&h$Z=p?O(yOU3HY{T({N>Hq)slmj7agyjt~ zQ%}26eMwO`73kcCF=t_&JfJmKKj-~WtU0WxX-*_9sdC;q|6ik5Bt_&Xsis>_Je61y zD+DV!fs%fz;c`2Dbj|%XYwD3nuXB|Z-PGfp`GCTcM`gdaVH22qu>Bi6G=HfL9X8X(mzXXNSN^@Ev8#~tcjnO3f z$Q%O76>qWF&vX}EgWH?L+55O(tH<{Apvf@$ydZA6Cey8+Om*}6=Pj6Me9kP6=6h+8 zGt0C|%X)BqM7ICr*8PTof0%_GRWochFZ#2a+YQU#xg?8k{YiA?W3Oa)WSA$T{L7e1 zdHksyxXwnqHIZ5(anRTw`M#R>AB}9AEtH?LK_4gF@+3tQk;BcxY4Q{73ov2v(tb=%1XO%L zS>~fDuV!a#=PY1SZK6wRobdA3kGcU4ZN;U*3-MdW>>N}3r+T-1DL`Gq)3{D@`?d7{ zB|^=S2|rom(7tT}5;S(0{U;VrWEX7Ce}Y?Pk*@DI8AeXUY%()U=`oD33qH^cz7wxU>YR{7PTMR@ZO(-pO zLFZ&MG6F_jn5p8?9Yvx^D*GX%g{JV|od^n45dg!@FTpV4&GtE**ZMqVO4n$Cfai*G z0Xzc3c)E#Geg!WGlS03cYOHBuHa1NaRMuzP(@m?Ta+YljK>;A9^2Lduz?Qvnu)T(6GBsO9ka2n%+y&a<2)18$~k zI%Cgs)7_EsK5T}ZH3S5R&g_JTTrF`*UbauE4LMIR#5R?3N2Y-ttu0;StPPNDEz;JQ z3zr_%SyzU&}|L@W*7aTeyl%7C@Pm;IhenaJLDc zg1vUPfmHS&Ar3Qw&sZ<1xaFvs=mg(3o%Dv**%!HWy@*IhlS@R@&elkY+CH3?SOk~#P0nACuzIcjQq{R*f2q2NScAm zF&q(<`2B0Go;Dcc(@)dOu>uwZ`}whtx%o`~46BwhgwExAfYR0#W**(~Lq;*{ZWVI~ zAL~P=Onnu5j36@(fwgX^Hkh;Nu5k@-0)Vg9V8F?GvTW;dXmB_#9;_+fe$(_qGF$fWYs zUnrox@jxI2Yxw06X%^&+(Xzeai)R5_78-It5Iyx?HWwXNb=GC>MoUJ^M^i1l6ee$R 
z0}O?|9p81}7{#5aaidk~+EO1*p9dKG<^#g@Vo(q5tKwY_k z))2iV90i+aXi&`%Wr_1@a?&P=d6&Idq`BTy2@qqRoN6Xw zVAa9hX`($-K8nhVM95L}ikEdgoz;S0=~ zm|%$UH3&xD|2VsAP|4&Mt424j1_G?Qz3i)o33vY`&_)LyW&oyX_3Hi{SsWBbd4<3w zIRXO`CCM>Vjz}n#B0pSkT+i3s4Vq;^&IOj7kbbxegsz^UvcgZ3j3FTDG=nLsc{D2? z|MxBn5Pc{wK&2RAkavh}vtFzVp(%NBqunr{=8zKpIl;HzMG%af6GSK2_@i45c5XUOi)emVw-V(T_qZqo9GN*H|%=w6z-wh}Q4v9Y?O zXi^p`|5Sao;>mSvqaGW4j*ciNXPAsj0E{XD?)Jd0D&uucys@Tx>dRJd`F z$haGof)I47*BxK#?P)t{%+$FY;(r1O=K)}U`ulCnl}h| zBdqz%XCA7k7!ga7j`l8zOf3TIZ}Ya72;-kE`y^lGI(7YK-sSD7_Iaywgv8)79t9-ebDgrV@dGhhgj$XgPMqL84`ssA=>3Iku1Z1bNf`;^9@jwe`*+yh+8`UKWNx zMT1@Qet~vCq05VGIM|I+0~;*E=78m$gG)loAJ>;h0*s||2afYd?U?1NeO39itiUcb zXqzib1(SDO8tp_~JktrKkp`6WMWJmWt?g9D6j(dIp;@Sx;T{mWU?2l4D@=NpbT_-< zy~$wv^Lc;j!|p4_+-zUJ3!v-16&~NXX0WU(kF&e7rhf0kjAX(^#RYC)eLmPj9-aex zMxe--O73y1HnpdN^iGbmHh9l;?#0miHv2Gr&te6{b;xq69#CP((#z2-V-?~J*Vths zB8mKG7~!(Xnoa>7wYIS{#&nG%V6t{$2Cjr~ z+nHh4@LA@5tmu=iugNsK6}EAEXFZXn#aa-fXpqRu3!PDwLDjC1XHnShX;lHsWSu(m$Y=k4~F4g7<~-Du4Xhi zRKlIqS;dRqM6-Pc+n4CvXP%;tI|CYVsEYdh!0HD@Or_jt+U3t9pppu-8pFhpkX1rb!K)|=iX!XjR9Z+R);j^Ui&P6%o_T|*cb^grngt8 zF_nX4?0D5;_W%Qwow?KB{2t8S^ULo$X0z_tC(%QHu^Sd-t(FGp&n&O`E^IXdSbKnR z5D}XixZ`NAO|c2rUczJ^MJ3(XRWR z0mq#Y`CQnfqeMF$+|OtXj`N@F?t~7u_=pSV+>MO1Tyq2!jQ@)tvp&kEI9Yh1GE4f> zgALZvN>I>i6fCX0y_S3=jYVgvPvva?+7Bi-uSg zUSn0K*8B~`tB%7b*TBHJ#|Ty)%>mSN_UOLgxau(Rh=Q90&Rcn3pT?N`sii)7c4PwA ze!7btu}#5nu*5V7U1910Rg71&K(z%L;F?-4@u!Kp35fl;n62{qLAyE>E8L_J`z#2APWLM}k4iwD$2dE5j=i#EG!v$dhGz?@Sh>Fnoh=8J{4%`f?CFpO>pY-C7 zyABj;)ZB%e=Z7EDES79V2dwXrKOFv3O>USA_;1>5A+cyf-HpXX^5$-?HF?~xme`B; zm<3HKSUY0AHpu8Nx_QOS#O~Wv#W?>LXR@Uw+znh4|mRY$i5(7GER~@=+oWYO&-c!NB>mVTF{x*4q zDVlBN0W=Wmj+)DX#U3S~r2#7`fzsN_Da!Q^tVE*;N}GC~W&&3A~HUh40^ckiJP$>s$HWtrB8E>7DfX>seb2oeAz(C0pc+09{lLH>SJ+iY29QlBt z7&%xJdN}JPu9aw`rWnzver0WjOG=vs+?l{(%@S8nbBN$Hmm51;^S40x+%DI=vP8}= z&m6twi}gPEA^OvFE;=r%skx3%qp0{-hL}>^P{uw#0++36RMDg!AWY6|&EJhrYzB9y6I%u|nsxE(R&WM*+41j_Y~)4$G3NBuU87r7QTG7cu03zEGQ`boOf zyJobNUmMiWZeubmp!Jhi0xpIK*vi`D0AYY5Lz3jii=I9z63jqdYJI1=F#5+Uh8;EK 
zZHr&H%Vz}MFQ4TAInHTs03%HwQp#W=ArUa41I#uHsOz?fpS7&KoVrk2*5yeGupV?c zMK(NaG%a4d!~rRN#U`h@Y1lY2coRKNOLzDqAP;`Vj{(_R7xONXXXKlvgw5H6^U~B@ zg;^a^S=H?@MH57xLg$p!$Ta<>rZb$yAMferxnkW7cV-_RsfG-8`TMHhJ+y@((mq{J`4@&_i7w z&%db;6|LjiFwmhBh*~hRvTUnc7$_4%?L38Pfg!~m6iRouZP!2o%It0vi(m=b-W=Vv zNg#&Gn*nYdrn@-r=Q9-g-aUI0FD(wP?ULSD(YHh9Y!)=2EWcxt?;F0 z_wq20cXBJbo$=sj*{|v(_l=z($d+Q?gBB@Q^C`Al;}daMiQ2)ee2_#R8d@>D-_n>7jhoTjjv+b3L1f})PW_5i zj+Sbd#=hl7`mxv}>4H!w&1=ZD|Lf5O{r?eAKd(3wS0z3;k_u14K-y8w04R_Y^wJ5H zZUhJ65=QJBSe6wR;Mw}MIWaV>eu9!XyJ&ftSODf>4tl-zOc0bna5hw|=YEO_RieCF%7c? zk*G1y6k@e~`a<`qfeyj0BLsjaq3qdh1T!}bUjYm>o5Nld-4~<#y>xZ(g-cL=Tew2NbJ#MrmF79Z$_uN3GeVQ2$K)IP}TZICK+JQfE|bSH00jVx`K zt^Dm7MOkXpi}#9s8F=d*-W6a&R(qcPoX0*bL35BU#$ZtFY*8{aFWWhIQ?v5xyL;s| z;E%cc+j{^yBYx**ztqTL;Fk$vu zFTd2!HV;eX`=9T^%o3vt9m=lDu+m1T2~m(tSQ}y)FdlIbLL1Omr!YalY40zM^-x@C zt|4ohZAcr!mmT>dpyM_J${rLlVGsuA)L48mBaH#v8&}u3$_;PzHH(^zmTaME0NOHo zm&oCYd+1J@cglSgx{o><2vHCcH?h(kePp=i2$i(S?)p`&K{X3rJ=g{+iMvg|Jk^EI zht>GefcJP9B=p44-H_A()89kv;GMFyLn!HhTr$g>!39o&ClQGPT%!JL+_bkxI?7B( zeZ6a-UliK?yLuu_rp+-jf?!IqUZPzog}7PJz8R>+7Y!(qd_RpRy|iO9w^JHP6ouVv z;bD)My~x8M?sHZuWO-MdKf=?DyxctTb>%v5qzbSq#`gEwG zX}US6Lq023Pqo(o*1!)`^^b`mQOKr%*|yCB;;_ba0sQU4==|fQ01G6k&SIQsfymT~ zX!v0Y+=CotjJ*!~kj<#k+WWT`GWpfOI4a&;V)JgIH+gTpm4=KHO9?OIME^-XX6H3j zkoX>akwpv@yfk7?Vm3GnB`z(f{xs{TiwW$c)CJ;+2^wsQ=;lFbp=BR05PJ4^|EJBn z*+7TB(WYo+z&Iq^xObvwXXcBp6AXXC_5jE%K?R7^{R(!HLT4q4%L*$sN}L-wqQ?mc zv6Je{%h;!BF_4Bv%#ZtE2(;h%sh#CJbTmakVQxTzXl-4VsYH()ZOyl&pTDN*i%+-u zx~h^He+-@f`;d)-<$?Rm&i4alkZR!g6GD$^G({lWE$5o-jh`lx2Y`O%M8t4hY`HGd z@KX?Y2&iSDaBbVw<Ly38-EHxGlilHWUng!UO}0*<_5u1qSFq3C#3$$R|S}hriT>Yvuqg&(^|k-fNL6 zL4ccXK@XO4Q8nKsbRN?aTJ7=H>;)sP!G^ z$@vk(aCzSb>eJX~&0e`wy4@%8X>|i9i5l!Pa|+hT9zFTYVvnlTu(`n*ff9ni3HSU- zAEfs(doM}BB+e(_V$`XX>fb#EwQ&G_T>OauO(kmz<}52y*~)7OQUwtGDS* zgV|)v-Q;q=vk}7oAiAn6C0enkk2nhoMruoOnK3>3^Pcu0~@ zUXBFj>-aCFT5?^3%XgQJIUALEH^6cR?_D8sqpocW0k@IRBAt* zi!_jw-wu_sK(+(MBtTFnrV3x&g%xK~NRiY9A_C!F;dlc_> zH|TrZ;eO|-7F99x0cDMH_u3^-g*!UQx-M% 
ze>ya(!BYyj9_xeSW4gll72eR!5r;9gF`nc@IW&FChc4ixH(>=I^Ay?p&AbyxM}i=H z8+wB|J=9QYRfev)BRAPU1p4ph9 zk%Q8-@2(QXP)^<^f?Bzu|IK#jbbvZM=|;vU#+v zy|}o{Ej+i)hzCfR&~0J%#>>x?-ZEa;_v1ku zsnjK?R2ip4elP`R`NM&BU=87NXmq4NVw-(bd^U*(u5d|bflJ_exR{P8!kZp*UFUKsabrPwh8L5lhP4f}! zuY7%4jTv;8Tcg8ZCCsein`u)yH;FyW@|`K+#JqlhP@3aJ2^J;%-XiI9(>Ri;<+FFP zr^$#|C)*+x5i-|gN<1bj&Ymo(YceD*H)}ELT#S9P#sCknyPYKyq3+{w_q3p9$4Daz z9^G#%U4(D3tc}^UvCK+1Ot4Ta5KeZPWXTPeI6P425;N{Y29#)QyUX1=`m)ANcJ0Kd z#UH1VMk()^<;8P7+67v*TLnSRG!!piTP3s_?Q6!UNmRt5>{sTljJ%D;ezg5MI^?br zh@05?r1#8EUkWU$*~)iHQ#|A%^rFkF)4OHCXF>>ALzGLBLg9%$PQX0>=oIBRU2tqx zQ)-?$pS93R1`U>6j9ZZ=UG7d2XDC&(?V_hu5CE39&1#_E-vXn_wtla=O-{|2-6)qh zIouW^K+@?4{;X>7DJFMvZ{DW!CBkQb8_RbBZ7??ABJgZ~@&v=o9`<#o=+d~! zlC6v<{DZhg^s(^7->M)2*>1eE7qaXyShe6e*dh*c_cXc{587v&scYT)$Dxas*@V7V z9QVfgRJ+ABA+LrqtYd6A8gI8UV;38-RqU!vhtF8aQLVpy;V7v(+y|2*VL5U<9j;0bfy z4s`JeNsQU5qp0(w52l*JQ3O9IVnWsEGsU=8r4rPzt(Zrj@8%xHBjn>$D&P2rI1!hT zMQ9!Gmw1oUAk7+4cx1NB;It#btSBXcf~m3LI4_)_!z8f*1Cs zaAd%)-){y?-geN?{ znzpJXWSC~_(^{y_&^~N$QYl^hQ1`TvAje!mFi*O?$j;CWHJ_m#6zdcjXfwzLQX~kV z6ITo0C~nd927YA&v+qHhCEK`YwRCLxn1*P&{BgOqCZ;y|;o}ft7y(K(lKyp_!Y6mR zao%4F*-|JNI+K7(@p$T$Ot=$xHjN44QAlctJOhuq@R2oV!7h;PXr0an9oLq>n+WBy z4y0Vn+k{)w_;$uHIfrrFiMn(l8UJ&saD4kc*GmoKaSP;L&QS-9=R4{DbmLGgO)zEH zdF(4Mx5XCtY_Xk~r+j3)T~}LeOGg@)893ma79R>V^2cnDl6Z6_HZMd=;I%;IT zE9@}O^B({_!a<}?M$NDOD>IzHt0x~W0x*kbgR;9HH%plRKSUv8_S~guf;&&xephY% z`;3AGEGEikxz+T*uVd}Eni{AKkEcR$b-(O479|RQQQPje;w*9%^I*)>m_n=ufCeGj zPME&SliYbuS(USci6$GxE4)`Dw-^$50ZnB}j-@cF!Xr;9os8mL-Yb_kU{~1KJ9la!{B&!iq5(_v(=4iS9CNTODLo7A!CMXQ zlP7$INZ$xkif~8kZ>Mqq^@+GsUrkXJ9r+j5CO)7nTz=gu*RNMFG1L^e07a+g`j@x zo57(tG&AXMgeowg6CTU}^E5dbc}rA7BeJG z-~im7#=L~i@MNO}{BiE)=(U^`Sx??JKez3grDzdA-*o;v&A;9ufv`ix9ldE6rag5F zSR+Hv-aj#Y6|*?%KlvpOeIWeR)`l+se=t%5O2o0ED8mp%7!g~|TG#fLUpfM{C>j<$ z7#j^*a=P=4^k?+L+C}sDD?JSzPRU<-|bS9@8 zZ*O$-$r*`EOxP-tceFl`wHi04>4Prrr)kRrPsyW;e4!m+2E~Jgi`^U=PvEPFxaPsOlQ2E>F;NK(Eq7EXFqqF|WB+skz6Z9fzma=$Tqpoxh; 
zsD>+C<7sJika==xtM1b9VyKM)p>HEME00CtQEP}eC|=Vrf=iz3_|YOxJEP6#j+Cy% zrn8l+y4psUsg$(;;6IC~C&%)D=fmR-ck=GyAo`ChkAalQFi-Yl);G%P*--!=^@ZHA z9IIy(7uL{xn2l;u*raxA0X#SCNi`W|Atl8!y}2B>PCq5#$K05MGI*vR*9aCD8H3-s zN#GF)J8r>1VsfeMHkRMXBxu)LYV~#)=QqlFa-t()I+v_Fux8sPl-=xb2PDp%|Ap^p94BTa^xWhf3=mZy)hrFw@&g0D9(Se=48JYkIBO&nhroHE;^7Tk%8Og&u_wb=`ZqHS9c zJ{$Z2%Z3J&Zh5o0Wmm)6Cq&*lJTnJaz+e>|5anb))HdoV3XaGK8&Q6o;3RsQ8yIvy z9LH@f!f;IzC_@dk-+v%3sMTeWg*sM9*5Ho3vAf(_@pcCP+*ux_W0sGt9Y9{M8TyS3 zO?|D5T5VDvnF@~O>^k9bv-*!(#AlpSw#OZgkZpeBx`ezIxN3`8KvMq35FXbnhXyTr zbm;XWSz}>GN3Sa9hCq0cil~Y9@`!e}!x9}&K!?sw5nfJ9V_&nzl3D6j=~)7A%1m7GBlkT#Z191aV? zToIX?KFr)=kguPz8Jz)TH^v1QT1(;LW53qNM6E>JzfrG`uHkfgOT{T1qAjMCH#HVNNNj*PeFWc4$23S;>?gUufLP17P_|Xo{c;zu68?N22cd?hSCg<8}#` z1|WadwDwMaC?KXQ9-86D_7J~Z3rrzyt|*O**NYbEngD2TdBJZQMAcJU$F^SLAn#(S4qk-Ei0QG2V%OtjkqZHRP=K^jnwU%yM7sP|?50LS^x zEj6WX=N^AC6^@k<+c^B{4|6fM>nKLCg_~Ywi-JuZ0&QU&M5?xYOlreTtElh$3fqJ&IW$G1x3n0?7W4xTuSNv-XH z=hdtxt+OD)7rvxvrbEJ4qT#}xl3?)&3fo$&mMYNjiXa*7Y|vj7--Jp?t~kKMH0CcP zIc+s!2^iOxMzZK}3+Mi3!Qi5VnZymUc{nw02D;31cC{31oyC{-`3nt8k=9K=3Oy%i z|5wOz&w4e-%E!+gP(yX*ho_>*GY&rKNj<}9Iw6c!l|(7;H-*zzJ4&IwbY#CL_$b8% zl{Yh5!a%r+q)lXKo@TKlC1b;>ARyxdYr-cVLoz^r$Z}4dwcJHKoG>{8>wy}JmczF~ z9;4EVcH`6fmD16rdf7M9UMK=_(|oKs&w}dMST||UiMB2E?A+R!XX15Mi6m_sQ{qDDASQ2)ZwOkrerf_gJ#o_3j>etJr}qTjZsP+Spo7;r`wc#2gQNF(Y>|IJwaeNN zbrC1@;oq*(96-aVdmo@)zCD(Xv7EU$n5$@IP1ZR(ur~DwvZP!5yz%9o*9zQeeT~w= zIXm4@5e*zJd*n2&XV@mdc?mk&z{;3r%&%hR1cO0GkJCVSsnWFPmZI=|@FEO)711K4n&cs0iS;||ItYAR-SlLU% z#QUV)S~d(@)KdNtaiIMd3Dh~t4`sxfdbbsO^lk^K`G??1LAEcd{y>j7eC2NhW+h=|;B5gAKOfQ95X1MC!U2|QBCc=-f@NQe+c^|BxO z{Rk#ml)&liT`HmM&0C12LVY7YmF=UBnUcsxP7_cqS`u7{V$Us&eNzBYix>SWONEy1ehyygaADHLe}!Q&z|2&iKCy!e_$J++U_LR< zfZ|r-H|~>7{FU1&U4T2oR>5Z@APT~^j5vyCy_19G4@4sb>q*<8@J5KV+{-1UiQlr` zLv))NR*X#hPe`G!&CwXBH?I~nX1Mpx6hBzN5z9`HIY3ZqONGWKUD(YMFaK}cLs*#5 z-z3F{as6vE&p10}=zVm2rtXem0@SCxdNYDK_i&jNm?cafsMC$Bex&{F;LIrAmT4@v z+Ix|HsFo!`uxYUml{ZyQf5{SBx9Um=Qd)e&MRxDZkh`E%AA)=$z+}>?mBe1$RJ}i? 
zhVVKvnfR6LV|7sNB!ZhWQ=0w-C!KIJ)@2r%j}OM9)>WfMzFz(xX3EV0=*PG<9ryuQ zDo8-f@~&aQ(>l!yY(}>=qQXK=G^$RGblJYC2NZ}8nc0q708l9^!-Vy3R8-oUabXra zMG%I6r_%W2n$U+HYL2r!`(pV3A(te&0MykJ-+6ETvmQ+89^_mIwLnYk8nIYeOuRMf zb;yGIIFge=qAXtIjG`|v5WFU%!vO920E%4e);6wEOq+&haf0Nu0AR&k7sciZz>5Bu zlt%(iVjVAzWhtTVln=90{M>kK0t9ul{Ja3;A+QP=qmjf>tFoT3r@EZATJ>3BYNWf4 zs>o5v?IEx-0?;V-5KQB`6fcu{eeF}B3B{ZT;*bkJwwF$cL zOq;_=A)pcO?xS~Dt3dR9X%^y(ZHEcP`a5g~H7bt^ZWwN(%J?X$0%F z}B}0=9?S}<-=z|J6OFT8!W?93fI#$xL-F1z0QnrFfqGfvP_H; zPX#syF9e+(yx4qZTx{6VCD4mF|3vqC!=+5$8YdduSYc?}D-P&HVLrCmIE>D%Q5oVJ zIXy@9{i)tEj7&yY*K-;rAIiyQ4n?TJW$STq4;HZhOKHfG*$1lkzYy)I*mIgO2|+|1 z&R!+xEkJmy#v21mwET4jC>@LRoiY{)80DU(0XD9|mCOacDs=!1t0|(xS{PPQ4$PTz zfkLy0<#QH@e1yTxK+Z_+3eX=Q7lV1$(GKg`3Deo_L#uNpFH6t4SJcZ$&S6Vo9Nkw( zksQ;6GLm!Z#O5X9$Q6r2+0@h(5RsT4NW?tD8KZ|feQi{x17pPXnw-R$Q{q@e!Z86G zO=Y%)?4VY$oFpFNoJ(7yEH0E^y4DV`vDrPwLKGzMF*2LyR@?ZX-*9GMxjHvVx?zRl zVc6t+f=`U{*d6Ic;&e11V^P4Te1TV*Z<_rbv3tN=NVm)4G4Ntqe7wXb46I#M@2L`4 z9_jQg%-%BPSv(5y-o*V!rrx3=b6l#^FNL*-@5(YI5u4$l!GAY$XolUsOfhdbaIhRB z!Y3!3^vt6WWrjV<0uwI8Et=$MJ&qAAHUGXe!Uk+|rs&&*ak!AiPtiSREWatamA?Gn zlFZb|0;?;I`20enC@}dPwO0P%#D+D-4y(_A+%v(WzcicaxZ7274GKBtLCtaIL*)>7 z^Moe(l{v8!Ex}lRn{QM2atb0g`}&9zsv31A&{R--7yaZhXE$<3k5&2vRbPI*HXC1y ztW`$KBc?=HXO1o*AL;rOq4e})xb_XTrg?F&dUmi14NgVyFX25A(eiFF}! 
z9A(>Ro_Yc>5pyO_SBQbZMr4PKHccT^oqg)OtbDg}9e%}E&_k{Kz$qWKUm@Z?EsxHDn(5x7f(j@!vz{_tb} z22fVe5J_${b{Etr0SQ&Y=2YU^7E}w(@Z6D{3b)L-8Svm8{heV~oH`IA{WZ?=AB`{U z3T^YH(d&qQ7XlvlHwU1_GeRN%7N7;TdRf~X;*6*Cf(Yqfl@lUX{QgFQeH zMmHtFC&{!H>30H~oH$h6#)Tl;EPR|4qXGmR=aT^I6Dn($u?bkaY%g5qE-&FxkP-2- z|Bz-}hLGm@uiVK6SfE8lj`9!h-+pgN{U+mxOXA=@cG=r*MCe(tRho#_UFTdepO*Ld@f2Br=Nv7uUC-9S(^2VeWG;59qV#}d z$>H^oR>h$I#u<0ei#zhycx@sG*JE$*tshxJldTSQvc#7z>Wu=3%Dvt43Tt$j0?KGl zg$qGlswhdX${~EN<0Vol2ng9w&{bUKE?kcpb?5sQuOVfN@MUWHpspq>yv#=)u>U|4 zEu*mB3O+(^pH8CPXZzH~e}FFuM`V1fR4_It+N{5ZKx_B!OE>( zXUz>UJ!S>MjE4!^UKWc!R$Zg$Enlp6LbQZXk64WYohHJsiouA_NUv6HYvwG*r{+|Y+h7a-ta242#pw{ z#%B;DQR8peKEI2BM zLyWR9HbiqdqbZ9OCOQ8gj-7inv&h|vO3ar7)nf*QEjSss8170!4p#9{uCE^wke?)L zFGR4Ecx<4hMJeWWCTBu~h0Gv7e4RmblZUmACo0~wiF@D@d(~19{#0Gp)pb0JCLkmb zb3`GpK0L2wEB4p)azQN-)ShbJ0&Xq||I?kT2C;FOdn~9#vsjKqXf#w`8oM)b4fJnb z1{*1F9pIm35euv`Q~Z)}@PzmnC+jLRJ-kGx!XglOVyVo!I`0i^ zrSUiGxq0`NGc^>c;(n>%#jh0)tHqi(~(yv8z2~L7S z#(MY|DKZ4K^x*6=Zb8?p@}Sk~LD8F6&E2)wpO{vAM?uynh3+#ufYZci$!>@KVpKhP ze+6&$!ZZiu2M2@fo7m+o+@7djB^;DHZy5}~Z-N*qeRg0^weWWhSv6ASAHn+Jc{oHg z#Mlw1QCNE?qlDgli9uZw32BO-XN(zr-VAP7Z0oUI z2VKn36wiLcsi$KuT$PI$q6@5?W2QE9 zG%IX4KEt=G190XySZ~K^{@=JqG`yHYl3A%|?m8lzBFcv~S>}W0Mt3!He?eY5c!z%g zX82!ALC>w^GS^SDaK$(xrAmhG8=;X;-^3V=aiS@5*o_t?|%)$(ai zKvLVW6F6@c4yaj99{jOvY~jn8g*Jd_JP53%W|#tyJrIk=4Q)SkfXJa zzg}FhN*1t~sIv6uX5n$e8Unao%>>D`kF|#6SKTQz*D>dl5$>vu828X;jAri9iVjr8 z)}s)A3L`J;-m&bq=2iVjXGN>vC$7N`cxPnn0d@=@?$ndBZePgOayhp zaAoOEa$;+!QN!A5QurGW(##KU9`fFQ&(*~@oG7S{YX?zfici}mJ=eebJMHlBX+-B> zZGJ9)sNF!21@kyE5-;&6pDweUk5BG^l{RhxXwq8=H39r1s{ zmvxwkTpt5#<4XC)BQ`r1_#}j9VHWvu*1KR2hQX1;7$dcA{7)PJ&=o+Rr}fkU2A_Zw zhUYNyp!hHuJ}EtIdLa7jTNYw0Wtmzr2L=tT{~89|4-O@-uLrm`?PT>JMo@s~f?%5R z5CrUR2hMwhT@gMI5Y5#ATqV|6WcFnwiMQ{hmn~R`mkOHA4mwb6Z}_zh<}PVbFjo)* zPqKwyyhye>Mc$@Hr|5j&lvT~r1~d_H5j+vn><})b11i%AR}Nr6QZO+93Lx4V?Is!% zn}h7L3U?fd8)kH!Ira;;{nN(~E9wqX#f@>t-@zwEaq9vapQkyI4&UeF1$fMz-0W<7 zJ`7Q_O89M!f6;%3G85IF!a?EcQ(Veek0*#Mv@M4}R@%2V3M 
zTKpqCL=_f2zT+U?6~{ASrUSlJxk1^TN%RBm9oIbVj9a~7R*cSegDa1c|L7z2#oVjf zkjD%bo{tn)wtsE71P#OI1ug#cmd)H>iz$)fDNZ!`J9{*mLrdemVTzx%Zz%sYYF7bF39t$W--oc#zR{%~|-tn1XyU9EJ*hV^};Jhms{6p${#BBb89%Uh5 zm{&B@GX~q;XdD**(H$Q)&tpo+SCyrw6-oy@$)?LtZgU_?5smMvy02ygaib4vx73hMOmUAy{6<@&cgp&U57 z)ppSKGbCqjxv*G8-ymA59IVax$`tW!t1jAMZIy5Ph05h+X1{%T3c!>_V`+H12F;ir zG;&WO2>`t{}{{B6l54Xt5FgBI`!V`0mp(^*=lWhv&Oht9&Z72IzBC!n` z@L7gn*bw5r(+FLU4xT=j$@zOGi{j~EYq@Np9|B%1{?v_+goy)7U7H(GJ^~C`GCYV- zC4(#leQ~sfJ3XRidBA6g1O1T>e5l%#2_+tnF4z8Jk(eAAm8wOJOGdonr4q4gKrqbF zCMU**FmrDx=HNS~G5_`!NCKpy5ZFv;b6H>n_&CArF#?w>2-I&^#zWNDQOsp}DcltJ zM6@Xd#yPV&Fzfqo?~*$kR=ye^n1MLqsxh~)Az5N?Xa@R7Tr(ga!P0(aoCGcnnRNcR z6aAzKt6wm(`wi5;b-H988$jKw<^9pUY$RP|=qHk@eK>SDUPQX?UYfCg!Gi7YdjH{3 z?>*GWk@j5ssNdmK*XUuse6Vw^e?4~&eI=G$n_rkQ)|nP7VOP8a*( zjK6E0P*UIZZju(e$B+lD&SFAT&^AS54aYo;g z`|clag>PO_>#2<69 zr(-p(XzFpGw_4n2O|h(Et5X&kza9{W1*Z_x3TXi`dW;h-Z~{H{(;WdRb)F)t2-Lz&YB!yh_734bk+v-Kg^@(Mxy5T0+wmu)i2Rv~?hsaME&Vs$;t zE>g*XYDTm@K@Tq)fil2uHLW>t2KuTcoO$%h4k%Iiyxc!BZjT(&n7ie$6$}al#bdfe zgqQLYJ=c1huG81V9uF78hX#g;xudQcs!%Wf4bP3o?{&>1@t*-pC#>tdIT=AYS7AVj zdX-SN%bI|Mjc($n3x@;xh^an>GST#>Iw;q7(w~P0JY+AaVL2t6tqG=i6_hl1S+Kw) z7JqEso>z{7iR)LhIDWS2+(BK4wE5|{)YDku1EVg0GS-NE!vh|-6LU-!3<-w2&eo!+NTs>#I;MxwN42o)%%DL%07h&I>< z8bIN2Y^1f|AF@o_+u;3;1)6e-6aZETaL#Cf+5{s*#jCOW+uP`#-(smayJ{=w-9B;{qmiVFCXnsJ>`37xty5mld5EOdMX`&Ca-*|m&Og~)$*=Mi9 z+1M~VHY@uL!H4zml@EohJlf_`2O5G1ucm4P1HFg$|x^C+Ar+wk_X8XR(d zwc)q4CRd?w_T`=4)5oA`STd_lvcLQoX*oD=YWSQxw5x^&)ait@E0rOV_7_tJ4J6v= z@{selIRsxax;R6onPiAGHpsT}r@SMvx@`I>MU*Hzy* zqCT=`ta>Fqk!5|6mvaT3%jK+Dp5<^s5}nAf^YOrd(>?lsHOPht7krcAL=qB7D8z?! 
zfI0|B^9mGDWm-d)&iL>%;g72jzodWsEP*zs+8*-^I$c+FLpV`FvTB0F;t3vP1sTu; zxJ*>3kU?$pSOWaV@OM<_oQ~b6$cs5ANufMw<3X3}4tA$}Q=@Ek?c}cE1iTtuiiZx@ z-8js;8U7llSmi&Y$Sj_ZM#ubeREf%kK0rh({&N`aQ$dg+xxm>-`1b59`6q`dcqf2wD z9dNdjp4|0_H+;cS63n!K8-UO0O)Dn&-lzWs6EoWNg^NJ(F4q8L{B zXUu#oBCRVAmSd9&AU_EeM;e6$jnf>x3do>8)&-S+PkOq3V22jB__Puh$I5L03-e$)Gfz080E3cnS(Gtjp=_Ni)M#QhD7;yvw zv6>P$v^IpX&J&|E48K_Ui$zu*P^)yIZ3~47$3+3|u8;`w0yeDoCD3V%G*kZXDmH@S zm=j{t29Gej6Z<$;ooISC8s^tKi|h{4mVW12#ue@7`FBg>RTr_#jrEl`r8ZiTt5#(s!jA|GYToG&`D-q!LpJ^vJepFNLw-<+gqJ}@1 zW~YC*EuJ6%Bh8T;MAPCKR)(fZ#X46V8=ySIHA=0L(xOIO>+?xslEqON^}03zK-YL; zi9kl$PeJ_@AZ?3-3p^%NLwF0o(Wm%J*iXV(`Te&&M+-`T==g{q@VH{zz)~%)#C$H; zYlfqL*wUi>tQG_R3}zQ0pN$?q`wp33=$ok|OG)@tP2!j^+g537v_)=wB!8AaZS z?ReGm&xCuN{5_$Ju?mK4W$<_ZdS1ME@$#Y25q+TIuzwpe#kU;SEw%WRY2r8b84G+&-lW;Y};KNC+&B5GHuc+CJGgiqwm zau@$3^@3g6qrA|=w;yI3?wSo7yuqGMBuuDsX0>iIz)(E%HIM3*NWRdvg^YgDfP5MH zW@_XW_{KcahGpid@TN&^;#Nmd4 z?%6(Re*ZsRIUB9(X}6_t*92jI-2W(x>%#%rPensF}T$IE@EWg zN}6AVL#L9L3p!Sabc5-lg^`^i#!nU+8H0qbkUKBX15 z69T^trmEAcz8NGxXwUKg7DewD!L78o7@zWd9^?7XXhD$UYw7&ko1e`K{C+|Iw?Js| zD|`N&S;*fqx$?DQejXx%>KCii?~nE7VpXbi80zz6kJr2$f2yw-_{{Jeel~D`0=EQX z_PPUjT@Thhj}`;@SW}Ls30iAgRWO0v+k{8@L1cU#f41A`n*sK3k{LC|Y zKfE@A+Ij1?bAFTIt_xK*|+vH z$GrV5W((R?^%9Bj9&2MYB7#hEq!vaGsQXIpLJkf=gl~!c9dcFOMiU8354IAv%s)9F!p$kSQBrMgt6Bm@M1PvC@TDSP!yjrv73)J^KtF{2Zx@?5XF;2k zEj;NeHo6i626^B5WJ1n|$se)Oj(o%yzb-qRKESR8#NX^3+{Nv~FKesR;s z{&;h>BfTX$r>GabrL_EU$s47Dk9e-`x&;{`eRv|b2SH^YFF;Wg)HK+sn>J``*RX*+UtcgCK*_?8X%DR8H`muG2e7OnXNB^hW@Lb|Cx*kqCfw^=vc zeC%PuDP)wVG-AlffTuYKVVsK8PHBiv2m>rTNkj;;0Of$A4^RXKPY7TTInr{$6VP+> z$4J5xhO7jPp8)`wKfOqR^69w6@adRM>m3O&=+lfA(&_>m*l`(fHvrFq7H?%owJW*1 z`ddKbugG7~>R5aznSw{;3puj)lxB&f5%QWF`>&MHI1}scxP^an=m z$mO%At1&rT$#;(rm8NNff6)=H3>ea6Q^((n5oA6n99JZM>P_W+r&HMnlqI=wLg0+q zC+;hN)NCLbo=h!Ce8SncD^cSE=SdrbC{A$PWRC_Nh%`ggxTGOQ`XSz+Q1~*KpaDaH za=9e0K{RJl^UjhNG6|!DI0(Oi%LtoThWUW-C|C(Q6DC_VCEd2?=4%XD_uYdKHOeTW zZ7($MIc+~%(t#ZH!s5s7V7&$Dh{d9)Nb8?rQhKL{pPGf@k{q_<3#7!JWKwoe!KaA% 
zk^3O!{SX+@`;?`f9ZDH-*8XG+KE<<#k*5-$q6(EJNC{mpYZcjl8;Pm3aneIBbnU4+OB@~VXrMg&<)2-861>eZS7IEL3h%?t*@0C$Gfz$Lqp zPo3&?Y;yE;j0*E~q;Tiy*dXik#(t%W3Vy}APbu$kZF@YEG8DU&W55!b!b*b0kykO) z(FDt)hB4JA1y_1U0De)Y;|!{li~51_g?ATBDgZCbAqb}`V7{XV%rRmybhHqG*ddK- zTx3#rksYV5wtJS|%8#lC`=jB#q~*7g;9KqsRa`Zmb&gUlJQW?2xP0a~8dZHR8RBUl zr$QMRN|#wod?@f;6KwpxFDnPtYRuKn1!uwHj-?3~F(IN?h6I5f?`&A96( zhVJGf=4J>b&Mh3j5oTJ#DCC^&1Vy|WvRyHXFeIIroKl@hkaS)O_cEe$i}@3v zprkW3q1ffd7a&(xXk2wKgE|?5G4`kd5>#B;`VZ2TDZ0lZ<`g}E`vL~AsEZXY&JJcR zNL+z1NhRLku77~m(8^(*A;Iq@TdcP%U{PeN$5kEggf_xJKeb{qv3y#>&qg^)x+@jekGx5t@r*cL;uqQu=>THZ+T_+W}4?DK1*QztZHm9`|4H7#ls3V~Qs~hL|JN{rmcA6nn>z0O6m~HTja$WYEGBY~bHrY0atx z03`1Ps9Y#0>%a(r=OONCE&tNSh4r4_*Xtf=)90we@dbv@#r`Cu5j_wV)lK8ifF^AD z+2#B#{H+&eifhOFrN~@xq_N{<#<;K};CJDKT}7@1=Xt*VXxg9ymiz< z@Udgo-?3caLy87i0UWqMVnA94f6|rH_ea@{O(K9Lbp{0lCAeOrJXP*CeJuw6WnYD0k1g3< zYwfGRwui6wmRs9g<3XDViE`U<%BKyX!$(tPM`yS(?g8Qr9 zwn8%!Kkg!t%4BNj%9U1KJ-qNt4nnGm#r3aCL~pLZth!WCDV7vL6%M>siU3GP^B|zQ zu86gIUx9*gP6;|NBydXxQBjswC5eq}NMf;3TO$}&#A-o^rH`)j2}>tNTcE#pji~2X z0|5clun=yD_0SYk5hnQ)>i!8OYyDbuV#&|3MN%zNHkQ&dO;stPHiCnyoDzo}7+eYg zf?>_Y;TYA5LM%6kaA{VN9q9rq=f8W5{;0??p!7*z6c_nF?VA{Fs5lhhZMKAEN6gSNBd>=F0KJ1)1^cdm8K-ACrI?Oo2H}=Z8?&ppq~9*Nk$6e zfSR$Qa>hxSBYbX;I;d$fkI+D?^VE&6DdHwZgaGz1`?Dr_*t4F=++W^{4{2;e3X{MS zMFa&%!{hHy43KbW4M|)h%DsdDs~|sU!k;7$UFx5tDZrnzhrcqUv6?=nJ}S8f00Q+q zvE$}5ZF4BeL+8-Y*#kAK2q>)ZC#l2zB_qlqskW|_B6C3U)}*ONX_9z9#1jh*y=mB( zq2fs$uBh=Osk*{KyfJME0n7Z{eKDNXQK^y9yBJnXvnKER$7dyHmqz^Qa@fSiP^|XL z+Y{Ff3jS~r6DU5bu@l4#3_~U_t<*TOP6v3X z^+Lz;`>{uI0<3#0p`9P|I=h6F|LmfbUh1&+QnRvA|yd}D*YY!&5)2slPZhTu>eQxNi1bP@%ibq~_N=G0^&4N7+-wiq#tB4Za!Uf>a6hV+)X}U0jKy-c2Q5Z$LRFti@tq4fqI~E z_|hsHWOx81aO<)#zefVGMmze@DH-;nI}*V115PbHJQ*JAv>ac34nxA= z$=G}!24J8zAB!?WXn+!s4-fQ)}N4#Lfqc-~Kkgst}Fj zan09`es-!Qn^Re}plDz8h9t(kC(hE9Rb?pT6d%AN583p`G)7ykjO|W{4UrFI%;H`= zCk;|7#i<))lN|nGZx}-8!_;W{+evG4VchLq>ybeAEE~kzKf}unLei+f&+${pE)G9{ zE65Q_+wBR*zJ!$t7@P|`Q$eZ`ep{G$x^os4gZ4Oc=m!Riii!e{Z3D?W$1T9ci7DJ! 
z$384E>~^%;d2g`Tj{;-mF%0OcQLB4u=hE*ahG z;rty_K3nmDapd=2ER26y2-B5a=W-sSQ2K>8by?QvT>lkh6;pZ@$^=#w~OS5|hy()R%v?>2})b*g4cf7|$t{-E< z=%hS;uET{$U${c{5o@#9KH|}gwM)T!NgvER?qP$CVTMasyTNYG1*xS&S{SVH%`m8r zbCh&Gc4zO77xlAyXD$rq4WY%>@L9{tFb|>Ek*!sqpjWEUFXH!R%Z(T_euWNKR}@hZ zfVpe9J{L?i8=6iBIJ@%X9r-MFjlnvjQ%*vzbkUh^U&}zNdr{Y>fgDy?_k`}%EU4t= z9thif0Kk}MVKCPWhtmg4O3{ExE4g5fh@PIrBxgBx&&t(9ewm}@K|_GE^Ce2jIv|n; zmJWj zFj+-||L}&I>+*~bHUNS6W*r+t8*D<_#2kiAXef$vi2c$CQyW9J`emEMxoz@}{VHQE z>xN(lUS;Ui+OVg$P!9>1Iz|!h_z!y+tknfEu**nrB0usWeFwHidbXqJ#?;NVOfhxg ztUAtBJ%_(y4?GomcnrGzgm=Q|0BJy$zm|IRoV$9O1W0N7px{zyu0d09W$-@W>EJU6 z13VM=mt=GE1ByFvm9^`jXP2`pi?X5E_aoD*#d-*^gGQ|Z=PiaWN`Of!jas3diufEg z!!ljf3$CU`p+6oWiRr9gqO`b31o?H4X}YKWSQc@@YuZyMBt0j~Ldx zNT*t!e*oDpD~?S2jxQNBc+jQJF>Z?^0+FV!0R+W{JGG)LyFrRZ6*_)aPJtRIb(%q; zyB%qkqn<%ALtNnLtp#G>^8E&P?ZWeej@*39k-4mT>@ba;AbCgX=V`{}RGF@tJ55T@ zUUP&cf*8rqbU}1#Gz9d~(tKU)DUiqkoc@6r{Y&D{xcIHkh=QR}q}*|U(1`BbEJyIN zud2kN*50*ufmhhMD6u=)74@_08<!u*4-XhWtxs{HgInrcBeB*eBwA=-mnQ&)2=` zJAc!`VJZHd)iPrF7gP?jr~x9dVppyB@-il~pbuRur6Rjx0h%<;Lscl$m@2fY!2?0(|Xu zj2;(_(-uE-#s_JBRQgS&F)}6YLb0bksU-yN5bsK`_AI+$nm-`B=k0ys zyBxhq-f^IH@Ho(%`cQ*1TbJ?(J?^5Ud!^2Uq3tXvBU8iEl=T$|MDKp*WPn&X6uuhtqrw>$HH(Y zm~S|pwDC$+wC2esaj+|iV88NkXok$=a=gQr*xmi9_J#*sB-m{eh2C=N8ZvRbU(ayaf=pC!g!y_EgULHLB+VjA4@fWE*r+JBq9{FARI8Qw z(X7wQzdZ`Uhdx4c+sa*6PD-e{VEG_oZj;!AdFdm~_mYU6S|Klqi_Z9x1hf@f1)Hmj zi|ov{_3r~vCiez*qh8f=4{_raCLgk&bijqDVOTHjA<=%s#Mv%|J~yLmxJwIN0uHcGD>T;HQM% z#8L0S@f)}iv!l&6yB97}2~d}hW5rb-Qb_JY}eq?09g?07ZcbLGO`-&aQk5%vCybRKGv zS>ICXh7}JMSs8ZFS*N{-p=CN!!5UPMHnfoa>tjL8uQsCNZ;3C%WD)P4p3s_;-u#61 zX8S{X60460@NYQYU@D2g8^FWit)Q|Oo2B-i{-=e*TncOOir#taOr(trkoo9h8NzQOIgzn z`8z}V))l)qP->=b6%#vS=riiJO~bM`VGq(!S1+uSG>Du6jo>RwwFC~sb}fMifd6!% z#3hvl!1k7`VDP!etMUeFE7Hi|31gMUE=YcW5$}O%C4^?vnVX?+$Op zl&sn`6^U%-^om-xq7(ok1h(cOY+WYXYY{Glg7n>hQ5zp_(N zRiWKHOH_0pQGI=X+okN;uC_mHk{(O2`h1cuwgf9uHv893yyt!5}tJuH6QARrOkE61=TmAOP_*J^cBWuti1g^~BIc0dFWpeI8 zK7xi+Nu=K!-X+o3Z-=` 
z#f_8qoSGt77v$-srqWy9bVhYfK(KSc`XtocHi|*{jJUhx_9;;0Cc2YD+j6n#V0BmD zx^g=Ib#=sW&vo)X!}gFtfM?=x-nJAz)bm znCRQhXD0$O-;=GIx;Kl%dxVA-;V>h@alm{%!n=Zbh)-;T;BSS`y;{L%Ior^<<0B_v zU&`bF5-FVa=nCw=A<%~)A<%*ZO^V4QEH@H9Ro>uusC>?bI1`P374ucg#pDgb0IK%|a4 z7%cakNuCtB3>6ZShSkheGu@pl;as*v6=AD70jb-Ozu&~_YS2^O!frvq4dR+;$aATQ zb6W!X1sTh$Yaj_vlbBxDj~&vZ-~E?K**(BbFk z8G6SBe!6imqZc4Pq<0S<8NV%-3ID*fGKV_9`dP}B&6C03)v&9=EvKJqmYj?FVVY(d zM2ahk%3}fqdW=7A|?itfJFRlK9=E;$RchEv=c$SMWT!r410{CxDDqAS0qGRU)A1J*ka752$_-)F1(W;UaKDd) z#N=FIxel~STc^jWA~J@evp;=P@}q=#uv>24O@Z%kuQ)E)R`0@P02oc-+&3BVpd{}c zxA(T8wM&oq-k`4`aunCSR05WCS0m1SMuYlXm(H@i0MOf3!qHKamxub9edyx=6@9Y% z0w1{8Z@*R7=?LobNgqb3^t`{FR<2&lwz_8kgyj=U1t?TNeAw{QMiz;5m#u;MZ`d{F zt76j{4S}7Pe$I=z?RUX!6~F=AvRxOc!K}EGe0T%9T(rK7YBp1Qqru+bq8ZX~X4F-D z*HyEWc?d0Fi}Xts2Va|~Ae)f3-TWZ1eSQRC4j|oiH*fJ|V^ColRU?1jcx~3MUX@n6I`nS4 zmoBAA6lp}juy!TWJXDAY!~6^+kE~qz=i=U7 zJeo~i0OV!uiZ|i-<{avlPX$J^@~xz0GO82$%HG#B7sZ?WnY0Y-t4y%xR2=axE8LJ0HQOTX59os-Jwr>3_Y?BsKgVMR90xDW9)IIdV($0Fp2LV|M$5RtkgZI&>h3{ zn()k&OLqr!rd1Dv6@p=UC9Qgg24Pdr@tq}%aH$XO`g2B~YMLASElOEoq%a%@p`H^& zZqwAM4ZK>@t^CT_mjWHE(0WSOXw=>H$i2G7>MTFMNHo=}_plti)v~5FCNEaP*delb z2r_AtSr>g5;a9yp5f1iTE%U2ob;w78H6%A&auj?uC5#AKi3bVFf!%n)GMB<>xU1zi zS&4;&A=+G!{e7nS?F_^wbBFEW+?S?d6mwI|&<7FsjL=|wOGv&4va}COg|`=+FECW% zCs1J_mtR$-6*$H43}}T<1*QIwH2nf>E!$f<+pKy4FA$3os|u6$<~GXx!d+sgaN|kK zy%dK`ATLydQ{7{H%WDI{tmrq$(?9p7ZzbYWZa<3i+X61!i_{3*S?no}v%XBSXYXeA zxIzJl1PkGX*|z@jd^F3A={67%1*=x0(+k(&Ko`r73Lh7L@BI>E2NXBa5)tI%Ky#_o zT51CcI0=Md0Ke$#nlVZadWWt^fawbfnb;LVHu;`oXmOZxWVsBDj+G~*jo_?;v6Jfg z6CM?`^E&B2X*xf(`D{UwYPkaY+bK6(+L%gB#nI!wkPTZMLGgR;-i+oc6)kBw_l&0% z;W5liOLwOgTVB?;YeZCkx3ywa2*RfMr;yM4gN2SzZ#;{iwD$|ujR`Ir=1m=WmZ6s4 zMD9-J+BnI%!pEFz7yCE(+jCtY)fM-)R&)q8p6Wtg?Mpq)x>cNu&0FFVJm#LGD~w$6 z!~8=Nk(2m7pe)+sV`h^$WXC9R5=@AB4@%mjs6=1Mf`y9D%VviL$f}UA1>R z0mOu*SLPR+B`~4)y2N~~yMlqaDikbQC|s1@=}&(>*mRD{Ybb*K#w@h$49};?;vTX$ zy>%%HZ#G_pE5s60=waZ&$gTN&R08_wf6INbin$Q5mC+FUbLW3!5c^|2D{H(8Bjr zvGwFtY+G-7Ng%k&nEb^_G;kJ}5~EzF6i4+zE8^g(@@eF#;Nf%FTqGenLp6^0*0644 
zmUywoP&cg8p(>@5dEw{8{dhEX0r9b4FaUUI4_$a?8&*|-%FZ?qeA1o0Zm zpk3=wrW`DU4bPIjPXYnhf19?{{H6o=ub#22@c;~SarviQ(tC^M0ADLDBjR|uo@-aR z!nK+XH1=<-;$_04Nw~B`5v2IhE7OFWYXr^Wd9<#=O-He~%SjlA>~RHCFpBb>hzfOi zz>lHyA~o>>@+NU%H?uQH94a?xN|L9^XoB40z5Bw-0`~Af7;QcpylylCy8N|Qv*~v9 zDc$w~M$c#pQ+A{2jM|sUWj;Z_49TShg3;NsNI4!bn%IyZYD2*1W2Rv;&D_=} zbJLQ2QEu8;wlq=zXiWhv|G*f?GR^&Jsgb?#(hLEz*C)^;jUeU}vmXO}_Z1p5C%`%6 zfz4nj9P~mc2#NLY42k(W>mdHOC?pT{fQeA7x@_|EvWCCzv65SM1YHC{mXL+qBBlCI z(mCoyKt^yG^b^eZ^d@*wK!<+qnON8ges%%4J>VP2Zz}#E8)fE#yHmkaPHqs9^w1tS{LlnW5hBE8ZLrA3HG-8P z!0?Oe=3d-oH`|pAl>M?r zrM%=EMP)S6&=V*S?-ZwgLj&z)_nEy8BI`{TqAM2XHy3)thms8P5?nf?;IvaCEVw0q zmt5lNYS@OKj{ly1)I)9e5rYSxn*kw(0z?49xl8dH@2J;5Yj0)NgLq9tqNQY3r1oJ` ztveBCmPd=m41j}9%57oOiRgnxbM&u31D+TNHO)ii2ySWRx@tx`P3HQd~*Ae1fcQJ|ptA zzvV>DV*%Ww(ZdQdww^5enwWBtS_Bbg?-Lnk-&{cxATvWlSx57i0kP46<4iO={hVpB zf(kT4J%E6pqO*=nuTT2$eV1!b;A`^x7ekyUzxp*s-<^Z!^zXO$Jwy91-eOt*V~o8z zsA&hnQvlAA(H(}UIAMmOdhXRYJ6r6u)IwpB_MH!Ar`%{HHq7$i**ss^7=e>~St6=+ zrY&k74U)Q8%o8}=28=tHpu8RYvQRV^dd->VHmQvvCgTp55@f@9J$A^=v_pM@+Dr*( z{q5NYD|l4l?9=UP?gq!5puSZXi2G1HiAU(c&CgwJu<2xkXF@@8 zMw&Dlqn*9NXmF6Pwku>tyavo54Ya|PoTxCX>?7{6bk1!8eC_+w&ui>(j-eeqR6rMHDOvP*KkrBt;%Wgj0q%bwlhi?ze0XWS6 zcJ|dQ)@Ikd}&bQLr&*wAH zg{izcEAN^yDskd>NL5bFm9Uq}+7(yv`%8()z%~%V=459mruvbZ9RFn4(>&dql}^9uAXKh8F1IThyY97F7a1#u7tASTmjh62PPgzv#*5d>;V`u(B8*TqamjHY{X1@uWU#+XHufpe+8CJk+nFZThz5A zc#ENyhiAwR(LQ{^`$MO^TN`58fGI56mySJf>zdRbar_VHh+Ak*d#9uqNkWGkGpzlS z1{6=@5j+1*+Kl}U2HGG=D+^`&bYK-o|DE5+`Pm!J{H#Q#D+~)i&P-m6Gmnwuei(@G zwP+^S5|4cNIEq`8X~0L(0IoTnobcGqpYvJM8QNzwrrOo-$Vj@|+Qqx!^C|fTFEBDd z9aM{*UJ1yFqXXUda-Gj&u`V_(y;)n3Ayi;3_tlwgKVbGLFFW@~U2MrjE5Yx~Wo3=X>BfGiwF?xl@gOfP!vr#?-)W><|b=00dGej+L6ojq}zVA-(1KH-z@!p%D6=@ zrp^&Mw#Vw6CqYaH(m?GSp>mtiyQ7PORk~;!^hRw-sR--rU}(sZ?@cA}zHdH|nVHby zMW0;_f78&2{ceIX7dEx^Y9ubOkhd+3ZlUZFCG%{MJ0 zaewoiS@6cw&u}|oJZw~jA2bFW%;=hmq_S0K1!r*zyB(`qfkztwXK2jiMRVM|{ALY= zj*Ce}z^8(|=rrDI7Y(Ji8_4dO~%Ugvfb^oZN$Dx=d)%K zSLeWBbAuAr4;ogRC+;6_k5{S55B*L75sO9$YiM*aIbf%E8{q#$XQbF|zR^~I$mwRL 
z+}{j;7A}KG&yAf>%u(wZ8}**U_-=OA;fzs_9BEE^!P0H#q>mk>WqfI#}8D6sQ&{+Ce6FOU|qpG3>o6A zj_{}=Nu3+3a5=hg&*;{BzY^h2y;^JMwj*>7_KcezM^!kBpi*kwSk4hu4%m1eHG3OM z3pI!I=fYtG@TTp=ou((}*V7(F&E==+igWFYAU|lSyowUKTIE~OPFCmh1p@{2|DKSw z>XZIT?CWk>i3~Zv8zom^I;8Y;rWjvNp{{ba)4*?IzwWFUbpg?EbXaeTTym&*i=)|3 zE=PiQj9%rfV+r1!BS~!n-e7x6a7S~ zAtCqkDBNrdfAs>XS7$i$Ij+#-)S(LgLo%~Pfn7FDk+(%3pO+c%?GF-B1EnBuZgtfn z4>>}6k`yFClO3_YX>04%;1va69mVDZWE?(=%RpO3om-G?xe{iH7E96GpMv4g{4h9D z6^^}h{XE;eBQfEs?uv9>H4P6_Lb*_GjO?A_4t`yb=yl2{|2%Qp0443W_NJ3?nXZ`% zFP%wM3>&q+^zd6{qA+INZkYq0GEAy-Nt-BVJl(+f6HY5<*JxXugUN~_bDu#(_HU7s z6)D)Wj2hFoD6G|BJ(E*yp-Nk7XQR1a%Uqhg8S})Z6|2W(nqX-%sK+NJfnJ!pN|wWb zkW_mxbJD`e4#)*(Y#bGT)Sx$AR;;V1XMhgbF>1cM?(pnd2KvE#z#xgJuzeA|m`@0& z5aA@@qOwpWP?2*?#r6TXffD4?$XCu6ni>iTfqVD)3G5X(qZ~-6sB<$_>pLl^KfrjK zvf>FvmS!;Xmt-0%pj*Qm!P`Bz^TGFE$`2vS8X+Ca)tM6G!10vPk$UV~5iKVJ` zmy$oD9uvKxI5V(gy2*RG?v-qGfA1%hG)E@FuT zY4UClzvSSftEgp(gv3%p%9S-1x_tRPP#duhD_w*?c(s(^ue>52D~n6~FBXv2g$42h zOp2t)i{#t!3b4Zx_C`t)!mZJQsN%{eL_=G%*tynN@D{^tSm^@wln1zi9f#3oc{L_U%kLCJSJ$N7@Z`74OVkHz*^8hkYsmmWbi@@?Q4~j0o8NbP7~}Dn{}hAI zg-CdQBgFzOSDu>=)ZM1oH1U*>4=En{QlyL67@I9EQaK+>C7cdJ8=Y;@EuJBEGklvm zyaSvep$e`Z-1P@pO-sX;Si_bCFiQT#|)Vfwa&74JT#GD;7Bas5r`P# zP*iSFbKw)thBieL7X<~FU4FRQ&E)*E8~|cgK9+1*r$hnCT7k4_To@%Sl-LS{7MO*J z83A~aDaq3DE4ZIRlfHA9fxO+uEwt|M1yB2-N?&f+`j;$3Se=d+0>bBFLmZl~RxYNy zX$7<=xg8?9R3pAJ(^X2d znHJ z4KIrj4&F(Tl}DQocJo{ewM5=@-?Iq4$uNQQrh{=F3y53gO?z4R_dqWd8!DHDkg})u zsJ?!!oiSJ~HNZ_z))LVgP!OKZhian;{sv(cy z@6O6UO6Rh5j-tq-=7PwG?;j~ia|h{RKt$2g{z|1^$)jfCl-deZ`T1cWAY+qCwNK7Pom1(-Ya zVRv{nf#f<&t}@xEW}Qu_Q(n6s?z|e)PF$a~IQ=~`%bF#kuhr2_zt${q^}0TsrOa~D zL|yk4knK)YDwy)`AI0zz*r&EJ(8&pq4F>S>WgQ3>Fib#RLU}rFmLt%&N_u+& z&c>iBBiMg3OovQ=VeVmK*Lv{J!JF>JKT}k1bzSA9y%-#dZ-a!YFT;@wk-B&jL;8Io8m&p zpy+1xvk8~L8u?6Gh+^0AA=pSxtyd9Q_4wt%Ay^h<0gMbdjCP97cv{BUL#aflpIu;N zN*dV;WFeZVXIJYA!%Y<4*Huz+EH+7?Doo|O?3tRF@4)sa)JkVb^?mcJ5`IfeE%2Pe zZm3pu66kx$c_Jgdy`RM~+?*t3-`K!fY#M%E0UEZ2$Kgz0FP)Utw!6DEJCj81t5#3y 
zg3=)#*Hvh6%LD-}esCK`PEUQJAHomk6+k4%^d2qp1bi@`FcyRwS_1w8uhpvycW$FC zQIj4m#%HskbwVe`4uVBy8ZJFnw5!R)>Kw;lxjl^BTz$99sTf5HZ0H_#p>I2QTuTf(DoofF0={-PwT&CE$@02eTVy8DK8A9M#u)NkI!()I34kzX z6?5WaV$s{8j+VksypL%0NKRbH7>THkOoLm2f}(?zD2HEb2}er!nZn&ETg1Z=m^;tY z?4MZ@mhQlvH?1* zq)#Insrm8l>43PkUhqb-zKAB6eV;vf^=2Lb%V#U&5?R%mc2gw7fcM!0{NyNoagBl= zT*2%JL~}9kU@@jF(HRk~fUx$E750{;qKk?V3x{rRzGd-=ZGY z+n*-yWkp5*MCO@W4n0j>L}10HE-7@WroMsF*_3g#)|C~&{ZVjbI3 z|5sx}XWAF`5vcPdBao?t6*WywQCh)L;z%}#&NIr^;ph0=NYqv}u5uA%mx-aO>rC1+QH$s9 z<328)0qI)ew1iz1#xqzyNwkVXq$E;+bndKqi(FV`yoq3*Am%w~U3T}Z&$MqQ^YB+r zC~WrF0$Eo=9IDnJ)>F=T{l6tyU9s!97~SUk@oD?C+i9}wUbV45vc(W(Ft8P*a^ZrP zP7dHj=qX;?`;DI)Xs6Tim2^YVm}u^mU7IE^eC_k&*9Vb$C?~_G9Lm zWInqbb%1pKeR5TEGOk7A*bNy=y>+eO)RY*nLiK3biNgwnl#As$=kOMh3+-=9QCzn7)PxP;J`!L)KC#}~p~M&r@L-eb;YOhh6C9MxZ=^q?=kcuDD@SdhB(8$;S@33`@Dvw zEiE9$>WvnSpWaPgPrMNl58ln^}gB>1R$P3 z0x&4?<)^zCLhD1OVhvrv;5iWI5aN_Q%NlaxB!h@>3 zB{#UCBRs+EujNkhP0)QUuK-tyRm8y#{0ZsRrnBo4A^9=%Lq~y=zLDM8+1JRG`EN?Z ztE-NNV{|d>Pw3}aIQYIFXIg(uyk)S7ZM#pR)L)jP^O^J^1oc>^GJlf9v|J6)d)}`) ze+VX(FqAk6H<{&f*$<4tz{o{lyA_7#lp{B*8of4l(ojPr?PLm2yR;{sh=2k4=}$Fo zsc|b}O5N~vJ@3ECg7O>^Fj-?6jDy+YD)qb<+ z=oRA2%|Rq#GnT%r3-`(egdR#W#zk1LBp(l!cWUT<9M~bTHPc}jxxOl{`$!Gr?Jx|f z38@W;P?3Qnf)2I&|BmeIZQ(fz^j_rXrp%ezLu;gIewUBJ0@55|qwVV78xx0;jNqLsFE->76&*(#*4HlGOiZR{;WBA2o$Zhhkx>5_j^vcnROu2Vl7{q~*f?>9SqvlFMH8ua!IRKxHd8cZq1h zC1db~gP-G$2H($Xz|vDf509D(C&Z(=gxxD6WkEJ`Fgc;uPXlhFN>K)Q02nI_g`3kB z)xm3MQoG_5hS~?1IPXCN+GP<>n=EIUF)otP$lphi{*5uY4+!kj3|&IO`2|U zb0^U3iJLJ|b51O`iJA1~t~3}&W`gKS>h{gXA*(0i-v*9Wq%eyz3B9z}hwcAIN=-czds!qZKGDbXknz62B9k|= z+eIHoyk!VbeX&e%u!-?{m0J`81RU1tt4i}!DKhv-KZM?Zn(+Af=)K@dEy+fqZ`}_iaq!Gs{$iGVp1D7c zvA6=97ny71KnBSt@ui)n&ZwH(jP|!8@QY2PSI7QlmSgowE4^q(g_+)FmpJX4C$TCZ z>+yaQwHd(%vDO~Z3{wtP#9mXs%a6!KX*LJi!G|WYT!D;T{)=aQH#DUJE;RH=`eBBA z!`{$)z7}EZ+LxLCOdXLsaQeU@G1t*Lnw134HU2uW!5qfjy=9fk8Np1|AkE$1q+er| zSgjKdSpUGrt50TLGt#rLOz<4bC(}!kb{N6;CTlz%J2lAu4MJtY8pR6aG6BV8bkr|u zwJ&=y*?|l4*dE~sFpw9coK356wr7$^XQ$*{J`<4-9c^+i&dkct#P;~;yPLi<98u@z 
z(3^~^1Ggeng7dTNBm{82&wj!(XD64Y#O#J2l)zbaGSxv=7pPyj)MEHbKX^32q$Dqb z30BKGG{-vga}z;{74$=@k0@?r&w~~z{(@{Z0CVcjhJCwsU?1SGP{&TF%hD;Y;oW(H z%SZ!>h)@4aeF9q!)4gsi9zuM=#WHn#4ZXExOL<1L1u2CRij66$qLZ@pxaRW}7fmy% zl%aQu<=b+`Skio9=?yP824T%daLmi!GjW`=T{g##D$ESWNsy5W*{1SvKc=pGG|`$6 z>((Y@qfbW}hF&`Y;i|NKH;yn2RKLV6cv^DcQGCsLOfgtS!RaNguNP5)X-D@}+UT zmyznnhB}iSGA5uOUy)QU=bp8I&#LF9w za=H|Yye&WHlAI?U_VFYy;9H-aB2Qre=pY%n?0OdG$HyrMprZNMG}&)PSV<>5o1+1b zw@d)47{hg*m@I>CypEIE7>_u{yAjzpnz@WUeFCu#zPDMXHL+EkAqGMIW?wTt1vn<P6Yo`htWp?llD9oJyQh^7x*!Iih33*MeuQxrQZ_BU2ysea zpsO)*6WE{ zT>&(xSU*GiSrq! zD1!NYZV?kH^}pPvd~7iZX}L{FXwl~Jp#3APuF-AaV{8-wV(rbfJeW}YY=A&r`@%o*W~f8Epa!qXm5q=Sn{} z3EL*fUJ8?q!b%^12Hb?#YXa1lQ29Cw{*509er(iCm~RW6eb?S2{Eddb?ZFjNSKl$? zf$RjI#OwC_@VZFPqgeJ#mMpqD}`@5zE`i+bTl9^mnrH|@_ zJeVzrWOlcU$&u5Mxtzp2XT@MN@-&hCe@#vp6O5JTDvn>=vK$dwbML(ne(vo6_Y@D7wY-;s*Uz6zxsZA-?+!Y9 zholr@*qOFmD+f#9xu{>Rdk|dZl7XX)RfDgQCgo$5I#}{T?M!+BUwYxH-C>Qsa|nE0 zI)V|DYPL}nM{DJ5z)!7H$u-1U$}yI{tXoa@oo1RQsva5;4m9XL`JGpToReWdWA+@X zcbB*h{$$@kQb(dE$ubA^-92O>|E=w{&ZTlo9+tSoM*5sJc+UNk|3-31ShzDpIYQV_ zGyI_9ocYtzzx8#V8QT&o<4K=c|<;cPU*o|RfLLHd#b>5GLd-76Ho=S^R#3Y&#ET1H)_uNdVp zM!afdZN(~1x65MT>-{Tt&8$jJ{Xs28@z-#}|zK&3H zbbUu>a@;Tk%%0L-65eHs%5gPv8IwKM_I{J&pGkQiX<;@$$UVUQN)Cz+#68;GjPV}W zrnbpWlBDSaqgnU7LRu(*=%SelAY+*`DVSXAKe=$5*qDOFX?VT&1Bg6!?hZt6+lf_{ zQ!u1MGnmQ^qry5J@si0b^cs*g(5NID>67`WErUdWl*0G1Q{n?_r?@64du- zyrwB%YADjGP%6T4Yr2@W8o0QD zgN#C7A)}R0mren=?=7jJiIh_sc_hgEcl+aPoIl7j^P#0>UCJZGFq1Y zeUgz`yLmmaJNC{H97Xk$ATWD5s;db~G`)DCud|n^GX)auO&YBzNlU`M2&p&dhSGVS z7hzx3=r*P$K5&*sIXPiBJxHW1*>Rx@blEE?o)bEXBX&lmHM#jHU*NaqF25#@N++qX z#&>R;zTDRQ>K*Fu@hA*S{IhEY+c~z+TT;qKM^-yIZe3$Oshehde?;%(yuQpwC!N(~ zaq5vf09`LAxhRS@3rWXuyiqXf7MWDYe=V9bv?cJ+Kv7TKfE)nh3z{tX)M5a@gniA! 
z6F;jfIK3mf$6^&s`(H}Jn$y~)FscO;B8nnVTf*0|94&EF#_ognUT<9isC1sUs^W|A{4M(gHb|KQ z4KG6j=@dmpp`v1I^?;}sZdJz(l)PEs!vCx4^3gb&l$fY966^&2gL-OgBGqczo}|ub z1Ot7ySna&!RngLz&%#nYFtRj2&ryh+#U@|^obseF+ZQwO*pUMkI4x;~5`7{?FpO7} z(F^f>lPIqaQfmdZIH*Dgh8QqW*&)mcHn%V}G}S}INUFKLfi@}F{AIr6qx&ithdW+Mybjt z4QuaakV8SsaTAG4VwwDC#nwT{Z&r{6A2~|T8Tc1>@x|+fJW=A92z~Kd{0O_^*y%jD zrWM+Qt9F^?gr`w1f{eASBX}n5!lH zmF#q}LhI?wXBzmt{xL6Q$f zt!8p0U3uO20N;WuVv4GInwxmA`yj;-z&jp^DZiCb3Rq{1$aWeIC>`8yTunFaDUyWG zM|V$fFIUkT-N|t=gt`C`6q-0-a>gdGT6#0Mz=HcQ-=!=|)q+}Ligp+lRrbV{b=zSl zD4t2g)5oCJE-jj5a6(<_LpVk+NlY-Kh1nMJGGTAh(bwQ_bHbT5HXv?R5lE>(Rl2h;2r(@4qUH9b%XX2RO}cayyY^?w4~t=<}oDi zmMq`za&P*StWY5N{@@uoGNr<4_Swq7wvn(4vRPNs|G?#s4D!-;g#+I>@M44vSi@Aa z2x0yg_koN&ff_g{LRoj*n6tnM2AnFoQjJiD(FuJ>XeMlTX!X$zDN0z%d$P`4CL4_F z<43MSc(C6C3**$;4p|058d@gMFF!Pj&pbzZ|8358U(p`>PC}fhA1})eC8_c%{V&PrQ`+t^VqXre&lIFuN z1GVO-iBrQZZf=vJ&1(xgmOp;Pe2LE1u>>1)78M2mv~Gi=vR*EiI{F|Xa*(q(g+7q` ztafL91u!er@$|~!0@Ifh2!~Xi=D-YMz0}juA;%tf13SA6L?Y~J%&p5D58kRd*pR6| zM_P`WI$T`L;~PewF|t?%YZE+Q#gMv1z1lBK`JMS`WA;kbBwWZjShUdF#mL$Mj%ugZ z`-w8L>H&9~PG3tzG2jN-Lw)Ba8eZ%8v!Z@jb0Vvz9<_c+B}F-gzL6eb^aJNE#H=ob z8Zrr#dg2r?O~B36$A@3|4NVx+VD_I0h@?XgHH*`63sIFI{;PBtR=vIcXLp*^r)Xg@ z#YHBV7v3#-O~ar!d;3~gHfnnOas$AtkRJOyC&vM+heop?UQA75=vpaG!szW5n6TDr zSL&NNdUV5}1*SF~x4B+qqGP&A1u&zwJfknUVs=M}uzL*w<5Z56rG1DE%&%W@WlmU; z5EwVCu=hRaZnPwI4mW8O;J?ECh8X_^NLF?QCW)?Ry6C8hlTT6(COm>0+sOCI7`Id; zk8l`+nWR0ma-=1%Tl*{)uzw=Kdc$`sqhi(&dLR!ZZIf3Z=zTFv0EzpQxNlZiM} z`zXi+wcxfnZoF_n0LPE{qioNU_^2-hw!=Y-nCe|+KW0lmuGsH5G)qv}|F%eg84;lHsQt)P!7(OsrN`Cpr7_&XNF(gK@4>zV z&J*Rx1sK+++gL}#+_Iqgxry$_^f;J*OU91z(@c0fGGS5-*c)Zop zz)eI3DrrpzR43$JDE&K!#zMvXPc8V@)E6&Yyb`45SZT57d;@vd)^6!jaT;Vmwyev1 zoSb-{Ez6KHiNBK$s>JLrf~nPL`c(Lt0c(e$pWvLCe>ZjHkn&7Tg@y$PEKH0HRn6GWHb!dh-};BsY2!Vn zN<>6uw3uV~12*V-)Z&tv87VKy+SNelLtnJXfMozjK)AmFs8KE(L7Wj04pV(K7|#M~ z#5W7{;C6OuTh|BjC*U=6>(Pj=jF||1EX-WQ`z{#1&3q873F1_`mh$YWePU`lJg0_Q z94*$ecpT#x5YBg=sBtvrz~q=^Jo?lFkx_Dx-4eh1Qq-4KPp|6(6RSqSFbfg~2Xsq^ 
z=_Y)oR{b>>-!SEmba@55!`kX!%y#a1PecWa8|kslVCzQidVnc*wh4+z1_bONWhI_O zKt3VTX{|vhpd;@*6WYS%M?#CFHEQ+XN@Ft7`c6OZ>0Hs<*#P7Hk!mOOt)iW|*s(0QKk z)h2@$LoLgFiaByG*fU0woYpXj-_Z7;4U7j=cFi`8%mcHzxwWJPTQRK*eG$Kqn`1*0 z@g27MxZf7>Wd~Yjiv=%k7dnu7&mdlIlan+4;%N6nvTD~Rl(^x*M&-481%rVvOV3_h{p1Rz5(Ni#03KDo*%e=kQcFswC1*Kzmq8t1GQ7wNmiV)c!gYl6v^AWy#*vNJ~H-OT+HYe zonzy2SZEeWPqxO(Od&=#0!)kApj7nJi zL!a_A>I0>{*a$d)DG1Al+mtt#no3fsw(Sj+i&Y$D6H@BRCN?2#Dxp04n%OS~2>;tqP|W&^dG;k@dIHU6P~`X`MvF)Slev~hB`g#xhQZAh@~w#sRh&9JGY~3twRsS%uJZt{ z4^3rUg8(;}(+Y%QFGE%{-1r=mXreKg=tECfQiZEr(u)^$H$s!}#WnyV9`03MF`vGlN|EOh|c;?}-b^H`HNs zI=U&Dz$xKK2Yd4>AAC{YmqDIzN^()&L5{Adsw@%pLD;noPOz&x#1dzEqDaj;k?^Uu zzQ*xc^6_gxUqWVkf%+%lT;>2R=tan7PQ4=n2JAgVLaW8PM>}d(o%{UXNs_;>EP&z# zyN!ydB@OW?kn-`TtT@!!t?>*rQ?5j6+GUO~)$tB`=skoi=P)+4L$efz%bPkFOym&u zviv_s4IyYyCV4TUH1dXO6Z>WZzSb`>(QBjVN-!bU=FznM)ThA@gUQdLXU4jYDv*Pf zflZHvhrze4DL_ZxJ)qDtv@@2@yi~h`8HqTb(Z|%Lqh|_VFLK*>Uk@Vsv4i9Z8Uf~X zKWm|2yvWdfZO5CK$Rr5i~cE>{Gl5iF=VqX-EC9uzNrM>T30`|EarvJu$+&GpIuLXfHtWVa8RY=G`iGZYSp%$|J34hN+260~i9Q z`Floo1%DB?^R3vltG|;4nE+diJl?L2>HCx(a9t}lieMw@cwGn40Dm>Aix|iCQo^$Y zSKL~ne(MDvP;a%TZvmaQ~kvgup0J**qdgDCkJ?%&X2R2uq+!+{!U;0 z1bh(aXG?Ewf&k3ltH;WUaZDhjlCY6v%+s0ct7xt-iGzrr;u!}w5k2~TAZXnPkWCb1 z@hGbSZU}hueZK$;PXpzeTN(h{w!vgY>6r+7q@_!rS2?v>VWaNm|56(+_=hj|X{k=3 za|*c!5Cto-;Z$Q_Spr?2X8@5*Yd@1&S zV-fb5F?z;g_zPzBT<`%IiKeNVjX}p4%o2muo;_P^{2NR5u@+C;SJ(cWrc0BKbt>XS z%k)4t(Y;lyh3a?{)x)P7g%b{z%yGI@}xG_dL)pupO-$DsjI=9AOVtoIK znYfiz@B-php2*gD$77nYlo%+ch#w3#kJi0*SfHX^XJ#}5stM7l%=A>03540DHznuZ z=kTCNGbi-wYy*yjDf+M|505;)p_axJ=tu$gjcVEsO+V+gckjifxX7DE4YGZeId{R( z^)2VB>WTo`G|=Fi{2sIxP$Y3WozGsDG^t=e;rjOQ4>C5N765b3wAP@X);pI}F<``< zlgCd!5>)jB2&zN!IZ>HhhsTJvdP!C1C9zpykL!a9BOB9#%HaEG7QpZy#u02t*^|Ix zE^5*DSaF)M1`7DGysg@LHc|f4NOd+~F0f>oiS<8E6jOxPqDX=%%pRCFCrJ z7p2XFco!oa3X>$=0<0q*Tn9i>3X^xmEb9J5KfdCcV<^isZ2K57bmMyK8H4xFQKGMp!FT0x|1m;P3Xbva;hN2OBL%HicC;mfru={jQ@ydBkQvg4QIk#Y!`{)LL8dr~LH3!F^MiU?;rG*wUh_}kV1B@>9-@S;F4-tr=>#cITrm;fO)skHd&^k3J#4hTE8p9sVxTbAY 
z4d^$#i;w$aS}O&j1l7ODbK-#aw18+;;8m}>x8r!H5Tqwxt8}R(xJARpNQ|O(ba2>7 z10p)SS&G&zIyyWn{$gYyXe8Ti>OuNJ=yv#5<;|}~=zA^@Bihu%-BcG?hi5Y;Zo3*H zo;k;3%;ad!K$e5y6i3aZn<0T=@zSyNMj60}^fr5%?;xL)ThK9>os-{<`^S)`)4EmH zSaf(Y4=jQW37cgES}7^OA^H*3#=EEutW;As7q4-9JVjrc=tM)3_+5y#)6_7&n(TtR-_ z>bE1qP8A1aM|;G|@Z6^hRV@bTCL`Rxn?2w{lF=yK!(TCEsztjJ?X@#QVllCvl{j>O zZY>b~5%CliJoU9*mZw}+Yag#`yl&4wO`zUtnzfy`2#ZODLt zq;%WQh*citf1DHZ9eoa%wZ&O=@)F2`>V-kRoi{$>RvJ8*6S$$(OaItiRCaPTdq;)V zU6@;{2VoT9#qK1lOsGM&dvkvAc5DU^G|4!JmpbNh^bx>eo^eBc!=v>(>pde2f@>Is z?csLS8`8*99Z8KwEFN@(uegz?_;38QpX|&hke5fUQP`}1pB%WpC~G%I+B#!+`D2Dw zt>k_BSu!Ta-)ndo1*eercR}yg1E*u3ZB)JfaZiFemd^JIGOo9Q$XAdw=_R5onZ7Oym`Yr z%A^S102Spe1}G5g1!urJb9K+>Gs*~G%w?KRkbDJLHdERPAG%+}zslC+7JOPh7hTTp z_1%^M1xN*9UHZ7JoX;n}mdH6Q&286N6B{;Vu9FolbFw@bue381x%ID6ki~aVPo$b; z&NABcg!>xJw<@7U1M^jEfxm(984LwhVIO+M=1!7J&P}Jj#ZToyyx7zr!(!G=CeT#A zWF8XXr~yac-MXmp-!BWl5G1b?5Q0R%RHyqn)2$h%5_2alh=hnRVMcgh?h!=8SmVe4WF99q;vv=dd7LzGJ_ z02$!__ra0c)+e(WfehX4)~n4-SNgPJfnt;gI7P~xU1+g_`#xDVxwNC}WivpLD%~Pr zmaCB`;0Fj9!&CZKeOziAHW+1V2rFaeuu1%#2hM>oqNt7$YYP7n4Qthxdvr?*a&6kx z&~F|03&JjMlqS9xB!JdktY4IVlsA%9lIBr>{y$(7noJn6)yBsc)btzeSfqkwwVtw{ zXzyz2HHWcfUgdr@GHcpcsBN`Ji({`F+PqsoqbVxN%&>A-$~;m7OJer9&7i{a(5eyn z0JB8YOes5MxbKZ23QxX0TG#gWs1Qiq1cQ;1N9N#xcW^#@y>T|P_QD#>PBIz`8Ij%$ zXOY~LPE`{swt|+2rkGU&eXk!Ug2AMk1OHLCf2w7;bd{i@y3is}Z_DbNndzeG=N5*a zJzvOU755%S!;u1;n$;P*wwkqpa#49gn}BCq?3+i~9|!N#Qn9P2n3jasQZ_RI)3CiA z8#;6~n*uTOI+pdWhs|v=s@1Ebk@I0}8g$Khn%qXE`hC5@mf@RSl(PuQw98MiF!Urf zTc1NeY}xBwhMX#5FaV;Pge}R_m0V}hg5YaIP1zjVxYa(TE-&h(;wE2|!QXysOklQ6 z_jH{GlDly|?4MB)P@#@r0JKKt}GKhJ~0uP-5mOMu3^v!29pee5aD^u8?w zAXB?x(wf1$FaX3kBXN*;lbVs5nC>%Gc<%rXI!h1JMNLP$lOsRFlDw;q=l@{L4&h0* zmdRE+BW&@|Erd1RjQ~+;Q>IMcZ!hja>aimZKYkz0pf{CRW{3ld^OJrVs*P03xwj1x z$&l=bF^O9Fw_K@+J1k4fT&Vb()D)F8MNY4Jda%dW}iexb4u;XwyXtw1Od6=zj ze+M8FDM2j35&tSG&GJ&kuJ5BP5xv~PW2B8Hg4#7SyAQG+H91a~5%ek`-SyMuDjXtf zW)1;oP(a}^|F4(PF2tb1O2v14NP>&JHhHZ;*pwD5Nsmx6-ktddO`}k_9=7A832`8) 
zvs-i3{&i_sF=xTX37RSD2*B#h1Pz&iGR}VyTFxRar<6&VInTF-h->G__Iq~7_7AGxp)aGFx1o#-^7A}5!+^92Ig*AWQWqk> ztDs4iAfPB&PsG+y$>(U-+d)Mb8IgAg82Mlr=Cd5VEM*ZI=4nzAFRkIyEWH{^qdK*nNs+n-~ zzRFHwpuklNdZpin7BU#$DxoQ?3{M#8fv%R6ql5&VaHqbHj{}cN#j;(PfArww#o=rz zhg1-qKmGrS6oy>Ma#cd4er87sh z!sF6_jse8Yg|H5{z6hJEmie>a#g@d_zHZ3;pkPBSy(g0V!Jn_0_p1*E>gX8$Z z;$&cJey&K)PK`8WCup+thggDpaN+pOrwB^9Lt#z?DK)HhK;#9hvG%%T8Y|=oiZ=;C zU(;~*nnd7t*Hym`rYE_>h%i*S0!6}5#Syu5|s+V~#G6gekb zEHj$iGLf_d!&v*ZhzgkhU@j}xlNI!vER_gDxE@hYFoNx3oPj-N%e3IS7T(Yuk^Z936pXVsIU1a1w7!8)< z?Cx-uLz6-0^|h)H)Y8GF#OD(BH*<(_5>df@5L$IQ8x5*}zSar<(CadzdHD0l%3>}s zs7lA+5DjgO_ITfiQjY`$*0BpB3Z4dvpBUr9o%+ZYZVsL}I)+!F|x+mST}1XnD` zxAF5uXz*CPF!31+2eZi9r1Ty;!Ae2^DiG040U*U#W`!+{0xVr}wh%^c<&RNnM~9!7 zYu%y*XAj;;JnLs_dP6$2TDhQx4+T-{#L5Vj$)VmDYHVg}t^{wZu*JWT5&ST}X-j3* zwAhC@9|-}d#1n(3!>o;5JSGIw8L9KjOd>K&ejJf#`~%Qk+4~^GR_rPnmNFzX4OX9V zXUf)mM$$C|IUEygq|Y-jIvvp7W_}rOUI`KoYxX%Y(e&AU<=blswJNkKLeX&L=y?=7 zVm3RO3^#{k6Dnt@SZeKX>}8zeUJ^ObMD*fqWz^ys+yY;Dy;Ml?J;!2XQ!1JY5hk}^ z?T?j0%_THYD3xIyop}NnJ3&X2*#?o2c~4btF+(6!ybm0Oj>s$ygy4Az?ivaBO3v2= znX%4**-KW9Znc~6nD*kD3=w6l`}d9YGt-$f_n@B3r^2$t2f%~c*(R?NA>1u1lE&E2 zR68Wzt!sbDgC=`gwMub8oDM@=7)SE&{KMztS!?xyaS-FS0WvAv2Aj(xQC5@5m$0U? 
zr%IS`=akr83lyp-%GK{In-GsZdwww@KxN5#S1wA?XrGKZ>=O;NxmI)QlmpG5YeTb& zbYpJ|p>XVS8L9W*gQ6nT@qQY`XS!Zy9nn>p<&X_p)hDUA+9+-ybgdE$R~{Nl}(aY&C};Ru_KO%E`# zo}gmBw#F|8^rrZ~!SOJ(d)Cqa;3e#%83MjT=!>9tU{$O2$YWX03JLt+uJNGI-LalT zMj_=Fy%~sXjP1`=Jn<(u?%5)jAn(X3` z34@}3t@50a`7p3QHzWMNLA_y@j5e&|ONhTPpT}Z~N&|(P44KY|os>SP!<^Kd3~Puk z_NLpRxHkuPJm%@qI`~F+pII%&RU1J{wR&ayZ#JlI73B+K^A-_idVd!2q#t^>Axwa& zj|AC-{HBs*2;4tkV*?YKi)KFMKwgfYSc`3vFo1XuoVubaWbJPcz9;ASZ;m(&CKwAC zf0=QH0w?=6GOL+w75!nv$L-wypK|<~DsEdc=H)p2ybGm)M(n|!Zkl`hwlWYv(f-i8 z$>#CHAXSNn=tRCzHcxRG@5k>(V#0h7+yLd^Q2+2rB-L`+gU7K@?y8-K@f)fkB`^0n zB_JOM_R_LzkXI>Ps6r+~GsI1yap_V_?R{w0qF%b@mr!%=mZxmUBv&i5R8K&iy>*PI zVRl|n+3gOc0Yd!ND>T6V%`>FmYWfFohy<(bao#D&zd}aDk_8@tze;k63*_=Z?p^@a z6%oJ(GdqMl$vtt`MJfUa84FmMOhKD4kw&SHL7(r3ws%K*DuxsW1kC82sGBXEK31Qa z4|+5$&N1Dey%MMC6ymZYngpk`aw@RVL*N(%MgTl&He5HUC)5IH702!Y@On}Y#)W#b zYmb>pJSv?Y34{n?*cU%|ysm&8=se!ycnmovquZwBcIQFg8j*$V_xDg?B(S2GFLH3z zj!Ys%ZK@7-dtIOF4Wzu`oQ-F|9JB>s2{$nhDFGxD(yT2+)i@uXKvt{Yx7w!KXxCAi;1a6qrCfzq8sea84~{~rGB;kdwAt9iwGMR*}lmo8l- zbXEnrvSk>zOtaacI?sUCc{eJ_G3vpvtZ&D&)S)Mb>J!&_;8b5qr||NH2Y_8LG)tuYH-S&l(9JF5B_K+E~G zxgx%POu8xVYcwRt27=hd%s(|Q6TW_*a`UAJ5&&;#RHE2&)ChOw%FF7OjcgZ_Bz9>@ z(QxSPBU@fx3!c!7tqER6yeWna>fmw66wIGfqA#FDy^f9BQLIWRHUgZ>O+SsDwpmn0 z_sIai@ph>V1ni1iPqgWeijN3D^&f0nrdijd-65>dL&WBgR(1m)6$Adc*j5j82ziY9 z^Bsj^_u0`~*o={(ydwD6toC;h>Ua`q&Z$8KO-JEAH)KU(TojjrQsj@RUz zA~X9&GSh!pkap9_(2vV4>Mttvm4?GWU5v7%X>nk!5>h>CUi*&e9Jqgq=F>B#6=F69 zBprS@^`>w`krvV^P;t#lqb6#VoPgQyPD$z>h%Tj|;-QU>TnK#0>P5ikK9!(Py$$!o zRr-?XIfH@@q}=xqt{pv|q-HDHjhU7~T**-!btK(Ga*CPB{^Oy5=P^d89+|Mh#iS~4 zntJm}sSy6X?#Zwitm=PAYF(8KmY#V`t6`oj!RS+2numog*$uolHh1PezcV>)#b>%T zikJX&es7b-ICfntj=`ugPP08dL?#Ud)Wg+%uYSp9cD}V&>sKqz%SW&!urauF72Pq2 z2;qHaER>1-@o{dGh}f1$c}uhZl&5m2cwJUMI77cVnY3HrfnC~>vGR>)yEOZ*&wn?s z`hRhG|J_g?)1JH7w+H?wY1>LfW&#tczLT35rVyR<;$l06Svg}Mm1!mSw;^-9| zQ{;@{^ycD$G?gORHTFX$jJkH}+$@-c(~VSikC`GLTw~zm?=(Fu`aJ}-!RB7&kdk;< 
z3!;#R`9t_iG4y2Pz1KL}Qei8PIP3`eaU{5@(?4|>L2Hwp0=Kf^d}pNR34e#_it_g}_Fd>p%e9Kg<6GY1a-3*fV(W5*I`*Ncy6a9SjHgt0@!DSEv6i%eR zQ9;=l51IP)Ho(8Z+{IWu*yB!Y>;`VR45_Q&fq@EzXY<>j$mkkw(jNCMg!!Tij57@2haqmsc>PG^uF#+V8pknGVb4u^c?8N=RA)F& z12!Lr>d6z9TYw%V>C&xGW7KRkuh7CE663fHkl(EHpRs?88s*s#`S!STHi?|bgM3Ha zQ3XPA(Al%gj2Zg&I9ei{)Vu-bGNZpO#YXSG3gqF&ki=BEYeuJ)8hY_1M8I=)@$M{r z*!6*bLH+QJg9@Wh^mu)STbm^J_P9fi_D~fA z{k3EM-;}FdzW!Y#*ksXor1Rs>cC#{NWo)6v`SRlcZg@*38o2|PM;VaRs1%K?(_}O4 z73Oe7XPsjbRv1`ij~JNKtgy20Y(&+=Z>`kSRM%?S2rmbq&6v;h8tnH#v3zx1v92ay(ilSK6>sm>+ff-x)^ISh!A&fm0IzI?)W5Z zUU3Bn-_RvS(_dSM9D^J=(>IZ=c?wmMCG4%2+X+me`An3J_we+uJ z=Q$ZIAnA#acl!u43Fmcr8jRzR1ZTNK3^nqXfrlAa;my=+FB4-TW%9$H-e2TnP9uxY zuHeZFK?H(4)A22J*wXEkeqsbl7}}Wok=HpT5~>Vxy3^yZn^HaAv+G}mffoLc8mrX*L*Y zyM_Z*orf85^d^zIRFY@ohD!VN!;pxkNXbn5p*GKfl`8NsTH*{&PC=g?+T^<=$qa_cAnB{UbDDnI=FMP(Nz2g|6MqhqAKJ#b4L2OqO`EMiGW=LK2| zTlVVAw|b-(ny}zn1Vk9@>Aj<$+MEY#wQS#np|UfyGf}=B60tQSa8uNFv#2RJC#`6D zcxAD=3j-6#ea=HBIwzb;^P=Y`c55!AIWSKF2(U=OtS0fxW%hEwH%e>;57%Q5RD{i2 z2Z%g^i3gPJsd{X(@V)Q3hWR9gOp@^{u?qhn26=CdrGghEykKS8Hh2>`X%jYzgS6yarRjCWqie%5K}n;oW#DFhvM5bi>p)pXJKWJj9Y38bA| zYj`+!3@NgFbd9)Ydu@@~v?lL@nfWiXh#!TQ`^Es{qr<-eXU@}2oww$GiTk|V-bYs1 zckWgR`lX>wOS|<~LH2g`Jn;2de=3tAV(^ah`T#h}nwh-U^@No1iV*f!I@5Bq7v~%p zio;~*7u5tnEuiQE)tl_i67jb zJmZ$N!^H5&Qb35dL0PoyZ69t<+OF1(E=*Ca_5<*t1Qcp4HRwkOJOvi4$>Y7dORCgQ z+4WG9N|^M8-mDnTgwVk5TQQsUzD86zqkQb^65V~C*+_okg1impC_7SGYSQBb4Y{A|r zxGeeta+552?uPKgGK(Jw;tjxKXw;06G|;r#l}DB*W;UFH&Ns_bi(GKQ8xoF+Fayh@ z+1IH{OA#&DS-Qi;ukA>z%o1y*jmBw%FD?Nc_!dNu#^UQuCN=A(2>da@2MnQ?HTeVg z$iW0AnBvp@Q1EAovx2n)G%tg18j)0JtN)UpTAbc8`4*xC zmGI1x>Cq@SMtp?VWuqnQSL{Q>%#*(Gh7*|>a@rDS5$SGfMo~`3(EvBfMq&|v$}eW# z3C2OA89@Ce&|#{^#`FL`11|^P@{S(0eE#Tl@_n9PL_P}ArN(rb^UC__RRJ>vPPbH*)3$dxqn!L_>soshYL_l;e+4600oBYo?R6OvL$+nE&xxx z$@oXs4j$Y!|4HpuNGX9fl{?a`_>ZMH!w1+S5jq|&n=>}%-Z1};JqiD*PRGx_q3J`_ zE~_J3PTM|N;8L$Wka*4}MdDCnXu>Wih&yXLVWA;YbikkU@|!w;vdnTOEVyBD)9#g|uq;HAHWr zw|HS>WVjXdX-_thI#+&R4H*g+CS({af`ngRS`iH=83xbz3H~IZ=FNEa@>xKSAzFkI 
z_2k8}9OeAbc4dLjHQ|iO`4?p~4zi|xY|5faN>;+1+G+pS?5Tc)){X#61L18K%G)T8 zrwiGKd!*VT#4^A=l-E{sMqS&tK##dMMISa#GPO0H`$v$eLc&bt!W+O(L!y=%o7Qiy zP|?0eix(VVAClMw#>N`xM_0yaA=0DkbzSy)yM*-EFIFZ%hJO3geRcb8WM#^YxLyhZ(?oWk4aP+NM^Qt{ob zLUPt<{~g*%*Nn>c2FUGXnt&dIk1oP44w)XX964r&vNIjE**$$>gZ^N%a(PEAlkM#I z$#f_LA3JH;yrC^4s-AfV#w_ND@JUD0XdSipd5QIlHSySXYpEm?9KmHOrM`(TT z=9xfPeCeftJS$D#Y;!s)s4bjq_21u9+P9t@*{hB79nH^LZIIUNDBz;W2A&(OihHVR zSi9f=liXrC!6r-n2aM`k1QF00)6&1coF%wVliug_jq64W8OMty_7fi;mG~=S`T%sU zGEy(|ity&C&zHIaHDNNhL^W$8qmF1BQHiD$(bGqp`CHSzgYH*v{4jaNHL^uy0i$iM z9S9L7uUTeM;16m0XbAq?r0h?ZHLjs265gbM&1qCAsj7@fn9bR}h=6X5Wj*R8p*6=f zOy&~+_oXiMPyV&%2f3NX3u_Xo1ZSdT>&&OdQ{btmvv~^4XS^(&&@a>@iB6z*c{|sM z5m$`+`mDo{Gr(CJ`S#{&{)|pA7?o=zs@M1r%B=ka%aoAvBSvqR9TDpKCg>gnVw}cv z=8F${Y<0%Rp;j0q`aZs_)=fHs)mqv{d=LCWcmo7q+3Ftk_$0xXNDQI!w4Uu;O3T17 zrH6w2dvgdnFnE{Jr5)}`vb#-_4%(!nDKN>Yeogy=bl@}o=Bv^vk4*tei_8cy;>m5) zl)_vAc@0zd&c9ECf+D1MOfyq-*sSKSkqn=I{SXE|Lp9{eAiC++oysc6KC1exw8P(l z7r6}ng5uHui53tD1>8jLofJwmCx%T_U->C(X;|XALfic8WfNj9ikO*CtDUYTu5xxQ zQGg+~QREYjEW?S!x;t0q8i?w&+bJA!VhkV+3F8n`{3MXR6*C``q&cWs#8^~|vBBm9 zfl4`wA5zf0ud9n;FFhYLaZwS9w8P#jiuBYoeL*&Q=snudKHF(w85vTmMMK|pT$EPo zcO0{s7V)pC$BE}dAt=7K%}v6dufeN};n?e*Y$NT{0%4F-Z=<2UdvCNlxRG;~fQsWX zcYgg4yGLaxhqiNrY0--GZ4GV>p`w61H!Z*2E-kIj2?+qKcP$sL+%&MBdgo?r+8N1f zCnLT)YQ_vW7EA@VT1x(^ks`iu+|0O;fnYR;f3pqvD7%f!qp=tKY9<#|`k1JdRXob9 z!I@o{>^mN!FE!^mEnQfPLcS=LC$9@G@W= zh{SWISY@F<_pPY+lk6H^FNjyoaC0$pkimn$fJ1|YJC|!I6Ozvqv7YvL31h2AoyeJI zLel)e<#P$9=0xdp2ny=%_Kn`-i{q%|Yh1QyVPG(hoL`ojKQA8^`qv=_$RbSpQ%NXl z`Kyd0iWHKvU3b03O(Kk4R3cofiA~0A{>1BmT?5Nx{8nyrZmp668V#$l>p75#O(hA> zYu!86U6*kFP9ruq7Rivf^}pP{A<#{H~B*clsSlp52kbdDyu<$u4C6$S{ zpxXy#@4MO&Iar$=hyY&QdvR8fF2*Ur2u%p?V#(8Mv%?7TQ?YKZHwRDh*O<=KD$)xE zt7ab#@bzZ7#nB}}1p;HEnFzJzaZ_^MW*)gA)AdE*Q7H^fN2H(SzYBV3U!H@JgpCm- zxG|nihGN=0D79dFIhkrdMTDi|W9ki7DGng3xBnZoffq$~2D+*eB4hJ4GIU7z583b+ zAa2uNwYp-kd$PrT@pK*=P>)zrH|^wt_@J_M%~U9xDp5`!UtDIrL8)@-2pO5R*p%zKO&k5Q-TU1Ly2 zdTAEPM4S+(d>_4-IaakLN)cGYa{At6X~J^URq*FwAX&%S9V?OF>PTsf$!B#ABMyJR 
z8Mq^-{QLGNK7a0Os}3pOzMJb$VlqFuqwag8rw=3&-ceHJ5?ElZLo|=5{UP4rcza&5 z6_AJoQTI_Hl}gdKr1gZ^~3yR2|ta&fXq_O@E*Jqd?s<5M+tF|=DYj=$e>@4KVFiG z!E=Bn$MNba76$8bMN1_DttB=R=O#K?nKwxeQ8mwQaHUqUG8!1%AvrZ!lV(o=fy?cB zy93JRc30pr34q;&#m#58@p9V;)x~}VJWJxm5)omaS5E|dCDbuH&90+FTy?>Ir?64r z$?(g5N<(ZmMnj;q*1}O@&j<8P2ydMr!sJtx)=oV7@q9IghM9g__V``V47-waLvIWt zLPP!17pWs*vKvzd+qXoB$y*cs?ya6&H&2(_K7p`F#d;>M&Z`;K#w3m`u2T($ge+&0 z559VEsGZl6gJ2675&bo{;lUsGytIr8Hpa4iOno!@YBD_P2?{>sSw^MeT z*ZCa#Fd{|-pOlJq6WNN5S)Tpx5p`Adr!Dvt4&w$khofi}UY|AWIKrg@tTKxe5c#|A z{4V;1FX|i+^C${mWsV#sCAH3m1Y*`TkA_LO{X)WVyebSXdMK%*5{;h~DV=kSxvI6* zjuTUcruVqU9zR+Q@nLtfLKwHyWC9ucZSk9z6j4YS%q1hy>M9i;4s+n7^cuPE993w8 z6zZ863x0Z4+nh6FJ2*uRB!B#|9;KO+vRS(gL2bE!{PS5O(IKJ4AMp9}1d}nto}fq* zteIz*APmeby$@hv+@&AI)B<9TZ=^ZggCw}v&1P{(ywgrts@dXzwB6H*j?1BxZ8GhJ zslyTbka4XvxW$j}nv1@7O4Pb>0tK=-bC*JuR*cZ5t$AP#h~_73m(7I0jn;T-3}rDm ze3&M+IriCK(zE0pN-EOv`(qq)Pf3RPLq4}xX{G5N*~qHfN&{fI$SqZhx7crVi$4~A`Any;-h~9|pF(|Hqqk_b zynhC3iWZf2qDVDB5*~=1BTP5?fsjQ+xq8xelWhV{4TeX?!=lq~x838RPfO#H5hNnb z{L~M!p8fut6Ckcc|EW&EIEr7UrAg%`j;+Fczj(-!*ElKO#_%L0hmaXwnr^`YX_dnS zltQ*m{JF}M8)ct>1U0HsL1J~Qfg2ur>47(N{0c9fm6EWClnr1w7e}Zvxk$(ceCbew z>qN8iFaqa)TYv7!eteetqFzV|cSt$(hXNaFZ7@{(5UQRHj>yPjQsv*c4s}FE~u@m zpBmS!*lfEzw(0LAy zbnwSvs_EHn9I*90;&2fSt=-aW9UwLtj1_D)#*hWztGQ*)$eW`$Bjh4a`uYOdWt?(jb;vWQL3Bqq&25sH8GwziePy2%rd(<)AZNb4~mu_foyE0}chA+W( z5;4y5g0>$_tVln>%9xsmibL`HpgZrH1q`Cp@N~;(gqxJV@$y!veb1-aL~9z6CG&zB z$oB2W{MG$h`?=wLiQjgwr`;LQiTjbi>ArURrUOxdFDoq@y&LZ@Hx$deFZyggNiTc- z|2)Ut6)?e}`4!QVH)Q?-eigoL%-G%EZv@u6QgkE?D|e&47Q5%q`(u7O_cq0P2y3fs zMRYpaNE3Kv>(LvVzx%$)OZi#cZ(uanPD0yuD=oUe{2OT5WdHW>d2rY+1zSc;{7vgs z{y(n{sq%p;4GDc$P!IdY^A{QKT9FAbG+$Ztw43P_({*|GfuiOf#N8b?V3N2#1l+n2 zkqLE0m86o~+F*zmEJ`Rkk9D z&AW>rg$B#CagM?f?1)WcR9XkM5j|v`f#t`^NqZa`r0;=Tg~qFM2eajD(VDz`@aK>3 zGDNa>Xkxc5k_laEjHGlPoWNke-6CDA$njnvfI0KH)WpRNeeGu9>~vCw7i}~mrFX`p zx>GBL?(w2sWIluLBDcy_r7wC=dd#b(;7quSRBNWwRNrIN7w!5G zMh9RIevzLvB7{+=V?kl#w_5tj;RokN67#PCe_2fp?(cl%Dg 
z=2-6tnQ{ILY%VdUm~DXl(U0bie|Bsly&m(n={olzn##%1Olc$KK*y!f-;h=E^R%dM zuod>Tlbo4*7k^9`ds@V3BH^S9xVd~r`X2I(uh^Q;WtQ6%YPCzwO~+hR%M_VVu_o|a zmaH^aCTg~ygsr_D6cYeCw)5c-IdAgWuZo}uMhDbYKpI~g-{4GGKBWJTy7-%}c5 zg;yJ3fVFuK&!Acax@<-^)nR_S=u+{8aRg8OubXrJ@#svYaIGtkqaRV)io0~Vw(Pe% zs{B(*v7(iwwWk_qh9(H!-16{fNB81&e>|bmB14|nNI|=lW`02)12ymI@Lgq~1wjoF zLnc|TMNl9@=f{Z8a7A9sd%NGDG%6}8V=dSk+qiNhTBxxqBP=``V);8a(lAlS>CCuR zM@Q+feF+R3nLaT86ld*IJ!V5<>KRwl-HHg@Cp2C3SB7Mgfe|?b7yz-m#3Rszg`kt| z%|fmd*+_(sa16g_krY%~&%aNQLuH7to#nHU6_-IQUWq@#yn+CTb7#x`=qI;Pi^sxHg_uuLr9E? zbh1~59ht0MOU3w+uO%Uj5Rv>A${l#mQY>GSZKcku~PI$5fsd@E88?P`jhu}*hOhq6Phw_m?v_1Q=4tpVe2 zXQ~8mP^WtfH}D!~YLT)NdUzb0QI$Lixh$SiKaaFb>BphCYTA_@>-UuT!0-}sq0aQt&`HabRArJdn zNF3MF$1@@UD;~e`*y++4nx*rme4Y~^ojRQxBuBh9#S>K1(=UmQX=!X@jccILaf|(% zUkCKl-t=9WXHB95;83DX`e{wanm;RVN@!7Ap*s{27yzJP3{S`AH$m3-Pupt>97fz( z_Mg|BtZ~Ea4rEEoGxejAUa9vNZ{$e|;=<7Qu6IOfxnlkq-ChXUVv4@FhWCfqhYJMqHNkAH9T;V^MShlVT<6aILF8 zZXWsn(1^4%%MWP8wGJ@S0`zM+;tU^GywJuFY)VtX5za_sRupWDbQh@q3H7is>bgqE znOX1o&&}Vwyf#rYfPv0)5>_Ho)=6w|Y_~71wi`A91-HOpeKk@X4n3Wm_FL)aauE~S ziA~cz1EiEt)drom3SDmYC$eh!n$Qfp(I?Is z2o9?56cL;^x`-SOdZ|U)r^(j&_9zOtpT0B0u*Q`aEjnuK0vE`BS^Obp;7}h)dwJ@OJk9P~SH- zAM0jiGU`GSGcV9hIL_FD6il{RD7y$;Qq2;!?_Ra@M=zHf_(D*yBVukHd^Eb67o*lf zcl8;B)9MOCbs!2m>UR=1`FM{bf;9u*NTDL2s6tG7YPON}uDQw^4ACO_Y^b2cYJ}S6 z147*=9cC~~mtq+taw6E7qCDmKWA`46m5bSyI9QAy5onEizU}q>ER!U}&X7-DYwFpn?sost4#(mKTTy(~!SkB{Q zsTB5#0-aYJ4I1ZS^b+%aZ`f0w9XKh$DX4qUnrLVAljWu)67jl=X)23lCOVgoP>@Im zY9IqvBtmSwv}YS~WCji=D~)GFOz&IkX|`$-HuKTag};B40q#xq(gYc7I8b-A6p)#C z=+;+6sHdg@y7w|ABv`IW)q=1_cYTIiVgh=jdQU0niJCndHwGB|2>7YtF`4M4eCHzF zk%7)t(At0EAbfE+7-OfY@7k-{Kt-n;&vE}S#fDGo_{^U@Bym0d;BpbQ^Dd#zp|wQx zC2L23qhG1?T9uY`S4{;Y$?texRzhpJBPTGk=;ZXmG1jh&Oh}B+U@ByL z2b!WNqwT5k@|zgof7J%af=46lVhmFRc6B4izDVF{>Zh2)ers7l1aDz5xnI;*F`9V{ ze?6FH_<;t!X{=a(^A{|?A^mH_d@)_BqwH-u+AleEobcfQ%=|UkqVU^is$`B@k4*~g zj&Hzwp}raX6Kv^ZSS*_eJGWEuNVI(jiF`UheO*YsO~~(L6Y={k3k=vB;o!H6&r*`@ zK?^`Tr?u!b_*iQ@hBT(G`%4(_>CmkD@q(t4V!-f+?Xxgr@6z(h^|Qrq-2*33H8q}F 
z?e;jYW^cKY@bfqk!&QKAOtIZD+YBo&YWp zrG*uF+IXSG8O2SX#VdIJfq%xd77C4txUBzvd;4S3uTLQXM*W;ad(;(a-uYo};02SUujJD7WVpXd&vB zJ(@{Djo7vS6r>e%2UKt-OJ7UOe|q%I7GdfuUURoW0yLMi3*8Y(__~D8*hSyrms}XT`#=91prK!vL%M!+gnIAK>tyx= z%Dy*z+@cc$duhie8<^vyA9Fac*>TFpf&Q(@8yjL=X`%PyNa{mf(0j%v>g^~IF3uuX zaf1%WWsM?(4{F1!x8kZ#`R-i-DWDN3qwnaa7M56=IU_WNYqZlo-;dXQ;mr;13g>E7eb63}S9e52;(ddsU2heYp)vJXkHa;4I8w$FvxbhQ{)%}!H; zk41xrEGYPv%J7>@G>NQZytxo8fAEAVGgK>M$LWrc4DBo?rF#Bvu;T?ZFiUG3$kbyL zEV^nz)RJz%DWbUu!+=|Bv`|?s$%wbe9<7>N!j??R{xDloeOXQy^2^Ors3BRm?aRR7 zs#T`B%M5?tch4iWIcILv@qH|H!@V-lBf*!pZEKmh!KVt}$>C4G`mF*&7)VH8Z+GBi z*ZRf689t1T2+~0u%9iVB_`#+RU)Q4DQ?+*H%G$qr%59_T?nRFI>Y`Ph`|C6K0&CU1 zzz&mh)?4`7rIT0?twFsp7zaG-|E($n(hV0c{~bcvGlyG#dnD9ck&JT#PM zvSSceN@0v_G)Pq6>Mi0E_*pAz_#~Q(1hXe_TcTz(;h-vJbq!Afmd&5bqI|u?D1`7v z9eG0)X&GNq-HgRI77|_gbwd1_69x-vXYd5Xs*`!*8IFg>@`e&@6g#W`i(Jx7Z2?;S>_4Mhq1KT zdl;n(9stMBi}Xjj^nmf07_HKZVT#k?08@Cn0#44EjWe~GZ7xRaE z3!p{7H{3T6XSl`AM>us6Eb*y&;wR^PX6b-QHn?q|tt8ICpHQPPaeQVdR`=9nzJe1_PMkX5ZCT#AKn+*ZmpdR=q?lY^nUT`FFBw*dzD}J=d0C-Q@lB~` z7KsMY_a|lwwDbSn^<-;1o*duP?jTx30}bl`Y|N#CI6rT`^4fXw>B$mSuEs=YSg~#J zaA3;%dT9MBDkB8gX6ZLyL*Zpr+j9Fa#*+NW>g2Q)z{~`|Dp1Fiv@{A$YqN`qAA`qu zPF<+30m@#d3%0yOZ8C@nT3`C+N6-{6NQXzhuMYGv>vo5Ag{yk7b!uM-K~$&cX*tbm z^#BYpvZIO5Gc07%w}*+R^aU?K!6|I4EB|F|Uvt&XfMb9T2aN~?6Qi*T&i(4}$sQy> zU|b;ScV~Yhhx%Gdj(%#%Ly2Quc!j!GQEcJER3ho1T~WDSsDP>AZEs!Ej%zgzJ&C~z z=W54SnR5_GaHpq6RPrlPajsv5Wch^uN*S~h(aH%g3{hv@fPIe09TwbaGX^Y4nCKn1 z4<=+SUC++0cs4(tT1s23x4=+Z(;0}|%&QE|I|8V489GI=2Px5guf5%92WpEk(L5X3 z4^l$q-Jv{?LCkuQpg4d`eS=%ODX3WweQDwf+-2@Y>yM5by^(}Mf&eyP)7Q5oP64s4 zxz!3GP2z>iG0+DjtA(IMPZU%{(sT|qW-hMe4EV|V>iSkhZf9|tY@c~Wt>07 zzS}KL?-hU4zr2Ndnq-X;15E*8%MlFn%YFnu&1Rmn6`uTowPCbQL2|UVX z5k@#HJLo^_F?}Zek^180Ix3l-G=)_I*CY)yg+N(F9z2^3Xhx$~wQIGB!j)EmThS6R zs$M=cy;OuAw`t9=v(ZhZo$6E=lNy)+o+m!ZtU=8Xj0QX2+0oKe&Zy?hH5}Ioyf_Q8 zjE-RyCeNkF3JFz|+(cRJ;4?X{i(c#5?uOhz9qx;fD$Q$sU>_}R>~b=n=`Vk$Noi4x zRI!##Xgf?(3{gFjHdf@$C-*a%9NbfvFap}~M!)>`oG8o-$}hk>(>P~Pq 
zItYWqUaTuiZ4I?3MrG12Sx5}Zs3WqTIod2Y{lq2U&K>zk}dL%o$?5O$k+!#P37 zU*?z~z>zR8k%?JJ%YslRy>fs})lGHM{ZRy@H{jyTH#haROGN}n_#4`^C2RfV zy8f0%Xvl$QF|@#u%=o|3^H=h35|Kco$&xM#Q4skBeFSE@4i1HvbqP3Nt4`?x1qj-z z21v2Nb;+tSp0g!I+{6zMKlDba+-{xy0f7Yq+T(z*EbZVVuv#x>%-L7oj}H1r89-!I zf^V3O=7-YMYoc*t3Q*sG$pe*4ha&q{uBDzBi;vEZ4mfY%WC9H=yy|Q1Q=t#yhGObi zPj!!CKzSolyk$)**u>JArUDlcQG>S4pd5PZfBS`1!lb+~-#&xHXh)~sqXXSr`k3dl z%tS3@b1>Jj^4-=jtb68{1%lmNHe5rrK<}?F+!vxQvn* z7`7ll-67i_zy9XO1PSl4HQT!;`fNW*pL=os8-d5&Au!pFy=1UOTy)*P~RLsmxv>tH277Puy^kL410?$5ozgKLSC5&qXB+S z3@LCI_J)ugO_qbpjzfY=Ei$>_=JCaz#mxChNa`Mp8h$-JZ_!a^)F{VR{tCQZn_zA} zQep+_r?4`I{*~B}LBKC~AO5~90ZtYBSpw|X6Vh&r$=1PUk$w=R@(yXcmVvkvaDif3 z17PzqwzUY}5s_@>MJ{WAOPL?QJQAd5a`S|!P8%%0*tISbFGrH6Vs$3*5$HWbf*n>* zdh(*Gf5C#PB83fVl^>27iagXC0&2coeDw9mc1tYm2td6Bd3xu>rda!gr~iH&V`oKc zej4gZ1EXWQ5~~K0ne_lPayAs8Bbd$HRbKe(6p}X6senBqtRcZ}4H-qfC~BJZ00ZIe ze&o|Jmt(z&rBTQtvX&>@uPXIA*C{kL3?z+iV55J{n!ys9?cI35Jy^jY!?y%pnv4Mz zT5a<;?QCf!#r_mpgniR=MoWOE|FJ=Ik+dih-b}nUa?jD-mu|s-d-e=CMiQY5a2#iP zT@n_GfIE)&7@#9DMiT7-pbiC)Vt4Hy?8jo*M}+$-tzGIHnTy4bB%#Ynvar|DuU7@; zX4BzUoi?Ap1wVaw4x}{}7(?_&SGt53Lg$c;M#K$Q?N=(TgKGgtskQC71?XZCj{mV# zL_~4X9@1tlQlxJABhys>GsPT0+2XG zi>*N=S^*Qx_N_Q1q&_pr$B2^GYi%vbOQup5xJL81F~7+Nx@MH%gA$#*=R*N6rD_l7 zxJ=WZPtw%GwX5y{Ap3RU&n2z@ZinB!F4NrYwPn#+0XwFHEP*^_#J0vpwT!gP%_bgy z{~s#ID8l^WJjpwx*!PtWtl=UEit4@vxML=`%9v-1* zR+m56nAZ^OZvL(|^CVdIGeUmjx^{$Mo1K6|g64NqT94A=K$VPADD6xjCTuGZ*ndKf zk|V22NR{}6gDyApzKH>Ao$>(zIvUK3^?B)32ZyyFI_|_URCe?M=c=RjmC|osf{}1# z!U7_)g@k?t@1WBJ_%0IaK#ivQiOyM@9)_fsPS&4rvSPSMqyy_R?X*pW1~BC4KPRn; zFFobI4qOX++`S0~`V}To{zrGrY^wiY6Sypyxu>zYxqf~6_w`cnCJvR-DKQ&_p+4d| zo@9R@?B2?llslBmFo~%i2h{sI0PDk`&@coz_Vr0u{WoeV^ZTNd&L+7F!96TS@JM456=m?U6?fbgKPmE+G9Vgj-6 zO7YhVu#LMG0@rw%YQzs(N~{Ajw&Y=gDub{BWqxQ}iZ-4W0AZ1#>fRIV$f0_mxouTA zgiE9G(EJ$J0wwf0{|LWqhfysM*YJjjSnn>ocNNJ*#{!&CnzF-K{%f& z?l)X`?eK^+eh$#6+_iOwaO?W@!Sk%voR%SI*(N8zH9?jq9A{YKqR}$Yib~Q?kf5+UV6o|_BXHVuKfkTK{V9QaX zV&nD;e8^57WH<19>L{;@V8BkmG5%^M@Nn+{urd;UdEI`0n$NCTY@kz=zH7VCiTs&7 
zAF8bA;&wJoK^1dT>V1ln))^Lk+Rs#MA=g$eD%s_d5s$;s)gk+0Hn;uk%NS#p?Z;S2 zrqse+4VV~q8b=J)F54eA{1TKA943eUM42%k4gG+l;zig{(MD&*tedR^nx3)(`dN5g zM3K9fNemr|h;7bmqN06(#mzZZ1cFrPfsx1hR7I=*wzSxD$$j;DJm!Uti0fCZU{ELH z&tS!;KY%iSCx@@^D~}70|5>?{w3lD(&n(ZZU0lY!%~#cHRNlEj2R_qXqlYGadtO_D zg;nPU4PU@BkDgcj>Tnl}FztgO#_aZnr&}??&kBpu`g-8LeVZ4IN8zw^m^$Lh!%#2c9%b_0%JAyLb<>fu znF%9P+`X>tbp-mzrlJ?Z1jHjS!}4_we*eYzi6Ax>6$EZ@!n;t_^}x^t>wKQE`v5=- z!TK4H2kb$64n>>Yp|AF%f6dXS`Y_fyXs)ktbGVC90f=jKOR3kb0y{nVs2$V0nm4vp zyY0DAcHb6T7>A|RVwq0=D;kWD#2Qn`uG-lCFupgj z)Q)Z;cyoPjFB%nv9KoQ^LIF@{BV8`-_7M3Uc-cCc#)OVL>-QvOESKZ}Wg0ZiVLLMq zqPCCJd{U@H{^T<~3D6p6a@++{n4H#S4q+xiz6dXuj?8?UcvSQD#zm^v)R0?7nDJ94+w0opQ9>K9w#AMAt3 zr-;^J0-5`C&9Z$vcwP^+;C#x8Cm;9;937F{2?GMEw7}FZLapoUk|XEn>^U|;YP}R0 zI=T!WScmmwt}l|Nz?m_0PxHC6=|>R0Qhi-(0@qq0JsCVFAd+!WhV4wF zJ_7-L`^Ezzd7UFulUP#j6hB}-6lN8m*gZDBpJCi$s@oPTox~piNRlrVDg!&J(f_)c zBn%M?-mV0D0o(dA{wqGL9vp(0|HvBChUae44c*F2#;}8V+7f;PTEU{q*@uD>Kua?< z%uNda8J!K!H2U}z7*r;}-k8`h9 z!khCyq%jkL4m49;(G)kpsoJNmavjolx>PT+2hkkLX~yH3ewWNUb7j6q@biPUh4w8H z^5Wz;9HP&ysLu;$jF5+G8(O$wi1tD{7c_Nn-fy=manPf&n`NU8&N_vM>lm-PUH06gkB! 
zm28;J75y*~F!7RDUSwhQ*r}Q=H+UgZ;)=qC8dy2{DTuKKEAlwyZcEO0mk3!kghZEX z1f_Q_VIs;R=48T`Q%0?4YE5HfbIJo|bY9s;lCNx#+mqxuQ0XXgcW8} z>s=`l5r~KDLZZ1ECh}`ZPpGdhSE2Tn1nK$(vwbTrWy-#a{MJKK4A{CfMSt|yLDqjU z5yZ4<5K&Vay`W4Yz8{mqP(=Cm`lP-SlCfkzA*n{n36`a$JYw%Jn^qa$5u0Pp|EIz1 zuq%j%C9@1HLGKct2z?9`2Je_-~7vTFe{NNQJip$e#b zfMEi?H@=$mDEhwQ)iAqK* zBZc(`y>eN2SIc~y#_titto_FTU)LsxQCuk~jO2A#G@cY4LSJ(JK}B`@xOHHYxV~I) zf1+^jDiP%4L&pqLntQ2kELVB0@t`n$% za|om|l(R^9*$(JS84B#K3Y~L*c-(T2CY+wQ1+2bXL1WMsE(U7EC!*q3at9(4J`A#r zm)^|_hGo8&ifFURO?dnbhYNJk%do5ux?;Fs5#}44OQfZ6#}n@GnP_qGTo!5P1!S z1YA0SFwCc)2C_ zUt?&89c~8n;LRZEbSju~^@NNDk7^s3A{F6LVZe0)b2Vp4n(qIDY6E)G#fZDqwDWA5 z?w&)7w>ZL?67(G;jtscoUaYWt4$`0qoDQs<;(XDlBIg^x^+1!jB^7dqI^(T6ilJ&< z75b&#BU%PW;FsOO!-zln%%NDJf+Dc02I{BO5Sg*#LAzn-nTt3jM9;=3!=7^(5+I~+ z-O5iY0R5{bivj2tiJeEmLI4jbSzwNRFicP=zc%&MGFD6xZg zKHXSjzJw(r_VhJ~F5nZ;W>XjVZQcoGW(Q+ttqqK*JMi*gsEefQx8SMGah|RQA``=b zcl_TtvaikWf4Nsu$J~|d90W2%&rZ0TYUMb0C_v=o=<_{l27o@B^n;WHYLLWHXxBMO zzdaf-lVF1+Ef(@uO)+NV)+jn`))|Qy&2}!rkXYEB2YG3YiYb%L>j?!tsf(XHoCL)+ z9#|D8;fEe+)E-I`Rv&K%9El+lB0(_v60HH5_rhwN04ZA$T;!T`@1t_W+&EUswn)lj zl(Ay2OkgY-A|IG8qJr~xOaq<0A^Mp#7iYS?Y+wT6>+Ido=p0~0ivCCTghjYl`xo?$ zYJ_9)zFfofSDkH7q#3(sl1&(VA?FwQ(1;D5^;boXA%(iYhfvx6!^RODP=bV?zaHWL zaUTMaQ@SCl^^E_ka=xN9^_&Cty)7W#nIxq+l=EDWH^scmX)e48pkmH=72b3kEkci) z&}k2z^rv0b`MIYu5v@6ogV5XG6-Ur6s2yE!_4>b0sczAX%4u9yFHv%<=a?tcyVm7) zf^wi2Wv=2j+$iqB^nuCVwVz^9n|8{^L_PG!O8Mfm-n zkZ!wBVjY$mg;Z(O4~nyu4W$K^o>NO@LuJ80E|rhd+dQUZCe4x+s;ha^8fRqdlmHS} zYmMKz`CM%Akj@l#Co8>qUD0ZHXc0qJW=Nz?clmP`%DSC_w9a#Fr#qCn8Gu!$BYf?% zX|f-%n!rhb890mW6aYW+9xi##o<8odQSec7^-hU}P+!s8bYLDssXR@_#Xl1%rnvN` zQRCH08$@*!xFX^}5NB??636wllHBRl6q1?PO)p`qmcOFZP$)!aTk`pp$i%02&2{sH zy_-6FGf&S_)LcK2LAFG1Un<@WS&qbJ9yKnpjf9J(mlwCD_$KwD9o4Oup9fq1Js8Y# zISPJ51k#w?6ETdriTd4&1|sn4CX?=acY-k*K2JjH-Wf|k$ z3d~2QPsNNW!xt>V?dQuAQ{V>(morYTwLcKLJZ8WjKYY_cD(nOamX?S@)pYrIEU1_i zg(Hw|7YEYaH3K%rr#e8L4pPp0kAC98>V%=i#F6TM4EA=Hej4w{7rzJP*x;XnC~azH zrm$l=afU*WN;Ub*IQ_`T&Q$;Taqx$Ymnt|uhWBBuFj`KN2J~`;OTRxv(S&@4`GEBN 
zBEG9Hx`<^NZO80@@Z-jEe0)FknU%-Ic>vkQtcW@?xIO8A#~tU9X_E7)rh)0#UHxhp z?_GmRr3@T;g2WER{I3%|JP}zN!%5RgMh;`wNU01KcEcl7jv2|uqFOfJGIQ~>s8<)- z+pALWSW!2TXTPxg(J(jjYWF~mO@3?3H+h6VDtWm!$SN*I%7yvAAH9AK;zkWPc^b zCeNo@mHhGO$TO)Q31$2SZ~AZRjsI8>ph}QPer!h<=+CsH+?Dkf9uWhTip8Z9T{MiK zWIsnmUGp;=6O;xStFN6JmTm!ZIfZ;GH>wkjO{2$*$V%r_6-CMua(hfR`~0ci$t9yy zo1ASmx+>S${m>VaI3}GKj>%)_vS4jgEfoJ631Mm z=*)pwL|s`b2R&z4bP^R`1xmnlHN?P=-1VFUg7-Pu{cYK}*$Sp1u zSYgVQ{9>kkNzD)bC$E70)h7psg`eDdqrhzLUA%z7fv_KO1f|)0AgV;Jm{dD4M1Z5> zGx9G%x89F8RgJXFdMX-O`;vFuJH5-{cetN)IBTDhXMRc)sfKb~g9Thfswa@<^m2vJtd@n+Vzz1@P)9kkY%|$&#kPBQGRdc3apjOq2W3{D!upejSHv=KYz6zg0 z``vUjli8A50F19U& zOVVq+yMJ7EIhol?dTu3z-Y`5@^;DR19Klik8H>GS*K&3)7U^M(%^}b3I0yL-V^$j_ zB6|i4FB6%wqLJbrECJb6sSR|`rE;HQ0w!KZPDHSxnmTX=ghq0k44#?fBjX)E-KYC> z(kgBt2&mda;5*0 zS!LwfJ+fU;8?;b1u)+=1WTX2Da$_i{3FqxJO@j>N*%dJCMg}JaOMcl^Th5Na#d}0i zgHAPecF=wKrE&7~n(~U=!jo1lwT2WKt`JkH&le(WSAAS=%w4EdPAzcUj`V#8Ze+;oc@K3BI0d;MMQHc10z`c~SsvoJH z2y`p_h{D{$R9>4PKo(80zL7t8g;kodha|m9Uzo98ZX49K+LG=a`L1S5+4i(x5y+zM z3?g!snjrp^@c>;A8?Qfw#!r`B@529qzKNGm(^|LOWdG?VTPYZZI39MKs!vi?~_;=+TN0&Ewnp&d2rB11_C38e3K6I9P4E zp9|Ky$GBSG{rZh;c)!RZ@al7IXD??0>qz`{xPQ zI17%`+H5zjqcXW)HIux6c0-cXRt}|z3LE~Vl+isww zVx$;HuUFWhhkp;1CElMewb?#q$Y?vXQy*!l?(nqpckTe`Zv-X<_1nKyZXts5Rb!DE=`QPbyw+p=)Rdko4xC*awW5AupX4F45pi7(K- z@mi7wv{@@(yAK(+_^g3Ig3SZb)g4_uh;gp898enTv^SFmPu$Nj)V-466wTRd=s<^H z+OxA)>1G(<2{l{xaqgOSROuM~nth1uM@Q-)C1CD(w4Dx5)%x<{xW6+hmJcb4<@6;K zn!z#Xrb^sj6*g>Dz z2NsQ@Crp?SWhA51@<5Q3f0}EzJK+cF&JJf7Nt#PinLL;%RD=I+ECPI=moL(B8sW%T z$s;yN%k?f=9N=BR>eUS8HK4It0zNOewzJ(T#$tkKYj*R<-f1)Lc-nO)(C~FesTLz~ zh=>DADmI>NOm`XnCI}#Llc0Upp!itKn0zOw?s1Kss-W1ku;1PgqtGGluAPq63#<}~ z438dRG#&>LYfo$6cdf#r%nI}l%t+CBzVoTL#LNwqWp>5h)&PKqyr`7MW}?CwXD#4F z633_=W97BaVX@V-1 z%Td*gig0u&a?lI}*c}{%7(LWE)44J{9+cTWiZp#6n z=7=^9f0FPr!c+dSd>DQWJJ~0JU14d1H+i13tF!9${e5#VXBPzhlh)kT)!>xu$_@9B ze)8QBZ%QU=@{OG*K=ewtdL`t;6fy?G8;jF{YjSgto~b_mytf>YJH|U8q&V}vDzBI`= zR}&=^qOGSsuRfFfsHKNs9QM^%Q_>&I9-mC 
zs0O@;U2B|-OP~lY;{3Os$i0rIIF!ymf+-@@l33sHx|4{hfk-7YTWv)mr;^o!*Oxq7|hhqY+f%m_kNfC)na z&0ku$I~b(L8<)dnvn<3ofAgqGtsEnT&F|HnLyj~i#AKMvDpTjo%8>M-eG!{#Ibu_m z&H^|cEH#S(;^y7{C?1_OePGUPoK`1$dW|XO_9S#DE5q=CL^sMiv3^!G1rS?pmAD;E z-Js;Z7Vm>@w*#0c<~045<1Cp%_Ft`wK*|-kL7Hh?duz!Ly}cte2-{VR&lcwlmko0) zc#ss0pt8CMVRaxwzb$4WDVm2N9N_-`Ez)?mL-VU)_pMEN1?q)1aM0x1Iw0ckRl8$a z7>~|ur@1c)dXiw;(f+9QpcO}fokY;JJVf5tQc)rs^x#||02__M;a0EcGHg5~RJ-wI z4>B22nKIgAYMw9R2{X{J5cDK)s4$_ZS5j7Cm}aNG$PQH49pNqV^vKp_OH*r-Gz{p0 z!OMzRv`-OV*EI)R!w1QD!a8BNH@4ZTsV#=d@nAR)w+@9PyV9`aG)7+Ng{FO1R?FMi zbxp<+!m&7mu3~;o1u&&@u9zCZL>d-rxZ3LE9e~$(p;(d$`l2*93^j06kBs!5FPimC zb0vGsBefr0O$TB|g*A<%-+)iL2y3`{mJG)DWAPqUv)Bi|1{rED&i&+GR}hR60ehao zvLOszCF)G#XoIW4iWnfq{VR z=mt>h+wHc9hH6zim4}S*vC#mttu7XKQe`-2=s1K0l;2ISCf}<*4aJ*qWKDAOvbQWV zNGK~QAt_q{Pk8O3?n7mOjp10Y=UId{S;#ZD009A;7J;CSgOygJpTo=u=jP9C9C?t1 zkNo>ut{x6Bj51~>TEv?9E2OL+cc62l%GeBtjHBK`;X z1bi=e$YT6e8BzW0!)Ohv9(**slSrEWPQWo}@>0DNwhT3PK?(<_%eEjQH;4hca^f%MkVaC6IA9M`ccU^jD4E=Av8r@&toO$oCsYMAHRT!NeNPZm zJ`g3d_h6djd%)p=p;3@W=UxwT_L)Ci)6Yi#{M)6a#zx_YJw@#XCrChuzHioH+e*sO zUa`(oBwwVagEEukV9C=-aId3iX6SOqSw22T%_guQIPz2cHIy$h!H1^z84t-$q;s~m^`F&Dca}@MY|^x9Bo1ry%I>5@Xrgt#J5Jhe-ckoGZ9*W%FXm@<>^Hg z=qt=*@IN>MWkE|_yHC<}rHBb;w~(ll%@jkaD(fz`q3TDP@Dz}fqIE9XJ)y}hxK}5q z0pKonNbRfZ0p8;#1`&+{R^M5GFw}7q!rLLa*jyt_PCnx;Dvh&^;lk zvdHDG!yasL@F>HAM?iOT?i8Dh$mRxRF`#-Tw!zN3qHaE{G!5A`aRZ0G8)N1ty`Q0L z1Az@x_q{)-eA@OX;!Rp8qiD^X>l(g;VofohWQ5Due}Id|_e2VVpeznGaJ@r5`Hj+U z1XvVIDlc&sZx918v7*@bOdOh)C6hmey;GqjW(N7!@lGWQSB(#^6F5s{NWxdX#6}s7 zEULh$ZQO9AODy)i()9%uM@(^@tLcViVz)ocN(9X4RT?X6ety?AHC~RZjE#=qSWNf% zi97A!EIM4h1}2+Uc4!@RuQ`2^VAd2jc2|F9~r=PwSLlNXt0Bw;3r^ZPyznK489i&a-W%OFg~`X9F6N z0Ygkzwxlw(F^3paqjjhW1C<{rMhuJy5+n9pTb4w8hA6>494MKY0UT=8B`{I)whD>* z8Rz3JLcp}|W9!Y7dvqpLaMe;4I_pctK@4T$R}kcc*P&bXn`*TVo(*D5dFQeCtdFf; z?{RyV@}E629X+LuJ;uu}GWJAQ)Q?xShhkzd(AG2Z2SlV7led#CJ%BqWKXc!Jd`2vF z5aY6B4vdWg#EYI`;C!ZO8<#Xc{5JlM2JI2;3s`hU*RF7z6JqY1$|hpyMy^v(ytFJ9 z9~uwW+A&XWm(?7&MZjyOmRqcG@>Za~{6*CQGy#JCfK7JJVa1bLplTow_XVOzj4OIl 
z8Lupl*$W-kte4c#@#L#lEPN%zB-&T?W-wEq#}H`1aT{S#SrKNHY2vu>*(i7?4t*xcj%@31f!QuAgR` zvT;0@0I?P`G8==j&IZ#jgt&6X4Kl9M7x{*kO;#DfD01~^{fLH(sYQ>u%v9P5yK@lJ zq3lTce7rkS4(2iOOs1__Ae=LsNN>IdxS^W8NWcmF%Ez#uh`aqE45X!Nq(l4fETvIH zFWrag8excI@rQQC#53#Vs#VlE1(nqK{C2iX5Z*{+6U7AGe;)-*;=E*jx}#aci~Ap! zusysN3}}BNEbj(nWSf1Ks-&dsW|J`7<+}HK`j8f&_FPP!{@iW{lgCzoFS_AkdEnTQ zbBy6R?s(?tHf>-y+`QcfuPqg(xIPbes6J5y;xInFN$yp4C7HEq#~CnfFW4DDpLFPE zQtBl*#CYN^1k_yd(9PGv#vvACC_`#NaKl-tZa*hFrbG8R@`p9T4VrHT?{lA`&2jpA z%l>R8KnB_%0@?&BJ}E%bfo@kUU^JwQ^t#R|Ec!pTQq}{YLObB=%R>U;A86+wa@~g+ z^RNEn1FR1$N#4yVh7vqN0F^{dZA{+o%!_)gVz4-Z8G=512)9bT=4NVAlDm>)lJeQJ z&0M#9+45-d8|=v(j(=`#Jv2Zz)EpO}^)>;Hie7$aS5A= zQ855XrUPA18+c8CDf|P49+*>1;L#9(nr)ybfEB;@ov!T(02>X-H68TW>o06ck|AQ1 zfn*p)1i%gmg|3U(>9!D>uc@OeTE>>^4T_g7&JnQ9o@h{m0H6!!0tT|4TS3oX6R;ft z^CYk)OqR_cQp`)U!^tHxjRs1w4zjgO*>9Mu*S22yoz#N8g%klITT;US9 z0Cz4wv~tf^*gRWwbDE+i`SEukw(MiRil0zO%VrB|u4epTZ3smrHO84b8Pu)plE?GN zY0o)US&Qp_J5aWGS}i0Xc0oXXn^xg$t1F}b%_mW1dD#pX)bqCD zv)AhS4H2E}Yp)`{bU^<*oSf*=PRRt>>#UiT(gklQ{5-&>C?k-XO~~4PyBnt-mn1B& zYQ{hL68AMs!n_kBD^P^^j3Xj#*aKDT%WK$K%o|-T6nNK{fISCF#T_!p8slZw7X^!y zcU&@u9o1}Hi#>9cg@nd?_&H!(Uj=vq(An;bSiJaU&lmN=5r z%*Ir>k1>%OMDmm@LP0fY+aAxH9At7${Y7#BD}uBz#Fg?xtt~-%e5io%+NJnZDBOeQ z;(q0cY!q)&=4zpy^#vwP97(as*-AHMFNNqfSl1_wrbU7sLfIXON|KbB-N7-4@l_VQa*qU0*UJ&%z z1B(8n+drbZ>WWKJh3#|=_1s3)z#PoaU%7yZvqC-m4BjD~i9~$3`{pxh%}neDPnQD( zqsAP7zUZ(Z?zF8-0&;2@> z!S3OuM@9ZO&qHmZqc$2*4IB_aL~xRD)=-8Iz3 zr+JO@R;9E=brG^i9n3?O7bCZ`##W0C{Z$_Rh5WFZE(|J%*J;Ak6*_$oqdH|TPR0&* zJR4T^I?qK{)Mv|4rD)-uqEuf@8NF68Gr5Q;zni_l$_f+N9hjvTtQs0LFk-nR7l%>H zQ@46R5(A1ve#72Ykr0s7xlkk zT)_IY!yydB8#o%-AvLdA2`l}ioxJ47fc0APae`>Z1eBA1`B5D(Pi1#EsaC+g;O=}Z zy;(KZ1dz2z_MhuE-Q={_n?8>w#95cJPLXRTi*{N{J3coP%ZfvkRC78Qsz_%KU^1kk z)cuQ~8i>%F`3sKqZjGF}4>4Go*dQq3*5->H@mUe?5)>!h8oRJ3mbyAE)(qK5=1LIs zUuO*1Oa&<_VT8Rbf=rqchV-s+hrRka>*d#n{!<=ncKyt2Kv2IFiCdg_zL>a28+3{G zg<32kIeaPr*KiIIxwFVSGw57zUK`BtF%WzUQtlj1Yke9t;@^-jjXh8E9GN~tMGoKb zps${M^>&VxR~5(>JMD}6DCqI7d# zwqahWmS|xM6u^BqBF7E6jGM(eP@G-I&fD(_C 
zGjzhrxDJYIIT?E+dUU1#gDM0{6br-VhUjw0zKe4&o8U`5pKqq5}sT z6!ddi?XJE-4W|Ass|)ElmChji^lx1-ulCps#Ham>fYO3k)9gp;yfJ@T@euBS;_G=) zTG+~5_Kf$7Hd>keZByI~!f2w^7ExLy%lI0kCO(dhFIzmeq_J|@QcYQo$_E)D60+^? zLRmYf&mKEPQGl+Yy@^|!_m}jpS=bbREJ7Y{T#}r^o=7IY-0Xm^L%shH9W-;!|#AtNO^u5n|5N>W+ll@L?V&crx?5BV)2@xfq+Ksex* z)ss4~LGwpS4=h?Lfm#f!Y?G>}Rk=e>Q4#ecz&h~78>9JDD+IDp)CvI^tTP~1t&9`EyI{G0ZAwuB5o8N44 z2WerH5Oa626+axXy9u+A$jh&=KZ_64_*do}qS&u>Llc;=Ik)`%I3=f+964WRu4&pI zC0xe>i`W#{_h?YL{1p_++^Kb`WzLZj`BVQH z?l*wPkv~p>cb@k(#OB46|Ip4oe2nw(P4O{OvA}p(RNqPBU7$cs=+Aj0Xu)=7>(k90 zVjMvGbv@vyvJn0|rEi44q{5d#|6;NjIB2WD85cFpJiX9Ca!Gz~kQdL=9NKykA8fpM5)?`DNbNit!n zcgI^MZvLXyH+P%F3|u=*kk2IFktB%vTRJ|v|KZw@OEeRYo!}45ZA@_wNM zK6MPT`~i)Fj4}^wQXH^lJ2Pek5rPj%-J@2A1d}()uGTdLlF4?CU*ho@q(S@4l|l0{D)x?jA+K(=ug({L z@p##XXOMUdYA`h?3cyg8-HwyjXx9D=Dpx)ZHuxI$=q&Yi1W7X z|2j50hzQHeKe0Ge#EAxHN%-sUc`4eOo^=I_TZP_RV48gd2i9Q+OEh4}WtwddR&QEU zutnx{nr-r~!BTs#h|Im_ag!&tr)Q-0l};QdFt_aFg#!~$@Or`SJNgXRU1uhSeZlTP zVi*`KO2Yx8Gmg&phF{b~BLJEZWFc?2LDI&_2tgUYOOH6tt6H)ziJXQcs6Y^6?|tnF z(UaL3OKd~DoA)Ql0-ZRa@XKG?gwS9C+h0=W8$&koSp;ROjS)lR&-Eya-<164)y>z& zd;=M$#NyA((KsV#Zv3fSC74sTV4*FNz`x3CCS2qb4WwR~Is0g?fCK0fuFFBju&jiY z5m~0*G0uv*&Cg))w<2^XWYM@~9Go+Th1BVCL``sQ$);M42^cD2ukeA^wH^>9FKT9VIXN($S0lFaGx(z(gWNCs2!Q2TpPP`R1!Mdx0MQ7w>jP$8#x;U|jV&=);aw{o-tF8(<^y_Lgs|HZ8JIQdNmgvGDMSA8G5CFn;3Rkyf3SU{>%i zzYIS$Dg*;@K0cKmP&vN7#@5W3KTtsC+qtPdaa9S}rE#IxMvaRKs_-j02-qN_ys(Md z=}|lf-MynvjU2&vkG~VP_<+UmNk?D=2bdET9#g zGU0k^3OK@46C&1rF*bo^RRBLV#(kU`$}&g5AJe0S4Lv?72ROSG-@yP|D%KpSz<(@y zJz~B#OqOsfX@2e`VCaQb6j?$|ugOR&Duang1RHaEWq1Ef$h0B*b#$+X?}-By!1ET5Q@ENG6~aF4*!RLsg}u^#4cQIpiB=8^q3 z^Wgw(d6^tnn=v0SoB3%4fPhN~%aB|)R?t>*U{+L)h1H5k#WFzS3L6mILj+oyNI?v9 zFL`MA3Bfn`-NJZ*gFW2l2W@0_)dTO{20>Vo5u3eIubN$4v-c*>ZU=Bs&LQ2Se6UC8 zOR?7>mQ3s^b`o`BbT)7-sH#hWZ1+(D1&NZ2n>{%qWl0nzP>|p_pt3xc#O%otDNB|h z0dzuqn>LU{FR^R56?FH+XN$lj2?z)XD8UK%_vh7N&=3rmtBgR{k--b1eMvMf-Wa3n z|A853q$t4=UWD<>b*IE9iVa zo9Mnbv>-NZ;Vp=bthwmAO&dNhTveNafnUN~gIo1?%;&RI4G+E8NUC=uvy?zq9 zE|s20Umoizr!g2^Fk^NN1R$&!!|KmG*n^i^9f_S 
zIq#{`t8)*viy}zbU2-)s#EtV zm@YKw(_YBZ2c`joQgiSP0}_LgHEC61QTAxD!7eha=Uil%ThR^2)zt2fjv<4e8Vn!& z_=?VcYPTP{c1vL=#131Mz{QWr?#6DJ59x!F$?$nqkf%E zdI%kjJI)wl2by84%&0UDc%w-B1oQ*c;Kc~I)!+s=qy%1P0 zsfCSmi!?ESg4kdv(`3c2;*_@(wnXsFnAweibxy`UTSxWf9XU<=+uR_e%9LKI-^?tn zh0Z8|$iKVeb1UD|$CgL-SQJCa$JT0r2b|TVAYnEa6jX%-2K4y8RmtAvB5>}3I_7S^ z?Swwmz|Mq1Oe03BoOCEH&2GMH2~;0~s(1hRTUYA1)NV>`v!{GjT{ZGC2tKzfFtlQc z(GK-@Va2s99DyA0UtJ9QFGg0~tiYb}#sy-TvMFHzG_76Xt``2tag^fJNC0eN!=5bn zsqjH1z&Z#qY(NCEh{im75I)#CvKF+$9yijGo7y>eYUgop;32iAQCtbL@D&FZH(`U@ z1ie5oL^52XA@*I8O(AS(*=A2bF8p-jut9JLiSu(%EdP9POfXS)br`|;h6{FCg+GDO z3^V#AvRe99b(b~@Yvf)oeJAThxJ_cel0SF+mX1-cD8U5pYTAn7-J}u>x(D}qM7Xt) zMVHm}av{hT5pFkNIS_8cWWUJU=n@;FiMmwoHykYrF#w2q3I!aJA>JSltO99d?U*(XXc<}k&1_WlLx#IHiLloW6$jNqh z-&Bq3M$%=)N6LJiDQMipmxP)$7}*%HiK@uym|NqH3yGkgHkV5)8Au{P-azlX@)eO8 zs{5B*OLO6O?u+x)tYgDVoTMuU9xv>Z#uTOy=-$I;KjPTiKqz`JHR@ABCipbXrGWj* zI~GEZ0rFzh@jIj5v;(FFG{FS-Y=6)M^3)GBlr@=E(}YshV7RMGC@Ps=aSCYamBeFl z3XrwN7;l5ni9!RyB={C0K=Akmqo>j*jNl_9kQq5Evny;YqcWy8SL{{(3j4${M76E{ zj52_8LoM|T-@3b`MF1rk#Z+8A6G z3px8io*=RxYIlfG+mOzw!y}k4vp$Wo>zb~hAkJb?OazF7zOQEKf-&3?)WMJ{e#Q;H zge6&!7@={Z0f8iE#{!a?N&I?VrvAh6k5J3EmTEwDdOiDQctR_(3+7v=ThgE*nXg7;Qb~&Yn8Oon|i`eTcSOb5JE6 zAL*T-*Vp;b!7KDzF+XjyN%`idNF2%wNoQ6sfUFP%Un%9Yr;Pgcfbry+{Rtj4S#PpL z)sMjoO#mC^iQR|7gevRfwzOcq*X<=kh~&{y!jraKQdL0*AR^zJ6u8#ogXrq_ZIaPi@Ghzzfig= zkqyQT1BM@nD@vY`DOsL;86*8=)0HFK&t`i;T}44cb(rAbM_C%-t)&|9LgfmS0IncK zQG4J5Nt7iMDNX=@q~wS?>EjVa+XTyxDadnuH|DvFJcqNTdTIYiekVv~uGrA3TdbOceeG?%S(`Hs2Udz!ojlWS}7Ab&a<>_IiL#J|KqddmXCnUI|+=`FuHUWRifKriG5#9q>;gu}KFV~Q$1KXt< z-(9ZoIpZ*%dK`03y?nm(N@|(_ivhP+3x4oJN!Cb~r(9zDfel!BDl?DnUxbCjm(}x- z!3n*sjtmqX2S}NfoNvQMLvLF5vcK6d&ZDIgrKpE1|`0NS$wfC8p)-&FZNL&f74HL?uc|pW3w4vi-{#cvBJ8&Q(?S zMuPL}wF$;Op4Ri8u}?byI)zXSI`bJHWtK+p6F8_UteTn*Z0yi*}~bSq$iG}-M%W85#7HqFNGwon&WW6MM88M{;k&sIN^Yq*OqkIWO?W+@$ z2&1AV=3S=fTH%<|*$A<(o}g6EM7QYXph~mpAoi6D@c4!kk8+hU?F7(Q*~AqK>2pk_ z*;r3Z*Bnni2ZgK~Hy?ooa=48iX25k?pFEWY*%BACk&SfF19Vgx>mn^mE+Z&Aw<8+#(! 
zI?!8rhFc%{X`7cOwTI9t4Wui@wd!!urCvIyqbseN;JJ9ssz(81AQ!Hb~!CD4%nIU6eE%vNkn9Edwu!~a_bE5&l4Fa6^$(e9)DeWDU zN|j~YgHYs=wUt#9?>L~D6qjM2yypvC7iRprD}oKhD5!Wv$-s>VK>B6On(u*0gHN>?f^wTQ)vPY%Y@30{a=%6#+_4kk_{mqxlVJfY>Lu3MF zrKalmG4_-u%2>L>_{9!6$&TIlwfbQuXoUm$Q{%pt(j#Eg96dbW?& z5Fm)qq8|7=r3dyhxg~1Yya5(#Gpeu6utls7ckgqSQN5n5(vN8r@+NC(WVvvxL#2)s1Wjc)1J0)SX+0=bWKfz|#zAV_}uU7KI>%pS}g}gByn(btR zIl_F7avMwfoAL4LoazNOcVhc2rRU)zysL??OhK>aZ>oB8WRUUIzx{3|qFSnOs(4~{ z?<-szCMX!hoFMOscyp&Aq}rKKE$$tMrxWA4BTHb6tD94@Js6F%QiV0Q(eBB(Jb@(q z-SD_YBrf(%7Q~f3n)Hz8AHG4no*hOd8QW!ihOiO>i^tNUOBXiH*C#?52?X0!hr<|M zz_>!8M{!6OpcOWW`o04g>ruk$WbOzip+00ct9|!W5lpg|&mQmyqY+Lb&KX(Kzb7D_ zn-hjD1)Tm|CDRPC%SkqtzJbn?K0mcv@<9rqa8l6<5Ri)v6az&KMMmlg1(i(*xjxxE zM=z}(8C;ty=L`v`7eNjms$QVai#7l#?*eY#dWyDCyB#7)h1nZag)O;NZGV8H{IEHX zqkFmY{hTPjSp?M+_u=zsnkygrGfR&~myQvzS`P&0^Y2wakw~PoLkFn93{5cAYtf1r zQZJ_1N~$sokJ&PufkXl`3r>QR0PR&)RhaEB<9mhR0_LRG`#Owvi4OrHh@#yoorU$5 z-is4qio+~-EMp%W^n2G(PRG06tU4rUSVxdSU;Gu(5rH0ei?cX;A6bkbl;-MwJre1I z^@CX52J}8IK4wSGIpLi*V;TY~dkL!s>=y>=m6@V%)$&v{bH$(!S2BvYpuWYu$ueEaS6$?9;>-cUY07t zG;0h4^3uq~ado#eqK*(K+O1+!*H59}EKPn<Jc0J7N!HQ3j>MQmi9z^B3n3bA1AViQQMoroo7rB3ZVLSd44 z7;dle_OdI{*mVF;l5Yh^`FF+vJu|D{ATZ1|#)`;=+4Y~txO3s%on+_dvMlM9{zMP- z<|*9$IUGem?QU*vP$@muhW3X38sc;FT5aBjXDV2fc0w85Tlnc3o`OKrbKiH}yw6tM zyh!FFMYHo;Oj3AR!hBw;6VFG(yhg*x0U~K-qnVqWH7p@i>XT_U-FPmy$mu$6 z#)h zPOfyJS29_gL@x{J>zztPnDpn;eM}ZCJl_9srWNw+HL_w6d}_jN_PtzS31y*TniY1^ ztFoBsT4ZU%t&&&j%5J6EcnB?u?rr6S#EjB!qB}2Stiuh2t~5px6bNLQ6zHHJ*`Nzn zYy@o*VG9UQ@wX7?Vi?Oczq|xcTIrS{rWi_3 z)Kpk$9tuPa2?CYH#1K^R357*#0GlUIhY;mmbVeu;7s!sT7; zaO+5>v~&|PYV}smLoItnqR7g!a$iGk44lwU1?ve=lqITrnh1OdiH{7Q=t(iM%ODT~ z3;*|hS@w{reKlczGn}uW!(URd!J*mBIv+fHXhLCrV%|OwNyn#xP^Wf4&9lDAf(mao zX1XQmbIT;%cBf-6Svm#omphlH<73MstHT3Qyc9iL%E#6S(aQCUki%^9-K`+Q$5Z>w z5D1tONW;u&bhDG>#1SJB2@bO4tP&D95lY=lCnThwUaLqeMr`TS8ue5XS$fcFp1WHG zGPu31tauR|iHYmsqo>t+&6^&w*kwqswbK`jh5ZxV?d1y&e&5=dPU?y_PiUz*Wz8Y> z>MlSUWELS5iFe6Zvxjdl?pg}{eZ-zRn;9W-5JgNOk@H!VV&vzQ>sa}sTBkrUx>Ik{ 
zsbAWdPT3H^1I`Un*8C=^)ilh$lEK8qa)BWh4rT(FnT64{3|ZXG!A6r&S=gktN>6pT z9}ru5)j_X0rdTY}>>N`WR^4ja{)XmIj2pAjc;C2nPd4<4nQk{mS3qt-oj@ZmZ1J>) zP&RL1uH2KZd&u)$KU1~I22p2h;X#pPWfjH_)N~#vAIAa7|3lvNTeC&&gKDz7zT0GgsFQbBuT7HBG8rrazL-1D`=sU}E*6Bk3~BEehv4xXA`+nD(_Ku} z?yw757Wvj`^?FhTy_t2-F?(5&ioOcozZM2d* zuJpjdfL=Hu@YEDd(qS1-0TcJW?at^VH;PX-spLh2&MsX&C_uE4uf4a!@1pPKm@bVc zTO2gZKj>PVkyy_>>LJobSA48D+=lXuU?JSXbLLb;plRvMOV10s_}0}tP(cbl;n3AV zV12jtLh3|GN$CP#zCjR?1e(zy<0UKi2XNR{aB#*?H&YsqE8UKmGo%LKs@(Y=X~c zEuv}H_|W_^u@g z=LH-As>u6BADAvC!FJ~;h?*dq)Vn`w%8pyT;6iJBq!2%y@vtIK!(C5H$sv%9v$(c#hi6!=0+qU{530?trgtiA z!@j8+_WQh6zv8W%7b2+ESyvA>Nl!_r_2aMLnKt&d|DTjR^@< zYz$Za{#rdR*(NMJ%vy^dm`4fmz)`Lc?EJ^%>b~3i@b@zQKk2eS$u;XkF-xBgL zpzfJr#*XSH)Ln!C=?TSo*udvdfqC3EeWJDK_z z^MN-VqLSJ1%@?l{1OB(U`yk|Vm&$0&%zKxCzH%mDKems zA8R1V$U-hqs};!&55-U9)|t}4UIfglmgOSZ=()));94aMNWvOG5cUakiPnK+-uP4q zoGojO2r9$@&zU>PKsh%UWp)zqfif;oY!^^aQaAWB|1(c3^TAd8H*RT8oHl8fxHE2r z6saxJa?KbIM(!RYeIHb@9yu`i+rlf~VJ5l3@&E){K;@@G3a!H)scR<-OsR)B=%uf% z5ro=4#u=(Mmc=aPuO!d0c@#v4MDMoH8livXxE|%0Bo?jo)bs#6~Vt^<%IH87Y2Yiuo2DU z5kyb0AdCM!;hke3*oGtg z$ zoLo&a7Ay@r3-jL$uq%&mCxIe=FRba36x;a-wZx< zD4n}>$S92ww}C)*psBRF zli}q^)a}>u2}z5w&qP@5)LbRO+vv^&o-!Zpl^KQis+W7s5)&;~v zZpk2^n)Yr5b5L}57EJ~`MP3QJs;2}rd+_v*nB_|T0=oB_)$oOhXZQs+557a3=EGTg zQr)TfJ~b_Of@$4-LDl-l+EW1MQ9|*LUe-b}9l+@&eE+WRRoM{Eq#+uO_KAKFOwL@S z-wZSVQ?u~7=j<4H(grqv$IwxBodgkUsKS!-azlpNQyu9tE>*=-DDLofXsA^$=D)sT{T7=ghtdSm@aMCJOY$eI}^tD&@F3f7)x$0SLw8$P`38lDq$l?rB$|1>3x3tS` z6rpJZo3Jvh47hR0^aiIU_yE(owydNqai->(AtX2lA~WILVf5z%^94fXFY5Uimy*`h zd`YgW1v~JOP#f%}O>heS1e@vM z#nOLZO>(hQW#1LdgWf}PegiSaeaIp%RNFN5aiPO%T%g@U6;;pvDM{_;=4d?FACrDe z-fcPLo?-6|;lOm4*Tuuo_>1VNm$h#RN3Q2IqzxPnW6gTpxIC@S`FM`?Nx&s z$cK^rc`N~Bj>bcNR(N?wk~Y^Akx83dCj&s-9tUFRjj)BJIi{(LCl@sCUo)2N!Sl_b zPWx}jQ*zC&~AMZK#t_|1wCYf~>eZ2PxG9H(I_K;KBYhXztx*(?5X9l$wUyVI}cf(*xeZtjzj(})u|fS&(`}V$~PX=j@A$M z#Dui$>t7gv;oXNO-0i`*8faeg*V1&Q)KaH{^Bi>AOOwya=0CSsW&!=vpbF+eJpDESHRAV>)+u6{| zOo$CFtBG)5y-&vJrVm*-Yq8}`L~_L>x3$v|mzw09fOPAw_{>(Dqap}zC}j&ES4LU| 
zUyx;<0(dZQhF)wKTKb)Hx%T@J^rjh5>*|3Ptx{>)y-l)2t0%WRgiMkS0kDm8y0rQW~yAJ)L+)cRw3 zB$~i8bQ1ex7H<%c|C?hLEH6DLGg?BIYWxCFXXENuU&O)R%C@DzSVMmS;@qISF<%Dc zQFTuL61FgN!BI-`qmgs2|0UyfJGZ6?PW@U!-VUnNu%*9*n@XO5;5 z3-*0LQKSqyf;|?B!v!<|n{Ft8v#W^@jq<-vE(wpo3|kaPS?fmt4I8~(E#@dUzI&Ys zr9Tjgry$V031?USgT3Aw`hB1LI?=Z~W+I9m0`TM6p0MZkKug+a1DbB2&4mcmIoVuH zy;!OQa_9}SS^Hn#VSsGeYQPu57YF%oBim2Gj*v)%I;8O#yT7N0RRTkzEP6Z{H+#4& zx5cXwMtsg3&inT5Z!U93qtU1KGCE_80QqCg%?4C&hCrRDtf=-`k_b$&&UF-NUP<8r zl*9{Rto-iC0>r*246h~R;n6i(Mn|Inow;Q+Dw!; zR7+RQkMN)CUeMx(n;eF4@>-=E*o{>j>9 zk)@g<7lMug*Ak9`8(#`p52W!J;VC=mT)yoXkj4SHdi?%fM9EU5YrTEHm%=JWG%7fv z;GzCP%aeA88I{wjLuEsqCFuo5EqJnUef7jd*X(cm^ncbf>or{yIH6Ex!|%6wLa%lD za|u_oGl|j-Rl70fD>=!ugIr-pf8@73)fH|5Y+M=ZkO0?Od%M7ccqqd7EL8=-^C`iH zn^<(-UbwOT$L-IQ992;E{d*7{>KvGi)&SGh`aV_Uv6C8f4^(uW;utml4$#U0-z`7~ zsILWIXd7tE4hR@3hB%&8eGM?(T;KrVun_L}rFxndoY6p%VEw`DK-M@P-0c279BoDE zlH}?3`qFVMxn()q2uab?H&xI99c4!~#6`;3CD+`rKqWS>=cU#EPd%cj=zlyy< zP3!a{!zs7=ONvWRUqlkv_h@K^I&??@15|CQza^CQ81YM6V@c0vQ7bqBk{HqtivQIJ zkDBXL_zNu^HnrvIfxlH9^4G=#7@u%;ibR@DIKi>xD|@)t)msLi7AmC4XM6HFET zU}N0+vh75uaD}OOTeks>)geAk-NjcZ@J6ta=*ceg%(xk(>=YGq>h|4=94oo-DKyn# zXUs3v5TcSV%l!$3h|j^_NpCxjgyq`F7ltzehDU$}O8(d8$1EkJkY>UB;Fx)s3ct8)W(%gj)46 zjo|60JtmO^j6WEj?MPIRYttj{;)I{@86s~5FMN+rgEY{eQ7B0$-Hj6dZ@42o(O2_9 z6$9ew??}6JSOwF;??rQ24UL z8(_C|{Cq3KWf|5|8LM2~eF*Dmp-2gZ-3+lZY9&595#Ed9l6&7+271pQyzrYa9~vdA zWo+zf)wN_)xD`%XyzwtATpUK_V+%nd$fmhYy$Q5Pd_(Ui) z?X_nT$%~b0$%=^gp|7X{8NZ9QgdHI=IVT1^Zn1hfO^kP;YP%J1I;fm3dB%=NJbK zY4iLILF?_ko>+a*z3-F`@*4LWig&MVtGg^BaU?0>45Ly^d_@~}tEk7S^$A9V63`-18!>u&Dox4i~P36F0 zN8k)ERs88>kHFi0NA#~94%#(AmdBnts4{UT-odScnr%AV^Jm))=OMb<``hY& zJ@(;{2=RR1QmhLDp+`aU>6qw|Z@Qy%m!pIe(vL~<25_|8G*&}neNdKwJV2_A67Jl6 zp6uVB9R(n@p8gw}Yt2f)ibK~0Y}yX#)h$mcM%t?U~JD8y0K#ENUaPl>~0eA)%U{U3XEM$cR&I*&m{$Ta*oaEPO+zN$f|W z*)30DabV~wYlSG+63>@5gE&^51GDs4pl1_B8j;!k6%4+~r_I0lEpk+<^vfWt2S46s zb9$mWm+C|YCG-4G`xdW>T7`*{ixLTZ8~J8dkED~WvVr};0(##E$7R? 
z*gI`=3~kKb!o!@X;_5AtFhdnfi^RRzY)psz4aOq~?IHD>t9?k?pZJ)1|>JGhbNcYS(xR%iX zKPvf}G-o=!R^rnFvjpp@6i01Ce&)lW&S_3c;ovnbxPxgUvTA;;BM$*e8pIP6pIFn~awEZ{GI=tW( zpWKOd0WU-9g3I-keU8NK5_5EC>17B(6z@jHr-BX(w9~~%S`P^MXt2EoYONAk%tMc5 z4TmH)We=-T9JH7?&vjksWSJgt51MmxyGBiTKII@YsCRo;7%#(d328#=E*Qe^WEnzP z731eet#+h$sTLwSPMbl1-4H9g_`72#a(;R7Elw1uOK@e9^c!Ik$u1bVS;v0<{bFS9 z+UD8fp&1Pr-x7la8C_!%IFQ#O^x^y640iL`wjrct0(3k3%VaZo4@B?`Y&FN`e5q5W z-Zlw(raqqDmU5NnFQNP$QnGKY90mLCVzyzSoDg2%Q-r_FWyOtau*GJVt2! z20&?U$x`+g8S~^!|EJXzp?88qb2M1o2gN5pVlFBuf}gyM4bc_?5ebiZM76-`HNb4p zapiL%YRAIcABfN|Jms+1JobvGMNPQ6bwJ@T&zZaq3|i!7ffg%+y+Dm~>qG=A$%SM* z8e=n1Yqof(<|lD$@*H|uOrZ)C#*yv6HPr&jG2FPh_y)>+mgl@9r`LBpwv+=&GE#i5 z069R$zp$7SJ;M(mHTZ^`ma5~yw3G8;*pKnV&aAr(m&l%6>ZoF6@yfm3DWpj>cEOvR z1ybI@#^#6@P(X+>b)zT$R?6^yOvDQcnn7rN6IIL@6fayLn3%PkI{nEgQ+_(k=(ETE zC>%__ds=&SsIVhq20{S_nX)ET=-)(!yZ1Pm7A?*g0oxM?7Jnwhag!yU>9c2nJ0!Tc znZinu8Q}DgwpaL=_SogyAJ~zX_Zh49BZ+)G3xs8r>qg0?ASo8ZODWJqd<>4^pKPgs z@ZjC5jmIK*fRK(ICQ^;3DPR#sFTnr2j}I+@s9my>%UpN-uw3@`hul`V7WpXdXEFUi zz16+v_FO%iWTMvI|D;y` zWZDx#zV0`k^|^{U_wnM3zH9sR2Dt!|W>52O`qOk4P#T?Lqj$^sh!+_}Tk}9*1l$6RwG`gp|+M z?^Jc8a*nycm+m%9gGKqGnrsdk(GSP?Zupg;p}MSCU;yqRtbwk=>+GLWG%TBrXN$ky zrxU5fVs4hz$WxEsWYxM*2iNyfcy>Xdt@rqG%)~GXY!X@?txbfoS2R_8zo@?P8>Qf; zc_d+he1vd%Yesr0=dnJ$xoi4jL)iFR3weMjGQmv_JD0n;Me%<5tSgY5SvI;UO@JQw zto$u}GjqWoXmSJ`ua^Uu0-i9pE77>D8tG+Va9Jf{_OEerQ!1Tr_a&nWxq+zOx*ZoYdhRWqR!%BRvn2YYO(z{QDNn>Z!>3`(_EGn zMem^}!wl)?UzPH~WN7m`I5&!K&Is&s#(%!d&9|nXfV}NhB?Q~qv?IE)X&{*~km5}l zy6?KanVe+^6!C7v4Dcd5utr2|Q^2DM_8+Sm4H(!Q21gu9M>H!(h~9ATUCqMyLDvbZ z=({p-mo2&mWQaC__~AzVfS6J>^56tOiAi~D2$^dA_%T3@hKk^fa@my;Dado4yrdt> z7U9gIQfP(7v=HZM(5EBnTg>Ag$?o^yzo}{2Rb-n5qn!l$j2J*kut2is6R1{YZ^*q8 zzRv*R7cGup2L-EKQpiUYV~EKVujKu-k!2V{1iOJz3_O_BkC%HUO!d*|EZx#Dn&fA2 zmOd+gMIz@WhG!pdD#6!cWd%s-ZsBCM5IIoeUGd8%Zy@;YY1ygertjf=2^jh!hyI7j;0K z8+-6D&?oHu6Gi?(JBUhZr3zr{mFP)SuA}tnn9e`64buI`_!Rf$k`nRF)oZ<0&V$>H zV8A?Dxit#fRAHxYK41*Zm7G}*nAx3^1ef0;XJJa+EyTHfG129$>P=IbR%6}qQdD(# 
zxrg_8r#nYx@N~1q%T1}HwjoU05p3HiF&gqM@mvC8SWXm8*>?}wMjs3}e18l6ATo_+ zt!}p<3-I*9>nT@ShR1HQmhTS8D1ZmasXTthYFBmZ2udry!4%b2BGz=sDNK|^BjCeX zH4R&7RN*DL(i_uOspTg zm%&AT2uEK%kd7nR0pp?XnV}t@+~_CMtf2z`=*F?G6b7sBumTJ_nf?Zb$4#0CXo>%%jd`lORUk|!cmVH zd)HjlWcaj`l$9#W0eIId)a6BzfgLK+(Lz!F^G68X-?bl(am6`D7ia~#nhWl#Qyy>(!R98_Rh0tQR?hd z2`S&&(jH6;i1xKXd+z`m5m5>ua&r5T14mB z5`vlo2f!PprSTkiewFnYukCdX=X}6`3}lhb=0x4jiJ)^@mifctftotnb4rwU^6D(t zz!rQ$L-F)U{yr$|_r${wi1#>7n*EB{hbA)a?~ zku{g9_J8f>b~lmU$>d#F#qG-iKV%Y?s8#_ZDjc2IN$NMH3nRdQtc`tk(@8cL9IJ-) z8I;pr4*6CKOq$lB8>0BO4xBgB?7Pc?mL)b2eI)j1H!fpulO;HgC^2}lQplj0dHIrz z*H5KOmm?L$UPo%{!U=OKVZ|78|*FCpSSWYaUEjY)kDJJ`^@CYe0fR^uA<)_qtwVW zihV1#V#&CaWP>KO!Bsd43toKux|us`Z}-~j!;!<}Of&T0>%Dw>*(#{2Nzey^|f&HBCi-S2oh8WsEzIqcvLDZU=-cBC(09`-k)^@rE1_4<2RdSyBY6`Nz@ z%}Br7^g=t8omIiPsmbg|CS+}PzLR;Ho49vpRh(rjpE&|40osBiC9pLv!%rALpUvyj z8d{1_fk(pYqnhl*wB31qKI!jmOA6klSO!4fQ>q$}$%GrZVu*D8MmDIgO^$Id(+8wG z7N?`Coc6hG6_a)ORiJzq>B-XUh@mZtdGrvje!@$JmY%DFa!q(8H_*2&dLV7xtc(1a zXx<=p#9at^RSRGd+J73;P31zLPj;uZu<-*pSRQp>w}Y(#6;bq&h?HY_8~VCod)|rT z+U_pFvbTPu%B>rFLAva~ZK+z6I;dqO!1*EHHWhWCQcn_mNhhOxcNYgcNIrDQQ)!9O zd&paU+-?-Iet0h>uVEeAdZ9|!y^droT3w5PO2Li;Afw|1zSRe+zB~J@oL(CKx{RcE z%G2hL+ZVE%0!bK~k)=Og$i-gHK@MGJEz79B+-nwyJ?N7n0X9f__Lvk4fgF2p#StXF zG(T0?9||pgX~_I9L=Z|-5J@XTaTL?xd*5{6i#uYHkFvZ$oVoVz)OO}sua`{SSA|GL zRx>%J4Dsx?dZ~GbUm7clR~i(0vuzj|(N z<%P`w3^vmDlKFY$72ivy-q5B*yhtfPGVnb1Ig~4 zLJ+c=53QslWtx`sG%hGMZ+ElNAR+XqU8}@~z~yRcReIG`$ub$iaI+RuDu)4pMMh58 zSl?$>6swVg3_+Mh|0Q7E&Z^XO{L=WH=e$Zho`3CdC>K}wi5j3(;m2t4G@vuMgFZ}Y zv=S5>yn=F|0Ec<%`xTS%pmKw$Qh*$O6@Y>tiDLVRw1ZYmroK)eqy%~ySJ?(fTgqa;FqTO*G?3ZnVCS5f}5+90Y*zW^|o0% z3jp=`1?Lc=pCmddSJS|{<^NH|&W&>}R5J#8Dp_())!5th$96A>+k5 zRcNThlx%8D30#_F3ekV1EKa`!!bNFYjK13ig>tp4yK3KFbY|_qXe0P*zS{6n{<3r( zbuU>v-n`OieDGA|j2pCgGME|#5@#%JMn6BXSG(^BbUgT+NWt$PZn``TC6!)-E_?Jw z!(t_9Qb@gq^oQv=!|A)s`Xby`3}6?kk4)QoeD`6-&KnJy+c5u(Sx?{2>GxJSO>o87 zKXc7GTyz5f@J?&*Ix$lBN(7HzkqZpo0ffLkN=#_+d+Tu}vo>Ra0VPSsna3zL3*!tn 
zQrjZJ6*LINwR@$f|2M%%?$1-$6aWq}oKp+R681%VJ7sjAJsG`6y-3b59&d+MxgI*R zq=Ddh&M#5$Q{2fMHe-`LfU+sEQ9GKRp$_H&vRs`VLPay@pxqsD(#!gEKi55o>U%tq zH*A1n;{0}TA3-s5uM9iG+>quo>f>;42}0K3yFn&Bf{O-nqI3S`W4uXTn%+5FU7AYv z;A%dum^;WkQQ-ZytB>`@YYJzGw|6_UE|%=cKs0E%g1`{g;q2xZMGr_m=`rSMKf&4u+~E5P|xi zj4(Z(3D$c$=8_r%UWOBDzL->KXSNVF2s!~AK(}q{<5+!0AB2UnDAkn!BkBcf+u`Q_ zv>5x4Az~ziToNA>{Gj)M$m!1qtU05G{EtF2{Hc!Dr~hk^2HeRp9$~e9 zNgA`Ofw^ElXkAWXXlGv~jx&6I=M5EcV#Io5v;07T5MSyzIdM_7DOqe_;(nj z`@KWR8ttKKXN34>rB1Vv384Qg`{DHn{fQ>d_j~g@80d~o{4h?-Eq?DJ$Z)H+`g8#V z?iMv_xz-&O6E9&87;i8>Ps&7UdX@OKH=;&?Ze{yv5E1lHBdschD@0ulR+HEr#l`4drT&FdR!$kBKKcm>`U$4%th7{PjF z!^c{)3dY^V}_=BYrDPfkbpST&F17X9by5iR*v+E+7VX4Z~A4L9qwa5E`jW z)si{nqUTD6FY~ssuL?$9@|OjWQAsY+)4V~AD~nKmf*uPVfhCUTH4WP15gfR`(w@=z ze>(C^ttJUC2QT_;v;|4rf~PQ6_hdZ0inM;g?{fO^HR=5>$mc53TIi|apc?2LH0zZn z2-}Mbf)MotkZLx+{ABq1(7um6hrOk-S~rYZJMHsZ91&-hC6FNw^McfsbZP)qDERQ` zJ}qf$-%1f|g8IuMBMW7baNgN|3`WFznc-3=)Z_B*o$ zWlk9HD}fFtterNZ`MHeguWTa|8ZEaGb<;+w8sgkZVYFBLlpLkYL;DJ0fIo z;!$fIcEorUmxi*4-0-4wXSssN%5`=HHy&c4As7ck(dlT(x11Q!t8x|V$N_U82tC=l zmD8QRRgDselJ>Q{PJ)*1Vx3g14((5kv}9xwp3+QL=?u>~@cz5D5fi6@$;jhps|MjY zhc4bsh3}+zLwcg#9uMFyOpuk^pcZU0f(u2tA2fR}n{&pG41!66^72X;8*czk-6$8G z<0mvj{!Iq}sv}fIw_ACBRGufXES=ZdZ&0|TM6POrH%F;&Y43tI z<%OOWQ{PatW_N@1Q8D-v7lbO>G7m@KrOZ0X(%?>m(7(w9XKz11Kqj-%|9Ls{b|Zm+ z%!*a{ob+l7AyzGqZHgHx!}9dMqi$vZul#E^(Uf?n16F=e7Nweg1}~H*0}x{$)hUSK z@DL7{dRbqkePeLD1AL5sjKiKMpP=L%Oo+9;rP|^sct=O%EnT_MR^j~ncA02^e8MzS zc%z0y7)KwL&okr3`zjsM`-_TZ8p85SIwMmZpEKbcZb}c(&^Jgqh@^=8d>*4}`jmI# z`G8JwZy7=|v1%GUTW7%&rS0aniLf#MzA^Jdkd@?QbuyM`AL$R|ugQIc4IZCD6^d^8sf9iPL2nlkVUd+GT30(#Z1NSv!OyQv_U zch4@p@@yz3ko-hukCme1Ho0-7#eoqp_qek`TxJ-pF5hFgDPO3_5_H<%q+qNzN|0k2 z&+~_1+I}gy$@qlrCMa3n5k91wj4v>ZD>K&#ajes63roV?+j54om{`7Msx$G#YJR5k z^G7f-k+$kIA3GJGU*^;+zS{k4tOj>=bh);JWf|~t+$m7n?oVf2f8n)=YL#jS4Yca|dU6V+Fao1r0{IuzGBXtT|VEJPWnW%s^(*58yb;Xi#bXxC7O zk9Exube!Wwbb)^Y;1Rofn3)*oKQTaM`ax(b9h+J9>YNTaMjFer5tTV}o+KS$Qkm{=))(ZM#$T5Z^T#nCOzLHW4#I+)3%z25gxDeRj-vR 
zc2YB-kLv)bt(^-eA?hDwR!7EY8yxoGn?O>WEhah>(yuEW?W)XYt`2etQA&h}Gj&gO z@zQp`Z?k*!BzJvnmpL_UiJDcqp`jVtjJ7CGv^0LOZ*w*{9p->YME|8M5d->6zAEg| z=l&KQ%XNx=)x4`u_DCD+*iOjU3gJ1XYcl^5&-@@>7<5?-8dzGGxkXt)f!P)JsDutN z^2Vy46q|~Q z+$ip+e*V_8LkZeMaOd1YPP*vP);Ps3U~TE9M^4TWUtj~dF22~Uf=6LS;qcJH2Egrv znw~s(iyv@SeDv|b8;8z6C`A+NjUJFg;2I-j8YWGY_-`rub4Q&m`pkSvv>M*a%SeIo zo0$npiy};nR%7!lqe?RN-{;6g%F-W{W6HBS-Z%9ord>0=qp5Car8=Q5b%TsEe=eSh z-tbU0(=^kDjC4QkP%8r#2>k@>Ool?xxJvhrsOF6|{NRI`X3RbLu_41-72O1n--y`V z5w4n@qphhA!d*37uj-OR+6VDJEG!7FBl?bQbV&`Z#bJkfl;VN1^66E*L}Wp4`bD1= zdk1Vu6sv>rQGCnlPQEEdWtpBqN@g$Z``_W+DR&29bjz+q!fgDaUjcnv+o0h+%B z->JOw8N3{pubNLna~w>_)5Xb#lz=T_t2AuLztZ@y!bnSm6z6Zok|V3(r@lbmxa4mZ z1}|Mw>oJ)1zXN0WN{Lm%P4M^*zLn)8GAvddj61G)|Gdl}s1pasL!OmP7*7ktZ7wLE zA(*{55@X1oJwYVoKhgXu&HV@wwW5UYXKFCIwxowOf7ne|r&^951;?JsIBJ7p@8opu zmRx>Ko+2ks{o_clLx=yG#SZS(CbMVbVaIK3;7AysWcF@8aZ`xdqz*~RkUMtgVD=H@Q8(9SWu^2u zb`a8dDq6#PXPuee_#yFY8)>eaFM;)VVGu5ciICs!&GZCuz(cvU&;NoD$@C_sjF5WF z{O7gma&!cdzCi4AN4XUzY$LM-WBP6l7ZZ52H1aY2!|YFR`V7PL3vjUFhLSB=W(F*V z&bdbGyBTMHqX6P~o#bXmRkDwwD!}i1Cm9D>jn^tuy$j6o#@~z#LSIHe4ci;-*3^ssn98&3x#4Sx4pm~NdE~>Ae2I>OY^^S80bnI?P90eD02-f*N1nNGF8sGGQngrMY^Uu=a|4(_NP~g4ofI#{QHXby`P|O zd2-Jr<)}e7Z9q%q1Cv(Ykl9ZoGr#aud^& z3ck}J5M(pX6m0iaWpR?pJSjIJQ+*GeWM-1B4a1=o*fb|WL~s)uXw(HK2`;lZ&>63` zxjR?no)OI7nK6z6LZmF1@i)z9{lF5A;43296yLIJa(4O`l zBlI2@11d!4DdrY#pcy{**0sM>^?5!M?VR@vSZ9#ysVCDW3_P)~BWTHu1qm7;Thl1@80@)|b z)`Gp#`%{W@B|V2R1JG(4b14vG5eB@zzwZNikaVW72wp@_+4kS*GX2n%6vY$_Vw=_A z$a-@T3YGBbLr~^jLlzjDPYqnE464ZAA7))MDGzMCu5if>aes+o71ALwXiBuK`TbuY z0VnE4{+xkh_7nTi}gQoM6}kREJzz^A1w(@Q-1! 
zl~_tG+d%%pmoFdcg0Q+RXIcW@m{ZC|-8b$@rYURtGHqtMlqu5p1UQm606X;7u!ZXc z%-fKQcWgKo3kR8NdB%L|I0WQ!^Zc!6TLapj&SrP`*xHW1Lf+6XxzN<%h0GwU-d+`K z=-p8O)Uk374#@+Q-GFZOl$@XoI;8}5;GYvy4x<}@d9Z53JW~;FlsB+B7Yezu7s_J8~2?Ngw?@ z{#i0L4Rg%;^nQj9B(+Iw&Rr!E-S=!PbSZOZ=ur34y8Lj^QL9C3m2+z~V_1h|mmd8L zT@V%#lTP!whOiRv9jthpEFU1sgU5=TEtUaeb8a;if^6)hR871KA%MPkrf5VvZzkOw zYXiVpoW(?MBmQ+be~6BJMt7EFA0OBw-MG?Rt`#il1m+eW3PHddJmlG7usw&owWq#Q z6W1J-A(P=YIG(Jd~1V(m_bjtG+7@ZXY)AiwiN*V z&bji!d^2^UseyJEQg^6JC=K`^{z~r*E~0SH1MJUeS`2LcYk&SPujo1OhcUkL-RR0a z`pXM;%-vUQWN%UZOGe))K-LNHWqPNTY5I%Q_&+`&M9tU){pGe=d)rh`%x2sIr6SC1xFc@zGc`Pt(l8F^=WE@R&Kf6lmeB~8gh)uY9g-fz! zk3!_r{4b0s091+K=vYnR1@m3@!aUsSH&+)kk^!v0 z*KPWsWEzFU>CmySiKrGdE!V0s-Fkl5;Cj~F$`kmdFzO&ryPu3Q0__Rs0YgM+Ey|d^ zlH5tz}6fm}twp#P*6<+>xJPdY~<7Q^X29$3`;U!LLl)QvA# zXKDTcsv-KL7pXRJ_doB2N(iX+%UEuwL({%@LE5cO_GMm0mj1YGOQmsMs`nxyG zQD_qoqgk7MV2hv;KRY2u*<9jUs6ztd&Ff+EY1b^bK7e*>DD{5{|G2NS{sHF{BO*;; zfGr?;m$6B&U7L7~*Y5c-8WnysO!YW;ZB}|?tp!$+g=ysw5=V>KoYO5`v3iA@9+-J#qC3wbnJ3Nkb6DfteHn6WJLH|@P%{Rr)25_m*AyFVkm+(MiMl2 z63Ug_C7x{$|DRZfV5_8OHSLDIHDnpDT+X0lHsz@V^G#brsQOk#i8Tf2T$^nSVNQ)% zi$3Hrco)9RZkg=5o8`@ier`jpevEofkEpdW7jRZ$9_GPiv<2;6$L?yS0>uDU(L=;m ztvjtkS`_-}W8t68xy5OtT@f`^;@HAg8E>&V2x1P?F9_fmjJa}{wsQGaXa6#vVj>RL zK|D$)KU~0$&AIC03VIAyZ`_8ivB7$Wd?a>$LAg^pE8=}~a#NgNWec>D-FyKAXs`49 z{BZ+s6O}s^KQ9Y;Gr>Gsy}pmB#sz>BFpi0Zti{S~i(?bc6ej#Hld&L7th{P{SpWHW zsd=BL#Q1R&XYsrHLV=#O31TQZWj8el=CQptq#*UgHGj}%_?t<=H5JW)(u}#90<(1$ zOwAmRSG#);G@)iAP#!Hi$SUUS!35H-y4z~Upkz;Io;9o^l=R74D~fzfht35q_#8=b zi^4cFZh6F~8*aliQ^Rur*R*=P-`v<)nCGoxVBs>T3E<~4W_$81c0u$a{MG~Ra}5KqMIuG=3` zTCoHX4ijd-unz6mdh?Nq#!rd7c%Y67kQNI=303 z9_@v7Hgo8^0G*rV&a!zBy^U%!;;Nc81!MRVR(ak>$=~Qj4ua$ayTPX}czXJ0O(28m9T9CU8j( zirOSxo6Hr{ag!AR6(&GR~7~*={aQ z95PV*-$FV^@L@&A3 z+vd=|jLl4~dcTMDQKrQYhfvYnSmd|QjFJ)GqlqLX1cOLss{+l$P%MlbeJS#Kh}&)` zgS)3N`g-}AX!=gMIe1_%LZMssA0`*Wusbfd)&A^+uw#5nh9oflS(0D?_TNp>nG{NX z90rL4YZWko$L@X67F>~jy!`pu2sWzrex}}peRdrqZzRjZOrpHic8(0~)9=QV2sODy z#|i2>^yBR6sSP9xJlXEyKX4j&=l*K|Cxo8a^sMPGh8*gGW~6Q{-bN98 
zo=~p_BQ%j)g=hw9jNv_MjB=s{vUyUP_AV9{;_PDx4tSAS7>=%YKE*C%p|$kEW7m_u zM2kye94eV7!ro@@F%Cw?xZmyuv$~nl0o2UxruUz8?h3eNVGmcnbuZFA?swZP#;L3V zwPuLs9%4pjnTetHKidg(%0=iFwT+PltL{6*Rl~Orf zcIla+a~OUw=l8(sPjgeE(^T^Q4cY5Z)iX(mMouj_N z>LtAW5N_`LWhXP<;2ZN~@`qPY?Di+|JC3YSOpr!JEz&uv+>iM=|5e|#TXxEQNb}3m ztDXJCRVWxy0yK;Ps{r*r-vi|X`~%!CH9&89LmwO*vu|XP(81Uq0ZDs`t15dLG_l%( z!Idrn9yzNZtZoJ@;>O~sthehJBj8L3DPlc7Lre0=Ni&zBR2Fv-E*Sh}Sq8|NQ4}$# z=hV#|qVz2Gg`ESw=Av=RJ3m`siFcZ``9<|x4g~O-_QAa>uR(eh&=HE=?5xtEj4}N@ znGYKn;|-h0)O`_1xG)mmEkn3#_9Q!pkK(-4OV(5`lU1=LWXCw&GO56l;*lxQbE7dz zjL)rzpMqtD7*Ud?Z8SuCgAuBP6>MJ`E*glql*t7#fZM5@l8(dlm?NXkWh9F!l?<{p z^Qj_sD=AiuB3d9#>G-MgD1Q3B$V1D_p%?TT_&O-6V928Ac?95_>4hANUVV;yV-s{E z9wJ=hy)i4Ax=0Q5qZF>`F97*Kh<)K_O2x5~6o`nd%Rs+CvMYm4$U62zCS&#+e_t_h zfaBF6A4O4s-~&NR&a+|TsrcsTzG_?IVfaJ=D6%LOOrb((W`j()X2b7@#xbhHPPL5u zM9b0z+Za!P4ioYW+&q78%vC7C^j8vf7wl)U&&yUU8n5Ta5Ws{Gr_|KSLv=taEzkIy z8JAi}8-n*X|F;i9?72ru#>CyFC%9{{7h$E~Fy=2R}DV^;F8Wp&ARDi)pW@&#OvuVyc)2#6lYOVm2xa$4gZBGZJ|q7H3U;~C-O&aR!rz_U3CP3>VMu}v z7E$y|#5$A|Op*oj1hIt*xh=9+(0`>v0vK0&d9bdqoJI_FpQHm^J@9q)wU_q@bMWxu zSqqW`&l$1f)(6jFmb5vfqla2m41yy6O34O8vS#OZu@pr%Cqd3(CyuKw?&hCusK~-Z zQEtZU2`EbZ64N0p*3(U_hwx(|$)tgGfo7_nh)|-SU6fn!E`rqO_KSzJ7nEL6GhFFk zF%~?F>PuJ2Fg*%pHo1I})sMLX2dQJCHv#y~J@K64Td|DU>>OBhBgDR?R0=LW;Q>}I zQT`J$LBc6pEoi{vltxjci^#nMS{6nj)&3;MK#=G2nGNHzrOV#zgtB0Qq#?bxfx`en zD?!=A^KrD+;ka?5CjriRZh!xcc9V-ucUdgKQYg6E*c>^h7Sy`q!n z3Phk7bIEOnunIcaQpmHwmmrHB`9~DZ*yll~uNAkdGN;~2cRCFwASPz#FU4_vfy_#$ zp*Gu!0@o4Sy~R@-5$41W#~jujb|8Eg$YTn%UPChlW^sNqGt|JX@(s&=49g#Y0GTlx z>FVm+y}XPrkd#7f2u*oU-P#UPky_16f0^KVPu(I-({1=X(?z-r8S)1qRO-*MCzk+F z=h6qH4Moc8oIz$-psq7;A+1n`NXT)q>84eW-akQVoNK7*$qv_-qzq!f?SbQdDLuI~ zY=ziLD6t*i8O5i|1z5D%S<^NXNS=I}G&@0v7>pTWZMKwV>(lq<7}=;In}bc^l(7ua zkcyzqW4IL~mlZG=(xr9)=~O1oAEy+3@=rdCinYMhYR*bJwZTGvJ_DV9eq%w$qA3UU z#s4z}%1Ke8CaKNCGvA$Pv3*@3IaY2qPbGd3IS zd{+NrfFF8R`>_*Y4D;xS1gGf^mYr|UGhkm}>SzX7UXlGr2LSRSNU@c`P67yTBG}Pv zBus=b__+Xw_p&`Mc!mvinaEy^dPvZ=)B5S9C6L#~`yKiG>qe#~fhbGNRJkK&KSCzP 
zsm(P{0DGv5_Ru9zg5}22e1F0E005 zU;%6nz@RZn#}v``4d@VUI$m}Oe;CY(aDkBB&fW~NBmFTu(wVUjK`X3XAVk4WFXM3W z!xsr*!=I57=a=r^%U4%W*b%skXV)M|u!52*z#`;J_==N(!z>gCnIercphnnjSiw*O zII7Dkkh2rTIdPvaZT+SnLYTU2S%Z#GVt$q*w7^EQT>StQrBiQ3r%1@p$1#p{x<|XX z8MF44nk0Z02x6BRJ8S0!_?ry~s3`BDNsllb$=*D0A_(rvQ;$Uu{44#6PW?g>zV*S< z2N#oS!QcA#4dfa-peK&W;B`+fyZG?Z_&AV37V!b@bYdj)q6F;n&3#3|b@#1gtuFG~ zWYt2qU&A zwG06R=h;_2dEp>`3?e9NA;Iv40R`F^7cj7jbA{cv-}xE+E~Cr}e-jX&#zD(~PJ#p^ z4jZm3kUD~&dIAw51w>>p!|M%@2#VCT6$dZs48D600_Y$hgUrIL_%azm5O0P$ML9GU zz(9@zK0wI1Q{prSfGmtTNn0q&WGuNkxVaOwD0HXygWH@h7L)^H8(*+JOkZr+@@Jp| zx13^+U@kmpVs)cP6C}n;PssetFtFl51xOxbpUSS*LrdO?a7FNwG~Y~J(jCPG68AcE zpiK_&q5}j3iq`~A71%5nz(Gfe7#OcILpYsmSRDs12?2(hcVnrl3Ja7`Wc7F;vGGh6 z`uND$O;4AvC?4QggARXO{&7JAW(=Iq-cr!A$tZx8r+Sc{0!awTb~R&84!296f;J3D z=q3*pGn*BqAQN5{=*eL*iZ!UYYKqF*OjU%E)j1}0V4p#uemn^yo!$7MluWkCVC z`V5ta=6}Ukq@&1UY%42dw|PK+sd ztWbjy@>*b%lyr@`v&Dx8YHcNRQMkjk3r{4O#tZ>as3XMwfB{Pf3d&3pW46vIHrRFS z%lI*rx%2k`nA|n0P77;wl;$8dSOIa)451rq36exdf+TIw$N=2gGh_A;mc_`JYarZe zu0n^F0SagZz;0!g@9&qM4~koU8yYJ0lX^=Hep6KQ{b~^ly@`pPCJPPJ`JZlGBdYq8 zdPT+~jH?U_NE9VmaA5wMbq|*^0xp{_rYf*;)U%rE)SAW7`Yq7f!Mb^;R+PU6xu{x2 zNiZQiCh_Z94%=0DBz>Dh)W_9fp)POg-i1BR_qOdub2m)JVFx(g$Uj6s8>B#z^J9PD zPBL`Wr%j?9Oe+so1V?>`ii!kcm=JZ*Wa-km17pD_0h!-{}0K|GWVCWs!?&CgO?L|ydWu@s0k-KMn$+bfaZ z1AbxL{Z4^boV@siPGxtJMk4 z(Y{39!Lxh)-%LSZ9T6JviL3lGBPcLLMxZe#fE6bR7mO3i=2*~$cfw}@4LG@LChywH z)B8N9oQpsv_vo1WtLnQD1OgobcC>cF$Pn%=wO7Q545&8<(=Dm9f>()Qfg!|Zl4c92 zaGQOx&vYMggFzC%@Tku&?>&JI&6un8msUm^l8=uVROKX%mj%3Y(kJTbW+(5i&JWdb z_-X)*<)iLbVF@gWF5U)Dl-a^wxadw9ys&oN1D%e~?FuT!u?s5DfQ}#@p_&?w3^+E% zx_^1>Xq;hDs0J|GaouW+38;O5d{_uUPCXgczuKGNAvmrQsP;O!`TB?cMhN2qBwuwE z?ma<30KW_YEp5p_arHLP!x37!Uve00065E(qXgB0LOH;^ar+ z1^n|;rpf-9yu!&Xz|VX+;TuEB6?0#D)4?a)&v!l?A+J}S4Sd5*uIx{CnL1gx!>?O;5;je)D5TvdpZ(TuLgL`coP%dV z1bmd9(?a2D`@9@*_Sy*}?&A1S&XIamOtU-Hjd_Q#8)5iKiL~IPaiK@KWc?fT1;rUl zqH72BQz~akH@#y8{fY`?Cq;S@tn{_ctj6oXSt~&zrOCDY#WX{2A2e+Th`bk}+ThlaHM$^E7Qe%}yEV@fqEy`s0T 
zL_P9Skj8vkJAc$_&abYz1X_Wpv6Xu!uFohk$GbVYT3ftS$>))_zz7pbrGBkSk{r{^ z?TT9;h5X?)f>@l@Qt09Z|Jue&%<2Q7z(_!>EgBnZnghInuFXwE@i66A`_8{SHkACF z1Ja|?_S@hmjtc>p6~9Cm{r4@xl@#N;c0GPJEUIc!=e6N5;ij;|%twD0V_Wv`AEl@e z!a@Y*4Y>iu2gr8AY=KbTCXEGrscecqTm#r~{7YFQgg4YOH?$hhL z>^$Z)?BfIDlC=hiB7)AJUW(%IsDbQNoB@RTT#Og4VtK^w?9v?g6Z^bEei#Z_kyD|dvZIV3LY zl=hB08R;ZJPRO>(GS|MqsC3k^hA##6l5JDgxTf zX7@uQd^EiL8av$B*@brgdxTtQn@CjuFp4}2nKQkqQi0;||i z2yfuX;;BDRc%TDv$cX??K(N2;$Pys{xOWGxcb`_4^NUWp(!1KAHUn@3WZ7?n;e(l! ze%(iM7h?_72{$7|qT-Y1HzcH=GUP?f4djZ{*P2+6bT@vR6s1vrrX||#c?lXgt=6$a z@h&*3;h3DDH+MI~i4+M&322z4(dW5?WFV-uf`s-WtfPsD!RYbga(*5`d63z2zKq_c z+Gb(NQ59%EGGV=@sJ3EkIU&gJEDkHcz;b!c$3G3k(0_t{YD%PW)&Wj1&XxN4q!=vG zp9WiqA3-~L%UKZY5}oh(2#<)1H9$>DBuErLiHHN6iyOE^p{@x7+AVZ6T>B8pMeBw* zwt#z4P)Fmt1jKBY&}up48*c_c49xVc!0TNX0DH01i_-b1(}~{>#@h}GNhNV8kum$8 z{=;Qx!qu*NwI^t%NLFa1sK@!M=sYg1QIsNSPHiW-&OD!q`irt0cdUG^(q~a?b9xTbtMsXYw)ri zOL)+7Np@lfECLKQ%Y=`^>&8q?Lq#Z<(EqWgj(FRIeK_%z!t@m#QU?&1Q_a7vS`)e* zaViJY3NEhH7NBL>hA&I85*O$m6%-BGD|uLOveU_}^cT{eY(OMcqjCGW!_V7tNM#LX z8ea-?xMKjke1FYwCNkItvMzkLcaGR3Udg&Bw8$k;o=sTsFrE)jR8&i<|5niV*ZyyK z;G3O7P|}C8@)n}Gzn}S`nnNAv#cNmROiBjG9xHt+clT*#rSZ^2SuGtiUB2lU+;8|z z8F#B_rj-k5z{<0y}R0Oqy%i2I_vl75&Msm#f^!i-;S z!{K^9aPo{E<4Uj0QikxtpZ3%EIZT=Xg3MiXwj9{_nG8EVW<&;m><BK- z_kQSBVL-f>C8Ools^IkoM(jm08h#kfd--M zHohN)XLBhTQx{@*v1`6z^NJY%%0u~Gu!u6j$!RDu3^re8fxzBo+XL6ArdLGP88b3Q z)iWi;B%mv0^p#mso*X;-h$4(c17^Y%f9Nj&w#7}}|I4d@LC_LKb+GDO7)y!qMu&Hm zl9?h7f^K6XG0baB-v!+&a!;Rb`)Y0Lf(K4LCmI2Cu9$R*pw+}|&Q0!x0MOt|nvdaF z=iF8lgE^Is?pt#7OKPf*KOGL6 z?}A{CgdylnNn%4p4)#1dw2nZ$AhyTn{JR9b5&`13J!3#B9$3SIyu7W(ohW}~As~lG zMmI7IPg(KAxft}()^vpWlJb55ya9p*Sb0sLnT z;i?7X9rI@ZEy|~yZ5icKMyFW}azB^ENcY@{T4l1m-HQ$- zaer&faa8#41TT$?Y{_5cm}|_sYIq;yCsk`DsvzUjbVu5L4i+kT0>+x>Kmo^HqI@=# z141->i_`PMU zK~C@)Pbit#oG~`=OOyxg5z8e_7Jn*cjj$W@<0Pp~+?t`E{=%+!l#jyXV0XA)pYqZv z8Cf4|Y@?x5Ds3IJ^QKDp_SUA?;8L>G7%uUuZ-gNoRz{mWM-j87x=vEW3m)>JXu>Mv z88sPDG;)yNpn#k}CmxuK6KU8AYbPNj>KvVmi*`Pv-`G_!DFL~J1zuA5U^B#~dF#n=$BCcz4c5#8 
z`1b=Qhd8vo3(rcPgQXk7F1HQsNdQ5s^yy)}NBi^4s)R_RMXK@d=5i5XJB_wP>x@ln zDeB=zmYJ~&=r)QE-fMe4FY1_Yn)a`VAy_qYR^d*Bm2p;wKjoeA7%EPdfuTn)F(}gH z$PX4a)3qx20ir}r9@yA-j1rqFsvo0&zxwwdkNto7-`{&rQXO9=7#lvy`D!*zqAZoM zvxY?muuyNW4alSSgo}G6?&GAMF)SUb0vg0IkQ{PR1%N|HZH#+WmZH%fQD;y&_#rQX zDX&&RGt_Th-@w+D_Hf=`SLV~fALqbaJ4Ct<6^}nI!EdP91uGBzDl=SC{JLjs%G8z5 zXPMdC_Z?X87u0N?0ocU7vU76IRF+f!^3H{K7RXjUmWdHPG|y?6S*|@g2h6*CC6P{P zFM;PEKVLLkeuAtI#CdeutAC1(nW>fUwBP%IjUJC%3(c^xAnCEQy;%~73&8^;V56R< zq(3=>?g`>O8P}e6l+Prh*1_KXEkgN5?;fxHJcZOIdd0`##c7!vm_s*#9OnpD3oK)r zFV;n-D3E1h|183s<<2~I;+Nc9b+KR#4r7b+_~lRZ>tI{)N}-{P)3eR+W3(LP!S$Os z^VSc!^pJ^h#tn-pt3C7Hao@MLuqhf06mWDFB^V7EDvsMDpe~RorN@mN54PJ|lhS<_ zc@)oD0X*{orw}8a*Ml*slKg4NJjzi-)4oY(V}nV}YS{XPfw_50+!D|TyH>PUTrW~2 zX(gnR7NMlZ_$ylfMwyIO0|i?KPnn5SfHF_qPq+O#D=j`j#1WTAJ0F+HRJ5RUMP$pB zuF4Gqz(Gt*bHNpx%fI^q05KBaSbIQn*~HK2nH15us#-O#AK)?A?9*=FUi}YgHHaK_ z`SYrJ04vw>C`%v}pYxdv5No_yaq?c-hi+N&G&Do+u~4w4Z{RW{O0?-Vk7lFCBklA< zVdAc5bx|s=Zc-2hf@?ZWi~IE@v5cA5;raZ2#d=h>{pP>+2C{*PRL^wqHRY9@L?rgo zXMTbbhr7uQuQu^TmgmHq2qja`Qd8ipKagPG)qq|l`!yGWl;nBP~p6n%&5yvy~T_tvg_#a z@pb}c?0KDU5kM#qC4BqXtJXRCwvHcJ{AHlJwOA!5OJ8gGx)dogOI`xhk3xu*E8Hxw z;Z){vRphR=5|!8}uNZQjAwnSTgbu3XdH*A$*6c8J5@bfZX^j|8rp1fSrE3IQ z!wAR!=tuoW_kPx9(Kx2m(!}rOy(9#T;Tv3qlb@5a3Y5#hrssl9RF9kYA?QH1`T;I4 z4gOU8lIk=)wm4VxWAI5m=&)Bso)*`g_-L|ZOk&Dx5%gNn4IDr>rKFM6kA!A_c1mfZd#Qx>guo?z*VuEFR~j;zpd`94 z1s15&G|Mb&xSHR^-rRT=J%T3waOvI}CBJ4yb8V1T0(tRm(ij39<25JS*XC-+N>FlG zg;wE80r{1Dzn_|q>w8DkW$(}XqiJ##74_-B?J>_Z|87V)LMEPT-?p{w3js_0s0J-J zV!k-%av-iyb#gZ>HG9``IiQP1#0ffb_{-W;x9tnFz-2cpQ|4c2NBP~LKmhRpklg5u%_xf1p5{_{K`LR|fqc zYBZeI%d$vH&WckUlfpnjJlpOX&dW||`+CqX8>$RDcGoQ@N5JTAtZ<^E%!1*}$IU<) z^ZE((s8|>(AZ|A7yH*BX;9^T~spM4zi ze9(_x7&th?hb1KMXPxj6H&<5n45P}UJMgp`Y>+EDg9o6rC=WO98V2`Q(PwsG@KC^n z@y4q#@m#M879D_s9wq3EWDO^0-RbiH{LrRhL&P;020+Q=eWzUpTcu45gt7s!$h|Nh z1BIyIQre_q!+IHGtaJ-fF32vlkjWj=-oZ~04XSfF!_Ts_%A0=iG~pqum2q!MWV@6b zp*5R8el#*xa=wRx}Rxt%higk*#Hl*7nLjOEXHJ=88j3VHuy_I=d-s8=$Ffh 
z^p1$hlxTuHIpiJ)HelLqJh?sQ2|^^sG4!Y7HI(Hi+(Lm8MC(`LAr4cemH_ml-iv`#khsIdhj}@37S63hv}OWnft?kz1#QU(-mk zAT@CnxpSfv&aEY%9!Fw=oRNbl_-X|IxIpeNB{179xelI}Tl21hCfnrdusqQhh7WKM zNj6C?Dx>gaK>HR z)ajce4>4;L!0&99$kl!D$c0(9PU@91a zdU2gLBs6zo>oEGZ-luN7v7q(Ogu!55`dsDPxB4d2uGQZA1U>NMyy;PQeNgN^nh*Ba ze8qQ#sLKH_%V9WxPlw~fwz&{jH7ZQ_`Q%}{ABRLr<9#Y>65UibPLy{v(6 z)|mA%U`E@h)z%`0p`|9iGn-u>E6&o5smVT5+@n305ALwj0eh^{@KR%bQkMGdq4fNg z7Ku_vhxowlrgQDaj#BLH37AOdAZktxz=LP;MQqM)h0afFL)>_|XW~W$yKKK$9}SP+ z7*wybQgZC*Ux*S$`2`Ow-RjQyn5oE#VCNmZgNm2($;!x-GbQw(eg1)- zQ~|PPGU1YplIet>HcR~*3YH_YOZxY;#cNp^O&ABIYam=;B9Tm~H}#AT-FHTT z${P8y4MBDz00malo)hzG;{5T7)_=(b4Dss*|FwK6fLYlGb`+tWd+77Wq8dCQ5)=bM z_#1636X(PXgcl9xWK*HJBvT}q&i-5)XNLk735?-bT#I$L3H_s+y0bRba&5FXsPpxy z0lO|KwHe_+ip19%7bCq5WnQmBW`xBHwQ5)dy31XpyG{6U_{s`oTKM;i|2eK9_*^zg z#`M{@a_(=_luhr};H#ekTl83TE-WeW06Z~`3+m0XcnkL_$YmJ-^X@mPPh1|qATE`X zZBQKGf@Q*^dxMgBxjlBG$W&EojA#=#rr7TC&D!kNo;ON z2b`7sdfW=LR239Ye%A4EtWAU=i`7ccATxM8bQ)Mu`V^k##{yfCKhk8k5*p;z@D}=z zMPjAHe|VLpfImswfn-qZTnr)4Qx!hg1Oea|o#TZQ;Z59+g$7V6gXSD->%&B+&k5ww zphq@a<}e^{22w<^YwP7(8HH#SswrFp)9_k0sa4sG*;c(UCI`RooM3-~zQ`O)<~t`n zJUIzCrH;l2q7GZVMhnqcPI(JjUPNJ7em;P~ze)%6$uOQK%wQ&V6`_lpfMPSZq};pS zL5f4^7d)TL)i03#DP#a)K`1sO*FvtfNO8lx9+A4;z*3~%Q|0(Y%eIj^E|b*1)Ay?i z7vjTm==xLisI!}j@qUNYFAcTOTn4}Zwn?UtF;=Qqa08i5>qTKN53G?2{QiOaygL+Uhycdm90BrWwN zfwL!_Rw@NcNqBTU)3e`o_O8jbLvef+wABFnRp6u(IvJ8ohSf~~S6u@sc&+yHj%TJ- z4`(;feA+)vF=e!gP}-}!#RtQ?Fs>RTw->8TZ*zM#;kPkr)?TICKGy#ach{Z_79#d< zbd1obUN^dQUKAi`cvwaeq-(dJ>cz4Skv;|429@A=(?tG_STuLTMYjxG=&-d}?BK_+ zz&U8iKpK?1N1x_I>ntZpQBYLY;E>rdm#Ch~8*O%^AQ-?PfDtz)L9H`FD$*UOWYP5D z1^?yqdK@j6AhI3G6G@&W7j9H_DP!73{LH~w(!o!3p=754ex{*;Bs$Ur1779OusA*} zqdr#3sLC(LYi54l&ZQ7EQ4ePZh4&z}zd^Gf-lO9}zRVfzcg(z#A&xROBJS`yAaQXs z97h-DKxLczK8z4X+gZP$o-+{k2Cs-l`t)NrMF})cjC9jLSec=w0VoNeoV(}khoI6% zP;qPz)w6&s-EVo1-=3OnLhz??*E#_bn(;r1n@RTc3GSs?^}3iJm5>;WK9Z;v{X#*E zO%yB0>HYE{s4L&LSd{PRQsq$!90q71^qi^#m=-9Jphxdz2dO1RkC|Cl#P21Odzikx zUslL@I(1itnQ*Lo>M^&uN{vi7(b(x!;cB*e&QQBkIEy6{MGPqfHO{MI^{nu0d6#D} 
zhlu$Rn?3U+&^Ff&8hGG}r;T0EWd(KWkwHH4A+Ic8grX!I9}bK^#U9mw-R)Dko%Dps zVGll{v52iaGGqQz7=|iiJ@iLu3@ULJnqqRAA41AnJJ?DY#*ak^13wz$CBD!^?}l}t zb-gxGryj)mM`!Y%Pmx$tQyo1wDqK`VC^$=d_ZW@_2o6jWzdFDI9hnzWgL7-D?Rx&$ zrAHmtca#g}YWSsM@i7AqXoM*9IOf)E87O`ofRuov+&y}qSQd{ryrZPm2%q-8;dI_0 z5Q^=jt%YteWG>0MC~;;FKxZc$ZGCsnw+BNyWI%$n?r@vKR?P01u7?qv7ri-RzP^_V z|K)+s=H8LxE_saFf6pKOGY^$rv;}}+*w~zRYWvfx_oDSV{=!wb+O{Zy$kvz6)9z7) z#bYMz;-ty!2EL3!Ics&keH+_QI!PJejAZy!Pptq%)BF5kR+eyUnB^pvW&(n~Rw!;2JEE+MG9Zean3wP99lH=!uem*a%Ve%$v+phjK}Y|*>2T^emZ=g`LcnSpsPHq zpu;J3zyabH0DuN9!c!s*Yc@lZk-dz1K{uKFCNcg5bl2l*gKJJmce7hfn>~FZV78)N z-SWM$F(!N`JVZ5ZeyF9+0uw6H6_OGOO^!jhjP_ihXzA9O(LT+VmMu~wOfeB{LG$M? zv@9#b-m3X;wDeVEbS80_72j+FEwfO;IP}MRrR%$<9cNf9$6jvaMeebw0YHB@#DGQn z8@mfnWnp)yXi88~Dz82lCp!yeCe_1CY)>)RM$&3ff|*^s4|3`D`M@p5upym+YHzOK ze30R#DewQ$N4^)?@OmAc5PFZT%9^(Lh*jB3Fsk*C@(R0;`f@?qn%C^}8K6H(b}F2h z#jCLokdw`lutcx0f<5+!9oovgc`(MztW^R%y5VqIZ6_xPjT{Rh5?UN4>D&FPNyYU> z#N%4SR%MHK6!RCW(pPm|TDfx&2rK@EsG&VC-a(mwFsikgX&nhc+^cw+3qZ$_yIv6FuwdML8kk$HvgGlT1}mlw|TZ9a6Dvqxv5c*_UQM)7Ksj z#V?y^R|!AnCU`z0?E3v|_}C5~>D1@pWsp$F9pJIuUTK#QFQn$a`BYlpETUYm)I1tC z?MFAtupX(w-amD7l#%L@`j!EY!Lov9pS>nAHPvr#sElD{qq$9h=b=j-ObN`sRF|1} zryyEPKZOO%&H$@^{2uNB0Yj$o_H&2;1}rd@vUFmC`-nX=_ zA!CMY@aFX@?TR*FI~e!IYWz4K8hjjZc7T;PE73RvK-i0{!{4>K!x^>VBs;FJ{_**t z!Q@J>H7Vdl3>)z8&58lBIb?S4K$Al;18TJy1RjTldF055b>ACeSA-H(0JyJA08qmL z`vS7hjX4`TK=}Z8?}!(pks}$88Fyz3;;G0SdHZ{r;@g~+yojmRMIart_a&*1j=()6 zZ;oT`On?Ce_NPe&Hrdny>(c}Si)<!zkGEZww){R5Wcmu+SVkT-9o~T-16_@q2Zc1-!wcg9J@b`Ql7B*>3 zkeNkK8gk$PT;`jcfCXYD5l?#u8RLIc2*B3Q-#f}P_4fuZQ*et(M>P$X9op#A0nRhk z-P0oTi9sCpfZp=R!2t_YTIxN%e%9{?TM@L#IYqJpP+dF$-38hcN)gEW zMJr?SjW=LREkh_3!UI?b7|hHSx?YYII1tDd+AzY_c_ICZV~ANd)V%<#0v!b*9O?)Q zKe|&C+|l3@jb>1XLkM$@v02IoR%@a2Jn3Ov96!%h+ocwnuW3f(-j?^zkvn?hlOhBq z(E`kP9yT5b4%ml!s!P;CEXg?l{Z-pw2HdKj1-dMfU@CF~;LLm80oYAu@5qe=L^)0whmb~A$w*jrl=nD z(w;3QY4`5vo^zP#dcIi&Gb5YGV6N&NS>TsdU9aKZyoQZdZ3T5w=iNJOy+QLdRtLVi zD;uP6 zyMa?mggjGzsfZvpa4;#qD&((}L!UVnGNAynsxTB1aHD=o*v2Q3;f103$a~ra01adT 
z{AUS20|uBMIA4Z~CjBx*f|$K5=SChzl+DDDBZp$$HN0I0mB{N+t!efM3Vmbp80Kez z#Bz4WzLZRvt~XYPMSu{|Uw(hL6+yP~Arc6T`q5+~0IM7MSy&?AAl^?@RG%RWAh?G$ z?{N;>^ZYSRM4w~#? zS1sZQ@~*p7ao~t>%v(Qht$_~Rx)80r_2$-@@0`~>bm^R(&x2QYbqfoy1otfhqIUCn zx0`@PR}6ym$KfH8yU*WNlrXTwoU)`R;VYttW?!I9P0o__X^fk5ykQlZn%*_U_jVw) z8VDo8gqzacjK2xwE1_SPgXlbx2|*2kw{inoHEJACV}UINvap&o6v%Nv7OPoffgMe3 z6KlW@1rBJIXkrb}QJq?w3S?<(V0SdJSv6=hn+jwtP$R3^<4Pl|)ii)cv&4?;0(nvZ z3oMWgps6B<0Sjc+z|z>N(JWDd2%~C4iRy+D_=Xh-Z1A9CgNGLzl3XI58@Qg$5(ZqG zIktE-bL*{@&B88_ZI+leWgxJjgw}?p)&>HwH4?zWqVXXqDXYc;H4;F8MhyeBvdViZ z$h(L&13V~;n{GW}bBjA}b=jI5L&epUMS?{DW77O2RP7lJF1{?W)=HYhg#*AhA476MF^oh`?>XfmfKy&>BXy+hvEPrS{FsaAZ@O(VMF1g?~;{ygyJp})ffG5(g ztAre6w>5ldKhnn3k1PbAhybt?6p%zX=RN@i)aPDxZHb-HsriAXs{#mv?w&=z@^pnF5-+GoR`F2*^CvS9GsNjZwK zUT_0q30as$_XFA4x(XC_w$!^chi&Tb2k`N;6|e5u@)m~TkB@yMWdExV)-z68shCt?NmgcCu0lnGh4JSpH1W* z-Tv>9{hF;C#;>KzlVY~|l%4OzfVNUfi$ZQ-o|y<`30D{hoYHHPZ43&n2PpOpnDQ2ULL=$#gw8!XddQ9Nme|hE@@5RmGoUN4ps=k4b;X zVq5m+)(=RlJ&ic#9^nL`A}}DWS927My4GtZ%zU6ORyQ#fhZS@>o=H47gN&F z38jN4WWnhTc($u2CVEo%xIfLXsA}S_wauXi$bEkY?B`JtpQb2Tq^@*SqA_&+%gevH zvptUZ3EsIFA3HmWQFUAeKsOcgXi7fCNvn)^jyTAzQ| zewS)7vn2yAJYs#y$JgU8VOFA^l_h7GIN2|t_?1O?p4EpPHGYH}lRa@T?J^XfitTi6 zeDNIvXDw>7b!<>6UyE(C8;K43Xkr_>fJ6SExxhyR6X5f3@>V^o<-MK;-nc^8;s)wf zlsf%v!SIevgvZm#>lg87s&)#yVf<01S-D!;neMZSsCMA&Q%f%030=ANX#CHLL>%e2 zBhC@Q&IUUk-w@7q!ag27H9@#4z%6j+*s3LC}Hs&aC)~yh( zL;2HsOHPN2)#tL4X-0G?!1v@3UwS>z(=l+gA3aY_Q1r8&$o|0XGzq6^6qOcncKL^F zv8IxEUaaMi&~(&NKAc6b2Tu;%WP#V49;NW3%6Se`tD&E-lHu`0j(MM?i{8B9W5~?4 z0UZ2>nFcxWbU}-(jv-0Tv=HVD@t0gt3_9S>ST(Tyf@ODU(ZwrSYcS6-^O;|{yNsU5 zIaP!OQ73*@4m<}f!7u1(mpL~dcW$D4%(nxeoz{lGC6q4&%)0i|Alw6fx;&b@V5vQW zN%3WRUvN<}c-U;??B{NBIxO=@L%bTUAuHM9C%i9p=Z@-Ydjf|%#+OzTlV=MC9B~?LB>kt`?!ZD0H zAGQHHZ{gwF8nHAwVhES_z`=q-4ri5q^QIssXBJohf!zT811O8PuL_XcupUg#nsq=W zQqSPLX6o*<7J#uf)bDHQ3csroL4UMHPPfJ}Kxjnh`}s*>qnUWdbo9j}WnEy~-e*Pu@C8=>w1y zoS-pRt0bLb=K#wek(qu-oa{*Gh#OkMk*5fRTOxm|Q>H6#$tii(l)z@*%q$mP%U5{b zLLq57=Gl>NU3&te4$cl*A~f<5 
zaAy#*a(I}d-=$;c(FfT)q^vPa1p9BLLMLdl8pVyNqtcH^z zg>h^y5T;bPH%k*YLEFQDv^b-VXeXXT{YB4!qFa}<3~-h4e|u>VMfU?QTAW<0G2yWNpjF2sjS^?6AkN#*<8jTV92WiCJ6-y0t9Hb0@vOourK*M-5 zzB#@<&KNY8V66C~7hDw)3J;R~emou63-W5_c7_Q>9Jo{wKdIuzT6MiF4)4`g(m6Kr z`^N5UhnZvsERFq;SZYW|1M)cVF$b`COd4_ecc#F(q5>v`d~O>Brl%_{#gEt)S&V2X{xb+O$eKJVV?lXAuAR) zz--6e3?fbjH8gY_t5D+xvrt_8J=8JXh$hc{1%BL}gyrgG#E4#EvvMMpnxgxe@iArc ztqeR=y}?#mg7zWwf!@fr*p1_9S>V8TS0zsl2ho{_qS!hPCN?>$`S||+T-cluH;7$D z=l@Zf8=fG3M4PZW*KIhcAhH>!|3dlUU zEby@Q!*Gx>wFzq5Tlnq^?DfAac;4*J#rcR|^V zrGB8sn;`tD3@c{J85%r%oct7w^iPWX${4y@M{a4_?r2hdxxcE}UAKrixmYv%*jLi- zK}umR`Pa%hGfgJEccZN}Q|(w5^vRgzZtz&xu%xC2;Y_vV>_j`|7Z`aCHu@8B*}{^{RQ9$-$PGL;!qMkUHiUc=b=Q zQD}+thjm<{r->}oodY9(4Bw+4!=d#Z&p$(m4Y8_JDl#6UMLCj-zD`Z?Q5T0V;CGAcSfSkWfST090YQoeoz2A(Y>- z%{OqOY6eINhrl5NP5_#97nB}^IUu>>xyA9&7U}JYf&yeNczdp4PwQU5Y^0JQo$E{| z?xzIv1v(@pcqq&K{wP$FjqRMFz?zOgO(gCbsw2S5 zMxa!DR)7pb)~BLP{f9xxq5#k!PxWqNOR4E73*6(tZ=cpfrnQUK00l29n?}kPmU4akR{R4uZE*)_-PE>zTpty^-cIIMezQ9XdN!`jF@?ep;1{D)x?bcfYPz|? zcqdF3Oy+FW_4I227v(e84i@_&(Tv|g#eRSagm=#fA3;}Tv;Cb9%e(=|AY#4~5BF7b zc!`;^EU$AWBy4`up7d>CfzX&e93Ax?b`1LhXq(?YsEQxjt=?}58;A1MMp&<7=CafP zyjh$POk%@!Ezri1dn&(s#D`xTG}0DwR_wgT%~db&pP0=Bv%NQXsU_->=W^+9?=xn8 zGi13H5ry8%ya{73(Z_|`n&!6|3pcVGXe!Ua@k6sm$W&NX!}dkk1JyqfxH`Vwp+@mn zK}Bg+x_{D=l-3*=wAiWrE1yE3d5bhRfyFUU)rA{I<$)aVtBG~Tkai%h%a|iO0a*vU z0f!0GC>azTS=oj@b~$bco#z^e<<|2d^0Q9(EQ3RAbBdA4Tx43jX}NPYeR7gzKq>T1 zyE4ywmMWGF-Ad!4I3yBVZqrdYVw6j>s_uBQBBa|i&% z^`QEaLhbj**q~n?G49aqB;?)3Ujt*h-#%vCBGQ;-1ZF`X)U7}$g=m9^k%yJ2rC{93 zMZ1Q6ioZY;o`axF2^gdGkh<`x(GsRz>+Z9U@f^8`C&(Bj0A)};07pP-M03mDyuEOw zO-vKHym>t^Srl2Yb|*Y;;lqfBw?$Lu?8=M~Yp?onk)8b2O;IqV|L7u~Gpu9QYusQz zuNCzZKdWEStx&r1)Dm+Tx=e_&dwsUjE!jA}pq4~sZTXa+h*$cGoqq5`v_8*d2Z12) zD(E>BgIUpNv$ZpjJ{sI;0tHu8aMCHntHmJ?R5Xpsl1?n0o6uA7tGY?Ndptzk0_J>! 
z4%w%0)n$+!sA2nW2UflXWTXv>6HTxo7;b|WR~89~^_^n3Wll`ZV=LplA&404?HE5$ z_nCCH(UrEtw9s5QMWdas!#56-ix57Mndj3jMdQXHT3|4SX5*MNjmXaEgwH?;OU?$@J}cu7RwlDe77NJr!A`Av2E0cK^30fQEE z-ABUj9DRDO#+9iD$S~z=%CiV7f4)optiH-p_N--~Rles4-CDHd<9ss+_cHH*4e^vYp zRT%8;o!QfZub}|QWXlDJ^jQEdqly*67fbnO+&HKm!<}%U=3v!Sr*D>-&8R z&P%EO2dP8AF~v;M7_IVSN{O`M0!UBdyF6Dzt7t1Hk3V}8d{&%z(>N*l1o{M81&Kc5 z7YimVLZT?5fC-$6f*(UeGs^x8EQnqpC`STt=$Y~1Pzs@$TAmdlL|4478&Tn-<_(ho z9GH<{*D&IG)EIo@<2&f~qsi?sTvErE$QNe_XKZL~l(r-WRU4d(BpR-!^u0$woiw>9 zz+VIBv#7TsMf7_7c(3uXIeY`7&~J@~9C%}`1YZQ)e91cxp@DUd2xfaIi8j#$$Y9T<>#84=6^5~y{t)aIhk&?(0(g5Tk8I2y+- z;5%={x8R$|d&WEM9e!)y%y&>EoJhk+D3LxQ<0Ah^uE-COM3G5IMo2A?Ng(YY+aS%5 zTgWJ+5G4Lc=CR7-kjEI0W{>-$(<9R30!KHFU>uz|@^FN6>>aZlJE&01q5}v5l$fGU z7XhMyHezJNSUX|20cb~2obz3lk+sLf*uUS0t<`Dt*$h@De}%z2*Opcm)>W5l6=GXO zH6;ZiN(=Sml*L|~n5tB06Zf+FF+2T(*;z5|&fRMJD)kw4I;YQQ)0w4mQJvAJ-gG{r z{}|YlD$QPVzfxV-LbF+CRxR~)veRGRZl`VU!U~aZnXcHep9k}~U+(v;Yr2fik;Fu~6>LZ62hw{OtUiB*rLVBvBr{*;A#fcU zj*6qrCRp6mmtkm>y41r?=yKonCzuB}r_rf23Z_ECQt@=BKBLbt|8(j&*?F86^Tqui z&OUK*s+4b1snn+U3FVj6rT7_!?qle43XVdjRH?H{9Y6VHQ_O>x;hhRy@=kqUhO0ae z<@Mbu-osF*lW&5Z;-zycrY@&pDIc9K!_=s=DxE%`V%_P~#bI!Cr!JpOFm(x*^3bId zJZ>(>(<+$SoQ|i{X_y*rhNt7|a@Tq4GOUB4OPvaxF2Pj28Rq$FR#cc+7#}W+J)L^9 zNB{lb^Izq0k4Ep~HWOC8&W6adn5^)h9meb@+N=F5H9=f!x_wVQ8qEo|4lZJ-6zB^R=Wv%UE5 z#d|NF_TpeKp5(>7UR>$LzQF(h_wxpmq+3k$Bf^QPe$f18CUQ8<-p{-hwoBFTP+43Y z|HHgkU>_2X6)Rs;eas}ndH>9_dnQfXMcXweUEW`w;O{Sf9`e3thxssn-gAE^=UK53 zdOn1CT8eG0A5DsQ{6`nfSrC}+-npBl@AqP%LqR-^ePHq@Ef;&ue#=hrzb5OyU-AC? 
z{8t&v4ew~OIz9CM;)91xj0lAQxE*M`Y5x45cmM1AYpw3}yOjm8{cf?c>9P}+I-FbG zfI<`r*CVz*MR?A{waU|D>a;n{#slIn68lUv9;^Ak3@(#>wz}teF`8GCv%WZ<%=0Af zH*q{kq*PK8mzT}wl1O==jQ>9SPj|ohza~2)mA`T)D>KKFKAWsRm$Pyv_j=vtKN+4( z=2r5L=GXae9s|R<+$@e?v-mp9`|m<2JW-+qL4or_!-s_0gpYc}4vpTqG4H(hF2u|7 zF09+$xG|zjgmmA=BAx|RQ8waa8v zDbMjF^qE|v+2VcegQ1gON%lHjZvWx^n>4GxWB-{afA_We>SnTHg=aFcR7_S_D-KA|+3@T2)zDWzqVRL$garsg(19@EkCI$iiK5 zeHch|o0121NEJwk;6wsMH!w^VF233jU9HnO_O|RE6br>HN_qexfFxu~hR7T+cEBc0 zp!h(*^FO2d2qkw1chjBZX1bT|93%mbjH>QjgPZ6Ag|WNH{d7Cs8{9(~Ft{tYb;wq0 z23?us#$cDUJK$pnfQ}B&j$Mupj{&hzA=jO1}`TP~b&uj57h3dFe zoxURL_a0n6=iIIpJ4d22lkM}_FY`H)6p~jS&XJf`JeebX`Rfu}$OkOg2HQHa$Tgn) z@BfB0J12*IUM=p+XmOYq^SRhrzNXbUUaeNE)habgg;JkXCsn65snsb}3Y|Wu&Z$0a zPODO?bSjlfqf)5!DRoM9X;WH_QlrzTG#ZUUqtB=_sz;mADikV(MxjvX6Y7NO&?dC{ zq&}xl=`;F-KA%tLQ-3y}RVURsbxNI4C)D|LI-Aa_PSvNnRFCRV{i!$gYO^VAMw`&) zv*`?iLWe^QHEGO?F_@&27>;?lA>qr5y)i;QvOFQ!po8OMV(~?nBm(=6V}b#3X(unt zat#YYL>Z64w!EU;3z$QrQ5m2bjyULkY}5cEAkmBq-H7l4BhZd4Hl#N^7K}!g=q3P8 zK(W6l5tEYQK>!xWvBsGf0(f9M^zd>3*E@ztj6=I3VCF6~tuh{Pu`$EIH4MxJYhdxV zb+|pUfuMkr>F@{`Cfu$W0|ebjq0#4%QRmfB;|cUj6^^LTscy*(yYH9*j`qB9=In?7 zM!8V{V|Xc@=sNMDt45S3dtF2vWMLwVDR7`|wufeJyF=%gL4$ED3W1z7;tA^&XI@N| zk#-1`(SqVt0Zvm`1sW#)d{|7td-|1PPIBuw`+Modf4P{o#6)FLE zX4c4YX-+}2Gv0NRIYF~205~8*;zPClM(zNcUVAZ09++} znlBLuiHuev8@_39IU;y1_Ft%V2{OdKu5W`CQRX&A5D|t@R}ac$sfqB>^P`P~L7<4= zz}0fZmn|Zec(6lLXLuqG*r9t4cLrWr*0QKYCa}Hi#(7IGAW*!(l-y7QAfmmXkyAZ| z+bl1<%K8cjpUg|eaKae|R$bl!)S#3weL3^)PP+jFwN0-8Y*6Kx9#dUzcD#y4a-}XO zbWvO=WahfymRBSkl5kyED(K{rIOOP3`k-C49!qecK>%!^Yk7m~hy$VN*-#o+i7_ZR z%?eJgsW%>NBmh=%LAXN$CCKi>)}i8(@(&4tTR@nS0uYPS+iF9JbiC=;Y+b!)7MDd% zwiGxnXhShYwYmTzAjJ-Pq?H59A$842iIy5kxe;%QqE+27w7{cgEuN`8|LMh;Md-n( z&66Q;Su-F5V6>s=&Jt7cH9$yUEvt#64PS$yF;*P9zAZkh5>}L`=93h;NGumV8tSe9 zRl(|7QVKLd#Q=*aFj6VnMZwjYbrrDy4L)2cDT9ZlZGpwz5y|S#{aKpG^ zgS!w3b9ub+Qq=QSas4HP1hUY6xE_GO0a0MrJQZzGs%`Pe@awMZ-97+bz-UndB2lYM%@&bB}NATmPwepgH)oR>i9I3216MW_okns zR_&Pi0H@8=PG3eb-d#uyR$%K`(+Nq*Kon7djSvS?VKaz`PuO6klEC0d^YEcTz(Jc@ 
zV`D@X2qQ*K(yHEhg&5dAh;x$0h92^1Y$@G3b&vsf>CPr&gU>`4^c^yJOvGa z){JV~uZV?#Y!VehNI{e|F^wo85otbDtZ~}JMBNStpsyXmwt>i=omYF-qXSL%DMjmK zKBDI8y`f#eC}nF9O$rK30bATe03?Ij(WVW>ZMQ@9UU8-qB$R`P8YgSq4iOc}bAXz@<>DjdRe^Vu#A_;4p>2kK?1h`|2(rF5v z6AZp0MGT}NIDJqhax(I;RkedVlWo-9amaANkZrP|Owt7gB(f>Igds+<>14Zl zjYph2(QN*9gjA&C0(+)?CG%oq4_joZ^Cu?C4R%ej6d+w%I*Qckr-VzYS;LfNw(?LfkFZZ^OAf#+#U#FPqS4 zb((CMgPC3Jlve87<$krYPg$#P-;=jFQ_SZ+lM@vf&HlD`H2;++&&-U9hD02ByO{VH znweLZQPBqhj+ovd5jgYb&EUM>&upKWUZ>0a73giaReT#-P5ZoD4*NSZKdXD@de6u5 z^c5Qi_aD}-NUlC+(9q^lt(urXHf@W5c4~QM7dqtqPc<>XL@F6t7^yW`L!?W1NurkE zNC=T9u0-${KmgCC`mjien-@^7CtG=gWWi1 zTRfVaBA{?{Hq<6~qpas^rpAn5h$B_XED6@oga9j?%-VLy=%i4(VzwPzj9TZum`xy) z#jwDZh_b{s9wDSBwXz{o=~;#|UuO2EVgyxBUFLLv!`dsZbW`Gb+o^H zSdF@D_}b0{05JePfio7VU4oXm;T;3C&hSH%CS(i-IEZeEQ^VMIr@M4Cu^uZL6njge z;}T=zMSwdvGzVf#oEU_8p{QCY*@ z8;qnH^J&6f+rcAvf&OAg<;Y^V4T6B}pel@-&!odI=4XiW$vgbxJ&`zbfQ%bI`-P>@N(#Bg6g`*;064C0vh>TyzDC^|ZrB2mPaa5E0Vd4P2`wz+ zGA4|LktC2Vw#;E#FOqboAgr(qJ&2s(VHT_zeRU0}oS8KeBMlDxestGt`68Ci?YiDh zxFSTW4z4Bm^{oMV)zpY|F|42;1geFgWy6LTD5=Z9K1F&=$f>hJ)*~~Wm>TF%E=?aA zQu+%I2DCW4VOj@WnK?%iYU!{jE5paH8EFnbEIgNeT)GFtkS8jh{GbomV-e*bxJJ`; zA1HY-h75Y_18+)G)gs!70n1v$&v1s+$a048Pg(91IDpN>n0&;ZG z2Z@Rt7jljpmMovK248^+EUe)%wD=VxtN<=F6;gcdjVyv>h|2PXlmso&0QSV#jpN)I zFdNkI6R=?#B|_kgSAe|{za-+uS#E(w3K0AmE3s^O6Nf;FPjkTluC(^f^GVonISE_Utg?xBgJA>C9@8_5I>3Z& zxL?Mc4O~NM;T?w)sFR4h7%C$&A|eV3lBAGf41;knARv{GWCDqz?5bcSka@EsvV0y& zf)GYA7{nBDgdjqQAw))`Mnq&NDRe{koeqjFB07xeLKc$FjT%kGK!jJtH|jJoVLNrX z^AT)jg-vA9U8Rm76Gz<@?HHj)C3x{Sh)sn5;N-(HU61njtSq@+7n|S>Y6FV8=Ve|c| z-x6&x83EAu*i!_t48R>>lX6BPKjcWAe5sl}i#| zEyy(!{Nkqo_gxR#T`PfrmXBA8ZE)%2ggsKr4`QOR^RtUbo5UHIwauPZnov`I0Ffte z{lC6naA$~a0ZA`Fw5bG_&nI93p zp07tQOTii#M0OF~!-$H;IPVOBeED<9yyk?}n)>4y!S<(TSC4VEz^_Yv;MD>Gc2Jor zKW=0vk84dBEj)MBOI#P#+b=q@^3?tCWfd4iAaf6lVL#%LvFmw)Ep1Y|>InIFc$+tV zok~$3*hCmQS5uFqZ-YQ=SiR1q^w{7&Cjy<+%;?)>yz3K>5}8>W-c^FelvN4U##m-pidXqiAjL^ zY@OM{H$Gjz+M`1f#|_O`d19D&LdhZfMYdrMf9zz|1YtiWS~KI!`3X;?=R(wov`beD 
z6suXybOldF!viP?LJCi~%T|7&A*bDT*-xuOKpnTp?SocxA6T-^R6`jWih$eP)D7u5 z!?c=gc4VS>R{+H5&dPER|J>k3;H)!N={K3to!$UW57d@!IRm^Q3V%nRNQXk@Po0dG zXsosXZAep>v34&e9yX!mGDi1Y)XkT4vV`%luuTufSMGZovX$eb$F|2scl17!kKV!H z@69=7Or?#5a(Xg${~Z_s>H$@-z%_~d2ado3sUrxWQ{w)G{f$Eh-j#36u%F=P5-c;t zd3I}#0PC7Sk)Z^XKnTRnHmzmJx?yWB-PRz0$)@2WlQss}H}m?qKj#qy?MdnSi71U? z-Uq7J=UF(^`vY$tk;D;?rg=R|t^{vjc73YXE-QW27=u!mZw(NHIn{GhZZ8h-6z8Uo zl<3?;t)jn2BlONdgfpUyZ`o*?0|>x%>bDTDdNJJ+ohhWyjb)s9O@-ub^4p!Qqp9~LG1#v(F0V;)Ajp#*T9LVgjI#R?eNZ?! z$oH<@Yx1E12g0xi-Mz(d<$&fB{(k4wV%fAjs9d-E8}ran%+PrIQEqQp00Va18ai&+ z^HBel+-+ZzkPLxQmqEbkx_gWL<4Of19(Jjlj`!~Ud<&OKDpA&B)G{9VBqG4r)KIdx5 zhaUCufzJ&W3##1s_YMVa&#_GPQP;K`Ci$)CW1yx;&xaN+p3 z(M(Imt}Z|V#8Xr1lFRI`E<$%Mvm8DsiSHCL;JzflTY!53dH)MN-XKdWCFmF!77~7C z@VN5w0hqQQLik(k1p*gh0h4PV0zjuv)M&t##u!%CTPzRZ-Qcs=GrTjt#uB0*@%<}I zJz_NM%3Ez22lALF^Nk?g^2BgH9w`RjjwTQiG%#D>jH?wmm+2_NAQi5ABFu%@Wg2_) zv{c>@b$N_HE?YGLpN^SV%Km9aM&Ad+MW&(vpLkSb3mLaeC+E%bEQMB;SeBjsWL`D!I)~2?6K|%_Ys4 z!`Zq)eaq!Bv-`16j5C4ZD^q}Pp^X|sO7W>CV;oG z&B|ZFK?kIAy}0wk%@CXNGHwQAZSl6RUqwq3H@gbEM?`#$4;?1&0rNJS;L32L2*JJn zra|mzMTai<^R220pd-RNyv1<9%DZf%%w|%2g8Dlb9mGf*TsCCnwXTV1#2>}Y_m0eH z_$aa$PR?`j4Zh%PL&JlsbJ1BLcUy;izT-!$lSl{4XmPoAasssjb2^=;9n1RgeMW2S z{Nt_>Fqxr3)G&&`3w&E9R(0Q@_QFXv0)k0se8UUN6(hzc4!yyk>z>+%8JOMq*c`mO z^DaY^al``N(`tw$u1na<0Xr`l-sUsbA{w_|W&`vLhNi~M_)GBi1^Je}V zU_Y5Sg_VoIJGvo7{AyR`4(n)WW2`fayPVa6OGn`bDIBg#ZEfN!bh=YPt1Av($c11I zdq z1uX_0-loUV=W6KvLf|bnr(@W;@(|LY$v51nfL27qvX%q_VPF_fCtb_hlWFj`@Zb8- z%=Q_~Y3&z5Ro+{nm+v&}vS~_i`uPe8q=48HpCO+Wd^0e9jb5jLn@QnW8Klfo=7kYk zGh>X8N^JHHj~(iR;2L%dWt^wHNhp)d?tSzkcB`>i;OelAB=w2CINPOkjr?;X4X1Q? z!xpC*TPGR!QF5bit{uUg7w8vnx=}O14%ZAZ!CzK6x*A81JI(a`SiVQH#Zrk1(}Y3& zg4!bea05m@W(PB~km1rw&3bIL!COm*tX2I@$uzG;LQ5?(=sv-f-7ixonhqS}Cs|Tz^elxeYUaEYE4>Gn! 
z*Mm;!Ukd(pD&OK>iSC#1BV3I<=QlMA$8?lzA2?rs2h)yls)UpB$u`9LsN&*ZAj_bVgoxH7dE785%&|817tG?zPuyLcau+_Jmmq^hGB$d z&DKflYc$vf?;`!>A7KRA--`C4w;qq+1`}=s94KdiZH7Xef?u<)-}%o zh)uHVtCZ2O2Gxxb1eWHc?v7&9<<$}qQ-B9FNOzXciA1F?rSl53){pXanXY0Y~8;Zg=plH zs@SY@Fa}ekRX00r?*V*M`a$u>i1nHQA@TPavJK9lnY`7@zJ7b&pSUNc^h=~g4WUtI z-4)6Pie0GA!Jd*?E(8k6oq}8yblciE^zQ%sk@qlYW~#T|OJyL0LG|KQr6qm`Ib0GO z1HMNf0|bvO%Wa>{u~spi0tR++gd8kyosBM}`2T3XTXHr+V4+L!av2x%+bZSc`(|^Q zE8BP@32&(G-;B}79kSTBHtjtIW*PrHAwW&lf^dcx5J;UM( zUaL8qSQF{K8|1q}03<84FTrGZ0&l6>4xO#QNR0f?hC$fz^})JYt-O1SF_nAKUaMm=5f^yjB92I?L< z-N>)$GY8jlF6#6Xr>zAW1GRWxpzisI|Li?SM&}a z5Vg47dB!!_KhSKPo=I$LtRwU%ztN##2Z{_0ZWWnda+!L7Mwv_I|X0<1BPMC2!6&t18 z?3Kk_CwiD-WM{ZLfqN^ecyKxhozdj8p(msHPCJocq0S;py6WRzy`0sBHx}X9>{(Df zEP?Hb4!tc6SVUR`^Nf@>3B=BltJg6cC#%B0>F%$OY~dz3(5<$ty`^0P#5qCDhGlGt ztGs_t@kTAYTqI3KRHPc_ z18fEUZv>1?0G4TqJ1|SEF~GpUz`($OC0y1Fu9;Daj7U9px8WZNeS3CegXTddp|*lw zryjEE{|#*FW}df4nTLY#9!J(wbpU+;cL3odoI z={b8>j&8_zEI-9`Q>LLsVxxaF71EM9Q%oq1f6QMVOjzDZ6Q#9Zjo*;yXY9U_A@m<<~=q;v_+MhQ6pwJtwG~Q`Nmx()PIl0YEEdLphk#ZNQtU~ zJ?`sSvfPX(gfn_onp6avT~^9xX3R4Ysbg|Y7ZE%rGX|1W&rhs2YYZYIb*~l&~OHomi1lp*Ba2LcKga_VELmc>amvr};7K0k7^2}1rBuSD& zmNk+f1fftWg+Z2fTH84CcpwmR9LFF-j8TXnA}~aRL_|bLf}}~(0iO&C9@f6Rx5tH* zNqQf5GeSp%qy`I4m31(tIW~W9Wk^fi!JyE}c8B&?pQ=uE63E@K>AP<#NDGX+f^stI z?uAdQ_wp32SN?P#^v4EPC^Il=B|fnqeZ*lAK|71e&LbV8dyj(3Y~31aK--b*hh3PD ze)TQoiaa0JMHg2%&pB)m4QbXy^z!$`T*-0Z6R!_Sf+ zc5xp~kQ#sbWn6Xez`!WH5ktFIN?vBHUmffK;8x%juj03Zkgy4WtuaML?EB+~$k+MU z@uz*HLPh)AL{-VodY00n7kScQYS~8y9`k3y0h`{ zGa!fb_H}CqWZ9flTR1GU0)K>D(QSpxcF?trJ(p<*GZTW~02B}e=YR@zKm|cK0V)WE z1E82-vsh?=ACkxk@x>_$5H%UJ7a#xwCSZrOqd|x$gcX($O22`~GUe1rXHWYrslN4P zQ?m?t=Ns3iXiqsMCpM@E8}d%Yl~(GRB2KAm(mMqG0BaCwQwo`iVM zssmsa!rFwVl?@m$#u@TQQwuGl>kqhe`76i+Rp^NJ4PA_GJDH{d#R;BAw7cW>rAasXyQAx=gUzz>0NM3Ci=(pn^%SdW+Qkc zjbERxqxil1<>dh{tkD{3YH2=MWi?;ado6%Hb1@t9|k zlDCC+rytBTCXr0-Ak;Nk0>ryfJsv;$ z+S8lE;)iYS??!hrXT4$y!E*%&aNJsbMvpS7Mhf6$traHby0vj=nBIWU*w?hK6@YAj zCD8QW+?jgEHP|ibw49ZkU(?~mXeH#KY2iRj@rMzp=oYfi(mC6lbHy9e#i7dnRfOHF 
zm)Ej=s`tp%1NItadLUF{sIbzQ;w0L^PKdqQH}tlNL%}2VnYArcIG>VH=TA2&yW2Tf zN-I|UwFW1Z%kMZ?^C+Rhf!JVN;I3S>>C%UBH5{jK851hFW*Vr?gP+|BC0u40v*~@F zhL+idW(XUPrnrq!=ZUmepN?$7$AtBrJ$J8d+S`GF!_0>g#@#r*B!9hCa3H>Im8904 zM$#Vnw`mmF0ZT=`v6&0#ve#SFfn2mzDDt%y3ARn&?W_W>F#DB?ti{h2;4&W^g6>i^ zF|R#!2n>w0i5G>MHP$kaS=nvL&?BB+)mf6YQmfd~Vk%?UY+nK8(wToCj!yg%bg{Q% zb$Bh?Hns$uzVd26h8aLHXjK^R9fRfVtbx;hb9B1PjB|+k3ZgqV=4oE7bB`*>1Fs?fJPYsLzJzV7>j6 zu_$VbxH(@2;QRrC(`BEI59;woE%&|xlV5=_mNRRfw~LMA{zPtsXPt8pGJqRbsfz?` zz`TSXPW>Zsoe5v!y>9I5x;Qvh4;J2CRa>=Rrcxg@KexzbB`pcml?N0NeZpOxL#2(z zri90@X2=iaguVmOjQ|m7W!uhqx6g6Hfy$S}zgGo}zh>}@;haYk1`f9GLttfsB}GAk zQyXD)pF993+t?qH(o`9>NB|NI=?cdE@pj#!09AD!b@*k*TpM+-i|EKElb^*WKEoc+uNN-Jn2Ox} z4R$EIvDA^rmN6pnY1DAWfSYFEd~pRH>${P}Bs!K&*}080E7s~&`Gn%}=v0JrdXP?A zs4V0;84z`mw+(wsJ-f$byJYsxAmf%4@H#2#8ic^J>X$KT|2FDoRB$prW9 z5Qz4iDNH+Haf7J0c>Nvn1Y+nek1WFrAN#EP|I7RTn8yzcHzM0fPtEMj=jG)EqvM8v zjv(>j4+@ya)5-^SOiyeo0JfrrOyJNs2Qbt>!jT!Q=1?-P;egyQM(kjV@GX`Euh^bt zF-!sMqrai)1N>?gSiXG_aOc5G65EyP+Ob|?HVY$>emQLrl9TF`%w>kRv{tNK#+qm^j6Idy-k0X} z!eWYfg^*Po@&;ipS2Kq%Xt|Qum07Ph#oRhi)gH5o>I{Da<9|^m5b#qETpNDDFKmNP z;E6i}30s$hHuD>-jb>7-={n{VlcEZT3OrV(PWQVY1O#bM;0v}PZbx>x!r#(<%!bB1 zza~>(<|e*NyQzGInwl7%5Zco@4yUJcp%R^^;PBy~03dbv^I91@W1C@P?2YVMn+Owb z=Rqhs4?%VgRO)<$&(9Bvt99-{L+2fECnq0|rW}m0P%&M(GO1Ta{V9@DgOtgX({G7p znzt)|dTvywqnh`4KHggOT#2~MYqhn(yCr*i7VPf%Z+Xp zl|_>&=5HRO4V}vXI{FW-6Bh_{;ASs)I)`DP^BAZEIkM=Zb0ZI}%_Qu!r6G4f4iOI5 z5$W8;j0~M~0W64uUKyAh!%~nH;aTS^jylf`p*mM#A%|2W=M#aAsFBgC8A%FC>46xf zsAFj6NUH;KdX8!pV#FxH3`sDOqJolwLa74-Ij{`)QSSLmIc9Hf^m&gIOhfF;y9`rM z-oP%aTvL8BQa1;B;6H#jVo3V=~G^o+c=nnBcBs?dU z*erfOdBYwCo~VQ8&j4hAdS3o`#^;F^KcEcfsJ7f2Z!$gJ;%IOMKYWnslUieY-u4S7 zQf>o%M!_FAbOAA*zh@Z{Qw8a{s>s%8RaJ}_gkzcI7^`xwY_FTgfqX>K+M~$J+5ixV zvoSoTm^9y2C33j>9;eQTu*>ck2ldj?q3dZ|^_{xtRpdMDQPuHcH2!}?v<-j)IaUwj z!vV+WQ*PHMLY>B4>(q1n!~TDV_K)~rGBexp96LYF8NB?H-of~SXH0NK3+ztLGpP280-kW_(Cgm~qs-bms>kkQFtB{G&`7cxxGS5gwuK6ovKUNK*Ie;*sg7&h(&nFcA+P= zCE|T!_5lW*Za9}LfF3=%A@dS 
zL#kIxZR3_Kf;5NN>tteS!(@=?S^EJ|=#*sRBK*EM2rJWgfj@cojv_$BSx^ApZ{e1x{kulQcp|cS0enmdPO?E^xLMzG+!WH;TRp83Oby4=~rw z%9`VXNXbeOg(Gb+Nzd?7X80Uwf&wHH0MrX+B`R}xC1Y4RApt^3PkCQsb8vNSWpro& zJXcNR|A#>2|C2uC{~K>VY_hDPN7bl^k2r9%-#Re)IqXB znL%N2a${&MLmcbkHX1)e;6G?R04OPNVr*t%D*$pUZ*WFQOhss5{_-G(u^CAG+?B}fXArtvLqQc1HqhOk})Mxv(ausx{m3Lf=Ce=DUmYDr>LZ`I9qr$@86;x z+>G(95-xgreYAHXGIp@k$6y8@9r4oEY$bNu5}1Ff!9m8P;ORX;`3O75g<5Rt+;@)8 zEa#d%q8%Kop>{E3(EoJmIOP?J?kEB+b%mj#@{;&hQ9y_Jhzc1IcHh8kNd!~I(Y9?c zHO6g_GN#G+%{|)6x|ZEvl4u^$kt?YzZhzILy1%OFn9TlS|6^ZU>LSv#JdsRK_OKz| z9NLjq-^`D?LA8ji$Z(z>?XNTEg1fr8`{3k&q`vR}xnLLZfA$PA`HGLueh=OkXgRmg zcWrU_G`mcM;Y>Gn51bf~6yEoL-3njQ(j-zx2|G)FVNmU){QLMA(o+ zKu-~g&K+1!Y^V|y0*pWaG-A+aXn>fg(->$xX=rEsj7~#B0ZmU%R00D80+{6g$d=^) zNSUCQh;nmiX=Ze6RYqS;MNMOFVQq6RaB*i(Q&UVJZ)A0FMMG9lOHe^lK}|(e09ZL+ zHZosENkvRVNkl_cQdUJnNJB|eR8&__P(@BpO-V~GWM6h=b7^#Jc|$<}V{c|*0B|mM zZ)I|Bb98WUYcl`qRZwMPaBFa7V|8#cX=Gw~mI12Wow(cS#EU=F z=B_iz{0GZ0jkB}K(hk;RoXT)B2yuN)n*f`}XhN>dp(^I1faWNH|1T|q#)T-VU{+W< zNb~S~yS({C9QwCz7?9*>gzDoV_Y4cmNr6&$mrzUWJ~pN+&H5t*mt{cqMF55J+TlgQ zB~!Fzb~cF^4x(2WXF@(?4$fQ>c!w9c!MX;^!lwSZg@hzn#ckf5v2~3(z%f07x>0jn z+dib3s&}W>lsaVhqw-(kZw9p+swS5DkTu#{Q%lvA^{)@2$dWf~gskDaPB0m_7Bs*S zF$2!&*^?oJzV9Jx*B$cO--f0qFmBKJZM%!C;h44_0Qj>qa8*8BK}@M889|0&8Go!0 zM;)=#fe2mN-L;37f}E)Ucrc?ei(os6;xchXtRqatl*`?XJ^2<8s5C*!>X>7^E$v-e zs3kg~3NG=7fv)7e z*e=;*S|KtnoJ?wyh3%hkwb>TIv^!$%^w0^8|2rRe;?UHMP|;|6lev9gd~HxiKx$rS zi!~w%yt()yecm`-R%0^k!0NxL&v+vJ@(K3DUcl+afe3$6EO$uQ&4|Vo~@_7s2kWO+ong64~$EbM(vEv#!gEby%BY7&K)3h zswO*#fL!fxHCi*Yaqbx2n6NFmqXzP?&2lyODuJ7Ts}k$hQx_z5{>?@ztN+CR85@*p zUsTx8sxLu^2+Sp`1!-c_22r6DuhMl|(>8Q}lSf;6AIdw3^0uM~%>G7{2v|+RvXLfr zzgwPIDJZia7H({;1SO}>I<~KCf5Q+vh%y4{1Z8D=!-B>=j1>$#atI2}1+SpOzM_s# zvL}ZVk!A0?k@*jbrGZLNI@Id~sK?zR&L}2}Iki+4@I-tsw|(IU+|s5lhz_Mb>tfY> zv^fHm+sTwVw}zJbP)rdW9Axll&qe>DraFPQ!9Qz=N2BL{@lWI1f6D$0y%6Z=Cg3zS z)<&xDhqB^F)UO_jz8!TS`NE`JvFnbN&(%_5w+ku$>{w*soCQz$ktrw+Mn)lbk%19H zf&)P&JW~}Y(_Tj)HoQ-_;XHU=(gEOQ`H#=0_Vf+!Pm;Opc$4fX{L~V$@v|-`B&YRZ 
z;5h3Z)nK#HN85NH69!Bf@_y2MXMn2rf4HSb&b74u^dd9^Q<7Wh`vI@U`%ON5Nss{# zfiwuK5NuBg%YNW^Xv`CD|1($iB%&MbQe(P0dM8Lezh-gU?|Qp1>+T3nSfH?XtwN=s zn4KQy8ylOzMPIPe!=<*55~D3hF30YMSm}n5Ra->GlMz1S3s#T1u=s<_>(p&OJGi2! zH52vgdD>zvl7*H_-|Rezxa_9x4!}na2>XjSV^C1`!nf z&{ak39LTFclO%t4Cte3b|LqZRg6gTqcz3F-YRA)3MbT+4j^QAw`&Zkc?y0;!W(ts< zgN<@-JN6^hCLkyv6G$B&Zc}%3W-MXEFxXC{{${6hJqvcXzmx04uP;d@YUP0e{^=_O zqv-2A!O!Qnb0QP6I%Q!=uc1Q3dat}Id7+V3E)xaxEtzbBG&#j>e|sX~Mnpk=X}q@H zInXBn9joZ`TP4Z9af~^7qqSkC_mCbAf|p2Er+~+(@v$=^B0(7i1qB634q+IBoKsAp zsgoJzVuFxoIpl~jqyiF=NJ0t_;Y%4N;*BYJu@RT!7y^UfC<#g!F)J_Em4T@}4Bn0?a*7E;tN7!&Ito)stO*(t zV1;{`M3-Dk9s#qdmDel)6ov+in`}?XS}f*JB5GBNaqO;=q?9;~vRTEU8I2?667MH5 zk0IFW0>M`6V%a2ju1A69^{|VHho%4*3j>3FvQdXkH<89NQ;GrdgFi7=|Ut zx#=oM_Xqd*45cRtU9Qu0o;k7!Eh0kIR9upg8;abKQcimg+1V&&1p{f5G)ud$0l8L)tb&FC2xe}b7^7x=)8PQlndEo<3!FS|2URHPJjLsb}q|F_>zji$6zV6)qn$Z z>Gc#oR*cd=KTUiMOCCYU%nclBylpJ=7#EUC_H94VLs zromGSQBD{t*sugDS<2F%LnVOrJkR7oIEM!lv8f|z<31rZ(q`MUayV>23k{Gdtt@_A z^fU+~vZ#H=jGj#67fc>*{q7RLeORhi_j15;ZzRUJo=(lIBsEK(naZQ~({>aB%^1T1 z^c|BbHqED_Mlh4njkk}^M{VJ#VwaQ?)o=RjcxWDI`QEfUHNL|8XjCpIiFE(=q z_B=2sE+6N+^gpL8L~8c*VSy6piIeuii>jkXBW&b01 zt=4gie0&*U@R=KgBtv&0Qpw=0S&`IGDL|fJ{4@@G;-Y}-bmG2Yy4rMImmXM}g_S}y z5))6VExqiO$k=CISiaS-7V1B0PhyjdMltJJ_r1K^!xm@DM|v8L!#MdzL1vtnV;0(D zA(sLm9_bhj?fHB}+n*#Ly8NeJmjehu2Q!a*0muTX$MeUC8_PseTx-CS*!aSe^iCA zOzVb%H{HqJ+L$V5np%;YVr@=PsNHiL5PF$nI3Kmx2frp55)Z&#JZGt$;bGGB2__=` z%5WRx^$$l_aZZYdyYi-3?~Ebm#qa55HXm#$nZUwFu-n%R=C>fwuZaVxZ;fA~!c}x# zJVhHYER#mrx8#NAyyPEiSsy-+YTe7Qyi6~YdVS%jn_^vRS&KJd00TfYBf}H=wFQZA zJ6^_(HHZGj4Hg{1Nx`j3kuPxnAOPUf?j;FQ2KC~k`RyW~A0=*ipyISumko^#hFjT3 zc*S4J5Ha{Qd^|spwT~fA`eG^@bq(y*TIlMGhCJ2^?bSq;i=LUcy z8HhY3j`IX}XXowU@%^fK+U__(Hfj?t7CO$uXYa`?vg6KtimLxK z;VPU}a0A!JI&ZH4KbiK-go5Qj_W)rCy1Ojyy!VF%iUn-G4E|y*cO#;S;ED&X6YmWW z(Q)0401(G%R~CgH?`x;_hc014`_e(UF#lfstnA9LUIGAJ-kl@*^%GR!y1I1Nud(dzp$BdygJsl_4Gqo(FGDXmw#xb>SYL-FNvQK@cN{bY^O2c5P;M_ju-Z zwrQCcW@hGxW^IRN#%iBxlo@xrpK3!wO2La|2GIlmj;PMnf1S`M#nUK0hm08P$Z4%hx!qgDv>I5)@^*b8~| 
zVGPWyNfOf8-;h4}h>MC2O#cQdrkF3^q+KRwCntSEFadX0r)T=)BbZj3bYmsdQxmTT zW+r5Lw^mf~0BOkFN1%l? z{&v#20JqogG4*htAPh{R1y*M>OhvErwV*q#o!4G0ajBDHR((`c_xf%ke#kQwRXlGf zg(aLZ2#{x1^+Q5FjVFh7coJ85 ztaf<>2=eaQ^OCR)WAH##hBC3oQSCVj;`jakv3YOFTTX1go<@Lc< z;cI?;h69CC=^bI%?ofBbKkWALp=&0Md3NC?Pbp43`m<{>T-U^Jd9`h-L|`ur+C(PNLE0EzwkO&xL zCr^q00p}P7AOwvlyuAaqB%GNTD}0R6mjJ_J#A*RJ39`4$8z{_LhmvZogZ(IYo`K@Y zi^rWhf-zYk_kDP7}&hCqz{*Cz_0e zC}vZ8XJ=AlYH0OkRN*E-Cu?M$_fleKE=BKG9{_l7X8=7w!oRQx8^8I7_@Xif`NZ;>*RmR%Hjy{-$V%a=4R%}SG&8gLUNb2&=MJJp$|M--4*7r>`#=Pu z4v@o;XULPgxuq9w{|Myf+bNX>TtI!DIk?c4dzNrZsOiZI0A1Qg3ch3%-j2aDt|;ld z*Zk}X;Q#UfjTXX&XPCAC`S6RhsOVtxDU9GsSC{~Aq*I(Nt=-nTwHAG0v^L?{E3s-; zERs`mm+YkW6jzznD+(FT2L2|k6;R9Z*<7jdYBr;|2muENr6$HbJ|&`7pa*H6R7c|~ zqt~3D+2lWdwf?-3*OI)BIZ&@b@`0my~_o;HCYT5 zUKi>}>p$~xi-|q;ng!4U|Na{86b}&!|CSR808@cX1r0zS)88 z4v7vCd{G?mat3Ft>o~7YNQ^*qGykqn9Dx=%-yi@aCT>o(5N!&UO_Ich4kmHin{34g zpJ+|rW`xDfC5t$a0vjWS-_f7N{q{}a6&l;Oj}WKQ!21<;2w>jv?(|e8MzupyG^8Tn zc$RhaGRTxQ-cmvU$x(d<)g%o(|2W4>Ahyj-Z=KZH2d`ffZrQVvb$Il9UWfBye}DOGZM0|NjZG`LnNY!<-O4LsL%3X{>&m0zd| zrSuQT+j}a#z2!Mj^uW@S&DRm5TW9+enXX_1h7|ERO24DD$WYlQ;pcXoj_fTN1AFpw zLfT`SZOs4vw>@dsjBF>S0GzwZ8G!gxIU(q#ghD<;y0D5@Vv(&KUnym~#jPn;2*#g&xP>ANrJ zPDe-q0&cgcS&~1zf*6)D_z*wjtem2k020;IU?hM@0fZc+LvWRZld=WoN7^t=w9c@M zyV1HiNk?}3n2SdjP0EPJ;*?T@pd5*E14-O~e^0+RPfF_EJIa+YP1TI-pD=n<|HdBt z0Bwpaok@AXtVFJ-Prkdk_j0b>wji(?d#A4(G6XQlSs8@(0nJPlKJmw+0ss>jP~q{K zW8|}usN0c$K{&QB*h}TsIXE7X-n3l)caLLy5CJqmnYE->`PQF#Aw3C9OU+F}Vj&9x zfFY&A$nKx(TuYjDJ9|fKf7U`S@$=nhM`8Mz)~qMUsiBv$a)K{x)p}K`Pf)HgdlOV& z0bNL7(1_i$Nox#XWOZU-L>%5q@pm0fupjKgYs;Xk{A}+DBRY1?_0yjnh<7ov8d`?2Fx*e>)1Sy;}V0bT)j-)5%GErse z>Ja1FUu;6@#ZncjoT7SIW9&%S;3#VVfB*hpgR<1>AV3bpRefI5dn#pB889{6b}2&8WifJMP9VP?M;MW0iGP;F2esdb}De^D$6qRG78NzGz3QV1D z@2z1b0ozl3?C2S{_YYNCXT&F{&71Lx>zh{K!4OvZ=A!_B2Ax~E6};4L`x@2pbF1GO z5Vy2ZH^`xH(ApvqWAj>3H^R<7rtOAj84C-Rxa@fGd z;Q%G$nevb~63p}Jo;n)Qf3UM48*2B?8wJPnN_US$I?R#|x=G0jU>OIv$y3S{f$I=a zFL-oHG6nqu@av&shN9JepqUY9)R{&%=rley0M#G7Y;m9oPomA$MX?-Q40&@T@dA?m 
zcjpWeq$5l-2eybTs_&>zl~n(PD7}c{M$&jH;s+C9EzR7t3agZB+9}GB_d5Aluh|1> zmzI~SLy32ZR%eM;e|UO$cBWJSLtfiL@2|3$ol*Y$II!WU(8vIMv$YDUFYSFCePFXp91Zh;FGX$Hd+TsVH8wsatRv|<|kMsYG zC2+U`7r<5!h)ZL+#>XiZc=^*o0D-#sAK#cW#1EVp6GLNznFow+exr;4A9KhPOB+u4 z;ZOoGBb7RoWVKBX5M5}Q7~AZAS`F6Uz^YZp0F~*f?3*cj)W0_1Sr|_NrFv?6Cdyv* zFU`0XN0$Jzt;tT&{%1@E=9Rj-9RUb_qi{R1hcF4K{8fQM6kElzu3Ab3pqn0RsXcN4h+3(w7-8c6Og$|1Hsc)!Vw}g zGJw_*Tpc03H)Dvk_apmEBH!lCLv^592S;Q?)q$CX0Dd$UqTsmjJ`>$3MO<7eJr)1_ zfR6wJ&B==3;@($EzcUa0=K}%k>Qx%pH|Ze$F8~L5zGi;;+`Ft*pkkHIhYJS+oBZ1? z&M4Vg@_}0x_!pQ+I@)(8qr_!hr2G615eTUL7qm#Gg;W`wN6?S^5Y)K3uH5FYNT55v z(q4?vHbFrhnn|+f{90rQGP!>|un;@TqZjpRxDuHv`*G@eaUO>8>WQeFA{D^fVo% z(Xr~_Y<-(AFKwJwD5r!$W6%}8hBQEes)*TMFP$dx{1*>tMrw54{f!j4o0+hgvm@Xq z38Vn5b8rB(;WX3xS?i0dS0_mXW=&f41Bki+QrxgKDLN5;A5ZZcF!vdqF+|R70RFH3 z^5Ze`mf&&v4f&WX{-@MGE;SzKhNu|xp`mLKQ_bWoQ#gdBG5Q^gY-lnLI4+UegvI_fm_An=K3|V0@)4TZYeC$T?fD>l45&qLSV1dV_VN z4I7X+p%o4%SD_J87QkK$)Z2V2zhdKFW`K6StsskGC&Ekx^NI?p_FN9|EK%O^fnBxj zbo|3ih1Us7qYAa?lCHp#>n&O9Ax@ z0*)yJa(F+nh-IGmx&%2E?%s(Ja4RASNOC!uT3+XCRr$j3n5dlPuZJYSqCO4}_jLev zDBrAQVZ|WCoi+%D=LC~#W_aNfohG+|pMH@1TE;clsydVBv+KQ8c9@2|WgP~v%u}%T zJI*{lC(>X`YZuY-;VeQ&_`K%jW28XxcLRNaE$cI&^r1OL*qFkWPvb)3{u+Oqj_2!2 zd=H)$E6y`lYcXEV%eFvhH@{K!yyp6?rx%`t^SR2x{9`3i9({9k7LWckakdJDc7~yp zb<@A1|NJFa1^Oy5W>m5C%LCS@P@@bb0Rq&RhZotp6{~GNXK1dD7`u|s&j4JMnxe+p zNK??}V7vHKvB^+h=~@;C=82Cv3JG;sZJ_)C*|32! 
zpS4xqZuDRyegBK(y3eQRSwnZ!6u>wkyjUP(ka7FbQYMIyoeLPmX=p?> z-m`ebwp^)M9x7L31)47WA`(5qIa&qEr$Rlh%*jV!r_^F4Yt?BMeJOW=0LEG!p?EhI zSdGpri%RZ}B99oBIH?aJV{UjaN@aA>9ci}gdS@%RDhNID^00(`>2R{%6|tuz+<-xbNZ8#mLeME3 zxKozQXBRm#gsPz0WV!+W`~XpvKDl9z9GV}JnjxUJg+T72+HzZ&vla8Ww26_9@d@Ep z897nxev^9^Qoy}CvA+j3bKi(PEHv@&MIY2_P(J_w#)Xasw*&;~&7MBXW+RofLY!oQ zIR!tpA^0e-U~5f1x}i&6ckky}DE=M6C!+tT-ZMzE!G&r;XP`Lp=tp{N>JaC4ha>77} zzLa*K(PmKkQHF9ZF)yd$KIi0^js?-f7hsq+piv>51vBw_sAgy$69Xn!+r<<5r_d(!-R4O=C0`gtIRVi#bR9-l8 zb_%yP7v4&iCM<7Vo|wOqlH4iy^c}q@niPEL+A$Ng@VLMVV6n~}eu15OLmhmO>JDGW zV@-kdH!a^-8V#~Yu%~+L>=|mz#VKT>0nbpVq+(osYqq(b(YLtt`7%)YyZ^%L~ zWbId#DAR!;>fs@l)np+B8ReXS=MSgpt8yeTN&dLr?7>F4u^5f04zMtg_I$q}>qDW4 z0QCO~{eu4x5(gP8mH)`vcw-O|?Q0~>)pPlGp&ofi5t-ijHWX{gv9!`CQ$<5ZFIQAd zQy?I3c4c%RGB`FcIZjDaR4+9)GdMLeF<3b+HZm_VGdV9aZZk1~jiBK;L zul`WA0G+7XB5Js#VHi`k@d^XeHB7;*TW7a%__^e7i8 z0SYH6(nnxqnnxGmKO9Mj8m`>HPJ&YY$_-2}mTo3@ek7IscT~LyFa%QZAoW-p3nY-r zc){HE>jQ?|L$p0bOX0XzGo=Qn{?~CR7~-`pAckM+{W8R|XWKCs-S9B}3410D z*hU}4(3lR^?*lduB3J}CN8e#7O_IPQ^;Tz4kI%OHTcR+v_z)*C-QB-VX1k0smAqN-+ zaH;cPJ^U=Iz;l@c+wqXHeLR<|B8sC!!#JpPfwrp~rFd2?zpba@=Zj?B!tWBcYJxqeYN-Csx z+y>;p)|-CRt{;KqWxdj3J*iE)5}cK&_B8XY_ZP%(ldD( zzpWK>aFYnSy9SS0)&E{kRaQHPy%=MBDEKzqf4zKt%h)cs?90kd0jeN5ow-l|NJ?lF zggYGw0ZM1UXR!vSki>xkxh$hn90+A`sFF;{G>IH=7KWitqBJvsji}+GNs{&rfe;}| zGKH8D5q0CjXdn_&5Je#+z!{9gVZy01kunP~ zntg^LgfU-vrr8+HF-9I3D6XBEZ8#fW(2|)3&=%AIcTypd6AYf?OaL^-?epL8>bJX& zqY-7E=pQyYZRY>9VTvOT-eUf|#Y15k=QvRt@iccSj`JJoj0nf2#0ig-Qm~<3aJF)6nsEpa5IIu7dQ; zL86#Uwb7Uc6hl`an8a^B34j>{PUrymEg5m1UbcP$@({7nYRDk&C2*RN49+8xES`zr z(@B&YY9t5jFizs?ycyU6hK_#zw`mkY=;j__P8>xTGw(ef(2!n+cC; z{tx&_70+lUQ=Q@WR4qu~Ha8b^A!fzUG_ZpUtA=pHZk~Y#gaT1ZQqJT92n{n$fQN|! 
z#zgg&HL#VEnv^4G8X2Jr8x53l(q~SX39+ID6Jzx|@Gky-m=sKT!U2Hw0%7zu&I2-h zI(tH@>B3`wQXPaxu?G!vpzl=km&@n$OC;-{GRC?t3ILW0$JumqFam{;gH3JB*K2l= zjH}Gfb;96mQA&TYfCdNBAQp4+*uZgn>M9A)W8$hSotB1V<*3a;7US=;`HeNEk2?n1 zTO3@3Pb+~E*~DgCi&gazw=@K)T{=`Em7p7`e|anasLl4ukyQj}8+xC~d|7ufHB+;@ zpkf*a)=5Wd-%oFrgP{I9PJ|^!holjITcNt1Nm!}vLO(hp}qqJc#TH{AI;v6X*9tt3`77HVSh>Ru2=^G zTd6ku4NY7YOeV64jLF>!XCTdC$wYYrcIavhO`>~+Sh!riHCOR4ZB3LHCki9lmm;uE zWm^u&V2|ZM0fKl;L%BBvY5-^eb^xPKBn0DWxt`EJ-TbGiy8f~%D&9#*`nJhPr5k-7 zSo%`Ft^|f1N>4Y|JW?f7Ws52GZi#LdOIN3om*%g2Ri9j`R#jKuguTg3A#Ie7v`Jyf zN)7=EI}@;^6Oq!DR=kb9E46ljfOt9q9aHsmME651m{Qe#dY$hH?nw8smW4Rb_R+aT za`c{S>vmI1ZyyY5VJ*aNpp03kmX66xXB^6y&6uTP$uoVWFZ+LVQkZ@k83@ zgZKSbzUj(WfB%vu7W(5_p4|gt9-dAwPoo!wWE?(5+L~4*65;`*!^id5prIoJh6@(3 z3KS+th`_O-kpba>g9Z#1a1|+x zOB6TFKTGtB>gT^=Hks&hVuMD51oe91py6a-f4#uCv?(%PJR42Ug6b*@x^nJvl`P7t zUB$M@QG2l?d3((GdXlEIOkr$#rjH?d8^byb!OPLVtCcf@8>mvvlC~ge?_x0qgJF`x zKnhYLH7RuRsSxUvvPLNp5s?X6P*9M1EC)7#d;N~LOkaQtB$mF9+`F_PZujRW*56&;kqXZ2BTEQvMds4b(7R>$D_cQ z+|Kw_!|jnWVhvakWcoy=DQMJy>@dVr9D>y2!|IjTKY#qLiNQzPDh&@W)0XG>``k8t!qF?Le5(1Dv2vk|% zv>}>5?(=pXXPE$dD@`i3+dohkVvKm4-x!8)7CsEyGj&{!d4|az8!Z`q=E7pcbXAp84$n&p4fkQ^qo$v`%sfRvjD?Cu6 zHCuNmEwrOGJ*XUXAo$Acia?GZIZL?+Z#0o4;)E4Ap<_W-v*82Sb{Ql25~>R8j9(4R ztxv>Ve!-=rS$h$9uV4v{Hk}LncaFCx3Z6z?J3x}pT3>vh+v(et>2DB zUT(L;47MZA{xnP24P=JBD!S1BMb)@iXaIULN*WE#|0b(&kUf!sopZn3#hY8w`{j1yWGs0i2CAlqaUqh}nkr3bb_w zB|-x%2xLi#{Qf#xVkV2|>9`LCT)6bh80IR9CL!AeyWhT_EKsd#gmLR%!x6Ih_o9WpcV!vVie6;u~Tu^$`H1Y6_(HyW`QEv zr6r;7%Vd?Rq)$VIEX_tyzjl>G_P_HC>n0c+CFNJx8#oy>EC#uTCF!|gd3ga+s&=Vw?Az zW#vn6+|OFsg0>uYdLI%N#}uy+#B&qlZ%%H@3LOl{tY|XugIzm{U%Fh(*pxE zD~NLD1_YX#T&WZ{J`s;J##W8quo-?vYUwVdWQO3-HsOth;Bmbw{+f+6;_UGjLGkvk z8Yiq%pmjQfjWXmgLBCk>d1alv{x__q~VJHx_ z`B3!MeS`Iy8yLWP7N867cH?*rIV_0houspXOi^ALfW4cQWtx{={X{x^PY?K4?F<#S zm2q4qd?|^y#NSn#wH|;t_&$G)J^gRrOXhDc#MnQ$A|PiEP|O24`z`@b1S1f;SG$6b zW6GHL#?8ysHQjSYhH^#_>j4nFF&g!q1lVubI2;B&*p%HR#$8S_T@zv^RYlM;fCO=; z4&#r{L<2AA1SQhC9y(X?_|jMKbfNVNtsEIE8CCS=-8c?<2N3AusF%{`5%R{gUM!)X 
zF~Fkc_GGP~av**hYXSS`)`|Gz09mv;1nIj6;IL1HM(|Fyk3$q!yL!gpU&jHwiJp+x`)9JWHXICL#r$?2=XD-55J1b>- zeh44+mJ$jdxoX50Xur=NV@1IYkM#3WrMz=7K|tSjp0Ki0e5LBUV{URYXRBhEv+mHt zArK}qD3HeC0Kq$TO=Jux7Cf39%CyDU=K*#7;eH?Go%@8o%N>JEE`cAo6dN%78_;x6 zn6(5b6+vS-zbO^|7;CEPtTOroGcoqoQw*~^N_JJ*CrXL~l=T35W?&RQFi-2zX6HlZ zLqQ2kLqS0S=u#9H#&%#UiOnuwL~BaUeyQ;hwxXrG4_^BhO7gT~tn>DSE!c^!S`^Za6SK>YNShrcGok5%R=Yuwyk{bLvgWKMHDM)IjNSZXL9rRIz z`7h24@k2|?fdfBH?7iENn;IUINGwKsOuCu0?UZmGQ+(SxZn>M4bWBwT8gOf{4xhL? zq$jZuc|kHZABA$KTe)qdDxNZh(jie6o^WzXJ)HFO48B0qE(3Ee+$w`9iG!kD8Vk-c zjLFsIOs%>!JM+}@dz{=EmT{)%Ld604g2MEouVI~%3`rF=6lP&mHY`@OFo7b4Jy8OM zfNPqSuKbKtX5w_N$pLeRB)xb6(J&EE1sXCyBnU>R_fQB~uz;h0GfJq`g9j?1LNbei zac1FM6-KK%APX=w1QH@p2qc0?;3%MwT`2}e282k2N|+!DAPR^GQD8)X0wfF=AQ0fg z01V9ZD3tz!Atp#LqpDpdfCHbiFdtm#e2@cGpA?qONqvTP-QDzhk*X-=X!@g%s;>pE zGk#u&+hHBAB)_S{IGcIIFOx&$CP6M^`64^tzw>qUWA(fknfyvs-`D;x~w5CqfqM`0LZvLuoZWKHBp%n1j_P8%)psiI|`lIvxSn!A>{VA}M-S4)i zE1f+_kxBVYb<&}#jiwaMs9lOvTkyTyi_Xx_e^2r*RzK9V;!N-TKyEj#gN~j}g=vS0 zfkIW;lxm$9qi~9*ZIvk6+*X;)ofAp5eUyopcU+H=Udl< zZ#?v*)sGIBRTPG)Dh#{q#%oCQ{Zm2P_o~KN^LrXl_LIxBs)Kg;39V_t>OMD&KHT}^ zo?Gl|aT87l5}%=|dy5k_k3%EF>5U$W^B*9;Wf=Y+aANaP`jVu|wU8mtmDu5zTlxv| zk;^E>RGy^K`Oj^QZRH%T^kt{ipzaT=eH{W#NR3*mxruS!v6U_9V+_Tw=ftyPO=|9G zFB_4KN*qX;L=%cejU?3NRD)9UQ|`~S3?!Ds+nj%YU3%S2t5hc8#M0Tdw?kGW82v>q zsYD*LkURUBF$7(3+a$bUGt-o!DAKj2=1BgWX^!WQbpuyW2HLpP#zwxCN92HUAEg*i zXRRaK4hA61(Hhmr!gV7hB8fsZB5kkp9xfzy_;~oHsirg4m0hrTVW^baK;k98SJR&j zH-GKsvg_qIDO_2qi?hxnx3LnWwax!ocah~{VY1A$&Tq&&*1c@tjap?LIqY3`?_2&s zJAOFFtbS4Y1A)pA^+O;(aUA;>nyJO>erDFoC+FM$rd@Jcs}w_JnUb}u)xjjHNE($I ziReUws-0SWVQ03=csNTUIPBx*v>34~|ML@8sjjFKoSsI(#|7zhF+0R|PJW?#b4%}X_) zk{57D=T0}&`<4adcbcE0oWTFZD*(|Dd@J>rgmloQ$C`ma7^nhGbiqP};3Ry^{g;}n zLrWsg&A^eFg?zn=aA!@uu=}CPfyj`#=Xl9{J;n3?OW~(_1-gbc2uGL?9EpM1H72gIO;@ z*&1g>p#7HA89RcE$?(j*^40*tfj?qUYgk zfTIbSOPd${yh}m^o{`W)R`87O;4a8|$_#S#>2Wv1OL|4&OhZu89XWa-d=TwawL*$$ z=gnFMiy|ly^w1zQbcGjEz8RS_*fPE;&lbFnnc_WGy$T1Vhe{=0*_ zYK)UK^u$(QPM$~9nR40}B9g0LC;xy>pD7nFroWq!xMkZwb@2%h 
zXtn^9`hkG=fHa+BidMkbvV@6hNJz(Hvu9#AJa@`=`bEA@KfjjFHL1&&PV?=tv1*1mKkqE$Gwh1P-?2H2^kz z8LIj_%FTI>VRf%4n2bD|WY%9&yau>Z2hz4B$+Nh(6@V|GZ>i^-XK?uH)V>`EZl&FR zOxp{*gD(_t+I64|zfVIHpsAaIu?ASqV$pluZBcrt;$bVg%c=&45?Tc@qaTnU$Pgkz zQ9&aFC{*EU7}Swf2r6<#l6EL}Hm3hGXswWWa|^m7pH}@2eeRd;N_uOQrI#nG>ge2$ zxuJ^!&rJXoII{s-WUk`i#?|E&FOT|j1{MU&alO8Eo~5hNCpY0?F858Bor^FU*kkmk z?9??{CC1E++3ub(sQUhv5R$wpk?(SBk~cHr`~o*Sp}bvx%DMS5N)&Xq1p`~;@R$u$ zgo2B83wVjc{_|;AG9iH*Eps93srodo3YIlP; zEK5%l9TD4JS?rwS_&vBel2c`KyNsHuDE7GmE5k~50qs0{lS zlp&9T`sF5Yd9TZ}e%@JO6)*LBC%$zERg8(cB71t1+)r5xoM=K8%O+sZbkaT3ChBw@ z9O>94`ax&DvhPVkgbGGY(8!N42WwU>-!3d5t^!HWM)OyMTu|uc zoVyEGVnSecIMfe!Mq`kLRutvwdvB!t{vc+J zyHTlA(Kb)~a%fRaS{Jgt_5ql_5@UpTuEvC9MNv5b6fBQu(3$bVne?}(Ja%(qIkD9~kzqT9)N&#i zfiSPZO(c5j3HRq!DnoEI#siTW#k|DJ#Rmg=Enos1&8bLZwrZ65U4;36NRz>%(N73Zo6V!rhx7;iyyLBcdY_FLQ;RC*Sp> zqNe4)4PXQZ81^&JPG~<2L1T%@NF+J|3W|7a*DygQ#nhmfm$%wmb%4o$pYM@Z2zIa} zej8DBar$F@PxX60TaN0WVq~1c9e#e%J+{@@Q)3X3N(!S<3gIhCCSRUg@*_jBZHCaL za5xDxaYc4EDp5~S^7es;(B&1EhU7a?)T{hPY}ux2 z&FX$os1W8Y`50+cR?OgC9;_F^ zpzX#fXh}>7AqdeZ35Q_+g9L`AFH{T=%@7e6A~T2KCQxl!AYBnr<45bb+Jn;-14&ko z0kqu|p}byuxD#+r^0)3!RRVC>1Z=Jl6aROBFVyW&z&>Q`GkmHmFOI@S#4l_Xai8IA zARa`rOof8+wD7cAvE=wkU5Zh$PK_{Y*w{$_2Fto;{t^fdU%GMB$~_GUGu*kr!t>)! 
zo>fpqZ{dAYXdrE$qMQ+E;l&s~%2Mf@R9=@^Jl$uNX4Gn5Z{c!}CP(M#y!`B7!=*PANqdyiVvr9!5?v;IB(bq7U?gV1C+lzkO@1G%o#Dvxj{*iYnI=ZBW!LQ>{A z1^#a7K)e~u7FGS?uh#T)dzCQ#hJiq(IHVE26CUqr9!F&f^)@k;z2AJ*q=d#=q;pK~tZi0_nxpbYLfylyZaguB>PB|x#C*yPFzjYj1(E@)J6Qg&a@QqYRFhVV|TL1d~a}Q#bJn$TIhxMyOaY$%w z9u^z+#?lxgelo+~Acj=Jo(D>Q-8zHaBFI&E=gP)vt5Y6wDh}43oz4<h7pO+0wWLd-(RDKdid8UUCIw4NI{x7HUw~{b)nKQKfEyv3hrl zG>6Y+m~z-;0n~*0UaNxtX8MN)IKFk9UDkHJJ^HR%?yP@+NP_P1zPyITwM+4pg$0C_ z2|$#kR2fB05?|JXerS5c-igY|hRQpxgX24k&=Owg9T1aMa1%n}vk9b&xMmd_v7U_1kj`YPiOm3a5e-OIkva6K~PBlm$!LuC{;Gl z1%Ul?h@Y$A6{?&qL1-4;8iplO3ORBdMjeOXikcAPkp7PGOI(?nf@9I&oiwZ zjZL~{KxVAZi64Py5+QB9i%^-=&8}}4`_41CECydVEGK3Fr8@N zav{TKF|f2?Ydb0s6S%o4^dtYf5pBc+aE(eqsOoZxLQoYK=Vkd)px0q9hp`q?7iERt znNc3>#sVe?z9r%yJ#bRJz_i*`O65yCC2=BTY1=)rJmAMGU@OS)q>*c}a~Lkp_*4zW zOQo|)Cme!F{S4vQ_X8t_UNkuaf!;$fSSV&2Sn7&-#KetZ`GC=mE@$Ni-Z5c80q+og)aBgBvza#~%W;ybx) zdxHvLY=wru`?sc{xe21SXSzWKx_ib?D5*-uUql3gmzhoMj>$OQqfvL15$Tz{p_)ID z|3w?HY(FYNI>aY#rq~q{04_XE*mD)UlJEmwn9vF<_~iR|%Yb7X3Ao*q@J=0wSzhIj zte>2;TH$6(01fv z--VFxn)5XH>>bJN+<2rENaV|e0hqonhGqpN`a}J;Gi{Jy*>qU_xHJ^qBtgJD6AG$D zMpbX~d8HOms#H$9Qz`C(n|qmIqtf_#u$(?k#jp#)lo^ghNYcn*hsYnyLe)gU6lZX1 zASPpf`B5R@13=r+O40$IxM83-bm$UlovAqial8l)P7<(l@*TAF8-E6&mrJ$~hU4J&=gvsQr zGex9tS|f(%Gh`INi|TfRMtrBtzYP1Uo?MYblW%}xKzBC2mFX6a}(WWhipyL+9R7jsl0X6S>)l}a8$0aE7Pg0@1FBrZ>hLomGoQHtX4OmOr`p|+R>>OiLth3;QY<@@v;A(2g33fbW^I0=O# zFpNjm=qoD23A}COMOW+}4>uK?;l);-*;yx48$Q$L>*(eNnKff!=`=ljHUl!0f}aYm zow6Ts8eQO+Q*02K6HuO=?r{sWqo>&*K2AoCY#W&tTObj*)*T%J;#)H^Z#^xs?*4+4l8rQHhV~+y* zB%x*4d&w!YJ-JO+JdOOKATHg2@!(ea3CUdY^Z9-S^#h3i9|UDB@O@eYTKWV^4m6OfX(D$o5nE+U??nfFu-$Xm#0r; z?S417lja`m+WeX%#;P{5&UoxeshlpXd$XI|15=X=rmDK-0ONyo9p{17a-;*c z8>0NIKMF@jX5t&X_j`2%VZddZscN;MAJ0?f%nt#=9Sa63@$BTl(FAiU8A1*lpj4d@ z0R$<2vI$h{AvwXI=p1x%H?F9sXl6uNS2)6l%pC{Yhv_$@$^Kety<^z#MWXd|s;I58 zN;Vu}uv#b0XHjsqZZ7h2lZ$B+<4_WkR~Xl%+g8TKn{tXg&jPP<;CU?ZhX^~O%l3$& zZ>anLG5{E`IK2+pC}$!elKg;0fd0IQr4GWlbK_MX-|Emqddd;v7sBr*OnDjzSfd{o z>nlr7SUuH3YHa_u70(SHo=9m1vIJxf7VO7>TlzrC*V?I*zC 
z4;YAkc#o_cWa~EoH{!W{0%zvJotV`$z{6=KUKXr>8U%nEw(qN$j+P zyfmP-!>DxX)ZuSim9wsczXttbe~{)|81CR{Z)YW;9u?AIDge$##=1-|VK4zDyX1h^ z_K&tDj6xttD;daKBZ~5rfqew@ick+BaD;C*lYB^A+iHU9wJy|ALlmPsVVn#MO@SkG zBE*|MzGnw|(>%YKf^K>j<4-+$Vk#)WCw(R)0&;f)bigoc_w#82>?XQ4(b)M(!-Px= zaeyr+<*K{N=`Kl`YmbC4@2LRPdB8h$JmjjsT)DF=U+`o~>kdd!gY}X0;N|g=0>rC!0G0xGC0`kk3@B0-KDj(~#@1;jFO^ zP+oKD;#}r$l_K&6f*uS*Yp(*|z%M~2S)_C~Md$yZOuo#)Mm0&P9DjKt~&7 ziaZ7wgp-9m zrOGcz{ntX<|AGyEfCXvWr5f%?CrMVD&AkZ50F5&&2+R^t;IdppcCV-`Xnfo9Xir*7 zXsAVk0m?fFi?cnetZT1bA=h7-1Emw9eVrA6&)9GEWKnz=cBhd83A~DRM25G*+f2AJ z{eTc5beLLjfyep89q9%Lr9g=4u{5mgXzA}!dv7E>G}Z%sFzQBH_?~J&WZkq;9=@S2 zhAZ2fKDaT!^oBvG?TM&HWdU+XG<}@n@CDAB)*@(>23!~yTbyRg7F44QvN ze|{cbj{Vp7x(U!3ay1Wu3pZ{BgRwWFBHW)+5pSE8+#5ot)wp+f?-?b+=zlloeM#Ww z@b2JQtpLf=Uj~B=0}{&+Byq$w*Qj$4xX}gW$2bl`KJ0*I7UG6WnO+rW796*6Z+S2b zn*&Df{mcBH)$TUjSr3Ev|5FhiXGY=Dj9EvUfOENDef@JiCV(@HBoyBlYOE(wq_!~& zX@+53^dM4SRNBguZ?TKGIX>eA*7YMkz{k-Xfh9Iz@iz-(@HbKkQL>z?ANx+Oo|zG^ z(%xmHIvBZ9(=-`|O1oi8E|o7M1$sXB95N`stI3I!u6^hzAQ7|#_}k`Xuu(V~4^BR6 z;f9$?MdQI}LS-Tg_Xl>!^H_BOuN!Q}ctg>tUz0PG{(}3T4^}252QDWhDP5y_zmqj| zy=7D!QL{EWFu1$R;O=h0-JJlzEx5b8yIauU65QS0J-9mog2N^6Ip@3QyKCM4HEZ>B zRqd*$yK8sZ+*oH5x_saM^M#fuHs_krP)|_Ih85LRB4qNUbsOtp>zKlR@k!S^rRt)M zLK;qnKobU~gyrtwE*7x9ktR&LJVrDd%5V7(e^eYO0AM5TH>+99=?` z8m2ijq?s!m2U#2TbTlH*#ire&$TTkS`M$9ittIgDt}T*zpASfIzAnUgvY06D|dUs-eo1|mfx@VlwxzgeFB z{^hhQNAw4jl#BS0uKTF>2fzC0tYJFkssVl_-#{;~A(ADWO)sbI+lR{^)yGRj{pxEj z$$=ZMXYTuVR#f|tHKI#Cs*;&t|Ga+o@OYRz>xRGbQ>=Y9iYs{F3BBE;QIrKdWT6?O z11ba~}U-c5elI>MKVwBjWrClp8BPS4tV>?)+hx#*{XCf~n5YHnj_Z)L+^#lj(JE^DPK zt>G$Sr0S%q#ly+w&d#c8<7^KCx!c$Sv{Y3z01Cp=);28M3`XVv5lJOkN#XCJ(n_MT zqAVa*HW3z9VHQQl@1F8zlBQ1P&d&C(tSTT?kcYXcov5mY8>{Vi6IN?mfKy{~XkC+6 z5qy|;B7~>%&w6LyW*<0sL80PE#P7(-R=VF(^z;o3jf_o9&CD&nTUuG$*xK1UI6663 znZ7+#ySTc!dw6C%!sH&-JXllh&$3_D)&A*;$C-|NxCV_pncZGy1@%8f$ z2n-5#k3t9NpT*#*d`zPQ3C9t=DfRC?V zg$o66>f&Uz8d@MuBI;2|nP3!)K{aB>lk`|Pi{eD@QCVG6 z`|Cf7X<%pjC*uE~_;ZUZ>zi9yd&eh!-~cc%XNR=(JZu~w3@jMX|5Ih3Is!vjO09i) 
z<@xh|-`m$eaQpFh@Kdh4hq3X-&xJbJJ31x1HMqmT!o#VltEeh#oX;;TEw8R^{7y;# z?7x=lwSU^yj==;30}vK|YPPJLKB%;^>YsRZ^$m?p%`L5M?H!$6-5Hr#**UpC{+Zx^ zn*jWN&G+QJv<3u;Y!QO#l-Uq{tHn52RoG|9oaeH75Sl)pG*38{11vh0sP-<|D;-2 zRQ$8F>hmmye?UoT8RjQiKaE+16%qyx4*tIpS6M|$_J5&H|5GjhIikkK{|gIq^Z!t^ zvby#Ops>yVg`88f^NY)?>zhBfclUq)OZz>&;h(nsXV_7Hh>*^Ig!=k(f8@m{Bqk-N zRD_0wM?`}Es%vfmeqI+99rJk`g%13O-T%uCjg)L|9-Vw)adQjsKYaf$wrBrg`{lp* zKKML7J-@uZy?>;prGF}b^b-Xjl7D8fOefS52_yz+)oEezT zR8{B>=vir)snpeIt81K_ngLm1v5%2*lDvvMe9}>Mjt;g?4fzEy0pe*Lmyr;_4cO~I zfE$9Q`Bx29KvDu&dMj}Z$XYMCp*Y5`t1+s(6e6{$DmpGQq^Ghr(Vfl_%iV4edzDg>&Wo! z$Jq1R#2ug=%+|&(z1ZpHnKRA97ZHpV$(iD+E|jCRU&W4%pgw{H;egsKdm);W#u>Dsa$e=>FMUP7$MN#5wfwussgv$6>vf(ks1BfOrO=&U z4gjJgYYv`3mMm!45rY1Q|BRpqe>c&k|3`Oi{gV@BltQa&HP00f!}}gDe``YWv6;{v zRa<<8*ziq8*JJ5-FsBJU^DIS=&gU`qKhSzhF5tiD5Se%m5v|YRa_@O=Lr3<2%=dl- z7hWfwra&^na~zV&!Ry=}*Dfcnx6aO^tmSKht`^8D(&heD`Um1HdFy_=c~CQy8e0f$ zYuvBAE?HlyXMNCEKSGWV11{I^&ZtW+_=Q`2IAR%R*2S^0`w!_B%N<3t?RShYdx^^0 zf-Q^_^Eo^XSgNPp#TXl?bEc_w&0|3s&Rj?sB5{29RKdU7r#{CI?eO_MN3K8nb#sn} zHpej1%u>6j6ITxoY??_2Yt77CEX>+-7L$FAx*je)1NFT%D1FHg(^iQtMk(cSXkv}; zz;!li{}||Swm;+WgkkExF~WQ_LOe70{cZid>+-@noA{(o^0t|j0S+%RoFGc2={RLL zm;j5X6>YzXE~XbmIIo<=vipIKd)YJwU1|kZfNVVoR=QdR=++y$+M==PZm`RNZAKWE z=7Q*{ma%W$JXJnby#ZG zZR$Z8`>@yQp|n@GEglf=`K>5cVfIeIa`z-o%gyo?f@6q-h<;3Xwhoocn z@EHGmN=+|1$0)%-4BlDEPFG~9CE^prZK0om$1KM(*;B%E_#Z@LzxTnT!>WD}BlQC8 zXXGrO>LopWL_M!c)}gWwQNEgQw8S3wo9pkV6xRDzsJ;k(S6>|BKTu|{uU>F15a1xb zYfkD4^ROH|tiLQF*V%wwsaVVDys2*V{uQL$^bz)VZbz@AA0PU7{SfGFx9)gV#{NtJ zl^0!#!wkbnM3+~^oih6IbX%A`4Q(tZXk!ujYuo)Nog` z^2e69k4tBxpK1qB^$q@B^2(2ICpBd=C=a$;pQzZ>*$@$EesuR93zUKGSf{VhAn$2aN7J)0bAB{&t&6ej5 zDi39=T~J-jKDEn<2V54j9eu?$3uCRBSKU+sg}~ye4=;2+<_Smw>(eO@YG`gtpR0O0 zQm6vPr;x-fdaU0o-LD4P&Z@gC3UG2T^qH)d`E>qHPkzVKg`8ZfN7LBec@VD;;$O(n zhPEFPHt~LJM`dY>iUj#{MwlNsll`*8in>53_T_={9BK+9c2s)UmJA+$0W0VOw z1GJng%PpMUT6oI)a8b7gOL z4mX&QzyE<7{=I=uK*g;C`&Ecl7QAp_y7_VBTgdcoHqrZXWw&W(gw`f33s_7<9?YC# 
zfWgVpeeFEgVCJs8$!Y7Pk;uI~cDmXD8AgIcocnCfAENpkD;PntH!!Sx|96~T-r2%Hc^$NzN~yk%pbFm28_>P5^0(JJY`_`dAVHJI z3~=EFO#R2%9n5w!zG0lc{eu8Job&Ku9InIAy||`Ys)Apswiv9 ztI0{qE^RK(EzGAw40F+QvU4+Vj4S!0PIMtAPYZL`F(A2lDU>ei0Dj z;}z~+`+dE-xp8@MdUSrad$7O0bhXuUdw)c5=}dy>9;e7e4u zl}*ZM3V6S`Y_tPE4+W+I9v<)Sp8irHqavYT_MszU{Lb0_SyGr&T6_Tni*~et(KoQt zW{U$m?)Z;8Rpo_>23WT~akYW9hf9u6N=!+(ozZXF8tE9u#7bkLNCk7PA2s?(NeyY3 zKk z@BwBQV5P4!*jJ_*RR;QCWMvIW7FJp$f4`u>(2(@OHef46`q_R`7?4r}s5)WQ#O4=8?e|=T{oHb>~NZ{r0=w;A9F5SXY zCy@Jfb6RxXX^LIF8{NCzKnLdDW3z19*f%W5H&pV4Phy&_?Fuz+`0M>~HQyfrw+Ej2 zj5Pw08{-|xYCCv@skkf5TCPKJy_ST|$!K=pHf_r04i2JWI6@Q4xyyMkiz2>?kUoR_ zH5-IQ^jm8t1m>+Csh%IF)#EVS*j1Cw_V-*9HW3Cq42aVJD$w*=Bp zMnAjbo_%--w2t)?k=ZW7W(4Bq+hKcd)A8@HprYgb%!>GV%`Z_l>pe$s@F=*=hM7Oa zz93m$M%+rs#SP>IH8m&uZJS4;XE&*C{;-^|`4TgD*@(lBJ>JQF`+;s4n&Cb{qNq(X z|2Al!E`4luFLl(#^SsON6q3Udo(ijEu4PJWS<`;iryCYY$SM@GbVHO0U6>jkr zTKb}5^7Ssy*D(WE}Ml`wvs58arDRv!bEr283`KXWIpgMmbsBW zD6*?AcopCtCilH`2rR{3xqE#XB;;+odU@I7xbTji>R;xg;&%9~WO$G5IC>Z&d7|Kv zEk27A3pSF9zll@|_8Vf0bpm10gGe?^ul zk^g+$eB6QMj!5g?RJ4BDa?|W6up9Z2X7g72O%Wbp!w{HP4QYt=7tjnf=P?6A_2GTL zwSt)Rm@(?jUbP;#4An0G&CAQu7{;xWGqc@0O_o+a=d2as;_%VC%5VS9`P<42ug=*- z=a9bUomtqZ{`XO2nWgi5vWE>XdGk^M`Z`J~c)x*pdN9wuaub)XkeGuwL5i5us^S_?l6Znz@@Y8J~G_TAa^*r?phgk|N zOmf`QuhJRLtv?t=KfXr?HAUaT%@a4a0Vdz*b`QE?&mRTMN_^&SO0a9RyR#d%mWiqb z=eJ|Sf9KWiJmS2cHwXq}_!dpHU+~8?zI4mfQ{KRGp1A3MB)|WDO$deF3l&6p*1$5@ zc~jpce19$7!e>Q7{6LS_$*UQSWCOm(xI|ln+Eqn7r!tnZ86w_Wwe=H^U~8gf$5w^j zBWV@~Z7!D-j`8+;1FnDzh_?(lX-uuYriOEB?0}}$R&kW1d9dvg06+=g{<%lZ17M8o z_Da65N2;bGB|^wpD5zti3X2IrSpzEu zqykz2i(+SJA!akzxXD7<``^#^g2x9r3Z#BkDo=&tkrQb@R@Z;C6Msd zWG~}q$EGyTG3UDkFQHU{v;`YHEiPutXESGI&e&YVk0-6#D&b$|mL5mGW)UExbv+!W zD8JZ?LeMQexDZhjyDiytKbYZE9JqMK=;bdTHFkPdy`8^JMBR`48r>l(<-QROhW{+& z)JdP21sjAxqw1QBTA_=B~cRnm}oZ=EwwrX5W3ZDk!u%tyAVH$kZ>CyKA0skhlX~ygJla|+xGr2Yw zp1R^cew(K|URO|vxXik>N&$Tku$-tMe*2lc&|YvzSPK*aW+ekC3Q+@pe*gDA+`7Urbbv0_9Ws5Fuhks(wbRF_Hfr3@k9-i}0btj=a}M-$v^3PDRCq?T2@(YiMW!qN7WF9%rVYu=aG~k-)5AIb 
zD*q`r)+cq3ThBdrf=@%(9Dc*oR&Ibw(1?9|(eQLS4sK@Mp}0A;gy?!OOHggZ4M!%M z#R8YNI|&q3e{-y?TXdZBg}K@>dk)WxMm*&<4b_Zzdf7E;31s4$m$qBDq%olx%*M^}Oz9^mQkjTiU5g zSAmt@RP8vg`l@HjME=5h#O_eL^eD~H!9#WVA>wBNY~uHXpM|;WR2ePBleG^s)H=`0n2a)E^UI6XSEk&mRC_6?%^G1y4 z;>0!=e))>+dzhI;G^vz&(_hrG`(u)U-3$OQcp+|7LzpNHbG#%vnW}IdR5&Db>U~U? z!xNP3zcvIpSu@}0dZ8TCzZ{z|-OPAml8~NkI{r*NYdo^&HK=j)m+gP^?ITGyl-g(s zicDdJKS&@IWxz4m2EcP^S*&?{MY_WW?%??5k0zVnpsQ@ zBy9`@Lnu3YR!lC0Jh@I(?xyJ9ef%(X9;n-mm`(d&nzN0af z1G6Q~O}8TuE-3t(=I@y8hBcI4L;hSUSeh|}@|@-^Xg8*n)$z1Bu`sIWHYj)1VXq(i zJQ3Gyy*5_Ad87P3d9KyN0VD67&dkwXKdnmXeol$!pF?LH73i4i8?>C=6N|%PsK-RV zKiZO@_U`a~!PkCLlz0{vzceAs59@EvEhjx9mWlIOGgX?uQMVoMOza8f;RdN+Yw zO~Z>Q+5E1hx_o!)H`eYNe68!bNF+1+o&D0iPlhaK7$GqO>E*)}4_m<1WD9$_ly(y> zQNN`{YkWbSr!IZM%*>nh+k;IFgziy{KDbZkzS3_u1w1`0C)|0qt*iA{_;?A)=H-MO zMkn~uNW8kqv!`xm6ggI+NRE+YNk&(^{-Q2-XQlB-PWix?vK zPMFF~)6pKouCh|f%BB%o9%7PPE})zl4Ndt%ZiQ>ekfB1R&oRR}j?4)0-G}1{O3PbZ zFBd~;=;5f-x3p8zmz2h?k#uVRCPJj6L$kuGeNC37SR7khYJ-IweCSdXB~~(uY)W5CYkdRNgRFSLE1cQ(pYbhlKfFU&S zv{goC7Ri(x*be$b;n(Sof^iWxOQ$HH`358J2tE>Z??DrXf71|`S1F!%6#h1V+Ssxb z9HjIZ&}XN8$r&L;6bmIPBS!L+K!$r{#5LDCOUJb|21e@6yZuuHR<*js6cz`b_C6UO zc|h=30*UbG8+|5%#CYv^d8u@{v-bb|kQsgX(goJ-uh=7r;#KC791NL`I}E>{UahjAW<-r>uLpVxdq^8!b$AzFurva;N++PH7IZ(7&zcR@u<(>3Y}db0~k0M zG&nc{BK3qgI68(4EF?4x@Lv=P0u{{!(&1l>0|$=`jDQfx3=Z!p>e#g_dPGLIsX`F?R5&1vn%c-wIKpBv^jgyMhawF#ptk!VK6D! 
zD5FDyqVv1M0gOHk@#GN{M-e+AE`pmsyF8SW?c~~`_@t%`jAy^jf=6lgnDLB8d>`N> z9UlYtjqYEg2`@d-j~iBX=_=L(Lo)A0Z~8NwJ|&tpMpX}3V6lsUBm`X~#Fvb7z25P& z!uzvZk9!%NJBuM?V`tn9TqBqXr_?nk4i=EIrbOCRNKL+@tRA!PIr64TU84xu4W%qc z*RH6tUN36n)e7Uc^|fo~h&ZakN<#b*RK(F1z_xq|fUD@YG9Gm{`;i$Fe{Ej6Z8ARM zV69OPNAsEpG`Yyziv4M>v>=y}&TV5RfQ>i5Ek|oF!adFtT7rIHz`f>x3ca_HMqdxh z&@NnWI=5nch+6~lNI0MPI)%Z=nM2)CmF~W8qgyW7j$*bwp^~euuBN62;>x>$2yTU* z53Rln1_2-tg&97BjEas7EX-QQ79t>!iG`||6bB~@D+@IZfWhA0Nf;z7BBCbB%BiGb zW@rrpG3axMN^9CVS^-!&7(_(GM5I9=Q)nOrEsd~{h_i&K1-gT?lbZ_^7+7BVzgSh_ zzj$XJem+3~DH#E+z#6fq3ObRTLHEzA_jy@PgRs#l&S903cXIIC?mMx+;i_3#2M7sURlK z3j%!hNpdi=MB2e%fuaqb2#2Z80xR%{CC7^X9AjN7riI;TP{W(lY z8r62f?gqcd#A9{3C@D-H!4Y}Yf!>9})(ZD`vj_Eb9MwhYO8%g!;=?xlpj~zDGwy+? zrg!okQxPIHt`8U!jcxz-3w2msc?dw1mcL`I45AN|bZ^yoiGQ9(DEsa3!(o-iLV2A< ze%x38CeScFke}~q1yq^&G+kAD#79sfPe{WX3?m%^Yi0B-szF6L&ug?q0xn49iAhAu z`tH8-brDM$Mm}I~v)WR|?tXo}px29mV9xvj=@p!&_6pDxt%d;UEO<7AKO!b>%VViu zkLcMLj+|ANQ%oin@sg{bQram#^_9z~dU)E|2&nXaz)WS-lyxFp15=3*sqoC{m!hKrJqR20~3*t)Zif004~hM z0-{qtq@E)lcjk;@9vTl*xxW#!l2|?&%Vii_!|s|Kg?>LjU+EF9)KtIDOk)SfsxZ@z zWI6|gw*#>n|xVza7!t-8jQI zt~ErYFklf!W;Ic&lw>>7H3}*6-N)%C6_!Wb;5Jg4q_S&n542J?>$s~L+>FA2GO7KI z?jG22^G}!Ka(hxK3lhqc-wX*j4Eu+BuCaTclZZ4lH{>>t(o+f~V_42-1vV1@{_Z8( zn@3eO;Tdz}8mjD=fFYRD6#v1iC{4KHK^b(Bt0H?9IgbWC10AMcuOVLGIdX6{RC*X- z57s~mC>Up8@t1Wn0SEYZcmhoTfxQUMYVE(JWJt4|iNd)%n>j`6C?YFID8>Fr<+Q*m zlJ2os!aWdg;sDFKJYGiXhBi~r?>WH5PtdgGYvaYZbx&Ewu8t#O^Er0qSt|eb_AEej zv%|E6LFNlu(Nb3mS3@{g1FYjUF56VujANpr`EXbd^Q@Di*{Jbxjjb1G^ETh+fjRq9 zKZ=5xXgf~k3i$(V!2)lTiH@9K^%fU#F0f(XMZU4J{IdMK^=~NUN&4}G5kv?^(p5sm ziW;NASOcgRjj}mrATZKlXsD$U@j^@y>J{X^kti?Vqnzlka#^XZh!UWCnu+292ta zvS|xei=O+^-dNCX{2(m9s%{T%gEKs5J;vk5mBO@TY8eyBTkf&KQZwDC zL$cWmr7L_Y%}kx;NGO>p-0m=ZDRT zrHk+D2WnS7j==Ya9N}#VswGlC1+0Y!IaPBQi;d9}RlI;eAlS1h!lDe`di3SMIgvMA zQ+_KIOose46ag`uuVe--^H^(gDs)mgDT1gzl8Vkq%!$Cvyq-?@!poO_8X1Zl6)OsK zrw{f=0*5t>nYcg`!B^amoDuZUU0`HNppf;{y~R%VR7P<;pXPOXmx8!u^P&v?YQU1y z&ksxBx6H5{!H!mE^yi6kU$%Yrw;3Te{Brx7$DdEg120lWL$Bfh*R|{Vr)N&R86$29 
z9~5_toSdj=v{M1+nzB8XkZ~4w&0PKP#@4|h4;?6}KcXZZe?AKebg<}~jq8=z{RAHC z;K8Sjl%Zi|4c8zeeH8g*CJJ_ZCNi&-^$s zacZpi0o0m$V)zLWznA&+TomI;id5f2mWaRYmTXT!R-85<-7~aBc9xP}0@6Um&0~qI zcWFO$Ln z<8TM_231i;?9e~a`CD*v{|Z8<$XQ%Kqo{+GTRf#<50~kEZ!P3J(NR9b!;G*9BWz9Z zH>A+Ar8Ec-9I)rrPQ9P%@*ws-GXfnR(Qx*KrF2KEOw@b z_MdaA0f3&h>MHKyWZ-5@uK^NDL4&0u&6&r_+j}nYaXo zC_F_H5^7Pjo&YMw5s@NE%uh(hf}6(!=FFu2D)5>fo_wgok{4DGP>2ZX)a%dZbhdUV zvX3uu1jSg+!zALn@5l)l1HFtny!vaiD3gpkMxQh~grY2%LQQti1FtFYI?Gt_UGeGQ zqvhKxrSU9*gA$uy4Ph33m$jDJ1S{-QnS3rCUxvWQD+(bH_{ciZ5EQ3WXU4MJd{iE2 zw4!ScgNMerb06f=C)l74v{8Zzg>y8>_HtR9E%@c#VisF;T$J4r-EoJ$J@$Lq$jf&&QD)x0*SC@m z_T*%Yyh{lryzLes08t2ICv`DOaGLXYoFjaSUCb=i2XP>kWgu}GR#;~5XaVFLT3}@2 z<`ET>SMM8b>8@(5D4e>z-?R2ZCA+SMa(a;`@)5}G=ua5RgPmnI%4&7j!k=7Kl)t3g z46&4sPyuU){l0eJ!fy{rCX_5H8;?Pm)6igqz%^5Gli)MH+R)3RBXX;%Il-B>!&$mA zj`jtF&^spPA9okXn&Fk&N6GdTDq9cZ9w*L{LuD+5a3I~;=UJj)^%mj6SaT7{xk*tq zcGR-hBM|V&l&>f#j%DlI+A&&O2F4Y;W4Mn5!+;M*KYw(^pIIvvJrq85{c(2~TFHg% zg|t9Yta5r+l3e5&PG+#po%TCOBB`y20@aS z^nIkOuD-ZZ0g4j1B)dT1w!JM9+$+Ll`EA+L%t){d@GOt`LGemO*x>;ZE^(I$~E<6R4baeNJ@P*n;dy{__>5c<~)FuDTz!GH~hW~6U9?c=mGnMT@R zUlUf&nJ~>M+04Ua8e$O{5!MN%8YN*yJ8t<(#)9b{lizPR3H4_K537i+ztCBA3cq-e z_@aLopfGW=0+^VZ+MAzzC|R6*Fr!@0)P`T1oqU)&imQC?+?-57hK!Cjf~s^3i~s=& z7hC=>#=LLNG&%(X~b?$1f~*#vvC^)VQZz25XMmidI0+STAjW43oxqXKoIC z=p%CIL?oScBu`g4^|cutOp_^O35&JS_lM2H7q`WY_lsW|2dkIM zRuy^|a-F%Sb5pZ)V4>wCZ*fjxEwj_ydZn0e5yrvKGj`mJrLb>7#sR!D$T%OfUESEX zGwu4=M>8!SSnD&5Kd`1}>IAX+XKJ=En`bKhFe_%th%tZ6{Ora^nkm%B2or+W57M}6 zeDA6$gL==D1JstGfM;ccR@A_QFoj2c1F3n=3!ZZlgGeNYlt(4(CQPzOcIob1kL2JeSVyz4XL7d4cGPJN1&q1QW zcmI4r?3jR$10Usc&e&okJe+9T3@RZ3TM`R7qQF-?F^MJ2)J+0;+;T0QGi+8M)Ccy6 zVj(hPENv+U_Jf%Z6dd8oH}4PI<=}4p0LrVEU(t&T7+1nKt#|DoZ8k4{h97F_)17`M zV0`FvhxsiUmvqfJC-(%SY%ZH6!Aq)Sw2LY+kD;W)2`$j#Y2O0|>Vc9mxD2)m$)MSb z1(OYLcdtyv47@w>>15CT2~|*dH5GpOC<^m3?+=zQ^Ecta{_eJFdCbBh5HJ+T1neNg zS_3g*a0qCGV~odb6dVu$5zs@1wp-ZP+$w7|R2kFjPp6<{jn1NSt)$%7mc5P%2QipZ zW)dji1=j9{RT2HS9eK|UJM}d6UG&QHs<)_p%ZVI)7?S4wPqf_O1iMY9CT0BzOm$w~ zX*4BVee3B2Ra_MP? 
z)fL6O0GX^sWw4q2rFUitJOM~q6AVow0 z{laD?7^x_+p!VY5?-pIW1G{&$#fp9$c za+;@sP$iysmOf48L<}E>{w3dTn5C>~HtcCg?2;0Dn=%KUaT%CRO__zsu|m@xfvnKfWpInqu-zu#qh!) zl*2D(9pnaqA=Knut4nEXlR?q@ZO14kZH6Wyls$QjCq?&EZ)~2&pU-`Vt-IQJpVA;S zA3w1JTfJ2x@+ecOI})G{<^zGey6q&>WvfxGBBJjb*86oZ^4H&m1k!}@gx|4q-T0}n)}B_L!LpT(E}&TbFWKoQ=| zvTzaW)q1c6%v;xTS8X6VIiGft!L?Y|LEf?xbO&(37YB8$GEdO+Cj28vQx^Uf3VG1dk$D-wNkbeA{NNU5^j z>302&g>gKU5J3}`c(gWz%%%@FmHbVy~4O~cBJM&@D+rm#1%ueXq>svz67<>g;E z3Iq;trI@5D{2}OEF;1ZpW;P(oN0hz_?dgj>T zSKi^X${7i|zzWN+p0aK&xu*t)@Il??pVL#Jm?+}+&Wbi=nOpQ)Hi__@yellxT*6>r zxjeoonU><8=$M)KDETEB+Nf>zxSzM~gHr_)n$eTZ7S;v&_P}Qm#oT=3 zT|0+tIDSzo{RRJEEJ(y z&O;*8w7gQcc4EV5FlJLDQj5Re=cJJKeDQ)3Ch^MxoaC)@!PNE*hm{H9pXTn#qd`gn zg>TpSG5vAilTUoPydOn(s;)}8d+?HVmD$O5I7iQ1@XbM}TYrr4vJ{Ak5vbHAcAu7i z;91+|DrVy~^KDnJaz$qaZI>=E;*Hn@2VL;-taqE+Sg#fcUVp_tclaW=p zJ>|HvR?dNQ6z5yPlt)!Ek_*+ezvb)n!#R?7GYpN~< zSNA!33vM_lqeY)AnEafzqXieNU11lb`d`(@z#(s8gZ%PWJ_b_6NuiC3_WP>nNdr*u zFHgJA?#JqT`z;>Xv+{utMpoZzd}t;oTG??etXzM8tF@i3^h;%g@*J0q0mDWE{0b<* zZJjk!p63v5wA^W*3WGf|IYmMB%Ycs>GI18&VMU=I>G_@+yNFp&&vi4crs5^~Vzl|W z@$E{I4U$yzhuCub+BZa&@-Vpfz14}Dfjh8G<;RSj!%KrA@n1eTF~l%?+Lc+7UNOD+0}LzWWAmn zWx+7rME;C>I==kz;Lz23FOmb5Dr&-Sw?i{}Fsn$V54p)ops{N*X*m?TCT_8x&29?< zcQlP<(2je=RAW`5KL(L9hlyvP%kMtozxDguUOK)EOV`u}%w%1$bEl(e;do0>N>jQ! zD^nyeYsbR5Pih`ZutOt7Rlm1@0pqFN^ zyO_c0&gOaXi(`XbW;i}?JY-Jp8ko+9I&1T~QGh8a*z*4@$62ql!}WmetiP+&K0MR+ zsgkFP0gO|+2VEZ@1ZTCP$ya;5Qr)_}LC)1u?m`ReQ6Kf=IwY@n8|58>>3XwOZm;*y z<9GwG?PEO^3weUpMQc@7s0-F=;~YMiO~;+RN@am&%? 
zW4wwffuB*Rrn8v#5iCwYoZ#KQrTbNuvZK|9I6<1L%3^{S+8F20yEn^UH8!iZQJ#YF z(7)-OO%)m?0!Sw$BM0i}wtKVByMp&TPoWn)kzIb+y=FIA8%i^Knr-alX?2Z*#kP#- zg}-JMz4g$vnn&fUE^2HSIgsh4JW}HUnG2wcIPe?MaH+Tf7b)q1{2hrL*tXsiS!*4( za{R-pf(Ao@k>pz@nyxvF0&3K!51c#xu7kT5A;e_!xvIZG5}HuDZ64TD%Rgq?M2#sM z@tjY;LcAxouZS3PTQt6ftxT;>ig171fiGO)Opj!kqZ}f3zd&bL$N_6GYSe!m7-fYQ zXQ)B9n*5ei_KRl(%tbN#*vpsaY_?|%^@O=1a7+q&L%yUUymDJ>oitovkm^w0ftGB6 znD>n?vUzu!VC-=UYxWqd4Ob9#&H{su%y1?TD}p||HT4Ky9ydvX@1$T8)^|XwKf%UK z=#afMG50Z`+UOBB2+%zBcY=ZA3E43sKko|mV%Xvm(}AmgmpAI5%Ee-IZg98%Pl9b6 zmrrv9Jc3%QjaMzz^_S-Rj1eP?yT#M;VMH@qy=Fl_IWOnoNCx6uYVB#Q=#~}l@n1Hr zh2;xceXZSlVf0S=iBkupth5izCJAZ5cz;-Vp(w*9JIc}SVhzq-y=1iu znf?_Om!tEoEK{o+tB1$^LmY0jvvd4IXs40A{M&kd{@XAZt^=rGN(mUuB~S6XG3LZJ ztGu7n7DAC4i8*=0zZ)K&$x+g~!u)>oRfWR%`7~{tk@M%PuHF5qMk`?SRxG(Sb(QqI zEgj`^d6yw+^9|!~r=748=`U~hEYh&=rz6TI;G-Kkl@tJMd05b#)|mOt9DySGy^ON% zAPW?bT}VwMq!?U=eEv$)s*1gQojaa_W_Gn^R!=?g{@XO&o*@Tv>fSaZu0-hitvg-` zZF?%AGRL`6F~JXcr%UgF zvt^Vc&J=fB1u=Ny^=tN>w>hjekW@V9a~}&=stQ3#yM$`i-8bhgi^7iCpZ8|Ye^X>h z-u2l6nR}rXVI@vnN2lvxoK&L7j%43h*ZwFIqf()Lb~2aA<_YH=N6l*GIz3s+Lz#E; zjHD>YaLm#>rcRt9oMXhinnYB8{+lisgY}(TZB(UC z0q5lQ38Z;@Zu~YS+MXz`$RBTAc{i&ho}=Ub@}6xN0!=WJ&CQTx1>hb`=(CH2?Q^^^Wew?i2Wbml_rCD!$SdJSKM?uS2>Iai z2h+q28;`yXzQapm)6)a$U@7VRE0CN5Bm*feAj!Z8r5kNbq{}yHgoyBe9@8!Gm0JBm-TC3U$ z=Hs^G$*k9-@XPSrBXpl1ceUc z+SjVXg#TP)J}kaLX^A&9!dsv&e%Mht{80XS!+Fdfk(I@i*b+6 zuu@y#dU+@Tj*AF-bSqw zl*$7fj+L@kLdaJ+o9hOg5={RT(#GgyQu;Ijf)$9j5NruJpLt3JCx^`t|QrNHiXid;Gyo&tdXP4RIoeW!w=>7oZ$V zUlyV8{960VHX}9NCWPyW5xJL|GtQyWOJB*mr`i-tL4G`|WUmkb`-r)01JU>x0TEMUNo|n&xI=C-vV#?9#TwP26+Z2fdoM?VUW5 z+f)1)x!&)LF#PGwu&e>v`+lR(HMMRbnlEYbRU1@PF^fw?bHS)VA6tE4&d}Gm)6UAq znzcyKe@i^jIitM*d(wxBf?59EFz}^dKTPg z;JUc2zkc_nVl>tqC#f(gl)h33LjP5yNpKXqXEkJ$Hlzm^l%SFW=)5 z?C*MPgzE{B5<376o3QY$9*a8GwNQ}&Dd4lS2;WFQTw#$ZJZFhTD9g-7WE+`I8A+&% zP)i@<6q8;p*fVo6GkAS`c5S=<+_zE_B+7tREeJGE{VtXW2vk<$CD#RsZ+$C({x7pw zHdB(t3B)u;RFHiV=>&@-?X(s!k}@+FRMX1bWNqsVs9PNrqyHc3&Z$Y1C0e&_+qP}nwr$(CZLPL#+pBG?wr#un 
z^uBTb!g)AZ^Q|H(A|vW0bB;N_*m)VjOo;e&(Ce?#i6_l`K^KVeFFZ4EU%*;92-H00 z%`NX(T(BbwJ!oRMH9%Befh)!tMw-u8hywu`VNl8+96XTk;r7IaAgX_6QK7VrSxmeftx> zW{wc2b*|u$doPXx*N$HQ7?vN&oqSP@lIfuE0HA0Y0(fxI1BeUj1MAUOeGhl&1{`S*A0BJEnp$!d9EZxj3Jxm?k++6L9Z6RRH%|QqPu-O2VAgz`e*h)D1 z1d4J4A67qn4mgAU(Eo(9#0iTGZ=X%7c&9Lx4ifWT%cMdJy${Jj&=r_btdTUjX%|Y` zM$eNvy*`_SS!AFs73)mtnzkm{I7ldbU3IMMp^B-O#pZ-0{Hp?p>0X3-In)4cZxRKY zqrr=x;D-kqsOtd+M2@oNN<e`7zzaow>Kzr%9G zr5uU0Z!?0c#OTHTRO6E#UGOBx+UWoGnAUp4-zsO00RPL_fP|n)9&o8|py*$L*&+o? zd*qduJf3}%zsoIKOZ8MgcG1NXtek0xP7UJM>Apg?XNh90N(kets8IIkr)(;SHB^kw zm8M6|J!xHqet_z zu}J75NolzoCo(qfY85&7=;0ZcY0alWzUA1_+bX|zi(V5kZdOg;+srj%j3Kpi6vT*? zZosT)B5TpkW~qkNG8<5^l4t)b{FKMZD=Bqw{GVMhbyIwp)b6y4uRNffqf#o^&C?eSLy+skG z@q%q_)q?WLiuD{Pw#2G9g6a-~*e`(@{Gcjel6+*Wq@VRfP6-Q`yXUUe_XwSWM?^=S zaA;$CZd{KQh(r1KoWTpdj^l*@Kn8~eFiBid<5fE#+Q>O+eSQ4E!K-nE^5QMmvXOJr zLYb_=TM(A&{FztLCgGxEgK02_N`^mCZ(c~d#?DRr6Cgj*Z&*mMsbwkcj)R7Uv=7yp z+|Iz8aa0Wfq4dwL)=vw+D&)HYdF3&b0k&ba^RwI=8Vw~C;XK#3SaZf{fkl8(A zXkG%gWd)aK$se2ArB?bK{}4jVcHbPIqIRzRIgy%Svp-*g%%fcKsb{QfET&>4<{xE9 zDPiq5D|BJ+misK72->ZmOJGL*S9T|r0V4Rae(4XVFpW0^bTY0zx zl9qeWGB1N2VKvZ>Pb229Xqp3Zt_P^g8uRY#68=Fa2;HQGYo4UEuyMw$hG2^1Qf2WFCVj7Xy6XhOi82=Z7c zD5#_<7O(|^ak>rinkm!xW@Gv#Qimzo_?lDtCQ{Q8N#>ea`WjQ?G)eNBDf=2(<76U6 zcz|jwNS#O2c@}&rP3a6sl=%H}u)G%Ocfyj@XmcLn^-SK^T^_t06oYX`jpM#bvY{j` zxw}q$VRzWEm&{vhqXs>=7xyT>yB=(APzxdgS2^%tJrAE!=@4I6PO?{KC9Sr%GC1E7 z!SaQZen<33EBq+Xi$8;nvwx!y?=I+((p1m#KdgHA@U#(fJ6=+Fq6z$?KzERPjl#Ee zmLr|hh665vz3Pf78$Q(hMfF9EC=8|G$_IIz%r?&XAd0hmGuc8?Ah6pdQ3c_i=-+$~i z`c_umySTi`Lx=(c?TOW0Lj5=s&J~K*zJ`Lw3%hb~`r%mSTq{+fGe1d793hbY{pkrm z0r&9t@DVF;l3_}p09Awm9)qzusdmv}|CU!^f^Qj+J#qU{j(*;4h7uu?@G=$9GbkOP zbx4@R@Y5v7%@;xkZpZcIBu$ASx4+Z{B-0{g`Wkn6V6zifAkSa5-m_`A#&9 z_3!5Iz&G101zGVS>>s1SQ@y8NpNb~#GCOa`N5FDZKZxVCnWdFFMuvX&(t1>>7dZM@ zS(Tjw>~?<;U1vHiC1&Ipueiu-)+-)Oe$T#hZIrM;J{o-|m}o)A?d$|Y2N$8y5@X}n z5FelGOn3L^Sa0ti*!%mH9&79E27CKNm5~tx1qO!SsRY283UhNcUuxjcf${P8a9`gW)c5zs3r)?qadGhv=-XSt%bJ=d^Q9&Iufjsn 
z^SV0XzU*w}m*V2XG^gKtl>UC#!M3(NoUbq5+T>&zD>5=0EjBhkL4N)xpqH0m`Kc)j z9TpbF$C8qHmZPILh`YP}WJkv;=YRim<#|nX)Y< zm9ZovQ-7+V5h^u1+hsjBH$ruDBY#v`d4=}z5jG+$oV6+|Yo^M~jF=J{8Z|2_dWP`! z1_A~I^gD^_pMR^M;32}pL)w{_Cw)*}UihG>sQX=16wogq02&n^&tH?2MA)5^;~>Go zaR>7BWW3Ye?LN@jTIagHE@VtdNWg%AaD?^q^9A?t&}X}_5GXS}je!CKL&l1XJVbwa z*}JE&&svzC9x){%LdS`Yo~%ARta@Ko_8H{o=Oxa|J63IC(s`n*%S4Tdd7SF(+@Eh? zfSC~(m^&{oU*x~JDPl%Mq~b?K#a)$<0393=5i=ns_LuVd+Iq3Qoq`7irOb1CyL(?x z4-FR@y2fo|V}pBl*F=qp$wiKf3k44fDrrMf5(WwkOu~kQr2SAwCr@{9u*Yt3QTV31 zdbrfch_gH~k+C>6b&>t>@IKnpbD8PnBwBcE%ubV?eZ9@r7BD6@w!vh1IeS4)PI9-R z;$O3kP4&B)+5`CG<1Fd<`NS^}@fhdjC4N?0i+}+EVZYqjc^l#3A!ScWs^dgQ$3cRF zqkdOf>ioC4IbCsdbdvb=w7_R;>onWNg^v&)KW$4|+HkX{2R1A^8a^~CYB#~b!AFRX z&vCe=WvbH5Ea9Jo1Q;kV@C)GcGY%3Q++dNRp_M)>Ywer5y5(F)2YO;ySf<9n02etf zE_p|8?i$D5-UagOD|J&w1`#tN;zF0DWrf4q8hB(}9CKMp3T^A3KRiTuc&JI?;o}5n zXW^1FGnGH8stO(y6eV6eJHYWVF`BOh1&{%ekyz-ku%_#MeXESezYL;~&|JHPMbMC- zAZ2}Krj|P`Egm8~y!T{%efg(~itS2Q7Y!F0nz4_&_r10K2m_!w_4jI(+eFZ~@4Ke> zZOu|)U3Rfkf7@3w85{r06idm`o#Q`7RFJ>KLl|kGS>Q+k`xoSmu8_erSlD)2`AXa? zO_T@pA_r&})g(ml~p4tyhJ5VhSQ*`;LVy1T$&j>s7k`7qw&rL3ur&_-5OQ)Uss0&hh+4<5ezqiVV(Kz0UPjTx}u zY-Lbb>Guk!IMwfi#H&xJQ}Z+C{muNUf+r{!c|7-V-MH1{@HU`q4t4ErO3RDcqnU&? 
z+hR->cAMY9N$cW5B-)90cYgTc9%cb83=s*G97X^{3d@o1ND*~uRn?Uw!ShuT3za=U zNj?E=TmjE8mLu$)NbdeB68mHmZf%BzCI}5z{sRR>D$;+OOVl9m;6QF-?sAAMYb8n| zko@uRihm72UuPU`AF6jpocvtjGIO;xvo-pq^DLPR4J`p=1(l__0PO4m0Gwe3z$oB= z-~)b5kqiioZ0x@>Kudvah??4PK!k!Rz#iaB7{DvoYiJ=5U|?ZD5dZ*!c4KQ-7khhS z1vya_Wnn=MeF7dqA!R-&04M+gS352O0w`ZmSp^kMc`*WS9#Uuin;!z+o1X-}o1Zy> zD1n)D_1QoW+vv}c|U6xAwe@2Pkk$O zK}i)e695g%o1gYu4~>inCje&vC5?cap8$V|gwwHdS7%o_5o3EsP8(MyBReBICIw{` zKm>m>!h`({Q88<=&%c6FsPO=04DTwzPKY6RL`xsVai^1Eeasp6-@3~F!aoK+@SW)V zOYL-U`o6vxBllm+zLxgvzhcmzS|RO6a#39eF~4}~g>?K9xX%HMyWjQ##*c!+u8qh9 zz~=d<)bxrOG)Y5Gf&oSJ-J^^j9wB%<%Q8ip6EY549|GJ9etSrU$`S<^IC0C6OuH_k zhOnI20emIJfFH2|STs#--5!>%0Wpf;K<9`tDFxMikop;pNH(lN9C+FhQ?evqXL?N~ z%J8yc0fzRFdj#pnw&5r!{qgB@^Amq_fn2%C3I3WN(`xx81}z~xjtPJ_S%4b0D(kzs z945Gum2Gx+SQXsDZas!ovXpWIOT4YDc*!-sbwBI%XL}B9P%5%9M9go%k(c?=d7AlX z^jOUyR)xIN2qx7g+94eUu}VV}Mj8rZU7s^+XJD%JXa!nPY{;RHKHnm7wXF-NU^GMG zZuX+)2P{e|qJgUWxX%%HJd^RnuCC?;DLFp(`Xx7jEe?P69wG+JsQel~`~2PKkAZ&Z zT|^L;qzAZyO@4zddM1@lMDxD(2*Osl+gK^>pk z2KBJhy-P;7?>kwvVFi1e2fTb!D%?F%@60*Adjf3k%QfW}tA!pYImx~i;q(ri?NiwF zWWxS37%q0=ekz-b{D<6(s-Sx9Psuw6yrXC1S*f)nWuc!}VK?EnWEi9t$9Uvm2&BJy zoXwDduf{0N%g2XAa-2<1u!-}e5P~7P-uHS=#|nFCEbhS9v<9ca#OX8tOvC}3e~T0oR2S_S0c)HU82qo9AV^BS%+2pb&*x;p0Urlm5mKT z7VN=w@$Z;P^^M=>R`EBMJq$+bfNKKYmt0{D4R`6iK6$c8Co_`AUzki$1b=Rqr2e3t z4D9P%dgSIJBT!$f%a-UW(olV_$Ow&&v_;3P#Jt7_r%>Sm${9XZfE^J*@QRebNaD_? 
z!}^;u9DQ|_eusSzyyCgg`;|ND;`F}1GejMIRDCRL+m+Tked~s{p2|mc?#6uLsTb4p zOX0o-Gw!>WxH5bfgW%#cJ_-=1O>T9|CLfuIRvd+ z;Edp)1X{)J$APDrG$l*+aiP~%rHrU55@Ku(yFrkC?iq@K)|;BYvb^xO5YAB;pW$!( zGO1NuW7HDD;}`>YmI0_?tF(HY&1QltURvkygjL5a9x!BFB1ESf-tgK~K~kXI08OjAB-4rybK(5GyxAWu&1r((^yDasj4Z zjZvl*!-gDx>-8xW*Vs6P3PLj^8sIEzdd8-pBJQuePI{Yg$1@#G8R%+Ek(T3gYhH5) zSm*H57$RoCh{0io3JrfN3SVH zzY^`Ia1a4tRoq!)cMRLS6(N1!>Q?oLqr)=>&yPo0v|sh9-5p-888z-9sZY)_|1|+N z&&`(dyY*Z*l$^xyvQSnZ?)o|GpLD{JDp)Qyq7iD_)7m2vxKLk^(qx9vxk zZf#&pQ*Le6?af(yLk=P9i1(Yu0WztF(Z*mj-{8Br5m16by6(>wZs!_%8Eo$Fq2R## zYbGT5xS!zAv+QrDL_>NOifIs*{>%NB>Ag>&TnAgI>#;I$Xv{7rIkiJ|G&@-p7eqL<-tEl^|N^FLP@W8(vQ z-#5NLBr`e5Qy;%EFM@1)6{&2rGr=Pr|L%Br$qCdp>$0S}3N=(-YnZ^DEKK1J=lomh zn5^_of3VSi6GTR(=~B{lC^XTAZQy03&4NZUZf41e^%PY+mn7!JS6<<66GFg^>4(G` zae0-bF`t0pZ;L?6sywle+-z9@9dd4y4`Dm{F1};_VFwzxWV0V zLP4I#CLC8QK?`m}QAXwMl~l*R?$RiiXGg}5TleZ-e;MD>08Nn(v`R3#Vg_F+kP?jS zWBmG@*}EIWtzocjxO!DvpsS^>C4lS|-}1s7~f`N&;q56ObKHiX7d*=Q)b^YXr= zj=6I83cCxyttY&6O{0512WtlLd>xaiiD{ZW-}S>|*4m7FTps>TjgPsQ&>qrc>OkcW z(H-asc=^1CF^nnmGwX;0ujSoSZ1v~c>HEqOs43;UdoM5%&?dI|!%A%$IY;1NinAr~ zfnMJquh8ly(s+Mu%Q$oXDtHg!A`TjrJrJs``gM$A=>Q8b zjpcPkG)oC{J|hm1&Zw+Cnq@$X zoP6$43Mdm3!P0GD)oP_2FhQ?ZDGbWUr@?nbDQ^(KJ;%A~T?(cQ5IuuUr0%|kMHv`or ze;FU?1;KgqhH?9^a}YU0vaTS?2@u*wXk<5oAw?itM4|&@R9_QB`fx}7E`U`pd3Q7o zbm!>v2Fn#c{G%BzdmCN}`@s1a^HhIuIK2J%}p2rJuXBnxGEexjh-9Eg8y+ zze2Uff-J%-XlBQaP_d~w63f@n^5lH6GO?Is&Saa3uUuyo`A&IYcqPUYfTOS!U3Vk? 
z4n&!(ZP{1Mu_=}g+YWo5XixJPtbUzhLI0HYlRQ?@JBPT*(fi7eoRf1FVRoEEhC|PA zg74O3bzktGB_5r05@JNKirVH&3=G~v*RXwO14HfwrHLG?tkEK{kM6v2 zrArmvTD|S0ZQR{}{Iq!JhM$`=w<)`RlX{Le9RZgr_(OXsYHmjg4Eg0p?kZxZ>Iq_Y zK)=PXm_t;Y7b|oC*o688L0lL)@*5O->6VeVbAH zOcm{3Zk&53|48<6#m;Jo9kzHMDQ9c0&d{1PeMonPV*Dm?d>|Geyf*7cejH3`PxNOK zYTMfL$a#(97}wVw_z^tSaxdlrBSYt6mIB60g0eA^fiTH$}mlhGKL$YalxtQxBTzc~omS5D!SvueN-{-4{}TX@{@ohJ6g$PAix z=LX0ee3n{YhS-uqfLVuF@1^1f$`aQb{zJRhf5l{6*T+?8|D7jG09(M3v?Fv~!)~rx zJDRtr)W<(R)KCn~anIi2nq#9A(@S9XBEXn}uyuL>$>@=mVTCoZNlUi}r&!JERtOsh!hKfOq;5?WN=#u7Vo~DbkSyj30!ZGg9zKZa_B2(Fx zdK5N2@lb>j zp(7$%iwgPdZT~u;HO)DgM2jc(7{8--X(nc|cskU|Hm>3_BPq5{es&|h690_qE5mmI zSj>rSWg6q|WbAOB8}9uVv%^%;>f_FFc=U~ApH$?ciP&q4_m*K=s)@5;(sgLmRu+pCES~*GD-80XOfv1x9)v8%h}GlpG9(@+EImwfqsh<&lO&i)8UcN<+pFLm_2E*JuDbPQ^IB@?SLK4&1e zeE=@XdcB%+f%bC3tKw#0CYiNfnqqO3jP!T}iGcd>&P>-xq&wV6QIWf>RQlBTO zx5t%a>~D2PTH*`AFAIao{{V-N-OhDMU+<|0tOUbdqnA@hM zIe=3x=XNQD5~w{G;iT0RZ4&F62J6p~e3kQ~S!OM&;;>1qXMpw@7qt5T4DxCpUMiYV zNFL)$`yi6!)t2N%YJFI9Twk?;J+|unKwDq2m!1j9JdXP58M(ED9*Pbs+S;=2$+M&A z-`he_GhhpIO*dht-fV%e#CbwUDH8ob<}U4p26CA)kAjc`qMXOs42U)w9cCG{AS_&m zA4eiMCJ~tWnZf|hWCZg!wal4V;9^l#v#6|2?m#4WCU#(QHgX1Zu(SL80saB}2K@T| z0{Z&=1pfT^0Qq0AT2>PeW%+%c1Y&YUljwaQg%EX@C18!$X53V>1EqYPUPq{%Upm zgJIsR7Qz=pLx7TJcKZ{McG6%;zSa%H^m2)~hq&jmzZ-S%-yFSP=!Y4NCGbS&a+gex z*t)tpq$4pI{hXyAA>RBd%sF7>Lr2_^(S5jx;UV;^=+ET+P5r*P%_eX9c}18RUqn0l zAB)(U2wq#V<*%IhS;&+i74p4tDYq&KT~~Nys_rCbiwIF<&BwuxzXF-$HzvzD8K9q` zB}ebaxt{R>nUQByg$vn@JZsP+6&J%c{HOI#fX@5!x5ZA6{AZUmV>&jQ&56f*uoL?} zak*P?BIouq_wRULunZ=aLrI??I~Dx88iX&ZGCJ|9cH6SW=^cA?%vW13E)T@y5Zys` z;=MI`|4Y~*`1Vg7`U`%DL1n}@nD+y}9f0b~AJxtnvQ~ZIwUSn>8+;Ts ztje7q+4X#D2=hTjfHOe^oVndEPKDC%^fCBn7Kk1!UeBMgR!n!KAin1)ddXhlMQd*j z=*Izj7k#;(e*);bt*=YzdAZ177qPxmgPArMe|qbXSrXA9IpE$r{v=6xKLb?Y!#5gv z+%adiPl*u=$ETZyCQnR*?{o4LCdqJwr!5 zYkh1x(}^ZBlf+&4D@Vc9-G=ThZD3MlG}Js|y#&bon7Fb2t2Ff*AL_ICxFv~26ZW0l zK9IvCG&^z!#I?7bmr75gqwdkZI8o;s*_KIq+TE#D#H%A1oz%$syGx0s9C@O37i`N2 
zIXnd4KhKDn@XIjC9f1lbcX0;kzpjd$S8Xr7$_ne=7$dJ%WKm5i&4h51Wfg>lh;1!RZHAU=ndG>&W62(EuFUjQTC@`w67)XcDkDF-J_%vcmn#gZ-FzSaC?Ed zkt6KauAf_3M1e5rO0!OAkBl7KSH=yLSK;vin8NgE<6};2tlhx!&wP!qD6Yrgrx)?s z7mij-vl&cgN;E9I*ilWdKhCN%SyJB***X!s*lDQ4acT|0`G5XA7$&wg4aTG-op4Qj z*tG|QJIeXr$MnNxdD{88M|8SSP>Pz9hU523L+TXn1)ctdJlwh#Nt7t<^5xq zd%eK?Q|ldK^tP63Midkv$d*qU_9nE&c%PYzj+2QyvES^aqIQH#9nf7tmHj5- zd25)j05?YrNHXgoIXi(BYL#92IgZzL%Iun&+!iRs5%5oN-&uV>JqxuhvEpE=sAJHk zlLvxecscUJsfaGYlB$oC85EXMsbr1D6Hh>#p-vD2%eVCEFqN_PM~mXYdrE@)4X<5 zNHfLk9-*FmK+-w2(Y4L_l8^>Hb{3Um7NObg{F?Bl;8wl03WE3hHfbsh& z0&vY;0vmVdowp~Mm~$G8j7cwPAnq9Znf{$Zmn0U)n8(0V-DLTNddlIO-1-LXSe47R zm+U=b{W#)o^I(|}2_kk6od7grZ2x|i$Z>O-EX%VnU(1yd^E@jwe8d3=I z$cKp&BUn_}avbG9f&c*pCre!}%bKLNSG^-}Im)+iN*w2!8KVvGPmh!Xe`HB3njO2O zC&hd!>UD}iieLb+EmET9lS+br|M;(RNGI5GTM?Pj(<4$!k^%fGNdSKQQ}2JOiLx>Y ziLeSYF^LM#r>3TCs9S5SE=Dn6;sziv0AKN~=h~y3YcW$ilz&^+tW>~STnrabnft3u?GD*mAjUSkpPIGc5 zx&cOyIC4Z@oZ;T^5N|+=t=N#%xNLb){t5@a>mm$-VbJ?+X()MtNW2V4Bq1!D#vepdcxZZ8s=nsnc62jfX@l&z7kH>^KC1OEXLy4YXCV4=ux&O3L;T+ z1pi;NFhdzv`L*zKG$2A9BgxFXm_kO{<>DcbMH}Sym^hte8eT!WvH^+ju8Bqb{p*mH zkR9bQj-R*~71atH+_sGH($&v*p#@oqoh)Po%FiKh*7g(Q!cZ*+5NRfwzVNfV1QYtH z?!E71&#AU{$I3$4`blpnb5&$;p%a`a1Q_nSe;bxL{%bKppV;2A0QMt_kt`AM31-0% zEg?!~7Qit0GLEIhRk=D!310}%Kd%HQ&eOACtmAy2;U{<=Uf;`2 zpTK`OdPkjX2sAfiw}k!RK8-A!RR4OV6f~|ExMAmX^T#3%V4&fr^TfC!Q*V{IUA+BD zo?eeD3O{_Jp~(^qhDfvtoM%AFY=OONZmf;n4rfQ2OM1QA1xRsb7d#Xw$Qee#9aGj6 zJ+MGA4$R279+hDZ_{7hg#lUgB&msElmDi-pQxEGL{sk;Dl^zxDxUs*ld$j<#qn{$L zUA27+mfMzWW|B?gtxrpG;rB!553ELy@68DyP>kN&2(UrgqPZ333i@SJmLrulrEddJ@hUf>he4m35 zEWExDb=?RINj;0pq|cn}tQ^ntiA^LRgW~Ti%M^_bUwfpWmsWahKM|un)DMvk@C#|3 zC2ml^WPTeO9mqoT9*%jPK=$XWKpwzk-Nws*2@Dc~*Sb^HvT0Khks0j(B)8jW^Q(ej zEqyWTIXnw*U&vvo;|6{=+&{yEE)t`T3YYkX)RBzvaejf5Tw8md_UW}If6kKm7#6Av z9A0GSAhj5!i0O(DQDd-YFDZmncBc)!d{-9aE1=X|*^%ky_X%4*VPf|W6Tr*so_7lm zXy8tXlO0uOBIoF3YI){=uaA)tzTrHTuz#|}E`{u_ZwteKV=@?Ga#c{oi?yI`No(u` z7=)(pNVcWZC6DpKmC!_X2kdS%vdC^S84lGGIfVQWA=}|6QO>m`(Bn&eB@-}HedcNe 
zC#3aTk()j(_{m>CsiPv<;`&ef=vjF=+buq#bWfXe@%!?O3>qjIPIrTw@*#>_G4$7p z-^Z{;A35kiyxjQ3(M3%d3Cq@B?LqyzDcNlG6o7Y~QPrZ92g;WQ1}ZMNovLM|lvuae z<3)m{@n-p#nEE7$wLOvhr-L8m{FKsB?W%oM#oE%?V1i%jr(o7LCpgqm7Aqo*mS^8v zB~n#~IGP#miu2kX{j` zn7ZIK*nZ%;9sU5Iz37L8X4*v1`2~lFL0uVr5J~jyIZJ<$VXY*BpoOvDXffoN40A1P z#R85THpMd@DVRcHWT1xszqGb@^+X?XDfVTh-DGi)NaE| za0zU`M{{33okt*Rbe&w4Bz%K`rC(}3*(Ni-2xVNO$yYPPy%TK$n1U^`X1j=IRg~hM zgIOG|*go0#Og?$xO$E>%XB*)0ogO4;nCD}2pLLW zK6z|3p)3&7TIt`RNz2eI@0QUznozk^nU}7|toXEYAw8NuDznT>W9(Mb=uo`_ENhnJ zGGfEyHhNp(+`X1Vr{h{ZefpUjjavS-K3`;{Vk^#q!HxNadP~ROwWyJ3{VzZHkke=^ zo*HTEVP zoi;SndbcQ~5{yY6b3V)%D|~f6-v`29t}j<*@iOLO6v%cJ*5#Hg%a-vK1H7)(8DANA zUFoYWtY%#H!B6YfZ*eF{_L0;r?lLjxNLw~t@h4(77b_w;72~U-ry}`8JJZ5!^2Qt? zbR$#j1}9VV87&qLXDEF<}v zIK#&aFvf^;e{93R8}g?_WLKA`-&i2~s4;8z`%AWC4x zygeg0){bDlkiVt=5WcTq7)5;Q7l`qg=4exIW=l(W6?}v;Ac|Fr2OI^{Cd+p57tvCh zJyC!+e41et*=k?fzW-l-If0*-;|WTg*d2k<_A|l&EV(ym<#!mW2ise*8+sxFBB)y6 z^+AXr`?})sEH@FHypmFH5n*x@UBk-_Dv&W$cZU8Wim@;pvN*p$dzW;=gqn$i>%5XP zCSnI{EJ#tt-vtg1rx34h)Rb0bqjN9esU#e0@DUyxg3v z&FpL)oop~zTU#3&OG^t242F!%)YQbp(9pm@*$f22!Butj)fF|hm0)lU4Rv)@RV5__ z1sDt(jeLUfv4{u?3JAa;U~nHF7>wP$`T6njj*fi;oRX^Ay}9qq~ThjTA-ZZoZ;9ZSem5a*dP%9Z%LSl|1NL{2niC# zTn?TfbtT88(=+#_D6Gom`D~!NxZn**T>2`QlzLyPgC!^So(z_$+)MVCK@Yaw#Z9>t zdfJ)XgT?Mt@qiKE1S)ot<$ql^RJbX0JL~)$oofpME4^~7&9mNC*OTQH1XFAjc4JRd zLV}0Su?7C6<{VQwaTxv6%2TJ7BpB-p#K=Ao7;$8Md|4+^Pdc9)2#-5L*%~%84a7j^ zb@v>>-_y>{2gt{5HY@WeVbITQqYPwYO-lfrVJiNS#pGJ(JWDxE{|$wp*P9yx zbBbKHZ5~VmT zQDzeOQi^e0Hur=`{Ok?fY8_iQpNRdtN^t;}TxF?0vQ;$g%<>AzW&%NE`)RdmugNIp zkHSpLTSxop2h>O^s(g}cWc2t+bJx|UM}GHEZ& zF`JE6Jo+jjW?IZ5%PT;@Sb?Xs$qqL+OG$l+2hf5k6PGi^{{TNgz`vhBDz7un&)jL7 zYTkO$h%OuS_@PUL=|f<}dAmCne}t0<7=rfu9jjIosuh%f&_n{p4G+l2-4>GB@CkVs zZ0f%^*!yK8tT zh6KU`IQd1~7F*NJ6PHCXRz29v;)rR-I+)8kTtegyOOu_}|FjzH{@FPnK$@D1BTUlm z#7bO}JQn?>tyj{+QsxhHux^vVQtoQ)rUDKDiD$DVX~`)Lp1Gv%2>G?Zk8tyJj(R-* zd9$z+r91OmvyImyCeeMrn@y_+OE3Evql$fm9@5htLu$VUnW4qUA^KIn?`+rt&YweLLAm9c zyVWI$SuGpyS6l@z1qK1$C<9i*$JX(QM(u3CSRQ?oglurH;EW$D7{LskeBgLDKde}< 
zJ@+t7r>C<%p!|wB!#i%be5&qtD_9W%g zNORJtcb+cy^kW2@G-zl6xuK&T$(oMKV_sh?3Mtq+^aC3gXfgQis^RoyMg-|Bc)Zmb z{Bph{_j5-$C-q*ZJ9l+3daq-Y)<}RQ;BOC18;H>Z;Hae_LK+xRJuUQgwFJfWAWg_E zG>;Iz;_Hd{EjIBJYG97nHcy{qv#Y5f1@$^}R0!-$5BxMO1Emv{>qB6*jQsG1{(iCd zAO#rlwO0V`q+GD>c#^wfDWJfknZr!}Qjt$R9I0Y>GzJ7q6usR6g%>vycsB3sn-Stv zPwJq;q7^K4P`?D^M#4(d=d+dJB9n$L9CU`6vFe@RI<+Uf%x^G5(KJcAp7g_rB1#Awk6NsKZ{dJB*$p2A6eB2KF-$=F zawEb)wIN4Y^l14~<#EfN+KsD)kb&Sq8$L>LM2^il`yk?$OhQN$ch!$G6(8u-kl(00r^dq1<(f3m zdf9@H_pxN8dPS?_Vn7`JoE`ir=$aF(1j1emm|MB(F!07bQrJpP&~ZM#IOhjR3hpK~ za(MKQU^ElA7Uz1q%>zNpa2g$#t0vA~uTeZBJyG>>I2tgfluw}DDA+TE2*u)$-uAVu z+*I8p6x$7Z`|!jrMx_@vkUfLcA@Fkumtj$7=`PFN)yfWsbKqmaTXE!eaEq*Zwwd0kVu8%soh^AGmMjt^)fBc z1eBANzDT36G6rCPPyO!1SOqO#Ku`r3qaL0&F*(5!J+VFVuPLTR4ebPu7%**_to^DH zCuXw@fHWxA7S1EL?w>1m(o8M}29d;tRw- zcV1gV+O7^_n%Os1>G5fLtY>!AST`}IIm4M3?!#QdLARpJnnRV0JLrxM2SoTnj`H&& z&A4ZGYR3iD9HO><=r?DbJ5}Pxt-OA0hkn0-Gh;c7Sk|+f`DW}h*fF9>l+TC7OI5sE zPH?;oOFB(0mVN`^jDqEhyPI(Cyg^({c&E-uTTG15u^k)ecCZ?7!YJV(cChB&eky<# z+HI%!v>5u7&-CEFH&}y33exCn!@eouNM`Ud8A%+QawzWRyI^Wj@b=b=3>w2WS5JF} z6o;a8>)AgxVc@+DT!JT)@J^%RYXh^BJ_9tqwH7T)Nr%Ukx~c$ej!OLYFgUlU7Y?Um zojN_C^&=O|phT>&9u#_m2JH#tL4JBv!8ME@VFQzsg~D8^7=RYaeoA6=xB?r-jZ}@T zn0b``K^jw%)Rl?zb(N+NT)BA+&((-

    *DLQ>?=%5GC-*ZUaKNzCe|)we(63M2OW-U zUHein#}3Mf55hCRlZU_g;=8Z-K6{73@cpb9h;4h`N6VMVeo67TVo+xEq>!7>Y!7%2 z*38`nefPI^O@Px_&TtWcDAI1~1LnjV#FkJq9eGD$arizZVOp0rIC>I4?Fg9-cx}V7 zZ;9)@3_$bh(dwqn>CXS6w%j^i-LHe4`T=L4>W2Zj!AhKa&5gK26xc`HK7SSJ>y=6` z$;(L^-MCJTw|d7c8+l<@Td@7-=7-n!F>OwaC)5vwWXV%J9oH|l+H== z4c`&8VDwjx$ufZHVnW`4{{Ot8X?2|BL7F^R7TVm}+*BQ;n0K-A_n=9z*v1ynY=vGi#iy{vHG_%Y+IUYtQYdJ5mL z!RG!?I{L;j=jpG9SK;S9pl?NVpLa`@h4}snScY!*?7!Rk_89IFhb%o60!{Xe%6pWm z_PdI9bq=8S18sAvyzt$C6?xgiz$>@%7t7lgkc%s-V&HCBe%1eJa*mdEge37(+JW8v zaPj=Uady0()=XxvXSP17^tWzi?3ZFw?c^w|UQ5qb9!84EWiOwv=t z4*1EV)qNQPF|RUk$F*X&9?saOW zq^*Z#83%Ij%N=ET{+eUxbI?=Vl5{8dZ5_QdP0yRZ7oI$+KToO?mtO!=b83Qv-|u0`?*F=4s2*uUsLzIfub zy+{M}P4bxb%PO>}58if2X86s42%_K;SilScbi~GcnyLNK;AKWn5L2enMi?`{1n{Hx zYQV;ICja@bn>yp-&H7g3+JC}CKGjHed!U0on)s$W`_Pst<#;Q0PMLUAK!V@lB$VpE zj!w2G`99KCa7t|SvQ>bdxKzu?A6*8b4=V!^E3;Ea55;EJBK#gHhkPEL2%%mC55osg zIF&3nzCL3Uj9wxmq#z&R;f>$9p$8E3m#{g$@$1UbnOM+`y=G*ydjMZkqL)#3r$@!# zDYO$<-q)`_&7S+7vPJ&a;C$bDy|qNxgEu)xX0ZvjiLR;1cDi0~NHtZM4f5XT_&To9 z=0>TB_Y@~IpQFdSS~tOJ@}(wYrpapJwWeLsB%GknO+eT5v|s|}y=F?0MjHY=c+Yk~ zz3xcs|0UBZ;mp*%gYd2eMptvk;|JvzRQs0)R$$fTQ8rUQl$Cf@{$t$|f0yqs$PH5) zzEggq2F&0;OTLTbpURllkxJL5h?S>;-9V`HY4`HgZbh~>X;n52&X{5XZ9epD05;^4 zo;L-4j^=1%`RwyGx95P$5f$NNg+zWgVR^-5n|S3or1t@=p`=1#vhI+WR1Hsbt8~jn zXi{@DZvJhoKf01cCNEk`NP6$>=XW#@5&U79o(RbwI@U7FT`?~&PieRCC5j+%R+9~; zj$QD$LJHez*Ft@y=nxErn;{gQEdv6+$mq0^&vPOMkBfXjh6m0|@CvuzUNSF7Fp1eb zORrid9lqu>boT48=6XJ2j1=w@8eW$C1823p=F_^wu_Mjcna> zQkoNZR_B@9Ko2UDYcnX!^o_p;#Jx`jsO3@%v68e}X*h+JE8_$uV|QT3P;yqFT|CIW z2EU{2xgJn-M(VDIl_CaNKzVlt-U>EBuu4zvXVmF}x()s&%2z}GU1ttt@ zb$1BwuE+mbIY7=H$IIsA-yRPP_mS}P1HOZ>zNUnBERIzVPwvp19kb!!(>7CyuapsF zT!Lyj>)Y6H|A)^&BkejY=k~M)jw`zwZpZu~v;~Bjpj@=uq_^K+{g3YL#-Fp9YfgM1 z1$n6PcwR&vz!sybG4l2E`*2XMPVL)%{&F%V4_mMAZG6ic2nXOMkN+-Qvzs;rslI=5 z>5P-$_K17%AxtJLwS+eE`CX#b}Q-S{6ici>yzyG2n^G8B)q;rJWJE zZgt<_q9=6&P&w7uM;+p=4_vPQe&hM-5+3;01WL2YPiJck5RXDp&q1?&OO^3?d5={F z6Fi~2tPO%2n`8%~^CSATHSQ}nvKoF(6pDWN!y>#Db6!55jo_(q_v*#ER<~MS7uKec 
zAG*Hiw`T$f1a-R9H6ZNT#1_tEf4a1vqa@FEpzJGbLND+>wuYc-32;y2`??)l&sjOP zAHJz0eC5kRpE6v(r+66oic99}HpZAeprLmF@S&X4M1GHdPlrlp8%H>Yvs|@q9m+G* zOF*NMuSe*xw(Ab6qKYX2rm@@Y6vRV5ar?1?Z@3Zo)5H#>dWQ?&m$K@I&v96~9}{s> z$jY0lfU=oaS|10XhVD54lM=%?$qV$DiLelKak;$~1E&SaXaET(bS5`cmk-~5-fWfF zf_U8S0k${*(Q2VXNbjF1z#G7)k9m?Qznu?iESR?g<;ngK^dffR=9et-qBa@JtNGI> zG+niJFKh~hQ(x|AJqq&YV4tJS?TN+{hi>F&kj3s;M?Ic^cRL+nX|;Ikw)&2hJ2_#U#9)pb6Nm(OVcu?LCAgz#R7K_dE4ZzClQ^jgy6h2f!ta1MXX z@uOUrJJqGBT_N2ttK_FE3v$yR`~v0$+H%B5*F_s<2SmJZPJ6i6gJzsv+G4LZ-{ptBkjFx!e zPwn^x#RrV8E7Wsitx&XRul;IOP&{i^TUdW2`(1>BnCk#ZjCMZMrc`AE`UlgjQ$b=( z?2?>NTlD$wWkpo%Qva62B$5rfrc9ruuAoPrnL+^nFs?QC4I=lvE7-%>i|jD%L#zDe z@qreinG$ibuiplG1Vn%7wH41<54mtu7bes-_X|Y$az;jObU#gsE7be{W6g1eTh*Ts zI1&c+H701M<7Yo>2Mo;dYy7BNVVPPklK9TvY?;>KvjN9VDAaV*~( zU!S*Ths0>w=2;AoSo3;4c6jLokJI(K=|2Jw47LJ=STuOTdIza_Kzgu3!pHj~8%`m= zZlQL*{gw`U5Ly)s{~zc2&(YZ4cdNvgZ<7EXR62FMBP{*z0-$G4*9uj`X9bu z^&^UUJk2}@Q)zIq<^Vs|2((6wR7ON{p7Db3BCm4s=-sgD=AaqHHGB%TZ~jhf)=hXS zeiWX`t(h*|mO)*BHFNYnJ&@Xtl+^IptLAVx_4NAI*w#mOenwr3-N&jJ>_%aDKuu>B z9-s6<;|!O&d}Ib7@`23{`nD1&TBs#0G)A`>hOu7l>_bMKOU~*K2pMI`bdK`A8Gcun z4fRP+I7rkoq5LAh1fySA?Hh$oRXHKWrbEKho@X>r(JPCiYzfhub49CjaB2w92jf}zso>_me3pDn{eLj#_XjWfXy*w@P(aRb{X0POJ| zph$X7!0;WBJM+ivKoq(#68o8>?srBzW&cCW&G(xXXBN!Ts#-YLF;PRB{17~FKDlK{ z#_+l!{3s`t!}?u@W&xj8pmwKlgL7;w((yvX{EPOFq%?NGJt;)Z;_lI;qvj7K0U3_8 z&2UY^(%Acy=d_i@X9nF#zDw+!sB4BAK_%`$R$LsW=?rj7PBe5Ql~I%VdjZa3J_?za z|6|ij0{}tfj+cCo-SK8ya%qFasK@Wz6(D-jz1+=sN(|r-WeCL~cNu4)!w~z^0pO(V z$+8}eMD<6&dr<>XF7wvcAawlioL*ha#(6pX7Mpa95I$0)!}lG>W$3rm!H6*R!yXN0{!DYEc-7SzYQz2T^FF2L#+W|p(_4g4+ymOR_xvZ0?24$RhM z!u=denHvLz^n*Gc9P?hObpUHjHN$gu3<}oV*U%Hpc>c%fliIM)-@wQa zW}nTO1?B{%+ojSYMA4I?8`VyQ?<>U6Rp#AjJpPv@d=(-8(CogDue*77vbH7g%a^aN z+wU6}a%|4G62pY#zWoP0Xjsnx0h@t|c1Iu^qtm;!QMpQm=1kHvMP zl+>x$Z&36xjmnuSviT=nQ)|J1tlCduS9h8Z>F2hA%5oI_kRMEq*8h-f=BEB?52nf5 zM= z4~mXMCIfmwKZ?rBBVyZGU(63(!Ohv8HWk<%7%uydd~@z1U&H5+F^wpNmjNy8h$*hb zz)IJWfq%m&A2uS1(K=S**ngP|<5n7`W#D-2lilA+xV$)>;PlHqkZ!<`J{Hc2iOHVg 
zGW`AF&QIp1AvGU1W>V_F&>Kp|CbB41W7wiLBDGfdy8Mxrb-_6K1w_TBx95=sW|pRIQsYO)|^zFojNRL zEe1dB;1Wk!AsAQ3b2px}VoAKBzNf$ApSw8Elo6?XVZMxW6kuta_G8hNx3>jP{|!(o z`1+QEQniE3BkR$H<|AIZA4|_6{0gN^H#W2{pO1 zc;*rHL^;%t*JYXck*bvl2;4A%`4cA7UJBaa8!qy%>#3u@{%X=@hF=M<5KM>IwIO`E zKN>hDX>LR@`xuHBN{O53l0M z5xq`L4a6kCF357ej<#GLd^ScNnK6X!y8yZhQjJaPrU-}Dxa9-3kTrtHxrHalnYc7lXQa;Pl0Ivm5#c1>ieEb{ zpL8vJ{@9soqiH&w1n#*A-^}9aS|{)SCM@hIcq%?Jgg%~)HH9J02+>F2!DJ??*0Q-J=coQ(MlO^IYz|ES>s{TSIN^Uih$EX?pK*sDS0qK5iaZ8o-YdbY3zB zC{j?^xub%P%8*&QZmZfIzq{|?`9jX~$@2GzV=mwIyHf#vb0FdHqGUaAgqbGd z>zpa5(t(h(l@BF+-pu*O447B2G#Jg*e%I6UlXW2U5v9}aN%^UG74OWOKAUWNwdio0 z$f-JCSUu?P^!~$1))F8hG<xQ@01Eq)KP!Yw>H} zsQk*)P1m*@){pFc;PVc`bEnyOZ~kPlez3Bw-bDB>wv=6JpluFBf9YqXhXxYpK2+&~N6G3<8L~)uB)Xhh-P+EP z-o5CZbQrO+gZX2>g@CTuL!S0?wrYI_*Ko)DJtyQaJQWuxHvq233ZmObSpS#MkuT+n z{&D^H`mNZpJkioi<~}ThRotctV;o<53$$^`KKd$R*DbVrqc#uRamLUkYtM2 zlyMB)c)pxYJ5VToUvCTWRoauBfD2grSJgtfXCX)$-Lmlj(?>as1CX7=bG=RAKH%ch z^UvYDW6yJ)+@kL4j@lQ*<1pR=HFG2YPu3)l-wkf59p1g#qxefKLgx>fdv<6x4p)4)!eYby)V zA?QrJJzfyx4(b+uZU?`Py*rukm&^SeWS2}#39AV+Nyx#tlbm+EH@^Y;%54wJIjE*yco| z1J&g}e>hF`{R-iU_;13xjYpdiIX?%tCrN&wA12L~_+Br7@_?+VvBT{IVc-D%14>4l zwqy3%dytfMCN=_U^CQ^($47rk$k~9&6C3zXl`FvEMpwv+#Nqp_BcA>`1orZ!|MS|^!c~E@6$ShIJh2L^m_N;zU%W=dEo8_#bmoDo&)0g z!HP8_YrYWy<$l;uIrl)G^u--CD$i`6$1a5XCN@B8rxzULu}5-Z!&r9J3HO;$+-~zx zW^!iMKRNKl=zh;X*SKQ>VHOxpHc% zJbKm&cBy_})_}8fVS9+{4U2jIw90>dDH#9olD~2DKcoWl>+_Ov zy>6uS5IRZlt}L=v|L9;0oo!bXUR2&?1?b#WAXZ6dMpDc$%7NhA(W?o?4nWAYPPXlg zE?{G6J3$5jZ#b^rU*H+V&Qb_I9}~}Ve@B#nJ9KLx?I~vQj20V|*#}p2p?K#i1kW5kf z8z;^-yhxDGTWX&jevj1!`{??0HvonhWk$7;x9;So?PBX8t^;nO)&TYZ#b;ZUlZxW7 zRlL9IkUfb20bv-#;i;FG*@P^z|9?UEuyeXm5>h4fVHLkT>jzB|Mlh1|&HO#g)F2b~ z@Sp=1>}aL0z5Ef3uliypCI6KWaSCG{cH~MLq)cPVY)0?Mc3#h6zlu+k(eoLqpGHLH zhKzHIbWrb{y#4*yPuxBdP;cS&B^UuH;ydp18JZ^68-lr-NgSF=!PnOTCSMR3MK3R1 z{j<*f7Q$QxNAHqD#B-bM61{pl@A5$D1Nry4bjZ-OB$v|uETg+w;mm*oiSG?KD3rbf zIQLAL$wV?!pp#WQYsY*QXo}p6=|QOPwMOgT4oDu;tmc7+D~7LN4XaYo!#s5a9@FwO 
z%C(2EL%EWVyZ@;^5}v_8M^G{#4nM$@g7{hc;F~;i8^KsZyv}1BdYhm2?w|&MOKO60*ZtVpw`~$Pz$-9A~_BQV^ zDRXk`BV^_QKRA8i*NY`u`9B+yk@t6b?Kc0{cmRRqEqvq!n~GBdZER*!b(}uYo&xW)k1|l- zO3C{*jXPOvI2>V{F%bZ%H@xLdg^P>n!(r$kCBl$Y;*~mTI;?8q? z|D_tMLB&IqOF)I#k{8lQr}n9W6W^)SC)Yn=N$bZywD?dR1=R121|T_3qmTWPW>lid zU*@N1NTYX9Q#BpxspJyuHOnZ`fNmbR*13sxHsz+j{c}}A13&wC{A|3d0C1(O0N@mv zS|a4YEvglJdFJ{H^3nT7f3 zUtqaBPm;A!9BpT$c`oW}VF$uMoysCZT}tr}2;2*_PQdsC!ofQSOjs6ei-#wi*)aKI zY;fLihqU6RfAj)C)Me@i)v`Ze4Ug}>i+MDH<*i{*pTHu;It@gNL(~R>I5C5azN2uS zRvg*}d7Db-w8KC{zgym9PxN*^6mj)5&uJg@%Q?hb%QUAy1@j(#vFX4>!XrFCKn=cv zxJX@2q&#*2r$HM`3n)f^?{9un}V+y${4Yl%)xSR&;!i*i z?CWd4GBGDF={wu5bNt?(dX0}yDT-T-5x8)HUPrg~b=D8|=nm4Im8!gb3rTyX3^*}^ zL7*$%J@K*D`F#}9T{d6PZ=8d$t;Ef6MGh&i68QET@Q3_S-dA#XD&at(jBkeNnbE?q zV=YGLm$JY1e&XpHN04+d^HJ;IZ-yePt#55`9Y6Yx1p(#J$n(x#P{p`H5!6}1;vl-~ z`SjPPmtFd8I=hMVbQulz^A%s{=ph^~G+=OM=5;)9x%l6Zjl-!~tYeQ4J8=HG`4s=e z?NI{^NWky=$2Y#MdrwTT7QSwgT6$-9=!A*DnFt-65X2hM&l)Fi8~*#AKm*hr`%|R< zD-Z{JMDNl#nHVeH^YXO`T&88I0-`PFD%_f>t~cV02Xa7Q@3uy@xPfs8(Tu$nlE1wS zY2-M`jO+#8^klIXs(=IPnfnmyyji4vIQa*?%n; zj`o{KXoqvhSIILyy)JEHow7f|S}-4?r%V@{CnZb(=B7RaXUKK|2pXcC$p)rKkGY8M z!uLFTh9OYG`S;zx_(kxix1_U8kA@KABpq&!pgf1GUQP z(`T0|p~Gjr3Rd}KW(?$c2p32zEGg|>m&>W}$fLmFj%mol zjShiN21gjHUHN2g`iZ6iuL9906J&rwfItWzmEP&_%1;J|*oZ@uaC|a9r#{n4Nh!_m zOtQr%Qw8{halAMD!Y2d63P|@9@Wx(ajZ#kypUjlf^rd5i=_0X~V(sy6JUg@5Op~lO zzz(m^o<v6XV4~(QC>9ohKVR%V^}4%j{iKm|5XN)0On_INRYYaV#1-n7+NokI7E3MxcHu7~ z*ibw-V@6g1f*`>KM|poR^Qg#10z#9FpUe+TA-}xk-s5jc3!lu=Wm?h%OMS_Ly-xB!y2#hh$YK!?l%__Pu`&fNyXul~4?` zK66q9{$D-OtwMw)7r1wpzCQ=RZ4_fpC_52D9z#tx+|cj<+E;LkDg#fl!$H9DrZ-cz z?A30p-MhF%3HRRYSgbx^!)iL>N0_9N2?OSR8JNRh*F6!GB5RU(JI`V#CDc7xZD8y% z>ZHK3mNI?>nXHy=U3COef_{6=Jd)in79qKCiZHQZNVPk zk?8Q4H?N1-GdoER8d8GWJ9k7kPh!h;#nEw3l1|tX> z`J)#lvw}3mVal%zT3--Xid1lzzn?SfE59K4=etWmg$4^|;(+lS%Y6XSwFq7lIq`kH z+qsF+lhj-6B4SD?7f{=ukCS1t0VP?r-vgR}&GJVB!CJ!)A2ps_!~ zH(V5swZRS@o~=eIkBAXwfh)x4yF5AS*u3v&(>`4K3>`4sJLs}lj9RZH9S+ySkEx6a z!U}Bx0d@Qs=-G@S`EfXy15R;@xbXuA^GnY&FyVU>XG2w(IcL# 
zdTxjsp-zI_WB^`AO|1=4X@0*+KYuPs9{0ZfOvaLYIhaP4aRyvs1@kZH(oA?&fHaKu zX=$Yjv47ez^4cG;kE#IQUQ$wypAE2;>4h)B-yo>+;6s!-;iu~^!N&`HTV%1BqrC~{ zmQ?TH#NsvB&?k?b+bA=I7IB~o$i0PPFX`Y-8UyCearTe%y?x17A@0!DZHkfJMdu$~ ze|TT;`+91VnOdtc39`(6xbNkwEciQU>irtaabJ|kDgE~V-JT1ZPeb8hecwD9aF)oo zX?LU=<$E-Na0;C!Uhx6%-GII*Fw|qoe?WKH0RlNG7~}}%!2aG~*!vw}A$CA6(NXJe zHa4pjm4QGWFl_VAM3cuHxs+Beq=3%(*@4(Up~&7}+&>U@a|o5=Zw$zc^L95-M^EAS zdT)y1t2qA>&Uh)=Ikc~WJXi#PUPgkcQ16q^i+l#iOR-rXqUW6#2YNqFJ*faI`YaaX zX^Q@QpXctJx(wQn;yO|3wy2MgHTB5Aoq*$yFbg+o5Oq{4|0813?$Q1-a694}JG(%4_!36-W0hIyG1pv+h1+@hL z=>j340~x6W0JQ`>`~(Hw1pt->1q2}wUULQ80*wLv11W?7^vnna(Fy?D2nEFo0D=i( zxe5UM2>_Q0vjO8<1i;{i>mG^$kOGwh znFIx-2C)ai2+9fA3g-*;4EzlM><$JG4iLBz8zCz)>;_cNh7<_Pj1>vfmloWp7v;Pd?%5gl>KXun{u>1D91#;6 z9R(UAD;^)j`7<9RJ3}BTs_#o7R9zwqE@p2dc!4DI@QNh}Ig*+tqN*pdx+tvh!YKto z#?C4QM&s`*`v~tW2ul?mEmI{fE;lb&JunGiN-=3$GID1#dv!E~fi;biHkPC}pSU=v z*55e?vHkF$2)GCE5<9>pF+4p=Jy&BsZ+t)Z^t(U>$cd6c&8V4o-L`GW^YhVG1@#bf1+z{ZbO*RNDs{g!LU#tlQ(Jfl%42JJ zb9;J&i+hupeGAg5x_$%Q)YN|l;Mv)L2j<`Efe7sg_7j5jF+GF*N?L>kgKX6Xg$;SI zpoR(+gV={3jhBdm?5F~Xqa=m)4KkesDI<|2NeaUlataUxln4l6gs6c8B7u~ml+mQr zb`m_n_(l%3Zia1WyGR<;)7mEJ9KfZppcVprvTVokNIh(Bs1f<87`J98RD#G;{5(B! 
zbSJJ6(Paq2u0wzk`SA15%$DzN;HKduYZ5iaI635nY$oBK7tjFNyJ%MQ96h~rm{|no z@6+faD=4cRP*fr=#fr=DyAFwzM&m!Zqyrcn)iXd*DzO0;$}rkbfsqV&TNi2shJ7+@ z@PdWEOq~c<1DZna6d1y40;9_(dSfBG3GUi@0a}1@`ShR- z5+ChwkfW5w81Msao3XB6#B`=LrMpceh zWo?fIS%8s{3SOzXk!a8$l5$9seC+*{h8g%Nm5@Z13z|!prC*q^XPLWhn#OpW(TJRt zouHly?y#Tuz@P$z$e|3*q7~Jn2p;0>q$UCR52Y?FH>N^OrwKM;aHv0pl&MImwyIIg z)vF3x@!zauGX^2818w-Oa0L3V2XhLrdJrVB2!TPeiAGSfky~f9nRIxye2BIIp_rey z1ER9HxCN!Y!?^~k&bkP&)VsLa;JgXI=e-Ka^uE&o`@h``z~>pk@g>6hGQ$Oh#0yZx z8ezsIa>p=m$UBh9MzG3J(92wg%x9X-a<9&P$Ipn{(39`co(KHWsUy?0K-9lm)yj3& z)sffWso3kn+4kSs0fznC3=;j^7cbo+Ox`W<-#BLALxkZ@pW;~%qT^&Rde-KJ zQ0I_%=$n}7rt|8txa+(Q{vPbd;O)`~qwd`+@90JF^IGx#bn*#@jq?%1%T(=7YxEdz-F0xk;{FB2y) z8$B^2S28PdGl(=ho;5?VHcQAiQ{FgR^EqSwI%^37I|*|gJbX4ig;YL{aX*)aK%k*P zskTD0$wSse=|uqqMh{0JNH%!7& z^W*Dm`|||{Z3zR59vN;7Br0zeHcD_FWNdLKdWdo`oU3y=z|V9-VAUXXOF5__c2wl< zcU>t`cm!toc?D_)2neKl0&f)z$sl_HaTy(aav>&t19U4jegtI-hl7fPi;;wnmZF6PldiXh37C90z=sN<&^`@_t0>}$*YJu1wFwD}1h^9$j0wCj zjR?g&PL9oKkJWhwkOSR|k>I7blHFk#Hmk|n>APSj`E1HZpn~Xu6 zj7*)3SDuVwpNwsw2RnU*p$S5mq@qi(yrWde)TCYD?4@S-1Pi8b5FDp?C^V>nKuoEM zSY)b`aD1zrh?K0QpscN~xXc5$;`Xlxx(o~^u)#xFvB*w*AhH3^akB%^b+prYwFugO zwh7{rx9g|4^tieG#JUOwjnumk?z|fMy(9(=zAg^GI2XV|9KlR0!d5%OU`51gS;cf| z#(sXsh>*yVnaP~e$*sz!w9Bw*)F8>sx~VN8&BWKv=Fiyi(Bk*e>;Vqa_6E}cjtS4Io84rp-fptrc*o#^(BX{P;+Er}@8qfg59PEE z=Ds24$S>&9Md{pH>gI0i@Pq97knIGIrS1;0?-;%CBG84`s6$iV0|Ofu5lxb0XAKh+ zKoH>R2r5hiv8%Pm-T|I{xzv}_KD3Mi2Bk&iGVN|>Hr3^ozr691K(z=Q0=-BQ*0ujV zwNYKS_~eb1c-?lpGZ*UmieFzz5o>F|dt!P5l?5g;4`!s;XE3@|-NjI{xuY#k0t=*t zL7s#C^$=aA%yrJDm|Xdn6CTlRi%rhBh|8^+w1-szjs<&*Rs8o(vn)_DXD>r!vB0Lj z8>oH@jztw{9F!+Hkyoo(Y_S?f1nF@b(hSyY!l6zhToDd#x%SbH@LN<|H+N!ABjx8C zIEKTFA>c%YHSa4ppbsCNi(n*byus>&aafQW_n`n{X5)3lqo5)S7vx;*c7D&%It5v0 z)@dg7qVM0@qC#AM&6*Xt9WOMAR_5i|D@z;lYwEW=qP=ui^|&wOAzddX6>w+sDQECG%Q z+%A+2I4aZwK_aHw?XRX3GHqI8&L3fSD#FWs5#1of5zC-wiGC*~hJJ{|#2Q_&*XFDH zBbbprav<-`X#5_*NWz=&ocdA}%$oUV@4`Fwrx1ue!-I^@00&EUu{u zX#l&t_B^w!P-bTLGi5`H3IZfA?X`83XH2!ndCX^Vq}#UpzEMSuu_pW|ZQS;#7Sv*a 
zXQ?Z_GmbWCP3-QO6m+?=J7$C{y4=Nd?>l(-rH?q#et1C6g02TAn|-LQaOEjoY~NUd z5O4I@hu2W+DLt?I^^p{P^&1fn`2D4kf^3Ny2)-MuO)x0%Z$Nxy5LrYf0_T1ZadwG` zste?k0Y%Y$0mCWbzVUhLsXD*H|Gd*ya6h+g|L4Wkb$X5rv10#=d|}qWWn)`kx?`rr zZcQfSwdKiecROPtuCLhjlnF7l^0zN@WjjmE_>D1^C}P6?6!8#GfmKs>XPB2F7=jif zJ}2`mAOSPue1_K%lw(qXjs*QKl@>;-1#mbh&Q)ZH#P5j`%5_Uf!mA>-YFnNVfAt1R z-3I(5vC>*m+gIT9C2ElihBL57p6ecD}<`jP%S$6Q{2Ho-XQo zcDdKYm?x+~!0cds00RN{2Bj7yR$Fb|a)>EM45E2vABNW&$72H1-;7}LjVHoIh8SI7{@R=L*s~q^i9sJZD z0Fdb)1pOcg4HF>@9wHDgBNRd;7*-`5Y9=6iCnSw1D4!`TvnnviD>U6KIPfhz0u(Ml z8ZSgLFi1!-OkOfjax+wfG+322T&Ff*yEkOYIB4KGZ1g&C1r=)Z|py_Ep>m7gpdPSL8fc=v8G|?0AM+@Sa=ruUz=OUHr?{UI3BpUj+SN z2oM-y3?X6=Gh-AJ{VaIl6+U|D-YXTY&cyS^%d3Q%ydVO$$dxM&M1c|MEjlO=7 z*ngGgfSL7yoeCR*1)&-vg9xT9gbA)oTZIBaQHEiChXJ>ls)!1>#L9`n==F*M91n{e zDU3EljZj^VYIl!>jgXd~k*Kzk#L|=C=ad7?^_9;69hL{u2NjnH*)v9%;ZtRq>2ZOY z1M!)xn+Wu{!<-5H+vc4GlKu%Eo(>@_pBKDUFrXmc$~>Vd0_~zQB}Ah;OQZorW2FN{ zaHaxCbf-#us0dAA_o)e0YpPy#t7n)VtO#(Ut$410xvz-Cu#nHOnA)9?@ke(rPl(Z#>j=M%8&x z)_z*ogJjrOkM1Lo}g?CBRGCG9La?m<%T3+!Wb@b`t5@dA{mxbh9j+Vd6b z{PZ0SBOdi7FF^J!QDXNsbA|YqsrkFj`rq;U10)svCprB~T>d?6e*Z;}pa26+v1p_L z169nB0$Anu16vU#1qNOlBnV_JHVJG$ND6dOS_^z6E-?&*a)=F#V|NY-l!}-Sov{$6 z#L*G1-x3S9`V+wtCKL(GAr;jy7T!M>2j^B8?rRwc^?e%sj~fM*p&Sjf9TmSG9nK#m z-5@ROAvOCV2|WuZBSsq}22UjgRWBx5xTN4GUkIfzC}lZADQi<_Dh7IkD|bAVEPbV{ zErYtcE(68RF9wO=@i31CC>b%8E#PB)G7^XVX zKs(uJJm8o;=g2UiAYl zhG!3la3U^Xqu%hjtqCy}y0cl$h^#8ZoSurlD?j*zqZ1_&fmcZ z;_v}7>JlTv@-#-o`dDej0-1V?#tNLR#}dBK$Qt7F$sz*FAg$Vy6g1nL zSRmY@cs<>!T3X(+X=&fNnBc&`;mCX92GEV;*68Hj5Ux1o3FUB@=I+4g=l7&E=m46% z=?B*82oCcQuj>{LHS8Y}?FAB&t8#yD!IV92V0VP9ACR14_U}z|D zeklpui|IWIjrOIbT-bv%QSJy@?k3uB)bSWalLU+>D zLwe&xed~Zl1%O9G{6-0dS_eEwjtD+aNS76HNuVN=N~tfkOR^FhOuHm4O~f`zPR&?s zPu6;lP~V)eQRu$WQt{#RQ~Crwaa04G8JtxNF2`0CL-JQ1SZ`P-gPK_|uEkn8+3;IJ zumoI7*b!Y+UR@|FUuHN(U~f`iVR&qLVu6N}V~U`yWRtqbWt`O1X5QXs=;&zj@@f41 zY6d?HYY3$#ENrbuPi?hVUv9l;Z^d_jaLtL4an+fka^0)5bLG3jbOY_xbp`O-b_Vqo zMCEq~`|0s`1Dysy6?q8@F+h40P_TO)c%XbG$nbqGTtI#UH)DSXI%;%)3PFjNfeTBu z!-7`f@PlCvK_G-|I34#JjoA|% 
zj^-&ckMloBkN}=lUXcxJYmx#Qa2TSln5a}l_`Uk2{DtGI%t?fsF_Q>npD?9 zn+IK(v788G3iqYb1Nr6Hy(r!}ZQsi9J;sby-b z1+i~;tO>S%hpoSlo35v`ufNN%*W$4X$nE&D(gQ>avk@7z2;3$twK6)kOG39wV7Lh6 za)G(*ikG_dpQXF}uCBbexV^%{zRb+O*4Dt_;KAzi!u<$E!w3YQFT@Dg2(!f$Jvhc3 zL&qdh$Sh~cG=0hiJcN?VL8!UR21e85%}o9eM$S?xI?q^CWzb%KkkMqS(hF+A({_P64)uq&fZ-xs$$2?HDX6JcEMJ1|N=wnX zJ8}bP1Rx8Q#oX<_uR!ipKQPyi;m*D5RU0SG`c+isAIV(PdE41b>yiSCq>V0rMH96! zB3^Scn4{u2@zx>E%w*)EFl>3L${J%#Xqw@+FfhWYsl@MSjLv(@!wS3imK*1rLI$&- zl6KLLTd*{3zX5&iyrk=hv`KAS;|1?9dYupiIaw$hbds^*hy~u7A$wrb|fN8x7DpiFG-#p16)zcxf z&q!yZWTow#(Ke7!rS&{TSnttbxrBIai}_;F-{NvX4E0}W-&uQ15J8B}a)_1{b!djm zOPOldHT3y{;06DornPLo%C>IvM3drW6De2gKxo86L6f}5_T}QIEf-=NQm^UikONJZ zc&PozYXdD!l(q4@D)*Ei(2^BLk)`MeXA@pXuw!AoTaq*dn99sk615b9iSKO9}9-Y5Mw?)I%)VI~rr8X?81BHSC zR&Y2OQKSuOzCy@J`RE{-3sSpy6MHHnOhX=#1v`xls0vwt;DL6G=muBB6^gjTHds8f z;4(lc&I1}801jv_v0M>KM8OO+0JMJtJ{e%CcKZL?am{%c{TMwoHQVAq{87Ob_oDd# z3z&Ocw>p+}Jt6aeTV2|H{%#u`eX z##o@_KVd2={MYGez4@CsM<^@Q&jK?|2P(Og%w$rus<1GZwfXGf;V}Q6D0)fT4;N{o zC<>2vOpJu?z;RD3tnbm}qn?f)F0Uc3Z#cUF2~j{}6&K(=p#{&?W?W#?bAZ324iNvC zWmPuYQoCAg=F*+d>g^m8?pJ%o(gx#}4)qPqe1XWxU(?44>3HbC+UF-oxKg((A*ds& zr3@1QF52@rrb;8vn+P4s$*FKN*vu#QZ2W@z8-q}l6~9lf+p*Au0W{|F(>BS0XJ=Oj zMQ;WX4dRaSxowX6q7#tc3X6X|6h0BnJ%|T_g9q%jx*Pg}R3_#b==0hn$0wqFH{gO~ zFvz>xANi*%65kA$-#sXN@T&Wfhk}O#Oz%@+0!-cyFbE|3BNVIkp$3z-pd>-q7Ipv* z0scd6UQs}!sPb|p zu&q4J_J~0BNeg(lt~^j|`4P3RoibfX8`#9r1XzmLj_FaSpoeN@UDkiq%8+UL*O=$w zrt?Kboq#GbBc7811kp542A!zhV}%Pl3vS>DD=;!K3E%?e7Tb}bSR_KRENmD{I5C9h z-z0c=4zXRC3DZ$kwxcx4crf-GqOd@x?F$$P2tHW1iLR(g!VsEhhlzVmd^ z?f{^RBrA=dljRkba_E6o_peV};8+XBBzw3Wlj*s_Nv>+;@TC+n|Yn_nn*`7HJWv z^#|jJYq{l)d7V|w37b8q9LI(y!Xoxa_BPpjZ@HyR0p$bV1D^wzywhdyN4Lt%!45DP zW0_0*yglnSNkz1P*fZBBa3xukHv7l{8#w~3S=ErK1#e}3;L5Gamp!(;^I~U0Aq}bw zXk6;Ru!dcyO?L^iMUNqcqtTxS$4TwvJM5X;xHX+Yj<#d*u#QeZ?@5JkxW7X@t(_Kh zbLdwGeJ*5qe1rz%Erqt0+p}yLNi1dWcRhZ^+#-a@R(!uo*^g7nQ(k-leJ||?cb_3c z*9M(wxZC5xDB|mBq4*4TdFtrC+fc{Tg}Dsbkdr})zJ+7a7_Dn0=7zx^jNFl5VMXdH zByAM(31!8{N+CQIa~^KIScSO 
zE%K9w)7}`|K=e1NjvEqy&t8S#ZZaGTd@S31sw-7pgc96J7^_{ygr=h2DPJncw5;O^ z&j#;`uVJs6p5l!x>bs#*9R{pCrPJIO@J4tvB=#Bhx}bJ;Gq?18%*;V)6PfFmRhnjq z40yFI26*oWFO~DB6~*Y{lT7ZG+R86{pbC0gy9^{|>U5W(8-(BW>O_2Hy6-xU% z@Mc*79;{Mu6jeLrK!Hl4t^DV8&&_19b*wGABRyw)2RInEu|r0S^Jdc;ALU=W8#J5@cXMYbF1j{v_J<8xKYOQ_Je zduSvdw0m+K|J1orC(QQ68;igR-hu!keOHV5zh745Wys=71NeDNFWK5 znDGVzSWQzN7Vt3@<<((7WERs5M>LL6#Lwr}My`SINKN>k|IFjzJy&euH@=O<)-_y3YsL$5J0CNlMiSV{E>2HP*9n} zQ36>#KRD>ig9NnmgOflSqA+a5FLZ&D#sJq4AktCgp{FLaLPUo|SV}X`nzV+V^nM!* zF)(`;04FdS5t$PK6L87zC->{s5ek8ngi4@E(y=4WIX>ic8NJUA3+9X()pw=e^e=Bh znULgA<_R_@+!spX>YMy60AxKAmt<4dw*Ow*v%?^y^iIMMOe$GaU=4CKOPj~4DY11k->u|FU*Za(1IN>7*wbegN+V~5#*e#1m_T?0OiE^L5ahFy^?&& zO~#@S=MjUZ@aEzD`2(osb7%MO?&jp+ux#A!+(F~Vg!!@_qgcRMQ`^$3pi%LyIaAHb zoNyFpKr~9o#?m4~yol|vFE11d4X!PXb%n1Gt5fRul=<-4O~#?(5FR291?%c~44FeW z4-Zfaq>ay=-Jg?_lk;o!!E`LeF5p+WQ8(yO4IsY78lD|5n?khQgqrA3B_ z?R5?N@3%frj z2ZwFa!~+{QG=5ANGBT_$>zdk@Zp26xv@_MLOiaw^gexH%OL_446&WJ7!@f||3#Gxe zrD4Fpy0SW@j#yZ~r`%)&7J;~`3P=P7fhO?g;T?~^3rI^Vh0l{aa*5ppzx>fFqoP+r zQ$!TMQRyXLq!4zUJ+;iFX;(y&+uf&^7nkLNICjlghQQ~j;Kh;NrspNtY|!+^F!uPG z6GpNGYP^bYwk#9u5GKgJOoIEiq^m@3aCWC}_mP%p_z=R=Lg>Vcdw= z-wL?GAiC@O@^2lvnP!!H9+ST$8o5S_#eOdHccL+H#`0Ys4EM-bdfln2)w#Zw!2n02 zx@J#3QeeFvbb;lwe1_$RgxqrRSLOW)U~i+G2heb7;9tWfx8mcPolt7nCNt>qg}Wz`8;k@m}z*DcC%0fG`_gLRkZ&pn4GOqtyiHMT2R z6HC9&Xk2V$<&$?z3BL~5LPk#LSP!k~jLJ|*g4u#Z>#4tBSNY8^puH!Zs=lbD{l90^ z6)hS~d#=(~7AJvmMn!Woh=Hb^oAGA8FGWzB!nm@J28NtJWN@89{lE-0OvB?c7ydo7 z%k02b*H1oGa5b5K%beH7THZcVOm#QV$$c|rh>-cwLf05BFOVW^Ux6O4T)NKIgvU%dqE7s$7h82r8JH}wgDV~V35lW zwkDB@uM8iM6h~pDm_>>+4!yimfpQieHd_etcvTK$*3~Ud*WE#S6gZnhPt*c4nKsfc9`1C79;=?ZZ!S z0gO#xxOZxsHii=k(E#~_GPpFtN#iE#}%#9nw;a_s>J&72Q9N?l+DVUcq6Qh%! 
zOwGVELHXw2sZARNnu5~^N9r=0!zVm4;2i3 z0E4YOSRSYt)DJz^#5UE%OYJ#6E3^T_-;kl+$h{dluP*+)5x|-k(cO(L_es9@e)j$zz{{VP zjJtQ0ioXFYx;r64DWP=-RuC8D1%03X<)MU7LaHEiP#%PmB%a30#Z}mKP_s_%(-eA7 z`bAz0>u=g+BmInl{G?kn+F9)g-N0X)`r3v+;f}ah*8xoe8)ZVj@PY2#G5D;xukFv= z$DPej_%J}8#73ca{6DQuVN?Tqaui*=k54LY9(mgQ!8%?3{>kgXe*a*xT5+#@_o29n z+vQiOjpF-AbE$5R42Sj|J?`8o{)U59;P`U>dAsQJtFJtFNu2m#--YjQ*mgU4j=l!{ zDA3=+h<@e0n)tnaWOYkj-XqQP{Wjj2wJUHceoqrv-fOUI z->cXlt{17kg4@U=uy<>Vjykc0f9$Jc?46}P7pnb;tio$8?yqE=F0{7l4X7_J)HcD@ z!<;#zSOrvTm4(lD4UPi3S9AxySfA=DehfS$p;Y9$O4nDke|jlJbFu=`hv+Z`YBU4a zt5n|MT9Q6YEE{CE=QRZYqcZCCQ+HM4&4{`cT19$llwQn0^c`?sZg=221PV0B;~7vq zebgJc4Y|+P)1Ei@KOE0*_x$$aKVJVc?bBO*$Kr5r>(4*i&sG0;O+)L4XB#%^$Meru z8+r}D<;BkyHx8Okmkc0v>BZm-07MIx{hF0TD(>hlc5v>r$N@G-xJIV0#Q$rwQYBN#Y5ksPQuNse8v#%9 z<#$l#TZfP0`7B5^52!2YehlTCe%Jftr_+lg`g(e><^%nPA{V zg+##+F*$nfLyI%?wl^49Dg4-c zX@L3*eZV$yroNQ@pbWqbXpwyQ$ZWA%M5Gd#gnMX+1qSaA>)$sXX(LdOn(pB-;)*E?pgsPb1>+tE8EUvbVRlH@7z3&5fM)ErzQm$H2bP zYOFhjtJJt|+vtssj3@O@TwPT5=|pkRstDZ*+-S$cNT6n6mB9FKw z;4&v^g@x$NGhSeK75%*7!6$4Hmcx9l$m6jecX}NYNhzL{|gnP$zOO zb$Gef8Cr(!(YRcmyjI8-4_pgtRGw5xqBa>5@+AXnL`D)}SO|wbcHEo+vzX55$s5R}>w6y}rzitUFj>S6ll zUbPdtO1h}fB|4c%6;NgpGF?FD9~2L_d3h*FJ|V$7xYwM@bGF#-*Qt86p7o9fRmrzH zkFWbR z7Ah4HXFbZvOLCftj;gd4u|%C%Cl9l*wR6UuZdg2<<##lk748ycV6x>Tgz84PwPkNi zWF&EKa9fBD>0tWye`;`>bq$;^$u`|~k~!P53%RW&bH%VGnFi0Bwi31+^Lnm%O;@bK z`DJB+vw+!1xP9$?%i2}87RxsQ#j=H3&`>m;*3nKXE1G)cr*&j$O+L$Nf?QA^o^FlBYiQp4ORZQ zwZ52~vK~;+L-+rPpKbs zmjZgEEjGb$yEl4PX`k&!6l6DDnrVab;;?(pw){BtLAPramz&&~2 z9a1^~;1hdl)EZ70;dF)%Vf z&0~IGv&;-hJ+(?7Sdkjzu+!un7Y?J|oO;Y7QMJd;)n7zM)T%Ff`YtbAI#}b0Hd2$z z+i8{Kvz3Kyx`8g(HL~SvJND5n8yJ(1kmF438RG}9)G^fVd|9_(={eMJM#ej}5yLrS zBmChEAO383`-jSuQw3uf*W~(v^{K<^StIZ}s$`aSjFxRqm1F)qgmC5<_~QXzs``P{ zpj!dZNxr<29+< z({98V(+0BreK`3wO}?4Nf{8bF+M1DpKqJHt9gBWyI5|1+{o;nEgP6u<9>^*3$7763 z(CMr}_x5$IDV=G@=VPBj{zKWobJyfQS{?imERH1y7+EwlZu*&Lv75v8*N%ARVG0T# zcHZ>Ev^^MqTuu1a;Z76A&!;~c6V7H-GSd#?+SOD^gNxy#SuyuUkRuK6d8fTI94@O#MwV+ox~(49;|0dIu3a|=BV4bw 
zYjiNitL|8dhX-MJd(yEJ{?SDZ2|v7IA!9NR5%N?y24E`0Env=;c_yeEXtfYLfN3<}M^c?O~sYSiwNC_+d%+-rP&8Q{MK8|}-O!_thyw@8lz zTNdFoBugfya3A?R{?0pQe@zb^CXEK2H}e>t%Qi=VV_h&ZiaP4gzE|5RMB{9Eu6z*v zp0}uqyBkM!%`AGI4R#65#)0euyfH{U+&dg^Hx4t8efGWI`b2T7QBb6p3tiSt$XQPh z`%G7p&p%>4#gg5kvEZ&=Vu$BUZog+qJeaPxm>vo2PDrMQ!xK_}OGW4|L?4 znmR^^D+Ah2PZP(DP69Ie8f*HjYO+L{Y7fAI4P&fXt((pmMJix>DwEk=781P;H=GW7M(7pFVE{DAf%>kiIZhoo?B3{J3^#1lSoLAb>y*Ye1C0 zwI?@y5IdLj9%6z~uUs9&}A zuONBCa?00Ra{ws;;aZXo>>xuP8)6nZBOy zSGRxV-8rJ?_ZYgy_&M?%m?KMRJ#{svR|J8MV8de$=q4vX*oXk-G;80Ty`X2J`yel$ zhJuPVsHqeos0yc)xNI$6)3j`jm#omzHBz$8%C=1G^57aeQ4VW_!)B!0a=sFE7()^e zkHj9)lf!<^WYjrQeWe+UvQ{GYHx`l{El{(autYT|8vzDV;oWdC@U9|XOmwFO*45ya zcg<3kcHmf-D5<w8hH1tu{9RxT&_c9|G21~I97610RvKzP;w(b!qHDGau&eimrv zNC|Xl3U1vpb#p8xE|spWsbyIOVgts22)Vta@;cU8%#OvD1>#B?>y^ynThgp6YXM+` zkZP4NTtdb!5OuF>R57^)E>)LxS7~CiYyV`j1Sv4lSqsnNRIMjN{?aJJ8=&2FCt(=C zUhV2=!@;m+9f3)&=~!kd^dv@3=<=f9mvdn=$iXW& z5zrRtIMM^XX0$68H~2-Zol<7SsNc|Hy_Q6mCQo;XCRzgO=*vS-&V-^DkQ(k#C}Q~Q zhrm0h*(7JkXLdNx&$T`0)YP4r1pAUfv!NXi2aV-}>3+f)Lv3cSm8U{c2X~`}>=?D* z3PqjPLc`!AafF#rv^oRnCGlp6-xx)M#R- zZmo=>PK|PMBr-e3xR$^l**l#n=rfT7pd~5|z9me26ShBznIDuvpa;p)BXjhrv*fYK zJKz(-NoglVvlP7vy%~e>KC<(i?{Rm-{Ei7XW)99XvxnR~XZDcaCxS^yV?a}*~ke=!XNe&M{JS#Xqv^-9`WnQDS`M?2e)+_%{TBcfB>ND5L01ogtfH;k`q;=aa3C z6eE5?7ptQDs>9g@Z;^=ntTcXYXMs;wZjk;c&WsgLZbdX$Zi!|_pC64nxl(=aph!3Cps4eCP;_Y@6e&}ERGxB{R?}Q? 
zWDaA#Xd9j-7qGZ!`IB9as>E8y2PClsO-{+>6Uz)q!%*@(F7raN1yF`457Eq%@P#vJ z2UtuNozmb6v2im4RSgkGl?B4Uj5(-Q^)wSJRzpHuI?1bJ3J6fpob=7@@|biYELl8#`1PKKM-?|aPsRm#Leh&F(*ajQWGU>7 zbP>YJI3BaGIl@UK#vmBNYY0(hLZUI_1knU-NEfn<0@pSty8vU&c$x9$h{Z!>lA64D zMD-QeP1lAwPl!IwL=zY-f}^kt;r(uV59gUQu9|y5iZDISNCO=$kwvka(Cx+!tmp~^ zr*WHvsQ=-~fKc3=FFBoX+-A9R4=Fnm$tv3(m!mvU;;N|N--tmb7%g4 zNI4BDad9H!YXFf}$P}Cz>p&MvFtyns6n;-=U)UzF{T<0Pz*o-l*sCdvQ5z{Ip*FoI zYRi*ISpY*zIW)*sc6+(lPe>ew&8@rP7yj;J-hw>hwx#o~DH>*DP0;M!@uUDL!Z7TR zFTbz~rcm+EM*W7uINu+~xWlC=+jXGwLcw9kXnSWjs0Q3e&EP;+&_9oh_A%gfN6diN zJXFpD^L^t63Ozp^LxnNW2_3#Fgw+r(r{PK8TtgfufDP=;5TE0s=8ds|RgQ|H0YK2o z%?Cjh;PeL;BF0nBAQo1(Ga>Ui9)n{lBVhZ zbH@CPVM^|NRCBJ@hbJ1;C3o;HXj8XoEs#nYk{*>_b+<$Ggr!#n{())4$)A#T$u% zO^wO}GHlv2%<`6=@J5@aX1bhLb~U60orL(2z!U1f#6n({0+odS#@L+05&7N)T5vOHt=vVrL5b>g9&>L)L9}>N%y=;2A-w7OD+Z2grx7T~^#yZ5qrk zx;6v#F$}u$!t9@j+$tDhO2Yw;FRNJ?4QAs9)ZCTd;Q)>rhcH=CkXwhQaSxD>E}_*i!K$v=fSi_tFMfY6SX9 zLUZ!rR!MqA zJjbT4VR^c&@u>rIf4ZCrs%u)IF5?i@f!U%iZ;$C3PBNFV%5>m{najD&bPe;&Wi2!v zm?O>Q>@;1|RC5{Enhwlhb9tLh*KoGEjOC^SH{M*%{ibV}a4u`6@4#H@FK4Xpn)dq3 zIN5h#R{P5v?z@J&&1FnC9k})8at=6M!-jKNGfoHQl5;s@PS>>OT*gVK1GDN}-mud( z+;%S7vuoJH^+QH_Z(hS`pV;2bJK8(OSYZ-PfBcgDr|V`jJrR+!ffC(!NSk?%U_CHB zx+iriQ)*L)TpMUI)f$YihCZ-5IW&b%GeVA0BATry21aRvlt?(|aZ9MP<+h3)SD89@ zatFxfDNC(nQy&wdrW(ONe%cZa2ezimQda$6m>v-S&S{_;qEmmLcfb`4^Y(j7CyL$% z-5EM;(1p^qNk5hzO**Bv*Ut21w*`CY%Bb;yRfaHyV#g}e-xgQYYqy=6SUxq1rvDhQ z{VDf}10jayMj?eu!#@49bYx!DTJYL~K;Q;iU=6+VUwH`7Vub}yvvgzVgZ5S^SScyy z1OwqAI(Kwh;K8@_^XRuUVR?wWA_4S^C()as%NP)P#S~XcI#Xi}&VZbTLu?W~Zm`35 z|Gv0~EcA+>IH-3Bb~O$iT5xt7vzFsfKSr(Faj0uFmv-xM=q5!5%8=RxnT^H%5GD?T z5A1EQr~yzL1C>699OD}jWT!PA-QdzDxD|0(fE#k%om*f<=h2_>s$DpAou=$2<6w5^ zjT3*i3EU4{hcedPQ0M$lT%Uz$2Dmf zpFxf)|3g=IjK&XA*WexlBF0lWn0uJL_;Y~cLh%zZu-{G5M8^?WGBAo-5auD zQ_Ca68uj|D^9cSlv@*X*dC~{HsRPgN`hsHap@a}^Ee~}u*jBOo|I{5B({)gglszYG zh)@Te8JZmva3l{Myl&?>DnB3~+dymMzChREQJ!-GIDwPzXI%d$^mR*^< zDN*jp>9=^$@pyWkA%~u(?3@hY;Y#c&?~GxW>QK=Tf9T~}_4x3?WM-zFGE{mwv!>JT 
z8^8dc&aQZ5Hw`}O0!`L&NLkgf7X-LC(8jz3gajJ8i|_%cr?kI z5^`)2mP&AF5jM)`$Vx6LiNO)`z*OE+XBQ5$A`iycX|iU|jl5~(fSLq4V6Gdk`!>IU zIyfRC=NyrIDSIv>->%`*NisKwhCYvvc#kY$JZJPD0;*%5wKQL12wn6Wd#^O%x$t-s zc?J=8>Gps1p7eYS^h0`CDKy!XfO(+bNNqyh?f%8l3ZS}?c6`H&uU4fcw4 z9zrq5xKR$vcIcw^>Y=}>)6b;Y!nDZW#@K)q>YdW&+Y90Nd|hyT*x3U*SUwNZ2Qq~X zc~g-%l>v#aH!ZP6GdCHTc{^X!?94Td&IJ3il zowwYUW&OgLvq?I1>>v`bhskp{56CXE3sqd3lhr1$2yFlRB{W(IMg=VHChQm+DJqX0{S+#Tlu;Q`?R9ELNC@e3far{Lbd z<&)!xtK{@eWeQM}1ChFRa76VSj=n8W8%>0#vqOZ3)GI(oOJy(O`UZ9mR~O*G<^huA z01ys*w3u-zWb?S$Iv;+a3+Keac;F-)eZ7hi01C8$GSx)q>H3n5m0Tm2W6W=_G>5}7 z#WqVKvi&uU{hvwXCk%0`Z0JO%2H_B!H#R{VTF(K^++W-EsepnCW{+(FY^6_2*FpyG zrD|J10*df#AhKirlC0^OR(I&T3fvM%BzFjh?DrQakikMe56Jdso|$LDp&;;g z#z#Y&4Y0@5P4C{YEu;cmRw&68Ze5lVP93`e*S%nxP(E;*HcO?)#pq`M5{UoM=8mr{ zi^Nj%iKqk;Nng{j6p}+_@JO2ju*87HzdNJ7M?majz#RjO+VTKaNCW(KgO4Wy6|U^J zz`2VNn-X@4}KH%j}1|UJo#Txz6=C>tSEm3nw79f1VBX?Ho1kCXdHOn z)1S;TPwl09Pv8gBI60`~F3FTPR6}1YQ1ygC!R>)raJ~Z@y zzbzLC)WQP?K-tx|Qh1sX@&Zc0DcjYw5C z*=9VUiiP7Aeo#ROVk4V$_Yg210>PW*pcblM%py;lwM5^54oPXecAj86O@eYV8G!W! 
zvrv5UIZh}iur-cvFtU;BiVX}EWYxxb zFBNo7xnf+EMh4ewW;h`<*c5CA$yEZh3a9Vw7?j{7lP?$(j5ioUcaawXb;uBkzrq&~ z3JL=5^+eb@dV2t!BLMxX4!lsQ_6Z##7=Tqw0>DB)-THtd;BTrV&^JA|5~_;%O>7Mv}>`kDMD zshu*P2HJ)DFIdSo1{w)ReZC*rBrk~>3dm4uz~q|Z06=kM!k_Rb@}1IH!UX?W?LS=x zx)S>?<=&qYewkIe0pAamw!1%0bj&&x#~2h9qe}*KFec`_X3N6&l0w7i6-@u24|xE& z1IUSDGldNT*kC}O(5kRkXcdsg6~LBLZWB!2H5mkT2mp~J1^68v+!H+5tVaL=a5$f= z1V}yDW!cPDjd^`L+!3}Q`60-##!12euOZ*eoE~&sFlkW0SwzTb&_0lne`v0A0bCxy zgacf0LC{TWsKe8kV}k0M2>mAT01j@IUAr3U!RP&}KGzR`*Rdq8UBOzjehD&=C-9->A7l?u5Kq+&zrCecR_ zx>I?rlv>5llxi13jSav@E>wql5CJQ&|5RTT+{5M;BPf@=S@*g&?`4cY|C%fGHuHJ+ za&YiC{4#8ACgXzMErj9y2gn2Z`AU#?GX|H)AH5m4L+*G_x;o^L!>3b=jM!^L|J*X@ z!~oy(V1qV;~G}!=mAByki?i2d)E`4mglppdM&Qpfd-&9DELCIiNWh z*)lFbK~IJrak!rU`TB$X+~N6ITkVGo^>b|7Fuc`xH-xdFixvK*B92=`s%^MOABn5^ zE6MZ8#jSLex?Yz)858Hq3@{q~0XxjSWe9X#!!d#1#N7ap(XIyZ1Hf|#f7~Qo5nV(5 zC@z&(TmgXhu&-0s`BVA8vjTpBeV;mtGbul{?})BR{4(mvZ>I89``!{=TYVG!<`W*p zzE@qR_$v4ckG1d3(ky-pj%FHy+Pi7(vU{gpbUYfDoxwjVV>iIL)-d*c@pX)Qx44dx zHJ82&c+K_q+`Fkb;8C1qUgMWhwT+J6V-$_7mu=$PQhR zFY>18V{U}S&eqXp=sFK}r7tdG{@8|~>V*mIwv6rpayjx>j^Q!*2EhF`lraQ6q)p4g zHw;5Z3K_`kH{~;Nfdg;LDn6Jc9@A~1wxO$oO6?X5)DjDu?U)vyEQ`ktSPcjVonaFI z!Z@5^;v&pa0TU9Emb#YAKrk>i3tWls=Ju$FxK*VRH(-ti7_y-Pr{;j_(P-$$kBQMl zmvOLW=zG8*(dfMAAg&rA_^VXd2zr$oLt|}AWZ;&joi=J45{IGyjtkqhX%?-SLNSmG zA!?CG(9d|EsqCRoY%Eq9)Vwx48=KC#Ji=tYT9ft!N>uj2=+7M)M4xj`P&ZJKGhZxP zu=Z4-dCAFvHe3WgT}0V*<};vg45x6FA;8Vqbhzp z=BUrC!-fV;&u|(o`8n^95(n^>1CChNj#jC5KMz53Q<^j$gXkDAwK?l^Su*+%X@#sq zqt#`|SL%3>-%bMt8?d6-l8U#m++VIT`j*SxLyOybM86eOTjR>#6|u3{D>$*~|MnLX7SK23A$JmoYlbC+?kD)8OOP zDV+newCG&iF2>%2MrT9qrZ2d#wU2L+FaBv`Lb+qB@!v*0HuB9m?d;$%q8l2qIg;?c(naQGz5Uh-P}vVXf|Yn2f_U@E%l=e*AbdNF6xbUyCNgAvlF~H z18D`d{+|L8$iNf zec-^n#Mlipej9k+{#5S8d18|6ts`Ihj^~8 zYDUc(YzELV7#;AOxF}K+I#c}v$NXGPH+xj4T+7rRUQO( zK&A~)DzqIy+VyP4$#$EM&D3dP^oF5_CBM)4@DZvzNxgKs^zS$tpjbneEKA%ecb1K6syo83L9HK5%7*jbsP@k4Qa0u1zIQ8&NP>TwKCDN3nQMD!7xL*?ojzSn7?e=h` zwA%yJ);u9*isu)qwY-cjY$(U@vFnFM`3f`ItCW00LV!S}ei%rGMniSyOcA#nnX 
zX5nIRr*BRk=5Au_)FKDwqhV!gL+*Bg7_&q3wgu|j=pjPH zdI*Tk?K#vsTs^<92dFjrG>^UX@~y#Hc|X`pFzHY5$u|6moO?6A8~W)=@_kvzV1<$k zJSGk#9!PQR9tt0cFdy)H^)uaFiPFK2fL@dF#tvt^$-T^sXg;JTZN;58J!m5-F^26S}|e>APdas z27rMhUor+efQ(e55x*1Pyx4O+1`jQxCz)AgrBw29z6971s;LD6zNbOAuJgO_z}%pA zOmK2>BY-sI02{Li6-katL>h-HDx3-n{DTb436D2Xm<^mC!Ez|(fY1)|+N6Y}>$|6F z0u!*#%DvLBqMc}_m=P`W`lNkjM7ywzCU2E57WxAQ2x6OhvEZH%cwDU`%;+A*L;pL( zfhqxehVpF|mK-a~veBc(-&KWpIL#h2(%E%<>D?PwNZxHmLnxWP*weVVHjRh}4BMb% z!o?8KSUJ2wI>!zO%B^9+Fb*CEl>?64S^|DcAQ~!q9W41F3tpuz#!A|147^$9!NmzW z5V4J+?vYnh_;?Ug!K|~90@K3sJ$=pZ`I2H#{dy!|E(K2>e86fL#FEWe4nG*r zvyNv&DjVvQ~hqTAqQ+cA>*LBI;h1~Y2!Ws)MgO*VFryLX2_cCQhT ze(z`-ZK&}(;G`!Ab9f#K_J*Ctu<{uRzs^7t9wc(>IJNRwlDN*o0>N&koSzmew1~`=xePcSm`jJ1oyKSf3oJD zYeWUXW?+QoMT1HZk4(9E&{(gh1AKAkAk~H|VmR%!*5<+R>VclSx}fCmCIj|DaWL)= z*e~wXq1Q0$RvOzIV1CP%nt#%V!H{8b`oe0U44^Ibcp7T8r!LZ&%K9c-f2~!Rplq!y z6J}n~YGp=Ec9;`8h~@gs7}a3Z{jDBGEqw6u?fWNz6vR4!gW^aGh<1?D0bTls(k4X_ z9+a^Sm_|mIHW!+&)?D&U?!GDe!^gb?AaAWxm!`>0cOSHWA@luVu$9JBD#}#ufiM=v zd)=D<>V8Z66>`=&1X*ub@&W`;+&HrTY7^oR)?!fp*tiWm_GPpycvxxo%wZ7Lb&CfK zf#!_S1y(b$o}e?MqNxSbC=$uwBZku}v-~ZrmRSA#aU2v9jl{z{%O^j$5Cq_56DaJKgU%WHhM>YxEN1n z)nv4{yxnr4W1HQw*Lz@`rwx4K;I5muq{COJSw>cBp_mWd~6p z|0&=UAw^TGbSi2GEeQDokAk3i2!7RN|IA~p6W~(>bSe4(ECMnK1>d3biGR|X-6&ZN zK^LHP;`0VNB>*SDCMv*1hd2{_H&~l=&Yhq|J_Z_BaOMoW1eyXpGytCJ3p@tCg7o*2 zq$QHFj~?JZfr36^zxN=2v}{P`9c(Yg3eo#Q@FTcn>jf+X=LWw?x`ZXbszepiA=nV; zzq18*3xLgH_yS>rsCkO?mu|KEU?y`<^)3u%34jiW2!qdvx@Ep}QLe;Dd9#a<&NdL_XT# z4=$_`3g9KoSQxTfe_P+y@`H1j247HrMrqQlq#r`#P2WlXe=MwG zaG90Nxx!j(VI7m6=vMg`b_Eoxs8>^HRbap56);lu1>p0Q^-0Y3pPl`UmU z`3m?Rd`NJQxX~_>CrF7_p$$HC`4M&OG;yy2)dC!VpLBX)jr;+qk@|#U54H1$tJE^J zOL&3vE}c!Q(>G#`R-+Cg#agNjVh%j^-}kX50CX9ZWSP z&ma#P2p4*&+%vNqaqO3Z8>d9S-53sri_u5Rma|YQ+i^uaG&^&xbCYXE@^Z}K*d`Vl z65jQ!iCD2)lDaq~LNiBkW&vl=1||XFVs;DllBc&&6h~-3m=|QkMf*IBG)UT!!H!Q-JN-&K6 zn))^)zb}jm+o=?I~-B#FmYJPw=A7nruhm|kn6IkVt0g^I~2xQ33`p{ z1dc=Q3=qdx9&tIZB-Vg$cDzuM*frC}PlUGCi2QDyvZ{YS3?B9t{rh-^g#@bN 
zW$be78FdFz+JV8*6`I?O)6S4w4Z?4l+cy9&Dm6&#F&N_}Ma`Vtf*;VQ5k1$@D?f5l zZ}uQxEC4p>lhF|A+&~EV=omWmLy)X(yn{>_H9$qcQybC)WGGs)T1#Mnp_rZcjjYfq zGStbn__@~REz>~QU3u5KF*pHMHW>L7nmjv??f<+T3@pUfMWrFdVK5q_;y5|tREOGM z+5ci9ocpJ~g-fQb>FYLbaY_(ehv1E&bvwVj94WWcoqC^gW;+-M9ehVX zF$O+{&D#faVVwLG>r!;Bb89dc8q;2TF>(y35Oc-)mKv(x1C7ZvMgoc{F%)GxaKF8T z8G|PbAx);CsP3a7x`a4jgUllAwWDL}%QeTrjm+Xztilznx~?#Y6YdO}f6Q_troh0( z+k4n>`}bS&;QzzBfM&PlVrFQ)jz0S`)$~zf=)fRjpldE>an6^e2`Yjxm-UB_+Rc|2 zON0?{DFxa0P#@zVc`)DyYI5Jq?art%ac}^uwqasF;=~Q)WC!$aqQ;5&%qQ3x{o9D= zyf)|r5&;*%S3|NwZauPr9V(6CZ^=DSp$!9i)(v&u1M&+7WvYWiOr3{vX(#=XWfFav z)CC;A9Jo8m%bn?9a&}lj*swHpEyeJ~V{E}# zX7s|Xjxh|g$)Z^K;=2b1=96o+QeR_D?}aJP_4Z>92Idkpaz@%vz;WII)VpuYXR-$> zWnIm`lRVUofpMdT>l4#2;LFuZ1B>YQSlyX zNYwE9Xoh39l1{^ib~;wF-~2a9Y;JA2thQ=t8vA1(n`z7c<>+g-1K;5eIWm^&)6wXN zGz1mLx0A@uM0@S5#fEGSYP0);ZnfLm4Oe27pz?wIj_|~5Jl`B=c*Ju~bG%Embwgaj ztBvQ5cMjPTr*gLYoAZcEx#C&Q@0LS6@9M^PhqI0BiDQiqL=FcOt(v7W$VjCR4Dm?a zq~<5h0TMqJ41lM(%4y>R6k8*Ki?J)q)`1mZBdr$0mGuiXXlnaRO09u3c)G%@OJ;Xz zRe#T*#VDO;gseVNd-{}d6BDp>Azq_*5~Th^|!LF3u#<4w8tbaKUBCWyx&1o7prB%xmw7 zwu$}+xoLyYx(^+9iZL-2zb|n5njz7(1uY^~9oKTBJEumREg7!=*MuV&Me2QXH=FfdNeE1!FMBzzW*dS!jM#E#+G#M)c6e<9B<9mVthX8Z{aS6C;Mk@HM zh0;B=P}{F-hQ&)hw@?iSXv~n&z={=^>n>qEnVLPc4#9fBBL>*^T_$k0!aME@RVV4e z1JyTqQ0*ibstfUQkwtJ4#_Yo_+{LDc-;(!(YsXZejT^b0u*rau)58ns0LTiq6p8=> zthWRWx{`d!BiBP3(t=)_n+91@u9WpPi3t9Pf+=ZeXH*oRO1W0J_uD@*&>8X7F&r-% zjMr|u1q5TsIUw6Y@>P3a96=cv=qO}3%Fv|BV5Bx6cmrMOV<6pvWni-LgEh=zx#^S+ zj${Hp0kTQS!k)rU?1K5aX4;)R8 zh+XCBM)jHT&}~2K*RJw(qx#G^c-znVwW~bcs6I0W-uAP8?J7?N8{CZ9nVRuJUxFI)YKS(rG`(;s_7|c0!0D1W|zz5<-{}NgzWKiBOnLbA;TQ&(orD zdw@R8`kWgh>>&31=!N|60T#{B)g4)O7qdoNan}sdvuuVew#dkQMw6}Qx6l-h^HRF8 z1*qHWeYvASgzU=gE+4U?rFE5dPZ8Soe5*8v_JvVDkJ4xc7G$)}8=2aZJjcbFdLcY_ zwl}bn+1ZQTpHnEg*&_oIV?OUA1JNSqZO3e#Lb#=l|0OHY!GfmAp!M;4Qwc!mLM7sy z$K~6U_1AA`4-7>GvYysDn*Ap%w}{;}&PrdC^BeOv6yFmOgP`oZuLi5BqDwFh(s3cf zGr@0_Kouq{;Ksf&EJVE5W=$9K&5P|A7`po$81jNsj#Y)rhGh+kxrU zi+`D*1_mP^3@Rrlc9f6i_v|dlI4mk?bpi&Uhn95IergdM4Z68svtHpJS4m%)hN{vd 
zNSlPfja92@h_7?h{-yCbL|Z9qs6IC;_%}`$A{dS!*uZXLKjh4JPOPLCOMT65B0oT7 zrwW6k8p3U8hd%=!cb3%^ovpzkm@|WVM&YK)MW>1*6MTNz95umq(EhvWIK~gf#jFt> z7#BGwpqf^KxT?ILr3%h)Qn=N9<6HW{)X9ibG%H_QjFs2YpSIAkFb+?Ip?mjXHc zg4tVH-K46FqaB8&kgl`x{4cN6f9_LOh(Q$wk_?36z#5aI!T&`B6r|1J`kPJ(jrg_Y z1ntSE`#`OFrWDdmf1xhvI8W9v;Au>Rmei6O(GseWm1&=AZ$#UHBWG3DJ%CycF!(Jm z6awEjh-M>i_lmkC(2MPnFYB0-R}UUSArt|gmSMLGMQV?Z<^HS`*zn%Q;YPs}^)^hf zK7e?e?m|afs;UFX&Ov0c3sGNF8wvdJ6D3K*RJPe80rn~ZXR@WFQxJo0U66;^LcBqy zgH8_90hhp#htZGwyP(kw9&%9>m<3fwLKk72Ej+k2RQSM$|Lr>vcYzcIEDsuI>qh<2 z?O(yC{`3~Q2GDR~-c47x(B1A9qBBrdSD4I!0dy1qM-xa%07C#r0JprD-#g?b{aiWh zjkXjifCvgPgW(XNjUlTb2q00A{K?Ss(OnZzZ?61uWE=9ra96-0LCOl0lp~Y?a0QTj zFp?v{VMbj;vI0JWz=jRF!MRlu6SS5Ynp$UNlxKT6RA`}Q22*vD9 z!N?4-*UOs5k>c=O_>+ZR;9sr>Ef)YE+$QeiCV;_3fDgG#JuVHdZ`Cyh`3vbcjf0Wg zAhDT@oD6>PYt0)Fxv>zGPsH$VgVm77tttYgC?)z>PBC zR8JIy^mHt}-@HA6D7f*wZUZt3I0RfE2?a6~NFWj(Dx`J;^oi1$*HGpDQ@W%h4F{+J=A^L_u17j%q#2BKRPKknMl(AtfSp;l5`V<>uR_*))3NySM&tyF`}p-H&k zDjSB<@sxYEtorvHYM03ALGf#ikg>&o5B*$sZP_s1rw^sym`s*@z6Hh$$u?HZWElbkS8e=~XQeOh);u(VRwFFiIR@csl$adLo zI6q6xTmX2ylpq@AN~Rhm@5vU3q3=$jz$hh<0AK)eNH8B@Cu{)VETAGLA;21RZJ=izz#G6B zKtLcMK!9%mAYi~LuwX28-~gf=0+7q;00L0V{0Ytju*UNT1O&+wA_c(6EItMSkjGaC z03csLYj+6b16F|qVT1*4g9bo+v74ynE-$Q z(8|it%MkDYurOfFFp$j7K+wRTkkGJz^8gYW8^9T`&=H`(pf36F83E|eAh&?IwScs; zu(%-7>Hs(aNm&ADc>{@?1gyFR$Jhqs?Ev)y&=4Nt%~qTO;AjIYI?w<@&`VO#SYps> ze59}lyvzwiSPCsME;2AMWo$VvcsMp+HZ(3|Wny(_iwf*6{Wp48S^xk9=GL@E0stWa z7IZJ=qvU2g@BUo?KaoX*Xg!Ih+KS91FPE5)*WUxE7d7K<&#P03tlkT`tZ~;@Q3CVSlmh!1}WDfnNK_3O^ zH)M%fk#qr|OF4&UbJuQ81Qo9k|MMsZGWpGIs*n=Qdj9QJp8T!IaRy+xuH-EE4!gDS z6G6WBMoh%1j!5%Uuesn`X-(J8Jk$aw<%4tWQ0q%-#T@I z2O$oN8aH^#@XvBwgrE!vB%FCPAajvilJm@0pffTMd$9K$w2`g9rwH5llziu+<_3J+ zp|>%m7BfiDS7~g(Fv0c*XmCA%jVU7rvyPnZx`|6(^)zEk;485GAWnz}~+ zPfHXf-a}pVbO|CO5uNV;IVz8&*~G8JM*MKzO40#W3}U7g-mb&C?2j<9 z|IR=HTHkYNu_~Di)Q6tyIw1r!(q3lu%JeDq9877gc#&9{L!|k+!f6zA7&fH=H9q+d zS^b2mJ?g8K>-AKi$e*xpLy!dhxq=CZbgHPyVhG<16$+EjVAD@BWjnMC1fVOLG1V$} 
z(}WVT!9P1|G$Lxa;R^DbX-}s})gNueOM#(hQ6G$>%`UMh=fo>7rmx#sy zElaa6*Z>91T>DykCNb^{Nv1NKJC!d27EL$H2P*b1Dd=imn&OUE$pb#%X$wAjd8ufF z|L)lpnO-cE#)N^&3{JxV+c?B=>@Rvj)nC6=%jh2w5q-w=r)Qql7D=CfFW0HrMwF&# zlsiB>#jSes1Su=jdQQ&c`?c>q#H^6vjb<`TD;mzJHVYSrh`&$PJI*Ht? z71Z;{!wOYQ3%6zTe2frjG1Di+_u~5{i3al)=^_+haKTY*}?MTEQ{-N z?fB89;llB~4mI!m9HA|R#UbsQ|MY1b_#B!v1jDy9Eb&5{;Re61yoKo4EfSm3x zCXCL-#SSIkw%v_maag*BT=RoIP-jo67WSFRKH9)lsGbgjT~aoUA>vbESqBiY6$w5k zk=dIVM9Sc7KR^oZ{*Q5|-|L^nFK$2a#Plp_!yHxmv0L;)qQNK-T_>5XsE{iUifm(N z(JCy-B$j_-lPUak9HvhIvl?SEh1G$ZN&{FMn$MOXo&IeFB_2z`OT z6Ft~6Vw8ML>P?g|P*j}}l?b-D8B&O=qIpcPY|FO+_9OeL zNX5T3$CD#ddN$sq(2v4UX&!UGTr3orH(E#lx=`z6gf8i#pG?x9Y6&G_UnV~StGQ~ zwaPXP4}4<)D?rr0MG~LhTWVK@B^76buWcuW;Xs~@g1BwHT$Fg{Amn$fJU>?=4CcnN zH=lG6wY-nC%gcxW=8k?_ZvWdT`5T(b7J!`G60?&1`JTqY@*QkVOXnaR;~RB=QC#?? z{|;lK3fI+Bw*C#K-dN{98Se)%Bijz1gEg@G*{u(w`_+kHt`rz!ao@RR%4AlJ9EXy9 z=kc8d@VTtsFd()=ju*UZG;m@rC_EO=!6MS7Y2cXkIu&ix<8i5JJT`CEo~h3Y7e^-z%@#AmZ2-_tR7-D3 z)#GFwHLgqw`;>csgFe9o2`3GERfqH>&|3*YNm=#$VWrG~A|_jJ4_yy}C_350HQ>VS zR^Zs1{{}++WXa$@wwE{z*!X<&zVwFjF1brWuVy>?T@G5F#I$ zG3Hz0c3{{fNMpssC{s@4B{ysMQ1k;^h}yW&<_jAFRE^~sU)daAC5@UH&K)w>bwZdc zRz2Y+0ZuCA4t~3OZKtCq0X9m3k4WFl0uEwQ zO4^X5!*M%6G%9mJPi|W{Vp*guQ{gt-$jHxsh$V1kdkbBCMKG8_!qNTU#w-E?ZC@XI znFu}ZW6EoLDuNu5y?{<-{V{MNe~eKf_L3@CcVT)Ctxr(lI;pO(kim+zijlo;D&Uof zG}KSO;=q($r<)8xi4*ppBo~5>I=i41E5$VZ9(jv)XwYEMYI+?I2SL)G!w#eAl-L+r zb%38EEtnF)~b>fWQ!znZpC-KX+hUJg3yxQE%g(y`L zz_8EiV_!9;0zcL!lqd+1TNp0h1P#8nzkxpCDpbwJAJ(pWYVietf*^0%h$hn>Iu{4w z4)II1Bwu3!=+p;*;UwckNR3iG)pPYc#&DT?WYT|rBLFy)e;dbV>1HU>?~|1?)KFRa zS_rZ7=|D`ps6%h?6SIyem*RpD}kMK2#P3G*YhO^KnnDJrlx0*5LKgvyE zpe6xoy_x@SW3dp$1b<+;3#;W9%zyf{1wO&ybWJI3r4$2HDm^M6BLf@wInqJdk05b^ ziXjZ?vDe)? 
zL*d%H8gM(T79aNQAX3d~P)%%Ggc8QEbS2f*^Gf`TFPA1Uk~Gx%(3w;GHz~I~5zcdh zaI4)c*%Okii#5*1XM_(_T3#QDY&s}2Zi94H#>c{Ub%#rQIG*zNLV+=OVG}^9z;b%q zi{MsWYH-|qxa87ZES7G%>j4GTVq^n=Q9|2f`#(pCbB2R44Vr_w4RAv@!BN?x7YKiS z@m9RD!Qy`cD(q}SQ1B1Ri0tGkD9Ml%>pkdY;mv6S)mljw;tZt;QJ5vMA_b$5z~dpLI#?6gd|kjzHpFAqE=YC|!w!z_M*GCaLr>;)BYY zIneH+seD(eu8Px8F4Om?0pj6$_w>6qU@$_BG8jS5^nzoXcL-?@yzVD?=xX7Z(i}4W zGpy!1*~%@8rV>+OXw3)!u->|p9}VZzJ{E%rE78}oOVeRqLah${f68EOz(E|u>*}hRI17E(6kYnlu$uQ zNIsks*BuwG-N<92l~s;&u9V5EZ zCN&3`S-r99E$K71Ttll_+X#muPgjKt;*azN;16+O)B{A^{JdjIVZ-$8Xj;}+sj<~r zK*W141lLmb6*Mg)y#`G!ifFuhB3M(vAYgI<>_-iNp({e)+cfC+Je3X;!*RtLrRSiUrv!KrJ z=a~wKUR`zy6C55mi6qK?i2&K`zOA^ZAHE!je5h&^Ke<6YG1P*K&X~M=NIIFxL}&kQ zEo>|XAIuETMIi0S1W+_{vI_l+rpqj2oNmBRRy+EOftY}L7T~DTSe*rVEY3USiqyR^ zp}2MMD#K?D!X^>8BIb$dX@MIrXH-GHCLM(RHel5T_*|tIP5!lPh9$i78FxTk(jLnx z0y+Q5Iov%UTZKH&n`~rtb|{aZ6cpgs2J(Jf`@O9bKIb~KfJS30ZGTFC?h2TC<&d^L zos3>JO7qK(pPSG4Z-4_rJI|uo!bOMC3SA$LL2PC+VB}kDaH6@`&GCT?9R2$z4ryACXJ>e4$ryMi9fqNlv+@Q8PP%igi$bE|{s(_ytD~L!(X~ zhd;Db>baIrjZSm77!9lo%=ZG9$X+-`S8h(`2Lrf!s#|-5=5hfujyRH)(%;itAFR?F z4rsRW*9*13{r*@ioFd<^8qZ_y9QU6YbjBVhi6$%Z1Fs*0)ob)s6wh`1#?uq>` zz%5d~38UN5_V#yn^LET-t@+dCQ-e7ynM>X2qLfZzK=KFkQ3iN46Rp6bmwm+7G_};& z-P!&1Hd1feW3}o@l@8PTErdTj{n_&x(Y7dE->&;qi|8s0oSF&SYSt1T<&4(@crvdy zwL9Z@G3H%o43&}9+7BbSuj9Ei?_W}JHp;)IXLQ8Z^q}Ks(@}-)1#nUY+#I+q*&WbE zz+ydHPa^Tb_Il;}p&rSgJa)RoHpFXNKTvs9hdAlT5?Q_*A+P-9YtR0Cl?~7!iFCA* zaRb=y44T&d{K_7Q>pFdWtNKnwNcL}Bq(gx}X9$Sp&zQo5r#&`1uoNo(z_cDxY2rcA zkxeYrgVYZO$;aA?TqyKc;ds%zs9Hqq+_x#r9Z|t0T36e70_*gi84YjdD z-l{!k9R0B=?SP!p_~2*S3et|ysv1{vMLoWkEV8~YxnXmi{sBmv^hM9!Q~;u-d(tmO zEdmhsh)0o4+ayOtx=X!B_)h7?&wzw0O5xqc9`(<(Wz~|c6-#HPac<`w}z|9G+h8sI{N z!u@QBMS6tsA~~=2qr@;I!im1kRC*@c!n$)`Y}*^JAP@;@;~8(#Yq9sI)ckUuFi<%# zfZ*eoT}mLBo)B40YrWg@@@((JLBG*M>w5tcQtqZlG;-MdlA_o_+OTFiypiJjX+2HrG=$5(OjT4me*J`JuqL#@p(0y~+G`gqhTTl5C`cMfg#$o6aSg6+ zJDU95gE~HTuJ<@R#bPT2ODKtU%_ZI-El8$-uRT{&l+w?$e>DQE&FpFZruq)&|jczI06ty;FiC|X4@fG1PMy#uO*|ErVOcW<4> 
zWK(HeQ~B~ZBOOoT6{H4`6d{-MNDrOKLMz)O{q|?VCh~7SjAAu#t8u*b$VN{NTf+n< z(^`_+6i`BzLQZ%tsf!t4E;uTR*f>678*rvBp^>u$9bu}QvuVgo^3*_}fABoM7sg(; z%n*#Eg2e&39E^d>tQ#Bp*qSzONRgKV&O5SIAE ztz1~HqeZ$JpI1eWw~?l~9lFL56$2|c-d7<1*a8?{-tH`B+{GBtb2mH1}>rP$tXX0Rrr&lFk8QrJy zEsEd0@P@Aq2Lx(26;`jVDC%0z?o3AiaZGOt>2I zG$CzKR(oD?N`T(&W#@GN$9J{=9m3Y3k(bI{p^MzRJ_jN@>Hc67a^?SO(%Wq!;Vv?0 zyX#eC>TO0s3nAWNuEm=OzQ;u8PMi7#`*&b{^XE%!Ono{A*U}j`Px-I6Qw#y6q-_OO zpN>0cqZdoNM?Gxe19HS!9yK!VJu}@{!G0{eAM|kJw4U2yT3Fgt*8(P;SqHOA;j=c% z|E62eF>t`TZiBYI2tb+>`wtRi6y>I1PlL4m7vx|iXrRJ=dm}d9*6B51pR1kbQVl~K11tFs(dH*wqoh{xjQ==nCF2C*-xndl^f zEnj4FfC3=Y!jhbFGdG@=`I-O<=`ru&H|ACI?MDv*GvzCkU`|1ggoPsQQN`=Z(`ok~ zLi;|`xci)u*SVtESNHF`8fel4Q@5e>4cm2f56PDoyWk6KT-jSWnh3BVoPybs0$1bE~G}yR~I?jn@*`!E77JkTDDG6rj;Th8H*8K#k^BjiVc?C~Ea+X7{Gi z)&!BM&d%&hCHSXQg}??{j2G$Fu6HFQYbGLtu>T+%ixNKrr(?n<);}=++*@?5Qx!_sDsa&a&c&uY8gDP+YDYin+?T! zh94U3rp-H#cP;IzfAAje&|P&jcOxMBq=U0o+#S}O+n~X3whE-K;(Rv+I+(@5-=zT@ zxV|^LELHkL4I3L~4yzvxMWJG)sX$W{A@vFjWVhdP40|TY&c;9?Nr$R4I1`NH{4j2K zqy#ne%+uI-i3m}*{@7!o#5?T@5FT)e*ET??+jlV2TJPlHv`Vv5&M2+|aJ%6zAfK8@^$nn=LZ_$K}>QDMT(p+d_s=J*{90%1WRjegy9`)BWpwoNrFOmOO(arDpH3&sMnags9Y< z1FZL`)#a|9gM4rGzG%O^7OdGm3mBVA?2`}CMI9VugqDbWXW#O?pv>Bcn5ahK;S+ia z(z3*6)J#K_)eM1sTq_F9~>Aw*h(b!%yrt7n%O;*q9?fyu|9#P+|o(gaFVYT|`|z|3Zkp z+pY?feyJz0-1ESvlXX06U4Oz6_em&d_-wggf3j_kVT7Oqpfw@IWuuq6-||c-Hy?z& zrsRG%D+A_S@*%?;Ljx&VY*1#LS@bhqI?lgYI*PjRZBY&b9+&e_*i~A2?T+0!oxQSG z9LpGtbWa-((e1^N;1z>$ocQ4lZLNwGa;L3}YspyzsDvOZ!l0dpfzGT$a&W5?U>z~M zzcsOF{i!JlioLSsVn$gfM&u>IN^g5Ff_F;>O>Y^rEkMe-A}aR7Zxwt5BC~oPM9RKr z{o(igaK%;Ew+&1-jnFnO0M>`dYwvq=_y{$foyP#-*>FXUaioP=U0@|!Tl2wWyhU^# z0jLpErZawZ_~FhO29-B-f-?H}!|9E==IAvtU{M?o8Z@o-QSBAUb8r0U_TN4^z?@M1A0=s zR_P#-IHqb!XY}q)Fnl7Q4C=wWbAefSvpGbZ79UE{SvDFkdJ!|-MB~QNta>>S0R3T&_VJ-ylLDI3wV0C z5*oDHe|^#Bs7r^rK-Bxl%X#oqj<%Xm>@9%*9dqTU$5~)x3pAyg3qn%e->J`?)49Jb zMLkm|ntAuluwt(Kw{k!N zxiE9Pb_UZ{#1U11N2YZg31I8QoTN%_bgS0pCPPAX(P4dN)O~X`Od@F3IFR>=G+~%0 zS*;4JjAWC4P*3NRTJIn{Rm4!`Dc9u-Q3;ZzW~KCb4PwP+O+|SP4R&^rf3+${Kv@9) 
z6p{@f?iFHgudFJk4L@_ff9E4)&Q1_`+^fN*#oEReD`fT z8>G09^{vC*R0);u&TZPu8^4-AKflmv-N8Dw^{u{^Bb}1T+)IDm(dmu$w?E!;@CU_;6YH zuaDm<-dX&zgE~?+(P&HcT||i+dT9bBC`kB(0ZMz*5>lC&fuT2@00?C*+a(0%TS}hT zkr*QO?&?tzj4_+5cZ0wlu?>2)>5>#;7x1x+>@Eaab{NtbN&93&dRQKNZ&ndjHAPGw zkI*fKXHU0~sWE5BS7D9i8eei7{VMbM)e8jCna>-y zfgJq6)@23@n^E$pdj_$>25t_Mi%;Es5K_FnOZ8<+7s0-d(on8KAYUM-Jkm@%NSod4nqT-ci@v(g|3z$bzp=*C9^8X0M`U%zx@;dDbm@10ACA7$0gu*L z38BB^P?>J1R;hpJv8WOz;_ z^W@pSX_~3kJfal%^KumVyI>5qAadDMxUt& zLbcSZsh#Y>3jGW5MiDnR<+fSdEKf;(GJ%^Dh*N}3Zi<`3uQc)?B@1oS9(rYPtp^2{ zu*-){l*F86Fyu_aik622K4JoS6h?Pd#)LCohR!LUAe1F2n2C@sj{jQCkDR8!A?I_z zc%9Uve&jxMn~TiD+@vBlo;rBNjPCnU(!cbC*PV4KAWb4Xm~Y_>m}rlV-(xLY4n2Ne zlZ}U>$T|kagk}LYwo%kPiDhtEOD49MLAX1nR}0b`6HoYAA#8Mnm@V!s)gUHNNiCk} zC5=;P3GK#M)DxYtg^y?~U872=2>W@nf~046l%b~IwLWH5Cl+kGLFOB3jS8TF_ny1y z0Cq0$4JzMf3WB+ht$?HmLWv}|0uTa{F6W#d!RiS>Mo)DJ_FaeCmREKwrlH^E#*o%A zmLf;|M2D)w+oV|}M8e}KUe|Oc?Ipg+jbLlV4Ij*c@X(F8i07IR@RsCIFXDwM_Z%Y* z*onhn=Q%U6OWnhg3AuprN|&|1wS);PPv{Q*d5F~+u`SxFLYzs^o!}vEUzYmxTPJUy z9H2$&EN4Oc?&HIGErCPq{`j4DiWxt`>{SlEtjr?vVqD^e24T5O9KfUMFNb!^-@5M8 zFH-jWHH4|DWI`dDNR4IT!S<^Y>ERrrcm+SUNIWGe0+YtdT45!R`zEN^!knh(w&a_7 zaQ-@ymMl;A-ak}Rc8Qs91~C4HB{OOU^_t%eZU|0R2(_gOjO)GecVwG48+v=h5NQ8f zG*!z)MUpO%G^o1+<(1{B?Qn@D+u+AqmgGpqBhUM$)Ua%j|Is1*;;fI~$mZ0n8>d`# z;2buR?raol(-#*|Ul7XruN&M`^<=_;0K(fkBC7(hfq}G_XVijHqx^lA{ z^F;&%R~;8jF#EDhud@YqI`LuGa1Dpb#h>c_V-Lp~M2Vy=;CG=EH-y@?{Re{B1k#!H z30Ep_Wm5WWN7(zC4)(iVbwi~*=>Kd`tQ*M$U{|AKmdtsHCzj#53v_x6JpTgMw<-O( z)a)4!)f)z`{1SgN`_EeOKA1p=gJ>B2v&)*R=N}vWc=)<@4LU*7j5GeXmE&2O%7IZ% zt91$(vzNShgh>;$##KCWEhswu6uz|$Sj9VJ4=gCLyG-QFGNwU!I4FMSkmke`CTF08 z&{v_b`l;NV;UL_fd!xR&^)f%cst{u0Tf{wCn0YQ20c;O*p4Q<0@J$4k^JBU&LHQ=I zp=c99hVje$kD`G-JfEfhSW*nyYOyqP8)0q2@^c07V-d#0(4kRyFc$T7C8dIX(o;kn zkfbHR)lgx4Am++kNn=QFRC-J`Qa$5LZq;p}3B%;lILH^=3geB&H+JRJhgFEMLS^TM z(OVwNn>BdoFzETV>xl9N$26nKB#VbJkr>mL~A$sQ% zZ^<3(RS!qZ{uj#>H=5)X9;#naa;xN~c+Vqb#_VreAt)E=0Q(883>>6UfkrClzY!X);D9dWEL4;Wkla+E8xu=9P~UZ| 
zVhCh4hL{DZrl*86`<@|+KibXtT$lNBf}Su>Yso8%g%vm(sqYTeTmi9IM+>7T28g_2 zm(g~I`3bajyN1lgbH8YAo9(2Xv;QV|pNXYt{pNsGGp>-V6$?}1BbB!9mGTY)_pgOZ zmGo*rOcky@TZNR~V)(ViVc`rzepRU^c52)hS0fPLLVUUB{*kKi3B*ZcE@32s{{LX( zI3{Z~9&t`LCnGNM)JP-{<{ZGaLIXzrtsx44p&P)q8PZwE&&j=pYpY2!=6ZP|UISP{vt&!vZ3yWf9w%(*{$ymZROI3#M z8VA{hK*4>}W*oBOBO-s?)DPLm<8FwPP_d|{K{L5nbDdJIKIdyYnTh0*jI%EEid@tN z^T#*}HW#GyN3#}lE1dm3Z|cQ`#5YZuoJ-yg$6%QGkN##Z)~QIivbVG+Bmfp908VC$ zejh0kV_d*V@@ZO0iHJSOyY8%{cicfEI6lTBCn?+^oU7yYF>NoCI8}0My;vX{d*!mV zDy<{xbrVmePQ`dF!{UE_K|ga>+ucjSt|%}DaX2yyiMpWeN)=<^N@ z;3QA<4KG8sOWmG)sj+;ZKX)RQKzENA7agG7GWPL7!pZo0Xv;XAxdP`;&b^J1Jy6sZ zPArSDei^AE-q3!D@eTY#Nr$3Fh-~t#q{STq&Jp63w#h=|!1JhpRDMB2TwD?m}aKsp-H9rFrr3Y^ZpLkh61t2sZK-rHwKC!=>nHF^5W%0Xga%OTOPa$kF0UU?Ax`&n1NqYC( z{Al2J1dWfu-<^lrt0HIQt>#+YV)c-&Rdi<-EU|8b6wsGmB=!Y;*0XxA^f9mK4 zU!3sQ)xaZT04r(m7m^5NeNgqNM+_n<4B#{Z-@*H9h@yaNBL#EwJ z8JR0MROJ+)Le@cWp+me!djhjBnzD8L4@Abvg4u5F|AVXI_Y>2~BJL;M!I@gwJsOW& zm#q@7n(hLN&O29Kkn%m}Ee~qAyue>k#D_MW9=%L>1NL31T%)I(A+gUIr7vFLD9Jx5h?QfD?BKj%l6G0gJO;{Z0gm9G zo5XTs4COCmF_(`;Z1TUqzP85^KoL?&n2fh@2<4J>5AhK5;;`Z&(NC!2_0Cm$(BMN$*@h|tzr@dBd zvEp~q1b8B#TK3>bODOFKq&?(4C=Jk9`pDD(YLH4+A)MbHT1hV8khfrZEV1>k776Oy^8Skh;G2+)3E-9hb~EJYH~Puo=%p}Lt0V^OMB!XyR6}Jhb1WuWq=YpwG`^J! z&cN{}du}xiA51rF*xI((iKCWnL*hhhySN+B*CL9<2S)07D>tRdS}_J=Qs9lfhXdYz zrEh6ZP{-pwPw<*$YfB96BSr#OsVvR#$oGpnttso@zo&TI^|fKhggzUOn|o{6vAali z3gjwrj<4l~QQl6sHB!#?;?C&?crStb*N|46?dB%EEK;TVq;xmG%m<#*)&z6*+U?Rg z)9i&$vhDn>OdvzS+*FZ&@z=1Joxd^w)Tx4QvADXNs<}y%_rh{qWY6VY4GACdPY26b z+pB6g7c3&{sda~QrENitY-?R-Cx^9xGZvv*bL3*i9=BnN>QE1-rjm?aUIz-R{^RfW zU;L+&6E&FVcEf1lwKQvAZ-^UHaFR)>&tC^@lNW~%GFYfyk2iC{Vms(IQz2K;&DgLg=MC0juJ>3-DVI^ zoSfF&nTcgo&Knv;z^78d`xvTDO{&$_rv2A9)nLhs-NpooP80WG_F0siWcsR8fo*z@ zEYJbru@emRhklvtPjQ8X(tOjozyklWnLD?pR>2ZB5l}Zk0r6GO-NJ5cUCfjq*G8*z z`|_-OI%Px6gU8}EAP+yy=CvvDcTZF~C*y#$!m`f?#OY;|isMDV_gO1VR5~$(d3lqW zp|9m7>hR^G3I&EO$OJA8@8@4B4L>iYMDAG$rhCp1~|m zyA_4=XMbrDQdDGBx=Dm#cE|lT(iLd79Q?d%oKhh~JX`qvXiIMw-RH862iV>TDz>^? 
z5P+AUeMuYKus*4;o8O_8Rt(L-Z4oSApEPJRXr5Mvxj$GW1lLxJ6R zyA}3!hho+o;fms!@XsSuLoFG(}Bpi8{e z)mv!0cOX%;8JNJ}G$-}@?X+me_pod>0t3D9Do>7Q=^y6@e5lu6-jd3o^h}?%e>q=| za)R(q=B_L_RxQd^hb}=OHYgG)L2no-tB7~R<7(Z;|9MGAO=*jC?9lujYJ-qUGCb9)^k=!>p{0 zKm`B*7x+emDM109ef^=g1JxqlkgeZ}R*Sxj|%etTm*vZB81T5!A;^oWZQDzIQk!EQL|b8c9_i)MUXp2 zh9(&xLzBtUd&-nFeTe{No#qg-Vw*X{W({)+W2de?Q9F(Mjd!>3Emx2x*_rqUX#IW6cUOF zf+-9DMF6HV>j z>kA~2t!0y4`Z)03Cdciy$CM&$=J)xvJbPpE;STHA0RdX%(we+xfANRC*%H?9ov9^J zMcs`kR`y#1%f0r-^wg_ih=msDq1h1fCv0#nYZaRwwweGlBJCxl%D*g@we-xJMv(lH ztzu7WMJr4++Nr;KaXbpo@5$3A%e*NcROAFKDZ?-Lh6a^#G>{KDIDZ2H{lP80)O$e9 z5}Cp{3FTlq6&}Sc2Axgztz|>Ma6^%_=$l?ALV!9DlmczFgawCN^916|;s1edREN9` z%u@MZm^T(m^SOQ9rGXB};hkR)gKlE>7f6=+SUT5&bzhw$?rX9;@)uOC(ySeJEG;lc z&YyV`G%4x5nTEpAq!BwQYp0h8%qlS!Qui4E<-j=BT9vCb?As&`DK`5?gPB(Zm#?v; zYop+t%KwliS(HRyDBvL||?4#?YJ# zV*3xO>BUc6YePL_6VSEz9We-90+xHT-C1OG^qQU;U1@DnZ7-WZ1Z>+f?S32%^G446LKU->G>PLWG|^_i<4| zAdQ-w8ndxrpq@fca0cX+9<+J-$7vt)vCdu|{h{AH+!l6k{HhaR1gDz<4u3!HQPH3r zw+8_*W<&*>mx>He_0@P;AYZ!@3Ao zuqR(?CL`l-kk3X?3G=(~9SuGxS@z8?J%CXil&;q=#4xc#asWxjK;$o||Ycm%ui z`kWO;>fO)Ew2;w326(Sw$0r|aBIo8GYv?!i8rJN$ix%|tDb3xl8osl(pZ@yHa}9+C zvW}FY+Y+qp?}cemJ(R(jBq}<~YDJYge+as$SW_zZlY}0%ntz^tXPM}X7#{Ri+S4TK z(+n@Cxz68yWmOf9j9A=Pm@scTZ=2+mD}}J+Q%3vYv23!(;T1~Aw`@T-Ty3-O^P{NH z_v>+9GR9$jD5bz7n7!Xb0}6GnaL!*H7r+=pGiR>ni=0iNrT!)Pc*SfSti#m~oM8{h z+u1hf0csrGCO}5jy`3afyrJeKn_GN#tdDN))3N`Rm!_gl=N#P63dbPiH7d!UF*CXT zh(g$V%RmrHjAJ9JB@La@@dzvY(A30w~`sR}jzG^>y9{>Jj%GUa3FyR-nlD}}U zocI|-SE*zug+-rf7Wdbr->LYw*pyPbem+=_$opzN?4R4Wy^SfxnuKqp*+{AHyEWPJ zp%g{X5_ZEiY2V#9d4{Pj3~C+u@R zqrm80&~<9zQ2wj&(f6jn%0&--$x!FZV~pdasvc_*hhKe9wTi(>PsaTsBvG=!r4JYL z&WkkSRhpuEyv}p6`BpQUBS`4~7HtCprhhPo@wZ~TWpBmspUeMw7+P27o?HL1BWMQ~ zZ`jU@t*Wto+<=jSYRAxARw?7nm~yZX`#{{J4iy|~vC2_iqa6w8djo?<^BiD zff`kG_#|WbMsh8H87XaC>4Pe2)qieZ>qji*_nh~sL@@P6q}R5*j4^~WK_MON6@q55 zvz1+`o{ov+@-6c1txKRjf;+lKnS`teAx@(5R@glc1(CZhaH@j)EQWzd_OZfcWc?*7 z$FP;QInIpD#hotcHPX&$o9VTHKS#Ns6bR%*;BrcB{&SbRS&hm}z#}eBAr&0Q_ssz{ 
zrDsWVSYt+RR1dJ7(e)3LdFXd8nq>Krh?q5QA|>gx1$I(_O_g_JSj;g}Wjo(J=d&X)6Y%L6Mga_|fV&^CGg=2smZ~C~UHhqj2E}+dl|Cs;%Mz(j zuJ#{g#3F}w|Ch;&w-rPJ)ZHDA4Ln|c-0aLL2`Nl3<>I?Q;??y#Whff_K!RG3NRp<< zpj5Vd%Mm*ZMYkmvgql)RbERR6& z`}$Kh99+T!v=`%Ufv;wKfI6XA5n$p1kskR&%5H1{98pb3KmGBGD@F_e72KiUocT6g zfxq7@T6QDWI;2g<>tODA007Y$P@kIHQ{Ki%2?n$g6cAFvLlxjf790&&VFgRKKQ2;7$#WxHS@V*D}yR$NE9HH{R_}*+?YQ zTlbSt6s2;<-MX^mq4ph}p_Jz{Dv_7uSxr~;+z2C#{-MS{V4XsBGRzYR?mEHXXE)Ec$yIx}Mp z$5J+ISK;4j8aZzztzW|Pw3(3_%>(2FqwuT^s1SSe_v0tK6OaXV`cdnC_|2_eezaS` z+1M&H3m`fIDYjFwY+i%WbaUuHDFPaK7N*EyeHrigw@oe0`Ojf1Gas^VmDAaqg{f~K z1&HONigrvUwJZk_hgxtb83{#0W&=Kp(NGNAT&&yyCQFKNT!LmE+K$%aP;qVTDnNgI zyNau&lE9yMWS^FUfH8(A)p`&&Pwn&JxXT{PTpW7MjOQA+fhIpn~*D=ysev^hhD9sgP2JFH?IH@0a5oWw)vKh~ z*Q+j?3VEEg!39=qp2^j8RVW{^r-~K=v2ALTJe zAgSE!l%_WmnuhwLuK{9q6()ifmdgl;RD#Mdc=nGu8Uh}780B2-UIyLLp>HS;N@ zZ!|a=kGR{8LHHE%c2Sq?9UOOAV>9;uZ+y^d;gsrvS<0oJY0n54Vxx2l<@XmDSHpFc zqgatByP(t=(n8P^9=QPp1GNaka6&JmwhQZ&nTirNbq~Yyl@{)SPU(!jlKHyS!o+PR zww_*2*Rg1J+DPHNYK@FxRWm&E40QR_*EwylZX6 zX&cKqY+pRnAoXR+&Pg0LHeFhcsc`*nUITgypK67MyBZy&zaD;Aw63{5X-wVH*TAzXff}ND(Blhj(Wm_qY^JFl=0SF|t$`|}Y0 zv{bcoYTOZ#4qpKxzbg3uMzE6~IE}$BqLWkdb$!*=r2?8?A&>eV$`;yu;sJYtxX5@Z zt2&djx+1N{xmI0;jzXnA^e@K3YG34_asmScO%l#lwuU4iqn46^D;Fq^V=E4nS=p2I=zV$wbqlD={&NSAy*JOUkI6QRM zC)f8NaX99oafQaB+7vJDq5-IefENulDANY`x`lK|8tZ_x2 zj%+#t{LiLK`x*=ihqCS9P6}*ACrMGfvCCzV9%o!35>*~L}cGxog}$nv%%I3A7!fxnT*` z4|u@Jl8O(VzQxX!Lpj$@YLQ~3f*3SN3vnoq%!==^7zV=LBRPipEUDmIv-(%ZIyxb z(84sws~OMDN3r6v3&kYcK!%k=f@#3~!XC5?$336_I63gv0JOsE-wngADL(9FV&IvL zAHI=0$&czfbA*lGI0FCcVq4L-hcZD(X8wp3mLj_fId8-dsg!Y9)WdUtK9lnkig*;N zU|WJWS0QU^kvGz5M*`~Pvhz_ou99i9Bm9CLvfj)~q@1a(>^z^__O0%bDAQhWD8y;y zCPTxmSe%A11 zYcOg{vGbVndGMsB)urLmSjw*^2|Q4ACjMRvTeIJLdc;kj)F8AP5ko5jx1|g0f~a=H zjhz&V>*S+olEE1}hIRQ)RGcm8BVUu|traYdzhKA^Zs|$r!@;}sk2vAzTx^6KW^?1B zg75Ev>d`r{e|eGpAc!)DBkXK}_0hr~;aZZmm>P70%<}k9C9<=krc5Rl4Ulx__j)_m|=(soetyAr_{J0I$W)=Sgwv-UuN$b9*93*TK;_h#&l{qJRd|-)s#!wUY z9PB?+9iWXBz0Olu0cvaJ(y0=J38AIetnHVoGlI8C1On+^+M#>U)#?CNy+J+H1jpJ& 
z^=WVlFjQ8<+SaAI1C4S2W(31QQVtpkVF|`o6n;DG3|@;*UHq!5mVC*py(9$>b@jk( zn%M|DvS1vA936A91E&LfOW>n7Gb~TLsHJveZ!eVJ?FvI;pb|nZ&$uR+`XXd@Kb?{D z*{Jn+axT0C3H;wWKN>t*7@;j8zQV*6_#<=0?vP${dh~E)e{-wPr95kz*I~5EdA6IC zEoRYS+tpi&Wu_iUPlA=~PQ`ufXE9(IiJ}ealrcC#o0qDv%nhr@KSs!o9mR~r7SR@` zHC&Aje{Iwq=x5X9mV8m>zq-LGxU-I!=I5+19^2f9KY9_6H&P(Wyqa=Wl=V>Mtuh|d zYAfdsW>W3yu+6c7qxrMKVy45=dPf4`T{P$uU(>VMiAL6`$>U;ZbKcb*53va?~Zt z^z!Q3+g1*r0EB&_MX;m#?B7pzn^P~bH=%8mN9-(S?Ie0p-b(1SP|yYy#K<<>l1dQe z7C2p2B!K^|mDDNjJIK*F#|+sl6>FZRB@x$S?FH=vzgpvIVH|Rl%ppaK&k@jzcn`iF z&Vil7Of>c(k&N#w{i$JH5D0cL1!O0n?<< zZR;*VRt0u90e4yyZ~;#=o^q&rMx}CnGxwRmnVFW@D93qM?x)jnOU@i2V(-~f>pj!t zgRY0JCtDT$-u6gL00m-lER}q5>wQmo%um~Kcg~b6sBPIO7^`KCIRGX z2c9-$a@hgy)5WMZjIW~WAOU(&FTv>DxjGxvB?I;iPMhq26caqk+F^mVHui44T3$K+ z3~UxIEXlJ)A-h$%?(G@UyONk9?d*6v;Mm}_;<8Sje)489zq@(T`yzbqZ>89k zW~%t>gh%C6JK-9;Xf)nFq#^pB@GGtv0*U-j-^?cIFW)b-)WQVY_wo?bNVo!aJ3!^wrtOyYz~0Ig4rUlPQ}g+ zwyfh&j>J_2fT#pC%OZmiCnj)z@d-u28Y7EmX!5{g9unr-4RxXN($4Bq###5uX4^S9 zmDV-W^}bE}zd?(G0mEtm!{Kd@kzp3~8CnXlW|2=U;zTxv!}0d>nRUBr?~PDqH7QHd)bSuEM(<;uJ$?uda<$d(~+;VfMt#Se=5spme;2FU3x)3nwSl_LQDad95LggvKg^1W+`q;w$W$BOO9~hE!X{ zC-z2t!*lv(^n;-&))q|f<#3rQ^U}KYxT53fX?B!0cOjPL~CWNq!r-bgLPX7L*Ep zM{(kipL38o+RmVTapnv`mf9bSaZ62*;`kZM>_Nc8oj;1&3na-zAhgRr*3biI=zz$t z;Bs!&9GvHwGngPfMSte)S*b@X3zg``+SzOCCkkNsNmqw)cEK-Kw!rV92M1o&Hr~q4 z7a!RaG}fC)H=(x6)halWt>C0d4|r7AleQh~7QPq`X&k4Jp0*)xVjX*kwQC$cNL$xR zDrinJ;3uJH=hkp8sc0KtGumzF|wxKrYTL2cbC%_Sx;b6oJ3 zE2<5**%dxG$=}LQk<4_Jz10asxNnQHmY9Z+Ve%d8QP* z&j}>cfN++HQ%C|c2c#(Zpf@caIvBQ>EUlCGW4(~a5UYB_noUGzcGWpK1O>Y3c z-qlEZi8IdH0Ha|8J4Dy4 zmD1c21|I}X_ug_(doSHC!f-u>sVaHvP!OfAVbLW-f78e1MPNW1l-(-DqTk!}p*sBp zI|AtKgH0AUm=^_@U=7%Lv+uvO{^jBXGDSfc(AE6T1X7WD{w{Vsjl27cf}e`Hupu=L z6=}fuS3+m?&G-ic&e{eZhvuHU(5rsWM=cXW`q2F)`UL;^n>&~^Fh zil!ydTvL!^^fH?8*sB3OX~9|((A-ULG;+FMFKpR*1>Ct@xdnwTSY1O{Zfavb!e7fB7-Yvy5Wpi+X!257{W_tiZA!A9KJ9%c& z7{LZUP4hH8l#UIQuG|w*y0&ghkxMmcEdabdWBB7YZC-5wHD6)_*KR6Y#mv^$`_(SzOW*(%jK5aFd~nBAJp|Le)bD(#VNV@lokM 
zUy=4W147O_RWH%9Pvf3hrdwJ*2rRRD01yM7yepzCP))Yp=5v^CYRM2f9q>|piXj-X zO1HRgs%1RVOtKSdME-z`>j+^p9!s!(c3b!MT8oOis$i2vj2y*09)$Y*(Cy@`Rlj6- zOoKDQ^F+8lDIMYJqPzQSupcgHQ)5@<93;2(^HHFS1OO8<`^EwMin@v9!)m%!W&pKu z_`VJZ;cM82$Zb&}Ma~}&#$(~J$vVdwbcpyWdZ>i4yCu;Gew)i^N0_^pEw)L*tT<+Y zy49x(pPY8FL=kop3SU;XET+&OCYE=>d$A*3@q0-J1nvuh{5viy7#mA&^{*1>7#J%Omxu|bImPxC2?yuvKM!M6U z2*1-pV(JQOq7a!Rn^hsucVW3mJ1?li?kOe*)2%4eiz^AbZswl4Imx z{IG;3l3lx6RyFd0141c5kNl{CX)*D7f#{k)6S>C+2dn=qu}7KP-MW}Hd)~J_-R9*pz&i1^3humS zItiNZZ_Hb+t@F9Ds;&gT)RN<32;oMlRvKB#+uqaNA5n_<13{Jg$6ReizMkaLSCLH+ zD&p#8eB;S;P@$9xz-aXQdE^V zK+~9i7}v#Yj_uB5M)eI6`et3gsCIbfj~UOR;Y*!>`?_A`Yw_etJBLr`&G_3jU~Am; zv6^~|3!C*BGlG7K0zfYsvHZIhZ4iMn_{GVcV_c+y`s+2CTABWAFuF&$ZNIn#dM&?}9^>2S%UGea32lod2p*qSWyzVR>= zvywhH=9P+`qA|FXzQs#M9k zUNh=!mY(nU&rVvvX;KX#0s4=x`Z~B^&bZCG3hvvKU9!wJNZ()KAZjZs;C_U9WYfo% z#0ira);_X8KEH}&zHv!WuM@J1$rIjadIEDqU|=ys9TmRKIIE*7^#u`%KTe-PDn1+z z(hwo{Ni>7?jpSWVUPZ~x>YQzW8v$#zY4L{oKDN=Tf%6m8$NK*wSRzj`lkOUHNjONtB;Ajj9d6)jS2&JR{^gxjFw@i z>dJuZ}nOJ>P3p32`yG-0e{=3i2e^*4yA z^tRQx?Lyk1MXl@qwKE4`pqTju9>)qZrj$tehSelP(E#%nW@tZ$c(QAopA*kcV67%d zU0(kl z7<;Hm@nNpYWogCD5N@GZ0HPD6IJ-)p&ok2LgfJ=cev2#d3EYWt6vmwLmMS)8x;CCX z;!)|!9JqX^QoY>!A@_C7)8kgUoxbo4@_Y{IoNkWVwnB7pT*m$poZgG1M4|nl{72B!#5y{Bn(~uBn9t(ZK4g8V15KAsggB~p5ZOTk8jpa!^=)&NdmsJ6O=3>HH=Av6{qFE z<5pGFs_EeBj)LR>@wlQs7=~HuWQ@cLk8#Z~IYX}vVEq|`lc?|_ME*Lq_P2GvAm!ya zV|7xSMdRS9F7T0)D6*S%35lN8HcAvcRaT$xmUedZz$d-2FgCm*k9g0py;>H3v-RjB z0I|558hM{jCQ6Xk&k-kGgG^)63@h4K+=O_0dN8p*A%|8~A2)%47;@baOf*zK2b=(7 zi(3toYWEzwB78!~=+VP0C*)uHmbAjU60=XG-iU1K;whI3Enx@vASd>X@17;T*Y%}k zCYUH4{@+l;Ht(Hg| zU;aYs4b2W{Jzy7E<}Y=@hW-)!>WStDJnU3+nMH>l@0>h9bre)dI4hY89V!7;!Fc=$ z^HGf9NE$|zR+r?$b?-ZC@+Bl#w-iV>QM@x6nWo{i-+k~t7pJWY1pKf3M%;K{M!83W z`!n+VA~&=T@UuHht%*uQy)@qQ0PJp`6`a(ZOYw2fO2qYeAfTBtGx?BExp*R&F8oj& z#~)n0prfmHvbSQB4+@YC=_veU`-=ts)k`-@sZRa6(V0{K zolF!V5B7hqYd~4|zwvO<#gaopuoAZ;(?Hby7{XQP%3dszn~BtX-LDegGy- zra2+Z*zg#@C!oL^_4Hc(Ci?sSJB#b|(It6MdGO#>Fbk7YbAAr-1~9E3hfN~w%R8}? 
ze!pTzkA?QILQb=_Be{U|de{AStZYmYg&*X~=2Ppy2gUMsT_6+~DRD<7tS-W-x;K^k zZB+~0G~k1O{=UfrXh^Wvw(BlJ$6QNDt0}1|wmVKXJP8LdlXf!-n2eSY8Oj6W$D;H; zIe={x;yLu&N_jEY&g69|KmByWxHjf=tBmUnN~~qlxluMYA#Un(+O|hfqM@5OjuMFn^zW>SbI|C23gvKmPlPC1UZe|Y+Aj**XcZQ$k z4o!fiap*AerC3+=eyg(|DKsSrlPdkFMZCOoS>psDJV@?}UagFR9z)DAdA9yz9!>Eq zETpo+{u;`0#u|75g%`UU*nu>@dYm$t))dScPuo=!Gj3S5Xv*0Jj()r8{ zYRfsl(}&9luBa+*%Ia`p7p1E~IlJbsl9TinKYWT9Epg8~brTpPn(ZjJ(em=lk2 z*LXA-;37+nx&m104`lK6Y>o-^Si8D795``iWF8EMu(Rt;m-fIgT(?Gl!43$dtv z!CShpYlQST=D+GsSh- zr?ym8N_^!vo;%1OIifg^mgxk!SD(izicgU)PQ&IbzVX3vys+HHK1#%vajpL6N?YwS z*CD?a_;KN!#e1{(RHj7hvSJE<62Aw0Fc`OoAELG+s=a;8;z=(E#Gq;KvZnwa#3+ z>>J|3m86)}9%a#lS;sp-=ndp32>G^iFy^r!f6%mL#U~~fwPo)LC_zJK$^N--QFT_w zbbBlHa-5G>h3;o`g&xDmnxn!in=MI&Tgsv~w!^qW#eJD8TiT`$l=hY?XZl(s8j-qc z>`N;l*u~W0DraiU>c0KWZWlnF(nk$iV2UaqX7IrZ%fwCCA6qr32V4W*G3<8I;gdI; z(bef==0cfF({B~2QJ(~9&@L`McY9JLF-(~#|AaMiEH>r0fVAL*er$*vQf*)k0F*w< z2n2_EKjOF(n4dl%SImddpyxxq0$Evvz^iJP;{e*}|r_$ilNsq?(+2so3P7#}I&bVHyK5a~ZUjRaCd z9K)9#del?~nU;eZc7mnj%JPX3!HNPx5S8x|D<*mMC4_p8#})8|AHuqT$~m+~N|-VF zN4kFsY;P*nKavess+7e%2xsKrUZM2zZDq3A#1@IR^6 zj?{AU1ojNjyp-_X*+adY6S0pnXzA|>WdZrUX#qWhxu3n1maEOtzC?BCO7yZ9Lr2U7 zAu6BXWC=59p9aX$AMlQbVMe4_=jl3ya`?z+Bj)4A5GUCy~umT zx7Q54|&Uz0+Nwpcs{*`fn$e;PO8i>zgf1 z%nX_!33z20$@;ThbaBq2H7=MM(bFupu}NT~#g6tusx~?6tW6BuVZWvN#Q|ZUj>f@v zLvvoYHoB<%zw79C>llA6+2&$|5iBX_m>V*)IMbSjO@_BSEsnhVy~9nMOx@r?1Gl;j z%pgZ5E$EEaEPQdvy^&p-d(J39fOyi$dO;Jy1zofw^Coa$Iu*>wMU3Ds_tFd~SG}kF z;U+OZmTXMH$Jq!{G{r`ve3n3fulG;1>E>pGafe%Y8?*nCn_@Np$1zc3jT-E4F?$in zoi3yd;+#O(Ii(NZmrRrgyU$4auE~>tZWk+uEK<5|vn+i_5KZ~3;GdiTiuY9Nm&bW6 z?#9WTpn*V-hJw}Flsget@|c`%cI|K1l`j+p2oOyR@X&j*i5QDSS<|i@v60mFg7~b5 zjyXy0&{H_ITb(`r=b8LZq64>6%uaJk&00)kLYVNa#^oK|dQ z#7yO)epqsepC6_dBLfLK%_=3rytsRiCYC-%o%o3-gKhQe_Z$7juvH&TsEu@*$2bv= z9^(1x6IDo0Hp`vIBanzKcg;ietph2ITZ>)->?~Z0T35HdCF()F+1jsx@HJo9D3qx> z&O0}^tErW_${%{dU;~i1rkDn#A8GE`_=0HaHWo`ya#0ZM7jVuO9Jv5f9yi`z0G0=ORvmQ2gBIgyNgW2u)~5#ApneW)iiMqi%6KjHJZ)C2i;cMTf 
z^!qo1g(8&2-kbF(NSy??gGYP${!K29aq3nH1aWACf-(U?dPt`vB251a5Ii!mA5p+A z6vImI7f_;24}|l=&_muu8MWWLpV`3hE5#x@4ZN|)?Vv27kqBlV$=?Mn0Fs!6#Ee-~ zuccFt{O9Aw8v0Y*^^CX!a@}DyTshOqoTN(w;ufh=jJS^Pxo#}t8>l>4X>uy(-@9Sw zxks<_Dvzh=Ia|8rYnw8$jgHb@23N(qvR&WB$@L!NDzp+uWboqf0iw+J+6<`DTvV)Kx(Qoxo?W4oK&lqi~DA4QF z(ZQW1%d<1Gck>>YXuC!TA@5w)+Z#Vc*m`)7V$7e6bns%k9iYb_UT45-bXq?i7!#oCz1MCH9&)Bw?9eW1 zTv(!!9`dmW(+_U$9eD$$C1WevNFGg`u1C!CvQ0&=Vy7*+IY4_xMq215IBurkKKSU* zVrR&r{bk7qhRrRAS$5m3KSdXub@U(Xyo)*#DdPG{EIhI_7{01bI+6Ft(K z7}Zx9qG5=wJu=D+e7bDuccAR|qAJUf{xy>b8S5Ivc0QOMxK0M`%H8+&DQFX2^y&e@ z5D8p^WEYVDTij^vQ-_8|6WZwX)R&T5v>74{BWJI8UD&%{j@t-8(fV0g`lXfTk4xrX z(b*IY5kSpR2Fz(s6HVYKq5_6`AizS#q*53%P}iUBq?z@}Cc{7%AWR@WF4a`f=K<_) zdRA0^sWO;RL{Q@`E@&+YwEzIjH<-X;i|nTA^SJz$1=mLy3JFJ(yPB>w!^a*^BJ2na zY$PhAOvNYSuh`Gzpyd;@`<-cIv`mQ^gp;(FU_YM(LurJ?TaPp6SIj_skw4jMaA*Bl z^13nt1&Tpine6)BwUm)(Tv0)DaI(JYo&Yk9N$$8Tj*i|x8uVEIL4EW0IYD%JeEI0p zrQ?t_a`HOb^sTFeL~sI#;v{TPu}E(sbfe^GwA`=^oR9opHG%}}WNf1%p!GC=+5f?a zIxC3K$*}YY+mj8A1y1fED6eZ_@W@g)?k$7|MZm4jg6wrY|7uRk>>5+Z36mPPvdzT| zLn1@CBY`UwEo9w@wN=gE^ zMPunp4dzr@$0ZO0=WT=rZfip&z;KJTOMOWw4^(8OaDiT$0*P89@vgX0Fj79w0Sw~R z6e)rc&2LyapWCGPFCzsYOdyWcDTkwuS6j83 zg*^MF&)!Kv)n$upBoMJ7WEll5HXYkJB92y`HVXt@qiGzhta9mAOskrLcDl)8lrdBb?NSF4@R>cZ$L znB{uZ0=`nppXZ@oQ^v9%&=MO?h{F8>QD{zvYG(7tzBSoP9P8V{S;w#h-!mHs4UhJX z2zlZsE-TMCIqylap>1MUOnZEXrMO=eR7Rw^9!Rr|*p7b^o~ zKXp)#ANGVWV&BOQEouT!(*QGdEhS&QOU|qUTB{Wzt_Pk}UuD^%%6nIAaqSOMt;48-#Rnv(Ac63=af)X6*Rgnly>{2-Q6y%b2SyXA-Ghd`FYXNtcD%W& z7cgh6DE=>9&m?S~UqACv;2QFg->3y;cLa)eB*PDe1~nGrSVTyIug;wWye%G}gR< zP~*f%0e6aqV^he5)AVj|p!FQ@qL6s1T&>99E}8D3mmL&u%oF=q;^raN0!gS_@<-W@ za3_@Zy3c7k>Z}uhoZAU`^c7k74~|pDhI`$}|B(VaK(Ip&afLXqYn4S*IhIpV%Q8Qd zuKg!{SHahoV5l{WJ6N!fRV_Y*nEb&QxLG~FXdT1q+cJb1ndrkq4PH}{%^1cf5>LPK zX2^9PfU!(|nd-PC{dhOc1CVrFf663J_rO-sJcu75iW5-9m)W`woP$C_4>%5RM{GxU zB$OYkdOa_xJVz)8lUs%ExN`s<2;!)Oqf=hEGM6p%|%1JNNRiM@^YRbV#_ z)+(!*BC^#lUie^_KHe?lC=@K|MV5|qMIX*R_!CifSqXRbJe;w`02d^RsdUY{WWwDT z_s3B5tJpij*iSXIws#yQbJ>LpUY>)p0TQ(zR0moG>fR?E{(R0`$h0L=fBT_I(-PfY 
zdP!^E2)!BER;95K8Nxke#Gc5x@c+0I!nUo&haCe49V~E?lZ;=x)lzi zNHu`wwmm=Q*g6%`>t)ErGqz*V$#e}0jY7)L^@xZ(u+@Di{9ugo7!LVI$vU;TE}h0+) zyaM-5M!^$ah4>#&cw$6-$cOt9fDU^@UWtA8+cu#Qh&6x#=z4~s5oh8O z1xJEz9ih+_9_Fw=4|6w+Yyct~hb;*N6h`j>vV4c;OlAD_cYb!tx39c{mXkLXybW1* z=nqSsNE+aaBtmh^Gb=*&aP1QvaRbku@S`Tm;xR)b5RL~gx_#*Tz33)G$0NE?B&oek zP<=S)*pnQMlGu)1gMGjy6|-$TZ_Bq=78NE1e@u)PD7e5umr?WlAe zaAnO_Jy()d$HquQ5G2G=h+c&Jy;W|X?I+OTFnpX}zjaF4R@~d^zQ7V9e^!=QMpkL- z3gm?9#dQtW{xWB)4lWZqqcTR^in|_@%gc^T-f|Y91wb6j?h=~Ktj@Pp#*0!U@j&a! zGT8|?XT-35g>GSh`TyUry5K_ccANFPQlcuQ6AxcFrDZzR17-->%{<=@e&5k#`?uy= zbws=$5;5Mpdfpby9VHcMzU{zw8ks>zyb;HY^v5+_=MEo1i3&mY5r9n`5zoH- zBuCQFR=^$r9gfYh48W03ZFPQ@dpy#)1q;en7%5hq^-PhwnTkPA>U<>LYK26`F{Q02 z8LgfmngF<{8S4fo;$ay6Wv#9l=Jg`yQB8Yyy5If5TOEUCe=NiH4cv+u3T8xB$OJWL zsx#ph>ug<;82q`f_ye(xuzt?4cwGTbZT##U;NAj59irOfh+yAxa~WnFu-ga6FlAk} zR+H;AB>^>U5p&7feDhe))lLeb?KefK>c-`-g?Xy741oP6%|Sn;$EbL7wfzXwVIZ9S zyRzk9s4C%eBWEsXSTY9&VNql&bq!kO)ai1|sP!ha#1%MSVy|v$ZybMJJ-fi^534T2 z?fu*W$Gy#yy3RV#@@nsAseIiKdGcpqY3B&&2F&otkBU_i%GC^D&ZUbMta!b{McUn0JO%6o#~j&$cdX66%r6UO3o=SCRT4Xeyj7^{r49RpC6U7i0 z>a6?dlT_qFsIiPE*ju$EO7N~P|3k-*<;P6n{(|G?(upw=ooP2RAkuHsRwzm(g*dL! 
z?pErE@k-Fn8}*)@-%mrkl7cZ)UT1F0)jnSGZV`;gU<71>n-Eq_Tm)HR(40q09}`ar z;Qcz3YF=_NH`_H8akOjNGV2mHqoC7+B6#{VSgIcdYDR0%mM{%dlUExqbl9>lW6leP zI!O&;FZ;O70_pXUgbPU^N`FU!s8Z!^f2u6UHZsUQKsIfw@1Z@?9U)@)wio{g)O=Iy zrBp1YE9xDtHxaYtsd_#C2w0_+*T2~Ln;kVK4}-|$HEg=Fxx2H-JZ7n9xO$-5rfO_3 z+J_gxR<++nhD};7JP2%$=>YG!hFI$-cIKq&<`4Dr+3Z?|XX)Ua=0eKh{1BAB)1`6C zf9H|ZiFb0VAMfwB7`a72swdt6$%b*CcQcUOWWyp_EG;2$8GB$b<$Z8}zRBMI6JU;= zY96wk=1G?LV9!k8ayQir(Ow#dMP1b>uSP2AS6|L)ID`Z1qpe+WI3b6E=~`_#bq?yT zTJ;U@pa28dS|lX6oLAo|XWH2ml1*w|T+)D1w~2EYUU&bqY83;WWMG*UpcrHZ{4rtjHKtJ|`uW+eh@ z^$3k%RyUO=?beA-{*7Bg82L;6s3eZZj6dc2yoYU(U0EW0t@nedMdf`MnuE+}&&Z31A^fbxQ`$1G-x4XvPuF3INNgOL0dPf8 z*;SMGr=K9KOB`PNIGhUU3jgFs82)p{JeyE7h^s+0Wst$BU)CG!iCg)eaz-;u3ussm zX_?Iy#Qg!JSSa*R!30n)oW1L?Ko{rB_D|9q=vBKIF)!X)NhOGxXU4-IK4y;#ZnbK7 z0$E#AZut^h|M?&1IHldQy{M#_i-9HzB^fH~SHXe#fFW;qx<}z5YKH&&6qb`w8-G`$0SHoJFN#)<)`8wZ0v-U&i9M)f3e|vuT@Ab# zve(2Pn-Dlk7O1US2M>HjVmvLb?05=DVrIkaUNYtCn;*mkBzxeq_F*GzKHQZSnZO7$ zn&CIltFTJmZ*B9VQdfp3!C5OsbO2M}nMQI+b9S|G1o7%{fY(BJ^u!rJ1_fO)bG>>D ztPqWOJ5n2TiO$v*asU&C{jW`aVW)a$Qzz46&0}(jv3xILVQB4N;RFR`m_K+eh;!a6 zU#>DA(Q`ILsh>o|>^fxdWa0V9qId1P<$E;qAn-|Gr{V0HZc06&k3*_ig4-U$s*S_j z3j!qr-q9EjfX}B9>k9Zs#m6PgCj_kP-iR&r9D>z=|E&dTnjD3n2j1NOTGsy|&-3*F z8b(WzghaybiEzFY8rxXf@X)~f8FjJM8Hwuxj*9D-p3Fg|xT`Kv@eRnp3Kntqr$qrt zh8P5&a$fFeFJya0)^XOT(>%dlA$|R7vJ}TKX=SGOje9Nt+8)6#&K>9hey2QKUlJQ}| zqusw-xc=*s@i^ZK+F*+m0M=f(N8?aqJtF#BqE{TxTBc6TEOp~Frc%DnVuHkfx9gvA zLfW*u2+7={vyn(^=KABiIB5Ltf1lU@aItS@^u?eG+N}|pLul9Uzzf++{Q-ajOjMdN zVcxH-jJ+R2+gY?3xwSiKSzvm*Kl+vMp3;-~+ek3yPt-N3Gg40D~%z6;U&OjsWDC~)-9-n z65+K4XIk*DyRU^7)>kVMRQCW2snDE;-hZ@p2s+g<{qd$upl|{i^{lb-(XCbIo+KDx z49|)^(P#?g3iJX`TX#=+8vXh`iNWpK_|n4vI1#lkzN1{1Q8Q^`DCK&DN`p-+;|}b6 z=2$-zu=}_XfI^`zAYXC%SnxCF$Wkz6kN`Y;=W0+T#ndhq4}7dKl+c3r3^39=q@>V! 
zjog6}G<>>y74KPQ)(9?@EWBoN)7fz#)?W63ya;h-zrl)Ae@7W0_M>Cm*Px@Y)bm-2 zkRm{_Ya~zDa3cmFd&OD$gqT@d>!`KBFz_&0D+)Iw6%GTA11Wb_?W{vToxzpMdSWLa z>nPuYS2KB`mq{5WH=VSEE|DA*P$dwi=;pbj?cF4yr?^N-K7QOiA=(ViA!DTUZY$UR zjJY6j%y--vPxZra?Ch5MMTuV|xCpzDU$I@;T|`;&wuW@`m`$7hTCqaw>wPw~U(}I^ zY~{Xc!|ve@_x_d1U{5v13}q3FY){%c#K%%4S*LhzOxvAF|G9-3_!Hg^Tt#g@3aKb% z>Dj1uFIF}hB1@`Y6>XIa(Z-77#8x0A4$|Ka@vd><=dQEE&NX>Q!nj`6BC$+0>ZKJ95niuLwF;wB0mp>LhM!{m z6JGO&pSuiZE5iyVQYld!U=2&blxldF)0KHVv?#UE&fdg6fS#amV&u2<8m5=xld!D&U{ey?WsE0xQW?N$dZT%)k7tZ=E_W z(hzDV#_La5fUE(1f!k12oe5-#DhOy#JWq;GXj|H##!@r`NqLcQYEANqU$dsw5BLB( zIdK$kC%l2Y&!nH~HlteDYOlr0c*FdpZdd_MINll05IgH5Gh=Od7D0G=i|Lo(fl5-u%3xY1T`&%z|L<<;pdaKyiDZ-dH4=^R_QyT}+1 z3nX!2j~ns2vUu@c5H9Z7JxySZD8ri9WvjEGA_r2TvuU__2Q{HoFBKz}{0`1ord5d@ zZP>&SkeaZtm%3VCh6$t_-cifdQ#b>Z$F#cHI7XE9-?nH-OzIj_uP1v@UKw?s_=LMP zdI1&nC6rla98pto6+z!#&1{=0X)duipMz8)2czZhi8L%)n{kWzJ+@|~Ia*n- z=e+>e3(pQ28>Bl!PwFTKJfxjF6s;MEwe*^u{BMO=|0|Acf68rFtgDkFTFV?KQU~d_ z{*_C)OzY84GesKS*IENtYw%+{7jxh_@;$e)HNDHv3OwE-XL-ZYI+1m4dl}gAV8X_I z`INvcLIXT@;Ck3dr7f-ay`fHWm$_VtPW>z#!Oj#C_25hxFD)P*m3}B#XG=2#XWyGR zm98gTLWCzYJj9r>&NxgBr=tU?U(x3E*=B~ml*ey43*0uvp!0QlaSq_?sHt4J*=^X@ z+X1+#wf~`Ud8nZ%x}wLJ9Ws`^!{9vzJ1(GJo(sQ`T z()_V2d}o7fSdNK3ay|Z$m@<4NCm*~gU%l=IkH+fb!|fWqqD-KB0z;agp`iO7f!V0-5ft%+$p^)Sb_cdsMZiVqyDu~wF7&uBN~ein-6 zzy-e4h(@oGTjFp@57pk*Xy(!7VpGKs?-DcxS>VRfr)w$tmb5m}72qu_Y`Q2To z`X)mnfnS6>EFf1CDGWz+jK#h2V?)(Dvv|{H7hM?y1Z6 zS&n9?Ak~OA6{NV44J}z^-1u?7z$8PA4jskJ-DDV{RgmWQ@A86lA-Uk7Af8tRJzSI{ z>~$_PV}YsZZNeGCs>*G0}nKCOlE3DaIrE76Wp z<9^+|ATW?aM4~J#B;Mf$-p3|UUfGj2^05nIWv~Ho77}Vp^7hR=gvIRO?Q1r8BN_nH zpnloV-yixzBhAi4e^TSMZg4p}Vn>LMTE#Wk*X`U!=Za~0)n?w4K$fo|MZ?At5?aGarG#9SA$r@sAo(d)SekStFXU$`AF0ixh5T; zY9sNaQt*!y$B=(0%yKC2N>5#m#|=a;6%bbtS9h!JDse2kcm=3(h~0OE`eAfyv-ZIx zbo{y(!o%$^x=XGwlA43)7E+8OAH}Xn2!9!)+dKMj8;Uw;uP)% z?)l*rtnU}e?=@!8Y+9OWzLt$0`Jkk?T=2pd^n{+_=HN?@7fb*$Xh8+*tV9OZk9S1= zVqA%&J$V}EzPTS3!?Pw>jmVIk7kdQ40+zM2(X4WJ`Lcm7G7T)z8rSAf?i1a>gH!POZ@8L*_ZhcmE<)IC za-JH1+uQVH 
zf`|0_ag7;;om$|BzkHFVH5*1oD&SCrzPMBF1J!KuAl$81u$$`WE~H}!W>?$#t~Ox% zch5(;enbYiYX~m%?#?>F+}-B*(7=a3_hFnzOo6+bJcnxH3P*>^*$BkJByTm+jf87m z9|fgHFqL>$S*b7wF^eqAiOkdGYN^aN&`T14%)8Hyp& zp+I5t(iphKnCbc81;xK5cUtTHat4lu@*fzYGXhSFT55T)Rwmp6-8L%^C86!r9FyAV z_^^H7%{F4&YU1X&0}}g-@LW-6;fLqk3)8SQ?P*@Y9*o$2vO!Y-FxerlRuGKodj7aC zuZF1UnUJ0fi4;IO4@iQ3qkb#r`Ni3qs}~6M1S&%;vU!!+^q8-<%{(`}y+%&}B|zH0 zOv+We6mXc1B41zBh$6#~KuqEiwn9a4+WV$E31tQ+htnG^BL$|e1mDnR3zo-fGKtB; zSL?kd`D>~iIOpT(p4M&ZAAxSHv&LUvC}02T?cE?Pi8%f<8n+PyLYyRy0}K{n9QCi? zy8DGHs1hm8BW9!^V9tP zN1uN$aRiHKy8TvKo$p39lA>bpN5Hj0#n3U3HiGnne!N7)nYbXY5Ogp8?tZa!C(wgT zm&;mdpFiP#ZTp^i+O)rox9$1I1iqPMMWA=BFzw8zaJ*N*`kI28vt{pA7Mxfw|0yT% z6FtucdvOMi8?&bQQNu$?(L}2&>GGpyx(tQ~~btjTC#!ihB zp=7%1EswhuRCkXVx)3c>R@NEb{VIE(yR^mngSfnQ{M|@3%$@}umaMU&)#U5|h*IM* z;pld!UoqOW4Xg?u_>zOji$Nl=Bq6lnxUfKs48t)?&MjEkcT+5C^^rd(&Fp!s=lF|l zL0uaxaEsme7A$KAK#jN|3s;W1-f z8_B~F$wdgC)eIPrM4Cp6Vpy9&Qbr7Kl>2jrhJEl@Q$@EDH8%kx?R6@Be{_*`VboEx z$D|cgOqaDQX!GAl;p4Sz^N%sn{}UHLX3fMmAI7;`;iTZ+Hux5@ARqXjx5c>#C~Cy; z$BZ7ZSFbH|CKq<*#yLC&&f-KQU7gQrfW#E_Tv?iuw8x0OuyWiXSH84Ud*8eM=7#XZ z69xkQy&)ZDVtRRzUwOwf*LT(`$63>*MH;^vy3TAV@hquFH7fMETPVuLW*On8FKiez za@w3VcK_#(fYM0d%ObYB*msQO_NAhS=(DwrbN@otLr(ZK=tYE`5L>9uA+k~r6TN(L z{15yh^s!8&f)xq#Y*`FA*63y01QD8E(~L{33&_r52wc8Aw#A}lo=DKy_7`*{thO$F~NtRp)1aNZRl+ZF&k_o4nW#k_1z8G?w-l!%vo?u%U0W0>Mn}?4Z zt+9?<eQm7lqux9B6sUM%r}R1fr~+aX?3WCpf%H4>P!X#Z_&0V=`v__9w3o0 zX{wxk`iSILf{sO+wP7H#mcS$O7jav)XD9HTgy#c?lr&9k0uZ&@FPMpXG7Rs@+Risg zyQdUGg?XrrNV{&Yl&pBwYA?|D(&?qg*2E+K@YUkpE65v7pOep%XzUjeC_$m;+pjR+ z2F}|01}Kf3Y1ZvvFe^d2e5Z%n*ouyKrvL9q&#p`GS=Uh4qx3>Wd(Hxv>pnke*8s(8 z+w#;YnyVfp3qMAno?=`-c4$a0!x%>gYQmc5P^z!~FJ_QOUkW{^U4I)F;6_V>)A=|f z1KhghY3#H~iJs_k;D|k8apLg+PCGg0y%A-hP`GrrRZff0gz20iXZ?s%=em zrYGB^pv+n#Bb`%O1N@omW#P$VyKwC?nGPX#B{!oa;OU}Wj@tkD4vd||&f!&U%aE1X zIhH(KO$po6T-mVGyXQA?{2<0K0g%50)pEc_9TG09RhGV^+n){}#wPUgn=0{2cYif5 z?#r%JcvOY-$%>F%7=-Ra6fk;uv}ztZWvX~p-39|H*flD9qgD5gVLoblL4irB0m3+M zF(mNr#3XGU@s)|QtrH>4g-~2xjl`~NbuoVkWfcQ!dzxM9%8vXdjUU}|k%6NYKsmDE 
zt+Mx5%Db9LL)>3o14=JvKn1Vj%X$CBbLfJK3jN;UIE}Kvm_PJA->K6!_JyOC9r1HC ze0l9_{O~8}tG*r*Y+>t34#aRXlDcC`J9xqiTRF|5Iy>Uq>$uyaMH3hI=;#)@9A z>XN43xY6*$Yz-r`3JVavCyK})-9&wlCi0(P%8eQ6N^*w01RzGE?rEw3jS!p>pQGyY z$Z1$qi%U_~HK98?YwliNP^g4Fdj0*%6OsZssFM*2w*CEU7zcrZ`fwOd-&?2#0rgrh#VBfJ966l=Vd;ZG80GiU%Wwhz>J!OY#j1X1DcZwLGelGoQ&0s<$ys^C z4veLLm0Vuw0|ETv=!rMcG=lf)uU)?7{ue?F)_vMz`{h#r=% z(JG7Z5IQ7^Z5WR&PgUR6lTtUBu(+Iw%%;))b08U7lAdDvG!DI0F)91p|f2s|Of) ze`gl=wRC_qBAMwrvsKLf@)deVVKl!HlwT8y1y62|#OAxGtaDvs9J?0BZHBza$AZKG z(H9;0iw8HKb)1fy z&3DYmtI#N0Nx;ln%_Q0Lx*<*gTa};N5hcj=`l#Ph-25hw&~f+bPc}UB{^el2+Z6fc z?f#9_udHG@-6Vn*Z17|o2aU~@gV|_vVh~@AEPF2M?F3ir0st_Dq}Dk))O*B-U*`K~ zQi3Nh8ek-GkCYQR5tali0a}Q7*9c7AsFBa|6J>VihsLFDjSL$;geDQ~!Z6$IP^Of0 znSQ+%Ei`aCPF^#nvm%Aj0mB6V7TvY7sXb6=i+1#OCo%rJ9G7l@H<@me9XiiUhkUIts);@B$Kek)PVyk0XfF_R%KeAsC$9cn`gCW*VK8{&X@~hh ztUtQNGXOphBgZ(|mr@@^zAdvqFDsKAs_CT%V}l?RovW1gtvt7{Eh*BAELz(drIO;s zxMgGCM+}582+wOH(5u$^H^rnby}as{N{{RfE~6^n{`*Y2f1WAcLNDez9Lox&H_*@9 z1hSSGSz91$cY#gp%d=aflRwOt2 z-GdjOF33%dcYot9$UWsWv02yy&=fU71TKKV4O9S!ED7;_8CPJk{6#o1pl5} z$JfIx-TZp;L0gTSCAwP7Kx#&?wg{-W2xR#uU=>EvMkrzXffX~OS+JV?o0cjeyf*n8 zq-mU5isVA&OAkgpSy>-WO_C(ig>i9F&+R5&;)U4?xOC6k$GE!(`xZ5=W_$X)=evQ~ zv6PQs%H12YOeVUS3=HD1(qoOp+J~?pWHqY_nH*BIt|QmzDUnTCr5N+8Ve%YztsJm4 z-~sCdx3HFoh3}vex^RcS*fDh9UBnLO?rAxQLy;(0ClHNGU2%{W?QcBOfoM7fbPt?s zTUM-{59{E#>&M?Q$v7vCM_J*70NmVXnG<-2;F84p$t?}IfF<_>2-?cUtBN%bV$0WP zJx16H4wvWnZq@V${F8IL#$835GX*_*t*x^x_!iCh7wkpRG~`)zGiYYPuqz!-!nc%j zMSd1Mx9E1J9_?B2CMCYVl6gQkM`uU_id57=XK-wl(hp=k;!1am$o&~2*j5>Wkd+UT zhd2Y{&^g67*VLSLELM$`=x8`SGnE6fZ8K)dvaRH_Gu%sLo`M(yRu+kJymT0?&u??c z=yY01`+V^VM8UsW@uZmPivkF0=gDiHQj2W$iT#Fi=#&5~ik^K295lcsP}umhq46Gx z)@lq71aV+tUsp*q&slaO^QOpKr(4Kr25{JWXCb(60W{w4=5&AWjOB{Y)8lN?($tr@ zYbIuT(vAAE3ex+^ipWG!7<}CYtx$1brvUCI{1Jw%Ib%ZeFio^qQ;o zxdND7uv&p{uXgBztx7cNR|)xK&Rv;p(n2+Pih-xPKj3jVh$Ad^d@pbXuM)hrb?B|S z`_exoMnwWaRSksPS!SYpVmse=hXRZTR$zLe=)$TFJ|q1zFo^Ku1#zMFvS3fp?yF@wR(QqKI;hjOWJRlk~hjW(jeyOp{0R!>q7}s 
z>%GCr2`RPasvveW&c<8ZIgW8!qtCr`h1`Q~(g8*ZwowL=9I5ycxlftx%^r^M%Pbj^ zfho8G%4H()CxL{LL>m_af(j4%Mk9Egu2@hVH0*80lP2;A_H)lFxAzV8rpTk_NequFFeuN zvDt`@7djC!df=dvF+Vwa(fsl7&@FeNsKqrdG&klkY5?Kowf#2fEzfAV8#a1yjdSU` z*6`u$0z_8O(Qh;ORWltvn`dHx?+X=-@?`d=c>5T%@*vFq3f%3R-11Eo9xS84h5EsV z&v6H;@5QZLH;;s)TM9)9i|6P!W*J(2@HycgCM}}bgL}mR5j)1*CPud(rA1c`;v!>4 z0B&*{-9Dg=PR{?%i1nQo7yKHsb8X_j$hv?}ZlPOTQ{TUYako<+rWvJ}%rbstw#|hq zorWyG#M6N;RBJ4PR!28-9Wdpc6Gq`t;WLvKr^qvDXt~#g;#W^_Os@bt9J$XWKK?X5 z8|7N{{F<+|ZLV4`uV?v2EIj#bdl9#;bJ+`B9KymRD$F@dQnil-FCV8Vw#_dT{lqT& zm%k7JQKfa%IArXAp>6anMD_%{feGyFL}Q&JBmkbei<2NV`y!dm(O^7WBGxZaGwatT zi!hJJ2Bs}H#a-1!HTB5k8toQc4fR9p0oiW*nQZ`Vj3j*iIY%*d<+CCKMMG-wIf9b; z6~#OV%HT^4Qm=}O)%0~`7d@}tUL_!cK&4WEy%1W(YO<-ekUz;OHr9;ZYn|`rX1H)A ziptMFA>sN&;ik9GQZPYd_^EXlYJ&9D&`k0qXpt?Bu`!2TpW>6Bu|SRYydLusE*!cX zx)1R?Ppk$!^>?DdU>J&Bbd*f3mI0QJ`0D6#mEYUNBF4p~jtH{M1-sE*UXi8t=ERQC=>(DexUHe1^-P|rcI-t&*>rG4uxbX69|jeuHvN)iK+YHu z{zSR63#1cMv{nYgoX=KFh96qM1YqJ8I&M`Zc*UZm&t^XCkkU$7Bq3d3=<=bxKumVv@ehc#iqSOS@Rgr1Sl1)H^Fbrpi&D7?7CC4nl8p2Q~|FKFr{xb4q`DK?F z-s3CIyexOXnxZ~K(QuzfD1)M>b)b=w;opVPg*svR5g@j7q}r~a6@gN@n)(z{BI3pv zJXatsPowaoUdpdiro*-?MO21T!Y(KGT{{CHqq|n6NykuWjy2-AzgxPm><4?8F>he1&g+5>v_<~^O-geq7L?O4fx8%ETa zjVayyHGny-f<}wlE(FW@k$Yq(lIy~6_vR0^aaBa^EHGA|$lKr(N;p>bc{Gu|n|Y^E zb*YWxT0e6PtvLY5GrK%3rE4~hhb0U;=#e$P^EXyH&Pu;cl@S4pmGx1yHr|yzi$ylf zP(REc>!LUJaTT`D5x4W10T_xg9T_6T^AuV6|@blq+#I!^GW)wIjEhH>bSJj z^LlE;VEc)#KqR=)UWAf`wIRbPpcO%oU=RbBoVQlWYI9sD1s#ZKAdaX|iiQ?|du#lP zjk|!+f2vW&=S!IEE&j&Osj1cza$OdON(la+q9I%-@)rXfBZeyM$UD+!ZtomgLA)57gp%pf# zK>$RnC<(;dK;&3Q955r8Dk{EWu~UmX1F-kPKJuUmjOZ1}#rf*&Wwj(VZs44pO{crw zUPM_bV*vQ!MGJ6&^UMG@B&@`lwvyOclR^^~Pt7YN*p4W*C&x|)ovPM^b^z&Zk3siE zza~G@Y&sVYs^cdbYoM#3Hc9ghD-Qj?0|xJZrLph8;^4~W?&C6YT;a%y5(wo$?aELB z^)UhFntW<(itc(Sc@~qOT-SYRIKT9B=n?&>hw=u31rUg$3ZI>!X}tgJow5#PfXNgk zmx;?7o)&U+YBim4I@=I4Mc z%C4)(DTs1%kF@*7{xBx-EH*%3T}BuF)9K7jcg^H-2hguEcI_L+wB5o{MQ^63obY1; zSKL?kd>b54WmW+}k>ZC_Kkkb8uJb1AU;5GeObOlJMvYtV_ z<>RvNXV6s-oSYq#M_@%*Hi~|+?D--zlWBMy 
zMk${dWM}j`a5}3TQp{&&an8 zy0zXPUYT|K_QQMl9{5$?uF4iSYp>77Tvrchq68xApOghF?ylB*Sxr-gM%n?f!tb&27PZr77t=cM5PnX_qr`IkImBkY`hkBhi$`@y1JKug)!R? zTDOuOF4chWXuEv}d7=8-)UDdh^m^%F7QX%3Ux9qXG6V+`f{&7qo&uY|X%lB>G`a=tV?@CttbP9Z6r^@%c&(;_=$fT(ov*CG>hS|4DVTrUIe$Q zosG(8n$b5x%2;Fk6aLpi?p|*#ElW-CFM<8hBI%VUjakPWFRaijE zcx4Bzmr6MUaA`DHVyH1^cbHn%b;cBV)_Vg8V3dSZsnt`}y`YjR)+aIUBtFGVHtEd> z2anAavfNpm(RyhtMH*2FdSFfA+?f93UaK=Bg>0kwG zp{u-|(AkN`FNm*|HyZ6oeY1HdAFx;e6A*a3lT;{a5yi;ul{`XUj{#%|(p>h@X*AGh zP9(a(Z*2chOJimmU^UCYD4uUZe}(#ph9794;q%MchsKu`JP1~o^ezoY2x$K|M4bU_ zoKq$Sn)vZ7U|MkR4+FVh-A^8Eo;;RA$MA{1BLFUrEG(1qd#B{N!Vk_YKquFjOhE)aUeB%f$9|B5@2hrVVPWw&C7&&!;kMlR3S=U;pV{g4G|qi< z&?8EYQmGws3zT5o5vWS16mUJw(moOMNuIS;E5UNhl`@)nJ9TBH<%!novn#uh4vXFscb9OyF zn@}zvg7b{$x)xABU62H;DCaZTG&c+cGrepy#q3#bJbATWbW)4~YI^Bg2m7;siP@fT zxk;ggLIdCTsX(BUSBmBO0IPNms$77UALNWcxmn}$noG7*eU1**s4f3ED|vvGTlf58 zT!b2#tG8Ukq@>tCQY|7wz--0`PgbdbeTrd_6)_B0E&94un$O-48cS?`S|hRif;>v3 zyES2-pdizv8r~!CkvYl6=!z7sgM6&Z&T(;cjb>5+;3%$7o%+K&b#T}YHdY=gMKxl+ zh%H*U7MdSf)`#WPNo=J+7nfu;o_n8&iw9Kv*@T z{rkY5H1Zg<2W07Y|JTdOE4pI~#Cp3%o#q?Ca`yCXKq*t{Gj$6gH7xnXOjM9}3wmH4EAdDD$?|OC7rG z2voNkF^1kHMn1c)cFcLJ+Z1d`Ye_O31J7;w&?o2?dgDnyy4AG|xq&0{GihO~Uwr8$ zNMxP$>u+N*mWUeSNmb!J0AY37BZB8?gx9e;yAg@H?w)je%M#45yJ~$!%WD}OyWtq~ z{d|XN83{m_ncmzmjcw?)?kTOPvPzSH+VVBfn9?H%kgn0YrBAx(|Ed`qWbSGQF@J6^ z$F;C9cu&$jc<~ijL(Q#7T*tk2-ibG9EHmTL+GHLGZ`sJS=yNv5=tcHE5P4OL@kWaL zs{B+PPJzYmun2V88hw8Pl;1+cl3wexiY-v_iJL9~JU4m5F3XE}G?)>`m z(o)%Z&k3L}5y$&i(|m%(ta5#0Rg0ggTfqp&o_RBIB||vPjd_3m5!qwId*pSuwgX<2 z|6J65J+3Tg(lXEGH6hjK{_G8JNzBuCjv~rVA5a;)iIG}dY__RhjkilrD+GUxbm)Sv zm|{&(+|+Y9ifuQ3NBeaM$oMCO2-jQ*Y>x%81J0h=y&{CH8SSx#Ap8o6Gsbjc_7AaZ zM*wKlO8@0W5!0@CgrDuU4L--*dsKd?4aWC*)PZ#Hpu98$TBO}Em(p%6&f_hjVcgi07~OKP@XeHl;X#4xejk* z>pwp*Q=_;F{lHDVQV}|3=PpZWyPLECAE&djL^&UC|ERcH45o!)zOe)DkM0t4r+s7wPBgs7!eEIV&G26}FjEB(EdS)o4voHvBe zCLpq}j}_!C@n!W*j26BmK-Z}4&^WN~KnAtH<_kv)zB6O~sgyV0I(H0oP(2P7uG9_J zqF|RV=#avJT>-|#=MHIf0AQ(Gj2pwx!ba&vNfG>XVO5$GkCGo&urU-hOhE@--Yl4G zeri*5Xh}3mH~7xnmaG|lv<5dHGj8A 
zw@l5kp+F&uQL7mJhwGT}(FquiOzf=}{1T@bz?xl( z6X^`E?UY9GB-WC=T+vkUbj4FiN;p-aDfW;AQI|B0*)RmhTab9VyO_t{C&WIA$Vx@2 zHt=ir74*?P%1}KGE6zY*Up!`ePVPg?x!*{QiQp|tngfZBnJoNbpo?z`5FfkNTdgp~ zyMp!yOpP5{SGNwKT!VNVSk5|Wu!i+;SyTEt#odsfQhP@(tKHM1im@Ic(&aSCK0O4X z9?2#-P?q9cY_VTl4RGUuk)aa`@~U#<8mq##oi_Z6&>;7&x=usI@i9Hj$LsaCrdu;W ze66~o2a_;rsL8MKW++vyW}BLFIQnDAz=fUWvAS@)LP3Uvv^scFpR5QsbMR7p zy-^a|X=4^pd5XJ+Oa&N?&eE9nM}s%c#9U8x%#~SXd-x=2_`_D;wEfKCE_n5Jh^IgT zrbNJVN60i8pISG#D)vAJ5& z6Tt*`f%)cv$-Rl+N3!tOoPw7oGj+a>&oS=|aokauMus%6+z!;+w+%p_omW{}Yc5cZ z>!*3)_KvXbFG_=zs3)_h1r-+a>;>Z=YkXG>$krJnwB{b(_~V4NVohY7?GAr&ki1bk0dzT^n*X5C;{kPOuw@ z2sxT~E7Al020U+yI+lw))SX$8KoQf)@2^bLh6D-CZ?d?0tOIFS5KfIOBjYL$>Os&! zO1nt8O9V(0R%TGHuO5pKiPT=6xg7eMs$_kaF>%*IvVYFq3$@GCO=My#p0j##edML$%uGmW{IN;FaIqaUYu`3crNS5c>mH$U=Wp8bmPtBd#qEdD? zhJTsbL~Xd?IU0&h;Qrxc-#El;BKA;$dOl|dA#zsZYa|FLzwU6Op7gJ$+$}``MKqm1 z;fD4@JoRgqL}Cn_#64)@lgvg&J&e;)&vVLW4*&3Ilp4uDU%^IaTnQ8i++H0k_@2eB zE#}L%5wc_L0B2MExX|KP@L%(ZalTyEjfEPD+o2C49~7V1>2#+H)52F4qq>Ge@%w>! zLUlWAEEyzFqEww#%SNXduk`S3xZgyKCq?`r(tcg>wuBvPlNJbWH#)7c9MC!^I*TH7 z8U3EVP@eJXRnzs!jxNO7#qs3pk9QB-2`7Ng!5|ip&U;gbM_WFK*ana<|sAb|Dy6rEh&9g?|5Y zy+I{@V~Ol@$t}1K@BZh4KfP{O^SONH*_1rLlqJ;*2)cS^ZnAk3ZXk7tS5Gu$`GpFg zO2@7T_WXMH1k5NG8*Pkr!3J9Uv zTTr(Hkjej?jjeMaUp%qaWU(-FqFlpaNfXycKx!H*UVygTu|Yn}n#&-5SJ6R7EC+zeu2Ic00j1F4OceXku%)$@1hZ=`UozdVG0J ze9&Sn!G1q&UIy$EQZGL!nPlZP-71L`FVdQh=7BQ9(gu8AE*07NU;}9FM`^D~vnz7_ zP8Y@tKR2+Ua}&K)S(N8FM)xU;5d2kqY|v!fxXn9v^`Z@r%WMBT#al=;Em>E zu+YtyaR5GDPHz{R*6exA+H$4$%+fVwLfk_=T&BR zJ19R2hwMLvJe`>8E{1?CSv&~yg!Apew}Q$6TVsw%rgp*=&2%*LRZ~|#?OOdlLtRbt zR^^>@GLn^PYF=FZr?Wc~#g!h_Xl`TxK~Caf1lVjH6-a)!5jS0zMY~}6Z>CwZ5lg+b zQS_KF=~Z}OAfPkMp7B`})6!2Z{1=t(g*j9q9Cq!= zBWO^P2y0Wub&MP zDeg!ayG+@|=J%;R%DtnwSbzUOjsL-5X>wHY7@Ga74cD(JW2UQv#w_#$ASB@00cKc%=m&+ptvJHQ8(z znyoZ0aq+YW7>dcpq0lJGx)=S?xojvcf6~cv00OruP%wDRuj=u3<&lFf)Fy%SnjXch zS+A1}X?`D+MpV&!^lH%PyY5&43HL>h`Pr@&UwIdoZ1@uuclB|#KY%a#tuq4*lN_}1 
zk8a^Jy%=Bn(6^;<-qW$ra?O4$J+*HO(C+jwzBQR`GM3QuZ>t*ADZ@gY|*EA3m(-N2yK~_=Q}!Dmvre#Ki!DSz!Y-^P}^? zU1~tRn5Lkb?6C}}x9A+ENjT-f>e-O6SJ>?Wolx^elxP9LA>GXl$qRI%fQq3cjDZ`P z3^qZkLV__VIJ(LUFrC&tvt0E;i$3lN6Ds6*f61qnu$pMMwDBQxwHm~IfS3@&seBv} zo3!f2A5I8VeRGtAz>)|IrL&pbMqQ?D(8heeSxXH)bill7hH7Lc&Sjw(G;@~r%=YvY zDdeZjuPAwXVcF;XI{{B#AbjN58l_{f77;^mQ4L3$&485gjx_eNpYn=z4vy=ovG#(^ zdQDbNzhnD*uhf`xIXlS$P!6>AFc)RZmLT+QIzhX4IQ4)hHDQO6ugBt0nm;ALQOW|B zZX%+Y?w_luqVH|YP57>ZIT|ve;ffU8?ZiqBo|j98V8mbkq6H$tgtwS#SoJhgSb3wM z8-s*u?@hEO?P|0cfqAqGaWH&UWqB4CUdNNqg%JC;!^8RG67=Kr+Yd}l-aa@DCxw4H z?O$%Zuw1vsVe-~(%LkDHqN5x``T!^AFEdzOA9LnqsI zMp5BhiDwNqsm)ufP1MUcYZ%OSw%5y6yH-&njzXrU0tmE5c|k3p>+Q|UFu%spp9Rkp zu#W@p7Zs4~uG$3+ zvB@2%;fD>hU12_`C`m+DnwKz~A|7kW!a?OJ=5xMLz=hScVh{63=1h{}JIK!KrxIv) zAmd@Jn5PyjM&L|JsyH$G9m&giIqm!|H|67qfZNnWMb}-EW6VOBQi{^C#?HO2nUH5s zql^Z5C}#>5d`k%~@Ul_U01zU~(rnu|W~PJDYZGWt`xt9`HE%`{$ zLN<2)K%<|8QbpMrh`FNSt0-v5BkFW@kX9{_k#W#MZ|=^ramHPwFSSN_1lU!Pqz6SB zblpYx^h*_)NMX1>g*687yuS3W&*HwDDl5kirbjesUEH$J70ssD;8*Wm@q8~Ac*BL=;X z0Xn`ov#1f_sk$hT3B&+IMa5^;`zyxhh$k(@4GM$eoms6w#Sj!yqk0>BWx`;CZu>Qs z1L!oao+Z!@rje<&6XPk<1&mFAt&U&|0Z#i>D02AXqTijhLKka*6CM-cG_~6=v_KHU zy}y|MA8L2p%>{evyj%O9RJlyE0F+-b`?w=@ixF!!+0`<7YH4F*%YdIH8_>H}*21A4 zm&05|g15KGvGQnDi11r&?u+R@s=Z|^#A7PK1=m#<#Z1R)DP#Xk4@v#{BXJG6%C(m* z+|=4+x`8Sbj+KKTwFr>hz4VGIgoG7=ouNxQVl6@K7Cg|MEK9R}+{-syL=hUblbgI( zCf*qO!-zYhlVCuFIhIGa77JF(&=u+upJ`x$7SENm;q{t;pj@mRg6vUf7go#}p-}`E zuObhm*GFqu;%Lc8-C$}KYxVNOT#(-z;k4I}Mc9OE-tqXa@K9O#CpQqZ{AcO~gXUGY zEwRr!KXD+hP~<Db-i|k4+`1ry)wV$ zozaSBymwSC8^|z7$I+a*XR4?6;%4p=#9WMYi@7E~J5W9tGE{Y2=1EA8ldxZ&oTh_} z=)w6SQrEr>)EsvyTZ5>83GrOLiWbr4hbjl{I3Nx(1gP*z}Oldc=@<|7CSxl9GTaV_>tPRn(e zJuopYjYF9XTiC$Y*w!WyZb)r6QAv<{GuB8V{DNOa!x{5TPabi7HURh(D#NDpXcRY% zyD~_(uLwiu@gL22p-jmOpD^X1Sf1b5Aa2Y3JuomV9zWD|$b2pUz#-H}oCU|47a>pf z5DYON68k=0ZO}3;)w8+yPak4>zu`-?7+wG`w^} zj)j1gydhEVzN9HsVd$uAEv-Q&F1QW#RiDU2%j+8}PGB`(ywSTO z{M#dUzCtxssn0pZjo){$w9b6UNa2qbm7(qVd3R;Sj6b?Y`Wq<+EdXk#(XWoAwEoS! 
zhe_;8AJ5@@U#^aZH3M6F7%#X{Vfb^@o#6jKM9OmjDK_ORLDT1Rwb33aA6PdQOt1F) zDZeLUL<%Q3Z(fJ&>>suGz6m>CxtRmqFU1DQ`TRSXtA~-Kqut5k(hiX@2kC|M6e5Tk zLDO7N3T2`tk>Lat#rmS_;pypev#eD951?#r(Em}Ff(3TJXe&dk7CJDukdanPP8qTd zJ`QOZkWJI|*sM6dJLuP3wDUl{(2w}F(JE>$5L`_v9{Ww|uX)rzdFFb^DXtwBzkFbT z9icoS?o5LUn;5cf@m!$0Gxd;9pY5OLdeg)SMatd`wa)hH#TM&Mn&F10-cOFx25&p9^EOLtuLT-ZKw^9NiM$tow8mpw>x-=u7cIu*GpZj3is3 zu|rGN$Og9WmVGct!p$^?zYJz_9kBr~mY7Qc=~Ijd*0J0O|J9oyMqxNYZLorfA97yJ~WmC1)PHQXPu zDz+?pYa1{Cx|JBcV{w`F*x+IZ%94#Ez>0WQMl-xUGrYlTljJ~Wk@fapkn2YbN@;d$ zci^g`y8F#srJ7ai7)1G`YMUV!BOOG145w>0mgt&F6 zxosdv`>pba2_qah5hk#X*;#!nv4itocE@vK)c2!4uT)dIFIZuuuLxF*`2D;&Tz^2MrFt(?H;} z1D`N(U2R{SsmT5lN#pEo_tciGzotsvl!D9VND35w$^+mRL!JH>ViQ=vgmhpp`AS-2 zdaE;r`t)xteM=z~D_ba8OJGWUBz7eHH53k2o=gq5!B9_;xsAvxhs}^|@4b0Y3((GO zrHFB9Z6TF64NmS32l()c3G|on9h^7q>>XM|>eeDGRxFLTfzLRdQWBLB^YOKpKiA)9 z^#WqGQ^I-L5ix7OtiB$8>TzKOqk0kk^en7#7a_WiUF7s@OXqV&#qPLF>Qx`G*@ij% z2?@OcA)7Qgd6cA}bsTRRL=_oQc<;6^)MbW_pM2`;dGcDSzs^CtU2v;8tbplOZFG1D zibP*Mgq@b-4S&G=v95d`0kUcunc@Y!3b5_b;fgU&&|lSlo%3w2j($5ZY)@fWQ+uHyO0fZIAfeIUiMHc#*099tir>7_rpBsEL| zP$`?K0A?aH7JzXeJ?4abFd(PbPRh-`x}Qc5QjWY2QwyaL(5*$um>d-FgxIf!|G`dG za{VRWFC;5Z-dW}t8e}9NB+nBb2$D%Vv(PJFZvqy>Rq%sOT>JWdLNG`4k6hQJ03r4+ z!rc%KHdqkw%4}g!3$QI1-Q0LQzl!_e{g=w-w36Y)4GH<0rcQrdtNMX@gnOONqz%{q z;Ap3mdo%(NNdp2jjz9x2C0D|o^xVa<=of4hMtvgu<93gJ7!BDgul%qrmYF=n*f5p6meT_=e16ZjQ6J6IR46{4$b@gi?<#&9|4>T)2?Hh* zuuXXv7&!Q;eo2?shl~KEk|!ce9ONk4y3sc$ND?=+-|?AFi(`MK*We9hZn<{?mv0vO zv=`R=ejfNOKRioV^F+Nkw6fLa=`4DNmg7$#I~q|p9puX}U%Yk}Pk-lt=!$0;e|QKk z@^cF7+u`LKZrVc$7b;$^g35Au|NqOrSSoOrwpw^@AM`J?ba^|KI`dLNC5NcpdQ;A# zEd0r?3be+1SNUqK zVuDcXB1?p>L_Vbi`<^B4g%0;*P z`EPe>s+b+)OH`dfj`v=4Z6YIO10*QCHW_S3QO1lP1iyn3oD~&+$FL5!(+1u)p13yf zcl`;AU^vYj#~c!BQDA>|;7#R})N=o+HR7m3=pjS*J%A2oe;^|dq=D^Fdy#hDd9b#Z z%hMV^B#A zEe{@%{?Qm&i0#SW|FF{U-Tbilmqk z-#81OL3%cRw5*<}%hnYq%APu2M<0V#XTWC6H1#g~%=_K!M)_3{%ha&gn(}&_D7@Uf$3)ig4TCK;^DIK2SX@*d7A!jOsbsK*f<(4tn1;*1V8Uaab zDl@Bk6mec8_8%L+M-84o6!B50ALVTZM!N3k6XN1Wm^(5GJyE4H)+k&wJ( 
zpj3uO5doE7X4sWMMVi@a!bv1N;e8uK=B2M4w7Rb0hY9P|a7Z3e`T!q5;J+$t?Zihl z7^NO*V;ur4oD^XO6^4S>t?>5c_)$Tm90lNb6ud5 z?*(=F_H|@ZVn#P@OJ={Ir}wY(TmBvE)#>#XG;R>nt41rXp;Lb8l%|NeqqLo{CkDm@`3)}_iWWkKjwr@utH_TIdiFCR5LO=5>Cd4p z#-hIC%hHs?mOk~|d1RfGERXED4oG@iO+v5Ii`I!M2u8%}Lv0eEn*@A(0Yu*h-A5_j z)VFH#fXFai&nxba+y-$9KX9^)EYlQaf{+&#`k~!Wpz6_84kzDt)61o2Al<#Y<2j_J zUi*bQ@>qNo3?ZJ0?Q81$ftv{Py$gn@_xo&{P$4UbVhM;6v@9(sQJxfPx)W>3Bw?=B z`*BBlf&95)I@u>jLr@^PqqC%oQhXMMQoD2HjJhFksyFx6u!|8&oRDN?On zXHJTz|0alXI!?TXw929zev)(XZPGfu)>YX0wz?Q z%!nlxa7Q@a$BN8mR<|S<1E=5}7D|T5=61$$PA0Jui@)*BycHS;QR+3{q*I)XTZ57p zNN9qapMP78CEA)l9hc8m=sU~Epw1Q@?e%H21%0A{o_jXu; zBQuYoB?I|qWuon}-#X(^6Eed>5MC@OLh6PI*^sZWdv;pYN+eY=wxU!b%nW0wf9AoA zgZWX6rzX>@MWGz2#+2A%2kRocII!t&%jef+J+S4ssoEp}iC>2I*ik2EeK)NpRE3j1 zjL5F<)Jn~qr9=`h6<#Y}aF`@*hYaB<@Q$>d6|D#wsLp(IiKlK1tV3XI(OS){N+<{B zJ=s8pK+pjDzi$`hV?3=&K2>6*KnfO%L^;2`HR{SS3HfMD={0H5AewMWw$vhZtINqz zxXps_y*1OZUnn%}=7f5)H@@g2F5clDN@EKpyQo_|w|M0?%>;+AckFKPL!~Z;iR6uD zE)@r+0W#ts9I2vAPm!^@?AgH@5cdGFCz%cH)pC64^ig6T?{weUnvgER^obhB$Mw%( zsYr-tNEdJJC=b7VtXG9eRZ^qY&7oEcYqh`Z?^y;}+pO-5jD8<;&VxwV4`BRn^S{R> z#H?NdBwEVI(dP3KM~3yRqI=Z>Ow_X#Bv_^g6NK(J;j8(&7ONFXaQHfu2$2mRl7#|L ziYU*q}&dKs`Me@MGc?SLA6P} z*Ln@>Yg$4iCR;QIoeDJMkU!GPZ-`)0WPIkA6;r(Yq{JxJB_aT(jxBPQH_a4ubbQex z^dcwY`g=5mCzFiA&~l>a$tu{Rkh~^ej+1P&bgjm?(;$Damd^WyNB65m{kPr z#Ij#o$WesfFFA9UQFP~A9NUR|JjBz0^G&6kQfyg{Y&&Cp;=#gm-lPDpm~#y*AX`mE6B*)F*wi3f0*Nw6Gz1>dt>HP-BBpGC5;n>D+=uDAOsrO8Sf~MEt$W#6EeOY4>z_oz{i_RM@x~ zl8uG8UyIC4OW#OF>v`X0IgXMYAnV(h_K+*#aQ!T$F6hr%=#w>nrf`!o)Kf=PqxUq( zv~_IXCV};}4u8j?;k1FMMc_&fiJ_-(RaDDsg}o9Abfo@`>~9K@w;Btucze;|%`g$f z!l;V>n9MknnXn~bbc4h-gSYW!5)vEslHH-gIWaJr_!IHFU$&9Wbp!xoqGPFg@C1W3 zjdr5m7$LfsvU-r$^qG-@E>sVQ!9edi=Cd~WrJ5uH#33f_q}5PNdLqU*`1XUPNm#u#|#HUW&-^Hqb8xl z@>AFsM>4y>4;cA$;kpTQG7eTRPxCoSF`!^G!}zG*C?d_+x{)RO!gGRx$u4k(6=d+v zet3}-m&rD;c8n`|`UfsP)k2cC`68wQQ}pW0f3kYWOHI?yGK*Zi07=!@zhhNrfV@vq z&?$&ie{z5agLaAE0jY`eu!lX>>TfkH4^aKLky*MR#2Bu=hI<5;QIzaEItvv06I1cW 
z3zAHtY0FZn+6HOd8dsl5l@BpXxote_VwrQ01v-`SvSKD!S#Iqb|HPE)OxZ_pHn{pS z#ovrUOv3vf)fl3oe1fhrwg8R!MsZ}ZCiuqMd5#gC&&2bjM#yCx`>G7G_?-;X7Sls& zp~ib`BsRE`&gY*n7wG#Sh^AfJYRrK)v@^@op+5Q+p8!5ar_*|-7OyK=ZK`xV76F5agwuocmc4r_)fF~msWqjVr2_p2Cp z%V`n)I7LZ12D!#DYxYj^u(!1CLbE2ZtfaZE-cO+OJg%E6Xfm~QHS{V}d%oSb(DPeT zD1K&TIkLg#3bBOQ>DlOwCZgaRumM??wG#Nqhh}!?w!~>H5sYgf`@&X?8)xScQtAIE z67Q5~VWGAkjhOz;`&NHMsNmn#=3dlYKW8_;y(-OVV+wwRt;4fU=w@^V@)jbpPIGx& z@GP&Y-Yfx|O_KUmEZDuHvz|J7#&o9q9KZoU7oHHeMBGkl=zZy1#Zw?FWd25QftO9hTwOH@ zWbl|Wk_06B?nK4`u76}`B3-&oQOBXyQm3ds_Q8)yyMONQK})9967x{DyT!o8LjQ$x zh@99hPkzVi8`SDz3<}l3TAGrMw&?CY%_L&I#j+1PWiF16pkoaP;zos^R&`>S5mee# zm*O3O0M>N%ITExOxM3Lw8K$1v^qv0z?49#36_Xi2%d&1nfvioT{B6-NrOcKXWOej&x#PVI=7+efq9I&f9nhY*{TWlF4RT z)<%U(G-k;kHduGEYLoUzV%Tl67~^gq2WOp6ROyHrNIz5C68Ceg%Yf8dE%qmOlc+M- zo@}0l`+i~QwydwuM zIWC<9v(D0aTi2>`HFYj2|0NIB#&_1rzKk!$O%bvoKlRkyH3AoR;q58|VCPMOPc3nQ z*FU46g4Fw2p6Pps@fu*^y54@$ddNwz*zikhZv_8NzfoDFjS0(z`gTYZ&}Vja+d3|} zQI3+US#ZNpdn}58$4tjZa}hoy{ofF1I!xgc-&gk#PV%2JM|%AMfNF|fMgdOH??HMr z71IoSE@yAo&ieU{*&}ge}q>>%Naj7Bm#HhRRmi0d9QC zbAw(sI8o5%g?%SKz3`B$?>7!{#oiHJIUMJ4^T4B^qrX2i*J03ezQbjwk`5cYY5T?X zA@kaX-Esp-CDCBLHP*wI!d(u0OyhHDe|*(-*;d^a`dXY77GPV_Izf1hZ55XSsj#OL zu_3}}q)&v&6`eFanj${{)|>5DZ4k&y_fjc4J}a;YpIRc3c_eQCVOa^~UhW+lF#MYp z^O+|%iz)(*7~kUC(W|P7kjBT?#n6+VxwNjv(=zfYqkKQycUq$*jtGsKfj^aw?Od%{L%W?0}a>~Fv~EW1(NsbfHS zVF}A}{s1)xslv0Aae4(~gKRajiXVj@({1LRZ6%9Lbmw2==J&*6UZ*rR2Qy5x;cS*28s9%CuRBlrYyp>@9j^(;P8^YU3|5P2-SQtV(41sM^75ks<&83 z<|CJ)$7kNF4x4(LRFvXLT(ddTh{Qc@aI9PD4=(7QUjB$gaio;{(n}}sN_5;Kc+=B--I9Ynh%(E; z7Lf)DICeMpZBf^qSt^#4hS9kQE8v)n)ggWvWw*c45|8|T@{ ztkwvJnqO^rL1x*yY)pJGjgiuG%XkH2yb6^?>H%WNE=dK0TkM87g+~xzCu|LaZFFR$ zDY&9Uu)?S|uyViayD`d^+V*F?dJ8Yw;&0My|BR?3I9<)stlO;yb+Xp*i@sdQzMi+L+#K|GcODa=OIE1*gEsWpPVqmqI zVKX57IYsK1nvM3(WU7i1Y|?QPaeC-m5k0qJ6P#IoMn!Yg?#p;elq)IWL=rd|a!tv=@$9)$h_U5?tKgA5zRAAM}&HiuM5N!mU4NC-17P*h}j2fuh8|W zjCxo1pxPu`(*hV&f1;bjO0tki`OL&>Z#=0rm2sj5i081cQ z-+`n|_t&!EJ3Vu$P`Pbj5S2?YFw|rt17bP#!6NEtrxL~@>8`N) 
ztUxsi7LfmmOj2~@t)Au`Aj+sAprLk`SNcDeDX@=IY^Tr<#MI(7_70gVW>o|`)~|Kt zr_FrX+Srtn>%U$Q4_@nTyg0&wtBiJw{L#@z`wJv<3F5D6K3E|<=4XG^&&QRd$FWa`~AR&9P_N8w>jlGhCUAN_^{X1%}7xy6%gzugJ-|{GE zx|zI4)Vxys_u}Pv_N?}I?@O1}Sx@hn=Ne;h*5v4S-!{%yV$d(wPKY|UeO5Uh_N8mB zNu5u>QX<7YK7C@EwO}v~yg$en7AxwUyz!$x9z8JEa0U~mqH6=3CoRzQChuxFkc=VS zyfM%UEdft^!^nlv$Wap(nZ0*Hcn3uOp?@9jWqMdkpyEuDXAms!qGKRwv z&m4qILQ<_`{`u}?8`dI-`X6GQz$eiNfs(&M7}-A#Th-$7EZ~mQ!v`vtKE&Q_G<2=Y z*)O_?_oYDI&i;|~Asfn&7A}`f4|!K|0&WkSV@~`Hw|;pMT2(es>UyY%!Z~#!C;N$N z7v!bi3pI&8*RhGn8kR)o8dxxGd@Af&Dkw9|{6byc4M46(0Fbf$UzT$x9Fa*dABA@S z3=M6o0yo*V^X=4!Bd^vd4&z5P?#JbxfB;1?411h;MP(II`~L7XuMD)H#I5l9gfZh3 zSg`N>d1mi(Y#%Y9W5WEN!js0i1bX3vOlbs}Rrwu=*cpO#D14YG8AOvyk_CyI=tRI_ zy~*Rf2=j<$|1iaRyxhTH*;;hbI0-(OS}F8Cvr|JqQZ>=ww$WuXG-#9pKyidJDKQ{> zi4If7eGObmJoutn-_TPNM>VZc9q9JlJ-pLr#VUd+oI7Ll-n~l^pa^u}^zK5ID=Bcr z)zJu@YABzHA!0|*Z2!P_T4x4LVM>RZpn?ysiY193)>IS3)asMo_19&rh;#d34}^G1 zpp)e_Xpm*ciaI}#vH5MFgjEES^8O7^tbJqRS0mVlabS}UQd(MZh!%gn{<>dg%I&+= zPm!rtk;CTP!QNE}>~yw_N{GP{pPc*EOOZyfFQ&QxGl6x6YZK@65SG%i@P;@*I-6W+ zyUzLnoybFKiYaJtb<^Z3jm6Xt?u}lYh>04Ma6z)9c(;Iwf2p-%BJE16>~{>ei}0}% zCjcqcqqW*eLm6WMqo*c@yu@LQ^S%|-{=3{eq>$7lYZvoJ76B0P)y1f`a4UWTmX{FfK-=E%uqe8 z>%V=brLQJCf(^muz1J+G%`txhs}SF$3#7`Rir=p6kHCT(@&rmqVr~ePnn#e{mNAZ;QEG6$w_pKzJ7e{`G}oV^2pb;$A?^&T^Z zDEAU4ejDLXYG~`BIYlJzG|=y~%y}mY;bdkun<~7Wb84*RC(Ak6Bpynqj_Fz#l#)IL zQ|-d+P6G~1;hswI-o)#vf{CT|BrISUC8rRaF^@jZtBbdAI@hl)2^7|LRGH@7RzGra zlY&UhJFU!oN{h3XO`4F5;n(UU^%cft?J2Z5`A|_ceXZII+Nbw@yRKEWq?Sa-U>)Ps zEBx&~GILele4dNl;_cS*k<48C_VWi)#`VLU=ka%E>-5>bd6wSp*CCRfQu&ytEM}A1 zDhDfWd&zoeZ?`M6_RE+!_rTO7S^$Tez@EGc0m!ct^Q`E$sdk+16CL;71*EQXFbV7y zjjDH!{ZO-=aj1csH9RiDN)vS0xHHPhIH79N$6;^6{Aqk zjHoU6C<-?1k^6_ztD7K8xhjvC3Rfn3xe~0`k*$U*!4*!MmtwtoAkn`KG625ive&`) z?*%`@y{5O2b2A(9EP*4+$ocMqkQfJ_1((nb;MIEw_zp>lL2TSZPXxc)D=KDDZqL(j z$!D%un6P(udUFDpl!NjDtyB!iu4zlv!{<}y0%FamUcC+Kl6*c1vY(53c{}YnO?#so zePWQ{LVqi-Rx=ICLKUfa*W3-d-{XJXxt!K$6usyaiD27_=xBG?Zh{81q6%H9vRsIw zG?^qkj^u`4N+JEPm3Pd^u7PRN5&p!B&s_(ihs|WVv%%GGC&U(3*kbG(_?T*bKX-oM 
z7<%#O1cgXxN1W|mTsx(N7VpvbrGZ^T4viQ}D2cY@sd6rf>&DbHV1_XIDlF&mga71KNXiLO9{tt#1X~(Y@*#~ldo>m)N;cMVAp!bJ`(B=E zp<_LncS0qj0XOG?dT5&*0h+vpf)S=l=j6v*n%5^!Fijg{G&6Dt) ziu;}VhrF?sJk-kXY;&JgT&~18^n|RrlJo@x12J!21*FK4`#|W!->Px$;)rR$Kad=N zJgHb+Tm|*Yp%>3b3%H6NxJuY9eFq@_KTpgp_JjkWet?Q=26q$_R8XeOxDfa@D@HrZ zAh_W_zK$J^ODf3Bcy=+f;cT}{QNrl)vzf-nG68_11y=mK|A|%CFP4nzf2xcvR!Q?C z>YL@A%zZ{+aIwxdo&vfnaAlwFRBQek2Z*+;-X$mN3JHk)*ObKGlwDcuSNx_Q?En+F zDM{P-vm=oPFP?@`>vf5Zc%vBBW$8RwX+DJc7LE2vA&c34@(TLD@`nGAv|*LrX1eL) zB8ho^HdyisL&-s|y)cmI-J)MIPU%Ez%#pC*DKnUHspt$DiPXyI@M7gv39EqdUVR2j z4{O%v7wmeyH#2T9rx1hyBToXsu4_4UlICifcS9wmZzdFh`zGjE#>}y?DS%oZFe^lm z)18B|Y4BefS|hleV&&%M8Fur(c2^HGdIi!RH=esIXUGD7<_KA9{N_mgyW z|EhEccHBxT_1$AvLlTK&v^3FUGl#j!IX(i1t~iUGSJY`^m*)})m=BgC52jf=c9-dm zLS7%^*v=dtH`H8ovyLmY=Zl!K+K-R9_V^#eE%st^&^R|bTiSLIFcY@#gd~C;vpmS8 zq7@mvBesPxHnq9UlZRpc*HJG-)~W7^S_SYC-3!zq)qkjH5pt*U*_cAU(9@^+Q7hYf zFo&X2-Se>PGr8d0GekoUNkM`o@b<_{;#oR<>yN+qTA3c*D`}PvD`O3dNR>0&+eJ?U zFwm>duTNqN3?=4Qf9u?08`45!{0QRo!=}DjfF`ALSE!W0*Z5}%zsq_evb|oPgIPcV zgf^;6W;!M2w5_nBg1MD;>Z^s({6lZ`?O59+y+jMGD+8l89ob|fQ!Ln4eM`|)u$sOk zg4G=8d#gIcJ>Zw7kPCDiVvm5rqm~yC&LjZnkzx^Z`eaI!$exQ~sl02{_8fOLuQil2 z`bTXRv}dd-jqt^`~2WX){4a2u^WilAdDJ&5lNq zrYUu?i*aaM8CxH@31(=6w~ovwGUm%DAD6tABIG+dvxzazKxmLt znDA=6Q0l+6-xQy0-XxYr4RJ_+n(^D3bO1VbDelMUhY$cVW-Gggj=$K!fisO258GI? 
z`>v;04LvT@sH`f+-|eGwc;>H)uyn7W+YE!dx*UzwjUp$~D;_WJSfeu}aVo(~?9HKN z?F@+yIOfsPXy{7c`JyWmfZLZh zP%nG2zAT{S{MbrLG0T^kwI5OedSGY2lW@+M1ie1WhZwWH+ zEmfE*NUAgUxyhF<_UAO&8ngNq2QhLJ1E3FT9KJI%Yq%K(M?E6R`*|gEMXYL~>;yFm ztlJ`W!qQa@6crsyP5ec+LxPA`Vepeod(TsnIlHhAyAMlU`oH;= zOB$;qFBFDzlG76~QH@_o!Y+;s(DjkCVe9XG1C9zwobtC&0o$E)rQ@4y%U?AYlLkGB z)KlkJGkv2hLlDV4$01{N$%MKHtfsR4Io5?1e43&;$o|0oR0A9S98ro9;=?SLtK{(E zkahl@+d16Y>Z;hqc3bv%WlDAa;pvO5?rY8YwV3(O!K~XUS^<-)(5^G)4WZ}dX?U0j zkxy|v%k%^JBZ#I+9t=2dePQN0EYpLQ_Sl_?C`(_R2HT8#jt38=z54evkC-n}H{zlj z;jksGbwDL?y}4Cjtlp@$_d`ErSb>UkK{6S6dCnL0pE7YOt~%L$5T zbsG5r+jxGWRgjN2cAU+782cPPLzf?;;C~ID145rAIIB)HlLjFkjZA7lS5snu5f{^U z?FI^%2P*t=i4mS=EhjaN4yzTPR!;Wk=dJcj3 z{3~A*=Uex2fGoKlAbQB5#}O!t6f#&iGe|(9XgGE;3(M#px%Q$JcH}Z)F>kSpOx^csPUu+aS{C&HCt~_ zfN=O0wJ1UjgC#vc?~nLsZR$G}mu_~%GtpAin3z4EmZr^iO&dO1Z3#Yw3+lH6cx-Jd zS^dn-=j;=p?wC&7tj{>8WqULGohwKUuZF*MK$5ZHGQ*mn7);ezKeuNH#>woW-acK7 z05#K6tecDAQW1q%jxBJ$pqzr_cSZpZiEa1_+sy{1LF}{QdzLn+W)q|Y5RwXs9Xx8L z5Hm-w`d^ln9Q7|r(+^WnW%AK)Q7$en5Pt;tu71;v*dm6BrJ*&kY&A#tdD?YFQ)R)k znXWZkqu9sAnr(;P9EObJ6zBl_(#S&lxlYEhcF%bpRGuIvzbxQX7NC*DcleQz3u*sf ztQ9Wc(LVD&3v5VJdC>=^HJh`yqUr1l_@IfS8MDSHIi1|Py3cV6V=~B08uk% z4?6X9AhxJpo%XlPN63Ps|E@L6T+q;?Me{3_St}vmSL&H1O&Sn${KYA9qBL@yZTeTU zLhC?BG^9G!7SP(PbY}A6qxT})O(^d-dfwQo8o2`el%n9ig04Pc8q{ibRkXbT7@odG z!bCLa_Jv2WI&RapQt`MI0;J4M5Dp-Tv^aImXh-8sw8!zu6#4h$B89ldilw)@n873s zK{qrMF%a`arlv`bQBc#pcCeYk71GP@oJ{lvn3Dusen%P#vUu2yD&!k16%{D>0S*i^ zq}VS-J8RpK02cPMjvIEH`_#JLtDEEQmTZ*eB6z_my}2M^MIqNw%f&t;?Mv;4viM)78U3*0mxM%KRl92~5-)q+ zgsXaP$3b=T4-us9`gYB>WDxx`pl@m`yaWE%VQ<*Um`W!)$QbLn+OV}s_%Lpy(4;8V zr4p|dK9cxI)>}T3w~jpo8IBRueP3|BAP5}Dl_7CuhBR0$Ub%EJYy0oK?nip1g9jw&|LyC=D%7b-LZ8X&%fwX~4*gU>Sf= z^DAL!=6KN$P6;iDVnG`r9{Feq`*1*yBd;|QYE%^&a>es^Org#o?GjKJUsYwc5iPz> z`*6ru3=(8BS6^U&mE9vB1DK`-X-2C0vbzXALe1sccJKTGBPjSDEN=1aEHeh`1S`Qu zIbluUQ$W%C2UwA2qTBN(YTF-5p$E`H{5h5fyH1OPwSI|x`gk)exthjDsfQsXm-I+C zxXCv`5lL}(vDzOeXI8=LzzbMvn(R|U0uM)5Vbu~dlcKCv5pqz9a(4&nO~=$5xYhTN 
z2d=WAx1!Vu8tk%N490XWU5^fa%f{35$|bkN&FW(UvXu@zQmV}?!iglQh;dq#hq8JK z`R*PrvuT@qRlg3_=h7Rd+>V0NB zy_|3EcCYW&TsWccU=9V)8}$0W1T$8JizDa%f&tono6y@{p<&{uNpPgecj+k+S716c zfoNV1_pOWC z()tY~4a8^bSic*)M;TjAHevoS%y==bc!39$E|2%nP ziR5IDdh@lV6wn6F8=KS)U7cc8a1nfZ&#A3c;oFNg+Q4sNyo9T4bBu?Wvmc+99}Hm9 zF!qzuCBdmj8mg{=_XZw$ZpWI&?=Z!3KwLO~v>h!;&s2BK~J*jt`iX z;_MMauAW=@t@9Qe9hJh3$q~SuOG(hxCEe=;F4?r^TPb*Kf@nW@DhWm@ zzl4~O8fdS5cHnf{xV#kr*<%R>fJ`yo!7IDQ+-5_UT)r9J-#*^Ap^JOCd6|F8 zGJ<39{ke7}>Vs(6uHi)Zgocrt7AHFhG+Dms$NhAZ>Gq~8hPY6Ge<+=hQ1Rcz`Ew|?|dnO$b>n164#zB*j@Y=2yty~(16 z7AHj7MRzgFNEoWS7#^yFrpq%SI*(u9zI7K8NTs<=z1o0I1G-=6()gH@{!|k`oIpNPoPN;pj9C4}4+^Mig$1Ip}*)MsoQ}PR#$6m~C$lB_@8>9@kBSE@& z`j`&8b(hd9e@>aiH~)SG!H*iIA3;oo);2x3?cJp^Pr{{VD-@t08}QNJ-ZSO8^cA@= zHtB+x3Qoj8Yg1&AQ(QdFSG0`(lS+Hp=3|3J@1QHO0t4j=mr5& z`_67x{iK#m>x?7KnW#qmNyM#yhSz32y@VlXlq!>41Mp)oFDZwC%YYV?=!5g52fx_8yg4{?bbhcO zUgU6$2Z;_{GKd<0u(RYOWy96@V!pW|jMbx84`w49*(eMpU0*Glk~e)(9`;7HVUFHH z^ZV6dE_}^{Y|4bskE%Bf((t)6SRJ!&wA=47A;+mbp0c>QxxmT{pN#z5f$NZ>h3tGk za`OC##o56vU*~qfD`?Ks)u#BL{N<5o!&>cC2xg~!dq3_l~=e(YJ+!4Naxq_dQ zk#$H;jdcw-&KR=U1oHM!z5t%#V}HgvV*IT?^mGALOV#AzIa{OyBa(nUE|`cwaUH_Q zy6FQ3>u26WKuC<_l2i+pFpVg#YyCF2AJQ85XU2%pUfP6%V5W86zkhIbU8op<#>Ds( z6zyl#*Uyp7BgO->Z()AXW zyiax+Dt!{C0Bm?nW>8d!)WCo#&(BRM&_;>fd{8P3WX|my{=GldwEkrkm{ys&IAWTV zvst?}<>V3V`br>kuh#xOlO2W1T#5;Q-BLSo1!2Gy zjz$G4$Yf{uU1(B=4NrmTKSPzA*m?y#G}YESXYn;|*B`G?exooZod?C_IvK2vokT{0 zQZi1lC3Sy4A&af0UN;ecZX}oFX9Vw%Kw{8N(&`@i*>CyG)kN7Gvk3F;B%O_;-GMCV z4maq=lAHxD65t%a24@CbTCyRU5_|;&JhQ_tc=Cx{y=A1v2}MT(K(ysm58?L>9jc}6&sI#+2V@XcA=5Sp$7ZXBM=DMFU(ZY*`jJFNA9 zAj4%@6ppH#W$A;)Rn%}qA}O9YH#v6gJM*N*cn>O&>_O_1v{)DJR#J%%rKEt^^Dien zf#p|X{z2FRdq$J_(+w8W6C;B9;XxA=miPD;f)=rYZ)T zq>N1>OGQPryhR=xOQt=1ICbA?_IP_7)HOf>F*;AG@ePZ15`A6IeBD%rrpn6jLR5y= z2C#YH=sJ@Tha+UHX50|XM0-4-abuL%pxMDqgvHEgnf^TQ>p(NOVY|*YrzGcb2gmwo zK9nMwwFMtVJc_H+#Y6~IKgc&uT^mWAb+czCzU9^lj@;;f=kp)U4~jF^1ZS&aq_K;S z)cKC*f8cyK8SEg-QasYMqE`R*4p$_5 zpa49?g_RyvyPWY?(n6oF0`-OAG)1=0lx}cqbOvqDunke*+^OVPzjgDZUi+D6e=}8Drp`WXA 
z%6)YmBP7T(27W{^&i*5ANz^|mHhQ!hDfpZBWM%&>r!_3As|e2jxy@1?D$=9dcF$^O zZ#G{Y09YTo^?o0@V1HQMG#!oe=hB5hY#!dX-u%k9y zTMl>6tGj<*<~$ko_SQ2R!QN`O{(_9g-pHPK{K5>Ih(k{x*p4Re8xh5PFAIi22sV}{ zyJMC{$XbzqY84riS@(RR{@tJbAbB<+T87~D0L)Ph;_6bkhzEDe&EtCLFd6@@xe>OvxKu2w_cWI`WOIF>5chC5$8l&o}g&d zM@vV~0{kx8AY;E2e6b2!2~IvyN7ZDnvyB)AGKCcRLcu)lH!l6U-F+{OGL(-|M}XIm ziZ<}hS->M;R*wLMl<9UR8i2Rqc||?N|Md+Rm4{(YCPIRYe}*RznALP?Y{_C^Sk$8*1;>ea@*ezM!N#h%<#Q4@L!BSbmINhja#Fl+c%=H{B%2Uox?5#`&6dFCZ7(5=`*1zXsLA{fIA^SR_UO?bJinlNha7QOsSK+aZtACR8Oq;P z*}9&nmM;fu3H`dTh?Q*fRKK>P)B(r3gdhlvA(E2BoD!(cH-+LJrR8wpHt|^Tpf=c{ z&HTr3c;Ozzva(s@FPV1ZW+0Cv-UfobA(Vo`AV(Kd6JC#QWYF=ZtN6~h1v6vdkB=%Y z2yRLY8G=(gr*%XRyeoCF?Svzm7cB7gO3xHO;2*MPPv5k33STYNd0A3)^yiGllBMFfgj4l2=LV@LE zsz)k35-~#o5ub-B=tb}~vr0fn~^0us%v-ssEajLbEg zr&h$RZjS0j%YFpQ0N%Z;#er8fqkbNKzQm#Fu&0h}LBcYN7lF?L{yO|r0BHD$gkm%( z4B3PD1zS+$j(H62i7B4|`%;;|#jWW_v$<`!86UJtA4=fL-%qEpK=u-mF0b77z(@0n z%f_)#-9gVL?F?J)t^Vp(hW^7(xVUVMVQ3(8tr`D!A@ka3QOmx-ZgP5FsgWI~sN>jf zTZSFQ0Gs_5RJ5;OjAS_JU)-D-RiIZ8*A0x`2#oF+}?2co|^Lgs@M2Lv01%@6YBiBfR zyvES$2`;YtTwFBPUD3xfuKY@6tKLxIT7SbH6#+xT?zFr;CMC62Bk%jL{$zI~Q11T# zDoxOIx=F4Zj`FzX;5BK5BVJAJh*5Z>*{FF5h?`cPCA?{ia7W+wbXZ39O^mbS_`-5YfnERjQEU1Qe4_DMm5ze$l-s z%+$|wzbDGg+_cDN3C#X#?HKcqO(E}-pYz)4eqY8VQMZ*klB5iLJfE!EgO2i!QnM!6 zlSB}rA!Zm>c5nOo0@?1xDpQ#iHZK@f(Wc%y{%dK!dyv5VwpzW?yM;FBOAuVHrqLZ)XOa0rv`CN{T{WaI%iEvN) z$^txqrUqUsd%uBPE%{Y6Zx!_w;O@8*7{KYo0yt6R%}y4hQ`0*8bB(b3=wbTa5W%CK z7pD_uYiLS%lu#4s^Ac%efIc0YPrFK<4dJAgBPp7~O;+XfeUcuPr{?a$^FiJSjiH7> zUbgm|KXdjhEq=rx&qdfTt9=T;CV=?z+YCGWYl7IV-M`WyrL`>c|A6wq&2Ywir1Vcd z(Gd8z!Bo~wvv1TRSPY98=KqA(^C4yv~+Tb z383!U8`0^Jl*xO{m%3fUaiLv!07((}>VvN~bcgBDIzZ)TN2xckguZ&~b3 zsc$L5{o-kMu^Z_=;*K)*E8DTB;I{0Py5DvLUS_t>{Pzm}=^$k#w2Gl?Xs)Iw}HREq_y znNQ6~{lnpBSx1gkx?v6tvy?sk4dzO9VkA)SG}{{T!0pIm?VhXVt5Oi)!L;vZv$qRfT=i^!l27IX zpIOULasOYI+U_mc971Lr)Mcrba>T5ReBK~X%!$CfjJy97`?7VW)|KmWep2Zs^jyO& zbQ56hP(*c4u|-KU&IHu1jj0|6Rw{o8(}#_OoAX*!Tmi#bKT(y0`MV5;n)!Y)c69?d zI>ZQnnC=I(x$Js*G#Wx7Qwp`23H!YBq0Rcz(THbvR5L(zi_I 
zw0YMH+blm62jN9bqtJT^x_g~?bxyuWwf+pLjOdx(*PwH@gsJQuJ+djAf8cKSbfi~_ z=wrlOL9l3{)KPdOK#fSzh~xP}U4;;yGH%F(?Ce-0=(Oh8a^|uvzAo#gW&_ z=;sJlo;L2%_GC=>J;S!baK?-^4ve|2q4(Ft%m6V!&c8PTSfAw82*HZA{|AQaCTB>! zVb@Hu_jyGJlx+QALdM1P$K}9JDEL%$hO_h>Vo#azjVEw@6UKKYn;LIPzx~z2i{uf} zR7bEzrit$I9VG@lQ%SyRqO(jdTK&2gxeG| zAU&1!&^kq-1aV(igw;fX5-nbA)gJGf^aqcpug#xWLpb1pnbonD4$yuoJzB3euvTnnA& z-iIXS3D}LwLS!>7M7ti#n;X2JR&A;`C_AAgReeAs(KW?{@KinJD(Kz14B>lfb&61( zJvwQjGBa4@2@`h3Z27-x3a8hR10n-*V#N6O;zmlGS__f?QP(h{P*dPBR`MRwj7^O} z(9m0;a1CRN&VwUl+=FTq6^}fh`$2mlZV2~LDV4X+F4e+;Ue3?fl(FUg)R_wS~ zSa-DD%wlplT%|Cp&V7G)-`BW zprcXk40+TxvN7|~`3$)wj1cH|4cSeiEF;6QHVGxiP*jqf<(#Tsor9IqD76{I{Zvwo z#bb~OhA+EE+V5q~^cTz!9lxTXC=pLnZFKLZn?`w&)Zvu*7aBsIJ>XFEHN21p`Q=Zd z8k-I+3*_hiPo)#buqeC}wk2*)lw9aKpV@^q3F&@3iHZp^IOxm^o5NoOZ2Yd`x|qU|0f-^Q_#$!I`>S7N zVjQee<^|wp#Oi>zgFebjz5U1Gk*JS(&V!?hKJVEb(*b;H?kQZ#PiH>K*BS^Pogd{H zuNF~B)FKxgf00;_srVe*ujS)UGC)9bIuR6=O#%ci?3wYJ&`QG3N@jNZa1uZYZ}~>%4tg zui;6(X0C^pA0X3|SuYJr;5%qN4HKQ5;Qi(NV}bZq#Y$MJWLB|;mN?_D5LM3hm*jrC zSOpUgl&nHOpPO)e!{RjN-`D4EeZOnbn6Km%UeI#t9?A18&M#$$g3t-erdvY+xCa>D ziJu`LX(}>HqkIHHU?e=DNFFDyIy;bzY~g?ICAwGM_W3H>wvFk~=c$1d_2jHjZde9o z9AtchBL>HUGux(;(1l2;9|%FMM5`c!A5XKH=7t6e)v5(CFo;*)jR{ZYjs;l52tfCD zPPY6)_}K)9@)Zm!M{_f2DKLeIjsXyc{KaJ&{`KZg#r$1J=IK@q{#L}c?`@|C;Ey1*8Xi!Q%nF?qJH-?;s zr)ouU)$>j%U)#QMeIxxA+&pb^@_+^NW+kSts?WO~3C7Ay?TKY4ul`nKgN7`&lTg;S zn`>3muzlL2X;Gb|ib;r&1$)|8fa{gN?oq*D4_hgH8T_?8>p-x6?BvC?+0OL1Em>Ua zR`O|p*n2k6g%|7eZ4N|`7gJk&K~!D5U4_Z|Kp?7b4cVuu`9uV6_(%Csp?fs1Jj>Is z7HrSbHp`>a1LuYZNdth7IB?xhqo6`{_rVbQ=F)U&(iYkN+%XCw+z!0LhGSLC;&$<| zl#|AWO)@w8fZ5iMaITP`m$2OMJJHW^u}vZI+%Do#EH?Q{T|k(GnmYc%|3yd)iC4n4 zQ7s-U*Ah6g-kjpa|5&h-AEu=i0@9l9%(x9X7o@bL`x&?q$JCnA}6H5u8*Rqo!c@O6X=#m;s|1yQ>*)-QA# zuKNa4%y6d7`_-7;!)|%61iE!N7$`MBaj27Jl9g5FBI5~4ocgL(wQh#~Q_>Q2R5&NM z2Hu_3OA>o(?(`Ym2{VLMYZwgmxv&PR*vZbGsLcCbsS-g62JDA`G8|)BzwH^|8}ziF ziW8p-8opf@MAYPTSJ1-s-V=H6ACBvmsDeJZ>7w_|7X{gv@rWQFFNP_B&8{BY^|kMg zYXbTOm8#VDZwQ4f5Q6UfiqgxtGn04G=4;#LHAcq1z;_D}v`v+Y>$_zD$KWeK2a-w! 
z3-XQfOyo_ylK9Dh7kcK|^@~>8p)!A!{kkktCbOcp0g6aTpn$P6TRb=~mWb=rU#Qck zha-;FIKv=8+$62}^NNowYU4Lm(aWg@&bXiFpxgAO&%In$=GeCs}dI+AG&YiZl0 zaLk8g7#YHFmh9zxosM#H&NakY@i7@d4ss6^w4SwCUi2jX)IAM+W=sH@t~sT%+?mK5 ziVZPQlS-jj`9~nlJS1ey4Je3S>Sb&JM?cJAa6wbHtuW2gCO&*<-XVdgYFd27DGx$F z>_PYJ1eS+TB)z}N-ITJ8zO~~_LG7sWWTk?dOW17a8gB=NR<{Awn{rUhbopIZM<*&j z_T0IDK$zQwVas-UoJ5`pNW0cZMrjn=5l5^c_yp^upxagLMvl)%dv3@e0skYCW92TX zh}5dg=q=18oxE!9rXc;W0{NYkbXP9aHwU6EA<|t1c*zT$dH_KS3b=1s@lhMBFF&;fC)a=PIAk)m-Uho(1tR{p(w(RR zqcqF&X?4wR&(s@tRH#dI9IA~RKbpfSl zNmVG#K>bWJX2ANg?1h{)5``rH9tXraBsn@J1>N3j*G1cQVF!-6KZ6cu6S)@{K?Ls+ zL9KMA9yX`n4%@#i5s`Q3t>k6(MqW#%w;A@xgoYjji#ll6LppXfwOJyJE0@>|Fy3~W z@>!C8lT=NPdo2^BS?+nv930y@HW#Dnv43VDl5Y?ci@&dwevGSSMB{^DO?2KQmip%}S*qUcVK zgGQPtUAQ|`ghAV656i;`Dy(_1Ph|CJHj#& zv+EFRFA&pYtX2R{vODsT3KF#pROE3A(+e=7mKEnO zrX*q!ZP)$A`Jn?-@IfVnU;~++t3#RhS;pG(p%69kHtI)8B5_O9AJYDMdO?r7h^buO z^Fd5qBa>@^Al$h@TP{B60(2p3*OZPS>moi30o8WjApn|8J}CKE^$cZ}1>FQRqboTt z6E$KAck-n-Qv_)itDpt`zC@1<{+i&sjnlld$SYJlH%~B6a-7iwmJ>KWIBj~cWg9{@?ITc* zlsVM;+drhF>STx1Hpbne(fg)L4HTTwvwJG&oIFWw%@kT_vaPv0^4U^Y-M? 
zcYRTn$Et_J!}(3xs2~c^-O=xwZK%<3ISrw6PyBMze0|xU7{j*ajWF%xqGMA`t)JMw==|!c{fo`x)wWL@ZN+~} z4?qzg1{aEmk~{^ZIG|tr=EEA!(|J}TVUA5$G)@hID7uhoyY`5(1VBe+AT?L_flIoQ z*j-0rY2Gz|6dtNd@YN?l@bjr${0?2>-;L2Rq+h(PEJZeV=L30-YZNHpt`4B|K=T(o z!soBV*jnZ`-EIro`>Jl2NS9u(U$>3JF(VuDhGY=Wq-LH!Y5$k{6+Wx{xu}1=*d4BJZ{cluhODBLWyj!!_mT42n{Vd_ zVqR}G;OF>0S-k}i?VcePb|{pKB9|{RI#_cl$bjdG{znm^nPWO2dm+ znuG|6T&?3TN^5oLQ)!=cCXld|5?r|&2HcgClmaM4f>ks8azM$xM^G$=p83y1InlMd zUooA^#1BQy;pc}m%A3QYC+~vzn&?B%CHTSAGtnZk`EbmOBR{u-$-vRy*&x82NIC45 zsWU0Fkf=4hKolly!-mZ5!H2H1mQU%ZKE@iaI^LaA)wLwYcP?%2%i|}t4j&VO->Br8 zKgW|{9%JUk)nojZ>=kT4FCbZ=22cY`HD=9XK?R!tTij1JLbb*ADtsC$*oO&1HFp)` z9i8=Gry(ajfAsI|@SU?X~gR0d+%59{rUtTB;sZ9y3hcjF}yZrTe?xu0Y zilOOFCaG~ny^}asC9P&Q(?EGAzps_>K}WzCw=GNC?yKUh(~aNvCA~<@r|$^bC&f_O z6+wx^8|YSiwd;Pg?_4p`mrx2mhDCAD7L43Fxz&7X8H^FF0TC#L*ob1{1Cx75>|--o zzoD%)@)z-@2j=1W6vVAKAEFL}BIZvJTNy|MqI9F<>kFpWSMQka22ont_8B@2zQG;y4PQQ%XfcCBz6A5OptaYK$UM-#{Bjy~peT6j$AkJxpwnsHPp28>h@VEr z#6x|GEB;2_)TLBE{ZE{Bg8G0dbs=*@WUftrTi#M<4tIW!)GRq%Be2z`*OVwJOjd!% zb35+;lB74lWE;CN_zM=K$;kBs%7x=`J9rUX{~39Nu;Ex*PSD-1RI2q#EGHrvz4%DN zFv!6B&%S>EZ7d95FkmNU47~`nxD^bJR5g&p9G z``}KjpGGfSZaFU`fn4@)D5_|lcLhQ&SoP|Uas*+Aed1OX(vzM7>968W;lUr6dr7N#hhLS@-$i-FBp-4oG zeWkJLnqR|$xMEx1omvnk9jz=S0U}?g1DleZVaDCtF-^fw0DQE(OmyC(PiS_g8W&P? ze^CvQLR^J)4{Mngc@m~4!EA+&jA*XUwUaAf=+5q&iDI|TUPatW$K^IE4xpl{nX|kt z${qSk^YltYP69F3M+c|n%F{|OjoXKA)=a|U$IUBMhxW?(IgE|j8uRj~N&wyqZ3 zB7Iw-U%>-e?k^!fZ+S7wWOfD1JZogDR_a+%%=i+*nOnzaE;TLfUk00 z>MsJ*5aagqNB67wpWpO^pT2LErpt)%qtH%7!VQp3?@IEFWKdR%U^k=Rmb|n+7Cz>= z*`&DF{#oJhbEbT^RqnnwaXnpX?wt*hDx5D&&lwqadV=KMe(^5Fsf)1Ia)i~obD#u2 z09yfqNuRqmihX{D7|jzKI!XL#bbHn`Mider4uSy55sZ?E3H8--pjPzDv&YYAvqp30 z-n$!Wd&3R`It9}ubAIQiJWh@+73az(Es_+LPiTJilK<>6sv&Fn3$1L!no5hEqG~!+jQQ~ z)WUzW3VHys^~H#$jsw8GdnR%uRSH+qu>&YAVgaUNNN$wa_OwBw8XWclv(t8Vr`$j$ z>j6xrhvb51!2NJt*-Bp;s#I6bDR~yH;Gj}(V`V~r8)gL5_>}4)B^*;)ZRcUkW5{I5 zxk3I!p^BVg;9UUFb`DH!WUb!Zr5{Uy_k~kvKex?44=Qz^@6~_R6Xm0b_i#?OA)&dZjY4EbGzL7YGZki`PBg*^l?)NMJc!{CmV>GDLf7h69xr0dwPEpcd{m!? 
zfyfMCD{zHU(i7H}`OZskJfF*87&AV1RG$2<>Y*o$&Mz?rnk*Y!x1b|F2~db-%~=rA zrH{^IVOp*JA4hM9dEBFeDd-0U^ib_&1}E=A^;-y;9bn0iQ!Afo`$Yf>rj-Tz35YCQR3)0PeFmW|KE&j-kwtCmZ&%|5>aX0}hY+P>OwCDav1bQY`f zKG6x_BV*Ojf<*xWtZ&BChy1(pVMFkqW; zQ3Asc+-w5hya7ZG!9KT0`g1Hw@v~f z9!Ov$-o0MUu%L1^F!eV3w#W={1!FABytW-iW}p4-YJ$72z~=EN8$?gT3~M0RmLGp|HEIw{O<$|f_4|!ZQy@1P4q+FN z0Xij&N+h<0us$cO6#P~liJ+B35v^BZ7-)F4IL{-M4cPo=izlBT@x(+96^g+6y5h@_ zJ`@9=sEh<~6ybz|^c+{c0NQ_Yk1txS$_MzS*996igT@ zcggJ`8A#p{&oMlvuttXelKK4<^BI;s)zFK zdFfjRCly}56U60aqrsUJA{Re=8u{f=!?(}$!l$aM^YOq8HB_xZ|H@`AfnO4N^%MN_ zUmd6-1Dy~=*sxj{;VYY<4-?&{ZxEx?1cH_)E0__z|EL7WOEJ9I2A2CZWrelNukhq9P-9#VDHE`S+a^aTD zWrbW&s0U9CwY2!W5U1|@ev3-+Z7)wPHAFJrk7<16Epi}(991GSmW`-%Zrz8C72!=wOm;;Qu4|h4& zS1cN)*7?NRyT1OPC+R*`asoYDc#$;Vy zP8FCo)p$wtNV{5@+m?C@wgO+Y(p$0sOQi-!*wIMHVv)Y(4$2SjHl%b>-CE+Ric1in z{UJp|!_BFxmJZ|u#|iz_JEiF6DA3RAe5-|%Pr!~|UDAOmrw^xJ0l6HyAAerW|D!>| z{1K4Lvq+-_Zcww|GB7t0bZI zt;Q^d)j;IBK-oEmG5YD@CF*U-bNpfZnbe?#0pix8_T);+ny~aX{=BPc5cA9+3+jCW zSpC()G)=CV@>ZY?J3<$>_Mf%2k(wlrNo~Ayt}toF!5TPN3nRwcq_gdhJdx8P2+;&6tyiZ;&`A#dlt`=LW>%!Yi{W%HX_c@C}v0hAJx7pG2hL^$4;-UAftBEq;D{8^q zqg6V|HJ5KOrOir0mJ}8v5{Z&wtf;6R zO9{}AKBKJ5ih|&aOLdAtl2(NvAaf$Z|F>mDvlMLm)^VZ9$xDIBCl)=H%EQXA%nT+r zv-MR&!rUyWSS0R{fnZhL6uj$j3t#6z6c6kBYUSDYB3Lvl2I1Dg(H}S8QJy(VzaWYN zHX7*pWmn4V-EvTBpyM}(MqIyJC9R9!JwO{Ar?(?^$jDPIeQueae@JKB2Z90H zX|5l=YuE_sC<_;gls$Pd6B98VI$zA+w*BTv&4DXz3;i%NSQc?_>F4{vYM;PkR)xvS zvM22?L0Mwn`E-2!OVK*qQ}!tjb<+N@?OR{GipUR2vMz zFk)&xu=b3$d0>?vy~S`K<N6N~`c_;s- zYj?!EOR4s!lb^JKfquGHNU$7(JnIcd=wvEDU&1>`U)3K_U*g{;w*o$7#uEp}KEGx@ zywz^Kxxd2i@)D40f6+EWHE2rEN}bSe#s%lfsfD`@$$&6PbpoIua3yPFx8jEjjQBM_~whk_}wHor86#$47 znyo*4(OgmRTxrHSwOZL==R=#a-=R_Xykop)N>BV}gBuP_@3;!CBn@2Dq-&EB$Nj6w zHBecoz&jmRWIVX?j2 z68ivUQ~I#puh5rRZpFe!!3AL()j{kK&h;j&OmkqQHjySu=-c+~`_v+IZ6q=V_dG{H zoy9AsLp52!_F>aiWmZzQ=MeHek071G1@VlyB5%C(wc=DxgP^o_9?(fonTe&*@OrL1 zP@n`Bn6}wvfuFK=HuEciwZ!x8XG^1%GeDp_fO7*Lkl$i&`)C}~C&#qi+054hJ1D?sfG%3FV?{5aTpB+VHOET zsLcM)hkZY2%)s5q9~UG#-W@~7uzDVU#+7DVZh7qStMNvHt 
zlH|b3)U7sHuPY65^t7l_u2-Ql>qGp?{cz(CwYm(%-o-GBIhy#QyHVuf3O7*KG2rFz zq13-$E}&6U+%3RBKsE06$&CS--3}u2DkN+ABKrA4z-3J4aXnInBLqd~`QuQC>pv{$ z>}?hWDoSYOeO0JZJkCbX@CF;yG802jaj;Lx;^=pKSa`%hZ%Xn@93cAZql+?TR`NL%m-Lj zU0V$G8yx481F}Q>d{6t8NUETVQy}2Xd|UdCHkufZ21AG8-WQT3ysiY`q32L-UNUk8 z)J)8wTTWED<~p2e#F6`FE*%+KXeNY)m(RpO)D-b;8_7=PVg8SX5j6T#Hgv25(bMN^ z1{NFF!r?TI-+D-~V!j-~kw?683-e=4@L=y)dcq(W4`GGy4G=tD&et06$JB3lSb)yw#JEQuZS$=!%{F_7^ zI$hD>UkEx;q=EsnUfIr!ew|`Hfy>;xEcCuq3h+&rkfl7s}_s^b|+iQuj z!|;YpLi4k8CtsTAMcgO3y^FEWEz9PeEUY}1D;C>n5e}_2nH-SB{uV{?T`cA#zYWzY zAbVS;yzRgYv%P#;2E&`Yhx70JLWgg2N0VQh1@9~t*KNbe127-3&2l$e&nw#{g+*RH zdPoY0)a!CRdq6jjhWq!!wV&W}uI#;fw`x(hFr;*L815&iE2Vv~P0_i^{BNx_(&7HG zp7IAzc@1VW{}1k6Nvjj3l+Gw)&j!%}7D|`qVnK`>#r`{T3SgcSk^tF;mLJM4O|Sp~ zvEBsug%(x0lcKT2XZr#G1X)@DE^}yebaHfIVgN2~Z**lYXKr;aE@XLbb9rrFa%F5` zZg6aL04`~6X>(;`04{W8cxEnTXkTV>VQpn!Xk>C@V_#)>Y-L|za&lpLVQem9b8}y8 z3kL!o$jBrFG4}ueZ}9M}1Un0$1K;@Cj|fyg#jok$OZoZKu8<~2w+@H;3Wz~8H`vjN5a`kW3HX| zFD~xV{Jd}&%F^X!0qoXI3D-k-|7?L1Qp-nx^Kisk^M2<-GQNeh-q0prTgCeY$+|}( zcrBqXC0+oO7Y`f)nIa`D6MqDH6hRsSx(rSjzY7=$=@5VdZWAgR_yzF;nHKXI;s*4- z7YhY#0)qjI4dD+C>=uIt3m0n;7t#nl4Xh7O7QhBNb_y}C2NCvD8F~)n$P*)r3*6!k z{sB$}{3{By6BQb56iWhq5ttRh8M_W23PlDBmH-!n43Y>74}1?CuK)@P7*YxI5FaId z*{)9k{TH1Xj1gS``WgNSQxtInltmAu?Gvq57r_%o6kY*jOB0N35f=k{7pVuoY8GA& zszU>c57P^<%?|+j-23(gM2^LJ^u5b{I(-U=ht1%^6n#bQEt2 zmIgj@1|AnJ0&WNcU=%M1<`ugMZWja35?T|T2F(%I5@J{fj~9Lk5eK$082b)l7&H@r z6r6-3e%o)b$K+8Ap9b_gE~>Iu)G z7ZU_324@ry3y2eR7o-aTFb|>@f)gzK7Z;`ie1jI;F&fJaGZmo<{Rk0t3lRH867c+? zxDol;U%(XE3L@x$1_|w)_{L@o;3>O+{wxrwTksQ5nU(N{=n?uLx}d`W^a}aY&>el? 
z2mLVpa0dxm1Z^=gMQvxo`m+Yo$qLi8 zcoR(5>cU}T3F2-G#$URPty$^F?*F8t5g3(@_Ai0a7iX;xHmtR4DCOpJ7(>{4Zy3Ii zTMNf4Ae8+slW^3)bXq}RZrxL{h5AG?!Ods~L17+Q!ryH(nLA0 zvnO!&mK=P-(_i~Mz<=51Y4Tgb3T@!v<`cuc2Y$gm4+VNk9gV{?E`J~%GY3WFvKsvhQj=^i~zAydmDflQGKAv3X;yO7R zjMf}lRCgG0^mnT+h33TTU3H&ti>#!h+t=s}Qb7i3gF)hMYf1-I+7>sR11lC6Zi#5U7?~_gOxQR_6=MCDWTUR0%8ekEP)TK+q(0<5MH%mtQKx zL>#Km1Dtjd15?~u8tEFOMz5%s2|SB-p7po%sK`xIs>q#8m&cScp%jO=m;7UWs^VR~ zgniW?bRHr+&S@dtb)k^%CCJky|4}yTu>{P~LCb|49W_^yBV^Gv!#JetP*tWkd!=*V z(GS*XXO8Br|B$tj5S^yKN2hB5(E4xC=oswE6EUnjQZg0oXy^!7o}r_c*?e>qrU25> z3zF(vXCf_(@1ygPQT*ucj?8n9j(UzFI(jXykB$zC&&>^Sk&!r_AS|8i zQ}2q~YMivh3!rmTm`-BYgIYPh6!zVSvlDSrO`LSJWPthU|=HSn+RvZosCvn!21%4a;IX)nBe}NQiQt{e9f`6$DAPG(w7?5j5 zzz&TuFX;p;k>GQxxeI?jbZuLB2?iM9mlIk60f3O5LQr0mOehTA=1&%I4*vE1DqtMk zPCqz=Wdory@mHR!|0g zjaa`hYzkIy0WNei=JX!a z2kIhihtG(cH=#vO?AhblK)2JdivO$UG_WpqIQfF!Ze0Haw@kowbY#|j^2 zGDHT&8!Git&5L4~Y^x~dN;se)e04`<)OF`r9 z!iOCUBwqWIux-!7=>VVA0uXbtB7V5kF~$u3u`K3B^p;h-o#Tsg1YH}w7m=kfhm(2K z`fIa*m{S8Ci+lD38Jh9b`dijWEoFwP_f$T|>r?`C`eD5PfVotBTmJI zFzkWYi#+HnbVfR8Tu`-R-mDJqZc^$sNqkMIsy!l%uoJ!FW?x(#u6rs=(`s(X4!%z& zTGr#T9ocsq9X=>|gb}GESI+)R1^T~c`_~C~j?u0V&KJcf!3pOKDyy{nj9gc9EgLSn zJ>_wP(>)u#`_9vzo!;xx;bp3?+Iv?HJ%G^D1wA-dglM&uOXi5?B)mNmR7o7H$Cga% zS(~tv!%mM|5z4{0*#vi@VWMgY&Ib%WJRsxBuTn7-6t(q{l`t==ymk#n1wk`1E>s^B z=mNJ-w1I{^f*QV5u7`toFRhXitV_heJvN*zSbgAl)1Yf*?o(G3hC) zR@6NxHY|{ZajQ-7J3=(I`y6yAT%dg91+7isBRdqJ;vY7aud%XGhMR!RT>2T~9QO(b z{!dEfn?vAER^8)IV#tptn)j=GF(rW2s8Eg4W-$x_!7!$blFmpZ(F6~&5t73iih&@a zC_w@vq)Gw_B$&yF!h&fH>VAbS7%8{Ysb-(9#33+FA0zCs%cGG^b$@Oh? 
z2wl%`N)R7~=qgeEAm1t$0)$M!8)Hb;1G4;fTfjH}uWQH9fp zWZX;Lgd08)@*vl-*I{XH(^c+tI`P@28yYuV9~s-5&I;vpi+ay5d}$&Is0Y2b>C>0Cf`goUVlW(#hyhT+ElQwv1hHy4ekG)xu&P$h1XQupg*ARZXDprW;q&D#%m}ilneJxif{JV5C#cu?x zVLE7!SEUl{EZGvwv7v%AGW^-w&pcBqjW=PxO3e8uZC)q8l>A#@!dsX;@CDA56$1dZ z=0j+KR?MF^P8nECyJa%dFIy>Zf<^<#ybp&h3(|mo%m9}Wr@TT;j_#~JKYGGI6@M;( zbQFW_jWm_MtfF7-P*`p~buOmHAmOrn;IQSXRS>bmv;FgA@56`AZQ(=l>xqU6+A660 zC%txu2;gP26P>V%Sj$KmA7uCvk5Rff&Kv$Qu%McH{yOe29|wn<@ES604>Z7% zPlWZuna)Ed2-#S-H)_FrOXcX9wfxw<3&a(ewv-;wLo+86xgwolumyY*08|WOI5}xw zZ*opcQc_SdbW=oMF)?RtUv)(>I4(IdIWaUYH8nFb0|WyF0|*HK3JL`Z3k(PY2?-1g z4G0Ji5D^jz69WJg6$Taz2m==i7zqpr85SA^2?+`t5&!{f8l)Oh;28j{Xcz#yiGL{- z0LppMuM_~-a^-mr0PBi99}{eilKMAx0$2QG}HV^k`}NrcSeVwk52{LWJ{rpGZqwodRH z%;4?X0l=H@J#O65%pmLs2%Pn!&K2-Zokwe4Yg?^0r3YXLFnWFpVwwXETCI39( zkZrUx7b=yzsQarx@0%Oj7;e!6UZ z`ss+!#gkdF=XXWi@+5>3fheXvU0F+cj!&09`E=A5YQ_rc_;h^Yr*jMcPgi>Z)cH_8 zBgY&0&8MrKO;P9ffdt*OKplQO{;D%Ty@LT{`Vi0H`ZZMNTbWnO=fN+L@ zFzJwtppv+di3z}fi~w0s=?L)X5YR9H=2}}ITL4^KTwPsVUS3{bu;|d|umE6?U=Tn6 zVIT3{%Y0KlLCW02=y5I_KAAPDg0&;Vty2!Ie^FfibD2PNnf2nc2#5G5cWoG?8& zLP#c9d0<~~Er6DYW;-UBHK@N6uw%eI&}Z1_Mfi09XMGS(Ad)DWI9EuoP`hAYaL{<% zh-sMdp!TqGz!3?^*mLNATksYDXmt=NV+oOqjnkfornsJO1k%+TPs@ZIUH*p2v=0BoHgr6{dPpHQ`60iAHUc)^GUnAV`;!0yQV*bC?g3-AyC zZ4(d}7$G<+Ku{Q9Flcxnh&_;?DX>ns$THYk;P5*DZfFP?L@0DHKuu7ESZG#wmw=F8 zpnNep(a%eu1H7?(yM+Lc*brkYU6;*mIZKgCY z5D&Ke5CUbSpb|2Qpa3SW=QtM`m;sRii~*-?29mXzSoZ%7@nD|Fz9+w8bN3MP)idT3 zavqGjSnZp2!GLrSr85PQeNM(S|4>hF@A(}ZPDoe3(QL9Boc2aB%bJu%ejq-N{f3SO z_Y%6W&u9?xg;`sbKu7ibXO%>Z$+vNO+=~h#iRbGmFLVo!ds0OX12kCgc@g z$`FiSqL1Y`Zo5bQHODz%8ZO(lcBLxL5GD)~k1Z3;KgCc154D@fZ_-IPqQ*2^l0(3c z+_q2(2;E63G)qRU-_G!^=di=c=iqE=AzcO*^R}&PY6TR{j8a}H8PPw8FQJ#Qi_oj^ z3PLLT0j01IBJk<@GrR#k4M%d18EtxO4tsOBo7fVn zhP2X2RVIicA0-ige>gnE`_cDuz`M>aQ}@kju@V@MyMygo^OVGinsG=gB;tbK%@BbT zPia?^-;jiM&Cj~*2E%dd+AnKd>V{@9(a0z8IR8VEQGX;4!*A3v=o2vdVy&erqXz_- zn9BIbcz6H4kEHM0@#rruoC|Zf@XfYq`7HMGwl9lCMZHcb<+x=@b>5R*QYSX6+Gn3=MMTD8WWADk2S^s~^F`(D4tq3floa 
z^)!=+-%Rcnt6ECYvus3em?CQJ4YBw>{ZJ0!*6lfU)T}0cgYD6^!p7^SRP6jRE0L-! zg7`D=5_U*=1E+hEFi{;i|H*@3S8xB;ln$!LB=4k*b^f7UkMDULUMH;EXf!fBzi;ho zrgA~eu`(^n`1|n9`W;M%abXSn2Q8zB!QNH`%c@lDk>3BW9 zcc1ne`fZL7pS@)61J+gBbn0Bo5v0@;@yeGfha{g#pOlj!a09aa)S2cy&I1d&bgbOE zD8&-IPM6!=_Lq8Yj;X+LuFhWNt6R$CEMm5iZWrSK?FXcQBm_7qYOW zXgMo}dfNr;nI{#kB5)3tqa-e(px*=XjdXm!4cWAv88Cj?xPGiECe3q}XyhI(`tT5s z*M;P7Zab{5n`0fYoXdW#c6xf5VaP4wi=S=CtGil$r^2&(){>#Xu7=^Do~g-_SVTSYZ!zTY>?HELPS~NIeHjaO_x8b>vY`n~lF60P%+o*2 z(f@m%cjJ$QbqczW3}3x~+Vz0|RS#2bgSS2VV6adsdI5roQ_iVWGm5dr zOFmj(#`}60{&g#|UC=1zK{3`#x_>N%0IH@`&nZ~`-cb*fj@MzwIZhsWlWlXR(03YV|!Y`XIs zL?Wd5c5izsGKS>cIbCqzEjdk5^uGlzf3pUqXZH}FHsb+W*5 zT|VGC1@&(K+DF%_xzOhd+w0<*&izr1lEzUd{Yu;;m?)SP;ty+&BG}mnJF>c(9ONgoyPtAu`43R^WDzkv6I44?rGTB$1zDT!L2q1+V91jj<0iP4k{2XPKr7k6dq{LTsrlq_(J99KuHhZg! z*JK)GsIRy(emWXGPQ8F68jXyUE@z9J4FG`(FqI-7RS|P{oZ-UY3@t8oHB$9+2e3~l zgCVxzvB9G0tp`MsvgVP%py99=>SL%?Mu6pDKO==egN8mYtRFAPT`>sAfWH272HZHL z{}`XApGcmYfPsXah+oWr;yI--L7B)!+lGyf9wAWHwA?mKPNaejlbfiYK#Cx-PM(Y4 zpp9hM-Hf*YF=1L(QGmcC1*eDx!C}Yio(o`~rXo?Z%lSX}Jf+J6JiKgQLogVy3Ifld zL7Ht9DVzH>+kzAnQv|rlq5!vN;&TV4jF#z`s0+r1Cg^t4^dTMxrsPd(Qvo( zLBNy(8w*M}cK7z|Zt%?1Jg9u6h3XO_LCJUNQWb`K1jKX^fQiCJSCDbM5_K{On8}1so`)Xui!H<=@tO}jecql1`J{pK6UcxJcJS)^BcynIsU_fZySqU|v@zt0@~Gu8mZ^%mC`kgU% z1{{waJfAooE4Pi0^nXJDzBY%t#8OJ029n`wo|C7tk=iGBt5aRn zeAGM4g~{DR$i~y8?mH~~!snixImgaeng}YbF-LHSC3Ckku%wJ=ITu)_Nd+M4YbE<# z$lm}XKt}{uSHIE4!?3QXDg;7=~pxVlR1Q|i5E9RT!YnjII{Nz9)d{@zfs1L+WuU+mra3*E%AeNxIfsU;Or4PG^IZxjy5$=u_;#hL39Cm5Fr zz!P!b=W(J2#{)+NCj#ddaq-#p>>AmKkqhy^;Z5s<`5U`?peszT=ND_z6F@*-7;yku z$UL@2IWHYKzJKpU0v^;0w364T`|WB#}n#o{@l=mu0@#f z)Rx|ziuywdgY12QPcW3H_3y5NG}aA6zNd^|BJ1Fr4wYX-5t_3!Nh6e46kGnunVan| zY{sriPN`x>1*A9*(#VD(6e8{-M}IE835-F%y`PHhbwq3Eb_2BLY8-9kAw_KoQu@nE4XI%%ugo;sM43>Ewn4YouMy9EF#68?75Cuk_~d5WIL5N#@gtI_ zHm=@Bc~usvrttq-eHSpd?;uJpG*G|{C@1qenjBj>8Fp{SA(W5A_R;PpbhzMD4Cyg( z!y}QAH|v6`_1z5^`E9G42-)uhU#Q%xq;^q!UY1HZKDZ2E|Lb8D#6_QY&dgfiEd?X? 
z?-wIprosz|q=yjgG`tiAKJY2Quqa_e===@-{zFK*YPgo^$4>@jmj>6xOO(X79_@fG z0laJ741>{NFI7)1BhiW~N_BK%V^kzzVWVxL#zb-aR8!8MIXk03|8*cjf%y|vIgA+( zRO2HLxnD;{=J&}7P4Gr=&vtp{mL-v*!}H-KUt%L<+rPo~A6Gqeo*XPLnV%t8Grebm zkF$W{o2+ZlxkJ3=@uIaj!MA9|2#5#wMlT5(f#zPMl@OC}wgW2G!yl>_-{JZ z`D@Zue3DtGk>Cdhnv^27a(E5EUlM&I=fIsF)gc)1{6nEIAw6d3riIq={n{$+jg_iA$sI%XFpv5XM~(e!no zX(tuy;+}&J_4fSHtZTHT<>2gAC^hqe6%bVV&XoRmD(MQ?V_)3iOp+_L%6Fp}=hTM~ zY~M-a(hK8_H)b@BbT;jXh^;K3mSda11g4BZWd)G(`OvGmy9+?vKLjS-M}gNlRoGj{ zxnUV|{@%(PQ6>IYOimG#W>3a##qCCw4T>B*pRg+2@;F2D$C?B^A&aFJby1A%0CK-b zCO?fYeu11DWXDI*WpDr_25TXgE)Z1H+)dE}k2M|QH|q)MF`Vf3+m!3^+TDt0`HALBo&cT`$vxtF)a_2Lt_%Z^Y+558B~0^2^T29Iz$Q3uyL zI+~!!v|F@w4&xQ^_!=;0HxxClir4S6a)-!MfAysvO9D`+r|^_yUwROqD(DSo~oKu3ibv3v8RyhA6%5}0+S{Wl|May zWoshJFcw&1!y+a5Ga4M-$gm#o`z=r~hX#|szM|{!f4jl~Rzsmo)Ws3xmoKu$`jn-B zQ>a6HXK#O`hK_~Y5i$L=L6L87$TH=Z4;RbD1>B`JGR98iUTGw(rn57motH_O{`Q6; zND8G1QYKO-S>xXYwIL+F{ox4Tteo1ajZ^av=?Zb+pPqbkWZ`!srHlGpDn++UV;)|o z)^E>4`o62Ph%jaHkaZMWAlTwpL5+lXeooHl6=6)xEHJi~a*4-ga0$6*R3&JlxKms- zJ(>&|ZHl$@+y$etsj$SB(&fK*Ck>=W$Pk}*k(ds_(03HVzjVAd!`-%N?@l}r9n5gP zXa>d>@+xLfK%Mjr(-BuAIjXD8x+6e2e+b>O)?p><@y&*BXGGD#aCXaK$h3_A{(kFT zWZRcXtOOtNEk-9#c61yFF*B6W<=i4z7oZjgQ28|S@^cGL*j@5|c6)Hv%ZcWmGsrqw z?S5|?HGm)bTY|#88CKjk!C!y5U?T z(cbJninizy#HC+6sF8|rjO0&d)J<^M@y~L4TK3dyFdtJ48gQh&G}itOJxwb3xVd57 z()nj=A8AK>k-ZW#iEUfcXY>aXekoE$NT zyXu|{VDx%`LW8||J+T)2XayIuli#vKrf9xs9uRzw?WjCRaG{<)T>UqX zbyqNK2-5gbLLJB>?Tc}f*k4AlA~PAs4UMvrCx6`Qo>W^@!-~O1tdgm1$qtblB`NJ! 
zE=gE5`$R`;Paz!4dbb-mWWj+ex~|jkKTSqG0tCS?YgaaoR|YhUU6tsNU7aaj3m(Q^ zhmjz#dC*?6a=^B{0q@AiGuQl^4H*D+h#>_|H#FkFa2{WuYc3$pW+=BDw!LA45iPdg zjK(lNh-f6*jS9xp^ynDtHqfwi(Snb)Tsr}Og4%A8GnNmA(d;+Pdot%3=1%ybKd@U z2;Po^2<6|;%cuQWp+^H-SPo809{^c-EETdTFr9ZS>qMT^0j74B?IOonn!`9T3%Kc6 z(m8)k2)$H(bfn~p{r2yD4q|w?Ne;}(H}E$?4$Rk0zV#9e@aK=(@7)(Bj5RT8jp{1h zQTQw!_=;V}=qtL1A>_qcbr*E4Fgmwk-Jx6_$(}8C1r&24_5`pXC-jf2(6wRGHGet2 zF7Dj7JrHN+r;_2PQd~DJs9WSeFrz=>_d96}uwD~)EZ2U!u-MKl)}`*&px)e3sLXKKFjIZ>8;c!Idt3cBNh zzXf;e@$Izh$;x6}a8srm#A?-tg)=p8V7hI{33Du)0` zBLjvQkgdg`gx{q|S~?6nzdWwl}h;y?sj;mb`U6=D7iA<*CZnSN;+0oJD` zQq|N;nDPtdWGJ?)ZErxglGH9j>Ko)6xRg<-L(u;)7l|;B1=*#b(H5&~*~Z@B>TlW| zVS_pl=75U!2vT~?GQ52X+(eWgPHLyu9#?5Y)qx@%_xlIZ-?_u);K5IgGI-f^ zq@S8lQhNBFVX@6sx=B*@M!)>-*QQ?NnSH|LQvY+(L#uv-M%ORWljZecIfIA#OU&2B$n}NNFT+&I85g_Z)pjLAX{MC$fz3^p zCX|B*y|IIo*g}W(qts3Cy=@#=Tcf$;3`Ivy(%)q*4$}JgV?m}afhlkJIO`u|0Q`g# zaN<3MN{W;K=LVi%Yo}UoVvaTwqVp{_pg1U0^P-$wiMwJ(b(1A@OGiw{_`(9Ss+NoG zU$V8%WY!UqS=^>BZv{2nx3ZiB8B;jwJl9nlUn{+oWy`-xIQ44(y`0-~Y5&AWLC$J0 zEJ2h7+D}+&Nz1x@1NR7;pi&J%^7UVA4+4O~AOS%xg@i!?5gGMp9wn}HUSa3Sk~H=w z1)|Bqx`?>VT}ch~1H!U_it9$MVzW8Sd1cM z_a3kV@|D~;lBu?aNg;4F(@0}Z%Q8GvNjf^JQf-aSadkG_@9^hpKF5Y?;LWT>x6X^h z>t90(CgKJJ1>IcLk^A74r(o@eKboqF#a$3g14Qe@f_p2q)x!FW(1hU4bjs&iI@*_l zt2Oh#iP5_SDcTJq;txih&{{A#nSWMi)K;)x1m-yeXr%URTPhseAoPchvPL`kYt=CV1)Fc0Fv1>g=Z!~04{AzIaTZE&Ea{=ne| z+%*I?oB4UYS=|pk4$pi=NhHqPmxaA0Lu7m!=D}ScFr5a1)@M5fbgWO}3v3t3;T$SJ zijKXA9Sgmd(;mbW)^oFJ8uWIz%cNpTQotbIel?mgvT?-0oI6~|Yj^{HrSn0zSwDwC zp|w&fbu&;;AjQ@;Itn6&Aa8uZ26Xi0ulXBM zYih9c%;~31EiDFq8}lG|a6#0Sy@q%>MEhP0VeG8h*BKlf?qLLxUl&~lx1N@xJDsp2 zbxd#m;%V`Suyk$eQN>FGN*E8J+iS`lHE|r>X2N#ydxB%t1hzK$i~(44?qorr1JGLh zNwA$caMO(>t5v&Uhyr~RWMns9#IM&fvq97N`2Jhjv){iO!X5+ zY}CAr=7`p4;;04aeeY;7q!2!@hbe(8LPDpjBfGKm>DGCnf_UoiwUJeYVswZeGl1k=yNN zl|&3lc5s95(dxGBdk9KP@No#iDRoIP$K?f10}6E2q8bjfGY4k_yIy`@js|JP928ie z!JI{Mj6WE$9`0s3#y<2mX;<%Rd5X~m3;up1qGFPB;|mbSXib}vC) 
zrnPKE^Pme#xd5War@-vYY-p(v?~dW*5#)9y&|0^o|~n7TKREl(CeKvazTQ6ky|5Q}2Ga^S;YLFVI@*zC~c6a5jt!|7Mi{e>iz1!U) z^7L}G>`j}4fpvYT@WDvec7v?jxd5X zBgt4*(d)AN^18+B_SJ3)fTpI?2i%hvo(AQeDxV0_tQ}8zncmH|r3_07&!irU4*qnS zU|&y$p@0F~o-|7pKtXX;PXI0Y6pqvmUO@}+MBzKbaD?9jZ$e>Mj`AO5s~+ZJ@WvTQ z@`L`BufgiXaMLo7ND7}y;~|v`_5^DJvj}72Nnhz$kf#1CS6fy($(JdpWEdG?&(X^* z(u}<0RKwK8jmoY4D$0qSetfeGHzS%l?7AxA?w8aAJ8JKlrtW0UeGg<-={iMSYMfxK zp^3^L2Wuyz%X$RV&tpB~T6^e)UlO%cN_>+D?0%@KAhgwCD+=0}o=#Y}g5h(f#QXX6 ziaih_cj-t{2P7@cHb{mcoN(gD*w*jG+v=*OFO^ca4YrK}$7KFXQWVWNkq#OUBX976 zyYEA;BA1FWDxW}vG#qclmbfl8x9Bps8rsTau~?c?pJymInnIruSZa}_ggmNTlh7D0 z$4nhDSW1NN2^3L} zEe-=*0g}yT(>AMlJpHiBlxfQa;(&*eC?bI*Xdady;0-^e&gOUyo9Q;m>X2yc!q}r=G1u<0I=ad<`o@cXHewoN_fy(=yB)@~Re5COGL`lG=wznKJ&^k3? zTV3Pu_z3)UIw`j9|9ZFGc3?i}w3k>jp<-Ui`p@s>>NOudSq|z+N>p#Z^u@#5s5V2U zf$3U3XZ-7X;%cVC$N#eEVKrSA#$KYEK_WG(?-8NES%(Z#lyvf?o72HKI7ndqn24}( zhYgPok7{+dG*tgLE}r7~%j_b0JEMsfct-}PcB4GHoC&%y)|uXB6(d_fIJS}oLIGM| z=rYX*8(k;dTyE)@i@oH07FImS&Z2C`kY{LrsOj|t@Q5t~e`m*ID)os zPHsJSMmhxv=;zyljXs%(F2$`Tm#6d@%PY71JrXcO$kxKb|Ob7+wKb)8QZ6}8=N2(xTf)Pc3 zE(ru(8nqm%hi=$r`*T>5K*b)ynafi#3#vfY3%WC$T54Hq(r*&N)UH936E8g`hi(%^ zR+Ps6Hq@%a9lKUL8pjbQguYaoLu`=)tqClF_M`47IyWVjNr=TGu}D&(RoNx!1_4}f zSTS;1L<}KqmS5BnDk82>$fUy#EU;w3Rx^a9v%972h40Xp9oZ-22o*QVU5)*cG)t}s zM?ZuR5RG>UvGLoL#>Ur@g8`^S3iyy>F73OgZiBKVQxcKsFbQhNSdcaKxkZ%BkQO|w z>vTJ*Xp@LP)O)xns#22BBBOxvbU~;xrc_r=c*3d;lGHs68GM$-%+A2$tHl0NN?%sD zwu7~G5SM^J`uOePy}MPbQS$`brvU~R5jq(MU87PWM!ACyo;g!dZDym%Vh;1vIkrRA z)gb|z7oja}XCmqHBV>qx{x6yv!=a*FsrVM&D@x@Q;syp22o~OyR5C54vImrUHuVjX zEnMgllZ*n;frAVUHza&O#ITGVpOR%3Cm$Xd+icVh=1Gkf=HC)~otM7tQf#=uS-GY? zlW{viwT1QqGY&uxdU900VTqd3k`-@z>|q7*%FVK~m9Ns1XwMme|J&fNLHL8Kt3bJ5 z9M>Ad6sBy*NC1_Os)N4m5YLs>B&&K;X9W&GUYi>TW_GNSnDms5l4p#t7a3VO(toSd znL9!|S?WZtf-v`l0880~Vh2k3Msqo%Vo-tT#%KzsW3K_Irc^6jqg4Y_;i|+XlmU5? 
zA0Q(;gbu}qsnSip3en|eY00RjF}8?EZ?qw$CfKIfLYb62rc^-+nBpJ%vo$j`)J4Om zQmFx=A6DTbaoKRi#-Y9B8P-s;Z9WWPB`7-HCeBj_@>CkY<_2LQ*_@7X9}wmcU~?ro zU8>HTi=*ix(ThR{;;xJf1$)kCidmeO2$L8E526q$2MGrYXB1jX2?^G2W>xG@Qego% zMliG(3Eqd#bC*2#G`fA#QtFv+QHH7!-YvG1>8s<_ZnD+9$~WvW;#YZsbhK)ot|NsS zg=fO-trQyS4i07oG* z0fH_<4uV$1oqDW#I1DV9#9=>ms!JU5D(G#r?nJz3d<$^(!<1dDyfg>c`1y*l84+J! zlMnJCKgw|vd^bCIIWeh6*(qo$!R9ugE3Vf~*DYCX=xB)SoVM^PXGa-&ifuKAIRZH} z+~5#b*W=?=2QQv)6VEzM1{yl*+Mr7CrtK2L9NQU!MgFbWC1m_@?;bP(`Zkm|oK-ld z=o-j)<#+mIT}7l8YHhSn{6vIlCVEUcx$11Xewoj=05ifpcG+o)REnh(FL{*K$D|9L z3ylqh1(9h^NrZN22skVUp6aouwjj^PNRC4u!{-pX_b{e3?M0(M+FOwl2h`Sx;K<3= z@m5(=9Muhtk?tPWIg>FZ3OIFN?cRD@!ZKvtAjmASgF>nlhbKtxv33s0HC0n35>4EK z9|!0K822#b6DWr1o2u%_){0hh!37|Twl5BjnPD3hJrKLsjq-^R1@icA1F2uCOBF~gskVsUfi!Br-?oRS8xbRk{ki#hlo++2swyKxD6guZI!`o#d ztnl22pjF!q!Fr;uM14VZX@y}?L5Krcajqba_LqKq!l+xcs1}IYQXQ0S%l;|W$yT*t zlgST883b7jVE6Ip!UUqSA=lG+&7`U~^8u(_gvbn4IMhf(Sug;34_yLWWNZ!zvu(M@ zWfs?AqjXZW?7nvbA@hhlAp~oC$kq5|R&Wf_{N&0@Y#|KX-{f!^t+P zd=_q8`z|2|vO28?olr$t0ujyr?V=NCy~K8fG?cZUAX({1V@d8otg_kF_s z;&$8UP=O|pPcmAjW_~P&+UKR`pBQ5+(PCdyyXX@dc)iRpnnX)La0RIJ%dZJ09d4#PYz?I8RYq&d+o+Im{L!5 zQB&54f6>Pb>09*ut3j12rJIyvq1!=@3VH>_0s}vuKTgI^{J*Q>_HeQVuC)dq!zNAM z=V8BUH$r4zRv(nUKfNElI>Fp^hW)dP-VYEL3OgL++U1Pj<7=Pl|8jrvXn1F>7e zoloZ34>~vB=0H}>wmZ_V3 zT;jZuW)t_I#2S>1d76@b2KxWL!Aicmd0osRCMFvEoEZ6Y(o-5_d@hgpB!1%$E&18L zPA?pU*`JfLsN7|b=~V|?Q7D(hv`kI?c-TL0Nwpqz7xv-%=kfTl-+3|U(e(X4Lj>3+ zA}2w24L0^|n~O>OF`CZ`IgPr0z29!Ckgg~U5PJK$+iu>eWcW?s4QghhK5r#teh@mt zA}zkAS07ZgfhecNpuKa}z;Tm*;p75Bz0Ps>%x!X2;@6#A#zMkh`?`19C`5yLrQEN{ zixh9j$li`)P6a(DSE|$>r~U4WiFZ%NO+tD^7EN+VPLtY7+cbrvR)$&};~T}X%rTr|HN^0l?$SSb*VrPB$l)5q2>gBaHR;(PM9ZVWJ@C27E+|pRcfmDcOp&aWrO!pz0C_XcKWLG* zV&waD^4#lw&?xvR`1@x4jsTNfu8!L0DzlH5M3u4AM3UL)jWP`H%G0HH*0)%%v*Y8i zRN|qM;iA-Cb%Rl>pLnq0&kV5u925>E5ffHTQ=5; zGD+*i@BLwq+4f3qIh=VB48(dnz?MEmlhfZ29!g@pS1c}sg%2?<+;6hy2;5dOUfdMN zk*3aOta)*22XeFq9+OU^8iiCWoI~DbsaTXrB@6-g8@~xN-*gp zmdCyx*_Ka(RDA+jIf{rnej1#mV(NWbOb+fJ+^tKT98e@cKNZ-mu%T{d(AV45N){Afd* 
z=?nUAxW~VAzdf1tpwJ#~yHTLuuZwwm328a8a;nG@NO{c9ck4(avb{f~ydqxo9%gTB zzy`&Pbe!)UN^Qthjx|uC_k1bCjS}dfKzsP(Hh;?@=;RnEKSkE9#jE3 z0R|95T{||QV&cMrhKpo&3XQdt=EYs2BO!&H&J>g8iQo`Gg*p6M^5`;cWaNUw904`T zNAYx)v?daa+WkS5g<_T+s|{LJ0qU6Sf3>}i+FlhGRkFUNnP1EmI(IBiME2_eR~g|o zG}92Zksb?t#?6)bI<1jW%+)UHsl(36AU zDJEW=q#4Nw*J%Y9&@H-2RL$|uQ_XdYtHhEEi58(CRt;(X$aToH#L#7OUp{U>REIeo zewh8xM(WM7dAEvn2t+tJ%GB}gUI2c$tRVdX%{#*rG$X@D3=+9)%?9ZKbnUvFjaP0r}rNRHmKZU1g6akYSBUxjX#9mNK4*#&=uz30=41qdpw6oU||F$C?l8KT$ha(r&Ev)PI@DV9m+76bS`>_-xsClv6uo z2D|}HxS9CVo{!iYv=`hCOq*VBx7wh4iLL}Qf2ZV?TIEnmkL)3K`Te?FZlm1YIi)I~ zRxT7^vWahdKr8sZrUxVg5fEw@fqjl8EUxodpb;dCLbf%I@5*R! zES_zqnQ1kX)fCJlHunrNmtZHcULs8t3fIEquw(-$`wPcBo;4B%r{6Onp0$Ct7L+!s z(F2r)NWka80tIg*$^*?I)BD~aC(*hCaL~=(Ky&((m<5OoczN}3u>1lfwtWjQoS>Do(E_h^Z37$8cT^-f?B3WOfaFF;h_oR`;ERD zHX8G4sJP;@q384WZMKc)w%gjpU2)E|D9-~DWi&QarVzrI~n8=FzY znS!6@DXm?mIr^Wql3w`(nC@2dPNVT05*d=RR33qQyOri}mMK!WBZY%+Z79fZ)j&rl zY>K(!x8ev!HY@6PTNZl;H7IO=eHqpW(n@PtN}VJt6%klYfgmmrkvaYGe9}@*v5p}< z?}ow5lDG#{K$>X9T*WNMSV=GI+BgX6&lxZl3V4N=^n5vg{)xV}mbdt?anJ2oTA3)H z=i&QPz%{e6Cw-)MwEwm4{nR%6 z?-F?E^wH3dnlKGmt}EofltxO0Gp5eh^3KBF{jKJd}X)s(4d_(UMO0^2HWkH2tWMz>}F+K9pm2h7Aq3_ZrgwRPM@<4db^Eq*>& z>EQyW!*hWckqs&h)y?}7jq1tryUOaJ2x5-nP%V1~qzfz-#~5b8++y4*zS&Ha1L9qy zNZ5i~5Y^{&CFcgQ%MRC1rK;od^BcSDJ1eb349KP+0)(3moS)ErVdr5;B1A>Yw-6!oZE+BC zJvB|cKooAUITJ!8G^f}c7z2iTOok0G7ZQ7|mJF{fFw|0OB^{)Pux zc^!7Q>PlGg%DKJb#HQc(_X_*-ZGKj=9cHJGi4NOPrnc}C%=YR-tb2ITyZduXs_JZO zQ&Y|n+fk37u}A6f5uqlE=ngp%`0j5*Y4Cr^*aHUx-tN5>{$s{qT+3KMZ2Z{92+4K> z-rvW!9cH}BpIOKUe->1}Z5H5AR%mqKj}?y4p+BC#tpoPkB+pHgRe|~z`?#7k0D82* zOkAvV_eo{vM@0Ak=!1apf23mmKT^3J{r7E^;wNO>z52!oIxVGdFWUUtw&zhhmJ8&m=t7M~rZo7p$dPFs*q1Ou2*$U0N z?y!{bmH%Zex|8-=#k!nfk&@AmXrxPEN-JrywyCiiV7P+`BJ6~=rYpMPmERn_BUMjD zNJJ2@BNYLL3-fd-9#CnSxa%-sV$UEj88A3n#2uLpcIoir zRV!Ii^v#rG&Qn30nMEy(KvxK}y?Gu074%PZ&-e{*qF0z`(%{>HCkcnp5%&W}x9fFD zEDaWRna=k#a3*1UoxI%qQo3Xc^ab>iO}w$%`G*&ti-{5Ibp#{nrS2WNTCRzQ(vvp> zg1s+tarU!7qZ-`-Sm_k-UT2-tTOAwQ94$VJSUY!&_J<+l#O?2Vvz306Lnf_ci^{wj 
z{%}&_cHrn%gSH;vfA`#{nb6d^!^skbzt2`J2Kq55C50~V-D5stqCsjd~ zq9WOrkc_q--pLb2?To9>5{!a;`3g1mXL&77w#;gIza$15i#GMNR zp#CN7a`B@7IR}IE@&VHS5b)!wFSLLoZPacKIyv zN73+OO{j^Gx*0W{jEg)7diqyRdgg8a7id0_qaV3eeA;WHDW3BWA#rg+~vOA)X~)g15zv<7%{QHAU+i^YE6AxLcY}*jtgw(m;#9 zv0G8JJCuhx~Dr1FDS?ZeH1>JYDAdOi390GBD^)l|i z=+x~mtb3QX(x>cEwj-Ku|E?TI>pmy?uKKQ21DQA~%5{-3f%UN9<9SjlE1!tDV% zMhvY#DsGV`vXUe9wR&9)StN8sv;@^cvJH~&V{hX3BdjKHMbP_@1Q7bf3T%>0q*-vG zmLZV-?Z>-(v(sc^x82JkUD(9-EO5QoBp1-s%n@5*l^4LCc!aw1L#CXuZV?82%(BV@{qro-#`(~G1 z(F31I7TVz=oLa!>PPL>{<#)VA904nI1lK7VM5&J~o$csMbD%FFxx>n|7SP=0LlKI7 z@Esk&hO5N2;{};AgnUoURMShGmf*DznnhYu_)3qBvfY>wb!wWmf+d&Bp$tN~eGR%E zD&375$u%mrvWZ)X*3#gF*t=`ThirkIGnwr!;cK*rOd)0JcK{_n==H>|KGw;j&xv-P zunWYfwFD_osO*a~I)*z{dC6KI@bDt7Yz_4l4r}wV!N_MB*3xcu^(1EWhr= z^cm|Hm;G6Rv(*|H17U97 zn^tmyVt9NwjU*8a)od?u?_Xh55tLP-#DcyL1dw*ABG1Xti-9exlx((Wgu{^|oWm63 znd&{TZSpP^4v;hW1D}DCl%cYQHMbbEQgz8x&^@~(1VskCOZ-!kL&7|KEL$kw!Y*U^mZc4-X^|4W>em>l62Du!#%_nk*{Ad7_(DDJO z^~PyrbmprA=qF}E>2n!+JvSRYU?kaM7DV4LBqpW<4W)9jvsLDhcTDs@Rpo?=v!#c# zTJ*XRb@%JslEO<*`wSW^&G5bWhYGTDQr*7K-8!f;Nf>5`7%hgd3aP?%qU^$Dpuxq& zKJa!-=||~_mb(Sj%5yu9U2|ssO=zLO_qouZ=4SnBY=ZxKz2cNpgTKYXEa0kF4VxJ4 zZv9sQQF|pu=c+koEe<5C6Kar!HTCW+YMgb0dt@1!&%D=pE|8Y3yIGM&6sE=l!vG4ch6cBo%IqVBTKD6gMFih`TeUA59gAZi6^A^|qkEXjP%Ec(||EfaH%#0RPU_D=cV}Pk=W*DgLa^TeQfPHCi36!iR&#^GzQ{K7+*!zHUeh1~Tdhok zz$9DvPP=Y3K@q{OCSl?KQizs13|0;DYZbEKp5KXz^Vy^V09VK?0{FCZ=%v*8C zZBn>n7@$+zLARP0`!wi%P)OMOQu{+=n2<-F--ry7uSIc+`m|C}L~ji#P9aqt|F}T? 
za8Ahqbg`61(f&Jfmmt%O zbQdQvye!*&Tx}Zqh=aHn*!vy%MFOSL47)KnSKfRi5rPWvv?olr{9YzJrsP>`=iM|U zLf%)}dYu;$9Obp06zu(+*cX}ZXhLJ%Uhk|XopLV9Cma2{fbnG()#rrDW5s{>1HY#L z9CfboD$Vn&tus#uUuO6A3kl)F+MFn%@X?8oU*=e+*btoiN^yvIB%#D`be-C-e3n;M zQ8q~@1%b@?+xlHL%cYVaOVwP;Hcc%Pc=qM0%bS^o6b9zs83iZ?qP~NQNIbjhmLbF~ zaRNP<7%5yRCdLld<*DCc^T9 zE|-8_q8SE6`m5=r;*kiZCHD?6$N>;l)w=6jk@uwer==lKcs4^NmtC1g*X#>CCkS-+ zW%|9L=0zp#>uyZ0VQ+xC_H``ci&}ciU%8egV%qtM4%0{vViA>V{G>;}p!5GrHUgT{ z7)ogAyT1`j`xGsRV;4gs;&ITxI+{O2nTUo$z}mUXZi6?kL4M=y>9!dTkbs86ph-se z6JERIlotW)>&Wu?r-FlVGzj2Pb#!&HbdYEmc?7gn z3#Sk%S~p!pDBNhK3^XgI`>~xWVqMOyTc||&c1YHCpy%0KW_yS*3%^h&QMZ$BIE$6W+R++(Y2U{lL*h3lUQccgRx&7^c*Edb9&Er8nMv_T6;6k@aKUz#Y(Db2q-?@L1;&Pen^Ef>T2jh$EBkz z?XGV@ET$;(D))i|HF3kS#cR!Uq4Rut4;n)Nu-GWS#ENJu^`xv|Dz%zW90b(M-w~Kp@)5Bl3q6bmBzy z*bg2kJ17^!vg%5zY7A=D&U|OvCOyI?tFwb_#O0$Oc?9b^AxUG2{84est#cemV3_u^ z*5l%b%#ZtnMk7g4EvMg{lU#Q7aSyo;?r{Ik~NQ%WY}o-ILcD^3a3K3-7t?Gi0i zj8oA21GSmhQZC~0clIhK(^4MB!IuzNlt9Kpk*qJ-D_=N>#gb+Bm1|8+YfW^JHHJ!p zIdkLgtN=03_euPRePgW5Zfo(U;AO`DgoVQ^wy}=- zHIzg0w^|3%7$$8P+h{-3FfoWLR7JwFb?!J6aX*O_2P6z4u*2$G&3lnZ{eO*06#nlQ zX2Y@*WK#iG&8>tQ%^34YHLP4QM=VNKMgR<&IU>H|o(Uze6^lq3s50%@R0&DVn;sYT zpOG_ciT7cg+t3V1x|>oMN@ox(cr~dxCv=T`39xH9K2qTXDGFWNWpCV&bqTs~l76{ z!VV{;2h^D~ps<6a>nWVdi2BU^y*~~PbEfSH1>uFX$`mf%Ok(%sO~%72JuI9vT5CBp zDIM7qd4MlD60ef2EaE6}(^26hklr9&H#ATrGuNL;YIm!+3?I{F4B1h`R;lC36^s9? z0p|rKOpH=G-4gB6ro78|S(0@DdK+86*nxfm!`0YhhAVRQgZx{H1n$>VGSRs`iptj7xf{k>G- zF^lJAclw%aNMqH_7AKI|0Tba5Ze_Z;$^;eD3)`%~*P4u;GsPKyZ-GmYq&fCR&s|^F z9|E`Q3_R@Gpp{_d2RUGt(Re-R1wV!`BK?0vy#sJ$&-ecw+qP}nwr$(?#6r4sTM&ZmI=$>mK!`tdfV5o zA6YjeViLFzqq)uM7W4z7&)dKsq_hL;<~N{5gDLoa72nvvag*RLgk8}Y*)XuId8`0! 
zxiEa@(@tp%+c~&TbSv?Mtx-g-ZXJbUs#hY$Q-Ziw3r`QZK+vww?84RBRE0wwvM&lx zpJZ`#TE(B;YDVR0twM1Zt75%yAWaRT!$Wp`v+>s#O+5web+;mgpcnZF`#TBe&1N=8 z@iHJe1@mz{Q`0WtIj>U;m&y=&PzufJ$J^g1azO_1v8s}_e;kWgw$0`ADDdj^>*K$a z1Nu^%>?;{U1s|0R@o6)&mzu{oE5F(G%2Xe5CfE(go=FIBSm`1p)tY@gQPZ*#`o4Fw z9`ILM&d6?2!azb;L|9@A+Y8h;I^tRXYV?O^V8>cCHT=-@vKlye2^_U% z3Z7slSg1K|ydH^VWL?#$0|8<+(5FxC&apTa05O! zKKn~;&&I6DKEzn*JzqtUXI4da4ampG9Hx}5RYs2BZc7OtvUaG1nXNcmttV)TmP@hj zjy?;-o#n}OzfKB)2>2&GOHQwOi9o@Xs)Q{gs0b3*iPORUk*2g%(KkxUJ({A%Csj7? zc}iz{w+?^lEci=jYq8M6(tX&*g}mxIq7%=JUWB&i=1@OxB$dOhtaimK9AY+u!2&h{ zZK5a0!-*S4#+rcAGURNL!lLDp@Q4~G>Jo61a<^IAp-ICJI9bZPzgJ$5L!dL z12-%=2h=*o=zwYlq*$?+b=31#+Ar|P1d7F;*3cU!{OVy|ZF)3>(uwioQ`p;`t;H2Z z3KbBZ7)oboXr`EJ4&($Wxy=TficvbF@B^Ih>%TK>5tZ39LZZ+HnQ)NNyTaw)0UprW zjNxegM*)OTqwE6iF0h^aU~N0tFcfY+93E}X(G?bEhbVMwWc6r9F9ORnjPG%1#qkA) z9#L!T2pAdaL8mzAP*B?|?q#{hm93(ERRy4o!h9`3_{{vpBoD_PWYa)Fx^8S#_13B8 zAG?lo@;~woeN;Qa=a-q+-JTUmsxy0SrURcXM)BF$Anb%3+HHP_aI zjwc>*QYI2%PNgYaJ)uM1%{xN1)4c^nI5D(MDq*0W{cHym*MmSBN9&kOrpRFINmgH% z1CMJLJTM04T9%qr2}z-TB3;W+G2dXj9fvTjxZ@zWR>g-w=%z#xYd`D{n`&3m!ZEqd zsiQ0(jyT-Q}+Mkhf5G$q0Y7{zAw=y+RKmA8sp!U8_UFcRc> zT=ZsyqXjnN7Sg;wy?1x#pD4NMWSNLT8pdK`Ces~McX)CxgbQnlDZ)b7-n5uJ=P$w}|oe95x z&K@=~`4sAhTHrO)=8dc%jO^6uPCRZIIXp#ez~IZV1kdD41$Q~J;M7(yWF}>D&zrT7 zOhMZ^?iv&~&&YpT(_80>B}3u-#p*fsY2a7Ul`{xQWe@jWx=|rPaPXMEH%Phc(tesl z*^F&+&=aHO6=I(ABU!eUqnO~yE*(KO-3%NC50coeEDxUYle8ioG9?8a@<9a)lR&i3 zq$0xG9awk`)tRR}2@bkOmyy~)lDVlGu*m8d|5FJK=6?QoE)uAlO%zaH;&#}on~e%G zUbe6w_vms54|RMjfk)Y4^{lxAN&G>TuIxbPT@JgPSOYl6+pk*0q zL9sXMHZ*cEJe3~=rPDhmAc(E=H!G9ZGYZEz-suEfBhBjRsTbWeX`e?VuqCvv9uSUc z($bBY(?Er6OiHTNYUWn_=sXvin8j`K%HWE4*w3j}COOeKsah{3m>fFyMAmWdFpF7Y zR$4{HAb0lHN>5ONmJ^PJ*taK}u^`1;p-AMaa!P@Fy&y|z2~^?Zn)GNhMA%clWV4k5 zr`n6=Xog5unvH9(C&jt&<2jgVh{yb4r_cS0U}Y4wS*woDPWC1;8j4GQ>asb@+G?Hf zn$~A{R?uNlAjcZ+E}oB+II`S9#MZJpQ~xTI(+bKvv7EDt@lz-Ii+Sq8Q-eC6?BJ%e z7MSSgrXSO(1T$8$2!?`8q28#irG(#7rc^=X~!)GuxLJ%uA}0?0)u&#B}Iw? 
zmK`Vb$E?XO7Jv+cQ#)yn3Y8cz;MzWM5|$2=cNk1bro{sMEV?|I6@K)zgy^jmdLzA1 zQGSQ9ro3VONV83L=Bp(|$DToL1^e+G)2b&tE%eo8hFV-C+7oEEPKVSFiAm>~PIF8u zRKuFL%>VG>RR>y{IcP_`9|Erep8?Me?4|l2W{tz(U}n8T_uC2cMN`NVG#^l)e)r3(zMq)9sfhguJq+npjYR|t&@SC zS70Ef)!-8)7^5Irv4psYof?F>`GeBOFYcffqipy{r(3p%7?e+is0TkW(dSaR#u4`@ z7VrnnHy3W+td9pR*e&G?E(6<95oq-!r9iuS?Lg{Z@{AoT+GzSz*}*`qYtiHtqtuAZ!J+Cpc7WiY6K?gxdh3^6PlPh49VN_oo85J?VSTjwqLiQ+7N@rM7eYc`T7cI zS30E2pancg+y*cPI%`-_;(;=D=7rY5bUZX@zd03Gaxb{_q*ax*bJ;*2Lotd{N6NuL z&wMeAjZ+#eDQ-|UzZ%VimZ=1HI51-vJm&4e?6IlUw8y-yy2}d9b3)*eS&3&L+QBt= zq0AHPBsuWP67E6_a2zIv-xa|-NVV@wl50(po*H|lONv)AGMTSWuml(!RrTcP^1CKv zVX-Q`hut3y%Sl*57mXUwq`5-fry?X7D38S{iGU8GnangYk?7g1R^fqXt3yAj@Z@Jj ztKPqslE#?be&n#m!u#oq-L;dYiH=EgW5Tmc+oH8A$b^|@>Q_i-g{=rH@sX)?Ta1NM z55W=Z0&+1mYG>@#F6N0$c zC3ZPPQyaSP`ZGs9?0+UIO^AF?5>!SPK}vM*6T_pT1j@qEf~paB67nbvRgfQ5dsQVB z_VMWA3dbSAT;r69F2O=(Cp98D{3SgnH9O&gl2|F*j2{L7;$bDK2?SSCHyv+zP-hVk z4@oj;%N18wfdyw~G5;YL9ji4($IBSx6U3btWkqYDk(4&J;_dh8qeSX%I~wH5#zw}+ zm1YQiiARTrz}DMMych^FDh{tkQ%fgSPwcls%UAGO?oF8=O{3#6fAK5!TWxLFYd)sQ z3@bMnh9TM~mwgSg@c;FK3xAS)LG%{-nR>rKd00}Jg~hs46It*C9N)x!o|4YOP>ruw z-%3ZzaYyycT!W}-hxV4iw&|pyPK22lpi-MzN~5AnhPB9!O>$CfWuZDA3kum7LYQek zI!J|wCY#KlPv#q7P+k`Uro_iJarH{Z6rtoJbt7RaQ2LunM2gGhQuqisE%A>P21bP- z-8`L<03>89g9zV_n~>C^fVevXUj^A5nHFb_4a<;r3I0P60p`8Q`?eewI_0S}8_m(G zHUB>2`hCJh`reY`nL%J^P}zvrUw@8FuR&*aoJwYJkL5VuE#MN|u4b7yg!HmXK3!+$mv}GKF{EgM@bkWwqm?^dMDocfLA%ds4 zJ`m46b{+qg8RjsC2gVLdnO-?I8zr0%0fdMVdNPV_qjM-r4K7QC?HKVpJhr`G%Z#(u zrKu^5f&%Uxn^?ZVSR(_)5XwHa%m{D^B`pfyjzVMRiy{fg zepqC9xRI1_r4b9f%sgq0)^q|LoY&g5&<54^X`OOKPu+hks5V7dj%Jl?HV@ol5d4ej zN3^Wz7cMaR76U9e9J-gKW6Nm8)I3xrB-t-iyUe*$Oe6J5%`W^9wtp=%f!dk`4hi3RR&KD`0(V9fIwgRHe%H=1l494V ze%G__r^bSNB3GE#KfMtU>h?gh7<@qUWFbUPQhLk3xRtoIm)0*Hn%#m7q+}EWf(TLwainBSB1WGQO{`Q&**WoZ z0x1XahKNeN`glHZ3=>o$zGE)UMDf-*(u1)Y5ZFl%yEXjfgV_np_r*XaHiG8Eg(g zCI;aIj}K@e1KK?*VkeOo$pjZ!;Ni>D*eN8oCRw@{vIA?g4KA&)G+$zy9Na8oGoD;$ zJ zbw7q}Vt;5BhlgSfcbV<8HWU&cJ|}9m0`Eid=zPA=@Rr%L1HF8#4i2nk$1`z|Ea)55 
z8BjgASWv*paSL;E{+U(LmMjQc^GYgl>t@_to#0=vyod1uuSA~àz3a)g zNtc!q%09dAG19=%-43V?_4h;T(vlRO~PB8&huC;UNwR2%UMw@0;G$wzJX>zO8%bz9rwjBp|t4 zhI=?5^nr`rdSQ+?{I@x04wziTu{?QImVQf{gUD9E$GicaWNfV|=Sh{Z3M$KOl@}nwKgdL(S{6MArSi@ln(GBDO$n zNMm1jspXrs5~KL%&3w|98G-0aL|gmjKnfA&;jtSjead>#H+FWi$rq(+AP+?b?`&@t zzpyceWJaW-^7<*X)#uP!hNq_0=B3SLcDbXW=_)%ne(I0h+k!b4C8Nfer`a%|WSJwe z(kBd(*i*0-iE%Lh0u~{YiMo*p)JvopuHwq{3j$vyEyUT8amCt9sLHex zOqfGU6$W9+hm)7uj%kOTvoUaAI@lQ}=;-Gp8Wnq%wLo;=5Yf25^SV?ZX1C;1wd+6{ zcr8#THhGB5PO!>_13Ih>>Z%2I#Fb8Ybm6f&Dqla^S@^^4Wb1CA+ zfVk74iZ}AorDB55&&}Mw0u46`$BO<~%eod_&(j~=^TR3C7s#8fV7AVR+O_!6hN)$X zYXlG%V^w2p@S1ZOt^^-}dYckUzXDpjkNor$jF zdT)+B9i>YrqX7Z(yyn0upQ^m6_Lb^;(Kc&{o*wcUk&Y9r?n3D90|?p_@bA}N95+;w zFo6QFXLPDouTxr0{aVK~?gn$N%~g5PDABVoU1-fg;*C|-agSdcUDG{3OeTM3CsMV( zcq!B2#Uya7+ZCK2Zx|K&lI+@bwIOzn_n&k6mv*Yv0wpyOq(%bKNDfg}PA$jM6naop z>pkougy*yK>1c%DOXf6{0|%#wD<^efIBEJhQoP7s!q03a1%=z_~iic zva%4z;z*2j`mjEtY}_K%Vt~@l1}rGSr0D(>W~@M!RFSxMOC!`adH#D2_A}i=`9)sy zp-ENh4Z=u01e^U}W|IQGb-X!0`2Dp`k%Lz)#k;u4`9TV!prK(ehmav?M1*E?#L zHxR-!OxxTBB|BR1)96TRe{}~gbBX!kA0mo{pprm*4WteG3pU|s?CQbGWy|PTSgQjG zP@37mJjpKG!GW*=DQWZGoG|{X!^ZT=@sn`7TnuZ&r*@;vi4*w+0#uo8gQz#*9{W57 zbZMed`cdV63J*wvipu&}uynIJ$1{r;ZKLE;#?KNZ8tjr&)T;xrb#!*pl%)1rW_T_~ z#zPD2;2mPWF6arn0w{P+bICu-W(>tc=*m_QBLXOyT29FBhr-jnbevZ*>|}zhA!Wj! zgV;8m6aWQYgI-#=;VR>U5g({*XOl`D37sJqdo|3%lDa7vT2eBPTai%iKxvQ-C`$dN z#i$Cm@rKR)62qluM|vmmW-`=*Y{IU%)(MSp!u{CoueEqt?ki#0A`XmQZpBa-vBGMVL%sjcKieyNjZ&foSuA%Vqe6Gw}MvnAtqqCVX#0gu_N1%b5L`_cY;~CSaz`(C&7GOo@@htB=A0vtvM^6 z{M$}41-iFj){L2vD3HW7y=G0_OE^@iFV-$`Dp<};l`gREXq^0m2e>ik7l;aMpLO!s z4zzX`F!X`OcGcfYAdsDBplJnhQ8utPP%1Dzk2~MwL-zA4aHW%cFh?Q? 
zBR>Z`LYl)ZLT}w!(-+ETrWd*&xoCA$a4zJO5kjtWD0i@M?(1~_Qm(4Gk5Q}(|-n)3n1gTA~n;H zSA0@(uuJYSTP_->9;4L1x$pF4r|bJlH>HoF<&Wr1YdCh_d9%)-_K~MtW)hkJGH!1= zky>AC7ZKJCwwg1CRN*m=YdCi~r`R!%fJKTz89nVaN}7Qy*FoV!ni;2pjWl;k7w>xv zF3EDjmERU0-HdD#;Kq5J#!SM5zmxKDEjva=;hh~a&&&*8w$`lOPs7TdM@G4a+umiW zbr0B7dlWjw1f;3qHe3?OLbXFW{1n1cyJu5Bd#?x%8Epf_9> zla>`t`lyW2JnRbW{)I=8Na7ieuEQl~wjIc@0oqGlSgDZ#5*CQ469T zHXtMyK5m>+k_$n&FN1OfFi*oKAIFMi_(goW?J&D9jas`sH>k2ab@j)=^O{ z>YyMy<8JFt?+Ge_I&SN@=P~@snJ6y3BAD`rejp>n8@B~rPa7UlQ)awJ_nM)VjBR%C zlN`Q|k8$nGq?vdw<_NHJq?5*1E{48zMuN933{_7pjCyqk-QQX6WwN)iqP%o-y*tLZ zk{21lC=9F~;8W$w<0s4D%@DZB2a8VZhzxZgFJ#d?pq_KYoD8``%UdWJaC$IkNYw(a zL|usxjN!JldYiEB>R7j3z+J=8y-c~`1K<#rYUF|0^MVtY1V@L)^6}H)F(3$JTY&G6VbtD(yC;(clg6C% zO(zIA8ggIl4r;ko;7k=09I>cjr+O$m_Oe#wBIupvlae~B2CBr#CV2_c+eT5Rk%JD0 zhV4!a4$<0l{Wlm13PTLI6nR?4?B8k>4^HZb)dqA@J^m~+>}L_QUVe(6JM2uK-(}jb zXqh%cKf9N|UD+BGZ z@7M$X&1I*pwa1URbpBO&;V&Clj$J|Jr{84UXAwkRehJr|wnnd?F)a>?{vb!1%Xj~} z{qRBT<=4RLNe}4U)$0l-Z_~$WUcg^KkmBbN0WsR`vfaF61e~d0|C#;Y@$};-{(l$z zi%mDbxPsus=ka`uVdI6LicHvNq(hBjWP$njV8kM>4Y{WZR>1HmSu>8q))5tWoVU8^_vau1?#Xw8Hhed~ZPsUDj;quriWogd1HU zf-5V!EF`xkXv+$cTQ@`nlD09rhiLP4Mou|JEt|HJ3G{)zaLFjCEpN69JJI^g4o1=X z+(;ev$!r_0HY3Ja}{ihB!m*ph{Zz zYU|=FNkMr(;Bg#9Kr~@$e2Z_{YO$3x>_FON;Xn_h2BK`rcJR&Kf|C!J@$S4Q>VLb< z&9CL}dFwWRv%8#e3rEygwpU!aE~!I;6x7QMemA(Css;DBz784$0)=CGFYMo-k@hdT zsWj|OV8RFLPz>R-BgHlj{@ZWyNoetaifQ0Yjp_ZYA zexB7)HvscyF=w4o(ZJ8^e!q`OgdW~~QOgdtZHi1ijK_R%G~z&mPiK_3?Px2%KA4tK zdQ>t`PytQ^K7vTt_n{&{WM^7GqKk2-6(cl#b5O2Q(T>_9Y@ot5=8C;0fsW^b?~ZF$ z)`mMUO@9+gx~$mBWozUv^>mL9%HE=>V};(+khE zbYWZUXI@}Wt-Yduuq&mue3!rC(-OR$OY33R5V4oZm3vmtQQ%tjL_duKk>M&0`bk9> z894uhWK!a>;uG43MEDfUhdH(Jx*`adh9&z6Zr_}!K{6q-H&nc|Gs#^i8pDTO-_E`Nu&bc$)_ z%LEaI>rZ~Bjw&2NJdY#|!i?W1^3JQ}J>jtYq3&JD;f+`}NbuM0L>W+)n!`xOpV8qm zFf{PJ)x2$>1r*5LC8Om_EVyr?P59UKw*oSmpVIkWcdZv)k z3>$DDCFZedR1xIjZ6uf@XB`n{>~+^x1~%Fv%FdxLqpIR59gf^82B6A7ua-y&jhTCi z$gbUSM^}Sda!itP8x_>Hpk+`D)S1CgDxjgt?V&t2;&1v=fR72Bw^|IjUfpREZ-7(} 
z09-}iY#+9i6jL~zfMn4|guOSOBv&BYO-Iz*=Hy0byQx_ZK8Hk(u#)drA#RLW%1XeI-NU6!+8v1i%{C~DcPuZ$N=I$0{2ubF&cZyJXYc&~{L zTSEW|ps7^K#jQi)|8hZ7t5yG@z)Gc4D2j}Pdz7_cOWB7;PqW$FAJ%B)gTyq6xmYZbOd#O*A^Y>6qyCDFuWv<91wfO9AS{-I{9}}r zES+bX#&e(jGxgX1D{1&3ql>Aci;KenR)dTt0?%cF7+{PR|5w^Io<@?!a~=INBeef> zqN9hCNG0R(xLr#=o(*D0#{hyQOe#|%j#HV=u&(hx5mBevuSpm$*wgj$y>!Jiy zCp^c7QOG|73YPqzA2($hf=ntAi^Xh0rt@E+W-bwfL9f#a$oi!tj^uP)%wvM{&x={Z zqQ@e@&i=x&wfexZtpy|kudXYJ!n3dZGqs^Ml|_IoU^N@6f8i$)KS~SP(m1uy;j^2r za~+_@8BU9&g%1`HC6Y((RB=Tzc#vCWo0VZj{qOcyp+@m47mG!qsBT7;!(?~xyG_53Y!jh0_m^Et<^;)f4C?32rBmDIA?G=VFjB8F30(8vj%Hl6#X z6)^IOz>O8Mu1w{n_g#+T0c8a4;v{VReMcMXjD!S!o(hJs5cWo93qPNPUJl0mzUJXy zG!B`BSI`-uvfuAjz!Ntzn!_K(y!|4P_S-BwDzTb^6zUqQjTI?)Gq>J>(6LcTfMHh3 z$4MWjOn|e2zCW$V<$VGz__UxQk2;+{Ux1<33NGf~7M=7`m=X8GC3+qQ25BlDd*C9& zPw^oViQjK`?wAEr3VsmMb3PKo8g+#As5c6zf%})QOs;t|QDbft=iKL`?6wdy5KdPl zvjOQCkPJ)vlCU3D@^27;)7^YPEM_1j8kdp|#DDUqQ}X{kGbw8CCF4v+GGQ|PHa=w7 z*k;esciKIot3N;a$X3sTIbbWZ`$m~5hG+B&U3bRYThpU6+&WrNDrla4*A&KW`^Em0 zNSe{ab;RhKetT(!wKKEz7HnGT?->u*VkoEyK9MfGs;rp|hu&ilC+y$m>K-4x#yy{m zHax%0b`9bRJ~}FzMB|fAhN%nKE4ni(u=~LoX#mHp#vaQw1a*AE6<VfC)d@4(4GhnYrD2%@v6Y52L=W6*PZjdh?yyJED)h1Q(3r((T5&HoDN5%ihv@o)aX zicsH<^r$~$3^rGGJ=rwfjwsS<#ddz%_!6qr>l<(FYJLMkkkyy+d){=;^C{uo^>ry} zct?UuWZS(68|MJYFd2Pg`#_lvq;_5w)c2bqGt%$-!}0jIvs?qMNr3TYr=Xm(!rPuE=59{-b>A+L z`wc)8OJy+Y~j#lnod_G}c`Iv3#1o^7+s?fl;NlEhKBLSB!Tss{clVZ`I~&zapT;&rOAovjY#Dd?$Ncd)|2I^M%7 z7XJeCVD(8@F$&_`gBHCeCV9GU7gm)+{t>++Y%^5q&0QE13s_`O1Yef@1`t2TQBtwF z*zQJ973e5*TNz9mGgVmT!iqv09CL2W69Y=D*72!M-G%wq^*qCvF4O5_$oRnp9jG_tfUZVV1!H*=~BQ$b;qbEMg z$7EEfg~tu(TQeyHhvR|HTj!+PdIo3v@S0}mcIGv zpEJ1iD)-3g7&K+=&Rpf~$&``Rn}^JMb7WaTY9RStnIiW#&+tqRzF7x`(qT{YRf`#g zQB=|4QiUHm9YpT;$ltUY$3GHXGm8$KM8<*_vT`w6a91;I=0;szjraKCVa)NKx!^Tj z(PIM2G2Gn5k+vg2MOs`oHAc2Z-nU6HmdV!5tm#FAOZ#rJlCjU&kR)3D{xl{j%f=R{ zT^7{&zioAPxFy38rD43^)rzyVDV*bde!Dy=8=d6p&F4oCfW{}pR!VXG=x00BYf<)& z2)`I^#{DcC(X?wdSUFWboY1beZl`*MKGzk~-Zew+v7s&>52{#^hdXIBpmQv-3;sB$ 
z$Xs(2p>&UY?f20vg`Z)1C`7E6qP}0ej|vuDke8jKOitG?F-t>Na9~Zi1EQEnOXdm8YxYsgSBHU z;V>uAw~xp(qCj}MRN$j}jzof!qZ3)M#XcXC*Ogc49{*ZuJVovWTJCfuq?;=w%Uz9a zxK$1dgzk2O4fotM^T~V0J8b{vVz6DF^%;@oLs^4)3gRmK6+8XfPBCsT$ZKl_HS6xb z$A;gN^TTSAv{zOB37Kh>;+W~oyssx%pD2Q;l!KwXDW;-fpc7hRGo&(h6vbD+bAL^Z zB+@MW-X!2xz!9G>k^FIlKP5wW-Bc63&&`!MB2pytnsH$J?UiO0QwNaX3r|17pSh&Y z9KwsCP?YtfFS?zNZd4h+oXAtEOd^R=pS(7UfK%8o7rK$E`@OkgPj$qQ)jb|^F*C%K z%Zy;VljN{flR@1U@)`IcUoy|8Ij0nv7hdTDa*P&)^>ZzYT#$~?det6ouMM`sQ%GLx zEgPpd>P9%U-(9*vQ1sG&$)LeEdaGZV`FIF7tT&MChYB(N#Kit?lgVxo;s~ZwllCC> za76n)na`2Glc5~X(+v$E5GWVlHGz&ZU+8Rb4|<$!>tJFcA;HK`7W*<3K8$%u;8qy?%3j3}it?5kHPrS4)2geM_^ zdFXN2n_9JYwyA=qCJ;q};L7%DGhGj01PT>vY9s2dwf3Hr9|2; z5;Q0f_Qj^BLVUk5J|&=xM@v+Ln%o@~;f?5TT^Xs$@HtcH27hbo0}YOTRMvbyj5TM850<;gP@C#C%^ zqilSSzvHop%R`)H5DH`??VV`f+MQPx5W!o7G8HYmmhKh!U?de=4@+3eYbf$q*R;)w zwzY|lL!id{Ti5GITSlgvz&v~GO=Y{kh%!Qgb8VIt>4}O*xp*7WRaKVS%a%=5(9tkv zR;xybtfG|YRxJiV@^c=(9ttdOvCU|j_F82#w%2)(t!Cb&UW}!sE92e-m zN0pH;hc&Djj&*+qi!nTm3$etky&KWRSTr-z#CQNhWy*zU?W~3Fgg1pl)QmhN>rz=} z&_$1L1v`57c1k?u_AF>K&)$Moo;JanyFsNlVw~xUhQ&9gzP+IlZu}9sVy`_IdWH z7I&7Z!dNo~Azr0QpXzdn5cSf}H)ExtZwd!20*Mxe42Dmp7Se!@=S-EHHQCMA={Lo3 zlJ3=@{kzbdsV5xZk)1Stf@W#ldO}JTVp=G;wjEuY?~PsjtC(pP)I2YUoVYiTDYCHG)|aW&lQ2tb<1=Vi_Q?~F>rONPa7C^DJffhVxAR|eNGinDVJhF zV?ri*zt8~aZ11dx%0=a-0KfuM3~=HlE+{gyO@s#&WNVr_kqtF zPWjp$%M%1pwa*wUwXPg)slIjdz=YB_7jIO8%0f|Hx6%S36ejKk&4wOgaiVTe%3DlM z7$qrOuyHS1(k?~W$1m8N`0X%eiYXeN-Q*Rrnc7ON zB_f}F@1=*URFBez?{v!ef0*yRVHZDlRZovtR}HorbCm{u!bN%ZjOb4PW`EMk$D08kRWq zUJ$#yp6!gXE?Y6-@}tn)bZ+#KRsS^1wde(E-|<8283dVhHI4@#djrF2{4R4^H)*b9 zCVmZ~H;{fX5z4=HS~-?27v6_h4h%lQnD!mj&9Cnl9U2IoZZ|&Bp9T?_)*v9;ssUmG z5I7JFkaZ}F6CN_$CK?c4^43LFvgrt-H38;lq|IEQ3?R$_7$s;SXeR$}>&t&@)%#bS zfE8@O-xe| zXWOjg?Vz$+;%L%jNn$9{WKpb1V%@a=xyS&XJs7fBDi=v4)gkdx*jlg%Sdu6L_er9t z*iE7+&t2lbH%Ovz|5*59c9F#R){*~cXHvvrXev^~CJd!WWGf;t)TN0cYwr5%WWDY; z^?))Bz|04L^OMLz6X!_(0rZK@68}-w5=mc)LflS>0BcZ{!Vv%0cqte%SWPe#NhDFQ zoI8^bC7U5kF^KR{@S!BRvps;53DQdcUILoMMOs^xCgybn9&->&#F=Yur`sI~KSB88 
z>tUR*_;vh$&JQ)7#2<3I;{5+W2lx=n*A2Wqc>V5XVSjz)yiV7k4uO{q>U7xb?RsgZ}6cmp=PKbO-B{s%j2mjUF?F7xMdJ@gMm_2c)D;F;{yQ0#wozT>j4|9PtD{H zAR@$b7zWIgPJlz7J>iPp^j}=7gDkJtmP5T5JysXKim;lZ_ z*X6@S_lW6n+);}#*4RncFcdOSI@+}~Xf4r^<^B=IX;A7q=s3>>xN$N>giOl6em|ef z>(e;JE3hpF!=5xu_5h-KX~vR7i$aet^e;juVu)(Zf*>B__TcBWAo}`S$x#Ts0=rbD zb^f_8jXpsg+ z;hHeX7i3h(i~9etxl6+&KlR0bdfcp2gHnL@SKB61Rt@3z5KWq7zHwTsa_mCq)C;dn z8pw0{BqIvXNKygK$r>$|c`s^|;M)PK1M7xXRLRQL^Zqv^1O5%ks6fs{%^DZV@_LHN z6S{CBOikZc-)jRYI#C7`U-sQ|>*NpO$m50nE9X3{T+9!H4v~NSI*Xyd53#rCipr8;R3o~E{{IW_h$w*W=d_bFLxJpFh z0)K6$=8TSO&JdDC8Sz3D2{EY(GQp=hs5euy>n>4e*YDKjs<) z#{0<&5TIx>>@ZLl(pHzBk4vs3(Bd2_D@$?rDj~~hn~1>BP#Kgrk;?ELv3EAJN1%DS zZMx^F)0ONxGF5f6TE@!^=Iz$t;#%cUQH^u?#Q}P7aZ4wSBABm-P6(_2M2sBbzUlD~YoM|K*7ngd7grF#P z;Dl|`)iEc`tY=Tm+jCm9wRtFf14i-qVU?2&U1Sn$1W9KvFY1;PzTtwz7k~-hbwK3n zD`66}^Lx0a(q>9T*Yh&%n3}{T=!2BZbKj-B27&?rYDcD7JqNv76{>=^3>ec#)ZewXdtQm?Or8mD$HLjlT=-s?AXt~$ZJjpG2otSSXmXO=slMgn zdR~e5kPgT08{spX2#TYs4JdjGU(Z5zQIjy>WRUBdTV@&FQl$O*JV*aP?XZ-dc2KYE zY>A#;xh{NX8jRP2N}+NfhA2G%_aF9G)Vs^VgfR~$m7I^uhIcl&-dqW>srCuchskIr zBJ`q!X;@1Hh@fMGaFW*%NhwseS54tB7Hdqkwkhb6* zwd^BPAhW63qI?m8IsG&<(rJcjFlswKbGIP#2bgqep#0X+t z1zqY-ZA(Q-1ycQ$ZP)QCW%5?o$T!_a5ID}nI=IW~_W?x@#-UfW2Zrc1LB@p-G6_kSKhV`{{=KNa6ac+i;%rgj3O8=I}X4+TS;9Zv< z{opqyUjm7zZf}%y4|~pvtpjgJqmRO9>s>{~fbrb)oAUM!jdH3p-=_L;W|ux-k@{Im zTwG^`Ajl3Tk13Y@olA=^^;#)g~>C(A9W zD$U$}OsV@N%jvOp9pZoR;Ox>f0!pzgbEXM0k83=b0~FhiHmWYrOUXIp%Wd>tpqo?Q zStj90A zuS=nMN7{!6myU$4>ulBfux@$>x^xT67`|$0&)Wa*DO^51sX1I-mgjQ_;RVobgV3)J~&BHic?swyLWG*79zQE-Yr9r-ql4 zL+J;#mEw7R`;mZ`G*Z%rWIO{R0uI>6Af5e0Au6i2+F!!&N!g4=qViHfDWTjzEU17@ z1dMQ)R=yq*OUi_%k>k>D8;UI-a99*90MMBSXK#q~sBRXA+0h^K8OxoOo-CY9jD=a9 zj&}%3ss!qRrk9UQ$bjGg;{B;U>WqMR5jSjrq(_Ign~SXX>kG=+Q5uhdlFd7EB+MLY z(W*xH9c5Xdaod3nnM+dLz(6Ptvn>{F+1oVYmFI$GX^y?uDbuR-m~LxF)v8YV@zsk3 zX}&|0glQ!!LNGVpKaph zO6{0pF%yqW+s%*U%AAN#Ek)ZVx&ielMb>2#%Ehq9y~WV5xAAqLV6X*WEChEvMa-7# zFj~jKLw@fRB0?NgV3N3sdk#bwK-lUm`A|g&p5^Q{y382npy*UMo6}UYeChaEJ=0uF z!GwE)sJcWh(lQbyuijH+-IZ}mY$5-Tuyc&@B3?P+6r 
z+TC}advo7!Z=O_Y)lT-us_dMTTIaV~2X|0m>~mw>g7+$Vf8l}N1<#Vmm?F|{N1cC_ zW%$uR8lW|HXPFhn4+NT$v*a$Xg4J<_GjqiAvxtHejiUira1T=qF>mM1ZSb9JLE}fU zxhXo1lmvnPk|lldTb<{GNRx~SaH6gtNYB>-REQ&94c}6u$D*AX>WG|A8DKsf4m`|!e%srkisRxDaOx%AWx11}@)a01@d{YFj z1FSOupTh0YGyj@ax z{%pCkYE!UyEt8R`e+;fk12j!K&9Di?tYmA;!KNu}wHrPayOPbh>y&i(nW=kwsAm-7 z)qbdeF#{pN!ZvAUAnWwk)jf_qxRPG*jGEqVsn9>99ZcBag@Y&E^Qh9x75)UNxxfxx zWM8XrUAH6d<8<_2d1EmZxs~e@k!Pu&xHT**5_m0+^`D;PYBg&$V$2OhK zRgICw*XkVbvfPVTwy+amJZsUH2S&aD(o{irPZ{7J#Q6kezoomvhwvura9L9>Pr*k< zngj?)Z!$p)&#tu<40q6KViRtyPPM`CY%iqNuK$yr-04}-+MHD&tlpU^o$d(4w@Lq+9ny-7!PC84<8Y-$MBu1oef3cDfG8qUiGeH4YZ!8v0myKp8wxz&E>>V4$5Qo9a z^{%muKm|TZ!XHd+7SvNsLu;Wrkw8maRCmP#^jD;R2gj)O){xP|8?@$G%DL?`!|ps_ z(95Aks&GqzI;q6Yd4oLdC&i86F}swLi9u(w^7OaX85sC`Uoe`X;R4&z-h|!SmVVD( zCX5|-O_B7Wg!qW+V=!Wn^V9!ZM9yjW20^n$>TwF(=|Sy@TVto?b%Yrh)Vp1ss#j$9 z7Rtd?)~GeKLhZ>5w*t+rps6MAa2hSbWZ5!GjX_+*FK@HJiwNt78Nwi~BGxrW98`rV zAf)4eh^c{{n!o$L!q*^J!&3qNV!DR2#BK)vRZbRC#_l=c9zhgF7=V#^BfbYOEM*D3 zGHEF-+AOYNVyU;)OP428b}Vm<=+_#QvMjY@7mwi-aEbdXEqBT2js?*KV+2qeAoj)g zq;$o0RBnf6g=&VVN0AM>0x%?y=GPsSQ4}sr3N%JOGcuKV=`&hL^niqB63h+h%j1{R zd070RSi_AHgM)P<{9*L;ke@|ed@){uZy%Xp1ZfNzvcdpn$y5j1OvMEP0Ioh$IuvP4 zf?l_8;L@~{585npRw~;%J1#<;$2|=FP2+WKGG9)%2$Sbvrt3^;BPcCLY%5m3pkQ^?g$RtQbiH#&gdIIdf zPTkI_Q|JIM4|*3(A&-cf#S!wI0928dmnI}xLH-<}@NnSd$ij*TuL?Z_5K-Ewnajc< z1J8`en`OAgIYmVd@)ct1W8`Lv2htlOE7uycoHe^t!BG=7g`{nRA})gx1E zYxE06|Lv9%4CzEdql1vE2!U-O7ntP1X0BZHBysCw%?3V86JGBRGAS9M_kVdrb~;ew zVw;eCB(pXOuGfLk<5j6o#aqP_fGl@?UN6LkY z1!5vR8t#MZ+A>88qo-cYlk+%|m;qKR;!x=8wMnUwahao%nh%fOV@5mHA{N8OeD z?KRi5ek_K2wq=}Y`E^xn*q}-{wgP4iS`{V~BVTCi;tT{bBq~VGTkD+EPTmYYo)&&e z-WrhjieZzZ2C8TC zExC?7Nfp>L6a`?+cqINAY8O5jW^8&tH)gWY0DfIp)N{X+)pO_w2jHd&xr4(%DQU3z z1u0|AGnCw&S?d}Xxxoub@#r)xAgKr$D}cd`!imUEjSYqcl93FgNt{8DPKGmXitHpv zgWo2PZBMqqc8=w;JdZ(u&-?9hx675gD{H(j+_K{8A6a9Aqw{OY1tK)5(#2>8VYmw> z%NTkVGAWuHB{2{}10ZCG`1czB{zabT?BN=TH&E_xP=ZuiYOUNC`ug z{%h#3|WhN2{lyq)y?z#}5!Ix+W;f;;2k>5(*9{zVFd#`e_)`%-VZU8{-j 
zGb?$uASmMg8u{yz;XUBVeGasvg5^y=D$cGQTC*+t5OW+QTwxiQwoK!OjE;JrzdY{c~TVDq= z5!3PnU1wauKgINg#+K(=60vdgtFO;NCv#{*K6Xvs=MtA&t6`Q2b%*J{Ms^>hCi{Hg z2e|vf9ek@Dz?Lg)PvV5f=PLW+WeoH3f2VgOwM0DqJzkZ_ae~$I^b=#nJp-vaOu%wZ zx3LW0HL2x5c9lD|tKP$EC~30sL;6!*bYPxr1$^eE5;MOVj%A-m_<)VyDbUWgsm!_T zEFd+YwcJs=mv_C62!ilMWaQpHITumemOY!#FsQ%D@t&{Q^2>HGB|lL?YhiTS__twlO?vAnIp&rP$Y0}V^Xu|WIuchtoquTE%dEE& z_2&80h6`#Yg4K)Lh$r4`j+DETrODTqbT)N|XbXoE+T9+06S&xM9i()QH_SbGtc<*| zb8FT_Ll?g)tQr+yg({@tR|16L@< z?~?+J1~+w)xvX5z40kR?NuZeY6{{J1`a<9cJf1iQ?o{QGrL4W)I%6C3xU2?ZZjzS5 z3sOn89f?-*kq|~{q3eq~U)*)e(POc!o)8(rUfr|}NS!lSX%V}|PgAUBXKcyjksEd9 zWyDsu>$<=0D3*Z8uyDUu=pb!$VoD(!y9G8#VY?O27qC8y)zxX_C;eRZ&K_1q7k9Dl zR+YFbCu`^RiP@gYVy7|J=BQSIPbS=)4i^3#JQul>`id{Xk;MIW9>mc>YR^svRd^Ij zq69?(WTeZ80i*yj03}YRe_0Ckpz7``l6sl{axm1kZqKx~ljZ)Cd@-K+|7gdxaePo- z&J!jXApE9KALG{Z3FG@yy3(@y+EJ72or^G489fdQ3x7t)HLRLjiAW}|na&kuN?Ta| zno+jG|DJ-Sin+)}FH+EjvTs{(wC?@~bu}X&r)I{4`_uT>=*~HBJg$)gsa@RMYO_mV z!4k`-I8aXBWAc<-ZlDB`bDz$6lL!j8(+O&)W7He3_qY?OuPl&_UYC7rj~R<(SWl~6 zO{AS*2O5yxJtT*RI^UN+P-Sduh_nU235S^}12$duXc$dAN~0D`YDGkeUxACQ^xL8} zd0tN4^;2%3wQPl&9lhI+CEMsnaYT5W=NCQ4XmdNFQ=+$_a>F#7!Xqv{ zlmzQzZ|``?Y9slf`1!l8<;|i*32rQ3Q1+grte9O}e=vV{f?2kMnO#+g`%yTGPap1u zrzd>Qv#gh2+Qu4|A3~dr^@mv+j?UdfFR5ktz zOW})di)6VnIzn973_R%gC*2h`Un;!IfE?}D*=23wqF|aQcW79{B?C0DdFgQo5OR9dNyT zI?_#6C@hQz6+~Lew8PJ&lT2DhYeEDHCnE^Ukvwy|@nWT=eZI%NzSh+~$L4PlE!btY z>;GMe|IMqXAf;Swd$8j;mU|LK!tv#w(>99TgQR_@r(?mF{gzdIcZ3r))imzvsDHlW z>n3jMd*kAEhO!8P>@6w~+1IPTs_W&|)tUvW5TyO)5y!?FEQ`v^1PL4*DoA($4+<27 z!D40&iZZaRH%1B>-c%GW83QDh(P9 zJBQe9LGG*g22MaqQv6NlETu;vc~exih-($>IHD1jhchni@N*z*9L%XGh_>5 zD`p#EJ7ouBCuf&nw`8y4FU>x~e#-&JLC@j9k;u`+vCN6W$;zq5na zg$W#qcNoF+hNAF$D47^(MNgBIbe&cfv18hbvy5+nt>Kg zn+Y^I)N!t6wN1*J<}}S}*==Gm#y-3adg=Gj8Dcul^d71`^&FxxMtzRh9+rB^z9m1~ zzQsSIUSS>}jvUO@#l?%A*x}=ZO%@@E>c3dA zPBAt4l>KR;Kt*$dvxSi2bMfzassg>OT_pKN2OaRFw+OzBJTYZPkYRvl{PoY`=wF zTmcDsYy$!e3;+oJvwsu*yZ@Ddf1AfAihs|>UznvPK-5}QDm;jYvg??%nRkpY2|rz+c|npC2=nyh&>LQstJbMY%`u*CmX~V&s4;?FFcX|K 
z^qRku*h+8wTbzv9+vg7j1G*-Yo0K;wYEwDJyNUz?hYA_fde>e#Y<9Y11)#?*9{U^W ziS8*}*vB<(m)4^U_owBJP@dUdIO313gC!rc;Q17)23;TyIuvO69Qq7C;JiMZ0vX6B zU-ca8`@0lY9Bice7W$Jkdvr4{28XqWc)9Pj+7b$gGNatlgI+7)x}yRbT;r; zSC9I~2$1iO4$Ls4zYBkgsELHI_*2L#3@m;yb+)!R)Q>yyb z-k-1~!m0L?h4oDyG0VqOL?H^I##J6emRuCdbh2li_Xh_(xc#@UmKDW{brS^S{C1-I z-493)I`lXt4f`~tcvRPmf30TzmP{7dc4Et>@L)KKNyS+ES@FqmuOkTHvp(#)1zZ0G z9doR^+*A`k?DLA70=$F+zkVX{Ug3z; zFf119&UgW!)qyfBKCF%|8jLX=^fx0Dw=@mls{dm5fnv5u%aHtSk2}T3^lH)jZpYYe z_=ZPeE`3;**Bc^5Uu{YzN7zH1!?o+n8oymrrt4nX_3Z{Ch*IvBbFbo64~iPauf4a= z#3vT(Ml0cV<&)QUks{MbE49V03*Edvmd*T=-s@h%{gLDMuZslg@?xOm0G0Uja^bIy zX5`*%VoH~RbN65D%NIH4Tg=w1NsLxL3n5vlt+gX|RJ~1fCmlEB60&OR--14OuB{R0 z4-`E#x7CU2Z2iz$0hmm1ir35h*jfaN5|SIr#zQAV!+DR3Bz>{|R-;kG!tW`gj-lP^ zM@o~W>ObU5O!tMsh4%(DyWoom7y^=Ia%(E9U2mZ)a>3SsuQQdd0oz&hV!%Lqb%nN* zF2p6eRL@RO)w1fYSa>sTxWlx8zqaApf2fs1vuYJoOqLDf{)vGr$Hxa?#yd-8T@ceD~h4(~gaLfaw@ zJhUBi%#^%#JMR`0_I9qt26rc_PX=!`xeIBWKGaC~7I~xsP#c<)%Mk;d`r%)8J>Ym~ zBCpQgY9MvoJ|R@0HLGq&{JAk+_p>kV&R_A;gJc*#MWew)VJ>Gv^dUyEsvh)w zj?Lk-I(bG2g%87|e;hmou8??a%H|BMRw=WJsLMs8`{ccUt0wTWkSAK9Vvt+7w=*kZ#4* zXL3Ofh7pCvy7T-^$RxGDmqb3yhJd9?nEi^3``!mi7f;TG_*W0Z9`{QlIso)JG*?L1 zPu1^$EQWwAy<21e{vUDQEggrk+AdHiRmg`$l0MEqF*hzPE;p_)t}KazmBSJ&0sMXG zHmbznaYsUQOi;neipp6GzN;xudK<~-on+~hf#4qe7$6W|9JA^_#B4U;ItLrS33UQAGr z)k@apb1^4zL6ojC7zu=s{(f%t&VnFNvdE8fzmF405!Jyv!@Czg4H{)&{!4-*Wu#JX zc!e0y5}iaX9?VVjOE8(A9Tx6Xz7#|nF$o_()BC0IOFR?^xFv|B9^4U@%X_MO{O?!$ z^b{dC%9DI!eMB^n{TT(uavhw>pP8Z+NlmH}IY0-s3*08$)MLDB&-E-5pU%ka#j&d) z8Ad^eA=2OzSq>HVWJf#R#KT9@+AwSazB6qeDJ51e7A?`Ac(xySqO3Lc^i6H@zCzRD z6O+}32@dS}FV#G5;szNrZ!}-!mu8j?VYW z3NC$^%9-f4RIpFsOXY2KGLf~7Cdfd)I}5uUjQz#j{lb1%Cbv8a#)VQ+PN!P*Mk@OH zJ#OHr?^yuYYo0rJnlZToSCXoVl5?nvo2gi89;16(5MG`EZ5SaGqp||bFXW*xbZd{I)0!_K#=6FH1GGvW1?v;Z%)G!Vo z!OcxfU=7c$D7=$hF8r!_3OYCzhlI_DWo)u-;P;+JMwr1AaT#QoLijnpp@%KnDzf2L zpL5H$j@HiR?|Etk)?t!k@_W9Q5!gT|R>~n~SF`Ot&~BN^!DSL&F%e!>fJNFD^Go-z zGVsT6&sVY3f!*~Dc4(s==TiA5O-0{Et6f}hg zu~+!vKA-nVygJ^15@$E1PJc%ztMi=l>&}4yoIFOROpimj@uBDsm!DMi_S$5KeD};X 
zsy93(?5qeRw6w)kbq|o4ov*2!$310KIR9w1@dxMy-|ZZFjb0uw<*ga@)sJj*eNoK! zXGs)@dQ(?(F^%VyBiQ%vZU<0L0!teuyB`{ke=7*`fbNS)zzy7|WWbGSWjMvN^mIe= zx7U5T%kuj~jErXE=}u7Hj33?K-Ms|kv#SG_4#5&Bpd9+;dTyPQ)UJv}7vT%p$7GYy zklOh1^ecvJ3LX+--AAN6+&E_M5a{kj%qq!B{+%o!t{8j3UTJNwt#uAaxo6VW2jL9- z7mC5S2pKXp&UmcuOJZVq%aJcPpxZG8)Ikr{9ROo7>Sb_MchByEU|-O!1`0knZ#d-kWLsbo(LjVdAu$;%ycHbTCOGECGgB`{UDG7dKNqo z!Pw+e_-gDur=4qPeI&%hJc0Mm&xs2ix6{|8R%{2cz`5U9C()nX6E9Xk7vQ6j!%wIt z;@^fEdLba}byY5!8YRc#g5z>Pjm$FlKLSUS1*xcp=?P&^Vn(mZptT7P$PuWO?ROw=tkolFFr5%Gnh zX^BeMynOhak9CQ%WMfR_c;ekPF4Xnje6x*H za14)4$(&m?BfSSn%*-}QGm^mQX%4X%S%q$_7=n9c8$@6TvXlgEU4;#DOlb>bd)P@> z9_e7^xe3C;9%u!M(m(oWcR#5tf~vO_MsS170j1R>!}F)2c6#==rb};|0kIBT&-K+B zCC~uhiFjEBYUpIr$(_ho@nql8JZj%V`|cUlj9UzkluN$-24ho_`0)dYjL$o8p>Slg zJlIV3S2_-w5hYLV3s<}FUuXX|nISnbIY}|y`PskbtBIKXwvwN%+Qzh+tb2}jXmGxF zU=LWbdo0m(!5ryiXt+zbA9gm@q-+^)kqt$1ZK0)4J+2HLt>In*^%0IS3kxG25|h3^ z9^=N91a7i=lpC)r%`wMxl6v2&@tLHsS!hLB^aqf z`ia`rHH>|HEBgy~yYQ=1SqV%^eX{+>jL$>*8&AOLs&{zDW zNq{XHU({xfa-x#@(hCMh1{N%MykH+dhRP)@cn3=@z*U6f?BKfE-#2#!HvCW%+pV!V zoPhw>v}{nbexQtr6ndNcyop(4@WJfJ}I z&JaVEjefZUwPCQ4K zZq4;Jd&)6@L@l9SDYzBYq^x4h_WW>!l3b7<`CLO6f(;&d%;VSJB7yL09tfg`{o=Dk zE=q}cQbG#BHmWh(N8EDBTPWBJ;JT+GRa{^~H8g;4*PXl0Utr3RT0!>q8rnoTiHI%D z#j{nAN$+c9_|p{8&d3}AXMd)`J{sq^_J|%VWqu7}X(g#OzVzj`#S8E3V_@H|c%$cJ$nj; zQOXr}jovdcG1Yw&?>XvdYT@(ECw72g6bSPfNK#5#T`oeZ5{kxccn}^aG)k~9rKD7i zM*WOZqjK;GJ3T4re2E+HIxocIe~KWephZ||?aZ?2e2lk+kHjvewsS*F<=?UjbXYRv zyHLEf#(+Je%uR;TTrfS;DQ}yaB&Lz{9$?KPlra(?w~IbtYHfpK1dPG{m?F$fo-{)t|%c&Z&05>&Ga4`>lex*!<|?zC+0=NNXyJT>Lh zT=rYn=q=Ra!CHYWWj>dSFCiPQO0E`M|H^;Koz6iG#XAw;vTqJ$4L$9Y-J2y%El=ww zLsOe%??m%TXF_YIGp9Y(FXjLf+l0XsePQadbw}x?B;2;s^}9^U+HCXRymw6*W@GJ9 zD&C)s(XPNb#~3G9?xg)~>;%IR#1pDv8U&s53a=~~wy{M(1PeYGaXfIyNW$sFocnH@ zL##DWXTz@OpsBn<<*dSgC@h6qt+%L)C_oPsT$+v|Np;*Y+>rMQ5CT4r$T)Zd!ROs(mfXweYw$ao${o zLR_0Y)bUUxdNVm;Fm2jI^h4>mTQ@Y>D{FpWt4Y)F`PbIL#VunstJk>y6wn>r^Rr4p1>r}51a85F1`0#Z?u zvCzUQR|Q-URLD;>)XZ|8hHzO@aA^hz695emWL)d^Tm&16#dZF|LDU7SrUuST6kf=9 
zWU@YBsDR><4rgJ%1}~gWTz)H}TYf1LR10IU4_2q{mGIENG7B>{BVR3HbU6R&+`fIj zh=1|SPa@R)MBHB)unVwSq_Ku(h9z!=w#4G9CJ<^quw5o&L!+SSM! zMiExFN?SVa&5XyyTk6ewJz=0-}(EiyKX6!Qwp+Io>rM4jlqw?%-LrQ zVOVdlCaEj`rMidZ13dIM@9>pG&C12GNuIlauXnBP?%QEUr~w5=Zn?R=9DPa#&IJd@M2(|WqloT1IH)7+ZuR7sVt^2zYb-pFJn%pVuM|AOcgwB zffpN3(O)#R3x^@!a;sf+;v4EHFi2$9Y$Cem)IW%qP4B11(wRG40UbTv(U!RJH;C$$>x_Ys;X=d=PW6NW}+?aiowO1v{G03)#@ptM6J-443Gl##Bt+`8z zuPsnC3?RMlAtdHcLeM#yiqQA`Pv4B+Pq!;LY=^rIp=Ay+lsoxTBiNhfW8(DcT6}}s z@Ym6h8CI(t-Q1twUSux?7EQNVpgU=)xS|NPY5#Spb*Za+($EvN6vs5!Pu==@2Edu z!G8~^`}hW|1X3i!(|QN#>SI(hon7yS!6+-DwzFlX>z|={CPuG2K_ocmSb^W7ABaLt z3Tpk3bU&5jY$noofY@~0*UVK0%OL0$a* zjMg_tdx)Lx#a(G6q2xZk#C|MkgK-v0Cq1mRBh({ne_jpF=IaAox zWpN=iMapR8Z3BbbC|?wtZjt*ImLF#Mf$nltw&DZHh3LPNGL0yf95uqKTj@lYA&~h7 zx#@OBb!p+_=1%b-{dKARmYdK&<(@f9%ujs?^pqvpqm|J3+)m(}xXlFq9wM86XpdJVRfsbCU;;?^y^)Q(AHX?Etgu=bHw?#e&G_uS%yxc9QZNDn`UWxeHj}XaE`Y`WFeO)ka4wx%WrgpU|%)2gf zeVySo;wsyh8xs+Pv7p(9C{$s1L`=hZvY6StZ{#FBQ6OQgxLnCjGv*SbtL$;QYxK{R zuXSY5I^@rHrdcfZ!c6)Dj`~c&tx0n|pK=CPHa@aRx+2DtFi$WBpYT@gXBw3Mv|;vX z+`aP{Oo_M<&DsfY47Ld~s`QLj&tI-`yk9Xl;&_ughOBU?TT$W$1P#ybjoa@D>i2OF za*Qi6%!wRh`rKWVhrB8RhR6GBVoaGQZ54GI(S?pu`6_!IC4vNps@%eRLouV_u;h*!$t?_TuBc%s!8eg?fLIgNLGDP;m()2SYlSXXf2J^fDoyAMVlL z{>`8B!YF)%-5qQLwBd~H@Gktg@39LBQTJo%W+Y3XFe1*P@aGQ;7%TBTQllKLjnPtC zx1W=sh6_lJ96YBzZ#kdn-S#!~@QASMU?a!p$=B8?^D~%!XgLpRK_@!W{&qNt_;5*b z9WUM~!?Te?W(m9nHL1pjRFgL~Hi1Hv0p?dFh6_^`llZYfE@My8VuggFOtPNlg(3pJdiZU4s2@YVFyXV zq}U!tP@6gyHJgR8(0vP$RL?I{)Qd&D8KF}x!)wH6R>Q|6Z^#%0#1h!6jw{>U< z84lbtdj)?IIQ+~afXgHZH8t|M=~`9N>=0hH6T&_d;5X=;jv>yGziXM3Zp%LD;WVAV z!3?RazH(ocQJe)_6HL=~$zlE{Jcxw>61rZQYb!+93+o*9$RH3mzey=v3@p}u>l4<1 zaN*%nmY(xx(7>Iy%=;_D&Hv%02m@<68dyESzmq&rirukri!I+ayGW<&ZuG1jABt?bXIrXU@G_;-f7=_qngudS^u-;BiF zPgRk@MaUT5W79Uc&XBg@RBBR`7him3G&GBTC$HPPUYsY{yW2eC4amcN=L79Cv5RYd zyuD+G>35e!>Z;DnFCb+yIEY@{+@2-n^uG-~)SsoUhd9-?-ZR@nrL>9S2640J~SPWq0KUt4q|B$2AhDuQ&lv)E0>CEhr4QrC>$r z2U9}jL;Bs{YZ>Ulm%ZShO(i6kEfa6Px%c$j$(&3xT?iXH&mg0@Ub5Y4_BSy#^;=vT 
zf@X1E2vQ8PA1~5_i&V~_9eJVX8MPSbL~rAj&XTx#WXFg`6_>QhB!wtR;=A5NJSLKA?D4H4?d%9qiML-*s7?u60!V#xlq%JeMFA|zN zNG4_WdKh#?ZV?z_Du&JxK=#y~<>xQRfYSQ34usSoD!W64E#?m{WdW>FaS23>E$>t0 z2JN`i+{oH%i{Ddt642QbO*qJ!xV?xnbUAz5BSb?dx$R(!n)2tUD;qH42i49j1nW1( z6s+dIF*(BY>Lp@gu5(yoVi4aNviKxINSPgVgAiT*!D6c7o@t;1U18*G%d@6wN4jUB&VF37pjr@FB#2M%Vp5oqShdskDJt}F9qsQ0xU2MV30ZiBTl@+V?+ z@>T6(T?RIx6wN^{y&w*ydCm)jgp3$duC^whD8iCQ-};t=x%{NMvN}lsrOm|=tidV~ z%;A;9z=niqNhhs_s-xOYCp*ui2_kaO3(=CcpKC$^EV$t$I-`oIrz@@?m= zw1hymUm&(jv=uhFP3CTJ%O#!7-1bw;fF4k=sIideo2 zXFCj@_*Yd5cF=u~zK|`u$pPP-_3l1f{Y8;RZuIP|(j@xBc0na33V~ei86U7#vYlP3 zTyA1}Hkvx7-HPU8RCZlb%IjGI4kf-^b;gy9WZ@Hd+ilL;I@E~^N5@(i2=QC?cgDaJQw;hNpTvkq;bQ|>%jEtzOv8IEkQ?2N~!e^9W6H(`lWZ9 zruI(8wB577Wf&MWlq5jet=9*i6g@{fOg4FLaHK0bI5qUj^l7Q_)MG^KzCs$0vnm6~ zwp#Q@*P>K=%JbFUKQwjB%%Q&gd_(C}ZtSU43+E>(6?b9sL|ZO4GWmlxIa7qrU2LB% zwaK(z@c2SkFF3=7{AjeCC5P=s7%j}iwBwIld^p>rRzmcrp+;P-S&iOjNV{^ExiO@$ zC}kt>&u-CW=Hg0gR00y*PyyNuwnwc4l6W`T)|4dO@AsUIuYm&m=zy^i99NK;-?N;)IQx#fizG!kijWXjk6E93`S$W} zQWL(f4IrhH5`OT6q1W|n*d=nO5@2=dWCbib6`)-|nK&Nrk@_$(a8gw~pFss?x=|lA zgN%A$Xku#5b|B^ysJVvS1<4o_$}v~JXt7@jRdxmo>Rz}(HjDZ4JC6KNQ{Xj)Mnm5$ zhylMG_pM1-&#}Lt4R7bDd#C(|cWiKsqUz6IMLk zGB@W{XdqLEhCFPcwNkCXrwK2Pa?nCPu5GhG-uKB0PH$4@wC9pW066}UdIp-DHsY9qy5p=9J^D3A3&-ka)52;l!C$^zmJN*y8W1-k77i@w3n z+HMN&IIQlvW_2sBRCaSRO&#=o7n$YK5C;j%n5cca)>musVE!3ohZ7(mtX6boiNeAp zU(af`eo{$Uk=fGc;o)y7CM8x_)U#%szbCRtksnLqL!|WYNKL2W@dlD!`fF(_JkFjq zf&_w=(D`QbJ?rP*!%$j|Q}XS&kXRzv!V8s-(xn}+;e;^Jh%&Yh3FxH?JL}Gs58nW_ zC7Upzmr@ql7xRo(;v`0JY1|an(}I|Zm9ru&tKrBK@FnTqKWt9t${@>qARR?zO7OEx z)!`qwVBYAtQ*;gAqSMr*Zf&rw9p$Y6^4z+<2AHS*-w4&xHwMra_EY?td^iYIVMVWH z{G6>t^^#?Ud|bGH1dzBjMPmet{QTi%SY&4=vG-q}5|xh<8FszXyql;^Pv)AQrpOZU zoXlqcLDuEO?3vNH#CY$m)kGd?$>HNh!8r39(|kEtdu@&Je(fr|qw%R0J&XpIm(RpKRM0d6H8y&H{?PA?vlEd@ir>CPMho4o+T@_%55a zNHp}b^~f!8VqJ1IAa-3y#bEE?3L{`Ck?{eBoFBmN6VTMMS2e1+l#6y3I;Mm$3qbdw zYtaJOSI%q#VaF!n=~ryxLu4?ySs~Tp>ITuX8>{Ba+1CRx&8 z>D$tjGCs^WP{72nS3$`ZK$9VMj_x;+OQN&Hhg)sr!Au?X@Fj@t7k#>+PxG$Xuu&gy*TP`(@6pZz`iM~ 
zyugB1VnL&3`wN0+v&8VJ$-mptag#z7(=7Wr!GL9T@wNtLjY;J=wdkNXThkM^f@2lK zvUop>wHq&SqHvZ>s$W9(d^1{)P`4`%daChOV(JGs4?K!@VzIQ=)aCfnBtI7Bfz`ur zd@r8l#rjvwnp%2R{K5`4iU?C`WM?^XpG}7kb(QUXlhA?KZ-O<16xPy z;+G8uPv>5qMse#@!SD`EA9aKnUQlH}h4?7^!j_Bkkhn0J^jutf8=XxpyoqSI4Ki_q z;RUm}?oh5cW8iIKXhITZw%3*K;ghwX!J*Y*u2+8X?B*TU6X3N7p!ODzm+gWeTu`d- zGX~$@;hyO}r%p`!7se_ZN}>3AYj=ej0R(}z@{q7MlSx+Y{$|2JH;r>L@5Tt(z) zVVYXujxT#%V=Z7er+hT!ed>K4Cq_HnR*qLKqc-5DsIuiZSK9NP0J4Jj$@j(K;4}SZ_Sln7pDL;kcl)>vJHkPBBqb#Ro}Eti zY)m1sHlA3n47LIgw#W(F#D$eQ!(NTCUQDnu+Sna1ShgLk7zvAag$2BURnK7`(b!5% zYA{XW3OlOhK{D^E0d6pc}0UcE&(BQgDi)>urtq6jK^ofUU%CS7LlEs1;BRq0c z6&_(YBDu=xk}pZz;r=CEs{EMgUV)kptEzIUw<=in!fCJg+*kbK)q)55nGjit`rzPs zI8XzQrpULmn6%A^-U{Ql)6A^iiszfrcpwV2**F>(n#eU_Y|@tf0crkDm$wB9*&OFqsPXoAq2`)WFJ-Yp*J3| zE(s%vrgbDmrRZpilImn}KhWatA?=L2gf_=5Lkoa=h}P>C)E2qf+9vlFt<o)x?T*nkE!*gxRy+!+#T)h10={Lm>Nk+~@$IDDd~<0_-)CE#@dI_p-IC(Om#;#J=@^3FQ^JD#M4!hJ{6r0t zSeEaVVo#IHrQNe)9x+iZ#RtPTqbG~%6CLy+E%-!7Eu+86?h;%p{6~G{Zn;D`r~DNZ zE88dwnd;gyEeDnd%TTmZs5xw5@T$RbAjoKt_6cs`moJwJN(Sh~21**ZIH4tvGp#-3 zNl~=U`Ovkxi(ZDObt3()_w{pk($_zwdvZxddrWW8A#|U9p&xY)Jw>- zj)mXV^yMawQp$dBdD)7M2Q^DB=&3mR@>$kp`F>`wJol5NA`qJ*>0k)amjW#myb zN;Cf}1oD5NJc|krjigMojPUvlmqECD@PL+mOgUiams1ZU14TEkG-O=Wl;nCJ$awUD z3~)~`zc8~dUa%{r23zogT?*9Uz=sNWe8EPnR{-=M{mfXf@JBlMM@+E2k1Tqy#-Bj~ z@66g^hBUj)i7+r=860)QC|j6%?ZxH5ox*jph*b3UX?54Yof}|I%M-q9ExLR=@U-XM zh>4P(F&>CoWJ7~{%U*oCqKB^^3a=kd*yNv~`KeJE!8R{iU34G@I1{Iy8_6}+2xJp)9@L-h!vwo?4jr9lM zTdjMSR>=4116e(H@EvQZ80U+&#bl6pz^?L#a%9kMZ0MmlakInJs)y1!XqtBIKOp?& zIR=+rCJLeBSZ0g28Z5k#G4qvhK4$2`uo>g34{|X^55RqL0m%8tF|~2wYFglIRtF9j zx@+L4_exQA)wrN9#5cNYVxM>6YdU1bPr6#bfuHx{qrgc+6@YfKHF89@O!aoYMu@oE z)hqGY8lIh}%()@dxjC-y9L-#lxw)@lPt6Y0hayE3>||?-WKBJp@x&Z>NM(Twz|n{U z5Xyy}hwlf%wADB--HIZ1P!i{iS&+p%q@B6w`d>%vlO3~j_AT7DX`ksi9f0obMZKv@ z^{ejHW%M1Lt&6+4LvpKFq4qGLh!Iuwew}nU=p@f>-iS?9-v0@G-#ZHO|EP?#utItz zM|nw;U?hu=Aa@f?6!m{oe#obeM~E5^XeIJ>4^XJf+`NJV`IKd|72^HIX5{ztcAM!G zxt-}020%|vARTz<$TrG}|Nd@)CL#;@-Ahr?iseGruRA0&qd#Ie>6IT@cU1#ThvefO 
z5pPq10(eDU8}Uqx(N{`EynpOwV=y5IjQC^|Mh!+(JvmM=w2%8}KOj7LwEX=*98bfD z%Qvg|z@QOc-kkPR*~h{o0DK8|BeEg6=+S7iid{h}N z^nn_YglPcANH3w|r&LFy48nk|MWQ-&jNYTWb#gCvbZ6}BPNjcxLERler|A*;Psh-a zI#e&wPjnYOt=Dx!OfDAE{HF_5;XL~8@p0tR`m@Lms#-kSOInu9!caR#KV``zW2xGV z!40iahiHnthE2R3Rz#m>e50qGj3V3O0G38-`^z{mXOvv?~04X>e!M!3eLjBqG zL+gXA)k$*Jp7X*aqPd3!+%13A>4f8zSTRLnL3kx_7UM^4q z3?C2bPVp|Cb0%t0SMoNI@T$P!sNgmj(X@enk4h-<^5z80PdYi}sGL|^BTYXcx9bp` zZ%`5id+Q^}bqLQjmdrW~XkEi;-Ggf_8%@4w4Y}LBLlR{TsXW8>}(uNFUM-)h7ab59eCr7@VrO4%R4!ioMsInR#areTB*rb zC#EYb8_ealY)&k+gO3KDT&^Z(TO|(Xwk!gQh>#ADmC^ry6?G%dd@8xJNIi2A)fqSz zJ;gHdoT-@@!(>#uXvHFV|A5ViuPZ<+XsBfVNq-?a-*(WBX~=yp{{O9K8_*mY#vma9 zo%)Y_m(KoI?;@`E93`F*`th&$64luMwnba?a#ZH_r4~U6CM{5#PZM zI+VepTKwYn$aU7y->Y_~e~s>W=G>0AiEq+p!qt~;KE>er$b1)&vgJBLuRZHXN*)Jh zxZxWFYsi-kBz6N77v)Q`m}3IH$gl?+P}xH&)5xGLDfD3lEOv@nk0!-xMOku3D@As2 z6ByC?lyxHz2YHzUYZUf^+>f>Py@_bGpPa|=$tQkXr&P!rGT=2ptS8e4)Oz6FGumqA zmbEoX$1w}$XtsO&y-h%9DTZO*+r0H9u;PYX;Boo}IEA1wi9y@g*tQ|5b8bE>x7vOF z278=s2UlbYDNEqtWm}H0lch!{{S8iQZX<>8#B*!L;1*YD7fZ*n^ zvf)c~*MwZ>6T^g3{mckc1ho^vzyk{q>z(=1^3FRn8v0w7tGaQA_zSsF}8T15>f<02T6?9KLH0@h3ucZ>dR*jAVGIVh@w|m`p_81 z#)@0AvS$;iK_M^_A5uEc^oQIU10tSSX=%nVZcz>Wrv{5Dz8nDwLADQzSS)P#L7~qy zN~KkBl?U=VxEhhCX~fkK4iE9qL$Z+y$j@Yspkw500@Kc=QNprmNR`YkvVow2Xa3~p z+YR1B7csM@QuN3F3ht~@dFx+vOCbL81F32d<`ndW<$$hBn|nH9zFk7}Ec)cp3?;HO z{~(!?PlBY0Z2FE?74t#3A=$Cb1D%j25I#s|wEv(Pra6T0(NsJto0yA;QrW-pU>0BR z7a-TXCT$-O$RLoF?aCAkPw=iq7aIWr73lI?T74G2$<>>ZPmR7KLbESC){hN>Y!8oa zquTg;Lz`ic%36vekE1FnOb(t5Xk+(peszn(PdA=+_RTn^Bc7=yaeXahF#QYUqGTP* zlrNGyeoJdd%F@^dV8bQ|2EA-edCM0TkIZYZdn-cOD`B9Q;dwe3H^~v*PjiQEbjAAe zS-tlEXLQR@QhapHJ){=Qkhq9?HwSVI1I0yQM^Z%WB#nh$A4HRUNSq}7rO$`|Bw0v- zLF#GOstF)Oko3^vL48OO3K1klgq9B+BKmSw`y!WRyU{=KOEh_C2qVL#o21&&sf@$6 zPKs7mqn%--7$2A|%yOpA~& z__8sLTHsK3r4Tx7%@aPGo2D#6j66nX!XLDlv`)EUtS*K|wD>nB)YF}~)W7_N=~7sW zXqxr`yFy;1eZX>m%O~+EBvO9@7C}3vOee@APX3rDX zIZZrn!**sI=5`*uUVzlWr?)tg+zh&dTh1?OKtnPRh?~~k7FHcfdK6o{TIM3d3yJ8l z5VpE3688BH-6q^sF1QoJgNRR~HIiAaZw3mCcv@y*d}TPuv6POn{f;ek0Wo7sp`wSb 
z-A6Tr4M%vV$PDSuUMkFk!Xo`qRAUaP))4DBBB*N&b(j&BHKH0%1l3AIQiIK*TRDsF z*r(7P`~>3^Pk7ku%fUXLEA+9UEL%Bp=pK1S>t~V9IC{isUgE= zD9xuD-k9U?tD29QC*(a&Bl-Zykh{^Y$4&R1y>k!@4Vv#Zl;1vS9s z*lPU^LqwIsEtu$S>(VIL_iG^!dU07Z&v3Q}SNmMEoFeHjdP~8U#T9Y|->3^?3#`y0 z=W31?phi4(TbCAfTP@*!*B*G)$k_p5F#-q_u0>+!j zi}|n4+L}_kymeLQmY;4F#TrkwDdq5YfW7s0M+(ih5|Yir19nTfVxgEjp-dpQIEsDi z=U5f|h6q$1hJyDfM!@o_uDE^PcZ@YN*%H;Jw5$<8St5j?dDoe4V%%)M|5SZh^Vbwf=Dan-3sb2fkk4IWY&^@1~F z3^1E_(yCd|^uRDm6C(yd8eZK6&g)rL3fm;r)JCf%Q1MMsvB@Y~X}|=fF&D5SdZ;ug zZVj!sCuLEsor$H+`9x!IO5&+q_1m-A#tX?A`%ea%ygvhnsm+46N}0ZTq;YA%a)c$f zt)|hKK(uVS+wxA9o!l7CEvaP6Ew3rJFLCn7URG7ajt7}@Nw~kBV#&}%8hjHALQhcI~Q@87IXr+CcUivE9Acw4u4WTn8p{sMFurS z5fZXGnv8ufz+nbO1RQx22MyacF%Pta$4fda!CxHdCaJvtP9htNMnXrsKNy;jlVIqF*0RrdlIcv3sA(0%M3UDz(sQSdHWI~{NNoi4Y{U$Q6QVP$~c5A&g(;C>K!nx8p3X+jS%hK zof1{uZZ(ZZ!;NO8vMllR&gM}8`%FE-!&s%O5GEnmkQZbif(}UH13QDTLp-w0B2bm@@)42dNyTlwo1;QeL}TgtvjTfvau5A~>b=Y~^#>-*6*dy95?)Doz4}QGGb`Lb z(OKg2sQ14XI`8W~tDvBVy{eKVZ7I+J-^=bbDC?=N(uhYD zJ&FwYPG;w3rI1fxrIGjTf_DjQO+x4cWD?4JQ048?H^ zEo`VxiYUDnUJg0rNA^aXg`Wnoqy1XKGKB_mxI9F*QrR>Iun|bu&CQt@$42RG$i=Be zj#w-80&N(`9wfK`0q#8!ZI|dnXhjEn44TmRF?@-lxpHxW##b7~8=VB2OU6(_lpfwZ ze9@}jS~>B8xvVFHckpGbM!e6tvEgxO_`-|k_t_0Ec9v%AlecA8+U|ozIJ;hH-*6_{+zy-e@z1&U?Nr%w z`-N=ar`xhMrRUjnjmq<>oIT5)-R-kWbJxDU^*`$w#vM9nTaGoBp~7=(8!T=7g=dSW zijRoK zi#zIY8=NP}5GXzn_@qR6sS=#4!;|9kG^}fneSkhbaAnFO7@$yqHc~v(@|;k^-qN^> zO~}AM8*gY)0x`6uS7srxk_CuVdrnX(3=q3>^cTbxg@c~d>4n|R&;Y)3m-(%O!1{jl z3b_mWhhsE!M2wy}{&=BE2kSNPKGHAnT{J-M;na!yde?Xy9_Bg$9>EnajU5L-A3-I_ zAq|u5shO_9q2zAhj^O*TMp@IY(!qQEn6-;{j|E&e-_ zso$gTa&QM=l)P6FTeEQz%-?u-!pjE;C0Gil1dHARAwE6o&&<9hR2&$fDCT?L8vhI7 zKLI9Mz5if^+P%NxyK;1_(T*MoYMC$WFLzbro~*7d>NF|L65Lb6rE70bf-S1AOO`s7 z;^7eDB4N$qfF(;)ub{tvguX?caUq>nHTiBRL5vt=1ckzK z9vhh;NT+QZ{Ss3x&wbzb{`&JPzOtq5+HXwjh52qQb2CE-_Z;lu@cgX&u0VfoNB9jc z1&3|A%TZ0!ay;arz(y(<*3x!E+XXEo+ocv_oiUXTF}|y-OB=gHM|}4E=*p6 z(E|w{e*Q+vE1xx-g{Obj#M$C%X=nDZqu62nVrcD7QaK)=%-h#Be%b=Gp=j=Cdg@4) 
z%GWFVSAZM@Uw33jp`ML)A%+2u@>_C(HfVTl<5mVY;wXkh|uP=fkirTbztDK)f8oLve=+ zs3TO>(^gHAVGNT~5EK-P#$&-)Jdk2gf{}gWG6K0$0S;P&5DP>`L=+`SS*1c_^c%X5hu?^=ob6z$uII=opEuK23Reg#cV^zE~p7ErG>2?`n}L$ zIDH4%0NUp1<@{?o-T<*DrOxOvyHK@Fo3=LAj9tDtW*bkhz}=6BcaS7QD0@WO!$W8* zszo3>YYa$Q29_5jsiMup@vRy@sVc8QsC>E7AxIP+2^BP$>k7h2Bo9w3zFb;luD_M6 zb34oD5J~930)tyqh}9hUdT#=^{bAmYeH%!mm8? z-y1-%3qo)}o{_!YL9Tu6dw{cxi2K=NTLU=Fi?eQ22C;4$H#>l#t%^K`6q>4x7+&A9 z!qt2Xt4GN~=v2qU+HP_#|wjPoGkH#SNmiI)|A!S0tcVPW+4bodu zE?-}a53@ECXWcN%()@uzgFw(^@vbVbO6G-g*?|n?O9^QhC9lQxfoBt>pwZtCTdIwe z3}`RA5$o>{6p=397m~dmxQZdulZ;8>E4p;?a*hhgP*Te^aVf`oIa-&EGzb^V&9F*j z$+x8je=klLrc-c65L3^!<7#=QL*9d46O?Me>`pe2yH&FX6h|TW+T8Gz(JV7GX`@dn z46*cX#@@J4D7H;bQwxmruruN|yIFG7-UhpE*qZ!nL>!GonIE`)UeW9D)=bg$o+_3T zOyku?*7Pubm({dud(*0(9SS8r@Nr9OWk)oqvZ9x$>^QNwRTnL*FzWU&YEOZbI(v5QzlyR^c;H2cs zkh(<-cK*f|N-0~ku2K-tI-d(F%YpMxR0C|#_r<4dV2%y&+6*$3!+ zK73WCQ_PmX;FKY-7~D2VuP5eF<_L{!zZm1!z}IusNQco!H6KTPt>sV z)k78Nxa0<447@w9AWmoS20)lAs>P?~*I<^b59ofXdjl8#L%Q$MV6SR}u;)6SR(>6# zfgAi*gaTx@pS9%zk_^jX4IIZMXx9oE5_I(J?CJ++Ae29A zjPS0#lh_gLMc#!3xIeZrBLfphdu&Hi%25oKGx5SjHG2%i#DHpT9?iUrnWnnOBH#_T zundIBC-i7T3<2V=L`*A#+HLZw%m$XlW_JIHr8g&jV({=75S-sWydK=iW3Lx6JH|lI z5Ar#E>*B5c4tq-0z#Vrv^2B1tklXD0*U`I_N|+< zlEnLT`r*YFoqn&yFLg{BkYjh^%9T97G_N?IF&U|58VqnZ`TZjoX)HkhO#Bv90|b5` z;2sou`UJ!N!o^r~t)o>fB>VFuL<|1JYJ9Xsq)OB-Q?m&s<;1jv;18$AUzJbUlf!>3 zY2hccg4W|W+{D_;w{fR(<&7OHuk#+ zlxh`|v4h{+-0&+tOQHwEk2BNm|MA>&sEJx6#B)%RgA%-9n?7;pdVpV})fndi^`wNB zN0wM&ZyPEH@RToKfei^+y}ZPs6qeY!Zl%c%Zpo_BV|QSF48Myt!4FPjka=j$=D?WY z@$0u@YnR{%>~OUrJ`2B7LLwE$Xro4L`PvF|NvWRZc-+DVL4eH>31Jo(43Ipls~gYF zUe9LB8p*H42p!2m@-$S0;M^X1j=+8j>~o^+g(T8%>jVY1^P(HRn|;mA{D>_?dqnuhw~z+zAIM(AwB7@?Y!d54ILuz5FkV<=^DZX{`T!^O zGO2}W)k9nB2^I!vLQ<%&g*$vSqedzk80qk^t7Wxka1d1$&ZTu2v~g88=04ZY0$5Kg zwN`z2qGBO?^)pIrK`E~uhw2aOP2)0i)Izztpr$%orMGJotU8{fkD=wnw+7X?Xy8nK zL{2bG`9pn0z=(IZ&?8j7#S%Xj+{DOf?zrf(v*O8lsKaa7MMzf=wCVoziVytA_}tWj znB;KFDy?gCmW3`&+?NOW3>->`-&O7nv+|uhfw^thT?xHD8fVXv=Fh6Q(&26PXE^tOi@Plk3@r2 
zE}PWii<-(1U3wF>@cC(oD&m+(v@wIBPb!&GmbpAnXJh)1hG681@+=pinPJWC%ea}~j!KTAlKlJhltL;B9nmjIp%`=2)^!atPY$ksi z`Yo?Z%40XO_fU~41{td}LsDP|VrnsmBpPANwl%je_=eAYJZ^{lD-*9;51N%`uMQ4< zuBo$TWtOL+kHLov*VeFIk*DEO{&R$&K}flK#IX5uBDiL$B(4ce}!9R1W z{(-YeGrvr)1+fRlJrIWtWq{SgW6RU`Bko_YCFRq>yt-;zhN_F!PM;m<+Hea5?&s8Y z-tIBR<-*xR`^rCz4uCf{VY zNU3bMdE*CQ6GzZwb+BLJ4_1bKk?+Q~w@a+^_%SA!And7qm>RkT9I%fCMDh!bq_w1; z1_C1Le`sdadzT12aXal67G0>3-|T}eeKG6B{Tvi5f;Cr(KRgjrbhHBDkC*vmm)$9V z#M)t3i;*Ap&idMve|rei6!JU32tqY1>8LJJKJ?gxEHIJuc{J*)QG33)gAY9!+;9K> z1|(EBRGLP!_vui5QQ?(+N$M4JC&b@(Mh4jUx()5=kDJ$4HONLR)blF(G+Cl?!s|E_qK*6*Q2%`yD^XFxvetxE85es}QxJrL zhcoB?ASLR`;j1heh6}PkV#=3@LxfQ0CH5X9&$+v77wrgK?nI9vCtm`RaYLpTcR7py zdeDDuNVo|(r{Qe-cDPdKbpRy%9TA2Lv_=lxrF^8 z`R|tUQiWX#?r++y>X9@~SXyL71i&e~)u{`9yt}b8YAifs&@k`ulmjYK+-`>x+EJ5MK`su8=4sdTp#|De$z-QWd(M&OKF)LL#uPhFQL z6!>JyidRHMVcfU=TjqbDNokmi-8^%WS=Hh$yj0alE`4wIkm5TXArJOFnY-b2{g{n< z#4&P3i8d?zh-Nu+g0HZ1=%V~PCa=rL10Q9YQC^0UC;u@d1*gnf$Zr_w+S9gefmi>< zjLHETs2?*@z#P0R^UsP@qS_iZ(udvq$JHb@@R=|B8Wni8RV*myM|OO?UqVM9$2cdw%E}(*7ABs7fFwU z27~}>5o^GEBj+w3Vt+kMS%Mx8o{pO5Vm*F9M&Nn~S@6%lPe_{-NRV?}!>m+_q4wg1 zMaurZEf^IDAVF3bc_E3%B|$%VcA=9*!e+EcuNFPy%(!#s-~lV{R532Je&A;W+q{Yz zVZ_G6khkVl`NQhv-^h>x$1Ku<_f&X){IEIIin-_r_@c7TE?^xl)rdO1xjmC%(OsFq zG~ISyG$(-@P=*$Wv>uh^k{Bx2GgG6*qIA;cPzsYP_yfZ!<)#Y8jrmjo7B&^-p#D*Z zXYL=6_chI6D)2owk!yq&vk31rd3{}?1>+PdXkOTpAK?X%L(sVS?W?It2h%en+fGHT zL?262Q`aOH>=9knD_kMlyg~B>Yik88VN%nLg9{JFe|U&J(LrSH>nLs z#w!>t7AiL--r+|RAk z0vp$Pe+f#m>D^GKuGV5I(Dy7zqHT^li$yG{{tS}X=uhBpThx_4Bb99YqT%%@7+48r;aB2a9bo-9iaVfJO3)b1;$WP?$Ff zaH)S|38Y_=!#N8UnR;->bq}FeJtF!zy9+(BBr(y#7}1YPhR*-I2k2Fo$m)E}OLq_Z zT#ejfE!7Y-w}V{y^pASHk{aS-sX$d>fR)=b7QTO&th!LL#*Xka^!LvAru&0-nVRBK zZYLuccOrLllZm4r!9}!(qt~izMJFxgwM-$Y`E^8O^F|rYQ|ou{psAnzJB&@C&*nx- zx=T6{!630A0S3F4U-w+H#-B9S(_ z%0vr9UQw0w_a5M*)E=x)A>Nv5Gx-+T)aC`;wxHGQvZOcwm98qn`kDwvW!Y4Hj^s%1+SKAZ zbczd#*HjIvFYJ`UZ4K6EuTc{4MlQZAjZ(gmT@+z5Knr>9l$d^=C2 z5LcE5NjWg72~~Z5f!GW(^voH+@b^Y3XKY05&iCAqR)Y!MfR_&@$L|9sPbOt+LE(2 
zRM0X!bT@ZZ#}dDBNo+#4Ej&X@2%LwCMu{_GzQ89~N#2)?^a?+lS0~Nxoa&SI73x>- zNK1wG6{kT1oE2e*{9#EP`$=JZa3Niiwt0{w_E0HsV8Fo#H+({Ss1jS4xK=17YOu2J zT^|&Z7!L+ApEOpq&B~wG# zQI&tH5Z2m)FLF9-E%q^$x(W(YykIW8_*tCeif&B!<|KyeqN3BQmN^!Y|Eg`ERA`^H zLm?kjNKMa}Rp3%*tXTfe$T?h{p?a{l(HXmT#e7)$3>=z=TEPI584YpG_h!OM6g3md z36zBLgotVuLy-Ul$`gO}c(~{uiUohP>+fX*_c|w&@slBxCz~WOaOOew4S(mV!zLe51kw@H-6T*b&C+L8}y3X zA6~Ok>c@J==qZQ*7qve~QshN7d{n4x$T=)s`H%pJ6EEDrk$*IoE0UAB3-6(39GsTP9wcb;1X8&R~KJL0jy zqqlza^e-RQ3*@!u_Xg_Vz7#O5oL5j%45qQxL23)`0Vg|2__Y}BVKv-Pjf+mJ5j)*b z3f_?<6@NbXw@T*jN`LO+YQKVZ@b+;!zfKJ^AFa%tzRQ1(%>K8wBcS|`m_tR{`jwi{k4%3NIjpG z;C2lj@&iR+eDKOaGcH%)hg|8yJzhX(@sOx!>x~Kr5__9OfjikIX+AQE6?U;G$Xd%` z##*oI<9YevOUAuXM0%`4LbLeav=pt>K_i`d6yVVPL1<8X(2YSlI($E2cV_zZ^G)}- zd-gAeiTQC7!1LZH3)c_G53az<<>+yJeuO{j-8g`7^g%b&$v2|6>H0xy)8&HEyG{h9 z$-v49`Q+Ck0M;F&@4=vQz6*LUMQKlhs`SX$=)s_O*iF+ME+B0P#PL0cC_k(Xbhl;` zEfzlg8aK1Eti#dn)DPv6MKnLk;^1#4s~S52XRjF%e*%^yzJqozXYiDJ-0iET0E8E6 z(LN$|%B;nn!*LBUZ}N+3QQxU}=GVP;izS)u05vNAgw7QuE@jI5M+TpdjQTo89a#uJ zRWPnB#qaC#v*Pbq#U~9)2}fV}UhJ#%dVYzQ6ixtEknbC|SeY0GZ%RJXF0;jsM(90% zTCi%C;wzv*0p=K|6(5jGnIN_wM9&OoNCWf$$P+dFiT?`hL{=}X&eW5hRD3@za=+kJ za13e;?cGIxBpd&xyE(MVP)<*QY^u7DM%xGSipE2~kH>q{DDeE*E|QoE68saF?1Nvz zS|U4$qv*u0|OJNC9z5UE$B@0-EBqvL5{%J0(9t+*{4(7)UR->MttNRmMw zv&*^b8_Un8jy=FXfDQq8O{GUM2fp zzraN5#|#&O6anmaVCPXp+%mgoxl3Z{Z16K@^S~lE+KGlR6?vmNF)d0(p~?H6q(5*O z$bJN*b_gYvI2D8xFeyS#fNJH!Nz!XvpulOrDjc)LiXsZ;8GZzLOPpCz3lMbFILa zEASjr*%_zE3z+xkXsPxsx0v2TD9Y)`Z3nEQxij)wtO;9>S5^&rm$o+7+{Ys;bOI5- zE{T8FK1-h@9=Tf0k2x_yuoOYFjICWV+E1->6_7wC9jFML<*ek^L->|+moLtX2%6=c zSo2G6fw)dzAofF($A8;8?5!th(^X&MH_O7z?!GQb*4nqdO_zq78tDcrT$rq+DF3nv zLHhEcFm<}{rF_HeLXm_U0UL5C7iG)SkDW9fRG8GqD|&7%%yPIV7fJN!h}*>gsVE}5miSpRcOmrXS#J^-Db1j z1q8S)@jZeF&FwJkL1rgO=Rx5%0%vC=Ab{kI1ftu3ByB}5!`<@184oMu|#H>_F9V7FV~ zW}2iYq)rZvIizmcbvjrJA+^Ko%0%RCb(`dBvQO}*6|8zf+$`U@sI@r6&5~uBsx zk<%Wma{xu&n6_V?SWfG}3aM~p&C0?;G+543d60rMKT!sPJT6pMuQ2o0TqFQpYcqEf z&7JMqb_7*^QL2Fil?lp%iVqm1e!~S`K3LHKSP7y3p_RdTUKqmZ2r$}PV#&l>fNK&P 
z{UOO1Fkk3KD=a5I6ht3qyw!)fBvLweBy`DjrOWSfDWJ|UOWQ-UP*XL{3&RB^hf5iH zH+0M&b(U&4Fpk1D(e0D{C1+Z;e~8BA*JbZ|p+ z2#4~E!Gnn~YaG^!cpiHiC4F zf5#|EGW%JqpD0zvv_rwW%Wrzh6Etd>7#tc`Yyhr5&qK^U_Ux*OQOg1u{AH6o4`vCQ z6QxDY6dzHxP1ro(fdQf)rRVI~twhRoVJ{ao25yyI z@4NCDUR4tqFVDYBQ;=JkZGrwF4*@_@$Laz;04NZFl9T^-miPQ}uxyBF>iA18pw7Zn z@!7GEm3F}ggT%zv9D~yZv+#a|s1JFQJ-yBj5;ZK_C#%>=5Ce(;&AP7Zx>?tCy;av+ zbX98hCCqsDkc%^DN&BBP9zRUF;f@0onDD5XAxZl3S)l0Gmr}=iX4lS2iNR%|N!o%6%RYg@``O z!}}}?>xVtYnl5S9J#fm@3+eD1^ytLga{-ambkM$H_>J*F8W05ya2=jrpfC7~M|>CD zFDkwf){5fb^SwlJi690D5nLdiL62{Z?p_e!rgk*_jI@3!2^ z*W0JLk=nd*Y)FR2!+Wh)pFBQ-;50Z&b|5gX;X$z(5%!lF)*(#wwJExRdzz_2ZP-SdbI0k zzsnas5eN*<>BOIFUyFTi^v+7(Fr#_X!kG{UA;bYbF_Y@xeSPpvp_jpXvimE$8Dj%` z5_db{$B@hLo9r|%@CGIy4_eA9(`G zzKyVDAE0WRN8j)66jF}?g3K<5w5xNa1a2qjS`2ijJAQ3GyD!Xpx46`)T#W7)WiNUe z^K6botB2A@*0+V;f$rgb-^-obbU8MPK`#wvT(#XYi~p8^??-~DmY~pTJGTX-0rw-~ zl~Lijs-H-);|=q)>LRC%dENEFMs;M*N@9;&8&tUH`kgU3tH#(TG~W$ojW+Jj10ed; zy18W;&nwd=oOdIgtVv=L?^Ngnka|Pvu~s-R%mcXPjjjPO?{(wL6hMK~b+7_0ThTk* zm>mSEpIX4Ai&fUA1FaVFvCv&|3mG>0j{8`oktDVo3L^p6pf)~cF_7FoLgCoI#itxx z7nyno+jt$~5dNtOlVs2oA+Qq3o%yJ7X;82+w4&R{_CsBY3n7bO5bE&_LiPJu7i|9ep+5f>10RJ19DivcNrR0v8&nlpu9mw8 zE@s^`UDXR-RZsM5${ir-6LB;jL=|j&qIe82;*+TT@%_l~(TWdLa9TGE1^>=xq*21y zf(B*wR2foYvFynP85X$k@q^I4Z!?s4j6W;7A;C{&BFKli%5pXVj=N>v7E?TT7+MOK>qQ28(vd66xV>}QqDYbVn4|Da z$t{@4&bMA~#z*j{rNYwMw+F)Q6|Y!#e+4i^<7-KzChfv>NEgjMg8~IWNEe_nH$ehY z&<~-;cn`1vzeL8Iyk!7*(=pi=IDxbx##Pu)lLtnGxF&-v_C_UZ1INs;wpU=xxl2@zBzlOTW8I}^EV zrjPhmP2(|@t2mm|e(O!)mK&sP%t-7@5Z1I{%z`FZ><^5XU@)_0ZP0PW1Q+(k z-~gc;+UISH6Am*y4up>{?h^gOd)03Yf~HPPp62b+=SQ)3Y~MrK-T9EqAp3I$;Hkso z0}So=6=?9GOMI}RERSiBBpp`Jr9(5?B&{!OTpMk$ua_W>)dv>)lG_}*%D1+N@TQmY z`==`uEAWhFllu(|{K3lYH!3DB9yBE}w{s8aWZYtsxzJI1q{Bci&|5nF^?yiocuYyh z&0t|tk!lk+Qv(Ix-P8>CcCkSTZ4+=V0BD*RLT2v0YF4!%s>h_`^g%kZ$YV4klxupi-MAbcFvD|igj}$TUFFeBP3-!NpX^LQegz@s zLZ~t#O-t|YS}uo?C8?Ha&$)B2aB3wmmZ=h@D(q{v?C8<(Fo@==FPk5Y6 zZu=2jq8L3onu)md1E738BC02Ak(@HNDQ8(V-gC$X`n^&4HMZ&(vkpxSQ$QHjIyISMnN@{7WGyFIcP&ik zZXIfB4 
ztCvHD)iV-mgt?4dH=Gfwbb{Ax*^7144$?8Fbbt*)ykNj>Cku2KayH2Ql|g>Uc}2NK zK!%)3_*98>j;xW|_;Wj&3th;M0DO>A2)vT?jk1z!XG9mRj^~zg)1HWITtGU-s|1=^ z&jnsXe_xG$(B*!E(ODX2Fq`!S`mc^UTQY#7U|`t0tyzjHX9;$t}~lL)1PV?lkHH-bnzf z94X;ipMG!;)Q3Ls4U685!FVl|cfbs7r`ieqFritFtj{bmJ6|RYmR~3x^g{AynH*i$ z^&^1JLrdk8p7gGaS8mXJN!;{t2FchPW_^cc7H4zh_HvC0HVaM%eV9;zzcGnlB(@42 z^2+-BqI;NDt9KdXHWYrrp4u$A{Z_?;NAIzCB_Dj*GLSL(Q6t#OGc1X@Rlm3SYA9-{ z=$L?*+6bi1fTq|bRi`j*W2Uqg(^jWhc7t^Uk`+DE$0>8lN$7s+xjDJtDzH*Z0t1qz zC{Ra_i=$*r5ffZ&RF4AMiIJb|ae1JP?zvPPhz3d}Jr*t9juz(@MDEXhlXLgB1F?#@ zDWd1Ci*%FT`*^g+%AEV1AtZ>KpCnGN^Y6aI@7;H&=~F(~fKN*Ww6VuU4hrkOkwpeZ zuHB&0t1IfYjf%-%AW%lUA(G1d%P4zCu-Hp(gN^`26}?#8dTt|&SBgf%S`LJR<}g5r zfp3Ne%Cse<#KA|^$B|hRGb`WB%}fK`i^{-PQq_yXq^T)O9|g*@GHC7|fF*$7j0zG3 zkU;sx4E|OrTl{5NNh`i=y?`b!tVhZMWk^ta+MdzUcXXwwVr5B^-^sdVjge)nYdtHI zXSpMp`o^rb@?Cr?z8w!R1Ti|hQG{)CM*YJmLNh`)LcO8VaOw|7SVg;rU>hjK@j?LZ zB^*)#IORX^<%Hw!SRse!C}|BmR>Z)6>U07i4YSe^Y`O_96rJ;K`~lQt@6knD7VJh+ z9?UORMz6)N0B3Uox zuhxyT-0-a_6-?Am`pdcJ6f%D6ajN>|_87zL{@!$^`z$@O>c@{wt@wbI zMk2xMHN4(7d12b(KG*?g?8S%hB^E1d22ZTT6U<^e#VFmyRJv-Be76y-uV^c`mrTb7 z{pJ|$jGy&7P zh1You;}hX<54RW$O;ibd>g;>ICdDN&zf4x%V}u}RDQOu4#1ixq^^o|KV{+R2Y2e>r zH7tllt!Q9g(ffYVRTdSa!DcV7WmlIn8b#8yah{9IrL0uKQKZ}#!T9f9?*+H9PsqIO zO}_(h(brcI7QUBOOPlh<%=+S0->7oNUuu?H1ZyLt#cu*D!`bxvE;Gj2!4 zjO>0K=7?V``xErR#PHn7i>B6 z6+td%GI^=gP{BIm7%Hm(AE(HOwEZ@3l0zN*ubldjx#(`2(zHQP}PcpPixxo_JsQkg4R0dFBow51%o#k1kW&jdS-a0`9@%o|AA?gFfK)b0+s!Q09|V? 
zvQC`j5(xG`3Yx~WOg*=~H7|`sn!^xYUoi8NJCd{mDIasLD&P8bK$d*$k_3Y<+XN?q zKInM`+6r1eifM68+CqHGjAa*6*sdR;WW6jQg)Be{0S$S6GVH?`vc3fvQV@P}f}gj4 zeK={1Yat1k?&mFQ&b5UW{Sgv-sv!dA^m!dxmo429X??c0@4bp;^y z)%LZi(8JC?G0h|?ouSL0+G$2H5$#zIm6nts=Ly?}iV%mP-$nakvX{Bd_WK{J!lZT$ zjjiYnQmS}hKnK%6V*v5}QyynWZpqNS>CcjX7-eA(*Yt$OUG|7U|q; z=b2uk(dgUurl*L6c*9(7nD?2!Tl&-4n=VP`nR1yj{Dncs7@c2oI_EFRR)6W)BeTOy z4yrI_2du`@FhYMIb)zB1*T4gd%4O{*ZKFTG>qEU%~n^~zwdB;krg9wevh{`!5X{DlEkX+LOfiVvy?Z{DSeZL+OANL9KLpTQ z7c1Ce6&Lo6Ux@tZ`~>@1uplac?|gmuK{SIG)JTBxNVR=1&wBKj!;1#f%b>_==GRH; zHAnRTv7)`6MOcQ(hHjb63Q6YM(%Am21%Q8n(K63xnv*c9{yaFle3S=Rl_EiD_lU61fsbluV^MbA#T z#qp||q!iO+Rz}MsO;1Ho{GrcRxqU@?BWxD`5ToZGxRTEAnh=?KYic#f&s8`-mEX!V zi)ZX2)r$QvaYpQi2C*3#a`X1Z}kOLMeW*tQx(# zYDn+ksydTxEK`b?O0feGRS?6x7NKnOeUdhvpthg`!8W`AxXEjJ8>J;-;A>{9M@rkOrp>*6`WOad}C=a(+>@tNEJ*U9kXrzl84VT0qU7jBV(C6++b?y(_ z)w7KuO-k{olcV>!#plVI}whAk@= zK3_TKjFu3poO42y52l=RB#=x;=bV&r$;mmVp~yjQI&#h(VP}M)b8d!EZc6nD6Doew zJ7C;T91h09)G>~}U>ig=V#Ekjv*^$vDrziDZ5K(Aei-pM`U+D&VJN|G*oId^2vbMd z-Zkwam#FbBpoF4xD_2Sj``R>S8L-HW{A;23r%0=l4hD@JD^8 zuw61Znl{E16;c>m>V_vs!dzhCzz?G|6+w-sGB8Y+%XuwEyE@oX`g;(NkZ!R7oF=F= zYE&B3^jNa@Kbfaa+T<8T6Glre@00000000000 z002CtFR4HLdc)3BfzKrW56(UyVb^wIr+Ta!7{PFAnlaZ`U~*U*&o}!LgOyZi`m?N^ zhlp{tlMm@P&tUtSxe9nV{WNouo2@h(EhpYTJiy|uar`~>564;X)*8?JU2>XzpFnKm z*GL`D4#{HNNY8o34kk8P1<$xsS4RuW^T>#Zn_Iq+f>)4oSEsc=5HT2k097kfk%xcq zysIfB6RHO&FGi=WC1-9MZbrP}*inR!kjTertrBVY<}+k29t(E81m9X1;^9fZjBY)f z|5Q|Fd&Y?7VLCHj=+E|ms%=&Ncs>3@-1lY_H(r(l4T-*Ig}$!W(rtnV#(MF~`YX)8 ztnYXKN>zIU$f)Q#=vqokS-J!H)&JX&EwC7}jLkl3S1Rgm_P7#qy*&RK0#FE;SJ=Fs z>GO>~7`O zm*%^}yI;PQL(3*sq=LjBqLnqN#ICao1}0R>l;S2pZEHC1)z@QYUIhzJaX z4B->fhiH+NCA^$A^t#bS49=cXKE5;2?(eZtCK#E(E)Xf!D@{4aZ>8-mntuPXrZ1)c zapBhw$|G$+dki|6M!hK%(XI4cckUSu$TLY)cMF>1hYZNm$H>>$45RBog>U!C<;`+G z9!>Oo;Pq&16CWPf5sa$fESgX4dX?#XPSP(Ug=alLlE?#klZxR}rb<*oQnA-drUu(2 zrJa}JkYLB@PT7GrwVfa?RBh~a{8?ai$hw{Cb?(9c{A$|BHXDqDz?!gK5lh)Aj=79n z;jlD#yLcp6#Yh(+x4`N7!)NiLM;sNffeny#wBG`E@&G?+Ceaz^?Yw4@a#`Vq%1s^t 
z?o|E;g_?aj^uEt)PJg<&9KxXkGtn1TEE2%nL&%^Vg-S3&Y?;Feygjrb=~$)XkxRso z-Wt{kr&ej9D8J_O`<9>NTYC>tEA=S8B@@GCZfhnn zSB$gD%vk`AA8OoL*CYc`-}~8;+4}30%W4{lQy5$bVa4TZv(xN~3fh2vGvwZn3NI)S z5en-&YwOH1ltGJgL7+y`LCgEirA}zPh9hs zfU`Gg|7tG^i=91z_wQ(fSlY*n5EnZozmO_TyxCWIoNcqG6%$;zG`*$L$X}=NC_+C& zb3UdpJ?{3XUXp+}yztz*t&ky1sVPv#BN7p9x=*kiL zKczIblKhVsF2;@4G$it&Yb+g{A-+`kNnpPUP9rH38NR8-4d5OKw7Ke0dUbrfAAd#0dJoy#DHR>RXTv>aM>BkfQN#FOPu5w;n4){sSat~y#i`A}j+glUr} zmIOHQT2%IEOnUMM6C1BjwDZ3ymD7vlADHI4xdziV8SVdO%U6E`H~gZ$Ad4{0 zOCk3$jFGUkyJ?Uev=VM_dUW5sVoqy2k|BST4EM7(Pjw1?DbT^e_uc@57Uiauz z?@&zJeF2d$RPFca>%o_RqGsKdO6#`TgZ@>e(K|LIpvsEhgI*a#6!Q!(N%g!~00M9`tT*ST6+% zhpkQ>HHYZQ68#t)b_nREgL!|{ZJ-sQ zqyA*5+0K$tRCvgQ*Ru9X^6M`Jjwuv;dMkf0X{Rsb5wXdQREKjX;|-OZ{l)wi_5^`E z!9nB|tkDNDAyq$$VA5<)=TUU?0J7_fyM=jwlWq%Clc*n_T2;p%%0u#VHYoXHx*;Cv zMwv$P%sx}IyDc+Q-F%}O?SvW)mw&NS5uvp2+Wt@0)JxIb%6Vrez*R081~X9GauIU$ zl5taS)Zs2^GkXwVDNtrd?y5}`uOlSW} z)z)6My|-g0Ey^K?vPf@BG#OVhj|j`cAQ@|Efn!$uPTE%AXYk?XDY`HyBVQRr9No#L_)`b9}Grl@4*!HjTzJR~!v?Pg%v zWUH*)J{(Cm>`lJCvS+c;KH9aTIDAK9_{G_v$W3xS^tww&_<)5Z-Zfm-^IUr#VvYW8 z=izo7`d;U>M&iE=0DG(TP4eFB4j^=S=CoBgafv*RVJM>KjBS}VWpXgY zc?%qnG3vjI7MQ~I%U=+vN$IBjonf%5g8=KdXG&-}^KmAZGN0K8ItnJNN~6_QO8=KL zpDXM15g_O~Lu7kVDhmP9Gyq}7k3 zhv{;isN=KasI{7$)~=rEhI@>HW(P4^!TW1HZ<*&hx}jJE9v$H?d%W6tI(RJS*oh%A zGL=A<1WET!17OdpvTexETTW019!H|;a;X?|i6Axl;cjJqM#UNto|O0u=iblzG;h#9hDa7NU&E?TQas(~ zeYO2E*aRUxz1s*UdFlf{)AcuOuEA@EJ4+`_Zb>h#`0Mmc1S4sqHQV&R4xlq_d4_wr zgd4|9^##226M$^&@_Sp}8fnnJtQZWxQlUVj;INCw-)QpmA!&d zdAfM=x+ufkyzx#FEO0WsDLZQpBO4l;3Pb#E8`8Bj3B4wlWfFpDR)y z=k2zTJnrDFm@2KW;~!8S zRu6fH@xkioaF~$9bwnXl=^evXnR%*cU*rT6nC!O|Xz7v)YaD$bwK*Rge1LmSxjDp~ zoP$<}9Hss8UWL1dN zFTUT((DIcnEHJzl@^Q5T5yk_EEzeh-E?M(;mjMCIXCY?HjDg3c%mP!URe$ zU={e(^`{w7^ia;}5=cw}<`n<-gYecXTXwPaVIP6;6XySR2V~QKcrmuKU>ksZLD*cbrh)eCz7aeNq zlJuOeeDi9}pJ@lXiyYJ?03Y6^pFyM;VK6?OYIpRPmd4oLJ?z9$pANAZErn1v5LTxl zph{F9MGljvjbptjH8agr>hVM3jI$@Kw;vk1t25=ZvRt!p3nDXwPIZaMIybQW$1bsc z#PZz1k`WiMkA@tupPpW9?$?)RFnqAY(^niN}Wfz2L6gar9etegwxRa 
zvu6$YMly>IMomM%d7`K?iQI`o9WOlKG+P%YZ?-*tS;$`AfiIe>@_Z?#XLUtF7X_${ z{4K#I+NJynA-2TQ5f6bh&Y3>0!8rO|;qS5w z2HG0m=*r9kjap}MY!LnBA3OM$sWsjH1^pY|WsD+RUqO}*{!#C-b4Z|=?VR6;icJ$3 zm!iRZL2ZJ6qm==PF{sDwcjQb<`jTHScUrHJ(DY8b&a_jJ&-dP#OAF8}QFvk4skbQ% zGx1Iq)lxC1cpuVGBks&IqdFe;zNT;ve3pN+6nq09QK4b-I`ZEZ)u~}?E*YJ7dfrU= zE9HixuZO)*p86Y%k#|-^kxE;aibRmp6kQBxWIUostQA`zfAA~-g_*{M9URUe;rdJf zRklwu@Cr8l78Bx&Cq^Tc4GX85vJ`unK0L`DCURfWVpAG%)ul{Rh7k*_?Myn7&aGL9 zQ#dZE&NMxFrz&fN{#~~%AWi!bbgpD6xJ1>AHPlYi-Rax?*GhzLS(eVEy;C`MTZnw; zl8|4pYkY_J-~jJ~e?rX`awRhhUfX{J*3e z_|)yU!O3~Ed3gBebBwzR$NXjP^ld2XpiAQQN_Kh{V=0nK327GQ7tjx3Jy=v)H!|Mw z(dai?#H#N!aZ6V!mL6%@z~E(N8>f@^u22H^^!W7nT(3by*Yiliq$_){rzN+QjuETP z1G&@A1T%h!S7&Xggaju1p0>xfW9&>jI2aBsz&ef88{X#HtTY^(=Ev~0FcP1L`CO!{ zL@>4`jg_^Q%ZF?;KR$>&f&^IriV?{$GQtwf*f(5U*W%-2ZH>m|8OGwzuox2{bbfqS zfE|c8`Gf%(J520zf8KW3R-2N&GPvz+!t51QdC$e>^z^xA!D@#I#~z2ujf#G(bu>bK z_~^kGC(OQo+l=m9aw4a*?^T8;##Bg%vu?NeTV34&(1oePe!3TpSfZZguOKxU`$G6L z!IOYNb@H4o%G7vSCPtcLTaBMzB;6ub-i*lqd2}njV6lgw=*Z1Lr(>k9y!A$^#ZJn> zpm=V^3%mB>u91s=q|Q2Ufrh6rFsTxUrh%@WfO%hG$OL}f6?8npk*gR;UqF5Zd;T1s z4GJJh`p`Wamh6Y|_fjSoX6H?0JeB0ts*TpGJUtwYfP^&&&KD=@)MccS4nP{pk0OI5 zZJ0sZsqsOklW|iV-&c^KyzdDam09`UXOQvT!|iE4N8FE$yfLJI4DL7}8@3XqF-_ z*Z@>5lDGyy(83zms=*{r5W5o)6cL?WNTXb|wBLPwgy&nF90kXtf;~UA z^uKW5Vp)74nv@nlhLVZ$y3o8z5Drg)Haoi#b9k}=9yUAET49QoanXQQ7fF*;xG^pY zE#naR21%s}#)a;e#@n3@9XBUDmE z>#zseL(9FW9FdUt?s!OZKX{{5H5f)dALH7IdgB|=Ak%%MW4%KEy$IVB(O&1r<}wo48* zh;BjiAbOepL>s3Md3AH;7g{hg7K&Q~rYgPD6RUHnaYSXRA0+IZFJ)>}*yk<#hFZP5v=9%(v1u5;XA^m5a1`^q*`aY)T>o&q9wVvP zP=opzs!WX^l;DU*JHF#=VBJ%tsC|;?)e0`gMhI#nQpc zYtLKnU9eRSQ37G(ktmXcM)5-f0ayK+A3J1MuQCRtu&73|!Yn*vw%s129?Y|QU~RB( z%(0&C^I8VZ7UOY3AKUmY)61;-Z+lCfkW;_s03+H;h4R!^iQ(;3{pBB{s zHw!|#r&W^6ftbid{S4_Ew#IMhsJrD}MC}OsuuLYl5$aFjW8YC99$Z(g z^Bi%#)+azGk>m~9u60Ut>zS)Ob?|KSktM~5u*Ipch5cTjv!LCHquJ%Uf)KYKVhLdj z7>1~;4mv0eF#!Y;dBT~~Z9)Ajr%9QwR=YS+Hn3fsA0IXn;Y)ZPU{W^m*7~4*e^}Ea 
z#u0dM0A4YK4)t`w)!RPkndVnJwCKP=?bc0`fdwhBCCD*6L~t*6d&FP4Ak~f)`CWUYw@Tmku0TFYuG&yR)&=E!Fa@kcbRfOLFUitsWHUMl*hU z6mVZXZg)OVHy&=Yh;hx4GO1^O0i`2&$&46$$3Ltv@w4&QS!-{AA-BXlBJ3w!7$_q5 zCv5oO72H5D(_M*3@!)M)P3Ak{XO8@({0^#i;FiuPpP{A&FY}Y2o;Z}nk~0J2CVpS> zO`B-1s-qT6?Pf!W91Z!JhvMnGxmQK z2Vqwd2ytFf7AmmHIs4F+7+k8F^fW5SwNzh)D@MK9c>@!>d$L{OgJcI5cY9sQF^QIw zKbrCbB`uFBm7?<27;%vuJhjme?EN5p%X^T0z)^wGTB;1U9K<#iIC>HQX6mCRQeCW<{?ph3}xF5($U)ky)R~5CJ)FiI{w<<5x$# z$w#Q?U{^n&X51GC^!#%POYT67e;88^SHIeo6iRqMgz1e(>G_fApN^2$D=G3+2w)OU zHGv4hG{H!egyn>d?tsykXSz^qliuK*v4DDu#|lbQF9i_va!)TfNn-~3H*8%&bPB_G z??P?b<-=3*)$${}VI%Q+BL8gK;7E6h-6SS<4cdTfrZL3@4iN053(JKT6&A%K08w1I zB?w=bxAoAvrv{l<;j57XaAuDiNB%S^`VuNKc`8@h*qZb!4Bf=4ozB2dm?`i|kJ1r# z*d}x@CAV|%d<)>CG-YE^ml9}z^T)n@4)(c)HK}~;?%rme%;<)WYD4;JJI@`)6xvLt zRFVldI!%gdZJ@0{y)9l_v;^>9C7gdg6a|u}>t?KdH6R=9HLS$O-&Y)nwtA8(WX5pg zc~D3$aCKFkSg#DGBwraZWE$j{-jtT%nnlQ<6-dV2p9+ZXrzklIFvV(IsD9|}UZx1# zb(N8hR;aEh#k}(b-45rGCYDOIMp|kAanDlA?JGhU8Cd}`lKM*zEsUbf%YOFs9_Q8E zMuvur6$Kz?OP!J(f}0uiPAZezDxGxCeHMK!K~G7ERf2=3rQ8|=OX8XEEb;+B^(}3Q zyjJ0*oAAzfWY-t@5FL)>UPhOyggpj)E3(9p!^%oI4W-X=w>dv8B z7p1L&i-8G++Z>u*q&o2k^DvRb zquQd|b9i1jFWCN7pu-fY|2cCKpYiva zI5`t!Fw=~udh$z8nfeQsGu>F*wQdCTXN%>dXvtuaXb;}7glYlrqc^#*+)_D{I-zAU zZc;&2Q?Xqb1m|2#5JYNa|CHcTuUxZhxakyinwngl_VbV`$DHa+_1Uei6ciJI)|A!2cpz%2y9 zgKOMODO9s~z0F|tc4LlMFNT8*95CQ{bs0)ZV@$Cs%jdvO4!0aqA@~+ufP^COJXqtE zG$Fh=2IbU$^hNuAv;#*E&>IwiNy$DJmFbIs@azS3-g8=c`5q~Ym7GO2=0M@+iMuvT zPzrUa`TB)^h~75?JiT6Hw@w94&7CZlvayW(LVGM;ce0ySGR$-_CRQ939yLY9Hq_Y# z#NYZ~d%{e-c)9^&CBiS<(}$B(0%lXMU@R^^qppZ+(G8m6;IH0G&V!soaY6~^B_~Y` zQl#HkWn=lSeYj#f#enTdi{RI;M~_ui%pffs1kQGpEG}k>;TIMgGBz?`dso4yt7#oc zGLs38;hV-)awwF)Ds&LdC$WO{l(pU`7M9IDv3h&margxo6s z^AcW0DeCfM)j-4R$cbXne=tnR(9Zqf7!Y z8hmT#&n$1>Ebo~ILY@|d>DOjmS#wPOfjrwcH?DVU$cK`2N5bIHQIx{=wtw*4>X|~I z1Q#$hH@1$nwol)Hfbyg{9E}OP4hU}#XSha`-h=l+zj5vvDCd&;dJE2%{{BNhoX3jf z?M;zTPuf@Y*LF<;r7yj7ZtL091&LAP6Bly%Dogwz_B}#5io?gRy7E-)*Lg2r>D}}C zq(@r#@(~#oSwtpHWVT|KU~yW*d@!VTE<)$sOQ#2@42hsq5{b|DGf>bZmHo)mTm-sL 
zO#}+}0^iv|cV_qe`aDDMghDp6Gen8Do{YLCdEE71-S~&idmI0#^nqLt-=`*;1v8*) z*LtRMWLh_Lxpa;r_ZhspyY%7`p z0nXTp$rMv)Rst|(!sip8- znzZKLae_QBUlwVK4oVr%xZicnZ%Et>aH2TVXdh!0fTMxy(vYFf?2G}=#KHG@5bzt;?FtVn9ecE^Q{QlPq){oPivX2`quM2XJ@*6V7k zlu|B~5*B$rHBo3!f5cS=J+pJqA4hex;kvWdyZXkv8sIX~^58k;nnv!ID@R0Lv5L%6 z$6vb#595RlzAcuANGtrQWjFAN1T11vPch%UdcLNRZ0;z_g+f`Y#3bO2IM(NUMHrVC z;8j-%j~qBNhTj!8GIq}JdJe#$2T5FJvco_u7-F)>&fyr1b{fC!BixRUy_d~I^hs5- zC?s^XKTcrAQgLF|9RBU$EVUUYG@)IUEU7OE!kv{IRR^@l`3)6kU_NI! zxnImCON#S+cjZ&OtcVG4- zl?UxAX49>dmP%}iIyM!N zIE7^MHx-t+%J#LQNBRl8)@3kX)dbD--Mq;@5V)|sL!5>-nO z$jN9$v=2Yua_cTDxq!w4;F~=TW10bemjV#A=D3f~VPIcFsc81G1ho}?m#6FR3oki) zL~qL(-ENM3iegQEe&h*2nW;d%7@{%%QTBe`F$VH0m@jYqPtyEfYFhWfWIM~95Z_n{ft%#p6JLX`j_ehG*-Q;&E97_n_v&p>RTey^aegcclWIrs zGk@5)dI5)P`27$x7Gb39&f~Ji~(MQ`l9PDl_f;18bU3b_DGGNMXCA##FA(l0|-MG%&I$E zC1XztEo1!i&o+;BRTOnRT!G+XQI3jsSm8{jI!@+99SCZ!sNpwQoHJnS`F_jOxS353 zV@Q94P;hwPMAUmx%5Q-!QX}W^cF~PyG~Z~wLO50S7v1tWC+d(Wayo0Qk&Y~c=snOr z1Y+o~?}jHx1D`)Kh95k)E9ao*3g(&AjNGSmCN4mbFBr=Bx09FNAD{%W)CocI3;Lvyw>buTXt}O~GWB>lMz7a^tWBE%DXT@}!^lWPMk_l|r8fiDk^*h?VtR(OWLVoI z0xZYf#?ds(7;czfu+r}_qsAlGRuwmFT5di6vc7{w`F}7Kd}HE}``z(ng2=`%ddW6S zZ}M{AEcbX;SAS_qkyaLHuufbt9ZZ4x-=zAk_}Tjrr$O#sBW(!5rxNPUcd$7sowh!k zq>;{U6yl`kgkh2JG{S$Wss-=&5p!1so=HvTK!ox}SwFrbJ2VYWG&zu)j1|dp)(nh+ zHSj65pPY*gk^uA80^o5!SoOXK!jvc4eu<3uE(x6Qy!O`I&lxyz64dbavu+GPQg6Fr zwk>+FFbin_kr$!=VBWeKF}unc>8f?iyR*r;#kMv$@KOvF84Hg$rLVYWPH+6Okwte? 
zF-D3Tx%|?EQ}i{=5Qzlaeh0{eE8+n#Zot7E`s0VkU$`7S-1o*Cu{4>>quW@~SfCTs zc$O|Pr<*%?GorRgcd!u1)9Vn0%5=F{+*+-<~)y-4ZvR`K*5P7=5=dNFv z5M?RX=bK@Ww*)ecG5n`pkqpEf^eWYr!b|s-sFU4Rpb?8B=7R}H^Q{=NP@bGHbVT3g>+YTACFS@Eo@9#JdCldZAM586__Jt~VG)yI{;-&Ph z0LeN&d)N5X6X0S54hh2~E~a$B*!7!nUD5itl^1-QTQRkqaJKa!T@kBlzKiu7dX4&U z(EVVDxC5@(d$Lly*az0#on`h2F!|85mD+FBf?Fw1up|&+?xTnV&~wmTS+-Xm*Ijjz ztbYgN(mgr3#K3p)v<^$0xkXo^U9l~jww3J<*?8*1E@}xL8tZoY{F3h*3GPwu$fnNA zU@nS7=z%6=ZLAmNztqTiz`)vs*~OFrSx4dM01H8$xGkX~gOWI|PA|kY8=2i~xJ#%v zoMWOHYCMVm0o<5ADF6ci*KfLl2es>ckmx<}t&`*u6SRCM+tql?Yq8#>iQ3$NsD~~B zkm|oKs+5Oj`nt|*cY@@+9DL$^KD&a?H@oXwI?5%XD0%az=oSbbw>RuQl;|* zu(Q7_It+Wu%*FkXR!=UkmyVfF+vz1S(Zjq@T+ni(B2m`*%lAvoRnjs7772y%i$XFFZ6NTwMe-eW(eV~@+i(#L-eb$kR+@e1dTSWz0`P@D+Xqu-3- zScyAr2&yh&_-~c;Hkykp_`SyS-K5<-I(>9wy9&MR7~%0uq1+;|u!ZLF{EJf$vWyXj zzvs8#Xagk#pRKB+Q1yg+DrAuLp1kQI9J{qQWLUqZ0}u4&1|;))aQ>WaO@>~i%}`us zpapl3!Y7WIkt1-w+QWp)1%A!7i53cWy=*`5C;_yYmqy|;^XSnD-TLnIrciW`Sw~CcyDAZwtIv%# zYwO1Hz8Y8Y#o8q1CEobE+-Kd#+`rvZGUI%WLk#x304u=;{W|7iHM&P}Gca|cX)S7$ zc58}RHPE6ejC;S}hg0pK;gbrcbq;sf!*S-=NfM60TWRL>aF;irA=;`1)$cZJ6Gzmr zL3v>nk0xD5(dg}>Qb9z7IN@Bj=0SkoXTbX)tucQ6vLB{5+JADm z_T#6{<=XdzTcLS0%&cNYVIi0YSmXCe)awB{r*M$!OT;(H3Gh=sIZj0`yjWOg;B>?8 z0cYu$2kQ>5vN4&mw%nL04TPDTxgJg2h{RLzIV$VjJV@E>lO{kj>I~1sbQgDq$0BL~ zcx7g0I?`s;Z_p6k98vZ>klYNJ6V7V81w>wrm1YFR>^ZUIJ6!{uQOu{{3YCQ-3%TYF z78Y$Nce{DL@id2yxkh4gQ%(5U)l zF@TPzKg)2)5wcVFT+-f(EF&T}tUWBaID5$tb`XPwy-enPLCZ@ll*BMI{Y+z_w%u)P z0=cY{qMf6-A0sflhwQsYi}zM+u|;^`gh&^9X-EgseG4s0W-Z-{b~AHJYgj3LR7yku zH$ce05Mm+Fy28V8&^J+cWZtm@m6)S-fZyf;|0#@aitrBR?}Dt+n5F?wINYt zgn*lYu`@wY1Q*Zmgp(6qdNlTnL3NGuF9uIKWR{==o6QW~pwv2ZDu%nD2?4HseyA)3 zM7yLh*?F&eDkY|t&czW`0$VqAH1k-PPVRfA?!=3?1#?l75)<)3Y~C%oqzg4j){`hC zU6NZf!&5=}HI~D0V{w?<6uTLSgy!HQ^I~&*YK1@*qqULQj(EABrsu1dN77C#P(NP{Fn(|I0AdDVbJP7!JI~q5LNof<= z08GNJII>U~NdF3zp+K878_Fb@!tqp&&Sa~@zKg1)K+R5maCPPYv&k0z8!s1n3#E%T za#Y2Epq9?y1J>&|zdu!;12XhHBLr&W#1j;xwDGnYI@=8>^!7cIpH!1+8h>4$sPA?? 
zf6D~Mv)B#w#AS%?huVpSW4$uq`N{vtOQ`4P!!jqLxc$@jX_uR_(OUX!Xr9 zJ4Fdwd6rjHlt8w18ggL7FGyAV^-at9mB~wc2}nRYMp^H(+g@+_gYG)pe4jXnAeT=7 zIYXG+EKgZmRyQ3evIER(%-&W7uaqdHWsUxnMDDM(r&j8!8A~fD9_IHWZ0k z7%{X8-)(TDg^R|&{0ll+%_<|?3oZhWcU_-5TJ^dVkhhGGR4z43MzZ+6gf~SBlsW_D zI;4Lqhpd-^sy{Bm%JkLVG(EgW0J)jLf9h#P%yus2S9@>m5J1_2O(FuT?I4! zWTjnnPgy`|Qv3qz->OA}EAZgmcsUIdlxzr|%!rdtB+$dUu3X{p{>Oo< zT*f)#eW7;UR|?owbs3pCs4~g?Wfs(B*ICV}VJRYqrAvz>8y3O2F6+n~-M*j_Y-*2%Smnc%uucFOjjx@yx>){wB(=bL zYcqAX(`NL9JFs{MmF1hBY-yi`LfwY(Qsr*D!EVijZj{kIV8QWeerzfOWX(t`O>>}a z0B0=`QyyT}B{aRJS!d+%Z|5GqL9JS0g~XH^gnaSIP`GmRsnVnw00$>p;O>BCH}C>i z%by>kn%0Yhht^ZN$3&RHK#q?@7i9Yp?@t$x`aE_w;(UBpJ@r!kgBj4YHl^KN( zq{Wz!`J719^j_8#7Er?r1G0jXU|>jc=W3>OHHf>wd8r=2Tw9RZq%F7h<9CKf#7UfqG;|%G zB3N7_-;4`)P2sa^P(wmzm_3lW1}06fjwyXf8Of5KXux*mJfW8{9LhGIO4bY0bDJ`a zMVM9H)4C#G;qd|$Wt83o zYucAH>-E{Urn^=<3$(iua9agXtsfxt(wfm|geP~L5^2N~Imb>ueYoB7Me#MM*kt%Z zu#xX~osXQc+s808dlsIf^AO=Mf@vu;9w-k&n%5Dj1#?dT`GNdYfTR`tHim2a?XMKh z6b?d=%(TM)WfvV65(QsIuzJ*6BHXiP55+_d^|MVO%$kdWdwDM=5%tSyK*C16dmFL_#)VyCE-;Y-nP0R7C zFZ;O(jjr@LQyagXTol$HwmeJ>Gi^oDV6g0+U!PyC2j&Tf$;jB$jzrYhzmh2=W~5Da-Jw~u75 zExTOsX6D5s!(pI0)s#o^bKHB!;cKF&>|d(Q5<5a260_ip-O_JYR-UiPNr zMS$LVcMb|OfNx+$W>>Xom5a*r;gd$`d)S?z0#N;rPyel^h{`ka88aTA-s~IigQ*fV zL#J0Chh<{|)|=NSq;I)Erz6hd-l*EZaN$AdlhRoTfmEHfyWXxW__%w_U+D6JiM@&K z{^4N?NWbbhCyrk6!L`0OYfKY9Olx9g>Ro{~Fo+ra*I(o!{lR19Bt^oivhYIsFu`X~ zyiQmV!~#XFXt*yMUr}WDFPZ_@{Tl$f7h@q45kdQ?+a>+W1MxkRsW-yhUPrEQl7~7z z4ha?VHV3G$L7{z5Cjs^WKDQX!ub&lZzWVn7W9f-FeGN*IEJQ1%$QMkeA%+U4k zsyfrK(+s6U`?6x)4`>FKM7VVF1D6%JLYq@ncr_6R2^&xGczz$tDOOU6MW?X04@Whc zk?8;Le7s^jhe#XnlrET?VeW1VG!8!=qw?(?53uy9+7jfkKi5%0Tl*7+>Og?@5-b#^ zfnD&eatx-l7Sxpk8ZuZE4mAK$zwrr0=BPpCZVzdJ@zV#+!>Bpk;y<7a-oe|Eqb6Fs{x<)76~hES`ioDX%WDL@7FB1F=rfwe6=imt^!DdtU4(x#f- z2g^p_*9UnljTt0TtRwL9lziJ`G6)X$z4CNnD@%Uw70r92HxOcQcvWrbEY{5muoOt_ zc2+CU^5OfDm(T~5&^AU?uRrL}jHN_~sLYG%C*r{=g0;@kmyXAh82i=(xjd@<$FEkD zQ4a1hLEKdCY>qR*3v8%ZMrBT@;bO}C$mZ26(g-#l8_;Rv-C@a%?g)?P_eO}^O>%t9 
z7_o2aRpi{JvJNXVl^nG%9*bmfXE>5eTm@-Y0q6&66h5XJ)*ff42{PjK_uEd9G%NM~R}mBP^YQw)w!`!azW_T=h$PTRQ;e1!?vrxl zQn=?cRKPXJlC$E&r^kglpx=n4tgz<0ZRXMnL8?pb+9I*l+wx|loD=gl0YdCHd4*TN zyb%zkB?ny~)YPz=;|A*><>tHL_hcS0c=$wk5o_z3Ue17i6wZNRRg$MtLBVIh<3Mk? zta9S2S=TY*k%_bt<+`5R_rujdclD#t0s<@2I{wT^mtK(MKaN#r%@qXxf$>@fN~=^y z1BS8?A@$gf-&{AW2ze`2pX6=kl2RlYheWGb%`(=s(<%VphrZpx2)FV_HRKD}5$qcSp;jh&kaEK6k zWobeM{Bz1HbXrNy29_X=bS%7qLn7k3Zl&g_x%*u)7op54KYn7?5*L?in@xL4Q4FQ&f`IlATo-*Du}tq!p-p1}P*u2h#G=+dr9X z-6n;Ry#JX0zUO_}e!Zk}&wjLL5{mmav-lTCI9Q%dEm(}F5wK&R|cqN1%gPM#A zcH_kHMnn1j&(BN0s}Ih)4R+KZenGSn#|e{-0D)2uDxXR*)1wfLfP0od$fitPKmUjv zN>A4PbCW4$r3nq%uP^0)UEk>oceT1B81h5z{AZt^wVDV`CjtI#bk()im39-WU{)kp z4E1#Yqt5FXNwMoEtml|wGL#d;fGGRcH*7Faa`$=?|DuG7aVVUDxn=&CTB!C_8EjL& zmD7C^yWY?z066Cp(~8p!Ur;*bmpHY^Ttx=*SW_~G>0p}WQee@Bk>X0O=RbAJX50#~ z?*UF5_?>|-4oDopNbaat-J#w?G)uL3a-ok^4C9x-6pW`7K)O!b5(_}{Qubgl&|@eB zCs~FMKDHuXa+n+DIZPo^x7d``awQw@5k)O?QJ+j18<9MnMWZ1S8Y=>Ni zrR0NhfwJt4dk$}1j)Gw830G8F+LHpS8kN9zOOe%NqbY1T_2^sVK`y*cOOkF7fGXuu zaCI{HN5W@NKdx~c05~`+me5{=UjwqZrT%_WJ+taZ8~7e<%4lv3YRwZW8; zN}PIS`E)#U@YkBbXuT@Kf|ki_MFt|}{UslQgg)0uE*Y`Y1nte%wKs#I?^5ZZIau+P zhWWm>pZ)DPTh9stxin6l40YO0@*>+%A%dm**JIwA2UQH$q~lk>XqvFMDki z&VhBZ;NS@+z<7I>rH>YZ{+mr_9_RG@8FNRVt~`#oac+rfN4mV99z zB|F>_R>6i1p^RzK1iO=k^Y@a$DKsMw+r+~#nt(zim}WQ(ivHSzSC$CT^mGp>A* zIHp=J%@@0Gj+_&e;u8}y@TjJW`l1Nqum+ReSyR*{@gW1)%2l>U`J`EW0L6dyXra-g6MTXU=oB?z ze_+AUVBh%w0DrWGZw&{&@E@(dhrrYAKQ!S;49)2;-&v++b z-gLHoI8>(xE&KWmhHNkG=)R<~#%jUlPXS)UI&TX+kK`?nG7I=YXZyGH<;ZT% zVV33wW}~UAgArYZ*yo6FEW;s#?xGXMD|GR^*d#a}g4pKt9-e0}Lw4`mT6L*GB^aw6 z#8Q3chy}}xC+UY&0$@G*kDU>r2k=J@ALYuCiA;M(Nw^Sis^tl+lWshsA+HIHQ-pbI z&uc>aXM2~H?3-?9{(is)3R9otRSJ)xavX@xqJSDL7Q2E^vk}t31vU5M(bh=kQ)Nm1 zQ|mH>!*eI}Op`6niV8kQtUbN`f^(`_QSd^uQYI{s5MuDA!Iy`AhjsA<{8%QYAw~?D zbe}hiotxsbLL2f8yDR{w2<7%`f0`Z&7?j*?B{HIU@_Kzy)Vg(s*1;0L-<9tmc668h zW_`!zHI7F{?jO!o<)F|0h6 zagAr!jzJ-oXV*B}KmxYqg`AqbLJ^_*>5yB+tXj>sewjlRa$AM(<|;9AA#EA6o^x53 znly?O%&6OYfG$=GgLjz^GoI(arLBJB4Z@DzQ=ChqWl^E48m>rlj9849H|bR3ktS_O 
zFJY}5E2GZG$}AMvC|-s+ye%$6Dg)pvFn;F2fA*>ys%DUU!r+iT)J=fBrcv;HK0DgH zSoJuvhRJoI^&!I*b7j(>Dg56#TI)r`TNHI~;}bb5r5N6+mwi}rt|z_d(S-~ywfFri zU1VRntCBXL@^JOe9Abaf(aWnAI->3`O(!7~<+!L8!;j<7bX%P5aElZ@88krZ;^DVvoFY_(IHCV@ZXTGTVZ1|e)_5~qU2^6aXiQOQB^Ifj>N%!u zsVtxMJCp3(Zu%iz)%v92V7TGI;X`_vsOg{&884ROZzEr-aqXM|z{)!py}!;?A;@IU zJlqh@-z0Cxm-Gve33JH^PspM);RYk3(WN>nkACO`tDZjmbZM z=_2YU8`{8IKv`K-Ghm%;j4 zoF^SUki*xI*i0HHiDM7}v~mLKoXKND5Fl>r3QN^a+}TcYL|n1J+Y0eDTlaN)*}Meg zYu;^vnXh1gJv)4`JQL*RV*;&E9fFnkB_)(&6@dE%aa32Jwn-Tl1}O$U20&4-9Zh>n z^43VPBNfMdB6}@0KY5J$fMjdkv?{}~FWAirdsk`$ep-6lM@AW{1dZ%=wZEpeT)+gS z2*lKdx|w{Q84B&tYETgeEa@K2DnT=2T6`*4-c$ierK;)yFpkD&-{sdRW+vTZAG^wz z-)253+9Bl7+;E^4h+f*Dw%L=trPAkEK23U+#DbQ#&lE|Vp2KKF-x7*NCQ^(&BRGTR z%ZWH#XK$HCP=Yc}AM=FQ<|E=D3)GmVOVxF!n6h`D_C%$fGqA}kte_pEmgM-wiDalA z81t#&nucjgpXSZghcbyw-BsqL4k3Un=47ERZPclMxd zMmY_Ad+(b<#VXS3aot-sXJl^@e3=@AWXv>5U!P8yV=2TwJPe{4G9AdTzGpTJG_SR4 zKe|fo`{`JaNO+j9FP_biq1hLUy?i>;2fy$O_57JeCOA*TOeSxp@ozx0{6l0Sb|XJ8 z+fz=p7c-3<7<&2unQBF~qFU`o_;>o-KA`>N@%Vp3vJg|u&fK@S1YnJQ(3~l)&G-oD z(V4S7?V;n3#B*pY1@I(YC@~WR$cP&aQ0V@ZAp>!j9~2zYe5?+<962BB zj=09x-u%52pDgBR4blkS-GuB!ci0-*HZcc)yL@VGj%9Dxi+>o?eek2&nzcVpOLJs2 zME>#HzcYM`-r=)|`P9X~eKCT?xfX1TY82u2vX56cWS{y(ath`2C)D*RO-{q8FzQle zD1KsDUsaNHW#yI>`5w!oeQ^0CmXuu{tTX_y$g!)r3&poYonNCqM)T(X3(8aNaf;$C zF*;I}AIrKWmV+oP2Ltjr;EU^I@|l}EpG>FCyL!#C(m(o)PR=4xw=-!I>z*=ws(fOp za&{$6b}N>LO#Q;?`O$2eAszX~-t4pR7jtmQCcb=j+D0#8V=Vw!2{DmAM+sYkuYn)P zcLyjp|J>*0&*JxRK)#RLEiotRpwuvw{?R#K=3$!QmK!km)w>U2)K5s zTn3`&IA-D&|5-#=yrnS(Sg|zjasa%o6zg`Y_U1Dq@PM8oZ~uvyyNsgXE64&S%K|V& z-bQUmV}$Xoa^ga99hVh9?e@!`7ii1;1Xzwg%J=uV%3=n*oChBQ;}Hsci)Nr42g5V| z*KTiCg&K`WA@6(C;mpT)--sc&4aMh6yp9vLG-XZ+FqEjtK`HsHSV;DSsyhU*FmE9z#TlkC3?o!cv_%H%yqJ z(fzDu_Z6C>eF@p9v)c=r*FmdEu-Ut*iV(6jjc=E#Wp0?ON!jRCZ1~vn<#Z4#RM+9_ zOz`KTs+y)U;S>MsmH9;xk8N&r(DNiT3(9U3ZK3SS^6J}zzH|FW`377<7OzQwU-0A~ z3BQLptR@!RTbj|q**OVW0GU0WQSdKn@#G;=pMHWuK#}IkvPE`&o~1n{kL)lbSRj6a zKP9PHw9`a93&HWzyAtSHH`mQX8*$07z}Af-qWsb0opOcsDX(bZGk=C~G?rP-d|lqk 
zu)O1sI=|017Sco-ctbb}n8Cx-*qXD#Pe5m-c z*v$za33w8-3iwW=(>Co4qA#{Q@x{!ir`*pvnq@v4(0Yty+|*fG<@1ky@8kFQH1Oga z_LfpNm8zOwXVGcMy5afEJOa;OVP41TCM`&>NhWCrwH>4usfJ9UWP1t%-~myV$+guE z(!_=Q0(CxP(RX%Hbfsm2&)I5k`U(^{g4vVkB;Zz!EH5SNBZMXOX+LGRj3zykXb@V4 zL^kd$6khD+Ac#}{*SOF9hAT@$w8kIwxOhuz2zY~H(%H;CvJW2#_GZJ3N0If@ zOF>{ZF;%NiAE$I>xT;;6QngvcbTZt$Lfc?JtC9@HRsCd@{@5+8w0TfakQTki-=Y%P zEx9Nmli_RNQW}gP9w8#GH_t0;$-t(m_$5F7T*PxHo<~IO$eg0s$$fr_#5O zNV_H2LUs#jw?u}S*@gy3#8scnPii7zI?fpAaiZWeFa$>j%9OEz351{&x-|$w=C;6X z$c=)VlUofpweO~Yo1UO}P)hgB`S$FMm`MTgmz+q+NSR`NVWp5ixfYo|hL=3mqIW(nRW5=MHyYgDgk=ExU ze6y3fN&`7OIX^ZfISAqa-@e2R{jR@! zk+}?Ln9RjkVq|bmJ7+fMor5y>1zaeG;L4D{W(ki{LYHD_j>OOB3|R347~|z;T!9j! z%ShbE_Qf4Z+GVi3adWc4~fjTfRyA7l{tf8Gwgr7bSReG1EKy+hyM^#6L(QikYQZ`2KFxT3uSP z1jC~|*8;V?Lr#(Tky#y4bgq!h)vDA0HSs4Lsr!t$(21Nn8C(ykZ|lmR0GztzY(WJ+uN=!*sct zbIT_clASfSqiCSGJym3hCHQS{Ir^p`t4QS=`3t#DAYRxi zF=!8LF^4mxk-6XC41`#zqSWJO>=A3!;v+PsVH=6;3uNm%SK3?J$hRGXmRSeTL}CJR z`At6N?_;vo#ie6pr9_(98Fh!BE%D2aeiIzmIGWMSuC3!;h-i(d)}t1mMlVpKk7AN} zpUn5u8ZiO+q6V4H>rUO}@8FUK>|&*b$={NpjP|87b(<|o*upeB!yMt)_3!Z!8N~=X zLgGM1Xg)!Ws~9h;=T%qM>_=e;a=l9RJRUJYr~q0zE48{78RHtf&{W=Q(bEwzVqlgJ zumF?fFAgA>pcNO#a`wSe{5L_M;^JPWrtPON6ggMfNTfhBM|*chOyRrCwTqkY1u5b1 zQTdnNaUmG&U+%t)A~+=rr{{XlFNEFiiW2 zdIvKKkd%)$PHXfVfMLS4>)Lw7O1+Gk2_ik+R9Us&{5nI=nSfK@a2T5V*p4&~IKwMO ziNqq8_S6RnE4Gwh#iC{0$cz)Q_AJ?FnOX)RB_K|llWDWz+j*ba75M85**U@&E>bRS z1RLv@^`mp-g83CE=<~EDa|lloS0^A4=b_R3w!WcLkl@=Gm=s*BP=3h}@|5Ah)Crb- z#7rllmBRRThA;kDgq#KI$FHAb*sHZl#iPz`m`U4B;_Sa|9jB}Li*J6D zZ=H(r&jN&#rKsljD1L`84KtJ8S<1J~Yb{cgiD#MxSmsv*Q1e%8bvQY0Bc7T73mO+1wADw=;CZcy`QH=}K`kJ9fn}nikGZ7F zT|#;MdyCwF+|uB)ys$djrbew&CF*MvT82?jGDDIK5jh4sgRw~F7}owmbNs=ql{ui& zM^d(d0KAN#HFY0ITjsfp{E#WPSo53o&jNea(}?2W+s4hS@ormid0W!ExS%D>{{9;& zx$wB?G&Gn32y~Aokew#-3kie^hIji#V_#zw0NqD|?ejDokl@9elsYVY;V)wB45BnV zKJ1BND;R$t$=Bz8IJzT{B1&+$-z!%y^4GkdD~18&Fcl?!^}~kc-uL`O7Gb}fGRSq4ZC@FP{!g%Dvr_3u~5$k7bojc@E^lx+hG z`~8N=I!08KJvD|pI_{?`DR95owl)^Il#Y|f$_{#5JvtSp@bGN#@I|OqAUjUo7TzHF 
z%?{%jN^<4~8jw1QVDkGS2yaG2u|I*zD@r9oWL2%t6)R?RLo@e{E+FmrWicu~l9rD1_Ur5qkYJ8y)7>L} zFCkmYtT7`)_N>cESCy_XU5s7_9AgQ0C#6O+{FKuwKh-tY}cc z-5>&lKW8s;%vqfj8bwgYO$$6Sl`T|BRK)P1n6^L=H7IvTh~YkC96YNpM1rUxY6R1! zL+H`rS0NjIdv96p*>&qUzed@h^dlFNu*_bfb77Dw{RdbY7`?bhA7_S#E_MsWi%it9 zUZkC7H);rxBMWR)RFu>gs)bdSkt)9dKEOVdlp8pUu>CpcfHc?~n&DoW@&{CV694M# z51ZB-$4Y%JBZp6Z9sT+h7Y^?}JGEgSNtOUKuQ%Huh*9!O!`0 zHey=Jslq;S1Xub@=M5FMZ>ky}NA)jGZXy2WP};szXVqPTFvp><*uX=OB*Pp;%yH{S-()A` zfE2cnV{;LpOcF-$lo|*{I_k~RVe-`TgGB23$EKJc)((;`SQbS(Y%%t2d;)bJFbR&2 z1VRJp#yUg|?)s zTR+9j#paB|kA$}@969nhHumIZcIDqNtqiA7@9&T;SrfdQ->O~e7#4eV3Oe~Da0I_$ zkEOCSL@gOiXi3vHjjOMBqt3Jg$nH3DW@Pl5ty$>17<>x&Q?k z?5yA?EPz0ygvKHeq!42$+lMBTXp+Q6p=(VNOPh?L{SwY*-vC%VmA*2?{S(>nw^SV8 ze{QHygj$BfZKMZ}I-klY;a6YR(J?32>V zy2IV5jB&c-q{d0n*~IM#kSQ4)kLDjk;;prye%==wOrViHw6WJ%-z2k>TF-DqGpLh< zH|-7~XcD^FrGdRLT;ae#l&u#JP*J#55x5kipgErB9#cb*qu$6ks(}+6A{-yp7)Thb ze=$y}p!Tr@GR&JIJ$`7!N&t$4XG4xO9Y>_1mXxH1Z2t3h%9Uv{Z=^Hu&gnq($lAv` z$AD4%Sh5DD;?df##kT{!G~j(gvisd_kpeO0yAcV=LZ`#e1|cv4;=al=%FpQ)^aJ4F zqtzJPnd`O7ddARqh(j=lqf{lKLp?#cO}1L@dhFemv7}mB(JiK;*ZtmXm7XVq6T)- zRaX4CZmEn=C4pM_fTTdwkr`A^rP!HR&+KAPz4OnXDFb{X&~+Jv)+mqat7hHEfC};8 z=9lT2)TvTU*lzx9hs?;sSY0&=ili3sp|Ju|3{i{I@8DMBNOg!R5JXpg03i>lIUK;d zOyDA~bBV^Cf9Z++q$cTkS=A^miV@vvf~yJqi~N}giI2H&)0drgpY9b# z@yw4OnYS&qKZ@DRD05z4rFZsErk&Z?I3_n8Ws$oH#vni*s>T61NL>!Od{e!k7fy7X zGqqjuqYXAEl%OlS>I%2_yXp{nU!Qe-cCjq}AwI`$%MZ9}EX_y?}Ng^#$93XY~ z%-+sJ?Ct&r1TR@U%~?Z!M6m{Um>Ama0X-YH_7qbWLrlnz2unzgHY|)hn4PGK#qZ zGlPPzykJ=>AP=o!O79C%-#5xvOy|B2P{BTcXB3k|mX0}w_2w(c{4xo{p6>g35?$&M z2uu<3ZKm))hXn(}e2I6+DZPiQsw-ri6$+lUD_S_xK=YYs%ZPr6xQZJUb~_c9@6-Kx zJoE|Nzu+}>RzG3qrwsgl$!%tz@Tu8fF5J?2dTaDHZ~ft>{!I=1f_Q-!_D(e_i2iUk z^Be`nmk1LgNMIc!u!zt9=5TzzH2XxY=wV*9?RyqD5 z_&>oz(cnJ|K=kH7S6aRtv5ggm{pQ|W&(7O1PCSYrxr~oA1gi@b%uo;y0#J>2+juuV zj|=Y)11TXxJinb-ekdLbk1EFc@5e{yUJDkF67Y3fGI$716!7U>^kRE7fUy5O`%a?* zFerRZCA&-8Yro0l?1F}3&cA)ZMhFa3!Z=D&Gi<4f_RRd1APe-|2HMZD6NF6}x(Pgb 
z7EL;sLYhv^XJs0KqG)!KLKIPX^E{^G{^^BO6?H}x@vtQn^{3`F_6NAGu0K-%O5Dp2&V!?1YNa8dM2wfjUg-2-0sNiu> zki}p|F@%s|U;qIC0DuetU;qG)`E7+NZfogJ`Ml19qtk$48Y-}&Y6h+jh@R!ED0~6x zDN(!zDXY5^9|H3ZmpiivR5csPg+UqMYf{nAv|eWc95@U#tr#hpW+lzZfT^DWR*{j? z-8#&x7~8Vhn!RwZnNM*WQAAN9$8315{`w=$*+F&faxJ1|E1h?{}c=B*{3$ynlVqG_+|M+LP!z7`n9z@vgDqk?RxEy((Ja5Evj zDayG-q2f>@XUUt9PAfRxRAM3rhAHd~>M8k`HSxn8JP#y|xMJrXr2<7a0N~8~m@9YX zJ!tg&njVt#!V3S?OT-gC=+cmP{L!--lm#P{F{4CS_*_WlFzz~ zykGB4IAlv*ubW*d&M3bEw`t@Wiq%g+UxTcto-?NA zx+0Q!z?m_|*Uk$U(+nVhi5lXV7u(f5z2>Q-6`Y?zjqn#WV3VfA-j9p~-FXq@QL$Inor8Ea$Kj0KhA%vx``wId#&;s-`e!)GjX_l$uzh=Tz@4$U1n#C@A{ zg>De#v8+9g(G*Ju!!yUA!4qbY3Pm+!Jfk_R^{X<&w!WiTFd4en!nKd&q^&%O5u%Hn z%{J0}7)`wYS6JQ;+l}pR0&xzHs4<9;El^AadZ9dLN}~71M7jnWx!=kmT;lRv z2+(4Wev$?NW*E(sFs;#XpM3Y1hh1^l^SfNz7{SF}&bRb9&QxA-6ZWg?_Yvwq*Pm}a zPy_uq!h?cH%T*am)atjysE`6BiYLuENzTJGpFdLE?-6DQXu9SagvWp)yQ4WQr+#Q8Pt>sy zY+6nHjE+slT_j6qr%8NJb|Xs}A5)(B_#7!`t1m<_)1gr^7%1mrV?ZpQ87GtUU2!T1 zQFMb-8IAIWh1$q*Wpx3BbpBR$eKGxOG2%r;BLxMP$jh7)SV0Kb`mE%eF1{8{^Wi{z zE@)EzGR>QXPX7x5>f}uUL$!g`sV^Z4tBi+-hV%1(&P+uHAn->5L}trVC5AfjUn`Yv zHAa$(!QH@W7g>5n(`qY=<#-%q66|x2G@mHRB#?6VxU|m!=6%}z7UlHF1P~%9Y*jgpu!ah-T~mFUSZ+pI`F&ngns?^w~)^ zGy@psU>h2MMR*VQbjMJmc9_Hp+bdWzTx8d~?5h~sxHLxBr*Iebo>&<^v-_fBkM(4^URfK8ynrCp@2GEoWM< zhJ%3Oi|UczT(J@wSjA6hoKGns@6u##lH@x;GId;Javd@G7^cF9k>DWJaCWVYyrH`U zQUmq7UYPYaOeof8LPcdDdt|s|lLJp45rhq}ri$f8TR5&b`Hm%0J`sT3EX8}6SQwl^ zmClEkX=mqvTs+O(WTU#-n9M@85%H(fEr{-TD0ZvzP_ErE7!&4%NxwJXuGW`N00&?A z6uq#~4&S@bnIei6_V=gDZQY=6;S1hV$6|s=!dVMJQ5*+6$5$XXm{@G%lE5o7;*Tx@ z!2qU0j|Xo;3f|6Sz>I&$Jo2$7`d*%itxp`>SjkNy-6kZLJB{mu$odQKk}N*=`0G*jQ>ZnGrbzT7PIupAdO;@53=xo8v$MA)NI7<95#uh zgOLoDxfCr*BtW{8^7<#8-w-1=(%)%O@X(w#n6(LEmitpn+#XB8OvCrUVw7hN<7vfv z#(4&L$JaGYZ?di|O%JF$gb7oYnv}QOwW9=hm7@H;mx=O85^VREwXrNE+5t@&sTv=y zbqkc2Tt*nr_|m(7D0V@G|Igd+vJCdp0=A_&jM_d)A9Y4 zOm*$Yv8a96Rtcc22!d1 zzgDh%{iy%ckzaUkw5iPanzZd+yJT=ppJo=WwrccIhg|FI1erFLi=cd?VBT%1 z%T-m(RZm69s3Uh>eWh0q-y@N6bDpijC%M&xdBBt#%iza3Y{}q*$_vRxyzOLrkz24; 
zOiG;)h{@HrVZPyvMuv#$nAl$_!YGH-SPA-!ht3tU>}_?CAv;9>tTnN`QY=T-CT4_Z zHGkMk1oUNMd4?=>z~TpasZbJkqE9gtWpnD~ixM;>!(7o<96YC7es z2PkC2u*a?eQ-9ZfYR;ME6YmO_=v&f6y0sr7V0H?KZTE~WU@WjWM~&r*F6;WVWg|z| z6fv1|_B4pgy^n}V(wJ#I4Jk7M(>#3+>#B=@ooE$Iz>pWIN@pAR_G|QZ!X&jAn-_5l zt?=})5%T`hiin$=f`u?S%Yd~u67X9gxK>#TB{#o2p&O3`PoSc3-r7CYsx5coJe0$r zM8#WYgLQQbQ@KGv#T|mk(r<$0_|C#Nn--=;=CYNI9cg z;7AgF0weV63%ndFBcKdm#};u&c?L~Y;R0~{uiYBF{slY!#8voqp1Wl6a?2k;PUC-B zk4X_&SU&oAl{U$tRn%MEMp$@Jp~U*4JN@D18G{@2B+7tYUfN$z0ONZD2N>l3$lBDJ zDhsNHd-mzXr^#c_ACh2es*$>oxoQ@@(dCG}f;xQh1}|7J{zzy?#L&WE|Y;YWxT{Ym795!m%{jpj5F-YJ4sbY)| zNn!!R7Kk0GicBBf*0TnxY=O{!lfE*`^wOiLyG=HllR*(+2legBlDC8zkS~8kG1K2r z-YWv_;2f8G+&=$o`EkonV95;%YR9Ar-=ei|m_%)1%_0~}i@|E9f$5cU1un+vjepkK zvxH3-AOeww7R5`~W~G{&GDl$0?i{4JCJ_!zTK7U1m@ue&dVRaojg<*oFSn`q1SUL1 zt;qH(ld9grp|`hEj-~{r{WIVq0%l@9;e_1suM4E`x%xe(lP;0@HSJsI_I;tL!});( zKx4{Y^bdiGF{eQ>*s*@Hlvz^|Ljhsge&m$e%yBE=Tw-uN#H*Th5>Z44rht9iVKLTt{o%z%r3? z$;jM(Y>4nKsWwxeP}U9USI2oQnx}2^`M+X~rp1z*bHw%xQ`8X}hmgV7ZW6s?Eo{~2 z5xbMdhb@!mBZggf+q8kb;6#~xLW%DsDb;&}{W(!ct8AfcW8i(5K%pHXdl2ODKp%u{ zbRR=00ie*-ydQ3i-cNM-nfn`VKn zVbL@A;9~PP06>T13t#?oJjdiHn;n1u19Hj-t}RMkzmB+m+c=x3yp#VOtg}ZbkS6OK zYN|dEgQ>Jl?x`%Z04mzfI+1SaQS*gEJ9YJ8P^osxH*o^94L~pCS76*M)DFxKz#}`V zAd!?iwr^a>YLi7_JS#bqCk1QeNdvjvC;MZAhZf+cI-ecz@_jh(leK}^N|L_SP0r-g6Af|8dL;9xx$#%fN`kxI+ph+NSv(i+@)dLt!x z<+*vbZb4&^g#qcDL&P!~(h85m$*WmEq24PsXs-Y#OvI=4nO&$aZCR}fbl96ozGz{k zkKJpU1_&ZjOdU0 z^n1+sOw7VTkc@aplfo|W<^2)C93QH}wA>o0(Gw)^pzBkm4uKfcVcd63gaQz1J-8Y;fq2+#d<&lO;9!bCtr8bPb~F2RLQ2J(&g z&?lC3-bMO)t~embt=(K@lj5)c8hzk#$fNy711kUg=|JFfk=d^Jxq&gdNE=vfJ!ron zANSM#5fr*^JiW*CHdR)*6Mk*>ftg~AM#DN{v$3%fbxS%XZMd^EeXM2gybVpQ7kg1!9T*b9|X6jcugXJ{?uC6>^6AOBbSx}!n2D>NF6vba@0ZXzO@ zTDpw$Bf4E^2u|)-`n>2J6iY+Lo`Yz#Kew-%NH2Ml z_xueoK)af~YJkA$n)d{Hgs~%tZ=q zOiyL@J(2;nNyC&ATpGn4cNs2!A5vD#3ic6jQhE>%!GanXH72(wXR1pB3vF>5=$QVG zqT>oTLa%hRXF2dCQ;We*7BNy+UoGyJuQEP9iY3UVVHrM(k?zIdioZv3tzPw_EFdHo0Q4${(bDK_lxbPr2%5~8TgU&d(H7NX z9{<{t7=!UgXaJ@IzfvPGe3uT4s(w%)J2h?A;Q=ZHA_@>-qKK~7a5}`6m=)DmFX>sk 
zhGdQP#mI%SVigPCSs04+#N=gHr=H%FJeR`2O|7au>qy0!H&1_FRRmDn2hv#X&b+s z!{MS0NWz}H^*|oaxA#Oh*_N^E_{t?w1Ik%ybXblYCWTTa*Gb!pSljtlGAAMkrdEd( zY8+WJo;6#`VM1$PuRJMSTn6_OW9+dUdZ@sORUZ`zZ ziOJakV$s0^?{t8wglQ$_=-%Wbe8)z$s*u2e!JwE;yFuV6kASd&sCfOS+bdJ5#Kz46 zY#e=aO~{?l_p1a_Xh93oN5_%T3UG6 zRTC45RN(Kg?x00_rlo-3kh#dJ8jea)7m9f#4eGefWU2Sal7Puwm7KAHpf`n1{$s2A zflOlNTm#!V+Mw3AvPfr{oQnJNwV;hOv|*sOUv* zzj3?Men_-On(R1jXS9N}Vi0 zh}|iGS7O6^dXma%+fL|=&1k4?P8Pv>^cyIN%2OL!h*~r)H@QtX#aJ88usd6R$1@&} z$d7fP(-wWja1Q3K7wgy$%YQv8Pk>devA!gX;`iIRm;10&Vi+)#nE}8Z)c>$FJkd^63l({akL+0oS0J39+J(K$Hk?E5X9qOc5<28P z#HtHXBVOYglKJ5^#&XgCFT9FdwD9G=Ji!iM=igUcDrj&T7Q2VsV4iPkOKs%S z&TwRWol`rUdc!~+aMjL&d?RFLNC~B#%rAbF*7!f>=B^5p;*Bnc|7S_kNEyq%8M4S3?bS5>p=O~ zZuYV_zbI7r{(XKNQZ$3g5#lk=JH{u=G~w;Hxdw}U^Sgdwi|>*%Cmb$cQ;L52VSZz@ z;03L?Pq}5=wYzl(Ra@NF08r#0s8u_BwcV|^N!$;2rjsk{y}e#0zj1B$7k3n8q#RkE z7FGSmy_mG4ly{CuW1IS`T`0!){b_MtsmFbnFW>>D1VX99j(@CENged=UQiS!_1|UU zF=#!UG7zP85nOze0}l3mJxw- z(6eNVSx6%d=WKU2P@`NDXSw+LGP{#PrZ*DzL~dkD(IXqvSK#>iTlimjIY z-GsN*Z$0QNc$X`~u+YAnzB?O#0cX7XCE||)+xajzuk2_j&Ns*L^wUZcHT!YtO_z~K zHfym90vg1&xXopyjY)qb?I^%yolJpAo`e?cZQfnU^N*vCXpzxE3P@-t}I$t{+D% z7iZBtAJQJz#b>M(*i`9~N4}sNL0W4Ei}*o{YXA31VtqOF{D&dd7lswT)E$mJ#~o}x z#9*AU(e9<1j-&WaYP{V|ND}W9Sh#vyFAZI#A}@Qo zY3^xaI&zxCp$U|hj@p!1xViU7MVT_DUUmC>cP8d0`|G?o{d6v*_&_UrXbEPJ`gw{= znFcad3G1Il8E}T`=bPe0TtV^`O|Ac90<+Dwt8;fImmhH%1Q}yR+HSg@(x@elzCgI~ zcm#Un4eB*lqMe$<*7*@5xxy4^ZIDuT5R$6@I8>y3#;?fCAFyzgf>M?UKo_DX@|OjM!1 z8_RE25;%p(Oq$t+b)WSxYd^* zv``zAi9Pxhc3IJOsrE3jb{|8($ee=3^hzF}K)oCqll6!mhpxI}^#9?wWGPNlViEa4 z<`Kj9z_ixVzbl?|y%pUk(_PHP=gTFEXS`#NU!V0H1tUe3^~0olf$up1Z^oeqfH9 zq$)iT`-YsO%p>1rBzot6+ct+V`w)o=I>^@AnW3Xq4uYlw;|O(=xqZ_`cfwf}(XgBE zKI90(e5U{^&qh1$Q4FYG& zVU!5sb|1H^Y_xCo<}|iQu2;SoBJJGoU`d1YWZ0`5tN;eT0{4a&MPINjvWkzL!LXLr%<)xQd!}6X7oET5|Ujg2HeLVw#FNv~|4w9OVST zwx{@Ul=q)L9NHT;;J{O)Q+9m=b*yJV*S)Esmujx0Z|xsZqx8 zy}RL7r&atCe>M-KkkK@?21OszG%>~ZJQ!~W=BNow@7E&$(qhX@uqU+-Hw3AFLVc#A zjG$gUhxeaeCj?@`69jh_9xcp5=tUZ?%OCK{DoSKcfIo}EB+XM32&8^}i(IFpvP9=X 
z;3pi<87*zx`^qaAaDaL@K_fN}KAABREX30g67bP*mu^sEXnVnh1jr%*k+iJ(`CZ#) zV^o-bR!_o;F^l4Pdn*Z)YQ^3Z|Bb#q!riTGwiAXgi+{MmQjyM}M9-WR+kJ@RXsAhd zh}I@XG$2>ctIsQklp8k6Wcf=GoE&_x`A2huw!4V*Bv~kY=BS}nE2|H#$b{Aktm(k z1C#tn!3NZ(YQTOg5<{Xb%IK(c?8La6_5j9xmvx)kjp_N~x)U`a>*mSmt+jOOrfmgT zz^}~ZNx0*8aKXF1<@e6FHs9%?oXTOp*dCHdXTH#LAc%IO;FtQIu3)!>IMqII!?&aN zV6mOGf6D{+7WNgR;G_rl1*N!z*${GnVr>S}TKI)l%8-GP{Vzj)!@eso6+ce1(D*~; zMvm>ysrh10#OZ`E0q}~(s}t#e-s-YUOmC#AYwR;r;PGn~#Jn=9=ocaS4rVmEE0Ya=`4H6O3$fWg#@I?w4~0VM07^$?Ipv4r&?WdBNT3IdAjlVQ znf-dk&Cga+wQE6*#DDaSMR>K{HDH#bFz`Va@M;pnw3+C6sX4g3mu9hne|2X=JpsIN zfPHA-b`)?u;HzU2W#DSdD;UG=_uw#QBce9}c=f0ce2foKv~{d0izE`#ssS?rs9HPL z=A$^|TO(~@Q_5K5ptH!CIi2dcfFlA&bfm$^(My_G3#PdeF`VZ>f(E_+@+>PE(F1v> z?Q0nQL+Ggr`W5@B!T?}cn*bn?mv_%>75KT;i*soj3fBT=aX^d*6`w0FIC_yGmxUj2 zTTj1I&0z)lilkAaD&xqC7AIkIIr~8{&{U##gT1kH9_N-11PFdI>q)C04rE@uEEFX` zCDq)89HAe4E$$n-hQTIN=9&l6i5t9_G?VYsHOU|iAb#vs5iD)3Hw`Rp7^gE$v5rZ# zfYe)G(i^t!o*zKT3G?U=3`wlGft3VEc`-22!4agpixb;nCff$9fG>mO!2}8N{c)d$8#n8vTLkL;@ETi;#tMb*D!UA{EK+jEbodvl5#i54 z5|pw~?lKL|$gI&}GWUR&64qGFchF+#T$ zed}ftnl^cp-Ei@9ED-GwUB^smaS0j5lLj2GD`fY2iblL*HEzN9L8PsyTt;6VRD&8W zqko<$ueeru{U`d0Wg_1HW_y+frv%YU{Cp~abThE}A7F6i%$Ec3uyEl|n?38T`z|X@ z7g%0NArV`p%|>go2IDgs{gTqp0#pn29Muot6_-rQKY|?euxP2OYE473M!dL@WnE}9 z6+RYG#*#I(bKm0ZKbac@DzP>QXlUJ3wko*?L02MbyfNlh(po5BP|*@><%9D}CCXxm zV}My|QKPLi+*JP70vA?^{jU@wz5=^H{^h+r>-~=p5`BmH=H{Hn^_R~}zD}czCTR0t znBUDwSX5$kafzDG-7_Pa%cHxDC7bekgV>0|33Z;XP=BlrCI~rnOR#W3434eOpps6C zV=hl?oQJT0ybXi3$+n`GUN2=3ma#~!4`C-~-V0;=`2`i^%p!6A$3AJ}#Y5Yfl6@PK za6s=^Q8ZL)UmJsQC{p|GM$+!{4zC{L}?1xvsVB z!dQjh-Fnm%Ehlb~4N!j?#4&GwqY+1w>dWtzzVt{932d4j$QdR&UER;&CYrj$ZQ$u_ zOp!*xee949FqHc55ZYTd=G~9$BIQfd&FvoaJSvN`ftoXDb}%=QVDPc*kDk_?36^c& zZcZVEp4`i*d;O^stmx`kF~lyKHgQ!NNM^Zt3e{H7e*0s04`uksRaZwvP*2F3#XJ(^ zJrD;$Ui*td3kP`2*LPx^E_zBu-yryz>gyzqHLE!=G@HL%Jj8+$_%bqa00&qY&rl0Q zMvAe%yXLYrl^+`p7JG!j4@<+x%2MrYz`r#kirHeYTzn&{WLHc!c*kCM7zpU`{n4S! 
z`Oaqli|g1v>b7K>8?-aiMN zJ1vl0c?u#kw0hXmHIL8w#t3)@kV&F-W_ad0kxXzXD)+dK651W* zFO(zCv2a%jro3fzmJ|7V`b31%DNBG~Gq-nzH0J<5u`wJ+M316PT0w}7s3bj-9oJo1iHmhm#EB@ugAtdo{%D zzRh*Zp8SyXLm7(e{tZ*DzuWsBqF@xoJ|a*5IU~k2DgyEjhGh`b1BBjHf=C-**}K=7 za}S3?YdnY}9w+nR!21{w+K=$FUaJRjm#p5=`Pk}n0$|+vOU|TOw9pPTLx!97o~RB_ z-A@O2o5`~qWf3H|gV;YiKxrVgr|Y;*sSn?V)F z!-NnBBBLs(PPrtbBYvyz;yyK=_fls$luDfVK1>=NM#CC3z+aD3SATJjn#(s_M)Z6) zRcg|!nSg%kFZkw!88}u1V#tu&GBE$PHrjjZCl>_4!(f$T*garo&{yy|#q^igU^WWpCw~*@^!u)7%14l+-Ijg01E5s(4sb}qe&?42 zrxNoRPa#x-OghXz%QeW^L3(SgN`VkwTc1mfsl1%sQ?5$lavU!yLHJA9ETSg~8x-}F z)kmNQJd5+(TLXVQ$0;0sv9y7GHujNxmI>4QR^Up|^4M6WuO}7X{3+4jSd`a4-;e_z zDo=Tt>0=FuP3|0WJ(JOutg}TU%&^~r7+z9)$<_u7Yf{?xYLZ}EJ4!#+>k1BzV^?)- zdk_M&5n{hTi7+APU$j^g|E-KeT4kh7K+i;JEb~%rndOh{C0f(xz`LNNjWscyftTRG zDuV?viZ=5^$I-He39*D7h74nUPRd5dQY{ z$R8>-Tz*bUZV&;RayUbrK-L&~p}e0)5$%Q1UyK_{Zy93pKrE71#@k-Cjs*&?%S%hb zM?Bs)m*=K$NH#$-WIZcnoA!|DvtE$t%%p72y7ZFuLmgxPNN}4ck#Q%0P%V~-gh;67 zGO}9*$eUYgndSN?&pDzoWpbQNrLw9+N7#fvbFxTVWC{*VbKCjE{2h?J0*~s=a`yQv zNcFsOhIKRsU<$(@&45uiXM)C;Xbn~5tOIHE0&BA9LIyhSZ~D8_dZEG|-8U(E9KDGg zCIt$^_|nv2nZPiW(f)`Q7YoAvmN#EoAqm{Kp)!khET@EAf%?kEm>Ve7Fxxifm@`2x zk()-8$uIlO1=?e(_gW=YVpg|d#)1$8vuOk3K`P)S|3>3Xo|Vau*E4%CZ?}PQXk<7# zoUg+tj4pOZ(k#I6j>U5-)p`yIEZ|(RM0z>f&{^a7pyy}a)LZiG`YK+iqtQPH*@$yY zlgA_JoG+vc-Bj%w6;oq(a36NT&q_z8wl`eiiCkG*c>5dEEa!Yp|NpfcgfoLJNI=aY zdD+z%_Pdv+*>Xy-O^PIpD#dB@R<4b8RmIedv0Qf$xXVVb#+#YlpsDRw&1z=S#WY_u;s1QQ#i8gKUQD6en<|h?f3C+;F{vA7 z>3>MhdTG5(XYbZKS*qNdA@|5u1ibHm%OsK_oFVaqkzf`@0CMcJQvV~}cc#C82k|(@ znK^+2+Nl$eh=rG$B;7}u0Ujm_gk=PCBS*zK%<|tx(W8FM z#lqw7B&TcFSVio%@H3|bKdk_e{eqso{Z^v_L~0Y5EZowCHCgV^{^5rb^VjtfM@7&Mct8e|d^S=GwTYulB z%f?t|wcxc^7xth)0!iV1R6?fzA|-kC9A~)9*I?MBUDabM# zt3n?AV^K228SG56KP#*0nCQiSa*czJ5B%K z^Pb@|uR@6$%CvV#fJMuXyC@oE(5Q93jm60zK8@MIktJhZG&9Vpu(!>bVz61XVs`<( zkHc+HcQ4JPA>nSlKX2AU_@Y<`qhf}S%&wdymsE6TO|m2wWnJ~%{FE8!l30ZrjPexorb`OTe~3 ze)`GD@>)1nOZtyOJ_IN|!9m-i$3-I>p%PKA{pf9s_{-nb3U4*>5^sd=lP}6`F*Kdv z>RXFEn$5+%>Ra#0^|!XwQ@gV-WEXX;pxC$VUT%C*qUril9m<+pV~3JMor}#}t9R~M 
zWE-D)IT|`Gtv|_9V3)tM8@+*)ERo+_9o!N~aklT3l=Ipwj(&B}()`EVg1-iN1E+21 zd+SK`D*y%EecU%@z+*WY8=#pJP3W_o?>aLeMNsiGou|625jYk2%cDDGiToQEx%`!6 z2+}RE{;>c-2py&G?w!zdU4E!azyFqhtEF9?y13P0KcGjY!;FA?DFgAg=_TXGuyLpR zLCCwu)1mPw6ef@&92uB7vc2^I^tB7)R}WUDy)m;+4Rv2tuj1Oc9?}i5a^mJgYbIbk z!fS3Ej9L!+KJ(TWjQvi)hI92Mkl=9$mJ_pr;4Z#Fl>)Dca-Nj1L>2M$U7H z!JEc9yvznd@Rb%15=Zpp{&X)U2I{7^`u`3)*yO&qbdg@B$b$QaDTBRtxPwTNp0OYj zL5D@iqtp@3B^e!g)4Ovf&4!HzL~bbuCPDT++F=y{G_UHfGx})4cy37b##Xtu#FSxS zocNbZGw3DIal)Z0{9gD{H9h7(OwTt?Vx?SRl$BEyV~jkcm??P;UY%t|_=fN@5$w19 zj%^3mh!pMDzU^9vEK({yyKOQFdIVtY@lC?GM@3n#l zRYUb)rpZv|StI@#Tdk-_`ijOY6-x%mq-RTna z)^+H$9v^gY0?MF0Wo522BQL`f{GiZxCnXZA$>kK@F#4Xd>di zDH(mXJ-%5RxoKReD0$)TqyzQ*i_bkfvhs04Y&)!y;z8S1nmO*U)`@YYyy(qb5u)Cs zUf7BQ^FKjrjMKF#4M|B16oE>^Aq~R-PY9%dA3Wd&(U-AnqQ=1+y}QQcom$4&!;jDE z`6qE!6>REmRu!Ju#dK$PF^!%yUx6W6q&~$+GSPfVt0V$R2$Eq*u1U0HTCRYti6mg- z7D_=g^2-VyqQ*P1zjZH}Q@?Nvx|&3Kim=LEK{l0rkpZgy5|R2?MxEJC!0b=%ko#;@ zuRd}*Kd@ltQmKG@=e>T-M4~_Q)(N-%kdKRpfO~p{YADX+FQ-C%3+m-`7OVPl0AbII z?u-1*p}Y8qEZ?oR;9a$_L z7I-;Cp4(r3b|~Xd)J}fjBLl2H4J(#TRa0E$)i7%zI>8xg3>xx{29{EBx)& zy|o!(P#PIXb-EVjn@D9)D?>#&4$x1(h78V$G!JDPFrZ|BROTQ8nmW!wOCyw{7M@tI znqDyZO{Pqv%%w~VnO>P@nRASn(IyI=1-@1 zGr}fYmg_c(cQQij3$lyu%UeEKd43{8-fT!XYPs$@atP{7kpx=`6`IJ|oMcf$8Ui~Si zErCtM{<1N!!Po_~g|KC?!9<3Y`Ui3SiN3Da(KG3(eD-D9MpGc)*T*EA3q@3)AROz~ zA>(0O8p>d(W#6N>JDg4}$Rgh5v3D2BS$*K(46T1VAkmM~0@1(I@`~=`% z!l{ji)KWCveFx`(aAli@%`it=OA2q*?ei1&sa!^ zaAd$R58YIO{+aARkw@J4ae-Pag&r?PH#x_K+%syHzimsa+oP?h^xye_;IkDDK8bT-hk6=)}+eCI* zS5kT+3uLT9u_b8iy*oL#l%0=8CGBY=W2G3_8XHKPP7EiBf<2JiQH+-d8Pflag9hqQ z&>)IsU$M{;^v_q$hXj$Vs~j@)gcJ$0GY1px)7f;OsMLqVr@P{}d$fWSQRgeuEs(2* zqEmFV>s1z=j@@|ub^au21r526|5g&-wq3&>SmdKVVoPTp)cuG9p$QWM1i9?f011!} z#HRCvDG<<`=Ldq&Yaqg82IJKTC)>Rq6%c;g4A!0Cujc^D0DyTfz*Y%B%ZB$4*91nX zB(a+dHp$Y=InNLWh=gb6$h#KRaN(2lkhAtsA7d1BsmE2RxxE41$R)k~P9@lpC#nZ|wm7N2)_fmqsijV+I^CEQwsnQ>pms zw0gRu3feFTpuCxo8;MtzkUjEmOilTO0sPjJk3I-sWlx01d!5EDnSrQT0mm(eqLF8@ z8jXI)o)0B`5kF2MNdU>6Hf%iY$lPAZ*O>3j>x^>5$JcYk6hjCoyk`<5k8DVG9J@yn 
z@+Vr7y&e!s3AcSDrNr*{b8%2I>fT17)`nj4-D`8Whup#n?^q^@A1iFu8_nMQ2&*fu z>lB(|qd^q(Eeud0Gn{584Nhqb-SiRyPTm5i!Pii0XsBy#O>-&EoJqMNu=E|QBpMF^ zv~jcivXqR-x){%7nW#WJXpSp%8g^O>fTU1)sp>x->yAZt}=OZLryH_Jv+Wc?{v!X!ey1@Od(^{LF1 zOhEQ^3T`vgC^&C$RUg<(*lZ0g&Jy$9?S(vAH}6e>L@3BKy?5dExCsn$%GldUii4@IYZQt{jc<2tNy6vruV zh4C&vo*E7diOZtZn+Tm`;Hu~oanQ->jyT{VbTbO;nl0Z?x zb61Vz;20M;rXiC+XWk~=lYx^wY6)vL|NZ%uCrb}B2-;OqJ##&yz;bMb-LnWUK9i>QfHl_ zV113hMO{Kz(@9WF4OtSiiphZO#AOXf%71hz#p}>`EoFbR$`N|k!v075ktWra5}H%I z=y$*6%jbHn&h#Or%?o@U!ikj%l9a-RxJM&fE?d^mHA}N|^XG?i%P9btw7N2!KsO|s zj6+8veeL3QWef6<(G1q6%d7xc)uM0{7GF52TI6=mG|sj1LcTgbf#DO`O!z><&cM#M z^okt_8rzuOcmL(=t-_Oe`>CNtg=T_NsHLfk@M1Vkq{slA;QjUta~hBa=US{&$uA1( z88oZ&GnEm?BLS=udWcMy8P|sTv?=pKF=$kd53TWnIqQ@(JEbMfI_*J;R;3erH*g~% zTFp{bj>TjiUi6TDs-DTiJc`m$N@+DqTNs2F!D+_`e_;MhWF@#H7vApl`501|=%xz= zs(!iB{XAQCLCYD3u=qO(Swa~7St z)ZNX4p|#Ij$p373eri(wq<%@7aw7l-UMx$46Z5G>uXK1iM&%|=)w$&y#-W5O&k`yF z!!$lZxMBeZZ$LLr6^$x)V?gzR&Kmb21K(0(#4DESk}a!HY;8C|Q_KMKDIPf&=4^nb z`i(%-IV@T*C`tw zISFpoP_!`5LQ~4A?hdY^++t*$AW@9mb@oWR=^KE^$uBb1I8sa3oRL9*l50DnGdnWVzT2D zbdkr)l9RC);r@6bdf#{RdF);Pu&y9|mZIwKa9>>SJs{V2Oek}}MLMXtR|6_*(UOnJ zn0|p!RwOuozuO*>k-&GQGWw$Ex>A5-v;BGaIWgDV5`L2!Hjp^7<}Jo-M1;K+5xsKwQ~Xs z9p8o7oI{I~0*ZVuYAOKbZF(#u?Xe6ZEKN|*Y=-8iZ9@f-4VZxObG)3+E`@!!Aq3wB z7y0X%L3{aS=_}!HM&ns*FQ=Jdm3tj~!_UptnK}^Q)Q8ath zI{*`HHS(xhG}fIe?E=~(AJM1C-elS9e;B1DXOPcXrE{18m=1m!y2nM}t34}0H#l9j zfF8t>47?DNCdRQ8=OAj z!MskYiKf@gQ>ct5)TqQA?G&QYj7UCcHSe~sRwbMbAQBF(3Uprzm2d^pq)UHMX*!&= zsPtNrE;8nNIS)PC1uqkN6$|>gTnUQjLY9Ib7Ec&E=;dez-C``Yfr%NrG4l?wBCN-X z?oY$hPEm8$*@8C|f53rzDsIY67l!UjRIZ10&7CJV!o3Brd;r+LGb`Qm%&dn9BExX$vFX7q+JtE6ffa)@Bw?M?< z%FAIG`{k(fkYDz!!a&TEaqmU|riOE6m>_?M%48Ov34e*ELnf(`$%cDYTV-hSq1K%m zP8eX0)j4`P@5ix`K}_i@i4W%6bzx^~GN}DO)G|GSz(>L63$bh$yoWjtMr=`vM z2B#7wg3mFPc$ija*lrx0S)Y`ZJ}^1>;DH>Va!zq6Q!}*0#l=$6lsQ_Rm;tUC@t){jq4^u+)- zmr^627m8CL>4Lf+A00khwW%MiN-7*fq3!b^nIKJCb;+n zP|Cn(sO^EDJH#CWb&E|5sv9Ee-`0j~BjmoZ_^Y;L3?L>nm18boEkGl~Mu8^lK0}*V 
zccXn*(1T}}?|bDQ=$JkWz~wi;d%XldkIWCpcw`vPS;uHF*-4~zwti|b0?g%u~r@#s*?f0xOLU9u;m)3(^5=pg@PH3HN)4Q>Fs>*^(zjXHT;p zU_`W+u3Y)F?s?(i)^8CFnRR4EjW~_(d`R5u&@1o_!ogf9IuWBX{4f5hBtZ zJ{)%w0!*l);PU{AVvKPN2#&U2NF}bSN{lZ5Eh1ZIasGWg@B#I`M^Wzfx_7SgLj4ON zh>0Ji5$!{v_Vw{B7%u(JhZ1U^j{e7)5B(;YBIGejiVyyJyGwYsM_m2dP4Yv!Lyt1) z)*r#P@gPivcXxSFrxwsn=V=YDvC2iZB3^FsIGZ1Hd z?HiIB(HaSANZO!kS1gWbfu@aff_He@ zNPAXiIB@_+9|HcyRp@PwbiZ_312FrY5=lS29H(YztPjpM7Y>Gg*QaMFus;O*9<3q? zOxJK2K+vGa_@O5)1G4*srT6*jhjQR`bt4HxX~<4~^$m+#pPzr#gBVrhmYHyC?3 z%v5wFNuV~nRX85T-31u5^5B5zh4E>-MBF4iKHrVH^!6k&dG&@=S?NkXd=PI#`Vs|Q zvEq+PAV5I8K<>15UWDjOcE|46%OvNx$8+!$=}XSK14L*+{t9`by(2RuZ;Ijz5nLNX zN|9VE1F^-99IsLYMv*DF3L`~E#9A6Ojx?dbDeOCHd@18io%l8oAkag`lL_UnLsz6g zoRkI9QjHwLLXLRC?Z7JftOUG?3_#rqj|JArkW?R}!AoJw0N14~elT7Qa~8$1i{Ua~ zlzttMw?RX626pe!Hj?L4=8jvpHP1;`V`nEgtny z;g_8;KJe~`zALU@8F#-5^uQ>RXvl*O@rEJN@Uuq?;T6`N)QUq9PC%G)NB*#fI#9Gw z-1<=u-S~{bLSE015TWuz7DW4Gs;AJT4sY+l3$UHuFXb?d6k*`T^QW$4ZSLS2FP9t; zrAefbpUD{G>J=lclf)QdWaP-O=>C&BE#4WV3zQflv!D^|mmOS3APUESc3}0$ z^vY1^e06|1(p$)}MhMOH?PyS@P@5_AmRF^~CNL%6GJyq?&ETc?m|-#p7?cZ%4lY!~ zk`5+4h6-Cq>Y<{eF?B*4z_5o8G$7uM$wRU_3&JDkz$M3m!;Ue8atP`X1E&@xSuoIJ zalmmgkwkpPNIBsZtUruDvpd{ZthNMB#XuFIvR{jI=NU1;}I$;YwMJ zEj8VHm*Y`0c2vX@t}Q%jqVS0#_`(%UzF@{eeFE!TM9#C`YxNs44B4s7ykNGNXynk- z2ZZGVQTAh;sJsbNdp^_4EJkLG-wE%zdCf^8iGrwl>wUR@;NfJzbbN03o-2!P^Tn9F z!fgm?CM=X0>h%}Y#o}!kwDhD<4G3a<*hz5IiWP=lfSPr~$|#tpuztE?WoL4{%Vj|H zpB)LTyx$o2j%jOx%-rK@LzD$oS6~=PZji6V1*Hd$FMt+zg#bLT zFbmQqf2*Mc88-_cTnJveqk#{13l&K>zjFE>bo&kZ-;QnN0+?C%UO)1B5B&dL!9l_~BI<;%Jl>$ehdhy+Zy_?KwV<{d+4Fd`* z3ab!i1!6@Qj$`dikuW|g1G%>>0VEUpc7-0Q7-=_SW^6qOw7;KWORdk?I3wZQy=yZO zfI-EDF%7>lOF1cC(5AGIwGCl_00`d^TRGTd;j!}Vb81>?_-Z6;;}Syuie3ck8ccV5 zdwq2kmh7l>OEV8;1puG{gLME95DLYju_(!bBnqTL?*nAU28Zb7VTo7}3GyHYVGIQ+ zV+=6}0RR9&hKOjU6~e6@H1(_KCf2V4mLZ_-AET^~e6wS|-i z!Yx~wGCaZoM|iV$icqtD3AxzV$W~QTo!WJ=xCI(ZZ!Tn7>GWmrkMw7XUh`Z9kRHz4 zL#qSAQ-DFe*uo=$(MT&zdzVR1peXAf4kJq>{paNv+Kalu(Nsl^qNp#1BPY*`Ohwl2 
zzClb`eEe8u`G!|R4(`aARm)7KDcx~;hF!|66r)A=Wq@NcPjA8Ir8#~e0+*_B(kXy~ zTB`3+_a@Jm^>5*5kAE_H_9haz`;_%8i%Sn}q0YHWY#tZJW(+6%GCrelEKseP zcF4LYxiHXf;Qs2Qc;46s9k^#9iUI?rjX5dyprF~IlH3!U^w7&<(coW*a)librsW#{ zE5_Lm=7^nZ;86)iVlQisF}PH2o*j5=K;=+HbDQVu{~N}X)r4bkriaPnOePV%^69GZ z2nEns+GF52Sa$O;wZ4^4nw+A&2!Si_dx;|2IrjP2ScX?r;Lj&|oCuF5UWIv)QJNO$ zm8QrKyi_W?t^MNQ%gFbsNhW1`;WTK{_}oaPA7cFQ&k-I>OF~-r0!J?h?$>(VVolEh z)p>ifdCbQ!%C)uNDFR9-`1MdslM92{;>@G!f+-%GYek98j~XpXVDv1%2V&SSWQMF` zM48<*DPPZssOUAqj3O902zE6r33jV?e zoi^vqe|%gUCP=1Gupmn2i;_>`{@jXigC&I|p9b5=@w~-kLxEg0kf{HLw_lmEGVazw z@7Bfkv}LiVSN*<3DLcT2CflFVXTImLgFwfi+98V_<#LgLz&WLmo{o=Z?<@-8r>C7^ zm)Is?RCxVbX7c5eV^e%$Z~7-h$7oJ@Pm|ts=56tit)5#(-H}ogXv_ohu`Y0--NV{SUeOKuuf9PBG+2fDzU6r~aLeYH z;m|(fDzg+Bhvq;BvVwtpuvcl8EZ~#Il&UD7L!Un%#&9E>k5rrW0+5Nfsfji81Z<-g zWf@JCEil9!!zr~Q4(2~ZoA-Q-3*>XGPNPu>?I`-zM!KGhF$`FRrNMEB6YbxLG&j)R zbs&|w?yqt&&NnsI9}`fp)URh%*?s5Cv?p$Lne5!bU#F{gofEn2C?)kB(5PG%`d*R5 zu0e_?d(UH)SPe2<`x2a{OeMdRVtve{mX^!*k2&&;T8$<*+Nd{;`Aw9OrZ;>!+Byj? z%l~GC3txUM=6*Ejt(%H%W{qJdB2e5wpwOD7)F;K#EYfFYOgdgQW>C*nKuNbKI+YZ` z$Run7r}U%&V@WzWbcRlDU)Mv8iUd0PinKO9ZymA;YXbhOXcqK`b=4dO_kmcrMr{jvAdz}J~&&b;NZa2~2 z(TgZ3pVw z8G+jd9qJ8Tn=#siGcGxsLo_=Jw@+*3Y~Wn^ed4tzHWBenG`c-$3;|aOkLZYsQ-|3V z;AK!Dv4TnE4lM3FII;fvzCjOm&n`UnsKm^_e7gan4|1KveG(6BStKuq9di5j?m1^v zuavi@lEe*BVQ!0+wL9-bxufufmxpVf=I*8e!g*HHQ(~y&%ikLM^L%SemyI+P5C;X z+z#aZpv-7V|I=R_o!)JhchU{G)Xn}%6I%XerYviFWYz*(qYpR`|3j~#H)q~|6o5@0 zLG&|SXEhTK-Ev?{#c%jB$XCxL=5*13RW`isJPlQ~uQ=EXc_1|-2ctpg+*0CT)xMYd-BuM@KYMJMctRd`V8LC6j%Q#*%Z2l~zpD+Ic43 zL`1oaseFrYuA1a8>M2XvybbhL9sJJ$->d|L;0B6{i$MSv0vx@I{G1tnX)83;G6mZw z_*~&DRHs2W;*X6C8)W5yMo#7kcHj6hp6lOd2VPF5T;fJ_&(}y37JDz*z<$0Eh*4X znNMCmc?N&K|M^gPIxR~$mM?UofWU$YOS*d;XWaJUNhcIVpGqjdkScBZ5BEV{to{$4 zv1e}D$zd9t7WV_G6T37O#^%#g=B0sWe4*)xZMtzr{KLX_ep`aUzOxphcQ6(vWoPoD zA4}a8&smSPgAH|~9?yqE#LEYkz(2h-@fUw5VUdZxsU_Ok6&|}}5PXNf z7TB7L@=}UifoK{^Up^u8e!uKbv$L--BF9r|nVBk)C34TyFBnb{!nWLQ10)o%35UD< z9T<5n`{WQYfytS2b9siW<1q411K_@Vju|}$W5Kd6%t+DWeY@+xwX3qwB#LWzZhI0H 
z{5)fEGPYO{fr0<{7luJZ_|2fN*ih8^oqM6L#*{@d;?czb6IE=b?!i=V?4;l&b5e|3 zC!t#&P6w*1U?ZQ9eymi7f-ClBl2hH&RHnE%f1W9FWIq*KW}hjF3uG{SYVYor+3q>b zdB6ZxnCPDP``L9k@TQmr6&mX2;jI^wTxy42iKD4&-qhAxuJyHT4giBY2omNyG#?Zyf}{%peH`pO6xRBdSECDYnr`TzQm|| z6!Eo5Z~xW)_4}r-1C7iVI zzY)DzUn^qdLbBD%1=})<4*5B1RElEJ7s8++DCa}meLCzVShOlfLUWiXA-c>QZ&>Ec zj-Bt+>s4Unb9rv=K7bQd7SN-9Pfe<9&<`%dCbw-vg~JUJ3f`7g*K`oK#0CMA2P;@3 z^aQyb>pNXTI(n&ZAPqk6aes;J)PVr#;|#I@9+@!~Tz3(ZV%8_&NUH7#zb{1T4af}A z`!z8Hm@UB6qu3R5CX}ykvo3v@2M!hC`2rLDw0<$$an+w&RniyaucL|fn&r_f>Rxf* zl|c=%zF1wBU@K_mnmz=)7ZlQ<;BWOz1HjNp0*MvRmH8zzk*k+$@DPb4kS$vzYY!JT zUwNlJH|Ny{Qq6fNV=?ifL9NTQ{(KCyb^%CPZbAMc@5ieHbx5560*UJN)^;3%Zcz^L^Z<>M_~PGQaz~ zn4go2ynK(b`17BDYjYVV4_9 zD3%ry#fr`HBw*LKMoo{=0b;L@*zXI+)h;eKTi5i6{;hDs;tXh<#J;u&(j}sphs#QD zs#HBG`&w4;G2EO7SACqKALK9hBZVsnuz^#wTrfvyP=#^pTb|4W9$pr%Fp3@?T+r?V zgYa|+O>Pr1ewFIU6TQCV@QPQcNE?hj-RW>-DhMGF>=V6pe5zkPh=tZFoSZHy_dv0J z!w{AAJZ79@=lCuj$n<}=xkKu9@=*NP)aL-#pfSi7te2k|{pVR|93i9$VS|JOp41+< zYsB{v5c3PvqS?`g<_N-oCP5y*T`|?DLr2MtBaIW?{bE$1E$oUV9tyB0nO;SZ(XM*$ zdo&bhJowW+KP&RZuLu1FH8lj1OwKINbF_+zBF60XRdXo{vg;NCzmYIx7 zbUCi_>U7J5GLbB|#fN%B*^LeKq^Y2kgtX&Z75lWn;LnC^5YNmKdm)mwj@{}pb zm*+8xVTa&w1vjJaAhJ+Vo|15&q9J!eQTS1UeD#wa)I;bxO|-T9XgfbwOfYu52c#~V ziw~$~85f#bylwNdOCs8rnesL@JMw_K5mg(F3GAsJqyT5k;fNCp_io*zlF!2UkfXgb zNe|GqsNiO_TD($8prcT8o}uvE_OGE}0DP3h89mhqot4{^^ZdzI?#Q$LiJYmxlDH8) z|C(wjdD_$$5mT$Yr-#TY@G&{{votq?+6;7>u-5Kx&A}H`-hD^=y7eb+Ih5}Bngl#3 z4P--WN60mHHa9MKWRx6&_zRp_uw>T1Mtt)$r&tMa*Td;}Xu@D$YkCJA)KksD(1~9} z%l)|O;QM{_27rBZ%kYgdAP=%bIa%8d)b6V@D5Q*tEkJ?sSM5NyFTR2p7WP3}?tXJL zCvrXrcNS>R?PXo) zfltTSU(q6fN77iZ+ywF`595XDgn$Nc6f^ZWeLH)eD?*-$8)~xy#L0ZbS}|!g88=Lb z7xiMAVeaYI=j^0mk1>>CNIB9SCFFV{#rXHLB?}n&Oro}uGcuyNXY!vb&!A(LBAcZ- z$cw!0I6+6gV5~D~Qn700i312xp8?&xAw{JaJ%K}S%Y8%@OlW=#Jlty|d28+8KhIAWuie_b$L=aoRgxnb*;f;8}-N5SDmlbl1lZT)+;@Z#1Z zSz6o#zg%scdYX|Q1Y6jelEC=MKflm_3M_h9a*2=9z7teEn4%~Qv?;Qo$(-)c_aSN` zkEs`wXIaWk?d#EWiHbLg8XBN`N;YjZ#lCu7NNq{~4y8%n5xK8W`*1;7OBStU6E8a> zbo8jw@q@FoiHMH>ea>I=gT}KX1EQ1;vz%3O;q5@NLOE`bO 
z?@)RsF&4ztujXz01nH{bj}l6Zu@Fb=6lQ!{w3JBuBrMU1znZsZakzZCe(6f@){hBV zIXBK}pOj+};*Cl`QgroslD?p*A2Kn4+FfEsYgZU*RNo8{7mBoWC}p1M)B{~Wnn}z< zWMla|=uqzcSV z%yYcLoUEU<_s}Yt*tXEZE5eZ)_A>YKLt_iRq{VL*6xOTi57WBLu7$(t zp*MfFu3x*d_x*F^F2>0h(N68~;oJdqmfg2~CDbbiTp@e_SG>zz3s!)DHgw>J0#HO{DRl&KYaRi;8vZ^%MY z)i4@=HrpX{XvFy#HdrtocQ%3Wmp26@6QuJRuE6~$C%-5#JLJEX%E2k{_tsN5A%^7c z1qsvRZ8ez4$46bPFxCUX@^L=9mAa*Ph%HhrOkY6P$z$EpB;mVezy1s&8DZLHxu1X5 zq2u7uO8A{Jw|S?8$yrF&yv&evJ5iVGI0tt5z3=)$(&J3e2+~GMR8ZHJO48*^AL+IV zq%94^%c;#zU_}G>L5}@j5fH#u(Mzu#Fw|uRlptx@^DNwSe3%-OrxC`9f^ei3cjMf< z&>#^b%mc+^ShAucxCH{K+Ue`ak~hq_p>=hOm=7@}7F}Hm4X>|PIGh`KrVttkT!=bOZqaeuzY9+$6@-CT(Nevt`sZ+v*xG#Q)IHh{Tt$cFPWF4diO>0<;F=jJYGrjdfk@X+P2)vJ zw&k!O+mRueAK2^*_GUJ42L}c|44aM^GL3O;N~UNAZ|#h|<6TgYe1np#QJt1i z#ns^7>F``1Tlvh`x`Bj&CaL~-bcx*V+V07Pg*8Lv##A8v5OM5=!I>QO20SjLK2gVE2=*4cjcq=M0ae3eLG{)M0fVm5Fp;9Bw*xdg_n~uhCql|P`1h1p zbkjv%BnjY2RF>yOVGgNqfNL0TKKDc5QvyRSW~q2BBYQCMgHLp_Cae)+RF>e(ydw(u`V@-hWhcXi4LA|evJ$3idNi{cYrG+&Vo7#>ta7nBqhv( zxa+S-3)Dtq*s+FxX~Gpff1`W9vL+0C)=krb16- zt(b4t2vvCdl%65z+=fQo;sO)261sm!mj~96($U%bD$lrCSi=D@W4Q-}&hUg1;!;zH z+`C(syKN9CI1i9yVQA=oz8V(+okvcuoI$mG8!0!DwikW?G>Pw<;5{aCa(T5yi-@#5 zpG6_T<|I!d+FkN;unx~qqn!b~b3=j-x9f+N{~15*yc~ej8?`ihzmQ_$YB8lP5AViW zn|0RJI3GUTs11`fGe_=L6n%r?;+Pr&@YQA}@FrCdNHAV8M4&OpD;_bwh9O}`{=3k% zyl|!3l+aB!VctiX3@9$dX}j@(Gp8yG4j0_)P=}=X#w2+xyH28j=rH?!Sf&2R)1GGu zWMbk>Pm+CLEnFq;trNLr<62M$7{yRoheHZ*`+J9Yc&2*4+gbMkYN?a)BjGNGQ zKa%;U{Wc8j73~Gj2OvX0S<1__dxNHFST~kwH)!C=qfxcSPP!Hm)!Pj7w?GU5bW|B> zB%QM!1f?{V6AgC zp->>-D>pTkS7yvt{JJEQWY%&^puZaPUy6XkE~}dmAjH{zRbWx;yXylr3b7A>9uS0q zc(yy(RMrKP2GISwC+Ko|&;gm8BO|3u-&ra1@eE8z;xK?y1g`^xbm$uMPPq8I+0V>{?@ zmpNcn;u9>H5W1M`1AN!B5a95L6!ld`+vlN+|7r(gLt(*a;&j(%=(@VbBII3-cN^cl zJeGT6FBlF86k8^G*@Ds8j}Ps}5%NYtx{(%{j1_3@b^ypZ!Zb97KG1`zI9T@zP5g`0 zv?j;nJ6rG|a{x#wp_HjL(mY>~wt7`&;{E~_tI|x&!o?O}uwp&`#HJxzGZTs^hPehe zF8`zGd)Ku_oPbVRUG$R%E$7Y}tS}Ca*Ek!~+Taam=%Vss7JCdoY`_S$c`|s1wmwJ)$dl4z7x0`#k^vf{CdkJtm%B;6pTmFUf?!rB$0ccgG9n|K?dFU_qZ}!M!=_B? 
zPE`Hs)Wi&#HNfr`hv{cIkPi>Kkvq!P{+UV;Ia4;KvT8fIGM8j7&lA z)B>JhUIA)avLEtrhC=0m_ouW<-@9*xNyEylNe&S zIQ(HL(#rH|wP+=_3!rugxN8to+e~Ms&Ko|Sxyb-12*^93F@+Rp=m3(E%j-l?ikmdmKr(olv}ig54mDR6SaQn!q1`i zF$}-Qv7l?w=>AKk1+c)>i6vDm4L$vBd0p}LTsXUkilNb=#^OZ1G+@DWK*s>!K9&Q$ z{a9-ekMs`N%s$&x1Mz<-IdNtK@KfvW+aC@6j&HcuxHP{_G;*g3qj-ZsJ(p3AND@?_ z1rVthOSZm0BNw^R3x=^X7uY-1cq0dz0IlagrJpP+^Rxd4q3jb}c&;d&Emw8L< zx<%19G80j=u~IVRH>Rzj_@LrAb_44m?;xI{;SFLpCxA?`Qn+T5wK%W!8dC>*2j;-o z2nT_J%8(%5fwrdu9YhUq>ssP%N@5#|*ANLds$yj>Xi+3q85xvDO&Hh{or1g}vQ87f zYOYA+A}^70hrJzG7?*{aX4#ghF=C>aP$)|Rep4Qq4dTUAVrI1t(c3j?A6i3Vxuhvs zY7S^nZhXVSrAO-9jWutHK|Y#XYiycNR_VX^a8}nE&p%%&%RXz`qvwrumuTix;a|&7 z81j5_KG@h-l|TgLx`R_4I}!+yIHEwU%~6;#=#P!0pB*}40!127kR#l?k-RSr>2bw` zZDEW<_iSleBAa#eoJo|yc~<5#WE(= z$b&lxXDa|J5#wFVI#vW25Y6f8Q~$RJio%xDg@SXFIJz1ed zX#gpaegpvlipSsO$J;%52&fcqEQ!4~zf+1PwBK@aUy+p-`PyJysWq5x=ep5?Z@#^J zi}BOkt%rpE8Ok|oL`}$pvVH*+_?45K{heTUmGkO;_?n*LcMRMY)G0CTbJ)v%S<5xJ zR6@~2bT~z+q;XGa%F-b+ zz~kgg6^`9bdIJ1OjL=*ACjUF1P;ec)O>z&rkK~EL3RK1Gxc<<}^P=lrw1Y)fZ zJ!61A?VB%WKORUmDh!3U<7oYQZDv8?lI+tKU_C#J>%J&frYb`qb#L3+yTy?c#gl~} zVPuTER8Mg^tv`VP%e15bH;!Fv7{^T(AV=ZTKMVjy1 z`GI))RoXnV2b}DF&%{s8u&y2vT~exg;vmacE%@40Q=;J4A9R1 z!zuu}hXdsUBpE{`xq#dPpZ0Gy!tyh$fJLf`HA#e?0m5V(Py87bP%`kRqMK!kP$Wl) zGvq^Jfj4`Qasr0J(%XT?WY?6h=ZL$e)_%iQgV7AEzp6|~Rr~bo`>1$Neef0R1Nw6W zNGv5326y;OPrA`P-4d~Eug=2rHcLx2bab|(HMbJGqLYF9S>U@}PHA-&(s`Tc{Z-by zTr45q2}cg>M%CyXmq#tdIj;`+DttUk+;j|7lvfrdvHzPmuNUATtBW8zZG?BGJbV@V z1kO%9B`K=?BiuI(?q=MDC#3d2=-)9a1)?Dp&mhvuaZz9|K)jTL0A)d#KFaNSqh*6r zzLocJ`59MM@6%makd;RdGewNnu@9Uakvmkp+qV2YB?mq4@ju8ZyC}% z>-o*t7v(FC*1)JpkJ=-~qB5_LqbTX>O2nk8&CJod*WMIV;MPSax0w=svdw1QhT7Xj zU-kQTz9tvkig92T64%!!>W|Bj^)IND6>cz!(h~XnVG47vJpnQL&cJ1E7;K$~?xTO( zf%={z$0Tnw`RZ3VPA9^TtJ&|(;+faJ_1rwKi9`qBsTDjC)Co5pD=lD+RGz`p(E!pq z5Pi7BI#ZFF#dZ-wHuonwi=4QT9{T%v?nabAv_doVHo)J7OG(2P+W(;mN$af(s zd+Ctn7#qg|4j+d?7K3|09DP=3!B1Eb@O>sy9JW(8POU(p{WI86S15nJk^wC_$iw&JURL0hGGfDLN1kYwMTch+to@sMP zVI_$J=soNL%q8XA_D2wkkiwOIU(2q3WVzex^f1YM^kehafneehyTizmIkAvu)=s6G 
z+Dv*cc?+mHp>hf*1o|BFTlqUN0A|Q&;AuYOqq*`d9HCID)r0#YU5mM{NzS?*tx&x(;QiF;o^N>~%(=r@nDp~{~xyg`0M-=i6#TE~~deGk(* zS|B?NHS27!p?JCDl@Cp1T?e;O*h4!7Hgaa;uN7kZ@7@-eaEctl!B?u%S73nTlNV63 zf2B*@v2W7sj{bV$)K&pd%77ECia)zqAa&@iu9pJA>_uI! zj&=QT_c^P3&9gxuR$N~36~Y`k!5Y*?65Z4uI!TX_Gk%?|cl`5lmCSKQA&13>7|S6$ z%Aw_ojcbOJ70T+~vLRvbC!Az9GR}fxd5%h}iOhQ4OsMKs=Td_uH_jiA z=dnwwx_pY8S&m8UTL2JxPj3cyo@bT|NVk^gEZ5A0s;igEXSrLjuH8gB=2rPDBY<750~~ zQFJI^ZmLLf*z%%CI@dS|D(h>-fdQbvYbxxFoPq$Br<*m8jiGEDC41(Ipttf=9%&6J zlM@!#W$D|Vc~qE^nWYGjWToTD_?#I)>*jrC<9yEd8LPG)#alD!;8=L?H?5{ee-f0= z*65^x00t3elgs5k6bm=?CZiK$W2p$$k(qS8@>ogQN3T*;xg60c!W|0z90Al+j(H6o zDD{$4vFYSV-rOi;07Jad<*r#Nk%vtS>Q%nE_K$L1TtA$haZf*A@g0C4&0+6Z*n__JqB<`Y>CadG%^{eM84P72r0`i^xIvm%2E%MvWhFglTO2sk-B>Sw>HwEPV{VTkysLQ9g#`I!WZ>)RNhMn+Jr#O7d6) zxwn%HjyWWsjaj#J=jVE1vU%n(c!=k2_7_M~+f&R%YM*l4yXjI1h9yQj&#|E^5T?r# zwWehPIH5BkHf@~10Ww)WG88$Yjw>Jpfs9$OmyWgd3@s+3^f{MLU@nqz8!VQ02tEY7 zVVjM-vXmO3xB6&twMhLyQ9m&37~ndyvH1r427tE+ zTVc(~r#C3e(GGc^Rw_Ke4Mh1?6;$uQS9f(ef!R#-tVNz_82G>m;K-Ql=vxF$xI)WO zck`0yMI!)DEpmY}Pq?U&v^?!^C}mSzWl>_nCuTpP6f+}kJRyFp+xyI$ja()~{wJd? 
zo7I{lRcr>?hSodR|PX>AZP8*^7$6G!a;{Ss?iuTbx- z$>(!GwwZR6#bBZ=KEvjgX>ejqlkyBpyDU=lf$=?}_)H*r1in#`g7}P!hYRtLvlt2w=1zp5i3||c=z%%)WqPRlfr6DoFqQ{A zKW7e1cX!7Qv1Vg;7398a5@twZx&hbiGXr&Inw4gP&nPzY&X6?NBmWQ!BqJO?hok`i zzIHOH@4D^zgIgP0k%@9_62F0$k|bG5Vz1zpbvE{@pY+}e?UPz$TdkSL_O-^&!tKOy zIY$EOM-f zDepzC?v~J@))%*7`Ne5}ACE;UgWt9A`u06b^-my$iGWVGz}E8Pyarx_y6oYg^?4 z#ApO!4wYJMHZSIIhYa~hsnApIU8h-if51a}+!I-06>5Cqgkx^-EVff*3RAVy2Rj;^ zZx={4Q0$ez`*XVhUqg{dB?0+vBV28d&UPbQO-Cg+oMKI~5z0TZNMc;r&ZzM-#$EKD4o$9cHuq3#mAqSkwm=}V@nBfYb zpKo?VVW1#M)+#y;SVv5g;&8unzN4?NB#_Hivs_rco-cP7W1sy7raBxXJsZ)T%XzlU zlZ?OpX%_tkC}-jiHl)j;3|(HFMgbEnXk0(A4H4rk#KiUm%0JFCy&6WdBGxVuBcGTZ zoH`>0!`!1M8;n5%YSHf`jnL}FG4-k&QEFkUYT8l7FwJH=_qY0Y_bUzR2o$xYyI^FL zbdex3fhKDC;|i>%7K2M|$M4ORthogh5lHHdAq&w)0SVmK;Q*}gr0#}uLGPs~dz9-4 zGZY3_A}&f|Nom&zAwc?FzuqfJQu`!TRWP4ybYnTJ~Z zFX8vSX6<0uxZ=OoMb|1n@&f)eSYobPd4mig#n5d`^~s?xrnxO+P&@8n zh(1fSEt@g3ZRz}MdS&jjRzG0c3$mh7c3^m^=`>5iDJ_9dJ#TNw?7t*q$o?i5@%5~6lMVar9;fV?AO5+|b?+~cDA8G(d4qpJ}Z zVQQukY9@vFb|()W69{mqMk9}DkB$rK&D1S}!|=eGc71{z)^ zi{AoY%ZYnOGJ*`~H)qm|M8gcY?wiv(yQHj%`z^E52$_lUy^Yd>Y8){W;P=+l5Jr>Y zj8B@&sjpIA41NLOb6(_~{ru|8>;^lpE z_%?v(#f)qWzj>y_Zc~Ne(4D`YCS{O3Z#@n{Mrz=RCv4gi*Cyr%Dk=opTLc^6QcyLK z^kG z6-LzNq;Zf^mAm31{Pp-INQW-@_CPw}je+YXzY3&oy>tM!9amW>SgAW$)QWh@O9h0u z35R+por6=%!>f4;+~1zV21`9PHgvd?pu;+Wnm-^tTdx9;5@x4GaTq8F#9^2dzCAze z>tpj(hLXeW#%@ns9#s@iNs)@Bti+0^V$`k0-}$lffE~v54`BuP5shQlBmz zKnQ0$mitY%@mSlS=DUOb)T+=hon`3DZ(4={8T7cuE9FOSxEN#0i)HQ$G%LoC17?A< zVI$MtLrqK|eiw-D1fgRbz%6NOyNN8YiS76Xo!9|I$EcIONM7BjuaKiyD<5ov7RU4E zc^7HAMXD3%pl5dC9O07GC2pg(H=qP)=ov%BFs~N4FOd`R1|gog69SGn;cmTKY`k+x z)C5f4NJ1yXytp!6yZ{{-x@PE3Iy!N?j&)f96$7L4M?P`tUS-n=S> zoDHdIoZJtm3I=kfN8&=iN3f*c-8!!>W7-gXllVoFAok#0^H||ZH-^J_D?QF}snM{B zxpJ>R@J)&oe^`KN+tCAH>qs-eSlXo;Qn7Mb{VsKV0=8#UxzN={d^WsN$w^pohAm_5)#toeh|a9p<%n6 z+Br@-4Oa8oTJL*02Oe`81oVvVP<8(OWcuwwZJ?KqDG4EmRPbF?;mw{2+)%s!&ecvE z_Dm<{$q0F*k+~P%xTC^yNpc^D=5|BB8$y#^Ao7EoY5z{C+Mi*)D@j2k@agjFW8#K6 zVbkpU744lS@HYjU9|K44CIWkB%aLc2jwtN?fgaiiM<4T0_fV>SWA?7l(F*MPH%UpL 
zfxb2^Qe<~aHa*mhGAw^kCU9K(L9b8Em0EvGi!8#d%Q zR_~v#8q=dzL?e}rHHqY+xlV`Pqv_@lA|EX^pL=PIyTeURYGd$v-=r0Aa~Zc)3Z z;@(|Uh;A=*R~@^zipHWxd1_yN8pJ#vRTA@|{VipQ3**Fsxa~S4SH+cqgraRjv>^E; z3jGy{W9|Myrh^R?CiImkW8d_rCcMH1Q!0$D|T2K)(|ggAKk4 zsvv%iJMoO#E%Be#eKwnu;U?ik=6n9ls>~a0>f1OIJFN@6-}Tq67L_J^MMpyYcE?|bg5H9VpAKGul7FvGsFmbC%n#DSn;JCKa5 zz}KHG2wT?k!-hTR&11=BVnNy-AU!ssj=G#k4Y4GSo_G*T4{H;tm{Jm*7kTn&6TXUR zd=O858%iVz4kX^tTj!j%NSc$HEX~DeS}vLcmb=Z$X^q+fbO$DNd6G;uCtGVvXfCsy z)~HUsWg~rM#N1sEAp~l032hYsX>9}h0@)01N#?UF6!F7`sq_ zZu5FE`XUwvCJY}b&~K(_xT`%2duB46WOzWM(Bd2Ai|xbg^AU%ZGmQ#KC2p=JKtIO9 z81D}?ewFLP6Rn;9wZQ$a8$?Hg*SKutYVYQnpw$`nQ-;N9;Dq!KpQ6JHL6R1^1m=g( zusV*(-XYpN5X3$<#c?WD$ctpKF95wOR1nv)n7hl=v#$0rYPyesP<{?le=7^W;^v9? zA!c3oSCJQTLya2fE}B;O6cOKs!XMT0Nom8piu|7=^;?9ETXDgytZ`giJXZ|AqW*Y~ z=Ms=Kzs1>EjqJw;!F8=@*#M2b$CRKcxye}XvU|k2hi#s?O!aWMw1;cVZZq7e`z#Rm zHfZm(9(Reh{5#@iySm$4@~~^<{Wf{SP32>-8^yolz_%O%t+re4F@NF7W1{jH*IWiR zr%~rK19BPO+Q-K4mTt-Ni*dII^IEDR?If?xe;9HcE8oGtAUR-2 z;YDWdyj{O#)q9@U89w*;=YKxsym`iOJgbK=+A$NBJa`snCO4ms2)2PX2=ax zeoH6m3$u29pg|f#R4a&>v!T=7ul(NVUK|*7q%$a8`I$x5fOOQ89Dsbv1?dd9-5Z+W zYhF1Y=H7f(IZxt*EFvHCi%Y1Rz73x*er(V;2XrK@h199X>hpzd-mS@Wnw<^oK~X@s=wh%ZB)T}PLkDL~0IC7(>H3nn z!)mn5z=$-xgMP@^xvXJb{E3{%-_S@l5!!XU*`f*H9y*#qLdpd8%DLzU>0ogdDe8GL zwS!-rxMX?I#bl^?QEE?7lv_jXC{h~iOhZa;MA&1LvZX>b5x2W)wf5bz*{@{!Uo0HC(vK_KBN z9l6qo9;Fj^gH2P@^oUE#x$tA88L-@Aqsu|geOj6}yS$uZLSiC2+uZ{;v6RTDn&~q| zOcFg!3G${bG@DMC^XXo?E9a>Iq)F^$e&~6ClRt<`quo2CfXPv-P6krV9&V;4I#sKv ztE#7N>9p_;OeTy1!bSJr~nyq3H}hofS5tUQh?=Kn-QBLKp)APM4s|nU;E< zw473%=9cp0N>h5GCge@6`4Sv>W;2N8`9_g5C`S;G9LVxJAFEPta;eb11N%MiQUmlG z5>efE_}CF(=2LlM@(%G$oLGRCZotI<1k58)iDT--I7{Lh(0-ukgJykA;`I(gWYV_p z7y-f|Z*?A~-p4Td4wKGPlTQ%)i%^ zFy&Q^x#%AN@zcEFGA`zj;Y0Eh75EFzrcKIIqI@7n?;ofxls^L}%3`(f7gY{9rNWi1 zBz_?yEnVM8jz~t8s(dBJANp>o?Iibc9=x%_IYtQ(<|k!CyD zL81-z`ZF_9cDii-+lwTm9$vA3G}_5aI$sGhDT+0&tR=}uN;(mG_+cbJ9036G3p`t7 zB!Q%LG7~52;73uw)lA{X8F>r6Omy-CL9ZX9APcFpsh=C(LM5H-B-5ko%ccD%pwD!6 
zEqe?&drL+PxH>?fMxo}#&FvBc5cK8}rei<}2LL4ZQwM~EzRcS=YAZfnZ7$gu*Vt<>HHIAhF zo&;?$v{M@iBAUBS`{7=Ei3AWS@~(T(o9C$$0bj5<0h^=|QcC(Si?=fKpldPCX?E)P zjx`o>`9kS2sY|=xwKEb~M9O>&Mebz>Bn>E=gW!7LT?4718VDuOfqR;QA(*&$d6q>Y z&c|H1GRZ@{NC)EN8aN34tdN_Hp)T~XokQR#qvH9icL0E~osb|3lyvN8)*mNP1 zwAE2lSlX}*!_}RTS}5s5Dt$0X)M(&%5OC0*YY$ChVUeT}Yu8?;U}%vwCWZK-dD_&cnRihHIbd^xWzP{ zl$$dE!+OONNk3W}_I9(0z_5ajV{)3$t0R_TU zH>O-A(0^DJ(8pgkH=KlxsT5&WabbQ0g|I&lhg`zK9v}QKO&Ts=fNkFLYE=TS+t9~j z{RDXmx5-!YOA4RUVe(?$PulhVBf z{Qd+OeO%^w0fR4d3KOy(m$OiMupZr;;{huO-r~r=vGZn2KoY%JDcGB-s8LsKxgGxj zN6g=|kIz)IzWf;nvfGZJjO*}YO3=Dj2kTo=_-0YRfQhqR!PaK6N%x*@z6BZl#n=iP ztKBH%K2DS1(Mq#oEU2O}bM(s2A*y}VP35($ACdR5TlZ1utQ3IZQ)ni!wr?&B9s$Oarc7;_W{ zV8;#36s760=WY| z-C}S{Qyxz<{POL}|21+t*fh6;JEL&S8@J{TJTp%A|3;fF9uTc7-DeqIM($+q161$> zZORA3D6o&`gVt^H5H#So`4h!JlfFuCmKS6!I$Pn>#ZH1le>>9oeW2C*efmKFj7aQ+ z0d<(Ks{z1GpeQc>ud<6r(0D>Xf947FfH%(RO@w=_?=B$8*t%Tfr?6V?WK&$BRd< z^s!$|6&_jz%U7X9iR@pY>cvM_*s1+GBQ|}UXr`o(6<^R`K!JdmQB@yX&WO|d(7hho z`uLFMz*`?1Dv&Hx?Ov|FK89S<$Cxiha7ulJu|Mw=Kb?|%e1PP5E9q%GC~+fc0WDDd z|2Bg1Y8yWn-NmlTL$QO%{t1t!yZ^$=FG^CXrz|>k@^@0Lr-1`c#kGNaqHSP`Sa}xd zp&B^Qfy4r+!}h??kQ$29V~n~$7|R$*Mkpf=L?Z)OJf9SY{WmH{Uw$b z5J(^8swig(_(|8nMjyp4n(?=(QFov3YtYtXMyXUG1$r|nddfBh4|9y=HLVsrPZGW{w_x99bKJ$g8Z2Eo^mh9%z37y6R%5wap_s(_bzq!Cz;)i{BFf zD*S~35Chfhl)9R`BVh2H4jKbAo^Q}79qr>vBY2S&{zjtbkcF}bz7s*CZQ}<5o$)zC zwU0xwc9iw;WgTuL2zNE~p)k%{w}f4r8_>uLO701p{xi|>&*xCQL4;w%O(DvIDtOfG zE`zv02q1eP8}#ug>M3m>Yp(rhXjX~4ipt{|G_qhpv7Jh286h_DPVQHSjUwsEbkF(83X)-4LdM7{=`27Z|Rj^}m7NkoUXY z))J?sb@@Avd`DQ_9BMjQtv#$o^fZJOhUEeo_aX#lOD0hZlohg;vKa#~n1g?EXdMiL zMdpWUjDm2iO&3vZMpPGuKnzEclw_NnNAm+$!@`6Y3b;U?E!;t;7{e3e6w@IFF2>T( z5bj6u&IA!Y(>p8dQ^qm~@Y%sNy8v{T+_Ubot7@}Cro$Xw=`bpQWTm-?>|hyL#2y_6 zMTZW<$ms^|FD16{cnzF+eTq7kB;OM6>|@s!Z~xM@2UE)TobW%3{;O3_<`#bY<9VXH zNGf^ORXbShh^7(_$P5p-B#q$!8#lySiRE2NGR9pCS_T^7HZNdxwUOj zshRHIt(%0dZO>}gPXeTnP?lR=JMs2#5|?sZjXo~*W8G#f(QPuG^^{CMC~8)rSEf7k zxiY2M?Gd3;RvWrKgQ|~BGpwb!t^-I@N0wQ{tZl*2d?BW}F1Fhuu(G;+w$*LN)DBM7 
zNg$-wBdPJRy57YiW$HSL>w-_AJRelWCrC^P^yy_Cd|zAi{Ss3zE9hkb=r&r_y2_Nb z6c%=NQB0^KIX&WzZkJt&@KoZwq6>42t}mZh0>)QK;1`En@E4dFu?1T=5-Yr-40B#; z0wOd@ST0bh)zi5{Fa^mZIB`_+$&arhV3TeF#*;1WFl%Z8BR+5&6l>i+GmH;; zSMCU&(f4$4kQoV%ICiQ(ep8``-EB*CcVPC2xp>VHKLZt~F~=Cv0N2M?0qI)HI(P4> z>>_N9C7k-AG6 zqQ4aMm{3k0GtIV}3kf~ATn>!&c4t}e$oI;~ttsXR-LCVRtv$>^wA*w)fM0nKhqn=A zPE6|I4n?|sha+I(#k*xf8{XxR6UKw?U67Ouv-mG-xAFWYlz%xb7wUO1SlN)yyJ&Uw zFjru=S9s1I=0(|Vx4?U*dN{-%jsX8z^f9G)UX6xh8hiksa$*#i)ET|32*khS=;5v; zLXm-@J?wSG&zQ@Lp`Lu|=*x^?evCs+MP0z-&|rSd>b49Y`a{(1Jv_*fjcP?ulc%Xt z20#-A4O0;-j&uyf1_<)fX^O+g97*kAFf3lcD%BXH6_>9emm62T3~hPFoDYC_izpkG zV<^OA4~r!kyY%T{G7@;v29KlS>88{w(|Gj)Y?Ax{r!o!iYmQXb?0EsKs7z&9dUym3 zeq>;&42gT2A~QaG&8jCbSdI+xH%XQy%90Db4Nwo8SvdFbS%n?RMV!&gEO-89)917u z`2jR)3gyWn9tYgh!z3D*vSMbz8;JO+I`yYJ{uIv9>)7gc>z+SFHD|7Wtl;bxI6W+b z=27Q-DFnQMjZa;|kIXeB*m|xt_|k@M55eM3F>Mz)nbg*!>9(tnZX=R)`!!3q6T7Ww z?^$)b$eY)!?O-inxRaZ`}q!&7)%aA1@xrrOk)g zZ6i#ox_!77{&VxJx?VNQ1JUXBkzLy_$fr)|cB5}y66u4qc02a7+cRvx*Dzq3?~(Sb zdcKu`{dd%DBxhd8k2!RL1p%@KY#F59wM2v=PC3Y+l2EYuAlQF$gbZNUdbt0d@u3GT z;9axKqI5pUk^gbR3!(L{cHK_&uLf9j8`8g0nnz!8C>xvb=fa$4t>Incx*h3>+_3Ft zQYQX&M7Je<5F!7n=UKnrh`AKj7l}3NaPbTRg?v!G%A^{6kPc3jXx^O*vpC?_Y!tzo zy>dmpmP@@CI`wL`>Jy%bT-L#6R=wbdzBmOEW^Wa)>-1~|evyq|RN}_d?r32R;T66p z;8$mFBJ7bE^nfkz$l-|q0|>!0ym=*IW*>cDX$5Wp^1&G9F~fK#?efHE|2=7SHIO@! 
z`9XymWAydP*`S8isDaTzD3S#rd8t-MQX)ERX_is7Y@k)jlVq@_s>VRF`!eKEMJG&( zb3l8h2Cd?9j~_mX$NykQ{`Ww1YoO6#t_e|yj0DdEveKdu*i~5vfMPJhcCI{d#W(>i zjSk83V^?X@36V+2l?(`pB_6U{%!UIM_=iOQ6lx(ahLnc_Y8rjbQfA%tOq*quWJ^7G z2n13Oip<>jrd1!c=_H|uigN3nf52oWRCfBqM3*Im)ex|RLK3s2n4VaTh=;^D@i+@L z%kTg#qG^f?YRVBG*9A|tQ>#%Sju5&gLS>;Gr?}PtOT?aU zn*3)CKAh~vSCBCK%SRCS2%-O*!1Djv(itbw-wa0#iUExz$77^Y`{jt99TU7I~u;B?`nby=_ zRrN6k(7QJ8N8#+(3%)#`$JN9>iwDaS3Y8DuLS>HsUJJwpUE85Vk9CWe zm?V44OgeEBftXY)z)fC5ZHBi1GK)NhvlM1_69G6|tyhqh?S&zZOe08<+U z2&FMZBLe_{V5F#I;>3bsfze1P7?1;_fG`vahXTP+5CcIF17R3Nfg}lX3AF-&p*WqK zmq-AcZo%1U6A8fci$9;R#Lx-Vr_AHqm#!%UccZi1^02`L%k?bYQS2_r?^#!8aN zmcl0^Zp`e?rs=uDZJ`}LLx_+NZ?ssHImu&zsT7oJ7J`!@MLKZN;sRoYDEr?x>_N^> z|4@XB%T$B4ynvOE1rVv`tF{tyAJbV-2|)Ap8f}%PJ;Jy2A!$C#`+ts&3(yEKfZEsX zpQm1Jt^zy|pYP@uSF%s9?J3$8E8QeDBX#|r;na{#}b zy9FH9T2e$b0|ih@aHQn{Xdo=L?%=7ZKxFz$A>X6q*Re|^hHeX_Lj`&FL25LLI*pS816*+xgzypoHh2BMTJ+TG$Q?4g z7`lNgQpxku0Psjx*S>G1j zAv@VhS0bg-oaW50aCP7h1cw~Yjz!7DBcT_{Al!QSKW|`;uI;u2v zVlche!SCR&;PRMhV|34uHn{(BT4``%rR_UrR7yacfA@4N$QW7v#0Uh{(m_Be>MpcP zg@Q!{NAj5vioTT!4FE@pV_5!_qLK(+xbk8YcIvMS&SV_VfMHAgl(eO_2tAs{Ns`vL zg)GPhrGqfKtHUMe*3k4_j~&jgJoRGPQ$9RbJ**rgobkAew#4OgrLX27e1eGQ7EHv% zf^dl29PTH_leb{+huXzSUMIA@A7{`TPE<%(>B6E$T&o{7HSgOFX5B<}=x-O}IfqA% z*}6Dqp#zW&5c7`^ic-VAFn~%lDnm~Jxky_mt2xdAw%d6!#I`vqn$JF8w_x}CTCoYB za=geAF5sS64qCnl(cb3CcPM&mkl_d$umo=q5wUVZUc_%61U8@<3?vN8-;jjb(6t)@c%bA5<*B1$fsBAcK31@|(9l!*#>+zNMyjPw+l6Cv= zoEKrve(9+_B;bLm{WyFKf@BFGl$iu)-IigZ2cdttP2%{PExlYQJR_y1d1J#}H9I)c z5r#!%UMcc$iX|0jZ_ZeXD94pHsz{&LCcOe##2;Fy-_*{D^s#DYgRun#C?Fn&Y6&zT z!VzVI;R3`7=j+TG!R;J3DN5#}h{uCX;Q*zXNa#SI4cW6jz7(|ZRj+bCagSwt(t{wT z1i;Xahtd-KBo8esZT7Zlf2)U6fin{2wc;Wfu$P} zse>;P>3NA*NOnksgd%e0c7Q-`qDg(pnGZvR&RB6qVJzd^(5onue{@*}s^7nq`@toN zXpA7JWkfF=#y$Iks)91p)E+6*15{sGPxbW;}u4@5chM73gvi8vm=Yw#|L zp_?hqpPbJkQ=V9(&E=W82J~anHF960gcU^R z+PNiy`|O9PkKW_G0`E ^P`GOcGNX|d^)ePi`VXBZ+XBPZ})Tas+2APyq8;;`me z!SrklzUkPLDBlgIah^b=Ok5mpM|C4GFkwYwgZ-QiBwdmh?c8yY3N9{3YK23iSp@*O 
zr1Zp~nClV63sUg6^g$jmkI1o@9~4FeeqZ!~N4Bb{%C!xbc`MA!NJ?ZIDf4g`Evo=6 z%lu*_{Ea&rX$0&zaD=LC%V{WXjH|ixwZ0!?8oAj3Sz-s??$_$dbER##&lZ~+-;9%x ze2X6Nfi=3+VjUPhW1+z+=YWwfCIKlr-1(j_MN+fG8Xno^fg4&WiN!%=65MnES3y|Z zI-nfwQ;Oa91Xc-iPWV%(Dc!g8ljNo88MRX-uW%;=moX{fi>i#v0fRFzkfkd68~D0I ze{ali)>DlhG_Sb!IEwLgX&?5AQui35Al;whr~n7^x3`rrjw`Z*2;-4g4oFpr!(h8K zjAcOgjjj+aW@VTb8eL}T)GbbN_$IM>?a?ey^^F=fXvza2XtvhH6fR)opHr@@s1f`r z&(Vx8zm!vX%dHItXaf%Ct?A+}bJ8Hh+i z*+yyAX0v-cwVl+XDhA6@v&5NXuv$5Ekg$eN=}W8$glQVrYNdT3R^W*kT=N5M_V=Dx zy5Cb0tc0PhPjiTdOH_FSlYy{}w+Bb*0oy0fjz!D!t|I&GSt8CD$E0<5yU zx2A{`|DCIz%9M#`w0P{Wpv%{L1yNwXwt1#BDmmglJl5IFQMY$>KyaDh{Z|rzeeFiF zm8ez%ON5g@N5#CU)r5x1UE)oI^0ftvGCw0+F5!`L+!nf%bo465$D*{I=I2ImcQ$~PbuW8r>$mMo(K(9$U*G8V}x&%T_Yd1h??Qe zlvc1L)1dP39?f4WxipC+kfi48(Y@7$4KXHUwP0pVWonj{ugctdd<2x{zm4*UDzZ)j zj*rtNq}`jyhQIB=E?Q!-?4i@M#v-9{+=H9q7NRgVG57Zt3{PPvpnt19tw`KpJ5e9x z$0Xa5Cj`vEUfmM!0`?x{wvERYQ`pqe>RL66`XPL+3VJrupfqDdKvB>dp%F@u7~@0Y zGyrTJYqvWfOlaGmq#Qn1{NP)~6y|~Wa;O;gsEON96F(uRu!>T7I#t%!{61ZDhxxfV=X&2Cet>s|_q(${fNf`+%5qWUDGc)`%R?I=epengQN(^qV%<%lw{+P!sP3I3LD)m*6@j6}nMcnTiH?9Xj`n@Z-zYGBN zTWN!#l2}h-o}Z@@g%oUf>X)*c)#M0bGtM2RFlh+BzdXu-($03hZz1U;0UZDWp8j9l z0g(v3RT>U^r-6rP%t@Yd5X;F^ZhLEcvDi1)r7>9Yop6D9MYgT&WOTgO;IW}WU8@!- zUK9})6)|nGJg;*w7w#_vTa&PP_$6cbLza-xl*Vc>!1gY}9fT*nVP)jj3p6S7%u)_l zMR6?Ag9kd-U=_yUd|Zsa(UW(|YB!UluS(YdJNfKBES5;N`g4{TUlcvt3Hys=GKG>m znAGQr`P8CQ!(0#3&*Reuz z<F^c@4`lXW>qRsS&2xvrCBsT(z%H5em znDk~e!p}nfn}HpwPB@xRpQv2g1Jx=0Q7}ba6gN!kEvu=Yp{SC%WOTu=?IE-?2)WlS zV?7JfMmvH))T|X^urJF_x5C{oG#ZkvE)=TZ9%G>LLSnG1uc*M%T&K=wCHlrvbfa{# zcD3XPP*F7<{x5h7i7Rfw_JYhCf`TEmJexn)MMX~#f}{>ZKTvHEhx8sZ_?_Xcq=|@K zz_s?s2dNO*kC7^(+-C^F-?2x-lt{!3Ydz108P!QCKzCN=ghbKM6z}>LL&sYhQIiNb zDRQFPxGXmK*KuLQK1M@TGvPh_!HCCll?8NslDnX8d17(UXViAY43Eg92kh=;X(lB! 
z#k<#l4Py#$UOHVE`O{GyznRomqlfZ^;OK=gH?z}~850`DVNx2DGW5&Bz&T)Qel zG`^{@s|Cb|+pQJGokYp>sqSG^PvkVe*Mra==4wExHuLiV7pki5?Bb0^^$ZQeEnp$O zoxK6F)Dgh8a>FJA4=2VXWgp<2vHfn5-PK5c*K7_53aD6vxRP^2Cv`@cAz5%UwpK}a zO*F+uDIxnGEdRT;EeG++pxWJ*Z`O`6P+$g5G)r`#g+tyZg~IoDo3jTjYLtB(bebW@sp~M7O59aPU9rs>A5M_BCSVo&5f<=9^`ox-PXB-xo ze2^B1spH)a;v!OAr2?$Q3p~UntfCuKjd(Q-W`D*<&BdcZn6Ht~LnmB9d@iPwIPlFj zPKX)sIP{L)1F1?4b{6UMcU`(ZC#x(+BA$HUTofII{)aj<&w}!1D`QyvjH_Fl9@}v$qs&_Qhw<~Wmr6mg}!nZa|HNtc}cwoB@p$rI2)s6@8iEEIua)vAR zEl=X$`Wg!0a6tM@Spp|d)=aCTD%kGw#(Q4odd(0tOO78bQPO*)`>*Fh(Tyl@5&;H8 zZRi4e+#NxX4c+a74x0&!43OexE7_-(r%(hr6P{Qo)lDVQi0@FT8{|5cSd+%PAcL|H zZ&`Pj2wjwik!taQ3WQNLvKMd)7Vr^JrUVx(P{+K|=ja7&kTblZCWC3YH_scLoYx}$ z18w{RmABSPDQpoo1j$C_NoN`UxX@>h0d#G*VOkd#+}!>L1SBBE0qZ zQYg_PaD*KTaFKy9`#=&f^Cn`)t`4FTT@gka&w=XBih~d+CggEdetZMAw>+uFGy!=- zYn)iBB?UIm!u6{BMKaIBy}sp1Z=69JF%$~$dbB9k81kW(qcOgQXl~0$ZxR>LXd@V^V+<3t(g8q$U|tN{PG)1KQ-$HxaFVw?sl+!Rly8f;JRRI0 z9R*YXCV+RqCa?rwOxPp}ie!E(B4sf%$)y7?^-2cjtNq2U@G(!e1{a!yjQH73nlHIY zg&#)AO}8X`oRoHBBW}NypfQP8>(Z1JL4ojv_&^6Ao;BqXeDAuGe$)7lNpyKLhbuoi zAKwqa2Qp6g46wc)xSOT%%}fVu-fY!azkfn0n9ujSs=ytVK|P=lqsjh=)DuU$%`+bZ z_?O!^7?U=uOVNy!7k0KgRn`9hnuvd+U*z%5kodDQYHsg?1ODbDkMq8&v~9MWID;q&Ig<%FL}e;?xXY9Eb*KD zN2S1O*}DI1?>GFa4 zsPS(8py{18QKPODON}+K4NAbDD4SV=CfiPKSt*MJI`HyMQ(T!ss5-5>kVKO|TLs&_ zr0DS93RB)Z)hS6<8s4}aDQNvR#&hU9`-@Q z#KT$pc}?~MFBA<{UgqF{#7$dm;@M1lHC)&xgbd-OI}OUa(;vXNy|%mq-r9yPKi!U8)$OW5}~jNCce!Dxy3J_+7?qL=YkTEH(Nvr711lkM&-pEkR$12lKw7(tP%Hw7UP z4jQju8yqT%k#2ZAXwS`pjQ1?elwo{*J5|HWRDbh10(S6Bnr1typIn=IBD4106f>-?`zmLOThy2==Q$P$}?s0TEWk2A2*208uquYd%fryL|5DZlYr^El?|rCC8l z;@YN$`_T;5l5B}@PnKR-=CfV&^@?WCl=m+2W6@$yHw)-K5tucoOvIG44$m!$5ET0e zu#hm?UZry%PPBFjj11jIjo;as4v~2oo7Pvpv&YrRU5^mV{Y42*}3ujdjx1cH?f3DBIu{DJBgzV@jI zE8}&pA^m!%%;%G)^wpbLg1q$y9GgZpi%p{RQ2^#GBVlm7%8gD>he$2gV_kj<9RPEH z+oz=^O0>*A@a{b6xi@t@sxSt?#y9=6Ppx&mIW-WUiMR=8661k0e301Q(%uk9dmQzHJk|NF zBIn$Zp_PsACY7<3uYns=Me9JGTNcf_{091H;71is4VxiDriYt>@LUUdj3XZLK%7Xj 
z99J_8-`hey!0l)`4hNdbS#|8`z~Ve9s55r5=T@#Judb(##&n5=%BLxxN1<7-tdfxd z8EIX?I@t*N3iSbjS`YGndMh9L2WQ(r2bS0om1OkcGTyRxP}JbLtU{82W(O)sc>R}w z?f8%aR&^P#Z?Q#DA)sK|SdB_HVbM1wzpQ}6LyYBIf|LbBfUk*vM>AyG<*-{h1#!nR zCP_6gLN2)cx%i%i6}a7c$?==^$wSbZ8R6iJ*^*r}(0+GwCTYmD@38gu+T*q5?G=m` zv6>cCRvRH1ZHj_3$T9#N##!dE;s|rL6dc62v0xdOWPRivd6rcY#Ylk~5jQ*WEN`mI zx+<2B0hOQ-kCV6t-D#+SkREQy~vIp!N0s2x6Pc{$`&q)We zY9W?mMOp2(?N}^q;h?a$o2~Q_c56$ZJqkt4j@ce!+t7i)+C4?!zsBYO^gz5*?gZ}y z!UTsexcrULheeR7IaKCHgmeV+!XSF#TDiC~m4M$;8v62tb`>15!4*;@Zss=f;bFm? z07M1U=bEI!iAhe))t{0R{>q@zb&qAq1MXWqX2;kbii)Q zls1<%T&nHn^p{=U3R+Bd=Pkpo@F}yhEz|r_Wo^58vcXWhOR1S+6_(2!eA`QgJruiz zk$tIsvjtHH)+F3sF7I9nF!md~FB{*sW;J3syer+4tKZiZiJ%l1FjpF0;Ow_mH_|rP zF1D^<5p?0|@wY~aZHPn|YJmkYf9b-mgLI_AFp%5iKoZp!hxqfCOjuaVYx#7c$YtWU z3}rDq1C7t@{t^kcDaDg{k22w#cNq)uS)&IS017as5g%%N^G4;|0!qzWj>BQV;4T$V zv06oJ{3J$0b1f{D8dJ4neBi*k#f-mpY|Ie1oYPhf&k8?2MjCGr9ZH%ZB4=8Js_2iu zHW+10t!cjI)|O5kt3`P&o7(}J7`iLC^SAH^femCUg35nUz@<{eop{aiw@ALZH>q$> zaO&?Mkh}JiPaP?lwDZ5v(UBE5&!%O5v&)D%7P0qSGUpjpZfizv*@E1KrgF9}`Jph+ zf0pL?4rGscmh(Z5^E%kWVV?1A1`Yj)bH;%}G~fAQY0 ziZh@hv7XcIH&0l_B-H*(>eSGSVR|r>afuGUsmN`VO%-OAZ9;>;8m>k_`~^~En*jAIW89a~8*^ZVS=?6T#Sr=H z)kaB=S`-<7^X~lG=)0ubx25;cuDa4q$`UUqA@^ zM-CIRo-?3aPdpfwF`V|()a@3HevLAf=`Y%yzaGl`4f1}aoP){&!n2biJWI(Tu<=Lf zHjp)L{1rU)H*MZ|M>}upL7b_(Zf`61_P1v%TTUN;*Fg6yKm`bnV9zPh zCw1_mb$;mFRBmSR>tz<|3z$R{{tjyK_e9_pJlfjH*+Kg3Kp_bJCZP~Q#SWa4^cRI8 zl^xh+YlGF_6m|Zx32wnGw>RBQ&vaA-@-fown5oK(0c5v z3H~bC+Ct`R@96k769A|%MTQPELGX781HHRR!YnAW}3j4!!9L z?=bd& zvs2Nmq~jtvvXK*SR|9Jn570kHG;0TJ#G!3yw)L_yA2`~NWaJ}J-UeM(F)p(E8YX7# zm7SQj52-N0ZSF(W?N{2oBxOU1F+ZW05vaulwB*6Yzk9m@h4GQx*QLz~D0h>wo!A%~ zJ=uw;+c2>icCsZ=%u!dIpYE!p?tNZs1-9m{2kv$J-H~66q~mXdk&%F*!s^VOwcBLn zzDLV7j&=^gYCjNx>m^6{TUZB5RpZ|CFeA!rm+UvD$BT|1c z9R6IHzg+{iR*4H)RteasXb@Zc4I<&$!2y=8EB*DFvJG%O-Q3f0eeg{<2MRpvpO(UGhGWyN{s?KS(Q8h_TE| zt-nI?=89^vu!REimne+CMUq_HXj#oJaJ|KXkng2a&mMwl*IX135g^M71t3dF&BCSa z-Ckh2Vfp}aCU0-Y9eNA=$i4-Y-k6`2ZxOf+!ThQ2De)m8h><3Yu>(pgTNRs;Gk#D3 z@D8vE;2F0v-HhW#Mbg 
zHJG*S2vsd+)rMr9DznDlr8-DQFdyfp%uK5A*FZM2X+z;oo#FEr0h^^UnVFetGV^SK zshHT2XqaF$J)&QncBSO#5&Z<=j`$^b4w!Jc@>8O6f6$u);)<~ve@ScNrQsOXUYzyx zOu{ybxShg@jJaZu?bv3mF*v-EmB;Q4CFRT%-vmjNR+|Usmwj#)kK3&)M#Uyq6)3zSgKgGlyM?+z*m?2i=@nDIad1(}0@*iV z+9BF(wD@8pv^Aifag7d!VG99a`_qg`$<7@1;Y z1Dg%SW(%=IcUYqU9`f!TvoTlWGq&zD5&OyLPRrYmLu0lW)I1c&E}`_s{Ym8EWpV1iY$D} zT7{6P2E2i&aU_Gt@)aVy)~1;*ye8|jGCjbcr?T0Kt^RUdpzKjAwP#2-22UX_R)Vh$ z+7nK7Q9-H}9dKjG5cA%FBvp_a)?k`|v4ip%otvMN<>#3BIijxLw4O*Zi5f*1oLFOu z;JLt57~xq24psUsve`%+$*#KxSl=}#$7hunGrkAudzJl#QW$P?<}Ik<&Y#Kz6zlI; zYS&yr64j=G>A^(3W`sV%Zv?-~Z5}k0Q+UmUC_e0yut5U{HBc+V86oYaj36(y_iBC2 zkYk9}Yp|oIh13(rZ)p0uY@-J*4f+g|vI@8tGXVC)4JmAz^k0VZiZ8hh$5f6N8{otK zjvfrp^;{O`Sr-^#-M$CoqaB5N4qjeE8f^OJ!^Ya)zQdM=&Nv}HO!LEdwoQ#rN_F2_ z+09EfkLv%Xyoc?EDW_Vmfl(KLqLnIjfiC*V4w5F|!hN3L+QKcb@8?I$+&`f7~=}k8XtkegD z{MDhZlU#941E@`bvMpLEjq5wtbFO`4?_~TB>IPf-L4*g91*aN*nbdc^Xy=4+eM5(? z;?oW$b%U=*Lo}N}heitru9t)!IpKT|NIvb$4D^otAUd--4qex|&dc(!upP3>!xxHI z+x)W=bqIr;xyJEpMrVrxg!vFkwqv2{2zs;?Y==%)S-Q62I>(FHfCeXZ308gZXP;_( zT=M~unrb>qxrQp77DZLhqcOTpGy{@Ef~X5x;irZD2tBU`>lyQDc-lLs&ldJ-qj;1W ze43~09b0?R64;(i^Vihi)x=lZ;QG(C-`0+A#PlKVl)&r^&=6Z-`OUhoZ zcImKp?Zb7J9YA%&xb_3GGwC`|YuMxZ&z-bQW4Ltv!!@7=t`>t`3u>_;u7kJ+qPrel zOJWZnEwxt{je$;s31IG~tF9qaNa?ON*L&`9{4~&APTWte-UW?!6EOSv6?=98F4sj| z^KAoG+SYj^Rn-yU+Q=T37oRO$bQR(K^lm2Rp*HYp;cPUzi{Nd)1+iY5u|T*fTpw{g zI3FN$jYRIF6T^jeqlta+-vVbMEX;>s_SI zNEtQ~(yik_EEHxQAg50g8SwGtV7x?PAkc>!n~xGVVTnz676Vb4jZ|j2Hq) z<7Q6VpC~)IRRQe1LE(k+75C z2zx%{WO36-G1Mhph2rq75}14lN}DcYS5dpA1$+4GCU)c8@F7MzT~noPrGgJqH&2#S zC)%6AbsOQaEj$+2b?h#}V>`M{x=^}LU^6~lN7$@S16J6eN7o_lZ85GNUWBC9>j&$v z5xT2bvOlkWEmP}Nhm|viM>vka1GB*+U=~A^BZemBSWmO?j#%YT8KS&nokQSph+(w@ z#hUsC)3FNh2J2v*0bfXz9IOWl?~QmOhqB9&1whFMaBL@43uaqE9FDEv5D;bpMqWCz z8F2Y6*-lwDw^J%?_+|inhyZ~o0~zMpPna6s479*D0~aM=#6HNbBQNB*%8pvH3*1jp zGWQcIoap(HvKEP-(7A(aHeOG1{$8>Tfi909nK<}v!-#_%(EFsAkH!n{19X1~A!n1W zo~%9lx3as%lK6lZ!F2zEtW}knsN|-?5=mnZRMwqKnRK`3)#4onuVJqu*PR*v-GZI0 zzEi=B1D;CTQ=uU%@FFK5@#CrN@m+zG7<$5vBwj!f&u+EIPlqvnyin=uI&KuT2a5Zl 
zrPq=0lRWL=>H|4?HbI-W%+w;T*z;_Y3pvW~v5XUFXa|pF^FeW1Q~v7q*`P#H7}D;q zhAm{MySD$*a{Rqp4!vu61hRz7sYt& z5BQ-ypJg-ci^^o%BwIW-O^zaShb&Y2EZYTd1RmavpNZ*<|2{s^J) zMm@BTZ;m!)482k28_@9t48T*iu>BE{7E&4=h_ zD*$Bpq&*Kq@hbYeKm-LPo4}9B{s1YAWpe73M7wf|2S7|Kv(p87RPe+4{;!G>G3RuMbB<|eUTlGt%E0b>G=gj2@1vPlKmAwKviZGSsBk_aPovvpM=k`d2~!AJw1XM^9+>yCsG%w z>J|mr5vQK@A|hbGQz3p-1UL-ZLpeRDAsklE6fRISvn13!o1xURUtNw}joVZ@GKRR>owOOT&ra{h}cqyxK2YsrAj6CQ*s8SRPfM#RcDGq%QOLm zU(S$84N{>&nd<^g8D2reQw{KFJ}<}i7Bf5qS#T48&Nx8c3eG_*m@K%=**8%AL>{h7 zxEApeo~p0_pjz|~q9n>dKRRajLKqBV20mlws{q%$V(DL5aY}*Flz9koFdDhXI=vyq zGEN&oiWn}O2G3hH28;}-MCdJNyH5bKD+NkY?1%&af&%1-q@m*hLPEh|p?FLl3V^QFp6Rz2w^}9qd<&8%ghD<0H6Y76IvKxb fm?s! zUr)uZfBYfjml-SddPF}XBlr(o_t0HBnDD#3s)Da+?=Ur0_UUkw+v~<+sXrv?4*(5l zmS5Laml2?J)iVEF>Fey3v8>Tz3)EMWT(tlZ^k0p>&hKd#EPom+KGYw&q2t)=Bl&DZ z_&h<(Ehwu}52(Mbtcq6_BQj89MyOTPj9i0__~*@hA}yLOjG}u3R7A9HoQT-&pV>B- z4TO$4(s;jT*{`#G=nXBlMN3b~BBI_5b35YKVnI@g|16f9ID#E4>1XPI-==pZ14j(F zsfd_}&mPnS%IhhMhpIyHj_87hQ3GIP28>%(tqBVYk}ZF8MT`~@onn)TR^B%3SA&mI z6*3>#K`Tap5@3_(i@zhp7oJ@{MM!I(SIy_1^l`Xa7I5pq7*(oma)962;AVl!@vyk6VethRSupazTA`y9{!Cd7V_CiCX@ya{M8sqACiL_(*@CfY7* zSSaf9^o80GiDilArbbcm+o8Fk!HM&(s%W28wIzYTDR*wO#0h#Nvj6-QgMwLS8s~ts z8is|WhaV+1xq~PvqYHVckzG15gDW>~>qK}Zni`3p)iw9(3}y+i6d&>jw3PmdADH=A zhQi1cSt9T6G)|5iOR1g__8xmF!gkqSm9j5bQPd5>Sq4yW6}lGUG6_bPrrg((m`s$) zVde^3tc(UyCIUMV0~su2Dj|tN@;heg!nK!^Bd`e&V=^+Ja&#hs?Lr6A1AhC>7psTeR`k{2#mV>~@TbVC!pL%0(WO?X)Q17MVtovnKkc`A z{8HiMc!#*fHq|r{!4fgxS9Kab%_4d2zm$~b7HeC};!PO| zmD6Qj51%HEHG=}>R)9@2b$s`vN)NJh6k|)w;OBnEgHl~ke0I=)$V88#SjV#&%>fgs zm8bnQ`Wpqg|4OiXz@m8u5wkmXPq^OY4Ge+$fL8%UkN7e=T1E5xuvLK*^VQH3lM}Y4 zj%lFzFSmW;k3uo!a;!d*E$#8EL9YZ2J59FuNHeMB2RfK8BLSS<|2{}DdWRa==b%4f zDh>#ffq7tO{^-JM!r7*HwWdC?;y?=UB&(S7*Q%X2O@j(2?h$)eeB(;BIyqN)2? 
zf+E)i1H~w@@TFbk*WyE^#Y}V8s%)}wK9Enbtotwm6hi?hkwSQui#jN}s0b#o?)ACvAOS*LMF=jCw}zfD5>TxN3AI_w zDf!Jb@3}jf@6>Ybv!v{#+ExmD=64&^9dQON0lR_@l(+cw3%Fp!-iJ_G=ZzqH znv{Y6I@JYwfV}f~HYAgU8rT{Hj;??K4vf5=sqnKAwf$u~e?)IaQOn5(oxV$Vtm%l3ryQx|)|BFh60 zbLYqMFgv%Z*--{J_>g-(ius}QsI|js z;IJlI2Q7g{G*|QLM_U@(eAAbl*$0-Jzps%Vi};CCJtThFzRI|Yml2>1{>ba?LJVlO z)MnUFypjJ0d=veK>;=bJGqz0++e_x)6z;HfPGNA|ahr<^XsE0kjQu<|G6p9G022Bc z-0s03(~!Hb)VjKBI2@kekr zxE7QnJ1rqK7n2RR8H!Mm!6=pM`f@8reA&c_WOT9uu9H9BJY4V6upTh`6 zbCpvb-pYQl8t#q%~ySC@JLG5Sf7fi=OSWkFY-vkVz z#?)T7?0VCHjJ2ry#^Bs*$1qQq&L%A2>Qd`)A zh;I(TkL1i{GtZ--?vlD?03f8MV_BstEbp zTh@WmW#+kogu+S)2s1Yuc@Pd!G$t|@-*nYwL%7?q%qtdrj#?|VG=d9g!rybE&$u#Jr&8h#!^IMVK^5G(BibAnwKeZCv(c6% zR9F2r9~HImq!<~jayze?YkYx-3Qxloi`QeO9@{Kbn$d;tE5_=fc`L7$zcCj(c0eBrx^Sv7r z6;MY;=s=@@*^m6YweCR*v;GH2$t)jX8f5dB{+%S_Y>YVRPq&p2t$md+0aB^iGn^^Uq$j~h4%0eH!P6_{l00Y1RJEDw0&fMe0N5Xvxj zs@l&YhY>bt*WqF-@goW0XRsoum9n@WDz zTjf32JvNyQQwoHfr#Sm{Kwc(|^!}1y3eeP;P3mKp;6^2*5ZlBDD$2OHA1V(yOHt;n zViIi=!)=I|Zz67OGoMkx>*I$*g+YRI7Gs2zgKW{>146BE&MTNu&O|O8Xxw9MZyUCA zeUo{t)**1xP&p5hY}Wy7ir(X8RtNN ze!sk?gQoUCQZn}q2}wXRR#{L_jmIAeg(;kk&uZbI3)>ba6>g~lezGEmZMrpmC=A&*<`3u> z+Z`BqGgrFU&Tx$VniBEsReHsR|MV+l5Ej__gKs-)|J*TIu7}!)ps0Mtkb*MiznF^F z+#K zox{#c!SWFxn`?ARo*XHZY%>6hZFJoYS(Q3@@51EmP*Jbv+o}=vSOe{vHyi zM_yrp3s;OWCF-&wf`Pm3>O_U~$~7Z4r(YR*9J+58s6)HE+j7rLn_VsGQJHX;S~*oW zjiOGjVk+DNRb2PO)Z1FVuFCm6M?aomS^Tr_%V$FGRd~~-zYdUroiQ@L^dH44B2qw? 
zgTbK(ZvnC4jlm7tyqb`a6wl*6Q|D6ICdmvS-gyDsm;hR&kS9bCAgoab#PllZOKT{I@?4MeFYVpTT(FOM#*vh1WdMZ{a3}37|};0HTr6ByAK0 z*Np5Kj=E#-UloMeES2j@&qsX~iPNN|-vctON`?{F_MU2>H_bp}&UQQp7bXIsGtCja zduOl^CW7URuAWV1p>@#?NHPGe3NOU6W3;&{+ypzWYqDb!Qf)4FoaR)G(~)Muj_sQ4 zm@Y#aVw#mAIs8y9acE5v!Yda2Fxo%ue(rWe%j%krVAaI8mR{tTms!K5k9 zzcB1kdtC}~p3-=~pN}!bX~M%8>=z)+RQd-X{Jy3q#+O0mLcsJ3SNfFEJXiZvwNF*e za|$lR$&X0+;hgwKh$}I|5n1p=wHRmvFG9zce8mxHo*3ncKKh2xpdYBn^`gwGTfq!` z0Z2BSRKUz&P&B3;3V*O$u!S&6vcda!!dVJB#kzVO@59F9PNP&D z>kbU2^q%kwpT~SbZkm z2l>J|!v#~W?fcj}LS%%U-exLFr>~^GkpD4jFq(GhePJEOGWlgV1ejCjkS9X|O*6A> zqF(yliTRohQG2h**T&%`LeG}KPf#@phfMO$`Um<%C1pJc300JlL1G6#(G>O&0DO$z8dT3&AM z-{yP6s4w93&bJpz4bVqn&W| z9={)P^l*y34bY4ifdmZLOaF;MJ8`r31US+NeAXUhm; z9g6cLwp~SGJUi}s5=M7}cFe}zFP0XXh>ttz~u@`GKb1-bI; z)-1_l;kMyX)FljX0Ks$$=j~{S&Dil*8L)5<3|=%l-qKYx99;0qr>J}rci<#bYS5RU zo1t8$RIb_Pj?3nJtArmay2GyKanEGu-MPF{j5&dPB%|BPrc~X z+ff<1&3HC7mmsT5LT`2BtB@qwWN`c&sQcNLp=O*=Gh(5AC+x4%sT7pACT>|HTW0wx z!~LYgonBPrdQs)AR)4+Z;9`O&GMj(vT@=D&t+)V@FReU>wf$sj>_!m!hQye>RnK?0 z>LMt&iSt(59ygy=ymC#xklo1mE2{^957sJ{;g^14~SWSg2 zhtdbx0yCebz6UOGV1QKD+^{sA$rSGAE(2>f>4%I!IK#%HwceSu_+^J1#(efGVk#n z<{s++j7bj(WDF$O6+y)+eLRtHto!5?-3o3FxUJHe4;hqwQMF`{g-6b8)@`|vg<-T= zRaq}~6U27>P@?SyPC>mJfvv0^n*Ob3V?QZz(QGQS?>WgI}t?5iLdv*iCqAWlEYS>dkF!0mPiY^LJ`e-^GNxtEHnaT zD6;z6QXK_$Un#=&bIQzJ^uI{obrMc0Kzz0>s#w7!BbmUkfKQfWG1@AtO`pH0B1Lv| zBO{^kZ8*C!h;%j+OqxTIiVl{+)nTp>UP4>AUh@dcBDkSNgcV+R`GBfYqGaDho#)n7pT?wYXppP z?m#JmBsm591b<1}dGbcQBgMUSq;P0tZlw#mK^GZF-syl@wG@wKv(vdS6`4!PdTcKW z3qY^2tc&d62>}4JPKApwajb2a!tS7?ROphot&AeArE6Lot3yPE2`wf>Wu?{8 zM&VmW$oN+X?!k=)IG%UvGBWDQ9?sPQiEk(T>EK&#b!7+srR7~4jyU(iAKKqwjR!nz zk8UFp$jG-307h~wFq|vJxs+6?MVza`#)lOmc$OH!D%Y|GUTtte#|X4=trdZs_Pznm z8KglV@@Zy6pY%awWDE5ZOD zDFF%ZhM{3B;b4R_|4xZxIiij>E@ z&@QyIpHW`>>GY%iAwNW2vrnlSd<2FDti$6oV{?rG1KR`;$ik2*BO)R)74%2Z2$f;N z4#>2oihbPtC^IR3YMuw@r?_`i%(x)wgy_NU8kLs)5oIe+(BZ4j6bJrUbf0{tB6?dB z9g@YE8fJ+!!w!Qg%xtjA57pTD%aYFA7=b7Wf!cd{5THzNlh2-#{L8h&eP5FUoeL-y$*VxCMcMESNMhD;NGSM|cN 
z>S6A;-2z?x&KhJ!8HTK{6=~E3^@@4YW%uAvH`lvoOrev&4EIA4MJ@DL@Xpm36f-~F zA*<0#_^wsI4`)U83dHplLYrW=9Zerd&#g>w2Cj>yhb4VB#=6`}ab7-~s)ax%uvTio z)o9mhG%%Dn+F%i@QT%lhJ&r^oh2BEfl~7Sf7km@t!l;~rQEQmu#@$5ju*6Y{zUJD_ zHi#LPxMazkL4{)eFdE1Fw~m}>&AINZ2R2ouSSmtJJ~M`H%6@Xkb3$v*rCKZlW7CLF z`b4BQISX~X7i~>XjV}5c9LZbYMCw3h9Tt%zY8zd=YBzJ@r1w=-X+T563`}NohV$1D zCeFo2f)eGMPN{$<8VgA-&g+w3TSZE0qFeM zqodc-C0pV^XN$={(=7COmNXe^Mz!xcJs;FcqO}U`M5P&JqN51pz|{l8quYG#V^``*PFI@)2(jN7&Hfb{{QUSXMp6IItq@Yhpq#BcHZp> zIP#_(g>&Q}vv}SC=Uw!(0IaS);?1+9);c75#U!AFal7(vjLx$7uV;GDr3Uyz5;Ojwf^P=fy%k5sRTgD_Bk=ACqI z@g2*quE@~I;y&t*7W(=!%X8!wUL`OaOQV-Jdky31|2xMY;r+^u&u9M00dIdp^pbRbjgmXbP81fYuj|D>WsWlnI3(1pL6>pUX%44SU1~I~5>7J)^RpFK;JO(HC7*IABg)bYPxI`uUA6Y$p zfHy~h(FzWSW02hq%D52dB?8D{y2vP@LBsrd>W3(JrXz%Ds6YlHH4NA(S(sIt0h}2S z4V92`%H*%ziB-_E92w=!SEneKQRfzynm&@uh@-6ZIdwMhn1TK5+COEBn5N~!^8*4<|JQ^YcSFGV*UE5$$i|XsV zyVxAjqR%9|@#vTI(1yJMOhgvR7`y#k`(Yxl6WOHU*xo)x%$$UR$r zP+&oCyeSWM8@AMyOxE6y)UkKHWEr*7JPZp@H6P0sS=~rnJOA6TK(D-(59fvJuG+!YLIpmExhp#b+la@pjNO>Rs`$dBENe(@ zjjDT|b@o4RL2)=N=OQm!*Dn=f#QDY@7Iim;1WhyAcbbNQA&yAxoRE-~tSwYJB5EzZ zo$f%!u6@OXcmhM zYi(qNlkX9*#cBBJ_@DIwkJ2f2;~oxL$&U>pdLF(Jh~R)Z%x2ewj8f~S6F?^Iw0fV* z1J~IfWCiea>*l_}9&hZgIJeZo?aP*T@@g5> zJ|i>8(A#q?@@ttIw!I@hHr|p~7VTyi9&Zs>>%c9OMk&;PmAfJ5Ag9Fj0D#ss+2Ejm z4;%3BGQu?EwIbD)FJ7C;NWKbynfIZ#`Ew>9idw#NhwE`@xiqsZWHv@zxf0w8v8d>o zkD*J`uQ^=Nx@G-qaaFW-l$#0ah6}Kvo)WCtvQ7(_^C;&N6o9+a=%bON>)h89EfyXU zA6iGP^k9h{AZ-H|zW;L7!fX$~+vcdw(v8aqzJVl9ZV^tlQ6R4RrA28Y%u5s}`JfG>jf z8l;_!=MX4$=3chQLa4DoO_1rL{;jl*LVkd`U(Ov$4abw&2#llv8gO_UJs_gi0gQo0 z>%Eum1{E+s$gco&Xn_JUktQK{C8nEmSC!u+2VP-$(SXO-`1*y72^T$yFn}MH18-Pb zDFdScrU9@4XkiC6!d_V?Vg_l+7|}Idy|GK1UC%3M@Z&J4i%h{N*^F$q7nvf-l4}j7 z^S0in)V&8dKuy9^DI1>9%I*qQAF5UUX}(+#traS~*U1 zN89aDtGd1Ij-W#?*UoV}6WWOU4@`k5=t9MFsUgD=$MFcVl$q3CZ{neEVIZ7e$Tv<3 z9I2jK=-i0;ylK5>h610i8^6q?v*r2mSPIsq=4pV@?iA8HJ!05K{ZTzpT@P8vZC>Zr1Z$KZMwrLlTX@d^jmBL-Sq-631bZCD3}_i|q?yZmUXt%pXPE z2D;GWX)0rv%2lOpusO;$V@b(JyM3W+W9XB3&N_bd8voQlju#MVabg3%o3`0rvA~?P 
zc4{B9WFZ*#iQNW&L9L7x?qh&h@P&w2Kpb#w_k8rg(Gzd{@(a7%%AEV{k$Ci^ICrol zZbw_X1BMlBZEF-v*Y;k|d!PF4H_=H!YUDoPy2&h!_{6Q!7z7Gev5095-Y~rF-<#1I zvRe@BCW?ZF(NO_|=AtQge})3{?-H}LapA8H%NN3H{L*MHZl9Ce@vWWBmwTsHW3Slk zwcElhi@jd4UAk1aN~`qHXSh~fD%HdEnE9jtO~DtSV1Ro=bF?P)iB_0r!@$XsWxJD- zL<_$!5UFD6=L@dMbNr_z=ARM-!Rsed;bqMT%f2ty*=T5EUuqSTZoSkUd2-E3g`cPU z#kgY66#K#}wL-s4JSB9w7wP5;0=(6sTHe=0Qg{qA&+#!`hmOcz*|=OLb#-%pU@%_K zU-9#JHk?Y%VNWFrtMsd-u}d!WcOI1Bq?KAKD&^T?abZ#M5JPyvGWIDMDYvIe9U4t;P*dac8v7IpuQTio!FYKg!@wr~Bfx8$Nqs8o8R|@uY+gRm0RuND zS%eXpn1IYbSw~q|S!7u#vgESxvIw)v&8lV?6k}6H^Gowh)C4_fX-+36m$N!W!#Tq# z=d^R8arVjErEo1VEi_$=hL+rRs)~mvzO5Fy2|9spjAD1I1TJ<1$aZZj%65%U4+DgV zer->|``iu$Nb(`?!9ZTW0vC$NQpko)hvc$winy@;ZCi{}Zh54|AaEoyq@nFqG6D_Q znehW4m<-?^UENopQ(%IvBfA)-4qocm;F?@0o10D3DXYbo!s-;q8_%q^Ho97u_7H2V z^{Tf4%k!rVsE5iIiV!tkGR02TGr7}%&9#Uez zz9$g{CF%~3@lnc;B<_3a(v)The&^eSgifyT1d5>OL1P3S6eX4Ue@tt>5!2wm`J}`0 zk;c9+IRv04v!s_vus7USAAm-|~7t*U9WVp_LCQkyz%zCmhQKiw*aK4O51T?wiB)EPJ28+)}r&ze){ z8J!6^lqXBd$$Z;7d{l1|sE|mIK*J19;#IjyP@kV827GtOdv@im(u!`=r#?MR&6&R=t=jG| z^Ei$(q)x&5nccI+9F4=N@k6kNdetAdZ;iFSU$%O+c8^Es-A)~n?f~-RGw!%2_wl*C zD4$mwyLFFqHt&PM%(L`Kw1sP){wcEXKEb7k&JY#y&31H9v)B9wFVOQmwpGx9wv-`z z$WvKZMc0SJMzqUCN<}&N=&JlRq@*>|$}2gPoy_)KL)d2}rhKDuFnp)1J4Grp@i7g9 zep{FlM;P@fI=I(ZlzG7@=Bpl!w1hW@6^WfKAU;4Igr;&{&OU~`;J-OX)+(NDK*tuN zO`v(G(}R;6f8LEUzW&Cf68|VkMzZZJk*1Ck6wSAm*l%9aePCZ^mN}GN%+e_t^YWO+ z>oZ=s#w;4U^PojRhkG5gx<2paCzQtZb3*j zF}_cEO$LWvO)NP%S$G062)N#7_XzD-k zE+It&-@FD2yPLZ{(2OX~QV07O`5R_{1r0zyim1Q|?E0iBV6>?%rEH9H_yTYt#3Y~t zx@zGxnSHtXWS-tdp<0)eP}c-lFM-eHJXSTPaR2RD zMN=zV1sNl*kjkL=RuSSL0~cG4Uw$-ec_Uju0@gPNI5<4HQN5eWL0EN@Y9xf=&+Dnl zv_^+V#SI9vWjs7pxq+0J5bv-#U=uWUcgLAQECQc(>FY!2WYvQUo0Q}TcNktP#_zH0 zstM0}t&l-}P?uX5@;QeYbk4YlBM6QFKH7>3sJt*SjhL%WXg{gX2}`}`&li&?@QvOx zOE{`>dmE&!Swsmn=B?`(pGH#ir6&KDiRD|)fKkL?=-dz8bkNPIWt#TsnLWE-oXZ#J zG);`2Qy4GuWG^mvvEd8+$Ft_Yd}5R~a)p)WK2W8JPF)2gs-cqz4wS261yE+XvUpYL z*%PPTMaZ321zvWFyOB8}Bc( zZnL4}*d5vWEDaFu6XHIUW%ZLNQZOkrpn<(Phg?O8jAZp{@qjMahHhByk>F!Ut)B%g 
znY$+!&NC3d@y0vN@9ewP+x!2VpG)Bbxq&^v&| zmO(f*IA*?);xAYsARQH~6b|K!q3ANI7~Z2!Px6mSqaP(~%)ERQizwcZfq=!XjK1m? zMe|W~{~Hn9wk{wq?*65x)Jkn;sMvk8*lLeclz~}G>AY>~bL9gs7VeMB273m%nk6GN z7x$nj4k^Mx;L$Z^DUVTdXrI)o>!hzpe?W*Vc@)s^vTA3`IBsi?xEpmtSha2I#-6@? z*-ivT{`tw5xywVp?L$Z-$H8JzzW0zkHFdst_BAz;_TlMK)n#!RMeT(y9-3}^-F_j{ zXFZ^}U3j6|uBF`yPLIv_j*RbOyj-%P`y@3^f}aq9?XED~E9IQLWJq(FQQZ5exM9J| z2I@t=m;6{oe6_e8a$SJ&M0<v?<+JAxcixqXa1pcibeA*vqgzq8#Te5E;Mz*BgvhGAOF#Dd&*IdBIYImVboqS1-BTvwF6!5|}v*m@0owtjYE9O|#6{z`thkAYow zKAtF^#juD&%9-J&B`3VAMoTFN8&fWWB{)k)XFh!)f3rZHc#6Ds;ab9fbwF`!UId}jDHcP6Y-wD0p|b+m|e@n5s~LpWcvnT=?@o- z(@|xk)=w77vUM&87e{k_n5)U8^?f%4;i!o5NgkSEwX^ zHU#Te*lVOQoF17GTU`JGFaao0Q;gU0TUdB}L~oh}bt)c^|=}iX9DNy>$WuB{Eq~W1F6y~H9e4qt407<)v z3uNu3fhb&Uxpx4Sh5rdaEj6o(6d=9o_i%W~W#oiE3^-R9CLE4qyNw7ZA7)Dve1B-1 zWfMc~lDzYp^5lpS4I2Si*XTZReHc=pEfS+mu*w7iW*Z5-W+M7;&}fXKl2+!37)>Y% zYeYEHBqI$7nCXsQ*T~gHM7Kzr`#ljMIfQ^$mT;`JHdy(GB?t^?gHdP0GsMw8VSgBQ zwmg#MM*>N!w)+H@>v7?Q}^Mk`<=Xc)c!+-YRVLtp0#-!-X20hyv zBE`}m+aQVx$n*Dh1k;)xU36-Gw)pYlDHf@-S^fqmf~Ve}!M@NXtm?H{nkjKJ<&O+* zfUa=M&kodgH3E8hVb_MJW^DTJCK*Q~bD=ES)VF-3k>?GLprUnm7%gB$ZzBnC_KsJm0e4u<< zM7-*x|5&10s@>1{nGHsOi{T^J1|d@+PO8T<#tUQWBJe~$gGd|fDXlAi=|adMnQQPcV$k2rC`>E~D_@ongSH0*>GYGi8pgH+{ildNXBm zJEna)`YPQ&!p#*NEmNmLU^u?vEHk)t%QVuDy&hS+OQ(X5IadJv)YB-kIwFEk-i`>K zbQD=^`QY!^J<#f%C%B9IIX$q8MwxqawgZF;Bur?dBZ6RhatiU2DB)poL_M?{c3}!T`7>rj+DE}yGL2m9ouv? z6P`}1ffNB~>C^>7GfVq0`yRm%dr>b+8f9YyD4LTj{O^Ko(K56L&9NGb-wrP%i z5Pu+_=M8)OHpsxy&YiEVeP#Yk%PQ5AhKasO<5T=7F2$|! 
zw9bA`xV74ZS)+&Dg&E{?hhEw>HzFN(oxnC5UmnJUx9% zeHv2y?UiPxBpR`0ry$xE)r@g?MdL!Z>ZO^IcLZc2V#XK7y_XH4EMw9X-3gI#*n~xG z%0WcbUX-y`k(5dqtv;XwsPHzEV(aDrh}nzyvkahAMB-(3(lwJ1@`=8hTPgJ{89@)Z zL&xiURY%o8(Z%)@5~^s(m_XDB;0i#DBb3Z9#th~Fp*gMiSu7B$5Im%(v75pPErg4} z2t+3sLDrI7_C&n7u3dN?mW%#`K#Rh}CpWV}=lxpT4NZ z+~76w-SG@PT4GHXVzL2XFDWte2kj2>L$HU1;ILVI-QtkZ$W8#n|72D=>QydFz#B_g z{s@vLXIX<>IgurpP>5nm)79j13VEbcV7%`^WLJF}%f=gamk(?9?GnO%cq_`0Scswd zs#`U|4)xDnyE@+EFpbJ-Yj5FswcNP}V*l-9DzGBK@M$`HdG-%~n0R}V1dWKmI&S4v zSDYaQI)3CIqRQmhoX3rm^@U%6bkIQ~bsw!vuCP>oWbb6i22^rED~6){ zdjk28`qBbz`lpJ2h9*`@86*x%4lNFRWJHqAyIx=g9bFeYyCG0MfweA?A%s6Hj7qnx z%*zeOuXoXOwIQfYT?uakEn!0y+I~;xN*=E}bkU!wIY@2D9&)63#C1&vZzxo_YuD)z z{EKzr?1V0Wa>hE@BfAdCEk`q1#sIKEA7ZFt|Uwzjl2 zUlxDMWm_+;Zmm+MVR>|F>I0I;xSVylCf=4=wNWa5KLrbioV|cxFkRY)u&TZR$i^+T z5f;vpWmy4kk%fa0vNx_57Qi_80GJBw1@3~AsCoE`@wM+9z8zb`%0%@zUvp754DVao zJ@R1>c6s1R^!t?90v~;#(56teI%VMHrC-z3RK&%7!*Am;T@I_I+L%s!&;7KpE#FHg z|7zbO@af>25K7*C1Wqv{H#sjaJxp3!*bO#uabGe0kA6J%N_7m80Ave{MC65?1aNWo z_Te2d^GBK>DS`y{MUFm$@Sl%G^zffX!h9uX(^ZKxIrY|cHu>P}e7NG)nZl=8KI(i$ zXOkM9=<`Dotm}!f(tQ^vZ4{~DD5wq1_?4kf>r-(F*(Z5a=RdIC=-hK z_=sJ?EZoGY>=Br$NZ*^TB6ODc-uxuBFmo7(Sn?oDx0B<>a$|56Qce^cvm8V=$VI+E zoAXH}VTqe$v%Td7e1HkOlB~pU;GbgRBn;V(?Z#xgoJPAJ@&||_NfgJg(UVA$P_o;l zoJg}XH;^d(yfes)c1M69_HcNg%TrE_^O5U`G(jEUQPPdgQd6`dK8}1d)LOPucEPt3 z8avBB6^WG=wX?K>@05tTkU_Qn-B7BZC6g~T4QKWAHO<{Kd(@rDWt@rvN4apK*mR%Y zFsY@2VCHfCv-fmmnukLsi?`ObaT zZ|RTZl6rUq&wt(^E4YOer0syDR23Ciqe>`1c5<4+gkVkbwp#B6!^Z1+vZV#%F@QPql@NMDgB5`ey5p76;ne2#||nh9}pbxnzze7eJn zzfdPgY4EO80^m|=wALqlwo*7Hl%gjQak!rf-}x8s**ps{e4-O4OVCjXBguj-MB;m;3y# zLX<`+K?kVM=hW-H(_yDARDkJ6OWZ;ys4j-soQ2JgJ(MhM5#b>fWWWYK`)Mo2%Uidf zz^zqb4rLEVvV6a?_t1(9AG$cj%alI4Bf121V02wNDs*1x^w2RXr_$$DTvV65Hx06P~)+2jM+|h*7)xr(iV=x-rumBv0q~C+huPHvGv-9d2v~S zr>P6udUV%>Sne&m=$Loh(3srjOk$0Kh{%%TZ?#D}T^UYXwIX#r7;<43EO2_%xN__D zfm1|H->6=zR_dEOZ_aPn{g*k3)EL(!Bd*Q)phLiV8WpM+9@ILB-%~w@cry)nE*vrj z+j;qaD!9gXyWCw^Fk1~8v;aduyuS_s!%@8H;^cq(^}-6f(eA_Ke`|Mw&jtLNK71jLRIJBW9ZJ(&S_>fC|s{gk~Qk32_G 
zFhJ_22YzJP>ufi%6`2PrG~lWJzY9s+_qhvg_J2w4zzWj1DdVH;L(TX4=8-#(eMA2(|2Z#96Z0zJQyHN95MvH4!)!HgLPSkUydvj*%gU|hZ~_8KFAi3M*>3OIXx zg!4rxqkS4LOE4vy(nBA(wA52ZsaCOeEs%Rl*n0ez72Dj@#>oclM_!pRbW(t1_TszZ znExh_;N$$yDK>t-3~&~~F)n7Z!7^+1)VP7t51Ky|PLGo;PrSc`*O|LN{&;=hUw>wh z%p5+l@u|%n@7jv)Z0jh~(WC?-@b=|xvBwu9Z;N#nA#t}RUyg7*;djg^dp>AM9Z>au$bozFPp;#E7 z1oleIW#{pyt=BfpD~^*RI>NlRTivQ_txf#Vi&nQdOiLi02+ zV|dF|>NE;{Ht$FAcg>qtmTR%r*p01NR;;p=5bz1r!{IdNBq3dFX+$B`)*nidwkcyW zM{Goe?&~1-h_$YYh%EO-*nvQ78S6(rKsrk# z96pS>$z1bm1k5X?n01c3CT%D=D}gAuJ@-a~JHUTjxCbxvkrV(RGOv{oF+-hnbLC&R zx%KExym2N^KgYeoy`8Qv@IYTL0ir;1NlM9S%hl3hZ8qoPx7nKw`~W}lDIxM|3Z3J} zgxU5jer#8#2j{}GQ+`?3pz{gg`t*^{x{og2!(|pIz~ttHn#)*#uBAn#iliZvRU$h# zX*I%^H4X_OIkw@?bM!u86gtW?<(N*G8zS$RMwoc;C{}G1+)e?#&td!@8;(YJB;%5a zUHbHmgU>8)52rPr<#a#ad9yr*W$i)ZL#keZq;yRdX1YK_oY+pRz*)X&MYObFcUK4A z^Ye6pnkMa+)4<{Y@#f)Pn)1jHw+tr(ww&{ILd&R7Wk70AZ9B`6jgc3rYugUi#P-Fx z??6%V76Qp;lCHyJT-;eK{*T}PMTvZESFb3h=4JU)NqcTU6}*5y?E*N9!2rW- z(CI&>PktEQy!-km^QSm&!27O}rHKpo4Ki#Ky8A~O)@s`ybsB{}lg-ETKWr7tfrR`MF&!E&IbA`M7#R1;r(x&U)a`P}K(x}Gy zn~C#2=83^zJOGZkk2m$~4RHG4H&Wy~0R{T9pL~q`vqNVeEc88MgN< z4InV~>hU(P1;#clWFK!8Xke_K)(6s)I@So}55@dCI_t+fPKr0@-Wr238a~bQa{n=@ zKku{+uS9XzQ^_>AzSr~l+mXe{)iJE;VGGx4*}~BSEzbyA-)8&lCXTB;%SgfYA#Rs+ zkkm?+NS5&hLn6XLjC)X5vkRz;$+u)uW+k`2*Jp>EoP~GzUX7gJD;aly#>SfN+{gUl z9Jaz|M9dgzCRoym$acy$gM_%P^G+Ntw1)|Fm?pbNhKQ6=Dz7uFTLOoJ{XIjtyVo z8ic;hrQer2h}%BCoweoPV22EE8|Jh&P~W6aGg9DTG2Uij0Qp?U>StTJ#{cyXhEY1}`UetP0nTV)4% z`Nlb`3joGE_@Vbg_kO&w1`Pp@kVB8AP;f!P1_dn?xGibfhhy+)mjY=Q6;Ria*vp5Y z`>Ar;oVZ=fEpEEAYED@M;axS(}b_>X?o*8ivj~xc=ZiDF7pa+Q8QxAk$@!<1lT;8_6W2Q zPl9P@gdSCaH1`4b+e#WlxzeCZ13WQZFD}`Mm??W<$b)ZwUz`asb6~dZHW)D~i7ioV zCn(ets47rfpu*5#8WCe}%m*uDg2;F+j^RFUG<&A5RPeQ{%yk6d3h{)BZTM%T322Ev zP<2WOO5mFe$~^dBg2hLS!Tr73Z$DtmtNP6nRDEG*GBP~+jx>pol*cTqNHoxHk9jIv z?^v9{Qw1;s?1?Mp=mYQx1X4tP`N<5z`a>6^&k)aO)SkZ;iw1`DeqWLW0ZtHIn}<5o z#93?rIV3ENxt|aRiblIDyuiFvex`-1Qeh5_k@}bF7aPc07KJXUg5@&YM_6$~x3rpF zQ@R)|NE9V`e2TfXHC&N!hYu;XydRPCA1z%_e2F6aKcwXP;H-T7aALLhq+sUXTjzMj 
z6w`x#!j64HkO@g9Kq>K=RFrt~KoMM4aQ4Tg2m4jaDw4vBc#*@i1tw>r5D_98Im+vE z@Tc%wczln~lTc&Qp4zHg+5uKR2gP zPqpI@m4$C79u2s{eTWdQz0?qWxcJ4yoiCzb-KU!O9r!7)lqHni7yN@Y-qlwISzB3? zS$n_kq~k~R=Zp99>ehb6;Aau>=Mn0(8sa@jSSmtWkd2WPK+B1y6eS`da{wbddMTqd z;wEb_#zJoyZy|aKX=um(CY2wAghQaH{$jc_$b7-qh!~lWE zmc<3z7`8KM*eXP}75x#?Mxd<$uEGLU+n5hDTM)8}KimDKUN74BHH16 zkds+xyLo75`3`h$U%c=~K}3+wDY;;^hMU=OO`F@>{m51wziFU=25Q@q!M#B-Ko!7h z^`sT#pFqx}=N`UcYRET>0=SJM6wje(IRrzUA4E#$8Xbp`Wn7IolshmgOmo@oL=eKc zQ7}G0@>zG(Rio$Iv_cq|Qg^ZSu+d`=<5G#}0eAy}jO2roM%E)f-~>4Y9*YbNf&j3a zck_8G&9LD&l?yVqGYQ_f#>wYAvm-qN>`~7vApD76Nvl5K_>>w=R#kCf^AyA#o3e9w zR!vZ04{VP!tMDxZ?Ga>&yLe{B;Sfi|eb3oqC2XnNB^PU?_X=xT2d8sk4u`FiiS^a+ zqbZcoOfGF00FgxQ`7z~(7c|h1v=KAOQOm2U1$Swp4agT4WY#bTuvy6{8IZuE3v3yp zd3E%g%R;;k0Yj*ddu5S9x1L)~C|XlT4+28@k!Ldl{+rL7uPsL#oER{GM1b@G5=oYT z>I}hx=)@ie0G=3)&=0YndkBP7Dm@~sLRd-Fo?sAA5J#n)r|Qy)7)>ZgfDYM&%OOe}!G|9m&>J#s_;AkA?O=kW63`dvjG9xYwM?W9vi{*^J&eupbsp#X@)L_p z>}PNtE(~0mJsljNXR|qph!j{R9Z{M41P&CSaw4+TzDu(4lw~XU=Whq#a~_CU7RI%{ zDGH=`vZCqjeuIr=S@^*Bu+LkCreCqrGhoBlBBZZYR~LwEVSbqNcf8nq>c|Jg#MH5G zjJ=oIdU(MnjLJ)wz2`wAHz!^cS477x$C&{``U+Ra-Z2+c&6?Vx`$5m+Wv>0YewA-9!URpNW#jfy?wRu4}PQmiFg&M0a*Y_kjL^yGgBOWu!#f@8pI z-g0c0(_#5RbNIvO7C3ZJU?a$z;Xs0eNsaDVnhmuaJluNhUO5Vsc+ z|ASR8V#Afk^Q~1Ii6lw#U7K|sC0=t@!UAaI($u+>?En-3w!=`w7Z)UB!O!@ih`=#) zc46e~>bTv(?^;D^m~|G_OUm*M7w!T}Sd{G~<1 zuN-{ojQSz0*F^f}O*}(5U1wK6u}F(a`7$r`IJeRlM*WN}sgoh`<1g-2QemvW^qv`I ztnfT~#X)!}S+HWXeJtg`r+B|wzaCAXlMqX@+jOWT}~ zk#?VAL7ZJn1#dAxB}L0piIXb&jH)2``#R~S{0OoSzA4F#4hpEF z29ergrY0z}&?2eHpHj7B-?np0MKs0S zalzN!z}5W%sa(8>n{3cVh~mph*m*YI4+D&RdWXH)YXvY_-A759lBtLB zt1koxF5bx6-<)NJ2rtRrr?2(2lIs%-4`u6^{#zM`c;)!J}=z@?B5_&$;dPp#5e zQ-x8-gq5bI)7SW8RMz~vp=0{Df@kz=1KhD8uzxwb4-ltL{pz;4v1h+%ltChMR+Kv> z<)~jwqJ*mY4%R6A0*G&QauDN2QOx*(Gd|m1X~EVj=|<}n<4%_~(1Lo;{6-}sapSklzidL^0xK7;RV*aw7Xm^*>$2QUXitnlD}va=1Mqw=N!?;ew52%pYa~op8C}bM3gmt zokHs!fA238yRa~^G(lazv0k(Qt_D^3@Yogi6e)9m;<71=BWwBDf<>6M7Ghx7ZqRrW zzJTfdA}Fj0)`8pYFt)ZJ15p;@E+;v>X!rep3Yw1ZA9-gV++&GVkdmdBdu+@cH*vYP 
z{xHwbMN3Re?Vakdb)mP#p@h$YQ(zN-Dbjau-aRm<+w7Bi1-KE_|^OARO znMR>K*Ivhcj+rjoap^bjyTSu2#tu_(p7g&>5q8%V{K7#D4Kh<{UEr&$30$Wn6i40U zR6mo(PjBjOaD2*EQB=v$wpdN{URG0yK~pJ;CWA(!Z#8Yuh10g$_!H#3MLl~6^JkL| zhthOF1IRE z097hkJ%LqQBV)m%;FDm4ea_>-qScRdpX>_CQT^70&Kwo^eUk&Jsx$YeLLVceQTl~H zRSXl{su%;C=q|y)OYsq3DCc%1=rSG#CqT5j{Md~5j|H9w`g$?)(a3S5f|yO%Eoxz( zEe7&YvKg0+ix>RI4cu^GgmpWIX!#S1R-R^v{fsKwrUsfGgaOU`7#PFG=gkpk_lCtI=wk4Yw)-p zwm@%!_oz2;7N6emq66i~452ASwBYLhve0c{9KeG1P!-d-*@qnA-sE{xU!pN+WKEZ? z7LC^{CkD`o{bgz~!w&y6g}HVRg^84ecogWts`76K7XJS5%P}dDTuBV!Vnq^;1;JP3 z5SDaCP4XeAP>X^3Qq1CExvfenr4 zTpBk?3EygHiEFK`-7mEj-8~A$3U@%VT_G0SEsRXwj>leMc3yU8SYTUxmEj`bkcH`* ztiaLA$yu?`2q3cjf-5r{151yu_{6F=5+S%9Y^-y`#M#q^?*>=JbzFEmIZ%RNGopH% zn(bG%048$c{&*Q&b}%*Bi#!ZZ{76uXIPthoniq_~1@s)TSjY4J+sF;{B`abjhXcdr zU^0*hiwdtFTFs+nQR^?$p@F93=9O!6J-6o7oSIMbXq7sRLZ5gOzaP*4uu$*~ko>p| zhi$#YX>f5l$`(8tE-*mcK5N3!xx+@fYqrlXmQdZF$E8+2}Z&RUWwE1v?z_+iXK9 zsCmb_5s)8AHoX>H1&GmA=+(5X7Oe+JS`(bVr5+k@h5?>di-?o?K!I?H*bCQMbmr&E8Q9gx`u zy5x2qGuidOfvgVC^G5EbQjjfqGHt=skB3ya>(Mg|P0EO`!;AxMSsfV1s^$iiOwgIryTd zSGo$oAJ_kD@+T%ov+`BM%LAcPKp=p171FR}VQusxlw=h;Px@MigX?v?_83r4KyAzT zeMbCl%G2Q4?4r*~4#{{XB7P3zFAm^?Xyv2*$h~;Bfh7D2=Drh-JU*Z0HWi?n@ul$W zL;eA@B9aeoOT@LRvCdX=LUEV+&ow>$>V?r0NV!0ru3#IC>kby%WNcTbN?L2HwRaN%V{RuKoG(OJgievexj!%zPj?nUl< zc>J>_O5cxrq#0aJh{I!n0a;1-U*z{v(^;z_B}LJb=tcbWLtA8w3Tp-#@NkI4K;om- zV822>hY9!kaAI^bRA%+a$VaiJ>^V7*JNP!yLvG_vUdYyZK!V@ufk;Y0@ku&6O7g`e z&L;%4?I&phgpQwplEKQ>C68{blVuzWs7B#_=WXyi94X1Pl$OGq*s*R z^h0qnNxUbFCQux1eO^Erq+TP{nfgcqAV&<%Y4hv!L0L*6Io*H#%kZT0DZ7IAG(vGD z8AqIFWft?nbC@gB(&>j23JJ%T0ITDy^?{yFMkPYftB`b#-_sS*R-W^OUSf=k*M6|G z&*`xbl4YSJEFh%5oeqrOui4pQ&4sA?E21ki6<|v;Kb%TKC=MtyuN)X1^B(CgqkGmu zSV%|=Y{Mms3Aoh2TrRli2{)7tZe^VoG`Kf&4(mi6x^ax|E#t;6)jtjs4@J0Gkc|Mo zKJ~1zi4GC`2?X#`J_)#nz$NlBkOaJ$p&ZQuvWtcQ+Yx_}D=*!cn?QRq%`!agO2Sit zv(cUF;}Xg`RD+%YEP{uG8a6zDbpcXCcf5l;6)!_`=y%<2d(AraHG!AWK(#o4t0q+O z8h!ov=-+h(cllnb0>eOvB-hVnvwkk{0RoFE!gEs$sC4HuE-W-rM`` zB1acMExCCTGj4GJ06y0at=I!dJ*0 
z$Kgdp?pNS@gKt2i%~Ya!5Wzl;4#*o5-f?`Wwsx}CpQ?2E4ayEP;N7pys3Lq!sVtxQ3Oy>ugj=QhL z8XpmCKTa3>ffEQj9j6#+92)WEbNal!gN14LNM3#&9E9s2=yx;G~oZ?Lv^#`QB#P*Suq-cAC6ee>0Ra|&h~ zryiAGQdIG?5^sHT;!kUCutU7}YG{$m*H&iN?wDJd zPghfkg!?rS&)!5pd|}l)j`osWk}_A#Kd*X6I|_ORq$fRN>Pa|T>S18uRO)5Vl6oV~ zzRrU7tHcCZz9$ntX^9|n^uv%?Gh zziQ&{UBQZ&*|T!;euZbiD&+<8?bm0SHH-xkOg`@U@+y1K(VzjCu&2+6<`(GATT$g*>jAbfsO`^p8vHfg(eJ2}fBv z&w?9$3l*W2O=>s=IS8njS~q#(MTX}&qVGpsZ-LszigaQf8s(+0xi1eZ2+!O>Q#Fyp zuOKv`GMDro$h6rChH{<>H0~fZ>LPE@^k2(k0?PWyiV_IYe9qE*(4RSts8+`r`4V#r z9SDn3V%ov0-_&YjPM{h4d_T(?N*<|+IZktlv|?P^9Q9$C>5xuzLND#8kBnjRDw>Gi z0iJv`BNurtFjQ|MB5EXDF3yZor55?PeejDlZE()=m0Tx9b0#z9(f$h~ZAgv_z##<}Rbr4* z2oX8pN*#4C|L_S@OK7{7j#D7Hg4|2U8}~AD$_(R)9z~P{`Lv$^{=G!&>IslL$m$Fr zqy-YyS8!4T4KOqk4n_a^vOh^5RfHZGAA2lUHh@&<|MGTgWB{p+uM<_@SVAN4`uM=stQk%LoWV#=dMyJBuXkHs3U)x(XBA zpi~B(wHg;RvYOfo6OlP7*&q6Vg`zJbn4}b*imc!S);cms%XoF3#NXlUfON(MwU8t< z0xjqPHlCabBtz{4qM3}83eo5SSXyDJg(Ye%OmSk+38XgMhDVl^;DkxH*8u6Am5Vr! zPo}=jEU0law;1*EOq~b)3`%j<>YLq;gaSIFr?&fgVM5{v#sP+#wpvSFk~zlqnk@^B zKnOaD)mCrOt1E1)@0KhEF%=koS+><($Z%~nmmf?_$S^h00fb&Kp{)iw+%ns0FJ4S? 
zL}(`%OizH|31VW%!$yc{4y>eS$Pw};LqlMpHc}TcNeMt{588dBBV4JE)J`SDDy*95 zf(sAd2Ks?|526~+4AT@ywE*>#i4Ka=uTwkKjdIlJI2~}{_)?gt^{g;aiKCQ=K>bwj zH6cSwK%-7lN;Fg}sgIbd@JXOHT0ujJJifI6mCPS}+_#4V>ODwY4H*J0l}5e9WM!hgsdY65Dg(wPpE9i4jV&dI1xfFr$q7qj7oue!I~)8xQWsu4K;!iNhC;x+%cj@Iz)-SisHO$s{<@SLgA4~(N<*; zs3`!&1Aj~56s03}C}>t_EGSUSynvLFa6 zsWHh=sV6)mK>3>k)TD-xL@o72MMnT)R7Wt&O(+vX3W~(n3O*~U(5Q)4Q`7t)@nOW5 zf&?>Jf`q7}#7HbjRGHXAe^`PBk#tHi#Df4}2{ z%&JgmRD@Mi5VS$0Ra7GfECE+E=EFTi4H_iywo%Z5(~KUm>cktrZwNiw#G9K9 z8l)_kswxl&35lAjZ%sfJscNXbmeZ@PajeGLNJ*MfSFNCc;l3>txp4tV0G1RvbqJVH zXGr3`D$VIY0F4@J$c2$w15}=2Z@`8+>rU+mZ7u_ZXg;y1HzW^4JvlH!tu=%XTAf`| z>s1hN)mur_=(D=_VzM(r3>L)CdWTO5G}?& zqhl~Y;Cul7O)Bsw9&~I$77rU1_zC2P`C0eOe%`NxSIO*66eG+b$j2DoQUET$@7Ueg zU|QLBj8F0{Z0i-a_1bQ&c}0n1wqj;~L^7zz_>*x*>891KTC3HnqCyxUFe@0iEiu4k zX_hvq)9Q)@zsbf|W>yx&u8tg?-7+z|e6*uuj*$Z)Brk`pc(qx);QshC)Xc#1mAdtY z>ZLUefSIvvsTlnlcr~QojBGv8BFv2nO)(keM)mn=2EK&$UlOeALQzm*(V&H~+i-Rf zieie-PvfSw0_1e1AaM0;Tii`B@@1Gkfvd#VB0F=Sii;b~iGC5`iPk>OApA7FvW*gd zEiLVg#~D}+=o^}!=(H{FRE~dz=K2j*p`qe~-FzP%g$;h%Ma)id?3uY}aZZm=>EJH* z)!opoT6&25!f16X7L=}^fvH;Ot^LOcJj^?zhuJhH$hJ_`Mx*6m^W`K&l=+T=YK;)+ zw4^rZ8tAnt9HATtzRt#=R_#uNK55E932GWxlraN+y}(UvAo+?YxYZ#%mKKFDofW^W zO=>T^S}YyQ+FP|)W&T|^WL9O|rkumfyaL7T{fDG-N-jwjT>-ZTnSHrvH(az1MX?L- zEd^|Gj;kV!{;?gzXf-LnZNz1ll{+(QfZ3@JjtGh6Wuy{qDho^Kbf>8baB=6F>Pfgl zz7F?NggHs!B5)Sg=fUOi{Yq+-y4BojLYvc4x602BX$R0&Xdl@K*i(xNjsbp)rjRg; z`6=MX@L>SG2In2x)sa`#;r-^6XjNzN}ZX#pfXZ-vhP;KE$=I#dd;q;8)Ae!zc}MWp3ULmMNXIR zon6@!Gt{C8o?6v%mu@;ReoLK(q2IuSai{R`i?`Klp8{uz@h0x$ajzSLg^+hOW^rOV zI!~z;c#E^E)M*u37KV$*wkWfPC!Rgb;AHlhC*=yhj4wY>-zyj}t-!y{l3;Xsd8Rx`c;xUbz85q21NBbb%8)n>eOyT+ zU>ElMF%qTD)KyaeFQf@Ys2&-29XJ5~q9Pf5fKv>(Je*FBr8$lsszp`d4!2ZxsA@|L z=4S`bB<2+62mCon;;=)Cg!yZNL_ti_^c|BZPCfbjcpyrgu(%QZm(}I9o()HCSr}1} zBr}p2(ZkwoY2#)N>+9J5MLh2=4xCkzqX%!q;|iFcSx&AgAF!qv=pzuw^vSdS{`WsR z(CF9uCLQeAdnubW)yE*&%8^8jAVRv>=jvl%ORc%2y<|{fwKA?~Txe7auQI=D&Zw|e z3`SkNSRQn6q_p50pQtjPi{ldU-*eMn74D6`O*ljJ9C9{b2$ 
zC=RfCnHwHojm=f45B=PP{xW__|2kRUD+6P>>?)0FjWCqPml=8|2K!;IaxlR|wa&~8 zdRa%$fgqxuq1EV&=d`Nzc;VAqQ@^EN64*Or!Z{tm9RVn!vuVO*4no(8rKOoxZDkh?edqueX zutXw!S#$eH)sY7YZgXOoUZ|>&=LqsIgW!(C=}GA%Nx@) zM#9*x$(MQ)S9eNqteRo6u6F~z)dvGO?hcCkOk%J*2LQ~>-0huShY&U z5#UYy0A2vh0uIHW?az*EQc~gZTnEr_P7@r3LOr@Xsj)Un#c%w1H*qqVpd&1YgtQb+ z87QKtWn*5qk}H@R*;kqiv#|-V{6h#ly*x2tu0))ffk9glV>D&ZOlZLj-DQr4*$-_e zLrks96^1(qcR*5paU`w{U|lpC=n+FQh&S(f%6duj6jQ`8G-<)|pSr+@yOJ-KG+1l2 ze6@p&T@Rjxu(NocLAPSGVL^euS08JFPSv*r(5YM1=ydD31x<=;m={xY@q6$QACqVq zNp6o%SbPOuV8-8gZoSX(M|eM}NJw**52t&GWI{`rCE}eEloCV+5=cRlB!H`}=py;V z@>;HibrDN0RlW`$%(ms<6s>#^k{RS>c&cMhI7%69lsCS*(=x1vQPGBn;lrXH%Hr4X8^u0xxq|L(0 zy@(jUDKPfSEAX~3xvFiA-C3b8T)GumYfn36C8Y&X$26CC=7qmj{?rNr}-cuwz`D{sC7PA04k4!U|_DT;rkRNiX?KSP|^%#!l#qo_p!X~+NR z6&tlc7*7r=*I<-yg3l5YuwG7E49!D!(WfREnOdw7fozdqbvQ?0`Ig6{oSBo$-NN zn#|tf4*1ODNPcOGRXtb){eRhwjGm-VZsV=%A_@da7n)O9Ow-*=K_v$%{6~e2XWAq` z!~I3a#t^GeyJ51(tdy|Z#OPXP-0#yEsrNb6ey&IBld;BhS!V1YO?}u|aDv$H;0f4e zURbs|hyBO0iVd7p-ot&c^7~R|39PA!b$T#%i;G(dh_8n=##R(MP?r!(*Peu zGxhD*QW;#Et?gy=76UYm13tY)j!=`sqmQSDVvGyb_p#fCxlTyVE#~LR$(;TOQQ{sL zdgNm_f*Rl~!6vvL?;%B!CLT?K?0NJE<$1b4riQQJ@U@7U0R(fBM)K$>T{DZHj4Ohp zS3-UBE84LcG>=qBt6K2TP8dOLH-vF^bSG|8zarfs=T*pwcrvJG8I?m;D8uzc?E3tL z2Ps7bw{4?P5Zx7<`&SeJkj4!+b4PtC!XL{OeRbNH{J(&R#7+mj6|A``=er zR>C=-58hwfT&6iYRbJExW?{#k?&t;n(kF{8YFG>4iR7{8nf)b&A*NR5ei#Ko>;S819WAxe z^YN$N)C7)IV2ejS!uJ27*InbX_Za(UfIc~!VR1mW!4zlH@Ko8YqvbvMh%e*KEr3n` zmI2#;E@|#nn;3D-0V^9%~^X< zpszO;e}ug)<_&QgB@dZ|&T}`bSWp+WW_}{s1EI(cV5f(K?P9`sFz?(={z~Wu#0V~< z&IjP~v#QroeNU&ia%8m~z^#C(dQLcGwm2vQB&ol<`L@}>wnkQoa?J4vS%W0y5PxnG zUY#Bd^6?qu3uB^zVf>(Hytz4bPa6W6Xqlj>tC+#<2sclIwTtnAwkTcWxk8_MulR|v z4mBWf?!B1tkvOUqK=tz4lK11{bnvkaB#cf6{YYCu7Wzl5l(AljiIub{e^aP^c#~(1 zoEnuaBGdnD_K-hdJrmD9Wrkj_h5G{bhLyyx$r3%WC+MDFfFs~} z{7OMbn2+FXuxKMn`!+frHmJm*vXX)YJbF?mPk~0-XEJ1mi`~$^1&TA;d2`Q8-G2B! 
zn|naN?tv!)^8?k@2T~XYi9UVqbQ7u_xD0jSHwju#=P+|S5WWK#gcc9Spch086HvCN zApc%Kel+(>O}@b@i2v)@64Izomh4HL?Wuz62u&?nNxCAw0!qU}_gW>tP-@HP7q#MC z00u$-M3t>DLG>5ayKOAjE;?|%PAa^&Db0u@I(!MR-&48SrF4MTkX(|CrXbDlB7afE z3z_RFBm`J<{HI6x)JRjCFB5-(|5Y<(EQwD8ukIBEyl(Wh1mM#^=Ve3UStNEk%t zIO?*EE}ulRvl;jU_*f{ASAZ0Nf_f95U>p-F71azLx16U1T*>iEp$bxlLAOPJTXW}%~1w*q`_OO@5tSE<7ltD9o@ji5*%5J71^Fc&~Z zs&X=h@ggA#N;FA0Fd1}}Z--DJ-!$O~uK8Zk1#T-S8ybO@$eP??_7!=LMf?+~BR8kU z#M?B!i~nJn#=RlRx;3h07GIQ&_umdX3gWgbd?N&RNGeG{nvi7srlJlXit>yh-&#u? z*3e&FOc*irX)Pib#lMcidC(*egb3Yeqqo1Grkq z7ys>1dZqR18@TRq{}|p4fvujNfSon)k5^&#kZpcW{L@oO#4T2tu zl?YS`YWPB?I4fB!BDzPSF%z|!XXI((W+cl>#u17}M06fU<;=$RU!QFqE`kr%m!HEf zx`XcYPe5e8a_tQ(EL-J~ywjiTT$3cte}|yAD`PRL-o`#+32hXt6P8nQRMuPHCC-JS z(&d0gMpKiy*$G1iS1es;YGLSSGMu3`sPc+eQKr{rF}ZqOiL$m7Qc#rUQzYKMW0k$a zm_eJ-(}q_8(RwUpIKNfP7oqmB_m`HuOcSw^Xs%910GZU0$n<0flz7I2!bQKreAP2U zht@seA`|nNCEB)nK9j5!FpGrAouTR9(kmWBAFo2h)4fw};P%8=Gpot#bYc8sP1~%T z+1uq&ayoM zM5r9V<-$I0p{|eW_^(%FXIo_@>g%959|W#@A;E~QEA+3;E@C(ZeeZWIp6$-#_BAVitUc;fsqNN z@35*p+)oujx|Bgi!`gi!%7b{+O;+=mAz$}u#)^q)@WGxgy3j}k+qY!&0r5B`?|0CY zorBxsiUuor`bhk&n1g857cjxs_Q_f-u;#5ocQ^3rInqC+BLfF!)mPA1ALx(@_3B@5 zm6Xe1Ov7rVQ+7Ib+!6K!*Mu@pR5a`D)h9f4zzIQ9fnJ6QW(16*NHF0?8C|*%()>VNDFM5xNXhXn()1kt0Ip%W~YOoaaIi>ToHpIrf{J2K@(4p=gvH4@pFXJy)#}u^{)pe7mIi3Em~wq-btL3&>T&8ipPR+ z_s};LpRXfK_ot>Q^!)mpn#(?RJnkWnD?t5<*=9=hh>4+jBk%J6j5dUUvC<7R0RJnQ zL2M6dvs6enbwJ$BuV)?~&ogi=0l_ZGwPS?Nb~Z9zu<=58Cd^~-LoSDDOe_>X;?QZn zyG|&;EMb?OY03_NLO#zjGM9Iz_7Fprv*KR6!0#6Oit)qpF8EON8(-*lWS;QFv*|?h z@OPj|_8(V4J~hxTMkDTEv^idq2V}voJruUyo}o!(R;vaKfNMQzZZYFRa393jcc=$Q zvGK4ty#eX)eCO^9%g0FOB_A<|m7R?o+NMx8Mzcd174-+DkqJAUe~(bqHiz)Jdk4c4 zupI@k?+Vk=KD!1wPvRNN4333~o+T)jp?MUVe<0+=w1~6vj2Fi~K^?zUAq@*pVv9?O zS%N4bP1nS4a;(O9^6>fu$W1y!GuPPTT<)1L*cx)W632gJAwF z$lfH6{in}#6Vb^@r%$*X-7a(9@vfwjx%@m|v^gsQnTCMwgpJPa|H#<=6u91LQ|(`B z^0#?w?)Pg>u8O|$64?skk2U$9@*1>f&W&KL9LgxJZ%%!HjB&mP^?Z3?mm~9G|Bb2l zqTv36Kg{-h?IEbdMD6`w 
z?S#E9v$GMatzqd;3NOdtK2Xv(;fubJRa7zMx7v!)wDpyYLi(dX)aqempu;pVkXyng;%j5K~tSxykoZi-jGmmz} zlln>aPV+O(wK%yw;m_%GuC87{`fjb0y;UsqwYdQ}tp%DWYPVY$E8t{^VrI%tiEB4e zp6?{Am&eWr_R8Wfex<)9&fpJFnXxZYz3bLGuCOH6=iqOt#_jkRO`j1VPY<*IJ1uJ< z@5*hjyok>1=$>d_G%K^}s}waLuY0ue>4LFid|Eo)dpw44a&0mgFkkD2$ZlQGV)r94 zux{6VYnk9qpP~o*U$^K-YXQ}MukwK>(Q?7kI0ZD>)Iep8L@IQFI0an!4XF!Qia#DI zVFzMqOAM-rPF=660Tf;mgl-(lUd&D5hl|_@J#A;LuMQQQ*ieXB88Lp5%LRk*lFm8) z)k~2E#v0=U$$E-iAj6KzsI)HS4@xw2@{}FNJ629(gQyr@?n{V|uc=9Mz%bXVE7Qgm zrtZvqDePZddX&62EHg2A{yqFYBYxWx9zjw(`5WxenOo=%tU#|((Ft&#!`v{Jk*4py z?990|FOwFH+H-=+p?=2L|21mJR9$HY`0Q~Ow*JVtzMrG21AR4J^Y~sE)H%k|+#x~$ z1hYpUX1YDxSflM`Ez_;@r67oKm)=($(~h&hbqf^wek52O=W4*w_78k9t$BeGd+&$ zH_j(g(gqIt(X;b)W>wz7604RXIbBM59Dz0ikL+-Nu!!3_?1X9#<7cjUIdiaP;gYBw zZRKw$e0QYw7K-H!zNzvg{c?7B>bn+1nn{SWfG^M17H51gsynB@)4*{G!-Xc~aY8Pe z-0d+n6den*n|bVvWqq)x^#+?ucxss`29ci`3|4M*2<5O6axuqlkNYi*$W430Bum?RWX=uGd+Nhg9=9 z?InP*fyWMX&y*0Na_Ds7H@c210sQ*Spn^fOU=rHpTJm-u%$H3if2YSn9Xl8FF0&s7 zT2HE4A&mQiA|gh^+dDY|6T)j_jHDljvW}U~A0E5IZ%R#Z#{^_fA|nXR78bDB=T9S^ z5jDYz4?tvazA1=}t36Zd^PyAY*yR0#1g;{wX67Oe~dIPn-g^h_{}aAHtjMH0ZsS8lB8X-gUa|ckXv%-9J5M6JpMhp&baR27b_@g(mBj z;yEwx4S$OC<)vp`a_G-3AYV$%yTsz$TSZ2dgEKe~ogK5khL8T5-3CBX-RDa%!|;B< z{-zz#ojxzOjlP=W2=w7%4u8N;N{^AH?j&AZmT)Jn(*o6`DIc9IF+ z%MWkeG7Q%`IDrX#aShoghPOZGJhbWuQU)7Y*kg8kJcI5f3v3UbFgPkf$uLy<_c0Gd zk~CLnWVA%*kEt{CLENW+qC)DR!yaYBcU{}N<`YiQVyC#sOJbR1>0%n+-`2it5{bF}^E`Jeuf?Fyz^VMEg>h@14!bw2@=f79PfHh-;nlc(N30 zO4g?1VQH);%(-vFe!K*D{?hs^U#25jRQ1@r7Y!ViM)uT)A05|T zXEUK|?M>KuQ*L-`6K$ur;EtQtf$$gIxxYXyY?TB^Ga6AY1(#JF6&>HwxJXo3LpLwq zmnf*ckPdt(;7%<29n!Xo)OrV#`6ieY_TO5+80C$n6^EtiBMBlVngek%8DbA*KPJy?yga~$}?h4u?_d4D@~q6$hPuzt?@{1P#k9eNcU zwZl%AbT6p8u{NU-`?*^yW6^Tp2+aKqf3Fi}BekK8(8!3NIA&)DaXM~U6fOrL8i-+;Ym`|WZOrcN{EDc- z=PJt%mNU@gG`3Yd6M@zoXAuaP2tp!@!EIBK_{cTH2s@oB!b)PhZ{bVaz+OLBDnSM+ zc*Mz#q4}!Y;&h;TaOngz7Y?yCGm{C&AaLLp*ScN{3}PFPQshvA+eSO5&5JfbYRw!W zmB5gREw`Y$ekNnELT}GRid)OXH3omgLPa3F3`DzP+h1( z+jZ77!WI|S-#Q6f_d{wAWofoP;&jz$82<;!y8dG6F6i;!2vJNo8+CsGOE!eYqc*x 
z_Dd#eaocK&=z239M#ZZ_*lZ}V=@>JG)`2*lhMZcWg5^Yo?3P&nT-I@v0Sctflaq}+ za~b(R<`Ei!l_k`Z$cb^%pkX>q=|-svw*PAH#HcfKNl#0h zmeYx57Ml^j>2ro)$xCjDLd<7O`sAkYq{-|1r6B7PRBsz*qX6I$j+zSdE`jxEIDW%d zY+aRD{X>1LrC2E=1WN)gt_(i+4j&c;$1+3HG7G;75O4kARcn6qN4JxF{srr=T=Giu z*B$J2>4!vf?aApu+;>4qkRx=g0c2(tO?yTr`pfylAF1>}Kym-Of9Do%rx9+q6dy7~Y+mH_S(SWsk#?Kx znR2IZlfCRpmN%m_3fuH<6%*uYc5Q3*co+-70%;CY z*80YbK(&#js#1ak+ry1!)A`Q@e8~I|bReRZ)%iFTX8VE_J8h2p#AvQXM_VIL@_0az zkI~ez6p3g4m!tyBAJF>i*EMBkhC%JyfO1%T_*H!EZtm&yRMWA4FoZm=u+gd5$q(kT zo8PT#u)%|szAS?5V=1IY%XH*WXri|zLp=bXCw{!_cqZMA9I1A1OaSF2Z+@0mDe-}C z!Y87F1hYz_^{)kx4k(&I7m_(o!y%OXIE71hj$itWT>!-mD%$3s#AE?jn7>PvW%D9! zoDw17y|I?Nj=>`I2LidkLMu(Zuw+NY4vJ+u!jq-zaB8i)))_28yo5}xxC)Yq18ANh zhS`THfCJ6Scljm0%ghZd*<~!5xw=3R=R3F}UlQi$!!(OnZo%(0!+azQLWNkVg+LI! zj7m#Xvbi(o76Cr3* z)aYc=+$y&kMvW1>KjnTn3p>oL%_`R1*gwnUxP*2vyDgPx9TKSFUWaRYYPr|>BrC!j z~_kR`4?+AK1_FFuQL zw>AI><_w^efFE*6aGu4?O*fV3h*|@egK{~j*RBWmQP*%0?G^;np^ia^k%Cwo@0_>g=*A1MM0H8kHjX=Qz!CjeI6cp)gSOUpk zj+2bpMdx+g_=V6%akanuWcB_bh$ft4xR0oqL!h}v$-(lpcbF(BARe?dKD7kV!>T-V z0F@8ik4v|;5TqN%zK#39&v5hp(z8Okl8y*7GWzWyJs`YpgeYlBTXeE9P!WEz?1f-M z#=g=i*;8SxmbMUjBh8HBc5iw&KsF5^Q+q7VBwQ(rA{hRg0ivFN{>W`~eHoH( z4IPzfUVZ5j{Ue9E_n~u@2vX&KLXKs-I3ak1&vnbb7^PM9*+@csv^wWU!bos0nKxZ9 z!N`V8k&i!=b!=2lTEGKBF#LQvV1XYfd@dT!Dj?212E9@3w}lWWm0-O9m5Z5L_JR{X z0&2Dp2p!(+9MsBBBNQ6ERViAjmLgk~c5WQ}}jF3sJ4YtHC<0atvqTS!}wQ z#&F9%xV5P|>M)Nyr_%A&NgZ|_U!gnjBmO6dbn&K-uRKOnE9@luibcS(cqL6(Guz|e z8&LKR^PP?J;GaY{S5aD^Yb5{#AM zFO54VKgkN7v_cUvHNUg07Yi1k!a8cf6(vc$@F zSsenK{walg+cO)+age)jpzQcsx_Nun+QaCz_{(we+be^2Ej4tLcl;>?w!i zE$}%>feKo0TE8BBekoN|PL%T_S90cEb-$awvaB}$}?AVj8xGtk4Mz?7uNy!ZbF#2S4Ed)L@)!*LfBo zB8dR)JoRY08_(Ev>Mr z1Xc=tnj{cGAPWHQp3~~|kw9u+?R~m~H|jc3Ya1`-4>IawDL43T&kzifAa>;3ZNn}5 zy#}x9{m>~ZZdcR&YGGgHiQENbrq~;Xj5gbifi1FK=|N3m{u_z*DMPeeZdJWhGY3xGNOzLo4F4G`tpAyW3$Pi;NG%sT5OT z->@#d>n10oO`Q8kOS3%q5-I(a|0fph@M8X>v@gG6eQxry+_{)QAIj%vBf8SPM+p*% zt7HwuKPnEfSOnY*c!w8ti~qJyI?(=)7%8Ok%%dAdF4>*&Mv*wU|2mh-O8^M*UC!AD 
zmx@&rm2D7M2GPU^fdzVC*2q@CHiwb>5xM8|AZBXc*T9d5BCT(L0c7!7dpRSrRmefN=(AR)oLee|-i zFk7I~9T=7I@6k;Q0YANG2qeS*tOowJYsl`28pnCy#1s^R()FjnGYJ+by+MfwF@+FV zpdxzm->m`Q%gQx#x0|*g`t`JU@6D!f`YD~gHYGH>^iz!i7EyN$&y(LyU7h6t_jI>a+ z?L6T~=1PVd$$5Y*iYU)ef6Xwi5=`jFnn z$n6^eh*AXIr?#FBKy9K*;%#o0rFV9`M19axCEkxo;L+1qZ-3IV%=FgdxLn6k_$~=X zm=-s@Cifm^R2gWgAqd_`E`rYS_^Lum{>OzG$p&$n0_aBiU3(ie=c;bp^S#Pk@r06Bh?`B{fi<8?7Upc;HwflYFRJ5QB()fFCACop_mP{Dp>sdQ3fvuxnwz;JvQZC4WSy!Rkgj zt$KL^>2}g7(f|!)9^HolQgvOdu-T__4DiM5v#&6bF%bscM)@=gv0as8tOg;6=R@l6xKeb4Y17dy@QfU$vp8nW9=Nmcj%PqOk#0j&edN{RUeN#>J!McqVIJ6~aL zCY04>Rp44%&D5$F8)1c)aRlnKDllrp2k_MV8M&7pwYjw6aQ{&u5-N zQeA@&ET5+s7>$h^>(AfQ<53~#y#8Q>w44H~dK^#Nu4-xV4U4#4t)I_%d@V{pSfd7- z9~d?RP`6gGc5NMzT}fHo>Y`_KuZ*oH`1mc+2G-bj;Qso|s{Y~=M(5;O^Z&!t?i7uz z>Xn{xBs~)`F*yCoqy$sMlU%d5mQ|4`Vry;0J!3z-#y*a$N}{iEV5w?f!wv@i@OCw> zk$a?>v7Blrl}5q~$U?ugmH%JjR9N6d90Emnxbw^>uf@dh%?I&8tf-Omq8#7klS5z+ z#8DA^>AKgHmxg^pc{t=Pw`p6+$bGMCrW7h}9Mohc54B(zPoKIgZ$4?bZMiwC(7!q6 zJy|SR00W#AGUA?=Dy9pkZYs5%dI_ID(C|I0znqn>rHlQpJLP>IoudsQ<>-#lAJAe2 z)W8Si*_cjbNW8(ZKQh}Wq-K_45Sb#1lPM$jnzje`Hgs*BS~RTyq-LuK=98%pHz>6F z%*hSPmXL>~WyHV=+e!5h3}T=x_lpB2xn9KR5-Xi&7-PTHCiQS?GV`EZp!5w4-1XU+ zEHo(SZt{=FO<3Jv)cia8e5dy42ztQ^bV|KftZpp@*SlvH@%L-W)PmSYVU1RvDm50- z@@G)uxI?!@z`&(D+PtjkrCZ_P#Kz5y8?KKy__=)FL7C>NY9z!@wBXlB#0tKP0*pau z_^^+zSp6f>e~{Oy&TOhoAvP#jRTA5YfDCdyB?K19l8q~$m*TOW>RE*6pX*omWV@m# zvS_&`TcEhA6h&1%dZSWDTb|c!$}6`bklR=_4g8L!Jrgsb zL5}f1dke4roqiNPNBNvXfN0*q?($UBy|j!{H(TG%u*kG#rc;#Bxk3?b=^E1HtA^^_ zICVd$Eh=Ar_EloQ1I!f9!H^&jC)dx_4X14`D4U0zNvSYxPJ}Q5V zO6$_sKUaaW-yDeY0>6>SCLiT5sVS{-azo|=tz^sFWTA06Td@Cl1!UbabU}di3av8r z1`v({2>&r2F)8k!d&y6~9mBerI=iGARtdHu2}ZmP)T!c9oWf=|+Vd9L1T`|Fy)bL~ zt*$-Q}>CLbezW^icMia_~iSyu@8()S1ASdp#w>-M7pV+ zU3hT}r98kal!%tm6)&^i=|_$9!2aw#U6)uF%o=#V&A6i;`eDNT1xUQTl_u1B6U|?x z!>IcxaQQl-j?}z2+~nnLfuLiwno;-|KFAb6_rQsS{MGL#1C^j*mt7@0*bpe$4e7~M zd;7KS$;a)4KD;pzK1u9p0(uHa&Q50|8%d98zOlfas>CScSFQzT`m;TMp}A@SOg 
zx*s)#)=ADs$WGVD5>vfNDQE28fK>*V#0yE{6Ps*48qGIjq~Z^76|cmko6|7Yb;G)x~|O)WROQ={2+>9f$$tHdXxyiTr44oi&rZgfpIMLdtpA0WPI7 zV?XO~JJyi7uc>|t8NtXU?z1gD ztTvEsua01KC-#c?D`FdE;ax3dz~o~I-F1WSybN1n1hy^2aT-`GoSfO1$ydgKhC2Mr z?pL3ZN+h9_T#ii+UKgOj8D7j^^O?KYgo1BkG0{*q#?7omjiour4OLZSJ1)Vglh4@+ zN#i{T<)*b}awmB8xe&BY~*(M=(C z(H)`?NlwJF@u-Tm=|gq6!^>=GirqAjQBF1OZH-bU?7LbojChX~wkn0rC!Z>&Oi2^S;R##vQr0e+aa}QIE|OG!9;TFE)bbgtK;z zin-)QV;ZZpfJ5J=O{URCrkJ-{fGun-1Z4k`ZczF_kZ&&SB_^!jer3Xd?l)8*y;^N(`ZYTrPpcj_pXEliI1vCsL&!tpUZ#?78 zi;zF)yF^+>pGGp^R}EjmYxzHr8#r`HH%|_Bsqc_PAoS(0F|IDwu>chh^MIJnd2z_( zSf1+{)^;wq$;v?C3c4$f7oa<1VsXRwEU!VO$-1pl5RwwY|9YmdHsSyXKd8XOpmcv; z1^LUi%b3Gz8HSy#xDV5ZyCk*%OQj#+^_gGl?`J%M^I*r1W1NpdplFaWWEfh+gwpEN zF7kU{=AbTN9@MSe`oWjG7YY9f^+otaG_-{O1?(^!K)l{lMTK4+kn|r%cp@3i>Mvcb zl6j$ID}3Sc|NAAJSR~vcyTU}vFz3=rzkob~5uPjgVgtk#iQX?3FA)qzyCzJ6=6u-) zLRxR<-d}p7BzG{6s7vb;IW<#3>BcRAJO%0%lLpvsiADf&4npfBJ-Qa~f z%(7|lj$gdDo|-ea3E{r`+GYR$qR3Tn0A0gGt9FRT^AwzX0-Bnv|M`|z*!XSTz;dR~ ze^y$}nT*wz4l7bSnYjNCZ>a=iSIs<*JD_4bS%?GXGiJs5)^4&X%MG+fn2lPUAT%_V zZh4QyQ~HDOBz$l;4s#^74yfo~Ci-4Aa6QK?Yp3C=n0f|Dc1_>`(jm`yT5WiO z*FClu$7VI8>^8P>XQOTyN0-3O8`2rX719e*X3iv5gM6?1y6~XM9W;0 z;~P6D89*<2zKGY|DugPEM)1!xdV;6;WJ0uesp-N+nnc2UJy{8CC2!CX%T|6ZQZ-CL z(DmR`FV8mf%kl>m)k|Ea{39HFT`_sdhH0W&x><=kL}Mb?w5Nl#@_B_yjy}TY zVp^DbgZJj8mX5DPEjRr3rJ*{Lx)dT9%yEoa+VP2|kj+SyQG{1nG5pOnWzzpOo8_10 ztO@UCo7g8CVGjd@SR_b-wrX2gN~uJ^083rC-j-UEqufI;f-By6hl4KRnPf z7?&k3c7)H&i8yo?pfc>t9~fu;Nh1m7uFN;bPP**e*q84*jLsq$ZQ-GpNH}ORhyd%7 z-JUCHR8{|*YD&I4gZ5S62JFn&QoVVX1(;*+fy#7N9q9`aLpETIN$Tg=agMbyi&9-%_Tie21J#YBosa6ffKr>hh6P$?DCXYCb6zcZG)Ki-hbo zKj}Y(LQ3dFo7yta9EGO|1_|^O8vu_EaK5r&iP(lfS$aS+5AC1AF?1b#RZKus<~<4f zxAE#wrQFVib9a}(;vZ{rKAhlB6wE#TU%*}VzfG+^=bN+QlV1N%Cy9=j^Z;k7?alqo zSV+;7RmKi+0Kg72RsCXONy$r}P0Uad(*ZPoJwyUlP3kjFi29g15ry@tspQ5GH~pUq zH2xNa0!&!?IP&Tu+G1ew`V;w+1|e-Hu6MK^iRD4{3OS9n`lg&&Y+E}}BpzM$;4zR2 zI}VlUPhQ3YEz*8#GZpsvEE72W3`sWp_4CXHtv#`wlQf2(ESxP1;qgCD!ZKSlytQ;! 
zN=*??O;ZwJWK}E!D+%hrBzdToSt~)q#^=Pj>7S#0t)ke zP<03kkCYudl=pF_OP$`*tc5CFtRNm2CVJOH_w|BA*LEJ`?7(`&qmO8$B-}>PgE?uN zF2a~!agO%|8)6PqTzGZ#=O*QDYZ_KAl2Mvs;xlKn==%%F2NJ#XT4K-H=OD zEn0Xm%7$*^Joz{T1sfymo~6PLKaNlGaftQKFnTSdbKb_;R1! zoJJ=qZZ5hAOiQd=8UY_g@}3a#lR6`{U5Dpv4?6R_^Lelt3Nk0Z zi8Wcw5g!m6@5DBXttaiFJf+eZMshHWYQ-v@P`%nN;R9SCW4i6@8iWkiY4yc%l)YmT zn~7&vH;>L}4CIIOHnkLody_#xVE(==j`=^X%sfhsQLAG_J+?&S{s!tL83a7$&QQd) z+fFrQ{hJ8fFHLw=cF>@C4+126bBO!6n=tLZDuX_!dc^^fA~7rG ze6lyb_6CJA7YsXW@lgC-9n3a(5XJd{{wF5wwmsbJ&L?wo%Kgu;YE-~U)X}CWO|OA@ zjaV%6e|Dwuoy)D>e3|myXm8XCR9V~%_QV2DW##MoUchLJ**buJb?LdXQpY#X_Nh72 z_NU}J=ySTNg)-Kcq8$@HAU*r3>zuH|M+Ua=5(>ObBWqD)mu*R)za?BS z&Ps*xVG_!&{^Qzzpts@_${y~?F4=-E-;H6=G+|) z5!&+3!x^*SsBwT#b^E(y;Fk=l``-Du1Tm$1eGW++C-94EF&7bkYe@p60jFc*R=Q7^ zH1FpbTuSS1*Ehb^ND+0AQk{>mDjstI1eaqxnEI09V#SImJnRGGJ2KM=(9QP=Hc%vR%u%HiP^MF=X>WxV8<6MPhPY1_<6aEVh z0v~*$SO;G^SD0HYolYk^CdLI3arCr_e5RY~eL8(L^m&w@)P}*rb}00lSJng1T;pzHfB*m9^s^P2@+VvVIhVwoaI z$-^@BZB@GYu#_jKihQ(*sK~BQpcsq_>St~LPUWac`@~Plz<0KG9sHK8=o%RCqLg|i zxB@Pcw(C8_E+I-{i6sZh@L{bDRFtp1bEIuUqe_Lf+Mzx0kGBa{Hn$U(TremrMo52v zLLyWQZ&;a`kpBs|irXTLjjR?uS$-1^ns!U?FEE4Imbn-nyT&ynUxg&PyTeM}s7&^z zoL(qEY*muuVQ>NA(!vv_*fDVRNVPUXB=*V7NK;_kxjH`xKEiFC>@)H#B_`MpCRk|x zvB{7C|5hL>c-m>a>{=`IL+1I05!le3Y_QfrhB@K&88-O&fZmkB)?227=tSZbIS4wu z)&d>?tCt**^In6ake%&MSW59pW9%Be*k0Q(%=#$TG10yZ^iP?{ z0jELLj2k+tD56qq%Zxm-cE33+*?gEh z1}7lalK`YNJf3dxD~>3e`L^zz!-cc5Egw`Jt_VdniV47YJy|tuhA`Q|Ai$GXRtv`Q z4nAK~R0Jd<65=r&ioxpk*i7?C+SAG{mXd?%d6jg6mMQorW}C|NtRo9J=T52ihWpnf z{%2f(qIaGPm~5v&;lM4r4V{og^yqrV6BK#hkqErgJkSxDl_D40pOEWq1_wIR)()%# zEQPoHaKU1ofEo$91XSe;W>hou^QK5I-CglOi6CgRUke!)KUvh&9nn_Z2!02S-UcY*yE12jT?a&q+j8>|Ad!xnpu zv$AunzG0QyS3Z6OwZl1#6BG9?MY)uc$%LEkDj`3As=PF@D1s$V8KO39Yj7=ifsJYQ z%%h<{8hE#w?fhhTwOods{f;Fr=EZpn0LqVplH)gfAT^Bf*+H##s6ZwIXplfiTwQ;U zF^>AlSN*ekt)* z&{d!Ty8vd-aITD`Z7(e7uT4tkLHa2cCHn~yed>9IFXI=fCNRE4rd$|JQxZLp{9uDM z?vC5SZHH1OzIy|C0w`j31ksR*!3l#b5AZ)G*yp7PWDqQ!)42xFVvLSmNtev`XWb?2 
zER&gYgrOd0U|#&&n>bND0DYUHiIpd8hy2na#8ASZ@m=lr@3yEQ+`iLYn(iUHKmIm)M`GmfOPPg zF$SS#>q;r>2IJ%)6qLt7cB;%!!ng-LZqiRA96Z^kujW7yDvs^^6|1zkKlT^2;jW-e zWJd21n5*IkO#%z8&aWYnCMw`&X0N&wb|OPQ(%$CL7IEcX^jSiNoj3JSu&@x3u>ep>tlGn;)b06n9~=&qjgXxG#2+EOkIi}ZaTdXh~nj6MI$l;j!QNYlX?!PrE;R?zQZQF0bg zRUdFB^kxHp=8Bq32?#TTb1}LQ*W1qwIXTfIcdaNg&~>LmJdVNL{B^t^cEWmiGRlGCr5b3mAPk~0hX0q| zi?_7Wgf+#9S|{~~0G9u)gx*BI zT0`RIE(0Qval+-eregRP87|ei{_C*i;WEpYSe+|h*jizuaoC*8k0w0m2y6FZh|qsy zjEiuqDyT*=8>--IYF2_Y)8--FqF2b9x8O@bSWRg$l%=$B+%>sHQQ8=Ca&4+m$fyF>fvB7FD{jxi84j+ zYMklvG8c%-rf^ShLh(Q1M~dj8khcM!`X}N^4?CvudwC{oOZiROsziILA5|vxPu4eq za~BF%mBE;?)v`w6J=Gn)jaBU+)=Zs7&tkSX`PF5H!T<~Hyg#E)U+%RS>KBuBV`Ra1 z7yVZThNWwiVR6%b3#qsq01o@> zFW7DV<_1b&`XvlTTbI9AK!lug0A9t8R7a6uWms<2$D}~6Xs25j_Aea8DzFtO#8s18 z;PiXgQD=EPkrde6Eqj3;^AQOdWbD#K6J8pGm?ELDwtf9y88FkRhi7qDa%7UKSq8j- z9&oIKmLhAqkXH}=>TG$Bo80o}cJaEvCxBTd2*3PLnnC0yK35(z2*gZE{0LCQNU{=K zIJ~cU^0LM`@CFMpdXffR4%`QH6$%4o-6UWGybHlI&=3fsMRDX!F8f=Chpm0v*pbX~;tMLtw5`7zbxnTH_oP}aV|siq9U zR~gIh_;BBCC^|E$ST)NR@2Klu_Ba*BVX7-D6jI9@REN|WKM{I!d&(&=*;We-Qf35Y z&QA)_?=KEgcogv0@vJL$1f~{}4`;)f^J`+G+SDTkR7Gz);`M*%DE>8^$0t$G4lkU? 
zCjQ-?aY|my zwZ8rNm50yVA~I%HhMp9uXweRZzFQbb^xcq~vy5(zX%%pmW3Y&KK%r+obYPzSo5Ho* z%d^qxSP$f%BBNW$cEn(sdH-Pa(@%oC+zSg>Oq*p^daIeRh4na3uLEC&wLr6#HQ)IH znHpS_AiT+Xo;n=E@;2QG_=5VNT(d4bY%9H7?7Zv%b<_z|%85HuH7eSK1h2vHW{(Bl z2apMXOnv!1El`1IHO8hYRi4)$U2NT_5@0q0{-;TN1vfq5)mNZoZLq`J_=$O<;a<6F z9}^ub6nK+mcz&-LzP!K3zmJFVMOPT=*e=j zp}4di!z0tB*3E{g4XikCP-K}|fDo9ptyW9Ep)A%7B8i6K#`TX~08$rh57<9p2Fdr0 z9sXlo--@Q!7h6RSL)EDA5M1X^*>9**dKU;tSQ2=QOv=jrp;{AfQiXb5Qn&3??Udvw zv5NY2x5#{yt%dOho(=}&+N&u+OueQWwvg>pSM;7W1e%kYI(Q2Az6JF$`K7bFavG>p z5a%(`G9@GbaLY_j#9_?Ei%vsj*kDV%IYEh2F%)MZ1&|9&JG z1333!U|h*oOH8e|5L56uG#`!Q(pp~}8}5=DoP=Hp(P65dqMYnAkln?PD)Jj#TH`q} zN1O1jYlO~rj>9gTN_6?Ln_x1>8AAEGT9v|_dFT(L;s9rlQ`dpB@ zVqidXwv%4t(=#4KXA0XplP+5jFAVWC0a=oXefP!metr!fP52D@yh*;Iw?T_QtCF#%$p0K`Yh&OvM*Bqrq!N%kEv6o{2zA*grYIE{a12NS6q~@a zi7*(0UL2$+!LEU?rvZSu>%3=k&)cdBO&g}cy-BsmFgyNIL&0pllW z`)ds;$ABM2?eke~Ty) z1T-!@c^HSUZ}wfq2&pL^i>+{6*Md|rG54Cb+B|m;ya3YXM9I}Cu1z)Tq@tEV<>O{` zO44Bc|D|@nNvvOYOFpSCZsFkbpeoBf)&tAlAxtl`7GVy<_)!!3+novKbc1?>{hb^Y zoPIckUN<3|zJRmrD;l0_+pY+;YX}({egHa>Ug)}mDp%R+c1sHh)kd3b;Q0MjxXk;?k_k2$>yALoB&QhvA-s@B3P`K z`Sc`u0K*KUPYXH#(dSJl&vR|ynCHkX1wgix7r!odaLKWYQRo-(O2{wD0Aqw@9ON^T zUjT4!dS|QitaiGr1xPk72llD($u%lIkf_=xct4_8u1zW7W>{G5R6I$-t%9MgcZtJ4DlPYYOHGLxGI{$~P<@oGNKR`d5 z7^Oj|gN4Ae&8Q0TXALLJ01SQ9%Gy$>F+05NA7)(wMCNe-byi(z>Y#t-DQ<*{+Ou~n z2m|HD1^(2mXF$gh$&uTXfh6dI?K$Sb@$^fB;)_I zXw(006WP9RBsnIdmk=K8jWaRQIzPR}k-GyG9xP@Fxqi0sF!^NCafdB`{qrf(@8Fri zc1?Sr4DdG;nLPUydp5ypJgj3N+HZ)d(*6b3ou zymmBplfpZ#+8k%1JxQbpiN}{5!ji1X*S?NDliXw(>N&TikM>FZX`S^IJX$Dq>Rh4^ z$9HGsQfD|)e!t#^60Sk?ByOR7!_SI%e~ZrdADbVhHP{UF%3CO{HKY1yb)H30y}W5$ zrAW5qrcEYkoz^0}ho!=6nTT;Hi-x2XS(ut|=-q397ziX#IM9X~dN>hGB=8GX1DmFT zjdy~}^N!gatHPj|=IrRh0(k4>W9G#1Jh0U4$Sd)_L5EDs#m*Ga0l@+;-Q%>Kfj6D? z*$`S*4IjeV3ATI_Kb;2nPl==r-T@S5FSjB~or`?RD6hOx_b8mO6;_-TIvNjlu}B$N zQT6snlsNEtToeE~ugOj}vGWz0F+&Lpeg7m%1d@>~Zsea_yJqM37=}Jr-`E~WM4e14 zu`H9$+ooexdQM>9P;cI}p1SsiG6w!p!3^|MReXrS9cp2g;2n-@`UCtPN5fC0uvAJ( zDZi51?O&z*-&^8n5^? 
zCB8>eGAxHhi2Wo;F^`*+^oOkHNyD(t1#zgEQXN^HT|_d)W)SYK3a(xWL9eogd&5TL zPwacS!%p8R*AlEx!Ll>jmV?b~uz^Y_cO-V!Y&cBB{Dl!41?h1d(IcJy`o=2sij9jq z;%geHq4aH*tSRlZNgN0M-$Ly=cM&Cctoo8J6S)`;MZKdLskI#nahZ-aKCTgMS+h^y zd%hi;g2XKg;{bQc)M7TYeLnn4STI5UlslD_VfK<2rG-F$22kKS5pGwE3jE=R;Z!y- zmn^(t&&Wf(o}}+QU$N;K?qrJU3Mt$GtTb&4VbZy%k-^aRmmU)HZ<3hO03esdWRFCN zc~U)(y_v3vfSx!dW|WQ8dgc@b?rSrl!3qTTDt|_5_9(|$B0%Xswig_tVJUPC?xEN5 z?9TPTr3HL8GZc0#7Kfw873qP0dU>_LVv>5*%XiH++_Xs0-H@Ks1)U|2nNbG@Q!q9fj(ezwjzGDZ|Wm!8L=I2lB-}C(`L$1t@<`60Fp_RR^)yy zA2&x?UR@P&wLTEtf5O|Y<`Da62JIPPwC%|)Z5wToQ7J$4DDabG@4WA_s3luX+3al5 z2pJtzXzW?F)SuU1X(Jp4{lu4-A8X^u#lJ_{-)8R~HHQFwGD>lr-r+{-3zrtmr2}n0 zaNtLnOz6*k%eFy1BL8eluyfqa5R{<&1E7gngP;v{r2hz>)~LQ05+c#oWE{4&rvFkF z-ls=XWiXEcr3Hx#%6eFBCMyB4AaPJ5MseyiDV(Wy95)NGx!NOmwpz>v@j{TosN8Ta znYv7CIm415>`)$q@ZYWH$$Y<{F6h&2V{NJzE0N6d$5ahk{%}x983?rnDgqE$BSN({ zSeT%4N7JHDJL`}U?=P~TeIu4G3Ygod#|krIuIngDb-WiO2134cruSMfQe#1H9MkMtVJt?{70y4mC*~)bqpfGiZ|6f2dI; z{G~XbQTUUi>ghhZ*(oxq;c5%6iwat-dBWrFV$} zVw%+rsJ5o_0%D=f$PBX{vhr42*I*Lnk66O#D1g;xo%(ILyk1yntxGvQlY9B*%U3Gs zX*liK0Gm)A=oFs45T4+xq)ui>-oiyX;EDA)uUG~ry2dZd-fqT7WGS9g7uF1F^R@E; zA9qC1M;(Rs2~Ds<7JxfXIr2}1wBJHIBq#rPPHiw$NE7jh(X6ivV+si8!-4N3lVh?X zm%$1JNCHmA^=hYZ0~ZDfT4sX0&rZsrHZbGWYWHw+kr&?O+Oeoj51Y-+(>ee)7;fp{9r#33h7SJ z8u{=l89{0qQcG!1{t#qHdX`v6U%|Wq$ep}mUI9ATE{P%PDd#RFz7fL8@jfu#Li3C? zbnd}QqMAthlb^lU9BrZlo=9!fJN`FrQbYZ8z|rI3f@Ctl%y|NgN?9ndV2(|t-OsTM zKkFBAltk;?g9DF8VJVK%1MsoJNM)Z~dx~U>1*zW8Q8qCu?&o(w7H1xsexZ(;Y;VUV za{d4_MjK|`wpwia$yvw+dD#COWeG3!ZTbqGQV8_pgS)ur;XA(r=y_7;+O@jp7x zIJM4G%4L&HX}G<;QQpSPXrg7N)UCulCj~W{XBo!4Lxbn?1jje$z|8OFy5m_x;%KqH z<<&)ZV27}&%HoG7PsNCTZKj8*WR?RRV$E>tJEj?RS3tqoj28XVZjOk*rw8l&)gVhZ z$UlMnNZdRXy<{yzxMiJAw8XP0rGHA?qm*c1j?oqG`C4=XwrVU79F|yETZ&u>YvIsnbNyqf2M+tllD?SwJ?7v?w zBGJxQmX>wUcgkZ}1=ojf5Puy1gMWMB&pmvXPF5%`=L91DOecO7B1yRY53Y4NDF z_)Ah{3vW;l*s`cm=k; zT-?XOQd?F33WW5jVChX+oXxZA=6VgqiHUD0Op*7D%m}9v-83EbpE%d1Bxnlds)vCO zVlE&FAFla?0O<~>=?O{37z5knXhf0~ddjO5S6=OPwJ|7qobJF41x0bof2gOfa7n? 
zS@_=BU&cK1BKXv#=7iR)iB7${R5JgVfm6A@?^k4mxgjqwKU!!;v_?-m$wy2e& z5zu%)VlH!cW7I3fX+qL`d=(G*0KiEx&ahdC%H3C^AJnz z49Z7=>YH;2J?nv9Q$O9KD3%|f@0wE;C0``+LE%SYXIFbkMt&f!#dfp}oOrzAg_oa6 z)>Meig(z~%hKIe&tSaYA$UK~1rj}tm<8@bWQZ~Mqp`nxm98LPV+3L8yb{n%{gG|+~ z$_yC~SdQW0E6zR0LVZ`?9t#&X@&S^QL7Y=8b5E2i^HKNnk$ew7NiC#ESPyI$iRxe6 z9@!WPQaJC_g)s6k`82>y1FvDc*~3yxvbx2uS9n5W7i1+0jBu>$J)PmK@Qx!yCR^W5 zxWLf&W1(Zfji{`=OARvQPN3)k6r~g1jtX!T-dfJWEBNPn?dvbjIX&UPwUM2Cw+WwR zBFPwYk*vXW#aLg3(NT@?$DxeAp(A5^9&4?DfC=hEykkbI!sL>Ad5i^D?;x9Ufi(pJ zXw30g5;5U{50kIyO*uG)ikx7a3TC<%_$nRZVGiS_!6Glv2q z7?RJF#WjAFEyo{k;1w1B6mu>56yo_TT8T6N&2jZPyr7I`@#>SE zswu{dXekVeDl|k0oR{ z9Nf~`gu$IDpI^G)@O&eQj+!>Dsq$5h?;`o_~? z$Vp=E$n_L_(1JwU{l@`lwS~^scGv^mRQG+#)R-B8&)y22i573uy}WOr0eT`P5(rOL zxQLOpVrrNCS+Zm&8K2%0M_m7`U`GLoF%}gLSX%F^Blg5r^OfrZR~QHQ_=>BF+WU+d zL2%~W+Fb-bs*#|)ZI8w01Qn}(wkjUp`!66V`^G>KrE}Mf2M%>nWNa&2bO&+--+!cC zpm!Mh4KMOv5!NYOnE>}YP`<9Kn47ixd6Siu5K6$gNguq92L_ zeZ}`;Z~X2@k@OvU1oP}o9OtOnP&!vmF4%3LGts5`r@5C;Bc_rTX7D`UgOmu|XG>ga zk%o9DEU>+5^>rM3XHa(N;F+&JqgY0N9-VA zjESRGN`=uxjoyy66&oBeNsk9ILF>J=CH&?HBy+$>ynou#K6R?hQ_<-i&E`mdxEuyI zbxkFT0Uzmq*dfXMK#y6C{8MSI0ah<0kXa&e_I*Zj2iXsCKX`*Jf++X zalphALWQ3)Ivotf+@})s+OTf$L|Dd$AN3A@peL5OOt`IDj>GL=6FXz|k|#=nchCLW zKLe>*u=~eT^j1Y`@49EKmG8p+A4i^glmBQib$BpO1DGtrE;o@UZ%+(3-!M6qd%~|A zqEA7J;wd+812y`x^3tPj6o8|VqrhMckOxAN@7^)g^cb{s7gQ2ibl2Yh&YCM)QPLr?BCaX`xcJ$cP1kqMcngL)&$C}}wpdhl#{yDf4| zli&010v9VQZnY;oaklt3wEIp>F^73+lh(Bns->uuz?EaTp}HC42)X5U{5s*b%2%-p zS*>YBD-_vGw7VIOGsT#6S}k|@$0IZsboOFa$_`!H6jFhAOc3Y6JT63OJV>5Kay~Ku zH~G(R^k=00g|@irQ3l~8fLi9)iw55f>t8kw9ar|$_3^CIzC}6Uw)Fv~Ma3MxC~5AI zNSLKg+^S1XT-=gbY9j7PCy3XprGwYt)5_EdcPm0B z=xB@%IkJ>-7-EJ34bJ<)!z9Dk|BPi8V*-3E4(`+3h_qhhyw9A^LzPv%H{zkYKqfp9 z)(cIa={*ucs%CJL;eS6JXY<-nj}0e`FIP+SXqph@tJ9o9`rIv4+a|EV9ry-Ea*WS( z6Vxj$SY&Q0l;8@e9>=Rz=x8E=r)tC=*HxIcnAih@X*lPx+;E#eubl8c{=d|voYLQ6|V`5Y*Xz|0e>hU z{mS{^OgcL4>`NEg%xYKBFWlE3z~HH{kc$WQi%{1Au$#NR(HAW(KLQ_7nYa1}?d&&u z!c{Lm-{xo_Ls%6!tx 
z0b;U$N+g)mR<UthK=`2T@3hP7`RF9#^VRFfzLk@JKHkej|U?VKq;HlYhoRy^YM@Hh2YH!z+UBP?(_6q z8tjkPUYys&{%T7op`Pb{NQojW>qR2)s<<*k5~A|D-r-87@JbyH-@`;P+WRDcxw}r2 zT>+1sLJKl#87Mx(?&G~hq0At)JVgB$^{Yx>lIh3`8dUR_QuHBlT=Z~!TGpQfI0~i9 z!7SvONN2^0idwLF;3-!VNgc!Pq&zp2lQ%a2vl=Jda-J4FvD7=q4D5RNiT`oR>h{h> zr({YQFdODH76crjo6j0^BKh>^`Z^VVT8 z1MMvrXD@m_?ZV_bneJ~KMT}COLUKxkQyC)0Tv-pRuS(SyoQ}&Imefa!q+k?DCRR+d4EYGiQx%G1i$p_)U zJeqO@N`%3@1Jm44$sxVy=K}i_v!__ojx8h-z1f)QkMOso4 zE*w=&DQ2IZ`(l=B-l1hOya^6!?rTuO`4OCvXnZ8f`l+yo-$ak$gnv)>YzOnN3%oH* z%xxSvpH_S{O?>0@hy?C)%7^Wt)9!~+H3aUo$)@E<`YNdsfF|UMZ zFKJXy#i8eVlintij^8!(szO+fK#ig8MgZ6g3@3VSDiK3Wufq%PMZOdEu$2y{nfB0W znV%Kuih8HK3=PB&4HL!67nkVSD@!Uc3}e0_-+@nsq0F!?pnZqkZv>0uY~c(d0;T1y z*^9tZb#Y+C53IU&;IQq;K=rAlh}`B^@Q}DjB@E_)O&ki?_0rm+qEjGsDjdKYvhTX2 zAfQnX#AByNw2+g&ao?lVO&B?Nkk7ZwT&q;Mx$QA%dFQ2}WuNNjSCQ6$>jgB}b92lU z^s4i@*CA>nCswb+Gbz0p-i>G>*ty<>X0-|G?2OpQN8?@e5dko~kRQV^qS zB#dcXUzsbzQ7s>HLNT6s3nRgCd5bX5QbO_UMQEoQ`Nsq7lRVMKLwpw+rM>TrBFHB6 z877M2%P9IKc*k*P@c;u6>8MBNm^JU4a;%j&C`i|P2|<_HKINSgth&mpUbxp|&pxQ- zdgBAH67goKUq3=QYXtNLS_Y#@Xe@gn&lL_3l{l117-k(6o6pO+mM15|-}E%nb>{#$ zl{=uh=?w;5kfc7&9()u8`y|y;xdVL9YLv$K(+Z3WnYq7>AtQ#L#aPL-eZP3q-^5DKxWDWX=4V?*9zMR26_6r)<;+GC z=Lm2O6!ZD>GUiSNd}0m=x08o%;0l}@fF6iH;0WA+s08(=3I^`Lf>H*#=R=}M7RePD zL+YLs6L2%n&&fFlZ@b;!WV*pggTv#k+u$?Dnt31Cxb^zXZ3JwC0s5-dW;GBHjO&G! 
zJKYC7xFm)7D^pJk3s_i7#aM~@C(c$hbcB#zQgOh(Rpe@@prE#IYebI*e@p>;21o{M z20{RbI2O@?%;UU^3g=!poDbIEoa##e-?O9Ov&;K<{Z68fci<`rSGwD!vKqaAO+}6$zdd}5<>KNC_}=Sv_gPCMPDl3 zC&x>v4JYZW5F2I!LtPmc(qQuFYmmdxF&VqsiuFZTgw`?_!Gk`?EPw~*qb9LUFe_rP z90rCL4MjW^OvYRBYGc<|HZ()ulTx``)U7>qbMz4~{Zsf!jT@lvAynWz z&E{Or*0+XB*>r8SM4VVLhhxh59}*wufHU5U5dhwtVexKaPB>4*VgE6X+Jgbuew{X8 z5IIf_3ii@ibiv^9u$v1?1Jaj6){LCFNrP4U9`0NNRYIo)t_`TdduS+Q8y)~0lC^|d zW$O?ntN7l<0wXsj8ezmUUcOnVY#VlQVh3gcp4oo8_Fn<-WsTPFF+I)9W3=L*x4xx)^M~FXXSh7t-q`LTeXR9#(mSjGmBjv&KgGy$l#&oEx^V z?_XH)MxJ>ov*3d4Kqi~;*8ahlWdljI4|`Ct{md+8r9Lr^=GO$W5&xhbm}&f(Z!Ahc z^?9G(28R}wzDAcFWPuq6f(J|utAm*|f$8X+X2`JO}XI1*cnD?{l z#by9G=n6>3OUw=}gB`E9Y#Cl)#fkBKBWl~FPC!qWL$3Lu69!!pTMeI^pTl8|2 zjEg;*Xg{eS0{6%fGWL5(o(cin{GEOuNkh>#6jz&c$kKy2Euab^m|A?ZRP2+KZ;o(| z9Rh>PQZQ@M&8LWwu38^Fh&QBWreQ>;XbCR8AdMn5PL6 z%}AWMpvhX|nUG1S##|_3I@wxY02ZC4?KoNDL4#kA9!fIUtC6E2dJv9v%4lvVZOqL3 zIyi_v;tt@n`N@Ye(>6U5857#?oA_}Kbr=D8W0S{jbugjR)IgFa3j$RnICUSV;CwXE ze(!1b0g0q)XNzxcF+1Ys@7mFRGnpJ%2+7W4nHMq`XzDk+kRaikHGFV1tFYsI_Bh(3yv&{g{z17taDjX3SiHYuV7Aj0r$FL7 zCp1crD(5t}RgxKxZ0N{*7hw&q#1Bp41JJK;jrR+I0ZT8hm)XD&L9;C043Viir85;l zz6MYOG=pysz*HJ}GrxLpr}u){pchQW=L-)+AKBUmq5q@8;NkqcFj6Twxp|c4pBf+l ziQiG` zGM47quYM0?GanDJ+~%$iq5^j}WH2VWG~PASa|zo7`z=^_lL>&xs+jwB#d9}=U(@VL z!B3dc=iLJ$bcL3I*K_=-z|nW`4c*awPv~3vs;}^n?B6t#FL)|GL7cuwB3BxZuk#(Q z2&{?Fb-%~1V~Pw%&v?-Ln*7yMxX8-y{7B4XM6;Jpf5m4ypdr(d8ZGp;(|cfb9;gcF z8kc>C=uhIaY>{sKCg#`yJ_~562TEEc$^AURA$38j{uhNzL*JwQr3 ztk+jilF$c{d@0dTx{8aiMW%%7W2;B%(l>7jps5eJzyx_$0MAQhTcb;AK(k4L7;s4~ zp^DmWQ87u$tt$CSK9j%XGnr#7+%Xu`6at5?V2%ZHA(z1xO+s>%398Xy*z6)R%o?PU zV~8NAg(o`D%q~(=T&K;i`8)fMz#|ed4}Pcrf*@sx5EDXOIN5=4Ae`kx(tT(lL-{Yr zt|HRUr0CXP$O%6g`K4xDv;W!&L*>NK{F}eY=lq+$Nu3S187f)_mR@*!Fwl<3`9nk0 z9#of|(*N`rAoRqaAC^1%x*?+nyRl>ZogPEvk7Ca43r9Hop5IAVj5|aifdb8AO9uk; zoqXZ_A9bmj<$opJ|Chf1I}uGWlTsxmgD2nr0CY-09A(hoPJd3vP9;w{|DVy|bL#&) z%er%|_H6ops`l*vs-W1W>iE>N!tko?G0%|7iM&M@S9#FdF_Xit)P8TJ^YAHnh^O2ZjS zQ!Au`rEZA5T7z{8)BT@SX*OFo>xS6MpUivBoY6 
zDgul~;-P=ij5!$tK=QSQl~A`X*0MTk^0}7Xs%t5D9(Uf3#Eh?lfi3beaJ^sBAR)Pl zuWJ%UVcStvSCGMJHHd0h#s>Z0j!p$bm%>Gd_THXNA*ppmeiixjhac;TAC_(56mO-Xu3sqx@vh4G;Z< zWpyrjs}5Y0(NKJJRhzW>%!G3V1~^~vSbwXydYAL2G0CvEnz-xwD(%|~&zGaS*7Pli z^eIwU&bG56a!%mO>+pu@zGJwY)9f+e{A_~?8Jv$;5&$ae*BKlL79UJ>a&DIB>B-r} zxtD`YK(c!Q?ZAVs(kZs-^J*kUEo}v-yFPY`-M%Y0*aiw5cx&Ty8+G%Jamo>y@DR#* z+6y;L$~eUbM(|GWIDcCJ3OC6)iW)fEpgcG>7ZsjxUV?K8&gsr7=Lupt*V^TBwx?)2 z$+;IZ4vF&`2so=b)3_pdZeVJq@<)zMoD1^HF0jkziiMc zaqe}4${01o#5sdI&cELn&ckOurlzK*rlzJ(IM*p3kn>>Mq)=K^a$U;d9NhZHc}{Ha zclHeqFuL`&*EF1q%f?MvO^#2dIByV}M8&xS9$oz|P#)YnrO9(WR|n>31PdM3rWy#~ z{7#Z{pBQPJQ^h0!57@zZRq7h<>%scE{|HqGfsaWe8`STan;KNIg8S(RXqD#Aw=Z z*HsY3WjEOM;{1w|^PWgA4xT9KhCv2=Ul2%CO9{m2=P+xkJV`1~xr7R%`6jega__HQ81TuP#UB zzRiV11cZdFHGthnSRt*{K<+}yB8l9oImkv5-MBx}tIy@2abvomn`m^pnu861!BMkRc&pw{0WDgN)eQg)3>PS%bK(&*~6Z zHCo-_gcYL{DhmjDO=lKfp!DchQB$GCo*2 z^t#bn#FW8qC)cw$HSAG#bqZEiN~7vtl~<8dWBdCdL8RV>ZTNdegz|| zMl0)Dq96dJ%wl~j3rnd}o_C3aiLBcRfXwLbzfdz?U(>gYY1q+Tmsn-R?=RI}xI zkw3Je*aD}Dho#R-VcH|-5lzqCC}veENV5GDgC{TMJS|Y#Nka6yhj~JSffWD@Sn#aI zyi-1^$q~f9ELy0{fW*RP5?hAU41^gLcS!vRN7_g}Yfnd618Gr{ZYc#!>Bw ze}G|*U5R55L1Cg{Fv4n#?{da`b$v`|=Qnn&+ZU10R2au%jXTeP2?*j+ zh~e;xv+`n+coVcc43bHy$Hd8#CaIj{A4)b%osuXYCoc5B*nNc% z8WGqQ`4wY~$li%{dh!%YAe}Y2KfU4fcQefT22L%*^z6g1uB#(~c7{T5 zhWon-!rw_ekvVv`jpmT`JDO2FKwga};aq6*{TBt@L2>;3jRx>ns_#T=9AET@Ec6G~ z2H%H^!Z91phpAZgjU{Kq!SBUpdIVDvpW|8+7NB{i6md@Eaz>=!!mD=IdZ3qJ0CW|z zw1~u-Ml6}Hr+6^{)ylb&?W_ppoLE-h5Fly7Z$_OX^9DU4hZi8o_gj?H*(7IPuORvr zFyFP^HBl8pYBg)S8n~8ZV6$4`YKFu{YFi!K8i6MC*`;5Rg*H>I_cYIpRstp~z1!h8 z??TPzq8`9Q?YCI#z(k@+Sg8AM>%h@Ehn$Y%grXLubQ)Z(=XRp6pbR!=mvU-=`^2sxjr{gS_t1QQaZXaq>~t!4R^ zX(iD1zT`LZh4?28VV=5Q+4Tt65S-iVHS&BESop!tcdQ#ByB=u2(SfFG&~0?+ILP`9 zTbja5$Ls_`os6od-7s^>(L>mcf2NnB3IkbK z!~K+9!&2`<>^Yv=XghJoVe~8g6ow$!-IR9cijOjRN!bg&H7}wsUQ!K%1ze=B47=1C zD)Vh!EqBQ*1A(Xe_MM>s_v?WvQOs>uu;ln|Mjv0HjeDAXZUth zs~7%+JWyhzp;d6FLXPrik@@z-9#?~J77_#9-zcVNp9J;>+40fEIT_R z=qsCAj@>f0vN08~Axm4H7aB8!Up=E)869Uf36RT)y@8-K8C}k8-(4xz>wO<4V;vfIF~~U>p%( 
zEU+LnQ@LdaVnW&9<=h-OKEJt%W&5rU-<5B}a%b}3(-(csk6%#u?Vx-9K-|}c?5;cC zayj)!=9~NK!}{`kUDxvRIw*V(p7(*^fr!37=xhF5ET6-^U94>OJD9$=P}wWk;Tu5l zJvY41o)0SWK$Sj-f)}dvLkT?3-FG_CAA$UzQ=Z)-ezM>vD}6c+-n>LHs>L%{IU1V;M|rf0ywH|5qqJhaSJ zP4uAlVe?^9?2}*jrenW+tvqsixO;P=b|O^WvOsOL*Ka#*x9znoAP^u@AGLMdUfaKP z+y0{R`vN*@Bn$nvf9Z9%?YI3)T?A7nWtr?r${mRbzrYGO$cOv0*G4O9r3yDFYhU8i zF?o0!7%=0E+lf%UwDc`J-TlI0#4c?Ovd;GllzQSR&kSPCgxcvdji57Fq!aW7fVZd+ z#yaUpznSbd2|5ERf74Yb?RF;Ro~hP1>w4y`2cO{S;X2wT(u-EmzcjT{zn@^}Vckye z(KY>B*E#FX#Dou5sh0)-OES4jQ;?{kNVU3WA7Jmq(3>;>Px^FEA-AdNlr6o9mab{( zbI2WZ5nPiLis_rh;=Y;7L`_wL^UVPielrIHmoyFxE%v<>34GafTlr$B zGZq}`nBI6_Syh@K)`Pt0im0lucPefNwC+gNRd{20^ZAn%pqrb(2nPXQsYlT@&_uz_ z52PS9ZY`f)2)X<8__ykfn+|Da1NTTfu^}y%u=~(C*b#5Vy~uTX+0sqTD{&9nI9}ZdUu=q7y@-(;vH$UIhhsQ?Y~o z2+${QE;Tw5!bL(YT;@n2PVH5oFCkKg_3>Um>gn)f+l|0|8|tkEwU=FQ&FHC@V9(aB zVy;{1^)|SmDZMT7EXf95atc<0D#Y5eJU-T4RWnjVYrvnPzb}a$N;-t{J%l}!y&;Vd z3n0?yK-@t@#L%6HNXQ0U!=s5k&u9C8;)RJJ(u5Zq$cE!$&}ZE-}?Vqk&AN=hxHBdHG6dbHY|>W~;c zdy|WMRz{HVD|poRHzz^RZpzpmm4~DSA&4|Yl2eEK(W6R{E;|IZBoW<-CXJ-<8cl%HU5C2VW{)CU8h5A)5 zZ7=Cdp`_ryeYX@3QC)(x7eN^VcRnsUXf)}?t+*$rJ|Vj`vo-1gD)VNPoF*Se$<|t1 znT&K=&I3!e)?A-s9lWH;P0sfZ zP~4rh4R%<)i1=h{7K$BM+f2B404Vz_M?+NnfelT$+^LqnAfn`PJ_JVyknu){^Mc;=PS^3zMuM>~3y0x%nmnX*GPeFku*O@xWAZ9&#_$WWm7m?@*e#mNaU=)sFs08*Bl zfdPlM{2Do6k<1?9XP=A(!%{@aH#M&5_^()coreetPM~-0YK; zwZ9O&ndh+$rAfat82T_e5h-ZCG`@Z7ywDr6#}S!em~I=kmd5I7RH-yx?v4ryoF2TK zzfWqUbxg_lpKj{xc;Gf-`)^8PK(;H3<7@gs4{-t9NTDcKE|&m6B4pj;Y%ta1=zDwlt8k%pm% zBJF*oh8u^&B$#(h-R23|5hkMrr*aoCX=lb$U=t2?5ela9U|!db9vnkY0X*=XSyl#5 zFBYHUE3jWO{vQfKBbQuXd9naLcHk^MqP>m&sdZ+!&ph?>NS9nf2|+ygvyVxFMuKx4 zb<~kU)*GS@K_TXr8H36t&Bnl zM>EU@9PCA2WLS$)o5#p%>ujIFf-}(i9`H`54^K7GqpI~w9{-+-r&x2sJ43rl4`&=J&URS&UR>Eh{fMl-qdv$mpuG-nqw&mE1iEw7bc4`NgN zT&~zOK9c=$e1ELDtCb~8M)En0!S1N01U=Nstp5hnwni~;pGb(OOre}dqZY7hget0F zuwCEB#s7({m%&WjP>`)>cf!NbXNTECNaT-38{KV~s(|x!dsZEz3@?2E=rLWm;k604 zF5RQ#qGx{-=G(W~vbUzCdpxc71|e@zqaB()EGKlqRan{!x(Tq%$$c9u8y34xag!Lh z%mdyCOdcP(fZ71yHn% 
zG7_{I!a-OWp#h_tu<&1XuSy-Q!~mxkt$pt@&P|Xpl|W<4n7^1FoHhEG{(phAAuWQ% zhlmRtIrDrSe-5HsCwCo4GCnV-@9)jWrSF!Xx|Xl)a%?co*t$1sjY2qYXtE(bxhnJz<$(U%kN?{X z$Aafn;y$|QOe3?|{P?Oz5=UGThAng5;u689ie!K4VU06Gdm->E z(KoidBYP}L^fU$tN>)RJI{RFq74*$hwBckS-Kd^+qQ#Qg4qWl-Exb?bNW|zw9Pe=3 zZ>z>G>-@ zPVU2=(M8+2p|@Ga)Q!lSysiJy5QmGM2VFMMK}rg-%??`Z(t{jbRUbwL{j6R_>0<=R zL00+zqK5^hE%S8Bj|-qZN#^!0#GFsGE#*cTeII%*mesIdkTV+>#GN*V(__$XPfYF~ ze<_2h(p99qbSb>kyto|_8mO}L&t@}q;WmsA=3GF{ab_VIlnW-M$UGL;i(kYu7QB1x z(lxr}Xwl1gTHizzYY0}&yJ&dpCjK#i%>v$FbI9yL8~C^Z>4k&V$gMSI2)#8imL~XD zoXhh~-G^>O=j0&0s=GVx?KJ&P18nd9(+oz-&x1*gPb${xDbN|o63G&>B*(yXc>;|t zT<>ajr<7<41?u+k^j2LOg%iBMgq1c%VZbFZkPJ-*<^lp(hfAzk;!1z<;M#+Q4Tj8c zFgbg&@J^{hJSIL*LPF>2UwSSYN{Q{t^kpF1!4U??#;o)s5Fpd{u5_h*solNOUBABsB)3);N@w&L(kv9p>@#)oF!U)> zmoU1oTSB|23_^2g#vzN;ZJ&A?*3E->q_`jKNpyKycL|XKrMtzekU=dCpI(qWh;G zpbdAp0HCAAZi+|RE-Ta!t20}wLJm2a3P9JWC7>`S-bc)`hQn$ z6x>m)3HII|3pE$E2at z?o-8_y7?O??^>`2fOd^JVuZ9`XSFdV1vr&2jzG0*GPE4xkg=UxdY0Oo&6Tz+Ouyzx zl;Tjvf$GuE=YLf8RDI-=vb`z6(K{eRr4J5MK8;Jg>kq4|D-WQLn5gnOTL6$jF+9M{ z1~$#@cQ@{|$B5Eh|8m3}xE~3zPHPNKjvoIs6?kIE{QE;x?e)WSWdkH77z6SCWY;6D zDv;BtIy<7|%aNdjCxte;O}N%7#x0eDkc7}l_Q5u;|BW{@kD!Hq+`+hji2FJT+(D`^%&*y zbF>)B)-#1VB1=j-0UW-;*&e0S-3bm-*%QwAw3Ml1Q@^=7Wdjq8q$6N#$ea0Bk!52W zu-f_2ucQ1QY2HP2RW*Z8a89BT=7-wq@G$8ReeJt5QSg*r5a#;lQN3sN`9M?HRTKoH z2q@bUP$q2ph&n&lSVLAg-jIgL3Q!-%Wy6ip%{G3j$BQtQ_UTu$#5BSl_ z%q5fLOGV!{JY^ z52*D&eLP%6d%~19z&-Y^{1G(FsKCGHrXw8;Awq-7uIAg1fDNK$rbyH7Drn4Xx`>LN zS1-e}$#`s_8e%M(y!Wn%3fJ=}U`6k8h%1`5!SK>~XvL>_#HT)7o)eG!DoE`OZyTuA zktr0syHNS$Jh>G?r^t&`aDeuT@!3Y^NxmXtgx$3N>J+85NCp~dL_)f4^!169Sj=daiquL(jRtMUR)#_LUavFIOGmK%Rxmr=n7EUC0xz)kkaM3 z@n?@e(MD<~;EmgZGL7!jfNSN9GBv7feSz7-Q9b7RI(+7>6nrXbZ8!^HS#SDwBOfzG z_Yhx|qhWK(C<`d?f)Ar~!*DY8k_nc0x!je=7 z30zFRCI)=7xhs~Dz^u0gGn+`0ufXgow4Fqh zwm12O=MJ?S*WX>0;b~Q^)oaa17u4rah6wqXZcaJW(hRhQk%HRR%w6$ZE*2L5XU3;#OP!mGrUfg`Rk! 
zMQ)(l7Re9j#%doyLwMm|IvPkX18G>Ic_ZHj>61?p_#JPzlSAbWSy{o2L5zzLW)+Kw zJ`1akc#N2crpPYaiaTCND>GEl>V^nN0hFqlYkYu}F3NNmjjL%|Yz_Q;G zY&|S!Zvu5CE>L3-_aqfGxvcEFb*Sae5dCu0Da}S$phB!14TAVE!oOlT;)-d&$s5svK|XaiItFmKtRIhO)IQf~;b(?7wll$#t8OyRhAk{yphlRylnCjMO%HU_$EreQRemix(oH?CkPqPa zWLBXBpXoT-8M_5vkIS*-S*5{H^-9J~*$wT75krey5FXnw&-J|Ub?o9N_=W@?)`MhC z<@77Bp+_L1DR6~DrH!xScwk4NtpxQXk_+Ce2t`pMnMI zsi1AX#s`{$82srKx^EkOq@5ZcE?2fj;6RzC%nvIX`^Xo`ti?}cumFKG#bv$r2blK~ zO|f7omN>muO$;P=KhtqewM=WOkrTHJPTur}n7YdH@pCxUl!=)+HzqrlD`^CU6j{-VY)6e>Z&y$ts)ZF*mm+9W~;ooQtpwTubmDA0$;v~zR9gCapfYn9YV?) z5RImu-VT|8IlM}5Wn&kN_aKT7^zXS-AG5m^NGpVB_w07d`Na^C1)baiqg(yvs3H;n z2kGl}XzeBmM_pA^3Z_s^3=-Yc$kLC&3Hdd$*QCNCQKw$Yg7(beJVX_|-a=BB2+cth z3cW*SXjm&s117AJ!63s?lu2+TW`RO0U|B#;$a~h2^OHVr?C0Ir1v#=6v@Jv!-)K zGZTwSrS-fSdtW)`bIIiAN4sdXp;GO<_|^s+Cq}C=LBvt_L8Bt0y&cV0mdtlMb>Y)$ z_Y3rb3ZI|BpC2&LE&zVT@Wg-)LLoo_MU!AXk6VbIH8sUa*v^#g1I!YWvKcY(B)1@x z@e_6{Ia#)~R22o}A(}fvbEA=Q%zzJPZ_U-7g)z85#QesPSqE<+IuYgfuQ7a3+~SaowISevCS0K7?1U~N9gVT<)6rYv?lP!??-Agm4vkwplWB{N9jd> zs%b~7&GWHHHKoDcfhy`XgM%iFfPV&u4WIJ)ZrfPbE}C*5EakgQ7&r+~vC^m0X68WB3843HJ? 
zAn^bTE1=mlV?XLD;=fwF&D{85T7TAe>y|$rfGe^!{S%(eq9vD+pFSyn$&xQR>V^GX zY7N*cz*S-(9{QNEc31_#uwQ**6sgKlndzGHoGFi2>8K632%FPLKgN9fLf2-GH^0eo zwUVgRk=?`50k+*8U=JqpuNksi=+sQ(JU}DJWqE1AK9m#fJjDW(eGL4T$Os_aRw+ct zXky0F%qWpj!c@{!I-~#ewu^szDzd_x>y!o61ZQqM;2RPm3t4~H?-Tm84*emZ zsv%g1{McW@axH8%$f`ifo3d!%`4()N{+|@TRz%y1^JVW zh={d2EOrpsY0xG|5Gpe~Cp>o!fWjyn@s$U7r;gPP3a=`xB6VFiUDP*HCP+XTNqfu( z4aM-Ggay4CdspslMur1G0A8yj>vfN7&yRbiJTb-V*c&EQ)I<8#0R)lzid@b zFIHdCUbWh*Tuq#Ipt$g1x?jS+cxl_1OSW3Z{Fnz|u*f*oV8;BHMmdhp)__l~*b~I3 z9$Fdpl(#2?dS`jq_GJPHBROVAhdJ{IKuXz6vX<3GZqWEyF}(PX&%m_)-ZZH*^6fzZtz+)uV_D2Ucr08DGV0>}zOEzrCsVU$ay ztk$y~v()}zM$A=TKKV<^xu*q@ImD4a^O!dRwHdHCv!!Y%&pui?RS4q`rPcbzICByC zl(#lkJQjp{z*nqC|rB!nf!lJ0~i@7E`jw8c4# zMSeMUye~o%lX%Pp-Zt1*lc6Csc@E=+Vde$Xv|bg5%w_{>&qhrTN8OqEon}^^Hb(1p zvB7`dP_ybmt9kLAb>;(X{|QEn5D1rb&_|}D-nV(r0j}B;&a2t7w;0%A5Fb=k@5dJ; zIj1l&8_>yjW5$N3Iq6>`%X6K*pkipCu*PI` zcH$LgS1F@+Ge`XpV8i~h_oLWQ!8J@B`uJ~-7zoco_Za;xY>2$~`WD*9jAsG&|D3Vh z8vUnm3|-h*HPf$sMPZu8U7yiVF2ZeM9!DAhdd57q?xfkPqLHy3m8%}qJ%gNw!$Z$R+bylY!bRMFB%TSKDI(4N0?8|<}7fHu) zc`|tP5+?0}MX?@v-ykP4%I$1)E`o_0q2qUoJdOu$_aF{8GIPC{BXI-MapOd?z@-Lc zJ2Q`?Zt~iD)tkKyt<_1>4fz^nSgfb|ZNR2Zcpe>oq=tNVgr~0b&v-7};OS?uU0De? 
zyVB25H+cbv7r3AGaHIT<*YRfB7>FhU=W%31KRM|Z{&(i%Op@<`^1se423a^y_z^BQ z(kKAd)$jNmTI`|5Tm7?aoF4p$7DC0&ugG+MLX7{}$$F$pdeDIB_|zu(97$b8)_jjg z)B5abBl>ml!6dCAJdlthNn)7dk8eMI$mPZfd33JThayYoSywV299JUd2Y4P@AT+Jl z<9BfBa3qx5%c^?do8y0c4{gw)-dlVgs!~~NOe)IdOu*vpf3>ooU6SU(yb^6`Sm>Gn zOCPBdLy-S8Ig=qgQNoD61zk7@WYVz{8L&&=eNFndi|iW$%U9$;HJ(_83vTiza503~ z!P%Ao#})Tf7sL>FpXzZ~HYZkrpk;F-8g`+m%`w83juKk3rw&$PLM)=y_{MQ0X;bMZ_lPxaHa{B ze#n=Lldo!;XdEw%b(+Bq&iSqm@o2&i4=1Fkij8lV(vSN#t#(Nla(TAC!+`1YicT3( z>8rLecwg?{bdo<6@1|WqX7zze++;;mx2j1fbO26%)dDy4J;pT9Pi6vyg~2I@r+YZ9 z(F7d-_H-YoH3HL0nmkS?J*F#u+VRra}VxPW|j#{`9r+r+OtWwMtY?k8_A zGwe8|Y@0ytrW6}WyFD=2Ojcw@F{vCA0B5~!7zC-5`QSRHRKNkDtWS>*4-(m))F4I^ zK4wt16TjdgtD*x`x-;Ms=Hq>zAsZ4~& z`|)^09!Zsf-s2Yy;=(VGd%V!cL;XA!8ib_`#eq|GajG;ty2ykwu z5Z4v1Ezr?rTm9HE`uB_Z5jwn*m&mR~lzs!r&iz{O6J=ZlDqj(IE`o=j zFb(5XH>~iiET<|Tj&f&bLK)QB-l@gCTvNaH(kRZB6 z`Usw1LCQ}kG3lnQhP(tQo?^^`&f^McZ~O!iFRr!5(XwDgE^SN9+Kk%jdc9*-2rS6IUqLH?4Bx8T)SrC(tVyeU5nY-~ApR99vI-w1 zD_`gwd9t-6y0!cap5MX9YiIz*h1OdArK9fv<~4kQ@r&AeCipe{fhnU^@c1RX&YkG+ zFU>0#pv!8P<6AGj7npQjKn)olWAiWFa}aJZNrW8Yi{^i6^YsgYFYK?B__yn+D8FAwGx>nP=L? z-alnfy~;_GzhZnn_TKocVbWlHaD7hf(%T zgoF%3#FwsZ>YrMBsi93PypM{1>hYzjHrc?qKz*G&e@cF-y3I)qQsY3GKeZ(Ep7H4aNL>0<2Z$epA?bSdXeZyEs9V^pItC#MeMjKfgrdyi?3 zV2(yoJT_d0p}@r2X$3|kOhf?`0t2d!W+n9SRF}e)s zw_%Z+Ac`=blfK6x#vpmD^HFG>c=P5+mr=e6G`k6ONb$`IxFINLQ?C4taS+;s%*%(s zF90j@46ZKWq$o5{<1qTGtuA`mOWW+o0vqyf2j=Ln`C3api-|OcHnTn!g+BlE(yw0? 
zQ3MB$bx0Dk)1iA+v7$II`b?&qBK?Z3M{3yq^ly~9wr@-OHo6!{ zRha>?mu8HkE_P7>(VY+Rm>8lMTZ*WN%iM^YaJ)bm)a;KO?1j6#CcbkE1_~EZ|zUPe}h5{lorB_SWv;l2$s??Q@3ch~81i zJ7x}UK9=lxx`a#GLFrrP4An7sESN99v#sxm9|k16TznqA?-}thr|0v0+1CLIJ$%n; zT%jZcMj&6Y=>#2N?%_}*62h_^y^oj}fe})-V!$Mq74o>(OraVdfBB!p$2J+FX$fKe zYT=d0MRK1 zJiN^2z0lM9j6uX|3RK@y`9h&-jugCRpFR4YDTt#S-Y4<1D*h*Q36idG_CB7UoqQkx zmgMOQ`+uywbTqg?nWTIFv*io$u`|*Z)(Cw80zT-9)aQYqyq2ItdWl{mT(TLLT!GY(h7wF=T_ld z$yea`38-`jphwW*E89SE+&1YB34A4++!x72b&ZpnNq>Sh>yX~nhV$BMhC6IXPXO4bso@BGamW6MZrq9_)8u=8Loy4qGpgq?gFU6)i{JXKg`|)=~{w|B8tkg!$7P)T# zv+M*$QK@DC01(swBJ-(XCqEVisA5k{NSOh5San)b^TE_2vw(dl0h;FYyRwQ=@m#i# z&rX+^rvBCu$=qJ`H@7^pX#GT`O!ZxlR$1J{e>bUr!r6`)1e%*gV?d=yAxE0hj}=?Y zo(wflLH)o+lvqSuOe{tuDk3fxD;5=lV3FnTV3nWNX>F}=VkN<^hK;-31cPlQ{$-EA ziSX3D9BO^ygF9*Ko3zk|RU$U5lbK`OSx+#2+3{+?rc{%n`Oqa&CaL?ZU^c1vUf`cq z{-)g22FgK~eUdb49>nHROF#y8AArZ)7ttG}L7c1H8C~fz^XWCco9DC|iV7OiCp>V5xONRyPB! zv^Onr)bf*XpZv;uB(bMsN%1|z$VB0U=#?SsKNTRC*U?&1%1qhkM!(q@!Jx3tca#lX zV7`#Th3;Y)I9+1P8}`lJ2YJzlUg$jF(;bVcvLhICj)C!?u@(wh5@WK#)6CbT$Qx!DDT_MVXBjnzvRU;di$-#H6W!1E0y{ zklHSC4Wfj^PL%myfp+l)*Fj?JJ1(slBR?+xtBZ32EY;@)s@wAkqNoX$Ue?S2Wdbdn zM^9+kHUs09*ZC-o#Gi6`MSl}YcdssN=fFsLclXF%&pPV(d5+MUZ+&9aCJ-eMS`pOM zTdyTUj(NrTZYI{>0t{#P=jv|VY2+GG{Pk-yh~0m$-8--NAB}jF{ga-_3G9RU#PW%e zG}mnIOQSQ%K6+Fwe@5Vs+Fapt14F;XH=5COlasd!2duZVpj)J07X6FWP(!LY(-WCa ze~yZ|##n`h-&k;LSN%n4CLjcT--~JnrQcLrPfZlDE{;GNYhnA6VYk$O!w6yk5iyOWSX@%@Y#D=WBR7`0vo$>9~`Z!OVTP zmQIjaOMaP%e*i}U0ROO9#t}Uz2rCwm6HeU=GyMJ-7_|2Lx6-d!o=0A|<%HTLsOeZd z4u3cx!Loa43fn;20vXg$h_M2S?q(m>IFdV!DLlcZhLV;h_Tla8h`Uvsmj`jfE(M-) z!8cD#AI+gpe!gO0R|ER`P^fhQ)@1^ug*ZIj&G;>MC&WG{e0e%kF(5-Na={U(2RoNJCkR{&`xyREsYDFec z{*J7;AJMC^a@2JyW#?$99CXsilc4(CW@c)-g7@}aOAYP^PcamwhY87FWG_O1Wo6_e zuvVG0Dewi+bZwQY9H&B_X<_v9FmnlDGU&jgss^EO(oR--*+WpgC?G6@!x z9CZ-u18a!V0jYCq%+n{?es_nlmO~n4kP~T^E%hB{f)0`#cwZ@iiOpPz22COHppY5) zMs;H~s@!QF8a*Tc)4tFS_xf_VoZ*GEjfXTrfB)%T~9B>LO;=&DRf!vT&G zg54#EqIlHzlyyih<>m2ks~#T z4E`ofqzdQ-SDFI7Y#YkR$FHA3i6R4uZw{^VfC!TZuZov&(QMe$Ujvd(%e=*uo2xy# 
zeJ0R>AK8tA&}#_Y-{V3_(4@qWwQ3@TIu{d?N6j+Cq0mrHg#cOSclA&3f(4zu2wRp+ zsuh5cDG>Xqp*H7O(Hz#81*Q>aEG=^+HZM|9%4)9xzPnSL#LnVD>rzx z0Yn7)Bt>Mx8=f=1xq%}}YE`|3RkLYm{c1o99|Wa1Noz!U6^hd4yLk{fDw~YBdBEST zCXD%pqf>%@e(~0(yj@)&L<;1IU(Gi_^0iNbCUL6ah3UD`gq1Wd42r8)Ezv#F5VOq( zv*WLc=E*yVP|Wc0s7vu2yMZ@q;o6O*KD&0;+_kdFWT~DCWPT%b%e(t zZ@W{|4hPv(GxPo4@em*K%#URx3zR`Ks(TMu7%o&peKS+9zGK|`f1gy0J4W(^S09>2 z?`p9Pe@ywYMM4SFz?@MXoHs}}H`23Se6za^FkR~K+{Jq~57#cFyb3Aq2m~fvjRDH; zfafvV6*N`t}n^%5{m-H z!H?5odBiF!D&V|a=>kaMM}d<8a1@^M=W+^z{h}BddFvs?u|b~3alu=X1>dnHDgPQo zdD;36j9GPjfg)VN6e_8ArM}hWn{e#?vcwhxvmo*Qu5m_MFnB-l@A2dg?Y#(PL(3lWQQxR=GEzCpVV(0A)*DH~G_faQn)xN@!f z%10c=k%YAGGvU4%%{qYZtIZ-%eVUDf4x|HK=||1EXw<&N(h1BPy1V9 z96T7gW#~OE57Jt!;1>pbPimi@f_a}>qCX4IoJ{b*Q_2L)qsq^Z==c;sbVTuRy*u$z zkmXTT*l7xNxYz`#)2dDDqkQL5&AUM=KwOppUNWSoL1KN04_>gF^4$%g5u ziNrx{SR3P9nX~YcYuy0az3nm}nx!19JJ0-~`RGq2s;9 zFb+sZseAPtOoMGE1|k;Et0?C=!pehkL2Zj#V{6~Azl6}L_|X}Q+JL_t z>YU>09KL@BY2cFBly8pXlL-sk$BQWR?bcBO13c#o9RdFtdBdRBa17GgdRX9eKyMbM zklzDvW~lpsL$ue|Xets{P4=A(zy*@tD`5i8g%9hDYf4qmX`!dS+%~+VI!UJD8Rw}# zUl4KexidmHG-LI6S)jf0(|)8oZv)Fpc+iZz zv{)uEgLp<4PxJOFCp-~6O)Mw*eHABG@pwjMG}S9e1GOiINJK3Mh!2#mr)-RQFE z1m&sAAg%#aK$Y+JmnNjz4vIQ=tcbJb8GJW<=VHMN_PSJ9HZ>Og6ApB!Q|SsV@~+`S z&uwBQ97!ZKA)2r2gvpq`NUzGw0+Wa;`9)sK?W8zOsyQuG zR25PfW`$LIM%q%XFw7?0AJqw@be&A|Di;W4)%pb9eE3a6la$w*iJWgiR=IejWwVVA z260%kF)&y3PsthI4}Z>*PAYaTogRB@af_hfDbg0;EH}eHbLOU*-M~2cjxE!DJl3ul zurEV12-H{yO^4Ig1bYQ4A=c4fMqc*x&!b(g~;7c>^Uz z1q|jkFlz|sm_pV@iI|TMbJPzNGTeZ>=7pea%9jbp2^tmU)tm!mH^SZyk9K&BI`oBM zR#8+a(TVN0>0zsdSrYRCUb9q`fiWp*jjhECwhS}F`=yKmQ%Ea$cQs<+q)NLh&gC9E z)hqx!Q#&2r^{2*4_>|pAFoXVLb5@YZK<7$2uutqF19qiZ?J z3G#+udBJjgG~L-!*4}ZHoAT4AOaMtF>&u>!^^cGIw4MWfN-i&m(5TR?P-}rQk`)15 zDNWYkL+ZYeOb&abt6Y+IT9`K<8Ak(}^3fPPWH2g=HD9^;lV9Mi0XCJ@mjt^}z?%<0 zeXDy5d`q^U)V&&fN!_=6O0F2Y3YDLna=VKw?R<~3gj~BreC1Ix zZRQ2sMN6Aq0eji-D;%|s5lIh9a@Q|Xh3$gkfwwICOI8dBPAyBx32Mb7I!F^*kS>KQ zoY@cQvQdZpnseu$SE??$eN zDLKCAK2r-_R-1$(1?)W$%NZL>7BZY4b18wra8$i!EsZ_7-)u0>R3+ex&?Z!KKj_kG 
z3~06RZ+3<)&`=1r!&8GSe|;lqn6|4~rpB^GIVXU^uD}}#!QKe{nS5lx$GkIa@l?}z z(n6-beEU2QKvY~Vho#r_=(WJ8phYI!3(ZD^W=o~(P&>zYYHb6EP6o%qxp)O-fIXo0 zZC%mXuCTu;`bdWS5w88Z;f+9j_~Tu2(d1~vRvxc)esp35I?>#;avce_!votPDGi+g z8XMjj7&>Tp>>xaP2~7A- zn?te{At$5WF zEnieS70VLRBw`VW8+Oi&h8v|uRVM4z17jO7ktmmQwPWOHXJ zB0~pUw#9GQ%CKV(W_)fl4V&x$hi(x^%jr1z1RQ)%JvtpTL#D`5T&s1rR@trv@*;pq zjNmviKGXv&Iq3F3Ri#|uaxR_yI$(Rzn?Xj)1whm3d}#em0QVO{aEa4r!pC#I9e1a; z;~u~gsN3nfC@}U#LCXYRbQl6Hf+o9XUEc|0ne6tXeW5~WV|#Y;L3hX9Uc59l%3gpx z6eCZ-$Tc(wbwI!-veZnByfilG${+eg8CcB>QMN3*N82TNDMPrBz+xO#b(1XL z9^xrA`hLpP=;+$a4zu~9o!+n3D}C7_vTClt)04smLgle2tzhowqvOxQU*=iX-BK2R z#HIp9HyI}~5!6JLL0v#o6E=JO#Q?|Sd7O`e7v8rZ!;u(1<4b{xh0aO24gRM9MCVj^ zQ@cNkKdP@*`e<$Rk6o(vXJ%aQ#o|YM-0&{F{WIC2Nwu;th^7)>V?#BaU+L)F%1A;g zgG>&{b#y)>jr;K(e1HXM-xl}cuddZTg?baZooAKk919kLm{a$*!1&$7FaA2b^=h*3 zw)ksLHQYw6@nWQ+Em4hEP(?j=Iu~Mm|HSy&ym($JW);W5Z&a~KsVV!l&$w^w|AP0Q#qv*$st$_)S z5wIGoHP@%;Cjz~rSt_{gk)cQ-F}&ayMJnx61YiR&I1~dwH!F!hq1U0fptoYUcmlT1f}Uf4#UYSI-5TC6=Jaj58(b%>Vzv^wXI zg%+~e<%Z=y8eS;W$;TU$T(zc>#)N%z{sE09IsnFb;)b1j@Gkv@bD0o?2P}c{y4HAE zV}(4Wd>sKBZcuJ9H33jqfJ);3bk+aY2mdaG6;tPA z%*)$g(1%+py$29R``aPA~`cDgXC(}TYucgu}2I&HaE zb`0wD<f&f_IwSq{&6ZU;14_)Tv)_Vrlp9+d=s?OL<&1+Q|j~~(MI5dkG;G(_=?5@(0-1?CAR`a z-v}8nbinWxbXi3HYvh4bYU>;0v@uVgkM?lMEve`MP5n?f2(mLTeBasK>mW~G=@;p8 zOKSPjNiy1b3e>ngfbKWx3j?WQrPDuJH{}!_7EE6{K2VM(Yv%uSO?!$^d2^w@aKA}+n{S8@VC2#3HuCs662D4q z+iwf8!T{@h!9X1kAe`+ZMGyG%Rf0{RK@5+EpAc&p+E9!Tp82OKmJUjt2i6Gx1Lwh)w0gmt8D7Y03pry^U33NfwIPOb~+#Bisd4)9!> z{)5kNAc6qE?L+K|z}`ski;OtYwxNY@094ia5LT~;yms!rgybK*Qgl8*kZZtuA>yZ$ z`v`z<)F6r3PE7j;2-Z56S@IGJk=7JZFnA;ee>7GyyMGLLqsY#`bLTVRBnV16adZ9% zGf9qSNtW6l>3)*x3dp?(Mf^%nAHm6zzV#3|Uuo|p{CI|KAcY@cr*j&^K)!(s|Del3 z;BXF5g_WGcXXiDao!c0&>6}1)11<{VP<4Kz_Dp`SG}MG_H;zB4=bOH-)T7Ci?U?jQ zeR|*yVmRN_8Ro?AaR-L2r7Jr7l|T zVGbve#!F#Q@hD_e?Fq^Wl)m;)oQQ!x#kW92B`42Mss4l&Q6Q-vO8gY|Pk4;dx-I7( z>X6H*;%r~M#9=CH1TG^`5PgBoBS-n zw=%MVmN^UbS*LIHwl$N!%B*bW)Bj7BD>!@)>b2w^i^eo-Yu>(gACZ0jahGgkE;l5#XBo3cbbx*j9Mnd*lt?vc; 
zTxA={mfr#^tI>dYFv^ew=C1|9EJ#7bfY=rc@tFEy*M z|MGeXvO?+X>igR(f2-w|%k4_?6Pz@L*{27zVtKH?;F`3P%)M7+4Jf9@8|7GvTszAs zbY`L+Bq8!z^O^x{N?a7~juBp0XG+B60Wc$_NKO!L(yMoTdc8)Lb*SI&#G{v7>p&vS zC1bM?q!^GHwV)Czh5Ct?Eg5Q2nZ4wcW)k7`)}Ssr@fBPRzBc4`K}Ote={@|0{kg^^ z?=^51LsK;m0$%TpV&@U0{D&?zm>||QZgotldr&Nb1OlS7Oeq!}uU;0Zs`?vRlhO_wvSoLJFA?!qzyjY4EE!7{<;X`QI zqe(AT`mIK0wj}#&E#>N%(qvCGO;_zv|E*LaKpr9;42VpiX})jf_hdt(gFm)u8X;jS ztH`9(kod9BC-DNu0u&!!e#iN~1kR686mzMvY)bBz25Bd-i5i?You zt2&cc%z)f$1m;+Aj-rh(+$?*-Kmq!^GMXehWZx^C!N7iTLF00>)w7ororh;1V9YDC zdDZhsJ7CdFOTNQ|l4CH|n}wsCYsq9~9c;J8`3r29ant`Y=P*3;tYZz=Ml`_GL2jKZI3_%pOW3*gUe{8?eI>@Z;T9d;bSU~8ZJM4dgUPm|kkL|)P76&rK` zy#3M#huUl_i?{hT*UHVeN?|&2jM;EG=Gx3(74un0bAD8Q6q}sKahIVZ2N7-X(3MCI zC+4z}Ap$veqx7u_Kf?vHt%w$Zbbj2xjh!90KA4 zP)7hsK(@ai{9fH3g7rhb9stsp5&s!R{s6P5IUv&*QK4Kl0*_{4wU>Ph7wAI#=0=;tlLC@YvY8ZCWKyjJ^W997`|1QJEcDojwZPJX@#ED(JL?#hv8?msjYV zt4F7;)H;ncv@7tukWXZh*S5q?CwUK4>G_d$Ao&Vh4}9&ILi0jnue_NmN+plu*0n>^ zoxxF{U8x<2~GSUyJu7FGuBPGG4V~n4H_=7$(yah2INH%OMP!&SUgj;aJ zFOW4@YTZ;*yuL=AuJG3B@Da~~BKjyy9erR|?}M0^&7sukFQ8604fb#iDQmq0@iX`% z;Z11ehh*PDi=?b%rVg9?2UGk6hEdFD000OIdL9|ML8Lt_n^0D@y0uKsfx~J`I;(nY zSdK%E>}4hKmCepz1<1%#v1d-0M5ejSe2+G zA-S)O5I#qD>Il2}bG;a9;Wn{#eDGlv-)B^@p1qDl8;+5Y2(I8rmj+HQKABTXpy0Q3 zhMHUD@+B>nG+{IF7C=eq!02+T)F^Y#jH0Q}qy-o2;Aj&J$39b=LQ2B64MQxsfV_1^ zUbn~D^Wo#%lC2(IhVUKc7{ckW90`4{@~fPmh>+@`I7v6)SiZ6ZXf*~{Y2D(NN& z;}0^!fh=+Y64K0lSql`|DhY|>P1Cn>+VX{Kl|m1GKGp2Akei}`DRIV$Yug}zQHjpS z=E0UD+Apf9Zza!a1j(sZLhAyZw z)qP$q_EUw9#snStrv4t_;o^I3<1u_VmIbZr6EwA!aBs0^TW}EjNna*z$T#Q^jaP0K zxr+q-ybEu5v%#Jq?>ajk2pC^Zn`n}0RGUzNk+1d%IdI%tNEx#+G>NC@Pq|sjn1Vi= zEEElth9&g*Y+y^~@)z=3P7w#YP|OCsRTVL*n_}Qq_ZXKw_UwbMBUMBQnWMoz)3)f~ z=?K2vl+sXCn2i@q;dO585Wx6wX6ddjgY8db`-FD)H3(vlYzWOPxYuIU zH%any&E`gFDl3f#ix#&>y6COvOaxpN$D6@5N6Dhcg*5Y8gd?EOaVhsHXF1}fslYdHu?+f>9$$;VKT|qhV z(XCkp=wok6xDWM;$$jmuP?aBMxO?;iHUGOrq)<(~12We4k!);wDg|xXow9I=iqQK_ zs8fB(S%rk@RFT4UogxLHQhv?`ZW}Hv81fhrX;H2>}Zb*JMi-_=4l5VVuwb zcT0xgX}|v$cBhf_zGB)^77->;6s3PJm~QK;JLBtYd~?R 
z8d-}%k9jzkmidWYMKXbE3u&{|J5SiHZyAA4@yGuIZ3*^+dR~(wBzvA>DEd0v6eqM(N}o@^nj8A__Ci?CGlIwF-gLh<4>NflkE&^{Rxf z#>m1prR})9FNt}R*7ul{KF$|*vkZ4>!?v3j0|&q8*~H+0eCdm^7DfCZE7-!Kx$hLH zIq;ZC$fdAXCRV9Qf-VM5dbry9X-qWu4T$$PbIcs+$QIC1ly8RGjeDG)5En?FlTk%y z$Ec?uwY6i|Mk9OCCN~RS`b>BF)Y!OwmMK9$EJ{9H$Ve zhc)&ymAlZaDWG#T)3-cG>ROtX?A2Q7Akc@))FRFkBnsu-6)=nqls-poQPtYOku9oz<~aR;1Uvl)O4h3G0!W|p?B)yD#DI_MWVbU zcr(Q9sZnrpjAJy-?KMM-li6nUS2e(#2nj zL)&(ue_BYTz$n-+F8a!IpL;-MGPLi53RELZhiP7G>;HT}X@hVQmQdYf zr^W^j%yhv6smXgLSJ##GCy?N{)p52^J+@XD>m67Q6dku>W?5r}77N86cv?Q^Zv!@U zGzG^gH}QQsvWBHVaO7_hiA0z;&h&p5N$6O~oNc-c+k)~*PJ@Lb5od!r!$XwgZI~2} z^^tE)EBwg=LAM?>PCj3E{wP(gx zQH^*f@$M$0z}#0hI<8Y)C^2|-2F8KywgKnWXe^w%5#xMDhq@#FUY(tR(tSS`RH!3R zmY%5roYDIGu@s07faD8(*1?6406F;_&nl`Ts{jf&U_&T!(F8`CmY+Ya5R4P*wqNiK zY&auBn*?K&%>`#yYLTqxsGeE#t$15I*ti1D>g;9r9Pt6jEF^beo(G93sPQ#*20oRv$*T!N zuD&ii#7r0+{k}Fi#NM2?T0-VTccxP0t`?aiyzVYyxy~DR^0FY32A-`!Oi0Zi_bt!w2X>*KC!L$-$aP8;Wt z2%!*QjKsvpmn&+m0C+y5L@xF@27RVPxt&V_auW6?o7JI5@tl!RalcqCr<7w>$26*4 z4}|8as9bcTM#!KOj>y>Y|A-%t`8$QL7#0f_r%Z;Km99>);y1xlP#(p}VbMo%_rbHv zN!xl@ua+AwHhUiGt0EW#Hf1Ne zfshUaI#f=@nlqM2Y2aszrBd(99xzCRNJwz*BhDg40`R9%|6+9orI)9_gJc9%NG>HL zP7U9pUH-%|21kao|3fw}$%@u`03nEPl&_Ad#Fey~JCtFFol1gDbZqd&qTcZ8HwE#C zp0+}?CXM6<`*s4XLNRa;V91DHd^J!Df{`N0=dC7kwc%c|!#1|y6xAWjq;d{eEv$Df z;U_nu5+4oMH2J-$mr%w~OGv0yQP%Y{jc-rvwRlDV8?A3b1O)S;q@eSX(c?P&5Aw>R?Vm9A+=W_UsNXB0P9P{Offs!!u>*F$& zRk_6#1a+CB?FR{_8rD_pUD^1#HfLqROAR$t6}#Vngh=v(nq5KdZxixhinNU(=%w55 z{K4-K}Gcj;;V3&bQQ0=-j-6;c^cuR@sW83`1 z!V!09`&npwZ%eYC?k+J(d?B_b`0C+97&au2@@c9M(`{+5$GeBpJ;F+Zfo0;_gS~xn zl-B;lWFVi6g{^{QoDq%Q_J%f-9pW03kn(EvOQMFf>OL$1~21oI;BGm6wU z*`nGMWkcflwR~zZ==X-!Z=5>@|HJCP5d*Pl(kBlb9V$8{N@3!w_fE%80><13Pe(bR z@X>=-ce5+?BYXx+$EhOo6+pU+s#;$^iSkf_jEr!$E6MzO91d`eFcC!hg`}%MfV`YW3tA8k19%)X9M z3o#2kIt{Q_OcrvoZKV-&r3P=wFJKII@P*JkuxbQ$d!#?GC`u&Wy6&pLRv6ybLQKqf z^x{G`$nG{b{xuVa&9izZm>b@?p`YcG@R1Hkp7dCL$3XTo(UTb zKzvy6q=@gzqI*wKh{DW|Dh(hYAHej$2=-M~DN=gj6AQ#^Nh#771*E$D)Q|h6c}Z)e 
z^nef<7z&qAg|3;7`2Y%T(B`D^vTSTc6gISz?p2RW#`0b;EQ$ap1Lq0#5j6`3(9z3g zD0l}w?VF=H2kUeZn64M;kiOgouI6ehqXksZ07?wiJwXr6>v9+vVPb`hB1Evfbb^--`Mkp-qZzTxA@V*qP~q{S$Cxgs zfu0-_Muh=KUNJ8ndE)&Eoc9PqJAFKhIK5gPht3J4L`+mQ*RK#Pow;l%1^nxlo5?@lruA z9rRKxo-y91Xuc0Nz7sA=QBn{Wqv$bMT&v_r5f%`5B-C&v9i0lz>m@5Hdtl^-{F!cy617x44-?i~vpGn=1_ggy&>RgzhgHM$CWH}p1>p+6ZH zFn!rT+cWVUF)6En@O}u|XMmav6B?hd3DEvT!jrL<^cgf=Moy0KJ)zlTUi@f1G3k0k zWhRp6M?(Y`$T@n?GWQce&(zqvmL2b00`LP>!k_QQiwNoamb$DSKnrh9N7*`r=Kts< z31Hl#dowdf>MbBggSN>{S82MS@rB4ue=VxiX9{b)dE0i{OqBfKFh6zXAR0MJD?e4q zKvmfSi}ys$9!;P_{l?XcqD7y{W(O|b%XGcN_zZlfphyP7dhgPfm!Z_&73cDW2k(nB za?puZli6wFa0I?7z#2_k4w8~D*yW$kTvg0Go;j*TzEGGW@a3pCzAjlvDo1@%*HyEL zdlbly7V ziD^F`;RI;m?a5KsWyS@Xs%dMx_l8iYd+O9SkXV`I0v{fgU>m!p@pb4;*EV*S!12T- z*=pS-nOm*9-MPA<@Ehk=>u#&AuNe;uMmI2YYwB**Twgh`3eeW^#QO8RvL0<4_A<)cK})_dfTx&+93jb*v->7yg&)O(F!khsP8yQLUFmnz>S)PV)pPQA5Z~lM?_IbNi+{64MeO*86~3kL0|L8 zY#=~-59xj2*gb--zIJ*(h{7(!z(1^9u|uElMf; zw2(fh&^KtV`H(#9IRq$0*vD^kUqC8OJpB0w6t@MRU7`G7FGW)^Mi}h~?Dgh)0SO*p zs{ymLkP)xYiuU6&6(fcJvS1H)*QgUP5;iz4;8b6j*x|N#fR3<7V-Ye^sARW15TjHE z3l5o^R|M55{k>CJ!YMBREKpOLSX#mRj3@5s!5s;3M;SivG~S%i#=9KgJLMPZdu5tZ zuX%6k@h+8dTYtQP^xlc*_P#mgowLF_88}Xciz_z^EZ@t(u^L&Z@<8@(SHOD!cKBnD zKT7aPGA($xL<~#ETfwoFc)4Vik9pyeKO77ghqQ9aOowc=d&0*9HY;-F(CC$C?+lQ> zfo4FL?pbof#2Df zaL-Yq_cd7l+2)@#{BwwZPI>P!cZ12vxG)yq_bAYEWAOb)sAnp9rU37xbKWa(D@0*^ zm2hhz#Et+v7=DT9m!N(*=N*UxcR%laK@L0%%rW7tXjJmJCwJT@J)hac@#VROxG?5-gt{eiDLBz2l_AA5k;b^KV% zfX_>!S}jkPf_b_aK1aQuGaP>W!mZ=jX-#u{48!PS4@@10is$FY694Wu0oy(WaBS=NJWXDUk#<;}8ADf0gUM~}oVE?P*xG@4XOe6j zj24mSMtXxdI-}-Fc9>8dHW5&4gNW${5h{bartuaSCq?#A`A2gvbZIWt$%w>hM=mQ1t;6-Z;18ivZZ2d`Pd zYi!y{K^s0_mOb_*APWF&5@vl?)MSHeM%~LM5vZk1pwFgQ7SLp4eHOcxX}Syo7qiLu z8ZE2K#E>>wVjxwQH8mQWHpAg&c9{!pC10miwHcT;?`n2gqE^gagB~vC-^V7lK4v={ z8V&Ptoh7`3f%HEXVxfPn0z9R&!V2DWi70rkn=zNO&m8nx83m#s&}?s`L2(o6cJ>*P z!YeFchHHm#h;&(aSeZb60a*o+lzbPqkgB3l5)=AyQGR1F@{<8d*teljwg%dd2GP0i z!vU&TF|>fPH{!lfiBNtc`UMfxA}GGI^nFvHC5wa064?P5zPlLV@-xMz`mJU1n^CJ; 
zfi=tb7RMgQtK`$;6__x{wMe)ybYgf&J}?=FwE#}8YRJ_Nxk@7QG{uH-u(eu>BbyhcMy0io?R)W?g6f+poH)yz zZ^$1hBR?3lz8Sx}WOqdUWSH^oxjo)IZf?D5=-;&uLK0h1O zz8$~E{7fNzKYmYE;VS$MrV3Z#Dr`-pv?^lwhWw6nE!fNUndlB@U3LLBic_FQwek+8 zP>qDEK6=6ws$)o7i?OdF`%1L0yh>?f35~;!)#?sgNM%yRoB%$mR`xUp3*e*9s&-a| zYGsuM0Gux2*jt93#dy^p`}e+(qE>H_Ss#L4aT9N&U>XVRATUi7)k2C=+C4I&BV1unrL2kadPu?) zGxtc77W(ON&_ta*UZjw5}2kj=dm)80{(N1Cwu=347js%qcB7%^vzZgK+z>sUz zp!Ms5C8$-ocH@p#h!yP^>;YW9d;Z7@d%~E$svynKL~2#4v{6uB1*?#;L8Og5^fglg ztGk4-i6o1}u#f-{p0L%9omO~!CYyp@7ZoLG2|xWPVraulL~EqS3T4nyi8QTci4=Xr zq$gBO0K*luc9E3!5*rugGC_2iJZg;$cBI!8A+s|X+RHN@+DmL)V=sww1sA^|yg_4X z$T(UEsvYTeBo-)6;Q<|)qHr&}m8OxlK_Ja~Oi^eobiFo8^l_xt1oZ8sMm9g!Nl{ZM zYo#MBm97)CroflIdTJ#!a)yLfFIsA>v1Jv~P;j3#>7&mhBnb}N^f_q^e7z*2%H>9Y zrYpoeNkkAUq3H3^Jph1&M#{}J=vAYQN=P?ZP}-7ZjvEEClO!P0GM44ac5tJ-8Nxo% zV#bwH*h)v*3C|sKr(hfFAiIS?(-PvAQg;ewW2xK?jo8qjpBkCC__>2~y)>pRGe|>Q zCJT0k1dTYA{h|P>i3@2nQPBnlX(+h{9hzy|P*U27OL4B7sv0UyJK<0)bg6Wc0*$Hd z3wZtHwiD08Sg}jknPs$sR|FWLh0>%stGYCZnu0$@`ys#?50w*;+UbP4i6twxz{6*A zhQ9DTjP^8CwL|Nq?c)}VSlYobEv*$|e~wW-yYy!ZEtMLLg}njWQdk<{xK}y=Dq2Fv zo>FQIg>GR>IcZR{N2QP1x_oS6!{@8n=Oen02|&u03AO-ex@y%mfHA z%ZvbmfE=*AiM=e}!>bd&>)Tr<;W^ZP_Z)*2Rq%NBVD(N+tCGj>WBCaJ^qU#${l*uv z1&#zFIqNV5ASi110v*rXj=7z#>noqPb4q?`84Ly7zXbwC4meXnK$&?v77bLnqeaWN?`FC3m-;d->NIA8baPETFCdnJt!_{+45%0PD1C9p<78xWq8AqEjfLbL4% zVf#AK9>-Wy>R^w1EOio@+fdh()$E%}bjfHSR6I|9roijFX)D!r5wnskJ<7doLwYTB zP3$R+Y|5@F8%3oqj(bn;?*C#d)G-UZ0nP?L8!SpW-XeZ6tNGjEDgLF>OUy_@Hn4*h z+c+VsTiE|7O|+;!TikN0@p{|_QQ&L>EA}WfWe!T&P-WsJvwf{|7qWCO+lG$4*QK1D zYaiaT-qun*gPm!O+|tfV$2F@=*8tm?86!*#B(^Ja87cQKdLVQcL44Ds>5|Y3;ITbs zJrh64GU?Hvgr$Ut`*LlVQEXuUYOG*TaP&Gow5)kX2loSbpn}|cv|&Dw@-oO}Yf}Y* z183<)mq1j&`U=J)-Yje`(R$bg*?&(IFyriWx;b?Q)ei-VkOo+AAF3 zC%nR{jyoCc!dgj-E-WYX3KIogAYe!=B_dQ8BG-Iz@hDBy%6GGJlPFG{Q&8xYG3M&y z3W}LSzD%73woe5Laeg<2efCB1HGZ#b5P!oX-N*PhRg_CDS{&YE6aEOVmvl z{OuKOoI<}dYxdGKBG_U{O<5+}F(uIK3&c$sRReXE3$4+|V@ zqRYzs3E7=&a4t4K-~JUd9>$_4>YiRaQzK0B+0zbnfy*pGhOya%yn(Ud_Q^8^TCCaD 
z4xn=pHkaBI;DQnh41o`0RY*O$&?dYfa9OouGkej8lyGj*Xhv%8hYxMgQO`r{G6}677>i4NT73MVGsuIB-25ox_*vj?A?^$mIh%aFM2TBAz*Sw18;8YngC_Q z6Us#%*i#+0Z9-rTmdtpIjEyfUEjW3{sihh@)(Cr(+3Rt~m`PrDb{JE+?iOq2KnIAYU-*;+QsJq3+%O;61Dss9IVmwT zs9YCH`xEFpG2i3GNE(91?xG`eg%%ARf4#L+n=gR4$4WBfZOO|3FJRGElUEF;8oAj` z&MoMD$?SP%+^A;SMQ72MuwchFE2_B5G%iTfHEd79Xq<2e3lsO{P&RgG`iC5+oW55z z!{6N4z-36t%Y=-#1{NMsnE}^14$;Ia03euI>RJI(H-%?&a%Ekqk^oI7K{Oe32;PB) zOf~E;X9$Y$I$6@u)U9>w%(d3IU*D&|TGte3xRRBfxft(|yaW?wYxah|W9JUYR@({Z z6Btr|R8>{F)F!Tjv26=Bi+n@pjL>7!d~Ui7%Wn z8rGmMQu8`v7O{*>9bUc)*J~TySru}XE~*ef0epH@vyo#xG09MjU?chMm|G*Zr+FYp zI_v6s@-1{G*Ay_>H8jZ#V9FcVVhIr<6Exv=O|4o#(3FZ96ZgTS4zkZ1;)pdGrDh&f zxiZ@?fUQPvp9_`)2^NYA%X()l;8tc#>w57|m4x_EZ&@$=jXZMmOL_cLA0+wZ<5@f|A8 zBi+GfP>X*kUhYn-3)t`m&Vw__afBRsB{rU5rlq0CY&Fag3utm(NvsPJ<*$J5M7^x! zKO}~^n3%AMKEjZEh;yMaR^{-;fA~YcHBu8h!WS&1znDp#WjO^w+2Gz)P(4I8M=&EH zySVVk3x&^={P{M2Dm<^5teP>c#Ygsmxv*gL-e4FrQMiVb7X0V!RmF|i(vMNMSe9jy zR7a6@8t~FgYq!0F+fY2HWmWD@43E*Qfq56`In;4N-RFK%HQN#V zjp5*k6M9SSux^hqLb&ej`xinCu=fh#gn;AX-ZrkbSqBol{Jo84=_67!H~b?d=MnpE zz#qh57}pB!358YB2&;kB`UVP?JI`v96-V;1%1xJnkJvKUmf(ZRx zMS_Q?fLOZXNpHqfjk)=$c3=THLYb@VlGezqEsQi?haF6F#azJS$c8Q*KrboU7t>NL zO;9ZL1o+JaHKBkDJhlq6KW^+_3$pbQxRFvec&v5nvM(E7Lmq~8h^p9#8PtRp;>Gxe&zK%)nBM>Z~tu&vN{_Xpe|1 zjE9nTu&5JT*tVmAXM%ju#aS>}>kK&f;Gr|YTXae`9BrMQAMfao)5id6{7)BMTNAIh zu!;WRZK$UP{I+Vztd`Mv4S-x`%)tF19H6~!PKU^cNLjuv0EKqOcXm-{1teCm!SoTe z1S@X?nKMujRDmx;Vh1uLgR39(B9?FE5$;3g-A={fcA!rQ2>k;^N_ner|3_XMO?it_ zLPO;srp8GL8<5D`A~#3j0^VBNPN|M?!0FyN_Q4zrv!!x3yU!zap&}6P6lQ{C zD-U@~Q+atc+Jsc=dcl^z_CUFotwV$f+?wL&7y6p7cP1cw-MP_1u1U!3c+A@n4yUD_xt|LmLC;_ zY|KQrZ^s?e1IYv012>kkQMYWg&ojYv=^gP)E7weNOdp(Z1MZhovOrGz!`{4KTh;z7 zD*G=<+`-KBA(yzeXeVu~(92qufd@v=ODTG4M8+W-^hHaJ$j*2tmuBbO63q7HnUyl! 
zxA8LDAj%VHod_B>T7XVg2uj07WpIuM&7Er#n1}o3R~CRb2dJIG`R;;--5^0d-`yCi zBkNm0uq?~FC36|F--Y?Oqi?jbloc%BwWFPqKyy3CFUd9Maupy2KIZ&@tM;lYd;Mq96pfPDm{GKz}U}) zVLyyG6itc0tlFD0)NQrAOUCwgz-E1=7L?hw-c7(Uqvj#&y5<~AT+nZyR- zMS#eBa?6jRZ@hRBTTf)ZBIg6uUdq&bMVnL=XU5{<2N}#*4oG5AB1?q9_oQ&p$V@35 zq|fu5`6pwp`GEt>h*(K2h`z9|y5~6aSn-2I4`pnA3-g8pRQa5|j$_VjcILF}4{qly zOp;vGVI{fM_$g%7z9Vy6liQisIOnyv_kqOGU#G6#qvE^zY6eO z3D+}gnVc0lT)nemhbyO#TKS%nM1q&^fs~`Z;1l|&;=5K!=<_^5ujND?wI5eL4n zc#-p#G+1E%r_7fUJ|dx84-|bLBudmky^HriQt$J)dl$?Dz5N@&k}5cl%KJp; zMWHrxTedFQvJSGneG@~2W{)q88Y)9u&Z^ron%b77&}K#sGvfv=3$Mb+KcTpu`V^LX zPTcN!QO7oH%ZrCi(DBVe0Q7od=GilscW)i@{AK?wQm*~sj|Us!@@(Rq0(Nyi8XzMv z7hf4vG1=dP^J;cw;M!w954|gqE0b#kSI612vVt;+LiWEY?sxN{Q-E%bE(l%Wo|zb6 z*|UW#`+vaMGX^{RbDg;?$TJ%ORHFV5sAT#B% zVC=D6lg9Q?Hz4@2B)HB^1rc(Wmm-1fTS)3CVY@CM%R$A%U?0Hepwo{Zvh%P5|KP$P z4cPBWKDhsJg@_xM3DW6FlX` z3+s5Njt^pey{fNrHkILrR92soLJCtsaYHtl8`N*m<2I(&JBN7O8^L;KnVF5*dUtc*Dl{&8mMq|jYt;O}&@@Mtem{e;-?uVfC z4X}v2@@$?}FfZGqJo`Bq*|K(OKa^!wvqK0VTmB@nKdMcvImFLEPGF-6EaQTg`BJf; z#hv|}5B5(YAf=12ze5bS|3jE9JD2?h0L7eOuEx(KV1>UB{ZVNDwll_lJYirN^M0#% z|C|c;Z=o`4cv1IzN}zbT0QUOa|AK-#`{O+L%lBVx*-se-4gyjl2|PnXo~zJ)EVBJs zP%=zH zxbO|ist&7IHsWw}5i(`hs4+YC6L+)dlVg#fQSjKLyZIE71VoE;^T<6Dl8_EyGDMGj zd<&ooCfjt$sK>GL1_c9f@B$ZHa%z78*-$nxSp(HH%2+SpbnuR1z-LGioQ^h5kToyx z*_=0Ley+ zc%3p|e2iPJ<=)#FHOHH>Ov9kbE5W!Ow96mm`XsZU5&-7iO>l%&e2v3cwd%k-@oKy@gO)rJtmo?EzQY052HP!_%CqLU_E+2VXIP z-Z6)S-h-r*gz3IV9cUT%b+WlZk(^q|h_}cqsF6VG8ASBwhBrzJQfVsHmruW;Cd_g# zCJhMYn+tRoke12lBw8+Y*B&7qBZB54fu{fBw35vyOB7>R*;1o7A|;W>cGnI!>4jD70m`nk6_9gDJK6;QT#!!mB#qW`vU*2U8z> za3lctLlGRq(HE(N8t+FELe-s=}fo4X)RWH^iheZyP96mXuvVRW?3to|_sF5Lf z;FBJS1i=!YZ16x)n?fTc=-3EFpd^D9rJDM6u5!Z7T7VC+tYb4egeA~9o!L{~iKRrk zoeOCcgmdb0w4D$Ki&&7~K=ry!B~J>t5Ww$T2vVaU+-q)eyec7ZlBh6+*@LM0N5gkx z^;)b%@<{!q_6VE3KbgW6pRNI9Bno1~zeMYhycC{?M~G4*TqMTr;G$ln>rT^x5^RLQ z?dD|ee-m{yX7IB)d^C_@b#j&}KVzu(Q8E$L^|}zzx^M>{={eqt%*Q)Nb65%VnOP*0 zuIs17bsb3aG<JQkM>8C!n*e5|*sRH1vm9>oKzAh1J0*7Vbz3U2sr_J>m#`3jk&i`K;N^*KYcM! 
z1xFt9RU6!Tdq8k|+i*ZZQ@|A(a~zPaP!`7l>N;Su;5w*tfd;|#sq(R_+n@p;GjxR* z_!y+qmW%MVY_zzw<)a7uD(WrPki`5-$y0bpQgRh*Nn)-7L(&l~=nSpwInBdrpHi#m zOq*v<9SG9S@rbFBy|o+_TP$U6NZlLagNKze3Cz z^!;S`voT$=Ay(VDttV2Q)Y;lq+1g#%+8Nn?;jy*jvi$|h`xh{n_u1ih)CJ-D95oxN)YdF$W zS)hj;X&SsLX;v6zDy7h+VF^sP1aP^O(;*~*oeUG04%+!N$r}kVD01;>p-0$qxXz&V z?GfUf3Qq}(9FF>gNQY2H=hd&NVWFN|pg^jzP2(1=;9?f3Rg4VrFoIh(g$5YlVIHYf z@=Om2m?D-r1sbSZ$oQH7s1m?&32Z0@I8!*%X`G*!Om;%~#^=b^7=ZkRv!G%%#L@Dq zpvKCrFZ9J_F#O6}P%A;madQ@XXJU1lp-xNOI}%B&WzcFK^o|Df8RgbhEx70%XLJq_ zW&p#eG~Mx~0Ok7us<$G@BiNTpDrOikMxc5VU@L(35%5mwz>;{U^sra&lohOvcd8OA zgwuvJ69;ErwJ7G4V$ETC*zbe@r?s>jSU1H+><-X{Iua)3Oq+b3r8$&j-~A zFg!O@#-3MbPo8Hvn&`C&dM!$?!H^pwN2uYha`A7Od6y_oa??iD3^^t{?E_G5fw=&* zk2!LL`Uk9kFn!n9m^TaOoH+(_V{<>|_@dO#&^gRGJagNtt3$h~hb>onc?xAh^B6OV|9mM(|8znSWLhmin4y3t3VpE!tVtmK6Zmo!fSL;M7W zVX8;~000mJ%riwI_YUBSPQ6$@_UEmGx*W3w)LDa^TplRw;e;C8^DX#2;wDn@!DD+r zHzX3=(P*+FB_#ssf-Sm=tp&EyvV&}n#JeaQ)su`rb3NoOz~RtN#wxDMZb`paSP>gz zNQRmHfYE`J$lDP^#}v~ADy(@Z=8Cb+XVlg56%k#6xLYNU+FkXMl}$8& z645jza5sxg!M48;ZTbIMsFDLX@Ots7QICCQ8zmz+1GO{uuQLJk8Y9*UH!^$Nu#~>n z{y{UVMs`s@)*c_+e1g|7O%L|ir198Rd`170divFJ-V(o9~Gol75Y4g6?e(o0*K zL{t-z_+w~@YfijlA@i&$iaOJ569Ei*Ir4kHFEv&@hWHrbYyAMtAJ6&rO(Q#F@vQhi zmeCja>ey31w8KS--lTF2&EoA7Bf03unn1M%r|r} zl0Mb{kbl!6ChT@nq^<5$3Rd`YpT!^SrpR%tmC>KclYL$&u{PW&Wh6ytJU&jlW6(uE zl{Z|&6%=?E+e95qBX9lNYa3Ko;!>+fE{xG1V%s~zsG-FyO_J0lvGO0AI@y}Y16o5+!@XEx*L%KOc zzj}T0%fPLflV$26D390#L%x+lHT>x`w4|h_*b5ioxymZ)YF4<(tUV>NhQag517X*9 zOr42ivfR|`8XX=xsvAj$YL#@bkHF~!i>aI(nn=^^Kzy$;o!?kX3)iRt`JEP{MX695I^v5amZEV|P{<&c!np?#7a#o4q^q)#m z@bjbj2SCkjRJf@iC515)jO)K@fP>>rL?{o;j`0n;=CwvzlmD*{Kq**3E zgn6JBGUhmSjJt-@K%A|RZcrLBC}w)20(y=O+DL+=7vs-7_*2-kNp#aMFVGxKHIOf? 
zTYkTmBr9bDrl40@z8d?@^P7ilFRi%+wTkAeBICwGFxQs8z7jmYQDFuRcNT-4Mh%2% z>Cs0E8@nz|Rs9h5Ic7&y2DWOrVrryASUbj-Wj00*7wu?3Mj3_7I-`dm>>TXD8W`I* zF^!6Nl?J?wr7urK&R2&Kf6NO|&566lWS=aHR9X3@mkjtXk^{{z6_w~+J>u?OI?8%D z%)H|%(x;YS<05b1tB?e>9-iS0-i_r+{;j4gs&weo0FGiH*FXi_8eu}3rD3^&W7xzo zkeiF7)Pl;g7;ehTGyr3LP%!OZP%KugO-3C)BKK;thPalfDah$XJ_VXD8YvVzz#B2b zipqgNH;7)Mclu;ZvY(@PW+qp;Xp8Cup1_5CqWBG3LhbnmW^+|~R^U|MV-kaH1Eka~ zx9d%#Jrd-Eb~#5sdw11>QGgD0n2JQEjZ{}CeZ=vm)Tm_wX6^O^0!&;5P9C4gO1G#@}s=pq5~c1LRgXS@e|;d#BZZgVGIB;xm30qz|@s z;0Y}!Nc*jMGvb5;S4iH>@%$W{_9}?&1waw2q9HL{(|Q#NOQCZFB7-QS?n_dQ+7^_Z z<-g#AmT@(Y*CsYa+r-C7tN`;ssGC#qfFq)`*8_F$069R$zu$x-_7kmO!zGWH z`#f+_Qmr@v#F)=4D%Y!X0Cyhs0|ALrw(tOPB<5P++W7bTHu;y#qN`HbR?aD5a$fis z{}yl6HMF_lF23dq=&{M5AbNhOH*daW22ebm0A-|LwX(ASYqHB=Yiu2n(XwYnKPsfb zS_=B$zZ?2TStQguY={EhrjD?s%SkZ8Fk6a5uCTc_4)Y!mocDOiT{WG~4J5;|sY17e zI1R~~#Ipuejc0P8$ZB;jchUo;h(~(Krp^RH-&1T_b%M8AmFz-d5)A~m5ET-7%Tuhj zDy!;QESc8VF`mq<523PzprZv`4S0+qd1pFtU98WK+cuEWil%n94_^#lpKDF(y$hsLyB{Z#Vf{#uKMtvJa_fVryd=j(k;KK=2HMPd|*4q3>zQnci^@QD+dsuRS41tAI&2D{0KZ_}Fkq*ih>H z3OByD71=UYQ5OH|^F5YjBQr^5TqKA>OMu{JB#S*jcvY49=e4ZV&&q;AKJ9sTu888{ z*m~6%Fy~!_)pikZPGy6ti6Ar^Oul|?(kBq5`)agy0${#EgKLC)#Ii=<(n?IVyf0ssgm`_f0gAe84%lWFw&E zNu57@;sm1gf_4M(mdP{LCFNUP_!?g-(pkn(0azEw96$?K{rmBk!>RqYU>|_ZTR-O% z_C*Ox@Etdcy-{MD*h=-;~$u9 zr^5`DiP-pRf4eT|b;e#$y_1Jbt^(AJ7?E#fzF01vjEjD|sm^S$q+%Chc_shytt@=o zDCGFI`90qh~1a3e7B` zw_IMRXXT?w2>~SD0Lm?eMnDh{7Mg98W(1W~RuDnEeLT9=I~?m_V_~JENrhAv;q9Py|{8Z5xh6Wfj5rCxke&)1z#; zlgI{A4)|!DG0oO-;8E5bAhtot%K?i!Q86bP{f|1<84OqrK+4u}^hiyQ{PIL9vVM@V zVx};+R&&Q=HR}La4`k8zRlHd?qak1g;Z_=HT#(73jCrZ__!BJf)Sy`r$JbFgVFLQP z7}gqIbDAA}2J=y5!c=dy8fu|%Ei_0Awb4RfED7MIh3;sfbuARFg~C{BGUHXA0?&BR z?}s~=^2M4~WKEOOYUaQn0*9Uy@jzS_DQh#rG~60jNhX(^8kAVOJ>KnMS2Bmo(N9EaX__5z^57y;_eJNkVOO0NiMcB+c-YUS5vo+hRW>hWCu<|F{A3 zltr$Y>;DM^Q@dWnnzSS)Em8z4%t5Uu4A>Y|Y|fS^y55+gkS9>L@=^Z2U z1R8(M!LLE>A}FRTMK7VuOJJbrpTx{a)XbGS1ZaT0S|r*-Sm@yV>GKtEcFbohVxI3ato~MFC zBDQV%oiF;s{zwVC0^pHO?bQ&GJfHr<+#%UPf1ynIx_v&Yq 
z-=yK20%;*jUO}f+p7Rr|zgD;ZZgKyPII^EE@}!YGc{I2`uFHPBO$>UXC~4$zEfS?- z{|~|aa#1uMovTH0v?zCwrQ29~s2;8c>1b}2$!);UMJ(td1V}w!-|2Yi4B3G?xw5i| zX#d{_jRz)MZcb4nUqU?t_@Amsvr-8DO8nDBV?@t;uneVKMj(D4k8tb0EOX8X|HvPx%iWBguy#^cu9lt){oZ`I->X6vyHJ z;DfiVLH&r1cn&YQ56 z_!~|P5z*8NfK3iJ=WPiROmQ8aFG0j&nO_1sUJmE!ZGA*=jECx3gaolrupjWxW7saDpoygm5E{ z?nE)kC2-$w0s$LIUCxK^IErfVH_sPfOAds`o%{(!u+bl%OW`~8Ak8^k<2S*wCgDrw zCqTjhlySNT9_K{?m+uh#CQ5nJht$YZ*a9EjIUOM95o7@ak7N4@hVla`V6k_igQH{K z1JUKW7F0S9tfzn{b3R}|;h#>xNKWp9>T?p34qYz#PE(l^5QEOI&;UlN`VTXo3*;Vg zImv%|k~LxjHebOKR=|J*x!`nZUNWEi@=q=cqB>ymP-fr-O&o~Tdnl1saJss$uqbz$ zJ*e>(^57&J4`oC42oFV-t6Jpi5uEhrp#mUV|NI3w*v)ziVX&J-O9}E9rXIr^_}$_| zk{n1D_|ty?eg-Nmy`cr|v=lu(MMy`<@KI?RP(Ftc&w&euz(Zp}p|i+&o}b@2EfwHK z;P0RZmJsGW$bglo^xzuT!{c~5nA-T=*>|w=ACACFH9RkTxe`C8I#CefdhmyM12-M| z-UFw4aUya(!MB>i6P|nzjw6ZTbm&yC7hwcXz@}(ok+rR0S#zG$oVPaPmDtv4ow-a8 zS_8@kokCYExd*(6*IyjH53}x2N^XMT(`MQizr6|>UZ^Ur#4-zs-CE>=&Silm`0glp zE#&#$oVm<$F0($?0RGo!NgR}y_kxr2t<7eA9^;tJX!>TA7IO$&xN|0x-ZzIC=Eaca zOW0hdf-O|Wm2|v`j6OjbUJQGDiDqnR<(y9_?5eQ5$pd~D6yFSU-dAURLFs@g+)vM& zK?{tb$@}bN8;z_m&>V2l|6sftwA`-?!{Cg@eYreV7>zR;7e7bA8Y99SL(MwnILpwQ zWx$waxXnpMSYrsv&MEV4gREqqtQROE7w?SnPA%(|gr_5PPp7XQEp)Ag&b812TIkqP z1Sox|=TNRV`5+ZfMbj*3*h#%SDuE#iJCDNhDNQLNZ4li?kCNLXc07_O`U{F73Okp= za;iW>+?;XexD*fXFx_zZrpX0>OG$35enkx9OxF^B>b&OyjMP)_xLQ|LN6 z2ev%`_4f>Q7@~i8RI}pJ@u{;TDk^azeX5C9$$1AkS#BMl^4wVre#w>|OM%uwo^mQp z2NAeI&27LtIC+R64^J5Bc!#~MMfiP>pK+kvYRf-F&Pj6Z9B~hg`>WvXUqkzJL$u!x z^HWZO9gi{NB3gLW9{?!1k7N7;p8Zy&?3m1p{YBzd>(fv}+(xfYZxo0qClgzX^hOB| z1<-~7be!YfnR5_(vs)LI5rU7XV}(X%iVKZd1UQpjkR!W*F1tX=AfL-h)3VaD?5oAK#OboJ zL7NCVWwH7IY8`pvCzVfv~n~5#b1E?>Gzi3S=ndfDDI{_rg zEzbn6jYhrj&MoZ_f(g;auRY&shl&7c8Cve77cIl=Es@6c(6mTQ){SL*ulC+6JkML9 zZy>sgM?ay4X~q3>$GOg=e9}ny*s;(?uXuf&4oGfmbg@ zskvMyK2Ff(x?6yXW*a4REwS_(1vn|jo1J^#9FQsr(E+8iV!s1<33tYIAuVemI z^{zYyb!Yx)t}iaSFz0-Qq=V(T7X%lO7VnBeW4Ml;gu(@aPT%J+?#aSEX?Tk>_u_Oh zhj>@z0Nz57Y7Mgw6x2v1bO#;}gF1^Rm2}+93huS1*)~Au+@NlJ(6X$5qLErAfx4NA 
zP&WtAI4P)^o*9CyLucXXVq4rmG_o##xPczR|Gnj1qG>>w768B`L|;EDj0wvA(L+ed2Ks)1}2e@3qtrkLLPUd69&?nB%Ybc?(<~s)S1gi}SFe zmx%aV-)lJYw>fXt*23)xjg*?ZH+z5AVbd;;WdV+LIY1=WI3Z@-b zU&|eLnt2?W$HDD*?oE!Jgu^C0vtu1-6nC7bz)rFR!L8LM+(9q1ouf+uX|}txlEEFs zCjAL8ub|3zh}aBgv=i15z%Ilk&;fUgLj`wS7w5sI?0C)H@z3peM;POdksR*W?#V+w z>IzoZEZ8+G=Vhc*P_#mdW*pFzS*U2oN?d5DFMfF4k!~c&i}0jW;y6*=+&b_8sJuu@ z<w)wEu))r8r=vx}K;{2EN9?$rLw?8NW&Ea*c?)^SFg4=Dizkp$d1*yeGxW9=9+|l3)X~3j*Z6I4p=A7`Ct=6nD(GxZ}GxZIC$( zDJd3JHJ3NPZ3-{Ddj#>VO_3+F3eM^TgGvI!8uRQTnFXN(@EFx!8{!# z^`a$9)|g=c&SYj%FI8r;IM;B_H8aD|{24u@j129Vuj&necYNf9dx*d_b39ON5DxOd%U)c09d;{n?G!^EB zN9K_#5;`Om#W#MesMzuJY{z0xJBHzB$7x|>JAPqdGR2O=5`eH{7nqYkJc$?!hju(R z-SLedJ0`2M0f1SJuG(|y|()qQKu;#SXBRkTp zp=d5H01d?0C$qNnaXOF?E>UMqGl^v&KigX2a_a(H%&~9%#BGqbNr`s$eCZHJ4{Se- zZv&A;_p|jpUFu|mZ&2FA)BY6!oINvKu4|CcOZOFZc5QBYTuOR~_XNukhl9jgBV@K7 zi?haRTQXB{xvUQS+Zgq3*v3cAM6nu>+J|8qflmb@8#eEijD2f#c~NoXR14KMkf=2# zuv-n1yRw|#m1Zz2$ZL#)1}L8lLlOgS1XK>M*hXeA#IrS4sIAowMqJY{#h?QGjH0SI zD5n;PxP;i;sOA<+`FnAxFFXaZV*5MHvBr;D!MO1f1bfNIGKh>E=%=z``&R`!)e~H% ze!{is#>Bdhqx>u?1~O?y*EPrV@Swp#<1UF1TPi1$c4{yJ$DWg^s)t|KrYwPT%Tu8w z8X&spygUx1&dARTy1I*i*}9WvI4<9;_2Z^d8V!(ko?vo7o6hKNq*ow^Hf-NTgAo>D zkPm^30&c3CRC&2uBr1Wu-kpNSIKFX>f83h@d(UcPta<;N;vhwKJ+)7~DdC$B?R)?G zrs2}QWAdxk@7?4oI32sDveyWB+?&_G-}K<1nvkSgRoB&t0HJooo~l8;nYreIu=aMs^Wd$s59|LlNm>7 z(bZx4VO}gU;x7Ne&YQMoEx$P)$!Ja_3g-GatH&@>fl&MB3Rv$fX^ZUTQaa1oo(Xw6 zbgvUEjKVh6xV4k^&8a9ih%(nICFXGPz|xS#2`ou_u5txv*7qMWqK`AhlICjAk6w(c%ssn zR}uX}q_AMMZS=z}_M=f3i32J9$=3F;@KOl30nq=j#Uc;)UEj*RNF*U(;wfeehtlU(A^E0Iw|*U4pi>bVz(t)v-U0 zYLheciuMrtK|1X*b)LsEKpohN7w7kmR6=q1TFMm;(LWk8;RrNSeD2?l9+p^`;09Vx ztO~%W09TCN7M>!kz=A}BNwC`8nJ&4b((mLX;(X?HXQy7EHEIR<3*1!y9a7EFjVfqe zBDXc$kM+@rLg2r?&#^ISAZ_=2hLUm-VRV#_YybLl+Vfh^3VRBbrZ_Y@*S5(&HRS1{ zvB!UMQR+Zt+!u}26j3{86B}x-k`GGr;1Ua|(tlh4Nj>9*J)K%i4q2MS)p_ z*F|dTm?BsiO|q`+e;hozCWy!fZGk{i9=vE3aslPedegOLKM96cl1bL7t$NG>nQux& zdQW5`KM|?s>uaSfPphe8LJKFh$j^KN`)Vvn#C1?yL>L!U;>AI 
z_WX6CQwanI76-A~aJb0x;oWnjfkEHGffx8-js=-meGM~R`7;FCfWQ5d6iaD@3AHQ6sI4qj?h#aJUCUq2$EJ6 zK_ttk=EpuzT^rcwDotx;G^R)7goAh^B!lDW?tSsYOoQX}D0h4iKO!l3jOMZzKFw}m zL`Ub02k|2%fyL6DZSkj>2IKTdp70PqN^0H`^9gx=lmxRDbaG_CLhO_3OqpoZ;H5OyLPA=)&cKEw3Xmja|i@E!|+bEFMGCxdC zZd5K{c`5}oHSN1gJj`%Qs2%9BYh6>K7Gc7IkvajTES#z#az(^rK-%o|K(|QOS>}QA zI&jU@2VXmL;Mw34O8EGiZMz)eOp#1y;H2*On$am2!XnLW8fYhykIOWrzOIM2HNZN08CLg?bMT19ZiNT?7Ge+Z|1Q&_Cud}z(;yr9^l z;h(beD?qg`Fd%ows?kN#&hYWAzBEy2{C>2{#9F@Zts5$bkec|6IzlSOH2~R8!a&C5T|Mf^iv`75`hkGBAz#M#zA9S&0NFX1s!WSId*|6dal zenZ7=$LR|w&jt%^<_aJ(mj4K{XO;Eftl<%1J=B(1S(np7_aNYS1JO0dT~_;eCt+uW z!@xV#%2F&~lE4#+bim-lpT*&chO%{o#t>8adT_*+Xa5l#HAa&%l!ND`OkTw3ed)2} zi;WuMa9i*Cg&9>)COnkFX#{T0bf@L{4&k@#_5B1Hio#oxnVxP=1vEzvA`_IMh1fKL zSje(MdlAvtAjANtZkr$6G-nIL|E6G!hwOG%B&Wud5%?6s4>M0$qFT2}0lR&vKNjI2+H_Ce(t4=P#xS29d%wFmh3`yQ~)Zg-y8+)-y? zg05?r>ckg|Vq$q=RG#zgusZgPOTSHL^L^ZP4qVK7C`|Oo)Tgeglpfd8#_dZlFFjE9 za_NVA)7zwO2^oo@I|-s}OWBoyK-rv^$d3I>Q?Le(RiAAq8pt1*^p5@zcO=Ky6sZ-_ zTG5DWvhkZ?Yx#)FtV2~-4!!uk?&(ut_wRee)>qE0kL#%giM*7msBSVlhdxGU1k}<1 zsuyuVJP;7#wRD%VYi~pD>@90izS;f0E4%ujnlRbODo`T*&sAs^e$ZG}SroNP34w{c zjV?f3D>;zuQRNC`2krv|1Rey=rt>`+9ger5c2PAMn6vrK4)Z@s7CCKrO33-`@}ASd zXI4Jvf%*T)Uuww(b$DC(}vFcUG{I@%^${b ze#kKSfmPO9vdu4}$y@$C=NI|K*mD-XCz1KHnm)7WFOj?z4#H#3y_IWzKZj(ju74Xm z=+=Yku$nQy0ZEFcy3C*FB(E^?nr^ZR{i8~P^Xqk(9}mZS{#%>;{y~@GWVCruCi5S% z{$}EDPJSlVZw`9SqR&)&P72RS;xoU(Kug$Be#uZ%-HEfSQ^ElVD$18#@SM)hLh|7@=uYSiB^$<_IF2QkKf_6=U z#{;3RYiZXtE>ttZtBR)gE#Q0f5ywNN=6jrx`h$!{;(4w}vaW7f*S0cLAV}`$jZ`3F zTFn`+Pg+pXY{VDTUO|TMXpyU#yt;sU2PyEv1y?AOub(+y?073256sQ*d0yNV>xJV{ zdZhQErs?S>&gZ@E*FE&%Yk)&2i!3xDV%pJoWtNv(B=C2R|w)6X@_CNFFhL9}51dNWY-u5i{P0*uR$d z;p8997eZr;sL13Z2yzjK_YaYR&0vdAEL|bYE}ABj82v&@Uns>F+Vh1%-;e>eD20qa zR6!1-BTrHID--#^n`_hBpDp=9eLusIiZQZ9FCt|GeDYD9pI!Vs_Hz>lx21&=#taHr9MY_XDHo77k zeUXg}Wur#fs8c>FdPE(Mi1vs}{*B%rPQ`A2SoTRSQu1bg`An`V%Ov%ntAudOP%awG zhCq3zYqA-jtMGYdm~{_>Oq64OBUv)hT9>{-$@vlgWEaW&2Yi`7PTu@x3T5|i{xfrO zQUK%wZu84IoIe1Y^OvENk!r|DWuJmpY-CeVorP|r`U)TC4CL^q0f>X%(P78NMYQEj 
zj~clu&pk#uZqz#ynH*hdxeV-}3pXhbwOZMpq;bz7^3i8Ie-a&X0y)wkYO;bIv&?F0 z0$|7r#LV)PgRCI3vCs_Js7*%7Fu$G|^DD`djq=C~*k<`cs1aTiNH=r-UV-|7(;7?c zpLpb?81jqxm&}omN=b!a&cEjoOvakuam6eXJ<3>(GE#y0nFx}RB*-luCNokzwcrU8 z7U;d8z(Y0fIsnmvazUC(1nGoCiLRLj{g-n2G@*5PKXlMFozjc?hRA;wv!+Z?VX0EikcKwAq#>m#2*J@r#3i_s)aG#;K{j|7Wjo;>IQtyb=RT`vegY7oolhG88o_A z)k2^#?I6m#n6_+aHfaZ!-WBONNN)@v8b>QlaT{(YzC;8nP83TXmP3%9hG6DiVfulf zW{P{81Tw;dA*tqE$JLh~oy2qCnMqm31~iy7jdmBM>&Q%EW&xV-m_X=(pojs3Y}5GH zVw46nG>s6s;+h0u`3^&2TCR4qQwIl|GLsUZvT-EwF#=p{g7wP@PJ`V=Nbf4l$yyf! zGiXvrc;aDOW>O-et;NJ1u-tHo@-)d+!53+i9f8ezWEp!Z4bv1@-=XAXk7Pf#o_@OW zv9R4W=VmLM>`_03xxeINi~0$}wN>JNm^0@=NJGK7@(L%rhLN%s(NR?Ap}~Dv0wBwI z^za|rdxX(Z99-GzJnkHbSs^rSq4hEg4&;xU4bc?_xrNYpnc4P|e5ojUkj^H9Q$(N& z4~?n?e*FkkVT}90bhJEoXEcrB(tlV`;V9=q&Kw9KonZ=w9K)blR3U(Wsb3ECs74D z1ChqCM?NFcAdqMggJne9=nJ5FM5tE5vaFIDmNk;Y7UeK>iZg~S`ha3-$`);)I@0f( z54uH~ZUHvB6hUA4UA4ey7gk0g)X_6;{AAKg!uduyZ@=d{|CJ1}0i}0@LNAqzsgXbgneCVD}-t+N$K4$*1>Mv{jCD~sB;4h>6Wp(f? z5g8}H(z?g;bI|++%=2rx;A@3cwfgNTju&y^NVGI-!>0;qfXKVH0zuc6l1p~cF)@FnZW z3pUJeCuDxQ>ipFU?#9DqNWgR4o$5YN);LOH{OQI^{2-`1G@^lU(|8GFxgd7>?%gykXk)No^}<%R*xJz zm5iFQ*jh{RmA$Ri!eJiqmFu>$LqWTz$pw>VYq4>`{MO==^rkG1Bil0yxKoJZ2=@R@ z?Vdk33>Hy#S{cbs|0KQ}gzOlDTt2?i&-gm6x_1&casBHqw^jIO-CE-k@Ngq!f&JI`17(4ZQ!?Jx>HkKALi63C&O|aNl4(TWP?*OFS!wS2%JCd2MIx z6STN&L=P|$4RYH6Au@Wa{Is4X2g<`c({T z6m4LQx2SR{OC3g|yXc`0;PI<2wyF_0xs{P|9^-_&$fFV5a4o5RMQ58h@t%Eo7Lo%h zxcmj74nW$VJWErFpiVHyv4kj%0i>CLR4=Zx=vqQx9KxK^Mlu3$W?;O-hgbic)6s3S zyYo3fpIhT|i?DUmiG&tS6s$Sv)eo@`5nk=#RU=+?^QxU!;lyNOUWezpDOuulQ=G2q zbbm0Y2e>m%J17Qo5_%ni7|4;=o$xvsUWdc$hJhgQu9*fZ3(tcZiO@GVDt%M;&%#kctR7RK0Yh<7RDMxg?W z7Ro|n3jA(>K@raL#P8hv&d%@P zz;Kx;sntW0&v!4z;XOkt#o zsA+&pC*eUvR3CV#sj&_a~xD?C%!o*Ah-EY$UKHaa>|Fr*+h>^q&cmg)01eTHDEx!$zw24RV zoRXKRbwDZyjNyP@4k*N}c5y%`ZWZv*`sr4GHzCu`iBq(jK)Q5P?6d`#y*72@-Xxi6 z_lybh zv2MN$Fv(6y^li2>ZDOcvH^FYjX7g6@iEUE=dl+N4foSV2wTeV-VktWfv9-uX`fU>K z-z8wDAoT3EKCNPs_|1;$hEx1@D1L*TEZ9y46#;E0qb_7#4aF8`*l7YLEDH%}yJczX 
zcz#jYZjr4W2}D!3ivjJT6n2+juw#(z5+}Yo_dW&j+;5@n;vhSvw5)Ps{eq!|%M-^t zb6EDzd!^dJvR_PW7hmpOm(tM<#Yek{VzU6z=Apn&5vN#zGRKZ+`#9zrK;_~=sUE_s z$<4yjH2@2kq^FY0B3Mvm*-5I!*y*AI6 zt2bu5$j~z0VOc!w?kRaQbl6nHw2enL6+4Y(?iUgPhzO`;x5iUKi`vkqDcGDpSI!q`Z%BM7~c z@PH-K^Z03dj}pa5x7(C`FNOB&`KiB~SoWkIL+w(z&+HSJFlZPp5s%AT0n;}b4K$OU zN6)tRC{cuDyJO0|K8@|#!^LM@Cpau^t{-*#C^~0FU+GvqlJ&c0Vk0KQavgru&vBNi zx-s|lX#DO7W-AvMU)L<1kzz## zZ=gn5R7nU@=a_IdOFEnqM55853ev*yi2z>BY!E_3-qf;{Wa#sEmzIcae}720RLv+&It@HK3?_^YLZe{%DQ`{POZdLO|iY`~LEWv3eX z>p72e(?8(G#tCzy;7(sbPiTB4KZC8swJJ7YEL{b@B9{P1!jT7x)tWqj z6Ss0~A^Ld2+7aVi&i>?oHLRo)^2=~*P;##PSI%MwwWP4({vp4_6ec){n-2LJG)g`K zsX@Y9mywI{i{{dD8XLK{#Jf=)pi!dr+zF3>X~jL?>rd#y2e- z?hs(y?QxZR@rQB=UW!k^-e%?Qavww|PnDFfX+Mftx-H?{!x13S$TNGik9*fg)5sZD5 zDYAm&6YG57isEhsfX8I(US9)}f2N}WAO=|$x*dMg;iYaG*WHC%d~(R7x>y{fnIpTD z5jaKXeIW19VFp@Ykmku$2{S_0+@OrW9k+=%T zh60NJJ_3}ggT%OG4x@f!1cGfBW?RL219nCyBWng#FI{(k{Ca6RM(%ay0n+CzD0w zc%OIw(bH!Y0rvbuNB{pW`~N@vH^y}xr{_7PZw;ujI9-4}7|K<~m<&hx+zc--X)BZH zCfaKc*$q{@3zNEhcf`OpK$NT8EQn3mR&B?P2(77cSMf*S4Pu!9fJ!)bsScDI;R`c+ zUoACThZTdQR!d{pv^%;-PMXTWzFnxV-Nd=Ez2TlwQQMi%^F}H+xfH?snw+?GI2GDf zaeWN4Z=0Mk+y*Vqhh<#Ogb(r`R~cYXniJ$SpS_1Tk^v%MZz!Fxqum%zBd(nm6Y8GL zAApVcKxz+S7i3-6M9V=I3T)19Lx69aLre@eJNH~mv=h-xp0^XN91Rs+UE?^WR@mH% zD`Y>NO$-8dabm=WIR3!{RJwm9S>##51az?y5ud32)$#o2U3(!;Zl9 zp#JM$a{elh{M&a%;?KjGHYR8$K=uLDsTBXn8z6IJOqROz~S^E%o|UD`&`6N)8STTh_#Bqb0O5Q3%E(Z=JLrq5V6n}2|S~>+V@iaf~R@mqB`6>M; zcB|%a>%_bDuY&V|@C2A3LaWH8uy~euqv@DlJDeXCw%~aR=r%h*Wi~YmY@!vwDp@jOx>G7hGlyA*-3trS0GgNP zrFm&ynwMVqAbejfB^D&Q-ggBZE7yqkWr3ZUxPqB}+SzG#ihWd0>6#(Da3vMjN6`;> zE|cqnN7&~3;vN3`@&v%cq-Gmv@0;SQZHAhmxHklNU#OyUzN`YqL9hhE z?;Ci9V~&zd;K?Qyn4{1t(KgZKY?*<@G`8!oKx(GY7h`&0D4f@v^}ZVJx>#5-k{nkUiCu`@3qP{pf+6IBar3@Z;<_ZH zu4I2*64|a$k*?5_u2AOHZErTw9U7WVbhECriEdU1qPaL%H!{~4irpc-S!>qnW+@WU zl~w27X02}4=h(IE#5?4p1>Ye=?tzrWFy}g1Y)?uwGR5|Fv-$X!ix7Y4a&g51?Y=29bbk?PS|KMuKzgY0!E zcRe1R3d&vDBRfZOmjioEPdwO@CUDI%9wf1~Nwj{_UnYBL(W9cW7Z4(4agVZ>6+Qou 
zy%Zo4We^W0&Uza3%my@qp0nhvhgt8<;gO>|nfe{&?3JTCdUAHlgEA<3M;$3yG7|7{ z3hd0Zco6RA1DLI*bZ1t%6u~AJ5B6;trDx5pG&ei3rVWGG$piaRyEW?=V3XiE%yJHU zM8e`GTDUo7Z(`n9ik}?qHFM?`3(PH^@ED#v#v8{I<9Iu`jQRS;xZgx=&B)kraI@J0 zD$4OXPZQ*A5P4peE1VoZQ{-l0ls3D-apNe9TT^j2khj}F$N?4~F4&t2;wWq4D4ubY zEpe35_;8C$(dG<{4+*!M4?1+jh*i6dQ+%ixA6}WsJj`StX0o=KEP){=J1(VY9@(BC z_8T-jhTS8hr@=$8N&A# zyYT#QHENZuLSpswR@H&dX#n#w)-V7+K)}BV zr1xu#@GP0J`^`Nk7{3Ymm|0D?hNIxo`I;x4BLPFyAP2u{p?eg)n+CXwq0Td-IzJ$c zs0ilq0QzqZ=pg0a%sf zXqshgrBPz13_HeI=Z*;Qz&&{2>UR=;rvn;D>3d>$Pc>a9rtb|{If(iu5vT7Db?S)q ztwGy&6dNK7BZy=LI!I{WCA9QCwPfnnw^SPur{v5jpCd8)cTFImIBf{Afz=VRhc0PQs+~x=x~}`PR71OVv)q1CZ*z zAFV`C9|@wDOwdW9WGV@c6jx>|c{WK&X@OE}zZGU+Xum3z)k+b6S|(z|+oAsH9nFLR zSE^E@+Vt6|1Xo(YeO#{rSn59>E$DzM<=N*WEiI^bu z=N}C(ti!J;4#Vpw^Uo9Rv*BUcFt^x+IZ4E^L!KXIWEuZCO#j=Av@ zx$ov(qzRr=7MDR7WW+G2wjR>%J98EYC)T@Z zLP$oi2p}56c-(qZdY94j72E7xENA=3;NFu38!;KyHlozKjdq}{dtaex6L@y6(fPjwKes4T*1P9#lj1N3(=7B(XAX7}0h^7~3P`2K! zA%T||!b=455>j{xE!QT_nZVJErCUI~B~Dy}s~fqN8J*?I6>0+))CB$FC){|Gsw-3@ zm5CG{1u`ZejtM~Hhfs0bq;7mH<+{*Z=t{YJnsEZ>;y?wqp)_J~sJWUUVAzH{+sRwe zCLA)$O*4fsvn?q;fr zrG>k}=CR>{QS|2bC2{$_B5DA>?*}EiOsqmvQGv+$AP!7Y+rfyvz_MDpxD}AuVT%5M zP%D+tS0c3^A6Tor&{7MI905WjKqFmajK;i1%f`q?I$U^u$&^sLL>?<~s#yPT?f=An zNontHgIm5Tx{RxKf@}wpoeKccwsT|4a~|}#lBIfQXcxT=Dh=)dS(foCoX#DxBK+GC z&YT58iT#oegr-}<(>}5;_V`V*jTk@B^ZTZp+<7L7Njy||LA)0f@`9V+gu^$fzzl5HzgtTw|WDzMIN~_C>~T>C_kzE|#knUT1&;mIt90Ui@-)M_X8}P?Bm2 zX_*@E1j975Nb3rlj(GY&{1bOW5RyA5j)BtCCK`m?HeHze2G8_HX^Fl&kvt+g143G* z-=OOK5?8GQ1;Y(Q9?l68PQ>+C3DQ&A6#LMqn!c%?@>EMht9C@hL7O^@ZHUoVwGN71 zLBYl#K$pF09U!~HR_FdS?F<&YSXE7-b_LVE|N1)japG`|&X0JtLGL{-JBQK4V;h~6 zG^z3qRl^%MX*A58M+jV`DT@6gAv-De5RIQ03*8b+JBA*ws(okZ56s~S&iZo|`%jMO zq@`C(8pOOxqjhwOtx3cx21~!g9lFA!jsZ62fk$05joLwancH&CIFK&IJ$u8P{@TTM zl3ao@#xM5S9I`Gn*Cz`0J9N%0s_D-?aB?j6|bDjHW+#Rr*)>vbp%~aVrU)O}OS=~`SPD;vD#?;-Ew}s$+kl2|yK_$p| zZO%5UB-@kG+0E(1Dp{$y;+Q(OrO5UZ2UUux+v#(6N?9k-x|eiaOC{Y)uswyft(4X{ zXg^JM?u07+m8OfCB_7gQDQ=_ym%Y3es@L)q4{;+6Mgmg9{t&i3%+V&r2*&o5XXjp^ 
z;_{fI4T7uM)ZJ8c(pZRz=(Y#X&cy(NUm&BQj3${nK%_!C7X%YW;zCL4Fug@6_+V)H zCXRnw0dl6!Rl4(C3ct&j@ACLweBKKM$-F%x#F`NCb#Z?%eML0O9`9Iv#~kmd_>PpH z1%P*?^IuT>7c8E{JN%c^2h;Olwj!U%T)poB3XoL3FW!|#+k4*!nlCjBi|~Do65rSA z?;#t!?+31~`95{I05dL8GSK8FR4JURsN)fmq$WR@BGQjpOnGnmckmx zDu(c6%k(L;UY-dPp0cxhz8MZr`9-sBe&vR*r28{jq%|^L_{!+ZlLYp@Wj=krx?&1m zu%`UAKH%ep7s1}w0(ZrZp{qEF0asta=%qr=U7R%5b@h{XK23s8lf`+gbG&8*OYiHa z;SJ=cS^LVPPXqdDkidL=B>-K@`tY8wEd4V+DZoCz=l3Y%3=FB{U$It%Gjs z;Iqci?iE{aqE29?kl2hM1VG;^l{Z^5d0R@UZDg5hl?7WejG%q**lx)kXJ|FMGpb_t zc~rPHlP%-GS%hlh*EUkKck2SZU&~;pAFz{^-mg4*PjI2lbbncQRzj$btH2h9#h#VU zt?e08BV!)aJwc{*FUB>>J5ofplcR-EZD5qPXwsNbQ)_aCi!qrAqjp+V{Mu47YHe+` zZ`(?%j1X1DBU?&S6B)EHO%QN`fybUcmcveK;7Y)C!d=NhJrMv239!=u@Y5XJWcmeX z>&+JLq@IZC1LoDWwk+SaH(bivPBd3*{IL1 zeYVH;(ld>YwZy6xxUF`r%0SnD5qYD8yQ|*df*9mkoTxHlJO4R@i$H*!EgKA%jcjw3 zQEqE#1+<59vj|Y&Y>1nK2U9a-z>Fb5GVf3s%nvjBFu4yq@?qK!lQX2@yhD>Az6Ig8 zXuyYsq0qp00roCfxP_`cZpRgal!tF#h=la+JHSewopiIrcuaRUM=4+zR@`$)Bb8v$sF1 z>zyj>(L`*)?4OAFXDK2S*Mwtr?H6EgC_JeMA1t408F!{ zIrud+8UYAc#Sg?zdiW@029W6?%*6zARoOZ4Y%-p0#j`O!+vGdc+4OA)zKz1S1u*2o zw;_I8Anf(x+vI#3oZhQ|@Ei!adN;v$L-IFB5NU$HG{9d{f8+9RP_Eg5zfRbwdK@^s z^3v}39><)=!P)zVEB^-dZ%gosI7LtlkpZ*#dN>6SSB1e$z+fw2usawm2^{7FhgspU z3vieaI7|r~mPIp&@;d^5hv@U@c^(&f$96~oD-rGeYV+gjd>oxh&zCzjQ~EkY{9FQ+ zSy&`bhvDf2c)Blr#Nz3gJYD|+)V_czUqG8LK=gZ*eH@jK({7$DCzRAl2%*J#IVEiY zFXy&gOK?ka4!Um>Hto&Qj^WwMF4DiyRo-(@pd=fF3j6` z`8x`KNA-7Ke^&ZOJYS{->z2dO>SOLW@rxww z1yimd5O-APv2A_&J~V&CNeD{V7rE3=L!f&*c5VicTS1FzcWNg<@hQ}|q;0a$kVC2i zh>EP#!pNR>I{$M`&_AKW0<2S|{;WK>32`4`h6i49`uBgvXZ zgV@h5Jts58J8sb(c$PPFUmYAU$BF_Z*-HEfs4Kz;{38{Bfd%fZEq4!OxicWaoQ}E$ z_`&MmMxrLkeSZPheorULAH?Z#efIOh`u9a61QcR*II-anBn7zSYG4JeYhFUbnTT4h zf$2?`h)+~tgLTmWLc1gd;Kk4gQ$|9&@F^gbL*Kpi z*^x0p_t~a2^Au4Pa{(sp+-h?s8ztv(eYJR4CakD=1I=LCPk(F!+p+T7@^wX$uygX_ zYmI!I=9W?_l*B&}2I8Q5KobuEJ2t9R=s)ptt7a)M#hf{wH@in}XqG;$l&CBvmL>ZK z%}4ZWC|5#;F7qBUpdn%a^p+mSf=eojKn(G-0&7U8Yu{s(f9mLIHOMK`(G{X2jbt1O zK{abdMM5#R9yV!V$kvjdA^Hxm*)kI=%38QTW{J={HF)t-*;xPfWp%!=o55m}Z{qSR 
z{JlV!!E(ShiYbkND-ik@`HbrVXvls0PwR}u%gnDu7VLBV=qJS&gucJIv_RK|%y9}b zng!r&{RpTv{t4h~%m$;q>P)~tnM3FFuN8LakN^|bcQk-9d~IWE@s|CB-dC6gkH1Ob zmGB=127Ys&{o)Z#{`()Ue&?LZTl5USwGtLC1h2Jk`{yy%I8Sdb>2^1(M^wYYNg|#NilaGW{#Lz z!#8cEwgQYFMu@D2k0d22_o{C(Q$Z6(X>Gz)&dCrCMzybsxcUo3qnKY2U`W-z#2~{> zv#2IjPZzl~V1$1fKaCQauLsVD%I$9!qCP_%(roSc9tTx{m5yhvu?{3VB@0W;I3 zDU8pCQcry>5aOjCvSk41)#DHbW`D)JKYP3`Y-hl@sU$M*;TJB*2z2V=;PCDC?}KwE z^NheRljvy%ivG@i!KuFrjuVf4wR{c&!2S1Un!0ne0TSBHBGpfGyadAK0nECqI42$qM@Giw1W_Z zUGN7cSH?A02BuhNu$t;$1@KLY5D zA@W0K%KOJSsUysM)7IlyC&3zSXB{ahY*b($w080Q_sHKJyprgnW=qyAffG#ZtJ*ak z@3a_AM=p=!2cbVa{%r_F;B`G9ZoHMwhgT9_RtAZ2KUaW@3~{hY1gJB|g@nW)B4$$y=)TX`|pOq=B`L zflr_YR`UDTA*PdS+aq2l^SS2GmGr~2l?h19G4lvejkF6sHoJ*RNsUKW9wYy)*;9qU zPIU>95^JFZ&lp;1w&6mz0&wpzw5Ue|yLfYVH(IGWrOMpYe$b+vYA!e2w3Bo7iEh$C z?s82O@gi-nIjW3}HUgV_7-thjK`KGNO91b{K?0AM|#>qn1Sc;xV!n2DK8;Lz{^!o#!dh~LCV zPIxnkMjY2;C}}L;gnf}UJGW^8^d$-sa+JuQR#%$4 z*3sB`862YJ8s+p0;$Yp1W7)-rZMR~SMS*2RsfvZ_EoHJ%i^FBtmQjWH@RJNQU)Ap* zo9$CYn?A!=OY98s^vZ#Xd~0&8!t!bIMClp)AhB6q(2Ew%2wiDN6t0jU$2bwW?}mCF zEv3%B&LjL;@1ZO}FUDePF24-^*q`*PMa-VA?RVI_6yqKiGDF!KOIjN1*hpPz=d+ap zsxsJ%g-!>sq;8-sM12Gb5m&W;h{C#_c!(L8no6^9E{f?f^bs#qGk-Ed&wxfwr?Qvj zNS2@@=kSWX{l-FXSwdE+_Sw(X88FjM`v~G;A`C%Yo$k^e-DO8q;4v&gyeh<7CeU^c zEb>uxv`Z(HPW>$JmJ-Vfpc>|WZK(AODOzn}la@^=PYm%BPZzkG%XkCUarVn%+^Osw zoDos%?K)HWG2bMfdv|?m)1(Ma zXr&MD&BDL7ZxK*HE+mXhaac85;x_=;>GB4j83;{4ovQ?SQXAQsaM(WK&>mj7_i}}k zkcC|W(e|}D9&JZ&V!(3AkMLNjmW&o({>)06eh{0JTp&u`n#f}A zJ60pn3P3K(xZ*EB+KkRIQFp5znbR+$=kZ=c9=!(!mWo601uipsNIk;ass{v@3j{s4 zKe7B^lg@cnt7nMCw7#}UWN3{~>`{3Gb^NHmi(EHS&qVDCIcL^1M>r## z=m4rL#YaC75W=}RGCLs4L;h5abHcRx0^kKEL>5AG_q$F5ojkM>W>YeFb=%kAbDJ2g z%mDFlx;n~U&4MUT#J_vQjdpniQUqrN9E|Ru19#BW{s6eKiFf>UV*_xuU96#fWWy=3P&0gDEhC_okxSc!P3u^x%@U{8Ql`xk1insc$osyshA}{C zQ0zmL02iZZ8AktMh)1Tt-AKVBb^L7;9hy}>9l?B355mpszFRP7~(xZbO z8nBiCH`}Bo%)m~7dw;OgBo!8J+LE|Ygh+%;d9M#y0z1heLi}DR9!l{^XCaCTwy@4ms9&*$o`{H%9Or6zx_y#K1j7HlWBCp zqVMsp{9X$Ves9R{EbjdK>IytU@ZVTGzt0T~B{tFx`5^QC9}7G=I4X$F%J;L?kQ>tP 
zeA=@hm_y|Mi)~atuAgi&FD+5&-s7m|UX-%Ao-v{j96LmgEdpg@EeEz2;TxG5_`#!y z96!{BCF~W&5r*p7{Go4SeyCkiSLB$7Du@p*$F5l^ILa4=NGTPFqOb=}5Q<<;&fusz z5CVJ~DLYjeC9EluiozdF6a@={;tZZ5LO}?BK!Ac1hR~#@01msMBTJ+Sn9Axm!(s^h z&LX)m1V2B;4`8m55J0b@2#}zfkj`MS8+mVVgerN0@K|MDBwU4=Cko3=k+vz~Z0%y;HZwL zB9-HVB?H^+V99(2)xYn++)}V6UB>U0qH@jhKLi-PnRZ;W?y0KHqbt38YQsGj^ zq?u(RK>8F(uXd%+{CTw(R4}~WIQK;*U~c3^my}ToU%uvY)y&Dwow#BB^zz>g>Ugv;KB$F{LuVU}KOyJi>U?+jc>rV*{5->xpErR5Ry~-XTXoq)Kwsk`^?GlE)xUW7b5CEGqQfNCJ`Z)x!Y7V%>#uQ^?#<4qB*favWQwgmjOYh(^ zcX_8cf)Y;i+nO4ty1bz>iED?e(&@52?o%^LCPCKWIPE)sKd&OdzEkH&O6aYURM?E| zdHuPB*Y>PC;)&`lc61g=vKgM7&)gPr3%P~dLTQ`$qY4q z;*}7+QWpDj%=SQ=5RYw3ZO=w{McmK7etuNERp1d#U{DT0j(jkI-~l>i(dt+`o}`Pk zp&?hYp0}X8m?EDr(d(4>23^!CQqOx~H#FrSpNQ-(c<`@4AvO97!@I1s%WfxuDkJ^~ z%9C<7s@whOFgo-*HnRaatD@T_fQMcACN-K;95hn)%fvw~voRlzFOX3L#>j+m01k;t z-F6vfJ&#jX1Jd!_cn3VFL~WkP2QDH8F2WJ78p0LC>gOTMer_W3=Nl;e{A%(@2=i!& z!q3ql=^{`m*vdSc7aJd28+#Pf9 zDcsoK$^J%6VVE`>3`t`G=In36NE*}mYr@)D^LdYKJ%?JiaU)I1at3;h%^Oa#f0&O4kl8hWnx>y`c>Fn9=FeB){d^3}&pEJt zJge*HC!YMg&BD(?-1vD1rXwRz8p_;7i7Smc@udwn5SSZ?@#6tqjMXfKr)$4a-K3CF zFy%oSRosW|V;1KrG`cruCv!AUX?*F5ymVz=y6yuHWV9Fn`kD43?hEXZLNgUMU3}{r zfCox1kQT{gvBWsobV;z8@u;gUpi36cj9qV?)LV!4*6pZPN%Ax$$Aowp5I%wkFN+Wa zx1)gH(fFMueuoCX1B2gP!S4p~J2Bkufh=T(){260vj?~t_QVa`OwdXN4sLeYgbM(r z_rkhZi3>nxYJ`nk^DR;O~jl7?7}lmX^@eRbTwcR(?~6d63(~9VEJDgq+6-#YQ7Ln zgXnm$qaX-6;w8pfBaM+Z05Kww#tE)Ll|;Th#>M|z5Zwyh8JXk+R{YdZXTxQNEO5D^ zfS9S-C}@*TF31r*c=8WEqSFRrBbKofrw%@Ty|WWd*o6iBlAfLT_;DmGyU>Ye(1hXJ z3B14^WX1UQ87%mNETG1su2F6fZxsoXCCClrNI5*ptxnqIMLAOLGs>+}s>ly?{d|F% zpZ_%d(e7iFvhwFiOpFTC(2=2F^bAS*7Ff@UlR$=w(lbnIe!pY;JrAJoeGK+Hb83kE zeH)IY9EIqypxu+nyoS!VEq^}f7RS#MWd581-p^w&KbNvq)!6;KI^^d}Pd^v3`#DdM z{ROYOCJ4<|_I;B6Z~3f$y3KEd{96v;<+Q=^&6Y}zi}8o14<|ShRV-Ga0&J@Rcm&3% zhr14Q94`oPIJ`hE{NXwB6+KpF0J*}r2*gvyhp#YQSxX{v)ra1pEJ%*;0XuxJLyT@C z`=X5r0DW%-FiX!!n30#F98FmQ0=B};(F8)@6H&vLK@9AY!i}%Myzhrp`2K(_IxV8G zq2+vj=z{I{f^@Fj0b%9C7-kL&M#44><^@*pk;Q@w&j+_!>Zoe)5aA<6XlIRlHSHgO zd|zbD_kw-j{~bWj0sie)%$lx)$a$>eE%a3O=stS 
zlKK9~mp^(%qFdyk=jz~rW1ky?ey-C6JO_x+?NNj0c++~WeJ<1&R>rV{t|QS&&~>sN zIRoI_>D5DUeOaBkvx(;sGIz4^J=eMO^Lr&PZCCAG)*9<%i{CGC@;!kbR+>GZdWjs? zG7V*lz7MSIB|1sW@NC4Y>t{-{CoN-L^bv+Mo?8v0G3=+17BL)9T>Z@Mb6krNWyYn} z%3Fe+#G;3Dskpgc=q47s03G%kVCW`3y8t(2u535E^D+F~siRKkbBj=XZdH-Ibw*8s zn*D|EpJaVsM6(wOdx@x_oMrvQnH-syGLoih-kOe^KEC$@R$g~^yI6QZya6)k*6o7k z4T08!SZBS>t``v`FgF<>sO!YJQ4KL=v!TYE)|*^H=wP$gfz!^6dfMi#F%7$qW;Bpm z47qFS=B>``sXL|Anlqn_sT(GBCI%nh_0Tj*4Cq4E=tK@@8XexPx<2HrcVc@djF|?U zS3{XsL-)l>y;!styW_=fd9n1nb$z$O-YpsL*5SMLhJX{_YH*Q8R}AONMkh|2n_2?) zB22Rl-yL(->+bm6(3)BTsXMvdG5t;P8E5yVasay#tGSP-OXjWic(rFNXRoHYy@-Zh zM9JLOq#HTJ+ zV57cm-)Dg1w9bUO$M8i|d;vg1E50a=FVJ{c{E(}qZq)p*aR5FKWw zm?>)S=MRwaZ`5HNAD4Njd!hbCGUeL<2QvTRcq^e$Klit zWo^TGBPZSmDA9{I>Uy6vMIpKf(fdf57Ene8YA0!$Nm<`+>QMZExv6G@8Z_$7=5^8F zb)UexOH{fMZgiaxbfuKK5n^;HvECGq51{y!=u&=pRdB^^g}qQ{{$tav+&T-r<0MpX z>2#?u)T2u({Fs~4Wp!v&7YeYO=83jqO^A9vO=-?L^s>$YxlVxD>753(sP&D|*KOLq zRYhL6$yn~HBM#0&+`4Sgbe_vQ#T0P8fK{D`5%Q;JXHAJ+`hp{c&6JDEpWVY6)ueRn9L6v zVUTI4g6INiAA$qQElfp=^dI|`lk-(`u&TTQ15?p9 z?;H>;#Xfb=gXSdnl>4FsN%2*f5ZN_35 zXNsK6`GVnytr3DV3xrrN2^af`7pNG7L~K=^f-?=rNhnF;y?DkME+QB*YHXK98Z@U~ zHr|`UROrw2&{TN=RJ#+o74s$OiE;*O29=lwQU6jm8)CbjQMyrMFOuP;ZU95~@?|yz z)2*fYBid|;zj93P8~wsvU%0RrZtsOteBmtLxcQCKdgJEaIKns1%p3P#IS8*@_Lb}L z%29dc(7bY=qfK%#wJ?*4Nn*6b*oK#gimVibN*Ol~F|&LHz$nH>MgRg5ajwDS!vXPX zdeO@G`5E`!?0Lk1EFymfEQe;X_$xK?^=_qoH{{rANznc11EZ$PP}3T_8$fP1cHA~7 zXeSrI`ha@HL`H&CB`Ws;d1b`%vn`|A)KXQZLrF~XQB@fZOKP65zpEJu!i_M&tvSb| z<1R?bP^`;p5VHdw{trWU_Qf_NWTl)m2iHN0*yA0h`Hm>5_0G~xn4cuh_P4V(+zv%6 zGC4Rh*Aukuw7JjCcz%R+;6?mh=m7NXMX_3Ai?VOvVI1lRsSXf*7m)NvYx=71d?F;{ z4ue4(W$inaL`wtdK$c?|*2?zQDb5T7&4*`M3FOlb6t)6i3JF(s@HA0*&g^$?< zl&lP~xjyA@K`?IUJ^X-BYliP%su9K(xN!1Nn<+8}N{jRncKBdp$k<492QjwOTr z&3e=ub*&sx0>fHOPk@xFIays!{*| zS=K386@dxOB#1BQDhq+BjCo~9?bI^Vhu9XiKsNQN6o+9_-=<7fMVv4_3Wo#)9+0=Zf3Wl;wc-cwN!>)bJJ6aH@XhMj6kJ0a7?kn2-yMm`ZjmKfJ+@5a-})5e`lJqb!NkZqG#;pveJ`P zJ?k6s*ofg|&xy#}#?K9~j>j#~o+?dqrFf?4bnTvRc#l-z-v;Uqfgu90pY3{2jYk)r zp7}fi 
zPUSl&N^M;cJ&}Aj*?E+Zp@}h$WBXpM9c(JeQllSveI}#16@zhJ>bK^v3o>!x_#ie? zMl$+OqVa6Te?zlIhLpac7TG}qlzT?%Co64o2}i{)wbr_IlK~_z!;`6a)-i#_fRV-m zZEXp!zkgH6_^;JOn@{w1EZ{d@CJ#85Z#ia-NP1*0jpSUTv{3$g@|05-%z?52nMl{F zPG~#{aLmd>ShYIr#cQgvV5|zBMS`6fY6|g4($oqkiU5^iABgSprXp+tnd6^dk8w;T z5F82b3@sLh6|(*o*Y8#!Sj8P^0Aed6P&F_)|`?5y|%P{avw8^Q-mt$CdU%^x3a%2Nm|Q2T(pJ(q0Z1bLyP!9|JA zFSMzL+6~9@eg*j5I>5g3LoDJ|=k57C0Rv5+W)i%Ggm797@gP)@Q7kH!o@1!1@mA{T zlB@$}mz_vwI&I2)i9Byp0}9w6aNkj}E4!hoKG%z=pGv;v#9SbhU0J27q8Lst#9#Ax zY`~QDt8@ud(G6k>yU*}VR>0|c$0K4)&S~pw02|WrRo6YOpo}18$VT>27LxL%4U9nC z2uB_9J!AN(s-IBSnxfIj$b&?d?3iak0$T6R(!3F2F2ZqkB_<3)tqBlej?cmDYu`Iu z!o5pMLI|#q*4BhV%Htp4a5xdpGh&dwB}atM2LF<^P;0BrnC`Z8gpv=%CYF%skhVy7?a^7(%M( zy|xEW13KzBk%{o47J!opYSft6`dOYLGo#p$qDa%6WT4!moRVi@<@2wP3vcc2$7 z*=BWOebt&OOFsJmNe`0*6;f}Y-GqVtuy49p$FM9-PNHsWiyf#p7qdkHX3@ZSpFARP zeF1`7GzS@XRA(8-)tyRk=|fcwBQVIXfmDUh?EY_&Hjb>gAOci3WLV&7XiXLjnE0|_ zRFV5FL?YtFJ{4jSp&AwevmtS0xwDsB#?6TK>uK*2V;}bWiUKPT0uQzy!q7C+zW0R{lYIM7azksjQf(^RWq$H64$cWlgla*3 z(?4KPRUrbZX%PS|oe@UGbpXCeCitmuaZbF^*PN!Fxu@ zpORsATmY{b=76q;Wr{2T7YW90zcggc6#4+E656NnUA=Md4JvXfM|jj8e!>CdvSA}3 zA9XmQ!wht93G@*G+Ho~lJ`fOsz3D;hO|VdrY2d2dO;x2YwtOW6DanQ9$qE|Cu7>Q#mRuqLxKFSJ7js9h69(f{3um_7dk5e|-S6&_I- zs*Hg(%Aln3LT7}UFgQ=w9cMEr5Lm(`X16%Elyy30j7ySKsT7MZ*_t=18-#5RTohO9hcP}w4aJ`Ig9}~*O>CX~qH~9e)xoRMx%=`P zO1LYymYi9Fsq@4uwo)3=dBXR{SeJxvF7fUG9yF)(M8~63U=QCch`We?{`IO#Vg6 za}3})3h*35V8RwDRDiptfV;kcyBzn(xxu3^1cuYx(NF?T&4O5+|2Y`zMptlI8+q6Xuh3z@KGyY!!;v{;ANNGtiD_ChZB&+^46oe^~P?! 
zIjm9lAHR{Sm1ItIdq!?*#xbuFt8hAxW3IJL;j|czDW$EkTL{!Ge4|GjX*pbIQYGCk zR6(lnOS@T27=DRm79%-}>72!+&SPTwfzYUhH0c$(|Gj0{PhMv;W4K=HQ8hOr zKIISZT0C@7i5d8j4VDArEx1R6&pf6j7~t&K^_4hyY95CZ#|>hm{z-`88}aHO zD1NhX8kEkCn^%a9y1WYwSEJBgniLm74M%JO8YhrIM3d?wr~!#x);M7b5lzaApoS#2S>uEfh-gxXf*O?A zXN?oECJ=cX8n=hkohbNY#~iUUP;Doa9+opD;=7r9TfPU{J~v5BL+@U0f#it+6azD4p~ zEk0{>c5(DFGG`Z_^NXSRg#`Y++NLtbCnDn$j(owHFop14VEC>}_z5=rWE+0cjXAUt zKtvp3iWiW>eXQK40QVt^N$kZTLg_X*SFSo+a<($?TSdZXd`uj0%~prcRTTCS^)=+U z-HCII__@x)KIWpjD!En9<%qTwfp-n(dBb_%x8XPgOO?qSL-V_+;ueeZRgL)yEDShb zu?PnS5DrA~krm#n>}&LhM$K4Fe#R;Xn%b_Kh4YTWc}`&|2EtMla4)d!YAN4w$obg@ zt(Y5rMnoQPb04PstZOz)XNU?iq zTt9EAFc-?3XPlU4q~Jth+-%fM0`LmTe+-d%Y$@CgggDk3+nuBRjIQ-5Yd^s?yFI*myr9x;Ce@qWZ-{j z3Sn@)R6d6(I>!CnyeS@6K@UzBB&+ptEJm{09jAjKtASqaC{BTkE7Ww$a6;=f=?lgP zQ9~n2Rht#u*R4?K=N@`(etkh=pHQYZ9S(ULlAO`#+=_H2&)&psC&cbl*qsz_Eko`U zgI9?EMVcPru1C=0PEWW*mh@f#4QM9 zxVRme+~&voKG<1lle|W7@m4}U1`r4ACa1}gp!k~F>GxOl#gjBQYDw81>gTuwXr2`zv zU|~VlY6J(XBZ5|$Cb8E_tJj2vDoJBdI+B>sfByw|U&{9WfCQ_P#kr*NL%gIOeu!lD zal!M#_^h2SW}cS8aC4BwMv%&6uvtzoi^dK>+y~ivm~TKWIkoyG zqXykZ_Dn}ZMy(|~Uk4Q3O=6`&qLy^5A92)=cHQ`(cBJLrH8LWkiD=-d3ffPEv_&4l zlP$u3pkT^5t|SAK+g4Thd4XvBfG3#p2;q@swi_%@9m0epz?(V1n`Te=P#rJ;YX$(U*}-fGfZ6!ionTr? zb*Ib=c(Ze-ta8UpbH{88n9URW4H(a#S{G2XLD?SGE>5=p6mPjSHD-@4WCKCGA}%Y6cTvHcD{7od>=f~)vn#VCIwK*XS(3gOX_52d&=QXP&)yfvAPVNW5B}%P z7bu$v40x`MnWqiuBik!tZu|c1y8DU*;7lNW)cOffHfu-U0EI`e`4i@MWtNZLfDKYd zO4Pk{IbP`vq{s82(-{gc0INTRLF;k&1Be~JU7Q2~J#&D$-1 zAQQ;%`$Lu9 z8-i2jpRy0aqBGdwNP2_!&xCFXz3&)gOBi>pBa}4oLPaVJHCjQu(3d|NBibqCFehMp zAv?BSAiWHMY7gjMAd0VbJdlbEeau}lPXrZPGyFHJs1yR(6Vd;zTiWXTqNCY+{cq?S z^*9`ygX}L7qdB}}=a!4-f7O0`C)HWOWZNV@;12m37&Rpc!>rsUT|z;Y4oH>`M0UwH zOD82Z;NdknU$g!RdmkagtVH%q4`!tfFDGqlMl`#GXX^m7bq}(23$k^p*}Af9U6yR! 
znQR?rw$3yr!itGrys3*u#n^fxOP0HXy72XF4zSlxMC-e(Uh^;KL=qe;H6o4PF1bWeIHtXWnvE*E-$)3+qoHI%wFh+oTUnXj4NE=1B zb^Nep@bs)fuw_Uf!&v2lOk0a35o5>b>oHSk$5_;UF4|Wxv;%C~DpJ^BmmMy&^MTo0 zruJ0=?GXRbbb# zp<^)9gM9W2OnQtadr$5$%1)o#Z*=H4raBZ2-HWk%sR`1fz^$J08TA{YHlJGe3emk( zbP#21K1{EcM}j^hK`LQ_Ia_)(e`wQ$snL}6M7gLRS8FtWGGmKK8f$VRmKqYOW3!|tnn8Z6(JlKLadX!?kvv*|=#yozhrWf5- z;h*}VvYID8;Ni$Uo{aW4AO2B!GUhRle^fiB_Vjj7_2oP*Q+gN;qyF)(Jo%xMkZJ4)tD4)7B_4bJ~oWQtCZWbDg6^0Y%U=- z)lv=kR)5i|0U7_qk+m&B4cN!&q}~ibzN}Ge5{a&U5vpfXU#s5y5uPoNOq)xH+6w3! zF@UNqgQ`u_!M3#)!mu!LW=7HoF#Pk9Wh$%>&Fl{5S=+u3?sC+loI>_Qty zY|Um&?HP8}AY;~S?7pKH>1y>GBhEpyIC5s)#;?0|9;iK?t>azkYCQ^tu2z3S)ovn1 zv$AH*IYuvW+XKQ5lhi)ek8~iY+TPZoJoO(vPqF{V`z;z;m!hEmh?6siq&D2@WStCD zTN{$~vwlYBVVeeIhxuWJL+b?eGdoOpo0ji z-RyDhkTy;Qw{WBRH0ieC^)re-8 zY=KB}AH49K30xa#OZa?YRnl1}`qYV0xKG&IOJq(U?qemJ#0?nztpb$BuR8vHL>o%k z<$iVxoW7b52^qAe349#4H5s&~p=v^_I&!ft(+CD*0xSlGRnCOXNZXB9dK-h=eA$hG zp9KeIbJvF#>@z@*7YbH9P>boR(E#9|Fg-u4C%^R}RV{`Km<;_EP{n;6-VWauAA@Fxgc63Ekd0e%B%7jS(Vncz?zy8r>YjsY3u zFHP;IN5JGaeNcaysx1j?NiJZ<4q!(U*1HZinoJu_DKF~cSt4Z2aHE-L4`n+ObOJM+ zs0=4^!wF!uatAm8#%-Cw+pDX}rQllh`(eau*x~bCZsYuHN(8l-!r%J@KL*v1Gipr$ zJYN7?xf-+=(I&gH$#m>9ELR$ubtKOm39{)OIhU1BQ^(91E3&t#_Rn!)vt`<1KnkmHnmwQw;+ErbtEv00IO&@kx`^gL6Iby&%0VwV6q)E}k`VTA@Z0?EPsZ3hR?mVVl|QPn^>`-}-PY z=>PB*OVgLm`udovVeX++MRi$>{Vuq{r}uYW-05&8Yor1TTimV)NXUcBqmrm0zMugs zq0w-Pa0N}iD^cL6r*kYpm_iFRYTifzjl0P920SGo^DCHy(KU^LDIkK-PKTN%USZ17 zm7@Xp<>U*I9vTj-LY+<4Sv$lzax+tWdMjILf#BEy0|u(oZadY*x&`-s)2v+ft z!cSm*z~MMcw1^k!VQUF2 zzd8a7yVW#G1bUuZO0(^_U28m`pHcw=xdeUJn9=YuSaIgwc+{o$EwY8n>@Sc;_`>;> zFy9GU(0CK&54e@Wi~FCus~sCBT)hnthC~NQ2+a2>BGno^B|_Ey(*c+IMuD?3;*d{a ziMU{al6XQx^3SMh@jE2tfG3dwb7m(zH3D@6&TxBO@d(6<_aWMn3pkLV0pWAPQ1JDJ zqgFveQxb^%UExKxJVrvRqy6nsj3=P1U03ABLcVUtnZOUX{Uv3cg-gS*8He|^GwW3k z7%iweaAiA9*l0~8EHme#1i(fet8MH8N>$`<5L)QSEly((Z21l=48sj!1yuzr$_X&f zDcaSeYd!Wx!@@=!%BBPq7PWp*Etfz8&cQnDyTl z_D!<8sn1w1X`pS}kV39LyWjZT74s>Hr5Sawex@QLNgSg70<=T2_w}QMiUu(f7A9lh 
zACp#daX@5HP_$qL{PV8FCm`|}%PZq#9JeGPPEz$jdY_@UMH)2lTQg)ZsS-z6N}!&N zti&kW8}_|%-6R#Pp0s0UVS)MfCQMAh&1eV|b;qjc7?dcSTXYD!x;TUq02#}kIT*+m zWjUlO-{f~0;DZMs4Kylp$ENg)l-^&_>hyU_b37@UqROoNfb?L?!?E4p&wkzQk&iS?q19b`CYr3e4}S z;tHhZQXFODZF^j_4Zz*{A0JSP;Q)ptfcnIg zWRUNbyHMAr$UlVggZCPopMu-L^52M|REY+1KLUEJCS#1DVs1^!`4v+ScG238_{e!MHh z$2)<>YEt6VRMG4sbRMTyW13PilTj}Mrocjlso^^O zK!Or>g4Nb+vif*^G6=nU{cW=6Avq{bRxYmyI_9e%>>J^8*-*{~qeNw;y`uvv#!&l^ z;9PAtz0*O%6_F+Y3+AN*#I9bDamH_>BYO|I46;9a=t39|TzJ&WbbJO>B8M@jc{?`D z`K)ciwT+@!+}VBvdPfS+L;9Zpbna$vojAvl4M}xhuWrboKS2;>49KSWcJ~x!XKxqK z{4Q0vrA|62l}#Ok3$KFVRDqJapVFvG+=Vekl6C{;>_!gbidu0ZtWeaxJ+M-9v4|_M zJ4Z1rkVt$W#!N_?Ol+0|D76w2HJE0YE94m{PH;}B`U=j)LMZ1%f<}n35lizSy*EM( z3w~VMI{svXhc;^9{a4sBkvFThi_XUO>@y6$*+Seu>uYIe)B$awE4}Pp#+i@Iv8Oo0 zF-pjLUp#4i|J9;xe|eVoo+!a=pBsrXut9`9*psKO*rp>RbMRhSi?+KLGoiU*8`k}g zyyo~{SV2ppccCI|Yx=?3~opuvfu7h5I}ZM<}p(tt|ELbxRF?PQTEL zJUC@qicT&HcAhPcbN99s1C@PK)X>&opzU9zg;uioK~Q)5j%hEktYgMv`i6mqNyeRV zn~{x*X^6oqC0gni;V58DHz1{63<1?<%eYA{iT*ld@W?(6PCI=BEG6?IrBcFN!5%JTq8zIhCy@<;nFa2y0%IOo zn(fmx?j*GNCO-hNh2d=?8Q=PZsoEy5MjX6Pd{XN7-;az&5Ug7;#;E}YYb%U+DnN?;@6DI_5|x)x!yoQSh{DH%W@iA7 zn|e+S!lrSVy;D9vQkWF`7RQh%lj3f2p}ut1?^K-o(D2s7wF{ z;qzHFhHVg55{E zs@}#BSG+w-h9f;n^7}!WO=KHf;X#2x+D6}5lVals$h0E62_~bCACyTA3q`TS>?IP= zuYwMxNX z9jnX%bl8Fv6QF%ZGqv4Vg>W0DoLt2RcUb?>_doYgeAbuMEH}_jI8R7(R*-PLZ5oiZlZ_{AXJbciN@o(825G>v<3}Va!%jNR*rYFJ z4u=Dy4Ej)NsBr1&F&dCS^z9(^=c~3zuPk?F@c%4ihHzDxFqi_vmfv-N^6-`x0B`nm zV(|K}<*87qPi&k@!;Rn8sH8aHvke=HVW&drQP_t|-Z5gKLxHgw+iS1_M@6{~X*<0~|r3kF7! 
zt!XH5KbGQIO#WEmj~#x~p4Sofkwj1S#3d`?6mDFNfw$KAWCGYuoOc~K@ktPv23(EX zqapE09`Kfrt4aJFR6hCfSEExx{f;#^^Au-gr%d}M8*ZjW4E9vhdv-Og$Mn?zPgdxw zB)ov(GM(1NS@3L$eh}yrA@fyw??s)>k6)dBHS(*HU!nXO!mm+UlLf8Wg4SH4HQ#7W zATNYUrgG_inlr(JAd1#>pNpF2tMb+xp2iO5s_8^+~n$sjkPlLLGHsO41L&cEFik8f$o~1 zyJd9OjqXAbv)N`Pm#sOQB1Jy<#!TC=a+##F>3X@Uh;SfhQeUJHvlTr(F!AQYHS4^{ zG$T63Svm7z_M0U3O_FgYqkyrM%w?i+Gngf^rspVYdWiw2n-%i2cw5OSpqpyBw=OqV z7tE#(3)dUre?@m!75wJSBcVN5yt~-o5!hF<@L!TtTj~QI(dDmYTe=2gF+HT+gK4R0 zy04c)crUHoOYfcnkzi4N;N`Efnwhq`J&3K^nT$sdBbJ7!x&*G+=Jmh)lN-2A%VHI#pYnB zkNzX+1)oZ5AfN*|SqO^Hnl6RGnt=<=%;47?qZ9ho8jFK-h!W&LRrO32)j9F{Z0@G-0xVx616xS#f{oAFL<}hA-5ccP!`g5W zh;#tha6UG)2$pi(8s_#22^;IdhW40p+8UJXA!sg!z^9G!h$MT64;@9ucRZ?8xfmN6 zYsg^|bc&Yo-Dd@5tQ+x^LBc1`f){hyb`iGkQ;d#9=XMtX^mSk&Ns!dnL6RY*s%^y0 z#|rq^1UZXJ^rLbc$=pY-9%Rxn;frS=98db`weS=K$~YA%dc68aV;4b{vWC z1TbidM;?3~n6>hbi}O7K`yOr1RvOHQRZdvOg^;rryXDrbvewi0D9`uE5wilDnLWM& z2z&!rca1LJLP2&)6MzBFj?#ja1nsC9Foh!-Fa@X zrD$MA*iv_Jg)JYPgDcQMD)R6w<{+F5Puwtp6Ar~hFdb6Lo}$CN+Eb12lA045!b^v4 zSSO91YY7kza$^HB@yV$UlD72~PUEKnc{05Of{VP;kXU*Tbqhzb z6-GB{I_0F5M#%VBB$rSR%Ll#2@5xzI+^b=|yXFt?RoH%8l5BJ4{8}y@AZt)7V$_$T zKxDNDUbfJwwliJNB+61;l^EN6V_K<=K)BNPd@HV&hxO6I3C2yh3AVm$xSa2J0U;At zZ6nOu(kUb?j}#297*ZALrVD>W1eoiup?Nx2uJMm>XM=dPWs(f%s8@fN-bwH;n*%i_ zSv(;tJ|x$$&ht>*XG+CWkWLQ*E*}L9)DyIzAeXL=Oj#duclZHaJP6gIq}IoIct|rS zGpaE(cqdD_EH|a(&J?riJ$3F@#ma81B@4mjHWO-BGv$-G8C(E(8^9p)YMAR-Jj#xZ z{4gx)h$d*3Ki2V5Uh7fwRdh7)@PkHIcb*~d> zmWeMQ56QW9Moi_AxNFxN%1nkiMzlx!eafv=Ie^Ff(OY&c9uC6hmDfh{Y|glrIU$tH zegJ>E5oUG!+AECZ6MtA3gF2Jls1mJ_OkXe682OOS=e&V;%sw`M*7X|J4wP?4#4HjQ z0f;8^`3I@jGx-H3aLtmUO5cbjFi?@4kGe2>h{*4!fXzV2d%90a^5F0#oI^aZ-O@ob$g{t=jD2r~+yU{8A2cMf!E1Ku11KCoS#RTWhDRsK5!EJ*jwGFeu zt%GK5V-S;;CfWUA-Fsp8r^)Sgcsd?l%mg8ZOQ-C1#{gOyb(mFA0y}k>7MX+74-u{4 z`yH!9;1ktEx&p`^2@L9*aUW7DDQgFp5V+pJ>Cd7ybWdfbJ z!ku1{-e3j5Py&OZxVFDOUA96J+o2@2^G*-S1~rdq2%oe@1tl(!Yu;AThAc%K%C^Gl z;C2F?qG*R*?X2q%(C5RPvZK{<(~?Mh(pcM=xKQ5L=cfCbRB(y8SdmQ9fHR<*CU&*VWrQe1go4Fz4#E=2d_wu^tLNIu8M3w 
zvUIg7c>)h3q7b!HQaHP~>MfBeUY+14y*HVSaU2(E^*66fAS}Hs3u`4S; zDH}jc_DN9owID-H5uZqYqJP153z7P%?5gBW4r1MI!P;{1An$F-dpVR`0az%$M9#CK z%OlJ}xz@{jHRnfi8hCWDHW`F$vvfq}%)gdDPFd{+RX0<|mUr8Fk3W>Fc5JL!}R; zKGgcq`QM8F7WHq;e}ne|>s~PLrMoz}mR30U zTvshmH$&5NxEZx}G#$}S<%}eT{tzNd!V9TM0lzgidMRK$N-kSc$I(ZVAh6v zG8>&}5LL2F9oC3g9Ej+$DE%oW2Xk2G`f%%LSc3|!7(}Q@myNj+fe|jS5!_~0Z*iw@ zZOMW|yXrB9`tUD}+x*g9)X{ez>H$(!Rey7)JQVvfus>t?Gv4Q_J{R`8hW}RG2Hx*- zZUfHedLPdDaPfN$-|O8-?|V5vZuxP}kBdKU`f=6os(u%CAE@pF)%S`Y?A^up!v5EA z7vo)=el-5C_`jyxxOD#9@}KWNm;ZGBGydoFpVfb2Uv2nm?>5HUINiqTHez?ua3{Sx zY000eF^8IRs49P}{KaypA%}Xog(-KMa;GZ4Fyt3r{`B&vC4X}69kn;}!=xWGKZZY+ zezW+o_2c=Q@aFL5)Xl9QMiu+8c`Jaog1>{e0_)#Vze)Y3^_%mH6(5hekJNp9G3h&_ zwo=sR6@RSwV^Qz4zH|P9jJOh!NPPz~X@p`Z2x1t9f*^)L5QGpy2qHQW5fKp?aS9zW z6GEYpSZCq7U;m;3ePYp(0JO}qec_Choe>Fqyy%UjL{`uGp?3qxooxD3Up$N$4;4M_ z)$>smxKsjh)g^D5IXUoo{#62S0VL{4-!`q5BoIwelFMBVnq2(B3IZZ0H%sT5+66za zE_v0YDike9Tr7{HUao2K_2YdikAVQ-;YrsfU2aZoyWlRiqkz(ffj_HL2fP+i0O2Sy zVr-NJch^^&OLqgu*yBd&WLE-#a1SPgkAoo>u@F+zE?%c^GmuhEYr0JfN*Q+1C_|b7 z4L+RJ{55PZL>kh)Y9K(yu``+vhPgsv|Z!hUOX1^NzwM*A{^KR`9UaP=@aVT0xyqPNEbR&D0?elsQ#ReVZP|2-be%nf-Z6w z;cyZ5&w-LPa-u;g>)GIY!L?;V`=J+wFu>nDYn5nlra3Eeoyw_EClZ8)n2b2HuJX-D zw4?LUQ(|Q$Nf?QIU_*b{&{lcnuO&CICr9JKqCDHoI84%(9;N+sv?t*#!{{~93nHzU zuz3gARoWz(;TmMm-1K{^(IZ9_ZdDNWZG?;fB=)@`EI^@IU*bt-NIVCIS+RVd7}PzM81l}3wG2g z;#k22w9FKu0GObI1qG~dJCt|4qqHBml3$yMsFCa|Zc1IO6|ySsZo>||O-S?+g8Q_p z_db^?(TPKl*_kXE3_`NPyVMqZe*lWEOesbXFpQ@Itw)Xoub4Dn;^uV2{rlgvL7Ru( z4d3p#M4gL$`F)6nwn)8?h{l`}F&ah!v1C9cH0&xOQ zB>=Mui3y9|A5#$j0YaZC{l}wX%XG>tAcWDo`f?fm5ZKk>P8P zA$vuarO>HkZ?!|jRSH>E-m1%2-=5l9KX?FFZ$fj;lT3?R=@Fklu*CZ=reg?wN zI$`zUAZmOS%%vYZ4N%i-SAXVd%`%WsP7p5zRDMqnyjlbESFBmK2@^sT+F^lpBD2+2SJrU&EYVrFkO2r)jXgqw9hJ zK)>;2^AMHTzJt$qxnRWjhAF=x$SVVg?i$k}ro>jlcHq`KgNydsp}`(4eZ>a65?}dy z9k8N3#Ay=N*l+@%DwNmlQU{Qz#i$$RpoQH}Tt4A?NaJ9b(KWqiDD;e+?8-APjLgyL zOswoo(^JHKiZLW)v?QL`Kr^JGgGdy-%*B`0RXuGSmU!R>5*COn4tRs-D!yJtnU}CW zZ}iZTgVBPnDWAC+^j8?USl?4FObm{bnAw@8n^FFXF)AYPGa${`+dFYJ2;NMFk4-*t 
z;F%a8hXZJN7_Ms`Bl6Fr+{Bb;jx#Sn=c%KL7KK_&hhLbB3oF>z30?^ZDbI432 zol+W-oTmzZ)aI3hd{Wfl2xPPu0qQ$pi( zD$hF=H5muqw2Qf5uqk^unLuIVPSjW0`=++1C7_pMNxc%RQ9yBL3UQadU8%%t39-ka zsQ=9JPCuLiSvZCezjUNioZw26F(Q|}4_QFps7L+yr8WQ5gh>DrDDZ09L%DQW9A8pO zv~J5b6bym6ROB=9JXB&6j1q`=){bXVp;ugR=+u`WotDUznnSgHlhj8=I>|+m;#zy( z^rp?WoJjK3}^p`++<5lA;#^`ky>Ms(haxZU?XSAY!{YZ7e9> z4Toz`>mre{mq>|A5VEay(KZT_t1}n>$M2bzfBC-CBYz$!I3mBdJ-yF3Ixf(icVQ5qDdW$F|@a_h^i=4nH_C7!5(ST(56l+LJ-r8-9FseHnS;%wc{XLNyv{Q<{pDSyg%6N=J7^j z)=>}JK$8}akE6A}}eIAEBDb%MW35F z0&TcFMe0D>;qWqt$`7Y5CRNN80ykn)Jk4$7VDX^jNHQ_p9DI{j1gZ#g=-4qs2IeH4Z+H78 zseyYY>FKDIPWuN{GX^V#%noCe;pkOkY_j}j`nq$Dlw8oryj-J~Fnk5CuKNaeeC47a|Bd;9C|*fdMc>X z0ycR}!xApA$LwXD;b4%xUgm3*_re8mBM3NB4{n?RM|#fyh)t5NN<$m$Td(&NJnz3Qvv>$pgUzS9Bk)~iZYT*BZ*9gH+V@I)|RYZzskjax; zx=@2kZ{K8?P*WR-**s{;s1S#6xEBxe95*ZvkT1)*tmC(-1$NW{!(oISm%wp+3qIR2 zB*Zi#$g!BLT96|yq(R2I&{a2X;6u9zCxQyOGEWL&ye!Pwy!Xif3>gK(aWG^F7c0?BRuUB1JSdj6r!%Z(uK<>FAJq?iwMVE8`w9ZOr7cadVq)j1xS8mx zLO}{Ns=4mFRH$w$Uu_5aT`pp`TI-o^73+syf>$}woZWki%Im+Cm&yL~oN|RsMmPCM zd{vVW8EE(v$e9pf;`f3TqPr2@vMSbL!Sn=;fNBc&h+U@vO`72N4c(FVwzI-v5w&Qp z;!WmN8AN12j!{Rd$!i?oZ z$<{bajcI_8_rwf@&_#W4z6H{e3&D(h-6Xkgkh%l`O@kq!e_V9O6YYq<{=tNE8>p%b zm5>fmqyQ~=cA|GG`7t=o(V0mGLXt&&a=!)A5rZnmb;?T;kC7Vqkjr5QFp{M{x!(eG z#6%JM)8`|Nj{|!rg7TXQ7x@-QkCLJAycVbxMJ~Q(jKzWPi!buN(ouR zR1N?wfS@F~gtpk^Ymg9o1Ep)^I{ctk(BSf0h_imE^vUBeRa6w~6RB5N{qqRWAqI6A z_qB&H!5Y*@=T5?U4$A&pn@c`YCK|nG$1!E6Q`wJNkC8oT&@>3`S z-C9X0o6J_*k*}hpZ7M;xSWO}hP}SpVc8im@sf29N67&k!^IXpiKcseb#y(M`+~_E>`i!43zQos9?r% z?|XAhv&+`b7F;NTAAw?S8Jx?QoZ9(sBeg0L6IT@fiq%n00m+qg1*%r#;_3hAAy8vUlvwr&z`BR ztC*?~(NEK-i1=#Lfe#Ekcj-g|)`6gvI=%be_6#!iIU7N%9{nN}Q=U;G5aojCJ=>Ku ziXyC%r8|Z6qhx>Y#rvvQq}$4l{U=wfx!arBi6~ybbPZ1x-U`U|Rqv)LSVkv!zWCPW zK>G8HKB1a9%PbiX<(f?P)>mrDbh_>x>DujV4rS1ja%s3|BK~@I9HVxmXx}*=FK!=< zVvnL|vxZGQwMAW$;@6<}GgXri8DQ8dwKFS%zEXtp%*Cdhip}EwO}AR#bsOXK!S^!E zRW`#@1sN`3ii{dq3E=EaOgMEs2FAo$e}zn&BNeZzt5+P4FzO1N9Q^Uu15H%S@zNUc zZ1ghx(%PIqyF`XOOkK4>Li zQ~vnOO03pW(WmUI3(&YloMrnO?WZ3O`Qiri>wkbYSQ3Hgd6{_R 
zm)A72gfcYoEzf?_=r8B2SW_`?39f5$^fsrg-`^yv*iV^Ua>y;V*{yhOvAdz@N`kiuI~%IYDRpp4I{Rdc zlQfdeQxgYjrspOO5UCbE6SlVbyH9*}4~_N#ICy2~hO` zfnJVNE}e4xGRXyJmjXEJY1o|zQ zHNIVx$e?-avRnms7)F=)0v87a00M;roD?Svc&atGC;yEsq8NP^!%oxr(-Kb#ItSqyRr=A)abME+VMy!OlXmSa5`RiA^|FRr z{hk!8ULXLS<~Rpwt%0Cy8!v1%vd)NsoOHleYy2)X+AKuOWvj@eT5;h+h+KodGzWAQ*3oaymHP=gR3Axt~x6Lev|;-9u+2hV^~G3OgT0bglSFnPaWW&euGI(fY@ z6xtzHa6z+Mi?n}DZLJ$ffS$x*9zNK~2U9-`%NF^#cxHq}{35ne449L%dejsEdGv>6 z5)qwtSVldT3q1_63sJa@7}z8DI3entW2r|0VdH>&MOH8vgpgB@_+w03fdu$dfn2_Y6Nq!N^-tqH}QqM@w2UxJ&@rz$L_>hAo-|_T^AKexY7m!eR0Dalz z8Toj)#6M0owhn*^;Tc!EksjGPoSTECor30JCl3iB%V3lkPttGf<7J?3C9UtiYmcB3BN76?^y*SJ~HI(W1SyH)T+}=kr!cZ%cf-9mHXflPV+4$lF_~L|@ zTyo63*`#@KWJi0^F@*09el`nCz9?k!k;)P@{ElfnR_XR&)s0x#OkU1-;SN&P_l#^w zi?V}opHk@|E9WX3PQQN?k5`NE#w2(gSb212JtPqwal<~ieokCCH|~?8@gQog z(=~J0sdd!m3$5D&5^EjEDZjs>1GT(#(*C7jMO|_dxJHP8{#_da-FLErYbCLViHaLopohsWOUB}ueA(95{?$c)xv{eJD2O=DZJ+nyDCN=|%;@v- zaXdE`myhy91E?R9k9(t6x#p2b@J>86fAkfc&AyYW}yUCX_H2`KnnZGN=0S54NPvgb}cv6&N1;soa zn1kx*CA?kx;kGj4Zp!Q4yurbjVn!Zv@Ofizr!#kGVa4t15R9{M@-{Ut_vNS9bs#0Q z{5mK+)J4xq%9d^3K1=Sv@$EF&j}R7$-_DI(A;asjJzj))iE8lb?|#OPtK6-Q)6wkV zEyWs&`8zNl&FWfCeNMa^RJjQe+)thz&GSm?;|Y>4xOggmKSjj+L5y(3=MgZDEWnwB zc^#K;3J9FT*w3rvrDGk(jjmwx4r;s&e{LD6J&6}A{HJ6gW1#VUiof?_4zYG+%y2{Lv(7Y^W%{`fZ`@FiJ?##+G3CSC8ufz`vSYuiJMlWz#@!32--=7(Ug(4<)a$qZqS+f=}hhPU=Rish*68}doZXWVJ560 zy^z!gYx5GynOfueAwc$#S`KWDC}{8nI$J4Eb+<6c$nP6K5VP4 zE3;vQuwiW7Kw;on^Y&#S#5!@_mOiZV%jAl--r`^6e@kugUaD8?mynb@CsFvGNoKY4Q6Lk%Y@6%Vu_sEyZ z7xLR#A87DxEu$4Gb0hT$z_LZk+5MUK(~Qu>4`Ss=!Jo$Ckr;rm6eZ}-VC!to_9n;( zuw0Q=udvR_Z4qQ3(L`be2^qD`5UY{erpe5wnR|}FSlbwxt&D1$Cv$`{wGEjwU&efm zvjipe4O5iYEm2W@6E>IK5?Rd>#?&`~b7aV6t>iMWEs?lJuruc+msQR}Otu(!Y6Mbq zR>)&K$YV6fV@%{RCGuE>8Uf>$$P8Ibg)7byR~*gm64!ZKYrD1?7F}l(wN`JNVNB2W zh;dug(27oF1T(7aNQcYZk6i!tL;NlUpaEkVIunwl6MO4 zinM+WwnsEu4Yz9!4%eI>t~o@=3|@OmboH3H^r4!4Xsr1}t@%vNTrdW1-^_K=f(!RO zCIou|hCr;Np>p#dll=k_gEUFfW(J_uaMvR_LT$&rVF5qY#G->D6mA&jT_7|r{I;=P 
z(mzI(n0a9f*|{}is#EfR;A)kC30s>J+-Hva{?XbM}~GUp2XG;7~LeTB2Sneyq8y?MXB_FB*rg z7;xP)QcMrqLwcpV7R$pLWx;qxV$5e|1o9&n)p$=J<@Zrhl zxHm!RAlFwY*rzvBgO3H1f- zGHB|?ij-M0YT3&?B@<7zicrnbZ~H~Gmi^W&85irtqI2DxFi<)30U5gx-;-BZ!048j z&9f}NAK&l$_4#}P`+UD&-_Q5sD`@|j<^riusc42umpzAliS-*jqf{;7!DxyYg#ddV zY&0UuOf;6E;kC2>^Y^6?L>UAtnidh*r`06?HZ1o&{?DkT3=Eb{6=!(^uh>eY0L49%-T zEkE?D*P<;ViGc}Xeb9m!Akg$+`Qwv_7Onq%RV42t>|mr4r3A+F7~#%+A_FP%!DT^z zxvyatQNdJYRC*x3ZD+~-4KVRX6AJX@zk*4QQL<*&c0sZixYm6@pn?15|Kg%WtG8Vj z$^QlGFrf`nL-huX3bLb~|0buFANtj6(H4{lVbqjVr6;ofq8ad6S~ zUzbJY|He{YB5}-E_6#dQ?4phHZ;TlztpYUV-z#s?`rlVY^8d!t-!&mj<~eH#qx}g& ziH+Y5_R_KmUsIq%vta0qHUKKVs6YM}Fvr{)J3sH;ie?=9(*OC+-ysxXx|75{^29N< z_`x+qg0U>?8Z%AgKBOJ+rI1b`ye}||y*1!;x6e!d9wxC3|9h`oD@b)09L065B11OW zsEvX08UTHvx38e4*0wlfFEpNr3Uf$dm?|FW)N<)CU@FTT(*%7sQ74fi|M8H{oL)N6 z91_DP!|e;&Nh%dLR(JmLpTaWl0tnr@_7$HKAm4jW^SYRS?C7Jm0|e*G{$yQl=BT;? zHr!7{Bmw5$kg|hO6au=i0fG4r1y0&97XR}of771oxftiP(W7pGB)5Gi`Ujq8Vq=$nh z^RNMc1h0(y3#67a=dyG>pzSJB6ck9M1DH(@{>%fAaBl0PF*P_#)S}WB7)q}s8j;i} zGc|mR3zq6RT4=>MFmf8;VqNADu@so!qfGleOf;#l`*|h-teI8|(LAKW^5>rZ&HxL=}t(h?xx3V!{;=AS1FbkfGO>1O<^t z^}6zOhSls9VDmk=<*eyZuW3stP5e4Y-A}0oyiazpYJd^RnQB?v6oY!!RUkA-0*is# zzgcCgWQmNC)R+ch7A5V7Q28jJo?>*b2n1;fNmZm^<_fY5=**E( zN^OtBz_)*ZoenGZS&Z~1*8<7Tr4d}h&P`&oO`?XieJ(q4|H5*DsMnqcsm^Q>!_SHX zM{Aq5J5dPhRrbU0>TCMYmoD{qHe0F*8DSQ?lwt8m`I^$SNBzSOu_xY(U+LJ?pgfaT z5Th$?Q{u2*K~WzP+e)nWf@$om0J`nmH$V^=%}ocbqt!@SEnjc+YlJY&ky!}LqkRHJ zHAempa+wh;!>}cM-da9B^$E42J`K9GziTPv!gHaU$mQ8UA_IQ|Yy(^aRNf0yX$MS4 zPfKD&p`p*&=u|GJ>1n^$I(r*hSA(j)#WtSIluzc!3iBnBxe~~HNn*ZyF`MZ!tBIT` z$>uUtzJRq?@!fDi9_+LC=y6cBuLd&RXG8ZX(S6D~%%;QN;W=8{sPfPdF^(Z{8{B)! 
zV74k4ElL~*vsuDy5WsAmaGDP|+xTOyV!0r*C5w4d&1?o~ZeujFq4uo24|tlbQZiQMqkNaH(P^vst- z)t7?_Z<96NCfs)c_+=P6*>(-3UlHLSL%$t_c4MqLxAV~3N62@y#sTW>i@i6h*Cu>4 z$G1bKchH6xFS5hnM1tcTgusmj>4t4%{xUfqCIQl$QMOp?2JRbR&tk=YsnBDv*)uM^ zPPll{dM;CI?OvB*qUyGtRszNcc(r?8ZDd^M-K*?B(5xNIt0RH00Bjur3Z2H14Xhj{ z+dX)JxCd8z+Bgu+#%vs;FBp4*ZjX`LkTVK%TP1bQ4k=rYEe9u!G;C{Epb-iFbr?Ff z7E18j7Hn-^yu&C>3tC}ctLsKXc%3y-FVIVMRi|xL&=?W5K1@hv% zEjK*|ksgCdkAc{iqQrO!uCS08??b#mC5{F$-t#&&_TF}C);L8~Izrnjzg6ss8{nY< z1q0Hjbl*k6Et2+-*@8-KJ4rfL&?#pS(w@Bz_}1$n_X=vav(W2$=ZsE-%V17~&O>V7 zb?JRoy}`Ab?L6kJ){ZUp5)0|j8)ROsN83R?J?%On{aUdlR1sH$AHkdOG|D`UJgGb> zKlSHQk8oA%^3d|s>}KfdJ{5jmesX?#Zbd&wdjTW5UMXU}LQy9lZ{3|JrJ`Q)lCB1{ zE>vhlY#708hI%%BrjwH`~n4iW*1n$w z$%*HnCpCdgi+zIdqm*C^l*}3AR=HSFc2@liH1iy`4S095sNK=i{w4kh@ZmTT~b_<={I1; zDr`LGZw|mE_nvBd*SNdh{FL^qEO6K&Id2pUek$>+Xmsc)W3^G3{nQ-zuMX@$8w~gZ z1}uxkU^q|*?7%1-hy({}fCInaK)CnhlOA9PSbUF~U?gqc3P;t>+Fx-`rD4I)Y6t`1 zK(3B9;$==**wGYtnNxoLhip}ysSWn_R9nadv>kuEgx`58E!>&NP$fu6?Z zpQ8cMxzhF-U*`g1rDD*z6gP?~UQ|@}5pJZu^sb<)3L==WN_BurSc#F=FSJ#P{9B{$ z9`r#U^g-byS9qEWk45A^G>O4@D7v#xz6`;XUd|lH z%{D9>E>=@Q+*bJ}ws(zLS|=@<-TlH1@r-~`3{-x^=b!j{5*OC?3;79v09Rq4O5*Al zTJz^BG59%Y)Z4K;M_CL6>f9z=xj`_H@v2I5Ya5(W!Oz(hC7G zTmvu`xayXMZyfVmD)-ir&B~od=TGQ;hR~fB@3ihaiank0dntJ?&Ix0yz4jRavUb`RMwQd&=o(u$5{`YZ*&ne#A7sboH_rTX(&zZ)@?xQhbWd20I%MevFn2 zR)6U2fl50$Y$hXr73~0oRRO>JPy`|zKl*v7J$!}pi4kK|-Of&S4EE)XUc2(d9J{bc(GQ&rL(AvWiZbf&k{*hb8`V(A-vOePKxs@mV$#Fwv0nyj=5!N1n zFNJUL`I374irP$v%$JeyWu~;Q^5a*y9ZQXdM-K}gkElx`7dY?&l6{hPl0>W^pZa?t z1emc~zNSU8vixQW`J#@wPW)vCzs%m35k&Lw^MReHVjZc|Kdt;fxyZ8snM>z4gXPT# zz8OTVuh_g#jFlqBO4AyI*#pV_Dcx|!D&MJt?{vdYwu$#oQvT!{t+9muCl=xN0Zh=c zV_WUK1gZ~!^C!q{tEiWd-Bw}NM%JZ3cz5=3%9beBx^%fumP{k2+gLr(V!gvH%ubOVG6}`&B z9)PKz_~}&}Yph#U_Nu-gOfZiD3bIRSmTy{o3|Xf-Q#(uao3?-Ch1MmU#3tm=pj08s zBj*m0_fAUU5?SIc7V`I>EiQC^NdBcAw&XEruiRLRY@<|$KEo6b` znZ-qla(8>zxPgRdDPYOl0zDvwOte$r^45*sgceasvNsI3YyrLXAS(b2~*u*>)&Uuv_>+U&-la&ENIP_ zM7wB%?2VL3<*yK}UGyf;JRQlb?S3HP6H;Ct3N4UI1p!S}M}G>HGilJCV$X*|uA 
zM6)H-oHVBgVJPuX205SHZ0TlJkTzdFJ(MJzNZ^b~G%HnhA)X(@2eVR)8MDYs0mJ*& zrZ=1j!Cs1&_l21wfSMJ+nIousDSX^-$gGBE9{Mn=f%?NS?$@2hE#9bl!w7Hq1S{^4 z*h@uIsvAzwvN!fp7nN!%7xh!b_@C3fChqMIzy9z=4=0b@UXZnujk8Sqi?jaN!P%)6 z?GY8=fMhcp9Dq|0m=fgYh)T$y2G3uPs+t%am{iN2zvC*0@yYwdDg21ttSRTH9h0{KKwIFTf}CvKVCb}Ub9q`5Ri6`69cr|ibF%hHRj4}M zA;A6#)Y=X_eR$wL%;_N|(wd1!{zCnX#rX~0idW2fMHIZU>b4<7{gBat$^NJgaW~nt z?(47M;7Ll%aAM?;p*3&56;9G020Z?iD_5c=199GT^Fcg(N+P!e5^w$SL0B72P~Ka` zd=OufwIw+I)@XrqXV+s1_0rXvLg+7kBqwK5hQK5O+g}WYe0oOS`{*_GYCa2g!hCr-Sp>cEXH8cGJLX=W8B9bJj4iG1IO7l001=)BZ`V4V_QT{A8 zyA7R)Ix@=`2%$MR2o|jEQWx*Suo*FAPzG@iY6^;dYS3X0=X&?xZ!1&?@$uDW8+0_p z0MR&#p)o?Q=~7w+IG5Af#mfIm#J@xm&TIeNgjj=o>ptC%$QQ=`kgiq1Gp{D#-mgKf z5P+WZT)VJ1Fs2+Oe^b`vrtpHs{%s~VR|!f3LhZ>yufj|B3~QTbt^p9XBZ{e*wK&! zh?_VsRutF!aUP5lMfSYxXr6ryI|1>5oXZ%iR>|>Qj;TPvbds|}pQY?8Wv*cJEeY>a z0*vA+{Mu_9tO7Xc^?|_ZQvOn<^4{!OX3>gc{iRRt74wk0NNf?qv+3MaRaC?ck6o;HLYjBZmsSN zA>PWWO#EpeEaHhA4SQ<_ft19B{-q`P-mDoG^ctVt@uY?-!2Cp^d;XAKwBym6x75`- z8bZIx5Pj|gE%*0{yfpClwhQ*tP6lA4Y1`gzIW zW6r0{qdE!Y(jrgoaY4alb>^{*e>foKQOf89WrBbp2G$)bOQo`|IJBZzlah;KQjVw# z8x+GS7FOOoH=ZK_7pqlD@K`wMaM&;0L0u?KD6DE8_sr+5a2^P0WnS*JHSbH762o<+ zTksI-Qfr%IfZjQ{9vfs~+pr_k-)Cntu#9o1U_FA5I;n8#7?m0Ir4T#PO1nQpd3 zo4fvi?ZGI&%CWpxP(Tbrt6cz5&V4DE=yQT$?POp1%~n7(`+NP9)sW+hKK)udpsWo9 zK%PQGsLJ83wq}N(n0yFH-dS^5$eqRIdp`3Oe1nKFKc>WtbMivi=lc)C5VW=iw8XAmp1s z+~?$cN|1<)6$i^8+Ab|@Dd@w+@u`MmpHonKd|L^=I;i^@vm28?p(6kgN54MXYyq-? 
z??bqu_-+us_*^;Y8HaZoRn#&i930rafEc!uPjz*r8iWBsWb})`=Q8II8QClrdvqRQ zD5TDCl5#fkoIMjT>>;7weONj+x6wTX7u@f5Nzf{P@sJaMbnJiUKcu zFl#+hc+XKGUNnbydAf%XSLbhJVt3XOaMRY@?ig~LM?(2>uH8S95~AseXRlX=xxsw$ zH3Br{Ai%M&0t*%(Y=GfNc>@k!EBaD;qiq4nHv=If2Enk)5%-+1`^9qZZz~v|zUl~D zS*)yUhIbZ?jIaANwLOZ-$J|8BB1l=U#9~O$wMuStLk~rOB^QWus_-+z`$`JX;`ak#jGgH|qcs9bL~c3V!fKayxpFR| zz@&=y!ZB&l-dmbOE{iYQdPYuo@ z={cRIZG+tL>%eNUpW_}`il7g~NU){n1O#{tScfk%35-~3iT;;~Z%I5U&>-B5hFXl- z5)(mA)-XcVp?M%S(v~pkj5_QvuNEDn;@6#|*BhblAG;zll|!R(JgqHb85~P1gyZK^cAF$|6nPM#CgvEZcO$yy z(EpV_Lm7AcQ6~IYaRx%Zp31E@-!n{3$}cJphPau$v>PDoUyxkF0gC^TASUe&+rIS7 zOKhM};XeBU1A?|eAcoQN-udb`(8aa)=?fV}UVqIul@tFppC}9}#t0my02<^_H9-&{ ztxX3&t%UjoNshYv`DARvXsVjCxT4O&6s7mewjXz|t?gyyB>aU_YaV$rI+?l-5SR0)ZB>LCF?1408x1MX#adWFG!4rsw`dPZXuhDVVgo%~Xa#%KbYTD1adio)PO z5n(VDtT4EbiEhf=XcAr0!C-S>rEy4?bTHT)erX(XdxEzoxtQ1`%XlQ_*v`Xz?N2FR=4F5G@IKvoBWOF0p@n3}+#QJIm1OR9&|^hjL&7H; zXem7HbV0lLqJEw3t%NuA(r#s64fR2%t|K1Q>^Tnzb^10!rs5P=+2@S2{^0p-_bQ}( zAn=@&SUn!U1awLhKEkpiaWNmhv&uRN;^yh-wNXEW_8<};b63gXht>n3w17tS1I_zd z#9fYg^~$^-nfc2&rCj(lCrT0^DjN}A8wJFOV`BQ4;&-FSatjbP-!|Mh{MyeT5Ihsi zFLi<>WzFQ3Z9XkVkR#fz#Qw5*wI41B`;f%ehp(2wuk|?KmjjOJ7Y(|4I3S;Xalo&Q z=@(NDXy|~AS_bB~-Jy4GjIz9V=#+3wnL<>U&f4 zp;FmP=6mDzp^Vr+I3!B`Ygoe~|BqP1z&S}Va$tbwpy&@-_}{1Mr{90+tYX(V zgPzv_WUc(#L^V$HdI(nVDW~bfH@Em!IkRZcx0;!IY<;Z}tYZUwtum@>-oDm7EMfI8 z2=H1UaIe)1mA;VUi}pysy5?`cykjjh;)!8bd~?M{mxSSpU3}8Z zyGf5>$S-0!WtJbBDgf$-Hc;^Jqt$N_ugu_+ZN9nlq)j=<3ipP2QZefh2fE6vtyUpF*4b)GFdXCELn#v*-@5EM3#)3 zCF^F%6tiSlzE1P$tf&_HtJT?#TwllYPb9zY1(m9Eh1JG^ zR-gD=YNhF2b9x-q%D)x@rT&K`Lk_v$PZ?UDR@?+7eW2IV7{e+-?KMPaphgV&ahEMV zxI(ihbJ77%k8-4`|LJO&m;5Eo7tonRg`)##PvLEgRob{~}QA_KPH}E1aH7*9{{x7(N|MP_h?? 
z3)0Y16??I?LUF}j);t6sViJA`>4YojvKT8Ll%bC@7|`tH;jA{{`(k<|ehk2>09*W+ zp^Ap}j9}Z$$0U19D$h8^`o!WH9eYHKuYsM7>WV~pJL-qnr*O7J;)YpX5y;uRe9q|= zshmxUvkh@YC*s@&{BTGM$$Uw}yGL1Yb8;tN#`$5Rx4rN#TOO3)h(XSE;6f{3THtM7 z9z%uLTSuMYZJJ&s5=%=jV=_6S)wN0@6{yXOndXRi?zZGsfMh~a9R-pyrl%veaknXN zg^fDpZbqUM)l``C#0mUL9EKa2mIS&lmZ{q0`q*{pz-qh4eQCjH+_>2XubVMt;?I(2`lW1cGZA_6B~a zyyn@a!0s>G^5GBdw56Y-^wW~=aHbW}GzT^tD#`|eVc!tiP-R=nlx_i}L3p>6EIF>S zI@xNNPZ(Mg+n35vRf zV)KcFu~=h1EQ?3_7i?AsGy#dPxkg;nNGOcXi$F_}a?wjD#CVE~7*HGgrJ3rP(s}7v z^=U@{my%#>Rf)HoB(n0>%Q3j1?}C}AJ7=;$-iAF1*eDA=;7DT6plvaRU>g?E*)Nq2apa6c7-UNuhWspHcCKPlf zVC`n&#b4Lo<6oX8%c~N?D;IY9k_{d=K_=t_(;z6c<#Ho(p^-De3}DTdM7mtr0~Xm( zi!;Fqbo03f4)*|&1o`lVGojOJU$t`DK^h+iZwnQ3shcawt-5TkyWK^N5phzCaw$4h zG7{Vf45m5V7niHbi9;UeLaA{OZUdy(dB}x=E;qT86P0*eqb@>t_Bvay%bfdRw3ii$ zTn9E$L}$=uEIx(<5T3X{`WX*uqT zxJ&k#PUF?!diM}2hXQAJ;e(BgMaiFJJx2*I%i>@W{N9uu7PrIjcGzJQM=Av1vVcJy zJxSet24yWcZdYa#Y1~9KJMx4 z81v#Lj=Rid(DkOiyXAZpTncwYXzmi^dVV@i$AN=*C{;c;%9?`m!DMl@NEkdAx90+S zsqwxupMvBfH%jpbb{^4#9snO%Wfvi^3n<(LP;DX8ouOSs=v1g=E~UO#f-E~0`jilx zfVoes%1xi{_r-@}!bFZh$fuY(*933FbF;oDOxtJ-Y_zhC*2Mn^mB>zn_&cL5ayZBJ z(-;??h`mJeEx?7_r=~&!=X1cf?5N{ZP~6C0l)R4sMy$_Hz}UbCVn0xWj-sPzJ8h@! 
z^b>95TfZbW`BBrUa5V?3QDJkt`PvuIcqu20J=Ex?ogOxZJvZ&-+ZiHcc9!}nnjb$!(_&{p^iwoqei|47&6=np zId9|nV{5P!gQKAsZlWWdhhY*-VsAjyT?1^R8xMn`Z6mOUK}R<4qZc!oKsE~hD$VVz<3^XI>&8ae7>POtcqpToE z?RlA8WQa%MJpe7PALKOZd`3|o``}U&oW=w*y52938F48cpZ)p>gx7CUJjC0T?3#Mj zbt>*0_vYtvL+~ zu~jw#6$PHd0mmvJo>9f)IV>GZOZ(_I-hq;9 z>6SyLBWZDtMZ$HUA!1sX*2S@a_zn}E<&CRq4jjwTkG=<`C!l=@WUf0bY?|0Mm}ElO zG|T@G#X@_9&Sx9n)ZWgXfU}oy<0!CRLKcf7!@H_DkQQ%V{-eZ_5lfJ$ouWUX2aA(t zvw(_~G`$4<1Z2fcdZ_up?f4Kw7qTSR=U)lLKAZ`x2$eTgA1uXJ2*qXzua0cOw#U`l} zQFru18{Wbo7W?^hT%HZEfe8>fZzW2|l`%50gH zf?%w-!)-MBQlKwsaV$A!T5_hWoae%)9PlP89fm-tgFzz8Zx{oE{URx-Mv^4E0h4l3 zNDv7HqL4@=5~U!Dq96!jAcn$-A%rMom_jzTO$Vw1H;ga`d|)629Q3fE3A#vxL$nP^ zhl89;$3vW>#lt(tLk)K$u(k&GX~G%*agLDI|1;O4ED=4-xy>| zbZclIP%_oT)Dz1lnWQ=~^|BDKt2ldb;c&!1oV#73Wu&rwTYG%x2~79^db|j^CUMhf z2yRzbddbItO5PuqM^@|ASdJNFTFEe(!l;~2o~juy%`e2gqd z5e@D3KQ~3lzBoB%AuS0a)JpXpmEHFZ4WYlkMB5jqcPp5$;Awa@o}wUF1|*bQ@Nq{r z^-ye5P?~w)1?~M>(6uqqOCxmtfFCT5Knv)ChL!BXik)=|kfr~Fx?{0`w;mU&4`FPXZljDvFf^KopUn#9JrC^lebEJ{cOp0f^uN%k( zL$qF}=5kAdExl_XcA&>OLK#tQpmL4W7CqepH=TJC+msTX#M}l1bPYnq(PbLlTkBIR zO%?!y*M*^``didW5uYo3qB?5;7r0rA1KF*=Ft;G|LE3s57}Q-jSgT&%OZ{K~#HzZSKf-_RN`r?Vdw>SW zWvm-scfGjl741j#uW>=FD~vzU^;5K+H@IXe)$|ex;I(T&@mN7v=ZXfA5C6_6`kJ-4 z&EYo4WI|rvBxct;2T*t*_G=A07vR(M6c9%k>A+E3CG&EV9Gd98Kn&MO>vY;nmrtTW zkic&^h}n6KiIHb`)6(D_$=v7zqIPO70R+!_*VgIrAj8b907T?O6C_{rGHaLF;eWOL zmoMA`T9_^&fLV#(h*k*o^08|2Oduq6J3RBuh7(vM*`571uC9DWO z^=XF0hkty6P|Suninhs@HMP?1up@jeh1bG`Z5PGtl#+h(oliao<%bjJ-9gH)s3G$l@{!28B3n*p1pRH4?`h zrq16a)l8Ji*T)VO!Cxm~pqK)3tIvSa_A(0sv}^5~xbKhxP!0t z#mv{2my>$Dj+cTl!FAV&mp?m8HKGV1*5Ur#}cimgm${*7S=9jmg8aYY7tnvPW3h8MTkjj7G*uLDObbyepdK@0$5 zFG(Y#IT%MhZf{GCjH|t~8Df1H4V1+O2tbrRtZzlBEvotoDAXV@L~B*W$@$sv@Lbdc z6e)NBYi89mF;we!p0ny!pq$~(CY+rdDUc5q755P1p-JiIeI(TX1gOk*Z zrh?-$H?SiM@yC4P7xKYsK}~KctZ3IPFUfa*UZ1JcaIOyRl>f+a6G$c`UYVT%nS`LUHoCqOf=YY-^ z2a8keq0KKFD)$@G32KqZ?V0%)3YeHE@_3Sg>SHTC3= zRowbOX0WlK$P4|2NWy5%o{nnQrQ#4NjxTT=N1{Q!yFM||uT7jNNGhfNA7Fm(Oezs{ 
zZ+R}nK@Nx>H{3~A;MbP5yfS^@GrYi{@%*TP0k%$;9qU$UvY0W!6eWgY2#XphVo+%q zSxPx!G-|DrZ{s(EdCfU%A~+Hwqa(i}$)Odk&;y>=3_dZ<2Al8By=Gc8<*GQ)>7|2+ z=CtsPx&j7Z7DX6h(~dli6B}t|SGYlF$x6H^p0KAbLdWT$<*T3^A4BKDUPi^*Y95h?lkKpy$W#OOEKWlsW= z3%MZ%R9OIuZ=@PFAYe;lFAP=)l&{MClJTctM5B*p!ah>Xep}uLjGi$Qs+Gv&m`>5! z@=O$Pri+oX*NuvL1Ot}=nE{mnLk^mE&=Uu}G1C!gBWmDF3eRpiSXv(UUl0!Z312>T znfBe{$J7os$BmL6maob?Jg+iht^={#1jWr6003%0!#HS>hvq%>#6xe)8i?RGWpQ1U z_|7q|Lvu3u2IO8H7gdjMxO`1l^u$E3_}m`$`7*>T156HlgBOE(fx*~r&tJkDMc!!h zMt|Zv!fUF(et&QLRs0)yvoSbV94D&}azw#Xjse}k2cm&M4<7d~PbX(u5*V~>0>vk8jVB*HVx&ZaYoq9b>U6tP9^wyr z@rM%ehc_SOd88)P#>!*9aqG+-v&1oHz+xD$s>E=s6}+743b)RK&GrQaw#VT1mst#A zkFnTaeN;y!kD~!5Qx&Vph}Fz+JxOpq!NhERyNxvL4)VpzvEk^#u=qVrnKGdpj&qAu zE!f#++bvc{{jy{wm18a4e$LW0?Oc=l&7zrtp!N|5M_Q^in4|P&<5!i}s*%+8=H(6E zxq{}mn6RQqdctYn07(}>?1m+-AgP65wP6_@M9k^9!IM(o+~=y?AP4m(MqaVE}eK{jw91WisxMHH0|1& zR#IvK)A}fS3on<`7l}%$jkD42>-hh;Bnk1WA{i#Vlos&%yWm7G(DdnG%$fkzm z)Av&Xd(1}Uqm?_m>QpRik72@bgl&aKRnnZjED-geyyTVbi=7ddUa$!-n1*+&kRjUZ zrQ`)8e7Q`#*fcLz&+A3t^=kVy^wvMJxHp;jwhGQds1y+2w{5*&rVy^zQZhPWFvb+NFDQn3E(TgGoMpTnWJ>QQgM;xS`_yDYfV=G8=b)FPM)v%y~-JgPHAmnmjpe*Hl9 zba`|Z_3PxNT>L-)#4MBR`rO z+h(_M*`e7(K@qds)6u7&DJ(my%+dMwgDcTOL`GU{ zHMFMv04tkg(3e#Zh&YYFRs#Zoaq=l`yA?QL^*3RrY`4T+Z8NgR0Cxle0ocYE+id2b zQdTP^cqR{(32JkXZBz)i+gXsooj zQ?Z}yrxSM1sc_)MuO}fg;NYe8DipjZ;kkU{*kH(DV=7JjE3GKcqjC*(eW-Vx+*{!hXEw0Jd@La()~6#Wwk01&eNdr>A^ zu#=~V99kTM=MywEBr8tj z@?zwtHCLBcz*v`8Z8lCiNY*GuEr0{H>rCD^yOFYR`8Gbtz2LJRu? 
z=l|V@lB7-LRA(&8br=&o%dR(G+~K-T-P+{NV+F03IQbwHQB+-o-neUP#8Oc1yBmNN zkJ?C|FX2!oAu2bK!Oqf1;<5W893S3H1~`V z6uVvXCtj`#=1$RdQJ`|T9ZUCYh2|nk3RlercA4OYthf#kW0Sdq|JXd;Cfg|mzlYp}deZ07YEyyb)IgOGDeFV0Z{(l#QWd?$3jk$Rv$ zvA6&nzdnxnpJGI(6;#}084@SF$#B;Ss{+tCcuRdrWmbXV)RXt>lj4CR>1zQ^7KDr_ zM$u(Q`MfFVgcjvMZSa(XRtVQwaAv0qPWdIIPJ0`%?E1KAS60sx9WgVa&u6s z0W!w3SKN8Bw-{s<3?sytjd0aiN7aieeFsBIt1n=B?v&unL1AfQM)bLB7+s3I8`y|T z7hut_K4PTyOg%JP00ccgE0RP2Nt09ZX^=28Ksf86kn5PuxL|+iN;3E8^uZkNy2ASZ z0q^L^?dVv_P5<%INR4F#y^9d*eC+|lFf=H_Y%@uG+URq*?ineUnuW=9yNO`1>@B#{ z=w%`=eduf?D3Y)2?Ekvxy$H8 z0bL6L00@W<0RTf|Y2*RK`tc;^=<_*y=pg8O)l=vyA4ywXKqiYHBY(l;1?cY@=>JRs z`^1R|IEdo?ASO&9;4t+l-~bT;@+cbUI3S6M?Lj$`0RBvg>Y^FwbX!Sg|91$$>#aRW z7X>ym>x$^KW`lY+c`1t;BXS7nu^972#qUU00(2xOi9942{uq$90onHY7epu!KpIB@ z(g9c(=$8SX0Z@%@5bp{}DeXA(0gXsW30EyS-*jkM>sVdQ0Yw45Nh59;J$rN)=moV! z#|5$i>1FNfHFIY;p&!RM#TV!}>4WHCA3#V@gX!@7ycBa5=>O88#)D`VdpU~mEx_voJ* z;!MI4WUNg44`b+@6b5k&aX{;Ezaonsgb(LpFl;0!^cd*g=>WJ6pQ2t>gwLLuo>!9c<660trNoIRfoq{slrS&0seFpQ3&XNMTa3DEp=$-?gfJk)KL^<$- z#vp4D4};D`Od9 zhymsOx%cQmNrEzwPXOtv1vN1;F&xK3cIcP|iDPqhBnJXMLjm~d01W2nTs-OjAhCr* zNQqN}AgF?ZS*;|k0dgt=1fnpA!%&VOVi0299x`#5XGsnsMHDh3A|fIpBBG!mNm3dP z+@@snnEN3Cn=pYHrCg;T1yr9R?uRxz+y{(gwmTcMwe1_jv>X}XO`*nYMqT%{pj#%0 zR7yLrju5?7McP(lbjD}ff8{S#&6m_8_ zR``bgYxF&i0gE-+EAtZ2TKt{LA^(1~V**kI(1IM=JIBq^iaf;Qgy?3u&Tvag@uL>+ z<9aoRopbV43o>AU;yunYw}BlC4IR8;&B_e&7isdsqJyu^giSca;G6r_Jn?fg3^u>2MzlQ^k&)ST^tTo#A%m z`jfdMHc`r=h$)~^XZMKg1L#-vZH9ArNRjWu!Ia)GoR-dH zdVm6g!!uD9u4<2N(~2XF307C5@hppUw2+XWeAY-|Atx-K)KHUQG1fM_9|+mOo}vyz zhEuA;l?pCNn0cxBwKEzqOb3bo4kLUF8+T8kf_#gdKHuP8omAu^Gi13IyE&04%;c zys|o_s!^agF%WDiYKqKuKur)YM(OwbcW`J&aG=)LTSCsqn8RiUxKAOr?iv8(miL`p z%9!QQ2qIjDu#5)b*hr}vPBLXIGi#3P0G6oJ17SXbMyiClrN91b?$O@r{z%B=-hg`f z&&RAj6u00wq}%4tsI+ecjx0tm5ehSh(Yz&WT+%f1n}oFv$sI*Wj9dk+4hfLM*LlNs z;G>L>da@-%1S0%Nde63#b3CyydR`4Cv1lPs7=Ef*s~`~Jl9NTwfLH|ecC@!)T!S)g z`TWxGfF)b63}p*SMeBtgmCqTt#-4d}8!x#~C`Zmi8qD@e?Ey8j>pa#}XYqeHW9K=) z5cRez>(J_W=@YAvgcQ1hY$HL!kQ|h8QFHP1U09GUwV<=?8g?2A_#i;)B_2nDN-Uwr 
z`FpRs%?EA3->70Bh&yoKEFPSc9`U13jAVloC~ORvJn!>no9(BHm7Y#=ddq;ZV%VCk z(vwV{=k+@fA=~xiQlI74nsUAqxE+$nNUrhWEFHtx zWV_L4Q*{{Gd%|%%5Aj~C#KxZ}$>by6mnn!eteam3c6E%@R z!;{4LeWE5rhDN3=B5X5AmTr3NbmmutmUsnfASh~Vw-joMqMlWD;E8$=MV&m*Fch3S zjAwGJ?h7^sAr&g>(Q_UfQ=gbX#;b1XG<-5?{zt1hfmpDT%(bKgO?+8~{~O)g$D>O?Y*~~T*ebBTUh4G~k#hN#E)6YC_K;3y(SPh31)By+5~ zjW1@Q4LrN5Vh7aI3xA%Qfn2L~Ns`>ivn*4p)4{!+d?<{0{s`1K8+_O(8roM0o{B=r zQ%?RYDb|=pQK$h*Z0ll_QdYYOIrl$s#gdfs5$C!{3yNVve zgM}JwyaE6h0=4oh2F)m0cMi=G#mxOz7H|TeWIiUZPmA210;2e1x%gd2;Tms+#HAgJ zf>*$2#$!xzjc-}V0L}cdIenTF&*`}zpM-s-4KaxvcbcuC^@jp`tcvwIeG8E!tC;U$UH9tnP7a7!S zzK$pN04xLW@$OBs989uDxv8bRW~qVv06|(>l4>YA;h-n?=x+|k+%sM?@%t2DRYx!ifIl)G@*KE>u+Ow)uc~`pZHo8U~n<>+m8#*Aakltfx!y2HDZS*hinx(Q8 zxGMe5(rV;s`JF}bKTLhh#}fnoQ38EVXQG=$MvQ%KXuw+@1Ng6fI zASCW{QbuIRhdwjtvs8B~8}Jl0eklLbGxY>yoA8Y zEPbGfgWw6BfY6d6MDtmKNgf=s)F;3qSt%L1;I0u7NV0XuxHT@ZF9gt+px_-C z3*_}!ST79O7kItY^UH5-Idf|eOo#zY1L`?K$1#1uRuMF~95S%ei`)``)#-Famc+NW zs6}w;41y(!;L16kBoT;{@<_k5L>}p%6s%t>4`Yma)p56~f_f-x`` z0b_-~8~%cLR;7O!=nH8ud->qX{Jxh!s5t!|$B(nbG=uULd1UptuNdXWIWyD3y)nuLT$wHF ztb*7x>4}?{KGE{V#U4SZz%5+ zT52qQRrFLE&&H$SQOA@5^S=7*?-36ehA-0jHiKT!3HG-8RDECx#FB-|JTp~fE7SRkGb&Wq8o=X9M`XFiP6cQN&KO#GbEHoW8Io=z!Roy6(w z=A?+5PMDW-YaEJlk`Rkg%95q4;x^o5~4~bE6BC6-k57 zOC&Q^B5vcUdOIASOK%Y}d>O~PAtv;89xqP@NX|l$Lc%PA@901qrgL*bbAq{BR zIJz;_X+t-#;xONTwb#IyZ-W?U*R)3tny`zavr>}IW$US5{sR8Oa(##uA1Elm-hQQyEA*SW+giH=`KB>0F)0J5;O{pZlCh=a&$)l44XQ!@Jhx=c1 z4xjz)luJn<@3 zY8hXyolVfu9u=lExjz)qH5Gg09O5`v3Qw!;7qy7os=`%B?6&}JKpD*`KW-xxBZ|VI zt#eBe*yC!Qdf{oRfref;>hp2;*yqW>6J=p{W)KR(kEEw-N7iYFf zfR6@4KvQ^pa?XZabij`=@VC#EwF(1)P|=NaCcC{rW52))&U9|4SUzo3k{V$R*I8Mz z%v#+(C>&Q?ZnYH8r+#j~_st>+kTrV$h0k8_F>8IX`Veqr_HcPSSkI%3IS|d5cO`|X zPKE#6NB{`nA*RW%EcVe39}%%&C3|Pzc}n(#57?6At}IQnqF&%siveG5$=L_!I7GT3LK^|Hd2cRF6I3`1 zQIi_33x?BrTAdsx!sTI`jOHrZbtB!)bSyH<9st0)!>rJqm3@^|L?>kWBv#2=y=%ul zOUD}zlK%_(ubqECr{;mvm$;x`O2+I^A*l=TK;`DF4~ZH>%2UZlB;??28|TRzfsj|< zbz8>C;A^A+wP~{PXMNH~L8WL=h+5FthvjB3q$Kzc$r_gshP>xH$6<1d+xNTv_YGN3 
z(pDrHK(25`^1}+xAQy)n$4EiINfX2~Ys$iujRrba7}FEG7KF~lk9^GVCUU{)!NPce zBZf-K-_ZdFP?r=A6uB-*(PVi*MB`PMynzl{TiBV-EV7SW$v#9s(~n%q+4}X+bk4Z*LPp$3 zq^~AirAt>c;~EvdZe?&5(HIX1;767$N+eI8N#-Ic{!fkFG*T{PN2nN|j+rcutw}Dj zfUyRbhz^kHS5B zs;-I$(!J~*RhLSFqn#R1G*n&OV-5sai2iD`?B1j~)Ybnajv1;h=t1&S#wAa(JrZ}Y z$U=!fWh?*@Rjs3Vtg}!<4vT5*#kM(&k{Ix^S?#92XVJtx%Ele+hwKdLSpwt;L@)M> z7`a%53^&M5#FKI7xN?>Q8*P){)b0)4H~i>Peo}wM3+Kw$sRpy`pj|JtLZ@cW|2Scn zwC0#bIt)U9#8ZMETgi19KMy{!>We<5d%9RZd;blWjpq}64LHo{AIZdEFnTcqQ0ccf zLWM7VuK~;UTp8Plxf1+0v&O_1x5Hrt?!%vnjwX6L^bazWohyrTi@}1~%6$Qb4bEj% za{Gq$gOnFgAi}U^GHw5?Yy-=*h+1!|cf{gg^!hRXGYM_JFTr5qF*i2ucqfwOhkU1% zC$s;0>QOlUc*pNe-*KH`NuLfF~$!MfUS{ z2n}-D*DCvfO?FHZX*U%;u$&r4!}QFXZ=JV26r%FqHl@gHVz+vU0UTohdVP2uHXxpp z4o?XPZX#svQh0^G*!8KfP=_JlcDLDxUfuK=b)Fthuba(r`Q40y9-k5bx8i=ti6H^l z0mlKq0eDVaJPTK?-PMwTQ<3B5X>s!?aPiD=^V+z1Ex37BE}jAvlBi3-E-l5(P%pDb zla*xe71QmSHGK_RUrE z2|mMe)og>$a*XLnCmrKN$6fZk}*Mq-P29gKOE+2Y{_E zxyl!)KF^j}vMaPyy5^1eC#j8KyDvE{$I(ItPd7 zQY!R{hf;M8ir@{i{LG1HI~-Kypn=}7>t{~%7fs_TJruL;LFQBr-J^ZRG{i2|1@|KL zhwt&H<~N$gRessi=A^h;g(~%l+P%>rz9XLl7hnz#{NwwJh*oJl4AUz<@k3-OtLQQK zQJ5Mjv0@i<;u#$c?7aqlBjS4eMnI8|T6aF?^c}PIb~7Q~f+3SN+2XW2au+BeDGyCj zkviE(E*w4@BU`89nr>(XARv$xfDoYAiJtXue~iV!16KSZ3HBwHV(<6t1K8drS!AK3h$Ooni@zXgX30SOH6$#uPv78UuT)B_RKStZ(Y zO%{{rjR6OBmC*KTho6HZaOjMs9|VTpBG8{{dW$9CNi2Ayo4`seC@4X;fN7&0MH6wQ zNeUir^oP*N6)+;WuBpVyGL50WrCqn0w*sp_=KywtE_)tf_Fa|4~#feJv90fe_;+|MhDsvzKGkvW| z5<`}V9gFgm1Gs5H=~$-X;z?kYBMC>HXQBkcoohaQlB}#)mJ7qK@?=H3TYo*sUN_>qp@=hgggufM* zBUHhFiKdsGFz5^tM(y<3+&JsM_IJ6T*mLPUmpgRlA421Ws~H)vR-?=9^3EK zeGy^r1;_suzl+R%cxXR^5wGWOXGFl)bNRNx%o0%bhIn(icsTbLC5YFy&YRMCM`E?G zuA!m+5PJ>c=~BfL-*~VjN;okC#|J~dJeVx0g7fi2t~}; zi%ErfIkkG>)Pq^ET4}si>)O@_N_y=y_&_~gJB(JV4G3MxxGp4-A0whd>5iBu8hJ4| z=ArFMn&?VqUA3|4C7|y@4%u7YdL!A7wP`*JsXBt0TbWQEEyt%ZKzyBu0QlU*9^$y6 zKV$kb$~>_bTspGiIX*&VI;dd^m8lU6!D<#)FY)FMN*4h8p4uEn7#4;B#}JmNqwZRU??x zH=GPe%+m|j^bAwo*64G3I*wAOjct9#q;XVg9A^e7cF}A@@0Ko`8)gZ+xnN+ul%&^_GU$E%CZfufyVXSxd^M*cZ8-==#OvjyS 
zIRaWPgO(Ga<=(cgTyncVZimP3uCx=@@xGFfx?&a=VitN**Yw0>Yi0ws>L%1y#Z06O z;n#KMTGqG1`X19;W)0tKZN1g#ofcoUMX0aD zR{`?y`Hs%LRn%*h`q*1ddq+X9vQqz!?&uq z?TlpSU++bOWM>0ZdzEPCInp|_f685qcKW8d^0wvKN5uLcGB>x5=YvS{Tuk2g=C_Jo zH9Vec%$p>=Y663ys4|&Y_XjdIfe6)%NRpH!9pZQtNkJ5ZP!PpY3?T*)V+bLH5JCts zM1*FDW}E}VK-ilDUSTQUm#%2CB?Y>)E)3H;1d3|RreO3$VL~H_KLyJjG;6z;h96EA zp2GtM)D!L3yuLbcSzrCZL8JCE{hxX;7Ram)1|b%jV-WPoeK@1OP^jx6O%m~6sP7+f zWRg0)B4T18*8z3%uu6X{Rj5Lzoe7fVP;-gOs~QG#TYGurK7ZrvqTgdg;DByNaO%`8 zoI7^>;y4*%%l`*i>VcACRa7qY7qT0Rm`!*jLE^t&n_|4?onEWW%+Y+;{KoVmH_hb> zj8qtWDuqIE47@)h`vl+qR|;T7*~yG)engtSawdtHAc2Ns0Eb`P6e|;T3-~5~B z3oAYD;#-l+zi+zO9j>L^91+qZBFSWyjBXz&xq(S)lnG*S99q$gXc|G#s*xne=|-3^ z6w+mbhae!YVI}tTeV$QFpMG#A`#hlJ%eixPRNkNZFe<4Ax$4SEUCoQ zdYzb@TbO+D1ER=e@C+o};w?7*W=N2MZSZ9qkL)Mh)Tm^4?@*`uQraZNULLz0)EgH_ z5j7FI*K&sJ$!{&JvwNyh)C(*E!B|CImxd}eJYOqKovy7MD|$JeHa%JqmJ_)e!|0|I zi7}UY6bMR-DT01}Bf)MZi>#)%6ZFDBSuj((qd^4%L$ZWvK2_X@rp_8`D z;&bJb**Q3Xl8ZYQP40V12!M5c!9@cVysYqUWGid>&S5Qdh6uCkn59QhQeZ^2+Evb$ z9-_1m;7skCp(7@_K#eaH+6VC~yX4576rOk1005veIshXLzK}f; zFNg>Tq~*(oEWlHeYaPwiWI8Q@kY4rlrDC9@#DB)+Y;zbPCJ-+1F&@7om<&Mz^4WDo zALT=@M;~iuLMG4i@A;_^>G5imHlKTLH8W@qtBga7a6t9U9}Qg?W_t+3SR&i;h=mcg zwoIy7g}+#(0@siHG<*DN7tD(&F)w(;Q=s4KiU`7NQDU(|0|w1wq9Z35*TIpym$ty~ zrd?Twh<4y8=FfPt!&iJoX>H;>Jq40X?dP43kZf1Px%`6W5GqLF(7jW?~>C$6hAr)?Tyup}}=G&W8MM{U9Na zWR`_x#G&&ITP#nklX8!BP^%L+O%mR+fE`tkp~Ru@(Y`(9&@_-Tl#;jN7QKhuPeowt z8mv!%><_dHIT<5T|A7bg8F9#_x3cIgW@x$AnwcZyrv-z81`X715U~MV(Eti2kwiZb z5W+d>V~7pyza(zC$&zs`oR4nVYz(SmLsy|Hf*?-q$58Agi+$v)>lwY*ylj}ZfLP+M z;$?)nZ{YTcaRNsKI0PC5A!H;{ubY}$=CWCA?erdl)3%DMUxwfg5yEFR$F{=Ouf}1AV6m-K-ydn< z1$8`VFaso*fgleIcmdqts=pcQG@aGiR|51Og%|XY0iV2gZSvokyX{OG1`c9k=(@Rg zOh)0Wir(KLAGQdyZo0~o#v@~oK%2FL^Sq$`95i+ogSk{}eiQJ}5L2yCo*A2j-X^hX zx^-o`WwuTHY!hGGgxcOB+gn>q5ny170EZdNkSeEYsOqIEqcyarX9ygDv#u8<>@7+d z$;{@G+FT-Dy$U`|7-1t)xy^`IPjMeW1Vf-Aw;@`pI@1R)8Nx>~_6wS=q>63iqpO+ZXNmPEi{Bo=7Pu+!^^5>Jd9uMyXFnwh z=gCw}>*c`~uC`a+_JRV(?*~r8Aj?1AzBWF8aBxziEH8bC!&i-!zZ!xm#E?rV|Elf< zrTZ()*N@6Zv0!_t!x#C} 
z7-ENsJrG$z0f8!9e)QaEr;Akh?g&P?qY_L?JK~ z8Vof$037wgOjzprlM9Z@+G82usLE{89yY$Wt3 zvh_FN+i9quBEzTHQNNR@Eu+Vi)~AT`VMAN3=fkqLn%1iz+A~0mZ8-i|oNc4%$&Q}PgRAERr}ku9e4-ToS=+v$z{&lxE!VWE{y%u% z*in~CV%7iE`DX9S$c0IZZQ_Y{F=6A#>ZnU8b>79^&Y@G6PI3bI6^^f?TGL*O6X;gI zAdf2w2czY!+TIH9LwxQ69DJF%58d)thPwdxuRz~`p1-R4t0G+U^h3{l==M3=vTC0V z9rB!DtV@>OGm(=q@*{vY2+L1n_G`9&l>QN+yJ`s^6NHmF@}mj<%#rNi%czroM%2nA z>_II*iP(e2Z7Ri2^5j1Y>(@%4H!%5560c@)gQ%pX7<}jC=eeKf^rD(CisnIsJpXw< z^hz$glBmZM<7k9lj*~%2j@Bb{NcjCSY6}{8>9L!@?e4r270Ny(RqYb1!+~(WRc)=vUMypGbIlf;` zJ4-`v%)ad9`vAZ1%J)5fpXNI`efY=2cpsl~xaMoJcvgum@_kIDbnRJoQ zyWf)#y)pR)vq@1IP$OB&B(b+`w1JPZaV~`bN7_cDb*Ji7J!YEfV)xRuo@<6dqQE)v?0UI@htW|BYQ0@eRBaA!80{GsZ7^& z(l`Bjn5Ru4Mh9bocPx3c?sbts-YoOFNPx>0c;`=IEM3$GdYCSK0k=LT!3zU+1rlA1 z0WR<0q&i$a*FmZaqpE$wkBY#4Yo4)c6%5J8_7Qm5{g2-~Dz0{#^ zddfVMWFA;D=V&*x?OIA2~z)w)gK&f{Y(x{m#M3h*~)VrO8d zhE*+h$#ste~a%dg$tg>hbEJ>Y%26PhE60^-(o6pi~#p zjt)8KP%Z3Ou`W9AC>?JbhaM_ZsPe+7V=q@kX$iynn!UY&!rKPgMUT{}**R-JGdOF~ z2S9!l*soh%)>*L33=8GgFYm87_$wPe(dYk?ypyb_qT-#j{d<1j+{4X1s_4Uw`8lQkhD2`@ zvWBDpY!8L?9M<1E@``#71?m-tUh(PYpm{|ZkHy2wNqy?yXEA!iF~2wUerJ9!?7OlL zh3*CSAm=^`gm=Q@t(gAT-GAx*7nJ|H@?VetrTJZ_56IQw4%@62!0n>Cu4C!}le{11 zH<|iD7tdGueyabsKXA%tqdwdAd?lWb#q-TQAK;_NJ_^-OA@nJhK5zgZNCvuOItNq* z-IL>^{S+YoiS`NB{Jh?beiq4chK2{F)(uucHVXpkz;)IjW;*J*Lu!*Yt;o@J3{IfToIQNP0S6T9f z1|E^}Ta z16@>NQ&@bY{aGYD7sp2uz)MJaH@E)P3tLIEg{TbN_okrH$&wy4LoF=$K?A-rf)>? 
zXQ;fRf~Va1JkzJ#@QGPkX{@FbtUa4&Lql--$I-7e^OI<_($s&E^P}$u_l~FU80Q~- z{!!>3i~cd`A1}~Kk)KKTZ%Y0x@ZS#qt?}P5|80SP6MZ-LFL$hU*9dfpbiBn>o7zY2 zWeu-#K(W@9vG(ZUk2U_X>ct4~o0u;(CabeCTz^9kkMI z=7&%6?_gvPVE7%}@38clHoi=hp90((Ao(OCubg}{3cMM_&(x6RAG&8H^7ENNtV5tY z85-OR0{`K3OPTl&D*gl92fu}mb$qa7ya)4Ix8Pc5z1DTbv*LEMinS-QKQXD*wXX77 zXBq#6eOW-PmF%(VCXtItwOo6M=x+A9n<;!F(W-5GpOJP3RG-DPGgkbR4B8n_u0GhV zK8o}{%WbE3^|3`eSmSD^bhQg{wfpLQ0l37lzME2jT?Dw;jl8K-LPs>G*2Ts;c0shbuDmAOfQSk*2@Epqj)#HT>o8I3(K z#@m7L5z>lLhq!wJ#HVsSHL3@a;XysFo+l4da`jGm5SF_a#2H|S8&Zo`E5xabZj%%7 z8!3DNQ{RT^gNXd<iWe<$|7>&~xa+vN zg4Vc3+j?NQg%{llW4Gd^TRHPvxO5OM6r-7k%SFRLn_E9j)5;NP=i1C2xU_MF{gChl zueuM2Zh+GrOzS(DS~shXyv#%A{IxgF=K(vQ&oPj$mi-t!Q4(dA4=vt=SJZ( zof~EDiE)E{OXx}DBXy-{=m!YpAjBR#HOtDKa^ada>K4Z6 z@8=A{Oco0Mo^(!;qoe~-_3ekiEd)UK!R%Sc^elY;U7yM(uTbKtRCWbbI?xVma}E3Y z8})`;_!8S!QDdMEstXnA36k7HDjh)sS!m2|LPi#vlZUplIz2+z^e%`0WQWg^5P88? zZ!{qf`3&JqX$;hf@e4Y8ut#Uy(HTScAhvfo)827u@5Z8Jdm|j}9bs?mT?;190N5RY zaHpg0h`0&0XpPYIMWxPI+8fonV`P6^Af-dsQUKQwXC1p=wl`{U73J`z9anL%Hv;L9 zg&lISLt1KoaArFfBHAH#{7FoAoO>jh9tmrU}?ZJTa>wuThs%@bT=}nEfD$C4?d;GrwIAfA}SbMcjM}rlccC%Pa7!cjQRjGNZi9!p@EgJ3Cal7nYZ$ zaTs3QMk&|fhSSA6sEp2%vId7ks6(-#sc&nOy#hiQn;DU$pde`jBO+lW5C}x#fIu7) zhoUeFq9}@C7zkn*hG8g(Q4Bc=ndx+4_~z~fIF|Ki+RAz!X%M}xUcgcPRx@Q}m%)M< z%OI%L2|ok z1Cw*JsNZ2FapHSm%IWHERQ6tVEQE>Bud83kbw2{dihwfs1EgcIe=mXdi+0>`IVw&(O{HR*UXb#RKIVwERliXkGmZ`bUU*<`t3x$_@cX|)ilHutN9V4YjBE+w4}e>hov3`4 zwLQNdRtYPCoIHd<*I$`UoUa6Ibe=-*MTw$Ss{m7nXNDNV!*nD`{oAZQQyV76Z|b*9 z8(Su9cm=eIhctUlKg*fZQfOwQ z@2i|()1Hl@V#i-TJ8Q6zjZ1UKP$cuU&36YoHRXRtMe+kq#pP9X0^F5e-l(w1C2*8z zcOx|Jw|MCy5#1_1*wLjnZKzF#J2w}91K+@=>nNx$^6QpN*M7R`h3^8cd`kB25e-ro z4}{>LlXj`CtM#Ov=I(*1_*bC1%t*WoEBO)Pruz}27l$WiySpEN#2X|pQjp?~4{hxZ zH{Spf**rjQ^$7weeMp|v#Zi^73qKs<0zh6%t3r6&X)&7}KB<0cKni#Gy6TLqnyr&$ zo_6|5flj?kByipL{Mp>Noz>dOsukwWS6S5E<)PX;W<&P=Gfirrnt;mCjN@YjY{t3zbgHz;p%>usuG-u!_MHMI(XB@+!+{9>m3GEK(^QmT8HWCvt0}qK-s|G)$1R0xd z{#SRR^z}Xxj3kaZxDfaUW1(dCy;s5Msj|_8AIvQBZEai=17fcjkRmcHGybt_OlvTh 
zGom$Da*K{Q5PVMB5j@PpzcmAC4&VnbLzWTB4Tn`A@9^v2a`}fw%S9?+c)jjX!7ps( z%-!Av_ojO?vqgpvnCFIKgMCE~M-O(Bm|E*rM4QMgMyOwCI@Amu?^i#IeE$AsQbLX= z2@WfOHp6p%|9Tp3vIAq~yh5wOL z@mEXh`^7~GDPSh9(0EJ4UiZ6*?`f|R0by!70KL1cjcN^+qzrUw4)28aM7Sj6570W* z)!edL6wi7d^-*~!CFeU%NsIYnWG+|TDo6t=v;h_;`2p9O|fBF@N0Ols^sFnZ*&73d`War zh`_1022~@fgb(*Apr@?LjRCeM|A_)y(P$H5Crg_ zF8m{b+Qw378Jt3tK`XjKh|JQ)E87XZ8zmBMRJae3V5NZo0uXC}5q9}N19-R@V7XpW z4LBQ|8gNlRV*ZEeg8u7F2J^d;5g9a`$6I8d6MhM?o$kG`1J=dXVXLCBqQ~$$6!nPX z(Yi9DFB*&yFp>RCliM;hqXSD8H!6JRH)RJ8yIH zpVJnMjdCQS*@VEzCc9=Toirr0=l;<%Z<00Su+cUmNHc02pGgplUf1 zuH}O|{^u|;COcl9!ew&e(G6qEOQXat$$g6vUEHQz%BR?H(H~G7cqwzD&dhu+9!Pyu zc3ZnrQDft<+m6sGlmWE@n5a=sLzDtWz9XIvbp;+CRGd4vA~|#FwPO+t8dptfuyhOr z2jIj_p>B{NtYqP`m@tzgqf7#fpIlJTapVx^zu>CMj0*<#wPswL)ta|NIB0{evo-)(ik-IFm7X zhJ~j%{0g-L2-(YbY^65G^{n@}1LUUIPJy!` z2Tbo7@eFra?KTMIp$(kso+u#T#I7k39#|9_%#5O7ioe9g9G_ZIK;5mbL10~$G zG#OY(^fx0~ud(lEM4wp1b8su_o2!v62w*oZNaFTq0~vL3E?w;IC~B+<>`n8FNk%U_ zNRc>V`I=|t*bPI$SPCZvoU5*TN8NV|b7VT`&_EH@faH-;70f6A2E5rrKweThmI#?4 zKo8Ku0by98Fb?GbK*Rt#K*hffF){lATm#xO0S5{#@xU@A-^}j=5&(E@*XRjfC+L9H zGthmq=zfu?T^XdGF+_SS4-T1T?mtom(8e%<63L4Koh7LN?I z&F_mWm6zWg8EURLwx)ZOVWkGizVxz6!_8>85&it?Cs{ww`Y8v;!N^&%9JVBffyrTV zGMa=e_LQ?~IqM^%!O3D}vRYa$tGj^Vf>svGkxTGpvAA3&SIp4?wz39i8BRIrEp9Mg zR9E%ETgaqBwFnr*)vLr;r(VUrYStu9wV}`YtkHfoZ4%i9%s+m^RN@|Nz* zx2qTM7JzWB$waK0p#Vop?sGh-zhD(k{7`2x8HvIz0y69)r}06 zTw1c07B^lwP@iu4klT%fFTNk3;zzgQm=lft=;cP^g|Kfe;}NGXBfRHsjPo}0qZ>GE z>X&#&9{q?0zhKKREHNRAu9#5m2i#=+@z0C0Cz?9Zkq3cYpfLyvuQ8!3N=kbjwFxF( z3o<9kQIGs!-BxRPEQ=T-jmL@_8duT}0plFh5#)_QE}5G`pd{g@F(hx|aD|eTUy2Wg zXKV~;LxWmPQ|C5n)MY?u*3jr6b*j_748R(|XhVoa5}QFM3ZfnOvlS}yL8xg+qD5`A z_sz9aj8VQ66coo8#V2D3%OsRkogEnNI(vJc){~PV2@=&A^-6UT2N)IUQVps31us?! 
z?9>5cayU?!_|9zGI1SSnA~y&Jx5Xy0Y5*HrfC2y$`I?DhbQB!M{R$;g;`-AMPsb2( z6jsAi?w$H~hs3RkUi@OAbL#*YvrS~9q==X6xJDE=QpoRYDo5QEQh2gn;_OsasTHKg zbxh?nSv^qO4olED#<^-uB~al^Y>~Re8D)d5YJPZU83)31WKs$N!LIzS;A~L>h}pxZ zS|%xMu47C2OK`s7DLiPa__!U2|NiOMXl)v@W+^rqkkAzuw&BAx_DS#DI71vlh6c% zl{HBiq>}~cEXaf&=^%fF!fZ>e&CqtI0H6S-09p{b_~qv36>5OCZdFr0?IHTK&DfB< z`J9yD(~M(^bD7XvG~W``TO~ffSmU?hRu?H@4Na{bfaCn^B}F|Y^x9__cX(VMW1n3l zgM!?fNq{b@@tT+x^SbfnejU!ZL6Cp1*tkZZYrJrcApT|{N=E46xgrl<^i&AH0r`*> z9}43+rQ?9~loP)RZJtLxJlerUq!43b^w%Pi4^4QK=+P7|poRBXKOXH#YAXg8>P#*u z@)HuVXVy+*Rp}jLY@G`Q_PK}!7rs$sKGy*IbOYCC8p2ETxx^2bc)Y|dpN;HXq6#6H$IIWYEfwFP{cG*gNde}D4l|p*Wek(ESC<=D@>F>nn8xp+cW@kZZ zVvqehWxP>5KYQ3D^cm@d)0)`EzMoEO;=Ac*55dTE5$HCjby3Pqw>hl?eH_q9yFT`; zYI7frmhP`jvh3PQPd4`vPBR%< zZ1y(bwzCcz=rc$i{INxe`n5|6b2#8PD#-&QteGwAt6n!@v1HEkVa=@CS5@6~X3Kne z#E1+c4M05V0L-Jerz0g+nE&tgAmKbVzhd!nAsqJUuuljzhoI&c7N2D}slY!CxPp*h zdjXz?IkHVtMM>7U&NQv%gY44k@@rNZNAesw!jUVk(vekaAWyXJ5rbDTn0pk%ilt2s z%s@7GNx)rF@F|4?xyX|PbnJMqI*C`~U}e2(h6H>y&%yBO9j9085V%ZME|Zt{mvUBp z`I06^u}2a3qh^Ae4qir4C)>y-FmGweEN&rR9Xu@^tizzZGGWWCvaNs}^s*T1!f-E# zb#jzc9g+objRUvUSb<)sp&(B85mO|yDUU*i1LBAfNr4mtK@5aJ&KN@oF~$&L1Tqr{ ziOh_+IR*2&WA!fO#K~kqFUfZwn99u6IiCN>x^RS!D=XYnz43K%VYo3O6)`8CC8P5X zh(m@h0Pz=Dk_rvs%rtn>oJ2-5 ztl5X}kDZww2dcXy5IGibNBMA4QvdnYYuebRY5ACO(sZs(Bsb|4!Qb&}BN~V!O!Bni z^CK^XL5E^TbZ7udp6q8loN_SpEa9M)h>J$mICPYLWluG=m><;&l%oH(N{Bx7y> z?Miuwu$ONY0tcg*#${Gs4lK|ojnxDLCaXw z$H=9ub=Sl=m>~U9cMuZR!|9jDU~isz(cq0h9rc0bBELuc?Be#G1_X`##^%>K7qDn!$M9@_NN7 za&g&%&Bn}*{2pZp)n!U#tn5IiS<73QD{shRnJlLz`RYTUUB$Jlk?CkYI$M^GrtNE8 z9nG`1A?Pcz`dXR3wy6`j_3Be!p{BQe`-;zA)zRI)dX-48UiG)Ex4_WTy4^*C&Z4Qe zh|*oq^%iXa<*dH8#J_NWriY!4MQ3{fXsQV)fL~|PTW^EvYMUJ{ceO#i%}9r%_BJiO zO|!T0-e#y1KxU`(LU;4itBTz^r&lq%i?jX$s>i+QF7CREzD}cRe^csjV7-O6!+6ly zn)+L|!+`5=k^QZ*6TWsCiybaTZ;R@2CVE?jE(g`&B!4INx$whAhWkz}&@&y|l8+f@ z5g$rWGaa4NyN{K;=T)|TpQw*9-?RGBZ2dlE8n`i@ia7YFkygdm+Xdss$aWT?$ks2{ zieL-wZNb1Th>hXMwenmE|6}rt_uR%fVy``D-{D$6K~n?*`+5Vt;mTRy%6a&Dy)3wL 
z1-Nom0h3jWHTEQu8;IJdkTAd3%}yA9J>tN1_K2T_Ry1t90`NMgUYnUSi$_xVDw&&Ty~8EMG_v3enz&j**0 z%sh}4JBU$EaJhqs75Wf>J|v)_gz7{9nz8dmEN86X%?74~a<|XN z%|}lSo4e(0wK$;T6)kU6qY$YZ$2xqy6UJf;Z5scGOy$W+)*ph6x9Ik^a6fLC>T_qI z%4mMtF%GZ@6^cy2&HE+A5%BCS1NIaxu#l~mG8ky2N-r-NeUYzNg3^Wr+f+0>WQd+p z=E$Gbm2AN4jm*UpMC{1A4VeV{ZE7l^p9JtKPiC_IA2#ly+gzY*LpeuNn%YX%D+&8R zI3LYe1o8nU511KKaI(8xZY~0j3Q+Pns>v)!U>pmVQ*;tLfTSr52f_k*!VX=qr?=aV=}imir~7(4@8=}Ssi6i>m)8}u(}`r3sXlHpJ;@I$8V*dC6C$XP76YnP*aNmIyiMe2W9 zlEUbENjqtZKvFX#t|jCv1UZW%QmO*3#>Um=xSAbT1H#iBnJAkGYVvxB6=r0q_3^a+ z^8qSZs`z+wy3iZS1`(Ien*AhZmiEz4UTEwV?F36Z*;;HK$cgu%CmRjQP7Xe=&fa41 zKoB#Wq_c(}mf;rJ$?tu9=_i$Y>+kvU|G;K=OLo%pKCXn;v^Gl<@`2)=dA`higryBJ zzeZy|lJWt9yr`mJQ1X)w(xym;G)YR8F~VRN$uJnlKo|v43^K$JLkJ;+7-9%fM5cy> zYSI`KHJddw=zE`(vNL+tOV;9peU}e16gPoDsxyE{e*|;vtv*Rt*zVPTM8XA{$yKyS z7wpu!dJ)+>FpU$2GH&;-XBQe_-Aec!4-U2cXw9o!C1{h}HqQaeTSc<+fTKGDQy<|| zMm}wYIQ78r&(n`fm_+>x$@kiRg}&t95aJ1P4$7LOn`JTtgt|Am3@eDh3})E>ew20BawtVt!TPG|tMQxu>qL1Uwg+-4aT_-u zL0UyBUK{{M1W6-!S;^A8pol9bio_I%KY6-p)fdSK(M|P73yHl@B5Mdg3iJ!V_fScP zTYkAi(yQtDcBut+){ao<X%0~D+j9lMxUSEtnmCt6#~|H z=8D{DgyT7TQapNq&shnrQ)cF{bg(Lc?#I#8IqAP z;z^K$BZ$-*j0(vpAtHk8`V-9qA_(Q0QaDG5mk+%J1@xp8MA=d=)fC4G9+LI2pH6P z`rG5&oPTx=@Lf2O67fRjp^Q5Ke)m_`%N0xjL-jM{g>1Js%lfc{C5Rt;`dp5biNhsK z1DNdbORrDNM`rR^fbM4yQ(vFVBTB?YgQpp|xvz)wk&~dpMMxUC*(r3iMA3|($^A1* z(a>^66ME;f$Q}JXloFH7XiH3pQ#EDq6$T)iT(9i_!zAov+YHu18RN zS**tBMfzULy&|W~E4su9YDs+>d`>+_E0Yl_HFZ8AQBfsa#a>}c;)CVjfa1o>(;<~u z(dqL%$|EzwpFLx(?Lk(G2xd2I@<$o^TyvSdx06yZ5hm$`&NT>M2djv|@j@ta@e*0~ zUn?-?kuB8KUaZBO^H50l!FS}Gg z4FGZ47oeK9+R9Xg%c~5$&#XV(MH!_jY2xd`yyP$;V;GefGBL^V0q$LyI72(q0^b7e z0v>|Q(KLO6Ruk%HmvQKc_%F6b%Xs4O1jgZEjKfnIhew93MlOOXZH(5LDjdWX7oq2B zKXJBnW}Jhl6KAj$$B5^mXeMAiNgr`0&rxeWa5Xt6q2wW=U|(w>!Khq zfM4XnP!vi8i`R%~atg^gBa|2e<|Ba7!QuuXs2gu1gTF!aH=5oKkRQWI&M@a}kt9C6 z481w$BdD^{q3nf4_S%#u1j^MadC2i)c#+GZeuj^`{gr^A4bv8s`P%!ArFow$|4Z7_ z2=g?&_*(*Oo=o~pnwRhg6X64MeBhwJ)iLz+qTv9Xt%jVT(ocYJy*<+KoU^fc4@-Yz z=x+m#d2S)suv6HyYRkC%U7$sSeO4r2^wv*Xa#h 
zD_V=e?f$+;lMhnkdzkqkjbDiNgp#t=o_hnH9a^4p6l8z+;}PjT2b@QFM8Q8S^N5VT z;;x5<_H4jYNT1MsArRgwhbO#xAz^RT?qv&lAz7ZV%@f8i1oRUL_(Z!;T;LOZeB$OO zYJbT4&V{{VY_FMqtDNuG;QN)q|Cr*|HP6GkzTkncc=KfM19|aedvB)V4Xg8KQeW2g zKs-N4(q9?)E0Dh$`Qd8vSIWO){&n-OZgnjF+T*W@e{K9jxIeu6L%qM+`2h;rPC!B+ z^ApfGe~_5@Bb?A`K55Nd(O&j|N5E=@T17YKl%S=`M4A<>^{Us8^R(-Nn&8G=1CzKV$J}^q7AS!q4#VG~)aU?9UCL1^qYc{6y7% zQ}S;SXp;nKInlIhm}u8HY8{!hN|JOzdi{avv;xv%#AMULvx2x6iyo>D)9G2D?$u?h z1e!w~hSRmqe#O?WFq4bkPQ(0tQ!MPbNxBkQkSHfZJBdLI#`PrOH(%B zTy-3*iC5PeKTS#LT~+fx0rM%+y!FOghrAW?@9MO7WS*b<{JA?%$EU?IYTJBj+k|@9 zo_^q7b)-}+ysG43X8g;}Rd}_{#T+y~pfla8LtISEzu4$XPOnbt3OcwL4x*0(4RaRvEI~=+h43lfzJr!k};pTDVJ1=Ll5K7C-5EC&!R=#pwVZr`~V+*R`oH= zH$d8q)ejI8e+I>UabGm70<1!Zqao4i)0mk~Cgo^vyo}EwHD;8P;d!W|hA(5#qZmfq z7Zn2o=Sg{*nHiiUoyLZjvGFt=epUev35_Py&4gkM^0-zr$X(UjHw%E~0=6r&rAN_C& zOK>_#7bimUyC_e_`l$nsV#Fq9z$Q-cI|@(6;V3(9_Gh9#rqqr;vLMX-12$l4QZ}wG zyXK}N8)W0&z|=aPFoW(kmy`fJg#k~Gz*ZRGsl!)Nj@H0U z5P`26;j2j<#e|Mx#i2B{6eW18&zt7JR4At;%od5FnaqKydd@TnQ;TGc3~9?2ZyL&Y z$%f$278UK}E$D%}wy;SUu}O@)1v37#NJk1?xd6-9)&RRGgyqPC z;4n8Vm$Iyq09mCmEEf*jDiUqH1L*qtJM%F%Ia zoMuoN^CAhDO)J|WPE`iANz}og%s5qzA+$M%a^O@^VRq;%M;wam6r!SYn zYPWIo3$gjs(y25h5uGIhpIZA9BHqn{WuWG*0k!6f+itdGrC798jkcc29)YDvvrJ%F zq_k|@q8^H@kpkPJ91y7c+-$gO$5LGum>bxzSEOJ7-~>;yZz z1gKw-?Ko?2uo$!gayI9i9mjC*3o_WWAJT?16xV0tj|2RQ(R^WE+KmG7>6uq!3(G6h_)TW|< z$06=8UwnQv?J93Bw*U+QXiE<6Dqr>_(8d&__@gMaC-r=QfPsm8INcAg8*|37LcR^U zw}nA;;N)(}nG2=q`O52bdN zRmoEAz(f_YR43exdYNXa9ACg9S*kHw5J}$3;f?Nv`&E(6LP>Wm%C(kir6Z8|n4VVf`XW*lAsp&7?@(CI;g?Ff@y-n%V{~e*~ zPf1b<(5wYO>=#0=44}Ztke9oU?UUZKBKT4GWChrWH_AH*Ao@e?2ps8#I3>_BNOGI=AZ(r7t|ozPOR4IJ#w( zDQG?}Biye6ypZpRSXM#!D+!W*HDRJuJ!cVQ`tN%!Qv3umELsZvxlP3Z>>+`P519>J zWON3!(!htc{f0!_Z;Wuf!lIIHQm!`Z)FFZeqj#}F?EfD#B?u19o83MK7ALjZjl1k{ zo{1dci8*~c&V+EwL>L;0z~m(q4*jt;TK*TrRqUg)OM<^LqMkt%sp6H~7c6}~j|nIa zwDmuvMt8({JP@860EL4p-rV0lZsLL~$X!jg!1DJTOsz5ZFN(`t7k?M@UFf{Ktv9n+ zjcdolDy5Wbd5S9>UqBQxhDwr1v1;VKX)Q2r5`lm3yDyReJ^aSjhGOmV!XT)h8Lgev zXVYU`{Q{B@?0}9;ouAdWAyYZ>J?R?|cWTt+dkHMZ;f>0#q%35;b 
zB@#%SFBYK*>Ay6CfWG%Ksc?7%b};cBOOl@iM-kBVa`^j*7y26G06Fs{RZ>CcK)L(hRjk^Qo|g}op;f0 z{JNaFuSZ{l4x&*#RD6(3-=E1ZiPZ1(;&6;#@#UV}I>H*8U~}Xo1P4BE;*LrM>K688 zZP#`=Su%h2Q^WnfCWbjJjL&IR58^jp029##Lp5<3-eF5a>F|}4`CEe}ZuRif*RU08;&@z%@?Bu?i5OF|l%6>PJJ2e1MDB-GWwUN+o>vVjxP-KZs{HC?nc zkW?k9$rYn}*x&U2x*{0@I-#geyHZ>ZW|#hOOtT|1W|5!4upT{B2&HMGoE<>Ox5xKL ztz>(iPn#)S3Ea^_rZmPcF4zU#{K}^5 zCGMXG=2svdECV+8!Ke#tO-D9kBB~ZHT|g-&4o)3urcXX@hkbVTLQJi!R##mb9%-u zkUvzVF~*qasCq2gZg|@WZ3w?pT2|m}229we`BN;bgMwHsK?7guKow3tcy5GG3%W{U z(OdrF47PenCUzq|tQOJbDBHq5c&|RUY3qfA(6AEJ)-8l`5|70rq~li{H^ORsK6`7N zm{Ak|@&(XOLEp$2n`_RF(KW3Uvxyy(nR3S&jMLl4$>HgzxVKoUlkX%C;4YH>lqs|Z zJsq^`22v%maExg5Atm~ZPhL51__dq^)w2J;mvS26TpB}L_4x{;X|8oXI@cMhq?qSe zc9dnsNj#LAs|2rNGlvai|EFX5-wB`NH9O|I)038d&Qnqhfj0C&=du9`k81fOE{~q7 z;d4WQ8!W;GAOU^ki9jH_h$?b}Yk7PgEKde;oAOWtmP&~KgK`-O*l6rlkZWt$ifG@w z2waYp&J4d@(VPM;fk7Srmvo2>*Qsr!xTL=%9#g31bX`=tU5Ms4qHpFmtBH3A?kU_s zkDZLE2EWcatze-<`uVVmjG zqpcYtW-=M(zr3#LUx+SNLH{nHpD3ft7Gv{T^tv51=m^Ox?&-6!J!bb>{2V3Gc4sNY zZnqHaPaKQ)vSJGXTAQrKCzc)!@<_;TR>yx4dM<`&le_HtTZVMAE4tYo-E3Yr>tmNu z+93_8V5Kb1h;9!9?bU5|$mJN|axU;Wo?KE*Kf$7(u<>B{ycfZJR%NSAzG9Dl;>{jw z&`*GN6c+Yc9hXzL(S|yTz>Y#mM-ir@pzJ8(4rT|RWFzDObCYH1b98;K$JVgO=bYJT zCpaaZ-WXzU;CwM99*kVI)u?`vb2~=3Ph~MGkcNjV4*LL%>H*h&+g)bB2ItRi#K8SlU z3ijJyzf0_Qbo!lW$Fp|4rjFOu@kackC!dMleKSBmhVUJC2hPpml4~Yz6K;b3Jh`P8 zZt2M@f3K;@T|xE+G<(C2y}_{Ojmlk~ea)jG{KqOMU#4lt4bb(l$QV*|#81<-Hw5`d zF;-s&i|LURxw=I5g0MME*lcj(Y^pp!j4UK3d-3Roug2`nTyD3we|*C?6YRDt8R&~_ zU`ZBAjkkXCSBVY6Oy9fedtiKXPyQ<0Zgy4cq+E9~*7r!|Fv6g|?=I|c&N|K+D1(97 zZzg0g$nEAS6LD@g8-35jv)S`$YU~c#N2A9-;l$iBE04|oVrq*}i@AtgkA645W<*@z zs|geH$$K|62zYrle%{TqiIe;_RvpIPyD5D(JobmHU*p$d;OTw4_bupsXuWSo?;GrW zVPXQtdLQq7+wSH_j{znVVL8viL5p-R4w_|ukn1r*I~*Px#TnmIfxqCMJMwe-!fW)LlD8T*K--p3aYK`Z$Uyev`QI zaH{k<9tg-lL|=yp3SH(dA>`u>?h#vc^5pobv#?8$ejIJL1To4cHOgin$P1VJG}#Nl z^{SUFdpedy`-JDuq0?^+=r@?QUE3j|-1K0VptDO{_8VThX1~E^+nHK56M2vDlRFZ$ zIT8Kjov&l}WY4+y$P%1XOP55uD?pYq(v6Y`&-6eny}I!xWhD|;PB0w4(hofLJAXSb 
ztKV6&^FDM0Tl!Ifx7;E|W2+$XlUi?y2Zold0?AM2{iV_0p`zEhRiODvLzw{)&*s@8 zk(taMQ*hVWRi!|5>Rql~d`vrZP44o9_{^Zf7Lo}BKa*|Ofqo^-VB_UIWuDJua&@=y z62EflGxKZ}83G$O9_Lr~y{6Pw;c5BkV%{q-eC3zdtlM@~LSbfK+2=K{V2I%;K`vS$ z7Y+GM1pBVdUo!5+dqwswwa5m5esgf!nPTAyQvD_Y`!3Cs7npgSNuILM;q398ZN2SpzA>Vb`pMVC`_TG@^4C;HPw%(=Oz(sc| z@t=M+3%~E&ev*4{eojHttU}W)NYgCN`Iy)(qByFfwZC_EizEF#-7XMtK2}V%9PmDV zG8HFJWg|bJAU}YVtAOOEE4k`VeyUN`sq*9oUAk1HT$L(AfD)w}l%ZnC3l?__L3v5+ z50UHdsj|fudX~Z2fjmPQ2udq_^1F8MVFkoQ+IzGD=Ha?_7_|l(QSlHzpyIT) z@J)iY$Q)f-`=?q>^TGhKu=_@7dB8-iK1jkUFrf$z47EDfpbFe+p%l_JE{mIqsZ_Lr zo0$hgjICbd47r*{4ti`qoiL@eP)ZMi>OxejQ+}FD1@);=!5&xhs|`DZ`UHbYfIFAG zicg_Y4}Y#3K;t^%Sc%kuJLlj~F;*fHx{;yo0||#d!kY}NMg-wcHR};f>yZgCKLhhc z7!M}Q=dPg)ELs5;HG?_9bOcxW&j?tw4lEi8gMz_%7{HyC@E$sN&xei#q@)Qfy~J?M(*Y_^D^G9y-Bs z8fw{;^-v9t17R#yZz_YW?kk7oAfP5+aG%mYDCr-pz@<`fX#yBa2A6917|*vgkbe=M z_!!T(wdB8uPxPljxHM0Xg0Y9rdR-Pah0&8b6c2254{d=>344r!Bf)}C^WYxDkr1I{ zdl}!i2Pp2LDGviaT?86CjK$2j3JSRj-oRNiAhN6f`xu)*;vR73`$ms|n#^#P!&xm5 z8J?fG}v6@VsH|B0Pg}7fgxCg2ZH8xJ8-&Zk&VY0Za{XCiNCY1wsXr7kjyn3`NEN|s|7Vm0&=6229LgC zh9965jWC^b8?Z8COVx^fpsWCGEXSAh+0(|Is9zvB6D(C80w-;#*hZuKC`*kJID%{x zO6~(xH3SuC;yAN`X|xa6)u2q6U3tx+ieKcEgg`phRf}k-&W3WTUWK+@V6yH+KS-X*1_4bC2h&V zY(;EUY}vMDM=q`{l346%Y~jO2(v=AJ!lv^nr99CB?*fGlp>EaMTD@dK8T5XH4Xh&q42PS6oaaQ~{_t8u6otlNX}bn9;OG z>=-w%%s)b6Nc@7Ke}u{txzMYd>W4(Yn&Gh>l*T9a0emJ_Xs}Q>0AZeq3ME_#6Smb8 zj&et?ZxUDdMs2HC()mpUq2#_0>6^SU95EruzWPG94hcZlLbt~ChkknO3;p~dcrilNt2^rtk@^O>k0SX_>UP#2#`O){ZQ)O6 zyJD;Rf`pgi_)m6)ckaHWIJ9mA;i2Kjqr1`vT`j>GM`He+rAe zh4xZP^lpDUf}O0}T`5X`OpTh@(BlL*7+#0_8$DqIJBgsf9d0l=|EH3_0qb!%T+!rx zYL(rjNBtGS4r0!4QF|<$J2|?VO^c8OTGNbe^TxqBRR z6FYDP6ZzSge<1k`>Uve5QG2Smzw<>uW;q(-Q@*`j1#RZeQ}%euBu_czDc8IgoUc^; z$}?XXsnHPO8Acxq;_+_iGz%Up*cX@KFq+wjStItm{Y6y`z(I^PT5yH{VI2skMR>#%$enN-0;@wHNVSE5O<2oj>Uytk9 z$Y_{&o6&QMey8<2NqlGDqg&Zi7!4rkuVj1{)MG8a!TT#K@n4cRjq|4QpBBX{oZ=N} zPx|6XeZ(^qtJX9x)@s!{mLR6l_IMyU2cbmHVT!Zqc`e8gakM`{!+(nTPbK_qzXc0V z0ZzC331_NSGQ-aU^cE05t4qt-YB@Td!dKN=w)C^vUqJ9#h*wWx32y`a3vRxG2u&wR 
z&yn(3B_7nUYBlrlpksdP>nqsNbYOf|n-ArR^$=q{FV7uNwVn+<*Xy|uycVL4RQn2t ze;R;}REk-^h*{{6Ck1&260wb>c*Yjq;gf^N({{G6HF`c`JZ}41IPM`-OAc~4qWH!b zJ!$l!huTh+*hK;HUXffmGk2fERDN|aXc*K$=V*QYfLzO ziS=Kgf0+7C2s{=ijv^@rAfm>s5d%*8#eoMjrkXeqOJl}yU<rYwUIkAz>~dw+R)*qrRI!$vcXR~E5kIhJ{g@)12mwfJH5Uv=+nNO1?o;2 zU-tDGh~5keXQu9K@@0cPgA+cdP+o_0Ki2p|0JK$Znr)(-L4wusRnd^D|J<7qSSc+sDckJjR~j<0Q# z)v@L^$jGoi$#k9*kM<{fQe_vtC3I&s$1uE3GHfDlK zwHZT71nQ`9*+wLEQS;nsn93NrYZ#Ii8@JYMFhQ=R0i%_)*1BLa6u`QWhC-2syT#Hy zbW~=k)Fmekp{7x6H4*vOew@t7`70o1PTpw8NyeA z2%8zy0a2i)rZCw?7a-|fQz|76R;Cda5j!N5rYH`WGnm?x#2nb;@MfVcu#38LMDc4| z0rLuOwb~SSbqkyGwvO8T#xA&3ne+Ih*5F;;Faua3JKks?qi^RCbES#9?7qb1r)c{U z2R=n!oQ38mKm6p2pA3A%cu1Rz(1pSL9qGbYNN}PwdH@YCO!mq!4ly=j^zJjkGWnKb zy`#EEA3cDX7jA@w6v09+z(Vv$U!d4RUEF}j7J9^AK}DuWL@7arF!F)zHT6>j&X6AO zsaE{PN4L%6d)g-yriJKvN&8r*#Js1k{9}j~%zERsw|s<&?7ysf?F_)hoe=!l?(?>};QK--P#4%4a6QeTQ%#5vzk4?_-!QBJ`RC-ZFZ+Fqy{5 zF09xD_5%R+V|q<2NBZz`VZ7QPZRCj-TzgObyq9%9WrG&1K}xFmUY7YbGk(hHx5@HT zWIbf+A!aJF`<#1(MTla!nGECQn|Dt z052b{6s_*U&Z+=DL&}QYee00wBz4}@u9pBh+Hm{!F{1~cvKC^s{-(}({hR>e*1I33 z2Nyq6fVcbg`mv*z5bzSPMiVlC16h!c>9R#qW2=P27D)>@5HqeY1IYpVuY+(rKjuad~7aRZp@dm^f%Wl2c?-_g1%eYN4Zo`b*KI69c71z9C zWwz_BrEeFAcCx4qBj3~dPcbLvitTJKqa~j^yoyuso2L zh9baMtzr!ZVy;v93HG1Pdx`8w2>5FWAh}9MiSbqb*CPx}=qOwssOhhoRv1mR=qTI= zx{KfV;g29OvKIl%bY9|Er6uGy)c`$1_VN9Cp;KR6e z(T;#!B57s#9U)SRMWVivk5~={-@lcmM6N zOE2i*AAk&DL?^QO0&MY_pFaxvqC&kz=nDwOBqZO^xfq0+e|tlf-tD(8Vl){@k3REp zfY0T;Cv!GkF>5x?cH-uj#(cWxO%Ssk?feSnQ!Ml5c9tBR-*L{W&74Z+Nv*ld&Dozj zFU*sbb4Q)EK<3WN`HtU=HJshRZJj#vQ)oE<;aQn7+Ws z(2RD!Kr8Mb%U#BN)Kb%yFrvEA@|mi{a4BRj5I7i`kMeZlW6Yw(xcMf#)63qa3_abN zoo+Fl&OROp+|vQe)>M`>_4RS-LxIhTIT`f{w z0z>@k=oHnA-cv^C5%iig*43lp`jkVf1W)rsBj2Cv(;lsoC|@aotLIIZp9!IP!R2~0 z%!-i^8cQx8`v!b|N{~z&{pjSSdc-2aWX4l&7Ky;DbRx)+`vov_-2yAy>`RkG{?Jv)H&@eAh1R0fHl4>bgBsymv{CwK z@uC`_sf>tiV>2dePO};r5V0ULcW6IejotNlMAGh*oDxMf6q}^1JFBJ@3EA?;ikep+=$G?&0>AWkD7^5JY(f;y7BxK#5boOhKFH+=I7~KjA9xrS5ZP~5hR>sSPP)aokf&Zd7482 
z3P6aj!$#z2>fBvO6KLZ#xA`3eFj;Q{F9n1@b@3jd&ylIhH#)d8Ip?+A3OGitoH_0Y zJ3P2#@s%ak@=jBux@`T|SYnJL6SKZ?G2ijHa2aI(3S?Y5hZUi81NorbYYQ9qS)z*x zlp`8LIbF=a8R46z*cTuto(y_F_ZfPA>>2d*>@n!|+-KQujD@u(P2Bl)SM$5BCM#XkE?aW$i^r*@KIRSeet=5eK=fsv4LS2ZZ$RN$^KzUj}n`8UPn{iOwYM`NyO#RhNSpIB|)NaN7v6)NZk$ohbabv@T-+W=g zKNM$~%iP10*DXI$OfV-Ivy##~7KouDj2BN}bkV7Ep=*};%FFD4J$n91s-fpXArrGV zVdjW{BW|Fn2gLCK#I@5Hb~-QJE|PXYyz~VCwHgHZ;4sogfoF<)keG*O{|);v)hvvM zp1`!mvxsH{*<6^Mg1-A%_Lu@|HBv^sDrc~PUPZ8$wE8PG03|Y`i77I%Eqdj|A94UpH~p6@7JqOM8Rir%6;( zNN@}8LH^B_8d2cA^=lBtiR3)a2`G>w>X~v$;WxapmnFl z=;&SiPR+h^!+XR=7|5J&ZeKp5rJKKYyBeuV`yZw%)dZXA9^#NHN5k@EQ#@tBNT3OH z`zk}g7gHji#v#RYyZc`524>3TtR%hhYF%Jt^H8(CLUhgxtc=_aG~7w?h&){@tCdRp z`6SsM+L4tlH0LD52F-18x4+rGG36_Gkds`4K^b20>h% z`EnTfF^4R*A?6Cf^aCuP_V)3MC~(Eb#xt3Z*O?p`G1@(mg~<$ukv??ULLF2%W$}i- zgIJCG2jbDwRD?j;b8~bw`J)~vs4S|45X=k|RrEi!g!!76mX`LY zO`0?&K_Y4&;AGGjNWLU+D*gZz(C!oRz~rx(6fBdJSWo9@r=)uJuxvHbK-JwE&1vg5 zy5z=U5|Ud-!DKU#I(&=EM!hL1gCC#HgJHgsNX`%s^Lj&0>9VmLQvrag znMwmrP^NTKfOIkv;rMWl9eDlf_;e9!` z>xZC^z2pWcfct)h0CP?`bWLy@Fl;*t0QbFjd8B_8h%}}^UeN@QAhmz2s4mV-ICyNS zH>-&JGiQBFQQYFAa+X%o6btLRIj9G3x!oky8Bn8~SLEig(>aZ2{l zN%B=}6OBp>N~4EA-`>5%M#BqbRfvBe^byowTv-m@kAaxP2K zQSY6%R`!2FsnzF)Kllb@!h=EY(>{Z)hp&P03DrspWYEAlNcTIX!h=)lw`kSfDa-m6 z3Gn+d0W1njVnN&^d;BPizj(?2XQ+rh7ctOB3VF!-@`i&RD`LXpy9zi?E!A9_d}J@F zk;0*WHA64vZn`$}B(E9};UHVDZZuFhxpbYQ3au97$;NIP>EE<>-<>dwU~sjM zkvl#xSTqQUM^~LOZLnmX!vg1Wp@EIs21nwiaC*hv1KxO$?ofssc5rlE{WR*vpxVsT z>6OFl1a^7h+~c*m`@lBFz2=b2ZoWHiG{{419y=1*VOe4G>yH^Qs@{7hE)b{cWG|HG zali%?8io3i^S%ATg7S%uH1$E4y(ZGg4WZ^3AyHfy?pNfkaVQK zlBS21%20UczSo4e9`n*FKds6U;MnQd>sp^jSwwKun?wZLCfp%4C2Rzcwj}K&Ec*@; z>#ji69vQJw!UTq@pG-P^54 zkH-6H{ahCU-rFT+IO@ccHdYJ3?BMJS6-7mj}D_=DM;+B$oWBMkF4+h)Y zV*wX*5Ks9I!p_gN*DQ~|GWVx?II9Z)=knV}6aydbbI6V3Ol z;4R=90gsTmx2c7V8DK0t`6v=IKe>avDtd550zfjD1r=f<#POALg8_QUr>9Kg`WB?V zjKR2AUtne^r9AfTxu6AH^{sNT$=(!n+96P{6!l$o*5lQAGaav%ASn097??c*4Q^b0bwbwJtHjdag zNmViK`?ek^T5mjrz~5V9*;KG^cP@ylD(!ne#62Y#k#iBIuZJs-aoIPW$L3f#CR+#2 
z6@bge1^GWh&*w*&u4KdS`MMjzj#~oU4P-=yZSDp*qAXfj%%Xi$#MTIMLpb%8s8(KH zVj@YARvc~Cl&w@`tE_B=wFV+vp^&Y_)}XSL96Oi9&PlOzX?8Bo(otaPpuU;+BZMx_ zr0f55SUET=^_HP%y|e211gNb7SY++|ec%~D zr!6KCW+_`T+A(7pv3ZagEA0jUnp#TEeCgr=f!I2> zjFtC;TmIxrFb~*Rl|ruC8v@{oPzR^klBRdL_~r_Bj$QKggdaEpmUrpB69H>S#L9uQ zbw9q^5d^}71^0^jKpwX4O|N;dbBOesm0tVGURQeUPov4;URBl(!yD#FHUZ;Mg8ZPB zy(9BaEy6-f9_8o<0c9vw77v7f3aTcMK*yt?J>e9K=a-XUIca<3g*0NABQe<#-Y?Ny!v}op$m^kDc}pm{!SSN9(fe3FVyq* zpH6Ielq_$k!RA#F;1uzP1P4-@*gQXvyDTNeO5ACozdhDdhH)u&|GctFwvLLeGxr(A z|D4yNmmuPwaW;iOPZ;>N0HkeBUJjCn(`56)tWx1I$EyMJ&>(N6SH+Hh=tIZ;vT!Iz zd`b#$QDlj+dwcad!yN;Kk54J|mdnu41N9G;X8xeb+d+IeI-eKj^`Bc1!@$Trh>^ZQ z)W13R;2w-(X^LL)a+4Uah%AWkXzb{Y?&wC`gwZTIqFCBoB^Z1v_>_JwPRE^NZFo2( z>_Y6M2xescERP!$@O0V94ma*&?BkZikjtaNedv#)ljI1afsbqaIB24tD3KrME_t|t z*^<*j47c&s%!g%tS>L05y_GW4n~n^>kYhSOX1VmNG*U9HML zV|p>^)2ZX&i3=fmImqeN;LqwjndOU(shi%VbrEHnmGq`}gFC{>pAf^oU^~>(1rK== zL^TwWyP7x3C0}qrcGBTSnRjcsPv!3l?XcKfdGvEYxQI%x=PEl{;Y#gX#1ZbHjQj+4 zck(W>csxE2e2}@)@a=qDA=k!vCIV0A%w6E^z&ta`m4#2I@J9kZMEQ1r*(={fvwN7# z7C>{<)tz3Acohk6zH+bh>s0wW?_h^#fq54`xn$Tik16NdvCz%rK(1V)ZR zq7ov(8ZricG6sWklp=>`a~<4ZP^(fk+{zi;g3Ki3b^-zogOB%2r6^L4ax)Xh{hEFLb^DrPD? 
znToF76E+V3N3KGPr%kTWlx;L+8%GYSDA}b|{#s+ZqCSMqE?dAuKIAhMx@_a`3R3dO zMoMHOKCGMH?*X}^n8J;?y&b4!8uNR2h+y#}ApXvjZDPQ-DKxUix?!q`BA)W>894}P z9?xC&BFDN-@O#+kMSbwZk(Bs6$UkIQxETWaFRA~kc#JMTmYs<3UPQRlDu?04B>fjS zj+A>ZXA=A1yqM${KuG9&u~zDVL_ZByic9ywkm#3X_iDJ)Qli_UojT$aB#9y!j3Pm_ zP`qdox6l%H@axH{j3Etu7!GxA&0PVCbphE}*k$`L%S1k4Uk1UC)wxsi!?3|eR^Kn{ z;_xK>vE#)ED1Pu~385B;0f~KvB))mkA?7a$mr=lv0a_e)-fZs25K2#-A;Qu`M4hi3|>&A9E(LDVO->@X=m$`3xmbhO`=>_%x(1OXD;C zo=l7e?6NtQ9JxXR;%dj?gdCI}nkuu*;mZJ@4A`HExDdRVQKDc1iE=l-%o&WPU$E!R zzStdNUuOAe1UQYRH=Al_)9MKG7*}*)2CtUp^yE=9{;cuU+Mv2TYRaP_-%OfQ)1wR@ z?MuBw!SYc0Qxyo;>lI!hRVdM%(coC^dZdxL6dhcO&0V@p*?P7G&ai>fP9^td&Qv?cZ!6ITOWL<_ z@N3&`-2IurZ|m}Cmi$K1uOWR~-j6PR;0X3}KlgJ#_wV1o1@|7jB5GwXYNdgV z<Zt zSM|b$xDXfOCw}55ZsI0>;wOIm`0;;{sm}_$Ljg>WTm$0|(St9(_~QFoXz#&L2yV3F ziKxJa7!Vs`j0G{q7z5&rF@EA^4bxJoU?_%GD%DE0f)DW_j^ZeeRxyl-5vvv`T!^9d z1Z;@?R1}i%6L0)jF^e!#vxO<=hVTUK$In9;={FCK0H0Rm;32lGinJn^he$D}rr!WP z1RwoI$VEJ$;gnni02mMkq~WwU0eTuvPf^s9mO`C`5WI*N^&25hJ@gwfN1CDk#5s}@ z90&*U4q%l95BUHnR&12Og~|mpVnNcYBPrAnsf(jDN0RjFO?p89QWs{7jBt#NP8lgp zM(Sg1EW}9Y1V%!0G6^<}(<-e3lL|SKN)3_9I7+ROq(a`LQvpb2nAI|`OjO6}SU%=s zKIUURb5Y0Cv=$oAfnBu1N2u9FVZL;A9HiVuJ=8R_h-NN14hpm#0!LwIJJqp}k*6@g z7vQUEA5^re2BMO|QPZSB79D~S9hP59J_nX`=%V96PYxSn1+MxnbdN;?JbwksIz>H+ zuC|ew?g5Ihsw){e3qn`2GTj8Y1Tb6)&ROJf1(;+H3S;72j(g6>sEP!5 zLHi{elX}`ujjKqU?hnpX8bTci4;H;CeVWZzL2GhMFF;*iH%x9m=SeEj4&QlN#m!cf;yj&)YfieN!6Ea zMM>wkmuSc_#ekBO-ixB`yw3u$hsvQh__W{>eO56n=D-z*rH{4HBXWgUzl<}o=#HFz zmaa9^-MZww)E)R1!G0|UARn}DYjx@K+ey!TBuss(Y0p{rqgj{iP4aka;EbDBG>0d2?jR z%NX0I9)Mxrxb{qkXKn3{2Sc=5+;|e0J~S&32_w9!10RYNizek`G71mbyjmb#=X|{e zL!UI_$75Q(JEYUKhl64dE*c>^`s&#PFyJiM-W~Kk>hRuqS3va1Hc2Jcx!}~sEjt<6 zfyD_J1U&7c_10UZz-#BPu{1Bp;lY>Eha5sgbQONhzb)oTRv`M;<^vcKKmN@DE{O2xi)de)f&a{mXCa#bl<4u+EkBxmfT=b&-dJ4zd{GYlPI$NMv})=#WfxmOjAke zeqey90v1CICv5aS!QxSIC?ZYd@^RjM+9q4&#qi+z$u@a|$i)};i%UL(UF)SL^yG9V zo?{T&q65vSD3P;7P<|>l@Y1Lm9zX~-1d(v->g@_CN)7gHT9`?ZTToS_2?&3f2>if+ zsS0EM6vek*zqq?)FIilZF53#28S{Hbwoq` 
zt!z8xZu$qty?9yYXs;{tRmRkH82~{1Lq^YsKL%?~7#yKDmVv0bL2lp67 z3nRYg90Zz_lY_r3O$$YvHvJ>DF}x| zoQedcweE{eRAsnNN-#+z10BR#9VSX|W#DR>T( zX=UVYQjS4^JAjsErte6_vE-(lHgq(W{A1(g-?^^Q!LP|hXq5N54CTe+BtPfZQLay+ zKn6&h#zM-$AcM<~^j`69aIemhH;@Fl>&%mm7JWoRX%5tdH9uf+e2*n)IDV1Vmd+HC zw?61*c4U39N8q_$T+~x9_)EoJmoB0N02)PB<4K=m)ep38p$KT92ZSD9U|Ss&%=Kuk`?a;IE++WWzzQ z=DozcSEZT=(~UoFjOox-)Rj@xjdQLHuExkKW9X{M6?68bdp6&JC%}OB9RPX~&`T_S zn;-l)|K_DHeZij$^OJ1;@8LWil%d2jl$w{gG7)2j0+g}d@={|iI>YV68*poCp!sA6 zOZvi>^K!BnV50|6_rc;|eI95!(Dc|W(id=lHDUdqPK8# z2i!|%Ghabw4Kl)Nr17mtKJgPj5hqD;h7DH73b2MhEP)D3h++vVe(@K7@fYy~H#|Y^ zN=V`v6q)|R*gwUIcYpj~=Y|sv$V7ucgv!K#f(8^Nw>f-9YLkf-@eIX@liftA%@BC; zsRJdD-MD?7uhW#1_*sUZQ}A;Oeg;0jo?p+e=U2`W%Usk9#g&^FpI_hjcHYk0`8$93 zcmB>7zT-RIB3?dL!%4xViwPp@$^{&TAdk_ZD#gX1d@PQ~80$gOuEcY(v928SxeT08 z1e{P4PQ!)A@V;cxezsi9oyHcI0itTfV@&ns1ueqfMaz%Si?+c<8@y<6Zli!1gjy~` zjgLKzaKvXMQIEi=G%RnLRI_|;T8z#VE|F@FAVka;nej@Mt=s#NRHQYIrOv69!l?!3 zIBL+S4D+$czT(J{7+kfXz6xHos!Jpek&q4QjTgDm0ivdq|A45u<3IQh`j3^%Cg>%9 z@f$zSHFAx-FPf_P*&r(5B0DORhf};as~aRR_!VLfx;A|CDHslARx!MD z;!qG&(lsNrp`lL&x{jVR*>mHmP`c4hC&;xL#0%8ev?o z$VQ~Z9O&+sRws5n-U^ps2+-pYpgW$09op7{YFZJ_uhw!F3{X5yt;pzCbgJzW-hEz_ zYh`h)0lJM@FKRh7i`k4z<64!DrKHW8UWDRMBY0|otH5o=%d5cI>w&#qn)ec!>0CS* z3J>NeZ_#kQDw~eb{VEdLFy?+iH65o1gZE&tV5!QBVgi){BD1LhUA9A@&+mQsJp`Cd zD_i_Sq-z1GGW!i)*J0vWIxy9V3ufaH(NL8F{T+<#g+}u-?k;dZGqxW_`e6d87&I`O za~FIV$%_K2>nOgMzsEbIX3)xUksoG)AJZb+<;YJIY#=$7&sHW9%TFpRh>PXJn27-8 zr8ibkBirXJGZnFxVQe2Z8$D&FJJ#~bR#wSIeo?jO6U0M$v>Y%P>I5cZ){iZ|udC-c zF&VZW^}d#1G$B2w3@+oNAN61~zJ~O|XmEr)?9G_H8618mU?ND_?gZxJ(2#{r6g}R| z9n9CFA*+~gN_&t*y)eR`QTsDQa1ZsO58@A81iqa!JBuBoh7ei_~mDd!z^B%3GrWeX@WQ;z+!mGk28q{&|h ziI$?C(Et0tPxEQ+j1*Bys?L+=Atb%T1sY&<2t9H2QCF-bqsa!R1L; z+(@g+Y%_~qw4u2mdAK7-1Bl9Dk-&R+AmYo zXf)g>fsH1Fw`G_pPMf_*TT7`ATvVd{pe~fl7H=V;GQqTzgI#;x_&nJu8+r->U_i_A zA)HJr3Ts(Iwq>VJE!*er&b3O*I)=6EA*+Dg(>Z+u`za{etmyPpqO{k%BJGufN^klj zcxS*|NrvNom4mm4^M5zShkx$cS7@X722zpy`P(M3}D=X2{LItNW!1Cey-2Y zLH?XW&{Ptr&2`hJk__7Gm?sxRyIH#++D(&|wR~&Y+t{*>XII1tJoZ>mcLmch(R^%l 
zEa>LK)Ot{?`S$c+5KKc4hjx(C04<)I>_G^+4+306ME9+IowP-buL~5`;wwuA9lH-d zmLHErt>09+B-})g+DsQPgc3BhbV`fqDCb-}y%gc9is>_1@Qt-T1K18)Dn!y!5c&)i z-&kxkORpt{i^|vXq{VgBh7$o(!!c_#Mlg;njb_?}JTQ(pt)<-_#^I;MSSX)N()J4z zS`=);9WEv58_xXpTFwiH>d}1C%?sXs3$@Knl*stBIqs}w|4`c(%z7?>T1ziZH~Orw zv{^1pd;LqG!@fK#T=AAPU8sf0M!;OU3AMU#tqYN09buS46z0-E z4aiE_Fsz-D2VaK8WL}VitsoCmP%4Ir0MD0sX$;aVAKA#FReUs(KFcjWUJ2v$XH2Ko zs#P4(baGnl@JqHVxga%##^l(pP?U7Y=$I<-!!n9u8CSQ-wG=kE>Z;rBSW5A_lS?z9 zNtXzG_>_&{)Pbua+YO4PU7j5_G>Fk|Z=&3N6Y4Emb1P(RK?WBohtDZ>k`X>9)=8XP zBsZ3nxeNq34>0FV$!^h`l$Z6OnXfDBX?e3GZ`LO3-FP$0_d%5P7~hA9oJ7N&kYrkU zMXRjoE~j{E>c?r?Om5euO|h2uF?f-hx(@6jefS@6{>R@--~p4Vm8P*YE2XlEX)K&8 zR?*KJ{rF^x4|4cH1g#q4tWQ%)Hh-*8M^>mTE0hFQ3uq`ih~rblub{x%b8Q|WNhxZvZcl7aORkk5uoX|yjqv5jCV@um6%wfD|@xbB|0_# zp(=9;4C+L2hQ{jRnv4(^VzE>wz$;nuY*b5iIlRopl0?}@k%gqP(=_%_$_|p%!Z~}zktW)tZlJ^{Q-2!5mBN<5wN|FvU zi=oNX6bjawftt=0mo^2j zT%L?H5A&iZa0O|;5t^~_^(li!f<2xbuRbs>_Ha`GWF0NDRknFFqbg_I5ryh?ewWWw zV31V`snIleSBYI)%tJ;6P)=#J2I^x_AN2_~8Fpq3Kx(*e31S#(j{+V#QF}wz z+=n=Rzys6hWOV<+Rb0d|xuAe5xQs)ChEhQA2YPKIZI$~l&DjeW3Tc3e_%1Zk+@*<6z$Ru>AR5+Fx{BAc4n+{3?Za03eVa!U zuRa!jW;t_Xy8v{uVjh80=QloMF>{&iy?-Dwy24d+9t^!6%cg4EAp8pwX)>C(3n(d@ zC)=gR^GE9+gv=acN=hHTS)MU;2w~Fmxp^i-*`{HHs9IfCH`ha|59fBgTD;qMT|Tl5 zmy)AnC+LKM$98$2AEjr_B=1sWB2IkTm&$+)z|vC*nWK<`#-X=Jd>`&ZU#Tr(6rdEv z`XyfEOB;8j+@OovciC@jQn$L1U@PAo!x#M)f)8c2?LQY6mQYA;0ivXKpqoua8wniw zS5#BDKb7#PI?!aM4XcDFxPG0mG}~eka}}l6TQz4 z`UDP`tUY5Ko!YxY!2PWR(^|n%hL2>2{#Z!5DnM0&?8v(SaDlcC!NjT2Hob-4>-WR!IN4aWEJi3-_Qr|Bxv5V}g9~PBv4pH_$vQ zSo4&V>4Tx~=bk~&&mNPWpG^8b_Zaj(c}e)SLICI`8p4!VZ@oKl2qK(EJSt~;{gn}J zRxG68P+hO2c3J^1pXYZEPopd49&NbBYG70>I6M%!rcx_F?qLX;SDQLFR2G16Pw*Q8 zGD1elw|ob@eNElJ15*Wg9~hj+6U94#H?=J#f;P*~Obhkh2-9`eXH4%YFCe51xTBOz zY3*78w#pgSxDx@?p`fNfsD{nu(#VzdU6qi+nC&FgE2Lo$cOaaK2W75^nr^%S6x7LH zTA2w2NP{6XaSt_!oT&c#13I7^8=WO1hrf*gzhI*l1}IR)gw8-?e*>EE%%FdwxC7(3 z9~mDS}Ypd>9I#Wa7(WR!J5?hW!Fm!h@ktiIyh| zO#1O`EnvpsH1-&y5#R!b0Q*g+5p;}%P*7wFIvLeSX7yuk3qCvk3xQf_@KLLVfpq_&m%rW#wyw!-k 
z=tj)J4&qt@L!cH{Q-rl7*V1?Z4jn47FllUcfN256JrEeqNe2f*EJBc=kflKWKO2^`+g0i zjveKGVgv&>nd{6ug9L5_a|CPzO!Nt|dF~S8$GlZTgWJ%(^Y*EWM$te=1$o;LZ6Z&j z7<)`i8HOHbk*q4BuQw+y1d;d~tJrRaepX2umAKZ`?_9w#(!N2qZ? zH6P~6g(&&UID^l1y%*09W9Uhw{1+sj<8v{&zZAg5hJ2XOA7Yd~xBbh!EJrUU>%V|r zDL5V0Uv|!V4Z^&ws`6qOQ_xNMFFi|J=29^yA6xt}3m%in_2<6~@iFX=dGVNWt`WS> z#eY!~36@1Nj`NBg<1tW9_NAJmZq{#ukt$$N5wYWwf$~&<+eLXW9-a&wC!+LThQ;mZ zJQ%onYh~F3qQbm&A))63n7Nc}a#ub)$7j}UV}4hM$iSuBLC$g&sM}=^Fje^-qMqXs znYlmOR)qR7_?x+u22^P{-+@Mh632s@xqdLpI9}K+vw(fan)u4RvskAb4^Ql8l(TGw z=Xpo-)=G@$eVOyZQ@;?Jw;xdG7YOtVOnv3>j__sPj`$eO2haO6@;t3H&(kt*Np$c% z3bTC0!1ZRtk0M-eZinm1$(ozDMh*ya9$liy@Q~wtlyg6kI-)ocJX_Z?@2f)f9t>hg zsaV6jxgf=Qnr@>zZ>P%k2F3nLEgY(q4J$xzZqxn zzB!-9Ge`#k%!+=qg6>M&UjDY1!tX5oc_Z&`W!y*MZxU)REuEzmdnprpX`{Ke+KW>Q zDXCp#gSQ~`7uq%j-nQhjEzRh!EJ3?b=f2?g2fi1z?;995vq&UeEH0c$V8yK(%{TrdK;P`#V%v+=`G>3^f&xnuj{ z6doPYU`jMtknI%-c(lv`4;?U4%Lt~`BD!_Kc^%!lh&}KJNV8Lxk--5$Wf>|wkZ6PH zl4bOHU<-Lji|4>Ir+zBRGA2FH%ymG)r+rD5*out43LVIcZ{yp-l08wFwtm{&K>C&&3f=h;*<_M*iowV2l(hv(%$ z@qCgiz=I_H8xL7HH5ms@HlfBB+P0VEEh83%zMP8}Zv^PZmZ zV3F*h8()Cnei_`)$^D=nbPgS(ms>p8_~zqS(&2H!B@YMkI?G8^;tLC0-S5-=OXKAM~!&4G;Lw#_bn2Mgz}@u^}BeHN=i8NfN-R zl0SFq;8ac@A_aFJ{74RIz`}>@hkfAg32#;HLu+D~KLmV7 z>T<9*zyVj&nx!N&7X*r#OEkus*qNn~mJJ)r-l)r}G0AF`fSb8RTI&IaADqnG5N&3z z(Tz6=bc$uAUPXkw7q)niM5={iJWx{bK*>o9`F$dXKjh+LF5XC$m`cY~rk_anM-uqh z0dM3~TcTR@e&1dsU3|kdSuNO8_Q%s8A0%#(Z^p$c`RDjrl5d1*h0W0I>@w7a^x5 z^_feBK5Qd&W-b%GeIzyZ@i^}rkotnD#&D!FOxViN*vj>oOQD3!ddkkc-7?`WU03rN zPQ!7y+1R2T4sM3`ROsld9M70!iH*|e8PlXuDRHyyFOF>}R`3`#jg{c9fPIxZSHoZQ z{3}4-N`>o}*EsW4Ai!lPV=*XR73IfP7;Rx1T?LZTxgDa?N@iOOb@q-TT8Yum1pVv@ zoXPoEuzV}F_!;V3p?mD!504K&JeIzZN&z-Nj`sCd%xEk(dMSm*lE0CWg`uOZc?GUw zEo_?UNiz+gJ6P>J7CLJXCW94kiQs8M;w?&=sm#;V0430=Vccz9p<}_*qCBIghGDt& z5;Y7s{|Jgju7wp>`}!+yS}SX-A&J&9qP6BcB$sb=0qARQk444i;iHjF0qBOkBEI9rf+{IU52c*(R!QzmEIzTn+G+Q~ zXz9{m2B737cPnzOBMpVfje8QWWywzNc4jL8q8JGtBJT6*`;0)!t9mUSo=}Shd-8;uD;MLHkSV1zqQOp| zkj)=msa+HN28|B;`^xTn*BB>&%WwG+U%t^{sWF&L{S<$f%AfQSbOPW!mlaxyP=Pyo 
zs!2aJ>8Ln8m8GG$yrlt8x#6qKae)3L1wGY+QNx{Hv=rzPVH#=-W@98dZ=2xUM-MHv zbqOcU@3h?=832L(sZTy z!Y;sOcuObjFEA_yx1jl6sJ~@+CF2)Lyq4d8E&bNzRmN*UzWTzeOZ*p==bG{hbbgEJ z)rFhbpO?J)Oq}8j&e0*RTHiWDSj8+@#W+~SR5)%6Ck9R-Yy)i3j6EWRyaS zrxeONRQ;G1zGDLSp!&13vaQn4lj%Q0L`vJr@MoDd5&>g8+RqVFO-G{qvcWBb?$K`0 zKy@nmvh1TZ3Go)j;nCc{Ng;CfX+Q|v@g#%zX)E5W%>(z4=V@eC&9q%Xjb?pd#|}b_ z%^HBKPs`Tu!&B)=i*L4r`}Sss*=;d7#H$G*60?e+4OoqbO5 zCI1?0Vl6H&H^#3uK3dh4hcCJP8HpL&#NA|GUT*5!n1LoAIa2_C2G3jzL}smm%D4OX zcC$QN(5ES0t8W+7nKBUo5tQ^+U=|zV5xFWUaxf~;s}3UmE34m zvj*BR>j2uWI_*ja@T$91*9dUcXft+d#m|8kE-dQu4R!&6;KIhPh$dYTYr0K$upwa= z>fs>_x=e@g5WwsrQ#Zj?_tnZ~Wwo*;vQXKkEC{%W9QKA$H^ftS$V^Ps^)S?hfY}Yf z?GjPxiZJU2P(b&A7JP^y0$J=NFK%MN-6#e$^|_;ETd{s5kj=RDkzNuuKT>nfgJ#S} zR*`UKTY-GZ5Sx+vk=+SSTY(FYSLYz>C6=B}feE4#P)lcAfDsobU@0ucP_E)9?+A1( zIO)UXu^HR^7PHgTJHKT^saO{{F>7crj_C3}f56`vg5I}ee8NUO2frEvq(lP>o z?3_H-&{_BjXW=ZIg){^Nmv~K(W)pdy)sh>JPl>)Ot7bSt5LvLV4-(Z6di}bjMeACgN6!PZ9DSrf7pluarsS1oSs<<4rkih)dmPcAV*Rn}_3GTik0kwvD{4_hYZ& z*lUh^P03qr?6od1j548kw*Co%4BJN3EAa4A?zRoaSMauNG_dWEHrt2~D%@->ehS!T zE3(<{Hk;&TYhd#M?mH2??a1Cs+ifs*Ti$M)63T6`_0Trof;_6xyfyoVlI;d$RF81G zeeJgy+byw#5bSlif4uFtwEY$ccXil)2liW@4VT?;i8L@boE_L}iCCI34POL+{g+@9 zp#4zJk23owQh(uhqO)-oEEQ@sW`E0T){^b@wgqxCUDX8BZX<7F4n0ly+R`9&E4&VeC6OHMpD5!`?Bu z=hF7z(VnyJKs9?X&&pyA4!g4p&+I%hn5=LMQG?0qY`v~+=Z_V9EaGFQybOFk)tL7N zpMT=&?FhadIB%Q1hsYZU;=b#C11VlNIlh4%-$4Aj5#5A@n~-ti&21uCHs1+2?Fl}6 z+=GiA?4%Q0qo?Fk>nB1W_0c%4=CZR@ZgVDQx|f)%8rD){)9@RUfN}Q^0zw!>A|jH4f+P>8({!#RHkX$LG)nDAIs&MYWdbrV=Tx4xDFp#YL!Lb2csMluIbl6~GT*6HLl1W>qFNyTpJn4goUa%!e}U(r zo@)%qWy631%$ouL!rl|5MZ4L=G>Kj*Qk*fA51UIxqOYn1cT~#LS53-ctxGtgP(Cy{ zLD^ugcUrfMp^EM=h5SCWX}@pHw%oDcPF+vB=;OKKJ>h_`@`-7+ZIUN5z^*;|d*uh7 z9!9Cc1)|zG`xV$<9f}+Lcvm=|e2Zh=NsA$akLhl)&|vO0Fg(--EH^gfgm9oZt(r!1 zmt~w({3%nirD2B5q|b8|uBbFC+5KkzEVNz87o2-%zd?K^cEs4UKhj|%dHAXX z5h-UnTRO~YQ8zhH--@Aqq4$^;1MQyg+(s)(i*uMm<{UW zFIp_x&icatY}S)c2E{{X9M8+Z0*C;SFo_CPlWJ?5f7J{K;3dieLkeeS;Q@?(M)Suf8lkvGZ|JqZI^3g4OW*EB$e 
z-XM0Ye)_fy5_I6oh}PH_4yn<5pGZmZVeUr#?62v@lAJmS1R1hTCd-PgSOdNWEV$VB z>C9TzNgo$tpUL^5aj{F#@~mVE^vgRJkj@lt zTPhjm>5JSrF_Sp6uh%LyiSMRmT4d8Nm0gWnH}7f=4jzNHN}0tR_s{%pgr1wMvXONW z0?N=U0qIxApcFqKB}e3$=6C0QBsnD@mCiX2PHds_P@#kRCTrzLf<7~_MeZ9CSq-5@ z9~Y=I%ne)PeqMvhGX&A}pg87r#eH=&uzHxHIm>0qB-(NNXikR@Pl8w)@${tH-KFTB zz84!H|ESmm(F#~PN6@z(nv=PJG*TH`yp#9Pd1=e|cUkCFD+(`pv}l#kuZAL1@erLC zVVO@l4D;U_2;A8FJf1HPkK=jVcNt>PPR3xf(akTB{Mx3`a4z=7`J$dIxULx(O;KnI z-uGLH=lkm{OlZt<#&Rh{T_GOqWEj|(y}`>EJ+ZfFn(mFI_@$9>RDVEeDCjp74T2>n z{EvlmL+sH%TwDy0hu91gNFfR-ptdU?n7>D6$a`Z&WA<}_-l@@4=0B_lI=`qH(hGvR z@HFOtl#}$x%nrnvMn@ilW3sH*0fVQ3 zw~Owfx#btA!M;9r(GEms{CfetbQ-oHFRlvE zRj3|8>c-)j402d}h#&2=~j{Pgz3FkCTGiaCfx5sUjNaN3YS%$l@0T>fwDJZkjE z^c&@7dn>+hjLe^(yMCNEnsEmIN_V*m4yhBc3E$-Nz__=u;N)#JQh=sa#Vnp1 zCSP+tkW4twE#Z*b5EAi{wYxt0k&+4*y035$I{E@=T1U*Kiw<{Eemh=U{Fw(sNE?&^7`gC9hA&YcuttBa#`1p~Ny)|A ztm@Sx4w%RfYL-IMg#DDb@>0D__h(a4`FbxtTsA53j9yX11Nb={-^zJL*H6tMDFt+d zRPKCbFgBAUG9}Ai5kbX2{ul*HB}^)vVwJb{eguoC-s|<9geg_ZJUE-4x0uR$mfM~1Vj#XikNI|;xXaLgj? 
zM2SmZ9hHA#0P_BY_08GnXK&AN7C?JB^TJhz8=>NEXQJvUb)=sL5K#wlS&m|ps`@S1 zH5nc~ZKbzt-bdYy-)N$*P^%%^hW7YFx3x1xRM+0LXb^yH84W=6cIta;A^Gd;9b&Au(l>_;Eq zE(N8b8jLw0XY9a@puD5_?V}4Qj9USFESw*S1X@@P#y|OBqPzi0T)mf@(Ipp2%t8Cjz3~1ak z^+VtBG@xg&AR4u%Dhby1(3N&s2 zI+?&ENFd5;(*Xv>tW`SQn`JI(XYo4Dbkzqlp*VCR$q9001Y^qDL?{Og?!BkFZ}Tl{ zxz^fM+Gfa-)7WM>_6c!{gApA8fERd-0WAVO0zd*rCUhm(p5@&Rts4>SOOCofN$J>;sCC7huGQ*#HoXw2Dq4N@mrY(Kv_WoCz2t3^S07u8rCJfwB+G+%vPk zqRc%-Rn7oEpwVBH9BS>dyY8OkQciEA2cJ9gkKtd`@LbC02Jjm2JQwS^VZRvp+zfbA zC7-hEQn+B|!wg6tA+V1z<90b<3Xi>y=>6%8@XYWGvIkK2MuM~7i92yCZpBWTZ^ius zsC(h7d*QB&;fLlfO~{mGSSRm;+-unVWIx%ByAdaR)5Wnci)fma@@5fWIAOzX4$r3a z2>+Yhgm%FHHaQ@L{l@fU9&v4`Lo8ghFtr&ub7)YOE!HP;F>@97P{lE_||F@NRe;V zcHELpAn0b$bTbKqxruLPnwp!4W~Lo8)7_R*WJ|Hm(kOZzW~m3=oSiO*7~lD2p7T5R z6s0fooSW{-rlQ4B_{~#qQW0%?((0R$QI8P_Y2gMK(iq8U3c#M4q4`xfJ#quvQ+(42 z-iT;&G!ja3J}1*7Zdo?f4%h4Cd;?6yxN%~c7}`{DVK7z+WH_4e@m6C~$tH@t#Uc6F z)hUvZhg~HLhq*G6g6lD&0XMX(S^8D5Umu(3XyWLEgOhz7;?_ED1*}Pssdor3rNmws zIhTw2Ltb5gSX}^;y63R&k;ZXm&7-64@u23}HSe62AUWq5eQsM;)l4 zbL{2TJwkQ#TK5!*Da+~}%-Tn@29ZGRldVAUaaipJyyEWS zwgcDE6LpBC8VJh9O6zE4ZDdqODeI_ZT{Gr_QyoG~9c7?4sxdPK(hD391B26LYPL{0 z?VYi*!%0llM^WmZuP|HuaPeeU%sa&1tN3@YVzD;{1D3naYFX~f7$tWxYFfGQkvOQ- zWGVTTcqy6SuPw1S*GO&IS9@v7Az|t7>ZfqZb}?ic@=Gp$m96FW=l4{o)MuUtxkdys zSQ$T3A(2ML-o#p^M#E56)P(tSPclg`YK;)I@<5tWbBtOB$YEJR&_Yz zw~D2vqcz|oEj*U~l4;uOM_LfI<+Dt^WLInXkyonVC~lM_M~ve=Y<8Cye)hDS*)xtf z6dP5%DobpY0MrLnWB8-=iswp+$P2?t6MYWLbBkjyGNB)0yAa;#(4JfjdlAHr_|*IA zdY$yyMcXs5cErq{ZR&O29xjCbk4RsNF(N{Wj@o1tglS1KiY>j1h<@Njyf}mgE5T>2 z_61<>q8DCG`%TgO0gDrn z;zTUyB~+GKOo0QK(hOnc1sAQ{5{TLeaLckDkVcdX2H*#!9|#43&N3tq$b?sM)&wE( zgBiS5#SRf4NF;A<6m{GRZlibt-mq6l;9P6?%L#7Pxl@b)Z>W)D!MWZT$`h9P?RBS^ z!b8Yw-+suE1Rj&GZ47Ud!ZhR$8GJ#d9al;}1pI^mJQWRJ>Bvr(@{`-;Qj)M<1kvpmk;@)E;Rq>I6&Mu-BuyQjZY&Wr^f9b{1KfkC^)W3S zM~<$B?Q%f<0v+9JL)^iJsx|(!^m_WW%PSD2S~L&DWYB9oK^^ z`oTuX@viVZ%OXa$$fA0?fI!o08(D_&Ur?4~7Tsgy^cjM^3bRw^{tfNf29T+?rVqqI z&e)QQ4Pwj#6co3+*0}WDH&X-yomi?~V>Q+6sWYECdW;91os# 
zT6!JkL5wy~|5EToKRKbDD(R;i`bnm#OZ1bKeoCXMTr|}Q{ZvU)Z)mFgbsmBs37R(z zua6VN`65X}3DVR^nhJ)7lB8Pz(NI)0lnuH?_3g->Pc>+pw<~lqiz;oH8#2PXZDe1r z@3DGxLNxXb6+Z`r^MTh3x-XP~pQHRc#JUzF&^C^{r(22-abymW9t7a>;Xw|Y*~uVA zW(Ns5hfvPZ+d&)SLRa0r9`vz?2Z-4f?7SV3&M@5&qbzX}82by8mu*0YiIe<}ILRa( zCN_kzE0|+L5es0|XspcVy40ixN7FUPlRp3=GsjocbLxW zwS9JpX72gf=I?cNc9`|`ww!H{+OzQ4Dts|a;O#KW-(!Gg080l8lzBw#DwzjS!<5dj zUQ_HO%3VbFkL|V1WAO(ymB^Bn3%I)dmN)eMqs#(5Fp)`czOmB%%zD zb)^GyObraqT84rfdb}gv-A&z{h)wYWXuqzcTZG8C35v0O)+v6Kz|Aj3*4`52|HRlY zfF!U|Z)#z6#HA7wECmcuyH?R(*~z{!y=R0F5Gn^u^!H<+R`U(sVYD>QAR5hQSR!;= zz6QdhQ|UZ|Xwsg+uFa+!9<)`=HI1o%onDU*mXj|E;!Vt)MH?AgWmH}dj{`)HAxNF8 z3ExD0lzr0~G;#&&`?Dbu%($ZY=&nGR4faJMg%7<(gY%^XlSaS) z!_(7Oy?gD6;zrYuSnr(B4^1DS7Pmm!rMMA$T%)Uj8i}OSz0@zy_^N%w~}W zN_7g-BHgWNx}j9lX(~d;an(HChk)?R?|2?#Fzo0YWm`8o7Az|q5jDl&sqdR(wN#oQ z7PE!Dmw75F4|rJhP!WTbTteX-oOp^M@3NG02tE(dfNRlrlYhco^uURvOoP5yd|LG> zgG3V|5uQz3As%m@{&_R#x#rZSu<&$~b&N zR0LB-{cI30sXX`vM6w)w17=zVzX3AwWU%+K$3X96pUK|G9>c!RJqA6V3HAk$i3fvy z-W1y#(4=Puz0W-iP|p__`aJc_?_tGlusB2eq?Q&d2ppk;fo6tLVBcrZ<0&OWL@=?ViBhQh2C4*WA z8ZOAHfSW4=nYtgVH;mhzM~2CY#07`>=B^x-cqVmNqsuC)$#+DSTZ%%I3v3b)EA0`L z1r!DhNR3jIke3uHd?b(pHD(Bz+{HWs>c|l%9|X>jP$+aN>n>}UK$QrB5CPhE0jMA@ zw45hVx2m9EG7d+(uL@ZMVK*d>TQ$ScAx67&Qf(SPFlNfNQI%lm1Z&Ef^@)oEeP%AS z$DVeSVK@1U)1UaQG)@daV4kGjqC-8dj;8=lq(Fp&%HTvrN)@9DID|Oauy8lE5(hbb zO-P(Fh6g$=mvnwl>O|8b9}U7RW;RXj9f2L1B!Fv*aYuxR1G9yuZVN*dIdwu!MI*4F zaczWD#N=O^FIYHGnScO;v|)k?>IyAk?!~nRRP7JM2b4BUD$ZtfMAYB~6Cry#rlrOZ zCL+cLdtRW-FsY51f+KYW22&IUcORf3mgy%*1~!qlq^XxHch?K)pU&Zx!`Jqou5&9C zS>pawNpH;gr}n2k<1!!ez9daFxR67_2_}^>yvaGA)`Lq8;=1_%B*y6c2Rl7E+>i7- zfR9HUd-R5Ros37L-}KRn>>_`+?Bz|H_1&~xxpBX}SV27F-#z*@ht1pc{x$uA@#&bl z|B89B@}Azw`!~IVACLMmvW|o3hd})Q!)85cOQp?HZKs~9*ehyO)D%0NvVJTjE0sxn zPWL}s#VT2qsI1nhDK*=rX1BkaoldbI3WY+U(C72%d^VrVXZ~D1mCxi8`Gh*3PN%c! 
zWIA)_(y4SNok%CN`D{9y%_g&%H(_^o*DLj-56{T^P)tu->fpF&q`S2<&s_vlWd(<3)-pZ=oFR6^p6t#kVoM<|Mj z`iDF#LuWO5T^TUfYgjTGbSddz6(ve>r8}koA*72+M-|%*D#We~SFET|9=Mx9@- zA~J(AONxz08KCx5mIXO6O?=`=U;z#)5&Hm&f(1kgNr1K64=i>*qyr6qh&AOB78;50 zuplT(U_U7_ud=i&a1xgrUFE0(_*5%Ga&B9q?41k#i|!MA8t^I z0HsPRNgAbq>x8PID2q~N76{uzG?Z@$3M95jz|2))Yk0CXfXa|d*9Ez4i7jL**fkAq z2Z*78#a&ph{levfIT4Yob)foV=uPiTd$t5bF2#+b*6E9l2-G^Hop3~FYY(j<+r^C9 zD~p{s%LC2U;1BLpwl`Y1!0N0gI|4`>kPP%6*&MbUONg#QR8{1{>_)O=pt>;@K&J?6 zk4oHuFCPH{rOJa2fZ%wzNA)Z4K)J#rmyjTd-y9y3ti+oPpsL)cU80NaMS|Y8T*62T zfFcgIW!N%53!u4S^1?E);3r12Mi7>T8p9G}6ua21jG-+ckkYUms1E?5STbX(P;Lp| zmABSZk)S9%B+RHVWg1%znPREEOlOM?|s zDrMLyh0LgoEoB(KP&u5z;vy47aT9dpltw1R*);P&-pR_?SadyqoXMJWM5r09+Q=lt zsR6T~LyvLE_jbg{q{eo*xFG^YTRO%+up%`OmmDJikV0B|d15Spprt5WGXSuum@&~% zTw!*N7%J?1Aa$_AJ)%WgGIwm{1#J!y@)E@st4TQ+8(gt=bcUW7v^udEUOsS2lpn;p zHd>=%0cbIzDQh+)xU4l9Eg|IE&VJTQ@ch8YbR_E)VL=SqSERKztKlkcMB5r)Li=G| z>{AoktO4|Sa;P3MW$`MO!$hsNW9NZU4y&PZSn_S>e9oEH6+b7LqI6wkcI}GUit^()AsBU^3e?>a%rTKdD0!nUp zt%<$~h~(2+PtZ5Gw&=~eJp2SuWrb;ybG!_*1S{SUSMXj-0>CjfV}&;^@-%K7X2Z@b z=2ZY{!6i&jnOi`HB{1xOB1hJ|z#4~L!9YqX`Ba5@XkZBMcaeZL?9Vjvw=ifUMIV0j zd}z^Ycp(#en8_n4DlX{xZS-;quLjY#Mnlv0AV-?%9q;ia8oE1|5 zk*Eqe-Y|q`z>YCiu)#tAo+w)EfY}-5MkfO~U}=K*6BbSnR$T+CLN;~-^AQ7CYFG7$ z|FmphaZG(;AGqIx38IJMG?)umuy|#OlkWcL=&nJ;J9uHTA5cQRu7pu2D!G#Ng=2#a zuSKS(ukrrGxhDGHi&>a+^yCf87XT`%SmlUO2uFdS;gE+=VK{*>2eQOuSP|9{4+!D` z%1Zd?$eEx6CIi4`6lD;C)p&yQy!IV!z$TI`rFZr1p_=q~#iEiu6Bw2wR29zqOg1mOv&seA(V=>!Y~1O=jsZuIWPzBix6<-Irm{r8`} zR`37J?_^_NU+>jq^dI-SF%90yfB!4^*%RF2C(=7EbZL|NXH2q6g ztn80cy8e8boHBi?mFZWr-zesJeFqzjWZkOr*oBdBy*>Bxm z#g@9vX;+y{B9lp^mzCG0#>`5e+GS>|dbZlltLUZj+eBx(P%2ePJzKj;WM0a&9Qso3Z$je! 
zCFRf$!5w?i>D?(C)qV)Em1R^SGwM(yQmg0nvR6$0N9yHxEJ)rm^g#rZRS#Gk)<^^vU9blov4DSr_;Fmsz}jG`joYOTXehjD&YuHIBVl?e0aJ*FCOAdvTsDZ@>t3 zZ$Js}3gy&ZNAxxkYW(GX=zO>NrSu&b%N@p=cN+F-AcnoDlf|5{V$taTv!Kf|MeJ5JCtc zA|fIpA|fIpNs?qZW_Lqr+Oof))I!HgoE=JOy%qUTisFaTta$utOie44ekto$ zl;RuM6{Qx?Md#hAk90xoQdVDc4)g3aC#xmY$#!Ni9$hMeFNz3Fi4@N2I4Ka*T4q6`^6E}oo z!ZUtMnB2!CJm8pwf`9^0=znA4==rzBghRTZC#zG>3cB^Mk{<>BCc4G!jCwq8184FV zaV$q^aCKhRJ8;#q&x0>&$HtZ#w_)8=@QLo8!|&s?zhjciOmZmQ#)Ie!&b+q zcVooyf0jMdC2(r5rtvAIOwlTpv$`D=&h+$G2d5Uqv+cqKu{!c`q6eqIc)5hcw0F#r zc9Z_xP*S?(8A347<8=7B^KoAZ95^L-`Pt3n)hLiBvIvjE>5;n^(n|M=z-W4DW5sfx z9hk-T0#sMtwh=L=VA!)=&`bHIWXclJ3lWeA!?mfWJTT#?1())?MC?QC>Uo zU5Haai!M%%M+T<`D^Bv3GUtI5nj+U0uH{`=tr-kQ9T91837&XT)4+eu0Q?h>+ea4yR4j6A>g!_@n;MXNg5pLF5)BbO59vBQ z^czzJe-`}s&Aea|^R30EoDP2=IO%?ssN?d%db*NxGW!M5cFBPlvMJWcSd%_D{0yo< z<2`g!&&sIoaS~1u#z1*7mvG8pd+CIs39AIT4^tPGEOU3s{;`|tHFM)OH4k?YGTdfg z=r#_}sDwi?kuM3Oe869??Q=U#J{Log}X=6;o3>|1nv~%OIgaC zAk+9nu=Yp67$l#!$`IibP;N=NVV6626~O@v?VW9tR`5aFJhi%?MHu1ys>zWfDnf%N zm5rSWdEe9;@eCrnoD>N#aeiRrVg&5_qLhA#_cwS$J)1*jM`@eFSe5bqxh(o%WW+07 zSQE3{M9e6sPdGLrWL&fdUmOMTVR~=6+m&d1!(RgjlwWQo8;_x)tAuElna(F?YNxVX zHWezzb28SggNZ5l-J~%OlF*N>85KT?z%E*ZeODauDy7*7 z!e(L0YKR7xnKo{Sa}5hyW7Isi#jF7WEY}&6U1e_616Qg3LyZ_9J&M*9^=#fHj&kj6e`_I@^{lnSb9$Pn%tY)t->4GZZhM7tQnh zqgXw|JF@9SA=%Wh7lcmUCvxXy=tAeRinEN$3%hrrFA$3RcfG63~?HR;c&Si_cPot0nF307CdZFX(YX&_uqJZ5nRXWMILf z9OR`aEi2o`A9;?2i&YYezFm7-pQ}?!j1ki*U)q^Iup+f$bF;OTN7(`cyYWw7BZG4b z0JT{nD5V~g?K%imm2K9+Xki-HP1hI((w+@4n<{B$uI!@aeaCzV(Dw5 z?joY(W22frqI5LLraRFw))r68eB2=q@Y8ONrORd2gS~IlK6oD+;ES4Y*L*R>=fxi1 z;mNnmlNu8S@F-mwc#%Eyxpr0j(|X@h-NbG6cGhO7yh z!-T;}sD$y27%hi4T$@B_R81O&Bc|T5Y+j3+Ytoc1v23^SXf}fZQw-C`m6k|xTTlr6 zU5K7=Q00cuewY~5)QEjYRm?+?4s=pYoHaG7iG!Sc6qGK9J(`8iORLy4QIU{VSm2Q5 zjs|&y&0m)@SV`3}nB^(ArcQIjnuIj6Nzm@zqjVCo z)6qOY;+W*&RPZl%^bbno9Ce6D5Z-f?=JeqaSQFiJS0VX@p=tR}HD?FKsGr1NAW!f^h>$6Qe1OmU(n2d>0*)5z`<_SHVMy_#2DJ_uqKkMr-8M%$!XH+h^M`V%SzVc$>ErKXL 
z2O9@|!6lud^X<+w7SwP6RAAsk@I!EQVqk;i|4=|M5CDjR<^Ldq&kLr_&yRzpQbO;b=q08>X;07F7eP%trHGBY$aHa9pqF)%SQGc+|eP)tEoUrA0+ zPDV*bRZ>AjNkd-%Qvg#L|F1t=>N1)=>LplGz8pG z=>L?2Pv~f6cw1cnbZ=>7X(=usQ#v49FkMAqPE=!JAYkbK$Vg#d=>Gt80CZbaL}F!b zWH4I*AbcQcWLt9pbZ1>4TVyUtQ%`VX002Z}001{dbz*dGb!KvP3g`m>poRfJLJxqJ zm;mAR1pvyLI{@ShR05^c=!yUUWIX#<`*Qn?`=|TC``r8X`w{#s{6_p?{CoVC{IUGY z{O0@s{Tux?{ZRdD{e}IY{kr|t{qOw>{w4lD{#yQY{*V5t{>1*@{`vkC|1SSY|6~7t z|C#@@|IYvD{{sLX05||s0Brz>0HOfB0N4QX01W{r0YU*>0e1nC0jvSX0pS7s0Tu!= z0!#vC0)YaX0=5Fs0_y?>10VxC162cX1B(Nt1Hc2?1N8$B1S$johyol4pw*B1cE3KN zf8nmWcC1w}Ao~`J>NU%Zu(KcOsnXZBuwakx9(1SI)Lw zc@jK=H&**iHk1&;PnbwJZ|ati$2x)~%Y}5;^q0Sv&CiCQ<*X_fm`)4?^ zJ3q$K-_*#2y3NxXCq&)FmdPc%&Yx?Ogr#DABy6nP_S#^tbcpZ#^OJj20JS%#1LHM(~@&(nIt5t4$1(7 z^0kNk>lzV~WC-QF%!p8L3Cz5VEM*zuSQod^06?5#ti|hit%M1b_;@)#fwL6{$$QS1 zz;ImZd(JX`k7$7DtE4#6)kPwj7bYi9pC|jo)G?xC?WnEDj5uZ9u-j#;8jc9ZgPI+2 zLirtC#8~GWrYvbqlIo3c8f5MP+Ddotnwg_*qJ?XHw0n37@^={Bd7TXd-GZrm^v^Ym)y0W;+C`HTvO56s60fcq}hC%`w&E=r%X(C zyBeH8w(pLsi!6j!rV#HR&?zyI>E)ylo1F}tq5GQ<=PC3%V%Z=ltcA~~dR|LJfGypu z13=^uc`tn>zxBul{+TP!mMc zKLD_GKmb!mR74PfKVXt zDCz&ekYLa!=>X4?>HiCa>Hm}GrL*JjgX#Zw%cO_t{}kDb>Hpe-n23p^iM_85gM;_q zhsP#th3$wH=!X&UHq9li8hKIiHVkjNCS#fhiw{Q;f4vdj|Iu)4flUchboAJ zDX5a<)(uHgsAR;0nA~G@} zX_MBtj1FVXYxDY{%d^UUV8{eU&4Larvss0p0}9R5Q=|L^9GXNwc|%eBEaG>j@+o>^ z<;qVLsQmg>j;pwS%?}R#Wp@rE7aIU8tak#;yZWn21tj&j$CD2dpY${TI`q zvHAXwLI=xLoZhoabBaLurl$RnA7g4N_K(SQgnnPHbFe3C8k!0wYx=P#W*RK+HF&V5 za(J|+!(+6j=L_00V5JxHELF=6j0^CWm%(+L7tdX+6oGe=$$6T%PX?=*+mDz#pB$kI zXHXGc;0}FfoLMdJr!>P^$6jC{Lh``VBTti&e`(N2ySh0`>!AZ3_dYlpi@IGfVmebK zg$<>L{IU6ZL$IsfsMLqF368S=V~T&C%`sy~cPCTIqB>oW1VDvPDPAxtjraYmFCws8n!#HCMT~p>h7>pfZ3p0=R5n_X1J3aAVzUWoo zz90E4CX4CjG{>rWC1@N3#g8UQ-}2HWENo)dp)C9*d5ZW;ay++Yr*aK|HW?*F`Am^V zJNMrHhQy8r6rR{%#5LJ4z6+&v_k5k)V^ua0=IAHu5rBE7S9^7@L6A3~gnwO^odBm+ z5o%&AxayDO*H#NYAnS#6(q%2)6V;y@B_K1#ht)UMDw7qZ2(jT@s)=m!GlQ(3{VGB% zy|=?ATSwVbI3d#Xh&skIYDxkR1)Wu|Y7@Atp=k!Yen-w;(BgoCi<0f#$UQ)=*LCV1 
zk2lC`7iw=Wc7@;;V9LLNQ)U|+Ad9u#EoHi7H5TZ2gAA2}oh8VMy;;~m%W3hoF3(Ti|4`pMZ&%R@@k zVOLHh5WDZxh#%dH$s3JwHC+v7CuP~AZX-d5RP08%P+4;Yb9hxHd;El9o z;u?lB5QGn_lEcRElLM17Tc%GkKGp8$P7I@?GsGp?BeOjxY{1{sZQ@xLU=YAqZ=?S^ zw~ztlEuNzd>@C{FYRTZKSG}V|iQP_s#pqb)t)#w+k zf^CyrkKYtgo(;iX5A3)Qpj@YegVKQ!f}0&&Hgffw7sSd+FD1vSz6)viKsI}Yp`t23 z>7a;j*BB`3%%XFSXNoCeIjWuE-WU;2`UXZkrW$ujK>+=izI*rOJ3e?!-Yh@$@aM1M zVOHR|dznng`ByQY$CxA@gAMpspJwG+ zO1Maxq}@iHK@E6{b4KD#kWIT?A4OQe^f} z_TP;Rbj-0%)KbI7EdvH%0<3o|r9t`m8v2GdC*`L{bm|HdZa2^&=Y+Ds0zNT8lxe`!a;r2f*2EPC3X*+`yWK2+aM zOfHCK9ugR@jkTK{RUO#yX*M;pMY}}vnLBy#&-rZhp!3;8o|5OaQKmQg3jSu~sRn?u z{ZgLtKh+8rvNDIE0(Wm^r4k#_;m=F)7fd_mI!_o^7T5SXXk)xR|~Tx z=4ygO^z(HFhp#eRKsgpy#OGHQsrR)-SbhaE*8yf8n7~oK5}>gJ7^h6 z5~vZ;MKTP`pRo~uEyt1r+G=?|SZ9Br62KwAp3!LgLx zrXpVv-?rksEd_2o%b$uAGiFSfa)vh8azYzyy|UyhYB^^l8w<%8+Tb{4)+s75DZNB0 z@tj?vgh~QY6NhKbK9OW8TW6Krv^<++b(V?9!az+RJR1Uq5-o<1oL%+kW;f(M zP$bI}eVyIVX@1SfjK_QJNPh`mE4tuO88x49UXBYJHYga5T!TxcYDC&9mtWIdG^#VX zwJ9fSmxDyp7W@@GJ5W7;v*!l1E-qY{X9i4tKks>gf|!q;D?U14g48pDH0cL7h3MJC zJ?qfOI4|^j24Jq91JIsvI=Fn^?w)*!3kB0ti*FB#Z=Y_weKV>V+IhR~c$)_I7ESD} zisGJc%QVLKEt%EZ6nFbUS0F(J3vWXZ9#U^Z$aucDBTzZoTM-IK{5FFrj&C)D{ca0= zRpg6I`-USHlHDehcHQ0GH(Lf`cANGM@o#w~)s{DwztKioswMl)3kv4+TNhZjcd4j; zJ95FvZ$($f4h2N-jN6 zax4XO{&8uXx$qm7=D&^mMpnuvBpvEoNE!~Gm9(Mh9bR5R{XWv~@c6Zl z^x*iDq;UVor1e3dB9k69YAnrwkfvT8(bPLL7)u`+(9|8?VyTq7Sb9aLBSq%NSX#p& zQ9G7Kz3?4Nhx{yVM;gYB{>joj4?fCL$62h@q+%&M!`O`%0QP+(eDJt1T0K%D&m_0_Ur}o)98DYOihV@~OS9{jI$k z*DC_yihl(tM>N9{M1(<;APm!JsB7oX;KxiE9mx#9cc+lVn`vLsy!SjV(1PBYjvtH) z@_E#9OpG=3R4~dw3At2uw?3Z zByJ`u9QcpBt^jmB?ixS^#w-6o?z-uGDpLf+dECjUQD{uU8LLd^v~MeCd31dOs4}%t z<0qRkz%Q<$IN6k||D&l5qZ-~v)9yDQO?gpXp+y?ew6kwLw$yM)|Jzz41`PX!t&b~K zUl5OGSb@QuT|Nnn5HFKwIlmlH(Cz=u`;eNZpO*=r7aybJJix~PN8&xlt}g9=VXHXH zhy%O*R(<9&MgCKT8FW41ZdiW2DSMyxzpxcl_^S6%Y5b^N90yoR`@q6hS8?<4JAbwX zfL~^cu74{{LJAz>hna?SziQ=^IKf9XMNTq1A*<;o0ca&NgVnT_Tu=Xh)pXL;qkC<` z1;Ka>8Y%Xa(DTo4txRAzf9+`!^2Tp%N-(ZX6+5w`OV!$xAI#je(_^EwgYk#{@PFeJ 
zfr8_7GlPKdu`;Ea^ktmN?Z0uF&4s;<)2NU^3};nvpIAj`o)zVrv!awOpezOvm?!`D zDmRCdyH|O`f2PVV{Z5s|0}h?*OI2RNSO2qV8GN~@X+OWy#&oh|M@)Ocpv&PHWte>? zw3N8>u3160Gt>0A^83&4l-`}+DGZW-t#aS2H>Tyd-uoeyJ>s`DU7yZ=X&~ej$&XZd zKu4+^@$KW(Yk#iFOh_>VQ0hrvtE|jsW<2y?*r^aYW0ZC-FzDXA=lPY?z<$lg3p)kW zS5-+S2Rp5}JCE-4yjvY^i@CMaY5nZi;zG`4YU#BM{Qj%ekEy?PYHWSD_IP4pj&02M zGEzu)O0(B82I^0KuBuOd3g*k5D!sSLVE%QUy7qRSif@8m>gh)D;`eMfS^QR1PbJw@ zPe0d}s)P#Rv&q__{iUZU4^1NIR&9RXnv~$2p16#*vrkj)gPx-NROo3O3(bc<-C9MT zUXV*0RidR&T`a%!snw$C(-+FOA+^#Io3Hu!GvMl1>L*z7neKKF=wgekp`1r1MBsje zAWZw&@FFmfKpKjX4(E2@+L}zK{r{d~JHV$ee7-qmM2r2-IyU?3D0y`p(CEK=dUAdD z)bahOT6Z@2^Tzye@;+vi(<;DaYh`5F(%{*i7BaIv)w^nYT0+?1SNH@WxFq)w0A4_$ zzjRU8yd-}bVmv+9(e_>tohW|1a!klIVtD}erqKX=p;uSx^CbT|0!Ni{I-&E z$__3R`D}m1>R%hVYk~IGAw^HFLn^WEoenP{vfQ`NNwIMuU9kv}zm922XLk^3Vcz)i z$b*3g^W}&c<^=04Un1k>%kB4T9?Xd=EnhZB%aB&Gp3?`e=Ntg-IZc!aY8|AWQ&~ml z%!qVOFa$d16&(%P(6x9qnE!|9w+A9x0V;PuMB@~QXgw+jX1b!LE&fGKiAmZ;_DPXs zQB%g&EEmPU{gc;i^ph1U&SOk*-JZ9Un{u1}P6Xxg3r&;V!q!TQutjeF@hLre3e{BwoK_JNcNYCQ2$NZQrHsz zMOyz(;k`MAELy%nLw|u}tcd=`c>O)cp6;)ToWHjb$8}Zo;oY6`bAgyFrn^8`0k@V*Y)6CY!v#plTBhh}zI7_!HW4{n0QGoiF@oen zS>Bqy-GaVlLc$oo$T;fxd$GpDi#9w>61+&_7t!&>y&(GS_VyT+*83i+en~#{dyMK^ zOwxdFF9c#h8Zf@Q1o_q*eybmvlL_lmkMCcL?<_%V!(i5UR<5Y;C^O$sit<*UXuGFx z6-kfXw-1$(?VCqR7unb$q}d!+@H^~`S+qwByb6;MSYX zS})!VUkri_sA79fNsh!+7!HzpmctlB1cV5PfDl3ie*!avV;BTN7=#c+3?YUPLIg%Y z1Vm_vA%qZv%uwAFI>aQaltamCb&WiJIt@NjQA;cn0~aakf-_)<1b?dUokriNcVXTnGLVv7XsK9b`(GQEZIyCAD6Ud3y-rLyU6d;W=< z-n6=?>B2lx(`;Q*Q^DpTlbW_->;7m?)A}FObO-<%5en17{Snj8gvLkgbn^b8i|@Y6 zSeF}zi-)~He|TQg`p_id1tuFKeBn`d7t>D`?gY5>Uwo@H3m zKQeZp9Ld-*P8o|p*Z0G*8f^La>6f~0`lS!sx9?TihA_!?MmAA^ucF}{5oY&3AO!7$ z``#obci$^p0l)W!2EUgrB|dv8+J2|(S;JFSV@tj<(9@uG(fhg3eqUNIz~G73hS~%_ z#Iz6M-xpVF?a&Y4+qiE#p+ZXafItP$vBTw~3_ZM9iRxYf2q zad|2F+G=4f+g7{UgR32wV{o++&!*KT&V?z_vkTK^_4GC1Wn1n4*J`&NvDLSM_7LvDP4jI?ur{Ezpp9rt)|s8o^nwm0(LPc?jplxj(qYhH(R&HE6ud3BR8 zsTTC3DDBatD3#JJwbH`hm#RGsZdu|zSXyBJGa{N5e~ef6u`#dzwNth$7ahvJ)w;c8 zKRld#`hf}VW4r6PiUjkLBu 
z{oAO8_&X|v^OsaQp_WwYG+8l7+0Z*H&3$%l(786aLg)3rv(lBv`3g^Ja?Tnfe74dk z{3E<1-gkEGNBj4-IC4*2JUi~at&)}B+bRU`ZEyY1S1Wt@zhx?2aQq|Pu75zK-P?dl z8vtMFlYfDw|1+?(nMb5`vjUdBYVR)SdVr<%a6b!o9H=4tETwUbM%H5Zk1L(`-v#Sk z@Ts_9P3m2gQt){std87gQ5x#}|8A^BSy=mDZ;Qn)dg(294ec8TJ)D$_!L&7Q{d>2R zq~~^%U18xP-bQE|kq+Xm%0Rq5=x=G)AK>c8qq2!*f%(rQijA^YsPLM3OI1H_DgB`p z1|M7;F?+0GR^<6LEwY7qj0O@+ihsX(xsV9F-GVqBqIq!e_^^Qibq^{gq2AbkI+;eX z4o@YPZ6$@@cb!@1JGHg+WlKZR52`+GDaRkT^oXLqZYk{J^#7KImSYX%<ISD zy4CWyV<#YT$8H!hB{G{C*i0^+nN2`nl6)lDEBo>x*msjHAa|2R@+QdE%y`Hyb}2#j z%`Z&$%J_Vzr48n3sVY7;+57f{KU#_!{E{~oJM?{)Mk#!|r7IPFXXzb9XJ;uts2^DB zLaSdR$u$xv84{h5xQiB@y|Gk}V@fRL{FD~?8{RpHr=Cl3vZ#V$6(7SC!r=by(rO*= z(j2V-^uG&Ji}b=Ygnw`<<^Q@=@9u?T4mHCuxxLq5TC%}H;;G|v-rH0Tzp#|{<_B~! z0IEZn4?I9>Z4MEuBDuriqChrMKxy-5k3K@h4tRthKYi{sE2n@ELD)lt@}~Ehs zR)S`^k{l;7B8B~2#920X<>xmpB*P&U;vY6|PY;~gUO65>XC8|1}QmG8>bEI=k z3USD$Z6ctPL8G6~ZB2YFOV<0$$8<;B$Z@=<4WGQ`Oqvvq(bgP}&7cX+!8tC2CN%Trm`s^5V|a6)#XxZ^28N!aeABjk zBj1c{UX=x|Ka|TfOE(m%-XiM?iK*M`Ha#_|7~vJ4>n2oTgRjl5TD(q4vQ_Q1m;@cK zzpT2fYP>!d`1-}_x(MTI7VPk~iZ=xW6LCY6^;^M+3%?VrbH5Ro!`}x|^tSvw^zsow*H#NT77{@$5B5mmnd zjBda2iN5|2q}C#cPV1-FoJgX(N$bXIO>d_5e2wWt+#q4y8=a+v{or2H3y=<0ZX`{0OjAQ*S2g2 z67Lsh*6cpo>Dlaw)IXP-^c5^^MW@A%zie(|#vY#w>+>kgsSJzzU>1^vmiMoajAwDe zTuE9PutY$Kdz~%>Cxp4lffH!=Se;Dvo5g4Nv-eee+bzu=p*$j70Ph26!?|&coM&0I zH5A=$lcUDw29a&wMEPE>+Xr*@!^1(d0-e%RFwEf@&xKx?BL8G@?}YUpxSksytU5LuE?62z)6QBm2isE@9>d5g@!IX?&0!$0lm5(_AfHkU;+eM?_#ZUt zL&=hARYq-v#R0O2S8a!eUJDV_;s5-7gCsF|!JeTjXi>ud>zPa#lC8|0>S2n@_Sqg! 
zhi#E?>31oI`!g@o^y!;*K2Ns zSBRYJpcLfukNz}r>EYhp)+`;615l68#W%;n%U7I!X4*lQ@6$kv9%iowBiRPw2r>_G zn9BmCBeEX-vqD(ya*!^%!_``7;u*Z1&|I+vCAwM~)p^FLR+YS{+p{?^ff>F;23VU&JZv0<{6yR5S5q7F+nTPXD?( zbHzDW>os#wwMrK4gj8b~x2sv*%hUhqmk0tya%BXbmT^m#t&_)ES^; z!53oTyFRz@q=KHGQ-I$*pK#{51T;d+#wHj9)Sbm*Anf&SSJ&d$TNAA=Hz&U4@c9ER z?7!L9?ot%ZdVa-3&+&5yr`QHQZ;+--7@(y#N8#sIdhGdvbw5|oVtv`zwe;+H0@KUY zDY-q@Y4LdhH`uq5n9m95{(OLo_MEC+PoH@TiK))6V5q2b*KuB<_{+=G>;O~ld} zua&m$#kIE~dM{t5gsK7Q5EY)Q$>+=-w`{L09y3?_4)D1hy(Lyhqjfs-S4Y`f8J*5K zIZS+CcZjmEoW189nK;@F+QvP_p0hE>(%ou~S)-NRIK#0S{N@dFz0{rRPMoPmsQYr} zF%f>>p(|{Etg3RQxigJ6#ZbXY*T}-ES=ydxdav1h{A=41@7WvCe)>|b;5O~Ht@ z-6W&kSqT4Ll?}7C`c;_iO+E+Xj_t72w|-H*e9`do?V`z^vzrU+d$)Me!mh!=6D;n6 zcQ5K@b+KYgt+NWFSj;QE2d6KP1-A37_Wrbw%ajeJ``jm6Y^f7n1VepVn!IbB$+{$1 zrFx}p56-^!NERces(-x;zF{enu5}_P3#-q4SA@Jk)~?hS^MF6JkIuu&W^e2oRj!`T zXm>6QDlP(ftlk9&=CHobzDF8}bC1+`ZoNOUfId41Xdz3rQQad2n7H{yW;2tI44~uL zU4M@Rpm}Z9BW-u8;tmtd*QfS=(QV3(RbRrTT2ggJt=(O|<_yXl&cL_FqR&6=87+3# z)udv%YR@xiv>4N?W05Q8u94k6k6o>0!F0pqYUxj%Og8Y@>iY>nw27AG|lEHYYDu--%XhE=bRI^dYGSYGJN zEI$2SH(nV(TztKIxpiIUz`rN$bh^s~%cv(k0=+-^6{h#b{8qWR(XDrB)s`W-`4C|Y zGYEq_qOW}96=v~30~@rEnK{tfVTbI-s9c}}w%ERwaEYnz8*_Y0#R_&t!0ux+!7b$g z*-l$$4f&B$abTm&4I}U1PbZnqfQ2HPT6pxxWwg|0%Q`o(I57Ol*>5+|j5lmO^3>*j zcs@370HR~pCCy|Wzt4`nmPos97}S{Wb6(dj6YKV?zrHy=X-(9+ zO4Hwu*nu;I#?--DIO&n2o0cu?KmIlIIRialg1EN3X-8Ua%4vw)n>|>HwYgn`Ert06 zivzm*%1s4MU$!^0xyNcu`?bm_gC|ZJCwW65<}y|GYtK+k_lG*3Cfo@uxBC~Gs&50Mxh@j=^^o9u{5Hy1{*c%%5h4XHmp+4ylj*$iMLib|| zdZFAXZMI29xOr`5)^p8&K1YPFVH$1&J}yI8vCKjD4Ni-TCkAujjE_R?e`v(|g7k*X zY+`lNqm(XKs7`DQEX3o=(KK6D&P-}6^hYuinbE+I>ro3Td((e#cZ_Z%Z#JR+5{l*j zvn?n3R0kI_q4v+Z*N$+f&HBi&cmA^4%e}J(JsTDfXy|X~fWRNd-VoEc?PRTq=S0@F zDK5~GnAF-c(tg3YAZ>{~=pB3`{{jsira{O2qnO@H-m_U|^t&mBuXdm~UGk{W`D&L5 zqUlM8TBuLPoKCK}@rD`7yma2o+KT-WFSceuv=V4KLz{{!Njb2)E&0e;JW`i06hBqHS~#C`Q)`2}A;d{~$!l`Vslq zF58ZumcmYT52;5EGYAWVu{?jdLeh&ME$#&0&^^6LOdHsyq4LsY0}A=d*QmKVlT~9H z?K;zdu#OW5+_{T}G=r8AUx3_f|8HbqsXc}k11rriZ0ip&?iV&m$_vZIt@S6J=N4EC 
zKeEW2BSoYRi(C5@eZZZ&HfqJ}_!0HtRq#QDm7>ENTe+R!Ol+UbvxgFJs4o3m5qAhZ zgrGoV&5P_0d9eP?hb#4OJ#3&T9-=I@!aC%D2M&1rTqu1*rFYnneQcL7G&n=-v<&y| z7|nr-LH2FyYR3Nt!*;=rS#3e`9i^MPq|1T?;wylu(LJ>57SE~*^7SR|Dw~3g@=d$w zqVU9nss8PRUF1#JRMR?0s8`)o-O?$J0FC(FKe`9&{F?|jdXd4-ZQYif;|`?F4xkPl zHkkuF<@eU2jr6Ruf6F3w{A)*DV{>yVW&mUPf;n3M2E!EC>v?oc4lMXJpZWxx7Ka4Z zsViwB>+^3BK$jB)m1`^2m0xh&(5ru|68FD7Acg)d=Z*PqRJH@r)}eM$4Vtunn-Zy) zZoq%TfemOW)c#wP8`C*WHrLmW)@Fo69T0}nhRwgVxGgjN+XB@|b%`F$A*mE+ey6_% z2;+;rq=#%$^Rz&Isub9)Zb9-BjM# z=_*;H?`aT8mfZI;$WWe%XI<0w7m+ z>U#)uL=xzG2f+G08%ChFeUE_H^gXD5GX0(apX+-ynd*B13|(7i-($@jTuuGb)}6Xd zX3UHKb|&VwrdJU69vrJVH%(-&^BvVS;UtS`Cep|A?3rCuHxrZCy^TX@rkrn)4XQLs zXH4cS;-U9nukELEoIzP$N@yDXw?6MKx%4QilSZk2?cXZK3G%ab`dnhwX@kmCK+{xwA{u_8BMR zHOAE+rzFJb71zgwaplH;xOTy)N!*JGV7`mXMc=}=Bw&4<7MF+vT`Z&(N4|{ai)wvW)X zN)c6vsnm_K5Dnr1E|`BDtsC(mJ;Urc8TfZ=_UYqlt@ec+7dq9)$+l7rA=0SOkK2+z z=&?ZM7mzt6xhc_Fa?5c^>J2o=kdq6aH!}hd+FnF=#jtt=i{U_ zAU`gOkMxKSX`5$vr@kf>DK$RFr}WNF_lY#}_v2dq6(w%!6qP;>MxBonpne}m(?0`e z_|??}N+ysJZ01RsCpioWCDZDf5%_i70=K%gQ>T=TFqHyhux*QRBGozNJL0_wa|1=? 
zqqZFx4DCtai+zf<{ zmI16Hk`-jXizWIz@kL+UIV8fyOM zgZcD{UAl0IR+{I^#pZu9EA&4dn*5&@@ASVc{AY&wKMbnW|FFm)W&fXRR>_Is^*;x2 z?tfDF)BmFMAWQonl(|#k|DMpQ|Fv|||D3?k^S=Z#|K9=H=!KpC86cPR(f=SG`riN^ z_60zA=Oy_^BO?9R0k3<_tZ_>S5I1@AX9gSMTf{peaCDF(S@v31f)KoLH zOf1^Do|vCx?yi(2sW25Uxj|sTzw|9d)CA26NM7l)Q)*0QIFB$0~Fz2Vbk-hRKDgt%9NHW9Yv_gIXVVHZKm#!OzV{6$e`qKUqdEQ2ZZY_ z#I{0U>8eZ!T-ta3L>mZ$2m*5zLu*@VTWVWsdhY^>od*Qc9h{xZ+a^sch2kHO$ItHi z0P0-cHfdrh1!w)`0Si~%TGi7J_``d4tOFcuRkw7CeZZm)v}HN!)YKfEntVXag|?68 z;lOo0{bo(>h}5l~bvyaBK~3c{D((T3ywIjOhI6#o*l+3qm;6y5;?KQqkB4?EG^roO+rOHU=gpKEWc@HqU|O3KU(cM28P zna`S`@;jL+OTL+9_N>~_8j`*-;d*uhA{M#au#b>J9va9 z$D7@>T9*6|`O2P%?t3%h4NHYI$$T0wOa3{Oxd;4o!}8MBDHZOV-}fV4`TkOfkB|%V z-n}hXkP`?315?m=fP;2PBInRRD|r4tH~R)-uX^X5dM@y@L~haGq8s4EpBu2X4*zTQ zn+2s@;29YGIC+-$<+v0+)8wG!9F5H*nOWiO%@6gqu^Z{7eP?_S>?}}{T@WDtbYybaR_p~gT{Zv(34cU&D$ zzA-W5V1tPlipnQM*vO(hME3dV3`<#dYMrns>fO2F|`2 zKKJfRfMWvK31GrUx!cbyomZP#ELmjuQN@wK`8|jGK-+UekWz7(ITm7=NFpBuz_Q!! z;H0?MI?&1J_V~7^y`b3W@s0%=&%@z$ZDr<$87V%}SxhyTyIqfXDeHyKz>!9J>it|2 zTtO%1_r`hJ+n*(VCx63Wscc}++v+k|9K*^b^>o->l(kR7tvfIiMHzphij^BX$!uxZW=sD)e(}%>ope6P) zGX;+9-tf;3VLs>6O3hE(I&QnTJ_#y&$p>JnUC?Y~Nz(sC3|FUUUU$XyOiPQQF^yi9 zDI&R!_m*#1A({)~Y7E*l6wF^Bzr3&>@uF@3e;_S~3hduek2bi$R_@BvmPVM1#)$o9 z5(s!&>eb^){|I~O?cHuJC8Y)vP8KWC7A?OaqMc_In1cbh@p*F?NOuM9vG4$J$MF_x zh5{*bG<*kF)&xv*GTNDi6M@FYwHW?(`!Z^``q0vX(P_$$Q@#Cv7Be>Jo}Xqh%1{>R zvEg3p;-i)u6w4xXmtnJlFdH!AbeIh(qi(^RTWkY%mDP8HWEhm4;{Q(=+G!SJmkVN( zXKgRQS&Og8w<}M*ul$ZFdSt*kv=upj*n6PWgJ(EGRYPb4%b-yz8BQd2!VbH8c=59@ zfY|h{Bc%1A`EXMCGeaflstMQ{q z_B%87ACuTIVRu^vHf+ns!(OgI#~=PkoZ3eEl(HtD+}1941e@A)f|JF$mNGL?t6|H3 zuwgE)ZlcYHM+iq`#?UdCK~efo5HJ zuTJSU``s{mgXrqh>QW0XAWS4#4QK*vMzjj-=K|HHf~z^?-Pv!bVw9jbVkp1jl*;{xSwmRMy-8 za#%B{!%3PLpI<$f7F_(cw^qtDY(;Nm)nmG}=Ql{jf_%<BY2d1>40| zlzGQpZI!(U9GL`#B&x({C}0g^{9P>)3z35~qo zZCr^~j1x2SoROLYnR?zuxhEzv0wUcZn&={RhR{MpAcPB21L=T-(9&toiU#U_#6IkP zZnXKx^wwAz5Z-ixdpx142gM)caq*ycy!yN-!g%n)bxfkj)5!tzY#gzPCv78r?@$Nw z`5QU6-Jm=DhC>cmC~i7Q1ibEf8@HxM?XrRE-mDO1WA1coRDo521@X*(IvuHo0HRK# 
zV(TM$B7F`7X>`=!jM(?SW@Io1ukA0o9N5K6tZ#L^>gQa*83tSE+^%V*OS40rtum@J zr_=(%E@+ceYjEbc6J4+{&fcvVmVr|6NQf+(7vL%~Bq?D-Q;2t99Nf|`5I#1cxl z?C_(Wgak;yBce_KV4fQ>Z`uHJrfZ%T5kZa+8i<$6^8#=mAm{-C9&+YB&v&Tvf!A{# z>gGhxZE6k<;BZ5W&hvS1&ugePSq4q>f&VN!F`dKS}A*uL8O#s#z^@5f&^GNZtt9D(Q^yp&vU465UAiOJx>76o+BV- z>T>|Z{rmtO)Vt>fygUou^dC^JGZiS)VJfa{qYHRH-A>$kZ~?B0$}8fg%$N5~lVcjpJ=qblocsIY#&Cwaz0?K>k*a59oItPd{mLN1J;4*cp~cN z$a2_b?AAvOJ&oa@v;BrBEwV=&WcsKBJfz-6C~bto1}IfPQKN=N?Tp$O^b4O)V4is4 z$t*8@6c(MlkD6llWGS4Ym{923JM2W1;p9c>WDsy1`2dLyYo>s@@7LySR(GDW`IZ;cS6B9)~F@gFXNm%1*9uJRhAL@>aGihW| zBCm{lC_7#q9UX`e<)9hHAzj=gj<=BZ$vl|e8Y|PiAU&F!HMtaLuZRcjnXVYe(sVI~ zYyq{Xm;2&Nnn7LZhZVQp> zA*F4yAdR@ivX07{C<9l(kLPqPFI^QZPrm75dB{ZmP$kqDypv<_fDaY%0D&Jp)CbT5 zN%K%J_vMaPbF?OxVh50eq77ngFX^0%aL}DuJ7D|PX)uX6(AKFV_D~tft%rKiM)p1w z2JnKO^H3Jh@pkS~K$UpVLrnk!K-AJBu-zOx4+X&-E)TT;WqPRhkUHi<+ehPmP4+GG9cb~Q%=G~59NB_ zW&gAV2TkvA2>V1*;3#isy{u?655>(ZH(t6bPUR?3x_Dog`=?s%L~??FO)8Tl2Y{XF zpCEyc(3){D&5db8cSif_pWK6Ugc7k%|Ah2(KjMaL8UDhCAev`VS+fSMiV@dC(@|qV zapa+YdP5D@Ke2Jwm^=SeB@H!r8EE`GFo0nK4-Y$%S`xfBuODNdIXC zF>3xv1&qRs$ua-r!4LeW4xs+04LYANU=!E7e-Z!~FB|ty8CWE))7ex>VZM0Dt;k{1 zKfS!9Zsc?S2?N?cK`-V%QP7pL(G}_@=t8E}=#tE_=$~9*5T9{T|4D+`DYFhsu|*sw z)8LpbNU>21Ez9-IKe*@8WRVqd+>?%l^SrGSYHQx+gas#5h%4XDzP_EFH(4sBlC#f|VGVf+f@LkhPtx>QI}xNRJ}=5Gjxa%>_U2NOd)sl#z? 
zu)zKsbT*xQuQPH#(s3cU@9PUme$>|Zqjt$mdX7W%3PV7GVlO$0Oe7WY@Z zAkkMj5O2P!ffwwn7@$mFr2zN&Dg!#sSGjQPTp)Owx2&e}z^mJ$TQP{=%u^h2SyQ@F zI4OCQ7Ok80a(5*z?&z2XUhxXrGOb$09-fmY165Vy+ojSj3%Ih)PE{An0=_w>sxc_~zQUN*d!JTj@-US}uPJdY!AGfi?|>$!e)K zX~rw+cK76IU$EXRLl#|YYvdTXSLYh(Vk<_SnepliNJP1?(t;}KEbtAFRW7^f6|suj z6trjRR7oYp!x@Sx_%|M@brYBgsn>J7wwH9yMRo8GTcK=%p+URdIuhTT4z(8@G0NjNh(=bq4 zx*T1Kw7-Hr2n+Xr7^Jsc!C`>0Mysgf8)6RE@lHe5U7Uvs;%fm_RZyvl3A`Yk7gynCrxx@uf z>)$faB<61zY$V?Ew+lL(E&pag-s&}-J0S_*j=sq=IA-#qTay2+0yso{{w4w3**7`> z3V8i3f~oX32Pn|){?>wt%-RFX zni|3TRBgN})uj>F<~pd-F7s4rD50@|>KTkooqH-XBXwlF z9Xy62EW3#&#UCiNeKb#|7?u>q!)Y+;ERk6vTWl@h(mujOHw#3rh*m_Iw$T#99P+AF z#3)|ZclgbYWf)S+Rhl#j1>`XViOIwbkc0B9!-++}m_lASM;c{YiMTSv6(M46BVAl+ z^m(cv`pi@D0Ab$Y;kpi+h~6M!2zfo#43$YC2teAwTI@+ zdBj3o;i@oaATduBleMVf(Nm@Hh&mAOHVS~i`t7Mss6|gDv*}Zr@Q2Ilrz#Lh9;S3#yN3I$KUK<%-SN6xm6SM25mxNm zrkQfCIB0cGcV&lFr;<>0uw0xKr7P+|yyu2O2Pkuh+Q|cJuZHLo?n#%#JAp8ByyjNS z2 z!8v!@SOZlX4;mKx86OB5cS3UOSh!&GZVCZJai8 zB%}wj0TKG6v(i~B>vXCO8-C0_I-@oC*h)XOM-|NT;Jo7zWkE%73)}I2eyWa{qXr$8 zsM?>Jqsmm6h8!;r>Vx4x!wt$i&0Zh`P$zqUuIo8@-k61*(Ng=g$u=I6#ulh{bLXdo z%wQweF3?Y{0jGlGlp1d;jf_UbR>4f- z`lqI~;Z=UKWh(rs8oY2}8YUAT`l*^OWaxtBr(%G7FI`$kQ|C{?z{N{`;oYB_naS>g zZDEU-pOV>$(|#%iEh64OC6kTz?A4CLV-`H=r$FfFPgP)X{b&;X)C2M6rvQKj%ugAR zZ9M;!Yu^4Fc0~*B*Jhb$DsZcdR-6(|u|k`amm?cR26ZmhVD8O!Rux!P;P#DQNh|x) zd#I?gxK8TT{xpS)wMnImUrH1jiqzrr#w@I-rFII+)A;-#5r=96rk z4RfNU_Gyz#5vfNKA!*|6N92*#ux88D7mSOJz#ut`jXWGqqhm5;Lg^Ceu3MzW>9T|? 
z-k>5+sVB)9C0t$#k%+VlxwOM}uFxi&bd9=Pb>tvP2!eN3!nAvYL?E^%mm&=oWh+PM z@$i^;)S_C)r9;QH=a6#TSvO<^9GhF(OS$oOCL0EbFSUlnX(wAn7UdbOGpLB5BGSM` zoqZ`ZBv8&7&^p1V8}0q@OiR3^iowon<*uX5HHxot8uM~uB_5Y6Juzl zEFH(4w$?|P2m{^D?sQB9u|!Ow)9EuWWdsl`TFK92bi}yUYlsrG?F*|KptLBpFFltbsBwwZnV4c|5mkdMRgIbc5`ys}+aR%oquIV1YWk9J-nvYN$0j#JrRY+o{K3 zLx9&p?s+Mh0}Hk3rBv7`;1FNx1ifEs1ldc8aKp<>g7hG37*R(dMODajSMguH=U%8;pn9zh~X6j1bPV@$@@|d(9rPQOSQ-bV0gv;QVT#F zg`m$%A@F!!pf43fJRshqhrn^WWa7#~+#kAG$5B8Jn1{XtCN_3!H+4Bc9GYflt6JIs zFaOCsxQ0t!Fb#1D7d@^f&hQK|#u6D~47ht7O(iamgW=um3(p1q!sOaEJODVvZI)Rb z+Cr2ahLYFas$9yKv{|S;ldM2HS3!~(-pWcfg(%d0Gz#~Gr5AHh=9K_rA{hbJt_YCO zJT3(I!Slev$k-$BaUEO^Hts=scB_U-+;y@UbXLE>7>7C1VmrkkGW84UP68~bTU}eB z$3dvmNX+9ZkX=(igLsZoeB1;tcU>Y-mVgnM9e|3|t;Km<1dG7%EAFnOX?LhvDSI3Q zPiNa;*}*9CdfWqWi}T!Mlc-U2;QjC(os(x$%j|sH{I~|<)jc(5&c`tTV;q)r;7V&Eo(7 zWsq1j4l8vuIwbAm4uEgSt9Q}_7_1|vXiCJq3IK&9?f<+a$Vjv z(JY~0$87?U_-O*!94N|z0m72`W$N&p!BCzJkNwedYgI{t5^t|P%4=vXfAxv<7Ib50uCv~H(Q*GoNaOZ1e(Xg5tK5*7*n%T_D@l9eOioWQ;C8uD=T6-TLN0?C!68@S+Et`zswL z0booQ@UL9R64JjifeR9F6Hof9n7#8?BFt+3DunLzR~qD?zsg{Xn7_gRUhr(3_E#1} zsKxs$3NX-LNsvYCuOgWIuN;s_f7R0I{8a-Krfa#~*6PyCf5kxL`KtxG7c3scaizaf z;L7UEUnOt_%U>aYahK)zS1eY%{t5tn0X*scOjKeHpF5UevX-0cYITX`StNtvDX(%I zO@m<-EYp?ELK>1G(FZ&w0^5jqLbu=iB06T z3g|COyp2iM6m`0d5|`8^PSgR_Zdwv6*>QEIO$pz*H+H6r)g_5Z-feHK)L|;g^U*w( zb~Q*W#Vs3&RJyb|ByEJ`<@Cv88+JrX?$~yjY_3H#XwGDfIPj4dxr>fV-}1&vmu81L zTV+&d+DI8;jL^@KE&-E~xQGE*I8G}L%Kqu z(xl0uXyKJ1@(_gBK{`R+j1Ym$KQxV6v3*RVS`!3@c|f0j2M|TvjyU7>2Ra^+?DQNs zao8dKV|xk!N9=EPCj$5ZWE(!Pk!{^bt^t2|&#ux#6^h0U(9IcksWao1!Go1eZ#6~@ z1A?)`+d2IO_9E9^b76Go0^T+gKI*uTvQBMgcZ;dB7E_8GUVZCw8^tuzH~-+Cn}Y)s z^oeJ5orrbg*d}Pbfr-5YU+PM{9h=0S^_ebKmx;todaEP45jN!9A*>KJP`$en58~Qv znG0!Pk+|qo14PXaH9yq+P=h0HFb~v+@7x^;Rh0*;~mBz?E-rMFK{`F*1Y}Sn__WD1ju+TfxYl zZJ2|*0SmFW!XQ?_?^{u@!UUGTl>{<^DKlRxy!d*xtkluu5VUUv!IO0zZlh)QKk>tvfNQ-HlyOPAX8wG40hrr0y_ARE>PefoQeeuQ z@bXp(U>jz#NFA;~Z-v0?`i{(eE0#{bl?wxzkV-`5Vl7m{DYq0$N;e7#RxwpE9P*x& zL&0?fP(~26?xv^i_gXt7Un9aP<0D0rHXnfk1x0 
zzUmK5>w2t`%U4+#GT@D3bPz`8#mf!;DVRl%KWQl@a;O9BV%8cf(38a@KJZEkECCP!i#}WZ{eENl}MiO zbh-_f8&<*VoW4rt=|1#TCctV*px}Mg2v7t``zjFj&sTk562;FmqW3IhpVUv+`Cb^5C;kh5DYP5@{EM6PU`Oi`1Exy3SzGxr=WI%k_`Cb82q zawy={c2S4PoN>f_qfOC>1K~@iB}1@RVwE~=4`q90oes5;Ob`Z+*WSt;H(g5Jm}E<0 zm%6%btgJ9@yyRAl1UB`gO>`ldk6g_inYQjApb@xV>xwkO`2c`$+Qgj|sIzU_@FT}D z;ec;QBkYE}LTk*VTZN4@q8VH0ma&HI$lznZp)N)hFM1bwi@I~Q2%>^Yfun#j`bCXr zbG0^?B2OAmq~S!@1jW7Q=5!Se*K09>l`_z4EfJLff_kSWVP$6^LAPGZ2uErfbE=ctAVv)`X&T8H z;{18p7@+1yo9MM@^v!F*P+`J&n#sNZhSay$B0x>rE>QZ#0BTI9plLeHrv;;MPpC4G zzLp7Ih!AV96={&|nK^R476>tR(Sp0RbxPAHegJv04HvK1@&Lk2q>Qgn=Tkd~FtbN_ zFsAlkHw0N0KuZ02cUh4uKlLf36yrLY0d%B$0f*tI& zDtNqOq7+D;*O~x}m)CN!ORpt?71}tj6@V)uuuS?^o!5F<@nC+f2cQEw_F65n7T&i_ zGi4-^=77&EdGd9vTgUWUpLAbUJ>v}YaBG6~q*YTZw z^I2p7(V{!HStf}T@n?9C& z7Wym=`24IF8(2Q;f}ZqQ7ChN!QBVW?tO>fM&yqme&x(MCn9q7erq6=l{d|@KHS)6> zfKH#aK==8qHv`OPDUkJNC2)B@3jrBkpT$CzKI?#5Kg)m^elB35LUW2V1(pH>DKE#h zUcjojXN6-NMu3)ji#E=Lkt$Ub;y#$CPQ@B7gI{K(Vvg7FQsuFT2jN+bia4AG$5bd6 zSU3(l)u(vGi7-&L#T|ZwXR0XCWdJUGtD!_CPQybLlqlmm*rwJZObai(RX>SMJn4Ee zZ~wtPw39b;tU5_f^d?r5my>7R5XM4Fmr1m3CaVC6IVQJhg-hg(?`z4dM1>j6^eCB= z*qE3ka;b|X!%}FOJwo!BIFiO#$of>CN#i3=hHDfa&e>XBnmOth#Amu<97|JUCOpBB zhvQCK<0DH{fo2yI@NW2wj@U)URc~|0Mjnk1X^Ul6r`k*zl}vc?EzNP0O{zxoMn+x_ z&(RadEUbi<+2bOQi6d!@g{)8InKUZ$WcUjS59e&HF3lW^9xLeu@tLj|$I{f831bp@ zIPRo1KC(m=Xm$~icf)6N#4aPa>TT|L$fNNgZL!SiRGTRyk_a!pr8#c0N!4iHXvpi~ zH+aUz>Jox07VcaNwirMg}t)0keC7c8j(#*|1eG2zpG9mBvM*1G?Z0X+|vL*~cQI<5)08McQJ( zFg6(77f?oZrj3*lrUEZs7m^DKX84S5L4~*s<5VpsaN#$c>ksUCtSnwmpFFlEP(Y)DyVFAcz zEYV}RAP2DJdwK7%Sl}zn*<+~yZ5}HH1zeAXf~Gyz30UW`WD;94HxSP*pCV?B^ce5?kd6V;EU zfUFbeu?&bb3y9IU$8x z$P#r)Scbe@thg$q z%P!4~k?_U>@pw-C4s8e33#X$J!8x)VQ}4zR@BOiEbTBCvdw@z*e#Yq!xdp}5#iuZT&#NZZR(Z=@BVz`ccQozldQlR+Tf zlX0x1Rn%PFru8+dL6V9`_Y8)8!ZN3TOT0(dj>nV7bN7k4)N?0JbmBxOO>{NWx=?1q zi3Kmo9E;!*PYF(5Y;GO_^A5VRTBXjT*#ur3H3Aat?%q%XXyV#8ygQ{?1RUaa=fIq8 znn^LEOsJHlaTuKI1=C6e6a&IMr=y_(_$FrV zWa!Ry+nrg#*nwGPRkn5kW5Y;m(nd$w4s!^4-Ke`@prOHi9e^3R*cRA709uoqo#qcw 
zSP;6{!x2h+^ImeZmI+N=5Oa~MHwEiApdVGXdO8u$q4rzxm7$BbAxeXDAZhAyw+3y9+#Ro6|}t2Q#iNkMh#uyeCUf>mu!8n<81n| zOa(VxQ2uc)6+{Ni^%23omZ6UVKZ}b=z8SZUsm9C#ulqh_+kvPVoO6{!>%@*FJmO&I_;$^ji==>-W&L zN&MXHuO49*yPw9JhcG-h2k(cQ@^g4iIPGO>1!YiM(2WDU-NkepHh9DV83ps$k&Hqg zh3!WWw9OEN=}a59In+e43l-7%8RFVta?p*WIV4+#Wnbcb3ym@`ke@cBU+g z*?`aD&n}(2Y2c|=XMPbisC+qiC9ef#`2yeS;m&rWq@WxYB$Hv5v0iLX1BY(Ni0uzZ z{ix=*i`Z6pSKIgM1}56j8ZJXJIBHANbCDWi!PV|yyNxuks+-?-Pxq8b9UkeFf(%|R zDWS<>v%Vs$xLF+drA}jlzO>k`)JWODtimu3N(jqd?OjN19AbD+E?yjI6!06PRRB*< z#3$!resv-yIz_}=BZZOUdvyRkvr4F~9Mqo;@EcjMG6~jxNjhN68*p-hC7Q;@e(}>N$CO_KlaBjLB14P}r4{6PqSO_gt>grfCT<{u&s{Dxk7g=tj58xgm=o0Sf^oOowkgy4#=rn zE9_?jRBz4(j1A9Q`OEl|C7~|6(}}t#6zj1WzOC!V_|tDDB<7J3dv!sxmOB_gOo-T1 zw(GIQf;SpdQB_9arWsCX$FiW1!U1huuNTS!=pf0jP5*H_F+FLn>%Vm8l=C5GwyqGkZVCqrTo~z?_)Mp zKd2FaE(g1f@)z-pA~u#+aJC-M_|s73OYVpZVZO-s?8-Ltj0-us8@^RGc^(cXzvu5wpdn_=QTKSWV#1#vw#(Lmj{Yy)IxO9kJ>6Dvqnn5}Sbwq`2U&k^K0(7gNq1WssVk7BVh#=Nl6>;q z7g{#vXo0^ME7@8(s4n_HZF-MyssYND`IYfn(``-k-YzFH<%T(8sW_--*n&Ab_1X~C z<*|O(Th%}yYqO$OFolj|k}b)7UUcF#sjTtRA~{7pKJ6vJvkJY4I9c6%TMc^AZ93EC zh#Ra|f;BL!!;mBPDWfsec@}+%XCmaWxDAD83_9A6vxp&>f*aG%iD@9AC)qZH%bpg1 zm+Q!EvQ|eZWSSigxys9Vp-T*ibpU+DN~#UbiF1o#Emv3cb$2XV4t(&**!b_?RCN|4 z3y1b(ENS1Y*f%why1mrGyeM0+90ET64i8t7@=GY!>Vv;=j2Jt+PPnc8=DgdM9#j1v z;$WN+Nk0z@?p9mi#*Kd&%Md$Vrmy4&%W|~}PKK6xAKS32w>7=n3Gh(ae3<~gHA}qW ztK7ug>aZD?UhnKU^s?ul=!BX4WwwkXCQ>o+iSLF+{fTSF?Ia}8v z_ZaA>s-uf&!*x&fn9Z8jR>w@Y(jDtu`N(H-iJigOz*O^*B`6YQ*qFXIgFEXeDaIgr z-AKN3cdQ5#%k3$KBO;$H=TYBo{$prIb;0=}1>G;UPjzTZ{r3t^cyu?5iE@tDFHtnG z;$*ciIzeJ)nx8CO_8cdAv)$)LMC+ATF+M?Z!M7^C8pcmRLpoPPAOsz~Jv0zkBC$tI zTKnVyc-g;+&X*D6aK%v9k?`;B!O>vjtXy5Va-Bn7?xaW0oSCIhQH5NuE*=nW86@SK zz0K1$-YD{uagK)!c>B_#1(k>Pl|dU=`241?t+1ty@id=MB-y|);>~a z2S?~~#ymk4n2eUY85|Hdl5deWTQ@> z?x>l|;&VH7XV$Lq45(GbSs={p>0%IMR2Y|L_r%5sE$=y&k8&<$fo&2lR6Lu7w}gW2 zQ)!c-o6)$z9WrXO+?}ExS(x1r=LIi|*x00cWSm%NJJG3HFl~&PnV2pe9S=5XE3|Wt*d&x9Cm?C!8eSo=-)poS+RKIZfg!MJ1yu+iRUmL zXjzb0lVlGv`J2c@xE)txuW(2E5|=BQPF1rX-+RF?s!vei0={e3%w12yKGPStlv@L8 
zul87<^@LfYZiZoFz6Og)c5O#7-3)(bLG37u88=qrY&j|A!ua7L(m0xqx?fB!3=*a! zsTQ}7HJgF2FYn7$WHhkaWC9kbne^6iGAIDda9}0)Zigdy*3vYLoR4$~7-WI~+4jsX zXb&8B_hZo;H%ea3%b3S$D=$-37<-W*4&XcuE8HwDk!MCbac50DiI?U@f8z`>HU{Wx z77%T2E3OH6Wa$!r_@ep3JyVo*Qv(L)tOnE=H{)wA^Vsu#%qAC@jhrp>vXHY?Xi1NU zdWM>l)Tl{l`qqWp#vjM=ZhnLzLZ7{!YR=TDSGYqaX2r53sF*z`SKQ-mdp?`5L)#l$ zhA*F?XYBJ7xYuOwV^U74r8}^3t#!E4?2@Y>yU|W&=td=%Zx`8( zvCMk-oWhy7tsBJVPnvK`ZLmf*{hlFs*QSk^gInxx+q`=>Y)R;I zk}Q5Y&g|6Na$K~**esyzUSAH-3(IuikFz&KdQzJokT=^nWA@&1L-d9T{_WHU12@7O ztM0tPAm>hopoWD5GiZ$;rGMF;W1kdn9G;%`S4ACAzOI1vOKx&{3mX7tJ<&v z5rZ`*+dIqoa#}k+4AN^C^4or;ew9@tzT7g~s)C4n243B2&kjmF8EH`*!xe+! zZ+=#}N|YWkD^s&L;O9QRXW3=|thY`!c?ZPs1m-2E4^97Z4+;)##EzqL18qj^%)b}V z!3DQ$Sjif(F7S$OIX=>Ow)0nNEXHF-Nt1ac)xuTc`FjQi81hKCA-QJHu5iTd-{|S} zxOp*%rZqjD9Emv}I9{yr8p>KQtYGvY+F{#fhng){P6cVO~efwa>HU<_>oig9vXo1V)92DHKb}`dihe2i+JZaC!KytG2qN+W1_E? zJLH{A2CoT|hQa`M=m16d+ozDDf>Mgu>Gg8v+#jM#QOh# zzA~$Z(s9f5{R5hSFXiiMwmyiv8=bj7 z|El15VC4<83WozEK{wWO*d4A-=k$DUP0Merqudbsqfu(=FuI-W1G6kHcGrzMST7cC za8#{bGn0WGkd?RGs>iO&4xqhl+<54EEAVIAYjJrsF~)OKIQB0V4{tKbHb1QDHmdP( z<(y>)F)rHDC_bDO5AQg7Q@C1&;z%tD07nmI0W9rO-{DbE#4~WapDM!!ADw#ahMV}Q zv-5ec|0cu1EuNXVC4WbXA!^TFJ@@!1^Xt~Eb9kep0teTeOH?zknoY{w_ zeB+L_oP)hr-E*tB*eSEip81@A^O1XSIs2uvsR+Q$bO_d0{y22v?12alN~OB9IGZ7O zxx9$wHYo3{0eAZu#@&&TtT}iFvin$E=vWPG0Mp*gKrc27kV)AJ+j;L~JJ(JC-v%Mv zsue_(#iS|Ap1R=sl{O0tO4l9Nnd}v;RGGo#zE^4hsrYDxU{=s`F{^j6j0byd@#duY z4Gic4#8${IMJ(;-vDo%8n`xJ1pdS9n!g(&Ujmgwz+d`Qi9_n{2eijfnt-Y3(O+#+5 znRZTWjJBM5A|!Tfcz@k#GJY``5N?$jW2~*6&Egbri3G2g#I3P5Dj@ z*YBZX`^r6fs(nbXGNJu&nID z0u(NkF}oX0uEb;2`nk2k+j(OO4Qzkbrt-*b#2DTzn;SW|eQ7ZCdg+{?24=I?YPN6| z3tgG)V|YCr=Ie3_Me*|QqZ%_9wCVY3ScUFE268b` zNyQrJGHGYWl}#7qZ|7Zu*UE8@ymXw!ca6im$Tqf8%#U*QXuxGTGt>AwagU_4_QI>3 zo*2*uc@-|plH+#LC{0urq0@57jfdKxpEHgcY`Z1Z5~7VWSly{Mv0)i#pYE<7f-^hy zwtVvTHM+)8f{8zL*^CCs0rJpFZW3l<#$(sKeZZU!1&{e!Ph`(S;Oi}HAFY(1O=dHf z%X9Qi^_Dl1)xh@pPUGS>8na=@5byE%+f2Cd(K)eLWxc(A+0x=S)pO<4B;=s-2Gi0v zDrO4M`GKR|##}KlI1|J!=nZY|opB??dh`w`wm80M{fwiiu45m45su}oV_dai(H>ua 
zgN?8`dQ&y)_ye;WHfzRtY$^kyWrWzlK7Nmfa+u`N7#$l}%~J(0D6X1eT{1Ys4D8Dm z$lFX}aGnz=q6-#*PS*9dUdWZN9o+=bHkNS=0;1cap;Lx&KQ%OOCDh!4Kp9l zwmx-i(zXDN8s)(c96*7g z?Ie2QJl-@m#}ELMY~L!GH+r%-SQl5&MYcjm{tSdt^z=qFqAi!oYPn2zlK1mu%n)W+ z?3Y&CsLxwbvP%BO|PlUTk!f|K1PXjVo8 zPiHNzUfuCXeBP(65*-li*pN_cNwep)hZ$J{i*dXhY;~9!U`yPh^#js9Ov4;9sRX;A zAg;)ScQv!ri9Pbn#GR7CeGaLc=c(Ku8$2yd&csId^XJyw^Sdz&-J{ z_9J}>ePJ4SE3$AC>H+I7fg50*Vku|~o;7vJ&s?=5o<7~K7@FDDWWR%LFsWKMSvnP* zTMb4Ml!r3@hpP!H2`*I;^P25-(UBb25-k!Y)vtB#GXKiu|jD-N3 zyrd|O0+|AM0z2^LN1?$LME;sB}UVxQ0#t`51tN}3TUw& zbWJ(w!eFBFqiFE@j{>35k0Qa&`B5Bbdi^L1yd+#yt=#!h4!ES|M=@X@)vSnR3C@x$ zZdI#jt)%92H%yhEYK`fW>4~+t=jPZ+Nhh=teC>?tM5ZS>%p{cD-6xrnNV0^JtWk}G z=H$2p$?KncgeQP55=jya1p075Ao=5JNsF~wdBl&)#QUIn&>0;+hjAYBj_Bfu9dwST zb8R|FVG{6)TM&-d#FMnq=ibOVjkr;7pSzie^H?Dz7R^SjqJtPwBd1Z(h_TNBEpmn~ zqt8BP6_M#ikK;_P4&c|k57?@c`EbF-a;h!z@)L#)_T$ezzlfz6z5A3g0jB^fDODx1VI@M*|hJM0wj696f>~=QtXQiy0g-ybwkujG2Rc4Z5RYC zxPK{OSTLqfmtik#>`Uq50WRJZy?!ZE%pM1%h(ur;Xbq8u7M3rirpv%}Yzz&&F9nAF zLJs;;2*AM1&V4B@yjox4c^B!9$^}^9OJB+g+viJ(U744{9QsmZ-i!hwUDX=)(J61-z5?~QPWTHr4N(M9M zOZieRs6^fJo-d_>1714+QXY8tOKEvj*L*22=Q!?8byotemzSaxtWOFkzoULqm?$OB zCKZ_{MUu*<}u}lVY@Qo|H5eV8*09DPz1awy@})kWM_LCuIq|gUS)z5M9xeLZi-; za!L-6=}EBx(qM`Vai(J|WPP3#7HUj~Ps$28_EO+Ioobp=VxANfFz!h?AromJtHG2O zhLqQnlELdw%F7OVQYhdxqqICJ6Tlp=?WLTb6qm{Kq(~5FE&#RZNr`}3++%T`loxc- za?SmuK=AJUc~Tz8f_YLHs7FuA0zKJtGiVhI= zqu6-TLVL9RC^@`*aj-Z)$_<^^AZyTi1I;c5Ik>tdh_}768i}OoFdSNJr;xzBeY!_r zyy4wkt$o)rsS{-&+fhfL+%WUiB|tKDB#p17^?M_5?s#2nP?EIoggluXq=uu7WbgMt zA|N`_&@y}U1NPB%z8lrN$_FLVd(7~%an3i7PHGq#UN~o+>XEeL@o*d+6N9VTW*xDp zcRB~x(7aGwbb@reqfW$uHj$R2zQEw3aJ)AjkG8QfFTB3H@p8K9CfWOB9RUPjqc-t1 zcF?1n=Ehh!qeevo{@k9LBh7#@7s}XM-!0!=={p%*sE>i;0A44C)ZHitbw5*Tm=?n5 zkgON4r|0N-V-+U5fLz3;p2Ur|(DkuA-K@T_u*J)Q*R0@*x9{Dm_t4#(@V?6+nZC!MdA`%gydZ7g2@qY7b>G+ln85PAg)XVX z)#tk`;pICEbA{Q|Rk)YWx)_ZlxO`8+YF?CszMBveBl~v|@&~ZzJIn~MzO?c83?}Wd z?-yJsLd*9G9t9Wa`vkiC9ss!0XD35p2(IrDK;D~p(l*jJ|9pR88f(5kaC6@ssQDIs 
zZ=j=Bf&lY<0g3zmD$#eAZPVokue7l;|Otb=EQ-v@VjI&PE63KLX__UJSXM1!Tw zIV4tRpk$LOBQ%khL#!bf6oSDO?ewMOjJd4Sp*9x~0=pFC5lNtU^yr?sfmq<`HVp{; zgZoi|zLY&IO$B-AT*o68QD8@;qZ3UqN0*}ua*5;ZZixN_SjMtU9&-=x8P>6r44Bk< zPW&ia%TsY?))+31rE&eHo2ikyh~bjAXa$9Mr**LWxlLPV;#8eZk6}!`Cu;-a6X;33 zJ!jHHr!QQ)31>@GJIRTUD`xVRcv0?bPOb4m0T2^@Nf(yfN-7hiwx*M*FI>FIBP9>- z8LqQQq9k~zTiT)#ib%hbWwZ$7{Skk%up)QIhwQq}mR(DSqg(2M1;(Q2*#U{V-8wkd z!7E&{jz`BPvLYtS0pH+m*c$#KyY>KYcO_2SL)zwAaVX7%UDDqyFEAx2m=KZof0r8CxK;n z;G1#;*Lk!z#fT?_khKehyiWY^wz|eaZ%P4V4-?iz%bRj@dFX(4hixhg$KeiTdvEA! zn3(%0+VF0ccCt5I_R1@44}{v z7eLr4==DvRAjNYCy~jpe+&DX*C8S{q>@%R_01fZ%QIq&MY(Sj2(!&JYejTemciAkmxB z@_>5BclM2*$q~B<;j*`G*Zih55OdxX2B<3+y(tU4pS^=?f_PKEDGFT5C58dwHF0kW z03MS@y7)~wpz^#a2K*4;6xV&cfQkxEi*5Sep{1o1;D$G+@&QVU@;>RoN$<{y+~h`+ z&7?Dd3gCeyWAd8lB{1&rE~l2jpxo2l$eHhzyr{#woH9YYg|JUY35+)H=ISI8Z+k11 zB+_(Ph|{PfrfwLl`%_v47)8QNZr2b1B)8d@g5oh*qF4z+Mvu}T#> z=g6P<)_FCq@`ubrwIZd>wTwee(k&cM#~y>&ksau}NVZm&t?`O2t?Lz;TtSyR8kf^Y zF$i-x+7Y(V#^!b1wo`<2`-#i%(ArwB;>OuPDqV{5%4iI%tnG~y0Uunvh1TaIKBk4( z6o=~47%MMU+ZKIe=;S6hgQB=~FVXv+G@Nsbx#DN9Ez^6jOxmivL90WTw^jUsz3)JJ z8AL5HtC1aRF7sG}H;thklARLC)F~a@*4-PiGr}}Tzq>iB3hdoZCRTh|f zBR*S;-UdqBIywLuiM>w2YeAMqKQFUD@0Ii(LPy#H4J*{4Rf@8*dBgZ&iBH5_Sh%5U zK;^&-t!C~S(5vs6+u4apaK=>^9L}sG_*eR%giABvBW(lSW=d;NT_G@QL9-BKei2_r zJ7?m~0hy=uW}f>b-96^hzVW(@2l zHfq~5Pv$I{4f9+QQN2NLyJI^N9zVh}iw5 z_m!z~OE#nyb2e??Rj$xE-nwvhocDjP=b~8~%m;HLUeR%Zmt$@OCnKK8-U4Mp_}WhP z&cXJ^w_92>G)vpT)j?Q`yeYVty_#j_l|#|!uw~4ydrrI4(f#>2el>%)`0-++fU}hp zhuHT%f7*nv4snI4LBwE^?~1;n!>)%{O%ASy?-uWrGHoqGGG-Z_p&@ymukwX00FwvP z`3ByYI!!cffq&~8XqmgYO5bI%5Cdj7g&+%x#kaEzpbO zEdyrqtl?O0m^DRn@PYTJLpeGtRyv6LnPR{O+v{|=1#55JoBZZ>`z}rQ&gK?l&aI#` z4aMBTx}si$$$hb7VtI8c-0aV{(>P^QNM}O0@S`rDnh%{NqAy--X&@>^8Pzw8&FUwNbqERI}L5Lb5>O;)r%4aUWma2liS&de;P{2Yw4KA4z{ z{@jS;re#NV1cx0KZrZ@wC^v)ab+gitM9n7_u@Ov0) zxnc5^>M`_U>>-|vGem_Ge)p8LgU*mu_YkIVKUcB3E&i1Q{DlGN8h0$4tAODJFL|pw zIX5YbGf=D9)yZKQx0#^1uzPfDX0h`&P2mLfUORme>y&5%N;-9tBXlQRox47wV3niV_Iy75Kl2jpADKTU;Q(j 
zFYZP+@_m@Q?mwI8?u2>c2)qGS5+b?6u(KL4@$St6$YRWL4=L2;siKdpB@1|1v%=WL zaw25dhqX}Grlk~fUo^#l;8H8?>ijyvK(zu@Xj6={MLn=)6I6&Y9J;xz?h4d%XVj3h zMfU<%oce}8@-y)E;69ba%+nx$>l>#!2(z^BHE2Y)qAZ)BH{a#P4z0IP3%Iz=1D$}0 zp_!1ivY-p(L^%NKQHT*40Tcls0Y87r4mU>*9eAHk(dG^19OA%1+dyw{Z0M!tB+WbO zcl%^&W8i>czAy~05>E)`cqcWJ9%E2>q2Al1O$wrLzr>* z$eaVrKLrHn!MnMGchd$3I+vL`+Mlw)1iCzs{wc6m!)1hE-nzC9X$k<+_ zyucc9AkCk0!Ha9S{uB%9?oiiMVUf5$r2^R0k+u-79Zr=K7R2(WQ1EVCDPKFQJ97dx zUYutni#ws}^QX9^0rRIw(CrS17Rd>rZh2=KhqHj%`q_ zXUzO53_Jzw(4T_9#Q9TL%y=09m&n>FlRD9+4Ed)V@NSanPcZ=YXd2xg5fjW8dN(wZrgG0X#ZQ0Gs%<4rHNRFc+ z49DyV{eSqhq>mO}A8&{&VIV9P5wZmv{=434{!8Kk{58_oI?KM_{ zD6Vf#vq80+YCsr2Ub|~sX2NN7Kz+RQZO?#s2jQ8mMrKqTr**Sfp?xzw^5K#>ZJJ5a z2$J!BdJoUpQ^zuFkCxlJF(6XMTPTa6M;5Ppw0SWW_=@f(Ws%5Mkp~rWira(7ODj<< zqkxsqWY`_At4%0i)i^~@U?+4FcBZQxOzb77k4~ZvBkBXX38EF7oHBE z7-mV!qcQ-QWR2>5R92`&h3*vfqY`^ZornYB&h9)aDby2oWP0T-Z0ndNl9Y)(IfoJx zATBp`_)#h0@jNOdOcH}@k4lt9j|vEQMv}Pqqq4yq()Ce+ExkM{0-#KfiUu@;NaUmP zGBLQ3R)ky0orU639n0l99( ze;Uc6Oc$qArF5HATZ$2uKP4(Mainc6)FScPASa4w!gns>K{^v0b79gYb*Nh|%S?$- zf*-*e5l3(W-W8m4NUlnp5Trpal0KR_h6F-w8W7r}ZvsG7XYAYDQ3;yy%D9oC#fU^X z45}}%PxJzFG4UbOqoqpFG{ey!>bP?Rumm5SZ691d?`S zClESHGU;gw-)LNjJ9?(Kuy{2ot>9Y8Ek@Y-AEcR!ZW!)Cw*i{Is{d|&b+;JnycLBjkUzBODKcOZLg z55Zs^@-+B2ZwtF4`;RHH_rntpUnOARU|$uXhf6dMM}VG0gN zLw&uD{>_zSY>`p_J`sC!O!BaH8IqkIhCvdTx7zv-_h1R$^ONgKpT2A0Gd4wwDL47WQY-oAtGSckZwd^qo~K@Z#1*<%WAw~%ZbXtAhmKJL6+0TE|J z!f^H9#&?@zbcNhN{Jh2mwGH3N{)%puVW&*^l3yUnDCmeS-4LvLDHCkle^tN;X*aqWO80J)6hUi_|aY<~RM=HohtytJ>li57* zd%Wafw;SuldqZ9q-7~OZR3>j2IXnf7Y5?kAuogWq=G6iDUh|tV-h^D5z8GzUlN{-H zMv+lwi`}%}ApdmJ=M&`pLI)kx24W2n^$!sRU;wlsG&JnU~p$6 zkSf(*y~QSPPTsN!>9P&9S73l{;L4#)k?FOfC%-?y6&`Ky4T_9GqKtspwH1e>_+H4* zWIp#6Z4H{#!F+E3t+t_AF0Y)PIJi1H8+_wb-}(TdtE7 zdT4W81HapvPznGP{{4+yumH1=7R38fTH6S?`)^A=FnWtuA%Xv99d? z?Y}Fzb+s^1gIP=GZ+T)>o-wl}=W% z_}_S990;|9F8^IYhO+-H1%!l!1Z<{7Vd0BJ}UEFk+o&mFsqjpM@YOXQ8uqD zJ-wqs`?o1HwULyl9hZzwd%H%faui=z778PvHm~eSSXgfnBg0>FpDFFK! 
zchPckNE|}o=fDn+YX{Yx+p@W3qqJ8D*lN@F)H7+?+x;HM03xlR*Q5(2e!|owfyxU= z#RLZ)i=Whet~=la_k9jEGI^?l{hKO}s>~y}(|Cf>jbumR-WjuQORs(pRa0BqGxN2+ zOdN2V?^y_tt9;4*KE+)3YT5*3rs>D`C7#IYAhuP!{eA?EqAGx)@0rp_byolKZ)Btk zBIv57vlsaO1J{dYQp@l=^ZkWiw?XhM|Gq$D=rF%$SK_DdD+r@nT?xl?^baQb`>A0t z0h~qV#q)hpn~i2Qg<#2bx9=awUNtrj1gU@c-hnJsKFtDNsWCU(?2T_{mjq{3;@}Lz zX8MXppYTI#-4G0h&fY?Yf>CQ9A?&BoComR$7YzyEu@}hn+pvJDMAMII2Rw!q`$oOx z6Ac-S1xfW8-y=AFDFZRwgeUFyVd$(qod!6ozs8hAqn7jw13vU#xY!(w#?|%W;LvI{EHEyw8}JhBp{Lll%IM>k;SxwDNsNNJFKwUU zlqGJ>nRSf`w;jg6BY0mA){_@kK@#oXiw#ofWWJZe)q3bxMWHp1C^RO!0jYA=r$CCDz7y0VUTAwC{;{MbZkf z9I4L57Oc5em41=Mna}MA-ZifEN_@X47^S(D%^7{KNP?_=XP;=ACs%-*+@o5Wyzdbi zznEOE;yIH#hwl$jgJDcJ4SoB)p}RJlH))%jm04#K(>m$Yy77G>ne(Y&QV2JH+aDh~ zQ~mDyK{eWOElkjJNtdDH=1X2ly>w0(p>us7Xh}wW64_|K_^jl6Kw-gI*voqB9=`u0 zr9&Eedt`=Q{(T=T+Hn?B=Ta~7JzWiU4BD^V_j|I*UK6&HV@}9biU4xQmUNO})?>bx zd*C!OD1KXZK;Ostd|jNz(+O+j_49oms81qzevhXnqj?jyx&u44aim?KWBIp(s0B}0 zuN}Cb#dmac>hNl-@Njsx(@7dPqq*f2b_ixVf=qQ-P^;Ph_8&0M2E2)zSUc!A1 zv4inpey@gJLo|PR(@5FSJbQ{zq$n|AAsmEisN?cWqGC1%a|aOygAz5$k{Bbx^8;f^ z5QbqK267ODK}Z>-h*CyKL_}mXX~w5vkgy&=CkXK&IF$w9)KP=K%De|uR7yr*l%}y@ z#!p5MPv4|do4;L2t@3Y*jSbB|pD^&YTP4nnhERX z+z&A>i9*$a_6tBfJikWQrUCa4F>(K;45#yf@E_O-GB6{WVX{(7bXCl&KQ|~7ZUsV_ zcF^zEPk~pK;A9wlCy9vKdw8ao2l8pTY~LGEeXBX<`BL8jUCn^T|DDwN0MC_g_MkjT z>^A)V54iG0V6wjGM6Ws$Y4mH4YgV1!TZ zdm@6|RUM_2a>;ekew1HMmJ%hz>PZ)Rt@u{geFTV}5t^J+R=DXVY~SFZ`?2c)gDGYb zbL>zjnc$}SPGeW+GhtVHHFg>V(KM??Gw^Cp6^uc9*axAFXO>$9^L$_)UAxoN?|6dz zKJK6-C-Gk$s=x}Gr`R*O$Ls#;Adin_=Bm_*?UzIe*B;gPRdsqwu?zj%YB?Yi5rcuh z_3q$kL310_bF~}Fsicf%sBb31z5xp4mHd+;RPbsF^DSaz0XiV^o;blGaf3s|9+6Mv@DtR|;CCQk$Gp^354HO` z=#5@KUUiU28q6?GnybboFpu}-m&)H;arGhiINVFiJbNJsycc!huQx)!#h!W>njm>o z$K)vqybO2DDZyej5F|ezg419+oPwiHd|aG=q~+i6kh>Ge!aogqkQiCLpoF2_y5-Qb zZb4BS(j2PZ2n@p49gA^LkW(}LpU+h7kN(;HCUL+1$2^mq@EJiZ_fV5&4x*cQb}z5d z)0_Db;n&>o8@#CS-^1SprRya=kG+_Ioh=>bkr0Mtx{(esqtrkE$ zBL;zky5)l_FJyoaN%e`Xloh7I?q(_UkO?==kGD@pS@4g7_Dw$XEUz7Hc)Mky5!_GG z^ba1_;&L)h@Sc~lzV#rduZ`umBYAu!3v!ocOZ1^gY=^^Sl~S`C5#JYq1YrT 
zSEV|lr!+lo5pb6Wh_oL@pfN7~q?MMDuX|D%|HpBj0D~}h{@xo(TCtxW^gnsm=c8}! zX6WzaC6yVIWL5~gLjo?52K8E?Bx|^&_+EKCbIx*@sKV~;h(lief!)HS2L(0kP7#J zeW~a>GWf~+DP^C+Ko&Ji>XR?)!aR|pY6#5{3sfjvpHb$9j!ZV5>K$>!*kU(KeRR77 zy@cD;DrWG0joRvf$zoxCs$bqrG=lP;2#vn?H)fxiz#SB$q5(#x1dj{NxgdlQ<|nr< zevvxnXnyO$Zi(_w3r5dRa~wk89G@5qgnc#L=YYgTlhK&XPj|nL=nGthz3gi?4}Sf_ zl-$DiP4pXAz+cHMVrVv>8TVKA5jg{jtbx+R12Rj>fD^7<(qN`1$8qFIvaR$!RnP)V ztaXQK3cR5P(F9PWdyfuTSE+r9w|fsXdTiP&|cs0FCu zHK(uD>2U*;85}BaY5H|9J*`OGeOlIwT>LSETv4ED8&E~T`k;+w!b{6mhH=UNAAESe z{~hN}ckG+U9VStq7(%ss;D7pyVe+_S_^|MZnBf|XhM)Atp~;e}`%M=_r8|Ieb71Ia zIyF4n2_$Fg$p1@7|9c=``tLI|bmrhg=fb+mlpU55f*2Kd7X>z9uB}S8DPyIz@PhjL*AOYm%vorg+?xY0%bw(=`5jr^%?x}-BY=oFuR|t3kSI-^2S3<(yY7H9 zNJ0z-3^TKg)_y3D|HISiRKOGLC(iF-bHbm>f6ltHIwqH^i}L0(l(){ac;jat>K@8- z+_@M3+(8WXJdV(PS3sYpk^HJM+ycdTTs=rqN8o7>BzzIG9yH`PXNc7PX z+iN#?wlT~(?L7G&$s8~kw*KA{VvMv$D6sXa9>>0N+BS9qL5Unxb;PzlY$oY~`8^ z2Ns_NiCuJBZ-9RTf~S&UV@AX-lfDUi(bs^a8?RMt@J~|EPS}>FlbOgsYu+F*&dsu+ z@6r}Nj!fz<#BKm;WbhX~AZFG9QI1B=^F!s2k?+QxjlU9xe@R06J^{&p@OLg19mz$a z49Z=z(`?}&fCBpV%i(+snrXzu5}PEg3}yjr0dE1{pU9AAzo~-obGiwlC44UeE$|)? zMDaaNw&m8)fqY+ep_WoXfL+jB-%q>5*au=kx9_Fhd&|#f6XK;lgwCGCd;sQkMAj1kk(VK`G$-++o98e?a0KSa63Al@1cm@x~kxN2^E&sX9}n9 zBXsYk$uu>B?~`ua+fW%TJ@0!6$>fbSPw9+&zGv!&h1h5rz2YJ<7q6|7sMY(+_X8+2 z?-6y>M_nrt+ih{#QyJ}h0oSkcdNttt0BuuO*_NW6DSV$44&zR;cqAiN`r?dUXYqaK zTN3az-1uA9!UJFYsBa9f+RlMc&HIe>xfaxZaieV?)-xJ6?uq`sc%a#7PWoa*%loFk z&`{~WFE+H5Z7Ju}7Z)0XyOF+lP+iup3slmcoEoj3D1^rE-(Uk}2+zhGQO#piYM?H zREK^)Mvf2n(24xX@&uz4oF+X5v@E43h=m?8+b4?E@73nIc2?K1$D1}&r#w2L@3}O? 
z5a~O99@3m963Hk_xy?tZnMghKN`*$G{m7F>;tWGYcqMI)d52a)jPw1Js4g7H{U)@2 z|D@^Z_M<~HLA%miVaxy!^S!tBQl(i*_12c}i_FO~2dwhRhi&Lg-R}Eshb!@=)xx`o z5ff^C&%=tuzlO!{agf#38pOQy@b@=}T3lxP-i9?h2cfUa?`vp1*)VS5hVNr|$vJW& zG5Ed(nOE0IqubxB7*pDeTnw+Yd$k)A0du*FG_pLXbxW0{oBe#n)za32$7o#aGhlZ( zG!mTy=+BvG-e@)L_Yyzf(6wQFP0&;Td;n1Txl&Ku80 zvqOh`FUSrzz3>TE_<6w=fG=(}C?VMQeyYrA5h_JcGNcjNztl^V(@!AYG4+< zhP-xGr)+9%t#=vY&$YeTe^2MBZVeDXl!iG0x!5r<4;zR3zGPi3Hs@OL94rNL8`!m% z3pv8|eVd&4Es@7nzG|$Yo&e`CJe+c<-;Etn$V=QkFFRy250Y$Kl2i1vJVd*htE2e& zk1OVnj`i{U2;I@7)Qddm=U(42^J*T(fsqW2Ki459yTRW>VM;${PGuCSs{zY686ebx zE>#FxvdW9C(?RGo9O+Y~UtN(@&(RiHbX^e;c}A`+DXUg-`yF}G% zDMCMPNQPYlp>eW;mX+819EY(-8Hmeo5XZ@{nhg?O$^!lD<0&fZ6ZFQO`%(d88x2D)L2nYMHN9^aSmn$51*gs~7@w5ECaYbh6t78^B#*bY+b%v^k#sWVa?Zq5WVqt|yk2M0xn+ zkbRukMh&v9=)Q*+O@gZ(gs{bJN&1>D#XD=KB;7Kj1)HYufd=PxbA#Q>lwUr=I6jOq zSIxT^IBCb@YV5rbf^Vbw6dW8cE>Z1j+8*?~HGH8NTo{}?2J&ps7hdn+!Zf__UX4q4 z9+(A}?}*d6xcV-9@k~*wu?igdo}Vv=Fq&v%Phx!~UmRjdfYp6^bd6f0XWkeD+k8is z_MLN@mfu}&c-$~x5h`p8pi>zhelyrlDP!&Z{8YwuXe>GhnQIbQdYet~4qt2s91-4a zxBC3R8>iU>YFpl(fS&}KwDTHM=K#oDlKA=*mbMQn9WiM8F3KiG10_esDf_H5+tfAH+p$86}v*rBq?K#l`M z+xpNJsp0OIcXL_CaCuad?71#TS?jUrflj${;xUX# zJBwT~>yvGDJ@8-ac(}>8J6p}(alXHFZQgkQS1`9PSsm-(2bPCs<5fEc?r9v>(O~#Y zLR)l7Y3s=qEYCfL%jS)8)rO8kaEfw;*OB`!7p+VPTHf9=yP3s9->5vV|A>u_p(ao{ zOVT&1)2Sd&+2dkxk;;~ye z2k;kgf_l@V19hffVc;tDa=5Dn&?B}*H1VbF_pk~cI0|0PD&Hr)JRox3z z3-E3o82$YqP}p*J0vVSJMRY!lmF}>c&NGT+=Th-lQvB+fIP;}upm%gg^briHJQX)7 zIJ_V&b4c!X1@c1ktJATeeplq#7fJE+tigYp=aTVNcVAd^Edlvb0?f+<8TcXpkuRja z&(-bufBlP8#v#z`#LK`5o%2H-aGL^7GW(2#a}t!xdOA9Va&U3K#Ha6N3>m!t?ALFg zz=+$o^$$?&q&TxZacAx1D-9$`l4;KuPCV4tHr_o`TUCYp?qumMha)(vSo_@*RgByZ z{IPUF=k*ghWV5l{WOu{a*7J0auvjJTTNe}PdbodO;qWSM=s3XMW*(ho6!w1I6QE-!xhh5tFx zE{j5TCjz5Q}g-?!XmW6z25OFeTlWl%=Y-t=E@(V;?a5f+@qa8C!vaDv~ zd!rd#nGHsv^ztviL{BFmrlQ`fOlg}XqJQ%RW=a6=@TD92ML<7A+jvvPd(gdEt+YUX%)rDN%+P*3Q*BGwy>U?%# zsu}kGTdRoPX*BtPZIN?@6@oL+G%rjtEVaaAMZ^D)#MVOx)M`VUCpY^Xm!~LB>;5~~ zll)B8jN{nPXyXC_r{Hsd@JhZd?}=5KuoEWo*?t6wPC4U9lpKw-zOhb@vUsWPb`3i8 
zoNP|mDsz5DGr1&OhI6DezXHNT^bzU(!^`$@w}zekH986I8=dax9}q0>!TPxNSgz$} z2qzA^eeQFdrS{kD)|+P>zpxIRNdU@6AP_;2p3DPcg5|;B{Oo{~jGe}LNme5Y8N=>M znVr7I@$onwJHx~$`4CK{_fC+hIzV`r?8PLp{D~QS+=RzsE?PGv?*Q-s^8h}7v$Q`$ z1NCNv!7?|@li96fg1Q%z^Zbs-Dw5=kQ+h1n>Tgt=HXjBQ^I&A0wb2%)wzo^S-^-Qq zU(8aBkoOYGb6z|1UC>rfJ|EbwuUo6VwXDRnk&>QITwHE4*7k&Oo4(FW!S2>i0 zS?_*k7mF*8)C=MC*U%qnYadI=_7t#{)Bh(%ft0BH9hRpL*AZ(u`X#GQE0s0+QO3tV zK*mqp7ciQ!r24aBI0KNoPpIqFx(~pv+3s!)nV&Rw-)9!?Y~GEJ>hgPVvA+5+{f-K~ zo|ZkF`8+R_OzIJubro?1Wbx=+i>9LGl*jX;c$BK+3imqer_+WnR@*ZDF%9}VDZRt= zxoJ1)Ml)}R-B9+M$d+ht+9c6HLjjdlgs{B zBjnM<0X9;SQijKT=S$b3u~zTQ%4U3ghpv69wXZc+TbY?wF!!IHYVL|;^eK?`A@ENq zX}Rl2>PsMZ-0q_%>_@m^BjtzCI{pW+`Jp`#+^AH{s%L5%)qiT(ye%(nL#kYs; zqJZLT&QJ*06(0!!nX2(05C%oxfXVhlaH|FX0xlD9gzCC)uSpvyR??xAi4w8rCmB>pR`-+sSCsQw&W+TUPf(ctrCoOiG7t7uH8YgrV6b|u7Xf_Ee;;W9qT zcWmjj2vTWAk&xQy5;&c-)y zO(h}}H=;w}DYSjH+I8k&920lLJT7U zVvK+&BOrtb6cNZwQQ859Z^#e8zR#eC(B)C7{xg}z7aUfhp_>UR0_<=BqeLqT(Q{Ie zeDCySr;bebT+r@|!k;*waWRM4>Qrggvl%f7{L_){Mc~`e>=Gbx#EF}zw!`1LD`=Ga z=Yn2vRj~7=4Fxtez>o$!sx^U8V;MVY2Qp#+1xV!Kd%sg1go3*}cWlk$qk0Cf0$?@Hdb<2I}{%^dJyJFD(Vb(Y<0faKxq8v{0DIdYxm?gUBmwQ=dOhb>G(-P^eFG;J zZQAcp)3X7dsLkF1Tlb%$;RB|fsyMeKYxjZ;{td#w1K*5opTz~)hWD=_f129>fhc<1 z4e5ITx^v;@_LK>fi?nIC1uu*d$8`WcUQ00z<_2<-ONRr0X{zctuN4f%i0fgV&(stl zf7dtheL-z6_v;PXx;@$+L~9Rliqoh8rp63;J!Mp94$68}oAihP17j25ak^Hu`!g3P zHwNUhA^6RYB3PX3gTqsrx`*^l9on9(gK9KZ`EJYxQrY!&XSUN14t8o`Wd{AHO})3L z6$;@mAskRK4kO1I9V?XOgD#nYEBH-glzRhG-rY3X-y06#%eYBvbS2QmBNaFs0n0CM(+eu za^>=v={iqX;p{6W7~qS^oSK=byAtt8%Dr#BJaB5!03QNYkNFbi-7l1(3N{<$4w3f< zRShl%3SP|Rm%)c3krl+mCgSCNjCvQ7**zW)x5@Mj$oKD^PG9Py4vji(N#$eWcHbeV z*n;}1?fWtLV-O$I;DaBwjD;EbW}Y2g?`o1B0}5Y?0CgXWlya}GQP%1*N~SOlKFBiL zp^!Pi`3D4gR5*V|oy)j+vpiI4!!h%utwi%9rTn!luRv#=)Q;DfUxbYZCi^J86#ivE zcy2GeWU%fj=2ms-L#B%XuBhmYPz8Z&UOQI946$Xrrp!-g8Z^s;x^;rxAd@hFw*MiN z>FG_N@7C9GS}Y2Emty~l(8uegOqpp~112_S-Z^AHoC*#NOlhJrTIKSw@K~7RzhI_+ z1iF;$`l|F;0*3eW__0dOGwxlm+gh6ZuK~i~PKzP(T#b@XXn#*1brnkIoG>6~T+E)d 
zJi@$eH2P(_3T=NDL?Z8YlW!h+_P_#LN9HmaX3kkDn8HwlJ#F;g&a>bMvBx>mFT#(X zX^$B|xg2jCmj9G^QS5Ubb2{cH%r#QBidQESdW!d!CDQ*7w5W{n-;t7s0ZBbhwp+we z9=W@mQ2wfGfd-n&7XamMGsv<$CMOeJ4~zwpONZ6|jiKSO5B4^h6lPggf+I}FC&Y*)S zT2#xf2yIi+zQ#aHk)pOiY@^yjAZ`Iw5PS!(@?+J-9O=e7cYbzd#ow3=s zNX6GIr9xp+^XXcMp&Q)ST(a54p2`u<*Tk$@fT5b%hS*CU`(f4WSa`;MMat{2CWptD zXO=XA*bs_#S~TZ{4bZ$uv<- zy@+}d#F{n?4^&vPc**kwQT?lz(WhSey;oO4&u^k9A$o>Oqb~$}+ zS2?vdTVomCoOd5IG23eFJ-AM*&I1`?`{r6#N$D#fnM$ZM1#P>iMMPpkvG0KDdJZm{ z<@R(8P{+Z%-2lV74Kz6>`e`7^DtcyqhS|7*k*sk3kY~ENpA(b`k&t|;4K(Y(UWUv3 zF@RE1_y||3Jq+h+l>Q6k=Jw`1^LiIP)PKa!xA5MxP{Zc8Uw#Fymdj>WN~MZdB${QR zt&Ss_R{^zAv8iILTtEqkEmKDGY-FV6mnpRmufY^LC=|-ix7g*MfZ8=xnPNQV=2E^1 zjD)Ye{#Gs1v)pl?<57S75>B)EeG=mJM^I$*B8>QFX!$?Ll<&bs_8qj~*B}w_Gx%Cx z#zrWNN&E{C>1eBs`xh?s5*z~3@+Vc;M^J+Ek`~6eQr%HyPCtHb4K;-G4vcSe!D3RH zo`q!0+xTSt4TQ7@cr4OhdxeEuC!I-=gnXu6B^Gfj(ut7Bggk@L5T{JDH zN*@5KeE>S1=U!nig%s!Fx-2W3>v&TdP6{{&5SPdIJwgoDArdhV_2 z(rOf=Zl`nN!gNezo15yEuqXQMm8>bUPlEbbt^SB;>aPddd+8RVbw}Kk?ZVXBGs?7N z9$jxFgtK7XUgP1&fwjMNGMlTW`Zz{q?#8+bZL>jCmPp??X;P=oxdcceI>Wj zPeQl6B&XR&Qi6Y0a~=|y{f(gDw_(qTV;LZPMg+)V^brvN^D)=fuulkvW9iU`aq1Vu zlcKRT6z}Ak55&f?1aSFR`g%R`(c>X=EC7gahg;j|s~KG$ju6Mf0?J&k0^!^GZ_qw2 zj)g1N+qhnb)EwE1@sj;v zu&-|)4AsnSZtB1Ij819nL2cx64s9H&Cd>XbyKL-t@p)z?7oUXSn{wK3ahcuFYvBn8 zls^_3*~1|GRdm96Dm1xF?tBz3oMS-NLlMrNP|I0nLec9!9JK$5@Fg?76CcpKn|vJW zo9Jd5TXQt|o{3ZbOT0|5i9+CxV2gV#7q^^OA`{H5HA*qrd=jDUG(8gH=Z`3JyY)tl zt4Z@kjAV^_HvSi)G?_%dT4MeWDxTBqX%t}eg0HS>jjZGw#WF7IeRyYAeLxKicTyN^9uMh=dQM3bw z%nig4cd23$2F;L|&jyoAtw;k-r~y}#sophoWHEXE#d1OJ6Ou*%~A8Otc$`^!0E|iXix4Ts)v;gC|!hb&pUuCZazn&M16I4_AD+ z(#`0bhmyTTqGptHtf;>LT37kd1C(;_0FuF&==G^N8S#>Xl`aPiF4HGDF0E?IS!Ozs zf$qa^96bqMS|(o#u79Sx^8J zx$Y9Yw?%W4P-V<%_Xu=s1Xc?!mD*bblPCm_V@aU1@f!q{eP13{b#4k?4d~qyocT?% zN;eg=!?_Wl65gNvtNAuyHi14SM(i$DKD+?V2Ja~^7YlWMZm-PT0kE{21s302>_InQ z3h45IPs%IyqogFxCR3IHh}5X`#&e4g8KVab03zxU5lsNy0pt=806+i$00vN`U`Z5! 
zVGIEPK?DHA5L67nVH5y^EMwOI7jVt*qo1n-wm45^c75ewWGAp$$7m6TBCx25zw?(> zT+-1UC9H8H?gxHT`5Opqk<-H*njPG7)?d>%+*+)>`g+ zu)`k^7n*9c1lpTG35a?n54h~ z!Ly_qooHLOrwZe?W3F8IPH27q!}lX$-x>{uuFjA3?)y$8;Qcl7;${ zxDw7)VDAQ5%89KXz5%V}6B7D+{9;Mv}iJh5L?9GjYh z_dO56%KrB@>X8PrP6AeUa|FpYhQHjXJQlJ!49qta@FZW_db>qpJ-aZe{pR-q#YpU9f$39%v zD`sKr0{LtPPGA0q==@D54Q39%Z9!|q&Z8W7s5S)65%NNL=l!U3jMtVwxR2zPU!%fUeC4#KwhOpnL|g}gRyJdt-4N_y=Er^!Dy z`wtfzp296uY1 zj2qSV5gUtyJe9?N1_ZEUq2dBg>(C66ac;szfMvm`;!!zSpy|f=CkmzF{)r9hGGqRw z-5r1%5PkdzyZUYPxcPV>(uCevn(s!O8;@8-8aA=})S8Gh$ISA7oAjlDQdJAm#PK$% zyc}%2S!?1Zc0DozRDm8?UD`3`f=d<{c5{Yh71*h`nMRpMb5-z{`ypsG;aPN?qEjz8 zwuR(W`2VR2#B*wPsIY3H6608JLlYRLbln8kc=E!XzeC=ve#ggu8!>+nMGq@f;@rBz zxPOT!^cyGHAhm(JL94AEv>1wC)?!k^q{mVO(SgS>G$1^LpYH~EE%`nDC%DnQ!UBg1 z%HXaPfmO%Q4FVf@+rBNCxTS?n=OROR9E}*zNOdUM0OYY5KCt0+g)7t7U?tVjQLDhQ*!s8B!|jXsFsZ{{p<|F#hvS> zb?X4~^@+$!PmBlkXRjnW3+2vmLG#Muml^za)H5a3ylu7oRfuL}u}3CLn!NKNMyyw8 zf41m3#U$N+vtR$fggz72pC_+SD@l}(PxucI{hnrK-ro1d>{uM5*qHxFez|aRBwawm zKLxPg(pc*nb_~9F685ujZpdcmOOPq6XcZYD(0%Ojn;wM*T(vJ%(~E#_e`WsWK2QoA z=sF1T-3{nFeDdcZ!b@XO>wkfZSWvuY1d-OJSl8on3?2jL?+tTf2}HzkF&aFZ65N{Q z#LiGw)Wubc#GhGY|1G$jvU(TQ5jrwVo`nsnIm7Mg4!ki$ajK}Ig?wN)<0R*%0jH%0 z?f8O000=^@FJ>{=O0Ca97{>@I&kbW7{xs%WM6Xdp_8gB2ev{C?3fr6I#5&xr=oEH+ zshXQLa=>QRjU5%#J?%k>Kbf3HjQZdT);MyEg5k3Hw94A=mECb&U z`(1q!`GWo!UO@d#UJA0j!wDSY)32Cjq~D8s`TF0zl<{u#-2~fSZR+bp7&=lswA|OENU+kTfXPUBD0Z(Sn)|xW2rS?w32ZW|Sz?j-G%Js) zJKHCN55F8@RG#Pa!X&vRGMrTuq_&b#ZUNDcBqD*iu~i+bY5l(raz zGukFaqw2wWY_XL$92^?LZv3Ejw*S<%O7A{~6pNol8fs}y&AOF>-yd7gm%S8noU%VnuP!B~Hj}j7TOf&1*12mLdHW4>)*? z08F^DXb$N&&J~?}{3`qy1m_dsYw9wGWAa^M_Y4611`5$*bi&IbC9c4)KIn~o76g5J z{xfCd^8xAiBR+;GFO8D`q(?CLcdw)!!vj9FlyLtR;m^#w1Y$?#avNS9EEduKl7hF~ z-YiT+E zx481`kB0F`**Ewp$B3l#Ks(QHh4H>? 
zxyB)Rz>k&^BE-Hc;ZRM`HW6gb0~$Zky8|moqd8nm#J>+zeCw^}GDgg6w;m3G5B=fM zBDzp(w0S=XB((#^%jXGw2$w^&9dzbWo~&=Q_s&rql^aSDh$d>jnm_D;eO{}wdy48D zPoWuD7Q8dHNW>AOWp00^qNP4;7J@*gOS4?J8z1Dh&%nvIX{Xr0tu{qsSPQ`yR7&jL zD(`2@ysz8|fA7ugA9x1+UTm5DLl#L#rU_Fc1s;M*D%y{;T=!Yk7ZXGVk9`lD8r%fA#!qnL&8X+|{amP)nWo*)n@hYT=HIb0jAg4*p7Y*9=4oWi*lU zKgF7}cyu{oJyOgP^IN3qxse8Kbl_NgzMnpKBJ0j1<(g8ZzaEmr_T)m(5}>7`{L7MQ zY_wF)e*2g7J7RoakNlQkD@h5nqpv<6HQ{vY&>cFv_HO%bKe#emqPZ8=;!O7NT0%DBTQwfaLkN3q@N z0O5ofIcYm60yY9P0zXIMm1|@4=xc;UB}D!FIa8H%IXhzAg{{=rG<&!!#ft#X2R|1A z`ML|}Mtm%{whMx3-uSNk#>fO zpYs6Y$%bAMtgkCLZfz(Ht8-D1ybNs$=-yP#;_RAv-!DJU!M0Z@^7ExFYm;$tB;kR> z)9ELh`T3Y4nhMRIPf4qGkPhQx_3UVZu|BHUT@0HpW+NoHN;Z1 zI_E;esBo@jc||U1ZJb2%ayJug-o0$}=&j7N;6@!&eyqucTvXCoGRHFithbHki|TsJ znW?zz(M$Lh4QTQe4QwiXJ8`P~ip$5WP0>j?gSN?vshC^A;2vgwRk_jSs|n>%zG_}Y z>Ue=Gm!T%DLgqzVFDT1lV@x4oP9Q$IGGExd~vqjg!~7MOM*40oWKz#j+7w z$*qnd-zV*qGYYMy-Tm^gwTyX@Xf!Q2^e-=%ZCdY&&cl^98?KP=k6I%S?wap!AWbum z4l^Tz+wdU7jf~s+9w&9J`HGwwQk%o){T1N@#6yO#Ox-aqpqrtZ_h-~~i z(k^|dodxn5HV~WlCuvI&E*c-J2F=6YWCC&N1jxmea#P4q~ zg|ZgtDC9GgLC<}N{?Irz5Rx;Ls5zg$+ z?`!CCc+#r#sNA?w8d31#q?&e(F8t6e6A8`4#R*$K-%}uDs}1m>Qbb^bm5?)J#B~~; z=x3f)v#aHdEAljCy&1O7VU64!-^+M8VNu*BfKIjqOTIXQ9kr}fmw?qR>SNh@LmK?c z?sN`h)pG$+ne;`4v#wRC)#|#$BD1ZlM*!zYsK19GN1ILP(;qMs0rW2KDP=wj(K-?<$lE{oEgsI7HkHe6UKhQ*tl z)NMm&(-Q~kbp{>XZfFB@@bfl8`Nq-0a+9dKvWFz-FYqqF@gfjBuq1!?FIKaVZH|GT zWQf6O&+)yLb~wdNSAJ*|FTPD}n2=m0%#a$6Y)L=#x_s5-;OZISs?=y<=KChgEIi1-`{w&#OEqh6Ib0}7 zry4F}nq^x1K(B>&Ri-BsUXv*VsVJy995|!WbU-!3cj&(vmE9;h-O92G@6lrl$>B+) zd&oN4T)$*Oueb*YaNGpx`x4r!{DE@@>KuIN93eacVt617eBrJzfDM`-x1S|mo?+XK zPyxKSnmi-8sM4nwQQ-=RX{CZb!N&?mynDMHf!za}#%qbb-@qligUe1EQLCy-*=qE;KIO2# z7&l}W_jN%raTBH1{XpB7J9I1c^B5bzHb&CPDQ1AMQPEY7lAbr~Out>V!v&>Ve+ z7_GaCROfpgL4qi47CzPx@Q0Hw$yD2wHLD5*aa{v0xEVZ`)0r(;*LIjG+m>Z2w0Jf5 zoS|zP>1|{Ld&0af47~`$={hEpy<(&Q$A21wb`@eu-6ZbqWARSl zL1EIVuH+HXvcvdO7fx9p`qjs3As?`B?Azi`XXg-#njW21fq9dlq=A3@X&i;&Zj&5P zo_L)|UEMk!_|p~1DH{5n;11YBT}kN5d@!U^-OtroJB}I_bNr{q9Vqh 
z_Tdpf!Nqahgu5F+%KYj3ig7UfX{%~j#Qk|{Vy0lVu|v<5@9#8)t_&^YgsAT{JTktY zV^!ik^cTB$$&iUI=V=e=tVy;v+ypw2RSH2D!OG^OrE3j+e}#cJ5QHGj=3>X`v_Y-u zca$3QQQ3Hr6$;7dEQCLK*dw}%un`I-ub4|$z{s%a08W;a1b|EYSVpW(cFY&WlAIJG zuo5%50B*c0hD65}2Yiq9i{eR5j#^u?%GonXglf~P9}0z(TXthARHy;IaOV}wb6+5@ z59&_Ok?(_W4tYrU+q--ZgwJ;O+#(O0?hb(d{SrGxB%-}2BBO*SMa+Bjp>cdhd4eJ- zZ`_{m$1tsGTJQH$S>+I=7fdv#10$5hsJMAmlkb&FL`5yy$;}J!2mEp4yhOt9lSpFq z2(Qq4Bk1-d@qHHL6L-see+AndA_8OwhwrFEV~i@g0~5yy5EcvMAW4#rL3No2gDDIJ zLLkL~3F38MBy%;85it0W^;1IKa;1eH#dunYs4x zd|w$i1OcPc+ruu3j!z@${A#6jOFLshWN+dPn1s58HqhCi6Ms0R*ZlR(`0ZE67I>Pk zADfeL6h4e!@T**I$S&r^S4L0&=6yj!@5=OU!Srs61tQ$8bE`ov6v?|U?mLiKPwS7? z;6gd#EnfntduwwJoVN%62?IPL*W1=f-$ViY{s5raH#@m<13K1T0K1N&LwZApAZWOZ zI1BVe7itkocn!h8T_cdT`<{|M_R3n*%iFctwmuS^zg-BjU^%sN`4&5FlUj+gLWkhA z_urn`HM@tDn@Gws<5ws8;tJYnd&Ty!b`kiI)TcGJcb{7bc#rZ>pVzwfUs=6s4DPkuJOhS!hwJQn<> zd)xn*#BD*bdNVCQu^(Yr{{wr^y`H%bP}LHAJltJQPZWThjoplsMn9WAM!p@Kcgn|` ztBv;F;@Wb!WElLHUjvd9jVYw4<--^`OfM@rVy5+P#+BuUy)Q#=xI`bYC&J;g#%CN9 z-BoSlDn23b9gtZV{L;(H7>Ujl&R_y3lCgd92)3TqQ{##g`}021cto00JFV6_2_gDX zI~P0rE6!!6J-v4;oWgS`eKFg~`qV1*HhZ!c?~w`cy@W31X-9928*hOP%P{vvnYZD2 z^yMFe(ApgJTZc(}T-^`>lphJ=Uw``f$D&ZTB409;03~GN%O?J|hQm`GSpc4>!uMou9OL1L z%Ke(LX>TP&&f9o*<5S5xfAS>#;7xi7L}X=0t=yh9V_QEalL&b7g=VUX^`=PJ7eH2B zK7cY0(I2L84H&U~Ac)T%OgbYIjd>(Yk(g{c%eg`Q%p`-Jao~$HU8${&r{n1mT=R9$cKU z7;&V^2aSw`^Wq`t~8^r@ZE1j8HGF%ZMw#_ZWlf5n^~oQT!ed} zn>Kc_J3ueQpKpVr<$ci4}yOz2SllYj2;{w@yKD z&daXX8ZZB@qzx%8EP6y(-0+CQ!iIfPa+ZM&@yR>+#!0R-Xrtsra(1lT!L8IOIy5Zb z;P7xN4Dq*lVs?ZLU-diy{jH9Aor`fL#X=?t9Z9``x<9!_+j;8E36I;h@C!t`y`~OU zq}P9UCn*4%8WH7`Rpt1mrX81j6?7_p{0~;%z6I~j#X=r|T_gO7Zv*d`yZP#h`=O$y zMB|YQ7g%0OJ${9Lyoys01Ni79qrRGAc{kX~oU_VcQ%;+q|NVUjFA<-FW|%0kKb&pv z+;fRD><99{vywrKv8vu_V2u#aqxZfKMJH9`I`2x=Ov;!d2OMm#QUNoSO7FiZ{WpW_ z0%qUAiBJWK#$fs%oYvoa7Hhw?Ul%P5^^bJsoVhqiy%WFTpFWXzO*QuLQb;y<*f_?# zX}tL&$3nV05^s9|KtR90uI&TDi8Uj0{X6(;ull&ZVgNn~Uq7?YCYBV^&Uy2ha&rVc zh^AjcFqJze@VL<{?739#_O2c#*v@r!=ih1Ow+rI1Qyc#xOy&$nTgun(L#(I11xJ}{ 
z`x3To&Zb~?K&QXL+Z)bASkfWD;A0SgD>-x+p6XML9VUGJoA_pG@zxcU83lNx_uhX; zKRcmd5Y65p3dSYY-^<)ftLrKEuJk<3tKmG$KVa>@DwcB-XTX&5tHUq=!p2mnOtbtk zc{Q@@RmiR@VEA9~LPmH7Ous=@AGAIDswojyov4)rdz8is(!$3DrtT(Dq?w#xYPA4N zm-6fXn~=)xO#7?v+3wed1?(ALP7GvRHIOr7U)@RCN9>OK$yyIjN=oOuv4985j6N1D zdI%_9+u*dk(_7xofz@KhP7RE+pL`J*%{d>bA zWm4v3I9+`deyu&Rk(O-YI}0BhaWH%5pX; zbZ?FOP+O~jP2sa@0);VnQ57lAO1+_3@jtw>TAU2r>uPdm#QbBs=Wm$5ZKljX)Ly40A1{`wH#v*}2Lfr$na&6QpMF^USt+ zfA{lX_0tzVF^+G_8EQHY53jVv>GdM{O!eU@(VOj0b3bkqPpt3rN;D}uZ@7*`l4Yk{ zG6Ou4AAWpq&THunZVEn6M3J@63l|gW&Zb8Hf1nZYx;cz@`I~&!vp;A2#{nTL_`$?% zEH+{gjKB5iH!aixQAG^qdlAIq8Z@Xh(nKbs*;x}nVmj=DvE@t|fSpO5PstS+cxLq>k=Wv))K4{^%7mU9seFIEwc#$C8&%hx zi1`PI|E^YfVwTSl)975#*~b*#XvvmO=-|E5spGl>C)S?AKT~%CkJ~L^qbXqjg`2s@ z9!C+EarjX1{ zN3Tb+{9V~+&h>i6Kj(cCdw*wnS6OdWN7|lPRncGUr5%~>`zU)9`KFQWAEPujy2h@? zkQ`&5<@}9jB;;>+c#N=>_04_Mv5|j+t!IO5gIV3b5|Asg`uQZaG~sM@Q7#2z06YP8 z*crK69U}wGY0#v)cZ7i55^AZdDAD|AG2XWyP9M?zh(^1LI?a{^p1j1&e$OYgM2-iL z`r}PA1dOoIV*09HyUOVEYKhE(F`#NT#-;av$m8PfRz3rk=<~Tsn0z17fP~#aSZjb=`+=e^#0&jOr4+HA+dwHmLJ|9L6 zwny3OS5Y#XqsIq{yt&IC$8@XMN|v3|xwGh|pH$M;PGBS^b54_>uCHrth~T5w?qLc) zL5flwIOOfyQIQ0Pf#gaAJM9C#4l_vVH{g4aJ23w?q`P9>izQ!QS6YN=po`Ud_@%V{ z2QS0a%8?)xPx@RW>Lbpu7o%{D^Q3{5p;@a3u6Zysq|0v!_}J!|M)jqDABeDWAkr>3 zAn$0f*9TlMW0>TQoTP1%)t3SOrv@Y(+}>k-eDWh8_e*6VKasnyp)4|(Dd9sOtDBI2 zg6A(h$CDS0q|Y37If;b3#C^QPp0^2k&W=d>)C6(jMV;=yDhsfZxBgkl;Y)>}t8N@~j`h>HWi5G!=k99u=AA`Ltc1}R5dfWjF z!Z1YlMhPjK+z!zJ$pO&;Cu&TEtZs$Bcgj}HtM@&zT$qi~4$G#^>t)<*oeVgo;vT<| zWnNz^?_;=Vh}5dEORk3lT{h$ayBJ|?YA_mWHhRignCf>STPIB&MPCC48*D%(wpIs3|sQDy60U}pGhraKoXC?_{u1Nf>1^({24@K%zs zH(HZj)y3DfxUQRMrox%F>sD~Lidsis`RP@JWiD>f-T3VGwrqaAu#?N}RM@O4%p&I9 zl+St=?iGcb>QLaS=j&vp6P~MySxiz_ELwzE&{}GXpZTJ`5TK_isrxbUVZXja7AJnM z_{rwp*c|1|KI$|#F272uwsd+po2~>FmweWfaKW*U%jrmf$nI+K>=|9X8H7$(Fd-3% z1KgizlPW{Vu1WxGku^BhAfI{fC?o!RrEr;O`E$kx!dg~?$q6Y&cPZ&IbopC zLzFFBx(2p4gp|+;0k9}uUr%bogzFN|mLSEXT6Q+&NDonFTg_0f6m4RGLZ4KLPT9&w znOuRUBs>uktJPgSeq+iUfyW2SQ#3c0(jLnQ?o_Xu2V~D3-R82zU-2>~v_2R}`L}U- 
z5k?k?D_d))uhSQC$LNPRZy!XB@<7N~8tCylxM($!zo8D%)4-wq3+blz{0V36O^8F@ zO6qwLHY|Ud(m6Wsfd_|Eo&yZYZ${Eq&t{vRKc#U4`plrUVUWTXkZP6l;_+3=o3CIt z`4NP|(Sh*LEwViY?%c9$XC3_nZ-k@S#^p7p>@%d3XCTx1Pc-{&{yHaU-Zv4^x+dz| zGkH%PlMU;J*)7S?Vs5Xb4Y1cpFHWcAMN*~grcc6#*l8>5r`O^+8N*=febcJY1IuN;ypmjwd;mVH%x@pEt+u%%1lE^pv_C)E4LHdt+!KV6NI-QyS3&#*xe?XpHF(x}v$ z(o?8fBQ5#no9kL*ABuSLpqQwgVaYlLz^+&pxjq-w(B?n6%;?mrmTadjL1O44y19M? zBh@9?cVeP&kLN@l{U#v%lF}5fAI>?BpXV*Pz;3MBsr0FYma*OHnaiqmEhV7LPJK9& zKoZV3wIzv{Vzq5aBQcTu4tB?En6*NoMyVDxBk>wC*BDUJsBB{5*ouUVT_0711OxjZ zQa?vT(y$wFv8Bi-fHg==Ffy>3k#O&g(+DoPQ`Xl5VrrN5*7p zL#9XMBaus}_Uv&%xztk+L_jb5PI-82O9r+^c7$aeH&=(a@@;L1N5@*rN~NEpkdj05 zbO*~saGGj-9OorNYgi+S9F^@R^=_D_XTx@Rx$O8fX1R|+B!7k=9T^;226e)Kfuz^# zvc3?_Edp`vIpw8VRG=1(>xvuo;aKs?#BTDFMKQmRvWvURRpZ6Jy8;^wNX}76OqtA1r%tJUEt)o=pK9 z7bK5x{rwsdqgNF8P8zG1Y1Ha5OpoQ<&+0Lf8HhTJT$Wwet0kFyi3(pBi?{ zsIsAT2wo`^&j*3bKOn_0^_!qveg`7e=YUiH208dMXx$%!TK*Sc)?cOeeG0hvOCV}J z34aFmKY~{LL;v{=+|17aTKfyIE}U|38H=2BAy?~UAM{+eJX^_1CU%5=1vViQK;<6+ zZ`VTq(}ZKY&0e3%i24TDII#aySetbEp2)p{nQ*h3m%U_p^#=%3xa@$S{RQx5JM{xt z)!)q;^8QjlnpRrP9|h0M_DXh3>F0Bqjo)$!Xxmyh?UG{<%5MpW@2GPF&Gm3&=Mw@V zDvnIi$V{07V;Lj}0fJCG1#u99AQXcj2q6MOh`@18V zz%M@P%K`#B@>FB>-E38}>fg0kpN++S1$I3~#_ayjg2Z}0Cbc81aUoI=>yFN+;B|VP zW{|X?VL}6DSE|=k@?%IF`xLNr)XY&KwL7l$#9W+M)eeg}VvAjzcR^Jg2u1;E>@M;H z)_k{z4M5D&|bTZ*(}+#fOg3t>Hat_c_YWe3;=Y! zm%Ex+18Kb2-T1p5)qiuu2{Bl|V~r7(nit#5dT>8t9ypZ5+Zp-pxDOR1r92c9)$cjX6Iv&7JENm=g~}$_yWcB0k!awG^xgaDL$w zf3}D-g3%^X%rsu0s7gL;R=^~#;BU=`EjX3-mnaip$YQEQ|3(x0Q7oHup9KXtUyhd? 
z@_6@ubH1{h?^v9q+R#<@`D*G}9t-R>6Wj^)BBf>sIvwT#s^R-MvasW;9@@>Vm!wIi zAHam=fivl=mtfCK0oqKD74)-f>syw)P7zKDDS4ytYJd-&J(CNv*7I0dIAH>wgP|_u zd7{+LFuEi*#{uUJ6hd#}3K^Fp9FA!Xy)ipo>S^`|Ci=K20(*^_h*atE(i*r6{KPs) zpN$yWK$u!7bg7`<)aT2j!tbrjp*zTmcg7*3mlUZl-L_)`wSO#?`Unnw%sIHIGoBME zK@|9#t!)Ek_+Vj_TV~(fE+c3URfPA1>vppy9PWWYdIwfYM46ZI<7-jVRYb2D?vAL7 zI*=^*$SxKoT@UzxRRHDJO>0u^MUcNNd9ar!mmA_Uk$jLT2T}@s z9Sm|*{f#+j4|yq?u4?sqZ|YHDUfv)={ch;R2>;TnMZ_b^Fq4kWZngJtIK!4O@Tg<# zpNyTli8S;%@piMuJrm8SKgx?8^D^h*HYGnQ%A#`aK>_&bvhKx{b|L|t?lFdTdXGg6y;HP@gs9?&A+T-jYKqvQ`=8Nm%zw8PUH9(W)CF-8EJ!9 zf6OILM=j8+zjgy_TD)LoJj%J;zLeYj>(;nM`~j8P)2ZJjen+i3Ck=U7(;O6eS~*JS%W4{ z7VJ$&7j_0vh z*mcD1;}EN(v?d-+_{;xGoiz5q%I}c(wNn8{$uQ*KaS>l0EAZ(-f(_WbTX?x2lVJ>M z?~$Abr0J_vq+u5sa2k-1cb&=ZR<(Y&aB@`L_9da=5!cHd>A(LcA{^Cx0K*ty5pRgn zXG%U(mk2&__=hlk45yf{$p&X(%g5{X{PU&*Mxe!k{ln3P5rc~ zG{nP{;5LjjMP9wr$oM?5?N!Zy^{pn3?KOfngq%5EgB)eixg1MGHd<~A;-NustAV&F za05XVO4i_sSdriI2Z2-a4U9h5BgP3`!^1v2E|54B$Sg$e(9tO~@Tx|Z9^iFF7|vp& z9U1o1$mk~;xhKNfoySyI>2q>2&|Nm+=U%|>KJuN&!l7`0WhQiml`7~@xE!yTI0|&> z`C+IB(O#AY95B}cv)~tISaTq;pb6+)4v@hMW=hL-*KTWF6gPjrygnK#r6K(Fl=ZLZ-yw0>0Wz1(ZhA~&7!{Dr2^z+&8th8dGv6vXDyHIk+InO z@Ht&9+SkCGW9$@Z6G?`QZwnY=7+N6aa?GNnr7TB7{_UWdvw z71Z^g;{LO`Q*2{O?wuN54`zR&VYDZ96SbL2`tBI?)a)s{MqC*+eWypChaG|Du%5{C z3`sqhA=jbau|Hk}m#-k_B-1=PsfPMF55DMF^2OI(?H?`7ikS-^ z1kG^3rGD<_3TQ%@fyk))NSp_7>O(iBSrjq3-ka`AYtR9`!%xzjYnbR?aJMt-`APu)Yshh39Xg7B^TY0Y9y6+%;do%^qlO%!$RMZhUX#aRgHnAADS;Vn zjDnf?Reixm?1oB@J>)A3XRi(jk8{OST{XJva}mXaiG!mK87_kHr>rxl|AfZ~YB!A< zkiJJy=_3R9nI6b}$60c%pSIZ+5-6a*;$%L(95=(!ZvHu|7Tab7s4gHR97A?Md!Eb# zTPnJS&mFJUqZs@dtulP@d4IrWaRm#skKt4#Vq;!~Z9Y)e%TYNE6B$Op$2o*PYSvCg zW#qP?&~hlwdLf9mGr#9*eH>~p5||1s)1kc^8WUkvE?mbz@Y-@^a8&av-_`7$i92cb z|KB|qqc+#kZ<#^A-zZ*Tbf4>C6yq*D`-tLmKU$MVbSOXoS&xN~UY4tqGb-t@C(O&F z8zu72G}kA#OZ>Zp%MQs(&?qu?^2y z`#C-^I>ZRB!#+W(lPJ?GX}Z{hk=G$nW=1hQYlQPTIbJ_}yh%WPnRb3UA{-czJX(wf z2O91JaO{qHP^TO6%hS9Ct@;HoxqhH?;P)(AFW|gk2mV6MbQ_I!S07WmtnXb?M848zl6g|1j4Gf_y-Q%(+$0de#r^jPu+oje 
zHn#{Ql@LTs`3}K2l2eq%gt^HRNMbX8Gr`8RT5s&~?$N~LUSh1rl|(ToHr^k|yjue$ z{l$Oe7x2#h5NvQmF{m>CsvJsZuP z1UAkat$o0{8GzDnBtow|in^QgfORhbdv67(Xjr)ukYP6hR@A+1DhRxd(5}0PnZAQ~ z*Bb~9ggeitdXyDMM47enoRz3kHW0D(6#Y&5y9(_do&%&eEirPrDq(hKS$_k$OgHAD z_m7R`zUE)Qq0Nm0#?6xZhTBIfYtlP18Sfru&yB0w+ zRQe~Yg7m3usc_J&`T|Cc07Ye=Cw=_zphz_bW~$`4WG9okb|;$AY`ppb5?hW#^dV)u zP>!?%EEnd2riBCM?3mH_THa`YWFFZd(iYm#D{7&;h_(i6;c~M;@<>ogh_Ak)#t=t( zcEE7lC`|@fRBfdCjH(zF7LWj2ooiJx_hoTv1&NE2oiDYhk}9B)G`?GNv*Z*J&7)E~ z@^H=&)0GqxJNZmXgZf4wC{(@8SAroFEFBtXN-wQOuo`blr71k)h;B<+P-k$l8L7th z%7`gCJ=Z0BlmdNK->gb94$zTd_WfJxkj&Bvn`8_))oD-9`)NcKF^tIGezjRy3>Buy zCDb3PAI-lFxt=rhvP>sLNl`)(SQeu$5@6$xNRq6XxFMEblyEw6@iG1<57hX zlHa5QuW%RbQ6^!GTe4>7%w$N-7iylx=^cHMz`$BtLyo@JLXuD-qt#oJPAyFOXZe{H zA#9P53I_pJK|)+~dnNBM@AfPVUbHU=V0}^f7M9YHoF8m_C#1^<;oQXxT8TZ-IreMp ziqZj1;^GA6fMfLtV%s9sQ*gzD150xQATBrHbS*kBuc{JI67g1FP3k;ZTsZQF1ae^Ra@&Q~_H(e9%THHl|_>O>t(Vh)CoWO5#FTnrUpHVfd*Ayl_EWDme_{`g%Ny zFooB^OK}U?iJF!82K#oaM`#o696IAM=wKWMA{Bo@ z5WbQuad8(+Sk1R-8xKIROp1;>!4b_Dyi_G8mBleAO*;WyqJ3n)vIfFQtMi2gZ(`eL zQEA1QSj``3Av=vvQK;fecp>5*uw>e;S-T@TH{zwk#m~g<@eY(~JoJGE2ityq+0e%$ zj-%JbWYyze2a`g$b0s~9j8=FB-Z~B86rgDE39z4s;^K-(^1&}yI%h)Tc?m1{14L^^ z*)jz2&a&(Pn|ydsDuildSCoY4LkbzdT9BAeqzt!G7Lb`o%?4I195?B#9$Z|P-LpR# zghN+k#}1jnkP0Y2&FTnCivXH)fGr}hyM0yAe*Mn(%P5GVaSkH-8* z5WgQ;SDV@hJ*Xrk8#D6;44@33A$n^XwrT-sF zeIV3fmZTVhp}Tz0r+-2J_M9QJ?}gn({xxU63+xsD4(PCSr_V*d`Rg1a+k578gsOiF zIm(X%lK)zaqYvh*H5T%zReX^@i#RMF3yF#6h+Y^|C)LL%>FsLWQU2`5Uqu%@m;Y3R zq*W(0ZacKz@6Z+PPm!6w4Nz6QbUz9%NZR_>z|wvw-~c}iNdLd!;(ivWn0E3rCF(zs ztr@cWCosKtGSOka;2n$Yl5B#%2~KWCVzyBE^zQ^GTcKY@Jf8$;WwpNwm~wW)S=o~4 zSV}Ns7CzAHxF#e$1!dwz>*gdc8}^xSgRe`inlVqZjlYDZuXettNq@w`7cHs(J214R2qE58RD?pFfc?NtJwp)a+ZGP6H_X8z(%^uO&x3R%k<+4nX* zs{Rt-;&lUF{sY2F_8q|1zX3H1gW-t#2~Z>QE&J&oVLHD7=+qw~bN-3l{~xx`?|~XAm5L))9+t0Z<-*XG{fAtUc3qFJG&vL(^*^v2Hvw@~X51uF&D zY^mb`Z6GZhBz)>y--P24cX%pv@jB1|MZ1XGn)jbL9cN%;Oj$K_j_d5lCwRCV8{MVx zI$bvq>;g<#_49va4{2@L6{kO_{^4+#Vd<>!Eu{5`^>9uM?nVa0WsR3h9T3!r{#>Ee 
zfKDrnH5(@QyM7s);67S9)QfA|+(S%Hmub1CWYHCi5_k9*n zLWMCRRIub7Mun!}QB#-rt;DR(ttE~|1l3IuKZ6Mt9M)hA2RB0ukHddFWKutrs4*^s z3vn)JWeHi|u~S)vJDarRgky{>N7zhm*6GbKDBixw7D^}4Y%H=wh+yarj3i`WqXC$@Loo5-jt-O#S-kNi zHnR>hCJmpW6X8-&H2Vd&L2HfPH$?ITK`sy!nQRZ-%Q}<_2J&Gl@4_f+b!)FPx)F0) zrTYF8RIUGZTJO9@C8|o=$JMHa|GBBBOE@(xQ<@2`ZD4LVI0bcSp zC?HotPQF~$ww#R+o1frQ2rWfp^Wk z9kd(*mYyduhE`(83ekZ=>2oBmRBiyybMqqj$OqnpPEUrTF*hRTQc?hbW%ititbSvX zC?5j;fOKWHLVjGbeIk|C*o48?l0$?RnOsr3f;gM{%;~db0`kr)af8oN?7*O&_pQ@8N5v&&Lzs|OMzE^ z_u~obqrqwZ8LKOF{}U?cH{%XVT9;w1V(`eY^fW{YgP8VCutsUw1RYCbFa2X&WRKpc z#78u3M+RfZ3z{f7GeiSuhzImC0AOGM000Hg;vhK?1i+yffPxSJVgP_*01RUgjs!to z+5mRD2q#09&EIg-imTQWpbR)Zp`2bh84JRZPr|rvzyln)oi7D%z;>pUG5)_>tF>X| zGI%m8Y;M>-BAvdJF@=-HvVDxdzU1Z}_R~+@O`Qj=`)4S5o}(R<)blVV7WFZ}tboNy zM;L2Qa92f8ccPIs;L%JR6KQ#l2~WCuhE67)-9uEjMIq%!O~!!e>fv^Zgvu+8YUT2X z=r`;M8Hm8fn}p0Ru3AHFl}EYXH59W+T_p^uDLCM9dbO+v?^mvWzKhC_7;>O;Dmzbr z7UE{Awj`+`l;NCrXny8}FH@tBS?jhtz$i?Pt2tBc?*DME!1a5QOaTj53|w8vUj6G+ zrj42# z2Q%{8p+4HhP7M`rLO;PPG&iZ}^*kDr!+&}Z&#Ezd8PW$b<;bVps`o#DXbx|cVs>CaAyFgUb5TVZ#B1GhuR zKdvQr0xI!I!SpoZJ=!YwjE&-X5^d<7Fu7SvF$5m7P3f+*$dA^?yGB*PpiIt5TC|hM zSWM2uw~lSbO}YjBsLd%3p&eI{z__Z;@44TW-9E603SzGks<+RmYh!2ujVw2njjJQk z(M05vF9qif&aPhklcj#rNd3B01r6)rziSyLQuSlu*K3#O*p*L44Ss*c?JpgE`-8K0 z%PjRfLTpE63l7P|gYLKE8R?-=^O|-M>H_oUb-E{X=n7L?1He4Dg{Yq~yt`CN=G6hi zilNOT!ug73pz-iqOMZ+O-xh{BE=263$iK61ePrgJKtLRj9isag9TY8+(Z0+-fe`n_ z5np2Jj8dx$Q0jYtaY~%)u2ATJDo1a{PI%Vmm`Vq-G{D6@Oud-JrrKPwS)0h14Caje03PMw9~m9X}(9J~d1mJ}&R zw?(FXUlTO!m6iL%0;4p4-ahnkUk8gfCu_@Z(6Ij-9s4O$>8Lmk< zQ0K2nV+fW0GFZWx8=q$7a3DeKW}^A&i|+I(#6i7-2LZmxRdxFAdNY^DZTg7mJtCvd zlxel~Ay;jg(&ZHns5w;J`J8E2Zl_MPBZ~AC7i)!=JmD{QJ+l6=Zwr!n%>KNYOgDK|^&AXENN3_^-ni#6(3@YEhZl(- zA-DzdkhJMoWuR<`ddEo`R#*HNZk-&U$%)U;-a+gy>?Ho-c6E3u3thCoeu_p@2$0hP3NA+nN8B>#5T4^t>v`We zPMA5dSJU~?O_;k*%InL-y56(pG{^RllQ1iI_Ty+1LcOyEbtRJU(RBHNl{y(qK{_gC zD}qj6B?Y?E>geui9rY3`B~DMDkoEmougHEWD?8JEay5lgfu3!2S?(dU*FyTh0(o}B zZtrn=yfqUppIob#=!zQJhal`iv0!_TnQ>}i3}4%Nt{4!83&cG2)Oi-{@jbNff{TrfEY|O!o{3kYE 
z|M^z62O+qBheG>~$Kh)&TzKR4gz_Ak`${PYITx*qvhJ!|WnP5pLsjUb3qjw3mt*9{ zJ^~%H_Ph+m%6%9XU&#{EF4X4S4(?ru*YV`_^3`WxEaj;-)^s|VkGU=BsPsb)TwF3@LIe(iPUNSEKL4Hgb z$RzuGJLN+Qi?QRrKQ`NK`=TzA%aqF5PsY-RAwMIlyRmDemrH?c0F8chM_Yp*&8j2X zAvo2CdQ5HzO<1wP_b2018{Fehjc>Clt2&;Q!2>^Q`6CL6jZpXMpg7BXHuqM&9^i4G z8t7!Up*+lS+tNpHVU~wT-^eP6Ej_^=6`D>SAnOB?-qTMCP(4=GstvI)pE+uLoVmCS z)Sp3AaRmRS)*X%cvb8Lja_}qfZZfy-LH+#sXj`fm(AcV}^bv1W3t}CD(_GMbvbx-~ z?Qw6A=K`5ZOTJV&Wp%311w~CCv*iO~DbwJ|<;1zF_4>6#9dj$ij(cC_(iAiNr#_me zZKkN?@2U*|pa+<-8rq!6Dstz{D8Co=Hp%R#6NnB0l;;D;j`4A*N6rdW!vb2_$`6hL z>!^noY+@#5=_{P%^!90D6-))LvCAoinnqGxZ-_+z?qlj^8;vuCK7Jf^M6 z@v}NhP^Jfz3Sm(x&I#21x#9sm%Q}K|YbcQ{Fz#y${y}&$HoBo_Qjo{?ICkLoH|*vc zNCoB5td4*MpR84%Y7FOn!vn8p6|OgI{KTZW&vL{m&Ll6-zt@PUrkkK%2z%kP4YX&N z+|HLd;YU-TtJ=br&CLcAPE^m1rX?5dg-R9xzUu)!jzQ|zo3*2D`0;c6#SC2PxMQt@ zEodDd@^nw=m%F?>Xx6*8LR0f(z8nMU!%2UF&NsJqeggz`vX(^VdN4v>d6>}19BJO8Rgkvjp`~EXfB84}+Ie{G-d>pN;lUDFPj30w zOJt9C6W@)6l)SB+r03C^$yy>WNBApU-JHiR;s(uc>7TWF$D)WcGb#_mVDdq*u_T)~ zN|u8gg5oD?H7S`-=k5Pmr_Jo0;S0FvygXmxBvUEQ3>@YQj(IiT{0YN&=4aM4qB)qT)BulbB(|{y z@b10J`?CxHLZPN!uy1aT0?9kSDYi49FYxRMXrH+Vw$rO_fK<{Mui|@E2l{4#nG&&1 z=*v3wPE0DQ(!N4P;+@`|_A?^Y2!D79^R71mbH6Z-N>~XQz4%r10O7(|d2ReT-bq}<<@H9-@!KjGU+>Ei5%ONm2h+8wk!x;9oLpyeTrYaE>|rY_+jqqnR?^q6ZSONQq%$Co6smXN9-4kuw2cr1 z)K)Q(50qflo4r~tM)^VF+S1Npe{>I`A9vF=bm8eq9fvH>MVUN@em9)^hD zh4fVpxhD3!|NF`7hac}?l=-GL01RNbzQpB_CX#ma4^T*0AAZa2z3ZEEKT0Q~L<-%y zW4RsuFh(Q?zY3+5pu>-T(2-PBhfC3HqMsuS9>|2Q+TqdFvBUTmS7QX$KhG_idtm=Z z@z7)CAi3doEL%QYEHReH8_IiIS3~VyG{hOMM!XQa8n3R#yZFw2BgGi;ne4#%uN)O$ zcXTaXAGHX<`T!y<)@j^x zukD~m0!DFwhE1Z)u!Bl3USPJJi%<*h*V~v7VihFHvRSdb(aRQ18ONP-g%Esw1MR61(Q%;H`Ob8JWz!uBWU2 zSv{S5_c9a1R&2vye2!)$It|heg)8f(bq1llGE~7zHlj#s-_3##!U`cO{R3Hdv6y^sD-e7vbH{~&pU=O7+nprVjs%nhw$9Ko-;B5vugf{vr1^)$)c+8t? 
zk}QUhHxUwl{092QpQuh*Dg?WAZ|Wu|nLs|rvg?}1BTdBS+&eXujvvzEkNqm)Wn8+P zF6IsH*1Y?{L@&C`ZD!>P!E{p2L$Ejoot^&XD8`u(Fr(>@Yl0r`B#au}UDX$OJM)RnKFqha51mYEv zNR><8kTUeG#{t9k2mxCa`mqt@^;a>TSU5~06h2`Kt5M0M+d7l3KA4`wLqp-|(SGn@ zk+Pm46YQRs>;mBO2n~&*N(}Rm0`N;A{2ExlPUZ6#nVd;ifZAPN75+BR8VaofefAR> zt^%6jRL~&Qni>LCNIxLCp{!MBI2AMqT(wSM70?ZCg@6aypIEz1I8lm?hF}=Ty#jH0 zKZ5Q9PSL(G-rkPfrk3XJoYnKx6qlN_{9JtcP5s|ka5V7ag19sQrTX6iS~3EnPYyA3 zIyX@_Gt62Zcl*Q|cVh)})*d5kXsMt^CSMFALp_ezeuq6*)p=7)xB2tO88t9EJZ`{e zhKv=FyAbwYuU1zo(@pyG=h1TNbzLIe)5qLjs%lTW3i+q1HpX?|ee*hBU6VKI6xB)a zV6$KsuOw10{+WkeeK@Y|Z{$&DtXD}s0ImBRY5=$H7lYE-Sr5HQ?>b@{)(&dV?ce_= z$kBfEip!|yFMahG48}MzJ>!JY&rA76P?q)wtxiHkgW#+|3_eA{5Y)W*^S2Nabln&~ zNq#cVUa3OYg!*XEch;z{&#Ek8EJISm!7J)3kUJGbg-;YR;0%pPR(h#0H=ebhJI{Uw z4K9)^4zTF7P7ReXfWA1_@V6}ewB&d*K%+nXGM*P~oLqzJbZ~CKz{p$q7;VafF}#j%cJSk0!CFR(%r1{B1s__V$7Wx+-W> zJDB?4;8`8&ww=Bmc6!N^jwmoI&7EEe!Y_u|VfrzHe>@!XMv3CpV+IjDEKa^_2i3gR zKG_g;S#qgcM-Zo8F#y-4=v{)n+3bXWD~xl92yX852V>*q;NP{6n8csU;AFjM|3{); zaGDz3 zx4M2p4a2p@*+8_cdL;zlssbZ#yeVZZWw3NO8USAv7)iA)4?o`m@&^3|O9!eR0ny~a z2@bQwj>)SR)oElM0^=KNYmMi`;9!0+*f@T|t75i{K4&653JuhmF8T?B@1BjT5XH?< zXmRYrXISTIe8Gp}O{#jHV|f*2;8TA>F7euHjaDveW23qgF0klLd@+{P!fr=rq6MeE zL}jJ^d2GQSt5s=m3JW+~cB|}DT(71KeUeJjrs*a^cpqiDWjv(s zaEGeraK<(xksUQU0YVq@>t9#vIB=E{aQXl~pMvogr8!aT;7&5#GpTd|$S-K|#5y#c z1_{o2M-6!?DPZWq+XwQYYGRA@C?Y{+OHnHr5>#{IlfM_xB39iI+EH~W%c zwT>v^G?;2I$@NQb=87DSK(Y$au}B2cB`!v9;oVAjZ8FJph~!MtIXITgW~n7joavyO zi$xC4lvP$`i3E+Sh=!FoJg=o|9}a&!=cm+w9!QeNCe}$tmkyN6yjBDwXLT{1BlD9} zf#mR&ktK$}+u->Wwh%?;`D@BVktPrh2`Lt@UX&{mS2ev@O7YW4VN1RO!BH=`$M~;ypR>dI&&sypv(zT z-7R>egK#Tpk{e;&azHMk z+>bISa4Oe9=#=-dLGu}qv4v=^lg}Mzj4pqH%;$XIpL`Eag_X+nkc?*Un#uDJjL=Wci(8zr^5;=$q% z7VtXD%xs;wMJ_`WPY#008aurxVcF&OY^1uAx8Z6|qV08|-5*b-PO3R)V~$npDubVz zGXH=i_8DD3uO}rzE+o18#rQhzRN&0l=w_``u7=ufA?6#%#PXJOGh-+QGMy}$(Igbp ztB@AZl$^243WGvR=_vDRTy?WSIhJ)~zjkx^j>=BdJn~9HITp+4eO7FF7$7ghJ)|5A3<$M;4|p^187g1UlYk@? 
zi&rAls6-lRuS-%r88cUCvE)^u{SxlgCX;*$*&ft-XYeysszMCMlC@a>=J-0_#GU*L zD$HEPWv!EHzT=QO5k)Vzz!ci&zGsF$?_@eQ!d4&ql)<@_4pcudB7x(Ksd{zaAz4iBlA-Ob0}2&Im#d4wN8w= z6KxE(nc!Ye+L{@%3Gl+_7Ru>^<`pI+c@nBUYI7tk7t<_nz<0`z0Ckqo^0I8%G)j~k zVFKkvl%mE6N_ZE3ycHm!S)tplHL=AF9kAsj=gx`1#4R=-qEg8xtZY@oq!8S)Uiz6J z8G=bj@*g-p_aOwa(zmkl@(_tU^jdij8@x90pn-Onv^jXHDon0}rNWA3i-K277CFy> zRlH`Ju3ujCtk(SU{QA@cEphL$O9P zj+zT)N6sj$T!yk_n>9IuMo21m4g*=w?r1|oWy?I$Uumm(lj>yKG)i=X@HVBYFn5I( zNnWhI-;-)jU!l`O0#`nBIzuHVL;$w}Pu619_gkwZ3akRIb93M{HB$hREARl4&1hWl zD4`Pmz4!omc$YGb}qbaWazi7M*QPptNB?qvO_dT^mRaNyHPV3 zOvMx_-VR#$y%Y%~r`gQMtWSzXX-pTILYjcxJM*+!oMY0+Xz27*Rx&d=zmf~-(1DA| zS}fIl*C$d5mOCO2oPJD~%mKvA%oYV7O`+_CMj-LbRzAZzQza@iakPxYito4fkXo42 z(Qwf8G%F+tPPFZld@*kIYN%MLHB!B|d)kyx+4ASWVMMLWj~o&fr4e0z94uu3AShJ5 zu?V!x55W!KjWS6ej?n!dkMiH(e=YiM*l=?A%KbqA&Mg&1mb6U(-bnV_cvW!d<8jwD zqn>Gb2`$cOr6^U^gD1pfihUgu?TE zw5^8icVM$W2j*DT{55DWJ*}_C>dr9PoKVuYfiw-)*8oS`xX;Eu8m2Q;GJG?*zmmTU z^OLcOAsxf}oLk#q_+rFiv>yyqwbC{T$C9;JpHKf6FN{70H1B1+0H-ig2MA;+2RSeW8(hvflzRZQD*-<^=}zMZb%b=WAR*#|rHH;T=T~Br*|fR&NrYwwTx9RfQfTK6LjPkfMl) ze*xOeK7AwJ_`Uoh(#fqdar+aIqW=&r`x77&|ES8o5GI+=d<0N|8Ux_kD+wf;Mt(nBO4)Kp)G5$WeJN@3n7 zfY*|ZTAnhcm|fp}96D8uM9R3?it`5mBEQFPtdc4I0T|ccy~5AQaQ5?I*sv+jrOh8s zeHXg;vmm;BZU6Km+E?9rBBYV1&qk+ig$ysUIwIXguYw-7cuI#LU8ars_IX~VQy~P& zmU*N0AG|l>n~Vi)1@Yn z;K8yFOAYBQNIf93^-`Li0+DsXW=m#3i!K^u{Hqm8*W;G)(=JV5WILtsu*h}i<)|se zyn`cG;1MLBSY}0{LR%>{lHZPtZb~4cGmB~TeE4Pu$KNX0-q011*Xnh284xLm$I4a} z$CQrD56J;Bu%wKAs~KulI*mv#$Xz!mO0j^W_OVE?*}SZJZI(_&6;OC@Y72v^%p&Zy zIvrg`mqX&2foLiEj71ty9FrD`mRe($cq=*x5Y2`y8PKAOfC!R!R@-uhjminZTIqB+ zP@igFE+QXDQ1_{BXcd;|gY6ALdw+Y<#3xH$gfIbtHf!OxJfTA&kGuMy$^7B@qio?I z5vQZ!WH2ZN1L|$q5)v+(W?5%r6uK|0sCOU;p1y|1*3}5zQ*T+Ho`wd6lj4r90X5Y# z@B>h1FSq+{ST#M(k<`&Rfhyi(pD~K?*2S1H5q+SssTG{{GEN_zj2=wB2@dIF@L<)& z2*q&wmh0D}$<LmSJ$AiNj?jR(yAAm2|>m2aJx>p)5Q2^bLt>jXE6t3qL}d6t69s zu~U1yaRPO?`(lru#2I*YnK-DX7e?7yAbS>z%4^3X_6lhO+ z7O~HXl9kjGWuA@&4m44$8GSest52X*+A(?cqS#V8s=PWHy0&?P&I(c$Bb8X!V&NpP 
zrR))C#Z;=Ofh2{;A`J&Kq0pOrudz-=xsjDL&^oA5G{xunX6q_5Ih~{u6wZJ{WfT^8 zOQF>)k`2q9m*WGQZp;kH0|t}7R(qn1}J3| zae)Mq)aBoI-AQqQkOvDoRG@-&7};;WNazV>3mq_@AcG3qKjM1J8gm6Nr%}J3YmO9T zNGvuEXt8>1ID{E3jPXJnCKF<~#>Y>akbvmuT-ZFeR1MFVs|76f zkeGqUrUnh1C@7RojV;EQ8yFbag%@1tz@`C>#IPXzmqD;VQ)j?7GoFouNFmZ-t|&re z5j9%|ju?6EU@f8t3o9BmaIqJ<^2U0^g@zs;3JV($SAd>c4=A8LtqDq9*Z?l)7&p=dG>LSf_} zL$MF8hS0W5T}Q-0;b$%ejH}eiLmJmI%y=gbM_db#l(P`Tv1BP0>NeFMP2x&$-7#@o zr3gxw5pW1UL*SJn>jUp1VI9MS#ECH2aTU>V_zN7NO95=lMXF{O5gSjcynI{fvn6$fR@#zunPc{4$g5SmU2R-YYS(4B9-~(>{sxFJ0dcC zmuc?I(uQOTmwT5&ETqZoG4$LIVI$mKHoottkm>S)ZqK{f-h`9hnZVlYOXx^mmFTfs znj_Ld0}9c0CnQxp@a-xLY6YEW2<}SgfQ0{h5=8P}cO-CtvihXco?7F5kb3>$Zp7tI zBr@ZP>QEbyfRhHGLf-$)GK4}UJjvW<*oD^`vQHt*Rs+rw8t-8CJZ{Gk$Ws>)n(~+U65>$nI8d`8`U3qs6P@n|y zJ3DDf=F078a4Qmg%ANg;l(U!dO*3H>IHLOrS)& zWwhCsxP-eBt_fVb3}riIk%mggE}1!n{Lbui2)%Xp~Uth##P7@ zuX`!VL?LO#RI3|xD(yyio07Q~afU4Wmg_gfejv@)xv&%)Hj^2k=++rsB8}o#rd|N18BnB zJx{g=;FW3k>&`Jz?l8cu9RRbuZ}rZCrTj-&vVR4OYz5HztFS~VQ)PVpr@*a0rbKxN z-1@LL{=JNGfcIaX{au~=e}(+|W&Tk}LjA1|%aBpzgga9R65nUShc5wbKOqeOzY@m# zr(~W#2*vV`5Q+)%=WhfH=if(!KalkFiJ-QB2n;AKv6K)|d|00?0lj_{V|S{u_{^>i#zP*iREd`84QeGYCOn219`I ziqb)$F%U+Sn@_q^UIVABq!B8 z$DU8hj+z!|7o0+x2+?6?ESR)pILaiF*<>u19|~L1SS}`|3v$xIxBz+7#>gKmBYN8M zLc~|fU|M)7zD9}aj)~KjZV02m5F1+JI^&`3!{P~d2p22 zv3doYVn(q@p9dxdxMnP{ix86!e%a6`EV2>U(pBXKKP=DlXPa$#_bcg(uSFu409rgOGf5H8POg1tcb^wzM3j*H2fcODCm0)3MRBK>8q!S}(XtBWpAkwgocVRX7@WE)% zRInK;Z#cqa2w^giGZ_mO181H&mJ-^-2!ml_V`7*D?BE;N3#SU z)pzP-3Cwjmj+cIB-vUVjY`q~DzJCHolu{|Z6Hu6MJ3m(61n%w&S>t{QI9x_Dj2B{c zz3N4+Za)Y`?Tx%(Z-m+17vTfL7sGq=Qn0Q{R}p2KgZ4v z6e)cSBqn)c!*8aCK@FV@?&T8Ow}6JQUjbVZae5Vu(w>hQB>f(1-HW)j*MrmgJY*C8 z=}$mGXQ2!nOV-CJ7G>0%AOyV^m;wr0tw;e)dkZAu#ag`= zUENQSVv)GQXx_8F0kf*7{JB5EJbMPrxPAdBzAsxetL=@jLWR;70pdE4*M2<_AR_hL z53%)QH=ZI@FN8(zMOE8m=cv{H@WD?{A68Z>bgLQOvhmt9%Pnki`yM3f6fivx7*)SR ztki=N_LPDws3?U_Q<1$6o856eo1OqMNsj}j##}gQ+23#oh}%8)!F>!V3fuY@I6QyI z7xAx;;qzW2(P+y@AyxT8c#lVdQB%)^1n 
z@Nc9gzXpZHmr)V%WRNZ&25ZA_{>WosjpyI+ZP75!DXZ+Sbn}!KQd5OffHpmly>K;K>RCy!o0pKx)MMU`S=; z`EV_cD>%mW1(DgY&B- zsx9+%gPEJ_5s3u9Xdrh|;7bOu{aOLrzEUuV_Y#%%pZQqbY*3D69og@thmq}Nf;E2G zafI?k$BM$$mk2N~I8IodNA=Yaqhcl; z5bYI)NV7gKFeEHZq3A%G5Mef}UYj+3sTB-rducNKtQy%}EWRq>edY`L(J+MV!oRjS z@vlXXK3&E;Um1@49Z}_##UI@(#Zzz0Zc_AxMaJ^F!ropJFv)M`0)WcXJOrP0ePp*+}LHH@Y={z_E~LC+NHUNngKs|DNBGI4PS+;;>0k-S)l zPTjp&_&hI-ruebBj=&`o=e&VVyOQZjL?yjD}Bhm1|0^mA0Xq+Q#sSUW(g;#EuAg7S!a@XK%vFh0s$m_ZQp)2>S;zGGA z*AQNp{#-)ftXzMXWS2c@T|gL#CY9?49+K-MgVNQ5*(1hWI+)#By^$m^*KzsLabh6R z)NQPD;Q$7ztMrMvYLMx;=of%48n8;P+2YQl>jiSxI-RK51sInco-3%t#&c~)0OMx^ zfJcI3kSYQIARXiq01ylW0008BD3A&RFdzgl6axSV000;Ra1;W7B+b#(0Ou)E>-VkG zX1VXRN?2*1eS;$QwAts*9SPs`C36-%MQiN=P@SakZO6}&gVbG`Y_zL9b=Qgvq@{bhW>3hRkynp%T~7GkL4I>=6^ zye&`7u`=bD_>y<;Y->2Wv+R=~q?+E<*q;XpYuAFa1*<>H2rEjG@97aGskqo6J`s!) ziu(K9SHo+D^pAWMCd8Lh*Xkdzm(hP4k=-0}((aF`UiGV49lm_Jt@K0YV;9zv_1pod z{@n6=Ole2SmY=W+;iL$deT4Ie9T{_B(QnMwj|?>FF#_owls{M-ys-v=OmkA#2>&_f z(dbL2BUSJc%3ow9p(a;PbQ7r{oo3~Y zP=l}8a|A<=0ZU{PCoonYdpN}fIUbH>g@r*$=$hzmJrdRF+9-Fzsd^uQaN}EobJwex zyoPu91DCIJ|7uBrUC0X!J@Kfj<;hrQNV(zPr(5{SL$xaKR_*UjDt-JGWt;d*ypG46 zdbLHB8H*fu;~9(e#iYsv+)Onj!o>RABii{R4Ydz~INP?-Zl_##(W>a56jNgui&yAe zTaPPSQ4d7ra)E@+yGdE7VkUdRV7sCG$>I=8>UD1FtlGhSOh@8cItEK7OUf|syw87_n;Ytyp&rO^6U>R9xGNdaDh<*O53hXB-)-AgvCDRcaexCMyFoLHxhd^bx9G># z6JJ*l6|KqHvo|Wu5H+#Rx1(|&k86b1ZDFCzT*R4n zOOpCwZ__4_(tFVzkbe%hOoY^A3QRNe-5hL(2tI7)VK&W9UCOKzC#K&uV&8e{<%WvY zkPjwm3!K<|>XY;7H~?^PZt?`4=~sEGnMC8pK0v(8Q{9k{Rx6*tQsx8=kc+74rXP%k zQ)z5|Pr}(s$qt+WJ%ZL*OTD!ZF~xE_e7e80$J~J=zQ7oWak6QPe=@@TnocjZx8MTu zmcxmZGas1+?{`G>#5vPn)ab_}vfmgff?K5I!L=YR?4epg&P_QWZDiO$l->ZCxi=Pl zm(bKxS;(}=J*J0G{{}d*ufuZ*uiGvtJ|rSTT(b|<$tQnVwE}H0=;a$akVaz(nl?LP zqxipxvR_o6gQKdO%-_^03QE8sOe6Z{H2(T|7kANaM=52yj%%GoSJT@yIIKtD zsz@E;Cig($qWVWsRfei}9wJq8{mIKWr5gP_YX)u(X!0{e;8g<2KNb;WVnygDoB5`O zNHqGyD~A8aBiNQ|GLD4#6KEMIDaC*=Y`@!#dIRX^dr)$7bg3^{bBM`1vL zWuVDkkVJpZ0tPzXc!D^@HjgU)>ftxi`1)Axnt$z3Z^pJGQ{KV7e`bZ^XFEv$Q)I?= 
zfL(0tzYnsEgI3>MSban_#kJIYbPC5;;ixn;;7#@i3inzl!}sT6js9DfdS^n(jgw&O zV;W1DEq;XEYlnxsJHz!JJ}h_CKv8p8Y5NIf*hk?iy9(nU@WM~B7hy1uVRX|&kFYbF zbSFF|#_3rSK<<4|_D79@=f-w77!HNxG&0!~h4uqZpABOj=B5}v)5dzXtG_HJ04l+Q z#h7;$zB>iG=Sc70^!=j$_*D=e2AS@ao@1qf?J4$Xw(@HJ^p`Y-yl%dDD(m;3h=qxP zExj6Qf=!cbBMi=+2JPp6$+M}7{EtqoEye`}zmv59<~8Mx4&JBxp7 zT=*pYu!ds4*rJBnrb6?>IQJsJpB*~>?_3VYD3T^@K0JvC;Is;2@S%7C?(LjorNX4M`rikGH({H4r7sH<-m zV)bVX>BZZ*hU2j?knGEQ9VK1 zOvQ08F|ym%2;9)BtZCLeFqv@TF_i*i&qrrq*i*;buMw7?qrJSbs>+Q$q_2tkG({(g z+5|}Ere=)y15)6Vh-!Vaq@P+pQDjaPrT&|kv<)j0ze%<67@w`9u?p~GYkJQq+SMdd zh9&B$3Z+?dQPT{6<|3c?P<#Co4JJ@){KoyDZgHYr$bW2lRH~7Uc)yRQUBJFJ4?p7> zEZ?@b&QG7aKz$_z-=oq1h5hPFhijdo?n@5r;)M95ga2z-SAB94g7r)U!tFUAz$P`>c=4axVOnL`xE;Q7crV>7M05x4wmmI3Jw%M?(hut4*WMb4fJpHWErM+<7t^N zT^G(`li|KWG6c3*AmYdqN!nul zQm(Fz<^&e5vb6&WC^XX9gzq8{)}Nps!Fgijw+Ph_uW%WW3@0;S%??BEdaHXt(W>gLXjkE*$89f5uRvzRxWYlwZ0FS-tt^Di^?}kr7 z9BIJYUXb?ZLb)FfEXMYF)u)hk>33e8+j3(SV|Wo+`iaENPbbY*r&dG;Pb=;xIb?Vo zW`ZDyWND&K{{tFSaB|6Z!6G`$`>B(J;C;1si5!Co626-&^Sua*dmJ*M(^c>-5c$bQ z^mXr-BA#S~Xd8yb>~&^EGw80P7=U6DRt&G9P&0#Q++x=6gm|Jq=6E=FompLsw771v zEyDWTL0*SKf2G4;X6T(mEKCO0#q?v8-@-j?gWsdY_YQp6s#lht@b4Lf|EoE2${ZFl zfBKP^;|}T(*K?n1be+|BGKk@UJK!N*BsoU9Q$j~{<0&vRPAuIu4+&MR=XVdi*2 zeL77_0D3jLTwQ{mzz)HpuPub=>ikgrH+~zix)L}nf!~v7xtbQ62HzyN*~vE9(JN}m zeDgH0xynB5QOt9GRlYNU7G6O?jdQiX3=2N&ZaL(rmsS7JPMK)arJyxQkSMWCrj>YE z$n3{@64yU=s#Ol)KG>em=L+3U`}iMv$m3q^LtP&Nx+WXGZ`{_qu3OaaP-u_<)YKMTcy5=t2aW9uzI zNk351ud3AbO4VzeA`_dU1U^d9_=AVmaUX-3uokqn>8UTK@kk7`#%&xv%2WztXIsWg zI_=U{SrL*CVkV$WF$d*MKvQ=QD7kBlG~?b|HXy>rZ<^FC5UGBUrr4d2yZ&?fCLi_5 zRb7V_1Wl8qWP1c5_162nXVpW8wVjMF&J^bTlsUBhM@Bu$K5A=L`f3a`HGB!terzh# zM?vyxl>c1~^X=33sPHu`NBI`mj?tWs$Hh^22p2 zXPv9LA)E5IhZR&Ya_5SiL{+sr2l2d}_8%9hbKev}9N*Y!UZM%V+-QqykrCFJaLVYE zKFr4O!mUprtp0UA6hU*o6vl>J?A66?xvG-XM@FTv4I z4O6y^m6OJlh6erBrj;hnkSe;) zuVe3bs_Cu+evZXVmzY^TQm!5GEB%#27 z8-VN|!ea8ngiy9=l%qZ*_cWR?n2$eal{BO}cgSM0bG<$gF@HZ5f|#kR^S1j%M=zbK z?!KcvIMLE$8TyQdcz3B>N%6`<;@Kj3BFphEX;R-shtC^RG3LbDCT}1>yV$G 
zRccGG94BQL$D^}pY@g@I{xk-0ie+YOE@GqUzL&21>4Kx4M$nBW`gO53LPhi3GF$2J z7%IUgGp}p)wJz#|iH?n9ya9tKPRbA5&>}g}!5s&boA6o|2zuCfn--8TH5) z(;CK&Q}Oh#XmWmRExPChXc-5K81_%op=G|DC~fp!wT||3SN@t zGzDFK&MC^rBtqa|I0W>#hZQizN z_FRVn@$ffITYdBG!(R&5zVv1nqXvHza$R!GLSG7%p7d7zqlA6I^TRgtbG_6$e$WFy1vV_rl&uuajM@kE6hvUL93De|!H`>UTfZZfUr za@0>0oh+MK4&)I1qSdJI+YYcyfEKYkbHpk3>G7HCX~&R9KMC_u8_cT&Iw(%2op5&j zi&hP?ej9V6od=!t{I_EA<$OLECQbW(+fL8-V&08Pi3MeOd>ACjIC`|E^Kw1^t<&dS ze{J(k27(5{d%W8OYwY@OGe6h+iLp+S@bIw6mb-*BTt10*4;R_%>MqFnU%ySa5B)7Q z(mw1jDM}YlQe+=Xiy@?egO8!K42KVctZcm3G*mzEuUz`e?Rv<0Z?E13oPk*9yorQ7 zkRtnqnt&dp(SB9%MlAM2k9)su=I6Vz=N|`xreW->VzP~<8MsIFAIdDQV`bTDy|!Ux8hO#mT;GF zoXo^$Gg9}m7WM2cTe*I~#0Tz7@h(~n0a!+$jffN8mdGkg60pdY@$l@ln5-kA6}NR{ z{G!$A`rY=0K0Vf2dw~7nPoCXUkBOrEO~F2kN^m3CBJyp1La`Y&!4Z@}D3!-AM81kC z@@&ufC!|V;=j)@)D=DTbAoCobixC+r#l6fulZOwie@Zx?{N+xTxZe+U{L!EM{By$ zQ4iy(Flx^A)`nZ8u3^drw%BL_)_RSd;TV9e+5LscP=(w|I+48RQ_lO@r0KD!my3F- z!EvaPhpKA3?ddPOG~;*}wG_Jh_q@&-NQYMgdN<~-KT3OMc+9i3|BKXDA6=}^w{qd3 zC2Y=grHI|Y)9DurTcU&JVpH_|iUn_34o=j7C#m+9QAsyCkkTJuWlWv#am_^CEGy0S z)GXRA8Z~Mj&dhLhl(c6W^(Tw0DdF*!CRJQ7dCbI<{9@(fSO(A|DJ~A8^S(4s5o7GF zq3b6eo07_D)soaAkLUyY=um-*^|^;M{Me{x0{fIiTi6~Z#NgG~WHtlcAaMdd!i-ry zNuk)VCxCTL$3XSMO>I0Yv3}d9HG@*-Y%<4VEfvDvX~;d*Ubx7zMo)YQOOTL z*nWba>XY}S{-&O`mun}K1{}5kj%01(8d}G-#78LoK8C+ejV~DPYaf` z`Ds{<`#$V<2n_5b_nC1w1#3bdwvw^ca)8Q9zx_FeMn=nWB|PemT;yVp$mG zJ=aIa{9Mraix4%{$`tppl4|m>kLB}`UmZ*Lsq^~m+_A-WGvSo~vFNoNU-~gbG&sol z$TC3i9daH!yXn=)Wj>E?iSwnAO&*!@0R#s)btrVWq^hByGt2V|32TVz3som7HCr20 z7i&D@k@8X!t)`>_rdD6$(9*OH-HDbi>(o1gqDq1u^urRXvBv1YBti3d<(IEByrq-|cl<8JUyVI?l=h#pL_=^`l z`LJ;9PF|&%XA0)RNWDQrX%TI*QKVmFF82ZCiAgEbt)q1v4+G~g&P@~jwF)PBO-^aR z!4xvbx4|ZUQnXQck|Z!OON*)bUS>b+r#Pt_Lfj0IZ1`jxC|SlS;n(80w1~c_{=+rd z4~kedZu;`;nW|!xcH!(z5C8~(1W*9ivhXu`;TQVCFWd!RunW837uG^;gV?+93&mM~ zVHbYkFZhCApopO^`~_aH3+saOPf)6b?!ebGwV$Rl|6`U(F8G*FsSx$s&*7tgmDh>k z4~+d*;&1XTSLc$+KpOe%)WUj5X+j@ikq?4tKl;KV^stW(Wm{ z3J=4Z2^3=2R7js4N|icQT1il4e;Jz8jR&$y>j^sd$=F{$UNWZN3speUYd7~zb8**Mfv 
z^M!ElhpLXO@FH>psky2GGu{|JO{aYgjD&~k@^91(Klz;UF)W0&ER+4@Hh>|ifu5M2 zgHk^k3vl6uUEt?jJqL{9N*KKboL5Bkqg4-+fWxj$y(tf>F%_0g63cUYA=rUaj=;Sj zRg{0UcD8+(LtQ)w;B$%??rlJT1@fTrcl`U13%e|o*PjZH#gT5vP^^9oM=sMwb8pL| zlk=VA1*s0uV0VHO(w&|vG+Yk@*ZwGV!+Z5?pfIUER5;F2|iXTWXP=oJE& zYq_M-&33e^!6g~3I7nf|6HzJ0>$-#@dS1y$_xfZ0KYCWpr3cI zL&}WqeqHRWQ8;3%M>=3-a%HoVJ~F{xY)LTfZK8gp!Qoz9SJQ55HGg~;fd1NiuL%tN zch*}`e;PLKw&ewu=}9AldC(u>Gn9+{TP>I00F|iow;~Ihv^h4yU?rc6F#$UrkA?KB zn^KnGjbE}^Loxi;jzo_ z5LHw(RpnE!8O+)&P&N#PNx+~yetq<=*dEv)zl#`1J_}?Nc54|A_JPPN2SNPlvcN3G z(lpy+s^h59IDTF7F#el=fKst{tCjK_pb+W!PMYcA8? zm6vjJ(5$MnYDV`zeMwycMEi?OGacl8IYaXeQ{Mo}*2j|PoTo^$aPeV)`U9UBQ+%y$ z5$Ed%bni2x(0NP;qgkKRopLPXBo)??xJka>|HXnkclwlXklGr1zZY`ei}zWAX^k+Ft4E^_UwocH@Midz@pXR(Q4Kh>OY>Qm3`VY|hA$GS zH4DWRYZj(kRJ*U;aX_yQ+fY2o8a9Q)?1LYLd4G4;LC*3Budbvx5nTu{hsz92%E;>@ zdmV@#8Z_7g0TDicFoj{ryPIUve@(2xHyBTaiK*HHlKA-f$imw^ohxD05H~kDz=s+i zN4urooWH5&_3IpTgI=pm=O|*nf(>9IYE~K?p*CH=MIK;OJ~YGJ2xhd0WM2P@gCEvn zy{Yw;l~+&cJWlVtERWA2O(w5)wfrO_b!lq68=gxA{G1Eoi$@rKPv+#LGCRRW?;3>r z1bZ3d&k>>GoDa&}x$jF3_T-&gbZSFM=}aA_B5fm;eu9JY(r`gI=O0tpAFh{gvpQ98 z66(2WSa~Ce& zC$ZnpHy^^G7Gw<0buAT7IeEhm#p-eI`))YW&?^KTd6LMp1<0f zR`#R?o1L^DiU7B8$dXaiVXw7C%o__bussc3+C0Uw{+4epcf9F#tWE!U8VqxuYsUe6 zY3XKs$wX}EMtg3b!SJH(oGm=f5yhlbB=_z4|4p+!)A6ZZAzd)EcoHtQo{zbpoEFEZ z*Imp0XY81@;KsesDOtI`zt-vVKEI~<(;Oa&L?4^^x!&*Ad9yC~s)Wg1?92?v>2}zo zyS(rLPT0?Q0?FanXgn#9$09!92>a&1tF-qod^V8kaR}GpclzUeLi%D`iHDb)@@&1y z3GVUaKKCX#T)VM8S4cHUZuDk7V~tGs-C!dL(`W3 zcGxR8*^hAE?Oq1dA0akopYn3Tcf=-MX1bV9WU75kGwIIeq-^k(bu{7&iy_+h&U>#0 z*Fc>0dwmPAMjQA0uuqG2x*>9KD)4tmq?>U;F3`me>L#4$r<}y1`4Ap30|C+H z2~Sx5bhC?@%$z5FfuGMY1fKXHju>TB#us`>$sq^8|CT z&C3L>n@lD7*gl}nNvq_x3?v*)A~OT^ujV`UD8`e&#A_-Qszf?(1@vO~-p8QM&dUR2 zJO3{L6JBe`vjiGPkbs5bA*|0NDH)T9SANN|iuD(Jo1UZ{2~f)Z8nTNSdyT_T(9uh} zQT&5Ri@j)~HS9@HjC+oV(pQg`Z#L=ej7w`aVwb8_^E0d@U#a{aW&j93954 z7Qqh2JaL;Ok%rQRx*`T1afeI+=BI!PW7Dui*H`PjS^6QJudL#1O5B78e4f6KUYqpO zL}3mGOr!wnm^>jjAgn@p*>g&Xp#R<sgv4R~00s{gE0<)Ugf$XyH21B7j;EG9izN201mylqaxW{y0NjDci 
zP2CcY(<#XTQ=@gIFVtaRXO;FzaOk=ucD$yVhXI?oX4V-2M->=B+u(6t% z!9#233xg_YQWo2k4CQz8VyO#$BiZKv(o!~z(O|CJ6mQV>%=9~A_-L+Bjm{l724hx} zkx3Xn&TXD`a?kxa(IXK3$(nA*3mxhNx2(B-m|CwxbafOyyKs?Ztjk=<@!2&`F00&r z(r{E-2zwlIo_07;b~mxW_BQU@tm-B7gP(m3b@aIU7#-b5E0kRX;@u0=)3vBz+OD1@ zq)VB;MG9ZnVs+O%X(o&CpHLl3y6IO?z~KKh<)D--T4!-Yshl9jZmgLp2c=}uI+v~$ zFEs&!e^U-hZAfjXbg}5p8HjQyTHWHD*12?hmF}dCC3q-W-I`TzDMR;9s38G^|I?I% zQX5hmGB;Oz?9aT&5iTQ{#}%)>)E+%nT;!Si;b#UU=OTMoVV=IuY2nq_mk`10O57`! z3{ra%A&hcWnLL?gGi96>U zdcbL3@d>Wo4%@C|*+GZa@Go1#phjE#fO6V_Rk%)ug=^hVe?;TVR9SiD^W`(wO2m?J zx0POj@mE;ah+aiH)nKteN+SMy1tH zK?P?@c_~Vx7^^zL)i{O6vf(my$1E;&yKJIg<*&c@_TGyTV z8#wl+RpNrFnXnU2WkjaOB};EZ5}+;jHJnKK>f6odVL)%Mma|6ziPDc?!hD8ydlBB* zhrpU1gc@x`dk;384$1LknMM`cFWthv1KE_}t_-*AdK%%Ou?)*Rm9)o@ug9PWkAC?J zM%!0_ww?kaM7u`gp8TA^QAmrN5hmC2w1E+5IF5FCbu16{*&ryK#du`B1YpKTFofsF zuH-`@-u1`c0reG!8qjo1%mP7#X3Kx4$|GQI`~hMbgYL{5TQrnPiI$PfFc4z2@Et z3FU#STb&bH)i*H(Fj!r0;t)M4n#uls%!4hDL^ssLI*rN4cL+cz#N zm0PXG!E7ua%4;5xtjPmS{}l6}z_nVs!Ev-M_wMfmjzU`GjIgJXtN)}8(R)HV`A*ni z{j8ING#gIzoRqpv)>0^4gY=q^wpppIg*NH>L5h*70s2gC+N}<8YFM;>Fku>?*-|qp zl$3_l&Z=Qsk4cM`Lej;qWmud|`b#<*COH=>qCwtPuF|_#A6{zJE{~6$q4Ab{w;VUo zu3WkwdMP{5S7HWNvv0UmnhDt8hq|R^qujn_(dNV1XkJ;}m>jW;uJb*yPm5M{N~!0R zOV`81)K5YNSk73iX9OJ8@JO{yzeq-=j(lsSW9(@3iGa9C)PEQtd;R(iNLT(^=>&bQYQ;$FSGpRe`J(&bw*fD34ED z7Kmizvk2)MXA1)fa8$4e?R#z!*Z;MscnZsCh72M3(wjQ-)*K6Zze=t8_FQ4fR&ue* z$@LO(;Ljr$Rf?^`1xevZCZ(-We0E8Oq7l<}Jz<`1nEkU0WZ|k5Ew3tTrXnL<`Ni08 zf@{T2B5S0Yz-FLE#YM=^&Exv4Jfs;EpPNyUOH5;pUixdvt+rLBH#BzQ7*aWtub48C zNchn_7ZVrNt+r{(ztT)Zx)=<0=cbR_NrY11oHhLM6*#&T9r(p8k~UR zndJdG?w5)`zPpd#w*C1)ye=T&|AEFo4{hl0@JE}PnetDjze}!ufd7UQ|2BL)EA!XT z$$rZkx!4bb$JMR>LMY;6{VcS%uezgO!XD-qL6-f~{`?PAYWUf2j<7mpqMrjj#=ilI zcD{L-Ujy!TdwvEi8ISOnVg4=1O`n1kMnruc^OK-#JO2cCjB@@Z2uuF~JJKJH{%xb} z3W13_P)DhG$*j*nd~(;A%6onVP~)Hd55&qlzW_SGPrxSjyRKw&**Us) zcjimE$f?Y!^R_XGx2OcDb<9tbM+>qnIE2Uu01yv!GZ4T4000P+#2}&=01^lSFpdEb z1OW(81^_Y$z%Y*CcmNOR+qolGEpzZG;k!YIR~8W7J!@D?`m_}eIB+Z&XNkZ_bN~zA_Z$Is3`!LsjpmRKbxwp}-OSOmz!xr`F!dmfo?UL@} 
ziIAhGo&4dhzC9Z1{?Sb7C)-;>-Y8ujRgQWXF8wtgO11W>mqGUx^JCtiPgz(7!B^4G zwI=BHKrTJRgOO(@wGu^lPr$I~zhz&vyYQF}h|EpBGW7lISFzEHW`(}@8uWi}xlM;= zHE(v~{%EMXd`-gNDbPmQ1%A-nd|ok4k*qLv2zh@8P);*W8(^x!eaD zHwwWw-aQir2d4&NK~`1Lny952DVkV%1dTW>8;7nlzTfF^9pe4fc4}WlHvVI6@T+mX z!>R0XdCQJtkj2c*|5Vja*FZkNk)KL4^LwaEjgTi{Q9lhigAM!5*LV!>nlt|~9RnEGoWB*h@ zM{K7C75w5~FwTTS>p!hhEgs^T7soWH#h<+{J;%6ubh(bia8VU~YnwSwQfxrj3g^fW zJuxlCA;UNfq?FIbp}*HGC2wE`9Ut#}(M@-4FOH1e!%`kAwV;z>B#!0_6zlwV#o8J)o0AvLj zrG22mU;I|Ch}v(Oq2DlVt^tnFWEjoUpY2p;s%^QS`QN*F zK+HfuDKA;)-Nv0+gbtrFh*OU%IM;Hl4cmYA8U(*4u^O~0Jxyny`nlfQk~=O^f246( zqE#C%++TPm&o*4BYGVBM0IEjrk5{qc^D%b`#gxC0A-{av+ zYxIMg{H5oh$-@#aW_9&lix58V7_K+aG0IQj-8t@}A46Qd$+qs>fgXoZ+Yp%D*?|jm z1|JoOdN}U{97hj($HCLJc>)oa2ws!EMMautLk^#<{c=sN&jsF1K|G4EfNeg=vl7vm zZ{!63@dkJd`@z#CK5@z?arQrYM23JNlm{G9Z=qH?;=7c7)D_S-6x;T(pA+gScFj?T zcg6DvmWv4OrwZa{v+zF=I)~Pe1k9b%`KX(GG(5Z$U$|p0uY-#XxchlbLCK$zC3wjJ zR>yul{3oe9_b@uQo5g%E%+%KNJdFACV<`@&uF>*)nQFOvs-mw%?&f*_x4I#6CR&s7U_*ZG$XYPy`u@e& zFS>tTTTX~zhfw!O(TR-1PS@JE?y+Mo1Nu%>nFj^cL2WBs>9^4!au3%S{CiTnW9tVn zA9eyKm+r-GKJA*jS05UAy8x`ufTz*o`6qAsBMnA!`)5>KP)5qo9KeG~=%S(isLcy0 zf_+vWR|8u8$U(L`TYr#;}9 zx_g|p4#I2h44y?8*oc$4P#5!Mqzt7Eyg!Bf$1+yS30w{6S+p_RF$^s}a>-{D!dEzJ zqlHRuEe{|6W8res;9bFCZc8``@AwRvvK-8n<3ihOucL19;eZWMu-eJ{BG!Hmc z{izS@qw1Hd^scc(Z;6NWimAFvM?dHoMsk5S$yqku11$3SyGS3r0sqBA!q&6_i`HoM zOF8I2cXp@M5+C*8nFx4;_1MMw3+ZhD;2Qn<(pvwIx8@8%C>ABtC+e_V#r4MppF0^% zuxJoGU4k*#nV4ETiszlS5t#a;WPLWXVSoB?9sP}_YxSGN;+wVCZ5;>$M^4EAIE3~n zC*YkBA0qm3=|6@L)G_V^Gd`s@lXj);lsg>DV~h6=U8M}FJRbJL{_t7fy)CK`smyLwp(O*hWct0^t?v68x%QZ{2CJY+)=RG zugk%M(W|a%-^aV!1wCE5lUq$AhEANTTV~i*`9KHy_zpOVZvMhriA0zPihD6iy;2J) z1{ScZA8ti82URwYrgHTU98gq)o^WE>(92yimW$|`qvd&15R8C)@A9xSSTS3BfJ#RB zsSx`m0r z*m~jde)2@4bDXPQ={~uJk3M?TRQq?~LN!dbY=v%xR`1Le_^Jr}0(7|8M_d}EA8se` z7deEBiN2(dPMCx}y)ZoVAna%|kgZg_1~3!5!Qrc2Nx(l^<8gVP4vw7b`pwmUY%07@ zRFs1srP`Qnc4#@Ggq0z5#D|>H=+1MoI_rNZHNn*;Z(tp8{qZ{0@e}!MCr`e8(6Jl= z@=Td3i*OYYHk427Rx6Si`eX&3_X_IR6#wlp{_PL*4r&)i^ZwZawP<$1lOBfZzZShA 
zSFrOie3~A{(t~|*MIRNQ=AoqXVR#d9c_Nn{^1;OOsI83hy@y@;*yQR-uKGc~5qxsB zQFFN!ef;J*RSUF_d@G1!Ve4~X=Hpj~w)QN1!72RG{S8oJDPnYuWU>zfGNON&_g2rV z-~K9OYgFAK;F)W##M?vq$#*ec7`<%!piZdJilZDdU4*^~F*!ovL0)qv|G^ybDENCP zLCtGY;0C}ccu9C1-__}d(LhwdRyzmCXC188zCKQ>vgugb-Wi#bZId3+PH?|i(T^ey zml$*(L89P1Y>4VpTO`*!G%;y>!k!V$4T@7RC5inYqRmneFdsaIO*n#clX**KmOfkN z+iffl>n_xA#D>8U8l;Xxs*Qcy_#`^EguUYq>IlPfn+*D(F`wYIV>C#N1YJK4hC@P- zc+Req8{u{!ZPmnBAO8^e;pdRptY{W98y!4@Zn9is=>)|J!p!7alGIc4{yvS`pIsu z2A`$}5dDH*CtFD~i)W-xo%13#zK#w%>U>o?-CXw`(}pbAj}x?0x>t=~Q%t_9b5Wdr zN0UXBX_&$F9QT9BEn)x%j`@cGWOjPB;COosxzUwRUnkVi(#dpMRlN>gcSk40*7VpG z?xQ-wJ&p)*xK-)gZ2E2DV486_kBVCP0GyIO!pN&nA(kEVlfbm- zf2r1;rheh9$37bBIH<;OCS1z^iaE7GP$0-*C+VaTH3rk8G&GeAQ*mJfTw8buKGy5_ z+1co68%EN9an00Br?$@SP)SLJzpx%hQ-GGodL1^Rq7Vumju-Sv|5pFE)(9blB(k?m z0VV_r1n>iiUcGoc^CeWmh^z}dY+cIE9?C8yXAf!+kdkB?#~!{eFkzy^;rL@7{VX3^ z=bOX#&7+yeH*bI)sB5lhPXBam0DSQlQyn;jk0@2#WaM+sM=+m+J_cDiv5C(;r*cj< zUpPMTzEwI{F{&|1c9Dojyw^uNh)i;_M~cykNg=O`Jnng=+qj*yVLax2w>%QM4GtR6 zLh(=_Zu5_M4iY>x@ooWaOt9n~WFTHjC%^(uTE1Z?m^RPt)V7C&b?ijvLNa!uyD;s- zAP)vo0ho6n96K56z~snIk49MPVZ(>!;hFd5e#Y^T?Is-$f1Fe^fs665>*6C1#d6Rt z9-_hE00xi%K`PEW)II8pqsG?9)0005xziC#A=x9sAeKs_qJk{t<-5mHX(|x&EQa}> z^_CWSiI0e8LW0_3C^@V4;v^YbVp#*VSTl za}N;!Zpghre;@m-xR>`@#^;((DyCR`j(z#q_v0(aJ-NrAfNkOGN?s8;?bH!nbGpQ3 zzFD>lYpWSoEw5H;m?>S1&9ijSSL_99A1S|bLjCawFZ{-!t4|@&b zM>*AF`sH`sMwVC1WAW|c7Mn&zvm)4c$nt)_ud2o(Ar0u3s5513ZU@nXxwV5@F4Q_u?Lx3Ky)jdf3*Eky$4g57tMnk8|Ek#6 zW`lM=_c(a>(+LamkArh3%Pf@p_{c&tRIdK9@Js?)#lj<}Pb}o}{gY#NIH6J_051%e zws@(DgL(e}u|>Ahii3zw3bIhhNjVlKIZ0+A*+)sEoP&SH1G1UKA`aSlqH-IhgH`)> zAcE9`;@6Le^R5aY5eNgD3t$Y;x>4iq?9bI)BDy)dHFr~BeBHT02gX|pGe6~-xjVBP zXkR$MX7rg_A!P~<(3YA7bSI*un3L2cgN{2WPBq>v&~o(^#m9GLqFvdTFSI+dt*w8+PPPEug{=SsdT<9eC&As46%4_+Q<6gL?kmv=F7BSE zgc}2+?dwfzO^vn;&P>UbW9Z5=Z(q#Dbg|+1GDFK1o+!0a3mThRnHdZv+Kn<7W+(2r z%+MOEQcMfjS5%h_TQh!~umg0#PRAG=W-G{WLS5nSJ4zJNd(3WkO8B-zZemb@cF_KF>uUsw_-72URmv9!yi$lSI5hbFJ zHV`qB+=OD2K()Bc`vG1s&?B@@dO}glakr=C@!(Q02N>f!NexQG5000 
zu*gkE7Mi_e;zzPj%Y|)U0%Y(&1rmreT+SqqKZ{AO-_KC=W3tZ0Gm~#FGBFvZLfvw5 z%58!GR`kwjls2rJF_3$1KNk1m+%xkSf@cgobfDb=*Un_fOnw|^rXF5;^Aef&y1duK zYF;8Ff{3?EbIzp5OK!eeUfOdT16Tu`XngjtsmN#7M_P**DR(P520MS2I+Q10vXFZ zRC4t<51m|zHi%nxa=WTYsNB^qvQt>m0wWPjH#%wl3-eR+uj@yz(1;$E-Vpl`QJp?Y zK1#kvAmE9>6y$SDn4f4pMy_+ujh*8ZVG;(BWSJ)!FTuq$A8xjDsy{FAc* z`G}13&yCgCCQk{51!;pzudB;(+2nK!gvIl%@p-YY$&Zs#nG=b7c7A$L0(uFj^s;Yj z14#Du_=v>Gj1Q8Whx6I^e=hd$2=)=m>mmBZ0g8iZmeaI7v{dW6W!KSHiP9+UI(vb$N!2-@(5W9&(H=c6{u%ix zCC*sMKPDgT{2Tkj29Z!DfvChH+SidqvhST5!=HHKZa$;eGYK#qpo;AupxMuCs$KlD z+2z%SFdI-HR?M-^*ZJ4(B_&>D+v5>YqQjUw_^{L4+^@|Y)ZBb?hb<3CO7@7tO@*4k z+Agf(rbIND=u2fR6x0AS%uR59HEx>IBF*BFJ+zY`0M5}RqLuFL%VQ%7E((h&y1CW#iZq;6^mZ3 zVqDLhx{>5s$f6X{i$x$Nati4w&(+Np?i3G=l*g3rl!+^k*CSstsH}di zF8>(aB;y~Un@9Wu@>0u8Pd-vI6Ovz&nSxxj^HQYOK=w&Gont01-#Rm;P4L22IwjQ; zkxw^2y{bu9&9pW(FU!1Sdzp5UhT2>5kxnh^eB81npMP$9XR3&2&n2&b_H3)YMD;}b zF4~jryS6783K|_Y2${s>kB^o9M8DlnS4XecxH>lZ$f%A|zD4$xUcvmBA?LQ>6h0<#G! zG=zVuiM5`e@vNFC;u48o%WMM8sUTYg20U03*1P6wX7}rR#4`+?yeCj=e`WrIvOqKU zo&EfCWwtSp%SSpYR_7SF$3Q0_Y!Ukd6&EZA5~zC{Rfb<+91j6JqKj&F6mnI~)aSh# z*)hqI0K&v#+5h^F_+#~FR%}znGJ7{!OM#P3)K+)v>*EHfBmMzR%Fic1zkU+IfP7PX zTqldvv(d*v+vBn4pg-=X*os=Up4Hxz(<-}z_SEwlRSMV_&Nx5C?3;9KuH7`NW|fz6 zXHi~`y-f0Q$k?ThL+W|u540zk|7*>W1Tw2)lse9O(m)9NN2?_b;Mh0XvwuxxJnwSB$Xwb`~ngdh3oOld@#Su zpYn?3FZBDl4i_p!HgQT7#a;!u8aln9)+JlHPQkX4F|b!E&3gs5{&))=1h6uOzdCDZ zfmnQV8NMG9I6c;Zh~JB;a!D<@lo0v2jB`p!*? 
z!ZCk=!mNDO4&6$_auP2davY0`=-1{6Q$Qi^@5Pi+3I$y5BG8iE2RCc5T+ zS2|i`YbaBa!p#KN{z>=YQb}f&l|+BTOhIrp*3}=WBc%W9 z7gJxy1ko*Phd0cHp@d81E0%y4j&Z8rMMoA3y~_DOUf1|uuW5eW>z5Db6c2^7c*E%y zACm9K@A7@~(R|lz7qDo2fPodcLODI+I^@g9b(OpeXJtvDWX`#ls`ac6j;Gst8nuZTvma@u^M$iLhe>$9wBHOQPDA#nCi&GqL&L>ovnRso5G8pbLP$)JKO zg=JzDeT1vEgm#YC&iBfCSq0xX2VOmIz#HgLRu?JxTMLAm`CkiUgE);K#1v8wxK+rj zA6H1PWK8{>7P7aC1?xCfRg+i!a21u0K;kO4i(urcGZ&%9Rc{xe##MJN;)<&PU4#)= zB|23hS4ldR8(VFi%8ISNPG!WD90HI-+;NCEgP=1AH(SB&q^UAneYuAhaM7J)roY*EG98TMpa|0 zNhE5ReFE0b#W1}xMB}KiJBe}BlsDxNmT?rv22E*FuG|gz| zb&Snc2%$s@LvX5ctCkApYKF$t2`3p$;zo@f>W$sPQyNEA`OuHuv}W@h<#iOMC>A5x zeYA*P!f@#tQ?yelUa>EosTc$N1XpbXK`suSISBWlmmwKA$iO%vFyT2k_nw=Bihcs} z`NhFCFLQA4%S#~++MTpxA(XvABzrYu;gF|&WT6t^&e`CkZxVZgEFBwz6R+G35y5GP zS(pNWgwM@;#YT)P7rx+7<&I@4n-uI5S?3Bd3r~Pe;#5I9!+94~z{GI5m`P}6VArkk zHLE&4#UyfogYG$8`w;CzDId0780SMc5AOLBlmqcT#B-pLKV3N!4)qDle~hktc0NS& zbL*}u8`UQtAG>ih`$x@NANt4~+JXbAgX!pRG;k9oe!rnWJc!esqmhTfg z3DOR{W_D`9jVEYCqOn!X0M&*=YiN&jPKOK|ATE}-i;NNIK_)3Ce+0n%RkxZz_kZS0 z3aVPbd)N{v7x~cxVCIA}+!etCEkm6S&ETL!tthOavrwSHl$vOZ=6kb7=uY;_lt|Zi zz;`Ay!;TxKhqi$xuQKyJEkVkypnQZ_V)QUEaD{V?QgE$Jl%lFh^yg1^+r&m|_)I`9 z`DQ7)!< zgALoP7#H@#^di|e2TfAxVu0~gF|qkr_jjhhn>p;On%|k1D8D%St8CRqC^HY`e>Saw z4;F$}2l+rZu1+?7K%HaB;#Q`F@ouSV849U>fIV_E$L0MBaOm;_0BdW)`4=hC!DReWm+o zsLd3rd(U*LX-__T3TDq?jaBThkEEJbz5d355({Xz4Vh%rYb5z=PP95q@)lZCxQ<|IGsJU1EKG{^GQ>eeVs5 zyQ&k2iV%OMO`bvpPC+vC!Dz=8x#R~)U0T_rCF@qioI6OP1B$2R;hd_}F@(ztC!V$v zskiLC*1vdOp_-gO)UW8wC$D<$vCz%#&IZX?)}6q~6LSMgy{gzrKyAK3$dE$>wx;OR z_B);n6DQ>=g;d(enGtgN>@=o9q5HEO$y==*>8KdI;#TjE*HSd6`vvb$ zxNRkjNgT$`CtbWFZY(Z-vS^mEm=7;akbxV%H_W9FT&@W5r(S~C54*#N6*MNGK!C`r z&C*um;a0Bjl6}BoEKH?3N#EY9EC*W|kI}RKnFLnI-+TQRvj)*fk;W%3I!V3BIj zP|*+D%((ZCKJ%3ceTcMZ7cnr|NDOS@igSAvHTpWQ=_PL|n8z+d zf^L|6o}*ElTLgnK; zAyfmm3Ub0A5m+UB&C{fX?O3c>xKcv>ht|p5Z+Q>F1hL!76S!-1$VMzcvag0QdfTFr z{Izrj$OSvl+QoxEjpFA*akp+}(D-0|U{)5KZ%^(n^tiMN4!s zsKue(%ZuR3BwrRS>Hr1oAZ+w+VPvmZ)Pr=#*yYgJ`buO^XCHqli7AgA^&v<-a)8d{ 
zdT?qT0x$XFV?FP=eK?R+4IH~YZPCE@rg_@Upt>ssS!r|omAu9&n)8|rf1ws7z`2yd zeyrs5p9*)-811C+u#bE@_qh7tGA@e?@hRgd+zJt}pjTrjjp!+F=mloJhWj2FoTTU& zc4>qks0-5J$wl@K1#9=XvGl{qU;VB2j{-cx+uSv!~iD09#mU;6X$ z?pZSos7CXJ*Sjvi`$}Moy4<=$X=SwOGIuHhIi&4eemw7X^H%=$McwB8poZ{?n z{@<+z?o|xs$rgC$dhHrmZ`SGJ;GOd;n5G6iIRMI7loCW>UQRl9Qw3Hy_}ps$qwb4d z=fvV-Hge=VUl>{ahvSNd5FY6UOpv@30FIuC7-kt*bXSiT-hjl#Bx;QiqSi0;Yeu`Y^v`lgFtN6#8%>f+LWRb8a=BGyl=CT9I^nkc4;UpK)plu**(f0xxWf7wm+ft1q&#@n)3B#e^g2Cr zG_BDw&59j;lBa)n{gX3mpWA)Qc9Kf`keZcN7L;lnVVGF#Ph7zc<%;g`t5V` zuJO%{${s4|;nkDCJjtntUq_7`nU6qob z8rSt*Hko#Mi#~Qy>h-kGpQTf=PT!s`&&4eB%k>X^-@J&Of{|IRu^i#;8+GgyFFKk0 zb$t@~|Gb+@9inoZLC1S-5;>+*yUFI!nCdnfZ^6lTP|&8mO?J!Vt&wKE-iAGx*TEz} zx@MPO=hQtC=d!u_SIxftQ@ZWCnb&Q=gko{h{WR71wUbTw6Hq&udsnM1gb9Tx6g z(XK87KfM0Qb^j;TXb~cxvQem?YZ`TWu4`248A<;L9Xq|qaNvXb+~T1=-|5HcFQ3=+ zt@>}jd=S_mFoQ&|_=vudMrcDU!QJ_O`40y~CCsq1$FYTMK${wk`!B80wrlr7!lBlE zIZiOuh(q5o)ap+L`2FY9KC*LdK#k7v487sP^*5^TmIA|O6_{D?85q(68SNR2fQfFP zkqzD^1-F8kr%kz=Xw0WJsh;cFtW7ET4O{&#ze9zHstcD|ICfxN3%?Gu(?UN_r6Utg*9Q?+`48I{0GJ*9x#H+SzgGi%Q2Rs{YfFG8t)jTKhp=#$}M{lA`~(Aqv~GG`8a zy&wYb@*w^|Q*g(o3QEh@`&A7}nA?ARdAnfT#PFI&b4M5IX`XG6PnbP-lCHU`zuTMD z&>=+NE$*|TR>Cr67^S^K)k=?m<{gogrZh`Oi?|FKijW|g0b155>At{_?B!H9fIu|3 z8HIlLFZhDo4%_>SB(1@iGFjLg?zW;&@R%;u~Vg&X#W3U5gt{mQZi+uXRw2Dh5Q4W z3DDm?^4tM#v12f?h#A_kj}gz3G`Wq2?jBD?tk2PLhhPL=j8XH zMj!4@nqsfsNc(PwT!!J+XzW%TqxX;KnLZMo@$C-0V{sJUl{o83oi1(H+k`xwv!j^Y zyzChE!UVJx;J2@*ol|^UfSUGAkQtj3s5|%+{Cpt!tqPf3bDL>}JTR`&=M;BwY6Uo^ z82R1*Y;c@zkXe-#OniWZ!k7p1QluFM&?-5S908wknw90}0|3Jx6w+7=$)w-qKI zjRFrC`|GS*gU#pJt^rF)#^SNuH_trz3Tct)lyX?PS-Uabsc2vpdRI`=ku6#~AC+@n75g3;-vVo*^62%aTzhEf9xq^(m8zR|J-L3lu615~Sy**9EU#}v~Y;e5Qc9`FQis`4V^UJ{f(bor`^!*SR z6Cx8iNETRN8FPdloUACr;Jh-?2)#Vt@J0+298fn}K4nsHT6UE&yCuakf^MkN z!QbMHWx`C7v~NNR5CT*I5g4oporg;MH3sO=BfLC@FJ`1m?&M_=ga9svFbn{Pf=2NG znYbCkHXt0TFf}{>HKfvq3S{=gUO*ltH>p|yZ}0`r9y|l+Pc&59t^VwTI!d^F$7NNUPIFo z3z~ai{pXF`)^*S`eo6K+$<7!@DNBxHd*x*Jb8cdLuHrUa9U%#a>8Jq00WeszHO(z~ 
zJcm9v%g8?K{?OdxBOIM9Z8V>WQ?l`X^*AH?MFbhN(ZND>JS#n21FS&aBvXfoJW|od(rWrA8 zkd;{xHM$$Rg2I%WJ8(#51RS%1oNoYBa?eBB zROMyxFunUw2BB~fkQ{jzCyg?qJ-SHF7bO5w;$He`78rChe@=>Mm4u+2tF^Y$!SKul z8P_7>Kkcx+_*oex1EO~hk{QswB=9e;86`T&MG(GFI9pg|<{5E#z9oDC8i%01C6dUU z9vUU6II~T@XUTxnmfx%Dng1lc_W+~S_zULw7XSJo@V@&j5WoC4F#SSU{!MuQSfBs_ zWAP*$8vzJzAOZ(=ECYQq1cW#Ri$DgFM+ccs2%uC6r&|iHVhgot47_j+2*ZUA%bE|< zuMpeB5#!Jj>)R9a@f7<992Enk5*7<97ZXGn8(JA7bQ&vw8#9a?JDaH;L%1GG#UE4D zAY0)fW9%Yp{UdV|9VB}xC4)3WCW};HCzEY=D4W0{$SI?ODyx<&v#l((6usdNITJQ^o;3rW%_b`-wIcOCh~CU^uU(|H9d;K;vv0x$1- z0WtIUd;&8203>|_GzAZS1UDHTe>*8QfIk33flE|^M_putOKXHraD0UYQ;3m<30PKB znuiKusu(GVYdG_<%5~!;ch?GSCk{axCQ33s zQ%Y7`Vs2%6hHjFkcf8Pg<^U*x9W#ha)hGauC?x=pPm@!cS)y#KfwYpnp2n`w$lBE8 z;O^-7@dBy#33;i&2`iExoHV9L zuwA-p#DC6=*q7p}?7;Tc0ITQ<^c4CY3@j)iDl0QEMK)DDY(s@gnN6bzz$H+sv@BA> z%~jx7>09&wEnXKFVId)8FE405K5R@(a9LS&Vq$o2Z+wJ=fRmGisHlj*z>L_~km~A` z{r#86kZr_9DyK}B%~<1EY2|BH1IeAF+3GOCqz0(QcPx0dQ^{C zpIoqDz+}^C=WP0L3o>*acrJWGfLDZTh=Ponkgb%yn9!Wzp!%d1GpH{=tWsdGc(jSQ zm%OE~z{kYb$m-1d&;WH1Ml5^u{#!)8jNH`~Wootr8(MB?L7! 
z2u4N?R8$gXW*2;X9FLD7p`j+U$Sd6HG5ilUHz6}UN?b#9bV-MYO_-Qbva(gcz**1F zUF76p^!;WAH*O_08!J0kcXNbzo}_}p&)n(u12_;JDmO$?UT1K5f{>o9y1|S%kJ{Rj z;qRFZIUu1eKdDPwv2%vBlAXM@z{S|(&ie*B*Oo6#;JJ!e>D;aI{~r4#qyYr3J*5K$ zN~Qt`PNxG3R;UOKylW<@2^Gew9?+{Na;z|YtvHCTK$EXXp0H4++1+oVS3(Xgx_nM;Bd0xb;;s-;NySy79g*>I9;ouj>P*#@Fnr@&D}xJ{0a7Ebj}fJx=hqUvTllfs*nF&7-vQ)y3BI z-RJoA=X%%`xTW6LKdDG7YC;>7_LPb2(?!ly=fc8dmPP;9o3m0-KZbs zw;=7tA@$WF3H{|G2C?-d1`q!w1r-THCK`CapeG;5@F*n{9Vsg7f4) zdExyvXrl1fQ+q9v4ZZSX345cmvo7J-N3)~!7P47nx0Qb*-z{#@_dl(H*LxGdfPY-=%vs`kY8#~zQ&+=N2&=^U6?&2y zPgPWsJpW#b%8GeZa%4=Bh_j_?OU!S+B)cxyiB^B2k=MY_LB9oF3V5CIc+u}p-wF>e zxSIG|;iDydeZZ*&zmt~_ECrI{+{|eZPg*LEbtw~7Vy;Jn(KIq5_eeIPPq1bb(bzA* zSSt@B)m4lkvt3SR_=y%v{lX+2uvs6KX%2J}mjk^drd=07pQ$zil6#eyOqFADdVf z)f)9JQTwRw2@Y5YFh)9>9AK^yjG1>Mv-*c)mutz&Z{{HFVxk< z4ni)6ol(m58J1WQ4fUeUy=A21ZUhdFdJF=gG+ExNkuG94$9H9-CZK!yk8QG}x$ z3OO*LXl)R4mi)m~#>Rf0(8MBN0Y@yeo0C9>9sD-BLq=u~zUy@oIEJ?bqN|TO@*=IW zrN@|JEZNHU5|2gw>-oRx`;%6jwvzVnLT(u-ed_ADv~)EX2FYu(@rR~MjUPmA)$pnF zs(jC}I^q#wm?i61*-27-S}M8b`M;`LBhIl(D{-1N_Xx_>@jB7dj$Z-~CodDfGjEsP z95Z*t?cTq;pUY}C;#SYTN@tQ)GXcDN9cG~YIg@aX;X~EZqoqvXSiC+qe_@T@rlL_g zFqK5o;s2>$j!}Z>tmkJeCBmN|>=kL~KBT>}!7H_rY0PtD2S|_{x-$BTw33i1g)I zX$Uv+#Tw_}MSJ~?Oln7%cdK%SLLVu^K=g{|+S1*+=={vk2?+iMtvYHD#(E+duU^C^ zOKc^vUI_b|BR8uu44;*`bUYQWK~Amxj>YcCn7!m()7V4;>V>ecXrnA^m^OlZBP;<4 zdzC@>?u=@NFo<$y%sViPJF&<&Rpd~XQLZt|_EAGD@uJ1O6lH;LK#M6(FGSeoBPjL< z9%gNd z!C^pXEkti%!FEbSeTcz?u#4D|0K%ClpjfAfu4hEGxWc^P!wAF5Fwt1pfZwR*(CzT_ z7{vQP0}7O)<(E4Dki zNxWgdd%}>#q{z6-%Ffr(=hXYx4@lY<-K9>qCpG9nPe>*4TU+{Wd;_zHmJFhz6}7`2 z&)p~K=`j2VNfaO~I7CD_SXe}CY)^ocTC1>LwZLb})^OtPc=`uQ6e>VgY=W4hfUUfV z#l?`-)tTkxqV@Hw1xqCWv=zN2#x>7H*j3?W>UHyl{FMc?rLYdz#TNj^ASfnKEO;`Y zILJZxM<~ZlSW~-8#@6lzOdd8)W_DSPpJTYnZR7BF1WgiwD~QL8I!KpbYQ$;s%gs z;|G?gT5d{U0d)1GYp>{|jgM$^Zlt zaf1OHj-Ub~tF{9O0K(J+GwAXKJN*t*216kS21_eE2nSJ5SqWIi|0D_nU(*X>40H{9 zgAR<651FM9vb+(;(GuL^6Y1|1_WczFR1FpuAQvk$7(7H7O;{RaZyS4q9E_Eps%5pn zR3&iB%X{hRh6h!V$x+)886hVwHa|?9S!PuwrE`F;jheTow7|j6$=m4C^#WGg4;O~R05k(Wgg26v 
zI-{dKt3b;@17EyF7ROG=Sr1rO)iGe=Q)%yYa?;yOd*tm+g!T$fjTkIXmO4&QpImTJ zsD6=Bv7xk6y2LS5!`WO_%t81L1zKP)5+7kWEIDF9MpI)-U~ObmdWU6Pl$2(kXQ*hhX#fCf#>{I7W#;T` zZ3kNqZFLtPZha>&Z-qBNaE(b(afIBcqxAj;Q}_-jC{EhX0~C-daNs}!9nUGr{m;?^ z@)+Pu;=TqzbkCeFlJ!8%DRZ{oMZi32??zMfnv8nw@qMX^lMEqYTZzd7%!=cOZQMud zJ23xTzB2V7ij;~UV4qVf*mJ{yWZkH7!`Hhr)xgGa7Kfs8y7@|`Uv1t-09Ea7KDtQH%o>T-;ZFKa*pPS2b8d0wKK z|Cf=*o+50B={X!O4FEhtOxY%r#-EjRXT(xsCU43Yo^oW*Sd0&Xej#(7q&0-;XC>Vk z;gpcepYnyL9NAMWTqs6vl9#@1BbP(xr6zORnQni&3}r=^+M9KgD3eyZalqEJGnv`` zG`r{JU8TE?^eM9Ut4I2m$reo6|L~+UnVH@_yW`~ywVy4xs`VvJFH0lhkN>BUf4T%r zl-*d?^Vw7FL5e>h;XlZ98#1m96MliT`w+u>$n-Wu@CBs)hivB|!}k!$7l`m1WWA5F zL!7~>!(rQVy5XE+a}K2nhgi+hmgl<3IfOPGYBfhOnzecOrFT7)EsOIE7B=5#@BRJT z--KDxHZXewRB#>|Z(_Lpv{{|=T4%2YWQ)y}6qVKXk0M=}cUWR{+7NMn(0Ch`o;KD3 zXYrVoKkbP{al)dRY*SwRlp`JEYIun@NR6~_nVsf2pbESKNbOWuGbp^1S zb_TW4U!`}usj+y&#?^TV%kcnQdejiidkEb)V0;PXh_HR`99(___alD?`YJSl3IVxE zSAh!)b%TNyp|FD?&ftU!EcoSxHUeD@hCnJchYd?lScq6WN{@{hCs2wsrD6&{hzE0O}*FxbqK1>D#>lnCJf&6VjtmI?7sm-;A}2m`ug znG1QE6qB0=9ax+QB%qxvfSw37t)D%p(4a>6AkLvrNN}Q9zoW^d)1}>}=cn6!J-Mt#Q@XTUVY|F)ymY;OzKFk)z?{LRufn;+!wAIJ>%`2M&d9~o`S`}% z|HtGFVaV(w$@DqO1^hrx%K^J&b<73^kD$#Ay35WI<@V1Q5Mm(!9y?4VW-5I(kU*zP z!dA##+hy}@17mfA6@4Qxg+57*RaKR4ZlGY#Y_xcggv^}4@W{{v(Wuzu{D4s490*+O zC=_V;G$3?D)DVoAq_99taD0fApazfwm;nI0KnlhS)0Eg8m;-Kf0H7TUyVwB4%K!k7 zP746|+5ZpP9RLB400JNq3>|O`pzt6j3;^H;0DvS65FQM09}GaF0-&^^y`siO1kXp@ z0MGyez{$W;GluddQskq17?EDP$8L+egx&prg!vqD+ z2HOYh2=oa8^$HOS9}Ff9Dh@CYI1u9W5kOY<0T6%!5MtnmqL#0^006Lo0FY3p0J8)E zux$b$1Hfls(Ih6@2?DTk4}ef0&~R`d@NY;r0l+#D0RjUA2;>6=4F*dnXcH+SCT?MY zX=o=_Y`Soi$dT5Nzu;idi{Xg!iUW)k zYbA#^iARl^FluOPuwZ++fOW*r*8pe{y2nsv?*%~%6kueKVjne0Vra2QC2s|RVwI(` z@LB=8V9nrQP0&yC?c*i?pjBU|-X#*Fa9yjn72hR-Ym_SqGbcMuSO`KUgk2|S784dA z9Uv$rD3e$QGzS0x0nkzr2tPbO2?~bkBnw1f3=Lb>B|K1g@H_yY0KcHd5WtYRfMDRm zK%lq)F!0Cl(7+(zP`q%v@VXovn;^fy#g<&4l?5nj-~-Tj%a|bi@cxkYumJE-^!gkF zto$SbU;*F=pbo$WAO)}xpkPoi0S-_PzylxxaIg)KFz^hZV3!2Q1Au@Azz=i+GB1EG z5@0dVEkHmp5N$AMP-YU4V{l}I+^DnUt$m|u8^xGJYDPwaat{L(Kp;R80)(Pr6eSW8 
zLWm%57dd-I&mFz$Mbng|Kip{ z(am~qFuqF_ifT}fT>kLt>|hFV8+6&F1`o01q@`? z(z(CCtmcD36C*D1Tsmih>v*HmWmg^DHVn3r3!S)Pnem-&Gd|5jKCH`In@91`4|MG^ zbv{rXwK(ev3>w`B<-0=GxAQxIJgSH7D!!ze{)fvx%-HuySujE5J#JFr`W_OoyU^p!s z-kUNipX1>@lqp{aPADuTv$>QUaNmT0zH@lDmH9um&jwd9}upd zvJQSA(O^3$5F4O)#*UNt4k=u^$6qA3J!_#NL=Ql*lEBqy6#S$=NP|j1AtC8(3VhPC z&5+RNAV|&~G~49!Zvyc#JpVHqK=OY09mE07{}`T^=0L3&1&3|`9)~RbWRaLEdrjwq zIGFPV5;+<-Tx7(M1B}CA=}=cbYp8pY^R;#XR)1=atVCkkC|xujE-bdn!3Ck4pmUIA zi!C{jBU;xBUkin^@=F*x{Kf!}EPxio*$hVG7@JzBbPV$Z`Bllv#5Hnjkl|5`EEBGCr`I9B0o3ycHxFSQYyK^*}nK7+F!__3( z;o7Ahu+0#@CW5WnLl~h7KTacpe-v;OXgpvf>sYvPnh|`Xz@kCpfg)MP;KkF7@PiIm zG)R141j`usc-oQ3mw#022^(hs&5Es8)&y-lvw2&-1^7fzHoOM-pvOpojZOx!n+I-1 zyXJf4MWkzVS=eRT2p?!=C;ZQ(U;KNns-dXp@YyjY{~pjQT5q0a`SagA4&o}{lMso- z#9kKr^Y7C33yQW=fG_?Q;G@5+uBb)8cMQWT43-Nth5=t!?aTh3*vOfw(4tHYvcLV6 z839wWs}_D$NebD0hmz6RTyP$q*3@TrQ7CvqyMb%$l!jhAX1<-{Lnt9_s{EZI08uwE zBL!t{(HTq+B!QZipfXq!Iil;b8N@nCRKkr|6AvXFSkXr{teBPHV(0|0A|4l~^jBMh z%NfYuNVd@pa;000ruIBH zq6&5Xa4Uv6^8K3kEq3e6noF&A_){ur#S61#5J(S|$3iH-M^%??CI z-DIE~;5ERti3^awc2;T!=-6A6)veN4jqT)%nk!*XWA(#;wXsozL_|bHgrq+N4Fnqm zckV!-hPFjLGm|67NEIE0tVxRHmB5j)AXzM|txX6RTH^}_W@Gc}+B!ij*M3;tD&^A& zbLmP2oHPngJf%rnAhnG8^m-ONJ3#CnIj!TkoHw_1MFcC*u#wqnXi%W+*rJ}9RncjB zA_`fP^vKwdAvl6$u`n=HOl(ArFBsUX>&6WQwoVXBtNZm;rQCYjGPjaj#uhEKgj-K( z5~Ox(O9rDpy^d$+0T8=KE{YeGkxnim(jC9TLLwY=;${7)5}1F=tU=opvLJEyB0k8uhJb~1A0QvB7sUJN zy5QWe0=(|55ZgqY947@T;l67@U2uAyuwLYR5{bGGu=!)Mvp_8QZRre*v?$9%zdDxL z*f{Ej*}@xd^_!cAIUo{#-h`Xm7sv8_z{B{Q4&pJ=O=3kExHA^m=vo5fD6aM|inB$k zf_2e)U5t7AP;l_Kc{|IYTN6HZg=`FAwXH!8+`^wu1CTdw!P<*IRiVH*1sz;JOU`if z2gX|+J?zZEqSuCbBYnc5!1=@g?=0{EvH|D9eor6ci_n2d&u`}eV$H3QdlKpg7Q%$m zLhYfBNKJ(9;XJMgug|4hcb*Rp;oaN~bl=C^*Sr&?^Qd~;ms9cZ57zs2SPj?vo5{M# z;3mJ(quV@s4xM(95aT@;`R4pzird_P6$Cpt100o$6(>S+AaLReipCIyy}EBfJmCnK z*A@%&cKxCIw15MC`^_i!BfL$}1}A1)S7K?~e5%fkkCv z4X;$VBd3jRZA%s%!4V)~Pegzqj1eI}3hf|-V~_$e{2X9t1>T9f5rVXEVExyJ1L}{R zA;)EZXiA;~v~+K<1d|zKqQ^ARpv#Gv2>5<8KG|W&^qO562J>ocP<9&rLMA~EdU^9v 
zbR)A{LI#6J=;P~pMQ+Tsy{DI#2vP5o!VmEYa2+%XHl0-WIbT!cw7FE`RJm{eW|Ece zhP}euV9{-6cn#aH+5+xDmaOKc2@^m^bG8k+Ew$)ED#n{cfK3R4zmwbYgZA5T>4L_( z@IV>tI*gV9u`w@QpBMgT{gVBdJ)5@sU_PfBaIWn)2*UwiE3?6{X*DxBZM|Q})cm}B zo#}hlDA8;Y+AvoSSMzz$UM}4n4;GW}Tsx~$gB~|V!?iaAIWioC4KQDzOcsoUOIBYR z7;%OSVFAfCZNvy>4TIUnU*RNvF+rKOe~AA6)Vc{Z{l^S`0h;il&7b*8T8*W2G*18l z1x}o_r&jfnDJmJN*9;{JMnGp7{Y%d{FAX-vS%b|u_>PCsdEf?83_VaE8weZ43Q+w= zUFAH~Nw|;Y?+$Vcc>g|b#Ao*qf8;ayev_IE-FwI-NDn<9|2+~zysryOXw8JN#=CoI zM&Enf$iU72TWnW!zw0E#_j*vpHl+WEz0}^b(FV^t$!qAp$9IwH5%3SgXb~;yuThwA zIgV+0UQN_O1@*kWK z59D8Paeaud+MSCecp|N{OwNgTfNq!f<4S%LbwE2x!*M&WrS_o5Ln>D1rKy#F@^9aH z7gx1*S&s_%CS<uWkOgHq_aui zEJ;(D_$Q@pH-t&(`Gj4l_o;w7%2|)6uueU?cY1FUA44&w`cp`nGYe~x-+BW{HE-dc zcp<(>(n;mC4`nDm{50v>xkEadn1OfH-<$hJ?HS;#7`T(0)_m(1k{{%yICJoi(30`| zaY4K2J(YnusN4Ai(voYF)4{so*G7Y6?_Sm6hp9$AZgP)k;|> zlD!muWuH_2XS{-^WWD(iT%QL zRE!0{{=wJgR}HN4%ZyT??vo6i0mYC5bvjM3+{Cm%t7AnTA60K$8#wS3jUX9F7gFjV z_y^Sk)>^Uj%26y@DX28rE~QA-XaHNpnAoL-LZ zxxM6LMzN=q9}TseIFp+EV=kG2xP0q{R7KpIv%y|8Lp$3QI& zbDpVNZB4hdXZ?Ob)mj~9UBRSWx(Q~*YiYaJ&Mxd1^ViaI0B8P!s$fp8pR|}^TI2v) z4H>j5ehyR#!{89o3?J8|YTQdiKFlJt01XPj)PRNkeUXU-{{T=)3L}q&3(L?;%dpFr zae*wZ)@qRt;U6TKt%kNmm2+lRMMoiPYmy!r3zFHy!obiPUu!V1SJ&1FW5{C*h^5u7 zQqm23Jef(Okn4+gieQu`L24QGS<&lwc7RwRd*tG{oHvuk)f2ZB4I7yq9Og_#?HiSY z2_&u|&L=;e^Oqy6;p!6>D8lT8kX;-&LW{`CPfub9A78rIW0*kwL-FB>SXk&G|DKjw zy?T$+S#e^AO~}}ncanaK!>)t_Wlpy*Aoc6i zG$_(_xo5gR$D<|^cd-cQ8jW-~ne^l2#P;7WZ3lzeG~c|NZ{sEuvT0khdVte(V1|P+ zVbXZ-!)H!}tw-(-9GCNUv%D~IQD-A<2%a)6YToATIfFt9YIiw9G-XRl6CjVeawL$| z^gs7Wf?U;L#3Kg^b;Q)NkW|pNK?W8EEaF47B-#-DL>IA=;3HHlMU@=g@hK9A>Dmt6 z>g>R_%QOTAaicm0)@i-4CI@(vGil^{M2)z(HxSS_Xb!l5esRQjO0S9G{syYN;R3p$ zif?FQiKr08*P=Px$Gd?E-9S{q5aGf;&`i%@!o|Ry(hF;nMV`kKuJJZ98L5oY62478 zIJr>ght&zcUzw@M*hQFTKOJSO*tO~oR}I>MdI&QNy)j+GE3cFm9L1q9XrBhKW)P!d zSe?qK=Bd`f3CC31D4O)lZtG?=n;tx)cK%)l*VR+d5hAwN2_y#x&6+x;$q+WIWw>1UmzQ0oR_U- zyNrc`p`;U-66hcWQuwb36_yczIy5v?rqa|GF^ROtH3?cIDpASU2(}Xz$Rz*3P%xYW z?9`FPTCo??SbTN9`WHK+{o*t@j<<2zSflXZN&4X%7TtgrA8=c27bpu2g`W&~C)8B2 
zk?&Qt;vD7^7esrqy4bae>5%IRO#nZfs|Qny1Yc&U5g7_?D)CGqa8d<|c4(aQa$eP} z!n#!*cGZ~v6FQQ=Lh(8jzIP@Dq#VRAttw5>U9V27vRY(~Yzt^sDaB zkIxJbcjM}4Gpq1o?B_}y0N2p%yDa1eTD-mdsB>_ymZZk=I;@z-n@Nk_ih7bvKcxAx z@yD2X1a5w5`{oO-b+|a>78CFNkpP&`_bzAGQ;k@zx4rz`-n+t-#p`SO2ri<#m+%BB zAAtuuOu3q&HIzF{*>@NX<&2|-6L!q(k#I|DauXgupEs?YZm_OWdWuWuW!nFEnm?$zKn`{IWY<)4G~Q|9-e& z_*&*4X6NnUWXo@6<1@VjJ$KRYH2KwR4=|lAMuRa=M`i;K%G~jwulnyA-j@HdTW_QP zy5V3|Z}Puw{6UAKliWC5PX3>>AHx{Z>2>s9&OylkbVEYeeR#w59H+JJwX?(3K6h;M z`LQ{T_fmN$=h1Qgf>q(!dawvtuG{T-wAXZOzk}!e?9X6Te|Qo)7{flCz3E=M$odx> zyXXe=yv6B;V6j@C;JQj=b~RmBPl4}nZTvrng40Q{_v?&R@PC2HFh(!d)hqgAuqvMp*uOwaIl~tBsauHJ#15lEAz_WJAY(oW6o!oj) zo=at`k|sAvSc~M3m_~ST`Rgg@BP-pUFY4eZK6h3PE^2) zAlHZk+eVLj01wPnb+scc?1HeTVm1)L6>=iW%tOc5*f<9s(Fq8G5kkO zpdYokg}U;DB^E6#+jeUO3VeWgaScPv!elt+fG`2BpcWO-1g4*)_A@Zi)m8ihquiiw zge66zCd95tD1H&wW`uWQb7d|+Com&CeUaJLw_DEy_R~p#D?x$-I+ALr1PPwq0Rx&M zqo8w470qZM52Pjl0024#000IR2P`v#K!5?@kN^Mz01$$NqX;sPQDBUL9C=#+8Fg&1 zc%WApKy(_8I;Kha2Zz9BZU|t{Wm`PW*POXir#~L z*G$p5^B;DO&bih0diGGKqoh0@?Qc?PG!J$Z6@h~xDF}`(a-#ExM>4-KqepNPTk21k zydQerz$Xgury(7WS(}t`VNdtMOzF#wHPN5|KrMn{YChq@o9UD=Ou=S#S=`9)?_$}2 zuF@)XprYJLtI+{O?U1&p@`wpnf#$v(-Cz;)80782drJU`p4L9C24*%t+~Uw=VCbY` zfn*497!;+9G{HuiU9e~btA$#X;=GzS*cIMII^s?_7($iGoD=dr+#X*XB|JucZ4raQ zQz>B$-6%8>Ntm|{?+AkJi0bziIyP|5Z1BSdIClF^hQcp*n;$TJwmJ+&kR$t&ys17u zqz4!W1T-4p>>4m;khBAWq9Za6xWABtlozWkOGN`-8ZN=y`5CY_?a>+AGVWT5#CwHN zsiBQ%_&B(U&T3TI=##2P4y-zUWg$f!+n{ldhMjBi=mDs4d+UwpJ2X^S`st|Gf=97*>C=B0i?<lk#{~PNq&5lW7G%b^od)Mb3m&yMPCC((WQ}aLO0ebV zM|r3S!c1x>T=F$G>!W6?+XvO^S7y7shMQC!6Z9I4IK=HZ+OqWO#yWvBLp={6@s{z`7In&&T8LSX^U!!1?;#1P%srl?xr{ zXM@Ml5?EdoixVy#1}DbYfcy+597IW(caWHQ7n468FYHO8X^=&G4>V^WKQ{qgE~hdf zVX!dz%%57B6dS4Ww>uepBj4fK`pFsDjjC>Rds(M6a1wY}AMdwuF436V-{Nac7{y{g z@%6y34~a0~&!K5-Xl|msI1IyE3>%!9V<)e7&6K(^Bg-A9N$i%Kiwheme|!W%fd**! 
z>OaOjN1(g z!zdl989JQ6o}5k8J%detYWSf;2ON@S8<2v>U*50BK3&Z}T7VEpUNm#4iyC!JUTm z5#Uuw$MmjVf~dd zODxGW(DldBxUc_mHXPhFTT+IZONgnAVl_T6wmlXAz9R7+$HN-Np6 z7=KvvRue9Yh1;s2-t=0U1L95s<7*c>3Ji!Om}j70*G{QjSq^*s#~@#oB3cD57{e@s zJnCLX)+=Z36<&j?d_*J+G3j8`ws8tzj8P47nhZ0v~8^} z4~Mzzo@sd*VjN)_<{LtF8A1U^n>@zd#|f`#4NNU5$8aeOjweryimW9&9eCL_;pHcX zkn@jQJDUq_58=1zy@va1whE2QnGvGMTjIaQkmWXB?Gl5?RV`zZc{LLKXd2n4HPO%i zV!MKzxx&&QC0u4gTdF~A(=NwxWtv{Aj9)hH^+({YKlCu&MS;P$LfUD>?H_f(Zo2Y_ z4bPp)?maAy^pdT8`0b+dO3`&;eWtzhKGw+~E3bmlu)~ouC^>Zctp}~pio0JvQRe*Z zEi?X5a7Ur%c z(;#x17!)eS@({8nWE$)kiW)g%G7VOvc}CRFz`G57&;u@>!5V2r2L1XiV%@*FtP{1k z@g}`|*jXb_s9??|&*K{4p`=6NJ!u(qu4fI&eYCELRwr+f*x2W?Xk{PUn)QeB-C>XC5>j9-Tk>QP0b0j$OBr_vobOenlgnX_!b{Jt8 zt(`c$r=iaEL`PWq#A68%kmwHug~O6bP?@eyS?hU(VtfoFpNosu=84Bo=d}#?NdHaY za3Z2J0HBrd!egis8GetA(lk=N&qP_K9hs=nsXXTehB-D{e{q$3VuZ;#STiGSU1ArR zHOW92UxhluYu80>hiI2*ma{mP)5bt=TLfn&x~ANcTVb^0rj-r8eQ+HnTilDl){?q- z<`Yr83^bw+8PBym#9%Y6Ooi#Zmqy-1v)Q>Q%K8Wfcg)lx@00EoGe_WTt%r((>FL4^ z==2#kexi{>g?hF7h0MQQ&zs2cfN@yozO2CEx%hCeuMx<~M^if#+aAYn4>e<=NwkYH zXM7M_tl8+dNcMwrel!`!guR-LXT-TlMyib=Oc1&B?W4=aWjvtfV2Wqe{BXOVH2ZZFbtmUO?WJ9`;_1Dc-SsCS?>?ql=fpw4)yF0Ed(OA7? 
zS{O7Wq=z!*i^>};NKQXJ?tsJ1H-?-h*lEh~*r<56NMpAYP8D3&k5x|jSTpEAI+&6r zHpYXzH8E=l`tBs(&IpyR!x|1D+vM;^W%`bySpBh7BvV#mWATa4Lo5AQ8EZ`_qh(Vb zbm9PG=TBz}oDRBo)6&jrq)qH)9AucjUj$}+AC+n@o~Zz#znF}dT;MdL@9SZ5%e!;& zCwt2>on%?{48I7B4Q}yKH>8zN#8HvUAhr3(DXQR_G11E{jLA&U2U&!#uLc%;-^Y%F z$t1~?e9Nvm{E%EC}5$KN&64E@wT8h1SKr zf3ILvA=ZgFaCQwOxK3<)MEE^XA^!;5Xwo8RfGYH9e>I+FfCr3N3=bOqUD!PaBBN$v zt_{PgzF7jSb)orHd36D|%s@A<{Z*HRv$34Qy=C>26)h6+S>>ANyQr-<3nRl&wE*AC z^((jL42HTvL z<`F#D7OlFqF6KZMgpCXHEZ!>IWVAjd->&UgOIoFGL934<*seF~jIZ(BD6cg=OtUun zNa$<53IyxveEJNbHz8YwJU$VX247HfAtJ6i4o_7IS92Lb3N0wME5$}1qy-pai zEazlJxD#EyxX(5QD}F^2v0#JET0~6Hn68`%3(ibj+9G1L=o6o+ES9vtcN^{0o^F*f zn!4E3tJX{ud28wF?W>KdA?t6H;ftrO^HC**XST`&Jwt}Ir(A#jE7~?(_W;a(Y-G`)Q*eY83CZdWj6F!fx(xQkw>gTu1k6~g^^i>|#<(Lt*adcI-5cbj8NU_gQQ2%{4vEidIbIX){80Egq zIIt251%60hFG#XZD(*gh$Cdc$=f%A1qur4`KG2CB?JUU&5S%Q|VJ-FgP!p!TnY#32-dr#++f34TE+UU(73JB@b}^3ZSy1#1@UeA$N=7y2zFQbPe)%18;!(qEE_x!{|fMSQK?W8%@&|`GN z6&2ff;09ET)85u^IuzpzI%y8gMMvjhc(yOcmUD%$vhi+;_?17%lKCQ}r@v z1$*BcpwNJ#hUNi2jevmpG^mlMQuP}L*ek}(yF#E(g)zHB`5x~3fw{yr{E`58eA+tA zOcWGYaDWm~^iUiZqe0e9ZXLkzv^gl;F>L!fq+!B2){fPsk!VdM^|)|`eKQsJ4eUmn z?8`8hS&C_pO92N9JXV0oC@L-pm!Fq%h#cek%)yIxlE&@}X3zF@ZFX6_%`>wWwHAev z*3iwwJa%sTc3@yhYz-wtApQo2D1b?eG}txjDqAj1@8^3V*|zOyVH2E zdve9S643EES`v*xn%mytr+4EpT)$`E1T^^it^iTZ(yX!zpQzqpPhIWw`w`C)EP1k} z*>-5|;OzmdT3Jbk*vGrL9=mn7=XQ$pQ4}2fx^op|Jn|;SbAezeoHQ+niPqk?X<27v zlN02n{a;L(QqXt4K!>4o_Hr6b&b32@@RfqRIQ|4{dQ%K|w|2e+jdYDfGv{VVTfWRX%kpchy=A>SO=u$VY&Hj71~MFaVBhMfJx2YGILXl z1!PijP8e?!W-1cf!dxY(p>~X6hwM)2>;7gNMxXDZ271XaQXqsW$ANs$=2B;C*4x!a zD<7+p#j)nt4%0=|;c{;-jhZ7nBo7!MQ6~AB3Gribhc_B+8ryZ}5u{v$B*6*cbRk(HwuO&L zBqpTK;uV77@a}A*%@aCrMoL(a)D#PbnNSd+dThK%FdXN8;c9SmmvB5c&d?m8cRP!O zB?(P)%knVf*cBKpt<@zjj3K1lj3s4)M4|9^*QaD2@t2I{#Ipa=siE7(2d8krVU%RD z5NxXU(RmQVN);7bJ7&NU0tBR#(52sm66$I4)$(CbWDem-LN^JQW*Y6ra0i1B>SN~> zg<(85hS4mcTL}v?D&>OZCkaAmda<}dVI0pbV`zrZyO~AGf{dnJvixMgaR+s5tab@2 z@KGk5d~QZcWqkBQ!uUBdj%Ep`+aV=PNNANMqqKz*pA|?X*Sjk&$IpQm6dK6usQwa8 
z2=~mwV29<2A>}1pKM8CQ6Al+9nZ0H%e&u}Dkv^pOAds#?w5MU1x5mvPwRwjeTNCTFQs0g@nu$za(8O<;lqVdpZ z_$_!EP$lOj1K0{f8FpH!AwxhnPLR=g*+AH~8nP3`L)JF(d?)5jwDgmxJ*azLMzopN z)@PqkCjPM0Js_S;0Z-@md%zjsAem|;B+klV8TjXVw!f15I2+nQ+=uqh42yBejG^jt|`VBH!?GiKQ zVH$@sB#v@f63UtZk+VdZo}tZO~$veSmfrtK!6bzfbO}z zE@xq1_wR*V`2()EOJ;%zOvLRb@CM^3>?>GTVc)$RLXoR1I(ZIOpu?KEWvxP`MpNXl zpROePk>(EcpMEuFUT>B=V95 zrHB=#_e`bM%NFl6jm#|l0VIVyKKcMCP}5RC*>s=1fSClk`R#$zoOM2~hmlL9&-ick zgI(ze^us~Nm<9aE?yBiq;3>Cj`nYgIIXBFE)_@!Hw&}C3l~2b6xNrL4hApz^L4g)Y zl8C1@KvKY?9e|$SX+vo-69blyi2={cOo8$-Lktk4pUGqo(5HX!{HT3gSO0q$`h^Vw z?jD>k)0`tWu7L4H}$hOk_V)KGj*mJ4Qj(3Rv@dw>j!h?>mVLm zjtREy2;2JRQzQ>+&Q@|Ct^2*82O!#Myn0NDJ_;BtIqM(X99ZJLy{$ve3s(_1vH0?@ z_3N8@q{bH!n2;=d5ypmWq1XU5z?6|nprWnem_}W}#283`6c;}fq%`0G1C{7PM+T6g zO&CAKhArXP5IW##GEfsl1ZF|VAR;guz=UL>n*cq)OWV=+>;{QDdpenB zAmJD)W+e!?LXLTm04i1gHz+o23CD(z0St@?6Wz?DLH^f{wFI?TUHu~tYWY2?R5t@_3 zX{&iqW229dNl>l6F+Z3S^BlpVgaubDtk}uJ*)u$MUt~=4qKCa>*nPB}E)GYqx5u*| z+oVQST8DeV#HY z4j*cqfqE~%i6{P9WCV6F<8Rntv%%;C%KZm4wXZFEHByXeS#qj|GUEC}lL^#EhySL_ z<-qGsH~%K%oB~jc>Ul{Wq_Zx~3H8{ZhwT<&HN}v27gFDLW_%9y)3z`g80Mc#eRQ~5 zF6HOGikL4EH}UMAF}g#(Ti|gEd)z_KJ@B~)eeS5|9{AjYUUyjg&;t*B)1XH^!;Un? 
z0n&$AOh@ZLy~Srb%0xhi~ccAqnnVr2bgHuZcG_P z5+@L1YY8s`M*SP{H?qN|Z~=NE6GS~EL;6z^{|1aB-~~3YOW=x)gp9xpvPX5?A0V`U zb%QAZW0Q`=Ug(MLIN>%KY+=|PzDN=_vq?RS0Tu4K+qP}{?RRf-&izrztd;qz zY9(uBW{hvl97yd+Ciossn)z^82YdAbiy?XH537o4!=&YJig~aCmR(;vjLHTc5~lA9 z-rgx}%=5|v^#ELb=g%_}HHtu$lYeCusf)f9HlO~n1%u!-!-uyt zz=dlTrYvts!bWL*PL3~&*8y^Jqa=(*H$%H%9)|zZEdE=58GHN;)(K%Mz$*ti9k$MJ zE>QKN<;Md1L8-onf*~;g;+~r)(2-tE`>6^cKl|GvQ>`U{2rZX%iVQx+auAR-_1UUT zHuZjJG|D)*=GgjmP0ch+omCig-{K&dD}h5(5vfwVFB$)KE$q(_t+1R2fr;|o$sE)W_k3J_L` z6X+=6?iYnOpJm2go*YW%&LfF_x(Dd_h^+P9q_)`&pz%FTmrHO-mUUYF<49*anQ7yM zjCa?_-}0S>JY&OOqib9+)e4|i&Sa-^G!&<~nOM)nB|R52<;t7-M^-`duYytvKt&~7 zf4JsRtWAw$b9C#1+57@M&m?<6Rk-d_?DvY`68K&GKQ1$EI&0B9ZxC}(etV(vD_|fb z0#K=dAOg~4xIY4*sEC3jQiKSJq>=^jj;>$526=`=uX&H3=ZhTTY7~HDXj2{Q+;;te z@q}*m^|)C8wSvsEl{J{H?4oa-R3xSCIW5E3w-g7F7x6J@(3q&zQM=A(d+5!sqI2yr z{hlGJC7Qv$r0b>0%`GLWkTcR3f5=rM%40rD&N(}x-HreP>3T3{g^(YinT-?QY+Rab zJ>0fZwku})K>uoAOBV-4lL?K172X~10H1gCsxqz@1drMtBST|#DhX6)Lwi4IsXh4^ z996=U_7u8Jzacyah+FoJ7m>tQk0QN9j6Gs+z+|h-WXlN~$0}Q(GI)ikk(9vg^FIqF z{Zp>~*?WL+{XwzY+)W98g2zkgm*?untpqQKha_+k`Vx1ld2-;f{WhGOD$U;>E^Z#2 z{#MhpD{ujsjCpANniWlugT0n2Qp_ZXn`JBYVRW=+8M2qYMevOadJ-R=Dy)Od9lCI+h2>`LSgJ#EHi-T<-M< zgQg8$k@{No-hjasZq+-@U;%9W`SvbH_dgOxBnqc^@H=9fZj)b>XZ7m7H~^;`xP##d zb#mA+r5t~sYo)>kyRh9Ha2MY6b`HZKav>nm4$!vrH&#;mvBvQVs;(Q-lFTO?GT;Z- z!X}cgnm5`@!9QbipK+1vo6Z>o2Nd>dJB;+-JDLXSD#|Jg^h8dtyMh@&QBWui))sS- z2H?MJWBbjW4e?bID89^l>Q~fjCN8*14^F3!`?@-BnSXAma!}%`hUwK3PaO_+jg?tjEEJZ5S^Gwp=cTh+zXZWU?D`?F z@ba-`6__`Y#xA9I&K`k%bD3XGY8GPoBmTabg~2)l3uJICBr$&V_3tO(4@F>knvGuq zmm4i*5hAjx1=Um0ny@HG!`SK=zo*+2;#E9EWf{2=aNw81BUv2(O3zWXzGQl`>v^p&K%1!CpUH8nJz;OLjg zGa*ajC`|3P+S?L={PkkFYG&Lfh}p%;qFpd0laQ2tTzM|i?*fB+6KAV2^HF(g2M0WtC?fB^{% z5P(4l4)|y53I_~iK!CwC65s`owmqUhl0Ipctc2`JEv5%y&DAiSAm=%CyPSM2<}WN?6yMS494rv4Ee4ve1=hiSp%vDQ4rpO#|;L59HQ60F|^Uz zl(FQL6x7QsB)XlCM%JczoA`4K#A`yULjAo?h)8~AE{FkU5yoo6T_*{^!c1ED^z$IY za*U@1@JQ|tsDb$}5fs9I-aXO2p9gd<4NEIGp!T6k8u%`oSsWnE2Sn`syP2qa%OY9n 
zPP;$`1IXQUWzH!h(b++;48k6c6qaDfq}kf!r?x#ZI$#buDu^iL&lE#uI&8`jks&dJ zU|X-smgxn59unC<&4q_1=mC@5~-AUT=c&4 z9~ta(W10l=*czz~BD2J(VVR&STx)>0LuH6r4cx(Z;B@h6D+II&f(5FNW|-1MxN-5LT%lmOGv)LJhD~3h6+oR8uctY^e7`Vu93{0 z8lf`War|V-{MCQp_2p`uBSK@KhNS+KZ!f)qS*}f) zv3D%8X~qV`2-$^xKaqFADH6^Om&jdtRQ{Dm8Om|}faZ;8lNF*x4)gvJDc#AGn4VPj z!xwY8G}3}Yua?cVIaUCW5iyLa_eF(;F>d!NUa3gX^1o_6%_bDfSt@y%-Wb-%e47KP z@@E7Qa^OokY_=z2yy8xIN<=QzHpI3sSQOM|ZWdJTLMRg~gu;5M5L!UOWuYcKMoL;C zPDPiS7dS>*r{o8feeR^Rpq7|r&B?DTwdIBgcFeaat!wO3>=On*?|fWn;m`d9KF8qh zkN-YC|LbhKJ*$*i+UYx4*b(y5mT4Xdw278@)*u^F+Nq|+4x)&*K`d8!#!Kh|U=R%? zk6#h1fHI+l!cysqYD*&fLbWI16Y>IeX)-!#x{wnU#9{SNxvzhpxP z-UHmL4!bg4`sdwtve^6u{aN~hw9b4ZNMjKwsGvPC@E$x65{ZhioFbG0kq{9<7~kGa+BIfO=NUa*{%RmljV-)Cqky(O zIl$xd-CZBT-QPd*0pq)?T>EOM!EeYggv1N78LI4Ebp+_K{JhRisdDN zcb7d{P!6L386_IIRxNa@!k3sCLw_DWS(JIdawzxHv8z*T6dl2XxaGL<2Oy)C#6XOQ zHauu{bk(buhj9fcO#1!G+Wa2KZZWiIf7(cHhVWg3;pMTuA@|PHc^3cQKwGSV`?0Vh zQ_#&r*bo7AL))HQVQ~2>Z+$Cbgb}T~mbC6WZ_=D_ltz;R8bpu)^9s4*HG)!V&>u-x z!}1*``j-T?iHgn-$?7#%IgZhKFVl`(a}io+A0@_7p<&S>#>uCFpAek^ZTY7D2p)W8&Gn9YYF?j1}C7Jmv*c7` zaL;g<#4EM9gl|p}!Bso6nV$dB1kL!UV|tg*mD)W@@_F z6;|CTzfE9Jh8D@l5^O9{jbiYqUsUX>giTW9KKZ?-Idt>*N$?;j5K@)JzDK@^&_m&c zl2^6@du3Ap_6LP-*)mHQE!}ep@JNBYif`@jcPF^Q@Z!LD{M6j{I%O%!DJzeoB4(o> zDQ$gHO z(x;QjF0lA_^BA1At22R5Q`pQet>4iy|L0ZDdH0o8Oh)?kdYev6WCY`J8P1_sBpHn= zcr-J4$A0j1dp|aP))mmh34NO}sx@aXBf8VcLCkGGBAs=wXzYEz1Dzh4ZM1l-T>vtj zt+P0e17O6=3qmkD?dW(XGC_C^@`cyJ$toyWjpSMjWqjP#3?34*dNiT zuF4$}#xIRp>V|~Pueapjn`GnBBay~x|Lg>9wxclVAK7;Pjn`lzGcp@`2OQQ~99-u{ zENKQUC#WEKNQS5)hz%&?;~T?QGHv`3PZMztyf92`5<1^jH}Z>>bLV*hv%^X18M4%~ z83eNodzr3NKN@VbSc%j|^*GOuFh<_<=agp=(i~3O8I_Vnv zr2XVE7i>e9L?;cmJXmLLYE030JAL!5JwY&R+Zsp?)o z0od6mrT`WI#sFrCA-jM^31N(*jDnCvFvfKZ8l*7tgWlyy38Xptgp<@VoPj$NKKfdv zX$R-%fLia8@Ou!O||+B$BH1&98fW%f?Frj6XRL5=Ok4KaD=XKH$W#`#0j*h zz!hA6@Dh-T_C#6w0Z1}DfMpekm>lxNHk%287pJprp$sZUA*Mb-N->>j)jf@eP17Fa z#$_nra!IPVdc~W}^y1A(A9Ew=gbNG8eFO&P*^n55DwQmtP`3q0bhuY+O^cs*(7BvD 
z^fp)f+yQAPd(&c8Ugz>5{lMZGF#xE#^AUk48DIg*>`{EfnrPm{7%WIH`+-8PKX4G5 zZNTZI06QFMB=Y!y=x{3-23M)dg`tz{Zo@G|rXzD+FL1K8fZUWv)6Gj! zDG7YJSSE%3nF)#CS_ZE~tXzS@z?*Nvlfd0DCI)kPp_~B3)i|sMpWNd?;LhqN4P21T zz+Z}(z+AQwK{#?$02OB$fa+NA!)T`~Fi)~be63_9DFcK{Q)LLDFA68SC?#eQ)a0;W zjr=cC^L8Xh*8WKqCD!Bti!xSKk^F~&<60mkGO_&CDI__I=|2tvujQ)1Yqzp|sM!NP zgYW@2AQ+-8he{5yOJQFW)8gNVbQP0K4FGw7`L{91n44d{Bb7=T7nUaCW4J_b$Y$yk z=uPAVm6ZT>1+_8xXByxj-mZsDIdN+j2MDb@*?=uCfsQ+WY+TJZGtZ~gzLP3XE>2-= z%-=gzbIefkI352-53O2;IYN%H)|PX8spgWY=zY+C|DP6i+yAtb!D8>arq*dMQ$!YO z3%;%3pvvo6Kv~e|iZaJgtFoOjEg7MqjXM%m)mxi1166R7^ntl-hoECgaOc z7iD*~8v3>R1F>3=FdW8we?V@qf2aMh5_KE2jh_NE|6RlKM>8e`JG?_0wU#H0Lvjam z8p6i@zPr(zEedAlaq3Ig1PaP8cYH8~e~1c2ILj7dEmoWc6oNzuPC_7n2vT4mA^{4- zKtvKv&X5QXM8s+VgdxNg8?EU{+yvoP)Z!1+{dqgS2!_kwFb8Bbdt>4h?8Vw_3ypp&;aEK8G7RitV&qE2WFr=)0y@x3v1jNaG2sleZ|(n9R&6uh=l|v z5^ww%c*JA1e$MU$9|~v&w|As?k*!x~d><#(6kD~EP#d)ZEBcA{iVw}ZXBa3l3>pCC z#>N-|5+}o!4FQ*Eh&+ZhRfiINWxj2mHe()c|h5p41X&2kzSYQKC3VX0LY?GxbRmt7-b zzF*F2K>@@RIN6poRNBYMI%Pk`dtLdVWO<3Nn!kJW1xA-=IEN_bmP`%PW2N?2gtCv# zg5v2{`3G+ty9kbXU~0oXeQOG(*c}IOg{BG&VoMhGlwiaV%`fCUPRi5V@`6?X0{ItS;(F^UfG70gt!V zM*Y_KQQ!-sz3O>E>-=WF+sZ}Yu}onC`~j&(iH~b!69#bC&?wxZO;l%eM>zJpj+_3H z$c%>F9iSfZR~WwN+vjp`mzoa;2pL6tvM=c>DQ^F*d^mr{mGaW zJco#!P3-*S`gS!tXVSbkc4xYs0dnwh>6fVz)_`;^&GC#hdNVjjl4RF}&eVHn_rU%U>XfcA!#98=s%bV+Jj0PvwQr&DIz8j3EY{C}iS@oVj+B9ZInA8@{ zrU5iDCZi(K#Lh6ai(Sl3)chekDd3s8dXQf;;N@@e@@E;#^TCdw@QP_Gu9p2;;ra`> zl#qhm;f}*i!4x?^$oWcSL7v=4g2&SgHf40`2)lCN=6FOwH#D3EW)|}U#8`2c&0gq5 z1jg!dx{8Q7_$97lasSsm(7K*5KX~8B(J8~4Y@hO!D^ft&_g`E*{1CC>*uCalSDBETA~4;N?B>;(-#Ac5S01> z`JRM}wjw?1j3_I=$gFtRci^hu(^X0c2~AQ16I~81rogDGY+Hmpz&p>C4AJH zW(yfIy7;EN6Tgd#0o#;k(UwP-&mLWSm4e%?<yAA%x)i(uerXaM0@I(5wm0~DhH7b6=2LrGBNm#ddM)=w4T z&3|A7pZ@_acn08OB0q3iH18z>0!0l0C@W%Q>WOHbo>4%am|GNJJuj8gBlO&@C{V|r z6(qpqi%a0~6}@$r#@TUCuKsi4{QnyGf4@wC4K4=O6`%kSL77OoxR&LM=PMC#4Vw!9Tw*ZkGMpRs(Y#uk=53`o! 
z1rft7q!G#n6UN&Pq)3Q2vmD0R5ccZnl~d869^)Q`s}j|KKy|g$l7+0DcO4Wuy0eA9 zn}LtKu(0+yG{mLibR3c`k#0I$Y!&;J%o}gZiDpXeMYHh4sW!Hgo8+{HwSyoR*Ry+Q z3=cF@^WIQ~^il&11q4n}MqH0#8yPHkat=Y$X0J^0R)<)y&w+rEjT}CpNQ7Ap3$O$! zDX*fbYy8L2);%n#q)Cl^PZWTU6l~yPz|%h^l#evVu7}b9a)}i^l0qCumpoL1oB|v0IgkpMflo=pAApd8ft_DmzFOVjkF!@$OnOme^U%`9-uF4+ z2gDBo7L%ZkOIUhw!}ReF+$SzAmy&f*ZdLojIp`NYyO@fhtxs%j>*Vh3H{>@u36rd* z#lKVCYXx`EB_bjwf=bk=1P%ZdA&_F({=xRouFPJ{+_x>K`iGH~$WW_LO{}e?NfBKo z(jH%M&SB6*`R|^I<+FN0)0wt0g+{h&iAqvGB=(A=wP_8G#O#k&iJD|*Wupq3Zj?2t z^deP@)Pm|i3>Jm=R%6@qkN4S1C721;o)=3bSJyL_O!Rt1(0dK}a8`%2GW)5`zyC&C zYmZaT(Pt=T9(XxT@^;o37?(?%%uCen)n~jN*)Zpw9W;7r(jfwX>v@XG^;&eGD)4mF z?)Tc)EM7LJKZ~)PK+|WqiF2{#$yHT?b?U1?F2oNY^Pxo)6Gb3UR(qEfY@LmT0Fh33 zPm0e_s!HXBjc`^^2mr>>G+4_%j+M4fu~GlRxQx~O-}TvgYA&0AS(sXWivnech7@;Y=~s)4zTg4m+Nk}X(=@rKUkAy zui!j0sRKWRgS`R#EdatDkevF^e=Ln^+>|<{V^-v6y2Rp_5spNqE-Ddv|Yyl@G5h5a@ zS z0N3d7CdqPARTu(Ngrb273T=Pm9T5_oBInb{nf$irq||beSpH1q1I())x5_h&ACGCe z{AwRz4?%xPW!b1j*@a>Xvo{%gfVT2^XDf`ex3y}|1U0%bOu9&oEO)^LxBBznAk{i9 z&1bOL<2zqm^++FlAYq1yCS6+x20jCTZs`;95^l9y=Eek+)bKGDdiH^%w^JX9|V_k^}}~01_4kEXM5l z+Iw92M!G^$0Q@Y>08Bj0!n%S&0{(oW`6B+}1pRXc0@B8N8vPYelmI{o)meeSr2!xf z!JxfCU;tCi;G2yQ2xlSwmBFciWo z=^*(P^{xGXH|ne61xi>2bs_tgpy+V{JwwAGaX6W|Z5M;@%aKF`>6v-x#N||th_mLq z&SDZ5S#0!*aa^NoKnQ<=95!89Yrt>bqy&mLL#DYVag1GJ5F@^BG0ESG`p%UP+u`26 zEEdWsLGsFsJv2_1uE;6T)l8uXUxKT<$M~eaYF@iw5^Z@IZb?+&`E@~JBz4ipqc%rU zD;ZJPjmhMrh?qt5X5m7sU-d#uUhdmwI3~W@kO}CKak8UQ+gFtr-as)F%-4q1trky) z_|}%K&YI-DQ7FYd+ke31u8QwU6xOB7j~oK3UfTN%nc&pVXwdT>yH25fF_>#z1bRVU z|J?B;-iCu4eCUyns?dr~lSC4)RmVh|0d-v!zHAD4Q3E-mJdb^v)-B|pf@D6{r(ZNk z@7u9kBVE<{^%pLBJs*0T`nCtXUjRcOvRT8DM|^oX-|xG#Vsg-G^yA`xH(VjR^>2oY z4G0j*dbY-jD|Q1_u>%})8R!6?vrbXWv3SqwBXaOx!fQUUPgTXFgwsw&JKo^_Wz??;T`p5ugGEBW(iWE8f z!6Vnh`E>qa2Fb$eD&>B&w{+5lVr}t~P>-gxId(|W)@M1Q?xeX!IzT^s+nWlTb5`G! 
zH44q~$?DfKV~mg%772;Ln!Ec>U@#lo)FMr1vSitHM#;bxLjtj_a5z@O@EF9x4okao zkV-5z`)^TI-NQM;?jK&ty9*3`;CKWG61_Qi(Hj4kj)o=oS& zeUHzrl@-hY^%skc_kWI24+nY5h>BtjrwpJ;Ga*>{o_g+<{Pg`)X|(WH7y+|f z2FCeh@fT_cB@Q#UcY(zMmJ3mgl+x7+Gb(zlfj)Tk`dv1P2;kR;TG6T$1LlmqcS(K^ z-ut>Nn||Jxe1u#LvrL1@3cAD;OVH_{l%a=!VcuGDUVk7_lAQo3&cSrcz0ivKFk7** zhlQXXTm^lX5(Cy5j{j%cwntq^`}!wyUrKO-0ZCT7k6mec)8Oy+fVI`?v~&<{Km_A# zRe}wJ$HTIA2gvYN95c>Yuj|`2x_-nP(FT#&)yeLPBIHb#yOLSEeepd2nrHS%2jOb6 zxV7Xmc$G_3^rjbRRPjUhUtlE0{x7fo0y36<0$I`5lF=uDNF1AeEQ)v&eHBGaM$k9A zk3pxi+JKFcs@g-;v@_#xT8f>Nm!FgaXc5?mdJryjJv{EO9hlKT+mTB!A01VuGJ#@{ zCPYNC;b7xtukRL8W9w@W_9?TOJ$eRgq91zZ;f!jX)ytf-6>oZYzAE1@GQ_)Yvx9Od z-tvw?tcIHX40h=+#YRhQzIaY#2^G>5q~(M}R1}s-Dg?!b0CPCOaYYsnWB?)lcE^*M z15@i$X?TK=VNAt>Z|3UpmIAt~oR%a^lrriY1~sL*xOlvk`mA;?Uh7fMF=H9_OZUo} z6hvT2ao?iGdwid~@K?Hkdo$f}9+1T+*8XkyU{YYe@YX%z(lJS+(kKTf&in{*DWOkZ zo-l`mDd4M4i3W}ZW8GQc4fYfUfep7+Q%NrUDxW#$~{397}A+xG0ryAWI8-PIgI+q^L)~{1-Uh< zcxk-&#OC>%GJ$`|vWrM-_q#6zFDsw|D;a};0mc=qR$~IimoqQ(O)8IEZlURb$ad5L z?-cGFd#&DRBba?;sfPlWm?lxtG?0_PPYngx&ZRNfe}0jJA{mwQ%`W5v{+NWKq2j4D zi*zPJ#RBMrzOhL6@SUFn7;yJ-OEA6`g2geif0_T9AG6@AxIxbU=v+bhP}Z(#pYR9} zXl11|N;kI=W?LNI^%IWOHCU0+7ly4IjEnKPE>!R(UAST9#aJkHR7ZVn>}C%>E-G{- zS5Li3CYUJ{1n=hY5c$l&=!3#=LSFz;ppoEoN3xzcTK_)njxl& z9GjA{6dKO?AKR`GO~TRf4DtzizE2~?E91dwJG8~yv0CSLlEeiOqcN3Mcs}>nE3Ci! 
zNg(mP)1I^h*vQaYLsCQF3M*6vRH#m2C@WidL%L$kyNjTtI0pXYB%lC` zHC{R41JxsEs}_Dw1XUYNw@=wGX}Xpyi=AW}zUvQ4ii9{U7$J*fhF z-u<$X>%k>pIOFFNLZnO(!~|=Tlg>Fn%0pzv{t|Dwv^LFaSDW&Bn<9{nX9Ai<^=x*+ zjJ6_{s0X5OyBMtZVj75~IkN7VgfD|SMg^}dlx2N1pyZ%Q9`w&X`Z@0{Imo@Q0?;1F z`0Fd$Jwbg@56ZEm!%+5ipf!=#RhV5Jb!VOTZoRMOOE} zZa+>NxicpN>TjC&3;5EKKC(ZH()WRvb*2hTr(8lYc7zYKYbkY$`Go%tP7){ew#{$4 z;>#NcdBJ9-yY3*}C83xtpM8eApZVIP>2ot)=|z#Fd{i>VBoczlv2#~z_e;lzzyax8 ztaR1-yp7WcQPh)}Mbq@4q(de7G~ls|tnC{#`!$Ty{{l*uGv`-2wqd9;MfUafd8mNN zoz|mBY5AwemB`rGLp!f6QtNU#`KL`$#rn<&WrjEZF&w?AGh@#P-5*fGQ`%9*+}SRz z8&^ihEMnb@W!O9sE<2?5UDGtrw?IoUWQg4eyZOQ}+J+u4eHnRId{f{n4HfPchebqo ze6-&!WYbDNoj;t;)!?co9Cd1kh?y+#xja_j7)iFZ!$Cq2eOD|WjbQ+hf zyD6R9Bt$Yw_NC^Od;Jp)%?8}hQ~kiG*Q}4Uvh4*g_1d}?sRgs&^RP(b>v|lj2Tl7i zMxrXnBcR z%eE$-`XXN)7=|~N)caTf`z6vEF?^k(PIymyJ6kRQeJp2g#HZTh@|zO7!YuIu)I}=L z2W9k8x^R%OE` zS9=#NsDrdV+gq1_KQiT(k97k3E2(J`fFUVw8(`)a0Oq!GWOm`bvmf|Sa%t+iU<3mg z0}=sh>Wb%)(vK9gOV4bBD|?@(cCNc2!4h*ssbs3kF1>NvoWw>x^MXT>C@6N@)5hzG zo}t9N@w_4*PQXjRNdc8-A9JyOZ+v{8(H>K<7O_5=veEgaFG-YA5A_Ox@DW%bk}&k8 zmOcI#EE)TZXwq-Nfaqd0!_eAK#XKmtEOnD*GKry@zB6jBp;8ZjSJ>$FLj6Br)_r)K+;5Nb4C0AY zo9#D}nIx31L^d7uNW2O-nYK0D#Cn$yd01hs%l3x=m(1L>5!y|ukGCF zF?<4dUc$baFgD5|5S?46d7-ie9?Jc+&Pg?)$Op(Ob=Q^4Gf{QGvTn(6*%AheVmw#x z*94rwdWnhlEwR<44@wE-(Wc5D^WdjpKm|GXwS9WJAO03Gc#|Y15~|F}c|Q(jhKnOw zfHC6mie_^TNM4HRYubdt_T(71$<7TNA_YFG+9g>W`O(+6ioyq>CLG1oJc`Wpijp9I zz8BoNYk*v1p-Ce6?&sJoZz8{EXusC4c?O>lR=ERHkFfhSfErkTg<)ZE7k)RD;*BZ0Od$VvrBs>2~R0d@?d*4icHVN|VjOx%>&Jv4mut$UgUs z3u&;e5-v-6o`yHix%;J0hN}y0o98o0_D9eaYOMQm`-;K?+i<4}kCYD{%x}1>%f)>V zT*sz0clQiKP7xHzf}4Tb;2+C!wAbOxD$25?y}nnBRVK*+bBg=$&y89UVUw7{6r-oK ze;D2$*J@Bi(*`4fYI74{-%4WM*(+0JU$!O&JKHPIShPU4`hu1e@2w1rUMf4&w&m7i zo|?Lu<%UZQ*n|ua-tj<+i`Aq(8Kgh}Opk$x3+v~URp#Xzl=h-Ho7}%s8rA?LBRx4g z0+nra3qSHZ!EY0i;o#M(NAxiHZKh4{LQ)+p;)@wuPs@$yuz~mGS`e^~2bL#-9BIO^ z47ROSZ0&otLAW!T2CO`u@4X;k{AECni6@{~v(|Ox!dumZ-+i0(NsjYCT19;2mj++w z3J0Z&6^h{7w1a`_nE!UKc-N#8W z$6V!i^d4XmC9@OQ4c`nK2-pToz#mIkC`j1}B0Di@7yAtAhH$%SDt`v?mECh!CG>_!t#wU* 
z5uZQw#Jy~mW|h=Q66LA^%v1!@C5?&BWkcI(X>vjDA@SVNQi*6st54}!XK%K5Twq@= zTwjos3;PR_hyl$o3ioCp7~3mr-K>P-y!PEPlV9%Y_;p`>{13lfU&)%18ge7tkRXp- zv=iGdlAH7$I#);}`}iZjkz*Nsw}3YvuorlWYt6?~Wy~}phfLdG6t%5_q0Oo}R? znAW2om+mYc9gt4F9+Z6|ZhfaKMz1|x!RtgMvh<8FRku%1lJZf`bS|EKKdE z)3=T_aknQ7HvdoI)iek0_vFjcQ8rAIylkIbGbjvFrRU&)v&c6I)xsrC$Zqjldt>zk zZT{IZ*Wmpk`(PWX1cn=-g ziOw$rY~+N|8zkjfEy#Zd;d7_b3YyNPmxFjH$wpwNX7%70l?0M%4BjyV*o77ER=2E+ zv}P_%`&Wp^ukE22EbB3lT}K;f0vW#MCtV+j3C(_2D!#?RW7rttP!ivF8W zu(h01cidopNcVBN#r=yEGU$a$E#S+^-16NPq8nAwqg8&bH%X`VB)E|U4Gl?m`=kzS zQYOqy(=5agy&V#GS^3k?|D+=Hyd$JY=V6GISRzB+m@qyjZsgmR?H9=ZimW3s7U+cF z7sp{Vho^Z%;k3&mVC<>_%+5Jpkxo-IVG3;*v_uIzbIlVS!$ofdR^LDS8ir25)Lgnn zcHsH^zHCc_=Qu?qJQ4?bW2O7UoYUWRJfiN#n+P?H+f@uaVD82#_IQ_78A*BDoRyp0 zuG--pEzU=P$j+dryZ%stpS#?l`ms=5_pn9zN=0)6n@1eW4NWj75KYY5<1S@6*c-hI zy!xxxq54#qwe+OwS$r!nRVkIz4m|+}u46rX>suLCE~$y65-hcuNrU1lZ+ZhDBj;|$ zyn%y;KfeoTt5beVLpmbtMk+?IOoR5 zwvuY4YHtv2^PQe!60s(h>3xwsk@rm#G{&h`#jYW{Hz7KR{QVwj9jx+*ZWU?;xE2Ab zAPidrBNw4Yr?{sswVZ7}=Ii)4kn`7t)wdo#1T-rzJ{MW+>9g6qy-kxZprC0fT(yWm zuRhqcWDs9|NyLr6FROSj`G(b*FA99@k24?b+^_?i!rM@}7RdOY+R<4z19fBGF*@Qv zUG|RuBopdqP^{X4<($OI(E@@Pb%3fZnin(U3+Et*_%-1JH#yLM(M>P4F8v7YmGd+PDtWg<|!B7*NHwMVU= zA+mhyQ~%56_L*(wVA`SUEU03#M5h6@OVzJq_nkStw$Tl-&wJhfF&5KM#Q;22^O@fY z@#~j)z~h)Yn%@V{=WrbuIw&)&!wv-FoikoUE-f!2@vM zD~x$D*8#T4;o70<)}&+|sxmgvtVdQts|5hf{YJ1N24~(!Yd$zMA=N1dE9o(x} z13_h6B73CEk6<#|2o5^ChdiJdPLPx68j=8U$*lOWm@eOzUS=|R^9WW|7UXzCmgAJq z`kc0l`&M$uOvGUJAyc;8fQ=7PmelC-Sxjtbt}IUpypV_2;XW3A{#3CoPw4iHPJ zR18H{CeH2wDMWpJ4q+unlrre&tvQQ97!!bJV!dMCMffFubaYQsOKc0I^%sp)2oH9C!F%%(Wx_{L^2(FEh^6aG32LVGExt&W*738N9 zz36`bDBv|=3r6Mpst<;0P%FpI(lk4&?j6-fu6Lx!4t#ezeM|J41M{4M%9YA?D-hGs zfk%Df%+OJZ_iis-rdPB|5S}cN5*}QYHlT~D^XC1h8kR?WlW2^!!eXQO=^Yf@)Va)# zYe=|I#oJ$Rr3TKQazmJi<0e+uu@DI3aow%`waev*q&ggK3LlFM9>3f6>w-a z&oFZeJ66wlrJZi3ktyekwp|>QnXUBvU*+eJQ2jlk;n$9KplI1(Izor2iFvnwDPJEz zdyQ6g=7iyHS6sN&3U7JUwgFqZU>kjL1=mM&CT6f33n>C}r6fo~@KeKLq(3I-E-es1 z(g&`e8(fZS;S{c~xZqEpWsNy< 
z2NT$lmg2HIC{D-j9Ve_N20dWWA#>c+)Rtl^0OpgKQMZgPzKvE4>^KEotK0P8%B}Hd z3nibvut})PM!k1z9_RL8U0#H(FCb!Qx|d&g7@)6+3*pD4K&fB&N+)^6gQh~!;3$xp zBIsn({o6H_21#$^NL-D60XD`@X@DW{p^H{1MRk=bvW{1BQlf{o5y3_kSRXoIHUpT3 zjb19o4O|QmfN>sWHcg4RN1ucOZ?m&?7T}UfX}h06>1G58=SqVifxct*1y;CynA~ z*C|fMFjhSFQAz!K)>p%oqsk_f#ETg}i|M^ihK)dtIY>~n8yMfjKpi=V-6hWHMd^IG9(;|!+p7^h z@VA)3oTnKcLRo_2am*bz?d@ zh#A^_w~a+hXu0e76s9}Juig%Fw++S>F$Cfx5R2g{X8gP(UQIYmamGgQq{8m&$gz!O ze4k%npClO#B3H0&cAukUl2Q2tY2BBDv9hN;$Q3EY57e`UbA=J8KeQ)qE4S9FBA3j& z4k|fQ4H+De8GlKkP1d{7tWWy1I>P?E;khPBE+7Bm{=GtRPm4!;K@66?fs^_P^$Ark z8y()dJDsrwoU{(Z9Y=5NK5X3gC4We+=pR|sz(WhiKca9=O39}BE4e9aVHHjAN5yuF zPo1_6K65)-Pal(le}!}!e!!(3&!$GN`OYf{h%LCHidXeIT4&zV4}d>LAZuJPYy3J1 zDorrObB(4!oYQ?s<~n59v_-yORF1`G^Jo1d4!LgpsR@%DovzYhlALE?l4F5YPByY0 z#aPWk#G26e@01ZmZba0hiXO`N=`F-}guPUueQ*wQ4{H{rBMp3f@E*1Ek};EsGSX1H z8|JwybAWC~9+S)43=heDRyN>{=R(~I^kgJ~!7fEC@(yEGO3`Vv=?#{R?qO0^P(Jbk z%TvK~BW!u^2Qn>9YXL4lqb`x0Bqeb9oVm*k~Kb7jc&7n-69r7F6nF?+^KjKll|KeG5+yP2qp;o%Uoy=meygq1$?4nagFPrdoDD0vGQO_<;^$FUMXOY2jFt@wii|lDVr#~H8qOrU{_(NAxjmM zcwpSAwZ4+RnSbaic2ajYTSr5;p5Rr;{Z4KxIlKy{FcZ!k2QQqIG?Yqx6W{v9hWbZo zadhVR24k*bGm=R+qx4p5Mugpa?+8l$`>e{lF6D8x)MAK=3LHol`ZGBKWOcKmk48Te z!de&dv_~Kewp8_geVsA)W(O<2y)!NMXRhu>DIih_KYSXr!>{0*ru@U!9#*Xp{;f6_ zna9jKrru_~?n+a->xar(^#CD79T6XyA&fNJIzzSxCtQ)DQo1M`EN#{a2VeVNtwBf} z!l-CkBEg6Qo-k~^bB^2Es4)MgqLbs>faQ=d*lm20xV1gxLtgW*el;yGA1;hA>E*$WQ)pcHaE-ov(s z`+-TX#V7i07xGnZoyfhdq@ej6VyAEZLcq(pfyBrkIdUv8KNHb1gI}|-=6Jph>lkAg zmS(Jr_U$I`y#<6(pT@Kzck2`=Tc+^qq>TNb6pJxhjB!IlDtt@5Rr-OdeslG5V0upe zlhAi1O8Pu}kTaaE=V{O9jqV6ln?G@SRyO=qhHQ_muR8W>WdUeqC^kPUd|!#d~EKVga1w{3qc1 z;f@ZEi<0pZ=->vqG}YD8(H3Jx1p?4ml=A#ExM4jpi~mz{+ii> z@3AeORt4~)_xpIG!VhU&4M*OW>cz7wa702OY`gJDdo>t|gQ_LhG;0EMIeIs;%g2SB z6jJD!i$tda)*0ge11Uh(zl9O2!kGJ|0mo1inPc+;socaf&%d)DNF@dRE(*U_7eG{0 zypcSq;cjo3LV21o1#7fznQ^T{=LYrMxkWq91QP^(xe+P%mpqHGAGA zwaL4ut}KK^?LG99KLYq5TPC5mjmcYVfx$_3geD;z0m6Nid)feTuTo?p!Zquh1%$O! 
zl${7SEs-XNHFJeW2&^9zG{}y=Qv0A`A*v2{D)OREluwMIGg}Cp*!|jl;1k4qz_7Th zKkm6Hkh)_wh5L=~Ucq8%qiq|yq)<;8(gk)kC9oC@^mC`nZT}gHuZK>Id?kgu?5`Gk zr^tdih(Imh?07 zX{QPMZPj{^AZpQu7i^fdXrYP(aC{U%R?5*Y4?JSnUE)2w{}j+-)~L^jW3&JRX&8`3 zg0`l6N%D1J#n$^BaDn+H1i~!lv0O1rJq+;s_fx8%X^=(f(2CgOObBfKGIHUgNl(vKxe^J+) zFdTAwx|GaW1#CWthC#@_4GxWKn(tRx8Q5S@XY z&iKZM(;`g1f%ZgO?~g8h_@ZW(_ls2hy)5JGlqE{o)wUZO_~lK9er1l#J=eP$zpfG; z0R>q_I~!9gSpI@GGo;fdp+(lEaZQgT=gF$oG*NOZt;qt_;kdpQ$4iQ6|Av3Yq4=Qm zFyc&WzFXl?uWr!^K*Sy8HfvCs0)4S^+BSVx2+Gq}Qxh}d_awqZh+V;!u-l=O6nFWY z)T|b#DLD}jZdQ*D0sR!8xPo0M0~6QD`H&{TPqmA7cl1|6?=20LA3UuRw&t6uv9FMN z9h*E^O$!-Ez7}Zh6}nQQ01nhg+o#uvaKO{tZ`5Ntsv`GC4*q1=8kcF^iDff`;_33C z{R_f~Qjvw-@0zqv{X5!vvdRa|YlIynI>TpxfWTqzg9-ogBZ_hv62+#x9goI==$adl z&NMr%zw4=&lf7MV>1KTas+!t74$W7zNMy2FqL0|a5Z1z76*y&`sE>o zQSUta`KqM+2LAT~ULN`cDGxeHhsBB<-u-v$x2dE6RZT9{-;Km!n(aN(Z|?^w*K)Y< zb_hrXdNrzeozzs+(_tMTu7QHZ6YnFW!mA#G9@r-oZzmmC>|hNUEpP2l#q@VSO_Q?I zt87J$kesl{Jc)_ihXu4*tu`CvCkHU_7zy-L0^wrnD8iT`MXt-VJ=mUaMKGW*JlT!%ePIrwR%14LkR(VN)UU_=&f60Ldo!x!FqR# znk%bDS1>5GdY12tc~?axGc~Q3h78$)n@Q%bb3s>U0a?EM7}?kDXZ}@1DqaW8?e2J* zgGWwNBW6<7*3R|`muOLR3kD>vCi7?aaVkwJ%}R;~Ddasu?Rrof5qj0&Y_ruBHqz!T zI^Jwd4Msy6F036G-Bq2-47f|&V)u$Ib$wX;esYKW@sK#xcpNBC!9<=fUBukB1sDY* z)UU4Oj_Csf@0a;&l6y8&JFdx&jSgI^_b_yGHy#X`YMP4cIxO*T2DSI1cVb`;2=VN^kn;Eua6T2Z4pY}(}(Q~T~bk63~8x{KD zY1G@`sqL47S)geS6lg&ih^4dTL0?VP8^)=dXbT-Uj_n3U;)V4av!0v zV^nT4E^P^K!ScqMFS)(ws2e$hu6qaO(8?N z%fGi1^vvr_YInpa7lo=XxB8f1Gx=Or_$CJ~5nO%FVS@M9e%5aDeO2){W44<8a;@#- zGP9SjUMz0i^Dxm8Ea&Se4EUXXX2{q&0g=UG!0P!5Al05^T&p{a?EK4#K8Xg_sDV6IGf7BC@- zE?wS!A|M4TLG_B!oqpUYKrTp3Y2~qe1eh~4PV17rnJfmjlry}YI}4~Z+N$lZ!8nhB zO>HbZ3#_~&I{z2F`BilV#J_3vo^2XL1t>S!vD)AP|4?MvGE>@V+(`s3D`JW6b0oS8E5#- zq>N9<)2mbD%dn>XT9E;`jR4)?jGyJAxs+G~&Az{7i0(+Hr|qTXlUef7HWi?~Xrd-InF7U?(-N?9AeOv^?MTTK~xxEVorp z9X3BM;pX?hM2e$;Q3ou!9~AdU`=%iiJoG@@tm46&-V&Dai~@t;O0N#o5R&3mS)mCr z$B~^W67MPN4gKl0^oA$EkEr>inU}hvnkqsji(y8k z?MPIk90;&XTpW)2_2O1B7doGy|C{V1r#3*-9hWiB1gzmvNf#JBR~M$i*lp+=7kbso 
zNvDw3q|$`3C6MQP^7>g-8U*ttH$m8nmTN)jBP{;>guxGE6Kev9aS^P~ zTSI89>MC*t4vQJ2-*lu_jxzt@-`K4An5aFfz8Hym(-dB99$wX zQT=Iy&xZ{^lJv=qi9CL3vy_k6FATo!Y2&A1{2lCCKbZZQtE>uRQ6=`E6Y5riQB{MSWM5r6R(;#6h%(ZZ}$=C zg~Z;nJW{^ftiB-%JN7Y4rmCG2f9~n6z6KUCW3|-AnaB!C@cY`G^-s1X9&-oGjH?3u2e6MAoPBtf&iN@27uM1uQOW(Vo71J}J^D|)%T92ePlM?SE)nyA~^ z!9I!oQsPqtVkNk>p949w8lkPMISKS>_(2Rl;Vh?sVV}z#2P{=ln7>ys#=v#MNfa7J z?w|?h23=M`9?eOsTeBxtd+T>Ww^27ZlBwjAN4~UVf6*jH z3SG&68LBFmIJA52el)yQ1L#aw<4sE=GjY;JH?eQZg(QSX&?hpmg4RI7fT&gL6W3Xt z29j!n+?n5sJ5}Lu#X9=oA^9vQx<~aI76(xar?TO)Ar&YC|60MEe=cQ4Lx&ssdm{tA zoQ75}3eL@h&Rms~5B7p6HZu81Vm6jILm5k+-Pw=-MWdtufylbKvS>agGd7B1B9 z0g3G}{g)I$URR^juNPf(z0)Fc+E7bChtxyXbRO%5cVwb$pzqFhEF%PaR_8P=@mN@V zDU0sSv1r(C{+Bbl7AJOFJx(23hUW~eZ($wk%`o;-zC3!1W!E*8CA~|wW#7s6T?iZt zbM&Do4JjBgPnQ7&kXBJ&0jwv9TKmw7qUW{!;d+mN5RrSzT=$&8gUr0UoHn_&Kw}D_ zs~sao%S4V(!f&kWOhaG>?bX;hIX;0@D3^3-^Fd2X(9g`^VwE$E^D@ z*ppknQraOQ_74HQb{gZdL;z5~6z0ZloW9Ls_CbFHDdZ_EI@oLXTIuY3-IH~C*kzkjO4I{5Y zBXQ5Ty_Z#)$z25o-dfER(BMtY3JCUz$IoxG!iyOLbGYbjMS$aruomfTS|O!o{#R5O zozZpm;(H9a4=M)8=VD$M)C(lR7yYX8aAuR~jo=cKeo7YSeg1>_*>Rdi!0Kw?&A3 zig7`KveBq&nM8iF08!$#J6e?56hS3T=ZC?E=?-5gr!6;jc2=62zAg;>_|MM5#+*rA zQxX*k&_5>o)80h0R^~Y$^g_*~diZ19-(HQ3Upj?EXBeG&ZwqEv4n>c#pq+T?0{l#u zZ&5W4p{`WmAEgGa3Qk4`rEUT}f%U|h3a7v{(5WlV(U1-ahG8};TEZcM)JgqE=gBNo zpiIW`4(=lA+kl9?;apx%d&xkr%}8zG>uz9<8mSThc|HZ1=2 z98jA}Q(7hjydBf4WX7V`15{4q?nNrN#rKdE42hGmjYvH)@jonR4gW8g-GmrgRICI$v*z)1`kj zb=o3x$Jz@C=y|E~upL_lRu*e-qz}fvZFE7*Zb357t`!Cegxt2%B*e-OOh!aOwUNHm z5V-wMhx%aHgbMAO!JNaK13-Hn#GDmh6Ju-#0Z%(QMi{pIY-o_ zAAIoLC1?&wm3ltCk!WM)=v5uN_VZbo%Jr_{gr-Sr$mL}VIt(|`X~Z6Q2=|`^+}jMB zTO+eDM+yru!pcT^X^R`{eHj5}clD!v;^Ztg*PwDb^Y(iM)ZCBV6unNp+Jr!y~} z`*N(NkkN(|?9Y{1$IOa)NsAv+#*KM7@9DLf559iQZJ}Gt+}>E54($_J3T|hOE`4ac z3EYK_WKrtxN=3`8O=+FU&sw7Z5uEcwU ~uT^}MIg#gxjER5j0!2d!NAR?$p{7cx zU^SXp(O1;OGGW3^`ASgHk^$aJEzHfWX0vNDtf(i!8QT(1F(Y+{Kqw5pUPzxgTzc`F zvL|40g)V2INXZkeExyK9<=iX7sh|`f8T(c*cKy`pwr;4(1HDI7%Q=Tfi9U8op2Xt| z9ih59-^tFI=%)iEi%<>3Xmj~czge5@1enx!o|bGGO*?|OWfeybq@|-g_iA)OVFXEr 
z0huZJhOUH-y%3FBiPj&XoK58cF84VKRi8?i?{%lI=&DdBDE+$Gbs%!jqR{1|*)3@= z4_=KNCw(dTtU~tC;^PardXs3`Q;ZwT`H>VSq_t_Fki;AAIl%F8xUR%ho*vHLQ=Mv0 z&!^IJoN2Fz3PezbS<6kbl>~Imo>_D*gXBYG8AN_yEBs28-D=`vclUy0i0Y_$TF%wTDF;KNk~;p)5>f1-UTy*@Om&}K3ft2X;;{i6^&U7 zB5gtWA|)$W|LbQ#rk;|U%s)BHL*k5@T&8h_83=kb(w?>9WI!gs%mbv8rFc_cJ?Ko) zEEmlv-~YGYVELY)9(A3skuH9(xe#~X3=C*QyU<A#SQ5rJ72NY*kn$n*w6(Px|Qdo+$mrM4uT0upZ@%w^dB zaB``iUNPvQo*vJkS8BcWQarMv?w?p&R_%&AG2_J}#Z*YyRzy8oK=m2SGbXMny-(Q- zo@^c|7dwmme+b?FS-T%hwtzHX)vQ|^hxBLsSHzH-wQ8yeF>O97mpUTv$xUN#rg-~b zvWaVx-R=uOpu8el;1EYAlpqB()GJV3&7A@b%cCnJ}{S}jyC`ZdK zqs)lt=GLeD<#2B2<;lM=(V>1hX|g8B%%yGbDZG0w$56H}eh6z3Wb9{hP1iSoT3kiq z9I#)D@7 zkL8Nq(&D~61RE!WL?))QE-%G1K;jH}w1@z&iO7mqNr{-j@o^Wd1#Da26RHhCA87G7 zLNu7IyFWXH@(2L~P})$0vH^0Ln8cHyKk7Mkmg0mKyQ;ZpIjaC>To;Vh_*L+&=^zkD zGbRPICRh(COEI%B&>&3^1W9v73bg8{HHB$Hhze%13&w*nzL7--`f-tyTjjl8N(d)7r7XjKVpP&Vr3XKP%ZPWIeW$HnKxZFrCg(~9I+GPb%$*)%&M>tu6T<#Pp&2`kFG$_I!(8&H9#Qz;;bO|C;@RKrsudD>rSs|=+!o@E+ia#^Kh`t0kB`02*H@1MDf~UCD}}XqEdPxdftD$=S>iXsW?Gg zJHeP*HAITuWJ8gxzr-l_RaQY>$sLa!f~DleQ6br;Q#UXSzw6tw^wWaMca;L?TmFgf z0ry4+YZXrdvPc>-t4FM9>E8DLNB2xxeE>3&&uxIX-H273_DQ9Pj21?I{H0VRx78J^ z3CPxFu`nogZIhX0V5jR8oWb_0HX5t#LFGwwNK4Mw-XwIZsz+XJ3(*O6%$e7JnSiww z8P%QMNh!#!8v_zJA0V;$8<9|-9YmNfg89UUJE9we9}3f@GaZ(s17P}?@T@w9HXVo4 z+6j%djizjLK8?Ouf)9pjG8W1}Mv1ha>XUiVM0JrLhB_;#IuxxzA z3KB*wE?vm;CXfVw#246eNlwY>j_e_x1^DzW2yEIa=jwm@24|t;KA{)W)cr=8TQcn$ zAu)3fHR%nXt&=|nhfTpdbBQJj2o#APSQBcNb<8CRG45y|XuyZ9QnROg6;6D`4X(?5m zZ5m!SXoLv}s$uMAlTqTQS(*`Rn#*YcLprBVw(J!xAw6$JFSgU5Rc-0&0E$J#O~>9= zSXRBruro?e)pi`ZJ_u9zCG$`C)7 zs;C97{(!z^iXtzGfu_i;-~{hxpjEAO#~$-C`k33pOd2*&fWc#= z3tH%$@f?!meFFj07?f-629S6c7HMa~#dggR_n?>TK2LJ9*@g)TdhN;!{X>Ch6*c$s zlMlr4&(%i)+&iG-%Le+jvC95=|wM1zgE3eP&#(yxH?|8 z;^x2Ro#ko$FhGTrJtdY{AqyY_hbuEozrzF#$!f`K@iZDdXvsz@T_9NRu}b#|2-d{q zk>fTm)X5+>3{HFgOn8ZSMUSbunm(PtiksmIUQd*+R?s<6?dxtnK3)yshvK^UQ3IZF zi0+9dyyfwut&^t)|H>hqy|8JBQ<}=>s1J#q4BG?#EIxL^#*K_%|E5PGge^g%3oOU) zY7A1;$-6Fg{oBM3-ETaqJ!&hgUWsKq8;))s4SvjXw42CF>AlGPvbM3D?N+6MjWYF7 
zDx!Gm8V`wqECJdSdC4$HQM8*(e=>6!^4}0f$35*1jq&k)q|>+SCgOM7lbS@To@9f@WB&LFy6ujrOX_M=vHi zb%wg49Ol}0;!voWD3~}cF!g;<8D08h3Akq`zo(Z`>CzOnZdl>WQlBi~PyS4EkmIWk zi6@f_Qr9$i}iu)ENq#yV;F7_#5M1bTGnso4lzUS@;gBtRrS7~ug&o{ot0RpuXM}y^kACP{s1-;7bxQ{ zJr}r6r5mPDZ!(;AF9+Gbfg0P^#{J0vyhUEs(FANY;g8pgmv?O>;Ki*kx|Ytzd4v!) z`b@S3BG&|t{!1SlAQ~X|B`%nT^p?Gx;Jl0C6GN94t~$X10Ieo@(AorODa{F1Xy$O2 zrVu&Z;Q2n>Gr1|vw02-^z3)SS<8(DG`HdTjbpy@;%JN8lntsTF_=i*~@>$XTc+q=u z9bH_OtE?4DlWBirHrg?6=>cduZeL$&lxxq3=Dz!-WZR(gBZ@f`6gW7p#+zrkc-Ydf zPB$Zc+b)VRM$h^@&@M14L*z3p-ru4`Fae_6#7~L&m!eX)hK~=_$tZ;UgUNib*!lL) zUyO0ugf`8S%MR}0DTHPDiQ0-lvDmL}x+gRSFwJO1h}K^ADcU4Ay{JEh|I6g`N;BKvtDd^pSDMha73g~5)MwDLmnf*gxr0gQJiMEU{7+N~ z4-yKsdBNcAJ5LFZQiq*La->-f=#+EcAa)jK?kwS_vsd$Jfp>^huX_p(1D;E<$-V=5 z^@x;Ig_mIeAy`?+eE0WZa;XF$uu5U46DUt3URSBittwH6yW4wuC_A|DAA8nf8V6*h z36eo8sijGd->UKLd7d%Hq31w{eaZ;Qt->Du*2~0e7@ki(fLSK!rtvU9di4`oTeU*f z#|P4tGhrhTO3wqEDMDLf1Z|bobmRU&M%-|D^L25Ls7dubzdIX54D|Z@3%%~so_g3b zHs~a!;LTys2QYKOPFz?4Pkj{$sAD=H(6;1IE?5lwzaDux?z$fGG4sL$@|Ze^(iw_% zHT9Gyslh3hK*gS&CYD#u|73b9vw_u6Vs>TPJ|_^3e2efS(bre0%YUq@-VqW0XK{`Z zm9zI*ad`~BC@m!36!a+fcjX)@f#0fPn*nX#yzMDeYZUeO7gel zz`s{)4el;yv;pq)FuU5&bYBvsX2;hycyed$DYW}t#o_oUWT99d%=v%y3p&k~#=;^J z#htVtMDcUCLEMx|X{fy6zj*`{TkiDV*8y_Z(CuEt)655e*2K6cw}y4$x+U1wcM zcUz3KTO%<%vLhh!qiVw?RwAeUBdbf*@E4*fgKg)H;`I%N->J~&@Gp;%P0>zDLi>3! zCYy^y^-+=^OB~{{Bv7o z+8?tHdS#%N&l3azz%fusGroyu5gs0J$VbOxCkvh$k>`D?bt%_(Q5Yq)o8X*{@z@*x z(10W!?{xc9r|I|SYaKKJfPs3mUsS{W{OCZDKnkb{AYV?8<>(k1f$lmCfIV5iBnl`N z6x&p|ejJ|$+!npM=iVKQosU>K177n+(6~oWjgLrLo>T9&_5EG5@X%#oX_pkUokESy zPZsieI-J;gpu0K4ZsiYq*F5j%;f<@D&r5hT3f@_RsWr5>47`6MWMB+?w-_(Fq}R3` z7XewIy$b;f*VW(1=Jc@#cNy(qo)7pZd~H(e{>YfwV3E4(FDLT>WDjiQa_iP(C}+*x zY7xSof?eP3likp8gmz!Qb}M`EuW(7v@j_HCk+eEw(ui)b;=g#8W5##n#RkuahV?Ie zPIZj8ME>M1Q(`M0t#zfFFNezdzzgaUF_ZOJ=na@)nhvhJ8h-=fTnuP`0N|sqS(y;!fqFBxK^0*k<%PW8;o~dh>U+PeXn~;xR z8AYlp0W{pUNYU|~V|$XNSlrp*B0PeMV5-$^h>dGa1a~9U8fyGM|Ci2k0ToO@{^2P? 
zEEON6^wQsjDdx?_1P;KZ8B#3S;I>COdkvF_UA%(L4SBM(y#wY7jRuKg*%+B!>&+tX zC#qR@A6&Ki-L0EkS%Ly#AZe>q0|I?|j7E`GjFwTz=^P4sZW+aGO zYf|(AC}jrXRUh5K=4(MLgWF>19nX*ypsGNiNvw?8NwErW{antkW9 zzAkbI8W$}SfZhoT)s62>Mkr=}jemmN6Z9lH_o@By=*fD-A5x>~ZLJ%@c|npDqHpnD zY>%@|8)5nJdAEO~D(RslJPU$4RoS**!m^XW-c1AaS&*Q*nqZLq$M8RyLZmK3XJeIl zt(*J78K(^MT9P2*aGCThopeFP;jT?~mC<^CvILg73=G*)-f_|3`DXpHWhcfF6$ru> zE&dDZX6}rgKs;GEGA4iLGrSN`sBO#1DhX&#X>qGwt-Mb zrNf5IiKA!q#V_n{Oc&HE=7sa~_mX+6C6^4k2$;H3hII8Z^xACt-aZr-** z+CfFIllO$cK=4_UQEb?b`~#_X+p)E>LJO%S+4gPznqM-T90>YooYD+1AOL$>?8`Bl zxMKn5+scUuKfIYyf`$*HrlcH*wJ)eYfo%rI*FXL^#aXMg&L_S#Yf!bd6rax~x=y!U z^-{XTh3|7Exd+pn3YFr+&C|$lcH!}aZEd2f`KTPR?n`k@`x=H)k!H@BxoM4NT0kp) z3o|PyZq6{6(F(cN@(x1U0dJ@#mHS1+Np&Rqcr{YK!SLj){8<2&0WQMKLpd zU(xEK`lOmS*X}-Fdba-WWiwp2mkzrkwNPBk{M+)9!H_4AsdgImmVpS&05C`U`gMP} zF+mMAOH*CNYJ(9_SwvwdkCrQi+&V4ZB|Hjg>(#Mc(;PGIhSb|y$~)Tsh?R=8ldvH` zT@v#Mq2a_@CvJ{$aF}Y>Mb76spV_1^=5XP=scQO`f3uZ{ACpIbc=GDQf(M)ViT0S@ z#i!wkF7(-EF-{B@4s&$pgN1>$%b>9tgBV4nR zGmPf35a)vow;v3VTin~Z+YiLBldt?B(`Dh7Skh(XV@?I{TaRAwteyr$md-`6VI3Z2 zFG|s48s{jk?!}{7X`uR^UU=nZD8CUFL_lh>_C&?)LhCbl2tqUJa}m% z>ngSdv`tfo^AwC2YehfipJwd3>z7q6N5?FzLf&?Ltecl3yEwxrW*2%2jRRx3q`D)o8@QmR?4wUBv_k|`!2bVPTJt!gMgx9ymprO6o2a0?>7BA zl5}qUtx7RepS^$h=|z5LY9`i8K_}(N{9^CcTQ=;eWnSIta^O)ieq(WtV`-L&+oD^W zdg&{7Z@mbI`m^Z7kna7gK>FNnGs_Ij2fP|9UwKuwEtOD3df@qu{f$)TJ|q>C2y7YB zPaFnR;mU#HYN{!L=?gKG+1(8wJPWWhZs@SPjzhdVY&U^4qo3TEyRQu(L8Qo9~E5Wa$`ojkL;J=xvEk9N^%Wgcj zlirZZ(ei6BwG6JQzHCuZWMHsFg3c_zxezkLBfp8Sr6}z9!VgzBe$4aY(ledBRlTEm zoC3j#`zoSr*P2V80CJDc6f1Sy)#CQ#o~5|VhrB<>lQAPC9OZSGeMbTv52bh=K6Sfq z(u;}jZ5K?A*7&V#x#%r2lOEl8A*LO-mr+OHwJnS|5B>%85A&UaR)m3Njp>kf@U@4r zU0{)Ld`^f!TuWla+m~%ALx*QI6Lr^>SP^u?XYpkDd0}jvnL8B%w(}EQneLHnljCg!DBBm zQ4`VRQ^DV?JMC~zMJRtREP1fzB{<6076zLe`ORFFzj_TDNW!}SI14kNKRC~{b9y;S z{}>8tx6_&5HZ@lyh>{Dv1~0WU)*N~_u>PUd0mc;1Ndm!mTB#6{)?OPV!$ZRtrJyox+kw9li2%s?lrve z+oM~sX{MWBaf>%{?<$gN6X4R0Hm*)aleCI-8RE3j@501I-XzAugpBgB=0tU9!WhG< zF5U$&i;hQUv``P223HM2fPzRohUYBC+EbeRLzVxm4=#>mng2FWx5{ZnD 
zBssCd&hLn{a{nhAhpTU+yx2FEnU z5JTZ$T_x05SIV$=?)E*#C?f%1Er93Q0wM!O8lhN5t1raB9yADtP>e|2>(p6JwdN+o zE4*I6nUIf}D*Ff4J;0J0gc7ezYl|4GH*#>h<=%pm=)Pq(0k>%>{>s36k1t_z3gEO; z{ts!2_8L9zop*KC%FG43Jm)}I0udnGs0pdkq(c;#4S^^+{#UveijhwQ%t5r5g(e1C zv?6h7>Qx23x-i}KYEy$gzl=>6_ z4wNkpg$%b8Q>-XN0HRu)%*clg40GK=jyCF~4=>Fm$2g5_hAmeIy9g}OXUV?rO`&X` zZIksUp0~y*eo(T`ieO(^r?}5}kHZKA--%VX&Ic}Z>UPF#TMABg=8_jXI+uYDQAl;$ z%zXNNL&kv({)bVP$9qAniDrAz4UlE0_l!F2pDl)2EBAKZHX*GY3W1L(cG6iz&@uMh zpimI6vS)Kub@*9Af*B{_QLQ#cksh?2H54m? zL7*VxC?g~gFahotezvSZdsD}~F_9&B?MA4ZN}wxa+gokx&sRH!yb<;`pGzV-&$gRd z5a!IC)Re-JhKJ)YRqQB-0y5#SY}h4q=m; zzHNdy)hj*~GIARW2j>a?sW5W_W+$Dt=1F~^@3nZK6{ zXM(-gPtE527T4l9Dj3-1djON&K3=~c%8826j^tmOTtI5{7^MI6Mf;7V3D>o+;Wx|=lQK}&-OEX7D6y-R5W$`$Ug^BZSXRSwQSskVU8xxKK|3_t0c z(WEbd7G1)hm>~{`0V50Jxtihxs!9T+a5h6$@A0O^osMIkr>Ygsoj8c@qKZO%4W#pC z>=7T|M0jb7j>$0H_dwmKIm_PSx0+alXs*%KA<~Zo7V}2da@hNq3F&LohBZ!x87M>_ z@?I#S$BMSe1?%NSIv*2#CO|PT22U7l8_DpY(Xnj35x(>4eepsSxf|6BDd4X2YUNl) z6_4BlU51VKojRkuGx8$T($REPZ_26yT@fa{Z~^VyI$s~<9mKwAzc=e=ImhArnuTb% zmMVf>7QuM~$Npv!`!SHgt8(z&{hvU6%b8L9dmAStJ)vWhk0Kj%nzM-bHj}Nj75O4e zmi6+lj+}Y`b;phYswc-ZPI!Ux4Z#0X1p(46vV9BUMYK9O+4gB}tpU8c17=s8?LgIZ zw|*qaIwaYxEO?b7(37~)D_bDEh#8txAl^cW?qlQQw9>s#M-s$up3r=_lRg3;+d;)g@75Tw1Mc`D%$uWHmJyqf zdc!K(wzGxQm6u-xb|!n^Xa!_;;5rDelLmZi7M&e^#9NwONC{yWtLo)mNx!rDNn z)6w3iM(I~^yF}VXG*E6bydkLY>37)iv$hO_@O7Z1u;s=)&o4K@kpOIIBm(?-IVqXN zhHhr6=^$X0RjDNNe&i9h9yQ_?mnw%&`X7n0d@1$~#X_Z@oJ#z@8X_zkZ86Dzu>&E@ z>s!hz9MI~u)Pq;@z`&BR>gi@0g{;lRR9}(_AlO1+=lQ*^xYy)-)_v`YfVV+A(i}bP zb1|+WI*N2bN9tHe zrG2d!H)dM?)?UhKR;!CXSw}b74Qh=}15V{^Bzl7G=f$XXyaJ_(Z?O~=7KIap|DqSz zQ4!N9r)$Qq^i5Tv541xSZ%`jtH&Qm6!p>WB|7zXcmNda~DK$W_Qos+}q>(SZgCpIyMnKo%h{MfE!AY zey_$ngiZ>)2HT)Fc~sAM_l~E@ctx_m#!h`-QC^05zq@F#bHv&nh zJBsZwvwx4ARNWc0RAn4O_VEkQe3775tc9si%^~fb)LtA4D+Plj2;En4=wK%OmD*#u z&5ZXyz=1pQ_25s%<36(MB&|{)&PKZe{+ykJSTNf@60?{ulBHby;;kqZEYP!-ts-!(39K!1S%EL4nqH&Q0!XrML1->JcPZ)UkD%ZEZ z?5~F=n{MmZ3F00lWYotH9vQ~;A8shD_tvfbgQx0{&fHhd$Kx5K=c#UMB9(tT5Et?A&u**g?o_e)aWtgN 
zY_x7r9}{eKv9~mTT;hAOGQ&cT#qwL>k`=Rp=EZho(f}W#m4&Oh@}W~vdp6dy z^??RdMI;Kc6jQZUwezyYXzO|(k!*w5nr@|O_L}TvkR_$vXZ|i!p*2uvW zCDB>7480ia`yJ>Tl^@TUx-ZT~(z z5N-{QViJi1=}2rrtbGev_Sx+~>zxT!onGmpa(}m^*m!MqZ8Y$(dG z&=qQu|LQ7jK!PiSNX}orT8UpkVFXji`r00Ksu*DMZLgwQCzlOb(rIVIvmih$bPO8R z;20FPX_=-ySeA1u(;JSb6UvX~a@tl)#kIebp<`T4!@;#`Br2PC(Q)!)A$;B-QCm`j z$-w~dokIOb>3f#oruF^<;~9Bz4i$`UqR~ZMSTni0DpGJ^=uQC_C-v>B)N%RtGS$84 za|AG9cYvAdCX30OpN8Rg z)Oi;C|6_s|kL=wW%(VzN>Z`G^McXkU?ebECe@y!;wq(%w`$Yb(6vvW9w2rK27Hx0F zC3+l%Y@ewW*u$doNa_DDG`v@%HFvIp(Q#CA1`ItmZ*Y7qAdpG&R~z>T&9_?!+o7;2 z+igUnYi-VFKC82vCeMn5`#!mKAT}J=x8_yZfLId)5+|t9;;(u+Q`z0O<`h7UMX1i< zr+n!k2yQOMpkRAcCLRT1D;mzzYK7q>O+LnxGB9P6;_-TBCGe3v8T&!>XJmIsrre6y z7(8{om0D8aWX2BelD)5Pm|h`DFOW&KL;zOF8>A;5Gi(Db026JgJnkA0Z zH4X<2`-(k74AD>i8rUMCvlA`@|NEFv4+;KZg9C7}I}a2lD4+^Kw2Va;0cx=1*NLQU zZhcrQtCkLYa5Z&=y*6}myyKF}zDwt_E+=`)_=cSW2+U2Tzsa&e6g$rAVetEEKSv5r z+@~XGbbo0*jmC+{Xe*I0OZu!UmXaTk>GvI@dE&Sjdg0=m6cLr|`15U}{b^2rb5uNW zjwHk0!GN;Tg#L$^`a?Gh!=I-BO_;<6RmE1{UN4oR7L7Y#c9(&4U~IS}-1W z^>=Z^!B;wSWzFxb>5g8ld5G_Euu?Lwbi*0i6w9J*WaE(6lwG8ZG(g>j}>Y zf1c}pA)#>O%AlnS?w(lA>FYTzd))CU3BjU|UFW!ZGUc~zGS!HtFOWCi+J-Ye6Nh8V z?cB(vqmFBfESUwk{!my^7Ou1rCeQrj%!6)F)_uFdWEg2s5Y{lefU;=y_&Ql z0<$n8QuHHOL1}TjEyDBT;6E&X)aHXI$dR#!ZpH(qOj5n#l@`>NT9MWQq2h8!q6HJf zCNi4BvVX_%G4}ClJ$UHehH)|V?#9P{APZZCa3iA;nqM&ju@W2MpqO@wTb_`&-!bX2 zvKt;mcY#KZMhUMNDY0-n{-rfHiB&B_6Sg(qN|3rgqE>s0QaMXPBb~1;eidC-8R~0V zl19K%8p5BO1YQH`ftglDTw6Yz%K@`L@or=;_*5Q+f&M2SqLC^VntE+3)#LI%ZN=9- zp%9mH#pe3R+6!k7FHG2?+19$5{qPLOi^&=awFqbmjrb8XP$uA0vfMA7ILPxpM*YSP zfLW~{+#(T1#ZLeuK-|CkL#7*Y$s`fXXxQnaWIv(13VCY9xP8^pd`-?MW8zF2$#vrg zcZEr>;e8ku>Ytm*+$q)3Bq=Wjj_Y0e&^u$$W|U)lHJc8g$^o%8cq=604Z}KsRTGLQ%Hot~5wwRI?{2QfcT10)#d-bsw@ zeZWitZ$Ad=>Cwo6y#-Sms~*-lubFPScKtJkKUf4o?qqO!Uv2Nw?eO7Z7Q9x6hb6!{}RV ze3%)msyt2Vp7I|FG!N9=nt~cWqb}j2xM-AEd~(7@HoWP}Nh!Vb|83ApywN>037Pi8 z6k47Tkxh;Co(xO8^+zQ2FH2F`3OT6U9oG1iKdYj4)omM}ay9*oa^5EPQ)AbztrVz* zWNF-k78ttWGb`3L=}BsGeg`-4K!_i`KtkLxOpck(lwI<%GM-Kh@1I*UC3>#1YEyTN 
zK0+*Ir?>CK)NzcDhiE&?Xlb&(rco0j@%b!F>*e(XT1tYAq50FZsWX*}$jmSPXRQLU zZr_oV^=~eY@24bOXwY=gAXkd3vpNO-+&lL=I@5yufVm}=IGfiWg)V+d0?Y7*>1#I9 z?Fs?td_1qmtfQKW{Oh3JG1)X1A!oaaLF6cx*uQ5pmV#Wf>Ph^+WBV1W|NiKoYJ-kxhs}12cQ{f`XYdHGXyX*Ga>0F$^$v8G!LlW$t!lH7^5(cUyEfEG{ zUY6pM>cDrb#?vG4!IXk6Ji!Ee)F5_AgOx;h2*S|^C2>i{m+{!9RXleOg1Lc$IyW;~ z;OGYq%sr=9S>09}!5%!ghN;5uVqH{e^eW4%Qs=h0$vIM#1YWOD6G|kRbg58<< z$QKKOnA7GSnt4mmPZW@^iyDWJ3}|+jtqo*-9DCkA9W^{}$CRbR2u%M>GJ(;cb)l0a4~so$ zIxq+PujnNkMULKa!iYalSaxeLD+St~ce=N8_CNb_oR;bo5l*38{Y@(tyiu?}_yg*aOJW?f~&_2R~)NQF%hSBRt5@{2amZPP^ z06=*z)rH#NwL&f9&Edk1_{%twlixYk{6Dw8&j+~%OEzRfd{5k>V-!L3`7U%-cgK$k5X0fQ+Fs{j6OUS>>8wWO!k$V zx`>vc{-1gJM1vKe;~I;h@}e-9hoIe-jFd|K55XarURFWff^ecN#>7fWEo4q`T6V0w z)YzaFV*unny)EwYdTBI)=gBqTzQsN-MY_}e;?kq|!@X-88}V~ZTRN|e3^1K3mY=MUJk?s{ zUMz>u@CLHJGo6X)t6$<(zY@on=1UEGs|54^uQ zK3{CTyPxrmTqGnEn}-b3zxjt|oVk{PQAK1~Ca6|T9$!7BflN&kYNBKUCtUf*(S77M zvExEEuWn@m9|_l&MsTLy(ccBG?$` z#s-qmn?w$)U+8E$61I6+)v*?5iU`WS-Y5m+14@vO0Yvw=yuR!VK$4N= z+OcYv_6{$GP)?t44oO-lr|&FjB3I#}>+X@-myt>BaJ_#M-W8Zm3)iQR6#frLR>L)4 zahOUsUKMmnhldy?GmF(aoZ>?fNOx_0?Cvh#9%u<9ttU_obzZ`9zCJysCxaQJC@zn~l^LBJXD9-a z@B1|D8sM}d?>f|KRmwrF%IlDI@+YN+09ZH&2sr}SQD}v~Xx{D_N*64~sA%x7jS7Cr4B-5j%l#VGkgb#?o2MbM#O!j96#?J;e%Oqh^3kPiYxVm zwI{2u^O|Sou>m>l_fm2ft`MHZFxfeV#`Eu$wlWFLNuOEMbh0aXEY{u2Z`)ZF>QvDR z1ZP->C99E9GSmkjUk!QV3LLXGkjqCtCtkxlmuG)5$IpQKgMFl(^%MA|9~Y}I-~JN+ ze0u>4u|R?-FnJPxwE=jg*tlMd6mgEP)YN%3==um(a#xzS?r5r2dBI-ASrV5DG2|n6 zHfBQK=h8cSynkZL{`BRs2Yb4SLu00cAo_&1i@tA|Ox@%t1Vm6bw}*X0SpEt3Oj=d0 z0m<35v7=+3=vz}VR}A;Nll9RHe(pj~VL;+U zZ>S7_`g;Z^y`kBmy9C$WAOEFmplSgoe6J9dP;4E4YTSt^*a1o}iWWAOn}r+PxdlSg z3hZtb<`B>BQN^J!LE5GiPRhAwjIOdn(gKibyxL_4ZKf_`PKoLR{bd)O1vXR@@CGx3 zn|FEBZguM~YOr)DPW%U~Ab{mKkET=KX|-KY>vrR+uykiEHxXXLTifSeq`|8T7c!+!eih`f zCWe)U;t1d7*cYRfig=oLl(?C9h;3G$gW|qH^hIFyV`(?qV! 
z`$!|;A^L4Vx(~Tvi=$`GTvuq9P8iOr*fa5;5l+9Y@1ys`CO5Gf;L*P1TU2ED5hNf$zL1Q+Wj zBiOUxv#~yNE~)1LH#g^lOepOH@}!Em66Htmr!2a7i529iN8GDj)dDb=3k8UnN!U#f zz*h@904c_-Eue&>Nmf=^#)7v0*3YD1UK~Bx9|# zJ<@xif-cpJm~&(ZD@7sd8G&$c@bQ?GLhp#MC?s~wuW$=xN9C#RZG;-fcbM)O3W`CDGX9(|ULE^R4;DksTZ6QH%)%4mfEyd}r4@BL zR5_SF zeTXNrWwNo#84v4hX>+!)6j$7u;is{ZFEsZ24<63IwfO$I8Xg!Tw|wnNM{k8lXT%n~ zz(vKKanC7VS~V1NwvAkyPgAfp?ck+=uL3pjOKJas8a>shv`1BaU4$dbvnzU42Sadg z_rsj4O5U#UyzPfG;7OvZzOHc0K9Xd#iy(^1*(WfsfV&~l5EDS*?;J$JY3CKglD0yb z!n^CJ)8p}zaGg-@UVS1oof$Zvg1_Omf+DC$3`U8akanOAGACR-sCB2-J3+4B{?o%YGdtYvmR|f^&`93b%o)KOryjw*vPoF6{%js z%voav?^v@UrY~#SflPkf;qpR#K{WiMHEP}xC+OTUW*q+zx64ZNNTs4;K=1A#oCTfF zmnLRxV3(pe=2@-zy}2O%IaJQb#^JGYudEy1F0L;9G8g^EB^0`gq}}{-mVOWYz(2Z|ACSnjn3rXhs5u=?5Gf4U46&$Q6M<-`omXJcsTBM4skPy*Uw| zCN2X<)Qf=;P{Cs+5Y^EzH%xy8ASfG)xcP;0~;@5W0SFP!&=G^A*hwiqslg z<3?32l)0KzFoJ}BIB%ZI$_nalD{7I05{(z(C$6~SJsC3Qyb<{Vf$B@1qG${D8F zKD>8MJnG)I6kYBCvs**Jw_Lt|*akc=MP|gy(BrjcQsZ*}-K(~j%DP=`G~wvnx5CCd zcKj2=`OXFC?TVdD&HMR28K;58-Fw8I00hKaYNT&T9UjF?u)H&N&Yv zMF6*qPFhG|nCeq}s-~wGBYO6cGrZ6>DRo!isToP^kjJr_F?A(;0X+_4#J(Gdy->i4 z2aer~(1cJt9UxIBi^OQu;lW=lcs1n2R!PsxW6r>F|D>*NAp_b1y}HzxqaxoSajCws zocLS7VV-wt!gIhIVSu`+l`F^XQh`Djo*g~O)MsC6wDn{{OJAQ;>6o`v}_!0BMsa6ew`tpYG{kxfZETamV zhoq#5A=jWx@d$RW00L)c>>b64?=5z1A`g4%jP$kLNgiOep6(CZ>KBsF4Y&oy z3wU>>EBH+;1izE?t3*8tJHoU!-ZLD7c<(x8?ZGEVq?s$K=DI?Uw|@$OVV3wIQ6pVA_2t*^&fyR zwEr7abzALT(d|S}#r+Y0K+=fut{YaQy^TODnt*$&h;w&GAr!h0m_>~@mU}_DVAE{o zR}Cf6>~R@YLS)x8qqPaQG1*?;9rFxkd7=dcrv`W6rz!~wRKP0Xt@!k^x{C4XmKfhv z4s>dB_6+CWm@BxdKo!JF$W;xv8yRd8T9-wn6L2<7uqvV`LINl@sh<2Yp0v=-!qQ?Q zs@xqw*S=|yCZNOsDkgQBPCyMTL!sIF8;Q;-DT=pTwLL8E4av<%Ti>M=AYL7%MY3yr zcL4PIPrTegquOkj$~e=$lA}Eb!Z)ZL@p1?z75Fx(KIb6C8@e>_%hIH33{aCOxT2QT zkHSA*o;r`8T1?B+GM^IaDVb2Wwr^8RgEx;^?m8%sb<+GDC)m+8&}%8}X)07_E^8}= zlQ@8u5Sp4F^xO()AifW2Oij=6J^u|9hEz*T78Ecj02a@tZA&ry%<>|(b0T9G1uo;5n*TBk-*=ni%me>+09H@}BcRbF{w+AQxyuHTf`V!m@wf6)o~ z=z`ibY2BYS9nurKQOZ21eg=szQYU$8`&Y;_!j0DtGPA;#y7}k)l1HcH{8MzHIy)nm z*kW;~KfY?AfCWsdM{`!)-r=vT20U00>3M~qTDz> 
zPEG&;JP$5Hl?HV-@+j4I)*Am}ETIp!K(x&kHro_R8%9uVCfueJB2@$+#J^R}%-F5l zG~VUeKj0RPi1b80*bI8x%rBcdEv_4T|0}R%xuKyF{k3gyrfhds7lo%=2Bek1VQuR# z`qb9__ZKoas_A`FRZm2UqKCEqHsJVJ!YZj!gZ@`L zJX@f=Tv$7+pQ7^2rr6;W-_mQ_-!`pFt4kGGo2Ey3YVTA(8TY#oQnr>aqQTn};`kPm zTfrbZy>Y}FwL7cTl<%qQKwD(N*hyChuo~`W!ZR?R^iSKLmD8Vk5br)z4aN=HFmpKS z8jq><_d7Ba3*IT^16?lpMf*tMB;z&J{0YRITTkK?$D>96QRW>_G4ZQcAG*>Ve_Lml z8W9(dAAJ3j^?wuaz|jA~t;P)dQlPskc)6&P5zoJ=Z2McaBVnbU*mepbQeFuUh_lfAtM5A_JLq^_Bo3x*DiGvN%z;H;$qx3M@ za|pjgh0CE;?v97zJmBPmQA=C7W{>UtkCg9QR$N1`HrybP_-8PdhtUr zqotlw?Go@@Cy-js0wQ1_QP9Yb`>1F8O@$!`uoPau{zYbHbUhtfG*Q`L4z9?W=lm2{q-Am^&vDXGh; za0_-FQmaDldGrd#a-z~;F)W}t)uwQ!fgYf9>!0S_g3==sf`F@+Z$L?Ms}X~)(5rx<`OU-&hg%S&T+TI^FvV4r<=!koH463M9Uw+A>V_NHZ;ravmZ{feau^eYH-;}HObixF;ntR3DC;^I%)(b7f)|dQi8WbJ+4hhsV80p!Y0s-upiJN27m@$nR zT~05-?JT|;WD(-5k!X#>3hCt8z#Ab7m}TuegF-QqH@rQi7Y_i(Ny8m!Fw-=d0}qGp1;LoumRDYZYWRiACcIhUb6=A)V|}9A>;5i% zm4WJ*<=BicZ*N`j~2#xc#q z8`F4QqKkBB2%TX*KJME4fg$Y4?$EGZ5;2N>cPF`_WE)osbrMUKEmHgC01VQ3fBIOm z#8p}CWcF|k> zzl(j1Ae?+{J%I4MKN;vGEP(R!)TzU;?AgvQafw7ZhC#|d@8kaD{tAn2kJOECBK$Ot zK@CU)dM2*?966gX$9()UvyCY&vPDin28xuhzq5@ZI-{k2S(^`2xU^~Is3sEKc(UyC zRSIgKO5Kgus=@q<_?t5}UVk`DC^mezYlYk7)oWfN$x&-c3e17KE)%gLQ`u(8j2ra} zdQKwZa~4|9o#$jDH~JQV{xdiD4Z}uDwtJQwn>IbIGqxtS+8g$taaK;ko+DB*7D5)_ z^oB+e8a`ySL2ty8b^5c7Gpy=4z-R$M89)Yc6jlT6*O@H&{1(_+#4YFwouKO(->OSC83;}VMC1?Q%RxHSkbjp-sww|pkmusD&4pxpiLiK z2BUI*k!xfFRn4QFBc+VbIm(Zv!y0NM@)$zDmAS;ptc4ipP>n- zwcCg`=WyRBJ$cCxSACx`BTTGFWu;2&HnN^LHb97jMA;J9puku9Q`HamlfFDb-sLGZ zhup9)?CDTvUR)AiBwV6lA6?a96pL)C;DY+uTWBV&@(G2m)5KNXEf@EWi+f1kzA|JTjg~8ae-Gp7yt2pdLr_ zeD9(84E?1{sQ6v8FY?c_nqrQ=2FPz0-(nhS5}{2ezJzJ==_R-J7+sIvs~b(7JS$%j=DxNFxMdmB5lGs78{Pg+g` zxPq`^L=({pUOLieUeFYx;I}$JBJLPPs6R3E3jL=5X=PfNIz~5ViGKG7WkC)|P{CK_v{EiuTe8;qc@<;V|3}%!;kb9cUx59c6+0a#g z;P3hqfMUwj$|HYMsx->ogVdKQ-B4xSb1vTzdO2nK*$5vq>)Q^?DxsaS<<3lH+^^gR zF51#LumP<F=F=m_(NT?jx;ti|#pQ)Z_tA?!LtyOy0Lk3aS`(|5 
zHnDs-WS!PT$l;IuL;_L1hZZ+!HXxA(xJ1oZh|z8(L?Se%Pv7r2Rh&iA03`&goQYV>+c0@}BQ$I}`&?lEP_!bO>oSS#FG@W?zdKHr5-g`u9b)78&yNeDj71$fB z?Em#bf(7s!;06vt2TVHfq@|Ejnr0j z(iCc!H85IH6tci3hes6;=H!cdAHB>)0|0yTQ$Un#a!}+<0rX1HNe@pGtew0Cqmb=! znW4)BgRcZaJc=y`9v}inV5lb46eng*?wRf;`!AHo=B}(uD}u`N)JJj(8A^Y#ft5;a zazR-<;Gm(QhhYw6dw1;cIus0(@`*VG=F}~aUy7K8dT>2(Ym7p9%0l62^G@jeFZ=j! zA>k+VC51(&0sU$r`Z}pT3?~wOVO!>i>^nYJGhuDO{cGuh7es&sM0q%9kCBSr0>j71 z^5u~~5{uh!e$V@S1420&BxHj(nhzYuQN2RQ%^9ZTE; z?5o(K?sUZN5IgBtEVsf;LOW&Q08mpX?Q&!17>VV7M!1U)N{?AR#u4W9*jy6Z6i^9# zDPBIts-sc%w1SkN|0`pU4gNUl!dcmy&fU^%{q_~$H zQxN;|)`oY|OEJAXf8fiOwY(gvf^ERDUjXiS6uR#o3H`va#DX8Q??J#vR9HQw*v(tx z9v8{W2){h4I41m`Lr=v)Aldw3I=<;=Q)_Q&#DK$wE0sebd|)+tQ-Mm@qHQRXr&kl%05@{zE^r#dA=>YfRNPSo@$=syTLt8dmRRJ+1VtYb)#qX@ z`gKKGW4@YbpV&UY&4t?%*WR7hMs8u~tG<LoP~<_nfn;Jk z1npc==OxGVe<&kbsD}s|B|PZK#jUT4t0uj3aYQdlZ{k~qVWSysGK8EFVJ2clMQvv2QCrf z#oS9#nhXO|s(qAC;j^-J6OmRtNP->PiuAXQh5Y7_W^h7uG zFzAWm4^Vo*pEhVg8y(nh=tsA9AIPw&C`CQ^%c=s!!)I3zAV=lQKy;&tu~GrgOZ0YA zJHt`^&)S}eP97_uzZ(a{sc!HKxA~!#qs)WRygc`PeM2ag!;<|46Z0DBHgkzqs5ZAX z^)#vmTFn^&7NIf2MjBvaQ?hbA#$AtWg4I?A$&9~}KZF4lxDjLcd+0$k&G9~ImjFbnFgTm101&Pg@ z(E0?3Y7%}Nm_Aqtk%Mgzjx%jgqLJqhr8sGcD_u)?{xp2P`qD@=sQ#|$%j)B&XCe%( zcy&ZNZ1E^ZtjO5}30CZ0hMB!!Z}auYxP#df8=s=V3$~=M2H~|arY#C`&akSs<_XOc zOW}ka5pl(NYPysO+t`~^B&M62m83I{faF7>6HhILJWS#jy?&H48K|lSy8$DsEj!On zG&PYYxM3RNoIl7Lp!Y6O>SI8Q&yNp$R@3D_a|Jo1SDo~l_tC70GVUV@B*AAlE;m?D z#vN&gyAI__%0_D$`8R>J8_W$FJIy80nSBqu50w$m1Rh9GWUVsc7Ki6sx_QJC#$%yV z%_G7-Tp_aqni^$1L1|IO@AAJ&bWCFW+CNvBk+w@m9|+-%xjF3-LoVFo8I`478n!R? 
z9t37Q4#DlveuiX=-c5h5$xZ0y@i`~XIB<(zSlLx`+^fhNrV1dF`CrfCUP;bNC{J|L zj29heKt%+HR5PWSbcjZgvk+4Jy_yRpvtv{_Fwli~rWA1@6$|?8=WoI1=%wyN89=9d zv3<{}o!^`O>*&2!623VxGXlX^$o?sW*TNh=TyyY@CG|tDYqg!UVXucxZz}6623<;1 zoKAs<;U%Q$r!Pofqjw{dEQ6$M#|Xld_dWPbm3fFucshAjrrVD2@IgN+VkzZ$;5mo1TzcL41351gg`2`2cfrPM?=5Htz(;ax5~wlxot;Q`BskdPnz0A zO&yv>kY-JMiilm@fB&py%tw5a#IGTwJD+S!GdI838fi(ykjT@W=Y{(!Sy&^Gj@jDi&ldA z*w7Un_Rp3TRW*DZBaxJU3G9K@@fr~G+|V(R{rL|SdCYF7@4E>*Ev9OlRU(c03GmEb zoAqlyn9rhWF6Q8L?Nd+~M>R?8#h*Khd%$w>$Qsc)ypz!d*rB3mZB{l-g8hruilYk% zNgW(om$xH&8(+m;6>33v4gr<|PA>*zl<_ab;OW6Zs<8rUUfpHL7ILTH%)yH@urQ@%Nb)KHhb-GPe>pwO zH{jhK>@b`K^z}p0RSksm>o`W+U~xw8#Gh~ugFrYKX9><|NeU5>fe2hFCGb%A46+QVKZ{N>i5-G^g;l^NPT~u zWKwuUJy+_{MrE`*8dvzf`t|;Mo)55QABih`VAdh?j?9D%7x*^Q^?Xn9#n@9xCr0*3 zO-~q^QnhqtzBruwEw9^&FW07oWVMww+FEpGaIaJhg3os6thl!2SMS5=>3@)xgLW$j z$#;31M*_V`)B_@L&%@%zGG0u( z{@@_XBuWxL`WUAAtNG1Cr;l!b0OfUQ!65D8RS|l6IZ%LmeP3Gn5+b7~tjdo!on7;= z1*m;35_VUamasNQ#qE!43^CIjr|LcWId4=d)aVYeMWURqIoFXATaftn+YOn>RtpaU z&DWF+g@X*_$QHk}A%)gW<@Fkr?T z_PtMRg)TkmB4=k(ri;K3i1}q(p> z%Tt0RS1;*8z*N^BKW-)NVUOsp?}7m_P`72QU3XgC`~)HFw5Y!CT_MStRU}_s1t2Wo z7CgR&^R{1DNz*!LSw%Wx5Tp6;jKKTwwO z_m|Y;b$V_qeo&(E4<`6Ps8~sxkC3YC5W^wxHxC+z_pYpe^J zaIktsUrEs2AyBFEwHtxWj&ag#Iee6Pem8)xL&KSq$$MeSE)zY3E0c>>wVyn$eyc%-P64C!;cZ>&RQ|QXHCwk3~%^S|;Vs5reL0FAjJDgnUz{X2Wv~PaJg8 z#0gj&b?2eP*=`UrR7l={RZ`~<%{NI9!d?3t?L6UaKz|0$s0*-KB(y<-HI0cBifxr0 zkJFGgW*F2ULX#xh8IL_XJ?()a&H4RPk!oT-z}OCipDHmDJ}w@Dm_e7_xmM-_aZ{EW zq7xW(3DGyP0iq%0lKX3*e8N^`(yPCY)H(VHtLIt<`{uRSlQ7Cw=vV1i(Gsq}(PnuJ zuYsR?CEgPQ6Oe~>p_NEpoO4XAf2^u3 zBE%%^O^T*9eZ>cSyrXPpr~b0Aoo)VFD5r&dvG~ohsz&tMRT@yzEsR@I6mA?a-)&Bz zyr%HK#PAZv@6rLmyIl$uzLzr)nw%yy0A)r7?0U&gjyy#+wpc$;%r_HHg@vL)kQ2KH z#*H#fG)JT)sPnCZsT%f4`)$+f3Qz{x6IQWup%N6BYN%a&rFRLmyOjKijjv?K4n#d5 zJKMc`$;QS7-NYkTRACl^m$UXRf0bROe^`Ky|JD^86n+203!1Z#VLztxZ^l)tuR&8) z$|@T4!*t*>G_uU&>~?M^*67xxeecao2EWXN z8ey!Zj?>#)Js{b*SKyZ6TeMv$jHLH>B&f$GHF_B$QDErn#3bWI1&z}J!RvpFDDpP5 zFWX2MUh_D2ZJ}kh9%c>g&PeMe=DSfbZWg70G){22cP4KZ0;H(yB+3BAQk`vHb 
z)v}c+U8~Rbga>Y?ICD<+jAEB|F+Q*`Kc2gvt&e54G3AWn`SoKGi~PlZ(mnIF4XUBQ zzU<*M;sBbHZa!}GD-F{GK5Ku`IJemq2zyHif=kSbh?3#{E$*e8$J`7(>jEM)M80}= zEXi?l+&YM?Ifx|Yv8APA)=haW?}Ad9X=ghDreKh?+-mbY+Heg5FJnI9^$R3^==5@t z#kMh$d-15KP?uf&2!(ddJg*kzHaPWurx^8xb{oWwmcv3^3O(TBdN>G z_Z%rC)@$zzUx~EjMfKS0bFb^_f@>E0Zf09*^m_|XH^zs)!OxAKr2&L)^m-t858kL= zv?Ubtpo>giw53F@?l4=Q1Eqhu#PB#$2K6FWCW)Ds(GUL3P#ykboAxLC6iOzU+6Q8s zvgPINV`!s%*GB_ZzHPIC0!b3+LoGALWMnAsYpSZ##;(+_4=KQy{ddjGsl@6&V z4BX}4%?|ivb)F3=YqFJWQ2?^m#H=4U*|BT^glA!>8{B*#!D=>pJXw>*7amh8wG;78 zhEa)%Rt>xtO45hzN-ftY)})Y<)dDX-=6dMOHTwH%IHS(BhpfxE{V}JfsoegP%qt5x z7tt}ublr(au!~|)W0BBAnXC6X+g7A5rY!7uY6bSbvS8X8Q5LD9-4&oQ5|7j&Y{5vC zQ5MW*5WNW*Df&YFXFn-roqUojtVP;DH5bD@gQim@=g@R!_|jYNNiMdYXfXCc-Y3>@ zZ=*0vP6Y>O^Pe|674i2bAPPK2G^ajSs*h09IaAaOOQ|W#qUEc(1WWQvehW$3^6!e) zP}`MJ!F-C1A$s~`qL10BjY^`s>&{Q`tMVpr+|{Xp5K3^i@7-*DEql|vzcf=u=g zH=?qFdYX4qBk82DZYJUj(zqm2id2--Ia-4_9eW6*tNv{crwF}8pL3efELb+dF27K; zT2_X`1e`%ab~+ce?;^pF?T0xYqy=7B$uQQ`1nqv-S6?S=;e-rI6R4O5q7^4ng1qkjeXcq;wA4xCZfXY)i?MT+I13y} zwYTl6QBkN8I9fB(44wGt`5fOC_ud&RgTI%zmeKqN)h+t^{HgS1z_2JQk*6;VM@xwE zv#{6;=(vgGRaItVvnc-kx0kyp3w~@g*zCcXoNMnct@=QYEf^BW4Z)zBj=~F}pPuT0 zoF_Jt1FN*T5$DQItBygT9&q-z>;*h)pJC;r69DKG@NxEj!$@=JQ=z(bBkCQV?i7be z6RWoAxJ!SVRV5L6==i1#WwZPR9-{kKB!8Jxrqfzv@{Qe)ndDEwSB@E~?d=9PRP&ym zQ^TZ|Ob65(U>`K!!tJcGfr7aOGZQ}gwwOs&!_^qpHr{GfnW!;)dHHITcE0VLgCPht zDb`dvQRoBtbGHSje@WM?6{HmDYnPyrJ@r|A%=H-E^y$P-J6k|t-Y*2;Rm|^yOD^I@ z^8AL#xEk4o#TG1CeG6#Lr6#BNL)F@NdN#fGbnaB*A494Di!lr8PiuwVo1pN$vTXwG z(w0Gk_sBOxBi3giDm69bjb?wr;7(HR0=AoeocMf+uI1OJC^p>%ET7T`e03}$yab}SK2Z0MmfX0lb*Nya92{s<65gWeLhzl7 zp(<6_bKi%K^1|u=Vu812z~@OnYiA?H)R;4jN33M>_T%Uk{alD+u@spI`6cTRAUBL} zsCf6IOeQdaklZ$wQQ7J;Cj=kFpQ~Mf#Pk(*Zf-2(qF!tB=}(YKU_O)ePQ{lwVg7k4 z$5OvBKU+2k|Uri;`z;w1NuU+WORyLJHR{lL4x7BLPH4>4!MZ=1Fu`8_m`_;Mz#=P1eQugWxRMeA?&w{X{Gy5;5oR|(9v;yZ~%HIUK@6g_thbVhSEYu=5-QgnCetd zNy%x#CdsCWH6RHE4yf7|M#E2Yav}N(z^)=8KcZXW&T+P+JfXz$ERv~bgUbS_a@(Gp zRWA|l{a$dtn0ryX)tp@%6(vh^rnB>HV5&7LDp%5eY06W?L?BAT&o{A|IjU}34NN1V 
zpu2jZwUCLi5M)^?#d@8)YstvJtLhYnk?1#JAg~9k8Ibc(smy)wq0zPn*A_F5x@KK+ z1L7L#L~+8Fyb8t75LUMf1S5U?DJM7s|VOalRuk-fhTKd?u9sU>%+e zlxbjymt#4$mnDdvXvEH+mJ?1Kv`J2Q!X!?XBt}Y4)1`-MD3dlG-V)`3Kbaf@04SC(KdysCEviZ%tM#z?^3*-*|JO!!fbs=%N z6_z2gB$0auT8S{a4l`|UiJrk(@7}T2yTGKHFXey4n)cF9`Bc$Lz0BV91t( zcXdPS^bo0!W|;pYmbP1{M#4x{nVQ`L*8(TPYLGv(Q;{vXAb`3YRf+2%bMl76@hvw&y@m6gKGSpMW$S9j5Hg;Q$x0?T0U6JWo zO7#3fzlcxNx?wV+F!obboJ+iybh*%#q35}POV)SO>3x@6(&TONc?WVkI<>XZi zd$vftYeQ0D|S@(w3WhRb|bl}yMVpCBLf6!Z8W8suOmH9Z&f{c!9DjWGf}{bo4S0c<9C zXOBB&e+=+a_0&Uc#<&EtcO;#R1abV-Kkuxnj?#51>uq~{LJf_V$B0cQpc9< z145kVIU2=Cwr8U62uh1G1~n;|h@gfHO17$PrYo8<+i_oh0{1eo_hh^j;LuQV2Z@UG z`7D%Io_M}Jv(J~nmXMXiqr1umGh{{ty8<`-PrNhMbUq~TrCb>;-?SIFM8xGX+c8nk zV2(D9r)CKl4A8G$7FD1m>q+M;UYp)no^ZNAg}(8~d#-%8VJo1M67VUB;frN^6*v?E zG#p>dLK#V*t5@`YS9LlUA1k{#XBv3e|#3 zP2=ZA#NR~CyZAIeNeENm7@mkYDNT?<=>SWEmVbzdKaM?*bIPpM&CH17sDX~{t= zA0A|o5y#j%XPhs2o%jV_epYT<@zCd46~7ztw6lRIXLAyc^=lj_VJV=oi?{*lMpcB- zotKnxI}&C5Cl&Z10zzHczhCRCD8nLxl z4el=A1Ibn|iYvbMbXTZ_l|%3;3fg@g{mw!v$75vZLrc;;-Lwns`;;JpKZUdl*S>!a zwD)t;)T4`{C1xT{=dKj)7CTOzcJ`<{VwTXJChSIZbY#|&$4U>3R9bs(CFyaJ!ZV11 z`1y@xB&04~j;*Vmc?k%~N(*Q&s_QDAOTM0xjVu6#ObfJ57(0yoVbtr2a|jCJ%_|hm zfCDkV(2T}_e%anwrM{o9%6}-H+VIN<_dP3aiuKRkz6+<+yELE2DwXFI6$(4OXxdeF zylr^7LMDS7GI4)ORuZp;ciSE>&29UJ*Yp?Q$v{xWKs^%SR3Y+X4F6E+rrXCW{wxbe z=1>sl5BHZft`9{mYCYGNmUSZ5l(5-WMv7RHTal4X%f0AT-vT6w6q6b}<#k=ZUPyzp z5)%^tTNYztNfX2#{FBvR;XO&f8v6bKHLbvl(4a2qkuvHLFv!b5aXJ-|W%E9YvGo}SUiy@$<2N!;ql8}|cE_U(3*(WKmxQ$0$s zUh^b9an!ksYOA&2@i%B3Jp~Z3R&Z)erBNI-q!pq!O^F0hwKDXdra}5f+RHU`&7a>N zkWRlcTC~6#gRrnS21~@|9en}oZD_aek} zEfRS=1PNE;nHJpcf8EA~==LmP0xn516wtFCkp8aavv=JxDb{)1p()#= zV*L1}duv=vf9$@GaYQ{DqfdGl_=Z-_{7Nuka-QGtg^DDDfGQxF@{D;8es)gXC>PI( znawU2c*(eSEv)!1CNYe6c8QJ6yjXTeOM4M}c0*;|L8}X=Z&*@o!K-;cc|{j=q54Sv z3N&t~0Pbmkf@aeHxi#Jto1qj< z>=k0Pkofuxj<2eE83L_F!z1LQLQm^MDlFZTD!QkaE-Fj8+f6rz0+4 zN{Y)+dOmyY4S_$d*)9rIyYs4I;ld&=4Yu_bZRX6p`Db$tPb0~Gq-@U? 
zp(58ib-Pi==2o2ZX9E|ShH_F#A?^ybNL8G6k-M*2sfPYF4PAtX^W=CV`}qey`!}FQ z%7pkk>SGGq^MzabqRW9@8=fB?GM?f?$aL+W=i-es5t{*JFCHMa zNw20|2qXGa1F=AKPX$JHB~`^oSU|&=3zZP3A1wj%rC1)e)Fp*RR5r(&(?wveIvF{$ z7%?esIY0PrqN^Fj@#lkq6M(s}+}|a?*soDbY3SSS0vALn?DL?ZeGJg5U=iJ9_iFH& zS#)u9D4{wT;)c*vBwz(dypqv8yixM=O;}KH9)#UcLId#_~D1;hRcZ2h|s8ij%DbQAW<&0*fy9Xu& zwDONMT2@X375x7`;An(${`E9J#7$n%;W0CPVIW8#Aue^X$ZqtKTHxAVuhbPX95U9AGdn;`Jhw-bNHO&9TMdWEf{YI%?V028NESR#1X;g#C+I7FC=Cu4G`_zn#(rHp zYn`ecW(*&b%g}gqm*Nl-CcHl7&)MoN8-Qm-DY@LX8^F$2=*Pe^p+iws55m{iCDf%) z1GoPkpf&eSbJhWaAy+MaOn8ILARGDdsy~MzoS-@5#HL}ZxLD+*Xdn}nt2G>4?DYmK zX%j#puF`QTp7AT^tl~Podm3yHd;FaHIzpwGU+_&flZuUY68c$uo?HsbddRk$X|~UN z5KB@#IIychYk!jew?h2l>2ay;bz9k!eEsx|3q57v)z7AQ*%80#cMeP<8c&@igWBz2 zuz}W_eBJo8$$#>J=_q%x&yFC%j>zPefQf)>bX8UKf|^9gk3Fw8(2ykTEx+_*SoOvm z!InleY<EL8?*^NkOtZTbJ!Qj-)UXv#E|snkmk$Ek?%c^B=J;0vk4HL%MU+ zumA=R0Y4UtDvYU1v*jO-OlF_LPb!y2ZOCu!G56Zooi#xn?xNNeiU4q-^G8%BKtC%e zbF5Ckv$BoT@YXTmK8_9zcLT`_=$oW3qAu%EERl-oO+@0G4uCFB2;s9UaAO>Eq_`*Y8e3$cplSS(UP2b*@*S=kKheEW*e!?M zF5i?ATFjDQiwDs`w%WJccd`3^6M8dKV2vVqqEtl!?!$UWDtBuIrdZTfJ?sCY;MA(N zQ=z-EY43t}7O9c?w((ukAGGeyLCpS-h2Yk*~ ziKM$O)cD8p7pyAYJV_QmhoIdP;bri2<3o!iW2&~LsUW;CH-zUJ-TFV0?5HSu&MwM` z$X#Wsa8D3cU5|b@IbUoDwe1f>%I#NOp@Y#M}%M)yxd(#$itV6W3Su4DC&W2HgO<|lT z>xbN70K^NN8KRG|I0NB4Gu=Kc3(5)J$xP%ZA>v~!JX^>E8HOXiyP8RmlSsz^3?Y&9 zjevcJhz4bjn#@8dUb)o<=e+Lahu+6GO23cbeTpcM@dRBLkIf$QdsK?yf3E}VMAVMl z8>F#N7Rc%&ei60s-5jb171HR*4=SX7;0eMHrt{&y(RL#eyh)t-r-|+WH*)R1G?uI~ zhs{(kBsp|-DGH+&h3awZvQ<@VpL=lUI&Ti>*-QsG5)DjZSV=pMxze`I3rn+XeF%wd0+);R8mZY z-Oq#;Ja@U7;N5d#@^Y$?Yr=^w0)J9OW#x=M*rZQK8Fst# zf*DN?Gq_|b<0)9Qp@Q?LXfq=omV(na9`%O1Wa5;TS-4!ou?Qsl>ANOq*8TGmiOPu| z1OhWMN;syeaQ#WHBGB5wW9RSkf5BjcJd216ZUr0ARjV5z9!0&1KeEqOG7w#37?22Q z^Q`i&6f8!v@kaf@))i6&w3Zb#oCX#_#p83E^wY1w2abH1wOL8@*Qad1^NbMJ5A$&^ zpHEA#(EWRRA*1Yb$q8`saknu5P5R+GoW)2H&AIt@$T z;?GrnJ5#M>eDwau&}vv-8}b1hgOLZ55(MTmmoQ54WfR3C{@IHBMO`u7j^Je~aIStZ z%D5ZT0ynESWkA(hsIHjbnRFX{AwYIf*w*yq7VT(`C#qafoovX~W=;k?BFtyJ)W=!4 
zy6$@cs>ym+ad@qd2#GN@BwB>quAB%v?e%cHe&hTEThlTyDMq+Qqvb_(K2UKhFf5sR za!H&>A!GdeNzACB<$F*)JCFr93tlPHe$*co=kAxITq82spgZD5a_Ebvk_E7e%hzheKC$ z?=VC#96pi|tkA)4&HJ$0G}u$k;fOFJ^kO`+SWT^?)2*5W#mZ%7JVCzd+QmAXs)g=x z@gz+2A2A82Mf`x8XcSE%*N7yQ+rk&-R zsr(Jt{h6s4LbZ~W4_ld%K%zn@7Qo7kU(D+s7#n}*c{Rrag4MLM&C|6GPwD$60jNm5 zVkVlP4WSn~)Zm^JKii55%lFn@?VipLtcvcmk(W6IA`AmYnY@8>FK-dulR}08bV_M= za+bAuWs`my z$u>Su`ZNxUF2Q6#BpAQiil)X=^OC{~7siwk&});=PO5u_7dYYjB>|}-FY#7T$y}L* zmnN@YV+(Y$706XeUIlvJO6heM#o@o^EuHcy;w{-4l{74T8<;UlU~=w5apnc7?z`Ld zMeuvrv6W^Ytfcs@fD4CBNreckHY(qwC~>A1R4qeL`PqQ==8VnU%k!{!U^6Jg^6{6> zoV0Sd=S8}B&_U39@ysF*xrNv8-i<{XZ$haip#fmYH#Fi=)FR1ywnN%~txWMF2KyFbYzwo9#0TwbX?N4dbza!Ku zQ0{yN*r`W#^s8puG9jkATOQ{$%Z5aM($2T$fI|i#kvZ?d*r}ks8bvu0rXDr;;&HRv z%GiU1{4JnymbfIEQlWgyGZ6C<@XI4;zh@S5i7vfW0lb{Ia38Aa8#{{M*sb&(4pp1n((%Zg8=baH zv-`7R5l||`mOufDVW*&+;%eH8wy-V9yS@;sSOz<_Gn=f{>Kpu)WV`DBfTgZ@^XZ*( z&sduWm!S@m1D`Kzc6Cc}1=vqfb_nofvt*?f(neVBth>kLm6+8MkEFqYZFdc}CE0%q zIad7W$~4-A5>D}wi^_~=)L1%Kt)7z|5?}L$`tph|OeYR8wqB@eN4~=|=y{cS^CG^w z)3icm%zzjKkvn3XoVina-U-%N|VA#R>v}LGCAg&`vLK>{m`HIs4XnCAH2uv__4L33VobB2&-^ zbmHZNzlc5{(LqGeZ&JqDCj&V2M(CE6LuCSynTwH?UFcJc0(K$=6S-*q`c$mx6<;choXKGrMy{}?-bsUuTjmynyAe_E4>NNAF1q7r zmCpE8jWnFvGy>j~AxIO&xR{M``rPD+)>!oehmp@mdfJV$2hMBPyZ4m3Wnu&sCH>>? 
zL^2QzlO+H@BS2rc-r}GT1KEd>$L^w8K`;+urFvdjr1L5(dm)l^Lvu}k{cFxCj7Iw_ zS*ujye|6)VISKi?YDN-rRGvkR@|LuOEH8@%lc zmr?XDowdw_%ra;I_P7dAWqW8Lww@dyE|dc6A7TiAuxq8w0)H1dQ4S_^efPDQC$9XpY#-SfSia|~yLemmyo zQ+QhA6+G0_aSOZd1mV7VG)O$LiqjSOlwha4nb`yc_J+Zo5V$ST2E}Z46y4O<62zg+ z_6uddsBdQ1M$_G)^GfjaS8t*FP1j0oW3hP3#au)?s0ZsX_lUoA=}n(_@X+IW*x(}= zG)lG81g}sZ4F4dOW2(jL{<(Q8JRWq1P?swfv)e_< zN=pC%Z~|Q)BSQ;o`&q?TyTXL7E{us~P2vAbMg~z9F?D*@w8`(RK&MiqDS)15fp*SY z&65Etty-7LgliMlP{C`*a21Ej*5NN#N&K~Yz_U~ortIYy6~e^DXU`J@SaWxAn6P~q zH-C-PZ57;@DkzInbkP3CDu3!1a#W92^w1*N(Dk4Prs>%#wL8v!46gG_5$850lnYe1 zfR#jeM;Q}LV{#h!&PwK>Ko%+EY{wu*H@w9W5r6O_Tr5-eEs)p(HWprlz5Y^s6yR~Q ziV1MdVrwif=Gc+meoZ`8Ygn@deLZtPL2)^zG6SVcs=!XKq(0SFud$^N2cVtr9n_!* zoyHJZKO~f$XEMDTEJeE0Lf`bL?87GIK5*~JrdQ!hK)OWNa}&(hrrwAe0>v18R~cI( z6RVNry(03-xBpH)LyUyEX(g)v33aPL`N5VyKRGGz$mU=~kze-hyHSMU^^Z%xahW7o zJpX6SA;!ol!yxWC*i@nb$NOHtUy>H7Zb%{aR(knpzAcP-^@O}8+x=zfSuvMMNyX`J zB@t7Qr}kS1ZD6xaAIH6{y9n!&=En9ld=7MjYfFXTgZN_z)Il1f|2_l@4=2Kecvmi~ zUN;hHVh8kS@RYS!6X{`#Om?P_r<7rZ#Gkc!yqL^O>%gpMRf+@?WZiYGo0>`RCOFDY z5*NP+x8IdT`qjM#sQp3rRyr%vvQ|}c*AoLV5^XDlYii=}8ya6^vKwxu)Z*pgH}%5H z8KQR4N>3L~UHYy{yij)h+(P-?7NLGIVpYe&Yev#6>Ohe28bHUX>AySZ-|)ApzpN76 zYjOxvmQH6DA>1`3xOP8lAV_Q8KUR0)W4)m?K(f~vYut+&%tp3YKIs@0C|!NA+IY>+ z8c%9u6P+5P;gstgm&`_X_6&|+Vx2l2b7Qwii3AyVTn}~x$G6r~`*usitSwZT%!ps8 zz_}aWQh|6%rVxSl!@fgZ|B4^U)$eEpM6pAzfgF-OfXw1SeM4}q#RP{@Fv@7h6?;tE zQR&ZFMN=kY?r{a7 zdsU~Ws|C$3=+NqzJWgAC8Z>1m`wk{e%wHv^;`+V>dx&Zm}Wn=U6fHG7>>|sLy!?ZOSO) z$c*_7K88yP%457r;>PXUG-UN-Wxj-eKdBTQK6ZGGSkUKoT|OcRIE)hzkOn3O#&|vR zO$eLQTdbRnGy6;0u{9iwdf+GJ~8J-_&<7vr5bE12ELiqKr{1#tYttt#n z&@I2n@9uQb>@{Kr(p9A_(oSi_|HP}gTv?BRCeP{dbmjk7`dA}F*fa|g0=Mx5rD+Y| zK8&ak)w=1lb^Otgndhw#YLSu^o6GI?m7zb&pNRl{z*^RQr3#-eCpZlXZZR zsgWSE)Bp=&8=z)mzq0mQxZ|OX#4RzG>(yan85E=oO97xt7(4+o{w^bU!uGNCrjHqS z%|kl>506^)MauzR@doX^$0dj|lr?DzVH$hhaG2{n z*ROo%^wZUX7~m(-cpRTRnQo`WQD>5H({{_1##-_MZ{kAj?lLw}fr1|W5L0uoIwn9^W{A+87+!j{w$2{=9d4$ zF(tp>Q{$lNiLA@|H?lXVmWRp7B0YBKv~ZH~Irb1s;?)THEoBc5fDKM6&*^g@_6UaA 
z8MCT@%y{Ca>1%`2k8lI|V;wtYOA^@%o=nf3<}NlmWePYSXDDsk#&RO*+*aXwE&3ua zFQo(QB?-5LFVtW%7O{@@*M~B${<&W+_hdF{$lf)&6#*tvV4K1?UodB-x~WLmU%sz& z2DsJZOE=jYG;WRd1R^p_JZ0r=MVv3< zNtX4u{WMh~b=|#~$f8?9{6&w0DDCXCuU!10w-a${ks&a6Iv%z=<71R)&TN(%U}(Aa zUK%j2Fa8tW%nje4@-8*F%tQGFM}rJmZP;Ks%*>1AVyqrjB=C?=1of>g?3BR6dRYEv zW@XaVw`in74A$-Dk>W2{E0KP#;eeHuF;Zv?*+$%AwO_!Z_*k=Or@Pi6rh&H*1l-Dj zP*mcyr^VL_t@M2g1BNWy)-(Q>1@fqU$p}wtGt%B{ypRTmtQ;{>j{SV!G7IX$&upT z=6)fZ>mu1V7nQC3ahc9Sh~O?1uNRAcg)T>ODFXYuKabN9 z<}tPR+Icz846|$fgIMALO!CMmvuatPnJcLCTX>6 z9VY$61{xyGb3Es9pc52lQ7XJ2rJIe!Zk(grxcr zOAyDu%%LeUOAl+Q)0ccV|0IpV#8vuXDBYQ$Ijl^9{oGqGU+3x;6`+?WBOmHkLjAt7 zFQ=q3(2T>~)?9%!Ubetgi+Ieqv@mzMfRQhg5s=~V$nY3j>z7#J)}`yYgb(dgL1kqU z-N@kBCbt!o6k)co6guphCZl-&?bp@9JDLx~BR&T3?wQ%)&_2>ll1F;vN~h2tCaSgP zLsDa$?rzTo(j3-)NrcN&%lLT~exw$n^StOtU7bXO%PiV?$R z;>bH>OZ9^z>SpRcr#DiNonqGiA)uAl(rGzP{!FznyEo2Kn6Z5cj$>`kxk*Rd{i_Ir zNd6xhiSoFMj8z*`PFY%vZ! z@ESHxBB;3cAkyTyC$fw#!S|Q3SyqRd{rXr3Hj1 zbK;Mrh0a`cVB8_#;Cfh`vkx4702CmmUCuLcgli!g{1G4Af;5F%cjX^?kH^xv>Ml@V zc(FLJEUIR1SQEI~m%~-$LV5FzAJn(36~h14d~WL{w)yWIK#v4QnhD&xHm~WNZK44Y z`c!vbhW$bdla8S!xo|0wjeFl#2Wks{N=fI!?N90@dTr)7UFtc}S?HlTZ{C8uieo&a zjipVHC1#2Tg{PVhk@o`Ih`j;XOOoPE2cNc7hwZ`P>Iwumq9?>Bs3aq%Q*gSORrn9?B5i z)DK>{@o3laV?#)8GyjITZ{(~RM{@WEwq(XZK2uRb2nA9@xjBe~cNHH6K#Ze<_WOjX zF)2Ci0ul;>3VShjTMHT3dGAQ0BL3%fRdc)pp`Kz#wC=}OmuV9PhvJHysWeqiZR@uP{X5)Q@; zQcUi`eYJ8>!WGTGE(V-W zL+AwVECVj4y^Q>v_b=W?u_=Hxi!lC*3Mspa7_I~;=>F!3lUZbM`}d3fy8;)z>Oo&Z zlzVfC{!0@QLK|BdC)Sgum%L4krOba+7o-eLA0P4ih&@!}Kfy7;O|IFR01R}c>pg~NPwILvi1k<4{M6dyZLo}wJB@q&--ggk`7x50qR zZ0lA01RwiE7@{^|EF+mt+L^q0j4y25ip3Fw7`&!0bRA~ij=5mN89dads`rxpDm6Rx zFenLL4(duOUXmJxDbO{x+Z|H$)M$4Y(-cZ9M%Rg;jl|XZ7+aWy=*3m{B3zczG}(w1 z7AP%E)efLVIx|eC=6y2#XTVDU#)2dWF?l(*c&(0<6~M}Wsd5F@G!*K-Rsey%?T5pXCF$HCPybF)EyQS9$bKTDXJZ@fvz(c zXjA|~*4n<0*w(yz@qc`iPw#@=@S%a?n9L~zoy z9`4z25PThDpN1DyNR(-C1bYjKbJq4x=T-vcA z0I4Zm-dGx_L4TgLv%s~dAjaYH?=s&JZEL@$yp)`BpQlVgPT*LPfYvFC0-UU5k0KaE 
z$o1HVxoZKIikS>t2+~P9W(O!-*^78x1{;PYMOVAn#LfQURBQQ{2N-#x8p{yn2q1*r%)E`yse?E=^@OkgkDkZvVE&$RE?0!*YRWi)m0Ia6=FD?5&)@F~=Y)t>ixD{Zw6T0%2;CUTocK&hVeO1Ok zz#16lD2+g2YAlq;8t}z^YMbR@&bJw z_Z_nsdqP*IlVAo;6XVTr>gDNv^3^bgCrwOlqZqNM8TpuIJTJE*t2zFIzyV@IF8H!o zChEZ4Zz$P=`B@nIHL`3$T^Bc5D${^u9siGIbEl6pIinl%63UM7(;QzJF_S$!z!Zux zN0Mv!qp0Q2oq1ei=*}$%2ZaQ#>Of(Kk+{AE%J+$~2ZqX+^_l7?*CL`YwzBTR136TH5gE@H_-GRTra6?-lNo=<^Nnte;i`a7QIi`WXW(z znTmO~42sozljYJQdTQN+IyLWMvjZ^D?0Q=-W1^xQlR4z~KC~Heb>XU4Jrjd)m2s;cwaMyB zgw&*1$D20-$}H0Ypk0OU&a+WHWu@K>6I3)ni6{-jk22w%LaP}DO=o`-yU4;4%7?(pJLr#8R){9MMAX>7Qzf3g%eO!|zv?Z{%f`yz+HZATB-QsNAtxDYvvXyEW zH3V|QI&guVPihbQp$NII(w1kH^vxH76m~yFI~OxNMikf}0Prx;4)Qp%GU3WlCBuUI zh35v+T4|NoZYb$mvJs!ib|)b_tbx zW5q64qRV>Ap4Ul4=&Ff-j%uB556x%fgS@M0J^@s#mbx`u{Xid8-%t*9!#xk$90WTQ zm~5$Pq9fs$@tV0XiS`u%c;qWvS=PR95(oBSTfU0Yc1ha8JnAxZ9kAuGf62gJ&-vtB z4|-YdrSB4K;rF%A3=f9neGJSW!Ql=QtspZBtOsjeT@4Em1xq!pdqjQ=6+7h@lM)|w z6-5`HRsEWX^HW@#C=;Ef5OXpk@^-Ts4L68lkrIl-ZWcE?l>JYdmjmF8G!t-e2)dcT z-N_>YVpUa5zlvO`Oy4&=dwH6@&Y7>uMumy8+Pk6BF~0M&@icERWTxk8Q$qc}mH{=4`&oqPDyj>-TnZ8l zMhG$;((_Io(*NGeTU-_dY~MhIf@g&n=+Q2E(CmMqZYJysDy8H4NaYt1ltDrsJSHsD zO5!EhFaruM%JN|E%DC6dUM>_fwn4}kBidv0C5DpPqWghl3vds1+VCNyloiI}$xG_>Y*$Ncad2uFnqN%NCOf2$ILb?I)69x}C zyNAy?z)w2X`s2+0{--(o@Gy$$1y2Ld=t`hUk)EE6-U=D{W@f#dp8(nRJSwF*4+Pmj zJbk`snt*H%SrTA`Y7fy&m^sUl)SM@xTL&5Q8a@WY>y?DAKVzAD_3e>u{>sxa_7)f! 
zZj}A5s08YXfGR-zSmh%)$UR;RS+S%Z#w~w%vG#MF=HDi|bAbu9?fdRFvP-`@>k0@g zvhK(Os!S)URr#NSd%_>$nqR(eD(Z;#5SFRWn;d$PJ0zl#r*rVyidqcxo^`uS<5M~~ zk+1*i%!v)TpX!mW>Y(z4b&dCRzRhOq856;|{a3yZn`^@yi|2O)G%xE>&T7;WG3Hux2>V%b zS>la0_7@c}Of2l7^*dXz+Hi-kpU?AUgUac&_qTRSL(Rg`8-4ersI-Nlu(jyE)1_=F z^Ij9nQao!F#>*FNNs2Y;HmXKjsj;Sv zUHuBS(oAAs{ZAAo9L$id&@2l70H82?%K!Ks^;jG*UNJZ^h`0^UeV_gPzvXs?52pD&#cM;M&(S34b+o%P^O4u~xNd zFWPmsR?oMV0QV=>s&VGz=gnMbuGrU?U=^A`hb zXyeDhE;LSe*&7JI?oDa^N4Tf6F1Grb(K&OOc34(kfx;?2pOYuc(LnGb6y4o+&HnpU zR`5%CgUu(hLWzX?Mg$}a)7Nqg&}y`UrL+0IkzP}FyYpLtOqmxmRl-g<3_I08>Wa&q z!?uw~z&E)3J$J*ro7e0C^)ZKgyc~O`d|+n3Un2|1EgU_k_9Z-n=zTRRr+dV^4qi;R z1VF-FC|BZ6`r#}#kOmE#i=a!^2^LwJ4IZe?UmN5`qY(!#1qy8v3;SOt+C%KNAOZ64 zCmBXuR0=Dj57cabLK(~pMF3P;TQZ4o<7N<5c_`mS^zmrs;AQHldP(thqFa!gld_80-ZMy}Q zy^DHZ%Dk;F4BOKqBoj&kM7FI)VGFp=pnprFknN-$4`XgEC6Ch%Rw7Wf8c0L^Khy-9 z08F#)xhV#ZF5WW0AsrXjDE`YEeD^gc4Rs^GDazk3NP!i6=I2Gog_x5%q=j%Bw~Y4+ zIU~&f1+wPVwSXfc83Ge0nuLvO`MQqksZB<|&yRk5pM*O#wBbHT@Yt3xgyiKDA*IXn z#(z0rzza$uy2%+IujttD2C+r9AOlY62qQ>2b*1quD+nq^9`9C)f7@lbrLzu5LUlg* zOp?sM0lj+Jp?rD>;ICI|%Z-MUJ{#y2jm!$QFObf+-5lK8VdO4EQ9Q9B4Mi})ERc&@ zFHNzedrF)`GK#%aNAd+FAujQoj~lHZjNjS7wvEqLIlG-{oE`e&_XbXeAydwD?^zmx z6`IAI_+?(wK>w*?dv!~f9bR$dO-9YZinxCg6$K&4tFw-3`gpgk{LXfy5S-NoqWJNi zV56L>!B4fuJk-J6=|Brtd|Fajl}ak6fj8yin>hnPy$7$TKdznNorf{ng1y3f#`Gb& z@NspzVj4%GdmPW~*ZUjR2_6^K38GpWdaP@oQkR6-q5L&S<>8lo!xR}cdMtv5!tibn^(03KX8w&&6|jWL;Uf4kYSQQ9xp z38f9r)(OL^h!b?O_@|hVs+`JI0lE^ELQg0KKT{!d>9rfm;WVcwD!`SekNGC?0p%^E zrhsw)vN9AyxKxtUIOUk8Q}zF5*JNgzk_NxE>obN9DB(+}b# zCO-;zCpkq`Pp3(!rb)431iFj}x=E~+SHYeR-rR~m@eeveDX(*qvp|I~2);F2 z&z0X|TrzYlA=GmY{moas35*j~56t`H2Du?K$Ut>+1xOB9JzXvsv3j84xLDjcxUuGc zAy=<*7LNcSf~*k+tsZ6Y>Q!Pv4Bro~)pqm7cdu_24!|QthbxOy_^8ZOc`W)t`-xT> zpy4}20`yM=oP-E1wwi&!cfhUdOb-5~2xFq?R`;HmYa&Xj_j%;;27WZ%ir>o-<_7bE z_SvpaZww=YqLxY^EGZ3%osg1i^AKeF=dV4=qvfP@3Ww)U4qt9k9$$?ke)^sBmxtrF zvzmdv#|eJ^-9~bflLP2a?{VIlz_?~aS+xp(_}@QWp%2`94~%eD8tg~XdVenlN*Qo9 z(KdXHPe=yH8nv;XDL8lcR+M0l2@J%3TmKCZD#NJ~+3~fH2**M5fcSkyYc{!i^6*_G 
z0PUR6SwO+pOg}TqaDbE7r8{EKz z?>0m47AK2FMOS8Yo$KYKmabCcI;vUs!VMK4vL>BXk(NT>=B_P}QO5f3tJg}I;@Ps% zPIB$@7%HvwYme$o;bYWps` zF@xqlLE}}M^7VU){r9uDnp39dI_mn`o8wP?RCC)SZH*q`bZwV@-nGWq^&hdw9SO@t zN^|aI)uUB(VneYZnhW#aZsODbdLfMQ^Q=p)=2|($RiJ-Xb_B&&-3@gF$Y@5CN&}Cg z=l3Q<3*W(}WD~njhzmyJyXXn-*FPD^ud%yi(jvm?{zFWOwaB*Ec}@<;v-1xEn$CmEKgk4+&o2k;(+#k&GmLW{+EnS{mLuG zXw9axF@Tn-y#FZU*wm*OG3d-k;hT@G9dhFGjt@xHDTqZdj-i z#lA^{)_zYcfu91)bt-&+)diG{+|J)R_sHkl7;>=)q2BgefY0+(grELyL>3CfexY$1 zV(i1@aC0lf60lA)>Hd6aL)l}_Dtw1yFWMVu(QpjpLUe41!LZgqT?FLH8|+jqIx?d= zZwB<0e;#ce#0ZQ|LQA4jAvuX9{x{;gocN6kws zgz2n1Iq7cyzhfBOW}C)F?7q;yb}0gsD9>e~7mYTNYex z^s+3@j%FVjmzC2{b4V_{w!g~t+Oijjg0vZX-uA7`wO}0LpdWtd$ z2&Z~k6b%>lR_A0Vd|xpcR*fWub@ue*=z7ki!i(rQH~~7`a1U@EUx;0BTK#_AQkT@$$`{YAV2$9nZ^mDfKn&>#21dRxWck(1dUo+dKQM|nuoeQ(BBGZi zom-VBG+pbXaOG~kLja+xBW}cwN)ooYm&h0#8YX;O@m%+|RXJ9BWw_t?7f^kYqzs&{ zy)aWpKJ3to*k5r*$(yfdTvF185L_%_N|K=BD|xVN37NlS*p%^KC;7 zv5(UNo_z7o{DVM&v_pqo`xH^RwI9t0iFl116rC0zZL^pb?)9b(csOd!zFD_H#vM6Y z!kzHeMH-Lhn%{3T)<;09FA|KxBxvnJZCJ{$jf$X~P>`&NT&dw;?mDl;IU)=`?Dr%}y8rjo-b+W6(aw7En~w8t#ng~xsRU_rMD?R97t^qdG7uhl08WjEg=SJ`=AsrL zI9=t4{Pz)At5n+UBlrZG!E~`2+$UrwUpGA09#yi#t8Zs!4QZDlC{?Dvw4W0c0E0Fb zsW9g&%eZ9zv!B)^L6yz@gHo8H+xC%sZ5q~VX063-ZYk)}-=mxrEP5N>xhO8C(WDA3 zvh4ZG)Y(0;ASu#ea;xo2YzYq}R_jO9AmGtGjTeztBS}lxhOZ zfv!WaNIc>#-k~WFmia%bv~#}UqT2iQ5JDfkvg zBr*D$A)$;~3;U<$Pz-&BYI{ zqD}t;M-K1sv5!5OCeEQzLeua2zEu69kvP2AxZ5{vJ_(l#*cKAe*&7Sx zP_xxmfjm=({~}*CDCAi%WSJ~QRQT&MzMti5tMb*5ZA#j^ZJyx6T(@nGVApk9e*zkr zoLoa2yXI$`i6t_)aDF~N ztP#_@`z^3MbG71Y$9fur5fbwom~ZMm6hOEx4D4cr7j1g|Ll-R~3gt&mN2v`*Y#P|` zuBT42xRD^4@Qq=)RL*ev~V?3vn4@JQn++zg;9t zPpE`vG8{iqRY;j_5Y6dWZ$9zscjt2cX}t!ZQIP|{EbBh|fO-O=plE0f;wO|M&209H z2Yi>wn0_)yU&PVXp+aT!o8Nr#%WMSiLY-2ut+1u6O5m5T4)D+^oHCyIstR=)KJ?4B zy0qZ~vCHQIdhQExAx80-`u4TJ9Y#Bizsy7XJMBW++R%T|?t@uQ&%@`3JpT#gqkJP! 
z9cxZDJa8H%!DagsysEJ=x=LnPed-ms;2J6Vh$MS#Zno~T*o{@w!47Wbt`fMJKZ`y7 z#e^^@&T+#kDyI28{|_ZZdJBTQiTYpg)ZXOt197A=rdlkV*r^U^Rq7xu8tj}m8gzD< zIK*H1g|nXcVX`)o0G2-)Xy%# zxCD`te5iwcYu>8dJ;u1`5~|4WG4P_j;llT$Hfembms9aJi70c5^exeUS*+x9u6PyN zjy`X(KmuH@kB@qy>Ax0}01%I+n+H202~)sg)^p57rjT+YvGYfWBf<~I6wxK#jNP4?xo1(@y|)6(XXoAn!L8wyFMCSex7=JM}doekTP z)^|N=;=M>{@+7g3mq|}K0@O&3oNTQ7xzvge;?wke> zzS4R#859Xy4upZfQTJR3FI}Qi<8F8Ca}38Y1vr?mVk0eU;N{Z{I10o(Wf!-Jq!jSG zKzyYfz`7H0V%Wv6M{pK%K*0QTo89-p$@i>jKtq!6$%r9Y#I>rkB?E&j1YcGyMdhpv!s1~fK!F_X4ya+Pb}w~vQr?rlZLg~KIrOd{ z`1^te0H?Y_6avO`d6+2*_SWfj1z>1iebDFiQo#ilFxyZi*%zxCUPEXP_ei($oPP+8 zi+7KlJBUbs0$_q>_IN7*Yis5hiUndlQU($KQ5*BqztU4j1g#hy2>ZkULD3O)*a%wQ zJ~d~x3lwgZQgIHJY@Xw*oYNw4ZN&W^MXw&JoHF84qla(T z4W}J|;&$US)F#krk1X#kN~B&bR>-;Gs4AF5S~oM`$>_OSo}v+O!FaLqDX^oWTcU6N1A(&xVK(I&p= zH6Ly_B@!Wa7x-xb77JJ@qpfS(l5@#TsxclCq`^+Nd6+!h-NX@_5?o;)4x}8xY*q7= z59_p}Jd9nlC1qQ3$nVin}pGTk$YS0?zk<8rkTC(_q_FP$O(G%7pUuaQYfNlzP~ zFPgpOxM@4m@`h!`fUG!^sPox-GMJ~AkL}=oXl2Lb-}yXE@4J&Y(7)4(V#|E1Sdh28 zkD4no<{%kvk0fYF?IQ>%4*RR^q1s_N&zLPH@ZMiE*VQb!n*zF&_PJ&kqoiDX=`yi^ zb2YkWgBYE=+w#g1n7pOQxkyu7(!JRF!?g{^fSdk#QY$vRNQ>efsWx8WQz2#C88|HU z3_Nfn-tW}oSAlqT6bIuRy7)Q&ZiEj@Bu!e;#@$%R$P-V=>Id?3;)}s~UGge)bM%Md z0=W>qe<^FHk7okoHxcCX;d^ah+)&nvyx0&CK3RQEScZAftg}p__V(XS+jU{o2u}=y z?bk*74i7Z2+cs^bUEjLXe^)~2&$vGRjTDPO6P1JxM2A1SMF=})Ie8Z%Bto@e~2tS;*AWdD*P>iFmQV_=gv1Sqe9$r_w zOEB!zAuh&tZ!?HR{aP1kw$_Fc(XXx!G&<&zPlOfTxC+ZFMni1JtrG{M{d`$lMhoR4 zvW;OaZ3DqZI&-pdJLIz1>WCh9w4&?9a0ZN%q@uQNaM(eX&;OL>qhsP6u?CSv_X&3E zUhe!b79no{lhA3%fE?)$GAbOSvPg%M37@6UEfF!F#>VL;6!KW~x*Wt3}=@tYe0KRI-*npG4gE<41i$VWv4ofe$oBKV9 z*l6D~1cC40PVyBBax1l-`u95SCOybc&r6i#h8O@V-@s=5PELEsNmi!}d8NbH5x5aJ zj`i+vpBVXwjr#$+Cs1R!I%cB5-K~;5Xg5<8eU^1!PRH5e?SNx0-YzkYRH z`ge;PRjZas!ZoLEtbR90?$t?<%+|Pxb6DX(bFW77%MDNKq0cq(wUKbWpwg&H0p`w7ZDVRgUZ5G_2nnryhrD=if3hxB9v`{>m3i*t}? 
zE4LL~#ztC3ya@x-x#j`9V$pDjY84eduoEkY81yi2jtX-bv~r4qGdjVB`>e(g3*Y&Z zpn`Tm4rcfGQdbMX{)A|5ybA87KL-!`X_p<=1K|Tgh9)iMiBBSPgpBb*U3^(H+KzB@ z^-;wF$DB>Vz3$O^v2=N!Kd())eL|}qk1XOZ^Qqn-ED)b1dxb3#`<8rV)l5d|YN^g%-32B&xgCkV)2^;XcyuA^4p*iZ`bVQB#o z#picrW^dYOkgWU~IUfPKhDjRCx%0(yQrQ=8i3zC2`cicmafdT@keH|k*I%InTNd;G z-F!`g71{F`r4TPm0)Rqho$xA>Nf^GcUdHegaQR?(aYxD>t2{Zt9}ta z5lm^2`RLXtirh&o{sa&t2!CAgKZ68_ZTN)>tr(`0({MBW06f=yh#Fc3O9S+Fc(<5! z@P44lP79roZu@m*j@$qgxRYX2?6wd`CH(mfHul37TOj26u2zx^=`$B#B!IBji!_df zRU9#{9#A~&L#^j0IkUzw*4;kWM*1L~B;^#P=n*&cV|Gt`#^sQ{*^Cv}cQD2e<~S#T(%ovgq+hsr%WHGbHWF zJ-088_=w4O61tB+q%eEXR5oi%UX8R>SkKwMl8uI^+(JRkHp1Ztjj^_VBLHbw>~v{4 zCZ(-I^T~p7y~TD&n~MYUr`pE-@0|Sfq_sMmpu=cPsHV|SRlZftL!fzXcH{ta;#(z! zKaMxrnU269JJ6_ARZ0u~g6lEb+q}MJ7kuz`Zddk%4GEEUa}!GaE?8U0&MQjVeqSg& zPv`*(rz&5JaF~3kY+HF$Z`KD}_G5!fR4Dnn+yD@h^U(kF3VFxsg4r@9Y>evb+E z=G7C=XXb#-amb@COkZ@PiPNFU@T#9Mv!95g>{_EAqmXxha)(?-JMu;8-)wX$0*tkn>^KoD=6@5`@eZqgGNJC{c-D))FfuT24Hz^$Stv88V_6?3xs)=-dBC zD!*6}af@#zOom^Uo0I+T8$p+9Sqj!169FOb=BTYkx+P$fl3&d*JsAvVGc(ReNjkOV z^Ex1Boj712c|NW_*p}mrikfQ(=CCi`{SxkJU$+`wS(qA+PFFxtVA^U9E16sdYfaeVTVSg6{hStP@>UqPwSiy66*J=a08H(UjaMc+NC4s*;80> z-%vwVuC9Un3CKLS4m^DNC61v6xO|+tuEa}s5j90p!O5l~_&0oCazAA-V9*5l-oTx{ zq&A{G#ep(MRtiRH62LkP=XS1W+@|p2YWk_s8{4pZ6R5n@GrggNXX>e|S#PnYu26ce zSX%siT&KZjrK7Um3e)kPV_VbpOojp`ZZ?kc7Xsj9^AyPa?5aboZq+H{$czKSv*pFN zV^Az@vQ|{(i*zH--=*AKzpQvcDmb$YeM#fN*$lZ_*-}XKB zxCKZ8_Q6Vgh(8r$jX47en_ipT8L&a+VbWZcTR>;WkCow_Oa@=C=LZ<>8U=j^=_4si zst<^(Nz>_3L~-9^NpTvZTV8S?KX_|?LQX_N!EtkpjO53_9qK(U&Y-Ei+-Rq(t$cEI zOA=ZQ7Tw+Cd!PJ=ahb8za{{1&Eg$<}Iu3(>4(dDf?UQA#IM6LGr*x1lT)9zHprlC? 
z4HP2SKw}sZ(|z|(cXYT^z^R9!iu@lQQ%WRw+KDi~oyUdjzH>%}x|I;9{~ zwpLu`VMEat(8s@U_=m4Gju!wfR+m;3pwf7iC2)*GnHk-&pU|u<3z$@~fCi_F7(MEK%ZyQUhqb9h+uorCw;W>e#vRV(mdSve zJK7X;b9+Pm&X}08NOokog2pks2G}K*Ip-{tQk#;_w+TZd7v=Al@nAFsx8{ZFcCxlK zOIB-YUN7s^C$!@kQJAkw^Hj-TDe2M7iCf>exFu?$Q7wa$((0M}W*4_Q;j^nqA-b$% zM$z!Gh?FbO(^sOlFa+`@ybUYP)18s}k(xYhKQh(x)f>(cU&bmq+GwPLp|YTZJlc|t zGTmKo6faZ%!>7#xt@F=9;GM1TdFoK9At9GFA6aSv`8lXcVa4s8fYzC0Ko=7zWCj3G< zgp__jv{9|x_2N|!Zd;?4%FA58e+=z%e!tGXeKyZ$-;PGqyv8nV+eqFw0wO*xKp%gIn7RCv0@H@C)kLI&sg?WyX$T!zMfyWU~a27sJuNa+m3R{LW zQOXmMsl?#+wBlrj$aBL3`90qrLs)anVBLEH6;M-pWv%OUzbm~NdfaC2yeOc+5Vm7t z=Z);;c!7zsmq$r6S4nL`x#0N?Vich4E2?K}g87=YrP7l6Mu-XrV}kBPVZ6(6SV@Yo zvX@0HU2)nnx&AZNXY-M>+`&Ho@Qa+^?cn)@?IXmea5x$~j#+zTo*tm>!AIGVLL{%sK45jHcp?9fK z*ecoC%|OO_QB?{fdUf?2RrP#GDDc5nSV*_*(L@8osOE*YQh)z^l~ra3R?GSGrap}UNKQp06FH8c@+AsuW0A$JXGgZn0BynGENuo>qdwZj4nw_ z?A=TX3v4xu+-rDruIkncKfZe#Gp6ANWEke?17UY&wj@C@GbxZ=;WLi3AChvv-Bz+P z?lSbf+4&gkcU;ok&@Zl^JH8*wZNG%x_|mlK3IAwgt)CU@#z6E!6kq>=QyFOPBeO9!; z{UtL#!!TCD0;6R@y3a#3&6&leb+6cOluQ2B{bnYEwZq{x{RXffO=o$iaK5Td29T_* zx136@wfNt@lBaXAE2&skES!l3LVwxd7r#S66nC_qm~QCwh7T7~i`q{?(%g?nwfp`5 z7DznZ5V&Mf7orR1ahJ(nC6Z(KINQh?Xmk?WGGvqAf!U(Lo?PZn$R-6M#SDnnP!4NG!}W17 zX$x&e_9TjJb0fj7t%A}{GA~|HgQ(}D${{I0Aib;82$5{)+Qrh3^!pzv?&V-eT@7rg zeWwi`&C#GLu3-Ywfg<@^fh~=*`l^{?NTz!~feiyLoqiLwpUruZNlm@mn;4@|;heDi zX$A0YH!_`0gPOPAsTa4Idq3u3J&l*TPjuSiJk<2lbR- zV77wYjtqn&k&jfH$|``J#Spd7tzoaJ;k>)wChyZmI&0i8??RUB19n%A0NC56E>%c? 
z5jh*7T==hIFBEyg{Duoq3Z2gT{X@HRT7w>`%?6IZCB3}1?y*(g4ta>>0gi&O!onch z{o+PbFW@8p7&>U`0J_9w$<47WnaC6|4Tz#^{S+D;NT+ODoUyi^sd>5D zPa50II!O>~+KP>6dKi6|8(>AJ0w=ME$p8au-AC?ochz_MumXbpE~85D8X%mgpldAW z_f3i^aO~jdJ8OF&7Tp-jcEZ{+x~o4j+W?KMH&a;c6`}p8u!&)I)Rd8tunIpNvuCFbwTzz@3xNKaq0EyXDp4+5^~hgyj$`p z8Un4_KVg;ohY=F14~>YA?0A zP1&FGzo;jQfFt5{JNz6T7+wSygg%gE?`6Jy6L-fB$nlYih{PD4cCG$M%ttW$?N$cy z1PKH=sk@BUT##A@;mJpF#KDrn&U9>&8;{B1tcY190 zw(i1HgRcoTznd=q|fnd$@RV6|Gk7(4C#97llqy^u%C2LAgLV+30y%f zxEzqcm-K!_1G6!7hVdLPFie|6q@iLgjL_1}A=1k-p3B|vkR7C!pGhT;V$S$V&QS)H z2|5B!LE^@gF5pL#MU?2>t>fYQ_X;kt^(v)b5Hf5GdB=8VJ6OtOHSM5~%Q}Hsf{h#3pzyPM-JQWl%?W-cb~J`7SX{a6x5|1J3Lod0|}Mg$$dz>0?o zJ}lf!&a^?fkON?&NHISs#E7X24B9B9+P)=bHidO4XJ@o3$Z=|~asBBYhHLNVuJU)1 zMioQ(`>L4yDK~3;8hv;(<(EI%OBk)QUjWso*BGC2=|g$Am7OSC@&s&dSl!5rY}?5^BQ!N-^jKNT@3)$&I9X`XpqCD%>l1FugpA-7#zV|QGIV>kRLP;O!Ew+nW#g1D2#}*p$ISuD6^o*B5aMHk)Xvq}0 zF}{DOWOe}u)#ZgT7%8eI6=ryF#3$1od5=HA zL=YMbFtG2DI2U&#^HJ_)PPhZqOoFtIh`~qulF3mry4Hrp%m7(}?xo5r@oF07RAeMJ zqN;?S6cD24ZNxpNTk1U!1KuL_OKC&X!NOR1VuS#$)GbLcBCoa6=$-d(c39msA$t|W z2o2Fu5$xe5GCNvyOTQ~A|Enc^3L^k~Rijon=rF-+Co1^O8^6mr%K}Tb$NpSm*6;!t zmty2rurbFE?LCf?z!G#JelUnfXhfF;tR4|eBIqhcH@EMlHn|2GtDYV=3kGD;_LG;= zh^YqGx|${q;`*MO}h(Sn9WbATDE%&3|9|8vbU4-0;OE-HO5l-IB)!D1f+OWVizkLsm z6Yd&L>y}$gDH#`zZ9j{}kf{diT7Il8+Dp?EGUsOb_jUi4(5^WfF^vt`mqky{(;((m zrBn15BSAjEw{lEQ#uNUjHvEPk1T4z9l3eTL4vZvN*@86ZJf3pe18Qy34F8bgsn=oi zneR$H@EnmzoJ#)T5AU{vk1UN(8ysBqft7SuU>$dMVeRSCUbYi01pZW zU4yVusIkH7o)OxG7StK7E%}s>^;_2=CS93wXYIl7R<9_1T>fFv>MClSR6sF3H?6;W z(Nm#Mp7wDz-WY*I$(uD|+-0h&VT5L`Ond8?)l%cqwej9zZLA8_UVPh?H zz}Rosr4w$TaSEgQh%%kfVrM~69xAz7^PR*?Ft2sNE$xBNnj_@MZOLEw!mBmqnK(Hg zSZX$`CIxY^EcH#g(R=>!h7a%=>^DnPV9=eOPMR=^$~x#}P{XSsu7muv$g$UIIG^#Q|+WYfF3 zxk%F+u)%Y%-mTEjIrV33?IDG%lJFQ3@<>6({;)8mv!Q^w%EqFPO;a4-L|l&BL~n?6 zPHRJju<7Y^$Z*PeP>J~%SW$w z6b&(Ua{vd*B4?`Erwm}H(wG-{o=l^>Opv-4FsnCLu^w9X#IWaoNLrAZsULGRQv z1?n^_+gqgJ)sbZ&8AhFEW&%hc#2Jbd^I4Udu#U6E*y>=?qAfDA42m2Kb|aKb-8z)A zSce_d1BkKOKGCydh2)=J$3hU#lQ4r&ixP%7CXI96GJ{J?BxpW|TNehg8p6X^4YsB$ 
zhv)*Z>oUpMK8FN8CV=w4%O)k_mGE-SF7r&0&=*eirPf7e&G%F+ z5%Vg{ps!l=R|fFLfE<7malApf<|HZPKX-1U3M$D2lbn#R3<~(b-HR&$)At~I`Q@#? zBs|&&f@wC_|>N_s4KjGn!gz#(N1p5!P%Qlo8sV28-;T`s66UIop*a9|BMu=C_wOG^oGYh8* zsG}x*K2)F~5tJo$OOQA}Rh)QRW2#!Bq8`q`)ceuo)Cq}HUKG{{y_a7lN9s z`LKYgz~!3hs<1P+6Vt6v!v#N_+cAYF_{6%MR4AVDSTDc*#(H;_hwk78bhb-^|yDA`gwEfEDO$a-YYmpS{N zv`=(rw#&KRkswm3vQyjMIQ{3~{3trITO`K>6TXz?@_3N@>Ttg7P*hG5p0?YnPP$^S zc`3oNR8X@XqO4+^?^8i#rD(7eQ$Zx3?0!x)8tNI{{wpvU-MK)keQ8Xir#Btom#aB^ zH0&*IPOQ8{jVlv$zf>VYd&OHi(K9gPqP2$f+mW08{;>m;*(+EUWX4C5{5k8`BrUxG zU`0>Tlr1jwuaTJ9#?J`9HNDFOmzSR^@#OBD46iRugkV22X?k%l>p3Qpu*mN?!y+<_ znP*#CilybVPK2m-uMwnX1m{y6`d^nsu(>@9XZitsU3Rrnly@vwd}12NBl>w$tJw}&Ck zc|=%&4Au(eAaW2uO)IC>!Lq@gZ>8wrCnn0&?wgVRdMh%Ue2_zE-j(Bf%{ino#Y?a& zO##Enydr5LCMAX4_H1{f3*5E+pLq}pCs5<^;|S`ISs(Roon(S0h6PjcKdN;?x0aF5 zoP`ffZv(BG6V%PpA{hT5*d}I!mEEE5B~?@t)B5<@mtF z6vzvIMyVV2zD#k)(q`0zjP-Ody%;gaNU`Vb5_J4iy6sS9-_<0>dO7a)z3I6z0yGwx zRLVp(P~zmhJu|RWi8%{eaVUFPWp9$Amt6tE^_fv;H8aWy;W-o(#GIuobeTR+(%_-q z!dxdWEYl{P&lEIcrd-T><1d&*R?+=*@s*@eqaQ;NjZ}K);(-X}C_;su9>hb-308Cw zEmY)j!<)(Tn?E$YcV)NnR{!;j-BGE5d7Usar7C#rrIsL#K!dd2S0-$9WU_p|ZbP8U zXn%O6UvAJH)7Q?uBwtL);ryk>b@ur1h?zNl%-oCZb%M<#Q4<&UKE`f1>WNTHaWWSP zW(&vp*n)%_gwF)_cWWc_6}w350@OtLFIgVe!f&(tT6J-Ujd4mP!i`N~L+k8Kq>P#J z3|kAvHM!jxY1*;gN!xVf7~W2)XRQ29~0& zx8HZhZ^uB04*scWNhbq~f!y-iE!l1N({ipKUS8-@!Qc$Z-upe(Ejt2GY$k4mD=52f^5qq|`O75ynx~j9+w;TVgTSzLdI9JAXr6)ln zk(_7w{0K--WCu}d$ix=F9agoP;rKsu9C$)@V#AAZfkl~1U))dd=DAlJ4^i~Gs z9;xc*#TpnR*{H1a`EDhFvxgX3l z{|!eeIvdaw;)UJp-p#pf6$W2bw-tKWYrQIt#Lc<{`*$b=OTL&f{TD9!g;CZs5_~0#yFA8R z0HAjaC;w@xj1UvZx%l%THqF!n;vEf(DExc}Upq8&(+YG#5o>euKP58FOg;Ml{-PAN zzIOZBEz4bNYHh7Om43`}$tQ@vb@CkEmLBJa=W`PXy|ERhVogHb&-^Jn!+!Q!xZRPO z9vy2Nr5$*sUfTzxX2OEiH}F91Z&$aKm2fsi{&qiUZSZD1taJ*i}tLn`+`O3<{!QSLdS zJ>Z)m09j`cRvRPLVF^|CvFAmB=EJI}9LuO8=htb>hX`VJp8Eq&l z5q+jHNPv*Dc;DtBvZT`+1$;Wl884S~607<)E}(-Wg_sV6hr|-t<;u_Mb<-{XjLctkRGrO?%cMx)vULTbGv(;MOhyMF=j!*1eA$6#w4n} z*Lh8&Q|qKw`JuXXTR8Z%nJLUv4jJboLv$UTL!~W&{bRSqdh-H!cbLrc8T>`D2(5-S 
zS-j|91_?YBEJ2Xw5@0~WT5>#$$nb*>JV58yP#yIRS;!?2iuul=>{@HaL3E=4YOF6D z*dfCp+)f|ok`oZ(vh71$teDj4;v?$j*sHTu%3ZH^JjID0F^5GwWotp_jEGT!MT3BZ*5k!{;THGBh48WU$I$NZ=*;3 z^{omZ8dQ_FE%~g#x2Hi8ex@JJ`e{zuq&-YLqfH&&9Rt)R23R$58eQ2sN*KX-IbRV# zLCLMFrL)W@9~W}wmto37thA*JZtnmpHL*2> z3|-f@=r{l1L@~UmB`CMG2EX=rBm-z#C{b z@|d5;K9J@2iFAus_&)NNq)Xd;!Cq-iJJE!99Ku_Jns6f~>|pPEXCb3Fc}!e2hzd8S zvoI|5gKG+y0S_N?{)C01P?lzLF{mc_Ina5Xzz&91%goq2wyw)m2|Pi73%pm68f0QK zPQWZsv)E6G}GjR-Y&!x#P_Yj0)XY*x(jm)~w!!+hXvQIeTRUQw2H9<_~O zZ~~Nfz`>J5UZeT}N&nR*fq%2~F(|{kD`5|-G05MyXzX*kfNClR&A zdSN4R-5)MM&Wa+^A_!;j3jN{kiJR@pY2pV8tUR9%(Th2JcKdygqqo#f+LyL<&arP$ z(c0i(m)-@OZ|v%$RPuv06=eJxNNsJ+#oK2e* zmJ(}qHk?;epl5z_V#P%d_MmjYtvG46%9C#e$LjFeHo+zz+s(>^bW!{VhJO?^ssqy- z2-VZ1&G#ws#m9$7ZQd^uSbE0RowG{Kr%U=*rG;rD*xLrmanhXfKvQ_cg9hS-!hHFE zJ|eZnRHk6ZEh9t6jt+UiSQR<)1Fe(m=ZAuY_woP8WrW{@)HbpM^oA;cBOL25&eV&a z#j^G@N9409`2jVz1GDop4&86zYAFl@oqR7Ua4UE7?^Hh3;4{53^7);{P7b=Jpe9b- zatR@4sAUla6s4~n5Sua~q}t}j71sqyA-t3vpR}w6Q)=VYLlT*MQTB_7Z=h-yu%1_@ zUMhf9B%AAL$>(+e)z7`Hg%4)aZ{g&7JIi9wu=jz>UtFQ&5c)j-YM4L|hk+7+= zXn{PPw*I35R(9Ki$Y$ofB#yACAZcjeA?_XY2*HuMv|3c~puh8eX zY1@LT%1@u|%{TyPFJ{ku<5BlZfR)$ju~OLIe1aJ6Bq_(+>}rVq z#TZAT)Pw*+#tuf@3dp=iMi91 zZw#5*WTcuN8~wv}4xbsuyp{G7Q}oNR2p2!qbWkNf)ThNN7WCCrThi z0vheJ%OSlYaqcq{R4t_y%l$u155Ae!NMi~f6McO_4XC3BRHn0+6i7F4R*t5is(>zs z>Yls1J?bfH;_1nCv+!@4`@^myn^fFbq@O|$m$a3yO7hj$nZ?7U?}y_bWfyg+B?wv_ zy$nRiRAy-L_Mz$3{C9K(6&K_}xMHqNB16%|ry5Kz)tJR?L9S}^ccsxgvN|>I? 
zcn9odRf;1OHzg!Lgv=>tQrd`x1S@ysTCaC{7e6__49Ysr-@f9!Z$Pt2g^w?cd`R8R z@@psC6jbI2D4b2){3z5)P+)G~pl+c+6<(!_c6mkho5fADaN=rdI;xq00yb9Av8Wa` zMW0w0Bj+bwcWmfF6RXfX2h1s*SjHq3izKM^;YanDLEsCQ(-r;QS}<3J7_O2g*LlI( z(%^RtrPMKN6kpydJyiq%)9dTWqHvA~jBOmfVS?L2-N2nw!Vu}|P=6rr84VgYR<(}2 z#5{X?<*{hY=)Y)za!$;+rgfycU>1LyS5JQEFDR?YeRoosUXq|bWR$a24b2+YddL9I zgk|JBBSyk!QAmg$s?%>U9DUIUS&&*A-^vlBOs9uYwZ7T8 ziH!HjeY&6FKU+tf3Cr$&>+}e0TK0D zUVq`?F?4&kQvoiGjk81g3{aA!Up0;(QG32_vUpbtC5{}nq+%s#ofg%$Vv4=-tHHN+ zhih*twdPbq`i#=pLx!r#0`vR&Kl>6|yi!lP-7jiCa>g@87cd2qIru4+;H4S@>{&tf&{N2=Dl~$W>cErc2(4mPsd!fBE&N`4rK$2AZ1N%eZ=H zf&J=r2sTN)w`4V6QdfgeTM=|NE`D#03$%$zv*WQ9N6c%ThHwhI*2(T&yqhB zf>IDt$PuJ8Tk*qll%urxtX#9*Q6GfrvJ>l0+cf~=1yV86mazTZOHmCA$kZ-r6pWez zHva4%Ef5;$`yH1wT4qC?Q#+5Se_CeW*QfOSOWa3jgXxxo!o?FKXz2w_#0Md)acm4$~6oH=m#+a;8IHFd0XdopygqS&DoI|;Q z&~A|qUA}_jvYUAXonztVSG1nP44nKu>2;&beCsqLFM2g7d?uNAyZd5ylcJYas`4Esexrxa*LCEi1MB~Nn*T1Py0M06H zuDqN1A)%6G6j1tSJxNAeRdo(4^>r!kP(4GnC3(|I6b6M+<7)r+%2FNpyCy4-R*$l1 zi=P6q$kBe0qiL|Gf;MiI9@)|!i^SBu%w}AOa--iXx8d+Z(qy zqhMI8s@0|(kl_q$aX9<6+A+08F$soAmp4A<8T3>C%viOXx86QB}(fd}eY+YQLBOsacCt2%k zzsamuZDu%3>8Lrl7=vs&x~)>3`ml7J5u(PYU6~lpJhJ2MvVDcj{%}@EpvDX z4qs3<;>*=Bmd*4+EwfY6BinaL5zPV4 z(w(y7t%=&0bk*k;)x=s=o9cR>V2G&vN=f)`wD?JLA;wY9E{D3D!KFY2$I%-gQ>byiG9{Wq%XdDsDJ3vh!$hH*aLIVz zf8m=@>amYUQlBR9BHUo0FU}O4$qbUyi)RdnCC>g~Bx3&Qur1R?>5>Yt2!*c)a)7d% z^*=tCnTwg6Qw1YKVBU%U2K4~9D)hw{p^Oz)8XjHk@R$TR1ou8K1>Me#AWeiY7S8Wq zt>~m!IpOT>n;PA~4*?wNu8DvFu>Ir5jQ>Uh&PUu>s7iXH>KI!u;Xaz-uBdX9?Q{%T zBHUM?4seZR-;;%<;zRhJ`r5am)(MunDg}Zc0g%%zKnbvuiOs7&{_7_$YZLsUne@fe zwQda6uDZbKT`5-%#dTBirU`7R!2wE|>gfX`+4z*n><8+`eI*cP$B8%jONjY*Cs}bK zyeY*Rd*gsxTqs8q9UPR$EICtsQVRO8tVeEFr(~qqW3;VzavsF zFNl6a{HBpSAwnikD!u^#P1qtZ!Vj%_tGwMoQQm6fMtM%~PNFg^qpAYk|Hj^S zt!38C^G0c)iynup+OSnXrfd;lIS_xf$vNynt(Sv@V`-4OQQCqZD-S_%^;pUq3Z_JCQsIC_? z;2S?cNGzYeDw*83f87ueQ0b$Z-8B+6v^=Z#mar0xSnI;I|&W5at! z)^ePcRJXS8-(JcQGe7*(1Ym%3*kDJ76XX2S5ZfQtJPbWYcTstc-=uyO*h%o;>+ zOQ9tk$n)h6mRK%d=f}^{5=0zZ(fO-?SKWBP8TzDNn!TYT{MXvWc%!7J6ZKdbeCFz! 
zXRPj>x-+PR%c{m-lMB|*fMpaBSF57xQ$-^``jPR&g(uHDrQaFO`cR^gLOR=` zfqL9XAW!&rYZKImQWCVEtb6qL1~RiLZ%%ESPdL3Av*$=f50QrWuzvd{-myFfAFb51 zlry1%mjQ7H7186r^eB+~V*Azpz$UzLqpUb39lB->3?Qw)((C{D)sC!^O8mQ zvLThGcm5(&{2^fo)yF;Zp*1+||FmuyBivxb&YRJGJ~a1`5xB0X;3)Ih1l(N z#PIiz&CsQ^XkI~XcjgkOz!#0+&Vm$7?nG4^oLgS2Af?lkT+L&n^VrSdG)}ZU?NX+Lh#*Xrm3i84c{c)MxVAv7X|RyW$rZUtfh`gkn*BIij<>O z-Rn4yK>gwdhLTu(!51Tv^Z1-nz{>jUu)1q4VMaaxG6BPIRkuadIU(UIV>fT)!0{Sf zS1!LafYD{0jAcPm0rxvnH`cUC>g4BAN;Te(szq|x%akv^Te1auw`$jL`za2ObVsoE zl8&hY1x2Er#Z*Fdg`HA;sP0#}(`dBZxhx~$M>&G`kzDDao4nll7$Hk}VQIcfO1JHE z@8ASi9DpGse!seq1st>oPhy%GYow8<%6Q83*<*H{9V`zDIur$u`I$ z&`aM~pv*2>%qnK(Y$H_k#&}XvZ1Y(y56930@1YxLjU1s)BhWW!U)eBNViMnE`fuDX zU^=Qpy6`O<5z18wp~*|#lB~sPVW$fEfe>vTteSXGD4axYev7C3O$$!Ql~J;x5TZH% z=F?yT&rVeiscdsMSzmnAY{*>v9r7&iaxwbbR6y0se43-4Ko;{N8kgTQl3G_c^!UjS z?Ix!c%@CgVWaAGKEJ;!Hd4h6ce2jJZw5{afZC{wf zb)3Ih4^{3L;+Q?I_%6=Ge(BrvTZe-66?l~OjyzS={^)~}zE`7hJxi+# zD=GyINhm)cve`Z8tq##=s>OYK@{RY0T0ry3L7cK`r1KiUCI4amO>gEnA!!8g?7}CB zku~Dt0({XcZ1eA(TD{2g+$P$k+x5C%6j5fEPq>BRF!>znL3}+mn_PzebD4cIzGsFK zAGqip`0?e|5(YKcLGg*+l~a@D_gqRt050uuJ6u1imRQs`W)$~7&Ry;cvcDNj|#mrzzY6mM+g`^jO!~4N@fN1 zuR&NnKl!T-%9j?ra3-YhFxV2DngLh;zh~skgZ&C+`Pf!D1B*}vm%&5*rSqKhu!7j= z<8f`97a2-%-j$oXoffd=V?`-HAJKnyoyB*Zlqdj(MAuG?=37Lp*BQiU6d zPt@br1kvI4Jj}M)UbH8-q~nfU++=z$i(nCn3)3RL|L<<`y`p9TsM@5v;J)69?;I3q z96HL9%6jtHlypvyg3rZNZ2%}n`Kkp4X-b|!qrl>zj3sT)+kEwg*?2`xmEZM>MX)PR zE@!qO;k}89ea&sM80QEeE0kh^4l=>!>}za)<-TJm89CMi;LQKlaUTKmK7UdxNRwyI z_i#0PZPr9%`kdBx2jU+~)zA^&ra2d1<|6Rr1LIb6-l+CvhKgmF3w( zTxsKYxh;`)bh$K~R^f=Q#V&ZI{01KC4Py#&qgyBwoP+#9OYov4ZVDn<(7I0%TY-1F z5!-Y5@$I*mgZo|=>=_ln{%s;Kbnog^7I_W+Yv-?~ff=HPeg*jAE#meDyFgIm*7zF1 z{(ANl#4=S#6yyBB0HuV`5XkoZR^=W28$uEvx3~9Ihiju>H9wKfEdE-WSlVI37D&+H zn8np;BHs(JnZkc(C<-1Ips;IgVy0*`3sY2o%rCSWW+QYE8fR)r9{p54w*38H1U2A# z*}!~$E=2-3x;-^#2Wz`>x}SKe_HG-5#!*OWon@KE$v4qCsVWvyXvPTSIBBgwmUT!# zchT`w3NvD-oAR*Q_wZDd!OZ<>=DQE^?lAC9!b0++vNwiZ{bC>~x4dUz={+$vJputZ zh|tZvA%l4EiPOaY0Bzt!!Jq68JmjWm^CA#t))ze9QlsWsiA|!pn!|$cj(upA|mA- 
zJrQ3rNei33MdcHLDWIV3eqfb=`*FCx%Jzf0&3nTg(x->|rt^$9mQ zS0inJRjcT$O9|CE&rko@8F-zx41ULaU9!j?0!u&^77Za|k(_cf`8-s~+5m%FOIYAE za6JykncKoQ088g|vWf9A8IYMWllle)fO>^>`UKV4iK^cjB-XyPEj?DUkjTX7@Q?Xf zmzaJ-J{R@?1=lJ@$2o|6;<4-18M}@FD@P4>RKXf_n@n)nNGSrA^&vNySvfdoOW#MI zCyx_UDo(M66KxN-?fns)0py{FgJ)Nxud6j{y-TDP@9DhzLLk}!N@D^m<=$88HWR!* z30EExj)w%}ElKCOY^9_(&Fm(#LRKL`GuRg$AAnr=7#<9HEL*$>Wavf{0k2L8HX z73$B4&n9q23jxLQ@oo}n8g;N|Bf!B0P=I157E zT5;IIq=9pp3jA+Bmb*s;xkuf~g}05yni(x6&OTlZDD#2vFJ08X_%cF#u)g)3@piP; zaYim)Nrc^kkmLECVQbefS7Q$eiAO8>?YXn}G~8M}Q2bKBmZ8oqi)6b_2MA`mZi4$t zzS7{n*qSm=aM}JxmWm72?k=+Ou4v_R)$ds9_ae}21M^s2-BlZV42%rB_?hWZ&w=XZ zM_ErOKW%YDMPU>Iq6r%Rl=OC3$o1z#t4{K8ZVA9$HGpLP~tJ z5WT?P)^_z^i9S0+=k;*#EE+VTNgT=43TRdMOn`;x&IY>x%!?QeA`ze4n8BcUHMZh9 zy^Hnu@OIyBnqqm{9h?iS-joAasl%x%cmX9;UKv474)jEu>4NH~COL)0`%26YebU{n z@k})&sgq|zp|c8&#$q%lHb4+Hm0=VVkpPRn8MR8_^mEj^A8H(DgksUI^SV{uX?)w^ zZ0|^F6%K#y^~nY+o*7gVk|O0uSU;w&%*OZfkzPOajm09N5{o{WIaYJWgf(kAl0OW^ zPYpCQL7(fN0t}|A$2`RBmg_lis!TZ69HGL+9(`vq4Emtog&RY_`AFl-{n-cWgZoVo z*(DlAfyZNtUsne=v1MkjVeEwG(PsWQibMy-Ff-(S=DBNpI-adMjJ(1scYZX!PYXa%+V!YhzaTkPUqy01RgE74XFA#!f_Kce1<6tAS}Ir zG%TYXso2pU>zRu@ByI8Zz8}ppQ|!H?3`5`=COLFll@bH{11{uzYpGC3v~phgz(?ij z2rew6Tu&4jz(eQ?MxZ`esLGQ-?hEOFz2gf>q4<0MH#&;dt%`M+2*@Ncw`KJn#8f*^JtTeg|Ogt=?y`AMrPZxt8(PfLSUEZ zX_xR5+7=C2NYcZennrp#F06tFt%{)hxm&F3p}xOJmj}ttB##)a`Nfn3zbq5tdFi@2 zvwLI=es!?4<3A9mkxxriOx$`=HG{Gg7kEAZtmrwAp$4lWD;NKli0>e?JWe2BFdP{m zZ)IFZev3jU+QPWkYpzEhheL+EWbo_4UR~4sLWVS;FBbSj56__l;)6Wcehi!(M${ng2;eR@FGSoS$pYCA@G2*|SakR^DU zRn|)g*giBnXTOBtH<1^?l#I|nvA8$%6RnE^8cuIMbYyO0;Y;%7SJ|IR%?2J0r%L-k_@^wcuO>r(^201Y( znHe8wF434-ah)O~@*R5T{ZQ9Sr~C$s6k)9UrRK?YxBPP1q-qL@ zu`x;Pp%-Pqe&GktT)_Ba-JR>S83{~*ijySSQmBU`WRRJ?1MlVMadM&EvdF2Iyz@Zf z)iekDTuWu|oVkc@M)yw%Jv(-TRH9qt;pl69tYg>Bz}7C!22F6t(iX4lZjuxB8?Qn+ zgy59mjN5c8_03zdfn^y$b!Ddv&+Fz!TP+i+%VQ~#o$k5N}CtLvqo3P4Cm`{fLpDJx^WeLUrqgjO|YS_%jlnl&!;=Y8+XHAZAS4A#^yPrn<&N_ z-S1zc1FkCSZW+wOvqnF|=CFj@Njd0iej0cg?cj|A&rjC0d6v}J|BbUpi7YdxSDt9G 
z2E=SPL||W8x~*wDfIM|?7`+n#w!X+mk?#ObYzy1@Sk8|ll5EtB^Q|M9T)bLdkI77! zE{G?J=FYM?ZJ7r%Yq1N`&Htx3IYUe7LZrr4knj2{Dx?;tt*qD37dB`q0$H#2*BDT8`1wNI5XOPZ z{w<`;+=*D_xaHO$5;7Fh&LsyAP9{-xs@b`eGW>w~#mI*i<_`5bCsz>9*R4Iv#p|Lk z!7dO`Au`{TxbWH1tJ;$QTr8pBiyj(o&9Wyv$X__k-d11)pmglnlR+3Q-DUM$jjx41 zm}<5VRCXt?q-6I01^2T5U(@^u`|~j9Emp{EOi)aFijDXs53z9vR($yy4aPkcRyyOp zxSy{|D^FD|5JxY6X1wYt)kI(ipnetOh7Wt;%~BCcRKx8Nt=hi8EMnsZ0bP5p@F6Go z|5?ShxHN?0Av}M>p}M9-6f>b5sD&LEw^@As;bDQ4xsj$P!nAlsue>GV^ixCA01iRf zD}|bNj=is))WI+V+V7qjq4;w_#^c*?)Lv8L3R1@r=oeEsf)xU**kHx0=YrSjE_ZMQ za<>O@`T*W0U{Pu+mlwEYmvp`78U-9;%I|8XOb3ubh5(z7#MztEQy>$X6I|v9tEbDL zKlU~&lNaYR+Ync!M#%XI1*?iSZhwuJPkAqbT^45(KP>kpnXno=5;@Frt&b}^jdiHXXk2~KGB>#zi+q~4!#Dam!9+7e9 z>eU!0MTlIL?LyFVzjYnv9YtIWQ^*#>LX(Yav~&pW={T+k&bk@N#@kE(xZ@U7fW;Oe=SIBR7H*T?D!YW6dL)DOp z5}kr)>!zL~&@xmR&>Tbx0%kq|5|5=sOiTJoVJ|SH?BVo|i_!d$P#jXZyvyeuJM+); z03SL8qP*Bw>fzkIs#?xjexdYNN3@cedxv#A7ZP?`)+2h;Ro0B`8|JxJ4v>izo;oqb zz{Z&Ox`r4$9FzTpgax)?^=Io7^40b4+K>xcPBJFVNXWCWu_Ni*_i z8bXuFWQwku&@3VD`D#$Fd=uKrFZFZpF<+d;Hj!ufrnx=N5$^yd~n4yw23Z2rx}_oLio3ge z`+S`>x4vzwLG}@yqtyhp`&%7JQD3iUPR<0&Eo<<}u#*63MWT>@gc{!iiP4g?k=@=< zmb!9X6s8KA4H(%s)*t8SI{zSzq?-3L5bLNd*KBMG8DY*S9O4&^Hg!AXJhikG35cym zwpS-^e*AP<^@ar*_{7Zb_!f?~hl1t5BCbdK$gV*GF{N|v_%oU=;W-jM8QPM3fC)~I?@@UOd27gb;QMn{ChkED>^Tb+ zr~oJx4vgJg8qKbTUnM0 z$r=Ma30W`ktzAT3f>Izv8TQ0aL%UJc)M7V@f(ss5)IN z+mT+)^VZOYB9Q>P;7)=>P5C7vBV!t5%rrpWz8<<#i)33-98)a+Cx_xR7sG55hOO$) zY=kAKclOHgeTh;boQC{!hg?ca9+$d2=ZB-sb&NRCAKYuDq> zPw|%!bl&8MX7_<3jdF9J!MZgjmACYrb--ZeIFnOR)HV%VSQ1~4r3?f1yqlEinufw& zAYiL6F`cLNar7lfQeXDTD3lJ@DOKQ;-rws4NbV0<{jTKSv*e;3Y@wm|>K`R?6bB04 ze6x$|P@?!}I2lTwl~><$0Ovk0q$#A=S|^>w?(}XBwU|t&DEMwAx`r(a52Z75d>-&_ zYK3DtbzyCUXT}QFPL3A;d>{0#JPa<~g{%8Iz{buj8zYbvK0}1{i9c-gB`*$Rnrgr4cS`hTcQE8ngvFK?sY!H$=9Y z)HU_z@(h*hEJ=b$U~$iqmFNIU++qJl2$~DHM3##5eB@SPLDLVb7clw_-+YHH8C9%( zQlROlUP|>vsdFED&_`8l#j~~K(A|d-##)R(olR3yyOozJdxxPKHurIDPV7pI)ERpu z8&L?gZA30j zm4y0|l<{P;f)+-%GME`l_=yX#7-5G#UB_Ed*89^m7c*$?r+bacs8+bDcHl~v_A$YR zcGEum&iQu0+We->aG6fZuqIn~ 
z+dv54Y2m+4HL?~u;)!%zLZ!#1v20{oMGd2 z58ZTnWHA9Q;9_eEE3gRl(buVTM&tVxAb*7o;##1p(t$mXen0nR5Ga)}V?|C)FNP{n zYw(f1B*4`i$k}2>9GsKj8B;-Fpadg&*K%cEIJ?*(G{P%YZ(qYF#So|Nz1DKAz5Nh& zs;v8Eo`0?0qoZFjll=ai<)z{p(t=)xU_4Bl9qNIt+5YB4S*)XZdOFC*QEm(bTo&G! zlB5w?GbQUk*E1GCvk)&}B}+gXpvp9vy#Q2p98S;BDpK)m-M@#AoG0fz7-3i=~~s;OC{X_ zn5^D+fndLrd{>r$5&r9fV-!~=OIK5z{lIlnHm*#b8J|NydgtA4yYG+M@HnXE#4p6x zskU4~BrukkVHbiFJej+ZZ>p7)JT0(AXY9xv-el1wP;z(wkj zUu_fRd~W<{3f%W!y!4A{djWVUafnFBpFI&}K{j-5 zbYgqrNsa{G_{nBma-{z%cvQ3aH3H>JPaC@uy-l@Xd!$wsa2xl%DK@4rsPV56zJdZvu+J zwb3LW9F`2ufOu?F-9wgzWRHCSo%Y~7X4APwB6WptOo}zyMM<9#?jO-Y?fJ62l3#6y zAmd!#a(cB5Xe5aq*28H2-3uek0i)Loyw6KTQ$-&V*U-Z|N)0u1Nqbrt8J1SrNbqBQ zQ2{r=7Ol&0V2Ni=oQ>!xswi!ArLxqrpF^^DynA9l7=oVIo_*nzhR)utEtSL&kIRhc zjo9T0V*s*VB+8DUq4RbFqlQ=#5POp_RdmL?XmX*euLmYlj2KGym%XFu8v+GJlz%{w$ouQ~yTUG>kyaK@9~7)2~m_%lHV*rLh=Y0dA| z#StpGQAMB5adcmyy;Gu-9Rs`aF6_C};kCCOt&-yT+Cv-(T#kv?d%Ts?e~e<|;1{Mk z(UoSleos^OuaXj$F6MK~b)^o~&73O*kperm5IaC?%A_ictI;gn*C_m)EDg_wv{<4J zesA^i=)@fwxP+~RFY(A_-+ffO+x6R@>tJ+Gyx%kv0Nn-x&k8r*DHjV?;G03n)&QLi zud*|bBW}t5`c}8_(LSMnz(2B+1)Y&{4)uh$(q>i(yJUnPGZ}TH#&aauv?j;TcV07LT)I8XFEi#7VOm8V&>uhh}@jNcOd*!J7`JtTUE7RG+@Hn zn}b5*!_99k2vcYnraVpk`lkVOrM(I zVjUz2sZW}T;VJ?k@KRlb)Fdt4g7}1{$Px6_!R)&G5G)3VmZ_P;**H&!ep9iE%IWm0 zwYzXB9$yQ&?le|h#g~Y&9iQ{T{d>y@mIl$uadp3qa>ivEu&4JQr)^4TCw*&~ZEoEVYf_IxooBvQ zCDxQ{wJHHh<{37(O5Po4J|BGS)D-_eDzCW_k#uJ|x(vltC6-g!L-&}yEw3H>`?0Is zB)~HgQK=27=V7ieC9~$N!gc~LuE*G9#F;`Xw1dP;DFbD)wjW=VK7rH%KwB$#v!sRJ z-78J*Mmq3>O2_LT+GbOwi10SXc-?93T`xZ+3YDF{wLy#0!7RwbhtftiVM5tRwO49~ zncQ#Gx-r&|zVG5`l7lZcAQm)$YL7j8Nzy$u^y>D9a1F3HcDL7rs_={CFc%S0$`vrJ zj8Ud^jQHE{+0jV!e>0=|;}LrYoJ%U9&#wN)&!6zn21r^5UGsI#Y=MWr$a1=~c1{e- z-wm2&nETlxEIH(WxLj1TEHF4e2~V}JOghQFGt5?#@z8yE8D_0% z8M&yN<>-H@{tm|HR3Uu=l)1Ryzk-!+EWE^!&=`IHc7L@>NM0Dn76(9dzj8!jm}jh% zS=e#_DeLp0|Ixq!EXTyayT|x0E2Q)2zq*mjh-~85FUeUW8iE4G7Z$uVegd6b&&aPArx z-_;q{(G38~K74NM{p+5q0gV%&36^uf?3hzw5e|;(dE^VBqx*9QP!0`{^hk5E=qi2}Qe^ zgXcvuQZ=y?+((@zg1>^D20#+^|9|)a?*$un*P}yKTB4tMb*xU?vwGY0X_qe 
zMPKatFYvZy0@u)9xSFpFL2Z>EP8 zWOx<0YB0M%4{B~2%EvvG;)$KHQ@1SB|ETyu&MT{!DH-obZ4>TJBpiVxtQx0qP$c28 zArpMS*0d~=W!fctOV)X)CX7F-lrcei`}$c{>RFws#t9suf-l{8RyD`d!Aq266yu7Y z--X!Z$gEATI3{Z{I0yi@c>GTYLyu+ta@73X^tdZams&NFG6=c|3->)aWZh*WWWY2D zJ2QIj-^LfAnd=PpeZj+(-%c5@dA{XSWS%9X6vy`_R+3^J$A6@v$^g7CdB;_*-Qr-J zO97#f+c}HacO}Yb!g8@^JMCcy>6K+z%Tog1G{{bmaccrKTMV}zAPIIf1YgcdmCi|< z#>3&|&av?q<5Z%ywfM@t8}Sj?zL}G?j1TzXt5DP6&i;hr#5Vni`jGMZepe1@!VP6F zpCXKSd80Jk1@x>3M5&sz(r?~$K8@0Es7Ze|x0wnF!Tin;0yz{>c`uxdV5t4{S6Jms zhLcHOuw8memQ%iVX zAU+10vJM$%y5`l`!iCCQtXX}vIS6ddIA{m4k2_3usofk9_W#eL$3zZQ=AXohGAgnw zB@Ll?%)oog{DcfUOM8bc`N+dsNmUyy3p%#a_*_2VpMJhUz_Y<)UQ5KqB$uU+PI%&u z{c3AsBv>+Wz${QTbGfqEehMb55jLWYFq4{em!$TXnP_|+k`KlGwIqiC^;d%dAAQu| zJ5kOjVTiw-6Qs%KpT<1`z;5b@1txPa#c`16po&m6dYXFP5$Z=l{9VJKH>tk1@StP@ zFMA$4KFp>zSL8%_q}L)sOAX~ORgYHFCi2QAI;fY@dOuTzQH&rV@74*mwr z1}BY}et)BsHyEh{Vzt{E837HFay2NQW@s1_%Mf&RiieQyKdQFzIRQ~c$=S4gwUlX5QVg9?w81217u9UcZ_kgVTlTDd$} zmG4p(a6_m4u=p?+PM+M$gMZ0kc;hW0Y!2dH;k(=|g-hl=_}}59+1{?73vtq}qc~>7 zkO-u8spl1VAd#c~ap9Zpz;jZ}%{>R4XfK|ft-K*&Y2#~4=nR}AVS-~p9FtR!JlZ#8 zg^1#Qi4=VvY0HlVniX5vo3j@m4igB5+aVxMro{oj3U+P*7SHfLu~5DpqWPWN z@`dW{JzhO7(6Ed1ms-rj`EJ_GnZqVdnMY@4%M6LA$961x+7|ZLXzpbukyGc1QPkb4 zk+ki#YfOrhkl-a6G$9h<2e5RUitl%HK7wO_Wqbp(P{*U~m~3qs%!ekYYFR>RR{Fnn z6ZRBLnrg#6_GLt7zMjIbvoTalLLM&_cLRg`Nz``TILo|YkcqdYkqGF|JQY9L5QZ4Z z>|C?FW!4~wWG(DN3y;!f8T{AYnoqYDF~fMVF@;>L6`1 zXS@(G9$L;23r!h-PLx}gx#Jh!MCX_ePv}y>|5JR6PE)lOX&=IH;<^qOfJJx2uidbx zO*EPnpv|DEfBu(}B_5ondssm|$QScgh?N{5tE@tHQRg`&v z{1kn?I~vYuMzF2uQ=V|35huVlDv-0;Na)NcYaIyzTOXiE;r@{)ys&zd7pWcAyR9X_H^!uJ{G zERQuBWu{1vRx!e%r7Q|u^93R|jpOB7{vSSY2F_RP8zlky0ReKeSq8#p3qzq}*)s??tnWM`&+(h6Km-M0*!#Yd@wz*$NXW@DCH za@2w6!hS%E6@)x z!3+uR2tN1*YKFyFfd5RS*aTZpiZD=H*XQM$pv@cFQ;i5)ZChw>JC$Y$4BaCl4v{1@oC!W*{0|@xdRD-2nNMFiuqCX(%9nihsOWLqL zt&sz}&`o-dQWC?539~rLa;n0?_w+NKsZ!1Ar8@*GX!r(@Ld~9ENE1r>T#ZBV_oen( zKVUMKMj&#{p7P4tK6FSd1fD$OXp(qeAIZQ}icBjAdidJ4%ZEqo&~VK!98Ztl4J=lt z3`y}cq;rT~Zn`MMH8B$q2uSDK^Y#Sbw1jK`V+pISUo2(OlQrz#k@Ti3X2S;aoTQLc 
zaey5S(iKFEOt+A@fno#GQQK6m+gL`n%CoV{KTamUVD~gU-K4}jWCsU?>-2lhNY0p= ztGUj_Hbnp|M_{*8A8OxQ@vxhqRX`O z?axnzz`adNU9jiS9KJsltxxKmqbq3M+3U|sa-2Y-!ifW02K#Vy>fsllK~%78WQppe zr~@g1n4MhiZ22v0rzDFJD08tgV!EI_`N(o(pv}n9p&+~Xi3n#cRE2wpq?2)$(R&yd zimE%SUYnZL^M8u(?v*fInkgSgtYI`mkXQ@(=eRl-(}|$RPMh5nCom-_cTTe3$MWiH zM#55j=e{QZA};Ys7ArPBWH}D@cgt*vq5|4Q_SXf&#T&$)FYYVLR3im@6dj0t!NO2e z62kR5WQfm10)$OlP8d3-dTO%SixtUua2nd(i!Jg}Z$~#Y#|deo=JgT0q!5U$okSj` z(mwNfq&C)xNB0FmbA))W`F6#xT!<;SkB%c)-65CDzE0vI`kI#RvK})>g$N8|9KUcv zzybyzm)+>wBF5oAkRvV4^^wA-D~RRsBMADl$HbR#P)X!WKKTWF9m{RKEiwD9O>F5qczi)JPsj+h$r$8}suHm$g=)NzyvY9 zxPz@2Eq(#;b&)HEP}0qTtWxfrAnES%Q35d-E1+M{x0fnO-?xLNO*8jQTMWKa`zuhf z=%-A@16&75Le1{8G}6K>$PNZ^xiNUK=d``lVD=SOgu6M(lB%Lb-Bny4X)xt=af9Lk zF^$Jg9NC(r{jpLQ1Lw=*UD_Xc0r?6B^~RWgstsMT9n~TlCFzorD2D5*BVG8PuDr6! z$+9Z%N{2Z%f@F+q3T2JR;gANO z^#5A4QMT;rZsA>MRLUuv!!7aM{D_HKO1zYT0$};UCKRP;Ocf^#n!g~lK|*s8=hAT2 zfq>L;DrzTcji1uV9`$u>y+8&D%9gFXmfb$Z%T?Mh06Y@IS;>hzb~1LjlDnsW9Q}yX zgom}Kb5wJvH{e)-JuPma6odL@XQ|gv2X;PgNfExz5!wsT;^}$Q*HA(bhg8Pdt0KXZ zk#v#Wsjy5b@R?*18$u{j73$V${R{*5{$|2|w4yf~t_E381&04~Rr+=LL-$ z$^M7mEX#oRN@ynHy?EVfqNFY@dPST(R4l?f#@?eq5>@>kaIn$NOa~BhTr!V|>iz_r z>Hc$_VbJ+ex;rXEX?@ZynmT<+nfAJriBgh1=7g6@sN$YlfA#>|19hjeF)l{`3x`>M z5^?%u4%Qt~jw;lgIP*h z8_k_Qh=KCsS^?QS)VY=p#;=g)qfD~}PLRGL&>)`0jXZ{aacQ$Wp!v3_6W zO;wh}>KBts7p2{P1sqKB$+lAdQvMD({a4#^z<(;kt~I32T%i9jnxlZuM$s7(jR}C` zS7cz%f*cC}ay!WB2h%Ah4u%pY@nUS5jhq(dsK2^v+n#p93Bmh^LfMlv@!J5EzB1YM zs`{fRx7@YFph{SS;#4|xlvlG5OZ_~Gy+<`QbHWFqSK`Y{w0%<@lh|e%PZ(75 zfN=_Vdd8-VD>CZJ2;~;5^98keh%KKqQ3VuMvu7UQ^1kQ5h@Pj}e1u)shp;(e_2xz? 
zc;caDtp6kF?RV>_cn9ee@MqopJ}wPp&m@!(kY#tM01Fn1+5iwKWNl0E*C-F?p$gzy zX}hI+YBVT{gd-VF`9E3@9?nLLpt7`frGmU|U>Ch*+Hd#R(Hq5~=cwWSgcpKrK(kqS zL018s43lkyzP-YP2JX0O1cA>JvCYfBh&uvK+|vTW8M8yO5iivp6kxxBgC}%BTu>iz z3%G*oxA)Dye0-wQfKMCIG;}cXLHHwZWIV?jU98dO>qGEfTW@BuqPR0#igH_{an*05dy2SJ%&8ewmcm;;m_fsQyC!X zAs1V85}d=AY5;R=>f&6a0gi)Az4v?XL)cndl~_Av^-1|W!l9y-H6}QMlP`eh>@e)c~=P&|P;Ke8utphp_St$-M5tY!WDu^|t6e zb5FY86vn}Lo(turgdi_vkdkt6Qcr;noTFG~b7cw&LvL_-ASgpAATls9 zF)cDMGBHDMa&T`hAVF+wAafut3JOwXb#owZatdv4WGo;ca|$4BWpp|U3LqdVAai7O zb98iJ3M^@JV{Bn*ZDn#UbYU-VbaPICqo`56HX;&;1SJLKl+m;S;Wz;yMkyqasc<6H z4q^&e2CR%>&Nw4ZA_*msIH4ffG6&p+BniC%DXkRh@TEc(uG;!Utwjq-^@JTx74Z}W zG5lD!)u1e>N!xU8E(-0i0t^J7ts=s6mL*ylk;sZ=vxCy4`vdMk+kj`eAo+&6oADB( zY>6Rfz#R=pF2Q56h|fN5$PCHi5`kn{#*E&&yXc_JG$Th}b`b0_hlWx#JrV*)Du;XC zyKYRCx=DqsC0K)kic6iW4 z#)}(iuij!AXLjfTb4hIpO|#dCYYf9640tCK5XeVDG!#W3;M8LV2!c+Ln`E=qx+N-_ z$N(R_3_6F?I`cRMv%;uIDi!|bYs$|9Stqq)U81Sq&G;j2(Vae_Xs9ZIo%Dx{_>Lect*!~B{50hJU0*408JAZ^?R zEY7)0B+vJ7Aiy6KdnU>whA2e-!$clxjKd!gf<(m$A zsx@@@?J^-xz_Ov(7FPCuu|12n+Q;0rGEr+&1)XJ?^;-3F|N7$8cDN6%Nq5z~@Nv_D zzM_2@xyKL^cvksQu#u^i{P1fxVD?_~?5FkNH*%jPpuq;R_lg!%t+uSqi^XEWU@$hD zGC-Dr0u_-aQiMZ7eMu%&AVn-d9upB?5Qu|7YJgDcKsk#tOJI0LztkUuSOt<5+V@;s zHX4AWsG+$;Gb2foVGJ<{0#TfXmW`s6Y%u~1u+pnwW@rjhziLclN+1ABFl1$V5$^c( z!ZsPl4S%FFr--K-zu&lUkRF?Ny(U@488-kpkXK}~B}!(e88qVc%&a(40ze`;baY^F zkcjo76OJOgr&n%nV@t*IA0$ZS;L2Q<)|Qo-b>!^H+bO#in&@*4CH4dmau!5j&U>Y; zi3WKs8^o$z|Hy$J=63>2gkXmkPeFzhPgb{}C~V1Q$_@8V{FXNa%d-h1K$T3~Zf)d) zph|(c)|Ta|NY$$Y)wRC4$rXJ12Mh(7Pg7BfARb3`m?T>ufIqZpwxi}SzWSuJ)wKo^ zZFyb}Hv%#6n*7!KjJpirhpSNXX&ro~%7CgyNQi4#bz5yP3>V_PFXf#4FwfT$%U02` zNL0y$J(>YZcPZqKSJs;N6k|;(NETEI{B4qNV35Fb40udcIgfo42e)@dT7{B>&ZYjR8ps|B|g7{!8U;&;-idO&t literal 0 HcmV?d00001 
diff --git a/sgx_dcap_quoteverify_stubs/libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm b/sgx_dcap_quoteverify_stubs/libsgx-dcap-quote-verify-1.21.100.3-1.el9.x86_64.rpm new file mode 100644 index 0000000000000000000000000000000000000000..602ae9c6008441b7d16c4680b16a506691eb53ca GIT binary patch literal 1565679 zcmeFYby!v1)(1*ScS>&>r1qveq`O0U7a=L#Eg=|4H%Lhd2!enp0)iqa2uPQ7cZ=M$ zUpe)i@4WZi_~Sm$edohiWBulsbF4APTx+f|$J%UFZck#O0R`Q~3FhVC&yRpZJ^1hW zxO*e{eUY9{_5u750U?M01Pm4s22PPKlBm}IdqGFL@jnHRs#npk>u}J}NE?82Ie<{- z#Q-M-E=&Y)Y=BS&Xp2q;a1`eGjWJgNjs=j*HQod`&>zhMAfP|y4!}|JaDagRn7aT+ z$)f==NCYa3gu{_=A#n*21Plg)LSYbLI7CcRNK#TvOhQ6PQV0STkq|+Hiz7uvL?AFB zsD!XM(jF`VwimL8L*Y<}7*bMLQc@Bu3WdWZC7?nGd$@=YQUVN>kdP1&14F=YKob(U zAR5g#vu^w6eC0OXv+3#YzpshMqodvC*GGx|Dt~$4FAx0XfxkTPmk0jxz+WEt%L9LT z;4csS<$=FE@RtYv^1%P^J@7|PRr@ zcn{zx`R+A71~^K7c#Tg14(JC=`)%J(fCF-L>T7&?jSa8yuWM}n8)Kn#1B7k|a3G(9 zh0+bAs?dY4G0JunesGQP0gh^)ag7N84)_Nhm2*P%C;W{ug03+t?*z2RSiHt0zvX{q z!%*!}J_h<@vR%t50S?%JsS0plP*_v|2l`|BU(0C#j%uF*a6k#x&1*TzAGZKZ`&*8c zbB*bKW4z*P%nfirKOSn{Q2HeR4(P{2^+#b;;tkM`cY2Mbeq(%;gHdvnT|j?)ifgO} zaG*cFF~CvdQNP9>*H{DKfIj@hYixck|C{}HuH^*)M~%noTHXb4ls;>Kqx#QXW1HWY zAOPTi9aym6oZtZ9DEkn>7Im92gH#2Eb9* z_qoOm*Vq@}fIUP5zw5D3dV%)DsD7yS{@3`)HAdNql2-wo3pfq@T~C7Y6EOD_$-m_! 
zD8B&qP&5J@&`*N$1MrMdG+krVby4^=zyWc0qZRR64NyaaGm z`>AV;ns=0Z4uzG_{!=~{?H~DA;1rdQ)o}Ahx^NrvfQ;Pjz5Sq`NRXNj)Dr=0Rc$g)5+Dz+sPN{_5YFH_h zkx*BDN&eefO8mEdoLmq{Pkt>^9excZbAB*Hz{^p<31zte+}#xo?Kb!G+eXSDZ6`Qj zGZIZ1>5Fu6_izPN32HmRJfWUWfQ^pc-X303f`SfC-i|&nR7b%-R0tZWnWKjIdxZZq zz<(N_i<6s=KbpUUn5~!y;NgE1Y2cItO|Ai$XB>7kOqV{zEyb=5i;^Jsvpf3OlSV9sCg^G%Sg}~x)NeCDQ1qLA?Ao%w`A1_Zq;8qk9 zK^=h)1h%LT1h#*CAo%@#K)}mg0Qf#2416Mh2nb)_w*P0XP_6EVh7yo3K^`A^#Z|~B0PWU6mA}FF%g)P zHxDpsh5yeHuyCPXFn=eMjV=iOKOQFj-@`-Q07Cy5#s4Z*)7H4HWGf^f{P)2E&V-|S ziv3g1zgPXOIRyN_wEw$My1!W~EbwRM3Jd*-MZ$lo z_s`V+nM~|YuJ|whae%{Zz5aO0|7EKFsaj1*$yQk4U*^j7-{TeGDAAa`oM!g0mdg}NfWc+jq8s2XJ_2O#$ON1Z-2z{MTP1nR$UC~G#wO;=h1$Zt5MED_SA_8Ip;6FI(C@LT#0FeMr zfO?1+@ctAARM~Dx_}IkE=VX468+x@t3VKOh_H}|xTr8n zKTv?B{7(t>?nP~YfVlLJZ}~v{ii(~8UV!)%6{Cj#QxJOnqkw-zrT_C+0;p^LP4C}z z3&2nTA-@v>4FW@xv=MFd!O&io#%$NP8FrA|YZgZVwZOAS980`WF3D z;Xk4iB|ZH+8oFv|-bkb^)WgFQ>f{A=vGs6wae@a3_(8o~(FCsp9>IT{{oU68wGION zM>P;7{qE-F2!!E+2zU5()b#H^tN53OKwKq=#;+#?;woZrz@b$3kmn}bn*@W>OJ`Qm2Fk^42?BZ@7NmYnHVam$O4!DUH`WQLea=b1!$qC zYXsu=@<779WdH6R;F%KiL?Rra-q(yD7%>9rhD7kg;Sj)7V21&B=J)Ufen z^7eFh18n|3)dO{NbB8&({h)e2EQ+0rmMG)8&cK*xSXdG9JmgD)1dr(^+etWq6KVdYuhm$*6An=@{ zK_suY3H-lDcpdFHxS@8O|6Wk{_Wvw@d(QrL-=ia(fVl$v0Bkx{v{gZ3BK$ze2hujW z4f^9&L4bZwG9T#oDEUA@aE;o!fgm7mqdP{XJbWNTfE(1+2@cF_00@Y`oRJ7V&>!0> z4P{F}3B+0!0{ictBt8%@8%`b`NCcXqk&=c6$Q$X8+9m&AE5M%lchLu)ZyTp0m1=@3LpxA$N)mwg9Z@yS2rD*Qg4-d_K{stE}Q{jpgj1o{#Bc-!+!pdrN}5OKiILiR98hzLXoDk>t56c@5b z*hB0kpuqMH3M^(wVI&j*76XIfP%(tK7z8Gc1S5r^U=gImA3nns5fimXAb}zY1y(nt z1WX7f1nlS#a3Qz|4A?nB#6;|&a1k&(Lr(xW}qx(-YDYZRvvG?X9-fzV3Y9%_wb!fWd ziCm_i{qka!Tk6=gO=N5LV|yubeud`dK9}1x+E)FVYe3C|;^T2hZ+k@Vs+^Nb`ofkB zSuk)VrN~zJWitu7+&$FKg4!7h^B=#-1HPA6qUiT@B^$8eBQu{k*GK)lHvl zt&WuEZ2iUDH-?N(QiEB##P_6)k!On;xYCX?PV6in-0*7=>?_iyU;CiK9*Pq+DY&%n z9IxG2?K%EFrB{Has`9y2OD)+iP1Yov9*&!4^0yv;Ms6@A)VMUiO}rxMA-0nYy%lfO zYrb5u#YIyW=aQfWH=DE+tZBqOp}ymiuw@2$uiwh&vk_ukc*fju`wixMd|t!T<+G~$ z&!gqVuM|=-?Nm(m7OWrf65Pfy)4*sq=Or8urUyC0>mHqfs>+xxM_pvc0+F4pQBf{N 
z6?Bt{BfU}QlJaK!sa&GL8=eRto^s(=i zzm(E4#rUQEyz!}Y19z1S6Nz4@^q7Umf=QoRq2>eF$Q0>E;zazd6=-5UITshlu6FSg zy`TIF_9=B-aXmSjwvQ?}(vKg+qy+noJ)cc8QGDUwy1)xM?94K!KT8WPvaKvtfB%k^ z58JkY{*EA$<|nNHUQRna79JSi$ZmYuo=GIWd;58a+arvI_jJmy8ZS~zlOhjjUz$S` zEtBVQtqwko&5fWHL|8sz&K)`o{Pitsie*gm7xi<4YRhn(CJjr)*}^G3MLMbSz|P}2 zgEJHB!J%5QFmyfg@S5B#lcFl~k0lR6@eRd|1DX26vm% zYfaDRNKUVox8u9k^gmIrIfvKY(*pB(lDBhx*olr0{A#TF(h%a(>#`mth_AJM+J5If z!8!*H);U`DFKXZ8mc=LKREjsrU(MEiDOIuil-rZ1?Dx{I`l8 zLu^-HNijTn%glr#rHn!A6SZFkE;a9%Mh8Tud7DM5e;1x)21Qk4G>b0n94MCK*S*0} zPW{RD9sTH(;@MFJQN!ZcZ3H9P?$ujc=@NSKQ^l|w4xAh0-{~e5aXCtMRbwneWuj>U z5mirlwVgOC=hr9lzAo8!^!yldum5J}UXh_^VPGI#Dv=r7yL2sN7+2jMX}pj&0wXckY4KXw#*B%bD-^<&sX%tK>$> zE1OPlwV<_(@zeo9?uq{5*1jRB{*kE`-&C3L!v3>uv576IFt_hozofPTcv^klS>JJc z`^N9|SEzWt)z+i=QC>)xl>>`)wboJb&}!ynHU?(a-nvge?;i_9?6H>NBgs-e64MvuRGm#gpwb*{<;Ov zJlHuH+D0;zE{L=!H)ZQe$0X>#@D<-`kq!{)UHs{TjFA&AHl$*nBvYB|6bBIYt{Mx*~mYw$iL!HS1PmOB@*$-^|u!Lww9QDljqG zcoLV6nfz#Da@pObRTDnhI9P+sUkI{)YcY*DrXQ#4KP97!gg%d)+nh^`i;JUV*T8>> z-Vxo+y)@-R3^ON;qX6MXf(cc^NkO>i`wEfVJUkjtMX+Zk2ntKsSv@^{-cfI~Y|zOa zzVMUIEeS`n@7uN?CfWMIKSh0CO3$zY^V^(g2z{iY9Y=?@ra_>b(GSnv0wc~sI?7mK49eRFkE5QRNdWyN* z?|fH^4sZGF1RS^ioF=d=>mITA_0>vn{$w%l5EiHv?Fqks%|H(A*9e)pHRj_7aj zed&g?F^+&Qr1NN*+rl&_e0Keavy9dgb&Up%~9z1iH8QPEGKgq^TOUN;zGg&M$~Tp7kbM2wBlBk1kHdjCf8l3?#D> z$y8fN2Cm*8mnkOBeS@ztWRN>!L4$a_Y)#!=UzndGV{zrW_fiecpZcM8_kO08hjqqF ztf%J6^Nq$bO+2#t+zV~SVo@3idxxJAD%e5 z3;s9;5f)W78U%QJOYD4Xz|JY1#1%h8TV`>A_I^Ho?ZDA@!GA1T#Wlbygeh$m_VL-Y z9T4Gp8J2GCR{1a`ChDT$jHQM5;F6RN;d7S#uHs6ah$U7>;gYDW6hd-QChpYMda2C=iP!zy znfP@+x~5ORL+?29gFr+AdmwKcP35Ln8!%eZO3s!>+1DcbTTxuit1ZpeI;9B@l2t&{ z+N;Y&_e_H+wo`&|E64dX`)^4W_Ou;q%Z$`kXj=-ER^CWo%voAYc+tFFE&+Q=5o&Qs zSW0t)W~e2oIkTEqTh_r;rm`yR_1jXj?4vTo>C}>Q&ApNupOV(H3bE{~@7}~sIf)k8 z=UNV;;$agtGYMsGWSyz|_8sG`twCHgl|CF#o08ay?gphq^({_)e&9B<8uP7$;=}kQ zCi&MRr-=u$JXAZ2!|J6}3xVR}j7GexIntKtyEHspK?m88#h9sI=QfP^V%a;vYf=!M ze!}ds3~2R?w<&poZa{LZI4cQ(yj;hRpxe>iMFb!3p;yPme8M5_dF@dZgB`0xf{U$= 
zje}X%F)(J7UdMA=z`pIZN5rcaG%rTMrRh5_c;e3`vaQ^o*gDX|&2v39aJi0d@s2VK z3HRuR2%cwIeyOCeQLQr;G?pE>Kt)Asc1oDd-Q4Q)VeM68mUCJ8 z$8A4t(}tbZoPp{0J(~i+YtIwE?EYOx)ns0&>% zF4uls?g(JLuV7ze#vY2Kp2Rh=ZjTTde)?q-@B0>8XM8d~m5Y=w`s20HvrL8sv6$NJ zJ|m%@t6XqgAukCka6IVDsQm%)-4F>kW8%t3tCn@TG1)$o?Dl2LIa^z}swR!jmHKcM z8F%)$M!x5kw{G1Mq@*uukbm|hUS}NXfsqw*;fCIuF;T0uHCu`>UJZ21+-|VFe47xa z#ovGFp|Ssp+O2xtMq;>xm_oZapxSC9&_E;qadshrmPK?v71XJWkl-%6|M$GFwc}$~ z+O@H%bflM8{H&PaFJv6h!j=**Ls%?gKZX`GlbDJ~F`pJw48gEwtUhE%3NpM#n_`MJ zQhPBlARR=o7Ib(qvoqrR;HKN_aoCer;w{pma*Q6TC$~KO&C#o;o+~&CAzU(6jCA#f zy2Fhl9AK37&-d0g-RKO4ROZtSUwPebt6|9M^_|2?EkH87y0DpI)ESxjLPEM^cY}hU zj)xePwqa3AHA%VuDw_>VoBPBAd^S3Tal8Cz^yWj>a%n|!Hw2dsN zo}@@`K8!j`f1JqgNb@{R2ehcNrJu3yVc}*^Une^jAMwc)~OQ|>GF>BVaal7 z#y3|57ppZ@Z=P)UYjt=?JGv%e*5vkF2 z$ybgxFg`r~gm@2jSDmR^wo;Jbmy;>1^MIOS7b+q$6XJ~CwH_%K2MI9&M@eSTkk1t! z&HOaB`ns0jWy?A+KRX@%$VWccL7tcJg#x7}1b6@QW=ap-dSkfb1~XNoN@bm9PW3J# zm#U0U)B7iO^l&3iLqX--ve8jo1Y}f}quMV)0{Nqb@rXj2S1aua&c@kH9L8ta!Ume* ze3lGY{f>o8G$n~fY5$EE+EH3-@52#&BSQZCVu3`PBqd!fdTU6hrk}97%l(%HJc96V z#<)9gR2SKgjTI3^78KEfe9xFOyjLDm3|i*+c{VlaA1B}>K%Y7#YVcMUxpRk{ zZPwiSAbLa!K~fq&F|tHx*DUqM{ZMNp_0_ALh0X= zLSy>&*v7n}{`Z?gZfnNr5P3Ooc3bu0ktG=xgNnxFRQ9JnX23baCfLY%`P@TuTC>71 zb-R7pW!dlVzD6(TKqhl>Insvbrc@tJt?#=kIDhZmO48q$xz{!dAPk$dnUsWYVjzeV{I2yx9X9_ zj4m$Qrpxh&2k*Uu%}#wnNF#F?{ocbRBQtaxbVKwDNh}GY?gDxwDXv#)e=6JYa6UDT zo1882=Jq5;=Eaq&*hd>%O~R7wHZ$lHk@gIF<4-VJZdG=V`78hRPTi$PhFPmC{X#t4w^;QY@6b zH}(N1n>>cu6#5GdAwSoqeM)k1J1q1BfBkKH_NPEhq8Y=>2)S)@L=3J^ZlCev1tEkB)9dCBS9uXS1s#@!ad4Vjh$ zi}*@q?uT3+>iArH=MgobHxU8MzAY<9JuAFx(|T+Ro!=hjY>SXh@$Gb4#<0hE2dli2 zVqmMz^x=}yn2HL4J`Jb58%I+Wk=e|2zZz!1$1XfT-x9xI&Tmht2DM~}E`gRhQbxuJ z);=p2>*j8ts)PmM|42UL0OfMfM~?O1IjoDkf0sa{WIUy+n^!LC(~KyN0*Q3f_bk(D z^^>F454{$nGP`$DwX_Ozzl{22-L(yj_WgWd*qFq)oyZ`=gYVGRHs!u?&)kT??0n4y z`4Z31Kf9st(+6YmkYFk6YZS}c=Sl+Ic%I(d5`d9XNg%$inl=X^hnCm zvPW-zzF5As##I@WP^SsanY5au(`*>zW0(XzsNVT$Me{Y#tl4w4>)T%Qu=eQ52kGPKj^fk5;wZi zaVyPxFc1XOPo8igZEQmhLzKSE988IwJu79Tn>tK$f8&vZ+Xrbp((7sNSby}$H^1g2 
zucs(k@OUoM_wGQCM)v+=BKh6PEA#*}L!u4?$j)Tj3SQ?s zb{wWQV`7q=xO$;Kv#~cOL2FN$x~tVnA|UBx;Wp_Jz5LkvHOa1}oHdEo_p?ereG$3u z#r5?mwr-?~y=3W|ANigfxvzt~aE$j!8qt3e-*S9?H;|xF+h*|j<7W~}+JxB{f`m>A zDOjMzx=>TuA)`etkK(3yg6At|jCX7=OBB9{ESEOh5YGhNq=+dN>BYTseui~tK!1^Q zuWWj(hB#fd6?ViH!>mb=>`fIDdE{~VCE|zFj^FO>kI13HTI6Y#>bhr3 zR=?S-*JrIgUc-l}4UgS+^XMK7e(QTb8I(84EM{YAwI)d^vPQX|Ajc8z`HS!@BrCht z)OngA)@?kmO3E*YzNXit720azGo)kbx4raYrn@|FD`rb|*$oby0`kW&LkxBx`jj1R^o z#lZR?yKyOw4dX@s78F{8&R)bY9mhTA{jfjNgs@#^1b$A#R@!^Z@^TgJmJLP!HbdBl z_b<{)$&uf0m3AD5-q*1qB4mPLS~B&8b$%#(dk1HEQoj;>PWDy4q$26tf?uxi=)DT< z6M?)=NU(he!_O95I&V16>(=mY^xzj6}ptVhFMehy8qsSru> zXoG1~`j#I&BI#oIQuRrdjvh|msBpjCXjEDi|H7u{`+(eOK{0GV_6>L;;cOZyTasLm zomKK=T5~o&P_vZx>0K3?t~o|y9GL(xeS9Yai8%}V7V$(BB0oWBK&lG)iWS^@S7(*U zyzM*5ucOT4aoP`Wx7P1^`Ehk#%C3)9gh<|H5pCo^cC^Tzago6&jo!zALPEbBHO z;tg5!i|-}5K!hc^?DM@ob*1acC+`fwUV>00k0hJ{SY5qpDJH*Q;rpDH^^u-4z z)w9WWzrfu5#E;Xz(}(yzBA;ZQ)dWw14K$fezfOx$c5=+Ty|?f~M5agMdF`98K^nTI zR7VK>OMeb%=3;tXeXLz45Tt;5ExuQGtYlmPXk zlpiA#oM<<2CCc6SjGSdYK8pPn!bQ4#uf02bj*{}{)q_y>m?aJ8o#l1w1U9*naWm%}Enzv(O$`I*;tVx=j>#VLCa>Y|Ch%KXd4ohxkh5m~V9 zOS;=bVa>sWtmGe`d)nr&OkajlVr`rUM|&h644N|R9CC!<3Leus{BV{V!0{^$KY0=0 zYlZ18MEKbMjh-iGaL_3!WY^8w?G#k*)75EfPCZ%h*kChmqlr3qM&e5Nbp4=WTFvc* zWS}hdroPisz9lY})v(53E5S-%n)Fxl4$p!g!rV%gAI6+B#Ce1B)(9B!e)L!8iY=kJ zw)neWF2$q|9~ECL&kl-FJhLR%ajcdpVw>%_iSR?SXo%xd0i_gKVcu5Ni8!X7IKw)u z%wN{0Wb+&9l#?$M2*|RMY23wiO4i4^53bVQ#Go_ZQOGJxqIf3M9iZSjratO^f zhY^EehGBwXCo#SLNw?SkSg-Z%I%LDxYv@wU*1U$;o_8R-0MI~gdg zdOqIgu&C>?9^)ihZHbt;!Qa7fpkzVIb$@{-@QK7NP5~2wqKMq*$puuOM5|U+hC`(KIG{dUMLvv3h0*qd3YX(=ERP?N>dXQ`rlpI-* zl7qT2PNbKQ?c7NVVoLCHgj0e(>dC~d6xFwV@-COgq}O7Er-4Gz+~&9K z9I6Zri)9KVgfkrw?Dq^DkNXFX=5Ij*b0#sftiv*2EvoKPh-7mY5gb`QwqNJ9uu?K~%cdqiuCAtadO2^^#msWy4SqzACBdP z-FW#nhj{yPf4uXW(%u{qb}Bh2q4w04kqAv}aW~Di%A1>c)bb-h*V3;b-=T^Rl89np07~9f1TzYB#?ZT9dx0LC=Ud=w7(Exj= za1CKz*Vedn49~Y0DkHr*nt$4Eb2+a<*KuY@aTeiE`mJdsM62QQjr(VPcqVfZn$o?m zFE*YYuH3B04Im?;Ih{$eBBr_``sO&C-{T>KGb=ht9)7e&)$&Qk2_eJ!bF?$N>xM_o 
za@?`hgJVUxKJ^c+N*6xKcX8XClzAM3xv|C~{R9ZZ`>P`c?ORI(nIDXwxUw8Sq{CeA z_*7~I^;QwJW2n(d=lsxZ(mA($+d1=dm!S=(+s*HBbnHi-Z+|M@jZd%(&ynMuZkiaX z+n%%+m6R{V(wobZjYB$_JiR5wmZ|hnpf1KE;<27t?1jEnf165j1#d>p;!Q9ajmy1a zxtrlF;B3(2o8?%f*n5LaT-#l(ce5O82nN#^JELq^CThZm>Dn^Ou;`h4(S3HmRM(xG zKKG?dXT%K2)Oyo#af~0NCVOiM@%b@DoJ)IO+Oq_cwCaGK)KEqj4`tNE>=U+pKPAJ6`?1CM}C?DjRp9m^g6f*vECuwh_;!PCVefi^X}6C z?npl5$&L4ZbrbR%LmbcXmp`#AqCG(w%u+<~hBiHf$Qm4(}D5 zk(9=DvAkQ>TvxyP84jyD;ivi@A4vHrv-synC3cLNjTYdOy7LpmDdS@&or8y`HCx~8 zY6LWkzNA~Tr}&ceRz*sp}=Pd7~tXDs(X=Y&pNzH6raV$e}r{7~^^@Z<~jips(} zW;}(B3VALTipU+}L41q+2ZdpM$zqAOqOX4W`$=Htm5E_&i84rGoqPVjmUr$I9m9k(>#FGf zyxLCYu`|g!b)b>JyF`*35tcG?Ie1tucU}!mjR8gq*Cn59VY`qYJx@tiKii8lzcKT9 z&_Knt=GANWu`*{$;fJR?9O4h!Zl&GM6>R%h#kDs_G<)ZypX3iC_0#(wn*c^$AVX4q zHMA453BvH+zx6YE&1m!Ugi7ayyl|3J_>SBFwnaX<;#CG$rK;TgJ0>Q4^rID%(D_#T z37L%{3Xbl*Y5~h z|C+i;@pkfgwOvRc?n77}p@J+~aUWl`8_p}m18{;q)b0RBaug4V9)~0j| ziD|hhK}hMJe}R={%IKiWmJX&J)e3qA)8J8H1G9jtRdG6)@`(g-&DtLk)IC#Gaek&6 znfJ8Et}b2m!i1bv6u+%GvMQR6Sqi;gCSaw@UAi*2JN#k%+bRXCPs2sQxDw2% z%nqcT?LjV5V8%&jmrUuTEsSc1UqLivpG7M=GD$T^Vr@SiUV4~NhPJzWr*YKj^b z>=TA*+?tcy9xu4{4x_2b-`FnM5HULoO|{t2Rmlr<;`b0W};5C z-k*nobxR!g%6jjuhavfCvIPwtmJeBA0t41B5_O{)zUoIKXrcs+?Fa)y+O1feW(o8n ze+MgaaWQUD;Vd$-8xLAOrv0c)-*9ED(-|(ZbHG|s6E;!CX^)S7t{m?DOUXiS01J&0 z4IMoWjeib};YH^!)RdYo`Va+^ziw%oTZbrOWn13>oOF-lYz-pjs<;r8&G z7s_q+DdF*v8-_JMUbC@rnf@5g-N0c1qZM+uX`$ua$%rEqihS4g{hMYgH1_Xx z6@A$l1-5s@>HA=KAAeIHc*uq*LCMPPZ$-!K2bk!BU zVplrOC*-~=N-ZLU0~|(=xgPW_luCi_5ub>S)*ZHzDJNY_8Aqi@V3}tB#Ohp=p&74L z&{oJ<&|`jylN~TTwH%3SxG*kF9>p(#Y3XjE4>~auAmj;B(~Wl}&r~9ws&d0kRwm@U zBBk{U?J&42>y=_h88JcMu3k18^yQ!|PKDp;bKgS)#Jm?9+FmEHxTN;B7~W0iQ9r|# z!x=!+pKBB+!&+?~>Q_iM@O+owh5YQ=sNODal$=Ow#-Nt*S;ZpjQ&)rgPNFk>0#o6` z)MiD95Y`{Z)b3Ybt-wjLsaGwg(f!hz54WSoi_%%VR8rrI{C^pHno^fKO zO%`l=3iqNtOI0PPEBqDF(JFOW+nq#&C`xRx2?}zkFFkq?z4dlvj-~ic|f@ax$lof<*h8!qtXr4kQ3$aJtGvml$ilnrmFM>Ft3c9GANczLQb86vB3`xSVKIHK= ze4d-n2AA4=f~+-gOyKw7FT`?1o6C`CM{{rQ=Ly9wT|Pta 
zH_b`@mw_P$XrN#;?l^kBV+uW%XM*Akc$naM=;6l-7)F|eRncZ9By!>cI7et0}-;2#WMj^(W z@c|39CVC{+3#=blv#pX-WsD07Z^+L*Gsiw&_#)`_-!&DOE`Oq7!<>H?B>mdi;w$;w z{*Zc~#m}acAhaM+V+*uEVFBPBDI0+>^&dv==g#Yy&+hNcI87g|B~IrFCfy82e27|Z@|~>}F(EjXBFycLZGO{w znWd?6qGzm{!4)v5=@`0`<5A+2v;2v|CegSfjLKj8wKLQd z5t$z)W}JjM0!x+)hDzlaFdGQ#Q4JLMrwC0R05J}iQwEL{kT#z zTsW>uL{7cwLo<;SeA?SO63R+{QfQJ>tix|`;Y zf{uI7Ib|mn5k{dd3R7rr9Ev(8LMv`yjhS4Y;oc#viXu=Vu)m*Dk^OnCEKx}lWD{W{ zhbwh!lGIg`YV$}{I>}uby#{m3jB}XnVujlaZSezL2WVDWm!XU?;jleupn~D{n>P2g zTFGH>5Qed^o+hnR^i`-ot)I?kyKwn_Soe>2%CC9HDy`Qtip0fJ%e!Nf+9#xA9WQ#H z=jiEteLUY@GF5N3k;63Y`QVnkE*VlkZnWrNBF{wU{f~1MJ5QQm@px*RAa(gIU9M8Y z8~aow*ypcX+}%aY@Q(wF`9HY$piKlbAY7n}!|BTu#MEriF~-^PYN?tJexm>{s}V3vReWs-Fsh>vNHqT z71#?~#^<)*onmo8`!3`vTqLc_x10ApbzH7SA~L>Qo`fYVV#oKD<@YixX&KwwtSqE7 z5$ia$2>`DJn4JXNpfhpqeyGTQ>0;v;-H3J2Mvj8iv_?z?{$8$?btUAUrZ~WO0t%VI4HI$bUMq z8K5HmB!SL4LRRioYh5|G{b8x{C8jK<%$g{4y6B6fIM_%Cvrg;vJ6tI)E1U_kzKZ^p z0m6^cFbQ{jj0yHJk@XXj)td(h^lpLqchoX!7OZ09pun%%E7l7!nDYGr)WW#;@AIDr^r>|f&Cze)p);i|CvXf(d*54Khh^|!6sA7fb=>!r&L#f5 zo=Fn#^hMUObI9HIVn2cd?u&3RdG8YqhERlyRlc`bC{X(pE8k9EaT%z&1-(kt5!`=9 zzr5QP)iqtfsMPS@xj+!-!TgCUvoH41g)$th$E1#@)J@Y7<}M?!O_#xEbT&lNm+|8r z(QE!%Gp}O)z=L?2lH$F29@3|NkA|1IwGL?4tIziEcUe#P@GGAkt`-OzoI$jV-v>EL zDFH76BGu==5>=S6X77KCti{)Ga*->e5PbJh`WX#wn2?KrtWge*Z5+EACj4n`No~Z?(uVXj2jb~T>TKVdHI3K_tpvZ zNQu6m-m*h+R~>GI$G5U=UMaXgTcTL#B&%xknz2_lUG{is5qGvncr};jV^(wM7&xIH zO34w3v6D1SFe$u)@3ryO9h^xXZ05#Ntv8w5apsw9@k4PR*cSyUQYgb}~-LMNX-+Ki;=B*q-11`Mmot zyVW0)OKMOrsWHPS=GrQVM~)NYY2aYi^{=mF@ZV}xOhZE^Ub#xx-er}I$Dt1q^q$3X z%ILDIkuKo)6x;7tc^O!eRU4*hhtDcVhj$rl6&p2F#At~@;3erz_L2mGQ&ZMR9;Dh2 zb-&${;ro%&rCV^m$o;6nBUVH)lZtRAwp&;&e&NksD^503^+?T^ybFxa+nN&s+EuK? 
zZ&qS8VrwKTXynRi(yIzU&^>OD7&O&O(%3mH<0A${za6VPY@V0!d?QGluN*X(Fy)WA zF;-wfQjJcKNhGuE`mFz@oPog>_LqM4NbL@^!Fcenn)1qr`GQa35dmC*Njcpt4T2Z% zUqpALjzJ>A^!^Y*WGE6=uIC67X$N%b0gEfx8NXqYv zfsCJgitQ4PA^mnX=g;IZD)Mn1bne7|FneozM6k`NIN0$<-eg_o?yYLE74Y($h+AI$ zo+c;K;1J6wwCXPKKV38Q(!7(x9L9W_m*dIl?S5LXl)smWxPVqZYq68;ftWU12SY4H zX=8!6z}9U!zIXHmj_B29MqAQbYZ1*@0c3jWT`Q$ZouBBiGt4`j3s|1ycL}^vvEWU6 zS^+mJv@9if+1;ZwPnJ(Q!|aAr&HEX?Dmai~FC2RK;sx#Z$AMgo212Fjo}WLmr=T_b zV41%;mV*$nqC6*ml{C(KjD>mc4)tJ#!UPWRi8mqwBu=-}vM-fFDdI`j!? z!)i&&a{sBEDkJNQBr%LewNpHiTlsZ`qb^!vPc*m5w&0p9*@;g3(QD7}*Mvj6mf zRy(iWR-B8ikP#_%aktPU-V$Rid6QZ~dsd0&<|czlAnOnz$P|MjMAutOOrEYnAtRCY zh`uF-5KCtHvhY;{%s_FAvn=&2zK_LTpyLGo3^S4~JPorOZ{SV=*QfX&s_q4i#FZsk z(nOk(8ZlVHzwqkAJY+~Dm_({JDd*Ex@A*nnT)a%3j{Ab}}_NBM&X|kbMNo_#L;Vdx+lOJe|u9W=k7v zvBOgb)<*m%Vs44P9btuPv8~5_hjR)8(tY$@kT)q-!kZ>)G zNCP|&`Of7w)8<=u{MA95uLUHn`g@_5hGE!Hn?;sjGfcCRI~{aO&4f}Ha@Ry2j{A zwj~_n#I`Z9ZQHhO+qP}n_QbaBi6@>olb5;g*Ey?K_ujR?a;>gvA{f2<*+Lwcjojj@ zjn_Mb+lxFrbynVsT#^(5{z(6R@2oC_Hk2mi=HQLWh0e62e)r~0*6QqQ+Y?mjI9w9^ z>HYV`h1XHhB_+t{OUN^*;~_~sO4@D+#q=xAv(8Mh@o2~p^RAm6pwl?t+@CU35chq* z0(S}z8@lIl%E*)O%tONY_;+FC;@rr&lY?e^=T%S0jBa%Mc}G?iv}+_n1>zZmQwvAs z3t@upRrUe4EGFJ3xN>+yK4{Sm(*nHz=p~_S(x+{0SWT#pWLS{W?nQsQ+Dqy8PqGSorg-=VVvj zuRPYJV%!u0>D%4R+OU`!euBRDKa^{)PBPE7CBWXFqI@)M`mI;_M4oqh-BO!BU`y!Z z6@Q999H-yrkLxahe7RtL@p}I`n~^#iG6#P-9dn=K<9)k78t~rZF|FrM4!qIg)DJow zpx9}*hq!75y*I4?eEWPj7Ja&0Mk=ItztN`tlg%vu1odUR&5GsscBe0TwSs#jJi{$c z5`D1off?qFE*;6%i%XT4VrJK z-=1IPUW@1b!B6M4za6(rrR&wqUdqca3Qx11raAa?@i%$CUZ}MEen*pf{(L^qmrMEd z^!Pr{wkT~Ykz$$<+pW(z44mRukCo?ou`%Q^(X+(eH>fLH?Cea+G$c#UFINlkKh8!e zb+3OvOM>Va5Gq%0@yLpA+eH$Yg9%kaY^#93)?FFH2`)X3C`FQ|&ND zh$AoOZdp<$-%ltub%Z>7!$nQ{?M})UzM0bYsC+g`_PI({!f(7|Cl)J8vC9N1xT|eq zSC9^Itvj2OAtDgO%!(tjy-ZdcUKrW9x|uNjOtYfvY?*b*Yo9dj#b zY;ZIh?h6(?A~CRUKPXzRkr>Qc7CRwyj7N58(bsL78Dj=Jo!84_M1FdE*r?Z_+c=?) 
z!R!BX&UNcEsc9aA*5+j5HnWzU0XxBcson{-CH4;4&Vw4KUs3y>EVzlkQ+m_ibUB1> zG2>T~XLauC$CZ*-15T=(z)w?yzA=xtK~!RtKbVHq$hgyWVjZ(3+{(1F;OSub>g~O* zCFl*=K8zBVznQB@^zdfE&@iR75!a?1UMqtfq|^D?yY4LCMNiI2A>n>eX)z1G=qB20@;ZO&b`L(t%*_teO>z|j=cge@rv`Mlk`@FG%70>seLRO( zn}K_?ie~|0WoxTGu-6#kq0{bJV%|4JO!+9@;9P&;WbZeFYs5Qo@wXA~dN1<|AAnso z6K%lM9gA6Yuhu@!U%LRPxCuK&*!IB*(rK3vY2l=0L)}2AJ!xBoR>4*9%FTp`jU(8U zLN3!q)T5Fclc6hI0-65;3uDKdhyfA)SG~^=fcyRz5P;h@^w;c6A&5F+(x8e-b8B{i zxx2pjAcW>4XN0btM^MMDgpVIJV#%o{O7Je@Sk{-4C%CXz#ZX)cGvAmP$WzND&`3_6 zujNN+i#@Si#|k_k_e{<^(-vVt9yPO44LoyawyaQEXXwO6Jvwr*P*3zBS!s|!2aM&A znX_vfBsA=aY#DzPomXOriWwzvjN`D7KN7?SIrKL^V`AD93ieY2SB1sBh-pn=K^JM6 z8acEv)sJ&|$qB4+hnlhb3i7#Mzi!+Nrtfot8Ok9BMR3l64HqFE1u`rv8%`1=HVnO4 zszt%hFQ$lY&=(v^57MPiwL58lUU2UZ8gb1cDKknE95hZ5$ug$r-cP`Z*@OcbgcMe{ z)1|d448+Bsqx~`@HBN&+$6Ptia)A7*m)J)7@rx{HIQ*ZR?mRIZ|NO%%6i7(QUQ8GZ@z=Tzi?7O!q*Z)9$+1(LuKa8Ik;( zfey@IG>+E`zKD>alY$ok*?VoV+DUl|Y_)Oo!X!=}po|sVr-Ers*J+!#O`hQcQGJcN z4i0=pRx5)sJ7B5Z5RHQP1ITf4NUFh!&(u_7!yfaj!9mCtR0?wmyzJgnon=Ei_ow_v zJPua%#^tC?k#?}eVVs;f;62eYggyMG=rgS=t~+5V2E~}r@4=qzV97C?$9<>PFc5=OC(`}khOf^=6C+^OFps> z9f3;!=~8LNV=jJ!S!}+Q!~Yo*CHxlfMiE(8_FGol$0FRP394&Ct@+9>)wWCAbvTrV zl?k<=BiucaL^Vx9dup=WN}se1HJTTUcP&Lm`k;B$P84HVnf@Va-ct zg;0W$t$hSKk9?r{SFS;6xWiX^zDY(El9u0nwv>R41$j-?ww!O@(<<0C4k$e+yj0*Y z?gV?Zs>nW1oDXvhZJ)(}aNwBp^V7I^&>LWRmX=fvQS<=BPJ%1uZMXJm0?aS_XB;>p z4gI)mz=O3;vv-#*Pe5XG0|k`uK}f0Rq9{!QiYRfu>FsIR{<3x)6XvfgJ*jMOTI18o zi`p?~l2gv8bfnQcHc4iNH0z;N_{X(iZ`vB|Wf=@c{tqWE6-`@N?>^P&xs_y$&VV6^ zsf42s`q(J18)`a}!GJOYi7Tu!E+>ZU!5A5+atoM}2%sqHEQDinOH>ChZ3)ZWmQ8%x#8pgZaNmD^%T z<%y=1#w{?!iT5=4b5k8suM7(i_mZUzx@CF@bnQZeo|viD1v|ZXT-#*)Wqt(f>|6Q# z&t7ej+{Sj}yp1z74zHz`%%;w@_p9v9^feGbNJ%KPhlX6Ypp@fa(C?bnH;XZ4Y8*yb zs)CEoc(z|x1sy%I7m-F4v4(z)0lJ|*J_;PPem+2W{UZqk1|s+U0`uS-e=Qx*4G93z z=I6P(?c7-j^d`dL`(g=7e>5jUGn-`oQc5Vgtaot`PgRc?8SN@je;yQ4EiR6pTvV8miqzA(^O;njG%{c!eBCVAHsbpPrNN&%DBjaq)iZ{uJf%sU 
z^KNkWf-wC6Y-|!BSPgh(A??`^#-K1ER1UfYQPR9eAQadrrihd~=?^~N;Vm1FxHT<2&P&Rt6RF-mM$%0gGXTdpOrYy{9jR!dW_P~Rl`k;bP_Nn1E1aV#2%S|+(TR*y!P#6MUF|f8 z?P`5)xXURevw|C{eOwgXD9{BMT?D2TkY`X-6Q{iIF?6J7D=@;w*8*asOjoFMmV>+| z@dvk=nl9O>itZj{ONlckL#=o*;`ib%*{{ktG0Oh%(-;T@RFA0Z;6ad(BwB29wM z?ufFojXJ{Q>M8|FcYY>qBG_RJ=cLdhbfTm6GyAAymR>`e0u!EN9g~HTMz1wP!jA`x znsTGwTyfNpmQi&+qmtwv;W)S`OS``ZUhfVuQBu=B>0OB`(12KG@N(9{Fi-#@RvWxy z*oHy!>MRw9S&1m*VpwbxnU!^XFw(W~pulvyr_WJf8TewLCPtZ>br6`yEM4rrT_J)B z0s$b>B``=PgIqeku^2SLsJ3E$gclLz{?Jj6>T>AlnX}pXhc7VOF?2UF8EGB&A&NCw z1=w&PXQuHNAB$~|GIJ&n#1guI=)PJeh4(yFOdyO!qg|j13DqP^E9n8HnRXp`jRbpy zN63^o9-b+v36i5c8igHso8hI&`aP|}*u7b-p!FZf@VY@6O3GPM7QwY)3YV+{VwXU4 z(+-uW3b=bGsTf|Y6(*;w9H{iY0=$TzZmu1KIxKI)0l(Z&BwNo^abOYC)Kz3~Sl=CP z67@V1Z)i$tRAO`@LIwoxs{uglSzc{{nlk7sOXpbMJ8ce(q_Z5CY7WPP=W!vG#-oI=8kJfDp_OtOU$o(H-x7 zvuJsKuDNsh`d}})(i`-0ZB>MpOi+lQC4Iv;=U@k?)_8@rbr}rm(}a&@Z;S%wtLK{Q zB&547rQ!Rz6xxDL7dz6hM`xppm<%=;8P~y8!w9M)aRg^XctHwM9*(_%c4lSnX{xZD zOt$i~d5uaTH@t+Jo^upps;r8X$gBiGemRG{P7n7d)P{lpGsJh4QP6Z9=`u2TxZ?wz zbSnzr8?*wtLTOHpgIZ(6`4|~YDOj9l;)1&(9nhF}Q=Sj6!Glbm9AjdmUOfA5ys7p-Zs?CxGUiRG1yMLp`V?tjrELGKZGG}OE~bu?oI}|AfS3dN(*yw z{_-gSKYxtN@LNGoqXrzM?r{$f)OmArH?xL{nhZS}VRYWa!Tq-BZkx@BYbm#+s1&k8 z_&Qk~ugIf%G%gMM(R}9+#U8%Wc&G(^EV)P`mrdjLiA7t&){l->=y$CmucU%}av%>TY=q~NI%D<% zbzu%h*d1~5{oU<4UXwC})<+ei(|c}6%3LBf$78gBN9Cgu{> zRx*!0dKPr;(f;mPZci?cOQB{?-Y@L!Y)`I#SRR%6DkIpcaP09?*NaZyAfRP{vu4m$}rp;yXcsu8Hyf*0Sa(!)i@jgWsW&T5Jw68`*-k|Na zgdKnPV8+#T8m9NKq!3TyFP{|1bz@?t-SQ&V1CluPPm_q?*8jj~B_}?0ySuUbePw-l zem0i)kD^oXcC%8i$%1@JEe~WIg!HN(-BJ@Wl&v8_oTH7C zH;4N>IK&&7lttz%63&#Nx+Q(xKU$j4H@&#t3`?*kej{&Zh4`{o<`JKnM~LQyj1Kj7 zUak{9MnyX3KQ}@;+-%fwnv}t}J`M*tzk-Y4@_dVg>tm0QbEob{w>J0tCewgPs0Gk* z8}ygi{%R4!lc?k$6(Rm8o>z|-Q+qmOFHtFB;~bH`XGJ83IlDDxWyuOM8{$I|V)&$; zt&FSb)-u${yr+Z{r|uW`ACYe4W?a|=TbM$2Be(Rh?dV4O>hi|lC#||I!L+xlF%Fxj zR>TGzDIDDL!C&|4j+vANOjB|gy#5jX?zv%S*ua|0;_@OUF6*ob)CCja2Cb*%FDt%D z6ao$7Swpj4Fsv*sBtT^0SVw~Wx-Qt+a=p5YEP5@nu(r0U 
z4B8C@GB^i!r{?e~{BF73YDJts3{p}VG#28=x1jr(=BIq!Gy|_S*4I{s4xC>D3a9S& z$cO)Thm(m-*HGgUUYZu})1iQI7-!&il3>i$eyy>7A+ck>fT6!U8g=H^^Bn_V;{?2R z#mHs)dpk;igiP6VKX)u1#^0S@U4nxedh#eKcZc~oh;Pa;-%Q)QFKxcpwxr_U+38k?;U^#jZ+kli}g)ze7MAS zLwr9#ENo*yS6f+HK_EzljP1r4Pv^z`*{u|$mB!Rm%2DAA5_IMld(4yRfUChe-2YFP zl;Bx3{{x#+M-#I5-Wr3IG+mfD?7QziFh&HX_*ncTwhy7 zCE5nnE2tEb_98&|x{eVr(sIBspJ4pQH*##E01}8Wg8%~D|4#SDAsJmrweKu?QquXs zhkq^DPN9=()JXrhnWd!#a!5k`JGU4E=O3Eyw=`0LjFPSzXJa5Uzc8RS$6Qsf%))Dp z^|h4=UreM}40J{rZ;lT3atVmTWYbe8f`*i&h502}xH81(hLe0XRQ`#Iv^EG4W4}2` z>B;@O#|u30cpH6FmMKkFTUief@xKuI`9H)ybr;pw84^2Te7+J}ztu8Nu5z=aIfO}lxc8dJBUCcxl1$9nI7{n*$f{x$J%T|z^ z;k511#W$QPD7=cy(zBia_{O5L?joy(gZ;givWRgoUUPzVqfAdZfXj4#4DYFjKc^h8+Rvi3ySuA*F7dQ;*IHGeqwtNEg&92!W zhP$i^sVqe3p0Owa(4cyDKLJ=E`S}Z8`OphP|3w1ELfvf?tdGut)4(&O zZU|pF)7Nk{`r0xYR?yJMfTGTr>m%5kT{@uE#)~X1uOvZ!tmKn-jS#s12LwHBR0frW z`R5QU>9f2a-XL!F%AcE2#8#A`j0K%0MqTkb9?xtmjFLTNX*rm0SP>`h9D#<;%JOuN znegqb{5Cpv6)Y#ED2IwN2C==ql8~0`A!|iwKuTyi+YW#N2cjOg2!u$1H-jbo?Ngww`h&*#+@KZ@ zcQV-{BLQK*87M2*47-@&%`ALq8%$soBxZ+Dk7IobLKFf34#HH1Ool|9d<~=1=9*Hv zA+~qLv?W(cG-!5PH=PBEgG;l_hInOV5%W(&$vywcDl(+#A#aIVw$%9IE`!Pu2@7hl z9%X%mdKdKu+NG3B>G_b_UM`nix1#OvP@Nm6QLU&M=CT@?Zs?f^4;l5Wd&0JjDaZ&E z5Xj0%opiew%qf(?5Bx?GP%O@qwGgrdloccJ{E2zcuJS}~RvQJ5fr zAfqaqDKHS^XxB9>k-{YWNkxani-Qbr7j2BI%Asl;U5-qpBiLSzi4{u7k`a^=<7T$4 ztj7Ww(zg*|RmX2+?sB(a3%x-N69X=;6JjRl&1kJJ&+b+RA6}fpao{kMR2cezRMx>* zyFrB{07l&h!u=mqyB4BH|15p*NwX;qi@8iX&iDJye@t_+oT*8wzfH0*Kel>s7_2Rr zFm6IVd=4GtMw#hq`9S=hN|MfISD#` z3MSzN8ALOq)m=k{LIoU$Wi-?xK8^>2MVXEqJB@8<@tDrP5_`8XZ`01C_IGXmM{rXo4&QSHYCH;XrAs7?AtIq zlJ`?618R-G7ndgI2%~CQ$cSIYDT5h zyfUBfZg1q8*3mc6M%6I>MG6T8jy;Y5xRC||{QsOOt>&8%h4)nk$$!3^PX$Mv(+2+f z+p{49gNdk^J;oV|b6Naz-KK{cDguBhC0z8k%%aW@u71A_-8R>Qf5smbtYa*!pi*aJ z=G$MnvkzmU(Ya24lZy1%9HPvIn(;k$RIMK-xq=VIVn-FzB5CONcRrGY6(omYt7@7w zFb;EA1EE30Ln1+rjpSUI38e_4jQ9XW3zCJjfGD0xSVf&Q8b*5MdZCc0BFJHa?*ucG zoC?|Sd^bwa!vMT_3cB8VuAoYYYcqiXN^T9AbU~EtF9;gmuIQ#-C8sCoRMJ+YG7(Xec_)(e&K*WKO#%9QyTT}$Ys^+BBSR*9p#6cnbdR(na4;X9KFrZ 
z>vjfS`+%S|E>=wQn#lZq2x``EQdtXqc`Fed3~;)QGDpvc)r<}qo1Q>4z})e{x6Pk_ z`L`*EW|G&@)f=zo!z;6BHlA6dnp}B}^Cw4i3A3wxt?OnN$^& zQJD%U$P^>$!fSw57a*XCWJ%fp1Sl;eI=(Vq5%L&Ju?#Tf5NI`Uv{ks{0cj1evZKA1 z%ZXur5SIUfNPl;GIlT9#RTb=l63uZ%A!knr&*u3Bm{tdUEFE*PmYFEg;qeT*g-Hc- z4<&e-5VGmuFwC+Ip){?s?2s%luYaj=E18m^1u`Z!={Sjm@ORXGu=i~|#x7hEmoei^ z3aK}Z!J)r{vR1NAs9^+4=1keos*7_nD5)U$aa+XOJM*017`#Xjph2S4}H3${)1kZKKgc1S{eZltTegdBc_-5PczVqw^_ynm4|A=R6 z8H@K`J5NH$x!K>!q-1dZ4|B+Wm|sRh{^QHaJiOm_w_G~Ue{7M8e{FyIlQQ-n5#M#T z?}sT{A2U|qIRMi+PvfL~7A%jB50DS%B+fxVL3?*J(fx`3K7T5(bi0P&!{fMLN}^_v z2$^(~1biooHEQIH^kxv(eHoC56Mgp&vUEb}I3q0PqX!p%5h<>9+l zi4x5ag+I&)bg>exLURkAe5YwC8Tj|J8r->W)V zw)tCs%l7v*;N+ExWwG^cNRrAp1BOnkaS&~OYgB?1P zz3RRyv_DTRlpNp|bP)Z>+ zp#=t;I5cgLgWU!;Hexg-*nJzv@h}C(rgL_jA6AqEOSu{`k#N{-@+hhwV=THMJ7`Rx zj>73TBe!8Eg2}rel+yjx+kCEJYkG2Gzx9<@LE`ONR;Jt2z+nR#%8zjn@q6lcgY|E3 z`5K!Ji-6&71$lQ&5GAJ4^bwoDLVPu;RyWosQ%>sE_?UfCP5HL&JLHU}Nd*%-DN!Ix zZ5k5Kb|fnn6?RNtW%`d_<0$&hwqtL(+Qn?9G&b<*-3a$dH7fmZBfq6v7v?#lMZGR# ziKG~fTBTtj^-&Y)r)t-(sA8|-K72Ss(nM?8-hwgcR6qhi^QDw56i0!8^DIUh12=W4 zdDE4<#8(iauSWyxMCQfHZzay9m)K4e;x_3xn9FN>RV#yMQ7z<#lx71xN`%nx{iDt| zMzaZfGZ(Vw(xQJP-1e0_XF0Y@7QeA-?&4kKXt()Hof+Ri-jR320nGrp8?}TeTB`+H zNGo<9%7A`lozM~A_!;6Q+Ok|XHB<)iceD4<*z-L!D9=>gJr!wj$lYPN{T$vV?o198 z^=)o}qaXkJ%xA`YwZ+XtJh_{|r;M4SmemMO{0aAWJSPA(=n9$KF0l3V3}JaQCkyj5gweAc5ee5f}_g5)8n| zZ7HVnKo)(|tU~dVYVd1zUgn#o#s1POsZ8;*IExZ&&jc?WqnN})-f$NccOwBSrKfLW zfdfKQOtP|d%@?u(Q0i6yk3%m z*7p~#jzGFEFZ2gDymai*eQ*McSfPuAT`}oknyj8}9+LWi<^1sInMjNw=en}+?|sbU zAUQ|TZvQf-x z^kcX5X{_7keOQqJ2EbutW+YTovMXiwVg%NHCE0RgQBxC16X-^uFNfxAOF+?(D3TSq z$YS2RX@+US;l+;9V$#Kt?*;l=N7)(EYrP+(+hllPMnqYpW*jDx9RpI4=^!K!CQYIj zMLr0FpnZ}6Jt14L%r&M*IX`}!jUHW~yA@bswE2m9Ue@!dM<4!qTmkC#spDO5$kYv| zdE=|jTykI@#~;Tp4x`L-W*A=j%-jTzOzO!&Cd9y&8X2OA>J`#pD|8J}b-V4KIaS0O zTD02=-Qu|#8TDZ6ujhg`LWqHO(g=tb^O&a~#R%pKhsMXyS;(<-^CCZQ3sk@CNPiR5 z)fP~MFWLG#G}Db8LEkUD-X^7ZKT`Au#8x^!tenI+uK;T$e4wYyH(h-II};@YC+hcR zAjnX+Pz^nK?uvhBekK{F#h@3>rtcR^QK~*Bet47NryBQtQA+(zp)YA^cL4%Cdh$iTj;!5UX 
ziX8}*N&{5YY)Td|me@uamyz~@&;)3A!Xv{f&8mV7sqHgnu;KHA8ht98#c60V^a;_; zPmj8@br-$XCS|BhySBmQLqn&%-}+A=N~^Fa{YRR8>j>#vP8IvpN*~=*<;fwNc&~%& zZAE-lrm57b{gw1eWLv%RaejqI>dAoutF@x{w{8f!d?5(itdQ626sPb|RSGCWDYguU z2^Gkc=g{+gcx;`ARv{UB51p!BTPT;)wY;9hZKeVZf@-d%sX|@kcs3)?)2}YtEKD4L-V7;9Q4It zY%+yvg*!TsG;#8TTwBlxrMkd)u-c71f777pGc6d{GoNTmnguA8e~OJKiK%~?lZ5Hi zWBNrIjn|v)%0N^L$86oahv%O=Z>|H~-36CL*5(|LRE=1oC9#HrBe2QBI8}M(U8=CJ1z8Q>1Ve^8&f`FY|9B zH>wXa`Pp9PPUQhbIt5f~gB_^d0|*XLA@KM}R=BS3#)*TM5AUJlpa59p2>37P#mLr` zD*QcQpRhCdBU>B6yo84D0$ve+aPtKWu;WA_H6aGA{% zxO#FrdxHRj%}k(6Jpy#?vwa}aj$f43=_-*cUka0e81?^cpVXhX- zSkUW-*M4du4QX{*DRM5{1;rj;pdealme?B`NU`i$5Sc#<|6un1nl|-7fojrY z9!kz?xW)|6(a@Z7xVO4&FAZ)@0$xLI;H3h4-`Ecv$w7wW)trz^Q3n_9 z(%GTJXyS0B$BfKPd*!e$x^~Vl9+ex59>NnOrwKpPqhpSS#-@rRvRBBW`DA+gnuG0g2)yY{nbj2U*C5sFCXai=kDl@8=yf{a~Y+Leix}3hQ-aTWG-s-lU>6jLp z$HSIMNX$=hBL83*Sl!j)5*fT)BS z5wJAgseD=dX{0kDSwR=#O@UYM>Y(2c8!?hg9c5&I{s7|&0VnkYfHC{QlV@KLez!b( zBnU;6WDqlC7;o0GV=Y`U3MSz$PRP}opcmr{MhS_?~AJ&LwP7-&c7U1fDJf17Fqn7r0ZV`c~j@ z2)D2|IT31rv9R(m!wD#`8A?`d1fMMwSxgH_i}!to0u+eFoNE&L5K8dEMmtc9W`OJB z^h@3mKmy|ApJReR^nSs$U&k+qW?2TVmUL)h6Gu3uBt8qVg|FxhXe{&V$^~PtR#gF< zEkXyugoT(t%*6y<#Rk#-NT3?LTj$11F}3ojvF2JhIgxfv^Ry7M_OHzPB8MA*2aAFBssHE|~{LE=zc4UPYAsftv|H25@i-r4w=% ztKzAZ6fJLSKoBO(X&V<>*?WKnp?3qe2Xk6voOxL0%K)g@gNvx)QiK%Nl3jmGOD<&Y zb%FE{mt}1$hz1n@fZ&8gpsOeKYH^hX%|cbg&_pN1kp-G?FFB0RqB!m&)=6^^L|meV z4JDX_XB;p!nPn6p1_>X+oeMAp1=_StdE~)th;2rO%6zT>i6X-G7i_^&VYB*XGs%R7 zm!zJ&GfFt;Dlkr+QbH~*J8sn%&$})lq5w`_e$m*DemBl6mIT_9>|zeWhGSvdPGY+2{-mFG_9!31mGgKR=f{6k_5(OT97fdP8 z2o<6XESB^0$SKgnv5U;k1hOtti&v1JhC(99^Yrw0kXf&RW&3RfsuDw&5C92%RX6~= zU}`ejZzc*3PZdFTagdpp6VknCYSv?*Vdg3Y<$<3^RI)Y(vu&7gi?9kkVpbGLii`y| zOsnnk*LSD|V1nL1+o=jfQifNeTr*3SkAoOr;QItd(=E_YVL1jsg)q(*UsRyHvlQO4 z3AoqX9szdLF!=ztnzM`UU%%x1X_wo_RWkJ8d;Pj~*J|EArgy&Y(5dH(tynoFAD<5I z98ouZy?xiHjz@92R;!+0PB)if=Hn8PH3$56_W9?fck(VppPTp9TICccub!9783H`y zQfE^wMzAn-4igPdYV*-N#WB_2TjoaM=%~?R&I*pc&R6) zvku^CS}wm-5EWUN>}e*T?qNW&tZNjYGSUJX3xE6dT5aGbtD3nJZ$zsaeYWnLqoBL# 
zH)Z`)vutTffi?NMql=%Ci~+88RgcYRWGu}^L0uU~#zCEIB&i9udDbWhK3Ko@nL@ZcZ%yQ8r})u~ z>s0*$q9HRZIJ&QTRVfWBvscIaPH+_?6Ip0#YRF`4uWDt|&wvJJ16ET-QJ7Ib4@^pz zz#RY{XYFsfuzFrCj#fhL^ws@*z5URBWc_o_F1|PK;c}I-{4L}VK`o2!g(6AYA4gaV zgCZNl4oLVBGnPZ!dvt5uZ8&W`?h5S){g5ZlH9bnBysgMu!Ro2O}b4Uh^-efND2X{SIo6bhZ z)2RTdNcIV84fAR@2$NCSSvBjl6j)$J^7MW056;UbG@TA@d}%t5DZVrg2GNCWY%f~S zhse(jF2W%*qg;U#Lue?Z_7w*(%wI+iix1voxKF^g#{4f(_#n59%D@6&dCe-kA_(}% zE`V$(zJ_+L1a^xKMa6;LE*%o7c#zxWn_W(}E(UeXsFg}k*Gv-FMMEHXQ3Ny~T)$<| z;-fRRz>3TTQ*#YirqJMVSfT{jjy-3F%av5+H6EMxc00l^UjBF2NeG8&z!vt?YH5mv ziuLU_{6|WL9unfIsXgjq-_^9yX+YyDhPr4aKwirQIYV4`et$s79iQ+g4IMpTN_V5t z*{+xCkEJxPXp-*fUa#}F{2 z{=L~u?Y_5!H!2$=yj&;Es7Vc9_O%b8JwYkSt6DL@pVw3UgBhyM72TOCRfWZOAHO02 zp1(lqY_uz8rU9>)n8A6v2qD6bf=encvf&xTs47tr8@R-MxwP;lY)npxUil<8Hv%Z> zSlb!U(Ifd&O z0|}M})KT%opbd31LN0^{fPp(A+Yew%v^r^WiGYrfVGfc2^#H#Yj6Z60oM&>OGC{qC zdPaf~(sf=?YRPaOSLBMY77#4JUmri>L+&`>I@|# zdn@e=t>hnP@ox71*%Shui|YjG2s%S0%ewn!9&2x zg|MOLf|iG(3zq@CE?5me;bE%WK5_)Z3%H;wp(bG@^VZ-!1~HE z^@t>)P?!+To8IXIbnwi*P|TffwPKHWOdG2Ubg{u+AkJI>)0cMn44%ARabaHb_{NV71?!ZA^vg{)X&J^>6w3Pmp{1 z5xj($7-IjQ?}g)gH-CTJe~#+nzkzb@_5J1Yb)AeHk38M&{PFcY7bYuzuJhDAaidW= zAcBGQZd{b>v=6VFIEO`rlxgPi#BpeNufw7DYa`B3>6`13A1No1CXwam+uYB!NHU3= zP>@Jg$q_Q~DIS|Hvws>DgBS-3K_Jn_j|~%ti^WfkMb`g9Y6GA8S16H_;=?&`9-EKp zG@zD!JIHpn(aij8M`732?o;e zm4RL=Ch|Dz;q5RsuAqs>-EOwdM8gytmWT)sJL-3G({~w)c_Rc%Wbpmo;2j-m%r39MuR&T$#W*1R^XDs-jSS z#R=|J!K)p}eaSc;TIPFEJ2jIYO6#>*5HtN&brsNI2@o}v7heLC;FSCom^&_bl1RaA z*(+ol=wz#Z5aiv~rdMA7HOfq{BlETaV&f{q#Uk?%C&%je zno9~DT8yRL1rWthv4!({#wP^usISlu-}8RrRWV(1D*S<_q_WLWMx~xscs3A~3%X7T zV8=e=Om-a&gqS$59n$oMCc0u)CtA^4|0QvmBBAe_*Y)w}aeli{$WQjdz4uk8S-{KM zK85{^Mc79-QvJWt19`$Dy1wedi!<&H~1p1ZF{uO%G9J>+Z-hS8G%`0>eB$>nIbaI~9P> zNRwqrrk)gqET`adq=W^Fbz1>C5PjmTzlW`2egi(SQF|zz4b+R8u<^MR;5F(LsF!I( z&*dSS5RwdBAyN!I@guJ@Z8K7P^kz{|fIj-VPDM_3W+&|c?YeapG;##MIX^N`E9<&4 zBV+i=?dnjOP|A+?NQ}&pfY(_mAl4eh#P9AK@4U4KtTbbh}OC6%#gv{Z| z2!@eID2BZm!PBYi+M4cSYtxs#Y{O=YiQFvk0#2#2z`;EkDb2fMQ3|M!5PC=q=W!?B 
zm2=rcQ8jm*gV~Ne=b)a8s7ES@NKgJ%uGjPiCDl)<$f>tLfO3d=?~>bHAAfPNVduoO z7s$>_$OFAf+_^Ss@~KK$JH3vgoKUlrLhLYrsSEWTRki7_jqa@?cklrEucOC38y_GW zMt9#TIKY&uuWcbwxyALAc z{_QN}a>qW2`b@CH$NhxM4Rg3&cTNwVoDO^bW)xoG1QR1Q1|XnyZRUvoig!mrx9muk;M@7DUvXavp z*OTaFT6Gr>PV(t|FM_&+@oNWA8!d1h&A2nJ*&J3{W~u3IOtDo&7BTZ;7>{GXo(&ps z+!J^}C-#@fv?}c7-CWcW(yO-~rGR#*!FEG;5CkJA&mAs2p>M(c&ax_DQtwloI=^%Y z3cH=>BvgEUV{97NOCDdYRwBFPb@}wTbPRug{P6TUBQO(kKh4Xoc-f?H8PhZGv&-cY zJguA>lMa{HiAV`gnfkm@IJ@31{{IbhqJ4I{z%GB|zgOTG2{pT&-v3^r&c*$DLwaP* zuaNgiO0*9#vt|i=zO!;loCZ(LvG5Y>mlFZ8@0!|~obw!fg2$3ybL+Y_=zgnaIc&$0 zQo7c$g=Dz8ibRTdim~JKPwVwu@3fcAn{=D_UbDh_?edga<#Yq9j}l=Tcr0RGrVexm z|Gie%Zf9l!{UfJJ-Y}6JV*Pfx10Gk+qf%iy7Su@;DGaBtcu<#T{*5FK>z^#g(Z;!( z38!q8Q@CG{yABcF0-cY#%XVE1+QDfJYUo-$xG{Y2^^)slRcUf?0(u` zd?Qn>;1fILN~9g#J7}#XG0!Eh+gET@Iz)xFDGv+p{;az;>omt;!PB~jQ}L@oJyLIt zEA^p>u6Fy|$jtwk`%(VB=L*}Iyv;nk=2y-8L>1g;_va2gwHYy@E9YQTj*G{H05j+M zRo7YJ4j~J)rNdnaX_gwLEEPxee=J>NnC48g9^1BU+qSJ8?bx<$+qSu5+qP|Uch9rm zd;X=bRPO4kPU`MXI#mgLo=_M4$!iU*@ZHvZ_1awZ5En*nD7=Y0o;;oST6_DxyuJKx zSI>{Alt`3web&~e!c{ivHW)$tMFti%sv+Y;m|}Z>XZeFKrk@jc7DEh1l?P2h{d#|- z4-DB8DVwUFhl&zmAY?A`T!5ShoqvKdbst%e^{Z_p3n||u9FfvWFP|&}-p7emR z?6iUXr!5&Bs_1BjVop#fVqPP!Pu^xtRbS!-Ym%bJbNBmGv0S^ep25MOl8LZViq3<= zXrTUt#9((kCeS_}KtbOvLFV9nt0E7*D-XcErND00s9u#5#}HM+Gf(x%ziR@;I26om z2e^|LmGx0Eu7bk^UTPSu)VG~WIuw|R`_3V^if8Ie=K=n(p}|GSj+!w=-H@`$lU@J* z+v zgbIhR-2ZUbAHsODP0%M5ZB>{*FQ#YMNn!bk@)N}O$D{OY;`djK!WGealg;4&perJ`82P7^=FZ$FI|bEh`IdX$~= zcSLFuuhL3dM8y269%KT9{F|Wtf^GwZ_PimvS>Cg{*`|c}%MI3?O!6j^fV@ON1$e;d zJ^RIvo!$q_6^2AGjeJk_`X# zZ}r^c44k}LA!d5f4XSzx8^9740TBR<761&aB?8z25?~~R_yv4Q!NosUTZfC5BXq}A z)9p^Kfpw^mdyp`P&l!Q#HiY1O?EbUJysJ$wNgwpcQ0zQ&c+cSgd$pF#*z6wk(1#us zygx-h8uly;S#fcy3T=dqTnM3h zd8|<1R$xFzXC-iC6(~b&;1*)?sQ3enj>94UdJWvl3)l+PALq-wq>HZ2(&}xuHw5Hi z8S~NYpR}N%8YORH)@u3R{7xZryF-pt8UlYR`riEoBWFD&`nk8mC2yUf_rXuOh}>dN z1;v!!atdA@gF#-9!7y0eO1o|?_*_(4AL z2NkujEe`U@YYVXx()OdPp8^Qm5nZDhNyy4+y={@J6D8#%;GVHEMrpBMI-O3#a>nN) zjak!DVoL2DxVZ6|%1LwJ5PNaj=UO8gR8^o}SWP;jz 
zkY!YTUM)IbI<^fKegOnkxsr9nbfE&-Wm9sBdKQK^2+tET{ir?1((DO5z{s}ukz%+7 znG5KGi|>!!tR5eC1ncr59@oQi(%|8)T+J#{K<636)wQop4v16(0^?gh>pN6@hR+fQ z9ebY5IB8pPlPx^>XHfE$yyEx!1Zks$7#`_)$qTm;$11WFN15S9?^Cv9!MPItE35*# zNjR-BXxw~56z*jdT_Z#^Uz?d0Gwpg?U#m|-IX!_nzt;8U^KZkmgE<#R6z_EWH_#pe zW0&9S55I26s^;c8DF3vc>SX*d%YIxY6M8c7&z!{oXJXSMDD#O~xwJZ!Q6&@9o z!|aIW?&U7Fs6zSu_I@2aE^hxMnYl0lp;Myrjr%YEm`2PjRz7#%V&#C=YtZ$GhDKjO z{~?iS?z5QYb3-$BYgC-RU*s9B%IA-LN@Xn_%C5T}5pXyc{-!3PXJt}t<*+7jD;I2x z_7IXCf5vVeE}R5=Khc@;r&#OD@NDrg&3gc&C$p!~Y`aLSJhgZlfMJ|k$nzr@zUsuQnJIUhU6c@ko!G)FKFkM`zNZq7_k^6;3 zm%Cu^=Pt1LH0=*JSg(xh- z5$o9OZLYuRlkn5HO~>kht7%^&+eIH7noR%6vlGEpPEXU>UPT8q78414gg*8VCu zbFHWT><9ZJc1U`~cKxJ*IiX#VlEw83?Q9Wx$eZouV$bH0MMllQ#~9fFEY&j?NSQQ=toLltrKI1PorYn z4w8tCD+7OL)?N3CWDcCg@foew2EVy*<24hC4HCE1^+80(2u$Ndc!!mK3h`|ZvV!E= zrp@L3;v!<50bhq8oN$+au;5@=8C-~hJKN%UF@*;E4ky8HX9DAS!TvlSp;eBDkbVoz%8kuuGgck*ZMKsogzYp{X zGRIVp+A2!OwHu4lwc$0vj>sT!f;n-2lM*%2_-A65V833Se2(%)w7JdfAYb--5zQ#0 zm!0SD9;*YaK!(JW0d^XRI^w^+It9ms4-XV&*-HH(3M_NhU6IJ=rnar)7056%-h8fE z(0lz={6&(AT5_L2cjfM(pQv77ZMf>tlP~0UOEyAdOq@zEVY=--iYWtHb&+-YXwTP& z3$)3D3vus^b}Uzd5DM>RyNc$>bd3@rnvE>Vd0IDVhzp-0SIsMgPa&Ts(rER=T==qo zWS)HKAc7Vv_;Oe4w3PF*Z#|N%o!9vedhhkHDoFm)!5HyfIx3hL>@_NGs` zBad|rI7yD>p!|e_rZQQDZl|t1eV^&7ZZlLk`(wd*6 zpP_ilGRr2N7j@=`!aFF81y{eTMc@|``Bm%)O$^KNL2&CWOz*yh<;WIXaI2*B=sHvS zW&A<#OJ_AR(925o3FwUsI2GFr5mIGmv}@;k%em$Q3q&CHaxvv@Nt!;sNQEl`%=20J zw{a2ct{Wt2;q)oI2qU}+Bsc+*DQliYtAr|ylZ(#cV?QlN%gRtTecB^zBK;nUIX}-T zZzRSSKB3gz!CSgb<1;uop|oZBDQBQ~V4dhL*t*-*g`L>okyw7fu~CRL*Tb++(Eq7KJ&1S_XLKg|}4DiSuIpe50=IjkP=H9FmsM--My; zCzX#6bglU8w)IK}?L-26(Mkqx{>+Mpdz?sbpes9~A_Ob59lU2;{t5dgDw7+rR3`V! 
znjtPOiv8CKkl9t@I++?N!`cZ-5VF4tUhur1b7cRb!bA5rTgMGrg0;bw;SH9~Q@7De zUxJ&(zkhR-GuN5aG_7~YDfSBPCd9nOVEH3+t*6T|-0}HraiB4UuY~yGbX>B0RjajD zF;P=8f*04OzIjq-G|!xL<~w690O=PV#)B@`x0N9q~-&@vqo+Ya$5GDNpdwwY1KHQ)zJ*@Ot82b$RfwHhrLE-I z53w2ZWFr>^ZP_Vj**joP2Qu<+jobici>h_Xm6~=x-p$#ec3a%fZBY5L`m%si_d@|i zqoz(jTEEGknw#*hq1Vjf-up9ozja|(D2qYGzmwp%r#h9sxAY-3rXg)jUH^!sX(m8} zQl5C8yrsAD6d_xI;SLD6H(}P-o4?q|*{_c)#{t1%M1%%u8&j!Tn8;nl+j_eB(R!b- z`w%$$HrNTj=I6mVM}ubog>1)``eqcR-RsOffVzVA*D#<9i9n}~Z;BeOfCMvZS^z~h z{$>r7y{zpxISaIE?r4R&kkedGqr$&;rPWux^ZU_acRe+&!yQbjeu(b$tkUN6CL|cUkbWZK(4vNmIK$!$CJo~b1?}l@o%8KQ$a~iTn4+fNlbjK_ zfS{u&T;z8_<>LMCK?XrItsnB4_;hX{SdgmNLhNU6=b86VnmMXpYxk?{A1OsXvZU*! z>+p$|q7dbAEJ8dcR3{R5is_k*P?D2IDkgRrtOk)l&6T*V8*}5cgTIKEk^B^2I}+9* z-3|plQ@N{mjLUPbH$qnxC<#%W6bq0&`?_R(O9F2Lf{c(F^+9ecdf0=!v`OL_ z^nPW$9+@gqHl)}X^)Ax!f|#ADxY%|FOUy0RSJijvahKLs_+*E19qzO^#_2L(??N=9 zKfjAotF6T{%3L@(!0`lzGPd>eu#n?!2DC(J{(M(TV9k3fR?f}j+8sz1;S5zIwOXGA z-??v#;f~EfHrW=?Cpm@lKE18pXZpkqqH7Y6G0xE_v1D zC^B7expL#dWH4=qy2unhvHXEG#Dj$B@RyF=@{#ou19EzJsN@FMyThb$tIc%233gz_ z;?0{l=^&aKATTOd}&@G(S#VPQ|Z!2Fy zAQK4JUlw=pNj>Yp`(PH0zBBYOuQ>U1MpEn4$BmAP z)d3d=3n%R8^HqrV&8??DHP%;qzpAXLz<~~bf@!B>F78IGNjV!k0~_O}-JI5Q@ObyN zqc~{a%p_LNecfu(t{;hEYJ*60*wg%pA7`g_USI{&E48JA}A>evXVijk7^?3IjkS#!15qWz^L~e z3<{#~8CuE9_K0DaTG_5HQn#^jQ4=Me`;()q9W4!Yy7J<}wFs*Csyt0B(^Nvf)8=Q1 z8ElL*)8hRFF_}^i4P8+IK6-lwX4MMuo$cC;o(r!XO%gx@!`2b9mqn2YX?n9_>lDTa zN?@%e$Y60_kY2dToxk+WC5!~yy(&&4WQ&Rt6H@sUf+^V-RnEm> zaA#+N=#8Kw_G#$t?P@sLuhH6YyoQ3;mNm?m7MG*GY-rD#g#igVjtnuTU2Sd2+{#xe zt=j;81J#k2Pmjw}SvEK4#>K|MHtPpq_}n{NPZ4fhW> zfL3_C|K8dXDELpp5+Feh21w0Aou6B3nhneZ>H$kb;P>~nO;7FihNro)9%|dliYD;? 
zF+yz(4Gr&uqUN^ydTuaNy}M>@uC0HqEThHzCx9Jh%M+#zN277@W}h^+6{pPY2oM?S zrEs8?kzdL{LF2z!;*w=E1!ZRRkw7Q69IVHFh3%oo#%#CMWMD6DsHbn*te^%j6BD1K zf8EF-2e%VtW{|7w2;F0;i+^m>J8iqM3Y(_7j;>ls5lfG2lKZ@-TWN>|!UCon8M=G9 z=@~u207Kv~dzHg!_X<-{jWU&(qiw^^1i}kJ@4L6|>#0R@o_BMd#ksz!Dl6mEyEx}2 zoY6j1%ErjRFyQ+>6#|%byj#~~X0qt&T6uw>R;8Sl8SLwp)&vYx3=Z_;5Pt1|N5%Xa zAuTw>P7~l^{gvgEa9Vu+&;rC`I{ZzcMJ75vai(vb%Dr8;+Z!2x{|IcU^o&w} zM|sO8z?0L9V%t(TTT9`|YCxBSSH8%~eDVTVlF58RUE}dy8sz7_)!A;HmKAH+X~xc8 zdnhBRNLy!aPMw{p(mNOx{)6tkJ$z)gM?be>V|}frtV|K$uE>*r5S<{T`bJa$kl6n~ zs?peSzhDmbck|Y5tuHSuqJ^ApqyOKNASH*vduycPVb65&wk5Ir zUrR;86CMb8_sCS)p>+9%I@MNJveEM=Iuz!YK0BF=6iFQ&azYcnuW92>-a0K}OtvO( zrs4-0zk2cDY;Gjf!<;@iINXVzwn;RW7Z>LK04yK@%6E3KZ6Qq*CH>_pP-j1S)5BrH zpxp69(Esd%3eSR)Um;ZDuKdzlFJUN6PVsUOJ5zk{5rF>4n>%~bj_|=*HNC08O_MXpV*NsKP;>LAVt{^a4&^PlLl@A`T1KV#o+ zcUMON*5{oU{%e-HzqN6+vA4ooJ!@r*4GmoE^wh@M%JZ`?2o3;xtMUI=FQNCK0`wZb zoYD{#{gWp&enxuoc!v|XyS25ovA&Fy*aLg=;Oh7f?ghU0Jo6ts;s2kul<50+TB@h3 zy|uBnl9R!U{GYbzE^l32z|bTuPy)0mfL{Hl{kJ3rKgvIKNB`d&{NKpaPpAU>&v~~S z1UCZ&SA}_%QF(*_|291SXV2(B>@L*5wwJrTwTZ5(}op0;W(2QHJ2@x_Y>p(&O!~ZgdjM$Yor#&ei20 zy#>$#u3}W4{S)roX6~$D?le(uRa9wD`XBg!_7?+k`tgb#@Xq)}0$2tErW6 zbOLGcBbQ>ou00-Ot1~xzw4%b-Yp>fSH`u7&UL#cjrN#h}NlmicB}AV6wwZN;z0Pd( z!ib~9<2<+?ONDm|1Xol;br<3s%=EeB7(4=w+8?-<&1~LL8MgBKRjWbw*ew?X0SD95 z*0GX`sJxVv>9|>Sf{AQsC@#QI?;Anl(a~UOrqyuNEpR;3}Ts^ zjSy0gku#5tmkF`p@SsOW&VI`kDZ!O~s;!Pn=GUS!C8IO!mDEL#gYrpy8df0e_Yv45 znNVkYqZ@N${cKjUfIbQ+#WO0m%CwnTvP5{Z-T@|9WyiJtNm)lrbNpbDj=ZNxbH#!x zvXpFU-}JmBLM*zg9$Y`_Anj%QSX%aqENs@ZWlB!Qd_3lwi4j6J zkfU{R9DAxOyDJ+%Dlp-5v-48m+~~-VAmsH<(Dmu=>TFwDT%IVNNB2G#5hh|^u)ni8 zAlra!mMF>w72_ecPkH9X&^73 zpBCqr#>tAUHHF8T2%DLJ*y=pD+}ivPYkn>*61Y=q46b>5psx!+8nv`p3;9<(N#Eje zr~h>ZLbIOFL0Rj32?b5mkIxcWFq=P1BI{#1E>{NKnn(KmjjgK(Ph9ZfRZ$gbg$loDxSL-i(7#a8&OuRISzZiN zlnQ7K{ChHq=-f`S%a+tj}`#;(f-GU z66dqj-0vN`OVmXxZUF#U6V81=GsZx* zXp#x|359>|N|cR7w3d)?JJ@a$MYw1Xq$A z{tm@dr7y0b#1gUu3N?ZRadf|U3%ZJc#5Gg^H4tSZ&hh^4=2vOpWku`;$fpPdNi2D& 
z?lw2QZg7v@5<{CMBDLrJBmOjCgENM!ra)i@{!eGf*mHht$l(|z2SiIZiOf7Q?Kj69 zzAbX&9WgV)kzR(v)s=T>b@_O$iv&86<4#Z*e#LZdS?R3wY$6wFTnbExJ5gdU{%d91aMuiFk;4Gb)nc8NTE7 z@#!OMgZu(EwFMS<`hzVdVA{cr3o@W(``OthT^ZnYGVH)V5AB+zL_sAI=Bfcnm!>+# zWw?XWan1JacFud-h9jfZaw{h>dK*>vxSUeIO?Y;G_D_G8x z;iOn}hWGFGv(rBH)U^ma^7zTHxbQO$5DwGF@@(4xDKrytoTVWM88y#?tVJ}don93nn`Dz8h_x9iZchQkXBRj;MhgGif>GzGgA0&%#yogA74T#Ujk{;zEdCwGab7{5T)D)5W>awfA^wv3WBA;23XNnFu;_ zkrGjgk`f;;B9pBYN42tuTF+y$9ayz<*L(-BBeqEboVglgq=bl3h2n+ES%+scL}2mV zP)45WDaTMTE{0B|0Jy8+2iEGA6E6!LB+Lu}UD9cgSc_0&3No*+>SM<^3QxFS0{`BT z9*K-h9baBaT$~;=3iWYat|95(nG~zZ%}oFiw{#Odimq+xip|D&aI268)4dS>iy^8_ zP`W54UFTNUY0;pU&ga1J0UU5Kn6tY>QoR5UxjEh|dt_@}3KZ~9N}3%i$Q8Wf;EwQw z%a~vyS3VrthW!D&MaOnWHUTNDbn8#kQcpLjejni=eIoTnaKP5~+8>@+{Yi#MV|amh z15|il?r4FI)_Js~vA^fY7#6}8$Q1(U+O#+2QF`pP#q^AVER9&(Pj38=y zRdikw5d-*BW5IK%*C!O=0pSz}e_~LIpy7dFf=4O~u;hXU1=RVYKJsh~2C%Zr(bMg2 zo0dF0^i&NO+2w>p-|_(8tnknP|Hi+igtp=3#W@_ZjHt`Jg#p98PeAABP**!U8-a~= z709-WIHn8t+7#}aF+u10Jt%j*o0HlWPI}~wWi-|TY*SV9Nv{uq;bz8>5jMuQil>5fAE`dYn#46_SXh4DO5pP<0#YI|Th2RcA3Cmzo-6{d>zwhqq4oc&fTT zFI9OJbV~lcyD>DH@WCyBq;f^0pe?D=fW0;>Dxgc5w%DiV2{BPl0?G0HkL-+254LbJ zCqoH&4b#Nh#FTGA8nSpbl1EhiY8lDvPds7N=#oe0?Cgu0JkxlM_9f#zSK|8oq&vfB z8OC;XVNS?*a*)ImCZ0lEOB(S{w@zlAXjoxS9RZRsrClCScrnoniGoSm*+JCwqW)bA zH^V+&=mpC4baaDpiuXEMhYYKOS(*KVA^z!}FzqLu4Y)c#r8naE?I2yU@P)rD~(*l=v;{0A9g0js_!<6_;oimOp^a<^qiSNmD!BTJZA%z-U-2- z-5n(eKPL?>z8qi5?6%|k0K-}nQQfW{i=y3l2G4WXx32Ef(@iE^pXH9PJjT4|ENPvo z1)9JYI)LtP!pO(W^$cO_S4#Rl{w9J= zpGG0(r(U8GpskMR=oeSlPRAh;gxxDw>os&OZ`>#djglo7%w2X+yZLwC_-`%}cde$B zY^lcaj6RZ*3JwQ#mV`N#CNBCqTcy63L|(t-#uGXd@{`HMNK=#Ve(CORvGV46(^Y)p za|*t#MIOR2PIx8WO&gPgsX-)iuopIqmuk3&NQL?JEZ2bOaZqHKM;B{jSlWzMVo z8EsJqO#XA_58nv5oeGcB#;(chRjeNLnM7(_m>`T<9wAa|MN^wXOGr4xu{&p1sV~cz zLT`z56$YZ2`WBQEEna%3E+V)mjHd76;AcO&wfVnPx}6d(Ld~kdH)*3)ai@>sEH8pP zk)=S!OTepv5k4-QAMV;rtqMXPUPk4fgaJM+CeklDcfVBV<&#m5 zqhc(yu51|B8R9N}B_l;i#9i_Ddjo8CP!Qi45j8}9tlIe0cbWP8cukTPizfjK zzIP_$I>saE({q$H|E3Sf=GNHf!!;_iEiUZCVt%e(N0FP(Hc1(wbA#3w2x=esr@VAE 
zRN^N7HyKh<(yGkratvdb_95j+o6=EITy_7Wt2v2^>QWIW^~vMFLe>jRgu<+tj@iRW z`OfdiEe8c)U2*aI3rRlaCXXM<6w;u`l<{=Yh19wMmMyi-$u1?7?7KaJ#a>oy&+=p4 zrcg_Jy$>iNK5`vZL`)@D+7N8D0~fiFMV0Bo#e!&!RlAu)U}v15JjB%NBe1InXlbW1 zZ1qAx0>OQ`Vl7f|GrG7-pwxa|*oQ%lFT{bMu=tZhoa)DucRgxMdnEdHZ$GI952yHZk znL4aH=0ixi$dDTl352R+IdqKZgG~S0C7-BNWOotN;&%VTLtS0j zNt$4QIYgr{yFgdXqVOcFhqw>hkl`|-UR|ZcR|L(bSgy96g6#K#1r2@W z@l&jKXShSr0*P8LS`dnAVI~{J<7<>8C*(am6UMH|CI7lkBiKb1QL%W`15%73Xug`3 zg}n)cRcC;f*uXTyU5QP{aH6AVuA#2lc|+3_GIcN~Ufsz>FihZ>f;ddInGhLFTlQgz z-MXy}@E$*KfQSx7E2Q>PnuAk7fbU?QMz4CCqbq@VrI}Tt=MW@4oWek8RKFYv%%SQ5 zg7R5tg5IQ$Rld0cy?}8%{uHf+@hmV8uxz2S`*UW;0Rm%4I;G$s<_cDpqVW@( z=qWp5_sCNfR9?0iAb}2t{a|#Mwf?w4iUyJ9E33y1HLw_D9zO|(bZ76Rt|^TeWl8tZGSvWRpDSMZPyEEVJlO~)vy&|D_uYGdAI zFmN({&$U_SJc)Vd8tGNP%BYf8NOT`5VIr0Sx>?FO9^OPy4>2{T&JWgqeO)IMaKR>U&lGD`3dWasYv_lSSSM_2cp2!TX58*oCJsN zq@;-6H2rMLFCyxi)xt}8@4Fxbn+X;&{{d6YSdMCaP|M9Y-_WZ(DNgfVI)byEtQ>|8 zOZ~pclH<=+1U4hb4&4G`I0;8P$p=*#D2pNA-9Qv>da2VvsKMrECJeJfq^Si<1Y_5m z@rusEZCT{RWhIx?R)g5sy1>4`Tp+HDD&H>%J;a2uk3lS_u@P?yxnEY_%^@i`l?tsc zh`@4W6(qnPPpYGq7{tBx9SRZPp*C;!)jWS)4atenmY|QcX*j2jjG>kuwI?>IfbAlE z6~*j2ehwjgGC5qy7|9=pm{AF&&uDzR!|$C}4Djs!77}e%e7n z;N|TnI6MIbUY;Aj)O#@&`<#d@edNv>?A@naLz;r*WvNGuRKvOZK?a(x40B^OmXapu zNNGJ~L-uSKCpH6Za3a_G$@T71>ocd*($gU~g8QxdBLTE2Lvpgk@H$eGjNCR00*fRY zxk%l}X{Em^Pz+5STLtcCSJzpE(Ub1-SZ*cV2;>*fV;ivM7CK%4O(9ZM8xshdbgzAz z9X?RJ+ew>HK>jOY)G5h~oj%FC$^t&{6m=d;-qqBD;o`SbuH*69{vQ|8!PA@;U|sa7 zIBE?x291GcUK%M{uew3ZB6U5b{TVPd zTXa)PF}PN$a))QZp0AZ;NqY>eIZ*TNpSRfE8jN(jkq%i_A^0kgUeFy4q}$eSKo?Q1oYC1w2k7)d1@%$ z{4T_z!~vFei2LdjdK&VnzfeGPYudp~cEog-H7Oo1V*-mFOQ9?d%&fic=Lwopo8hLw zGQsA(2jUjoq#+*KvfBII!x@n`ipaAx9EcH1ofwR>u(QZt<%P+!a{~H6{u~G~$ULe2 z7K}i>bBWqL+b@PJ>cCr;voKAir8&>k%rA6}YQ&Mf&dq+W0V;{yxC&$uO=+jNJ^CyF;7Hg z>O~7oYU1ndD)TT{_nF=9O_#}bz}Bb{#Rdc44B&n)W!zTFWLD4Ju!M3Jl1CEOuX9`^ zpu`Y+k%3{{D_*v94LSv#gl@(NN=f>XFbvsmQ2`OPbBns1ysT~)=9D33vZQn25fBAl z=%BYLp3_={pI4umK&zn17>$KsMUX>`r)cwabN@5+sCAoB85Msg%$5TmyS}5TKB09h 
z3oBnosGS*PpsU1FLSZf_PCD+lcQUWli{VNuV;Qp3RBpsI9dWrRC-cG0>q=>aW{1Jn%V^>>bGDw3Q3*iW8ty zO)ujptC_8C>V~Q$`2jk;>a)@FVg;tAaRoK+@9uys&NW~RDPScKF+>|D+7B~i;gXas zXf7&Rxq93^Y9WMIOm*PmJ&1jvN)Ixo%n=$JlY;dHjH^K4&Tq2vLDHOP0_4!85|0zT z$t?QZvQ@~9Gy)wok#Jw9SW1RX!|zlP9&VU}N9J$VYppj#3k&=^@OM1(EO+{uEdD^_ z9^886m4c_Lpfoviv2*9`d@BNaPM+}5STh};;6%E+cB$itU^ZL0(aABs^JnUpziF%> z-HAY-lP+}PL^#=($04r! zACpsc-pzrVn>NpM;fy3Q6GKZJ%KDJT!EMZw9#;TRi^R73%b&mc!1qp_Q- znv+4%hlxQK{c=hBL4@Qz&E9Jz`HeISVwhfhecEgviG(=3XBIXa2ET3ZuQ6}Xeibkc zD&;SXJ94RI@4i@KrcF&KYk`F2KneJGeIq&5ZJMSf5d*mhhg^>BlDG%Mj%@TS-M<+p zjU)f_9<+W}oo2AJGaL0Ly26?w`}rKbHAstMm1hT%J)%Wy%K=ZpDW7>Jg@@yXgwTjP zNp!4%*biD8sNIxiJw-9n95~GD<=nU9?iLi(!#;*I?i|BGK;_1QC5 zu-<`^uWSNyN&I6;a_{@`1t50UMX6V4Q#J4J{~}L(vML}Dyc6$^%;#u%D*kE1C{k4l zT`A{E^3a2Zy7`W@_!%YU|7U1}G~V{voQ;Vv%iGBNu(KuKKzPqbrB{JOpl<&pCyIo{>bkGxWa_^gA^FYo@f^LdhAVn-V+OPgRx?V|4q~x#D>&I zKfbPqcHl1=Nm`P_AY^Ozm>Gw>PKJhzId-VBl#65}RkUlVsip-qoHLQl$ki3bjtDkI z-o@85$+Db{l^sV}nL*LQ4>2Y$k0D74xY#ZmZ4O5{_sH(YdG7+v=>E!_m{n;{JU@`d z>^Kf*YO#3o0cnzF3#(W#%)5IgXt>9Lk6|Xl$9B;-4!q&M>+@TL)3)cZ-qG+M+`0CK zK6u+jSvya(>sQ@8l;z%RznJ&V2<_cf>3(l#NWTsotyS;GrcYmzbv|Z*KZvZu(R*X6izLc{P0m;3MwWBKOR^ktuiKa}_#hXj=`90u`SZl|1@<0We!&smQZ*SxGp^v%ohVK%g z@&j#br0;VJzEF82sr{Yv?0$Yu|1;kAJ+Jg;OOcsS6jHa=Z%xEs8; z8UB)JN|Ypb@^w0Oi5`(gu<6qgxxTo9k-U#fH|KhoW`+Xno37>@&2QVMvYi)&8OA>3 zD}`@ESndvI7bfn{E%uak=<+}e;8Gh&U6a_O5(AN1F2u|rW3N#jV>~3t3~a<{YgkF~ zCyJjcH*u{cg~lS(xiQls%mPQqhX_R28L4N->cC@`yktN5d}uAnOLm1rxwbOQjg2H| zkif8z>&LDjAkU<`TFfGK0I}v02W^Hs%h*`MB!?~uNFdNiF$fcEyKJX}1h>E!RbOC! 
zYEZQs$CdI;q+!$Mm|smuLlpRL4VjZ~p|>=$z8b8g5#c38jgJ!wVd6O=tCa8`#D!O{ z{RZzi>%g0OGLB;5e!=Vt-Atf)!5IsRKi(*ocFF=DvB}Tj#OG9hCB0Pl?>HbwUO8vL z7T(QK8?Q7Z4@)s;hWy>jkWZ35@kBtO*{LY|K4cVOm(I)9_29Sm=t)`o!;PlctHUcl z3(*3;Ing(}X_Sf3f3HjUb5#awKKkdUKe$KnKyGDhi?cS7@5T6Q(0`1d=QGGC#|z%r z9zIHo`>++2iohXE2nk5kjDen==ZP8?J7W4~CSB)`SSSCfoLo4Q&3onOk|875h`{ff zw^?VDqW=44fd1ZfwtRDEUKt~~K|8skyq8>uB|n^+;36;e6Zs&Rc>bYiyG+Ejzm@b#s}VwW55@7LsG#;pS4V35WXToM?8gM>bi$(!_M!p?gs~2F1@10(%JW zy>3hx`2B~03;vjeb(5t(L-q=AfV6$Nu?>{QGkLTMy`R~XQWUXxEV|RgzGP^%%bfH^ z!|Ji$MoJP^-Jj2nU zb&a**BA-V|@lB=oK)*--(r`%J1xF)p=dZ5~T>L&V(>`^1!Q?8WB9r&KS-CGhw%s-5HR`~+Ho40PORd2RCTQ)DOa<}Wznf6;j+!;dyLa#UaYMF^eeISdmG;kaq5 zpIWr^FY<7WzHrT?TJjeL4N7YY7A3v!_Y9gUQ>FM8LtVNztt8%wFhBa{uHJbQj|N}z_gBuzZYG?3ABI)ODN1o|KI5Mklx zqR?#yU}fFIM2))^rDXR{HN#4QK@i2JMw|v(dX>t9g-aBq^OdlQxI9lceh_7HO~M&# zNwJb<5Vv5`Deoa6a#5%lfIK~>=3xnG&C|w|DnPvjrOV4<;6T37;3l62>@9E@t<{8i zX;8FER)L)iuH?9Lpqs%OrKmKLl#IvysAI!*jGUK6FNm22(>QHD>YRuA^6<^YR+uXb zB9jl?3JtdD?i0f`FviyEi7OqH1}&s@81T#?y2hApIz}}qM2U1Yso7jC9H-a@=~9~H zFqG__pY;B&XU9i}>!3?)qrq9NwMzbpeXm)~@2j2}+}Ll^rdDx^A883Lv9L5;R0 zX}ykJVlJuBI5&YO0OCMVL20tA$;6mmIj;e|I-q;em@P1Rl!Yt{$*h6KIxrA8Dyag@ z`2IIAY77JuD=RBf81TP5{9GWkhM4;%g1^tpr(M!riX$2y?W~%0W}^2NC@crPv~^{h zo&(Fsr@iP@aJ2gBRI-=cD5ZHCZLs4E&?Xc2t9P`rw97L&V>kwa>2}Pb zUqNXE&?Phwpf%VGA9>9Y6Ub&OWHu3da5alPwjNE3q=!&Gg1hqhymNp5(fu+#av?2} zUt;SWNt^j4s$8GL2lsPHLJD{^ZHG*R2z{aCE%6Tm01bZ=X;CzUm zm(Tq$I^V1K+pXvtT=6FH5)kXc+ywNHx;B$aRK(s|VNW}BT{QIM^sl&&^u%wl*Jh9X zaboL?8fRZpxXfz50hjrw$5B-N2^YmocO!OH$ZXBY3!(N~WqY3M*OKjwasr#no#fH` z@$>D(*7B+CE4D)l%Ftq3rRj6I)HjPo@i|3YTkgdz1+HEg$o?8Iyrxr)=aeoxqHtVG^besUC}7)D>4D%O!~=~!c!RY2))~O| zxkS-OPp>)G`jMP#QVU76wtRifn`1stO7O^bN`HP)R*wi-kw7|7X;TTE24* zS2jkDm4vC=a#gFtI}x6F`tRTe)8m_@JzxL69scfgVPxXExY888O?7GWil;ctjeo2N zy@)5n24$TPui3EH%&bRGTvIX&6IefoHp{ilA?U%h=gd`73y~|s4JPu&i!L1Ja@)#! 
z5{Km+-zb}n^QJcw=_8)DXey^k6(?rfK{V_pQDI+8lcE2~G4eLM>y5{K5a#QMzm71% zd&Y_-AL*2Lm;*y=FXRu2vX~|t#zKVZk_edjQRB36iNO+r%D#w1%TclTK28cKpZ#L4%U zKcse#y7-e#pHya^QzV>V`j(MKQMX5!wY$Ep7{af-t(l%uGi3F;3N^OH)RB3R!q!^3 zoX0nPvPe0)In+#`CD~973yLlR?NPVNp9Y56tW%MJSGW;93vwCwzlO$gmb6Vqd*w6# zEEU~G*zJRC4F>joXl^5RU(A+_M;}(YIrSIr*@?O+j)?_&^YzS18BN8hKGBX^iQQDK zM-V1e;*6Yd(NfQ3r(Tod4`>7}eAeI>xp9;}xzbnw>#nj1&%n3JNpM=(WFGzcyM2zv zmzX2cuPadft%Y)_7!^UqS(>003l<{i-zbWd!WU$f#7k+7iohQvTt|*UA3}Oflsti) zClIH{9}Dd%{63)7Vm@8GQh?E^_q$5FV$iaeV0DV`z}|LLG^q#CrO=5o)0_TA3SFNF z-)ZQ44Ko=!XS4+8u?4qpS{8}kwqbo=z0gvRwdJ(bQ-7GwhNB2&xKKTOJO%Md>@4~0 z1xrOx8I7SeNI>I^Uq~+%x#zn3+-mloNJ^~9LX~Ab<<^?IA%@(L1M8s#9;YLQwMWqY zj{+SkD>9%ok>hD#%u9fFLATKV>Nkza_A9~F_n$)Vr-TR;B=JZMf`0Z~Is4nbDu1}?&NubQ zTl-Re$hKia^%TQZR>&J?D9!%6)k6;&#EXo<>N%GO{`*U-&U%c*`?o1Mn4s!TPBRxO zM5u5aTq-C_@eo`+KO`ZBLMexZ{U8!_<$}EMTgdjMb(TGhxSc9 zc))J|CYCa$aImzTp3ef#*-kGsO8kmvk%pYG>rId>EQV$$szP2n%&h8)zT44=4c6O7 zn$DhzS+&C!T9u_UmdrE^noUYBmNXOqKBgd_x>_4N5D%uS+XYi;ayWBYvNsopH1Y0S zut7yCyb6s2SKE90TYOZd4Piq=HYl3ji7-S3iVi>vU1s!;K*b{6<9xFv|`bOqkG^3u5)!12fOi+B$bL#%A7V&Q5QNZUDd1rcd zGB@^Xt$!H%fR8^ceI6Y1`&ZfID;gx5HqL?9BQGq)^pAbsQ zo4k)GhtxS#7F1(UL5EsHoD0Q~w-KIn`*-WE$jawy%bE(>slxuJ)VAXHr{&Mq zxi#tFi||v6O`9G7m)GBOq}MO-*dB(Y1=RNAD!BM>ZZ<#I5qay+h4|yIIbi_$4#HnO zO9_Zt2l(+;XN&`L{T}%KREhrid>aoSg+)z5fEGaql;ML-Ar_n<002M+hya{^l$rw2 zq5y!pf~(%RZM!#Sly(+F6+gge9Dd~zj83_L0APgXgb{#~KmaHpsUz#5n4#K!cSQrB z2Vq2EC1Gdb7U5M9G!b?Z^%IYi09{r{L1bWZ2*m>>VDST-3XukrmXMB;o{^E0Nq|{` zMS)eFO^@A-!H^p?u_Q#FK0~1yfK}q0bh*t_=e-bnRdQRwD zA}J<)@2Z|Xe1zm`$)b7As1zIyG;8lkdn+$2V2WbWvr4>$EvtQ0{Ombn^YJpk6bN*h z)%;?2d5&J2n2B+Q0oW%3Hm|gRTERadZ4VuQ)sGf-B6eYR6aJ#?VeIAX6ZkFBuP~rK zq&H$VYCG;a;XN5N6*ZkSll7-)whGuZ-?`AgIKBj2UReRHg4ZD%51W9s4~#8D5aur7 z9_2pc0q3E>kpx)bMEy+f-0Z>@;(FzM9dr|Qn{=1;ujsz&vFWMvx&LMS75KLD4*HlI zK%gIB0P7zZu!wM&@Pr7Ih>S>_$O5PmXbKqWn0i=d*tR&XxZZd{_)!E&gjqyIBvqtM z6rEK4)Z;Wj+7&twJ(v-~^uP?*_`qO6WW{77WT)h2m(&d()PmqzgJ@QQq@IH;k%Gb*gGw2KhUtqAaL0hW*<*q% 
zuz(-EPj&Y9tq^MGFCn!nDU@{4@Avl~@I1K_*OSvWOVc*|HaxklT)C^+GmbMhj-jp7 z+5mrX&Fo3-M@jFBFIAVXfiJjK=dZ6(Rs8@;lkS-ewczf)?ZhZ#(JWS0GypBW0d~J8 zPLmRDkrZB%5PlFhfh#ki88wkQF|hQIbee=8RFH3{l1O{S0tdgFM-*gDfuy+MnxB(5^`!zk9l)e>7c_s;c590Q6W%f3s z_E9JHmB9AnME0kI4#0eR=LgsZ02%Av%Dni2_B$!?nYy z!wDw}{^LV|!kl1(`zR$Kh{S-8#B@>n8PFdhr8g|vMm4cggjvSCIH+MA^+@?Ko-eBgOq;F)F!30BB}Hw zp^PBzOjqVCGwN)0;v5O=Tu$UXO6Yvdr?&#Ybs^;LqzJTI3|uSepD%5iEGrr;PwK7+ zYN>RssWL06R?n%CNU7zFsiO?3$MkIgxHm#>?VCUr%|L^ee$Cbev4?;xu7C#D{hBu)K6V8_^^;;fXXMvf`)0c*RqSf}V*6&_ z*N&O?^LC5>MRY=ig+&I)pefxJN!=w0{R`s0cV&JsqkdE;ev-g`=0tv>gnq?*dVT|3 zze6rh08pU+mlwGBZ!hqFve75<|JdmH|Flt?q(Pw<` zeFQdpy#%jpgZtEvz<|VEo}WBZjJ+D=DlJ1mT*G`A%x;yFG#?cmJ3oyBup+phiLezKO4rlE$t+EW%T&BKj@^}l`U z8Bz^~L`auEI!HoVvPmr5iPB0TD)W+%f zeAf7}T_5M@bwr&@;q9_76yVqjjCP)MJ@s$<;pkBSY2QS=}Y`q7fwhy1X~@*^94dMO)-%Uw3kw2+c?) zc3E3zg6vlK`9Mw=E-^qZ3b%;%^0!pos~1i+_ND(^pXJQ>#<2M(8BuP`M@ZyEW%A}{ zg&T1=Z*efi@4{-tpI4Zolx!5zoPNq( z#R5|P6XukxFRZy&A$>?U&||(c--1P7o_GWX>c`O_cvGGGxoGtJDu6ZJGhA`bq9sE2 z5sOKyi8KxxqJN>>Y{Rulo+H}dU*x9v-LLX}1tO*xZfT>fU@icjVsz-Y&nzOkBA;=o zjq&t#=QRbPgrUTs7T$#r231WS4{Wb*@l+Zy()&8u&sx+&!@e0-V$!A;jF0VmfO)tll||1TDBlPG2S zRK*n%{%_j7U#>5zZeC5=CY{``r};Fvja8l zpaA@qjy{JrlphnlogJ*2<;maga?Q!5jFCW`Ksr5DjNmS9^m`O?RA>~ndQ3LlTo9*B zMJ0Cp?eT?6g|xrQH}{&SZ#9Kc+OEB*Y2gdCUlYp>&YUqus{Z7wcFLCGNN>TRI2mDYnI9|J~u z%*|-{q#`#ocK@iPZOdY${l7 zce~!)7?rLz_EWitSg@TEVUKp;2P_+I8U5AWx#N^NeDuJ2NP(W*yzI)W?C(~`8x@)3xtV#~b5Cp>T~JYS3}`I5~y zU_^Ny|CD?iu!O4?+q9K)_bR+LFZ`pZ*%9wI^}Q(ZY(Er=tYNM9R{es>H9pZJ_sH>z zIE6T-zQ!7AM=na=T?I1i{M6cuzqNM)*mi5_8g&R%ZzrgC?$nd6C5T)MI>t|*O_5!A z!Q>KhjK?2o7j0K6r_NmpSg8(?7INhCk7?pN7xzZ|^QJiNrilFYVqEr@B+6j9-x|)U zWBy8}cmDVFB$EfnWWmH$`htxgP8uz&T_f#T)mIl1l0qB_Jj81^jram1 zhh{O$?>>;d%%ZAqI5icqY1Uta6b)w$`8w3NSEahHzp_*OoLMiZt{q&c5svHf z$J+fv+FKr~Eu<2FAFzs1Z>^0nX;?eG=n)XCf4SwAa6faY3KwtG?%WXrO39U--t>|a z*_92*&06EUh3|Nwa&%EzRy*Y#FD%CQ?S-$T%t$1b4BSyrb@MC2FyZpoE=!@(3laEn zc_C?8WLW1BbpNF$wjT!?+qt9W3t5%M7$*i*n|t`$1-49}YB_lhJB2=b41sCzn>CvA 
zakHPl#wttYM91Z%XJyl-!B*qH7$EgMrm@$bOeg7HvCccfkn*ZQy?US(ts-*z(ls-5 z%&?t~lpR9JBWo5uP+l4GGbE@T&CM zQETtdPxJ~4uhUxN!#B_{@a(=WjM)uDQ?43^_RJ*z)FrnyYr1JGxP1mKzO^w0@zY#J)j1K zbhP5{7BuaaQKl-=CfX_s-d@BFk0nP+upkT^FjpO~Zp6IPCBc5Os*6$As!;63aYgpL z%qY{=^fZq@#eYR7%S7WG{Jpkw`YAi}mH*sKBRl|=#Rf?Kg>teA*XHkp*cN}bW`fII zpQMmx?oxbPlbh56{f*h*PUu5fNpaMK_{?Ly7x!!``^=B_ffWW_` zWNheZa_*h~%KM>W$;UG1;i*Hfpy)qcV$_=ZvX~54J(mgl>kMwoVBV5rFc{30K=iqp zGN5WflokKb=M$Z1>B!qSDklQc;6k5b|Ls|%2ptx+^wA94_fTV)FIWv)nc3O7XbC5r zh&^2b8lL)zjdC+A1H`x+!%e@|+g6*fSI!!HYwCIobyzY053>NJ?aPRwEeBRy*HY`2 zJZjIFb7(TCoGZjpP}^Eg6u5f&7e-P9XY90R4`Z!0cJvCWA_a?Jh5nrl_>k^*kWmiw z4$k~4#pTb~f6epkQj%E#M%2uFLdP$<#S7p}?1DJwW2m7$dhz($^=8AA^C^7V0QSl?Cj6i3_NRsjQF9^hNdj^XNAoP0(=D;`s&B9pf_N25g{^WL~s z5BzjravKI9^c1RH0TL>tiAKFBf=GY~IE~Q7iiL%5QGcK3?rBmDH1NmdzpfWOF$V9Y zi*twC)1pA7CZhku9Pt;60!82snhwj>Oy=@X*nloL1%1ho*a+n%!oCatej1^OHogC&MG8%X-|}! zrQh`8N}-SR71gGah-mY|-H(Kg(kYlmO8=>cu%^>p1Idfnkdnge+%VN}BCip5(SP~& zzh$q^_rl=PN~{f5LU?MZ=yPo=x!0t+Uo(kgLan)+LxO!OV9+?(-Ma{>CwPa)AXyTL zIj1UjNFYpr0^TDwHHxi%KRwtgFgW31i|RAWIUPszKEYkMSbt*{l7up@L>CYXkd;b_ zUAK&dPq1T?cxE-^#!Xa&P(q^>V!iR}w9eGk8qjIey zU?uBg5=O|I;v!jkS;gER-l$DCMlbIqp&`ksp+J))i-`f$8*&3X)Pa1U@U<&Jd&0mFmtBm+&K+NEho zk}`fdh2$g$FV+XgN~JO4r<0e16`q{sK|J9@d6nx#?va0{=9P%qlgDv!%9996Xt}ec zBI6#asj+TZNVJP5`wztRM$_~PE>Ne|6UfIK$T{8HsSyz&d)X_Q$^RJs>fOY<31 z_t7lZe5g@0Em+3D_dM=Wt~Yf#z4)*jb=+aSFSpFS(J@S-eAh3q%AXCNY5Ra{^ZK)C z-lX<7A86RzYa2`k7o`K2$%l$UjgxQ^W!b*2{a+p+ru8(Ju^w&=IybhHUJ?nf)^M3k zC#;C)f}rr;9#@7Pi@tjkErqa=Zqn{%=5a3_*hl(p{BG8750s1O3fPd*+-ACP8P%jO z9HSt#SC)H+w2u^Puo zouBY)31Hy*r_wUO$dy-z<3s5l%BDG!MTL^)7UP@Aq6v ziq3tt>aBOWZPVYo@0qsqys8@o2(?cj;WUpUhwyvB%;QAoq2&fUzQeERTIX6Ew-VRJ zPtietwc$SxAeXX?-Jjq^YqJ|$@l@+O+B3}1^?b+LIJo2fwh)jD`$B^Gy9)q}ML2?g zg1#z!9xobAM#8xSZ{X(fQl>}#EG*8|>6tchp7oKag>$qDx}UG}V%&9zoE6NW85eBP zt2Td>(JRZusha$wjJiwcV0j=Cau<}#d-%+^_nhhRJ@8+*ApK;_a0lN}Z930g2cOLn z8w$@^q(-vq<)c9u3NuaveE3b; z%ih@{o|`Q{y!fLK1I?!7Xo%-G@UZP&*o!C_u)q#g%^p6s1pxx6YC 
z>mYy87bh4VHh>9>Id-;WnIvr;Y_bF(b2lt=dEdSJDCW*nfyw2wZ=S8I#Sfk6cHQ6M ziPFdUc?HZTE|*@v$tP5za5~>7o>}*Lh2TRE=W%%NQ0efv{n2pfg8@3*_z~$or;LB# z4o1I5ObY`kC8^bMwF*R54|D=vp*rRP!J+m+Vvkai@1MJb7|To^5y{}Vm4CzX$!^qG z*Z~L4amlO3aV`uqZ#moWj1K=|Y&U0(VDce<23S_ER>XH(Or|rWRp~I2598eN*v(&k zHV~)=SusdL_0ppykfiKO7hD12?Em7Reje@Tux)ia3$?JxTtc8@Z{RpO8j(^i_SR8o z^Du*vf+9{pCk{?K?sL2Dg<`~UfCFiV*^2VjJUWvrY<;!hRcNF0lpw-Ma~Uq$s#Ufv z;qHowVJxx=+lN|7(truHbe_9B+%WBP7#^&}d%4Sp^87?cs2<{R9$){Vo`N ziLV~|bDv`t7XPerAzk!~F=j(kVn@5~>FVPFS8|WvwbzXSYXVu=*vTSgMQDbr{-7#g z(k6fD{q@T8o&VA1CHM+E)ARP;9 zUoaz?lns-DE*^K(J{9eysXjfHBbt9iGlpcN6{(Lo$Xdyfec7|rSEjF4gXJpl-_uQG zKZGI&zwzpWn2^r-Yp`tZy5w4x*kl1=>V=mh3Q4ia%4im&Sz#y`FnUMMOnlZeP2hc5 zr7c*n13dC0k6rH1yif3e;ppAKx9E4ey(3uNj=VhC@-te22LI$s=$Jfzy18EB=(6oy zn({%^b+#6-$SPFuWH`Sp#3#uk19>z2f~MAwpd+$Pn(GZZm{ zR+6Eq>}v54>&HYm^!_};2-3Ijpvi0ZpOq&9EdFVza2WUerqDWf10^Y;rkWByMYy_R zv9BG%jGXaw+E|FhjKo>tJYS1Tj_d8p%Q*z8isqo}*l87zi(&L*Fvaf~MO;l-hF#x; zaS8}fROv{5sM7)`sj3y!gMN67ZgNMO~U#=s=KNG z#%2HbuA27?cgzPVG;`08TU>d9t}r^9F_jfVPmFuotTUMNvK9HZk81m4jcPE-aRwU5 z=zHQ8GMFgc-+dqV{i^iZV?6Zpk7y-2CjRzYiOLiv!a-^Iej=GQtPx8^KV+$LHMo&T zj4f@*cz#hKVPhS2xt6rH=p3gIB`n$cS|(;-Neu3tnQ=QizoQPPb~5a(PtvPl?3Fa9 zfa6*gcPEg^OMDUQw-G|bU&JJVU&dHSqLjYB_pC5C_|+YM(Vl$IJtnXV;DP2xdI^RU ziCf@fa^g#vtARzs_=4rB5@iP4;hR32rETc%L~v*`!1w)wWK!3PuQo3A&ubpfAOFfC z0xhC2UYXQO##jkt`Jqt`J?k_=bHLD02o0ipr-e%}Y8%O9e9uex&X7^yWD+NvDn#DG z2>2V^@pMPNbuaiP7|H8@Eu6&9X|_Tn7d@9E6miP}!!Kk}4RuCy_iglUbaTi)g$=$l3ff2-8^c&_z0-oH`)vp>z_2H9Zv~ThE)yE7zGl4*Mp* z%hCnW>t?$|twG`RPOqRD;fN(KAd%^F<45L;!vactHuyN_|A3pAaqI8Xo+(ORszAD}a)P84Nh8cDn3fJOw-e^4rw+c(d#l)_N`b(hQPi(KHQvfzf=bd?wannaVtosvOxzAuKGJgz?8&}Z7IA@V>Zce6l<~3>hrsF*>xarpKd;OHT<>zi^I+D()A%lZ13wsbOFM(e03!p zvE!$t%RI@pmZh)yxWDXbP|19V{PRdRAc>l!!bEr!s;&Dgo|mG3G|nO%wFjQ9!NXy{ zxmYdXkBHtb0xjWX*ndlNp~lF-haIwhAwF$YI@xk`_HWzyMBMiemV~dK%l-`uLOLZ8yB?*KoLgyVi7@x*NLPq+CGl>w|7*L z)C3#4x_~d?+HeX2@>qW*(KcFVSjbNo=14u*i>pJIB@aGk1}(Iyr6@~#A92oIW>Vy3 zMlyl)i-)bLKouWZ>oq@9?;=m4MEz?4g57!lv@*AVZ*xnUtd4!;A__msRF|@u4yyC_ 
zvwTvFhD@C4#HVSrME(*pjI=oC3i(KI@T#?WQXv}BWihFS80ovH+K*Mn@NHViWm=?vt|x=UYW}R0DzQp*_n!Fj10WWDekPw2#zumR(NC9S zi(FI<5tHnEWXUKKG|O54x}vU^?e*5}gpfooU+wY~T=P27@hSbe&4ic|-+sB)&427Wncw}DliApZzHe8u!QZNPVh2UnF>`D& zHs>Km@SA1wWJkJxW&Gt&9w`ZT;?*i-8&n3;g#pwJimdICmg(WSeE& zl(N3G&8Rk6VTN#!QtRKZXmb356sr+oZpmx$72o)KeWkN}4E@HaF(ljsS&XIs?Zh^z z2-MHiwxi>KMi=&Z6@pzTst^nL3isyV4q~!$;?t}DT>55N5XdR~gU~fR6_=Lp8)5I# z7T2y_M9k{Eb@SY+iZ?8*ZQC0|B;;8|j0;JGrlw+EJFU;y#!?i@@q`B=ohK=nR!Og* zvF61x@;l*mik93e7G~@uUWMpgB27)Z(2(F+$ATIWj}`}D3%glMW6PR zT=65=mH`t`&d$f#cWCtfU^!m=^Y!^=JJv290PA8NMPLy=}0A z{R(gFMqF4+$TiLd=U?GP%xW=Q6L03QluGD&+%cQILzVEVf-f=VMX$VhqjWxu1^<;N zhF94JeMa@rA8w8Nf}356Ww5EZZiG3*7%d9QgNPt~YnhsUoL$ttuOY#SSUNUJU-yG?uxJAnV1Jt_t!p^Z3~1&ZoFYZw0kRj1 zy$ST-w5JtP_Ktc%(44$5&%LBOKVJ!joHa6^h0Lu*`*v?U`jrT{f8nDdU}&#{T0RcyxO4G6B^j;+mXeIh>b0Y@CDr%d6{FB zmkG~1ESkC#+m{33l`Bc>2|WpU)<~ClT}bc4(dOX{v;+JU+K(!jlC3dH|w3%1VaW z1Zh5MAZgM?Xa)$qror~+0O}mIEd#V1|JA})5%<5`Z(a`Q%kC|k^icFWG9T^tMAF67 zla+-b4>2EtMcdiM-M+Y>yzWKuJw+dMS%&T;z*peBBHvzMX{n{qbxQ12 zO8H<%34icNzcDa_>3lJXj6>@TH!TGPR}{m^F}Fp>DR!Se`H=nS(t(VT9JSs2^O;*? 
z!(k`v`4r=|plsl|3tbeWjV~~a#f0C^OTfCOPpt#xecknQsaYY6xX~tuxrpVD-Yc0Y z1xGh0E10kc1TxYhA|j zKg1jH*YTKuzZLm~e<6A-^u|dpqsg*&Gsw@(i@*k1e2I1}*ofL*m(7`D6vb(<}+MJ7S7RLQ?vtaZWbE>2GQ9rJVo;;i<{(~+;h7WHtsZ_^0Zq7`HMP_T3j zgg*#;PD3h&FZ?=4&#hO@tCThPu{q+9&1iL-l7@o-i{EOs;xCzlq@(hCepxp+0AcwS z4_>8)Ufeb;hwsTT^e9q5?%Sx_e2j93#-v?}$5DZvXfV^2Ip(b<)CtQ7p}k&|R?BBh z4~G$YrK0apU$S%I*0wgA5%yq$?R0Q`SeKEz-UK~%u79Oh*9Pkd4}~Y0!%v+4W%)LW z>Ny<-CkTS*Cg>0gOdwu5xrdeM&}YTmjR3JKINOu!P$^BNw7)MMN1_R&SS1VgXUXF* z2PigQ>Fc6%{P~E5{VeJ$4(B+eW1hubE!X)Xg^OYokCT}tr+`+Lh|k*8`o&R|a>9#h z?wvAY$C^0eiL2~#@W7G`>XHWmH|cQYt{0KLpTruR`&L__p36QJ$KUE$lTnIpgn}`@ z^pz^EQCYzed2c*noy+o@y+be7OHQyJEcY)m9-?j(EY#5oGJ=SR1o*@P!+bqh8*76` z3T{@eGYeYG(*z0sW{Bm}e(Z}cG>czG)Qr!GQ8p=8m`s3Rm@uWckmFK2Atn1KwBqP>dKmpmuq}#WrDy(FmV^fN zw_#nnRv=oSf0C8LKdfG-2q)!=!^?-WnvtZ+!>F!h!kfdr z8h3ugyHch>@h@jG=YZjWS-7War+kqfCceBX%yP-u$sk?=kOTnGcmYT;6Qg0-fEEVO zup>x7echlc{o)#E!Z5bx*y7i7r?*v4+3+HWA+W5+;T~fUaTH{8fpc)As4@6`EE%t~3>0pXMw)-;dI5hPbm(Se^vsI}vjvu8Qms`q<5oBoJN& zN0$(cxPK8(v82KytSTqr`q#@0D{1)=_TAfCai6ILCNbCA9prhn-(?8A}*{g?%=Rv7+Rf zGiaybtN+R8to~bpR?#Xw><7D@E5h#w+~LpPK_fk7vnv|WkCL@Cv9S#iB+Kp>qn9$? 
zW$f2q8)8&al{Wo^Nlj4jIjFS^D54EcIu8;2&+uFK_Mskz84|~-L1mgo>-4}ocWdvt zUbkzdZa?t{Q&jf??u;eks7hM9p*k_2+7{${M(UVygk` zG_3!qP+oaQZ9kp3@VtyMM$L#{aKer>N-;B)j!NBc{(?X*O9v={Y&ld!3=4Zuuy!8vejP7%+}jk z$D0n)>LIV zj)CwAeMJcIisUVE6%H^;@>b2N(#r~zHxt~SHBg_F75nKWvvl&4^jjWisYMCnYIj*# z+^ojBp;RW33SuB zi5g?-KgIniZSMcswDg9ki+trhmEvivMRh2}Uj&=E0`HqIe0oCghX2dn+8GPy$NSEa ztlX#fnIDz5gMEcj!?Lng$b|z;@B;)(;Iwk?+<5^Y)!rU#I8mi}Tv2=baC;Aq{KL!s zl=G7HRa^>Mt1*E9l2Y<+dkEW5xQe!bDm*`t zP5HW2xcAtkog_2HTNd;IkD<|a)Sv$KgxME0v+J{EJAR#G)wWg5vWUn0gEPy?u* zZnwC0K;{;0h7J>r>U!?HTLhi**i0q)Nprj!n?I?i)NP1=#{(iOyA?o^qQKrphp>QJ zVpgY*UAMYs(p#Z+AscMBi<0h^P96Ij@oE0a?ZKb~!Ow+?hD}%t^Rm@@%_0j^B1S#D zcuLbTj$$O^uPWn>JKWl~=!h}{e=Y_2Sx(2IL>{p8x-?0Q5m%L89KfV58<;=cilm%8 z)nI>5U$8l%SiN%%J=@42yRt(6@Xt`1I*4Mw?1P8Aay^E`8OG1XHPHNSXzR!mXCMz@ ztfyVXd^CzI=ppcL#QS!D9u!iD9g;sf23ckMRGlwETF)3gA(FZbl^jr0y;ckRYPvkfqM zLaPL#cyrsl{bQTa8)Ht^bVv1~``*!GVm9!YBnW8OIpyh51R+}`yd}ylv))^M2U*be zhSkr$uCyYkhaganXE#C1kt53QiH(J1&E4pjep^Ji55uqn_Le&rXL7w;Q9FTj1tHs> zP5B}|RQXKKnk%m5#hb@ejr1AgnhPL10mQJ?vc!JVp>N}UH+Y%sWU%c!)EI0(0oj_% z(L^FW7ri|2oq<73dd%wYKji!eE#C-HoTD;Eq0~ql9B0|1`Mi(jKMn}!=&%ax>ns=2 zB8@Q3iqy3RocR{p75VYf0GoO)=rW+yLj5_-$EWRt!{0=ih~+F--C>T6_Q1lhdxZDK zuwhazU`SchbNn;O>)c}%(qN(?`3lRh{)rGl9v1G+`bNS8$KRAe14Mbg-XZ@nYXSl} zR(o39k>PiS)_Pt;*sjpVah5)hwiuXC=~O;d=%`ZUR}pZ-^#zE8z~AhwEv}p2=i{?E zcs63os9x7lL%JL&_AVz&)opyWK2}0`eveAZ^zUJYEEp~djE)>hDzee8m}w>K?KTwOmQ{qvy*vvcG{wN z*PJ8FCRSf%nms-f%1F+Z90ycHBrRqL3zn*KxA3;BbtAuJb?(F3_8N6S~xhxil2;>ShGNX&x#wY9d4gTTbeAuM9?~%*bJ` zhZDRL=d9u?vX%61v4$wqS=~l(fS1w{Z{OtG4}KeKd!38kIDTCu#XM1qxzCa4U^S6R zo z@I(l<&$wHbgvv1yAtlF#jJ9$p(Usfb%r z_N9=4Y)~-|dn*?VAga9s=x82pwL6~VXq&vXR*#;7LL9$(UoT0M%Yt27B{!24n~>@sS>{MR|ie_&^I29ZZ}n5CD&^ z`FSi7tz-L5Ctfo}CpOP$-_XbhZBiK%) zCH!Dgea-4sZ{Fb-X2XnxzY^uQiLsRiaAk*_0g)SK$f8mI7tS}K0j9CHUg5JOd|#EN zMyB0N17I@bl_dM8%N~EEKDS|5jdYOU_vTttTBkgeQN`ikrv1WRo3|*G;DhL2BG@40 z^HWmBWoC+6=uv6)8CM6Gd0;l2;hH<(dS@8(E06s!on)>j;nFXKW*-XPiIG=zc=);%bZ0@{n3^Rgos|^jc 
zY*II%J_%~1`>0EfEC-tB+%-@(bN2u&cu$oMFt|DI_{CH6Qm9M0Qn5CRO{#So5D&P5 zi-880P}++gLK^JtXFmKo{$B+Qvdp}?3I?IgFA2m8J=j2pUI3Yq#xg0^72n%fW2u;9 zy*t<{4Vhth70)YK=IE9b z%Jz7edUvRnZFnGYZo7C+v@5!Ynk0te5W-gWYJ=@fzO~LS`B00oAivl=YM|;^97!vz zlri}!Q7Nc(%u3KxiIo-E&e04r4-TA-;K;5%cp=9~*T8xLO2@PR4EkaK>Is}u#Vxg- z&S)AzckZf)a<=jREI0@>#`+i8N)pmoyvnPXUxp2Qplf-0SamC-%Y+vmQVA#x&obzF z{E#lm%zz+F%32o;+&Q?wMbEi0%F>vFG`kMfYq80N3bj$5@>h9@M4t6!0iSa_$~B$< z_uxHGtiGTGb4#BJ%YciLjNTV7H!HbWr0U?4>D2CwEzVCk$z~TGXxlHenN?sg!!77I z!8NEvk39_L>{9XTGGXAp0OwYZii$ouuk6b}T!5U?izs;bt=G1-z|wJ0*?~1a+{KI7 zLl~tRfm~|8QVt)|lOJBw1qEXAG&T~5m?Rx#P4h6B%#x1VJL0%Wc~pQY06Cq9d>#T`3ftI}G*|_-Ivd0D3vh z?2Std22b^X;OkjWr$=_P?ubAw*a`ZoO*!h7o{^HBBlEe|XgNywdJ2FqIG!ifm61;z zB6(xz<7II_C^^!Tb7&#~cqP9ES!ybR`TV4Tf1f1XUwX52&8VA+uqB~dAaI6pwGiAS zSiM_)T1y`S^RRd>0ZG+s5QeE-oGud&B5vJ0cv6)=-nj6y8s_D$$OkNAR>>lt*a6o*I11Ck?!ia){S;1=h)%@)fL7gc^lPG3 zhI@RR0R%Th>w3P&=6vJkan?9v>o3ta3y|~xxR!f@VjywE_YfP9@Z&iZXcj~0&4_V=(#~IGd!dhLQD7x0srU2l5qO3E45X9x^E3$)IoS9Ff)GL@TNobC&_G>Six9q z=phk5UMJjUyQK?4QGf!`U$9Jham2I?Kg*2bFsT8SHuzF#S8zp zJ9{~K!elcYSr^8n9x=$$LGsA_fgE5a0FYr{^<`Z$T4wl%M6iwbwJUfB&+q(*ij1Yg zgRl&`g{@V-TaVc4$L%=6|1rgxve2!lFHULXouXUY3JiKdmw-lzfYy}b z&Z13m&_KA<+zpc~RajD4lnnosjl9DaYv`Yl{Xsh309q5ksU?Ds@U~pUfH@o=mj93% z5a>ZRFGzuT6cBoL(RjFXvu);#o!HuJbK>K2SP*02psqp&Fgq&#dO|N~Q0I-B2Y~?c zP#^mtu%koV=7!u$tlLgJi}yPLqf!uNplkrHn8x9E0K8RWVbwDl#yNiH7?YUhs3m1N z6|4y1233Va{pc+#=r!VkSNk7msYw^AB?J9^GlrM3C#E99!-3*jM&=0JtArjj(t;-E zJc!gs;;RvJUcWS_jrnsm8GqLz^`~{wjk3S2Fm}R`{i)THLL*j;yW9(~^9GdG92=hT z@Y}q)*+|~7u2>$ep7oc-xLP%&G|xS)$p0Ovn&v9yGksX-_VhDQGUOdjN?tf8tCRA` z2iI<=HoBGwv5n?>`;P;czd`mXl~NSX@s(nhRQNn(CQBmVu;)*4^X1|)mHmh-Xjp6Z z(v_kOP#C&%u}40&R5Y#suhHC8cp^L{#8k%Q$gG8t(ImFuY5crKFIuXvRjR{|{VUZs zKYmZyrLoDBM`NC~9Si&_8~Ho1N*KFElX~?n$2JOfatazfRkwYloCBs)TLX zIjG50yNumMqo^qbUI$Xkm$%`HNAaJjZAOiMVs_8z^40X?VX;E|Iyle^M1LOV#3Jya zo}yurm=+w+MjdW%;lPK6aABD%ha^z#Q(SHI+j;+|njtT61p#mxK!7=<3(1uair9k& zgKr^HZ5~@)q-KF(_^9wJNEARIU%{8RZgk9b`^@3I-Q@c{4>urazbjm^Y8k>qtvczm 
zs01koQ%*>r(1Cde?fr-V^P}1>l4(G2r>Xz)hCsk79lQ7IzQ#$SOz=Pl1XLW2!$8vi z$;1NgP2+-&(3mbTdzTb7aZ+)kkZS}4k~ZKmHEzk?``r>&>+ek35#Xjusb0YNw8d=- z8nO~ID}hv}*$E?wH|1&;f>F&qx3vs!E+)F6y{?v_%7Je?hWc=^+OLl`(Z?5hf+ZV5 zw;_4X^oLXJ0xU-X%5I%mIuH;{*BAuMFGF4+QQYx< zfw;~j{LAj!)Zr2VI;zenLn6~m@oOYc9s%(n&^l7pJpDP&G!Fo1!CuX zs|6Ln3EjO;>tOGu>#WvwmX0_aaYlQ+Ga-r*n77-zj*mY914;64O|y<52?We+wBH~4 zcN&jT1Ox%7NcFY#Tuw3}V>_NIyQC#)NkUiO1<=PWFRusPL>{AEsdct&fJ~(APUQOn zQ@NE|?*!O;SPLRN9BrIS%d74MtoOBDsJjMMW}+#Jp-ybH;VKj7&=`|5QR%2Vv{AqU z3PwtHf<;)5Tj@oLB7QoeVRsC63wC0RiJFzYz9$SNi4(pQ5<3}oM4FP<1)E3B00X!9cx4{`A$}EH)@jDvtU#!j zra7Aw_d|7}W}M$0QGQYKBGoov@HQGl^enf=I02_z>EW}+zxelh=gN0AC|AI7b~k3H zL%*Em^ZYBBXTL#dt_$V9u%qZ7j^dq|P8#2thMz>b4F3&@Vc5F`Eq-0Ol8rMx0oXbI z<%WB-9G&d~i|D58;zDfmhrr*e?lylBaz$_VY;ZB=^MicP*nz-}8+8?F?C$Bx0w`Li zjMUd1cir1pU6gxFio5Jgc2=LoiumoM7rfHcFyDfdOBA!H&tDYC=sGHu$?{y=JZx9y zs0x_#gT|3jQAR?D;U8yYwkXXx4sXsYw?j>M#gqkqCva#E>PK>W6AGW-X? z6pUhyZ?ydP)KZijWza_u9&7Kr7QYE+uk+XWQEvk|0XygU6bg5qbaqo~FSs`Dg=+cV z4-Q!k)4eUi2--OVDKA5HhvnU>%9w4H<=(Br=9RgU8Vj8rLj;krvwCZnFZJb0F%Y%w z2T!_Q)Q80AZ5HKRNk-V%D^H4&61US6-tydG@EoWEi_d{PJYq;3v`Wz(IBn`a$$>{s)rjx1ahA5;7bXNRfrB)T;?{sVc%%pygqN@f4_}C{x(PXcJ*ol%%QLn z4YdJLWmE)>FHQRQ9O}occdIwMEnQ`;EnYXJ?lsbFD+^J2iw?>f0iB~@w+~9_-5j>S zPP2GA%`ei*G6L6w37Kt<4};A44a*`Tjo_j%A%2ETHqI1i(ykzxgqrDsqztED#ir$n zAyCr2f1oJ=qs{T{YO>t^q>!hrQP#c20sf6!fjTHy3(AD)2t?xCd?;ZnvRjK=eLJ>X z&)eO=V0BvL)W^0g?jvWHH<1f`yRnOsmMR-&ZMoug_%@=Pa@0teMA>jfQdMB!Z&&2r z%`a#zce4tSIzqtCWYDhU1Fv$L5KDfR7F;s28W3beD9OZofesRM5u48cZFu1&5)wvL zvU!x2(?t2%AVmWgBX)=zJm&oo6I7Abk(5HM93Vt2H~?c$U4KYu5>9>8Qs69}e~eB6 z6biaYVbviLM}nhTn!*i8$xdWw!E(}$%MxXHE84fbdid>H#qvGzUV3{QWL9Q9fO%kZ zHhy3r^~xK@`|!G4?7S}tT`yv zdwPK6-4O-U!y8le=x~&wboae_0(I&g zNH8>on~G4l7&kR#i}0wi#Ac}LNJ^V(U|R)!I-7j7lt~}}uPBFIM=+(&lR6aTA*F!| zhm1>M)WoQ!a+xM7hB@&N3WN&>AVfhiV!5oZ)a72pg>;xh8P_jwoQxev23Csot zN1_27SYk&2uq6_<*DF*nOFTe1fO0}S9YbMZUkN~Xg02h;$0eQcQjE|MP+*cn{lLB! 
z3c>Oumr9VD%~R|E4F%;d$|@%FAx=AQy(&nkJtj;NdTh3*ssVt`gfLuQwF-=cUxcI- zTq%38+Y5(Pyj4SsLjN&o>?YkAb%f<(>1a+ zEX89}V6dg)LO4uKoSTiCf1rL)LLp*a#7IG@s%qgku7ZjA(IsXkCdxNP3VH7PO*_o}-gVnxjqzR!nIE zVT!y2K9r^~4)kzaM`5dLG0lu}JH3ckrNz2gDcE|H!rZ+?qFaDkdW$+_+-3%WJG+Lk zB7Ri3u!8J3KyP+c{qI;6tn;Q|tPTE>OrRU#6~lipX2g;6$P@ZrLu}cwhP|+Xf-cd? zO&3XHzVI8Tr_j9EhSTiV0=O1vxL`b7tgR2cb3_&v_^&PWYoqX#pq}Z9?{cR!3IFjh z67iVikv#uxG)elUH%+fMMp~Xcx24o&b|e8UEXHC{7eT$9Mnlm;c)T()p%1}m6}w5m zuGC;owF3v}4r^qUxWQ;W;oOyLr@hWtppstcAZhPdbOIokUW_fOj8a(rTFq1LJxAsf zChjLmFah0bzYl>S+=O){OpGXj!i{*s5K%=6674nMp4*46EfbIER+ouwUbqQB_l7U2 z*z4_j59_gaC9HSsmKIn0-K{y#w?Z^%eIDQOJr_%;yf%eI6u|Jg&Ss531b`A*1Qh=z z*4Zb@tR3$?hB?dm*UKvlxcG4hz4&DTB~TM#DSdSwNQ zM2a_tT0OGt5$w$@SjN3M2+IW(KqN0zwTa&dW2l9tT#^j9H1c?vdbz^b=p1-53RpB6%d(51 z1ssS!AUV)dllrj8<#(gpg`!9ajRC%rd})4peuaLOe!V~JT$XRsfi(=cdcGi1cIDE= za=Q_ten6zXlAFpC=*EqXg7RTm4H$$xA46S;D#K)h9Pf>l^InpVR80(F< zXQps-b42eupymvXnADA6hehDfeFh$DfAJ6ujTMd=4k*GKGWKI9NjV=v+wyL}Y9h6h z`bsUPzM!U4dr+^{DAX?0Hq<@TM$}H!1gPC=RWd9YmyCx@%ozY#1+u#Tp7(}f;it0rJ`*y-tUY>b-o2;d`d$_9`PBnbrP_Iz~%2{$%6Fm#S5%D=wL=AEBv8xyMpWanpDxmQhE8@ zeF(JJ?SlZ|8V~~Rbbg=YS){k`3C(uI*_8xKUqH}q2545W9;rpq69-u+9 z`(9RkW{IIKep?Us{)6KSD9?ib@HhU$YZ_MUKcytl0?a-L5%T?#DRr@ zMFOWx`9yl{;d3LH6^s!S_o#jzj#A+O0kPuu2PzNu2|YzSA1Ij37r!RbyDLm!K@03v z317Nqr)~V22k;TCak~QQgY~_1wFRc~AUMD$ZrdEUsQ_8I8`|=dA*Xs}+D$#M_oMJw zWZ1Et+V`ZleIzH>=&lO`iaawWW%7#pJY%*Xgr&lJhOmx&cyce8t8QkoevkKCC)?_kk3EF9Xx3`=`-wd4kqwtjH7%HKc!_vH=7TN4{9 zi>6?@7$KR^xkd7kmVY{p;$}iQ@{2h*g;z&oel!n;;ZQ)#}`GkEiWv)YbeTpb*)9Bf<5n`4$L1El`tb4?y|)9M8Z&@jgNx^@U;&h zLpo*WTr2qqJ{7T#O*(T8!N-C(@}p?*>aV#@Q?A+G5?Zm_G7d?IP9Yp9+@7!O^3}Eh zc*}K~%Q`*Qw&hN-jvyJZclV{JpM^c7+(uk2@P;%^dL*PAf;36T7{;!DCY~#O`7TFq zU>|DI=hI$?`jy+=u-!W=MByn2{;l)o*v!JVc5_>ZxaPA|V0v>?7p@)S3Uj}k!&_9= z`_MW_mnKG&Q0DL$VQS51(lqMkEh6|gP}GMOprMT- zuF|zx5fJLMjR-i=z*lO(GiH~u+mw_<0D)X3`+TouVhmUgD7TAH6a3b9Cvx8lcq4bS z4uQyhDQ7_Be$>T@+=p(skvrI?CUXDM%(SDtU~?oFWy)T9cp^#1nO`asmNm|0%w#^- z!fdsYdF1Ij4SpzE!ceaaeE?1qobJBvjxgZWk}~ORwdHWsz=R)KLzzWCg9c&*B|o_2 
zQ{V72-ap8i_>Dbq&&YBXElLnWaG0$yvotFtY5}LhsKN&Bo`Qegz&ppzM07duDxOnQ z;8=uuoQ{1c#Erq@pfcRbj|v0Ed1Dup@GChyS}Tx^dyFy1oa524Dj7@Wl6lBtG7?!Q zqsd<6GcpG91~MR-1epc7k*uS}6Is+KYZNw`GAc8oGwOr<8%d7=6bss4(jen;^EX5+ zm{G>f`b>%a4Jiw}gn-#Ul2EpJWBg6pW@afTh5JBKYg91k*!0E0)Mc7Xr z-KC7Iq!!*ZA@E=Qv{W1&W|E@#2vOm1tl$IV4Ku_+K#c}T+Vxuqy|LgL^yH2!`4^U; z{z6s*67JEq#}uH2*Ti42vh+E2O!yp`ucQaBe9Bexb6~Xi2b!D!tGQU)fs3}jkI0#> zj}JJQ#@1Tyad_$JuXc5!4qa~fw^lOj)MV(LxL_D3@7D)zio*h9*(vVP$LAdtQZ6+y zY_yHtn<;I&HwD>7b+6M;FPv&nIt8)fgqb@L@Z%Kvl}KY6vr|NCSI z7C%|8D}VKKYDR}^BTH5NAa!jnRKFj@@ZI82+ti~CuEQgcDm{KZSSrxYFh96@K-ln-=l zIv#X=QgLwByBwVGRufq;eAVes{bvR5a)Yb}{Pq3hhmI;xC-1JJqOHn;;Nb=Mx$Ush zeT0C!ayqGWwE9b8btq~TW5#O7kkzD>6{eciCZH7-7*?i4tXx0$Eq2!d?_j9Ch-_c- zuumoKTR!$N&Yg|5b+`NOeGiPxeC;~!_9Z9wQXgoXPqfhtT5ADXz2cAX$RW_qj{_D8V%RnnZ4!kZV3qf?MeK9Z%+qnr?<>vQ6z zgRFTvci~k5FH8@Dh_}`Nk!Xp~0>x)|(u0*j3y}o-=ne?jQ#lQz8wP*A4hRgaxVJ7! zR!x#jqHqTa`GgFOjN~+**KYDf^X*hI$7pzPw^ePiG^m&9Fv#CIW)aA`{oP}h{@v@A zuk4D~z@!AMm6ZYWm0TfaOEJ8SI1QgLJg?;NZ6Lxpy%NcX340n+pHKx^xbRlsS>hFH zJ!Pqa(11zfnqqBKHQj_^gj&AzXIqD@k*eJYXmM=*0`=MYr9K_)v*iAnxw0URkUlV zb*5{ob*O8r)ryIfR<$m`R=^f8en?1?2Ya@1d2Cm_3lD<1F5(I1Fr3}nKXKnJL4YES zrKse?7BGz&2>?L@1w;A(1kxbM9E9u)1V!g($|eBCu>vX%2@F$!FaZF_5Ck9~kOlw& zuvcmrk)J?6HR8C*xx#dJhwmR?tKjf87YZ`$RdvPe* zf)5;++W%2ro9VNBJ;PV|dS>6!Rhgg5>oR=HuMEA>+YPm_cr(0btfX%>Vv2qH64*)+ zb-uuDW6Gly<+09bYXHaV3*hO$1@D+4x4!{o-#}f7@(EF~KDQ_9ePnoOij2$zYP*qI zfdPCq>RCn89Z?3fc-K?zAe!3F$qPbvnAlBx8 zb8oS0)+6AoYdmM?#CMnIo2`(QjR3`9X1Htaw5R)B%=FZn)u~BLhP}Vs=jb#O3@>CO z@7`B%DHW|?NvvGk{D3n;Y3gA3PEER754NMqGa}?M6SO77sy9_SjNLiQa|o=M8{3PC zv=DQo2ac(CK*Xd)(w*aY&bK-Bw3K=TB(AG*;vrtBg=H7rUx5q%xcT&ow1}IQqSnG0 zwc-d4p!ag=mqaDfg%4h`r&|rrSrNX8Ta7K{<@_MI0g8C-|3{^shgis#XWN^Tuz?YIfx2{h-A8OTafmPt$~QucQDZG||(f%fi9UJp&!lAy& zM%|rAJAID*d5aNn;+Xkd51Y=#__X&h;|l;6r~>9izOI)vsLnKu&z#URZKdxDr?5VD zMx4}@T~)4v`xygy5LRs*z)POOeM}hi;I?o})=i06h60RJ&4j|}3&vDjMPb?f{-Qz3 zYTzep7HH8#(39YjG?3N+zU8(*ia7sg&w>xehCaj?Q^LV@isX}mAqh`8$TvVoVmOL| 
zjPX7fU{&FPd<@BempyEn>J^4pL*UXSPHPpirU!vYwpM=|vS>`gwwQYbAVe}P+za}G zLlwHW&cp0k&1@RZeAfj?e;&wlT1(Tyn)lPhRx^NWBdis7*jC(J-ePBg5=@E9W|uJP z!L^k}a$4V8ctK%hcGL?>r7&oTRR?#rrJ6FBwAS&q28*KEYJFUrE276boMRy6L_sbH zC89_b=^|RB3Y3CcpyfoFE>k7COe^RTT1?A`iab#VXo;kLCmZ4_eFg2^(R6{0#_8dwLkZ;-0C{6Qb`x@!jgDx)(JU9j5 zTN@yaKCT?)<4J+O2ti?tqV<(0Dl{ZHpp2V@Dc60DcDk@uh;JMn6!~MCCo<1w4y{H= zrx$wvYse^e$>wC#Bp$)~T#13k#I(#~?@&;Jh0TcjDspcRB26FB$PCo< zEL{lCed@BjQK=FZKc`9lPL98YG0Kgv3oBJkb&I3y6-$P;<#8z!BX@h4^JREzl4Ryb z4JFetXXkZ3xf&Q9oUj750(zw9IBnzGZLLrIDQB!F3N`E?M(590=Fk1f`GiPKOpM|k+t(tSGl_frPvUHNV(4pp+VHP4G{AT1QLzDK}&_x z=Q9(guicy=<`op;ZS_2LBBZ+awk|pGn*Th>7s0HFzL?@4q<0KCyL>7*K{-$Wxw}3Z{>Ao?B4R9W?(F z%SBBHI{P zO0s^aoOy@#L&EM(y2M?9tKsrAWz()AZb2v)W}dk&QY+h?|0Ml6U}Q*lBe*;@5RxN9 zKoaN%8P|{M+D1(de;?YWxIQ6rG^DTU2S=&=8hLt4&q7(%X= z2NYuC0rA`-7njvW=6^a1)5YQJH388DfkZ35A|9vZI*sg;@|HGAAru5@FK zs2t;;UdtWOxIi%vWthy=U>b))vGN^Vk{+7qrumOJw==PGGUz0UND(HhUL1n~@%#SE zG3XQ9ha!1kl%&221dHhDDEcSaB`9`t_~OIn^&G_{;-%nS2e#IfC+F?T#FiKu&7dq0 zJZ8LP+8_iK$fIDiyKqUe5$P2O27-Yu!AsDJxCEU?GG@ey|B~>`7RVw9QKbnCM(K^N zK`kc1_B>G-RCy8CepZHY^Wf-J@yPq6(lxDxU8Ks+MlKIT`O_xv*npF_=3Q2B%HCu6 z2*Sy;i7+{cVD$Cc1vxY5Y5!*xfk<*4aU+D~`Fk-6S}e8i71iem5bnP@7z655D3gO2 z8T_kLL8+ju;0Gdd1l{N2>sipH*qLagSwB9mTaqs|L2G_hMT_y_@>(Fjd2oQ@ zAZn8|n(Zqq&%lMyO}WugJMK888&y~5}$hbl^JMp{VW2}r`hoOuUvJr<=?J8@Kk0|nn5(|U}V52H|b1) zfM;qbVksY%X;(a5;;WbrK)t3ot|KTJ$~2CwliF#UEKpU#Eah=o2W4!Bd4T@Q2%t?4 zEM}L&fZsl4L`hxCEuz(lw|-)Oqq8EDC0$W;qKdWghQ~&>ow4gZAKU#)8r4`S2u)KK3Q&E+>2*O2m0WjVpu^} z-a?#mEdC&1y~-B*MM-ytYDLx(C1kpll*H1#5anKs_8lyWmB4D+1K{pYDwv5E@M|cT z`C=x-aCLSNTbKP z2~O&3z%idY26~6)GyShC$J8-`@VSdV{I(&vn9;bW*Ujq6A7r#R`ynWp>)ymSo1)Pm!m+Nv%|Hp&r$Lxo z`<}anV?I+}j{(Ob09IVs0K1aF;8xt0h>CUeHyTmH)fMrD+$aO^4<#OiBgP_gHRK}8 zh7F9%^ZQj41?Ztb{)8h5vlYk&Qnt9s!Y_jukxnp|p`B|o0$tywuQ_3%{Zz@URbE}$ zrYfn!HY9z8Do1biR}yVX5g0E%HujlOM%hnGl){^YqML*s7L4tEW~*Un5K&_rep?UP z6Oryd7VyDN@E@+GP4IQ0-S`{3SEjxnVr~2Lk46Je2ci15DitpWU$c_`^&(P0SlD^ z`|;w65cquE*RI@$ttB0_!2)gm`ht)kW)}#`4-c+cDk5^21w?E@!m&m8)@4DsG=-BP 
z;4`OkK^#3?)NDtsJ9d2-(rwydIr*w7zvGv}XMS*WJKn=zeh(WsY5Y?1NrL5Zy$p!% zrf598KR@JsWCl-H?lnGVnMVf|DOsKug(z&xE+EqN<5C+f5dHZ=b8I=;`ufd9R_YCl8xSnQ4SHYeclgw)@E67 zyaZW>wa1;+5B?qRbY%-m31$PD-_@^ygMERcNU)ltNPTtINNr0^JFE5wE#Efz@U-gG z_?|bL2_`C$i;!x~qS)x4q5tgU_$k@aPtLD9t|@Z*5yfH%;Dn6GL8#Zf)lB7f=zv$1 zV=D~;{~gUs1bb0esQU)|QcCOw_Nb@2Y) z-+-3rjW<#e2hev?d?PrGrGMZ3g#q%=;NU~u7UuFEn~=HcZ@hX1PoiT-y&TSJlCmdJ z8}n796`MBsXU+>ZN3kA1_`-h}#F69IcVWm>-yku?+9Xz4($h%q>5r%Fej**#x*ygL zECB&hp#S5E7eftHYIH+{+ms_2in}W16k{14nr0y@T^H75M4I!Q*ccwcYF=KL4q&=4 zb`Ji7J9>#oL&Qa5b%sH!J6sH_>y)K*Vd==PHI9h;140nRj~XG7zE|h?YZpiR=V4uz zf{~9y8j={%10c$W>s4Jx$~$?!NN<9tc-_gaI9sj8S6m{ZziKF2{4rs%@H$0|6AqoZ z_SSR)hZU@V679Xw#pR^lNh^wOvfTbTi~L>!Rm~TXc4m4nhA&$RU#q>88jlyQJ84<**f4rp7hG`q#ifo$bJ#sJP>!VVi z>#&*;7gQeB@SnAJIz%V~^hC68a9qx|Q(sC+w$e7i>OqnYW6r=g0iasf&tIX-y2&_h zM-?2r55k1Di&&utuuwL9{dBq&A=}R)JW>I+8?2KD1}C3uw7m2Zps3D0mxE~!$Xoc6 zcneSdrU0MOvLkw9Q;Gwz7-K@eo1aC&;^plg!hit5OhrAH2TL)vWT^4D&v}i%XMaHW z_W660Qq~PY2N{5fppsGJVSx`cS`j|gE)V!}VSNRmax@60G+3Nj=PYO7gF-eh0VFU3 zdN^moLJ%M^>lzXGPdg%~Yb0+TI%#4bI|XF^0YP@6!kkM>mv6sKy3?2o#~E{b&%;nF zO{uXoe6oh_-Yxc2B#ipb+sYJg4CD*x3(h9kr9Xh8uS7)ZC~E@4H~@|AEr83)xAK0kCrqtohfk#Gx>Xad6iy% zIJ04;VZzBB4RAaHlZ~Y(_r{O2G`1VbxlZNe?zm#KqR{|S-65y8ym7(FRd!FUCT-l< zQD}sDS`fMg_+a2p9!}#@jcUgk4YV>IDxReHRCyD)xblvsCwIxmj~+PUr=D5W4vj_< z2ag^<)|_v~+8F;NcmBcM05MW)GT~MB{kX#JDkiA1vZ)nR09zHggCwgraP$D9qYlm5 zLk~(H58fm+qM9AVP}o9}fk==cD;vmN)Z?G-5Kw|K5C{V7NZ^YzEx`12(Qa4;`UYN7 zNeolQBL?D_U|+0)Y;baYV8M~B_TZ7U;lqj%1P8%B6l`>GayLvp^^68JN#)c_b`OH{ z8)$Vmsx)k*eFdTZ;A#Ml2kZb=K?cQy6+t3^6utjq%IU(CurDSOi5XgX!4kmL`giZ*?hZ6c!JDubzjU7Ld zPCY5JvTDUh1^bnKRYxu?T{<`_U6(6eV6jruk<0gF4<2(pRutp~9uor;%X*(b zidtJhc%{=4<7fOaU;j#1!&`S-rGqNUd68=`;Rn-HTYi>bndTg)hKuUho%}G(e6mp- zqkfQ0`msxaB=&(8-`ru5E*}3+iL|a6dCm$ z&a!*hh%(nFV4nt2*zan>$_IzI$ys*fm$dF4>R#ectL{ds$Qf8YIioJqUE0!(qj&P( z*YAs@V_jN`*3IMeo2L|i`R~+@qjgu6W4UpwDh5QTyMwq#&9fL`Ajem`o#f{LU4G=^ z9&zdQBNvyhn?8nfpGp$+m70~R?woT0u<~D%Ru=0SZtLg3s@p?-Kxt-qQMub`c6e%c 
zCni4U@(#$)N)Vnt3KH5@QC%(aLQw$&f(5!$H65k;0hP%DW9Z`H#Ul54^wRP#IaxWv z%mP$!$TeNLPD(c>)@JBDeN|_wo_avyH0PsN-I>+BCJigmY$>u<18Gh!La+65c5ez6HA9A;t;^0?aAuv-(Vo6==n1IBV`17tCObg6C#f%U~T%S)_nNEJ0B$O>`XQ#iyo?S_5uxAS{MWAZB3|8*L z$Fe+uY!o`3erXTIs-JXb-K_+f5%g@jIget*qk0@G5Awqj^R$7Ln>FWfoUFXf#?vnp zx_~q=D?O@lR15vCU9fba`khMUR$B(CYdmcPD^F!~71VFGqo7i^Rdh}JP6t*&_*OZo z`;qNQqly(AUJSu~y;b!5EiPU9=o1I{a1*+Gju?vEthmh6SoP5bD~wfl5o_|I>l`a> zcv{eMW-}i7*p(t&Swjj7()Wn+#9ZWwIav!qk>WMCdVtB8MS}Yaq6SCNvoIzP&{?@3 z@Pnj9FowYD1_Up%Tz3{kB^rz!5RKq0j&TbhCRbYv-Ia@oTZtA&^+wCg5diO~%~6u24jVT9|l z`D#{KN-7mElHr`gnS1K-Q8Qg0^)VZwueq$-3xCPaLyu*yP;Ldr5Eb0j_LmUxI93v| z0UayAQNP|UA8tD`vhPvdm5yz7&%;3+>=xomDxyHO3MP7oyE6pZX;xU^ukrICFX99o zL9wYOLGF}~-Xun>JKy(@pHSsk*Bu)MlVDBwb6;Q_-{j;SzEd8o+brKVP>U92$~-@f zmyT80`1wY4M+JU{04sN(=H-p~eU%d3aUkP=iHOo|n&VwekEahwAa|$Nnd9eV<|Fi}B**Gugh4ll!tgj`Ll+$6zKS*T(fUY=fa&hc-K!5y6b<-A67x~{Ju!sDvSwZ-Jz<3%?6BC zgIJ_}QZW!Lk*ek9BynQKPWk16pv)lk4g>T_=ybR~#6Y$R~ zfH}MbBVi@Xgh{|1Zh?f!L=?HfU?x`BfjGEL7`V`$p^P-_kYQM2$Ul-O>q!cLHeeqY^wZLPhzwjA}ecuzFnyi!acmFhDiM0I01xH-D=T*pwG>-M0j` zmjwgg3()_LA=_k}0o9#hB>3H$CGooe#sk9q-?=;b9Wzi3q@MhF zgYl3U6n{3$w)u0BDj~!S`7<37{%1BuEVg_k8IWzHpQ-{y4Kay6lC@7|8w24ZN#KvU z`gv?3L?J@?km5lKt`tWJVl1o)Fh+~ZM<*zZfG{FrdJ zbYscL5|kw}OL>;OOiU?$k~6c4`HA%>IrL{ec}>0@^>;|+h52?9g^4&OYo4GSVNj5X ziu+7^keqhk0SPI*%H;U=NAgpYQA*+E2vmwbVH!BKd?<6{;1S17>eCT8Y5GFZY@$Ro z@)Cktmy*FQ)Eo>zxzJ?^C7o;YrGr{@F)~w#6@Xl)g$D1X*uaagV$KpgM-Nac{#cJtz^r4+&ih z^v?VNxW13BC+H85* zh@ukpC2CC6nW#8XdZGqJC6Y20phRkfl$TUhDo(14)SVO`o8mtpfWH8U2fi1=6@b{t z_y)<0vL?VjjsToALi7j{Z5Rgd?yut1UdTjex0$fFA&SGQvo{XnXO;0*oUJC=9VU zJUIm75Q1@qfdmGXH*uDX@WMId#pC96;{*pDjxAm}@(3kwovr1u;QW6t3t+jp*u8MGm))w(Z9lQ=9=6Lk<_E4_-;Zofl+aejr&l9-747Cr!8F?gKO zQkN56P*mg1zuEvR`!P!2VAQ>10%Acd%~WucAr*FqO&@{qGhAm-g`M)?;nk6vp=RH6 zH-xVor~&f1yW(LV)OZ*bRlz1w2p|8xn457|Z>2o92DoqZRu)qzxqBdy%|PpBU-0kf z_&oRx9Q)lJ_uQF)ASV;y4jo_~wscqo3MY}sNF`bm3FT^`Z*m+BunwD67Lg!M@VOF? z92vn>P$E^Tw|aJhm1CF$Y_+8){H{y?u9njAoT`>8i}hSZLc7H|T)YQW1r9AB`Iem! 
z?r|YE-Mi;1d#O_4Z)%R_VS~_0FnRV}ru+l>)LlgR#!4RnFZ0 z10`%R|IIyB##qWn7d^ymkoAxc07pQ$zkRvKC_Mw!}9sj_wMAz(_^PMV0(<_>8Y9A|C-S9z{*WCh5jIz z{syvpo*dU-D3Dqax91FZ>>~0~ZPg5!H%Hpfubk?%Kh)aY^K(mQhT!99RQ0KkB< zIVXa7lZ{MVVKbOb&=Dd`K_X3q_mDh4Z$&mO#XELHJu<4d$VuNjlT1tT2l?5Lr-f9J zo(b)VB-T<+wdhY4^0d=Vn%Q(x?Z@6HqX^NO*ViVIY8<|jL>)xRA0*@-xhAUKrZmk5 zKyQx_rl8uA57kBL?y&n`uaCTM46@C#8B`TDyQz{?UUf%0k#hyszN{OM*Yvwozgene zKMvv53!g~_?)yd4=L5o>Ijy_$={QqAnH!##e(O>1Iv?|{6CTt()=|?(C7PGU%Bq(N zdZ`kGmm-3tTwmpIiMGGG-m&tLD~ozFQA3ZlVhNv2%;kH$Rd=imOYq>iQGEykuXX!@ z)U(`SsX2GxQKRV68TS*@uIdZH%69iel9uaAG%D6R*^ZY(fw%s-mB_NZ#N z*_9jWc@`AosOd7};I%=uICwp(y`XLnT*@1(XruU+NejVI{>^avSwe{%26-rbXV5xf zrkN{^dl;rA!eJoz_;g5VnN!ZdJ;W*mlcbH23^9`DhQqW&uBn_Xr9Bq;!Z|=~3Y5r5 zh1VW!c{g(0f@EO3lM*;;a}GbSWkgNDAAU_J)2YbaRvoLu6n39L@Y$d`{9d07JhkrY zZ8PBKfoDL=C?4PAl+AENExQvvl{wVvz?{3#9aLo!Nw{Iza+&56{tLQIdY2No%=NjU zXg^s5=>T&H!B002osI7>77-hT9YL%m8wH?;E-I4}yPO=iH5rM$$=>q&BrUVs-zT6% zE-Sp6@qSAvhauM~$e`>Em!tQ^|c~05)P3FV%bQ2Q!P;>BGCf#!d|3%$^Z!)}elXG{&fv&UCeSInws^Vok zd|%J_XCK_>PugONl5 zJj0Mg1cn)7pgTFs33&EF>j9oCots%l2+Ol>fM+3e%s``q!`~8UZbl$@%?`Nibe7%D z-J6`(?4TPP-t!Vc-9?qz%fc2Y2Q${l=8`{?yE_BsqVfkp3!$_>$ zm;Lhw3b=eW1NC_*9CgpvL?D>vOj?x9gucl4%9T#NSnsNLfb1kZ@~uJwIU-{Lh!L3& zK#XKgV33PsXds+(BAFLJ$_TGy%77pdUiRk*O5Dni38Sra#Q3V@c$bj1nGT`5yH}l>SdS+WFZ!V42<|pQ@tSqP5 zlK|cI5KlHO2kv-U8>&WY!^JAB%=yvRf*cB+%ip^Gr)*IO0_@2>x4DJBW>V*2A^LVn?_3HpGn&29HoUu(fFum z8gl&y?K1|!B1%i+xj5q-(X_pCJyZLXK}@$i5|eR@%O(!`;nRM?d)pUMrlE4^BdL*HUz?K&gh6D-Dl3EhWvAnO&`qlfDq((?p8;X zKiOOs{`O4z=bv~>DA$l2|F`Ubo`$2eT|*;w3L*<8KRF1jlo6#!;Ib&&nC}4GaX#0i za>K(H25ez<9ZZX~<+PtiMq66W1eKGG-xs&EF>!mv^FuJL5?J2Vj*rqN;fZ~V0VF!| zM2XM#O-|J8QXL4OFPWZ)e>hZR_)R{8gjDeZ%9qZV=Eo*)T}vSX|O4*t9uUmdC)8HChIk)kO21Be!p{3 zS~z~%j+HSPxkzM`mZ*r9=ty5swDFcUwmSH~>u9z_J#RAET8Hb-*?V!%`NFvQ{$%O) zjRBImhd&JYjs(JPAml#MLgBC?8oxmMA7rDEUKD0GDrBLA79aRLiJA8L)EQ; z5*ir7EBSw#;HU-;@bjpQvJd(j#IeX#H+{WHvOc$~ zq)s7~E(1U9BBpf_$-0QnE+X597WT1=nCz;VK5EVdWEZH*cqVN;A<3$o^CR9P&#EW` z_(zSuhwghR-81H}UQ=Zl^rW} 
z0Nvj&1!C?tzRU4luI?dqKHsH)a86X@Ju-nGuq1$dLA zUOC?kLu8ST?FSZmU1Ev6vquIPMaJw1_^a$NQd&qqDW17Id~$x z_|LC7zb}+q&5>?M+Wx{PSjM|Z@@e=*iB|Rg+xx@nIvX?u>e$=DMl~_AWC6n z6}D7O$4{Q=NmWjqfQ_eQbzG?Msx~BPr#RA*c!La67eO~+PWAq&=rm4B0_jbzkE9yaX&n7S=jO_zxxLmv}HhCM&o zU^&4*1Ep%2*FjVV^|11q;}Dyk@ZiGHKZ0T8M|5Wzc$tt0@ZU%XTCyT57ixAS+|NG@ zseWk3IW@+dRGl4y5#+Us;KP6GGs5eq#uE)IC<36`H@vT{4l2`^VQw}aid6&9v2q)S zC$O=Tp)P=Q4GQ$GB|@dF`VLk!JBA#gFK}-%1`>l?wi5Y>Lz@S$n{!*$U8LQ_AtBW6 zFDlhzG`XPwsw4|;Dz7TXN^^&>@_F#N$3QvnId7i0G3EqH@?MSp_uf`5_!1fvp16@? zbU^$~)S}X|ayWa;klA#gE-q+Dt>`ABRYInaY48@5!hWPj}XOO=MPm9*;E!{WjMDRAxJnpx1AIm z>gkGz|CB|E%wWl(?{=m{CC$$xh!h3np-RIfxUa9MFKgKwXmuVz*X^No4ae>fI$VY% z#26-1WgvSK_<6yJzdE^J?Wm!Co^C+2p+rV1a)QO9(90N+XDVLXAC~|_>1cEaMA~z`r z5=!exNvDGx8}YfYvYsP%S=mXLm6LaY0A%H%nLxp(-IGZPwUb@kYBZ?4$fZOs67Y*4 zwX!TI;U-fgcU%#$`ZZ}|@=syXCuGl9S<#9D3Q?$|QdkKMd;;=P9MwPohVY^iFHQ>> zyz!%2i0!+fSvikxghF@?t2-|ew}?;-dg0@kf^sqQ0e;-JRdB3ZY_i76eDJ3*GpLDL zZVT2kSwR$}O0^j0&ST~Rl;ACU5{|RDNIul#H;nw0$a11|g#JNH8 z+Rbyn@5!f_ju z<5jz)z8d9Hug++=bkN=6Ha1by(}b#_VMF{k6xcmTAtXM9=gZr=C9%nMHkTc z;R5szG|jjut)Kj>ekwO8MT=v4eB41bo4KauH#rG}-H*|!h^8>uY1bY3=MQ2nA7!mT zWRd&za<#eRpG_rJL`@@q+=e{#0jM1KN$7_Sy>6>wv!YWk z>7jdY=cCY#dhYnV>bg>0R9j@{b18JA-ILCU)(ZpO;Jyci%zl|3U!@F8Tg{#U7X@h%lBg00{_m_Y$){Np1Y%%C!c%% z;QGPWEPB<%dXDdL*6|C?=ML_=u2EF*FWh$g+%x(0gyrxnVC5lg*Um>vrZLoX;CX>p%l-jWd0a}1KFBEMRF`EK!bQ_orJiA%WZoCv3X46QvrrMyMYaiTm?MFvTt~}|+ z&n)`?Y%NWE*1X=jzkLatqqmMqPnr+cO<8%L+&yKC>T#>DDNAncjf zeXvg!nZ3;(`KBc!T;I`Mzm4xqTp60eJT(#19On>>btcxBVk1{13f0DQk) zni%x)Gu#8kvL_5g){vsWgpS17!s)pAy2q_#%ysQ5hF(RJzss_XyjS(OwpOcv@N}es zt{LuMbAkKV#RBf_PCD&w2JXi$pDr}!`1N`*kTU1I3tdjaRx!AghDn`SJ?Tdu>?k^l zy2n&qL6|PI3^XR?$1H9fBulS<@I5{T5mNUiRz6nwu=|L*8-nRM0VgzI3l&eC2GS=eaKOo#;7+Co@1Pg`Lm^?xQKZ{z)=X^t5cRHt27g|Dq z!Eo|<%*VM$B%88o6B_$olvvx#SUayo8S9!gfr~m!> zb5DV$*%_pm{^>Sv>icoo-GRv^nDrzGuTV(;4Gy$?RknenO|5ouuWjDUV+io1Zqeav-710jS zi0NIXsDtSeZ8Sfdj)B;@sueVo)Gmd#z-%-wgQH0W9K*I)d9X>tH|oG+n@y{c>&9Gj zcB&dXX z?Zm{W%$`1TNG;>*$Tb6j2d{NsAOhLr?Cci13;pgzi;g_8?t_1|?ktE%99Yf?LvAnC 
zOKc&5T)>qn_CY|`9=F+j z@TdiG&mR%tA_2%TGaiKLB$Nh|QzZ`tVRCbqwBFj5UOG{4tG-?xVm{L$?}edj;TAg% z>3aCiHV5SFxNPL$`9o+%ptHN|W_2}mmEE&DpDpW4lIh?I$^gy189iS73sw=hwLNj5 z$v4iB;D!PjgSEggqOy$kNn!qoslm>ecsFQDOk?&OLy|dxi}ug_j1p zEFF3_pv|EzIiLrfoCr&*XoE=_Y0BPwLRC>ML9}+jYp_agRL5w*M!?Hp`Fv=87#P4{ zuu8B1COEvo%7U6wZnc98k7haJVDs4e&8F2+2iFXfj#_hDggWR-)JN^GOzi8uQT93K z#8^wOa|T*mVigw`no$WaPqncC01I_Tt*Dh29}zxtO;*Oy^c|D*jh^g|$0c{ZCXXe* zP>Q+(Q2P-s)$!ervbja6#c0c|ws^3zX(m{Y4`+3Vki_o7H*x;`^i^?xu)C*tPy}C3 ze+%&(O^}1q4Pv(j8X^0#?OPF2nJUCrXwj3NX-2&l-mKqFGpyya*sLwTesN}b>W};L$B8} zRPP0{9;pUAz%{8uNNEZQvJy@H_Ym1lr5_5xy>_xBkoyVJJMnz@v2~Caqy<;L_wF}C zfb4|zu6^76vK75rmiHw zp=u?O5}y}$j5eV4?(+F_$N78^xfnEOM8>CZh(v~?pj%8_=_6M2A*)G_*Ufm{f2) zvI5%>1jgKs1*=--VJ-ouH!Q zI1raKDZS()Ilw?1od#0}=)Mg-o=>9ToA=ityVpM@$V+W}CoXo@JoUhb{ zjJ6J&^3MknG&wUnlTQ#HApgsc|6sk`FXQKaET-^sr25AuFM>FHn&`JB`u#XA!ttdn zRyIBb!OB|tq2f~)-L|TM4SBlQvAUhaguKv3L;fHC8-$WlWMklc3PH?6cD|R&MxeP?gaOjg@1lHVISfmIMjpC-sIA)K~QOyVO?P9lG{_q$7yg600=d{+sYFmul*YR6w=3(zxus2;XxWIKcxGi|Ve+Hk z8D=T_Q*;R!oe(h}jF~a5lEpf3cQP|4wuG$W zRgvk1e4KzGgH!0+B7p7WG;|_roDlh^GZq$lM4BjL^|kjoYqQd zbxdZ4WgB#{r7+G)&xXQ8AU>B4pHGD$V`Nj(RXIi@ma?D5#+H--Yk>0`9RaOz!L;A5 zZIY9Za!*$oCUor~s()aP(!&3j936K;~=KarFZb;3(fK z5ELNR90D|~9xpk`9jM=`L=@u4^d!VPq^T$66c4@ge}bOoQ|{@YDko8fU}fXr9ackq z$KBwF9NyMlu6%p&HhI*ef?#Aq7Kt&D6Y}4$1d6m%W|Zm@d3%DNVF?u83+zQhvsh>F zlFjh5^6{(024ZVKO1-HwO2$8`A6R*KrSkY!{P>1@$|Qcc?Rv#Oq+>*ck1*27Wl}kl zu?ydi$*JAJ6zMvj(z9SS<>y_InPI(N=WE@HY-wg>E~ediWyD01!E&THMDC3`{MSEk zrpRWEm)b!hD>74xIl_6dic@k@8M|3_X+cZ_OA zHAEPlD53i-jBSh)7;xgr--Jcb$#@kCutq`xu`^5s<`d^=#1Yq$I15ulE+38BmD-te zMuXS@encC$JuO`!cjGV~im?tR)Gx<(JtYZ$rDoHDe*O|f>la#(MyYIx#g8f_iNo^ABv2~j zgljem^YhH$RSY!L=!7JP`=ve4!D`VRl zvaOaPxt}-y#IzW`BYBYOoQ*_)uru}oLOjAj;8%rw5|P4hib6z7Isy_M32_kpsOhRFP>qq3nN$IpwT5DrB_ zKt0CbgY8KKBM6c(jF3Y@2q!sT3k4-?2|l0dyGz)8LZQ1hUZ$`_{#M;BX$n?7zs*u5 zAy8FoH(PSQYtmF%UhJK88o-W$l8*qLe_SNz-t+g;FS$g(Pk#L(MKx~bn3Mc;0%#f7 zw6y0qb&}zzGwve|vR)%A^(C;%(}WG&$2o>}-CN>K=8KiTqC{u3e!@!4BbAj6EB9q> 
ze9oz)zDJ!=z2{)3oqw2I0qpFYt9X~(O{jb?oEM3A&-Th`;`6;sKhh;Kpyi;ATPsT> zGw5$9SlI~$zxO`tJ+G84nD)Gs)V-ujTIDnUd!bNSm15EG7i_@^Pq`OZiNrx1L(b7? z%*E51p88~`8$5dO&`Xjbl)95vpTr%dMBbz8F6_cBLaNh{PpqR8CFxI# z-;KMaDT!eCQS_Q{(!a&>vV;5O;e54M3d`r;CS4y@^!lixNvu0{+1;t_8xKGt-!%y} zI~0&aOZJ?oDXlwFo~x5M)%kyF@Ihq{Coz98Ap0!mnIdNx(V8fdicBzyTnf zgkXAz$xm+K{EF(!CplDlWy{|(6Q|w%D<&Bu)40G9m8dnux-It6aFNvr2RpN|9tU~a z&6@1i$mC5XdarY`h_#j?cW`br;fAtKO|j|1I8Vhq+o~Nw zwpl+9Jz7*`(UDou5=rPI!5LE1R3CE8m}|Rsup19lo;lLUb;jerhbjRskqeK^ewI=Q z4az>#mOT4uO4;^!34h8|kz>szK{y0m0gQ0BzA8FX+9dLm-;(|f3fpi!?Vt)oNQv%L zqJJe>+QA7x&&JbFDj?*ODr$OI(^Nca)M9;(w|g09g99YUOBLG&x-m45;?;<{1q`o%{R_0V}S8o~Th9?$QJ`TEat++LS z1r{O=@i+0gsLL3PN5h1y9FsNaWMP|1sMKauWGh>!)XWF~003i!02mUC$72FT&(oF} z)Ml$^=odiJcmTy<0)q?zNB{r;Bme+F00002-pc{6i|_DurN<1H9HV^40A*xqyR^rL z3z|mP5F0a=JZTy&Z!~+YrM9kbB?Q{o^N!y+7aaTZc#;p(&V+V+eyg=JNz!SK?O(Z# zW1VKLFDQP9JYozbA1+2fSJ0>(|1;7DKir>%HaP9-MB=9d(=1s&p0dHuajVC#eKk1S zyfHH!v8?V^M4`a~Kba(v0B9Xg_K{HF}A^%;gUf{7uhh?v0x46 zjhB+2KWE{R)F!PEkH136lbhz>Vftrua=hvx${*HvRhrMR#c`?jQTdb&~afMt6 zbOrDHoN>x>Q|&eF6qGP!P(DoWHW((z}ZV5scIrp*1 z&_K#^xf$K5LZrb#lw-tM>w_LS`ZQXu;ax5PG?yiVwpLra?TN{gek3i3`>Lu$?zpAfh?yfbjtsWTE6+X%F$t1!$6~6 zbzbl>zML&&xB?{Htf%1>^4)oCZ{E1-LKv#ppb>PKR@m|@E+cBfe^`}3KT6vFE>0Ml ze=n}Cm$JrKVMTrj*#*day}Xsh;gs%#Vh<7RU(KKW+N5sJz$Fdgaex*`N> zmkAChpTp+oC%{Ygn!t!WW7R4|oQ75=C?Y4#m5D(suu+WylZZzH5uuYR0!dQZJfeHZ zwUOnob#AA&0f1Ykxw(smeS)1)SKuFl8DHDwd<@{v0asW9;4HW>TcQ*&rAml8h;zNp z@YmT7>&c0cFA1H-m;D)Z^=B$#dY zg$$e41j|cfkBi>msN0(u*!DS7k3<0svce(u#}VI5=>b!ND@80t1EMwJqGR^q;V6M- zXL{B>&k5v-|27JqG9X<3RUi)UFQA2EHD#!LfApB^?>}=^1Tt4R+j$!dHayq+0o)DA zSAkwzuRA1pvY!q;+j^141W(gCe6=j3d)H9JThk3Wb1Ye2C{p(nM{G|X|sui{5 zU9mY2J%x<_{RxUN=w>T#RA&Nm6l66#eF7wPLz-=a7WMKv5@vjhJruOil%s1|Kh%Ee z!2fLcR&s{Pb4(1h=Zbi=!=EDPvxPr9DP|g_dn~|S@SL#cH;URZuPfLt^$}{=)A9Px zUnoY8S{6Q_TEKAVzzDZ({Hie2}Dzu$qc2 zi81*fD1++5dKq7sHx<>lpig}XHnSJ~s4>uQ_`x3P+QW!K4c(PXa1?-n8Ks`NAsuWm 
zxGxknO8mX8Xoj6WqmH31AMUA@9DHeo7D^H;&;u7tqZqPF%PQ=#bR;O!8(jvrvrE05$95ReSb()-e@Esw1I-1Z9LN?C*#cn1$b)Jw8C3m1xJ-W zO^Ot(vo5nL!Ef2-t`CYuO;*dzuX<1X+5FRrrHeD`GASoPy$^0(ub7q>L>4E#heLLe z#U*oR0Xx_Qh3&oudMrRBq>O7HogMCKzS31pmk_!6w#JSFq$^^RPrL{HWDMjDHr)-h z7==&v7+VyZqgI+F)K@FDJ- zZ%jV%cI0DAVvZdiy6H9~(jjt~w`4A08(m{?IU*#$0?ijPQDbAQhTBU^(>87kW=Pq3 z^Ai7uZkZIqf_qrUG?vjKatv$)L*@R7F#;>Dy zhbbb|wKfwQ+Z+VriuuWcJFl1u<1rjd6Z8W4c1yh!I~?V%8h~J9MkNDiL#D^TOZy3! z!8^}Sm$_6jU8-op>OkNsUXGI9y!cg0rne#-K&+E!HV#v=5%D42wOg3KC73^qk3RpE z0|L$<11{mp_j7bnU9jAXl1MTP#xt$RM#AXu`R^I z*)=>?*`+9q%yP+`)hTq;JNKgJ8&a+r4=~or(Ke>lw zFX#|#Y_-+rqN-2@Kui62tC|Fx;XRA0=~hQ6ZlyYk8v6(^CtU$g!}7H6FucFO(dJw8 zBw@Ke&}6*yfT$YX(-Jw7xh!uO^$YdMh#I$=4A_}Q2DdkT!5v7rsB)+UP{DZznwd;* z%*gLy*Q7j0k((wdCmNssZ)Zr&>n6%2b z7tgm5Znz?C<5|?leb;Lc*X@*A1A>Ak}CfVbn4mocD;H60Niej&E z`fTO9j>-u0l&Ri1TB&If-?ndDNIV9$`8Znfiw`>q~s@z}joPhkc!c{(| zOfhvCt_j%RxD$&bi6090Ls(6rlYLLaQdly5s;83)F#_<@xssUTK| zM_SLPPP3xna=nzuyjEUm-wK5Pua(CrKfx2B9mDwA?YCxjjjF#HG!VS@;w2S+fE|vQ z@UQF(+krFEKspEEUE&qTP1!jq3Y0ocKY&J2${MLSIUJ0zgdm_0`rI4F(O}XLz+|~o zz<2Yzm^h;NQ_ip?Fr8ELtz&b-N{*=Fuuvtk--oCqfle)P>}imC{;;SXce`tpe3o$^ z7POm$1Ht<;ADeW)N)YKj(@o^2R8(k5g5Sk%2^2Lf_6Xtb?QMISmkdIAvMPy>p$Bq4 z&_BwordvBuq=LpzD_WK73}F;vA2wdak)>2O^31bv@sJHSBwJZm>z8F(yO)2nOT{eoagH7*idUBxzI|_V&rC z4pXq+o<4;7`d9%kAu=xl4nwJ9{XK^b;J`1@0UU>pNu--40*n+F5_5;~B0}(<*MA#2 zEu;)-T%ajA&XtHa2pBs@d^Y=l-q%e7{gCG4&K_gA6bFIh>v}!ti-)TxYSK|YZYxwV z<_YreC(8(pLmf-aoqZ}>14vQ9bZA*2n*d4$;=xl$jxopU8=1y(jn-&sZb#y4zbri* zoyTH4I)9=XL;h!)9Mr)9G!1YR5JRhu8i!0{$Tn?-ziMIY>wb+(a1V_7&mcHZ3`@|f z51Yc&TK0S~eiU`pLG-{Gr%V-G6(k62bj=&YkL&NJ6#J;6e&>&Ss6V{_jrreUf1(0a zl$2IVeaoGid<3OQWlLwEMutx-0^A1znsind56OFv1Na#q*vl+h7rcfq*~ltic!Pbb;^-pcvXrYm0|qeVfGTTP{yc_0-!B2S#Xj{8E<Pz%cu_=*Ht8aw&VnYhNm1(=>}Jv+@y06Jz+td=#K{aT zw>N<#;Kl{1JdZ0p>P>wpZs%%&@Qii^-Voo4TCw1!ImKrODda%k4(U{e{=n4!%g9oy z+Tg?$4EyQ61_G}h@a8pgGYygd*6e}41jiSAOQ6Up}GhP4<3(p>f> zJ@W!oWRL1RBkCZxvkUu~whB#hAUk(8IoS<$=az}@wS+T*|E40PIoU%9AVuYObxHlU 
z#m(PBas1Bd2uF!YQ0ZmY%#S$}1H_vHfu0z{ZQ)s-Od>1M6?$^*@cABtH4iv9tQ^Ez zFyM?NJ-Hn4R)%~TM4&!_m)pctC$1!QJ#3%A)eu2NGun1>%FL-iRL5fg{9?gH2m=*1 zE^?GgD|6m((mHlrmSIx`8qqO9O75RGaeX2fO~BO(0oSu{&|djyl6rWQQAomp z$H>SyHF;|mkTHAT@eaG5$512l{XRlhITQu9462`=X$}{n=!diT76xmom8;@VrfA>^ zT{OjEpFos8s~G_;^1WQ(OpMhb@e9!IVKTeZI#a1nVBL|rO2Rm0jot^~JIlH{Al#2X zDQpX6=vHk=J#3Nhc3iGL;QZuo|8veLF3z;9ZsY=j{QFpvh)#tIb`>l*qnMP;g=$Ol zXbLl(wBQ7cEy0S3IfKz}K?A*b_>3oG0uHjr#yI#f{2UXHA}!_b`tDILRdFTNa(TGI zJH%tDyo#UX-@#hUPyYACz01xMC?HHAa`|Mh7)mjwc8WBCbxnT~e~?kc8_Z35Wg*^p zEgq>tS-aSiI_R0lz7NL+O+fPMLwje%n8IO+>-Y9z4%axgU9Zv=t9hg*9$(=wjWpiJ zHFxgMlKjun7h}Mo_^^jNI^VIARFe@>BYTX;p!~vx?o7kRmalO{Im>8P%w5sgYbgHX zsCx>Cee4c<=olMn9!A>)hPfh^7MESh7%Aa}8K@`QYIV}vYQvOX1n4!BfsYRAoiN&R zZy*sbdYDadmMG5dc@(odgV?INQrRNkImvRFgGeDARkde%D+9JFOl&H}9xt1*zcE>+ zoqgI5QNd>(;_8&^&3tlq7Vo0LgFb+RqLr)>*e50Tf&7L+LY86z?Mz_^_Ju4FMhlUP zH#0gHBhRrwB2qIH9qIh|b5koLh%kdD2z=$P5Wgu+_(oFN0Z)wuPzLIC~SSMK;N}@-xO2TQGEUSyCN00zC+~r6rf;@&d zA%TP7K07yRE+D~&G|VUW)a4`g09+7V#>d@3a90v1tJS{A$0bCHP|)#Z9mAXs zOzesfE4ASJxGC@F8H9mMy~xmZ=RX0{>~RmifnM(mx&sOdMe}x**2FZi->xf$+rap5kIwj1f zomf31|A-($aFrCBZ3V@Lvv$Rl&^2MDOdNlbP4;yJPBB;$2%q4=?&OS0^+@S2*V2yU=V_p7gTfvK}9(>*IPPqMB&! 
zekP0Vnmo#2o3z@~T-Rgx29vN_0?1IzY>wArFHw9U=lKr{_*j6JZf}xI$Pq|_B9YYm zUiZnKS_??(f6t!irXPet zCwWfD!IDVS!JUXikN_Q;RoxW(|8dlf%E4T)dPs%!`|x@=GI`!D zVn-*HRwpCnDA%6MX^JqRk+gq#-odbw%AUu(V-xlsF37=2juV~2FjQ$rcg2-tc5C)> z6tf&@Scvq7HX8G9k|aBdtXm)!#}_dO;N}LuoMgBLgN>^CEg{WFGhY>GW?Xcc=nP0= z4){G#{NM;nJwwVlHG@Qmy8I6kNy56B(uanT>Gaq(@l;=`RxQ_SjRyYa@EamPcHeqE zd>OtPqLL?clj_KOhDpoi_-2{|%paC5S~?1_Wi z@V0Jpfp^}zt;rnj3vQ+D&~k`T{Z-O4FJLPJCX4v+miaKAM>NH|_~H^S7{oOr;v=@@ zWjqqZOpUz~_yii%8n`#9dQ`RK<*LMzzt};y5moAK6R>7~jN@m@Vp$10(KBYPBLJda z7w7h43j{@yT$B1r(30i_jT;Um=9v#XaqNHeO=V1+NhBIYWRH(Toj#I1ygiudC7<4g z`hxwWy%^~um;Oe5BKv9kFw#rj^y(m3P9@(vg?jD z<%pJqb7Q9a6L65RsbcKSabW?6n13YdLtDCW(e!kLEFs<}&LR+Wn(jIPM|Po(ofs)M zB}AJ^oHsYj1cs>|JvgMI_U4X}8eXP%dn`$f^pxT{X zwVkL~EtH4N3lw&s^>X+l3xmvVMd;>0ph~4+>JOLu9End(o1zr@wv=^0rOg1=iiJth zu^d7>W{0g6r)hL)naFWqbwEa^rXgs*C7Vf6FPZ?z)ayV@=6{NvaT8*i%MLSj-PYu{ zVrEWR^s2xx1PmA#nB0R59+AR4rDUq@9Tp9^`Xn}0#cckKgFE)ZKvM1;2tm)@9rn07 zJ1qsJ5W>0+oBW0P|Mv^o9+y5#ucF*AUeLhDG#KIVaYnX$oD^qjj8C>StWBkH`m(F- z+EbAj{+7L1a=^G0)Ht^a{Xj`x9qaP!oWsoPxFu37Oz78tv>9Ys#q(^Q+LWN;_lL#A zSw_=9Ed_t*}vZY?lWdNFh=VcCpC0mf--p2pM?7NYOvP8FvbKN&RUS zSRJ)pRL%ObL^1JHyxb-=H}nhZl|m81A#?_MlA*C*8b=4>jp)s~%YCKqZC)MN9+G8H zX>xsG*(A=`T8t}+h=WIFjxW4%T)IUf$nA+^WOoE2D@BFVA|La~^53cIcc&m!i8!>8 zg*Oz8piMc+{6YKt37Gb^EIA<#*1=VM{#Mw&>m-h9tpWIj_k`Tgzfxedq!%ZZIMA2C z<5s5IT=Y6O4x0mhU|it!!e*_SWW)JeA8ycLP_>MIpQ?#|i=JjrD>ivxhB)rs-6CZ# zmCX5V)`GaY6f2HY73+5pyN<*qs~-;hcPY6!et2EfRwCX)`g6ldmnw``0IY{cfQoSV z7cw}r(CxU2$w{pZ^o^k$+G79F>1LX~t|_H=* zHSpE%K6XSkQZVqa*L1m5=2@!POu87g9#vBvO`btbcF7&Fl`3vNc}X+YokjDc$qeWp zgyzf;ssuXkyIKfmPEWOE1kbAS z3EPn*l<~FT{_4c`X-3(NOCab;EaREhDil7-3KA2(hB*UgaB8rnIt1rC3BObu4Z5(@ zhybC)9xcGbw!wp6lOxIM8At^Ue;MaV$C_2ouoAltH^E#>Mpo(_6sMSjY|b*56a^mp>d!FrQFOMkrp=`c z{Wx1Qa{0nSZXHWCyOxh;YspvO2R^P{#5>7FSyeap&@ma#?tzqPoiQbO8)SCyE zZ2bsTg7Yr5JoP{hE<_eWpf`NU*C8Z44r!cKw-J$G$s}cjKdA{VASO0mTrV}{aYzca zia4sC^*WQa$RIz9xE$$&ZS>Eo+uY*r2C~ 
zRQ*=gf>GcpYJ~qtUlBtt+{RnfVUzwTsy$Qh0gNG#T)Wi?}?##VBj{b#knyQ(_BUG80?x1S$hx}NZAChfj}IdxalngJe;79U_=2mfQ9ymj7$=w4ua+g+9U6k#i(s$pY`7#5%t11A)y1S&C3%+{;7q-$4NS!W-0R=UQumP zk<1f^E?9;%Rc$DPbQZ)O-v;J{-4ma!y^aQ`*49}3WHY%ArG`8F)ZT_Ew-SddkO`G$ z8Z&x4h~~Umcl@`Nj`P*_8~?6_O1c6^F0gt0K1PX$^$>_`0J6w1=Y-mNMBG#9D8G1# zi;K_7(UDVCwuU69G!LZuJhRtI6&(X)yXo$KREXp7;#RGPiCr*I-Y%bR#Ic-i59}SE zx@Ns7RS6y1nrK0AEzMvntObq2&qAQ zyw18ThhF}C(b=I-w#%Y@+640T5L6MXOc@3t02P|1QVGwghb%aUv8(fl&@yZ|_f<6Ia{_uS zu4Q#5l}gi6YAE2IfI;ReB=yM_S9!ZcU%)vDTHy{U;#jluYhdgOG2UqX@}WI^K*-ik z)SH0m-~Bd$BnZ{``t%%}D1`AFG?{(qBQ#|q7Q`NA1*!xh=gZpg$vL1*Uk<0#M+XDx zC2fDnuR$)B_`ae$MLrjB6Tb1_&;?+1ltykgBHuP%Ous0-+G6+wL21ghX`T2L8QX#5L|G5CX^|r*aE?y8lm3vG(qX z;pet!WH7CD_PNT#iyC!z7PJ(}BpU%oIxfLnkFH+qXk$Zz3yA9S{XCrqos9+Kn56G> z7?5$vSgYN=xoJ6*hiRP(MSmk>(FJeOhWSD(aIYUBv_}5p@?&N~TDBidxPzMq^Z^43 zF7SVQASu{A!4QqrI&9!5jpsQFz>4kBCg4%R%j94r%!t(}au<#I-lzm^oVzM~n*?0Z zuVcMb1$+RdnN64Mfpx+rlIHf=3BqATj>nQfrFA-X=+UG@B1UMrPYti!NM~AVeo|Yx zu5rV>F4_#T)7fGTV~N+00ycDjyD&}MS=<($Sysc;qwOuOir4S~b2aN`AEfXW;FL4| zPirSxq7n`m9(+B&Mg9K%E^A8Jt?SEwhl$T`iSNm;e8=~F4qLpl)(Ja?6N0Y&)V2=C zp6mO1apzG-iK%w$7?wQSTnJK|C#4riP#ot>1F{*%x1Sw3`^WRid(tI)O;QS4V>L4_ zffXB!-UdBKd?FE47^#SLDz#UWzJvff&s-Bt?(C0-eiR;NWxZ6R4P$f&g zhi@PXF@7#r0KOb~6JsC3o>iqm4wIk}hrT@rFT@Mn^PFCNZ}8<25&%93m44Xd}m8pYE1EN(g8E1GQZWUok0I595e zp_|g+9E=7dZ&jBhk6W7tY?#c!c-7fzi_kxoAV84DUA=k(LoWd)081U!>n_*?zsGn! 
z*y+$equ9d89VZpY3Fy|B1vfBZE=tJ>`$b;?6S?lK2hJO<5P@BKgsFFI^9(Zy7hUS* ztSDBp(^lV!(CM6V-7n?>_&%UjtM+Wfha>W z6?86o3>h{VTSf^vlaqi_9e+%Y53e-O!FV|%SFh25x+z3#9Oat?Ble>FN*@Do!O)21 zqur1CU(F$V^%w=e)%a2@BF9F8$%>Lt7fxfX%zDuyDvuN6g+|+T`V1Jn1C-?5JFj_5 zD~z3hc26JR^`SvGEX)G?yG0M+ZHN2bU#tDYcWf2Yn}N2uC%<9o(P%=wgb=u`lf(p# zCgWt^DHIlZF_+TR`ge|Y;Q1UHKWMAhI;w5{HZLBYOO=rNt^*TU`ZdfzIhU@`RGEQA6+qX>{z+e zCi8RHAN03Rs_iUK;X2n7DBQn0y$Xp(NDOF*vQpR$02i>Ur_scEVQdJ*Rg(+vA9=i^ z&Ioeh{MCLK@&=jAx@zxH;Z9$AAc3t)&^3{-KsrOD`pQ5wmg4Y=vQxyydW;YxNCBsYS7?J;@yj)Dv$nVt8N4v6V=g1k!T~tXC(LG>igM&k`lq@n86Z&Yv|4w} zMGfiyy~Td1%)ct`F8s6~Th#s6KTq*<%ZG3aV@WJ^pe$&Ebw(q159Q~#Bq-oTsUH;k z0Po9)vB$tq$2M8m0REQJhe|Y|*|ELn_1|9X_uL?(MQIcCyK@@5vjj%Qyq7(LT1E0) z(fA>U4$mjrK6a!gqJP$cQYk2$=i4@v$dGda9o6BvLca-14uCseqAH{ zcJPhG%cX`2N5`bjVFD5CAtdzLL*a5c7_H?}RDrO}`KAW%R<10$XU!v0(c0^7-zE4% zy1Psb9G!C|f^N8p63fMx@fQ-~KY!dUvi+D?M1dE2XF`wjt$-d%CE>U>(rZXx0YblbpuyGY z>yP*G!&E4FznVmpB9I-;9Zhj6tG`U>nbtLdsyGanF(Z#tNdVL9rv3u9o+?2~z(FZL z77Atek`2kAxb-6fYQiG8TBf)QGuWg0iPJ_fnGyS3r>?{O3{9s`DQdvpcDbGEGi5!h?ZRj#$b_&sgZ)d!i61P&?IT&b)a=zg z zC)!n{j+!88b^Lg>-X^Y9&bu@$;n70GBm+y}?qCuM!W>f41<~Y3bT8lm$Uhc(4!_0g zq-A|1r0!atocj}#D*$fye;A`wK%Og9%RePV)J``(WsXRU)6JsqaoCH=q_~&aTPyzRbH0;>VG4AHYMSM>1Xa=cr&`^B>6x7Aj zQW`bU{5JJPcpC~e(}VRGz|zN*-ASLzF*d+jy;YqN)xS=(j7%6-aX6*jPEUOppl$A1 z3tDU2R<^;aknH-Ubq^U+pH_v#VCxIlROq$=jEnA9K+SewSnMl|c*51!mB=c}r zVgSOdMiaFYre8A?r4%4z1>|7bO;Mq4@8a6P%{_3qCO=7k>Fs3}{b*Q$Jixo98E&3T zSHVzHu3vQ9$Hsnuu-e7C`e?cqL+Imoci4pYS<_;T>;Bq7ktv7K4jt))9m+l8!8L1h zbH4@#d+tUa>=8&65ldtAx=|#S6zt&h9)BG4AVdY5Ei#_V!K+=SYjU`krdX2zDo*p0 z+}g2o^Q3)mTRa{sd#`Eo+LyYBDl5u}6RAr9@Jd^p3IiURX&-VX{^XS~#6Sq|4iM>r zfY5TSU`}J@HffhD?jMgzFn*Cfv15(VLYn@8fax9G&oMuUU)-7dO{1PqaeTCB=6W7_ z)GCsvNYXCmFb(~bL=7o51p=ZP00;s2+I1F7fY>NxpFz1a$>TiL151r*x)Pb^gh10) zcH{?no|AguY3Bnw&JO-o5iCZAN?8&FjaVC?8VtnbnmB)(^&A3fYBwB|UHNFg8k#FZ zBD6Q*ufStL?GU#*&CxuG9{u9NOUF)4&fIO90U!oFiGVqw_Q^N<&io8ZoaK(6GUSP=Q6YH74DB z)je%Ol*R=3_EUctxyac01s1Y{XW5e~plsng^)LUsg@5w%GWU@s41Pr5c*`|Mw`~y# 
zNlor`veL!Kcd{&jodn`>zI4FX1%>wr7)$9-miQjkC+s$MfiN(PAsH-6iBNZm=d0}H z@{acjF4C5FXkbqK#E_!Sg6#|Aq^#8{>$|(`ucYURo<84{iOEw3EW9oJAHJ$>YXljw z!S*k8&oMOYJox}I;L9R)%&d$Ow;o#^;Mbl`}H-HV0#~h6lqAI}y;q z1GHuAwf(_zMK(E1zipJB?t)I+{0x~1q3trjf65_4Cr3p^4lI;>5uLNOpET>3TwLO` zPS|zdET-1jSpDAM{(+h>UGcRbp0$TLKf06THZ%E~?LH5{Pp<*CG=F7N!GLj{Y*zgR zS-*^n+9-9*u=u`lfD9f<#ZwzBg9KpI$%*(rHiGdf$U1=XS3~0R_ySQbdKTD zq4Jrhlfu}HLbgJJZvYBfM%XJ|TAxuH*Uk~GYA=NjZmED_3%enp1ri&~?{Oz5CBEnI zA%lQK0)V%6_GN5>Sl2|(28WQnW(8?k$!V;hFy=D}`J%Pe|ILfQ{W$ z+*5LY%9G2w!WUz`(tEfoEZ>IQ<*3c#I+==o<~#~tN$#Zfa+~m`?6H{*>iV;dA#meZ zhw^U{|KvZI5)7B|1b`H3wTtP@epEO_@78dCC}_UNJIDL&ZLV9Q5P16a$VA!nUsTCY zm_*xa5zzWm+!xx8D_qvgHJ+*Hs3*k{y(K!sUO$kJGN(rrV2~>xi%J(5GVj;`(FuD# z6TIanNhrMbv!H=`6Y4Hmho*NcP1l|LLX;-5P7)^jsMsSWl>JXMVtJ$86Fvo>F(-v; zZ1u1g{EG_e!cikzYetwo%l z3GsU`a2$I|lkw?S2yqPT=<}KmM5(1;Qc3%iX435>Arm|SUH}`{*#ROqTDfX0>Y4h@MHf#-5y~FW9C|$;VR*dteR*0v{O!3 z+J34_4D=fgk&t-2-KWi5A zPc|nQ@&>U-#z%$d-6D@y&j4&2`ua^+ix#U>TLcyUVXBe8a&Ja9!sw-?<&Lw@(XP`V z8;X2*);MbV(@I%;F;IIKpNIo)_xnBwCo!-YIM#%zvgPPbs(%cDSM5H3Dt>2=qFUM6 z9eCN#E`t+tqm)(Sjeod|5(O0KqKXPVdQ{M$izYg>QKN!R=p)ByYfj z?92j#ZAHn}|4cd_|u$h?|Ngd9SU6L%#$A*ZUJxf!QeFvm0 zS3j`wAVMk$bM%HVl$O}X9s(^1h*$jel7g6x1*z5Qe1DLpWdZT@s6--igt2U(tg7e~ zu)&F%G8_UVD^Ev|c!Ha0&vW zmrGJVH~Wn%C4SpaQC6b-+4p@s52(0y+4zU+XwgA~E}E!NM~@B)6wyV6IyyS2&_ovv z`e@OMUeas!T6#3H&A~3YhQ!#X6o>TnX+2yqU+D>YWclBEAQB}KNW8{pK`gYx>LtZy z-2glSiA=UGg0Mz*@&1CuMY#0qg*3|A<(`V}RpD5Db}F)E0;k(O+8>jpByl94y9BH* z4N}H)Z-T1uB3p2?GFn;cKR0yey(rcIvJGfGTfpijK4pTohbRw1D-hRaO5k0vRxJbcXSs;>VM-M2jH{+S7b=Qc7eDiegOrF=%PX$9UW9?qKgK7w5Xs$ z7hM!6qelf5`s_7($$tC4X-WoGMB!-m<4Rs0{@s9Kg{R0Q;a~UZi_!RTUp0Rks(5zg zB4de6;Eu;Ewv4mySF{Avp?$Y$nkVmjM{6oK;0o(#Ma>8X)1_)$8X{d{!@3Y4QbyJ} zCX1OeMvI~8;^Ms0Nzg~g2~gwXUGaf5h`){<<+UCxZ!??KWx^-e=lBv|>QFlD7tsa1 zsRkQQqsv@Ybq}QH`z;hx&apziY_{o(POXCOL{4N8=tVt zX~uyOPr_)#>wkZ#Ys|{{DRwYV3D2i#Btdiv+nxM~`JtBnWD3lzCS{>jalt^X^2g}C z%5Jo|f+$J@j=oZPbKw{h_|*I zWH=#xdRJ=mA6Z!+%FXcmWA^-ZdLUzvlVJrRGeTzPlL?|hfB_9K7c`7Sp|OUBof=B0 
z8eMsf5jBA1HJGU3>ag)W8~PV;77}_q&ITWD!;gmjga#f27(})5048=m&y|MyJ~Dn< zN7wG`;#c&EMqIJp008Gw&!Rf|vYzLDexDnH8+PXgz23++kN^Wbu@|IUyRczSC-X#4 zm9;PVhEc5*CkMXD{1GRPb*b&8yMgVU5IgAf^oxASVK=el3VP8k!>D97n_PoZz+My`R)7vPROT0&-ujB->*H|ae z$ut@V8iYYvuD)f%a&5GRZ-~1GAo0%7WikGNt)0lXwcP{VD;wd}xCcGo(sK#;7nsh~ z^XE1WG;E6prEr7G7YANlDeKh$gR1jk^=k!3>xLiaP*q+hw|o`Ky}}>pc_F)6VQYKl z=jlw_I~~$BYtt9H^=wzy)NVCUufwXUo(D5T&}!M9M<9^~d@n+C^j3icG#3p7or4bA z>?l}hXqfDmf4<%gS<;~e!HU+IHz#|v`YO-|xf;KRwc zOX45`+(rRzDrD8&Wwmjf{6wEAeYA27mhQnH0TT0%)ReKBVaSz%pg~B(726@X(cqH* zbI-pElF{wbsdQw{3Zh%>M<3}*^(0D_#7Q-z>W(h0N~$3>RT8&9-TFtp$9B*f$;6@Q zoS%M?+dX(AAUeA$W|!5-Fr-rNJ4{EiOQ@&aU4kBKo#oJgsa(Ga}TwN!pc-L+E@Ovf^ z7k`H4F$K@ChAV`Iq(|N~ykU)&s4Ni?3xEW|0|NmBX1j?{{6fTS3op>t5fe+s(yLU7 zQ5qtHJPr%IY%cDs2|;8mRY3%Vmrx!RZyyFJJeG=(p2etPnUa2^6i?TOlG-8~lW)|5 zt4&#^Y%Kk9L1cuK9(e)UU|0pMG=mvt*1Am98M?kv6c+~{G5V~NvS`6}O^^jaroeck zqBn7(u9Ho|@?fyFV6#h%rHD=)oPVR(7=07`#V`t7enkkx3WN!O5->tK4U;Z~ASL&( zotwC~-?v|f)!cl*uqz9AZIPFsN6Q5OQ1%BSMS)^Q~K3*N>OX)TKVu{4B(CElu~0}-+Z$!(k{wZ)G<)MqRuA*T3*h+G3IB-#Qj7^^e^ zJ7Z}HEMkEMHHNh@zbK9%tu-+*4q5SB`ZqBGz*6fXKCHHTSAD=3mlfJde*%jyX&D7T zsTqS3*{8Rul!J&JX!*|W)@GRBYTM@kS8?+~Mqp2+jZ@Ql^Dp7A;+ z7r`tMnDHb7x9c#Ae27dLp|I?w;i!;E`Z+BeGHQTHuTY))bOm|{Se_8`ckb4)VS>6q zxQKLy5mkTS+gb)@46p@Uvy7k@Vc;r?+$ zS$v7o=)I7lmQjfo&zZ@RL&xQn(=&)`xD3aM)V;+Lp;~;ndgy;*m8+ z4SY)x)b$-#ru7AiY|9b~Cm=|)B<%o#eij`fXnlm>(M+8+2gx)$Dx%pTG4YXeU<1Pb z0=<_(MH30@Rp99WzMb+m!Wx@Wjz9wmjkOrP_YE7<9Ymk2q7TEzNg0m-gJ}5C*c-#L zRCE8ZtvTl9YPNNj9jqDBxwX+$w?}(^)U9k%QsYpF+P>l7N0t&DedyRRDHDz4_<0}T zrzzPmDv%*Z##ov}p|8`GR+#wu2hM6kx|fJGwXFuNp0d|KsGfFdxXf1r4x(-yF_!jv zRm%@sPFi8h#YHCWb$W-wt3JKTJdo9wBFX0^fE*8{Sy~Fnj&g0w1-rFRQwhADds8bR zeS5JCv(Br!pPuR;WlBi>sPXgU6N~-np3<&gXT*uNEUY6?0JA(g51ri&3?7$ycP7v*uR3JwSPmrMC z98K}`3kQ&VKHVxu*VC&Zq}OOviE3N*+Wy&NWuO&(l|Bcw_~-X*$lPo6>RDDlo!ZgC zQRud>>njv`WeR<&r+ej0s~z1?H`B>i<}oyvL+GYHjb>thXz%1VTQC5TNH~^$^(L?d z?0oXol?av0eVtPq)fr2Ncv+$DG=6aK8VK-PaM7YOmbS3cEixd55v4`mm5P8fie5(+ zkC)_*+KJx6D;nS{u((^%u74uK#niRXQ1K9o{!h+!L6$)&p*&zmYxT}_672_*lDSDp 
z<>9Jj= z(TsMfm9r^jxZ27=ezHj)9B&#T8n1Vhqem?xy;A5OyJs$$b=T^LUDb-J3q2b(dqk92LBQ&Jt*}#+w1M3;}3_xb~ z)O?RU9r>!8^M_U1Xda(0*pj1ITf?$HHg-MMd4q?Fzwqiv_*SACv4yk9ajV$z1#C>(?=_Xd4KQCf%{!QNQqx7K4N+076i% z{5*Y0gN8nR)$?8b)##nQVpPGDj2mM}uwSDD8bs>-C}|kJvk=NM0kOm10LQ7jaUWzU zYXh4ef7=}mwHbUPJ-u1tk{Wa#IFudg^fFV}zTHf$|AHT9s;|*^db6TaMgkdm*a%|s z1qo>)5viwYGXw4dgdPorcJuMG0GBLCKt`ruMiB)kfEe*N#iWq%XUZ0l&%|8q*mF1T z=W3(&{WjwnIxRbtl1$CR%E?t?d}HtSbm+fP^Mr3Dbc@@Yw!{=Ie~yboSh0Xn!Il(P zrS2xiYtPbxbbF(o$?+iyp5G_Q9qT8_T_t{1wC?VK?4(3UEsP$|v;o;SE1;oAK?*m1 zv_!;Ebut_IimzO|6&>^bSoDSE2$*WVQoS<(ALpj816UFCGT}qTnconuiBJ`xfEiaucv4qx-l@_^x}Blhh@-?=a84 z`O<3-01f!I>7?C=bm{o4jc)zAQ#;q9pp1}kWO*qgX5%Goy=nB9C%?|>qTxUpFdwL0 z7@`%R&IvUk>7NY!9UC`g3b|&4yFU86J!*kRB&2X6QsxYLIHV`UDgVdt zeCg{%FPdWXdW#PzXuzG}mKd`xGe5#5Js1%{dXn(;2Kp)w0Jm%}R0%j15;r#~3D2JYI0TwZUd<;+{ zl>R3~1uhQU9U6mLz9`G`U>#)WV(}9!zn1i-!hi`wrbe7kWUKc4hUG0$4Ki$5EJDWg zCKeOYs{v5NMwahPu5l4d;)+S~Hy$WQ@Vhj)r5}tF;SZ+y1B=|NOj|kCc;= zhiR4&w^oJVAOq8Bw1U2=Pjfi9Pe`{S-Hh_&S1>YuqUJQPL?6V=DX9hY4ibO2{;l`( z=jG6i{)%&lmuwq=inOirjEZXjV7?$0$z1M8@*2P$6v<|i8SN7HB<3n>d$VFnIPiMo zg4AwBewRrAZAZSFm^*uOaUV_j$0g#!$hQa>wwk{=;Tu}`TwpTRKM3LknzjUEgOc!J zv}Cu?5Ojb=ng@}8QRGMRgES-m;s|`~6;4r`#Yv%)9YY^vUfRCXDbY25GM9i#A8}18 z7)~1y7`gVO;w}AVRq9~Fy`c%P&-S5B9>cx4wTYQE27N?Ue2uSf6(sPn$=*g(!P$%e zODb(qR|0cJ_*>ZvfC&dOiX4RV`B76TJutFD-pHD4D#`q-|GpRG7&1Em3lce~tNBzH z-u&gAGku-;oILn+A$V0Ogg9hyJ(NE z6joH>eHPWsEYt_$rOf|JgHEUj{7f_C9KXpc4Q_>qWfBfYGU>cPdc9UM(Pq?qre$)) z8oNAXjlVg0>=kK7TxRL`)FJn=;4!WKi0cRh?lH)`PelD%KnU>1k#G%VW?xs4j6(R& z<`Q26WVS+_DDFZ~d*MN?Mla)dAM0(}@(C{2U21>rJ&JL!Ahk4-nO^^!YBIoOG6$C( zz(oMW%dOIt$0_sPe z^d`MYA_|5i*PP5;jc`eC(#N!ffD<#|l512~jBs7%ka@hb0b+3UoLMFjyD8j{taKDb z*)k1m!zczB;g61N8sWl_HL|9%QX~K)To)b4gmlz>qKp6+T*Ejf-pUKyGjV$?H|jcS67rNvnKX4bgJq{@1!R%Gk$Ss*xXS8F6| zjeW+k5iTvo?;06O`z9%1c&K|7*hU2iGS`-uWFh;kp)W_57x~6hV zjKD|iHEN%EM;^J>O*XrnZHLf$p1RO{T0alXSN&Zrax9Cz=E-C-Sx2w0gzq$3i`emh z4|OqKTN_}(iIgN$-6}Z#WaYLj84>}| 
z6B8##lHBQk^ekv|V%ZYop$^3!8J``6)b=3YAKrdLAg&%zVY0%UEhbhGTuFxzZkY#y}QWei^xL}O3-2W@#)eDrP2)o~mi zo2z=U8+Whne~`Z1?xg5MpclivJz0R}wL|Nt&t(5#pO@Xrr>&D|Sk%WJHvX7aZp`le zt|@5&2aYZJf$udzc#Sr%T34T*<$uz{gwK^czNWJm@I~Xusri+SGCy!_Y~T0%&v_5@ zM_rg>OS_>!@iMQ^(V>L*I*;9d`L5FEK6q1lgjzfg9cWUdEcKB`7M~LIf>4jJ%S@TP z#&i&40bwym#n1h^W_(d%ovx%31nAL@j6Yi+&E=|K%z3rEP%k zM5wiC3HaV)hnBqa6_o{8-D3Dob!XgELG^Yz7mA+KLHFGD^3C(mwpf0%gkELVAfjZTXdOlcHoW_ImW9LUaQj4Jp4mCfIKj+tCOP#X}Q&=Sm@ClTp#H*d`3+AeQZ-r&9L zFaMh86r_m`-Fwknci@x1Bvy!^fCL^RzV`~}My5ATtN#?cw(C7xdFGCYL%oyPM+?5C z-0sk_KD_99Yy8^VXQIpu_-2CHv+Q@8XF@~A?2$O%Xo?G4wug$J8H}DfOAnm9^a1pJ zoJ{p<_`>vgN=iKwvQOM&^aDQXzdZ`T|=Yu@!i*I6`8}!;{pq89cpo<}F(6N}AX=`rK zlRSkpq6FW}qL|+Is^73>3ex4rG=_fe;o20;@e^s3jg)n(mCgV$Mb)7lqRrvoDIytV zAcJsdg9e0z!%>5bFGZ)`7+7b)Qc{ZnT%d>ujjq8GwsSg0#ARZbt{FYD%AYiTXGN(T zSq2f>C%=Y9Js?44D***XMcXKgQFGRdD0DM%w#;N&+g zq~GaxQaXwkW`2uoSs~y^JR9F~eSM#x7Uj}y0aKm^)wZg3KP7&1At;MpiR05$K| zZKT~sV~_8Sw3}&d8n?b;hAir2ixm{`o=`o_;o|unGSKKnT5J3}q+0$56B(JIIo_1d zkDqQV<#WBm9NInqCj#6b+b1Hx-FMaN5a8C!#~K3MdEGb9ZyXxMfu4EoOumtwS|9j+ z=6hSccc@2Rj&Y^Efk>0NCidEDMq`QsiPyZ$Cbcgzq~vP53^5x018YY181=z~a+* zjZEVc5?#a7)ZZ?d>Eh{)eqYD&`JBBH7Id9HfHn)#NTZBhy_8A3nXJ=dmb%quqCxIZ z!gE@cBlaX~HCPSD&elt9W69{EVG{93IT*gBxOBhKKhB}DyW}B_QrU+Yj~kpzk-4U0 zle>gS`%{ocnv{U``?|VSw+66L1Z`C1BaLGxeMyIgSe2*aIp#6DoOU|;2%`${efRuU zb0tn??W4M&Ourp<9l1C5^LxH$(C=>cx zXr>eqXDg`zjPFBnK%1zQR6J>o95=+aEocltM8rnknzSp?#hBoE^=o5}(le;$2Mnqz#UtSs!s zjU3u>UI6*)sluZ&d{@eAbI-={n@!t8RmbbnO5rmBWwCaYPG3Iw0C2zPjobX~IsKx; zqMuwUpQenQxKWM%!Y3$3N%CN$DHWK^tw(jEXP7@`8VcTjIx{{zgfpAp#{ca@aQpjf z>+2J{?TPoGpseZb-aN9Hy$DTFm$@RXLO$UNd{%xX3iaRC?60@^V5I3`X1RGiQud>)~2?*q7`vK*{ zevX_nAN14x1Z@)7Nx&z;pf+VTxn6kH;g(_jrMmXqWm)U@1s*A7!1R4 zhGtetC_^ZVk!iU+fGokksRyI_LtZ>K+33S)IMB1m!3MoVrF%ZJfbXk8u;nw*37q-j zylyhC8O6pnE?mYjEnD}?vt6;-Yli{$VHSJ6Vr{@@G=DPP7?X6!qt9ow31v2&%nt#c zIGapnb2s8fd}&ll?H!321(!yp5kK6Gd(4Ms5lK<-ZLAN?=0iWWgulMOUH?^d>#pZ+ zrsyEo*6t(V`|thr^<8=JXSCwE$W5!N;Ahkc$F3>}@{fsY_jT)}ZXb9(y`HE#RmYdg 
zIH=X^rRQP;Nl)M#5PD_zBFpJ<(epc-YQ!Hz(owtbka57b9=ZPJ!M(kO-Ns%XkiB3r zeI+M&z1}skigY%cJu{}=4WrR$0Qt2HlUaqgHl1*QgJbHiU30OOP=9}B^7rqrB}Mb(_as{d~^w*+lL zz;_i1ReDXFRS12-capy8$r%XZYI(H*X~|EY-dcmA$$CBpVmw+q;xm0w55$=`RpX4U zpf1B<15}8-#}~)KH&lqLDL4qURTD&5EX#x%Sb#u=-~dp8t#T)y0gTO~W8gdMiy$z3 z{aW%83-&1rn(krI-+O7Xm=fKC>5BvwulhRrw`T^*6BNL(r*cvPPbFLhvN*lZZukkG z5drlT##>ihojSBPA1`Ph??c@)-fyrO*Vx)S1&r$6?-*L*Bc?D8(m#z^l$2A zEoJ5sYV}-j;L6VmtU(ko{No3N;LWlEvX^EqRtd<_-{_rDxy3&KF*#^Wq9+voKxlq; zP6%^}FNx6LkzAu#T(nqlAmG_CECN<8zKw+d*Cw?MzPZ@6tSVV}1-uaZ^mO{g!oC(z z?W;%11^%6umKtF}9V+MA2xOksbz@sKnyQkz2l7_EbeCINtyYiw9sikTe7=GN8P|)y zbRz1>7LE#kR{{J1D0&=Go!(SJ7ccSaTRBRw!k09ER6NbBV{BD)RdA!S*m8HByPw_t zKv3iPrmyp--;)~^ePi>NK?@fV=vR)lCl;HE%8;dhTX^;T=Kp zT7FL=6h2U}yTGA>iV9M=v^>K=jeg1;o;gm1CisA$*?*w7@tQp{>eGFF!H>Ifn#$jI z<2O|~+CtP;)xaAvB-MzuI%QpwJ$kiH9wbd_g+$0UOD46OA(}=k2BJ);6RI|uW@fro zzy&fih6Ly>K3{059rT4jG?xVQ2B`E%65RpJ@3W-9@U>UUJizE&&o_eLiq-1(8S|Bk zfTF%L(VDMV#p};E;dx> zV#DlrtMb+AhB14!TI~+%JlkIF$|)j;%T;zvJC@~O#mr7OGo`J^>TH(!pgKm)0>JGP zquF#msoyecOvjF@$e(Rn__QyNXtwZMxE| z8IyqT=+o&`@u2!tL7k&SsbhKA1qLB3$tz1p?Q%6apACG8ts!)Q7*08(-a`wHNXp{t0xS2C@C{bWDwPx%3y>44@30QO)HI=k#s_}8;=5xy7S&_zFM zXU>masd`S;sd|*lTWc(5p6(bw>)+CIAXTOvlUcUY(NHVCLa*A{ACA)FJi&uz2_=1jsvQ^2lFEOu^UR;k z4rI!JeqDP2VO62Qgx8WDgccBUAm*6(0%8z+)w*7(pWbj?P_-N;Y2&v>hm zB`6nubh)4)3g{zx1Ns_K`9NpK;DEZBO9w4_T01_)-Q+98B?=ec2cZ;+S69%jxEXIH zk@Ug1m{Hf;`OP&~W$jg^2b@gLll1(Jozv;r?ujiP;epb|o?q!vxIq<(>1w4}4--#e zctk#eYwFWGW0iE6^wS*cqu3}<1)K5hT&5yUGeL8yf-rwBjbR)7wY6@Kz3acdwaxf? 
zdfzcyZLZDr-}vKr?f0Ed=8DCCy+)hXLx=z%IhU}u%$S+?X$D_i*Zw@dwv4d)T>On#7G#f6i z__gi6LGC-~oxZ&C(fzKNT;5B}5~9QGyN_fA>C_gZDpnBvxfYKX=4ddpn7$H`@$$vBiPd-KQ6>Tfky zKEgMmjT9Dl+dd1id%+^s~0mC9vzsusFe>LnaEM+`7~pa)tPoF6>jnh5R2KwC`~=S~lPwq- zQ>=@3@l`+NCOt0r&BfkC{pAEMkS+4?kgco|zEwQ+GK4xR1>Y(xc=6~UfQ0Ck$`Pl5 z857YP-P(bsk;8SWv+$awwf30RWP1#tnUFslb%o=*4SX_GN$Src44e%UFYIn};jm&=__2 z#qe!w9iG0Z;${R6zbXFL`2)q_7Xc9N;n$900lOx8ee_3q)NSg+e4Anc_?}Aq3IN}K zb%k_vDSoU{dQo+1fNhPRc^BOzjMHg@y_R#4lplrDuh7!hU_RFHT@`hkAllgKg>?N2 z1N-A2G+GK9`#RA+K`yeN?5)yNmH<6K!oLkwYhyLT`AVA>>7;!0+U66F0MU^C&~c@? zYBhe$&9kRSK)N+*cQQ?r4(Xl-o+@Ah-q%v#2KNYA70t(V6WNeR8n0}=qhgb4u4 zz7{0xE1>7|1=J)El05tF7I1~QvIZY^V?7^F&)kz6Dsm@q;yC(F9n5})7%iLLIcD^J zz3L=Sx9V^=IFv@GFAUfw;^I=$Jzp+d&9r7`iawU-9NxcF z6w}b-*+W3Rt>sMrgH=zkge7`Ggf7ZBUd_9DL|F)dibQwaJS}l^uBgIDCALPssyn(Hx`C!4(h$5m1j`4bAmxKWo_nl9?h%P(yo&k#nLjzbSoL}Fh-Avlq1Z$ z=u@iRec)`CBgv2PCGvf z_yZBHWAWHsx_FET3_@V^;(=C;*z=C9Z+KMh?x6A(mZsc<&KV!>4=2$&RRl&az&C|{iPo)fN`IhMaFyRCHo`Ds zt>{)`)`u;Y^BR@FoWr8-FJ&=WhxE!>_MH7et$(=Q7j*D&aS52+XhI{cV~CLt1*?9I zI?qpk9Za_t9ujOCJrB{UU-vRl;2R2pS~YC9tX;}@nC|$8fU~F|+B<;OWsRk>m_2|~ z6AZj@dg{zTQoQx?Az8d3I^5OT=Ejs^#FqHHhNoVuz3IQDeTF|j!{|+tU$6TYBbY>~ z(4k?Px?9R3cei>C>K6yW=tQMonu%O9J&WK9{K- zUF@m5GR~%64BzP*PWs!_Kn3HiA7C_Ujbd}sL|UpR`i`yf@Kbd$`_AVdzaxT(X|HDH z@>!SYFh{=Xdyd$XtTi2lZNfb@0fgZ@iG3(d3W>tu$i)Xnqhn!=Xhm)#k}SLczPJug zfg{sCv9y1vwnL`}|9|vp|NV(V?4PG6f`LQD(+}j4-kJK$9y^RwZ#Q2C)(rmreD4_PyS8DsZi zu`Dwa=}NrGjWTUE;J$H72~qs>zJ^GG z3kdb{0``N6-D=XbU50IW@m;z7GZHUfKJq{_0HTv}gSe}CpiF6Czr=NV;YpQB{JAu= z)ME9gRvO_O{w_+mJa$X~%xq8ol~(~H03b2*xl~$knZdeV&T|&yw!ae~fG z4oO8YA=Y-~&e=(z`~0M;2#S*n9M5Mn?(X?)o}nNXJ)2q@p3f$ZAJ1n~OWgC>{E42= zW`nF}lf{nbvnifZlovuQ3~dfa6fqNRru=ClMNh7!#$Qf0Mec0M9Wb-f%?Fh8w}ayb z7Ca(eAZD|YLc&r4hZAX4gj~lsVdYVv0HXSZdD3tE=1({S?*SjWqrGi3G)kDtum_A{97)FhAsNbg70xA#Gw0y6h@cA+h2N7ti;floQxZ?q&{ujlu-%HA&xdW--Kbww{BF5V)aAZquy{GQv0}*s--r%>9{mapDuuq@oE>41 zv7$9B66>VHxq)w!=egO!F?49L@?E{*yA#dx^gt0!gCYsV@0*Ujv>Y7Rnp51ZG&avw 
zg7jtW*f4Rb)9WZUdy98pel)s6*{?)+a776fF%Ueu6wIDXeDVn^EHLx=TyKqIoe4jf zE1=2zmwhm?(0qBvi6U|^CRYe8?+X_bA3qjAQrQvuXKxhki}F6H<+DgTs{xB1tFM2k zWe9b|X2Hb@gQlk-ro!=_?Od*KX{gnWyG1J3OkR^orIB)$Svw z7c&jU{+q7yQ>Ldi4keyOtkI>$KQ^}2*waX~FsIEwgW+J70L~ z?&-4^Ip6I}x5AzA);Y5zLUcJ2?`zfp4fk}vw7)c4P@1!xRpZXiGtGpDGg6s(>C1#sX2_#v=1=K!H znDXSqk{XC{JK~JMIr8SqlRau+07wyfV(Cw!w1MsUBhz988MFX#!oLQbEl@0&=u=4l zm{{fEV8+n8EG8?$>b)@z8DB|-^rKhtWW@RLab3%51`|XxS}jOe!IgoQ2_Z+so((92 z5SVGwQz26b0VN88HZxUbq)dDoOvqUgMM2t8QJr0{LIfyfCy6y$k)QGt2mz+1zm!_} zBFxdhs-!FQSxg~SF$M*SvGncCnX(j-CxK&Q>E9W|?vBOqM>_I-tB+;($ghhNihh$B@+?q+9u}2KO@gDvX^W`jdPG74+GVqsTe` z4>~K5qa2>(&ZLs-*!jGlY80J8pQ#}c*m=y9_8fPvlV}S|N)|0UOIUO1+D0-@EOw;q zBdObeU$Q<;@ad4qR}8o`!nQUJ(WDZ%)i4_}o?Nbtu&zWjsT^IZr%UtbQYz`IJrsOb ziDl-zJLhuAg2{cW37fi>LGDJCRW2l$a+}iP{uV<@?2IGeevDo|Lxe-Li#ApvD{ z5^k|2{62IceIAo!kPL?rwl#ab)3xa{88^2x0BE1-B&6qpbg!CvYD%poSk}9%?Y?ZU z#I2)FPY!zlZtaxft_e3k>`iXXys+f3Z*gn<$2T|1z+wOJ^;NNO6S_19(|&5bUt-{GwX?o*TiNBL+>*u+;f&8 zgd^laD5sEFFTCRGCVZaP$Lw;xIsDmnuzE@hlmOR$`*VJb!0V-P9>DAY;`gXukz{VG z{##GIu~}5Rv54RFVvGSl`O{xMu3`+^SWab~0tqyaVUKr)9Dejakx6O*Y&{%)6C44D zz*FHyQ-dfroJz0Q`|=As<)mNWD5^mM z^Lpel(+IA>o7T%sn{CsUiM45KOWtr1s&coiHS}ey zJI=Pj^10?Pl#_`Tc~gEm%g#eFnqDbp*0Kxdo=}=wlxt;F-2I2mYues(Gf!yzZA1Rx zr1Sx>XLhG&PBJ3(k7nK|=?XHpX_=i(X5b($UQV zZl+vEt}l_<&-j9gTi^`6o*@b;htCD}pLVPX_ewV6V0F)ee6?TJpY^bOJHx&&0w<~A z>G0@_>oiD~!I~4O?*p^CpQ@*`t8uFKw(#Cw+Dy+hr2v+X2mIqGpZL)Nqah=n=jHaj zED-HSPRBl8AbAk$g|{BAWk9pO-=-E#_%L)Ixvm7RWi6fPQ^`ZIy^#v}| z1SW~`U4c}2^D2QQCB6}&v|>+>JcfJoy0wX)08Et>=lJl(>EYIDYBGt4!-*^MpdHI% zuX!P6p+eXR0cex_FDe9QhvZD;l0>|G!MR>P>UAg#Uh}dZSRdo>;vL&P5o3xhX6eED z9+9Db-_Lan!&Ps)bqDfC^h-h>eY4ER$I|(X9=^fB8hm?=lv`MP5+nn4uW;r3DISW5 zC=o&wbOSMGC1XT$AB*#$J&DxF?FPX3Zp;C`?U;84|I>hHw8?diM*GI1*lsvX#>Xef zjfm6l@#2HY4@Q{`A%C)?1Uz$++Kxnwc6q8viH_*QJZY4;$E_HNH#oR4`GA@n)Q`ml zwVTd6rkis1lm2;yNqwH^C)EFm0fomDj`d6D^VyFQ-qCWlaGQ~x-+8gvz!z%^cd2>O z@!A-@?#^Yg*)ePcral73vRG_3PbTKk{2JY3g@uS~9*yQsMB7?*Msw%$O!sQWu?yT; 
zxPb4cvu<`DSiKHqgfZKz$|Y6r;gn-L87;s!G(WW89^_y5vXjGkIGl$@5f#j9iI*2a zY8RJFe!Vtn~ru^H!1ilXdPXED6Y?TW{976qT9;Gr# zwAA`p{Ar@i0}2dPdG-1p2Op5oiZFeZ6;a>g{euR3EK%TP24{K;RlUQa69n#+KK6D~ z(GLw%Ij>3mnIiTMR8P>{0r$q8e(lPmU3#{Q1vM|f)=r#RLa){_wN+~!NWzbH@zn$i zRD46T?6wP_?geIyU4lMi2#u(l$`s_pP>KUdNugL4)U)|%ML|WBlKiJ~(_n8aDSIUy z!2)!Zb?T4rR|BA-RwbEIk~`OvB@DiEMLusos}$X^8@W=Wc(L9o4jN0d!!F86NclW0 zD*lfZiwux)li#kjjy!e51KXnGHVtLB&KD+b>)^44FY!7NK5SFQhZdA2l2* z8Zmb3lZnczLI*{_?2(^6R1~yAMg?@!mtL>zPz*%-S;endR_qmf#X&_vie|;KVj;0u zkYDZc(_KYFZGN3Kqv%zWXa!E6KYvS6QSjWw{GTL#H@z|~W6Pp$OVq$YNWa{$;`h-5 z#m8YClqg_5`sg%Dk#-nrpAZ-pZb)SC0H0QiDHI+kGrF!zkbI_G%}~8 z2G;KteA|JsZbqNq$53fUI-K{3616KT9y^?&d7OPTxBgOas3c2B4bahsY==%NucMVCx*8+DZl1CR&r0W5nDm)#n zJxWn+t5!>V_~aiOX*>%n30vvws+OpDGD{)2#iFyX1Ygs?JG3*~85`n}nFIM-wD#i& z5eww+Ap#B#e|V*aJ8(ped$?OxKq)V&@{GhyEtC%GwIH&jU7hp_E{z%pt||Ga5qr^{ zK_(OSXmACx!JD3Zg(IDiSbR=KgvzM7DRsz*WWrAAmt9y0sq`SKQ%Q43;hT%-Wm;Qy zao8&Q!7p{BA@oLM@8_%R>2xHeo{moG2NahwzP2R6T(k=Er^;HVuPt+EZ6qPO`|qnH zL|3OzxhZ~F&_E&pQjqTc^HmDc+0l!ZSA)Jvf^>HJ>N>Q#)>9{u2+=L5(+QWXc-%>I zg`=3Yn46-{_N>U%Lo>s`Si5!2QV|ShKoGxkx6<*$koyocLpY1CYfSk#I$n8AZ@iL^ z$Td<^4SRpSQZ_o(Xw{KDnQ246CxxVIF(3=+{=U*fU7Gx4W7k^bhYm^iVxl`*qfeZmE%;+flxHNIw#SY!Y%}D#;O7Ob@W5 z{uq{6adZXAd&GtVqVdg`xNAr}5_4hW*aFdo85fA;q!YpQ$#=$^&CL$zp zm99xm@-@gVkOxRMe3K%cZ3`L6E5!+DCP*m`5%*bgU<3f4$RG>upD~g_rulpZEjdB; z+n$-2NXp6;OhtJ!5bzz)lyf(EZKQ*b2U~$Mjzvv~=s$cHY57M5PVJO(!>)^U!;I{@ zjPX0?j2~yBbMSesfK8PN5%SD*2GCQ^MW6slo++ARIW~PICA1hlrPS7saHHI=1|K+( zzN+dk`i3f~AV71pZY>|NWhfyfw;t?)hlf;v>>4Q}F_Evfl*dXP5Ai8%ODr{*U2WwB zvW!+B0dFaDnJ&TX>^Z*;AAYRSVuD%7a~$|_)6YC7$vxpHmRX#P&{va`D@FZf5_>J7 zN1x6n6T}iX)0NUJ5Lp(7u;HLv_gwH-sipFKIH$4cy|!6#ncCUO+ z>J-vuSido};kFurS|^|}^hFrtq)k5OK%0hsol@5Jm~_TV|g3Rrt(Z; z(mTM-1g3mfCAYNU#*eckW%^Yx%$5+rcm5zR!Nmo6w_7eUiHIhal*_^JnYa#YmR&t| z;@O2)S$qej*7#=HrBB5o?9+c_l_Hs_tjIEgxKsyzVuGwHB;TQ|TLY2GG6lvM5tL(W zgXpSEd(od*GHZ+cK;~9bTKZagbIOXvj`S${_Kv=D%s=YpgFnyvGFejZo(#7Ki($#P zH3sh&t=)R(+-{$kM4zzKRr)M$`ut=)4x&4RR-I-lP#FEYC#nl%pr%kE_R@>ZGd^r! 
z&-Zv8^#jt7aJstcErjT^E5=a%*oCs8FAHdR7$)Cm6Ev_M6QIKYe;)yxLO=#(_zBdz z2Q&P;2EX>x_f>`XL>t&xijt;Xpk^aH<_;vN>5UXBBp7hUAi+0JfcW&QfslgEiH;k? zRUjGI)!>CBpZ2xh0aTs*HcHeI#Q9NW1!#ZSdKHfV(_T&Y&8`4_ePs8>-UBmdyskO)K+gWkGO{n2rY>rGlll!<9GKQcYDs>g zKIIm9kqC160to+?@ra8BI1w#pQ{wZs{P|@<|66MEgs6|U?B9IECjHY`Npl507F8CL z?LGhp9Ds*!rUzZw#B&h3od%(7HcRmN8$8_$OkH_M0mrqEyTl-{xQBNwtqMul_E|P*{G03(4HUU3~ z5lDmeND1~7h0wAh;V8+Js?MzJE@EMD@+v(=9Z%&*a_eKQ=Y;RAx~K@0 z{?KO%pvw^&2Rv+kwCIT^d+s38Wa?<7PO`z|<4@+&7+EK2N${1*L$;zW!w~J?8EW}( zblixIz7rCFV2VH;lxtvoM-B@qI&9G6k7#q|D=(?o=Ip=h#H8#7f{P6HlI&~5TTcBb zu`|0EY}HsdrX=g>1?EmB7P|#?DVY%U#_I)QY^t7!-%oA`444Xney39z80uom%Cg-6 zneA>Pb><7$_Tk<^_o@Q7SX(_Xwhy3AWkY_Xd|@#`DXZS}#_K<5Vu)4GG+pilq+2R; zs0IYJbCe_X*wthpx@uW!O2kshLPCkEK2?ANn9b`S7S`^hBKXX(C%$@CfX~tKt|m({ zO*q%+j-Jr>N0qeM9t^4<4$h6n-`gV>0iceSI!q(5oLb2AC6I5g%<}^ibT94kl5( zl1acCRPSz`Fh1FJaFcDY4(z>hB zMDqNm81vRaPdjD}hJipMTV`C?qn{*;d^i z${Dz6MX6);4~!05QAaAuYp&{a=25BqGyPo#$}eFWv?<7mZATq-1hOL zn;?wqTrfk-na@5^s$A)$Ei}-@Z=WOtm)jpC;i(I)@Byo)u#qo3eIr~vv&ZVn8LPr( zy)cxkr-~-{fso`9jes?xPL5@hsn>AX({rbD`(;DG+A%o65K#F>-(3pnk@QdcEjtfN zPi;g%8G(Vr78?8@PMWqWAzyRjjx~ltkR!bAq{O5{Ks8^Dx@Z@|!$j>qb;d8;2(Udd9$^ZHt-#mAJI>G~M zRc3WQY|C^M>=MS$qqB-Mh5bVdv#;;cKi#ywl z=>;{L4L(RGr9$TEQnS5hC)!1SbZoqo0O^|i&;@d_jxZMSz5>dHSIE0>UW7D09jUyP zNkiTtD5Do|#XzSAa*t2X=wVZte1)F{eXD_24}LU@&yAn%>sCbJ`}p_$wsp%KrP}x0 z>q%j+Iv0P=#!r>CPlaPuj(tS!wo{c?2kA$&G%*}&Azf*M23Cix63p2lpP8yH7JcJrO_$|Jv&YMib(mm<2fANTD7gy4}2=6d|OLd zgwfxz^&B^wu$4oz_-a!X+~XbgG;MURXPvcbw?uS8+;Dp#LJ9Q8-Ktme5O8738mCVh zsXt+;o2!O&>XmF$pCTR|ciXBwp`+DqssmfrHn!It>mA$cj^2Z>S~#(L4cM(X-<7ns z;YjU;l^~4v<{LzKN4Z!GPL{GD^#nUR@DcqFJbs9*k&Hj;QKa6dm(v8i*asF%c%<8$9 zHkx6U@e7=b;;$UzbLBZklHO^H<@JPeHk-^1(QX%nDP7Hg3J3znIYi);SA$$b1FIc# z(H0JrYRD$hHQ+j>@Ja>Qk8*?JH`KlEak(mIPQCuowhfd}eE#C{mrzq5>K1HktSc0) zEu$;g*>wk$5>Qvp9-s{Fs9*s&cc^1t)A^w;_SaRFVKkwEp5!a&`H{QjLnD=d%n(8q z4W(R1g{ugz4c5i4ErZo^RNHtv(ks~7kP%^=BWC!)6}Oe4W_s;ZBK}afRP+KfPBoXL zx@-%Qtqm4qC1tZ4HX?-8kg*--Hn`p=xfBN`Uy6{=^n&|uZDm&cC2>hBe1@P!P6%LZ 
zi9mAh(?u&gb@AKbQEt`N83g*nl|In)89={IUdx`Mcs5u-vD&b373zoA63GvBg|Rr; zCY+DiPd$B!#lGl&Mbj`;iy#Xm^R6&)5G7*`--l>i`Koj!um{=)lW5rU5XC*Vj>G9{!$&=MN@m zBz>REvvUPpqAs~NF+>CF*OkGwc0T_QA*tt3evRd10uHVWeT@w=a3fP9%_v{uSbBj7 zjwD!5$IdU)ssSZ!N~8!bQ>MmxawoMEd13)2>pWpJ5#OuLUdKh?7<>^Y`L`&So3l`| zC{GL%Cs2lb7WZ}nP~lA9G>E7J(GW4QA-S(X}vM&F7SPgMi8!K>ynmTIk6Cjygdz_*WY5@{j)2aUmYj*idWwic6%?ePKY z^f`oHJ=KLy+R-vFkeJKghJlv?hPBVmuRMN@*VXo^k$$9bd5K6#v*HDu;j%O91L2B` zDAkWds{8d3PgIT_zt_E3QVMbHWePr-vewVXkltXkfJ|s{WCGXbzdbUXTa7HCSI}!L zw>HV$h&7H$FhS;nNm(4R2%thw1c*GySBQ@-|Bo~##B#-77XwK!6Lw3Q0S>@e*f>}{ zEsUH2DVD#&_t~7XeH)PSM)h_8d9c;K8K}9-pde6xi4oWAwlv}v(`#-Ka+4$6Vn*kg44Q3mLx12a7Jb-$ z8Y)2izeC%J#oM<-f>DCO&u;hnbBwsb!mj=0X~Z2q{-{;i!KxeckoLKWs8k76o(WHl z000080AqCk7#56%qro%`<0$to0CYy{XDJvUiLj$E3J^jD6p;Y|0RRL50DurjiY&~W zv1#knMoKSDlI8CsAG>@6&i&6awwqSOa(@ddHtqb!pXldf(yoaNEr7vL{P?>j$B6cF z{Ox*$dNF?FUKRM2xNq1C?0TbF&|RhG2BEL8ST~d#5Xyh5G)#(peNU6ZbKe)0?va9B zfpsHe_&`G>HHU>EvRvFVc!JaNKp31A%B|Gjb)7BAk5#V0U(nW*AHoOhf|-<##!xYq z>U70QV%}Nmd?1cQXPCdNCHG_HmrC%(9_OuQ+DXtN)ad&$%XR;R1}SMxK1#R;@jlg= zC*3k>+J2UKQ4AYlW1~5$G+&hr>KwxWpr1@(j)`9Gn*~Sw2F%_Xf(Yo|KJC-8SFADC_jwoRwhC71kF zQ~O2MQsb)GGg;W3n%ST-KBXz$sow8DNMo>4>hkB#`M`slQ}pD4sFO9JFQ?dPWvo3a zqQf8L?NtT+ldvex*zjf|y4?beP{{u} z2lWY}GsZdZMm>TE0bqtNH|@cB4dW`h%W$L5l&CfcKfa*P+Cx9EwPnSOV(d!ba2|8x z5xZioeMn|>He+X`+8@NhHlz-sWOAg4P$q`mGQPCI&ZqK z@1Sa9ToZgw;6Q=H;~Vx+R1nyRyEYM12?DR)E4V#CYZ{`$Wd8r-jM+AoJ!e)pR1EG2 z@=nItu2It%+tIlZMR=umtqwj)H`M;8bx@|mVoO*zB{8VyST$IaM-4y7%mZdb9ZBWo z?HB_L*O!ZI=>vpw=_EGaK+CCNQkIcyD3H+G+P1%zJl>vw{s8arDTQv4e0lZ2|FsSW z(AGg2HiFh`aJtcj_erG9nRVPoLHLuh4i{}uspa$^9O`D6MLYZ5BL8w<1ZdocXd@qyv}oTT(ha0_dKwH5oiO` zrTh%wgiLdS!kx2fy}3o5%NraI5D!$Qu z-%hBRG*A?V9ugMor^)+pBEW~%wj_`)XZuv~MKV0O>89JQikRVX(Tt8x!lEGoKm_WI z{1bF^Dv`YsW=My6M{I+|k%}QnQ~1uSA-JNW>wPtc1`9>GY=R;(fJA-KaUqCCc^8bX zdn8~(M`O;Q1@en9+`)K5n7^2IG9S@#PbbZwC#ap!(Mbod-8c03xX&t*hc1bKR~`4; zTZC(w&(#-4k7AxW&(EX4-T~q+sUit$A2_Z`u^Ww!)13%_ho0=!@vz{pNi+f3aLMqI 
z&T-y}ifmPmi){`=D{Cd^v5nw^5*9PANED%oE`bi{^fnK`c5g`82hxW>b9Uhy>KBDwfU4G4LXOaWlMg3!4 zrEG2cw{J*)fl`No+>X5MbpqMly+%6U2>c6>0}l2y{eDcEdMz zwC2kTDqg21k-m$$X9j(;T@)311PLVRQpluu2l=$z$hYRZTiexknBYaWoJ)a+NPu(~4!bXd@! z+7M3m$dp!P!%M3SRM`o|h|*^kJ8uw8U^tqmiWiG~p5QMZ;3=3D4A#0JLDe$LkE0z@ zCyIL@Du8pCtXzmZdo)%5q}wpeNqpjlU;BlzaRxqtW4+`8Htkz-6A(owzD<8 zvfgw@02AdQ2XD%^F>H?dmyrN=>9zaCkL@~OBwC_!`JKY6oAvQQjFDN{jUU6*{|lC3 zBtJW;b5WkwB|ZK1jOWcuJZT=+t5Z3tkPS<2O@~sT6Rb=D5^JQ~W7mP{4^rZK2l@Um z1F`=C;eJw7c#O{}dR$Wv5%CcYfwo1x&QwXf=eXvIvY0v+w?VZHxxi-QK>E=O(De4x zZ}Hd@Og&oT-VyIc#+SJo&B2g7&}+EFLtLqFrT098tCR`%Axd|Q!7#t?pf_74O0DPA z@C^3`qwA{H%o4x#b20P4(P_cw6`Sz?ZzjWWnt;~`Q?&Y7N-S-vS zj6l6-`M;$UY?rBaK)`1j4)E3Tk1_L$&384B8wA)yR9l{ECLdJx6OldsQ)}M_a_sl6=1j_LB8776{u`($SX~ zb|=Zw@S|TX6*?2tuYqNjamF@~*yAFi6?G9IUD?#fF}@al5FdyRA<)!bM>uv?M6I9w zn%pJM%cP@wcSSB`L|`bUD>pe@xNHSoe1!%333`f%*@iJQ=z@jky%3%XM5AGc zz+{%ZwkK_{2dVRfC4AkDvB?!avFL<^qPQxIx0$7UsSfAa{Df(tR~Cdl1ccwu^dJN` zBrJ_3IEo4?JasSu=rL**g;(tswo&XClp2i2`JwIpG1X7A3ygBMi^XD;B9fR zh4skdtHH$@8(4e1_gb-D{na)vkq^i8uDxDHKX`3)6&SaWq|RipHV5~|dWvyX1qUqT z&xLU{>WPR&Kf;eDZ>0Z2ClN`34IMs%i=X!u{KoVe^u8Fl7m{AWyw{@}--VcyD)xbr z#MnR9MA7)l#M2!|Zs|c!P!ySO+PiVU!>)5lTXDRR#z2vc^n_bR_m`Nxqw6u31jjfl0jZGD7bY430B%8(jcs%h zX+!^l0S*;;iY3}oGx#n~&tTy+gpSjAlrGw%u3+TE3bHY8JHE?xzAAuf)m#okOh;lJ zA+dJgla@*nna3mS9|EMfdcWEO@s4d`&7$cjY#R6yQy-x|AvmV8a=`ZylJm^FZ=sN! 
zL6dN~sjcid=V5+?{b(tdT2ttoX;?=?hi!^2bq+7A-o!c zro4KD6hszI8t#t;0%D4%_qNRK-OtBq1-uDnY&vc8(64aqe=0T+Sm!$pjqNXjZiavV zU{YQzc$^3rgh!btC?Hypnx%-K)}-%zG!O~gkBk?np6%vlUjb4ipGJLvgKm0>R-OyH z?b;mMDWJgyAr4bEsy2R+c_dccagkiI*~F*Qj1E)=}etu7{o(>6lV zXcE6!K4fpT!V=>noJQE}Lxc!KjAOs+`?!wB4ADpKv5F7tKA{h)fIPT__Nho?QhnXZD#6DTS?!=P;j&lj_+#fNmOt>_>h(on zT!?w|y4SRVQJ5&Z0)TnIAQ^wUrV#nr86Cmez@c3Pha36C^V>y^1a6)0dVbS=TlHay zChpHZ+m6NJ%8h3Wgu@Ez_@49luk7t`n9$C*miDPaJ#UC?Ei(0*;XO`8K4IF#|Ht^?_ zpD^uo!}_dm*>bDHq~Ty9Yc~IM@xe&btRy%4lTfp%(AWQBOlgKfuj&>~(Llq>V-UST z$J!j$Jszj*%|i=Zqy<4ce3XI!Q~uO^OT$6RkIdW2UR=yt!(DUMQaH`q*hV;bjzZ8i zG*-^RQ|9m^;gV^Q-x**O3d1led-<_r%$o{3&)NXT3Ve)~OEy{%W+0=OoV9n*T&yIQ zsZf9}?1?I0qJ$B zua?oAZ=;J%lYh`d_sJto_ta_P)4XZ9L4Y2CKpznc*a>6BYym)$n^%f2hm|4BP@^8u z-0hDe@__Xuux2+p^v6BvRegMP8&(7!PMOT>cpg1IQ+-ZA@7^mynL?u>gJBZ2+Xm62 zj)D9ELpe&0D^=3$^2dffFD86;G1c?}0P)rRXJYtorqhFD;=-JRz$Gog7R=b~=$Q2V zY|lcWD%oE01Zhq#OVX?hc|wfMiwHvsVe~_U6{e7#KPdd{DY zfagAX!NAdkq&Z5BBlPQFf^J-5pgbI}1WO!`oa};#*?XLhJma^ z9$(WQsmGG7h)hPPAC)FKVTmAe4TeuOz2K@ZIkeUhQJ;GiAwQ1`s(rO?{P}Mm;YvC< z+ESmTX4RNySqHP(GrA;Q>*4z&sbAIZCz61IQ0GcFF|?Gke~|jY>9$$(qZ>MND5=OY z#ki8-G0aAZuHEP(N37NfqDDZ@h?&7(<%oTUZ-SX#kr?LSzIh1r%w~uQHOZZtK{{4U z>^EPhzv{be07-|ha|V}M0S$L%Jx|OqJ_Zpu6g5jZ2!>XAq>JDYYODuz13vMCNTFOf z4LX$c+8-W3Fk_PvU>YKQt6-pH1=Ag{?$mRZ-G|RO&eawBp>fiX^8@f6WH3kNhZ|6` z1hu;+SXV!q%R&KWOIA;KzZw5jpfn;;AVyV88_65?-{>+TDk46{vm0M?#-emgZ+b{@ zcpY9xyj@1HiX17xG;Ot$z6E+Yj|g&~O9`XLHukD?Xm^il=lWD?Zlpf;VDe1zAI}Xw zit`ECL?r}r!*>CJ!RBb_#5$ar_86|aOu(8EbU4Wey@uqg2wn=3GK_IOe7D~xq%=B4 z#di|QYiopz6P>tbON=UUh74~?gw#UbUL)ng^=osk&b~p2VuyrB^BAS@uRYKMWES}C z%~r5CAn@TpfNVI1;^zuS8$a?ew)(8KAmkTwmrYRyz$=s!C z0=CrAUWs$8A$(t6Ivlo~fwj!(8N>eWz{2@P-<)Ms#EjOB@X%rPB7IJ_+}Oe&Kx4daHK0j2qzdm{CaA<@N}$;om}rVze2xkBJeHQ> z??7jqO3e){q3;a?m`o+=0iVFvpi}hRjJqq?9WZq~-dU~8!CB*^bJlJ77)8bG26XH2 zqucS_IgkU3*#8Kwij7zH-~I=2HlW8t5ja~N1O73;?0`6nxSQV!3NM*q0l1?p_$b3= z`bLHYZz9Jg^h+N3Fgmn^kH)?sK{@wFhp7|rd=aA(%7oO5#+80e{>@2uw~2_m5hLyK 
z)y1Iz`(wLhPXZaaA}8uC`)NDWO+3TIrHa*uv^A|NTm${PrO<7t)5}uWT`mPfGw&R= zL@}4#;j;hE**(Fc-^EQ=grjJqgX-luGlazvgi~~w_T%I$nga!zxPNp-wlBW+O8xU}a`N&Y2JSB3T)9sS*sxXp)L+T46v5?^C zqV}z)ahoE7{cYxDs3xkQ0{_#fcEAT99q!`xK$;~JlY~LYps$6S7-Q8lu`ak7<3@~o zI&}xQ@A|&{UwyewBRyP%8JL@hAoW@1FfXNqpwh{r4r6SVdAv0-Aetkw#9!1ypowE$ z*vM9=V^B+vPa)|vrZ^dglcMm);oOF0VcV6Jm%25z)%6yyF67I|v z?iMq907P*|CcJ#qEy83wt0I*(D`&n26@K zY71fvnX0B@aDqbE*}u&Zl1d7sC$KMg9FJ{NZ2Sg9L+eq$XX!g!0eNZ##>8YDf<5&EC8%A)HX{sSIo5nM35kzDT z5KS*O3cepI8%A(icfI7^4V-K3K8z6=`ZLU2A{3nHYTFsX8;#)4BiHm4y>RvlsPF6gxgtZLdfEC*h4KP z^sk`{jxYZx{Hr>#1%n9wJi$08UG^1$QVOJp5WIE<3yY5@pi`eC zczNGF0UGXbty0=tP9FX`h-YOv%fk zQ?x#K5Vl|7AIZ;9%tHkkDdaK8DCev#sL?G4)~ZaOOu?lSc6|~+94(Z(;UPHarT8PC znV`1nN06kR8JzBZXCfXcHTfq1=a0AO4`^AI8K!8~ks#j$zR0ST;hYQ<&yU~wT2M}D zaDCbbA`9DkSQ5J?7m*A&4yW97kW7ZdC+2PkzGv*T4AerS_)m;0@X&u)Nr*tO{)?A@ zycqou!fF_fk(}@_ZLHo?qjY(Df9O;fRK@Bzyd5LNCBzvaDH1VZ*ONesR zikrz@T?VQfT?*UUZ%NOBwe-fKXnC_dR8bz+9*qjx&JlPax2(&OowqfP>-mAfolDtd z7+i$W!;1Tjp2qMjwX-dfzLVR>zA-$oS@=$U@-*Vdx~5!OTcKP$2`zDH0Ol6m_{P@8yOLVcF}QE zuxMbAu?ld9x-^y^H@{z!R5-*Vxh`^arOUA&Is~xt&Luo*|JezD<(|r;2F(8Y7DA zHosb$_F${U1+H`yde$ofJ5eJ7Q~2<)55y*~Sald|F3N|&Gl6r+Ndm?|qhsJMJ5(_1 zr}Cx_n9iaa-vnd1kargk=L(L(yOvjlgjctCCk z-kKdHhmuI>bh0)6$qp!CS7I1v^Uqp)q@Md6^|zL@9jtJWD$9c(4$S2M`DSp~ubcVl zKjkVXDe;(@jXnkwPnEPJ&X))DA3VVBU+@s}@aI6)avS(F4|H)YbBp z9szHVK}k3fQY9LBfpkAaEKraO$!qK2_TJ<~3#iV5Y|A(2I)tF^bD69JgQPnSZu~QX zL?bCxh#f?L>Z;s)$$N?~t9W!oUb-0BSJhe&`qL*ROmf&(#}O(XXf1a`Z^Tr;(Cf0 zWNMr&qy6A89IV})K0x8HinD>%7e_Xf{KU#DVEKtD1Eavg2ilhzjR}D3cPAouk3zR~ zoy?#%fjcinxIc|+uvciH>sRvBa zMCqm82nMfw+Kzt;#&4UZUNT`MyYwjvx$EshyMw2eDIH(oE&xgD)pf8HqU8AWbPVp9 zn_P+xqf+7E1#!;^^>VT;(p#LXYOhA--TF9{jX2Gc!W=FF&7}-sVKy*GLq7uO(l2t9 zXk8z9IhLpkK;q47DA+cI$_)P1M7F?d&23GC?C)4`0XPQ8P6oaJH9*S0-CLXcd`Kgy z5eu zp-?4S5=ghbjSYyDA|l~4sU}_A4}hr|v5$Neg7D3l0;^qkfFyk~>^7dAV5Goz_97}DTZHqdg4oOt zHfJS*y-rhRrrn%epwU;zuhT;KUDio6U6dD+v$OY$4m-y{@?t(A%Uh(oV-4*KQGs?# z(idN@IQAU|(K;W!^r0h+WtDkIt;r0ZjMnfCJbPoX9+6+mgleXAnoU`DKH-+hTo;Y; 
z=#lKY);7Q?b&8|+!|vZth|${&d1uD9ToTVKxu{JO)|9uj*r6UWE&MHj%=o1R;`o zPRx?ouikkDcQ2DW$Bk(4nUlAeIMC&BVNRGgh}=!RKdR1Zu%gF;Lhc?i9Jtq&2(0Di z#GA+oJ|HxT7X2S10Nv*#MD859WaZBZczUP}VGDgQzz7ZlQ#;Rp(HGCp@*0MwtRotM zQ*HBk7+C#^h^u1+5@vN*jsen~V=lC9o!)LsYSE@&xjB3b4F`_*CLL4wDO0*AOykV& z15#g*4*Q4BAFG}dQYSD!Fs9(uO?MsMnH7nJ1$ro{T(oEP@?=%_Y`*SQ5b#CZgV;*( z6hu>=q8C~RwCI!7L$#fdC^K5gjDu!LkY5h$B7Us02T1oy$U5t^VaKQ2DhC=w?Gspl z%^Q#y?ZYlyr$oGKuPQ4ASOI5F40Mnk??gk%n5YOjJ9CA0>_zoq_6;eX& z^WE*GU*(M>)rt(N%%{u>%kkEpFN7>tdr1zM5vuHvkP^y7hLK}C)pZO_pL@P_2}>Rp)DotfqpE!!KgRxHWkG#xwwt+B z?sV=zDgvj*Qv#hjOVau_k;V)1gx%`Hsh-Fon=G5FxqEdyApBGJIj3WwTWo>p=gaRq zIT=MOmQEYQe??$tH=6rIXQuE8%V@*tin5>`gWn+vWui-;(geEMe>%PurRsp~2ewuC z`dG=rl;PSk44+e9)ebc%`a>3)Sq)S_XB zi6oT$-XR`QnNon_5(rRgmK&OE*Ziq0wr6~)oG15b__x>Pk2md$DbAb>%hf6f+;)o#AcAKPv?4+V`^t^an8mOz9}~y>6|7 z1mIIvxCy~WlbEC#de9~!!}kGD>M@T4W|larV1YR&+kq`1Pa`R$rti$wH><=U<-p-Y)K;}jPLiIB zDiw5QC4@g_rr*Gm5NuVwXjtnYLFgI~tWwE2$Krei!Ji5@`Drqj)%IxsCFOFRdb6+3 zBn0tIT1Lp2lHk@uo(Q%(SpgCNYX=PV0EK;`*PosXDk>^p92=@35R4~F!u^!1$;+vo zR(%&gjVCUvoLv;-ZBh}PfW>ux%^7H!Y2Bsa$E@rCCt4wA(V*YU*X38>I+74aWa(H- z-Sb&}^=q@O=+dVv&}sxXg&AFR-;;ld<)8c1XxUd}-5Kq+lf!Y#Q>&tMLEJ(#4oJgJ z;-Rn-`Ekf-%>gja=Wg1>M130qI^0f$iJN+b zEol@`tkEq;`1mnGUw?^nYgTBE$!6LJTK1pS9B#Z7;>H_!_bZx+Bg>fr?`+s_pI*P| z4$A_Zh*&6dW==2k;vw~ZwGQf8qsaqLV<*>eN^&H=jG1&*6pC&@VxQ8(LrXd=c>;)PtQhm1!J}N8Sdl0?_wRCdhxb?f_+iH7!0-spa%n!%M%ltl@&y7 z3m_{`&Nm|M@E{dx?%#A|0onxweCQpH{`zEr&QgX=Vora`NN-pdkERa}R@Jbm9qwD` zB+pcO?iEc==%DfYR;(U0w9TZx8KwZx$?hV3dOBOXo(EDQe!l(5$2le2gAlLduZ>mM z`}gr1WtR5|mizUL8>{!Mig2|@O)O=j@9|4(vLy?gKhes2b;{i0YU`DVY)1M=q$t3> zc}k;1rq1?xuf@%knQ}Z;Ld@SNDucF|W^+XoDKaJ`F`dpk@U@dd=##C;fc-Y{JmZ86 zHR4|K&=Yp~5ix7B7tv74k3OKEEi*b+gIB;san^rezKYEoC@)C7OK|)gO|3M0CL+{s ztj?CbA!-cV@$(JX9PqrY`YhhiokJ*QE%EOG5rA2|6|%gehAha2)=(y^6x>JT$z{E=W-YN& zm`I??*YMH-b$c;SV~RLCJw$gxf6Bbg;sIH0*EHV+L>Tjo>-t(kYsBz!wpk$_vP=lK zPVoF1YrFD?12kVqM%0DJ30sz+@c`jOSQe zYBXa}? 
z!%IguXB*mFb#%yQ1pAWX`}=N_sFe6{UUz5r6-C{g8CI3j1GlAIluCn}-T0uR3mF$R zMP60z0VQ%4=E7hYbN&0RJy&8rm^ruKyko#`-{FOA7SA2oLM0U09@^HDsovoPpWaKmI>F%EJ9B2a`>k5GiUhsAC2csgFMu7F!HF*(9Be#Dz8Fw+JX4(t^z_~03kz{2v#m^rU4;8Vq`CaCe8;3 zH){(XrGScDM||7;#Bg-TZ{J&&x|oCY>wgtBsPCfq#wec{ISI~9Sgy=n=EnJ@Ggoid z(D$!hr{y!z#sMW|jL1&2MDrUqZxI85#~DbXM+p*ce9eerLjoD9$NtM{05zw0vyvWm zBIQbvin5SPdCC-dv7<6mlu~A!q^^?!sv%|aveB9~9_I0KOD&mJ?vfTy1D&vuiI<`# zhUsTGmpQ-yvRn%BzMd1wK)_I`N@kfANgjPOLZhQ_0AGwk(WzZ(Zlc{_`AHJ(=je0! z4~pM%X=MD5!Lv-Fuh}66Dtb<*t9`Q(C4sUHON?TsgY2;YW!lkiPI83l8#Zrw0bM;h zsGotd&u+z^vKZs*J6)6p0>=SkgJR+)v=7k$;nsv9hS_~Vz_I|?XXANH&czLmw=e-v zW|mb}Z0u*ueiMNGW^{=jt+x_WT_RltToVWXHZQad(8b&o*Qp#rlhkYfGou3v<>zB zkEpD!y1wNdOFt_ah{e*DtohG|sR3{HHeF$j_V{Uw5bX{NbVK}M!mV%}w8CW7ej?82 zpqMA+^+wLH96FpWkmnqEr3*Zb+iE=klAMH+40Kkyn0@Kh_}~*TXb9SqhKfKZ>~aGz zdE{Gd1-1is2hd@E-Y@Za2N_l?F{hr|`igw-lC@3MF#6BRKKADdb$;|yT=yFR4FuUh`mUOBPMn77=7$*G7Bc+Q)cZW&I;RcG#o|RxM&)<{-fr= zzjw;%*lqUi@ww$|gctgUD_gx@$K%?h6jLYPAw36Dmse_!oyl~%usX6xT~M@YP9#gS zcKDq`hXT<0XSz8wR3nycv~h~UERpA{@j$ZuT#v=7fG~MCq>6RDb6un+!Bm)kHKMw4 zr@%wuKGE~gRWgYyK04yPvSTx(Oqz?!=Z1BwH+xwk5gaIZo*Wmvx?qHzeOpffTvIZK zao3I97HqL#rk3EAZOOgxe{r-S7lLk996u77kpjLgk|AtHc^F za{?y^C`Q2TFNq60Dx)~?wP4W>EX9wmdoF7>*0ueU=TXZEG!z0&;HgmpL)$XLaflSO zO<=)sAu#=|lWqW*+BdI|8V%Hl6PR}uvOFbO8dV^`Hb~>sZ)X9y@i^5eH;UC4QE@7XSJ@CF8Wg>1SM;{NNopaUK@pKs}xq0XnU+6GAcW)YB69 zjTa`$PoS3a>MF=o2Yz~^Q6U<2yeo8P)DW`yR$&X3z%O%1QI^XquHe*ZOM&H(weEl+ zizPgGw`8{}*udh{l+7Xb!lOhl>mc!Tw*o$@jS$#wos{#Scuel92&3@t@ACUAvQMR& z7@0buEqZ!w&K>bg*wM_+BvhwHgcF;fXYA zGg8n_yaz-e3SIS*W-JM#&0r$E)W45$`|SXTk!w7?nwm4Z!=gABa8kpEB0HzBY+K}+ zNUHL7Akqx+T_#PgTPXd5~zC9?z1PiGAl0Xf=EWxo{H$w~>ZFZHE-85;(sqaQN zbYQMtbMzH2C6pEuzpXv-I4679jUsdn>-!-e#~uFcaz&i${1k|O0)i#!^|M(W$2Zwhe(xf~XxQp+WqtB?`xF4V65~K2+Jw)SD ziX=EYYsTP1I{iY_C&Kighbfxs2jNjJTqum}g;=+lF|)qDj%7W}t-tqXLB@ZO?z1pl zD8}>78K<^?T+%L4y_Lth!outs&S+MHA%MCqrI{xqlU}HGp7WKP$82|zdo%gDaG$W6 ztrM8Ey100V`bSk<5L?k&`7k2KQ_<&b8ncj|l;Kjo`dwPC75cV+UtXM?9|(jOQ11z{ z~MqGP{65dslpA5@0AB#I1AHUdRRAUs^A4W9c1Si 
z-PwCutF*)?h6a6rFGMuI9--)vu*4}bfh@GPS6Wem`6)Y@Oz zbD3dQlI(aXE0$B|HKB@L-BcNg39lMpyXiSFn`o-|$(6kXRY<0i0C93Gf+5RzZ9tyg5 zQ~6PxcLnrtry;QnRcwvtW+$e{!yl_PiqPX0%smt|O<6YpS+a}7xI=K1yJ2^14*CF^ zpDBfB(;JmTp%nwxXoF~X08Fi^tvz9K@?LxW_nG?3wI)RPyg#z-mv&EMp5if4GL%E{ z$Zo^Y;FXQD>fWauLnq^SR1bgf^8GQ`_Bgys9?tc^(p=4+xVH zx0-26v*oDi3ANbutiU0%*}}l3QcMATZNBL9!*QT$E@0lR3Jgghaug1-t+tVE6C&jR zNep}r8us;{cRN~EPh4XOwC6LRNqxlQK}s3yCb8Hi)3%Vcvc^JdBPi`5Dk6mu&r>LG zQ<$o5dC>4@UenC|ta!PR?C?)r?lxo4q0b1%K~6$+Bm}HkM7bzq;6T9?I0blCUodTk z`CXUzXnXomx)lV{>Pr?Wa~xW5G6@GpK*>1w_ppmW6k|M$sgCIpA-8v4Z(>R9 zDpc^DB^$frv z=9{py+`+_I*72w(YjF{!eiXKgd{P=0I#q#N1GNg~@fpkNdsRk>PcaCZgGP^Cq2$h# z-lP>5`m1_Kiq={!ZC6LWG@-FANLcyIJky;WzD&3?d2nnH89Eqf?Ieq;vZ`)xwJ~|B zqvNNgo!TmvEd`38)eDjSA~*Pv-!6(;<;vz@O!}MCI{S5aiiR|dT{RS)=A1^usFlmr z^ifcU!6duh2W>LN+1Tn)&Rj8I#X;OP0$>tkomIo^)R_=CLYo#%epI85z8QF7RyRD% zux$nCmqgEx_IF_hFz#5G0Bh-X_Z{+QcPi3eX=Ueybe1)VQE(qv#G%7)mP&g^gONthfDd3OP3t8|IH`>kkYyKUFa~VXlG1( z%vcoZMV-twuryT+gMXPSApJq{GbPnZ70Ya_E6m9No8fcOgXZMwLDj4|G5{)6q6$k` zF{BI=C14_cf^fuX4NDaw)RGcToDZ32=o@6E&4moRrIUM3eC{tif1px-SmIyE^Hy-^ zDNq&%il&Lnz;5bh3}- z`u>DSHBykz6sneoh%|0^;-6y>KGTa2^L7jj{pFQ%i06;B6-`$gT3H4Z4}!qRpR0G` z;;{a+Km*OcoO?BboZo-k5p-AFO@VpbAy+c1qtI6BlC^+fW2L#tXkVFOiaImdt%U!+ zA5p+Kodh{`IEb<1qvx26GhxI~A+#MZNVw&t8^0$hlx$Dj$c;+3T!D0Dn@0F;M#i9xb}wO#IZgqEOrlNICW9EZ9Ias4ca)4?w-n1~CUNdG&1v-?cu} zY-*pKe{yW$Dr85N;j)H~Y(ohw}F zD8wG*I+ox?91Io8vx7YN1PLZ+(Ea2{8xA-*T#3BLk)nXIY%dSGPX*rI(QrG*s+~-zK#K{W zEej-%>8~a_=T@RQBL%dr`j~@fIRXd85F+9hOUaym$@_Kx<(P)b2Cq+@qdpcu9EW^X zS*Dyk4o{P~k42wSYn%|Y7yNLAjyK^g_TMCjqjgJg;!P z#Pef+dH8Qf-6Lolk`k{<%r-++#fV=_B4k=s@QcHY1iLt!X^GI|2n|^GU-ul2B+lp8z~uE z652^qS;*=zCTNJD8jII7y%ys(jy2H|gktJipY^6l_`gvQXa6j6+w3=KF zKmtYRVky9YcD!DlaWle_FsOLWv=^R;0!y@^pZZBioAkjgN@v(AZ)G-;YUO8#H?zte zJNh|6ZZ3<$MTQEtMgs#G$Xc)HR$Ztt;bj@FY-0+CAOeO69#*j7GQosN*XYMz&+v!Q zF?$KBlo~@3mjRUOaRta$cr1juz)GF!7S~7E;>`_WI=$2;rn4J3bOYWrnVf0gpbV$; zaB=3o1B{rPz9dE-);#lij#D-<5;VX7xf(7n+;gr_BwPbJ(w#_WC}j&(3<$bp1{3{; 
z^F=%jpsm2QnlYj`go}qm`64Qi6RObJcju@6ez-|q8J0HjmAopwIen5LZ~qk5b*q%G zV!T8or%h5apBM8As}h4;$l!yrsNc-~hcy@_K$Hgt^JmK%3~dFx6O{5I_oXnzMBh$n zaN4B20tm57Dh%{!woC{AKzxLHPakuX2CtS;e%8UE*IOih<}C}nN7>8)I$a4=;huy@*M@(A(t(qpQ^p}mtXMWsI%{JUa6TeUdfLb5M=yzc`s zbrOtWA=xEj7`F`qnKhc#DT=c4U(oqq5ML3YhZ!?{ zrqAiAQgzV0mjN94jPWP3b|6ZfYM76udICGxmNnoO3WRb-lkm<*{K|PV_v&u=g(F~I z076)|`#*ggjHfVwBEXS#4Ej5oPsUoxHbe}|B!@E#sFN%|;%Wia%8V?^OK93Y5ez+4 zJyh0|*m z=F~sc*lTbJ=!MAB-K2K^Et1$=YyC%x`?mfhZO5Oq^szQ-F>>&}?w7q;PBr{Yy+aN+ zW=7+PCk_PbF+zE!YMCXAN*E&T;Jmysu)EO-shYVXrH96Ptkh~3pBdQ z?rS`r52tNy1w9#L1S^||LRwGHp#uwqd=yER0k5meL$|SSj2F+dGMyq~#$vHUeX=fV z7LDxaW|i?`3G!BsW3lhvnuo~bodGymPaE2o;;+h4+FqgF4auUFq>B!-G5g&_AMq0oQeDp!qf;Q%wNL{#;uU%T&0b=mlbJGzduW+hloDvg%(mG#XI?vBl znY=e#y$02RHuIULLy}J-U$jP0Dkcs%-HG)BC+Q_X&!pWv)wvZ;=N9P_Un3yyT*-qV zbUSH{m_LyL{9P@T848xjrRJkFXN9wbXUku=`DEckng{ro$APghT7mYFYsGmqc%IU# zdxk(tny+g0kRJ^?tafssd+!_D1f1qzcuY%A2G)<1r%FVu4X(IbEw{JzJOkq`Tpv%* z{kyCs$G!;fBe$Ao>e8P|L_py+;Xu7U*X7A{>8RaPbmw`a7+t*z=TjeXKWurzjp1gq z-Uw9fmM!@EaKJ(6Cs>PJjZk@Og?Q{sgGY>%Q_rc>2st0<1(O~OB*Ad@@V@h!!*Y-R zsu-!U2X}ei6}-bdtQCdSk$)%Ro;zB|JD`+_7-*We%gHKVhJ<^1DqSDsYhqA9 zOJd=)Tqk403isHcqCAWI0A+8D8-nl7C}zM97Q>|>5&k8#yc6GP6W&)cwWH47%4V++@ucl$I$`RBI@6LvTBAIc+t|V`5ev z$?Z(XNqrblZdp;g#J(L-HKx%Is!N5be=1(Lg^Q)dwXp^4^6O_T%f%sD) zbNPPF)-msRCD0$&W6a34VD>_59U#Qys@F~72M7d zN&BLtv?kM9zI*B~xA{^$dwQ?8`hj#MscQ&&hkSm6dNI7D37yFbtKlKK07U*cH}GK} zu&(~6?@2nNt?;ql=2ldv9=ggxhJ#4Y;mf{+)vv$8;bpzMUUKs*|2`4-;+-}A(PEn2Dq@x;th6gszpZTZQ-bpUszltJi+;)d9M33!+N)`rNf zREdVvmgm^1+=@E8;az`dQB9|VzWuqGTihmY?*~{$XXu;y2DR{jQ$Y*nh8hmKUPY(J z>nP#Aqk?2OLpRFimT|sU1k+WY#Wx_OWc7+@y(RdN1qM#@%fa`A5ZzkQN4RnUp4Pv` zwVv)Q3KBARYLqE$h~2zs)~A7Ush!wR{c@Q0A8_^$hvNIcB#uU$+X-xpl@nkS+g(<$ zm03CarTDRp>?ALj;ZEo{JBw)|w3$ik(Nu_ev3cqLg}b_p#IF*VpVt8yRwB%1@>pTeLhA@=U=zy4E* z_xCFdVi14{ZctdKHOc9WjH4_eCAInC5CYv1b{@>y@FfyEnFnb?!bXXS=tiRhu+DQ= zF}?p^5xdR6y#ZhUu&ZPt)fT;zR1a)JP9bmD7x2oFzjgrr#H@JP2VMJ*y(_=mEo;zZ z$JSTJ%H%+yYky+yQwS<<*Tp##4@jug#tjQO%7tsD;vSz35rck)z=Cp# 
zO(Hc+9J0L?Vn^|y97pUqSF(>@oGyUK1&lQ1l}DF%G2J-isn*({CM3e_8x2K@U^K7@_X(R3Cmy+S4UW)Y9E z6TUh&d0_CVRqvwbZCy`1G~>HQ5lV%;y>$BBBJ^|6D3=4e0F(1~R!}@<_bvb3=$oq* zpYh70J`@`)EjovNdpvQ0j;m&Ocf!(Wvkqfd*=1$|+K(JvyyLeGa?V6ACgfn(C`Fka zkqG7+EkI>6+p@Lqx$28SS6}$q*0A@00ySG;IC(+*2TiE&96$D8;^!4%@OfZ`;<1x! ziIs_o<+5$(^d0~}nMzoNP{`nZ!fM#0=KkjTsM{qZ_itdgLOu<0rh_Lv-?3FdLJMi< zSXvOLv^3{jvTqOgmjs<>J*&Csu#pk6i{J*_-;Y+R`j~fmF6D zSGhhEr6~Du6NZ}C3m`oqPM!a4`YB5zjtZkOI_|QvY-sTLkSh{O8!Qi7k zWCq1_8z}?}UDOd&rFo9MP8_}AC6tuNGMlYBn|_|M77Y?A+bDx4XkUd52x6V6l`HCj zd?n5nX`9Duw!Bnm8Sh4Y?9?pXCwMv7xaP<=NzJ>qZV@(*fY>0m5;(_Ms{F-oTdEW_%N@U$~iYEida#WcM7zMU*S(|Qnyz9^Sq zoEsoZV%ZFBGUF4;U`8F_=D@;H{KixrZWJww?5hL-IwxeN!ijb=RRCZF$u2>LELBD6 zfs~A)I+o(IrJ|`=Afm(7HINj98}W7@mnmXr{5o93=#>;rCTnAx4evFsqU0nS6hBGL zrdQl*hJQyRK7rCUR$CK`7bjH6W-^|Gu6l9=QQpMeJE9pB7r$sUh1<-<6H4$>84%#j zt3_#J(ZX1Zigp2Y;9&QV`Iu9SFI4tPC*l)gW+~QMh_s`eJ{LKO-`#pAV??qBnB8SW z?lGo%i#({;BwBm+Es)h$VEjF29rQIGN#e*pKN)&SXDliJ9wE&ns)lGSQWJs$e>V|F zGL}8{HRB`zW-y&;v2>R!ZWZanuy1$&hEz-r$+3-P)Cgn^s5J|hiObVn7ip0A07N%< zP@6?Og*~N5o7Y8@2fvW`5iRg+C5A1{sYb|P8b zk8&yNPhk{JGbj8Wy>>7pMIb=>2GT>)XDH2QaNNEx$a_vCV4^Qm0$`yo9Wzo(;@|5| zLn#KrBOf!H=#Fwgya)ltcX{OoarB{!ZaRW=|XW?-Jx!yS->GTHSXxhXpGH55f(rx~k*kuy^! 
zq*Vt%$rA<~Ij1{x6K%&%HRJ-$-s`y}nZHZF#}P0&CPsdAc~ak)Ryl>5PV2dqw4X%# z-}fZFs=wHzy^dLDZQOfVkFA;S3=Zs!3M#H)K}{7hI=nZBb@^QV5>!|UuQ+6D0h$Oa zpcy-m2t0G(%BG7$*o4d0gnRekQj@B+A_#Y}eTjM&w;sj0qZB3?THqJDJxu>w3rp|# zrSWFkCBR(i54%OVU17i1Q?06{)5F!yb>E&H&9UTFOB<}jRNGKHQ>Ypzl!+Qm`PQt{nowx;^eC$R=ZU~p>W+tgn31fV611N8T*&3PWRIG%ivE&~sf^NK*x^=c zmFgJN18J;77S%sukrA}Rkl;EX*!_OgLYQ=lq57XgIM65epXYYG+$)=bM>+M&qA2dY zJ;Uqw$#&$TGHBy%Kh?V=Cq%6z96N|C=krcFB#P}ZU#NqDe5_&zrNo%xo!93fL3g=| zTU)514KP7D$&h|zv^*{(2GVv4KkoP9M+BSoJGWi0-S4KCxHD3qjRaE%oe`1jL?BYD zz6?J^+FvO#R2vwWK9LpZ6uUjuWrIH#guEbb`YbSSL7=BZMN8tbVMnu4Iy{Zp*rj9j zG)7XXtpmu%P@sn>kAkT!DhBuV4`g)MVmd= zda6kGG>?shbU?O_dS>cHnOd=rAQu&OM)KpyF!CaoqbTFcmE;CY0);VpzG@v=#n1Ym zWFE=Y)rYn_KM0!;o=u#Ze-yo)c86CYKSz6+-~$Qw1!`)q6m%+BbSAo{`p$^rzJ7W= zBs#h@Jy28v=Sp)hAq4#>J|6EAvzk1+CD;5J0rvT}Q!31+2TebwTF2Ew9<&lILIAtt zOM2Q2wuDeI?dsQD2#3q)*N3*?HP)~0OMK9VR*Chqr%g*RZm?%f&>cQ_@G8Cr8ha7A zsFx!J49S7xxugt;1uMg&Q$^OBn3q5WwL@=SE&(7v{HNst)>y^;v-NL`df|^s8M*7e zAjU=Imk_bXav@JM)P5%Qv?iW{GOX=avdH&}ikpp-gLDh1jr!CLM!oSs0C6;=8XmyJ zNx{ikc%v@fp(R6beV2x_R!Se?yv%>}93KBqI3jEis+5iFIL>!qM+tH=4Jk zd=7}x`54wyF~DOnBkUujg*w({Ly`>$>gE(i>>{rCg)Sp0XgaQa)79 z^JXV5eoIOG4QyTdK|wOhTI{#`A8j)QwVqpD<6#uuIY#C%1}YkEQncF^w8~dyBZ*%a zwc>#4HF1`hHI$$U1^BO@a{sCq%qe;RriAY_{2Cng zP4kvmbZU}IlteOuS>>4$8ruzVzC%eCw7BVLVmF6@ewHvr_tEF|f-VK^lFE*A2CM)0qsx###H&VRU}MhW z7S18?i>Sm5vl~v^#cAI=>=BB1AfsB#Jx^Fn=1qdUpNwK2Am} zZ}u%6H&qeb{wP@@Zgq>J=H$*%Q;!LaUWN0-Ei&8Z>o=u1No^10VNb>)UwE$7_|?oR zrY@;8zvj(0EpYitU}u)MyXL!7JaR<@~Rw;#T*W zFFp=C96^$f-FTQXn#XVGpMG7w5j|aXqiT!^Ce(-=T`~vqi`7_+RV+JBL`4P_cyPw1 zB~{9@8@hiS2BP8Uog^auDD$^BcL@kt2bLv1VH>)Kp$^@Eoyy8w^3zT30hf-*L)mk_low_`BWcT_S2)+?qls0?XUT~ew2EZ!M^|dS$c{6Wj?D<#7At+ zkGwZbtnDmhVUgo^f@zP|poAb??c#cv{bB)&4!RuO&ctYIp`iv&Zo~J`g zoXo$8DQHY$Mw775QLFLIfjypanVDq5L_7tS?`cGJB+F6d&aJPPz^`L10K}QT&MYw= z3I_=w9v(veAIl#!T5Ckp0ka9j*x>;-=T%!EHa-Nkfr=dSSEq={L-Aq$c76&|R|;45 zjsV%ogfDk;9zRWKrSSx#9zufgz-oS=CfQlq8L!QMjcpKeb>Sfz=Nnyb>z!} zo{tkljOOsM7O%muI9M8BmAL-e-GF=&e)Jto&=2Ae0(Oa}517p`W?L 
zU9M#!34qlq1`))@k3Bk70T%JWi0SS=j5!*hA4_+&?O(y3ub zD&7-O@Rl84Qn_WOKgHak>{xLf(GIan0yGIV4};ryFoqpZFW`Jq(!GG%GJzGXL+;hx z{#ZqH1SJOtgfPD3AgI57 z#L$kWtf>5m61u~-2HME%S#*JIL4wp*{jf`AB}Tdhtk!y>*vVCXr_y+?a-HMX}z=QdOX|JLhPY8`L#<$bQKk%=d*3;G>(CP9m+v_5m8A-`a54_8s_$%BSYjs&o08Zga5v zi#z*|R;i6MV^=cK2^|y2%M-pl@30mE_k?9@op}E!(e}MA4S}_2h3ifzl^ZLY?t$;q zmD@0^-Z#Y8#>J-#sAYNxeVk1g_nJXPF8$XEhr22RzJJe4bMK(f0mg%~Vq= zQ8Q{8)hQh zC(*8a9ZtdyJD5tF;EWr`g!-#oywcur`uQ%sffDB_)1_bUP=TJM z`O;D{0W;wY!cHid!^mcJ51gQhFlL_+pcN2N$yNj5-Nu(q``)ykE+B(D!%t6nx60Wx zZgS7uYJcfNo53M~mmB&(h)545q^wly+~LH8xrr+;V+PL#Z_taJ2idl7`^yprnc)!` zNm;x|E>&b=^~oq@!m1aC(L0#8Vl);UYQG>1C7=UiR_8#qU^vc(j= z`_GI_j~?J=g}Tw_xkgIOS9G{&UCOyo&yoP}3WA`3ZI;^1PiXE>V|qZ%hSa9vm8lz6 zf-r&&m>CnCS`e%sI#IzRYW%*L-D}kyp`q437QRuTvP3Mk^@+Gx&8&CL0R_mG9^iVE z5T}|dONo3`g`xQ^mT2$Hcd!^VOoO_nWECM%f!O)I1ehHk_|yuXKO(F1bl8Q`5gs32 z$PKjH(+9l>XDPJ8A_DgV2d#Fh+=HYt4pV|6TIg?i42;}ay#XW&30yX!DC zG#00W{SGt@%gWk2i^Xa1p8(`#Fev+AOPGvZ-{mex*VqvSaSu?7dOlx@)3SKf8Zn_8 z*PQFTjx3BtiEX>jLbM`FRNi?=L__Vou3e@hcc+yza5rkVenK8xruwB1zzJm_&;V0F ztiMff$@dyqDf_sL3K&4XvtN?#PENc#dcL`8+P0eIWYM{End+|N$vSL84}|7ZA@w}! 
zN_6T)#8!HT(GqAyz zSh$3GO@rAuQIqBF>0BqQrrYR!JLkF$Csx8+v$)Rqz8D{^Q{0Cuu+NErZWm@>O}44Y z)|*J#&~*T#3K;jT4Iw5&Y;B_e#?KNPUDtilA{^<)NG8`RH_k=<(~;{}fM2cUe!F3-=s~|2@m9dfu$=EiP^;nse<20h<`@BM^*^8NVPh zFi&dXPxLT|O`l7-JR^%)LQ;tc0Pi`IeZN$WiQe@{3m6Cx*UuT9h*HmF+#tpi1cGo< zl6qF4Er(MAS`YTBh9}|(BORKZL+wlMW9}ZwWLZDIE>Fyd$^ad{9lbz0A=kSRx0t6> zoY9|Ylmwv{7`pHqTOnTvLINxY&c)Y3u_ihpr$Z0pc=AJE{wxUIF&9(Bq5%I0o5_4O z$JjD0G~c*DJhktT}2rop^wL%OBZ!#j5gY7k*@3wHvl5&?&g+2;T=qs^S;R|8cGnVC<9xsvENEowaARgCXhkIHl6v<8Pg z7QqUj&dbUu=Hl7l7fNt6|2Xg|jqL4%xa&9VDa|OM3$X&q`p+;I1L;>eaKJWBeZ)ss z^tEbOvbb=|Qf2&Y|$58SnQ4oypYxF!xP zwm-#%>lWkqg{&9a+_+4QoJjBiLpx9nDp<16 zqtpv^cXdI^BmUP1glPscc^lRNd%V2Y(#=f?qet zsq|IcAbN21LtAEf>W9>1hs7DZQaD$c$OL9fiK{#Iu3!&FrBQ52FwDjJCqh9;{)CK% znS3Zj<-_zkoQL2cDw}_!{;Y$cJi9%?{MugYr{EPd0#2R8AeF}_@mVVmuh@wQ$OKDcdDhzpR>r4KJ&+>rVm{J;OQxp)a&18DU)+V*x zuL>EjpCCK_Kr)k!mGtCwZ6?P1$BhgF1++?t`Im$D$dPKt1{|(vN6{d7<~vXehF9CO z+kB7~gnJN47RD$94+%DIKMw=kdk?(>X3$(ujB37v4It#YCsS+08MphPUrRyj6x2MG zH|SqSjvYqT>#|R2FoIDSX$fAC_yMg%za5A?(<@TO`XeZfTv*F$PAfM{)8ZAPv2MD^2r)pijkd)I}Fz# za@kYK0X!3$1ei-?Uo7d~Z?7?qvmx&`>*C*J+Q6!hkWhhe@OaRGtDjW_ag_9Ub6s6` zItdf_YoildPfu{NvIV(u5~lJs-Mn7WER~%%N_x~DRo|Vtzl*8hnON>x++uUAFm?i-*29dSVhuZf?dW7AV8YBYA1_?98R zMo$2^Sh2bW_=K1=A_CG(K6^VY!qKZTuXJ!S>14Fy7rbn;H<@!s$9yq@ih06jl5uVK zyP+H;xd&+QXbR^fg#c-;L!68zUeEZT0L82S9W=DMwa3oFN?jbxifi;DV5ULeF7eKP zqg)K4yk#oXfeEY^iCXWfjmuZ2t2BB=wVGp z*kf1BFG$aQAL}My8$QR>K2c1?t=#B}(MMindb3>Y{11-NoL>0_6Sforfg+vcxyfTO z0KdwdepT4I2@qz-*KDhioKVU`chVQcjcT#DNX0HcPl{r}hsQS*ds!^eerSmJNSKMp z&N`$OgrNaz$(`J^`~Di`H&uPnX0of)s9 z#}!uSzEzKa^o?Nl5Y!+nH&f3r?xtAE5U&9hrq2MdT$WNQq(L1GJP5w``A&hn^;*dT zzZ~4$A_{}A%(;er|?y+N5Tzg=kPx?Qvgaa5t|!78C5)OIk&$ZH{cRSs%KY< zDP#S8;hv1zY&GMdfDO6Dx@*uBIF_XrERGRB4Hd5fvawkhuJn!;!^1W5yQJua!ZQ+J zzM{y1P!J@*9AnRNM_rjmw6GN#WzC~xtS$upP)uFe(adqPar5el_XTYUV#1b%Zo^?m zGhEehv;z?QX8+RJ7df#8h({%D(v1(V3YhXiAYyb8;!y5Sz)18-a;fQhs5NJxfTBJe z0n#Gh@kBk2r*LipY>TFZNs*ST!lesr7f``cZS4LimsZnl_4&}a!T23t3x2je;O^x) 
zBdaKpq^G=4_$5ld3My6Gpi(H*?$oA*R7_Q5fO30DpD7z5#+Wy2Q9(AEfD#uDcJ7%tqcxE7#|@~_4i z-X^70BSl?dY0@rKt#coNB||;&(HLa~lY+BN1`VS~7nbTsA)s~tx%CkBW(}EpCvVWp z7lFB_?dR|I%7=%XS5{w~h2bfh=WSm1t0B7vAhWH)13i|W%w|25gBK4DDl&QQ5(-@a z(_Pbsb8kzFESH^hBWW4mp>u<*9{M$W+}tjlyQQDg&?F8TaJS*9(+n3tr?ZEJinzd4 zu{!m9sn>ff2j~ME#?%_R&H{t&plL+@ofkw7D3(7qbV)Mjur7eWD=~vz_8P75jHBRv zM7LvNjC!Rua$U}Ei}Q%br^FB&Q=lI6Oi&$-OFI1Vl*|XSg7I3Z?d7e7sK5;#qox)R zNgE5>HY|oOPUa?;;!D3tVRrLo}kb600(f2+w5QXu?m{oye5D$Ax2jESH3C zxR2gXkF12{ghnz4Z+PSC_2&s*lcf_SML1d^aqQ~9$v%PXw3pGMkO%mue6NIYGk8X_ zm5JEb6d&gnMVW?!EB|j;&>l(JN+(<+8+ibT4UBP%(JTt*0sts4@hmb@0gL9t8{Fn8 zkeWb1xW=>qBHUx0h2Im53^gC6DYhUV-Efn1ziNscjnnPED|^TypGU}_1x8~^2oFc1 zAQAF0$Nb_vGBkG!=akD0wM@#Q25CKEdtZx&%HpME`J2T@`W-XzV}11qqd=7%-k#`sIg_8kJF;xlhUYUo)q*aHOXkM%cN ztc;FvKDQq1;8>?xda)8~eP)Qwo>X;x3_ZTANP+`2cmZL&)DHi>37~M7 zIF{_bS@=^vNE+ zQqyfvL>3|6S$w5=z_?8$dvLVeF)ltyi=Ks14@!p+xF?`7A+u8g1O-u~Xdr?3yldS* z^ZBBvbht1Dr@5@$JXp1sa(N3hOL%wYvybJUylbKlCrxe$Qi0@z)64HC$*vkd$;mC2 zP<0Lj9_btTKAlYf_{mY7CpKz$WTnTf0R(T{oy{)_v|6jm1JR6vuevdm0&XYJ{9z*E zn+JDmXv6_?U_S(~hasvr!4jKY@?+=Nu5Qylt?(D^l}-j0H&(eT>b>|FvPRd$M00|1hbh018u);Ic(O zMX+t)+)xlyZRv)m|7XiM!T^}|w9Dm_o#ZyX$Cy>P;3KzMq4ySeDw4p9NLu+bQ`*12 zH~m0?I&eQm2?uC?frQtQhce~pDQ$6?x*&+K|ad&|#4TngwTiS9}J6-1)Tp&FME)QyWuM{}j& zqYWu=o_O-4$e-C6OBsF||TCCAfhOBw0%JhA!49Ve@2zDIpXGd>y?7u(9WRsWbxf zPGUD<&{^}BcP!>{$fiUh_3fho$#uCRH-|}NfBpv(`i+@)O0emV3h99^*E&j+a8)b< zTg*eV4~#DteWjD_n~8xooNqNszZ~FOo{W1`@*My-W#Z|#PEH>{W7eoRLm-F^OiYWBXa#%~1KwaO0Q0)r-$SYU zKFSMyhmeK+4PVV{H0GRh1?OQ^$Rm)HXCbAN zK8Vb_%tHYteSLn&M2t%^Lg$;H1OWBIA5Ne&fBIi!BKTIl7WZz+@~c1)f33#299G(|wnBFht_A^ygPO@hNR!caz$wU( zPhb@qs+~j#B~s5u>6?Q>t`9r9C`U%RWsLd@48qMukq-JMyYQu%_z_7mh*mM-jmphL z?DDdVFOs4Wika3p;v-lxKBRhEKmN}&nxZ`D$Z(^{D2&n`V<1R|ih+kCi?~@govN1n zH&fTX>X>pm!V7;~+oZz(Baf1i7H4w}3R7u(Iu$oMN_u2ODjZ+1aw?idy`;qWWlh!& zW-SRRCgUWWy{(Ll!iad*h+LG6pz30W8yU$sjSoPwRj|>%apQAp2+s~<8X`y|;)R!v z91i3CS4trC#Hichnjv<3Qpq+LPJXVKLe9iN|6ZupcAhGUU$9>0|K}-zIkc<@0YMnV 
zLJ-Cz+b1#6ae$v^diWIIvBD!@k>b+u$ruQ{L>yu)367EvvqyXIbRwRA<|>C}HIgw1 z4U3L(Oob5A*2=Xo?|1^^>B0h2x})nE@416>eOzXGu9Di@lYh9?qvZ@ z#-#3b2uIGL@YIpfPgd8e;7#W6LHFO#^fhzP8p7;+8u(+bBkB#r6vG)qnIFLHbnyqD za&77ZSv)1nd||jxkW}utWc7+`43N)@P5!6@B~{4IH70IiVZ7CVcA2c^h@4W24d(Fa zX%{mDfETb%?aloJyeL}1Ff&XY1iZZk{uRWa4?hqPGV2VKA5cTr??I78x)45yKICDunQ_kPz?y2^8k)lN==O)@13nWGe46jLT%Bpx8(WCdZF#Tn{X8opMQ zuSkFfhn_$v1aR*->=Qk6p$NDTwSs!WmAb4}a)n24U*k$38XAWRh7-)xGj$*+i1g&} zbydkom?}t6Fv>_V93-6+BgxO9G+ws%%xQ7N*?f83^6DPynha3u^SDXz>4MOfC5NmF5-*qd28-ApALitQ2~Sz|IZAJ^njJ|c)=Qk*JSVXfPHmEuT=(pf#b!B z1*Qui3Q76_uhjix)y(hBJL;($qbCzoitZJynf7#ynSg8cjqT+hZ-Apt@ewPg@=h;i zAM+2;9V}SA4+9`YN4qK2hJ^T0~8}G1VzIQ<>0xEL-*g3T4BdyL@XVHJIVBiF*^h zlFS&ni8KnGCf4J+Xqz`r?DnA^7e4ZfaLLg*gpEDBFpk--Z{xv7NPTi&e{zYD2hnr7 z^2a{s6ORDVI{B{}h*rxHJWOhz)UjjE?mQ47tti#rjYNI@3Z{xeXwQr@r;N|Zz~l)O z5^)-UfvXgWWW6fxF8U7h z40Uz(?Uy+wi?qG1rB%N`U{p5(fCD`eiVU&f$3KttN>5x|OPLA$K)o!kBf~h=sdj-!n866(vVhniAx6)Pd)7vFb}C{;T^T)OczKVN=P32^jU-PQ00i7 zuBlHWAym|4X<-~iT?dNdxD@3CgoR*A=_Lu?FiMzy4j*M#@1z2f79&j5VP@L|&=OP>oTf@MkxJ;@+Hg95`x;RjR>h0DH}n(#sUa^+i%K(+*dK=Z)aQci~sjb{u&zhu?Hj&?-A z%wIr6z?ur>=FF)7^aw^F)YIJeo#xk5*I9cbJ0DOBs1sCwX;x>^ob09+py z5wr(-+>oaZ~+XHGXoYdWRCB_Ul#Z%5(In`JKa zD08SFO>t^2#qLKt+1PPG#SP|X0PDnsA_ZuN-CQwkttr9ZQj!nidQZ^E%_k+c3@>S) za#PQzK{>Dh)Hw5IL{F44Gr~XntSdbAgPs{e8KN(%$m_-3+Tt8ps~ogFP)389A&a4m zt2(R9-6LD!YDjd}1VGhXLb!L0tGqB`nS1VUOBZE!ByVdvJtr>%KnN`67&6c94S#ZZ z))}-yR?XQBzVh{pE#jXmHA_78n-fo%oY!p#oafDXoeAnF+)+bC9=b;K8BtB4DJf}E z7)X(lM$6HBbeJ!IM!am*758RSHI)-qS7cJwI>BE2bBTa2D#J^^ad)l-0Y5_dw}qzI zn2EyC*|v@@20m7}5sfB>NmCC@X zIcws;%TVIfl-J(G6miH+oXb`K6|N{U`(ye?I{8Pnk8}CSFyAWW?V~|eBnn5c5(pQS z2X=*eC20i^OA4naXy$RGu zFPKrc%snW>s~z`UtAbyY_*e+nUo_YE6Gz!ViR@wv9R1s1PCA_(iX@ihj@^Vte|+pz_k9 zuH|V=F1^|HqUJEntbx<=x?Z=ThC~HmOUty-^DBslL2_PSb)UcT2VF%i5EF?+Xm{R zpqj4j`dHI;o%r{OZ8=3?&RB@$g}8G%b$!exO^;OBQ?k(*J=gO%VcW$N5h8nH)B%Q` z-D3y+q*Vu;&nw-&~# z;xE>>7Xt6=X4W>&V+(;-vsKM_CR&&&Smf)A#5PZsEM)=s3}8aFqKgyWnljshKNseL 
z(%VmBb*k#>ukuRsf;4a3Uki`g(b`zz>eVKDE1z|dj>47=Q1Ar@smySqqGo(vl^}XP zbs9;kp3l`dwrF?DBSb{Q)rbrSk}`xjkO9n^vKA9gQgW2HaG48Okw*nshPo=AG68>! z7pNR<3;@VBvxamr-Z-^xrRmlp$q=RP!Vt;|9Y^jDQyY#&B=qBX!xN~;bO4hk+8|8E zfEqTcnwS$>WT0Ydi1`{o2oww!U3kIk)CV4buR*PlL*7r~crxijjCRWM=5!=WH;JDK z3n&DjuhCy&i3Q{z$;9&MXuKR;oIVUJlTBEOK$q_=5@sqDh&7{%Ut>wgu;ngbK3(_B zvX=#O^qd)CTlqi=O_vGRg;2fCt>8@JI3O?9p&l>dhoUO9pTrgHQ9R5LK`Y{y+0XDU znq=B4@uRRsFNJ#^sP*hn6KDcb|K?594(p~WL)>kXtEA(4PC|Jn+|DzILUpc0$q9kj77@cQH(@5QPZ^}_I%f=hJ!lq`xia<5)MM_n z{`hA=LvJ{PKmssZdX(FmCalO1I@43nQFFJ)q2wp&dKP6eHwr%-P{JC=8^#H3K!s(V z+zJ?S)9SIXOzrdYW)nAnjs3;FlklL3cNmgh%S@T*caj(W#)C5O@u*nafb0>`x3kkz zK49#d=ja)-V~S@>y=){Nr9mpHSav&6JyOm5GJGaA3e|h8emNI9_kP|qMvpnQY^JYi zv@b+mb(QptDB&Pp%=(mSSbfsp zJ>NE4XALnkks?32tS~e4b^;yqgl;Rd;Do!}V#c$!83S-jt2q)gUZn}a=gF$6l7gGO z6M@*#6*vU{t(|!Kvo1!-P8|)AZTP&@hI?HZjVj+Az{EnahP0}%ylMYf>u8LZE5&T9 z+=CLI&k^I$5#i9sT22+rS~?gL#uN;$IYl=^dJ3o6+9dp!rK_}3ut;Yh1;RtQZ9XVV zMb^3rGoeiOR)zdaR_|;{*vOAMPXn;|XJ)DDF)fItuHg`yr9jr!CiD|osw(Z0p4TYa z^WzRP+WCa_mfz*}<6K;Be~tvC3Oq6aKBk<#WX(1BxemZYVWlvggYWglfhG+XvWx}n zS>TOH)~-tn+jZt#mII?aGlPjdQadD&PTe*SKpN1e^DCGYKQwl&deziCgpM3Ds{iOY z?UX0Wc)SmJnL)9p##~_?`P)dzA$$~$23?vri>5~s&M0BQpWNc3by1%0h-%&G{jDZ* z3-4H);iJeDDdLptwvfpzeoUIL|0AlGC)=i~i!Zl6h4ZF8Y6hND6kL|!!aiM=RKZ3} z0$$WaNh2qXmX2#DC!aHL_k^eHrtH9~g%B#`H*e(vWxWGVcui+|!9oyvIe`UnbQI~6 zKHv~EUpL#Lu6~Zz%@!-rxx9vu0Xk4d{ej4CVT+g@RlZK(OxEXSt7Mk*)@-svjyiZ6 zj$BpL+vUe^t5X-IQ`jR5xJ+mJ#=+N;Z^%k;@RgLd%vAQ44K1Yh$QMdIutifnlBonm zBSqwOjJh&Qu|*%E0~cu3b0uM2-i@-LJDpfsXM_*CRO+0h;$I2Hp9!4h#{ve8Of6lP zBJ08ob^dHE;(pBX2HfrWUR(4&c=&diQY~Ct&~s*UKXUcRGvV*#^VLW#ordQ1o(D2@ zRG>4b&sQdEGq?~NY10HmA&5gFsUSJt`yYb29UJ5iJCow(x-(+0!;dOrzZ?8ZeIxcm zSgwygrIi6_yJ4^%ty9uRC}HWUsh(GPYq-GHsgjem7wkE6&*c>P=pjK4yM^NvN*}W* zc<=#%%RzGHej*E3Urwy&wb>hPn(zS=fwP3^!WaDD_=55rsv~6klP>No=|F*lBZ}G` zqwfT#2=ZsqOM{1@%#{jLI_#b#_?$rx5-I-Mzze6x>w(yAZLrNdG+mkA{sD6e{nDLV zn_C_eg_{KauOm{6t)Sw~A4}L{9sYaEj@YTwGVED0qG>;D&4#W&nVJ<8EQ8VfynEX) 
za&r!;vKauW^%CFMeK9l}eL!1|7-lN`YOdF`9Ts#O5koHJFZ7Z5XmOyr6pu6;lk*xI z8W}ns=so%qA|fb^W{%glkJ%%aRc_o&0c&bU5cqveJUqf`Svf`~pURqY zQ2X|3;IdGgh5&NTf4*oea0y69pwFJbFJIQ&jZ=6XAgDi5BD4Sy0*CBUOcCUQST(x{ zPe_AxVIDKRT^wDWmlawD;Kw>ykW2>i`E*Zu0gz59kZ(O9-Pqs3S17@oN`$~N9ldJg zUb)jn0boX-V+gh$G$h{((fZ_c;2awMoas;Kaj~ecGPjuiu08+=PjB=6WvU_e3~Wy) z63LN3hBNlL42X+K_OyK1k<$dN*<1{JIr9B2qg>ofD2<#C%71qO@} zJ}5xWA7gI!dK;zmKVFCMllO}L0p3cn*reuoS^}eA&$P&_Bu{Eq7676 zbJ2|$h7bxvTcCf3=lNh1880RD|4cR)u=r~1- zPT6`}AzO?C+*q6!X|34IAeG+&7mpS9G~dh1 z8YN9%&gDvi@Am;<%>**zj1xCQe)8>U{0RB?TV)6Ts-Zf~o3{7!_`tiEt!(|K5!t2x zVH%T87T4bHLj?+c%)ZAFL`i9kaCz`&aD@mrCzvpp`_!ih)Xlj!1o9;3Ka`3-o)PS}5V@9xm618F=J&+TcUk=*M zHI!=r8=m;o5$I+3$S4@4ueXAb8LX&&UiF(=pE^}BLJRjE4)I}fIJ}@%;pfo_1obfy zL;g=ol3?QedP~O(6{d~KXLg!y78(ByHMj3j^JjC=bZ?B36u%1guVlcmpC2WcEDsT2 zY=fMdwG4ls^$RC3ouf~c&m#nKo`4JgT5FF|&aj2~JNkHZ!U*C4`bj%TnhH{Pe0~P} z04^oc^yp{F(f9#N(&QD5>jIaW2;8-`TD`;bt>y|uGoB#8C+;IljN$9gB)Q~~kKR%O z;$j*Fm<-ZkmfXugyFWuEF1{D*74e7FZZe8Z=Xp{`nwZ235t)b%8A3`yvWZ}TiTNV} zSgp!|FJCRtq@)$;IrL6?yTS%$3C8(;Vr^8x=w%wbEGgKtJa{g`HtCrtM{ z6k?(vn<$)UJp6TNx08;tZR;z~G?*e(_H@Effn$cM0+9^AwXeO_D*Uegn4)-gkKu_B zY{35+l*69Z5rZ#C52O2VnZw|3W+o zM&0NG$$CUS`ZrFfCA|e=AeBg@`h9~~n#&U#NFKCnCY6cE{N{%|w*bWGN{yG&_Y%BH zz4m?YOZFJnb1-D&s+`D)yj^xR@>nDPw1ia#ptW3V89uoz)@MxdKaB@3u>P{m-HK|y z=JOvVyRNr<9I_xJaRW-3yQB4rxN zw~J%Evv6J5OKhGw;5s5%wm>EeE2KbJWKbY6L2fU=M+2r-N|N-0OrywMTh-gW9)=+j zi2x?~W(S1Ff6gl8QxB@C63}zDnvL3ZjFQd#@Tq>|U9eWDPlqb<-Abg=cnk5(Mob{Q zw3!rS@Q!>Yk^oPTp;bAJNJPr4ulP7gl{>A$PlqB)z-8$TgCLlnewwTpg!g0-1Gvun zoSMTY5qZSlgKd-9&TApBaNL6|Tn|J#2DaOH0(mUJD zc{lZpM(;eCD#LQo{Ej}2b2P2|HEJRatGQbC{=iY=!irho1I;yxu9#B#v(KbG9q^Bm1rGM(V)aL6Tn(hQx zJXyLb@YJ6ZE~<9)P9*&HXAx;1iwOQA06Oi-@bc--KG0jrMvwMR(mT)Fjx&`fcZBbK z3%q%-YvdU6hbI0WIC3A)Q*Wq3Z}Ytbg8-|BZcFeC52B0%)Znk=s;XBC6qo)vPXG7s z>Ik~tlD`TsnQzp}b`vVv=jO$|_o|kv=zYNnVqT>1ZNLtHZh45ec^kdcU?7Q}=6!eN%>=xPl2-<>>!RJ_U1y{lfRuL9bGfUlv zHQnLC>B~sz@z9D?`YJ{K^f(rXXAj~+`NIwbKR)x9{hP^;5Z2@*Y}EDYc^<((t|^WpfPMN9y4001DkF|Y8Gi`IdwAfHa60T*-V<;{op(cYR|I5WwLYPM= 
zW`bbm$mH6Dg*F_&$M&a5{LLd+tzOJJIJKG9^)l0#b!;^8>NWsJ&{G^MnqWg?a$8ID za;I+Un3bzrWooJ6c+|jMoRU0`X0qTSZ|lf0tOKxyoD7vru4T3p=f&&g2UmCSsNI9G zoSN#?ef2`4=7ddL3&}-djGxb<$p1X9a`nb8?drk$d}=1vXnc3H5h?83*{skn*qD0A z=*dB8ae7l&*xXYT$G`@j>xan`gs0}yj3*;cU7pxH1%jfXaK4-mD@R+nCC>Mr6`h{A zH58G#okH_Hlls#2d-3lG53sr`WTU{qn72lzjl!2O0}S~7;SNId={_Wo4fnce4Z3}J z|I8Bzgo6@rfIaa4T?7n2ikP7U@9f>{~7r;lDaX=haBhV}qX8<_?FNTw!deH!;;q7!g& z7ZRjk(mvny({Ot3omz+h1#M4)0Z2GJX1*$O+k~&ySH$alVU^64FH4DV+obf)SH~wr z(oYhIz@>dUEu2=m)O9xh`Sa-~JATY;Afe42^ZF63$RrekO>(y7a`2#k=yXIx z(z7K|dM~{Z>7W~X&6E*X`wr4SFRApFIOb^hVX}I3|3o2jv|nP6z%o89)f{u0vcl$w zZv5eXlm4kou7FViCjYEvN#;Wr>B%AV(NjN@8D*f}ffk>@Z0M0?L!qZa20b2oKdX;0 z6v&Wa?E?%aD5MR1G0f;>t1v>ZY@RuU@cKtPVY+{=BKg3x#|!;+e8psP)y*_$jjWGZ zsHl`32ifb|12I4qS7Ww zA7AfhMMGkr?VL^<&%_L3Um);SKmT#uqXW|TRPPmPDH})|h!F#}B(uAC6S=R|Sd@QgnvVY+izSU>ww8gwMR69i%1-kkSPN2s>xHcx1?LsEV zC0&!o7mcu|l1XEY#vB@c$)yWOyoOZ`Y7W0QQg1c@O2T>)s5K&P;h-UltO1jQuq-j- z3Q>^}SGy&0XEmX1RIm@2TUsQPJ7c5Hk6Nj97gZ$wWx1Sr!4TLg-Wa))VpV<&LIfVe z`WioQX}06|^az-++l0~ft1Kd@F9O>XWsjmqG(y*uy6)A_zr51vc3^I21iFk6k_(t? 
zn~&@5`P62b5+ltU9ljsfw+&DwRH66^<#KG`H=EWfwMNyd?Z>3BY1R+0)h4yi539UN zMcPN*7Q5RDkW7N-*vQ|UlGhEAqsLFsoC?uG133e)wZlsFYB8qf+yjeKk4eoUK5A2` z|M8J+9mAgM9DSs06}KZKH+IDM0nklEpV{XKwk5W;CFOkNrlTO}4>=q%Q>#K#3xAPx zTw;!eyhnhvP+ioN=5rs6bS2vt1V4_A!Qwfdg_q2683veJ zyy|s~f!$Mnw+XU-@G+(v50d0z%b`f3){_UClFBtH999{c$>qS@ebNcJjv;iyJp%jb z6nX^A{;Z=9oXEpR@(ZHdG{uZ4&e&yOuz0nUPgagfrGCdEh)uI%wjPxKe2&l2w&o4y zHeDwNljY1)ak5=bw`d}-G;-S*-PaU$r&f`9^wmc^n+F2?moN>#>E=%bGRs#7e0vJ< z$OR6`3I*-XjPedRDRAb6GkM#qaKlD6D3#%3$hFz}~@bMP)GK%r_MMd@W^cJOJ3;1}8<~x+YY#FrjE!sq4`Ur2M z$^&F?(WC*awjDmw+4RaK5n=L^s9<5oU@tpX$$Zv1&&DAQ7~TnvawG^h48JnqKHCLp z!}o*?q)4EU2|rgrCi3LyLeI5cm{q8w5=>3)1X6xl?^8cHTgZWV;1h9-bx(_;czIzI z1u9#1USs2oi-ZGK1yy(n7q0<>0>e5?TkG`=8CVPFE_X;+l&_ew&c|&DSdRjG5v-H6 z1O;d@N_la-ewW9a7gv0JTf47=g|w*WoZVB&uVIU`n@s5qzv}w=CCfUODpO(H)JS0U z;<#IH+1E99yXV32pNn_JD$Cj|mJSW?5|-7n?bocajKyDr(?B1F3qaV?7LK)&0{{XLlIqJ14vG!&bnF4BwYWY%7mNc&+vsbFX!)kGF+>l#*E6*Nq!D zcff7_LySXUt&GHVlepjmjYzoOdway&goH~GBD|VWmxApGAgmSE$KSbUBeV2o-j+jfm>YjC%f|+n}+iUX<;@ZISn_r~7UdKffkZ#rq_k5W{g8&*ay!a=`l8+SlR7JqA z#e_y7U#0s5klV6J8#aFnO9VCF1{}+AE@Z^#W7&O46m!+D=|ydV=hmeYyC%giSWCYU z>DS74FQT#Q@=1p-ehh&dExFUXAUnzXG_))RJw^5{h)jBk7RE^SQr&=gBH>Vxz%HXm zJwRY8Z!pFhB*=sz=}VyVM9i7o?h4v-BSC%IkzNjmUKjc6=X(oekM zDJcH^Byw*-O5JCc*c_TphkdM}Lz;~L-fi)6IA^`(j=<#-Za^^seia9G*60g;KqFy$ zA8PPVu$LYpPJFWr5$H2yx7(eUMiA@J+WHLi!b`u~J+IliSaENfi5_<8iz7iS!Jt-c z%1cmkt4Zl=XH5Z#cXe|Pw;ZxE2xY-cy)!7i1E#cn&%0VSb|}`X7*HUO%GOmDv=Zsh zKV_6Jmm-WawMrGgSt)(fy+EJrjtpb-$O~h za+dww3tsRjcV1w3jvp_SO`^go?V8~ws?z5|QEft)fWl|$&K882&H_2U)t`PQJDF0} zYar!cO25bY1z+qikXO10g3tqyzxhWVyUk*HCk0Rn=zy584GeXnH@+^NT0w`Inqj9j zXfW12ua!d7R{>miX-y>x9UYV2(eOToxErg?{SE7#mS&b|4`6FR zTL)R{11KN6#+&ruo>xSe%W+(js--2KkAnL*T0MU>CNV-v%-N{@id}^1|Eqnf9>S*21 zcQBEh1&9EDewC{`BL7;XAx}pg6wfWol%?s)wnTA5L05)|Jf-S`_(nfjyF82T#k$S$ z53wI&0EkdS9F#K?1)#{&9WfO7wcby5EMkO+xoy&uAtjoyHk#(ij#YHWV)3Wj9w34k zBIw9XRpg;(D)+;xn@nIaD`WzTw$Pohkq%ab!0lv0gpZwYk!1u2*zupNI7qi?W8W~F zOgwB9W9fuzaxKEcxkQ98f~>hJ$1*pC+#;bR-T`R=#e70Zz-2|koG<}<^z?DEOWi** 
zICtKvGC0gLSD8DhOb4tUDj0muHRL#+LV*@u0-pNcY*Y7-EDp2&)G{|-7g-jEX*Nf7 z=^>+CcyQKr+Xqb-U8h%eP=hdB3@#LPp?-%(zeZmw@p(-@`M#D8{kGq12d{zdvyE9H zrW1hs0WY-?%^SnX!C(_ShwucmFPt2!mpkJClQoI;+$L+oYydq#!oOB1bLSl%IH1#y z!iT8vcc3aMA)F{zT^&V%MMy4M*QwFhi1ny}r=EO3g{&nQ2wpm8V|1QSMICH!2xbuz z2D0{xb{8OPl}DV!+pv-aEknAzx-G|-@C7gw-^Gs#x>ST%A~FGBSo}K37&1(*-$mBT zm*JVQFLC~%IB}gd9O{(O>-UOw^mrsZ^m|eLf<19}sLa}YEh(h6QrRg$`){fSZ39d= zAds;_mXh!{AGtCZBM1mQVQ!5mPG7~|`zrnrlK2)<$)Rf4;5PlT4^2?3Bes5D-;a-F z#E)NRLzp|ffC$AQo2Z@)Lx@&mSU^~QI9>+{19qh|+CgUm)s|z{Ht<}-AzvZy^1Ke$ zqvQyp$x*b7s7tQAzi+K{zyziHcQmw_c z#aIAO@b&_DGDIDbvN!6Ane>RRUx{1*o^HoS$Ytg0&Q~9^)yyB2G4aXSuODz{^G97a9}~E=m3cx5$ZC03;dW*?PXBacS`j3+Y0muQQc5G3f7ccks>yj;$8BRR-<< z=navXOJO{j1FS~@21nU`>UBa^dv$H-s^0@;6C2<7bycyO1;~TxaXb^o2lo!F49k!B z)1hL03FVJOaBn3(UT<`3UKRuq%(Fxg*HVes>1RQ3VP0aO>;?5EMC;b}EX#3du0GRp zC`0{K6H^uUc3r|zF=F-6EK^vuDsWd#>gS2B&IkAM)OHA;?ABodR=l&Iv!c%sHYDUT zP~eV6#JRDsrO06UD2OGd?H@P`Qg~IE;fR$L8;7HUQL;=^W-LAxt;MxHKf_%ktBMiK z!v$l%H2r+AGahp9F@GG0=|TJ?Qvq9WDQwlAv9C!QZ4s)`Og>{*m*wNgIq z;jXEv>9w`$Ma}Qv4Aq^h%cM0=rYjox^%KG%`_!>64i~3^@746TK5FNDwDf>CvvDd? 
z2furas{Gwm z3csk~&RWU`WZz?_JE4wX10f(*VOrox>^bGOGx{c`@gsHIh*4*J3<$usq=f)mo7?fz zd2z`~I4e|EH3NKEr6OD}85wS5v}QLWgJb3<-ymDaR*A66in_l9gaxR$gxsXTC6M&_ zp2DDNZN{-&+V17aS1^zBM%uoul^;yQy<3Ar3vz}9M8t`wkBrVJyi3P&vRkaA<{@xJ z8g_D0*YdeeZj$f9zf6z&(ulcuLzHS?PQoJ(o=jW>5RBHKjm_wV+rE8zixM~;jEn?d zvhavSepOU>Jj>Fa8oyL_L{n(uvTbbE*`(8aB5r6)|!7C2!&K>8l1Gm#xyupv$1!90F@ zasE{4be&^bS1Xg2bKh3AcCeubLUu1|ZpU}TW=xKwf|UBhYexRyrwg>AN_v#f%9n-; z6{I!}zBm!WO{zF$--kY~zOcS7Yy#ywtlDbu6XJ75{(=5nxEW?m6?TPz zJPi6G;32c&=5Rczgzm}ixsAf_u8-N0?;s$4nAVKE;HEHQg^vn7UwmTd!J#LMqMz&H zvyMT#W7n(I%WJtzxA#wiKHoo6Tx@_+h6d=t9RUDwtvIpD*4j7k2%G4UTA?5gPiI` z%>|L6^$6)UFKV7s0f$OD*a9U4ZoQ>a2_5{?BWAZ;if{@9qz+!%*Ie#BJ?faE`D?nj zU4?(>OQ6E5GFH>#bZnEz0WM&}IlkmHm0_=30OIi5;r4acS%f`?u#yf2a_~h9Cp_2> zx%@yNs7SbOaFCn7B_&&OTP^S<5Yz~!BfzqOfktOzEI6f-G#hCU1EUcXijp)qutGw5 z29`c%sr`_22>G@)|@7Bk*=iV1w zg!FY^aEkQ{m6e&rgc8GwYe@#r+9WX*Jp2q3I1`i4aTu>E^%fuI2QY(}rHITz9Wt3H zMkw*}3+Yd?E;iexpGUZ=fRS##Sv~QH9N}|)JRU4G_S>>mbQ#t@qOhy$=wlUQ`l~FU zT_lYbtJJVTLpFYM>TW9|>ZvLC>QxM_qbrHm{O|C}+$p{iN6+C4^4u{ACfWZ0u1QtF zQ$K-#*HY~f;Rm|k63|%z|981JnHDaaCvo-_c|=ZIO1euQvj(8_gZxawQ49OeI3@{z zk9J~Y&DTp1pVl|4B|M}E+`GZscD!wF&u1cI-4Cgy2m&}`+)sc zf6USgrFU)*3bTqLw-h7*Omp-R)$6*JpyQ9h7C89^S4@_oPeDH8#c21qaks!{5_0u& z)YMHTpeM_b_2RfhDE>ye8WRW0HL6B_)7i?3zW_!~wtq6YMZ(Q(Lq8-Oh^IMeXRIte_$Im;y0^@Ykc_LR2i%1TpFCtA=n3v2bsr zSE>vb1FXU`!>?93Qy5S`o424<(V>wWBWEg~e4%TTO=bAjUsYBR5#&F$=8vR6zQfFp!>NH0u*d+aq-*k~x3o`sOV>z2`FyKL@2F9D>DYyYH^3F+ieihe z#6Jv`#6v}50Az?PidPg$Vnt`;-v`ItbaWj{FOw9=DJpXNUNwwqPrp7ot0Z*&sez@L zL_dRPBQbRb!fJfJTrzP%h9DxgC9AKc>qn2|h}VqV-7f#g27l_tH_{<@`WNc6Tsa zilTv2X(*m=LqW3gm$>4r*F9LT-Oc*LTiaFWW9VD`kTxB0jh*$Vf-xqV$vzqtcv}#? 
z!`y0aEhaTseyD;3X@O*ZIR+VHnqzvv1OQVCCcVnUK?B5j+t~7%52q zuVeX-GZeRZSErzSHs4VewY~)fiQiwn3K(Pnb_XvcT&1!PR_ZSTFrGvP%Y0Dql|Ba^!AO?Q|raRrKR} zarc_&3?_Mt$H}dXcRS7+8)#6aftUt#92_~o?cl`mQ7CUHG=#4{#;D!2tJkXSwylAk z9~=<3PuI9)={!8;e5W1#_`6^y$uTMa51tgOF~pk(VtSF2QX`@4(XKaXWRI4SfCg0n zSNe3eH~s+x?(3Lyh;&w@Yog{}O=)y`plwLMUiYIZAB`$GL-6JF=e24Afm?=?ZfjSz zpva7_i&SI_IG8b?IF%fALkhx$Z!fTd$;Oc-s_N05?hdGY>llx?+q#CzZSn~hev^05 z40q%cjZY^&qH&6o>%pA@B~+605dSr6gq6hpI*fUS>MqKm$%5nM1@ zRXQA8KJ1U?p)lc=iUTM%|L?#z3#dw!tVshKoo0m#Spbq#VpJ%XNT)+yPGEDcV1^I_ z3U7Z)?E~)pgLE%fmMe+E3^-9{f*(C&R7U}fXYAg3rliPtSq1f+?yGhWnMS=CA2OQ> zy^H*UdW?@A2qP)QdBWT<5WW?F4qCJvO>mO0Nx02aC~)`_&KmB{R`al5v*2dIjRinC zv=q9d-KqYQ?tTGCO{8vvz3K?mbVo6m4aFL)<%P=<+zFeh;lMT~O9MY)EM$xYQ5B%1 zO2RuWe}j5rh|)xK1oi?Xg#)u4Zz3N81ZSkGGDojkU?J~b!^LSH4?h* zklSbyx**Kv%?Z>Z;hQg98eCvK4P)3C*J!$1NX}X(kA+p^UCjXC>2I)bHY+r=g_l|F zb;vqWXbP++0Qh~}2lp0FjgeS}qDwjX4Hk(_mMQl_Hk5C6Jm{HTFdAE?^tIA>SkV}* z3bI>jER@TN7RHc3En>Gi@f8IG>RDW{nzE8$dEsz_>7z}UzthS>2FWBdi&h-qP~`V` zmL3N9QFCm2SfvlI9AN3=kW4$y8>BOZ;TU!GRN^hhe0-qtWI+yqjRv`h)!qequ;one z=$WQ5xeefd9XIjtm@+Czn=(Ln84i+~v^ia!M<@8qs(I3jfT&u;S7>H!P{jLeS{#9cs5_=PReS@e)tERc#ub=4b|GX~^L0)}=_i?-qY2BJVIozOaYXIbPPEA(tWZ7&WR8jTQ~x#F}PD z66snIf+3E8X|T*APCY+4Ks){>*F~Iu!9A(88l&L}n3l zs2xTNW}GQkG=ZWF%?1C#UJpJSMPcLa2!`_d?-Gx*klG`z%%Zs;n_9NAorxB(Ee_EX2FpXL1{=&em&{B-k22S^a7+!{C2?9&PjA*MqsTx(d_T7QyUXCXseNCBz7 z3q=y*)j4qIq2>~BR8tFqUW>QDRaPJhq^oY$gR3NJR9*EHVRY9;lGA63try?OhqKK6 zLFz~)%9u{acukO*<~6^|2vSI0q#r{;JVQDIk6dhQYVKWLHVK>-PBvMDtqHYG913NA zna*0gMQX8u5%;B-lGT>Ef|%Fzo!J9^1apepkXzwljLBtWrX_rL2u~R7R2(FCJQ4jq zSum!%b%n*vTBnFCy*xo^k1ll~>4&%06dXNK=v4d1;8~# z-~nxhvc{w&(Q{R?6eDG*43GlGelF1Nx@b|ibc$*7gh90eanrMXi1@(X$rk4VyHR!x z*`$`$80bIta&x+z{-+P81%;t>{a^O&JBxuVyJfg6W=iZTV?Rgw+ddEciHABSFA7NwyeMQ#7T% z3BFun_m-gYxwd>H><2%#7KFJOY?FzPjd{3^68GqxO`zT@%7yr0zdWCqL+h4O=?$^b zhm72N@+RV)L+3LnF$`xb%z%O}KGBp7BLra`{X|`M#Rn7357n#GnVNDXd_b2wEU;>7 zXsXG?jd>D7(H>QiXW>ufNq8Sl@`s8K=!zFH=g3W16&()exQrO~P&T=|Tsrlr<&`7F 
zHY)e6w`nRAo%IG2O+}d@D&)yD7~b!K?3?%+xah!e^Ie?zKTPCDLF~~3VMgEDU$sy+ zr(GV!7>YtKq996K5$LCZ@MDh!ehSvWOYcnCC=C2&8rzF6`r;VBr?!=-fM35l@00000000mG00BSTEBYs=A^bt`Pvb9szfoC!nwvU#WC+OJ z>}nnuxB8jOY>303o!Z1~B|tSG`btbw40McOqMErU*XE~kZcM0rr<=B@YPP+eNvaCq z5U5q`X^3`decjgfb)vHafcYSjJ4<7HGb{E^J|wWqJq?7#_@UY7kV8w9Ao7?zGaL!M z5F-hew=P{KoP8ND3ykfapMPpA!G5lm-BiW5j{+N6CYqwwm%&sR5$t5bs*5gpGFh!R z+8ux!9?K6-CVpRgj-fyoLk2_7sCR6KR$^)JtTn?iEg;ghTy+-H@8oW#%?Jb6487UK^R4G;v2kcF3(Y zrrUH}Xt5r@7&lDTMy5XY&?|J`a$>KS*jNU|D#=c9{8B=b`GeqR<=0B((fgd}l|vK= z9B_Wsn}||@R$=bxjm?I6Gi6!oVX~lCV4hYlXOc|QmFXh7A>b;qwodO-btg(WFerAW zihd|3OF0>LJDZLNJD{%;;Anl(?RNsMC#&4s!}GwsX_FqSTbpdEt2N=dx1l&4%3 z2d1mD^FUxwE>PBAw#%gl&efAK#<^;>Ge!r!zXM&Mhvh|7#2x5r$nWQ~3p#nPF?XWZ zcLg2JNG7n1!?q1R**pktWCX@(2w%-KGAHbmA6d#DV-ViOaY3#$ZKB^OMa706V@9fo z0g4=2lBI{Mvkr1}W-o{I%{o=6b)U$yP;#z${0$F_>K{sEUD0Q>Om<4CF|FYoP$UKz zB#gw}!NQ3*40$4i&XojtEZ#bgEe9b|LLG4w3PAp3Dm;1nu?f09??g|sb8RQ+w_;jb0;MfK2m#nLEN6XEOM@lntXE$i8p;soZX{*t2oFUJ5*N@$%Djj+f3>y&U#8(fK%KXko50L-2r;EJmJVBLJ(2h5pL2j|d@VJ2#sui@TRRga1h zGI@fdNakc~bwWT(Tnt`i$fn*Wb}Zg?r-XSsdAJvYgXMYEQU0MAS?{npHD#wt8?cW> zXAlk#y}U@pFf)}wv!;%4w2R_=KWYe9vp6s)nQX1sjN7@Q*m{z$RG9%i<6z1T0Ln%{ zaqGe#LrM{X=-iv)a|nvW)#q7hC1=VY_@L&j#11s}Z6Dwhk_vf-C3K|1fT;r{#fIJ0 zmbnyyFT23X*Q%-%|EK_XU92D=)Ae!;u;M7AiC1yp930>hXHrEm5gfO$E zJH$*$xaJ2P3Qp;g)z%&U_A_ZK_P#>KC>{+C!@V*I3nOD4WOc{K1>ox-(mF+2BsRZx zJkAE;3CQg)U*y+sBljD~MUVmPR$W55U6OI~WwoXSM(*{Rh~9E$5bRJWna7AN@8>1E zo1zewhC}7o?nlo4*13Kq$T6XH_DuZ_Tv`_Pt$k9uNgT#g1Y!0P*}^#s=Y|U!7m2?o zJv*4j>vRj9oC5V$JygU_TRLYWo~a~02wobMD>dDLjbx1ms#&5Y3?rHQ^ zYsJs+#uCRcX)CTBaEk^4New-Pvo*gyUA!o+N4x4;Q?~YcL^nlEE~diesSSw`kg2kE zJs}<*@vbcF9tVUdAwBn`X7^+-+M+PZv&5)V=m_j1-<``iugYgKR>*}A_at#Ab)yCZ zvE~uFNLmHC!i{>-Vz)qzJ061bhk}QYgh{<+1Qw@OJktk~HZ$^24Y>C#18RW@GNywF z>;w_FHvfQM-X-2$r4v5>l!3Jr4A;k0Wx_r#?@@MJE;;AC;!8AHb{;c$;HN6&I0!>` z7js0E`+y)u3c6r4*;jNtuL6N|XeHf^)j>ak_DLM93gCfd+SYL&Xs$M)1`j0iu7 zew>~ic#3ZWRBA|~w6-jU)p{nxmo&nG^>&Jyj+sv9p8~swIGwft z;F2)L&5^WXiO453_~pBmF)A&O%UVJU8)qg6lL>B|s^|Ik2TeK<*nIqPu`J~at(73t 
zOFG9mkQ!?&aa?zzP7w2WyM&0CPU6CAcbT54bR?A$1A**U(Q;fZ7%a-N3Pvob z$>sY9E$}Bcf0KQ=iu3!z4q6O(6n!Q3!;y2$sCC%=hyL}FE1d^;O#}=*V*1Ou(JXYZ zE?Y4Ne4`VRBM#q*7?8`#Z2;yuAwfrLKirm9uu@E30s%%p$IG=>@xXS{C=&ESe7Uh} z1I>NvRnbca17#JGqS5tn8j4HTLA&8t5RM)3R~g)HE+i2+aYqGFw3gV<_&G8)Idog- z7+2`msg^^9@7L86411W;Lqy;0u<=)7YA5WQoMi!L6YR-nN$!L2?8Km^8<3MA6d9t*ovKxh`ay|luSnUl zG2!7~YObvIjN7oSJ6BSqupKNupZ3Bxvm}K5D&Gv~E|kF&br34^+;I&(Rj{CdHi1RE zm`|b!AN=4h%;)ke?dUfM@a4eRhcc%(u7+Z;3T_Qi4UV^tdP23XLfFVe@NT{fDeB(? z!jDj94&;dWM!LPT7O{+jYipX1#|1PSKiMz!LLVjaB#jx~oh7wkwXQnRGOK;+KUHT{ zzwb~+a*6$|`WsTYf6la*tlD0mmkg)8lR0Qq-P^#_h`-0Hp z=Pjetf^ z{=nkqB^$M%O~&!aYX}PY^u0mZn`a7(D3FyBg)Tx2vx=D=SFUSPMG0Ci3M>lNT^Q!= zw{m%@Mn%C}Ikz4hufLPx$*`-J>h%l4Qx8D?5@xUbOUj;x!i@*{I(wMB)%m*R)6VN; zuTgsE(mzXUgI=sQ2f-NDsTW0P1j-~pH3{450{P3N3^kn5-JpBc^mD8?X@&?>foIZ- z&_(5DolFBuPSrN&W8kIkxcmIZW>V|5&e^~REnN}jz_6>$UmQwN0!5j(WRqk8M8zun7llt(+^uY1aFq->>Qaes6p;-XJ!X~_^ zg1}I3a&ar!+lVq5Q8Y5ASP>MOxK9#!T0hR-gv5w(7V;>wbMJan(p~0wQk+6*rXoei zWaD{|Q?fw!#}TSngA@<}sO)_l40kWK3bWgAu>D+wOjCfh>mW&IfCA2A4EsMb;fmr%OJdqYgO+_)qC;dBUYH@6DdLLJ9ME8KeVhAnV8GNfSX8hVHWAq-^c6 zM?wlBJW$RlpCZw77qt+0Azs`#Q{RTA+IDV*lmqGr6vkDNEToI(tHfL~jfSd>EgMCd zpXu1GDBZ(ca|L3>DYTQw7(Zm|y2NDyr$r#t`9S7?BuPLlz{6HTj#GgAmH%2fOg_7* z{9uYq)vrvn<@z0GUve|>bg!EA<>f`u@(*GuMmGGJ&zQYHZz=J_l5uh&w|><#6<>q~ zna|xRS6AEiN>k;Z{C%$|o??b7XYTxBSRsAc@4%+#@rX;!$r=mMcdmAgT$*m&8YI01 zRJJ7dbMPT!r)6Z+2jheVA@owh>-#^tf5SGOy5`M`bssf)tzQxj$cTbY7e$=KCF*5JMNb+Vq zChWEBk@y_m`M7zG2_pRp?6xRSr@A4F#th%DG${3z#5>_EVi?zl$w?ssf)8J$DJZR8 zR-FaK>!8GTV2&lSdx8yQ{$Jqwhv%o!Y5d2*4K#-%1od~6Vf0CuYZuux_AuybVb&ke zW)A*0RSC#5WzhcNaeylCs!C~LbHNOz$`1LR_@?EAbdwemud(F$nm$CT=of;aj3{P( zsU^4Dhc-q{wPQWbiHbhv9K!0gk>vXave0g96vn+(xJ1uq5*~#On3DH6iUxRo3(a*3 zb8_Z}XmpwURDCu-aciOFnBE3sB~f(frTsx-V}c8HfSPu}c# zWajNTi&oyR-`-qQKXs})_4FyZRSm4{c+*S&+B$uF2n%8hf>#q?tu%2g)r>bEyN#cE zgX2-6TK>r|JCU?Sbw)#G9f2=Z7PB*ZTO52o{MLjJzsAeb*bQyV zE954+vAl3noh4V&te7LR6PWm35#6<8x*3&Fn#sCqC(+PM&|1?+87J?; z1<3MSPp&5dZHJ&cfrp6H;T<03f4kH;L5q-%x& 
zofoWqdr1c%x2|&f!he^hoWjDDm4U$(p5H`iGz6j|iVMBQeg0j-cO)GQ z6sD2Ag{Mn8F(WsT*?5;YAb=;bqQ_X8pmm0uf@ZfZmEac${QHEZo2@#7=hj=e)poj) zWv(FAkEgLPcMx*1?6opB^d1vqDRJRiH}-Nyn2FiqLuXB<{k#UxDA0vPg-+L zX!Z+D6d$c|u2|#|3Jw@2Z8#1H&4iaQ~+E$yXQccNBw|Ar~|G{(q@Yo>6H1FlocnB2^=2<_zxY=|%` zdSN&E5OUyc502f=_7m(_C+XkMlC~B?M$b%IGvl_bTh=nzQ$zzM13Auuh*0E}w(liy zZ9qHYAMgnS3>2>?q(r$!_`qEdinFB2(%jG=nk=a2UhF~?_UMp_8(0=t^My+;;Y6s2 zhYm)Cvjaenuawg$V0bZ+WPplAOSw!p(rSwbpx&E#vUHdaGFZg8p0Y?^GQ@1-@YQ%K zvguwt1Xw5n(VQqta124U*3noqvLoka?F-Qdl!}OQ+k%K~l(_a^uG7FwTkmZB`EZ(5r{H zgOfM1PrO7hxRB471L$lk@^1s8#Oh1U1D6IP>$4ijsn6F~ot9-{^rIkb#}`j>NZi@b zK(y!q+14KoyJ;BV1lkB?Ja~Hs6YwHKpql8hsYwLtzc^7J8?+Mv`B0pys3CZRuApf7 zb)nYrTn7*NH0vGi>JzXDif6WEj%A>1#4)VfimFLri1?B01gmS;um_2v=#Sdy;D^C8O`9l4To`mGDUQ8S!G5Ru}g zAA|1$!UN#K7RMtbyj$RDAk4a{5lF>a_>_wg@Ig^27)uYn{e?n7Z*~G%uo4aC@ij?# z9nyb|=SI6F=MGwM53aUS3hplNMvLFWG2RmLys9*KHG^a?u11TmU*fE1G*m*8Z+~wv z$PX|+vd)2_ODkO%NDx~yyIFkR4w4Bd%Wu8-o25e$H+~o8t-pRE$i~cTHOI5tmlUK# zxwrcqBqBS~R9&L+{uN6rD0Ptwx<1FmueBIOw*5BFR3S(M1Vd2Oq-waD#7gS%Kz!j- zbiMU`7jaKO@4)QF*#e!4Qa1t_#8U?#ho#Z83N$EO&_}WYPqEXYmR<(3e3t;nh$+3` zNI_;!$*5~1Ro%eT7$hMNuoRLhQIBFRLcOB;+FX!#6Cu=Jg(A)l>tZ*zvvNefHgR8H z3I)4GO)rWrzjq(*0AO6DpOR_>#sye616g0&aYNyntkFfAi%yk5MTJQkN_1uwVq&o* ziR`|Um&b)6l@7hyE6_2-{Zq`e?Mfx-n&JXl^nuCLoCV%%aY5cGd&*<`Vu42Z%wICNT6$FP&=nOd=DD&bSR=(aP+i0e`nAnnL9 z`y>hQ!a=j<+$`;a^x$Fzqyn42zPg#6-7f!5tI)t@sD=t$1?UKI8kj@Jn2K$&G~3@0 z+E3qZtbIU!kRbtZgn7YFwgy`~_QQ!CxlBs5hjd@*W)K-Jb005;C$lg+W|w|-OMw9i zE`gLqyS5eHclAANi{|ki*a`*}c}2-hxe!Us^(j!clPS1U+6tVv$4?8+HtX`R^yt~L zAT=zlS3*+iv&uNQKMUfsBeZaH*mMdz#gTT_Bp|OHMb;eD6VHUV0H>~n_<;$2W<2( zvhe+L=JHZ&xS3{KJcFYT&~PV!l-t@gxeO0a=XrTO%sOL$ZW_@-+s})m*<#_EL^335 z-qhKyMQ__y{PIrbzz^E;8bwU0l&R-Qrm!F4g$;K5{;i?puSFVnckuMttiQ+E`B*n^ z0XX<+u#z@dBUEzXCF`M3_-G_;!Vcg4_`X>r_qz0yj8V31Fcxx$^@W5)$=(5!|B?7w z`Xtc`gu$kjSY>+8ZA{&BX#(0fSnmr+A@z{^`N;#lK8m5FG<)`vi2KnjH9eUg03N@6 zrkSU#dVF=vwGJHfTc|Pci%31MX^(8$y{x&@B22xTq)E+=?s(}S;J%N*PVaff<|)GW zAf4=cU*mIKZofW1$t`=h@lDHOe|$D}bRlleoE&2GUP5j 
z<)>zHYH{NjB=g{rrI|NX$lL~w44~zp)csZ-#_0r|U5iwhmAE10;Hu`R7aih*nU;X4 z`9NBTT%0E^8^l>Eo4pIT6Eu!GD(>HUOXG>mmdMndgJ4P{wS^at-zIjHWzya9qoPgKy&gvKJLlqu{^ISx|H}w& zCw~06N@_z<;dAJOa%@l^f&mIy`zA4;=d(NNRBUTWxz7TN%3dBc-j;0fE-E)E4arph z!#by<8e{=3(vAoQ>!KqU{*bI=41@Wz9=m79ogNBG`Fl5-wqPA88y9qRWK zq>Ya_aSs>pO3bDQTH8-f?`qF2q~QGeS3$w5eNkC>0vpN>?&7I?mHWK>fVXipO)Yq8 zigy#wOIhTX_kJLX?`E$K!=phl_v!}5!2IjRa{l_hep#><6|tZ>8?7QrQyKt(jV@pK z5Z=Uixb@@EbRSo%B7BY;oSjm!C@td0e5(N)kC5+Q5oad>5g<#%2_mOAf-W6X`@s^9Sfc5j4ln_$---bzGsYH}S7T;J({ zyIECKPX%3n7v;csrX);ycHEq-F_m)lLD_BE5p(?dXRhSawx9o&R4(+@2g>R&Ae>u1 z48lk{B^+g0H(M>V5oI7E=GNQ9$bbXNa{J%T-0^$f%2uBzeSJ}xTrHs01vSic{)%t1 zF@-Bq^z;&k8Y#B`Sb;788ZV&iSFH2~OXoOJDuzv=O)nOX@9e2g4m}PZJZm&dsvNqE zatP(%SZ^g>CmrfPm{^mdtR{$sfgmbN zY9_jj?v-gPQ)jNAMHP>|6wQPQCrUz_q$Jlt<9F#DkYXH%^*n7T5@?Lwtsry1^S_>k zR?H9oPcpkzW;GLzS41Sxp1M$j=2%hJ07w8$k(~~7?=z6*_R8Ub1X?Dl$S`vIXBcSF z0@Vs_{Hsjj3sRvq;kGw&^$1g`sKPKwJ!FyNg9P;Bp*abSDukn|Ow;{EYMiCz+xd?? z_8Wk9N9b?>+=07B4>5rx@K|m-+2M&hp6ikvQHJ8m^!+=J-_W>W!or$D0H~_h!$W}g z-IO(qO_C*;+>Qx;LJcdB_H;zW1;JyVnnUg20ZgkbnvSjx2`AdMB5RIbqxlvky0I=z zP*_eG9amNzNQ&ZYUSW*Y)Hy|*rJy*=EJoSxPmWH)w;PLzyJ{+gx zp_EASF6V(^lV-yZ*(ju3PaU|HNpZjSY8QmN(9dX>43;*cY;2Yn>srUN%|5r>x7cQC zK|+@E#!Qp@kiW$(yTzt3r2{OBJhU#jGIK}j-!w5U9>^6cXY;H%a~o7a z$spBpiYJ$GE$<7be>m4RioE)E{89@5j?krf8~81^try_{{BOw8l7hrUa1$WL!9N%0 zjqJBPQ%Fm-3Ubne30&=Rki^ePZb=c;;lkBUf~H{b+I3#swx1|=<<;z^ulzMFkmMR~ zQfGMTV6jjSx?$L zZjopdQl%m%0h`0pl2K_j)BCARKrnu($i$eN5wFpM(T~_RHF(BC9YlgXjH0fG^a`!0 zCRh*~eI!aNEHgRK9X7@r|L|Qz`F-ZGDTK8w1;Gj>igXHQ9W<1`26KQbgyH(jMHN6q zJ&SX)+4(!cy|riG{f$t#ih-d-?Vu6GJJmYd4>rJ|m|9heL;j}O*?m6hF8=RH0mbl> zXf_5Ev&Q$RBv-dmVJ6&K3!J1PEasjr&JQX?`x=J!-+eG<17&e8)Hd%5+SKZ`8+KUA*)l{YBSN&YhLBhjfZF%NA?rvC&SLIYx-Q- zc}aYJ43SG?H#Xv^EFGn5gR)K3^hbUAb|;V|deno)Vf;SdT(@nzPYlhiQx0Uk3$?VnNeYmvX3 zdit~Z^g-FCIX`_7j%;&u(CGcnK;jHPvFpYS3H7 zO0ho1nbL>#Uj#0J2XKtVOW>>Rd3g`w_sTBD@HArE5vZc>C)z;jhOu~%d+ze+JBo=! 
zi&+L4V;qP49K*-}Vzri?uGq(JSt)Jf}fAllIK}=s}^bC5?A1Ti)naRDS zhspndi`VNC|7syJ-oW5E<8?B?6Aqi%er7_%x*2k2gblfB;WkYbpa$=E=geh8lGh+x zpHh$xfD;hJWMJQ9TzA@oGOy`Iu#FJD_@^?MOe|TQ72k>$Op{q|!pnYU+g?!REW>L$ z-L=A%m8&ViP+~Oc#%?$5sXKF;yk~i|HFqcKd|_CkX^2B5zuqcOf-7YJ*Ozra&9Ux` zan7^Zo5oD8(wFt_FT z7kQM%jyB$0doaixR`NhK2ag%mWTkNzJa`myRuNa1U43nI^|n2vNKm<87l6^PhLAefH}O@4MVNb%|LU;h{EiUQXxu+lNx#9GA}82s}0EWB46}W)(r%Ut>Vzxx!4V;{T z2ay%1CN27+>m=6;Gt|I>5mfpMotyOo0Ucx?ZBX{DF9AmwI3_I_o)R>GV_lOQ5it3P zt!VUO8f=pWemdfiyi#PE+?WG~|}?!=+RqLAjpJ!?ThBK|X=Ws;)N8ot~KW5`;f z4?0TF8wR#^n}ie#NlSGj?ng0Il>i%KrGQXYaq;D-_8zKKn58NGU~?>%)EpD_u>QLw z1{q1&njX4?;jpf|gXHTskY3Wlw~4K;buRzj*!Gike=D-NS1kxh%GrS!A2+6{Z#i1G z1(VTR0TTg7@cJ~e(g-ACwPPALbNcduh)f5w9H+70SW=~&94aL2wHVThKC>lEcJwX2>+ zHN7$1u)3toXc0y{4DQIAc8iK@L`g*oOXKPgHt#+FS?sTO$<>QWBCNQ}Xhxw1bX)qV zdI!O~M3>+ekK>1z6S@t1M)sOAkT)?a;#2ZNWgiwM(KfL}W*f|qY)qwRUO}TP5BnyU zqglNt_aAOlZj=Jn_vnHYmQcfg&K3@iFl_|j>ZrC_m`Y5;kyo#yF@oARkzaLf@WTV> zc>P!wkNabk=;`f}#uWYdAKpl&ePbOShnJQZlJ973migKDZzl3Z(eoB8c$cS)N7H4+ z^jeXt%Pr-Zk;NKT)2oe*N;`sE6G%thN|GD^SjL^JZh!7w?;3b#;~-L?p#MpJxFt?3#Qu6C@_C z;ETj69nNn&IQjZ}K$_h}Vl%4G+qB(Zmj~;V)*I(?*)o64`%KqjOFK1kjqT0urQoG^ z+hm016VH@VHs=n^;`6_bpC2?eDI7@lZ{|D3#y-G;$-Rd~dIe)E*MJxwO`KM8*FyGX zG$&+TiApG|kO)J|`6iFZ%sb|%2guXoq8wF%qlzkmJ{)D(B{0l}E06$V6l!{fF`@hL zHj*30!RsNtf+-p9A{p)giu2S^o(b#nCC}l+^Be+x+ta$G5FNFWVw&}Gkj?ym>Gil< zTHe3v6>Scz?bujWH=j3%R^}O0mB=8wP-c}}u)0Q-_2BEcU1+132a{rX(I~Y2F|Je& zyRZJz>Ia6k@#kRG5`gALdjlKmOKyT5)f*`QP7yb`LdnkT7fzgb|8ibwN9a!`QWJcq>w zJNEKEw1OMv>PT(eaO?jyCTlynD=PJjWT~S$`cb-JB<W?N@~zCS{Yo^1st(niU{zv!vMlxv)fUx;xM`C zMMaet@B=1-zK{bU2^ctvP$seuRIF%b3cgqYv+)d654>p@FYvlEd=9QS^hBVV{`|T= zIX409xG*!~M=8=eIc35;gC*`jSeq!_j2jyHWU`s}i{CO5ObV2=M4anSft}SZ{TazO znxv9G%S}VjI~9eYg(G+J`A<2KF%PvvYVi>sZ|oiegd=nt)8O4hbeQjf_$dT_9*`DY zC8K_(=ecJzYkxcFu31c|%n9iuJDHceebWVQm5v~Pt3_l(hb#SN9dM>XG)Mg;4yc-g zaw%~DJ3z$08*EH+*yelQ%tfsa9s^lLAMCgZ61MOvVN1!UG>?pem{4O=WB;ri5>bib z*OVGcf}=3|L+dOZ-Iu-LT4igDivh$ia-PU!yDeHhRumP`cumnQJhhxrlvDJyI*#l| 
z4Js5aR4s&3e97Kj1vP^tfXxxYM^ggnSXs_5l7;4jI=$JQ9l$=iX&c8>hiFtObk8*Q z||&b3Y^&V_FB-C!Pv|@z3YSBs%`XSMO?};A}>vK6hK9 z<<(w}Zy5kv-bNee&Kg^vC)uR|F0F=T=mFI&40oU6)?@4CeX}-PkypzX+aF+eHZ%wS4|}q>3u_j4U_&ry4I$wriGy%J zG0UffcEIOjBG>{!ZDDKxayR$%{<8nV-UfC`#yc^BmW$7EQdLi;xR;Cv^C5Cz%41Xz>V9Q=kye#%dVIx8#H{ zyG;zT8X5SE3W`5~yrMd##+8+}Y0^Q}Vx}}-&iM7k{jC?Ch3nAZ-1F4tqDgc_t6kk* z_QFK7y_o9}tBQP>p8b{Z`1hmeK*8eG0VsBvB~-K%ckI9vNm@K~=l#R~_ksZ3iO~)k zSgw7G6IS|hLd|j75jX(M2lh&U30#x5aj>m=ZMjL*ut@0i(3WL<=CZjlNs)R{IMn*5CpbiIIhtgLFVu9VZ3_a6B#hm%{)%lv79=%*oYX|^({I&-@Z9@SK&C5Q*X<0 zi)l%*ZZ!eNX6>kc2h-?8%f-!$PwO?d;Sj?aX)TQoL9 zjsCp#H>Jn1*=K{41$@tL^Dce(Gz0+AqsA;Mh#9T1AZFt3Ql-MrGHg~5F!l}W=g6R^P@Do_!*xW0uohhF zD-jGUf^dj*0wc*=qOmfDJTZP7RG0y2QstnvSk8-LSe+gF{W7_Q3tiTA2Rd8`(s;;O z$z9I~s+|JtlJ%J!KGa!md1;KHV+M&dJGmvY1*+jfD2EgCb@JW~^GPCf<-ZdyVCI;e z5j&Tys*9uvT(@}LHRWN)kAsRuH_2>^YQ+@(%BB{9^`N5c(+f?1@P)^Y_dOadL(#~k zvKmz6HZW~aC*wu_!Awk+`XP&J+L*~ISG<@B;1u{GFB+ZHv7g*X%3!r_sh^c+Ng^?Nyal!PGa`ifATSc*Ax3GXG=Pac}*g{ zIj69X;3rqT{C=)$R(}_WxchUud#z_{gmbTE^95mkszD$#tZ1Q{NtEM!OHOpeO}rn) zPHs-{txm3lA^IEpLo@doI%RZXyDrsTeoF*ErwBy3H)Zn<#auj@f(ljy7&BvGbk4bHp6l;Ii z66e306%P48;Ad3`eXnA0Sz3cTW$ne_eG#Jvy>@0f@kl!VyA$xL^bZ>*whZaKWiO%- z_9~9B+~-o{-*<&~4;DO@N(EYR^_KVQJmZtct?AtOL8jtcBL8$@-$GLcoh+z34wPNk9r z)6$4?zsH9s9Qk0<@6q@hOC-Ck3JsTJ0nDhdekDvhh60;VY4D4BG*Ol_qLXmWGbD7| z@jZSZ`gm>v%|fq`=z z`=aoI4gf+7G1iDf5+n?W}Eu%jDb zGiW5ki*-CVBBFDkg@DqadHD1-QF^ARG1STCRfv`c9kf(T9d&28w*7zcQ^pm}!1)bj zJ5~`}^*}IoO7VL*0}!QF9Z-C|d8-J^RqqW3364%l0-@(lfBKj6#aD6&gXaB99~QGn zI3J!B#DxvMy+=%=jMyA! zqNn%40>BIOfaCMOV1S2+@*3vLcB5%b8HV!nXeqQH)us;H8^RCv~m-ui&!JWuVo!afTB z8-4;GhEJ13OPy`y&Lag1&W8woYw#V~9Slsfy`64u9U2v+rK+krk-!_L64HjJHD7f+ z+X|UZJV5sb@6~)G`nQX=%=J5|v3NWHaAA9?7duXYskv)*a5?WE*@Slx8|*=X*q#&X z<{98)>BB(d{X2=3K{aFH>LjQUNY zfY2Zk93d|>qU0!or1OS7P+8`5GBoZ9o+ig5yzocdHzfzvM53Q02Dpeqo}@4qiZ6Km z1a5lIxVpOlLQdI44xBZ6oTG4YFcf2EVr7`x?ZH)WoAdpTsgdSl50tJ$`+a`l0d^Er zQ&N~o{+wkgKK_Z-OHb`^9p*%T<{=306vkVY`S1?JRyD! 
zGbCP26VK|7BQTedl`LS{UlzYTWJL@lD!3|Uv{J(XnLIn_ax*4T-Qyz_Acs(6+01l| zlG9Ws1Wq-q1h9EAE-gUWTkY#)wi2G3FH_6>I@iXrxbch=4>D}_(9@mx8F#%wx^`*a z!ZDnohS2)s%x~}_k)iyspa?2zpA61A0F7 z`)c7X5|9y9%O&}WiQ|c(aHozKCR@``0wrrR8!1Rb!>-@C45S!Yb!7FxO=Ad94q{^+ zD>nzbEfddWRduC2Ar|7DT4(63U9a3UWW`kRaW4G!3*r%e=f}NG*O}1PR-sXYD~gLR)*HumHqs!6qPF-Aaw1(HDXlppUFsdIK?sNN`bw zQY3wi2BUb8YG9x}u14F`k#nyvmk6)KF!bUqxkpCSv!{vzR}j_;Jk@#T0YM(*w|Dbh zYFA`s<20i)^eCGiaIu2!`vmUPMnbI2Cq z6(viW34~`r#u-2$fK-0=6?&LW`K_=sp zVoBri6EdjLy{Y4V8HXEc#KNAE%}$_vR=Ebg8D}v6qnz@_eF@AOka|W-nx-oA8wBub z;-d)K6YPE(!51XNwO|N>?40Opdh?@Bt&HziL-dIc0MP&N0BoOA!a==Ps?P9UHliQq zHl`^Z9SH-BF1Lzv1!Yib{TZqahWk5FMdX(~-k=8Lwot3=usd%(s}4c#YeJMCb-S6U z6!9)hM!zD@g_1QnG{eC7 zf$JB;OK43CP9#^JDIvCRAb9-bav9d|`d-%YSp2rU`w z_0^v~!2=Cd@n!6?rX0CPJi21l3a0*oBX8hi`--N28>?QO^$qbh{Uc}Y3>mHS1V4m> zb_&voT7?spB>YTfem8#&_nf~*a&B?`8n(t3qfEjz5(dxnILzn%1kSNhvRz{nfj`f_ z7caJ|yY}oNVNxVzH^vn3%c%UKUBOFasDnZLi4}8eakye%?ONE!*Q7~Q(ku@`6G+mB zx`gaffxwF4MK)#(N7ECOW)>Y=Ew(GX<*5KH5c25HOXEx#<1rJs-U-!(CS0TW?zZ2u~EN8T$}zX|F+ndy1X6RhCt zLfH7?KiZbquwK6}Q1Ia@j4yo(q*fj`iz8Whf`- zMhY}-of}&|JGD9D5scqPa+8g>QP-dui~$G!yb`-cuK8BiT}cXs#jlm z68|}$9HA-`EcNu|-*;gd<|k0=3@rCTfKV`?nM99-z(t~F=vX=}MAI{y+Z$jU`hAm4 zjev^?VJlpO+teqNClwvFSF<8OkcI z{BG51HGaUylY{-{`;34O60ma01&zvk*=5MEpqZpQ%lMGnX)Y}df;Unx{P z+?KMlgdk}Wzu!j2tuSIs=IUgI0~1ud0dL4k$D|bNYu1I9b9tYyC_)W`?R{a)@{92! 
z5+KiIgE2cj5R->1vp037V(A)}v>3^ynoY_MiD69&j>lVz^O!acarQyT;AKlc>^Nn| z>pK`Z1DYdXuVc}NqZ;}VaQvtrQA)0JdurxP$HkS`AAJVFXK$yIRtLPTzj@ej)ATda z%i879R~p#3qP2jFsbY4)q$`a;4_d1Gk6iAV7ns;j6f?jPqX|06<{GNf$=W7dM@cYZ{+Lr49C;ihm1c=d>V8AN^e?3|2>@)Y(!`v}y6=Zm#I6L!I#O&6b;D5$qL z9C%%^vE@qv)OO48=v10#^5gUaHjA-p%U-lkx?GUc`Ty1m!?iVXZf38dw6N5+KP?z| z${Z6G5LNX&VM<$ZFP6XmmEccr9Nqlh3lY<=4$up>m5wBo|6DI^Ky~Rp);MUzD@ab{ zFSrDw+|wnSb()HqL=ZwsobRqMqXJr#TtsEF!eUsu-%Df4i2<4w1+FLu9Miflc?D^j zTzd9Z-aQSXbo6b)Mm%Ls^+BwDN4d4YL~(png}ql&)%T4rKo<+XI`HBuwvR2YAUZBu z*B*GBkbMQF0SLLX6=Piv;lmejkv1L7y8eM=K8dbaKe{p9xb*k8AHt7u0-RdJo&66pbw`|@B zYIJ?9mXc8|%p>Y0(xAuc^3&!}hQI zFcQK*a$~)RCC`mHIerohyZ&%DGP^l(g&4~HS1|}S`+^`X3T2O*!WCPti*D0xcJ%Cm z-|)SH$Wqv|GCm-+K*-|5EkKm-D`XD{GaGZKu#^RI(s#mtl{6b1NX3F{R`^a>trtqa z^=125PJePWa*e1Izv6UUqprQkh3;yID5cs{_uTm%@ekL;AsuI9%1l(2M~M*KCH`m2 zvO~=Fv^e=n_D2C2PcyPp{HzjclxmpbbkJL#q7LC5(gDh5u?H$13F>a~rdwMO{vq66 z`X@o9e>QlycQXy>cAN6D*l}S5TaqQ(10ZI5Byd>5uHSy1A;xjW3i+}Xh}A=? zrYj2}u_gd9Ukmby&M9{31~%_MI6Rd53r#<%1V@F=6ZgiKY4;LNnvJW=93P;HS!`PZ z^d=KEQZ2xD>%Hu2y6#3jJQLY&A_x8nR__XfK~`^d6jw@i#RV~?syHuLG_(^OUFrVZ zr|_AUfbxTF)~1YBARnp)-_YmuAiJB8q8;ks`0KNOpjp+XCiEq|A_{$j&l^SJ%5tcs z+qVfpY>ik5iLnE=6>vz}XX;s7nVT(*ofGYI$75S>pcxW5b?LA0a>LM}y-gw5xN|~A zriAXF$shYO#(yH}m4Cn^h$6LdYJn#K?^w!1Kz6ikb)=hW_bE;^{ zM&&3$p_fz~n|rD6Vd2R4_{`4o)HpgE;r~GuXj&KNi?$d- z2xL-_oc#7)`}x&`I}IljkCKApi))Mx0Bv_Rb6#@Msdll2`A#D{H9*3nD zRGH@3K*+KM-tx>0oHA`5J}8^~&c2j*?{V16i-D3e>>y1|U98}A1lA<_ZB2U{D-b@jsXo(=m*y2%G}4`6LL^S00Ub z$4%MR^TC0E0e5O#%ty0)^MTPe)$osUd2Z?oLJG1G!@UiS>>G5X7Igi_MF)!J<)M0h zA1QXj1CyV!>OSuM>7j>^PX6kO9*{Fl@ybM$+aY!QWa({WLTG$uAKnUtmdJ4|76-ob zz^|%xW7+Yzca!%-x%rWK6Sm1l{5jt5m?XAlZgYN{$h@*kV4rxIjatG$*NBb2-YF9B%`E!!x`=JQ8!AN98Sk3R6yJ4z4Oi@BMp?QbY48(7nNrE z0A^A?R1DNV9Y5KfNB9HdCwUp9!a%xaSVdlpy;YERpB$?%0aTX!v@M=UF8-^ z)!LWox7JLxc!_4=L_acM`^5xN5sBz4i3Bd@lx1>|Z4(zV4 zZ--oYCvYh;P^I8U#6a-ne9w7ZNqeNPMF3Wnq~z=q;%~x zbezkbj4iDUJ&@gT{!yj6A8Bby+V^2XM^Em42cf!}iCvzRoB5tEkps`!K-qoQf|CjH z6zIf{BOQ<(Q4f39*F-hMg@A=Zs 
zdWdjDJfAQPZ>xF672A3qpi*m7I3|&wej9!lLQa z=Z$I8;Vz(xF{V!GfWBc|7A*TeD_7qLu+ha z%pdyN#4I*{%rqrPCHvQU4Hr#Rk-N&?} z?R&7&l2fmS%8{bP;5_U+dRh9z!H^?y=KgNafVxx(Ph~ytJ{$ped(M+W(5O>K_KbMn zz4C^#8Cf(%BrMUuO%a9SVR0oxOr>{cPfjPcuv|;AU^+IUJBhWmPAHJ45~b6QYGE)q zDMC#Hh!n=+-N-wL@Y7>ncE46?-iz2zDJqTyZcFjgT!t%F#z0_}6uNBqM=bD3ldK+`>PMw@w$Hg3mXhJx{a@q_ma^hD*9lBw31i@ zFQ`6i-gPW}a#R`GrThv~wOf%$13<+FD3Zazv>fjl9mpex#R|eKI;d|z&RPaLr6-K6 zudEpi&IK4O_bYi?G+}yE$UFEpuKWE2%5X@O`_&g`j>?m$tWg9%HI~FZ3IDa@X6F~B zICjC|u*mx_?4{1jI?NXrkaVpkus3^RKT&|6P9FXos4!Dk1a8AWPxuCc2eO!kS~I{L zXAETidGIWT?T4RGGh+&cEHs4>>QO z_u3R>y@T0B)R#Y|&~42U!ctfV+B&umGpOw|^A9SM+Zmjw_A3Am_vEp?Aozv7Dr0Ko zfu?wKAiL_AX~qen}6#U zjhd4e_ueSVoSqQ?)%Z!jD0U#q`PPF~_$Ka1?hQ#05YDK7@fI;HF{$<=okN^4eq_y} z*#5PdFS+K^5}8j$cdS?LD`_SoC(wIFBz4h#Q7Y-Q>E-A356S>Rd)I#`Xf=PC)*<$M z@}$%CU2wqyMM^>gKPTqbT|I~uZ;{626@=*0h8Dq3Xd?bT-F+i?#052_T|n51)0_cr zKxv_q2b}T3xV;@lDga5$bg~Ouz?sSjIRL+VW0E9eJyz<(I)`ef&| zA9|SL1%bg;=so!WTZQZQ=R!cYQg;gQXyw;xBQYr4 zLWOPAbru}Tch=VprI)Bh0VIWK(zdRe6kQR;&%>4{)~Acw@g~ zEIx2`ZVo9KIUO`Kr{1{69PPq#lDWVcu>qNNIcBeep{I;;54+1SY&&+vV=pH~v~u z8r?gskQaqkH$AyBY3G{W_0$vsT20H+=0ew7U9Gf4<8l@fGM-8>G@JH-P&k1oNXc4Y z-`J6rF~N%VogmwZDF@MxQ%V^i68~{-?NpFun|79&^wTKS(8Nr1@=LI8{o$fy)l7c~6Wr4G>mD1tRpUJKYj}l-J%oSm+5i+83ZA3E=a@cvusO%^iHs{iH#?qR zoKZ3!=>@&#UqF`7k;k|QiNKME%E+rg6kpO4kce8JDA7PUzEH1Z@MvPTGG{(TF4Bjr{+BMSpB;EQ zXeY{54DlaQzr=Pj@sukD$SzCO>kahliQqI2Y6#2Ye!z_-W1(C5y)n)t9O3HNeK5U( z-tcJ35Uk3=P^Srq2D&{kKO@!nN$wpI=!w9 z<-IJ(@sHc8t(j6 zU$9jK6fgNp!xkkR#^9brM7AA9K7g+yO4X5egRNpN(j-kfox&_o+xAn+cT3V^8i>1U zLSblRo6!tSBr>Ogili6%$styMWWaf%bg;8F710(ysrWMr=tgg!WCRvP39L{te$qC) z@av>W7DU(1ZG}VImZ`#0nHFJRlOe}$*R9KQhvqjJzd9FAy=0PYnx?S?*V8&qrXjFs z*L;L)e7`(IFwBliAB*2WRyanO{7zFtD5D%MBNY0a$mLWJ$5=GQBx8~SB)yhDKdC_^ z(uh!+aBvp57T54B5Ygbtd2&jPyRTtfj2gC{nrLmeD}n|X=yH7Ez2rG3!QKcJO)*6e zg44A%T405V9E4fhWtjqv+Te{Xib$m1*k#~pr#1RQn3h?n8RG;f7Bu$#qFm{4Pn_Jy zVvUQHduT2h7v>@v*T@&JMYDrI)KD!}gc0oUe?`R^k|IjPHghRtUr?Fu< zyxi1kbzV)|D=F$atvA(3w5JB_u!O#X 
z#BJqaf)OK=sCb8kq#=j^=B2keq2x%k>NZR@Ma!Tc9)fuv_dkw{5d|$f;3xSYC%1X% z)~=(nOGiEyH?k)8JiRE`(9UeFQUPQFg3)bG zV;1^qUBq7Ul2=Y(#-DXE)|c##GThO<4*P9nU*$Mx;)2h-q)1qEYPcHqy#+iP+|Mt9 zgPG4{ZAEDpaC8aZSw&80q02`Z(0R!*YH=@X_qZHi`4U>b@83~a7~?T5G1GiUT13_E ze5n2w#-cGQ+nPItIX6_1b<>_X*;QT@jbxNKX($gE{0z&YwR5APgZyYrIDm$d4_t!? zM~$?{dq`f9S-!%=W7~%h&>|1}bzO454Uu zPda|=_wOL8s|Es$^8?gj9e5}737mM|l}>aHr%$#iKA8 zTmDmhL|J03RS#cUMaYbdwy`ZCyJs-Mtver+3VaB6ZY+DxSs(|o0f~RFKB8`)#+QZ zXp(M;Y4A_GM^3vJ^R^F%GTXebIN{woY&(ZDglt=yM}(3igC0w7khh;I{I>ZPbJs4? z*9dabd*qZrMt_3%SD8%fq)+o@&{8l0<{^Q=U~}%VN7JKwqOc-9XHlKXxq6UuPfI~v zCR~h3(Qmm=uSAhMzu`L@`Bj_jeu8JN+xJ;iCi2kt-q)WuJbUr4hDYSRb!T)V!>HBA zS0=jbqaxC=!h%z^FE%E_>)pIH1e0k%Krc0@(29XcYt1!{4^<)~gR2yEA{Zvet5>vu zBs0m2p{gR-3@u#C1rr;UuFoB6*l-8XE}1bszH^3PC=jOPLUFWT(Oop^Ihnl2_f}&| zjM%5mm9550y3aWC=u|GF2|K$CenNm#}Y#lO?G{-B@&7vjaEK6tx5Jdcc45 zS&si%bK#Jlkp;WJ(tfoA{KH1(t+7#fyX#Fc^M%mAnfT^~-I-33_4Ywh3lD>CL&f2F zpd>IkqH{5s^lAUm zc7+RbW?hJ(ncEe)?R|?(lRqEiYxUeE;lcv<0En2R@{WQc8`#yOt(_yB|9=h_JVC09 zHO?k-&+w*xp{gyNdfz|?$D*6W#NSL4L`^G;2&G2YhCI!` zpGmFck~Y9(69qfVCDIgTx}#SltR;BKsxc>dA)U6%DTvxZ7MBBy#=CKOL1o!^7S$PnYqHvxVS%hgp6?p@Y#;*(=|Y7H8I z6B91OYQ~p$r-;MjA$n7#FJ)2N1V=cM-HP?j+Kz`OUKd%J7AgYR=KZ-HdIKf{jqYuK;+TihS882d$2*{x0Zy3 zT)5F!VFmZOd$gc&DIH&8Uo_XHq`=%%%H->xS1_ZmyM(r;AQ_lAU7^&B_5tzP)N>4n zSvk`Xsddb=4^>+vcslMWptQIQVfzt#HF_q2Ky|Ds$HP^1;-54Q@ykHOE9P;Whh3^p zF&naSM3F~QbJoYn~^NwPC>Melemtx)rtx-}Y!Q09z?Q98lOcp9c$ z3kfi+q0+>_WQ4!ns+z`N60X8h4o=my5{v^^ps5~{3M-}i)JCWf0B2}SgO@$aMeG#_ zIw9QCG=gX=O?zlE&YUJ|NF^373Pt$zzmexd%~~WT1G+e}@fWJ$DKB)*DaXbPMNd_^ z?r8uv8$uSXKY4sYvV~QxN@xSdbgsU?RsNoWt`65FFtcZzYyL*MX3y=G-!eMhwp$q? 
zQ|n$3_pxxI1<*NUgwwVLX_641L5 zvUA(#XmoLa_KDl_5`3!Y_2O?|<($Skx?(eml!Hu~OM8?0%orm3yc9diTS^2#gGq@q zWN=Q8B+a2bT7l2}4~Xt&CWj5IMe1PWC0=RJ(IbiP$D0O%zL6G*KTJ5Jz=nBz3!^wj zw$nnD)ti*j9FgRP`aU8|gNMK>cVfB8GdM)^+pi3QZsg#gdHg4s-19-$)m`y>{i&i~ zTTb@CvVzOh|EM))c=|?WQX?IsuE588tC)_L6BJ+{{xd4NpGdcUVg@72r9COtIcqR1I{8@E{rAt(8n|Gn4cO|aQQ?K)ALW>X4Z(ZV*!rw>9x{jYL_fQpZ#0@fN$KA#Wcd;-ee=MaMZ zO|NkGaoQu{*Lyzkm6q(65WAJx+3SYv*S%zc*H29%?14SRzWus?jlYKP)Tj2ncRlv| zLO%VyyHEJk=-BIedt<-qH8YNUA*RUse=nK)`|S<**2{+`evv(rq51N-O?&mop8ucV z^|JH=jVBK9 z`203#aW8^SFvNS zbqE4nAvf?yA{5HZ!Y3Zx3giKjeRRyr0(9`nE33Xi$1JCawB{1)KGc2huv|G5;6)xJ(cG8ECcd(7!&knP|j%Q1na<|5HKYO&?;WVaF@gEJ5WWpHrVme{+ z`VW~>Jwf6!7b-fc-#qEyzZzO?FDnR=oAI3@Pi z&%G_QWz6xz7hAni+YH=gzb$%r_|WoSJ-IwGvv>0QZqpBrCOH2`jaL5T^vxd4>yFsl zkJCTaz zmkqb5xm3!~rTryxZly11m%)k)o;@YZMrj5(AGzhU~53mK&OS84E+K2YWS zgXt}4N%*dbkemO74-MPY#RL!Lt@k>-5Zp*^Jfkt(@%tRE1A7S4?eUUh@QQ;Uf*AAH z$-adF3&0+P{Px)GIYxn@5>Xjrm_{>!K?Cy|Ak1<*5ww9-v~3#rUjwubO>;_%K*%hi z@R5SvN_QMqT~R+RcDzqN;;G${_=0c#)+-PPP+|vC0pLn@6%G(awpRx^1XM&~(TZEx zJfKKD!!yUB?T!~TK1Z=+Z<-37^d11Sx}f${xs`M4(vGZO?*K^;Z2ddek|WuKk+xmb zy;w{pAS%PwmIWq+3cz<-=Rd8Hlsm04N3CI;esXRWJI)apD;-AfJCL_;1h`nHR6Dud z7$@uaB#2UahF3XruJ!lvclc;wNs?BLuer<#PQ6z@8U*$G*Ah0`*2WsF7eCwD!e5e* z|M9W_c9+$iyNt`ar+USsDq?K>{uJmp=W_%S+UNb3C>Gc@v>v*=g1~g{IVvN_>uo35 zSRfY+SR=|0%&U_4(NM#zn@SHGe?xI~K9epHD=DnSzdoPQ$5Si&h04p=A-A{ByK5le z#teZPG~W=OEKq_+B>LayNi;or0eYR^y_WY+q^-%*J%~%Hrvk-Yoy@PPMaZ4ah%{zmIZJx84N;;66k``H+3@Y>=CHab( zCr&CkKiozt_*Jh)S3-d!Vmc0<258iEuuJxts9K+#s4T;s_GV*jqQY)4jRF^oMkg`zNjFfYer;lRdArGf(ry|SvvMlWvYO;|I?9FWh zlX}VQl8prukS7%C1Hb1=;pNm=+d?HH>N)^(u7HKb>tL}?SF_csr`z$)kzEFe{~z(Y zxMeF*vFq4>#d9T-`a2MvMsTFK9n3z&+56n43Nktis=y=Qm^pePpP zfvPW4$Oz^yezERK)z0dK<5O!!z-i3I^YNJ7jHSZCEQ&}F4;zUpT8h^kc5x!L2EVe} zVqcfX> z!6Zgg{hkGD&lAf=5Ww=vQ2gl|YGW`RYvzQxS@fEc9<<>O*u3|A&-k9kRs-eX?9I*S zDd>7FvS)7gVz3_Bqe^|4Mmw;3@AcmCJ&mb4O2V*Hx1_h=>uZ6%x$MPgy{bo*^uP_` zp!WUe`_At*hH8|CV`pwk4?)+{GW&AKeub&z8VmuNUJe)Ez?GpH{Y^r~P02)em-2tx 
zotXp&iSyg1m6P5nvQx!4sK!}hSruMtwpT_x{A(vmh+pTl!S!M{k}yHY4(3pEr^f9Z zmUc8`l-C?VTXgV~qDm(TWt{qgA%gQzVPb#h?g!r2aax)WJ;2GElAsDv1GHzOA;&jh z=HtF_OMAMTT7(09RxOmoxVszAp=bchAxwEpkzJe>wWfHk3J0@FZFG>S{Nm@>(){2w zwTm)7MA&#dEAH`5y~V$77}P(sv4=w=@vh6rHv6s|wA@(Xps6u&# zRqH<$`fT$ms9N+;mRb>ZwLM@Jw?AZ!$!XEZCOeU<=K@Kbqz7>m+Ng6O*;KT|)?n+(Gk~*>56p$P?ul z?uKb22k;ZRiwP;!u?X8hG~M3q`o-Iwmv3k5m2vFAVmf6a)(q>(T{xk;MkC|-BI*1i zlxa7-hM*2pq(_@KRv=?>Dd#?O?K96IXN${HEhpYM?am#mRg4MO^wr6f5C_AO-quffW49yOIpZBBDf?YyzDA$TkALR1G(SgNZvFNqtr+B$k91#63ov} z3>J^`iPY2JvOuf2i@Qd_3KErWsrPmA0gveP|f-s3VXuJL*cLZwKP^reKe|trEO2{=#5rjug4+3 zg$Ny%)OTgv{4@@0u$a59l46=n%ERwt`QH%TyaV@L?Qaz`sHfDB!G|*ozV#k^adgR1JXt@nBQWX-#9%4lml{vzy|`mlQ?OGM@y zWI-GTrju#w;gab(uEUHjoFn$H@K_u92&W?)9>PEex`NR*{Qb_UvsEq^9b8TZ6dbil z?jRU~BrwO~{-1p&5%}Q8&>bANym_g?W4E>?>VT$6>omzCefH!NEP!rW+(}Q`-S|64 z8mNHC4jQ4M!7zl68tw}-Y=Ug(rYh~mI}R$-q;MLzxr=v z7fH_JIPN!&0DaNr2P>dnLFXJaw#J6BbeTjqqd#yWFhWl8 zm#15K$ZH@gT%f&XMl+`$A8RLU5G`_qePW3p0TMA@uKsEo`V?U9|ILa+d73&d1O#I= zCgSf&qUR=8JboY#g+uBZR?6KsDhp3oFb8d+p*BqY2ikf0?BjE)pbf91h>!H{$UIi} zq2D@!Z*9?E##g4uH@>mrNWm=}|F9%aXAMuj-LQ59bSg7p+Xe}W3O z44-exrq*Cy4PHhq`kXIbN|E~!GTc~%+6_2rwhoQr$C@ox?YEBq*eIwV4}8$Sfktc2 zij3h`8W9b4@46PP1En~;=p|$2?FCYmRf@=;8SCVLHbC1``}hv-hPiF6;5PSR?v*QB zC)UiyT~UrtC{SbNE{#D8gZ8ihLO{L0LJ~!ce@X7lR{+ffz8eiYDM^#p!0X^jVL_Vm zD^JqvH^Rcw6Onxgg0qr@hp^*$fDvlfl?#HX?lid@dSQ$P8skoX5eQ6zF-#8rI zw6{c#tyTA*>CrzdB~q~?y>99aFWh6WZ*H<-h@A0SM7b6?#bkZ`WE? 
zsQ5J)rtwd{14!HY`mK`zeQYn?cHU14&-rCFD?f|~;-G{bONfO9u5{nJpNpAX7$!>>~L~2+X)>X)+;z7w%*& zHTQ7wYmSlS!_g}cn>NaK7OR-E07ojrG}X${SW`VrntxNnJVxHiGY-h*Fkez9IM%yz zmakqAYI2aVLY8~{Vq6Wc>Kl}k`}}f#R2H3yg2wm6nViG|do{px@nqBH1q`{CMK z%+qUg1i7TlA#2`3wT%faZXL~AqjBAC&Pt6Ac`O{?lzduWFtmrtH@S;hWu1T#tt(S< zN64*Ri4=DkV_oQuyRv0o*i$BVdp(vv;7$*)rqxa|hT(B+R$Zt9 zjJyX3FxI}QW^qq5f_YyE*xS%9dVDN$<3Rp!4--#_rnYE~e~ z-ZKEDNIyD{FoVJlD!ysjCe^e{dJ4S%LedGKty?EPLReZsat^|YP09Blgz#-_A!G&g z6w}h9bqwh}+%}?H&o>JZCLhC6Gd_w+31T?03d%S#w4L746d~o>u8PTD z3C3SZ(&lM8(d1|q=o!k*pTEvhokot9D`2&0>?CI+U^W#&SQ-NdG@r@IK+OF{BrF=` zgI7>@POD_KsZq|6{X5+b;?VgwCxDI>c3ApSWKu1`j%yV2ymYd_2odhZLMHOMm^fN2 z=LD=l9s_)LbL7Q=7OhAKemSb514iW37mhl6J@PPmo*O;gLnG+k6osA=>K}VT0TV_m zGC>F{XDR39w__vQJdPP&%3oYXD; ztVuf6vQWc9DX7-mpzR=(emvncpCzF>bj&hnc3y8)F%tB7nt&f2OkdQu&zpm`BchGqo|`vm9xXNAc8+uJ+@w;+rc%_So*+Ua>RR$}qPI7ExsofkpG z-EV2ltm83e6qh~k{hLM1b_4Gx7WIYOIP{--y6Ux^`KqgZU9 zXFG49H@U@oU3=qr_JAQgb}C9NxBRa?Ad(zl(T+E%VB~2<>-efXQ#i9Jt0b!0(B}w} z<*w+o<5;$>AD?s>rLM$Om2|(&bPKc_33dl%eOf8hbc~(xiQdi4GYa_Bmqs5teaAq5 zjx#%}L&Jc#oEYfE=3_0M6XnJQ8-bk2%*_S*@uexPE9h%=HkzGPi(HjYtIv6>rZGzK zT~$#0mtx}LV{IH-=7hiddc0?%n`spo(JxGsyb?G(*?2wBr3)y*;Eq}?oqJP^UO0%8 zs*TKodY7d_zNp5lF&x*t8s=x+;%)Xtrb{c1a24+_|GAtoSmw+|OH~+_uEV8^7BFi! zoVp5*Ouk^tn8S`SHT=W$^ca{FrU-Q_GW{Vw=w`LLv9ThH4sfc37sAu zv(-l055w*{&V|*nOwZU8^$sG=8yy4DG`pvc@sZN-FOi8~qdmQ8|8>EL3N*fsSqon?pQ4m)#>g}d^^8^?xPmI&n}i!{wrmQD`ko+VTx2@ic}d=B>1O8>Vv(` zs@Fe8s!!cLGM}t?$2sEX|zsNSR+E0MJ^Nwh&93R4n!LXsiKQQh6@B zMx<_)l6hB^wKxL|BdhC0d?X3T2t$u3 z=W{>eSTZs?1%=w|R$w0O@o*)hrSKtRqu&H!9R6v%@S%Z1Cy78_F>P*Li8tH4(2J9v z`=#^nbQ^~s{3WCb`c(VAVH;;=R+I}%8pGriXRvEZI6#h$cH|j6+1nFLKa07>75xHJ zkRdXQeI^a78K2~qtbn%Q?uCUR4X4}8+DP(E=+9xI60jJ8CK;#bCRgGjLJQ#M=Q`}~ z3L7C2z3xt4VQb_@VzwwgZCg{bv3qGI#w~H`H-F8SJaL|DNIPc07umGQ%Bq@LnIgO! 
zPtu0BDdVxK2X7gO+@l4%dF_h~`GSqU&B;X)Q5y#s(l#4BTCUU$%M+lILDH<_?(Vie zpXXHAeSr7dRU1$4LCmsxD6kOsVMm~qN)2NZ{bfX`|F_&bnT2S&M`)JDFRGQKbqKi$ zqZ>O!IT(*Y)UfPXCjT%4V#fMpF5_`n*lLIEi*v^-B>EYMbRZ9uTYJ&#zQgeDeP^g> z9zpkscd04zXc(roH$6&y6xZi9brBluV?CVwsa7faH9{d*h15xVA&tGj$iO5>{ap;K zx7f2GWsV3)JIIu2TLu9mjmtuB>cMzf{$gD{L;^FJbA28g;%D%`X^2OzE7hbOBgjUI zbUOV-um6PP+3az&bfN8=i{;NLVa%)KH%39d+6=hb;@K3=9Ty7%pQIpIlGoF0{x+r! zW4I(lE;ZsOO@soRNuOYqo>xcVd7Qf9p7;BvN)HYn`U6kD3L=0~9a0ffx45=Jy{(7v zwvBR>^X`G8G57P@uK`?YlZs~zLESDaVEOzvRknf}uKnRJ<$_7D1jbLLC9;Qs*Moh+<|&6C;L_7XVvaY$Cs&1#jk@iCwTZ~Y79m*C0XIBg`rJQ5cOf5p`ec4wkXQ+W z^>1XQg~om+F;)Unrj}W(RWqB%^frD&hU2~z=GMN551-+XQo5_sSy3F>?)kkguRB@& z&{WiqQsDsjk|(>99y#=8iK|%U<$TjGPXBIKtpAw?%QaTvwN;$~RCshlUTHfK;~U^P zF;NyH${1o7t7}JAZE>J8VLp#ysOF{k5sTPqYTFh}GII43`;a`XWNQ`q4T|<@!W;n! zn-XPCv(G;T=TDB&olmYM!whh(|c6Z3`1LuCXxswceP`ZcK zd~Kg%+ze>P8QTJH{+OG$=B@z|g1?x{+1lY}`Z?-TW_63}S!}rq1BSO#Uf*=u$N`f$4ket~#esBt6BqxKfFn z{S%W5PeTskf);$c&X!yY5yc71Q4(%e*wDcP9-0z~JwDzBMPz2A`@De4i-C&9{62BQ z?mR7M`d?6=i~t*!Ez7Oz@<baEConzhTaw&_Pm0Slhe1f$iE&%1DRGcCU4^hJpT4f_^^X=R<`)JP` zC`Dq3PHu4k{JXW!=vbD0?>5Zhf$b0^SoQ_`?@ zWzY%(m>T__e49BAuuRKm*ETzKCx0-*yRymz=J?#r7_A)6AGQRJ9%MPfq`+imDZDA7 zWUg+w0Z`e4lhEK z#bpj4h+T+j)b=ihQK0sUtqUB?sF2e*!cf(BL=(m#=SK}2ZLAPoOBkIscxE*W(e4Et zfP@i)>^I$D{c0nG0mMXTVTAA%^~w`tQZ~MOqejkx(1AQ=VW+Hx41QcEr==r$vKNAg z%vfVZM?1X8rlfqYURrTZMi*g9+o$GJM@4o@qB zZ~HhCKYk(Q*kh`8imIGe>P$KvxooJAkz*CLNN&*rBH|N5NpvOk7OY>d-x3zO8&z`m>KKQEzqpdPd{yH)-E2kg8-&>1u zW1+E_@fPDkZT92r$|`9k#vL<^{2Sl$xQLpwIX7ajt%g=lhA-8nsOS^m{5~`;hv_#1 z(RPkl;KEJ8v4Ec6n0kNcRt8zO(a{gbC)qaG9WCO4d-eEjGG`8KD_<*Hy1QGYTuyu6V)IVIfhEaN(_fN=0X zPOL`su}>f3D1>!KhJ?wm;ois=Yth)|jm*Ex<8=pXMj4s}-eyDip`!Q(+gvYDq}thPXDMxN zz8srWI+a4zckI@LZn+1ubppW=<=;-Wsu^`E-E}&rmo$#W{jj%`t%wtGN;+mF3ta7D z9$+8LY}(u}R%(R^B-HNp0tg!m z3j?x6e@Y)119TA>%cMBMC_duL$W=4lT<6RJxudfUES8Z<393kRSS{_eV5aELtfi_o zmQNL>7hMOprmFdv2{D`lrNp zH1O}dbVmZU`T5(>6R82Dz6=aQdQmF5!mh)SN9cQ51wj$J9XBc-;L4K{iq~_!t>%I( zW9Y@eh6(+)w&)^e&a_{vn%_^Y8^Q4;p^bq-2YXMtcpzr{m$hqT 
z!H_g%+3z^t(5b=HQA1XF-^_fDZES@%sM}NG?-HgC$C`frn2D8Mg%1BjAr!jw%0NPh zl2sy^yHnwYDR2Rgccml(PuEqmdC+&fC_4C(*GMhENg|{|&318sb0Ni4tmWfFat8t{ z76Hp&JzNuIW=Mzpa!8`^`i8GdcO3)YiY%mJl! zqt2}kNL^kXU&N?LgdzfH*;HEZ7x|D&0f4Z|FE!*uHDp9PGGm!F7RoeHLjsD@mN9@` z!cLTw95LhP_$5M;&_@%WVS0&zg2Rj#SJ0FceXxy`WeY3K>LkN0OE=Py)9%((+HF5RgnRzO9pY}<=IUNK&ozOlClM%D160gGJMZ$ z`BkHuQG1kG6!uu|Vj>r%3OK4Fd$RS!ONtoB6YdirPmD}yKEZq9ZIdLXjFUhndsIL) zF`{C?ll;m4g!%-Ikih}c1J0fRf@0&2c~^D7n1aVi=8o=CNjo% z#)lXLkx`;i#-iwm!lk-LNgzsM2dbGA2VrbJOwaVF`6+x!R8S4L4M8TQXT=H?{(}J%BrAPkj*M@@b>gJat3#N^YDNlQ%3?xlMV`mws`IFhW)%} zknFKR7yUj47Tj^kxj2`62!QheLjhqsTj~E&8{@2QFlre2JRToU^8uMbA0<2~VD23x ze;JQ_@AON>qp57APPCgF81 z@Lrt%)!XSVc(Kq2CY(=86ba)6iX3{tslFZtyUdv#tbl4T&dm4yFhq^+Z6e%J78c}{H=8;0 zh5_&s%Di)C4Gs8>4Yi93f#_(W?yU`|KM;1Q4TYq-Xa~wCvcIbn2cF)R3VhxCWE%k( znRq9)8|5Bw^65h7(@jP9ANB?Nyp3d)->>*vHg%%Ohjk`sxq@vD(lXAS-M0*{EXp(|G7$yfSfX&Ql5@U!MB`9vxNF(E&5LQO!^O*;|5i?dj zBExv-aaIP;29%u|Vlf2#<`-o*Or2_Df5U{GMn44tr0J1Lcs9fqoA@qvP|&Vq>2u4d z6X)2~2syA3ZHsrd62)K^pVp!yz^;(xnm`H|)dtnWX#q)F5SbQaREETvWhldOQPzN< z!BPPzC6{E2-v)Lf~Osy`O zpFb$4#}ELqU0tA;PAX-qR?YIjTpY+1_y_OYR0D$*pEqAdMq)Mu{60lRWH>&l%_~#;v7c*2=-{CYbk1OS zcZIcR$y1>1zaWfDGBn2VhTAb1KigX@7M+QzbhF^`@RY>C!KlZn`WrMa9XfM@VXR(4|Wq+-(vannFhs13u9wnNQ-N4I%`N+dfh@9xwc2{^jZa#Ub%$nGp$bB;AS3;XOSdWgxyc- z*3h$Ti;_gyTxN8o!zAK_d`52br{_F4%A^dojG3x!F!W889NS!r8$w77vU8Z~mQu%@ zGHFIpk8NzT#)vmOV^#6B2(q3y4i^r!AF_vSSzSjctG6iYH%)pqSa=f1vGPWCOMF9W zlPEZLgS-=BP7(1@x5rluI6eb6QUc;PC;3E@l`;Rk38B-Ud` zhCF89+;>K(cq>_w@P;en3J@C0&610l7|cL0x`9sc?6iR0$-#3YQfA99kp?f$)&-yS z$9-h~-h0YWQ-G18KlYZJk#fKS#w|J&ox@LD@`2)-PEL#v*S54Q9n;sn(AC`^{ViE*B)nDN5GCfFk@_k`6q|dYrUKwj7wJf{RIGcK;dOs*O zTbsslzkU*oUz{=8AV#JaJYgqH)qb0(=3b2|I)u7=%nN3dzrl*Aa#q#GT+@tr9<>EvqPySP_x$IWF!{C z<tX{uE;e>&avcdC5n zP5uBBA&Q*}qssUg*GchsH8?vO7eVH!qs*|Wlh}U*QD=Tg8IBldc|(wQQ6VSCn?DRT z0+?d?-acMFQJ=rB?DH_t0`t*v8|iid<4_dF!NV(I{8^dZ6JB8)k_EFePKj8)QMdE> z2pGUGpEY)O&prY4$%;b4_2NfC&E25{AB{}lekU_ll;zc0bnajxFlc3XL z$@*insZ*-i^aYI(X4L7Fx?kA!U8)Zvqm}NuzVmdxm49$HKOojkG?%<711g#y{^{y! 
zkotilqJJs_8e`cPF@#C&SM`T|9|naL!6_^j2u#8~zGDouSSE^2Q?D2Xh?hTE78(ni zV%SI{H;@yg4JkG1$NT}Zk_K~oPjojr57!G=dhs_$*^FtfsDCR6uWIQw9 zA`G6vjO0X@m?6;E#^=NH$2+=~;akd7skAP1nLW#YS>+fyRxx%P7a8Y`*^CdHx{5p` z-54XdS@n%p#`JBYLB<#nZy>_;?XCXdw&HOzVJ9lt@F?_sz{EM|xe2zSFT@Cdy{8A< zYs#1Exsf2Cx9Dz3boWV1{5G2V!=gVp6!>TR&54@cq@i6Z1PFr5%}2^ENDr53xi6Rb z_yk(4aZn#NwICxiBQZ@b0)Q*351$SsI+(Dy&QmK+8L<@v@Zv6$bt8)&U0~UUvb486 zxX$^IiMXgeVj9F=UcF{S_hfOA*cKzj$gxx2_XiYDJjbK#S=)XIr(_eTnmy z7JobTC7MXP$JiI2IU}{e+9&>HH<|AW)SsNOHGd&I9+`e{Y+>NHl!&_ii6I=vqGyy> z&F%+!`oqTt0OBpB@^gsGz^-*@w_T6I-vJefA`(tr?rNPeJ#i9;FT`a^#iwwk!%*&P z1!dBkD`ngZuDrmJSjh@?uz^b~l-Cw!bK~6qrwh|V3__-Ik=BBuMl8@#P*t813erjm zu7nWS}-whU;!2Cp_u4I~`m0y|tu8!$Z|jhM{*kg=!F)nymEQJtvJ`6z0f< zfi_1y*tpqyA`nn1cybvzDY`{j7Au{6Az?@x#;L)XMGm6uYt6p(!eFv*_ zaXsF_N~PUmEP_Cu=kj#p8N8EGPC3gi!Gab~OIGz*a&wvC#UR>m6dlcrmh3fGz|A54 zF3B|#Kzh`CjI1@-gW-3n;$vpZBQ=_k%r=3w`swHsnm1Nsn{B$7i!=~Dr@uux2VMas zIUZi~?v81fGwrlVLu@oTa0b3`>hJIe3OaEq?sUVT`&GBsPCuZuAaacBumC01jSncu znokoLK;@UFDNnX0+~$b(a8lx-tm-G=Y`BHB;jn{I92s z3-Dc49+0|3Q>iulEyb}TfU~INL7;smjjTrwluRq2*{y?#(q_3)_sfVqNSkwQAb!%g zcl{yW0s^-D*$_e-gq=2Bk`-`oQT;z#4gantF~^Yf14lP=ND|t7tPM>g8>5Il_aV^O zZ)SD3c<YP(HKXX6GAfElpT{eiY`H#WNfiU2~kU zettlRCM^OV)QLS~o zk~Uq>RXLq`%484w2%RgPWFz1*+g$M#EJYsJd<0edh^i&7iNXK?_-w)y@+9FoIe`Ah zU@@DQOo@c2ylEe5flM>+qiHYmpDY(`?T6~m$qJ4k(PDd_r_c!A&ON@SKXFD;_;lj$ z_E8n5LCAeyh!`6~!KYr7@(Ja>Uv2m%ehMHf&f`c8Iq5Uu6wI5T7mF$#i@D#}ec zq)z*zeg-bLq=9EC&SyKP7>e(cYb9raK;0=wQwh@2ZS)L^o;oMgbwoV=XFFv}_n@go zbfUmfbfOgZlmM98*-7i__UW!Cr)#xNY_7BAY*Kuh)hZK<-BPJbyHCx(XmIsC*P=$8 zhpnX2eV_l_&xc=UfcJH@oPa4QS=K2xNa86#MRa8wuy>S+GkqX}$_-5L`1%Ceq36R2 zjZ8&+0j<-y*a8(jrAo1YUoRjK>J$*ECw1z1@_;+LyW|$#c_);nPA_ND_!P_5j9xOe zKhi($h5;sua z$22HC-b;HOplWY}Qi42IMw$}yuVu~|RyozfIkOFX1tVY37R@>z$*!?hNc?m3gsqUi zps@t8g{W^p$ebnHWI7oX5(ubwrB1J!bEj?2wyit9&669aI&Y4QEnT37hgHN4x_t)r z{vVFz%>9BpmR%oQ{F%YBzjH&N_zC?9Aos&D0$E}VISTwM1y>NRm@Fh@Xq<)#j|t;* zrVwQNaD1_P*u^kbPly(5f~+)Z)tPmsOGhxTW3~Bu<0Q5_-A6}>{6SYVS@MtRn1?}E 
ztc8SvQ^(qqAS?)X&31Nocz;;9*)0$*BO;Yby;haMQR0qBedy?h(RQ@iy!-%ih2npXYf` zhi5XG;wvHyRyTfG<&q%- zb5(6l&A9fE2SHN(!%|a!KKbl&P{@HrCXVBTK9={CoH=H9e&Ay^joRPFpdkRKsFMh_ z5I&@&W;=DOm9>NDblGh)4y~P$ZL;OeXy1($c@yulRpZcfvN)2h7xac&;@LTyq2KpI zUH?w!V4e#$n}JLw;BxuJ@ju&^%3xFI3c@25#kGSeqqw!Vb4sxidmcq92oSs0S&_8% z0(k2qMsoW^EystFrV>h8zcA;B-TfmXFi&T4DYfbL=8l}%WXTi}=C8`mN;4L-$8tTd z>6{2)sqyTq!0Rkk1;^X$6^LTCUP`ZtsyEE#SV{;fXUP=#@_9`0p^uU{LIhvsl+rX1 zr%BQ9>GND)!qOG-?6BD`d^bTyVO$|sf1%e60&B%C05 zWqq^dNKwd9ttyQ9*C6CQfd2mzH&0ukmp( zdDe`Nz$%97iH|jD$#w7&)uZTlgnAY%+~CrB1gdq8s>)L|VR9M)ygcc&q)z4`Fv84B zW<46efOV#OA!ceuy+}|DK-rWsBZFO`q+nPZ6lT8wAiVhpsTV%x%&qBL@O|6d&Mlql z&M!|q&d@3>gWuPV+JhYE$>uOgvO+-%9+wq=axfAZgfsr>F|bUVf7ljY3GoYBeLi4C z3YW>Srm+=58DV@r$?JR`HO-7lTXZ7?DpM5(iu$PtI|;d2IYD?TCSQA{Pai%$LV?yj zSP%4&DXlir8;9+nU?AYvi+5)yJ*)S#v@CA;Pp3V~?O>~#QK!Dcs3`pgP)lP&L z0pSgtcw%a3Wl25Pb_Zj%!d9GCxOCI=6y(cRY5zKbN8P#5^A#bV5w{CggEshxF2 zmtBfen>4daMoamf56N_~^S|f}+z#zaA{^Lin!>%fN2WJynTtOeP=22!I)-_Ye}rUI zX(PZTtSJDLHFKQ4WoGfxjHE;|}Blj@v5=Li(n>y7Nk zc*EX!Lg~nOD)fm?M&u z`G{>(tiQRE+%N&y;M3EcL@$MW)#7islG4C z-{A7sgp*qG7hd1lC?N2neJ3@x(g=XUhatwc3V4G|Z)J+IXG@ev`!)z#dtbCmief?3 z$!Qzq-CBq}CAj&yD)0Dnf)_1j)TpYppqW0py9s+M^__oya^9x6H6plckkyc})O#=+ zT!}X+jDBfk%)viqTmiVT#y^a|Cg2}n9GL|ekQl7+vW_j!(wOi7t8zKM5gYtj z_=#?u!C2Z0846BtkzhMRQ(%=xg`+cI+0xy`+Rs zaB_*v=y4>uvXg}GH^1m|>)w(+h3(*ETTiDAZC2!4*Ih=o{L2zGyVK9?65&z&p_YZk zNh#1|X8SOkawfiAcnps)QKjo`q=U!|winhL@8`m>y7bw!-pAbMV31GPk0@~>w=K;j z?zDs356*aV-CdT2?>mFWM4B`{jhP!7w!k`G%RfH(Et;;~qo)(UgUAOH5EZ67EJ7qo zS`K_-BGXbZA+izrZO<&+{nq6CxhsjrrB$ZSc;VfjWnlxDy%0d@wDA?)p#?p}k_9`fMI;6fNb_)yWD63^9q-xhG)HHKL1wk@#omP>rkAyOZsD^b3W*MkvP- z*qbgcj}cCyVjzy;W%QXaw9pjd25I8L1=>_%JA-5^+kDPHU5{Jb&tXvv3f>;QW*Qnk(nE(N zOxU1XG$_yrOQS}+VM~NI7O=LtpJ9k71Cih-=o>cLaQM!3nO3#HO5<4$!p8|-+cRG3 zYBzqkg=`>)bq}{F?QK~N6g9GD)SheDM&M-!tY+>f-w(ehp`MOOtOwE?>4Ok3_EowP zQs?)1y28(Bs3GkI<s&Pm)J`yL4!alNx25;aB7=|vt5&*_e+N%TduBVrP zvHI^hJ-;$({2UTU0&xvlU@|oveX%jj9`cEF5+^3=d#dL8!!n?d8t=FiwrXy92K!Z7$HQ;QigU>V{61Alk3K;Da&H8}{~~92#M0g6u=sk4 
zZE;_Z9uiCOBgIaXO8BIoWtH5zZc63;2rakcFF)(v*+#!pC}7}_LmM)k(m_b@NBJg* zQ}`x2s;A8$ISY-4_1@b6Z&z+`=+Y_yJs5an^ET!Xr`0N7F!6FDoB2WR@0`34lXxLM zc{Oe=(0$5BTq%K6i^G=~ml(A%Y=;)?1Dtu3$h7Plw|L4y?=Uzm@C zEn!1CYT;^V!ZohVpr@P)L!286jZZ{IT;%S225N0=x7;8GA9`TzL57@~UKx&cN9_}^T#tzbH=3CozgO=LiyrK@?%1Sg z@E_{^BET%&{tE)`QExrlLiksyQs$jq-SJMJIv43^zib}69{%WNe|NN_RnEse{S$J7 z*Iz>;u~iU(+aevXD^BTB?4oF9Z%q86_zS3Md!u?sub`h$Ys(e5?8>qo*~6&2dK-3p zQ%7PMTc?G^qNVill7`a!L5eFZ;t)Tvyc8{}6tEqYS_eeP4$GDHhlF|JLMi`G7#zwT zaaa4dfmRtPm6eM+x#74vs@JGQaQh;T9{ZYY_W<6$Id$^98&ty?U3wcI0cFWT z*3i(<-7oLYL{P5^h^0vt@=8fkN|o-IBq?Vr({Q^dzt|l@bpB^clWjgk96@w;u`ge zV^rdx`3ujPqJwwlUTQMvucUo0s|hv<+`3uqb)~h=j`Igz zjF2fWW{C26ys=x9LfUvbzp_?KyG5=@zqR8$7Y%Z^DBWCz?)0!_T-M42D6_X{naC4} z!RY83q!GvQjC;l9lWVYUQ|vFoG3luSC4@?^*SDq5Qq^nW6FPR)U3#v7lftzcD*~#r z0$UD1iJ(%@!~UA2DmzlM3R$hk8rHh23PLzd4cDuI+R$;>&DWs8Q;kP3Uh6P2Hux*# ze-;b)NLY^@*^JAv4;xl*y?OgO+UWhlr z-N!@YrL0TRS7g(()+XkFVwx#g;Hj9fLMj;>mxJ}in=y$nzY94~ALu8*=L^lH0K3zR z9t=TLL3t76p4`r_x<__I6`3 za)NAB9FV!w;zUwFy6CxZ|JDxh>&2s+N_X9vH*-TOU=!xj@UFYdg6*Q12xT?*p8c1r zZD1YXY8S#4l01;a`ggtFpTG4=zlTF^_`wUzj`3rr&nc-5VwOL;kE+qA74-u zk`>H?m>Ou-__{_UvjL1`7S4Pa00Xg`-R$5$a2pyo<90V_!kHIPXzXPYyMTqjHJ7-M zKkc6>83=bQ0f(uZ0`3v$EWw}$l;O7}z|OB%q^*QL$oqO(eqsY**K8Hn}}XupbG#YDb~VaD zN~=ZHtbUp*%}g!Li&i7Z_Y0$#z?*+uf*Azn>`H>0&Sn$8`@TPv$vzE!TZ(&l3VdWo ze1=-enz5HB@$a#9{P~`*llX@WSmA^{Ih$GqR4BP)4Sx;`BPMIsvqyW}&S8vMMzHv| z(sk-(wDFA&;J+QjLFJ&+AQdB$p8^_?j|wPt3nw=}Dk$CA017$<^~x>HcM7bs?K z$Wu1e5My6x>Z^CA+yUR2bLX(p53FX#3_n-hGXKO)xhy1%KFd=IQPG_)Y`H$YSjpTy z_Dl#u?0ppnQR-5QSnkrbYf*$4+js}7W?O)p#GP*&a?c%b+eZ&#YkV)T_9Vti@mM7n zj_U+WVazj%P^hm@PI!r{CyeC|5@N-vmbgbNtz@;M_Pwy&uM^huu1D~f3a66NAHH-| zS=Op5t1hitx)=GNVj65rPGLR@flB-N*l;`iQZ{AEQx^+%44rTyOXjkmYT0emPq zoZ(u_1BJsc5lV51ul9V!ehbW7u#tv`@+&}oMJFrLEY-E8$`!vtMLlM23THIPxlyjv zZgus)SngiNZD%sy0I>SuRfU&(IIO{i?Pb~aB(~tIbc6O#A6}wMO0$|x5mFK)jnRk_ z&*jKu!OtED#S=2icc8H4ermV7l`n#dehOt@gA5=_P_sG6`xo5`$%=l^y+w48 zVj+?Y6e>!yHMtmSFso8+BW^yEgTSqV3s{8SZ#pp^DZ{ 
z-7hvT1XYA(F6|S`=fGStypunU5}ux1W?~t|L^<=6Dm?;`;#9^Pzp3VZLbwp;WxJ54 z z#bBjC#`aqdAIKENIw;toqsrhZKCaA7Cjsy;JshecegR>8TYy`@4UA#}1kqiqD;eUt zW=^|@|G_x+z@^cO*IM$3+eW`R7Y)41Iag7NpP6YZjtPI?zUA*=jEagl*@_EZMu@y! zf;GxELToER7dF*njf|?0?aX?8x1X?qWb2{Q0isfeI4-Mz?r=p=Z2S|*=<^9u)1V7O z?m<>rPE`CxuDjWymO53msV`3@MRJoGOsmBbWUEm|(Eqi7*GTj(HaFCk^Nvy99S_s>yh!(dFrky?-U;uNWyS|+T zCgXX>Jzmgx=HKBylMv(j)YA78+>CN(xiC-WR+EmE!3SFemOq2OKaN4wiQ9| zR^~Zf*HUKIIOzn3LWqd4%P|gLxT;eN0PrF3 zZoU-`>1-v}Erva~(fZi%StV6Q6SPW>qYHpY>K{RZjU+)DfRy0J!U4hp3~(XKfWarw z_*R=8sd^b|qn=dosZ|+UNwhtIARaYuR9j3fYR+ttVcFj^jR3KEm?6i#_HVY_sbMgI?3xaR2_@GzSNPCjtjRvs$!4w7um!M)6NhrEAqG4d^pLlYGcj-)3WsYvx3D>ZmS*7r!Ud$UZs$cDc#0S?D zW#U4h$uq41E{BV^1K4lGD{0W+a|UI=*l=EDu()Q*1n>QKjy**99%x;jH5qV1vt70| zMfsZASY^nR6C(0iZ`{)Pf4R0XPx_nBx_g>~CInn9*s96K>We%{{Z&D4Ru!!RR+Rqq zR8eU)Znyp}82Cy+6|KtvnP(h2mg2Ij!U`eQk;bd zI(!{R>+W+zn0)jI=*W5KE(N-i6|S{hE+)pI^ZvGd|6upydqVv4QS7>(mY}7d8chng zPuwV*0~4Qsuo)kf@R0CTg$Zk)U=88?V~%5n3%6UilN+5QfE7>;$Qev9CsJwAEeExf zgAcsV2xVX`r5eC3UryM_#VKY8ijV09P9K?vFRqCW5{E5g?&;ERQKB#*sBsYB2V2Yw z1C*!SqQv_Shx%>e-G>iQ`Q!>KGG31Azk-6NxKSAts$`oo0EnbxhI)_qo+i%&3(R&7lc%&ieD z5}-1NPq}|8{PTQ7JZt(ej)g@2pXe620i8hqO9J;2sK}_7pMa3>hUHd5j|H#53&4`U z*4Vco%*~#TvI8!Vn~=p+bMl~=lw1Lg)W@d0oYE}tW%+{AyVo2fW4CbCc= zf%8g(E%*>y+I!|@?GS+D@mYzO3kJ+_MwT>#1j@T@)`~-vL&CYDto&t?j;J$HNn6OS z+y=QYGy~}JSvkt6Y?BE)D7bO$lA+AXy}+ll!DllwB8CNY-V6jFkOa>V=KxsvgSSa_ zi>rg;=5f}2iQiaUF9U`-*5nA+h*O75B{3C>;_MFaa)nJ|{EZxV7#@5%I=MC({Dr8lZ(ze;Am3C4QhXdqyyyrxu;jTu zd+gv^R*&`2U~TJTc{qW34%q<0bG_*+w3XakTggSkhf;`NpOVuqo-#lgaTAN&fKMR+ zP+s*rl)79UkAa>70=(7I;HDgAYsJmD%Nb@h6pP2lfu7Ad^lVn(qvMt53iv9fP{DvB zxFi8M4y;sR21_p3&#L$%Wor4Io(~zTyp?9)tQpw3oNypoazld+8a6~Xtl%T&U;w}q zVkCghInfOt3at@9t0qAEJb*Hfik=~$ULEjM4TsQUJRNmDy_BM0(zujC3o~ZFckokW z6?C|pu#zHV*rjJ`e<*10$+k}h(32kxz1sSJNvxj@)rUfRhRUBA(T{AG-f4#BpZ+i^ zz+jz%B!IoK+EM2kun2@IO)MgL#~~1w5!M5&3}GlI1W6WKCx-BtGWk1o@A9Q)QZp$| z-RXG>C6w!YPlAMXz8xQBj+hh5;R|8jUgz6L+1XsH?kE1i&+>J%?zhPPBI#OXUm%o$ z9!1|yt>O1zGXCXq4<rNl2CkmybXnRBGpBss;ea0r 
zXO#`0wDvh{ecP-ua(bZGg3?5FOuCwMER{`Q;aI`}l=U`lg$V<5E6h&S6PV{759g8U zpTL}1pK&$SPNY7RiE17;{W0W{SC>@VHq}l4wP(ePJ=Y^?R~dx)H_JVj&8+KE9- z`@O;79%I+B8`<#&IiY}ka|b{dsz3lAy;mC){NXDPjJOZrf(#z|vda7}HQzv1kuxF8 zj^xlV)=Q(Hz#S+R6F=CU1{Rpmpne5mTtY^6XNR6KGanFtA1^j!iCJAdY)T5*^^>$klqvyp|F4Fc@MLQ58P?0HaglB}WMx!b$)^Nci^m5TWB6Fcjjg!|$_$ z>H5oOnIEKI8W*PG7lso*l*fPe(IYo~)t#b%y6}o| z<#7yr-?xl&6&u#M;D=&q}Uz}u01VYZY2bm{8BqNt=u zd{ve3Qi6?$Kd=uX)Tlwq(1R)VC~%a=EZ|K5nh=ZWQBJbH6i*Z;;Pf1@DN7yTWKM51 zKTPcIyS)j794x&=h$O0+lgmN3+w&|gm~CUO%_f~b1YOnKz^k<0(yG2M0#2*~#Nh*c zJ()m+lXisJOv^hNGM^zE%0g;ZBhN1XEQ8~xL`gDVna3%tlo@mh*BPvH5EM*HI;US>$lXX6zsLEr4j&u0^?Kw6cmibLZM(7MR_7e9fSqT%o0t-GSM7}p^!pK z83o3`00@8p1b_elIaqMgl8Roi!fBFpOX(h!WRVI`?I~Z!BrgSodH6y`jqqi zi+=^rO(4nQJ2(ntGh;s62=OBfU&0s4s#DwX?)q->`YY6LQF#=zwM;F`4a=~LgzJqC z%8;W-HTAj?HkRT&>Yactq7y|S+bpNX;8%bPkwU3z?L~OmL7=mYGjDGFS$TQmk@vz7 z(6Yl;RaYrT)_M@Y0uF`Y;BJuOIW^qW0FU6;er2nFty*FBY3t|rpry~?7Os|!22k{f` zbKJ|e%HbRcy+Y`$uI>%UQk5?SDpQOk#OU10T=R%-Q)(NXdl^noHf+kTcA4WJP?pjz z$E-Z$G<}s<{cD94i>jHUx9OQm3<(hu9>)~en{p8zj|4mZ zeV-f~4shWB7B8yl8k8hDd6S9_!n2!s+>jHBDM18w2b!V_dkf5hAXEu371={a!5t;-ae>KJ z6NY30lf4Sh!J>8ItKr&kA#R&~GF)3(Hb6|cxAzYhAO#oQI6aj}!z!!3%pUAC(jmIb zFN{9FUx5FGUZJGuv8c#L`T!DRJ z0eClH&K#4Ejw32rK?3M>R#(?Wm}3ES(eUMUX$UaRiN9!!_EhhRJ`7=0GpO98Illcix16*=R}n3R||HcydpSaiV8R= zIy;ODAREgFG-Dfq;?drb^~6oZ>%jD))QgbO2+2=oqWaV4O?4%-az8}$d0kB&h^%v zBl~EQZ6-sm5$9tx6g+MCMAwc{vd@EnxjLNfKYgK&#L$9UyJ14)`vmlfvcV+k(voHN z&S(QO2Wl)awg<&=5Ibz)cyCJ?S_J6itbUKMIe(NP1dWyO#UIH zf^J7Kk$?*GoctsfF_z%m?Y~Jm#|jC>9j1W)mF*q{ow7JjbF%FfbhrZUq(D`i+MN-| z(-XrVAUJW6v4o;|H4Y*>IiJB<0hyWrchouqusyNhRbNM*ZR4zj2oZI*V2~KkmfT{R z0L$Be_DQ0^%RknLf$pZY4D7(=c&uhu+%5-wK>)xwc~d=7P{tZlo6!yQnHq0=Ixs~C z_PZyz;G*CsWsI?3+{&*sYjjrIjE0v`?KdJSF|2cgvW?lOs9U#N0ZlXrjH(Em4#1dW z&M$*K5NbN?Mm8ES+-+JBjq~O5RcW>CFv$EMpxfC}|7S70RX#d?jMxOs@A39vKLe40hzZax2^h3~3WXRBk(OBJWJkQ~<*n`kx z%RkrmI13_p&Hk#4L-H+LD^+x9dL{kF8e$U4O^GOVb$hqnY;Yu3QHXn=l6tk>34s?%^UjVHYMmk+u3f+2mOQ}C9t1;ch 
zPFPlPq(U9FGzh0mA>8TAN5xeZUEd5h)FD#o#fI$x!0eCx$*Oxiw&~F<0vXzx6!z2r zIF6lzZ$IWM*ABT6?BO&vfdaIOc!k$;B{bDG&69{2?({sJo|a-nLuIG^fY~Z^|34G~ z(?37VR5SHwZJ8i$Qn(sn)d4+Kjo%%WIwf~N^ zESPUMOclOs*7})K?`JRJaFS{K6+ba6H-3tQ9%KY`K3DvwdHS`Rn{CVq=P2jpKg&hP z#$qm_g@lcSq8!3hYD=5USKr{ObIn&pRDb_sn>+EIJiJ z{K;HpKxvRh^QX<&gD^{nCJoKc05@2MA*>f1v}8o(22GS^XNcjYy|6WTVr_=~`$U5*>tdXZtj|>lCrn#+W#ZtsQ+W z$bL{912RMv6Nf;!b1tU^4O_(+^a~^$>J{y|NRdLzb4csm)f0|b5yuzo;<ZKkfb z;g%W*Pk*bO4sY21nCt$*>-gPB8D+eK-L#9&>bN%)8youV^hH0;S*4};74YO_^S(mF zKl|(45)TN|uCkqtX&y+=o6!U%9mXogz1CD@DqT>cPm!_PgVq_Z8y$1H6dsL}6{34V z?`1xurA-)i(D*WuaT9WUhjW&$Ao7AbVhH<<9L2ebBEx9kHEoxUn|Z*BSACfY;{?7F z^Sf(bMf02<;)a6cuj@R2qGoF@0gNf^-Mk{C-sqO0@`ynB-Mcz_3pQCyZ|RMOEIAXX zg`UXPSre~QHk`(!VJZh_tSTkh3%9{kcD}B;x`@$XHmK?rAjKdvn!TnRoKw}OTT5t7 zPWTKG5dGn>T(ws|og!3;}6OZC6RK73&MW7dDS z*4JjYL>OSF+;j(h2++tn?&YS|xt^(Ikf)CBj$wS9$Crnk@oZO(Q(1ttlsL6%+7)XD zXTCF0YRUP85%7n;pqO6nB#5g}*%|PueB;#9{)5V|Vatb5h-c!53-cGo+kFaEL>zGJ z3788c{Sp0ws9YRbNB(ge%|x(Ayqk2|EE&B%b@RX6fZr!Ru7w-_Es5wyZ z`&P?Nc1$K$0QwB-MZ!aHqD8ioD&OSCn3Swu$|uF@j^^S^$fpCL6?<98Dr+Mx!$RV8 z361eMlP5@%&L+Np^H8>MGA)=2IK}fNFWnkp8;fF!b|+O@?ye|P`qEusGCw`L5FYCN z1W2gbl}QdP-@IPp)O_{cw2-V zgxK7X!L}TqfXO$w@`hBm?~qMyH0FO3D5;69ZV_Z?wx@4$b7rZ7vo2C1g%ogYe_3=R zu0|^5?q8D#^d825Gb81>#Dsx7I8Csu)3)EZp;y^UE4o?nv)+B$a9|KS6pFZ31oB@Prv7K*1JS zOjHJHkb8oU`+xo2gz}pekf9VvGd?kJD%cM!hA!1%5S+?@sHLj!!*GFs0X zebHF-MsUrroh@LkB(2tOn;=#BnHu@ySwYM9uMe)jFe%ZVqB(zx^N;M;@TX)48=I1cRX^^;XomO{?5-4p` zB7t?kNAiwAq+w}sL#Geu&%&Q7-^Wu3+Id7}(N1P{eRz8yqYx~y{|zNe&X}rX{8gwu zh7CLr{w-R_7vpE?B>^ESU7NSG_V71uk~MN3%zj6+?02=pwS1}~m*=nqwp1lpwlYwq zDpA%;BO$e#1bM+Udhgl=^t~SKgs9*V