From 2d955a9fe9426e6030572d1cd0d055e04a20bc08 Mon Sep 17 00:00:00 2001 From: huyubiao Date: Wed, 2 Aug 2023 03:15:44 +0800 Subject: [PATCH] test --- ...pport-for-the-LoongArch-architecture.patch | 43 - ...Arch-dmi-virt-detection-and-testcase.patch | 65 -- ...the-uevent-when-worker-is-terminated.patch | 40 +- Systemd-Add-sw64-architecture.patch | 102 +- ...e-must-be-restarted-when-reactivated.patch | 2 +- add-loongarch-for-missing_syscall_def.patch | 165 --- ...t-Add-meson-option-to-disable-urlify.patch | 66 -- ...max-number-of-inodes-for-dev-to-128k.patch | 46 - ...umber-of-inodes-for-dev-to-a-million.patch | 30 - ...ber-of-inodes-for-tmp-to-a-million-t.patch | 25 - ...-fsync-after-removing-directory-tree.patch | 43 - ...m_rf_children-split-out-body-of-dire.patch | 324 ------ ...p-over-nested-directories-instead-of.patch | 276 ----- ...refactor-rm_rf-to-shorten-code-a-bit.patch | 103 -- ...actor-rm_rf_children_inner-to-shorte.patch | 71 -- ...-st-may-have-been-used-uninitialized.patch | 31 - ...-add-STRERROR-wrapper-for-strerror_r.patch | 102 -- ...2022-4415-coredump-adjust-whitespace.patch | 83 -- ...er-access-coredumps-with-changed-uid.patch | 386 ------- ...VE-2022-4415-test-Add-TEST_RET-macro.patch | 107 -- ..._booted-condition-test-to-TEST-macro.patch | 102 -- ...-convenience-macros-to-declare-tests.patch | 70 -- ...ghtly-rework-DEFINE_TEST_MAIN-macros.patch | 57 - ...-wide-define-and-use-STRERROR_OR_EOF.patch | 105 -- ...red-terms-to-be-gender-neutral-21325.patch | 131 --- ...ournals-in-volatile-mode-when-runtim.patch | 35 - ...-Drop-bundled-copy-of-linux-if_arp.h.patch | 227 ---- ...ix-another-crash-due-to-missing-NHDR.patch | 29 - ...ng-repart-with-no-libcryptsetup-2073.patch | 33 - ...Failed-to-open-random-seed-.-message.patch | 33 - backport-Get-rid-of-dangling-setutxent.patch | 55 - backport-Respect-install_sysconfdir.patch | 61 -- ...one-more-test-for-drop-in-precedence.patch | 66 -- ...st-for-transient-units-with-drop-ins.patch | 108 -- ...est-hierarchical-drop-ins-for-slices.patch | 78 -- backport-Use-correct-fcntl.h-include.patch | 35 - backport-Use-correct-poll.h-include.patch | 43 - ...alyze-add-forgotten-return-statement.patch | 33 - ...ting-config-when-there-is-no-main-co.patch | 91 -- ...update-program_invocation_short_name.patch | 35 - ...-error-if-the-backlight-device-is-al.patch | 43 - ...orrectly-parse-extended-vars-after-n.patch | 53 - ...add-helper-for-quoting-command-lines.patch | 105 -- ...-linux-Sync-if_arp.h-with-Linux-5.14.patch | 32 - ...g-allow-errno-values-higher-than-255.patch | 48 - ...ux-smack-_apply_fd-does-not-work-whe.patch | 76 -- ...-util-detect-erofs-as-a-read-only-FS.patch | 28 - ...don-t-filter-out-names-starting-with.patch | 32 - backport-binfmt-fix-exit-value.patch | 32 - ...Discard-firmware-init-time-when-runn.patch | 68 -- ...te-not-adding-EFI-entry-if-Boot-IDs-.patch | 45 - ...util-retrieve-bus-error-from-message.patch | 57 - ...rspec-fix-possibly-skips-next-elapse.patch | 82 -- ...p-for-unit-cgroup-inotify-watch-file.patch | 84 -- ...t-BPF-firewall-warning-when-manager-.patch | 45 - ...nnect-stdin-stdout-stderr-to-dev-nul.patch | 41 - ...-used-for-later-versions-of-VirtualB.patch | 54 - ...i-cancel-previous-jobs-on-ref-update.patch | 79 -- backport-ci-fix-clang-13-installation.patch | 59 -- backport-ci-fix-indentation.patch | 82 -- ...n-systemd-repo-to-a-specific-revisio.patch | 32 - ...rt-ci-replace-apt-key-with-signed-by.patch | 39 - ...tests-and-mkosi-jobs-on-stable-branc.patch | 49 - ...e-CIFuzz-s-matrix-into-consideration.patch | 33 - ...-the-system-llvm-11-package-on-Focal.patch | 47 - ...actually-typically-use-16ch-continua.patch | 34 - ...dition-fix-device-tree-firmware-path.patch | 41 - ...group_oom_queue-is-flushed-on-manage.patch | 66 -- ...nvironment-settings-again-after-appl.patch | 36 - backport-core-Remove-circular-include.patch | 45 - ...l-make-bpf_firewall_supported-always.patch | 48 - ...ix-error-handling-of-cg_remove_xattr.patch | 45 - ...bfq.weight-first-and-fixes-blkio.wei.patch | 119 --- ...-use-helper-macro-for-bfq-conversion.patch | 82 -- backport-core-check-size-before-mmap.patch | 148 --- ...argument-can-be-longer-than-PATH_MAX.patch | 69 -- ...-serialize-deserialize-device-syspat.patch | 65 -- ...evice_coldplug-don-t-set-DEVICE_DEAD.patch | 43 - ...ot-downgrade-device-state-if-it-is-a.patch | 36 - ...re-device-drop-unnecessary-condition.patch | 28 - ...re-DEVICE_FOUND_UDEV-bit-on-switchin.patch | 117 -- backport-core-device-update-comment.patch | 64 -- ...ify-device-syspath-on-switching-root.patch | 42 - ...-on-EEXIST-when-creating-mount-point.patch | 33 - ...x-SIGABRT-on-empty-exec-command-argv.patch | 105 -- ...defined-pointer-when-strdup-failed-i.patch | 39 - ...ure-on-setting-smack-process-label-w.patch | 30 - ...ANAGER_IS_SWITCHING_ROOT-helper-func.patch | 91 -- ...mplicit-unit-dependencies-even-if-wh.patch | 34 - ...espaces-Remove-auxiliary-bind-mounts.patch | 79 -- ...llow-using-ProtectSubset-pid-and-Pro.patch | 53 - ...-normalize_mounts-drop_unused_mounts.patch | 65 -- ...-variable-handling-in-unit_attach_pi.patch | 125 --- ...-Type-dbus-service-enqueuing-if-dbus.patch | 18 +- ...-automatic-restart-when-a-JOB_STOP-j.patch | 54 - ...ount-ExtensionImages-if-the-base-lay.patch | 34 - ...onor_device_enumeration-with-MANAGER.patch | 113 -- ...slice-dependencies-as-they-get-added.patch | 178 ---- ...tall_sysconfdir_samples-in-meson-fil.patch | 34 - ...ice-also-check-path-in-exec-commands.patch | 39 - ...slice_freezer_action-return-0-if-fre.patch | 47 - backport-core-timer-fix-memleak.patch | 61 -- ...e-timer-fix-potential-use-after-free.patch | 26 - ...-dependency-to-the-unit-being-merged.patch | 65 -- backport-core-unit-fix-log-message.patch | 112 -- ...gic-of-dropping-self-referencing-dep.patch | 31 - backport-core-unit-fix-use-after-free.patch | 30 - ...t-core-unit-merge-two-loops-into-one.patch | 95 -- ...-merge-unit-names-after-merging-deps.patch | 44 - ...-bus_error_message-at-one-more-place.patch | 36 - ...rrect-level-for-CPU-time-log-message.patch | 35 - ...port-core-use-the-new-quoting-helper.patch | 133 --- ...-path-with-empty_to_root-in-log-mess.patch | 261 ----- ...-stdout-stderr-to-dev-null-before-do.patch | 45 - ...-log-an-error-if-D-Bus-isn-t-running.patch | 36 - ...dump-Fix-format-string-type-mismatch.patch | 32 - ...ort-coredump-drop-an-unused-variable.patch | 35 - ...ename-in-journal-when-not-compressed.patch | 34 - ...ace.c-avoid-crash-on-binaries-withou.patch | 55 - ...-truncating-information-about-coredu.patch | 37 - ...reds-util-switch-to-OpenSSL-3.0-APIs.patch | 995 ------------------ ...cryptenroll-fix-wrong-error-messages.patch | 40 - ...bs-add-extra_args-to-bus_wait_for_jo.patch | 143 --- ...node-acl-use-_cleanup_-to-free-acl_t.patch | 146 --- backport-dhcp-fix-assertion-failure.patch | 31 - ...t-dhcp-fix-potential-buffer-overflow.patch | 102 -- ...ount-as-read-only-when-extracting-me.patch | 30 - ...ge-pass-the-right-fd-to-fd_getcrtime.patch | 29 - ...d-extension-specific-validation-flag.patch | 126 --- ...lidate-extension-release-even-if-the.patch | 42 - ...omain-make-each-label-nul-terminated.patch | 50 - ...omain-re-introduce-dns_name_is_empty.patch | 32 - ..._BYPASS_BUS-is-not-honoured-anymore-.patch | 37 - ...ding-when-mentioning-the-acronym-ESP.patch | 97 -- backport-docs-portablectl-is-in-bin.patch | 40 - ...til-add-ERRNO_IS_DEVICE_ABSENT-macro.patch | 75 -- ...make-hw_addr_to_string-return-valid-.patch | 52 - ...-introduce-event_reset_time_relative.patch | 87 -- ...-that-the-env-param-is-input-and-out.patch | 30 - ...eak-comments-a-bit-less-aggressively.patch | 107 -- ...ecute-respect-selinux_context_ignore.patch | 45 - ...se-_cleanup_-logic-where-appropriate.patch | 44 - backport-explicitly-close-FIDO2-devices.patch | 66 -- ...ated-read-handling-in-read_virtual_f.patch | 44 - ...imum-virtual-file-buffer-size-by-one.patch | 71 -- ...-O_NOCTTY-when-reading-virtual-files.patch | 32 - ...leio-start-with-4k-buffer-for-procfs.patch | 46 - backport-fix-CVE-2021-33910.patch | 69 -- backport-fix-CVE-2022-3821.patch | 45 - ...ectoryNotEmpty-when-it-comes-to-a-No.patch | 30 - ...hIsReadWrite-when-path-does-not-exis.patch | 37 - ...Empty-when-it-comes-to-a-Non-directo.patch | 29 - ...-util-failed-when-locale-is-not-utf8.patch | 71 -- ...nerator-Respect-nofail-when-ordering.patch | 30 - ...do-not-remount-sys-when-running-in-a.patch | 43 - ...skip-root-directory-handling-when-nf.patch | 105 -- ...wfs-don-t-actually-resize-on-dry-run.patch | 37 - backport-home-fix-heap-use-after-free.patch | 38 - ...ment-of-handle_generic_user_record_e.patch | 114 -- ...rt-homed-add-missing-SYNTHETIC_ERRNO.patch | 30 - ...ssage-referring-to-fsck-when-we-actu.patch | 30 - ...to-use-right-asssesors-for-GID-acces.patch | 34 - backport-homed-remove-misplaced-assert.patch | 32 - ...all-valgrind-magic-after-LOOP_GET_ST.patch | 84 -- ...other-with-BLKRRPART-on-images-that-.patch | 43 - ...homework-fix-a-bad-error-propagation.patch | 29 - ...ork-fix-incorrect-error-variable-use.patch | 38 - ...turn-on-cryptsetup-logging-before-we.patch | 53 - ...-fix-off-by-one-issue-in-gethostname.patch | 52 - ...t-variable-with-errno-in-fallback_ch.patch | 59 -- ...-console-users-access-to-media-nodes.patch | 33 - backport-hwdb-fix-parsing-options.patch | 34 - ...emove-double-empty-line-in-help-text.patch | 29 - ...ort-icmp6-drop-unnecessary-assertion.patch | 30 - ...ort-turn-off-weird-protocols-in-curl.patch | 42 - ...nfo-about-journal-range-only-at-debu.patch | 51 - ...ate-entry-items-before-they-are-stor.patch | 55 - ...-Only-move-to-objects-when-necessary.patch | 244 ----- ...nal-Remove-entry-seqnum-revert-logic.patch | 83 -- ...rupt-Data-objects-in-sd_journal_get_.patch | 43 - ...ip-data-objects-with-invalid-offsets.patch | 68 -- ...r-corrupt-entry-items-in-enumerate_d.patch | 93 -- ...rate-variable-for-Data-object-in-sd_.patch | 95 -- ...we-are-going-down-don-t-use-event-lo.patch | 44 - ...timesync-fix-segfault-on-32bit-timev.patch | 71 -- ...se-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch | 52 - ...se-fd-on-exit-when-running-with-valg.patch | 132 --- ...-fail-at-flushing-when-the-flushed-f.patch | 44 - ...re-SIGTERM-handling-doesn-t-get-star.patch | 125 --- ...g-remotely-reasonable-when-we-see-Na.patch | 50 - ...lso-remove-modules.builtin.alias.bin.patch | 32 - ...rk-disable-event-sources-before-unre.patch | 194 ---- ...IST_FOREACH_BACKWARDS-macro-and-drop.patch | 102 -- ...ECT_FILE-rather-than-__FILE__-for-lo.patch | 32 - ...don-t-attempt-to-duplicate-closed-fd.patch | 39 - ...efault-value-for-RuntimeDirectoryIno.patch | 26 - ...meDirectoryInodesMax-support-K-G-M-s.patch | 30 - ...stall_sysconfdir_samples-in-meson-fi.patch | 34 - ...-bus_error_message-at-one-more-place.patch | 44 - ...ot-propagate-error-in-delayed-action.patch | 65 -- ...-message-about-run-utmp-missing-to-L.patch | 35 - ...ng-property-OnExternalPower-via-D-Bu.patch | 45 - ...name-of-option-RuntimeDirectoryInode.patch | 31 - ...ined-set-TTYPath-for-container-shell.patch | 40 - ...ort-machined-varlink-fix-double-free.patch | 30 - ...r-negative-values-in-DECIMAL_STR_WID.patch | 34 - ...t_process_cmdline-from-crash-handler.patch | 36 - ...og-which-process-send-SIGNAL-to-PID1.patch | 54 - backport-malloc-uses-getrandom-now.patch | 30 - ...low-transient-units-to-have-drop-ins.patch | 89 -- ...-boolean-expression-in-unit_is_prist.patch | 40 - ...ge-operator-combining-bools-from-to-.patch | 35 - ...ort-missing-syscall-add-__NR_openat2.patch | 107 -- backport-mkosi-Build-Fedora-35-images.patch | 29 - ...osi-Fix-openSUSE-Jinja2-package-name.patch | 34 - ...-mkosi-Remove-Arch-nspawn-workaround.patch | 43 - ...SUSE-update-bootable-no-dependencies.patch | 31 - ...ache-LIST_REMOVE-after-w-unused_prev.patch | 38 - ...t-need-to-mount-sys-fs-pstore-if-the.patch | 32 - backport-mount-util-fix-error-code.patch | 52 - ...d_is_mount_point-when-both-the-paren.patch | 125 --- ...ProcSubset-pid-with-some-ProtectKern.patch | 116 -- ...mp-dir-handling-code-independent-of-.patch | 68 -- ...hole-namespace_setup-work-regardless.patch | 56 - ...ort-namespace-rebreak-a-few-comments.patch | 92 -- backport-network-add-comments.patch | 84 -- ...read-flags-from-message-header-when-.patch | 40 - ...ers-to-forbid-passthru-MACVLAN-from-.patch | 55 - ...ck-addresses-when-determine-a-gatewa.patch | 71 -- ...k-bridge-fix-endian-of-vlan-protocol.patch | 32 - ...e-received-interface-name-is-actuall.patch | 71 -- ...gure-address-with-requested-lifetime.patch | 50 - ...able-event-sources-before-unref-them.patch | 61 -- ...ssume-the-highest-priority-when-Prio.patch | 292 ----- ...twork-fix-configuring-of-CAN-devices.patch | 40 - ...ndling-of-network-interface-renaming.patch | 49 - ...c-for-checking-gateway-address-is-re.patch | 182 ---- ...g-flag-manage_foreign_routes-manage_.patch | 32 - ...nore-errors-on-setting-bridge-config.patch | 34 - ...e-errors-on-unsetting-master-ifindex.patch | 68 -- ...hernet-Link-Layer-DHCP-client-ID-wit.patch | 40 - ...x-possible-overflow-in-conversion-us.patch | 30 - ...ess_equal-route_equal-to-compare-add.patch | 68 -- ...tonic-instead-of-boot-time-to-handle.patch | 36 - ...rkd-Include-linux-netdevice.h-header.patch | 37 - ...t-nspawn-fix-type-to-pass-to-connect.patch | 34 - ...awn-guard-acl_free-with-a-NULL-check.patch | 36 - ...nss-drop-dummy-setup_logging-helpers.patch | 61 -- ...o-not-apply-non-zero-offset-to-null-.patch | 45 - ...gging-config-from-environment-variab.patch | 118 --- ...re-returned-strings-point-into-provi.patch | 350 ------ ...-nss-systemd-fix-alignment-of-gr_mem.patch | 43 - ...fix-required-buffer-size-calculation.patch | 45 - ...-pw_passwd-result-into-supplied-buff.patch | 58 - ...th-path-unavailability-when-killing-.patch | 45 - ...ituations-when-no-cgroups-are-killed.patch | 104 -- ...ssl-util-use-EVP-API-to-get-RSA-bits.patch | 41 - ...build-on-and-use-Fedora-35-spec-file.patch | 51 - ...ckit-drop-unnumbered-patches-as-well.patch | 33 - ...nsupported-Dcryptolib-openssl-option.patch | 29 - ...ind_executable-work-without-proc-mou.patch | 37 - ...1-fix-segv-triggered-by-status-query.patch | 40 - ...ng-PID-of-BusName-name-of-services-a.patch | 160 --- ...-PAM_DATA_SILENT-to-pam_end-in-child.patch | 42 - ...he-original-command-line-when-reexec.patch | 156 --- ..._NSS_DYNAMIC_BYPASS-1-env-var-for-db.patch | 127 --- ...atch-bus-name-always-when-we-have-it.patch | 57 - ...olicy-files-adjust-landing-page-link.patch | 170 --- ...g-to-return-extension-releases-in-Ge.patch | 493 --------- ...urn-parameter-to-GetImageMetadataWit.patch | 393 ------- ...able-inline-one-variable-declaration.patch | 38 - ...profile-search-helper-to-path-lookup.patch | 139 --- ...der-if-branches-to-match-previous-co.patch | 42 - ...out-if-there-are-no-units-only-after.patch | 74 -- ...or-extraction-validation-into-a-comm.patch | 245 ----- ...validate-SYSEXT_LEVEL-when-attaching.patch | 240 ----- ...t-for-processes-we-killed-even-if-ki.patch | 46 - ...e-ssize_t-for-getrandom-return-value.patch | 81 -- ...al-disk-start-end-for-bar-production.patch | 48 - ...port-repart-use-right-error-variable.patch | 38 - ...lvconf-compat-make-u-operation-a-NOP.patch | 57 - ...rence-of-the-original-bus-message-to.patch | 34 - ...resolve-drop-never-matched-condition.patch | 49 - ...lve-fix-assertion-triggered-when-r-0.patch | 35 - ...-buffer-overflow-reported-by-ASAN-wi.patch | 34 - backport-resolve-fix-possible-memleak.patch | 41 - ...potential-memleak-and-use-after-free.patch | 40 - ...-dns_scope_good_domain-take-DnsQuery.patch | 116 -- ...ket_extract_matching_rrs-may-return-.patch | 42 - ...use-AF_UNSPEC-when-resolving-address.patch | 32 - ...rt-resolve-remove-server-large-level.patch | 152 --- ...ze-empty-domain-only-when-A-and-or-A.patch | 105 -- backport-resolve-synthesize-empty-name.patch | 97 -- ...ze-null-address-IPv4-broadcast-addre.patch | 41 - ...anup_-attribute-for-freeing-DnsQuery.patch | 563 ---------- ...mit-AD-bit-in-reply-if-DO-is-set-in-.patch | 43 - ...n-up-manager_write_resolv_conf-a-bit.patch | 109 -- ...fix-ResolveService-hostname-handling.patch | 47 - ...re-we-don-t-hit-an-assert-when-deali.patch | 33 - ...y-signal-transient-errors-back-to-NS.patch | 140 --- ...n-SERVFAIL-before-downgrading-featur.patch | 98 -- ...s-writing-DNS-server-info-into-etc-r.patch | 38 - ...t-revert-delete-initrd-usr-fs-target.patch | 237 ----- ...rt-revert-units-add-ProtectClock-yes.patch | 46 - ...ctl-don-t-fork-off-PolicyKit-ask-pw-.patch | 70 -- ...essful-cgroup-additions-when-delegat.patch | 51 - ...ivation-of-scopes-if-no-PIDs-to-add-.patch | 55 - ...quiry-ioctl-if-host_byte-is-DID_TRAN.patch | 56 - ...ix-possible-null-pointer-dereference.patch | 32 - ...d-boot-Rework-console-input-handling.patch | 323 ------ backport-sd-boot-Unify-error-handling.patch | 404 ------- ...allow-numerical-uids-in-M-user-.host.patch | 75 -- ...ss-NULL-when-received-message-with-i.patch | 34 - backport-sd-bus-fix-buffer-overflow.patch | 126 --- ...ng-initializer-in-SD_BUS_VTABLE_END-.patch | 93 -- ...ugging-information-if-bus_container_.patch | 80 -- ...ted-commandline-when-in-bus_socket_e.patch | 69 -- ...-device-introduce-device_has_devlink.patch | 47 - ...r-actually-refuse-to-send-invalid-de.patch | 35 - ...r-update-log-message-to-clarify-the-.patch | 42 - ...-silence-gcc-warning-with-newest-gcc.patch | 30 - ...x-a-memory-leak-in-dhcp_lease_parse_.patch | 51 - ...x-an-infinite-loop-found-by-the-fuzz.patch | 34 - backport-sd-dhcp-lease-fix-memleak.patch | 64 -- ...ix-possible-double-free-or-use-after.patch | 29 - ...rver-refuse-too-large-packet-to-send.patch | 88 -- ...ename-server_send_nak-server_send_na.patch | 76 -- ...p6-client-cirtainly-adjust-T1-and-T2.patch | 50 - ...d-dhcp6-client-constify-one-argument.patch | 43 - ...p6-client-constify-several-arguments.patch | 89 -- ...nt-do-not-merge-NTP-and-SNTP-options.patch | 130 --- ...fix-buffer-size-calculation-in-dhcp6.patch | 154 --- ...p6-client-fix-copy-and-paste-mistake.patch | 31 - ...t-sd-dhcp6-client-fix-error-handling.patch | 33 - ...ignore-IAs-whose-IAID-do-not-match-c.patch | 318 ------ ...t-make-dhcp6_lease_free-accepts-NULL.patch | 45 - ...-client-modernize-dhcp6_option_parse.patch | 275 ----- ...estroy-inotify-data-structures-from-.patch | 109 -- ...-mistake-USEC_INFINITY-passed-in-for.patch | 37 - ...-pass-negative-errnos-as-signalfd-to.patch | 34 - ...f-on-event-loop-object-before-dispat.patch | 36 - ...-compare-hashes-from-different-journ.patch | 48 - ...e-data-threshold-if-set-to-zero-in-s.patch | 35 - ...al-fix-segfault-when-match_new-fails.patch | 63 -- ...nal-free-incomplete-match-on-failure.patch | 37 - ...py_safe-as-the-buffer-size-may-be-ze.patch | 27 - ...always-append-new-bridge-FDB-entries.patch | 39 - ...nstall-filters-for-native-architectu.patch | 64 -- ...p-drop-getrandom-from-system-service.patch | 34 - ...t-seccomp-move-arch_prctl-to-default.patch | 54 - ...ort-seccomp-move-mprotect-to-default.patch | 52 - ...ed_getaffinity-from-system-service-t.patch | 49 - ...avoid-crashing-on-config-without-a-v.patch | 31 - ...d-condition-avoid-nss-lookup-in-PID1.patch | 76 -- ...ble-allocate-buffer-of-sufficient-si.patch | 38 - ...-memory-leak-on-failed-normalization.patch | 34 - ...-resume-device-with-low-priority-ava.patch | 53 - ...oduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch | 94 -- ...t-efi-linux-fix-linux_exec-prototype.patch | 48 - ...e-is_dir-is_dir_fd-by-single-is_dir_.patch | 85 -- ...y-O_DIRECTORY-when-reopening-dir-in-.patch | 36 - ...wapon-to-reinitialize-swap-if-needed.patch | 33 - ...-syscalls-update-syscall-definitions.patch | 853 --------------- ...pty-release-ID-to-avoid-triggering-a.patch | 31 - ...LO_FLAGS_PARTSCAN-when-opening-image.patch | 46 - ...set-property-to-be-called-with-a-glo.patch | 111 -- ...imestamp-affect-the-show-verb-as-wel.patch | 76 -- ...all-back-to-local-cgroup-display-if-.patch | 34 - ...retty-print-ExtensionImages-property.patch | 85 -- ...rror-when-help-for-unknown-unit-is-r.patch | 39 - ...fixes-for-MountImages-pretty-printin.patch | 70 -- ...parse-ip_filters_custom_egress-corre.patch | 31 - ...re-error-logs-suggest-to-use-user-wh.patch | 63 -- ...-sysusers-add-fsync-for-passwd-24324.patch | 37 - ...-use-filename-if-proc-is-not-mounted.patch | 34 - ...ort-temporarily-disable-test-seccomp.patch | 39 +- ...native-architecture-is-always-filter.patch | 95 -- ...se-for-sysv-generator-and-invalid-de.patch | 210 ---- ...add-tests-for-reading-unaligned-data.patch | 87 -- ...initrd-sysroot-transition-in-TEST-24.patch | 113 -- ...t-do-not-use-alloca-in-function-call.patch | 39 - ...-read_virtual_file-with-more-files-f.patch | 53 - ...file-descriptor-leak-in-test-catalog.patch | 40 - ...file-descriptor-leak-in-test-fs-util.patch | 52 - ...le-descriptor-leak-in-test-oomd-util.patch | 54 - ...ile-descriptor-leak-in-test-psi-util.patch | 47 - ...e-descriptor-leak-in-test-tmpfiles.c.patch | 42 - ...custom-initrd-for-TEST-24-if-INITRD-.patch | 66 -- ...sh-allow-testing-against-specific-fi.patch | 39 - ...sh-do-not-croak-on-corrupted-input-f.patch | 44 - ...ournal-send-close-fd-opend-by-syslog.patch | 34 - ...ix-conditional-jump-on-uninitialised.patch | 32 - ...kip-tests-if-cgroup-memory-controlle.patch | 43 - backport-test-oomd-util-style-fixlets.patch | 52 - ...t-store-the-key-on-a-separate-device.patch | 44 - ...restrictive-portable-profile-when-ru.patch | 92 -- backport-test-watchdog-mark-as-unsafe.patch | 36 - ...case-for-UMask-BindPaths-combination.patch | 61 -- backport-timedatectl-fix-a-memory-leak.patch | 46 - backport-timesync-check-cmsg-length.patch | 29 - ...ng-type-for-receiving-timestamp-in-n.patch | 45 - ...s-avoid-null-free-for-acl-attributes.patch | 57 - ...he-directory-we-were-supposed-to-cre.patch | 58 - ...-tpm-util-fix-TPM-parameter-handling.patch | 52 - ...et-but-not-used-variables-as-unused-.patch | 546 ---------- ..._event_source_disable_unref-where-we.patch | 158 --- ...-udev-add-usec_add-at-one-more-place.patch | 28 - ...lso-rename-struct-udev_ctrl-UdevCtrl.patch | 350 ------ ...ot-locked-when-a-new-event-is-queued.patch | 81 -- ...o-blocker-when-failed-to-check-event.patch | 54 - ...ut_id-don-t-label-absolute-mice-as-p.patch | 69 -- ...-udev-cdrom_id-check-last-track-info.patch | 31 - ...t-event-for-previously-locked-device.patch | 86 -- ...-blocker-again-when-no-blocker-found.patch | 91 -- ...ss-events-if-there-is-no-free-worker.patch | 28 - ...to-rename-interface-if-it-is-already.patch | 49 - ...necessary-calls-of-event_queue_start.patch | 80 -- ...y-clone-of-received-sd-device-object.patch | 85 -- ...uality-for-timeout-of-retrying-event.patch | 27 - backport-udev-fix-potential-memleak.patch | 37 - ...uce-device_broadcast_helper_function.patch | 66 -- ...ort-udev-make-event_free-return-NULL.patch | 36 - ...start-return-negative-errno-on-error.patch | 59 -- backport-udev-move-several-functions.patch | 544 ---------- ...ndom-delay-on-conflict-in-updating-d.patch | 64 -- ...-atomically-create-symlink-to-device.patch | 96 -- ...-update-timestamp-of-stack-directory.patch | 150 --- ...-no-new-claim-to-a-symlink-if-run-ud.patch | 38 - ...stack-directory-change-even-if-devli.patch | 48 - ...-ignore-unexpected-errors-on-removin.patch | 63 -- ...-redundant-trial-of-devlink-creation.patch | 84 -- ...nformation-about-device-node-and-pri.patch | 254 ----- ...en-code-a-bit-and-update-log-message.patch | 36 - ...ev-node-simplify-the-example-of-race.patch | 40 - ...out-permission-handling-from-udev_no.patch | 309 ------ ...directory-must-exist-when-adding-dev.patch | 40 - ...T-or-friends-which-suggest-the-block.patch | 36 - ...propagate-error-on-spawning-a-worker.patch | 89 -- ...dev-remove-run-udev-queue-in-on_post.patch | 53 - ...name-is_device_busy-event_is_blocked.patch | 141 --- ...-type-name-e.g.-struct-worker-Worker.patch | 302 ------ ...en-the-corresponding-block-device-is.patch | 288 ----- ...n-process-workers-and-spawned-comman.patch | 176 ---- ...hen-its-dependency-cannot-be-checked.patch | 58 - ...it-worker_lock_block_device-into-two.patch | 123 --- ...rt-udev-store-action-in-struct-Event.patch | 71 -- ...path-devlink-for-multipath-nvme-bloc.patch | 132 --- ...udev-update-comment-and-log-messages.patch | 31 - ...to-clarify-that-the-error-is-ignored.patch | 36 - ...setting-up-lo-do-not-return-an-error.patch | 56 - ...db-don-t-delete-information-for-kept.patch | 123 --- ...evadm-cleanup_dir-use-dot_or_dot_dot.patch | 41 - ...elper-that-resets-umask-until-end-of.patch | 117 -- ...lug-both-job-and-nop_job-if-possible.patch | 49 - backport-unit-escape.patch | 23 - ...it-file-avoid-null-in-debugging-logs.patch | 43 - ...by_inactive-fix-return-pointer-check.patch | 37 - ...-restart-limit-on-the-modprobe-.serv.patch | 36 - ...ble-two-pbkdf-fields-that-don-t-appl.patch | 46 - ...er-record-fix-display-of-access-mode.patch | 29 - ...t-userdb-fix-type-to-pass-to-connect.patch | 31 - ...nother-set-of-CVE-2021-4034-assert-s.patch | 37 - backport-utmp-remove-dev-from-line.patch | 44 - ...onnect-varlink-link-in-one-more-case.patch | 41 - ...ritysetup-print-help-for-help-h-help.patch | 35 - ...rt-Fix-the-detection-for-Hyper-V-VMs.patch | 45 - ...ove-detection-of-EC2-metal-instances.patch | 81 -- ...t-detection-for-ARM64-Hyper-V-guests.patch | 35 - ...-virt-detect-OpenStack-Nova-instance.patch | 95 -- ...-wait-online-rename-Manager-elements.patch | 175 --- ...ght-error-code-to-log-function-so-th.patch | 32 - ...rvice-Ignore-missing-desktop-sepcifi.patch | 38 - ...-also-stop-machine-when-a-machine-un.patch | 18 +- ...mmand_prev-is-null-before-assigning-.patch | 6 +- ...lLog-to-allow-users-change-log-level.patch | 60 +- core-add-invalidate-cgroup-config.patch | 59 +- core-cgroup-support-cpuset.patch | 469 ++++----- ...up-support-default-slice-for-all-uni.patch | 75 +- core-cgroup-support-freezer.patch | 217 ++-- core-cgroup-support-memorysw.patch | 191 +--- ...-device-to-dead-in-manager_catchup-d.patch | 106 -- ...te-arg_default_rlimit-in-bump_rlimit.patch | 2 +- ...-a-service-can-not-be-auto-restarted.patch | 2 +- ...iles-except-system.journal-when-jour.patch | 60 +- disable-initialize_clock.patch | 57 +- ...timesyncd-networkd-resolved-homed-us.patch | 40 - fix-mount-failed-while-daemon-reexec.patch | 62 -- ...-umount-message-to-reboot-umount-msg.patch | 25 +- ...able-systemd-journald-audit.socket-b.patch | 43 - ...weight-consistent-with-the-set-value.patch | 28 +- ...-of-one-unit-don-t-affect-each-other.patch | 15 +- ...nd-set-RemoveIPC-to-false-by-default.patch | 2 +- ...tTasksMax-to-80-of-the-kernel-pid.ma.patch | 4 +- ...cess-status-to-console-when-shutdown.patch | 225 ++-- ...til-log-more-information-when-runnin.patch | 69 +- ...e-etc-resolv.conf-symlink-at-runtime.patch | 32 +- ...rt-rpm-restart-services-in-posttrans.patch | 14 +- ...or-naming-Dell-iDRAC-USB-Virtual-NIC.patch | 22 +- ...le-that-adds-elevator-kernel-command.patch | 22 +- sd-bus-properly-initialize-containers.patch | 10 +- ...own-reboot-when-recieve-crash-signal.patch | 16 +- ...ble-cgroup-controllers-we-don-t-want.patch | 66 +- systemd-249.tar.gz => systemd-253.tar.gz | Bin 10588828 -> 11987237 bytes systemd-change-time-log-level.patch | 31 +- ...-new-rules-for-lower-priority-events.patch | 53 +- ...at-rsyslog-reads-journal-s-object-of.patch | 34 +- systemd.spec | 743 +++---------- ...dd-actions-while-rename-netif-failed.patch | 72 +- udev-virsh-shutdown-vm.patch | 12 +- unit-don-t-add-Requires-for-tmp.mount.patch | 2 +- 510 files changed, 1139 insertions(+), 38819 deletions(-) delete mode 100644 0029-Add-support-for-the-LoongArch-architecture.patch delete mode 100644 0030-Add-LoongArch-dmi-virt-detection-and-testcase.patch mode change 100755 => 100644 Systemd-Add-sw64-architecture.patch delete mode 100644 add-loongarch-for-missing_syscall_def.patch delete mode 100644 backport-Add-meson-option-to-disable-urlify.patch delete mode 100644 backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch delete mode 100644 backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch delete mode 100644 backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch delete mode 100644 backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch delete mode 100644 backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch delete mode 100644 backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch delete mode 100644 backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch delete mode 100644 backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch delete mode 100644 backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch delete mode 100644 backport-CVE-2022-4415-basic-add-STRERROR-wrapper-for-strerror_r.patch delete mode 100644 backport-CVE-2022-4415-coredump-adjust-whitespace.patch delete mode 100644 backport-CVE-2022-4415-dont-allow-user-access-coredumps-with-changed-uid.patch delete mode 100644 backport-CVE-2022-4415-test-Add-TEST_RET-macro.patch delete mode 100644 backport-CVE-2022-4415-test-Add-sd_booted-condition-test-to-TEST-macro.patch delete mode 100644 backport-CVE-2022-4415-test-Create-convenience-macros-to-declare-tests.patch delete mode 100644 backport-CVE-2022-4415-test-Slightly-rework-DEFINE_TEST_MAIN-macros.patch delete mode 100644 backport-CVE-2022-4415-tree-wide-define-and-use-STRERROR_OR_EOF.patch delete mode 100644 backport-Change-gendered-terms-to-be-gender-neutral-21325.patch delete mode 100644 backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch delete mode 100644 backport-Drop-bundled-copy-of-linux-if_arp.h.patch delete mode 100644 backport-Fix-another-crash-due-to-missing-NHDR.patch delete mode 100644 backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch delete mode 100644 backport-Fix-the-Failed-to-open-random-seed-.-message.patch delete mode 100644 backport-Get-rid-of-dangling-setutxent.patch delete mode 100644 backport-Respect-install_sysconfdir.patch delete mode 100644 backport-TEST-15-add-one-more-test-for-drop-in-precedence.patch delete mode 100644 backport-TEST-15-add-test-for-transient-units-with-drop-ins.patch delete mode 100644 backport-TEST-15-also-test-hierarchical-drop-ins-for-slices.patch delete mode 100644 backport-Use-correct-fcntl.h-include.patch delete mode 100644 backport-Use-correct-poll.h-include.patch delete mode 100644 backport-analyze-add-forgotten-return-statement.patch delete mode 100644 backport-analyze-fix-printing-config-when-there-is-no-main-co.patch delete mode 100644 backport-argv-util-also-update-program_invocation_short_name.patch delete mode 100644 backport-backlight-ignore-error-if-the-backlight-device-is-al.patch delete mode 100644 backport-basic-env-util-correctly-parse-extended-vars-after-n.patch delete mode 100644 backport-basic-escape-add-helper-for-quoting-command-lines.patch delete mode 100644 backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch delete mode 100644 backport-basic-log-allow-errno-values-higher-than-255.patch delete mode 100644 backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch delete mode 100644 backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch delete mode 100644 backport-basic-unit-file-don-t-filter-out-names-starting-with.patch delete mode 100644 backport-binfmt-fix-exit-value.patch delete mode 100644 backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch delete mode 100644 backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch delete mode 100644 backport-bus-util-retrieve-bus-error-from-message.patch delete mode 100644 backport-calendarspec-fix-possibly-skips-next-elapse.patch delete mode 100644 backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch delete mode 100644 backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch delete mode 100644 backport-cgroups-agent-connect-stdin-stdout-stderr-to-dev-nul.patch delete mode 100644 backport-change-indicator-used-for-later-versions-of-VirtualB.patch delete mode 100644 backport-ci-cancel-previous-jobs-on-ref-update.patch delete mode 100644 backport-ci-fix-clang-13-installation.patch delete mode 100644 backport-ci-fix-indentation.patch delete mode 100644 backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch delete mode 100644 backport-ci-replace-apt-key-with-signed-by.patch delete mode 100644 backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch delete mode 100644 backport-ci-take-CIFuzz-s-matrix-into-consideration.patch delete mode 100644 backport-ci-use-the-system-llvm-11-package-on-Focal.patch delete mode 100644 backport-clang-format-we-actually-typically-use-16ch-continua.patch delete mode 100644 backport-condition-fix-device-tree-firmware-path.patch delete mode 100644 backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch delete mode 100644 backport-core-Parse-log-environment-settings-again-after-appl.patch delete mode 100644 backport-core-Remove-circular-include.patch delete mode 100644 backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch delete mode 100644 backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch delete mode 100644 backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch delete mode 100644 backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch delete mode 100644 backport-core-check-size-before-mmap.patch delete mode 100644 backport-core-command-argument-can-be-longer-than-PATH_MAX.patch delete mode 100644 backport-core-device-also-serialize-deserialize-device-syspat.patch delete mode 100644 backport-core-device-device_coldplug-don-t-set-DEVICE_DEAD.patch delete mode 100644 backport-core-device-do-not-downgrade-device-state-if-it-is-a.patch delete mode 100644 backport-core-device-drop-unnecessary-condition.patch delete mode 100644 backport-core-device-ignore-DEVICE_FOUND_UDEV-bit-on-switchin.patch delete mode 100644 backport-core-device-update-comment.patch delete mode 100644 backport-core-device-verify-device-syspath-on-switching-root.patch delete mode 100644 backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch delete mode 100644 backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch delete mode 100644 backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch delete mode 100644 backport-core-ignore-failure-on-setting-smack-process-label-w.patch delete mode 100644 backport-core-introduce-MANAGER_IS_SWITCHING_ROOT-helper-func.patch delete mode 100644 backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch delete mode 100644 backport-core-mount-namespaces-Remove-auxiliary-bind-mounts.patch delete mode 100644 backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch delete mode 100644 backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch delete mode 100644 backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch delete mode 100644 backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch delete mode 100644 backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch delete mode 100644 backport-core-replace-m-honor_device_enumeration-with-MANAGER.patch delete mode 100644 backport-core-replace-slice-dependencies-as-they-get-added.patch delete mode 100644 backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch delete mode 100644 backport-core-service-also-check-path-in-exec-commands.patch delete mode 100644 backport-core-slice-make-slice_freezer_action-return-0-if-fre.patch delete mode 100644 backport-core-timer-fix-memleak.patch delete mode 100644 backport-core-timer-fix-potential-use-after-free.patch delete mode 100644 backport-core-unit-drop-dependency-to-the-unit-being-merged.patch delete mode 100644 backport-core-unit-fix-log-message.patch delete mode 100644 backport-core-unit-fix-logic-of-dropping-self-referencing-dep.patch delete mode 100644 backport-core-unit-fix-use-after-free.patch delete mode 100644 backport-core-unit-merge-two-loops-into-one.patch delete mode 100644 backport-core-unit-merge-unit-names-after-merging-deps.patch delete mode 100644 backport-core-unit-use-bus_error_message-at-one-more-place.patch delete mode 100644 backport-core-use-correct-level-for-CPU-time-log-message.patch delete mode 100644 backport-core-use-the-new-quoting-helper.patch delete mode 100644 backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch delete mode 100644 backport-coredump-Connect-stdout-stderr-to-dev-null-before-do.patch delete mode 100644 backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch delete mode 100644 backport-coredump-Fix-format-string-type-mismatch.patch delete mode 100644 backport-coredump-drop-an-unused-variable.patch delete mode 100644 backport-coredump-fix-filename-in-journal-when-not-compressed.patch delete mode 100644 backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch delete mode 100644 backport-coredumpctl-stop-truncating-information-about-coredu.patch delete mode 100644 backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch delete mode 100644 backport-cryptenroll-fix-wrong-error-messages.patch delete mode 100644 backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch delete mode 100644 backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch delete mode 100644 backport-dhcp-fix-assertion-failure.patch delete mode 100644 backport-dhcp-fix-potential-buffer-overflow.patch delete mode 100644 backport-discover-image-mount-as-read-only-when-extracting-me.patch delete mode 100644 backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch delete mode 100644 backport-dissect-image-add-extension-specific-validation-flag.patch delete mode 100644 backport-dissect-image-validate-extension-release-even-if-the.patch delete mode 100644 backport-dns-domain-make-each-label-nul-terminated.patch delete mode 100644 backport-dns-domain-re-introduce-dns_name_is_empty.patch delete mode 100644 backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch delete mode 100644 backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch delete mode 100644 backport-docs-portablectl-is-in-bin.patch delete mode 100644 backport-errno-util-add-ERRNO_IS_DEVICE_ABSENT-macro.patch delete mode 100644 backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch delete mode 100644 backport-event-util-introduce-event_reset_time_relative.patch delete mode 100644 backport-execute-document-that-the-env-param-is-input-and-out.patch delete mode 100644 backport-execute-line-break-comments-a-bit-less-aggressively.patch delete mode 100644 backport-execute-respect-selinux_context_ignore.patch delete mode 100644 backport-execute-use-_cleanup_-logic-where-appropriate.patch delete mode 100644 backport-explicitly-close-FIDO2-devices.patch delete mode 100644 backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch delete mode 100644 backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch delete mode 100644 backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch delete mode 100644 backport-fileio-start-with-4k-buffer-for-procfs.patch delete mode 100644 backport-fix-CVE-2021-33910.patch delete mode 100644 backport-fix-CVE-2022-3821.patch delete mode 100644 backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch delete mode 100644 backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch delete mode 100644 backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch delete mode 100644 backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch delete mode 100644 backport-fstab-generator-Respect-nofail-when-ordering.patch delete mode 100644 backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch delete mode 100644 backport-fstab-generator-skip-root-directory-handling-when-nf.patch delete mode 100644 backport-growfs-don-t-actually-resize-on-dry-run.patch delete mode 100644 backport-home-fix-heap-use-after-free.patch delete mode 100644 backport-home-secret-argument-of-handle_generic_user_record_e.patch delete mode 100644 backport-homed-add-missing-SYNTHETIC_ERRNO.patch delete mode 100644 backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch delete mode 100644 backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch delete mode 100644 backport-homed-remove-misplaced-assert.patch delete mode 100644 backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch delete mode 100644 backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch delete mode 100644 backport-homework-fix-a-bad-error-propagation.patch delete mode 100644 backport-homework-fix-incorrect-error-variable-use.patch delete mode 100644 backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch delete mode 100644 backport-hostname-fix-off-by-one-issue-in-gethostname.patch delete mode 100644 backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch delete mode 100644 backport-hwdb-Allow-console-users-access-to-media-nodes.patch delete mode 100644 backport-hwdb-fix-parsing-options.patch delete mode 100644 backport-hwdb-remove-double-empty-line-in-help-text.patch delete mode 100644 backport-icmp6-drop-unnecessary-assertion.patch delete mode 100644 backport-import-turn-off-weird-protocols-in-curl.patch delete mode 100644 backport-journactl-show-info-about-journal-range-only-at-debu.patch delete mode 100644 backport-journal-Deduplicate-entry-items-before-they-are-stor.patch delete mode 100644 backport-journal-Only-move-to-objects-when-necessary.patch delete mode 100644 backport-journal-Remove-entry-seqnum-revert-logic.patch delete mode 100644 backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch delete mode 100644 backport-journal-Skip-data-objects-with-invalid-offsets.patch delete mode 100644 backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch delete mode 100644 backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch delete mode 100644 backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch delete mode 100644 backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch delete mode 100644 backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch delete mode 100644 backport-journal-send-close-fd-on-exit-when-running-with-valg.patch delete mode 100644 backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch delete mode 100644 backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch delete mode 100644 backport-json-do-something-remotely-reasonable-when-we-see-Na.patch delete mode 100644 backport-kernel-install-also-remove-modules.builtin.alias.bin.patch delete mode 100644 backport-libsystemd-network-disable-event-sources-before-unre.patch delete mode 100644 backport-list-introduce-LIST_FOREACH_BACKWARDS-macro-and-drop.patch delete mode 100644 backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch delete mode 100644 backport-log-don-t-attempt-to-duplicate-closed-fd.patch delete mode 100644 backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch delete mode 100644 backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch delete mode 100644 backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch delete mode 100644 backport-login-use-bus_error_message-at-one-more-place.patch delete mode 100644 backport-logind-do-not-propagate-error-in-delayed-action.patch delete mode 100644 backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch delete mode 100644 backport-logind-fix-getting-property-OnExternalPower-via-D-Bu.patch delete mode 100644 backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch delete mode 100644 backport-machined-set-TTYPath-for-container-shell.patch delete mode 100644 backport-machined-varlink-fix-double-free.patch delete mode 100644 backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch delete mode 100644 backport-main-drop-get_process_cmdline-from-crash-handler.patch delete mode 100644 backport-main-log-which-process-send-SIGNAL-to-PID1.patch delete mode 100644 backport-malloc-uses-getrandom-now.patch delete mode 100644 backport-manager-allow-transient-units-to-have-drop-ins.patch delete mode 100644 backport-manager-reformat-boolean-expression-in-unit_is_prist.patch delete mode 100644 backport-meson.build-change-operator-combining-bools-from-to-.patch delete mode 100644 backport-missing-syscall-add-__NR_openat2.patch delete mode 100644 backport-mkosi-Build-Fedora-35-images.patch delete mode 100644 backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch delete mode 100644 backport-mkosi-Remove-Arch-nspawn-workaround.patch delete mode 100644 backport-mkosi-openSUSE-update-bootable-no-dependencies.patch delete mode 100644 backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch delete mode 100644 backport-mount-setup-don-t-need-to-mount-sys-fs-pstore-if-the.patch delete mode 100644 backport-mount-util-fix-error-code.patch delete mode 100644 backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch delete mode 100644 backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch delete mode 100644 backport-namespace-make-tmp-dir-handling-code-independent-of-.patch delete mode 100644 backport-namespace-make-whole-namespace_setup-work-regardless.patch delete mode 100644 backport-namespace-rebreak-a-few-comments.patch delete mode 100644 backport-network-add-comments.patch delete mode 100644 backport-network-address-read-flags-from-message-header-when-.patch delete mode 100644 backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch delete mode 100644 backport-network-also-check-addresses-when-determine-a-gatewa.patch delete mode 100644 backport-network-bridge-fix-endian-of-vlan-protocol.patch delete mode 100644 backport-network-check-the-received-interface-name-is-actuall.patch delete mode 100644 backport-network-configure-address-with-requested-lifetime.patch delete mode 100644 backport-network-disable-event-sources-before-unref-them.patch delete mode 100644 backport-network-do-not-assume-the-highest-priority-when-Prio.patch delete mode 100644 backport-network-fix-configuring-of-CAN-devices.patch delete mode 100644 backport-network-fix-handling-of-network-interface-renaming.patch delete mode 100644 backport-network-fix-logic-for-checking-gateway-address-is-re.patch delete mode 100644 backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch delete mode 100644 backport-network-ignore-errors-on-setting-bridge-config.patch delete mode 100644 backport-network-ignore-errors-on-unsetting-master-ifindex.patch delete mode 100644 backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch delete mode 100644 backport-network-route-fix-possible-overflow-in-conversion-us.patch delete mode 100644 backport-network-use-address_equal-route_equal-to-compare-add.patch delete mode 100644 backport-network-use-monotonic-instead-of-boot-time-to-handle.patch delete mode 100644 backport-networkd-Include-linux-netdevice.h-header.patch delete mode 100644 backport-nspawn-fix-type-to-pass-to-connect.patch delete mode 100644 backport-nspawn-guard-acl_free-with-a-NULL-check.patch delete mode 100644 backport-nss-drop-dummy-setup_logging-helpers.patch delete mode 100644 backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch delete mode 100644 backport-nss-only-read-logging-config-from-environment-variab.patch delete mode 100644 backport-nss-systemd-ensure-returned-strings-point-into-provi.patch delete mode 100644 backport-nss-systemd-fix-alignment-of-gr_mem.patch delete mode 100644 backport-nss-systemd-fix-required-buffer-size-calculation.patch delete mode 100644 backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch delete mode 100644 backport-oomd-fix-race-with-path-unavailability-when-killing-.patch delete mode 100644 backport-oomd-handle-situations-when-no-cgroups-are-killed.patch delete mode 100644 backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch delete mode 100644 backport-packit-build-on-and-use-Fedora-35-spec-file.patch delete mode 100644 backport-packit-drop-unnumbered-patches-as-well.patch delete mode 100644 backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch delete mode 100644 backport-path-util-make-find_executable-work-without-proc-mou.patch delete mode 100644 backport-pid1-fix-segv-triggered-by-status-query.patch delete mode 100644 backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch delete mode 100644 backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch delete mode 100644 backport-pid1-propagate-the-original-command-line-when-reexec.patch delete mode 100644 backport-pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-db.patch delete mode 100644 backport-pid1-watch-bus-name-always-when-we-have-it.patch delete mode 100644 backport-policy-files-adjust-landing-page-link.patch delete mode 100644 backport-portable-add-flag-to-return-extension-releases-in-Ge.patch delete mode 100644 backport-portable-add-return-parameter-to-GetImageMetadataWit.patch delete mode 100644 backport-portable-inline-one-variable-declaration.patch delete mode 100644 backport-portable-move-profile-search-helper-to-path-lookup.patch delete mode 100644 backport-portablectl-reorder-if-branches-to-match-previous-co.patch delete mode 100644 backport-portabled-error-out-if-there-are-no-units-only-after.patch delete mode 100644 backport-portabled-refactor-extraction-validation-into-a-comm.patch delete mode 100644 backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch delete mode 100644 backport-process-util-wait-for-processes-we-killed-even-if-ki.patch delete mode 100644 backport-random-util-use-ssize_t-for-getrandom-return-value.patch delete mode 100644 backport-repart-use-real-disk-start-end-for-bar-production.patch delete mode 100644 backport-repart-use-right-error-variable.patch delete mode 100644 backport-resolvconf-compat-make-u-operation-a-NOP.patch delete mode 100644 backport-resolve-add-reference-of-the-original-bus-message-to.patch delete mode 100644 backport-resolve-drop-never-matched-condition.patch delete mode 100644 backport-resolve-fix-assertion-triggered-when-r-0.patch delete mode 100644 backport-resolve-fix-heap-buffer-overflow-reported-by-ASAN-wi.patch delete mode 100644 backport-resolve-fix-possible-memleak.patch delete mode 100644 backport-resolve-fix-potential-memleak-and-use-after-free.patch delete mode 100644 backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch delete mode 100644 backport-resolve-mdns_packet_extract_matching_rrs-may-return-.patch delete mode 100644 backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch delete mode 100644 backport-resolve-remove-server-large-level.patch delete mode 100644 backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch delete mode 100644 backport-resolve-synthesize-empty-name.patch delete mode 100644 backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch delete mode 100644 backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch delete mode 100644 backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch delete mode 100644 backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch delete mode 100644 backport-resolved-fix-ResolveService-hostname-handling.patch delete mode 100644 backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch delete mode 100644 backport-resolved-properly-signal-transient-errors-back-to-NS.patch delete mode 100644 backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch delete mode 100644 backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch delete mode 100644 backport-revert-delete-initrd-usr-fs-target.patch delete mode 100644 backport-revert-units-add-ProtectClock-yes.patch delete mode 100644 backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch delete mode 100644 backport-scope-count-successful-cgroup-additions-when-delegat.patch delete mode 100644 backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch delete mode 100644 backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch delete mode 100644 backport-sd-boot-Fix-possible-null-pointer-dereference.patch delete mode 100644 backport-sd-boot-Rework-console-input-handling.patch delete mode 100644 backport-sd-boot-Unify-error-handling.patch delete mode 100644 backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch delete mode 100644 backport-sd-bus-do-not-pass-NULL-when-received-message-with-i.patch delete mode 100644 backport-sd-bus-fix-buffer-overflow.patch delete mode 100644 backport-sd-bus-fix-missing-initializer-in-SD_BUS_VTABLE_END-.patch delete mode 100644 backport-sd-bus-print-debugging-information-if-bus_container_.patch delete mode 100644 backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch delete mode 100644 backport-sd-device-introduce-device_has_devlink.patch delete mode 100644 backport-sd-device-monitor-actually-refuse-to-send-invalid-de.patch delete mode 100644 backport-sd-device-monitor-update-log-message-to-clarify-the-.patch delete mode 100644 backport-sd-device-silence-gcc-warning-with-newest-gcc.patch delete mode 100644 backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch delete mode 100644 backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch delete mode 100644 backport-sd-dhcp-lease-fix-memleak.patch delete mode 100644 backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch delete mode 100644 backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch delete mode 100644 backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch delete mode 100644 backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch delete mode 100644 backport-sd-dhcp6-client-constify-one-argument.patch delete mode 100644 backport-sd-dhcp6-client-constify-several-arguments.patch delete mode 100644 backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch delete mode 100644 backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch delete mode 100644 backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch delete mode 100644 backport-sd-dhcp6-client-fix-error-handling.patch delete mode 100644 backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch delete mode 100644 backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch delete mode 100644 backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch delete mode 100644 backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch delete mode 100644 backport-sd-event-don-t-mistake-USEC_INFINITY-passed-in-for.patch delete mode 100644 backport-sd-event-never-pass-negative-errnos-as-signalfd-to.patch delete mode 100644 backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch delete mode 100644 backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch delete mode 100644 backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch delete mode 100644 backport-sd-journal-fix-segfault-when-match_new-fails.patch delete mode 100644 backport-sd-journal-free-incomplete-match-on-failure.patch delete mode 100644 backport-sd-lldp-use-memcpy_safe-as-the-buffer-size-may-be-ze.patch delete mode 100644 backport-sd-netlink-always-append-new-bridge-FDB-entries.patch delete mode 100644 backport-seccomp-Always-install-filters-for-native-architectu.patch delete mode 100644 backport-seccomp-drop-getrandom-from-system-service.patch delete mode 100644 backport-seccomp-move-arch_prctl-to-default.patch delete mode 100644 backport-seccomp-move-mprotect-to-default.patch delete mode 100644 backport-seccomp-move-sched_getaffinity-from-system-service-t.patch delete mode 100644 backport-shared-bootspec-avoid-crashing-on-config-without-a-v.patch delete mode 100644 backport-shared-condition-avoid-nss-lookup-in-PID1.patch delete mode 100644 backport-shared-format-table-allocate-buffer-of-sufficient-si.patch delete mode 100644 backport-shared-json-fix-memory-leak-on-failed-normalization.patch delete mode 100644 backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch delete mode 100644 backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch delete mode 100644 backport-src-boot-efi-linux-fix-linux_exec-prototype.patch delete mode 100644 backport-stat-util-replace-is_dir-is_dir_fd-by-single-is_dir_.patch delete mode 100644 backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch delete mode 100644 backport-swap-tell-swapon-to-reinitialize-swap-if-needed.patch delete mode 100644 backport-syscalls-update-syscall-definitions.patch delete mode 100644 backport-sysext-refuse-empty-release-ID-to-avoid-triggering-a.patch delete mode 100644 backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch delete mode 100644 backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch delete mode 100644 backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch delete mode 100644 backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch delete mode 100644 backport-systemctl-pretty-print-ExtensionImages-property.patch delete mode 100644 backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch delete mode 100644 backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch delete mode 100644 backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch delete mode 100644 backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch delete mode 100644 backport-sysusers-add-fsync-for-passwd-24324.patch delete mode 100644 backport-sysusers-use-filename-if-proc-is-not-mounted.patch delete mode 100644 backport-test-Check-that-native-architecture-is-always-filter.patch delete mode 100644 backport-test-add-test-case-for-sysv-generator-and-invalid-de.patch delete mode 100644 backport-test-add-tests-for-reading-unaligned-data.patch delete mode 100644 backport-test-cover-initrd-sysroot-transition-in-TEST-24.patch delete mode 100644 backport-test-do-not-use-alloca-in-function-call.patch delete mode 100644 backport-test-fileio-test-read_virtual_file-with-more-files-f.patch delete mode 100644 backport-test-fix-file-descriptor-leak-in-test-catalog.patch delete mode 100644 backport-test-fix-file-descriptor-leak-in-test-fs-util.patch delete mode 100644 backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch delete mode 100644 backport-test-fix-file-descriptor-leak-in-test-psi-util.patch delete mode 100644 backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch delete mode 100644 backport-test-generate-a-custom-initrd-for-TEST-24-if-INITRD-.patch delete mode 100644 backport-test-journal-flush-allow-testing-against-specific-fi.patch delete mode 100644 backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch delete mode 100644 backport-test-journal-send-close-fd-opend-by-syslog.patch delete mode 100644 backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch delete mode 100644 backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch delete mode 100644 backport-test-oomd-util-style-fixlets.patch delete mode 100644 backport-test-store-the-key-on-a-separate-device.patch delete mode 100644 backport-test-use-a-less-restrictive-portable-profile-when-ru.patch delete mode 100644 backport-test-watchdog-mark-as-unsafe.patch delete mode 100644 backport-tests-add-test-case-for-UMask-BindPaths-combination.patch delete mode 100644 backport-timedatectl-fix-a-memory-leak.patch delete mode 100644 backport-timesync-check-cmsg-length.patch delete mode 100644 backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch delete mode 100644 backport-tmpfiles-avoid-null-free-for-acl-attributes.patch delete mode 100644 backport-tmpfiles-check-the-directory-we-were-supposed-to-cre.patch delete mode 100644 backport-tpm-util-fix-TPM-parameter-handling.patch delete mode 100644 backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch delete mode 100644 backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch delete mode 100644 backport-udev-add-usec_add-at-one-more-place.patch delete mode 100644 backport-udev-also-rename-struct-udev_ctrl-UdevCtrl.patch delete mode 100644 backport-udev-assume-block-device-is-not-locked-when-a-new-event-is-queued.patch delete mode 100644 backport-udev-assume-there-is-no-blocker-when-failed-to-check-event.patch delete mode 100644 backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch delete mode 100644 backport-udev-cdrom_id-check-last-track-info.patch delete mode 100644 backport-udev-certainly-restart-event-for-previously-locked-device.patch delete mode 100644 backport-udev-do-not-try-to-find-blocker-again-when-no-blocker-found.patch delete mode 100644 backport-udev-do-not-try-to-process-events-if-there-is-no-free-worker.patch delete mode 100644 backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch delete mode 100644 backport-udev-drop-unnecessary-calls-of-event_queue_start.patch delete mode 100644 backport-udev-drop-unnecessary-clone-of-received-sd-device-object.patch delete mode 100644 backport-udev-fix-inversed-inequality-for-timeout-of-retrying-event.patch delete mode 100644 backport-udev-fix-potential-memleak.patch delete mode 100644 backport-udev-introduce-device_broadcast_helper_function.patch delete mode 100644 backport-udev-make-event_free-return-NULL.patch delete mode 100644 backport-udev-make-event_queue_start-return-negative-errno-on-error.patch delete mode 100644 backport-udev-move-several-functions.patch delete mode 100644 backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch delete mode 100644 backport-udev-node-always-atomically-create-symlink-to-device.patch delete mode 100644 backport-udev-node-always-update-timestamp-of-stack-directory.patch delete mode 100644 backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch delete mode 100644 backport-udev-node-check-stack-directory-change-even-if-devli.patch delete mode 100644 backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch delete mode 100644 backport-udev-node-drop-redundant-trial-of-devlink-creation.patch delete mode 100644 backport-udev-node-save-information-about-device-node-and-pri.patch delete mode 100644 backport-udev-node-shorten-code-a-bit-and-update-log-message.patch delete mode 100644 backport-udev-node-simplify-the-example-of-race.patch delete mode 100644 backport-udev-node-split-out-permission-handling-from-udev_no.patch delete mode 100644 backport-udev-node-stack-directory-must-exist-when-adding-dev.patch delete mode 100644 backport-udev-only-ignore-ENOENT-or-friends-which-suggest-the-block.patch delete mode 100644 backport-udev-propagate-error-on-spawning-a-worker.patch delete mode 100644 backport-udev-remove-run-udev-queue-in-on_post.patch delete mode 100644 backport-udev-rename-is_device_busy-event_is_blocked.patch delete mode 100644 backport-udev-rename-type-name-e.g.-struct-worker-Worker.patch delete mode 100644 backport-udev-requeue-event-when-the-corresponding-block-device-is.patch delete mode 100644 backport-udev-run-the-main-process-workers-and-spawned-comman.patch delete mode 100644 backport-udev-skip-event-when-its-dependency-cannot-be-checked.patch delete mode 100644 backport-udev-split-worker_lock_block_device-into-two.patch delete mode 100644 backport-udev-store-action-in-struct-Event.patch delete mode 100644 backport-udev-support-by-path-devlink-for-multipath-nvme-bloc.patch delete mode 100644 backport-udev-update-comment-and-log-messages.patch delete mode 100644 backport-udev-update-log-message-to-clarify-that-the-error-is-ignored.patch delete mode 100644 backport-udev-when-setting-up-lo-do-not-return-an-error.patch delete mode 100644 backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch delete mode 100644 backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch delete mode 100644 backport-umask-util-add-helper-that-resets-umask-until-end-of.patch delete mode 100644 backport-unit-coldplug-both-job-and-nop_job-if-possible.patch delete mode 100644 backport-unit-escape.patch delete mode 100644 backport-unit-file-avoid-null-in-debugging-logs.patch delete mode 100644 backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch delete mode 100644 backport-units-remove-the-restart-limit-on-the-modprobe-.serv.patch delete mode 100644 backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch delete mode 100644 backport-user-record-fix-display-of-access-mode.patch delete mode 100644 backport-userdb-fix-type-to-pass-to-connect.patch delete mode 100644 backport-util-another-set-of-CVE-2021-4034-assert-s.patch delete mode 100644 backport-utmp-remove-dev-from-line.patch delete mode 100644 backport-varlink-disconnect-varlink-link-in-one-more-case.patch delete mode 100644 backport-veritysetup-print-help-for-help-h-help.patch delete mode 100644 backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch delete mode 100644 backport-virt-Improve-detection-of-EC2-metal-instances.patch delete mode 100644 backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch delete mode 100644 backport-virt-detect-OpenStack-Nova-instance.patch delete mode 100644 backport-wait-online-rename-Manager-elements.patch delete mode 100644 backport-watchdog-pass-right-error-code-to-log-function-so-th.patch delete mode 100644 backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch delete mode 100644 core-skip-change-device-to-dead-in-manager_catchup-d.patch delete mode 100644 disable-systemd-timesyncd-networkd-resolved-homed-us.patch delete mode 100644 fix-mount-failed-while-daemon-reexec.patch delete mode 100644 journal-don-t-enable-systemd-journald-audit.socket-b.patch rename systemd-249.tar.gz => systemd-253.tar.gz (54%) diff --git a/0029-Add-support-for-the-LoongArch-architecture.patch b/0029-Add-support-for-the-LoongArch-architecture.patch deleted file mode 100644 index 4976d64..0000000 --- a/0029-Add-support-for-the-LoongArch-architecture.patch +++ /dev/null @@ -1,43 +0,0 @@ -diff --git a/src/basic/architecture.c b/src/basic/architecture.c -index 409632c..e86aff3 100644 ---- a/src/basic/architecture.c -+++ b/src/basic/architecture.c -@@ -118,6 +118,8 @@ int uname_architecture(void) { - #elif defined(__arc__) - { "arc", ARCHITECTURE_ARC }, - { "arceb", ARCHITECTURE_ARC_BE }, -+#elif defined(__loongarch64) -+ { "loongarch64", ARCHITECTURE_LOONGARCH64 }, - #else - #error "Please register your architecture here!" - #endif -@@ -173,6 +175,7 @@ static const char *const architecture_table[_ARCHITECTURE_MAX] = { - [ARCHITECTURE_RISCV64] = "riscv64", - [ARCHITECTURE_ARC] = "arc", - [ARCHITECTURE_ARC_BE] = "arc-be", -+ [ARCHITECTURE_LOONGARCH64] = "loongarch64", - }; - - DEFINE_STRING_TABLE_LOOKUP(architecture, int); -diff --git a/src/basic/architecture.h b/src/basic/architecture.h -index 9abc183..758bd8c 100644 ---- a/src/basic/architecture.h -+++ b/src/basic/architecture.h -@@ -44,6 +44,7 @@ enum { - ARCHITECTURE_RISCV64, - ARCHITECTURE_ARC, - ARCHITECTURE_ARC_BE, -+ ARCHITECTURE_LOONGARCH64, - _ARCHITECTURE_MAX, - _ARCHITECTURE_INVALID = -EINVAL, - }; -@@ -229,6 +230,9 @@ int uname_architecture(void); - # define native_architecture() ARCHITECTURE_ARC - # define LIB_ARCH_TUPLE "arc-linux" - # endif -+#elif defined(__loongarch64) -+# define native_architecture() ARCHITECTURE_LOONGARCH64 -+# define LIB_ARCH_TUPLE "loongarch64-linux-gnu" - #else - # error "Please register your architecture here!" - #endif diff --git a/0030-Add-LoongArch-dmi-virt-detection-and-testcase.patch b/0030-Add-LoongArch-dmi-virt-detection-and-testcase.patch deleted file mode 100644 index 13cf40b..0000000 --- a/0030-Add-LoongArch-dmi-virt-detection-and-testcase.patch +++ /dev/null @@ -1,65 +0,0 @@ -diff --git a/src/basic/virt.c b/src/basic/virt.c -index 7e88f09..de1acf1 100644 ---- a/src/basic/virt.c -+++ b/src/basic/virt.c -@@ -140,7 +140,7 @@ static int detect_vm_device_tree(void) { - #endif - } - --#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) -+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch64) - static int detect_vm_dmi_vendor(void) { - static const char *const dmi_vendors[] = { - "/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */ -@@ -225,10 +225,10 @@ static int detect_vm_smbios(void) { - log_debug("DMI BIOS Extension table does not indicate virtualization."); - return SMBIOS_VM_BIT_UNSET; - } --#endif /* defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) */ -+#endif /* defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch64) */ - - static int detect_vm_dmi(void) { --#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) -+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch64) - - int r; - r = detect_vm_dmi_vendor(); -diff --git a/src/test/test-execute.c b/src/test/test-execute.c -index 125e0bb..6e168d3 100644 ---- a/src/test/test-execute.c -+++ b/src/test/test-execute.c -@@ -284,6 +284,8 @@ static void test_exec_personality(Manager *m) { - - #elif defined(__i386__) - test(m, "exec-personality-x86.service", 0, CLD_EXITED); -+#elif defined(__loongarch64) -+ test(m, "exec-personality-loongarch64.service", 0, CLD_EXITED); - #else - log_notice("Unknown personality, skipping %s", __func__); - #endif -diff --git a/src/udev/meson.build b/src/udev/meson.build -index 4e80f9b..f2eb0b2 100644 ---- a/src/udev/meson.build -+++ b/src/udev/meson.build -@@ -129,7 +129,7 @@ udev_id_progs = [['ata_id/ata_id.c'], - 'mtd_probe/mtd_probe.h', - 'mtd_probe/probe_smartmedia.c']] - --dmi_arches = ['x86', 'x86_64', 'aarch64', 'arm', 'ia64', 'mips'] -+dmi_arches = ['x86', 'x86_64', 'aarch64', 'arm', 'ia64', 'loongarch64', 'mips'] - if dmi_arches.contains(host_machine.cpu_family()) - udev_id_progs += [['dmi_memory_id/dmi_memory_id.c']] - endif -diff --git a/test/test-execute/exec-personality-loongarch64.service b/test/test-execute/exec-personality-loongarch64.service -new file mode 100644 -index 0000000..0531ad1 ---- /dev/null -+++ b/test/test-execute/exec-personality-loongarch64.service -@@ -0,0 +1,7 @@ -+[Unit] -+Description=Test for Personality=loongarch64 -+ -+[Service] -+ExecStart=/bin/sh -c 'echo $(uname -m); exit $(test $(uname -m) = "loongarch64")' -+Type=oneshot -+Personality=loongarch64 diff --git a/Retry-to-handle-the-uevent-when-worker-is-terminated.patch b/Retry-to-handle-the-uevent-when-worker-is-terminated.patch index 39fa1d2..ef6b6de 100644 --- a/Retry-to-handle-the-uevent-when-worker-is-terminated.patch +++ b/Retry-to-handle-the-uevent-when-worker-is-terminated.patch @@ -9,10 +9,10 @@ When processing uevent events fails, retry it. 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 75e2086..023fe55 100644 +index c6d24d9..512192e 100644 --- a/src/udev/udevd.c +++ b/src/udev/udevd.c -@@ -69,6 +69,7 @@ +@@ -74,6 +74,7 @@ #include "version.h" #define WORKER_NUM_MAX 2048U @@ -20,7 +20,7 @@ index 75e2086..023fe55 100644 #define EVENT_RETRY_INTERVAL_USEC (200 * USEC_PER_MSEC) #define EVENT_RETRY_TIMEOUT_USEC (3 * USEC_PER_MINUTE) -@@ -123,6 +124,7 @@ typedef struct Event { +@@ -129,6 +130,7 @@ typedef struct Event { Manager *manager; Worker *worker; EventState state; @@ -28,8 +28,8 @@ index 75e2086..023fe55 100644 sd_device *dev; -@@ -166,6 +168,32 @@ typedef enum EventResult { - _EVENT_RESULT_INVALID = -EINVAL, +@@ -182,6 +184,32 @@ typedef enum EventResult { + _EVENT_RESULT_INVALID = -EINVAL, } EventResult; +static bool event_retry(Event *event) { @@ -61,27 +61,27 @@ index 75e2086..023fe55 100644 static Event *event_free(Event *event) { if (!event) return NULL; -@@ -1118,6 +1146,7 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - .seqnum = seqnum, - .action = action, +@@ -1140,6 +1168,7 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { + .devpath_old = devpath_old, + .devnode = devnode, .state = EVENT_QUEUED, + .retry = UEVENT_MAX_RETRY_TIMES, }; - if (LIST_IS_EMPTY(manager->events)) { -@@ -1547,8 +1576,10 @@ static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *si, voi - device_delete_db(worker->event->dev); - device_tag_index(worker->event->dev, NULL, false); + if (!manager->events) { +@@ -1513,8 +1542,10 @@ static int on_sigchld(sd_event_source *s, const siginfo_t *si, void *userdata) { + device_delete_db(dev); + device_tag_index(dev, NULL, false); -- /* Forward kernel event to libudev listeners */ -- device_broadcast(manager->monitor, worker->event->dev); -+ if (event_retry(worker->event) == false) { -+ /* Forward kernel event to libudev listeners */ -+ device_broadcast(manager->monitor, worker->event->dev); -+ } - } +- /* Forward kernel event to libudev listeners */ +- device_broadcast(manager->monitor, dev, result); ++ if (event_retry(worker->event) == false) { ++ /* Forward kernel event to libudev listeners */ ++ device_broadcast(manager->monitor, worker->event->dev, result); ++ } + } - worker_free(worker); + worker_free(worker); -- 2.33.0 diff --git a/Systemd-Add-sw64-architecture.patch b/Systemd-Add-sw64-architecture.patch old mode 100755 new mode 100644 index e6d9b0c..2de2125 --- a/Systemd-Add-sw64-architecture.patch +++ b/Systemd-Add-sw64-architecture.patch @@ -5,50 +5,51 @@ Subject: [PATCH] Systemd Add sw64 architecture Signed-off-by: rpm-build --- - src/basic/architecture.c | 3 + + src/basic/architecture.c | 4 + src/basic/architecture.h | 4 + src/basic/meson.build | 1 + src/basic/missing_fcntl.h | 2 + - src/basic/missing_syscall_def.h | 35 ++ + src/basic/missing_syscall_def.h | 33 ++ src/basic/missing_syscalls.py | 2 + src/basic/syscalls-sw_64.txt | 600 ++++++++++++++++++++++++++++++++ - 7 files changed, 647 insertions(+) + 7 files changed, 646 insertions(+) create mode 100644 src/basic/syscalls-sw_64.txt diff --git a/src/basic/architecture.c b/src/basic/architecture.c -index 409632c..8314aa5 100644 +index 773ee3c..59a4e31 100644 --- a/src/basic/architecture.c +++ b/src/basic/architecture.c -@@ -54,6 +54,8 @@ int uname_architecture(void) { - { "mips", ARCHITECTURE_MIPS }, +@@ -49,6 +49,9 @@ Architecture uname_architecture(void) { #elif defined(__alpha__) { "alpha" , ARCHITECTURE_ALPHA }, + +#elif defined(__sw_64__) + { "sw_64" , ARCHITECTURE_SW_64 }, - #elif defined(__arm__) || defined(__aarch64__) - { "aarch64", ARCHITECTURE_ARM64 }, - { "aarch64_be", ARCHITECTURE_ARM64_BE }, -@@ -159,6 +161,7 @@ static const char *const architecture_table[_ARCHITECTURE_MAX] = { - [ARCHITECTURE_MIPS64] = "mips64", - [ARCHITECTURE_MIPS64_LE] = "mips64-le", - [ARCHITECTURE_ALPHA] = "alpha", -+ [ARCHITECTURE_SW_64] = "sw_64", - [ARCHITECTURE_ARM] = "arm", - [ARCHITECTURE_ARM_BE] = "arm-be", - [ARCHITECTURE_ARM64] = "arm64", ++ + #elif defined(__arc__) + { "arc", ARCHITECTURE_ARC }, + { "arceb", ARCHITECTURE_ARC_BE }, +@@ -145,6 +148,7 @@ static const char *const architecture_table[_ARCHITECTURE_MAX] = { + [ARCHITECTURE_ARM] = "arm", + [ARCHITECTURE_ARM_BE] = "arm-be", + [ARCHITECTURE_ALPHA] = "alpha", ++ [ARCHITECTURE_SW_64] = "sw_64", + [ARCHITECTURE_ARC] = "arc", + [ARCHITECTURE_ARC_BE] = "arc-be", + [ARCHITECTURE_CRIS] = "cris", diff --git a/src/basic/architecture.h b/src/basic/architecture.h -index 9abc183..3361eaf 100644 +index 096526a..4c4be03 100644 --- a/src/basic/architecture.h +++ b/src/basic/architecture.h -@@ -30,6 +30,7 @@ enum { - ARCHITECTURE_MIPS64, - ARCHITECTURE_MIPS64_LE, +@@ -11,6 +11,7 @@ + + typedef enum { ARCHITECTURE_ALPHA, + ARCHITECTURE_SW_64, + ARCHITECTURE_ARC, + ARCHITECTURE_ARC_BE, ARCHITECTURE_ARM, - ARCHITECTURE_ARM_BE, - ARCHITECTURE_ARM64, -@@ -143,6 +144,9 @@ int uname_architecture(void); +@@ -142,6 +143,9 @@ Architecture uname_architecture(void); #elif defined(__alpha__) # define native_architecture() ARCHITECTURE_ALPHA # define LIB_ARCH_TUPLE "alpha-linux-gnu" @@ -59,10 +60,10 @@ index 9abc183..3361eaf 100644 # if __BYTE_ORDER == __BIG_ENDIAN # define native_architecture() ARCHITECTURE_ARM64_BE diff --git a/src/basic/meson.build b/src/basic/meson.build -index 452b965..80dab1b 100644 +index 7aae031..f0a0282 100644 --- a/src/basic/meson.build +++ b/src/basic/meson.build -@@ -325,6 +325,7 @@ basic_sources += generated_gperf_headers +@@ -177,6 +177,7 @@ basic_sources += generated_gperf_headers arch_list = [ 'alpha', @@ -84,10 +85,10 @@ index 00937d2..fff662b 100644 #define __O_TMPFILE 0400000000 #elif defined(__sparc__) || defined(__sparc64__) diff --git a/src/basic/missing_syscall_def.h b/src/basic/missing_syscall_def.h -index 29dfd2e..10a585b 100644 +index 402fdd0..9680923 100644 --- a/src/basic/missing_syscall_def.h +++ b/src/basic/missing_syscall_def.h -@@ -9,6 +9,7 @@ +@@ -10,6 +10,7 @@ * template as the per-syscall blocks below. */ # if defined(__aarch64__) # elif defined(__alpha__) @@ -95,7 +96,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # elif defined(__arm__) # elif defined(__i386__) -@@ -44,6 +45,8 @@ +@@ -47,6 +48,8 @@ # define systemd_NR_bpf 280 # elif defined(__alpha__) # define systemd_NR_bpf 515 @@ -104,7 +105,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_bpf 280 # elif defined(__arm__) -@@ -108,6 +111,8 @@ assert_cc(__NR_bpf == systemd_NR_bpf); +@@ -115,6 +118,8 @@ assert_cc(__NR_bpf == systemd_NR_bpf); # define systemd_NR_close_range 436 # elif defined(__alpha__) # define systemd_NR_close_range 546 @@ -113,7 +114,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_close_range 436 # elif defined(__arm__) -@@ -172,6 +177,8 @@ assert_cc(__NR_close_range == systemd_NR_close_range); +@@ -183,6 +188,8 @@ assert_cc(__NR_close_range == systemd_NR_close_range); # define systemd_NR_copy_file_range 285 # elif defined(__alpha__) # define systemd_NR_copy_file_range 519 @@ -122,16 +123,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_copy_file_range 285 # elif defined(__arm__) -@@ -236,6 +243,8 @@ assert_cc(__NR_copy_file_range == systemd_NR_copy_file_range); - # define systemd_NR_epoll_pwait2 441 - # elif defined(__alpha__) - # define systemd_NR_epoll_pwait2 551 -+# elif defined(__sw_64__) -+# define systemd_NR_epoll_pwait2 551 - # elif defined(__arc__) || defined(__tilegx__) - # define systemd_NR_epoll_pwait2 441 - # elif defined(__arm__) -@@ -300,6 +309,8 @@ assert_cc(__NR_epoll_pwait2 == systemd_NR_epoll_pwait2); +@@ -251,6 +258,8 @@ assert_cc(__NR_copy_file_range == systemd_NR_copy_file_range); # define systemd_NR_getrandom 278 # elif defined(__alpha__) # define systemd_NR_getrandom 511 @@ -140,7 +132,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_getrandom 278 # elif defined(__arm__) -@@ -364,6 +375,8 @@ assert_cc(__NR_getrandom == systemd_NR_getrandom); +@@ -319,6 +328,8 @@ assert_cc(__NR_getrandom == systemd_NR_getrandom); # define systemd_NR_memfd_create 279 # elif defined(__alpha__) # define systemd_NR_memfd_create 512 @@ -149,7 +141,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_memfd_create 279 # elif defined(__arm__) -@@ -428,6 +441,8 @@ assert_cc(__NR_memfd_create == systemd_NR_memfd_create); +@@ -387,6 +398,8 @@ assert_cc(__NR_memfd_create == systemd_NR_memfd_create); # define systemd_NR_mount_setattr 442 # elif defined(__alpha__) # define systemd_NR_mount_setattr 552 @@ -158,7 +150,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_mount_setattr 442 # elif defined(__arm__) -@@ -492,6 +507,8 @@ assert_cc(__NR_mount_setattr == systemd_NR_mount_setattr); +@@ -455,6 +468,8 @@ assert_cc(__NR_mount_setattr == systemd_NR_mount_setattr); # define systemd_NR_move_mount 429 # elif defined(__alpha__) # define systemd_NR_move_mount 539 @@ -167,7 +159,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_move_mount 429 # elif defined(__arm__) -@@ -556,6 +573,8 @@ assert_cc(__NR_move_mount == systemd_NR_move_mount); +@@ -523,6 +538,8 @@ assert_cc(__NR_move_mount == systemd_NR_move_mount); # define systemd_NR_name_to_handle_at 264 # elif defined(__alpha__) # define systemd_NR_name_to_handle_at 497 @@ -176,7 +168,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_name_to_handle_at 264 # elif defined(__arm__) -@@ -620,6 +639,8 @@ assert_cc(__NR_name_to_handle_at == systemd_NR_name_to_handle_at); +@@ -591,6 +608,8 @@ assert_cc(__NR_name_to_handle_at == systemd_NR_name_to_handle_at); # define systemd_NR_open_tree 428 # elif defined(__alpha__) # define systemd_NR_open_tree 538 @@ -185,7 +177,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_open_tree 428 # elif defined(__arm__) -@@ -684,6 +705,8 @@ assert_cc(__NR_open_tree == systemd_NR_open_tree); +@@ -659,6 +678,8 @@ assert_cc(__NR_open_tree == systemd_NR_open_tree); # define systemd_NR_openat2 437 # elif defined(__alpha__) # define systemd_NR_openat2 547 @@ -194,7 +186,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_openat2 437 # elif defined(__arm__) -@@ -750,6 +773,8 @@ assert_cc(__NR_openat2 == systemd_NR_openat2); +@@ -727,6 +748,8 @@ assert_cc(__NR_openat2 == systemd_NR_openat2); # define systemd_NR_pidfd_open 434 # elif defined(__alpha__) # define systemd_NR_pidfd_open 544 @@ -203,7 +195,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_pidfd_open 434 # elif defined(__arm__) -@@ -814,6 +839,8 @@ assert_cc(__NR_pidfd_open == systemd_NR_pidfd_open); +@@ -795,6 +818,8 @@ assert_cc(__NR_pidfd_open == systemd_NR_pidfd_open); # define systemd_NR_pidfd_send_signal 424 # elif defined(__alpha__) # define systemd_NR_pidfd_send_signal 534 @@ -212,7 +204,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_pidfd_send_signal 424 # elif defined(__arm__) -@@ -878,6 +905,8 @@ assert_cc(__NR_pidfd_send_signal == systemd_NR_pidfd_send_signal); +@@ -863,6 +888,8 @@ assert_cc(__NR_pidfd_send_signal == systemd_NR_pidfd_send_signal); # define systemd_NR_pkey_mprotect 288 # elif defined(__alpha__) # define systemd_NR_pkey_mprotect 524 @@ -221,7 +213,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_pkey_mprotect 288 # elif defined(__arm__) -@@ -942,6 +971,8 @@ assert_cc(__NR_pkey_mprotect == systemd_NR_pkey_mprotect); +@@ -931,6 +958,8 @@ assert_cc(__NR_pkey_mprotect == systemd_NR_pkey_mprotect); # define systemd_NR_renameat2 276 # elif defined(__alpha__) # define systemd_NR_renameat2 510 @@ -230,7 +222,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_renameat2 276 # elif defined(__arm__) -@@ -1006,6 +1037,8 @@ assert_cc(__NR_renameat2 == systemd_NR_renameat2); +@@ -999,6 +1028,8 @@ assert_cc(__NR_renameat2 == systemd_NR_renameat2); # define systemd_NR_setns 268 # elif defined(__alpha__) # define systemd_NR_setns 501 @@ -239,7 +231,7 @@ index 29dfd2e..10a585b 100644 # elif defined(__arc__) || defined(__tilegx__) # define systemd_NR_setns 268 # elif defined(__arm__) -@@ -1070,6 +1103,8 @@ assert_cc(__NR_setns == systemd_NR_setns); +@@ -1067,6 +1098,8 @@ assert_cc(__NR_setns == systemd_NR_setns); # define systemd_NR_statx 291 # elif defined(__alpha__) # define systemd_NR_statx 522 @@ -249,10 +241,10 @@ index 29dfd2e..10a585b 100644 # define systemd_NR_statx 291 # elif defined(__arm__) diff --git a/src/basic/missing_syscalls.py b/src/basic/missing_syscalls.py -index dd45899..cf448cc 100644 +index 5ccf02a..a7bfe7e 100644 --- a/src/basic/missing_syscalls.py +++ b/src/basic/missing_syscalls.py -@@ -52,6 +52,8 @@ DEF_TEMPLATE_B = '''\ +@@ -51,6 +51,8 @@ DEF_TEMPLATE_B = '''\ # define systemd_NR_{syscall} {nr_arm64} # elif defined(__alpha__) # define systemd_NR_{syscall} {nr_alpha} diff --git a/activation-service-must-be-restarted-when-reactivated.patch b/activation-service-must-be-restarted-when-reactivated.patch index a71eaa8..b6ef28d 100644 --- a/activation-service-must-be-restarted-when-reactivated.patch +++ b/activation-service-must-be-restarted-when-reactivated.patch @@ -24,7 +24,7 @@ index 29524d4..38940ef 100644 + Service *s = NULL; assert(message); - assert(m); + @@ -177,7 +179,13 @@ static int signal_activation_request(sd_bus_message *message, void *userdata, sd goto failed; } diff --git a/add-loongarch-for-missing_syscall_def.patch b/add-loongarch-for-missing_syscall_def.patch deleted file mode 100644 index 19952aa..0000000 --- a/add-loongarch-for-missing_syscall_def.patch +++ /dev/null @@ -1,165 +0,0 @@ -diff --git a/src/basic/missing_syscall_def.h b/src/basic/missing_syscall_def.h -index 29dfd2e..629cad0 100644 ---- a/src/basic/missing_syscall_def.h -+++ b/src/basic/missing_syscall_def.h -@@ -28,6 +28,7 @@ - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) - # elif defined(__s390__) - # elif defined(__sparc__) - # elif defined(__x86_64__) -@@ -74,6 +75,8 @@ - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_bpf 280 - # elif defined(__s390__) - # define systemd_NR_bpf 351 - # elif defined(__sparc__) -@@ -138,6 +141,8 @@ assert_cc(__NR_bpf == systemd_NR_bpf); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_close_range 436 - # elif defined(__s390__) - # define systemd_NR_close_range 436 - # elif defined(__sparc__) -@@ -202,6 +207,8 @@ assert_cc(__NR_close_range == systemd_NR_close_range); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_copy_file_range 285 - # elif defined(__s390__) - # define systemd_NR_copy_file_range 375 - # elif defined(__sparc__) -@@ -266,6 +273,8 @@ assert_cc(__NR_copy_file_range == systemd_NR_copy_file_range); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_epoll_pwait2 441 - # elif defined(__s390__) - # define systemd_NR_epoll_pwait2 441 - # elif defined(__sparc__) -@@ -330,6 +339,8 @@ assert_cc(__NR_epoll_pwait2 == systemd_NR_epoll_pwait2); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_getrandom 278 - # elif defined(__s390__) - # define systemd_NR_getrandom 349 - # elif defined(__sparc__) -@@ -394,6 +405,8 @@ assert_cc(__NR_getrandom == systemd_NR_getrandom); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_memfd_create 279 - # elif defined(__s390__) - # define systemd_NR_memfd_create 350 - # elif defined(__sparc__) -@@ -458,6 +471,8 @@ assert_cc(__NR_memfd_create == systemd_NR_memfd_create); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_mount_setattr 442 - # elif defined(__s390__) - # define systemd_NR_mount_setattr 442 - # elif defined(__sparc__) -@@ -522,6 +537,8 @@ assert_cc(__NR_mount_setattr == systemd_NR_mount_setattr); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_move_mount 429 - # elif defined(__s390__) - # define systemd_NR_move_mount 429 - # elif defined(__sparc__) -@@ -586,6 +603,8 @@ assert_cc(__NR_move_mount == systemd_NR_move_mount); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_name_to_handle_at 264 - # elif defined(__s390__) - # define systemd_NR_name_to_handle_at 335 - # elif defined(__sparc__) -@@ -650,6 +669,8 @@ assert_cc(__NR_name_to_handle_at == systemd_NR_name_to_handle_at); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_open_tree 428 - # elif defined(__s390__) - # define systemd_NR_open_tree 428 - # elif defined(__sparc__) -@@ -692,7 +713,7 @@ assert_cc(__NR_open_tree == systemd_NR_open_tree); - # define systemd_NR_openat2 437 - # elif defined(__ia64__) - # define systemd_NR_openat2 1461 --# elif defined(__loongarch64) -+# elif defined(__loongarch__) - # define systemd_NR_openat2 437 - # elif defined(__m68k__) - # define systemd_NR_openat2 437 -@@ -780,6 +801,8 @@ assert_cc(__NR_openat2 == systemd_NR_openat2); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_pidfd_open 434 - # elif defined(__s390__) - # define systemd_NR_pidfd_open 434 - # elif defined(__sparc__) -@@ -844,6 +867,8 @@ assert_cc(__NR_pidfd_open == systemd_NR_pidfd_open); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_pidfd_send_signal 424 - # elif defined(__s390__) - # define systemd_NR_pidfd_send_signal 424 - # elif defined(__sparc__) -@@ -908,6 +933,8 @@ assert_cc(__NR_pidfd_send_signal == systemd_NR_pidfd_send_signal); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_pkey_mprotect 288 - # elif defined(__s390__) - # define systemd_NR_pkey_mprotect 384 - # elif defined(__sparc__) -@@ -972,6 +999,8 @@ assert_cc(__NR_pkey_mprotect == systemd_NR_pkey_mprotect); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_renameat2 276 - # elif defined(__s390__) - # define systemd_NR_renameat2 347 - # elif defined(__sparc__) -@@ -1036,6 +1065,8 @@ assert_cc(__NR_renameat2 == systemd_NR_renameat2); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_setns 268 - # elif defined(__s390__) - # define systemd_NR_setns 339 - # elif defined(__sparc__) -@@ -1100,6 +1131,8 @@ assert_cc(__NR_setns == systemd_NR_setns); - # else - # error "Unknown RISC-V ABI" - # endif -+# elif defined(__loongarch__) -+# define systemd_NR_statx 291 - # elif defined(__s390__) - # define systemd_NR_statx 379 - # elif defined(__sparc__) diff --git a/backport-Add-meson-option-to-disable-urlify.patch b/backport-Add-meson-option-to-disable-urlify.patch deleted file mode 100644 index 0b1760f..0000000 --- a/backport-Add-meson-option-to-disable-urlify.patch +++ /dev/null @@ -1,66 +0,0 @@ -From e5d86ebed5624ef62342c820a5868b1075deb300 Mon Sep 17 00:00:00 2001 -From: James Hilliard -Date: Sun, 11 Jul 2021 04:39:33 -0600 -Subject: [PATCH] Add meson option to disable urlify. - -Useful for systems that don't use a version of less with hyperlink -support. - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e5d86ebed5624ef62342c820a5868b1075deb300 ---- - meson.build | 1 + - meson_options.txt | 2 ++ - src/shared/pretty-print.c | 4 ++++ - 3 files changed, 7 insertions(+) - -diff --git a/meson.build b/meson.build -index 5735cfc7ad..a2ee15bf32 100644 ---- a/meson.build -+++ b/meson.build -@@ -278,6 +278,7 @@ conf.set_quoted('USER_PRESET_DIR', userpresetdir) - conf.set_quoted('VENDOR_KEYRING_PATH', join_paths(rootlibexecdir, 'import-pubring.gpg')) - - conf.set('ANSI_OK_COLOR', 'ANSI_' + get_option('ok-color').underscorify().to_upper()) -+conf.set10('ENABLE_URLIFY', get_option('urlify')) - conf.set10('ENABLE_FEXECVE', get_option('fexecve')) - conf.set10('MEMORY_ACCOUNTING_DEFAULT', memory_accounting_default) - conf.set('STATUS_UNIT_FORMAT_DEFAULT', 'STATUS_UNIT_FORMAT_' + status_unit_format_default.to_upper()) -diff --git a/meson_options.txt b/meson_options.txt -index 163c8df87d..b60261ac24 100644 ---- a/meson_options.txt -+++ b/meson_options.txt -@@ -444,6 +444,8 @@ option('ok-color', type : 'combo', - 'highlight-cyan', 'highlight-white'], - value : 'green', - description: 'color of the "OK" status message') -+option('urlify', type : 'boolean', value : 'true', -+ description : 'enable pager Hyperlink ANSI sequence support') - option('fexecve', type : 'boolean', value : 'false', - description : 'use fexecve() to spawn children') - -diff --git a/src/shared/pretty-print.c b/src/shared/pretty-print.c -index 137ba77b3a..7983c0a33a 100644 ---- a/src/shared/pretty-print.c -+++ b/src/shared/pretty-print.c -@@ -19,6 +19,7 @@ - #include "util.h" - - bool urlify_enabled(void) { -+#if ENABLE_URLIFY - static int cached_urlify_enabled = -1; - - if (cached_urlify_enabled < 0) { -@@ -32,6 +33,9 @@ bool urlify_enabled(void) { - } - - return cached_urlify_enabled; -+#else -+ return 0; -+#endif - } - - int terminal_urlify(const char *url, const char *text, char **ret) { --- -2.27.0 - diff --git a/backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch b/backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch deleted file mode 100644 index 02f65ce..0000000 --- a/backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch +++ /dev/null @@ -1,46 +0,0 @@ -From b1bb976219e4c63d4b8099a2820fedbedf0aa8a5 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Fri, 3 Dec 2021 11:23:36 +0100 -Subject: [PATCH] Bump the max number of inodes for /dev to 128k - -Follow-up for 7d85383edbab73274dc81cc888d884bb01070bc2. - -Apparently the previous limit set on the max number of inodes for /dev was too -small as a system with 4096 LUNs attached can consume up to 95k inodes for -symlinks: - - # /bin/df -i - Filesystem Inodes IUsed IFree IUse% Mounted on - devtmpfs 49274377 95075 49179302 1% /dev - -Hence this patch bumps the limit from 64k to 128k although the new limit is -still pretty arbitrary (that said, not sure if it really makes sense to put -such absolute limit number). - -(cherry picked from commit 4c733d3046942984c5f73b40c3af39cc218c103f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b1bb976219e4c63d4b8099a2820fedbedf0aa8a5 ---- - src/shared/mount-util.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h -index 36501c2c4a..c5bd881070 100644 ---- a/src/shared/mount-util.h -+++ b/src/shared/mount-util.h -@@ -11,9 +11,9 @@ - #include "errno-util.h" - #include "macro.h" - --/* 4MB for contents of regular files, 64k inodes for directories, symbolic links and device specials, using -+/* 4MB for contents of regular files, 128k inodes for directories, symbolic links and device specials, using - * large storage array systems as a baseline */ --#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=64k" -+#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=128k" - - /* Very little, if any use expected */ - #define TMPFS_LIMITS_EMPTY_OR_ALMOST ",size=4m,nr_inodes=1k" --- -2.33.0 - diff --git a/backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch b/backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch deleted file mode 100644 index 3b4470c..0000000 --- a/backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch +++ /dev/null @@ -1,30 +0,0 @@ -From e98d0662ffbffe2c60492be6b4f5d579038d3282 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 9 Dec 2021 10:09:17 +0100 -Subject: [PATCH 1/2] Bump the max number of inodes for /dev to a million - -4c733d3046942984c5f73b40c3af39cc218c103f shows that 95k can be used easily on a large -system. Let's bump it up even more so that we have some "breathing room". ---- - src/shared/mount-util.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h -index 3622170297..ce73aebd4b 100644 ---- a/src/shared/mount-util.h -+++ b/src/shared/mount-util.h -@@ -11,9 +11,9 @@ - #include "errno-util.h" - #include "macro.h" - --/* 4MB for contents of regular files, 128k inodes for directories, symbolic links and device specials, using -+/* 4MB for contents of regular files, 1m inodes for directories, symbolic links and device nodes, using - * large storage array systems as a baseline */ --#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=128k" -+#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=1m" - - /* Very little, if any use expected */ - #define TMPFS_LIMITS_EMPTY_OR_ALMOST ",size=4m,nr_inodes=1k" --- -2.27.0 - diff --git a/backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch b/backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch deleted file mode 100644 index d2da5ff..0000000 --- a/backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch +++ /dev/null @@ -1,25 +0,0 @@ -From cac372a80177fb622806270eb0d810e4c6ad0c84 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 9 Dec 2021 10:20:46 +0100 -Subject: [PATCH] Bump the max number of inodes for /tmp to a million too - -Fixes #21626. (The bug report talks about /run, but the issue is actually with -/tmp.) People use /tmp for various things that fit in memory, e.g. unpacking -packages, and 400k is not much. Let's raise is a bit. ---- - units/tmp.mount | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/units/tmp.mount b/units/tmp.mount -index 516bd1621c..4e1bb8de24 100644 ---- a/units/tmp.mount -+++ b/units/tmp.mount -@@ -22,4 +22,4 @@ After=swap.target - What=tmpfs - Where=/tmp - Type=tmpfs --Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=400k -+Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=1m --- -2.27.0 - diff --git a/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch b/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch deleted file mode 100644 index 6847def..0000000 --- a/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 2426beacca09d84091759be45b25c88116302184 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 5 Oct 2021 10:32:56 +0200 -Subject: [PATCH] rm-rf: optionally fsync() after removing directory tree - -(cherry picked from commit bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2426beacca09d84091759be45b25c88116302184 ---- - src/shared/rm-rf.c | 3 +++ - src/shared/rm-rf.h | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index dffb9cf6ee..5ef7c662dd 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -250,6 +250,9 @@ int rm_rf_children( - ret = r; - } - -+ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0) -+ ret = -errno; -+ - return ret; - } - -diff --git a/src/shared/rm-rf.h b/src/shared/rm-rf.h -index 577a2795e0..24fd9a2aa2 100644 ---- a/src/shared/rm-rf.h -+++ b/src/shared/rm-rf.h -@@ -14,6 +14,7 @@ typedef enum RemoveFlags { - REMOVE_MISSING_OK = 1 << 4, /* If the top-level directory is missing, ignore the ENOENT for it */ - REMOVE_CHMOD = 1 << 5, /* chmod() for write access if we cannot delete or access something */ - REMOVE_CHMOD_RESTORE = 1 << 6, /* Restore the old mode before returning */ -+ REMOVE_SYNCFS = 1 << 7, /* syncfs() the root of the specified directory after removing everything in it */ - } RemoveFlags; - - int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags); --- -2.33.0 - diff --git a/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch b/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch deleted file mode 100644 index 00aa7c3..0000000 --- a/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch +++ /dev/null @@ -1,324 +0,0 @@ -From ca4a0e7d41f0b2a1fe2f99dbc3763187c16cf7ab Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 26 Jan 2021 16:30:06 +0100 -Subject: [PATCH] rm-rf: refactor rm_rf_children(), split out body of directory - iteration loop - -This splits out rm_rf_children_inner() as body of the loop. We can use -that to implement rm_rf_child() for deleting one specific entry in a -directory. - -(cherry picked from commit 1f0fb7d544711248cba34615e43c5a76bc902d74) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ca4a0e7d41f0b2a1fe2f99dbc3763187c16cf7ab ---- - src/shared/rm-rf.c | 223 ++++++++++++++++++++++++++------------------- - src/shared/rm-rf.h | 3 +- - 2 files changed, 131 insertions(+), 95 deletions(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index 900a7fb5ff..dffb9cf6ee 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -19,6 +19,9 @@ - #include "stat-util.h" - #include "string-util.h" - -+/* We treat tmpfs/ramfs + cgroupfs as non-physical file sytems. cgroupfs is similar to tmpfs in a way after -+ * all: we can create arbitrary directory hierarchies in it, and hence can also use rm_rf() on it to remove -+ * those again. */ - static bool is_physical_fs(const struct statfs *sfs) { - return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs); - } -@@ -113,133 +116,145 @@ int fstatat_harder(int dfd, - return 0; - } - --int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) { -- _cleanup_closedir_ DIR *d = NULL; -- struct dirent *de; -- int ret = 0, r; -- struct statfs sfs; -+static int rm_rf_children_inner( -+ int fd, -+ const char *fname, -+ int is_dir, -+ RemoveFlags flags, -+ const struct stat *root_dev) { - -- assert(fd >= 0); -+ struct stat st; -+ int r; - -- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed -- * fd, in all cases, including on failure.. */ -+ assert(fd >= 0); -+ assert(fname); - -- if (!(flags & REMOVE_PHYSICAL)) { -+ if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) { - -- r = fstatfs(fd, &sfs); -- if (r < 0) { -- safe_close(fd); -- return -errno; -- } -+ r = fstatat_harder(fd, fname, &st, AT_SYMLINK_NOFOLLOW, flags); -+ if (r < 0) -+ return r; - -- if (is_physical_fs(&sfs)) { -- /* We refuse to clean physical file systems with this call, -- * unless explicitly requested. This is extra paranoia just -- * to be sure we never ever remove non-state data. */ -- _cleanup_free_ char *path = NULL; -+ is_dir = S_ISDIR(st.st_mode); -+ } - -- (void) fd_get_path(fd, &path); -- log_error("Attempted to remove disk file system under \"%s\", and we can't allow that.", -- strna(path)); -+ if (is_dir) { -+ _cleanup_close_ int subdir_fd = -1; -+ int q; - -- safe_close(fd); -- return -EPERM; -- } -- } -+ /* if root_dev is set, remove subdirectories only if device is same */ -+ if (root_dev && st.st_dev != root_dev->st_dev) -+ return 0; - -- d = fdopendir(fd); -- if (!d) { -- safe_close(fd); -- return errno == ENOENT ? 0 : -errno; -- } -+ /* Stop at mount points */ -+ r = fd_is_mount_point(fd, fname, 0); -+ if (r < 0) -+ return r; -+ if (r > 0) -+ return 0; - -- FOREACH_DIRENT_ALL(de, d, return -errno) { -- bool is_dir; -- struct stat st; -+ if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) { - -- if (dot_or_dot_dot(de->d_name)) -- continue; -+ /* This could be a subvolume, try to remove it */ - -- if (de->d_type == DT_UNKNOWN || -- (de->d_type == DT_DIR && (root_dev || (flags & REMOVE_SUBVOLUME)))) { -- r = fstatat_harder(fd, de->d_name, &st, AT_SYMLINK_NOFOLLOW, flags); -+ r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA); - if (r < 0) { -- if (ret == 0 && r != -ENOENT) -- ret = r; -- continue; -- } -+ if (!IN_SET(r, -ENOTTY, -EINVAL)) -+ return r; - -- is_dir = S_ISDIR(st.st_mode); -- } else -- is_dir = de->d_type == DT_DIR; -+ /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */ -+ } else -+ /* It was a subvolume, done. */ -+ return 1; -+ } - -- if (is_dir) { -- _cleanup_close_ int subdir_fd = -1; -+ subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -+ if (subdir_fd < 0) -+ return -errno; - -- /* if root_dev is set, remove subdirectories only if device is same */ -- if (root_dev && st.st_dev != root_dev->st_dev) -- continue; -+ /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type -+ * again for each directory */ -+ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); - -- subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -- if (subdir_fd < 0) { -- if (ret == 0 && errno != ENOENT) -- ret = -errno; -- continue; -- } -+ r = unlinkat_harder(fd, fname, AT_REMOVEDIR, flags); -+ if (r < 0) -+ return r; -+ if (q < 0) -+ return q; - -- /* Stop at mount points */ -- r = fd_is_mount_point(fd, de->d_name, 0); -- if (r < 0) { -- if (ret == 0 && r != -ENOENT) -- ret = r; -+ return 1; - -- continue; -- } -- if (r > 0) -- continue; -+ } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) { -+ r = unlinkat_harder(fd, fname, 0, flags); -+ if (r < 0) -+ return r; - -- if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) { -+ return 1; -+ } - -- /* This could be a subvolume, try to remove it */ -+ return 0; -+} - -- r = btrfs_subvol_remove_fd(fd, de->d_name, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA); -- if (r < 0) { -- if (!IN_SET(r, -ENOTTY, -EINVAL)) { -- if (ret == 0) -- ret = r; -+int rm_rf_children( -+ int fd, -+ RemoveFlags flags, -+ const struct stat *root_dev) { - -- continue; -- } -+ _cleanup_closedir_ DIR *d = NULL; -+ struct dirent *de; -+ int ret = 0, r; - -- /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */ -- } else -- /* It was a subvolume, continue. */ -- continue; -- } -+ assert(fd >= 0); -+ -+ /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed -+ * fd, in all cases, including on failure. */ -+ -+ d = fdopendir(fd); -+ if (!d) { -+ safe_close(fd); -+ return -errno; -+ } - -- /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file -- * system type again for each directory */ -- r = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); -- if (r < 0 && ret == 0) -- ret = r; -+ if (!(flags & REMOVE_PHYSICAL)) { -+ struct statfs sfs; - -- r = unlinkat_harder(fd, de->d_name, AT_REMOVEDIR, flags); -- if (r < 0 && r != -ENOENT && ret == 0) -- ret = r; -+ if (fstatfs(dirfd(d), &sfs) < 0) -+ return -errno; -+ -+ if (is_physical_fs(&sfs)) { -+ /* We refuse to clean physical file systems with this call, unless explicitly -+ * requested. This is extra paranoia just to be sure we never ever remove non-state -+ * data. */ - -- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) { -+ _cleanup_free_ char *path = NULL; - -- r = unlinkat_harder(fd, de->d_name, 0, flags); -- if (r < 0 && r != -ENOENT && ret == 0) -- ret = r; -+ (void) fd_get_path(fd, &path); -+ return log_error_errno(SYNTHETIC_ERRNO(EPERM), -+ "Attempted to remove disk file system under \"%s\", and we can't allow that.", -+ strna(path)); - } - } -+ -+ FOREACH_DIRENT_ALL(de, d, return -errno) { -+ int is_dir; -+ -+ if (dot_or_dot_dot(de->d_name)) -+ continue; -+ -+ is_dir = -+ de->d_type == DT_UNKNOWN ? -1 : -+ de->d_type == DT_DIR; -+ -+ r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev); -+ if (r < 0 && r != -ENOENT && ret == 0) -+ ret = r; -+ } -+ - return ret; - } - - int rm_rf(const char *path, RemoveFlags flags) { - int fd, r; -- struct statfs s; - - assert(path); - -@@ -284,9 +299,10 @@ int rm_rf(const char *path, RemoveFlags flags) { - if (FLAGS_SET(flags, REMOVE_ROOT)) { - - if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { -+ struct statfs s; -+ - if (statfs(path, &s) < 0) - return -errno; -- - if (is_physical_fs(&s)) - return log_error_errno(SYNTHETIC_ERRNO(EPERM), - "Attempted to remove files from a disk file system under \"%s\", refusing.", -@@ -314,3 +330,22 @@ int rm_rf(const char *path, RemoveFlags flags) { - - return r; - } -+ -+int rm_rf_child(int fd, const char *name, RemoveFlags flags) { -+ -+ /* Removes one specific child of the specified directory */ -+ -+ if (fd < 0) -+ return -EBADF; -+ -+ if (!filename_is_valid(name)) -+ return -EINVAL; -+ -+ if ((flags & (REMOVE_ROOT|REMOVE_MISSING_OK)) != 0) /* Doesn't really make sense here, we are not supposed to remove 'fd' anyway */ -+ return -EINVAL; -+ -+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME)) -+ return -EINVAL; -+ -+ return rm_rf_children_inner(fd, name, -1, flags, NULL); -+} -diff --git a/src/shared/rm-rf.h b/src/shared/rm-rf.h -index 40f0894c96..577a2795e0 100644 ---- a/src/shared/rm-rf.h -+++ b/src/shared/rm-rf.h -@@ -23,7 +23,8 @@ int fstatat_harder(int dfd, - int fstatat_flags, - RemoveFlags remove_flags); - --int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev); -+int rm_rf_children(int fd, RemoveFlags flags, const struct stat *root_dev); -+int rm_rf_child(int fd, const char *name, RemoveFlags flags); - int rm_rf(const char *path, RemoveFlags flags); - - /* Useful for usage with _cleanup_(), destroys a directory and frees the pointer */ --- -2.33.0 - diff --git a/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch b/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch deleted file mode 100644 index 4858ff4..0000000 --- a/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch +++ /dev/null @@ -1,276 +0,0 @@ -From 6a28f8b55904c818b25e4db2e1511faac79fd471 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 30 Nov 2021 22:29:05 +0100 -Subject: [PATCH] shared/rm-rf: loop over nested directories instead of instead - of recursing - -To remove directory structures, we need to remove the innermost items first, -and then recursively remove higher-level directories. We would recursively -descend into directories and invoke rm_rf_children and rm_rm_children_inner. -This is problematic when too many directories are nested. - -Instead, let's create a "TODO" queue. In the the queue, for each level we -hold the DIR* object we were working on, and the name of the directory. This -allows us to leave a partially-processed directory, and restart the removal -loop one level down. When done with the inner directory, we use the name to -unlinkat() it from the parent, and proceed with the removal of other items. - -Because the nesting is increased by one level, it is best to view this patch -with -b/--ignore-space-change. - -This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639. -The issue was reported and patches reviewed by Qualys Team. -Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure. - -(cherry picked from commit 5b1cf7a9be37e20133c0208005274ce4a5b5c6a1) -(cherry picked from commit 911516e1614e435755814ada5fc6064fa107a105) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6a28f8b55904c818b25e4db2e1511faac79fd471 ---- - src/shared/rm-rf.c | 161 +++++++++++++++++++++++++++++++-------------- - 1 file changed, 113 insertions(+), 48 deletions(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index 1bd2431d8a..954686ffc9 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -52,7 +52,6 @@ static int patch_dirfd_mode( - } - - int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags) { -- - mode_t old_mode; - int r; - -@@ -116,12 +115,13 @@ int fstatat_harder(int dfd, - return 0; - } - --static int rm_rf_children_inner( -+static int rm_rf_inner_child( - int fd, - const char *fname, - int is_dir, - RemoveFlags flags, -- const struct stat *root_dev) { -+ const struct stat *root_dev, -+ bool allow_recursion) { - - struct stat st; - int r, q = 0; -@@ -141,9 +141,7 @@ static int rm_rf_children_inner( - } - - if (is_dir) { -- _cleanup_close_ int subdir_fd = -1; -- -- /* if root_dev is set, remove subdirectories only if device is same */ -+ /* If root_dev is set, remove subdirectories only if device is same */ - if (root_dev && st.st_dev != root_dev->st_dev) - return 0; - -@@ -155,7 +153,6 @@ static int rm_rf_children_inner( - return 0; - - if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) { -- - /* This could be a subvolume, try to remove it */ - - r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA); -@@ -169,13 +166,16 @@ static int rm_rf_children_inner( - return 1; - } - -- subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -+ if (!allow_recursion) -+ return -EISDIR; -+ -+ int subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); - if (subdir_fd < 0) - return -errno; - - /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type - * again for each directory */ -- q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); -+ q = rm_rf_children(subdir_fd, flags | REMOVE_PHYSICAL, root_dev); - - } else if (flags & REMOVE_ONLY_DIRECTORIES) - return 0; -@@ -188,63 +188,128 @@ static int rm_rf_children_inner( - return 1; - } - -+typedef struct TodoEntry { -+ DIR *dir; /* A directory that we were operating on. */ -+ char *dirname; /* The filename of that directory itself. */ -+} TodoEntry; -+ -+static void free_todo_entries(TodoEntry **todos) { -+ for (TodoEntry *x = *todos; x && x->dir; x++) { -+ closedir(x->dir); -+ free(x->dirname); -+ } -+ -+ freep(todos); -+} -+ - int rm_rf_children( - int fd, - RemoveFlags flags, - const struct stat *root_dev) { - -- _cleanup_closedir_ DIR *d = NULL; -- struct dirent *de; -+ _cleanup_(free_todo_entries) TodoEntry *todos = NULL; -+ size_t n_todo = 0; -+ _cleanup_free_ char *dirname = NULL; /* Set when we are recursing and want to delete ourselves */ - int ret = 0, r; - -- assert(fd >= 0); -+ /* Return the first error we run into, but nevertheless try to go on. -+ * The passed fd is closed in all cases, including on failure. */ -+ -+ for (;;) { /* This loop corresponds to the directory nesting level. */ -+ _cleanup_closedir_ DIR *d = NULL; -+ -+ if (n_todo > 0) { -+ /* We know that we are in recursion here, because n_todo is set. -+ * We need to remove the inner directory we were operating on. */ -+ assert(dirname); -+ r = unlinkat_harder(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR, flags); -+ if (r < 0 && r != -ENOENT && ret == 0) -+ ret = r; -+ dirname = mfree(dirname); -+ -+ /* And now let's back out one level up */ -+ n_todo --; -+ d = TAKE_PTR(todos[n_todo].dir); -+ dirname = TAKE_PTR(todos[n_todo].dirname); -+ -+ assert(d); -+ fd = dirfd(d); /* Retrieve the file descriptor from the DIR object */ -+ assert(fd >= 0); -+ } else { -+ next_fd: -+ assert(fd >= 0); -+ d = fdopendir(fd); -+ if (!d) { -+ safe_close(fd); -+ return -errno; -+ } -+ fd = dirfd(d); /* We donated the fd to fdopendir(). Let's make sure we sure we have -+ * the right descriptor even if it were to internally invalidate the -+ * one we passed. */ -+ -+ if (!(flags & REMOVE_PHYSICAL)) { -+ struct statfs sfs; -+ -+ if (fstatfs(fd, &sfs) < 0) -+ return -errno; -+ -+ if (is_physical_fs(&sfs)) { -+ /* We refuse to clean physical file systems with this call, unless -+ * explicitly requested. This is extra paranoia just to be sure we -+ * never ever remove non-state data. */ -+ -+ _cleanup_free_ char *path = NULL; -+ -+ (void) fd_get_path(fd, &path); -+ return log_error_errno(SYNTHETIC_ERRNO(EPERM), -+ "Attempted to remove disk file system under \"%s\", and we can't allow that.", -+ strna(path)); -+ } -+ } -+ } - -- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed -- * fd, in all cases, including on failure. */ -+ struct dirent *de; -+ FOREACH_DIRENT_ALL(de, d, return -errno) { -+ int is_dir; - -- d = fdopendir(fd); -- if (!d) { -- safe_close(fd); -- return -errno; -- } -+ if (dot_or_dot_dot(de->d_name)) -+ continue; - -- if (!(flags & REMOVE_PHYSICAL)) { -- struct statfs sfs; -+ is_dir = de->d_type == DT_UNKNOWN ? -1 : de->d_type == DT_DIR; - -- if (fstatfs(dirfd(d), &sfs) < 0) -- return -errno; -+ r = rm_rf_inner_child(fd, de->d_name, is_dir, flags, root_dev, false); -+ if (r == -EISDIR) { -+ /* Push the current working state onto the todo list */ - -- if (is_physical_fs(&sfs)) { -- /* We refuse to clean physical file systems with this call, unless explicitly -- * requested. This is extra paranoia just to be sure we never ever remove non-state -- * data. */ -+ if (!GREEDY_REALLOC0(todos, n_todo + 2)) -+ return log_oom(); - -- _cleanup_free_ char *path = NULL; -+ _cleanup_free_ char *newdirname = strdup(de->d_name); -+ if (!newdirname) -+ return log_oom(); - -- (void) fd_get_path(fd, &path); -- return log_error_errno(SYNTHETIC_ERRNO(EPERM), -- "Attempted to remove disk file system under \"%s\", and we can't allow that.", -- strna(path)); -- } -- } -+ int newfd = openat(fd, de->d_name, -+ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -+ if (newfd >= 0) { -+ todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) }; -+ fd = newfd; -+ dirname = TAKE_PTR(newdirname); - -- FOREACH_DIRENT_ALL(de, d, return -errno) { -- int is_dir; -+ goto next_fd; - -- if (dot_or_dot_dot(de->d_name)) -- continue; -+ } else if (errno != -ENOENT && ret == 0) -+ ret = -errno; - -- is_dir = -- de->d_type == DT_UNKNOWN ? -1 : -- de->d_type == DT_DIR; -+ } else if (r < 0 && r != -ENOENT && ret == 0) -+ ret = r; -+ } - -- r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev); -- if (r < 0 && r != -ENOENT && ret == 0) -- ret = r; -- } -+ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(fd) < 0 && ret >= 0) -+ ret = -errno; - -- if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0) -- ret = -errno; -+ if (n_todo == 0) -+ break; -+ } - - return ret; - } -@@ -337,5 +402,5 @@ int rm_rf_child(int fd, const char *name, RemoveFlags flags) { - if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME)) - return -EINVAL; - -- return rm_rf_children_inner(fd, name, -1, flags, NULL); -+ return rm_rf_inner_child(fd, name, -1, flags, NULL, true); - } --- -2.33.0 - diff --git a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch deleted file mode 100644 index 8ba7906..0000000 --- a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 811b137d6137cc3e8932599e6ef9254ba43ff5eb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 23 Nov 2021 16:56:42 +0100 -Subject: [PATCH] shared/rm_rf: refactor rm_rf() to shorten code a bit - -(cherry picked from commit 84ced330020c0bae57bd4628f1f44eec91304e69) -(cherry picked from commit 664529efa9431edc043126013ea54e6c399ae2d3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/811b137d6137cc3e8932599e6ef9254ba43ff5eb ---- - src/shared/rm-rf.c | 54 +++++++++++++++++++++------------------------- - 1 file changed, 24 insertions(+), 30 deletions(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index 7362954116..1bd2431d8a 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -250,7 +250,7 @@ int rm_rf_children( - } - - int rm_rf(const char *path, RemoveFlags flags) { -- int fd, r; -+ int fd, r, q = 0; - - assert(path); - -@@ -282,49 +282,43 @@ int rm_rf(const char *path, RemoveFlags flags) { - } - - fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); -- if (fd < 0) { -+ if (fd >= 0) { -+ /* We have a dir */ -+ r = rm_rf_children(fd, flags, NULL); -+ -+ if (FLAGS_SET(flags, REMOVE_ROOT) && rmdir(path) < 0) -+ q = -errno; -+ } else { - if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT) - return 0; - - if (!IN_SET(errno, ENOTDIR, ELOOP)) - return -errno; - -- if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES)) -+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES) || !FLAGS_SET(flags, REMOVE_ROOT)) - return 0; - -- if (FLAGS_SET(flags, REMOVE_ROOT)) { -- -- if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { -- struct statfs s; -- -- if (statfs(path, &s) < 0) -- return -errno; -- if (is_physical_fs(&s)) -- return log_error_errno(SYNTHETIC_ERRNO(EPERM), -- "Attempted to remove files from a disk file system under \"%s\", refusing.", -- path); -- } -- -- if (unlink(path) < 0) { -- if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT) -- return 0; -+ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { -+ struct statfs s; - -+ if (statfs(path, &s) < 0) - return -errno; -- } -+ if (is_physical_fs(&s)) -+ return log_error_errno(SYNTHETIC_ERRNO(EPERM), -+ "Attempted to remove files from a disk file system under \"%s\", refusing.", -+ path); - } - -- return 0; -+ r = 0; -+ if (unlink(path) < 0) -+ q = -errno; - } - -- r = rm_rf_children(fd, flags, NULL); -- -- if (FLAGS_SET(flags, REMOVE_ROOT) && -- rmdir(path) < 0 && -- r >= 0 && -- (!FLAGS_SET(flags, REMOVE_MISSING_OK) || errno != ENOENT)) -- r = -errno; -- -- return r; -+ if (r < 0) -+ return r; -+ if (q < 0 && (q != -ENOENT || !FLAGS_SET(flags, REMOVE_MISSING_OK))) -+ return q; -+ return 0; - } - - int rm_rf_child(int fd, const char *name, RemoveFlags flags) { --- -2.33.0 - diff --git a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch deleted file mode 100644 index 3fcf1c9..0000000 --- a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 89395b63f04f1acc0db533c32637ea20379f97c0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 23 Nov 2021 15:55:45 +0100 -Subject: [PATCH] shared/rm_rf: refactor rm_rf_children_inner() to shorten code - a bit - -(cherry picked from commit 3bac86abfa1b1720180840ffb9d06b3d54841c11) -(cherry picked from commit 47741ff9eae6311a03e4d3d837128191826a4a3a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/89395b63f04f1acc0db533c32637ea20379f97c0 ---- - src/shared/rm-rf.c | 27 +++++++++------------------ - 1 file changed, 9 insertions(+), 18 deletions(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index 19f37e0f19..7362954116 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -124,7 +124,7 @@ static int rm_rf_children_inner( - const struct stat *root_dev) { - - struct stat st; -- int r; -+ int r, q = 0; - - assert(fd >= 0); - assert(fname); -@@ -142,7 +142,6 @@ static int rm_rf_children_inner( - - if (is_dir) { - _cleanup_close_ int subdir_fd = -1; -- int q; - - /* if root_dev is set, remove subdirectories only if device is same */ - if (root_dev && st.st_dev != root_dev->st_dev) -@@ -178,23 +177,15 @@ static int rm_rf_children_inner( - * again for each directory */ - q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); - -- r = unlinkat_harder(fd, fname, AT_REMOVEDIR, flags); -- if (r < 0) -- return r; -- if (q < 0) -- return q; -- -- return 1; -- -- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) { -- r = unlinkat_harder(fd, fname, 0, flags); -- if (r < 0) -- return r; -- -- return 1; -- } -+ } else if (flags & REMOVE_ONLY_DIRECTORIES) -+ return 0; - -- return 0; -+ r = unlinkat_harder(fd, fname, is_dir ? AT_REMOVEDIR : 0, flags); -+ if (r < 0) -+ return r; -+ if (q < 0) -+ return q; -+ return 1; - } - - int rm_rf_children( --- -2.33.0 - diff --git a/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch b/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch deleted file mode 100644 index fd51c83..0000000 --- a/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 7563de501246dccf5a9ea229933481aa1e7bd5c9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 23 Nov 2021 15:05:58 +0100 -Subject: [PATCH] tmpfiles: 'st' may have been used uninitialized - -(cherry picked from commit 160dadc0350c77d612aa9d5569f57d9bc84c3dca) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7563de501246dccf5a9ea229933481aa1e7bd5c9 ---- - src/shared/rm-rf.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c -index 5ef7c662dd..19f37e0f19 100644 ---- a/src/shared/rm-rf.c -+++ b/src/shared/rm-rf.c -@@ -129,7 +129,9 @@ static int rm_rf_children_inner( - assert(fd >= 0); - assert(fname); - -- if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) { -+ if (is_dir < 0 || -+ root_dev || -+ (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) { - - r = fstatat_harder(fd, fname, &st, AT_SYMLINK_NOFOLLOW, flags); - if (r < 0) --- -2.33.0 - diff --git a/backport-CVE-2022-4415-basic-add-STRERROR-wrapper-for-strerror_r.patch b/backport-CVE-2022-4415-basic-add-STRERROR-wrapper-for-strerror_r.patch deleted file mode 100644 index 11968cf..0000000 --- a/backport-CVE-2022-4415-basic-add-STRERROR-wrapper-for-strerror_r.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 2c5d05b3cd986568105d67891e4010b868dea24f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 7 Oct 2022 12:28:31 +0200 -Subject: [PATCH] basic: add STRERROR() wrapper for strerror_r() - -Conflict:Modify the content in meson.build. -Reference:https://github.com/systemd/systemd/commit/2c5d05b3cd986568105d67891e4010b868dea24f - ---- - src/basic/errno-util.h | 10 +++++++++ - src/test/meson.build | 2 ++ - src/test/test-errno-util.c | 44 ++++++++++++++++++++++++++++++++++++++ - 3 files changed, 56 insertions(+) - create mode 100644 src/test/test-errno-util.c - -diff --git a/src/basic/errno-util.h b/src/basic/errno-util.h -index a71864ca60..f0d24d95cb 100644 ---- a/src/basic/errno-util.h -+++ b/src/basic/errno-util.h -@@ -6,6 +6,16 @@ - - #include "macro.h" - -+/* strerror(3) says that glibc uses a maximum length of 1024 bytes. */ -+#define ERRNO_BUF_LEN 1024 -+ -+/* Note: the lifetime of the compound literal is the immediately surrounding block, -+ * see C11 §6.5.2.5, and -+ * https://stackoverflow.com/questions/34880638/compound-literal-lifetime-and-if-blocks -+ * -+ * Note that we use the GNU variant of strerror_r() here. */ -+#define STRERROR(errnum) strerror_r(abs(errnum), (char[ERRNO_BUF_LEN]){}, ERRNO_BUF_LEN) -+ - static inline void _reset_errno_(int *saved_errno) { - if (*saved_errno < 0) /* Invalidated by UNPROTECT_ERRNO? */ - return; -diff --git a/src/test/meson.build b/src/test/meson.build -index 31ac149b96..86fc1d4fc0 100644 ---- a/src/test/meson.build -+++ b/src/test/meson.build -@@ -615,6 +615,8 @@ tests += [ - [['src/test/test-arphrd-list.c', - generated_gperf_headers]], - -+ [['src/test/test-errno-util.c']], -+ - [['src/test/test-ip-protocol-list.c', - shared_generated_gperf_headers]], - -diff --git a/src/test/test-errno-util.c b/src/test/test-errno-util.c -new file mode 100644 -index 0000000000..284f451002 ---- /dev/null -+++ b/src/test/test-errno-util.c -@@ -0,0 +1,44 @@ -+/* SPDX-License-Identifier: LGPL-2.1-or-later */ -+ -+#include "errno-util.h" -+#include "stdio-util.h" -+#include "string-util.h" -+#include "tests.h" -+ -+TEST(strerror_not_threadsafe) { -+ /* Just check that strerror really is not thread-safe. */ -+ log_info("strerror(%d) → %s", 200, strerror(200)); -+ log_info("strerror(%d) → %s", 201, strerror(201)); -+ log_info("strerror(%d) → %s", INT_MAX, strerror(INT_MAX)); -+ -+ log_info("strerror(%d), strerror(%d) → %p, %p", 200, 201, strerror(200), strerror(201)); -+ -+ /* This call is not allowed, because the first returned string becomes invalid when -+ * we call strerror the second time: -+ * -+ * log_info("strerror(%d), strerror(%d) → %s, %s", 200, 201, strerror(200), strerror(201)); -+ */ -+} -+ -+TEST(STRERROR) { -+ /* Just check that STRERROR really is thread-safe. */ -+ log_info("STRERROR(%d) → %s", 200, STRERROR(200)); -+ log_info("STRERROR(%d) → %s", 201, STRERROR(201)); -+ log_info("STRERROR(%d), STRERROR(%d) → %s, %s", 200, 201, STRERROR(200), STRERROR(201)); -+ -+ const char *a = STRERROR(200), *b = STRERROR(201); -+ assert_se(strstr(a, "200")); -+ assert_se(strstr(b, "201")); -+ -+ /* Check with negative values */ -+ assert_se(streq(a, STRERROR(-200))); -+ assert_se(streq(b, STRERROR(-201))); -+ -+ const char *c = STRERROR(INT_MAX); -+ char buf[DECIMAL_STR_MAX(int)]; -+ xsprintf(buf, "%d", INT_MAX); /* INT_MAX is hexadecimal, use printf to convert to decimal */ -+ log_info("STRERROR(%d) → %s", INT_MAX, c); -+ assert_se(strstr(c, buf)); -+} -+ -+DEFINE_TEST_MAIN(LOG_INFO); --- -2.33.0 - diff --git a/backport-CVE-2022-4415-coredump-adjust-whitespace.patch b/backport-CVE-2022-4415-coredump-adjust-whitespace.patch deleted file mode 100644 index 044b773..0000000 --- a/backport-CVE-2022-4415-coredump-adjust-whitespace.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 510a146634f3e095b34e2a26023b1b1f99dcb8c0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 29 Nov 2022 09:00:16 +0100 -Subject: [PATCH] coredump: adjust whitespace - -Conflict:Delete the modification of parse_config. -Reference:https://github.com/systemd/systemd/commit/510a146634f3e095b34e2a26023b1b1f99dcb8c0 - ---- - src/coredump/coredump.c | 56 ++++++++++++++++++++--------------------- - 1 file changed, 28 insertions(+), 28 deletions(-) - -diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c -index 50220c5ec7..9ce2b92ded 100644 ---- a/src/coredump/coredump.c -+++ b/src/coredump/coredump.c -@@ -111,16 +111,16 @@ enum { - }; - - static const char * const meta_field_names[_META_MAX] = { -- [META_ARGV_PID] = "COREDUMP_PID=", -- [META_ARGV_UID] = "COREDUMP_UID=", -- [META_ARGV_GID] = "COREDUMP_GID=", -- [META_ARGV_SIGNAL] = "COREDUMP_SIGNAL=", -- [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", -- [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", -- [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", -- [META_COMM] = "COREDUMP_COMM=", -- [META_EXE] = "COREDUMP_EXE=", -- [META_UNIT] = "COREDUMP_UNIT=", -+ [META_ARGV_PID] = "COREDUMP_PID=", -+ [META_ARGV_UID] = "COREDUMP_UID=", -+ [META_ARGV_GID] = "COREDUMP_GID=", -+ [META_ARGV_SIGNAL] = "COREDUMP_SIGNAL=", -+ [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", -+ [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", -+ [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", -+ [META_COMM] = "COREDUMP_COMM=", -+ [META_EXE] = "COREDUMP_EXE=", -+ [META_UNIT] = "COREDUMP_UNIT=", - }; - - typedef struct Context { -@@ -139,9 +139,9 @@ typedef enum CoredumpStorage { - } CoredumpStorage; - - static const char* const coredump_storage_table[_COREDUMP_STORAGE_MAX] = { -- [COREDUMP_STORAGE_NONE] = "none", -+ [COREDUMP_STORAGE_NONE] = "none", - [COREDUMP_STORAGE_EXTERNAL] = "external", -- [COREDUMP_STORAGE_JOURNAL] = "journal", -+ [COREDUMP_STORAGE_JOURNAL] = "journal", - }; - - DEFINE_PRIVATE_STRING_TABLE_LOOKUP(coredump_storage, CoredumpStorage); -@@ -209,15 +209,15 @@ static int fix_acl(int fd, uid_t uid) { - static int fix_xattr(int fd, const Context *context) { - - static const char * const xattrs[_META_MAX] = { -- [META_ARGV_PID] = "user.coredump.pid", -- [META_ARGV_UID] = "user.coredump.uid", -- [META_ARGV_GID] = "user.coredump.gid", -- [META_ARGV_SIGNAL] = "user.coredump.signal", -- [META_ARGV_TIMESTAMP] = "user.coredump.timestamp", -- [META_ARGV_RLIMIT] = "user.coredump.rlimit", -- [META_ARGV_HOSTNAME] = "user.coredump.hostname", -- [META_COMM] = "user.coredump.comm", -- [META_EXE] = "user.coredump.exe", -+ [META_ARGV_PID] = "user.coredump.pid", -+ [META_ARGV_UID] = "user.coredump.uid", -+ [META_ARGV_GID] = "user.coredump.gid", -+ [META_ARGV_SIGNAL] = "user.coredump.signal", -+ [META_ARGV_TIMESTAMP] = "user.coredump.timestamp", -+ [META_ARGV_RLIMIT] = "user.coredump.rlimit", -+ [META_ARGV_HOSTNAME] = "user.coredump.hostname", -+ [META_COMM] = "user.coredump.comm", -+ [META_EXE] = "user.coredump.exe", - }; - - int r = 0; --- -2.33.0 - diff --git a/backport-CVE-2022-4415-dont-allow-user-access-coredumps-with-changed-uid.patch b/backport-CVE-2022-4415-dont-allow-user-access-coredumps-with-changed-uid.patch deleted file mode 100644 index b9516a2..0000000 --- a/backport-CVE-2022-4415-dont-allow-user-access-coredumps-with-changed-uid.patch +++ /dev/null @@ -1,386 +0,0 @@ -From 3e4d0f6cf99f8677edd6a237382a65bfe758de03 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 28 Nov 2022 12:12:55 +0100 -Subject: [PATCH] coredump: do not allow user to access coredumps with changed - uid/gid/capabilities - -When the user starts a program which elevates its permissions via setuid, -setgid, or capabilities set on the file, it may access additional information -which would then be visible in the coredump. We shouldn't make the the coredump -visible to the user in such cases. - -Reported-by: Matthias Gerstner - -This reads the /proc//auxv file and attaches it to the process metadata as -PROC_AUXV. Before the coredump is submitted, it is parsed and if either -at_secure was set (which the kernel will do for processes that are setuid, -setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file -is not made accessible to the user. If we can't access this data, we assume the -file should not be made accessible either. In principle we could also access -the auxv data from a note in the core file, but that is much more complex and -it seems better to use the stand-alone file that is provided by the kernel. - -Attaching auxv is both convient for this patch (because this way it's passed -between the stages along with other fields), but I think it makes sense to save -it in general. - -We use the information early in the core file to figure out if the program was -32-bit or 64-bit and its endianness. This way we don't need heuristics to guess -whether the format of the auxv structure. This test might reject some cases on -fringe architecutes. But the impact would be limited: we just won't grant the -user permissions to view the coredump file. If people report that we're missing -some cases, we can always enhance this to support more architectures. - -I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and -ppc64el, but not the whole coredump handling. - -Conflict:Change 'r = fsync_full(fd);' to 'if (fsync(fd) < 0)'. -Reference:https://github.com/systemd/systemd/commit/3e4d0f6cf99f8677edd6a237382a65bfe758de03 - ---- - src/basic/io-util.h | 9 ++ - src/coredump/coredump.c | 196 +++++++++++++++++++++++++++++++++++++--- - 2 files changed, 192 insertions(+), 13 deletions(-) - -diff --git a/src/basic/io-util.h b/src/basic/io-util.h -index 39728e06bc..3afb134266 100644 ---- a/src/basic/io-util.h -+++ b/src/basic/io-util.h -@@ -91,7 +91,16 @@ struct iovec_wrapper *iovw_new(void); - struct iovec_wrapper *iovw_free(struct iovec_wrapper *iovw); - struct iovec_wrapper *iovw_free_free(struct iovec_wrapper *iovw); - void iovw_free_contents(struct iovec_wrapper *iovw, bool free_vectors); -+ - int iovw_put(struct iovec_wrapper *iovw, void *data, size_t len); -+static inline int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) { -+ /* Move data into iovw or free on error */ -+ int r = iovw_put(iovw, data, len); -+ if (r < 0) -+ free(data); -+ return r; -+} -+ - int iovw_put_string_field(struct iovec_wrapper *iovw, const char *field, const char *value); - int iovw_put_string_field_free(struct iovec_wrapper *iovw, const char *field, char *value); - void iovw_rebase(struct iovec_wrapper *iovw, char *old, char *new); -diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c -index 9ce2b92ded..b6f3a2f256 100644 ---- a/src/coredump/coredump.c -+++ b/src/coredump/coredump.c -@@ -4,6 +4,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -107,6 +108,7 @@ enum { - - META_EXE = _META_MANDATORY_MAX, - META_UNIT, -+ META_PROC_AUXV, - _META_MAX - }; - -@@ -121,10 +123,12 @@ static const char * const meta_field_names[_META_MAX] = { - [META_COMM] = "COREDUMP_COMM=", - [META_EXE] = "COREDUMP_EXE=", - [META_UNIT] = "COREDUMP_UNIT=", -+ [META_PROC_AUXV] = "COREDUMP_PROC_AUXV=", - }; - - typedef struct Context { - const char *meta[_META_MAX]; -+ size_t meta_size[_META_MAX]; - pid_t pid; - bool is_pid1; - bool is_journald; -@@ -186,13 +190,16 @@ static uint64_t storage_size_max(void) { - return 0; - } - --static int fix_acl(int fd, uid_t uid) { -+static int fix_acl(int fd, uid_t uid, bool allow_user) { -+ assert(fd >= 0); -+ assert(uid_is_valid(uid)); - - #if HAVE_ACL - int r; - -- assert(fd >= 0); -- assert(uid_is_valid(uid)); -+ /* We don't allow users to read coredumps if the uid or capabilities were changed. */ -+ if (!allow_user) -+ return 0; - - if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY) - return 0; -@@ -252,7 +259,8 @@ static int fix_permissions( - const char *filename, - const char *target, - const Context *context, -- uid_t uid) { -+ uid_t uid, -+ bool allow_user) { - - int r; - -@@ -262,7 +270,7 @@ static int fix_permissions( - - /* Ignore errors on these */ - (void) fchmod(fd, 0640); -- (void) fix_acl(fd, uid); -+ (void) fix_acl(fd, uid, allow_user); - (void) fix_xattr(fd, context); - - if (fsync(fd) < 0) -@@ -332,6 +340,153 @@ static int make_filename(const Context *context, char **ret) { - return 0; - } - -+static int parse_auxv64( -+ const uint64_t *auxv, -+ size_t size_bytes, -+ int *at_secure, -+ uid_t *uid, -+ uid_t *euid, -+ gid_t *gid, -+ gid_t *egid) { -+ -+ assert(auxv || size_bytes == 0); -+ -+ if (size_bytes % (2 * sizeof(uint64_t)) != 0) -+ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes); -+ -+ size_t words = size_bytes / sizeof(uint64_t); -+ -+ /* Note that we set output variables even on error. */ -+ -+ for (size_t i = 0; i + 1 < words; i += 2) -+ switch (auxv[i]) { -+ case AT_SECURE: -+ *at_secure = auxv[i + 1] != 0; -+ break; -+ case AT_UID: -+ *uid = auxv[i + 1]; -+ break; -+ case AT_EUID: -+ *euid = auxv[i + 1]; -+ break; -+ case AT_GID: -+ *gid = auxv[i + 1]; -+ break; -+ case AT_EGID: -+ *egid = auxv[i + 1]; -+ break; -+ case AT_NULL: -+ if (auxv[i + 1] != 0) -+ goto error; -+ return 0; -+ } -+ error: -+ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), -+ "AT_NULL terminator not found, cannot parse auxv structure."); -+} -+ -+static int parse_auxv32( -+ const uint32_t *auxv, -+ size_t size_bytes, -+ int *at_secure, -+ uid_t *uid, -+ uid_t *euid, -+ gid_t *gid, -+ gid_t *egid) { -+ -+ assert(auxv || size_bytes == 0); -+ -+ size_t words = size_bytes / sizeof(uint32_t); -+ -+ if (size_bytes % (2 * sizeof(uint32_t)) != 0) -+ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes); -+ -+ /* Note that we set output variables even on error. */ -+ -+ for (size_t i = 0; i + 1 < words; i += 2) -+ switch (auxv[i]) { -+ case AT_SECURE: -+ *at_secure = auxv[i + 1] != 0; -+ break; -+ case AT_UID: -+ *uid = auxv[i + 1]; -+ break; -+ case AT_EUID: -+ *euid = auxv[i + 1]; -+ break; -+ case AT_GID: -+ *gid = auxv[i + 1]; -+ break; -+ case AT_EGID: -+ *egid = auxv[i + 1]; -+ break; -+ case AT_NULL: -+ if (auxv[i + 1] != 0) -+ goto error; -+ return 0; -+ } -+ error: -+ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), -+ "AT_NULL terminator not found, cannot parse auxv structure."); -+} -+ -+static int grant_user_access(int core_fd, const Context *context) { -+ int at_secure = -1; -+ uid_t uid = UID_INVALID, euid = UID_INVALID; -+ uid_t gid = GID_INVALID, egid = GID_INVALID; -+ int r; -+ -+ assert(core_fd >= 0); -+ assert(context); -+ -+ if (!context->meta[META_PROC_AUXV]) -+ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), "No auxv data, not adjusting permissions."); -+ -+ uint8_t elf[EI_NIDENT]; -+ errno = 0; -+ if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf)) -+ return log_warning_errno(errno_or_else(EIO), -+ "Failed to pread from coredump fd: %s", STRERROR_OR_EOF(errno)); -+ -+ if (elf[EI_MAG0] != ELFMAG0 || -+ elf[EI_MAG1] != ELFMAG1 || -+ elf[EI_MAG2] != ELFMAG2 || -+ elf[EI_MAG3] != ELFMAG3 || -+ elf[EI_VERSION] != EV_CURRENT) -+ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), -+ "Core file does not have ELF header, not adjusting permissions."); -+ if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) || -+ !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB)) -+ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), -+ "Core file has strange ELF class, not adjusting permissions."); -+ -+ if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN)) -+ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), -+ "Core file has non-native endianness, not adjusting permissions."); -+ -+ if (elf[EI_CLASS] == ELFCLASS64) -+ r = parse_auxv64((const uint64_t*) context->meta[META_PROC_AUXV], -+ context->meta_size[META_PROC_AUXV], -+ &at_secure, &uid, &euid, &gid, &egid); -+ else -+ r = parse_auxv32((const uint32_t*) context->meta[META_PROC_AUXV], -+ context->meta_size[META_PROC_AUXV], -+ &at_secure, &uid, &euid, &gid, &egid); -+ if (r < 0) -+ return r; -+ -+ /* We allow access if we got all the data and at_secure is not set and -+ * the uid/gid matches euid/egid. */ -+ bool ret = -+ at_secure == 0 && -+ uid != UID_INVALID && euid != UID_INVALID && uid == euid && -+ gid != GID_INVALID && egid != GID_INVALID && gid == egid; -+ log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", -+ ret ? "permit" : "restrict", -+ uid, euid, gid, egid, yes_no(at_secure)); -+ return ret; -+} -+ - static int save_external_coredump( - const Context *context, - int input_fd, -@@ -454,6 +609,8 @@ static int save_external_coredump( - context->meta[META_ARGV_PID], context->meta[META_COMM]); - truncated = r == 1; - -+ bool allow_user = grant_user_access(fd, context) > 0; -+ - #if HAVE_COMPRESSION - if (arg_compress) { - _cleanup_(unlink_and_freep) char *tmp_compressed = NULL; -@@ -491,7 +648,7 @@ static int save_external_coredump( - uncompressed_size += partial_uncompressed_size; - } - -- r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid); -+ r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user); - if (r < 0) - return r; - -@@ -518,7 +675,7 @@ static int save_external_coredump( - "SIZE_LIMIT=%"PRIu64, max_size, - "MESSAGE_ID=" SD_MESSAGE_TRUNCATED_CORE_STR); - -- r = fix_permissions(fd, tmp, fn, context, uid); -+ r = fix_permissions(fd, tmp, fn, context, uid, allow_user); - if (r < 0) - return log_error_errno(r, "Failed to fix permissions and finalize coredump %s into %s: %m", coredump_tmpfile_name(tmp), fn); - -@@ -766,7 +923,7 @@ static int change_uid_gid(const Context *context) { - } - - static int submit_coredump( -- Context *context, -+ const Context *context, - struct iovec_wrapper *iovw, - int input_fd) { - -@@ -945,16 +1102,15 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { - struct iovec *iovec = iovw->iovec + n; - - for (size_t i = 0; i < ELEMENTSOF(meta_field_names); i++) { -- char *p; -- - /* Note that these strings are NUL terminated, because we made sure that a - * trailing NUL byte is in the buffer, though not included in the iov_len - * count (see process_socket() and gather_pid_metadata_*()) */ - assert(((char*) iovec->iov_base)[iovec->iov_len] == 0); - -- p = startswith(iovec->iov_base, meta_field_names[i]); -+ const char *p = startswith(iovec->iov_base, meta_field_names[i]); - if (p) { - context->meta[i] = p; -+ context->meta_size[i] = iovec->iov_len - strlen(meta_field_names[i]); - break; - } - } -@@ -1191,6 +1347,7 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) { - uid_t owner_uid; - pid_t pid; - char *t; -+ size_t size; - const char *p; - int r; - -@@ -1255,13 +1412,26 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) { - (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_LIMITS=", t); - - p = procfs_file_alloca(pid, "cgroup"); -- if (read_full_virtual_file(p, &t, NULL) >=0) -+ if (read_full_virtual_file(p, &t, NULL) >= 0) - (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_CGROUP=", t); - - p = procfs_file_alloca(pid, "mountinfo"); -- if (read_full_virtual_file(p, &t, NULL) >=0) -+ if (read_full_virtual_file(p, &t, NULL) >= 0) - (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_MOUNTINFO=", t); - -+ /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */ -+ p = procfs_file_alloca(pid, "auxv"); -+ if (read_full_virtual_file(p, &t, &size) >= 0) { -+ char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1); -+ if (buf) { -+ /* Add a dummy terminator to make save_context() happy. */ -+ *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0'; -+ (void) iovw_consume(iovw, buf, size + strlen("COREDUMP_PROC_AUXV=")); -+ } -+ -+ free(t); -+ } -+ - if (get_process_cwd(pid, &t) >= 0) - (void) iovw_put_string_field_free(iovw, "COREDUMP_CWD=", t); - --- -2.33.0 - diff --git a/backport-CVE-2022-4415-test-Add-TEST_RET-macro.patch b/backport-CVE-2022-4415-test-Add-TEST_RET-macro.patch deleted file mode 100644 index 5a1e5d2..0000000 --- a/backport-CVE-2022-4415-test-Add-TEST_RET-macro.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 4c0acc0761aae0370e20e118b9db3b704e9045cd Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Thu, 25 Nov 2021 10:27:51 +0100 -Subject: [PATCH] test: Add TEST_RET macro - -This declares a test function whose return code will be passed from -main(). The first test that does not return EXIT_SUCCESS wins. - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4c0acc0761aae0370e20e118b9db3b704e9045cd - ---- - src/shared/tests.h | 54 ++++++++++++++++++++++++++++++++-------------- - 1 file changed, 38 insertions(+), 16 deletions(-) - -diff --git a/src/shared/tests.h b/src/shared/tests.h -index 872b9b2d6c..d1c96ef35b 100644 ---- a/src/shared/tests.h -+++ b/src/shared/tests.h -@@ -46,46 +46,68 @@ bool can_memlock(void); - const char *ci_environment(void); - - typedef struct TestFunc { -- void (*f)(void); -- const char * const n; -+ union f { -+ void (*void_func)(void); -+ int (*int_func)(void); -+ } f; -+ const char * const name; -+ bool has_ret; - } TestFunc; - - /* See static-destruct.h for an explanation of how this works. */ --#define REGISTER_TEST(func) \ -- static void func(void); \ -- _section_("SYSTEMD_TEST_TABLE") _alignptr_ _used_ _variable_no_sanitize_address_ \ -- static const TestFunc UNIQ_T(static_test_table_entry, UNIQ) = { \ -- .f = &(func), \ -- .n = STRINGIFY(func), \ -+#define REGISTER_TEST(func) \ -+ _section_("SYSTEMD_TEST_TABLE") _alignptr_ _used_ _variable_no_sanitize_address_ \ -+ static const TestFunc UNIQ_T(static_test_table_entry, UNIQ) = { \ -+ .f = (union f) &(func), \ -+ .name = STRINGIFY(func), \ -+ .has_ret = __builtin_types_compatible_p(typeof((union f){}.int_func), typeof(&(func))), \ - } - - extern const TestFunc _weak_ __start_SYSTEMD_TEST_TABLE[]; - extern const TestFunc _weak_ __stop_SYSTEMD_TEST_TABLE[]; - --#define TEST(name) \ -- REGISTER_TEST(test_##name); \ -+#define TEST(name) \ -+ static void test_##name(void); \ -+ REGISTER_TEST(test_##name); \ - static void test_##name(void) - --static inline void run_test_table(void) { -+#define TEST_RET(name) \ -+ static int test_##name(void); \ -+ REGISTER_TEST(test_##name); \ -+ static int test_##name(void) -+ -+static inline int run_test_table(void) { -+ int r = EXIT_SUCCESS; -+ - if (!__start_SYSTEMD_TEST_TABLE) -- return; -+ return r; - - const TestFunc *t = ALIGN_TO_PTR(__start_SYSTEMD_TEST_TABLE, sizeof(TestFunc*)); - while (t < __stop_SYSTEMD_TEST_TABLE) { -- log_info("/* %s */", t->n); -- t->f(); -+ log_info("/* %s */", t->name); -+ -+ if (t->has_ret) { -+ int r2 = t->f.int_func(); -+ if (r == EXIT_SUCCESS) -+ r = r2; -+ } else -+ t->f.void_func(); -+ - t = ALIGN_TO_PTR(t + 1, sizeof(TestFunc*)); - } -+ -+ return r; - } - - #define DEFINE_CUSTOM_TEST_MAIN(log_level, intro, outro) \ - int main(int argc, char *argv[]) { \ -+ int _r = EXIT_SUCCESS; \ - test_setup_logging(log_level); \ - save_argc_argv(argc, argv); \ - intro; \ -- run_test_table(); \ -+ _r = run_test_table(); \ - outro; \ -- return EXIT_SUCCESS; \ -+ return _r; \ - } - - #define DEFINE_TEST_MAIN(log_level) DEFINE_CUSTOM_TEST_MAIN(log_level, , ) --- -2.33.0 - diff --git a/backport-CVE-2022-4415-test-Add-sd_booted-condition-test-to-TEST-macro.patch b/backport-CVE-2022-4415-test-Add-sd_booted-condition-test-to-TEST-macro.patch deleted file mode 100644 index 1479550..0000000 --- a/backport-CVE-2022-4415-test-Add-sd_booted-condition-test-to-TEST-macro.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 0578dfe3eb2ceb8571b62a904dec0ddf410f6352 Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Thu, 25 Nov 2021 10:45:15 +0100 -Subject: [PATCH] test: Add sd_booted condition test to TEST macro - -Note that this will only report test skips if they use TEST_RET macro. -Regular TEST macros can still be skipped, but this will not be reported -back to main(); - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0578dfe3eb2ceb8571b62a904dec0ddf410f6352 - ---- - src/shared/tests.h | 43 ++++++++++++++++++++++++++----------------- - 1 file changed, 26 insertions(+), 17 deletions(-) - -diff --git a/src/shared/tests.h b/src/shared/tests.h -index d1c96ef35b..95283e2829 100644 ---- a/src/shared/tests.h -+++ b/src/shared/tests.h -@@ -39,7 +39,7 @@ bool can_memlock(void); - if (sd_booted() > 0) { \ - x; \ - } else { \ -- printf("systemd not booted skipping '%s'\n", #x); \ -+ printf("systemd not booted, skipping '%s'\n", #x); \ - } - - /* Provide a convenient way to check if we're running in CI. */ -@@ -51,29 +51,31 @@ typedef struct TestFunc { - int (*int_func)(void); - } f; - const char * const name; -- bool has_ret; -+ bool has_ret:1; -+ bool sd_booted:1; - } TestFunc; - - /* See static-destruct.h for an explanation of how this works. */ --#define REGISTER_TEST(func) \ -+#define REGISTER_TEST(func, ...) \ - _section_("SYSTEMD_TEST_TABLE") _alignptr_ _used_ _variable_no_sanitize_address_ \ - static const TestFunc UNIQ_T(static_test_table_entry, UNIQ) = { \ - .f = (union f) &(func), \ - .name = STRINGIFY(func), \ - .has_ret = __builtin_types_compatible_p(typeof((union f){}.int_func), typeof(&(func))), \ -+ ##__VA_ARGS__ \ - } - - extern const TestFunc _weak_ __start_SYSTEMD_TEST_TABLE[]; - extern const TestFunc _weak_ __stop_SYSTEMD_TEST_TABLE[]; - --#define TEST(name) \ -- static void test_##name(void); \ -- REGISTER_TEST(test_##name); \ -+#define TEST(name, ...) \ -+ static void test_##name(void); \ -+ REGISTER_TEST(test_##name, ##__VA_ARGS__); \ - static void test_##name(void) - --#define TEST_RET(name) \ -- static int test_##name(void); \ -- REGISTER_TEST(test_##name); \ -+#define TEST_RET(name, ...) \ -+ static int test_##name(void); \ -+ REGISTER_TEST(test_##name, ##__VA_ARGS__); \ - static int test_##name(void) - - static inline int run_test_table(void) { -@@ -84,14 +86,21 @@ static inline int run_test_table(void) { - - const TestFunc *t = ALIGN_TO_PTR(__start_SYSTEMD_TEST_TABLE, sizeof(TestFunc*)); - while (t < __stop_SYSTEMD_TEST_TABLE) { -- log_info("/* %s */", t->name); -- -- if (t->has_ret) { -- int r2 = t->f.int_func(); -- if (r == EXIT_SUCCESS) -- r = r2; -- } else -- t->f.void_func(); -+ -+ if (t->sd_booted && sd_booted() <= 0) { -+ log_info("/* systemd not booted, skipping %s */", t->name); -+ if (t->has_ret && r == EXIT_SUCCESS) -+ r = EXIT_TEST_SKIP; -+ } else { -+ log_info("/* %s */", t->name); -+ -+ if (t->has_ret) { -+ int r2 = t->f.int_func(); -+ if (r == EXIT_SUCCESS) -+ r = r2; -+ } else -+ t->f.void_func(); -+ } - - t = ALIGN_TO_PTR(t + 1, sizeof(TestFunc*)); - } --- -2.33.0 - diff --git a/backport-CVE-2022-4415-test-Create-convenience-macros-to-declare-tests.patch b/backport-CVE-2022-4415-test-Create-convenience-macros-to-declare-tests.patch deleted file mode 100644 index e5af4bf..0000000 --- a/backport-CVE-2022-4415-test-Create-convenience-macros-to-declare-tests.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 9cc615460830afdb51ad23e594906bbe60a3b25a Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Fri, 12 Nov 2021 10:54:44 +0100 -Subject: [PATCH] test: Create convenience macros to declare tests - -Conflict:Delete all contents in test-macro.c. -Reference:https://github.com/systemd/systemd/commit/9cc615460830afdb51ad23e594906bbe60a3b25a - ---- - src/shared/tests.h | 47 ++++++++++++++++++++++++++++++++++++++ - 1 file changed, 47 insertions(+) - -diff --git a/src/shared/tests.h b/src/shared/tests.h -index c1350763ad..f333ebd842 100644 ---- a/src/shared/tests.h -+++ b/src/shared/tests.h -@@ -43,3 +43,50 @@ bool can_memlock(void); - - /* Provide a convenient way to check if we're running in CI. */ - const char *ci_environment(void); -+ -+typedef struct TestFunc { -+ void (*f)(void); -+ const char * const n; -+} TestFunc; -+ -+/* See static-destruct.h for an explanation of how this works. */ -+#define REGISTER_TEST(func) \ -+ static void func(void); \ -+ _section_("SYSTEMD_TEST_TABLE") _alignptr_ _used_ _variable_no_sanitize_address_ \ -+ static const TestFunc UNIQ_T(static_test_table_entry, UNIQ) = { \ -+ .f = &(func), \ -+ .n = STRINGIFY(func), \ -+ } -+ -+extern const TestFunc _weak_ __start_SYSTEMD_TEST_TABLE[]; -+extern const TestFunc _weak_ __stop_SYSTEMD_TEST_TABLE[]; -+ -+#define TEST(name) \ -+ REGISTER_TEST(test_##name); \ -+ static void test_##name(void) -+ -+static inline void run_test_table(void) { -+ if (!__start_SYSTEMD_TEST_TABLE) -+ return; -+ -+ const TestFunc *t = ALIGN_TO_PTR(__start_SYSTEMD_TEST_TABLE, sizeof(TestFunc*)); -+ while (t < __stop_SYSTEMD_TEST_TABLE) { -+ log_info("/* %s */", t->n); -+ t->f(); -+ t = ALIGN_TO_PTR(t + 1, sizeof(TestFunc*)); -+ } -+} -+ -+#define DEFINE_TEST_MAIN \ -+ int main(int argc, char *argv[]) { \ -+ test_setup_logging(LOG_INFO); \ -+ run_test_table(); \ -+ return EXIT_SUCCESS; \ -+ } -+ -+#define DEFINE_CUSTOM_TEST_MAIN(impl) \ -+ int main(int argc, char *argv[]) { \ -+ test_setup_logging(LOG_INFO); \ -+ run_test_table(); \ -+ return impl(); \ -+ } --- -2.33.0 - diff --git a/backport-CVE-2022-4415-test-Slightly-rework-DEFINE_TEST_MAIN-macros.patch b/backport-CVE-2022-4415-test-Slightly-rework-DEFINE_TEST_MAIN-macros.patch deleted file mode 100644 index a32be71..0000000 --- a/backport-CVE-2022-4415-test-Slightly-rework-DEFINE_TEST_MAIN-macros.patch +++ /dev/null @@ -1,57 +0,0 @@ -From a40b728e1172cc07a09e12dd56089ab37c8c5924 Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Tue, 23 Nov 2021 13:40:27 +0100 -Subject: [PATCH] test: Slightly rework DEFINE_TEST_MAIN macros - -- A lot of tests want a different log level -- Provides saved_argc/saved_argv to tests -- Separate intro/outro is more flexible - -Conflict:Delete content in test-macro.c. -Reference:https://github.com/systemd/systemd/commit/a40b728e1172cc07a09e12dd56089ab37c8c5924 - ---- - src/shared/tests.h | 21 ++++++++++----------- - 1 file changed, 10 insertions(+), 11 deletions(-) - -diff --git a/src/shared/tests.h b/src/shared/tests.h -index f333ebd842..872b9b2d6c 100644 ---- a/src/shared/tests.h -+++ b/src/shared/tests.h -@@ -6,6 +6,7 @@ - #include "sd-daemon.h" - - #include "macro.h" -+#include "util.h" - - static inline bool manager_errno_skip_test(int r) { - return IN_SET(abs(r), -@@ -77,16 +78,14 @@ static inline void run_test_table(void) { - } - } - --#define DEFINE_TEST_MAIN \ -- int main(int argc, char *argv[]) { \ -- test_setup_logging(LOG_INFO); \ -- run_test_table(); \ -- return EXIT_SUCCESS; \ -+#define DEFINE_CUSTOM_TEST_MAIN(log_level, intro, outro) \ -+ int main(int argc, char *argv[]) { \ -+ test_setup_logging(log_level); \ -+ save_argc_argv(argc, argv); \ -+ intro; \ -+ run_test_table(); \ -+ outro; \ -+ return EXIT_SUCCESS; \ - } - --#define DEFINE_CUSTOM_TEST_MAIN(impl) \ -- int main(int argc, char *argv[]) { \ -- test_setup_logging(LOG_INFO); \ -- run_test_table(); \ -- return impl(); \ -- } -+#define DEFINE_TEST_MAIN(log_level) DEFINE_CUSTOM_TEST_MAIN(log_level, , ) --- -2.33.0 - diff --git a/backport-CVE-2022-4415-tree-wide-define-and-use-STRERROR_OR_EOF.patch b/backport-CVE-2022-4415-tree-wide-define-and-use-STRERROR_OR_EOF.patch deleted file mode 100644 index e1f7a72..0000000 --- a/backport-CVE-2022-4415-tree-wide-define-and-use-STRERROR_OR_EOF.patch +++ /dev/null @@ -1,105 +0,0 @@ -From f69ae8585f5ce6cd8d1e6f3ccd6c9c2cf153e846 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 10 Oct 2022 21:19:43 +0200 -Subject: [PATCH] tree-wide: define and use STRERROR_OR_EOF() - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f69ae8585f5ce6cd8d1e6f3ccd6c9c2cf153e846 - ---- - src/basic/errno-util.h | 5 +++++ - src/journal-remote/journal-gatewayd.c | 4 ++-- - src/libsystemd/sd-bus/test-bus-chat.c | 2 +- - src/login/logind-seat.c | 8 ++++---- - src/test/test-errno-util.c | 6 ++++++ - 5 files changed, 18 insertions(+), 7 deletions(-) - -diff --git a/src/basic/errno-util.h b/src/basic/errno-util.h -index f0d24d95cb..1e2e5b9f15 100644 ---- a/src/basic/errno-util.h -+++ b/src/basic/errno-util.h -@@ -16,6 +16,11 @@ - * Note that we use the GNU variant of strerror_r() here. */ - #define STRERROR(errnum) strerror_r(abs(errnum), (char[ERRNO_BUF_LEN]){}, ERRNO_BUF_LEN) - -+/* A helper to print an error message or message for functions that return 0 on EOF. -+ * Note that we can't use ({ … }) to define a temporary variable, so errnum is -+ * evaluated twice. */ -+#define STRERROR_OR_EOF(errnum) ((errnum) != 0 ? STRERROR(errnum) : "Unexpected EOF") -+ - static inline void _reset_errno_(int *saved_errno) { - if (*saved_errno < 0) /* Invalidated by UNPROTECT_ERRNO? */ - return; -diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c -index 3e2a85ce29..34def4670e 100644 ---- a/src/journal-remote/journal-gatewayd.c -+++ b/src/journal-remote/journal-gatewayd.c -@@ -256,7 +256,7 @@ static ssize_t request_reader_entries( - errno = 0; - k = fread(buf, 1, n, m->tmp); - if (k != n) { -- log_error("Failed to read from file: %s", errno != 0 ? strerror_safe(errno) : "Premature EOF"); -+ log_error("Failed to read from file: %s", STRERROR_OR_EOF(errno)); - return MHD_CONTENT_READER_END_WITH_ERROR; - } - -@@ -600,7 +600,7 @@ static ssize_t request_reader_fields( - errno = 0; - k = fread(buf, 1, n, m->tmp); - if (k != n) { -- log_error("Failed to read from file: %s", errno != 0 ? strerror_safe(errno) : "Premature EOF"); -+ log_error("Failed to read from file: %s", STRERROR_OR_EOF(errno)); - return MHD_CONTENT_READER_END_WITH_ERROR; - } - -diff --git a/src/libsystemd/sd-bus/test-bus-chat.c b/src/libsystemd/sd-bus/test-bus-chat.c -index df6dd62151..93e8ebfb1b 100644 ---- a/src/libsystemd/sd-bus/test-bus-chat.c -+++ b/src/libsystemd/sd-bus/test-bus-chat.c -@@ -308,7 +308,7 @@ static void* client1(void *p) { - - errno = 0; - if (read(pp[0], &x, 1) <= 0) { -- log_error("Failed to read from pipe: %s", errno != 0 ? strerror_safe(errno) : "early read"); -+ log_error("Failed to read from pipe: %s", STRERROR_OR_EOF(errno)); - goto finish; - } - -diff --git a/src/login/logind-seat.c b/src/login/logind-seat.c -index 43c72da11f..d8ad424bfe 100644 ---- a/src/login/logind-seat.c -+++ b/src/login/logind-seat.c -@@ -389,11 +389,11 @@ int seat_read_active_vt(Seat *s) { - if (lseek(s->manager->console_active_fd, SEEK_SET, 0) < 0) - return log_error_errno(errno, "lseek on console_active_fd failed: %m"); - -+ errno = 0; - k = read(s->manager->console_active_fd, t, sizeof(t)-1); -- if (k <= 0) { -- log_error("Failed to read current console: %s", k < 0 ? strerror_safe(errno) : "EOF"); -- return k < 0 ? -errno : -EIO; -- } -+ if (k <= 0) -+ return log_error_errno(errno ?: EIO, -+ "Failed to read current console: %s", STRERROR_OR_EOF(errno)); - - t[k] = 0; - truncate_nl(t); -diff --git a/src/test/test-errno-util.c b/src/test/test-errno-util.c -index 284f451002..f858927c92 100644 ---- a/src/test/test-errno-util.c -+++ b/src/test/test-errno-util.c -@@ -41,4 +41,10 @@ TEST(STRERROR) { - assert_se(strstr(c, buf)); - } - -+TEST(STRERROR_OR_ELSE) { -+ log_info("STRERROR_OR_ELSE(0, \"EOF\") → %s", STRERROR_OR_EOF(0)); -+ log_info("STRERROR_OR_ELSE(EPERM, \"EOF\") → %s", STRERROR_OR_EOF(EPERM)); -+ log_info("STRERROR_OR_ELSE(-EPERM, \"EOF\") → %s", STRERROR_OR_EOF(-EPERM)); -+} -+ - DEFINE_TEST_MAIN(LOG_INFO); --- -2.33.0 - diff --git a/backport-Change-gendered-terms-to-be-gender-neutral-21325.patch b/backport-Change-gendered-terms-to-be-gender-neutral-21325.patch deleted file mode 100644 index 44c35d3..0000000 --- a/backport-Change-gendered-terms-to-be-gender-neutral-21325.patch +++ /dev/null @@ -1,131 +0,0 @@ -From 3ba07929636e1a55c71767e40e23bf639b7a8db5 Mon Sep 17 00:00:00 2001 -From: Emily Gonyer -Date: Fri, 12 Nov 2021 10:09:56 -0500 -Subject: [PATCH] Change gendered terms to be gender-neutral (#21325) - -Some typos are also fixed. - -(cherry picked from commit be7148ebed5d73c4a76bc6089ebe2e82d8fa33e0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/3ba07929636e1a55c71767e40e23bf639b7a8db5 ---- - docs/CODING_STYLE.md | 2 +- - docs/PREDICTABLE_INTERFACE_NAMES.md | 2 +- - man/sd_bus_add_object.xml | 2 +- - src/core/manager.h | 2 +- - src/hostname/hostnamectl.c | 2 +- - src/libsystemd/sd-bus/bus-socket.c | 4 ++-- - src/libsystemd/sd-bus/sd-bus.c | 2 +- - src/udev/dmi_memory_id/dmi_memory_id.c | 2 +- - 8 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md -index 54150e1ee7..05fbb2ac9e 100644 ---- a/docs/CODING_STYLE.md -+++ b/docs/CODING_STYLE.md -@@ -287,7 +287,7 @@ layout: default - with a more brutal `assert()`. We are more forgiving to public users than for - ourselves! Note that `assert()` and `assert_return()` really only should be - used for detecting programming errors, not for runtime errors. `assert()` and -- `assert_return()` by usage of `_likely_()` inform the compiler that he should -+ `assert_return()` by usage of `_likely_()` inform the compiler that it should - not expect these checks to fail, and they inform fellow programmers about the - expected validity and range of parameters. - -diff --git a/docs/PREDICTABLE_INTERFACE_NAMES.md b/docs/PREDICTABLE_INTERFACE_NAMES.md -index 07529e7a70..890bd3935c 100644 ---- a/docs/PREDICTABLE_INTERFACE_NAMES.md -+++ b/docs/PREDICTABLE_INTERFACE_NAMES.md -@@ -53,7 +53,7 @@ With this new scheme you now get: - * The same on all distributions that adopted systemd/udev - * It's easy to opt out of the scheme (see below) - --Does this have any drawbacks? Yes, it does. Previously it was practically guaranteed that hosts equipped with a single ethernet card only had a single `eth0` interface. With this new scheme in place, an administrator now has to check first what the local interface name is before he can invoke commands on it where previously he had a good chance that `eth0` was the right name. -+Does this have any drawbacks? Yes, it does. Previously it was practically guaranteed that hosts equipped with a single ethernet card only had a single `eth0` interface. With this new scheme in place, an administrator now has to check first what the local interface name is before they can invoke commands on it, where previously they had a good chance that `eth0` was the right name. - - - ## I don't like this, how do I disable this? -diff --git a/man/sd_bus_add_object.xml b/man/sd_bus_add_object.xml -index 31a3344bbd..54683e4f11 100644 ---- a/man/sd_bus_add_object.xml -+++ b/man/sd_bus_add_object.xml -@@ -508,7 +508,7 @@ - - SD_BUS_VTABLE_METHOD_NO_REPLY - -- Mark his vtable entry as a method that will not return a reply using the -+ Mark this vtable entry as a method that will not return a reply using the - org.freedesktop.DBus.Method.NoReply annotation in introspection data. - - -diff --git a/src/core/manager.h b/src/core/manager.h -index b3e7c68e6d..14a80b396e 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -195,7 +195,7 @@ struct Manager { - - sd_event *event; - -- /* This maps PIDs we care about to units that are interested in. We allow multiple units to he interested in -+ /* This maps PIDs we care about to units that are interested in. We allow multiple units to be interested in - * the same PID and multiple PIDs to be relevant to the same unit. Since in most cases only a single unit will - * be interested in the same PID we use a somewhat special encoding here: the first unit interested in a PID is - * stored directly in the hashmap, keyed by the PID unmodified. If there are other units interested too they'll -diff --git a/src/hostname/hostnamectl.c b/src/hostname/hostnamectl.c -index 283038c7cb..2eca5feaca 100644 ---- a/src/hostname/hostnamectl.c -+++ b/src/hostname/hostnamectl.c -@@ -442,7 +442,7 @@ static int set_hostname(int argc, char **argv, void *userdata) { - * dot if there is one. If it was not valid, then it will be made fully valid by truncating, dropping - * multiple dots, and dropping weird chars. Note that we clean the name up only if we also are - * supposed to set the pretty name. If the pretty name is not being set we assume the user knows what -- * he does and pass the name as-is. */ -+ * they are doing and pass the name as-is. */ - h = strdup(hostname); - if (!h) - return log_oom(); -diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c -index 378774fe8b..09eb49c37f 100644 ---- a/src/libsystemd/sd-bus/bus-socket.c -+++ b/src/libsystemd/sd-bus/bus-socket.c -@@ -300,8 +300,8 @@ static int verify_external_token(sd_bus *b, const char *p, size_t l) { - uid_t u; - int r; - -- /* We don't do any real authentication here. Instead, we if -- * the owner of this bus wanted authentication he should have -+ /* We don't do any real authentication here. Instead, if -+ * the owner of this bus wanted authentication they should have - * checked SO_PEERCRED before even creating the bus object. */ - - if (!b->anonymous_auth && !b->ucred_valid) -diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c -index 79c24fe703..ab8d4e4a60 100644 ---- a/src/libsystemd/sd-bus/sd-bus.c -+++ b/src/libsystemd/sd-bus/sd-bus.c -@@ -3274,7 +3274,7 @@ static int bus_poll(sd_bus *bus, bool need_more, uint64_t timeout_usec) { - return e; - - if (need_more) -- /* The caller really needs some more data, he doesn't -+ /* The caller really needs some more data, they don't - * care about what's already read, or any timeouts - * except its own. */ - e |= POLLIN; -diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c -index 64eba0d314..00e46f8b9e 100644 ---- a/src/udev/dmi_memory_id/dmi_memory_id.c -+++ b/src/udev/dmi_memory_id/dmi_memory_id.c -@@ -539,7 +539,7 @@ static void dmi_table_decode(const uint8_t *buf, size_t len, uint16_t num) { - - /* If a short entry is found (less than 4 bytes), not only it - * is invalid, but we cannot reliably locate the next entry. -- * Better stop at this point, and let the user know his/her -+ * Better stop at this point, and let the user know their - * table is broken. */ - if (h.length < 4) - break; --- -2.33.0 - diff --git a/backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch b/backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch deleted file mode 100644 index a1e4176..0000000 --- a/backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 00e7f0994a39852ab1adabfb7e19ff2634e916a0 Mon Sep 17 00:00:00 2001 -From: Milo Turner -Date: Fri, 13 Aug 2021 10:28:58 -0400 -Subject: [PATCH] Don't open /var journals in volatile mode when - runtime_journal==NULL - -(cherry picked from commit d64441b669932ab97fbbfc71cb143045f690039e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/00e7f0994a39852ab1adabfb7e19ff2634e916a0 ---- - src/journal/journald-server.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index 30f04f5383..a0695ec519 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -415,6 +415,13 @@ static JournalFile* find_journal(Server *s, uid_t uid) { - if (s->runtime_journal) - return s->runtime_journal; - -+ /* If we are not in persistent mode, then we need return NULL immediately rather than opening a -+ * persistent journal of any sort. -+ * -+ * Fixes https://github.com/systemd/systemd/issues/20390 */ -+ if (!IN_SET(s->storage, STORAGE_AUTO, STORAGE_PERSISTENT)) -+ return NULL; -+ - if (uid_for_system_journal(uid)) - return s->system_journal; - --- -2.33.0 - diff --git a/backport-Drop-bundled-copy-of-linux-if_arp.h.patch b/backport-Drop-bundled-copy-of-linux-if_arp.h.patch deleted file mode 100644 index 6453c10..0000000 --- a/backport-Drop-bundled-copy-of-linux-if_arp.h.patch +++ /dev/null @@ -1,227 +0,0 @@ -From f27585b58a308454bf3409a77c8b1dd12fc64816 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 15 Sep 2021 16:33:05 +0200 -Subject: [PATCH] Drop bundled copy of linux/if_arp.h -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As far as I can see, we use this to get a list of ARPHRD_* defines (used in -particular for Type= in .link files). If we drop our copy, and build against -old kernel headers, the user will have a shorter list of types available. This -seems OK, and I don't think it's worth carrying our own version of this file -just to have newest possible entries. - -7c5b9952c4f6e2b72f90edbe439982528b7cf223 recently updated this file, but we'd -have to update it every time the kernel adds new entries. But if we look at -the failure carefully: - -src/basic/arphrd-from-name.gperf:65:16: error: ‘ARPHRD_MCTP’ undeclared (first use in this function); did you mean ‘ARPHRD_FCPP’? - 65 | MCTP, ARPHRD_MCTP - | ^~ - | ARPHRD_FCPP - -we see that the list we were generating was from the system headers, so it was -only as good as the system headers anyway, without the newer entries in our -bundled copy, if there were any. So let's make things simpler by always using -system headers. - -And if somebody wants to fix things so that we always have the newest list, -then we should just generate and store the converted list, not the full header. - -(cherry picked from commit e7f46ee3ae1cc66a94b293957721d68dc09d7449) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f27585b58a308454bf3409a77c8b1dd12fc64816 ---- - src/basic/linux/if_arp.h | 165 --------------------------------------- - src/basic/meson.build | 1 - - 2 files changed, 166 deletions(-) - delete mode 100644 src/basic/linux/if_arp.h - -diff --git a/src/basic/linux/if_arp.h b/src/basic/linux/if_arp.h -deleted file mode 100644 -index 4783af9fe5..0000000000 ---- a/src/basic/linux/if_arp.h -+++ /dev/null -@@ -1,165 +0,0 @@ --/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */ --/* -- * INET An implementation of the TCP/IP protocol suite for the LINUX -- * operating system. INET is implemented using the BSD Socket -- * interface as the means of communication with the user level. -- * -- * Global definitions for the ARP (RFC 826) protocol. -- * -- * Version: @(#)if_arp.h 1.0.1 04/16/93 -- * -- * Authors: Original taken from Berkeley UNIX 4.3, (c) UCB 1986-1988 -- * Portions taken from the KA9Q/NOS (v2.00m PA0GRI) source. -- * Ross Biro -- * Fred N. van Kempen, -- * Florian La Roche, -- * Jonathan Layes -- * Arnaldo Carvalho de Melo ARPHRD_HWX25 -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * as published by the Free Software Foundation; either version -- * 2 of the License, or (at your option) any later version. -- */ --#ifndef _UAPI_LINUX_IF_ARP_H --#define _UAPI_LINUX_IF_ARP_H -- --#include -- --/* ARP protocol HARDWARE identifiers. */ --#define ARPHRD_NETROM 0 /* from KA9Q: NET/ROM pseudo */ --#define ARPHRD_ETHER 1 /* Ethernet 10Mbps */ --#define ARPHRD_EETHER 2 /* Experimental Ethernet */ --#define ARPHRD_AX25 3 /* AX.25 Level 2 */ --#define ARPHRD_PRONET 4 /* PROnet token ring */ --#define ARPHRD_CHAOS 5 /* Chaosnet */ --#define ARPHRD_IEEE802 6 /* IEEE 802.2 Ethernet/TR/TB */ --#define ARPHRD_ARCNET 7 /* ARCnet */ --#define ARPHRD_APPLETLK 8 /* APPLEtalk */ --#define ARPHRD_DLCI 15 /* Frame Relay DLCI */ --#define ARPHRD_ATM 19 /* ATM */ --#define ARPHRD_METRICOM 23 /* Metricom STRIP (new IANA id) */ --#define ARPHRD_IEEE1394 24 /* IEEE 1394 IPv4 - RFC 2734 */ --#define ARPHRD_EUI64 27 /* EUI-64 */ --#define ARPHRD_INFINIBAND 32 /* InfiniBand */ -- --/* Dummy types for non ARP hardware */ --#define ARPHRD_SLIP 256 --#define ARPHRD_CSLIP 257 --#define ARPHRD_SLIP6 258 --#define ARPHRD_CSLIP6 259 --#define ARPHRD_RSRVD 260 /* Notional KISS type */ --#define ARPHRD_ADAPT 264 --#define ARPHRD_ROSE 270 --#define ARPHRD_X25 271 /* CCITT X.25 */ --#define ARPHRD_HWX25 272 /* Boards with X.25 in firmware */ --#define ARPHRD_CAN 280 /* Controller Area Network */ --#define ARPHRD_MCTP 290 --#define ARPHRD_PPP 512 --#define ARPHRD_CISCO 513 /* Cisco HDLC */ --#define ARPHRD_HDLC ARPHRD_CISCO --#define ARPHRD_LAPB 516 /* LAPB */ --#define ARPHRD_DDCMP 517 /* Digital's DDCMP protocol */ --#define ARPHRD_RAWHDLC 518 /* Raw HDLC */ --#define ARPHRD_RAWIP 519 /* Raw IP */ -- --#define ARPHRD_TUNNEL 768 /* IPIP tunnel */ --#define ARPHRD_TUNNEL6 769 /* IP6IP6 tunnel */ --#define ARPHRD_FRAD 770 /* Frame Relay Access Device */ --#define ARPHRD_SKIP 771 /* SKIP vif */ --#define ARPHRD_LOOPBACK 772 /* Loopback device */ --#define ARPHRD_LOCALTLK 773 /* Localtalk device */ --#define ARPHRD_FDDI 774 /* Fiber Distributed Data Interface */ --#define ARPHRD_BIF 775 /* AP1000 BIF */ --#define ARPHRD_SIT 776 /* sit0 device - IPv6-in-IPv4 */ --#define ARPHRD_IPDDP 777 /* IP over DDP tunneller */ --#define ARPHRD_IPGRE 778 /* GRE over IP */ --#define ARPHRD_PIMREG 779 /* PIMSM register interface */ --#define ARPHRD_HIPPI 780 /* High Performance Parallel Interface */ --#define ARPHRD_ASH 781 /* Nexus 64Mbps Ash */ --#define ARPHRD_ECONET 782 /* Acorn Econet */ --#define ARPHRD_IRDA 783 /* Linux-IrDA */ --/* ARP works differently on different FC media .. so */ --#define ARPHRD_FCPP 784 /* Point to point fibrechannel */ --#define ARPHRD_FCAL 785 /* Fibrechannel arbitrated loop */ --#define ARPHRD_FCPL 786 /* Fibrechannel public loop */ --#define ARPHRD_FCFABRIC 787 /* Fibrechannel fabric */ -- /* 787->799 reserved for fibrechannel media types */ --#define ARPHRD_IEEE802_TR 800 /* Magic type ident for TR */ --#define ARPHRD_IEEE80211 801 /* IEEE 802.11 */ --#define ARPHRD_IEEE80211_PRISM 802 /* IEEE 802.11 + Prism2 header */ --#define ARPHRD_IEEE80211_RADIOTAP 803 /* IEEE 802.11 + radiotap header */ --#define ARPHRD_IEEE802154 804 --#define ARPHRD_IEEE802154_MONITOR 805 /* IEEE 802.15.4 network monitor */ -- --#define ARPHRD_PHONET 820 /* PhoNet media type */ --#define ARPHRD_PHONET_PIPE 821 /* PhoNet pipe header */ --#define ARPHRD_CAIF 822 /* CAIF media type */ --#define ARPHRD_IP6GRE 823 /* GRE over IPv6 */ --#define ARPHRD_NETLINK 824 /* Netlink header */ --#define ARPHRD_6LOWPAN 825 /* IPv6 over LoWPAN */ --#define ARPHRD_VSOCKMON 826 /* Vsock monitor header */ -- --#define ARPHRD_VOID 0xFFFF /* Void type, nothing is known */ --#define ARPHRD_NONE 0xFFFE /* zero header length */ -- --/* ARP protocol opcodes. */ --#define ARPOP_REQUEST 1 /* ARP request */ --#define ARPOP_REPLY 2 /* ARP reply */ --#define ARPOP_RREQUEST 3 /* RARP request */ --#define ARPOP_RREPLY 4 /* RARP reply */ --#define ARPOP_InREQUEST 8 /* InARP request */ --#define ARPOP_InREPLY 9 /* InARP reply */ --#define ARPOP_NAK 10 /* (ATM)ARP NAK */ -- -- --/* ARP ioctl request. */ --struct arpreq { -- struct sockaddr arp_pa; /* protocol address */ -- struct sockaddr arp_ha; /* hardware address */ -- int arp_flags; /* flags */ -- struct sockaddr arp_netmask; /* netmask (only for proxy arps) */ -- char arp_dev[IFNAMSIZ]; --}; -- --struct arpreq_old { -- struct sockaddr arp_pa; /* protocol address */ -- struct sockaddr arp_ha; /* hardware address */ -- int arp_flags; /* flags */ -- struct sockaddr arp_netmask; /* netmask (only for proxy arps) */ --}; -- --/* ARP Flag values. */ --#define ATF_COM 0x02 /* completed entry (ha valid) */ --#define ATF_PERM 0x04 /* permanent entry */ --#define ATF_PUBL 0x08 /* publish entry */ --#define ATF_USETRAILERS 0x10 /* has requested trailers */ --#define ATF_NETMASK 0x20 /* want to use a netmask (only -- for proxy entries) */ --#define ATF_DONTPUB 0x40 /* don't answer this addresses */ -- --/* -- * This structure defines an ethernet arp header. -- */ -- --struct arphdr { -- __be16 ar_hrd; /* format of hardware address */ -- __be16 ar_pro; /* format of protocol address */ -- unsigned char ar_hln; /* length of hardware address */ -- unsigned char ar_pln; /* length of protocol address */ -- __be16 ar_op; /* ARP opcode (command) */ -- --#if 0 -- /* -- * Ethernet looks like this : This bit is variable sized however... -- */ -- unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */ -- unsigned char ar_sip[4]; /* sender IP address */ -- unsigned char ar_tha[ETH_ALEN]; /* target hardware address */ -- unsigned char ar_tip[4]; /* target IP address */ --#endif -- --}; -- -- --#endif /* _UAPI_LINUX_IF_ARP_H */ -diff --git a/src/basic/meson.build b/src/basic/meson.build -index 9b016ce5e8..452b965db3 100644 ---- a/src/basic/meson.build -+++ b/src/basic/meson.build -@@ -88,7 +88,6 @@ basic_sources = files(''' - linux/hdlc/ioctl.h - linux/if.h - linux/if_addr.h -- linux/if_arp.h - linux/if_bonding.h - linux/if_bridge.h - linux/if_ether.h --- -2.33.0 - diff --git a/backport-Fix-another-crash-due-to-missing-NHDR.patch b/backport-Fix-another-crash-due-to-missing-NHDR.patch deleted file mode 100644 index 6d8be87..0000000 --- a/backport-Fix-another-crash-due-to-missing-NHDR.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 60630b5e812ce103e9625bcc87778165374a455e Mon Sep 17 00:00:00 2001 -From: Kevin Orr -Date: Thu, 26 Aug 2021 17:04:53 -0400 -Subject: [PATCH] Fix another crash due to missing NHDR - -(cherry picked from commit a3a5446b7675696f43c2d8a2a0b898d72228a53d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/60630b5e812ce103e9625bcc87778165374a455e ---- - src/coredump/stacktrace.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/coredump/stacktrace.c b/src/coredump/stacktrace.c -index e46b324cdf..f855a370ff 100644 ---- a/src/coredump/stacktrace.c -+++ b/src/coredump/stacktrace.c -@@ -299,6 +299,8 @@ static int module_callback(Dwfl_Module *mod, void **userdata, const char *name, - program_header->p_offset, - program_header->p_filesz, - ELF_T_NHDR); -+ if (!data) -+ continue; - - Elf *memelf = elf_memory(data->d_buf, data->d_size); - if (!memelf) --- -2.33.0 - diff --git a/backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch b/backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch deleted file mode 100644 index dd74d47..0000000 --- a/backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch +++ /dev/null @@ -1,33 +0,0 @@ -From d3dfc9afa2297e2e15019adf974da8fb0ab7270c Mon Sep 17 00:00:00 2001 -From: Marcus Harrison -Date: Wed, 15 Sep 2021 03:55:07 +0200 -Subject: [PATCH] Fix error building repart with no libcryptsetup (#20739) - -(cherry picked from commit 2709d02906dd3ab5ecc2b3e19e2846b1714a7e5a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d3dfc9afa2297e2e15019adf974da8fb0ab7270c ---- - src/partition/repart.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/partition/repart.c b/src/partition/repart.c -index 589acaa49d..851c68cc4b 100644 ---- a/src/partition/repart.c -+++ b/src/partition/repart.c -@@ -206,7 +206,12 @@ static const char *encrypt_mode_table[_ENCRYPT_MODE_MAX] = { - [ENCRYPT_KEY_FILE_TPM2] = "key-file+tpm2", - }; - -+#if HAVE_LIBCRYPTSETUP - DEFINE_PRIVATE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(encrypt_mode, EncryptMode, ENCRYPT_KEY_FILE); -+#else -+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(encrypt_mode, EncryptMode, ENCRYPT_KEY_FILE); -+#endif -+ - - static uint64_t round_down_size(uint64_t v, uint64_t p) { - return (v / p) * p; --- -2.33.0 - diff --git a/backport-Fix-the-Failed-to-open-random-seed-.-message.patch b/backport-Fix-the-Failed-to-open-random-seed-.-message.patch deleted file mode 100644 index 7aca3b6..0000000 --- a/backport-Fix-the-Failed-to-open-random-seed-.-message.patch +++ /dev/null @@ -1,33 +0,0 @@ -From c1b4ee2e0fd28a0c802a3694107613e1689d1c96 Mon Sep 17 00:00:00 2001 -From: longpanda <59477474+ventoy@users.noreply.github.com> -Date: Thu, 5 Aug 2021 09:31:44 +0800 -Subject: [PATCH] Fix the "Failed to open random seed ..." message. - -When boot ArchLinux from Ventoy, it always print `Failed to open random seed file: write protected.` -As Ventoy emulate the ISO file as a read-only CDROM, I didn't test with a real physical CDROM drive, but maybe it also has such problem. -As we use `EFI_FILE_MODE_WRITE` to open the `loader\random-seed` file, so I think it's better to check the result with both `EFI_WRITE_PROTECTED` and `EFI_NOT_FOUND`. - -(cherry picked from commit 2846007ecfb1fc84005b942167d394294c707d7b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c1b4ee2e0fd28a0c802a3694107613e1689d1c96 ---- - src/boot/efi/random-seed.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/boot/efi/random-seed.c b/src/boot/efi/random-seed.c -index ff364695f3..3e179851b0 100644 ---- a/src/boot/efi/random-seed.c -+++ b/src/boot/efi/random-seed.c -@@ -245,7 +245,7 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) { - - err = uefi_call_wrapper(root_dir->Open, 5, root_dir, &handle, (CHAR16*) L"\\loader\\random-seed", EFI_FILE_MODE_READ|EFI_FILE_MODE_WRITE, 0ULL); - if (EFI_ERROR(err)) { -- if (err != EFI_NOT_FOUND) -+ if (err != EFI_NOT_FOUND && err != EFI_WRITE_PROTECTED) - Print(L"Failed to open random seed file: %r\n", err); - return err; - } --- -2.33.0 - diff --git a/backport-Get-rid-of-dangling-setutxent.patch b/backport-Get-rid-of-dangling-setutxent.patch deleted file mode 100644 index cb35353..0000000 --- a/backport-Get-rid-of-dangling-setutxent.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 540389a690b1d6cb00620d8ad6f54077a90e15f8 Mon Sep 17 00:00:00 2001 -From: MertsA -Date: Tue, 10 Aug 2021 20:54:50 -0700 -Subject: [PATCH] Get rid of dangling setutxent() - -utmp_wall() and utmp_put_dead_process() called setutxent() directly instead of the stub in utmp-wtmp.h and never called endutxent(). This would leave /run/utmp left open by PID 1 or journald. This can be reproduced by e.g. lsof /run/utmp and systemd-cat -p 0 echo test. For utmp_put_dead_process() it would only leave it open if it returned early before calling write_utmp_wtmp() - -(cherry picked from commit bbd239f67a683fe63ee3698896fa503ff25031ed) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/540389a690b1d6cb00620d8ad6f54077a90e15f8 ---- - src/shared/utmp-wtmp.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c -index 3eeee24693..784aad2943 100644 ---- a/src/shared/utmp-wtmp.c -+++ b/src/shared/utmp-wtmp.c -@@ -215,13 +215,14 @@ int utmp_put_init_process(const char *id, pid_t pid, pid_t sid, const char *line - } - - int utmp_put_dead_process(const char *id, pid_t pid, int code, int status) { -+ _cleanup_(utxent_cleanup) bool utmpx = false; - struct utmpx lookup = { - .ut_type = INIT_PROCESS /* looks for DEAD_PROCESS, LOGIN_PROCESS, USER_PROCESS, too */ - }, store, store_wtmp, *found; - - assert(id); - -- setutxent(); -+ utmpx = utxent_start(); - - /* Copy the whole string if it fits, or just the suffix without the terminating NUL. */ - copy_suffix(store.ut_id, sizeof(store.ut_id), id); -@@ -339,6 +340,7 @@ int utmp_wall( - bool (*match_tty)(const char *tty, void *userdata), - void *userdata) { - -+ _cleanup_(utxent_cleanup) bool utmpx = false; - _cleanup_free_ char *text = NULL, *hn = NULL, *un = NULL, *stdin_tty = NULL; - char date[FORMAT_TIMESTAMP_MAX]; - struct utmpx *u; -@@ -368,7 +370,7 @@ int utmp_wall( - message) < 0) - return -ENOMEM; - -- setutxent(); -+ utmpx = utxent_start(); - - r = 0; - --- -2.33.0 - diff --git a/backport-Respect-install_sysconfdir.patch b/backport-Respect-install_sysconfdir.patch deleted file mode 100644 index c228b0f..0000000 --- a/backport-Respect-install_sysconfdir.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 0062322638aa36df8190326a6afd38780fb7a271 Mon Sep 17 00:00:00 2001 -From: Kai Wohlfahrt -Date: Tue, 14 Sep 2021 00:32:52 +0100 -Subject: [PATCH] Respect install_sysconfdir - -This was lost e11a25cadbe and c900d89faa0 while adding jinja2 -templating. Breaks builds on NixOS. - -(cherry picked from commit 679de141122ca30388bba6d132f8c0dddcdddd15) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0062322638aa36df8190326a6afd38780fb7a271 ---- - src/core/meson.build | 2 +- - src/login/meson.build | 8 +++++--- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/src/core/meson.build b/src/core/meson.build -index c66538eab1..367c085027 100644 ---- a/src/core/meson.build -+++ b/src/core/meson.build -@@ -193,7 +193,7 @@ foreach item : in_files - output: file, - command : [meson_render_jinja2, config_h, '@INPUT@'], - capture : true, -- install : (dir == pkgsysconfdir and install_sysconfdir_samples) or (dir != pkgsysconfdir and dir != 'no'), -+ install : (dir == pkgsysconfdir) ? install_sysconfdir_samples : (dir != 'no'), - install_dir : dir) - endforeach - -diff --git a/src/login/meson.build b/src/login/meson.build -index b637adc9a2..da704d238f 100644 ---- a/src/login/meson.build -+++ b/src/login/meson.build -@@ -71,18 +71,20 @@ in_files = [ - ['70-uaccess.rules', udevrulesdir, enable_logind and conf.get('HAVE_ACL') == 1], - ['71-seat.rules', udevrulesdir, enable_logind], - ['73-seat-late.rules', udevrulesdir, enable_logind], -- ['systemd-user', pamconfdir, enable_logind and pamconfdir != 'no']] -+ ['systemd-user', pamconfdir, enable_logind]] - - foreach tuple : in_files - file = tuple[0] -+ dir = tuple[1] -+ install = (dir == pkgsysconfdir) ? install_sysconfdir_samples : (dir != 'no') - custom_target( - file, - input : file + '.in', - output: file, - command : [meson_render_jinja2, config_h, '@INPUT@'], - capture : true, -- install : tuple[2], -- install_dir : tuple[1]) -+ install : tuple[2] and install, -+ install_dir : dir) - endforeach - - if enable_logind --- -2.33.0 - diff --git a/backport-TEST-15-add-one-more-test-for-drop-in-precedence.patch b/backport-TEST-15-add-one-more-test-for-drop-in-precedence.patch deleted file mode 100644 index 0196b2e..0000000 --- a/backport-TEST-15-add-one-more-test-for-drop-in-precedence.patch +++ /dev/null @@ -1,66 +0,0 @@ -From c3fa408dcc03bb6dbd11f180540fb9e684893c39 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 16 Oct 2022 21:52:43 +0200 -Subject: [PATCH] TEST-15: add one more test for drop-in precedence - ---- - test/units/testsuite-15.sh | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/test/units/testsuite-15.sh b/test/units/testsuite-15.sh -index ed6d5f838d..079c8b290e 100755 ---- a/test/units/testsuite-15.sh -+++ b/test/units/testsuite-15.sh -@@ -282,6 +282,41 @@ MemoryMax=1000000001 - clear_services a-b-c.slice - } - -+test_transient_service_dropins () { -+ echo "Testing dropins for a transient service..." -+ echo "*** test transient service drop-ins" -+ -+ mkdir -p /etc/systemd/system/service.d -+ mkdir -p /etc/systemd/system/a-.service.d -+ mkdir -p /etc/systemd/system/a-b-.service.d -+ mkdir -p /etc/systemd/system/a-b-c.service.d -+ -+ echo -e '[Service]\nStandardInputText=aaa' >/etc/systemd/system/service.d/drop1.conf -+ echo -e '[Service]\nStandardInputText=bbb' >/etc/systemd/system/a-.service.d/drop2.conf -+ echo -e '[Service]\nStandardInputText=ccc' >/etc/systemd/system/a-b-.service.d/drop3.conf -+ echo -e '[Service]\nStandardInputText=ddd' >/etc/systemd/system/a-b-c.service.d/drop4.conf -+ -+ # There's no fragment yet, so this fails -+ systemctl cat a-b-c.service && exit 1 -+ -+ # xxx → eHh4Cg== -+ systemd-run -u a-b-c.service -p StandardInputData=eHh4Cg== sleep infinity -+ -+ data=$(systemctl show -P StandardInputData a-b-c.service) -+ # xxx\naaa\n\bbb\nccc\nddd\n → eHh4… -+ test "$data" = "eHh4CmFhYQpiYmIKY2NjCmRkZAo=" -+ -+ # Do a reload and check again -+ systemctl daemon-reload -+ data=$(systemctl show -P StandardInputData a-b-c.service) -+ test "$data" = "eHh4CmFhYQpiYmIKY2NjCmRkZAo=" -+ -+ clear_services a-b-c.service -+ rm /etc/systemd/system/service.d/drop1.conf \ -+ /etc/systemd/system/a-.service.d/drop2.conf \ -+ /etc/systemd/system/a-b-.service.d/drop3.conf -+} -+ - test_template_dropins () { - echo "Testing template dropins..." - -@@ -621,6 +656,7 @@ test_linked_units - test_template_alias - test_hierarchical_service_dropins - test_hierarchical_slice_dropins -+test_transient_service_dropins - test_template_dropins - test_alias_dropins - test_masked_dropins --- -2.33.0 - diff --git a/backport-TEST-15-add-test-for-transient-units-with-drop-ins.patch b/backport-TEST-15-add-test-for-transient-units-with-drop-ins.patch deleted file mode 100644 index e265339..0000000 --- a/backport-TEST-15-add-test-for-transient-units-with-drop-ins.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 6854434cfb5dda10c07d95835c38b75e5e71c2b5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 16 Oct 2022 14:02:45 +0200 -Subject: [PATCH] TEST-15: add test for transient units with drop-ins - -We want to test four things: -- that the transient units are successfully started when drop-ins exist -- that the transient setings override the defaults -- the drop-ins override the transient settings (the same as for a normal unit) -- that things are the same before and after a reload - -To make things more fun, we start and stop units in two different ways: via -systemctl and via a direct busctl invocation. This gives us a bit more coverage -of different code paths. ---- - test/units/testsuite-15.sh | 62 ++++++++++++++++++++++++++++++++++---- - 1 file changed, 56 insertions(+), 6 deletions(-) - -diff --git a/test/units/testsuite-15.sh b/test/units/testsuite-15.sh -index 8b44d76982..ed6d5f838d 100755 ---- a/test/units/testsuite-15.sh -+++ b/test/units/testsuite-15.sh -@@ -181,19 +181,40 @@ test_hierarchical_service_dropins () { - echo "Testing hierarchical service dropins..." - echo "*** test service.d/ top level drop-in" - create_services a-b-c -- check_ko a-b-c ExecCondition "/bin/echo service.d" -- check_ko a-b-c ExecCondition "/bin/echo a-.service.d" -- check_ko a-b-c ExecCondition "/bin/echo a-b-.service.d" -- check_ko a-b-c ExecCondition "/bin/echo a-b-c.service.d" -+ check_ko a-b-c ExecCondition "echo service.d" -+ check_ko a-b-c ExecCondition "echo a-.service.d" -+ check_ko a-b-c ExecCondition "echo a-b-.service.d" -+ check_ko a-b-c ExecCondition "echo a-b-c.service.d" - - for dropin in service.d a-.service.d a-b-.service.d a-b-c.service.d; do - mkdir -p /usr/lib/systemd/system/$dropin - echo " - [Service] --ExecCondition=/bin/echo $dropin -+ExecCondition=echo $dropin - " >/usr/lib/systemd/system/$dropin/override.conf - systemctl daemon-reload -- check_ok a-b-c ExecCondition "/bin/echo $dropin" -+ check_ok a-b-c ExecCondition "echo $dropin" -+ -+ # Check that we can start a transient service in presence of the drop-ins -+ systemd-run -u a-b-c2.service -p Description='sleepy' sleep infinity -+ -+ # The transient setting replaces the default -+ check_ok a-b-c2.service Description "sleepy" -+ -+ # The override takes precedence for ExecCondition -+ # (except the last iteration when it only applies to the other service) -+ if [ "$dropin" != "a-b-c.service.d" ]; then -+ check_ok a-b-c2.service ExecCondition "echo $dropin" -+ fi -+ -+ # Check that things are the same after a reload -+ systemctl daemon-reload -+ check_ok a-b-c2.service Description "sleepy" -+ if [ "$dropin" != "a-b-c.service.d" ]; then -+ check_ok a-b-c2.service ExecCondition "echo $dropin" -+ fi -+ -+ systemctl stop a-b-c2.service - done - for dropin in service.d a-.service.d a-b-.service.d a-b-c.service.d; do - rm -rf /usr/lib/systemd/system/$dropin -@@ -218,6 +239,35 @@ MemoryMax=1000000000 - " >/usr/lib/systemd/system/$dropin/override.conf - systemctl daemon-reload - check_ok a-b-c.slice MemoryMax "1000000000" -+ -+ busctl call \ -+ org.freedesktop.systemd1 \ -+ /org/freedesktop/systemd1 \ -+ org.freedesktop.systemd1.Manager \ -+ StartTransientUnit 'ssa(sv)a(sa(sv))' \ -+ 'a-b-c.slice' 'replace' \ -+ 2 \ -+ 'Description' s 'slice too' \ -+ 'MemoryMax' t 1000000002 \ -+ 0 -+ -+ # The override takes precedence for MemoryMax -+ check_ok a-b-c.slice MemoryMax "1000000000" -+ # The transient setting replaces the default -+ check_ok a-b-c.slice Description "slice too" -+ -+ # Check that things are the same after a reload -+ systemctl daemon-reload -+ check_ok a-b-c.slice MemoryMax "1000000000" -+ check_ok a-b-c.slice Description "slice too" -+ -+ busctl call \ -+ org.freedesktop.systemd1 \ -+ /org/freedesktop/systemd1 \ -+ org.freedesktop.systemd1.Manager \ -+ StopUnit 'ss' \ -+ 'a-b-c.slice' 'replace' -+ - rm /usr/lib/systemd/system/$dropin/override.conf - done - --- -2.33.0 - diff --git a/backport-TEST-15-also-test-hierarchical-drop-ins-for-slices.patch b/backport-TEST-15-also-test-hierarchical-drop-ins-for-slices.patch deleted file mode 100644 index a4cab79..0000000 --- a/backport-TEST-15-also-test-hierarchical-drop-ins-for-slices.patch +++ /dev/null @@ -1,78 +0,0 @@ -From f80c874af376052b6b81f47cbbc43d7fecd98cd6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 16 Oct 2022 12:54:34 +0200 -Subject: [PATCH] TEST-15: also test hierarchical drop-ins for slices - -Slices are worth testing too, because they don't need a fragment path so they -behave slightly differently than service units. I'm making this a separate -patch from the actual tests that I wanted to add later because it's complex -enough on its own. ---- - test/units/testsuite-15.sh | 37 ++++++++++++++++++++++++++++++++++--- - 1 file changed, 34 insertions(+), 3 deletions(-) - -diff --git a/test/units/testsuite-15.sh b/test/units/testsuite-15.sh -index c3784e2..8bae64d 100755 ---- a/test/units/testsuite-15.sh -+++ b/test/units/testsuite-15.sh -@@ -174,8 +174,8 @@ test_template_alias() { - clear_services test15-a@ test15-b@ - } - --test_hierarchical_dropins () { -- echo "Testing hierarchical dropins..." -+test_hierarchical_service_dropins () { -+ echo "Testing hierarchical service dropins..." - echo "*** test service.d/ top level drop-in" - create_services a-b-c - check_ko a-b-c ExecCondition "/bin/echo service.d" -@@ -199,6 +199,36 @@ ExecCondition=/bin/echo $dropin - clear_services a-b-c - } - -+test_hierarchical_slice_dropins () { -+ echo "Testing hierarchical slice dropins..." -+ echo "*** test slice.d/ top level drop-in" -+ # Slice units don't even need a fragment, so we test the defaults here -+ check_ok a-b-c.slice Description "Slice /a/b/c" -+ check_ok a-b-c.slice MemoryMax "infinity" -+ -+ # Test drop-ins -+ for dropin in slice.d a-.slice.d a-b-.slice.d a-b-c.slice.d; do -+ mkdir -p /usr/lib/systemd/system/$dropin -+ echo " -+[Slice] -+MemoryMax=1000000000 -+ " >/usr/lib/systemd/system/$dropin/override.conf -+ systemctl daemon-reload -+ check_ok a-b-c.slice MemoryMax "1000000000" -+ rm /usr/lib/systemd/system/$dropin/override.conf -+ done -+ -+ # Test unit with a fragment -+ echo " -+[Slice] -+MemoryMax=1000000001 -+ " >/usr/lib/systemd/system/a-b-c.slice -+ systemctl daemon-reload -+ check_ok a-b-c.slice MemoryMax "1000000001" -+ -+ clear_services a-b-c.slice -+} -+ - test_template_dropins () { - echo "Testing template dropins..." - -@@ -517,7 +547,8 @@ test_invalid_dropins () { - test_basic_dropins - test_linked_units - test_template_alias --test_hierarchical_dropins -+test_hierarchical_service_dropins -+test_hierarchical_slice_dropins - test_template_dropins - test_alias_dropins - test_masked_dropins --- -2.33.0 - diff --git a/backport-Use-correct-fcntl.h-include.patch b/backport-Use-correct-fcntl.h-include.patch deleted file mode 100644 index 87940c4..0000000 --- a/backport-Use-correct-fcntl.h-include.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3450d8dc8ddb582816c6c481b6a9b7378706ab3b Mon Sep 17 00:00:00 2001 -From: David Seifert -Date: Mon, 2 Aug 2021 12:41:38 +0200 -Subject: [PATCH] Use correct `` include - -* `` is not specified in POSIX - -(cherry picked from commit f8d54f7810aeea5ff27a5db03e1aab7ea54c8268) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/3450d8dc8ddb582816c6c481b6a9b7378706ab3b ---- - src/basic/fileio.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index c28b17fef5..9bd2037f5b 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -2,11 +2,11 @@ - #pragma once - - #include -+#include - #include - #include - #include - #include --#include - #include - - #include "macro.h" --- -2.33.0 - diff --git a/backport-Use-correct-poll.h-include.patch b/backport-Use-correct-poll.h-include.patch deleted file mode 100644 index 6013564..0000000 --- a/backport-Use-correct-poll.h-include.patch +++ /dev/null @@ -1,43 +0,0 @@ -From fba9fd963bb3b5fafdb123788b3fabe6ed0830c9 Mon Sep 17 00:00:00 2001 -From: David Seifert -Date: Mon, 2 Aug 2021 16:09:10 +0200 -Subject: [PATCH] Use correct `` include - -* `` is not specified in POSIX - -(cherry picked from commit 2b6c0bb2a341c95223ce672249e43c743b03d78c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/fba9fd963bb3b5fafdb123788b3fabe6ed0830c9 ---- - src/shared/nscd-flush.c | 2 +- - src/shared/varlink.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/shared/nscd-flush.c b/src/shared/nscd-flush.c -index dfc47c4234..19e16d9345 100644 ---- a/src/shared/nscd-flush.c -+++ b/src/shared/nscd-flush.c -@@ -1,5 +1,5 @@ - /* SPDX-License-Identifier: LGPL-2.1-or-later */ --#include -+#include - - #include "fd-util.h" - #include "io-util.h" -diff --git a/src/shared/varlink.c b/src/shared/varlink.c -index 6b0b343ae9..8da568e208 100644 ---- a/src/shared/varlink.c -+++ b/src/shared/varlink.c -@@ -1,7 +1,7 @@ - /* SPDX-License-Identifier: LGPL-2.1-or-later */ - - #include --#include -+#include - - #include "alloc-util.h" - #include "errno-util.h" --- -2.33.0 - diff --git a/backport-analyze-add-forgotten-return-statement.patch b/backport-analyze-add-forgotten-return-statement.patch deleted file mode 100644 index c0c95b2..0000000 --- a/backport-analyze-add-forgotten-return-statement.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 53fd101c2144cb104d34aea8e68c7c24443107bd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 7 Oct 2022 15:52:33 +0200 -Subject: [PATCH] analyze: add forgotten return statement - -We would fail with an assert in sd_bus_message_enter_container() afterwards. - -(cherry picked from commit 5475e963c5e6ade35404384ba03caf79cb1bc2e5) -(cherry picked from commit e0ba044985ac33d5eb2fb0d09fc2ff1b2f9b73dc) -(cherry picked from commit 1316666e98accf6b8ab8cb0fb5ef73d275049a34) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/53fd101c2144cb104d34aea8e68c7c24443107bd ---- - src/analyze/analyze.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c -index 62c0ccbdfe..6452d23331 100644 ---- a/src/analyze/analyze.c -+++ b/src/analyze/analyze.c -@@ -1274,7 +1274,7 @@ static int dot(int argc, char *argv[], void *userdata) { - - r = bus_call_method(bus, bus_systemd_mgr, "ListUnits", &error, &reply, NULL); - if (r < 0) -- log_error_errno(r, "Failed to list units: %s", bus_error_message(&error, r)); -+ return log_error_errno(r, "Failed to list units: %s", bus_error_message(&error, r)); - - r = sd_bus_message_enter_container(reply, SD_BUS_TYPE_ARRAY, "(ssssssouso)"); - if (r < 0) --- -2.27.0 - diff --git a/backport-analyze-fix-printing-config-when-there-is-no-main-co.patch b/backport-analyze-fix-printing-config-when-there-is-no-main-co.patch deleted file mode 100644 index 4abd79e..0000000 --- a/backport-analyze-fix-printing-config-when-there-is-no-main-co.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 8621f957b6e3a7eed1c5965d332ad1c4c594f26e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 20 Nov 2021 11:42:31 +0100 -Subject: [PATCH] analyze: fix printing config when there is no main config - file - -Since 8b8024f1c231c166f5c450905c8fd91d11704ae7 and the follow-up commits, the -main config file may be located in /usr or in other paths. But the code in -analyze.c was still assuming that it must be in /etc. Things mostly worked for -our own config files because we usually install a comments-only file in /etc, -but was not correct in the general case. - -This fixes in particular 'systemd-analyze cat-config systemd/zram-generator.conf'. -In Fedora we distribute a config file in zram-generator-defaults.rpm that is in -/usr/lib, and 'cat-config' would refuse to show it because -/etc/systemd/zram-generator.conf does not exist. - -The main config file is optional, but let's print an informative message -because this is a slightly unusual case. - -The file paths that we printed were missing the root prefix. - -(cherry picked from commit 0895e87348e5fc02f50498cad5922eb3eb172323) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8621f957b6e3a7eed1c5965d332ad1c4c594f26e ---- - src/shared/pretty-print.c | 43 ++++++++++++++++++++++++++------------- - 1 file changed, 29 insertions(+), 14 deletions(-) - -diff --git a/src/shared/pretty-print.c b/src/shared/pretty-print.c -index 137ba77b3a..97baeda401 100644 ---- a/src/shared/pretty-print.c -+++ b/src/shared/pretty-print.c -@@ -300,24 +300,39 @@ int conf_files_cat(const char *root, const char *name) { - return log_error_errno(r, "Failed to build directory list: %m"); - } - -- r = conf_files_list_strv(&files, extension, root, 0, (const char* const*) dirs); -- if (r < 0) -- return log_error_errno(r, "Failed to query file list: %m"); -+ if (DEBUG_LOGGING) { -+ log_debug("Looking for configuration in:"); -+ if (!is_collection) -+ STRV_FOREACH(prefix, prefixes) -+ log_debug(" %s%s%s", strempty(root), *prefix, name); - -+ STRV_FOREACH(t, dirs) -+ log_debug(" %s%s/*%s", strempty(root), *t, extension); -+ } -+ -+ /* First locate the main config file, if any */ - if (!is_collection) { -- path = path_join(root, "/etc", name); -+ STRV_FOREACH(prefix, prefixes) { -+ path = path_join(root, *prefix, name); -+ if (!path) -+ return log_oom(); -+ if (access(path, F_OK) == 0) -+ break; -+ path = mfree(path); -+ } -+ - if (!path) -- return log_oom(); -+ printf("%s# Main configuration file %s not found%s\n", -+ ansi_highlight_magenta(), -+ name, -+ ansi_normal()); - } - -- if (DEBUG_LOGGING) { -- log_debug("Looking for configuration in:"); -- if (path) -- log_debug(" %s", path); -- STRV_FOREACH(t, dirs) -- log_debug(" %s/*%s", *t, extension); -- } -+ /* Then locate the drop-ins, if any */ -+ r = conf_files_list_strv(&files, extension, root, 0, (const char* const*) dirs); -+ if (r < 0) -+ return log_error_errno(r, "Failed to query file list: %m"); - -- /* show */ -- return cat_files(path, files, CAT_FLAGS_MAIN_FILE_OPTIONAL); -+ /* Show */ -+ return cat_files(path, files, 0); - } --- -2.33.0 - diff --git a/backport-argv-util-also-update-program_invocation_short_name.patch b/backport-argv-util-also-update-program_invocation_short_name.patch deleted file mode 100644 index 6ef6486..0000000 --- a/backport-argv-util-also-update-program_invocation_short_name.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 73be22c6f245ad86ef33d95bd4ab0a8e9fd121be Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 3 Feb 2023 18:29:36 +0900 -Subject: [PATCH] argv-util: also update program_invocation_short_name - -Our logging uses program_invocation_short_name. Without this patch, -logs from forked client may become broken; spuriously truncated or -the short invocation name is not completely shown in the log. - -(cherry picked from commit dd15e4cb57129b915e01495e113696bfe0b70214) -(cherry picked from commit ce4726468dc02bd7383cd7d90c8769576c6973e3) -(cherry picked from commit 7a862d9d1a7196a5576720959849f45fc68b041c) -(cherry picked from commit 9fbbd7bf28e5362b786e152a9ce4e8bd40621759) ---- - src/basic/process-util.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/basic/process-util.c b/src/basic/process-util.c -index b76ca6f7c5..10651a4564 100644 ---- a/src/basic/process-util.c -+++ b/src/basic/process-util.c -@@ -371,6 +371,10 @@ int rename_process(const char name[]) { - strncpy(program_invocation_name, name, k); - if (l > k) - truncated = true; -+ -+ /* Also update the short name. */ -+ char *p = strrchr(program_invocation_name, '/'); -+ program_invocation_short_name = p ? p + 1 : program_invocation_name; - } - - /* Third step, completely replace the argv[] array the kernel maintains for us. This requires privileges, but --- -2.27.0 - diff --git a/backport-backlight-ignore-error-if-the-backlight-device-is-al.patch b/backport-backlight-ignore-error-if-the-backlight-device-is-al.patch deleted file mode 100644 index c02cf02..0000000 --- a/backport-backlight-ignore-error-if-the-backlight-device-is-al.patch +++ /dev/null @@ -1,43 +0,0 @@ -From a69c240157e2ca066130c12bb061e0065f2c2425 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 5 Jan 2022 18:26:46 +0900 -Subject: [PATCH] backlight: ignore error if the backlight device is already - removed - -Fixes #21997. - -(cherry picked from commit f0f65087834198d4dabf8b389ddc34223400aab7) -(cherry picked from commit b4c57e1b1c249f28f13a86637d8854c920bcf26d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a69c240157e2ca066130c12bb061e0065f2c2425 ---- - src/backlight/backlight.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/src/backlight/backlight.c b/src/backlight/backlight.c -index 7c0970a60c..5aeee0de47 100644 ---- a/src/backlight/backlight.c -+++ b/src/backlight/backlight.c -@@ -395,8 +395,16 @@ static int run(int argc, char *argv[]) { - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a backlight or LED device: '%s:%s'", ss, sysname); - - r = sd_device_new_from_subsystem_sysname(&device, ss, sysname); -- if (r < 0) -- return log_error_errno(r, "Failed to get backlight or LED device '%s:%s': %m", ss, sysname); -+ if (r < 0) { -+ bool ignore = r == -ENODEV; -+ -+ /* Some drivers, e.g. for AMD GPU, removes acpi backlight device soon after it is added. -+ * See issue #21997. */ -+ log_full_errno(ignore ? LOG_DEBUG : LOG_ERR, r, -+ "Failed to get backlight or LED device '%s:%s'%s: %m", -+ ss, sysname, ignore ? ", ignoring" : ""); -+ return ignore ? 0 : r; -+ } - - /* If max_brightness is 0, then there is no actual backlight device. This happens on desktops - * with Asus mainboards that load the eeepc-wmi module. */ --- -2.33.0 - diff --git a/backport-basic-env-util-correctly-parse-extended-vars-after-n.patch b/backport-basic-env-util-correctly-parse-extended-vars-after-n.patch deleted file mode 100644 index 5db2bca..0000000 --- a/backport-basic-env-util-correctly-parse-extended-vars-after-n.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 74583cad5a3bf4051b879b8b1ac53934027ef485 Mon Sep 17 00:00:00 2001 -From: Andrew Soutar -Date: Tue, 5 Oct 2021 22:55:27 -0400 -Subject: [PATCH] basic/env-util: correctly parse extended vars after - non-extended vars (#20941) - -(cherry picked from commit 5ef97a712236f0ddddec52665c0aea7d4e6d3c13) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/74583cad5a3bf4051b879b8b1ac53934027ef485 ---- - src/basic/env-util.c | 1 + - src/test/test-env-util.c | 5 ++++- - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/basic/env-util.c b/src/basic/env-util.c -index 81b1e3f10e..1ca445dab4 100644 ---- a/src/basic/env-util.c -+++ b/src/basic/env-util.c -@@ -577,6 +577,7 @@ char *replace_env_n(const char *format, size_t n, char **env, unsigned flags) { - - word = e+1; - state = WORD; -+ nest--; - } else if (*e == ':') { - if (flags & REPLACE_ENV_ALLOW_EXTENDED) { - len = e - word - 2; -diff --git a/src/test/test-env-util.c b/src/test/test-env-util.c -index ed4580e4af..3d5951c46e 100644 ---- a/src/test/test-env-util.c -+++ b/src/test/test-env-util.c -@@ -198,7 +198,7 @@ static void test_replace_env2(bool extended) { - "BAR=bar", - NULL - }; -- _cleanup_free_ char *t = NULL, *s = NULL, *q = NULL, *r = NULL, *p = NULL, *x = NULL; -+ _cleanup_free_ char *t = NULL, *s = NULL, *q = NULL, *r = NULL, *p = NULL, *x = NULL, *y = NULL; - unsigned flags = REPLACE_ENV_ALLOW_EXTENDED*extended; - - t = replace_env("FOO=${FOO:-${BAR}}", (char**) env, flags); -@@ -218,6 +218,9 @@ static void test_replace_env2(bool extended) { - - x = replace_env("XXX=${XXX:+${BAR}post}", (char**) env, flags); - assert_se(streq(x, extended ? "XXX=" : "XXX=${XXX:+barpost}")); -+ -+ y = replace_env("FOO=${FOO}between${BAR:-baz}", (char**) env, flags); -+ assert_se(streq(y, extended ? "FOO=foobetweenbar" : "FOO=foobetween${BAR:-baz}")); - } - - static void test_replace_env_argv(void) { --- -2.33.0 - diff --git a/backport-basic-escape-add-helper-for-quoting-command-lines.patch b/backport-basic-escape-add-helper-for-quoting-command-lines.patch deleted file mode 100644 index c405da8..0000000 --- a/backport-basic-escape-add-helper-for-quoting-command-lines.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 17d1b0d2dd109c5e413d8ef1eb5835344f9314b9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 7 Jul 2021 16:27:51 +0200 -Subject: [PATCH] basic/escape: add helper for quoting command lines - -(cherry picked from commit eeb91d29b0279d6bf8a3f1c4da54c9e9c0881a19) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/17d1b0d2dd109c5e413d8ef1eb5835344f9314b9 ---- - src/basic/escape.c | 21 +++++++++++++++++++++ - src/basic/escape.h | 1 + - src/test/test-escape.c | 24 ++++++++++++++++++++++++ - 3 files changed, 46 insertions(+) - -diff --git a/src/basic/escape.c b/src/basic/escape.c -index 2a3a0e31a1..fcade5a1b4 100644 ---- a/src/basic/escape.c -+++ b/src/basic/escape.c -@@ -8,6 +8,7 @@ - #include "escape.h" - #include "hexdecoct.h" - #include "macro.h" -+#include "strv.h" - #include "utf8.h" - - int cescape_char(char c, char *buf) { -@@ -542,3 +543,23 @@ char* shell_maybe_quote(const char *s, ShellEscapeFlags flags) { - - return str_realloc(buf); - } -+ -+char* quote_command_line(char **argv) { -+ _cleanup_free_ char *result = NULL; -+ -+ assert(argv); -+ -+ char **a; -+ STRV_FOREACH(a, argv) { -+ _cleanup_free_ char *t = NULL; -+ -+ t = shell_maybe_quote(*a, SHELL_ESCAPE_EMPTY); -+ if (!t) -+ return NULL; -+ -+ if (!strextend_with_separator(&result, " ", t)) -+ return NULL; -+ } -+ -+ return TAKE_PTR(result); -+} -diff --git a/src/basic/escape.h b/src/basic/escape.h -index 907b572bd4..e9d48d227a 100644 ---- a/src/basic/escape.h -+++ b/src/basic/escape.h -@@ -68,3 +68,4 @@ char* escape_non_printable_full(const char *str, size_t console_width, XEscapeFl - - char* shell_escape(const char *s, const char *bad); - char* shell_maybe_quote(const char *s, ShellEscapeFlags flags); -+char* quote_command_line(char **argv); -diff --git a/src/test/test-escape.c b/src/test/test-escape.c -index 991b135a33..8bda9cdc8d 100644 ---- a/src/test/test-escape.c -+++ b/src/test/test-escape.c -@@ -192,6 +192,29 @@ static void test_shell_maybe_quote(void) { - test_shell_maybe_quote_one("gÅ‚Ä…b\002\003rzÄ…d", SHELL_ESCAPE_POSIX, "$'gÅ‚Ä…b\\002\\003rzÄ…d'"); - } - -+static void test_quote_command_line_one(char **argv, const char *expected) { -+ _cleanup_free_ char *s; -+ -+ assert_se(s = quote_command_line(argv)); -+ log_info("%s", s); -+ assert_se(streq(s, expected)); -+} -+ -+static void test_quote_command_line(void) { -+ log_info("/* %s */", __func__); -+ -+ test_quote_command_line_one(STRV_MAKE("true", "true"), -+ "true true"); -+ test_quote_command_line_one(STRV_MAKE("true", "with a space"), -+ "true \"with a space\""); -+ test_quote_command_line_one(STRV_MAKE("true", "with a 'quote'"), -+ "true \"with a 'quote'\""); -+ test_quote_command_line_one(STRV_MAKE("true", "with a \"quote\""), -+ "true \"with a \\\"quote\\\"\""); -+ test_quote_command_line_one(STRV_MAKE("true", "$dollar"), -+ "true \"\\$dollar\""); -+} -+ - int main(int argc, char *argv[]) { - test_setup_logging(LOG_DEBUG); - -@@ -202,6 +225,7 @@ int main(int argc, char *argv[]) { - test_cunescape(); - test_shell_escape(); - test_shell_maybe_quote(); -+ test_quote_command_line(); - - return 0; - } --- -2.33.0 - diff --git a/backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch b/backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch deleted file mode 100644 index a72d4d1..0000000 --- a/backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 6674c65c74dcf52b6887e76642683b593d86cb69 Mon Sep 17 00:00:00 2001 -From: Chris Packham -Date: Fri, 10 Sep 2021 09:51:36 +1200 -Subject: [PATCH] basic/linux: Sync if_arp.h with Linux 5.14 - -ARPHRD_MCTP was added in 5.14. Sync if_arp.h to pick up the definition - -Fixes #20694 - -(cherry picked from commit 7c5b9952c4f6e2b72f90edbe439982528b7cf223) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6674c65c74dcf52b6887e76642683b593d86cb69 ---- - src/basic/linux/if_arp.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/basic/linux/if_arp.h b/src/basic/linux/if_arp.h -index c3cc5a9e5e..4783af9fe5 100644 ---- a/src/basic/linux/if_arp.h -+++ b/src/basic/linux/if_arp.h -@@ -54,6 +54,7 @@ - #define ARPHRD_X25 271 /* CCITT X.25 */ - #define ARPHRD_HWX25 272 /* Boards with X.25 in firmware */ - #define ARPHRD_CAN 280 /* Controller Area Network */ -+#define ARPHRD_MCTP 290 - #define ARPHRD_PPP 512 - #define ARPHRD_CISCO 513 /* Cisco HDLC */ - #define ARPHRD_HDLC ARPHRD_CISCO --- -2.33.0 - diff --git a/backport-basic-log-allow-errno-values-higher-than-255.patch b/backport-basic-log-allow-errno-values-higher-than-255.patch deleted file mode 100644 index 7e2d563..0000000 --- a/backport-basic-log-allow-errno-values-higher-than-255.patch +++ /dev/null @@ -1,48 +0,0 @@ -From fb824c90e5a83218e4252a2c21c7f365d0167458 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 3 Jan 2022 17:53:29 +0100 -Subject: [PATCH] basic/log: allow errno values higher than 255 - -When the support for "synthetic errno" was added, we started truncating -the errno value to just the least significant byte. This is generally OK, -because errno values are defined up to ~130. - -The docs don't really say what the maximum value is. But at least in principle -higher values could be added in the future. So let's stop truncating -the values needlessly. - -The kernel (or libbpf?) have an error where they return 524 as an errno -value (https://bugzilla.redhat.com/show_bug.cgi?id=2036145). We would -confusingly truncate this to 12 (ENOMEM). It seems much nicer to let -strerror() give us "Unknown error 524" rather than to print the bogus -message about ENOMEM. - -(cherry picked from commit 5f74fcd41cb1a1b26c23e0f2ab405ae9cf6bcc93) -(cherry picked from commit cd686fe4c719bfb894bd24d673c51f19cea64643) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/fb824c90e5a83218e4252a2c21c7f365d0167458 ---- - src/basic/log.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/basic/log.h b/src/basic/log.h -index 738c181070..8bfae8e0e5 100644 ---- a/src/basic/log.h -+++ b/src/basic/log.h -@@ -27,10 +27,10 @@ typedef enum LogTarget{ - _LOG_TARGET_INVALID = -EINVAL, - } LogTarget; - --/* Note to readers: << and >> have lower precedence than & and | */ -+/* Note to readers: << and >> have lower precedence (are evaluated earlier) than & and | */ - #define SYNTHETIC_ERRNO(num) (1 << 30 | (num)) - #define IS_SYNTHETIC_ERRNO(val) ((val) >> 30 & 1) --#define ERRNO_VALUE(val) (abs(val) & 255) -+#define ERRNO_VALUE(val) (abs(val) & ~(1 << 30)) - - const char *log_target_to_string(LogTarget target) _const_; - LogTarget log_target_from_string(const char *s) _pure_; --- -2.33.0 - diff --git a/backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch b/backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch deleted file mode 100644 index 94fd836..0000000 --- a/backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch +++ /dev/null @@ -1,76 +0,0 @@ -From fdb86800e854d5079c13d3a4597f73617db991f6 Mon Sep 17 00:00:00 2001 -From: Donald Chan -Date: Fri, 28 Jan 2022 22:53:46 +0000 -Subject: [PATCH] basic: mac_[selinux,smack]_apply_fd does not work when - applying labels - -Commit a7fdc6c introduced a regression where file descriptors are opened -using O_PATH option. mac_smack_apply_fd() calls fsetxattr() and would fail -with a -EBADF (Bad file descriptor) error. - -Use FORMAT_PROC_FD_PATH(fd) to convert the fd back into a full path and -call setxattr() or setfilecon() instead. - -Signed-off-by: Donald Chan -(cherry picked from commit a718364e9d9242cc2111c9860f2ab5bb9bb26db9) -(cherry picked from commit 9f596964f6e403b089450dc083724b48fb4b4bb1) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/fdb86800e854d5079c13d3a4597f73617db991f6 ---- - src/shared/selinux-util.c | 6 +++++- - src/shared/smack-util.c | 7 +++++-- - 2 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c -index 03cee76f64..832c29435d 100644 ---- a/src/shared/selinux-util.c -+++ b/src/shared/selinux-util.c -@@ -344,12 +344,16 @@ int mac_selinux_apply_fd(int fd, const char *path, const char *label) { - assert(fd >= 0); - - #if HAVE_SELINUX -+ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; -+ - if (!mac_selinux_use()) - return 0; - - assert(label); - -- if (fsetfilecon(fd, label) < 0) -+ xsprintf(procfs_path, "/proc/self/fd/%i", fd); -+ -+ if (setfilecon(procfs_path, label) < 0) - return log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, strna(path)); - #endif - return 0; -diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c -index 3362ee3924..8d88a7b49a 100644 ---- a/src/shared/smack-util.c -+++ b/src/shared/smack-util.c -@@ -86,6 +86,7 @@ int mac_smack_apply(const char *path, SmackAttr attr, const char *label) { - } - - int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { -+ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; - int r; - - assert(fd >= 0); -@@ -94,10 +95,12 @@ int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { - if (!mac_smack_use()) - return 0; - -+ xsprintf(procfs_path, "/proc/self/fd/%i", fd); -+ - if (label) -- r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0); -+ r = setxattr(procfs_path, smack_attr_to_string(attr), label, strlen(label), 0); - else -- r = fremovexattr(fd, smack_attr_to_string(attr)); -+ r = removexattr(procfs_path, smack_attr_to_string(attr)); - if (r < 0) - return -errno; - --- -2.33.0 - diff --git a/backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch b/backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch deleted file mode 100644 index f944c57..0000000 --- a/backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 74af5a3696cd3747fa814a21eb1b3d7cae3dea56 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Thu, 4 Nov 2021 20:29:43 +0000 -Subject: [PATCH] basic/mountpoint-util: detect erofs as a read-only FS - -(cherry picked from commit fac2c3e97d80fb356eb50abb429bdb5ed36afcf1) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/74af5a3696cd3747fa814a21eb1b3d7cae3dea56 ---- - src/basic/mountpoint-util.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c -index e7a5a99551..7e57d9a226 100644 ---- a/src/basic/mountpoint-util.c -+++ b/src/basic/mountpoint-util.c -@@ -424,6 +424,7 @@ bool fstype_is_ro(const char *fstype) { - return STR_IN_SET(fstype, - "DM_verity_hash", - "iso9660", -+ "erofs", - "squashfs"); - } - --- -2.33.0 - diff --git a/backport-basic-unit-file-don-t-filter-out-names-starting-with.patch b/backport-basic-unit-file-don-t-filter-out-names-starting-with.patch deleted file mode 100644 index 735b09c..0000000 --- a/backport-basic-unit-file-don-t-filter-out-names-starting-with.patch +++ /dev/null @@ -1,32 +0,0 @@ -From d21bfe5c06688a5b6aa0a0b4eae0b05bc45475fb Mon Sep 17 00:00:00 2001 -From: Anita Zhang -Date: Tue, 28 Sep 2021 23:52:39 -0700 -Subject: [PATCH] basic/unit-file: don't filter out names starting with dot - -Fixes #20859 -Reverts 3796bdc55d6ba499d1049f749072218879e619a7 - -(cherry picked from commit 14bb72953458caace048b55ead7ea06a592b864f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d21bfe5c06688a5b6aa0a0b4eae0b05bc45475fb ---- - src/basic/unit-file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c -index 884a0674a9..0d58b1c4fe 100644 ---- a/src/basic/unit-file.c -+++ b/src/basic/unit-file.c -@@ -284,7 +284,7 @@ int unit_file_build_name_map( - continue; - } - -- FOREACH_DIRENT(de, d, log_warning_errno(errno, "Failed to read \"%s\", ignoring: %m", *dir)) { -+ FOREACH_DIRENT_ALL(de, d, log_warning_errno(errno, "Failed to read \"%s\", ignoring: %m", *dir)) { - char *filename; - _cleanup_free_ char *_filename_free = NULL, *simplified = NULL; - const char *suffix, *dst = NULL; --- -2.33.0 - diff --git a/backport-binfmt-fix-exit-value.patch b/backport-binfmt-fix-exit-value.patch deleted file mode 100644 index 80ba1e3..0000000 --- a/backport-binfmt-fix-exit-value.patch +++ /dev/null @@ -1,32 +0,0 @@ -From d4406e94a32d423d8a73deb7757fb09890afe2c4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 10 Nov 2021 13:58:32 +0100 -Subject: [PATCH] binfmt: fix exit value - -Positive values are mapped to 0 by DEFINE_MAIN_FUNCTION(), so e.g. -systemd-binfmt --foobar would "succeed". - -(cherry picked from commit 52707598d5c0dbbc8a967e4874b0b08ee2486772) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d4406e94a32d423d8a73deb7757fb09890afe2c4 ---- - src/binfmt/binfmt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/binfmt/binfmt.c b/src/binfmt/binfmt.c -index 29530bb691..981218f52f 100644 ---- a/src/binfmt/binfmt.c -+++ b/src/binfmt/binfmt.c -@@ -189,7 +189,7 @@ static int run(int argc, char *argv[]) { - - r = parse_argv(argc, argv); - if (r <= 0) -- return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; -+ return r; - - log_setup(); - --- -2.33.0 - diff --git a/backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch b/backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch deleted file mode 100644 index fdcfcc5..0000000 --- a/backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 9ee300a0b6429b7af73f40edfb2330cbbd7828f3 Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Sun, 9 Jan 2022 14:22:15 +0100 -Subject: [PATCH] boot-timestamps: Discard firmware init time when running in a - VM - -Fixes: #22060 -(cherry picked from commit f699bd81e8e18da2d2fc11e7fb7dce95f8bb3f9e) -(cherry picked from commit 3c5c13f82c760c7067bb189484e1f672ff6713f6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9ee300a0b6429b7af73f40edfb2330cbbd7828f3 ---- - src/shared/boot-timestamps.c | 18 +++++++++++++----- - 1 file changed, 13 insertions(+), 5 deletions(-) - -diff --git a/src/shared/boot-timestamps.c b/src/shared/boot-timestamps.c -index 8786e89c0e..e00b37aa32 100644 ---- a/src/shared/boot-timestamps.c -+++ b/src/shared/boot-timestamps.c -@@ -5,11 +5,13 @@ - #include "efi-loader.h" - #include "macro.h" - #include "time-util.h" -+#include "virt.h" - - int boot_timestamps(const dual_timestamp *n, dual_timestamp *firmware, dual_timestamp *loader) { - usec_t x = 0, y = 0, a; - int r; - dual_timestamp _n; -+ bool use_firmware = true; - - assert(firmware); - assert(loader); -@@ -24,6 +26,10 @@ int boot_timestamps(const dual_timestamp *n, dual_timestamp *firmware, dual_time - r = efi_loader_get_boot_usec(&x, &y); - if (r < 0) - return r; -+ -+ /* If we are running in a VM, the init timestamp would -+ * be equivalent to the host uptime. */ -+ use_firmware = detect_vm() <= 0; - } - - /* Let's convert this to timestamps where the firmware -@@ -33,12 +39,14 @@ int boot_timestamps(const dual_timestamp *n, dual_timestamp *firmware, dual_time - * the monotonic timestamps here as negative of the actual - * value. */ - -- firmware->monotonic = y; -- loader->monotonic = y - x; -- -- a = n->monotonic + firmware->monotonic; -- firmware->realtime = n->realtime > a ? n->realtime - a : 0; -+ if (use_firmware) { -+ firmware->monotonic = y; -+ a = n->monotonic + firmware->monotonic; -+ firmware->realtime = n->realtime > a ? n->realtime - a : 0; -+ } else -+ firmware->monotonic = firmware->realtime = 0; - -+ loader->monotonic = y - x; - a = n->monotonic + loader->monotonic; - loader->realtime = n->realtime > a ? n->realtime - a : 0; - --- -2.33.0 - diff --git a/backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch b/backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch deleted file mode 100644 index c62801a..0000000 --- a/backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0028a3eb976dfa7209433dfa3a24b785f05fd352 Mon Sep 17 00:00:00 2001 -From: Anssi Hannula -Date: Thu, 23 Sep 2021 12:08:05 +0300 -Subject: [PATCH] bootctl: Fix update not adding EFI entry if Boot IDs are - non-consecutive - -"bootctl update" tries to add sd-boot to the EFI boot loader list if it -is not already there. To do so, it uses find_slot() which finds the -proper BootXXXX slot ID to use and also returns 1 if an existing sd-boot -entry was found at this ID or 0 if it is a new unused ID. In "update" -case install_variables() only writes the entry in case 0 (no existing -entry). - -However, find_slot() erroneously returns 1 if it finds a gap in the Boot -IDs (i.e. when not resorting to max(ids) + 1). This causes -"bootctl update" to not add a missing systemd-boot boot entry if the -existing BootXXXX entry IDs are not consecutive. - -Fix that by returning 0 in find_slot() when an empty gap ID is selected -to make it match the behavior when selecting an empty non-gap ID. - -(cherry picked from commit 26d54e1263dcb58daa6578595cc6ab1037315593) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0028a3eb976dfa7209433dfa3a24b785f05fd352 ---- - src/boot/bootctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c -index fa8c600321..bd96812246 100644 ---- a/src/boot/bootctl.c -+++ b/src/boot/bootctl.c -@@ -711,7 +711,7 @@ static int find_slot(sd_id128_t uuid, const char *path, uint16_t *id) { - for (i = 0; i < n; i++) - if (i != options[i]) { - *id = i; -- return 1; -+ return 0; - } - - /* use the next one */ --- -2.33.0 - diff --git a/backport-bus-util-retrieve-bus-error-from-message.patch b/backport-bus-util-retrieve-bus-error-from-message.patch deleted file mode 100644 index 132b4da..0000000 --- a/backport-bus-util-retrieve-bus-error-from-message.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 443f25f3cd34ce504a4850373babcde5d572335f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 30 Jan 2022 05:36:56 +0900 -Subject: [PATCH] bus-util: retrieve bus error from message - -The error in argument is not input, but used for output. - -(cherry picked from commit 853b94863cf26d084454edd63ce987cc7ab0505a) -(cherry picked from commit b9e144629bdb7c3d4535fb0a0ad8639140a25034) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/443f25f3cd34ce504a4850373babcde5d572335f ---- - src/shared/bus-wait-for-units.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/shared/bus-wait-for-units.c b/src/shared/bus-wait-for-units.c -index 29620e0d1b..c867f1cbfd 100644 ---- a/src/shared/bus-wait-for-units.c -+++ b/src/shared/bus-wait-for-units.c -@@ -1,5 +1,6 @@ - /* SPDX-License-Identifier: LGPL-2.1-or-later */ - -+#include "bus-error.h" - #include "bus-map-properties.h" - #include "bus-wait-for-units.h" - #include "hashmap.h" -@@ -288,19 +289,22 @@ static int on_properties_changed(sd_bus_message *m, void *userdata, sd_bus_error - return 0; - } - --static int on_get_all_properties(sd_bus_message *m, void *userdata, sd_bus_error *error) { -+static int on_get_all_properties(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) { - WaitForItem *item = userdata; -+ const sd_bus_error *e; - int r; - - assert(item); - -- if (sd_bus_error_is_set(error)) { -+ e = sd_bus_message_get_error(m); -+ if (e) { - BusWaitForUnits *d = item->parent; - - d->has_failed = true; - -- log_debug_errno(sd_bus_error_get_errno(error), "GetAll() failed for %s: %s", -- item->bus_path, error->message); -+ r = sd_bus_error_get_errno(e); -+ log_debug_errno(r, "GetAll() failed for %s: %s", -+ item->bus_path, bus_error_message(e, r)); - - call_unit_callback_and_wait(d, item, false); - bus_wait_for_units_check_ready(d); --- -2.33.0 - diff --git a/backport-calendarspec-fix-possibly-skips-next-elapse.patch b/backport-calendarspec-fix-possibly-skips-next-elapse.patch deleted file mode 100644 index ec48ede..0000000 --- a/backport-calendarspec-fix-possibly-skips-next-elapse.patch +++ /dev/null @@ -1,82 +0,0 @@ -From bce3b46aaf8c7ad7ff7eeaafbf4b321ffdad9c07 Mon Sep 17 00:00:00 2001 -From: Gibeom Gwon -Date: Sun, 6 Mar 2022 09:45:38 +0900 -Subject: [PATCH] calendarspec: fix possibly skips next elapse - -If the time unit changes after adding the repetition value, the -timer may skip the next elapse. This patch reset sub time units -to minimum value when upper unit is changed. - -Fixes #22665. - -(cherry picked from commit 1e582ede3b04d12aae11fc5378a446a392054f1c) -(cherry picked from commit 8d4c0d2383e72f30753bf33f206387bc03879ff8) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/bce3b46aaf8c7ad7ff7eeaafbf4b321ffdad9c07 ---- - src/shared/calendarspec.c | 27 ++++++++++++++++++++------- - src/test/test-calendarspec.c | 2 ++ - 2 files changed, 22 insertions(+), 7 deletions(-) - -diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c -index bf24d8d5bb..238766c96a 100644 ---- a/src/shared/calendarspec.c -+++ b/src/shared/calendarspec.c -@@ -1180,6 +1180,7 @@ static int find_matching_component( - - static int tm_within_bounds(struct tm *tm, bool utc) { - struct tm t; -+ int cmp; - assert(tm); - - /* -@@ -1194,13 +1195,25 @@ static int tm_within_bounds(struct tm *tm, bool utc) { - if (mktime_or_timegm(&t, utc) < 0) - return negative_errno(); - -- /* Did any normalization take place? If so, it was out of bounds before */ -- int cmp = CMP(t.tm_year, tm->tm_year) ?: -- CMP(t.tm_mon, tm->tm_mon) ?: -- CMP(t.tm_mday, tm->tm_mday) ?: -- CMP(t.tm_hour, tm->tm_hour) ?: -- CMP(t.tm_min, tm->tm_min) ?: -- CMP(t.tm_sec, tm->tm_sec); -+ /* -+ * Did any normalization take place? If so, it was out of bounds before. -+ * Normalization could skip next elapse, e.g. result of normalizing 3-33 -+ * is 4-2. This skips 4-1. So reset the sub time unit if upper unit was -+ * out of bounds. Normalization has occurred implies find_matching_component() > 0, -+ * other sub time units are already reset in find_next(). -+ */ -+ if ((cmp = CMP(t.tm_year, tm->tm_year)) != 0) -+ t.tm_mon = 0; -+ else if ((cmp = CMP(t.tm_mon, tm->tm_mon)) != 0) -+ t.tm_mday = 1; -+ else if ((cmp = CMP(t.tm_mday, tm->tm_mday)) != 0) -+ t.tm_hour = 0; -+ else if ((cmp = CMP(t.tm_hour, tm->tm_hour)) != 0) -+ t.tm_min = 0; -+ else if ((cmp = CMP(t.tm_min, tm->tm_min)) != 0) -+ t.tm_sec = 0; -+ else -+ cmp = CMP(t.tm_sec, tm->tm_sec); - - if (cmp < 0) - return -EDEADLK; /* Refuse to go backward */ -diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c -index 4f1d0f64d5..bc5e56a238 100644 ---- a/src/test/test-calendarspec.c -+++ b/src/test/test-calendarspec.c -@@ -201,6 +201,8 @@ int main(int argc, char* argv[]) { - test_next("2016-02~01 UTC", "", 12345, 1456704000000000); - test_next("Mon 2017-05~01..07 UTC", "", 12345, 1496016000000000); - test_next("Mon 2017-05~07/1 UTC", "", 12345, 1496016000000000); -+ test_next("*-*-01/5 04:00:00 UTC", "", 1646010000000000, 1646107200000000); -+ test_next("*-01/7-01 04:00:00 UTC", "", 1664607600000000, 1672545600000000); - test_next("2017-08-06 9,11,13,15,17:00 UTC", "", 1502029800000000, 1502031600000000); - test_next("2017-08-06 9..17/2:00 UTC", "", 1502029800000000, 1502031600000000); - test_next("2016-12-* 3..21/6:00 UTC", "", 1482613200000001, 1482634800000000); --- -2.33.0 - diff --git a/backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch b/backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch deleted file mode 100644 index 596dc39..0000000 --- a/backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 52ab3b8f534eafeed86908ad38f4cd0f169e23ff Mon Sep 17 00:00:00 2001 -From: Dan Streetman -Date: Sun, 11 Jul 2021 16:59:27 -0400 -Subject: [PATCH] cgroup: do 'catchup' for unit cgroup inotify watch files - -While reexec/reload, we drop the inotify watch on cgroup file(s), so -we need to re-check them in case they changed and we missed the event. - -Fixes: #20198 -(cherry picked from commit 869f52f21831b611160c4937bef822ca94c802ba) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/52ab3b8f534eafeed86908ad38f4cd0f169e23ff ---- - src/core/cgroup.c | 18 ++++++++++++++++++ - src/core/cgroup.h | 2 ++ - src/core/unit.c | 2 ++ - 3 files changed, 22 insertions(+) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 3a6f768c60..5c07aa71d1 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -3039,6 +3039,9 @@ static int unit_check_cgroup_events(Unit *u) { - - assert(u); - -+ if (!u->cgroup_path) -+ return 0; -+ - r = cg_get_keyed_attribute_graceful(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "cgroup.events", - STRV_MAKE("populated", "frozen"), values); - if (r < 0) -@@ -3871,6 +3874,21 @@ void unit_invalidate_cgroup_bpf(Unit *u) { - } - } - -+void unit_cgroup_catchup(Unit *u) { -+ assert(u); -+ -+ if (!UNIT_HAS_CGROUP_CONTEXT(u)) -+ return; -+ -+ /* We dropped the inotify watch during reexec/reload, so we need to -+ * check these as they may have changed. -+ * Note that (currently) the kernel doesn't actually update cgroup -+ * file modification times, so we can't just serialize and then check -+ * the mtime for file(s) we are interested in. */ -+ (void) unit_check_cgroup_events(u); -+ unit_add_to_cgroup_oom_queue(u); -+} -+ - bool unit_cgroup_delegate(Unit *u) { - CGroupContext *c; - -diff --git a/src/core/cgroup.h b/src/core/cgroup.h -index ea929368cb..3f8cad899d 100644 ---- a/src/core/cgroup.h -+++ b/src/core/cgroup.h -@@ -313,6 +313,8 @@ void manager_invalidate_startup_units(Manager *m); - const char* cgroup_device_policy_to_string(CGroupDevicePolicy i) _const_; - CGroupDevicePolicy cgroup_device_policy_from_string(const char *s) _pure_; - -+void unit_cgroup_catchup(Unit *u); -+ - bool unit_cgroup_delegate(Unit *u); - - int compare_job_priority(const void *a, const void *b); -diff --git a/src/core/unit.c b/src/core/unit.c -index 47966bcf0d..7e3bd7505e 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -3616,6 +3616,8 @@ void unit_catchup(Unit *u) { - - if (UNIT_VTABLE(u)->catchup) - UNIT_VTABLE(u)->catchup(u); -+ -+ unit_cgroup_catchup(u); - } - - static bool fragment_mtime_newer(const char *path, usec_t mtime, bool path_masked) { --- -2.33.0 - diff --git a/backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch b/backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch deleted file mode 100644 index 15d9e2e..0000000 --- a/backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch +++ /dev/null @@ -1,45 +0,0 @@ -From f4472e406eaa1087534066d09a4b7f2fd1de2a06 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Tue, 30 Nov 2021 23:49:33 +0000 -Subject: [PATCH] cgroup: don't emit BPF firewall warning when manager is in - test mode - -Support for BPF might not have been checked, since it's not necessary -in test mode (eg: running offline analysis of units). This causes an -assert: - -Assertion '(_error) != 0' failed at src/core/bpf-firewall.c:914, function emit_bpf_firewall_warning(). Aborting. - -Export SYSTEMD_LOG_LEVEl=debug in TEST-65-ANALYZE is enough to trigger -this assert while doing an offline analysis of a unit that has some -firewall/network restrictions set. - -Skip the warning if the manager is in test mode. - -(cherry picked from commit a42232a18c5716f69efc67c779dd2ef6c4b9d6c2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f4472e406eaa1087534066d09a4b7f2fd1de2a06 ---- - src/core/bpf-firewall.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c -index 4a92052925..c4989a3ea6 100644 ---- a/src/core/bpf-firewall.c -+++ b/src/core/bpf-firewall.c -@@ -911,7 +911,10 @@ int bpf_firewall_supported(void) { - void emit_bpf_firewall_warning(Unit *u) { - static bool warned = false; - -- if (!warned) { -+ assert(u); -+ assert(u->manager); -+ -+ if (!warned && !MANAGER_IS_TEST_RUN(u->manager)) { - bool quiet = bpf_firewall_unsupported_reason == -EPERM && detect_container() > 0; - - log_unit_full_errno(u, quiet ? LOG_DEBUG : LOG_WARNING, bpf_firewall_unsupported_reason, --- -2.33.0 - diff --git a/backport-cgroups-agent-connect-stdin-stdout-stderr-to-dev-nul.patch b/backport-cgroups-agent-connect-stdin-stdout-stderr-to-dev-nul.patch deleted file mode 100644 index 67decec..0000000 --- a/backport-cgroups-agent-connect-stdin-stdout-stderr-to-dev-nul.patch +++ /dev/null @@ -1,41 +0,0 @@ -From a59a7227a29a73e8e1b0d80153f258e20354c0d7 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 15 Jul 2022 11:02:40 +0200 -Subject: [PATCH] cgroups-agent: connect stdin/stdout/stderr to /dev/null - -Inspired by https://github.com/systemd/systemd/pull/24024 this is -another user mode helper, where this might be an issue. hence let's -rather be safe than sorry, and also connect stdin/stdout/stderr -explicitly with /dev/null. - -(cherry picked from commit 50492ce81589773df2d82b4fc8047778e86c6edf) -(cherry picked from commit 689487785f776815e71642f89685ff01f0bc4fde) -(cherry picked from commit d8464304f03e6644bfc6ed42e13fb3a460b9ff60) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a59a7227a29a73e8e1b0d80153f258e20354c0d7 ---- - src/cgroups-agent/cgroups-agent.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/cgroups-agent/cgroups-agent.c b/src/cgroups-agent/cgroups-agent.c -index 071cba3099..9126736235 100644 ---- a/src/cgroups-agent/cgroups-agent.c -+++ b/src/cgroups-agent/cgroups-agent.c -@@ -16,6 +16,13 @@ int main(int argc, char *argv[]) { - _cleanup_close_ int fd = -1; - ssize_t n; - size_t l; -+ int r; -+ -+ r = rearrange_stdio(-1, -1, -1); -+ if (r < 0) { -+ log_error_errno(r, "Failed to connect stdin/stdout/stderr with /dev/null: %m"); -+ return EXIT_FAILURE; -+ } - - if (argc != 2) { - log_error("Incorrect number of arguments."); --- -2.27.0 - diff --git a/backport-change-indicator-used-for-later-versions-of-VirtualB.patch b/backport-change-indicator-used-for-later-versions-of-VirtualB.patch deleted file mode 100644 index 24ab4b0..0000000 --- a/backport-change-indicator-used-for-later-versions-of-VirtualB.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 7459b7f4a63de87a6e76e9187893c65291b7931f Mon Sep 17 00:00:00 2001 -From: Greg Zuro -Date: Tue, 26 Oct 2021 21:02:37 -0700 -Subject: [PATCH] change indicator used for later versions of VirtualBox - (#21127) - -Detection of VirtualBox is accomplished in the existing code by *either* `innotek GmbH` -or `Oracle Corporation` existing in any of: - -- /sys/class/dmi/id/product_name -- /sys/class/dmi/id/sys_vendor -- /sys/class/dmi/id/board_vendor -- /sys/class/dmi/id/bios_vendor - -With Oracle's physical servers, both `/sys/class/dmi/id/sys_vendor` and -`/sys/class/dmi/id/board_vendor` contain `Oracle Corporation`, so those -servers are detected as `oracle` (VirtualBox). - -VirtualBox has the following values in the latest versions: - -- /sys/class/dmi/id/product_name: `VirtualBox` -- /sys/class/dmi/id/sys_vendor: `innotek GmbH` -- /sys/class/dmi/id/board_vendor: `Oracle Corporation` -- /sys/class/dmi/id/bios_vendor: `innotek GmbH` - -Presumably the existing check for `innotek GmbH` is meant to detect -older versions of VirtualBox, while changing the second checked value -from `Oracle Corporation` to `VirtualBox` will reliably detect later and future -versions. - -(cherry picked from commit cfee6b955154c30be31ffcf0e3b7b89374a52fff) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7459b7f4a63de87a6e76e9187893c65291b7931f ---- - src/basic/virt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/virt.c b/src/basic/virt.c -index 0243b2d2a8..cc123a286f 100644 ---- a/src/basic/virt.c -+++ b/src/basic/virt.c -@@ -159,7 +159,7 @@ static int detect_vm_dmi_vendor(void) { - { "VMware", VIRTUALIZATION_VMWARE }, /* https://kb.vmware.com/s/article/1009458 */ - { "VMW", VIRTUALIZATION_VMWARE }, - { "innotek GmbH", VIRTUALIZATION_ORACLE }, -- { "Oracle Corporation", VIRTUALIZATION_ORACLE }, -+ { "VirtualBox", VIRTUALIZATION_ORACLE }, - { "Xen", VIRTUALIZATION_XEN }, - { "Bochs", VIRTUALIZATION_BOCHS }, - { "Parallels", VIRTUALIZATION_PARALLELS }, --- -2.33.0 - diff --git a/backport-ci-cancel-previous-jobs-on-ref-update.patch b/backport-ci-cancel-previous-jobs-on-ref-update.patch deleted file mode 100644 index 08ecd81..0000000 --- a/backport-ci-cancel-previous-jobs-on-ref-update.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 47b12629b47d9dfc857874a1b680f60ffc0af0bd Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Wed, 10 Nov 2021 16:45:12 +0100 -Subject: [PATCH] ci: cancel previous jobs on ref update - -Let's save the environment (and reduce the number of jobs in GH Actions -queues) by cancelling old jobs on a ref update (force push). - -See: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#concurrency -(cherry picked from commit 3884837610168e6fb69fc2d5709f6c017a30beb9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/47b12629b47d9dfc857874a1b680f60ffc0af0bd ---- - .github/workflows/build_test.yml | 3 +++ - .github/workflows/cifuzz.yml | 3 +++ - .github/workflows/mkosi.yml | 3 +++ - .github/workflows/unit_tests.yml | 3 +++ - 4 files changed, 12 insertions(+) - -diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml -index 486016abc1..fa86236c2a 100644 ---- a/.github/workflows/build_test.yml -+++ b/.github/workflows/build_test.yml -@@ -14,6 +14,9 @@ on: - jobs: - build: - runs-on: ubuntu-20.04 -+ concurrency: -+ group: ${{ github.workflow }}-${{ matrix.env.COMPILER }}-${{ matrix.env.COMPILER_VERSION }}-${{ github.ref }} -+ cancel-in-progress: true - strategy: - fail-fast: false - matrix: -diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml -index 5296dc7069..df1fb15ace 100644 ---- a/.github/workflows/cifuzz.yml -+++ b/.github/workflows/cifuzz.yml -@@ -19,6 +19,9 @@ jobs: - Fuzzing: - runs-on: ubuntu-latest - if: github.repository == 'systemd/systemd' -+ concurrency: -+ group: ${{ github.workflow }}-${{ github.ref }} -+ cancel-in-progress: true - strategy: - fail-fast: false - matrix: -diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml -index babdf7ae6e..f67fd23b1c 100644 ---- a/.github/workflows/mkosi.yml -+++ b/.github/workflows/mkosi.yml -@@ -13,6 +13,9 @@ on: - jobs: - ci: - runs-on: ubuntu-20.04 -+ concurrency: -+ group: ${{ github.workflow }}-${{ matrix.distro }}-${{ github.ref }} -+ cancel-in-progress: true - strategy: - fail-fast: false - matrix: -diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml -index ca1e6e0c30..aaf8fcad3d 100644 ---- a/.github/workflows/unit_tests.yml -+++ b/.github/workflows/unit_tests.yml -@@ -10,6 +10,9 @@ on: - jobs: - build: - runs-on: ubuntu-20.04 -+ concurrency: -+ group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ github.ref }} -+ cancel-in-progress: true - strategy: - fail-fast: false - matrix: --- -2.33.0 - diff --git a/backport-ci-fix-clang-13-installation.patch b/backport-ci-fix-clang-13-installation.patch deleted file mode 100644 index 5f08531..0000000 --- a/backport-ci-fix-clang-13-installation.patch +++ /dev/null @@ -1,59 +0,0 @@ -From eaa74c30212d62f546692731ec3cef498f3edb08 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Tue, 22 Feb 2022 14:43:40 +0100 -Subject: [PATCH] ci: fix clang-13 installation - -For some reason Ubuntu Focal repositories now have `llvm-13` virtual -package which can't be installed, but successfully fools our check, -resulting in no clang/llvm being installed... - -``` -$ apt show llvm-13 -Package: llvm-13 -State: not a real package (virtual) -N: Can't select candidate version from package llvm-13 as it has no candidate -N: Can't select versions from package 'llvm-13' as it is purely virtual -N: No packages found - -$ apt install --dry-run llvm-13 -Reading package lists... Done -Building dependency tree -Reading state information... Done -Package llvm-13 is not available, but is referred to by another package. -This may mean that the package is missing, has been obsoleted, or -is only available from another source - -E: Package 'llvm-13' has no installation candidate -``` - -(cherry picked from commit b491d74064f9d5e17a71b38b014434237169a077) -(cherry picked from commit fa6e263273905cfc9e4528e8175ace3d19d881e3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/eaa74c30212d62f546692731ec3cef498f3edb08 ---- - .github/workflows/build_test.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh -index db38554d97..1200fa23f3 100755 ---- a/.github/workflows/build_test.sh -+++ b/.github/workflows/build_test.sh -@@ -75,12 +75,12 @@ if [[ "$COMPILER" == clang ]]; then - # ATTOW llvm-11 got into focal-updates, which conflicts with llvm-11 - # provided by the apt.llvm.org repositories. Let's use the system - # llvm package if available in such cases to avoid that. -- if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then -+ if ! apt install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then - # Latest LLVM stack deb packages provided by https://apt.llvm.org/ - # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh - wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg - printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/ llvm-toolchain-%s-%s main\n" \ -- "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list -+ "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list - PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION") - fi - elif [[ "$COMPILER" == gcc ]]; then --- -2.33.0 - diff --git a/backport-ci-fix-indentation.patch b/backport-ci-fix-indentation.patch deleted file mode 100644 index 99caf2e..0000000 --- a/backport-ci-fix-indentation.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 6db77b2c9f31c8246ec920a189fe44873111566f Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Wed, 10 Nov 2021 16:42:07 +0100 -Subject: [PATCH] ci: fix indentation - -(cherry picked from commit 46573ee1319ee8ae5b292a0a737740eca1a68184) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6db77b2c9f31c8246ec920a189fe44873111566f ---- - .github/workflows/cifuzz.yml | 58 ++++++++++++++++++------------------ - 1 file changed, 29 insertions(+), 29 deletions(-) - -diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml -index 14d81a67ff..5296dc7069 100644 ---- a/.github/workflows/cifuzz.yml -+++ b/.github/workflows/cifuzz.yml -@@ -16,32 +16,32 @@ on: - branches: - - main - jobs: -- Fuzzing: -- runs-on: ubuntu-latest -- if: github.repository == 'systemd/systemd' -- strategy: -- fail-fast: false -- matrix: -- sanitizer: [address, undefined, memory] -- steps: -- - name: Build Fuzzers (${{ matrix.sanitizer }}) -- id: build -- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master -- with: -- oss-fuzz-project-name: 'systemd' -- dry-run: false -- allowed-broken-targets-percentage: 0 -- sanitizer: ${{ matrix.sanitizer }} -- - name: Run Fuzzers (${{ matrix.sanitizer }}) -- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master -- with: -- oss-fuzz-project-name: 'systemd' -- fuzz-seconds: 600 -- dry-run: false -- sanitizer: ${{ matrix.sanitizer }} -- - name: Upload Crash -- uses: actions/upload-artifact@v1 -- if: failure() && steps.build.outcome == 'success' -- with: -- name: ${{ matrix.sanitizer }}-artifacts -- path: ./out/artifacts -+ Fuzzing: -+ runs-on: ubuntu-latest -+ if: github.repository == 'systemd/systemd' -+ strategy: -+ fail-fast: false -+ matrix: -+ sanitizer: [address, undefined, memory] -+ steps: -+ - name: Build Fuzzers (${{ matrix.sanitizer }}) -+ id: build -+ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master -+ with: -+ oss-fuzz-project-name: 'systemd' -+ dry-run: false -+ allowed-broken-targets-percentage: 0 -+ sanitizer: ${{ matrix.sanitizer }} -+ - name: Run Fuzzers (${{ matrix.sanitizer }}) -+ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master -+ with: -+ oss-fuzz-project-name: 'systemd' -+ fuzz-seconds: 600 -+ dry-run: false -+ sanitizer: ${{ matrix.sanitizer }} -+ - name: Upload Crash -+ uses: actions/upload-artifact@v1 -+ if: failure() && steps.build.outcome == 'success' -+ with: -+ name: ${{ matrix.sanitizer }}-artifacts -+ path: ./out/artifacts --- -2.33.0 - diff --git a/backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch b/backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch deleted file mode 100644 index d5fb67e..0000000 --- a/backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch +++ /dev/null @@ -1,32 +0,0 @@ -From cdc1cd4eb3f86f3100d6d04b1b5d12a2d87b8704 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Sun, 14 Nov 2021 12:28:21 +0100 -Subject: [PATCH] ci: pin the debian systemd repo to a specific revision - -to work around missing systemd/systemd#20056 in pre-v250 stable -branches. - -v249-stable-only - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/cdc1cd4eb3f86f3100d6d04b1b5d12a2d87b8704 ---- - .semaphore/semaphore.yml | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml -index 06f162007e..7fc38a553d 100644 ---- a/.semaphore/semaphore.yml -+++ b/.semaphore/semaphore.yml -@@ -25,3 +25,8 @@ blocks: - - checkout --use-cache - - .semaphore/semaphore-runner.sh SETUP - - .semaphore/semaphore-runner.sh RUN -+ env_vars: -+ # Pin the debian systemd repo to a specific revision, to work around -+ # missing systemd/systemd#20056 in pre-v250 stable branches -+ - name: BRANCH -+ value: e138f8573a14f8f094bd6c9582bc26ed62c1347f --- -2.33.0 - diff --git a/backport-ci-replace-apt-key-with-signed-by.patch b/backport-ci-replace-apt-key-with-signed-by.patch deleted file mode 100644 index ba60037..0000000 --- a/backport-ci-replace-apt-key-with-signed-by.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 84230ae4e3a10fccfb4750b832d2c70fe56df128 Mon Sep 17 00:00:00 2001 -From: Evgeny Vereshchagin -Date: Sun, 26 Dec 2021 01:11:00 +0000 -Subject: [PATCH] ci: replace apt-key with signed-by - -to limit the scope of the key to apt.llvm.org only. - -This is mostly inspired by https://blog.cloudflare.com/dont-use-apt-key/ - -(cherry picked from commit bfa6bd1be098adc4710e1819b9cd34d65b3855da) -(cherry picked from commit c92297a20c13b7e15b0026b1f36ebe99d86cfce8) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/84230ae4e3a10fccfb4750b832d2c70fe56df128 ---- - .github/workflows/build_test.sh | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh -index 10fa1ea9b0..db38554d97 100755 ---- a/.github/workflows/build_test.sh -+++ b/.github/workflows/build_test.sh -@@ -77,9 +77,10 @@ if [[ "$COMPILER" == clang ]]; then - # llvm package if available in such cases to avoid that. - if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then - # Latest LLVM stack deb packages provided by https://apt.llvm.org/ -- # Following snippet was borrowed from https://apt.llvm.org/llvm.sh -- wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - -- add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main" -+ # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh -+ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg -+ printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/ llvm-toolchain-%s-%s main\n" \ -+ "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list - PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION") - fi - elif [[ "$COMPILER" == gcc ]]; then --- -2.33.0 - diff --git a/backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch b/backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch deleted file mode 100644 index e9988f4..0000000 --- a/backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 9d08ba9b3fa7542037e0522c10d63517366afda6 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Fri, 12 Nov 2021 17:37:15 +0100 -Subject: [PATCH] ci: run the unit_tests and mkosi jobs on stable branches as - well - -To provide more coverage for the systemd-stable repo. - -See: https://github.com/systemd/systemd-stable/issues/24 -(cherry picked from commit c76a83858996148fea36d1018b4707ce5334363b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9d08ba9b3fa7542037e0522c10d63517366afda6 ---- - .github/workflows/mkosi.yml | 2 ++ - .github/workflows/unit_tests.yml | 1 + - 2 files changed, 3 insertions(+) - -diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml -index f67fd23b1c..489eb01880 100644 ---- a/.github/workflows/mkosi.yml -+++ b/.github/workflows/mkosi.yml -@@ -6,9 +6,11 @@ on: - push: - branches: - - main -+ - v[0-9]+-stable - pull_request: - branches: - - main -+ - v[0-9]+-stable - - jobs: - ci: -diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml -index aaf8fcad3d..4a19a6a1c8 100644 ---- a/.github/workflows/unit_tests.yml -+++ b/.github/workflows/unit_tests.yml -@@ -6,6 +6,7 @@ on: - pull_request: - branches: - - main -+ - v[0-9]+-stable - - jobs: - build: --- -2.33.0 - diff --git a/backport-ci-take-CIFuzz-s-matrix-into-consideration.patch b/backport-ci-take-CIFuzz-s-matrix-into-consideration.patch deleted file mode 100644 index e9dcbb1..0000000 --- a/backport-ci-take-CIFuzz-s-matrix-into-consideration.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 428d4988d2bc68e189481f7b46ffd1f84090aadd Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Wed, 10 Nov 2021 20:15:41 +0100 -Subject: [PATCH] ci: take CIFuzz's matrix into consideration - -Otherwise the jobs will try to cancel each other out. - -Follow-up to 3884837610168e6fb69fc2d5709f6c017a30beb9. - -(cherry picked from commit 8b212f3596d03f8e1025cd151d17f9a82433844a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/428d4988d2bc68e189481f7b46ffd1f84090aadd ---- - .github/workflows/cifuzz.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml -index df1fb15ace..8ab2a4cf55 100644 ---- a/.github/workflows/cifuzz.yml -+++ b/.github/workflows/cifuzz.yml -@@ -20,7 +20,7 @@ jobs: - runs-on: ubuntu-latest - if: github.repository == 'systemd/systemd' - concurrency: -- group: ${{ github.workflow }}-${{ github.ref }} -+ group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }} - cancel-in-progress: true - strategy: - fail-fast: false --- -2.33.0 - diff --git a/backport-ci-use-the-system-llvm-11-package-on-Focal.patch b/backport-ci-use-the-system-llvm-11-package-on-Focal.patch deleted file mode 100644 index 8c9591d..0000000 --- a/backport-ci-use-the-system-llvm-11-package-on-Focal.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 441c959460217ba81591ada9185bed2665cdc994 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Mon, 11 Oct 2021 21:12:42 +0200 -Subject: [PATCH] ci: use the system llvm-11 package on Focal - -ATTOW llvm-11 got into focal-updates, which conflicts with llvm-11 -provided by the apt.llvm.org repositories. Let's use the system -llvm package if available in such cases to avoid that. - -(cherry picked from commit 1c71302f70c7d0712d49b5214f5f29b4d6a2c73e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/441c959460217ba81591ada9185bed2665cdc994 ---- - .github/workflows/build_test.sh | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh -index bdcb71ba9c..10fa1ea9b0 100755 ---- a/.github/workflows/build_test.sh -+++ b/.github/workflows/build_test.sh -@@ -71,11 +71,17 @@ if [[ "$COMPILER" == clang ]]; then - CC="clang-$COMPILER_VERSION" - CXX="clang++-$COMPILER_VERSION" - AR="llvm-ar-$COMPILER_VERSION" -- # Latest LLVM stack deb packages provided by https://apt.llvm.org/ -- # Following snippet was borrowed from https://apt.llvm.org/llvm.sh -- wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - -- add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main" -- PACKAGES+=(clang-$COMPILER_VERSION lldb-$COMPILER_VERSION lld-$COMPILER_VERSION clangd-$COMPILER_VERSION) -+ -+ # ATTOW llvm-11 got into focal-updates, which conflicts with llvm-11 -+ # provided by the apt.llvm.org repositories. Let's use the system -+ # llvm package if available in such cases to avoid that. -+ if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then -+ # Latest LLVM stack deb packages provided by https://apt.llvm.org/ -+ # Following snippet was borrowed from https://apt.llvm.org/llvm.sh -+ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - -+ add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main" -+ PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION") -+ fi - elif [[ "$COMPILER" == gcc ]]; then - CC="gcc-$COMPILER_VERSION" - CXX="g++-$COMPILER_VERSION" --- -2.33.0 - diff --git a/backport-clang-format-we-actually-typically-use-16ch-continua.patch b/backport-clang-format-we-actually-typically-use-16ch-continua.patch deleted file mode 100644 index e373bc7..0000000 --- a/backport-clang-format-we-actually-typically-use-16ch-continua.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 8282cc686bedb0cf3702ea4ac2856b39ae351ef3 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 22 Feb 2022 16:51:58 +0100 -Subject: [PATCH] clang-format: we actually typically use 16ch continuation - indentation - -We use 8 for blocks, and 16 for continuation in most cases afaics, hence -say so in .clang-format too - -(cherry picked from commit 92148fb77766767fdb6ad6e52747317dae2aae85) -(cherry picked from commit 4a90c12f4f09f23e071e649422754f04eda6d273) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8282cc686bedb0cf3702ea4ac2856b39ae351ef3 ---- - .clang-format | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/.clang-format b/.clang-format -index 651249c701..c94866fcd5 100644 ---- a/.clang-format -+++ b/.clang-format -@@ -46,7 +46,7 @@ ColumnLimit: 109 - CompactNamespaces: true - ConstructorInitializerAllOnOneLineOrOnePerLine: true - ConstructorInitializerIndentWidth: 8 --ContinuationIndentWidth: 8 -+ContinuationIndentWidth: 16 - Cpp11BracedListStyle: false - ForEachMacros: - - BITMAP_FOREACH --- -2.33.0 - diff --git a/backport-condition-fix-device-tree-firmware-path.patch b/backport-condition-fix-device-tree-firmware-path.patch deleted file mode 100644 index fbfced5..0000000 --- a/backport-condition-fix-device-tree-firmware-path.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 2065d03c1592ff0e9027e1c06b40f55fb3e1d1ae Mon Sep 17 00:00:00 2001 -From: Daniel Braunwarth -Date: Sun, 28 Aug 2022 20:02:50 +0200 -Subject: [PATCH] condition: fix device-tree firmware path - -The path /sys/firmware/device-tree doesn't exist. This should be either -/proc/device-tree or /sys/firmware/devicetree. - -The first path is only a link. So lets use the second path. - -See https://github.com/torvalds/linux/blob/v4.14/drivers/of/base.c#L218. - -(cherry picked from commit 1037178acfd093fb10d8f5e74f3072f78afdf7e8) -(cherry picked from commit 254b77e73cb81265146de653563a7fe3f9936b56) -(cherry picked from commit ba29bb342deb4eeb55debfa7abb4ba97d50df076) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2065d03c1592ff0e9027e1c06b40f55fb3e1d1ae ---- - src/shared/condition.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/shared/condition.c b/src/shared/condition.c -index 6645f771dd..b0520566ed 100644 ---- a/src/shared/condition.c -+++ b/src/shared/condition.c -@@ -555,9 +555,9 @@ static int condition_test_firmware(Condition *c, char **env) { - assert(c->type == CONDITION_FIRMWARE); - - if (streq(c->parameter, "device-tree")) { -- if (access("/sys/firmware/device-tree/", F_OK) < 0) { -+ if (access("/sys/firmware/devicetree/", F_OK) < 0) { - if (errno != ENOENT) -- log_debug_errno(errno, "Unexpected error when checking for /sys/firmware/device-tree/: %m"); -+ log_debug_errno(errno, "Unexpected error when checking for /sys/firmware/devicetree/: %m"); - return false; - } else - return true; --- -2.27.0 - diff --git a/backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch b/backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch deleted file mode 100644 index 853ac72..0000000 --- a/backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 59894983693d36c6017ad995864b5541d7132563 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Koutn=C3=BD?= -Date: Wed, 4 Aug 2021 18:59:35 +0200 -Subject: [PATCH] core: Make sure cgroup_oom_queue is flushed on manager exit - -The unit queues are not serialized/deserialized (they are recreated -after reexec/reload instead). The destroyed units are not removed from -the cgroup_oom_queue. That means the queue may contain possibly invalid -pointers to released units. - -Fix this by removing the units from cgroup_oom_queue as we do for -others. When at it, sync assert checks with currently existing queues -and put them in order in the manager cleanup code. - -(cherry picked from commit 13e721036bf4ba15eb255d8f0a14800f969ac0d7) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/59894983693d36c6017ad995864b5541d7132563 ---- - src/core/manager.c | 4 ++++ - src/core/unit.c | 7 +++++-- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/core/manager.c b/src/core/manager.c -index 8884437347..34891a8754 100644 ---- a/src/core/manager.c -+++ b/src/core/manager.c -@@ -1410,6 +1410,10 @@ static void manager_clear_jobs_and_units(Manager *m) { - assert(!m->cleanup_queue); - assert(!m->gc_unit_queue); - assert(!m->gc_job_queue); -+ assert(!m->cgroup_realize_queue); -+ assert(!m->cgroup_empty_queue); -+ assert(!m->cgroup_oom_queue); -+ assert(!m->target_deps_queue); - assert(!m->stop_when_unneeded_queue); - assert(!m->start_when_upheld_queue); - assert(!m->stop_when_bound_queue); -diff --git a/src/core/unit.c b/src/core/unit.c -index 7e3bd7505e..e469beb534 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -733,6 +733,9 @@ Unit* unit_free(Unit *u) { - if (u->in_dbus_queue) - LIST_REMOVE(dbus_queue, u->manager->dbus_unit_queue, u); - -+ if (u->in_cleanup_queue) -+ LIST_REMOVE(cleanup_queue, u->manager->cleanup_queue, u); -+ - if (u->in_gc_queue) - LIST_REMOVE(gc_queue, u->manager->gc_unit_queue, u); - -@@ -742,8 +745,8 @@ Unit* unit_free(Unit *u) { - if (u->in_cgroup_empty_queue) - LIST_REMOVE(cgroup_empty_queue, u->manager->cgroup_empty_queue, u); - -- if (u->in_cleanup_queue) -- LIST_REMOVE(cleanup_queue, u->manager->cleanup_queue, u); -+ if (u->in_cgroup_oom_queue) -+ LIST_REMOVE(cgroup_oom_queue, u->manager->cgroup_oom_queue, u); - - if (u->in_target_deps_queue) - LIST_REMOVE(target_deps_queue, u->manager->target_deps_queue, u); --- -2.33.0 - diff --git a/backport-core-Parse-log-environment-settings-again-after-appl.patch b/backport-core-Parse-log-environment-settings-again-after-appl.patch deleted file mode 100644 index 0612288..0000000 --- a/backport-core-Parse-log-environment-settings-again-after-appl.patch +++ /dev/null @@ -1,36 +0,0 @@ -From b246b5370e95756e9597d8ec967ae030b442e73f Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Tue, 7 Sep 2021 16:13:56 +0100 -Subject: [PATCH] core: Parse log environment settings again after applying - manager environment - -Currently, SYSTEMD_LOG_LEVEL set in the ManagerEnvironment property in system.conf -or user.conf doesn't affect the manager's logging level. Parsing the logging environment -variables again after pushing the manager environment into the process environment -block makes sure any new environment changes also get taken into account for logging. - -(cherry picked from commit a4303b4096d9a75acd09c5b897ed3d20c9bca6de) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b246b5370e95756e9597d8ec967ae030b442e73f ---- - src/core/main.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/core/main.c b/src/core/main.c -index b32a19a1d8..c64c73883e 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -2454,6 +2454,9 @@ static int parse_configuration(const struct rlimit *saved_rlimit_nofile, - /* Push variables into the manager environment block */ - setenv_manager_environment(); - -+ /* Parse log environment variables again to take into account any new environment variables. */ -+ log_parse_environment(); -+ - return 0; - } - --- -2.33.0 - diff --git a/backport-core-Remove-circular-include.patch b/backport-core-Remove-circular-include.patch deleted file mode 100644 index 14fbb02..0000000 --- a/backport-core-Remove-circular-include.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a203879ae5914fa1a676dbd480a7ad41ca0d8e40 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Tue, 24 Aug 2021 16:19:03 +0100 -Subject: [PATCH] core: Remove circular include - -service.h includes socket.h and socket.h includes service.h. Move -service.h include from socket.h to socket.c to remove the circular -dependency. - -(cherry picked from commit a243128d1fcfc378df9fce1b4997148a17ef23a5) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a203879ae5914fa1a676dbd480a7ad41ca0d8e40 ---- - src/core/socket.c | 1 + - src/core/socket.h | 1 - - 2 files changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/socket.c b/src/core/socket.c -index 8144780bf8..f362a5baa8 100644 ---- a/src/core/socket.c -+++ b/src/core/socket.c -@@ -34,6 +34,7 @@ - #include "process-util.h" - #include "selinux-util.h" - #include "serialize.h" -+#include "service.h" - #include "signal-util.h" - #include "smack-util.h" - #include "socket.h" -diff --git a/src/core/socket.h b/src/core/socket.h -index a65195f2aa..6813bdcf8c 100644 ---- a/src/core/socket.h -+++ b/src/core/socket.h -@@ -5,7 +5,6 @@ typedef struct Socket Socket; - typedef struct SocketPeer SocketPeer; - - #include "mount.h" --#include "service.h" - #include "socket-util.h" - #include "unit.h" - --- -2.33.0 - diff --git a/backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch b/backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch deleted file mode 100644 index 61b9130..0000000 --- a/backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 27028ef0f0bc128d14f41e233ad256687fd7e379 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Dec 2021 21:07:22 +0900 -Subject: [PATCH] core/bpf-firewall: make bpf_firewall_supported() always set - unsupported reason when BPF_FIREWALL_UNSUPPORTED is returned - -Otherwise, log_unit_full_errno() in emit_bpf_firewall_warning() will -trigger an assertion. - -(cherry picked from commit 8751bb6f5e89562d438566c374b9c3a1059c9211) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/27028ef0f0bc128d14f41e233ad256687fd7e379 ---- - src/core/bpf-firewall.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c -index 9317edeb4c..4a92052925 100644 ---- a/src/core/bpf-firewall.c -+++ b/src/core/bpf-firewall.c -@@ -869,7 +869,10 @@ int bpf_firewall_supported(void) { - - /* YAY! */ - } else { -- log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); -+ bpf_firewall_unsupported_reason = -+ log_debug_errno(SYNTHETIC_ERRNO(EBADE), -+ "Wut? Kernel accepted our invalid BPF_PROG_DETACH call? " -+ "Something is weird, assuming BPF firewalling is broken and hence not supported."); - return supported = BPF_FIREWALL_UNSUPPORTED; - } - -@@ -897,7 +900,10 @@ int bpf_firewall_supported(void) { - - return supported = BPF_FIREWALL_SUPPORTED; - } else { -- log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported."); -+ bpf_firewall_unsupported_reason = -+ log_debug_errno(SYNTHETIC_ERRNO(EBADE), -+ "Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? " -+ "Something is weird, assuming BPF firewalling is broken and hence not supported."); - return supported = BPF_FIREWALL_UNSUPPORTED; - } - } --- -2.33.0 - diff --git a/backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch b/backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch deleted file mode 100644 index 08a26a1..0000000 --- a/backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 7e79bfce0674c58068d2a125ed666986544e790f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 5 Aug 2021 03:13:48 +0900 -Subject: [PATCH] core/cgroup: fix error handling of cg_remove_xattr() - -(cherry picked from commit 0cddb53c85588fbfb8043f622895c7bd15819198) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7e79bfce0674c58068d2a125ed666986544e790f ---- - src/core/cgroup.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 2cbb789978..eab0929dc5 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -724,13 +724,13 @@ void cgroup_oomd_xattr_apply(Unit *u, const char *cgroup_path) { - - if (c->moom_preference != MANAGED_OOM_PREFERENCE_AVOID) { - r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_avoid"); -- if (r != -ENODATA) -+ if (r < 0 && r != -ENODATA) - log_unit_debug_errno(u, r, "Failed to remove oomd_avoid flag on control group %s, ignoring: %m", cgroup_path); - } - - if (c->moom_preference != MANAGED_OOM_PREFERENCE_OMIT) { - r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_omit"); -- if (r != -ENODATA) -+ if (r < 0 && r != -ENODATA) - log_unit_debug_errno(u, r, "Failed to remove oomd_omit flag on control group %s, ignoring: %m", cgroup_path); - } - } -@@ -762,7 +762,7 @@ static void cgroup_xattr_apply(Unit *u) { - log_unit_debug_errno(u, r, "Failed to set delegate flag on control group %s, ignoring: %m", u->cgroup_path); - } else { - r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "trusted.delegate"); -- if (r != -ENODATA) -+ if (r < 0 && r != -ENODATA) - log_unit_debug_errno(u, r, "Failed to remove delegate flag on control group %s, ignoring: %m", u->cgroup_path); - } - --- -2.33.0 - diff --git a/backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch b/backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch deleted file mode 100644 index 26d4754..0000000 --- a/backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 55af1d4ce32a32ebd3106cbdf1ef8b6cda55175f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 25 Aug 2021 01:28:47 +0900 -Subject: [PATCH] core/cgroup: set bfq.weight first, and fixes blkio.weight - value - -Fixes issues introduced by 29eb0eefd14afc9a2424781a28b376db47c3c570. - -This also fixes the value sets to blkio.weight, that is, "default" is dropped. - -Moreover, This also changes the logic for mapping weight -> bfq.weight, -to always matches the min, max, and default values. - -Fixes #20519 and #21187. - -(cherry picked from commit 17283ce7b6035775f125585d1b228226942daf4b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/55af1d4ce32a32ebd3106cbdf1ef8b6cda55175f ---- - src/core/cgroup.c | 55 +++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 44 insertions(+), 11 deletions(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 79e10ca3c0..8b5b403ae8 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -37,6 +37,12 @@ - - #define CGROUP_CPU_QUOTA_DEFAULT_PERIOD_USEC ((usec_t) 100 * USEC_PER_MSEC) - -+/* Special values for the bfq.weight attribute */ -+#define CGROUP_BFQ_WEIGHT_INVALID UINT64_MAX -+#define CGROUP_BFQ_WEIGHT_MIN UINT64_C(1) -+#define CGROUP_BFQ_WEIGHT_MAX UINT64_C(1000) -+#define CGROUP_BFQ_WEIGHT_DEFAULT UINT64_C(100) -+ - /* Returns the log level to use when cgroup attribute writes fail. When an attribute is missing or we have access - * problems we downgrade to LOG_DEBUG. This is supposed to be nice to container managers and kernels which want to mask - * out specific attributes from us. */ -@@ -1194,21 +1200,48 @@ static int cgroup_apply_devices(Unit *u) { - return r; - } - --static void set_io_weight(Unit *u, const char *controller, uint64_t weight) { -- char buf[8+DECIMAL_STR_MAX(uint64_t)+1]; -- const char *p; -+static void set_io_weight(Unit *u, uint64_t weight) { -+ char buf[STRLEN("default \n")+DECIMAL_STR_MAX(uint64_t)]; -+ uint64_t bfq_weight; -+ -+ assert(u); -+ -+ /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" -+ * See also: https://github.com/systemd/systemd/pull/13335 and -+ * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. -+ * The range is 1..1000 apparently, and the default is 100. */ -+ if (weight <= CGROUP_WEIGHT_DEFAULT) -+ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_WEIGHT_DEFAULT - CGROUP_WEIGHT_MIN); -+ else -+ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_WEIGHT_MAX - CGROUP_WEIGHT_DEFAULT); -+ -+ xsprintf(buf, "%" PRIu64 "\n", bfq_weight); -+ (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf); - -- p = strjoina(controller, ".weight"); - xsprintf(buf, "default %" PRIu64 "\n", weight); -- (void) set_attribute_and_warn(u, controller, p, buf); -+ (void) set_attribute_and_warn(u, "io", "io.weight", buf); -+} -+ -+static void set_blkio_weight(Unit *u, uint64_t weight) { -+ char buf[STRLEN("\n")+DECIMAL_STR_MAX(uint64_t)]; -+ uint64_t bfq_weight; -+ -+ assert(u); - - /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" - * See also: https://github.com/systemd/systemd/pull/13335 and - * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. -- * The range is 1..1000 apparently. */ -- p = strjoina(controller, ".bfq.weight"); -- xsprintf(buf, "%" PRIu64 "\n", (weight + 9) / 10); -- (void) set_attribute_and_warn(u, controller, p, buf); -+ * The range is 1..1000 apparently, and the default is 100. */ -+ if (weight <= CGROUP_BLKIO_WEIGHT_DEFAULT) -+ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_BLKIO_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_BLKIO_WEIGHT_DEFAULT - CGROUP_BLKIO_WEIGHT_MIN); -+ else -+ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_BLKIO_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_BLKIO_WEIGHT_MAX - CGROUP_BLKIO_WEIGHT_DEFAULT); -+ -+ xsprintf(buf, "%" PRIu64 "\n", bfq_weight); -+ (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf); -+ -+ xsprintf(buf, "%" PRIu64 "\n", weight); -+ (void) set_attribute_and_warn(u, "blkio", "blkio.weight", buf); - } - - static void cgroup_apply_bpf_foreign_program(Unit *u) { -@@ -1322,7 +1355,7 @@ static void cgroup_context_apply( - } else - weight = CGROUP_WEIGHT_DEFAULT; - -- set_io_weight(u, "io", weight); -+ set_io_weight(u, weight); - - if (has_io) { - CGroupIODeviceLatency *latency; -@@ -1392,7 +1425,7 @@ static void cgroup_context_apply( - else - weight = CGROUP_BLKIO_WEIGHT_DEFAULT; - -- set_io_weight(u, "blkio", weight); -+ set_blkio_weight(u, weight); - - if (has_io) { - CGroupIODeviceWeight *w; --- -2.33.0 - diff --git a/backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch b/backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch deleted file mode 100644 index 9fa8c71..0000000 --- a/backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch +++ /dev/null @@ -1,82 +0,0 @@ -From d98169555c07668d999ac8ad62718da0ae9eec0f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 10 Nov 2021 11:37:15 +0100 -Subject: [PATCH] core/cgroup: use helper macro for bfq conversion - -As suggested in https://github.com/systemd/systemd/pull/20522#discussion_r696699984. - -(cherry picked from commit 311822ac28c99e2fb0e25286bdb72c9188314a66) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d98169555c07668d999ac8ad62718da0ae9eec0f ---- - src/core/cgroup.c | 34 ++++++++++++++++------------------ - 1 file changed, 16 insertions(+), 18 deletions(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 8b5b403ae8..6e4780f2f6 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1200,9 +1200,21 @@ static int cgroup_apply_devices(Unit *u) { - return r; - } - -+/* Convert the normal io.weight value to io.bfq.weight */ -+#define BFQ_WEIGHT(weight) \ -+ (weight <= CGROUP_WEIGHT_DEFAULT ? \ -+ CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_WEIGHT_DEFAULT - CGROUP_WEIGHT_MIN) : \ -+ CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_WEIGHT_MAX - CGROUP_WEIGHT_DEFAULT)) -+ -+assert_cc(BFQ_WEIGHT(1) == 1); -+assert_cc(BFQ_WEIGHT(50) == 50); -+assert_cc(BFQ_WEIGHT(100) == 100); -+assert_cc(BFQ_WEIGHT(500) == 136); -+assert_cc(BFQ_WEIGHT(5000) == 545); -+assert_cc(BFQ_WEIGHT(10000) == 1000); -+ - static void set_io_weight(Unit *u, uint64_t weight) { - char buf[STRLEN("default \n")+DECIMAL_STR_MAX(uint64_t)]; -- uint64_t bfq_weight; - - assert(u); - -@@ -1210,12 +1222,7 @@ static void set_io_weight(Unit *u, uint64_t weight) { - * See also: https://github.com/systemd/systemd/pull/13335 and - * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. - * The range is 1..1000 apparently, and the default is 100. */ -- if (weight <= CGROUP_WEIGHT_DEFAULT) -- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_WEIGHT_DEFAULT - CGROUP_WEIGHT_MIN); -- else -- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_WEIGHT_MAX - CGROUP_WEIGHT_DEFAULT); -- -- xsprintf(buf, "%" PRIu64 "\n", bfq_weight); -+ xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight)); - (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf); - - xsprintf(buf, "default %" PRIu64 "\n", weight); -@@ -1224,20 +1231,11 @@ static void set_io_weight(Unit *u, uint64_t weight) { - - static void set_blkio_weight(Unit *u, uint64_t weight) { - char buf[STRLEN("\n")+DECIMAL_STR_MAX(uint64_t)]; -- uint64_t bfq_weight; - - assert(u); - -- /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" -- * See also: https://github.com/systemd/systemd/pull/13335 and -- * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. -- * The range is 1..1000 apparently, and the default is 100. */ -- if (weight <= CGROUP_BLKIO_WEIGHT_DEFAULT) -- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_BLKIO_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_BLKIO_WEIGHT_DEFAULT - CGROUP_BLKIO_WEIGHT_MIN); -- else -- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_BLKIO_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_BLKIO_WEIGHT_MAX - CGROUP_BLKIO_WEIGHT_DEFAULT); -- -- xsprintf(buf, "%" PRIu64 "\n", bfq_weight); -+ /* FIXME: see comment in set_io_weight(). */ -+ xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight)); - (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf); - - xsprintf(buf, "%" PRIu64 "\n", weight); --- -2.33.0 - diff --git a/backport-core-check-size-before-mmap.patch b/backport-core-check-size-before-mmap.patch deleted file mode 100644 index b18b157..0000000 --- a/backport-core-check-size-before-mmap.patch +++ /dev/null @@ -1,148 +0,0 @@ -From d7ff7e3b6e2bd9eee809880d3632b293097e22e7 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Wed, 2 Mar 2022 22:03:26 +0100 -Subject: [PATCH] core: check size before mmap - -The data type off_t can be 64 on 32 bit systems if they have large -file support. Since mmap expects a size_t with 32 bits as second -argument truncation could occur. At worst these huge files could -lead to mmaps smaller than the previous check for small files. - -This in turn shouldn't have a lot of impact because mmap allocates -at page size boundaries. This also made the PAGE_ALIGN call in -open_mmap unneeded. In fact it was neither in sync with other mmap -calls nor with its own munmap counterpart in error path. - -If such large files are encountered, which is very unlikely in these -code paths, treat them with the same error as if they are too small. - -(cherry picked from commit 1a823cdeb9faea3849843e0b3dae0fbdd607e8b7) -(cherry picked from commit 6b37adf4a16c8f7e917dfd9f19dab259cda878b2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d7ff7e3b6e2bd9eee809880d3632b293097e22e7 ---- - src/basic/fileio.h | 6 ++++++ - src/basic/locale-util.c | 4 ++++ - src/boot/bootctl.c | 2 +- - src/libsystemd/sd-hwdb/sd-hwdb.c | 4 ++++ - src/libsystemd/sd-journal/catalog.c | 4 ++-- - src/libsystemd/sd-journal/compress.c | 4 ++++ - 6 files changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index 9bd2037f5b..ee356ddb02 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -112,6 +112,12 @@ typedef enum ReadLineFlags { - - int read_line_full(FILE *f, size_t limit, ReadLineFlags flags, char **ret); - -+static inline bool file_offset_beyond_memory_size(off_t x) { -+ if (x < 0) /* off_t is signed, filter that out */ -+ return false; -+ return (uint64_t) x > (uint64_t) SIZE_MAX; -+} -+ - static inline int read_line(FILE *f, size_t limit, char **ret) { - return read_line_full(f, limit, 0, ret); - } -diff --git a/src/basic/locale-util.c b/src/basic/locale-util.c -index fd6b01cfaa..b181646abe 100644 ---- a/src/basic/locale-util.c -+++ b/src/basic/locale-util.c -@@ -15,6 +15,7 @@ - #include "dirent-util.h" - #include "env-util.h" - #include "fd-util.h" -+#include "fileio.h" - #include "hashmap.h" - #include "locale-util.h" - #include "path-util.h" -@@ -113,6 +114,9 @@ static int add_locales_from_archive(Set *locales) { - if (st.st_size < (off_t) sizeof(struct locarhead)) - return -EBADMSG; - -+ if (file_offset_beyond_memory_size(st.st_size)) -+ return -EFBIG; -+ - p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); - if (p == MAP_FAILED) - return -errno; -diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c -index bd96812246..d6eb6d00a5 100644 ---- a/src/boot/bootctl.c -+++ b/src/boot/bootctl.c -@@ -145,7 +145,7 @@ static int get_file_version(int fd, char **v) { - if (r < 0) - return log_error_errno(r, "EFI binary is not a regular file: %m"); - -- if (st.st_size < 27) { -+ if (st.st_size < 27 || file_offset_beyond_memory_size(st.st_size)) { - *v = NULL; - return 0; - } -diff --git a/src/libsystemd/sd-hwdb/sd-hwdb.c b/src/libsystemd/sd-hwdb/sd-hwdb.c -index 53601765fe..748cf26934 100644 ---- a/src/libsystemd/sd-hwdb/sd-hwdb.c -+++ b/src/libsystemd/sd-hwdb/sd-hwdb.c -@@ -15,6 +15,7 @@ - - #include "alloc-util.h" - #include "fd-util.h" -+#include "fileio.h" - #include "hashmap.h" - #include "hwdb-internal.h" - #include "nulstr-util.h" -@@ -312,6 +313,9 @@ _public_ int sd_hwdb_new(sd_hwdb **ret) { - if (hwdb->st.st_size < (off_t) offsetof(struct trie_header_f, strings_len) + 8) - return log_debug_errno(SYNTHETIC_ERRNO(EIO), - "File %s is too short: %m", hwdb_bin_path); -+ if (file_offset_beyond_memory_size(hwdb->st.st_size)) -+ return log_debug_errno(SYNTHETIC_ERRNO(EFBIG), -+ "File %s is too long: %m", hwdb_bin_path); - - hwdb->map = mmap(0, hwdb->st.st_size, PROT_READ, MAP_SHARED, fileno(hwdb->f), 0); - if (hwdb->map == MAP_FAILED) -diff --git a/src/libsystemd/sd-journal/catalog.c b/src/libsystemd/sd-journal/catalog.c -index ce8d47ccc3..f2ad1a2039 100644 ---- a/src/libsystemd/sd-journal/catalog.c -+++ b/src/libsystemd/sd-journal/catalog.c -@@ -524,10 +524,10 @@ static int open_mmap(const char *database, int *_fd, struct stat *_st, void **_p - if (fstat(fd, &st) < 0) - return -errno; - -- if (st.st_size < (off_t) sizeof(CatalogHeader)) -+ if (st.st_size < (off_t) sizeof(CatalogHeader) || file_offset_beyond_memory_size(st.st_size)) - return -EINVAL; - -- p = mmap(NULL, PAGE_ALIGN(st.st_size), PROT_READ, MAP_SHARED, fd, 0); -+ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); - if (p == MAP_FAILED) - return -errno; - -diff --git a/src/libsystemd/sd-journal/compress.c b/src/libsystemd/sd-journal/compress.c -index 837abab76c..cb2e82667f 100644 ---- a/src/libsystemd/sd-journal/compress.c -+++ b/src/libsystemd/sd-journal/compress.c -@@ -25,6 +25,7 @@ - #include "alloc-util.h" - #include "compress.h" - #include "fd-util.h" -+#include "fileio.h" - #include "io-util.h" - #include "journal-def.h" - #include "macro.h" -@@ -807,6 +808,9 @@ int decompress_stream_lz4(int in, int out, uint64_t max_bytes) { - if (fstat(in, &st) < 0) - return log_debug_errno(errno, "fstat() failed: %m"); - -+ if (file_offset_beyond_memory_size(st.st_size)) -+ return -EFBIG; -+ - buf = malloc(LZ4_BUFSIZE); - if (!buf) - return -ENOMEM; --- -2.33.0 - diff --git a/backport-core-command-argument-can-be-longer-than-PATH_MAX.patch b/backport-core-command-argument-can-be-longer-than-PATH_MAX.patch deleted file mode 100644 index 8826eea..0000000 --- a/backport-core-command-argument-can-be-longer-than-PATH_MAX.patch +++ /dev/null @@ -1,69 +0,0 @@ -From a8a4d9a65902b8bfb15395479451070e9644560a Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 5 Apr 2022 21:47:46 +0900 -Subject: [PATCH] core: command argument can be longer than PATH_MAX - -Fixes a bug introduced by 065364920281e1cf59cab989e17aff21790505c4. - -Fixes #22957. - -(cherry picked from commit 58dd4999dcc81a0ed92fbd78bce3592c3e3afe9e) -(cherry picked from commit 9727b9ee7b90afb8fa0e6328dcb6c34b1522d4fd) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/a8a4d9a65902b8bfb15395479451070e9644560a ---- - src/core/load-fragment.c | 2 +- - src/test/test-load-fragment.c | 16 ++++++++++++++++ - 2 files changed, 17 insertions(+), 1 deletion(-) - -diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 399a759ad0..cd07f3e60d 100644 ---- a/src/core/load-fragment.c -+++ b/src/core/load-fragment.c -@@ -849,7 +849,7 @@ int config_parse_exec( - if (r < 0) - return ignore ? 0 : -ENOEXEC; - -- r = unit_path_printf(u, word, &resolved); -+ r = unit_full_printf(u, word, &resolved); - if (r < 0) { - log_syntax(unit, ignore ? LOG_WARNING : LOG_ERR, filename, line, r, - "Failed to resolve unit specifiers in %s%s: %m", -diff --git a/src/test/test-load-fragment.c b/src/test/test-load-fragment.c -index b41a8abf7b..1a0a0579b2 100644 ---- a/src/test/test-load-fragment.c -+++ b/src/test/test-load-fragment.c -@@ -10,6 +10,7 @@ - #include "capability-util.h" - #include "conf-parser.h" - #include "fd-util.h" -+#include "fileio.h" - #include "format-util.h" - #include "fs-util.h" - #include "hashmap.h" -@@ -412,6 +413,21 @@ static void test_config_parse_exec(void) { - assert_se(r == 0); - assert_se(c1->command_next == NULL); - -+ log_info("/* long arg */"); /* See issue #22957. */ -+ -+ char x[LONG_LINE_MAX-100], *y; -+ y = mempcpy(x, "/bin/echo ", STRLEN("/bin/echo ")); -+ memset(y, 'x', sizeof(x) - STRLEN("/bin/echo ") - 1); -+ x[sizeof(x) - 1] = '\0'; -+ -+ r = config_parse_exec(NULL, "fake", 5, "section", 1, -+ "LValue", 0, x, -+ &c, u); -+ assert_se(r >= 0); -+ c1 = c1->command_next; -+ check_execcommand(c1, -+ "/bin/echo", NULL, y, NULL, false); -+ - log_info("/* empty argument, reset */"); - r = config_parse_exec(NULL, "fake", 4, "section", 1, - "LValue", 0, "", --- -2.33.0 - diff --git a/backport-core-device-also-serialize-deserialize-device-syspat.patch b/backport-core-device-also-serialize-deserialize-device-syspat.patch deleted file mode 100644 index 32b057f..0000000 --- a/backport-core-device-also-serialize-deserialize-device-syspat.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 1ea74fca3a3c737f3901bc10d879b7830b3528bf Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 25 Oct 2022 21:41:17 +0900 -Subject: [PATCH] core/device: also serialize/deserialize device syspath - -The field will be used in later commits. ---- - src/core/device.c | 13 ++++++++++++- - src/core/device.h | 2 +- - 2 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/src/core/device.c b/src/core/device.c -index 9d694aa..26a6d1f 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -114,6 +114,7 @@ static void device_done(Unit *u) { - assert(d); - - device_unset_sysfs(d); -+ d->deserialized_sysfs = mfree(d->deserialized_sysfs); - d->wants_property = strv_free(d->wants_property); - } - -@@ -295,6 +296,9 @@ static int device_serialize(Unit *u, FILE *f, FDSet *fds) { - assert(f); - assert(fds); - -+ if (d->sysfs) -+ (void) serialize_item(f, "sysfs", d->sysfs); -+ - (void) serialize_item(f, "state", device_state_to_string(d->state)); - - if (device_found_to_string_many(d->found, &s) >= 0) -@@ -312,7 +316,14 @@ static int device_deserialize_item(Unit *u, const char *key, const char *value, - assert(value); - assert(fds); - -- if (streq(key, "state")) { -+ if (streq(key, "sysfs")) { -+ if (!d->deserialized_sysfs) { -+ d->deserialized_sysfs = strdup(value); -+ if (!d->deserialized_sysfs) -+ log_oom_debug(); -+ } -+ -+ } else if (streq(key, "state")) { - DeviceState state; - - state = device_state_from_string(value); -diff --git a/src/core/device.h b/src/core/device.h -index dfe8a13..99bf134 100644 ---- a/src/core/device.h -+++ b/src/core/device.h -@@ -20,7 +20,7 @@ typedef enum DeviceFound { - struct Device { - Unit meta; - -- char *sysfs; -+ char *sysfs, *deserialized_sysfs; - - /* In order to be able to distinguish dependencies on different device nodes we might end up creating multiple - * devices for the same sysfs path. We chain them up here. */ --- -2.33.0 - diff --git a/backport-core-device-device_coldplug-don-t-set-DEVICE_DEAD.patch b/backport-core-device-device_coldplug-don-t-set-DEVICE_DEAD.patch deleted file mode 100644 index 2f3964c..0000000 --- a/backport-core-device-device_coldplug-don-t-set-DEVICE_DEAD.patch +++ /dev/null @@ -1,43 +0,0 @@ -From cf1ac0cfe44997747b0f857a1d0b67cea1298272 Mon Sep 17 00:00:00 2001 -From: Martin Wilck -Date: Wed, 25 May 2022 12:01:00 +0200 -Subject: [PATCH] core/device: device_coldplug(): don't set DEVICE_DEAD - -dm-crypt device units generated by systemd-cryptsetup-generator -habe BindsTo= dependencies on their backend devices. The dm-crypt -devices have the db_persist flag set, and thus survive the udev db -cleanup while switching root. But backend devices usually don't survive. -These devices are neither mounted nor used for swap, thus they will -seen as DEVICE_NOT_FOUND after switching root. - -The BindsTo dependency will cause systemd to schedule a stop -job for the dm-crypt device, breaking boot: - -[ 68.929457] krypton systemd[1]: systemd-cryptsetup@cr_root.service: Unit is stopped because bound to inactive unit dev-disk-by\x2duuid-3bf91f73\x2d1ee8\x2d4cfc\x2d9048\x2d93ba349b786d.device. -[ 68.945660] krypton systemd[1]: systemd-cryptsetup@cr_root.service: Trying to enqueue job systemd-cryptsetup@cr_root.service/stop/replace -[ 69.473459] krypton systemd[1]: systemd-cryptsetup@cr_root.service: Installed new job systemd-cryptsetup@cr_root.service/stop as 343 - -Avoid this by not setting the state of the backend devices to -DEVICE_DEAD. - -Fixes the LUKS setup issue reported in #23429. ---- - src/core/device.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/core/device.c b/src/core/device.c -index 4c261ec554..8728630523 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -205,8 +205,6 @@ static int device_coldplug(Unit *u) { - found &= ~DEVICE_FOUND_UDEV; /* ignore DEVICE_FOUND_UDEV bit */ - if (state == DEVICE_PLUGGED) - state = DEVICE_TENTATIVE; /* downgrade state */ -- if (found == DEVICE_NOT_FOUND) -- state = DEVICE_DEAD; /* If nobody sees the device, downgrade more */ - } - - if (d->found == found && d->state == state) --- -2.33.0 - diff --git a/backport-core-device-do-not-downgrade-device-state-if-it-is-a.patch b/backport-core-device-do-not-downgrade-device-state-if-it-is-a.patch deleted file mode 100644 index 7607580..0000000 --- a/backport-core-device-do-not-downgrade-device-state-if-it-is-a.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 4fc69e8a0949c2537019466f839d9b7aee5628c9 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 20 May 2022 10:25:12 +0200 -Subject: [PATCH] core/device: do not downgrade device state if it is already - enumerated - -On switching root, a device may have a persistent databse. In that case, -Device.enumerated_found may have DEVICE_FOUND_UDEV flag, and it is not -necessary to downgrade the Device.deserialized_found and -Device.deserialized_state. Otherwise, the state of the device unit may -be changed plugged -> dead -> plugged, if the device has not been mounted. - -Fixes #23429. - -[mwilck: cherry-picked from #23437] ---- - src/core/device.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/core/device.c b/src/core/device.c -index 8728630523..fcde8a420e 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -201,7 +201,8 @@ static int device_coldplug(Unit *u) { - * Of course, deserialized parameters may be outdated, but the unit state can be adjusted later by - * device_catchup() or uevents. */ - -- if (!m->honor_device_enumeration && !MANAGER_IS_USER(m)) { -+ if (!m->honor_device_enumeration && !MANAGER_IS_USER(m) && -+ !FLAGS_SET(d->enumerated_found, DEVICE_FOUND_UDEV)) { - found &= ~DEVICE_FOUND_UDEV; /* ignore DEVICE_FOUND_UDEV bit */ - if (state == DEVICE_PLUGGED) - state = DEVICE_TENTATIVE; /* downgrade state */ --- -2.33.0 - diff --git a/backport-core-device-drop-unnecessary-condition.patch b/backport-core-device-drop-unnecessary-condition.patch deleted file mode 100644 index 1e8b7bf..0000000 --- a/backport-core-device-drop-unnecessary-condition.patch +++ /dev/null @@ -1,28 +0,0 @@ -From f33bc87989a87475ed41bc9cd715c4cbb18ee389 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 1 May 2022 21:42:43 +0900 -Subject: [PATCH] core/device: drop unnecessary condition - ---- - src/core/device.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/core/device.c b/src/core/device.c -index 44425cda3c..934676287e 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -179,10 +179,7 @@ static void device_catchup(Unit *u) { - - assert(d); - -- /* Second, let's update the state with the enumerated state if it's different */ -- if (d->enumerated_found == d->found) -- return; -- -+ /* Second, let's update the state with the enumerated state */ - device_update_found_one(d, d->enumerated_found, DEVICE_FOUND_MASK); - } - --- -2.33.0 - diff --git a/backport-core-device-ignore-DEVICE_FOUND_UDEV-bit-on-switchin.patch b/backport-core-device-ignore-DEVICE_FOUND_UDEV-bit-on-switchin.patch deleted file mode 100644 index f2b4096..0000000 --- a/backport-core-device-ignore-DEVICE_FOUND_UDEV-bit-on-switchin.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 75d7b5989f99125e52d5c0e5656fa1cd0fae2405 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 29 Apr 2022 20:29:11 +0900 -Subject: [PATCH] core/device: ignore DEVICE_FOUND_UDEV bit on switching root - -The issue #12953 is caused by the following: -On switching root, -- deserialized_found == DEVICE_FOUND_UDEV | DEVICE_FOUND_MOUNT, -- deserialized_state == DEVICE_PLUGGED, -- enumerated_found == DEVICE_FOUND_MOUNT, -On switching root, most devices are not found by the enumeration process. -Hence, the device state is set to plugged by device_coldplug(), and then -changed to the dead state in device_catchup(). So the corresponding -mount point is unmounted. Later when the device is processed by udevd, it -will be changed to plugged state again. - -The issue #23208 is caused by the fact that generated udev database in -initramfs and the main system are often different. - -So, the two issues have the same root; we should not honor -DEVICE_FOUND_UDEV bit in the deserialized_found on switching root. - -This partially reverts c6e892bc0eebe1d42c282bd2d8bae149fbeba85f. - -Fixes #12953 and #23208. -Replaces #23215. - -Co-authored-by: Martin Wilck ---- - src/core/device.c | 59 +++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 49 insertions(+), 10 deletions(-) - -diff --git a/src/core/device.c b/src/core/device.c -index 934676287e..1a4563a3d9 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -163,14 +163,57 @@ static int device_coldplug(Unit *u) { - assert(d->state == DEVICE_DEAD); - - /* First, let's put the deserialized state and found mask into effect, if we have it. */ -+ if (d->deserialized_state < 0) -+ return 0; -+ -+ Manager *m = u->manager; -+ DeviceFound found = d->deserialized_found; -+ DeviceState state = d->deserialized_state; -+ -+ /* On initial boot, switch-root, reload, reexecute, the following happen: -+ * 1. MANAGER_IS_RUNNING() == false -+ * 2. enumerate devices: manager_enumerate() -> device_enumerate() -+ * Device.enumerated_found is set. -+ * 3. deserialize devices: manager_deserialize() -> device_deserialize() -+ * Device.deserialize_state and Device.deserialized_found are set. -+ * 4. coldplug devices: manager_coldplug() -> device_coldplug() -+ * deserialized properties are copied to the main properties. -+ * 5. MANAGER_IS_RUNNING() == true: manager_ready() -+ * 6. catchup devices: manager_catchup() -> device_catchup() -+ * Device.enumerated_found is applied to Device.found, and state is updated based on that. -+ * -+ * Notes: -+ * - On initial boot, no udev database exists. Hence, no devices are enumerated in the step 2. -+ * Also, there is no deserialized device. Device units are (a) generated based on dependencies of -+ * other units, or (b) generated when uevents are received. -+ * -+ * - On switch-root, the udev databse may be cleared, except for devices with sticky bit, i.e. -+ * OPTIONS="db_persist". Hence, almost no devices are enumerated in the step 2. However, in general, -+ * we have several serialized devices. So, DEVICE_FOUND_UDEV bit in the deserialized_found must be -+ * ignored, as udev rules in initramfs and the main system are often different. If the deserialized -+ * state is DEVICE_PLUGGED, we need to downgrade it to DEVICE_TENTATIVE (or DEVICE_DEAD if nobody -+ * sees the device). Unlike the other starting mode, Manager.honor_device_enumeration == false -+ * (maybe, it is better to rename the flag) when device_coldplug() and device_catchup() are called. -+ * Hence, let's conditionalize the operations by using the flag. After switch-root, systemd-udevd -+ * will (re-)process all devices, and the Device.found and Device.state will be adjusted. -+ * -+ * - On reload or reexecute, we can trust enumerated_found, deserialized_found, and deserialized_state. -+ * Of course, deserialized parameters may be outdated, but the unit state can be adjusted later by -+ * device_catchup() or uevents. */ -+ -+ if (!m->honor_device_enumeration && !MANAGER_IS_USER(m)) { -+ found &= ~DEVICE_FOUND_UDEV; /* ignore DEVICE_FOUND_UDEV bit */ -+ if (state == DEVICE_PLUGGED) -+ state = DEVICE_TENTATIVE; /* downgrade state */ -+ if (found == DEVICE_NOT_FOUND) -+ state = DEVICE_DEAD; /* If nobody sees the device, downgrade more */ -+ } - -- if (d->deserialized_state < 0 || -- (d->deserialized_state == d->state && -- d->deserialized_found == d->found)) -+ if (d->found == found && d->state == state) - return 0; - -- d->found = d->deserialized_found; -- device_set_state(d, d->deserialized_state); -+ d->found = found; -+ device_set_state(d, state); - return 0; - } - -@@ -644,13 +687,9 @@ static void device_found_changed(Device *d, DeviceFound previous, DeviceFound no - } - - static void device_update_found_one(Device *d, DeviceFound found, DeviceFound mask) { -- Manager *m; -- - assert(d); - -- m = UNIT(d)->manager; -- -- if (MANAGER_IS_RUNNING(m) && (m->honor_device_enumeration || MANAGER_IS_USER(m))) { -+ if (MANAGER_IS_RUNNING(UNIT(d)->manager)) { - DeviceFound n, previous; - - /* When we are already running, then apply the new mask right-away, and trigger state changes --- -2.33.0 - diff --git a/backport-core-device-update-comment.patch b/backport-core-device-update-comment.patch deleted file mode 100644 index c52fbdb..0000000 --- a/backport-core-device-update-comment.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 54a4d71509c0f3401aa576346754a0781795214a Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 25 Oct 2022 21:40:21 +0900 -Subject: [PATCH] core/device: update comment - ---- - src/core/device.c | 29 +++++++++++++++++------------ - 1 file changed, 17 insertions(+), 12 deletions(-) - -diff --git a/src/core/device.c b/src/core/device.c -index 0bca0ff..9d694aa 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -172,7 +172,7 @@ static int device_coldplug(Unit *u) { - * 1. MANAGER_IS_RUNNING() == false - * 2. enumerate devices: manager_enumerate() -> device_enumerate() - * Device.enumerated_found is set. -- * 3. deserialize devices: manager_deserialize() -> device_deserialize() -+ * 3. deserialize devices: manager_deserialize() -> device_deserialize_item() - * Device.deserialize_state and Device.deserialized_found are set. - * 4. coldplug devices: manager_coldplug() -> device_coldplug() - * deserialized properties are copied to the main properties. -@@ -187,22 +187,27 @@ static int device_coldplug(Unit *u) { - * - * - On switch-root, the udev databse may be cleared, except for devices with sticky bit, i.e. - * OPTIONS="db_persist". Hence, almost no devices are enumerated in the step 2. However, in general, -- * we have several serialized devices. So, DEVICE_FOUND_UDEV bit in the deserialized_found must be -- * ignored, as udev rules in initramfs and the main system are often different. If the deserialized -- * state is DEVICE_PLUGGED, we need to downgrade it to DEVICE_TENTATIVE. Unlike the other starting -- * mode, MANAGER_IS_SWITCHING_ROOT() is true when device_coldplug() and device_catchup() are called. -- * Hence, let's conditionalize the operations by using the flag. After switch-root, systemd-udevd -- * will (re-)process all devices, and the Device.found and Device.state will be adjusted. -+ * we have several serialized devices. So, DEVICE_FOUND_UDEV bit in the -+ * Device.deserialized_found must be ignored, as udev rules in initrd and the main system are often -+ * different. If the deserialized state is DEVICE_PLUGGED, we need to downgrade it to -+ * DEVICE_TENTATIVE. Unlike the other starting mode, MANAGER_IS_SWITCHING_ROOT() is true when -+ * device_coldplug() and device_catchup() are called. Hence, let's conditionalize the operations by -+ * using the flag. After switch-root, systemd-udevd will (re-)process all devices, and the -+ * Device.found and Device.state will be adjusted. - * -- * - On reload or reexecute, we can trust enumerated_found, deserialized_found, and deserialized_state. -- * Of course, deserialized parameters may be outdated, but the unit state can be adjusted later by -- * device_catchup() or uevents. */ -+ * - On reload or reexecute, we can trust Device.enumerated_found, Device.deserialized_found, and -+ * Device.deserialized_state. Of course, deserialized parameters may be outdated, but the unit -+ * state can be adjusted later by device_catchup() or uevents. */ - - if (MANAGER_IS_SWITCHING_ROOT(m) && - !FLAGS_SET(d->enumerated_found, DEVICE_FOUND_UDEV)) { -- found &= ~DEVICE_FOUND_UDEV; /* ignore DEVICE_FOUND_UDEV bit */ -+ /* The device has not been enumerated. On switching-root, such situation is natural. See the -+ * above comment. To prevent problematic state transition active → dead → active, let's -+ * drop the DEVICE_FOUND_UDEV flag and downgrade state to DEVICE_TENTATIVE(activating). See -+ * issue #12953 and #23208. */ -+ found &= ~DEVICE_FOUND_UDEV; - if (state == DEVICE_PLUGGED) -- state = DEVICE_TENTATIVE; /* downgrade state */ -+ state = DEVICE_TENTATIVE; - } - - if (d->found == found && d->state == state) --- -2.33.0 - diff --git a/backport-core-device-verify-device-syspath-on-switching-root.patch b/backport-core-device-verify-device-syspath-on-switching-root.patch deleted file mode 100644 index eae111e..0000000 --- a/backport-core-device-verify-device-syspath-on-switching-root.patch +++ /dev/null @@ -1,42 +0,0 @@ -From b6c86ae28149c4abb2f0bd6acab13153382da9e7 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 26 Oct 2022 01:18:05 +0900 -Subject: [PATCH] core/device: verify device syspath on switching root - -Otherwise, if a device is removed while switching root, then the -corresponding .device unit will never go to inactive state. - -This replaces the code dropped by cf1ac0cfe44997747b0f857a1d0b67cea1298272. - -Fixes #25106. ---- - src/core/device.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/core/device.c b/src/core/device.c -index 7e354b2b4a..6e07f2745b 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -305,6 +305,19 @@ static int device_coldplug(Unit *u) { - found &= ~DEVICE_FOUND_UDEV; - if (state == DEVICE_PLUGGED) - state = DEVICE_TENTATIVE; -+ -+ /* Also check the validity of the device syspath. Without this check, if the device was -+ * removed while switching root, it would never go to inactive state, as both Device.found -+ * and Device.enumerated_found do not have the DEVICE_FOUND_UDEV flag, so device_catchup() in -+ * device_update_found_one() does nothing in most cases. See issue #25106. Note that the -+ * syspath field is only serialized when systemd is sufficiently new and the device has been -+ * already processed by udevd. */ -+ if (d->deserialized_sysfs) { -+ _cleanup_(sd_device_unrefp) sd_device *dev = NULL; -+ -+ if (sd_device_new_from_syspath(&dev, d->deserialized_sysfs) < 0) -+ state = DEVICE_DEAD; -+ } - } - - if (d->found == found && d->state == state) --- -2.33.0 - diff --git a/backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch b/backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch deleted file mode 100644 index 2aac40f..0000000 --- a/backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 37e8b3a312e64886c6fb1401c741dee7c8c102f4 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Fri, 28 Jan 2022 22:56:10 +0000 -Subject: [PATCH] core: don't fail on EEXIST when creating mount point - -systemd[1016]: Failed to mount /tmp/app1 (type n/a) on /run/systemd/unit-extensions/1 (MS_BIND ): No such file or directory -systemd[1016]: Failed to create destination mount point node '/run/systemd/unit-extensions/1': File exists - -(cherry picked from commit 9d6d4c305ab8d65aab7f546450d7331f760b7259) -(cherry picked from commit ae8bc570a81e1286eb5b59a77ef179a500b95f9d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/37e8b3a312e64886c6fb1401c741dee7c8c102f4 ---- - src/core/namespace.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index a6c6963bb7..19942d912f 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -1380,7 +1380,7 @@ static int apply_one_mount( - (void) mkdir_parents(mount_entry_path(m), 0755); - - q = make_mount_point_inode_from_path(what, mount_entry_path(m), 0755); -- if (q < 0) -+ if (q < 0 && q != -EEXIST) - log_error_errno(q, "Failed to create destination mount point node '%s': %m", - mount_entry_path(m)); - else --- -2.33.0 - diff --git a/backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch b/backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch deleted file mode 100644 index 1102871..0000000 --- a/backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 7a58bf7aac8b2c812ee0531b0cc426e0067edd35 Mon Sep 17 00:00:00 2001 -From: Henri Chain -Date: Tue, 5 Oct 2021 13:10:31 +0200 -Subject: [PATCH] core: fix SIGABRT on empty exec command argv - -This verifies that the argv part of any exec_command parameters that -are sent through dbus is not empty at deserialization time. - -There is an additional check in service.c service_verify() that again -checks if all exec_commands are correctly populated, after the service -has been loaded, whether through dbus or otherwise. - -Fixes #20933. - -(cherry picked from commit 29500cf8c47e6eb0518d171d62aa8213020c9152) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7a58bf7aac8b2c812ee0531b0cc426e0067edd35 ---- - src/core/dbus-execute.c | 4 ++++ - src/core/service.c | 10 ++++++++++ - test/units/testsuite-23.sh | 31 +++++++++++++++++++++++++++++++ - 3 files changed, 45 insertions(+) - -diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c -index 50daef6702..902e074bd2 100644 ---- a/src/core/dbus-execute.c -+++ b/src/core/dbus-execute.c -@@ -1421,6 +1421,10 @@ int bus_set_transient_exec_command( - if (r < 0) - return r; - -+ if (strv_isempty(argv)) -+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, -+ "\"%s\" argv cannot be empty", name); -+ - r = is_ex_prop ? sd_bus_message_read_strv(message, &ex_opts) : sd_bus_message_read(message, "b", &b); - if (r < 0) - return r; -diff --git a/src/core/service.c b/src/core/service.c -index b7cfc04c84..e061d488c7 100644 ---- a/src/core/service.c -+++ b/src/core/service.c -@@ -548,6 +548,16 @@ static int service_verify(Service *s) { - assert(s); - assert(UNIT(s)->load_state == UNIT_LOADED); - -+ for (ServiceExecCommand c = 0; c < _SERVICE_EXEC_COMMAND_MAX; c++) { -+ ExecCommand *command; -+ -+ LIST_FOREACH(command, command, s->exec_command[c]) -+ if (strv_isempty(command->argv)) -+ return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), -+ "Service has an empty argv in %s=. Refusing.", -+ service_exec_command_to_string(c)); -+ } -+ - if (!s->exec_command[SERVICE_EXEC_START] && !s->exec_command[SERVICE_EXEC_STOP] && - UNIT(s)->success_action == EMERGENCY_ACTION_NONE) - /* FailureAction= only makes sense if one of the start or stop commands is specified. -diff --git a/test/units/testsuite-23.sh b/test/units/testsuite-23.sh -index 4ef7c878a8..5488447a87 100755 ---- a/test/units/testsuite-23.sh -+++ b/test/units/testsuite-23.sh -@@ -27,6 +27,37 @@ test "$(systemctl show --value -p RestartKillSignal seven.service)" -eq 2 - systemctl restart seven.service - systemctl stop seven.service - -+# For issue #20933 -+ -+# Should work normally -+busctl call \ -+ org.freedesktop.systemd1 /org/freedesktop/systemd1 \ -+ org.freedesktop.systemd1.Manager StartTransientUnit \ -+ "ssa(sv)a(sa(sv))" test-20933-ok.service replace 1 \ -+ ExecStart "a(sasb)" 1 \ -+ /usr/bin/sleep 2 /usr/bin/sleep 1 true \ -+ 0 -+ -+# DBus call should fail but not crash systemd -+busctl call \ -+ org.freedesktop.systemd1 /org/freedesktop/systemd1 \ -+ org.freedesktop.systemd1.Manager StartTransientUnit \ -+ "ssa(sv)a(sa(sv))" test-20933-bad.service replace 1 \ -+ ExecStart "a(sasb)" 1 \ -+ /usr/bin/sleep 0 true \ -+ 0 && { echo 'unexpected success'; exit 1; } -+ -+# Same but with the empty argv in the middle -+busctl call \ -+ org.freedesktop.systemd1 /org/freedesktop/systemd1 \ -+ org.freedesktop.systemd1.Manager StartTransientUnit \ -+ "ssa(sv)a(sa(sv))" test-20933-bad-middle.service replace 1 \ -+ ExecStart "a(sasb)" 3 \ -+ /usr/bin/sleep 2 /usr/bin/sleep 1 true \ -+ /usr/bin/sleep 0 true \ -+ /usr/bin/sleep 2 /usr/bin/sleep 1 true \ -+ 0 && { echo 'unexpected success'; exit 1; } -+ - systemd-analyze log-level info - - echo OK >/testok --- -2.33.0 - diff --git a/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch b/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch deleted file mode 100644 index ad3d401..0000000 --- a/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b5162039b2309b78a9c1feb6cc1355988e02b6c3 Mon Sep 17 00:00:00 2001 -From: xujing <17826839720@163.com> -Date: Wed, 8 Sep 2021 14:26:20 +0800 -Subject: [PATCH] core: fix free undefined pointer when strdup failed in the - first loop - -(cherry picked from commit 1509274359979079e3e61899ce12fc8b0f0958d9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b5162039b2309b78a9c1feb6cc1355988e02b6c3 ---- - src/core/load-fragment.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 8fb3c378ee..399a759ad0 100644 ---- a/src/core/load-fragment.c -+++ b/src/core/load-fragment.c -@@ -800,7 +800,7 @@ int config_parse_exec( - if (!separate_argv0) { - char *w = NULL; - -- if (!GREEDY_REALLOC(n, nlen + 2)) -+ if (!GREEDY_REALLOC0(n, nlen + 2)) - return log_oom(); - - w = strdup(path); -@@ -832,7 +832,7 @@ int config_parse_exec( - p += 2; - p += strspn(p, WHITESPACE); - -- if (!GREEDY_REALLOC(n, nlen + 2)) -+ if (!GREEDY_REALLOC0(n, nlen + 2)) - return log_oom(); - - w = strdup(";"); --- -2.33.0 - diff --git a/backport-core-ignore-failure-on-setting-smack-process-label-w.patch b/backport-core-ignore-failure-on-setting-smack-process-label-w.patch deleted file mode 100644 index 4ee196a..0000000 --- a/backport-core-ignore-failure-on-setting-smack-process-label-w.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 4e057fc39be6ce27afcf0371ebcb7e224a7eeb2d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 1 Nov 2021 13:48:32 +0900 -Subject: [PATCH] core: ignore failure on setting smack process label when - allowed - -(cherry picked from commit 29ff62473b119c0e1d3467148eddcdccc2c9b732) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4e057fc39be6ce27afcf0371ebcb7e224a7eeb2d ---- - src/core/execute.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index e324db87cc..2f2de4d9cf 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -4408,7 +4408,7 @@ static int exec_child( - * process. This is the latest place before dropping capabilities. Other MAC context are set later. */ - if (use_smack) { - r = setup_smack(context, executable_fd); -- if (r < 0) { -+ if (r < 0 && !context->smack_process_label_ignore) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m"); - } --- -2.33.0 - diff --git a/backport-core-introduce-MANAGER_IS_SWITCHING_ROOT-helper-func.patch b/backport-core-introduce-MANAGER_IS_SWITCHING_ROOT-helper-func.patch deleted file mode 100644 index 29f5352..0000000 --- a/backport-core-introduce-MANAGER_IS_SWITCHING_ROOT-helper-func.patch +++ /dev/null @@ -1,91 +0,0 @@ -From d35fe8c0afaa55441608cb7bbfa4af908e1ea8e3 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Thu, 5 May 2022 08:49:56 +0200 -Subject: [PATCH] core: introduce MANAGER_IS_SWITCHING_ROOT() helper function - -Will be used by the following commit. ---- - src/core/main.c | 3 +++ - src/core/manager.c | 6 ++++++ - src/core/manager.h | 6 ++++++ - 3 files changed, 15 insertions(+) - -diff --git a/src/core/main.c b/src/core/main.c -index 1213ad6..df4fb9d 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -1981,6 +1981,8 @@ static int invoke_main_loop( - return 0; - - case MANAGER_SWITCH_ROOT: -+ manager_set_switching_root(m, true); -+ - if (!m->switch_root_init) { - r = prepare_reexecute(m, &arg_serialization, ret_fds, true); - if (r < 0) { -@@ -2899,6 +2901,7 @@ int main(int argc, char *argv[]) { - set_manager_defaults(m); - set_manager_settings(m); - manager_set_first_boot(m, first_boot); -+ manager_set_switching_root(m, arg_switched_root); - - /* Remember whether we should queue the default job */ - queue_default_job = !arg_serialization || arg_switched_root; -diff --git a/src/core/manager.c b/src/core/manager.c -index abc63a7..d3b7fc5 100644 ---- a/src/core/manager.c -+++ b/src/core/manager.c -@@ -756,6 +756,10 @@ static int manager_setup_sigchld_event_source(Manager *m) { - return 0; - } - -+void manager_set_switching_root(Manager *m, bool switching_root) { -+ m->switching_root = MANAGER_IS_SYSTEM(m) && switching_root; -+} -+ - int manager_new(UnitFileScope scope, ManagerTestRunFlags test_run_flags, Manager **_m) { - _cleanup_(manager_freep) Manager *m = NULL; - const char *e; -@@ -1799,6 +1803,8 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { - - manager_ready(m); - -+ manager_set_switching_root(m, false); -+ - return 0; - } - -diff --git a/src/core/manager.h b/src/core/manager.h -index 14a80b3..453706c 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -400,6 +400,9 @@ struct Manager { - char *switch_root; - char *switch_root_init; - -+ /* This is true before and after switching root. */ -+ bool switching_root; -+ - /* This maps all possible path prefixes to the units needing - * them. It's a hashmap with a path string as key and a Set as - * value where Unit objects are contained. */ -@@ -461,6 +464,8 @@ static inline usec_t manager_default_timeout_abort_usec(Manager *m) { - /* The objective is set to OK as soon as we enter the main loop, and set otherwise as soon as we are done with it */ - #define MANAGER_IS_RUNNING(m) ((m)->objective == MANAGER_OK) - -+#define MANAGER_IS_SWITCHING_ROOT(m) ((m)->switching_root) -+ - #define MANAGER_IS_TEST_RUN(m) ((m)->test_run_flags != 0) - - int manager_new(UnitFileScope scope, ManagerTestRunFlags test_run_flags, Manager **m); -@@ -525,6 +530,7 @@ void manager_set_show_status(Manager *m, ShowStatus mode, const char *reason); - void manager_override_show_status(Manager *m, ShowStatus mode, const char *reason); - - void manager_set_first_boot(Manager *m, bool b); -+void manager_set_switching_root(Manager *m, bool switching_root); - - void manager_status_printf(Manager *m, StatusType type, const char *status, const char *format, ...) _printf_(4,5); - --- -2.33.0 - diff --git a/backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch b/backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch deleted file mode 100644 index 4f4dfc3..0000000 --- a/backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 1bb8af46d1181a407cbc858025b85392f3af7812 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 29 Aug 2021 21:20:43 +0900 -Subject: [PATCH] core/mount: add implicit unit dependencies even if when mount - unit is generated from /proc/self/mountinfo - -Hopefully fixes #20566. - -(cherry picked from commit aebff2e7ce209fc2d75b894a3ae8b80f6f36ec11) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1bb8af46d1181a407cbc858025b85392f3af7812 ---- - src/core/mount.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/core/mount.c b/src/core/mount.c -index cde4b52731..9bec190cb6 100644 ---- a/src/core/mount.c -+++ b/src/core/mount.c -@@ -1576,6 +1576,10 @@ static int mount_setup_new_unit( - if (r < 0) - return r; - -+ r = mount_add_non_exec_dependencies(MOUNT(u)); -+ if (r < 0) -+ return r; -+ - /* This unit was generated because /proc/self/mountinfo reported it. Remember this, so that by the time we load - * the unit file for it (and thus add in extra deps right after) we know what source to attributes the deps - * to. */ --- -2.33.0 - diff --git a/backport-core-mount-namespaces-Remove-auxiliary-bind-mounts.patch b/backport-core-mount-namespaces-Remove-auxiliary-bind-mounts.patch deleted file mode 100644 index c02fa07..0000000 --- a/backport-core-mount-namespaces-Remove-auxiliary-bind-mounts.patch +++ /dev/null @@ -1,79 +0,0 @@ -From b7e5e6e85048c1a71632bc2d5efe57fb1bfe7472 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Koutn=C3=BD?= -Date: Wed, 18 Jan 2023 23:20:31 +0100 -Subject: [PATCH] core: mount namespaces: Remove auxiliary bind mounts - directory after unit termination - -Unit that requires its own mount namespace creates a temporary directory -to implement dynamic bind mounts (org.freedesktop.systemd1.Manager.BindMountUnit). -However, this directory is never removed and they will accumulate for -each unique unit (e.g. templated units of systemd-coredump@). - -Attach the auxiliary runtime directory existence to lifetime of other -"runtime" only per-unit directories. - -(cherry picked from commit b9f976fb45635e09cd709dbedd0afb03d4b73c05) -(cherry picked from commit 80e8340ec49d0da3744cdf81f82202e13b0fad3b) -(cherry picked from commit fd260cb37e3441b851c7fee4825d5b6af17f66ca) -(cherry picked from commit ff542dcd1a8c2c7cdc96b9f4b9889774b9474c26) ---- - src/core/execute.c | 17 +++++++++++++++++ - src/core/execute.h | 1 + - src/core/unit.c | 1 + - 3 files changed, 19 insertions(+) - -diff --git a/src/core/execute.c b/src/core/execute.c -index 37f63a9378..6844b1d28f 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -4978,6 +4978,23 @@ int exec_context_destroy_credentials(const ExecContext *c, const char *runtime_p - return 0; - } - -+int exec_context_destroy_mount_ns_dir(Unit *u) { -+ _cleanup_free_ char *p = NULL; -+ -+ if (!u || !MANAGER_IS_SYSTEM(u->manager)) -+ return 0; -+ -+ p = path_join("/run/systemd/propagate/", u->id); -+ if (!p) -+ return -ENOMEM; -+ -+ /* This is only filled transiently (see mount_in_namespace()), should be empty or even non-existent*/ -+ if (rmdir(p) < 0 && errno != ENOENT) -+ log_unit_debug_errno(u, errno, "Unable to remove propagation dir '%s', ignoring: %m", p); -+ -+ return 0; -+} -+ - static void exec_command_done(ExecCommand *c) { - assert(c); - -diff --git a/src/core/execute.h b/src/core/execute.h -index 47349a69a2..f1f0ee4186 100644 ---- a/src/core/execute.h -+++ b/src/core/execute.h -@@ -422,6 +422,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix); - - int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_root); - int exec_context_destroy_credentials(const ExecContext *c, const char *runtime_root, const char *unit); -+int exec_context_destroy_mount_ns_dir(Unit *u); - - const char* exec_context_fdname(const ExecContext *c, int fd_index); - -diff --git a/src/core/unit.c b/src/core/unit.c -index 0e8a01966a..0f44ea8bcd 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -5700,6 +5700,7 @@ void unit_destroy_runtime_data(Unit *u, const ExecContext *context) { - exec_context_destroy_runtime_directory(context, u->manager->prefix[EXEC_DIRECTORY_RUNTIME]); - - exec_context_destroy_credentials(context, u->manager->prefix[EXEC_DIRECTORY_RUNTIME], u->id); -+ exec_context_destroy_mount_ns_dir(u); - } - - int unit_clean(Unit *u, ExecCleanMask mask) { --- -2.27.0 - diff --git a/backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch b/backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch deleted file mode 100644 index 0406216..0000000 --- a/backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch +++ /dev/null @@ -1,53 +0,0 @@ -From eeb50421761e3ac562e96c47fb5f0f6ed622cfe1 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Fri, 21 Jan 2022 13:08:19 +0100 -Subject: [PATCH] core/namespace: allow using ProtectSubset=pid and - ProtectHostname=true together - -If a service requests both ProtectSubset=pid and ProtectHostname=true -then it will currently fail to start. The ProcSubset=pid option -instructs systemd to mount procfs for the service with subset=pid which -hides all entries other than /proc/. Consequently trying to -interact with the two files /proc/sys/kernel/{hostname,domainname} -covered by ProtectHostname=true will fail. - -Fix this by only performing this check when ProtectSubset=pid is not -requested. Essentially ProtectSubset=pid implies/provides -ProtectHostname=true. - -(cherry picked from commit 1361f015773e3b4d74e382edf1565f3315a3396b) -(cherry picked from commit a727941affa7821592d503c8a5033c92d615f64c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/eeb50421761e3ac562e96c47fb5f0f6ed622cfe1 ---- - src/core/namespace.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index e3aebe8b5e..5961b14f98 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -2115,14 +2115,19 @@ int setup_namespace( - goto finish; - } - -+ /* Note, if proc is mounted with subset=pid then neither of the -+ * two paths will exist, i.e. they are implicitly protected by -+ * the mount option. */ - if (ns_info->protect_hostname) { - *(m++) = (MountEntry) { - .path_const = "/proc/sys/kernel/hostname", - .mode = READONLY, -+ .ignore = ignore_protect_proc, - }; - *(m++) = (MountEntry) { - .path_const = "/proc/sys/kernel/domainname", - .mode = READONLY, -+ .ignore = ignore_protect_proc, - }; - } - --- -2.33.0 - diff --git a/backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch b/backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch deleted file mode 100644 index a87e2ed..0000000 --- a/backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2540b0e3e0aa3e9bc4eef39723aa869f235923dd Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Mon, 24 Jan 2022 10:12:57 +0100 -Subject: [PATCH] core/namespace: s/normalize_mounts()/drop_unused_mounts() - -Rename the normalize_mounts() helper to drop_unused_mounts. All the -helpers called in there get rid of mounts that are unused for a variety -of reasons. And whereas the helpers are aptly prefixed with "drop" the -overall helper isn't and instead uses "normalize". - -Make it more obvious what the helper actually does by renaming it from -normalize_mounts() to drop_unused_mounts(). Readers of code calling this -helper will immediately see that it will get rid of unused mounts. - -Link: https://github.com/systemd/systemd/issues/22206 -(cherry picked from commit fbf90c0d5cadc5d1e95485f770f45a7d4cd39daa) -(cherry picked from commit 09936a7ec92c859b3c4c9520ecd49c2909a8b35c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2540b0e3e0aa3e9bc4eef39723aa869f235923dd ---- - src/core/namespace.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index 5961b14f98..a6c6963bb7 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -1578,7 +1578,14 @@ static size_t namespace_calculate_mounts( - ns_info->private_ipc; /* /dev/mqueue */ - } - --static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) { -+/* Walk all mount entries and dropping any unused mounts. This affects all -+ * mounts: -+ * - that are implicitly protected by a path that has been rendered inaccessible -+ * - whose immediate parent requests the same protection mode as the mount itself -+ * - that are outside of the relevant root directory -+ * - which are duplicates -+ */ -+static void drop_unused_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) { - assert(root_directory); - assert(n_mounts); - assert(mounts || *n_mounts == 0); -@@ -1659,7 +1666,7 @@ static int apply_mounts( - if (!again) - break; - -- normalize_mounts(root, mounts, n_mounts); -+ drop_unused_mounts(root, mounts, n_mounts); - } - - /* Create a deny list we can pass to bind_mount_recursive() */ -@@ -2208,7 +2215,7 @@ int setup_namespace( - if (r < 0) - goto finish; - -- normalize_mounts(root, mounts, &n_mounts); -+ drop_unused_mounts(root, mounts, &n_mounts); - } - - /* All above is just preparation, figuring out what to do. Let's now actually start doing something. */ --- -2.33.0 - diff --git a/backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch b/backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch deleted file mode 100644 index 038642f..0000000 --- a/backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 84ec6a0043f7a447157753fb12e991ebce6e14b7 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 27 Oct 2021 23:08:58 +0200 -Subject: [PATCH] core: normalize 'r' variable handling in - unit_attach_pids_to_cgroup() a bit - -The 'r' variable is our "go-to" variable for error return codes, all -across our codebase. In unit_attach_pids_to_cgroup() it was so far used -in a strange way for most of the function: instead of directly storing -the error codes of functions we call we'd store it in a local variable -'q' instead, and propagate it to 'r' only in some cases finally we'd -return the ultimate result of 'r'. - -Let's normalize this a bit: let's always store error return values in -'r', and then use 'ret' as the variable to sometimes propagate errors -to, and then return that. - -This also allows us to get rid of one local variable. - -No actual codeflow changes, just some renaming of variables that allows -us to remove one. - -(cherry picked from commit db4229d12f48663400802171b336c7cadbbe04ef) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/84ec6a0043f7a447157753fb12e991ebce6e14b7 ---- - src/core/cgroup.c | 38 +++++++++++++++++++------------------- - 1 file changed, 19 insertions(+), 19 deletions(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 5c07aa71d1..1551d57e90 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -2137,7 +2137,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - CGroupMask delegated_mask; - const char *p; - void *pidp; -- int r, q; -+ int ret, r; - - assert(u); - -@@ -2164,16 +2164,16 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - - delegated_mask = unit_get_delegate_mask(u); - -- r = 0; -+ ret = 0; - SET_FOREACH(pidp, pids) { - pid_t pid = PTR_TO_PID(pidp); - - /* First, attach the PID to the main cgroup hierarchy */ -- q = cg_attach(SYSTEMD_CGROUP_CONTROLLER, p, pid); -- if (q < 0) { -- bool again = MANAGER_IS_USER(u->manager) && ERRNO_IS_PRIVILEGE(q); -+ r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, p, pid); -+ if (r < 0) { -+ bool again = MANAGER_IS_USER(u->manager) && ERRNO_IS_PRIVILEGE(r); - -- log_unit_full_errno(u, again ? LOG_DEBUG : LOG_INFO, q, -+ log_unit_full_errno(u, again ? LOG_DEBUG : LOG_INFO, r, - "Couldn't move process "PID_FMT" to%s requested cgroup '%s': %m", - pid, again ? " directly" : "", empty_to_root(p)); - -@@ -2192,16 +2192,16 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - continue; /* When the bus thing worked via the bus we are fully done for this PID. */ - } - -- if (r >= 0) -- r = q; /* Remember first error */ -+ if (ret >= 0) -+ ret = r; /* Remember first error */ - - continue; - } - -- q = cg_all_unified(); -- if (q < 0) -- return q; -- if (q > 0) -+ r = cg_all_unified(); -+ if (r < 0) -+ return r; -+ if (r > 0) - continue; - - /* In the legacy hierarchy, attach the process to the request cgroup if possible, and if not to the -@@ -2216,11 +2216,11 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - - /* If this controller is delegated and realized, honour the caller's request for the cgroup suffix. */ - if (delegated_mask & u->cgroup_realized_mask & bit) { -- q = cg_attach(cgroup_controller_to_string(c), p, pid); -- if (q >= 0) -+ r = cg_attach(cgroup_controller_to_string(c), p, pid); -+ if (r >= 0) - continue; /* Success! */ - -- log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to requested cgroup %s in controller %s, falling back to unit's cgroup: %m", -+ log_unit_debug_errno(u, r, "Failed to attach PID " PID_FMT " to requested cgroup %s in controller %s, falling back to unit's cgroup: %m", - pid, empty_to_root(p), cgroup_controller_to_string(c)); - } - -@@ -2231,14 +2231,14 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - if (!realized) - continue; /* Not even realized in the root slice? Then let's not bother */ - -- q = cg_attach(cgroup_controller_to_string(c), realized, pid); -- if (q < 0) -- log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to realized cgroup %s in controller %s, ignoring: %m", -+ r = cg_attach(cgroup_controller_to_string(c), realized, pid); -+ if (r < 0) -+ log_unit_debug_errno(u, r, "Failed to attach PID " PID_FMT " to realized cgroup %s in controller %s, ignoring: %m", - pid, realized, cgroup_controller_to_string(c)); - } - } - -- return r; -+ return ret; - } - - static bool unit_has_mask_realized( --- -2.33.0 - diff --git a/backport-core-only-refuse-Type-dbus-service-enqueuing-if-dbus.patch b/backport-core-only-refuse-Type-dbus-service-enqueuing-if-dbus.patch index 5542dac..43eb3b7 100644 --- a/backport-core-only-refuse-Type-dbus-service-enqueuing-if-dbus.patch +++ b/backport-core-only-refuse-Type-dbus-service-enqueuing-if-dbus.patch @@ -1,4 +1,4 @@ -From fe432460c2ecbd3dd7f0fa16278b9d4ca57a0de3 Mon Sep 17 00:00:00 2001 +From bee6e755bb8e53a7a436e221b015ce0232ed87c0 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Wed, 10 May 2023 13:54:15 +0800 Subject: [PATCH] core: only refuse Type=dbus service enqueuing if dbus has @@ -33,22 +33,14 @@ What we can support is: Replaces #27590 Fixes #27588 --- - src/core/dbus-unit.c | 32 +++++++++++++++++++++++++------- - 1 file changed, 25 insertions(+), 7 deletions(-) + src/core/dbus-unit.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c -index 295e271..24e4d25 100644 +index 5b89c76586..59d541ebfe 100644 --- a/src/core/dbus-unit.c +++ b/src/core/dbus-unit.c -@@ -1849,6 +1849,7 @@ int bus_unit_queue_job( - sd_bus_error *error) { - - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; -+ const char *dbus_unit; - int r; - - assert(message); -@@ -1879,13 +1880,30 @@ int bus_unit_queue_job( +@@ -1875,13 +1875,30 @@ int bus_unit_queue_job( (type == JOB_STOP && u->refuse_manual_stop) || (IN_SET(type, JOB_RESTART, JOB_TRY_RESTART) && (u->refuse_manual_start || u->refuse_manual_stop)) || (type == JOB_RELOAD_OR_START && job_type_collapse(type, u) == JOB_START && u->refuse_manual_start)) diff --git a/backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch b/backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch deleted file mode 100644 index 0b72004..0000000 --- a/backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch +++ /dev/null @@ -1,54 +0,0 @@ -From b17f9c7c8db6959227cebf1b30ed1698d024382e Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Fri, 18 Feb 2022 10:06:24 +0100 -Subject: [PATCH] core: really skip automatic restart when a JOB_STOP job is - pending - -It's not clear why we rescheduled a service auto restart while a stop job for -the unit was pending. The comment claims that the unit shouldn't be restarted -but the code did reschedule an auto restart meanwhile. - -In practice that was rarely an issue because the service waited for the next -auto restart to be rescheduled, letting the queued stop job to be proceed and -service_stop() to be called preventing the next restart to complete. - -However when RestartSec=0, the timer expired right away making PID1 to -reschedule the unit again, making the timer expired right away... and so -on. This busy loop prevented PID1 to handle any queued jobs (and hence giving -no chance to the start rate limiting to trigger), which made the busy loop last -forever. - -This patch breaks this loop by skipping the reschedule of the unit auto restart -and hence not depending on the value of u->restart_usec anymore. - -Fixes: #13667 -(cherry picked from commit c972880640ee19e89ce9265d8eae1b3aae190332) -(cherry picked from commit 2198c08d0786c5cec1b39283831969b2cc1adf40) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b17f9c7c8db6959227cebf1b30ed1698d024382e ---- - src/core/service.c | 7 +------ - 1 file changed, 1 insertion(+), 6 deletions(-) - -diff --git a/src/core/service.c b/src/core/service.c -index a480edc439..21bf3dc28c 100644 ---- a/src/core/service.c -+++ b/src/core/service.c -@@ -2267,12 +2267,7 @@ static void service_enter_restart(Service *s) { - - if (unit_has_job_type(UNIT(s), JOB_STOP)) { - /* Don't restart things if we are going down anyway */ -- log_unit_info(UNIT(s), "Stop job pending for unit, delaying automatic restart."); -- -- r = service_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->restart_usec)); -- if (r < 0) -- goto fail; -- -+ log_unit_info(UNIT(s), "Stop job pending for unit, skipping automatic restart."); - return; - } - --- -2.33.0 - diff --git a/backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch b/backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch deleted file mode 100644 index 0996f58..0000000 --- a/backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch +++ /dev/null @@ -1,34 +0,0 @@ -From af8d87d6bc8506629f1e73599ccdc4b8f8eaa6c8 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Wed, 19 Jan 2022 00:08:57 +0000 -Subject: [PATCH] core: refuse to mount ExtensionImages if the base layer - doesn't at least have ID in os-release - -We can't match an extension if we don't at least have an ID, -so refuse to continue - -(cherry picked from commit 78ab2b5064a0f87579ce5430f9cb83bba0db069a) -(cherry picked from commit 179bd47f04c538ed1f2c1de2cf2c18f17b027a51) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/af8d87d6bc8506629f1e73599ccdc4b8f8eaa6c8 ---- - src/core/namespace.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index b933d46cf6..e3aebe8b5e 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -1151,6 +1151,8 @@ static int mount_image(const MountEntry *m, const char *root_directory) { - NULL); - if (r < 0) - return log_debug_errno(r, "Failed to acquire 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); -+ if (isempty(host_os_release_id)) -+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "'ID' field not found or empty in 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); - } - - r = verity_dissect_and_mount( --- -2.33.0 - diff --git a/backport-core-replace-m-honor_device_enumeration-with-MANAGER.patch b/backport-core-replace-m-honor_device_enumeration-with-MANAGER.patch deleted file mode 100644 index 98c27fa..0000000 --- a/backport-core-replace-m-honor_device_enumeration-with-MANAGER.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 7870de03c52982290f9b8ae11eb4d89db66f4be3 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Thu, 5 May 2022 11:11:57 +0200 -Subject: [PATCH] core: replace m->honor_device_enumeration with - MANAGER_IS_SWITCHING_ROOT() - ---- - src/core/device.c | 7 +++---- - src/core/manager.c | 21 +-------------------- - src/core/manager.h | 2 -- - 3 files changed, 4 insertions(+), 26 deletions(-) - -diff --git a/src/core/device.c b/src/core/device.c -index d9669e3..0bca0ff 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -189,9 +189,8 @@ static int device_coldplug(Unit *u) { - * OPTIONS="db_persist". Hence, almost no devices are enumerated in the step 2. However, in general, - * we have several serialized devices. So, DEVICE_FOUND_UDEV bit in the deserialized_found must be - * ignored, as udev rules in initramfs and the main system are often different. If the deserialized -- * state is DEVICE_PLUGGED, we need to downgrade it to DEVICE_TENTATIVE (or DEVICE_DEAD if nobody -- * sees the device). Unlike the other starting mode, Manager.honor_device_enumeration == false -- * (maybe, it is better to rename the flag) when device_coldplug() and device_catchup() are called. -+ * state is DEVICE_PLUGGED, we need to downgrade it to DEVICE_TENTATIVE. Unlike the other starting -+ * mode, MANAGER_IS_SWITCHING_ROOT() is true when device_coldplug() and device_catchup() are called. - * Hence, let's conditionalize the operations by using the flag. After switch-root, systemd-udevd - * will (re-)process all devices, and the Device.found and Device.state will be adjusted. - * -@@ -199,7 +198,7 @@ static int device_coldplug(Unit *u) { - * Of course, deserialized parameters may be outdated, but the unit state can be adjusted later by - * device_catchup() or uevents. */ - -- if (!m->honor_device_enumeration && !MANAGER_IS_USER(m) && -+ if (MANAGER_IS_SWITCHING_ROOT(m) && - !FLAGS_SET(d->enumerated_found, DEVICE_FOUND_UDEV)) { - found &= ~DEVICE_FOUND_UDEV; /* ignore DEVICE_FOUND_UDEV bit */ - if (state == DEVICE_PLUGGED) -diff --git a/src/core/manager.c b/src/core/manager.c -index 5ed7191..91e9b2a 100644 ---- a/src/core/manager.c -+++ b/src/core/manager.c -@@ -1689,8 +1689,6 @@ static void manager_ready(Manager *m) { - - /* Let's finally catch up with any changes that took place while we were reloading/reexecing */ - manager_catchup(m); -- -- m->honor_device_enumeration = true; - } - - static Manager* manager_reloading_start(Manager *m) { -@@ -3259,9 +3257,6 @@ int manager_serialize( - (void) serialize_bool(f, "taint-logged", m->taint_logged); - (void) serialize_bool(f, "service-watchdogs", m->service_watchdogs); - -- /* After switching root, udevd has not been started yet. So, enumeration results should not be emitted. */ -- (void) serialize_bool(f, "honor-device-enumeration", !switching_root); -- - if (m->show_status_overridden != _SHOW_STATUS_INVALID) - (void) serialize_item(f, "show-status-overridden", - show_status_to_string(m->show_status_overridden)); -@@ -3635,15 +3630,6 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { - else - m->service_watchdogs = b; - -- } else if ((val = startswith(l, "honor-device-enumeration="))) { -- int b; -- -- b = parse_boolean(val); -- if (b < 0) -- log_notice("Failed to parse honor-device-enumeration flag '%s', ignoring.", val); -- else -- m->honor_device_enumeration = b; -- - } else if ((val = startswith(l, "show-status-overridden="))) { - ShowStatus s; - -@@ -3767,7 +3753,7 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { - - if (q < _MANAGER_TIMESTAMP_MAX) /* found it */ - (void) deserialize_dual_timestamp(val, m->timestamps + q); -- else if (!startswith(l, "kdbus-fd=")) /* ignore kdbus */ -+ else if (!STARTSWITH_SET(l, "kdbus-fd=", "honor-device-enumeration=")) /* ignore deprecated values */ - log_notice("Unknown serialization item '%s', ignoring.", l); - } - } -@@ -3860,11 +3846,6 @@ int manager_reload(Manager *m) { - assert(m->n_reloading > 0); - m->n_reloading--; - -- /* On manager reloading, device tag data should exists, thus, we should honor the results of device -- * enumeration. The flag should be always set correctly by the serialized data, but it may fail. So, -- * let's always set the flag here for safety. */ -- m->honor_device_enumeration = true; -- - manager_ready(m); - - m->send_reloading_done = true; -diff --git a/src/core/manager.h b/src/core/manager.h -index 453706c..67c204f 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -442,8 +442,6 @@ struct Manager { - unsigned sigchldgen; - unsigned notifygen; - -- bool honor_device_enumeration; -- - VarlinkServer *varlink_server; - /* Only systemd-oomd should be using this to subscribe to changes in ManagedOOM settings */ - Varlink *managed_oom_varlink_request; --- -2.33.0 - diff --git a/backport-core-replace-slice-dependencies-as-they-get-added.patch b/backport-core-replace-slice-dependencies-as-they-get-added.patch deleted file mode 100644 index 158be33..0000000 --- a/backport-core-replace-slice-dependencies-as-they-get-added.patch +++ /dev/null @@ -1,178 +0,0 @@ -From b68731eeb692a4cfcdf5790ae118ebf21d827301 Mon Sep 17 00:00:00 2001 -From: Anita Zhang -Date: Tue, 9 Nov 2021 15:26:28 -0800 -Subject: [PATCH] core: replace slice dependencies as they get added - -Defines a "UNIT_DEPENDENCY_SLICE_PROPERTY" UnitDependencyMask type that -is used when adding slices to the dependencies hashmap. This type is -used to remove slice dependencies when they get overridden by new ones. - -Fixes #20182 - -Reference:https://github.com/systemd/systemd/commit/899acf5c2d4b89caa891d05ccfa4be828a999c2d -Conflict: NA ---- - src/core/dbus-unit.c | 2 +- - src/core/load-fragment.c | 2 +- - src/core/unit-serialize.c | 1 + - src/core/unit.c | 10 +++++++--- - src/core/unit.h | 7 +++++-- - src/test/test-engine.c | 31 ++++++++++++++++++++++++++++++- - 6 files changed, 45 insertions(+), 8 deletions(-) - -diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c -index aa10939..c42ae5e 100644 ---- a/src/core/dbus-unit.c -+++ b/src/core/dbus-unit.c -@@ -2272,7 +2272,7 @@ static int bus_unit_set_transient_property( - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unit name '%s' is not a slice", s); - - if (!UNIT_WRITE_FLAGS_NOOP(flags)) { -- r = unit_set_slice(u, slice, UNIT_DEPENDENCY_FILE); -+ r = unit_set_slice(u, slice); - if (r < 0) - return r; - -diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 399a759..3f5d6d3 100644 ---- a/src/core/load-fragment.c -+++ b/src/core/load-fragment.c -@@ -3575,7 +3575,7 @@ int config_parse_unit_slice( - return 0; - } - -- r = unit_set_slice(u, slice, UNIT_DEPENDENCY_FILE); -+ r = unit_set_slice(u, slice); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to assign slice %s to unit %s, ignoring: %m", slice->id, u->id); - return 0; -diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c -index 689a536..3544f18 100644 ---- a/src/core/unit-serialize.c -+++ b/src/core/unit-serialize.c -@@ -571,6 +571,7 @@ static void print_unit_dependency_mask(FILE *f, const char *kind, UnitDependency - { UNIT_DEPENDENCY_MOUNTINFO_IMPLICIT, "mountinfo-implicit" }, - { UNIT_DEPENDENCY_MOUNTINFO_DEFAULT, "mountinfo-default" }, - { UNIT_DEPENDENCY_PROC_SWAP, "proc-swap" }, -+ { UNIT_DEPENDENCY_SLICE_PROPERTY, "slice-property" }, - }; - - assert(f); -diff --git a/src/core/unit.c b/src/core/unit.c -index ffcf8eb..bff0527 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -3267,7 +3267,7 @@ reset: - return r; - } - --int unit_set_slice(Unit *u, Unit *slice, UnitDependencyMask mask) { -+int unit_set_slice(Unit *u, Unit *slice) { - int r; - - assert(u); -@@ -3300,7 +3300,11 @@ int unit_set_slice(Unit *u, Unit *slice, UnitDependencyMask mask) { - if (UNIT_GET_SLICE(u) && u->cgroup_realized) - return -EBUSY; - -- r = unit_add_dependency(u, UNIT_IN_SLICE, slice, true, mask); -+ /* Remove any slices assigned prior; we should only have one UNIT_IN_SLICE dependency */ -+ if (UNIT_GET_SLICE(u)) -+ unit_remove_dependencies(u, UNIT_DEPENDENCY_SLICE_PROPERTY); -+ -+ r = unit_add_dependency(u, UNIT_IN_SLICE, slice, true, UNIT_DEPENDENCY_SLICE_PROPERTY); - if (r < 0) - return r; - -@@ -3353,7 +3357,7 @@ int unit_set_default_slice(Unit *u) { - if (r < 0) - return r; - -- return unit_set_slice(u, slice, UNIT_DEPENDENCY_FILE); -+ return unit_set_slice(u, slice); - } - - const char *unit_slice_name(Unit *u) { -diff --git a/src/core/unit.h b/src/core/unit.h -index 759104f..6dc2bcb 100644 ---- a/src/core/unit.h -+++ b/src/core/unit.h -@@ -88,7 +88,10 @@ typedef enum UnitDependencyMask { - /* A dependency created because of data read from /proc/swaps and no other configuration source */ - UNIT_DEPENDENCY_PROC_SWAP = 1 << 7, - -- _UNIT_DEPENDENCY_MASK_FULL = (1 << 8) - 1, -+ /* A dependency for units in slices assigned by directly setting Slice= */ -+ UNIT_DEPENDENCY_SLICE_PROPERTY = 1 << 8, -+ -+ _UNIT_DEPENDENCY_MASK_FULL = (1 << 9) - 1, - } UnitDependencyMask; - - /* The Unit's dependencies[] hashmaps use this structure as value. It has the same size as a void pointer, and thus can -@@ -761,7 +764,7 @@ Unit *unit_follow_merge(Unit *u) _pure_; - int unit_load_fragment_and_dropin(Unit *u, bool fragment_required); - int unit_load(Unit *unit); - --int unit_set_slice(Unit *u, Unit *slice, UnitDependencyMask mask); -+int unit_set_slice(Unit *u, Unit *slice); - int unit_set_default_slice(Unit *u); - - const char *unit_description(Unit *u) _pure_; -diff --git a/src/test/test-engine.c b/src/test/test-engine.c -index 6dc1619..1ac15a8 100644 ---- a/src/test/test-engine.c -+++ b/src/test/test-engine.c -@@ -8,6 +8,7 @@ - #include "manager-dump.h" - #include "rm-rf.h" - #include "service.h" -+#include "slice.h" - #include "special.h" - #include "strv.h" - #include "tests.h" -@@ -75,7 +76,8 @@ int main(int argc, char *argv[]) { - _cleanup_(sd_bus_error_free) sd_bus_error err = SD_BUS_ERROR_NULL; - _cleanup_(manager_freep) Manager *m = NULL; - Unit *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL, *g = NULL, -- *h = NULL, *i = NULL, *a_conj = NULL, *unit_with_multiple_dashes = NULL, *stub = NULL; -+ *h = NULL, *i = NULL, *a_conj = NULL, *unit_with_multiple_dashes = NULL, *stub = NULL, -+ *tomato = NULL, *sauce = NULL, *fruit = NULL, *zupa = NULL; - Job *j; - int r; - -@@ -260,5 +262,32 @@ int main(int argc, char *argv[]) { - - verify_dependency_atoms(); - -+ /* Test adding multiple Slice= dependencies; only the last should remain */ -+ assert_se(unit_new_for_name(m, sizeof(Service), "tomato.service", &tomato) >= 0); -+ assert_se(unit_new_for_name(m, sizeof(Slice), "sauce.slice", &sauce) >= 0); -+ assert_se(unit_new_for_name(m, sizeof(Slice), "fruit.slice", &fruit) >= 0); -+ assert_se(unit_new_for_name(m, sizeof(Slice), "zupa.slice", &zupa) >= 0); -+ -+ unit_set_slice(tomato, sauce); -+ unit_set_slice(tomato, fruit); -+ unit_set_slice(tomato, zupa); -+ -+ assert_se(UNIT_GET_SLICE(tomato) == zupa); -+ assert_se(!unit_has_dependency(tomato, UNIT_ATOM_IN_SLICE, sauce)); -+ assert_se(!unit_has_dependency(tomato, UNIT_ATOM_IN_SLICE, fruit)); -+ assert_se(unit_has_dependency(tomato, UNIT_ATOM_IN_SLICE, zupa)); -+ -+ assert_se(!unit_has_dependency(tomato, UNIT_ATOM_REFERENCES, sauce)); -+ assert_se(!unit_has_dependency(tomato, UNIT_ATOM_REFERENCES, fruit)); -+ assert_se(unit_has_dependency(tomato, UNIT_ATOM_REFERENCES, zupa)); -+ -+ assert_se(!unit_has_dependency(sauce, UNIT_ATOM_SLICE_OF, tomato)); -+ assert_se(!unit_has_dependency(fruit, UNIT_ATOM_SLICE_OF, tomato)); -+ assert_se(unit_has_dependency(zupa, UNIT_ATOM_SLICE_OF, tomato)); -+ -+ assert_se(!unit_has_dependency(sauce, UNIT_ATOM_REFERENCED_BY, tomato)); -+ assert_se(!unit_has_dependency(fruit, UNIT_ATOM_REFERENCED_BY, tomato)); -+ assert_se(unit_has_dependency(zupa, UNIT_ATOM_REFERENCED_BY, tomato)); -+ - return 0; - } --- -1.8.3.1 - diff --git a/backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch b/backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch deleted file mode 100644 index b5477b1..0000000 --- a/backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d36785b19b10ec04ae7b87cdb402de4126e17bca Mon Sep 17 00:00:00 2001 -From: Andreas Rammhold -Date: Mon, 26 Jul 2021 16:57:43 +0200 -Subject: [PATCH] core: respect install_sysconfdir_samples in meson file - -The refactoring done in e11a25cadbe caused the configuration files to be -installed into the pkgsysconfdir regardless of the state of the -install_sysconfdir_samples boolean that indicates whether or not the -sample files should be installed. - -(cherry picked from commit cfd760b6a77808d0b9451ed618a23b6259fe525f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d36785b19b10ec04ae7b87cdb402de4126e17bca ---- - src/core/meson.build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/meson.build b/src/core/meson.build -index f0d2c6f642..c66538eab1 100644 ---- a/src/core/meson.build -+++ b/src/core/meson.build -@@ -193,7 +193,7 @@ foreach item : in_files - output: file, - command : [meson_render_jinja2, config_h, '@INPUT@'], - capture : true, -- install : dir != 'no', -+ install : (dir == pkgsysconfdir and install_sysconfdir_samples) or (dir != pkgsysconfdir and dir != 'no'), - install_dir : dir) - endforeach - --- -2.33.0 - diff --git a/backport-core-service-also-check-path-in-exec-commands.patch b/backport-core-service-also-check-path-in-exec-commands.patch deleted file mode 100644 index f7d6552..0000000 --- a/backport-core-service-also-check-path-in-exec-commands.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b3978cf401306a793c7531299a5e9b3c63e53a27 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 6 Oct 2021 00:19:41 +0900 -Subject: [PATCH] core/service: also check path in exec commands - -(cherry picked from commit 8688a389cabdff61efe187bb85cc1776de03c460) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b3978cf401306a793c7531299a5e9b3c63e53a27 ---- - src/core/service.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/core/service.c b/src/core/service.c -index e061d488c7..701c145565 100644 ---- a/src/core/service.c -+++ b/src/core/service.c -@@ -551,11 +551,17 @@ static int service_verify(Service *s) { - for (ServiceExecCommand c = 0; c < _SERVICE_EXEC_COMMAND_MAX; c++) { - ExecCommand *command; - -- LIST_FOREACH(command, command, s->exec_command[c]) -+ LIST_FOREACH(command, command, s->exec_command[c]) { -+ if (!path_is_absolute(command->path) && !filename_is_valid(command->path)) -+ return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), -+ "Service %s= binary path \"%s\" is neither a valid executable name nor an absolute path. Refusing.", -+ command->path, -+ service_exec_command_to_string(c)); - if (strv_isempty(command->argv)) - return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), - "Service has an empty argv in %s=. Refusing.", - service_exec_command_to_string(c)); -+ } - } - - if (!s->exec_command[SERVICE_EXEC_START] && !s->exec_command[SERVICE_EXEC_STOP] && --- -2.33.0 - diff --git a/backport-core-slice-make-slice_freezer_action-return-0-if-fre.patch b/backport-core-slice-make-slice_freezer_action-return-0-if-fre.patch deleted file mode 100644 index 08a96a1..0000000 --- a/backport-core-slice-make-slice_freezer_action-return-0-if-fre.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4617bad0a3b5d8026243cb4e72a5cae25ca106f0 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 6 May 2022 14:01:22 +0900 -Subject: [PATCH] core/slice: make slice_freezer_action() return 0 if freezing - state is unchanged - -Fixes #23278. - -(cherry picked from commit d171e72e7afa11b238ba20758384d223b0c76e39) ---- - src/core/slice.c | 6 +----- - src/core/unit.c | 2 ++ - 2 files changed, 3 insertions(+), 5 deletions(-) - -diff --git a/src/core/slice.c b/src/core/slice.c -index 2e43c00119..c453aa033e 100644 ---- a/src/core/slice.c -+++ b/src/core/slice.c -@@ -389,11 +389,7 @@ static int slice_freezer_action(Unit *s, FreezerAction action) { - return r; - } - -- r = unit_cgroup_freezer_action(s, action); -- if (r < 0) -- return r; -- -- return 1; -+ return unit_cgroup_freezer_action(s, action); - } - - static int slice_freeze(Unit *s) { -diff --git a/src/core/unit.c b/src/core/unit.c -index b233aca28c..3bceba1317 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -5831,6 +5831,8 @@ static int unit_freezer_action(Unit *u, FreezerAction action) { - if (r <= 0) - return r; - -+ assert(IN_SET(u->freezer_state, FREEZER_FREEZING, FREEZER_THAWING)); -+ - return 1; - } - --- -2.33.0 - diff --git a/backport-core-timer-fix-memleak.patch b/backport-core-timer-fix-memleak.patch deleted file mode 100644 index 2d04881..0000000 --- a/backport-core-timer-fix-memleak.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 82362b16ac842fc38340d21ebf39b259c5edaed3 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 10 May 2022 14:09:24 +0900 -Subject: [PATCH] core/timer: fix memleak - -Fixes #23326. - -(cherry picked from commit d3ab7b8078944db28bc621f43dd942a3c878fffb) ---- - src/core/timer.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/src/core/timer.c b/src/core/timer.c -index a13b864741..0dc49dd46b 100644 ---- a/src/core/timer.c -+++ b/src/core/timer.c -@@ -135,6 +135,7 @@ static int timer_add_trigger_dependencies(Timer *t) { - } - - static int timer_setup_persistent(Timer *t) { -+ _cleanup_free_ char *stamp_path = NULL; - int r; - - assert(t); -@@ -148,13 +149,13 @@ static int timer_setup_persistent(Timer *t) { - if (r < 0) - return r; - -- t->stamp_path = strjoin("/var/lib/systemd/timers/stamp-", UNIT(t)->id); -+ stamp_path = strjoin("/var/lib/systemd/timers/stamp-", UNIT(t)->id); - } else { - const char *e; - - e = getenv("XDG_DATA_HOME"); - if (e) -- t->stamp_path = strjoin(e, "/systemd/timers/stamp-", UNIT(t)->id); -+ stamp_path = strjoin(e, "/systemd/timers/stamp-", UNIT(t)->id); - else { - - _cleanup_free_ char *h = NULL; -@@ -163,14 +164,14 @@ static int timer_setup_persistent(Timer *t) { - if (r < 0) - return log_unit_error_errno(UNIT(t), r, "Failed to determine home directory: %m"); - -- t->stamp_path = strjoin(h, "/.local/share/systemd/timers/stamp-", UNIT(t)->id); -+ stamp_path = strjoin(h, "/.local/share/systemd/timers/stamp-", UNIT(t)->id); - } - } - -- if (!t->stamp_path) -+ if (!stamp_path) - return log_oom(); - -- return 0; -+ return free_and_replace(t->stamp_path, stamp_path); - } - - static uint64_t timer_get_fixed_delay_hash(Timer *t) { --- -2.33.0 - diff --git a/backport-core-timer-fix-potential-use-after-free.patch b/backport-core-timer-fix-potential-use-after-free.patch deleted file mode 100644 index fc0569e..0000000 --- a/backport-core-timer-fix-potential-use-after-free.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 38410e13ec9b1b67364f2f0af3b27d9e934bcd96 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 10 May 2022 14:10:17 +0900 -Subject: [PATCH] core/timer: fix potential use-after-free - -(cherry picked from commit 756491af392a99c4286d876b0041535e50df80ad) ---- - src/core/timer.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/timer.c b/src/core/timer.c -index 0dc49dd46b..b439802bc2 100644 ---- a/src/core/timer.c -+++ b/src/core/timer.c -@@ -68,7 +68,7 @@ static void timer_done(Unit *u) { - t->monotonic_event_source = sd_event_source_disable_unref(t->monotonic_event_source); - t->realtime_event_source = sd_event_source_disable_unref(t->realtime_event_source); - -- free(t->stamp_path); -+ t->stamp_path = mfree(t->stamp_path); - } - - static int timer_verify(Timer *t) { --- -2.33.0 - diff --git a/backport-core-unit-drop-dependency-to-the-unit-being-merged.patch b/backport-core-unit-drop-dependency-to-the-unit-being-merged.patch deleted file mode 100644 index da217a1..0000000 --- a/backport-core-unit-drop-dependency-to-the-unit-being-merged.patch +++ /dev/null @@ -1,65 +0,0 @@ -From c8b3b524134539846917269ddd644ee93a35623f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 16 Nov 2022 03:08:22 +0900 -Subject: [PATCH] core/unit: drop dependency to the unit being merged - -Fixes a bug in 15ed3c3a188cf7fa5a60ae508fc7a3ed048d2220. - -Fixes #24990. Also, hopefully fixes #24577. ---- - src/core/unit.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index 36e3afd7fb..1a580157af 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -1044,10 +1044,10 @@ static int unit_add_dependency_hashmap( - return unit_per_dependency_type_hashmap_update(per_type, other, origin_mask, destination_mask); - } - --static void unit_merge_dependencies( -- Unit *u, -- Unit *other) { -- -+static void unit_merge_dependencies(Unit *u, Unit *other) { -+ Hashmap *deps; -+ void *dt; /* Actually of type UnitDependency, except that we don't bother casting it here, -+ * since the hashmaps all want it as void pointer. */ - int r; - - assert(u); -@@ -1056,12 +1056,19 @@ static void unit_merge_dependencies( - if (u == other) - return; - -+ /* First, remove dependency to other. */ -+ HASHMAP_FOREACH_KEY(deps, dt, u->dependencies) { -+ if (hashmap_remove(deps, other)) -+ unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); -+ -+ if (hashmap_isempty(deps)) -+ hashmap_free(hashmap_remove(u->dependencies, dt)); -+ } -+ - for (;;) { - _cleanup_(hashmap_freep) Hashmap *other_deps = NULL; - UnitDependencyInfo di_back; - Unit *back; -- void *dt; /* Actually of type UnitDependency, except that we don't bother casting it here, -- * since the hashmaps all want it as void pointer. */ - - /* Let's focus on one dependency type at a time, that 'other' has defined. */ - other_deps = hashmap_steal_first_key_and_value(other->dependencies, &dt); -@@ -1103,8 +1110,6 @@ static void unit_merge_dependencies( - * them per type wholesale. */ - r = hashmap_put(u->dependencies, dt, other_deps); - if (r == -EEXIST) { -- Hashmap *deps; -- - /* The target unit already has dependencies of this type, let's then merge this individually. */ - - assert_se(deps = hashmap_get(u->dependencies, dt)); --- -2.27.0 - diff --git a/backport-core-unit-fix-log-message.patch b/backport-core-unit-fix-log-message.patch deleted file mode 100644 index b6b44e1..0000000 --- a/backport-core-unit-fix-log-message.patch +++ /dev/null @@ -1,112 +0,0 @@ -From ed9911630e4bca844381d7caeb850dad9a9fa122 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 15 Nov 2022 22:59:01 +0900 -Subject: [PATCH] core/unit: fix log message - -As you can see in the below, the dropped dependency Before=issue-24990.service -is not logged, but the dependency Before=test1.service which is not owned by -the units generated by the TEST-26 is logged. - -Before: -systemd[1]: issue-24990.service: Dependency After=test1.service dropped, merged into issue-24990.service -systemd[1]: issue-24990.service: Dependency Before=test1.service dropped, merged into issue-24990.service - -After: -systemd[1]: issue-24990.service: Dependency After=test1.service is dropped, as test1.service is merged into issue-24990.service. -systemd[1]: issue-24990.service: Dependency Before=issue-24990.service in test1.service is dropped, as test1.service is merged into issue-24990.service. ---- - src/core/unit.c | 49 ++++++++++++++++++++++--------------------------- - 1 file changed, 22 insertions(+), 27 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index ea09416be5..988ba8e34a 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -937,29 +937,17 @@ static int unit_reserve_dependencies(Unit *u, Unit *other) { - return 0; - } - --static void unit_maybe_warn_about_dependency( -- Unit *u, -- const char *other_id, -- UnitDependency dependency) { -- -- assert(u); -- -+static bool unit_should_warn_about_dependency(UnitDependency dependency) { - /* Only warn about some unit types */ -- if (!IN_SET(dependency, -- UNIT_CONFLICTS, -- UNIT_CONFLICTED_BY, -- UNIT_BEFORE, -- UNIT_AFTER, -- UNIT_ON_SUCCESS, -- UNIT_ON_FAILURE, -- UNIT_TRIGGERS, -- UNIT_TRIGGERED_BY)) -- return; -- -- if (streq_ptr(u->id, other_id)) -- log_unit_warning(u, "Dependency %s=%s dropped", unit_dependency_to_string(dependency), u->id); -- else -- log_unit_warning(u, "Dependency %s=%s dropped, merged into %s", unit_dependency_to_string(dependency), strna(other_id), u->id); -+ return IN_SET(dependency, -+ UNIT_CONFLICTS, -+ UNIT_CONFLICTED_BY, -+ UNIT_BEFORE, -+ UNIT_AFTER, -+ UNIT_ON_SUCCESS, -+ UNIT_ON_FAILURE, -+ UNIT_TRIGGERS, -+ UNIT_TRIGGERED_BY); - } - - static int unit_per_dependency_type_hashmap_update( -@@ -1057,8 +1045,10 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { - - /* First, remove dependency to other. */ - HASHMAP_FOREACH_KEY(deps, dt, u->dependencies) { -- if (hashmap_remove(deps, other)) -- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); -+ if (hashmap_remove(deps, other) && unit_should_warn_about_dependency(UNIT_DEPENDENCY_FROM_PTR(dt))) -+ log_unit_warning(u, "Dependency %s=%s is dropped, as %s is merged into %s.", -+ unit_dependency_to_string(UNIT_DEPENDENCY_FROM_PTR(dt)), -+ other->id, other->id, u->id); - - if (hashmap_isempty(deps)) - hashmap_free(hashmap_remove(u->dependencies, dt)); -@@ -1085,7 +1075,11 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { - if (back == u) { - /* This is a dependency pointing back to the unit we want to merge with? - * Suppress it (but warn) */ -- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); -+ if (unit_should_warn_about_dependency(UNIT_DEPENDENCY_FROM_PTR(dt))) -+ log_unit_warning(u, "Dependency %s=%s in %s is dropped, as %s is merged into %s.", -+ unit_dependency_to_string(UNIT_DEPENDENCY_FROM_PTR(dt)), -+ u->id, other->id, other->id, u->id); -+ - hashmap_remove(other_deps, back); - continue; - } -@@ -3055,7 +3049,6 @@ int unit_add_dependency( - [UNIT_IN_SLICE] = UNIT_SLICE_OF, - [UNIT_SLICE_OF] = UNIT_IN_SLICE, - }; -- Unit *original_u = u, *original_other = other; - UnitDependencyAtom a; - int r; - -@@ -3074,7 +3067,9 @@ int unit_add_dependency( - - /* We won't allow dependencies on ourselves. We will not consider them an error however. */ - if (u == other) { -- unit_maybe_warn_about_dependency(original_u, original_other->id, d); -+ if (unit_should_warn_about_dependency(d)) -+ log_unit_warning(u, "Dependency %s=%s is dropped.", -+ unit_dependency_to_string(d), u->id); - return 0; - } - --- -2.27.0 - diff --git a/backport-core-unit-fix-logic-of-dropping-self-referencing-dep.patch b/backport-core-unit-fix-logic-of-dropping-self-referencing-dep.patch deleted file mode 100644 index 09e19cb..0000000 --- a/backport-core-unit-fix-logic-of-dropping-self-referencing-dep.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 53e0e6ef0eea396bb432cbfc1f2f6ea1272ff1f1 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 15 Nov 2022 23:08:35 +0900 -Subject: [PATCH] core/unit: fix logic of dropping self-referencing - dependencies - -Fixes a bug in 15ed3c3a188cf7fa5a60ae508fc7a3ed048d2220. ---- - src/core/unit.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index 1a580157af..a9052428e4 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -1131,10 +1131,11 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { - } - } else { - assert_se(r >= 0); -- TAKE_PTR(other_deps); - - if (hashmap_remove(other_deps, u)) - unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); -+ -+ TAKE_PTR(other_deps); - } - } - --- -2.27.0 - diff --git a/backport-core-unit-fix-use-after-free.patch b/backport-core-unit-fix-use-after-free.patch deleted file mode 100644 index 9998e8f..0000000 --- a/backport-core-unit-fix-use-after-free.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 3daae8785764304a65892ddcd548b6aae16c9463 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 9 May 2022 00:56:05 +0900 -Subject: [PATCH] core/unit: fix use-after-free - -Fixes #23312. - -(cherry picked from commit 734582830b58e000a26e18807ea277c18778573c) ---- - src/core/unit.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index af6cf097fc..b233aca28c 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -671,8 +671,8 @@ Unit* unit_free(Unit *u) { - - unit_dequeue_rewatch_pids(u); - -- sd_bus_slot_unref(u->match_bus_slot); -- sd_bus_track_unref(u->bus_track); -+ u->match_bus_slot = sd_bus_slot_unref(u->match_bus_slot); -+ u->bus_track = sd_bus_track_unref(u->bus_track); - u->deserialized_refs = strv_free(u->deserialized_refs); - u->pending_freezer_message = sd_bus_message_unref(u->pending_freezer_message); - --- -2.33.0 - diff --git a/backport-core-unit-merge-two-loops-into-one.patch b/backport-core-unit-merge-two-loops-into-one.patch deleted file mode 100644 index 3b792d0..0000000 --- a/backport-core-unit-merge-two-loops-into-one.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 4b7918a65cc2571a2b3fc166229e1b8db463e217 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Nov 2022 12:46:45 +0900 -Subject: [PATCH] core/unit: merge two loops into one - -No functional change, just refactoring. ---- - src/core/unit.c | 47 +++++++++++++++-------------------------------- - 1 file changed, 15 insertions(+), 32 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index a9052428e4..0d52e4bf1a 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -1048,7 +1048,6 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { - Hashmap *deps; - void *dt; /* Actually of type UnitDependency, except that we don't bother casting it here, - * since the hashmaps all want it as void pointer. */ -- int r; - - assert(u); - assert(other); -@@ -1075,6 +1074,8 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { - if (!other_deps) - break; /* done! */ - -+ deps = hashmap_get(u->dependencies, dt); -+ - /* Now iterate through all dependencies of this dependency type, of 'other'. We refer to the - * referenced units as 'back'. */ - HASHMAP_FOREACH_KEY(di_back.data, back, other_deps) { -@@ -1085,6 +1086,7 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { - /* This is a dependency pointing back to the unit we want to merge with? - * Suppress it (but warn) */ - unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); -+ hashmap_remove(other_deps, back); - continue; - } - -@@ -1103,40 +1105,21 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { - di_move.origin_mask, - di_move.destination_mask) >= 0); - } -- } - -- /* Now all references towards 'other' of the current type 'dt' are corrected to point to -- * 'u'. Lets's now move the deps of type 'dt' from 'other' to 'u'. First, let's try to move -- * them per type wholesale. */ -- r = hashmap_put(u->dependencies, dt, other_deps); -- if (r == -EEXIST) { - /* The target unit already has dependencies of this type, let's then merge this individually. */ -- -- assert_se(deps = hashmap_get(u->dependencies, dt)); -- -- for (;;) { -- UnitDependencyInfo di_move; -- -- /* Get first dep */ -- di_move.data = hashmap_steal_first_key_and_value(other_deps, (void**) &back); -- if (!di_move.data) -- break; /* done */ -- if (back == u) { -- /* Would point back to us, ignore */ -- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); -- continue; -- } -- -- assert_se(unit_per_dependency_type_hashmap_update(deps, back, di_move.origin_mask, di_move.destination_mask) >= 0); -- } -- } else { -- assert_se(r >= 0); -- -- if (hashmap_remove(other_deps, u)) -- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); -- -- TAKE_PTR(other_deps); -+ if (deps) -+ assert_se(unit_per_dependency_type_hashmap_update( -+ deps, -+ back, -+ di_back.origin_mask, -+ di_back.destination_mask) >= 0); - } -+ -+ /* Now all references towards 'other' of the current type 'dt' are corrected to point to 'u'. -+ * Lets's now move the deps of type 'dt' from 'other' to 'u'. If the unit does not have -+ * dependencies of this type, let's move them per type wholesale. */ -+ if (!deps) -+ assert_se(hashmap_put(u->dependencies, dt, TAKE_PTR(other_deps)) >= 0); - } - - other->dependencies = hashmap_free(other->dependencies); --- -2.27.0 - diff --git a/backport-core-unit-merge-unit-names-after-merging-deps.patch b/backport-core-unit-merge-unit-names-after-merging-deps.patch deleted file mode 100644 index ec6e096..0000000 --- a/backport-core-unit-merge-unit-names-after-merging-deps.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1d0c81a05b1605a5fc3db44d5a157a1d6876eda9 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 16 Nov 2022 03:18:30 +0900 -Subject: [PATCH] core/unit: merge unit names after merging deps - -Before: -systemd[1]: issue-24990.service: Dependency Before=n/a dropped, merged into issue-24990.service -After: -systemd[1]: issue-24990.service: Dependency Before=test1.service dropped, merged into issue-24990.service ---- - src/core/unit.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index 0d52e4bf1a..ea09416be5 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -1165,11 +1165,6 @@ int unit_merge(Unit *u, Unit *other) { - if (r < 0) - return r; - -- /* Merge names */ -- r = unit_merge_names(u, other); -- if (r < 0) -- return r; -- - /* Redirect all references */ - while (other->refs_by_target) - unit_ref_set(other->refs_by_target, other->refs_by_target->source, u); -@@ -1177,6 +1172,11 @@ int unit_merge(Unit *u, Unit *other) { - /* Merge dependencies */ - unit_merge_dependencies(u, other); - -+ /* Merge names. It is better to do that after merging deps, otherwise the log message contains n/a. */ -+ r = unit_merge_names(u, other); -+ if (r < 0) -+ return r; -+ - other->load_state = UNIT_MERGED; - other->merged_into = u; - --- -2.27.0 - diff --git a/backport-core-unit-use-bus_error_message-at-one-more-place.patch b/backport-core-unit-use-bus_error_message-at-one-more-place.patch deleted file mode 100644 index be4658f..0000000 --- a/backport-core-unit-use-bus_error_message-at-one-more-place.patch +++ /dev/null @@ -1,36 +0,0 @@ -From aa25320dbbc2b239d9f551cffac39263814a3dfa Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 30 Jan 2022 05:38:01 +0900 -Subject: [PATCH] core/unit: use bus_error_message() at one more place - -(cherry picked from commit 33322185554799b08e94aca036dd109aaee52408) -(cherry picked from commit 81e59411161078f4f90d80e2e111755adc16db33) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/aa25320dbbc2b239d9f551cffac39263814a3dfa ---- - src/core/unit.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index dfe200ee20..0e8a01966a 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -3422,8 +3422,12 @@ static int get_name_owner_handler(sd_bus_message *message, void *userdata, sd_bu - - e = sd_bus_message_get_error(message); - if (e) { -- if (!sd_bus_error_has_name(e, "org.freedesktop.DBus.Error.NameHasNoOwner")) -- log_unit_error(u, "Unexpected error response from GetNameOwner(): %s", e->message); -+ if (!sd_bus_error_has_name(e, "org.freedesktop.DBus.Error.NameHasNoOwner")) { -+ r = sd_bus_error_get_errno(e); -+ log_unit_error_errno(u, r, -+ "Unexpected error response from GetNameOwner(): %s", -+ bus_error_message(e, r)); -+ } - - new_owner = NULL; - } else { --- -2.33.0 - diff --git a/backport-core-use-correct-level-for-CPU-time-log-message.patch b/backport-core-use-correct-level-for-CPU-time-log-message.patch deleted file mode 100644 index f4db746..0000000 --- a/backport-core-use-correct-level-for-CPU-time-log-message.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 034a23c640c74856df76b3af5fdc4af5cb48256b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 6 Dec 2021 16:57:42 +0100 -Subject: [PATCH] core: use correct level for CPU time log message - -raise_level() takes the info condition as second argument and the notice -one as third. For the consumed CPU time these conditions are swapped. - -Fixes: 37109b856aeb ("pid1: use LOG_DEBUG/INFO/NOTICE for unit resource consumption message") -(cherry picked from commit ef6bb4dd3e3bb9c210c310026b4d827a46acc762) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/034a23c640c74856df76b3af5fdc4af5cb48256b ---- - src/core/unit.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index c792bd8e82..dfe200ee20 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -2296,8 +2296,8 @@ static int unit_log_resources(Unit *u) { - message_parts[n_message_parts++] = t; - - log_level = raise_level(log_level, -- nsec > NOTICEWORTHY_CPU_NSEC, -- nsec > MENTIONWORTHY_CPU_NSEC); -+ nsec > MENTIONWORTHY_CPU_NSEC, -+ nsec > NOTICEWORTHY_CPU_NSEC); - } - - for (CGroupIOAccountingMetric k = 0; k < _CGROUP_IO_ACCOUNTING_METRIC_MAX; k++) { --- -2.33.0 - diff --git a/backport-core-use-the-new-quoting-helper.patch b/backport-core-use-the-new-quoting-helper.patch deleted file mode 100644 index e2d969e..0000000 --- a/backport-core-use-the-new-quoting-helper.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 284781bcb00be27737b52ffb974b66b7d5e990d5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 7 Jul 2021 16:28:19 +0200 -Subject: [PATCH] core: use the new quoting helper - -(cherry picked from commit 8a62620ebe23945021075df7e1b0759102c286ae) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/284781bcb00be27737b52ffb974b66b7d5e990d5 ---- - src/core/execute.c | 64 ++++++++++------------------------------------ - 1 file changed, 13 insertions(+), 51 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index e24775c150..28efe5c36f 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -51,6 +51,7 @@ - #include "env-file.h" - #include "env-util.h" - #include "errno-list.h" -+#include "escape.h" - #include "execute.h" - #include "exit-status.h" - #include "fd-util.h" -@@ -3596,8 +3597,6 @@ static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p - return 0; - } - --static char *exec_command_line(char **argv); -- - static int exec_parameters_get_cgroup_path(const ExecParameters *params, char **ret) { - bool using_subcgroup; - char *p; -@@ -3800,7 +3799,7 @@ static int exec_child( - const char *vc = params->confirm_spawn; - _cleanup_free_ char *cmdline = NULL; - -- cmdline = exec_command_line(command->argv); -+ cmdline = quote_command_line(command->argv); - if (!cmdline) { - *exit_status = EXIT_MEMORY; - return log_oom(); -@@ -4650,12 +4649,15 @@ static int exec_child( - if (DEBUG_LOGGING) { - _cleanup_free_ char *line = NULL; - -- line = exec_command_line(final_argv); -- if (line) -- log_unit_struct(unit, LOG_DEBUG, -- "EXECUTABLE=%s", executable, -- LOG_UNIT_MESSAGE(unit, "Executing: %s", line), -- LOG_UNIT_INVOCATION_ID(unit)); -+ line = quote_command_line(final_argv); -+ if (!line) { -+ *exit_status = EXIT_MEMORY; -+ return log_oom(); -+ } -+ -+ log_unit_struct(unit, LOG_DEBUG, -+ "EXECUTABLE=%s", executable, -+ LOG_UNIT_MESSAGE(unit, "Executing: %s", line)); - } - - if (exec_fd >= 0) { -@@ -4739,7 +4741,7 @@ int exec_spawn(Unit *unit, - if (r < 0) - return log_unit_error_errno(unit, r, "Failed to load environment files: %m"); - -- line = exec_command_line(command->argv); -+ line = quote_command_line(command->argv); - if (!line) - return log_oom(); - -@@ -5954,46 +5956,6 @@ void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) { - prefix, s->status); - } - --static char *exec_command_line(char **argv) { -- size_t k; -- char *n, *p, **a; -- bool first = true; -- -- assert(argv); -- -- k = 1; -- STRV_FOREACH(a, argv) -- k += strlen(*a)+3; -- -- n = new(char, k); -- if (!n) -- return NULL; -- -- p = n; -- STRV_FOREACH(a, argv) { -- -- if (!first) -- *(p++) = ' '; -- else -- first = false; -- -- if (strpbrk(*a, WHITESPACE)) { -- *(p++) = '\''; -- p = stpcpy(p, *a); -- *(p++) = '\''; -- } else -- p = stpcpy(p, *a); -- -- } -- -- *p = 0; -- -- /* FIXME: this doesn't really handle arguments that have -- * spaces and ticks in them */ -- -- return n; --} -- - static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { - _cleanup_free_ char *cmd = NULL; - const char *prefix2; -@@ -6004,7 +5966,7 @@ static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { - prefix = strempty(prefix); - prefix2 = strjoina(prefix, "\t"); - -- cmd = exec_command_line(c->argv); -+ cmd = quote_command_line(c->argv); - fprintf(f, - "%sCommand Line: %s\n", - prefix, cmd ? cmd : strerror_safe(ENOMEM)); --- -2.33.0 - diff --git a/backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch b/backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch deleted file mode 100644 index 729a427..0000000 --- a/backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch +++ /dev/null @@ -1,261 +0,0 @@ -From 24a40953d3d6ad8b1429d19da2f66399ae3f7e0b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 5 Aug 2021 03:14:41 +0900 -Subject: [PATCH] core: wrap cgroup path with empty_to_root() in log messages - -This fixes e.g. the following log message: ---- -systemd[1]: -.slice: Failed to migrate controller cgroups from , ignoring: Read-only file system ---- - -(cherry picked from commit 6178e2f88956e1900f445908ed053865cc22e879) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/24a40953d3d6ad8b1429d19da2f66399ae3f7e0b ---- - src/core/bpf-devices.c | 3 ++- - src/core/cgroup.c | 46 +++++++++++++++++++++--------------------- - src/core/unit.c | 6 +++--- - 3 files changed, 28 insertions(+), 27 deletions(-) - -diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c -index 8a345a4498..4daa7f76b0 100644 ---- a/src/core/bpf-devices.c -+++ b/src/core/bpf-devices.c -@@ -9,6 +9,7 @@ - #include "fileio.h" - #include "nulstr-util.h" - #include "parse-util.h" -+#include "path-util.h" - #include "stat-util.h" - #include "stdio-util.h" - #include "string-util.h" -@@ -260,7 +261,7 @@ int bpf_devices_apply_policy( - r = bpf_program_cgroup_attach(prog, BPF_CGROUP_DEVICE, controller_path, BPF_F_ALLOW_MULTI); - if (r < 0) - return log_error_errno(r, "Attaching device control BPF program to cgroup %s failed: %m", -- cgroup_path); -+ empty_to_root(cgroup_path)); - - finish: - /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */ -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index eab0929dc5..3a6f768c60 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -84,7 +84,7 @@ static int set_attribute_and_warn(Unit *u, const char *controller, const char *a - r = cg_set_attribute(controller, u->cgroup_path, attribute, value); - if (r < 0) - log_unit_full_errno(u, LOG_LEVEL_CGROUP_WRITE(r), r, "Failed to set '%s' attribute on '%s' to '%.*s': %m", -- strna(attribute), isempty(u->cgroup_path) ? "/" : u->cgroup_path, (int) strcspn(value, NEWLINE), value); -+ strna(attribute), empty_to_root(u->cgroup_path), (int) strcspn(value, NEWLINE), value); - - return r; - } -@@ -713,25 +713,25 @@ void cgroup_oomd_xattr_apply(Unit *u, const char *cgroup_path) { - if (c->moom_preference == MANAGED_OOM_PREFERENCE_OMIT) { - r = cg_set_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_omit", "1", 1, 0); - if (r < 0) -- log_unit_debug_errno(u, r, "Failed to set oomd_omit flag on control group %s, ignoring: %m", cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to set oomd_omit flag on control group %s, ignoring: %m", empty_to_root(cgroup_path)); - } - - if (c->moom_preference == MANAGED_OOM_PREFERENCE_AVOID) { - r = cg_set_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_avoid", "1", 1, 0); - if (r < 0) -- log_unit_debug_errno(u, r, "Failed to set oomd_avoid flag on control group %s, ignoring: %m", cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to set oomd_avoid flag on control group %s, ignoring: %m", empty_to_root(cgroup_path)); - } - - if (c->moom_preference != MANAGED_OOM_PREFERENCE_AVOID) { - r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_avoid"); - if (r < 0 && r != -ENODATA) -- log_unit_debug_errno(u, r, "Failed to remove oomd_avoid flag on control group %s, ignoring: %m", cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to remove oomd_avoid flag on control group %s, ignoring: %m", empty_to_root(cgroup_path)); - } - - if (c->moom_preference != MANAGED_OOM_PREFERENCE_OMIT) { - r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_omit"); - if (r < 0 && r != -ENODATA) -- log_unit_debug_errno(u, r, "Failed to remove oomd_omit flag on control group %s, ignoring: %m", cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to remove oomd_omit flag on control group %s, ignoring: %m", empty_to_root(cgroup_path)); - } - } - -@@ -750,7 +750,7 @@ static void cgroup_xattr_apply(Unit *u) { - sd_id128_to_string(u->invocation_id, ids), 32, - 0); - if (r < 0) -- log_unit_debug_errno(u, r, "Failed to set invocation ID on control group %s, ignoring: %m", u->cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to set invocation ID on control group %s, ignoring: %m", empty_to_root(u->cgroup_path)); - } - - if (unit_cgroup_delegate(u)) { -@@ -759,11 +759,11 @@ static void cgroup_xattr_apply(Unit *u) { - "1", 1, - 0); - if (r < 0) -- log_unit_debug_errno(u, r, "Failed to set delegate flag on control group %s, ignoring: %m", u->cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to set delegate flag on control group %s, ignoring: %m", empty_to_root(u->cgroup_path)); - } else { - r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "trusted.delegate"); - if (r < 0 && r != -ENODATA) -- log_unit_debug_errno(u, r, "Failed to remove delegate flag on control group %s, ignoring: %m", u->cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to remove delegate flag on control group %s, ignoring: %m", empty_to_root(u->cgroup_path)); - } - - cgroup_oomd_xattr_apply(u, u->cgroup_path); -@@ -1921,12 +1921,12 @@ int unit_watch_cgroup(Unit *u) { - * is not an error */ - return 0; - -- return log_unit_error_errno(u, errno, "Failed to add control inotify watch descriptor for control group %s: %m", u->cgroup_path); -+ return log_unit_error_errno(u, errno, "Failed to add control inotify watch descriptor for control group %s: %m", empty_to_root(u->cgroup_path)); - } - - r = hashmap_put(u->manager->cgroup_control_inotify_wd_unit, INT_TO_PTR(u->cgroup_control_inotify_wd), u); - if (r < 0) -- return log_unit_error_errno(u, r, "Failed to add control inotify watch descriptor to hash map: %m"); -+ return log_unit_error_errno(u, r, "Failed to add control inotify watch descriptor for control group %s to hash map: %m", empty_to_root(u->cgroup_path)); - - return 0; - } -@@ -1984,12 +1984,12 @@ int unit_watch_cgroup_memory(Unit *u) { - * is not an error */ - return 0; - -- return log_unit_error_errno(u, errno, "Failed to add memory inotify watch descriptor for control group %s: %m", u->cgroup_path); -+ return log_unit_error_errno(u, errno, "Failed to add memory inotify watch descriptor for control group %s: %m", empty_to_root(u->cgroup_path)); - } - - r = hashmap_put(u->manager->cgroup_memory_inotify_wd_unit, INT_TO_PTR(u->cgroup_memory_inotify_wd), u); - if (r < 0) -- return log_unit_error_errno(u, r, "Failed to add memory inotify watch descriptor to hash map: %m"); -+ return log_unit_error_errno(u, r, "Failed to add memory inotify watch descriptor for control group %s to hash map: %m", empty_to_root(u->cgroup_path)); - - return 0; - } -@@ -2012,9 +2012,9 @@ int unit_pick_cgroup_path(Unit *u) { - - r = unit_set_cgroup_path(u, path); - if (r == -EEXIST) -- return log_unit_error_errno(u, r, "Control group %s exists already.", path); -+ return log_unit_error_errno(u, r, "Control group %s exists already.", empty_to_root(path)); - if (r < 0) -- return log_unit_error_errno(u, r, "Failed to set unit's control group path to %s: %m", path); -+ return log_unit_error_errno(u, r, "Failed to set unit's control group path to %s: %m", empty_to_root(path)); - - return 0; - } -@@ -2042,7 +2042,7 @@ static int unit_update_cgroup( - /* First, create our own group */ - r = cg_create_everywhere(u->manager->cgroup_supported, target_mask, u->cgroup_path); - if (r < 0) -- return log_unit_error_errno(u, r, "Failed to create cgroup %s: %m", u->cgroup_path); -+ return log_unit_error_errno(u, r, "Failed to create cgroup %s: %m", empty_to_root(u->cgroup_path)); - created = r; - - /* Start watching it */ -@@ -2058,7 +2058,7 @@ static int unit_update_cgroup( - /* Enable all controllers we need */ - r = cg_enable_everywhere(u->manager->cgroup_supported, enable_mask, u->cgroup_path, &result_mask); - if (r < 0) -- log_unit_warning_errno(u, r, "Failed to enable/disable controllers on cgroup %s, ignoring: %m", u->cgroup_path); -+ log_unit_warning_errno(u, r, "Failed to enable/disable controllers on cgroup %s, ignoring: %m", empty_to_root(u->cgroup_path)); - - /* Remember what's actually enabled now */ - u->cgroup_enabled_mask = result_mask; -@@ -2080,12 +2080,12 @@ static int unit_update_cgroup( - if (cg_all_unified() == 0) { - r = cg_migrate_v1_controllers(u->manager->cgroup_supported, migrate_mask, u->cgroup_path, migrate_callback, u); - if (r < 0) -- log_unit_warning_errno(u, r, "Failed to migrate controller cgroups from %s, ignoring: %m", u->cgroup_path); -+ log_unit_warning_errno(u, r, "Failed to migrate controller cgroups from %s, ignoring: %m", empty_to_root(u->cgroup_path)); - - is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE); - r = cg_trim_v1_controllers(u->manager->cgroup_supported, ~target_mask, u->cgroup_path, !is_root_slice); - if (r < 0) -- log_unit_warning_errno(u, r, "Failed to delete controller cgroups %s, ignoring: %m", u->cgroup_path); -+ log_unit_warning_errno(u, r, "Failed to delete controller cgroups %s, ignoring: %m", empty_to_root(u->cgroup_path)); - } - - /* Set attributes */ -@@ -2175,7 +2175,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - - log_unit_full_errno(u, again ? LOG_DEBUG : LOG_INFO, q, - "Couldn't move process "PID_FMT" to%s requested cgroup '%s': %m", -- pid, again ? " directly" : "", p); -+ pid, again ? " directly" : "", empty_to_root(p)); - - if (again) { - int z; -@@ -2187,7 +2187,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - - z = unit_attach_pid_to_cgroup_via_bus(u, pid, suffix_path); - if (z < 0) -- log_unit_info_errno(u, z, "Couldn't move process "PID_FMT" to requested cgroup '%s' (directly or via the system bus): %m", pid, p); -+ log_unit_info_errno(u, z, "Couldn't move process "PID_FMT" to requested cgroup '%s' (directly or via the system bus): %m", pid, empty_to_root(p)); - else - continue; /* When the bus thing worked via the bus we are fully done for this PID. */ - } -@@ -2221,7 +2221,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - continue; /* Success! */ - - log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to requested cgroup %s in controller %s, falling back to unit's cgroup: %m", -- pid, p, cgroup_controller_to_string(c)); -+ pid, empty_to_root(p), cgroup_controller_to_string(c)); - } - - /* So this controller is either not delegate or realized, or something else weird happened. In -@@ -2656,7 +2656,7 @@ void unit_prune_cgroup(Unit *u) { - * the containing slice is stopped. So even if we failed now, this unit shouldn't assume - * that the cgroup is still realized the next time it is started. Do not return early - * on error, continue cleanup. */ -- log_unit_full_errno(u, r == -EBUSY ? LOG_DEBUG : LOG_WARNING, r, "Failed to destroy cgroup %s, ignoring: %m", u->cgroup_path); -+ log_unit_full_errno(u, r == -EBUSY ? LOG_DEBUG : LOG_WARNING, r, "Failed to destroy cgroup %s, ignoring: %m", empty_to_root(u->cgroup_path)); - - if (is_root_slice) - return; -@@ -2869,7 +2869,7 @@ void unit_add_to_cgroup_empty_queue(Unit *u) { - - r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path); - if (r < 0) { -- log_unit_debug_errno(u, r, "Failed to determine whether cgroup %s is empty: %m", u->cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to determine whether cgroup %s is empty: %m", empty_to_root(u->cgroup_path)); - return; - } - if (r == 0) -diff --git a/src/core/unit.c b/src/core/unit.c -index 30afd5a776..47966bcf0d 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -427,7 +427,7 @@ bool unit_may_gc(Unit *u) { - - r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path); - if (r < 0) -- log_unit_debug_errno(u, r, "Failed to determine whether cgroup %s is empty: %m", u->cgroup_path); -+ log_unit_debug_errno(u, r, "Failed to determine whether cgroup %s is empty: %m", empty_to_root(u->cgroup_path)); - if (r <= 0) - return false; - } -@@ -4553,7 +4553,7 @@ int unit_kill_context( - log_func, u); - if (r < 0) { - if (!IN_SET(r, -EAGAIN, -ESRCH, -ENOENT)) -- log_unit_warning_errno(u, r, "Failed to kill control group %s, ignoring: %m", u->cgroup_path); -+ log_unit_warning_errno(u, r, "Failed to kill control group %s, ignoring: %m", empty_to_root(u->cgroup_path)); - - } else if (r > 0) { - -@@ -5011,7 +5011,7 @@ int unit_fork_helper_process(Unit *u, const char *name, pid_t *ret) { - if (u->cgroup_path) { - r = cg_attach_everywhere(u->manager->cgroup_supported, u->cgroup_path, 0, NULL, NULL); - if (r < 0) { -- log_unit_error_errno(u, r, "Failed to join unit cgroup %s: %m", u->cgroup_path); -+ log_unit_error_errno(u, r, "Failed to join unit cgroup %s: %m", empty_to_root(u->cgroup_path)); - _exit(EXIT_CGROUP); - } - } --- -2.33.0 - diff --git a/backport-coredump-Connect-stdout-stderr-to-dev-null-before-do.patch b/backport-coredump-Connect-stdout-stderr-to-dev-null-before-do.patch deleted file mode 100644 index f6f3bcb..0000000 --- a/backport-coredump-Connect-stdout-stderr-to-dev-null-before-do.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 098a25754b0835ffe078b12f75a1862cf528a986 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Fri, 15 Jul 2022 01:49:25 +0200 -Subject: [PATCH] coredump: Connect stdout/stderr to /dev/null before doing - anything - -When invoked as the coredump handler by the kernel, systemd-coredump's -stdout and stderr streams are closed. This is dangerous as this means -the fd's can get reallocated, leading to hard to debug errors such as -log messages ending up being appended to a compressed coredump file. - -To avoid such issues in the future, let's bind stdout/stderr to -/dev/null so the file descriptors can't get used for anything else. - -(cherry picked from commit 1f9d2a8199c261593aa6a11df9cce5d31e23c714) -(cherry picked from commit fba50bc0fc5a69e5573ceadb5d6224f365d3c3f5) -(cherry picked from commit 3e1224d4ac3f44558c7bc3ceec2d6080afe21dc3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/098a25754b0835ffe078b12f75a1862cf528a986 ---- - src/coredump/coredump.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c -index c6639c0100..72df958bc3 100644 ---- a/src/coredump/coredump.c -+++ b/src/coredump/coredump.c -@@ -1268,6 +1268,13 @@ static int process_kernel(int argc, char* argv[]) { - struct iovec_wrapper *iovw; - int r; - -+ /* When we're invoked by the kernel, stdout/stderr are closed which is dangerous because the fds -+ * could get reallocated. To avoid hard to debug issues, let's instead bind stdout/stderr to -+ * /dev/null. */ -+ r = rearrange_stdio(STDIN_FILENO, -1, -1); -+ if (r < 0) -+ return log_error_errno(r, "Failed to connect stdout/stderr to /dev/null: %m"); -+ - log_debug("Processing coredump received from the kernel..."); - - iovw = iovw_new(); --- -2.27.0 - diff --git a/backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch b/backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch deleted file mode 100644 index eddefb4..0000000 --- a/backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 6745eaa6308b835e2c5e68d49e9bece29fd37fa2 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Wed, 6 Oct 2021 13:20:36 +0100 -Subject: [PATCH] coredump: Don't log an error if D-Bus isn't running - -coredumpctl could be used in a chroot where D-Bus isn't running. If -that's the case, we shouldn't consider it an error if we can't connect -to the D-Bus daemon so let's reduce the severity of the error we log -when we can't connect to D-Bus because the socket doesn't exist. - -(cherry picked from commit 414bd2e786f9912f51b82e5fe4a1126179a5652a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6745eaa6308b835e2c5e68d49e9bece29fd37fa2 ---- - src/coredump/coredumpctl.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/coredump/coredumpctl.c b/src/coredump/coredumpctl.c -index def3650bb4..3d44e51e32 100644 ---- a/src/coredump/coredumpctl.c -+++ b/src/coredump/coredumpctl.c -@@ -1186,6 +1186,10 @@ static int check_units_active(void) { - return false; - - r = sd_bus_default_system(&bus); -+ if (r == -ENOENT) { -+ log_debug("D-Bus is not running, skipping active unit check"); -+ return 0; -+ } - if (r < 0) - return log_error_errno(r, "Failed to acquire bus: %m"); - --- -2.33.0 - diff --git a/backport-coredump-Fix-format-string-type-mismatch.patch b/backport-coredump-Fix-format-string-type-mismatch.patch deleted file mode 100644 index ae3e024..0000000 --- a/backport-coredump-Fix-format-string-type-mismatch.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 08e86b15fc22a8e9f1ee0a791dfd35b2fc25e4c4 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Sun, 22 May 2022 14:36:07 +0200 -Subject: [PATCH] coredump: Fix format string type mismatch - -Fixes #23471 - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/08e86b15fc22a8e9f1ee0a791dfd35b2fc25e4c4 - ---- - src/coredump/coredump.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c -index c9747416ad..994d968d87 100644 ---- a/src/coredump/coredump.c -+++ b/src/coredump/coredump.c -@@ -512,8 +512,8 @@ static int save_external_coredump( - - if (truncated) - log_struct(LOG_INFO, -- LOG_MESSAGE("Core file was truncated to %zu bytes.", max_size), -- "SIZE_LIMIT=%zu", max_size, -+ LOG_MESSAGE("Core file was truncated to %"PRIu64" bytes.", max_size), -+ "SIZE_LIMIT=%"PRIu64, max_size, - "MESSAGE_ID=" SD_MESSAGE_TRUNCATED_CORE_STR); - - r = fix_permissions(fd, tmp, fn, context, uid); --- -2.33.0 - diff --git a/backport-coredump-drop-an-unused-variable.patch b/backport-coredump-drop-an-unused-variable.patch deleted file mode 100644 index 8f3af80..0000000 --- a/backport-coredump-drop-an-unused-variable.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 9abe4cfc39579037937c63602ce8fe4f51746d38 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Sat, 20 Aug 2022 21:04:24 +0200 -Subject: [PATCH] coredump: drop an unused variable - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9abe4cfc39579037937c63602ce8fe4f51746d38 - ---- - src/coredump/coredump.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c -index 3ec41a32c3..98e7492811 100644 ---- a/src/coredump/coredump.c -+++ b/src/coredump/coredump.c -@@ -931,7 +931,6 @@ log: - } - - static int save_context(Context *context, const struct iovec_wrapper *iovw) { -- unsigned count = 0; - const char *unit; - int r; - -@@ -955,7 +954,6 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { - p = startswith(iovec->iov_base, meta_field_names[i]); - if (p) { - context->meta[i] = p; -- count++; - break; - } - } --- -2.33.0 - diff --git a/backport-coredump-fix-filename-in-journal-when-not-compressed.patch b/backport-coredump-fix-filename-in-journal-when-not-compressed.patch deleted file mode 100644 index c328f72..0000000 --- a/backport-coredump-fix-filename-in-journal-when-not-compressed.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 01cf580c235ac4725051e6101ce5bcef1b97cc48 Mon Sep 17 00:00:00 2001 -From: xdavidwu -Date: Fri, 5 Nov 2021 22:37:06 +0800 -Subject: [PATCH] coredump: fix filename in journal when not compressed - -Since 587f2a5e564cf434c2e0a653f52b8f73e86092d8, filename for -not-compressed coredump is missing from save_external_coredump, making -it write COREDUMP_FILENAME= (empty) in journal, making `coredumpctl` -report it missing but it is actually saved. -This fixes it. - -(cherry picked from commit 0cfb0971f0fcd345cae76f6837d9801b6cbde407) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/01cf580c235ac4725051e6101ce5bcef1b97cc48 ---- - src/coredump/coredump.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c -index 444b9ec374..1e34c4b5be 100644 ---- a/src/coredump/coredump.c -+++ b/src/coredump/coredump.c -@@ -525,6 +525,7 @@ static int save_external_coredump( - if (lseek(fd, 0, SEEK_SET) == (off_t) -1) - return log_error_errno(errno, "Failed to seek on coredump %s: %m", fn); - -+ *ret_filename = TAKE_PTR(fn); - *ret_data_fd = TAKE_FD(fd); - *ret_size = (uint64_t) st.st_size; - *ret_truncated = truncated; --- -2.33.0 - diff --git a/backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch b/backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch deleted file mode 100644 index ef501bb..0000000 --- a/backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 765c366274db3ff841da237769f2b20a4ec3a045 Mon Sep 17 00:00:00 2001 -From: Sergei Trofimovich -Date: Sat, 31 Jul 2021 13:07:54 +0100 -Subject: [PATCH] coredump/stacktrace.c: avoid crash on binaries without NHDR - -Observed as a crash on binaries built with gcc-master: - -``` - 3 0x00005573b8841d6a in parse_package_metadata (name=name@entry=0x5573b901a620 "/a", id_json=0x0, - elf=0x5573b9028730, c=c@entry=0x7fffc688f790) at ../systemd-stable-249.2/src/coredump/stacktrace.c:157 - 4 0x00005573b884209e in module_callback (mod=0x7fffc688f6c0, userdata=, - name=0x5573b901a620 "/a", start=, arg=0x7fffc688f790) - at ../systemd-stable-249.2/src/coredump/stacktrace.c:306 - 5 0x00007f56d60dcbd5 in dwfl_getmodules (dwfl=0x5573b901fda0, - callback=callback@entry=0x5573b8841eb0 , arg=arg@entry=0x7fffc688f790, offset=offset@entry=0) - at ../../elfutils-0.185/libdwfl/dwfl_getmodules.c:86 - 6 0x00005573b884231b in parse_core (ret_package_metadata=0x7fffc688f848, ret=0x7fffc688f850, - executable=0x7fffc688f790 "\200\332\001\271sU", fd=21) at ../systemd-stable-249.2/src/coredump/stacktrace.c:366 - 7 coredump_parse_core (fd=fd@entry=6, executable=0x7fffc688f790 "\200\332\001\271sU", ret=ret@entry=0x7fffc688f850, - ret_package_metadata=ret_package_metadata@entry=0x7fffc688f848) - at ../systemd-stable-249.2/src/coredump/stacktrace.c:406 - 8 0x00005573b883f897 in submit_coredump (context=context@entry=0x7fffc688fa10, iovw=iovw@entry=0x7fffc688f990, - input_fd=input_fd@entry=5) at ../systemd-stable-249.2/src/coredump/coredump.c:827 - 9 0x00005573b883d339 in process_socket (fd=3) at ../systemd-stable-249.2/src/coredump/coredump.c:1041 - 10 run (argv=, argc=-964101648) at ../systemd-stable-249.2/src/coredump/coredump.c:1416 - 11 main (argc=-964101648, argv=) at ../systemd-stable-249.2/src/coredump/coredump.c:1422 -``` - -Happens only on enabled elfutils symbolizer. - -Signed-off-by: Sergei Trofimovich -(cherry picked from commit 1da3eef262078905ec14c707eeab655a17ae8bd2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/765c366274db3ff841da237769f2b20a4ec3a045 ---- - src/coredump/stacktrace.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/coredump/stacktrace.c b/src/coredump/stacktrace.c -index 0edb1b40a7..e46b324cdf 100644 ---- a/src/coredump/stacktrace.c -+++ b/src/coredump/stacktrace.c -@@ -153,6 +153,8 @@ static int parse_package_metadata(const char *name, JsonVariant *id_json, Elf *e - program_header->p_offset, - program_header->p_filesz, - ELF_T_NHDR); -+ if (!data) -+ continue; - - while (note_offset < data->d_size && - (note_offset = gelf_getnote(data, note_offset, ¬e_header, &name_offset, &desc_offset)) > 0) { --- -2.33.0 - diff --git a/backport-coredumpctl-stop-truncating-information-about-coredu.patch b/backport-coredumpctl-stop-truncating-information-about-coredu.patch deleted file mode 100644 index 072fb9a..0000000 --- a/backport-coredumpctl-stop-truncating-information-about-coredu.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 473627e1c9fcdf8f819ced2bb79cb7e9ff598b0c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 12 Oct 2021 19:46:25 +0200 -Subject: [PATCH] coredumpctl: stop truncating information about coredump -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -With the changes to limit that print 'Found module …' over and over, we were -hitting the journal field message limit, effectively truncating the info output. - -Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1998488. - -(cherry picked from commit 384c6207669eb0d92aa0043dbc01957c6c7ff41e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/473627e1c9fcdf8f819ced2bb79cb7e9ff598b0c ---- - src/coredump/coredumpctl.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/coredump/coredumpctl.c b/src/coredump/coredumpctl.c -index 3d44e51e32..7eba8330d7 100644 ---- a/src/coredump/coredumpctl.c -+++ b/src/coredump/coredumpctl.c -@@ -555,6 +555,8 @@ static int print_info(FILE *file, sd_journal *j, bool need_space) { - assert(file); - assert(j); - -+ (void) sd_journal_set_data_threshold(j, 0); -+ - SD_JOURNAL_FOREACH_DATA(j, d, l) { - RETRIEVE(d, l, "MESSAGE_ID", mid); - RETRIEVE(d, l, "COREDUMP_PID", pid); --- -2.33.0 - diff --git a/backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch b/backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch deleted file mode 100644 index e63c2e8..0000000 --- a/backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch +++ /dev/null @@ -1,995 +0,0 @@ -From 5f4862e5e1cd2a7ef302947b8634f7980e8d6275 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 29 Sep 2021 09:47:08 +0200 -Subject: [PATCH] creds-util: switch to OpenSSL 3.0 APIs - -Let's switch from the low-level SHA256 APIs to EVP APIs. The former are -deprecated on OpenSSL 3.0, the latter are supported both by old -OpenSSL and by OpenSSL 3.0, hence are the better choice. - -Fixes: #20775 -(cherry picked from commit 18f568b8e64b48f6aee204cc6384b4796cd27eb0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5f4862e5e1cd2a7ef302947b8634f7980e8d6275 ---- - src/shared/creds-util.c | 954 ++++++++++++++++++++++++++++++++++++++ - src/shared/openssl-util.h | 1 + - 2 files changed, 955 insertions(+) - create mode 100644 src/shared/creds-util.c - -diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c -new file mode 100644 -index 0000000000..b764198b76 ---- /dev/null -+++ b/src/shared/creds-util.c -@@ -0,0 +1,954 @@ -+/* SPDX-License-Identifier: LGPL-2.1-or-later */ -+ -+#include -+ -+#if HAVE_OPENSSL -+#include -+#endif -+ -+#include "sd-id128.h" -+ -+#include "blockdev-util.h" -+#include "chattr-util.h" -+#include "creds-util.h" -+#include "env-util.h" -+#include "fd-util.h" -+#include "fileio.h" -+#include "fs-util.h" -+#include "io-util.h" -+#include "memory-util.h" -+#include "mkdir.h" -+#include "openssl-util.h" -+#include "path-util.h" -+#include "random-util.h" -+#include "sparse-endian.h" -+#include "stat-util.h" -+#include "tpm2-util.h" -+#include "virt.h" -+ -+bool credential_name_valid(const char *s) { -+ /* We want that credential names are both valid in filenames (since that's our primary way to pass -+ * them around) and as fdnames (which is how we might want to pass them around eventually) */ -+ return filename_is_valid(s) && fdname_is_valid(s); -+} -+ -+int get_credentials_dir(const char **ret) { -+ const char *e; -+ -+ assert(ret); -+ -+ e = secure_getenv("CREDENTIALS_DIRECTORY"); -+ if (!e) -+ return -ENXIO; -+ -+ if (!path_is_absolute(e) || !path_is_normalized(e)) -+ return -EINVAL; -+ -+ *ret = e; -+ return 0; -+} -+ -+int read_credential(const char *name, void **ret, size_t *ret_size) { -+ _cleanup_free_ char *fn = NULL; -+ const char *d; -+ int r; -+ -+ assert(ret); -+ -+ if (!credential_name_valid(name)) -+ return -EINVAL; -+ -+ r = get_credentials_dir(&d); -+ if (r < 0) -+ return r; -+ -+ fn = path_join(d, name); -+ if (!fn) -+ return -ENOMEM; -+ -+ return read_full_file_full( -+ AT_FDCWD, fn, -+ UINT64_MAX, SIZE_MAX, -+ READ_FULL_FILE_SECURE, -+ NULL, -+ (char**) ret, ret_size); -+} -+ -+#if HAVE_OPENSSL -+ -+#define CREDENTIAL_HOST_SECRET_SIZE 4096 -+ -+static const sd_id128_t credential_app_id = -+ SD_ID128_MAKE(d3,ac,ec,ba,0d,ad,4c,df,b8,c9,38,15,28,93,6c,58); -+ -+struct credential_host_secret_format { -+ /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine -+ * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the -+ * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed -+ * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not -+ * being able to directly associate a secret key file with a host. */ -+ sd_id128_t machine_id; -+ -+ /* The actual secret key */ -+ uint8_t data[CREDENTIAL_HOST_SECRET_SIZE]; -+} _packed_; -+ -+static int make_credential_host_secret( -+ int dfd, -+ const sd_id128_t machine_id, -+ const char *fn, -+ void **ret_data, -+ size_t *ret_size) { -+ -+ struct credential_host_secret_format buf; -+ _cleanup_free_ char *t = NULL; -+ _cleanup_close_ int fd = -1; -+ int r; -+ -+ assert(dfd >= 0); -+ assert(fn); -+ -+ fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400); -+ if (fd < 0) { -+ log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m"); -+ -+ if (asprintf(&t, "credential.secret.%016" PRIx64, random_u64()) < 0) -+ return -ENOMEM; -+ -+ fd = openat(dfd, t, O_CLOEXEC|O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW, 0400); -+ if (fd < 0) -+ return -errno; -+ } -+ -+ r = chattr_secret(fd, 0); -+ if (r < 0) -+ log_debug_errno(r, "Failed to set file attributes for secrets file, ignoring: %m"); -+ -+ buf = (struct credential_host_secret_format) { -+ .machine_id = machine_id, -+ }; -+ -+ r = genuine_random_bytes(buf.data, sizeof(buf.data), RANDOM_BLOCK); -+ if (r < 0) -+ goto finish; -+ -+ r = loop_write(fd, &buf, sizeof(buf), false); -+ if (r < 0) -+ goto finish; -+ -+ if (fsync(fd) < 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ if (t) { -+ r = rename_noreplace(dfd, t, dfd, fn); -+ if (r < 0) -+ goto finish; -+ -+ t = mfree(t); -+ } else if (linkat(fd, "", dfd, fn, AT_EMPTY_PATH) < 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ if (fsync(dfd) < 0) { -+ r = -errno; -+ goto finish; -+ } -+ -+ if (ret_data) { -+ void *copy; -+ -+ copy = memdup(buf.data, sizeof(buf.data)); -+ if (!copy) { -+ r = -ENOMEM; -+ goto finish; -+ } -+ -+ *ret_data = copy; -+ } -+ -+ if (ret_size) -+ *ret_size = sizeof(buf.data); -+ -+ r = 0; -+ -+finish: -+ if (t && unlinkat(dfd, t, 0) < 0) -+ log_debug_errno(errno, "Failed to remove temporary credential key: %m"); -+ -+ explicit_bzero_safe(&buf, sizeof(buf)); -+ return r; -+} -+ -+int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) { -+ _cleanup_free_ char *efn = NULL, *ep = NULL; -+ _cleanup_close_ int dfd = -1; -+ sd_id128_t machine_id; -+ const char *e, *fn, *p; -+ int r; -+ -+ r = sd_id128_get_machine_app_specific(credential_app_id, &machine_id); -+ if (r < 0) -+ return r; -+ -+ e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET"); -+ if (e) { -+ if (!path_is_normalized(e)) -+ return -EINVAL; -+ if (!path_is_absolute(e)) -+ return -EINVAL; -+ -+ r = path_extract_directory(e, &ep); -+ if (r < 0) -+ return r; -+ -+ r = path_extract_filename(e, &efn); -+ if (r < 0) -+ return r; -+ -+ p = ep; -+ fn = efn; -+ } else { -+ p = "/var/lib/systemd"; -+ fn = "credential.secret"; -+ } -+ -+ (void) mkdir_p(p, 0755); -+ dfd = open(p, O_CLOEXEC|O_DIRECTORY|O_RDONLY); -+ if (dfd < 0) -+ return -errno; -+ -+ if (FLAGS_SET(flags, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS)) { -+ r = fd_is_temporary_fs(dfd); -+ if (r < 0) -+ return r; -+ if (r > 0) -+ return -ENOMEDIUM; -+ } -+ -+ for (unsigned attempt = 0;; attempt++) { -+ _cleanup_(erase_and_freep) struct credential_host_secret_format *f = NULL; -+ _cleanup_close_ int fd = -1; -+ size_t l = 0; -+ ssize_t n = 0; -+ struct stat st; -+ -+ if (attempt >= 3) /* Somebody is playing games with us */ -+ return -EIO; -+ -+ fd = openat(dfd, fn, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW); -+ if (fd < 0) { -+ if (errno != ENOENT || !FLAGS_SET(flags, CREDENTIAL_SECRET_GENERATE)) -+ return -errno; -+ -+ r = make_credential_host_secret(dfd, machine_id, fn, ret, ret_size); -+ if (r == -EEXIST) { -+ log_debug_errno(r, "Credential secret was created while we were creating it. Trying to read new secret."); -+ continue; -+ } -+ if (r < 0) -+ return r; -+ -+ return 0; -+ } -+ -+ if (fstat(fd, &st) < 0) -+ return -errno; -+ -+ r = stat_verify_regular(&st); -+ if (r < 0) -+ return r; -+ if (st.st_nlink == 0) /* Deleted by now, try again */ -+ continue; -+ if (st.st_nlink > 1) -+ return -EPERM; /* Our deletion check won't work if hardlinked somewhere else */ -+ if ((st.st_mode & 07777) != 0400) /* Don't use file if not 0400 access mode */ -+ return -EPERM; -+ if (st.st_size > 16*1024*1024) -+ return -E2BIG; -+ l = st.st_size; -+ if (l < offsetof(struct credential_host_secret_format, data) + 1) -+ return -EINVAL; -+ -+ f = malloc(l+1); -+ if (!f) -+ return -ENOMEM; -+ -+ n = read(fd, f, l+1); -+ if (n < 0) -+ return -errno; -+ if ((size_t) n != l) /* What? The size changed? */ -+ return -EIO; -+ -+ if (sd_id128_equal(machine_id, f->machine_id)) { -+ size_t sz; -+ -+ if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) { -+ r = fd_is_encrypted(fd); -+ if (r < 0) -+ log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.", p, fn); -+ else if (r == 0) -+ log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.", p, fn); -+ } -+ -+ sz = l - offsetof(struct credential_host_secret_format, data); -+ assert(sz > 0); -+ -+ if (ret) { -+ void *copy; -+ -+ assert(sz <= sizeof(f->data)); /* Ensure we don't read past f->data bounds */ -+ -+ copy = memdup(f->data, sz); -+ if (!copy) -+ return -ENOMEM; -+ -+ *ret = copy; -+ } -+ -+ if (ret_size) -+ *ret_size = sz; -+ -+ return 0; -+ } -+ -+ /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock -+ * to ensure we are the only ones accessing the file while we delete it. */ -+ -+ if (flock(fd, LOCK_EX) < 0) -+ return -errno; -+ -+ /* Before we delete it check that the file is still linked into the file system */ -+ if (fstat(fd, &st) < 0) -+ return -errno; -+ if (st.st_nlink == 0) /* Already deleted by now? */ -+ continue; -+ if (st.st_nlink != 1) /* Safety check, someone is playing games with us */ -+ return -EPERM; -+ -+ if (unlinkat(dfd, fn, 0) < 0) -+ return -errno; -+ -+ /* And now try again */ -+ } -+} -+ -+/* Construction is like this: -+ * -+ * A symmetric encryption key is derived from: -+ * -+ * 1. Either the "host" key (a key stored in /var/lib/credential.secret) -+ * -+ * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed -+ * by a key derived from its internal seed key. -+ * -+ * 3. The concatenation of the above. -+ * -+ * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted -+ * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for -+ * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant, -+ * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed -+ * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask -+ * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a -+ * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is -+ * then followed by the encrypted data, which begins with a metadata header (which contains validity -+ * timestamps as well as the credential name), followed by the actual credential payload. The file ends in -+ * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in -+ * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No -+ * unprotected data is included. -+ */ -+ -+struct _packed_ encrypted_credential_header { -+ sd_id128_t id; -+ le32_t key_size; -+ le32_t block_size; -+ le32_t iv_size; -+ le32_t tag_size; -+ uint8_t iv[]; -+ /* Followed by NUL bytes until next 8 byte boundary */ -+}; -+ -+struct _packed_ tpm2_credential_header { -+ le64_t pcr_mask; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems -+ * generally have. But keep the door open for more. */ -+ le16_t pcr_bank; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */ -+ le16_t primary_alg; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */ -+ le32_t blob_size; -+ le32_t policy_hash_size; -+ uint8_t policy_hash_and_blob[]; -+ /* Followed by NUL bytes until next 8 byte boundary */ -+}; -+ -+struct _packed_ metadata_credential_header { -+ le64_t timestamp; -+ le64_t not_after; -+ le32_t name_size; -+ char name[]; -+ /* Followed by NUL bytes until next 8 byte boundary */ -+}; -+ -+/* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of -+ * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV, -+ * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */ -+#define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U) -+ -+static int sha256_hash_host_and_tpm2_key( -+ const void *host_key, -+ size_t host_key_size, -+ const void *tpm2_key, -+ size_t tpm2_key_size, -+ uint8_t ret[static SHA256_DIGEST_LENGTH]) { -+ -+ _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL; -+ unsigned l; -+ -+ assert(host_key_size == 0 || host_key); -+ assert(tpm2_key_size == 0 || tpm2_key); -+ assert(ret); -+ -+ /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */ -+ -+ md = EVP_MD_CTX_new(); -+ if (!md) -+ return log_oom(); -+ -+ if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context."); -+ -+ if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key."); -+ -+ if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key."); -+ -+ assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH); -+ -+ if (EVP_DigestFinal_ex(md, ret, &l) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash."); -+ -+ assert(l == SHA256_DIGEST_LENGTH); -+ return 0; -+} -+ -+int encrypt_credential_and_warn( -+ sd_id128_t with_key, -+ const char *name, -+ usec_t timestamp, -+ usec_t not_after, -+ const char *tpm2_device, -+ uint32_t tpm2_pcr_mask, -+ const void *input, -+ size_t input_size, -+ void **ret, -+ size_t *ret_size) { -+ -+ _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL; -+ _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL; -+ size_t host_key_size = 0, tpm2_key_size = 0, tpm2_blob_size = 0, tpm2_policy_hash_size = 0, output_size, p, ml; -+ _cleanup_free_ void *tpm2_blob = NULL, *tpm2_policy_hash = NULL, *iv = NULL, *output = NULL; -+ _cleanup_free_ struct metadata_credential_header *m = NULL; -+ uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0; -+ struct encrypted_credential_header *h; -+ int ksz, bsz, ivsz, tsz, added, r; -+ uint8_t md[SHA256_DIGEST_LENGTH]; -+ const EVP_CIPHER *cc; -+#if HAVE_TPM2 -+ bool try_tpm2 = false; -+#endif -+ sd_id128_t id; -+ -+ assert(input || input_size == 0); -+ assert(ret); -+ assert(ret_size); -+ -+ if (name && !credential_name_valid(name)) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name); -+ -+ if (not_after != USEC_INFINITY && timestamp != USEC_INFINITY && not_after < timestamp) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid (" USEC_FMT " < " USEC_FMT ").", not_after, timestamp); -+ -+ if (DEBUG_LOGGING) { -+ char buf[FORMAT_TIMESTAMP_MAX]; -+ -+ if (name) -+ log_debug("Including credential name '%s' in encrypted credential.", name); -+ if (timestamp != USEC_INFINITY) -+ log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), timestamp)); -+ if (not_after != USEC_INFINITY) -+ log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), not_after)); -+ } -+ -+ if (sd_id128_is_null(with_key) || -+ sd_id128_in_set(with_key, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) { -+ -+ r = get_credential_host_secret( -+ CREDENTIAL_SECRET_GENERATE| -+ CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED| -+ (sd_id128_is_null(with_key) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0), -+ &host_key, -+ &host_key_size); -+ if (r == -ENOMEDIUM && sd_id128_is_null(with_key)) -+ log_debug_errno(r, "Credential host secret location on temporary file system, not using."); -+ else if (r < 0) -+ return log_error_errno(r, "Failed to determine local credential host secret: %m"); -+ } -+ -+#if HAVE_TPM2 -+ if (sd_id128_is_null(with_key)) { -+ /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH -+ * if user picks TPM2 explicitly, let's always honour the request and try. */ -+ -+ r = detect_container(); -+ if (r < 0) -+ log_debug_errno(r, "Failed to determine whether we are running in a container, ignoring: %m"); -+ else if (r > 0) -+ log_debug("Running in container, not attempting to use TPM2."); -+ -+ try_tpm2 = r <= 0; -+ } -+ -+ if (try_tpm2 || -+ sd_id128_in_set(with_key, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) { -+ -+ r = tpm2_seal(tpm2_device, -+ tpm2_pcr_mask, -+ &tpm2_key, -+ &tpm2_key_size, -+ &tpm2_blob, -+ &tpm2_blob_size, -+ &tpm2_policy_hash, -+ &tpm2_policy_hash_size, -+ &tpm2_pcr_bank, -+ &tpm2_primary_alg); -+ if (r < 0) { -+ if (!sd_id128_is_null(with_key)) -+ return r; -+ -+ log_debug_errno(r, "TPM2 sealing didn't work, not using: %m"); -+ } -+ -+ assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX); -+ assert(tpm2_policy_hash_size <= CREDENTIAL_FIELD_SIZE_MAX); -+ } -+#endif -+ -+ if (sd_id128_is_null(with_key)) { -+ /* Let's settle the key type in auto mode now. */ -+ -+ if (host_key && tpm2_key) -+ id = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC; -+ else if (tpm2_key) -+ id = CRED_AES256_GCM_BY_TPM2_HMAC; -+ else if (host_key) -+ id = CRED_AES256_GCM_BY_HOST; -+ else -+ return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), -+ "TPM2 not available and host key located on temporary file system, no encryption key available."); -+ } else -+ id = with_key; -+ -+ /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */ -+ r = sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md); -+ if (r < 0) -+ return r; -+ -+ assert_se(cc = EVP_aes_256_gcm()); -+ -+ ksz = EVP_CIPHER_key_length(cc); -+ assert(ksz == sizeof(md)); -+ -+ bsz = EVP_CIPHER_block_size(cc); -+ assert(bsz > 0); -+ assert((size_t) bsz <= CREDENTIAL_FIELD_SIZE_MAX); -+ -+ ivsz = EVP_CIPHER_iv_length(cc); -+ if (ivsz > 0) { -+ assert((size_t) ivsz <= CREDENTIAL_FIELD_SIZE_MAX); -+ -+ iv = malloc(ivsz); -+ if (!iv) -+ return log_oom(); -+ -+ r = genuine_random_bytes(iv, ivsz, RANDOM_BLOCK); -+ if (r < 0) -+ return log_error_errno(r, "Failed to acquired randomized IV: %m"); -+ } -+ -+ tsz = 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */ -+ -+ context = EVP_CIPHER_CTX_new(); -+ if (!context) -+ return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate encryption object: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ if (EVP_EncryptInit_ex(context, cc, NULL, md, iv) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize encryption context: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ /* Just an upper estimate */ -+ output_size = -+ ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) + -+ ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) + -+ ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) + -+ input_size + 2U * (size_t) bsz + -+ tsz; -+ -+ output = malloc0(output_size); -+ if (!output) -+ return log_oom(); -+ -+ h = (struct encrypted_credential_header*) output; -+ h->id = id; -+ h->block_size = htole32(bsz); -+ h->key_size = htole32(ksz); -+ h->tag_size = htole32(tsz); -+ h->iv_size = htole32(ivsz); -+ memcpy(h->iv, iv, ivsz); -+ -+ p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz); -+ -+ if (tpm2_key) { -+ struct tpm2_credential_header *t; -+ -+ t = (struct tpm2_credential_header*) ((uint8_t*) output + p); -+ t->pcr_mask = htole64(tpm2_pcr_mask); -+ t->pcr_bank = htole16(tpm2_pcr_bank); -+ t->primary_alg = htole16(tpm2_primary_alg); -+ t->blob_size = htole32(tpm2_blob_size); -+ t->policy_hash_size = htole32(tpm2_policy_hash_size); -+ memcpy(t->policy_hash_and_blob, tpm2_blob, tpm2_blob_size); -+ memcpy(t->policy_hash_and_blob + tpm2_blob_size, tpm2_policy_hash, tpm2_policy_hash_size); -+ -+ p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size); -+ } -+ -+ /* Pass the encrypted + TPM2 header as AAD */ -+ if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ /* Now construct the metadata header */ -+ ml = strlen_ptr(name); -+ m = malloc0(ALIGN8(offsetof(struct metadata_credential_header, name) + ml)); -+ if (!m) -+ return log_oom(); -+ -+ m->timestamp = htole64(timestamp); -+ m->not_after = htole64(not_after); -+ m->name_size = htole32(ml); -+ memcpy_safe(m->name, name, ml); -+ -+ /* And encrypt the metadata header */ -+ if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, (const unsigned char*) m, ALIGN8(offsetof(struct metadata_credential_header, name) + ml)) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt metadata header: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ assert(added >= 0); -+ assert((size_t) added <= output_size - p); -+ p += added; -+ -+ /* Then encrypt the plaintext */ -+ if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, input, input_size) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt data: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ assert(added >= 0); -+ assert((size_t) added <= output_size - p); -+ p += added; -+ -+ /* Finalize */ -+ if (EVP_EncryptFinal_ex(context, (uint8_t*) output + p, &added) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize data encryption: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ assert(added >= 0); -+ assert((size_t) added <= output_size - p); -+ p += added; -+ -+ assert(p <= output_size - tsz); -+ -+ /* Append tag */ -+ if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_GET_TAG, tsz, (uint8_t*) output + p) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get tag: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ p += tsz; -+ assert(p <= output_size); -+ -+ if (DEBUG_LOGGING && input_size > 0) { -+ size_t base64_size; -+ -+ base64_size = DIV_ROUND_UP(p * 4, 3); /* Include base64 size increase in debug output */ -+ assert(base64_size >= input_size); -+ log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size, base64_size, base64_size * 100 / input_size - 100); -+ } -+ -+ *ret = TAKE_PTR(output); -+ *ret_size = p; -+ -+ return 0; -+} -+ -+int decrypt_credential_and_warn( -+ const char *validate_name, -+ usec_t validate_timestamp, -+ const char *tpm2_device, -+ const void *input, -+ size_t input_size, -+ void **ret, -+ size_t *ret_size) { -+ -+ _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL; -+ _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL; -+ size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs; -+ struct encrypted_credential_header *h; -+ struct metadata_credential_header *m; -+ uint8_t md[SHA256_DIGEST_LENGTH]; -+ bool with_tpm2, with_host_key; -+ const EVP_CIPHER *cc; -+ int r, added; -+ -+ assert(input || input_size == 0); -+ assert(ret); -+ assert(ret_size); -+ -+ h = (struct encrypted_credential_header*) input; -+ -+ /* The ID must fit in, for the current and all future formats */ -+ if (input_size < sizeof(h->id)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); -+ -+ with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC); -+ with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC); -+ -+ if (!with_host_key && !with_tpm2) -+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m"); -+ -+ /* Now we know the minimum header size */ -+ if (input_size < offsetof(struct encrypted_credential_header, iv)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); -+ -+ /* Verify some basic header values */ -+ if (le32toh(h->key_size) != sizeof(md)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header."); -+ if (le32toh(h->block_size) <= 0 || le32toh(h->block_size) > CREDENTIAL_FIELD_SIZE_MAX) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header."); -+ if (le32toh(h->iv_size) > CREDENTIAL_FIELD_SIZE_MAX) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "IV size too large."); -+ if (le32toh(h->tag_size) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */ -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected tag size in header."); -+ -+ /* Ensure we have space for the full header now (we don't know the size of the name hence this is a -+ * lower limit only) */ -+ if (input_size < -+ ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) + -+ ALIGN8((with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0)) + -+ ALIGN8(offsetof(struct metadata_credential_header, name)) + -+ le32toh(h->tag_size)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); -+ -+ p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)); -+ -+ if (with_tpm2) { -+#if HAVE_TPM2 -+ struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p); -+ -+ if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range."); -+ if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank))) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported"); -+ if (!tpm2_primary_alg_to_string(le16toh(t->primary_alg))) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 primary key algorithm invalid or not supported."); -+ if (le32toh(t->blob_size) > CREDENTIAL_FIELD_SIZE_MAX) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 blob size."); -+ if (le32toh(t->policy_hash_size) > CREDENTIAL_FIELD_SIZE_MAX) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 policy hash size."); -+ -+ /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size -+ * though, hence still just a lower limit test only) */ -+ if (input_size < -+ ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) + -+ ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) + -+ ALIGN8(offsetof(struct metadata_credential_header, name)) + -+ le32toh(h->tag_size)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); -+ -+ r = tpm2_unseal(tpm2_device, -+ le64toh(t->pcr_mask), -+ le16toh(t->pcr_bank), -+ le16toh(t->primary_alg), -+ t->policy_hash_and_blob, -+ le32toh(t->blob_size), -+ t->policy_hash_and_blob + le32toh(t->blob_size), -+ le32toh(t->policy_hash_size), -+ &tpm2_key, -+ &tpm2_key_size); -+ if (r < 0) -+ return r; -+ -+ p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + -+ le32toh(t->blob_size) + -+ le32toh(t->policy_hash_size)); -+#else -+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available."); -+#endif -+ } -+ -+ if (with_host_key) { -+ r = get_credential_host_secret( -+ 0, -+ &host_key, -+ &host_key_size); -+ if (r < 0) -+ return log_error_errno(r, "Failed to determine local credential key: %m"); -+ } -+ -+ sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md); -+ -+ assert_se(cc = EVP_aes_256_gcm()); -+ -+ /* Make sure cipher expectations match the header */ -+ if (EVP_CIPHER_key_length(cc) != (int) le32toh(h->key_size)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header."); -+ if (EVP_CIPHER_block_size(cc) != (int) le32toh(h->block_size)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header."); -+ -+ context = EVP_CIPHER_CTX_new(); -+ if (!context) -+ return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate decryption object: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ if (EVP_DecryptInit_ex(context, cc, NULL, NULL, NULL) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize decryption context: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, le32toh(h->iv_size), NULL) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV size on decryption context: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ if (EVP_DecryptInit_ex(context, NULL, NULL, md, h->iv) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV and key: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ if (EVP_DecryptUpdate(context, NULL, &added, input, p) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ plaintext = malloc(input_size - p - le32toh(h->tag_size)); -+ if (!plaintext) -+ return -ENOMEM; -+ -+ if (EVP_DecryptUpdate( -+ context, -+ plaintext, -+ &added, -+ (uint8_t*) input + p, -+ input_size - p - le32toh(h->tag_size)) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to decrypt data: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ assert(added >= 0); -+ assert((size_t) added <= input_size - p - le32toh(h->tag_size)); -+ plaintext_size = added; -+ -+ if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_TAG, le32toh(h->tag_size), (uint8_t*) input + input_size - le32toh(h->tag_size)) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set tag: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ if (EVP_DecryptFinal_ex(context, (uint8_t*) plaintext + plaintext_size, &added) != 1) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Decryption failed (incorrect key?): %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+ -+ plaintext_size += added; -+ -+ if (plaintext_size < ALIGN8(offsetof(struct metadata_credential_header, name))) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete."); -+ -+ m = plaintext; -+ -+ if (le64toh(m->timestamp) != USEC_INFINITY && -+ le64toh(m->not_after) != USEC_INFINITY && -+ le64toh(m->timestamp) >= le64toh(m->not_after)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Timestamps of credential are not in order, refusing."); -+ -+ if (le32toh(m->name_size) > CREDENTIAL_NAME_MAX) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name too long, refusing."); -+ -+ hs = ALIGN8(offsetof(struct metadata_credential_header, name) + le32toh(m->name_size)); -+ if (plaintext_size < hs) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete."); -+ -+ if (le32toh(m->name_size) > 0) { -+ _cleanup_free_ char *embedded_name = NULL; -+ -+ if (memchr(m->name, 0, le32toh(m->name_size))) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name contains NUL byte, refusing."); -+ -+ embedded_name = memdup_suffix0(m->name, le32toh(m->name_size)); -+ if (!embedded_name) -+ return log_oom(); -+ -+ if (!credential_name_valid(embedded_name)) -+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name is not valid, refusing."); -+ -+ if (validate_name && !streq(embedded_name, validate_name)) { -+ -+ r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME"); -+ if (r < 0 && r != -ENXIO) -+ log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m"); -+ if (r != 0) -+ return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name); -+ -+ log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name); -+ } -+ } -+ -+ if (validate_timestamp != USEC_INFINITY) { -+ if (le64toh(m->timestamp) != USEC_INFINITY && le64toh(m->timestamp) > validate_timestamp) -+ log_debug("Credential timestamp is from the future, assuming clock skew."); -+ -+ if (le64toh(m->not_after) != USEC_INFINITY && le64toh(m->not_after) < validate_timestamp) { -+ -+ r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER"); -+ if (r < 0 && r != -ENXIO) -+ log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m"); -+ if (r != 0) -+ return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Credential's time passed, refusing to use."); -+ -+ log_debug("Credential not-after timestamp has passed, but configured to use credential anyway."); -+ } -+ } -+ -+ if (ret) { -+ char *without_metadata; -+ -+ without_metadata = memdup((uint8_t*) plaintext + hs, plaintext_size - hs); -+ if (!without_metadata) -+ return log_oom(); -+ -+ *ret = without_metadata; -+ } -+ -+ if (ret_size) -+ *ret_size = plaintext_size - hs; -+ -+ return 0; -+} -+ -+#else -+ -+int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) { -+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available."); -+} -+ -+int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) { -+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available."); -+} -+ -+int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size) { -+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available."); -+} -+ -+#endif -diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h -index e6c2bd9310..ce8207414f 100644 ---- a/src/shared/openssl-util.h -+++ b/src/shared/openssl-util.h -@@ -11,6 +11,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL); - DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL); - DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL); - DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL); -+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL); - - int rsa_encrypt_bytes(EVP_PKEY *pkey, const void *decrypted_key, size_t decrypted_key_size, void **ret_encrypt_key, size_t *ret_encrypt_key_size); - --- -2.33.0 - diff --git a/backport-cryptenroll-fix-wrong-error-messages.patch b/backport-cryptenroll-fix-wrong-error-messages.patch deleted file mode 100644 index b234f97..0000000 --- a/backport-cryptenroll-fix-wrong-error-messages.patch +++ /dev/null @@ -1,40 +0,0 @@ -From a9149ef71dbfafd964b4e509690418be602c6eb6 Mon Sep 17 00:00:00 2001 -From: Gibeom Gwon -Date: Fri, 3 Dec 2021 15:10:50 +0900 -Subject: [PATCH] cryptenroll: fix wrong error messages - -PKCS#11 -> FIDO2 in cryptenroll-fido2.c - -(cherry picked from commit 4b9aa29bc9ded35147f9fa77f77e13c3c6fa7fcf) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a9149ef71dbfafd964b4e509690418be602c6eb6 ---- - src/cryptenroll/cryptenroll-fido2.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c -index fbf76ee586..9e1d94bd16 100644 ---- a/src/cryptenroll/cryptenroll-fido2.c -+++ b/src/cryptenroll/cryptenroll-fido2.c -@@ -67,7 +67,7 @@ int enroll_fido2( - base64_encoded, - strlen(base64_encoded)); - if (keyslot < 0) -- return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node); -+ return log_error_errno(keyslot, "Failed to add new FIDO2 key to %s: %m", node); - - if (asprintf(&keyslot_as_string, "%i", keyslot) < 0) - return log_oom(); -@@ -83,7 +83,7 @@ int enroll_fido2( - JSON_BUILD_PAIR("fido2-up-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_UP))), - JSON_BUILD_PAIR("fido2-uv-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_UV))))); - if (r < 0) -- return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m"); -+ return log_error_errno(r, "Failed to prepare FIDO2 JSON token object: %m"); - - r = cryptsetup_add_token_json(cd, v); - if (r < 0) --- -2.33.0 - diff --git a/backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch b/backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch deleted file mode 100644 index db4033d..0000000 --- a/backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 84188acc6fe4a2f04c91c2c4d7b20a3166caa63b Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Thu, 30 Dec 2021 00:53:29 +0000 -Subject: [PATCH] dbus-wait-for-jobs: add extra_args to bus_wait_for_jobs_one() - -And pass it through to bus_wait_for_jobs() - -(cherry picked from commit 86980de64bf8c03505eec729808f52f3b3042998) -(cherry picked from commit 0c4fe2e3dcde8225006a36cff643c112bd6c6523) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/84188acc6fe4a2f04c91c2c4d7b20a3166caa63b ---- - src/mount/mount-tool.c | 6 +++--- - src/nspawn/nspawn-register.c | 2 +- - src/run/run.c | 6 +++--- - src/shared/bus-wait-for-jobs.c | 4 ++-- - src/shared/bus-wait-for-jobs.h | 2 +- - src/shared/tests.c | 2 +- - 6 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/src/mount/mount-tool.c b/src/mount/mount-tool.c -index 70b4c5a765..9659355c33 100644 ---- a/src/mount/mount-tool.c -+++ b/src/mount/mount-tool.c -@@ -600,7 +600,7 @@ static int start_transient_mount( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); - if (r < 0) - return r; - } -@@ -709,7 +709,7 @@ static int start_transient_automount( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); - if (r < 0) - return r; - } -@@ -875,7 +875,7 @@ static int stop_mount( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); - if (r < 0) - return r; - } -diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c -index 2e6c12b3b7..c78bead4a4 100644 ---- a/src/nspawn/nspawn-register.c -+++ b/src/nspawn/nspawn-register.c -@@ -313,7 +313,7 @@ int allocate_scope( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, false); -+ r = bus_wait_for_jobs_one(w, object, false, NULL); - if (r < 0) - return r; - -diff --git a/src/run/run.c b/src/run/run.c -index 1c83e36e4e..9a7e1efaca 100644 ---- a/src/run/run.c -+++ b/src/run/run.c -@@ -1228,7 +1228,7 @@ static int start_transient_service( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); - if (r < 0) - return r; - } -@@ -1473,7 +1473,7 @@ static int start_transient_scope(sd_bus *bus) { - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); - if (r < 0) - return r; - -@@ -1693,7 +1693,7 @@ static int start_transient_trigger( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); - if (r < 0) - return r; - -diff --git a/src/shared/bus-wait-for-jobs.c b/src/shared/bus-wait-for-jobs.c -index e4a3ab9a95..0cd47d5787 100644 ---- a/src/shared/bus-wait-for-jobs.c -+++ b/src/shared/bus-wait-for-jobs.c -@@ -323,12 +323,12 @@ int bus_wait_for_jobs_add(BusWaitForJobs *d, const char *path) { - return set_put_strdup(&d->jobs, path); - } - --int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet) { -+int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet, const char* const* extra_args) { - int r; - - r = bus_wait_for_jobs_add(d, path); - if (r < 0) - return log_oom(); - -- return bus_wait_for_jobs(d, quiet, NULL); -+ return bus_wait_for_jobs(d, quiet, extra_args); - } -diff --git a/src/shared/bus-wait-for-jobs.h b/src/shared/bus-wait-for-jobs.h -index 68c9d604ad..5acf8b9241 100644 ---- a/src/shared/bus-wait-for-jobs.h -+++ b/src/shared/bus-wait-for-jobs.h -@@ -11,6 +11,6 @@ int bus_wait_for_jobs_new(sd_bus *bus, BusWaitForJobs **ret); - BusWaitForJobs* bus_wait_for_jobs_free(BusWaitForJobs *d); - int bus_wait_for_jobs_add(BusWaitForJobs *d, const char *path); - int bus_wait_for_jobs(BusWaitForJobs *d, bool quiet, const char* const* extra_args); --int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet); -+int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet, const char* const* extra_args); - - DEFINE_TRIVIAL_CLEANUP_FUNC(BusWaitForJobs*, bus_wait_for_jobs_free); -diff --git a/src/shared/tests.c b/src/shared/tests.c -index ab7d799029..6d35bc6a8d 100644 ---- a/src/shared/tests.c -+++ b/src/shared/tests.c -@@ -247,7 +247,7 @@ static int allocate_scope(void) { - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, false); -+ r = bus_wait_for_jobs_one(w, object, false, NULL); - if (r < 0) - return r; - --- -2.33.0 - diff --git a/backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch b/backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch deleted file mode 100644 index 49eba0c..0000000 --- a/backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 541ada330879dd928b33b55f1fc437ec1bbd349f Mon Sep 17 00:00:00 2001 -From: David Tardon -Date: Thu, 3 Mar 2022 15:58:24 +0100 -Subject: [PATCH] devnode-acl: use _cleanup_ to free acl_t - -(cherry picked from commit 203ea2c8f158288fea56c5be980715b2b7e002fe) -(cherry picked from commit 543c73300e3b9298e5316555bf4df6ff7dfc210f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/541ada330879dd928b33b55f1fc437ec1bbd349f ---- - src/shared/devnode-acl.c | 73 ++++++++++++++-------------------------- - 1 file changed, 25 insertions(+), 48 deletions(-) - -diff --git a/src/shared/devnode-acl.c b/src/shared/devnode-acl.c -index 07e29e1019..394422b164 100644 ---- a/src/shared/devnode-acl.c -+++ b/src/shared/devnode-acl.c -@@ -52,8 +52,8 @@ int devnode_acl(const char *path, - bool del, uid_t old_uid, - bool add, uid_t new_uid) { - -- acl_t acl; -- int r = 0; -+ _cleanup_(acl_freep) acl_t acl = NULL; -+ int r; - bool changed = false; - - assert(path); -@@ -66,7 +66,7 @@ int devnode_acl(const char *path, - - r = flush_acl(acl); - if (r < 0) -- goto finish; -+ return r; - if (r > 0) - changed = true; - -@@ -75,13 +75,11 @@ int devnode_acl(const char *path, - - r = acl_find_uid(acl, old_uid, &entry); - if (r < 0) -- goto finish; -+ return r; - - if (r > 0) { -- if (acl_delete_entry(acl, entry) < 0) { -- r = -errno; -- goto finish; -- } -+ if (acl_delete_entry(acl, entry) < 0) -+ return -errno; - - changed = true; - } -@@ -94,68 +92,47 @@ int devnode_acl(const char *path, - - r = acl_find_uid(acl, new_uid, &entry); - if (r < 0) -- goto finish; -+ return r; - - if (r == 0) { -- if (acl_create_entry(&acl, &entry) < 0) { -- r = -errno; -- goto finish; -- } -+ if (acl_create_entry(&acl, &entry) < 0) -+ return -errno; - - if (acl_set_tag_type(entry, ACL_USER) < 0 || -- acl_set_qualifier(entry, &new_uid) < 0) { -- r = -errno; -- goto finish; -- } -+ acl_set_qualifier(entry, &new_uid) < 0) -+ return -errno; - } - -- if (acl_get_permset(entry, &permset) < 0) { -- r = -errno; -- goto finish; -- } -+ if (acl_get_permset(entry, &permset) < 0) -+ return -errno; - - rd = acl_get_perm(permset, ACL_READ); -- if (rd < 0) { -- r = -errno; -- goto finish; -- } -+ if (rd < 0) -+ return -errno; - - wt = acl_get_perm(permset, ACL_WRITE); -- if (wt < 0) { -- r = -errno; -- goto finish; -- } -+ if (wt < 0) -+ return -errno; - - if (!rd || !wt) { - -- if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) { -- r = -errno; -- goto finish; -- } -+ if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) -+ return -errno; - - changed = true; - } - } - - if (!changed) -- goto finish; -- -- if (acl_calc_mask(&acl) < 0) { -- r = -errno; -- goto finish; -- } -- -- if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) { -- r = -errno; -- goto finish; -- } -+ return 0; - -- r = 0; -+ if (acl_calc_mask(&acl) < 0) -+ return -errno; - --finish: -- acl_free(acl); -+ if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) -+ return -errno; - -- return r; -+ return 0; - } - - int devnode_acl_all(const char *seat, --- -2.33.0 - diff --git a/backport-dhcp-fix-assertion-failure.patch b/backport-dhcp-fix-assertion-failure.patch deleted file mode 100644 index ff9c40c..0000000 --- a/backport-dhcp-fix-assertion-failure.patch +++ /dev/null @@ -1,31 +0,0 @@ -From d59f045a9341f33df161a83a0a5428e137381206 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 8 Dec 2021 05:47:11 +0900 -Subject: [PATCH] dhcp: fix assertion failure - -Fixes #21671. - -(cherry picked from commit 990d0aa98023140d1efc897c3dcd5e0599a60203) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d59f045a9341f33df161a83a0a5428e137381206 ---- - src/libsystemd-network/sd-dhcp-lease.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c -index 095a4ee683..9a0d7f6fea 100644 ---- a/src/libsystemd-network/sd-dhcp-lease.c -+++ b/src/libsystemd-network/sd-dhcp-lease.c -@@ -691,7 +691,7 @@ int dhcp_lease_parse_options(uint8_t code, uint8_t len, const void *option, void - } - - if (!timezone_is_valid(tz, LOG_DEBUG)) { -- log_debug_errno(r, "Timezone is not valid, ignoring: %m"); -+ log_debug("Timezone is not valid, ignoring."); - return 0; - } - --- -2.33.0 - diff --git a/backport-dhcp-fix-potential-buffer-overflow.patch b/backport-dhcp-fix-potential-buffer-overflow.patch deleted file mode 100644 index d704e41..0000000 --- a/backport-dhcp-fix-potential-buffer-overflow.patch +++ /dev/null @@ -1,102 +0,0 @@ -From d903e94e8ea532d2128c5c4686ae440ebf17a07d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 6 Aug 2022 13:05:59 +0900 -Subject: [PATCH] dhcp: fix potential buffer overflow - -Fixes a bug introduced by 324f818781a250b60f2fcfa74ff1c9101d2d1315. - -This also renames several macros for DHCP packet size. - -(cherry picked from commit 4473cd7f61b9eb0860f2daab81491ad2145d554b) -(cherry picked from commit 037b1a8acc50cbeeebb82f95594a4909375577c2) -(cherry picked from commit 887837a5a9425945b91488db661122459af94c52) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d903e94e8ea532d2128c5c4686ae440ebf17a07d ---- - src/libsystemd-network/dhcp-protocol.h | 7 ++++--- - src/libsystemd-network/sd-dhcp-client.c | 11 +++++------ - src/libsystemd-network/sd-dhcp-lease.c | 6 +++--- - 3 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/src/libsystemd-network/dhcp-protocol.h b/src/libsystemd-network/dhcp-protocol.h -index 11f4201ab2..686cf67e84 100644 ---- a/src/libsystemd-network/dhcp-protocol.h -+++ b/src/libsystemd-network/dhcp-protocol.h -@@ -43,9 +43,10 @@ typedef struct DHCPPacket DHCPPacket; - - #define DHCP_IP_SIZE (int32_t)(sizeof(struct iphdr)) - #define DHCP_IP_UDP_SIZE (int32_t)(sizeof(struct udphdr) + DHCP_IP_SIZE) --#define DHCP_MESSAGE_SIZE (int32_t)(sizeof(DHCPMessage)) --#define DHCP_DEFAULT_MIN_SIZE 576 /* the minimum internet hosts must be able to receive */ --#define DHCP_MIN_OPTIONS_SIZE (DHCP_DEFAULT_MIN_SIZE - DHCP_IP_UDP_SIZE - DHCP_MESSAGE_SIZE) -+#define DHCP_HEADER_SIZE (int32_t)(sizeof(DHCPMessage)) -+#define DHCP_MIN_MESSAGE_SIZE 576 /* the minimum internet hosts must be able to receive, see RFC 2132 Section 9.10 */ -+#define DHCP_MIN_OPTIONS_SIZE (DHCP_MIN_MESSAGE_SIZE - DHCP_HEADER_SIZE) -+#define DHCP_MIN_PACKET_SIZE (DHCP_MIN_MESSAGE_SIZE + DHCP_IP_UDP_SIZE) - #define DHCP_MAGIC_COOKIE (uint32_t)(0x63825363) - - enum { -diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c -index 46191e58f5..b9c5748fed 100644 ---- a/src/libsystemd-network/sd-dhcp-client.c -+++ b/src/libsystemd-network/sd-dhcp-client.c -@@ -637,7 +637,7 @@ int sd_dhcp_client_set_client_port( - - int sd_dhcp_client_set_mtu(sd_dhcp_client *client, uint32_t mtu) { - assert_return(client, -EINVAL); -- assert_return(mtu >= DHCP_DEFAULT_MIN_SIZE, -ERANGE); -+ assert_return(mtu >= DHCP_MIN_PACKET_SIZE, -ERANGE); - - client->mtu = mtu; - -@@ -804,7 +804,6 @@ static int client_message_init( - - _cleanup_free_ DHCPPacket *packet = NULL; - size_t optlen, optoffset, size; -- be16_t max_size; - usec_t time_now; - uint16_t secs; - int r; -@@ -955,9 +954,9 @@ static int client_message_init( - */ - /* RFC7844 section 3: - SHOULD NOT contain any other option. */ -- if (!client->anonymize && type != DHCP_RELEASE) { -- max_size = htobe16(size); -- r = dhcp_option_append(&packet->dhcp, client->mtu, &optoffset, 0, -+ if (!client->anonymize && IN_SET(type, DHCP_DISCOVER, DHCP_REQUEST)) { -+ be16_t max_size = htobe16(MIN(client->mtu - DHCP_IP_UDP_SIZE, (uint32_t) UINT16_MAX)); -+ r = dhcp_option_append(&packet->dhcp, optlen, &optoffset, 0, - SD_DHCP_OPTION_MAXIMUM_MESSAGE_SIZE, - 2, &max_size); - if (r < 0) -@@ -2267,7 +2266,7 @@ int sd_dhcp_client_new(sd_dhcp_client **ret, int anonymize) { - .state = DHCP_STATE_INIT, - .ifindex = -1, - .fd = -1, -- .mtu = DHCP_DEFAULT_MIN_SIZE, -+ .mtu = DHCP_MIN_PACKET_SIZE, - .port = DHCP_PORT_CLIENT, - .anonymize = !!anonymize, - .max_attempts = UINT64_MAX, -diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c -index 89386f6809..b818020589 100644 ---- a/src/libsystemd-network/sd-dhcp-lease.c -+++ b/src/libsystemd-network/sd-dhcp-lease.c -@@ -621,9 +621,9 @@ int dhcp_lease_parse_options(uint8_t code, uint8_t len, const void *option, void - r = lease_parse_u16(option, len, &lease->mtu, 68); - if (r < 0) - log_debug_errno(r, "Failed to parse MTU, ignoring: %m"); -- if (lease->mtu < DHCP_DEFAULT_MIN_SIZE) { -- log_debug("MTU value of %" PRIu16 " too small. Using default MTU value of %d instead.", lease->mtu, DHCP_DEFAULT_MIN_SIZE); -- lease->mtu = DHCP_DEFAULT_MIN_SIZE; -+ if (lease->mtu < DHCP_MIN_PACKET_SIZE) { -+ log_debug("MTU value of %" PRIu16 " too small. Using default MTU value of %d instead.", lease->mtu, DHCP_MIN_PACKET_SIZE); -+ lease->mtu = DHCP_MIN_PACKET_SIZE; - } - - break; --- -2.27.0 - diff --git a/backport-discover-image-mount-as-read-only-when-extracting-me.patch b/backport-discover-image-mount-as-read-only-when-extracting-me.patch deleted file mode 100644 index 83b1f7b..0000000 --- a/backport-discover-image-mount-as-read-only-when-extracting-me.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 783b787a3aecbd2c9d6908546f89c9690728aa79 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Thu, 22 Jul 2021 22:21:10 +0100 -Subject: [PATCH] discover-image: mount as read-only when extracting metadata - -We don't need to modify the image, and the loopback device is already set to read-only. - -(cherry picked from commit f6f4ec7951f429e8a470f8912cbeacde8fa1206e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/783b787a3aecbd2c9d6908546f89c9690728aa79 ---- - src/shared/discover-image.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c -index 5c833afc78..521264ec29 100644 ---- a/src/shared/discover-image.c -+++ b/src/shared/discover-image.c -@@ -1208,6 +1208,7 @@ int image_read_metadata(Image *i) { - DISSECT_IMAGE_GENERIC_ROOT | - DISSECT_IMAGE_REQUIRE_ROOT | - DISSECT_IMAGE_RELAX_VAR_CHECK | -+ DISSECT_IMAGE_READ_ONLY | - DISSECT_IMAGE_USR_NO_ROOT, - &m); - if (r < 0) --- -2.33.0 - diff --git a/backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch b/backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch deleted file mode 100644 index 978d488..0000000 --- a/backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 64b025686f36ae4385811be6f81d5f7d94da3437 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 18 Aug 2021 22:41:08 +0200 -Subject: [PATCH] discover-image: pass the right fd to fd_getcrtime() - -(cherry picked from commit 12a7f04a2b9135a4751dba71e2f688525d7c93e7) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/64b025686f36ae4385811be6f81d5f7d94da3437 ---- - src/shared/discover-image.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c -index 521264ec29..5f8bf43776 100644 ---- a/src/shared/discover-image.c -+++ b/src/shared/discover-image.c -@@ -305,7 +305,7 @@ static int image_make( - } - - /* Get directory creation time (not available everywhere, but that's OK */ -- (void) fd_getcrtime(dfd, &crtime); -+ (void) fd_getcrtime(fd, &crtime); - - /* If the IMMUTABLE bit is set, we consider the directory read-only. Since the ioctl is not - * supported everywhere we ignore failures. */ --- -2.33.0 - diff --git a/backport-dissect-image-add-extension-specific-validation-flag.patch b/backport-dissect-image-add-extension-specific-validation-flag.patch deleted file mode 100644 index 8c523a6..0000000 --- a/backport-dissect-image-add-extension-specific-validation-flag.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 1d1b529d7781c7ac28fd6130eeda76bf2d70fe79 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Wed, 18 Aug 2021 16:08:14 +0100 -Subject: [PATCH] dissect-image: add extension-specific validation flag - -Allows callers to specify which image type they are looking for - -(cherry picked from commit 9ccb531a5f99a7f399f352e79079188957f5a170) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1d1b529d7781c7ac28fd6130eeda76bf2d70fe79 ---- - src/portable/portable.c | 9 ++++++++- - src/shared/dissect-image.c | 26 +++++++++++++++++++------- - src/shared/dissect-image.h | 23 ++++++++++++----------- - 3 files changed, 39 insertions(+), 19 deletions(-) - -diff --git a/src/portable/portable.c b/src/portable/portable.c -index 4cf5fb4f0a..5ecbeec2de 100644 ---- a/src/portable/portable.c -+++ b/src/portable/portable.c -@@ -424,9 +424,16 @@ static int portable_extract_by_path( - if (r < 0) - return r; - if (r == 0) { -+ DissectImageFlags flags = DISSECT_IMAGE_READ_ONLY; -+ - seq[0] = safe_close(seq[0]); - -- r = dissected_image_mount(m, tmpdir, UID_INVALID, UID_INVALID, DISSECT_IMAGE_READ_ONLY); -+ if (!extract_os_release) -+ flags |= DISSECT_IMAGE_VALIDATE_OS_EXT; -+ else -+ flags |= DISSECT_IMAGE_VALIDATE_OS; -+ -+ r = dissected_image_mount(m, tmpdir, UID_INVALID, UID_INVALID, flags); - if (r < 0) { - log_debug_errno(r, "Failed to mount dissected image: %m"); - goto child_finish; -diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c -index 9b30c86a53..3a24f5041f 100644 ---- a/src/shared/dissect-image.c -+++ b/src/shared/dissect-image.c -@@ -1725,17 +1725,28 @@ int dissected_image_mount( - if (r < 0) - return r; - -- if (flags & DISSECT_IMAGE_VALIDATE_OS) { -- r = path_is_os_tree(where); -- if (r < 0) -- return r; -- if (r == 0) { -+ if ((flags & (DISSECT_IMAGE_VALIDATE_OS|DISSECT_IMAGE_VALIDATE_OS_EXT)) != 0) { -+ /* If either one of the validation flags are set, ensure that the image qualifies -+ * as one or the other (or both). */ -+ bool ok = false; -+ -+ if (FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS)) { -+ r = path_is_os_tree(where); -+ if (r < 0) -+ return r; -+ if (r > 0) -+ ok = true; -+ } -+ if (!ok && FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS_EXT)) { - r = path_is_extension_tree(where, m->image_name); - if (r < 0) - return r; -- if (r == 0) -- return -EMEDIUMTYPE; -+ if (r > 0) -+ ok = true; - } -+ -+ if (!ok) -+ return -ENOMEDIUM; - } - } - -@@ -2617,6 +2628,7 @@ int dissected_image_acquire_metadata(DissectedImage *m) { - DISSECT_IMAGE_READ_ONLY| - DISSECT_IMAGE_MOUNT_ROOT_ONLY| - DISSECT_IMAGE_VALIDATE_OS| -+ DISSECT_IMAGE_VALIDATE_OS_EXT| - DISSECT_IMAGE_USR_NO_ROOT); - if (r < 0) { - /* Let parent know the error */ -diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h -index 1ce14e915e..9db2719afb 100644 ---- a/src/shared/dissect-image.h -+++ b/src/shared/dissect-image.h -@@ -100,19 +100,20 @@ typedef enum DissectImageFlags { - DISSECT_IMAGE_MOUNT_ROOT_ONLY = 1 << 6, /* Mount only the root and /usr partitions */ - DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY = 1 << 7, /* Mount only the non-root and non-/usr partitions */ - DISSECT_IMAGE_VALIDATE_OS = 1 << 8, /* Refuse mounting images that aren't identifiable as OS images */ -- DISSECT_IMAGE_NO_UDEV = 1 << 9, /* Don't wait for udev initializing things */ -- DISSECT_IMAGE_RELAX_VAR_CHECK = 1 << 10, /* Don't insist that the UUID of /var is hashed from /etc/machine-id */ -- DISSECT_IMAGE_FSCK = 1 << 11, /* File system check the partition before mounting (no effect when combined with DISSECT_IMAGE_READ_ONLY) */ -- DISSECT_IMAGE_NO_PARTITION_TABLE = 1 << 12, /* Only recognize single file system images */ -- DISSECT_IMAGE_VERITY_SHARE = 1 << 13, /* When activating a verity device, reuse existing one if already open */ -- DISSECT_IMAGE_MKDIR = 1 << 14, /* Make top-level directory to mount right before mounting, if missing */ -- DISSECT_IMAGE_USR_NO_ROOT = 1 << 15, /* If no root fs is in the image, but /usr is, then allow this (so that we can mount the rootfs as tmpfs or so */ -- DISSECT_IMAGE_REQUIRE_ROOT = 1 << 16, /* Don't accept disks without root partition (or at least /usr partition if DISSECT_IMAGE_USR_NO_ROOT is set) */ -- DISSECT_IMAGE_MOUNT_READ_ONLY = 1 << 17, /* Make mounts read-only */ -+ DISSECT_IMAGE_VALIDATE_OS_EXT = 1 << 9, /* Refuse mounting images that aren't identifiable as OS extension images */ -+ DISSECT_IMAGE_NO_UDEV = 1 << 10, /* Don't wait for udev initializing things */ -+ DISSECT_IMAGE_RELAX_VAR_CHECK = 1 << 11, /* Don't insist that the UUID of /var is hashed from /etc/machine-id */ -+ DISSECT_IMAGE_FSCK = 1 << 12, /* File system check the partition before mounting (no effect when combined with DISSECT_IMAGE_READ_ONLY) */ -+ DISSECT_IMAGE_NO_PARTITION_TABLE = 1 << 13, /* Only recognize single file system images */ -+ DISSECT_IMAGE_VERITY_SHARE = 1 << 14, /* When activating a verity device, reuse existing one if already open */ -+ DISSECT_IMAGE_MKDIR = 1 << 15, /* Make top-level directory to mount right before mounting, if missing */ -+ DISSECT_IMAGE_USR_NO_ROOT = 1 << 16, /* If no root fs is in the image, but /usr is, then allow this (so that we can mount the rootfs as tmpfs or so */ -+ DISSECT_IMAGE_REQUIRE_ROOT = 1 << 17, /* Don't accept disks without root partition (or at least /usr partition if DISSECT_IMAGE_USR_NO_ROOT is set) */ -+ DISSECT_IMAGE_MOUNT_READ_ONLY = 1 << 18, /* Make mounts read-only */ - DISSECT_IMAGE_READ_ONLY = DISSECT_IMAGE_DEVICE_READ_ONLY | - DISSECT_IMAGE_MOUNT_READ_ONLY, -- DISSECT_IMAGE_GROWFS = 1 << 18, /* Grow file systems in partitions marked for that to the size of the partitions after mount */ -- DISSECT_IMAGE_MOUNT_IDMAPPED = 1 << 19, /* Mount mounts with kernel 5.12-style userns ID mapping, if file system type doesn't support uid=/gid= */ -+ DISSECT_IMAGE_GROWFS = 1 << 19, /* Grow file systems in partitions marked for that to the size of the partitions after mount */ -+ DISSECT_IMAGE_MOUNT_IDMAPPED = 1 << 20, /* Mount mounts with kernel 5.12-style userns ID mapping, if file system type doesn't support uid=/gid= */ - } DissectImageFlags; - - struct DissectedImage { --- -2.33.0 - diff --git a/backport-dissect-image-validate-extension-release-even-if-the.patch b/backport-dissect-image-validate-extension-release-even-if-the.patch deleted file mode 100644 index bea0bf6..0000000 --- a/backport-dissect-image-validate-extension-release-even-if-the.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 4b14a6aafe45270b50b4a0b75d0cce11a9ac738d Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Wed, 19 Jan 2022 00:01:48 +0000 -Subject: [PATCH] dissect-image: validate extension-release even if the host - has only ID in os-release - -A rolling distro won't set VERSION_ID or SYSEXT_LEVEL in os-release, -which means we skip validation of ExtensionImages. -Validate even with just an ID, the lower level helper already -recognizes and accepts this use case. - -Fixes https://github.com/systemd/systemd/issues/22146 - -(cherry picked from commit 37361f46d571ad0b71ef99dec6a9b76edbab38bb) -(cherry picked from commit 0dab9e5f057380322755e90ee4d35716d5bf6232) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4b14a6aafe45270b50b4a0b75d0cce11a9ac738d ---- - src/shared/dissect-image.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c -index 714baa8572..9b30c86a53 100644 ---- a/src/shared/dissect-image.c -+++ b/src/shared/dissect-image.c -@@ -3015,9 +3015,9 @@ int verity_dissect_and_mount( - /* If we got os-release values from the caller, then we need to match them with the image's - * extension-release.d/ content. Return -EINVAL if there's any mismatch. - * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if -- * available, or else fallback to VERSION_ID. */ -- if (required_host_os_release_id && -- (required_host_os_release_version_id || required_host_os_release_sysext_level)) { -+ * available, or else fallback to VERSION_ID. If neither is present (eg: rolling release), -+ * then a simple match on the ID will be performed. */ -+ if (required_host_os_release_id) { - _cleanup_strv_free_ char **extension_release = NULL; - - r = load_extension_release_pairs(dest, dissected_image->image_name, &extension_release); --- -2.33.0 - diff --git a/backport-dns-domain-make-each-label-nul-terminated.patch b/backport-dns-domain-make-each-label-nul-terminated.patch deleted file mode 100644 index 11d9d70..0000000 --- a/backport-dns-domain-make-each-label-nul-terminated.patch +++ /dev/null @@ -1,50 +0,0 @@ -From ec5a6e5a3011f095e739fa0636c3273fe868f2cf Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 11 Jun 2022 05:51:03 +0900 -Subject: [PATCH] dns-domain: make each label nul-terminated - -dns_label_unescape() does not nul-terminate the buffer if it does not -have enough space. Hence, if a lable is enough long, then strjoin() -triggers buffer-overflow. - -Fixes #23705. - -(cherry picked from commit 9db01ca5b0322bc035e1ccd6b8a0d98a26533b4a) -(cherry picked from commit 25158b294482f793f962e8ee5f34e99a01214321) -(cherry picked from commit ac4e64939d05ed81739028c0a45c3f99d2f91ba4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ec5a6e5a3011f095e739fa0636c3273fe868f2cf ---- - src/shared/dns-domain.c | 2 +- - src/test/test-dns-domain.c | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c -index 787bb8fec9..517fe85600 100644 ---- a/src/shared/dns-domain.c -+++ b/src/shared/dns-domain.c -@@ -1035,7 +1035,7 @@ static bool dns_service_name_label_is_valid(const char *label, size_t n) { - int dns_service_split(const char *joined, char **_name, char **_type, char **_domain) { - _cleanup_free_ char *name = NULL, *type = NULL, *domain = NULL; - const char *p = joined, *q = NULL, *d = NULL; -- char a[DNS_LABEL_MAX], b[DNS_LABEL_MAX], c[DNS_LABEL_MAX]; -+ char a[DNS_LABEL_MAX+1], b[DNS_LABEL_MAX+1], c[DNS_LABEL_MAX+1]; - int an, bn, cn, r; - unsigned x = 0; - -diff --git a/src/test/test-dns-domain.c b/src/test/test-dns-domain.c -index 2df2380de4..10916dd057 100644 ---- a/src/test/test-dns-domain.c -+++ b/src/test/test-dns-domain.c -@@ -560,6 +560,7 @@ static void test_dns_service_split(void) { - test_dns_service_split_one("_foo._bar", NULL, "_foo._bar", ".", 0); - test_dns_service_split_one("_meh._foo._bar", "_meh", "_foo._bar", ".", 0); - test_dns_service_split_one("Wuff\\032Wuff._foo._bar.waldo.com", "Wuff Wuff", "_foo._bar", "waldo.com", 0); -+ test_dns_service_split_one("_Q._Q-------------------------------------------------------------", NULL, "_Q._Q-------------------------------------------------------------", ".", 0); - } - - static void test_dns_name_change_suffix_one(const char *name, const char *old_suffix, const char *new_suffix, int r, const char *result) { --- -2.27.0 - diff --git a/backport-dns-domain-re-introduce-dns_name_is_empty.patch b/backport-dns-domain-re-introduce-dns_name_is_empty.patch deleted file mode 100644 index 19d4d66..0000000 --- a/backport-dns-domain-re-introduce-dns_name_is_empty.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 435a9af906c02d8024811311b012c9d7a2400009 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 24 Jan 2022 06:06:55 +0900 -Subject: [PATCH] dns-domain: re-introduce dns_name_is_empty() - -(cherry picked from commit 7bdf41983044268b4bc2f9d34462db7f89ba284a) -(cherry picked from commit df08c12062dfd9903edec371598412a47a3055e0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/435a9af906c02d8024811311b012c9d7a2400009 ---- - src/shared/dns-domain.h | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/shared/dns-domain.h b/src/shared/dns-domain.h -index c25fcaacc2..24bf00bd58 100644 ---- a/src/shared/dns-domain.h -+++ b/src/shared/dns-domain.h -@@ -60,6 +60,10 @@ static inline int dns_name_is_valid_ldh(const char *s) { - return 1; - } - -+static inline bool dns_name_is_empty(const char *s) { -+ return isempty(s) || streq(s, "."); -+} -+ - void dns_name_hash_func(const char *s, struct siphash *state); - int dns_name_compare_func(const char *a, const char *b); - extern const struct hash_ops dns_name_hash_ops; --- -2.33.0 - diff --git a/backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch b/backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch deleted file mode 100644 index bd99668..0000000 --- a/backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch +++ /dev/null @@ -1,37 +0,0 @@ -From a7cfaa555379f19ab229c024027a74a5d22991d6 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 17 Feb 2022 14:47:34 +0100 -Subject: [PATCH] docs: $SYSTEMD_NSS_BYPASS_BUS is not honoured anymore, don't - document it - -It was removed back in 1684c56f40f020e685e70b3d1785d596ff16f892 - -Follow-up for: 1684c56f40f020e685e70b3d1785d596ff16f892 - -(cherry picked from commit cec16155e3dab4f123ba073223477a4ef2cf10f9) -(cherry picked from commit 4ec9aec4b695e1f0a26dc9cd55719c2f91ebdd6a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a7cfaa555379f19ab229c024027a74a5d22991d6 ---- - docs/ENVIRONMENT.md | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md -index 2cec3bdc16..efb360f0a4 100644 ---- a/docs/ENVIRONMENT.md -+++ b/docs/ENVIRONMENT.md -@@ -208,10 +208,6 @@ All tools: - user/group records for dynamically registered service users (i.e. users - registered through `DynamicUser=1`). - --* `$SYSTEMD_NSS_BYPASS_BUS=1` — if set, `nss-systemd` won't use D-Bus to do -- dynamic user lookups. This is primarily useful to make `nss-systemd` work -- safely from within `dbus-daemon`. -- - `systemd-timedated`: - - * `$SYSTEMD_TIMEDATED_NTP_SERVICES=…` — colon-separated list of unit names of --- -2.33.0 - diff --git a/backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch b/backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch deleted file mode 100644 index c9e9ba0..0000000 --- a/backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 6822cfa5f066fcbf79ded85419d59a97decc67b9 Mon Sep 17 00:00:00 2001 -From: nl6720 -Date: Fri, 9 Jul 2021 12:56:54 +0300 -Subject: [PATCH] docs: improve wording when mentioning the acronym "ESP" - -"ESP" is "EFI system partition", so "ESP partition" is redundant. - -(cherry picked from commit 250db1bf02b9fd73f2e0604acddbc20937c67d19) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6822cfa5f066fcbf79ded85419d59a97decc67b9 ---- - docs/BOOT_LOADER_INTERFACE.md | 8 ++++---- - docs/BOOT_LOADER_SPECIFICATION.md | 4 ++-- - man/systemd-boot.xml | 4 ++-- - src/boot/bootctl.c | 2 +- - src/systemctl/systemctl-start-special.c | 2 +- - 5 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/docs/BOOT_LOADER_INTERFACE.md b/docs/BOOT_LOADER_INTERFACE.md -index be3b6e401d..e9155117b9 100644 ---- a/docs/BOOT_LOADER_INTERFACE.md -+++ b/docs/BOOT_LOADER_INTERFACE.md -@@ -76,10 +76,10 @@ variables. All EFI variables use the vendor UUID - * `1 << 6` → The boot loader supports passing a random seed to the OS. - - * The EFI variable `LoaderRandomSeed` contains a binary random seed if set. It -- is set by the boot loader to pass an entropy seed read from the ESP partition -- to the OS. The system manager then credits this seed to the kernel's entropy -- pool. It is the responsibility of the boot loader to ensure the quality and -- integrity of the random seed. -+ is set by the boot loader to pass an entropy seed read from the ESP to the OS. -+ The system manager then credits this seed to the kernel's entropy pool. It is -+ the responsibility of the boot loader to ensure the quality and integrity of -+ the random seed. - - * The EFI variable `LoaderSystemToken` contains binary random data, - persistently set by the OS installer. Boot loaders that support passing -diff --git a/docs/BOOT_LOADER_SPECIFICATION.md b/docs/BOOT_LOADER_SPECIFICATION.md -index b87246ede1..7b5b19700a 100644 ---- a/docs/BOOT_LOADER_SPECIFICATION.md -+++ b/docs/BOOT_LOADER_SPECIFICATION.md -@@ -61,8 +61,8 @@ Everything described below is located on a placeholder file system `$BOOT`. The - * On disks with GPT (GUID Partition Table) - * If the OS is installed on a disk with GPT, and an Extended Boot Loader Partition or XBOOTLDR partition for short, i.e. a partition with GPT type GUID of `bc13c2ff-59e6-4262-a352-b275fd6f7172`, already exists, it should be used as `$BOOT`. - * Otherwise, if the OS is installed on a disk with GPT, and an EFI System Partition or ESP for short, i.e. a partition with GPT type UID of `c12a7328-f81f-11d2-ba4b-00a0c93ec93b`) already exists and is large enough (let's say 250MB) and otherwise qualifies, it should be used as `$BOOT`. -- * Otherwise, if the OS is installed on a disk with GPT, and if the ESP partition already exists but is too small, a new suitably sized (let's say 500MB) XBOOTLDR partition shall be created and used as `$BOOT`. -- * Otherwise, if the OS is installed on a disk with GPT, and no ESP partition exists yet, a new suitably sized (let's say 500MB) ESP should be created and used as `$BOOT`. -+ * Otherwise, if the OS is installed on a disk with GPT, and if the ESP already exists but is too small, a new suitably sized (let's say 500MB) XBOOTLDR partition shall be created and used as `$BOOT`. -+ * Otherwise, if the OS is installed on a disk with GPT, and no ESP exists yet, a new suitably sized (let's say 500MB) ESP should be created and used as `$BOOT`. - - This placeholder file system shall be determined during _installation time_, and an fstab entry may be created. It should be mounted to either `/boot/` or `/efi/`. Additional locations like `/boot/efi/`, with `/boot/` being a separate file system, might be supported by implementations. This is not recommended because the mounting of `$BOOT` is then dependent on and requires the mounting of the intermediate file system. - -diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml -index 139f79fa6b..2135d9eb36 100644 ---- a/man/systemd-boot.xml -+++ b/man/systemd-boot.xml -@@ -73,8 +73,8 @@ - systemctl1 for - details. - -- An EFI variable set by the boot loader informs the OS about the ESP partition used -- during boot. This is then used to automatically mount the correct ESP partition to -+ An EFI variable set by the boot loader informs the OS about the EFI System Partition used -+ during boot. This is then used to automatically mount the correct EFI System Partition to - /efi/ or /boot/ during OS runtime. See - systemd-gpt-auto-generator8 - for details. -diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c -index df8b0542c9..fa8c600321 100644 ---- a/src/boot/bootctl.c -+++ b/src/boot/bootctl.c -@@ -1337,7 +1337,7 @@ static int verb_status(int argc, char *argv[], void *userdata) { - sd_id128_t bootloader_esp_uuid; - bool have_bootloader_esp_uuid = efi_loader_get_device_part_uuid(&bootloader_esp_uuid) >= 0; - -- print_yes_no_line(false, have_bootloader_esp_uuid, "Boot loader sets ESP partition information"); -+ print_yes_no_line(false, have_bootloader_esp_uuid, "Boot loader sets ESP information"); - if (have_bootloader_esp_uuid && !sd_id128_equal(esp_uuid, bootloader_esp_uuid)) - printf("WARNING: The boot loader reports a different ESP UUID than detected!\n"); - -diff --git a/src/systemctl/systemctl-start-special.c b/src/systemctl/systemctl-start-special.c -index 3edb65be61..56068d25f5 100644 ---- a/src/systemctl/systemctl-start-special.c -+++ b/src/systemctl/systemctl-start-special.c -@@ -36,7 +36,7 @@ static int load_kexec_kernel(void) { - return log_error_errno(r, - "No kexec kernel loaded and autodetection failed.\n%s", - is_efi_boot() -- ? "Cannot automatically load kernel: ESP partition mount point not found." -+ ? "Cannot automatically load kernel: ESP mount point not found." - : "Automatic loading works only on systems booted with EFI."); - if (r < 0) - return r; --- -2.33.0 - diff --git a/backport-docs-portablectl-is-in-bin.patch b/backport-docs-portablectl-is-in-bin.patch deleted file mode 100644 index fc62618..0000000 --- a/backport-docs-portablectl-is-in-bin.patch +++ /dev/null @@ -1,40 +0,0 @@ -From b4221cca108f46f58cc15d83a298714b4de0bebf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 7 Sep 2021 18:43:58 +0200 -Subject: [PATCH] docs: portablectl is in bin/ - -Follow-up for 80f39b81f3876ed3816061f1093db991f72269ec. - -(cherry picked from commit a00ff6717b98580136d46cde0e8f9543e60c8f76) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b4221cca108f46f58cc15d83a298714b4de0bebf ---- - docs/PORTABLE_SERVICES.md | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/docs/PORTABLE_SERVICES.md b/docs/PORTABLE_SERVICES.md -index d9171c7b65..ec4a50373c 100644 ---- a/docs/PORTABLE_SERVICES.md -+++ b/docs/PORTABLE_SERVICES.md -@@ -86,7 +86,7 @@ If you have a portable service image, maybe in a raw disk image called - `foobar_0.7.23.raw`, then attaching the services to the host is as easy as: - - ``` --# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw -+# portablectl attach foobar_0.7.23.raw - ``` - - This command does the following: -@@ -268,7 +268,7 @@ include template units such as `foobar@.service`, so that instantiation is as - simple as: - - ``` --# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw -+# portablectl attach foobar_0.7.23.raw - # systemctl enable --now foobar@instancea.service - # systemctl enable --now foobar@instanceb.service - … --- -2.33.0 - diff --git a/backport-errno-util-add-ERRNO_IS_DEVICE_ABSENT-macro.patch b/backport-errno-util-add-ERRNO_IS_DEVICE_ABSENT-macro.patch deleted file mode 100644 index 4332d61..0000000 --- a/backport-errno-util-add-ERRNO_IS_DEVICE_ABSENT-macro.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 3f2ada89f3a277625390bf6789ccd4e7aba08743 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 24 Mar 2022 13:50:50 +0100 -Subject: [PATCH] errno-util: add ERRNO_IS_DEVICE_ABSENT() macro - -Inspired by: https://github.com/systemd/systemd/pull/22717#discussion_r834254495 - -Reference:https://github.com/systemd/systemd/commit/3f2ada89f3a277625390bf6789ccd4e7aba08743 -Conflict:discard change on homework-luks.c - ---- - src/basic/errno-util.h | 10 +++++++++- - src/rfkill/rfkill.c | 2 +- - src/udev/udev-builtin-btrfs.c | 3 ++- - 3 files changed, 12 insertions(+), 3 deletions(-) - -diff --git a/src/basic/errno-util.h b/src/basic/errno-util.h -index 09abf0b7512d..648de50eb497 100644 ---- a/src/basic/errno-util.h -+++ b/src/basic/errno-util.h -@@ -138,10 +138,18 @@ static inline bool ERRNO_IS_PRIVILEGE(int r) { - EPERM); - } - --/* Three difference errors for "not enough disk space" */ -+/* Three different errors for "not enough disk space" */ - static inline bool ERRNO_IS_DISK_SPACE(int r) { - return IN_SET(abs(r), - ENOSPC, - EDQUOT, - EFBIG); - } -+ -+/* Three different errors for "this device does not quite exist" */ -+static inline bool ERRNO_IS_DEVICE_ABSENT(int r) { -+ return IN_SET(abs(r), -+ ENODEV, -+ ENXIO, -+ ENOENT); -+} -diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c -index 656afa06ac8b..a833771d97f2 100644 ---- a/src/rfkill/rfkill.c -+++ b/src/rfkill/rfkill.c -@@ -80,7 +80,7 @@ static int find_device( - - r = sd_device_new_from_subsystem_sysname(&device, "rfkill", sysname); - if (r < 0) -- return log_full_errno(IN_SET(r, -ENOENT, -ENXIO, -ENODEV) ? LOG_DEBUG : LOG_ERR, r, -+ return log_full_errno(ERRNO_IS_DEVICE_ABSENT(r) ? LOG_DEBUG : LOG_ERR, r, - "Failed to open device '%s': %m", sysname); - - r = sd_device_get_sysattr_value(device, "name", &name); -diff --git a/src/udev/udev-builtin-btrfs.c b/src/udev/udev-builtin-btrfs.c -index a0093cb42347..f9d4f1dd4ef4 100644 ---- a/src/udev/udev-builtin-btrfs.c -+++ b/src/udev/udev-builtin-btrfs.c -@@ -6,6 +6,7 @@ - #include - - #include "device-util.h" -+#include "errno-util.h" - #include "fd-util.h" - #include "string-util.h" - #include "strxcpyx.h" -@@ -22,7 +23,7 @@ static int builtin_btrfs(sd_device *dev, sd_netlink **rtnl, int argc, char *argv - - fd = open("/dev/btrfs-control", O_RDWR|O_CLOEXEC); - if (fd < 0) { -- if (IN_SET(errno, ENOENT, ENXIO, ENODEV)) { -+ if (ERRNO_IS_DEVICE_ABSENT(errno)) { - /* Driver not installed? Then we aren't ready. This is useful in initrds that lack - * btrfs.ko. After the host transition (where btrfs.ko will hopefully become - * available) the device can be retriggered and will then be considered ready. */ - diff --git a/backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch b/backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch deleted file mode 100644 index 5980741..0000000 --- a/backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 798baafc027d829bdf6fc41163e6d12085a2c620 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 15 Sep 2021 22:59:52 +0900 -Subject: [PATCH] ether-addr-util: make hw_addr_to_string() return valid string - even if hardware address is null - -Previously, when the length of the hardware address is zero, then the -buffer was not nul-terminated. - -This also replaces sprintf() with hexchar(). - -(cherry picked from commit 914ac555cd40f9c09e655a737214bfb7de21b8d9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/798baafc027d829bdf6fc41163e6d12085a2c620 ---- - src/basic/ether-addr-util.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/src/basic/ether-addr-util.c b/src/basic/ether-addr-util.c -index e660ac2c6f..dc5b5b833d 100644 ---- a/src/basic/ether-addr-util.c -+++ b/src/basic/ether-addr-util.c -@@ -7,6 +7,7 @@ - #include - - #include "ether-addr-util.h" -+#include "hexdecoct.h" - #include "macro.h" - #include "string-util.h" - -@@ -15,12 +16,13 @@ char* hw_addr_to_string(const struct hw_addr_data *addr, char buffer[HW_ADDR_TO_ - assert(buffer); - assert(addr->length <= HW_ADDR_MAX_SIZE); - -- for (size_t i = 0; i < addr->length; i++) { -- sprintf(&buffer[3*i], "%02"PRIx8, addr->bytes[i]); -- if (i < addr->length - 1) -- buffer[3*i + 2] = ':'; -+ for (size_t i = 0, j = 0; i < addr->length; i++) { -+ buffer[j++] = hexchar(addr->bytes[i] >> 4); -+ buffer[j++] = hexchar(addr->bytes[i] & 0x0f); -+ buffer[j++] = ':'; - } - -+ buffer[addr->length > 0 ? addr->length * 3 - 1 : 0] = '\0'; - return buffer; - } - --- -2.33.0 - diff --git a/backport-event-util-introduce-event_reset_time_relative.patch b/backport-event-util-introduce-event_reset_time_relative.patch deleted file mode 100644 index 5279c50..0000000 --- a/backport-event-util-introduce-event_reset_time_relative.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 52c3bc708fb6a3eb68a3cac780b49192818bd409 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 13 Nov 2021 10:33:08 +0900 -Subject: [PATCH] event-util: introduce event_reset_time_relative() - -Reference:https://github.com/systemd/systemd/commit/52c3bc708fb6a3eb68a3cac780b49192818bd409 -Conflict:NA - ---- - src/libsystemd/sd-event/event-util.c | 24 ++++++++++++++++++++++++ - src/libsystemd/sd-event/event-util.h | 26 ++++++++++++++++++++++---- - 2 files changed, 46 insertions(+), 4 deletions(-) - -diff --git a/src/libsystemd/sd-event/event-util.c b/src/libsystemd/sd-event/event-util.c -index 132796f..0e53406 100644 ---- a/src/libsystemd/sd-event/event-util.c -+++ b/src/libsystemd/sd-event/event-util.c -@@ -84,6 +84,30 @@ int event_reset_time( - return created; - } - -+int event_reset_time_relative( -+ sd_event *e, -+ sd_event_source **s, -+ clockid_t clock, -+ uint64_t usec, -+ uint64_t accuracy, -+ sd_event_time_handler_t callback, -+ void *userdata, -+ int64_t priority, -+ const char *description, -+ bool force_reset) { -+ -+ usec_t usec_now; -+ int r; -+ -+ assert(e); -+ -+ r = sd_event_now(e, clock, &usec_now); -+ if (r < 0) -+ return log_debug_errno(r, "sd-event: Failed to get the current time: %m"); -+ -+ return event_reset_time(e, s, clock, usec_add(usec_now, usec), accuracy, callback, userdata, priority, description, force_reset); -+} -+ - int event_source_disable(sd_event_source *s) { - if (!s) - return 0; -diff --git a/src/libsystemd/sd-event/event-util.h b/src/libsystemd/sd-event/event-util.h -index c8f97bc..64a4199 100644 ---- a/src/libsystemd/sd-event/event-util.h -+++ b/src/libsystemd/sd-event/event-util.h -@@ -5,9 +5,27 @@ - - #include "sd-event.h" - --int event_reset_time(sd_event *e, sd_event_source **s, -- clockid_t clock, uint64_t usec, uint64_t accuracy, -- sd_event_time_handler_t callback, void *userdata, -- int64_t priority, const char *description, bool force_reset); -+int event_reset_time( -+ sd_event *e, -+ sd_event_source **s, -+ clockid_t clock, -+ uint64_t usec, -+ uint64_t accuracy, -+ sd_event_time_handler_t callback, -+ void *userdata, -+ int64_t priority, -+ const char *description, -+ bool force_reset); -+int event_reset_time_relative( -+ sd_event *e, -+ sd_event_source **s, -+ clockid_t clock, -+ uint64_t usec, -+ uint64_t accuracy, -+ sd_event_time_handler_t callback, -+ void *userdata, -+ int64_t priority, -+ const char *description, -+ bool force_reset); - int event_source_disable(sd_event_source *s); - int event_source_is_enabled(sd_event_source *s); --- -2.33.0 - diff --git a/backport-execute-document-that-the-env-param-is-input-and-out.patch b/backport-execute-document-that-the-env-param-is-input-and-out.patch deleted file mode 100644 index 0e386ac..0000000 --- a/backport-execute-document-that-the-env-param-is-input-and-out.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 5c8437361d54bd6c04d613619f71c161df32024f Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 1 Feb 2022 13:50:28 +0100 -Subject: [PATCH] execute: document that the 'env' param is input *and* output - -(cherry picked from commit 421bb42d1b366c00392ef5bbab6a67412295b6dc) -(cherry picked from commit c4357f31da66b1917d3612d02c28adb300d4b0c6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5c8437361d54bd6c04d613619f71c161df32024f ---- - src/core/execute.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index 1129905b61..e24775c150 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -1152,7 +1152,7 @@ static int setup_pam( - uid_t uid, - gid_t gid, - const char *tty, -- char ***env, -+ char ***env, /* updated on success */ - const int fds[], size_t n_fds) { - - #if HAVE_PAM --- -2.33.0 - diff --git a/backport-execute-line-break-comments-a-bit-less-aggressively.patch b/backport-execute-line-break-comments-a-bit-less-aggressively.patch deleted file mode 100644 index b10e32d..0000000 --- a/backport-execute-line-break-comments-a-bit-less-aggressively.patch +++ /dev/null @@ -1,107 +0,0 @@ -From ee7db04c13f5b46ad2437762caa7b4c239780de5 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 1 Feb 2022 13:50:13 +0100 -Subject: [PATCH] execute: line break comments a bit less aggressively - -(cherry picked from commit cafc5ca147cb05b90bd731661d8594c299601f79) -(cherry picked from commit 14567dc93d5c498bfaadd28478f59952f6da320c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ee7db04c13f5b46ad2437762caa7b4c239780de5 ---- - src/core/execute.c | 41 +++++++++++++++++------------------------ - 1 file changed, 17 insertions(+), 24 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index b6c54493d3..1129905b61 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -1238,8 +1238,7 @@ static int setup_pam( - goto fail; - } - -- /* Block SIGTERM, so that we know that it won't get lost in -- * the child */ -+ /* Block SIGTERM, so that we know that it won't get lost in the child */ - - assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0); - -@@ -1251,18 +1250,16 @@ static int setup_pam( - if (r == 0) { - int sig, ret = EXIT_PAM; - -- /* The child's job is to reset the PAM session on -- * termination */ -+ /* The child's job is to reset the PAM session on termination */ - barrier_set_role(&barrier, BARRIER_CHILD); - - /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only - * those fds are open here that have been opened by PAM. */ - (void) close_many(fds, n_fds); - -- /* Drop privileges - we don't need any to pam_close_session -- * and this will make PR_SET_PDEATHSIG work in most cases. -- * If this fails, ignore the error - but expect sd-pam threads -- * to fail to exit normally */ -+ /* Drop privileges - we don't need any to pam_close_session and this will make -+ * PR_SET_PDEATHSIG work in most cases. If this fails, ignore the error - but expect sd-pam -+ * threads to fail to exit normally */ - - r = maybe_setgroups(0, NULL); - if (r < 0) -@@ -1274,20 +1271,16 @@ static int setup_pam( - - (void) ignore_signals(SIGPIPE); - -- /* Wait until our parent died. This will only work if -- * the above setresuid() succeeds, otherwise the kernel -- * will not allow unprivileged parents kill their privileged -- * children this way. We rely on the control groups kill logic -- * to do the rest for us. */ -+ /* Wait until our parent died. This will only work if the above setresuid() succeeds, -+ * otherwise the kernel will not allow unprivileged parents kill their privileged children -+ * this way. We rely on the control groups kill logic to do the rest for us. */ - if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0) - goto child_finish; - -- /* Tell the parent that our setup is done. This is especially -- * important regarding dropping privileges. Otherwise, unit -- * setup might race against our setresuid(2) call. -+ /* Tell the parent that our setup is done. This is especially important regarding dropping -+ * privileges. Otherwise, unit setup might race against our setresuid(2) call. - * -- * If the parent aborted, we'll detect this below, hence ignore -- * return failure here. */ -+ * If the parent aborted, we'll detect this below, hence ignore return failure here. */ - (void) barrier_place(&barrier); - - /* Check if our parent process might already have died? */ -@@ -1332,19 +1325,19 @@ static int setup_pam( - - barrier_set_role(&barrier, BARRIER_PARENT); - -- /* If the child was forked off successfully it will do all the -- * cleanups, so forget about the handle here. */ -+ /* If the child was forked off successfully it will do all the cleanups, so forget about the handle -+ * here. */ - handle = NULL; - - /* Unblock SIGTERM again in the parent */ - assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0); - -- /* We close the log explicitly here, since the PAM modules -- * might have opened it, but we don't want this fd around. */ -+ /* We close the log explicitly here, since the PAM modules might have opened it, but we don't want -+ * this fd around. */ - closelog(); - -- /* Synchronously wait for the child to initialize. We don't care for -- * errors as we cannot recover. However, warn loudly if it happens. */ -+ /* Synchronously wait for the child to initialize. We don't care for errors as we cannot -+ * recover. However, warn loudly if it happens. */ - if (!barrier_place_and_sync(&barrier)) - log_error("PAM initialization failed"); - --- -2.33.0 - diff --git a/backport-execute-respect-selinux_context_ignore.patch b/backport-execute-respect-selinux_context_ignore.patch deleted file mode 100644 index 7dacf3c..0000000 --- a/backport-execute-respect-selinux_context_ignore.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 38d0d41e0fc5d559cff5a1bcf46482aec9d6f5ef Mon Sep 17 00:00:00 2001 -From: Topi Miettinen -Date: Sat, 30 Oct 2021 19:58:41 +0300 -Subject: [PATCH] execute: respect selinux_context_ignore - -When `SELinuxContext=` parameter is prefixed with `-`, the documentation states -that any errors determining or changing context should be ignored, but this -doesn't actually happen and the service may fail with `229/SELINUX_CONTEXT`. - -Fix by adding checks to `context->selinux_context_ignore`. - -Closes: #21057 -(cherry picked from commit 2ad2925de5f258d128ec8cdb07f10f3c52fa4fcf) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/38d0d41e0fc5d559cff5a1bcf46482aec9d6f5ef ---- - src/core/execute.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index 6ff757ff04..e324db87cc 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -4361,7 +4361,7 @@ static int exec_child( - - if (fd >= 0) { - r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net); -- if (r < 0) { -+ if (r < 0 && !context->selinux_context_ignore) { - *exit_status = EXIT_SELINUX_CONTEXT; - return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m"); - } -@@ -4495,7 +4495,7 @@ static int exec_child( - - if (exec_context) { - r = setexeccon(exec_context); -- if (r < 0) { -+ if (r < 0 && !context->selinux_context_ignore) { - *exit_status = EXIT_SELINUX_CONTEXT; - return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context); - } --- -2.33.0 - diff --git a/backport-execute-use-_cleanup_-logic-where-appropriate.patch b/backport-execute-use-_cleanup_-logic-where-appropriate.patch deleted file mode 100644 index 07b41e7..0000000 --- a/backport-execute-use-_cleanup_-logic-where-appropriate.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1fa6abd4ae2445b08e3c3fc3d4eade1e833f43da Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 1 Feb 2022 13:49:56 +0100 -Subject: [PATCH] execute: use _cleanup_ logic where appropriate - -(cherry picked from commit 46e5bbab5895b7137b03453dee08bd1c89c710e9) -(cherry picked from commit 9b2954b79435eaf54be208acdce8026b83bdc249) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1fa6abd4ae2445b08e3c3fc3d4eade1e833f43da ---- - src/core/execute.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index 04c0513453..b6c54493d3 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -1163,10 +1163,11 @@ static int setup_pam( - }; - - _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL; -+ _cleanup_strv_free_ char **e = NULL; - pam_handle_t *handle = NULL; - sigset_t old_ss; - int pam_code = PAM_SUCCESS, r; -- char **nv, **e = NULL; -+ char **nv; - bool close_session = false; - pid_t pam_pid = 0, parent_pid; - int flags = 0; -@@ -1363,9 +1364,7 @@ fail: - (void) pam_end(handle, pam_code | flags); - } - -- strv_free(e); - closelog(); -- - return r; - #else - return 0; --- -2.33.0 - diff --git a/backport-explicitly-close-FIDO2-devices.patch b/backport-explicitly-close-FIDO2-devices.patch deleted file mode 100644 index c1b7926..0000000 --- a/backport-explicitly-close-FIDO2-devices.patch +++ /dev/null @@ -1,66 +0,0 @@ -From d6e4920b10c3da1665cb44f4686893b865003d12 Mon Sep 17 00:00:00 2001 -From: pedro martelletto -Date: Wed, 8 Sep 2021 10:42:56 +0200 -Subject: [PATCH] explicitly close FIDO2 devices - -FIDO2 device access is serialised by libfido2 using flock(). -Therefore, make sure to close a FIDO2 device once we are done -with it, or we risk opening it again at a later point and -deadlocking. Fixes #20664. - -(cherry picked from commit b6aa89b0a399992c8ea762e6ec4f30cff90618f2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d6e4920b10c3da1665cb44f4686893b865003d12 ---- - src/shared/libfido2-util.c | 2 ++ - src/shared/libfido2-util.h | 5 ++++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c -index 12c644dcfc..6d18178b68 100644 ---- a/src/shared/libfido2-util.c -+++ b/src/shared/libfido2-util.c -@@ -58,6 +58,7 @@ bool (*sym_fido_dev_is_fido2)(const fido_dev_t *) = NULL; - int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *) = NULL; - fido_dev_t* (*sym_fido_dev_new)(void) = NULL; - int (*sym_fido_dev_open)(fido_dev_t *, const char *) = NULL; -+int (*sym_fido_dev_close)(fido_dev_t *) = NULL; - const char* (*sym_fido_strerr)(int) = NULL; - - int dlopen_libfido2(void) { -@@ -106,6 +107,7 @@ int dlopen_libfido2(void) { - DLSYM_ARG(fido_dev_make_cred), - DLSYM_ARG(fido_dev_new), - DLSYM_ARG(fido_dev_open), -+ DLSYM_ARG(fido_dev_close), - DLSYM_ARG(fido_strerr)); - } - -diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h -index 5640cca5e3..4ebf8ab775 100644 ---- a/src/shared/libfido2-util.h -+++ b/src/shared/libfido2-util.h -@@ -60,6 +60,7 @@ extern bool (*sym_fido_dev_is_fido2)(const fido_dev_t *); - extern int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *); - extern fido_dev_t* (*sym_fido_dev_new)(void); - extern int (*sym_fido_dev_open)(fido_dev_t *, const char *); -+extern int (*sym_fido_dev_close)(fido_dev_t *); - extern const char* (*sym_fido_strerr)(int); - - int dlopen_libfido2(void); -@@ -75,8 +76,10 @@ static inline void fido_assert_free_wrapper(fido_assert_t **p) { - } - - static inline void fido_dev_free_wrapper(fido_dev_t **p) { -- if (*p) -+ if (*p) { -+ sym_fido_dev_close(*p); - sym_fido_dev_free(p); -+ } - } - - static inline void fido_cred_free_wrapper(fido_cred_t **p) { --- -2.33.0 - diff --git a/backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch b/backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch deleted file mode 100644 index 7b02708..0000000 --- a/backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch +++ /dev/null @@ -1,44 +0,0 @@ -From c9e0daf821b3e1e6504ca4c4e3a8b73513e28fa7 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 16 Sep 2021 12:20:09 +0200 -Subject: [PATCH] fileio: fix truncated read handling in read_virtual_file() - -We mishandled the case where the size we read from the file actually -matched the maximum size fully. In that case we cannot really make a -determination whether the file was fully read or only partially. In that -case let's do another loop, so that we operate with a buffer, and -we can detect the EOF (which will be signalled to us via a short read). - -(cherry picked from commit 00bd9a4a82ed57bc0c7f158da4564fc1eab808b4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c9e0daf821b3e1e6504ca4c4e3a8b73513e28fa7 ---- - src/basic/fileio.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 1046e5b9b4..6c8ebe63e0 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -470,9 +470,14 @@ int read_virtual_file(const char *filename, size_t max_size, char **ret_contents - if (n <= size) - break; - -- /* If a maximum size is specified and we already read as much, no need to try again */ -- if (max_size != SIZE_MAX && n >= max_size) { -- n = max_size; -+ /* If a maximum size is specified and we already read more we know the file is larger, and -+ * can handle this as truncation case. Note that if the size of what we read equals the -+ * maximum size then this doesn't mean truncation, the file might or might not end on that -+ * byte. We need to rerun the loop in that case, with a larger buffer size, so that we read -+ * at least one more byte to be able to distinguish EOF from truncation. */ -+ if (max_size != SIZE_MAX && n > max_size) { -+ n = size; /* Make sure we never use more than what we sized the buffer for (so that -+ * we have one free byte in it for the trailing NUL we add below).*/ - truncated = true; - break; - } --- -2.33.0 - diff --git a/backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch b/backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch deleted file mode 100644 index e883954..0000000 --- a/backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch +++ /dev/null @@ -1,71 +0,0 @@ -From feb68f6aad36930f0b0c6c70164287c5bc46b64c Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 14 Sep 2021 23:03:37 +0200 -Subject: [PATCH] fileio: lower maximum virtual file buffer size by one byte -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When reading virtual files (i.e. procfs, sysfs, …) we currently put a -limit of 4M-1 on that. We have to pick something, and we have to read -these files in a single read() (since the kernel generally doesn't -support continuation read()s for them). 4M-1 is actually the maximum -size the kernel allows for reads from files in /proc/sys/, all larger -reads will result in an ENOMEM error (which is really weird, but the -kernel does what the kernel does). Hence 4M-1 sounds like a smart -choice. - -However, we made one mistake here: in order to be able to detect EOFs -properly we actually read one byte more than we actually intend to -return: if that extra byte can be read, then we know the file is -actually larger than our limit and we can generate an EFBIG error from -that. However, if it cannot be read then we know EOF was hit, and we are -good. So ultimately after all we issued a single 4M read, which the -kernel then responds with ENOMEM to. And that means read_virtual_file() -actually doesn't work properly right now on /proc/sys/. Let's fix that. - -The fix is simple, lower the limit of the the buffer we intend to return -by one, i.e. 4M-2. That way, the read() we'll issue is exactly as large -as the limit the kernel allows, and we still get safely detect EOF from -it. - -(cherry picked from commit 7ab7547a40d456d34120b2f44b26385ac1338ebd) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/feb68f6aad36930f0b0c6c70164287c5bc46b64c ---- - src/basic/fileio.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 99a44fdea2..ba0ca98d72 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -30,14 +30,16 @@ - /* The maximum size of the file we'll read in one go in read_full_file() (64M). */ - #define READ_FULL_BYTES_MAX (64U*1024U*1024U - 1U) - --/* The maximum size of virtual files we'll read in one go in read_virtual_file() (4M). Note that this limit -- * is different (and much lower) than the READ_FULL_BYTES_MAX limit. This reflects the fact that we use -- * different strategies for reading virtual and regular files: virtual files are generally size constrained: -- * there we allocate the full buffer size in advance. Regular files OTOH can be much larger, and here we grow -- * the allocations exponentially in a loop. In glibc large allocations are immediately backed by mmap() -- * making them relatively slow (measurably so). Thus, when allocating the full buffer in advance the large -- * limit is a problem. When allocating piecemeal it's not. Hence pick two distinct limits. */ --#define READ_VIRTUAL_BYTES_MAX (4U*1024U*1024U - 1U) -+/* The maximum size of virtual files (i.e. procfs, sysfs, and other virtual "API" files) we'll read in one go -+ * in read_virtual_file(). Note that this limit is different (and much lower) than the READ_FULL_BYTES_MAX -+ * limit. This reflects the fact that we use different strategies for reading virtual and regular files: -+ * virtual files we generally have to read in a single read() syscall since the kernel doesn't support -+ * continuation read()s for them. Thankfully they are somewhat size constrained. Thus we can allocate the -+ * full potential buffer in advance. Regular files OTOH can be much larger, and there we grow the allocations -+ * exponentially in a loop. We use a size limit of 4M-2 because 4M-1 is the maximum buffer that /proc/sys/ -+ * allows us to read() (larger reads will fail with ENOMEM), and we want to read one extra byte so that we -+ * can detect EOFs. */ -+#define READ_VIRTUAL_BYTES_MAX (4U*1024U*1024U - 2U) - - int fopen_unlocked(const char *path, const char *options, FILE **ret) { - assert(ret); --- -2.33.0 - diff --git a/backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch b/backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch deleted file mode 100644 index 2d7ae85..0000000 --- a/backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ca6c93956879e368e40bbf5a742fcb1689712d81 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 14 Sep 2021 23:11:55 +0200 -Subject: [PATCH] fileio: set O_NOCTTY when reading virtual files - -Better be safe than sorry, maybe someone points this call to a TTY one -day, and we'd rather not make it our controlling TTY in that case. - -(cherry picked from commit be991d7678c35aa037ef79672c0c70781eebed9c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ca6c93956879e368e40bbf5a742fcb1689712d81 ---- - src/basic/fileio.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index ba0ca98d72..39abf985eb 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -395,7 +395,7 @@ int read_virtual_file(const char *filename, size_t max_size, char **ret_contents - * contents* may be returned. (Though the read is still done using one syscall.) Returns 0 on - * partial success, 1 if untruncated contents were read. */ - -- fd = open(filename, O_RDONLY|O_CLOEXEC); -+ fd = open(filename, O_RDONLY|O_NOCTTY|O_CLOEXEC); - if (fd < 0) - return -errno; - --- -2.33.0 - diff --git a/backport-fileio-start-with-4k-buffer-for-procfs.patch b/backport-fileio-start-with-4k-buffer-for-procfs.patch deleted file mode 100644 index ed9f02a..0000000 --- a/backport-fileio-start-with-4k-buffer-for-procfs.patch +++ /dev/null @@ -1,46 +0,0 @@ -From b3f5d2f4044751a4a741e033a9bc621ede573cb2 Mon Sep 17 00:00:00 2001 -From: Anita Zhang -Date: Tue, 14 Sep 2021 16:33:10 -0700 -Subject: [PATCH] fileio: start with 4k buffer for procfs - -There's a very gradual increase of anonymous memory in systemd-journald that -blames to 2ac67221bb6270f0fbe7cbd0076653832cd49de2. - -systemd-journald makes many calls to read /proc/PID/cmdline and -/proc/PID/status, both of which tend to be well under 4K. However the -combination of allocating 4M read buffers, then using `realloc()` to -shrink the buffer in `read_virtual_file()` appears to be creating -fragmentation in the heap (when combined with the other allocations -systemd-journald is doing). - -To help mitigate this, try reading /proc with a 4K buffer as -`read_virtual_file()` did before 2ac67221bb6270f0fbe7cbd0076653832cd49de2. -If it isn't big enough then try again with the larger buffers. - -(cherry picked from commit 5aaa55d841249f057fd69e50cf12a52e9781a6ce) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b3f5d2f4044751a4a741e033a9bc621ede573cb2 ---- - src/basic/fileio.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 39abf985eb..1046e5b9b4 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -433,6 +433,11 @@ int read_virtual_file(const char *filename, size_t max_size, char **ret_contents - } - - n_retries--; -+ } else if (n_retries > 1) { -+ /* Files in /proc are generally smaller than the page size so let's start with a page size -+ * buffer from malloc and only use the max buffer on the final try. */ -+ size = MIN3(page_size() - 1, READ_VIRTUAL_BYTES_MAX, max_size); -+ n_retries = 1; - } else { - size = MIN(READ_VIRTUAL_BYTES_MAX, max_size); - n_retries = 0; --- -2.33.0 - diff --git a/backport-fix-CVE-2021-33910.patch b/backport-fix-CVE-2021-33910.patch deleted file mode 100644 index cf702e5..0000000 --- a/backport-fix-CVE-2021-33910.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 764b74113e36ac5219a4b82a05f311b5a92136ce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 23 Jun 2021 11:46:41 +0200 -Subject: [PATCH] basic/unit-name: do not use strdupa() on a path - -The path may have unbounded length, for example through a fuse mount. - -CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and -ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo -and each mountpoint is passed to mount_setup_unit(), which calls -unit_name_path_escape() underneath. A local attacker who is able to mount a -filesystem with a very long path can crash systemd and the whole system. - -https://bugzilla.redhat.com/show_bug.cgi?id=1970887 - -The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we -can't easily check the length after simplification before doing the -simplification, which in turns uses a copy of the string we can write to. -So we can't reject paths that are too long before doing the duplication. -Hence the most obvious solution is to switch back to strdup(), as before -7410616cd9dbbec97cf98d75324da5cda2b2f7a2. - -(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/764b74113e36ac5219a4b82a05f311b5a92136ce ---- - src/basic/unit-name.c | 13 +++++-------- - 1 file changed, 5 insertions(+), 8 deletions(-) - -diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c -index 284a773483..a22763443f 100644 ---- a/src/basic/unit-name.c -+++ b/src/basic/unit-name.c -@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) { - } - - int unit_name_path_escape(const char *f, char **ret) { -- char *p, *s; -+ _cleanup_free_ char *p = NULL; -+ char *s; - - assert(f); - assert(ret); - -- p = strdupa(f); -+ p = strdup(f); - if (!p) - return -ENOMEM; - -@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) { - if (!path_is_normalized(p)) - return -EINVAL; - -- /* Truncate trailing slashes */ -+ /* Truncate trailing slashes and skip leading slashes */ - delete_trailing_chars(p, "/"); -- -- /* Truncate leading slashes */ -- p = skip_leading_chars(p, "/"); -- -- s = unit_name_escape(p); -+ s = unit_name_escape(skip_leading_chars(p, "/")); - } - if (!s) - return -ENOMEM; --- -2.33.0 - diff --git a/backport-fix-CVE-2022-3821.patch b/backport-fix-CVE-2022-3821.patch deleted file mode 100644 index 0c26aa6..0000000 --- a/backport-fix-CVE-2022-3821.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 8d2d0895229cfbe39c1c5c16e61e426812a72e8b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 7 Jul 2022 18:27:02 +0900 -Subject: [PATCH] time-util: fix buffer-over-run - -Fixes #23928. -Conflict:adapt test context -Reference:https://github.com/systemd/systemd/pull/23933/commits/8d2d0895229cfbe39c1c5c16e61e426812a72e8b ---- - src/basic/time-util.c | 2 +- - src/test/test-time-util.c | 5 +++++ - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/basic/time-util.c b/src/basic/time-util.c -index 5d162e8..2cc0b92 100644 ---- a/src/basic/time-util.c -+++ b/src/basic/time-util.c -@@ -590,7 +590,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) { - t = b; - } - -- n = MIN((size_t) k, l); -+ n = MIN((size_t) k, l-1); - - l -= n; - p += n; -diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c -index 6f4675a..d7cb71c 100644 ---- a/src/test/test-time-util.c -+++ b/src/test/test-time-util.c -@@ -241,6 +241,11 @@ static void test_format_timespan(usec_t accuracy) { - test_format_timespan_one(500 * USEC_PER_MSEC, accuracy); - test_format_timespan_one(9*USEC_PER_YEAR/5 - 23, accuracy); - test_format_timespan_one(USEC_INFINITY, accuracy); -+ -+ /* See issue #23928. */ -+ _cleanup_free_ char *buf; -+ assert_se(buf = new(char, 5)); -+ assert_se(buf == format_timespan(buf, 5, 100005, 1000)); - } - - static void test_verify_timezone(void) { --- -2.27.0 - diff --git a/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch b/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch deleted file mode 100644 index 182e9c6..0000000 --- a/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 10fc8b7775a8cfd9519a1c6628d813b1aa315a33 Mon Sep 17 00:00:00 2001 -From: jiangchuangang -Date: Mon, 29 Nov 2021 22:30:37 +0800 -Subject: [PATCH] fix ConditionDirectoryNotEmpty when it comes to a - Non-directory file - -(cherry picked from commit 193105f2d0408e2d96265935174b3cf0f100ef2e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/10fc8b7775a8cfd9519a1c6628d813b1aa315a33 ---- - src/shared/condition.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/condition.c b/src/shared/condition.c -index ec9d57b292..163ddc1208 100644 ---- a/src/shared/condition.c -+++ b/src/shared/condition.c -@@ -934,7 +934,7 @@ static int condition_test_directory_not_empty(Condition *c, char **env) { - assert(c->type == CONDITION_DIRECTORY_NOT_EMPTY); - - r = dir_is_empty(c->parameter); -- return r <= 0 && r != -ENOENT; -+ return r <= 0 && !IN_SET(r, -ENOENT, -ENOTDIR); - } - - static int condition_test_file_not_empty(Condition *c, char **env) { --- -2.33.0 - diff --git a/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch b/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch deleted file mode 100644 index b70ba2c..0000000 --- a/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 80b7a4276abb832b6af1d1d060affb0988ab7fa0 Mon Sep 17 00:00:00 2001 -From: jiangchuangang -Date: Tue, 30 Nov 2021 15:25:27 +0800 -Subject: [PATCH] fix ConditionPathIsReadWrite when path does not exist. - -(cherry picked from commit 7c4c9948d02ceda903ed4e4deea0d0084612625a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/80b7a4276abb832b6af1d1d060affb0988ab7fa0 ---- - src/shared/condition.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/shared/condition.c b/src/shared/condition.c -index 163ddc1208..6645f771dd 100644 ---- a/src/shared/condition.c -+++ b/src/shared/condition.c -@@ -897,11 +897,15 @@ static int condition_test_path_is_mount_point(Condition *c, char **env) { - } - - static int condition_test_path_is_read_write(Condition *c, char **env) { -+ int r; -+ - assert(c); - assert(c->parameter); - assert(c->type == CONDITION_PATH_IS_READ_WRITE); - -- return path_is_read_only_fs(c->parameter) <= 0; -+ r = path_is_read_only_fs(c->parameter); -+ -+ return r <= 0 && r != -ENOENT; - } - - static int condition_test_cpufeature(Condition *c, char **env) { --- -2.33.0 - diff --git a/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch b/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch deleted file mode 100644 index 0e0f6d6..0000000 --- a/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 0fdcae09c44486e30e4fe0469606c02d034577be Mon Sep 17 00:00:00 2001 -From: yangmingtai <961612727@qq.com> -Date: Mon, 6 Dec 2021 17:06:13 +0800 -Subject: [PATCH] fix DirectoryNotEmpty when it comes to a Non-directory file - -(cherry picked from commit 5896a9ebdbe4d38c01390d0a5e82f9fcb4971059) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0fdcae09c44486e30e4fe0469606c02d034577be ---- - src/core/path.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/path.c b/src/core/path.c -index e098e83a31..684e17f433 100644 ---- a/src/core/path.c -+++ b/src/core/path.c -@@ -215,7 +215,7 @@ static bool path_spec_check_good(PathSpec *s, bool initial, bool from_trigger_no - int k; - - k = dir_is_empty(s->path); -- good = !(k == -ENOENT || k > 0); -+ good = !(IN_SET(k, -ENOENT, -ENOTDIR) || k > 0); - break; - } - --- -2.33.0 - diff --git a/backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch b/backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch deleted file mode 100644 index bab8745..0000000 --- a/backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch +++ /dev/null @@ -1,71 +0,0 @@ -From bad124022e97195191d3dd1ea2b5b9aa9df57aea Mon Sep 17 00:00:00 2001 -From: yangmingtai <961612727@qq.com> -Date: Tue, 11 Jan 2022 20:22:11 +0800 -Subject: [PATCH] fix test-string-util failed when locale is not utf8 - -(cherry picked from commit 647082cf7f07a87c65601626e86c3ed9f78fb387) -(cherry picked from commit 32f33c9474ab89061d799a92a1273b106468e8c6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bad124022e97195191d3dd1ea2b5b9aa9df57aea ---- - src/test/test-string-util.c | 32 ++++++++++++++++---------------- - 1 file changed, 16 insertions(+), 16 deletions(-) - -diff --git a/src/test/test-string-util.c b/src/test/test-string-util.c -index 4d9d0260c9..266aee9115 100644 ---- a/src/test/test-string-util.c -+++ b/src/test/test-string-util.c -@@ -176,33 +176,33 @@ static void test_cellescape(void) { - assert_se(streq(cellescape(buf, 1, "\020"), "")); - assert_se(streq(cellescape(buf, 2, "\020"), ".")); - assert_se(streq(cellescape(buf, 3, "\020"), "..")); -- assert_se(streq(cellescape(buf, 4, "\020"), "…")); -+ assert_se(streq(cellescape(buf, 4, "\020"), is_locale_utf8() ? "…" : "...")); - assert_se(streq(cellescape(buf, 5, "\020"), "\\020")); - -- assert_se(streq(cellescape(buf, 5, "1234\020"), "1…")); -- assert_se(streq(cellescape(buf, 6, "1234\020"), "12…")); -- assert_se(streq(cellescape(buf, 7, "1234\020"), "123…")); -- assert_se(streq(cellescape(buf, 8, "1234\020"), "1234…")); -+ assert_se(streq(cellescape(buf, 5, "1234\020"), is_locale_utf8() ? "1…" : "1...")); -+ assert_se(streq(cellescape(buf, 6, "1234\020"), is_locale_utf8() ? "12…" : "12...")); -+ assert_se(streq(cellescape(buf, 7, "1234\020"), is_locale_utf8() ? "123…" : "123...")); -+ assert_se(streq(cellescape(buf, 8, "1234\020"), is_locale_utf8() ? "1234…" : "1234...")); - assert_se(streq(cellescape(buf, 9, "1234\020"), "1234\\020")); - - assert_se(streq(cellescape(buf, 1, "\t\n"), "")); - assert_se(streq(cellescape(buf, 2, "\t\n"), ".")); - assert_se(streq(cellescape(buf, 3, "\t\n"), "..")); -- assert_se(streq(cellescape(buf, 4, "\t\n"), "…")); -+ assert_se(streq(cellescape(buf, 4, "\t\n"), is_locale_utf8() ? "…" : "...")); - assert_se(streq(cellescape(buf, 5, "\t\n"), "\\t\\n")); - -- assert_se(streq(cellescape(buf, 5, "1234\t\n"), "1…")); -- assert_se(streq(cellescape(buf, 6, "1234\t\n"), "12…")); -- assert_se(streq(cellescape(buf, 7, "1234\t\n"), "123…")); -- assert_se(streq(cellescape(buf, 8, "1234\t\n"), "1234…")); -+ assert_se(streq(cellescape(buf, 5, "1234\t\n"), is_locale_utf8() ? "1…" : "1...")); -+ assert_se(streq(cellescape(buf, 6, "1234\t\n"), is_locale_utf8() ? "12…" : "12...")); -+ assert_se(streq(cellescape(buf, 7, "1234\t\n"), is_locale_utf8() ? "123…" : "123...")); -+ assert_se(streq(cellescape(buf, 8, "1234\t\n"), is_locale_utf8() ? "1234…" : "1234...")); - assert_se(streq(cellescape(buf, 9, "1234\t\n"), "1234\\t\\n")); - -- assert_se(streq(cellescape(buf, 4, "x\t\020\n"), "…")); -- assert_se(streq(cellescape(buf, 5, "x\t\020\n"), "x…")); -- assert_se(streq(cellescape(buf, 6, "x\t\020\n"), "x…")); -- assert_se(streq(cellescape(buf, 7, "x\t\020\n"), "x\\t…")); -- assert_se(streq(cellescape(buf, 8, "x\t\020\n"), "x\\t…")); -- assert_se(streq(cellescape(buf, 9, "x\t\020\n"), "x\\t…")); -+ assert_se(streq(cellescape(buf, 4, "x\t\020\n"), is_locale_utf8() ? "…" : "...")); -+ assert_se(streq(cellescape(buf, 5, "x\t\020\n"), is_locale_utf8() ? "x…" : "x...")); -+ assert_se(streq(cellescape(buf, 6, "x\t\020\n"), is_locale_utf8() ? "x…" : "x...")); -+ assert_se(streq(cellescape(buf, 7, "x\t\020\n"), is_locale_utf8() ? "x\\t…" : "x\\t...")); -+ assert_se(streq(cellescape(buf, 8, "x\t\020\n"), is_locale_utf8() ? "x\\t…" : "x\\t...")); -+ assert_se(streq(cellescape(buf, 9, "x\t\020\n"), is_locale_utf8() ? "x\\t…" : "x\\t...")); - assert_se(streq(cellescape(buf, 10, "x\t\020\n"), "x\\t\\020\\n")); - - assert_se(streq(cellescape(buf, 6, "1\011"), "1\\t")); --- -2.33.0 - diff --git a/backport-fstab-generator-Respect-nofail-when-ordering.patch b/backport-fstab-generator-Respect-nofail-when-ordering.patch deleted file mode 100644 index 11b4c20..0000000 --- a/backport-fstab-generator-Respect-nofail-when-ordering.patch +++ /dev/null @@ -1,30 +0,0 @@ -From efd98964fb9202451293043dcffb3898b176a7d0 Mon Sep 17 00:00:00 2001 -From: Vladimir Panteleev -Date: Tue, 17 Aug 2021 18:30:29 +0000 -Subject: [PATCH] fstab-generator: Respect nofail when ordering - -(cherry picked from commit e9aee932409754c9f709a8ea3ad13caf39fce7d2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/efd98964fb9202451293043dcffb3898b176a7d0 ---- - src/fstab-generator/fstab-generator.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c -index a4e3ea5311..b6582c9538 100644 ---- a/src/fstab-generator/fstab-generator.c -+++ b/src/fstab-generator/fstab-generator.c -@@ -435,7 +435,8 @@ static int add_mount( - - /* Order the mount unit we generate relative to the post unit, so that DefaultDependencies= on the - * target unit won't affect us. */ -- if (post && !FLAGS_SET(flags, MOUNT_AUTOMOUNT) && !FLAGS_SET(flags, MOUNT_NOAUTO)) -+ if (post && !FLAGS_SET(flags, MOUNT_AUTOMOUNT) && !FLAGS_SET(flags, MOUNT_NOAUTO) && -+ !FLAGS_SET(flags, MOUNT_NOFAIL)) - fprintf(f, "Before=%s\n", post); - - if (passno != 0) { --- -2.33.0 - diff --git a/backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch b/backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch deleted file mode 100644 index c79e2da..0000000 --- a/backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch +++ /dev/null @@ -1,43 +0,0 @@ -From cee7e40200b5eba60a5fed04fe006e8b48944fb2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 12 Dec 2021 11:43:21 +0900 -Subject: [PATCH] fstab-generator: do not remount /sys when running in a - container - -Closes #21744. - -(cherry picked from commit 18f0eaafd7f180f5d0d2d65349835374146efdb3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/cee7e40200b5eba60a5fed04fe006e8b48944fb2 ---- - src/fstab-generator/fstab-generator.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c -index b6582c9538..1dee728233 100644 ---- a/src/fstab-generator/fstab-generator.c -+++ b/src/fstab-generator/fstab-generator.c -@@ -601,9 +601,16 @@ static int parse_fstab(bool initrd) { - if (!what) - return log_oom(); - -- if (is_device_path(what) && path_is_read_only_fs("/sys") > 0) { -- log_info("Running in a container, ignoring fstab device entry for %s.", what); -- continue; -+ if (path_is_read_only_fs("/sys") > 0) { -+ if (streq(what, "sysfs")) { -+ log_info("Running in a container, ignoring fstab entry for %s.", what); -+ continue; -+ } -+ -+ if (is_device_path(what)) { -+ log_info("Running in a container, ignoring fstab device entry for %s.", what); -+ continue; -+ } - } - - where = strdup(me->mnt_dir); --- -2.33.0 - diff --git a/backport-fstab-generator-skip-root-directory-handling-when-nf.patch b/backport-fstab-generator-skip-root-directory-handling-when-nf.patch deleted file mode 100644 index 34e5b38..0000000 --- a/backport-fstab-generator-skip-root-directory-handling-when-nf.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 60d4ac20d8b02dd8f67150aaf55a4e0d019f58d2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 5 Jan 2022 19:24:46 +0900 -Subject: [PATCH] fstab-generator: skip root directory handling when nfsroot is - requested - -Fixes RHBZ#2037233 (https://bugzilla.redhat.com/show_bug.cgi?id=2037233). - -(cherry picked from commit 77b8e92de8264c0b656a7d2fb437dd8d598ab597) -(cherry picked from commit 7ca41c509e6549abbfc753e560c822b5e32a63cc) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/60d4ac20d8b02dd8f67150aaf55a4e0d019f58d2 ---- - src/fstab-generator/fstab-generator.c | 59 ++++++++++++++++++++++++++- - 1 file changed, 57 insertions(+), 2 deletions(-) - -diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c -index 1dee728233..0f3892789f 100644 ---- a/src/fstab-generator/fstab-generator.c -+++ b/src/fstab-generator/fstab-generator.c -@@ -10,6 +10,7 @@ - #include "fs-util.h" - #include "fstab-util.h" - #include "generator.h" -+#include "in-addr-util.h" - #include "log.h" - #include "main-func.h" - #include "mkdir.h" -@@ -691,6 +692,57 @@ static int parse_fstab(bool initrd) { - return r; - } - -+static int sysroot_is_nfsroot(void) { -+ union in_addr_union u; -+ const char *sep, *a; -+ int r; -+ -+ assert(arg_root_what); -+ -+ /* From dracut.cmdline(7). -+ * -+ * root=[:][:] -+ * root=nfs:[:][:], -+ * root=nfs4:[:][:], -+ * root={dhcp|dhcp6} -+ * -+ * mount nfs share from :/, if no server-ip is given, use dhcp next_server. -+ * If server-ip is an IPv6 address it has to be put in brackets, e.g. [2001:DB8::1]. NFS options -+ * can be appended with the prefix ":" or "," and are separated by ",". */ -+ -+ if (path_equal(arg_root_what, "/dev/nfs") || -+ STR_IN_SET(arg_root_what, "dhcp", "dhcp6") || -+ STARTSWITH_SET(arg_root_what, "nfs:", "nfs4:")) -+ return true; -+ -+ /* IPv6 address */ -+ if (arg_root_what[0] == '[') { -+ sep = strchr(arg_root_what + 1, ']'); -+ if (!sep) -+ return -EINVAL; -+ -+ a = strndupa(arg_root_what + 1, sep - arg_root_what - 1); -+ -+ r = in_addr_from_string(AF_INET6, a, &u); -+ if (r < 0) -+ return r; -+ -+ return true; -+ } -+ -+ /* IPv4 address */ -+ sep = strchr(arg_root_what, ':'); -+ if (sep) { -+ a = strndupa(arg_root_what, sep - arg_root_what); -+ -+ if (in_addr_from_string(AF_INET, a, &u) >= 0) -+ return true; -+ } -+ -+ /* root directory without address */ -+ return path_is_absolute(arg_root_what) && !path_startswith(arg_root_what, "/dev"); -+} -+ - static int add_sysroot_mount(void) { - _cleanup_free_ char *what = NULL; - const char *opts, *fstype; -@@ -708,9 +760,12 @@ static int add_sysroot_mount(void) { - return 0; - } - -- if (path_equal(arg_root_what, "/dev/nfs")) { -+ r = sysroot_is_nfsroot(); -+ if (r < 0) -+ log_debug_errno(r, "Failed to determine if the root directory is on NFS, assuming not: %m"); -+ else if (r > 0) { - /* This is handled by the kernel or the initrd */ -- log_debug("Skipping root directory handling, as /dev/nfs was requested."); -+ log_debug("Skipping root directory handling, as root on NFS was requested."); - return 0; - } - --- -2.33.0 - diff --git a/backport-growfs-don-t-actually-resize-on-dry-run.patch b/backport-growfs-don-t-actually-resize-on-dry-run.patch deleted file mode 100644 index 4e2b237..0000000 --- a/backport-growfs-don-t-actually-resize-on-dry-run.patch +++ /dev/null @@ -1,37 +0,0 @@ -From e9a1f6237f281b4bf05386bd9b2c921ea999232f Mon Sep 17 00:00:00 2001 -From: undef -Date: Thu, 14 Jul 2022 05:53:15 +0000 -Subject: [PATCH] growfs: don't actually resize on dry-run - -This causes systemd-growfs to exit before resizing the partition when -`--dry-run` is passed. Resizing during a dry run of a change breaks the -users expectations. - -(cherry picked from commit d26c0f7243a709cfa7b8bdc87e8131746bb0e2d0) -(cherry picked from commit 00c6c62845c560ef09f845aeedabdc9027be5678) -(cherry picked from commit e39019fd1065c8e2eb078b72359c5e755b013493) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e9a1f6237f281b4bf05386bd9b2c921ea999232f ---- - src/partition/growfs.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/partition/growfs.c b/src/partition/growfs.c -index 15c56d0584..a7e745208b 100644 ---- a/src/partition/growfs.c -+++ b/src/partition/growfs.c -@@ -241,6 +241,10 @@ static int run(int argc, char *argv[]) { - return log_error_errno(errno, "Failed to query size of \"%s\": %m", devpath); - - log_debug("Resizing \"%s\" to %"PRIu64" bytes...", arg_target, size); -+ -+ if (arg_dry_run) -+ return 0; -+ - r = resize_fs(mountfd, size, &newsize); - if (r < 0) - return log_error_errno(r, "Failed to resize \"%s\" to %"PRIu64" bytes: %m", --- -2.27.0 - diff --git a/backport-home-fix-heap-use-after-free.patch b/backport-home-fix-heap-use-after-free.patch deleted file mode 100644 index 47e6799..0000000 --- a/backport-home-fix-heap-use-after-free.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5ed20345db356121bc72e0092c17b74e2de67ff7 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 14 Dec 2021 15:38:12 +0900 -Subject: [PATCH] home: fix heap-use-after-free - -`bus_home_emit_remove()` may be called from manager_free() -> home_free(). -In that case, manager->bus is already unref()ed. - -Fixes #21767. - -(cherry picked from commit 2ff457720bd3bc59985e807b748f6305bdf27826) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5ed20345db356121bc72e0092c17b74e2de67ff7 ---- - src/home/homed-home-bus.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/home/homed-home-bus.c b/src/home/homed-home-bus.c -index c71256d15e..601ecc5cf5 100644 ---- a/src/home/homed-home-bus.c -+++ b/src/home/homed-home-bus.c -@@ -940,6 +940,12 @@ int bus_home_emit_remove(Home *h) { - if (!h->announced) - return 0; - -+ if (!h->manager) -+ return 0; -+ -+ if (!h->manager->bus) -+ return 0; -+ - r = bus_home_path(h, &path); - if (r < 0) - return r; --- -2.33.0 - diff --git a/backport-home-secret-argument-of-handle_generic_user_record_e.patch b/backport-home-secret-argument-of-handle_generic_user_record_e.patch deleted file mode 100644 index ffb203f..0000000 --- a/backport-home-secret-argument-of-handle_generic_user_record_e.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 5179b3a071535610be2b55efa77f174c87c3c2b6 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 5 Sep 2021 11:16:26 +0900 -Subject: [PATCH] home: 'secret' argument of handle_generic_user_record_error - may be null - -When RefHome() bus method is called in acquire_home(), secret is NULL. - -Fixes #20639. - -(cherry picked from commit 6a09dbb89507449d158af6c7097d2c51ce83205f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5179b3a071535610be2b55efa77f174c87c3c2b6 ---- - src/home/pam_systemd_home.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c -index b7db39dab9..27b292f460 100644 ---- a/src/home/pam_systemd_home.c -+++ b/src/home/pam_systemd_home.c -@@ -281,7 +281,6 @@ static int handle_generic_user_record_error( - const sd_bus_error *error) { - - assert(user_name); -- assert(secret); - assert(error); - - int r; -@@ -301,6 +300,8 @@ static int handle_generic_user_record_error( - } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD)) { - _cleanup_(erase_and_freep) char *newp = NULL; - -+ assert(secret); -+ - /* This didn't work? Ask for an (additional?) password */ - - if (strv_isempty(secret->password)) -@@ -326,6 +327,8 @@ static int handle_generic_user_record_error( - } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) { - _cleanup_(erase_and_freep) char *newp = NULL; - -+ assert(secret); -+ - if (strv_isempty(secret->password)) { - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token of user %s not inserted.", user_name); - r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Try again with password: "); -@@ -350,6 +353,8 @@ static int handle_generic_user_record_error( - } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) { - _cleanup_(erase_and_freep) char *newp = NULL; - -+ assert(secret); -+ - r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Security token PIN: "); - if (r != PAM_SUCCESS) - return PAM_CONV_ERR; /* no logging here */ -@@ -367,6 +372,8 @@ static int handle_generic_user_record_error( - - } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) { - -+ assert(secret); -+ - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please authenticate physically on security token of user %s.", user_name); - - r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true); -@@ -377,6 +384,8 @@ static int handle_generic_user_record_error( - - } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) { - -+ assert(secret); -+ - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name); - - r = user_record_set_fido2_user_presence_permitted(secret, true); -@@ -387,6 +396,8 @@ static int handle_generic_user_record_error( - - } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) { - -+ assert(secret); -+ - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name); - - r = user_record_set_fido2_user_verification_permitted(secret, true); -@@ -403,6 +414,8 @@ static int handle_generic_user_record_error( - } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) { - _cleanup_(erase_and_freep) char *newp = NULL; - -+ assert(secret); -+ - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN incorrect for user %s.", user_name); - r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); - if (r != PAM_SUCCESS) -@@ -422,6 +435,8 @@ static int handle_generic_user_record_error( - } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_FEW_TRIES_LEFT)) { - _cleanup_(erase_and_freep) char *newp = NULL; - -+ assert(secret); -+ - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only a few tries left!)", user_name); - r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); - if (r != PAM_SUCCESS) -@@ -441,6 +456,8 @@ static int handle_generic_user_record_error( - } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT)) { - _cleanup_(erase_and_freep) char *newp = NULL; - -+ assert(secret); -+ - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only one try left!)", user_name); - r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); - if (r != PAM_SUCCESS) --- -2.33.0 - diff --git a/backport-homed-add-missing-SYNTHETIC_ERRNO.patch b/backport-homed-add-missing-SYNTHETIC_ERRNO.patch deleted file mode 100644 index 56b670c..0000000 --- a/backport-homed-add-missing-SYNTHETIC_ERRNO.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 00eff1d423d2cb336d1e378cc8f348d2d19c2ed4 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 31 Aug 2021 10:47:29 +0200 -Subject: [PATCH] homed: add missing SYNTHETIC_ERRNO() - -(cherry picked from commit 9191142ddfb3ccd2007245c01197d3f42943815c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/00eff1d423d2cb336d1e378cc8f348d2d19c2ed4 ---- - src/home/homework-cifs.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c -index a697f7e5ee..04a4db8a94 100644 ---- a/src/home/homework-cifs.c -+++ b/src/home/homework-cifs.c -@@ -86,7 +86,8 @@ int home_prepare_cifs( - } - - if (!mounted) -- return log_error_errno(ENOKEY, "Failed to mount home directory with supplied password."); -+ return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), -+ "Failed to mount home directory with supplied password."); - - setup->root_fd = open("/run/systemd/user-home-mount", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); - } --- -2.33.0 - diff --git a/backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch b/backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch deleted file mode 100644 index 31da36a..0000000 --- a/backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f41b77e9788541244ad6d6bafe3e130fbabace84 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 31 Aug 2021 10:47:02 +0200 -Subject: [PATCH] homed: fix log message referring to fsck, when we actually - mean mount - -(cherry picked from commit e070b9eac92993422db25c72ebdbdcc1cf424a0f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f41b77e9788541244ad6d6bafe3e130fbabace84 ---- - src/home/homework-cifs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c -index cf3c58431a..a697f7e5ee 100644 ---- a/src/home/homework-cifs.c -+++ b/src/home/homework-cifs.c -@@ -71,7 +71,7 @@ int home_prepare_cifs( - h->cifs_service, "/run/systemd/user-home-mount", - "-o", options, NULL); - -- log_error_errno(errno, "Failed to execute fsck: %m"); -+ log_error_errno(errno, "Failed to execute mount: %m"); - _exit(EXIT_FAILURE); - } - --- -2.33.0 - diff --git a/backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch b/backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch deleted file mode 100644 index ba15a3e..0000000 --- a/backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b2420e2f911455b57edbb67e16883485ba75a638 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 31 Aug 2021 10:46:06 +0200 -Subject: [PATCH] homed: make sure to use right asssesors for GID + access mode - -Don't reach directly into the UserRecord struct, but use the right -assessors, so that the "unspecified" case is covered. - -(cherry picked from commit 279e060e2549183101ebf94e9739b70ed499c4c1) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b2420e2f911455b57edbb67e16883485ba75a638 ---- - src/home/homework-cifs.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c -index 2254eb59cd..cf3c58431a 100644 ---- a/src/home/homework-cifs.c -+++ b/src/home/homework-cifs.c -@@ -58,8 +58,8 @@ int home_prepare_cifs( - - f = safe_fclose(f); - -- if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" UID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o", -- p, h->uid, h->uid, h->access_mode, h->access_mode) < 0) -+ if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" GID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o", -+ p, h->uid, user_record_gid(h), user_record_access_mode(h), user_record_access_mode(h)) < 0) - return log_oom(); - - r = safe_fork("(mount)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR, &mount_pid); --- -2.33.0 - diff --git a/backport-homed-remove-misplaced-assert.patch b/backport-homed-remove-misplaced-assert.patch deleted file mode 100644 index a541e8d..0000000 --- a/backport-homed-remove-misplaced-assert.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3c8240a44dc28a4c7c60c1599799383776f9e6dc Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 31 Aug 2021 10:47:40 +0200 -Subject: [PATCH] homed: remove misplaced assert() - -(cherry picked from commit 67f9bf897c762ecb61872a5e8e0707a97c8ccd3d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/3c8240a44dc28a4c7c60c1599799383776f9e6dc ---- - src/home/homework-mount.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/home/homework-mount.c b/src/home/homework-mount.c -index 5e737687d1..da4f14e08d 100644 ---- a/src/home/homework-mount.c -+++ b/src/home/homework-mount.c -@@ -69,9 +69,10 @@ int home_move_mount(const char *user_name_and_realm, const char *target) { - const char *d; - int r; - -- assert(user_name_and_realm); - assert(target); - -+ /* If user_name_and_realm is set, then we'll mount a subdir of the source mount into the host. If -+ * it's NULL we'll move the mount itself */ - if (user_name_and_realm) { - subdir = path_join("/run/systemd/user-home-mount/", user_name_and_realm); - if (!subdir) --- -2.33.0 - diff --git a/backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch b/backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch deleted file mode 100644 index 83bced0..0000000 --- a/backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch +++ /dev/null @@ -1,84 +0,0 @@ -From bf6bd21f7c887ffa4591ed0cee00b234835ca2be Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 15 Oct 2021 17:58:13 +0200 -Subject: [PATCH] homed,shutdown: call valgrind magic after LOOP_GET_STATUS64 - -valgrind doesn't understand LOOP_GET_STATUS64. We already work around -this in various placed, via VALGRIND_MAKE_MEM_DEFINE(), but we forgot -three places. Let's fix that. - -(cherry picked from commit 48f462547d63e1d03bee612e1c77073263e71293) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bf6bd21f7c887ffa4591ed0cee00b234835ca2be ---- - src/home/homework-luks.c | 8 ++++++++ - src/shutdown/umount.c | 12 ++++++++++++ - 2 files changed, 20 insertions(+) - -diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c -index 38d7d7cc70..05a0ed861e 100644 ---- a/src/home/homework-luks.c -+++ b/src/home/homework-luks.c -@@ -8,6 +8,10 @@ - #include - #include - -+#if HAVE_VALGRIND_MEMCHECK_H -+#include -+#endif -+ - #include "blkid-util.h" - #include "blockdev-util.h" - #include "btrfs-util.h" -@@ -1136,6 +1140,10 @@ int home_prepare_luks( - offset *= 512U; - } - } else { -+#if HAVE_VALGRIND_MEMCHECK_H -+ VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); -+#endif -+ - offset = info.lo_offset; - size = info.lo_sizelimit; - } -diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c -index c2a26242c0..1f945b7875 100644 ---- a/src/shutdown/umount.c -+++ b/src/shutdown/umount.c -@@ -15,6 +15,10 @@ - #include - #include - -+#if HAVE_VALGRIND_MEMCHECK_H -+#include -+#endif -+ - #include "sd-device.h" - - #include "alloc-util.h" -@@ -409,6 +413,10 @@ static int delete_loopback(const char *device) { - return -EBUSY; /* propagate original error */ - } - -+#if HAVE_VALGRIND_MEMCHECK_H -+ VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); -+#endif -+ - if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) /* someone else already set LO_FLAGS_AUTOCLEAR for us? fine by us */ - return -EBUSY; /* propagate original error */ - -@@ -434,6 +442,10 @@ static int delete_loopback(const char *device) { - return 1; - } - -+#if HAVE_VALGRIND_MEMCHECK_H -+ VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); -+#endif -+ - /* Linux makes LOOP_CLR_FD succeed whenever LO_FLAGS_AUTOCLEAR is set without actually doing - * anything. Very confusing. Let's hence not claim we did anything in this case. */ - if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) --- -2.33.0 - diff --git a/backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch b/backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch deleted file mode 100644 index 84b46be..0000000 --- a/backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7b3ff9a957630535ec58aeca7e41e6c63fa99114 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 15 Oct 2021 11:23:00 +0200 -Subject: [PATCH] homework: don't bother with BLKRRPART on images that aren't - block devices - -We currently call this ioctl even if we are backed by a regular file, -which is actually the common case. While this doesn't really hurt, it -does result in very confusing logs. - -(cherry picked from commit 6a1301d8c97dc650e4355bb7c193f5821b3383a8) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7b3ff9a957630535ec58aeca7e41e6c63fa99114 ---- - src/home/homework-luks.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c -index 64bbfe3c77..38d7d7cc70 100644 ---- a/src/home/homework-luks.c -+++ b/src/home/homework-luks.c -@@ -2813,7 +2813,7 @@ int home_resize_luks( - if (r > 0) - log_info("Growing of partition completed."); - -- if (ioctl(image_fd, BLKRRPART, 0) < 0) -+ if (S_ISBLK(st.st_mode) && ioctl(image_fd, BLKRRPART, 0) < 0) - log_debug_errno(errno, "BLKRRPART failed on block device, ignoring: %m"); - - /* Tell LUKS about the new bigger size too */ -@@ -2887,7 +2887,7 @@ int home_resize_luks( - if (r > 0) - log_info("Shrinking of partition completed."); - -- if (ioctl(image_fd, BLKRRPART, 0) < 0) -+ if (S_ISBLK(st.st_mode) && ioctl(image_fd, BLKRRPART, 0) < 0) - log_debug_errno(errno, "BLKRRPART failed on block device, ignoring: %m"); - } else { - r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home); --- -2.33.0 - diff --git a/backport-homework-fix-a-bad-error-propagation.patch b/backport-homework-fix-a-bad-error-propagation.patch deleted file mode 100644 index 8f04f0b..0000000 --- a/backport-homework-fix-a-bad-error-propagation.patch +++ /dev/null @@ -1,29 +0,0 @@ -From e05915315fdf21ee51ec1501e02d04ba1e9af045 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 24 Nov 2021 18:36:00 +0100 -Subject: [PATCH] homework: fix a bad error propagation - -(cherry picked from commit b05f4495bd374dc28d39ea43ac7cec3f0fea4071) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e05915315fdf21ee51ec1501e02d04ba1e9af045 ---- - src/home/homework.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/home/homework.c b/src/home/homework.c -index b20b4bdf3e..32a42c5d09 100644 ---- a/src/home/homework.c -+++ b/src/home/homework.c -@@ -485,7 +485,7 @@ static int write_identity_file(int root_fd, JsonVariant *v, uid_t uid) { - } - - if (fchown(fileno(identity_file), uid, uid) < 0) { -- log_error_errno(r, "Failed to change ownership of identity file: %m"); -+ r = log_error_errno(errno, "Failed to change ownership of identity file: %m"); - goto fail; - } - --- -2.33.0 - diff --git a/backport-homework-fix-incorrect-error-variable-use.patch b/backport-homework-fix-incorrect-error-variable-use.patch deleted file mode 100644 index 3b7d747..0000000 --- a/backport-homework-fix-incorrect-error-variable-use.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 3e9dbda7d5efbe642e6254cc086b4cf54c862618 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 14 Oct 2021 15:40:59 +0200 -Subject: [PATCH] homework: fix incorrect error variable use - -(cherry picked from commit 82fb0911fc0aa2aaf39428ef36e78898ece2b4ea) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/3e9dbda7d5efbe642e6254cc086b4cf54c862618 ---- - src/home/homework-luks.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c -index 6448883fe0..64bbfe3c77 100644 ---- a/src/home/homework-luks.c -+++ b/src/home/homework-luks.c -@@ -1146,7 +1146,7 @@ int home_prepare_luks( - - root_fd = open(user_record_home_directory(h), O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); - if (root_fd < 0) { -- r = log_error_errno(r, "Failed to open home directory: %m"); -+ r = log_error_errno(errno, "Failed to open home directory: %m"); - goto fail; - } - } else { -@@ -1233,7 +1233,7 @@ int home_prepare_luks( - - root_fd = open(subdir, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); - if (root_fd < 0) { -- r = log_error_errno(r, "Failed to open home directory: %m"); -+ r = log_error_errno(errno, "Failed to open home directory: %m"); - goto fail; - } - --- -2.33.0 - diff --git a/backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch b/backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch deleted file mode 100644 index 21dc8b5..0000000 --- a/backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 7b49704dfe47474be0d74996db45e6ba42d6b2e1 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 28 Oct 2021 19:06:52 +0200 -Subject: [PATCH] homework,repart: turn on cryptsetup logging before we have a - context - -Otherwise we'll miss the log message from allocation of the context. We -already made this change in most of our tools that interface with -libcryptsetup, but we forgot two. - -As suggested: - -https://github.com/systemd/systemd/pull/21135#discussion_r738287504 -(cherry picked from commit 30f194001ff647280ad49b68597c223e57ad7f6e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7b49704dfe47474be0d74996db45e6ba42d6b2e1 ---- - src/home/homework.c | 2 ++ - src/partition/repart.c | 4 ++++ - 2 files changed, 6 insertions(+) - -diff --git a/src/home/homework.c b/src/home/homework.c -index bdd9ac649e..b20b4bdf3e 100644 ---- a/src/home/homework.c -+++ b/src/home/homework.c -@@ -1651,6 +1651,8 @@ static int run(int argc, char *argv[]) { - - log_setup(); - -+ cryptsetup_enable_logging(NULL); -+ - umask(0022); - - if (argc < 2 || argc > 3) -diff --git a/src/partition/repart.c b/src/partition/repart.c -index 3c80d1380a..7602ac6aa8 100644 ---- a/src/partition/repart.c -+++ b/src/partition/repart.c -@@ -4863,6 +4863,10 @@ static int run(int argc, char *argv[]) { - if (r < 0) - return r; - -+#if HAVE_LIBCRYPTSETUP -+ cryptsetup_enable_logging(NULL); -+#endif -+ - if (arg_image) { - assert(!arg_root); - --- -2.33.0 - diff --git a/backport-hostname-fix-off-by-one-issue-in-gethostname.patch b/backport-hostname-fix-off-by-one-issue-in-gethostname.patch deleted file mode 100644 index 30fdc7d..0000000 --- a/backport-hostname-fix-off-by-one-issue-in-gethostname.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 6a8b886fef4ad101108126cab2125a90f7aa6441 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 11 Aug 2021 00:12:40 +0900 -Subject: [PATCH] hostname: fix off-by-one issue in gethostname() - -gethostname() returns null-terminated hostname. - -Fixes #20309 and #20417. - -(cherry picked from commit ccdf235464297c2ca4c1dea8733a6bad423084d5) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6a8b886fef4ad101108126cab2125a90f7aa6441 ---- - src/shared/hostname-setup.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/shared/hostname-setup.c b/src/shared/hostname-setup.c -index 511aa7d031..742174d6c8 100644 ---- a/src/shared/hostname-setup.c -+++ b/src/shared/hostname-setup.c -@@ -20,11 +20,11 @@ - #include "util.h" - - static int sethostname_idempotent_full(const char *s, bool really) { -- char buf[HOST_NAME_MAX + 1] = {}; -+ char buf[HOST_NAME_MAX + 1]; - - assert(s); - -- if (gethostname(buf, sizeof(buf) - 1) < 0) -+ if (gethostname(buf, sizeof(buf)) < 0) - return -errno; - - if (streq(buf, s)) -@@ -42,11 +42,11 @@ int sethostname_idempotent(const char *s) { - } - - bool get_hostname_filtered(char ret[static HOST_NAME_MAX + 1]) { -- char buf[HOST_NAME_MAX + 1] = {}; -+ char buf[HOST_NAME_MAX + 1]; - - /* Returns true if we got a good hostname, false otherwise. */ - -- if (gethostname(buf, sizeof(buf) - 1) < 0) -+ if (gethostname(buf, sizeof(buf)) < 0) - return false; /* This can realistically only fail with ENAMETOOLONG. - * Let's treat that case the same as an invalid hostname. */ - --- -2.33.0 - diff --git a/backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch b/backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch deleted file mode 100644 index 184cfdf..0000000 --- a/backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch +++ /dev/null @@ -1,59 +0,0 @@ -From b873f52871845b769f739e9d6954080ba490200c Mon Sep 17 00:00:00 2001 -From: Jan Palus -Date: Thu, 8 Jul 2021 00:23:21 +0200 -Subject: [PATCH] hostnamed: correct variable with errno in fallback_chassis - -fixes assertion failure on arm: - -systemd-hostnamed[642]: Assertion '(_error) != 0' failed at src/hostname/hostnamed.c:207, function fallback_chassis(). Aborting. - -(cherry picked from commit 105a4245ff13d588e1e848e8ee3cffd6185bd0ae) -(cherry picked from commit 4a44597bdd725f504ebd520b0deef7797dc46daa) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b873f52871845b769f739e9d6954080ba490200c ---- - src/hostname/hostnamed.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c -index bd535ddc4d..36702f2fb0 100644 ---- a/src/hostname/hostnamed.c -+++ b/src/hostname/hostnamed.c -@@ -204,14 +204,14 @@ static const char* fallback_chassis(void) { - - r = read_one_line_file("/sys/class/dmi/id/chassis_type", &type); - if (r < 0) { -- log_debug_errno(v, "Failed to read DMI chassis type, ignoring: %m"); -+ log_debug_errno(r, "Failed to read DMI chassis type, ignoring: %m"); - goto try_acpi; - } - - r = safe_atou(type, &t); - free(type); - if (r < 0) { -- log_debug_errno(v, "Failed to parse DMI chassis type, ignoring: %m"); -+ log_debug_errno(r, "Failed to parse DMI chassis type, ignoring: %m"); - goto try_acpi; - } - -@@ -260,14 +260,14 @@ static const char* fallback_chassis(void) { - try_acpi: - r = read_one_line_file("/sys/firmware/acpi/pm_profile", &type); - if (r < 0) { -- log_debug_errno(v, "Failed read ACPI PM profile, ignoring: %m"); -+ log_debug_errno(r, "Failed read ACPI PM profile, ignoring: %m"); - return NULL; - } - - r = safe_atou(type, &t); - free(type); - if (r < 0) { -- log_debug_errno(v, "Failed parse ACPI PM profile, ignoring: %m"); -+ log_debug_errno(r, "Failed parse ACPI PM profile, ignoring: %m"); - return NULL; - } - --- -2.33.0 - diff --git a/backport-hwdb-Allow-console-users-access-to-media-nodes.patch b/backport-hwdb-Allow-console-users-access-to-media-nodes.patch deleted file mode 100644 index 991bd32..0000000 --- a/backport-hwdb-Allow-console-users-access-to-media-nodes.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 920d0d1b14dfb94788a5b2794860cac583b982c3 Mon Sep 17 00:00:00 2001 -From: Bastien Nocera -Date: Tue, 26 Oct 2021 11:57:30 +0200 -Subject: [PATCH] hwdb: Allow console users access to media* nodes - -Newer webcams and video devices have controls only available through -/dev/media* nodes. Make sure they're accessible in the same way as -/dev/video* nodes. - -Closes: #21054 -(cherry picked from commit 63fbfc598f9f6d3ce34cc00a7687089dab24daff) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/920d0d1b14dfb94788a5b2794860cac583b982c3 ---- - src/login/70-uaccess.rules.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/login/70-uaccess.rules.in b/src/login/70-uaccess.rules.in -index 56e1087fef..1b6be82703 100644 ---- a/src/login/70-uaccess.rules.in -+++ b/src/login/70-uaccess.rules.in -@@ -33,6 +33,7 @@ SUBSYSTEM=="sound", TAG+="uaccess", \ - # Webcams, frame grabber, TV cards - SUBSYSTEM=="video4linux", TAG+="uaccess" - SUBSYSTEM=="dvb", TAG+="uaccess" -+SUBSYSTEM=="media", TAG+="uaccess" - - # industrial cameras, some webcams, camcorders, set-top boxes, TV sets, audio devices, and more - SUBSYSTEM=="firewire", TEST=="units", ENV{IEEE1394_UNIT_FUNCTION_MIDI}=="1", TAG+="uaccess" --- -2.33.0 - diff --git a/backport-hwdb-fix-parsing-options.patch b/backport-hwdb-fix-parsing-options.patch deleted file mode 100644 index 00eb94e..0000000 --- a/backport-hwdb-fix-parsing-options.patch +++ /dev/null @@ -1,34 +0,0 @@ -From eee4da4d240bef47a6cc8ab60838d6c443ab8ab8 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 6 Apr 2022 01:08:35 +0900 -Subject: [PATCH] hwdb: fix parsing options - -Fixes #22976. - -(cherry picked from commit 5674b74c4f99e433fd8e7242e9f16f6ddfece94c) -(cherry picked from commit df6253cbda3e5d1b3c694de223cb7899f3aecc74) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/eee4da4d240bef47a6cc8ab60838d6c443ab8ab8 ---- - src/hwdb/hwdb.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/hwdb/hwdb.c b/src/hwdb/hwdb.c -index 50b4cb304a..a3a050530b 100644 ---- a/src/hwdb/hwdb.c -+++ b/src/hwdb/hwdb.c -@@ -73,8 +73,8 @@ static int parse_argv(int argc, char *argv[]) { - assert(argc >= 0); - assert(argv); - -- while ((c = getopt_long(argc, argv, "ust:r:h", options, NULL)) >= 0) -- switch(c) { -+ while ((c = getopt_long(argc, argv, "sr:h", options, NULL)) >= 0) -+ switch (c) { - - case 'h': - return help(); --- -2.33.0 - diff --git a/backport-hwdb-remove-double-empty-line-in-help-text.patch b/backport-hwdb-remove-double-empty-line-in-help-text.patch deleted file mode 100644 index 7189fea..0000000 --- a/backport-hwdb-remove-double-empty-line-in-help-text.patch +++ /dev/null @@ -1,29 +0,0 @@ -From da61fe147e40ba26ed8cf405dbf0a0e71e060d0b Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 30 Aug 2021 13:20:59 +0200 -Subject: [PATCH] hwdb: remove double empty line in --help text - -(cherry picked from commit aecc04f1800c87e0479e74e0225e288a403ba77e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/da61fe147e40ba26ed8cf405dbf0a0e71e060d0b ---- - src/hwdb/hwdb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/hwdb/hwdb.c b/src/hwdb/hwdb.c -index 26cc83f31b..50b4cb304a 100644 ---- a/src/hwdb/hwdb.c -+++ b/src/hwdb/hwdb.c -@@ -43,7 +43,7 @@ static int help(void) { - " --version Show package version\n" - " -s --strict When updating, return non-zero exit value on any parsing error\n" - " --usr Generate in " UDEVLIBEXECDIR " instead of /etc/udev\n" -- " -r --root=PATH Alternative root path in the filesystem\n\n" -+ " -r --root=PATH Alternative root path in the filesystem\n" - "\nSee the %s for details.\n", - program_invocation_short_name, - ansi_highlight(), --- -2.33.0 - diff --git a/backport-icmp6-drop-unnecessary-assertion.patch b/backport-icmp6-drop-unnecessary-assertion.patch deleted file mode 100644 index 4b4dbae..0000000 --- a/backport-icmp6-drop-unnecessary-assertion.patch +++ /dev/null @@ -1,30 +0,0 @@ -From aff2bf0465f677ba60e1cc701ae73968991e4a3f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 20 Aug 2021 08:44:27 +0900 -Subject: [PATCH] icmp6: drop unnecessary assertion - -Follow-up for 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1. - -(cherry picked from commit 6da22a2fa592cc908d26c732b537d8b4fc004280) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/aff2bf0465f677ba60e1cc701ae73968991e4a3f ---- - src/libsystemd-network/icmp6-util.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c -index 67c6b55d84..0b8c3e4cc3 100644 ---- a/src/libsystemd-network/icmp6-util.c -+++ b/src/libsystemd-network/icmp6-util.c -@@ -186,7 +186,6 @@ int icmp6_receive(int fd, void *buffer, size_t size, struct in6_addr *ret_dst, - - /* namelen == 0 only happens when running the test-suite over a socketpair */ - -- assert(!(msg.msg_flags & MSG_CTRUNC)); - assert(!(msg.msg_flags & MSG_TRUNC)); - - CMSG_FOREACH(cmsg, &msg) { --- -2.33.0 - diff --git a/backport-import-turn-off-weird-protocols-in-curl.patch b/backport-import-turn-off-weird-protocols-in-curl.patch deleted file mode 100644 index 5994c12..0000000 --- a/backport-import-turn-off-weird-protocols-in-curl.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 4d8fd88b9641fce81272f60f556543f713175403 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 19 Aug 2021 18:12:56 +0200 -Subject: [PATCH] import: turn off weird protocols in curl - -Let's lock things down a bit and now allow curl's weirder protocols to -be used with our use. i.e. stick to http:// + https:// + file:// and -turn everything else off. (Gopher!) - -This is cde that interfaces with the network after all, and we better -shouldn't support protocols needlessly that are much less tested. - -(Given that HTTP redirects (and other redirects) exist, this should give -us a security benefit, since we will then be sure that noone can forward -us to a weird protocol, which we never tested, and other people test -neither) - -(cherry picked from commit 55b90ee00b78a449c8f187a5e8141f8ccb100bf4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4d8fd88b9641fce81272f60f556543f713175403 ---- - src/import/curl-util.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/import/curl-util.c b/src/import/curl-util.c -index ed2ac0a654..d6a16b4f57 100644 ---- a/src/import/curl-util.c -+++ b/src/import/curl-util.c -@@ -256,6 +256,9 @@ int curl_glue_make(CURL **ret, const char *url, void *userdata) { - if (curl_easy_setopt(c, CURLOPT_LOW_SPEED_LIMIT, 30L) != CURLE_OK) - return -EIO; - -+ if (curl_easy_setopt(c, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_FILE) != CURLE_OK) -+ return -EIO; -+ - *ret = TAKE_PTR(c); - return 0; - } --- -2.33.0 - diff --git a/backport-journactl-show-info-about-journal-range-only-at-debu.patch b/backport-journactl-show-info-about-journal-range-only-at-debu.patch deleted file mode 100644 index 8ade4a1..0000000 --- a/backport-journactl-show-info-about-journal-range-only-at-debu.patch +++ /dev/null @@ -1,51 +0,0 @@ -From cc9ef67919c33b253bed86db415f5970e96440d9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 14 Dec 2021 22:30:15 +0100 -Subject: [PATCH] journactl: show info about journal range only at debug level - (#21775) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The message that the "journal begins … ends …" has been always confusing to -users. (Before b91ae210e62 it was "logs begin … end …" which was arguably even -more confusing, but really the change in b91ae210e62 didn't substantially change -this.) - -When the range shown is limited (by -e, -f, --since, or other options), it -doesn't really matter to the user what the oldest entries are, since they are -purposefully limiting the range. In fact, if we are showing the last few -entries with -e or -f, knowing that many months the oldest entries have is -completely useless. - -And when such options are *not* used, the first entry generally corresponds to -the beginning of the range shown, and the last entry corresponds to the end of -that range. So again, it's not particularly useful, except when debugging -journalctl or such. Let's just treat it as a debug message. - -Fixes #21491. - -(cherry picked from commit a2d7654f99eba250eddf988db262abef96ebbe7a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/cc9ef67919c33b253bed86db415f5970e96440d9 ---- - src/journal/journalctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c -index 3eac97510d..decdf14145 100644 ---- a/src/journal/journalctl.c -+++ b/src/journal/journalctl.c -@@ -2598,7 +2598,7 @@ int main(int argc, char *argv[]) { - if (!arg_follow) - (void) pager_open(arg_pager_flags); - -- if (!arg_quiet && (arg_lines != 0 || arg_follow)) { -+ if (!arg_quiet && (arg_lines != 0 || arg_follow) && DEBUG_LOGGING) { - usec_t start, end; - char start_buf[FORMAT_TIMESTAMP_MAX], end_buf[FORMAT_TIMESTAMP_MAX]; - --- -2.33.0 - diff --git a/backport-journal-Deduplicate-entry-items-before-they-are-stor.patch b/backport-journal-Deduplicate-entry-items-before-they-are-stor.patch deleted file mode 100644 index 757d1da..0000000 --- a/backport-journal-Deduplicate-entry-items-before-they-are-stor.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 71976e91c5a887585b9fb8a162116824b141eecf Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Fri, 12 Nov 2021 14:32:40 +0000 -Subject: [PATCH] journal: Deduplicate entry items before they are stored in - the entry object - -If the iovec contains the same data more than once, we'll end up with -duplicate offsets in the items array. Let's make sure we remove any -duplicates before we store the items in an entry object. - -(cherry picked from commit 5ec9fbae64bef896368f744a875dd0437a4c42f2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/71976e91c5a887585b9fb8a162116824b141eecf ---- - src/libsystemd/sd-journal/journal-file.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c -index ae19c1c1f2..a8029c2868 100644 ---- a/src/libsystemd/sd-journal/journal-file.c -+++ b/src/libsystemd/sd-journal/journal-file.c -@@ -2082,6 +2082,21 @@ static int entry_item_cmp(const EntryItem *a, const EntryItem *b) { - return CMP(le64toh(a->object_offset), le64toh(b->object_offset)); - } - -+static size_t remove_duplicate_entry_items(EntryItem items[], size_t n) { -+ -+ /* This function relies on the items array being sorted. */ -+ size_t j = 1; -+ -+ if (n <= 1) -+ return n; -+ -+ for (size_t i = 1; i < n; i++) -+ if (items[i].object_offset != items[j - 1].object_offset) -+ items[j++] = items[i]; -+ -+ return j; -+} -+ - int journal_file_append_entry( - JournalFile *f, - const dual_timestamp *ts, -@@ -2151,6 +2166,7 @@ int journal_file_append_entry( - /* Order by the position on disk, in order to improve seek - * times for rotating media. */ - typesafe_qsort(items, n_iovec, entry_item_cmp); -+ n_iovec = remove_duplicate_entry_items(items, n_iovec); - - r = journal_file_append_entry_internal(f, ts, boot_id, xor_hash, items, n_iovec, seqnum, ret, ret_offset); - --- -2.33.0 - diff --git a/backport-journal-Only-move-to-objects-when-necessary.patch b/backport-journal-Only-move-to-objects-when-necessary.patch deleted file mode 100644 index 68b0eee..0000000 --- a/backport-journal-Only-move-to-objects-when-necessary.patch +++ /dev/null @@ -1,244 +0,0 @@ -From 57ba83ddd33d8ed5e8cee6a35f6ee780532a7a0d Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Tue, 25 Jan 2022 11:50:40 +0000 -Subject: [PATCH] journal: Only move to objects when necessary - -Conflict:don't modify journal_file_read_object because 117e2112 isn't merged; -don't modify generic_array_get because 8d801e35cb isn't merged; adapt context -Reference:https://github.com/systemd/systemd/commit/ded10e3a5f4c9a9fca9a57f5feb7e77db4155dbd - -Let's make sure we only move to objects when it's required. If "ret" -is NULL, the caller isn't interested in the actual object and the -function being called shouldn't move to it unless it has to -inspect/modify the object itself. ---- - src/libsystemd/sd-journal/journal-file.c | 99 +++++++++-------------- - 1 file changed, 39 insertions(+), 60 deletions(-) - -diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c -index e3e926b..efc5018 100644 ---- a/src/libsystemd/sd-journal/journal-file.c -+++ b/src/libsystemd/sd-journal/journal-file.c -@@ -931,7 +931,6 @@ int journal_file_move_to_object(JournalFile *f, ObjectType type, uint64_t offset - uint64_t s; - - assert(f); -- assert(ret); - - /* Objects may only be located at multiple of 64 bit */ - if (!VALID64(offset)) -@@ -986,7 +985,9 @@ int journal_file_move_to_object(JournalFile *f, ObjectType type, uint64_t offset - if (r < 0) - return r; - -- *ret = o; -+ if (ret) -+ *ret = o; -+ - return 0; - } - -@@ -1584,19 +1585,11 @@ static int journal_file_append_field( - - hash = journal_file_hash_data(f, field, size); - -- r = journal_file_find_field_object_with_hash(f, field, size, hash, &o, &p); -+ r = journal_file_find_field_object_with_hash(f, field, size, hash, ret, ret_offset); - if (r < 0) - return r; -- if (r > 0) { -- -- if (ret) -- *ret = o; -- -- if (ret_offset) -- *ret_offset = p; -- -+ if (r > 0) - return 0; -- } - - osize = offsetof(Object, field.payload) + size; - r = journal_file_append_object(f, OBJECT_FIELD, osize, &o, &p); -@@ -1610,20 +1603,20 @@ static int journal_file_append_field( - if (r < 0) - return r; - -- /* The linking might have altered the window, so let's -- * refresh our pointer */ -- r = journal_file_move_to_object(f, OBJECT_FIELD, p, &o); -- if (r < 0) -- return r; -+ /* The linking might have altered the window, so let's only pass the offset to hmac which will -+ * move to the object again if needed. */ - - #if HAVE_GCRYPT -- r = journal_file_hmac_put_object(f, OBJECT_FIELD, o, p); -+ r = journal_file_hmac_put_object(f, OBJECT_FIELD, NULL, p); - if (r < 0) - return r; - #endif - -- if (ret) -- *ret = o; -+ if (ret) { -+ r = journal_file_move_to_object(f, OBJECT_FIELD, p, ret); -+ if (r < 0) -+ return r; -+ } - - if (ret_offset) - *ret_offset = p; -@@ -1647,19 +1640,11 @@ static int journal_file_append_data( - - hash = journal_file_hash_data(f, data, size); - -- r = journal_file_find_data_object_with_hash(f, data, size, hash, &o, &p); -+ r = journal_file_find_data_object_with_hash(f, data, size, hash, ret, ret_offset); - if (r < 0) - return r; -- if (r > 0) { -- -- if (ret) -- *ret = o; -- -- if (ret_offset) -- *ret_offset = p; -- -+ if (r > 0) - return 0; -- } - - osize = offsetof(Object, data.payload) + size; - r = journal_file_append_object(f, OBJECT_DATA, osize, &o, &p); -@@ -1693,17 +1678,16 @@ static int journal_file_append_data( - if (r < 0) - return r; - --#if HAVE_GCRYPT -- r = journal_file_hmac_put_object(f, OBJECT_DATA, o, p); -+ /* The linking might have altered the window, so let's refresh our pointer. */ -+ r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); - if (r < 0) - return r; --#endif - -- /* The linking might have altered the window, so let's -- * refresh our pointer */ -- r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); -+#if HAVE_GCRYPT -+ r = journal_file_hmac_put_object(f, OBJECT_DATA, o, p); - if (r < 0) - return r; -+#endif - - if (!data) - eq = NULL; -@@ -2307,20 +2290,15 @@ static int generic_array_get_plus_one( - uint64_t i, - Object **ret, uint64_t *ret_offset) { - -- Object *o; -- - assert(f); - - if (i == 0) { - int r; - -- r = journal_file_move_to_object(f, OBJECT_ENTRY, extra, &o); -+ r = journal_file_move_to_object(f, OBJECT_ENTRY, extra, ret); - if (r < 0) - return r; - -- if (ret) -- *ret = o; -- - if (ret_offset) - *ret_offset = extra; - -@@ -2349,7 +2327,7 @@ static int generic_array_bisect( - - uint64_t a, p, t = 0, i = 0, last_p = 0, last_index = UINT64_MAX; - bool subtract_one = false; -- Object *o, *array = NULL; -+ Object *array = NULL; - int r; - ChainCacheItem *ci; - -@@ -2537,12 +2515,11 @@ found: - else - p = le64toh(array->entry_array.items[i]); - -- r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o); -- if (r < 0) -- return r; -- -- if (ret) -- *ret = o; -+ if (ret) { -+ r = journal_file_move_to_object(f, OBJECT_ENTRY, p, ret); -+ if (r < 0) -+ return r; -+ } - - if (ret_offset) - *ret_offset = p; -@@ -2567,7 +2544,6 @@ static int generic_array_bisect_plus_one( - - int r; - bool step_back = false; -- Object *o; - - assert(f); - assert(test_object); -@@ -2610,12 +2586,11 @@ static int generic_array_bisect_plus_one( - return r; - - found: -- r = journal_file_move_to_object(f, OBJECT_ENTRY, extra, &o); -- if (r < 0) -- return r; -- -- if (ret) -- *ret = o; -+ if (ret) { -+ r = journal_file_move_to_object(f, OBJECT_ENTRY, extra, ret); -+ if (r < 0) -+ return r; -+ } - - if (ret_offset) - *ret_offset = extra; -@@ -3088,7 +3063,6 @@ int journal_file_move_to_entry_by_monotonic_for_data( - * exists in both bisection arrays */ - - for (;;) { -- Object *qo; - uint64_t p, q; - - r = journal_file_move_to_object(f, OBJECT_DATA, data_offset, &d); -@@ -3117,14 +3091,18 @@ int journal_file_move_to_entry_by_monotonic_for_data( - p, - test_object_offset, - direction, -- &qo, &q, NULL); -+ NULL, &q, NULL); - - if (r <= 0) - return r; - - if (p == q) { -- if (ret) -- *ret = qo; -+ if (ret) { -+ r = journal_file_move_to_object(f, OBJECT_ENTRY, q, ret); -+ if (r < 0) -+ return r; -+ } -+ - if (ret_offset) - *ret_offset = q; - --- -2.23.0 - diff --git a/backport-journal-Remove-entry-seqnum-revert-logic.patch b/backport-journal-Remove-entry-seqnum-revert-logic.patch deleted file mode 100644 index b2a1a51..0000000 --- a/backport-journal-Remove-entry-seqnum-revert-logic.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 06a0e8283ed87773795f28e58318d5d1b46b1088 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Fri, 12 Nov 2021 14:29:02 +0000 -Subject: [PATCH] journal: Remove entry seqnum revert logic - -This actually causes mismatches between the header tail entry seqnum -and the last entry seqnum since when we revert the header seqnum, we -don't remove the entry object we added. If adding the entry object -itself fails, we don't need to revert the seqnum since it's never -incremented so let's remove this logic alltogether. - -(cherry picked from commit b41b682bd6f1290caa4220291b22cae317cb6413) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/06a0e8283ed87773795f28e58318d5d1b46b1088 ---- - src/libsystemd/sd-journal/journal-file.c | 32 ++---------------------- - 1 file changed, 2 insertions(+), 30 deletions(-) - -diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c -index 2c17435de2..ae19c1c1f2 100644 ---- a/src/libsystemd/sd-journal/journal-file.c -+++ b/src/libsystemd/sd-journal/journal-file.c -@@ -1021,30 +1021,6 @@ static uint64_t journal_file_entry_seqnum( - return ret; - } - --static void journal_file_revert_entry_seqnum( -- JournalFile *f, -- uint64_t *seqnum, -- uint64_t revert_seqnum) { -- -- assert(f); -- assert(f->header); -- -- if (revert_seqnum == 0) /* sequence number 0? can't go back */ -- return; -- -- /* Undoes the effect of journal_file_entry_seqnum() above: if we fail to append an entry to a file, -- * let's revert the seqnum we were about to use, so that we can use it on the next entry. */ -- -- if (le64toh(f->header->tail_entry_seqnum) == revert_seqnum) -- f->header->tail_entry_seqnum = htole64(revert_seqnum - 1); -- -- if (le64toh(f->header->head_entry_seqnum) == revert_seqnum) -- f->header->head_entry_seqnum = 0; -- -- if (seqnum && *seqnum == revert_seqnum) -- *seqnum = revert_seqnum - 1; --} -- - int journal_file_append_object( - JournalFile *f, - ObjectType type, -@@ -2004,12 +1980,12 @@ static int journal_file_append_entry_internal( - #if HAVE_GCRYPT - r = journal_file_hmac_put_object(f, OBJECT_ENTRY, o, np); - if (r < 0) -- goto fail; -+ return r; - #endif - - r = journal_file_link_entry(f, o, np); - if (r < 0) -- goto fail; -+ return r; - - if (ret) - *ret = o; -@@ -2017,10 +1993,6 @@ static int journal_file_append_entry_internal( - if (ret_offset) - *ret_offset = np; - -- return 0; -- --fail: -- journal_file_revert_entry_seqnum(f, seqnum, le64toh(o->entry.seqnum)); - return r; - } - --- -2.33.0 - diff --git a/backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch b/backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch deleted file mode 100644 index 82b2269..0000000 --- a/backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 2124893b258ffc23ae034bce388b61fb148c805f Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Wed, 17 Nov 2021 16:46:29 +0000 -Subject: [PATCH] journal: Skip corrupt Data objects in sd_journal_get_data() - -Similar to the change we made for sd_journal_enumerate_data(), let's -skip corrupt entry items and data objects in sd_journal_get_data(). - -(cherry picked from commit 8a799bed4c25be5792acf4d375bd2cdf0a4a3165) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2124893b258ffc23ae034bce388b61fb148c805f ---- - src/libsystemd/sd-journal/sd-journal.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index 18ede19e26..71875a4dc8 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -2309,11 +2309,17 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** - p = le64toh(o->entry.items[i].object_offset); - le_hash = o->entry.items[i].hash; - r = journal_file_move_to_object(f, OBJECT_DATA, p, &d); -+ if (r == -EBADMSG) { -+ log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", i); -+ continue; -+ } - if (r < 0) - return r; - -- if (le_hash != d->data.hash) -- return -EBADMSG; -+ if (le_hash != d->data.hash) { -+ log_debug("Entry item %"PRIu64" hash is bad, skipping over it.", i); -+ continue; -+ } - - l = le64toh(d->object.size) - offsetof(Object, data.payload); - --- -2.33.0 - diff --git a/backport-journal-Skip-data-objects-with-invalid-offsets.patch b/backport-journal-Skip-data-objects-with-invalid-offsets.patch deleted file mode 100644 index e2af7d6..0000000 --- a/backport-journal-Skip-data-objects-with-invalid-offsets.patch +++ /dev/null @@ -1,68 +0,0 @@ -From bf022f9f4841368bb84372ee5605ce5c0f936c79 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Wed, 12 Jan 2022 14:44:50 +0000 -Subject: [PATCH] journal: Skip data objects with invalid offsets -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We already skip invalid objects, but don't yet skip invalid offsets. -Let's skip these as well to improve robustness when we're dealing with -corrupted journals. - -Before: - -``` -âžœ systemd git:(main) build/journalctl -r -n 5 --file ~/Downloads/system@0005d2b275abaaf8-f243a2818cb39b98.journal_ -Failed to get journal fields: Cannot assign requested address --- No entries -- -``` - -After: - -``` -âžœ systemd git:(main) ✗ build/journalctl -r -n 5 --file ~/Downloads/system@0005d2b275abaaf8-f243a2818cb39b98.journal_ -Dec 09 08:32:38 snowball3 NetworkManager[911]: [1639038758.1464] device (wlp1s0): supplicant interface state: scanning -> authenticating -Dec 09 08:32:38 snowball3 kernel: wlp1s0: send auth to ec:a9:40:79:fb:ad (try 1/3) -Dec 09 08:32:38 snowball3 kernel: wlp1s0: authenticate with ec:a9:40:79:fb:ad -Dec 09 08:32:38 snowball3 wpa_supplicant[1003]: wlp1s0: SME: Trying to authenticate with ec:a9:40:79:fb:ad (SSID='UPC949397B' freq=5500 MHz) -``` - -(cherry picked from commit df207ccb7be02b1ca6bdd0a2066a898e5b24ee86) -(cherry picked from commit 556f46aa3b17f4ed6768521137405297c8a99d35) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bf022f9f4841368bb84372ee5605ce5c0f936c79 ---- - src/libsystemd/sd-journal/sd-journal.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index dd28b8008f..3cdc629a8d 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -2310,8 +2310,8 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** - p = le64toh(o->entry.items[i].object_offset); - le_hash = o->entry.items[i].hash; - r = journal_file_move_to_object(f, OBJECT_DATA, p, &d); -- if (r == -EBADMSG) { -- log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", i); -+ if (IN_SET(r, -EADDRNOTAVAIL, -EBADMSG)) { -+ log_debug_errno(r, "Entry item %"PRIu64" data object is bad, skipping over it: %m", i); - continue; - } - if (r < 0) -@@ -2455,8 +2455,8 @@ _public_ int sd_journal_enumerate_data(sd_journal *j, const void **data, size_t - p = le64toh(o->entry.items[j->current_field].object_offset); - le_hash = o->entry.items[j->current_field].hash; - r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); -- if (r == -EBADMSG) { -- log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", j->current_field); -+ if (IN_SET(r, -EADDRNOTAVAIL, -EBADMSG)) { -+ log_debug_errno(r, "Entry item %"PRIu64" data object is bad, skipping over it: %m", j->current_field); - continue; - } - if (r < 0) --- -2.33.0 - diff --git a/backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch b/backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch deleted file mode 100644 index 9cfa077..0000000 --- a/backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch +++ /dev/null @@ -1,93 +0,0 @@ -From e8a54526d8a89097742d808a53956a54431ded06 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Wed, 17 Nov 2021 15:54:35 +0000 -Subject: [PATCH] journal: Skip over corrupt entry items in enumerate_data() - -Similar to sd_journal_next(), if trying to access an entry item -offset's data results in EBADMSG, skip to the next entry item so -we handle corruption better. - -Fixes #21407 - -(cherry picked from commit 5a94a2bf2b9c9ae362dd4a7c2e6b263c55545036) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e8a54526d8a89097742d808a53956a54431ded06 ---- - src/libsystemd/sd-journal/sd-journal.c | 47 ++++++++++++++++---------- - 1 file changed, 29 insertions(+), 18 deletions(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index b3240177cb..02d4582c98 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -2425,10 +2425,8 @@ static int return_data( - - _public_ int sd_journal_enumerate_data(sd_journal *j, const void **data, size_t *size) { - JournalFile *f; -- uint64_t p, n; -- le64_t le_hash; -- int r; - Object *o; -+ int r; - - assert_return(j, -EINVAL); - assert_return(!journal_pid_changed(j), -ECHILD); -@@ -2446,26 +2444,39 @@ _public_ int sd_journal_enumerate_data(sd_journal *j, const void **data, size_t - if (r < 0) - return r; - -- n = journal_file_entry_n_items(o); -- if (j->current_field >= n) -- return 0; -+ for (uint64_t n = journal_file_entry_n_items(o); j->current_field < n; j->current_field++) { -+ uint64_t p; -+ le64_t le_hash; - -- p = le64toh(o->entry.items[j->current_field].object_offset); -- le_hash = o->entry.items[j->current_field].hash; -- r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); -- if (r < 0) -- return r; -+ p = le64toh(o->entry.items[j->current_field].object_offset); -+ le_hash = o->entry.items[j->current_field].hash; -+ r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); -+ if (r == -EBADMSG) { -+ log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", j->current_field); -+ continue; -+ } -+ if (r < 0) -+ return r; - -- if (le_hash != o->data.hash) -- return -EBADMSG; -+ if (le_hash != o->data.hash) { -+ log_debug("Entry item %"PRIu64" hash is bad, skipping over it.", j->current_field); -+ continue; -+ } - -- r = return_data(j, f, o, data, size); -- if (r < 0) -- return r; -+ r = return_data(j, f, o, data, size); -+ if (r == -EBADMSG) { -+ log_debug("Entry item %"PRIu64" data payload is bad, skipping over it.", j->current_field); -+ continue; -+ } -+ if (r < 0) -+ return r; - -- j->current_field++; -+ j->current_field++; - -- return 1; -+ return 1; -+ } -+ -+ return 0; - } - - _public_ int sd_journal_enumerate_available_data(sd_journal *j, const void **data, size_t *size) { --- -2.33.0 - diff --git a/backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch b/backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch deleted file mode 100644 index be58cca..0000000 --- a/backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch +++ /dev/null @@ -1,95 +0,0 @@ -From a1ca5320ec74f5112d32338e3061a34f17c4b954 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Wed, 17 Nov 2021 16:44:21 +0000 -Subject: [PATCH] journal: Use separate variable for Data object in - sd_journal_get_data() - -A little cleanup to make the next change easier. We're not moving to a -new Entry object in the for loop so there's no danger of changing the -Entry object window. - -(cherry picked from commit 847c7ee8c3c1a6cecd02501562b1afd8dd3c51de) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a1ca5320ec74f5112d32338e3061a34f17c4b954 ---- - src/libsystemd/sd-journal/sd-journal.c | 23 ++++++++++------------- - 1 file changed, 10 insertions(+), 13 deletions(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index 02d4582c98..18ede19e26 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -2300,6 +2300,7 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** - - n = journal_file_entry_n_items(o); - for (i = 0; i < n; i++) { -+ Object *d; - uint64_t p, l; - le64_t le_hash; - size_t t; -@@ -2307,20 +2308,20 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** - - p = le64toh(o->entry.items[i].object_offset); - le_hash = o->entry.items[i].hash; -- r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); -+ r = journal_file_move_to_object(f, OBJECT_DATA, p, &d); - if (r < 0) - return r; - -- if (le_hash != o->data.hash) -+ if (le_hash != d->data.hash) - return -EBADMSG; - -- l = le64toh(o->object.size) - offsetof(Object, data.payload); -+ l = le64toh(d->object.size) - offsetof(Object, data.payload); - -- compression = o->object.flags & OBJECT_COMPRESSION_MASK; -+ compression = d->object.flags & OBJECT_COMPRESSION_MASK; - if (compression) { - #if HAVE_COMPRESSION - r = decompress_startswith(compression, -- o->data.payload, l, -+ d->data.payload, l, - &f->compress_buffer, - field, field_length, '='); - if (r < 0) -@@ -2331,7 +2332,7 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** - size_t rsize; - - r = decompress_blob(compression, -- o->data.payload, l, -+ d->data.payload, l, - &f->compress_buffer, &rsize, - j->data_threshold); - if (r < 0) -@@ -2346,23 +2347,19 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** - return -EPROTONOSUPPORT; - #endif - } else if (l >= field_length+1 && -- memcmp(o->data.payload, field, field_length) == 0 && -- o->data.payload[field_length] == '=') { -+ memcmp(d->data.payload, field, field_length) == 0 && -+ d->data.payload[field_length] == '=') { - - t = (size_t) l; - - if ((uint64_t) t != l) - return -E2BIG; - -- *data = o->data.payload; -+ *data = d->data.payload; - *size = t; - - return 0; - } -- -- r = journal_file_move_to_object(f, OBJECT_ENTRY, f->current_offset, &o); -- if (r < 0) -- return r; - } - - return -ENOENT; --- -2.33.0 - diff --git a/backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch b/backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch deleted file mode 100644 index 2156ec1..0000000 --- a/backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 88afe98fa9887ba636d5f271c7b9c9b7c5a65960 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 24 Mar 2022 21:24:23 +0100 -Subject: [PATCH] journal-file: if we are going down, don't use event loop to - schedule post - -The event loop is already shutting down, hence no point in using it -anymore, it's not going to run any further iteration. - -(cherry picked from commit 47f04c2a69d5a604411f17a2e660021165d09c89) -(cherry picked from commit 6253eb576cdde2230b75f84532f745b4409f71ad) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/88afe98fa9887ba636d5f271c7b9c9b7c5a65960 ---- - src/libsystemd/sd-journal/journal-file.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c -index a8029c2868..e3e926b0f0 100644 ---- a/src/libsystemd/sd-journal/journal-file.c -+++ b/src/libsystemd/sd-journal/journal-file.c -@@ -2022,11 +2022,18 @@ static int post_change_thunk(sd_event_source *timer, uint64_t usec, void *userda - } - - static void schedule_post_change(JournalFile *f) { -+ sd_event *e; - int r; - - assert(f); - assert(f->post_change_timer); - -+ assert_se(e = sd_event_source_get_event(f->post_change_timer)); -+ -+ /* If we are aleady going down, post the change immediately. */ -+ if (IN_SET(sd_event_get_state(e), SD_EVENT_EXITING, SD_EVENT_FINISHED)) -+ goto fail; -+ - r = sd_event_source_get_enabled(f->post_change_timer, NULL); - if (r < 0) { - log_debug_errno(r, "Failed to get ftruncate timer state: %m"); --- -2.33.0 - diff --git a/backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch b/backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch deleted file mode 100644 index 93f3cb6..0000000 --- a/backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch +++ /dev/null @@ -1,71 +0,0 @@ -From bacb991ea76b4a8ad41e74273b65549ac926a694 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 15 Sep 2021 23:29:11 +0900 -Subject: [PATCH] journal,network,timesync: fix segfault on 32bit - timeval/timespec systems - -Fixes #20741. - -(cherry picked from commit f782eee68aea996c68b8cfeba5f288dae7fc876f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bacb991ea76b4a8ad41e74273b65549ac926a694 ---- - src/journal/journald-server.c | 7 +++++-- - src/libsystemd-network/icmp6-util.c | 3 ++- - src/timesync/timesyncd-manager.c | 3 ++- - 3 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index abd52f7c14..2d1d9e66d7 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -1275,11 +1275,14 @@ int server_process_datagram( - /* We use NAME_MAX space for the SELinux label here. The kernel currently enforces no limit, but - * according to suggestions from the SELinux people this will change and it will probably be - * identical to NAME_MAX. For now we use that, but this should be updated one day when the final -- * limit is known. */ -+ * limit is known. -+ * -+ * Here, we need to explicitly initialize the buffer with zero, as glibc has a bug in -+ * __convert_scm_timestamps(), which assumes the buffer is initialized. See #20741. */ - CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred)) + - CMSG_SPACE_TIMEVAL + - CMSG_SPACE(sizeof(int)) + /* fd */ -- CMSG_SPACE(NAME_MAX) /* selinux label */) control; -+ CMSG_SPACE(NAME_MAX) /* selinux label */) control = {}; - - union sockaddr_union sa = {}; - -diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c -index 823be0f275..3832bbd920 100644 ---- a/src/libsystemd-network/icmp6-util.c -+++ b/src/libsystemd-network/icmp6-util.c -@@ -148,8 +148,9 @@ int icmp6_send_router_solicitation(int s, const struct ether_addr *ether_addr) { - int icmp6_receive(int fd, void *buffer, size_t size, struct in6_addr *ret_dst, - triple_timestamp *ret_timestamp) { - -+ /* This needs to be initialized with zero. See #20741. */ - CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int)) + /* ttl */ -- CMSG_SPACE_TIMEVAL) control; -+ CMSG_SPACE_TIMEVAL) control = {}; - struct iovec iov = {}; - union sockaddr_union sa = {}; - struct msghdr msg = { -diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c -index 648e804105..e37db1c570 100644 ---- a/src/timesync/timesyncd-manager.c -+++ b/src/timesync/timesyncd-manager.c -@@ -412,7 +412,8 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re - .iov_base = &ntpmsg, - .iov_len = sizeof(ntpmsg), - }; -- CMSG_BUFFER_TYPE(CMSG_SPACE_TIMESPEC) control; -+ /* This needs to be initialized with zero. See #20741. */ -+ CMSG_BUFFER_TYPE(CMSG_SPACE_TIMESPEC) control = {}; - union sockaddr_union server_addr; - struct msghdr msghdr = { - .msg_iov = &iov, --- -2.33.0 - diff --git a/backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch b/backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch deleted file mode 100644 index c123614..0000000 --- a/backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch +++ /dev/null @@ -1,52 +0,0 @@ -From c4d12459c6bc065bd255c9f5555ca20bf735e16a Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 20 Dec 2021 20:48:32 +0900 -Subject: [PATCH] journal-remote: use MHD_HTTP_CONTENT_TOO_LARGE as - MHD_HTTP_PAYLOAD_TOO_LARGE is deprecated since 0.9.74 - -(cherry picked from commit 30df858f43b14a55c6650b43bea12cbf2cc0bc67) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c4d12459c6bc065bd255c9f5555ca20bf735e16a ---- - src/journal-remote/journal-remote-main.c | 2 +- - src/journal-remote/microhttpd-util.h | 10 +++++++--- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c -index ae1d43756a..9ff31763da 100644 ---- a/src/journal-remote/journal-remote-main.c -+++ b/src/journal-remote/journal-remote-main.c -@@ -319,7 +319,7 @@ static mhd_result request_handler( - /* When serialized, an entry of maximum size might be slightly larger, - * so this does not correspond exactly to the limit in journald. Oh well. - */ -- return mhd_respondf(connection, 0, MHD_HTTP_PAYLOAD_TOO_LARGE, -+ return mhd_respondf(connection, 0, MHD_HTTP_CONTENT_TOO_LARGE, - "Payload larger than maximum size of %u bytes", ENTRY_SIZE_MAX); - } - -diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h -index a92ba57d0f..7e7d1b56b1 100644 ---- a/src/journal-remote/microhttpd-util.h -+++ b/src/journal-remote/microhttpd-util.h -@@ -38,9 +38,13 @@ - # define MHD_HTTP_NOT_ACCEPTABLE MHD_HTTP_METHOD_NOT_ACCEPTABLE - #endif - --/* Renamed in µhttpd 0.9.53 */ --#ifndef MHD_HTTP_PAYLOAD_TOO_LARGE --# define MHD_HTTP_PAYLOAD_TOO_LARGE MHD_HTTP_REQUEST_ENTITY_TOO_LARGE -+/* Renamed in µhttpd 0.9.74 (8c644fc1f4d498ea489add8d40a68f5d3e5899fa) */ -+#ifndef MHD_HTTP_CONTENT_TOO_LARGE -+# ifdef MHD_HTTP_PAYLOAD_TOO_LARGE -+# define MHD_HTTP_CONTENT_TOO_LARGE MHD_HTTP_PAYLOAD_TOO_LARGE /* 0.9.53 or newer */ -+# else -+# define MHD_HTTP_CONTENT_TOO_LARGE MHD_HTTP_REQUEST_ENTITY_TOO_LARGE -+# endif - #endif - - #if MHD_VERSION < 0x00094203 --- -2.33.0 - diff --git a/backport-journal-send-close-fd-on-exit-when-running-with-valg.patch b/backport-journal-send-close-fd-on-exit-when-running-with-valg.patch deleted file mode 100644 index 20b5b3d..0000000 --- a/backport-journal-send-close-fd-on-exit-when-running-with-valg.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 6e5141ba038c1d8e22933f969b2bfe25bbc031d8 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 23 Feb 2022 02:03:54 +0900 -Subject: [PATCH] journal-send: close fd on exit when running with valgrind - -Fixes an issue reported in #22576. - -(cherry picked from commit eb9752d2be82d994cd6a17f271be27c4d56423d6) -(cherry picked from commit a7ec2be1509372974f44f1d98bf243a155cd203f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6e5141ba038c1d8e22933f969b2bfe25bbc031d8 ---- - src/libsystemd/meson.build | 1 + - src/libsystemd/sd-journal/journal-send.c | 26 +++++++++++++++++-- - src/libsystemd/sd-journal/journal-send.h | 8 ++++++ - src/libsystemd/sd-journal/test-journal-send.c | 3 +++ - 4 files changed, 36 insertions(+), 2 deletions(-) - create mode 100644 src/libsystemd/sd-journal/journal-send.h - -diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build -index 489ed12a73..3be5b3ec5e 100644 ---- a/src/libsystemd/meson.build -+++ b/src/libsystemd/meson.build -@@ -12,6 +12,7 @@ sd_journal_sources = files( - 'sd-journal/journal-file.h', - 'sd-journal/journal-internal.h', - 'sd-journal/journal-send.c', -+ 'sd-journal/journal-send.h', - 'sd-journal/journal-vacuum.c', - 'sd-journal/journal-vacuum.h', - 'sd-journal/journal-verify.c', -diff --git a/src/libsystemd/sd-journal/journal-send.c b/src/libsystemd/sd-journal/journal-send.c -index fd3fd7ef9c..d96e422d3b 100644 ---- a/src/libsystemd/sd-journal/journal-send.c -+++ b/src/libsystemd/sd-journal/journal-send.c -@@ -6,6 +6,9 @@ - #include - #include - #include -+#if HAVE_VALGRIND_VALGRIND_H -+#include -+#endif - - #define SD_JOURNAL_SUPPRESS_LOCATION - -@@ -14,8 +17,9 @@ - #include "alloc-util.h" - #include "errno-util.h" - #include "fd-util.h" --#include "io-util.h" - #include "fileio.h" -+#include "io-util.h" -+#include "journal-send.h" - #include "memfd-util.h" - #include "socket-util.h" - #include "stdio-util.h" -@@ -39,10 +43,10 @@ - * all its threads, and all its subprocesses. This means we need to - * initialize it atomically, and need to operate on it atomically - * never assuming we are the only user */ -+static int fd_plus_one = 0; - - static int journal_fd(void) { - int fd; -- static int fd_plus_one = 0; - - retry: - if (fd_plus_one > 0) -@@ -62,6 +66,24 @@ retry: - return fd; - } - -+#if VALGRIND -+void close_journal_fd(void) { -+ /* Be nice to valgrind. This is not atomic. This must be used only in tests. */ -+ -+ if (!RUNNING_ON_VALGRIND) -+ return; -+ -+ if (getpid() != gettid()) -+ return; -+ -+ if (fd_plus_one <= 0) -+ return; -+ -+ safe_close(fd_plus_one - 1); -+ fd_plus_one = 0; -+} -+#endif -+ - _public_ int sd_journal_print(int priority, const char *format, ...) { - int r; - va_list ap; -diff --git a/src/libsystemd/sd-journal/journal-send.h b/src/libsystemd/sd-journal/journal-send.h -new file mode 100644 -index 0000000000..cf8b199297 ---- /dev/null -+++ b/src/libsystemd/sd-journal/journal-send.h -@@ -0,0 +1,8 @@ -+/* SPDX-License-Identifier: LGPL-2.1-or-later */ -+#pragma once -+ -+#if VALGRIND -+void close_journal_fd(void); -+#else -+static inline void close_journal_fd(void) {} -+#endif -diff --git a/src/libsystemd/sd-journal/test-journal-send.c b/src/libsystemd/sd-journal/test-journal-send.c -index b6644e65c1..533b8d91e6 100644 ---- a/src/libsystemd/sd-journal/test-journal-send.c -+++ b/src/libsystemd/sd-journal/test-journal-send.c -@@ -5,7 +5,9 @@ - #include - - #include "sd-journal.h" -+ - #include "fileio.h" -+#include "journal-send.h" - #include "macro.h" - #include "memory-util.h" - -@@ -103,5 +105,6 @@ int main(int argc, char *argv[]) { - /* Sleep a bit to make it easy for journald to collect metadata. */ - sleep(1); - -+ close_journal_fd(); - return 0; - } --- -2.33.0 - diff --git a/backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch b/backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch deleted file mode 100644 index 3be690d..0000000 --- a/backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch +++ /dev/null @@ -1,44 +0,0 @@ -From dc331f4c9268d17a66f4393cfd0dba14c7022d41 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Wed, 4 Aug 2021 11:20:07 +0200 -Subject: [PATCH] journalctl: never fail at flushing when the flushed flag is - set - -Even if journald was not running, flushing the volatile journal used to work if -the journal was already flushed (ie the flushed flag -/run/systemd/journald/flushed was created). - -However since commit 4f413af2a0a, this behavior changed and now '--flush' fails -because it tries to contact journald without checking the presence of the -flushed flag anymore. - -This patch restores the previous behavior since there's no reason to fail when -journalctl can figure out that the flush is not necessary. - -(cherry picked from commit f6fca35e642a112e80cc9bddb9a2b4805ad40df2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/dc331f4c9268d17a66f4393cfd0dba14c7022d41 ---- - src/journal/journalctl.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c -index c8fb726d42..3eac97510d 100644 ---- a/src/journal/journalctl.c -+++ b/src/journal/journalctl.c -@@ -2074,6 +2074,11 @@ static int simple_varlink_call(const char *option, const char *method) { - } - - static int flush_to_var(void) { -+ if (access("/run/systemd/journal/flushed", F_OK) >= 0) -+ return 0; /* Already flushed, no need to contact journald */ -+ if (errno != ENOENT) -+ return log_error_errno(errno, "Unable to check for existence of /run/systemd/journal/flushed: %m"); -+ - return simple_varlink_call("--flush", "io.systemd.Journal.FlushToVar"); - } - --- -2.33.0 - diff --git a/backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch b/backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch deleted file mode 100644 index a460e10..0000000 --- a/backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch +++ /dev/null @@ -1,125 +0,0 @@ -From a98f2d7a0b017505720477d9fc89de2b56470dfa Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 24 Mar 2022 20:37:43 +0100 -Subject: [PATCH] journald: make sure SIGTERM handling doesn't get starved out - -Fixes: #22642 -(cherry picked from commit 19252b254861d8c9b56e2acaeb182812c8f07e52) -(cherry picked from commit c901bc8680d1835737de116f2bf1f522bdb083c2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a98f2d7a0b017505720477d9fc89de2b56470dfa ---- - src/journal/journald-server.c | 76 +++++++++++++++++++++++++++++++++-- - 1 file changed, 73 insertions(+), 3 deletions(-) - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index a212079758..86302e31e3 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -1443,12 +1443,82 @@ static int dispatch_sigusr2(sd_event_source *es, const struct signalfd_siginfo * - } - - static int dispatch_sigterm(sd_event_source *es, const struct signalfd_siginfo *si, void *userdata) { -+ _cleanup_(sd_event_source_disable_unrefp) sd_event_source *news = NULL; - Server *s = userdata; -+ int r; - - assert(s); - - log_received_signal(LOG_INFO, si); - -+ (void) sd_event_source_set_enabled(es, false); /* Make sure this handler is called at most once */ -+ -+ /* So on one hand we want to ensure that SIGTERMs are definitely handled in appropriate, bounded -+ * time. On the other hand we want that everything pending is first comprehensively processed and -+ * written to disk. These goals are incompatible, hence we try to find a middle ground: we'll process -+ * SIGTERM with high priority, but from the handler (this one right here) we'll install two new event -+ * sources: one low priority idle one that will issue the exit once everything else is processed (and -+ * which is hopefully the regular, clean codepath); and one high priority timer that acts as safety -+ * net: if our idle handler isn't run within 10s, we'll exit anyway. -+ * -+ * TLDR: we'll exit either when everything is processed, or after 10s max, depending on what happens -+ * first. -+ * -+ * Note that exiting before the idle event is hit doesn't typically mean that we lose any data, as -+ * messages will remain queued in the sockets they came in from, and thus can be processed when we -+ * start up next – unless we are going down for the final system shutdown, in which case everything -+ * is lost. */ -+ -+ r = sd_event_add_defer(s->event, &news, NULL, NULL); /* NULL handler means → exit when triggered */ -+ if (r < 0) { -+ log_error_errno(r, "Failed to allocate exit idle event handler: %m"); -+ goto fail; -+ } -+ -+ (void) sd_event_source_set_description(news, "exit-idle"); -+ -+ /* Run everything relevant before this. */ -+ r = sd_event_source_set_priority(news, SD_EVENT_PRIORITY_NORMAL+20); -+ if (r < 0) { -+ log_error_errno(r, "Failed to adjust priority of exit idle event handler: %m"); -+ goto fail; -+ } -+ -+ /* Give up ownership, so that this event source is freed automatically when the event loop is freed. */ -+ r = sd_event_source_set_floating(news, true); -+ if (r < 0) { -+ log_error_errno(r, "Failed to make exit idle event handler floating: %m"); -+ goto fail; -+ } -+ -+ news = sd_event_source_unref(news); -+ -+ r = sd_event_add_time_relative(s->event, &news, CLOCK_MONOTONIC, 10 * USEC_PER_SEC, 0, NULL, NULL); -+ if (r < 0) { -+ log_error_errno(r, "Failed to allocate exit timeout event handler: %m"); -+ goto fail; -+ } -+ -+ (void) sd_event_source_set_description(news, "exit-timeout"); -+ -+ r = sd_event_source_set_priority(news, SD_EVENT_PRIORITY_IMPORTANT-20); /* This is a safety net, with highest priority */ -+ if (r < 0) { -+ log_error_errno(r, "Failed to adjust priority of exit timeout event handler: %m"); -+ goto fail; -+ } -+ -+ r = sd_event_source_set_floating(news, true); -+ if (r < 0) { -+ log_error_errno(r, "Failed to make exit timeout event handler floating: %m"); -+ goto fail; -+ } -+ -+ news = sd_event_source_unref(news); -+ -+ log_debug("Exit event sources are now pending."); -+ return 0; -+ -+fail: - sd_event_exit(s->event, 0); - return 0; - } -@@ -1500,8 +1570,8 @@ static int setup_signals(Server *s) { - if (r < 0) - return r; - -- /* Let's process SIGTERM late, so that we flush all queued messages to disk before we exit */ -- r = sd_event_source_set_priority(s->sigterm_event_source, SD_EVENT_PRIORITY_NORMAL+20); -+ /* Let's process SIGTERM early, so that we definitely react to it */ -+ r = sd_event_source_set_priority(s->sigterm_event_source, SD_EVENT_PRIORITY_IMPORTANT-10); - if (r < 0) - return r; - -@@ -1511,7 +1581,7 @@ static int setup_signals(Server *s) { - if (r < 0) - return r; - -- r = sd_event_source_set_priority(s->sigint_event_source, SD_EVENT_PRIORITY_NORMAL+20); -+ r = sd_event_source_set_priority(s->sigint_event_source, SD_EVENT_PRIORITY_IMPORTANT-10); - if (r < 0) - return r; - --- -2.33.0 - diff --git a/backport-json-do-something-remotely-reasonable-when-we-see-Na.patch b/backport-json-do-something-remotely-reasonable-when-we-see-Na.patch deleted file mode 100644 index c4c0f5c..0000000 --- a/backport-json-do-something-remotely-reasonable-when-we-see-Na.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 06444b314b863facdb173f10f2d1ff11196755d2 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 26 Oct 2021 15:45:49 +0200 -Subject: [PATCH] json: do something remotely reasonable when we see - NaN/infinity - -JSON doesn't have NaN/infinity/-infinity concepts in the spec. -Implementations vary what they do with it. JSON5 + Python simply -generate special words "NAN" and "Inifinity" from it. Others generate -"null" for it. - -At this point we never actually want to output this, so let's be -conservative and generate RFC compliant JSON, i.e. convert to null. - -One day should JSON5 actually become a thing we can revisit this, but in -that case we should implement things via a flag, and only optinally -process nan/infinity/-infinity. - -This patch is extremely simple: whenever accepting a -nan/infinity/-infinity from outside it converts it to NULL. I.e. we -convert on input, not output. - -(cherry picked from commit 8f1daefce6e952f2fad9510e5101b5fc675d363f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/06444b314b863facdb173f10f2d1ff11196755d2 ---- - src/shared/json.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/shared/json.c b/src/shared/json.c -index c52460a3ec..d72b1e3a38 100644 ---- a/src/shared/json.c -+++ b/src/shared/json.c -@@ -359,6 +359,12 @@ int json_variant_new_real(JsonVariant **ret, long double d) { - } - REENABLE_WARNING; - -+ /* JSON doesn't know NaN, +Infinity or -Infinity. Let's silently convert to 'null'. */ -+ if (isnan(d) || isinf(d)) { -+ *ret = JSON_VARIANT_MAGIC_NULL; -+ return 0; -+ } -+ - r = json_variant_new(&v, JSON_VARIANT_REAL, sizeof(d)); - if (r < 0) - return r; --- -2.33.0 - diff --git a/backport-kernel-install-also-remove-modules.builtin.alias.bin.patch b/backport-kernel-install-also-remove-modules.builtin.alias.bin.patch deleted file mode 100644 index 1aa7a99..0000000 --- a/backport-kernel-install-also-remove-modules.builtin.alias.bin.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 44e060dd1641068752b79d49322d379c2ef2a1c1 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 15 Jan 2022 03:37:40 +0900 -Subject: [PATCH] kernel-install: also remove modules.builtin.alias.bin - -Fixes RHBZ#2016630. - -(cherry picked from commit 06006691b5c56b6123044179d934b3ed81c237ca) -(cherry picked from commit fdcb1bf67371615f12c4b11283f2bd6a25bda019) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/44e060dd1641068752b79d49322d379c2ef2a1c1 ---- - src/kernel-install/50-depmod.install | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/kernel-install/50-depmod.install b/src/kernel-install/50-depmod.install -index 2fd959865f..fd00c43632 100644 ---- a/src/kernel-install/50-depmod.install -+++ b/src/kernel-install/50-depmod.install -@@ -36,7 +36,7 @@ case "$COMMAND" in - remove) - [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \ - echo "Removing /lib/modules/${KERNEL_VERSION}/modules.dep and associated files" -- exec rm -f /lib/modules/"${KERNEL_VERSION}"/modules.{alias{,.bin},builtin.bin,dep{,.bin},devname,softdep,symbols{,.bin}} -+ exec rm -f /lib/modules/"${KERNEL_VERSION}"/modules.{alias{,.bin},builtin{,.alias}.bin,dep{,.bin},devname,softdep,symbols{,.bin}} - ;; - *) - exit 0 --- -2.33.0 - diff --git a/backport-libsystemd-network-disable-event-sources-before-unre.patch b/backport-libsystemd-network-disable-event-sources-before-unre.patch deleted file mode 100644 index d947eff..0000000 --- a/backport-libsystemd-network-disable-event-sources-before-unre.patch +++ /dev/null @@ -1,194 +0,0 @@ -From 00a2361bb5d3fccfa5b4fdb4d73b7aa7938e2449 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 24 Sep 2021 17:26:35 +0900 -Subject: [PATCH] libsystemd-network: disable event sources before unref them - -Fixes #20825. - -(cherry picked from commit eb2f750242d6c4c0963887dbd561d8bafa318685) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/00a2361bb5d3fccfa5b4fdb4d73b7aa7938e2449 ---- - src/libsystemd-network/sd-dhcp-client.c | 12 +++++------- - src/libsystemd-network/sd-dhcp-server.c | 4 ++-- - src/libsystemd-network/sd-ipv4acd.c | 5 ++--- - src/libsystemd-network/sd-lldp.c | 7 ++++--- - src/libsystemd-network/sd-ndisc.c | 9 +++++---- - src/libsystemd-network/sd-radv.c | 6 ++---- - 6 files changed, 20 insertions(+), 23 deletions(-) - -diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c -index 030b50cf2a..46191e58f5 100644 ---- a/src/libsystemd-network/sd-dhcp-client.c -+++ b/src/libsystemd-network/sd-dhcp-client.c -@@ -726,7 +726,7 @@ static int client_notify(sd_dhcp_client *client, int event) { - static int client_initialize(sd_dhcp_client *client) { - assert_return(client, -EINVAL); - -- client->receive_message = sd_event_source_unref(client->receive_message); -+ client->receive_message = sd_event_source_disable_unref(client->receive_message); - - client->fd = safe_close(client->fd); - -@@ -1492,7 +1492,7 @@ static int client_timeout_t2(sd_event_source *s, uint64_t usec, void *userdata) - - assert(client); - -- client->receive_message = sd_event_source_unref(client->receive_message); -+ client->receive_message = sd_event_source_disable_unref(client->receive_message); - client->fd = safe_close(client->fd); - - client->state = DHCP_STATE_REBINDING; -@@ -1847,7 +1847,7 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i - - client->start_delay = 0; - (void) event_source_disable(client->timeout_resend); -- client->receive_message = sd_event_source_unref(client->receive_message); -+ client->receive_message = sd_event_source_disable_unref(client->receive_message); - client->fd = safe_close(client->fd); - - client->state = DHCP_STATE_BOUND; -@@ -2229,17 +2229,15 @@ static sd_dhcp_client *dhcp_client_free(sd_dhcp_client *client) { - - log_dhcp_client(client, "FREE"); - -+ client_initialize(client); -+ - client->timeout_resend = sd_event_source_unref(client->timeout_resend); - client->timeout_t1 = sd_event_source_unref(client->timeout_t1); - client->timeout_t2 = sd_event_source_unref(client->timeout_t2); - client->timeout_expire = sd_event_source_unref(client->timeout_expire); - -- client_initialize(client); -- - sd_dhcp_client_detach_event(client); - -- sd_dhcp_lease_unref(client->lease); -- - set_free(client->req_opts); - free(client->hostname); - free(client->vendor_class_identifier); -diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c -index 9ae884b0fc..3f4af8440e 100644 ---- a/src/libsystemd-network/sd-dhcp-server.c -+++ b/src/libsystemd-network/sd-dhcp-server.c -@@ -267,8 +267,8 @@ int sd_dhcp_server_stop(sd_dhcp_server *server) { - if (!server) - return 0; - -- server->receive_message = sd_event_source_unref(server->receive_message); -- server->receive_broadcast = sd_event_source_unref(server->receive_broadcast); -+ server->receive_message = sd_event_source_disable_unref(server->receive_message); -+ server->receive_broadcast = sd_event_source_disable_unref(server->receive_broadcast); - - server->fd_raw = safe_close(server->fd_raw); - server->fd = safe_close(server->fd); -diff --git a/src/libsystemd-network/sd-ipv4acd.c b/src/libsystemd-network/sd-ipv4acd.c -index 9a77a33317..ebd4764840 100644 ---- a/src/libsystemd-network/sd-ipv4acd.c -+++ b/src/libsystemd-network/sd-ipv4acd.c -@@ -120,7 +120,7 @@ static void ipv4acd_reset(sd_ipv4acd *acd) { - assert(acd); - - (void) event_source_disable(acd->timer_event_source); -- acd->receive_message_event_source = sd_event_source_unref(acd->receive_message_event_source); -+ acd->receive_message_event_source = sd_event_source_disable_unref(acd->receive_message_event_source); - - acd->fd = safe_close(acd->fd); - -@@ -130,9 +130,8 @@ static void ipv4acd_reset(sd_ipv4acd *acd) { - static sd_ipv4acd *ipv4acd_free(sd_ipv4acd *acd) { - assert(acd); - -- acd->timer_event_source = sd_event_source_unref(acd->timer_event_source); -- - ipv4acd_reset(acd); -+ sd_event_source_unref(acd->timer_event_source); - sd_ipv4acd_detach_event(acd); - free(acd->ifname); - return mfree(acd); -diff --git a/src/libsystemd-network/sd-lldp.c b/src/libsystemd-network/sd-lldp.c -index 49aa876a53..b38d6dbd1e 100644 ---- a/src/libsystemd-network/sd-lldp.c -+++ b/src/libsystemd-network/sd-lldp.c -@@ -239,7 +239,7 @@ static void lldp_reset(sd_lldp *lldp) { - assert(lldp); - - (void) event_source_disable(lldp->timer_event_source); -- lldp->io_event_source = sd_event_source_unref(lldp->io_event_source); -+ lldp->io_event_source = sd_event_source_disable_unref(lldp->io_event_source); - lldp->fd = safe_close(lldp->fd); - } - -@@ -365,10 +365,11 @@ const char *sd_lldp_get_ifname(sd_lldp *lldp) { - static sd_lldp* lldp_free(sd_lldp *lldp) { - assert(lldp); - -- lldp->timer_event_source = sd_event_source_unref(lldp->timer_event_source); -- - lldp_reset(lldp); -+ -+ sd_event_source_unref(lldp->timer_event_source); - sd_lldp_detach_event(lldp); -+ - lldp_flush_neighbors(lldp); - - hashmap_free(lldp->neighbor_by_id); -diff --git a/src/libsystemd-network/sd-ndisc.c b/src/libsystemd-network/sd-ndisc.c -index 4d5f1b54cd..9b3a89378c 100644 ---- a/src/libsystemd-network/sd-ndisc.c -+++ b/src/libsystemd-network/sd-ndisc.c -@@ -133,18 +133,19 @@ static void ndisc_reset(sd_ndisc *nd) { - (void) event_source_disable(nd->timeout_event_source); - (void) event_source_disable(nd->timeout_no_ra); - nd->retransmit_time = 0; -- nd->recv_event_source = sd_event_source_unref(nd->recv_event_source); -+ nd->recv_event_source = sd_event_source_disable_unref(nd->recv_event_source); - nd->fd = safe_close(nd->fd); - } - - static sd_ndisc *ndisc_free(sd_ndisc *nd) { - assert(nd); - -- nd->timeout_event_source = sd_event_source_unref(nd->timeout_event_source); -- nd->timeout_no_ra = sd_event_source_unref(nd->timeout_no_ra); -- - ndisc_reset(nd); -+ -+ sd_event_source_unref(nd->timeout_event_source); -+ sd_event_source_unref(nd->timeout_no_ra); - sd_ndisc_detach_event(nd); -+ - free(nd->ifname); - return mfree(nd); - } -diff --git a/src/libsystemd-network/sd-radv.c b/src/libsystemd-network/sd-radv.c -index 857401bf6e..eac8aa385b 100644 ---- a/src/libsystemd-network/sd-radv.c -+++ b/src/libsystemd-network/sd-radv.c -@@ -89,8 +89,7 @@ static void radv_reset(sd_radv *ra) { - - (void) event_source_disable(ra->timeout_event_source); - -- ra->recv_event_source = -- sd_event_source_unref(ra->recv_event_source); -+ ra->recv_event_source = sd_event_source_disable_unref(ra->recv_event_source); - - ra->ra_sent = 0; - } -@@ -116,10 +115,9 @@ static sd_radv *radv_free(sd_radv *ra) { - free(ra->rdnss); - free(ra->dnssl); - -- ra->timeout_event_source = sd_event_source_unref(ra->timeout_event_source); -- - radv_reset(ra); - -+ sd_event_source_unref(ra->timeout_event_source); - sd_radv_detach_event(ra); - - ra->fd = safe_close(ra->fd); --- -2.33.0 - diff --git a/backport-list-introduce-LIST_FOREACH_BACKWARDS-macro-and-drop.patch b/backport-list-introduce-LIST_FOREACH_BACKWARDS-macro-and-drop.patch deleted file mode 100644 index 7766b87..0000000 --- a/backport-list-introduce-LIST_FOREACH_BACKWARDS-macro-and-drop.patch +++ /dev/null @@ -1,102 +0,0 @@ -From bd335c961fed6982e5ad8c2322414ff33a46e92e Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 16:12:06 +0900 -Subject: [PATCH] list: introduce LIST_FOREACH_BACKWARDS() macro and drop - LIST_FOREACH_AFTER/BEFORE() - -Reference:https://github.com/systemd/systemd/commit/bd335c961fed6982e5ad8c2322414ff33a46e92e -Conflict:NA - ---- - src/basic/list.h | 7 ++----- - src/core/device.c | 8 ++++---- - src/core/swap.c | 4 ++-- - src/udev/udev-rules.c | 2 +- - 4 files changed, 9 insertions(+), 12 deletions(-) - -diff --git a/src/basic/list.h b/src/basic/list.h -index 256b718..e488fff 100644 ---- a/src/basic/list.h -+++ b/src/basic/list.h -@@ -142,11 +142,8 @@ - #define LIST_FOREACH_SAFE(name,i,n,head) \ - for ((i) = (head); (i) && (((n) = (i)->name##_next), 1); (i) = (n)) - --#define LIST_FOREACH_BEFORE(name,i,p) \ -- for ((i) = (p)->name##_prev; (i); (i) = (i)->name##_prev) -- --#define LIST_FOREACH_AFTER(name,i,p) \ -- for ((i) = (p)->name##_next; (i); (i) = (i)->name##_next) -+#define LIST_FOREACH_BACKWARDS(name,i,p) \ -+ for ((i) = (p); (i); (i) = (i)->name##_prev) - - /* Iterate through all the members of the list p is included in, but skip over p */ - #define LIST_FOREACH_OTHERS(name,i,p) \ -diff --git a/src/core/device.c b/src/core/device.c -index c24bc12..06270e7 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -785,11 +785,11 @@ static Unit *device_following(Unit *u) { - return NULL; - - /* Make everybody follow the unit that's named after the sysfs path */ -- LIST_FOREACH_AFTER(same_sysfs, other, d) -+ LIST_FOREACH(same_sysfs, other, d->same_sysfs_next) - if (startswith(UNIT(other)->id, "sys-")) - return UNIT(other); - -- LIST_FOREACH_BEFORE(same_sysfs, other, d) { -+ LIST_FOREACH_BACKWARDS(same_sysfs, other, d->same_sysfs_prev) { - if (startswith(UNIT(other)->id, "sys-")) - return UNIT(other); - -@@ -816,13 +816,13 @@ static int device_following_set(Unit *u, Set **_set) { - if (!set) - return -ENOMEM; - -- LIST_FOREACH_AFTER(same_sysfs, other, d) { -+ LIST_FOREACH(same_sysfs, other, d->same_sysfs_next) { - r = set_put(set, other); - if (r < 0) - return r; - } - -- LIST_FOREACH_BEFORE(same_sysfs, other, d) { -+ LIST_FOREACH_BACKWARDS(same_sysfs, other, d->same_sysfs_prev) { - r = set_put(set, other); - if (r < 0) - return r; -diff --git a/src/core/swap.c b/src/core/swap.c -index 83e77d2..7a9628e 100644 ---- a/src/core/swap.c -+++ b/src/core/swap.c -@@ -1323,11 +1323,11 @@ static Unit *swap_following(Unit *u) { - if (streq_ptr(s->what, s->devnode)) - return NULL; - -- LIST_FOREACH_AFTER(same_devnode, other, s) -+ LIST_FOREACH(same_devnode, other, s->same_devnode_next) - if (streq_ptr(other->what, other->devnode)) - return UNIT(other); - -- LIST_FOREACH_BEFORE(same_devnode, other, s) { -+ LIST_FOREACH_BACKWARDS(same_devnode, other, s->same_devnode_prev) { - if (streq_ptr(other->what, other->devnode)) - return UNIT(other); - -diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c -index bf997fc..5e8dad2 100644 ---- a/src/udev/udev-rules.c -+++ b/src/udev/udev-rules.c -@@ -1154,7 +1154,7 @@ static void rule_resolve_goto(UdevRuleFile *rule_file) { - if (!FLAGS_SET(line->type, LINE_HAS_GOTO)) - continue; - -- LIST_FOREACH_AFTER(rule_lines, i, line) -+ LIST_FOREACH(rule_lines, i, line->rule_lines_next) - if (streq_ptr(i->label, line->goto_label)) { - line->goto_line = i; - break; --- -2.33.0 - diff --git a/backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch b/backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch deleted file mode 100644 index f6961b3..0000000 --- a/backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 00b0393e65252bf631670604f58b844780b08c50 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 11 Oct 2021 13:56:22 +0200 -Subject: [PATCH] localed: use PROJECT_FILE rather than __FILE__ for logging - -All our log.h code uses PROJECT_FILE for this, let's hence use it here -too. - -(cherry picked from commit 11c8b1f1031d368358286f4bb26abebd73cd2868) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/00b0393e65252bf631670604f58b844780b08c50 ---- - src/locale/localed.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/locale/localed.c b/src/locale/localed.c -index df0eb030d4..c228385d0e 100644 ---- a/src/locale/localed.c -+++ b/src/locale/localed.c -@@ -560,7 +560,7 @@ static void log_xkb(struct xkb_context *ctx, enum xkb_log_level lvl, const char - - fmt = strjoina("libxkbcommon: ", format); - DISABLE_WARNING_FORMAT_NONLITERAL; -- log_internalv(LOG_DEBUG, 0, __FILE__, __LINE__, __func__, fmt, args); -+ log_internalv(LOG_DEBUG, 0, PROJECT_FILE, __LINE__, __func__, fmt, args); - REENABLE_WARNING; - } - --- -2.33.0 - diff --git a/backport-log-don-t-attempt-to-duplicate-closed-fd.patch b/backport-log-don-t-attempt-to-duplicate-closed-fd.patch deleted file mode 100644 index d8cf413..0000000 --- a/backport-log-don-t-attempt-to-duplicate-closed-fd.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 417f37c1455fe770d96559205b864766188d9866 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 2 Sep 2022 18:35:03 +0200 -Subject: [PATCH] log: don't attempt to duplicate closed fd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -if the console fd is not open we shouldn#t try to move it out of the 0…2 -range. - -Fixes: #24535 -Alternative-for: #24537 -(cherry picked from commit f1ee066840eea748ad4074ac2bc859bb897953b9) -(cherry picked from commit e0dde8a14f8b05b88e1add1abdb68c364913346b) -(cherry picked from commit 40cedddab7e5c84c8fa4738de423971997d9aef5) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/417f37c1455fe770d96559205b864766188d9866 ---- - src/basic/log.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/log.c b/src/basic/log.c -index 1d68b49963..4a1d3c0d6d 100644 ---- a/src/basic/log.c -+++ b/src/basic/log.c -@@ -1477,7 +1477,7 @@ int log_dup_console(void) { - /* Duplicate the fd we use for fd logging if it's < 3 and use the copy from now on. This call is useful - * whenever we want to continue logging through the original fd, but want to rearrange stderr. */ - -- if (console_fd >= 3) -+ if (console_fd < 0 || console_fd >= 3) - return 0; - - copy = fcntl(console_fd, F_DUPFD_CLOEXEC, 3); --- -2.27.0 - diff --git a/backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch b/backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch deleted file mode 100644 index a453599..0000000 --- a/backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 0bc055cf52251a98e41391a7587b7222120c67d2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 28 Apr 2022 19:53:12 +0900 -Subject: [PATCH] login: drop non-default value for RuntimeDirectoryInodesMax= - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0bc055cf52251a98e41391a7587b7222120c67d2 ---- - src/login/logind.conf.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in -index 8ec979e0e8..08a89c351c 100644 ---- a/src/login/logind.conf.in -+++ b/src/login/logind.conf.in -@@ -42,7 +42,7 @@ - #IdleAction=ignore - #IdleActionSec=30min - #RuntimeDirectorySize=10% --#RuntimeDirectoryInodesMax=400k -+#RuntimeDirectoryInodesMax= - #RemoveIPC=yes - #InhibitorsMax=8192 - #SessionsMax=8192 --- -2.33.0 \ No newline at end of file diff --git a/backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch b/backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch deleted file mode 100644 index a363efe..0000000 --- a/backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 08a767f1e03bd59c0960a96ad585dbc3ef0bc78d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 27 Apr 2022 17:44:46 +0900 -Subject: [PATCH] login: make RuntimeDirectoryInodesMax= support K, G, M - suffixes - -Fixes #23017. - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/08a767f1e03bd59c0960a96ad585dbc3ef0bc78d ---- - src/login/logind-gperf.gperf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/login/logind-gperf.gperf b/src/login/logind-gperf.gperf -index 867db36533..f11ab8ada5 100644 ---- a/src/login/logind-gperf.gperf -+++ b/src/login/logind-gperf.gperf -@@ -45,7 +45,7 @@ Login.HoldoffTimeoutSec, config_parse_sec, 0, offse - Login.IdleAction, config_parse_handle_action, 0, offsetof(Manager, idle_action) - Login.IdleActionSec, config_parse_sec, 0, offsetof(Manager, idle_action_usec) - Login.RuntimeDirectorySize, config_parse_tmpfs_size, 0, offsetof(Manager, runtime_dir_size) --Login.RuntimeDirectoryInodesMax, config_parse_uint64, 0, offsetof(Manager, runtime_dir_inodes) -+Login.RuntimeDirectoryInodesMax, config_parse_iec_uint64, 0, offsetof(Manager, runtime_dir_inodes) - Login.RemoveIPC, config_parse_bool, 0, offsetof(Manager, remove_ipc) - Login.InhibitorsMax, config_parse_uint64, 0, offsetof(Manager, inhibitors_max) - Login.SessionsMax, config_parse_uint64, 0, offsetof(Manager, sessions_max) --- -2.27.0 - diff --git a/backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch b/backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch deleted file mode 100644 index 16c0e9d..0000000 --- a/backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 426cd32268f6068b843bc24d54b3f969034ab998 Mon Sep 17 00:00:00 2001 -From: Andreas Rammhold -Date: Mon, 26 Jul 2021 17:20:34 +0200 -Subject: [PATCH] login: respect install_sysconfdir_samples in meson file - -The refactoring done in c900d89faa0 caused the configuration files to be -installed into the pkgsysconfdir regardless of the state of the -install_sysconfdir_samples boolean that indicates whether or not the -sample files should be installed. - -(cherry picked from commit 72964d047a7a8f79ae12ab41168feb0080eef6c3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/426cd32268f6068b843bc24d54b3f969034ab998 ---- - src/login/meson.build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/login/meson.build b/src/login/meson.build -index 8c20e6be65..b637adc9a2 100644 ---- a/src/login/meson.build -+++ b/src/login/meson.build -@@ -67,7 +67,7 @@ pam_systemd_c = files('pam_systemd.c') - - enable_logind = conf.get('ENABLE_LOGIND') == 1 - in_files = [ -- ['logind.conf', pkgsysconfdir, enable_logind], -+ ['logind.conf', pkgsysconfdir, enable_logind and install_sysconfdir_samples], - ['70-uaccess.rules', udevrulesdir, enable_logind and conf.get('HAVE_ACL') == 1], - ['71-seat.rules', udevrulesdir, enable_logind], - ['73-seat-late.rules', udevrulesdir, enable_logind], --- -2.33.0 - diff --git a/backport-login-use-bus_error_message-at-one-more-place.patch b/backport-login-use-bus_error_message-at-one-more-place.patch deleted file mode 100644 index ef14f13..0000000 --- a/backport-login-use-bus_error_message-at-one-more-place.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 98f8c18db0edda121db05171fbaf35c342fd86b2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 30 Jan 2022 05:38:35 +0900 -Subject: [PATCH] login: use bus_error_message() at one more place - -(cherry picked from commit 80c8c786a314bceba180fac5506e72aa48c0764a) -(cherry picked from commit 048487c094a149e99b4067c8cd2d3974a8f17397) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/98f8c18db0edda121db05171fbaf35c342fd86b2 ---- - src/login/logind-user.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/src/login/logind-user.c b/src/login/logind-user.c -index a2c468e8dd..3c65867cb6 100644 ---- a/src/login/logind-user.c -+++ b/src/login/logind-user.c -@@ -358,15 +358,19 @@ static void user_start_service(User *u) { - - static int update_slice_callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) { - _cleanup_(user_record_unrefp) UserRecord *ur = userdata; -+ const sd_bus_error *e; -+ int r; - - assert(m); - assert(ur); - -- if (sd_bus_message_is_method_error(m, NULL)) { -- log_warning_errno(sd_bus_message_get_errno(m), -+ e = sd_bus_message_get_error(m); -+ if (e) { -+ r = sd_bus_error_get_errno(e); -+ log_warning_errno(r, - "Failed to update slice of %s, ignoring: %s", - ur->user_name, -- sd_bus_message_get_error(m)->message); -+ bus_error_message(e, r)); - - return 0; - } --- -2.33.0 - diff --git a/backport-logind-do-not-propagate-error-in-delayed-action.patch b/backport-logind-do-not-propagate-error-in-delayed-action.patch deleted file mode 100644 index 6dddc40..0000000 --- a/backport-logind-do-not-propagate-error-in-delayed-action.patch +++ /dev/null @@ -1,65 +0,0 @@ -From e6ca5aa8ac8d79217d11240b09dfbdb9364cdb36 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 5 Jan 2022 15:10:33 +0100 -Subject: [PATCH] logind: do not propagate error in delayed action - -If the action failed, we should log about the issue, and continue. -Exiting would bring the graphical session down, which of course is not -appreciated by users. - -As documented in previous commits, a non-negative return from the callback -doesn't matter, so the callback is simplified a bit. - -Fixes #21991. - -(cherry picked from commit 8207b8321bbbcbd19a345deb77d455d98e6ffb84) -(cherry picked from commit fb9bbbee6a3c09b75817f9f343176fa2170fdb31) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e6ca5aa8ac8d79217d11240b09dfbdb9364cdb36 ---- - src/login/logind-dbus.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c -index 19c3f9bd6e..b3c204f0b0 100644 ---- a/src/login/logind-dbus.c -+++ b/src/login/logind-dbus.c -@@ -1639,7 +1639,6 @@ error: - } - - int manager_dispatch_delayed(Manager *manager, bool timeout) { -- - _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; - Inhibitor *offending = NULL; - int r; -@@ -1671,10 +1670,9 @@ int manager_dispatch_delayed(Manager *manager, bool timeout) { - - manager->action_unit = NULL; - manager->action_what = 0; -- return r; - } - -- return 1; -+ return 1; /* We did some work. */ - } - - static int manager_inhibit_timeout_handler( -@@ -1683,13 +1681,11 @@ static int manager_inhibit_timeout_handler( - void *userdata) { - - Manager *manager = userdata; -- int r; - - assert(manager); - assert(manager->inhibit_timeout_source == s); - -- r = manager_dispatch_delayed(manager, true); -- return (r < 0) ? r : 0; -+ return manager_dispatch_delayed(manager, true); - } - - static int delay_shutdown_or_sleep( --- -2.33.0 - diff --git a/backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch b/backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch deleted file mode 100644 index 0ca9190..0000000 --- a/backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 5ac75f556c2ff3c28a815414dab92b58c3726dbd Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 8 Nov 2021 23:08:13 +0100 -Subject: [PATCH] logind: downgrade message about /run/utmp missing to - LOG_DEBUG - -This isn't really anything to really complain about, let's debug log -about this, and continue quietly as if utmp was empty. - -(cherry picked from commit 9830d716147c4e35026457027af95f303e690ae9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5ac75f556c2ff3c28a815414dab92b58c3726dbd ---- - src/login/logind-core.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/login/logind-core.c b/src/login/logind-core.c -index 22031f485a..e08929e52a 100644 ---- a/src/login/logind-core.c -+++ b/src/login/logind-core.c -@@ -707,7 +707,9 @@ int manager_read_utmp(Manager *m) { - errno = 0; - u = getutxent(); - if (!u) { -- if (errno != 0) -+ if (errno == ENOENT) -+ log_debug_errno(errno, _PATH_UTMPX " does not exist, ignoring."); -+ else if (errno != 0) - log_warning_errno(errno, "Failed to read " _PATH_UTMPX ", ignoring: %m"); - return 0; - } --- -2.33.0 - diff --git a/backport-logind-fix-getting-property-OnExternalPower-via-D-Bu.patch b/backport-logind-fix-getting-property-OnExternalPower-via-D-Bu.patch deleted file mode 100644 index 562f739..0000000 --- a/backport-logind-fix-getting-property-OnExternalPower-via-D-Bu.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 848586f6f46e58c4960c2675102757d8c11ce046 Mon Sep 17 00:00:00 2001 -From: Michael Biebl -Date: Wed, 12 Oct 2022 11:07:57 +0200 -Subject: [PATCH] logind: fix getting property OnExternalPower via D-Bus - -The BUS_DEFINE_PROPERTY_GET_GLOBAL macro requires a value as third -argument, so we need to call manager_is_on_external_power(). Otherwise -the function pointer is interpreted as a boolean and always returns -true: - -``` -$ busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager OnExternalPower -b true -$ /lib/systemd/systemd-ac-power --verbose -no -``` - -Thanks: Helmut Grohne -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021644 -(cherry picked from commit 63168cb517a556b2f4f175b365f5a4b4c7e85150) -(cherry picked from commit 3028e05955f1d1a43d57bbbe05321546d56c70a9) -(cherry picked from commit c622de4c9d474c2b666881ccbf60c7e2bf1fb484) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/848586f6f46e58c4960c2675102757d8c11ce046 ---- - src/login/logind-dbus.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c -index b3c204f0b0..1d0cf904bc 100644 ---- a/src/login/logind-dbus.c -+++ b/src/login/logind-dbus.c -@@ -353,7 +353,7 @@ static int property_get_scheduled_shutdown( - static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_handle_action, handle_action, HandleAction); - static BUS_DEFINE_PROPERTY_GET(property_get_docked, "b", Manager, manager_is_docked_or_external_displays); - static BUS_DEFINE_PROPERTY_GET(property_get_lid_closed, "b", Manager, manager_is_lid_closed); --static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_on_external_power, "b", manager_is_on_external_power); -+static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_on_external_power, "b", manager_is_on_external_power()); - static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_compat_user_tasks_max, "t", CGROUP_LIMIT_MAX); - static BUS_DEFINE_PROPERTY_GET_REF(property_get_hashmap_size, "t", Hashmap *, (uint64_t) hashmap_size); - --- -2.27.0 - diff --git a/backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch b/backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch deleted file mode 100644 index 411c6b5..0000000 --- a/backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 927898c86d121a2985bc6c8d261f505197df8e80 Mon Sep 17 00:00:00 2001 -From: Arfrever Frehtes Taifersar Arahesis -Date: Thu, 27 Jan 2022 00:00:00 +0000 -Subject: [PATCH] logind.conf: Fix name of option: RuntimeDirectoryInodes -> - RuntimeDirectoryInodesMax - -(cherry picked from commit a42a93830fcc18da073a5ac06f93c386efc9109d) -(cherry picked from commit 5b20a2b19c847b8ad8b354f1b735fbbaf88d2f8f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/927898c86d121a2985bc6c8d261f505197df8e80 ---- - src/login/logind.conf.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in -index 27ba77ce79..be2eb790bf 100644 ---- a/src/login/logind.conf.in -+++ b/src/login/logind.conf.in -@@ -38,7 +38,7 @@ - #IdleAction=ignore - #IdleActionSec=30min - #RuntimeDirectorySize=10% --#RuntimeDirectoryInodes=400k -+#RuntimeDirectoryInodesMax=400k - #RemoveIPC=yes - #InhibitorsMax=8192 - #SessionsMax=8192 --- -2.33.0 - diff --git a/backport-machined-set-TTYPath-for-container-shell.patch b/backport-machined-set-TTYPath-for-container-shell.patch deleted file mode 100644 index 61634ff..0000000 --- a/backport-machined-set-TTYPath-for-container-shell.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 6076f379d6911abd69c9565cbbecc60d34be8ce8 Mon Sep 17 00:00:00 2001 -From: Ludwig Nussel -Date: Tue, 21 Dec 2021 11:38:49 +0100 -Subject: [PATCH] machined: set TTYPath for container shell - -TTYPath is needed for proper utmp registration of the shell to -receive wall messages. - -(cherry picked from commit a9c97bbbfb271d68b2ca4f3aa346fdf5e9c70c27) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6076f379d6911abd69c9565cbbecc60d34be8ce8 ---- - src/machine/machine-dbus.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c -index 0022a980c5..404ff1ca46 100644 ---- a/src/machine/machine-dbus.c -+++ b/src/machine/machine-dbus.c -@@ -688,7 +688,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu - - description = strjoina("Shell for User ", user); - r = sd_bus_message_append(tm, -- "(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)", -+ "(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)", - "Description", "s", description, - "StandardInputFileDescriptor", "h", slave, - "StandardOutputFileDescriptor", "h", slave, -@@ -696,6 +696,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu - "SendSIGHUP", "b", true, - "IgnoreSIGPIPE", "b", false, - "KillMode", "s", "mixed", -+ "TTYPath", "s", pty_name, - "TTYReset", "b", true, - "UtmpIdentifier", "s", utmp_id, - "UtmpMode", "s", "user", --- -2.33.0 - diff --git a/backport-machined-varlink-fix-double-free.patch b/backport-machined-varlink-fix-double-free.patch deleted file mode 100644 index b98a6ae..0000000 --- a/backport-machined-varlink-fix-double-free.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 1600b38cd2029533547f8c3d4abfa12911ca0630 Mon Sep 17 00:00:00 2001 -From: David Tardon -Date: Mon, 2 Aug 2021 13:31:04 +0200 -Subject: [PATCH] machined-varlink: fix double free - -Fixes: #18599 -(cherry picked from commit feac9a1d1bf3f59adaa85f58b655ec01a111a29a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1600b38cd2029533547f8c3d4abfa12911ca0630 ---- - src/machine/machined-varlink.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c -index 009d283acc..fc0b0f11ad 100644 ---- a/src/machine/machined-varlink.c -+++ b/src/machine/machined-varlink.c -@@ -297,7 +297,7 @@ static int group_lookup_name(Manager *m, const char *name, gid_t *ret_gid, char - desc = mfree(desc); - - *ret_gid = converted_gid; -- *ret_description = desc; -+ *ret_description = TAKE_PTR(desc); - return 0; - } - --- -2.33.0 - diff --git a/backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch b/backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch deleted file mode 100644 index 740c0c1..0000000 --- a/backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 19c0ce4c68fd424f48a71afbc9d8b7b67ba58709 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Sun, 13 Mar 2022 14:45:03 +0100 -Subject: [PATCH] macro: account for negative values in DECIMAL_STR_WIDTH() - -With negative numbers we wouldn't account for the minus sign, thus -returning a string with one character too short, triggering buffer -overflows in certain situations. - -(cherry picked from commit e3dd9ea8ea4510221f73071ad30ee657ca77565d) -(cherry picked from commit 25b3c48ec5203a1220daaf33b8df6e50e79fd74a) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/19c0ce4c68fd424f48a71afbc9d8b7b67ba58709 ---- - src/basic/macro.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/macro.h b/src/basic/macro.h -index 072fed4378..5a3027ae5c 100644 ---- a/src/basic/macro.h -+++ b/src/basic/macro.h -@@ -349,7 +349,7 @@ static inline int __coverity_check_and_return__(int condition) { - #define DECIMAL_STR_WIDTH(x) \ - ({ \ - typeof(x) _x_ = (x); \ -- unsigned ans = 1; \ -+ unsigned ans = 2; \ - while ((_x_ /= 10) != 0) \ - ans++; \ - ans; \ --- -2.33.0 - diff --git a/backport-main-drop-get_process_cmdline-from-crash-handler.patch b/backport-main-drop-get_process_cmdline-from-crash-handler.patch deleted file mode 100644 index 423b559..0000000 --- a/backport-main-drop-get_process_cmdline-from-crash-handler.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 28c5859fa30572950a24a7638a3a8191d65daf68 Mon Sep 17 00:00:00 2001 -From: licunlong -Date: Thu, 10 Mar 2022 09:22:29 +0800 -Subject: [PATCH] main: drop get_process_cmdline from crash handler - get_process_cmdline calls malloc, which should be avoid in signal handler. - -Fixes: #22690 ---- - src/core/main.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/src/core/main.c b/src/core/main.c -index 41a4b4225f..7c9265f394 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -274,11 +274,12 @@ _noreturn_ static void crash(int sig, siginfo_t *siginfo, void *context) { - int r; - - if (siginfo) { -- _cleanup_free_ char *cmdline = NULL; -- pid_t sender_pid = siginfo->si_pid; -- -- (void) get_process_cmdline(sender_pid, SIZE_MAX, 0, &cmdline); -- log_emergency("Caught <%s> from PID "PID_FMT" (%s)", signal_to_string(sig), sender_pid, strna(cmdline)); -+ if (siginfo->si_pid == 0) -+ log_emergency("Caught <%s> from unknown sender process.", signal_to_string(sig)); -+ else if (siginfo->si_pid == 1) -+ log_emergency("Caught <%s> from our own process.", signal_to_string(sig)); -+ else -+ log_emergency("Caught <%s> from PID "PID_FMT".", signal_to_string(sig), siginfo->si_pid); - } - - /* Order things nicely. */ --- -2.27.0 - diff --git a/backport-main-log-which-process-send-SIGNAL-to-PID1.patch b/backport-main-log-which-process-send-SIGNAL-to-PID1.patch deleted file mode 100644 index 184cecd..0000000 --- a/backport-main-log-which-process-send-SIGNAL-to-PID1.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 7347b3db838ea3f02afc6c8a6dccac1ff8e7edbd Mon Sep 17 00:00:00 2001 -From: licunlong -Date: Tue, 8 Mar 2022 19:18:36 +0800 -Subject: [PATCH] main: log which process send SIGNAL to PID1 This can help - users to figure out what makes systemd freeze. 1. Someone kills systemd - accidentally, then the sender_pid won't be 1; 2. systemd triggers segfault or - assert, then the sender_pid will be 1; - ---- - src/core/main.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/src/core/main.c b/src/core/main.c -index 5009b8d85f..41a4b4225f 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -228,7 +228,7 @@ _noreturn_ static void freeze_or_exit_or_reboot(void) { - freeze(); - } - --_noreturn_ static void crash(int sig) { -+_noreturn_ static void crash(int sig, siginfo_t *siginfo, void *context) { - struct sigaction sa; - pid_t pid; - -@@ -273,6 +273,14 @@ _noreturn_ static void crash(int sig) { - siginfo_t status; - int r; - -+ if (siginfo) { -+ _cleanup_free_ char *cmdline = NULL; -+ pid_t sender_pid = siginfo->si_pid; -+ -+ (void) get_process_cmdline(sender_pid, SIZE_MAX, 0, &cmdline); -+ log_emergency("Caught <%s> from PID "PID_FMT" (%s)", signal_to_string(sig), sender_pid, strna(cmdline)); -+ } -+ - /* Order things nicely. */ - r = wait_for_terminate(pid, &status); - if (r < 0) -@@ -330,8 +338,8 @@ _noreturn_ static void crash(int sig) { - - static void install_crash_handler(void) { - static const struct sigaction sa = { -- .sa_handler = crash, -- .sa_flags = SA_NODEFER, /* So that we can raise the signal again from the signal handler */ -+ .sa_sigaction = crash, -+ .sa_flags = SA_NODEFER | SA_SIGINFO, /* So that we can raise the signal again from the signal handler */ - }; - int r; - --- -2.27.0 - diff --git a/backport-malloc-uses-getrandom-now.patch b/backport-malloc-uses-getrandom-now.patch deleted file mode 100644 index 3f9220f..0000000 --- a/backport-malloc-uses-getrandom-now.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 08c99e5600f92c5143b931a507980a2655380cb3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= -Date: Fri, 9 Jul 2021 17:19:05 -0400 -Subject: [PATCH] malloc() uses getrandom now - -glibc master uses getrandom in malloc since https://sourceware.org/git/?p=glibc.git;a=commit;h=fc859c304898a5ec72e0ba5269ed136ed0ea10e1 , getrandom should be in the default set so to avoid all non trivial programs to fallback to a PRNG. - -(cherry picked from commit 14f4b1b568907350d023d1429c1aa4aaa8925f22) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/08c99e5600f92c5143b931a507980a2655380cb3 ---- - src/shared/seccomp-util.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index e0f88aec73..cad0af89f2 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -310,6 +310,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - "getpgrp\0" - "getpid\0" - "getppid\0" -+ "getrandom\0" - "getresgid\0" - "getresgid32\0" - "getresuid\0" --- -2.33.0 - diff --git a/backport-manager-allow-transient-units-to-have-drop-ins.patch b/backport-manager-allow-transient-units-to-have-drop-ins.patch deleted file mode 100644 index 32d6250..0000000 --- a/backport-manager-allow-transient-units-to-have-drop-ins.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 1a09fb995e0e84c2a5f40945248644b174863c6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 14 Oct 2022 15:02:20 +0200 -Subject: [PATCH] manager: allow transient units to have drop-ins - -In https://github.com/containers/podman/issues/16107, starting of a transient -slice unit fails because there's a "global" drop-in -/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf (provided by -systemd-oomd-defaults package to install some default oomd policy). This means -that the unit_is_pristine() check fails and starting of the unit is forbidden. - -It seems pretty clear to me that dropins at any other level then the unit -should be ignored in this check: we now have multiple layers of drop-ins -(for each level of the cgroup path, and also "global" ones for a specific -unit type). If we install a "global" drop-in, we wouldn't be able to start -any transient units of that type, which seems undesired. - -In principle we could reject dropins at the unit level, but I don't think that -is useful. The whole reason for drop-ins is that they are "add ons", and there -isn't any particular reason to disallow them for transient units. It would also -make things harder to implement and describe: one place for drop-ins is good, -but another is bad. (And as a corner case: for instanciated units, a drop-in -in the template would be acceptable, but a instance-specific drop-in bad?) - -Thus, $subject. - -While at it, adjust the message. All the conditions in unit_is_pristine() -essentially mean that it wasn't loaded (e.g. it might be in an error state), -and that it doesn't have a fragment path (now that drop-ins are acceptable). -If there's a job for it, it necessarilly must have been loaded. If it is -merged into another unit, it also was loaded and found to be an alias. -Based on the discussion in the bugs, it seems that the current message -is far from obvious ;) - -Fixes https://github.com/containers/podman/issues/16107, -https://bugzilla.redhat.com/show_bug.cgi?id=2133792. - -(cherry picked from commit 1f83244641f13a9cb28fdac7e3c17c5446242dfb) -(cherry picked from commit 98a45608c4bf5aa1ba9b603ac2e5730f13659d88) ---- - src/core/dbus-manager.c | 2 +- - src/core/unit.c | 14 ++++++++------ - 2 files changed, 9 insertions(+), 7 deletions(-) - -diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c -index 1a3098ceb1..9a2a5531c6 100644 ---- a/src/core/dbus-manager.c -+++ b/src/core/dbus-manager.c -@@ -901,7 +901,7 @@ static int transient_unit_from_message( - - if (!unit_is_pristine(u)) - return sd_bus_error_setf(error, BUS_ERROR_UNIT_EXISTS, -- "Unit %s already exists.", name); -+ "Unit %s was already loaded or has a fragment file.", name); - - /* OK, the unit failed to load and is unreferenced, now let's - * fill in the transient data instead */ -diff --git a/src/core/unit.c b/src/core/unit.c -index a7b3208432..60e4e42d2f 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -4806,16 +4806,18 @@ int unit_fail_if_noncanonical(Unit *u, const char* where) { - bool unit_is_pristine(Unit *u) { - assert(u); - -- /* Check if the unit already exists or is already around, -- * in a number of different ways. Note that to cater for unit -- * types such as slice, we are generally fine with units that -- * are marked UNIT_LOADED even though nothing was actually -- * loaded, as those unit types don't require a file on disk. */ -+ /* Check if the unit already exists or is already around, in a number of different ways. Note that to -+ * cater for unit types such as slice, we are generally fine with units that are marked UNIT_LOADED -+ * even though nothing was actually loaded, as those unit types don't require a file on disk. -+ * -+ * Note that we don't check for drop-ins here, because we allow drop-ins for transient units -+ * identically to non-transient units, both unit-specific and hierarchical. E.g. for a-b-c.service: -+ * service.d/….conf, a-.service.d/….conf, a-b-.service.d/….conf, a-b-c.service.d/….conf. -+ */ - - return IN_SET(u->load_state, UNIT_NOT_FOUND, UNIT_LOADED) && - !u->fragment_path && - !u->source_path && -- strv_isempty(u->dropin_paths) && - !u->job && - !u->merged_into; - } --- -2.33.0 - diff --git a/backport-manager-reformat-boolean-expression-in-unit_is_prist.patch b/backport-manager-reformat-boolean-expression-in-unit_is_prist.patch deleted file mode 100644 index 7a0d94d..0000000 --- a/backport-manager-reformat-boolean-expression-in-unit_is_prist.patch +++ /dev/null @@ -1,40 +0,0 @@ -From b146a7345b69de16e88347acadb3783ffeeaad9d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 14 Oct 2022 14:40:24 +0200 -Subject: [PATCH] manager: reformat boolean expression in unit_is_pristine() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Not not IN_SET(…) is just too much for my poor brain. Let's invert -the expression to make it easier to undertand. ---- - src/core/unit.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index d6bea2080f..5016114cb4 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -4850,12 +4850,12 @@ bool unit_is_pristine(Unit *u) { - * are marked UNIT_LOADED even though nothing was actually - * loaded, as those unit types don't require a file on disk. */ - -- return !(!IN_SET(u->load_state, UNIT_NOT_FOUND, UNIT_LOADED) || -- u->fragment_path || -- u->source_path || -- !strv_isempty(u->dropin_paths) || -- u->job || -- u->merged_into); -+ return IN_SET(u->load_state, UNIT_NOT_FOUND, UNIT_LOADED) && -+ !u->fragment_path && -+ !u->source_path && -+ strv_isempty(u->dropin_paths) && -+ !u->job && -+ !u->merged_into; - } - - pid_t unit_control_pid(Unit *u) { --- -2.33.0 - diff --git a/backport-meson.build-change-operator-combining-bools-from-to-.patch b/backport-meson.build-change-operator-combining-bools-from-to-.patch deleted file mode 100644 index 55fe2f5..0000000 --- a/backport-meson.build-change-operator-combining-bools-from-to-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c29537f39e4f413a6cbfe9669fa121bdd6d8b36f Mon Sep 17 00:00:00 2001 -From: Dan Streetman -Date: Fri, 3 Sep 2021 12:43:33 -0400 -Subject: [PATCH] meson.build: change operator combining bools from + to and - -upstream meson stopped allowing combining boolean with the plus -operator, and now requires using the logical and operator - -reference: -https://github.com/mesonbuild/meson/commit/43302d3296baff6aeaf8e03f5d701b0402e37a6c - -Fixes: #20632 - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c29537f39e4f413a6cbfe9669fa121bdd6d8b36f ---- - meson.build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/meson.build b/meson.build -index 6e1a8b1e50..0fe996adba 100644 ---- a/meson.build -+++ b/meson.build -@@ -35,7 +35,7 @@ conf.set10('BUILD_MODE_DEVELOPER', get_option('mode') == 'developer', - - want_ossfuzz = get_option('oss-fuzz') - want_libfuzzer = get_option('llvm-fuzz') --if want_ossfuzz + want_libfuzzer > 1 -+if want_ossfuzz and want_libfuzzer - error('only one of oss-fuzz or llvm-fuzz can be specified') - endif - --- -2.33.0 - diff --git a/backport-missing-syscall-add-__NR_openat2.patch b/backport-missing-syscall-add-__NR_openat2.patch deleted file mode 100644 index ef7c146..0000000 --- a/backport-missing-syscall-add-__NR_openat2.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 31f64a65423414bf1d11fc9035450e9b6256858c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 3 Jan 2022 03:44:50 +0900 -Subject: [PATCH] missing-syscall: add __NR_openat2 - -(cherry picked from commit d96ad9e8cb9fc8a9adfeebf69a645b809705daa0) -(cherry picked from commit cd88d010e862d26ce816eb3bd6735a80999ac41e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/31f64a65423414bf1d11fc9035450e9b6256858c ---- - src/basic/missing_syscall_def.h | 66 +++++++++++++++++++++++++++++++++ - src/basic/missing_syscalls.py | 1 + - 2 files changed, 67 insertions(+) - -diff --git a/src/basic/missing_syscall_def.h b/src/basic/missing_syscall_def.h -index 6a48c2a0c5..29dfd2e5fa 100644 ---- a/src/basic/missing_syscall_def.h -+++ b/src/basic/missing_syscall_def.h -@@ -679,6 +679,72 @@ assert_cc(__NR_open_tree == systemd_NR_open_tree); - # endif - #endif - -+#ifndef __IGNORE_openat2 -+# if defined(__aarch64__) -+# define systemd_NR_openat2 437 -+# elif defined(__alpha__) -+# define systemd_NR_openat2 547 -+# elif defined(__arc__) || defined(__tilegx__) -+# define systemd_NR_openat2 437 -+# elif defined(__arm__) -+# define systemd_NR_openat2 437 -+# elif defined(__i386__) -+# define systemd_NR_openat2 437 -+# elif defined(__ia64__) -+# define systemd_NR_openat2 1461 -+# elif defined(__loongarch64) -+# define systemd_NR_openat2 437 -+# elif defined(__m68k__) -+# define systemd_NR_openat2 437 -+# elif defined(_MIPS_SIM) -+# if _MIPS_SIM == _MIPS_SIM_ABI32 -+# define systemd_NR_openat2 4437 -+# elif _MIPS_SIM == _MIPS_SIM_NABI32 -+# define systemd_NR_openat2 6437 -+# elif _MIPS_SIM == _MIPS_SIM_ABI64 -+# define systemd_NR_openat2 5437 -+# else -+# error "Unknown MIPS ABI" -+# endif -+# elif defined(__powerpc__) -+# define systemd_NR_openat2 437 -+# elif defined(__riscv) -+# if __riscv_xlen == 32 -+# define systemd_NR_openat2 437 -+# elif __riscv_xlen == 64 -+# define systemd_NR_openat2 437 -+# else -+# error "Unknown RISC-V ABI" -+# endif -+# elif defined(__s390__) -+# define systemd_NR_openat2 437 -+# elif defined(__sparc__) -+# define systemd_NR_openat2 437 -+# elif defined(__x86_64__) -+# if defined(__ILP32__) -+# define systemd_NR_openat2 (437 | /* __X32_SYSCALL_BIT */ 0x40000000) -+# else -+# define systemd_NR_openat2 437 -+# endif -+# elif !defined(missing_arch_template) -+# warning "openat2() syscall number is unknown for your architecture" -+# endif -+ -+/* may be an (invalid) negative number due to libseccomp, see PR 13319 */ -+# if defined __NR_openat2 && __NR_openat2 >= 0 -+# if defined systemd_NR_openat2 -+assert_cc(__NR_openat2 == systemd_NR_openat2); -+# endif -+# else -+# if defined __NR_openat2 -+# undef __NR_openat2 -+# endif -+# if defined systemd_NR_openat2 && systemd_NR_openat2 >= 0 -+# define __NR_openat2 systemd_NR_openat2 -+# endif -+# endif -+#endif -+ - #ifndef __IGNORE_pidfd_open - # if defined(__aarch64__) - # define systemd_NR_pidfd_open 434 -diff --git a/src/basic/missing_syscalls.py b/src/basic/missing_syscalls.py -index 19f9726d4e..dd458994f2 100644 ---- a/src/basic/missing_syscalls.py -+++ b/src/basic/missing_syscalls.py -@@ -16,6 +16,7 @@ SYSCALLS = [ - 'move_mount', - 'name_to_handle_at', - 'open_tree', -+ 'openat2', - 'pidfd_open', - 'pidfd_send_signal', - 'pkey_mprotect', --- -2.33.0 - diff --git a/backport-mkosi-Build-Fedora-35-images.patch b/backport-mkosi-Build-Fedora-35-images.patch deleted file mode 100644 index 748d1c2..0000000 --- a/backport-mkosi-Build-Fedora-35-images.patch +++ /dev/null @@ -1,29 +0,0 @@ -From e5c19733785558e6fc17f96e6c18219d46179a2d Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Thu, 9 Dec 2021 12:35:23 +0100 -Subject: [PATCH] mkosi: Build Fedora 35 images - -(cherry picked from commit 808b23ecf681c12493cbb84958e75ea300ebbeab) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e5c19733785558e6fc17f96e6c18219d46179a2d ---- - .mkosi/mkosi.fedora | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/.mkosi/mkosi.fedora b/.mkosi/mkosi.fedora -index cc3a5a2d1a..3e7462e477 100644 ---- a/.mkosi/mkosi.fedora -+++ b/.mkosi/mkosi.fedora -@@ -5,7 +5,7 @@ - - [Distribution] - Distribution=fedora --Release=34 -+Release=35 - - [Packages] - BuildPackages= --- -2.33.0 - diff --git a/backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch b/backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch deleted file mode 100644 index 1188a08..0000000 --- a/backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c135c18d0aedeb6043ea4e54a252b7d2452d0937 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Koutn=C3=BD?= -Date: Thu, 10 Jun 2021 14:39:13 +0200 -Subject: [PATCH] mkosi: Fix openSUSE Jinja2 package name -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Dare to be different ¯\_(ツ)_/¯ - -(cherry picked from commit ed802c44da7918ba1c14944b711a20b14d9e0fd4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c135c18d0aedeb6043ea4e54a252b7d2452d0937 ---- - .mkosi/mkosi.opensuse | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/.mkosi/mkosi.opensuse b/.mkosi/mkosi.opensuse -index fdbbdeb1f8..7eb7b857ca 100644 ---- a/.mkosi/mkosi.opensuse -+++ b/.mkosi/mkosi.opensuse -@@ -36,7 +36,7 @@ BuildPackages= - pcre-devel - python3 - python3-lxml -- python3-jinja2 -+ python3-Jinja2 - qrencode-devel - system-user-nobody - systemd-sysvinit --- -2.33.0 - diff --git a/backport-mkosi-Remove-Arch-nspawn-workaround.patch b/backport-mkosi-Remove-Arch-nspawn-workaround.patch deleted file mode 100644 index bbc1d4c..0000000 --- a/backport-mkosi-Remove-Arch-nspawn-workaround.patch +++ /dev/null @@ -1,43 +0,0 @@ -From c24f4e86781d866894128a56fbc03f4302f737f6 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Fri, 25 Feb 2022 11:01:07 +0000 -Subject: [PATCH] mkosi: Remove Arch nspawn workaround - -This has been fixed so the workaround can be removed. - -(cherry picked from commit 6b2ab8fc5cc0f706b85cbd559e8dcf4e05d7687d) -(cherry picked from commit f0cc6d2f99b2510c57fa36ad7f28cc42c0b724b3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c24f4e86781d866894128a56fbc03f4302f737f6 ---- - .github/workflows/mkosi.yml | 13 ------------- - 1 file changed, 13 deletions(-) - -diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml -index 489eb01880..c8d572a4d8 100644 ---- a/.github/workflows/mkosi.yml -+++ b/.github/workflows/mkosi.yml -@@ -37,19 +37,6 @@ jobs: - - name: Symlink - run: ln -s .mkosi/mkosi.${{ matrix.distro }} mkosi.default - -- # Ubuntu's systemd-nspawn doesn't support faccessat2() syscall, which is -- # required, since current Arch's glibc implements faccessat() via faccessat2(). -- - name: Update systemd-nspawn -- if: ${{ matrix.distro == 'arch' }} -- run: | -- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list -- sudo apt update -- sudo apt build-dep systemd -- meson build -- ninja -C build -- sudo ln -svf $PWD/build/systemd-nspawn `which systemd-nspawn` -- systemd-nspawn --version -- - - name: Build ${{ matrix.distro }} - run: sudo python3 -m mkosi --password= --qemu-headless build - --- -2.33.0 - diff --git a/backport-mkosi-openSUSE-update-bootable-no-dependencies.patch b/backport-mkosi-openSUSE-update-bootable-no-dependencies.patch deleted file mode 100644 index 4e81ba4..0000000 --- a/backport-mkosi-openSUSE-update-bootable-no-dependencies.patch +++ /dev/null @@ -1,31 +0,0 @@ -From e4e572117b41f6e8152a30acc6f60a0385090137 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Koutn=C3=BD?= -Date: Fri, 12 Feb 2021 18:11:18 +0100 -Subject: [PATCH] mkosi: openSUSE update --bootable=no dependencies - -Since we can build --bootable=no images without dracut->systemd, we need -to add systemd runtime dependencies explicitely. - -(cherry picked from commit f2bb8857cd093eb9bd5e1dad6fb996a0a4463556) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e4e572117b41f6e8152a30acc6f60a0385090137 ---- - .mkosi/mkosi.opensuse | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/.mkosi/mkosi.opensuse b/.mkosi/mkosi.opensuse -index b468433f34..fdbbdeb1f8 100644 ---- a/.mkosi/mkosi.opensuse -+++ b/.mkosi/mkosi.opensuse -@@ -60,6 +60,7 @@ Packages= - libapparmor1 - libcrypt1 - libcryptsetup12 -+ libgcrypt20 - libkmod2 - liblz4-1 - libmount1 --- -2.33.0 - diff --git a/backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch b/backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch deleted file mode 100644 index 4bd7350..0000000 --- a/backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 42ca0ab5082344004c0f26b2d6ec57b7a9d4ff03 Mon Sep 17 00:00:00 2001 -From: Vito Caputo -Date: Thu, 25 Nov 2021 07:05:06 -0800 -Subject: [PATCH] mmap-cache: LIST_REMOVE() *after* w->unused_prev - -The LIST_REMOVE() macro always assigns NULL to w->unused_prev, -meaning every time this window was in last_unused, the remainder -of the unused list was lost to the ether. - -Turns out there's been a memory leak in journald after all, this -code has been there since at least 2013... - -(cherry picked from commit b82aca89a5b366c4377b3b140e54313e817e8f57) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/42ca0ab5082344004c0f26b2d6ec57b7a9d4ff03 ---- - src/libsystemd/sd-journal/mmap-cache.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-journal/mmap-cache.c b/src/libsystemd/sd-journal/mmap-cache.c -index 9e0be01d41..02d2d721cf 100644 ---- a/src/libsystemd/sd-journal/mmap-cache.c -+++ b/src/libsystemd/sd-journal/mmap-cache.c -@@ -224,9 +224,9 @@ static void context_attach_window(Context *c, Window *w) { - - if (w->in_unused) { - /* Used again? */ -- LIST_REMOVE(unused, c->cache->unused, w); - if (c->cache->last_unused == w) - c->cache->last_unused = w->unused_prev; -+ LIST_REMOVE(unused, c->cache->unused, w); - - w->in_unused = false; - } --- -2.33.0 - diff --git a/backport-mount-setup-don-t-need-to-mount-sys-fs-pstore-if-the.patch b/backport-mount-setup-don-t-need-to-mount-sys-fs-pstore-if-the.patch deleted file mode 100644 index 38ceedf..0000000 --- a/backport-mount-setup-don-t-need-to-mount-sys-fs-pstore-if-the.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ccbb0b48c48f80a3121ff9d99f395b642a0090b5 Mon Sep 17 00:00:00 2001 -From: jcg -Date: Fri, 9 Dec 2022 20:45:39 +0800 -Subject: [PATCH] mount-setup: don't need to mount /sys/fs/pstore if there is - no ENABLE_PSTORE - -(cherry picked from commit 5e5fce3e918ebba5d0cbf0b64bb97f0eaeae70a3) -(cherry picked from commit 613994c10b19f02c0764aa1d5865730f3af99267) -(cherry picked from commit 46a7e30cb9f274763657d40193c2a03a02c687ab) -(cherry picked from commit 0e96d07e8c03e543816702b13db891924b485951) ---- - src/shared/mount-setup.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c -index ef3527e9a7..8c7c390854 100644 ---- a/src/shared/mount-setup.c -+++ b/src/shared/mount-setup.c -@@ -102,8 +102,10 @@ static const MountPoint mount_table[] = { - cg_is_legacy_wanted, MNT_IN_CONTAINER }, - { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, - cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER }, -+#if ENABLE_PSTORE - { "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, - NULL, MNT_NONE }, -+#endif - #if ENABLE_EFI - { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, - is_efi_boot, MNT_NONE }, --- -2.27.0 - diff --git a/backport-mount-util-fix-error-code.patch b/backport-mount-util-fix-error-code.patch deleted file mode 100644 index d4dc3b4..0000000 --- a/backport-mount-util-fix-error-code.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 561205a9c4fd0db341a93e227d249a6b6d03e2e1 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 4 Sep 2022 22:34:38 +0900 -Subject: [PATCH] mount-util: fix error code - -If multiple service is starting simultaneously with a shared image, -then one of the service may fail to create a mount node: - -systemd[695]: Bind-mounting /usr/lib/os-release on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC "")... -systemd[696]: Bind-mounting /usr/lib/os-release on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC "")... -systemd[695]: Failed to mount /usr/lib/os-release (type n/a) on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC ""): No such file or directory -systemd[696]: Failed to mount /usr/lib/os-release (type n/a) on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC ""): No such file or directory -systemd[695]: Bind-mounting /usr/lib/os-release on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC "")... -systemd[696]: Failed to create destination mount point node '/run/systemd/unit-root/run/host/os-release': Operation not permitted -systemd[695]: Successfully mounted /usr/lib/os-release to /run/systemd/unit-root/run/host/os-release - -The function apply_one_mount() in src/core/namespace.c gracefully -handles -EEXIST from make_mount_point_inode_from_path(), but it erroneously -returned -EPERM previously. This fixes the issue. - -Fixes one of the issues in #24147, especially reported at -https://github.com/systemd/systemd/issues/24147#issuecomment-1236194671. - -(cherry picked from commit b6ca2b281eff254dce2293990360e799af806ad4) -(cherry picked from commit 24238be484e6d7633bc68c784f7b3180299a80d4) -(cherry picked from commit 260633c50b5da5522b714d7989a138ecd73febd6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/561205a9c4fd0db341a93e227d249a6b6d03e2e1 ---- - src/shared/mount-util.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c -index 26618bb113..199ff6163d 100644 ---- a/src/shared/mount-util.c -+++ b/src/shared/mount-util.c -@@ -1089,8 +1089,10 @@ int make_mount_point_inode_from_stat(const struct stat *st, const char *dest, mo - - if (S_ISDIR(st->st_mode)) - return mkdir_label(dest, mode); -+ else if (mknod(dest, S_IFREG|(mode & ~0111), 0) < 0) -+ return -errno; - else -- return mknod(dest, S_IFREG|(mode & ~0111), 0); -+ return 0; - } - - int make_mount_point_inode_from_path(const char *source, const char *dest, mode_t mode) { --- -2.27.0 - diff --git a/backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch b/backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch deleted file mode 100644 index acdfb33..0000000 --- a/backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 8de173ff933510200ac3db77f1ae713f2c4acdc3 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Thu, 30 Sep 2021 14:05:36 +0200 -Subject: [PATCH] mount-util: fix fd_is_mount_point() when both the parent and - directory are network fs - -The second call to name_to_handle_at_loop() didn't check for the specific -errors that can happen when the parent dir is mounted by nfs and instead of -falling back like it's done for the child dir, fd_is_mount_point() failed in -this case. - -(cherry picked from commit 964ccab8286a7e75d7e9107f574f5cb23752bd5d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8de173ff933510200ac3db77f1ae713f2c4acdc3 ---- - src/basic/mountpoint-util.c | 68 ++++++++++++++++++++++--------------- - 1 file changed, 41 insertions(+), 27 deletions(-) - -diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c -index 8c836a1b74..e7a5a99551 100644 ---- a/src/basic/mountpoint-util.c -+++ b/src/basic/mountpoint-util.c -@@ -157,6 +157,19 @@ static bool filename_possibly_with_slash_suffix(const char *s) { - return filename_is_valid(copied); - } - -+static bool is_name_to_handle_at_fatal_error(int err) { -+ /* name_to_handle_at() can return "acceptable" errors that are due to the context. For -+ * example the kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall -+ * was blocked (EACCES/EPERM; maybe through seccomp, because we are running inside of a -+ * container), or the mount point is not triggered yet (EOVERFLOW, think nfs4), or some -+ * general name_to_handle_at() flakiness (EINVAL). However other errors are not supposed to -+ * happen and therefore are considered fatal ones. */ -+ -+ assert(err < 0); -+ -+ return !IN_SET(err, -EOPNOTSUPP, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL); -+} -+ - int fd_is_mount_point(int fd, const char *filename, int flags) { - _cleanup_free_ struct file_handle *h = NULL, *h_parent = NULL; - int mount_id = -1, mount_id_parent = -1; -@@ -206,39 +219,40 @@ int fd_is_mount_point(int fd, const char *filename, int flags) { - return false; /* symlinks are never mount points */ - - r = name_to_handle_at_loop(fd, filename, &h, &mount_id, flags); -- if (IN_SET(r, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL)) -- /* This kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall was blocked -- * (EACCES/EPERM; maybe through seccomp, because we are running inside of a container?), or the mount -- * point is not triggered yet (EOVERFLOW, think nfs4), or some general name_to_handle_at() flakiness -- * (EINVAL): fall back to simpler logic. */ -- goto fallback_fdinfo; -- else if (r == -EOPNOTSUPP) -- /* This kernel or file system does not support name_to_handle_at(), hence let's see if the upper fs -- * supports it (in which case it is a mount point), otherwise fall back to the traditional stat() -- * logic */ -+ if (r < 0) { -+ if (is_name_to_handle_at_fatal_error(r)) -+ return r; -+ if (r != -EOPNOTSUPP) -+ goto fallback_fdinfo; -+ -+ /* This kernel or file system does not support name_to_handle_at(), hence let's see -+ * if the upper fs supports it (in which case it is a mount point), otherwise fall -+ * back to the traditional stat() logic */ - nosupp = true; -- else if (r < 0) -- return r; -+ } - - r = name_to_handle_at_loop(fd, "", &h_parent, &mount_id_parent, AT_EMPTY_PATH); -- if (r == -EOPNOTSUPP) { -+ if (r < 0) { -+ if (is_name_to_handle_at_fatal_error(r)) -+ return r; -+ if (r != -EOPNOTSUPP) -+ goto fallback_fdinfo; - if (nosupp) -- /* Neither parent nor child do name_to_handle_at()? We have no choice but to fall back. */ -+ /* Both the parent and the directory can't do name_to_handle_at() */ - goto fallback_fdinfo; -- else -- /* The parent can't do name_to_handle_at() but the directory we are interested in can? If so, -- * it must be a mount point. */ -- return 1; -- } else if (r < 0) -- return r; - -- /* The parent can do name_to_handle_at() but the directory we are interested in can't? If so, it must -- * be a mount point. */ -+ /* The parent can't do name_to_handle_at() but the directory we are -+ * interested in can? If so, it must be a mount point. */ -+ return 1; -+ } -+ -+ /* The parent can do name_to_handle_at() but the directory we are interested in can't? If -+ * so, it must be a mount point. */ - if (nosupp) - return 1; - -- /* If the file handle for the directory we are interested in and its parent are identical, we assume -- * this is the root directory, which is a mount point. */ -+ /* If the file handle for the directory we are interested in and its parent are identical, -+ * we assume this is the root directory, which is a mount point. */ - - if (h->handle_bytes == h_parent->handle_bytes && - h->handle_type == h_parent->handle_type && -@@ -338,10 +352,10 @@ int path_get_mnt_id(const char *path, int *ret) { - } - - r = name_to_handle_at_loop(AT_FDCWD, path, NULL, ret, 0); -- if (IN_SET(r, -EOPNOTSUPP, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL)) /* kernel/fs don't support this, or seccomp blocks access, or untriggered mount, or name_to_handle_at() is flaky */ -- return fd_fdinfo_mnt_id(AT_FDCWD, path, 0, ret); -+ if (r == 0 || is_name_to_handle_at_fatal_error(r)) -+ return r; - -- return r; -+ return fd_fdinfo_mnt_id(AT_FDCWD, path, 0, ret); - } - - bool fstype_is_network(const char *fstype) { --- -2.33.0 - diff --git a/backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch b/backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch deleted file mode 100644 index 7175d71..0000000 --- a/backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch +++ /dev/null @@ -1,116 +0,0 @@ -From c789d2f457d2e160d00760aa3ecfd6883c64cf5f Mon Sep 17 00:00:00 2001 -From: Topi Miettinen -Date: Sat, 27 Nov 2021 12:51:39 +0200 -Subject: [PATCH] namespace: allow ProcSubset=pid with some ProtectKernel - options - -In case `/proc` is successfully mounted with pid tree subset only due to -`ProcSubset=pid`, the protective mounts for `ProtectKernelTunables=yes` and -`ProtectKernelLogs=yes` to non-pid `/proc` paths are failing because the paths -don't exist. But the pid only option may have failed gracefully (for example -because of ancient kernel), so let's try the mounts but it's not fatal if they -don't succeed. - -(cherry picked from commit 788e720181aead8c85ba30fc7ec9a1455a865cbe) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c789d2f457d2e160d00760aa3ecfd6883c64cf5f ---- - src/core/namespace.c | 42 ++++++++++++++++++++++++++++++++++-------- - 1 file changed, 34 insertions(+), 8 deletions(-) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index 9251871384..b933d46cf6 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -101,7 +101,7 @@ static const MountEntry apivfs_table[] = { - }; - - /* ProtectKernelTunables= option and the related filesystem APIs */ --static const MountEntry protect_kernel_tunables_table[] = { -+static const MountEntry protect_kernel_tunables_proc_table[] = { - { "/proc/acpi", READONLY, true }, - { "/proc/apm", READONLY, true }, /* Obsolete API, there's no point in permitting access to this, ever */ - { "/proc/asound", READONLY, true }, -@@ -116,6 +116,9 @@ static const MountEntry protect_kernel_tunables_table[] = { - { "/proc/sys", READONLY, true }, - { "/proc/sysrq-trigger", READONLY, true }, - { "/proc/timer_stats", READONLY, true }, -+}; -+ -+static const MountEntry protect_kernel_tunables_sys_table[] = { - { "/sys", READONLY, false }, - { "/sys/fs/bpf", READONLY, true }, - { "/sys/fs/cgroup", READWRITE_IMPLICIT, false }, /* READONLY is set by ProtectControlGroups= option */ -@@ -133,8 +136,11 @@ static const MountEntry protect_kernel_modules_table[] = { - }; - - /* ProtectKernelLogs= option */ --static const MountEntry protect_kernel_logs_table[] = { -+static const MountEntry protect_kernel_logs_proc_table[] = { - { "/proc/kmsg", INACCESSIBLE, true }, -+}; -+ -+static const MountEntry protect_kernel_logs_dev_table[] = { - { "/dev/kmsg", INACCESSIBLE, true }, - }; - -@@ -1554,9 +1560,11 @@ static size_t namespace_calculate_mounts( - (n_extension_images > 0 ? n_hierarchies + n_extension_images : 0) + /* Mount each image plus an overlay per hierarchy */ - n_temporary_filesystems + - ns_info->private_dev + -- (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) + -+ (ns_info->protect_kernel_tunables ? -+ ELEMENTSOF(protect_kernel_tunables_proc_table) + ELEMENTSOF(protect_kernel_tunables_sys_table) : 0) + - (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) + -- (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) + -+ (ns_info->protect_kernel_logs ? -+ ELEMENTSOF(protect_kernel_logs_proc_table) + ELEMENTSOF(protect_kernel_logs_dev_table) : 0) + - (ns_info->protect_control_groups ? 1 : 0) + - protect_home_cnt + protect_system_cnt + - (ns_info->protect_hostname ? 2 : 0) + -@@ -2037,10 +2045,21 @@ int setup_namespace( - .flags = DEV_MOUNT_OPTIONS, - }; - -+ /* In case /proc is successfully mounted with pid tree subset only (ProcSubset=pid), the -+ protective mounts to non-pid /proc paths would fail. But the pid only option may have -+ failed gracefully, so let's try the mounts but it's not fatal if they don't succeed. */ -+ bool ignore_protect_proc = ns_info->ignore_protect_paths || ns_info->proc_subset == PROC_SUBSET_PID; - if (ns_info->protect_kernel_tunables) { - r = append_static_mounts(&m, -- protect_kernel_tunables_table, -- ELEMENTSOF(protect_kernel_tunables_table), -+ protect_kernel_tunables_proc_table, -+ ELEMENTSOF(protect_kernel_tunables_proc_table), -+ ignore_protect_proc); -+ if (r < 0) -+ goto finish; -+ -+ r = append_static_mounts(&m, -+ protect_kernel_tunables_sys_table, -+ ELEMENTSOF(protect_kernel_tunables_sys_table), - ns_info->ignore_protect_paths); - if (r < 0) - goto finish; -@@ -2057,8 +2076,15 @@ int setup_namespace( - - if (ns_info->protect_kernel_logs) { - r = append_static_mounts(&m, -- protect_kernel_logs_table, -- ELEMENTSOF(protect_kernel_logs_table), -+ protect_kernel_logs_proc_table, -+ ELEMENTSOF(protect_kernel_logs_proc_table), -+ ignore_protect_proc); -+ if (r < 0) -+ goto finish; -+ -+ r = append_static_mounts(&m, -+ protect_kernel_logs_dev_table, -+ ELEMENTSOF(protect_kernel_logs_dev_table), - ns_info->ignore_protect_paths); - if (r < 0) - goto finish; --- -2.33.0 - diff --git a/backport-namespace-make-tmp-dir-handling-code-independent-of-.patch b/backport-namespace-make-tmp-dir-handling-code-independent-of-.patch deleted file mode 100644 index 581e66a..0000000 --- a/backport-namespace-make-tmp-dir-handling-code-independent-of-.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 78858632566c30d2299bcdbd6efe3cbd1cc99d5a Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 12 Nov 2021 11:16:02 +0100 -Subject: [PATCH] namespace: make tmp dir handling code independent of umask - too - -Let's make all code in namespace.c robust towards weird umask. This -doesn't matter too much given that the parent dirs we deal here almost -certainly exist anyway, but let's clean this up anyway and make it fully -clean. - -(cherry picked from commit 30443439274cc223583c6c57f7d9041e440e346f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/78858632566c30d2299bcdbd6efe3cbd1cc99d5a ---- - src/core/namespace.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index b10a53ad2e..9251871384 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -2466,7 +2466,8 @@ static int make_tmp_prefix(const char *prefix) { - if (errno != ENOENT) - return -errno; - -- r = mkdir_parents(prefix, 0755); -+ RUN_WITH_UMASK(000) -+ r = mkdir_parents(prefix, 0755); - if (r < 0) - return r; - -@@ -2474,7 +2475,8 @@ static int make_tmp_prefix(const char *prefix) { - if (r < 0) - return r; - -- if (mkdir(t, 0777) < 0) -+ if (mkdir(t, 0777) < 0) /* umask will corrupt this access mode, but that doesn't matter, we need to -+ * call chmod() anyway for the suid bit, below. */ - return -errno; - - if (chmod(t, 01777) < 0) { -@@ -2533,10 +2535,9 @@ static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, ch - if (!y) - return -ENOMEM; - -- RUN_WITH_UMASK(0000) { -+ RUN_WITH_UMASK(0000) - if (mkdir(y, 0777 | S_ISVTX) < 0) - return -errno; -- } - - r = label_fix_container(y, prefix, 0); - if (r < 0) -@@ -2548,7 +2549,8 @@ static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, ch - /* Trouble: we failed to create the directory. Instead of failing, let's simulate /tmp being - * read-only. This way the service will get the EROFS result as if it was writing to the real - * file system. */ -- r = mkdir_p(RUN_SYSTEMD_EMPTY, 0500); -+ RUN_WITH_UMASK(0000) -+ r = mkdir_p(RUN_SYSTEMD_EMPTY, 0500); - if (r < 0) - return r; - --- -2.33.0 - diff --git a/backport-namespace-make-whole-namespace_setup-work-regardless.patch b/backport-namespace-make-whole-namespace_setup-work-regardless.patch deleted file mode 100644 index 3631c59..0000000 --- a/backport-namespace-make-whole-namespace_setup-work-regardless.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 569ef9413c2ef3275b45458367342112e5d5f991 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 12 Nov 2021 11:11:27 +0100 -Subject: [PATCH] namespace: make whole namespace_setup() work regardless of - configured umask - -Let's reset the umask during the whole namespace_setup() logic, so that -all our mkdir() + mknod() are not subjected to whatever umask might -currently be set. - -This mostly moves the umask save/restore logic out of -mount_private_dev() and into the stack frame of namespace_setup() that -is further out. - -Fixes #19899 - -(cherry picked from commit cdf42f9bd40ff21a67d58b948efea055d56ad398) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/569ef9413c2ef3275b45458367342112e5d5f991 ---- - src/core/namespace.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index 233ee7be40..b10a53ad2e 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -852,13 +852,10 @@ static int mount_private_dev(MountEntry *m) { - char temporary_mount[] = "/tmp/namespace-dev-XXXXXX"; - const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL; - bool can_mknod = true; -- _cleanup_umask_ mode_t u; - int r; - - assert(m); - -- u = umask(0000); -- - if (!mkdtemp(temporary_mount)) - return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount); - -@@ -1864,6 +1861,10 @@ int setup_namespace( - - assert(ns_info); - -+ /* Make sure that all mknod(), mkdir() calls we do are unaffected by the umask, and the access modes -+ * we configure take effect */ -+ BLOCK_WITH_UMASK(0000); -+ - if (!isempty(propagate_dir) && !isempty(incoming_dir)) - setup_propagate = true; - --- -2.33.0 - diff --git a/backport-namespace-rebreak-a-few-comments.patch b/backport-namespace-rebreak-a-few-comments.patch deleted file mode 100644 index dd72581..0000000 --- a/backport-namespace-rebreak-a-few-comments.patch +++ /dev/null @@ -1,92 +0,0 @@ -From bce7fb14df960aee57f0ad5c9c12a0d35c3e504e Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 12 Nov 2021 11:09:40 +0100 -Subject: [PATCH] namespace: rebreak a few comments - -(cherry picked from commit d73020f2420aa3f220481016829aaa2602abf081) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bce7fb14df960aee57f0ad5c9c12a0d35c3e504e ---- - src/core/namespace.c | 30 ++++++++++++++---------------- - 1 file changed, 14 insertions(+), 16 deletions(-) - -diff --git a/src/core/namespace.c b/src/core/namespace.c -index 982aeeac19..233ee7be40 100644 ---- a/src/core/namespace.c -+++ b/src/core/namespace.c -@@ -806,8 +806,7 @@ static int clone_device_node( - *make_devnode = false; - } - -- /* We're about to fall back to bind-mounting the device -- * node. So create a dummy bind-mount target. -+ /* We're about to fall back to bind-mounting the device node. So create a dummy bind-mount target. - * Do not prepare device-node SELinux label (see issue 13762) */ - r = mknod(dn, S_IFREG, 0); - if (r < 0 && errno != EEXIST) -@@ -930,10 +929,8 @@ static int mount_private_dev(MountEntry *m) { - if (r < 0) - log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount); - -- /* Create the /dev directory if missing. It is more likely to be -- * missing when the service is started with RootDirectory. This is -- * consistent with mount units creating the mount points when missing. -- */ -+ /* Create the /dev directory if missing. It is more likely to be missing when the service is started -+ * with RootDirectory. This is consistent with mount units creating the mount points when missing. */ - (void) mkdir_p_label(mount_entry_path(m), 0755); - - /* Unmount everything in old /dev */ -@@ -975,8 +972,8 @@ static int mount_bind_dev(const MountEntry *m) { - - assert(m); - -- /* Implements the little brother of mount_private_dev(): simply bind mounts the host's /dev into the service's -- * /dev. This is only used when RootDirectory= is set. */ -+ /* Implements the little brother of mount_private_dev(): simply bind mounts the host's /dev into the -+ * service's /dev. This is only used when RootDirectory= is set. */ - - (void) mkdir_p_label(mount_entry_path(m), 0755); - -@@ -1085,7 +1082,8 @@ static int mount_tmpfs(const MountEntry *m) { - entry_path = mount_entry_path(m); - inner_path = mount_entry_unprefixed_path(m); - -- /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */ -+ /* First, get rid of everything that is below if there is anything. Then, overmount with our new -+ * tmpfs */ - - (void) mkdir_p_label(entry_path, 0755); - (void) umount_recursive(entry_path, 0); -@@ -1930,11 +1928,11 @@ int setup_namespace( - * we create it if it doesn't already exist. */ - (void) mkdir_p_label("/run/systemd", 0755); - -- /* Always create the mount namespace in a temporary directory, instead of operating -- * directly in the root. The temporary directory prevents any mounts from being -- * potentially obscured my other mounts we already applied. -- * We use the same mount point for all images, which is safe, since they all live -- * in their own namespaces after all, and hence won't see each other. */ -+ /* Always create the mount namespace in a temporary directory, instead of operating directly -+ * in the root. The temporary directory prevents any mounts from being potentially obscured -+ * my other mounts we already applied. We use the same mount point for all images, which is -+ * safe, since they all live in their own namespaces after all, and hence won't see each -+ * other. */ - - root = "/run/systemd/unit-root"; - (void) mkdir_label(root, 0700); -@@ -2198,8 +2196,8 @@ int setup_namespace( - (void) mkdir_p(propagate_dir, 0600); - - if (n_extension_images > 0) -- /* ExtensionImages mountpoint directories will be created -- * while parsing the mounts to create, so have the parent ready */ -+ /* ExtensionImages mountpoint directories will be created while parsing the mounts to create, -+ * so have the parent ready */ - (void) mkdir_p(extension_dir, 0600); - - /* Remount / as SLAVE so that nothing now mounted in the namespace --- -2.33.0 - diff --git a/backport-network-add-comments.patch b/backport-network-add-comments.patch deleted file mode 100644 index 1558354..0000000 --- a/backport-network-add-comments.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 7522b239b865f851e7834b53367dc196244e48fd Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 4 Aug 2021 13:52:52 +0900 -Subject: [PATCH] network: add comments - -(cherry picked from commit 17d808a8bf55471009f5e0e1ccb06b1ffccdfa1a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7522b239b865f851e7834b53367dc196244e48fd ---- - src/network/networkd-setlink.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c -index a316a6c59b..fa1dd9b3ba 100644 ---- a/src/network/networkd-setlink.c -+++ b/src/network/networkd-setlink.c -@@ -106,7 +106,7 @@ on_error: - static int link_set_addrgen_mode_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { - int r; - -- r = set_link_handler_internal(rtnl, m, link, SET_LINK_ADDRESS_GENERATION_MODE, true, NULL); -+ r = set_link_handler_internal(rtnl, m, link, SET_LINK_ADDRESS_GENERATION_MODE, /* ignore = */ true, NULL); - if (r <= 0) - return r; - -@@ -120,31 +120,31 @@ static int link_set_addrgen_mode_handler(sd_netlink *rtnl, sd_netlink_message *m - } - - static int link_set_bond_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_BOND, false, NULL); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_BOND, /* ignore = */ false, NULL); - } - - static int link_set_bridge_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, false, NULL); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, /* ignore = */ false, NULL); - } - - static int link_set_bridge_vlan_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE_VLAN, false, NULL); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE_VLAN, /* ignore = */ false, NULL); - } - - static int link_set_can_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_CAN, false, NULL); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_CAN, /* ignore = */ false, NULL); - } - - static int link_set_flags_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_FLAGS, false, get_link_update_flag_handler); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_FLAGS, /* ignore = */ false, get_link_update_flag_handler); - } - - static int link_set_group_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_GROUP, false, NULL); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_GROUP, /* ignore = */ false, NULL); - } - - static int link_set_mac_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_MAC, true, get_link_default_handler); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_MAC, /* ignore = */ true, get_link_default_handler); - } - - static int link_set_mac_allow_retry_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -@@ -180,13 +180,13 @@ static int link_set_mac_allow_retry_handler(sd_netlink *rtnl, sd_netlink_message - } - - static int link_set_master_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, false, get_link_master_handler); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, /* ignore = */ false, get_link_master_handler); - } - - static int link_set_mtu_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { - int r; - -- r = set_link_handler_internal(rtnl, m, link, SET_LINK_MTU, true, get_link_default_handler); -+ r = set_link_handler_internal(rtnl, m, link, SET_LINK_MTU, /* ignore = */ true, get_link_default_handler); - if (r <= 0) - return r; - --- -2.33.0 - diff --git a/backport-network-address-read-flags-from-message-header-when-.patch b/backport-network-address-read-flags-from-message-header-when-.patch deleted file mode 100644 index d47827e..0000000 --- a/backport-network-address-read-flags-from-message-header-when-.patch +++ /dev/null @@ -1,40 +0,0 @@ -From a6c264cbd6fc8c10c905ee2c1cd22717247c3c25 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 8 Dec 2021 05:35:37 +0900 -Subject: [PATCH] network: address: read flags from message header when - IFA_FLAGS is not supported by kernel - -Follow-up for 0828a38605975b68c14c9194a1ee2c5c2ff7038f. - -Fixes #21670. - -(cherry picked from commit 8ed68422e1bafc84afe524bc5020d343bc6163ca) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a6c264cbd6fc8c10c905ee2c1cd22717247c3c25 ---- - src/network/networkd-address.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c -index 7b221516d7..bfc2e19bee 100644 ---- a/src/network/networkd-address.c -+++ b/src/network/networkd-address.c -@@ -1368,6 +1368,14 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message, - } - - r = sd_netlink_message_read_u32(message, IFA_FLAGS, &tmp->flags); -+ if (r == -ENODATA) { -+ unsigned char flags; -+ -+ /* For old kernels. */ -+ r = sd_rtnl_message_addr_get_flags(message, &flags); -+ if (r >= 0) -+ tmp->flags = flags; -+ } - if (r < 0) { - log_link_warning_errno(link, r, "rtnl: received address message without flags, ignoring: %m"); - return 0; --- -2.33.0 - diff --git a/backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch b/backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch deleted file mode 100644 index 06bef70..0000000 --- a/backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 1d1b7de63902e5fa8d1ba900e9bf608e2ccd2b23 Mon Sep 17 00:00:00 2001 -From: Tom Yan -Date: Mon, 16 Aug 2021 18:00:42 +0800 -Subject: [PATCH] network: allow users to forbid passthru MACVLAN from putting - its link into promiscuous mode - -While we haven't implemented a key for users to set MACVLAN/MACVTAP flags, -we can at least allow them to make use of the Promiscuous= key of -the corresponding link to set the nopromisc flag. - -(cherry picked from commit 17a6a4ae2e7104a1105a0cef0ba049799f3ef6bc) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1d1b7de63902e5fa8d1ba900e9bf608e2ccd2b23 ---- - src/network/netdev/macvlan.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/src/network/netdev/macvlan.c b/src/network/netdev/macvlan.c -index 46b0826148..9d037c2f36 100644 ---- a/src/network/netdev/macvlan.c -+++ b/src/network/netdev/macvlan.c -@@ -5,6 +5,7 @@ - #include "conf-parser.h" - #include "macvlan.h" - #include "macvlan-util.h" -+#include "networkd-network.h" - #include "parse-util.h" - - DEFINE_CONFIG_PARSE_ENUM(config_parse_macvlan_mode, macvlan_mode, MacVlanMode, "Failed to parse macvlan mode"); -@@ -16,6 +17,7 @@ static int netdev_macvlan_fill_message_create(NetDev *netdev, Link *link, sd_net - assert(netdev); - assert(link); - assert(netdev->ifname); -+ assert(link->network); - - if (netdev->kind == NETDEV_KIND_MACVLAN) - m = MACVLAN(netdev); -@@ -52,6 +54,13 @@ static int netdev_macvlan_fill_message_create(NetDev *netdev, Link *link, sd_net - return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACVLAN_MODE attribute: %m"); - } - -+ /* set the nopromisc flag if Promiscuous= of the link is explicitly set to false */ -+ if (m->mode == NETDEV_MACVLAN_MODE_PASSTHRU && link->network->promiscuous == 0) { -+ r = sd_netlink_message_append_u16(req, IFLA_MACVLAN_FLAGS, MACVLAN_FLAG_NOPROMISC); -+ if (r < 0) -+ return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACVLAN_FLAGS attribute: %m"); -+ } -+ - if (m->bc_queue_length != UINT32_MAX) { - r = sd_netlink_message_append_u32(req, IFLA_MACVLAN_BC_QUEUE_LEN, m->bc_queue_length); - if (r < 0) --- -2.33.0 - diff --git a/backport-network-also-check-addresses-when-determine-a-gatewa.patch b/backport-network-also-check-addresses-when-determine-a-gatewa.patch deleted file mode 100644 index b42298b..0000000 --- a/backport-network-also-check-addresses-when-determine-a-gatewa.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 2f599380f1ab1ee5fe3f7b02926ae2dd642bed9b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 12 Jul 2021 15:46:44 +0900 -Subject: [PATCH] network: also check addresses when determine a gateway - address is reachable or not - -Fixes #20201. - -(cherry picked from commit 11046cea1414c70b5d7aab37ea88d5a839cbd209) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2f599380f1ab1ee5fe3f7b02926ae2dd642bed9b ---- - src/network/networkd-route.c | 34 ++++++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - -diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c -index 77a93beca9..068915616e 100644 ---- a/src/network/networkd-route.c -+++ b/src/network/networkd-route.c -@@ -746,6 +746,26 @@ static bool route_address_is_reachable(const Route *route, int family, const uni - FAMILY_ADDRESS_SIZE(family) * 8) > 0; - } - -+static bool prefix_route_address_is_reachable(const Address *a, int family, const union in_addr_union *address) { -+ assert(a); -+ assert(IN_SET(family, AF_INET, AF_INET6)); -+ assert(address); -+ -+ if (a->family != family) -+ return false; -+ if (FLAGS_SET(a->flags, IFA_F_NOPREFIXROUTE)) -+ return false; -+ if (in_addr_is_set(a->family, &a->in_addr_peer)) -+ return false; -+ -+ return in_addr_prefix_intersect( -+ family, -+ &a->in_addr, -+ a->prefixlen, -+ address, -+ FAMILY_ADDRESS_SIZE(family) * 8) > 0; -+} -+ - bool manager_address_is_reachable(Manager *manager, int family, const union in_addr_union *address) { - Link *link; - -@@ -764,6 +784,20 @@ bool manager_address_is_reachable(Manager *manager, int family, const union in_a - return true; - } - -+ /* If we do not manage foreign routes, then there may exist a prefix route we do not know, -+ * which was created on configuring an address. Hence, also check the addresses. */ -+ if (!manager->manage_foreign_routes) -+ HASHMAP_FOREACH(link, manager->links_by_index) { -+ Address *a; -+ -+ SET_FOREACH(a, link->addresses) -+ if (prefix_route_address_is_reachable(a, family, address)) -+ return true; -+ SET_FOREACH(a, link->addresses_foreign) -+ if (prefix_route_address_is_reachable(a, family, address)) -+ return true; -+ } -+ - return false; - } - --- -2.33.0 - diff --git a/backport-network-bridge-fix-endian-of-vlan-protocol.patch b/backport-network-bridge-fix-endian-of-vlan-protocol.patch deleted file mode 100644 index 59cdde4..0000000 --- a/backport-network-bridge-fix-endian-of-vlan-protocol.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 7b9aa956fbf9fc342a4e35fbcf90e7083cccbf6c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 10 Feb 2022 17:47:14 +0900 -Subject: [PATCH] network: bridge: fix endian of vlan protocol - -Fixes #22469. - -(cherry picked from commit 6eb35be8e0fa5f1f00dddd558cf4dc3642d9e53e) -(cherry picked from commit 514a4c051ce6cceaa5417a2044e708bd5105131d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7b9aa956fbf9fc342a4e35fbcf90e7083cccbf6c ---- - src/network/netdev/bridge.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/network/netdev/bridge.c b/src/network/netdev/bridge.c -index 99fb9e1c3c..b9a0136843 100644 ---- a/src/network/netdev/bridge.c -+++ b/src/network/netdev/bridge.c -@@ -126,7 +126,7 @@ static int netdev_bridge_post_create(NetDev *netdev, Link *link, sd_netlink_mess - } - - if (b->vlan_protocol >= 0) { -- r = sd_netlink_message_append_u16(req, IFLA_BR_VLAN_PROTOCOL, b->vlan_protocol); -+ r = sd_netlink_message_append_u16(req, IFLA_BR_VLAN_PROTOCOL, htobe16(b->vlan_protocol)); - if (r < 0) - return log_netdev_error_errno(netdev, r, "Could not append IFLA_BR_VLAN_PROTOCOL attribute: %m"); - } --- -2.33.0 - diff --git a/backport-network-check-the-received-interface-name-is-actuall.patch b/backport-network-check-the-received-interface-name-is-actuall.patch deleted file mode 100644 index b23ec35..0000000 --- a/backport-network-check-the-received-interface-name-is-actuall.patch +++ /dev/null @@ -1,71 +0,0 @@ -From d2895063305712cd9e5d7f4361f9343bf3b3f00b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 12 Jul 2021 21:23:41 +0900 -Subject: [PATCH] network: check the received interface name is actually new - -For some reasons I do not know, on interface renaming, kernel once send -netlink message with old interface name, and then send with new name. -If eth0 is renamed, and then new interface appears as eth0, then the -message with the old name 'eth0' makes the interface enters failed -state. - -To ignore such invalid(?) rename event messages, let's confirm the -received interface name. - -Fixes #20203. - -(cherry picked from commit 176b8be10ffce2f8c1fc931a37904a528057016f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d2895063305712cd9e5d7f4361f9343bf3b3f00b ---- - src/network/networkd-link.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index 9421ce1aa6..d58b700050 100644 ---- a/src/network/networkd-link.c -+++ b/src/network/networkd-link.c -@@ -1,5 +1,6 @@ - /* SPDX-License-Identifier: LGPL-2.1-or-later */ - -+#include - #include - #include - #include -@@ -21,6 +22,7 @@ - #include "ethtool-util.h" - #include "fd-util.h" - #include "fileio.h" -+#include "format-util.h" - #include "fs-util.h" - #include "ipvlan.h" - #include "missing_network.h" -@@ -2161,6 +2163,7 @@ static int link_update_alternative_names(Link *link, sd_netlink_message *message - } - - static int link_update_name(Link *link, sd_netlink_message *message) { -+ char ifname_from_index[IF_NAMESIZE + 1]; - const char *ifname; - int r; - -@@ -2177,6 +2180,16 @@ static int link_update_name(Link *link, sd_netlink_message *message) { - if (streq(ifname, link->ifname)) - return 0; - -+ if (!format_ifname(link->ifindex, ifname_from_index)) -+ return log_link_debug_errno(link, SYNTHETIC_ERRNO(ENXIO), "Could not get interface name for index %i.", link->ifindex); -+ -+ if (!streq(ifname, ifname_from_index)) { -+ log_link_debug(link, "New interface name '%s' received from the kernel does not correspond " -+ "with the name currently configured on the actual interface '%s'. Ignoring.", -+ ifname, ifname_from_index); -+ return 0; -+ } -+ - log_link_info(link, "Interface name change detected, renamed to %s.", ifname); - - hashmap_remove(link->manager->links_by_name, link->ifname); --- -2.33.0 - diff --git a/backport-network-configure-address-with-requested-lifetime.patch b/backport-network-configure-address-with-requested-lifetime.patch deleted file mode 100644 index 9489fae..0000000 --- a/backport-network-configure-address-with-requested-lifetime.patch +++ /dev/null @@ -1,50 +0,0 @@ -From d18f1ad555a0b0b03fe8eb176f763b50a1aab215 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 19 Jul 2021 15:18:37 +0900 -Subject: [PATCH] network: configure address with requested lifetime - -When assigning the same address provided by a dynamic addressing -protocol, the new lifetime is stored on Request::Address, but not -Address object in Link object, which can be obtained by address_get(). -So, we need to configure address with Address object in Request. - -Fixes #20245. - -(cherry picked from commit 2d302d88e4dfd48b18486c5ce2c7dfeb229a1b0a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d18f1ad555a0b0b03fe8eb176f763b50a1aab215 ---- - src/network/networkd-address.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c -index 6b2230b725..7b221516d7 100644 ---- a/src/network/networkd-address.c -+++ b/src/network/networkd-address.c -@@ -1272,17 +1272,17 @@ int request_process_address(Request *req) { - if (r <= 0) - return r; - -- r = address_get(link, req->address, &a); -- if (r < 0) -- return r; -- -- r = address_configure(a, link, req->netlink_handler); -+ r = address_configure(req->address, link, req->netlink_handler); - if (r < 0) - return r; - - /* To prevent a double decrement on failure in after_configure(). */ - req->message_counter = NULL; - -+ r = address_get(link, req->address, &a); -+ if (r < 0) -+ return r; -+ - if (req->after_configure) { - r = req->after_configure(req, a); - if (r < 0) --- -2.33.0 - diff --git a/backport-network-disable-event-sources-before-unref-them.patch b/backport-network-disable-event-sources-before-unref-them.patch deleted file mode 100644 index e084d88..0000000 --- a/backport-network-disable-event-sources-before-unref-them.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 847168ed320e9ff14ed95dbde0a1f392acbe4a44 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 24 Sep 2021 17:26:10 +0900 -Subject: [PATCH] network: disable event sources before unref them - -(cherry picked from commit d105befc976ad704d3b17b3a5ee1b659a5f624d4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/847168ed320e9ff14ed95dbde0a1f392acbe4a44 ---- - src/network/networkd-lldp-tx.c | 2 +- - src/network/networkd-route.c | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/network/networkd-lldp-tx.c b/src/network/networkd-lldp-tx.c -index 45a087b301..82a403fe21 100644 ---- a/src/network/networkd-lldp-tx.c -+++ b/src/network/networkd-lldp-tx.c -@@ -413,7 +413,7 @@ int link_lldp_emit_start(Link *link) { - void link_lldp_emit_stop(Link *link) { - assert(link); - -- link->lldp_emit_event_source = sd_event_source_unref(link->lldp_emit_event_source); -+ link->lldp_emit_event_source = sd_event_source_disable_unref(link->lldp_emit_event_source); - } - - int config_parse_lldp_mud( -diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c -index b7852f6eec..791fd64c39 100644 ---- a/src/network/networkd-route.c -+++ b/src/network/networkd-route.c -@@ -290,7 +290,7 @@ Route *route_free(Route *route) { - - ordered_set_free_with_destructor(route->multipath_routes, multipath_route_free); - -- sd_event_source_unref(route->expire); -+ sd_event_source_disable_unref(route->expire); - - return mfree(route); - } -@@ -1273,7 +1273,7 @@ static int route_expire_handler(sd_event_source *s, uint64_t usec, void *userdat - } - - static int route_add_and_setup_timer_one(Link *link, const Route *route, const MultipathRoute *m, const NextHop *nh, uint8_t nh_weight, Route **ret) { -- _cleanup_(sd_event_source_unrefp) sd_event_source *expire = NULL; -+ _cleanup_(sd_event_source_disable_unrefp) sd_event_source *expire = NULL; - Route *nr; - int r; - -@@ -1311,7 +1311,7 @@ static int route_add_and_setup_timer_one(Link *link, const Route *route, const M - return log_link_error_errno(link, r, "Could not arm expiration timer: %m"); - } - -- sd_event_source_unref(nr->expire); -+ sd_event_source_disable_unref(nr->expire); - nr->expire = TAKE_PTR(expire); - - *ret = nr; --- -2.33.0 - diff --git a/backport-network-do-not-assume-the-highest-priority-when-Prio.patch b/backport-network-do-not-assume-the-highest-priority-when-Prio.patch deleted file mode 100644 index b7059d9..0000000 --- a/backport-network-do-not-assume-the-highest-priority-when-Prio.patch +++ /dev/null @@ -1,292 +0,0 @@ -From c5ff3ea39882609b307c4a9925d1c17413d17dfc Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 17 Aug 2021 14:03:19 +0900 -Subject: [PATCH] network: do not assume the highest priority when Priority= is - unspecified - -Previously, when Priority= is unspecified, networkd configured the rule with -the highest (=0) priority. This commit makes networkd distinguish the case -the setting is unspecified and one explicitly specified as Priority=0. - -Note. -1) If the priority is unspecified on configure, then kernel dynamically picks - a priority for the rule. -2) The new behavior is consistent with 'ip rule' command. - -Replaces #15606. - -(cherry picked from commit c4f7a347566b8926382029593b4d9957fef2564c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c5ff3ea39882609b307c4a9925d1c17413d17dfc ---- - man/systemd.network.xml | 4 +- - src/network/networkd-routing-policy-rule.c | 120 +++++++++++++++++--- - src/network/networkd-routing-policy-rule.h | 1 + - test/test-network/systemd-networkd-tests.py | 2 +- - 4 files changed, 110 insertions(+), 17 deletions(-) - -diff --git a/man/systemd.network.xml b/man/systemd.network.xml -index 3b7680eb8b..9de9816ced 100644 ---- a/man/systemd.network.xml -+++ b/man/systemd.network.xml -@@ -1238,7 +1238,9 @@ IPv6Token=prefixstable:2002:da8:1:: - Priority= - - Specifies the priority of this rule. Priority= is an unsigned -- integer. Higher number means lower priority, and rules get processed in order of increasing number. -+ integer in the range 0…4294967295. Higher number means lower priority, and rules get -+ processed in order of increasing number. Defaults to unset, and the kernel will pick -+ a value dynamically. - - - -diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c -index af7e8a973c..03ccbd8e85 100644 ---- a/src/network/networkd-routing-policy-rule.c -+++ b/src/network/networkd-routing-policy-rule.c -@@ -163,7 +163,9 @@ void routing_policy_rule_hash_func(const RoutingPolicyRule *rule, struct siphash - siphash24_compress(&rule->type, sizeof(rule->type), state); - siphash24_compress(&rule->fwmark, sizeof(rule->fwmark), state); - siphash24_compress(&rule->fwmask, sizeof(rule->fwmask), state); -- siphash24_compress(&rule->priority, sizeof(rule->priority), state); -+ siphash24_compress_boolean(rule->priority_set, state); -+ if (rule->priority_set) -+ siphash24_compress(&rule->priority, sizeof(rule->priority), state); - siphash24_compress(&rule->table, sizeof(rule->table), state); - siphash24_compress(&rule->suppress_prefixlen, sizeof(rule->suppress_prefixlen), state); - -@@ -229,10 +231,16 @@ int routing_policy_rule_compare_func(const RoutingPolicyRule *a, const RoutingPo - if (r != 0) - return r; - -- r = CMP(a->priority, b->priority); -+ r = CMP(a->priority_set, b->priority_set); - if (r != 0) - return r; - -+ if (a->priority_set) { -+ r = CMP(a->priority, b->priority); -+ if (r != 0) -+ return r; -+ } -+ - r = CMP(a->table, b->table); - if (r != 0) - return r; -@@ -293,8 +301,9 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR( - routing_policy_rule_compare_func, - routing_policy_rule_free); - --static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, RoutingPolicyRule **ret) { -+static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, bool require_priority, RoutingPolicyRule **ret) { - RoutingPolicyRule *existing; -+ int r; - - assert(m); - -@@ -312,6 +321,23 @@ static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, Ro - return 0; - } - -+ if (!require_priority && rule->priority_set) { -+ _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL; -+ -+ r = routing_policy_rule_dup(rule, &tmp); -+ if (r < 0) -+ return r; -+ -+ tmp->priority_set = false; -+ -+ existing = set_get(m->rules, tmp); -+ if (existing) { -+ if (ret) -+ *ret = existing; -+ return 1; -+ } -+ } -+ - return -ENOENT; - } - -@@ -328,7 +354,7 @@ static int routing_policy_rule_add(Manager *m, const RoutingPolicyRule *in, Rout - if (r < 0) - return r; - -- r = routing_policy_rule_get(m, rule, &existing); -+ r = routing_policy_rule_get(m, rule, true, &existing); - if (r == -ENOENT) { - /* Rule does not exist, use a new one. */ - r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, rule); -@@ -371,6 +397,32 @@ static int routing_policy_rule_consume_foreign(Manager *m, RoutingPolicyRule *ru - return 1; - } - -+static int routing_policy_rule_update_priority(RoutingPolicyRule *rule, uint32_t priority) { -+ int r; -+ -+ assert(rule); -+ assert(rule->manager); -+ -+ if (rule->priority_set) -+ return 0; -+ -+ if (!set_remove(rule->manager->rules, rule)) -+ return -ENOENT; -+ -+ rule->priority = priority; -+ rule->priority_set = true; -+ -+ r = set_put(rule->manager->rules, rule); -+ if (r <= 0) { -+ /* Undo */ -+ rule->priority_set = false; -+ assert_se(set_put(rule->manager->rules, rule) > 0); -+ return r == 0 ? -EEXIST : r; -+ } -+ -+ return 1; -+} -+ - static void log_routing_policy_rule_debug(const RoutingPolicyRule *rule, const char *str, const Link *link, const Manager *m) { - _cleanup_free_ char *from = NULL, *to = NULL, *table = NULL; - -@@ -422,9 +474,11 @@ static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule - return log_link_error_errno(link, r, "Could not set destination prefix length: %m"); - } - -- r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority); -- if (r < 0) -- return log_link_error_errno(link, r, "Could not append FRA_PRIORITY attribute: %m"); -+ if (rule->priority_set) { -+ r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority); -+ if (r < 0) -+ return log_link_error_errno(link, r, "Could not append FRA_PRIORITY attribute: %m"); -+ } - - if (rule->tos > 0) { - r = sd_rtnl_message_routing_policy_rule_set_tos(m, rule->tos); -@@ -662,6 +716,28 @@ int manager_drop_routing_policy_rules_internal(Manager *m, bool foreign, const L - continue; - } - -+ if (!foreign) { -+ _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL; -+ -+ /* The rule may be configured without priority. Try to find without priority. */ -+ -+ k = routing_policy_rule_dup(rule, &tmp); -+ if (k < 0) { -+ if (r >= 0) -+ r = k; -+ continue; -+ } -+ -+ tmp->priority_set = false; -+ -+ k = links_have_routing_policy_rule(m, tmp, except); -+ if (k != 0) { -+ if (k < 0 && r >= 0) -+ r = k; -+ continue; -+ } -+ } -+ - k = routing_policy_rule_remove(rule, m); - if (k < 0 && r >= 0) - r = k; -@@ -821,11 +897,11 @@ int request_process_routing_policy_rule(Request *req) { - } - - static const RoutingPolicyRule kernel_rules[] = { -- { .family = AF_INET, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -- { .family = AF_INET, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -- { .family = AF_INET, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -- { .family = AF_INET6, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -- { .family = AF_INET6, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -+ { .family = AF_INET, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -+ { .family = AF_INET, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -+ { .family = AF_INET, .priority_set = true, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -+ { .family = AF_INET6, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, -+ { .family = AF_INET6, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, }, - }; - - static bool routing_policy_rule_is_created_by_kernel(const RoutingPolicyRule *rule) { -@@ -936,6 +1012,9 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man - log_warning_errno(r, "rtnl: could not get FRA_PRIORITY attribute, ignoring: %m"); - return 0; - } -+ /* The kernel does not send priority if priority is zero. So, the flag below must be always set -+ * even if the message does not contain FRA_PRIORITY. */ -+ tmp->priority_set = true; - - r = sd_netlink_message_read_u32(message, FRA_TABLE, &tmp->table); - if (r < 0 && r != -ENODATA) { -@@ -1027,13 +1106,16 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man - * protocol of the received rule is RTPROT_KERNEL or RTPROT_STATIC. */ - tmp->protocol = routing_policy_rule_is_created_by_kernel(tmp) ? RTPROT_KERNEL : RTPROT_STATIC; - -- (void) routing_policy_rule_get(m, tmp, &rule); -+ (void) routing_policy_rule_get(m, tmp, false, &rule); - - switch (type) { - case RTM_NEWRULE: -- if (rule) -+ if (rule) { - log_routing_policy_rule_debug(tmp, "Received remembered", NULL, m); -- else if (!m->manage_foreign_routes) -+ r = routing_policy_rule_update_priority(rule, tmp->priority); -+ if (r < 0) -+ log_warning_errno(r, "Failed to update priority of remembered routing policy rule, ignoring: %m"); -+ } else if (!m->manage_foreign_routes) - log_routing_policy_rule_debug(tmp, "Ignoring received foreign", NULL, m); - else { - log_routing_policy_rule_debug(tmp, "Remembering foreign", NULL, m); -@@ -1155,11 +1237,19 @@ int config_parse_routing_policy_rule_priority( - if (r < 0) - return log_oom(); - -+ if (isempty(rvalue)) { -+ n->priority = 0; -+ n->priority_set = false; -+ TAKE_PTR(n); -+ return 0; -+ } -+ - r = safe_atou32(rvalue, &n->priority); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule priority, ignoring: %s", rvalue); - return 0; - } -+ n->priority_set = true; - - TAKE_PTR(n); - return 0; -diff --git a/src/network/networkd-routing-policy-rule.h b/src/network/networkd-routing-policy-rule.h -index aed37b00d2..557048c3f4 100644 ---- a/src/network/networkd-routing-policy-rule.h -+++ b/src/network/networkd-routing-policy-rule.h -@@ -20,6 +20,7 @@ typedef struct RoutingPolicyRule { - NetworkConfigSection *section; - - bool invert_rule; -+ bool priority_set; - - uint8_t tos; - uint8_t type; -diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py -index 0eb2fdf87e..4a2af0c500 100755 ---- a/test/test-network/systemd-networkd-tests.py -+++ b/test/test-network/systemd-networkd-tests.py -@@ -3644,7 +3644,7 @@ class NetworkdBridgeTests(unittest.TestCase, Utilities): - - output = check_output('ip rule list table 100') - print(output) -- self.assertIn('0: from all to 8.8.8.8 lookup 100', output) -+ self.assertIn('from all to 8.8.8.8 lookup 100', output) - - class NetworkdLLDPTests(unittest.TestCase, Utilities): - links = ['veth99'] --- -2.33.0 - diff --git a/backport-network-fix-configuring-of-CAN-devices.patch b/backport-network-fix-configuring-of-CAN-devices.patch deleted file mode 100644 index 0558913..0000000 --- a/backport-network-fix-configuring-of-CAN-devices.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9bf50758426a3d8dd4b40e28c960e920d41444ba Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 12 Aug 2021 13:39:53 +0900 -Subject: [PATCH] network: fix configuring of CAN devices - -Fix a bug introduced by 7558f9e717381eef0ddc8ddfb5a754ea4b0f3e6c. - -Fixes #20428. - -(cherry picked from commit 1e8cce8f1e61e01db844d518b7051b6ce69867fd) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9bf50758426a3d8dd4b40e28c960e920d41444ba ---- - src/network/networkd-setlink.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c -index 10c312c480..13c4cedd10 100644 ---- a/src/network/networkd-setlink.c -+++ b/src/network/networkd-setlink.c -@@ -229,10 +229,14 @@ static int link_configure( - - log_link_debug(link, "Setting %s", set_link_operation_to_string(op)); - -- if (IN_SET(op, SET_LINK_BOND, SET_LINK_CAN)) { -+ if (op == SET_LINK_BOND) { - r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_NEWLINK, link->master_ifindex); - if (r < 0) - return log_link_debug_errno(link, r, "Could not allocate RTM_NEWLINK message: %m"); -+ } else if (op == SET_LINK_CAN) { -+ r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_NEWLINK, link->ifindex); -+ if (r < 0) -+ return log_link_debug_errno(link, r, "Could not allocate RTM_NEWLINK message: %m"); - } else { - r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex); - if (r < 0) --- -2.33.0 - diff --git a/backport-network-fix-handling-of-network-interface-renaming.patch b/backport-network-fix-handling-of-network-interface-renaming.patch deleted file mode 100644 index f7eddd0..0000000 --- a/backport-network-fix-handling-of-network-interface-renaming.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 6ee3390c978dca7a590a4c16d4d620984e60fa96 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 10 Sep 2021 08:09:56 +0900 -Subject: [PATCH] network: fix handling of network interface renaming - -Fixes #20657. - -(cherry picked from commit 160203e974945ce520fe8f569458634ef898c61c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6ee3390c978dca7a590a4c16d4d620984e60fa96 ---- - src/network/networkd-link.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index d58b700050..20675f2306 100644 ---- a/src/network/networkd-link.c -+++ b/src/network/networkd-link.c -@@ -1404,17 +1404,21 @@ static int link_initialized(Link *link, sd_device *device) { - assert(link); - assert(device); - -- if (link->state != LINK_STATE_PENDING) -- return 0; -+ /* Always replace with the new sd_device object. As the sysname (and possibly other properties -+ * or sysattrs) may be outdated. */ -+ sd_device_ref(device); -+ sd_device_unref(link->sd_device); -+ link->sd_device = device; - -- if (link->sd_device) -+ /* Do not ignore unamanaged state case here. If an interface is renamed after being once -+ * configured, and the corresponding .network file has Name= in [Match] section, then the -+ * interface may be already in unmanaged state. See #20657. */ -+ if (!IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_UNMANAGED)) - return 0; - - log_link_debug(link, "udev initialized link"); - link_set_state(link, LINK_STATE_INITIALIZED); - -- link->sd_device = sd_device_ref(device); -- - /* udev has initialized the link, but we don't know if we have yet - * processed the NEWLINK messages with the latest state. Do a GETLINK, - * when it returns we know that the pending NEWLINKs have already been --- -2.33.0 - diff --git a/backport-network-fix-logic-for-checking-gateway-address-is-re.patch b/backport-network-fix-logic-for-checking-gateway-address-is-re.patch deleted file mode 100644 index 3c5a1f6..0000000 --- a/backport-network-fix-logic-for-checking-gateway-address-is-re.patch +++ /dev/null @@ -1,182 +0,0 @@ -From 2bd5bbbd39d5c825ed520e8282840b76b8f7fc79 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 21 Aug 2021 03:51:39 +0900 -Subject: [PATCH] network: fix logic for checking gateway address is ready - -This fixes the followings: -- The corresponding route or address to the gateway address must be in - the same link. -- IPv6 link local address is not necessary to be reachable. - -Fixes an issue reported in https://github.com/systemd/systemd/issues/8686#issuecomment-902562324. - -(cherry picked from commit 3333350a0e1917395d3654731ca985ea668bca9b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2bd5bbbd39d5c825ed520e8282840b76b8f7fc79 ---- - src/network/networkd-nexthop.c | 7 +--- - src/network/networkd-route.c | 72 ++++++++++++++++++++-------------- - src/network/networkd-route.h | 2 +- - 3 files changed, 44 insertions(+), 37 deletions(-) - -diff --git a/src/network/networkd-nexthop.c b/src/network/networkd-nexthop.c -index a52e5dcb16..c5cba88f46 100644 ---- a/src/network/networkd-nexthop.c -+++ b/src/network/networkd-nexthop.c -@@ -791,12 +791,7 @@ static bool nexthop_is_ready_to_configure(Link *link, const NextHop *nexthop) { - } - } - -- if (nexthop->onlink <= 0 && -- in_addr_is_set(nexthop->family, &nexthop->gw) && -- !manager_address_is_reachable(link->manager, nexthop->family, &nexthop->gw)) -- return false; -- -- return true; -+ return gateway_is_ready(link, nexthop->onlink, nexthop->family, &nexthop->gw); - } - - int request_process_nexthop(Request *req) { -diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c -index 068915616e..b7852f6eec 100644 ---- a/src/network/networkd-route.c -+++ b/src/network/networkd-route.c -@@ -753,6 +753,8 @@ static bool prefix_route_address_is_reachable(const Address *a, int family, cons - - if (a->family != family) - return false; -+ if (!address_is_ready(a)) -+ return false; - if (FLAGS_SET(a->flags, IFA_F_NOPREFIXROUTE)) - return false; - if (in_addr_is_set(a->family, &a->in_addr_peer)) -@@ -766,37 +768,34 @@ static bool prefix_route_address_is_reachable(const Address *a, int family, cons - FAMILY_ADDRESS_SIZE(family) * 8) > 0; - } - --bool manager_address_is_reachable(Manager *manager, int family, const union in_addr_union *address) { -- Link *link; -+static bool link_address_is_reachable(Link *link, int family, const union in_addr_union *address) { -+ Route *route; - -- assert(manager); -+ assert(link); -+ assert(link->manager); - assert(IN_SET(family, AF_INET, AF_INET6)); - assert(address); - -- HASHMAP_FOREACH(link, manager->links_by_index) { -- Route *route; - -- SET_FOREACH(route, link->routes) -- if (route_address_is_reachable(route, family, address)) -- return true; -- SET_FOREACH(route, link->routes_foreign) -- if (route_address_is_reachable(route, family, address)) -- return true; -- } -+ SET_FOREACH(route, link->routes) -+ if (route_address_is_reachable(route, family, address)) -+ return true; -+ SET_FOREACH(route, link->routes_foreign) -+ if (route_address_is_reachable(route, family, address)) -+ return true; - - /* If we do not manage foreign routes, then there may exist a prefix route we do not know, - * which was created on configuring an address. Hence, also check the addresses. */ -- if (!manager->manage_foreign_routes) -- HASHMAP_FOREACH(link, manager->links_by_index) { -- Address *a; -- -- SET_FOREACH(a, link->addresses) -- if (prefix_route_address_is_reachable(a, family, address)) -- return true; -- SET_FOREACH(a, link->addresses_foreign) -- if (prefix_route_address_is_reachable(a, family, address)) -- return true; -- } -+ if (!link->manager->manage_foreign_routes) { -+ Address *a; -+ -+ SET_FOREACH(a, link->addresses) -+ if (prefix_route_address_is_reachable(a, family, address)) -+ return true; -+ SET_FOREACH(a, link->addresses_foreign) -+ if (prefix_route_address_is_reachable(a, family, address)) -+ return true; -+ } - - return false; - } -@@ -1692,6 +1691,22 @@ int link_request_static_routes(Link *link, bool only_ipv4) { - return 0; - } - -+bool gateway_is_ready(Link *link, int onlink, int family, const union in_addr_union *gw) { -+ assert(link); -+ assert(gw); -+ -+ if (onlink > 0) -+ return true; -+ -+ if (!in_addr_is_set(family, gw)) -+ return true; -+ -+ if (family == AF_INET6 && in6_addr_is_link_local(&gw->in6)) -+ return true; -+ -+ return link_address_is_reachable(link, family, gw); -+} -+ - static int route_is_ready_to_configure(const Route *route, Link *link) { - MultipathRoute *m; - NextHop *nh = NULL; -@@ -1735,19 +1750,13 @@ static int route_is_ready_to_configure(const Route *route, Link *link) { - return r; - } - -- if (route->gateway_onlink <= 0 && -- in_addr_is_set(route->gw_family, &route->gw) > 0 && -- !manager_address_is_reachable(link->manager, route->gw_family, &route->gw)) -+ if (!gateway_is_ready(link, route->gateway_onlink, route->gw_family, &route->gw)) - return false; - - ORDERED_SET_FOREACH(m, route->multipath_routes) { - union in_addr_union a = m->gateway.address; - Link *l = NULL; - -- if (route->gateway_onlink <= 0 && -- !manager_address_is_reachable(link->manager, m->gateway.family, &a)) -- return false; -- - if (m->ifname) { - if (link_get_by_name(link->manager, m->ifname, &l) < 0) - return false; -@@ -1759,6 +1768,9 @@ static int route_is_ready_to_configure(const Route *route, Link *link) { - } - if (l && !link_is_ready_to_configure(l, true)) - return false; -+ -+ if (!gateway_is_ready(l ?: link, route->gateway_onlink, m->gateway.family, &a)) -+ return false; - } - - return true; -diff --git a/src/network/networkd-route.h b/src/network/networkd-route.h -index 2d262819ad..235a91f08d 100644 ---- a/src/network/networkd-route.h -+++ b/src/network/networkd-route.h -@@ -78,8 +78,8 @@ int route_configure_handler_internal(sd_netlink *rtnl, sd_netlink_message *m, Li - int route_remove(const Route *route, Manager *manager, Link *link); - - int link_has_route(Link *link, const Route *route); --bool manager_address_is_reachable(Manager *manager, int family, const union in_addr_union *address); - int manager_find_uplink(Manager *m, int family, Link *exclude, Link **ret); -+bool gateway_is_ready(Link *link, int onlink, int family, const union in_addr_union *gw); - - int link_drop_routes(Link *link); - int link_drop_foreign_routes(Link *link); --- -2.33.0 - diff --git a/backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch b/backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch deleted file mode 100644 index d40fbba..0000000 --- a/backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch +++ /dev/null @@ -1,32 +0,0 @@ -From fc88dc07544978b1bda9c192481a07d43d384f81 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 7 Sep 2021 21:46:50 +0900 -Subject: [PATCH] network: fix wrong flag: manage_foreign_routes -> - manage_foreign_rules - -Fixes a bug in d94dfe7053d49fa62c4bfc07b7f3fc2227c10aff. - -(cherry picked from commit 771a36439e955906290afc16a6fb3b10401892cf) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/fc88dc07544978b1bda9c192481a07d43d384f81 ---- - src/network/networkd-routing-policy-rule.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c -index 03ccbd8e85..b7e0fd779d 100644 ---- a/src/network/networkd-routing-policy-rule.c -+++ b/src/network/networkd-routing-policy-rule.c -@@ -1115,7 +1115,7 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man - r = routing_policy_rule_update_priority(rule, tmp->priority); - if (r < 0) - log_warning_errno(r, "Failed to update priority of remembered routing policy rule, ignoring: %m"); -- } else if (!m->manage_foreign_routes) -+ } else if (!m->manage_foreign_rules) - log_routing_policy_rule_debug(tmp, "Ignoring received foreign", NULL, m); - else { - log_routing_policy_rule_debug(tmp, "Remembering foreign", NULL, m); --- -2.33.0 - diff --git a/backport-network-ignore-errors-on-setting-bridge-config.patch b/backport-network-ignore-errors-on-setting-bridge-config.patch deleted file mode 100644 index 33d26bd..0000000 --- a/backport-network-ignore-errors-on-setting-bridge-config.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 0c136b86d6c32445c6b503c87ba5fa348f34e22b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 4 Aug 2021 13:53:21 +0900 -Subject: [PATCH] network: ignore errors on setting bridge config - -For some setups, kernel refuses to set bridge configs with -EOPNOTSUPP. -See kernel's rtnl_bridge_setlink() in net/core/rtnetlink.c. - -Fixes #20373. - -(cherry picked from commit 1171f3f030319155914c2bb90655f46653f88cbf) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0c136b86d6c32445c6b503c87ba5fa348f34e22b ---- - src/network/networkd-setlink.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c -index fa1dd9b3ba..8130bb6bcc 100644 ---- a/src/network/networkd-setlink.c -+++ b/src/network/networkd-setlink.c -@@ -124,7 +124,7 @@ static int link_set_bond_handler(sd_netlink *rtnl, sd_netlink_message *m, Link * - } - - static int link_set_bridge_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -- return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, /* ignore = */ false, NULL); -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, /* ignore = */ true, NULL); - } - - static int link_set_bridge_vlan_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { --- -2.33.0 - diff --git a/backport-network-ignore-errors-on-unsetting-master-ifindex.patch b/backport-network-ignore-errors-on-unsetting-master-ifindex.patch deleted file mode 100644 index 1090eca..0000000 --- a/backport-network-ignore-errors-on-unsetting-master-ifindex.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 090378dcb1de5ca66900503210e85d63075fa70a Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 5 Aug 2021 00:10:52 +0900 -Subject: [PATCH] network: ignore errors on unsetting master ifindex - -Fixes #20241. - -(cherry picked from commit c347a98272bd1b81682c266b9720fad107b96ab0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/090378dcb1de5ca66900503210e85d63075fa70a ---- - src/network/networkd-setlink.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c -index 8130bb6bcc..10c312c480 100644 ---- a/src/network/networkd-setlink.c -+++ b/src/network/networkd-setlink.c -@@ -95,9 +95,16 @@ static int set_link_handler_internal( - return 1; - - on_error: -- if (op == SET_LINK_FLAGS) { -+ switch (op) { -+ case SET_LINK_FLAGS: - assert(link->set_flags_messages > 0); - link->set_flags_messages--; -+ break; -+ case SET_LINK_MASTER: -+ link->master_set = true; -+ break; -+ default: -+ break; - } - - return 0; -@@ -183,6 +190,11 @@ static int link_set_master_handler(sd_netlink *rtnl, sd_netlink_message *m, Link - return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, /* ignore = */ false, get_link_master_handler); - } - -+static int link_unset_master_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { -+ /* Some devices do not support setting master ifindex. Let's ignore error on unsetting master ifindex. */ -+ return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, /* ignore = */ true, get_link_master_handler); -+} -+ - static int link_set_mtu_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { - int r; - -@@ -745,10 +757,14 @@ int link_request_to_set_mac(Link *link, bool allow_retry) { - - int link_request_to_set_master(Link *link) { - assert(link); -+ assert(link->network); - - link->master_set = false; - -- return link_request_set_link(link, SET_LINK_MASTER, link_set_master_handler, NULL); -+ if (link->network->batadv || link->network->bond || link->network->bridge || link->network->vrf) -+ return link_request_set_link(link, SET_LINK_MASTER, link_set_master_handler, NULL); -+ else -+ return link_request_set_link(link, SET_LINK_MASTER, link_unset_master_handler, NULL); - } - - int link_request_to_set_mtu(Link *link, uint32_t mtu) { --- -2.33.0 - diff --git a/backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch b/backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch deleted file mode 100644 index 7dd72a9..0000000 --- a/backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 133354a3b9fc7b88fb143f241cfc4565b943ae87 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alvin=20=C5=A0ipraga?= -Date: Tue, 31 Aug 2021 14:17:33 +0200 -Subject: [PATCH] network: print Ethernet Link-Layer DHCP client ID with - leading 0's - -This is a small cosmetic change. - -Before: - - Offered DHCP leases: 192.168.0.183 (to 0:9:a7:36:bc:89) - -After: - - Offered DHCP leases: 192.168.0.183 (to 00:09:a7:36:bc:89) - -(cherry picked from commit 8e664ab6ecc9c420d2151f14b36824aecc76d8ac) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/133354a3b9fc7b88fb143f241cfc4565b943ae87 ---- - src/libsystemd-network/sd-dhcp-client.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c -index dc8ff19d1a..030b50cf2a 100644 ---- a/src/libsystemd-network/sd-dhcp-client.c -+++ b/src/libsystemd-network/sd-dhcp-client.c -@@ -192,7 +192,7 @@ int sd_dhcp_client_id_to_string(const void *data, size_t len, char **ret) { - if (len != sizeof_field(sd_dhcp_client_id, eth)) - return -EINVAL; - -- r = asprintf(&t, "%x:%x:%x:%x:%x:%x", -+ r = asprintf(&t, "%02x:%02x:%02x:%02x:%02x:%02x", - client_id->eth.haddr[0], - client_id->eth.haddr[1], - client_id->eth.haddr[2], --- -2.33.0 - diff --git a/backport-network-route-fix-possible-overflow-in-conversion-us.patch b/backport-network-route-fix-possible-overflow-in-conversion-us.patch deleted file mode 100644 index ea7bb01..0000000 --- a/backport-network-route-fix-possible-overflow-in-conversion-us.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 7a9b38919302e98cebc2c6233fd09d0c07ae41dc Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 15 Oct 2021 10:06:25 +0900 -Subject: [PATCH] network: route: fix possible overflow in conversion usec_t -> - uint32_t - -(cherry picked from commit ff43dddab7260c9220eaea2a545514772c0e581f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7a9b38919302e98cebc2c6233fd09d0c07ae41dc ---- - src/network/networkd-route.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c -index 791fd64c39..eeba31c45d 100644 ---- a/src/network/networkd-route.c -+++ b/src/network/networkd-route.c -@@ -1537,7 +1537,7 @@ static int route_configure( - - if (route->lifetime != USEC_INFINITY && kernel_route_expiration_supported()) { - r = sd_netlink_message_append_u32(req, RTA_EXPIRES, -- DIV_ROUND_UP(usec_sub_unsigned(route->lifetime, now(clock_boottime_or_monotonic())), USEC_PER_SEC)); -+ MIN(DIV_ROUND_UP(usec_sub_unsigned(route->lifetime, now(clock_boottime_or_monotonic())), USEC_PER_SEC), UINT32_MAX)); - if (r < 0) - return log_link_error_errno(link, r, "Could not append RTA_EXPIRES attribute: %m"); - } --- -2.33.0 - diff --git a/backport-network-use-address_equal-route_equal-to-compare-add.patch b/backport-network-use-address_equal-route_equal-to-compare-add.patch deleted file mode 100644 index 4232212..0000000 --- a/backport-network-use-address_equal-route_equal-to-compare-add.patch +++ /dev/null @@ -1,68 +0,0 @@ -From ea4d7828fe525201ffb98ff2a31fde8a12e0a4c4 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 4 Aug 2021 13:14:03 +0900 -Subject: [PATCH] network: use address_equal()/route_equal() to compare - addresses or routes configured by NDisc - -Fixes #20244. - -(cherry picked from commit 10e417b3eac03c1bcd0b5f3d5c24291ac644e164) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ea4d7828fe525201ffb98ff2a31fde8a12e0a4c4 ---- - src/network/networkd-address.c | 2 +- - src/network/networkd-route.c | 4 ++-- - src/network/networkd-route.h | 1 + - 3 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c -index 35305aff99..6b2230b725 100644 ---- a/src/network/networkd-address.c -+++ b/src/network/networkd-address.c -@@ -165,7 +165,7 @@ Address *address_free(Address *address) { - set_remove(address->link->dhcp6_pd_addresses, address); - set_remove(address->link->dhcp6_pd_addresses_old, address); - SET_FOREACH(n, address->link->ndisc_addresses) -- if (n->address == address) -+ if (address_equal(n->address, address)) - free(set_remove(address->link->ndisc_addresses, n)); - - if (address->family == AF_INET6 && -diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c -index 7b36b48141..77a93beca9 100644 ---- a/src/network/networkd-route.c -+++ b/src/network/networkd-route.c -@@ -279,7 +279,7 @@ Route *route_free(Route *route) { - set_remove(route->link->dhcp6_pd_routes, route); - set_remove(route->link->dhcp6_pd_routes_old, route); - SET_FOREACH(n, route->link->ndisc_routes) -- if (n->route == route) -+ if (route_equal(n->route, route)) - free(set_remove(route->link->ndisc_routes, n)); - } - -@@ -435,7 +435,7 @@ DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR( - route_compare_func, - route_free); - --static bool route_equal(const Route *r1, const Route *r2) { -+bool route_equal(const Route *r1, const Route *r2) { - if (r1 == r2) - return true; - -diff --git a/src/network/networkd-route.h b/src/network/networkd-route.h -index fa0b3ba0fc..2d262819ad 100644 ---- a/src/network/networkd-route.h -+++ b/src/network/networkd-route.h -@@ -66,6 +66,7 @@ typedef struct Route { - - void route_hash_func(const Route *route, struct siphash *state); - int route_compare_func(const Route *a, const Route *b); -+bool route_equal(const Route *r1, const Route *r2); - extern const struct hash_ops route_hash_ops; - - int route_new(Route **ret); --- -2.33.0 - diff --git a/backport-network-use-monotonic-instead-of-boot-time-to-handle.patch b/backport-network-use-monotonic-instead-of-boot-time-to-handle.patch deleted file mode 100644 index 8c8e824..0000000 --- a/backport-network-use-monotonic-instead-of-boot-time-to-handle.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 171daf2dc084fab16c0696b139b1af3f0ab9d9f0 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 6 Aug 2021 19:37:16 +0900 -Subject: [PATCH] network: use monotonic instead of boot time to handle address - creation/update timestamp - -Follow-up for 25db3aeaf32ba95bad5e765720ebc23c8ef77a99 and 899034ba8167bd16e802cfbea29a9ee85dee5be5. - -Fixes another issue in #20244. - -(cherry picked from commit 5865dc1493e5519549d24fef23a2ce5c812eca32) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/171daf2dc084fab16c0696b139b1af3f0ab9d9f0 ---- - src/network/networkd-ndisc.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c -index efc4707855..e3705bfed5 100644 ---- a/src/network/networkd-ndisc.c -+++ b/src/network/networkd-ndisc.c -@@ -765,7 +765,9 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r - assert(link); - assert(rt); - -- r = sd_ndisc_router_get_timestamp(rt, clock_boottime_or_monotonic(), &time_now); -+ /* Do not use clock_boottime_or_monotonic() here, as the kernel internally manages cstamp and -+ * tstamp with jiffies, and it is not increased while the system is suspended. */ -+ r = sd_ndisc_router_get_timestamp(rt, CLOCK_MONOTONIC, &time_now); - if (r < 0) - return log_link_error_errno(link, r, "Failed to get RA timestamp: %m"); - --- -2.33.0 - diff --git a/backport-networkd-Include-linux-netdevice.h-header.patch b/backport-networkd-Include-linux-netdevice.h-header.patch deleted file mode 100644 index 4be2aed..0000000 --- a/backport-networkd-Include-linux-netdevice.h-header.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 898949f71513da918c4aa94a0681fbc6b868e00f Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Mon, 26 Jul 2021 10:58:46 -0700 -Subject: [PATCH] networkd: Include linux/netdevice.h header -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This header provides definitions for NET_NAME_UNKNOWN Ã¥nd NET_NAME_ENUM -Fixes build issue found with non-glibc systems - -../git/src/network/networkd-link.c:1203:52: error: 'NET_NAME_UNKNOWN' undeclared (first use in this function) - -Signed-off-by: Khem Raj -(cherry picked from commit 2a0d07d6a0d5be63c6c10cb0789412f584858ec1) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/898949f71513da918c4aa94a0681fbc6b868e00f ---- - src/network/networkd-link.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index c1ab14ebec..9421ce1aa6 100644 ---- a/src/network/networkd-link.c -+++ b/src/network/networkd-link.c -@@ -4,6 +4,7 @@ - #include - #include - #include -+#include - #include - #include - --- -2.33.0 - diff --git a/backport-nspawn-fix-type-to-pass-to-connect.patch b/backport-nspawn-fix-type-to-pass-to-connect.patch deleted file mode 100644 index a9f689e..0000000 --- a/backport-nspawn-fix-type-to-pass-to-connect.patch +++ /dev/null @@ -1,34 +0,0 @@ -From caa0827ca920617dc54e62be1ff8422ad9ce2d3a Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 1 Sep 2021 14:41:37 +0200 -Subject: [PATCH] nspawn: fix type to pass to connect() - -It expects a generic "struct sockaddr", not a "struct sockaddr_un". -Pass the right member of the union. - -Not sure why gcc/llvm never complained about this... - -(cherry picked from commit 32b9736a230d47b73babcc5cfa27d672bb721bd0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/caa0827ca920617dc54e62be1ff8422ad9ce2d3a ---- - src/nspawn/nspawn.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index 04685fecba..575b9da447 100644 ---- a/src/nspawn/nspawn.c -+++ b/src/nspawn/nspawn.c -@@ -5354,7 +5354,7 @@ static int cant_be_in_netns(void) { - if (fd < 0) - return log_error_errno(errno, "Failed to allocate udev control socket: %m"); - -- if (connect(fd, &sa.un, SOCKADDR_UN_LEN(sa.un)) < 0) { -+ if (connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) { - - if (errno == ENOENT || ERRNO_IS_DISCONNECT(errno)) - return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), --- -2.33.0 - diff --git a/backport-nspawn-guard-acl_free-with-a-NULL-check.patch b/backport-nspawn-guard-acl_free-with-a-NULL-check.patch deleted file mode 100644 index 585e12e..0000000 --- a/backport-nspawn-guard-acl_free-with-a-NULL-check.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 1d0921354ab975910c44ac0d646661323bca8717 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 6 Jan 2023 12:30:36 +0100 -Subject: [PATCH] nspawn: guard acl_free() with a NULL check - -Inspired by #25957 there's one other place where we don't guard -acl_free() calls with a NULL check. - -Fix that. - -(cherry picked from commit 34680637e838415204850f77c93ca6ca219abaf1) -(cherry picked from commit 4dabf90526d4573144a51bdd87c1203b25265b33) -(cherry picked from commit d8b4ac7a1783a29435cb3dfee3dfdee37c1b1ac8) -(cherry picked from commit 3a9fe8e7687ed3b2b563c6b2237d2b62a79f79e6) ---- - src/nspawn/nspawn-patch-uid.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/nspawn/nspawn-patch-uid.c b/src/nspawn/nspawn-patch-uid.c -index 785332e091..321caf066b 100644 ---- a/src/nspawn/nspawn-patch-uid.c -+++ b/src/nspawn/nspawn-patch-uid.c -@@ -189,7 +189,9 @@ static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shi - - if (S_ISDIR(st->st_mode)) { - acl_free(acl); -- acl_free(shifted); -+ -+ if (shifted) -+ acl_free(shifted); - - acl = shifted = NULL; - --- -2.27.0 - diff --git a/backport-nss-drop-dummy-setup_logging-helpers.patch b/backport-nss-drop-dummy-setup_logging-helpers.patch deleted file mode 100644 index f2e296d..0000000 --- a/backport-nss-drop-dummy-setup_logging-helpers.patch +++ /dev/null @@ -1,61 +0,0 @@ -From da98ffd65aa29ee968a4f4379f5c8e06bf2d58f4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 11 Jan 2022 13:23:27 +0100 -Subject: [PATCH] nss: drop dummy setup_logging() helpers - -log_parse_environment() stopped being a macro in 9fdee66f2d9. -As reported by @bauen1 in https://github.com/systemd/systemd/issues/22020, -the comment was out of date. - -(cherry picked from commit 56a5f4969b96529c82ec8cc08db4fa8e9c61e7b9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/da98ffd65aa29ee968a4f4379f5c8e06bf2d58f4 ---- - src/nss-mymachines/nss-mymachines.c | 7 +------ - src/nss-systemd/nss-systemd.c | 7 +------ - 2 files changed, 2 insertions(+), 12 deletions(-) - -diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c -index 44715bb3e5..781fd48d72 100644 ---- a/src/nss-mymachines/nss-mymachines.c -+++ b/src/nss-mymachines/nss-mymachines.c -@@ -22,14 +22,9 @@ - #include "signal-util.h" - #include "string-util.h" - --static void setup_logging(void) { -- /* We need a dummy function because log_parse_environment is a macro. */ -- log_parse_environment(); --} -- - static void setup_logging_once(void) { - static pthread_once_t once = PTHREAD_ONCE_INIT; -- assert_se(pthread_once(&once, setup_logging) == 0); -+ assert_se(pthread_once(&once, log_parse_environment) == 0); - } - - #define NSS_ENTRYPOINT_BEGIN \ -diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c -index 36486b96e3..c6c00c40e6 100644 ---- a/src/nss-systemd/nss-systemd.c -+++ b/src/nss-systemd/nss-systemd.c -@@ -116,14 +116,9 @@ static GetentData getsgent_data = { - .mutex = PTHREAD_MUTEX_INITIALIZER, - }; - --static void setup_logging(void) { -- /* We need a dummy function because log_parse_environment is a macro. */ -- log_parse_environment(); --} -- - static void setup_logging_once(void) { - static pthread_once_t once = PTHREAD_ONCE_INIT; -- assert_se(pthread_once(&once, setup_logging) == 0); -+ assert_se(pthread_once(&once, log_parse_environment) == 0); - } - - #define NSS_ENTRYPOINT_BEGIN \ --- -2.33.0 - diff --git a/backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch b/backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch deleted file mode 100644 index a7007ab..0000000 --- a/backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 05189e8c961c6b4ac8ef79c8911cb56965a5034f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 31 Dec 2021 09:13:00 +0900 -Subject: [PATCH] nss-myhostname: do not apply non-zero offset to null pointer - -Fixes https://github.com/systemd/systemd/issues/21935#issuecomment-1003216503. - -(cherry picked from commit 92e9df9ca031b9b04487a46afd986ab3122183fd) -(cherry picked from commit a473bfb4332ad6b0a0894135c4de0f8cc324d378) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/05189e8c961c6b4ac8ef79c8911cb56965a5034f ---- - src/nss-myhostname/nss-myhostname.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/nss-myhostname/nss-myhostname.c b/src/nss-myhostname/nss-myhostname.c -index 3536c5fc83..67b1554d27 100644 ---- a/src/nss-myhostname/nss-myhostname.c -+++ b/src/nss-myhostname/nss-myhostname.c -@@ -39,10 +39,8 @@ enum nss_status _nss_myhostname_gethostbyname4_r( - const char *canonical = NULL; - int n_addresses = 0; - uint32_t local_address_ipv4; -- struct local_address *a; - size_t l, idx, ms; - char *r_name; -- unsigned n; - - PROTECT_ERRNO; - BLOCK_SIGNALS(NSS_SIGNALS_BLOCK); -@@ -136,7 +134,9 @@ enum nss_status _nss_myhostname_gethostbyname4_r( - } - - /* Fourth, fill actual addresses in, but in backwards order */ -- for (a = addresses + n_addresses - 1, n = 0; (int) n < n_addresses; n++, a--) { -+ for (int i = n_addresses; i > 0; i--) { -+ struct local_address *a = addresses + i - 1; -+ - r_tuple = (struct gaih_addrtuple*) (buffer + idx); - r_tuple->next = r_tuple_prev; - r_tuple->name = r_name; --- -2.33.0 - diff --git a/backport-nss-only-read-logging-config-from-environment-variab.patch b/backport-nss-only-read-logging-config-from-environment-variab.patch deleted file mode 100644 index 45ed5e5..0000000 --- a/backport-nss-only-read-logging-config-from-environment-variab.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 9e29d13926b62c10d931d287b30b7874872bfe39 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 11 Jan 2022 13:36:39 +0100 -Subject: [PATCH] nss: only read logging config from environment variables - -log_parse_environment() uses should_parse_proc_cmdline() to determine whether -it should parse settings from the kernel command line. But the checks that -should_parse_proc_cmdline() apply to the whole process, and we could get a positive -answer also when log_parse_environment() was called from one of the nss modules. -In case of nss-modules, we don't want to look at the kernel command line. - -log_parse_environment_variables() that only looks at the environment variables -is split out and used in the nss modules. - -Fixes #22020. - -(cherry picked from commit a7d15a24659770b0fa9f4cd26fc7bbb17765cbb7) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9e29d13926b62c10d931d287b30b7874872bfe39 ---- - src/basic/log.c | 16 ++++++++++------ - src/basic/log.h | 1 + - src/nss-mymachines/nss-mymachines.c | 2 +- - src/nss-resolve/nss-resolve.c | 2 +- - src/nss-systemd/nss-systemd.c | 2 +- - 5 files changed, 14 insertions(+), 9 deletions(-) - -diff --git a/src/basic/log.c b/src/basic/log.c -index fb183ea9e7..1d68b49963 100644 ---- a/src/basic/log.c -+++ b/src/basic/log.c -@@ -1189,14 +1189,9 @@ static bool should_parse_proc_cmdline(void) { - return getpid_cached() == p; - } - --void log_parse_environment(void) { -+void log_parse_environment_variables(void) { - const char *e; - -- /* Do not call from library code. */ -- -- if (should_parse_proc_cmdline()) -- (void) proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX); -- - e = getenv("SYSTEMD_LOG_TARGET"); - if (e && log_set_target_from_string(e) < 0) - log_warning("Failed to parse log target '%s'. Ignoring.", e); -@@ -1222,6 +1217,15 @@ void log_parse_environment(void) { - log_warning("Failed to parse log tid '%s'. Ignoring.", e); - } - -+void log_parse_environment(void) { -+ /* Do not call from library code. */ -+ -+ if (should_parse_proc_cmdline()) -+ (void) proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX); -+ -+ log_parse_environment_variables(); -+} -+ - LogTarget log_get_target(void) { - return log_target; - } -diff --git a/src/basic/log.h b/src/basic/log.h -index 8bfae8e0e5..3dbd01a75d 100644 ---- a/src/basic/log.h -+++ b/src/basic/log.h -@@ -69,6 +69,7 @@ int log_open(void); - void log_close(void); - void log_forget_fds(void); - -+void log_parse_environment_variables(void); - void log_parse_environment(void); - - int log_dispatch_internal( -diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c -index 781fd48d72..c64e79bdff 100644 ---- a/src/nss-mymachines/nss-mymachines.c -+++ b/src/nss-mymachines/nss-mymachines.c -@@ -24,7 +24,7 @@ - - static void setup_logging_once(void) { - static pthread_once_t once = PTHREAD_ONCE_INIT; -- assert_se(pthread_once(&once, log_parse_environment) == 0); -+ assert_se(pthread_once(&once, log_parse_environment_variables) == 0); - } - - #define NSS_ENTRYPOINT_BEGIN \ -diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c -index 4f54973202..dd2e5206e2 100644 ---- a/src/nss-resolve/nss-resolve.c -+++ b/src/nss-resolve/nss-resolve.c -@@ -22,7 +22,7 @@ - static JsonDispatchFlags json_dispatch_flags = 0; - - static void setup_logging(void) { -- log_parse_environment(); -+ log_parse_environment_variables(); - - if (DEBUG_LOGGING) - json_dispatch_flags = JSON_LOG; -diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c -index c6c00c40e6..e87f1d31b3 100644 ---- a/src/nss-systemd/nss-systemd.c -+++ b/src/nss-systemd/nss-systemd.c -@@ -118,7 +118,7 @@ static GetentData getsgent_data = { - - static void setup_logging_once(void) { - static pthread_once_t once = PTHREAD_ONCE_INIT; -- assert_se(pthread_once(&once, log_parse_environment) == 0); -+ assert_se(pthread_once(&once, log_parse_environment_variables) == 0); - } - - #define NSS_ENTRYPOINT_BEGIN \ --- -2.33.0 - diff --git a/backport-nss-systemd-ensure-returned-strings-point-into-provi.patch b/backport-nss-systemd-ensure-returned-strings-point-into-provi.patch deleted file mode 100644 index 4165a9c..0000000 --- a/backport-nss-systemd-ensure-returned-strings-point-into-provi.patch +++ /dev/null @@ -1,350 +0,0 @@ -From 055ba736e12255cf79acc81aac382344129d03c5 Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro -Date: Wed, 8 Sep 2021 16:51:16 -0500 -Subject: [PATCH] nss-systemd: ensure returned strings point into provided - buffer - -Jamie Bainbridge found an issue where glib's g_get_user_database_entry() -may crash after doing: - -``` -error = getpwnam_r (logname, &pwd, buffer, bufsize, &pw); -// ... -pw->pw_name[0] = g_ascii_toupper (pw->pw_name[0]); -``` - -in order to uppercase the first letter of the user's real name. This is -a glib bug, because there is a different codepath that gets the pwd from -vanilla getpwnam instead of getpwnam_r as shown here. When the pwd -struct is returned by getpwnam, its fields point to static data owned by -glibc/NSS, and so it must not be modified by the caller. After much -debugging, Jamie Bainbridge has fixed this in https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2244 -by making a copy of the data before modifying it, and that resolves all -problems for glib. Yay! - -However, glib is crashing even when getpwnam_r is used instead of -getpwnam! According to getpwnam_r(3), the strings in the pwd struct are -supposed to be pointers into the buffer passed by the caller, so glib -should be able to safely edit it directly in this case, so long as it -doesn't try to increase the size of any of the strings. - -Problem is various functions throughout nss-systemd.c return synthesized -records declared at the top of the file. These records are returned -directly and so contain pointers to static strings owned by -libsystemd-nss. systemd must instead copy all the strings into the -provided buffer. - -This crash is reproducible if nss-systemd is listed first on the passwd -line in /etc/nsswitch.conf, and the application looks up one of the -synthesized user accounts "root" or "nobody", and finally the -application attempts to edit one of the strings in the returned struct. -All our synthesized records for the other struct types have the same -problem, so this commit fixes them all at once. - -Fixes #20679 - -(cherry picked from commit 47fd7fa6c650d7a0ac41bc89747e3b866ffb9534) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/055ba736e12255cf79acc81aac382344129d03c5 ---- - src/nss-systemd/nss-systemd.c | 204 ++++++++++++++++++++++++++++------ - 1 file changed, 168 insertions(+), 36 deletions(-) - -diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c -index 1b0866109a..1840a0d508 100644 ---- a/src/nss-systemd/nss-systemd.c -+++ b/src/nss-systemd/nss-systemd.c -@@ -2,6 +2,7 @@ - - #include - #include -+#include - - #include "env-util.h" - #include "errno-util.h" -@@ -139,6 +140,155 @@ NSS_GRENT_PROTOTYPES(systemd); - NSS_SGENT_PROTOTYPES(systemd); - NSS_INITGROUPS_PROTOTYPE(systemd); - -+/* Since our NSS functions implement reentrant glibc APIs, we have to guarantee -+ * all the string pointers we return point into the buffer provided by the -+ * caller, not into our own static memory. */ -+ -+static enum nss_status copy_synthesized_passwd( -+ struct passwd *dest, -+ const struct passwd *src, -+ char *buffer, size_t buflen, -+ int *errnop) { -+ -+ size_t required; -+ -+ assert(dest); -+ assert(src); -+ assert(src->pw_name); -+ assert(src->pw_passwd); -+ assert(src->pw_gecos); -+ assert(src->pw_dir); -+ assert(src->pw_shell); -+ -+ required = strlen(src->pw_name) + 1; -+ required += strlen(src->pw_passwd) + 1; -+ required += strlen(src->pw_gecos) + 1; -+ required += strlen(src->pw_dir) + 1; -+ required += strlen(src->pw_shell) + 1; -+ -+ if (buflen < required) { -+ *errnop = ERANGE; -+ return NSS_STATUS_TRYAGAIN; -+ } -+ -+ assert(buffer); -+ -+ *dest = *src; -+ -+ /* String fields point into the user-provided buffer */ -+ dest->pw_name = buffer; -+ dest->pw_passwd = stpcpy(dest->pw_name, src->pw_name) + 1; -+ dest->pw_gecos = stpcpy(dest->pw_passwd, src->pw_passwd) + 1; -+ dest->pw_dir = stpcpy(dest->pw_gecos, src->pw_gecos) + 1; -+ dest->pw_shell = stpcpy(dest->pw_dir, src->pw_dir) + 1; -+ strcpy(dest->pw_shell, src->pw_shell); -+ -+ return NSS_STATUS_SUCCESS; -+} -+ -+static enum nss_status copy_synthesized_spwd( -+ struct spwd *dest, -+ const struct spwd *src, -+ char *buffer, size_t buflen, -+ int *errnop) { -+ -+ size_t required; -+ -+ assert(dest); -+ assert(src); -+ assert(src->sp_namp); -+ assert(src->sp_pwdp); -+ -+ required = strlen(src->sp_namp) + 1; -+ required += strlen(src->sp_pwdp) + 1; -+ -+ if (buflen < required) { -+ *errnop = ERANGE; -+ return NSS_STATUS_TRYAGAIN; -+ } -+ -+ assert(buffer); -+ -+ *dest = *src; -+ -+ /* String fields point into the user-provided buffer */ -+ dest->sp_namp = buffer; -+ dest->sp_pwdp = stpcpy(dest->sp_namp, src->sp_namp) + 1; -+ strcpy(dest->sp_pwdp, src->sp_pwdp); -+ -+ return NSS_STATUS_SUCCESS; -+} -+ -+static enum nss_status copy_synthesized_group( -+ struct group *dest, -+ const struct group *src, -+ char *buffer, size_t buflen, -+ int *errnop) { -+ -+ size_t required; -+ -+ assert(dest); -+ assert(src); -+ assert(src->gr_name); -+ assert(src->gr_passwd); -+ assert(src->gr_mem); -+ assert(!*src->gr_mem); /* Our synthesized records' gr_mem is always just NULL... */ -+ -+ required = strlen(src->gr_name) + 1; -+ required += strlen(src->gr_passwd) + 1; -+ required += 1; /* ...but that NULL still needs to be stored into the buffer! */ -+ -+ if (buflen < required) { -+ *errnop = ERANGE; -+ return NSS_STATUS_TRYAGAIN; -+ } -+ -+ assert(buffer); -+ -+ *dest = *src; -+ -+ /* String fields point into the user-provided buffer */ -+ dest->gr_name = buffer; -+ dest->gr_passwd = stpcpy(dest->gr_name, src->gr_name) + 1; -+ dest->gr_mem = (char **) strcpy(dest->gr_passwd, src->gr_passwd) + 1; -+ *dest->gr_mem = NULL; -+ -+ return NSS_STATUS_SUCCESS; -+} -+ -+static enum nss_status copy_synthesized_sgrp( -+ struct sgrp *dest, -+ const struct sgrp *src, -+ char *buffer, size_t buflen, -+ int *errnop) { -+ -+ size_t required; -+ -+ assert(dest); -+ assert(src); -+ assert(src->sg_namp); -+ assert(src->sg_passwd); -+ -+ required = strlen(src->sg_namp) + 1; -+ required += strlen(src->sg_passwd) + 1; -+ -+ if (buflen < required) { -+ *errnop = ERANGE; -+ return NSS_STATUS_TRYAGAIN; -+ } -+ -+ assert(buffer); -+ -+ *dest = *src; -+ -+ /* String fields point into the user-provided buffer */ -+ dest->sg_namp = buffer; -+ dest->sg_passwd = stpcpy(dest->sg_namp, src->sg_namp) + 1; -+ strcpy(dest->sg_passwd, src->sg_passwd); -+ -+ return NSS_STATUS_SUCCESS; -+} -+ - enum nss_status _nss_systemd_getpwnam_r( - const char *name, - struct passwd *pwd, -@@ -164,17 +314,14 @@ enum nss_status _nss_systemd_getpwnam_r( - /* Synthesize entries for the root and nobody users, in case they are missing in /etc/passwd */ - if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { - -- if (streq(name, root_passwd.pw_name)) { -- *pwd = root_passwd; -- return NSS_STATUS_SUCCESS; -- } -+ if (streq(name, root_passwd.pw_name)) -+ return copy_synthesized_passwd(pwd, &root_passwd, buffer, buflen, errnop); - - if (streq(name, nobody_passwd.pw_name)) { - if (!synthesize_nobody()) - return NSS_STATUS_NOTFOUND; - -- *pwd = nobody_passwd; -- return NSS_STATUS_SUCCESS; -+ return copy_synthesized_passwd(pwd, &nobody_passwd, buffer, buflen, errnop); - } - - } else if (STR_IN_SET(name, root_passwd.pw_name, nobody_passwd.pw_name)) -@@ -211,17 +358,14 @@ enum nss_status _nss_systemd_getpwuid_r( - /* Synthesize data for the root user and for nobody in case they are missing from /etc/passwd */ - if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { - -- if (uid == root_passwd.pw_uid) { -- *pwd = root_passwd; -- return NSS_STATUS_SUCCESS; -- } -+ if (uid == root_passwd.pw_uid) -+ return copy_synthesized_passwd(pwd, &root_passwd, buffer, buflen, errnop); - - if (uid == nobody_passwd.pw_uid) { - if (!synthesize_nobody()) - return NSS_STATUS_NOTFOUND; - -- *pwd = nobody_passwd; -- return NSS_STATUS_SUCCESS; -+ return copy_synthesized_passwd(pwd, &nobody_passwd, buffer, buflen, errnop); - } - - } else if (uid == root_passwd.pw_uid || uid == nobody_passwd.pw_uid) -@@ -259,17 +403,14 @@ enum nss_status _nss_systemd_getspnam_r( - /* Synthesize entries for the root and nobody users, in case they are missing in /etc/passwd */ - if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { - -- if (streq(name, root_spwd.sp_namp)) { -- *spwd = root_spwd; -- return NSS_STATUS_SUCCESS; -- } -+ if (streq(name, root_spwd.sp_namp)) -+ return copy_synthesized_spwd(spwd, &root_spwd, buffer, buflen, errnop); - - if (streq(name, nobody_spwd.sp_namp)) { - if (!synthesize_nobody()) - return NSS_STATUS_NOTFOUND; - -- *spwd = nobody_spwd; -- return NSS_STATUS_SUCCESS; -+ return copy_synthesized_spwd(spwd, &nobody_spwd, buffer, buflen, errnop); - } - - } else if (STR_IN_SET(name, root_spwd.sp_namp, nobody_spwd.sp_namp)) -@@ -309,17 +450,14 @@ enum nss_status _nss_systemd_getgrnam_r( - /* Synthesize records for root and nobody, in case they are missing from /etc/group */ - if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { - -- if (streq(name, root_group.gr_name)) { -- *gr = root_group; -- return NSS_STATUS_SUCCESS; -- } -+ if (streq(name, root_group.gr_name)) -+ return copy_synthesized_group(gr, &root_group, buffer, buflen, errnop); - - if (streq(name, nobody_group.gr_name)) { - if (!synthesize_nobody()) - return NSS_STATUS_NOTFOUND; - -- *gr = nobody_group; -- return NSS_STATUS_SUCCESS; -+ return copy_synthesized_group(gr, &nobody_group, buffer, buflen, errnop); - } - - } else if (STR_IN_SET(name, root_group.gr_name, nobody_group.gr_name)) -@@ -356,17 +494,14 @@ enum nss_status _nss_systemd_getgrgid_r( - /* Synthesize records for root and nobody, in case they are missing from /etc/group */ - if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { - -- if (gid == root_group.gr_gid) { -- *gr = root_group; -- return NSS_STATUS_SUCCESS; -- } -+ if (gid == root_group.gr_gid) -+ return copy_synthesized_group(gr, &root_group, buffer, buflen, errnop); - - if (gid == nobody_group.gr_gid) { - if (!synthesize_nobody()) - return NSS_STATUS_NOTFOUND; - -- *gr = nobody_group; -- return NSS_STATUS_SUCCESS; -+ return copy_synthesized_group(gr, &nobody_group, buffer, buflen, errnop); - } - - } else if (gid == root_group.gr_gid || gid == nobody_group.gr_gid) -@@ -404,17 +539,14 @@ enum nss_status _nss_systemd_getsgnam_r( - /* Synthesize records for root and nobody, in case they are missing from /etc/group */ - if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { - -- if (streq(name, root_sgrp.sg_namp)) { -- *sgrp = root_sgrp; -- return NSS_STATUS_SUCCESS; -- } -+ if (streq(name, root_sgrp.sg_namp)) -+ return copy_synthesized_sgrp(sgrp, &root_sgrp, buffer, buflen, errnop); - - if (streq(name, nobody_sgrp.sg_namp)) { - if (!synthesize_nobody()) - return NSS_STATUS_NOTFOUND; - -- *sgrp = nobody_sgrp; -- return NSS_STATUS_SUCCESS; -+ return copy_synthesized_sgrp(sgrp, &nobody_sgrp, buffer, buflen, errnop); - } - - } else if (STR_IN_SET(name, root_sgrp.sg_namp, nobody_sgrp.sg_namp)) --- -2.33.0 - diff --git a/backport-nss-systemd-fix-alignment-of-gr_mem.patch b/backport-nss-systemd-fix-alignment-of-gr_mem.patch deleted file mode 100644 index fca306b..0000000 --- a/backport-nss-systemd-fix-alignment-of-gr_mem.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 649e83bb995eb067cce3e70f50e5d3ab54c9d47d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 31 Dec 2021 06:59:42 +0900 -Subject: [PATCH] nss-systemd: fix alignment of gr_mem - -Follow-up for 1e65eb8f9b7d567462030b2e625998d77677e636. - -Fixes #21935. - -(cherry picked from commit 420a35c1fadfb4d67be6316436233d98b5688de5) -(cherry picked from commit 9c8bc0451ab2393f3b9b689e46e1b05e9f6dad35) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/649e83bb995eb067cce3e70f50e5d3ab54c9d47d ---- - src/nss-systemd/nss-systemd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c -index 7aea3652c4..36486b96e3 100644 ---- a/src/nss-systemd/nss-systemd.c -+++ b/src/nss-systemd/nss-systemd.c -@@ -238,7 +238,7 @@ static enum nss_status copy_synthesized_group( - required += strlen(src->gr_passwd) + 1; - required += sizeof(char*); /* ...but that NULL still needs to be stored into the buffer! */ - -- if (buflen < required) { -+ if (buflen < ALIGN(required)) { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } -@@ -250,7 +250,7 @@ static enum nss_status copy_synthesized_group( - /* String fields point into the user-provided buffer */ - dest->gr_name = buffer; - dest->gr_passwd = stpcpy(dest->gr_name, src->gr_name) + 1; -- dest->gr_mem = (char **) stpcpy(dest->gr_passwd, src->gr_passwd) + 1; -+ dest->gr_mem = ALIGN_PTR(stpcpy(dest->gr_passwd, src->gr_passwd) + 1); - *dest->gr_mem = NULL; - - return NSS_STATUS_SUCCESS; --- -2.33.0 - diff --git a/backport-nss-systemd-fix-required-buffer-size-calculation.patch b/backport-nss-systemd-fix-required-buffer-size-calculation.patch deleted file mode 100644 index fa0220f..0000000 --- a/backport-nss-systemd-fix-required-buffer-size-calculation.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 5f78618a44a21197e727cd1c62da5aa8bf7e0610 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 31 Dec 2021 00:31:51 +0900 -Subject: [PATCH] nss-systemd: fix required buffer size calculation - -This also fixes the pointer assigned to the gr_mem element of struct group. - -Fixes a bug introduced by 47fd7fa6c650d7a0ac41bc89747e3b866ffb9534. - -Fixes #21935. - -(cherry picked from commit 1e65eb8f9b7d567462030b2e625998d77677e636) -(cherry picked from commit 17227e81ab8a9bdfac679d450ed35434435a6ff8) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5f78618a44a21197e727cd1c62da5aa8bf7e0610 ---- - src/nss-systemd/nss-systemd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c -index 1840a0d508..7aea3652c4 100644 ---- a/src/nss-systemd/nss-systemd.c -+++ b/src/nss-systemd/nss-systemd.c -@@ -236,7 +236,7 @@ static enum nss_status copy_synthesized_group( - - required = strlen(src->gr_name) + 1; - required += strlen(src->gr_passwd) + 1; -- required += 1; /* ...but that NULL still needs to be stored into the buffer! */ -+ required += sizeof(char*); /* ...but that NULL still needs to be stored into the buffer! */ - - if (buflen < required) { - *errnop = ERANGE; -@@ -250,7 +250,7 @@ static enum nss_status copy_synthesized_group( - /* String fields point into the user-provided buffer */ - dest->gr_name = buffer; - dest->gr_passwd = stpcpy(dest->gr_name, src->gr_name) + 1; -- dest->gr_mem = (char **) strcpy(dest->gr_passwd, src->gr_passwd) + 1; -+ dest->gr_mem = (char **) stpcpy(dest->gr_passwd, src->gr_passwd) + 1; - *dest->gr_mem = NULL; - - return NSS_STATUS_SUCCESS; --- -2.33.0 - diff --git a/backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch b/backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch deleted file mode 100644 index ebee877..0000000 --- a/backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 84313bc5a262e87f49d176db169e1562d7060b33 Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro -Date: Wed, 8 Sep 2021 13:42:16 -0500 -Subject: [PATCH] nss-systemd: pack pw_passwd result into supplied buffer - -getpwnam_r() guarantees that the strings in the struct passwd that it -returns are pointers into the buffer allocated by the application and -passed to getpwnam_r(). This means applications may choose to modify the -strings in place, as long as the length of the strings is not increased. -So it's wrong for us to return a static string here, we really do have -to copy it into the application-provided buffer like we do for all the -other strings. - -This is only a theoretical problem since it would be very weird for an -application to modify the pw_passwd field, but I spotted this when -investigating a similar crash caused by glib editing a different field. -See also: - -https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2244 -(cherry picked from commit 92b264676ccd79c89da270aabc1ec466fa18cd0d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/84313bc5a262e87f49d176db169e1562d7060b33 ---- - src/nss-systemd/userdb-glue.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c -index a55790f641..c865ff0d82 100644 ---- a/src/nss-systemd/userdb-glue.c -+++ b/src/nss-systemd/userdb-glue.c -@@ -35,6 +35,8 @@ int nss_pack_user_record( - assert(hr->user_name); - required = strlen(hr->user_name) + 1; - -+ required += 2; /* strlen(PASSWORD_SEE_SHADOW) + 1 */ -+ - assert_se(rn = user_record_real_name(hr)); - required += strlen(rn) + 1; - -@@ -51,12 +53,12 @@ int nss_pack_user_record( - .pw_name = buffer, - .pw_uid = hr->uid, - .pw_gid = user_record_gid(hr), -- .pw_passwd = (char*) PASSWORD_SEE_SHADOW, - }; - - assert(buffer); - -- pwd->pw_gecos = stpcpy(pwd->pw_name, hr->user_name) + 1; -+ pwd->pw_passwd = stpcpy(pwd->pw_name, hr->user_name) + 1; -+ pwd->pw_gecos = stpcpy(pwd->pw_passwd, PASSWORD_SEE_SHADOW) + 1; - pwd->pw_dir = stpcpy(pwd->pw_gecos, rn) + 1; - pwd->pw_shell = stpcpy(pwd->pw_dir, hd) + 1; - strcpy(pwd->pw_shell, shell); --- -2.33.0 - diff --git a/backport-oomd-fix-race-with-path-unavailability-when-killing-.patch b/backport-oomd-fix-race-with-path-unavailability-when-killing-.patch deleted file mode 100644 index 095f7e7..0000000 --- a/backport-oomd-fix-race-with-path-unavailability-when-killing-.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 1656ad6fd17e5be6504785bf94495437bcf453cb Mon Sep 17 00:00:00 2001 -From: Anita Zhang -Date: Wed, 19 Jan 2022 10:40:46 -0800 -Subject: [PATCH] oomd: fix race with path unavailability when killing cgroups - -There can be a situation where systemd-oomd would kill all of the processes -in a cgroup, pid1 would clean up that cgroup, and systemd-oomd would get -ENODEV trying to iterate the cgroup a final time to ensure it was empty. -systemd-oomd sees this as an error and immediately picks a new candidate even -though pressure may have recovered. To counter this, check and handle -path unavailability errnos specially. - -Fixes: #22030 -(cherry picked from commit 2ee209466bb51f39ae9df7fec4d5594ce8cfa3f0) -(cherry picked from commit 0456e3aaaae7c21a037f4d3c758463c3ba4d167c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1656ad6fd17e5be6504785bf94495437bcf453cb ---- - src/oom/oomd-util.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c -index b2a48acb1f..503ede9a9f 100644 ---- a/src/oom/oomd-util.c -+++ b/src/oom/oomd-util.c -@@ -196,7 +196,14 @@ int oomd_cgroup_kill(const char *path, bool recurse, bool dry_run) { - r = cg_kill_recursive(SYSTEMD_CGROUP_CONTROLLER, path, SIGKILL, CGROUP_IGNORE_SELF, pids_killed, log_kill, NULL); - else - r = cg_kill(SYSTEMD_CGROUP_CONTROLLER, path, SIGKILL, CGROUP_IGNORE_SELF, pids_killed, log_kill, NULL); -- if (r < 0) -+ -+ /* The cgroup could have been cleaned up after we have sent SIGKILL to all of the processes, but before -+ * we could do one last iteration of cgroup.procs to check. Or the service unit could have exited and -+ * was removed between picking candidates and coming into this function. In either case, let's log -+ * about it let the caller decide what to do once they know how many PIDs were killed. */ -+ if (IN_SET(r, -ENOENT, -ENODEV)) -+ log_debug_errno(r, "Error when sending SIGKILL to processes in cgroup path %s, ignoring: %m", path); -+ else if (r < 0) - return r; - - r = increment_oomd_xattr(path, "user.oomd_kill", set_size(pids_killed)); --- -2.33.0 - diff --git a/backport-oomd-handle-situations-when-no-cgroups-are-killed.patch b/backport-oomd-handle-situations-when-no-cgroups-are-killed.patch deleted file mode 100644 index e806412..0000000 --- a/backport-oomd-handle-situations-when-no-cgroups-are-killed.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 07b5c382361a310b3ec1fa6ccfcfc99fb4fc1ee0 Mon Sep 17 00:00:00 2001 -From: Anita Zhang -Date: Wed, 19 Jan 2022 13:26:01 -0800 -Subject: [PATCH] oomd: handle situations when no cgroups are killed - -Currently if systemd-oomd doesn't kill anything in a selected cgroup, it -selects a new candidate immediately. But if a selected cgroup wasn't killed, -it is likely due to it disappearing or getting cleaned up between the time -it was selected as a candidate and getting sent SIGKILL(s). We should handle -it as though systemd-oomd did perform a kill so that it will check -swap/pressure again before it tries to select a new candidate. - -(cherry picked from commit 914d4e99f43761f1ce77b520850cf096aa5196cd) -(cherry picked from commit c4d89cd602b94ab3baac746395c797ec4da43679) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/07b5c382361a310b3ec1fa6ccfcfc99fb4fc1ee0 ---- - src/oom/oomd-manager.c | 10 +++++++--- - src/oom/oomd-util.c | 11 +++++------ - 2 files changed, 12 insertions(+), 9 deletions(-) - -diff --git a/src/oom/oomd-manager.c b/src/oom/oomd-manager.c -index 9cae0c9c8a..727206d0b3 100644 ---- a/src/oom/oomd-manager.c -+++ b/src/oom/oomd-manager.c -@@ -364,7 +364,7 @@ static int monitor_swap_contexts_handler(sd_event_source *s, uint64_t usec, void - if (r < 0) - log_notice_errno(r, "Failed to kill any cgroup(s) based on swap: %m"); - else { -- if (selected) -+ if (selected && r > 0) - log_notice("Killed %s due to memory used (%"PRIu64") / total (%"PRIu64") and " - "swap used (%"PRIu64") / total (%"PRIu64") being more than " - PERMYRIAD_AS_PERCENT_FORMAT_STR, -@@ -475,9 +475,13 @@ static int monitor_memory_pressure_contexts_handler(sd_event_source *s, uint64_t - if (r < 0) - log_notice_errno(r, "Failed to kill any cgroup(s) under %s based on pressure: %m", t->path); - else { -- /* Don't act on all the high pressure cgroups at once; return as soon as we kill one */ -+ /* Don't act on all the high pressure cgroups at once; return as soon as we kill one. -+ * If r == 0 then it means there were not eligible candidates, the candidate cgroup -+ * disappeared, or the candidate cgroup has no processes by the time we tried to kill -+ * it. In either case, go through the event loop again and select a new candidate if -+ * pressure is still high. */ - m->mem_pressure_post_action_delay_start = usec_now; -- if (selected) -+ if (selected && r > 0) - log_notice("Killed %s due to memory pressure for %s being %lu.%02lu%% > %lu.%02lu%%" - " for > %s with reclaim activity", - selected, t->path, -diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c -index 503ede9a9f..5867d2946c 100644 ---- a/src/oom/oomd-util.c -+++ b/src/oom/oomd-util.c -@@ -206,6 +206,9 @@ int oomd_cgroup_kill(const char *path, bool recurse, bool dry_run) { - else if (r < 0) - return r; - -+ if (set_isempty(pids_killed)) -+ log_debug("Nothing killed when attempting to kill %s", path); -+ - r = increment_oomd_xattr(path, "user.oomd_kill", set_size(pids_killed)); - if (r < 0) - log_debug_errno(r, "Failed to set user.oomd_kill on kill: %m"); -@@ -231,8 +234,6 @@ int oomd_kill_by_pgscan_rate(Hashmap *h, const char *prefix, bool dry_run, char - continue; - - r = oomd_cgroup_kill(sorted[i]->path, true, dry_run); -- if (r == 0) -- continue; /* We didn't find anything to kill */ - if (r == -ENOMEM) - return r; /* Treat oom as a hard error */ - if (r < 0) { -@@ -245,7 +246,7 @@ int oomd_kill_by_pgscan_rate(Hashmap *h, const char *prefix, bool dry_run, char - if (!selected) - return -ENOMEM; - *ret_selected = selected; -- return 1; -+ return r; - } - - return ret; -@@ -271,8 +272,6 @@ int oomd_kill_by_swap_usage(Hashmap *h, uint64_t threshold_usage, bool dry_run, - continue; - - r = oomd_cgroup_kill(sorted[i]->path, true, dry_run); -- if (r == 0) -- continue; /* We didn't find anything to kill */ - if (r == -ENOMEM) - return r; /* Treat oom as a hard error */ - if (r < 0) { -@@ -285,7 +284,7 @@ int oomd_kill_by_swap_usage(Hashmap *h, uint64_t threshold_usage, bool dry_run, - if (!selected) - return -ENOMEM; - *ret_selected = selected; -- return 1; -+ return r; - } - - return ret; --- -2.33.0 - diff --git a/backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch b/backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch deleted file mode 100644 index 33be9f8..0000000 --- a/backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 0b982442694ff69e873349459b83b421abc60d52 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 29 Sep 2021 15:03:44 +0200 -Subject: [PATCH] openssl-util: use EVP API to get RSA bits - -(cherry picked from commit 7f12adc3000c08a370f74bd16c654506c8a99e92) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0b982442694ff69e873349459b83b421abc60d52 ---- - src/shared/openssl-util.c | 7 +------ - 1 file changed, 1 insertion(+), 6 deletions(-) - -diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c -index bb47ae5e87..bd728e6c7c 100644 ---- a/src/shared/openssl-util.c -+++ b/src/shared/openssl-util.c -@@ -46,7 +46,6 @@ int rsa_pkey_to_suitable_key_size( - size_t *ret_suitable_key_size) { - - size_t suitable_key_size; -- const RSA *rsa; - int bits; - - assert_se(pkey); -@@ -58,11 +57,7 @@ int rsa_pkey_to_suitable_key_size( - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) - return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key."); - -- rsa = EVP_PKEY_get0_RSA(pkey); -- if (!rsa) -- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate."); -- -- bits = RSA_bits(rsa); -+ bits = EVP_PKEY_bits(pkey); - log_debug("Bits in RSA key: %i", bits); - - /* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only --- -2.33.0 - diff --git a/backport-packit-build-on-and-use-Fedora-35-spec-file.patch b/backport-packit-build-on-and-use-Fedora-35-spec-file.patch deleted file mode 100644 index 2ecdaab..0000000 --- a/backport-packit-build-on-and-use-Fedora-35-spec-file.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 4d2e39342352fce3969064e58e366753e7002f46 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Tue, 15 Feb 2022 01:21:01 +0000 -Subject: [PATCH] packit: build on and use Fedora 35 spec file - -It's targeted to the v249 branch, while the rawhide one follows -the newest upstream release, and the command line options are not -compatible - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4d2e39342352fce3969064e58e366753e7002f46 ---- - .packit.yml | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/.packit.yml b/.packit.yml -index ee47f8954e..fb2cb5a7c3 100644 ---- a/.packit.yml -+++ b/.packit.yml -@@ -16,8 +16,8 @@ upstream_tag_template: "v{version}" - - actions: - post-upstream-clone: -- # Use the Fedora Rawhide specfile -- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" -+ # Use the Fedora 35 specfile -+ - "git clone --branch f35 https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" - # Drop the "sources" file so rebase-helper doesn't think we're a dist-git - - "rm -fv .packit_rpm/sources" - # Drop backported patches from the specfile, but keep the downstream-only ones -@@ -31,14 +31,12 @@ actions: - # [0] https://github.com/mesonbuild/meson/issues/7360 - # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 - - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' -- # cryptolib is supported from v250 and newer, remove it -- - 'sed -i "/-Dcryptolib=openssl/d" .packit_rpm/systemd.spec' - - jobs: - - job: copr_build - trigger: pull_request - metadata: - targets: -- - fedora-rawhide-aarch64 -- - fedora-rawhide-i386 -- - fedora-rawhide-x86_64 -+ - fedora-35-aarch64 -+ - fedora-35-i386 -+ - fedora-35-x86_64 --- -2.33.0 - diff --git a/backport-packit-drop-unnumbered-patches-as-well.patch b/backport-packit-drop-unnumbered-patches-as-well.patch deleted file mode 100644 index e353d65..0000000 --- a/backport-packit-drop-unnumbered-patches-as-well.patch +++ /dev/null @@ -1,33 +0,0 @@ -From d566e288f2fb1935261d36c0c35effc4489da5e6 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Thu, 17 Feb 2022 14:02:04 +0100 -Subject: [PATCH] packit: drop unnumbered patches as well - -(cherry picked from commit 729c6b6af8e3cef259b80746f7f7f10cc63d309f) -(cherry picked from commit 477b85f43871c78fce053ebbd9592bf71d49dd30) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d566e288f2fb1935261d36c0c35effc4489da5e6 ---- - .packit.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/.packit.yml b/.packit.yml -index fb2cb5a7c3..3a47c6a6a1 100644 ---- a/.packit.yml -+++ b/.packit.yml -@@ -21,9 +21,9 @@ actions: - # Drop the "sources" file so rebase-helper doesn't think we're a dist-git - - "rm -fv .packit_rpm/sources" - # Drop backported patches from the specfile, but keep the downstream-only ones -- # - Patch0000-0499: backported patches from upstream -+ # - Patch(0000-0499): backported patches from upstream - # - Patch0500-9999: downstream-only patches -- - "sed -ri '/^Patch0[0-4]?[0-9]{0,2}\\:.+\\.patch/d' .packit_rpm/systemd.spec" -+ - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec" - # Build the RPM with --werror. Even though --werror doesn't work in all - # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the - # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]). --- -2.33.0 - diff --git a/backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch b/backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch deleted file mode 100644 index 3d0099a..0000000 --- a/backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 8815d340e508f0456bb56e9858c6cea3390a6143 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Tue, 15 Feb 2022 01:21:01 +0000 -Subject: [PATCH] packit: remove unsupported -Dcryptolib=openssl option - -Introduced later, so it breaks the build on v249-stable - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8815d340e508f0456bb56e9858c6cea3390a6143 ---- - .packit.yml | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/.packit.yml b/.packit.yml -index 4545e30e08..ee47f8954e 100644 ---- a/.packit.yml -+++ b/.packit.yml -@@ -31,6 +31,8 @@ actions: - # [0] https://github.com/mesonbuild/meson/issues/7360 - # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 - - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' -+ # cryptolib is supported from v250 and newer, remove it -+ - 'sed -i "/-Dcryptolib=openssl/d" .packit_rpm/systemd.spec' - - jobs: - - job: copr_build --- -2.33.0 - diff --git a/backport-path-util-make-find_executable-work-without-proc-mou.patch b/backport-path-util-make-find_executable-work-without-proc-mou.patch deleted file mode 100644 index 94a4d0a..0000000 --- a/backport-path-util-make-find_executable-work-without-proc-mou.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 727d0b55f46468d6171f4a326bd3139bab3c93ab Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 23 Aug 2021 06:16:48 +0900 -Subject: [PATCH] path-util: make find_executable() work without /proc mounted - -Follow-up for 888f65ace6296ed61285d31db846babf1c11885e. - -Hopefully fixes #20514. - -(cherry picked from commit 93413acd3ef3a637a0f31a1d133b103e1dc81fd6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/727d0b55f46468d6171f4a326bd3139bab3c93ab ---- - src/basic/path-util.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/basic/path-util.c b/src/basic/path-util.c -index e5afb5f5f5..13d71ed1b6 100644 ---- a/src/basic/path-util.c -+++ b/src/basic/path-util.c -@@ -628,7 +628,11 @@ static int check_x_access(const char *path, int *ret_fd) { - return r; - - r = access_fd(fd, X_OK); -- if (r < 0) -+ if (r == -ENOSYS) { -+ /* /proc is not mounted. Fallback to access(). */ -+ if (access(path, X_OK) < 0) -+ return -errno; -+ } else if (r < 0) - return r; - - if (ret_fd) --- -2.33.0 - diff --git a/backport-pid1-fix-segv-triggered-by-status-query.patch b/backport-pid1-fix-segv-triggered-by-status-query.patch deleted file mode 100644 index 72431a4..0000000 --- a/backport-pid1-fix-segv-triggered-by-status-query.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 0aadfe4937045efd5a7a53a176d05db7dc937435 Mon Sep 17 00:00:00 2001 -From: Robin Humble -Date: Wed, 1 Feb 2023 23:36:48 +1100 -Subject: [PATCH] pid1: fix segv triggered by status query (#26279) - -If any query makes it to the end of install_info_follow() then I think symlink_target is set to NULL. -If that is followed by -EXDEV from unit_file_load_or_readlink(), then that causes basename(NULL) -which segfaults pid 1. - -This is triggered by eg. "systemctl status crond" in RHEL9 if - -/etc/systemd/system/crond.service - -> /ram/etc/systemd/system/crond.service - -> /usr/lib/systemd/system/.crond.service.blah.blah - -> /usr/lib/systemd/system/crond.service - -(cherry picked from commit 19cfda9fc3c60de21a362ebb56bcb9f4a9855e85) -(cherry picked from commit 015b0ca9286471c05fe88cfa277dd82e20537ba8) -(cherry picked from commit 9a906fae890904284fe91e29b6bdcb64429fecba) -(cherry picked from commit a2dc9e3be9a8895edcba10f4c0d8d703b435c18b) ---- - src/shared/install.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/install.c b/src/shared/install.c -index 4bf868f8e9..f038665dea 100644 ---- a/src/shared/install.c -+++ b/src/shared/install.c -@@ -1609,7 +1609,7 @@ static int install_info_traverse( - } - - r = install_info_follow(c, i, paths->root_dir, flags, false); -- if (r == -EXDEV) { -+ if (r == -EXDEV && i->symlink_target) { - _cleanup_free_ char *buffer = NULL; - const char *bn; - --- -2.27.0 - diff --git a/backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch b/backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch deleted file mode 100644 index e8ecbb5..0000000 --- a/backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch +++ /dev/null @@ -1,160 +0,0 @@ -From 1daa382a7f9e55d11f7b59b144a9963688169843 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 17 Feb 2022 14:40:25 +0100 -Subject: [PATCH] pid1: lookup owning PID of BusName= name of services - asynchronously - -A first step of removing blocking calls to the D-Bus broker from PID 1. -There's a lot more to got (i.e. grep src/core/ for sd_bus_creds -basically), but it's a start. - -Removing blocking calls to D-Bus broker deals systematicallly with -deadlocks caused by dbus-daemon blocking on synchronous IPC calls back -to PID1 (e.g. Varlink calls through nss-systemd). Bugs such as #15316. - -Also-see: https://github.com/systemd/systemd/pull/22038#issuecomment-1042958390 -(cherry picked from commit e39eb045a502d599e6cd3fda7a46020dd438d018) -(cherry picked from commit cf390149cb25248169c482e315a1a7ff02eaf956) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1daa382a7f9e55d11f7b59b144a9963688169843 ---- - src/core/service.c | 91 ++++++++++++++++++++++++++++++++++++---------- - src/core/service.h | 2 + - 2 files changed, 74 insertions(+), 19 deletions(-) - -diff --git a/src/core/service.c b/src/core/service.c -index 5f56217904..f6eb46cb54 100644 ---- a/src/core/service.c -+++ b/src/core/service.c -@@ -398,6 +398,8 @@ static void service_done(Unit *u) { - s->timer_event_source = sd_event_source_disable_unref(s->timer_event_source); - s->exec_fd_event_source = sd_event_source_disable_unref(s->exec_fd_event_source); - -+ s->bus_name_pid_lookup_slot = sd_bus_slot_unref(s->bus_name_pid_lookup_slot); -+ - service_release_resources(u); - } - -@@ -4216,6 +4218,60 @@ static int service_get_timeout(Unit *u, usec_t *timeout) { - return 1; - } - -+static bool pick_up_pid_from_bus_name(Service *s) { -+ assert(s); -+ -+ /* If the service is running but we have no main PID yet, get it from the owner of the D-Bus name */ -+ -+ return !pid_is_valid(s->main_pid) && -+ IN_SET(s->state, -+ SERVICE_START, -+ SERVICE_START_POST, -+ SERVICE_RUNNING, -+ SERVICE_RELOAD); -+} -+ -+static int bus_name_pid_lookup_callback(sd_bus_message *reply, void *userdata, sd_bus_error *ret_error) { -+ const sd_bus_error *e; -+ Unit *u = userdata; -+ uint32_t pid; -+ Service *s; -+ int r; -+ -+ assert(reply); -+ assert(u); -+ -+ s = SERVICE(u); -+ s->bus_name_pid_lookup_slot = sd_bus_slot_unref(s->bus_name_pid_lookup_slot); -+ -+ if (!s->bus_name || !pick_up_pid_from_bus_name(s)) -+ return 1; -+ -+ e = sd_bus_message_get_error(reply); -+ if (e) { -+ r = sd_bus_error_get_errno(e); -+ log_warning_errno(r, "GetConnectionUnixProcessID() failed: %s", bus_error_message(e, r)); -+ return 1; -+ } -+ -+ r = sd_bus_message_read(reply, "u", &pid); -+ if (r < 0) { -+ bus_log_parse_error(r); -+ return 1; -+ } -+ -+ if (!pid_is_valid(pid)) { -+ log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "GetConnectionUnixProcessID() returned invalid PID"); -+ return 1; -+ } -+ -+ log_unit_debug(u, "D-Bus name %s is now owned by process " PID_FMT, s->bus_name, (pid_t) pid); -+ -+ service_set_main_pid(s, pid); -+ unit_watch_pid(UNIT(s), pid, false); -+ return 1; -+} -+ - static void service_bus_name_owner_change(Unit *u, const char *new_owner) { - - Service *s = SERVICE(u); -@@ -4246,28 +4302,25 @@ static void service_bus_name_owner_change(Unit *u, const char *new_owner) { - else if (s->state == SERVICE_START && new_owner) - service_enter_start_post(s); - -- } else if (new_owner && -- s->main_pid <= 0 && -- IN_SET(s->state, -- SERVICE_START, -- SERVICE_START_POST, -- SERVICE_RUNNING, -- SERVICE_RELOAD)) { -- -- _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL; -- pid_t pid; -+ } else if (new_owner && pick_up_pid_from_bus_name(s)) { - - /* Try to acquire PID from bus service */ - -- r = sd_bus_get_name_creds(u->manager->api_bus, s->bus_name, SD_BUS_CREDS_PID, &creds); -- if (r >= 0) -- r = sd_bus_creds_get_pid(creds, &pid); -- if (r >= 0) { -- log_unit_debug(u, "D-Bus name %s is now owned by process " PID_FMT, s->bus_name, pid); -- -- service_set_main_pid(s, pid); -- unit_watch_pid(UNIT(s), pid, false); -- } -+ s->bus_name_pid_lookup_slot = sd_bus_slot_unref(s->bus_name_pid_lookup_slot); -+ -+ r = sd_bus_call_method_async( -+ u->manager->api_bus, -+ &s->bus_name_pid_lookup_slot, -+ "org.freedesktop.DBus", -+ "/org/freedesktop/DBus", -+ "org.freedesktop.DBus", -+ "GetConnectionUnixProcessID", -+ bus_name_pid_lookup_callback, -+ s, -+ "s", -+ s->bus_name); -+ if (r < 0) -+ log_debug_errno(r, "Failed to request owner PID of service name, ignoring: %m"); - } - } - -diff --git a/src/core/service.h b/src/core/service.h -index 6d931c3d5e..6c47c91f85 100644 ---- a/src/core/service.h -+++ b/src/core/service.h -@@ -185,6 +185,8 @@ struct Service { - NotifyAccess notify_access; - NotifyState notify_state; - -+ sd_bus_slot *bus_name_pid_lookup_slot; -+ - sd_event_source *exec_fd_event_source; - - ServiceFDStore *fd_store; --- -2.33.0 - diff --git a/backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch b/backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch deleted file mode 100644 index f1da3dd..0000000 --- a/backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 9ac4b463b6d8da420c2b12af4408d0d583280a6d Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 1 Feb 2022 12:37:51 +0100 -Subject: [PATCH] pid1: pass PAM_DATA_SILENT to pam_end() in child - -Fixes: #22318 -(cherry picked from commit 7feb2b5737ad110eb3985e8e9d8189f18d1c5147) -(cherry picked from commit 9c560d201527ee064ae11784d6538ae544926181) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9ac4b463b6d8da420c2b12af4408d0d583280a6d ---- - src/core/execute.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index 2f2de4d9cf..04c0513453 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -1323,7 +1323,9 @@ static int setup_pam( - ret = 0; - - child_finish: -- pam_end(handle, pam_code | flags); -+ /* NB: pam_end() when called in child processes should set PAM_DATA_SILENT to let the module -+ * know about this. See pam_end(3) */ -+ (void) pam_end(handle, pam_code | flags | PAM_DATA_SILENT); - _exit(ret); - } - -@@ -1358,7 +1360,7 @@ fail: - if (close_session) - pam_code = pam_close_session(handle, flags); - -- pam_end(handle, pam_code | flags); -+ (void) pam_end(handle, pam_code | flags); - } - - strv_free(e); --- -2.33.0 - diff --git a/backport-pid1-propagate-the-original-command-line-when-reexec.patch b/backport-pid1-propagate-the-original-command-line-when-reexec.patch deleted file mode 100644 index e995700..0000000 --- a/backport-pid1-propagate-the-original-command-line-when-reexec.patch +++ /dev/null @@ -1,156 +0,0 @@ -From f3af6ba86c1128ccf6d6f896f70c22f9645a51c5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 22 Jul 2021 08:21:46 +0200 -Subject: [PATCH] pid1: propagate the original command line when reexecuting - -When we reexec the manager in a container, we lose configuration settings on -the kernel command line: - - $ systemd-nspawn -M rawhide -b systemd.status-unit-format=name systemd.show-status=yes - ... - # tr '\0' ' ' -Date: Thu, 17 Feb 2022 14:49:54 +0100 -Subject: [PATCH] pid1: set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for - dbus-daemon -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There's currently a deadlock between PID 1 and dbus-daemon: in some -cases dbus-daemon will do NSS lookups (which are blocking) at the same -time PID 1 synchronously blocks on some call to dbus-daemon. Let's break -that by setting SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon, -which will disable synchronously blocking varlink calls from nss-systemd -to PID 1. - -In the long run we should fix this differently: remove all synchronous -calls to dbus-daemon from PID 1. This is not trivial however: so far we -had the rule that synchronous calls from PID 1 to the dbus broker are OK -as long as they only go to interfaces implemented by the broke itself -rather than services reachable through it. Given that the relationship -between PID 1 and dbus is kinda special anyway, this was considered -acceptable for the sake of simplicity, since we quite often need -metadata about bus peers from the broker, and the asynchronous logic -would substantially complicate even the simplest method handlers. - -This mostly reworks the existing code that sets SYSTEMD_NSS_BYPASS_BUS= -(which is a similar hack to deal with deadlocks between nss-systemd and -dbus-daemon itself) to set SYSTEMD_NSS_DYNAMIC_BYPASS=1 instead. No code -was checking SYSTEMD_NSS_BYPASS_BUS= anymore anyway, and it used to -solve a similar problem, hence it's an obvious piece of code to rework -like this. - -Issue originally tracked down by Lukas Märdian. This patch is inspired -and closely based on his patch: - - https://github.com/systemd/systemd/pull/22038 - -Fixes: #15316 -Co-authored-by: Lukas Märdian -(cherry picked from commit de90700f36f2126528f7ce92df0b5b5d5e277558) -(cherry picked from commit 367041af816d48d4852140f98fd0ba78ed83f9e4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0863a55ae95fe6bf7312b7a864d07a9e3fbee563 ---- - src/core/execute.c | 10 +++++----- - src/core/execute.h | 26 +++++++++++++------------- - src/core/service.c | 2 +- - 3 files changed, 19 insertions(+), 19 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index 28efe5c36f..37f63a9378 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -1828,11 +1828,11 @@ static int build_environment( - our_env[n_env++] = x; - } - -- /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic -- * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but -- * check the database directly. */ -- if (p->flags & EXEC_NSS_BYPASS_BUS) { -- x = strdup("SYSTEMD_NSS_BYPASS_BUS=1"); -+ /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use blocking -+ * Varlink calls back to us for look up dynamic users in PID 1. Break the deadlock between D-Bus and -+ * PID 1 by disabling use of PID1' NSS interface for looking up dynamic users. */ -+ if (p->flags & EXEC_NSS_DYNAMIC_BYPASS) { -+ x = strdup("SYSTEMD_NSS_DYNAMIC_BYPASS=1"); - if (!x) - return -ENOMEM; - our_env[n_env++] = x; -diff --git a/src/core/execute.h b/src/core/execute.h -index 4c7a5b874f..47349a69a2 100644 ---- a/src/core/execute.h -+++ b/src/core/execute.h -@@ -343,21 +343,21 @@ static inline bool exec_context_with_rootfs(const ExecContext *c) { - } - - typedef enum ExecFlags { -- EXEC_APPLY_SANDBOXING = 1 << 0, -- EXEC_APPLY_CHROOT = 1 << 1, -- EXEC_APPLY_TTY_STDIN = 1 << 2, -- EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */ -- EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ -- EXEC_NSS_BYPASS_BUS = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */ -- EXEC_CGROUP_DELEGATE = 1 << 6, -- EXEC_IS_CONTROL = 1 << 7, -- EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ -- EXEC_WRITE_CREDENTIALS = 1 << 9, /* Set up the credential store logic */ -+ EXEC_APPLY_SANDBOXING = 1 << 0, -+ EXEC_APPLY_CHROOT = 1 << 1, -+ EXEC_APPLY_TTY_STDIN = 1 << 2, -+ EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */ -+ EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ -+ EXEC_NSS_DYNAMIC_BYPASS = 1 << 5, /* Set the SYSTEMD_NSS_DYNAMIC_BYPASS environment variable, to disable nss-systemd blocking on PID 1, for use by dbus-daemon */ -+ EXEC_CGROUP_DELEGATE = 1 << 6, -+ EXEC_IS_CONTROL = 1 << 7, -+ EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ -+ EXEC_WRITE_CREDENTIALS = 1 << 9, /* Set up the credential store logic */ - - /* The following are not used by execute.c, but by consumers internally */ -- EXEC_PASS_FDS = 1 << 10, -- EXEC_SETENV_RESULT = 1 << 11, -- EXEC_SET_WATCHDOG = 1 << 12, -+ EXEC_PASS_FDS = 1 << 10, -+ EXEC_SETENV_RESULT = 1 << 11, -+ EXEC_SET_WATCHDOG = 1 << 12, - } ExecFlags; - - /* Parameters for a specific invocation of a command. This structure is put together right before a command is -diff --git a/src/core/service.c b/src/core/service.c -index f6eb46cb54..a480edc439 100644 ---- a/src/core/service.c -+++ b/src/core/service.c -@@ -1573,7 +1573,7 @@ static int service_spawn( - return -ENOMEM; - - /* System D-Bus needs nss-systemd disabled, so that we don't deadlock */ -- SET_FLAG(exec_params.flags, EXEC_NSS_BYPASS_BUS, -+ SET_FLAG(exec_params.flags, EXEC_NSS_DYNAMIC_BYPASS, - MANAGER_IS_SYSTEM(UNIT(s)->manager) && unit_has_name(UNIT(s), SPECIAL_DBUS_SERVICE)); - - strv_free_and_replace(exec_params.environment, final_env); --- -2.33.0 - diff --git a/backport-pid1-watch-bus-name-always-when-we-have-it.patch b/backport-pid1-watch-bus-name-always-when-we-have-it.patch deleted file mode 100644 index f9b816d..0000000 --- a/backport-pid1-watch-bus-name-always-when-we-have-it.patch +++ /dev/null @@ -1,57 +0,0 @@ -From b301230a6ce52989053b12324fcaef0d45610ee6 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 17 Feb 2022 17:23:48 +0100 -Subject: [PATCH] pid1: watch bus name always when we have it - -Previously we'd only watch configured service bus names if Type=dbus was -set. Let's also watch it for other types. This is useful to pick up the -main PID of such a service. In fact the code to pick it up was already -in place, alas it didn't do anything given the signal was never received -for it. Fix that. - -(It's also useful for debugging) - -(cherry picked from commit 1e8b312e5a22538f91defb89cf2997e09e106297) -(cherry picked from commit a51e540b278827c0fc59760b9c77cd42cbddc0d2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b301230a6ce52989053b12324fcaef0d45610ee6 ---- - src/core/service.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/core/service.c b/src/core/service.c -index 7b90822f68..5f56217904 100644 ---- a/src/core/service.c -+++ b/src/core/service.c -@@ -685,17 +685,19 @@ static int service_setup_bus_name(Service *s) { - assert(s); - - /* If s->bus_name is not set, then the unit will be refused by service_verify() later. */ -- if (s->type != SERVICE_DBUS || !s->bus_name) -+ if (!s->bus_name) - return 0; - -- r = unit_add_dependency_by_name(UNIT(s), UNIT_REQUIRES, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE); -- if (r < 0) -- return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m"); -+ if (s->type == SERVICE_DBUS) { -+ r = unit_add_dependency_by_name(UNIT(s), UNIT_REQUIRES, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE); -+ if (r < 0) -+ return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m"); - -- /* We always want to be ordered against dbus.socket if both are in the transaction. */ -- r = unit_add_dependency_by_name(UNIT(s), UNIT_AFTER, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE); -- if (r < 0) -- return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m"); -+ /* We always want to be ordered against dbus.socket if both are in the transaction. */ -+ r = unit_add_dependency_by_name(UNIT(s), UNIT_AFTER, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE); -+ if (r < 0) -+ return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m"); -+ } - - r = unit_watch_bus_name(UNIT(s), s->bus_name); - if (r == -EEXIST) --- -2.33.0 - diff --git a/backport-policy-files-adjust-landing-page-link.patch b/backport-policy-files-adjust-landing-page-link.patch deleted file mode 100644 index 40cdc7f..0000000 --- a/backport-policy-files-adjust-landing-page-link.patch +++ /dev/null @@ -1,170 +0,0 @@ -From de0d375e38df25b9fe333d64f9880751aea46e6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 12 Jan 2022 10:42:22 +0100 -Subject: [PATCH] policy files: adjust landing page link - -(cherry picked from commit d6e2c1ab7158d52425d3cb72459c5624db12368c) -(cherry picked from commit 944d8d9050b96e690054224e796254dfc18e6681) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/de0d375e38df25b9fe333d64f9880751aea46e6b ---- - src/core/org.freedesktop.systemd1.policy.in | 2 +- - src/home/org.freedesktop.home1.policy | 2 +- - src/hostname/org.freedesktop.hostname1.policy | 2 +- - src/import/org.freedesktop.import1.policy | 2 +- - src/locale/org.freedesktop.locale1.policy | 2 +- - src/login/org.freedesktop.login1.policy | 2 +- - src/machine/org.freedesktop.machine1.policy | 2 +- - src/network/org.freedesktop.network1.policy | 2 +- - src/portable/org.freedesktop.portable1.policy | 2 +- - src/resolve/org.freedesktop.resolve1.policy | 2 +- - src/timedate/org.freedesktop.timedate1.policy | 2 +- - 11 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/src/core/org.freedesktop.systemd1.policy.in b/src/core/org.freedesktop.systemd1.policy.in -index 74721c516f..f34b2d5bf0 100644 ---- a/src/core/org.freedesktop.systemd1.policy.in -+++ b/src/core/org.freedesktop.systemd1.policy.in -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Send passphrase back to system -diff --git a/src/home/org.freedesktop.home1.policy b/src/home/org.freedesktop.home1.policy -index 10ad7c283a..71253e04e9 100644 ---- a/src/home/org.freedesktop.home1.policy -+++ b/src/home/org.freedesktop.home1.policy -@@ -7,7 +7,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Create a home area -diff --git a/src/hostname/org.freedesktop.hostname1.policy b/src/hostname/org.freedesktop.hostname1.policy -index 7d28c395cf..dacea0ff0a 100644 ---- a/src/hostname/org.freedesktop.hostname1.policy -+++ b/src/hostname/org.freedesktop.hostname1.policy -@@ -14,7 +14,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Set hostname -diff --git a/src/import/org.freedesktop.import1.policy b/src/import/org.freedesktop.import1.policy -index 9736816e33..e88a6e8ae6 100644 ---- a/src/import/org.freedesktop.import1.policy -+++ b/src/import/org.freedesktop.import1.policy -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Import a VM or container image -diff --git a/src/locale/org.freedesktop.locale1.policy b/src/locale/org.freedesktop.locale1.policy -index f12ca0970a..ed98c4aa09 100644 ---- a/src/locale/org.freedesktop.locale1.policy -+++ b/src/locale/org.freedesktop.locale1.policy -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Set system locale -diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy -index 80ebb39f30..df906b0e73 100644 ---- a/src/login/org.freedesktop.login1.policy -+++ b/src/login/org.freedesktop.login1.policy -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Allow applications to inhibit system shutdown -diff --git a/src/machine/org.freedesktop.machine1.policy b/src/machine/org.freedesktop.machine1.policy -index ddf5ec05c6..5e43cb6e24 100644 ---- a/src/machine/org.freedesktop.machine1.policy -+++ b/src/machine/org.freedesktop.machine1.policy -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Log into a local container -diff --git a/src/network/org.freedesktop.network1.policy b/src/network/org.freedesktop.network1.policy -index 9e27f728bc..c39f20655d 100644 ---- a/src/network/org.freedesktop.network1.policy -+++ b/src/network/org.freedesktop.network1.policy -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Set NTP servers -diff --git a/src/portable/org.freedesktop.portable1.policy b/src/portable/org.freedesktop.portable1.policy -index 17e22b0155..09f9028dc5 100644 ---- a/src/portable/org.freedesktop.portable1.policy -+++ b/src/portable/org.freedesktop.portable1.policy -@@ -7,7 +7,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Inspect a portable service image -diff --git a/src/resolve/org.freedesktop.resolve1.policy b/src/resolve/org.freedesktop.resolve1.policy -index 08615ec6a4..2408bb9e38 100644 ---- a/src/resolve/org.freedesktop.resolve1.policy -+++ b/src/resolve/org.freedesktop.resolve1.policy -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Register a DNS-SD service -diff --git a/src/timedate/org.freedesktop.timedate1.policy b/src/timedate/org.freedesktop.timedate1.policy -index c4e71b0753..4a770c08e6 100644 ---- a/src/timedate/org.freedesktop.timedate1.policy -+++ b/src/timedate/org.freedesktop.timedate1.policy -@@ -16,7 +16,7 @@ - - - The systemd Project -- http://www.freedesktop.org/wiki/Software/systemd -+ https://systemd.io - - - Set system time --- -2.33.0 - diff --git a/backport-portable-add-flag-to-return-extension-releases-in-Ge.patch b/backport-portable-add-flag-to-return-extension-releases-in-Ge.patch deleted file mode 100644 index 7cc7fd5..0000000 --- a/backport-portable-add-flag-to-return-extension-releases-in-Ge.patch +++ /dev/null @@ -1,493 +0,0 @@ -From e31e2b84cf5afff73b793dd335600265dca1ca7e Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Tue, 25 Jan 2022 15:49:22 +0000 -Subject: [PATCH] portable: add flag to return extension-releases in - GetImageMetadataWithExtensions - -Return the name of each extension and the associated extension-release -file, and pretty-print them in 'portablectl inspect', if a new flag -is passed. - -$ portablectl inspect --extension app2 --extension app0 minimal app0 app1 -(Matching unit files with prefixes 'app0', 'app1'.) -Image: - /run/portables/minimal.raw -Portable Service: - n/a -Operating System: - Debian GNU/Linux 10 (buster) -Extension: - /run/portables/app2.raw - Extension Scope: - n/a - Extension Compatibility Level: - n/a - Portable Service: - n/a - Portable Prefixes: - n/a - Operating System: - n/a (debian 10) -Extension: - /run/portables/app0.raw - Extension Scope: - n/a - Extension Compatibility Level: - n/a - Portable Service: - n/a - Portable Prefixes: - n/a - Operating System: - n/a (debian 10) -Unit files: - app0.service - -(cherry picked from commit e3f7ed944ae750a40685c52349f3cc850db0876e) -(cherry picked from commit a87fdd2af22128bce621508315ed5126a8d11f45) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e31e2b84cf5afff73b793dd335600265dca1ca7e ---- - man/org.freedesktop.portable1.xml | 10 ++- - src/portable/portable.c | 99 ++++++++++++++++++++---------- - src/portable/portable.h | 15 ++--- - src/portable/portablectl.c | 78 ++++++++++++++++++++++- - src/portable/portabled-image-bus.c | 38 ++++++++++-- - test/units/testsuite-29.sh | 3 + - 6 files changed, 199 insertions(+), 44 deletions(-) - -diff --git a/man/org.freedesktop.portable1.xml b/man/org.freedesktop.portable1.xml -index 53c960206e..053f2a5434 100644 ---- a/man/org.freedesktop.portable1.xml -+++ b/man/org.freedesktop.portable1.xml -@@ -187,7 +187,15 @@ node /org/freedesktop/portable1 { - This method is a superset of GetImageMetadata() with the addition of - a list of extensions as input parameter, which were overlaid on top of the main - image via AttachImageWithExtensions(). -- The flag parameter is currently unused and reserved for future purposes. -+ The flag parameter can be used to request that, before the units, the path of -+ each extension and an array of bytes with the content of the respective extension-release file -+ are sent. One such structure will be sent for each extension named in the input arguments. The -+ flag value to enable this functionality is defined as follows: -+ -+ -+#define PORTABLE_INSPECT_EXTENSION_RELEASES (UINT64_C(1) << 1) -+ -+ - - GetImageState() retrieves the image state as one of the following - strings: -diff --git a/src/portable/portable.c b/src/portable/portable.c -index 8c5e5b6821..23fe6bf926 100644 ---- a/src/portable/portable.c -+++ b/src/portable/portable.c -@@ -533,13 +533,14 @@ static int extract_image_and_extensions( - bool validate_sysext, - Image **ret_image, - OrderedHashmap **ret_extension_images, -+ OrderedHashmap **ret_extension_releases, - PortableMetadata **ret_os_release, - Hashmap **ret_unit_files, - sd_bus_error *error) { - - _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL; - _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; -- _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; -+ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL, *extension_releases = NULL; - _cleanup_hashmap_free_ Hashmap *unit_files = NULL; - _cleanup_(image_unrefp) Image *image = NULL; - Image *ext; -@@ -561,6 +562,12 @@ static int extract_image_and_extensions( - if (!extension_images) - return -ENOMEM; - -+ if (ret_extension_releases) { -+ extension_releases = ordered_hashmap_new(&portable_metadata_hash_ops); -+ if (!extension_releases) -+ return -ENOMEM; -+ } -+ - STRV_FOREACH(p, extension_image_paths) { - _cleanup_(image_unrefp) Image *new = NULL; - -@@ -600,6 +607,7 @@ static int extract_image_and_extensions( - _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL; - _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; - _cleanup_strv_free_ char **extension_release = NULL; -+ _cleanup_close_ int extension_release_fd = -1; - _cleanup_fclose_ FILE *f = NULL; - - r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error); -@@ -610,10 +618,15 @@ static int extract_image_and_extensions( - if (r < 0) - return r; - -- if (!validate_sysext) -+ if (!validate_sysext && !ret_extension_releases) - continue; - -- r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f); -+ /* We need to keep the fd valid, to return the PortableMetadata to the caller. */ -+ extension_release_fd = fd_reopen(extension_release_meta->fd, O_CLOEXEC); -+ if (extension_release_fd < 0) -+ return extension_release_fd; -+ -+ r = take_fdopen_unlocked(&extension_release_fd, "r", &f); - if (r < 0) - return r; - -@@ -621,15 +634,28 @@ static int extract_image_and_extensions( - if (r < 0) - return r; - -- r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); -- if (r == 0) -- return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); -- if (r < 0) -- return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); -+ if (validate_sysext) { -+ r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); -+ if (r == 0) -+ return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); -+ if (r < 0) -+ return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); -+ } -+ -+ if (ret_extension_releases) { -+ r = ordered_hashmap_put(extension_releases, ext->name, extension_release_meta); -+ if (r < 0) -+ return r; -+ TAKE_PTR(extension_release_meta); -+ } - } - -- *ret_image = TAKE_PTR(image); -- *ret_extension_images = TAKE_PTR(extension_images); -+ if (ret_image) -+ *ret_image = TAKE_PTR(image); -+ if (ret_extension_images) -+ *ret_extension_images = TAKE_PTR(extension_images); -+ if (ret_extension_releases) -+ *ret_extension_releases = TAKE_PTR(extension_releases); - if (ret_os_release) - *ret_os_release = TAKE_PTR(os_release); - if (ret_unit_files) -@@ -643,24 +669,29 @@ int portable_extract( - char **matches, - char **extension_image_paths, - PortableMetadata **ret_os_release, -+ OrderedHashmap **ret_extension_releases, - Hashmap **ret_unit_files, - sd_bus_error *error) { - - _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; -- _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; -+ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL, *extension_releases = NULL; - _cleanup_hashmap_free_ Hashmap *unit_files = NULL; - _cleanup_(image_unrefp) Image *image = NULL; - int r; - -- r = extract_image_and_extensions(name_or_path, -- matches, -- extension_image_paths, -- /* validate_sysext= */ false, -- &image, -- &extension_images, -- &os_release, -- &unit_files, -- error); -+ assert(name_or_path); -+ -+ r = extract_image_and_extensions( -+ name_or_path, -+ matches, -+ extension_image_paths, -+ /* validate_sysext= */ false, -+ &image, -+ &extension_images, -+ &extension_releases, -+ &os_release, -+ &unit_files, -+ error); - if (r < 0) - return r; - -@@ -677,8 +708,12 @@ int portable_extract( - isempty(extensions) ? "" : extensions); - } - -- *ret_os_release = TAKE_PTR(os_release); -- *ret_unit_files = TAKE_PTR(unit_files); -+ if (ret_os_release) -+ *ret_os_release = TAKE_PTR(os_release); -+ if (ret_extension_releases) -+ *ret_extension_releases = TAKE_PTR(extension_releases); -+ if (ret_unit_files) -+ *ret_unit_files = TAKE_PTR(unit_files); - - return 0; - } -@@ -1225,15 +1260,17 @@ int portable_attach( - PortableMetadata *item; - int r; - -- r = extract_image_and_extensions(name_or_path, -- matches, -- extension_image_paths, -- /* validate_sysext= */ true, -- &image, -- &extension_images, -- /* os_release= */ NULL, -- &unit_files, -- error); -+ r = extract_image_and_extensions( -+ name_or_path, -+ matches, -+ extension_image_paths, -+ /* validate_sysext= */ true, -+ &image, -+ &extension_images, -+ /* extension_releases= */ NULL, -+ /* os_release= */ NULL, -+ &unit_files, -+ error); - if (r < 0) - return r; - -diff --git a/src/portable/portable.h b/src/portable/portable.h -index 94144287ae..ce55f050a2 100644 ---- a/src/portable/portable.h -+++ b/src/portable/portable.h -@@ -20,13 +20,14 @@ typedef struct PortableMetadata { - #define PORTABLE_METADATA_IS_UNIT(m) (!IN_SET((m)->name[0], 0, '/')) - - typedef enum PortableFlags { -- PORTABLE_RUNTIME = 1 << 0, /* Public API via DBUS, do not change */ -- PORTABLE_PREFER_COPY = 1 << 1, -- PORTABLE_PREFER_SYMLINK = 1 << 2, -- PORTABLE_REATTACH = 1 << 3, -- _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME, -+ PORTABLE_RUNTIME = 1 << 0, -+ PORTABLE_INSPECT_EXTENSION_RELEASES = 1 << 1, /* Public API via DBUS, do not change */ -+ PORTABLE_PREFER_COPY = 1 << 2, -+ PORTABLE_PREFER_SYMLINK = 1 << 3, -+ PORTABLE_REATTACH = 1 << 4, -+ _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME | PORTABLE_INSPECT_EXTENSION_RELEASES, - _PORTABLE_TYPE_MAX, -- _PORTABLE_TYPE_INVALID = -EINVAL, -+ _PORTABLE_TYPE_INVALID = -EINVAL, - } PortableFlags; - - /* This enum is anonymous, since we usually store it in an 'int', as we overload it with negative errno -@@ -64,7 +65,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(PortableMetadata*, portable_metadata_unref); - - int portable_metadata_hashmap_to_sorted_array(Hashmap *unit_files, PortableMetadata ***ret); - --int portable_extract(const char *image, char **matches, char **extension_image_paths, PortableMetadata **ret_os_release, Hashmap **ret_unit_files, sd_bus_error *error); -+int portable_extract(const char *image, char **matches, char **extension_image_paths, PortableMetadata **ret_os_release, OrderedHashmap **ret_extension_releases, Hashmap **ret_unit_files, sd_bus_error *error); - - int portable_attach(sd_bus *bus, const char *name_or_path, char **matches, const char *profile, char **extension_images, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error); - int portable_detach(sd_bus *bus, const char *name_or_path, char **extension_image_paths, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error); -diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c -index 2d8079ad97..af5e78c998 100644 ---- a/src/portable/portablectl.c -+++ b/src/portable/portablectl.c -@@ -259,8 +259,8 @@ static int maybe_reload(sd_bus **bus) { - static int get_image_metadata(sd_bus *bus, const char *image, char **matches, sd_bus_message **reply) { - _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; - _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; -+ PortableFlags flags = PORTABLE_INSPECT_EXTENSION_RELEASES; - const char *method; -- uint64_t flags = 0; - int r; - - assert(bus); -@@ -365,6 +365,74 @@ static int inspect_image(int argc, char *argv[], void *userdata) { - if (r < 0) - return bus_log_parse_error(r); - -+ /* If we specified any extensions, we'll first get back exactly the -+ * paths (and extension-release content) for each one of the arguments. */ -+ for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { -+ const char *name; -+ -+ r = sd_bus_message_enter_container(reply, 'e', "say"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ if (r == 0) -+ break; -+ -+ r = sd_bus_message_read(reply, "s", &name); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ r = sd_bus_message_read_array(reply, 'y', &data, &sz); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ if (arg_cat) { -+ if (nl) -+ fputc('\n', stdout); -+ -+ printf("%s-- Extension Release: %s --%s\n", ansi_highlight(), name, ansi_normal()); -+ fwrite(data, sz, 1, stdout); -+ fflush(stdout); -+ nl = true; -+ } else { -+ _cleanup_free_ char *pretty_portable = NULL, *pretty_os = NULL, *sysext_level = NULL, -+ *id = NULL, *version_id = NULL, *sysext_scope = NULL, *portable_prefixes = NULL; -+ _cleanup_fclose_ FILE *f = NULL; -+ -+ f = fmemopen_unlocked((void*) data, sz, "re"); -+ if (!f) -+ return log_error_errno(errno, "Failed to open extension-release buffer: %m"); -+ -+ r = parse_env_file(f, name, -+ "ID", &id, -+ "VERSION_ID", &version_id, -+ "SYSEXT_SCOPE", &sysext_scope, -+ "SYSEXT_LEVEL", &sysext_level, -+ "PORTABLE_PRETTY_NAME", &pretty_portable, -+ "PORTABLE_PREFIXES", &portable_prefixes, -+ "PRETTY_NAME", &pretty_os); -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse extension release from '%s': %m", name); -+ -+ printf("Extension:\n\t%s\n" -+ "\tExtension Scope:\n\t\t%s\n" -+ "\tExtension Compatibility Level:\n\t\t%s\n" -+ "\tPortable Service:\n\t\t%s\n" -+ "\tPortable Prefixes:\n\t\t%s\n" -+ "\tOperating System:\n\t\t%s (%s %s)\n", -+ name, -+ strna(sysext_scope), -+ strna(sysext_level), -+ strna(pretty_portable), -+ strna(portable_prefixes), -+ strna(pretty_os), -+ strna(id), -+ strna(version_id)); -+ } -+ -+ r = sd_bus_message_exit_container(reply); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ } -+ - for (;;) { - const char *name; - -@@ -699,6 +767,14 @@ static int maybe_stop_disable(sd_bus *bus, char *image, char *argv[]) { - if (r < 0) - return bus_log_parse_error(r); - -+ /* If we specified any extensions, we'll first get back exactly the -+ * paths (and extension-release content) for each one of the arguments. */ -+ for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { -+ r = sd_bus_message_skip(reply, "{say}"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ } -+ - for (;;) { - const char *name; - -diff --git a/src/portable/portabled-image-bus.c b/src/portable/portabled-image-bus.c -index 23c6e2633a..3e6310f23e 100644 ---- a/src/portable/portabled-image-bus.c -+++ b/src/portable/portabled-image-bus.c -@@ -102,13 +102,13 @@ int bus_image_common_get_metadata( - Image *image, - sd_bus_error *error) { - -+ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_releases = NULL; - _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; - _cleanup_strv_free_ char **matches = NULL, **extension_images = NULL; - _cleanup_hashmap_free_ Hashmap *unit_files = NULL; - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; - _cleanup_free_ PortableMetadata **sorted = NULL; -- /* Unused for now, but added to the DBUS methods for future-proofing */ -- uint64_t input_flags = 0; -+ PortableFlags flags = 0; - size_t i; - int r; - -@@ -133,14 +133,17 @@ int bus_image_common_get_metadata( - - if (sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || - sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions")) { -+ uint64_t input_flags = 0; -+ - r = sd_bus_message_read(message, "t", &input_flags); - if (r < 0) - return r; -- /* Let clients know that this version doesn't support any flags */ -- if (input_flags != 0) -+ -+ if ((input_flags & ~_PORTABLE_MASK_PUBLIC) != 0) - return sd_bus_reply_method_errorf(message, SD_BUS_ERROR_INVALID_ARGS, - "Invalid 'flags' parameter '%" PRIu64 "'", - input_flags); -+ flags |= input_flags; - } - - r = bus_image_acquire(m, -@@ -161,6 +164,7 @@ int bus_image_common_get_metadata( - matches, - extension_images, - &os_release, -+ &extension_releases, - &unit_files, - error); - if (r < 0) -@@ -186,6 +190,32 @@ int bus_image_common_get_metadata( - if (r < 0) - return r; - -+ /* If it was requested, also send back the extension path and the content -+ * of each extension-release file. Behind a flag, as it's an incompatible -+ * change. */ -+ if (FLAGS_SET(flags, PORTABLE_INSPECT_EXTENSION_RELEASES)) { -+ PortableMetadata *extension_release; -+ -+ ORDERED_HASHMAP_FOREACH(extension_release, extension_releases) { -+ -+ r = sd_bus_message_open_container(reply, 'e', "say"); -+ if (r < 0) -+ return r; -+ -+ r = sd_bus_message_append(reply, "s", extension_release->image_path); -+ if (r < 0) -+ return r; -+ -+ r = append_fd(reply, extension_release); -+ if (r < 0) -+ return r; -+ -+ r = sd_bus_message_close_container(reply); -+ if (r < 0) -+ return r; -+ } -+ } -+ - for (i = 0; i < hashmap_size(unit_files); i++) { - - r = sd_bus_message_open_container(reply, 'e', "say"); -diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh -index 34fa730514..ca09f321b7 100755 ---- a/test/units/testsuite-29.sh -+++ b/test/units/testsuite-29.sh -@@ -80,6 +80,9 @@ systemctl is-active app1.service - portablectl "${ARGS[@]}" reattach --now --runtime --extension ${app1} ${root} app1 - - systemctl is-active app1.service -+portablectl inspect --cat --extension ${app1} ${root} app1 | grep -F "MARKER=1" -+portablectl inspect --cat --extension ${app1} ${root} app1 | grep -F "Extension Release: /usr/share/app1.raw" -+portablectl inspect --cat --extension ${app1} ${root} app1 | grep -F "ExecStart=/opt/script1.sh" - - portablectl detach --now --runtime --extension ${app1} ${root} app1 - --- -2.33.0 - diff --git a/backport-portable-add-return-parameter-to-GetImageMetadataWit.patch b/backport-portable-add-return-parameter-to-GetImageMetadataWit.patch deleted file mode 100644 index 224ccf4..0000000 --- a/backport-portable-add-return-parameter-to-GetImageMetadataWit.patch +++ /dev/null @@ -1,393 +0,0 @@ -From 594b9adc847c4b759d1e51559fceb617015f8575 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 3 Mar 2022 16:26:36 +0100 -Subject: [PATCH] portable: add return parameter to - GetImageMetadataWithExtensions - -The complaint was that the output array was used for two kinds of data, and the -input flag decided whether this extra data should be included. The flag is -removed, and instead the old method is changed to include the data always as -a separate parameter. - -This breaks backward compatibility, but the old method is effectively broken -and does not appear to be used yet, at least in open source code, by -searching on codesearch.debian.net and github.com. - -Fixes #22404. - -Co-authored-by: Luca Boccassi -(cherry picked from commit 087a799f64560bb0379b8a99ebbd9ca84804e4c3) -(cherry picked from commit 00b5aa8d741ad17f6b8f5f03d901b038e3a27d04) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/594b9adc847c4b759d1e51559fceb617015f8575 ---- - man/org.freedesktop.portable1.xml | 21 ++--- - src/portable/portable.h | 13 ++- - src/portable/portablectl.c | 142 +++++++++++++++-------------- - src/portable/portabled-bus.c | 1 + - src/portable/portabled-image-bus.c | 30 +++--- - 5 files changed, 110 insertions(+), 97 deletions(-) - -diff --git a/man/org.freedesktop.portable1.xml b/man/org.freedesktop.portable1.xml -index 053f2a5434..8f960cc28d 100644 ---- a/man/org.freedesktop.portable1.xml -+++ b/man/org.freedesktop.portable1.xml -@@ -54,6 +54,7 @@ node /org/freedesktop/portable1 { - in t flags, - out s image, - out ay os_release, -+ out a{say} extensions, - out a{say} units); - GetImageState(in s image, - out s state); -@@ -183,19 +184,12 @@ node /org/freedesktop/portable1 { - and a list of portable units contained in the image, in the form of a string (unit name) and - an array of bytes with the content. - -- GetImageMetadataWithExtensions() retrieves metadata associated with an image. -- This method is a superset of GetImageMetadata() with the addition of -- a list of extensions as input parameter, which were overlaid on top of the main -- image via AttachImageWithExtensions(). -- The flag parameter can be used to request that, before the units, the path of -- each extension and an array of bytes with the content of the respective extension-release file -- are sent. One such structure will be sent for each extension named in the input arguments. The -- flag value to enable this functionality is defined as follows: -- -- --#define PORTABLE_INSPECT_EXTENSION_RELEASES (UINT64_C(1) << 1) -- -- -+ GetImageMetadataWithExtensions() retrieves metadata associated with an -+ image. This method is a superset of GetImageMetadata() with the addition of a list -+ of extensions as input parameter, which were overlaid on top of the main image via -+ AttachImageWithExtensions(). The path of each extension and an array of bytes with -+ the content of the respective extension-release file are returned, one such structure for each -+ extension named in the input arguments. - - GetImageState() retrieves the image state as one of the following - strings: -@@ -340,6 +334,7 @@ node /org/freedesktop/portable1 { - in t flags, - out s image, - out ay os_release, -+ out a{say} extensions, - out a{say} units); - GetState(out s state); - Attach(in as matches, -diff --git a/src/portable/portable.h b/src/portable/portable.h -index ce55f050a2..a1abf60dc7 100644 ---- a/src/portable/portable.h -+++ b/src/portable/portable.h -@@ -20,14 +20,13 @@ typedef struct PortableMetadata { - #define PORTABLE_METADATA_IS_UNIT(m) (!IN_SET((m)->name[0], 0, '/')) - - typedef enum PortableFlags { -- PORTABLE_RUNTIME = 1 << 0, -- PORTABLE_INSPECT_EXTENSION_RELEASES = 1 << 1, /* Public API via DBUS, do not change */ -- PORTABLE_PREFER_COPY = 1 << 2, -- PORTABLE_PREFER_SYMLINK = 1 << 3, -- PORTABLE_REATTACH = 1 << 4, -- _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME | PORTABLE_INSPECT_EXTENSION_RELEASES, -+ PORTABLE_RUNTIME = 1 << 0, /* Public API via DBUS, do not change */ -+ PORTABLE_PREFER_COPY = 1 << 1, -+ PORTABLE_PREFER_SYMLINK = 1 << 2, -+ PORTABLE_REATTACH = 1 << 3, -+ _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME, - _PORTABLE_TYPE_MAX, -- _PORTABLE_TYPE_INVALID = -EINVAL, -+ _PORTABLE_TYPE_INVALID = -EINVAL, - } PortableFlags; - - /* This enum is anonymous, since we usually store it in an 'int', as we overload it with negative errno -diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c -index 827d7a7b4a..21048baeb5 100644 ---- a/src/portable/portablectl.c -+++ b/src/portable/portablectl.c -@@ -259,7 +259,7 @@ static int maybe_reload(sd_bus **bus) { - static int get_image_metadata(sd_bus *bus, const char *image, char **matches, sd_bus_message **reply) { - _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; - _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; -- PortableFlags flags = PORTABLE_INSPECT_EXTENSION_RELEASES; -+ uint64_t flags = 0; - const char *method; - int r; - -@@ -361,71 +361,78 @@ static int inspect_image(int argc, char *argv[], void *userdata) { - strna(pretty_os)); - } - -- r = sd_bus_message_enter_container(reply, 'a', "{say}"); -- if (r < 0) -- return bus_log_parse_error(r); -- -- /* If we specified any extensions, we'll first get back exactly the -- * paths (and extension-release content) for each one of the arguments. */ -- for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { -- const char *name; -+ if (!strv_isempty(arg_extension_images)) { -+ /* If we specified any extensions, we'll first get back exactly the paths (and -+ * extension-release content) for each one of the arguments. */ - -- r = sd_bus_message_enter_container(reply, 'e', "say"); -+ r = sd_bus_message_enter_container(reply, 'a', "{say}"); - if (r < 0) - return bus_log_parse_error(r); -- if (r == 0) -- break; - -- r = sd_bus_message_read(reply, "s", &name); -- if (r < 0) -- return bus_log_parse_error(r); -+ for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { -+ const char *name; - -- r = sd_bus_message_read_array(reply, 'y', &data, &sz); -- if (r < 0) -- return bus_log_parse_error(r); -+ r = sd_bus_message_enter_container(reply, 'e', "say"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ if (r == 0) -+ break; - -- if (arg_cat) { -- if (nl) -- fputc('\n', stdout); -+ r = sd_bus_message_read(reply, "s", &name); -+ if (r < 0) -+ return bus_log_parse_error(r); - -- printf("%s-- Extension Release: %s --%s\n", ansi_highlight(), name, ansi_normal()); -- fwrite(data, sz, 1, stdout); -- fflush(stdout); -- nl = true; -- } else { -- _cleanup_free_ char *pretty_portable = NULL, *pretty_os = NULL, *sysext_level = NULL, -- *id = NULL, *version_id = NULL, *sysext_scope = NULL, *portable_prefixes = NULL; -- _cleanup_fclose_ FILE *f = NULL; -- -- f = fmemopen_unlocked((void*) data, sz, "re"); -- if (!f) -- return log_error_errno(errno, "Failed to open extension-release buffer: %m"); -- -- r = parse_env_file(f, name, -- "ID", &id, -- "VERSION_ID", &version_id, -- "SYSEXT_SCOPE", &sysext_scope, -- "SYSEXT_LEVEL", &sysext_level, -- "PORTABLE_PRETTY_NAME", &pretty_portable, -- "PORTABLE_PREFIXES", &portable_prefixes, -- "PRETTY_NAME", &pretty_os); -+ r = sd_bus_message_read_array(reply, 'y', &data, &sz); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ if (arg_cat) { -+ if (nl) -+ fputc('\n', stdout); -+ -+ printf("%s-- Extension Release: %s --%s\n", ansi_highlight(), name, ansi_normal()); -+ fwrite(data, sz, 1, stdout); -+ fflush(stdout); -+ nl = true; -+ } else { -+ _cleanup_free_ char *pretty_portable = NULL, *pretty_os = NULL, *sysext_level = NULL, -+ *id = NULL, *version_id = NULL, *sysext_scope = NULL, *portable_prefixes = NULL; -+ _cleanup_fclose_ FILE *f = NULL; -+ -+ f = fmemopen_unlocked((void*) data, sz, "re"); -+ if (!f) -+ return log_error_errno(errno, "Failed to open extension-release buffer: %m"); -+ -+ r = parse_env_file(f, name, -+ "ID", &id, -+ "VERSION_ID", &version_id, -+ "SYSEXT_SCOPE", &sysext_scope, -+ "SYSEXT_LEVEL", &sysext_level, -+ "PORTABLE_PRETTY_NAME", &pretty_portable, -+ "PORTABLE_PREFIXES", &portable_prefixes, -+ "PRETTY_NAME", &pretty_os); -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse extension release from '%s': %m", name); -+ -+ printf("Extension:\n\t%s\n" -+ "\tExtension Scope:\n\t\t%s\n" -+ "\tExtension Compatibility Level:\n\t\t%s\n" -+ "\tPortable Service:\n\t\t%s\n" -+ "\tPortable Prefixes:\n\t\t%s\n" -+ "\tOperating System:\n\t\t%s (%s %s)\n", -+ name, -+ strna(sysext_scope), -+ strna(sysext_level), -+ strna(pretty_portable), -+ strna(portable_prefixes), -+ strna(pretty_os), -+ strna(id), -+ strna(version_id)); -+ } -+ -+ r = sd_bus_message_exit_container(reply); - if (r < 0) -- return log_error_errno(r, "Failed to parse extension release from '%s': %m", name); -- -- printf("Extension:\n\t%s\n" -- "\tExtension Scope:\n\t\t%s\n" -- "\tExtension Compatibility Level:\n\t\t%s\n" -- "\tPortable Service:\n\t\t%s\n" -- "\tPortable Prefixes:\n\t\t%s\n" -- "\tOperating System:\n\t\t%s (%s %s)\n", -- name, -- strna(sysext_scope), -- strna(sysext_level), -- strna(pretty_portable), -- strna(portable_prefixes), -- strna(pretty_os), -- strna(id), -- strna(version_id)); -+ return bus_log_parse_error(r); - } - - r = sd_bus_message_exit_container(reply); -@@ -433,6 +440,10 @@ static int inspect_image(int argc, char *argv[], void *userdata) { - return bus_log_parse_error(r); - } - -+ r = sd_bus_message_enter_container(reply, 'a', "{say}"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ - for (;;) { - const char *name; - -@@ -763,18 +774,17 @@ static int maybe_stop_disable(sd_bus *bus, char *image, char *argv[]) { - if (r < 0) - return bus_log_parse_error(r); - -- r = sd_bus_message_enter_container(reply, 'a', "{say}"); -- if (r < 0) -- return bus_log_parse_error(r); -- -- /* If we specified any extensions, we'll first get back exactly the -- * paths (and extension-release content) for each one of the arguments. */ -- for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { -- r = sd_bus_message_skip(reply, "{say}"); -+ /* If we specified any extensions, we'll first an array of extension-release metadata. */ -+ if (!strv_isempty(arg_extension_images)) { -+ r = sd_bus_message_skip(reply, "a{say}"); - if (r < 0) - return bus_log_parse_error(r); - } - -+ r = sd_bus_message_enter_container(reply, 'a', "{say}"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ - for (;;) { - const char *name; - -diff --git a/src/portable/portabled-bus.c b/src/portable/portabled-bus.c -index 5b992d9df8..db71057bb3 100644 ---- a/src/portable/portabled-bus.c -+++ b/src/portable/portabled-bus.c -@@ -420,6 +420,7 @@ const sd_bus_vtable manager_vtable[] = { - "t", flags), - SD_BUS_RESULT("s", image, - "ay", os_release, -+ "a{say}", extensions, - "a{say}", units), - method_get_image_metadata, - SD_BUS_VTABLE_UNPRIVILEGED), -diff --git a/src/portable/portabled-image-bus.c b/src/portable/portabled-image-bus.c -index 964035ec15..d538a4786f 100644 ---- a/src/portable/portabled-image-bus.c -+++ b/src/portable/portabled-image-bus.c -@@ -108,7 +108,6 @@ int bus_image_common_get_metadata( - _cleanup_hashmap_free_ Hashmap *unit_files = NULL; - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; - _cleanup_free_ PortableMetadata **sorted = NULL; -- PortableFlags flags = 0; - int r; - - assert(name_or_path || image); -@@ -119,8 +118,10 @@ int bus_image_common_get_metadata( - m = image->userdata; - } - -- if (sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || -- sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions")) { -+ bool have_exti = sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || -+ sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions"); -+ -+ if (have_exti) { - r = sd_bus_message_read_strv(message, &extension_images); - if (r < 0) - return r; -@@ -130,8 +131,7 @@ int bus_image_common_get_metadata( - if (r < 0) - return r; - -- if (sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || -- sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions")) { -+ if (have_exti) { - uint64_t input_flags = 0; - - r = sd_bus_message_read(message, "t", &input_flags); -@@ -142,7 +142,6 @@ int bus_image_common_get_metadata( - return sd_bus_reply_method_errorf(message, SD_BUS_ERROR_INVALID_ARGS, - "Invalid 'flags' parameter '%" PRIu64 "'", - input_flags); -- flags |= input_flags; - } - - r = bus_image_acquire(m, -@@ -185,16 +184,16 @@ int bus_image_common_get_metadata( - if (r < 0) - return r; - -- r = sd_bus_message_open_container(reply, 'a', "{say}"); -- if (r < 0) -- return r; -- - /* If it was requested, also send back the extension path and the content - * of each extension-release file. Behind a flag, as it's an incompatible - * change. */ -- if (FLAGS_SET(flags, PORTABLE_INSPECT_EXTENSION_RELEASES)) { -+ if (have_exti) { - PortableMetadata *extension_release; - -+ r = sd_bus_message_open_container(reply, 'a', "{say}"); -+ if (r < 0) -+ return r; -+ - ORDERED_HASHMAP_FOREACH(extension_release, extension_releases) { - - r = sd_bus_message_open_container(reply, 'e', "say"); -@@ -213,8 +212,16 @@ int bus_image_common_get_metadata( - if (r < 0) - return r; - } -+ -+ r = sd_bus_message_close_container(reply); -+ if (r < 0) -+ return r; - } - -+ r = sd_bus_message_open_container(reply, 'a', "{say}"); -+ if (r < 0) -+ return r; -+ - for (size_t i = 0; i < hashmap_size(unit_files); i++) { - - r = sd_bus_message_open_container(reply, 'e', "say"); -@@ -866,6 +873,7 @@ const sd_bus_vtable image_vtable[] = { - "t", flags), - SD_BUS_RESULT("s", image, - "ay", os_release, -+ "a{say}", extensions, - "a{say}", units), - bus_image_method_get_metadata, - SD_BUS_VTABLE_UNPRIVILEGED), --- -2.33.0 - diff --git a/backport-portable-inline-one-variable-declaration.patch b/backport-portable-inline-one-variable-declaration.patch deleted file mode 100644 index 5b6ffda..0000000 --- a/backport-portable-inline-one-variable-declaration.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f1f790658be65ba281d101d651f853701a829250 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 3 Mar 2022 19:13:20 +0100 -Subject: [PATCH] portable: inline one variable declaration - -(cherry picked from commit 90e3f3581dd578a23aec9f63ca846babfe4fcaa0) -(cherry picked from commit 06d466a05c69e39058f109700c8a6c10bd4c2c89) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f1f790658be65ba281d101d651f853701a829250 ---- - src/portable/portabled-image-bus.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/src/portable/portabled-image-bus.c b/src/portable/portabled-image-bus.c -index 3e6310f23e..964035ec15 100644 ---- a/src/portable/portabled-image-bus.c -+++ b/src/portable/portabled-image-bus.c -@@ -109,7 +109,6 @@ int bus_image_common_get_metadata( - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; - _cleanup_free_ PortableMetadata **sorted = NULL; - PortableFlags flags = 0; -- size_t i; - int r; - - assert(name_or_path || image); -@@ -216,7 +215,7 @@ int bus_image_common_get_metadata( - } - } - -- for (i = 0; i < hashmap_size(unit_files); i++) { -+ for (size_t i = 0; i < hashmap_size(unit_files); i++) { - - r = sd_bus_message_open_container(reply, 'e', "say"); - if (r < 0) --- -2.33.0 - diff --git a/backport-portable-move-profile-search-helper-to-path-lookup.patch b/backport-portable-move-profile-search-helper-to-path-lookup.patch deleted file mode 100644 index 5b90cbd..0000000 --- a/backport-portable-move-profile-search-helper-to-path-lookup.patch +++ /dev/null @@ -1,139 +0,0 @@ -From 494652d95c620f0191f5c7c8f30956e9e98dd62b Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Fri, 26 Nov 2021 17:50:34 +0000 -Subject: [PATCH] portable: move profile search helper to path-lookup - -Will be used in systemd-analyze later - -(cherry picked from commit 13c02e7bd54e4420c392bd76c0fcf1846c10f99c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/494652d95c620f0191f5c7c8f30956e9e98dd62b ---- - src/basic/path-lookup.c | 28 ++++++++++++++++++++++++++++ - src/basic/path-lookup.h | 3 +++ - src/portable/portable.c | 33 ++------------------------------- - 3 files changed, 33 insertions(+), 31 deletions(-) - -diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c -index 05eb17d66c..83adf4767e 100644 ---- a/src/basic/path-lookup.c -+++ b/src/basic/path-lookup.c -@@ -8,6 +8,7 @@ - #include "fs-util.h" - #include "log.h" - #include "macro.h" -+#include "nulstr-util.h" - #include "path-lookup.h" - #include "path-util.h" - #include "stat-util.h" -@@ -864,3 +865,30 @@ char **env_generator_binary_paths(bool is_system) { - - return TAKE_PTR(paths); - } -+ -+int find_portable_profile(const char *name, const char *unit, char **ret_path) { -+ const char *p, *dot; -+ -+ assert(name); -+ assert(ret_path); -+ -+ assert_se(dot = strrchr(unit, '.')); -+ -+ NULSTR_FOREACH(p, PORTABLE_PROFILE_DIRS) { -+ _cleanup_free_ char *joined = NULL; -+ -+ joined = strjoin(p, "/", name, "/", dot + 1, ".conf"); -+ if (!joined) -+ return -ENOMEM; -+ -+ if (laccess(joined, F_OK) >= 0) { -+ *ret_path = TAKE_PTR(joined); -+ return 0; -+ } -+ -+ if (errno != ENOENT) -+ return -errno; -+ } -+ -+ return -ENOENT; -+} -diff --git a/src/basic/path-lookup.h b/src/basic/path-lookup.h -index 088bb9b57c..af85dc7b4f 100644 ---- a/src/basic/path-lookup.h -+++ b/src/basic/path-lookup.h -@@ -72,3 +72,6 @@ char **env_generator_binary_paths(bool is_system); - - #define NETWORK_DIRS ((const char* const*) CONF_PATHS_STRV("systemd/network")) - #define NETWORK_DIRS_NULSTR CONF_PATHS_NULSTR("systemd/network") -+ -+#define PORTABLE_PROFILE_DIRS CONF_PATHS_NULSTR("systemd/portable/profile") -+int find_portable_profile(const char *name, const char *unit, char **ret_path); -diff --git a/src/portable/portable.c b/src/portable/portable.c -index 02f4a692b0..8c5e5b6821 100644 ---- a/src/portable/portable.c -+++ b/src/portable/portable.c -@@ -37,8 +37,6 @@ - #include "tmpfile-util.h" - #include "user-util.h" - --static const char profile_dirs[] = CONF_PATHS_NULSTR("systemd/portable/profile"); -- - /* Markers used in the first line of our 20-portable.conf unit file drop-in to determine, that a) the unit file was - * dropped there by the portable service logic and b) for which image it was dropped there. */ - #define PORTABLE_DROPIN_MARKER_BEGIN "# Drop-in created for image '" -@@ -967,33 +965,6 @@ static int install_chroot_dropin( - return 0; - } - --static int find_profile(const char *name, const char *unit, char **ret) { -- const char *p, *dot; -- -- assert(name); -- assert(ret); -- -- assert_se(dot = strrchr(unit, '.')); -- -- NULSTR_FOREACH(p, profile_dirs) { -- _cleanup_free_ char *joined = NULL; -- -- joined = strjoin(p, "/", name, "/", dot + 1, ".conf"); -- if (!joined) -- return -ENOMEM; -- -- if (laccess(joined, F_OK) >= 0) { -- *ret = TAKE_PTR(joined); -- return 0; -- } -- -- if (errno != ENOENT) -- return -errno; -- } -- -- return -ENOENT; --} -- - static int install_profile_dropin( - const char *image_path, - const PortableMetadata *m, -@@ -1014,7 +985,7 @@ static int install_profile_dropin( - if (!profile) - return 0; - -- r = find_profile(profile, m->name, &from); -+ r = find_portable_profile(profile, m->name, &from); - if (r < 0) { - if (r != -ENOENT) - return log_debug_errno(errno, "Profile '%s' is not accessible: %m", profile); -@@ -1731,7 +1702,7 @@ int portable_get_state( - int portable_get_profiles(char ***ret) { - assert(ret); - -- return conf_files_list_nulstr(ret, NULL, NULL, CONF_FILES_DIRECTORY|CONF_FILES_BASENAME|CONF_FILES_FILTER_MASKED, profile_dirs); -+ return conf_files_list_nulstr(ret, NULL, NULL, CONF_FILES_DIRECTORY|CONF_FILES_BASENAME|CONF_FILES_FILTER_MASKED, PORTABLE_PROFILE_DIRS); - } - - static const char* const portable_change_type_table[_PORTABLE_CHANGE_TYPE_MAX] = { --- -2.33.0 - diff --git a/backport-portablectl-reorder-if-branches-to-match-previous-co.patch b/backport-portablectl-reorder-if-branches-to-match-previous-co.patch deleted file mode 100644 index 3298903..0000000 --- a/backport-portablectl-reorder-if-branches-to-match-previous-co.patch +++ /dev/null @@ -1,42 +0,0 @@ -From b57a0605dd294c00ed34d7bad08a9c33f9810a2d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 3 Mar 2022 18:56:06 +0100 -Subject: [PATCH] portablectl: reorder if branches to match previous - conditional in the same function - -One is a ternary op, the other an normal conditional, but they should still use -the same order of branches. - -(cherry picked from commit 573e33de078956ded078653ef3f90f93469b4dbf) -(cherry picked from commit 7856dc310906cb8b09d27b7175b322129bd619b6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b57a0605dd294c00ed34d7bad08a9c33f9810a2d ---- - src/portable/portablectl.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c -index af5e78c998..827d7a7b4a 100644 ---- a/src/portable/portablectl.c -+++ b/src/portable/portablectl.c -@@ -927,12 +927,13 @@ static int detach_image(int argc, char *argv[], void *userdata) { - if (r < 0) - return r; - -- if (!strv_isempty(arg_extension_images)) { -+ if (strv_isempty(arg_extension_images)) -+ r = sd_bus_message_append(m, "b", arg_runtime); -+ else { - uint64_t flags = arg_runtime ? PORTABLE_RUNTIME : 0; - - r = sd_bus_message_append(m, "t", flags); -- } else -- r = sd_bus_message_append(m, "b", arg_runtime); -+ } - if (r < 0) - return bus_log_create_error(r); - --- -2.33.0 - diff --git a/backport-portabled-error-out-if-there-are-no-units-only-after.patch b/backport-portabled-error-out-if-there-are-no-units-only-after.patch deleted file mode 100644 index fc8fe1c..0000000 --- a/backport-portabled-error-out-if-there-are-no-units-only-after.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 6ea63e538eaa13e1efacd33e4ade2cd096b818e0 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Wed, 18 Aug 2021 16:37:13 +0100 -Subject: [PATCH] portabled: error out if there are no units only after parsing - all images - -It's ok if the OS image doesn't have matching units, if we find them -in the extensions. Tidies up the parsing logic a bit. - -(cherry picked from commit 7bf5ec4538cd4c77979dd9d09d9e9429a0a3535c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/6ea63e538eaa13e1efacd33e4ade2cd096b818e0 ---- - src/portable/portable.c | 29 ++++++++++++++++++++++++++--- - 1 file changed, 26 insertions(+), 3 deletions(-) - -diff --git a/src/portable/portable.c b/src/portable/portable.c -index 5ecbeec2de..8550becded 100644 ---- a/src/portable/portable.c -+++ b/src/portable/portable.c -@@ -504,9 +504,6 @@ static int portable_extract_by_path( - if (extract_os_release && !os_release) - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image '%s' lacks os-release data, refusing.", path); - -- if (!extract_os_release && hashmap_isempty(unit_files)) -- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Couldn't find any matching unit files in image '%s', refusing.", path); -- - if (ret_unit_files) - *ret_unit_files = TAKE_PTR(unit_files); - -@@ -573,6 +570,19 @@ int portable_extract( - return r; - } - -+ if (hashmap_isempty(unit_files)) { -+ _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); -+ if (!extensions) -+ return -ENOMEM; -+ -+ return sd_bus_error_setf(error, -+ SD_BUS_ERROR_INVALID_ARGS, -+ "Couldn't find any matching unit files in image '%s%s%s', refusing.", -+ image->path, -+ isempty(extensions) ? "" : "' or any of its extensions '", -+ isempty(extensions) ? "" : extensions); -+ } -+ - *ret_os_release = TAKE_PTR(os_release); - *ret_unit_files = TAKE_PTR(unit_files); - -@@ -1189,6 +1199,19 @@ int portable_attach( - return r; - } - -+ if (hashmap_isempty(unit_files)) { -+ _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); -+ if (!extensions) -+ return -ENOMEM; -+ -+ return sd_bus_error_setf(error, -+ SD_BUS_ERROR_INVALID_ARGS, -+ "Couldn't find any matching unit files in image '%s%s%s', refusing.", -+ image->path, -+ isempty(extensions) ? "" : "' or any of its extensions '", -+ isempty(extensions) ? "" : extensions); -+ } -+ - r = lookup_paths_init(&paths, UNIT_FILE_SYSTEM, LOOKUP_PATHS_SPLIT_USR, NULL); - if (r < 0) - return r; --- -2.33.0 - diff --git a/backport-portabled-refactor-extraction-validation-into-a-comm.patch b/backport-portabled-refactor-extraction-validation-into-a-comm.patch deleted file mode 100644 index 9534602..0000000 --- a/backport-portabled-refactor-extraction-validation-into-a-comm.patch +++ /dev/null @@ -1,245 +0,0 @@ -From 04934ab329767b4a1fde60438f769f9eb055fd9d Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Mon, 6 Sep 2021 13:19:47 +0100 -Subject: [PATCH] portabled: refactor extraction/validation into a common - helper - -(cherry picked from commit 9ff61565be1efe5cc962964cde1af2278e554e9e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/04934ab329767b4a1fde60438f769f9eb055fd9d ---- - src/portable/portable.c | 169 ++++++++++++++++++++++------------------ - 1 file changed, 92 insertions(+), 77 deletions(-) - -diff --git a/src/portable/portable.c b/src/portable/portable.c -index 765aedf852..02f4a692b0 100644 ---- a/src/portable/portable.c -+++ b/src/portable/portable.c -@@ -528,14 +528,18 @@ static int portable_extract_by_path( - return 0; - } - --int portable_extract( -+static int extract_image_and_extensions( - const char *name_or_path, - char **matches, - char **extension_image_paths, -+ bool validate_sysext, -+ Image **ret_image, -+ OrderedHashmap **ret_extension_images, - PortableMetadata **ret_os_release, - Hashmap **ret_unit_files, - sd_bus_error *error) { - -+ _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL; - _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; - _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; - _cleanup_hashmap_free_ Hashmap *unit_files = NULL; -@@ -544,6 +548,9 @@ int portable_extract( - int r; - - assert(name_or_path); -+ assert(matches); -+ assert(ret_image); -+ assert(ret_extension_images); - - r = image_find_harder(IMAGE_PORTABLE, name_or_path, NULL, &image); - if (r < 0) -@@ -574,17 +581,91 @@ int portable_extract( - if (r < 0) - return r; - -+ /* If we are layering extension images on top of a runtime image, check that the os-release and extension-release metadata -+ * match, otherwise reject it immediately as invalid, or it will fail when the units are started. */ -+ if (validate_sysext) { -+ _cleanup_fclose_ FILE *f = NULL; -+ -+ r = take_fdopen_unlocked(&os_release->fd, "r", &f); -+ if (r < 0) -+ return r; -+ -+ r = parse_env_file(f, os_release->name, -+ "ID", &id, -+ "VERSION_ID", &version_id, -+ "SYSEXT_LEVEL", &sysext_level); -+ if (r < 0) -+ return r; -+ } -+ - ORDERED_HASHMAP_FOREACH(ext, extension_images) { -+ _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL; - _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; -+ _cleanup_strv_free_ char **extension_release = NULL; -+ _cleanup_fclose_ FILE *f = NULL; - -- r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, NULL, &extra_unit_files, error); -+ r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error); - if (r < 0) - return r; -+ - r = hashmap_move(unit_files, extra_unit_files); - if (r < 0) - return r; -+ -+ if (!validate_sysext) -+ continue; -+ -+ r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f); -+ if (r < 0) -+ return r; -+ -+ r = load_env_file_pairs(f, extension_release_meta->name, &extension_release); -+ if (r < 0) -+ return r; -+ -+ r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); -+ if (r == 0) -+ return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); -+ if (r < 0) -+ return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); - } - -+ *ret_image = TAKE_PTR(image); -+ *ret_extension_images = TAKE_PTR(extension_images); -+ if (ret_os_release) -+ *ret_os_release = TAKE_PTR(os_release); -+ if (ret_unit_files) -+ *ret_unit_files = TAKE_PTR(unit_files); -+ -+ return 0; -+} -+ -+int portable_extract( -+ const char *name_or_path, -+ char **matches, -+ char **extension_image_paths, -+ PortableMetadata **ret_os_release, -+ Hashmap **ret_unit_files, -+ sd_bus_error *error) { -+ -+ _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; -+ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; -+ _cleanup_hashmap_free_ Hashmap *unit_files = NULL; -+ _cleanup_(image_unrefp) Image *image = NULL; -+ int r; -+ -+ r = extract_image_and_extensions(name_or_path, -+ matches, -+ extension_image_paths, -+ /* validate_sysext= */ false, -+ &image, -+ &extension_images, -+ &os_release, -+ &unit_files, -+ error); -+ if (r < 0) -+ return r; -+ - if (hashmap_isempty(unit_files)) { - _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); - if (!extensions) -@@ -1166,91 +1247,25 @@ int portable_attach( - size_t *n_changes, - sd_bus_error *error) { - -- _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL; -- _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; - _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; - _cleanup_hashmap_free_ Hashmap *unit_files = NULL; - _cleanup_(lookup_paths_free) LookupPaths paths = {}; - _cleanup_(image_unrefp) Image *image = NULL; - PortableMetadata *item; -- Image *ext; -- char **p; - int r; - -- assert(name_or_path); -- -- r = image_find_harder(IMAGE_PORTABLE, name_or_path, NULL, &image); -- if (r < 0) -- return r; -- if (!strv_isempty(extension_image_paths)) { -- extension_images = ordered_hashmap_new(&image_hash_ops); -- if (!extension_images) -- return -ENOMEM; -- -- STRV_FOREACH(p, extension_image_paths) { -- _cleanup_(image_unrefp) Image *new = NULL; -- -- r = image_find_harder(IMAGE_PORTABLE, *p, NULL, &new); -- if (r < 0) -- return r; -- -- r = ordered_hashmap_put(extension_images, new->name, new); -- if (r < 0) -- return r; -- TAKE_PTR(new); -- } -- } -- -- r = portable_extract_by_path(image->path, /* path_is_extension= */ false, matches, &os_release, &unit_files, error); -+ r = extract_image_and_extensions(name_or_path, -+ matches, -+ extension_image_paths, -+ /* validate_sysext= */ true, -+ &image, -+ &extension_images, -+ /* os_release= */ NULL, -+ &unit_files, -+ error); - if (r < 0) - return r; - -- /* If we are layering extension images on top of a runtime image, check that the os-release and extension-release metadata -- * match, otherwise reject it immediately as invalid, or it will fail when the units are started. */ -- if (os_release) { -- _cleanup_fclose_ FILE *f = NULL; -- -- r = take_fdopen_unlocked(&os_release->fd, "r", &f); -- if (r < 0) -- return r; -- -- r = parse_env_file(f, os_release->name, -- "ID", &id, -- "VERSION_ID", &version_id, -- "SYSEXT_LEVEL", &sysext_level); -- if (r < 0) -- return r; -- } -- -- ORDERED_HASHMAP_FOREACH(ext, extension_images) { -- _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL; -- _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; -- _cleanup_strv_free_ char **extension_release = NULL; -- _cleanup_fclose_ FILE *f = NULL; -- -- r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error); -- if (r < 0) -- return r; -- -- r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f); -- if (r < 0) -- return r; -- -- r = load_env_file_pairs(f, extension_release_meta->name, &extension_release); -- if (r < 0) -- return r; -- -- r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); -- if (r == 0) -- return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); -- if (r < 0) -- return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); -- -- r = hashmap_move(unit_files, extra_unit_files); -- if (r < 0) -- return r; -- } -- - if (hashmap_isempty(unit_files)) { - _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); - if (!extensions) --- -2.33.0 - diff --git a/backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch b/backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch deleted file mode 100644 index e3787da..0000000 --- a/backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch +++ /dev/null @@ -1,240 +0,0 @@ -From 5453257f8caebbcfe880601de27853f2d51acbb7 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Wed, 4 Aug 2021 15:00:06 +0100 -Subject: [PATCH] portabled: validate SYSEXT_LEVEL when attaching - -When attaching a portable service with extensions, immediately validate -that the os-release and extension-release metadata values match, rather -than letting it fail when the units are started - -(cherry picked from commit 239ac0c7f72c30cab2e84d395d064c3b7384ff84) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5453257f8caebbcfe880601de27853f2d51acbb7 ---- - src/portable/portable.c | 88 ++++++++++++++++++++++++++++++++--------- - src/portable/portable.h | 1 + - 2 files changed, 71 insertions(+), 18 deletions(-) - -diff --git a/src/portable/portable.c b/src/portable/portable.c -index 8550becded..765aedf852 100644 ---- a/src/portable/portable.c -+++ b/src/portable/portable.c -@@ -11,8 +11,10 @@ - #include "dirent-util.h" - #include "discover-image.h" - #include "dissect-image.h" -+#include "env-file.h" - #include "errno-list.h" - #include "escape.h" -+#include "extension-release.h" - #include "fd-util.h" - #include "fileio.h" - #include "fs-util.h" -@@ -232,6 +234,8 @@ DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(portable_metadata_hash_ops, char, - static int extract_now( - const char *where, - char **matches, -+ const char *image_name, -+ bool path_is_extension, - int socket_fd, - PortableMetadata **ret_os_release, - Hashmap **ret_unit_files) { -@@ -241,6 +245,7 @@ static int extract_now( - _cleanup_(lookup_paths_free) LookupPaths paths = {}; - _cleanup_close_ int os_release_fd = -1; - _cleanup_free_ char *os_release_path = NULL; -+ const char *os_release_id; - char **i; - int r; - -@@ -255,19 +260,27 @@ static int extract_now( - - assert(where); - -- /* First, find /etc/os-release and send it upstream (or just save it). */ -- r = open_os_release(where, &os_release_path, &os_release_fd); -+ /* First, find os-release/extension-release and send it upstream (or just save it). */ -+ if (path_is_extension) { -+ os_release_id = strjoina("/usr/lib/extension-release.d/extension-release.", image_name); -+ r = open_extension_release(where, image_name, &os_release_path, &os_release_fd); -+ } else { -+ os_release_id = "/etc/os-release"; -+ r = open_os_release(where, &os_release_path, &os_release_fd); -+ } - if (r < 0) -- log_debug_errno(r, "Couldn't acquire os-release file, ignoring: %m"); -+ log_debug_errno(r, -+ "Couldn't acquire %s file, ignoring: %m", -+ path_is_extension ? "extension-release " : "os-release"); - else { - if (socket_fd >= 0) { -- r = send_item(socket_fd, "/etc/os-release", os_release_fd); -+ r = send_item(socket_fd, os_release_id, os_release_fd); - if (r < 0) - return log_debug_errno(r, "Failed to send os-release file: %m"); - } - - if (ret_os_release) { -- os_release = portable_metadata_new("/etc/os-release", NULL, os_release_fd); -+ os_release = portable_metadata_new(os_release_id, NULL, os_release_fd); - if (!os_release) - return -ENOMEM; - -@@ -353,7 +366,7 @@ static int extract_now( - - static int portable_extract_by_path( - const char *path, -- bool extract_os_release, -+ bool path_is_extension, - char **matches, - PortableMetadata **ret_os_release, - Hashmap **ret_unit_files, -@@ -371,7 +384,7 @@ static int portable_extract_by_path( - /* We can't turn this into a loop-back block device, and this returns EISDIR? Then this is a directory - * tree and not a raw device. It's easy then. */ - -- r = extract_now(path, matches, -1, &os_release, &unit_files); -+ r = extract_now(path, matches, NULL, path_is_extension, -1, &os_release, &unit_files); - if (r < 0) - return r; - -@@ -428,7 +441,7 @@ static int portable_extract_by_path( - - seq[0] = safe_close(seq[0]); - -- if (!extract_os_release) -+ if (path_is_extension) - flags |= DISSECT_IMAGE_VALIDATE_OS_EXT; - else - flags |= DISSECT_IMAGE_VALIDATE_OS; -@@ -439,7 +452,7 @@ static int portable_extract_by_path( - goto child_finish; - } - -- r = extract_now(tmpdir, matches, seq[1], NULL, NULL); -+ r = extract_now(tmpdir, matches, m->image_name, path_is_extension, seq[1], NULL, NULL); - - child_finish: - _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS); -@@ -485,7 +498,7 @@ static int portable_extract_by_path( - - add = NULL; - -- } else if (PORTABLE_METADATA_IS_OS_RELEASE(add)) { -+ } else if (PORTABLE_METADATA_IS_OS_RELEASE(add) || PORTABLE_METADATA_IS_EXTENSION_RELEASE(add)) { - - assert(!os_release); - os_release = TAKE_PTR(add); -@@ -499,10 +512,12 @@ static int portable_extract_by_path( - child = 0; - } - -- /* When the portable image is layered, the image with units will not -- * have a full filesystem, so no os-release - it will be in the root layer */ -- if (extract_os_release && !os_release) -- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image '%s' lacks os-release data, refusing.", path); -+ if (!os_release) -+ return sd_bus_error_setf(error, -+ SD_BUS_ERROR_INVALID_ARGS, -+ "Image '%s' lacks %s data, refusing.", -+ path, -+ path_is_extension ? "extension-release" : "os-release"); - - if (ret_unit_files) - *ret_unit_files = TAKE_PTR(unit_files); -@@ -555,14 +570,14 @@ int portable_extract( - } - } - -- r = portable_extract_by_path(image->path, true, matches, &os_release, &unit_files, error); -+ r = portable_extract_by_path(image->path, /* path_is_extension= */ false, matches, &os_release, &unit_files, error); - if (r < 0) - return r; - - ORDERED_HASHMAP_FOREACH(ext, extension_images) { - _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; - -- r = portable_extract_by_path(ext->path, false, matches, NULL, &extra_unit_files, error); -+ r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, NULL, &extra_unit_files, error); - if (r < 0) - return r; - r = hashmap_move(unit_files, extra_unit_files); -@@ -1151,6 +1166,8 @@ int portable_attach( - size_t *n_changes, - sd_bus_error *error) { - -+ _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL; -+ _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; - _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; - _cleanup_hashmap_free_ Hashmap *unit_files = NULL; - _cleanup_(lookup_paths_free) LookupPaths paths = {}; -@@ -1184,16 +1201,51 @@ int portable_attach( - } - } - -- r = portable_extract_by_path(image->path, true, matches, NULL, &unit_files, error); -+ r = portable_extract_by_path(image->path, /* path_is_extension= */ false, matches, &os_release, &unit_files, error); - if (r < 0) - return r; - -+ /* If we are layering extension images on top of a runtime image, check that the os-release and extension-release metadata -+ * match, otherwise reject it immediately as invalid, or it will fail when the units are started. */ -+ if (os_release) { -+ _cleanup_fclose_ FILE *f = NULL; -+ -+ r = take_fdopen_unlocked(&os_release->fd, "r", &f); -+ if (r < 0) -+ return r; -+ -+ r = parse_env_file(f, os_release->name, -+ "ID", &id, -+ "VERSION_ID", &version_id, -+ "SYSEXT_LEVEL", &sysext_level); -+ if (r < 0) -+ return r; -+ } -+ - ORDERED_HASHMAP_FOREACH(ext, extension_images) { -+ _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL; - _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; -+ _cleanup_strv_free_ char **extension_release = NULL; -+ _cleanup_fclose_ FILE *f = NULL; -+ -+ r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error); -+ if (r < 0) -+ return r; - -- r = portable_extract_by_path(ext->path, false, matches, NULL, &extra_unit_files, error); -+ r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f); - if (r < 0) - return r; -+ -+ r = load_env_file_pairs(f, extension_release_meta->name, &extension_release); -+ if (r < 0) -+ return r; -+ -+ r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); -+ if (r == 0) -+ return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); -+ if (r < 0) -+ return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); -+ - r = hashmap_move(unit_files, extra_unit_files); - if (r < 0) - return r; -diff --git a/src/portable/portable.h b/src/portable/portable.h -index dd080edf4e..94144287ae 100644 ---- a/src/portable/portable.h -+++ b/src/portable/portable.h -@@ -16,6 +16,7 @@ typedef struct PortableMetadata { - } PortableMetadata; - - #define PORTABLE_METADATA_IS_OS_RELEASE(m) (streq((m)->name, "/etc/os-release")) -+#define PORTABLE_METADATA_IS_EXTENSION_RELEASE(m) (startswith((m)->name, "/usr/lib/extension-release.d/extension-release.")) - #define PORTABLE_METADATA_IS_UNIT(m) (!IN_SET((m)->name[0], 0, '/')) - - typedef enum PortableFlags { --- -2.33.0 - diff --git a/backport-process-util-wait-for-processes-we-killed-even-if-ki.patch b/backport-process-util-wait-for-processes-we-killed-even-if-ki.patch deleted file mode 100644 index 4250b70..0000000 --- a/backport-process-util-wait-for-processes-we-killed-even-if-ki.patch +++ /dev/null @@ -1,46 +0,0 @@ -From deda69dad784f9c4367533555ff4d7bf6308c0ff Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 3 Nov 2021 15:54:28 +0100 -Subject: [PATCH] process-util: wait for processes we killed even if killing - failed - -The processes might be zombies in which case killing will fail, but -reaping them still matters. - -(cherry picked from commit 2c1612100daae9cef1b71c06ae4c4ec5f9378f09) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/deda69dad784f9c4367533555ff4d7bf6308c0ff ---- - src/basic/process-util.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/basic/process-util.c b/src/basic/process-util.c -index 14259ea8df..461bbfe9a5 100644 ---- a/src/basic/process-util.c -+++ b/src/basic/process-util.c -@@ -858,8 +858,8 @@ int wait_for_terminate_with_timeout(pid_t pid, usec_t timeout) { - void sigkill_wait(pid_t pid) { - assert(pid > 1); - -- if (kill(pid, SIGKILL) >= 0) -- (void) wait_for_terminate(pid, NULL); -+ (void) kill(pid, SIGKILL); -+ (void) wait_for_terminate(pid, NULL); - } - - void sigkill_waitp(pid_t *pid) { -@@ -876,8 +876,8 @@ void sigkill_waitp(pid_t *pid) { - void sigterm_wait(pid_t pid) { - assert(pid > 1); - -- if (kill_and_sigcont(pid, SIGTERM) >= 0) -- (void) wait_for_terminate(pid, NULL); -+ (void) kill_and_sigcont(pid, SIGTERM); -+ (void) wait_for_terminate(pid, NULL); - } - - int kill_and_sigcont(pid_t pid, int sig) { --- -2.33.0 - diff --git a/backport-random-util-use-ssize_t-for-getrandom-return-value.patch b/backport-random-util-use-ssize_t-for-getrandom-return-value.patch deleted file mode 100644 index df57885..0000000 --- a/backport-random-util-use-ssize_t-for-getrandom-return-value.patch +++ /dev/null @@ -1,81 +0,0 @@ -From a7ba75de06efb5a1d962c4b250f66e49e1d3ac6a Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Fri, 24 Dec 2021 19:20:36 -0500 -Subject: [PATCH] random-util: use ssize_t for getrandom return value - -This matches the prototype provided by glibc. - -(cherry picked from commit 289b41aae7356b7a6c72ff4a3476193a084ff33f) -(cherry picked from commit 4d889024ef5ba1edc5d967a010a2551e0826e5d7) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a7ba75de06efb5a1d962c4b250f66e49e1d3ac6a ---- - src/basic/missing_syscall.h | 3 ++- - src/basic/random-util.c | 16 ++++++++-------- - 2 files changed, 10 insertions(+), 9 deletions(-) - -diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h -index 9e3a165857..279c5911bd 100644 ---- a/src/basic/missing_syscall.h -+++ b/src/basic/missing_syscall.h -@@ -57,7 +57,8 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) { - /* ======================================================================= */ - - #if !HAVE_GETRANDOM --static inline int missing_getrandom(void *buffer, size_t count, unsigned flags) { -+/* glibc says getrandom() returns ssize_t */ -+static inline ssize_t missing_getrandom(void *buffer, size_t count, unsigned flags) { - # ifdef __NR_getrandom - return syscall(__NR_getrandom, buffer, count, flags); - # else -diff --git a/src/basic/random-util.c b/src/basic/random-util.c -index c2be962355..e117330857 100644 ---- a/src/basic/random-util.c -+++ b/src/basic/random-util.c -@@ -161,7 +161,6 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { - static int have_syscall = -1; - _cleanup_close_ int fd = -1; - bool got_some = false; -- int r; - - /* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from - * the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK -@@ -220,18 +219,19 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { - if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) { - - for (;;) { -- r = getrandom(p, n, -+ ssize_t l; -+ l = getrandom(p, n, - (FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK) | - (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE) ? GRND_INSECURE : 0)); -- if (r > 0) { -+ if (l > 0) { - have_syscall = true; - -- if ((size_t) r == n) -+ if ((size_t) l == n) - return 0; /* Yay, success! */ - -- assert((size_t) r < n); -- p = (uint8_t*) p + r; -- n -= r; -+ assert((size_t) l < n); -+ p = (uint8_t*) p + l; -+ n -= l; - - if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { - /* Fill in the remaining bytes using pseudo-random values */ -@@ -248,7 +248,7 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { - /* Fill in the rest with /dev/urandom */ - break; - -- } else if (r == 0) { -+ } else if (l == 0) { - have_syscall = true; - return -EIO; - --- -2.33.0 - diff --git a/backport-repart-use-real-disk-start-end-for-bar-production.patch b/backport-repart-use-real-disk-start-end-for-bar-production.patch deleted file mode 100644 index 5c32308..0000000 --- a/backport-repart-use-real-disk-start-end-for-bar-production.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 0c3c3db042a24d11da7accf777029fbaf8db5a29 Mon Sep 17 00:00:00 2001 -From: Tom Yan -Date: Mon, 20 Dec 2021 01:30:38 +0800 -Subject: [PATCH] repart: use real disk start/end for bar production - -Partitions are not always within our aligned scope. Bar printing -involves foreign partitions as well. - -Fixes #21817. - -(cherry picked from commit d8daed09f37bc9f8ecb9268a4e371f65aec8b24a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0c3c3db042a24d11da7accf777029fbaf8db5a29 ---- - src/partition/repart.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/src/partition/repart.c b/src/partition/repart.c -index 7602ac6aa8..9f0fe9e10d 100644 ---- a/src/partition/repart.c -+++ b/src/partition/repart.c -@@ -2103,16 +2103,14 @@ static void context_bar_char_process_partition( - from = p->offset; - to = from + p->new_size; - -- assert(context->end >= context->start); -- total = context->end - context->start; -+ assert(context->total > 0); -+ total = context->total; - -- assert(from >= context->start); -- assert(from <= context->end); -- x = (from - context->start) * n / total; -+ assert(from <= total); -+ x = from * n / total; - -- assert(to >= context->start); -- assert(to <= context->end); -- y = (to - context->start) * n / total; -+ assert(to <= total); -+ y = to * n / total; - - assert(x <= y); - assert(y <= n); --- -2.33.0 - diff --git a/backport-repart-use-right-error-variable.patch b/backport-repart-use-right-error-variable.patch deleted file mode 100644 index 620cde1..0000000 --- a/backport-repart-use-right-error-variable.patch +++ /dev/null @@ -1,38 +0,0 @@ -From b57f76bff912de738a8da8feceb298160bebab26 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 5 Oct 2021 14:10:27 +0200 -Subject: [PATCH] repart: use right error variable - -(cherry picked from commit 8ac04a65477b59c9143b635c0c0daa5152d9b466) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b57f76bff912de738a8da8feceb298160bebab26 ---- - src/partition/repart.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/partition/repart.c b/src/partition/repart.c -index 851c68cc4b..3c80d1380a 100644 ---- a/src/partition/repart.c -+++ b/src/partition/repart.c -@@ -2784,7 +2784,7 @@ static int context_copy_blocks(Context *context) { - return log_error_errno(r, "Failed to copy in data from '%s': %m", p->copy_blocks_path); - - if (fsync(target_fd) < 0) -- return log_error_errno(r, "Failed to synchronize copied data blocks: %m"); -+ return log_error_errno(errno, "Failed to synchronize copied data blocks: %m"); - - if (p->encrypt != ENCRYPT_OFF) { - encrypted_dev_fd = safe_close(encrypted_dev_fd); -@@ -3060,7 +3060,7 @@ static int context_mkfs(Context *context) { - - if (p->encrypt != ENCRYPT_OFF) { - if (fsync(encrypted_dev_fd) < 0) -- return log_error_errno(r, "Failed to synchronize LUKS volume: %m"); -+ return log_error_errno(errno, "Failed to synchronize LUKS volume: %m"); - encrypted_dev_fd = safe_close(encrypted_dev_fd); - - r = deactivate_luks(cd, encrypted); --- -2.33.0 - diff --git a/backport-resolvconf-compat-make-u-operation-a-NOP.patch b/backport-resolvconf-compat-make-u-operation-a-NOP.patch deleted file mode 100644 index 2b371f2..0000000 --- a/backport-resolvconf-compat-make-u-operation-a-NOP.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 4fe53426991e829c0add9378d91f3677a23076fd Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 29 Sep 2021 10:48:24 +0200 -Subject: [PATCH] resolvconf-compat: make "-u" operation a NOP - -According to the various man pages of "resolvconf" the -u switch is for: - -"-u Just run the update scripts (if updating is enabled)." - -"-u Force resolvconf to update all its subscribers. resolvconf does not - update the subscribers when adding a resolv.conf that matches what - it already has for that interface." - -We have no "subscribers", we ourselves are the only "subscriber" we -support. Hence it's probably better to ignore such a request and make it -a NOP, then to fail. - -Fixes: #20748 -(cherry picked from commit bee07a399572e0d60600c040a84099ecb418ed33) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4fe53426991e829c0add9378d91f3677a23076fd ---- - src/resolve/resolvconf-compat.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/src/resolve/resolvconf-compat.c b/src/resolve/resolvconf-compat.c -index 93ded6d564..991c62e21d 100644 ---- a/src/resolve/resolvconf-compat.c -+++ b/src/resolve/resolvconf-compat.c -@@ -39,8 +39,8 @@ static int resolvconf_help(void) { - "This is a compatibility alias for the resolvectl(1) tool, providing native\n" - "command line compatibility with the resolvconf(8) tool of various Linux\n" - "distributions and BSD systems. Some options supported by other implementations\n" -- "are not supported and are ignored: -m, -p. Various options supported by other\n" -- "implementations are not supported and will cause the invocation to fail: -u,\n" -+ "are not supported and are ignored: -m, -p, -u. Various options supported by other\n" -+ "implementations are not supported and will cause the invocation to fail:\n" - "-I, -i, -l, -R, -r, -v, -V, --enable-updates, --disable-updates,\n" - "--updates-are-enabled.\n" - "\nSee the %2$s for details.\n", -@@ -171,8 +171,11 @@ int resolvconf_parse_argv(int argc, char *argv[]) { - log_debug("Switch -%c ignored.", c); - break; - -- /* Everybody else can agree on the existence of -u but we don't support it. */ -+ /* -u supposedly should "update all subscribers". We have no subscribers, hence let's make -+ this a NOP, and exit immediately, cleanly. */ - case 'u': -+ log_info("Switch -%c ignored.", c); -+ return 0; - - /* The following options are openresolv inventions we don't support. */ - case 'I': --- -2.33.0 - diff --git a/backport-resolve-add-reference-of-the-original-bus-message-to.patch b/backport-resolve-add-reference-of-the-original-bus-message-to.patch deleted file mode 100644 index 578c244..0000000 --- a/backport-resolve-add-reference-of-the-original-bus-message-to.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 965e8b5a691d05b32ecadbe1d4d00de2200492c2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 11 Feb 2022 09:43:16 +0900 -Subject: [PATCH] resolve: add reference of the original bus message to the aux - queries - -Otherwise, the error in aux queries cannot be replied. - -Fixes #22477. - -(cherry picked from commit 08275791d85a1852e79951212f6cbbc727db789a) -(cherry picked from commit 919d398668d2baa1873e61f7f502fac910a9d606) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/965e8b5a691d05b32ecadbe1d4d00de2200492c2 ---- - src/resolve/resolved-bus.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c -index ed06895ed9..61d4b50c5b 100644 ---- a/src/resolve/resolved-bus.c -+++ b/src/resolve/resolved-bus.c -@@ -1137,6 +1137,7 @@ static int resolve_service_hostname(DnsQuery *q, DnsResourceRecord *rr, int ifin - if (r < 0) - return r; - -+ aux->bus_request = sd_bus_message_ref(q->bus_request); - aux->request_family = q->request_family; - aux->complete = resolve_service_hostname_complete; - --- -2.33.0 - diff --git a/backport-resolve-drop-never-matched-condition.patch b/backport-resolve-drop-never-matched-condition.patch deleted file mode 100644 index 2144bf3..0000000 --- a/backport-resolve-drop-never-matched-condition.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 7b99795c46d4cd61501a31364894f13ac3a9e60d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 23 Feb 2022 07:49:40 +0900 -Subject: [PATCH] resolve: drop never matched condition - -As dns_scope_good_domain() does not return negative errno. - -(cherry picked from commit 830f50ab1e03fa7ee262876ed42023d10e89688d) -(cherry picked from commit 499115dbc3408f9a85160099e114bbaf0bacfe84) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7b99795c46d4cd61501a31364894f13ac3a9e60d ---- - src/resolve/resolved-dns-query.c | 12 ++---------- - 1 file changed, 2 insertions(+), 10 deletions(-) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index 192bfd3bf5..4d15240e25 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -743,11 +743,7 @@ int dns_query_go(DnsQuery *q) { - continue; - - match = dns_scope_good_domain(s, q->ifindex, q->flags, name); -- if (match < 0) { -- log_debug("Couldn't check if '%s' matches against scope, ignoring.", name); -- continue; -- } -- -+ assert(match >= 0); - if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one - * that matches this well */ - found = match; -@@ -779,11 +775,7 @@ int dns_query_go(DnsQuery *q) { - continue; - - match = dns_scope_good_domain(s, q->ifindex, q->flags, name); -- if (match < 0) { -- log_debug("Couldn't check if '%s' matches against scope, ignoring.", name); -- continue; -- } -- -+ assert(match >= 0); - if (match < found) - continue; - --- -2.33.0 - diff --git a/backport-resolve-fix-assertion-triggered-when-r-0.patch b/backport-resolve-fix-assertion-triggered-when-r-0.patch deleted file mode 100644 index 61fabd1..0000000 --- a/backport-resolve-fix-assertion-triggered-when-r-0.patch +++ /dev/null @@ -1,35 +0,0 @@ -From bfa7063dac7173858ddddda7c49eda95a9dd89bf Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 20 Jan 2022 05:24:31 +0900 -Subject: [PATCH] resolve: fix assertion triggered when r == 0 - -Fixes #22178. - -(cherry picked from commit 98b1eb711cfc70776fefd3d4ec437a6a4f9aeff2) -(cherry picked from commit 740dd39e070b3b827cbac37df2a40d61bd9cdb89) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bfa7063dac7173858ddddda7c49eda95a9dd89bf ---- - src/resolve/resolved-etc-hosts.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-etc-hosts.c b/src/resolve/resolved-etc-hosts.c -index 9af3a27bb1..a8da6c3d88 100644 ---- a/src/resolve/resolved-etc-hosts.c -+++ b/src/resolve/resolved-etc-hosts.c -@@ -109,7 +109,10 @@ static int parse_line(EtcHosts *hosts, unsigned nr, const char *line) { - - r = dns_name_is_valid_ldh(name); - if (r <= 0) { -- log_warning_errno(r, "/etc/hosts:%u: hostname \"%s\" is not valid, ignoring.", nr, name); -+ if (r < 0) -+ log_warning_errno(r, "/etc/hosts:%u: Failed to check the validity of hostname \"%s\", ignoring: %m", nr, name); -+ else -+ log_warning("/etc/hosts:%u: hostname \"%s\" is not valid, ignoring.", nr, name); - continue; - } - --- -2.33.0 - diff --git a/backport-resolve-fix-heap-buffer-overflow-reported-by-ASAN-wi.patch b/backport-resolve-fix-heap-buffer-overflow-reported-by-ASAN-wi.patch deleted file mode 100644 index eef6c0e..0000000 --- a/backport-resolve-fix-heap-buffer-overflow-reported-by-ASAN-wi.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c285d500d0fe356f74f34846bc2ac0e25fe6ae42 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 8 Jul 2022 22:00:58 +0900 -Subject: [PATCH] resolve: fix heap-buffer-overflow reported by ASAN with - strict_string_checks=1 - -Fixes #23942. - -(cherry picked from commit beeab352de413e1c04de0a67ee36525fcf6e99dd) -(cherry picked from commit feb244676baa246e660b713544c2cb8766c25b34) -(cherry picked from commit 63c0ce2346cb70a2959bd539541119866223a619) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c285d500d0fe356f74f34846bc2ac0e25fe6ae42 ---- - src/resolve/resolved-dns-packet.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c -index b37f57fe67..c4cfbf7820 100644 ---- a/src/resolve/resolved-dns-packet.c -+++ b/src/resolve/resolved-dns-packet.c -@@ -1393,7 +1393,7 @@ int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start) { - if (memchr(d, 0, c)) - return -EBADMSG; - -- t = strndup(d, c); -+ t = memdup_suffix0(d, c); - if (!t) - return -ENOMEM; - --- -2.27.0 - diff --git a/backport-resolve-fix-possible-memleak.patch b/backport-resolve-fix-possible-memleak.patch deleted file mode 100644 index cc0955b..0000000 --- a/backport-resolve-fix-possible-memleak.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 11f8123bbf36801ec436dc77d42a8e253eed1fb7 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 5 Feb 2022 22:03:19 +0900 -Subject: [PATCH] resolve: fix possible memleak - -Fortunately, unlike the issue fixed in the previous commit, the memleak -should be superficial and not become apparent, as the queries handled -here are managed by the stub stream, and will be freed when the stream -is closed. - -Just for safety, and slightly reducing the runtime memory usage by the -stub stream. - -(cherry picked from commit fe8c5ce615ee2123f17b1f0b3728c439e19e4b5b) -(cherry picked from commit 4dbc210124b4303ecadb6cdb28a4a4c821e1150b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/11f8123bbf36801ec436dc77d42a8e253eed1fb7 ---- - src/resolve/resolved-dns-stub.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index 49da916576..8040db70f9 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -755,8 +755,10 @@ static void dns_stub_query_complete(DnsQuery *q) { - * packet doesn't answer our question. In that case let's restart the query, - * now with the redirected question. We'll */ - r = dns_query_go(q); -- if (r < 0) -+ if (r < 0) { - log_debug_errno(r, "Failed to restart query: %m"); -+ dns_query_free(q); -+ } - - return; - } --- -2.33.0 - diff --git a/backport-resolve-fix-potential-memleak-and-use-after-free.patch b/backport-resolve-fix-potential-memleak-and-use-after-free.patch deleted file mode 100644 index 1cc6f9b..0000000 --- a/backport-resolve-fix-potential-memleak-and-use-after-free.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 8baf04a6588bd392f606a3d55b0711cdd00b4b80 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 5 Feb 2022 21:37:01 +0900 -Subject: [PATCH] resolve: fix potential memleak and use-after-free - -When stub stream is closed early, then queries associated to the stream -are freed. Previously, the timer event source for queries may not be -disabled, hence may be triggered with already freed query. -See also dns_stub_stream_complete(). - -Note that we usually not set NULL or zero when freeing simple objects. -But, here DnsQuery is large and complicated object, and the element may -be referenced in subsequent freeing process in the future. Hence, for -safety, let's set NULL to the pointer. - -(cherry picked from commit 73bfd7be042cc63e7649242b377ad494bf74ea4b) -(cherry picked from commit d82bd80cf4e7659906a502735b20a45964b55a88) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8baf04a6588bd392f606a3d55b0711cdd00b4b80 ---- - src/resolve/resolved-dns-query.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index 7f341986d9..6d372395fe 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -381,6 +381,8 @@ DnsQuery *dns_query_free(DnsQuery *q) { - if (!q) - return NULL; - -+ q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source); -+ - while (q->auxiliary_queries) - dns_query_free(q->auxiliary_queries); - --- -2.33.0 - diff --git a/backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch b/backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch deleted file mode 100644 index dc34ed5..0000000 --- a/backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 8cc818cdc726c8185387b413e8a2f31e00d7c185 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 23 Feb 2022 07:50:30 +0900 -Subject: [PATCH] resolve: make dns_scope_good_domain() take DnsQuery* - -(cherry picked from commit 176a9a2cca47f7c1553d96f7dd51c2193a269dbc) -(cherry picked from commit 54ab65f5f3da22985126dc3ae846a777d6b555a9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8cc818cdc726c8185387b413e8a2f31e00d7c185 ---- - src/resolve/resolved-dns-query.c | 14 ++------------ - src/resolve/resolved-dns-scope.c | 21 +++++++++++++++++---- - src/resolve/resolved-dns-scope.h | 4 ++-- - 3 files changed, 21 insertions(+), 18 deletions(-) - -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index 4d15240e25..24cd7cddf5 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -736,13 +736,8 @@ int dns_query_go(DnsQuery *q) { - - LIST_FOREACH(scopes, s, q->manager->dns_scopes) { - DnsScopeMatch match; -- const char *name; - -- name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol)); -- if (!name) -- continue; -- -- match = dns_scope_good_domain(s, q->ifindex, q->flags, name); -+ match = dns_scope_good_domain(s, q); - assert(match >= 0); - if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one - * that matches this well */ -@@ -768,13 +763,8 @@ int dns_query_go(DnsQuery *q) { - - LIST_FOREACH(scopes, s, first->scopes_next) { - DnsScopeMatch match; -- const char *name; -- -- name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol)); -- if (!name) -- continue; - -- match = dns_scope_good_domain(s, q->ifindex, q->flags, name); -+ match = dns_scope_good_domain(s, q); - assert(match >= 0); - if (match < found) - continue; -diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c -index 2546d0d4da..47edba6bc3 100644 ---- a/src/resolve/resolved-dns-scope.c -+++ b/src/resolve/resolved-dns-scope.c -@@ -584,11 +584,13 @@ static DnsScopeMatch match_subnet_reverse_lookups( - - DnsScopeMatch dns_scope_good_domain( - DnsScope *s, -- int ifindex, -- uint64_t flags, -- const char *domain) { -+ DnsQuery *q) { - -+ DnsQuestion *question; - DnsSearchDomain *d; -+ const char *domain; -+ uint64_t flags; -+ int ifindex; - - /* This returns the following return values: - * -@@ -602,7 +604,18 @@ DnsScopeMatch dns_scope_good_domain( - */ - - assert(s); -- assert(domain); -+ assert(q); -+ -+ question = dns_query_question_for_protocol(q, s->protocol); -+ if (!question) -+ return DNS_SCOPE_NO; -+ -+ domain = dns_question_first_name(question); -+ if (!domain) -+ return DNS_SCOPE_NO; -+ -+ ifindex = q->ifindex; -+ flags = q->flags; - - /* Checks if the specified domain is something to look up on this scope. Note that this accepts - * non-qualified hostnames, i.e. those without any search path suffixed. */ -diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h -index a2b9546b38..1f9d22b7d1 100644 ---- a/src/resolve/resolved-dns-scope.h -+++ b/src/resolve/resolved-dns-scope.h -@@ -10,7 +10,7 @@ typedef struct DnsScope DnsScope; - #include "resolved-dns-cache.h" - #include "resolved-dns-dnssec.h" - #include "resolved-dns-packet.h" -- -+#include "resolved-dns-query.h" - #include "resolved-dns-search-domain.h" - #include "resolved-dns-server.h" - #include "resolved-dns-stream.h" -@@ -76,7 +76,7 @@ int dns_scope_emit_udp(DnsScope *s, int fd, int af, DnsPacket *p); - int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port, union sockaddr_union *ret_socket_address); - int dns_scope_socket_udp(DnsScope *s, DnsServer *server); - --DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain); -+DnsScopeMatch dns_scope_good_domain(DnsScope *s, DnsQuery *q); - bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key); - - DnsServer *dns_scope_get_dns_server(DnsScope *s); --- -2.33.0 - diff --git a/backport-resolve-mdns_packet_extract_matching_rrs-may-return-.patch b/backport-resolve-mdns_packet_extract_matching_rrs-may-return-.patch deleted file mode 100644 index 1a9209c..0000000 --- a/backport-resolve-mdns_packet_extract_matching_rrs-may-return-.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 9b1f4d855aa7b16b425545fdd888dbef918d1daa Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 4 Jul 2022 11:23:33 +0900 -Subject: [PATCH] resolve: mdns_packet_extract_matching_rrs() may return 0 - -Fixes the following assertion: - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9b1f4d855aa7b16b425545fdd888dbef918d1daa ---- -Assertion 'r > 0' failed at src/resolve/resolved-mdns.c:180, function mdns_do_tiebreak(). Aborting. - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9b1f4d855aa7b16b425545fdd888dbef918d1daa ---- - -(cherry picked from commit f2605af1f2e770818bbc6bad2561acdbd25a38ad) -(cherry picked from commit 0070302b3cdc1350bf7bfd5d032dbea420f4ed40) -(cherry picked from commit 30d24c8df600545d1878a868bcd409e65479af77) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9b1f4d855aa7b16b425545fdd888dbef918d1daa ---- - src/resolve/resolved-mdns.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c -index 24241249b1..8c8ee81da1 100644 ---- a/src/resolve/resolved-mdns.c -+++ b/src/resolve/resolved-mdns.c -@@ -165,8 +165,6 @@ static int mdns_do_tiebreak(DnsResourceKey *key, DnsAnswer *answer, DnsPacket *p - if (r < 0) - return r; - -- assert(r > 0); -- - if (proposed_rrs_cmp(remote, r, our, size) > 0) - return 1; - --- -2.27.0 - diff --git a/backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch b/backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch deleted file mode 100644 index 033898a..0000000 --- a/backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 63590abb5dd48fbcc8c0dfc5dfc1ee088382d5f7 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 11 Feb 2022 09:49:13 +0900 -Subject: [PATCH] resolve: refuse AF_UNSPEC when resolving address - -Fixes #22480. - -(cherry picked from commit 0234f0c0531682e7f28a4ef51852c102c6e97267) -(cherry picked from commit 084c88983eaecbf23e113db5a7ee11f94b60472b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/63590abb5dd48fbcc8c0dfc5dfc1ee088382d5f7 ---- - src/resolve/resolved-varlink.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-varlink.c b/src/resolve/resolved-varlink.c -index 6f4ab425ef..9a61b19e61 100644 ---- a/src/resolve/resolved-varlink.c -+++ b/src/resolve/resolved-varlink.c -@@ -484,7 +484,7 @@ static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, Var - if (p.ifindex < 0) - return varlink_error_invalid_parameter(link, JSON_VARIANT_STRING_CONST("ifindex")); - -- if (!IN_SET(p.family, AF_UNSPEC, AF_INET, AF_INET6)) -+ if (!IN_SET(p.family, AF_INET, AF_INET6)) - return varlink_error_invalid_parameter(link, JSON_VARIANT_STRING_CONST("family")); - - if (FAMILY_ADDRESS_SIZE(p.family) != p.address_size) --- -2.33.0 - diff --git a/backport-resolve-remove-server-large-level.patch b/backport-resolve-remove-server-large-level.patch deleted file mode 100644 index d51cfd9..0000000 --- a/backport-resolve-remove-server-large-level.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 0bc9811acfd2535bf8a7a16a3903a2c22df206c9 Mon Sep 17 00:00:00 2001 -From: Dan Streetman -Date: Fri, 20 Aug 2021 14:44:35 -0400 -Subject: [PATCH] resolve: remove server 'large' level - -This removes the DNS_SERVER_FEATURE_LEVEL_LARGE, and sets the EDNS0 -advertised max packet size as if always in 'large' mode. - -Without this, we always send out EDNS0 opts that limit response sizes -to 512 bytes, thus the remote server will never send anything larger -and will always truncate responses larger than 512 bytes, forcing us -to drop from EDNS0 down to TCP, even though one of the primary benefits -of EDNS0 is larger packet sizes. - -Fixes: #20993 -(cherry picked from commit 526fce97afe130f71dba3bd4646196bbb1188b82) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0bc9811acfd2535bf8a7a16a3903a2c22df206c9 ---- - src/resolve/resolved-dns-server.c | 63 +++++++++++-------------------- - src/resolve/resolved-dns-server.h | 3 +- - 2 files changed, 24 insertions(+), 42 deletions(-) - -diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c -index 58a1376708..a21148d288 100644 ---- a/src/resolve/resolved-dns-server.c -+++ b/src/resolve/resolved-dns-server.c -@@ -282,11 +282,6 @@ void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLeve - if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) - level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1; - -- /* Even if we successfully receive a reply to a request announcing support for large packets, that -- * does not mean we can necessarily receive large packets. */ -- if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) -- level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1; -- - dns_server_verified(s, level); - - /* Remember the size of the largest UDP packet fragment we received from a server, we know that we -@@ -429,7 +424,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { - * better than EDNS0, hence don't even try. */ - if (dns_server_get_dnssec_mode(s) != DNSSEC_NO) - best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ? -- DNS_SERVER_FEATURE_LEVEL_LARGE : -+ DNS_SERVER_FEATURE_LEVEL_DO : - DNS_SERVER_FEATURE_LEVEL_TLS_DO; - else - best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ? -@@ -597,7 +592,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { - } - - int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeatureLevel level) { -- size_t packet_size; -+ size_t packet_size, udp_size; - bool edns_do; - int r; - -@@ -616,40 +611,29 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature - - edns_do = level >= DNS_SERVER_FEATURE_LEVEL_DO; - -- if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) { -- size_t udp_size; -- -- /* In large mode, advertise the local MTU, in order to avoid fragmentation (for security -- * reasons) – except if we are talking to localhost (where the security considerations don't -- * matter). If we see fragmentation, lower the reported size to the largest fragment, to -- * avoid it. */ -- -- udp_size = udp_header_size(server->family); -- -- if (in_addr_is_localhost(server->family, &server->address) > 0) -- packet_size = 65536 - udp_size; /* force linux loopback MTU if localhost address */ -- else { -- /* Use the MTU pointing to the server, subtract the IP/UDP header size */ -- packet_size = LESS_BY(dns_server_get_mtu(server), udp_size); -+ udp_size = udp_header_size(server->family); - -- /* On the Internet we want to avoid fragmentation for security reasons. If we saw -- * fragmented packets, the above was too large, let's clamp it to the largest -- * fragment we saw */ -- if (server->packet_fragmented) -- packet_size = MIN(server->received_udp_fragment_max, packet_size); -- -- /* Let's not pick ridiculously large sizes, i.e. not more than 4K. No one appears -- * to ever use such large sized on the Internet IRL, hence let's not either. */ -- packet_size = MIN(packet_size, 4096U); -- } -+ if (in_addr_is_localhost(server->family, &server->address) > 0) -+ packet_size = 65536 - udp_size; /* force linux loopback MTU if localhost address */ -+ else { -+ /* Use the MTU pointing to the server, subtract the IP/UDP header size */ -+ packet_size = LESS_BY(dns_server_get_mtu(server), udp_size); -+ -+ /* On the Internet we want to avoid fragmentation for security reasons. If we saw -+ * fragmented packets, the above was too large, let's clamp it to the largest -+ * fragment we saw */ -+ if (server->packet_fragmented) -+ packet_size = MIN(server->received_udp_fragment_max, packet_size); -+ -+ /* Let's not pick ridiculously large sizes, i.e. not more than 4K. No one appears -+ * to ever use such large sized on the Internet IRL, hence let's not either. */ -+ packet_size = MIN(packet_size, 4096U); -+ } - -- /* Strictly speaking we quite possibly can receive larger datagrams than the MTU (since the -- * MTU is for egress, not for ingress), but more often than not the value is symmetric, and -- * we want something that does the right thing in the majority of cases, and not just in the -- * theoretical edge case. */ -- } else -- /* In non-large mode, let's advertise the size of the largest fragment we ever managed to accept. */ -- packet_size = server->received_udp_fragment_max; -+ /* Strictly speaking we quite possibly can receive larger datagrams than the MTU (since the -+ * MTU is for egress, not for ingress), but more often than not the value is symmetric, and -+ * we want something that does the right thing in the majority of cases, and not just in the -+ * theoretical edge case. */ - - /* Safety clamp, never advertise less than 512 or more than 65535 */ - packet_size = CLAMP(packet_size, -@@ -1097,7 +1081,6 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE - [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0", - [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0", - [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO", -- [DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE", - [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0", - }; - DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel); -diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h -index fe0eaee49c..be9efb0a79 100644 ---- a/src/resolve/resolved-dns-server.h -+++ b/src/resolve/resolved-dns-server.h -@@ -32,7 +32,6 @@ typedef enum DnsServerFeatureLevel { - DNS_SERVER_FEATURE_LEVEL_EDNS0, - DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, - DNS_SERVER_FEATURE_LEVEL_DO, -- DNS_SERVER_FEATURE_LEVEL_LARGE, - DNS_SERVER_FEATURE_LEVEL_TLS_DO, - _DNS_SERVER_FEATURE_LEVEL_MAX, - _DNS_SERVER_FEATURE_LEVEL_INVALID = -EINVAL, -@@ -43,7 +42,7 @@ typedef enum DnsServerFeatureLevel { - #define DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_EDNS0) - #define DNS_SERVER_FEATURE_LEVEL_IS_TLS(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_TLS_DO) - #define DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_DO) --#define DNS_SERVER_FEATURE_LEVEL_IS_UDP(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO, DNS_SERVER_FEATURE_LEVEL_LARGE) -+#define DNS_SERVER_FEATURE_LEVEL_IS_UDP(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO) - - const char* dns_server_feature_level_to_string(int i) _const_; - int dns_server_feature_level_from_string(const char *s) _pure_; --- -2.33.0 - diff --git a/backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch b/backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch deleted file mode 100644 index 69ebd75..0000000 --- a/backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 76016b82c683bcb15c155a8ab7ca45004894c134 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 4 Feb 2022 12:05:33 +0900 -Subject: [PATCH] resolve: synthesize empty domain only when A and/or AAAA key - is requested - -Follow-up for 3b2ac14ac45bef01cf489c3231b868936866444b (#22231). - -Before this commit. ---- -$ dig -t SRV '.' - -; <<>> DiG 9.16.24-RH <<>> -t SRV . -;; global options: +cmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16836 -;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 - -;; OPT PSEUDOSECTION: -; EDNS: version: 0, flags:; udp: 65494 -;; QUESTION SECTION: -;. IN SRV - -;; Query time: 1 msec -;; SERVER: 127.0.0.53#53(127.0.0.53) -;; WHEN: Fri Feb 04 12:01:09 JST 2022 -;; MSG SIZE rcvd: 28 ---- - -After this commit. ---- -$ dig -t SRV '.' - -; <<>> DiG 9.16.24-RH <<>> -t SRV . -;; global options: +cmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19861 -;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 - -;; OPT PSEUDOSECTION: -; EDNS: version: 0, flags:; udp: 65494 -;; QUESTION SECTION: -;. IN SRV - -;; AUTHORITY SECTION: -. 86394 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022020302 1800 900 604800 86400 - -;; Query time: 20 msec -;; SERVER: 127.0.0.53#53(127.0.0.53) -;; WHEN: Fri Feb 04 12:00:12 JST 2022 -;; MSG SIZE rcvd: 103 ---- - -Fixes #22401. - -(cherry picked from commit 30fa3aa1fa56d9a1a4f3a26c0bc02253d44dfa0f) -(cherry picked from commit d57147ef5698c50e02e5e74df8d0936230032cfe) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/76016b82c683bcb15c155a8ab7ca45004894c134 ---- - src/resolve/resolved-dns-scope.c | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - -diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c -index 47edba6bc3..360ceecdb7 100644 ---- a/src/resolve/resolved-dns-scope.c -+++ b/src/resolve/resolved-dns-scope.c -@@ -626,10 +626,6 @@ DnsScopeMatch dns_scope_good_domain( - if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, false, false) & flags) == 0) - return DNS_SCOPE_NO; - -- /* Never resolve empty name. */ -- if (dns_name_is_empty(domain)) -- return DNS_SCOPE_NO; -- - /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on - * synthesized RRs for these. */ - if (is_localhost(domain) || -@@ -658,6 +654,22 @@ DnsScopeMatch dns_scope_good_domain( - DnsScopeMatch m; - int n_best = -1; - -+ if (dns_name_is_empty(domain)) { -+ DnsResourceKey *t; -+ bool found = false; -+ -+ /* Refuse empty name if only A and/or AAAA records are requested. */ -+ -+ DNS_QUESTION_FOREACH(t, question) -+ if (!IN_SET(t->type, DNS_TYPE_A, DNS_TYPE_AAAA)) { -+ found = true; -+ break; -+ } -+ -+ if (!found) -+ return DNS_SCOPE_NO; -+ } -+ - /* Never route things to scopes that lack DNS servers */ - if (!dns_scope_get_dns_server(s)) - return DNS_SCOPE_NO; --- -2.33.0 - diff --git a/backport-resolve-synthesize-empty-name.patch b/backport-resolve-synthesize-empty-name.patch deleted file mode 100644 index 165d411..0000000 --- a/backport-resolve-synthesize-empty-name.patch +++ /dev/null @@ -1,97 +0,0 @@ -From d3331adc66af4e69f7bdc378c1c591dd27703bf2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 24 Jan 2022 06:07:33 +0900 -Subject: [PATCH] resolve: synthesize empty name - -Do not return any error for empty name. Just returns empty answer. - -Before: ---- -$ dig . - -; <<>> DiG 9.16.24-RH <<>> . -;; global options: +cmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13617 -;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 - -;; OPT PSEUDOSECTION: -; EDNS: version: 0, flags:; udp: 65494 -;; QUESTION SECTION: -;. IN A - -;; Query time: 0 msec -;; SERVER: 127.0.0.53#53(127.0.0.53) -;; WHEN: Mon Jan 24 05:49:30 JST 2022 -;; MSG SIZE rcvd: 28 ---- - -After: ---- -$ dig . - -; <<>> DiG 9.16.24-RH <<>> . -;; global options: +cmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7957 -;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 - -;; OPT PSEUDOSECTION: -; EDNS: version: 0, flags:; udp: 65494 -;; QUESTION SECTION: -;. IN A - -;; Query time: 1 msec -;; SERVER: 127.0.0.53#53(127.0.0.53) -;; WHEN: Mon Jan 24 06:05:02 JST 2022 -;; MSG SIZE rcvd: 28 ---- - -Replaces #22197. - -Fixes RHBZ#2039854 (https://bugzilla.redhat.com/show_bug.cgi?id=2039854). - -(cherry picked from commit 3b2ac14ac45bef01cf489c3231b868936866444b) -(cherry picked from commit 0fd3ccca64402eaec9535d0288d888f7fcacb9b8) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d3331adc66af4e69f7bdc378c1c591dd27703bf2 ---- - src/resolve/resolved-dns-scope.c | 4 ++++ - src/resolve/resolved-dns-synthesize.c | 5 ++++- - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c -index 178482727c..2546d0d4da 100644 ---- a/src/resolve/resolved-dns-scope.c -+++ b/src/resolve/resolved-dns-scope.c -@@ -613,6 +613,10 @@ DnsScopeMatch dns_scope_good_domain( - if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, false, false) & flags) == 0) - return DNS_SCOPE_NO; - -+ /* Never resolve empty name. */ -+ if (dns_name_is_empty(domain)) -+ return DNS_SCOPE_NO; -+ - /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on - * synthesized RRs for these. */ - if (is_localhost(domain) || -diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c -index ef1423f441..ea239e686d 100644 ---- a/src/resolve/resolved-dns-synthesize.c -+++ b/src/resolve/resolved-dns-synthesize.c -@@ -394,7 +394,10 @@ int dns_synthesize_answer( - - name = dns_resource_key_name(key); - -- if (is_localhost(name)) { -+ if (dns_name_is_empty(name)) { -+ /* Do nothing. */ -+ -+ } else if (is_localhost(name)) { - - r = synthesize_localhost_rr(m, key, ifindex, &answer); - if (r < 0) --- -2.33.0 - diff --git a/backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch b/backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch deleted file mode 100644 index 8478b27..0000000 --- a/backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch +++ /dev/null @@ -1,41 +0,0 @@ -From a3d2c2b669149fe7e1bfdfa0c72c39653bef2e4c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 24 Jan 2022 06:36:53 +0900 -Subject: [PATCH] resolve: synthesize null address, IPv4 broadcast address, or - invalid domain - -These are filtered in `dns_scope_good_domain()`, but not synthesized. - -Fixes #22229. - -(cherry picked from commit 46b53e8035fb60c9a7f26dd32d6689ab3b7da97c) -(cherry picked from commit 89b439ee00e3fbee47cda3f790cbf320538cae7f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a3d2c2b669149fe7e1bfdfa0c72c39653bef2e4c ---- - src/resolve/resolved-dns-synthesize.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c -index ea239e686d..0914515fdf 100644 ---- a/src/resolve/resolved-dns-synthesize.c -+++ b/src/resolve/resolved-dns-synthesize.c -@@ -397,6 +397,14 @@ int dns_synthesize_answer( - if (dns_name_is_empty(name)) { - /* Do nothing. */ - -+ } else if (dns_name_endswith(name, "0.in-addr.arpa") > 0 || -+ dns_name_equal(name, "255.255.255.255.in-addr.arpa") > 0 || -+ dns_name_equal(name, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0 || -+ dns_name_endswith(name, "invalid") > 0) { -+ -+ nxdomain = true; -+ continue; -+ - } else if (is_localhost(name)) { - - r = synthesize_localhost_rr(m, key, ifindex, &answer); --- -2.33.0 - diff --git a/backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch b/backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch deleted file mode 100644 index e56b352..0000000 --- a/backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch +++ /dev/null @@ -1,563 +0,0 @@ -From 87f33d6a03d8c25393ad6472fcad5b69bb60aa6b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 5 Feb 2022 22:04:42 +0900 -Subject: [PATCH] resolve: use _cleanup_ attribute for freeing DnsQuery - -(cherry picked from commit c704288c473fa08820566fdb16c38726d24db026) -(cherry picked from commit 0533d1aab61b6a797d07c4c861acf5e87f8191e8) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/87f33d6a03d8c25393ad6472fcad5b69bb60aa6b ---- - src/resolve/resolved-bus.c | 112 +++++++++++++++----------------- - src/resolve/resolved-dns-stub.c | 27 +++----- - src/resolve/resolved-varlink.c | 38 +++++------ - 3 files changed, 79 insertions(+), 98 deletions(-) - -diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c -index 78d1acf5e0..ed06895ed9 100644 ---- a/src/resolve/resolved-bus.c -+++ b/src/resolve/resolved-bus.c -@@ -179,9 +179,10 @@ static int append_address(sd_bus_message *reply, DnsResourceRecord *rr, int ifin - return 0; - } - --static void bus_method_resolve_hostname_complete(DnsQuery *q) { -+static void bus_method_resolve_hostname_complete(DnsQuery *query) { - _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL; - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - _cleanup_free_ char *normalized = NULL; - DnsQuestion *question; - DnsResourceRecord *rr; -@@ -202,8 +203,11 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) { - } - if (r < 0) - goto finish; -- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ -+ if (r == DNS_QUERY_CNAME) { -+ /* This was a cname, and the query was restarted. */ -+ TAKE_PTR(q); - return; -+ } - - r = sd_bus_message_new_method_return(q->bus_request, &reply); - if (r < 0) -@@ -264,8 +268,6 @@ finish: - log_error_errno(r, "Failed to send hostname reply: %m"); - sd_bus_reply_method_errno(q->bus_request, r, NULL); - } -- -- dns_query_free(q); - } - - static int validate_and_mangle_flags( -@@ -403,11 +405,11 @@ void bus_client_log(sd_bus_message *m, const char *what) { - - static int bus_method_resolve_hostname(sd_bus_message *message, void *userdata, sd_bus_error *error) { - _cleanup_(dns_question_unrefp) DnsQuestion *question_idna = NULL, *question_utf8 = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = NULL; - Manager *m = userdata; - const char *hostname; - int family, ifindex; - uint64_t flags; -- DnsQuery *q; - int r; - - assert(message); -@@ -459,21 +461,19 @@ static int bus_method_resolve_hostname(sd_bus_message *message, void *userdata, - - r = dns_query_bus_track(q, message); - if (r < 0) -- goto fail; -+ return r; - - r = dns_query_go(q); - if (r < 0) -- goto fail; -+ return r; - -+ TAKE_PTR(q); - return 1; -- --fail: -- dns_query_free(q); -- return r; - } - --static void bus_method_resolve_address_complete(DnsQuery *q) { -+static void bus_method_resolve_address_complete(DnsQuery *query) { - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - DnsQuestion *question; - DnsResourceRecord *rr; - unsigned added = 0; -@@ -493,8 +493,11 @@ static void bus_method_resolve_address_complete(DnsQuery *q) { - } - if (r < 0) - goto finish; -- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ -+ if (r == DNS_QUERY_CNAME) { -+ /* This was a cname, and the query was restarted. */ -+ TAKE_PTR(q); - return; -+ } - - r = sd_bus_message_new_method_return(q->bus_request, &reply); - if (r < 0) -@@ -550,17 +553,15 @@ finish: - log_error_errno(r, "Failed to send address reply: %m"); - sd_bus_reply_method_errno(q->bus_request, r, NULL); - } -- -- dns_query_free(q); - } - - static int bus_method_resolve_address(sd_bus_message *message, void *userdata, sd_bus_error *error) { - _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = NULL; - Manager *m = userdata; - union in_addr_union a; - int family, ifindex; - uint64_t flags; -- DnsQuery *q; - int r; - - assert(message); -@@ -604,17 +605,14 @@ static int bus_method_resolve_address(sd_bus_message *message, void *userdata, s - - r = dns_query_bus_track(q, message); - if (r < 0) -- goto fail; -+ return r; - - r = dns_query_go(q); - if (r < 0) -- goto fail; -+ return r; - -+ TAKE_PTR(q); - return 1; -- --fail: -- dns_query_free(q); -- return r; - } - - static int bus_message_append_rr(sd_bus_message *m, DnsResourceRecord *rr, int ifindex) { -@@ -645,8 +643,9 @@ static int bus_message_append_rr(sd_bus_message *m, DnsResourceRecord *rr, int i - return sd_bus_message_close_container(m); - } - --static void bus_method_resolve_record_complete(DnsQuery *q) { -+static void bus_method_resolve_record_complete(DnsQuery *query) { - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - DnsResourceRecord *rr; - DnsQuestion *question; - unsigned added = 0; -@@ -667,8 +666,11 @@ static void bus_method_resolve_record_complete(DnsQuery *q) { - } - if (r < 0) - goto finish; -- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ -+ if (r == DNS_QUERY_CNAME) { -+ /* This was a cname, and the query was restarted. */ -+ TAKE_PTR(q); - return; -+ } - - r = sd_bus_message_new_method_return(q->bus_request, &reply); - if (r < 0) -@@ -714,19 +716,17 @@ finish: - log_error_errno(r, "Failed to send record reply: %m"); - sd_bus_reply_method_errno(q->bus_request, r, NULL); - } -- -- dns_query_free(q); - } - - static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd_bus_error *error) { - _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; - _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = NULL; - Manager *m = userdata; - uint16_t class, type; - const char *name; - int r, ifindex; - uint64_t flags; -- DnsQuery *q; - - assert(message); - assert(m); -@@ -782,17 +782,14 @@ static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd - - r = dns_query_bus_track(q, message); - if (r < 0) -- goto fail; -+ return r; - - r = dns_query_go(q); - if (r < 0) -- goto fail; -+ return r; - -+ TAKE_PTR(q); - return 1; -- --fail: -- dns_query_free(q); -- return r; - } - - static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr) { -@@ -952,10 +949,11 @@ static int append_txt(sd_bus_message *reply, DnsResourceRecord *rr) { - return 1; - } - --static void resolve_service_all_complete(DnsQuery *q) { -+static void resolve_service_all_complete(DnsQuery *query) { - _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL; - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; - _cleanup_free_ char *name = NULL, *type = NULL, *domain = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - DnsQuestion *question; - DnsResourceRecord *rr; - unsigned added = 0; -@@ -964,8 +962,10 @@ static void resolve_service_all_complete(DnsQuery *q) { - - assert(q); - -- if (q->block_all_complete > 0) -+ if (q->block_all_complete > 0) { -+ TAKE_PTR(q); - return; -+ } - - if ((q->flags & SD_RESOLVED_NO_ADDRESS) == 0) { - DnsQuery *bad = NULL; -@@ -977,6 +977,7 @@ static void resolve_service_all_complete(DnsQuery *q) { - - case DNS_TRANSACTION_PENDING: - /* If an auxiliary query is still pending, let's wait */ -+ TAKE_PTR(q); - return; - - case DNS_TRANSACTION_SUCCESS: -@@ -1093,8 +1094,6 @@ finish: - log_error_errno(r, "Failed to send service reply: %m"); - sd_bus_reply_method_errno(q->bus_request, r, NULL); - } -- -- dns_query_free(q); - } - - static void resolve_service_hostname_complete(DnsQuery *q) { -@@ -1119,7 +1118,7 @@ static void resolve_service_hostname_complete(DnsQuery *q) { - - static int resolve_service_hostname(DnsQuery *q, DnsResourceRecord *rr, int ifindex) { - _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; -- DnsQuery *aux; -+ _cleanup_(dns_query_freep) DnsQuery *aux = NULL; - int r; - - assert(q); -@@ -1142,32 +1141,27 @@ static int resolve_service_hostname(DnsQuery *q, DnsResourceRecord *rr, int ifin - aux->complete = resolve_service_hostname_complete; - - r = dns_query_make_auxiliary(aux, q); -- if (r == -EAGAIN) { -+ if (r == -EAGAIN) - /* Too many auxiliary lookups? If so, don't complain, - * let's just not add this one, we already have more - * than enough */ -- -- dns_query_free(aux); - return 0; -- } - if (r < 0) -- goto fail; -+ return r; - - /* Note that auxiliary queries do not track the original bus - * client, only the primary request does that. */ - - r = dns_query_go(aux); - if (r < 0) -- goto fail; -+ return r; - -+ TAKE_PTR(aux); - return 1; -- --fail: -- dns_query_free(aux); -- return r; - } - --static void bus_method_resolve_service_complete(DnsQuery *q) { -+static void bus_method_resolve_service_complete(DnsQuery *query) { -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - bool has_root_domain = false; - DnsResourceRecord *rr; - DnsQuestion *question; -@@ -1188,8 +1182,11 @@ static void bus_method_resolve_service_complete(DnsQuery *q) { - } - if (r < 0) - goto finish; -- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ -+ if (r == DNS_QUERY_CNAME) { -+ /* This was a cname, and the query was restarted. */ -+ TAKE_PTR(q); - return; -+ } - - question = dns_query_question_for_protocol(q, q->answer_protocol); - -@@ -1237,7 +1234,7 @@ static void bus_method_resolve_service_complete(DnsQuery *q) { - } - - /* Maybe we are already finished? check now... */ -- resolve_service_all_complete(q); -+ resolve_service_all_complete(TAKE_PTR(q)); - return; - - finish: -@@ -1245,17 +1242,15 @@ finish: - log_error_errno(r, "Failed to send service reply: %m"); - sd_bus_reply_method_errno(q->bus_request, r, NULL); - } -- -- dns_query_free(q); - } - - static int bus_method_resolve_service(sd_bus_message *message, void *userdata, sd_bus_error *error) { - _cleanup_(dns_question_unrefp) DnsQuestion *question_idna = NULL, *question_utf8 = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = NULL; - const char *name, *type, *domain; - Manager *m = userdata; - int family, ifindex; - uint64_t flags; -- DnsQuery *q; - int r; - - assert(message); -@@ -1316,17 +1311,14 @@ static int bus_method_resolve_service(sd_bus_message *message, void *userdata, s - - r = dns_query_bus_track(q, message); - if (r < 0) -- goto fail; -+ return r; - - r = dns_query_go(q); - if (r < 0) -- goto fail; -+ return r; - -+ TAKE_PTR(q); - return 1; -- --fail: -- dns_query_free(q); -- return r; - } - - int bus_dns_server_append(sd_bus_message *reply, DnsServer *s, bool with_ifindex, bool extended) { -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index 8040db70f9..400e741031 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -684,7 +684,8 @@ static int dns_stub_patch_bypass_reply_packet( - return 0; - } - --static void dns_stub_query_complete(DnsQuery *q) { -+static void dns_stub_query_complete(DnsQuery *query) { -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - int r; - - assert(q); -@@ -705,7 +706,6 @@ static void dns_stub_query_complete(DnsQuery *q) { - else - (void) dns_stub_send(q->manager, q->stub_listener_extra, q->request_stream, q->request_packet, reply); - -- dns_query_free(q); - return; - } - } -@@ -717,11 +717,8 @@ static void dns_stub_query_complete(DnsQuery *q) { - q, - dns_query_question_for_protocol(q, DNS_PROTOCOL_DNS), - dns_stub_reply_with_edns0_do(q)); -- if (r < 0) { -- log_debug_errno(r, "Failed to assign sections: %m"); -- dns_query_free(q); -- return; -- } -+ if (r < 0) -+ return (void) log_debug_errno(r, "Failed to assign sections: %m"); - - switch (q->state) { - -@@ -755,11 +752,10 @@ static void dns_stub_query_complete(DnsQuery *q) { - * packet doesn't answer our question. In that case let's restart the query, - * now with the redirected question. We'll */ - r = dns_query_go(q); -- if (r < 0) { -- log_debug_errno(r, "Failed to restart query: %m"); -- dns_query_free(q); -- } -+ if (r < 0) -+ return (void) log_debug_errno(r, "Failed to restart query: %m"); - -+ TAKE_PTR(q); - return; - } - -@@ -767,11 +763,8 @@ static void dns_stub_query_complete(DnsQuery *q) { - q, - dns_query_question_for_protocol(q, DNS_PROTOCOL_DNS), - dns_stub_reply_with_edns0_do(q)); -- if (r < 0) { -- log_debug_errno(r, "Failed to assign sections: %m"); -- dns_query_free(q); -- return; -- } -+ if (r < 0) -+ return (void) log_debug_errno(r, "Failed to assign sections: %m"); - - if (cname_result == DNS_QUERY_MATCH) /* A match? Then we are done, let's return what we got */ - break; -@@ -817,8 +810,6 @@ static void dns_stub_query_complete(DnsQuery *q) { - default: - assert_not_reached("Impossible state"); - } -- -- dns_query_free(q); - } - - static int dns_stub_stream_complete(DnsStream *s, int error) { -diff --git a/src/resolve/resolved-varlink.c b/src/resolve/resolved-varlink.c -index 27d8c8967e..6f4ab425ef 100644 ---- a/src/resolve/resolved-varlink.c -+++ b/src/resolve/resolved-varlink.c -@@ -143,9 +143,10 @@ static bool validate_and_mangle_flags( - return true; - } - --static void vl_method_resolve_hostname_complete(DnsQuery *q) { -+static void vl_method_resolve_hostname_complete(DnsQuery *query) { - _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL; - _cleanup_(json_variant_unrefp) JsonVariant *array = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - _cleanup_free_ char *normalized = NULL; - DnsResourceRecord *rr; - DnsQuestion *question; -@@ -165,8 +166,11 @@ static void vl_method_resolve_hostname_complete(DnsQuery *q) { - } - if (r < 0) - goto finish; -- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ -+ if (r == DNS_QUERY_CNAME) { -+ /* This was a cname, and the query was restarted. */ -+ TAKE_PTR(q); - return; -+ } - - question = dns_query_question_for_protocol(q, q->answer_protocol); - -@@ -228,8 +232,6 @@ finish: - log_error_errno(r, "Failed to send hostname reply: %m"); - r = varlink_error_errno(q->varlink_request, r); - } -- -- dns_query_free(q); - } - - static int parse_as_address(Varlink *link, LookupParameters *p) { -@@ -284,7 +286,7 @@ static int vl_method_resolve_hostname(Varlink *link, JsonVariant *parameters, Va - _cleanup_(lookup_parameters_destroy) LookupParameters p = { - .family = AF_UNSPEC, - }; -- DnsQuery *q; -+ _cleanup_(dns_query_freep) DnsQuery *q = NULL; - Manager *m; - int r; - -@@ -338,13 +340,10 @@ static int vl_method_resolve_hostname(Varlink *link, JsonVariant *parameters, Va - - r = dns_query_go(q); - if (r < 0) -- goto fail; -+ return r; - -+ TAKE_PTR(q); - return 1; -- --fail: -- dns_query_free(q); -- return r; - } - - static int json_dispatch_address(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) { -@@ -382,8 +381,9 @@ static int json_dispatch_address(const char *name, JsonVariant *variant, JsonDis - return 0; - } - --static void vl_method_resolve_address_complete(DnsQuery *q) { -+static void vl_method_resolve_address_complete(DnsQuery *query) { - _cleanup_(json_variant_unrefp) JsonVariant *array = NULL; -+ _cleanup_(dns_query_freep) DnsQuery *q = query; - DnsQuestion *question; - DnsResourceRecord *rr; - int ifindex, r; -@@ -402,8 +402,11 @@ static void vl_method_resolve_address_complete(DnsQuery *q) { - } - if (r < 0) - goto finish; -- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ -+ if (r == DNS_QUERY_CNAME) { -+ /* This was a cname, and the query was restarted. */ -+ TAKE_PTR(q); - return; -+ } - - question = dns_query_question_for_protocol(q, q->answer_protocol); - -@@ -447,8 +450,6 @@ finish: - log_error_errno(r, "Failed to send address reply: %m"); - r = varlink_error_errno(q->varlink_request, r); - } -- -- dns_query_free(q); - } - - static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata) { -@@ -464,7 +465,7 @@ static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, Var - _cleanup_(lookup_parameters_destroy) LookupParameters p = { - .family = AF_UNSPEC, - }; -- DnsQuery *q; -+ _cleanup_(dns_query_freep) DnsQuery *q = NULL; - Manager *m; - int r; - -@@ -509,13 +510,10 @@ static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, Var - - r = dns_query_go(q); - if (r < 0) -- goto fail; -+ return r; - -+ TAKE_PTR(q); - return 1; -- --fail: -- dns_query_free(q); -- return r; - } - - int manager_varlink_init(Manager *m) { --- -2.33.0 - diff --git a/backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch b/backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch deleted file mode 100644 index 9a7efbc..0000000 --- a/backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5421863a16f19ba6a85214bb17986d6015b298b3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jack=20D=C3=A4hn?= -Date: Tue, 3 Aug 2021 08:07:05 +0200 -Subject: [PATCH] resolved: Don't omit AD bit in reply if DO is set in the - query - -Set the AD bit in the response if the data is authenticated and AD or DO is set in the query, as suggested by section 5.8 of RFC6840. - -Fixes #20332 - -(cherry picked from commit b553abd8aed0f6fbff9973882fb08c3aec1d9400) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5421863a16f19ba6a85214bb17986d6015b298b3 ---- - src/resolve/resolved-dns-stub.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c -index 5b9d32f001..49da916576 100644 ---- a/src/resolve/resolved-dns-stub.c -+++ b/src/resolve/resolved-dns-stub.c -@@ -585,7 +585,7 @@ static int dns_stub_send_reply( - DNS_PACKET_RD(q->request_packet), - !!q->request_packet->opt, - edns0_do, -- DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q), -+ (DNS_PACKET_AD(q->request_packet) || DNS_PACKET_DO(q->request_packet)) && dns_query_fully_authenticated(q), - DNS_PACKET_CD(q->request_packet), - q->stub_listener_extra ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX, - dns_packet_has_nsid_request(q->request_packet) > 0 && !q->stub_listener_extra); -@@ -627,7 +627,7 @@ static int dns_stub_send_failure( - DNS_PACKET_RD(p), - !!p->opt, - DNS_PACKET_DO(p), -- DNS_PACKET_AD(p) && authenticated, -+ (DNS_PACKET_AD(p) || DNS_PACKET_DO(p)) && authenticated, - DNS_PACKET_CD(p), - l ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX, - dns_packet_has_nsid_request(p) > 0 && !l); --- -2.33.0 - diff --git a/backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch b/backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch deleted file mode 100644 index f80a934..0000000 --- a/backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch +++ /dev/null @@ -1,109 +0,0 @@ -From e4f6e956abdca1b7f538845dae79e5afb708e2df Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 22 Nov 2021 18:29:17 +0100 -Subject: [PATCH] resolved: clean up manager_write_resolv_conf() a bit - -Let's downgrade log messages which are not fatal for the service to -LOG_WARNING. - -And let's simplify clean-up by using _cleanup_(unlink_and_freep). - -(cherry picked from commit e2ef1e9aea24d89d1e92fa4675ddc330029b48bf) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e4f6e956abdca1b7f538845dae79e5afb708e2df ---- - src/resolve/resolved-resolv-conf.c | 41 +++++++++++------------------- - 1 file changed, 15 insertions(+), 26 deletions(-) - -diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c -index d5a77605a8..100894d6b2 100644 ---- a/src/resolve/resolved-resolv-conf.c -+++ b/src/resolve/resolved-resolv-conf.c -@@ -330,7 +330,7 @@ static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet - - int manager_write_resolv_conf(Manager *m) { - _cleanup_ordered_set_free_ OrderedSet *dns = NULL, *domains = NULL; -- _cleanup_free_ char *temp_path_uplink = NULL, *temp_path_stub = NULL; -+ _cleanup_(unlink_and_freep) char *temp_path_uplink = NULL, *temp_path_stub = NULL; - _cleanup_fclose_ FILE *f_uplink = NULL, *f_stub = NULL; - int r; - -@@ -342,60 +342,49 @@ int manager_write_resolv_conf(Manager *m) { - /* Add the full list to a set, to filter out duplicates */ - r = manager_compile_dns_servers(m, &dns); - if (r < 0) -- return log_warning_errno(r, "Failed to compile list of DNS servers: %m"); -+ return log_warning_errno(r, "Failed to compile list of DNS servers, ignoring: %m"); - - r = manager_compile_search_domains(m, &domains, false); - if (r < 0) -- return log_warning_errno(r, "Failed to compile list of search domains: %m"); -+ return log_warning_errno(r, "Failed to compile list of search domains, ignoring: %m"); - - r = fopen_temporary_label(PRIVATE_UPLINK_RESOLV_CONF, PRIVATE_UPLINK_RESOLV_CONF, &f_uplink, &temp_path_uplink); - if (r < 0) -- return log_warning_errno(r, "Failed to open new %s for writing: %m", PRIVATE_UPLINK_RESOLV_CONF); -+ return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF); - - (void) fchmod(fileno(f_uplink), 0644); - - r = write_uplink_resolv_conf_contents(f_uplink, dns, domains); -- if (r < 0) { -- log_error_errno(r, "Failed to write new %s: %m", PRIVATE_UPLINK_RESOLV_CONF); -- goto fail; -- } -+ if (r < 0) -+ return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF); - - if (m->dns_stub_listener_mode != DNS_STUB_LISTENER_NO) { - r = fopen_temporary_label(PRIVATE_STUB_RESOLV_CONF, PRIVATE_STUB_RESOLV_CONF, &f_stub, &temp_path_stub); -- if (r < 0) { -- log_warning_errno(r, "Failed to open new %s for writing: %m", PRIVATE_STUB_RESOLV_CONF); -- goto fail; -- } -+ if (r < 0) -+ return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_STUB_RESOLV_CONF); - - (void) fchmod(fileno(f_stub), 0644); - - r = write_stub_resolv_conf_contents(f_stub, dns, domains); -- if (r < 0) { -- log_error_errno(r, "Failed to write new %s: %m", PRIVATE_STUB_RESOLV_CONF); -- goto fail; -- } -+ if (r < 0) -+ return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_STUB_RESOLV_CONF); - - r = conservative_rename(temp_path_stub, PRIVATE_STUB_RESOLV_CONF); - if (r < 0) -- log_error_errno(r, "Failed to move new %s into place: %m", PRIVATE_STUB_RESOLV_CONF); -+ log_warning_errno(r, "Failed to move new %s into place, ignoring: %m", PRIVATE_STUB_RESOLV_CONF); - -+ temp_path_stub = mfree(temp_path_stub); /* free the string explicitly, so that we don't unlink anymore */ - } else { - r = symlink_atomic_label(basename(PRIVATE_UPLINK_RESOLV_CONF), PRIVATE_STUB_RESOLV_CONF); - if (r < 0) -- log_error_errno(r, "Failed to symlink %s: %m", PRIVATE_STUB_RESOLV_CONF); -+ log_warning_errno(r, "Failed to symlink %s, ignoring: %m", PRIVATE_STUB_RESOLV_CONF); - } - - r = conservative_rename(temp_path_uplink, PRIVATE_UPLINK_RESOLV_CONF); - if (r < 0) -- log_error_errno(r, "Failed to move new %s into place: %m", PRIVATE_UPLINK_RESOLV_CONF); -- -- fail: -- if (r < 0) { -- /* Something went wrong, perform cleanup... */ -- (void) unlink(temp_path_uplink); -- (void) unlink(temp_path_stub); -- } -+ log_warning_errno(r, "Failed to move new %s into place: %m", PRIVATE_UPLINK_RESOLV_CONF); - -+ temp_path_uplink = mfree(temp_path_uplink); /* free the string explicitly, so that we don't unlink anymore */ - return r; - } - --- -2.33.0 - diff --git a/backport-resolved-fix-ResolveService-hostname-handling.patch b/backport-resolved-fix-ResolveService-hostname-handling.patch deleted file mode 100644 index f7c33d4..0000000 --- a/backport-resolved-fix-ResolveService-hostname-handling.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 70f465cb5d10b7bcd7bd7c326756d542e59c0e0b Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 22 Nov 2021 14:37:54 +0100 -Subject: [PATCH] resolved: fix ResolveService() hostname handling - -Let's eat up special returns of dns_query_process_cname_many() when -storing hostname resolution results. - -The rest of the code assumes only == 0 means success and != 0 means -error, but so far > 0 also could mean success, let's fix that. - -Fixes: #21365 #21140 - -(This was originally broken in 1db8e6d1db0880de240e5598e28d24d708479434) - -(cherry picked from commit 5a78106ad92d3f122f7ac653eecf767f0a8948cf) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/70f465cb5d10b7bcd7bd7c326756d542e59c0e0b ---- - src/resolve/resolved-bus.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c -index 7226200f00..78d1acf5e0 100644 ---- a/src/resolve/resolved-bus.c -+++ b/src/resolve/resolved-bus.c -@@ -1005,6 +1005,7 @@ static void resolve_service_all_complete(DnsQuery *q) { - goto finish; - } - -+ assert(bad->auxiliary_result < 0); - r = bad->auxiliary_result; - goto finish; - } -@@ -1112,7 +1113,7 @@ static void resolve_service_hostname_complete(DnsQuery *q) { - return; - - /* This auxiliary lookup is finished or failed, let's see if all are finished now. */ -- q->auxiliary_result = r; -+ q->auxiliary_result = r < 0 ? r : 0; - resolve_service_all_complete(q->auxiliary_for); - } - --- -2.33.0 - diff --git a/backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch b/backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch deleted file mode 100644 index ff70e3f..0000000 --- a/backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 018c8e8f67b699c5e5aadb73a3ddf3b8009a741a Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 22 Nov 2021 16:14:07 +0100 -Subject: [PATCH] resolved: make sure we don't hit an assert when dealing with - incomplete DNSSD service definitions - -Fixes: #21142 -(cherry picked from commit 8cf9898a964693b8a3c40b502af0377ede746f4d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/018c8e8f67b699c5e5aadb73a3ddf3b8009a741a ---- - src/resolve/resolved-dns-zone.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/resolve/resolved-dns-zone.c b/src/resolve/resolved-dns-zone.c -index b86b325144..6b3f5f707d 100644 ---- a/src/resolve/resolved-dns-zone.c -+++ b/src/resolve/resolved-dns-zone.c -@@ -94,7 +94,9 @@ void dns_zone_remove_rr(DnsZone *z, DnsResourceRecord *rr) { - DnsZoneItem *i; - - assert(z); -- assert(rr); -+ -+ if (!rr) -+ return; - - i = dns_zone_get(z, rr); - if (i) --- -2.33.0 - diff --git a/backport-resolved-properly-signal-transient-errors-back-to-NS.patch b/backport-resolved-properly-signal-transient-errors-back-to-NS.patch deleted file mode 100644 index 700839c..0000000 --- a/backport-resolved-properly-signal-transient-errors-back-to-NS.patch +++ /dev/null @@ -1,140 +0,0 @@ -From 7ab91cb307eb0a518f4a956674a108221538fc88 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 22 Nov 2021 15:17:34 +0100 -Subject: [PATCH] resolved: properly signal transient errors back to NSS stack - -NSS mostly knows four error cases: SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN, -and they can all be used in nsswitch.conf to route requests. - -So far nss-resolve would return SUCCESS + NOTFOUND + UNAVAIL. Let's also -return TRYAGAIN in some cases, specifically the ones where we are -currntly unable to resolve a request but likely could later. i.e. -errors caused by networking issues or such. - -Fixes: #20786 -(cherry picked from commit ae78529fc75027b3487b64e0d22a572fd9c8ffeb) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7ab91cb307eb0a518f4a956674a108221538fc88 ---- - src/nss-resolve/nss-resolve.c | 55 +++++++++++++++++++++++++++++------ - 1 file changed, 46 insertions(+), 9 deletions(-) - -diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c -index e2a29475a2..4f54973202 100644 ---- a/src/nss-resolve/nss-resolve.c -+++ b/src/nss-resolve/nss-resolve.c -@@ -41,6 +41,9 @@ NSS_GETHOSTBYNAME_PROTOTYPES(resolve); - NSS_GETHOSTBYADDR_PROTOTYPES(resolve); - - static bool error_shall_fallback(const char *error_id) { -+ /* The Varlink errors where we shall signal "please fallback" back to the NSS stack, so that some -+ * fallback module can be loaded. (These are mostly all Varlink-internal errors, as apparently we -+ * then were unable to even do IPC with systemd-resolved.) */ - return STR_IN_SET(error_id, - VARLINK_ERROR_DISCONNECTED, - VARLINK_ERROR_TIMEOUT, -@@ -50,6 +53,16 @@ static bool error_shall_fallback(const char *error_id) { - VARLINK_ERROR_METHOD_NOT_IMPLEMENTED); - } - -+static bool error_shall_try_again(const char *error_id) { -+ /* The Varlink errors where we shall signal "can't answer now but might be able to later" back to the -+ * NSS stack. These are all errors that indicate lack of configuration or network problems. */ -+ return STR_IN_SET(error_id, -+ "io.systemd.Resolve.NoNameServers", -+ "io.systemd.Resolve.QueryTimedOut", -+ "io.systemd.Resolve.MaxAttemptsReached", -+ "io.systemd.Resolve.NetworkDown"); -+} -+ - static int connect_to_resolved(Varlink **ret) { - _cleanup_(varlink_unrefp) Varlink *link = NULL; - int r; -@@ -242,9 +255,11 @@ enum nss_status _nss_resolve_gethostbyname4_r( - if (r < 0) - goto fail; - if (!isempty(error_id)) { -- if (!error_shall_fallback(error_id)) -- goto not_found; -- goto fail; -+ if (error_shall_try_again(error_id)) -+ goto try_again; -+ if (error_shall_fallback(error_id)) -+ goto fail; -+ goto not_found; - } - - r = json_dispatch(rparams, resolve_hostname_reply_dispatch_table, NULL, json_dispatch_flags, &p); -@@ -341,6 +356,12 @@ fail: - not_found: - *h_errnop = HOST_NOT_FOUND; - return NSS_STATUS_NOTFOUND; -+ -+try_again: -+ UNPROTECT_ERRNO; -+ *errnop = -r; -+ *h_errnop = TRY_AGAIN; -+ return NSS_STATUS_TRYAGAIN; - } - - enum nss_status _nss_resolve_gethostbyname3_r( -@@ -390,9 +411,11 @@ enum nss_status _nss_resolve_gethostbyname3_r( - if (r < 0) - goto fail; - if (!isempty(error_id)) { -- if (!error_shall_fallback(error_id)) -- goto not_found; -- goto fail; -+ if (error_shall_try_again(error_id)) -+ goto try_again; -+ if (error_shall_fallback(error_id)) -+ goto fail; -+ goto not_found; - } - - r = json_dispatch(rparams, resolve_hostname_reply_dispatch_table, NULL, json_dispatch_flags, &p); -@@ -508,6 +531,12 @@ fail: - not_found: - *h_errnop = HOST_NOT_FOUND; - return NSS_STATUS_NOTFOUND; -+ -+try_again: -+ UNPROTECT_ERRNO; -+ *errnop = -r; -+ *h_errnop = TRY_AGAIN; -+ return NSS_STATUS_TRYAGAIN; - } - - typedef struct ResolveAddressReply { -@@ -594,9 +623,11 @@ enum nss_status _nss_resolve_gethostbyaddr2_r( - if (r < 0) - goto fail; - if (!isempty(error_id)) { -- if (!error_shall_fallback(error_id)) -- goto not_found; -- goto fail; -+ if (error_shall_try_again(error_id)) -+ goto try_again; -+ if (error_shall_fallback(error_id)) -+ goto fail; -+ goto not_found; - } - - r = json_dispatch(rparams, resolve_address_reply_dispatch_table, NULL, json_dispatch_flags, &p); -@@ -694,6 +725,12 @@ fail: - not_found: - *h_errnop = HOST_NOT_FOUND; - return NSS_STATUS_NOTFOUND; -+ -+try_again: -+ UNPROTECT_ERRNO; -+ *errnop = -r; -+ *h_errnop = TRY_AGAIN; -+ return NSS_STATUS_TRYAGAIN; - } - - NSS_GETHOSTBYNAME_FALLBACKS(resolve); --- -2.33.0 - diff --git a/backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch b/backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch deleted file mode 100644 index ff081de..0000000 --- a/backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 8280bec34df8e35592f4a4a549127471a9199231 Mon Sep 17 00:00:00 2001 -From: Steven Siloti -Date: Sun, 11 Jul 2021 11:05:26 -0700 -Subject: [PATCH] resolved: retry on SERVFAIL before downgrading feature level - -The SERVFAIL RCODE can be generated for many reasons which may not be related -to lack of feature support. For example, the Stubby resolver generates -SERVFAIL when a request times out. Such transient failures can cause -unnecessary downgrades to both the transaction and the server's feature level. -The consequences of this are especially severe if the server is in DNSSEC -strict mode. In this case repeated downgrades eventually cause the server to -stop resolving entirely with the error "incompatible-server". - -To avoid unnecessary downgrades the request should be retried once with the -current level before the transaction's feature level is downgraded. - -(cherry picked from commit 8a33aa199dc1cea14494469ac9d7d08dc6721df1) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8280bec34df8e35592f4a4a549127471a9199231 ---- - src/resolve/resolved-dns-server.c | 3 +- - src/resolve/resolved-dns-transaction.c | 43 +++++++++++++++++--------- - 2 files changed, 29 insertions(+), 17 deletions(-) - -diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c -index e7a4bce71a..58a1376708 100644 ---- a/src/resolve/resolved-dns-server.c -+++ b/src/resolve/resolved-dns-server.c -@@ -362,9 +362,8 @@ void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level - if (s->possible_feature_level > level) { - s->possible_feature_level = level; - dns_server_reset_counters(s); -+ log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", strna(dns_server_string_full(s))); - } -- -- log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", strna(dns_server_string_full(s))); - } - - void dns_server_packet_invalid(DnsServer *s, DnsServerFeatureLevel level) { -diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c -index 9535a7ba4c..cf10c5c359 100644 ---- a/src/resolve/resolved-dns-transaction.c -+++ b/src/resolve/resolved-dns-transaction.c -@@ -1142,22 +1142,35 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypt - break; - } - -- /* Reduce this feature level by one and try again. */ -- switch (t->current_feature_level) { -- case DNS_SERVER_FEATURE_LEVEL_TLS_DO: -- t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; -- break; -- case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1: -- /* Skip plain TLS when TLS is not supported */ -- t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1; -- break; -- default: -- t->clamp_feature_level_servfail = t->current_feature_level - 1; -- } -+ /* SERVFAIL can happen for many reasons and may be transient. -+ * To avoid unnecessary downgrades retry once with the initial level. -+ * Check for clamp_feature_level_servfail having an invalid value as a sign that this is the -+ * first attempt to downgrade. If so, clamp to the current value so that the transaction -+ * is retried without actually downgrading. If the next try also fails we will downgrade by -+ * hitting the else branch below. */ -+ if (DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL && -+ t->clamp_feature_level_servfail < 0) { -+ t->clamp_feature_level_servfail = t->current_feature_level; -+ log_debug("Server returned error %s, retrying transaction.", -+ dns_rcode_to_string(DNS_PACKET_RCODE(p))); -+ } else { -+ /* Reduce this feature level by one and try again. */ -+ switch (t->current_feature_level) { -+ case DNS_SERVER_FEATURE_LEVEL_TLS_DO: -+ t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; -+ break; -+ case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1: -+ /* Skip plain TLS when TLS is not supported */ -+ t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1; -+ break; -+ default: -+ t->clamp_feature_level_servfail = t->current_feature_level - 1; -+ } - -- log_debug("Server returned error %s, retrying transaction with reduced feature level %s.", -- dns_rcode_to_string(DNS_PACKET_RCODE(p)), -- dns_server_feature_level_to_string(t->clamp_feature_level_servfail)); -+ log_debug("Server returned error %s, retrying transaction with reduced feature level %s.", -+ dns_rcode_to_string(DNS_PACKET_RCODE(p)), -+ dns_server_feature_level_to_string(t->clamp_feature_level_servfail)); -+ } - - dns_transaction_retry(t, false /* use the same server */); - return; --- -2.33.0 - diff --git a/backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch b/backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch deleted file mode 100644 index 6c2d00f..0000000 --- a/backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 2b2804757c8520b5cc133d9a3078f6fbec4a69cb Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 27 Sep 2021 14:28:16 +0200 -Subject: [PATCH] resolved: suppress writing DNS server info into - /etc/resolv.conf for non-standard UDP ports - -glibc doesn't support this, hence don#t generate it. - -Fixes: #20836 -(cherry picked from commit a50dadf2fd7413bbfc26af7e2ad2900b3e06af82) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2b2804757c8520b5cc133d9a3078f6fbec4a69cb ---- - src/resolve/resolved-resolv-conf.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c -index dd02d368e9..d5a77605a8 100644 ---- a/src/resolve/resolved-resolv-conf.c -+++ b/src/resolve/resolved-resolv-conf.c -@@ -216,6 +216,13 @@ static void write_resolv_conf_server(DnsServer *s, FILE *f, unsigned *count) { - return; - } - -+ /* resolv.conf simply doesn't support any other ports than 53, hence there's nothing much we can -+ * do — we have to suppress these entries */ -+ if (dns_server_port(s) != 53) { -+ log_debug("DNS server %s with non-standard UDP port number, suppressing from generated resolv.conf.", dns_server_string(s)); -+ return; -+ } -+ - /* Check if the scope this DNS server belongs to is suitable as 'default' route for lookups; resolv.conf does - * not have a syntax to express that, so it must not appear as a global name server to avoid routing unrelated - * domains to it (which is a privacy violation, will most probably fail anyway, and adds unnecessary load) */ --- -2.33.0 - diff --git a/backport-revert-delete-initrd-usr-fs-target.patch b/backport-revert-delete-initrd-usr-fs-target.patch deleted file mode 100644 index 15deec1..0000000 --- a/backport-revert-delete-initrd-usr-fs-target.patch +++ /dev/null @@ -1,237 +0,0 @@ -From 29a24ab28e9790680348b1ffab653a321fa49a67 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 26 Mar 2021 22:40:40 +0100 -Subject: [PATCH] fstab-generator: if usr= is specified, mount it to - /sysusr/usr/ first. - - This reverts 29a24ab28e9790680348b1ffab653a321fa49a67 - -Reason: In systemd 249, at initrd stage, /usr fs will be mounted on /sysroot, or on /sysusr. -This will cause sysroot.mount to be run ahead of time. But at this time, the lvm of extra file directory is inactive, -This will make the crashed system have to wait 5 minutes. So we revert the commit, and don't mount sysroot in advance. - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/29a24ab28e9790680348b1ffab653a321fa49a67 ---- - src/basic/special.h | 1 - - src/fstab-generator/fstab-generator.c | 90 ++++---------------------- - units/initrd-usr-fs.target | 17 ----- - units/initrd.target | 4 +- - units/meson.build | 1 - - units/systemd-repart.service.in | 2 +- - units/systemd-volatile-root.service.in | 2 +- - 7 files changed, 17 insertions(+), 100 deletions(-) - delete mode 100644 units/initrd-usr-fs.target - -diff --git a/src/basic/special.h b/src/basic/special.h -index 78f22f1..8b01df8 100644 ---- a/src/basic/special.h -+++ b/src/basic/special.h -@@ -37,7 +37,6 @@ - #define SPECIAL_INITRD_FS_TARGET "initrd-fs.target" - #define SPECIAL_INITRD_ROOT_DEVICE_TARGET "initrd-root-device.target" - #define SPECIAL_INITRD_ROOT_FS_TARGET "initrd-root-fs.target" --#define SPECIAL_INITRD_USR_FS_TARGET "initrd-usr-fs.target" - #define SPECIAL_REMOTE_FS_TARGET "remote-fs.target" /* LSB's $remote_fs */ - #define SPECIAL_REMOTE_FS_PRE_TARGET "remote-fs-pre.target" - #define SPECIAL_SWAP_TARGET "swap.target" -diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c -index a4e3ea5..54bfbc2 100644 ---- a/src/fstab-generator/fstab-generator.c -+++ b/src/fstab-generator/fstab-generator.c -@@ -758,10 +758,6 @@ static int add_sysroot_mount(void) { - static int add_sysroot_usr_mount(void) { - _cleanup_free_ char *what = NULL; - const char *opts; -- int r; -- -- /* Returns 0 if we didn't do anything, > 0 if we either generated a unit for the /usr/ mount, or we -- * know for sure something else did */ - - if (!arg_usr_what && !arg_usr_fstype && !arg_usr_options) - return 0; -@@ -785,23 +781,8 @@ static int add_sysroot_usr_mount(void) { - return log_oom(); - } - -- if (isempty(arg_usr_what)) { -- log_debug("Could not find a usr= entry on the kernel command line."); -+ if (!arg_usr_what) - return 0; -- } -- -- if (streq(arg_usr_what, "gpt-auto")) { -- /* This is handled by the gpt-auto generator */ -- log_debug("Skipping /usr/ directory handling, as gpt-auto was requested."); -- return 1; /* systemd-gpt-auto-generator will generate a unit for this, hence report that a -- * unit file is being created for the host /usr/ mount. */ -- } -- -- if (path_equal(arg_usr_what, "/dev/nfs")) { -- /* This is handled by the initrd (if at all supported, that is) */ -- log_debug("Skipping /usr/ directory handling, as /dev/nfs was requested."); -- return 1; /* As above, report that NFS code will create the unit */ -- } - - what = fstab_node_to_udev_node(arg_usr_what); - if (!what) -@@ -814,62 +795,17 @@ static int add_sysroot_usr_mount(void) { - else - opts = arg_usr_options; - -- /* When mounting /usr from the initrd, we add an extra level of indirection: we first mount the /usr/ -- * partition to /sysusr/usr/, and then afterwards bind mount that to /sysroot/usr/. We do this so -- * that we can cover for systems that initially only have a /usr/ around and where the root fs needs -- * to be synthesized, based on configuration included in /usr/, e.g. systemd-repart. Software like -- * this should order itself after initrd-usr-fs.target and before initrd-fs.target; and it should -- * look into both /sysusr/ and /sysroot/ for the configuration data to apply. */ -- -- log_debug("Found entry what=%s where=/sysusr/usr type=%s opts=%s", what, strna(arg_usr_fstype), strempty(opts)); -- -- r = add_mount(arg_dest, -- what, -- "/sysusr/usr", -- NULL, -- arg_usr_fstype, -- opts, -- is_device_path(what) ? 1 : 0, /* passno */ -- 0, -- SPECIAL_INITRD_USR_FS_TARGET, -- "/proc/cmdline"); -- if (r < 0) -- return r; -- -- log_debug("Synthesizing entry what=/sysusr/usr where=/sysrootr/usr opts=bind"); -- -- r = add_mount(arg_dest, -- "/sysusr/usr", -- "/sysroot/usr", -- NULL, -- NULL, -- "bind", -- 0, -- 0, -- SPECIAL_INITRD_FS_TARGET, -- "/proc/cmdline"); -- if (r < 0) -- return r; -- -- return 1; --} -- --static int add_sysroot_usr_mount_or_fallback(void) { -- int r; -- -- r = add_sysroot_usr_mount(); -- if (r != 0) -- return r; -- -- /* OK, so we didn't write anything out for /sysusr/usr/ nor /sysroot/usr/. In this case, let's make -- * sure that initrd-usr-fs.target is at least ordered after sysroot.mount so that services that order -- * themselves get the guarantee that /usr/ is definitely mounted somewhere. */ -- -- return generator_add_symlink( -- arg_dest, -- SPECIAL_INITRD_USR_FS_TARGET, -- "requires", -- "sysroot.mount"); -+ log_debug("Found entry what=%s where=/sysroot/usr type=%s", what, strna(arg_usr_fstype)); -+ return add_mount(arg_dest, -+ what, -+ "/sysroot/usr", -+ NULL, -+ arg_usr_fstype, -+ opts, -+ is_device_path(what) ? 1 : 0, /* passno */ -+ 0, -+ SPECIAL_INITRD_FS_TARGET, -+ "/proc/cmdline"); - } - - static int add_volatile_root(void) { -@@ -1031,7 +967,7 @@ static int run(const char *dest, const char *dest_early, const char *dest_late) - if (in_initrd()) { - r = add_sysroot_mount(); - -- r2 = add_sysroot_usr_mount_or_fallback(); -+ r2 = add_sysroot_usr_mount(); - - r3 = add_volatile_root(); - } else -diff --git a/units/initrd-usr-fs.target b/units/initrd-usr-fs.target -deleted file mode 100644 -index 7219655..0000000 ---- a/units/initrd-usr-fs.target -+++ /dev/null -@@ -1,17 +0,0 @@ --# SPDX-License-Identifier: LGPL-2.1-or-later --# --# This file is part of systemd. --# --# systemd is free software; you can redistribute it and/or modify it --# under the terms of the GNU Lesser General Public License as published by --# the Free Software Foundation; either version 2.1 of the License, or --# (at your option) any later version. -- --[Unit] --Description=Initrd /usr File System --Documentation=man:systemd.special(7) --AssertPathExists=/etc/initrd-release --OnFailure=emergency.target --OnFailureJobMode=replace-irreversibly --DefaultDependencies=no --Conflicts=shutdown.target -diff --git a/units/initrd.target b/units/initrd.target -index fc8fbff..655158a 100644 ---- a/units/initrd.target -+++ b/units/initrd.target -@@ -14,6 +14,6 @@ OnFailure=emergency.target - OnFailureJobMode=replace-irreversibly - AssertPathExists=/etc/initrd-release - Requires=basic.target --Wants=initrd-root-fs.target initrd-root-device.target initrd-fs.target initrd-usr-fs.target initrd-parse-etc.service --After=initrd-root-fs.target initrd-root-device.target initrd-fs.target initrd-usr-fs.target basic.target rescue.service rescue.target -+Wants=initrd-root-fs.target initrd-root-device.target initrd-fs.target initrd-parse-etc.service -+After=initrd-root-fs.target initrd-root-device.target initrd-fs.target basic.target rescue.service rescue.target - AllowIsolate=yes -diff --git a/units/meson.build b/units/meson.build -index df6741b..31fedf5 100644 ---- a/units/meson.build -+++ b/units/meson.build -@@ -38,7 +38,6 @@ units = [ - ['initrd-switch-root.service', 'ENABLE_INITRD'], - ['initrd-switch-root.target', 'ENABLE_INITRD'], - ['initrd-udevadm-cleanup-db.service', 'ENABLE_INITRD'], -- ['initrd-usr-fs.target', 'ENABLE_INITRD'], - ['initrd.target', 'ENABLE_INITRD'], - ['kexec.target', ''], - ['ldconfig.service', 'ENABLE_LDCONFIG', -diff --git a/units/systemd-repart.service.in b/units/systemd-repart.service.in -index 92e0a9b..f39a990 100644 ---- a/units/systemd-repart.service.in -+++ b/units/systemd-repart.service.in -@@ -12,7 +12,7 @@ Description=Repartition Root Disk - Documentation=man:systemd-repart.service(8) - DefaultDependencies=no - Conflicts=shutdown.target --After=initrd-usr-fs.target -+After=sysroot.mount - Before=initrd-root-fs.target shutdown.target - ConditionVirtualization=!container - ConditionDirectoryNotEmpty=|/usr/lib/repart.d -diff --git a/units/systemd-volatile-root.service.in b/units/systemd-volatile-root.service.in -index 5a0ec89..37eb23c 100644 ---- a/units/systemd-volatile-root.service.in -+++ b/units/systemd-volatile-root.service.in -@@ -12,7 +12,7 @@ Description=Enforce Volatile Root File Systems - Documentation=man:systemd-volatile-root.service(8) - DefaultDependencies=no - Conflicts=shutdown.target --After=sysroot.mount sysroot-usr.mount systemd-repart.service -+After=sysroot.mount systemd-repart.service - Before=initrd-root-fs.target shutdown.target - AssertPathExists=/etc/initrd-release - --- -2.33.0 - diff --git a/backport-revert-units-add-ProtectClock-yes.patch b/backport-revert-units-add-ProtectClock-yes.patch deleted file mode 100644 index 2612b28..0000000 --- a/backport-revert-units-add-ProtectClock-yes.patch +++ /dev/null @@ -1,46 +0,0 @@ -From cabc1c6d7adae658a2966a4b02a6faabb803e92b Mon Sep 17 00:00:00 2001 -From: Topi Miettinen -Date: Thu, 2 Apr 2020 21:18:11 +0300 -Subject: [PATCH] units: add ProtectClock=yes - -Add `ProtectClock=yes` to systemd units. Since it implies certain -`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so -they are still able to access other devices. Exclude timesyncd and timedated. - -=== -Conflict:this only revert systemd-udevd.service.in -Reference:https://github.com/systemd/systemd/commit/cabc1c6d7adae658a2966a4b02a6faabb803e92b - -When DeviceAllow is configured, devices.deny will first be set to "a", and -then devices.allow be set based on DeviceAllow, which makes devices.list -between these two steps is not reliable. Only revert systemd-udevd.service.in -because udevd can fork subprocess to execute udev rules, which may affect user -process. ---- - units/systemd-udevd.service.in | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in -index 7b6354a..30746c1 100644 ---- a/units/systemd-udevd.service.in -+++ b/units/systemd-udevd.service.in -@@ -17,8 +17,6 @@ ConditionPathIsReadWrite=/sys - - [Service] - Delegate=pids --DeviceAllow=block-* rwm --DeviceAllow=char-* rwm - Type=notify - # Note that udev will reset the value internally for its workers - OOMScoreAdjust=-1000 -@@ -30,7 +28,6 @@ ExecReload=udevadm control --reload --timeout 0 - KillMode=mixed - TasksMax=infinity - PrivateMounts=yes --ProtectClock=yes - ProtectHostname=yes - MemoryDenyWriteExecute=yes - RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 --- -2.23.0 - diff --git a/backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch b/backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch deleted file mode 100644 index f1318d9..0000000 --- a/backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch +++ /dev/null @@ -1,70 +0,0 @@ -From fb999b918462361fefa435f86884f81edff503c5 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 30 Aug 2021 13:21:55 +0200 -Subject: [PATCH] run/mount/systemctl: don't fork off PolicyKit/ask-pw agent - when in --user mode - -When we are in --user mode there's no point in doing PolicyKit/ask-pw -because both of these systems are only used by system-level services. -Let's disable the two agents for that automaticlly hence. - -Prompted by: #20576 - -(cherry picked from commit 966f3a246c8c804d8a9c9d393f03c5c3fe0dd393) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/fb999b918462361fefa435f86884f81edff503c5 ---- - src/mount/mount-tool.c | 3 +++ - src/run/run.c | 4 ++++ - src/systemctl/systemctl.c | 5 +++++ - 3 files changed, 12 insertions(+) - -diff --git a/src/mount/mount-tool.c b/src/mount/mount-tool.c -index c213c905a1..70b4c5a765 100644 ---- a/src/mount/mount-tool.c -+++ b/src/mount/mount-tool.c -@@ -332,6 +332,9 @@ static int parse_argv(int argc, char *argv[]) { - assert_not_reached("Unhandled option"); - } - -+ if (arg_user) -+ arg_ask_password = false; -+ - if (arg_user && arg_transport != BUS_TRANSPORT_LOCAL) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Execution in user context is not supported on non-local systems."); -diff --git a/src/run/run.c b/src/run/run.c -index 38de0322e0..1c83e36e4e 100644 ---- a/src/run/run.c -+++ b/src/run/run.c -@@ -506,6 +506,10 @@ static int parse_argv(int argc, char *argv[]) { - assert_not_reached("Unhandled option"); - } - -+ /* If we are talking to the per-user instance PolicyKit isn't going to help */ -+ if (arg_user) -+ arg_ask_password = false; -+ - with_trigger = !!arg_path_property || !!arg_socket_property || arg_with_timer; - - /* currently, only single trigger (path, socket, timer) unit can be created simultaneously */ -diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c -index 4cc723aab5..2f6f58127c 100644 ---- a/src/systemctl/systemctl.c -+++ b/src/systemctl/systemctl.c -@@ -925,6 +925,11 @@ static int systemctl_parse_argv(int argc, char *argv[]) { - assert_not_reached("Unhandled option"); - } - -+ /* If we are in --user mode, there's no point in talking to PolicyKit or the infra to query system -+ * passwords */ -+ if (arg_scope != UNIT_FILE_SYSTEM) -+ arg_ask_password = false; -+ - if (arg_transport == BUS_TRANSPORT_REMOTE && arg_scope != UNIT_FILE_SYSTEM) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Cannot access user instance remotely."); --- -2.33.0 - diff --git a/backport-scope-count-successful-cgroup-additions-when-delegat.patch b/backport-scope-count-successful-cgroup-additions-when-delegat.patch deleted file mode 100644 index 6393e0f..0000000 --- a/backport-scope-count-successful-cgroup-additions-when-delegat.patch +++ /dev/null @@ -1,51 +0,0 @@ -From be509064edba9863521a77a4a20a6e1a0971693e Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Wed, 10 Nov 2021 22:46:35 +0100 -Subject: [PATCH] scope: count successful cgroup additions when delegating via - D-Bus - -Since commit 8d3e4ac7cd37200d1431411a4b98925a24b7d9b3 ("scope: refuse -activation of scopes if no PIDs to add are left") all "systemd-run --scope ---user" calls fail because cgroup attachments delegated to the system instance -are not counted towards successful additions. Fix this by incrementing the -return value in case unit_attach_pid_to_cgroup_via_bus() succeeds, similar to -what happens when cg_attach() succeeds directly. - -Note that this can *not* distinguish the case when -unit_attach_pid_to_cgroup_via_bus() has been run successfully, but all -processes to attach are gone in the meantime, unlike the checks that commit -8d3e4ac7cd37200d1431411a4b98925a24b7d9b3 adds for the system instance. This is -because even though unit_attach_pid_to_cgroup_via_bus() leads to an internal -unit_attach_pids_to_cgroup() call, the return value over D-Bus does not include -the number of successfully attached processes and is always NULL on success. - -Fixes: #21297 - -(cherry picked from commit c65417a01121301fdf7f8514ee7663d287af3a72) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/be509064edba9863521a77a4a20a6e1a0971693e ---- - src/core/cgroup.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 51936b7d1d..79e10ca3c0 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -2188,8 +2188,11 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - z = unit_attach_pid_to_cgroup_via_bus(u, pid, suffix_path); - if (z < 0) - log_unit_info_errno(u, z, "Couldn't move process "PID_FMT" to requested cgroup '%s' (directly or via the system bus): %m", pid, empty_to_root(p)); -- else -+ else { -+ if (ret >= 0) -+ ret++; /* Count successful additions */ - continue; /* When the bus thing worked via the bus we are fully done for this PID. */ -+ } - } - - if (ret >= 0) --- -2.33.0 - diff --git a/backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch b/backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch deleted file mode 100644 index 54b2814..0000000 --- a/backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 7ecb1b82d9b55a081d81b2802695fd21293ce029 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 27 Oct 2021 23:17:50 +0200 -Subject: [PATCH] scope: refuse activation of scopes if no PIDs to add are left - -If all processes we are supposed to add are gone by the time we are -ready to do so, let's fail. - -THis is heavily based on Cunlong Li's work, who thankfully tracked this -down. - -Replaces: #20577 -(cherry picked from commit 8d3e4ac7cd37200d1431411a4b98925a24b7d9b3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7ecb1b82d9b55a081d81b2802695fd21293ce029 ---- - src/core/cgroup.c | 3 ++- - src/core/scope.c | 6 ++++++ - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 1551d57e90..51936b7d1d 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -2196,7 +2196,8 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { - ret = r; /* Remember first error */ - - continue; -- } -+ } else if (ret >= 0) -+ ret++; /* Count successful additions */ - - r = cg_all_unified(); - if (r < 0) -diff --git a/src/core/scope.c b/src/core/scope.c -index af6311bb5f..fd4367dbed 100644 ---- a/src/core/scope.c -+++ b/src/core/scope.c -@@ -374,6 +374,12 @@ static int scope_start(Unit *u) { - scope_enter_dead(s, SCOPE_FAILURE_RESOURCES); - return r; - } -+ if (r == 0) { -+ log_unit_warning(u, "No PIDs left to attach to the scope's control group, refusing: %m"); -+ scope_enter_dead(s, SCOPE_FAILURE_RESOURCES); -+ return -ECHILD; -+ } -+ log_unit_debug(u, "%i %s added to scope's control group.", r, r == 1 ? "process" : "processes"); - - s->result = SCOPE_SUCCESS; - --- -2.33.0 - diff --git a/backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch b/backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch deleted file mode 100644 index 7d2d34f..0000000 --- a/backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9442b2f78f17309bb1c2bca0df735728b03ee732 Mon Sep 17 00:00:00 2001 -From: Wenchao Hao -Date: Sun, 28 Aug 2022 16:44:56 +0800 -Subject: [PATCH] scsi_id: retry inquiry ioctl if host_byte is - DID_TRANSPORT_DISRUPTED - -The inquiry is issued to kernel via ioctl, kernelspace would set -this inquiry command's retry count to 0 which means the command -would not be retried in kernel space even if the LLDs returned -a status which need to be retried. So we should take the retry -in user space. ---- - src/udev/scsi_id/scsi_serial.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/udev/scsi_id/scsi_serial.c b/src/udev/scsi_id/scsi_serial.c -index cfc13feced..992d1cf25b 100644 ---- a/src/udev/scsi_id/scsi_serial.c -+++ b/src/udev/scsi_id/scsi_serial.c -@@ -69,6 +69,7 @@ static const char hex_str[]="0123456789abcdef"; - #define DID_NO_CONNECT 0x01 /* Unable to connect before timeout */ - #define DID_BUS_BUSY 0x02 /* Bus remain busy until timeout */ - #define DID_TIME_OUT 0x03 /* Timed out for some other reason */ -+#define DID_TRANSPORT_DISRUPTED 0x0e /* Transport disrupted and should retry */ - #define DRIVER_TIMEOUT 0x06 - #define DRIVER_SENSE 0x08 /* Sense_buffer has been set */ - -@@ -79,6 +80,7 @@ static const char hex_str[]="0123456789abcdef"; - #define SG_ERR_CAT_TIMEOUT 3 - #define SG_ERR_CAT_RECOVERED 4 /* Successful command after recovered err */ - #define SG_ERR_CAT_NOTSUPPORTED 5 /* Illegal / unsupported command */ -+#define SG_ERR_CAT_RETRY 6 /* Command should be retried */ - #define SG_ERR_CAT_SENSE 98 /* Something else in the sense buffer */ - #define SG_ERR_CAT_OTHER 99 /* Some other error/warning */ - -@@ -126,6 +128,8 @@ static int sg_err_category_new(int scsi_status, int msg_status, int - if (host_status) { - if (IN_SET(host_status, DID_NO_CONNECT, DID_BUS_BUSY, DID_TIME_OUT)) - return SG_ERR_CAT_TIMEOUT; -+ if (host_status == DID_TRANSPORT_DISRUPTED) -+ return SG_ERR_CAT_RETRY; - } - if (driver_status) { - if (driver_status == DRIVER_TIMEOUT) -@@ -332,6 +336,8 @@ resend: - case SG_ERR_CAT_RECOVERED: - retval = 0; - break; -+ case SG_ERR_CAT_RETRY: -+ break; - - default: - if (dev_scsi->use_sg == 4) --- -2.27.0 - diff --git a/backport-sd-boot-Fix-possible-null-pointer-dereference.patch b/backport-sd-boot-Fix-possible-null-pointer-dereference.patch deleted file mode 100644 index 4e9aec9..0000000 --- a/backport-sd-boot-Fix-possible-null-pointer-dereference.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 872d101c2308e07c523fd6ca84bd774447f05b7e Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Wed, 11 Aug 2021 14:59:46 +0200 -Subject: [PATCH] sd-boot: Fix possible null pointer dereference - -Auto entries are showing garbage for the version in print_status() -because StrDuplicate does not expect null pointers. - -(cherry picked from commit b52fafb26d90b77cfc259fcbdab3c95a571bacb1) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/872d101c2308e07c523fd6ca84bd774447f05b7e ---- - src/boot/efi/boot.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c -index 3249171ec1..13940a6df7 100644 ---- a/src/boot/efi/boot.c -+++ b/src/boot/efi/boot.c -@@ -1724,7 +1724,7 @@ static ConfigEntry *config_entry_add_loader( - *entry = (ConfigEntry) { - .type = type, - .title = StrDuplicate(title), -- .version = StrDuplicate(version), -+ .version = version ? StrDuplicate(version) : NULL, - .device = device, - .loader = StrDuplicate(loader), - .id = StrDuplicate(id), --- -2.33.0 - diff --git a/backport-sd-boot-Rework-console-input-handling.patch b/backport-sd-boot-Rework-console-input-handling.patch deleted file mode 100644 index 263eb2a..0000000 --- a/backport-sd-boot-Rework-console-input-handling.patch +++ /dev/null @@ -1,323 +0,0 @@ -From 9e47ea7c98d1f4e0a75edb5d1590e5742f253317 Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Wed, 11 Aug 2021 14:59:46 +0200 -Subject: [PATCH] sd-boot: Rework console input handling - -Fixes: #15847 -Probably fixes: #19191 - -(cherry picked from commit e98d271e57f3d0356e444b6ea2d48836ee2769b0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9e47ea7c98d1f4e0a75edb5d1590e5742f253317 ---- - src/boot/efi/boot.c | 55 +++++++--------------- - src/boot/efi/console.c | 102 +++++++++++++++++++++++++++++------------ - src/boot/efi/console.h | 2 +- - 3 files changed, 91 insertions(+), 68 deletions(-) - -diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c -index 54d704f0d1..b4f3b9605a 100644 ---- a/src/boot/efi/boot.c -+++ b/src/boot/efi/boot.c -@@ -134,7 +134,7 @@ static BOOLEAN line_edit( - uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, print); - uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, cursor, y_pos); - -- err = console_key_read(&key, TRUE); -+ err = console_key_read(&key, 0); - if (EFI_ERROR(err)) - continue; - -@@ -387,7 +387,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) { - Print(L"OsIndicationsSupported: %d\n", indvar); - - Print(L"\n--- press key ---\n\n"); -- console_key_read(&key, TRUE); -+ console_key_read(&key, 0); - - Print(L"timeout: %u\n", config->timeout_sec); - if (config->timeout_sec_efivar >= 0) -@@ -432,7 +432,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) { - Print(L"LoaderEntryDefault: %s\n", defaultstr); - - Print(L"\n--- press key ---\n\n"); -- console_key_read(&key, TRUE); -+ console_key_read(&key, 0); - - for (UINTN i = 0; i < config->entry_count; i++) { - ConfigEntry *entry; -@@ -482,7 +482,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) { - entry->path, entry->next_name); - - Print(L"\n--- press key ---\n\n"); -- console_key_read(&key, TRUE); -+ console_key_read(&key, 0); - } - - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); -@@ -509,11 +509,10 @@ static BOOLEAN menu_run( - UINTN y_max; - CHAR16 *status; - CHAR16 *clearline; -- INTN timeout_remain; -+ UINTN timeout_remain = config->timeout_sec; - INT16 idx; - BOOLEAN exit = FALSE; - BOOLEAN run = TRUE; -- BOOLEAN wait = FALSE; - - graphics_mode(FALSE); - uefi_call_wrapper(ST->ConIn->Reset, 2, ST->ConIn, FALSE); -@@ -538,12 +537,6 @@ static BOOLEAN menu_run( - y_max = 25; - } - -- /* we check 10 times per second for a keystroke */ -- if (config->timeout_sec > 0) -- timeout_remain = config->timeout_sec * 10; -- else -- timeout_remain = -1; -- - idx_highlight = config->idx_default; - idx_highlight_prev = 0; - -@@ -643,7 +636,7 @@ static BOOLEAN menu_run( - - if (timeout_remain > 0) { - FreePool(status); -- status = PoolPrint(L"Boot in %d sec.", (timeout_remain + 5) / 10); -+ status = PoolPrint(L"Boot in %d s.", timeout_remain); - } - - /* print status at last line of screen */ -@@ -664,27 +657,18 @@ static BOOLEAN menu_run( - uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, clearline+1 + x + len); - } - -- err = console_key_read(&key, wait); -- if (EFI_ERROR(err)) { -- /* timeout reached */ -+ err = console_key_read(&key, timeout_remain > 0 ? 1000 * 1000 : 0); -+ if (err == EFI_TIMEOUT) { -+ timeout_remain--; - if (timeout_remain == 0) { - exit = TRUE; - break; - } - -- /* sleep and update status */ -- if (timeout_remain > 0) { -- uefi_call_wrapper(BS->Stall, 1, 100 * 1000); -- timeout_remain--; -- continue; -- } -- -- /* timeout disabled, wait for next key */ -- wait = TRUE; -+ /* update status */ - continue; -- } -- -- timeout_remain = -1; -+ } else -+ timeout_remain = 0; - - /* clear status after keystroke */ - if (status) { -@@ -787,7 +771,7 @@ static BOOLEAN menu_run( - config->timeout_sec_efivar, - EFI_VARIABLE_NON_VOLATILE); - if (config->timeout_sec_efivar > 0) -- status = PoolPrint(L"Menu timeout set to %d sec.", config->timeout_sec_efivar); -+ status = PoolPrint(L"Menu timeout set to %d s.", config->timeout_sec_efivar); - else - status = StrDuplicate(L"Menu disabled. Hold down key at bootup to show menu."); - } else if (config->timeout_sec_efivar <= 0){ -@@ -795,7 +779,7 @@ static BOOLEAN menu_run( - efivar_set( - LOADER_GUID, L"LoaderConfigTimeout", NULL, EFI_VARIABLE_NON_VOLATILE); - if (config->timeout_sec_config > 0) -- status = PoolPrint(L"Menu timeout of %d sec is defined by configuration file.", -+ status = PoolPrint(L"Menu timeout of %d s is defined by configuration file.", - config->timeout_sec_config); - else - status = StrDuplicate(L"Menu disabled. Hold down key at bootup to show menu."); -@@ -813,7 +797,7 @@ static BOOLEAN menu_run( - config->timeout_sec_efivar, - EFI_VARIABLE_NON_VOLATILE); - if (config->timeout_sec_efivar > 0) -- status = PoolPrint(L"Menu timeout set to %d sec.", -+ status = PoolPrint(L"Menu timeout set to %d s.", - config->timeout_sec_efivar); - else - status = StrDuplicate(L"Menu disabled. Hold down key at bootup to show menu."); -@@ -2369,13 +2353,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { - else { - UINT64 key; - -- err = console_key_read(&key, FALSE); -- -- if (err == EFI_NOT_READY) { -- uefi_call_wrapper(BS->Stall, 1, 100 * 1000); -- err = console_key_read(&key, FALSE); -- } -- -+ /* Block up to 100ms to give firmware time to get input working. */ -+ err = console_key_read(&key, 100 * 1000); - if (!EFI_ERROR(err)) { - INT16 idx; - -diff --git a/src/boot/efi/console.c b/src/boot/efi/console.c -index 83619d2147..369c549daf 100644 ---- a/src/boot/efi/console.c -+++ b/src/boot/efi/console.c -@@ -11,61 +11,105 @@ - - #define EFI_SIMPLE_TEXT_INPUT_EX_GUID &(EFI_GUID) EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL_GUID - --EFI_STATUS console_key_read(UINT64 *key, BOOLEAN wait) { -+static inline void EventClosep(EFI_EVENT *event) { -+ if (!*event) -+ return; -+ -+ uefi_call_wrapper(BS->CloseEvent, 1, *event); -+} -+ -+/* -+ * Reading input from the console sounds like an easy task to do, but thanks to broken -+ * firmware it is actually a nightmare. -+ * -+ * There is a ConIn and TextInputEx API for this. Ideally we want to use TextInputEx, -+ * because that gives us Ctrl/Alt/Shift key state information. Unfortunately, it is not -+ * always available and sometimes just non-functional. -+ * -+ * On the other hand we have ConIn, where some firmware likes to just freeze on us -+ * if we call ReadKeyStroke on it. -+ * -+ * Therefore, we use WaitForEvent on both ConIn and TextInputEx (if available) along -+ * with a timer event. The timer ensures there is no need to call into functions -+ * that might freeze on us, while still allowing us to show a timeout counter. -+ */ -+EFI_STATUS console_key_read(UINT64 *key, UINT64 timeout_usec) { - static EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *TextInputEx; - static BOOLEAN checked; - UINTN index; - EFI_INPUT_KEY k; - EFI_STATUS err; -+ _cleanup_(EventClosep) EFI_EVENT timer = NULL; -+ EFI_EVENT events[3] = { ST->ConIn->WaitForKey }; -+ UINTN n_events = 1; - - if (!checked) { - err = LibLocateProtocol(EFI_SIMPLE_TEXT_INPUT_EX_GUID, (VOID **)&TextInputEx); -- if (EFI_ERROR(err)) -+ if (EFI_ERROR(err) || -+ uefi_call_wrapper(BS->CheckEvent, 1, TextInputEx->WaitForKeyEx) == EFI_INVALID_PARAMETER) -+ /* If WaitForKeyEx fails here, the firmware pretends it talks this -+ * protocol, but it really doesn't. */ - TextInputEx = NULL; -+ else -+ events[n_events++] = TextInputEx->WaitForKeyEx; - - checked = TRUE; - } - -- /* wait until key is pressed */ -- if (wait) -- uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &index); -+ if (timeout_usec > 0) { -+ err = uefi_call_wrapper(BS->CreateEvent, 5, EVT_TIMER, 0, NULL, NULL, &timer); -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Error creating timer event: %r", err); -+ -+ /* SetTimer expects 100ns units for some reason. */ -+ err = uefi_call_wrapper(BS->SetTimer, 3, timer, TimerRelative, timeout_usec * 10); -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Error arming timer event: %r", err); - -- if (TextInputEx) { -+ events[n_events++] = timer; -+ } -+ -+ err = uefi_call_wrapper(BS->WaitForEvent, 3, n_events, events, &index); -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Error waiting for events: %r", err); -+ -+ if (timeout_usec > 0 && timer == events[index]) -+ return EFI_TIMEOUT; -+ -+ /* TextInputEx might be ready too even if ConIn got to signal first. */ -+ if (TextInputEx && !EFI_ERROR(uefi_call_wrapper(BS->CheckEvent, 1, TextInputEx->WaitForKeyEx))) { - EFI_KEY_DATA keydata; - UINT64 keypress; -+ UINT32 shift = 0; - - err = uefi_call_wrapper(TextInputEx->ReadKeyStrokeEx, 2, TextInputEx, &keydata); -- if (!EFI_ERROR(err)) { -- UINT32 shift = 0; -- -- /* do not distinguish between left and right keys */ -- if (keydata.KeyState.KeyShiftState & EFI_SHIFT_STATE_VALID) { -- if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_CONTROL_PRESSED|EFI_LEFT_CONTROL_PRESSED)) -- shift |= EFI_CONTROL_PRESSED; -- if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_ALT_PRESSED|EFI_LEFT_ALT_PRESSED)) -- shift |= EFI_ALT_PRESSED; -- }; -- -- /* 32 bit modifier keys + 16 bit scan code + 16 bit unicode */ -- keypress = KEYPRESS(shift, keydata.Key.ScanCode, keydata.Key.UnicodeChar); -- if (keypress > 0) { -- *key = keypress; -- return 0; -- } -+ if (EFI_ERROR(err)) -+ return err; -+ -+ /* do not distinguish between left and right keys */ -+ if (keydata.KeyState.KeyShiftState & EFI_SHIFT_STATE_VALID) { -+ if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_CONTROL_PRESSED|EFI_LEFT_CONTROL_PRESSED)) -+ shift |= EFI_CONTROL_PRESSED; -+ if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_ALT_PRESSED|EFI_LEFT_ALT_PRESSED)) -+ shift |= EFI_ALT_PRESSED; -+ }; -+ -+ /* 32 bit modifier keys + 16 bit scan code + 16 bit unicode */ -+ keypress = KEYPRESS(shift, keydata.Key.ScanCode, keydata.Key.UnicodeChar); -+ if (keypress > 0) { -+ *key = keypress; -+ return EFI_SUCCESS; - } -+ -+ return EFI_NOT_READY; - } - -- /* fallback for firmware which does not support SimpleTextInputExProtocol -- * -- * This is also called in case ReadKeyStrokeEx did not return a key, because -- * some broken firmwares offer SimpleTextInputExProtocol, but never actually -- * handle any key. */ - err = uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &k); - if (EFI_ERROR(err)) - return err; - - *key = KEYPRESS(0, k.ScanCode, k.UnicodeChar); -- return 0; -+ return EFI_SUCCESS; - } - - static EFI_STATUS change_mode(UINTN mode) { -diff --git a/src/boot/efi/console.h b/src/boot/efi/console.h -index 2c69af552a..23848a9c58 100644 ---- a/src/boot/efi/console.h -+++ b/src/boot/efi/console.h -@@ -16,5 +16,5 @@ enum console_mode_change_type { - CONSOLE_MODE_MAX, - }; - --EFI_STATUS console_key_read(UINT64 *key, BOOLEAN wait); -+EFI_STATUS console_key_read(UINT64 *key, UINT64 timeout_usec); - EFI_STATUS console_set_mode(UINTN *mode, enum console_mode_change_type how); --- -2.33.0 - diff --git a/backport-sd-boot-Unify-error-handling.patch b/backport-sd-boot-Unify-error-handling.patch deleted file mode 100644 index d6147b6..0000000 --- a/backport-sd-boot-Unify-error-handling.patch +++ /dev/null @@ -1,404 +0,0 @@ -From 218c0839b24853899d2ea15cb2973ab0d56a7f31 Mon Sep 17 00:00:00 2001 -From: Jan Janssen -Date: Wed, 11 Aug 2021 14:59:46 +0200 -Subject: [PATCH] sd-boot: Unify error handling - -log_error_stall() and log_error_status_stall() will ensure the user has -a chance to catch an error message by stalling and also forcing a -lightred/black color on it. Also, convert several Print() calls to it -since they are actually error messages. - -(cherry picked from commit 8aba0eec499b762657f528988c2f093ac490620d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/218c0839b24853899d2ea15cb2973ab0d56a7f31 ---- - src/boot/efi/boot.c | 62 ++++++++++---------------------- - src/boot/efi/random-seed.c | 73 +++++++++++++------------------------- - src/boot/efi/stub.c | 24 ++++--------- - src/boot/efi/util.c | 17 +++++++-- - src/boot/efi/util.h | 9 +++++ - 5 files changed, 75 insertions(+), 110 deletions(-) - -diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c -index 13940a6df7..54d704f0d1 100644 ---- a/src/boot/efi/boot.c -+++ b/src/boot/efi/boot.c -@@ -527,7 +527,7 @@ static BOOLEAN menu_run( - err = console_set_mode(&config->console_mode, config->console_mode_change); - if (EFI_ERROR(err)) { - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); -- Print(L"Error switching console mode to %ld: %r.\r", (UINT64)config->console_mode, err); -+ log_error_stall(L"Error switching console mode to %lu: %r", (UINT64)config->console_mode, err); - } - } else - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); -@@ -1221,8 +1221,7 @@ static VOID config_entry_bump_counters( - break; - - if (r != EFI_BUFFER_TOO_SMALL || file_info_size * 2 < file_info_size) { -- Print(L"\nFailed to get file info for '%s': %r\n", old_path, r); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -+ log_error_stall(L"Failed to get file info for '%s': %r", old_path, r); - return; - } - -@@ -1234,8 +1233,7 @@ static VOID config_entry_bump_counters( - StrCpy(file_info->FileName, entry->next_name); - r = uefi_call_wrapper(handle->SetInfo, 4, handle, &EfiFileInfoGuid, file_info_size, file_info); - if (EFI_ERROR(r)) { -- Print(L"\nFailed to rename '%s' to '%s', ignoring: %r\n", old_path, entry->next_name, r); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -+ log_error_stall(L"Failed to rename '%s' to '%s', ignoring: %r", old_path, entry->next_name, r); - return; - } - -@@ -2165,18 +2163,12 @@ static EFI_STATUS image_start( - EFI_STATUS err; - - path = FileDevicePath(entry->device, entry->loader); -- if (!path) { -- Print(L"Error getting device path."); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return EFI_INVALID_PARAMETER; -- } -+ if (!path) -+ return log_error_status_stall(EFI_INVALID_PARAMETER, L"Error getting device path."); - - err = uefi_call_wrapper(BS->LoadImage, 6, FALSE, parent_image, path, NULL, 0, &image); -- if (EFI_ERROR(err)) { -- Print(L"Error loading %s: %r", entry->loader, err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Error loading %s: %r", entry->loader, err); - - if (config->options_edit) - options = config->options_edit; -@@ -2190,8 +2182,7 @@ static EFI_STATUS image_start( - err = uefi_call_wrapper(BS->OpenProtocol, 6, image, &LoadedImageProtocol, (VOID **)&loaded_image, - parent_image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL); - if (EFI_ERROR(err)) { -- Print(L"Error getting LoadedImageProtocol handle: %r", err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -+ log_error_stall(L"Error getting LoadedImageProtocol handle: %r", err); - goto out_unload; - } - loaded_image->LoadOptions = options; -@@ -2202,10 +2193,8 @@ static EFI_STATUS image_start( - err = tpm_log_event(SD_TPM_PCR, - (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions, - loaded_image->LoadOptionsSize, loaded_image->LoadOptions); -- if (EFI_ERROR(err)) { -- Print(L"Unable to add image options measurement: %r", err); -- uefi_call_wrapper(BS->Stall, 1, 200 * 1000); -- } -+ if (EFI_ERROR(err)) -+ log_error_stall(L"Unable to add image options measurement: %r", err); - #endif - } - -@@ -2231,9 +2220,7 @@ static EFI_STATUS reboot_into_firmware(VOID) { - return err; - - err = uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold, EFI_SUCCESS, 0, NULL); -- Print(L"Error calling ResetSystem: %r", err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return err; -+ return log_error_status_stall(err, L"Error calling ResetSystem: %r", err); - } - - static VOID config_free(Config *config) { -@@ -2305,30 +2292,21 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { - - err = uefi_call_wrapper(BS->OpenProtocol, 6, image, &LoadedImageProtocol, (VOID **)&loaded_image, - image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL); -- if (EFI_ERROR(err)) { -- Print(L"Error getting a LoadedImageProtocol handle: %r", err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Error getting a LoadedImageProtocol handle: %r", err); - - /* export the device path this image is started from */ - if (disk_get_part_uuid(loaded_image->DeviceHandle, uuid) == EFI_SUCCESS) - efivar_set(LOADER_GUID, L"LoaderDevicePartUUID", uuid, 0); - - root_dir = LibOpenRoot(loaded_image->DeviceHandle); -- if (!root_dir) { -- Print(L"Unable to open root directory."); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return EFI_LOAD_ERROR; -- } -+ if (!root_dir) -+ return log_error_status_stall(EFI_LOAD_ERROR, L"Unable to open root directory.", EFI_LOAD_ERROR); - - if (secure_boot_enabled() && shim_loaded()) { - err = security_policy_install(); -- if (EFI_ERROR(err)) { -- Print(L"Error installing security policy: %r ", err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Error installing security policy: %r", err); - } - - /* the filesystem path to this image, to prevent adding ourselves to the menu */ -@@ -2367,8 +2345,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { - } - - if (config.entry_count == 0) { -- Print(L"No loader found. Configuration files in \\loader\\entries\\*.conf are needed."); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -+ log_error_stall(L"No loader found. Configuration files in \\loader\\entries\\*.conf are needed."); - goto out; - } - -@@ -2440,8 +2417,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { - err = image_start(image, &config, entry); - if (EFI_ERROR(err)) { - graphics_mode(FALSE); -- Print(L"\nFailed to execute %s (%s): %r\n", entry->title, entry->loader, err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -+ log_error_stall(L"Failed to execute %s (%s): %r", entry->title, entry->loader, err); - goto out; - } - -diff --git a/src/boot/efi/random-seed.c b/src/boot/efi/random-seed.c -index 3e179851b0..939daf3e41 100644 ---- a/src/boot/efi/random-seed.c -+++ b/src/boot/efi/random-seed.c -@@ -35,10 +35,8 @@ static EFI_STATUS acquire_rng(UINTN size, VOID **ret) { - return log_oom(); - - err = uefi_call_wrapper(rng->GetRNG, 3, rng, NULL, size, data); -- if (EFI_ERROR(err)) { -- Print(L"Failed to acquire RNG data: %r\n", err); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Failed to acquire RNG data: %r", err); - - *ret = TAKE_PTR(data); - return EFI_SUCCESS; -@@ -149,14 +147,12 @@ static EFI_STATUS acquire_system_token(VOID **ret, UINTN *ret_size) { - err = efivar_get_raw(LOADER_GUID, L"LoaderSystemToken", &data, &size); - if (EFI_ERROR(err)) { - if (err != EFI_NOT_FOUND) -- Print(L"Failed to read LoaderSystemToken EFI variable: %r", err); -+ log_error_stall(L"Failed to read LoaderSystemToken EFI variable: %r", err); - return err; - } - -- if (size <= 0) { -- Print(L"System token too short, ignoring."); -- return EFI_NOT_FOUND; -- } -+ if (size <= 0) -+ return log_error_status_stall(EFI_NOT_FOUND, L"System token too short, ignoring."); - - *ret = TAKE_PTR(data); - *ret_size = size; -@@ -209,8 +205,7 @@ static VOID validate_sha256(void) { - sha256_finish_ctx(&hash, result); - - if (CompareMem(result, array[i].hash, HASH_VALUE_SIZE) != 0) { -- Print(L"SHA256 failed validation.\n"); -- uefi_call_wrapper(BS->Stall, 1, 120 * 1000 * 1000); -+ log_error_stall(L"SHA256 failed validation."); - return; - } - } -@@ -246,7 +241,7 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) { - err = uefi_call_wrapper(root_dir->Open, 5, root_dir, &handle, (CHAR16*) L"\\loader\\random-seed", EFI_FILE_MODE_READ|EFI_FILE_MODE_WRITE, 0ULL); - if (EFI_ERROR(err)) { - if (err != EFI_NOT_FOUND && err != EFI_WRITE_PROTECTED) -- Print(L"Failed to open random seed file: %r\n", err); -+ log_error_stall(L"Failed to open random seed file: %r", err); - return err; - } - -@@ -255,15 +250,11 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) { - return log_oom(); - - size = info->FileSize; -- if (size < RANDOM_MAX_SIZE_MIN) { -- Print(L"Random seed file is too short?\n"); -- return EFI_INVALID_PARAMETER; -- } -+ if (size < RANDOM_MAX_SIZE_MIN) -+ return log_error_status_stall(EFI_INVALID_PARAMETER, L"Random seed file is too short."); - -- if (size > RANDOM_MAX_SIZE_MAX) { -- Print(L"Random seed file is too large?\n"); -- return EFI_INVALID_PARAMETER; -- } -+ if (size > RANDOM_MAX_SIZE_MAX) -+ return log_error_status_stall(EFI_INVALID_PARAMETER, L"Random seed file is too large."); - - seed = AllocatePool(size); - if (!seed) -@@ -271,20 +262,14 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) { - - rsize = size; - err = uefi_call_wrapper(handle->Read, 3, handle, &rsize, seed); -- if (EFI_ERROR(err)) { -- Print(L"Failed to read random seed file: %r\n", err); -- return err; -- } -- if (rsize != size) { -- Print(L"Short read on random seed file\n"); -- return EFI_PROTOCOL_ERROR; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Failed to read random seed file: %r", err); -+ if (rsize != size) -+ return log_error_status_stall(EFI_PROTOCOL_ERROR, L"Short read on random seed file."); - - err = uefi_call_wrapper(handle->SetPosition, 2, handle, 0); -- if (EFI_ERROR(err)) { -- Print(L"Failed to seek to beginning of random seed file: %r\n", err); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Failed to seek to beginning of random seed file: %r", err); - - /* Request some random data from the UEFI RNG. We don't need this to work safely, but it's a good - * idea to use it because it helps us for cases where users mistakenly include a random seed in -@@ -299,27 +284,19 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) { - /* Update the random seed on disk before we use it */ - wsize = size; - err = uefi_call_wrapper(handle->Write, 3, handle, &wsize, new_seed); -- if (EFI_ERROR(err)) { -- Print(L"Failed to write random seed file: %r\n", err); -- return err; -- } -- if (wsize != size) { -- Print(L"Short write on random seed file\n"); -- return EFI_PROTOCOL_ERROR; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Failed to write random seed file: %r", err); -+ if (wsize != size) -+ return log_error_status_stall(EFI_PROTOCOL_ERROR, L"Short write on random seed file."); - - err = uefi_call_wrapper(handle->Flush, 1, handle); -- if (EFI_ERROR(err)) { -- Print(L"Failed to flush random seed file: %r\n"); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Failed to flush random seed file: %r", err); - - /* We are good to go */ - err = efivar_set_raw(LOADER_GUID, L"LoaderRandomSeed", for_kernel, size, 0); -- if (EFI_ERROR(err)) { -- Print(L"Failed to write random seed to EFI variable: %r\n", err); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Failed to write random seed to EFI variable: %r", err); - - return EFI_SUCCESS; - } -diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c -index 082fe91c9e..82da1d3ec4 100644 ---- a/src/boot/efi/stub.c -+++ b/src/boot/efi/stub.c -@@ -36,18 +36,12 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { - - err = uefi_call_wrapper(BS->OpenProtocol, 6, image, &LoadedImageProtocol, (VOID **)&loaded_image, - image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL); -- if (EFI_ERROR(err)) { -- Print(L"Error getting a LoadedImageProtocol handle: %r ", err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Error getting a LoadedImageProtocol handle: %r", err); - - err = pe_memory_locate_sections(loaded_image->ImageBase, sections, addrs, offs, szs); -- if (EFI_ERROR(err)) { -- Print(L"Unable to locate embedded .linux section: %r ", err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return err; -- } -+ if (EFI_ERROR(err)) -+ return log_error_status_stall(err, L"Unable to locate embedded .linux section: %r", err); - - if (szs[0] > 0) - cmdline = (CHAR8 *)(loaded_image->ImageBase) + addrs[0]; -@@ -72,10 +66,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { - err = tpm_log_event(SD_TPM_PCR, - (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions, - loaded_image->LoadOptionsSize, loaded_image->LoadOptions); -- if (EFI_ERROR(err)) { -- Print(L"Unable to add image options measurement: %r", err); -- uefi_call_wrapper(BS->Stall, 1, 200 * 1000); -- } -+ if (EFI_ERROR(err)) -+ log_error_stall(L"Unable to add image options measurement: %r", err); - #endif - } - -@@ -126,7 +118,5 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { - (UINTN)loaded_image->ImageBase + addrs[2], szs[2]); - - graphics_mode(FALSE); -- Print(L"Execution of embedded linux image failed: %r\n", err); -- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -- return err; -+ return log_error_status_stall(err, L"Execution of embedded linux image failed: %r", err); - } -diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c -index 6f4e5933d3..aee076060b 100644 ---- a/src/boot/efi/util.c -+++ b/src/boot/efi/util.c -@@ -411,8 +411,21 @@ EFI_STATUS file_read(EFI_FILE_HANDLE dir, const CHAR16 *name, UINTN off, UINTN s - return err; - } - -+VOID log_error_stall(const CHAR16 *fmt, ...) { -+ va_list args; -+ -+ uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, EFI_LIGHTRED|EFI_BACKGROUND_BLACK); -+ -+ Print(L"\n"); -+ va_start(args, fmt); -+ VPrint(fmt, args); -+ va_end(args); -+ Print(L"\n"); -+ -+ uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -+} -+ - EFI_STATUS log_oom(void) { -- Print(L"Out of memory."); -- (void) uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000); -+ log_error_stall(L"Out of memory."); - return EFI_OUT_OF_RESOURCES; - } -diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h -index 1a42b01033..d3bf848a95 100644 ---- a/src/boot/efi/util.h -+++ b/src/boot/efi/util.h -@@ -74,4 +74,13 @@ static inline void FileHandleClosep(EFI_FILE_HANDLE *handle) { - #define UINT64_MAX ((UINT64) -1) - #endif - -+VOID log_error_stall(const CHAR16 *fmt, ...); - EFI_STATUS log_oom(void); -+ -+/* This works just like log_error_errno() from userspace, but requires you -+ * to provide err a second time if you want to use %r in the message! */ -+#define log_error_status_stall(err, fmt, ...) \ -+ ({ \ -+ log_error_stall(fmt, ##__VA_ARGS__); \ -+ err; \ -+ }) --- -2.33.0 - diff --git a/backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch b/backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch deleted file mode 100644 index 526768d..0000000 --- a/backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 93597655ac3b1ecc8411e6b1249ab6ce631e87e2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 7 Jul 2021 18:02:50 +0200 -Subject: [PATCH] sd-bus: allow numerical uids in -M user@.host - -UIDs don't work well over ssh, but locally or with containers they are OK. -In particular, user@.service uses UIDs as identifiers, and it's nice to be -able to copy&paste that UID for interaction with the user's managers. - -(cherry picked from commit 2da7d0bc92e2423a5c7225c5d24b99d5d52a0bc6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/93597655ac3b1ecc8411e6b1249ab6ce631e87e2 ---- - src/libsystemd/sd-bus/sd-bus.c | 27 ++++++++++++++++++--------- - 1 file changed, 18 insertions(+), 9 deletions(-) - -diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c -index ab8d4e4a60..e85a409871 100644 ---- a/src/libsystemd/sd-bus/sd-bus.c -+++ b/src/libsystemd/sd-bus/sd-bus.c -@@ -39,6 +39,7 @@ - #include "parse-util.h" - #include "path-util.h" - #include "process-util.h" -+#include "stdio-util.h" - #include "string-util.h" - #include "strv.h" - #include "user-util.h" -@@ -1616,7 +1617,7 @@ static int user_and_machine_valid(const char *user_and_machine) { - if (!user) - return -ENOMEM; - -- if (!isempty(user) && !valid_user_group_name(user, VALID_USER_RELAX)) -+ if (!isempty(user) && !valid_user_group_name(user, VALID_USER_RELAX | VALID_USER_ALLOW_NUMERIC)) - return false; - - h++; -@@ -1647,17 +1648,25 @@ static int user_and_machine_equivalent(const char *user_and_machine) { - - /* Otherwise, if we are root, then we can also allow the ".host" syntax, as that's the user this - * would connect to. */ -- if (geteuid() == 0 && STR_IN_SET(user_and_machine, ".host", "root@.host")) -+ uid_t uid = geteuid(); -+ -+ if (uid == 0 && STR_IN_SET(user_and_machine, ".host", "root@.host", "0@.host")) - return true; - -- /* Otherwise, we have to figure our user name, and compare things with that. */ -- un = getusername_malloc(); -- if (!un) -- return -ENOMEM; -+ /* Otherwise, we have to figure out our user id and name, and compare things with that. */ -+ char buf[DECIMAL_STR_MAX(uid_t)]; -+ xsprintf(buf, UID_FMT, uid); -+ -+ f = startswith(user_and_machine, buf); -+ if (!f) { -+ un = getusername_malloc(); -+ if (!un) -+ return -ENOMEM; - -- f = startswith(user_and_machine, un); -- if (!f) -- return false; -+ f = startswith(user_and_machine, un); -+ if (!f) -+ return false; -+ } - - return STR_IN_SET(f, "@", "@.host"); - } --- -2.33.0 - diff --git a/backport-sd-bus-do-not-pass-NULL-when-received-message-with-i.patch b/backport-sd-bus-do-not-pass-NULL-when-received-message-with-i.patch deleted file mode 100644 index a7d756b..0000000 --- a/backport-sd-bus-do-not-pass-NULL-when-received-message-with-i.patch +++ /dev/null @@ -1,34 +0,0 @@ -From bc3d5f31bf8af840d3f4c1f66ea5d7ec6dcfcb1b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 14 Jul 2022 10:53:54 +0900 -Subject: [PATCH] sd-bus: do not pass NULL when received message with invalid - type - -Fixes #24003. - -(cherry picked from commit 3f0dbb0f0c4e3c0013fa5fe54441ca7f969555a7) -(cherry picked from commit e56bfc8a417d1877c25b943b75cd73163246fbf2) -(cherry picked from commit a6aa5b2f7262ba67acfddd6dfa304144639a9ca4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bc3d5f31bf8af840d3f4c1f66ea5d7ec6dcfcb1b ---- - src/libsystemd/sd-bus/sd-bus.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c -index e85a409871..7a58c560d5 100644 ---- a/src/libsystemd/sd-bus/sd-bus.c -+++ b/src/libsystemd/sd-bus/sd-bus.c -@@ -48,7 +48,7 @@ - do { \ - sd_bus_message *_mm = (m); \ - log_debug("Got message type=%s sender=%s destination=%s path=%s interface=%s member=%s cookie=%" PRIu64 " reply_cookie=%" PRIu64 " signature=%s error-name=%s error-message=%s", \ -- bus_message_type_to_string(_mm->header->type), \ -+ strna(bus_message_type_to_string(_mm->header->type)), \ - strna(sd_bus_message_get_sender(_mm)), \ - strna(sd_bus_message_get_destination(_mm)), \ - strna(sd_bus_message_get_path(_mm)), \ --- -2.27.0 - diff --git a/backport-sd-bus-fix-buffer-overflow.patch b/backport-sd-bus-fix-buffer-overflow.patch deleted file mode 100644 index d08ebc2..0000000 --- a/backport-sd-bus-fix-buffer-overflow.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 1a4f4051c3f41b7750dbc904bb4768413bc8bd58 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 27 May 2022 04:23:10 +0900 -Subject: [PATCH] sd-bus: fix buffer overflow - -Fixes #23486. - -(cherry picked from commit 89b6a3f13e5f3b8a375dc82cb2a1c2c204a5067e) -(cherry picked from commit a5c4e29b2ca83b0956ea4635e1db7b02ae007d55) -(cherry picked from commit a5b0338e896338774226a3bd8a56f63555c7b9ce) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/1a4f4051c3f41b7750dbc904bb4768413bc8bd58 ---- - src/libsystemd/sd-bus/bus-message.c | 30 ++++++++++++++---- - test/fuzz/fuzz-bus-message/issue-23486-case-1 | Bin 0 -> 32 bytes - test/fuzz/fuzz-bus-message/issue-23486-case-2 | Bin 0 -> 16 bytes - test/fuzz/fuzz-bus-message/issue-23486-case-3 | Bin 0 -> 16 bytes - 4 files changed, 23 insertions(+), 7 deletions(-) - create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-1 - create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-2 - create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-3 - -diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c -index 20f7396c74..d74a351e29 100644 ---- a/src/libsystemd/sd-bus/bus-message.c -+++ b/src/libsystemd/sd-bus/bus-message.c -@@ -428,7 +428,7 @@ int bus_message_from_header( - - _cleanup_free_ sd_bus_message *m = NULL; - struct bus_header *h; -- size_t a, label_sz; -+ size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */ - - assert(bus); - assert(header || header_accessible <= 0); -@@ -506,7 +506,10 @@ int bus_message_from_header( - m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size); - m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size); - -- if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size) -+ assert(message_size >= sizeof(struct bus_header)); -+ if (m->fields_size > message_size - sizeof(struct bus_header) || -+ ALIGN8(m->fields_size) > message_size - sizeof(struct bus_header) || -+ m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size)) - return -EBADMSG; - } - -@@ -3062,15 +3065,21 @@ void bus_body_part_unmap(struct bus_body_part *part) { - return; - } - --static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) { -+static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) { - size_t k, start, end; - - assert(rindex); - assert(align > 0); - -- start = ALIGN_TO((size_t) *rindex, align); -- end = start + nbytes; -+ start = ALIGN_TO(*rindex, align); -+ if (start > sz) -+ return -EBADMSG; -+ -+ /* Avoid overflow below */ -+ if (nbytes > SIZE_MAX - start) -+ return -EBADMSG; - -+ end = start + nbytes; - if (end > sz) - return -EBADMSG; - -@@ -3273,10 +3282,17 @@ static int message_peek_body( - assert(rindex); - assert(align > 0); - -- start = ALIGN_TO((size_t) *rindex, align); -+ start = ALIGN_TO(*rindex, align); -+ if (start > m->user_body_size) -+ return -EBADMSG; -+ - padding = start - *rindex; -- end = start + nbytes; - -+ /* Avoid overflow below */ -+ if (nbytes > SIZE_MAX - start) -+ return -EBADMSG; -+ -+ end = start + nbytes; - if (end > m->user_body_size) - return -EBADMSG; - -diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-1 b/test/fuzz/fuzz-bus-message/issue-23486-case-1 -new file mode 100644 -index 0000000000000000000000000000000000000000..fe8338b42ba6af6c080aa92aa619e05a6e6e1cc8 -GIT binary patch -literal 32 -gcmd1dVrFCj0xbpQd;uUW! -Date: Wed, 21 Jul 2021 11:10:36 +0200 -Subject: [PATCH] sd-bus: fix missing initializer in SD_BUS_VTABLE_END (#20253) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When two fields were added to the vtable.x.start struct, no initializers -for these were added to SD_BUS_VTABLE_END which also (ab)used that -struct (albeit sneakily by using non-designated initialization). - -While C tolerates this, C++ prohibits these missing initializers, and -both g++ and clang++ will complain when using -Wextra. - -This patch gives SD_BUS_VTABLE_END its own case in the union and -clarifies its initialization. - -I tested the behaviour of g++ 10.2 and clang 11 in various cases. Both will warn -(-Wmissing-field-initializers, implied by -Wextra) if you provide initializers for some -but not all fields of a struct. Declaring x.end as empty struct or using an empty initializer -{} to initialize the union or one of its members is valid C++ but not C, although both gcc -and clang accept it without warning (even at -Wall -Wextra -std=c90/c++11) unless you -use -pedantic (which requires -std=c99/c++2a to support designated initializers). - -Interestingly, .x = { .start = { 0, 0, NULL } } is the only initializer I found for the union -(among candidates for SD_BUS_VTABLE_END) where gcc doesn't zero-fill it entirely -when allocated on stack, it looked like it did in all other cases (I only examined this on -32-bit arm). clang always seems to initialize all bytes of the union. - -[zjs: test case: -$ cat vtable-test.cc -#include "sd-bus.h" - -const sd_bus_vtable vtable[] = { - SD_BUS_VTABLE_END -}; - -$ g++ -I src/systemd/ -Wall -Wmissing-field-initializers -c vtable-test.cc -vtable-test.cc:5:1: warning: missing initializer for member ‘sd_bus_vtable::::::features’ [-Wmissing-field-initializers] - 5 | }; - | ^ -vtable-test.cc:5:1: warning: missing initializer for member ‘sd_bus_vtable::::::vtable_format_reference’ [-Wmissing-field-initializers] - -$ clang++ -I src/systemd/ -Wmissing-field-initializers -c vtable-test.cc -vtable-test.cc:4:4: warning: missing field 'features' initializer [-Wmissing-field-initializers] - SD_BUS_VTABLE_END - ^ -src/systemd/sd-bus-vtable.h:188:28: note: expanded from macro 'SD_BUS_VTABLE_END' - .x = { { 0 } }, \ - ^ -1 warning generated. - -Both warnings are gone with the patch.] - -(cherry picked from commit 654eaa403070d3c897454a5190603fda4071c3ff) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/cdaf655f73bb3be10d47ab6f00d71a8d0b1a81e3 ---- - src/systemd/sd-bus-vtable.h | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/systemd/sd-bus-vtable.h b/src/systemd/sd-bus-vtable.h -index 75f8848360..35c942b16c 100644 ---- a/src/systemd/sd-bus-vtable.h -+++ b/src/systemd/sd-bus-vtable.h -@@ -75,6 +75,9 @@ struct sd_bus_vtable { - uint64_t features; - const unsigned *vtable_format_reference; - } start; -+ struct { -+ size_t reserved; -+ } end; - struct { - const char *member; - const char *signature; -@@ -185,7 +188,11 @@ struct sd_bus_vtable { - { \ - .type = _SD_BUS_VTABLE_END, \ - .flags = 0, \ -- .x = { { 0 } }, \ -+ .x = { \ -+ .end = { \ -+ .reserved = 0, \ -+ }, \ -+ }, \ - } - - #define _SD_ECHO(X) X --- -2.33.0 - diff --git a/backport-sd-bus-print-debugging-information-if-bus_container_.patch b/backport-sd-bus-print-debugging-information-if-bus_container_.patch deleted file mode 100644 index 2c046d9..0000000 --- a/backport-sd-bus-print-debugging-information-if-bus_container_.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 4358cbc8076352e7946956f5d71bf7c80d7f2e43 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 7 Jul 2021 18:01:03 +0200 -Subject: [PATCH] sd-bus: print debugging information if - bus_container_connect_socket() fails - -We would return the errno, but there are many steps, and without some -debugging info it's hard to figure out what exactly failed. - -(cherry picked from commit 0c201ca945c64e97ba4961ded13ce38a63200468) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4358cbc8076352e7946956f5d71bf7c80d7f2e43 ---- - src/libsystemd/sd-bus/bus-container.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/libsystemd/sd-bus/bus-container.c b/src/libsystemd/sd-bus/bus-container.c -index b11ebb3f65..1159af46cd 100644 ---- a/src/libsystemd/sd-bus/bus-container.c -+++ b/src/libsystemd/sd-bus/bus-container.c -@@ -37,11 +37,11 @@ int bus_container_connect_socket(sd_bus *b) { - - r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &usernsfd, &rootfd); - if (r < 0) -- return r; -+ return log_debug_errno(r, "Failed to open namespace of PID "PID_FMT": %m", b->nspid); - - b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); - if (b->input_fd < 0) -- return -errno; -+ return log_debug_errno(errno, "Failed to create a socket: %m"); - - b->input_fd = fd_move_above_stdio(b->input_fd); - -@@ -50,12 +50,12 @@ int bus_container_connect_socket(sd_bus *b) { - bus_socket_setup(b); - - if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0) -- return -errno; -+ return log_debug_errno(errno, "Failed to create a socket pair: %m"); - - r = namespace_fork("(sd-buscntrns)", "(sd-buscntr)", NULL, 0, FORK_RESET_SIGNALS|FORK_DEATHSIG, - pidnsfd, mntnsfd, -1, usernsfd, rootfd, &child); - if (r < 0) -- return r; -+ return log_debug_errno(r, "Failed to create namespace for (sd-buscntr): %m"); - if (r == 0) { - pair[0] = safe_close(pair[0]); - -@@ -80,20 +80,22 @@ int bus_container_connect_socket(sd_bus *b) { - - n = read(pair[0], &error_buf, sizeof(error_buf)); - if (n < 0) -- return -errno; -+ return log_debug_errno(errno, "Failed to read error status from (sd-buscntr): %m"); - - if (n > 0) { - if (n != sizeof(error_buf)) -- return -EIO; -+ return log_debug_errno(SYNTHETIC_ERRNO(EIO), -+ "Read error status of unexpected length %zd from (sd-buscntr): %m", n); - - if (error_buf < 0) -- return -EIO; -+ return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), -+ "Got unexpected error status from (sd-buscntr): %m"); - - if (error_buf == EINPROGRESS) - return 1; - - if (error_buf > 0) -- return -error_buf; -+ return log_debug_errno(error_buf, "Got error from (sd-buscntr): %m"); - } - - return bus_socket_start_auth(b); --- -2.33.0 - diff --git a/backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch b/backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch deleted file mode 100644 index 333e9e3..0000000 --- a/backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch +++ /dev/null @@ -1,69 +0,0 @@ -From a221143c6de4917bb6653f5aa134ce8be3c90f6c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 7 Jul 2021 16:36:49 +0200 -Subject: [PATCH] sd-bus: print quoted commandline when in bus_socket_exec() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The arguments are where the interesting part is: -src/libsystemd/sd-bus/bus-socket.c:965: sd-bus: starting bus with systemd-run... -↓ -src/libsystemd/sd-bus/bus-socket.c:972: sd-bus: starting bus with systemd-run -M.host -PGq --wait -pUser=1000 -pPAMName=login systemd-stdio-bridge "-punix:path=\${XDG_RUNTIME_DIR}/bus" - -(cherry picked from commit 87fa2e21dd7a30d25ccda2df6b8446a82637b059) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a221143c6de4917bb6653f5aa134ce8be3c90f6c ---- - src/libsystemd/sd-bus/bus-socket.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c -index 09eb49c37f..42c5f175d3 100644 ---- a/src/libsystemd/sd-bus/bus-socket.c -+++ b/src/libsystemd/sd-bus/bus-socket.c -@@ -12,6 +12,7 @@ - #include "bus-internal.h" - #include "bus-message.h" - #include "bus-socket.h" -+#include "escape.h" - #include "fd-util.h" - #include "format-util.h" - #include "fs-util.h" -@@ -962,8 +963,17 @@ int bus_socket_exec(sd_bus *b) { - assert(b->exec_path); - assert(b->busexec_pid == 0); - -- log_debug("sd-bus: starting bus%s%s with %s...", -- b->description ? " " : "", strempty(b->description), b->exec_path); -+ if (DEBUG_LOGGING) { -+ _cleanup_free_ char *line = NULL; -+ -+ if (b->exec_argv) -+ line = quote_command_line(b->exec_argv); -+ -+ log_debug("sd-bus: starting bus%s%s with %s%s", -+ b->description ? " " : "", strempty(b->description), -+ line ?: b->exec_path, -+ b->exec_argv && !line ? "…" : ""); -+ } - - r = socketpair(AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, s); - if (r < 0) -@@ -984,10 +994,8 @@ int bus_socket_exec(sd_bus *b) { - - if (b->exec_argv) - execvp(b->exec_path, b->exec_argv); -- else { -- const char *argv[] = { b->exec_path, NULL }; -- execvp(b->exec_path, (char**) argv); -- } -+ else -+ execvp(b->exec_path, STRV_MAKE(b->exec_path)); - - _exit(EXIT_FAILURE); - } --- -2.33.0 - diff --git a/backport-sd-device-introduce-device_has_devlink.patch b/backport-sd-device-introduce-device_has_devlink.patch deleted file mode 100644 index 147314c..0000000 --- a/backport-sd-device-introduce-device_has_devlink.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 8ada2c1b5922110d961aa82e6d712f6eed696afe Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 09:22:15 +0900 -Subject: [PATCH] sd-device: introduce device_has_devlink() - -(cherry picked from commit b881ce16b9ccae4c3089c82e2ea1781cd9773a4f) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/8ada2c1b5922110d961aa82e6d712f6eed696afe ---- - src/libsystemd/sd-device/device-private.h | 1 + - src/libsystemd/sd-device/sd-device.c | 7 +++++++ - 2 files changed, 8 insertions(+) - -diff --git a/src/libsystemd/sd-device/device-private.h b/src/libsystemd/sd-device/device-private.h -index fe268d7f2f..9bb5eff208 100644 ---- a/src/libsystemd/sd-device/device-private.h -+++ b/src/libsystemd/sd-device/device-private.h -@@ -32,6 +32,7 @@ void device_set_db_persist(sd_device *device); - void device_set_devlink_priority(sd_device *device, int priority); - int device_ensure_usec_initialized(sd_device *device, sd_device *device_old); - int device_add_devlink(sd_device *device, const char *devlink); -+bool device_has_devlink(sd_device *device, const char *devlink); - int device_add_property(sd_device *device, const char *property, const char *value); - int device_add_tag(sd_device *device, const char *tag, bool both); - void device_remove_tag(sd_device *device, const char *tag); -diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c -index 3f2cce5bba..418a5b10bd 100644 ---- a/src/libsystemd/sd-device/sd-device.c -+++ b/src/libsystemd/sd-device/sd-device.c -@@ -1195,6 +1195,13 @@ int device_add_devlink(sd_device *device, const char *devlink) { - return 0; - } - -+bool device_has_devlink(sd_device *device, const char *devlink) { -+ assert(device); -+ assert(devlink); -+ -+ return set_contains(device->devlinks, devlink); -+} -+ - static int device_add_property_internal_from_string(sd_device *device, const char *str) { - _cleanup_free_ char *key = NULL; - char *value; --- -2.33.0 - diff --git a/backport-sd-device-monitor-actually-refuse-to-send-invalid-de.patch b/backport-sd-device-monitor-actually-refuse-to-send-invalid-de.patch deleted file mode 100644 index 78173f3..0000000 --- a/backport-sd-device-monitor-actually-refuse-to-send-invalid-de.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b1b19cfdd22892ecc11e27206c3eab138c719e13 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 12 Aug 2022 04:19:27 +0900 -Subject: [PATCH] sd-device-monitor: actually refuse to send invalid devices - -Fixes an issue introduced by 9e79123884a36ce095b98d1c0fe247dddf02dbec. - -(cherry picked from commit 8bb4989906a1659b0f6adfa03dc7585e294a392b) -(cherry picked from commit 6e1acfe81823b67b6b830d3ae8d0f0184eab8b2f) -(cherry picked from commit b48a17f13fb85145c17ee1dd3beb450d1dcc4b08) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b1b19cfdd22892ecc11e27206c3eab138c719e13 ---- - src/libsystemd/sd-device/device-monitor.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd/sd-device/device-monitor.c b/src/libsystemd/sd-device/device-monitor.c -index 2cb35951de..d7c6c69640 100644 ---- a/src/libsystemd/sd-device/device-monitor.c -+++ b/src/libsystemd/sd-device/device-monitor.c -@@ -577,8 +577,8 @@ int device_monitor_send_device( - if (r < 0) - return log_device_debug_errno(device, r, "sd-device-monitor: Failed to get device properties: %m"); - if (blen < 32) -- log_device_debug_errno(device, SYNTHETIC_ERRNO(EINVAL), -- "sd-device-monitor: Length of device property nulstr is too small to contain valid device information"); -+ return log_device_debug_errno(device, SYNTHETIC_ERRNO(EINVAL), -+ "sd-device-monitor: Length of device property nulstr is too small to contain valid device information"); - - /* fill in versioned header */ - r = sd_device_get_subsystem(device, &val); --- -2.27.0 - diff --git a/backport-sd-device-monitor-update-log-message-to-clarify-the-.patch b/backport-sd-device-monitor-update-log-message-to-clarify-the-.patch deleted file mode 100644 index c07f738..0000000 --- a/backport-sd-device-monitor-update-log-message-to-clarify-the-.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 82b2135bf0512c11f7f21f9d0689e8ea5b4a2529 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 13 Oct 2021 12:57:40 +0900 -Subject: [PATCH] sd-device-monitor: update log message to clarify the error - will be ignored - -(cherry picked from commit 6b652c03a47aa28898dffd408543c06670e3450d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/82b2135bf0512c11f7f21f9d0689e8ea5b4a2529 ---- - src/libsystemd/sd-device/device-monitor.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/libsystemd/sd-device/device-monitor.c b/src/libsystemd/sd-device/device-monitor.c -index b485e3e2b6..2cb35951de 100644 ---- a/src/libsystemd/sd-device/device-monitor.c -+++ b/src/libsystemd/sd-device/device-monitor.c -@@ -178,7 +178,7 @@ int device_monitor_new_full(sd_device_monitor **ret, MonitorNetlinkGroup group, - - netns = ioctl(m->sock, SIOCGSKNS); - if (netns < 0) -- log_debug_errno(errno, "sd-device-monitor: Unable to get network namespace of udev netlink socket, unable to determine if we are in host netns: %m"); -+ log_debug_errno(errno, "sd-device-monitor: Unable to get network namespace of udev netlink socket, unable to determine if we are in host netns, ignoring: %m"); - else { - struct stat a, b; - -@@ -191,9 +191,9 @@ int device_monitor_new_full(sd_device_monitor **ret, MonitorNetlinkGroup group, - if (ERRNO_IS_PRIVILEGE(errno)) - /* If we can't access PID1's netns info due to permissions, it's fine, this is a - * safety check only after all. */ -- log_debug_errno(errno, "sd-device-monitor: No permission to stat PID1's netns, unable to determine if we are in host netns: %m"); -+ log_debug_errno(errno, "sd-device-monitor: No permission to stat PID1's netns, unable to determine if we are in host netns, ignoring: %m"); - else -- log_debug_errno(errno, "sd-device-monitor: Failed to stat PID1's netns: %m"); -+ log_debug_errno(errno, "sd-device-monitor: Failed to stat PID1's netns, ignoring: %m"); - - } else if (a.st_dev != b.st_dev || a.st_ino != b.st_ino) - log_debug("sd-device-monitor: Netlink socket we listen on is not from host netns, we won't see device events."); --- -2.33.0 - diff --git a/backport-sd-device-silence-gcc-warning-with-newest-gcc.patch b/backport-sd-device-silence-gcc-warning-with-newest-gcc.patch deleted file mode 100644 index 6aef517..0000000 --- a/backport-sd-device-silence-gcc-warning-with-newest-gcc.patch +++ /dev/null @@ -1,30 +0,0 @@ -From e05023045edd4a0e20b60e81f9fa54f08636d660 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 15 Jan 2022 13:38:30 +0100 -Subject: [PATCH] sd-device: silence gcc warning with newest gcc - -(cherry picked from commit 376ee2c312b87951028a0adff96b1052f32475fa) -(cherry picked from commit 18aff8c85720606e05826045b6799d19a7dcf08a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e05023045edd4a0e20b60e81f9fa54f08636d660 ---- - src/libsystemd/sd-device/sd-device.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c -index 388128bf33..45261588a8 100644 ---- a/src/libsystemd/sd-device/sd-device.c -+++ b/src/libsystemd/sd-device/sd-device.c -@@ -1370,7 +1370,7 @@ int device_read_db_internal_filename(sd_device *device, const char *filename) { - _cleanup_free_ char *db = NULL; - const char *value; - size_t db_len; -- char key; -+ char key = '\0'; /* Unnecessary initialization to appease gcc-12.0.0-0.4.fc36 */ - int r; - - enum { --- -2.33.0 - diff --git a/backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch b/backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch deleted file mode 100644 index 7c37251..0000000 --- a/backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch +++ /dev/null @@ -1,51 +0,0 @@ -From aaf7afb05cdbfbec6d06798b698689bdfe1a50ac Mon Sep 17 00:00:00 2001 -From: Evgeny Vereshchagin -Date: Sat, 29 Jan 2022 03:16:40 +0000 -Subject: [PATCH] sd-dhcp-lease: fix a memory leak in - dhcp_lease_parse_search_domains - -================================================================= -==81071==ERROR: LeakSanitizer: detected memory leaks - -Direct leak of 16 byte(s) in 1 object(s) allocated from: - #0 0x51245c in __interceptor_reallocarray (/home/vagrant/systemd/build/fuzz-dhcp-client+0x51245c) - #1 0x7f01440c67e6 in strv_push /home/vagrant/systemd/build/../src/basic/strv.c:435:13 - #2 0x7f01440ca9e1 in strv_consume /home/vagrant/systemd/build/../src/basic/strv.c:506:13 - #3 0x7f01440ca9e1 in strv_extend /home/vagrant/systemd/build/../src/basic/strv.c:558:16 - #4 0x5806e3 in dhcp_lease_parse_search_domains /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:900:21 - #5 0x57c1be in dhcp_lease_parse_options /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:727:21 - #6 0x572450 in parse_options /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:348:33 - #7 0x571c6a in dhcp_option_parse /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:376:13 - #8 0x559a01 in client_handle_offer /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-client.c:1543:13 - #9 0x5592bd in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/libsystemd-network/fuzz-dhcp-client.c:74:16 - #10 0x44a379 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a379) - #11 0x42ae1f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x42ae1f) - #12 0x432ade in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x432ade) - #13 0x421f86 in main (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421f86) - #14 0x7f0142fff55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f) - -(cherry picked from commit 9591c0a8b3496d0e5cbbfe7c75161ba80089c143) -(cherry picked from commit 7dc0f80588f371a62a56a75bf27eab2c515becf3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/aaf7afb05cdbfbec6d06798b698689bdfe1a50ac ---- - src/libsystemd-network/sd-dhcp-lease.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c -index 75aa0c3d2c..ccfd66caa3 100644 ---- a/src/libsystemd-network/sd-dhcp-lease.c -+++ b/src/libsystemd-network/sd-dhcp-lease.c -@@ -815,7 +815,7 @@ int dhcp_lease_parse_search_domains(const uint8_t *option, size_t len, char ***d - pos = next_chunk; - } - -- *domains = TAKE_PTR(names); -+ strv_free_and_replace(*domains, names); - - return cnt; - } --- -2.33.0 - diff --git a/backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch b/backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch deleted file mode 100644 index 8b270d4..0000000 --- a/backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c95ae2ba0093742292671fd30a63af15f1b63bc6 Mon Sep 17 00:00:00 2001 -From: Evgeny Vereshchagin -Date: Sat, 29 Jan 2022 02:08:39 +0000 -Subject: [PATCH] sd-dhcp-lease: fix an infinite loop found by the fuzzer - -(cherry picked from commit 86b06c666be8b7afb45541d35aa4d0ecb38056d1) -(cherry picked from commit 426807c54b9500b806eaaf50d32c7c936510706c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c95ae2ba0093742292671fd30a63af15f1b63bc6 ---- - src/libsystemd-network/sd-dhcp-lease.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c -index 9a0d7f6fea..75aa0c3d2c 100644 ---- a/src/libsystemd-network/sd-dhcp-lease.c -+++ b/src/libsystemd-network/sd-dhcp-lease.c -@@ -463,10 +463,8 @@ static int lease_parse_routes( - - route->option = SD_DHCP_OPTION_STATIC_ROUTE; - r = in4_addr_default_prefixlen((struct in_addr*) option, &route->dst_prefixlen); -- if (r < 0) { -- log_debug("Failed to determine destination prefix length from class based IP, ignoring"); -- continue; -- } -+ if (r < 0) -+ return -EINVAL; - - assert_se(lease_parse_be32(option, 4, &addr.s_addr) >= 0); - route->dst_addr = inet_makeaddr(inet_netof(addr), 0); --- -2.33.0 - diff --git a/backport-sd-dhcp-lease-fix-memleak.patch b/backport-sd-dhcp-lease-fix-memleak.patch deleted file mode 100644 index 9408663..0000000 --- a/backport-sd-dhcp-lease-fix-memleak.patch +++ /dev/null @@ -1,64 +0,0 @@ -From e2b7a7e3d285180ef04087cd5f821b42cb128c31 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 31 Jan 2022 05:19:09 +0900 -Subject: [PATCH] sd-dhcp-lease: fix memleak - -Fixes https://github.com/systemd/systemd/pull/22294#issuecomment-1024840811. - -(cherry picked from commit 06cf04dff4dd6c69e527913ad137616c23861270) -(cherry picked from commit ae95ca27bee2bef5bf53002873a254f1a0fe8b81) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e2b7a7e3d285180ef04087cd5f821b42cb128c31 ---- - src/libsystemd-network/sd-dhcp-lease.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c -index ccfd66caa3..421ca6f306 100644 ---- a/src/libsystemd-network/sd-dhcp-lease.c -+++ b/src/libsystemd-network/sd-dhcp-lease.c -@@ -1024,6 +1024,18 @@ int dhcp_lease_save(sd_dhcp_lease *lease, const char *lease_file) { - return 0; - } - -+static char **private_options_free(char **options) { -+ if (!options) -+ return NULL; -+ -+ for (unsigned i = 0; i < SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1; i++) -+ free(options[i]); -+ -+ return mfree(options); -+} -+ -+DEFINE_TRIVIAL_CLEANUP_FUNC(char**, private_options_free); -+ - int dhcp_lease_load(sd_dhcp_lease **ret, const char *lease_file) { - _cleanup_(sd_dhcp_lease_unrefp) sd_dhcp_lease *lease = NULL; - _cleanup_free_ char -@@ -1046,8 +1058,8 @@ int dhcp_lease_load(sd_dhcp_lease **ret, const char *lease_file) { - *vendor_specific_hex = NULL, - *lifetime = NULL, - *t1 = NULL, -- *t2 = NULL, -- *options[SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1] = {}; -+ *t2 = NULL; -+ _cleanup_(private_options_freep) char **options = NULL; - - int r, i; - -@@ -1058,6 +1070,10 @@ int dhcp_lease_load(sd_dhcp_lease **ret, const char *lease_file) { - if (r < 0) - return r; - -+ options = new0(char*, SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1); -+ if (!options) -+ return -ENOMEM; -+ - r = parse_env_file(NULL, lease_file, - "ADDRESS", &address, - "ROUTER", &router, --- -2.33.0 - diff --git a/backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch b/backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch deleted file mode 100644 index 37921e0..0000000 --- a/backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch +++ /dev/null @@ -1,29 +0,0 @@ -From bb320989bf7580f46a4867c361be1ee02eccc678 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 11 Aug 2021 16:20:35 +0900 -Subject: [PATCH] sd-dhcp-server: fix possible double-free or use-after-free - -(cherry picked from commit 3dc8fb0eb8dd4b7dd802aa69cfe5b2c8f760f561) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bb320989bf7580f46a4867c361be1ee02eccc678 ---- - src/libsystemd-network/sd-dhcp-server.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c -index e2ea79f584..9ae884b0fc 100644 ---- a/src/libsystemd-network/sd-dhcp-server.c -+++ b/src/libsystemd-network/sd-dhcp-server.c -@@ -1107,7 +1107,7 @@ int dhcp_server_handle_message(sd_dhcp_server *server, DHCPMessage *message, siz - - if (server->bound_leases[pool_offset] == existing_lease) { - server->bound_leases[pool_offset] = NULL; -- hashmap_remove(server->leases_by_client_id, existing_lease); -+ hashmap_remove(server->leases_by_client_id, &existing_lease->client_id); - dhcp_lease_free(existing_lease); - - if (server->callback) --- -2.33.0 - diff --git a/backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch b/backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch deleted file mode 100644 index a11eccd..0000000 --- a/backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 76bcd1d6d26ebe0424e2c5edc7f5a31a82ae3a7c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 28 Jan 2022 11:53:49 +0900 -Subject: [PATCH] sd-dhcp-server: refuse too large packet to send - -Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44134. - -(cherry picked from commit 71df50a9734f7006bc1ac8be59ca81c797b39c35) -(cherry picked from commit 530a18d49361ade6d3f09abb78f8f901753a4cda) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/76bcd1d6d26ebe0424e2c5edc7f5a31a82ae3a7c ---- - src/libsystemd-network/sd-dhcp-server.c | 3 +++ - ...z-dhcp-server-relay-message-4972399731277824 | Bin 0 -> 65508 bytes - 2 files changed, 3 insertions(+) - create mode 100644 test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 - -diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c -index 3f4af8440e..0b3904c02a 100644 ---- a/src/libsystemd-network/sd-dhcp-server.c -+++ b/src/libsystemd-network/sd-dhcp-server.c -@@ -296,6 +296,9 @@ static int dhcp_server_send_unicast_raw(sd_dhcp_server *server, - - memcpy(&link.ll.sll_addr, &packet->dhcp.chaddr, ETH_ALEN); - -+ if (len > UINT16_MAX) -+ return -EOVERFLOW; -+ - dhcp_packet_append_ip_headers(packet, server->address, DHCP_PORT_SERVER, - packet->dhcp.yiaddr, - DHCP_PORT_CLIENT, len, -1); -diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 -new file mode 100644 -index 0000000000000000000000000000000000000000..e902b6989b419428fa0114c973b148fbe583c871 -GIT binary patch -literal 65508 -zcmeHQO^Xyq7_QnGHe|g?!~_DVcn}G3nRRFO0}pY$Wa3jnmhk?a_5|05v50Z;< -z1A(xFv7AqGrXhzLPhg%F5=s4Qd=bvy4)*Yw9z -zZ$0%^b-mR?(XdwPvQk6J$<0WqDAFTJX*r;pPQLo0xf(^0?8x@Xn?A1uE5-~N`~Nl~ -zhtGuH?fz))UzyNS`-2uF0t}NYi=vLRRHC7)k&K;Yz -z5Ai&kd6AE?nV$zJxnc|PGo`*nj-Oq&D@#{5M^dG4&m4&|K2!Qgx7vgvHRjv;6O>OP -zUKu6u`sm=g5t$Yx617$MQ9b$PF0TP{AgERfP$atKe_n^KxF=V`K1)576{ilF@5puC -zUqzev0zUJ7f5_^t62;#O#n6SqfJ487Kt2DI6?y7t&sLu%Kf`1BR?lRv#!%W7m|djw+iBtgIV@ -zAghzr$?9bFfkJ?+PFC-L09l=^K2V%STb-=lfzxQKlhw)U-Lm@RWM#ZMFDmP5j=b>cA*6fKJ?Xv!0;GG=eYbQk6IRLUFCGE1dIwJH&WJxyn-G1L -zQ`uROo&^dv!<8lsm3>o`eSdXoY`ivhU}}1@HZ@V1tWH(NsQraUfZD$)+TV*SgLmmz -zPWczf+ui-vuVF>X!?_nVTm6fgdlI({>;CfAWAD!q9ezz*As)zMDD~dRD=Ly*^>?%R -z{-LHl$HCyE^mLtD$gQU-pOE_Ku0NfF(ti!yTI^EtuK0vtKEIs*mb7GdmX&!Gll-qb -z=a1hlH4zJZ0mhD*s=k45zdAa)pU+=wyrx=I2(?RT2P0ya5}$cf2HUM -zIQk;1iv>bf&qe^8MxVsM>|}Madf^cutE0Mt)5+>N2mm0mI#7U+)eFyQ9DyOL+p0=d -z&qn|N^@r6*v=;r74VTLC^{}^qOXXzZMOOE)a9o|XdL9D(V|5{PxAGrZJ(Hd~C6d)M -z5hAOT)oH7DK!B_c1cGn`Mi>2EAz3}e>Vvc%Y3jC@_2+c}2afE^5MKv-4>)j?i5a^XWOcH72L#CKKp+Thbb{A0EgKv1qzUU8ZcwNHg+4ZTbhZ~w(6F?bSnnn -zv!2P~1iwm^Ge(Np&Z3pAEEAQ;hQIGb0|s11RtE}@ezJNdN3}^Lt7n3akK#)jbr+{1?PH2gbp|IWU|9sOPFA;l4cnFFqGXu}03dct -z1Fw_S$?AnifUHhd?|=XflhuI&gsfh8PNS_(R<~7^wt7AS0Eny(6d+`EvU=eWAgkM| -zn$KyR7yy9C>OcWPRxdoK^<=AGR`1{&YgUG3x~)-IQpta&OG|QdxBC!Eqk%m3LnvC? -zU(6ywWX1*fxYzBYC#EmnJ$3qc$xqW#^7Rxsi@ejfQ+e&lwLPuO>bP|N_wpOR``O= -zqMO=~2sB@?6&(RzdpT`FI5hM163shM8qK>v>|}Madf^cutE0M#ZM>~ny%#$@FRwAu -zk8l%d#fw5bDWdCer#O6O$y`~w=Xy5PwQG&lhl_K^W&;VX4@Kj8>Q%AdupUF7!WO3R -z{JOcS4!g6@%MIo#TkCDp9e8L`-YMu$3$_ -zaOZxQvn`eOK-`d<+VS|`eLFJbpiRT4lOy?4>V_X!)LM2vw5OIxEY^)t?!n%Hcv>f`=W!aRkE7ml1O_NT$m&Aef`c80 -zvxtz@3x@z%-B#6jpg2srvbbRK7g-$uk=20$gse_hFFXQdbz4=*>iGx&AhJ48fRNP- -z&uJWiA*SXo8BS2QSRh6vXf&iBy%Ui|(>7aHi!9A00o^9~h -z<{8Bgix(dOws~yxIv{|T1^a9R8WiUMptohP;6HhCB$y_Nj3%X4rt414eRIEidqLx#7$K}Yv%4A%QOlz5w -ms+1UNDFta4jrEG`)UNv3W$G~9mo9->FvVI#b}H<0Wd8%4hT`V{ - -literal 0 -HcmV?d00001 - --- -2.33.0 - diff --git a/backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch b/backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch deleted file mode 100644 index ac227f2..0000000 --- a/backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 96acfde5aae2017e1cad042b51f179ad20aba38d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 28 Jan 2022 02:14:47 +0900 -Subject: [PATCH] sd-dhcp-server: rename server_send_nak() -> - server_send_nak_or_ignore() - -And logs error in the function. - -(cherry picked from commit eb5bff9c9de2bd218f5ac431e3aead4b5747ecd9) -(cherry picked from commit 7f36fb25d5c6681dbabb067a9fb083bfad37a804) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/96acfde5aae2017e1cad042b51f179ad20aba38d ---- - src/libsystemd-network/sd-dhcp-server.c | 29 ++++++++++++++----------- - 1 file changed, 16 insertions(+), 13 deletions(-) - -diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c -index 070f4ec1c2..d594aeb7cd 100644 ---- a/src/libsystemd-network/sd-dhcp-server.c -+++ b/src/libsystemd-network/sd-dhcp-server.c -@@ -583,16 +583,28 @@ static int server_send_offer_or_ack( - return 0; - } - --static int server_send_nak(sd_dhcp_server *server, DHCPRequest *req) { -+static int server_send_nak_or_ignore(sd_dhcp_server *server, bool init_reboot, DHCPRequest *req) { - _cleanup_free_ DHCPPacket *packet = NULL; - size_t offset; - int r; - -+ /* When a request is refused, RFC 2131, section 4.3.2 mentioned we should send NAK when the -+ * client is in INITREBOOT. If the client is in other state, there is nothing mentioned in the -+ * RFC whether we should send NAK or not. Hence, let's silently ignore the request. */ -+ -+ if (!init_reboot) -+ return 0; -+ - r = server_message_init(server, &packet, DHCP_NAK, &offset, req); - if (r < 0) -- return r; -+ return log_dhcp_server_errno(server, r, "Failed to create NAK message: %m"); -+ -+ r = dhcp_server_send_packet(server, req, packet, DHCP_NAK, offset); -+ if (r < 0) -+ return log_dhcp_server_errno(server, r, "Could not send NAK message: %m"); - -- return dhcp_server_send_packet(server, req, packet, DHCP_NAK, offset); -+ log_dhcp_server(server, "NAK (0x%x)", be32toh(req->message->xid)); -+ return DHCP_NAK; - } - - static int server_send_forcerenew(sd_dhcp_server *server, be32_t address, -@@ -1079,18 +1091,9 @@ int dhcp_server_handle_message(sd_dhcp_server *server, DHCPMessage *message, siz - server->callback(server, SD_DHCP_SERVER_EVENT_LEASE_CHANGED, server->callback_userdata); - - return DHCP_ACK; -- -- } else if (init_reboot) { -- r = server_send_nak(server, req); -- if (r < 0) -- /* this only fails on critical errors */ -- return log_dhcp_server_errno(server, r, "Could not send nak: %m"); -- -- log_dhcp_server(server, "NAK (0x%x)", be32toh(req->message->xid)); -- return DHCP_NAK; - } - -- break; -+ return server_send_nak_or_ignore(server, init_reboot, req); - } - - case DHCP_RELEASE: { --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch b/backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch deleted file mode 100644 index 496d3ee..0000000 --- a/backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch +++ /dev/null @@ -1,50 +0,0 @@ -From e444192a850854e5bc45673b29ba03e5a87a2297 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 10 Aug 2021 21:39:27 +0900 -Subject: [PATCH] sd-dhcp6-client: cirtainly adjust T1 and T2 - -This fixes a bug introduced by 99f1d3fc5043b33dea5faa88f7015a487965333f. -Note that in the information requesting mode, the lease has neither -addresses nor PD prefixes. - -(cherry picked from commit de949e911ee15d1c9daaf5ba5a3cff806fb2b514) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e444192a850854e5bc45673b29ba03e5a87a2297 ---- - src/libsystemd-network/sd-dhcp6-client.c | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c -index afeb346944..f99c12620b 100644 ---- a/src/libsystemd-network/sd-dhcp6-client.c -+++ b/src/libsystemd-network/sd-dhcp6-client.c -@@ -1328,17 +1328,16 @@ static int client_parse_message( - dhcp6_message_type_to_string(message->type)); - return -EINVAL; - } -+ } - -- } else { -- if (lease->ia.addresses) { -- lease->ia.ia_na.lifetime_t1 = htobe32(lt_t1); -- lease->ia.ia_na.lifetime_t2 = htobe32(lt_t2); -- } -+ if (lease->ia.addresses) { -+ lease->ia.ia_na.lifetime_t1 = htobe32(lt_t1); -+ lease->ia.ia_na.lifetime_t2 = htobe32(lt_t2); -+ } - -- if (lease->pd.addresses) { -- lease->pd.ia_pd.lifetime_t1 = htobe32(lt_t1); -- lease->pd.ia_pd.lifetime_t2 = htobe32(lt_t2); -- } -+ if (lease->pd.addresses) { -+ lease->pd.ia_pd.lifetime_t1 = htobe32(lt_t1); -+ lease->pd.ia_pd.lifetime_t2 = htobe32(lt_t2); - } - - client->information_refresh_time_usec = MAX(irt, IRT_MINIMUM); --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-constify-one-argument.patch b/backport-sd-dhcp6-client-constify-one-argument.patch deleted file mode 100644 index 3bd2d14..0000000 --- a/backport-sd-dhcp6-client-constify-one-argument.patch +++ /dev/null @@ -1,43 +0,0 @@ -From d3f99205f84172f6f9e41061a5aa9414eccf3571 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 23 Sep 2021 14:57:29 +0900 -Subject: [PATCH] sd-dhcp6-client: constify one argument - -(cherry picked from commit dc95e21d33708e807d3e5872af428383aac3f9b7) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d3f99205f84172f6f9e41061a5aa9414eccf3571 ---- - src/libsystemd-network/dhcp6-internal.h | 2 +- - src/libsystemd-network/dhcp6-option.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h -index 35cafc96ec..96d7de8cae 100644 ---- a/src/libsystemd-network/dhcp6-internal.h -+++ b/src/libsystemd-network/dhcp6-internal.h -@@ -105,7 +105,7 @@ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, - size_t *optlen, uint8_t **optvalue); - int dhcp6_option_parse_status(DHCP6Option *option, size_t len); - int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code); --int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, -+int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, - struct in6_addr **addrs, size_t count); - int dhcp6_option_parse_domainname_list(const uint8_t *optval, uint16_t optlen, - char ***str_arr); -diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c -index 34d7e997dd..0709cfd4fd 100644 ---- a/src/libsystemd-network/dhcp6-option.c -+++ b/src/libsystemd-network/dhcp6-option.c -@@ -707,7 +707,7 @@ int dhcp6_option_parse_ia( - return 1; - } - --int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, -+int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, - struct in6_addr **addrs, size_t count) { - - if (optlen == 0 || optlen % sizeof(struct in6_addr) != 0) --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-constify-several-arguments.patch b/backport-sd-dhcp6-client-constify-several-arguments.patch deleted file mode 100644 index e799b0b..0000000 --- a/backport-sd-dhcp6-client-constify-several-arguments.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 9dcf9e12a68640f413d52f48d1d9786c4c71e073 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 24 Sep 2021 13:34:14 +0900 -Subject: [PATCH] sd-dhcp6-client: constify several arguments - -(cherry picked from commit 3f8227bf830cc2b87ea9bce5394a71c186d12956) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9dcf9e12a68640f413d52f48d1d9786c4c71e073 ---- - src/libsystemd-network/dhcp6-lease-internal.h | 10 ++++------ - src/libsystemd-network/sd-dhcp6-lease.c | 12 +++++------- - 2 files changed, 9 insertions(+), 13 deletions(-) - -diff --git a/src/libsystemd-network/dhcp6-lease-internal.h b/src/libsystemd-network/dhcp6-lease-internal.h -index 391b4f1fa9..41b43ba7a4 100644 ---- a/src/libsystemd-network/dhcp6-lease-internal.h -+++ b/src/libsystemd-network/dhcp6-lease-internal.h -@@ -50,12 +50,10 @@ int dhcp6_lease_get_rapid_commit(sd_dhcp6_lease *lease, bool *rapid_commit); - int dhcp6_lease_get_iaid(sd_dhcp6_lease *lease, be32_t *iaid); - int dhcp6_lease_get_pd_iaid(sd_dhcp6_lease *lease, be32_t *iaid); - --int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen); --int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, uint8_t *optval, -- size_t optlen); --int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen); --int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, -- size_t optlen) ; -+int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); -+int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); -+int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); -+int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) ; - int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); - - int dhcp6_lease_new(sd_dhcp6_lease **ret); -diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c -index 9c77b146c7..8378971422 100644 ---- a/src/libsystemd-network/sd-dhcp6-lease.c -+++ b/src/libsystemd-network/sd-dhcp6-lease.c -@@ -193,7 +193,7 @@ void sd_dhcp6_lease_reset_pd_prefix_iter(sd_dhcp6_lease *lease) { - lease->prefix_iter = lease->pd.addresses; - } - --int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { -+int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { - assert_return(lease, -EINVAL); - assert_return(optval, -EINVAL); - -@@ -215,8 +215,7 @@ int sd_dhcp6_lease_get_dns(sd_dhcp6_lease *lease, const struct in6_addr **addrs) - return -ENOENT; - } - --int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, uint8_t *optval, -- size_t optlen) { -+int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { - int r; - char **domains; - -@@ -248,7 +247,7 @@ int sd_dhcp6_lease_get_domains(sd_dhcp6_lease *lease, char ***domains) { - return -ENOENT; - } - --int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { -+int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { - int r; - - assert_return(lease, -EINVAL); -@@ -295,7 +294,7 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { - return 0; - } - --int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { -+int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { - assert_return(lease, -EINVAL); - assert_return(optval, -EINVAL); - -@@ -335,8 +334,7 @@ int sd_dhcp6_lease_get_ntp_fqdn(sd_dhcp6_lease *lease, char ***ntp_fqdn) { - return -ENOENT; - } - --int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, -- size_t optlen) { -+int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { - int r; - char *fqdn; - --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch b/backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch deleted file mode 100644 index a544e4d..0000000 --- a/backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 4b05527fe35de9602cdcd68a9812d67cd0892e00 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 24 Sep 2021 15:00:43 +0900 -Subject: [PATCH] sd-dhcp6-client: do not merge NTP and SNTP options - -Previously, SNTP option is ignored when it appears after NTP option(s), -but merged later NTP options when it appears first. -This makes split the NTP and SNTP addresses, and use SNTP addresses only -when no NTP option is provided. - -(cherry picked from commit e693e969614062fea1746399cf5cff4c09526c6a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4b05527fe35de9602cdcd68a9812d67cd0892e00 ---- - src/libsystemd-network/dhcp6-lease-internal.h | 4 ++- - src/libsystemd-network/sd-dhcp6-client.c | 2 +- - src/libsystemd-network/sd-dhcp6-lease.c | 26 ++++++++++--------- - src/libsystemd-network/test-dhcp6-client.c | 3 +-- - 4 files changed, 19 insertions(+), 16 deletions(-) - -diff --git a/src/libsystemd-network/dhcp6-lease-internal.h b/src/libsystemd-network/dhcp6-lease-internal.h -index 41b43ba7a4..dbcb6d040f 100644 ---- a/src/libsystemd-network/dhcp6-lease-internal.h -+++ b/src/libsystemd-network/dhcp6-lease-internal.h -@@ -33,6 +33,8 @@ struct sd_dhcp6_lease { - size_t ntp_count; - char **ntp_fqdn; - size_t ntp_fqdn_count; -+ struct in6_addr *sntp; -+ size_t sntp_count; - char *fqdn; - }; - -@@ -53,7 +55,7 @@ int dhcp6_lease_get_pd_iaid(sd_dhcp6_lease *lease, be32_t *iaid); - int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); - int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); - int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); --int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) ; -+int dhcp6_lease_add_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) ; - int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); - - int dhcp6_lease_new(sd_dhcp6_lease **ret); -diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c -index efbf7d7df3..a31dd16c01 100644 ---- a/src/libsystemd-network/sd-dhcp6-client.c -+++ b/src/libsystemd-network/sd-dhcp6-client.c -@@ -1265,7 +1265,7 @@ static int client_parse_message( - break; - - case SD_DHCP6_OPTION_SNTP_SERVERS: -- r = dhcp6_lease_set_sntp(lease, optval, optlen); -+ r = dhcp6_lease_add_sntp(lease, optval, optlen); - if (r < 0) - return r; - -diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c -index 4804f0941a..e424aa15b6 100644 ---- a/src/libsystemd-network/sd-dhcp6-lease.c -+++ b/src/libsystemd-network/sd-dhcp6-lease.c -@@ -294,31 +294,32 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t opt - return 0; - } - --int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { -+int dhcp6_lease_add_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { - assert_return(lease, -EINVAL); - assert_return(optval, -EINVAL); - - if (optlen == 0) - return 0; - -- if (lease->ntp || lease->ntp_fqdn) -- return -EEXIST; -- -- /* Using deprecated SNTP information */ -- -- return dhcp6_option_parse_addresses(optval, optlen, &lease->ntp, &lease->ntp_count); -+ /* SNTP option is defined in RFC4075, and deprecated by RFC5908. */ -+ return dhcp6_option_parse_addresses(optval, optlen, &lease->sntp, &lease->sntp_count); - } - --int sd_dhcp6_lease_get_ntp_addrs(sd_dhcp6_lease *lease, -- const struct in6_addr **addrs) { -+int sd_dhcp6_lease_get_ntp_addrs(sd_dhcp6_lease *lease, const struct in6_addr **ret) { - assert_return(lease, -EINVAL); -- assert_return(addrs, -EINVAL); -+ assert_return(ret, -EINVAL); - -- if (lease->ntp_count) { -- *addrs = lease->ntp; -+ if (lease->ntp) { -+ *ret = lease->ntp; - return lease->ntp_count; - } - -+ if (lease->sntp && !lease->ntp_fqdn) { -+ /* Fallback to the deprecated SNTP option. */ -+ *ret = lease->sntp; -+ return lease->sntp_count; -+ } -+ - return -ENOENT; - } - -@@ -377,6 +378,7 @@ static sd_dhcp6_lease *dhcp6_lease_free(sd_dhcp6_lease *lease) { - strv_free(lease->domains); - free(lease->ntp); - strv_free(lease->ntp_fqdn); -+ free(lease->sntp); - - return mfree(lease); - } -diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c -index b22297dcd5..429687562c 100644 ---- a/src/libsystemd-network/test-dhcp6-client.c -+++ b/src/libsystemd-network/test-dhcp6-client.c -@@ -521,8 +521,7 @@ static int test_advertise_option(sd_event *e) { - - case SD_DHCP6_OPTION_SNTP_SERVERS: - assert_se(optlen == 16); -- assert_se(dhcp6_lease_set_sntp(lease, optval, -- optlen) >= 0); -+ assert_se(dhcp6_lease_add_sntp(lease, optval, optlen) >= 0); - break; - - default: --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch b/backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch deleted file mode 100644 index d49a7b6..0000000 --- a/backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch +++ /dev/null @@ -1,154 +0,0 @@ -From b8a852e515002e5e312dd99b964bb17b9ca8fc1d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 24 Sep 2021 01:24:52 +0900 -Subject: [PATCH] sd-dhcp6-client: fix buffer size calculation in - dhcp6_option_parse_ip6addrs() - -GREEDY_REALLOC() takes number of elements, not buffer size. - -This also rename dhcp6_option_parse_ip6addrs() to -dhcp6_option_parse_addresses(). - -(cherry picked from commit ad3c84204c76e03a0b9b761563f6cd8907515014) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/b8a852e515002e5e312dd99b964bb17b9ca8fc1d ---- - src/libsystemd-network/dhcp6-internal.h | 7 ++++-- - src/libsystemd-network/dhcp6-option.c | 22 +++++++++++------- - src/libsystemd-network/sd-dhcp6-lease.c | 30 +++++-------------------- - 3 files changed, 24 insertions(+), 35 deletions(-) - -diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h -index 8d083d3858..e555557914 100644 ---- a/src/libsystemd-network/dhcp6-internal.h -+++ b/src/libsystemd-network/dhcp6-internal.h -@@ -111,8 +111,11 @@ int dhcp6_option_parse( - const uint8_t **ret_option_data); - int dhcp6_option_parse_status(DHCP6Option *option, size_t len); - int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code); --int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, -- struct in6_addr **addrs, size_t count); -+int dhcp6_option_parse_addresses( -+ const uint8_t *optval, -+ size_t optlen, -+ struct in6_addr **addrs, -+ size_t *count); - int dhcp6_option_parse_domainname_list(const uint8_t *optval, uint16_t optlen, - char ***str_arr); - int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char **str); -diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c -index 781d391c0c..8f763de133 100644 ---- a/src/libsystemd-network/dhcp6-option.c -+++ b/src/libsystemd-network/dhcp6-option.c -@@ -699,20 +699,26 @@ int dhcp6_option_parse_ia( - return 1; - } - --int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, -- struct in6_addr **addrs, size_t count) { -+int dhcp6_option_parse_addresses( -+ const uint8_t *optval, -+ size_t optlen, -+ struct in6_addr **addrs, -+ size_t *count) { -+ -+ assert(optval); -+ assert(addrs); -+ assert(count); - - if (optlen == 0 || optlen % sizeof(struct in6_addr) != 0) -- return -EINVAL; -+ return -EBADMSG; - -- if (!GREEDY_REALLOC(*addrs, count * sizeof(struct in6_addr) + optlen)) -+ if (!GREEDY_REALLOC(*addrs, *count + optlen / sizeof(struct in6_addr))) - return -ENOMEM; - -- memcpy(*addrs + count, optval, optlen); -+ memcpy(*addrs + *count, optval, optlen); -+ *count += optlen / sizeof(struct in6_addr); - -- count += optlen / sizeof(struct in6_addr); -- -- return count; -+ return 0; - } - - static int parse_domain(const uint8_t **data, uint16_t *len, char **out_domain) { -diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c -index 6375a22537..9c77b146c7 100644 ---- a/src/libsystemd-network/sd-dhcp6-lease.c -+++ b/src/libsystemd-network/sd-dhcp6-lease.c -@@ -194,22 +194,13 @@ void sd_dhcp6_lease_reset_pd_prefix_iter(sd_dhcp6_lease *lease) { - } - - int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { -- int r; -- - assert_return(lease, -EINVAL); - assert_return(optval, -EINVAL); - -- if (!optlen) -+ if (optlen == 0) - return 0; - -- r = dhcp6_option_parse_ip6addrs(optval, optlen, &lease->dns, -- lease->dns_count); -- if (r < 0) -- return r; -- -- lease->dns_count = r; -- -- return 0; -+ return dhcp6_option_parse_addresses(optval, optlen, &lease->dns, &lease->dns_count); - } - - int sd_dhcp6_lease_get_dns(sd_dhcp6_lease *lease, const struct in6_addr **addrs) { -@@ -281,12 +272,10 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { - if (sublen != 16) - return 0; - -- r = dhcp6_option_parse_ip6addrs(subval, sublen, &lease->ntp, lease->ntp_count); -+ r = dhcp6_option_parse_addresses(subval, sublen, &lease->ntp, &lease->ntp_count); - if (r < 0) - return r; - -- lease->ntp_count = r; -- - break; - - case DHCP6_NTP_SUBOPTION_SRV_FQDN: { -@@ -307,12 +296,10 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { - } - - int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { -- int r; -- - assert_return(lease, -EINVAL); - assert_return(optval, -EINVAL); - -- if (!optlen) -+ if (optlen == 0) - return 0; - - if (lease->ntp || lease->ntp_fqdn) -@@ -320,14 +307,7 @@ int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) - - /* Using deprecated SNTP information */ - -- r = dhcp6_option_parse_ip6addrs(optval, optlen, &lease->ntp, -- lease->ntp_count); -- if (r < 0) -- return r; -- -- lease->ntp_count = r; -- -- return 0; -+ return dhcp6_option_parse_addresses(optval, optlen, &lease->ntp, &lease->ntp_count); - } - - int sd_dhcp6_lease_get_ntp_addrs(sd_dhcp6_lease *lease, --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch b/backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch deleted file mode 100644 index 5b175e4..0000000 --- a/backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 1c71cba86be4818c1546d5f84fde5138f737e180 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 10 Aug 2021 21:36:04 +0900 -Subject: [PATCH] sd-dhcp6-client: fix copy-and-paste mistake - -Fix bug introduced by b47fb949b338a8e77be789542fffb8c86da79284. - -(cherry picked from commit 0c42b613485978eb82d7aff7ed426b8a8bb327af) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1c71cba86be4818c1546d5f84fde5138f737e180 ---- - src/libsystemd-network/sd-dhcp6-client.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c -index e8c47f429a..afeb346944 100644 ---- a/src/libsystemd-network/sd-dhcp6-client.c -+++ b/src/libsystemd-network/sd-dhcp6-client.c -@@ -1219,7 +1219,7 @@ static int client_parse_message( - - if (lease->ia.addresses) { - lt_t1 = MIN(lt_t1, be32toh(lease->ia.ia_na.lifetime_t1)); -- lt_t2 = MIN(lt_t2, be32toh(lease->ia.ia_na.lifetime_t1)); -+ lt_t2 = MIN(lt_t2, be32toh(lease->ia.ia_na.lifetime_t2)); - } - - break; --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-fix-error-handling.patch b/backport-sd-dhcp6-client-fix-error-handling.patch deleted file mode 100644 index 437f576..0000000 --- a/backport-sd-dhcp6-client-fix-error-handling.patch +++ /dev/null @@ -1,33 +0,0 @@ -From c766dc2f77ed15e41de70e5e5f03dc4650fa55de Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 30 Nov 2021 17:58:40 +0900 -Subject: [PATCH] sd-dhcp6-client: fix error handling - -(cherry picked from commit 97e80ee4a86d4097fda78a01d8b64ad2085008f3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c766dc2f77ed15e41de70e5e5f03dc4650fa55de ---- - src/libsystemd-network/sd-dhcp6-client.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c -index a31dd16c01..1acca301b4 100644 ---- a/src/libsystemd-network/sd-dhcp6-client.c -+++ b/src/libsystemd-network/sd-dhcp6-client.c -@@ -1424,10 +1424,10 @@ static int client_receive_message( - len = recv(fd, message, buflen, 0); - if (len < 0) { - /* see comment above for why we shouldn't error out on ENETDOWN. */ -- if (IN_SET(errno, EAGAIN, EINTR, ENETDOWN)) -+ if (IN_SET(len, -EAGAIN, -EINTR, -ENETDOWN)) - return 0; - -- return log_dhcp6_client_errno(client, errno, "Could not receive message from UDP socket: %m"); -+ return log_dhcp6_client_errno(client, len, "Could not receive message from UDP socket: %m"); - - } - if ((size_t) len < sizeof(DHCP6Message)) { --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch b/backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch deleted file mode 100644 index ca540be..0000000 --- a/backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch +++ /dev/null @@ -1,318 +0,0 @@ -From 5193b40cebe30e6297ba8d1e8cf888ab25cea2ae Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 22 Sep 2021 10:35:56 +0300 -Subject: [PATCH] sd-dhcp6-client: ignore IAs whose IAID do not match client's - IAID - -But do not refuse whole message. - -(cherry picked from commit 469fd57f181e2a8d93f01662418ca998e1239ea5) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5193b40cebe30e6297ba8d1e8cf888ab25cea2ae ---- - src/libsystemd-network/dhcp6-internal.h | 2 +- - src/libsystemd-network/dhcp6-option.c | 36 ++++++++++++++++++-- - src/libsystemd-network/sd-dhcp6-client.c | 29 +++------------- - src/libsystemd-network/test-dhcp6-client.c | 39 ++++++++++++++-------- - 4 files changed, 64 insertions(+), 42 deletions(-) - -diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h -index f0f814957f..35cafc96ec 100644 ---- a/src/libsystemd-network/dhcp6-internal.h -+++ b/src/libsystemd-network/dhcp6-internal.h -@@ -104,7 +104,7 @@ int dhcp6_option_append_vendor_option(uint8_t **buf, size_t *buflen, OrderedHash - int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, - size_t *optlen, uint8_t **optvalue); - int dhcp6_option_parse_status(DHCP6Option *option, size_t len); --int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6IA *ia, uint16_t *ret_status_code); -+int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code); - int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, - struct in6_addr **addrs, size_t count); - int dhcp6_option_parse_domainname_list(const uint8_t *optval, uint16_t optlen, -diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c -index 97ef03a2d2..34d7e997dd 100644 ---- a/src/libsystemd-network/dhcp6-option.c -+++ b/src/libsystemd-network/dhcp6-option.c -@@ -509,7 +509,13 @@ static int dhcp6_option_parse_pdprefix(sd_dhcp6_client *client, DHCP6Option *opt - return 0; - } - --int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6IA *ia, uint16_t *ret_status_code) { -+int dhcp6_option_parse_ia( -+ sd_dhcp6_client *client, -+ DHCP6Option *iaoption, -+ be32_t iaid, -+ DHCP6IA *ia, -+ uint16_t *ret_status_code) { -+ - uint32_t lt_t1, lt_t2, lt_valid = 0, lt_min = UINT32_MAX; - uint16_t iatype, optlen; - size_t iaaddr_offset; -@@ -529,6 +535,14 @@ int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6I - if (len < DHCP6_OPTION_IA_NA_LEN) - return -ENOBUFS; - -+ /* According to RFC8415, IAs which do not match the client's IAID should be ignored, -+ * but not necessary to ignore or refuse the whole message. */ -+ if (((const struct ia_na*) iaoption->data)->id != iaid) -+ /* ENOANO indicates the option should be ignored. */ -+ return log_dhcp6_client_errno(client, SYNTHETIC_ERRNO(ENOANO), -+ "Received an IA_NA option with a different IAID " -+ "from the one chosen by the client, ignoring."); -+ - iaaddr_offset = DHCP6_OPTION_IA_NA_LEN; - memcpy(&ia->ia_na, iaoption->data, sizeof(ia->ia_na)); - -@@ -547,6 +561,14 @@ int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6I - if (len < sizeof(ia->ia_pd)) - return -ENOBUFS; - -+ /* According to RFC8415, IAs which do not match the client's IAID should be ignored, -+ * but not necessary to ignore or refuse the whole message. */ -+ if (((const struct ia_pd*) iaoption->data)->id != iaid) -+ /* ENOANO indicates the option should be ignored. */ -+ return log_dhcp6_client_errno(client, SYNTHETIC_ERRNO(ENOANO), -+ "Received an IA_PD option with a different IAID " -+ "from the one chosen by the client, ignoring."); -+ - iaaddr_offset = sizeof(ia->ia_pd); - memcpy(&ia->ia_pd, iaoption->data, sizeof(ia->ia_pd)); - -@@ -564,13 +586,21 @@ int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6I - if (len < DHCP6_OPTION_IA_TA_LEN) - return -ENOBUFS; - -+ /* According to RFC8415, IAs which do not match the client's IAID should be ignored, -+ * but not necessary to ignore or refuse the whole message. */ -+ if (((const struct ia_ta*) iaoption->data)->id != iaid) -+ /* ENOANO indicates the option should be ignored. */ -+ return log_dhcp6_client_errno(client, SYNTHETIC_ERRNO(ENOANO), -+ "Received an IA_TA option with a different IAID " -+ "from the one chosen by the client, ignoring."); -+ - iaaddr_offset = DHCP6_OPTION_IA_TA_LEN; -- memcpy(&ia->ia_ta.id, iaoption->data, sizeof(ia->ia_ta)); -+ memcpy(&ia->ia_ta, iaoption->data, sizeof(ia->ia_ta)); - - break; - - default: -- return -ENOMSG; -+ return -EINVAL; - } - - ia->type = iatype; -diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c -index f99c12620b..efbf7d7df3 100644 ---- a/src/libsystemd-network/sd-dhcp6-client.c -+++ b/src/libsystemd-network/sd-dhcp6-client.c -@@ -1119,7 +1119,6 @@ static int client_parse_message( - while (pos < len) { - DHCP6Option *option = (DHCP6Option *) &message->options[pos]; - uint16_t optcode, optlen; -- be32_t iaid_lease; - int status; - uint8_t *optval; - -@@ -1198,8 +1197,8 @@ static int client_parse_message( - break; - } - -- r = dhcp6_option_parse_ia(client, option, &lease->ia, &ia_na_status); -- if (r < 0 && r != -ENOMSG) -+ r = dhcp6_option_parse_ia(client, option, client->ia_pd.ia_na.id, &lease->ia, &ia_na_status); -+ if (r < 0 && r != -ENOANO) - return r; - - if (ia_na_status == DHCP6_STATUS_NO_ADDRS_AVAIL) { -@@ -1207,16 +1206,6 @@ static int client_parse_message( - continue; - } - -- r = dhcp6_lease_get_iaid(lease, &iaid_lease); -- if (r < 0) -- return r; -- -- if (client->ia_na.ia_na.id != iaid_lease) { -- log_dhcp6_client(client, "%s has wrong IAID for IA NA", -- dhcp6_message_type_to_string(message->type)); -- return -EINVAL; -- } -- - if (lease->ia.addresses) { - lt_t1 = MIN(lt_t1, be32toh(lease->ia.ia_na.lifetime_t1)); - lt_t2 = MIN(lt_t2, be32toh(lease->ia.ia_na.lifetime_t2)); -@@ -1231,8 +1220,8 @@ static int client_parse_message( - break; - } - -- r = dhcp6_option_parse_ia(client, option, &lease->pd, &ia_pd_status); -- if (r < 0 && r != -ENOMSG) -+ r = dhcp6_option_parse_ia(client, option, client->ia_pd.ia_pd.id, &lease->pd, &ia_pd_status); -+ if (r < 0 && r != -ENOANO) - return r; - - if (ia_pd_status == DHCP6_STATUS_NO_PREFIX_AVAIL) { -@@ -1240,16 +1229,6 @@ static int client_parse_message( - continue; - } - -- r = dhcp6_lease_get_pd_iaid(lease, &iaid_lease); -- if (r < 0) -- return r; -- -- if (client->ia_pd.ia_pd.id != iaid_lease) { -- log_dhcp6_client(client, "%s has wrong IAID for IA PD", -- dhcp6_message_type_to_string(message->type)); -- return -EINVAL; -- } -- - if (lease->pd.addresses) { - lt_t1 = MIN(lt_t1, be32toh(lease->pd.ia_pd.lifetime_t1)); - lt_t2 = MIN(lt_t2, be32toh(lease->pd.ia_pd.lifetime_t2)); -diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c -index a72c13684d..5e3b191595 100644 ---- a/src/libsystemd-network/test-dhcp6-client.c -+++ b/src/libsystemd-network/test-dhcp6-client.c -@@ -287,25 +287,31 @@ static int test_option_status(sd_event *e) { - }; - DHCP6Option *option; - DHCP6IA ia, pd; -+ be32_t iaid; - int r = 0; - - log_debug("/* %s */", __func__); - -+ memcpy(&iaid, option1 + 4, sizeof(iaid)); -+ - zero(ia); - option = (DHCP6Option *)option1; - assert_se(sizeof(option1) == sizeof(DHCP6Option) + be16toh(option->len)); - -- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL); -+ r = dhcp6_option_parse_ia(NULL, option, 0, &ia, NULL); -+ assert_se(r == -ENOANO); -+ -+ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL); - assert_se(r == 0); - assert_se(ia.addresses == NULL); - - option->len = htobe16(17); -- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL); -+ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL); - assert_se(r == -ENOBUFS); - assert_se(ia.addresses == NULL); - - option->len = htobe16(sizeof(DHCP6Option)); -- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL); -+ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL); - assert_se(r == -ENOBUFS); - assert_se(ia.addresses == NULL); - -@@ -313,7 +319,7 @@ static int test_option_status(sd_event *e) { - option = (DHCP6Option *)option2; - assert_se(sizeof(option2) == sizeof(DHCP6Option) + be16toh(option->len)); - -- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL); -+ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL); - assert_se(r >= 0); - assert_se(ia.addresses == NULL); - -@@ -321,7 +327,7 @@ static int test_option_status(sd_event *e) { - option = (DHCP6Option *)option3; - assert_se(sizeof(option3) == sizeof(DHCP6Option) + be16toh(option->len)); - -- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL); -+ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL); - assert_se(r >= 0); - assert_se(ia.addresses != NULL); - dhcp6_lease_free_ia(&ia); -@@ -330,7 +336,7 @@ static int test_option_status(sd_event *e) { - option = (DHCP6Option *)option4; - assert_se(sizeof(option4) == sizeof(DHCP6Option) + be16toh(option->len)); - -- r = dhcp6_option_parse_ia(NULL, option, &pd, NULL); -+ r = dhcp6_option_parse_ia(NULL, option, iaid, &pd, NULL); - assert_se(r >= 0); - assert_se(pd.addresses != NULL); - assert_se(memcmp(&pd.ia_pd.id, &option4[4], 4) == 0); -@@ -342,7 +348,7 @@ static int test_option_status(sd_event *e) { - option = (DHCP6Option *)option5; - assert_se(sizeof(option5) == sizeof(DHCP6Option) + be16toh(option->len)); - -- r = dhcp6_option_parse_ia(NULL, option, &pd, NULL); -+ r = dhcp6_option_parse_ia(NULL, option, iaid, &pd, NULL); - assert_se(r >= 0); - assert_se(pd.addresses != NULL); - dhcp6_lease_free_ia(&pd); -@@ -447,13 +453,14 @@ static int test_advertise_option(sd_event *e) { - opt_clientid = true; - break; - -- case SD_DHCP6_OPTION_IA_NA: -+ case SD_DHCP6_OPTION_IA_NA: { -+ be32_t iaid = htobe32(0x0ecfa37d); -+ - assert_se(optlen == 94); - assert_se(optval == &msg_advertise[26]); - assert_se(!memcmp(optval, &msg_advertise[26], optlen)); - -- val = htobe32(0x0ecfa37d); -- assert_se(!memcmp(optval, &val, sizeof(val))); -+ assert_se(!memcmp(optval, &iaid, sizeof(val))); - - val = htobe32(80); - assert_se(!memcmp(optval + 4, &val, sizeof(val))); -@@ -461,10 +468,10 @@ static int test_advertise_option(sd_event *e) { - val = htobe32(120); - assert_se(!memcmp(optval + 8, &val, sizeof(val))); - -- assert_se(dhcp6_option_parse_ia(NULL, option, &lease->ia, NULL) >= 0); -+ assert_se(dhcp6_option_parse_ia(NULL, option, iaid, &lease->ia, NULL) >= 0); - - break; -- -+ } - case SD_DHCP6_OPTION_SERVERID: - assert_se(optlen == 14); - assert_se(optval == &msg_advertise[179]); -@@ -598,6 +605,8 @@ static void test_client_solicit_cb(sd_dhcp6_client *client, int event, - static int test_client_send_reply(DHCP6Message *request) { - DHCP6Message reply; - -+ log_debug("/* %s */", __func__); -+ - reply.transaction_id = request->transaction_id; - reply.type = DHCP6_REPLY; - -@@ -658,7 +667,7 @@ static int test_client_verify_request(DHCP6Message *request, size_t len) { - assert_se(!memcmp(optval + 8, &val, sizeof(val))); - - /* Then, this should refuse all addresses. */ -- assert_se(dhcp6_option_parse_ia(NULL, option, &lease->ia, NULL) >= 0); -+ assert_se(dhcp6_option_parse_ia(NULL, option, test_iaid, &lease->ia, NULL) >= 0); - - break; - -@@ -704,6 +713,8 @@ static int test_client_verify_request(DHCP6Message *request, size_t len) { - static int test_client_send_advertise(DHCP6Message *solicit) { - DHCP6Message advertise; - -+ log_debug("/* %s */", __func__); -+ - advertise.transaction_id = solicit->transaction_id; - advertise.type = DHCP6_ADVERTISE; - -@@ -899,6 +910,8 @@ int dhcp6_network_send_udp_socket(int s, struct in6_addr *server_address, - IN6ADDR_ALL_DHCP6_RELAY_AGENTS_AND_SERVERS_INIT; - DHCP6Message *message; - -+ log_debug("/* %s */", __func__); -+ - assert_se(s == test_dhcp_fd[0]); - assert_se(server_address); - assert_se(packet); --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch b/backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch deleted file mode 100644 index 6ef4219..0000000 --- a/backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch +++ /dev/null @@ -1,45 +0,0 @@ -From f160a20a6bf995617cf8a22466638755f9a07813 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 24 Sep 2021 23:45:13 +0900 -Subject: [PATCH] sd-dhcp6-client: make dhcp6_lease_free() accepts NULL - -(cherry picked from commit 5cf67bb4072f149d0404398bfc359b068312ba28) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f160a20a6bf995617cf8a22466638755f9a07813 ---- - src/libsystemd-network/sd-dhcp6-lease.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c -index 8378971422..4804f0941a 100644 ---- a/src/libsystemd-network/sd-dhcp6-lease.c -+++ b/src/libsystemd-network/sd-dhcp6-lease.c -@@ -366,20 +366,18 @@ int sd_dhcp6_lease_get_fqdn(sd_dhcp6_lease *lease, const char **fqdn) { - } - - static sd_dhcp6_lease *dhcp6_lease_free(sd_dhcp6_lease *lease) { -- assert(lease); -+ if (!lease) -+ return NULL; - - free(lease->serverid); - dhcp6_lease_free_ia(&lease->ia); - dhcp6_lease_free_ia(&lease->pd); -- - free(lease->dns); - free(lease->fqdn); -- -- lease->domains = strv_free(lease->domains); -- -+ strv_free(lease->domains); - free(lease->ntp); -+ strv_free(lease->ntp_fqdn); - -- lease->ntp_fqdn = strv_free(lease->ntp_fqdn); - return mfree(lease); - } - --- -2.33.0 - diff --git a/backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch b/backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch deleted file mode 100644 index e9b9c03..0000000 --- a/backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch +++ /dev/null @@ -1,275 +0,0 @@ -From 1cc074167fd29c6c8c9dc5d7fd6c38e4dd91ca71 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 23 Sep 2021 14:58:28 +0900 -Subject: [PATCH] sd-dhcp6-client: modernize dhcp6_option_parse() - -- merge dhcp6_option_parse() with option_parse_hdr(). -- do not assign/update any values on error. -- use assert() instead of assert_return(), as the assertions cannot - be triggered by a library user. - -(cherry picked from commit b89a3758e92894162e3c2dcb594a55acff3274d5) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1cc074167fd29c6c8c9dc5d7fd6c38e4dd91ca71 ---- - src/libsystemd-network/dhcp6-internal.h | 10 +++- - src/libsystemd-network/dhcp6-option.c | 60 ++++++++++------------ - src/libsystemd-network/sd-dhcp6-lease.c | 37 ++++++------- - src/libsystemd-network/test-dhcp6-client.c | 50 +++++++++--------- - 4 files changed, 76 insertions(+), 81 deletions(-) - -diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h -index 96d7de8cae..8d083d3858 100644 ---- a/src/libsystemd-network/dhcp6-internal.h -+++ b/src/libsystemd-network/dhcp6-internal.h -@@ -101,8 +101,14 @@ int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn); - int dhcp6_option_append_user_class(uint8_t **buf, size_t *buflen, char * const *user_class); - int dhcp6_option_append_vendor_class(uint8_t **buf, size_t *buflen, char * const *user_class); - int dhcp6_option_append_vendor_option(uint8_t **buf, size_t *buflen, OrderedHashmap *vendor_options); --int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, -- size_t *optlen, uint8_t **optvalue); -+ -+int dhcp6_option_parse( -+ const uint8_t *buf, -+ size_t buflen, -+ size_t *offset, -+ uint16_t *ret_option_code, -+ size_t *ret_option_data_len, -+ const uint8_t **ret_option_data); - int dhcp6_option_parse_status(DHCP6Option *option, size_t len); - int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code); - int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, -diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c -index 0709cfd4fd..781d391c0c 100644 ---- a/src/libsystemd-network/dhcp6-option.c -+++ b/src/libsystemd-network/dhcp6-option.c -@@ -370,47 +370,39 @@ int dhcp6_option_append_vendor_class(uint8_t **buf, size_t *buflen, char * const - return dhcp6_option_append(buf, buflen, SD_DHCP6_OPTION_VENDOR_CLASS, total, p); - } - --static int option_parse_hdr(uint8_t **buf, size_t *buflen, uint16_t *optcode, size_t *optlen) { -- DHCP6Option *option = (DHCP6Option*) *buf; -- uint16_t len; -- -- assert_return(buf, -EINVAL); -- assert_return(optcode, -EINVAL); -- assert_return(optlen, -EINVAL); -- -- if (*buflen < offsetof(DHCP6Option, data)) -- return -ENOMSG; -- -- len = be16toh(option->len); -- -- if (len > *buflen) -- return -ENOMSG; -- -- *optcode = be16toh(option->code); -- *optlen = len; -+int dhcp6_option_parse( -+ const uint8_t *buf, -+ size_t buflen, -+ size_t *offset, -+ uint16_t *ret_option_code, -+ size_t *ret_option_data_len, -+ const uint8_t **ret_option_data) { - -- *buf += 4; -- *buflen -= 4; -+ const DHCP6Option *option; -+ size_t len; - -- return 0; --} -+ assert(buf); -+ assert(offset); -+ assert(ret_option_code); -+ assert(ret_option_data_len); -+ assert(ret_option_data); - --int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, -- size_t *optlen, uint8_t **optvalue) { -- int r; -+ if (buflen < offsetof(DHCP6Option, data)) -+ return -EBADMSG; - -- assert_return(buf && buflen && optcode && optlen && optvalue, -EINVAL); -+ if (*offset >= buflen - offsetof(DHCP6Option, data)) -+ return -EBADMSG; - -- r = option_parse_hdr(buf, buflen, optcode, optlen); -- if (r < 0) -- return r; -+ option = (const DHCP6Option*) (buf + *offset); -+ len = be16toh(option->len); - -- if (*optlen > *buflen) -- return -ENOBUFS; -+ if (len > buflen - offsetof(DHCP6Option, data) - *offset) -+ return -EBADMSG; - -- *optvalue = *buf; -- *buflen -= *optlen; -- *buf += *optlen; -+ *offset += offsetof(DHCP6Option, data) + len; -+ *ret_option_code = be16toh(option->code); -+ *ret_option_data_len = len; -+ *ret_option_data = option->data; - - return 0; - } -diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c -index 9082185bca..6375a22537 100644 ---- a/src/libsystemd-network/sd-dhcp6-lease.c -+++ b/src/libsystemd-network/sd-dhcp6-lease.c -@@ -259,9 +259,6 @@ int sd_dhcp6_lease_get_domains(sd_dhcp6_lease *lease, char ***domains) { - - int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { - int r; -- uint16_t subopt; -- size_t sublen; -- uint8_t *subval; - - assert_return(lease, -EINVAL); - assert_return(optval, -EINVAL); -@@ -269,10 +266,14 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { - lease->ntp = mfree(lease->ntp); - lease->ntp_count = 0; - -- while ((r = dhcp6_option_parse(&optval, &optlen, &subopt, &sublen, -- &subval)) >= 0) { -- int s; -- char **servers; -+ for (size_t offset = 0; offset < optlen;) { -+ const uint8_t *subval; -+ size_t sublen; -+ uint16_t subopt; -+ -+ r = dhcp6_option_parse(optval, optlen, &offset, &subopt, &sublen, &subval); -+ if (r < 0) -+ return r; - - switch(subopt) { - case DHCP6_NTP_SUBOPTION_SRV_ADDR: -@@ -280,19 +281,18 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { - if (sublen != 16) - return 0; - -- s = dhcp6_option_parse_ip6addrs(subval, sublen, -- &lease->ntp, -- lease->ntp_count); -- if (s < 0) -- return s; -+ r = dhcp6_option_parse_ip6addrs(subval, sublen, &lease->ntp, lease->ntp_count); -+ if (r < 0) -+ return r; - -- lease->ntp_count = s; -+ lease->ntp_count = r; - - break; - -- case DHCP6_NTP_SUBOPTION_SRV_FQDN: -- r = dhcp6_option_parse_domainname_list(subval, sublen, -- &servers); -+ case DHCP6_NTP_SUBOPTION_SRV_FQDN: { -+ char **servers; -+ -+ r = dhcp6_option_parse_domainname_list(subval, sublen, &servers); - if (r < 0) - return 0; - -@@ -300,12 +300,9 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { - lease->ntp_fqdn_count = r; - - break; -- } -+ }} - } - -- if (r != -ENOMSG) -- return r; -- - return 0; - } - -diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c -index 5e3b191595..5d1f709f11 100644 ---- a/src/libsystemd-network/test-dhcp6-client.c -+++ b/src/libsystemd-network/test-dhcp6-client.c -@@ -170,47 +170,47 @@ static int test_option(sd_event *e) { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 'B', 'A', 'R', - }; -+ size_t offset, pos, optlen, outlen = sizeof(result); -+ const uint8_t *optval; - uint16_t optcode; -- size_t optlen; -- uint8_t *optval, *buf, *out; -- size_t zero = 0, pos = 3; -- size_t buflen = sizeof(packet), outlen = sizeof(result); -+ uint8_t *out; - - log_debug("/* %s */", __func__); - -- assert_se(buflen == outlen); -+ assert_se(sizeof(packet) == sizeof(result)); - -- assert_se(dhcp6_option_parse(&buf, &zero, &optcode, &optlen, -- &optval) == -ENOMSG); -+ offset = 0; -+ assert_se(dhcp6_option_parse(packet, 0, &offset, &optcode, &optlen, &optval) == -EBADMSG); - -- buflen -= 3; -- buf = &packet[3]; -- outlen -= 3; -- out = &result[3]; -+ offset = 3; -+ assert_se(dhcp6_option_parse(packet, 0, &offset, &optcode, &optlen, &optval) == -EBADMSG); -+ -+ offset = 3; -+ assert_se(dhcp6_option_parse(packet, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0); - -- assert_se(dhcp6_option_parse(&buf, &buflen, &optcode, &optlen, -- &optval) >= 0); -- pos += 4 + optlen; -- assert_se(buf == &packet[pos]); - assert_se(optcode == SD_DHCP6_OPTION_ORO); - assert_se(optlen == 7); -- assert_se(buflen + pos == sizeof(packet)); -+ assert_se(optval == packet + 7); -+ -+ pos = 3; -+ outlen -= 3; -+ out = &result[3]; - -- assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, -- optval) >= 0); -+ assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0); -+ -+ pos += 4 + optlen; - assert_se(out == &result[pos]); - assert_se(*out == 0x00); - -- assert_se(dhcp6_option_parse(&buf, &buflen, &optcode, &optlen, -- &optval) >= 0); -- pos += 4 + optlen; -- assert_se(buf == &packet[pos]); -+ assert_se(dhcp6_option_parse(packet, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0); -+ - assert_se(optcode == SD_DHCP6_OPTION_VENDOR_CLASS); - assert_se(optlen == 9); -- assert_se(buflen + pos == sizeof(packet)); -+ assert_se(optval == packet + 18); -+ -+ assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0); - -- assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, -- optval) >= 0); -+ pos += 4 + optlen; - assert_se(out == &result[pos]); - assert_se(*out == 'B'); - --- -2.33.0 - diff --git a/backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch b/backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch deleted file mode 100644 index caec0ef..0000000 --- a/backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 439a271943aa182002e5fb64f1a216415e556472 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 9 Nov 2021 00:11:38 +0100 -Subject: [PATCH] sd-event: don't destroy inotify data structures from inotify - event handler - -This fixes a bad memory access when we destroy an inotify source handler -from the handler itself, and thus destroy the associated inotify_data -structures. - -Fixes: #20177 -(cherry picked from commit 53baf2efa420cab6c4b1904c9a0c46a0c4ec80a1) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/439a271943aa182002e5fb64f1a216415e556472 ---- - src/libsystemd/sd-event/event-source.h | 5 ++++ - src/libsystemd/sd-event/sd-event.c | 40 +++++++++++++++++++++++--- - 2 files changed, 41 insertions(+), 4 deletions(-) - -diff --git a/src/libsystemd/sd-event/event-source.h b/src/libsystemd/sd-event/event-source.h -index d2dc21470e..7a0f14ecce 100644 ---- a/src/libsystemd/sd-event/event-source.h -+++ b/src/libsystemd/sd-event/event-source.h -@@ -214,6 +214,11 @@ struct inotify_data { - * the events locally if they can't be coalesced). */ - unsigned n_pending; - -+ /* If this counter is non-zero, don't GC the inotify data object even if not used to watch any inode -+ * anymore. This is useful to pin the object for a bit longer, after the last event source needing it -+ * is gone. */ -+ unsigned n_busy; -+ - /* A linked list of all inotify objects with data already read, that still need processing. We keep this list - * to make it efficient to figure out what inotify objects to process data on next. */ - LIST_FIELDS(struct inotify_data, buffered); -diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index 99c0acfa54..3b4d938546 100644 ---- a/src/libsystemd/sd-event/sd-event.c -+++ b/src/libsystemd/sd-event/sd-event.c -@@ -1820,6 +1820,29 @@ static void event_free_inode_data( - free(d); - } - -+static void event_gc_inotify_data( -+ sd_event *e, -+ struct inotify_data *d) { -+ -+ assert(e); -+ -+ /* GCs the inotify data object if we don't need it anymore. That's the case if we don't want to watch -+ * any inode with it anymore, which in turn happens if no event source of this priority is interested -+ * in any inode any longer. That said, we maintain an extra busy counter: if non-zero we'll delay GC -+ * (under the expectation that the GC is called again once the counter is decremented). */ -+ -+ if (!d) -+ return; -+ -+ if (!hashmap_isempty(d->inodes)) -+ return; -+ -+ if (d->n_busy > 0) -+ return; -+ -+ event_free_inotify_data(e, d); -+} -+ - static void event_gc_inode_data( - sd_event *e, - struct inode_data *d) { -@@ -1837,8 +1860,7 @@ static void event_gc_inode_data( - inotify_data = d->inotify_data; - event_free_inode_data(e, d); - -- if (inotify_data && hashmap_isempty(inotify_data->inodes)) -- event_free_inotify_data(e, inotify_data); -+ event_gc_inotify_data(e, inotify_data); - } - - static int event_make_inode_data( -@@ -3556,13 +3578,23 @@ static int source_dispatch(sd_event_source *s) { - sz = offsetof(struct inotify_event, name) + d->buffer.ev.len; - assert(d->buffer_filled >= sz); - -+ /* If the inotify callback destroys the event source then this likely means we don't need to -+ * watch the inode anymore, and thus also won't need the inotify object anymore. But if we'd -+ * free it immediately, then we couldn't drop the event from the inotify event queue without -+ * memory corruption anymore, as below. Hence, let's not free it immediately, but mark it -+ * "busy" with a counter (which will ensure it's not GC'ed away prematurely). Let's then -+ * explicitly GC it after we are done dropping the inotify event from the buffer. */ -+ d->n_busy++; - r = s->inotify.callback(s, &d->buffer.ev, s->userdata); -+ d->n_busy--; - -- /* When no event is pending anymore on this inotify object, then let's drop the event from the -- * buffer. */ -+ /* When no event is pending anymore on this inotify object, then let's drop the event from -+ * the inotify event queue buffer. */ - if (d->n_pending == 0) - event_inotify_data_drop(e, d, sz); - -+ /* Now we don't want to access 'd' anymore, it's OK to GC now. */ -+ event_gc_inotify_data(e, d); - break; - } - --- -2.33.0 - diff --git a/backport-sd-event-don-t-mistake-USEC_INFINITY-passed-in-for.patch b/backport-sd-event-don-t-mistake-USEC_INFINITY-passed-in-for.patch deleted file mode 100644 index aef1bce..0000000 --- a/backport-sd-event-don-t-mistake-USEC_INFINITY-passed-in-for.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 3aa1cf93ad9eff91e8d26fb4628ac33b620b6b28 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 6 Jan 2023 11:27:17 +0100 -Subject: [PATCH] sd-event: don't mistake USEC_INFINITY passed in for overflow - -Let's pass USEC_INFINITY from sd_event_source_set_time_relative() to -sd_event_source_set_time() instead of raising EOVERFLOW. - -We should raise EOVERFLOW only if your addition fails, but not if the -input already is USEC_INFINITY, since it's an entirely valid operation -to have an infinite time-out, and we should support that. - -(cherry picked from commit ef8591951aefccb668201f24aa481aa6cda834da) -(cherry picked from commit 9769d84fe51573b4f2d5cb8f76664e886c7daf88) -(cherry picked from commit 5fe49d0fb88b779d5096713627ce54757bff70b2) -(cherry picked from commit 33036c403225ad0c88c9e5a9058aea69ff6ed9bc) ---- - src/libsystemd/sd-event/sd-event.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index 4ba7151050..19e7680687 100644 ---- a/src/libsystemd/sd-event/sd-event.c -+++ b/src/libsystemd/sd-event/sd-event.c -@@ -2611,6 +2611,9 @@ _public_ int sd_event_source_set_time_relative(sd_event_source *s, uint64_t usec - assert_return(s, -EINVAL); - assert_return(EVENT_SOURCE_IS_TIME(s->type), -EDOM); - -+ if (usec == USEC_INFINITY) -+ return sd_event_source_set_time(s, USEC_INFINITY); -+ - r = sd_event_now(s->event, event_source_type_to_clock(s->type), &t); - if (r < 0) - return r; --- -2.27.0 - diff --git a/backport-sd-event-never-pass-negative-errnos-as-signalfd-to.patch b/backport-sd-event-never-pass-negative-errnos-as-signalfd-to.patch deleted file mode 100644 index fb953ee..0000000 --- a/backport-sd-event-never-pass-negative-errnos-as-signalfd-to.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b369b5884d52e5fd5fde0de78323d16a969df9d5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 19 Dec 2022 14:36:08 +0100 -Subject: [PATCH] sd-event: never pass negative errnos as signalfd to signalfd - -We treat any negative value as "invalid fd", but signalfd only -accepts -1. - -(cherry picked from commit cbff793ffb280d9d11e5d7b1dc3964276491bee8) -(cherry picked from commit 54c840ea58c578060e941f754a4fed2931483820) -(cherry picked from commit 4178457f0ec07452f856894988e5490bbc91cc36) -(cherry picked from commit 0accce1b1c5d67e4183cb67f0bbbaaf7fc50c9f6) ---- - src/libsystemd/sd-event/sd-event.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index 20ffd38eff..4ba7151050 100644 ---- a/src/libsystemd/sd-event/sd-event.c -+++ b/src/libsystemd/sd-event/sd-event.c -@@ -649,7 +649,9 @@ static int event_make_signal_data( - ss_copy = d->sigset; - assert_se(sigaddset(&ss_copy, sig) >= 0); - -- r = signalfd(d->fd, &ss_copy, SFD_NONBLOCK|SFD_CLOEXEC); -+ r = signalfd(d->fd >= 0 ? d->fd : -1, /* the first arg must be -1 or a valid signalfd */ -+ &ss_copy, -+ SFD_NONBLOCK|SFD_CLOEXEC); - if (r < 0) { - r = -errno; - goto fail; --- -2.27.0 - diff --git a/backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch b/backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch deleted file mode 100644 index 8f600cc..0000000 --- a/backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch +++ /dev/null @@ -1,36 +0,0 @@ -From a93ddddd00860bda05df72cfd5b80be9b3a93023 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 8 Sep 2021 15:42:11 +0200 -Subject: [PATCH] sd-event: take ref on event loop object before dispatching - event sources - -Idea is that all public APIs should take reference on objects that get -exposed to user-provided callbacks. We take the reference as a -protection from callbacks dropping it. We used to do this also here in -sd_event_loop(). However, in cleanup portion of f814c871e6 this was -accidentally dropped. - -(cherry picked from commit 9f6ef467818f902fe5369c8e37a39a3901bdcf4f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a93ddddd00860bda05df72cfd5b80be9b3a93023 ---- - src/libsystemd/sd-event/sd-event.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index e9199deb41..99c0acfa54 100644 ---- a/src/libsystemd/sd-event/sd-event.c -+++ b/src/libsystemd/sd-event/sd-event.c -@@ -4154,7 +4154,7 @@ _public_ int sd_event_loop(sd_event *e) { - assert_return(!event_pid_changed(e), -ECHILD); - assert_return(e->state == SD_EVENT_INITIAL, -EBUSY); - -- _unused_ _cleanup_(sd_event_unrefp) sd_event *ref = NULL; -+ _unused_ _cleanup_(sd_event_unrefp) sd_event *ref = sd_event_ref(e); - - while (e->state != SD_EVENT_FINISHED) { - r = sd_event_run(e, UINT64_MAX); --- -2.33.0 - diff --git a/backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch b/backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch deleted file mode 100644 index fc300e1..0000000 --- a/backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 2f5b486edfdb6dc3d5465fe7569c19560208813c Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Tue, 14 Sep 2021 15:08:46 +0100 -Subject: [PATCH] sd-journal: Don't compare hashes from different journal files - -In sd_journal_enumerate_fields(), we check if we've already handled -a field by checking if we can find it in any of the already processed -journal files. We do this by calling -journal_file_find_field_object_with_hash(), which compares the size, -payload and hash of the given field against all fields in a journal file, -trying to find a match. However, since we now use per file hash functions, -hashes for the same fields will differ between different journal files, -meaning we'll never find an actual match. - -To fix the issue(), let's use journal_file_find_field_object() when one -or more of the files we're comparing is using per file keyed hashes. -journal_file_find_field_object() only takes the field payload and size -as arguments and calculates the hash itself using the hash function from -the journal file we're searching in. - -(cherry picked from commit 27bf0ab76e13611dce10210f2a22fb5fba05adbb) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2f5b486edfdb6dc3d5465fe7569c19560208813c ---- - src/libsystemd/sd-journal/sd-journal.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index 5728c537bc..a2fbc1b037 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -3158,7 +3158,11 @@ _public_ int sd_journal_enumerate_fields(sd_journal *j, const char **field) { - if (JOURNAL_HEADER_CONTAINS(of->header, n_fields) && le64toh(of->header->n_fields) <= 0) - continue; - -- r = journal_file_find_field_object_with_hash(of, o->field.payload, sz, le64toh(o->field.hash), NULL, NULL); -+ if (!JOURNAL_HEADER_KEYED_HASH(f->header) && !JOURNAL_HEADER_KEYED_HASH(of->header)) -+ r = journal_file_find_field_object_with_hash(of, o->field.payload, sz, -+ le64toh(o->field.hash), NULL, NULL); -+ else -+ r = journal_file_find_field_object(of, o->field.payload, sz, NULL, NULL); - if (r < 0) - return r; - if (r > 0) { --- -2.33.0 - diff --git a/backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch b/backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch deleted file mode 100644 index cccaf5d..0000000 --- a/backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 99ae9b83b42abbe54c059ae964b737b64ae17df9 Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Wed, 15 Sep 2021 13:05:46 +0100 -Subject: [PATCH] sd-journal: Ignore data threshold if set to zero in - sd_journal_enumerate_fields() - -According to the documentation, Setting the data threshold to zero disables the -data threshold alltogether. Let's make sure we actually implement this behaviour -in sd_journal_enumerate_fields() by only applying the data threshold if it exceeds -zero. - -(cherry picked from commit adbd80f51088058d55e703abe0ac11476cfe0ba4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/99ae9b83b42abbe54c059ae964b737b64ae17df9 ---- - src/libsystemd/sd-journal/sd-journal.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index a2fbc1b037..b3240177cb 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -3178,7 +3178,7 @@ _public_ int sd_journal_enumerate_fields(sd_journal *j, const char **field) { - if (memchr(o->field.payload, 0, sz)) - return -EBADMSG; - -- if (sz > j->data_threshold) -+ if (j->data_threshold > 0 && sz > j->data_threshold) - sz = j->data_threshold; - - if (!GREEDY_REALLOC(j->fields_buffer, sz + 1)) --- -2.33.0 - diff --git a/backport-sd-journal-fix-segfault-when-match_new-fails.patch b/backport-sd-journal-fix-segfault-when-match_new-fails.patch deleted file mode 100644 index 27bf8c1..0000000 --- a/backport-sd-journal-fix-segfault-when-match_new-fails.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 4bf497c3814e2f612cb055b838a656e6e14c0ed0 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 23 Dec 2021 21:45:29 +0900 -Subject: [PATCH] sd-journal: fix segfault when match_new() fails - -Fixes #21867. - -(cherry picked from commit 39dfc0de05238410e2cd4d7c0176a3f3994cc563) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4bf497c3814e2f612cb055b838a656e6e14c0ed0 ---- - src/libsystemd/sd-journal/sd-journal.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index 63b8f0dc7b..dd28b8008f 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -211,7 +211,7 @@ static Match *match_new(Match *p, MatchType t) { - return m; - } - --static void match_free(Match *m) { -+static Match *match_free(Match *m) { - assert(m); - - while (m->matches) -@@ -221,14 +221,14 @@ static void match_free(Match *m) { - LIST_REMOVE(matches, m->parent->matches, m); - - free(m->data); -- free(m); -+ return mfree(m); - } - --static void match_free_if_empty(Match *m) { -+static Match *match_free_if_empty(Match *m) { - if (!m || m->matches) -- return; -+ return m; - -- match_free(m); -+ return match_free(m); - } - - _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) { -@@ -323,9 +323,9 @@ _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) - fail: - match_free(m); - match_free_if_empty(add_here); -- match_free_if_empty(j->level2); -- match_free_if_empty(j->level1); -- match_free_if_empty(j->level0); -+ j->level2 = match_free_if_empty(j->level2); -+ j->level1 = match_free_if_empty(j->level1); -+ j->level0 = match_free_if_empty(j->level0); - - return -ENOMEM; - } --- -2.33.0 - diff --git a/backport-sd-journal-free-incomplete-match-on-failure.patch b/backport-sd-journal-free-incomplete-match-on-failure.patch deleted file mode 100644 index 9b083e6..0000000 --- a/backport-sd-journal-free-incomplete-match-on-failure.patch +++ /dev/null @@ -1,37 +0,0 @@ -From cd9b726453398bef20c66f30a454eb503f7bcb72 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 23 Dec 2021 21:35:29 +0900 -Subject: [PATCH] sd-journal: free incomplete match on failure - -(cherry picked from commit 418cce628cf28d4feaeda60241cf9781f8afbf1c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/cd9b726453398bef20c66f30a454eb503f7bcb72 ---- - src/libsystemd/sd-journal/sd-journal.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index 71875a4dc8..63b8f0dc7b 100644 ---- a/src/libsystemd/sd-journal/sd-journal.c -+++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -232,7 +232,7 @@ static void match_free_if_empty(Match *m) { - } - - _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) { -- Match *l3, *l4, *add_here = NULL, *m; -+ Match *l3, *l4, *add_here = NULL, *m = NULL; - uint64_t hash; - - assert_return(j, -EINVAL); -@@ -321,6 +321,7 @@ _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) - return 0; - - fail: -+ match_free(m); - match_free_if_empty(add_here); - match_free_if_empty(j->level2); - match_free_if_empty(j->level1); --- -2.33.0 - diff --git a/backport-sd-lldp-use-memcpy_safe-as-the-buffer-size-may-be-ze.patch b/backport-sd-lldp-use-memcpy_safe-as-the-buffer-size-may-be-ze.patch deleted file mode 100644 index fbc2b69..0000000 --- a/backport-sd-lldp-use-memcpy_safe-as-the-buffer-size-may-be-ze.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 5e069e405a73ff5a406598436fe21d6dabbb281c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 4 May 2022 16:05:04 +0900 -Subject: [PATCH] sd-lldp: use memcpy_safe() as the buffer size may be zero - -(cherry picked from commit 87bd4b79e692f384c2190c9b3824df4853333018) ---- - src/libsystemd-network/lldp-neighbor.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd-network/lldp-neighbor.c b/src/libsystemd-network/lldp-neighbor.c -index 372bc2ef93..bc98235ce1 100644 ---- a/src/libsystemd-network/lldp-neighbor.c -+++ b/src/libsystemd-network/lldp-neighbor.c -@@ -652,7 +652,8 @@ int sd_lldp_neighbor_from_raw(sd_lldp_neighbor **ret, const void *raw, size_t ra - if (!n) - return -ENOMEM; - -- memcpy(LLDP_NEIGHBOR_RAW(n), raw, raw_size); -+ memcpy_safe(LLDP_NEIGHBOR_RAW(n), raw, raw_size); -+ - r = lldp_neighbor_parse(n); - if (r < 0) - return r; --- -2.33.0 - diff --git a/backport-sd-netlink-always-append-new-bridge-FDB-entries.patch b/backport-sd-netlink-always-append-new-bridge-FDB-entries.patch deleted file mode 100644 index 28959a9..0000000 --- a/backport-sd-netlink-always-append-new-bridge-FDB-entries.patch +++ /dev/null @@ -1,39 +0,0 @@ -From f65dedbb8f3bd8a0ec69a02f63f62f339a791423 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 4 Aug 2021 18:16:44 +0900 -Subject: [PATCH] sd-netlink: always append new bridge FDB entries - -This partially reverts 192a9d95ea3e058afd824d38a9cea16ad0a84a57 (#19432). - -Fixes #20305. - -(cherry picked from commit 74c1ab841fbad9d4f237c819577fcd1d46a072b6) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f65dedbb8f3bd8a0ec69a02f63f62f339a791423 ---- - src/libsystemd/sd-netlink/rtnl-message.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd/sd-netlink/rtnl-message.c b/src/libsystemd/sd-netlink/rtnl-message.c -index e771b95e08..7f83bf58b3 100644 ---- a/src/libsystemd/sd-netlink/rtnl-message.c -+++ b/src/libsystemd/sd-netlink/rtnl-message.c -@@ -443,8 +443,12 @@ int sd_rtnl_message_new_neigh(sd_netlink *rtnl, sd_netlink_message **ret, uint16 - if (r < 0) - return r; - -- if (nlmsg_type == RTM_NEWNEIGH) -- (*ret)->hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_REPLACE; -+ if (nlmsg_type == RTM_NEWNEIGH) { -+ if (ndm_family == AF_BRIDGE) -+ (*ret)->hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_APPEND; -+ else -+ (*ret)->hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_REPLACE; -+ } - - ndm = NLMSG_DATA((*ret)->hdr); - --- -2.33.0 - diff --git a/backport-seccomp-Always-install-filters-for-native-architectu.patch b/backport-seccomp-Always-install-filters-for-native-architectu.patch deleted file mode 100644 index 91671e6..0000000 --- a/backport-seccomp-Always-install-filters-for-native-architectu.patch +++ /dev/null @@ -1,64 +0,0 @@ -From ba8bce7b562f9ef83a4de697eae2f97cf1806e3d Mon Sep 17 00:00:00 2001 -From: Benjamin Berg -Date: Fri, 17 Sep 2021 13:05:32 +0200 -Subject: [PATCH] seccomp: Always install filters for native architecture - -The commit 6597686865ff ("seccomp: don't install filters for archs that -can't use syscalls") introduced a regression where filters may not be -installed for the "native" architecture. This means that setting -SystemCallArchitectures=native for a unit effectively disables the -SystemCallFilter= and SystemCallLog= options. - -Conceptually, we have two filter stages: - 1. architecture used for syscall (SystemCallArchitectures=) - 2. syscall + architecture combination (SystemCallFilter=) - -The above commit tried to optimize the filter generation by skipping the -second level filtering when it is not required. - -However, systemd will never fully block the "native" architecture using -the first level filter. This makes the code a lot simpler, as systemd -can execve() the target binary using its own architecture. And, it -should be perfectly fine as the "native" architecture will always be the -one with the most restrictive seccomp filtering. - -Said differently, the bug arises because (on x86_64): - 1. x86_64 is permitted by libseccomp already - 2. native != x86_64 - 3. the loop wants to block x86_64 because the permitted set only - contains "native" (i.e. "native" != "x86_64") - 4. x86_64 is marked as blocked in seccomp_local_archs - -Thereby we have an inconsistency, where it is marked as blocked in the -seccomp_local_archs array but it is allowed by libseccomp. i.e. we will -skip generating filter stage 2 without having stage 1 in place. - -The fix is simple, we just skip the native architecture when looping -seccomp_local_archs. This way the inconsistency cannot happen. - -(cherry picked from commit f833df38488ea40fc3d601ccefd64cfa3fce8bb4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ba8bce7b562f9ef83a4de697eae2f97cf1806e3d ---- - src/shared/seccomp-util.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index 631ca5dd34..31d6b542c0 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -1789,6 +1789,10 @@ int seccomp_restrict_archs(Set *archs) { - for (unsigned i = 0; seccomp_local_archs[i] != SECCOMP_LOCAL_ARCH_END; ++i) { - uint32_t arch = seccomp_local_archs[i]; - -+ /* See above comment, our "native" architecture is never blocked. */ -+ if (arch == seccomp_arch_native()) -+ continue; -+ - /* That architecture might have already been blocked by a previous call to seccomp_restrict_archs. */ - if (arch == SECCOMP_LOCAL_ARCH_BLOCKED) - continue; --- -2.33.0 - diff --git a/backport-seccomp-drop-getrandom-from-system-service.patch b/backport-seccomp-drop-getrandom-from-system-service.patch deleted file mode 100644 index ae771d0..0000000 --- a/backport-seccomp-drop-getrandom-from-system-service.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 9eb9b07c404be8d59a800c70593809a69f0d0e55 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 27 Jul 2021 17:10:21 +0200 -Subject: [PATCH] seccomp: drop getrandom() from @system-service - -It's included in @default now, since -14f4b1b568907350d023d1429c1aa4aaa8925f22, and since @system-service -pulls that in we can drop it from @system-service. - -Follow-up for #20191 - -(cherry picked from commit 67347f37407489a68e12da8f75b78ae1d1168de9) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9eb9b07c404be8d59a800c70593809a69f0d0e55 ---- - src/shared/seccomp-util.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index cad0af89f2..703d5a939c 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -859,7 +859,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - "get_mempolicy\0" - "getcpu\0" - "getpriority\0" -- "getrandom\0" - "ioctl\0" - "ioprio_get\0" - "kcmp\0" --- -2.33.0 - diff --git a/backport-seccomp-move-arch_prctl-to-default.patch b/backport-seccomp-move-arch_prctl-to-default.patch deleted file mode 100644 index 4a305c4..0000000 --- a/backport-seccomp-move-arch_prctl-to-default.patch +++ /dev/null @@ -1,54 +0,0 @@ -From cf6d1dcc93ad7caedaa139d3c0377f7524fe1013 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 7 Jan 2022 15:23:55 +0100 -Subject: [PATCH] seccomp: move arch_prctl to @default - -It was reported as used by the linker: - -> [It is] called in the setup of ld-linux-x86-64.so.2 from _dl_sysdep_start. -> My local call stack (with LTO): -> -> #0 init_cpu_features.constprop.0 (/usr/lib64/ld-linux-x86-64.so.2) -> #1 _dl_sysdep_start (/usr/lib64/ld-linux-x86-64.so.2) -> #2 _dl_start (/usr/lib64/ld-linux-x86-64.so.2) -> #3 _start (/usr/lib64/ld-linux-x86-64.so.2) -> -> Looking through the source, I think it's this (links for glibc 2.34): -> - First dl_platform_init calls _dl_x86_init_cpu_features, a wrapper for init_cpu_features. -> - Then init_cpu_features calls get_cet_status. -> - At last, get_cet_status invokes arch_prctl. - -Fixes #22033. - -(cherry picked from commit 5f02870a74aa3a758115cc9bd6d68f239caf8453) -(cherry picked from commit d08f6ff204c8525f7533875128468afb8be60ae0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/cf6d1dcc93ad7caedaa139d3c0377f7524fe1013 ---- - src/shared/seccomp-util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index 2d73354e1a..ccfa4cc56a 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -283,6 +283,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - .name = "@default", - .help = "System calls that are always permitted", - .value = -+ "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */ - "brk\0" - "cacheflush\0" - "clock_getres\0" -@@ -712,7 +713,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - .name = "@process", - .help = "Process control, execution, namespacing operations", - .value = -- "arch_prctl\0" - "capget\0" /* Able to query arbitrary processes */ - "clone\0" - "clone3\0" --- -2.33.0 - diff --git a/backport-seccomp-move-mprotect-to-default.patch b/backport-seccomp-move-mprotect-to-default.patch deleted file mode 100644 index 05be12f..0000000 --- a/backport-seccomp-move-mprotect-to-default.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 0c8195d673f46ab41ffbf7bb0eb54b53f202bb3f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 13 Nov 2021 16:08:25 +0100 -Subject: [PATCH] seccomp: move mprotect to @default - -With glibc-2.34.9000-17.fc36.x86_64, dynamically programs newly fail in early -init with a restrictive syscall filter that does not include @system-service. -I think this is caused by 2dd87703d4386f2776c5b5f375a494c91d7f9fe4: - -Author: Florian Weimer -Date: Mon May 10 10:31:41 2021 +0200 - - nptl: Move changing of stack permissions into ld.so - - All the stack lists are now in _rtld_global, so it is possible - to change stack permissions directly from there, instead of - calling into libpthread to do the change. - -It seems that this call will now be very widely used, so let's just move it to -default to avoid too many failures. - -(cherry picked from commit 4728625490b70ac4a686b1655c08ad3fe7b97359) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0c8195d673f46ab41ffbf7bb0eb54b53f202bb3f ---- - src/shared/seccomp-util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index 31d6b542c0..2d73354e1a 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -324,6 +324,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - "membarrier\0" - "mmap\0" - "mmap2\0" -+ "mprotect\0" - "munmap\0" - "nanosleep\0" - "pause\0" -@@ -864,7 +865,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - "ioprio_get\0" - "kcmp\0" - "madvise\0" -- "mprotect\0" - "mremap\0" - "name_to_handle_at\0" - "oldolduname\0" --- -2.33.0 - diff --git a/backport-seccomp-move-sched_getaffinity-from-system-service-t.patch b/backport-seccomp-move-sched_getaffinity-from-system-service-t.patch deleted file mode 100644 index 32e96e9..0000000 --- a/backport-seccomp-move-sched_getaffinity-from-system-service-t.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 77681242c8c6d7693814b8245e9096e43faa21be Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 27 Jul 2021 17:11:09 +0200 -Subject: [PATCH] seccomp: move sched_getaffinity() from @system-service to - @default - -See: https://github.com/systemd/systemd/pull/20191#issuecomment-881982739 - -In general, we shouldn't blanket move syscalls like this into @default, -given that glibc actually does have fallbacks, afaics. However, as -long as the syscalls are "read-only" and thus benign, I figure it's a -safe thing to do. But we should probably stick to a "if in doubt, don't" -rule, and put these syscalls in @system-service as default, but not into -@default. - -I think in the real world @system-service is the sensible group people -should use, and not @default actually. - -(cherry picked from commit 7df660e45682af5c40a236abe1bdc5ddcf3b3533) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/77681242c8c6d7693814b8245e9096e43faa21be ---- - src/shared/seccomp-util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index 703d5a939c..631ca5dd34 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -331,6 +331,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - "restart_syscall\0" - "rseq\0" - "rt_sigreturn\0" -+ "sched_getaffinity\0" - "sched_yield\0" - "set_robust_list\0" - "set_thread_area\0" -@@ -874,7 +875,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { - "remap_file_pages\0" - "sched_get_priority_max\0" - "sched_get_priority_min\0" -- "sched_getaffinity\0" - "sched_getattr\0" - "sched_getparam\0" - "sched_getscheduler\0" --- -2.33.0 - diff --git a/backport-shared-bootspec-avoid-crashing-on-config-without-a-v.patch b/backport-shared-bootspec-avoid-crashing-on-config-without-a-v.patch deleted file mode 100644 index bd18b74..0000000 --- a/backport-shared-bootspec-avoid-crashing-on-config-without-a-v.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 412b89a6e8055f2c8c9db4b6b847f081e00461ff Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 6 May 2022 17:36:47 +0200 -Subject: [PATCH] shared/bootspec: avoid crashing on config without a value - -(cherry picked from commit b6bd2562ebb01b48cdb55a970d9daa1799b59876) ---- - src/shared/bootspec.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/shared/bootspec.c b/src/shared/bootspec.c -index 0076092c2a..9e2b2899bd 100644 ---- a/src/shared/bootspec.c -+++ b/src/shared/bootspec.c -@@ -124,6 +124,13 @@ static int boot_entry_load( - continue; - } - -+ if (isempty(p)) { -+ /* Some fields can reasonably have an empty value. In other cases warn. */ -+ if (!STR_IN_SET(field, "options", "devicetree-overlay")) -+ log_warning("%s:%u: Field %s without value", tmp.path, line, field); -+ continue; -+ } -+ - if (streq(field, "title")) - r = free_and_strdup(&tmp.title, p); - else if (streq(field, "version")) --- -2.33.0 - diff --git a/backport-shared-condition-avoid-nss-lookup-in-PID1.patch b/backport-shared-condition-avoid-nss-lookup-in-PID1.patch deleted file mode 100644 index 273f8b8..0000000 --- a/backport-shared-condition-avoid-nss-lookup-in-PID1.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 03101b5186a43b893165f44726f4865702005d8e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 7 Oct 2022 17:34:53 +0200 -Subject: [PATCH] shared/condition: avoid nss lookup in PID1 - -PID 1 is not allowed to do nss lookups because this may take a long time or -even deadlock. - -While at it, the comparisons are reordered to do the "easy" comparisons which -only require a string comparison first. Delay parsing of the UID until it is -really necessary. The result is the same, because we know that "root" and -"nobody" parse as valid. - -(cherry picked from commit 734f96b8490a2c48712ff6754a84fcaeac3d53c1) -(cherry picked from commit 5da595db39e8c6b229dfe388130683ff9a32eda5) -(cherry picked from commit 4ddeea92faf69291449af95dc9ba6440ad06ec1b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/03101b5186a43b893165f44726f4865702005d8e ---- - src/shared/condition.c | 23 ++++++++++++++--------- - 1 file changed, 14 insertions(+), 9 deletions(-) - -diff --git a/src/shared/condition.c b/src/shared/condition.c -index b0520566ed..ed7de273bf 100644 ---- a/src/shared/condition.c -+++ b/src/shared/condition.c -@@ -373,31 +373,36 @@ static int condition_test_cpus(Condition *c, char **env) { - static int condition_test_user(Condition *c, char **env) { - uid_t id; - int r; -- _cleanup_free_ char *username = NULL; -- const char *u; - - assert(c); - assert(c->parameter); - assert(c->type == CONDITION_USER); - -+ /* Do the quick&easy comparisons first, and only parse the UID later. */ -+ if (streq(c->parameter, "root")) -+ return getuid() == 0 || geteuid() == 0; -+ if (streq(c->parameter, NOBODY_USER_NAME)) -+ return getuid() == UID_NOBODY || geteuid() == UID_NOBODY; -+ if (streq(c->parameter, "@system")) -+ return uid_is_system(getuid()) || uid_is_system(geteuid()); -+ - r = parse_uid(c->parameter, &id); - if (r >= 0) - return id == getuid() || id == geteuid(); - -- if (streq("@system", c->parameter)) -- return uid_is_system(getuid()) || uid_is_system(geteuid()); -+ if (getpid_cached() == 1) /* We already checked for "root" above, and we know that -+ * PID 1 is running as root, hence we know it cannot match. */ -+ return false; - -- username = getusername_malloc(); -+ /* getusername_malloc() may do an nss lookup, which is not allowed in PID 1. */ -+ _cleanup_free_ char *username = getusername_malloc(); - if (!username) - return -ENOMEM; - - if (streq(username, c->parameter)) - return 1; - -- if (getpid_cached() == 1) -- return streq(c->parameter, "root"); -- -- u = c->parameter; -+ const char *u = c->parameter; - r = get_user_creds(&u, &id, NULL, NULL, NULL, USER_CREDS_ALLOW_MISSING); - if (r < 0) - return 0; --- -2.27.0 - diff --git a/backport-shared-format-table-allocate-buffer-of-sufficient-si.patch b/backport-shared-format-table-allocate-buffer-of-sufficient-si.patch deleted file mode 100644 index ebe05af..0000000 --- a/backport-shared-format-table-allocate-buffer-of-sufficient-si.patch +++ /dev/null @@ -1,38 +0,0 @@ -From e6407ca25852dadec355df2e6fdc92d1f189bceb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 5 Jul 2021 21:29:11 +0200 -Subject: [PATCH] shared/format-table: allocate buffer of sufficient size - -(cherry picked from commit 6dc57047ff0f1f9e98938ffb172dae06e6868b94) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e6407ca25852dadec355df2e6fdc92d1f189bceb ---- - src/shared/format-table.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/shared/format-table.c b/src/shared/format-table.c -index c4c3439541..4c4e4593d8 100644 ---- a/src/shared/format-table.c -+++ b/src/shared/format-table.c -@@ -1409,7 +1409,7 @@ static const char *table_data_format(Table *t, TableData *d, bool avoid_uppercas - _cleanup_free_ char *p = NULL; - char *ret; - -- p = new(char, FORMAT_TIMESTAMP_MAX); -+ p = new(char, d->type == TABLE_TIMESTAMP_RELATIVE ? FORMAT_TIMESTAMP_RELATIVE_MAX : FORMAT_TIMESTAMP_MAX); - if (!p) - return NULL; - -@@ -1418,7 +1418,7 @@ static const char *table_data_format(Table *t, TableData *d, bool avoid_uppercas - else if (d->type == TABLE_TIMESTAMP_UTC) - ret = format_timestamp_style(p, FORMAT_TIMESTAMP_MAX, d->timestamp, TIMESTAMP_UTC); - else -- ret = format_timestamp_relative(p, FORMAT_TIMESTAMP_MAX, d->timestamp); -+ ret = format_timestamp_relative(p, FORMAT_TIMESTAMP_RELATIVE_MAX, d->timestamp); - if (!ret) - return "n/a"; - --- -2.33.0 - diff --git a/backport-shared-json-fix-memory-leak-on-failed-normalization.patch b/backport-shared-json-fix-memory-leak-on-failed-normalization.patch deleted file mode 100644 index f7fd5ef..0000000 --- a/backport-shared-json-fix-memory-leak-on-failed-normalization.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c1dbf637d7f5588a19b5d9ea812fee2e68a6dcfa Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 9 May 2022 14:28:36 +0200 -Subject: [PATCH] shared/json: fix memory leak on failed normalization - -We need to increase the counter immediately after taking the ref, -otherwise we may not unref it properly if we fail before incrementing. - -(cherry picked from commit 7e4be6a5845f983a299932d4ccb2c4349cf8dd52) ---- - src/shared/json.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/shared/json.c b/src/shared/json.c -index dff95eda26..711aa36c87 100644 ---- a/src/shared/json.c -+++ b/src/shared/json.c -@@ -4680,10 +4680,11 @@ int json_variant_normalize(JsonVariant **v) { - if (!a) - return -ENOMEM; - -- for (i = 0; i < m; i++) { -+ for (i = 0; i < m; ) { - a[i] = json_variant_ref(json_variant_by_index(*v, i)); -+ i++; - -- r = json_variant_normalize(a + i); -+ r = json_variant_normalize(&a[i-1]); - if (r < 0) - goto finish; - } --- -2.33.0 - diff --git a/backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch b/backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch deleted file mode 100644 index b9e39ca..0000000 --- a/backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 20c776c5e92201e01d4bfbea4ecbc4df758bcf09 Mon Sep 17 00:00:00 2001 -From: Egor -Date: Sun, 3 Oct 2021 03:42:50 +0300 -Subject: [PATCH] sleep: don't skip resume device with low priority/available - space - -this fixes hibernation when there's a higher priority swap preceding -the resume swap in /proc/swaps. - -fixes #19486 - -(cherry picked from commit 936a7cb66a0b423e75ceef87f02537067ad17002) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/20c776c5e92201e01d4bfbea4ecbc4df758bcf09 ---- - src/shared/sleep-config.c | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c -index dbaecb3a0f..8ec3d09a58 100644 ---- a/src/shared/sleep-config.c -+++ b/src/shared/sleep-config.c -@@ -392,15 +392,17 @@ int find_hibernate_location(HibernateLocation **ret_hibernate_location) { - } - - /* prefer resume device or highest priority swap with most remaining space */ -- if (hibernate_location && swap->priority < hibernate_location->swap->priority) { -- log_debug("%s: ignoring device with lower priority", swap->device); -- continue; -- } -- if (hibernate_location && -- (swap->priority == hibernate_location->swap->priority -- && swap->size - swap->used < hibernate_location->swap->size - hibernate_location->swap->used)) { -- log_debug("%s: ignoring device with lower usable space", swap->device); -- continue; -+ if (sys_resume == 0) { -+ if (hibernate_location && swap->priority < hibernate_location->swap->priority) { -+ log_debug("%s: ignoring device with lower priority", swap->device); -+ continue; -+ } -+ if (hibernate_location && -+ (swap->priority == hibernate_location->swap->priority -+ && swap->size - swap->used < hibernate_location->swap->size - hibernate_location->swap->used)) { -+ log_debug("%s: ignoring device with lower usable space", swap->device); -+ continue; -+ } - } - - dev_t swap_device; --- -2.33.0 - diff --git a/backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch b/backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch deleted file mode 100644 index 30628d7..0000000 --- a/backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch +++ /dev/null @@ -1,94 +0,0 @@ -From d36785cdd845710028ab033f85493572f15cab23 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 29 Aug 2021 20:50:49 +0900 -Subject: [PATCH] socket-util: introduce CMSG_SPACE_TIMEVAL/TIMESPEC macro to - support additional 64bit timeval or timespec - -Fixes #20482 and #20564. - -(cherry picked from commit 9365e296fe281da45797af89a97627e872fc019d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d36785cdd845710028ab033f85493572f15cab23 ---- - src/basic/socket-util.h | 22 ++++++++++++++++++++++ - src/journal/journald-server.c | 2 +- - src/libsystemd-network/icmp6-util.c | 2 +- - src/timesync/timesyncd-manager.c | 2 +- - 4 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h -index f92e425fd6..09e606614c 100644 ---- a/src/basic/socket-util.h -+++ b/src/basic/socket-util.h -@@ -277,6 +277,28 @@ static inline int getsockopt_int(int fd, int level, int optname, int *ret) { - int socket_bind_to_ifname(int fd, const char *ifname); - int socket_bind_to_ifindex(int fd, int ifindex); - -+/* Define a 64bit version of timeval/timespec in any case, even on 32bit userspace. */ -+struct timeval_large { -+ uint64_t tvl_sec, tvl_usec; -+}; -+struct timespec_large { -+ uint64_t tvl_sec, tvl_nsec; -+}; -+ -+/* glibc duplicates timespec/timeval on certain 32bit archs, once in 32bit and once in 64bit. -+ * See __convert_scm_timestamps() in glibc source code. Hence, we need additional buffer space for them -+ * to prevent from recvmsg_safe() returning -EXFULL. */ -+#define CMSG_SPACE_TIMEVAL \ -+ ((sizeof(struct timeval) == sizeof(struct timeval_large)) ? \ -+ CMSG_SPACE(sizeof(struct timeval)) : \ -+ CMSG_SPACE(sizeof(struct timeval)) + \ -+ CMSG_SPACE(sizeof(struct timeval_large))) -+#define CMSG_SPACE_TIMESPEC \ -+ ((sizeof(struct timespec) == sizeof(struct timespec_large)) ? \ -+ CMSG_SPACE(sizeof(struct timespec)) : \ -+ CMSG_SPACE(sizeof(struct timespec)) + \ -+ CMSG_SPACE(sizeof(struct timespec_large))) -+ - ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags); - - int socket_get_family(int fd, int *ret); -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index a0695ec519..abd52f7c14 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -1277,7 +1277,7 @@ int server_process_datagram( - * identical to NAME_MAX. For now we use that, but this should be updated one day when the final - * limit is known. */ - CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred)) + -- CMSG_SPACE(sizeof(struct timeval)) + -+ CMSG_SPACE_TIMEVAL + - CMSG_SPACE(sizeof(int)) + /* fd */ - CMSG_SPACE(NAME_MAX) /* selinux label */) control; - -diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c -index 0b8c3e4cc3..823be0f275 100644 ---- a/src/libsystemd-network/icmp6-util.c -+++ b/src/libsystemd-network/icmp6-util.c -@@ -149,7 +149,7 @@ int icmp6_receive(int fd, void *buffer, size_t size, struct in6_addr *ret_dst, - triple_timestamp *ret_timestamp) { - - CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int)) + /* ttl */ -- CMSG_SPACE(sizeof(struct timeval))) control; -+ CMSG_SPACE_TIMEVAL) control; - struct iovec iov = {}; - union sockaddr_union sa = {}; - struct msghdr msg = { -diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c -index 9d874cfc8a..eae14e8fb2 100644 ---- a/src/timesync/timesyncd-manager.c -+++ b/src/timesync/timesyncd-manager.c -@@ -412,7 +412,7 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re - .iov_base = &ntpmsg, - .iov_len = sizeof(ntpmsg), - }; -- CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct timespec))) control; -+ CMSG_BUFFER_TYPE(CMSG_SPACE_TIMESPEC) control; - union sockaddr_union server_addr; - struct msghdr msghdr = { - .msg_iov = &iov, --- -2.33.0 - diff --git a/backport-src-boot-efi-linux-fix-linux_exec-prototype.patch b/backport-src-boot-efi-linux-fix-linux_exec-prototype.patch deleted file mode 100644 index be17432..0000000 --- a/backport-src-boot-efi-linux-fix-linux_exec-prototype.patch +++ /dev/null @@ -1,48 +0,0 @@ -From a825ced57fa8533ba54fec4c4476400e122ddbc3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alfonso=20S=C3=A1nchez-Beato?= - -Date: Thu, 19 Aug 2021 12:21:12 +0200 -Subject: [PATCH] src/boot/efi/linux: fix linux_exec prototype - -Callers to linux_exec() are actually passing an EFI_HANDLE, not a pointer to -it. linux_efi_handover(), which is called by linux_exec(), also expects an -EFI_HANDLE. - -(cherry picked from commit d48f9174cf211a235193963a06b3d28537fc6529) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/a825ced57fa8533ba54fec4c4476400e122ddbc3 ---- - src/boot/efi/linux.c | 2 +- - src/boot/efi/linux.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c -index 4d44671315..b5d6120493 100644 ---- a/src/boot/efi/linux.c -+++ b/src/boot/efi/linux.c -@@ -25,7 +25,7 @@ static VOID linux_efi_handover(EFI_HANDLE image, struct boot_params *params) { - handover(image, ST, params); - } - --EFI_STATUS linux_exec(EFI_HANDLE *image, -+EFI_STATUS linux_exec(EFI_HANDLE image, - CHAR8 *cmdline, UINTN cmdline_len, - UINTN linux_addr, - UINTN initrd_addr, UINTN initrd_size) { -diff --git a/src/boot/efi/linux.h b/src/boot/efi/linux.h -index 09be2de27b..53270e16b3 100644 ---- a/src/boot/efi/linux.h -+++ b/src/boot/efi/linux.h -@@ -83,7 +83,7 @@ struct boot_params { - UINT8 _pad9[276]; - } __attribute__((packed)); - --EFI_STATUS linux_exec(EFI_HANDLE *image, -+EFI_STATUS linux_exec(EFI_HANDLE image, - CHAR8 *cmdline, UINTN cmdline_size, - UINTN linux_addr, - UINTN initrd_addr, UINTN initrd_size); --- -2.33.0 - diff --git a/backport-stat-util-replace-is_dir-is_dir_fd-by-single-is_dir_.patch b/backport-stat-util-replace-is_dir-is_dir_fd-by-single-is_dir_.patch deleted file mode 100644 index 489088f..0000000 --- a/backport-stat-util-replace-is_dir-is_dir_fd-by-single-is_dir_.patch +++ /dev/null @@ -1,85 +0,0 @@ -From ab77d5f0c18783c273d1b3b0e8126c7019ddb1f8 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 13 Jul 2022 23:43:36 +0200 -Subject: [PATCH] stat-util: replace is_dir() + is_dir_fd() by single - is_dir_full() call - -This new call can execute both of the old operations, but also do -generic fstatat() like behaviour. - -(cherry picked from commit a586dc791ca465f4087473d2ad6794b7776aee2d) -(cherry picked from commit 9255fa3a15c5c7dea9ddb2ce5399d3b675f8368b) -(cherry picked from commit a77b81f1240ff7e0ea5d084d61875e1bdefc075d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ab77d5f0c18783c273d1b3b0e8126c7019ddb1f8 ---- - src/basic/stat-util.c | 20 ++++++-------------- - src/basic/stat-util.h | 9 +++++++-- - 2 files changed, 13 insertions(+), 16 deletions(-) - -diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c -index 56f7652cec..652cfd1485 100644 ---- a/src/basic/stat-util.c -+++ b/src/basic/stat-util.c -@@ -31,31 +31,23 @@ int is_symlink(const char *path) { - return !!S_ISLNK(info.st_mode); - } - --int is_dir(const char* path, bool follow) { -+int is_dir_full(int atfd, const char* path, bool follow) { - struct stat st; - int r; - -- assert(path); -+ assert(atfd >= 0 || atfd == AT_FDCWD); -+ assert(atfd >= 0 || path); - -- if (follow) -- r = stat(path, &st); -+ if (path) -+ r = fstatat(atfd, path, &st, follow ? 0 : AT_SYMLINK_NOFOLLOW); - else -- r = lstat(path, &st); -+ r = fstat(atfd, &st); - if (r < 0) - return -errno; - - return !!S_ISDIR(st.st_mode); - } - --int is_dir_fd(int fd) { -- struct stat st; -- -- if (fstat(fd, &st) < 0) -- return -errno; -- -- return !!S_ISDIR(st.st_mode); --} -- - int is_device_node(const char *path) { - struct stat info; - -diff --git a/src/basic/stat-util.h b/src/basic/stat-util.h -index a566114f7c..f9a24c8775 100644 ---- a/src/basic/stat-util.h -+++ b/src/basic/stat-util.h -@@ -13,8 +13,13 @@ - #include "missing_stat.h" - - int is_symlink(const char *path); --int is_dir(const char *path, bool follow); --int is_dir_fd(int fd); -+int is_dir_full(int atfd, const char *fname, bool follow); -+static inline int is_dir(const char *path, bool follow) { -+ return is_dir_full(AT_FDCWD, path, follow); -+} -+static inline int is_dir_fd(int fd) { -+ return is_dir_full(fd, NULL, false); -+} - int is_device_node(const char *path); - - int dir_is_empty_at(int dir_fd, const char *path); --- -2.27.0 - diff --git a/backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch b/backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch deleted file mode 100644 index 687df80..0000000 --- a/backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From e1e32516f98a1f39ce763545de9a8664526d0b8a Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 21 Oct 2021 18:07:06 +0200 -Subject: [PATCH] stat-util: specify O_DIRECTORY when reopening dir in - dir_is_empty_at() - -That way we can fail earlier if the specified fd is not actually a -directory. - -(Also, it's not exactly according to standards to open things without -either O_RDONLY/O_RDWR...) - -(cherry picked from commit b9d06522631a22d242374dc44a74c3b6459e3cb3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e1e32516f98a1f39ce763545de9a8664526d0b8a ---- - src/basic/stat-util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c -index 72a7e4a48b..56f7652cec 100644 ---- a/src/basic/stat-util.c -+++ b/src/basic/stat-util.c -@@ -79,7 +79,7 @@ int dir_is_empty_at(int dir_fd, const char *path) { - } else { - /* Note that DUPing is not enough, as the internal pointer - * would still be shared and moved by FOREACH_DIRENT. */ -- fd = fd_reopen(dir_fd, O_CLOEXEC); -+ fd = fd_reopen(dir_fd, O_RDONLY|O_DIRECTORY|O_CLOEXEC); - if (fd < 0) - return fd; - } --- -2.33.0 - diff --git a/backport-swap-tell-swapon-to-reinitialize-swap-if-needed.patch b/backport-swap-tell-swapon-to-reinitialize-swap-if-needed.patch deleted file mode 100644 index 6f491d5..0000000 --- a/backport-swap-tell-swapon-to-reinitialize-swap-if-needed.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 316382fb90c7018b5309bacf66c5f18488c2a3c4 Mon Sep 17 00:00:00 2001 -From: David Tardon -Date: Mon, 12 Dec 2022 16:21:30 +0100 -Subject: [PATCH] swap: tell swapon to reinitialize swap if needed - -If the page size of a swap space doesn't match the page size of the -currently running kernel, swapon will fail. Let's instruct it to -reinitialize the swap space instead. - -(cherry picked from commit cc137d53e36da5e57b060be5e621864f572b2cac) -(cherry picked from commit a0ac79bce9255cf33b0f208b18d888f0f700133c) -(cherry picked from commit 8be5a12c7170ed7e7b4303c16573e463ef997e23) -(cherry picked from commit f8201271fdaef4e3a68efac8a21e9f195e4e4a6b) ---- - src/core/swap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/swap.c b/src/core/swap.c -index 3843b19500..83e77d24ae 100644 ---- a/src/core/swap.c -+++ b/src/core/swap.c -@@ -836,7 +836,7 @@ static void swap_enter_activating(Swap *s) { - } - } - -- r = exec_command_set(s->control_command, "/sbin/swapon", NULL); -+ r = exec_command_set(s->control_command, "/sbin/swapon", "--fixpgsz", NULL); - if (r < 0) - goto fail; - --- -2.27.0 - diff --git a/backport-syscalls-update-syscall-definitions.patch b/backport-syscalls-update-syscall-definitions.patch deleted file mode 100644 index 78f80cf..0000000 --- a/backport-syscalls-update-syscall-definitions.patch +++ /dev/null @@ -1,853 +0,0 @@ -From f551941e5d7a39312903625d473e1d527358f0e1 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 3 Jan 2022 03:48:10 +0900 -Subject: [PATCH] syscalls: update syscall definitions - -(cherry picked from commit 0c718b1a67cd0d3512eafeb4659458694bf3865b) -(cherry picked from commit 7e338876577cb328632ce3e7753c0130b54dd7a2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f551941e5d7a39312903625d473e1d527358f0e1 ---- - src/basic/syscalls-alpha.txt | 6 ++++-- - src/basic/syscalls-arc.txt | 6 ++++-- - src/basic/syscalls-arm.txt | 6 ++++-- - src/basic/syscalls-arm64.txt | 6 ++++-- - src/basic/syscalls-i386.txt | 6 ++++-- - src/basic/syscalls-ia64.txt | 6 ++++-- - src/basic/syscalls-m68k.txt | 6 ++++-- - src/basic/syscalls-mips64.txt | 6 ++++-- - src/basic/syscalls-mips64n32.txt | 6 ++++-- - src/basic/syscalls-mipso32.txt | 6 ++++-- - src/basic/syscalls-powerpc.txt | 6 ++++-- - src/basic/syscalls-powerpc64.txt | 6 ++++-- - src/basic/syscalls-riscv32.txt | 8 +++++--- - src/basic/syscalls-riscv64.txt | 6 ++++-- - src/basic/syscalls-s390.txt | 6 ++++-- - src/basic/syscalls-s390x.txt | 6 ++++-- - src/basic/syscalls-sparc.txt | 6 ++++-- - src/basic/syscalls-x86_64.txt | 6 ++++-- - 18 files changed, 73 insertions(+), 37 deletions(-) - -diff --git a/src/basic/syscalls-alpha.txt b/src/basic/syscalls-alpha.txt -index 3bcc357075..5aef86b09e 100644 ---- a/src/basic/syscalls-alpha.txt -+++ b/src/basic/syscalls-alpha.txt -@@ -106,6 +106,7 @@ ftruncate 130 - ftruncate64 - futex 394 - futex_time64 -+futex_waitv 559 - futimesat 454 - get_kernel_syms 309 - get_mempolicy 430 -@@ -203,6 +204,7 @@ madvise 75 - mbind 429 - membarrier 517 - memfd_create 512 -+memfd_secret - memory_ordering - migrate_pages 449 - mincore 375 -@@ -374,7 +376,6 @@ pciconfig_read 345 - pciconfig_write 346 - perf_event_open 493 - perfctr --perfmonctl - personality 324 - pidfd_getfd 548 - pidfd_open 544 -@@ -394,6 +395,7 @@ preadv 490 - preadv2 520 - prlimit64 496 - process_madvise 550 -+process_mrelease 558 - process_vm_readv 504 - process_vm_writev 505 - pselect6 463 -@@ -404,7 +406,7 @@ pwritev 491 - pwritev2 521 - query_module 347 - quotactl 148 --quotactl_path -+quotactl_fd 553 - read 3 - readahead 379 - readdir -diff --git a/src/basic/syscalls-arc.txt b/src/basic/syscalls-arc.txt -index e4204fa0f2..f275f104bf 100644 ---- a/src/basic/syscalls-arc.txt -+++ b/src/basic/syscalls-arc.txt -@@ -106,6 +106,7 @@ ftruncate - ftruncate64 46 - futex 98 - futex_time64 422 -+futex_waitv 449 - futimesat - get_kernel_syms - get_mempolicy 236 -@@ -203,6 +204,7 @@ madvise 233 - mbind 235 - membarrier 283 - memfd_create 279 -+memfd_secret - memory_ordering - migrate_pages 238 - mincore 232 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 241 - perfctr --perfmonctl - personality 92 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 69 - preadv2 286 - prlimit64 261 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 270 - process_vm_writev 271 - pselect6 72 -@@ -404,7 +406,7 @@ pwritev 70 - pwritev2 287 - query_module - quotactl 60 --quotactl_path -+quotactl_fd 443 - read 63 - readahead 213 - readdir -diff --git a/src/basic/syscalls-arm.txt b/src/basic/syscalls-arm.txt -index a4847a18b3..9037b28384 100644 ---- a/src/basic/syscalls-arm.txt -+++ b/src/basic/syscalls-arm.txt -@@ -106,6 +106,7 @@ ftruncate 93 - ftruncate64 194 - futex 240 - futex_time64 422 -+futex_waitv 449 - futimesat 326 - get_kernel_syms - get_mempolicy 320 -@@ -203,6 +204,7 @@ madvise 220 - mbind 319 - membarrier 389 - memfd_create 385 -+memfd_secret - memory_ordering - migrate_pages 400 - mincore 219 -@@ -374,7 +376,6 @@ pciconfig_read 272 - pciconfig_write 273 - perf_event_open 364 - perfctr --perfmonctl - personality 136 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 361 - preadv2 392 - prlimit64 369 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 376 - process_vm_writev 377 - pselect6 335 -@@ -404,7 +406,7 @@ pwritev 362 - pwritev2 393 - query_module - quotactl 131 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 225 - readdir -diff --git a/src/basic/syscalls-arm64.txt b/src/basic/syscalls-arm64.txt -index ef76ffa96f..e91d7cfca4 100644 ---- a/src/basic/syscalls-arm64.txt -+++ b/src/basic/syscalls-arm64.txt -@@ -106,6 +106,7 @@ ftruncate 46 - ftruncate64 - futex 98 - futex_time64 -+futex_waitv 449 - futimesat - get_kernel_syms - get_mempolicy 236 -@@ -203,6 +204,7 @@ madvise 233 - mbind 235 - membarrier 283 - memfd_create 279 -+memfd_secret 447 - memory_ordering - migrate_pages 238 - mincore 232 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 241 - perfctr --perfmonctl - personality 92 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 69 - preadv2 286 - prlimit64 261 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 270 - process_vm_writev 271 - pselect6 72 -@@ -404,7 +406,7 @@ pwritev 70 - pwritev2 287 - query_module - quotactl 60 --quotactl_path -+quotactl_fd 443 - read 63 - readahead 213 - readdir -diff --git a/src/basic/syscalls-i386.txt b/src/basic/syscalls-i386.txt -index baacb9b7a3..6b57d6f05d 100644 ---- a/src/basic/syscalls-i386.txt -+++ b/src/basic/syscalls-i386.txt -@@ -106,6 +106,7 @@ ftruncate 93 - ftruncate64 194 - futex 240 - futex_time64 422 -+futex_waitv 449 - futimesat 299 - get_kernel_syms 130 - get_mempolicy 275 -@@ -203,6 +204,7 @@ madvise 219 - mbind 274 - membarrier 375 - memfd_create 356 -+memfd_secret 447 - memory_ordering - migrate_pages 294 - mincore 218 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 336 - perfctr --perfmonctl - personality 136 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 333 - preadv2 378 - prlimit64 340 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 347 - process_vm_writev 348 - pselect6 308 -@@ -404,7 +406,7 @@ pwritev 334 - pwritev2 379 - query_module 167 - quotactl 131 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 225 - readdir 89 -diff --git a/src/basic/syscalls-ia64.txt b/src/basic/syscalls-ia64.txt -index c37ea6f88f..3d646f6d17 100644 ---- a/src/basic/syscalls-ia64.txt -+++ b/src/basic/syscalls-ia64.txt -@@ -106,6 +106,7 @@ ftruncate 1098 - ftruncate64 - futex 1230 - futex_time64 -+futex_waitv 1473 - futimesat 1285 - get_kernel_syms - get_mempolicy 1260 -@@ -203,6 +204,7 @@ madvise 1209 - mbind 1259 - membarrier 1344 - memfd_create 1340 -+memfd_secret - memory_ordering - migrate_pages 1280 - mincore 1208 -@@ -374,7 +376,6 @@ pciconfig_read 1173 - pciconfig_write 1174 - perf_event_open 1352 - perfctr --perfmonctl 1175 - personality 1140 - pidfd_getfd 1462 - pidfd_open 1458 -@@ -394,6 +395,7 @@ preadv 1319 - preadv2 1348 - prlimit64 1325 - process_madvise 1464 -+process_mrelease 1472 - process_vm_readv 1332 - process_vm_writev 1333 - pselect6 1294 -@@ -404,7 +406,7 @@ pwritev 1320 - pwritev2 1349 - query_module - quotactl 1137 --quotactl_path -+quotactl_fd 1467 - read 1026 - readahead 1216 - readdir -diff --git a/src/basic/syscalls-m68k.txt b/src/basic/syscalls-m68k.txt -index 7522b82e1f..ef7295db2f 100644 ---- a/src/basic/syscalls-m68k.txt -+++ b/src/basic/syscalls-m68k.txt -@@ -106,6 +106,7 @@ ftruncate 93 - ftruncate64 194 - futex 235 - futex_time64 422 -+futex_waitv 449 - futimesat 292 - get_kernel_syms 130 - get_mempolicy 269 -@@ -203,6 +204,7 @@ madvise 238 - mbind 268 - membarrier 374 - memfd_create 353 -+memfd_secret - memory_ordering - migrate_pages 287 - mincore 237 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 332 - perfctr --perfmonctl - personality 136 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 329 - preadv2 377 - prlimit64 339 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 345 - process_vm_writev 346 - pselect6 301 -@@ -404,7 +406,7 @@ pwritev 330 - pwritev2 378 - query_module 167 - quotactl 131 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 240 - readdir 89 -diff --git a/src/basic/syscalls-mips64.txt b/src/basic/syscalls-mips64.txt -index 6b85975eea..1f7ff567be 100644 ---- a/src/basic/syscalls-mips64.txt -+++ b/src/basic/syscalls-mips64.txt -@@ -106,6 +106,7 @@ ftruncate 5075 - ftruncate64 - futex 5194 - futex_time64 -+futex_waitv 5449 - futimesat 5251 - get_kernel_syms 5170 - get_mempolicy 5228 -@@ -203,6 +204,7 @@ madvise 5027 - mbind 5227 - membarrier 5318 - memfd_create 5314 -+memfd_secret - memory_ordering - migrate_pages 5246 - mincore 5026 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 5292 - perfctr --perfmonctl - personality 5132 - pidfd_getfd 5438 - pidfd_open 5434 -@@ -394,6 +395,7 @@ preadv 5289 - preadv2 5321 - prlimit64 5297 - process_madvise 5440 -+process_mrelease 5448 - process_vm_readv 5304 - process_vm_writev 5305 - pselect6 5260 -@@ -404,7 +406,7 @@ pwritev 5290 - pwritev2 5322 - query_module 5171 - quotactl 5172 --quotactl_path -+quotactl_fd 5443 - read 5000 - readahead 5179 - readdir -diff --git a/src/basic/syscalls-mips64n32.txt b/src/basic/syscalls-mips64n32.txt -index a4c12cc442..7e1ad9637d 100644 ---- a/src/basic/syscalls-mips64n32.txt -+++ b/src/basic/syscalls-mips64n32.txt -@@ -106,6 +106,7 @@ ftruncate 6075 - ftruncate64 - futex 6194 - futex_time64 6422 -+futex_waitv 6449 - futimesat 6255 - get_kernel_syms 6170 - get_mempolicy 6232 -@@ -203,6 +204,7 @@ madvise 6027 - mbind 6231 - membarrier 6322 - memfd_create 6318 -+memfd_secret - memory_ordering - migrate_pages 6250 - mincore 6026 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 6296 - perfctr --perfmonctl - personality 6132 - pidfd_getfd 6438 - pidfd_open 6434 -@@ -394,6 +395,7 @@ preadv 6293 - preadv2 6325 - prlimit64 6302 - process_madvise 6440 -+process_mrelease 6448 - process_vm_readv 6309 - process_vm_writev 6310 - pselect6 6264 -@@ -404,7 +406,7 @@ pwritev 6294 - pwritev2 6326 - query_module 6171 - quotactl 6172 --quotactl_path -+quotactl_fd 6443 - read 6000 - readahead 6179 - readdir -diff --git a/src/basic/syscalls-mipso32.txt b/src/basic/syscalls-mipso32.txt -index fcebabab11..c0c262fd1a 100644 ---- a/src/basic/syscalls-mipso32.txt -+++ b/src/basic/syscalls-mipso32.txt -@@ -106,6 +106,7 @@ ftruncate 4093 - ftruncate64 4212 - futex 4238 - futex_time64 4422 -+futex_waitv 4449 - futimesat 4292 - get_kernel_syms 4130 - get_mempolicy 4269 -@@ -203,6 +204,7 @@ madvise 4218 - mbind 4268 - membarrier 4358 - memfd_create 4354 -+memfd_secret - memory_ordering - migrate_pages 4287 - mincore 4217 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 4333 - perfctr --perfmonctl - personality 4136 - pidfd_getfd 4438 - pidfd_open 4434 -@@ -394,6 +395,7 @@ preadv 4330 - preadv2 4361 - prlimit64 4338 - process_madvise 4440 -+process_mrelease 4448 - process_vm_readv 4345 - process_vm_writev 4346 - pselect6 4301 -@@ -404,7 +406,7 @@ pwritev 4331 - pwritev2 4362 - query_module 4187 - quotactl 4131 --quotactl_path -+quotactl_fd 4443 - read 4003 - readahead 4223 - readdir 4089 -diff --git a/src/basic/syscalls-powerpc.txt b/src/basic/syscalls-powerpc.txt -index 3185562726..2f085161e1 100644 ---- a/src/basic/syscalls-powerpc.txt -+++ b/src/basic/syscalls-powerpc.txt -@@ -106,6 +106,7 @@ ftruncate 93 - ftruncate64 194 - futex 221 - futex_time64 422 -+futex_waitv 449 - futimesat 290 - get_kernel_syms 130 - get_mempolicy 260 -@@ -203,6 +204,7 @@ madvise 205 - mbind 259 - membarrier 365 - memfd_create 360 -+memfd_secret - memory_ordering - migrate_pages 258 - mincore 206 -@@ -374,7 +376,6 @@ pciconfig_read 198 - pciconfig_write 199 - perf_event_open 319 - perfctr --perfmonctl - personality 136 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 320 - preadv2 380 - prlimit64 325 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 351 - process_vm_writev 352 - pselect6 280 -@@ -404,7 +406,7 @@ pwritev 321 - pwritev2 381 - query_module 166 - quotactl 131 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 191 - readdir 89 -diff --git a/src/basic/syscalls-powerpc64.txt b/src/basic/syscalls-powerpc64.txt -index e940737781..85e53422ee 100644 ---- a/src/basic/syscalls-powerpc64.txt -+++ b/src/basic/syscalls-powerpc64.txt -@@ -106,6 +106,7 @@ ftruncate 93 - ftruncate64 - futex 221 - futex_time64 -+futex_waitv 449 - futimesat 290 - get_kernel_syms 130 - get_mempolicy 260 -@@ -203,6 +204,7 @@ madvise 205 - mbind 259 - membarrier 365 - memfd_create 360 -+memfd_secret - memory_ordering - migrate_pages 258 - mincore 206 -@@ -374,7 +376,6 @@ pciconfig_read 198 - pciconfig_write 199 - perf_event_open 319 - perfctr --perfmonctl - personality 136 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 320 - preadv2 380 - prlimit64 325 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 351 - process_vm_writev 352 - pselect6 280 -@@ -404,7 +406,7 @@ pwritev 321 - pwritev2 381 - query_module 166 - quotactl 131 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 191 - readdir 89 -diff --git a/src/basic/syscalls-riscv32.txt b/src/basic/syscalls-riscv32.txt -index 8fe0d5ea88..013e38189b 100644 ---- a/src/basic/syscalls-riscv32.txt -+++ b/src/basic/syscalls-riscv32.txt -@@ -40,7 +40,7 @@ clock_settime - clock_settime64 404 - clone 220 - clone2 --clone3 -+clone3 435 - close 57 - close_range 436 - connect 203 -@@ -106,6 +106,7 @@ ftruncate - ftruncate64 46 - futex - futex_time64 422 -+futex_waitv 449 - futimesat - get_kernel_syms - get_mempolicy 236 -@@ -203,6 +204,7 @@ madvise 233 - mbind 235 - membarrier 283 - memfd_create 279 -+memfd_secret - memory_ordering - migrate_pages 238 - mincore 232 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 241 - perfctr --perfmonctl - personality 92 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 69 - preadv2 286 - prlimit64 261 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 270 - process_vm_writev 271 - pselect6 -@@ -404,7 +406,7 @@ pwritev 70 - pwritev2 287 - query_module - quotactl 60 --quotactl_path -+quotactl_fd 443 - read 63 - readahead 213 - readdir -diff --git a/src/basic/syscalls-riscv64.txt b/src/basic/syscalls-riscv64.txt -index e021ea79b4..104a2d9dfa 100644 ---- a/src/basic/syscalls-riscv64.txt -+++ b/src/basic/syscalls-riscv64.txt -@@ -106,6 +106,7 @@ ftruncate 46 - ftruncate64 - futex 98 - futex_time64 -+futex_waitv 449 - futimesat - get_kernel_syms - get_mempolicy 236 -@@ -203,6 +204,7 @@ madvise 233 - mbind 235 - membarrier 283 - memfd_create 279 -+memfd_secret - memory_ordering - migrate_pages 238 - mincore 232 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 241 - perfctr --perfmonctl - personality 92 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 69 - preadv2 286 - prlimit64 261 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 270 - process_vm_writev 271 - pselect6 72 -@@ -404,7 +406,7 @@ pwritev 70 - pwritev2 287 - query_module - quotactl 60 --quotactl_path -+quotactl_fd 443 - read 63 - readahead 213 - readdir -diff --git a/src/basic/syscalls-s390.txt b/src/basic/syscalls-s390.txt -index 5d3b73e6c0..a25093c7be 100644 ---- a/src/basic/syscalls-s390.txt -+++ b/src/basic/syscalls-s390.txt -@@ -106,6 +106,7 @@ ftruncate 93 - ftruncate64 194 - futex 238 - futex_time64 422 -+futex_waitv 449 - futimesat 292 - get_kernel_syms 130 - get_mempolicy 269 -@@ -203,6 +204,7 @@ madvise 219 - mbind 268 - membarrier 356 - memfd_create 350 -+memfd_secret - memory_ordering - migrate_pages 287 - mincore 218 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 331 - perfctr --perfmonctl - personality 136 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 328 - preadv2 376 - prlimit64 334 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 340 - process_vm_writev 341 - pselect6 301 -@@ -404,7 +406,7 @@ pwritev 329 - pwritev2 377 - query_module 167 - quotactl 131 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 222 - readdir 89 -diff --git a/src/basic/syscalls-s390x.txt b/src/basic/syscalls-s390x.txt -index 62a2ea4fae..b4b798f9df 100644 ---- a/src/basic/syscalls-s390x.txt -+++ b/src/basic/syscalls-s390x.txt -@@ -106,6 +106,7 @@ ftruncate 93 - ftruncate64 - futex 238 - futex_time64 -+futex_waitv 449 - futimesat 292 - get_kernel_syms 130 - get_mempolicy 269 -@@ -203,6 +204,7 @@ madvise 219 - mbind 268 - membarrier 356 - memfd_create 350 -+memfd_secret - memory_ordering - migrate_pages 287 - mincore 218 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 331 - perfctr --perfmonctl - personality 136 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 328 - preadv2 376 - prlimit64 334 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 340 - process_vm_writev 341 - pselect6 301 -@@ -404,7 +406,7 @@ pwritev 329 - pwritev2 377 - query_module 167 - quotactl 131 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 222 - readdir 89 -diff --git a/src/basic/syscalls-sparc.txt b/src/basic/syscalls-sparc.txt -index fe41bf97e8..a382e75c24 100644 ---- a/src/basic/syscalls-sparc.txt -+++ b/src/basic/syscalls-sparc.txt -@@ -106,6 +106,7 @@ ftruncate 130 - ftruncate64 84 - futex 142 - futex_time64 422 -+futex_waitv 449 - futimesat 288 - get_kernel_syms 223 - get_mempolicy 304 -@@ -203,6 +204,7 @@ madvise 75 - mbind 303 - membarrier 351 - memfd_create 348 -+memfd_secret - memory_ordering - migrate_pages 302 - mincore 78 -@@ -374,7 +376,6 @@ pciconfig_read 148 - pciconfig_write 149 - perf_event_open 327 - perfctr 18 --perfmonctl - personality 191 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 324 - preadv2 358 - prlimit64 331 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 338 - process_vm_writev 339 - pselect6 297 -@@ -404,7 +406,7 @@ pwritev 325 - pwritev2 359 - query_module 184 - quotactl 165 --quotactl_path -+quotactl_fd 443 - read 3 - readahead 205 - readdir 204 -diff --git a/src/basic/syscalls-x86_64.txt b/src/basic/syscalls-x86_64.txt -index d2ac17ab46..5bc9c58a2a 100644 ---- a/src/basic/syscalls-x86_64.txt -+++ b/src/basic/syscalls-x86_64.txt -@@ -106,6 +106,7 @@ ftruncate 77 - ftruncate64 - futex 202 - futex_time64 -+futex_waitv 449 - futimesat 261 - get_kernel_syms 177 - get_mempolicy 239 -@@ -203,6 +204,7 @@ madvise 28 - mbind 237 - membarrier 324 - memfd_create 319 -+memfd_secret 447 - memory_ordering - migrate_pages 256 - mincore 27 -@@ -374,7 +376,6 @@ pciconfig_read - pciconfig_write - perf_event_open 298 - perfctr --perfmonctl - personality 135 - pidfd_getfd 438 - pidfd_open 434 -@@ -394,6 +395,7 @@ preadv 295 - preadv2 327 - prlimit64 302 - process_madvise 440 -+process_mrelease 448 - process_vm_readv 310 - process_vm_writev 311 - pselect6 270 -@@ -404,7 +406,7 @@ pwritev 296 - pwritev2 328 - query_module 178 - quotactl 179 --quotactl_path -+quotactl_fd 443 - read 0 - readahead 187 - readdir --- -2.33.0 - diff --git a/backport-sysext-refuse-empty-release-ID-to-avoid-triggering-a.patch b/backport-sysext-refuse-empty-release-ID-to-avoid-triggering-a.patch deleted file mode 100644 index fa24a29..0000000 --- a/backport-sysext-refuse-empty-release-ID-to-avoid-triggering-a.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 6100e1dded709f681aca0cf913095e2591a54e33 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 21 May 2022 03:03:21 +0900 -Subject: [PATCH] sysext: refuse empty release ID to avoid triggering assertion - -Otherwise, the assertion in extension_release_validate() will be -triggered. - -(cherry picked from commit 30e29edf4c0bb025aa7dc03c415b727fddf996ac) ---- - src/sysext/sysext.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c -index 60789e0f2c..4245bf1760 100644 ---- a/src/sysext/sysext.c -+++ b/src/sysext/sysext.c -@@ -483,6 +483,10 @@ static int merge_subprocess(Hashmap *images, const char *workspace) { - "SYSEXT_LEVEL", &host_os_release_sysext_level); - if (r < 0) - return log_error_errno(r, "Failed to acquire 'os-release' data of OS tree '%s': %m", empty_to_root(arg_root)); -+ if (isempty(host_os_release_id)) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), -+ "'ID' field not found or empty in 'os-release' data of OS tree '%s': %m", -+ empty_to_root(arg_root)); - - /* Let's now mount all images */ - HASHMAP_FOREACH(img, images) { --- -2.33.0 - diff --git a/backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch b/backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch deleted file mode 100644 index f5ca58d..0000000 --- a/backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 9370cf015e54e2201227c27271506e63ad8c3e1d Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Wed, 19 Jan 2022 00:27:45 +0000 -Subject: [PATCH] sysext: use LO_FLAGS_PARTSCAN when opening image - -Jan 17 12:34:59 myguest1 (sd-sysext)[486]: Device '/var/lib/extensions/myext.raw' is loopback block device with partition scanning turned off, please turn it on. - -Fixes https://github.com/systemd/systemd/issues/22146 - -(cherry picked from commit 70a5c6dce0872b3bb0a39be250adde86a0c8f35c) -(cherry picked from commit 4ef7122f3c3328aa01e1ed187a793e7b1595ee87) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9370cf015e54e2201227c27271506e63ad8c3e1d ---- - src/sysext/sysext.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c -index 572e4007fe..bcd87ab152 100644 ---- a/src/sysext/sysext.c -+++ b/src/sysext/sysext.c -@@ -2,6 +2,7 @@ - - #include - #include -+#include - #include - #include - -@@ -523,7 +524,11 @@ static int merge_subprocess(Hashmap *images, const char *workspace) { - if (verity_settings.data_path) - flags |= DISSECT_IMAGE_NO_PARTITION_TABLE; - -- r = loop_device_make_by_path(img->path, O_RDONLY, 0, &d); -+ r = loop_device_make_by_path( -+ img->path, -+ O_RDONLY, -+ FLAGS_SET(flags, DISSECT_IMAGE_NO_PARTITION_TABLE) ? 0 : LO_FLAGS_PARTSCAN, -+ &d); - if (r < 0) - return log_error_errno(r, "Failed to set up loopback device for %s: %m", img->path); - --- -2.33.0 - diff --git a/backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch b/backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch deleted file mode 100644 index 16b6a65..0000000 --- a/backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch +++ /dev/null @@ -1,111 +0,0 @@ -From f8e994d928fc1636f7aefc6dd9ee8374c7cc63f3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 28 Jul 2021 12:57:10 +0200 -Subject: [PATCH] systemctl: allow set-property to be called with a glob - pattern -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We call "systemctl set-property … Markers=+needs-restart" and this should -also work for globs, e.g. "user@*.service" or "syncthing@*.service". - -https://bugzilla.redhat.com/show_bug.cgi?id=1986258 -(cherry picked from commit 23a0ffa59f9cb26c4b016c9fd1a3a70da2607f61) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f8e994d928fc1636f7aefc6dd9ee8374c7cc63f3 ---- - src/systemctl/systemctl-set-property.c | 53 ++++++++++++++++---------- - 1 file changed, 33 insertions(+), 20 deletions(-) - -diff --git a/src/systemctl/systemctl-set-property.c b/src/systemctl/systemctl-set-property.c -index 183a7b6a8a..5739bac070 100644 ---- a/src/systemctl/systemctl-set-property.c -+++ b/src/systemctl/systemctl-set-property.c -@@ -6,33 +6,20 @@ - #include "systemctl-util.h" - #include "systemctl.h" - --int set_property(int argc, char *argv[], void *userdata) { -- _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; -+static int set_property_one(sd_bus *bus, const char *name, char **properties) { - _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; -- _cleanup_free_ char *n = NULL; -- UnitType t; -- sd_bus *bus; -+ _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; - int r; - -- r = acquire_bus(BUS_MANAGER, &bus); -- if (r < 0) -- return r; -- -- polkit_agent_open_maybe(); -- - r = bus_message_new_method_call(bus, &m, bus_systemd_mgr, "SetUnitProperties"); - if (r < 0) - return bus_log_create_error(r); - -- r = unit_name_mangle(argv[1], arg_quiet ? 0 : UNIT_NAME_MANGLE_WARN, &n); -- if (r < 0) -- return log_error_errno(r, "Failed to mangle unit name: %m"); -- -- t = unit_name_to_type(n); -+ UnitType t = unit_name_to_type(name); - if (t < 0) -- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid unit type: %s", n); -+ return log_error_errno(t, "Invalid unit type: %s", name); - -- r = sd_bus_message_append(m, "sb", n, arg_runtime); -+ r = sd_bus_message_append(m, "sb", name, arg_runtime); - if (r < 0) - return bus_log_create_error(r); - -@@ -40,7 +27,7 @@ int set_property(int argc, char *argv[], void *userdata) { - if (r < 0) - return bus_log_create_error(r); - -- r = bus_append_unit_property_assignment_many(m, t, strv_skip(argv, 2)); -+ r = bus_append_unit_property_assignment_many(m, t, properties); - if (r < 0) - return r; - -@@ -50,7 +37,33 @@ int set_property(int argc, char *argv[], void *userdata) { - - r = sd_bus_call(bus, m, 0, &error, NULL); - if (r < 0) -- return log_error_errno(r, "Failed to set unit properties on %s: %s", n, bus_error_message(&error, r)); -+ return log_error_errno(r, "Failed to set unit properties on %s: %s", -+ name, bus_error_message(&error, r)); - - return 0; - } -+ -+int set_property(int argc, char *argv[], void *userdata) { -+ sd_bus *bus; -+ _cleanup_strv_free_ char **names = NULL; -+ char **name; -+ int r, k; -+ -+ r = acquire_bus(BUS_MANAGER, &bus); -+ if (r < 0) -+ return r; -+ -+ polkit_agent_open_maybe(); -+ -+ r = expand_unit_names(bus, STRV_MAKE(argv[1]), NULL, &names, NULL); -+ if (r < 0) -+ return log_error_errno(r, "Failed to expand '%s' into names: %m", argv[1]); -+ -+ r = 0; -+ STRV_FOREACH(name, names) { -+ k = set_property_one(bus, *name, strv_skip(argv, 2)); -+ if (k < 0 && r >= 0) -+ r = k; -+ } -+ return r; -+} --- -2.33.0 - diff --git a/backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch b/backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch deleted file mode 100644 index f88beaa..0000000 --- a/backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 99a6dc51727e6c26cf43566de481272773cb1a91 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Fri, 18 Feb 2022 23:09:18 +0100 -Subject: [PATCH] systemctl: make `--timestamp=` affect the `show` verb as well - -Currently the `--timestamp=` option has no effect on timestamps shown by -`systemctl show`, let's fix that. - -Spotted in #22567. - -Before: -``` -$ systemctl show --timestamp=us+utc systemd-journald | grep Timestamp= -ExecMainStartTimestamp=Sat 2021-12-11 15:25:57 CET -StateChangeTimestamp=Sat 2021-12-11 15:25:57 CET -InactiveExitTimestamp=Sat 2021-12-11 15:25:57 CET -ActiveEnterTimestamp=Sat 2021-12-11 15:25:57 CET -ActiveExitTimestamp=Sat 2021-12-11 15:25:57 CET -InactiveEnterTimestamp=Sat 2021-12-11 15:25:57 CET -ConditionTimestamp=Sat 2021-12-11 15:25:57 CET -AssertTimestamp=Sat 2021-12-11 15:25:57 CET -``` - -After: -``` -$ systemctl show --timestamp=us+utc systemd-journald | grep Timestamp= -ExecMainStartTimestamp=Sat 2021-12-11 14:25:57.177848 UTC -StateChangeTimestamp=Sat 2021-12-11 14:25:57.196714 UTC -InactiveExitTimestamp=Sat 2021-12-11 14:25:57.177871 UTC -ActiveEnterTimestamp=Sat 2021-12-11 14:25:57.196714 UTC -ActiveExitTimestamp=Sat 2021-12-11 14:25:57.144677 UTC -InactiveEnterTimestamp=Sat 2021-12-11 14:25:57.176331 UTC -ConditionTimestamp=Sat 2021-12-11 14:25:57.176980 UTC -AssertTimestamp=Sat 2021-12-11 14:25:57.176980 UTC - -``` - -(cherry picked from commit a59e5c625da5a6e0c46e493d55f2f4212e9457ca) -(cherry picked from commit e59c381e2321ae9e476c550d5a3d43a1fd0493ac) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/99a6dc51727e6c26cf43566de481272773cb1a91 ---- - src/systemctl/systemctl-show.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c -index dd99bc5323..5b6ee3c518 100644 ---- a/src/systemctl/systemctl-show.c -+++ b/src/systemctl/systemctl-show.c -@@ -1006,6 +1006,22 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m - } - break; - -+ case SD_BUS_TYPE_UINT64: -+ if (endswith(name, "Timestamp")) { -+ char timestamp_str[FORMAT_TIMESTAMP_MAX] = "n/a"; -+ uint64_t timestamp; -+ -+ r = sd_bus_message_read_basic(m, bus_type, ×tamp); -+ if (r < 0) -+ return r; -+ -+ (void) format_timestamp_style(timestamp_str, sizeof(timestamp_str), timestamp, arg_timestamp_style); -+ bus_print_property_value(name, expected_value, flags, timestamp_str); -+ -+ return 1; -+ } -+ break; -+ - case SD_BUS_TYPE_STRUCT: - - if (contents[0] == SD_BUS_TYPE_UINT32 && streq(name, "Job")) { --- -2.33.0 - diff --git a/backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch b/backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch deleted file mode 100644 index 49abf23..0000000 --- a/backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 08693ce568f0967046b669fcd99ba0939a1df86d Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 28 Oct 2021 16:47:40 +0200 -Subject: [PATCH] systemctl: only fall back to local cgroup display if we talk - to local systemd - -Otherwise we likely show rubbish because even in local containers we -nowadays have cgroup namespacing, hence we likely can't access the -cgroup tree from the host at the same place as inside the container. - -(cherry picked from commit 35ac0260db7b896604d156e9638ad15700083508) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/08693ce568f0967046b669fcd99ba0939a1df86d ---- - src/systemctl/systemctl-show.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c -index 290a501c52..dd99bc5323 100644 ---- a/src/systemctl/systemctl-show.c -+++ b/src/systemctl/systemctl-show.c -@@ -741,7 +741,7 @@ static void print_status_info( - c = 0; - - r = unit_show_processes(bus, i->id, i->control_group, prefix, c, get_output_flags(), &error); -- if (r == -EBADR) { -+ if (r == -EBADR && arg_transport == BUS_TRANSPORT_LOCAL) { - unsigned k = 0; - pid_t extra[2]; - --- -2.33.0 - diff --git a/backport-systemctl-pretty-print-ExtensionImages-property.patch b/backport-systemctl-pretty-print-ExtensionImages-property.patch deleted file mode 100644 index 9d51284..0000000 --- a/backport-systemctl-pretty-print-ExtensionImages-property.patch +++ /dev/null @@ -1,85 +0,0 @@ -From c4967b69610a75375cdcaafc9a9816ffddaeec38 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Tue, 26 Oct 2021 22:55:30 +0100 -Subject: [PATCH] systemctl: pretty-print ExtensionImages property - -Complex type, so without explicit support 'systemctl show' just prints [unprintable] - -(cherry picked from commit 60c16c5cf3458199646cbda9dfe7763b6ba8b62f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c4967b69610a75375cdcaafc9a9816ffddaeec38 ---- - src/systemctl/systemctl-show.c | 56 ++++++++++++++++++++++++++++++++++ - 1 file changed, 56 insertions(+) - -diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c -index 1f524626bf..3bc9fd4920 100644 ---- a/src/systemctl/systemctl-show.c -+++ b/src/systemctl/systemctl-show.c -@@ -1694,6 +1694,62 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m - - return 1; - -+ } else if (streq(name, "ExtensionImages")) { -+ _cleanup_free_ char *paths = NULL; -+ -+ r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(sba(ss))"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ for (;;) { -+ _cleanup_free_ char *str = NULL; -+ const char *source, *partition, *mount_options; -+ int ignore_enoent; -+ -+ r = sd_bus_message_enter_container(m, 'r', "sba(ss)"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ if (r == 0) -+ break; -+ -+ r = sd_bus_message_read(m, "sb", &source, &ignore_enoent); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ str = strjoin(ignore_enoent ? "-" : "", source); -+ if (!str) -+ return log_oom(); -+ -+ r = sd_bus_message_enter_container(m, 'a', "(ss)"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ while ((r = sd_bus_message_read(m, "(ss)", &partition, &mount_options)) > 0) -+ if (!strextend_with_separator(&str, ":", partition, mount_options)) -+ return log_oom(); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ if (!strextend_with_separator(&paths, " ", str)) -+ return log_oom(); -+ -+ r = sd_bus_message_exit_container(m); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ r = sd_bus_message_exit_container(m); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ } -+ -+ r = sd_bus_message_exit_container(m); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ bus_print_property_value(name, expected_value, flags, paths); -+ -+ return 1; -+ - } else if (streq(name, "BPFProgram")) { - const char *a, *p; - --- -2.33.0 - diff --git a/backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch b/backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch deleted file mode 100644 index be21368..0000000 --- a/backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 486412ad3bba4f1306597302cf66cc4858126243 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 12 Jul 2021 12:32:39 +0200 -Subject: [PATCH] systemctl: show error when help for unknown unit is requested - -Fixes #20189. We would only log at debug level and return failure, which looks -like a noop for the user. - -('help' accepts multiple arguments and will show multiple concatenated man -pages in that case. Actually, it will also show multiple concatenated man pages -if the Documentation= setting lists multiple pages. I don't think it's very -terribly useful, but, meh, I don't think we can do much better. If a user -requests a help for a two services, one known and one unknown, there'll now be -a line in the output. It's not very user friendly, but not exactly wrong too.) - -(cherry picked from commit 75312ada5324d8adae3f3a0ed97f0acfc8b8bde5) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/486412ad3bba4f1306597302cf66cc4858126243 ---- - src/systemctl/systemctl-show.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c -index 470ff617d6..1f524626bf 100644 ---- a/src/systemctl/systemctl-show.c -+++ b/src/systemctl/systemctl-show.c -@@ -1915,7 +1915,7 @@ static int show_one( - return log_error_errno(r, "Failed to get properties: %s", bus_error_message(&error, r)); - - if (unit && streq_ptr(info.load_state, "not-found") && streq_ptr(info.active_state, "inactive")) { -- log_full(show_mode == SYSTEMCTL_SHOW_STATUS ? LOG_ERR : LOG_DEBUG, -+ log_full(show_mode == SYSTEMCTL_SHOW_PROPERTIES ? LOG_DEBUG : LOG_ERR, - "Unit %s could not be found.", unit); - - if (show_mode == SYSTEMCTL_SHOW_STATUS) --- -2.33.0 - diff --git a/backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch b/backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch deleted file mode 100644 index e6ca843..0000000 --- a/backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 1f332abc9f82c653d40e5f3e42b761dca88d31ed Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Wed, 27 Oct 2021 11:17:02 +0100 -Subject: [PATCH] systemctl: small fixes for MountImages pretty printing - -(cherry picked from commit 8ec6108c0bdb5ab2e05bc20ab41ad6653805fd00) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1f332abc9f82c653d40e5f3e42b761dca88d31ed ---- - src/systemctl/systemctl-show.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c -index 3bc9fd4920..290a501c52 100644 ---- a/src/systemctl/systemctl-show.c -+++ b/src/systemctl/systemctl-show.c -@@ -1649,11 +1649,13 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m - - r = sd_bus_message_enter_container(m, 'r', "ssba(ss)"); - if (r < 0) -- return r; -+ return bus_log_parse_error(r); -+ if (r == 0) -+ break; - - r = sd_bus_message_read(m, "ssb", &source, &destination, &ignore_enoent); -- if (r <= 0) -- break; -+ if (r < 0) -+ return bus_log_parse_error(r); - - str = strjoin(ignore_enoent ? "-" : "", - source, -@@ -1664,27 +1666,25 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m - - r = sd_bus_message_enter_container(m, 'a', "(ss)"); - if (r < 0) -- return r; -+ return bus_log_parse_error(r); - - while ((r = sd_bus_message_read(m, "(ss)", &partition, &mount_options)) > 0) -- if (!strextend_with_separator(&str, ":", partition, ":", mount_options)) -+ if (!strextend_with_separator(&str, ":", partition, mount_options)) - return log_oom(); - if (r < 0) -- return r; -+ return bus_log_parse_error(r); - - if (!strextend_with_separator(&paths, " ", str)) - return log_oom(); - - r = sd_bus_message_exit_container(m); - if (r < 0) -- return r; -+ return bus_log_parse_error(r); - - r = sd_bus_message_exit_container(m); - if (r < 0) -- return r; -+ return bus_log_parse_error(r); - } -- if (r < 0) -- return bus_log_parse_error(r); - - r = sd_bus_message_exit_container(m); - if (r < 0) --- -2.33.0 - diff --git a/backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch b/backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch deleted file mode 100644 index 77dcb73..0000000 --- a/backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 2d8f28adf58c58d99c19da9d53c6c66a9b952ce4 Mon Sep 17 00:00:00 2001 -From: Maanya Goenka -Date: Tue, 10 Aug 2021 14:30:46 -0700 -Subject: [PATCH] systemd-analyze: parse ip_filters_custom_egress correctly - -Fixed bug in original assignment of security_info variable: ip_filters_custom_egress. - -(cherry picked from commit 3da57008e743643d45d3dc05eacac1a4623539a4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/2d8f28adf58c58d99c19da9d53c6c66a9b952ce4 ---- - src/analyze/analyze-security.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c -index f20606c17c..309e9a81b5 100644 ---- a/src/analyze/analyze-security.c -+++ b/src/analyze/analyze-security.c -@@ -1910,7 +1910,7 @@ static int property_read_ip_filters( - if (streq(member, "IPIngressFilterPath")) - info->ip_filters_custom_ingress = !strv_isempty(l); - else if (streq(member, "IPEgressFilterPath")) -- info->ip_filters_custom_ingress = !strv_isempty(l); -+ info->ip_filters_custom_egress = !strv_isempty(l); - - return 0; - } --- -2.33.0 - diff --git a/backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch b/backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch deleted file mode 100644 index 7f7b236..0000000 --- a/backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 8ece102d314cfe92aaa7a7afc853b6921da941c4 Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Thu, 30 Dec 2021 00:54:32 +0000 -Subject: [PATCH] systemd-run: ensure error logs suggest to use '--user' when - appropriate - -Before: - -$ systemd-run --service-type=notify --user false -Job for run-rc3fe52ee6ddd4a6eaaf1a20e0a949cdf.service failed because the control process exited with error code. -See "systemctl status run-rc3fe52ee6ddd4a6eaaf1a20e0a949cdf.service" and "journalctl -xeu run-rc3fe52ee6ddd4a6eaaf1a20e0a949cdf.service" for details. - -After: - -$ systemd-run --service-type=notify --user false -Job for run-r7791e380a7b6400ea01d6a0e5a458b23.service failed because the control process exited with error code. -See "systemctl --user status run-r7791e380a7b6400ea01d6a0e5a458b23.service" and "journalctl --user -xeu run-r7791e380a7b6400ea01d6a0e5a458b23.service" for details. - -Fixes https://github.com/systemd/systemd/issues/21933 - -(cherry picked from commit 466f2351bbb5c0fdc9f153e35506570e59b14c5f) -(cherry picked from commit b59615dc76cf82bd1fca301220ee0b7961cbcacd) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/8ece102d314cfe92aaa7a7afc853b6921da941c4 ---- - src/run/run.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/run/run.c b/src/run/run.c -index 9a7e1efaca..c858bf793d 100644 ---- a/src/run/run.c -+++ b/src/run/run.c -@@ -1228,7 +1228,7 @@ static int start_transient_service( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, arg_user ? STRV_MAKE_CONST("--user") : NULL); - if (r < 0) - return r; - } -@@ -1473,7 +1473,7 @@ static int start_transient_scope(sd_bus *bus) { - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, arg_user ? STRV_MAKE_CONST("--user") : NULL); - if (r < 0) - return r; - -@@ -1693,7 +1693,7 @@ static int start_transient_trigger( - if (r < 0) - return bus_log_parse_error(r); - -- r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); -+ r = bus_wait_for_jobs_one(w, object, arg_quiet, arg_user ? STRV_MAKE_CONST("--user") : NULL); - if (r < 0) - return r; - --- -2.33.0 - diff --git a/backport-sysusers-add-fsync-for-passwd-24324.patch b/backport-sysusers-add-fsync-for-passwd-24324.patch deleted file mode 100644 index be5bec5..0000000 --- a/backport-sysusers-add-fsync-for-passwd-24324.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 3982142116871b3eead4d5833d898f077e7942d4 Mon Sep 17 00:00:00 2001 -From: Avram Lubkin -Date: Tue, 16 Aug 2022 08:51:21 -0400 -Subject: [PATCH] sysusers: add fsync for passwd (#24324) - -https://github.com/systemd/systemd/pull/6636 added `fsync()` when -temporary shadow, group, and gshadow files are created, but it was -not added for passwd. As far as I can tell, this seems to have been -an oversight. I'm seeing real world issues where a blank /etc/passwd -file is being created if a machine loses power early in the boot process. - -(cherry picked from commit 19193b489841a7bcccda7122ac0849cf6efe59fd) -(cherry picked from commit 9f2f3911539c453037aecd51f875dfd75ed04113) -(cherry picked from commit 7ca021b87e92a4e775af22c04a2ab2bf404ae313) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/3982142116871b3eead4d5833d898f077e7942d4 ---- - src/sysusers/sysusers.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c -index 669efe4a1d..055eb6775e 100644 ---- a/src/sysusers/sysusers.c -+++ b/src/sysusers/sysusers.c -@@ -487,7 +487,7 @@ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char - break; - } - -- r = fflush_and_check(passwd); -+ r = fflush_sync_and_check(passwd); - if (r < 0) - return log_debug_errno(r, "Failed to flush %s: %m", passwd_tmp); - --- -2.27.0 - diff --git a/backport-sysusers-use-filename-if-proc-is-not-mounted.patch b/backport-sysusers-use-filename-if-proc-is-not-mounted.patch deleted file mode 100644 index 8b5196f..0000000 --- a/backport-sysusers-use-filename-if-proc-is-not-mounted.patch +++ /dev/null @@ -1,34 +0,0 @@ -From f78a48840205339157b186b7c8e576a3c690f6d9 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 31 Dec 2021 00:11:01 +0900 -Subject: [PATCH] sysusers: use filename if /proc is not mounted - -During system install, /proc may not be mounted yet. - -Fixes RHBZ#2036217 (https://bugzilla.redhat.com/show_bug.cgi?id=2036217). - -(cherry picked from commit b78d7f246899687a1697cdcebe93d8512c5e7c4b) -(cherry picked from commit 747b4f1ff8aac3a1b800b0a7ac0edef4af34da70) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f78a48840205339157b186b7c8e576a3c690f6d9 ---- - src/sysusers/sysusers.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c -index a18634d254..669efe4a1d 100644 ---- a/src/sysusers/sysusers.c -+++ b/src/sysusers/sysusers.c -@@ -267,7 +267,7 @@ static int make_backup(const char *target, const char *x) { - - /* Copy over the access mask. Don't fail on chmod() or chown(). If it stays owned by us and/or - * unreadable by others, then it isn't too bad... */ -- r = fchmod_and_chown(fileno(dst), st.st_mode & 07777, st.st_uid, st.st_gid); -+ r = fchmod_and_chown_with_fallback(fileno(dst), dst_tmp, st.st_mode & 07777, st.st_uid, st.st_gid); - if (r < 0) - log_warning_errno(r, "Failed to change access mode or ownership of %s: %m", backup); - --- -2.33.0 - diff --git a/backport-temporarily-disable-test-seccomp.patch b/backport-temporarily-disable-test-seccomp.patch index 2aca221..6af53ba 100644 --- a/backport-temporarily-disable-test-seccomp.patch +++ b/backport-temporarily-disable-test-seccomp.patch @@ -4,40 +4,21 @@ Date: Tue, 22 Feb 2022 20:33:40 +0800 Subject: [PATCH] temporarily disable test-seccomp --- - src/test/test-seccomp.c | 23 +--------------------- - 1 file changed, 1 insertion(+), 22 deletions(-) + src/test/test-seccomp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c -index 023c4b6..8d23ab5 100644 +index 2d06098..a95deb8 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c -@@ -1154,26 +1154,5 @@ static void test_restrict_suid_sgid(void) { +@@ -1199,4 +1199,6 @@ TEST(restrict_suid_sgid) { + assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); } - int main(int argc, char *argv[]) { -- test_setup_logging(LOG_DEBUG); -- -- test_parse_syscall_and_errno(); -- test_seccomp_arch_to_string(); -- test_architecture_table(); -- test_syscall_filter_set_find(); -- test_filter_sets(); -- test_filter_sets_ordered(); -- test_restrict_namespace(); -- test_protect_sysctl(); -- test_protect_syslog(); -- test_restrict_address_families(); -- test_restrict_realtime(); -- test_memory_deny_write_execute_mmap(); -- test_memory_deny_write_execute_shmat(); -- test_restrict_archs(); -- test_load_syscall_filter_set_raw(); -- test_native_syscalls_filtered(); -- test_lock_personality(); -- test_restrict_suid_sgid(); -- -- return 0; +-DEFINE_TEST_MAIN(LOG_DEBUG); ++int main(int argc, char *argv[]) { + return 77; - } ++} -- -2.30.0 +2.33.0 + diff --git a/backport-test-Check-that-native-architecture-is-always-filter.patch b/backport-test-Check-that-native-architecture-is-always-filter.patch deleted file mode 100644 index e031198..0000000 --- a/backport-test-Check-that-native-architecture-is-always-filter.patch +++ /dev/null @@ -1,95 +0,0 @@ -From ef92d7fc97a543d2b7e0730f2b78d8ef2a91959c Mon Sep 17 00:00:00 2001 -From: Benjamin Berg -Date: Fri, 17 Sep 2021 14:00:39 +0200 -Subject: [PATCH] test: Check that "native" architecture is always filtered - -(cherry picked from commit 08bf703cc1511817cdf67543c3b166dc8831ba8c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ef92d7fc97a543d2b7e0730f2b78d8ef2a91959c ---- - src/test/test-seccomp.c | 61 +++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 61 insertions(+) - -diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c -index 023c4b6e0e..dc3088d4b0 100644 ---- a/src/test/test-seccomp.c -+++ b/src/test/test-seccomp.c -@@ -890,6 +890,66 @@ static void test_load_syscall_filter_set_raw(void) { - assert_se(wait_for_terminate_and_check("syscallrawseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); - } - -+static void test_native_syscalls_filtered(void) { -+ pid_t pid; -+ -+ log_info("/* %s */", __func__); -+ -+ if (!is_seccomp_available()) { -+ log_notice("Seccomp not available, skipping %s", __func__); -+ return; -+ } -+ if (!have_seccomp_privs()) { -+ log_notice("Not privileged, skipping %s", __func__); -+ return; -+ } -+ -+ pid = fork(); -+ assert_se(pid >= 0); -+ -+ if (pid == 0) { -+ _cleanup_set_free_ Set *arch_s = NULL; -+ _cleanup_hashmap_free_ Hashmap *s = NULL; -+ -+ /* Passing "native" or an empty set is equivalent, just do both here. */ -+ assert_se(arch_s = set_new(NULL)); -+ assert_se(seccomp_restrict_archs(arch_s) >= 0); -+ assert_se(set_put(arch_s, SCMP_ARCH_NATIVE) >= 0); -+ assert_se(seccomp_restrict_archs(arch_s) >= 0); -+ -+ assert_se(access("/", F_OK) >= 0); -+ assert_se(poll(NULL, 0, 0) == 0); -+ -+ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, scmp_act_kill_process(), true) >= 0); -+ assert_se(access("/", F_OK) >= 0); -+ assert_se(poll(NULL, 0, 0) == 0); -+ -+ assert_se(s = hashmap_new(NULL)); -+#if defined __NR_access && __NR_access >= 0 -+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); -+ log_debug("has access()"); -+#endif -+#if defined __NR_faccessat && __NR_faccessat >= 0 -+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); -+ log_debug("has faccessat()"); -+#endif -+#if defined __NR_faccessat2 && __NR_faccessat2 >= 0 -+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat2 + 1), INT_TO_PTR(-1)) >= 0); -+ log_debug("has faccessat2()"); -+#endif -+ -+ assert_se(!hashmap_isempty(s)); -+ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0); -+ -+ assert_se(access("/", F_OK) < 0); -+ assert_se(errno == EUCLEAN); -+ -+ _exit(EXIT_SUCCESS); -+ } -+ -+ assert_se(wait_for_terminate_and_check("nativeseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); -+} -+ - static void test_lock_personality(void) { - unsigned long current; - pid_t pid; -@@ -1171,6 +1231,7 @@ int main(int argc, char *argv[]) { - test_memory_deny_write_execute_shmat(); - test_restrict_archs(); - test_load_syscall_filter_set_raw(); -+ test_native_syscalls_filtered(); - test_lock_personality(); - test_restrict_suid_sgid(); - --- -2.33.0 - diff --git a/backport-test-add-test-case-for-sysv-generator-and-invalid-de.patch b/backport-test-add-test-case-for-sysv-generator-and-invalid-de.patch deleted file mode 100644 index c6dbd62..0000000 --- a/backport-test-add-test-case-for-sysv-generator-and-invalid-de.patch +++ /dev/null @@ -1,210 +0,0 @@ -From 5f882cc3ab32636d9242effb2cefad20d92d2ec2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 15 Nov 2022 21:52:19 +0900 -Subject: [PATCH] test: add test case for sysv-generator and invalid dependency - ---- - test/units/assert.sh | 58 +++++++++++++++++++ - test/units/testsuite-26.sh | 116 ++++++++++++++++++++++++++++++++++++- - 2 files changed, 172 insertions(+), 2 deletions(-) - create mode 100755 test/units/assert.sh - -diff --git a/test/units/assert.sh b/test/units/assert.sh -new file mode 100755 -index 0000000..2f4d93a ---- /dev/null -+++ b/test/units/assert.sh -@@ -0,0 +1,58 @@ -+#!/usr/bin/env bash -+# SPDX-License-Identifier: LGPL-2.1-or-later -+ -+# utility functions for shell tests -+ -+assert_true() {( -+ set +ex -+ -+ local rc -+ -+ "$@" -+ rc=$? -+ if [[ $rc -ne 0 ]]; then -+ echo "FAIL: command '$*' failed with exit code $rc" >&2 -+ exit 1 -+ fi -+)} -+ -+ -+assert_eq() {( -+ set +ex -+ -+ if [[ "${1?}" != "${2?}" ]]; then -+ echo "FAIL: expected: '$2' actual: '$1'" >&2 -+ exit 1 -+ fi -+)} -+ -+assert_in() {( -+ set +ex -+ -+ if ! [[ "${2?}" =~ ${1?} ]]; then -+ echo "FAIL: '$1' not found in:" >&2 -+ echo "$2" >&2 -+ exit 1 -+ fi -+)} -+ -+assert_not_in() {( -+ set +ex -+ -+ if [[ "${2?}" =~ ${1?} ]]; then -+ echo "FAIL: '$1' found in:" >&2 -+ echo "$2" >&2 -+ exit 1 -+ fi -+)} -+ -+assert_rc() {( -+ set +ex -+ -+ local rc exp="${1?}" -+ -+ shift -+ "$@" -+ rc=$? -+ assert_eq "$rc" "$exp" -+)} -diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh -index 7982099..fe6b63b 100755 ---- a/test/units/testsuite-26.sh -+++ b/test/units/testsuite-26.sh -@@ -2,6 +2,11 @@ - set -eux - set -o pipefail - -+# shellcheck source=test/units/assert.sh -+. "$(dirname "$0")"/assert.sh -+ -+: >/failed -+ - # Make sure PATH is set - systemctl show-environment | grep -q '^PATH=' - -@@ -26,6 +31,113 @@ systemctl show-environment | grep '^FOO=$' && exit 1 - systemctl show-environment | grep '^PATH=.*testaddition$' && exit 1 - systemctl show-environment | grep -q '^PATH=' - --echo OK >/testok -+# test for sysv-generator (issue #24990) -+if [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]; then -+ # This is configurable via -Dsysvinit-path=, but we can't get the value -+ # at runtime, so let's just support the two most common paths for now. -+ [[ -d /etc/rc.d/init.d ]] && SYSVINIT_PATH="/etc/rc.d/init.d" || SYSVINIT_PATH="/etc/init.d" -+ -+ # invalid dependency -+ cat >"${SYSVINIT_PATH:?}/issue-24990" <<\EOF -+#!/bin/bash -+ -+### BEGIN INIT INFO -+# Provides:test1 test2 -+# Required-Start:test1 $remote_fs $network -+# Required-Stop:test1 $remote_fs $network -+# Description:Test -+# Short-Description: Test -+### END INIT INFO -+ -+case "$1" in -+ start) -+ echo "Starting issue-24990.service" -+ sleep 1000 & -+ ;; -+ stop) -+ echo "Stopping issue-24990.service" -+ sleep 10 & -+ ;; -+ *) -+ echo "Usage: service test {start|stop|restart|status}" -+ ;; -+esac -+EOF -+ -+ chmod +x "$SYSVINIT_PATH/issue-24990" -+ systemctl daemon-reload -+ [[ -L /run/systemd/generator.late/test1.service ]] -+ [[ -L /run/systemd/generator.late/test2.service ]] -+ assert_eq "$(readlink -f /run/systemd/generator.late/test1.service)" "/run/systemd/generator.late/issue-24990.service" -+ assert_eq "$(readlink -f /run/systemd/generator.late/test2.service)" "/run/systemd/generator.late/issue-24990.service" -+ output=$(systemctl cat issue-24990) -+ assert_in "SourcePath=$SYSVINIT_PATH/issue-24990" "$output" -+ assert_in "Description=LSB: Test" "$output" -+ assert_in "After=test1.service" "$output" -+ assert_in "After=remote-fs.target" "$output" -+ assert_in "After=network-online.target" "$output" -+ assert_in "Wants=network-online.target" "$output" -+ assert_in "ExecStart=$SYSVINIT_PATH/issue-24990 start" "$output" -+ assert_in "ExecStop=$SYSVINIT_PATH/issue-24990 stop" "$output" -+ systemctl status issue-24990 || : -+ systemctl show issue-24990 -+ assert_not_in "issue-24990.service" "$(systemctl show --property=After --value)" -+ assert_not_in "issue-24990.service" "$(systemctl show --property=Before --value)" -+ -+ if ! systemctl is-active network-online.target; then -+ systemctl start network-online.target -+ fi -+ -+ systemctl restart issue-24990 -+ systemctl stop issue-24990 -+ -+ # valid dependency -+ cat >"$SYSVINIT_PATH/issue-24990" <<\EOF -+#!/bin/bash -+ -+### BEGIN INIT INFO -+# Provides:test1 test2 -+# Required-Start:$remote_fs -+# Required-Stop:$remote_fs -+# Description:Test -+# Short-Description: Test -+### END INIT INFO -+ -+case "$1" in -+ start) -+ echo "Starting issue-24990.service" -+ sleep 1000 & -+ ;; -+ stop) -+ echo "Stopping issue-24990.service" -+ sleep 10 & -+ ;; -+ *) -+ echo "Usage: service test {start|stop|restart|status}" -+ ;; -+esac -+EOF -+ -+ chmod +x "$SYSVINIT_PATH/issue-24990" -+ systemctl daemon-reload -+ [[ -L /run/systemd/generator.late/test1.service ]] -+ [[ -L /run/systemd/generator.late/test2.service ]] -+ assert_eq "$(readlink -f /run/systemd/generator.late/test1.service)" "/run/systemd/generator.late/issue-24990.service" -+ assert_eq "$(readlink -f /run/systemd/generator.late/test2.service)" "/run/systemd/generator.late/issue-24990.service" -+ output=$(systemctl cat issue-24990) -+ assert_in "SourcePath=$SYSVINIT_PATH/issue-24990" "$output" -+ assert_in "Description=LSB: Test" "$output" -+ assert_in "After=remote-fs.target" "$output" -+ assert_in "ExecStart=$SYSVINIT_PATH/issue-24990 start" "$output" -+ assert_in "ExecStop=$SYSVINIT_PATH/issue-24990 stop" "$output" -+ systemctl status issue-24990 || : -+ systemctl show issue-24990 -+ assert_not_in "issue-24990.service" "$(systemctl show --property=After --value)" -+ assert_not_in "issue-24990.service" "$(systemctl show --property=Before --value)" -+ -+ systemctl restart issue-24990 -+ systemctl stop issue-24990 -+fi - --exit 0 -+touch /testok -+rm /failed --- -2.27.0 - diff --git a/backport-test-add-tests-for-reading-unaligned-data.patch b/backport-test-add-tests-for-reading-unaligned-data.patch deleted file mode 100644 index ed29eb8..0000000 --- a/backport-test-add-tests-for-reading-unaligned-data.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 61ca9b34258e4786d9a8e68b9b28c4e794a65d1f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 28 Sep 2021 00:48:59 +0900 -Subject: [PATCH] test: add tests for reading unaligned data - -(cherry picked from commit e620104956dff64244c0e73e86c3138c0b13b875) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/61ca9b34258e4786d9a8e68b9b28c4e794a65d1f ---- - src/libsystemd-network/test-dhcp6-client.c | 29 ++++++++++++++++------ - 1 file changed, 21 insertions(+), 8 deletions(-) - -diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c -index 5d1f709f11..b22297dcd5 100644 ---- a/src/libsystemd-network/test-dhcp6-client.c -+++ b/src/libsystemd-network/test-dhcp6-client.c -@@ -156,7 +156,7 @@ static int test_parse_domain(sd_event *e) { - - static int test_option(sd_event *e) { - uint8_t packet[] = { -- 'F', 'O', 'O', -+ 'F', 'O', 'O', 'H', 'O', 'G', 'E', - 0x00, SD_DHCP6_OPTION_ORO, 0x00, 0x07, - 'A', 'B', 'C', 'D', 'E', 'F', 'G', - 0x00, SD_DHCP6_OPTION_VENDOR_CLASS, 0x00, 0x09, -@@ -164,12 +164,13 @@ static int test_option(sd_event *e) { - 'B', 'A', 'R', - }; - uint8_t result[] = { -- 'F', 'O', 'O', -+ 'F', 'O', 'O', 'H', 'O', 'G', 'E', - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 'B', 'A', 'R', - }; -+ _cleanup_free_ uint8_t *buf = NULL; - size_t offset, pos, optlen, outlen = sizeof(result); - const uint8_t *optval; - uint16_t optcode; -@@ -185,16 +186,28 @@ static int test_option(sd_event *e) { - offset = 3; - assert_se(dhcp6_option_parse(packet, 0, &offset, &optcode, &optlen, &optval) == -EBADMSG); - -- offset = 3; -+ /* Tests for reading unaligned data. */ -+ assert_se(buf = new(uint8_t, sizeof(packet))); -+ for (size_t i = 0; i <= 7; i++) { -+ memcpy(buf, packet + i, sizeof(packet) - i); -+ offset = 7 - i; -+ assert_se(dhcp6_option_parse(buf, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0); -+ -+ assert_se(optcode == SD_DHCP6_OPTION_ORO); -+ assert_se(optlen == 7); -+ assert_se(optval == buf + 11 - i); -+ } -+ -+ offset = 7; - assert_se(dhcp6_option_parse(packet, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0); - - assert_se(optcode == SD_DHCP6_OPTION_ORO); - assert_se(optlen == 7); -- assert_se(optval == packet + 7); -+ assert_se(optval == packet + 11); - -- pos = 3; -- outlen -= 3; -- out = &result[3]; -+ pos = 7; -+ outlen -= 7; -+ out = &result[pos]; - - assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0); - -@@ -206,7 +219,7 @@ static int test_option(sd_event *e) { - - assert_se(optcode == SD_DHCP6_OPTION_VENDOR_CLASS); - assert_se(optlen == 9); -- assert_se(optval == packet + 18); -+ assert_se(optval == packet + 22); - - assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0); - --- -2.33.0 - diff --git a/backport-test-cover-initrd-sysroot-transition-in-TEST-24.patch b/backport-test-cover-initrd-sysroot-transition-in-TEST-24.patch deleted file mode 100644 index 36080c7..0000000 --- a/backport-test-cover-initrd-sysroot-transition-in-TEST-24.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 1fb7f8e15e19fbe61230b70203b0c35fca54f0a0 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Wed, 25 May 2022 17:39:14 +0200 -Subject: [PATCH] test: cover initrd->sysroot transition in TEST-24 - -This should cover cases regarding devices with `OPTIONS+="db_persist"` -during initrd->sysroot transition. - -See: - * https://github.com/systemd/systemd/issues/23429 - * https://github.com/systemd/systemd/pull/23218 - * https://github.com/systemd/systemd/pull/23489 - * https://bugzilla.redhat.com/show_bug.cgi?id=2087225 ---- - test/TEST-24-CRYPTSETUP/test.sh | 61 ++++++++++++++++----------------- - 1 file changed, 29 insertions(+), 32 deletions(-) - -diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh -index 2c13126..a52848b 100755 ---- a/test/TEST-24-CRYPTSETUP/test.sh -+++ b/test/TEST-24-CRYPTSETUP/test.sh -@@ -9,6 +9,13 @@ TEST_FORCE_NEWIMAGE=1 - # shellcheck source=test/test-functions - . "${TEST_BASE_DIR:?}/test-functions" - -+PART_UUID="deadbeef-dead-dead-beef-000000000000" -+DM_NAME="test24_varcrypt" -+# Mount the keyfile only in initrd (hence rd.luks.key), since it resides on -+# the rootfs and we would get a (harmless) error when trying to mount it after -+# switching root (since rootfs is already mounted) -+KERNEL_APPEND+=" rd.luks=1 luks.name=$PART_UUID=$DM_NAME rd.luks.key=$PART_UUID=/etc/varkey:LABEL=systemd_boot" -+ - check_result_qemu() { - local ret=1 - -@@ -16,12 +23,12 @@ check_result_qemu() { - [[ -e "${initdir:?}/testok" ]] && ret=0 - [[ -f "$initdir/failed" ]] && cp -a "$initdir/failed" "${TESTDIR:?}" - -- cryptsetup luksOpen "${LOOPDEV:?}p2" varcrypt <"$TESTDIR/keyfile" -- mount /dev/mapper/varcrypt "$initdir/var" -+ cryptsetup luksOpen "${LOOPDEV:?}p2" "${DM_NAME:?}" <"$TESTDIR/keyfile" -+ mount "/dev/mapper/$DM_NAME" "$initdir/var" - save_journal "$initdir/var/log/journal" - _umount_dir "$initdir/var" - _umount_dir "$initdir" -- cryptsetup luksClose /dev/mapper/varcrypt -+ cryptsetup luksClose "/dev/mapper/$DM_NAME" - - [[ -f "$TESTDIR/failed" ]] && cat "$TESTDIR/failed" - echo "${JOURNAL_LIST:-No journals were saved}" -@@ -34,39 +41,29 @@ test_create_image() { - create_empty_image_rootdir - - echo -n test >"${TESTDIR:?}/keyfile" -- cryptsetup -q luksFormat --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p2" "$TESTDIR/keyfile" -- cryptsetup luksOpen "${LOOPDEV}p2" varcrypt <"$TESTDIR/keyfile" -- mkfs.ext4 -L var /dev/mapper/varcrypt -+ cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p2" "$TESTDIR/keyfile" -+ cryptsetup luksOpen "${LOOPDEV}p2" "${DM_NAME:?}" <"$TESTDIR/keyfile" -+ mkfs.ext4 -L var "/dev/mapper/$DM_NAME" - mkdir -p "${initdir:?}/var" -- mount /dev/mapper/varcrypt "$initdir/var" -- -- # Create what will eventually be our root filesystem onto an overlay -- ( -- LOG_LEVEL=5 -- # shellcheck source=/dev/null -- source <(udevadm info --export --query=env --name=/dev/mapper/varcrypt) -- # shellcheck source=/dev/null -- source <(udevadm info --export --query=env --name="${LOOPDEV}p2") -- -- setup_basic_environment -- mask_supporting_services -- -- install_dmevent -- generate_module_dependencies -- cat >"$initdir/etc/crypttab" <"$initdir/etc/varkey" -- ddebug <"$initdir/etc/crypttab" -+ mount "/dev/mapper/$DM_NAME" "$initdir/var" -+ -+ LOG_LEVEL=5 -+ -+ setup_basic_environment -+ mask_supporting_services -+ -+ install_dmevent -+ generate_module_dependencies -+ -+ echo -n test >"$initdir/etc/varkey" - -- cat >>"$initdir/etc/fstab" <>"$initdir/etc/fstab" <> "$initdir/etc/systemd/journald.conf" -- ) -+ # Forward journal messages to the console, so we have something -+ # to investigate even if we fail to mount the encrypted /var -+ echo ForwardToConsole=yes >> "$initdir/etc/systemd/journald.conf" - } - - cleanup_root_var() { --- -2.33.0 - diff --git a/backport-test-do-not-use-alloca-in-function-call.patch b/backport-test-do-not-use-alloca-in-function-call.patch deleted file mode 100644 index 3cf5457..0000000 --- a/backport-test-do-not-use-alloca-in-function-call.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 5f326b0388d4b0a7fcab8cedca255e93a6e311f4 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 24 Oct 2021 00:16:57 +0900 -Subject: [PATCH] test: do not use alloca() in function call - -(cherry picked from commit 4150584e63562616e16242f7b1016c0e642fb59e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5f326b0388d4b0a7fcab8cedca255e93a6e311f4 ---- - src/test/test-path.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/test/test-path.c b/src/test/test-path.c -index 490fb136a7..88457d177f 100644 ---- a/src/test/test-path.c -+++ b/src/test/test-path.c -@@ -306,7 +306,7 @@ static void test_path_unit(Manager *m) { - } - - static void test_path_directorynotempty(Manager *m) { -- const char *test_path = "/tmp/test-path_directorynotempty/"; -+ const char *test_file, *test_path = "/tmp/test-path_directorynotempty/"; - Unit *unit = NULL; - Path *path = NULL; - Service *service = NULL; -@@ -328,7 +328,8 @@ static void test_path_directorynotempty(Manager *m) { - assert_se(access(test_path, F_OK) < 0); - - assert_se(mkdir_p(test_path, 0755) >= 0); -- assert_se(touch(strjoina(test_path, "test_file")) >= 0); -+ test_file = strjoina(test_path, "test_file"); -+ assert_se(touch(test_file) >= 0); - if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0) - return; - --- -2.33.0 - diff --git a/backport-test-fileio-test-read_virtual_file-with-more-files-f.patch b/backport-test-fileio-test-read_virtual_file-with-more-files-f.patch deleted file mode 100644 index c1b9121..0000000 --- a/backport-test-fileio-test-read_virtual_file-with-more-files-f.patch +++ /dev/null @@ -1,53 +0,0 @@ -From dd6cb364bcc58b390671d4ee2ed7b30f4a5dced8 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 16 Sep 2021 11:31:52 +0200 -Subject: [PATCH] test-fileio: test read_virtual_file() with more files from - /proc - -i.e. let's pick some files we know are too large, or where struct stat's -.st_size is zero even though non-empty, and test read_virtual_file() -with that, to ensure things are handled sensibly. Goal is to ensure all -three major codepaths in read_virtual_file() are tested. - -Prompted-by: #20743 -(cherry picked from commit f3b751220bb842ce22a4f607d817f481f0961d40) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/dd6cb364bcc58b390671d4ee2ed7b30f4a5dced8 ---- - src/test/test-fileio.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c -index 321b544448..c8d5bf6914 100644 ---- a/src/test/test-fileio.c -+++ b/src/test/test-fileio.c -@@ -1028,7 +1028,11 @@ static void test_read_virtual_file(size_t max_size) { - FOREACH_STRING(filename, - "/proc/1/cmdline", - "/etc/nsswitch.conf", -- "/sys/kernel/uevent_seqnum") { -+ "/sys/kernel/uevent_seqnum", -+ "/proc/kcore", -+ "/proc/kallsyms", -+ "/proc/self/exe", -+ "/proc/self/pagemap") { - - _cleanup_free_ char *buf = NULL; - size_t size = 0; -@@ -1036,7 +1040,11 @@ static void test_read_virtual_file(size_t max_size) { - r = read_virtual_file(filename, max_size, &buf, &size); - if (r < 0) { - log_info_errno(r, "read_virtual_file(\"%s\", %zu): %m", filename, max_size); -- assert_se(ERRNO_IS_PRIVILEGE(r) || r == -ENOENT); -+ assert_se(ERRNO_IS_PRIVILEGE(r) || /* /proc/kcore is not accessible to unpriv */ -+ IN_SET(r, -+ -ENOENT, /* Some of the files might be absent */ -+ -EINVAL, /* too small reads from /proc/self/pagemap trigger EINVAL */ -+ -EFBIG)); /* /proc/kcore and /proc/self/pagemap should be too large */ - } else - log_info("read_virtual_file(\"%s\", %zu): %s (%zu bytes)", filename, max_size, r ? "non-truncated" : "truncated", size); - } --- -2.33.0 - diff --git a/backport-test-fix-file-descriptor-leak-in-test-catalog.patch b/backport-test-fix-file-descriptor-leak-in-test-catalog.patch deleted file mode 100644 index cb8f7b0..0000000 --- a/backport-test-fix-file-descriptor-leak-in-test-catalog.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4ad43ef47147039b63a1a86c08087c7ced97d10c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 22 Feb 2022 21:11:51 +0900 -Subject: [PATCH] test: fix file descriptor leak in test-catalog - -Fixes an issue reported in #22576. - -(cherry picked from commit 62d4b3b36e9aba9e605ba042a75c374155b6e18b) -(cherry picked from commit 92b86911c0c877e6b61d06dfe3ad20046e10d8e8) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4ad43ef47147039b63a1a86c08087c7ced97d10c ---- - src/libsystemd/sd-journal/test-catalog.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/libsystemd/sd-journal/test-catalog.c b/src/libsystemd/sd-journal/test-catalog.c -index 316c3b1634..ad06221175 100644 ---- a/src/libsystemd/sd-journal/test-catalog.c -+++ b/src/libsystemd/sd-journal/test-catalog.c -@@ -196,6 +196,7 @@ static void test_catalog_file_lang(void) { - - int main(int argc, char *argv[]) { - _cleanup_(unlink_tempfilep) char database[] = "/tmp/test-catalog.XXXXXX"; -+ _cleanup_close_ int fd = -1; - _cleanup_free_ char *text = NULL; - int r; - -@@ -218,7 +219,7 @@ int main(int argc, char *argv[]) { - test_catalog_import_merge(); - test_catalog_import_merge_no_body(); - -- assert_se(mkostemp_safe(database) >= 0); -+ assert_se((fd = mkostemp_safe(database)) >= 0); - - test_catalog_update(database); - --- -2.33.0 - diff --git a/backport-test-fix-file-descriptor-leak-in-test-fs-util.patch b/backport-test-fix-file-descriptor-leak-in-test-fs-util.patch deleted file mode 100644 index f9e1cd1..0000000 --- a/backport-test-fix-file-descriptor-leak-in-test-fs-util.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 4a247759a008f0a80f03a80c78efcde2e23e5ae5 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 22 Feb 2022 21:42:22 +0900 -Subject: [PATCH] test: fix file descriptor leak in test-fs-util - -Fixes an issue reported in #22576. - -(cherry picked from commit 19962747ca86a25e7102c536380bb2e9d7cfee9a) -(cherry picked from commit cfe1cd0a066b29e5508b4a2c388fd919fd5e0c9f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4a247759a008f0a80f03a80c78efcde2e23e5ae5 ---- - src/test/test-fs-util.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c -index a24558f25b..98ce3d96ef 100644 ---- a/src/test/test-fs-util.c -+++ b/src/test/test-fs-util.c -@@ -27,10 +27,11 @@ static const char *arg_test_dir = NULL; - - static void test_chase_symlinks(void) { - _cleanup_free_ char *result = NULL; -+ _cleanup_close_ int pfd = -1; - char *temp; - const char *top, *p, *pslash, *q, *qslash; - struct stat st; -- int r, pfd; -+ int r; - - log_info("/* %s */", __func__); - -@@ -318,6 +319,7 @@ static void test_chase_symlinks(void) { - assert_se(fstat(pfd, &st) >= 0); - assert_se(S_ISLNK(st.st_mode)); - result = mfree(result); -+ pfd = safe_close(pfd); - - /* s1 -> s2 -> nonexistent */ - q = strjoina(temp, "/s1"); -@@ -331,6 +333,7 @@ static void test_chase_symlinks(void) { - assert_se(fstat(pfd, &st) >= 0); - assert_se(S_ISLNK(st.st_mode)); - result = mfree(result); -+ pfd = safe_close(pfd); - - /* Test CHASE_STEP */ - --- -2.33.0 - diff --git a/backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch b/backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch deleted file mode 100644 index 7cb7219..0000000 --- a/backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 95def20d81c030e36046770f55840191ff98c91a Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 22 Feb 2022 21:38:15 +0900 -Subject: [PATCH] test: fix file descriptor leak in test-oomd-util - -Fixes an issue reported in #22576. - -(cherry picked from commit 282696ce52471f5e3c963b9d98dbc89fba3a1fba) -(cherry picked from commit 55ec995341e6a2d554bc69a1eddb097d21d8084f) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/95def20d81c030e36046770f55840191ff98c91a ---- - src/oom/test-oomd-util.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c -index a152387a26..2c2ee114b1 100644 ---- a/src/oom/test-oomd-util.c -+++ b/src/oom/test-oomd-util.c -@@ -5,6 +5,7 @@ - #include "alloc-util.h" - #include "cgroup-setup.h" - #include "cgroup-util.h" -+#include "fd-util.h" - #include "fileio.h" - #include "fs-util.h" - #include "oomd-util.h" -@@ -13,6 +14,7 @@ - #include "string-util.h" - #include "strv.h" - #include "tests.h" -+#include "tmpfile-util.h" - - static int fork_and_sleep(unsigned sleep_min) { - usec_t n, timeout, ts; -@@ -244,12 +246,13 @@ static void test_oomd_update_cgroup_contexts_between_hashmaps(void) { - - static void test_oomd_system_context_acquire(void) { - _cleanup_(unlink_tempfilep) char path[] = "/oomdgetsysctxtestXXXXXX"; -+ _cleanup_close_ int fd = -1; - OomdSystemContext ctx; - - if (geteuid() != 0) - return (void) log_tests_skipped("not root"); - -- assert_se(mkstemp(path)); -+ assert_se((fd = mkostemp_safe(path)) >= 0); - - assert_se(oomd_system_context_acquire("/verylikelynonexistentpath", &ctx) == -ENOENT); - --- -2.33.0 - diff --git a/backport-test-fix-file-descriptor-leak-in-test-psi-util.patch b/backport-test-fix-file-descriptor-leak-in-test-psi-util.patch deleted file mode 100644 index 5d6bcb9..0000000 --- a/backport-test-fix-file-descriptor-leak-in-test-psi-util.patch +++ /dev/null @@ -1,47 +0,0 @@ -From eb760f4875afd75c433961c0a9bf00b1883e5d35 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 22 Feb 2022 21:46:41 +0900 -Subject: [PATCH] test: fix file descriptor leak in test-psi-util - -Fixes an issue reported in #22576. - -(cherry picked from commit be99883e131ef422f8278ec1d099520996a78bb0) -(cherry picked from commit 81d3e2abff5f4234e06ceb6590d0c9939d8d97b4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/eb760f4875afd75c433961c0a9bf00b1883e5d35 ---- - src/test/test-psi-util.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/test/test-psi-util.c b/src/test/test-psi-util.c -index c636cf255b..026f6aa1ab 100644 ---- a/src/test/test-psi-util.c -+++ b/src/test/test-psi-util.c -@@ -3,19 +3,22 @@ - #include - - #include "alloc-util.h" -+#include "fd-util.h" - #include "fileio.h" - #include "fs-util.h" - #include "psi-util.h" - #include "tests.h" -+#include "tmpfile-util.h" - - static void test_read_mem_pressure(void) { - _cleanup_(unlink_tempfilep) char path[] = "/tmp/pressurereadtestXXXXXX"; -+ _cleanup_close_ int fd = -1; - ResourcePressure rp; - - if (geteuid() != 0) - return (void) log_tests_skipped("not root"); - -- assert_se(mkstemp(path)); -+ assert_se((fd = mkostemp_safe(path)) >= 0); - - assert_se(read_resource_pressure("/verylikelynonexistentpath", PRESSURE_TYPE_SOME, &rp) < 0); - assert_se(read_resource_pressure(path, PRESSURE_TYPE_SOME, &rp) < 0); --- -2.33.0 - diff --git a/backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch b/backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch deleted file mode 100644 index cdcf73b..0000000 --- a/backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 40e43b290473aac1737f64b84194c5fc6b8210cf Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 22 Feb 2022 21:44:58 +0900 -Subject: [PATCH] test: fix file descriptor leak in test-tmpfiles.c - -Also fixes a typo in assertion. - -Fixes an issure reported in #22576. - -(cherry picked from commit 1da5325d19dee654326e5fa2f61262e5e0a40fff) -(cherry picked from commit d9189c31117e159f7bae9233863aa88a02159e14) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/40e43b290473aac1737f64b84194c5fc6b8210cf ---- - src/test/test-tmpfiles.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/test/test-tmpfiles.c b/src/test/test-tmpfiles.c -index 4c3389af8c..0ac2b7f599 100644 ---- a/src/test/test-tmpfiles.c -+++ b/src/test/test-tmpfiles.c -@@ -37,7 +37,7 @@ int main(int argc, char** argv) { - assert_se(endswith(ans, " (deleted)")); - - fd2 = mkostemp_safe(pattern); -- assert_se(fd >= 0); -+ assert_se(fd2 >= 0); - assert_se(unlink(pattern) == 0); - - assert_se(asprintf(&cmd2, "ls -l /proc/"PID_FMT"/fd/%d", getpid_cached(), fd2) > 0); -@@ -49,6 +49,7 @@ int main(int argc, char** argv) { - pattern = strjoina(p, "/tmpfiles-test"); - assert_se(tempfn_random(pattern, NULL, &d) >= 0); - -+ fd = safe_close(fd); - fd = open_tmpfile_linkable(d, O_RDWR|O_CLOEXEC, &tmp); - assert_se(fd >= 0); - assert_se(write(fd, "foobar\n", 7) == 7); --- -2.33.0 - diff --git a/backport-test-generate-a-custom-initrd-for-TEST-24-if-INITRD-.patch b/backport-test-generate-a-custom-initrd-for-TEST-24-if-INITRD-.patch deleted file mode 100644 index 82412cc..0000000 --- a/backport-test-generate-a-custom-initrd-for-TEST-24-if-INITRD-.patch +++ /dev/null @@ -1,66 +0,0 @@ -From b22d90e59438481b421b1eb2449e6efdfb7f2118 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Thu, 26 May 2022 13:19:11 +0200 -Subject: [PATCH] test: generate a custom initrd for TEST-24 if $INITRD is - unset - -Co-Authored-By: Yu Watanabe ---- - test/TEST-24-CRYPTSETUP/test.sh | 24 ++++++++++++++++++++++++ - test/test-functions | 5 +++++ - 2 files changed, 29 insertions(+) - -diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh -index a52848b..c18f4aa 100755 ---- a/test/TEST-24-CRYPTSETUP/test.sh -+++ b/test/TEST-24-CRYPTSETUP/test.sh -@@ -64,6 +64,30 @@ EOF - # Forward journal messages to the console, so we have something - # to investigate even if we fail to mount the encrypted /var - echo ForwardToConsole=yes >> "$initdir/etc/systemd/journald.conf" -+ -+ # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt -+ # support -+ if [[ -z "$INITRD" ]]; then -+ INITRD="${TESTDIR:?}/initrd.img" -+ dinfo "Generating a custom initrd with dm-crypt support in '${INITRD:?}'" -+ -+ if command -v dracut >/dev/null; then -+ dracut --force --verbose --add crypt "$INITRD" -+ elif command -v mkinitcpio >/dev/null; then -+ mkinitcpio --addhooks sd-encrypt --generate "$INITRD" -+ elif command -v mkinitramfs >/dev/null; then -+ # The cryptroot hook is provided by the cryptsetup-initramfs package -+ if ! dpkg-query -s cryptsetup-initramfs; then -+ derror "Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd" -+ return 1 -+ fi -+ -+ mkinitramfs -o "$INITRD" -+ else -+ dfatal "Unrecognized initrd generator, can't continue" -+ return 1 -+ fi -+ fi - } - - cleanup_root_var() { -diff --git a/test/test-functions b/test/test-functions -index bef87ca..0239bbc 100644 ---- a/test/test-functions -+++ b/test/test-functions -@@ -325,6 +325,11 @@ qemu_min_version() { - # Return 0 if QEMU did run (then you must check the result state/logs for actual - # success), or 1 if QEMU is not available. - run_qemu() { -+ # If the test provided its own initrd, use it (e.g. TEST-24) -+ if [[ -z "$INITRD" && -f "${TESTDIR:?}/initrd.img" ]]; then -+ INITRD="$TESTDIR/initrd.img" -+ fi -+ - if [ -f /etc/machine-id ]; then - read -r MACHINE_ID -Date: Fri, 26 Nov 2021 09:40:51 +0100 -Subject: [PATCH] test-journal-flush: allow testing against specific files -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ->=0 → ==0 because sd_journal_open* are documented to return 0. - -(cherry picked from commit 0fa167cd58b5a4ffe16a332131df70bf77edddbe) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bb29932a4172810357597175a62cb4c8cbd1087c ---- - src/libsystemd/sd-journal/test-journal-flush.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd/sd-journal/test-journal-flush.c b/src/libsystemd/sd-journal/test-journal-flush.c -index dad277dd66..aa814225dd 100644 ---- a/src/libsystemd/sd-journal/test-journal-flush.c -+++ b/src/libsystemd/sd-journal/test-journal-flush.c -@@ -29,8 +29,11 @@ int main(int argc, char *argv[]) { - r = journal_file_open(-1, fn, O_CREAT|O_RDWR, 0644, false, 0, false, NULL, NULL, NULL, NULL, &new_journal); - assert_se(r >= 0); - -- r = sd_journal_open(&j, 0); -- assert_se(r >= 0); -+ if (argc > 1) -+ r = sd_journal_open_files(&j, (const char **) strv_skip(argv, 1), 0); -+ else -+ r = sd_journal_open(&j, 0); -+ assert_se(r == 0); - - sd_journal_set_data_threshold(j, 0); - --- -2.33.0 - diff --git a/backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch b/backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch deleted file mode 100644 index 4e3edc6..0000000 --- a/backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 0d98afa9548873669531fb3f8aa0f1ab56455411 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 26 Nov 2021 09:46:02 +0100 -Subject: [PATCH] test-journal-flush: do not croak on corrupted input files - -We would fail if the input file was corrupted: -build/test-journal-flush ./system@0005b7dac334f805-0021aca076ae5c5e.journal\~ -journal_file_copy_entry failed: Bad message -Assertion 'r >= 0' failed at src/libsystemd/sd-journal/test-journal-flush.c:55, function main(). Aborting. -[1] 619472 IOT instruction (core dumped) build/test-journal-flush ./system@0005b7dac334f805-0021aca076ae5c5e.journal\~ - -Let's skip some "reasonable" errors. - -Fixes #17963. - -(cherry picked from commit b4046d55570ff0e23d16f7e2912e7ef0a55b25d8) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/0d98afa9548873669531fb3f8aa0f1ab56455411 ---- - src/libsystemd/sd-journal/test-journal-flush.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/src/libsystemd/sd-journal/test-journal-flush.c b/src/libsystemd/sd-journal/test-journal-flush.c -index aa814225dd..c6fb65791e 100644 ---- a/src/libsystemd/sd-journal/test-journal-flush.c -+++ b/src/libsystemd/sd-journal/test-journal-flush.c -@@ -51,8 +51,11 @@ int main(int argc, char *argv[]) { - - r = journal_file_copy_entry(f, new_journal, o, f->current_offset); - if (r < 0) -- log_error_errno(r, "journal_file_copy_entry failed: %m"); -- assert_se(r >= 0); -+ log_warning_errno(r, "journal_file_copy_entry failed: %m"); -+ assert_se(r >= 0 || -+ IN_SET(r, -EBADMSG, /* corrupted file */ -+ -EPROTONOSUPPORT, /* unsupported compression */ -+ -EIO)); /* file rotated */ - - if (++n >= 10000) - break; --- -2.33.0 - diff --git a/backport-test-journal-send-close-fd-opend-by-syslog.patch b/backport-test-journal-send-close-fd-opend-by-syslog.patch deleted file mode 100644 index 9ca6330..0000000 --- a/backport-test-journal-send-close-fd-opend-by-syslog.patch +++ /dev/null @@ -1,34 +0,0 @@ -From e1cc12ee2ba089bc126764be509b6b0ed8e8a68b Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 23 Feb 2022 01:52:29 +0900 -Subject: [PATCH] test-journal-send: close fd opend by syslog() - -Fixes an issue reported in #22576. - -(cherry picked from commit 9048a6ccf3bd4f6794fc1ac9a838e1a0bfbcabf1) -(cherry picked from commit 4d24a369908f9915757632fa196deda14c172f9e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e1cc12ee2ba089bc126764be509b6b0ed8e8a68b ---- - src/libsystemd/sd-journal/test-journal-send.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/libsystemd/sd-journal/test-journal-send.c b/src/libsystemd/sd-journal/test-journal-send.c -index 75bd8e7b85..b6644e65c1 100644 ---- a/src/libsystemd/sd-journal/test-journal-send.c -+++ b/src/libsystemd/sd-journal/test-journal-send.c -@@ -90,6 +90,10 @@ static void test_journal_send(void) { - assert_se(sd_journal_sendv(graph2, 1) == 0); - assert_se(sd_journal_sendv(message1, 1) == 0); - assert_se(sd_journal_sendv(message2, 1) == 0); -+ -+ /* The above syslog() opens a fd which is stored in libc, and the valgrind reports the fd is -+ * leaked when we do not call closelog(). */ -+ closelog(); - } - - int main(int argc, char *argv[]) { --- -2.33.0 - diff --git a/backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch b/backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch deleted file mode 100644 index 544a1f6..0000000 --- a/backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch +++ /dev/null @@ -1,32 +0,0 @@ -From bb0bb8afe78c699a1334fdd7df78d71427596d2e Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 22 Feb 2022 20:23:58 +0900 -Subject: [PATCH] test-oomd-util: fix conditional jump on uninitialised value - -Fixes #22577. - -(cherry picked from commit a6d6a51d83fae32212e1780e71b16517a4df9a57) -(cherry picked from commit b10cc2de7dc6ac8d7d72d576100dd3a37ddb588a) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/bb0bb8afe78c699a1334fdd7df78d71427596d2e ---- - src/oom/test-oomd-util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c -index 02034c1293..a152387a26 100644 ---- a/src/oom/test-oomd-util.c -+++ b/src/oom/test-oomd-util.c -@@ -283,7 +283,7 @@ static void test_oomd_system_context_acquire(void) { - static void test_oomd_pressure_above(void) { - _cleanup_hashmap_free_ Hashmap *h1 = NULL, *h2 = NULL; - _cleanup_set_free_ Set *t1 = NULL, *t2 = NULL, *t3 = NULL; -- OomdCGroupContext ctx[2], *c; -+ OomdCGroupContext ctx[2] = {}, *c; - loadavg_t threshold; - - assert_se(store_loadavg_fixed_point(80, 0, &threshold) == 0); --- -2.33.0 - diff --git a/backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch b/backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch deleted file mode 100644 index 51ab682..0000000 --- a/backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 38787a985396277058a20ac0c6f66fd1377d0737 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 11 Sep 2021 20:37:50 +0900 -Subject: [PATCH] test-oomd-util: skip tests if cgroup memory controller is not - available - -Fixes #20593 and #20655. - -(cherry picked from commit 8b2e22579a6549ab8423858819703fc142862bcb) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/38787a985396277058a20ac0c6f66fd1377d0737 ---- - src/oom/test-oomd-util.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c -index 776c65820e..29f2c54ab1 100644 ---- a/src/oom/test-oomd-util.c -+++ b/src/oom/test-oomd-util.c -@@ -90,6 +90,7 @@ static void test_oomd_cgroup_context_acquire_and_insert(void) { - _cleanup_free_ char *cgroup = NULL; - ManagedOOMPreference root_pref; - OomdCGroupContext *c1, *c2; -+ CGroupMask mask; - bool test_xattrs; - int root_xattrs, r; - -@@ -102,6 +103,11 @@ static void test_oomd_cgroup_context_acquire_and_insert(void) { - if (cg_all_unified() <= 0) - return (void) log_tests_skipped("cgroups are not running in unified mode"); - -+ assert_se(cg_mask_supported(&mask) >= 0); -+ -+ if (!FLAGS_SET(mask, CGROUP_MASK_MEMORY)) -+ return (void) log_tests_skipped("cgroup memory controller is not available"); -+ - assert_se(cg_pid_get_path(NULL, 0, &cgroup) >= 0); - - /* If we don't have permissions to set xattrs we're likely in a userns or missing capabilities --- -2.33.0 - diff --git a/backport-test-oomd-util-style-fixlets.patch b/backport-test-oomd-util-style-fixlets.patch deleted file mode 100644 index 55f80c2..0000000 --- a/backport-test-oomd-util-style-fixlets.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 76b5fae410a2434e8fadab07700d1480566e8ddd Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 22 Feb 2022 20:21:45 +0900 -Subject: [PATCH] test-oomd-util: style fixlets - -(cherry picked from commit d9fe39b24a0a5464c83c7a754752ca21dbd2578f) -(cherry picked from commit 1343c2efd5401aa52f7790fff4ad7e2d70173f01) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/76b5fae410a2434e8fadab07700d1480566e8ddd ---- - src/oom/test-oomd-util.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c -index 29f2c54ab1..02034c1293 100644 ---- a/src/oom/test-oomd-util.c -+++ b/src/oom/test-oomd-util.c -@@ -300,12 +300,11 @@ static void test_oomd_pressure_above(void) { - assert_se(store_loadavg_fixed_point(1, 11, &(ctx[1].memory_pressure.avg300)) == 0); - ctx[1].mem_pressure_limit = threshold; - -- - /* High memory pressure */ - assert_se(h1 = hashmap_new(&string_hash_ops)); - assert_se(hashmap_put(h1, "/herp.slice", &ctx[0]) >= 0); - assert_se(oomd_pressure_above(h1, 0 /* duration */, &t1) == 1); -- assert_se(set_contains(t1, &ctx[0]) == true); -+ assert_se(set_contains(t1, &ctx[0])); - assert_se(c = hashmap_get(h1, "/herp.slice")); - assert_se(c->mem_pressure_limit_hit_start > 0); - -@@ -313,14 +312,14 @@ static void test_oomd_pressure_above(void) { - assert_se(h2 = hashmap_new(&string_hash_ops)); - assert_se(hashmap_put(h2, "/derp.slice", &ctx[1]) >= 0); - assert_se(oomd_pressure_above(h2, 0 /* duration */, &t2) == 0); -- assert_se(t2 == NULL); -+ assert_se(!t2); - assert_se(c = hashmap_get(h2, "/derp.slice")); - assert_se(c->mem_pressure_limit_hit_start == 0); - - /* High memory pressure w/ multiple cgroups */ - assert_se(hashmap_put(h1, "/derp.slice", &ctx[1]) >= 0); - assert_se(oomd_pressure_above(h1, 0 /* duration */, &t3) == 1); -- assert_se(set_contains(t3, &ctx[0]) == true); -+ assert_se(set_contains(t3, &ctx[0])); - assert_se(set_size(t3) == 1); - assert_se(c = hashmap_get(h1, "/herp.slice")); - assert_se(c->mem_pressure_limit_hit_start > 0); --- -2.33.0 - diff --git a/backport-test-store-the-key-on-a-separate-device.patch b/backport-test-store-the-key-on-a-separate-device.patch deleted file mode 100644 index 8272b45..0000000 --- a/backport-test-store-the-key-on-a-separate-device.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 6b70d3cf81088ee9226cd691bbccc4ebf4764065 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Thu, 26 May 2022 14:52:52 +0200 -Subject: [PATCH] test: store the key on a separate device - ---- - test/TEST-24-CRYPTSETUP/test.sh | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh -index bdf630d912..b81b811654 100755 ---- a/test/TEST-24-CRYPTSETUP/test.sh -+++ b/test/TEST-24-CRYPTSETUP/test.sh -@@ -12,10 +12,8 @@ TEST_FORCE_NEWIMAGE=1 - - PART_UUID="deadbeef-dead-dead-beef-000000000000" - DM_NAME="test24_varcrypt" --# Mount the keyfile only in initrd (hence rd.luks.key), since it resides on --# the rootfs and we would get a (harmless) error when trying to mount it after --# switching root (since rootfs is already mounted) --KERNEL_APPEND+=" rd.luks=1 luks.name=$PART_UUID=$DM_NAME rd.luks.key=$PART_UUID=/etc/varkey:LABEL=systemd_boot" -+KERNEL_APPEND+=" rd.luks=1 luks.name=$PART_UUID=$DM_NAME luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev" -+QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img" - - check_result_qemu() { - local ret=1 -@@ -57,7 +55,13 @@ test_create_image() { - install_dmevent - generate_module_dependencies - -- echo -n test >"$initdir/etc/varkey" -+ # Create a keydev -+ dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16 -+ mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img" -+ mkdir -p "$STATEDIR/keydev" -+ mount "$STATEDIR/keydev.img" "$STATEDIR/keydev" -+ echo -n test >"$STATEDIR/keydev/keyfile" -+ umount "$STATEDIR/keydev" - - cat >>"$initdir/etc/fstab" < -Date: Thu, 30 Sep 2021 14:14:19 +0200 -Subject: [PATCH] test: use a less restrictive portable profile when running w/ - sanitizers - -Since f833df3 we now actually use the seccomp rules defined in portable -profiles. However, the default one is too restrictive for sanitizers, as -it blocks certain syscall required by LSan. Mitigate this by using the -'trusted' profile when running TEST-29-PORTABLE under sanitizers. - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9dbdd33ffa824934962ebe61d03a9f727a1c416c ---- - test/units/testsuite-29.sh | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh -index 3408e6d71a..549fc2663c 100755 ---- a/test/units/testsuite-29.sh -+++ b/test/units/testsuite-29.sh -@@ -4,9 +4,16 @@ - set -eux - set -o pipefail - -+ARGS=() -+if [[ -v ASAN_OPTIONS || -v UBSAN_OPTIONS ]]; then -+ # If we're running under sanitizers, we need to use a less restrictive -+ # profile, otherwise LSan syscall would get blocked by seccomp -+ ARGS+=(--profile=trusted) -+fi -+ - export SYSTEMD_LOG_LEVEL=debug - --portablectl attach --now --runtime /usr/share/minimal_0.raw app0 -+portablectl "${ARGS[@]}" attach --now --runtime /usr/share/minimal_0.raw app0 - - systemctl is-active app0.service - systemctl is-active app0-foo.service -@@ -16,7 +23,7 @@ systemctl is-active app0-bar.service && exit 1 - set -e - set -o pipefail - --portablectl reattach --now --runtime /usr/share/minimal_1.raw app0 -+portablectl "${ARGS[@]}" reattach --now --runtime /usr/share/minimal_1.raw app0 - - systemctl is-active app0.service - systemctl is-active app0-bar.service -@@ -37,7 +44,7 @@ portablectl list | grep -q -F "No images." - unsquashfs -dest /tmp/minimal_0 /usr/share/minimal_0.raw - unsquashfs -dest /tmp/minimal_1 /usr/share/minimal_1.raw - --portablectl attach --copy=symlink --now --runtime /tmp/minimal_0 app0 -+portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/minimal_0 app0 - - systemctl is-active app0.service - systemctl is-active app0-foo.service -@@ -47,7 +54,7 @@ systemctl is-active app0-bar.service && exit 1 - set -e - set -o pipefail - --portablectl reattach --now --enable --runtime /tmp/minimal_1 app0 -+portablectl "${ARGS[@]}" reattach --now --enable --runtime /tmp/minimal_1 app0 - - systemctl is-active app0.service - systemctl is-active app0-bar.service -@@ -66,11 +73,11 @@ portablectl list | grep -q -F "No images." - root="/usr/share/minimal_0.raw" - app1="/usr/share/app1.raw" - --portablectl attach --now --runtime --extension ${app1} ${root} app1 -+portablectl "${ARGS[@]}" attach --now --runtime --extension ${app1} ${root} app1 - - systemctl is-active app1.service - --portablectl reattach --now --runtime --extension ${app1} ${root} app1 -+portablectl "${ARGS[@]}" reattach --now --runtime --extension ${app1} ${root} app1 - - systemctl is-active app1.service - -@@ -83,7 +90,7 @@ mount ${app1} /tmp/app1 - mount ${root} /tmp/rootdir - mount -t overlay overlay -o lowerdir=/tmp/app1:/tmp/rootdir /tmp/overlay - --portablectl attach --copy=symlink --now --runtime /tmp/overlay app1 -+portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/overlay app1 - - systemctl is-active app1.service - --- -2.33.0 - diff --git a/backport-test-watchdog-mark-as-unsafe.patch b/backport-test-watchdog-mark-as-unsafe.patch deleted file mode 100644 index 7012938..0000000 --- a/backport-test-watchdog-mark-as-unsafe.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 7f7ad0e691eb2a05e7f319be8d098af760258dcd Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Tue, 4 Jan 2022 23:43:10 -0500 -Subject: [PATCH] test-watchdog: mark as unsafe - -If something goes wrong with this test it may result in an unsafe -system restart. Let's avoid running it automatically. - -See https://github.com/systemd/systemd/issues/22001. - -(cherry picked from commit 70652c2a6fa9c06c7faac62f41c72e2e4eaa9340) -(cherry picked from commit 4c0ed19c520a8944f68f613edc3acbd0471dcc81) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7f7ad0e691eb2a05e7f319be8d098af760258dcd ---- - src/test/meson.build | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/test/meson.build b/src/test/meson.build -index 64dbb82002..a327a1f8f9 100644 ---- a/src/test/meson.build -+++ b/src/test/meson.build -@@ -521,7 +521,8 @@ tests += [ - [], - core_includes, '', 'manual'], - -- [['src/test/test-watchdog.c']], -+ [['src/test/test-watchdog.c'], -+ [], [], [], '', 'unsafe'], - - [['src/test/test-sched-prio.c'], - [libcore, --- -2.33.0 - diff --git a/backport-tests-add-test-case-for-UMask-BindPaths-combination.patch b/backport-tests-add-test-case-for-UMask-BindPaths-combination.patch deleted file mode 100644 index 463c48d..0000000 --- a/backport-tests-add-test-case-for-UMask-BindPaths-combination.patch +++ /dev/null @@ -1,61 +0,0 @@ -From ae53f4b5e48860b473c4d05958486a77f84ecc6d Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 12 Nov 2021 13:41:59 +0100 -Subject: [PATCH] tests: add test case for UMask=+BindPaths= combination - -Inspired by the test case described in #19899 - -(cherry picked from commit 875afa02fabe1dad5aa3d1e9bff89d493a369fd0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ae53f4b5e48860b473c4d05958486a77f84ecc6d ---- - src/test/test-execute.c | 5 +++++ - test/test-execute/exec-umask-namespace.service | 12 ++++++++++++ - 2 files changed, 17 insertions(+) - create mode 100644 test/test-execute/exec-umask-namespace.service - -diff --git a/src/test/test-execute.c b/src/test/test-execute.c -index 1119ad4acf..88e1b30095 100644 ---- a/src/test/test-execute.c -+++ b/src/test/test-execute.c -@@ -828,6 +828,10 @@ static void test_exec_condition(Manager *m) { - test_service(m, "exec-condition-skip.service", SERVICE_SKIP_CONDITION); - } - -+static void test_exec_umask_namespace(Manager *m) { -+ test(m, "exec-umask-namespace.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED); -+} -+ - typedef struct test_entry { - test_function_t f; - const char *name; -@@ -904,6 +908,7 @@ int main(int argc, char *argv[]) { - entry(test_exec_dynamicuser), - entry(test_exec_specifier), - entry(test_exec_systemcallfilter_system), -+ entry(test_exec_umask_namespace), - {}, - }; - int r; -diff --git a/test/test-execute/exec-umask-namespace.service b/test/test-execute/exec-umask-namespace.service -new file mode 100644 -index 0000000000..8419c86c9a ---- /dev/null -+++ b/test/test-execute/exec-umask-namespace.service -@@ -0,0 +1,12 @@ -+# SPDX-License-Identifier: LGPL-2.1-or-later -+[Unit] -+Description=Test for UMask= + namespacing -+ -+[Service] -+ExecStart=/bin/ls -lahd /tmp/subdir -+Type=oneshot -+User=65534 -+Group=65534 -+TemporaryFileSystem=/tmp:ro -+BindPaths=/etc:/tmp/subdir/subsub -+UMask=0007 --- -2.33.0 - diff --git a/backport-timedatectl-fix-a-memory-leak.patch b/backport-timedatectl-fix-a-memory-leak.patch deleted file mode 100644 index ec1ad78..0000000 --- a/backport-timedatectl-fix-a-memory-leak.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 71d2356edffafe8c40797c64f6fb82a8885d1da9 Mon Sep 17 00:00:00 2001 -From: Evgeny Vereshchagin -Date: Wed, 4 May 2022 11:35:19 +0000 -Subject: [PATCH] timedatectl: fix a memory leak - -``` -timedatectl list-timezones --no-pager -... -==164329==ERROR: LeakSanitizer: detected memory leaks - -Direct leak of 8192 byte(s) in 1 object(s) allocated from: - #0 0x7fe8a74b6f8c in reallocarray (/lib64/libasan.so.6+0xaef8c) - #1 0x7fe8a63485dc in strv_push ../src/basic/strv.c:419 - #2 0x7fe8a6349419 in strv_consume ../src/basic/strv.c:490 - #3 0x7fe8a634958d in strv_extend ../src/basic/strv.c:542 - #4 0x7fe8a643d787 in bus_message_read_strv_extend ../src/libsystemd/sd-bus/bus-message.c:5606 - #5 0x7fe8a643db9d in sd_bus_message_read_strv ../src/libsystemd/sd-bus/bus-message.c:5628 - #6 0x4085fb in list_timezones ../src/timedate/timedatectl.c:314 - #7 0x7fe8a61ef3e1 in dispatch_verb ../src/shared/verbs.c:103 - #8 0x410f91 in timedatectl_main ../src/timedate/timedatectl.c:1025 - #9 0x41111c in run ../src/timedate/timedatectl.c:1043 - #10 0x411242 in main ../src/timedate/timedatectl.c:1046 - #11 0x7fe8a489df1f in __libc_start_call_main (/lib64/libc.so.6+0x40f1f) -``` - -(cherry picked from commit a2e37d52312806b1847800df2358e61276cda052) ---- - src/timedate/timedatectl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/timedate/timedatectl.c b/src/timedate/timedatectl.c -index 75ca6195da..31909064cf 100644 ---- a/src/timedate/timedatectl.c -+++ b/src/timedate/timedatectl.c -@@ -304,7 +304,7 @@ static int list_timezones(int argc, char **argv, void *userdata) { - sd_bus *bus = userdata; - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; - int r; -- char** zones; -+ _cleanup_strv_free_ char **zones = NULL; - - r = bus_call_method(bus, bus_timedate, "ListTimezones", &error, &reply, NULL); - if (r < 0) --- -2.33.0 - diff --git a/backport-timesync-check-cmsg-length.patch b/backport-timesync-check-cmsg-length.patch deleted file mode 100644 index 90a3260..0000000 --- a/backport-timesync-check-cmsg-length.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 4e9f1d0a28cc29d1f010b05d74898f222d757cc8 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 29 Aug 2021 20:55:44 +0900 -Subject: [PATCH] timesync: check cmsg length - -(cherry picked from commit 37df6d9b8d3a8b34bec5346766ab8093c0f0fc26) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/4e9f1d0a28cc29d1f010b05d74898f222d757cc8 ---- - src/timesync/timesyncd-manager.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c -index eae14e8fb2..648e804105 100644 ---- a/src/timesync/timesyncd-manager.c -+++ b/src/timesync/timesyncd-manager.c -@@ -467,6 +467,8 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re - - switch (cmsg->cmsg_type) { - case SCM_TIMESTAMPNS: -+ assert(cmsg->cmsg_len == CMSG_LEN(sizeof(struct timespec))); -+ - recv_time = (struct timespec *) CMSG_DATA(cmsg); - break; - } --- -2.33.0 - diff --git a/backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch b/backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch deleted file mode 100644 index aef7fe9..0000000 --- a/backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch +++ /dev/null @@ -1,45 +0,0 @@ -From dac54d1aa759255144d9937361289bde57d64118 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 20 Aug 2021 08:40:11 +0900 -Subject: [PATCH] timesync: fix wrong type for receiving timestamp in - nanoseconds - -Fixes #20482. - -(cherry picked from commit 6f96bdc58746b1698bf8b3430a6c638f8949daec) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/dac54d1aa759255144d9937361289bde57d64118 ---- - src/test/test-sizeof.c | 2 ++ - src/timesync/timesyncd-manager.c | 2 +- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/test/test-sizeof.c b/src/test/test-sizeof.c -index 3c9dc180fa..e36bee4e8f 100644 ---- a/src/test/test-sizeof.c -+++ b/src/test/test-sizeof.c -@@ -89,5 +89,7 @@ int main(void) { - printf("big_enum2_pos → %zu\n", sizeof(big_enum2_pos)); - printf("big_enum2_neg → %zu\n", sizeof(big_enum2_neg)); - -+ printf("timeval: %zu\n", sizeof(struct timeval)); -+ printf("timespec: %zu\n", sizeof(struct timespec)); - return 0; - } -diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c -index cb5d42b1d3..9d874cfc8a 100644 ---- a/src/timesync/timesyncd-manager.c -+++ b/src/timesync/timesyncd-manager.c -@@ -412,7 +412,7 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re - .iov_base = &ntpmsg, - .iov_len = sizeof(ntpmsg), - }; -- CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct timeval))) control; -+ CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct timespec))) control; - union sockaddr_union server_addr; - struct msghdr msghdr = { - .msg_iov = &iov, --- -2.33.0 - diff --git a/backport-tmpfiles-avoid-null-free-for-acl-attributes.patch b/backport-tmpfiles-avoid-null-free-for-acl-attributes.patch deleted file mode 100644 index c7cddb3..0000000 --- a/backport-tmpfiles-avoid-null-free-for-acl-attributes.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 85e06ba8753e767d9f28550bf9f6b0d2e971b296 Mon Sep 17 00:00:00 2001 -From: Sam James -Date: Fri, 6 Jan 2023 10:58:32 +0000 -Subject: [PATCH] tmpfiles: avoid null free() for acl attributes - -When built with ACL support, we might be processing a tmpfiles -entry where there's no cause for us to call parse_acls_from_arg, -then we get to the end of parse_line without having ever populated -i.{acl_access, acl_default}. - -Then we pass a null pointer into acl_free(). - -From UBSAN w/ GCC 13.0.0_pre20230101: -``` -$ systemd-tmpfiles --clean -/var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer - #0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44 - #1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855 - #2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158 - #3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897 - #4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985 - #5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157 - #6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218 - #7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289) - #8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344) - #9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900) -``` - -(cherry picked from commit 9f804ab04d566ff745849e1c4ced680a0447cf76) -(cherry picked from commit a11a949c43def70ec5d3f57f561884c3f652603e) -(cherry picked from commit 455193605d22a171c0f9b599a105be9ac18f433f) -(cherry picked from commit 0e711b7c06fc8b1290adcd38b4bb8faaa49ab764) ---- - src/tmpfiles/tmpfiles.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c -index 1bfb1cbe16..461dfe5a5f 100644 ---- a/src/tmpfiles/tmpfiles.c -+++ b/src/tmpfiles/tmpfiles.c -@@ -2683,8 +2683,11 @@ static void item_free_contents(Item *i) { - strv_free(i->xattrs); - - #if HAVE_ACL -- acl_free(i->acl_access); -- acl_free(i->acl_default); -+ if (i->acl_access) -+ acl_free(i->acl_access); -+ -+ if (i->acl_default) -+ acl_free(i->acl_default); - #endif - } - --- -2.27.0 - diff --git a/backport-tmpfiles-check-the-directory-we-were-supposed-to-cre.patch b/backport-tmpfiles-check-the-directory-we-were-supposed-to-cre.patch deleted file mode 100644 index d7b6537..0000000 --- a/backport-tmpfiles-check-the-directory-we-were-supposed-to-cre.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 675dd1039c69ff28ce9c7e617fcede80e998b3e9 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 13 Jul 2022 23:44:45 +0200 -Subject: [PATCH] tmpfiles: check the directory we were supposed to create, not - its parent - -This current code checks the wrong directory. This was broken in -4c39d899ff00e90b7290e4985696f321d7f2726f which converted the previous -code incorrectly. - -(cherry picked from commit 92631578fff1568fa8e99f96de05baae5b258ffe) -(cherry picked from commit 625472b219a4b1ac64534d38cf6e64b51ab22bbb) -(cherry picked from commit 8b674cf43f1ba8137da3a90c67826f13c865838c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/675dd1039c69ff28ce9c7e617fcede80e998b3e9 ---- - src/tmpfiles/tmpfiles.c | 17 +++++++---------- - 1 file changed, 7 insertions(+), 10 deletions(-) - -diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c -index 7e85c50634..1bfb1cbe16 100644 ---- a/src/tmpfiles/tmpfiles.c -+++ b/src/tmpfiles/tmpfiles.c -@@ -1666,15 +1666,12 @@ static int create_directory_or_subvolume(const char *path, mode_t mode, bool sub - r = btrfs_is_subvol(empty_to_root(arg_root)) > 0; - } - if (!r) -- /* Don't create a subvolume unless the root directory is -- * one, too. We do this under the assumption that if the -- * root directory is just a plain directory (i.e. very -- * light-weight), we shouldn't try to split it up into -- * subvolumes (i.e. more heavy-weight). Thus, chroot() -- * environments and suchlike will get a full brtfs -- * subvolume set up below their tree only if they -- * specifically set up a btrfs subvolume for the root -- * dir too. */ -+ /* Don't create a subvolume unless the root directory is one, too. We do this under -+ * the assumption that if the root directory is just a plain directory (i.e. very -+ * light-weight), we shouldn't try to split it up into subvolumes (i.e. more -+ * heavy-weight). Thus, chroot() environments and suchlike will get a full brtfs -+ * subvolume set up below their tree only if they specifically set up a btrfs -+ * subvolume for the root dir too. */ - - subvol = false; - else { -@@ -1694,7 +1691,7 @@ static int create_directory_or_subvolume(const char *path, mode_t mode, bool sub - if (!IN_SET(r, -EEXIST, -EROFS)) - return log_error_errno(r, "Failed to create directory or subvolume \"%s\": %m", path); - -- k = is_dir_fd(pfd); -+ k = is_dir_full(pfd, basename(path), /* follow= */ false); - if (k == -ENOENT && r == -EROFS) - return log_error_errno(r, "%s does not exist and cannot be created as the file system is read-only.", path); - if (k < 0) --- -2.27.0 - diff --git a/backport-tpm-util-fix-TPM-parameter-handling.patch b/backport-tpm-util-fix-TPM-parameter-handling.patch deleted file mode 100644 index 8ea2e6b..0000000 --- a/backport-tpm-util-fix-TPM-parameter-handling.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 966a8cd270e017928389aa1c3966551b301da5e7 Mon Sep 17 00:00:00 2001 -From: Anatol Pomozov -Date: Fri, 10 Sep 2021 11:52:55 -0700 -Subject: [PATCH] tpm-util: fix TPM parameter handling - -cryptenroll allows to specify a custom TPM driver separated from -parameters with colon e.g. `systemd-cryptenroll --tpm2-device=swtpm:` -tells to load swtpm tss driver and use it as a device. - -Unfortunately it does not work, swtpm driver init() fails with - -``` -debug:tcti:src/tss2-tcti/tcti-swtpm.c:570:Tss2_Tcti_Swtpm_Init() Dup'd conf string to: 0x562f91cbc000 -debug:tcti:src/util/key-value-parse.c:85:parse_key_value_string() parsing key/value: swtpm: -WARNING:tcti:src/util/key-value-parse.c:50:parse_key_value() key / value string is invalid -Failed to initialize TCTI context: tcti:A parameter has a bad value -``` - -It turns out that cryptenroll suppose to use the driver name internally -and strip it before passing the rest of parameters to init() function. -Without doing it swtpm receives incorrect key-value property and gets -confused. - -Fix it by passing the correct parameter (without driver name) to the -init() function. - -Fixes #20708 - -(cherry picked from commit 8889564a8da574e4b956e2b6ced34354dee54cd7) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/966a8cd270e017928389aa1c3966551b301da5e7 ---- - src/shared/tpm2-util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c -index df6d2eef58..56a7fe622e 100644 ---- a/src/shared/tpm2-util.c -+++ b/src/shared/tpm2-util.c -@@ -182,7 +182,7 @@ static int tpm2_init(const char *device, struct tpm2_context *ret) { - if (!tcti) - return log_oom(); - -- rc = info->init(tcti, &sz, device); -+ rc = info->init(tcti, &sz, param); - if (rc != TPM2_RC_SUCCESS) - return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), - "Failed to initialize TCTI context: %s", sym_Tss2_RC_Decode(rc)); --- -2.33.0 - diff --git a/backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch b/backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch deleted file mode 100644 index 800c91a..0000000 --- a/backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch +++ /dev/null @@ -1,546 +0,0 @@ -From e3516e4fdce54f62819bbb18a9fcdd843544d354 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Wed, 15 Sep 2021 10:56:21 +0200 -Subject: [PATCH] tree-wide: mark set-but-not-used variables as unused to make - LLVM happy - -LLVM 13 introduced `-Wunused-but-set-variable` diagnostic flag, which -trips over some intentionally set-but-not-used variables or variables -attached to cleanup handlers with side effects (`_cleanup_umask_`, -`_cleanup_(notify_on_cleanup)`, `_cleanup_(restore_sigsetp)`, etc.): - -``` -../src/basic/process-util.c:1257:46: error: variable 'saved_ssp' set but not used [-Werror,-Wunused-but-set-variable] - _cleanup_(restore_sigsetp) sigset_t *saved_ssp = NULL; - ^ - 1 error generated. -``` - -(cherry picked from commit d7ac09520be8f0d3d94df3dd4fd8a6e7404c0174) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e3516e4fdce54f62819bbb18a9fcdd843544d354 ---- - src/basic/process-util.c | 2 +- - src/basic/unit-file.c | 3 ++- - src/core/manager.c | 4 ++-- - src/cryptsetup/cryptsetup.c | 2 +- - src/home/homed.c | 2 +- - src/initctl/initctl.c | 2 +- - src/journal-remote/journal-remote-main.c | 2 +- - src/journal-remote/journal-remote.c | 2 +- - src/journal-remote/journal-upload.c | 2 +- - src/journal/journald-server.c | 2 +- - src/libsystemd-network/sd-dhcp-server.c | 6 ++++-- - src/libsystemd/sd-device/sd-device.c | 9 ++++++--- - src/libsystemd/sd-journal/test-catalog.c | 2 +- - src/login/logind-core.c | 2 +- - src/login/logind-session.c | 2 +- - src/login/logind.c | 2 +- - src/network/networkd-dhcp-common.c | 6 ++++-- - src/network/networkd.c | 2 +- - src/network/wait-online/wait-online.c | 2 +- - src/nss-systemd/userdb-glue.c | 4 ++-- - src/oom/oomd-manager.c | 2 +- - src/oom/oomd.c | 2 +- - src/resolve/resolved-dns-cache.c | 2 +- - src/resolve/resolved-dns-query.c | 2 +- - src/resolve/resolved.c | 2 +- - src/shared/barrier.c | 2 +- - src/shared/utmp-wtmp.c | 8 ++++---- - src/timesync/timesyncd.c | 2 +- - src/tty-ask-password-agent/tty-ask-password-agent.c | 3 ++- - src/udev/udevd.c | 3 ++- - src/userdb/userdbd.c | 2 +- - 31 files changed, 50 insertions(+), 40 deletions(-) - -diff --git a/src/basic/process-util.c b/src/basic/process-util.c -index 461bbfe9a5..b76ca6f7c5 100644 ---- a/src/basic/process-util.c -+++ b/src/basic/process-util.c -@@ -1278,7 +1278,7 @@ int safe_fork_full( - - pid_t original_pid, pid; - sigset_t saved_ss, ss; -- _cleanup_(restore_sigsetp) sigset_t *saved_ssp = NULL; -+ _unused_ _cleanup_(restore_sigsetp) sigset_t *saved_ssp = NULL; - bool block_signals = false, block_all = false; - int prio, r; - -diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c -index 0d58b1c4fe..d1e997ec9f 100644 ---- a/src/basic/unit-file.c -+++ b/src/basic/unit-file.c -@@ -286,7 +286,8 @@ int unit_file_build_name_map( - - FOREACH_DIRENT_ALL(de, d, log_warning_errno(errno, "Failed to read \"%s\", ignoring: %m", *dir)) { - char *filename; -- _cleanup_free_ char *_filename_free = NULL, *simplified = NULL; -+ _unused_ _cleanup_free_ char *_filename_free = NULL; -+ _cleanup_free_ char *simplified = NULL; - const char *suffix, *dst = NULL; - bool valid_unit_name; - -diff --git a/src/core/manager.c b/src/core/manager.c -index 34891a8754..abc63a71af 100644 ---- a/src/core/manager.c -+++ b/src/core/manager.c -@@ -1731,7 +1731,7 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { - - { - /* This block is (optionally) done with the reloading counter bumped */ -- _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; -+ _unused_ _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; - - /* If we will deserialize make sure that during enumeration this is already known, so we increase the - * counter here already */ -@@ -3770,7 +3770,7 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { - } - - int manager_reload(Manager *m) { -- _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; -+ _unused_ _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; - _cleanup_fdset_free_ FDSet *fds = NULL; - _cleanup_fclose_ FILE *f = NULL; - int r; -diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c -index 0fa41b8360..440f17d017 100644 ---- a/src/cryptsetup/cryptsetup.c -+++ b/src/cryptsetup/cryptsetup.c -@@ -1482,7 +1482,7 @@ static int run(int argc, char *argv[]) { - verb = argv[1]; - - if (streq(verb, "attach")) { -- _cleanup_(remove_and_erasep) const char *destroy_key_file = NULL; -+ _unused_ _cleanup_(remove_and_erasep) const char *destroy_key_file = NULL; - _cleanup_(erase_and_freep) void *key_data = NULL; - const char *volume, *source, *key_file, *options; - crypt_status_info status; -diff --git a/src/home/homed.c b/src/home/homed.c -index 807d25e273..579c289a68 100644 ---- a/src/home/homed.c -+++ b/src/home/homed.c -@@ -14,7 +14,7 @@ - - static int run(int argc, char *argv[]) { - _cleanup_(manager_freep) Manager *m = NULL; -- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; - int r; - - log_setup(); -diff --git a/src/initctl/initctl.c b/src/initctl/initctl.c -index c48fef16ef..a48a8570c4 100644 ---- a/src/initctl/initctl.c -+++ b/src/initctl/initctl.c -@@ -311,7 +311,7 @@ static int process_event(Server *s, struct epoll_event *ev) { - - static int run(int argc, char *argv[]) { - _cleanup_(server_done) Server server = { .epoll_fd = -1 }; -- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; - int r, n; - - if (argc > 1) -diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c -index 9ff31763da..b46b4fc08e 100644 ---- a/src/journal-remote/journal-remote-main.c -+++ b/src/journal-remote/journal-remote-main.c -@@ -1099,7 +1099,7 @@ static int load_certificates(char **key, char **cert, char **trust) { - - static int run(int argc, char **argv) { - _cleanup_(journal_remote_server_destroy) RemoteServer s = {}; -- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; - _cleanup_(erase_and_freep) char *key = NULL; - _cleanup_free_ char *cert = NULL, *trust = NULL; - int r; -diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c -index 6e5aebdc48..f530ba3c7e 100644 ---- a/src/journal-remote/journal-remote.c -+++ b/src/journal-remote/journal-remote.c -@@ -272,7 +272,7 @@ int journal_remote_add_source(RemoteServer *s, int fd, char* name, bool own_name - - int journal_remote_add_raw_socket(RemoteServer *s, int fd) { - int r; -- _cleanup_close_ int fd_ = fd; -+ _unused_ _cleanup_close_ int fd_ = fd; - char name[STRLEN("raw-socket-") + DECIMAL_STR_MAX(int) + 1]; - - assert(fd >= 0); -diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c -index 2a38d206ea..37660b925a 100644 ---- a/src/journal-remote/journal-upload.c -+++ b/src/journal-remote/journal-upload.c -@@ -820,7 +820,7 @@ static int open_journal(sd_journal **j) { - - static int run(int argc, char **argv) { - _cleanup_(destroy_uploader) Uploader u = {}; -- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; - bool use_journal; - int r; - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index 2d1d9e66d7..a212079758 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -910,7 +910,7 @@ static void dispatch_message_real( - pid_t object_pid) { - - char source_time[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)]; -- _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; -+ _unused_ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; - uid_t journal_uid; - ClientContext *o; - -diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c -index 0b3904c02a..070f4ec1c2 100644 ---- a/src/libsystemd-network/sd-dhcp-server.c -+++ b/src/libsystemd-network/sd-dhcp-server.c -@@ -1004,7 +1004,8 @@ int dhcp_server_handle_message(sd_dhcp_server *server, DHCPMessage *message, siz - /* verify that the requested address is from the pool, and either - owned by the current client or free */ - if (pool_offset >= 0 && static_lease) { -- _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL, *old_lease = NULL; -+ _unused_ _cleanup_(dhcp_lease_freep) DHCPLease *old_lease = NULL; -+ _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL; - usec_t time_now, expiration; - - r = sd_event_now(server->event, clock_boottime_or_monotonic(), &time_now); -@@ -1482,7 +1483,8 @@ int sd_dhcp_server_set_static_lease( - uint8_t *client_id, - size_t client_id_size) { - -- _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL, *old = NULL; -+ _unused_ _cleanup_(dhcp_lease_freep) DHCPLease *old = NULL; -+ _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL; - DHCPClientId c; - int r; - -diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c -index 45261588a8..3f2cce5bba 100644 ---- a/src/libsystemd/sd-device/sd-device.c -+++ b/src/libsystemd/sd-device/sd-device.c -@@ -94,7 +94,8 @@ int device_add_property_aux(sd_device *device, const char *key, const char *valu - properties = &device->properties; - - if (value) { -- _cleanup_free_ char *new_key = NULL, *new_value = NULL, *old_key = NULL, *old_value = NULL; -+ _unused_ _cleanup_free_ char *old_value = NULL; -+ _cleanup_free_ char *new_key = NULL, *new_value = NULL, *old_key = NULL; - int r; - - r = ordered_hashmap_ensure_allocated(properties, &string_hash_ops_free_free); -@@ -119,7 +120,8 @@ int device_add_property_aux(sd_device *device, const char *key, const char *valu - TAKE_PTR(new_key); - TAKE_PTR(new_value); - } else { -- _cleanup_free_ char *old_key = NULL, *old_value = NULL; -+ _unused_ _cleanup_free_ char *old_value = NULL; -+ _cleanup_free_ char *old_key = NULL; - - old_value = ordered_hashmap_remove2(*properties, key, (void**) &old_key); - } -@@ -1920,7 +1922,8 @@ _public_ int sd_device_get_trigger_uuid(sd_device *device, sd_id128_t *ret) { - } - - static int device_cache_sysattr_value(sd_device *device, const char *key, char *value) { -- _cleanup_free_ char *new_key = NULL, *old_value = NULL; -+ _unused_ _cleanup_free_ char *old_value = NULL; -+ _cleanup_free_ char *new_key = NULL; - int r; - - assert(device); -diff --git a/src/libsystemd/sd-journal/test-catalog.c b/src/libsystemd/sd-journal/test-catalog.c -index 982fec0d8d..316c3b1634 100644 ---- a/src/libsystemd/sd-journal/test-catalog.c -+++ b/src/libsystemd/sd-journal/test-catalog.c -@@ -53,7 +53,7 @@ static void test_catalog_import_invalid(void) { - } - - static void test_catalog_import_badid(void) { -- _cleanup_ordered_hashmap_free_free_free_ OrderedHashmap *h = NULL; -+ _unused_ _cleanup_ordered_hashmap_free_free_free_ OrderedHashmap *h = NULL; - const char *input = - "-- 0027229ca0644181a76c4e92458afaff dededededededededededededededede\n" \ - "Subject: message\n" \ -diff --git a/src/login/logind-core.c b/src/login/logind-core.c -index e08929e52a..a9792fd5e4 100644 ---- a/src/login/logind-core.c -+++ b/src/login/logind-core.c -@@ -689,7 +689,7 @@ bool manager_all_buttons_ignored(Manager *m) { - int manager_read_utmp(Manager *m) { - #if ENABLE_UTMP - int r; -- _cleanup_(utxent_cleanup) bool utmpx = false; -+ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; - - assert(m); - -diff --git a/src/login/logind-session.c b/src/login/logind-session.c -index 3f09750ec9..cde2b5e8bb 100644 ---- a/src/login/logind-session.c -+++ b/src/login/logind-session.c -@@ -1323,7 +1323,7 @@ bool session_is_controller(Session *s, const char *sender) { - } - - static void session_release_controller(Session *s, bool notify) { -- _cleanup_free_ char *name = NULL; -+ _unused_ _cleanup_free_ char *name = NULL; - SessionDevice *sd; - - if (!s->controller) -diff --git a/src/login/logind.c b/src/login/logind.c -index ec52a57acb..b642da6eaa 100644 ---- a/src/login/logind.c -+++ b/src/login/logind.c -@@ -1155,7 +1155,7 @@ static int manager_run(Manager *m) { - - static int run(int argc, char *argv[]) { - _cleanup_(manager_unrefp) Manager *m = NULL; -- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; - int r; - - log_set_facility(LOG_AUTH); -diff --git a/src/network/networkd-dhcp-common.c b/src/network/networkd-dhcp-common.c -index 249d780887..02cef0fbfc 100644 ---- a/src/network/networkd-dhcp-common.c -+++ b/src/network/networkd-dhcp-common.c -@@ -631,8 +631,10 @@ int config_parse_dhcp_send_option( - void *data, - void *userdata) { - -- _cleanup_(sd_dhcp_option_unrefp) sd_dhcp_option *opt4 = NULL, *old4 = NULL; -- _cleanup_(sd_dhcp6_option_unrefp) sd_dhcp6_option *opt6 = NULL, *old6 = NULL; -+ _cleanup_(sd_dhcp_option_unrefp) sd_dhcp_option *opt4 = NULL; -+ _cleanup_(sd_dhcp6_option_unrefp) sd_dhcp6_option *opt6 = NULL; -+ _unused_ _cleanup_(sd_dhcp_option_unrefp) sd_dhcp_option *old4 = NULL; -+ _unused_ _cleanup_(sd_dhcp6_option_unrefp) sd_dhcp6_option *old6 = NULL; - uint32_t uint32_data, enterprise_identifier = 0; - _cleanup_free_ char *word = NULL, *q = NULL; - OrderedHashmap **options = data; -diff --git a/src/network/networkd.c b/src/network/networkd.c -index 48f6061b1f..ff3380c82c 100644 ---- a/src/network/networkd.c -+++ b/src/network/networkd.c -@@ -19,7 +19,7 @@ - - static int run(int argc, char *argv[]) { - _cleanup_(manager_freep) Manager *m = NULL; -- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; - int r; - - log_setup(); -diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c -index 1b24b6f1a6..3ce29ac679 100644 ---- a/src/network/wait-online/wait-online.c -+++ b/src/network/wait-online/wait-online.c -@@ -195,7 +195,7 @@ static int parse_argv(int argc, char *argv[]) { - - static int run(int argc, char *argv[]) { - _cleanup_(manager_freep) Manager *m = NULL; -- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; - int r; - - log_setup(); -diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c -index c865ff0d82..002e6925f9 100644 ---- a/src/nss-systemd/userdb-glue.c -+++ b/src/nss-systemd/userdb-glue.c -@@ -303,7 +303,7 @@ enum nss_status userdb_getgrnam( - } - - if (!g) { -- _cleanup_(_nss_systemd_unblockp) bool blocked = false; -+ _unused_ _cleanup_(_nss_systemd_unblockp) bool blocked = false; - - if (strv_isempty(members)) - return NSS_STATUS_NOTFOUND; -@@ -365,7 +365,7 @@ enum nss_status userdb_getgrgid( - } - - if (!g) { -- _cleanup_(_nss_systemd_unblockp) bool blocked = false; -+ _unused_ _cleanup_(_nss_systemd_unblockp) bool blocked = false; - - /* So, quite possibly we have to extend an existing group record with additional members. But - * to do this we need to know the group name first. The group didn't exist via non-NSS -diff --git a/src/oom/oomd-manager.c b/src/oom/oomd-manager.c -index 727206d0b3..891b0acacb 100644 ---- a/src/oom/oomd-manager.c -+++ b/src/oom/oomd-manager.c -@@ -387,7 +387,7 @@ static void clear_candidate_hashmapp(Manager **m) { - static int monitor_memory_pressure_contexts_handler(sd_event_source *s, uint64_t usec, void *userdata) { - /* Don't want to use stale candidate data. Setting this will clear the candidate hashmap on return unless we - * update the candidate data (in which case clear_candidates will be NULL). */ -- _cleanup_(clear_candidate_hashmapp) Manager *clear_candidates = userdata; -+ _unused_ _cleanup_(clear_candidate_hashmapp) Manager *clear_candidates = userdata; - _cleanup_set_free_ Set *targets = NULL; - bool in_post_action_delay = false; - Manager *m = userdata; -diff --git a/src/oom/oomd.c b/src/oom/oomd.c -index deb7b094d5..e13a1b35e5 100644 ---- a/src/oom/oomd.c -+++ b/src/oom/oomd.c -@@ -116,7 +116,7 @@ static int parse_argv(int argc, char *argv[]) { - } - - static int run(int argc, char *argv[]) { -- _cleanup_(notify_on_cleanup) const char *notify_msg = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_msg = NULL; - _cleanup_(manager_freep) Manager *m = NULL; - _cleanup_free_ char *swap = NULL; - unsigned long long s = 0; -diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c -index f73ead872d..c2fca1fabe 100644 ---- a/src/resolve/resolved-dns-cache.c -+++ b/src/resolve/resolved-dns-cache.c -@@ -274,7 +274,7 @@ static int dns_cache_link_item(DnsCache *c, DnsCacheItem *i) { - - first = hashmap_get(c->by_key, i->key); - if (first) { -- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *k = NULL; -+ _unused_ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *k = NULL; - - /* Keep a reference to the original key, while we manipulate the list. */ - k = dns_resource_key_ref(first->key); -diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c -index 6d372395fe..192bfd3bf5 100644 ---- a/src/resolve/resolved-dns-query.c -+++ b/src/resolve/resolved-dns-query.c -@@ -165,7 +165,7 @@ static int dns_query_candidate_add_transaction( - } - - static int dns_query_candidate_go(DnsQueryCandidate *c) { -- _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL; -+ _unused_ _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL; - DnsTransaction *t; - int r; - unsigned n = 0; -diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c -index aabaa266e9..85ab917c4f 100644 ---- a/src/resolve/resolved.c -+++ b/src/resolve/resolved.c -@@ -23,7 +23,7 @@ - - static int run(int argc, char *argv[]) { - _cleanup_(manager_freep) Manager *m = NULL; -- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; - int r; - - log_setup(); -diff --git a/src/shared/barrier.c b/src/shared/barrier.c -index 2864c1b8f9..87061f55d7 100644 ---- a/src/shared/barrier.c -+++ b/src/shared/barrier.c -@@ -90,7 +90,7 @@ - * Returns: 0 on success, negative error code on failure. - */ - int barrier_create(Barrier *b) { -- _cleanup_(barrier_destroyp) Barrier *staging = b; -+ _unused_ _cleanup_(barrier_destroyp) Barrier *staging = b; - int r; - - assert(b); -diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c -index 784aad2943..d529498fad 100644 ---- a/src/shared/utmp-wtmp.c -+++ b/src/shared/utmp-wtmp.c -@@ -25,7 +25,7 @@ - #include "utmp-wtmp.h" - - int utmp_get_runlevel(int *runlevel, int *previous) { -- _cleanup_(utxent_cleanup) bool utmpx = false; -+ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; - struct utmpx *found, lookup = { .ut_type = RUN_LVL }; - const char *e; - -@@ -87,7 +87,7 @@ static void init_entry(struct utmpx *store, usec_t t) { - } - - static int write_entry_utmp(const struct utmpx *store) { -- _cleanup_(utxent_cleanup) bool utmpx = false; -+ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; - - assert(store); - -@@ -215,7 +215,7 @@ int utmp_put_init_process(const char *id, pid_t pid, pid_t sid, const char *line - } - - int utmp_put_dead_process(const char *id, pid_t pid, int code, int status) { -- _cleanup_(utxent_cleanup) bool utmpx = false; -+ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; - struct utmpx lookup = { - .ut_type = INIT_PROCESS /* looks for DEAD_PROCESS, LOGIN_PROCESS, USER_PROCESS, too */ - }, store, store_wtmp, *found; -@@ -340,7 +340,7 @@ int utmp_wall( - bool (*match_tty)(const char *tty, void *userdata), - void *userdata) { - -- _cleanup_(utxent_cleanup) bool utmpx = false; -+ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; - _cleanup_free_ char *text = NULL, *hn = NULL, *un = NULL, *stdin_tty = NULL; - char date[FORMAT_TIMESTAMP_MAX]; - struct utmpx *u; -diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c -index e6a2b06687..8d43e55583 100644 ---- a/src/timesync/timesyncd.c -+++ b/src/timesync/timesyncd.c -@@ -90,7 +90,7 @@ settime: - - static int run(int argc, char *argv[]) { - _cleanup_(manager_freep) Manager *m = NULL; -- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; - const char *user = "systemd-timesync"; - uid_t uid, uid_current; - gid_t gid; -diff --git a/src/tty-ask-password-agent/tty-ask-password-agent.c b/src/tty-ask-password-agent/tty-ask-password-agent.c -index 59b144972b..25d69180c5 100644 ---- a/src/tty-ask-password-agent/tty-ask-password-agent.c -+++ b/src/tty-ask-password-agent/tty-ask-password-agent.c -@@ -338,7 +338,8 @@ static int process_and_watch_password_files(bool watch) { - _FD_MAX - }; - -- _cleanup_close_ int notify = -1, signal_fd = -1, tty_block_fd = -1; -+ _unused_ _cleanup_close_ int tty_block_fd = -1; -+ _cleanup_close_ int notify = -1, signal_fd = -1; - struct pollfd pollfd[_FD_MAX]; - sigset_t mask; - int r; -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 13ac7c83b5..8808c5cf95 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -1092,7 +1092,8 @@ static int on_ctrl_msg(struct udev_ctrl *uctrl, enum udev_ctrl_msg_type type, co - manager_reload(manager); - break; - case UDEV_CTRL_SET_ENV: { -- _cleanup_free_ char *key = NULL, *val = NULL, *old_key = NULL, *old_val = NULL; -+ _unused_ _cleanup_free_ char *old_val = NULL; -+ _cleanup_free_ char *key = NULL, *val = NULL, *old_key = NULL; - const char *eq; - - eq = strchr(value->buf, '='); -diff --git a/src/userdb/userdbd.c b/src/userdb/userdbd.c -index d469411eb8..0c321bf411 100644 ---- a/src/userdb/userdbd.c -+++ b/src/userdb/userdbd.c -@@ -24,7 +24,7 @@ - - static int run(int argc, char *argv[]) { - _cleanup_(manager_freep) Manager *m = NULL; -- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; -+ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; - int r; - - log_setup(); --- -2.33.0 - diff --git a/backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch b/backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch deleted file mode 100644 index 52a9aad..0000000 --- a/backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch +++ /dev/null @@ -1,158 +0,0 @@ -From e53bfae86dfb909e0a2eb179328b61f4ed723639 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 8 Nov 2021 23:07:51 +0100 -Subject: [PATCH] tree-wide: use sd_event_source_disable_unref() where we can - -(cherry picked from commit 4f538d7b221de5707c1ff422e6e34be795535397) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e53bfae86dfb909e0a2eb179328b61f4ed723639 ---- - src/journal/journald-stream.c | 7 +---- - src/libsystemd/sd-bus/sd-bus.c | 37 +++++--------------------- - src/libsystemd/sd-resolve/sd-resolve.c | 6 +---- - src/shared/varlink.c | 10 ++----- - 4 files changed, 10 insertions(+), 50 deletions(-) - -diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c -index c6720b6b13..ee0fd27f2e 100644 ---- a/src/journal/journald-stream.c -+++ b/src/journal/journald-stream.c -@@ -108,7 +108,6 @@ StdoutStream* stdout_stream_free(StdoutStream *s) { - return NULL; - - if (s->server) { -- - if (s->context) - client_context_release(s->server, s->context); - -@@ -122,11 +121,7 @@ StdoutStream* stdout_stream_free(StdoutStream *s) { - (void) server_start_or_stop_idle_timer(s->server); /* Maybe we are idle now? */ - } - -- if (s->event_source) { -- sd_event_source_set_enabled(s->event_source, SD_EVENT_OFF); -- s->event_source = sd_event_source_unref(s->event_source); -- } -- -+ sd_event_source_disable_unref(s->event_source); - safe_close(s->fd); - free(s->label); - free(s->identifier); -diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c -index a32e2f5e20..79c24fe703 100644 ---- a/src/libsystemd/sd-bus/sd-bus.c -+++ b/src/libsystemd/sd-bus/sd-bus.c -@@ -62,7 +62,6 @@ - - static int bus_poll(sd_bus *bus, bool need_more, uint64_t timeout_usec); - static void bus_detach_io_events(sd_bus *b); --static void bus_detach_inotify_event(sd_bus *b); - - static thread_local sd_bus *default_system_bus = NULL; - static thread_local sd_bus *default_user_bus = NULL; -@@ -139,7 +138,7 @@ void bus_close_io_fds(sd_bus *b) { - void bus_close_inotify_fd(sd_bus *b) { - assert(b); - -- bus_detach_inotify_event(b); -+ b->inotify_event_source = sd_event_source_disable_unref(b->inotify_event_source); - - b->inotify_fd = safe_close(b->inotify_fd); - b->inotify_watches = mfree(b->inotify_watches); -@@ -3738,15 +3737,8 @@ int bus_attach_io_events(sd_bus *bus) { - static void bus_detach_io_events(sd_bus *bus) { - assert(bus); - -- if (bus->input_io_event_source) { -- sd_event_source_set_enabled(bus->input_io_event_source, SD_EVENT_OFF); -- bus->input_io_event_source = sd_event_source_unref(bus->input_io_event_source); -- } -- -- if (bus->output_io_event_source) { -- sd_event_source_set_enabled(bus->output_io_event_source, SD_EVENT_OFF); -- bus->output_io_event_source = sd_event_source_unref(bus->output_io_event_source); -- } -+ bus->input_io_event_source = sd_event_source_disable_unref(bus->input_io_event_source); -+ bus->output_io_event_source = sd_event_source_disable_unref(bus->output_io_event_source); - } - - int bus_attach_inotify_event(sd_bus *bus) { -@@ -3778,15 +3770,6 @@ int bus_attach_inotify_event(sd_bus *bus) { - return 0; - } - --static void bus_detach_inotify_event(sd_bus *bus) { -- assert(bus); -- -- if (bus->inotify_event_source) { -- sd_event_source_set_enabled(bus->inotify_event_source, SD_EVENT_OFF); -- bus->inotify_event_source = sd_event_source_unref(bus->inotify_event_source); -- } --} -- - _public_ int sd_bus_attach_event(sd_bus *bus, sd_event *event, int priority) { - int r; - -@@ -3851,17 +3834,9 @@ _public_ int sd_bus_detach_event(sd_bus *bus) { - return 0; - - bus_detach_io_events(bus); -- bus_detach_inotify_event(bus); -- -- if (bus->time_event_source) { -- sd_event_source_set_enabled(bus->time_event_source, SD_EVENT_OFF); -- bus->time_event_source = sd_event_source_unref(bus->time_event_source); -- } -- -- if (bus->quit_event_source) { -- sd_event_source_set_enabled(bus->quit_event_source, SD_EVENT_OFF); -- bus->quit_event_source = sd_event_source_unref(bus->quit_event_source); -- } -+ bus->inotify_event_source = sd_event_source_disable_unref(bus->inotify_event_source); -+ bus->time_event_source = sd_event_source_disable_unref(bus->time_event_source); -+ bus->quit_event_source = sd_event_source_disable_unref(bus->quit_event_source); - - bus->event = sd_event_unref(bus->event); - return 1; -diff --git a/src/libsystemd/sd-resolve/sd-resolve.c b/src/libsystemd/sd-resolve/sd-resolve.c -index ee973c0692..073b658d3f 100644 ---- a/src/libsystemd/sd-resolve/sd-resolve.c -+++ b/src/libsystemd/sd-resolve/sd-resolve.c -@@ -1285,11 +1285,7 @@ _public_ int sd_resolve_detach_event(sd_resolve *resolve) { - if (!resolve->event) - return 0; - -- if (resolve->event_source) { -- sd_event_source_set_enabled(resolve->event_source, SD_EVENT_OFF); -- resolve->event_source = sd_event_source_unref(resolve->event_source); -- } -- -+ resolve->event_source = sd_event_source_disable_unref(resolve->event_source); - resolve->event = sd_event_unref(resolve->event); - return 1; - } -diff --git a/src/shared/varlink.c b/src/shared/varlink.c -index a57475b5ba..ec062f3da4 100644 ---- a/src/shared/varlink.c -+++ b/src/shared/varlink.c -@@ -2364,14 +2364,8 @@ int varlink_server_detach_event(VarlinkServer *s) { - - assert_return(s, -EINVAL); - -- LIST_FOREACH(sockets, ss, s->sockets) { -- -- if (!ss->event_source) -- continue; -- -- (void) sd_event_source_set_enabled(ss->event_source, SD_EVENT_OFF); -- ss->event_source = sd_event_source_unref(ss->event_source); -- } -+ LIST_FOREACH(sockets, ss, s->sockets) -+ ss->event_source = sd_event_source_disable_unref(ss->event_source); - - sd_event_unref(s->event); - return 0; --- -2.33.0 - diff --git a/backport-udev-add-usec_add-at-one-more-place.patch b/backport-udev-add-usec_add-at-one-more-place.patch deleted file mode 100644 index 7031856..0000000 --- a/backport-udev-add-usec_add-at-one-more-place.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 92fd70addf25d4f301ba43ca3e6ede96d9564295 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 15:41:20 +0900 -Subject: [PATCH] udev: add usec_add() at one more place - -Reference:https://github.com/systemd/systemd/commit/92fd70addf25d4f301ba43ca3e6ede96d9564295 -Conflict:NA - ---- - src/udev/udevd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 279b409..2179825 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -893,7 +893,7 @@ static int event_queue_start(Manager *manager) { - assert_se(sd_event_now(manager->event, CLOCK_MONOTONIC, &usec) >= 0); - /* check for changed config, every 3 seconds at most */ - if (manager->last_usec == 0 || -- usec - manager->last_usec > 3 * USEC_PER_SEC) { -+ usec > usec_add(manager->last_usec, 3 * USEC_PER_SEC)) { - if (udev_rules_check_timestamp(manager->rules) || - udev_builtin_validate()) - manager_reload(manager); --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-also-rename-struct-udev_ctrl-UdevCtrl.patch b/backport-udev-also-rename-struct-udev_ctrl-UdevCtrl.patch deleted file mode 100644 index 5013b29..0000000 --- a/backport-udev-also-rename-struct-udev_ctrl-UdevCtrl.patch +++ /dev/null @@ -1,350 +0,0 @@ -From e0d61dac3324abc90f61014a98b1bc5a9a1f60ae Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 16 Jun 2021 19:18:56 +0900 -Subject: [PATCH] udev: also rename struct udev_ctrl -> UdevCtrl - -Reference:https://github.com/systemd/systemd/commit/e0d61dac3324abc90f61014a98b1bc5a9a1f60ae -Conflict:NA - ---- - src/udev/udev-ctrl.c | 52 ++++++++++++++++++------------------ - src/udev/udev-ctrl.h | 54 +++++++++++++++++++------------------- - src/udev/udevadm-control.c | 2 +- - src/udev/udevadm-settle.c | 2 +- - src/udev/udevadm-trigger.c | 2 +- - src/udev/udevd.c | 4 +-- - 6 files changed, 58 insertions(+), 58 deletions(-) - -diff --git a/src/udev/udev-ctrl.c b/src/udev/udev-ctrl.c -index 3d563547190c..00279ba3d87d 100644 ---- a/src/udev/udev-ctrl.c -+++ b/src/udev/udev-ctrl.c -@@ -23,14 +23,14 @@ - /* wire protocol magic must match */ - #define UDEV_CTRL_MAGIC 0xdead1dea - --struct udev_ctrl_msg_wire { -+typedef struct UdevCtrlMessageWire { - char version[16]; - unsigned magic; -- enum udev_ctrl_msg_type type; -- union udev_ctrl_msg_value value; --}; -+ UdevCtrlMessageType type; -+ UdevCtrlMessageValue value; -+} UdevCtrlMessageWire; - --struct udev_ctrl { -+struct UdevCtrl { - unsigned n_ref; - int sock; - int sock_connect; -@@ -47,9 +47,9 @@ struct udev_ctrl { - void *userdata; - }; - --int udev_ctrl_new_from_fd(struct udev_ctrl **ret, int fd) { -+int udev_ctrl_new_from_fd(UdevCtrl **ret, int fd) { - _cleanup_close_ int sock = -1; -- struct udev_ctrl *uctrl; -+ UdevCtrl *uctrl; - - assert(ret); - -@@ -59,11 +59,11 @@ int udev_ctrl_new_from_fd(struct udev_ctrl **ret, int fd) { - return log_error_errno(errno, "Failed to create socket: %m"); - } - -- uctrl = new(struct udev_ctrl, 1); -+ uctrl = new(UdevCtrl, 1); - if (!uctrl) - return -ENOMEM; - -- *uctrl = (struct udev_ctrl) { -+ *uctrl = (UdevCtrl) { - .n_ref = 1, - .sock = fd >= 0 ? fd : TAKE_FD(sock), - .sock_connect = -1, -@@ -81,7 +81,7 @@ int udev_ctrl_new_from_fd(struct udev_ctrl **ret, int fd) { - return 0; - } - --int udev_ctrl_enable_receiving(struct udev_ctrl *uctrl) { -+int udev_ctrl_enable_receiving(UdevCtrl *uctrl) { - int r; - - assert(uctrl); -@@ -107,7 +107,7 @@ int udev_ctrl_enable_receiving(struct udev_ctrl *uctrl) { - return 0; - } - --static void udev_ctrl_disconnect(struct udev_ctrl *uctrl) { -+static void udev_ctrl_disconnect(UdevCtrl *uctrl) { - if (!uctrl) - return; - -@@ -115,7 +115,7 @@ static void udev_ctrl_disconnect(struct udev_ctrl *uctrl) { - uctrl->sock_connect = safe_close(uctrl->sock_connect); - } - --static struct udev_ctrl *udev_ctrl_free(struct udev_ctrl *uctrl) { -+static UdevCtrl *udev_ctrl_free(UdevCtrl *uctrl) { - assert(uctrl); - - udev_ctrl_disconnect(uctrl); -@@ -127,9 +127,9 @@ static struct udev_ctrl *udev_ctrl_free(struct udev_ctrl *uctrl) { - return mfree(uctrl); - } - --DEFINE_TRIVIAL_REF_UNREF_FUNC(struct udev_ctrl, udev_ctrl, udev_ctrl_free); -+DEFINE_TRIVIAL_REF_UNREF_FUNC(UdevCtrl, udev_ctrl, udev_ctrl_free); - --int udev_ctrl_cleanup(struct udev_ctrl *uctrl) { -+int udev_ctrl_cleanup(UdevCtrl *uctrl) { - if (!uctrl) - return 0; - if (uctrl->cleanup_socket) -@@ -137,7 +137,7 @@ int udev_ctrl_cleanup(struct udev_ctrl *uctrl) { - return 0; - } - --int udev_ctrl_attach_event(struct udev_ctrl *uctrl, sd_event *event) { -+int udev_ctrl_attach_event(UdevCtrl *uctrl, sd_event *event) { - int r; - - assert_return(uctrl, -EINVAL); -@@ -154,25 +154,25 @@ int udev_ctrl_attach_event(struct udev_ctrl *uctrl, sd_event *event) { - return 0; - } - --sd_event_source *udev_ctrl_get_event_source(struct udev_ctrl *uctrl) { -+sd_event_source *udev_ctrl_get_event_source(UdevCtrl *uctrl) { - assert(uctrl); - - return uctrl->event_source; - } - --static void udev_ctrl_disconnect_and_listen_again(struct udev_ctrl *uctrl) { -+static void udev_ctrl_disconnect_and_listen_again(UdevCtrl *uctrl) { - udev_ctrl_disconnect(uctrl); - udev_ctrl_unref(uctrl); - (void) sd_event_source_set_enabled(uctrl->event_source, SD_EVENT_ON); - /* We don't return NULL here because uctrl is not freed */ - } - --DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(struct udev_ctrl*, udev_ctrl_disconnect_and_listen_again, NULL); -+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(UdevCtrl*, udev_ctrl_disconnect_and_listen_again, NULL); - - static int udev_ctrl_connection_event_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata) { -- _cleanup_(udev_ctrl_disconnect_and_listen_againp) struct udev_ctrl *uctrl = NULL; -- struct udev_ctrl_msg_wire msg_wire; -- struct iovec iov = IOVEC_MAKE(&msg_wire, sizeof(struct udev_ctrl_msg_wire)); -+ _cleanup_(udev_ctrl_disconnect_and_listen_againp) UdevCtrl *uctrl = NULL; -+ UdevCtrlMessageWire msg_wire; -+ struct iovec iov = IOVEC_MAKE(&msg_wire, sizeof(UdevCtrlMessageWire)); - CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred))) control; - struct msghdr smsg = { - .msg_iov = &iov, -@@ -235,7 +235,7 @@ static int udev_ctrl_connection_event_handler(sd_event_source *s, int fd, uint32 - } - - static int udev_ctrl_event_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata) { -- struct udev_ctrl *uctrl = userdata; -+ UdevCtrl *uctrl = userdata; - _cleanup_close_ int sock = -1; - struct ucred ucred; - int r; -@@ -282,7 +282,7 @@ static int udev_ctrl_event_handler(sd_event_source *s, int fd, uint32_t revents, - return 0; - } - --int udev_ctrl_start(struct udev_ctrl *uctrl, udev_ctrl_handler_t callback, void *userdata) { -+int udev_ctrl_start(UdevCtrl *uctrl, udev_ctrl_handler_t callback, void *userdata) { - int r; - - assert(uctrl); -@@ -309,8 +309,8 @@ int udev_ctrl_start(struct udev_ctrl *uctrl, udev_ctrl_handler_t callback, void - return 0; - } - --int udev_ctrl_send(struct udev_ctrl *uctrl, enum udev_ctrl_msg_type type, int intval, const char *buf) { -- struct udev_ctrl_msg_wire ctrl_msg_wire = { -+int udev_ctrl_send(UdevCtrl *uctrl, UdevCtrlMessageType type, int intval, const char *buf) { -+ UdevCtrlMessageWire ctrl_msg_wire = { - .version = "udev-" STRINGIFY(PROJECT_VERSION), - .magic = UDEV_CTRL_MAGIC, - .type = type, -@@ -339,7 +339,7 @@ int udev_ctrl_send(struct udev_ctrl *uctrl, enum udev_ctrl_msg_type type, int in - return 0; - } - --int udev_ctrl_wait(struct udev_ctrl *uctrl, usec_t timeout) { -+int udev_ctrl_wait(UdevCtrl *uctrl, usec_t timeout) { - _cleanup_(sd_event_source_unrefp) sd_event_source *source_io = NULL, *source_timeout = NULL; - int r; - -diff --git a/src/udev/udev-ctrl.h b/src/udev/udev-ctrl.h -index 680fbf7bff1d..ca80c2aa4e0d 100644 ---- a/src/udev/udev-ctrl.h -+++ b/src/udev/udev-ctrl.h -@@ -6,9 +6,9 @@ - #include "macro.h" - #include "time-util.h" - --struct udev_ctrl; -+typedef struct UdevCtrl UdevCtrl; - --enum udev_ctrl_msg_type { -+typedef enum UdevCtrlMessageType { - _UDEV_CTRL_END_MESSAGES, - UDEV_CTRL_SET_LOG_LEVEL, - UDEV_CTRL_STOP_EXEC_QUEUE, -@@ -18,62 +18,62 @@ enum udev_ctrl_msg_type { - UDEV_CTRL_SET_CHILDREN_MAX, - UDEV_CTRL_PING, - UDEV_CTRL_EXIT, --}; -+} UdevCtrlMessageType; - --union udev_ctrl_msg_value { -+typedef union UdevCtrlMessageValue { - int intval; - char buf[256]; --}; -+} UdevCtrlMessageValue; - --typedef int (*udev_ctrl_handler_t)(struct udev_ctrl *udev_ctrl, enum udev_ctrl_msg_type type, -- const union udev_ctrl_msg_value *value, void *userdata); -+typedef int (*udev_ctrl_handler_t)(UdevCtrl *udev_ctrl, UdevCtrlMessageType type, -+ const UdevCtrlMessageValue *value, void *userdata); - --int udev_ctrl_new_from_fd(struct udev_ctrl **ret, int fd); --static inline int udev_ctrl_new(struct udev_ctrl **ret) { -+int udev_ctrl_new_from_fd(UdevCtrl **ret, int fd); -+static inline int udev_ctrl_new(UdevCtrl **ret) { - return udev_ctrl_new_from_fd(ret, -1); - } - --int udev_ctrl_enable_receiving(struct udev_ctrl *uctrl); --struct udev_ctrl *udev_ctrl_ref(struct udev_ctrl *uctrl); --struct udev_ctrl *udev_ctrl_unref(struct udev_ctrl *uctrl); --int udev_ctrl_cleanup(struct udev_ctrl *uctrl); --int udev_ctrl_attach_event(struct udev_ctrl *uctrl, sd_event *event); --int udev_ctrl_start(struct udev_ctrl *uctrl, udev_ctrl_handler_t callback, void *userdata); --sd_event_source *udev_ctrl_get_event_source(struct udev_ctrl *uctrl); -+int udev_ctrl_enable_receiving(UdevCtrl *uctrl); -+UdevCtrl *udev_ctrl_ref(UdevCtrl *uctrl); -+UdevCtrl *udev_ctrl_unref(UdevCtrl *uctrl); -+int udev_ctrl_cleanup(UdevCtrl *uctrl); -+int udev_ctrl_attach_event(UdevCtrl *uctrl, sd_event *event); -+int udev_ctrl_start(UdevCtrl *uctrl, udev_ctrl_handler_t callback, void *userdata); -+sd_event_source *udev_ctrl_get_event_source(UdevCtrl *uctrl); - --int udev_ctrl_wait(struct udev_ctrl *uctrl, usec_t timeout); -+int udev_ctrl_wait(UdevCtrl *uctrl, usec_t timeout); - --int udev_ctrl_send(struct udev_ctrl *uctrl, enum udev_ctrl_msg_type type, int intval, const char *buf); --static inline int udev_ctrl_send_set_log_level(struct udev_ctrl *uctrl, int priority) { -+int udev_ctrl_send(UdevCtrl *uctrl, UdevCtrlMessageType type, int intval, const char *buf); -+static inline int udev_ctrl_send_set_log_level(UdevCtrl *uctrl, int priority) { - return udev_ctrl_send(uctrl, UDEV_CTRL_SET_LOG_LEVEL, priority, NULL); - } - --static inline int udev_ctrl_send_stop_exec_queue(struct udev_ctrl *uctrl) { -+static inline int udev_ctrl_send_stop_exec_queue(UdevCtrl *uctrl) { - return udev_ctrl_send(uctrl, UDEV_CTRL_STOP_EXEC_QUEUE, 0, NULL); - } - --static inline int udev_ctrl_send_start_exec_queue(struct udev_ctrl *uctrl) { -+static inline int udev_ctrl_send_start_exec_queue(UdevCtrl *uctrl) { - return udev_ctrl_send(uctrl, UDEV_CTRL_START_EXEC_QUEUE, 0, NULL); - } - --static inline int udev_ctrl_send_reload(struct udev_ctrl *uctrl) { -+static inline int udev_ctrl_send_reload(UdevCtrl *uctrl) { - return udev_ctrl_send(uctrl, UDEV_CTRL_RELOAD, 0, NULL); - } - --static inline int udev_ctrl_send_set_env(struct udev_ctrl *uctrl, const char *key) { -+static inline int udev_ctrl_send_set_env(UdevCtrl *uctrl, const char *key) { - return udev_ctrl_send(uctrl, UDEV_CTRL_SET_ENV, 0, key); - } - --static inline int udev_ctrl_send_set_children_max(struct udev_ctrl *uctrl, int count) { -+static inline int udev_ctrl_send_set_children_max(UdevCtrl *uctrl, int count) { - return udev_ctrl_send(uctrl, UDEV_CTRL_SET_CHILDREN_MAX, count, NULL); - } - --static inline int udev_ctrl_send_ping(struct udev_ctrl *uctrl) { -+static inline int udev_ctrl_send_ping(UdevCtrl *uctrl) { - return udev_ctrl_send(uctrl, UDEV_CTRL_PING, 0, NULL); - } - --static inline int udev_ctrl_send_exit(struct udev_ctrl *uctrl) { -+static inline int udev_ctrl_send_exit(UdevCtrl *uctrl) { - return udev_ctrl_send(uctrl, UDEV_CTRL_EXIT, 0, NULL); - } - --DEFINE_TRIVIAL_CLEANUP_FUNC(struct udev_ctrl*, udev_ctrl_unref); -+DEFINE_TRIVIAL_CLEANUP_FUNC(UdevCtrl*, udev_ctrl_unref); -diff --git a/src/udev/udevadm-control.c b/src/udev/udevadm-control.c -index 20820dd64723..06c61e5c07c6 100644 ---- a/src/udev/udevadm-control.c -+++ b/src/udev/udevadm-control.c -@@ -48,7 +48,7 @@ static int help(void) { - } - - int control_main(int argc, char *argv[], void *userdata) { -- _cleanup_(udev_ctrl_unrefp) struct udev_ctrl *uctrl = NULL; -+ _cleanup_(udev_ctrl_unrefp) UdevCtrl *uctrl = NULL; - usec_t timeout = 60 * USEC_PER_SEC; - int c, r; - -diff --git a/src/udev/udevadm-settle.c b/src/udev/udevadm-settle.c -index 84b4f9ca4588..6da9439bd28a 100644 ---- a/src/udev/udevadm-settle.c -+++ b/src/udev/udevadm-settle.c -@@ -176,7 +176,7 @@ int settle_main(int argc, char *argv[], void *userdata) { - - /* guarantee that the udev daemon isn't pre-processing */ - if (getuid() == 0) { -- _cleanup_(udev_ctrl_unrefp) struct udev_ctrl *uctrl = NULL; -+ _cleanup_(udev_ctrl_unrefp) UdevCtrl *uctrl = NULL; - - if (udev_ctrl_new(&uctrl) >= 0) { - r = udev_ctrl_send_ping(uctrl); -diff --git a/src/udev/udevadm-trigger.c b/src/udev/udevadm-trigger.c -index 8acf3d9b1189..a24073fb7341 100644 ---- a/src/udev/udevadm-trigger.c -+++ b/src/udev/udevadm-trigger.c -@@ -421,7 +421,7 @@ int trigger_main(int argc, char *argv[], void *userdata) { - } - - if (ping) { -- _cleanup_(udev_ctrl_unrefp) struct udev_ctrl *uctrl = NULL; -+ _cleanup_(udev_ctrl_unrefp) UdevCtrl *uctrl = NULL; - - r = udev_ctrl_new(&uctrl); - if (r < 0) -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 6baedd2f2e69..a35b095dd141 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -94,7 +94,7 @@ typedef struct Manager { - sd_netlink *rtnl; - - sd_device_monitor *monitor; -- struct udev_ctrl *ctrl; -+ UdevCtrl *ctrl; - int worker_watch[2]; - - /* used by udev-watch */ -@@ -1067,7 +1067,7 @@ static int on_uevent(sd_device_monitor *monitor, sd_device *dev, void *userdata) - } - - /* receive the udevd message from userspace */ --static int on_ctrl_msg(struct udev_ctrl *uctrl, enum udev_ctrl_msg_type type, const union udev_ctrl_msg_value *value, void *userdata) { -+static int on_ctrl_msg(UdevCtrl *uctrl, UdevCtrlMessageType type, const UdevCtrlMessageValue *value, void *userdata) { - Manager *manager = userdata; - int r; - diff --git a/backport-udev-assume-block-device-is-not-locked-when-a-new-event-is-queued.patch b/backport-udev-assume-block-device-is-not-locked-when-a-new-event-is-queued.patch deleted file mode 100644 index 9790e2d..0000000 --- a/backport-udev-assume-block-device-is-not-locked-when-a-new-event-is-queued.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 82a5de9fd289e1d9b109528bcdddb74534e1a4bf Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 25 Mar 2022 02:56:58 +0900 -Subject: [PATCH] udev: assume block device is not locked when a new event is - queued - -Then, hopefully, previously requeued events are processed earlier. - -Reference:https://github.com/systemd/systemd/commit/82a5de9fd289e1d9b109528bcdddb74534e1a4bf -Conflict:adaption - ---- - src/udev/udevd.c | 40 +++++++++++++++++++++++++++++++++++++++- - 1 file changed, 39 insertions(+), 1 deletion(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index eebb2f8..e0f70cc 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -1033,6 +1033,40 @@ static int event_requeue(Event *event) { - return 0; - } - -+static int event_queue_assume_block_device_unlocked(Manager *manager, sd_device *dev) { -+ const char *devname; -+ Event * event; -+ int r; -+ -+ /* When a new event for a block device is queued or we get an inotify event, assume that the -+ * device is not locked anymore. The assumption may not be true, but that should not cause any -+ * issues, as in that case events will be requeued soon. */ -+ -+ r = device_get_block_device(dev, &devname); -+ if (r <= 0) -+ return r; -+ -+ LIST_FOREACH(event, event, manager->events) { -+ const char *event_devname; -+ -+ if (event->state != EVENT_QUEUED) -+ continue; -+ -+ if (event->retry_again_next_usec == 0) -+ continue; -+ -+ if (device_get_block_device(event->dev, &event_devname) <= 0) -+ continue; -+ -+ if (!streq(devname, event_devname)) -+ continue; -+ -+ event->retry_again_next_usec = 0; -+ } -+ -+ return 0; -+} -+ - static int event_queue_insert(Manager *manager, sd_device *dev) { - sd_device_action_t action; - uint64_t seqnum; -@@ -1095,6 +1129,8 @@ static int on_uevent(sd_device_monitor *monitor, sd_device *dev, void *userdata) - return 1; - } - -+ (void) event_queue_assume_block_device_unlocked(manager, dev); -+ - /* we have fresh events, try to schedule them */ - event_queue_start(manager); - -@@ -1426,8 +1462,10 @@ static int on_inotify(sd_event_source *s, int fd, uint32_t revents, void *userda - continue; - - log_device_debug(dev, "Inotify event: %x for %s", e->mask, devnode); -- if (e->mask & IN_CLOSE_WRITE) -+ if (e->mask & IN_CLOSE_WRITE) { -+ (void) event_queue_assume_block_device_unlocked(manager, dev); - (void) synthesize_change(dev); -+ } - - /* Do not handle IN_IGNORED here. It should be handled by worker in 'remove' uevent; - * udev_event_execute_rules() -> event_execute_rules_on_remove() -> udev_watch_end(). */ diff --git a/backport-udev-assume-there-is-no-blocker-when-failed-to-check-event.patch b/backport-udev-assume-there-is-no-blocker-when-failed-to-check-event.patch deleted file mode 100644 index ad64bd4..0000000 --- a/backport-udev-assume-there-is-no-blocker-when-failed-to-check-event.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 2d40f02ee4317233365f53c85234be3af6b000a6 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 12 Mar 2022 20:57:15 +0900 -Subject: [PATCH] udev: assume there is no blocker when failed to check event - dependencies - -Previously, if udevd failed to resolve event dependency, the event is -ignored and libudev listeners did not receive the event. This is -inconsistent with the case when a worker failed to process a event, -in that case, the original uevent sent by the kernel is broadcasted to -listeners. - -Reference:https://github.com/systemd/systemd/commit/2d40f02ee4317233365f53c85234be3af6b000a6 -Conflict:NA - ---- - src/udev/udevd.c | 13 +++++-------- - 1 file changed, 5 insertions(+), 8 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index f1f864a4610c..8c690357b8d3 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -951,24 +951,21 @@ static int event_queue_start(Manager *manager) { - - /* do not start event if parent or child event is still running or queued */ - r = event_is_blocked(event); -+ if (r > 0) -+ continue; - if (r < 0) { - sd_device_action_t a = _SD_DEVICE_ACTION_INVALID; - - (void) sd_device_get_action(event->dev, &a); - log_device_warning_errno(event->dev, r, -- "Failed to check event dependency, " -- "skipping event (SEQNUM=%"PRIu64", ACTION=%s)", -+ "Failed to check dependencies for event (SEQNUM=%"PRIu64", ACTION=%s), " -+ "assuming there is no blocking event, ignoring: %m", - event->seqnum, - strna(device_action_to_string(a))); -- -- event_free(event); -- return r; - } -- if (r > 0) -- continue; - - r = event_run(event); -- if (r <= 0) -+ if (r <= 0) /* 0 means there are no idle workers. Let's escape from the loop. */ - return r; - } - - \ No newline at end of file diff --git a/backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch b/backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch deleted file mode 100644 index 387daa8..0000000 --- a/backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch +++ /dev/null @@ -1,69 +0,0 @@ -From c6cdd3489f2abfd0a868ad5d8d42b166d7eec33f Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Wed, 23 Feb 2022 09:12:43 +1000 -Subject: [PATCH] udev-builtin-input_id: don't label absolute mice as pointing - sticks - -The Getac UX10 tablet exposes a "CUST0000:00 0EEF:C002 Mouse" device -with BTN_LEFT/RIGHT and ABS_X/Y on the i2c bus. This causes the builtin -to incorrectly label it as pointing stick (all i2c mice are -tagged as ID_INPUT_POINTING_STICK, see 3d7ac1c655ec4). - -Fix this by adding a separate variable for absolute pointing -devices like the VMmouse USB mouse or this Getac tablet - this way we -skip the pointing stick check. - -See https://gitlab.freedesktop.org/libinput/libinput/-/issues/743 -for recordings. - -(cherry picked from commit 8ac9ec4d5c210825759d515422d3e66c20615fc1) -(cherry picked from commit ea5701eb64ff40f915567ae4088ffb7efc0f4155) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/c6cdd3489f2abfd0a868ad5d8d42b166d7eec33f ---- - src/udev/udev-builtin-input_id.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/udev/udev-builtin-input_id.c b/src/udev/udev-builtin-input_id.c -index dda53b6da0..f62dffbc58 100644 ---- a/src/udev/udev-builtin-input_id.c -+++ b/src/udev/udev-builtin-input_id.c -@@ -168,6 +168,7 @@ static bool test_pointers(sd_device *dev, - bool finger_but_no_pen = false; - bool has_mouse_button = false; - bool is_mouse = false; -+ bool is_abs_mouse = false; - bool is_touchpad = false; - bool is_touchscreen = false; - bool is_tablet = false; -@@ -232,7 +233,7 @@ static bool test_pointers(sd_device *dev, - else if (has_mouse_button) - /* This path is taken by VMware's USB mouse, which has - * absolute axes, but no touch/pressure button. */ -- is_mouse = true; -+ is_abs_mouse = true; - else if (has_touch || is_direct) - is_touchscreen = true; - else if (has_joystick_axes_or_buttons) -@@ -264,7 +265,7 @@ static bool test_pointers(sd_device *dev, - - if (is_pointing_stick) - udev_builtin_add_property(dev, test, "ID_INPUT_POINTINGSTICK", "1"); -- if (is_mouse) -+ if (is_mouse || is_abs_mouse) - udev_builtin_add_property(dev, test, "ID_INPUT_MOUSE", "1"); - if (is_touchpad) - udev_builtin_add_property(dev, test, "ID_INPUT_TOUCHPAD", "1"); -@@ -277,7 +278,7 @@ static bool test_pointers(sd_device *dev, - if (is_tablet_pad) - udev_builtin_add_property(dev, test, "ID_INPUT_TABLET_PAD", "1"); - -- return is_tablet || is_mouse || is_touchpad || is_touchscreen || is_joystick || is_pointing_stick; -+ return is_tablet || is_mouse || is_abs_mouse || is_touchpad || is_touchscreen || is_joystick || is_pointing_stick; - } - - /* key like devices */ --- -2.33.0 - diff --git a/backport-udev-cdrom_id-check-last-track-info.patch b/backport-udev-cdrom_id-check-last-track-info.patch deleted file mode 100644 index 04ced42..0000000 --- a/backport-udev-cdrom_id-check-last-track-info.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c3fcff52912b0323e11f535fce151dc758f111e6 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 14 Aug 2022 06:00:10 +0900 -Subject: [PATCH] udev/cdrom_id: check last track info - -Fixes off-by-one issue. - -Fixes #24306. - -(cherry picked from commit 628998ecfa0d39b38874e1aecdb28022f80f3269) -(cherry picked from commit c67a388aeffcdc27ff280f01b7939005f7a9c8e9) ---- - src/udev/cdrom_id/cdrom_id.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/udev/cdrom_id/cdrom_id.c b/src/udev/cdrom_id/cdrom_id.c -index cdb66bb3b7..964eb6988e 100644 ---- a/src/udev/cdrom_id/cdrom_id.c -+++ b/src/udev/cdrom_id/cdrom_id.c -@@ -704,7 +704,7 @@ static int cd_media_toc(Context *c) { - /* Take care to not iterate beyond the last valid track as specified in - * the TOC, but also avoid going beyond the TOC length, just in case - * the last track number is invalidly large */ -- for (size_t i = 4; i + 8 < len && num_tracks > 0; i += 8, --num_tracks) { -+ for (size_t i = 4; i + 8 <= len && num_tracks > 0; i += 8, --num_tracks) { - bool is_data_track; - uint32_t block; - --- -2.33.0 - diff --git a/backport-udev-certainly-restart-event-for-previously-locked-device.patch b/backport-udev-certainly-restart-event-for-previously-locked-device.patch deleted file mode 100644 index 83682e4..0000000 --- a/backport-udev-certainly-restart-event-for-previously-locked-device.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 4f294ffdf18ab9f187400dbbab593a980e60be89 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 26 Aug 2022 00:16:17 +0900 -Subject: [PATCH] udev: certainly restart event for previously locked device - -If udevd receives a uevent for a locked block device, then the event -is requeued. However, the queued event will be processed only when at -least one sd_event_source is processed. Hence, if udevd has no event -under processing, or receives no new uevent, etc., then the requeued -event will be never processed. - -Follow-up for 400e3d21f8cae53a8ba9f9567f244fbf6f3e076c. - -Fixes #24439. - -Reference:https://github.com/systemd/systemd/commit/4f294ffdf18ab9f187400dbbab593a980e60be89 -Conflict:adaption because previous commits in https://github.com/systemd/systemd/pull/23088 are not introduced - ---- - src/udev/udevd.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index a979d43..b15a9d4 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -129,8 +129,11 @@ typedef struct Event { - sd_device_action_t action; - uint64_t seqnum; - uint64_t blocker_seqnum; -+ -+ /* Used when the device is locked by another program. */ - usec_t retry_again_next_usec; - usec_t retry_again_timeout_usec; -+ sd_event_source *retry_event_source; - - sd_event_source *timeout_warning_event; - sd_event_source *timeout_event; -@@ -172,6 +175,7 @@ static Event *event_free(Event *event) { - LIST_REMOVE(event, event->manager->events, event); - sd_device_unref(event->dev); - -+ sd_event_source_unref(event->retry_event_source); - sd_event_source_unref(event->timeout_warning_event); - sd_event_source_unref(event->timeout_event); - -@@ -749,6 +753,8 @@ static int event_run(Event *event) { - - log_device_uevent(event->dev, "Device ready for processing"); - -+ (void) event_source_disable(event->retry_event_source); -+ - manager = event->manager; - HASHMAP_FOREACH(worker, manager->workers) { - if (worker->state != WORKER_IDLE) -@@ -995,6 +1001,11 @@ static int event_queue_start(Manager *manager) { - return 0; - } - -+static int on_event_retry(sd_event_source *s, uint64_t usec, void *userdata) { -+ /* This does nothing. The on_post() callback will start the event if there exists an idle worker. */ -+ return 1; -+} -+ - static int event_requeue(Event *event) { - usec_t now_usec; - int r; -@@ -1025,6 +1036,15 @@ static int event_requeue(Event *event) { - if (event->retry_again_timeout_usec == 0) - event->retry_again_timeout_usec = usec_add(now_usec, EVENT_RETRY_TIMEOUT_USEC); - -+ r = event_reset_time_relative(event->manager->event, &event->retry_event_source, -+ CLOCK_MONOTONIC, EVENT_RETRY_INTERVAL_USEC, 0, -+ on_event_retry, NULL, -+ 0, "retry-event", true); -+ if (r < 0) -+ return log_device_warning_errno(event->dev, r, "Failed to reset timer event source for retrying event, " -+ "skipping event (SEQNUM=%"PRIu64", ACTION=%s): %m", -+ event->seqnum, strna(device_action_to_string(event->action))); -+ - if (event->worker && event->worker->event == event) - event->worker->event = NULL; - event->worker = NULL; --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-do-not-try-to-find-blocker-again-when-no-blocker-found.patch b/backport-udev-do-not-try-to-find-blocker-again-when-no-blocker-found.patch deleted file mode 100644 index 7a122ff..0000000 --- a/backport-udev-do-not-try-to-find-blocker-again-when-no-blocker-found.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 044ac33c35ab1aeb35fc8b84462a9549cbbac294 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 16:57:32 +0900 -Subject: [PATCH] udev: do not try to find blocker again when no blocker found - previously - -Reference:https://github.com/systemd/systemd/commit/044ac33c35ab1aeb35fc8b84462a9549cbbac294 -Conflict:NA - ---- - src/udev/udevd.c | 45 +++++++++++++++++++++++++++++++++++---------- - 1 file changed, 35 insertions(+), 10 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 20bd556..be2c3ee 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -783,6 +783,35 @@ static int event_is_blocked(Event *event) { - - /* lookup event for identical, parent, child device */ - -+ assert(event); -+ assert(event->manager); -+ assert(event->blocker_seqnum <= event->seqnum); -+ -+ if (event->blocker_seqnum == event->seqnum) -+ /* we have checked previously and no blocker found */ -+ return false; -+ -+ LIST_FOREACH(event, loop_event, event->manager->events) { -+ /* we already found a later event, earlier cannot block us, no need to check again */ -+ if (loop_event->seqnum < event->blocker_seqnum) -+ continue; -+ -+ /* event we checked earlier still exists, no need to check again */ -+ if (loop_event->seqnum == event->blocker_seqnum) -+ return true; -+ -+ /* found ourself, no later event can block us */ -+ if (loop_event->seqnum >= event->seqnum) -+ goto no_blocker; -+ -+ /* found event we have not checked */ -+ break; -+ } -+ -+ assert(loop_event); -+ assert(loop_event->seqnum > event->blocker_seqnum && -+ loop_event->seqnum < event->seqnum); -+ - r = sd_device_get_subsystem(event->dev, &subsystem); - if (r < 0) - return r; -@@ -808,21 +837,13 @@ static int event_is_blocked(Event *event) { - return r; - - /* check if queue contains events we depend on */ -- LIST_FOREACH(event, loop_event, event->manager->events) { -+ LIST_FOREACH(event, loop_event, loop_event) { - size_t loop_devpath_len, common; - const char *loop_devpath; - -- /* we already found a later event, earlier cannot block us, no need to check again */ -- if (loop_event->seqnum < event->blocker_seqnum) -- continue; -- -- /* event we checked earlier still exists, no need to check again */ -- if (loop_event->seqnum == event->blocker_seqnum) -- return true; -- - /* found ourself, no later event can block us */ - if (loop_event->seqnum >= event->seqnum) -- return false; -+ goto no_blocker; - - /* check major/minor */ - if (major(devnum) != 0) { -@@ -882,6 +903,10 @@ static int event_is_blocked(Event *event) { - - event->blocker_seqnum = loop_event->seqnum; - return true; -+ -+no_blocker: -+ event->blocker_seqnum = event->seqnum; -+ return false; - } - - static int event_queue_start(Manager *manager) { --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-do-not-try-to-process-events-if-there-is-no-free-worker.patch b/backport-udev-do-not-try-to-process-events-if-there-is-no-free-worker.patch deleted file mode 100644 index b89df06..0000000 --- a/backport-udev-do-not-try-to-process-events-if-there-is-no-free-worker.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 5f4bca9dccdd9e9a888587c6224b08ae5fbe3bdb Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 15:51:34 +0900 -Subject: [PATCH] udev: do not try to process events if there is no free worker - -Reference:https://github.com/systemd/systemd/commit/5f4bca9dccdd9e9a888587c6224b08ae5fbe3bdb -Conflict:NA - ---- - src/udev/udevd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 7f41336..e99c2c0 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -927,7 +927,7 @@ static int event_queue_start(Manager *manager) { - continue; - - r = event_run(event); -- if (r < 0) -+ if (r <= 0) - return r; - } - --- -2.33.0 - diff --git a/backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch b/backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch deleted file mode 100644 index 33a4b1b..0000000 --- a/backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 214ea3a26e9cc5dda8530a45a71b052e75a250a4 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 24 Oct 2021 20:43:34 +0900 -Subject: [PATCH] udev: do not try to rename interface if it is already up - -See dev_change_name() in kernel's net/core/dev.c. - -Fixes #21105. - -(cherry picked from commit 6681eb021a0b56ef0dc849e3b358a515ece16482) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/214ea3a26e9cc5dda8530a45a71b052e75a250a4 ---- - src/udev/udev-event.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c -index b28089be71..9854270b27 100644 ---- a/src/udev/udev-event.c -+++ b/src/udev/udev-event.c -@@ -828,6 +828,7 @@ int udev_event_spawn(UdevEvent *event, - static int rename_netif(UdevEvent *event) { - sd_device *dev = event->dev; - const char *oldname; -+ unsigned flags; - int ifindex, r; - - if (!event->name) -@@ -855,6 +856,16 @@ static int rename_netif(UdevEvent *event) { - return 0; - } - -+ r = rtnl_get_link_info(&event->rtnl, ifindex, NULL, &flags); -+ if (r < 0) -+ return log_device_warning_errno(dev, r, "Failed to get link flags: %m"); -+ -+ if (FLAGS_SET(flags, IFF_UP)) { -+ log_device_info(dev, "Network interface '%s' is already up, refusing to rename to '%s'.", -+ oldname, event->name); -+ return 0; -+ } -+ - /* Set ID_RENAMING boolean property here, and drop it in the corresponding move uevent later. */ - r = device_add_property(dev, "ID_RENAMING", "1"); - if (r < 0) --- -2.33.0 - diff --git a/backport-udev-drop-unnecessary-calls-of-event_queue_start.patch b/backport-udev-drop-unnecessary-calls-of-event_queue_start.patch deleted file mode 100644 index d9766db..0000000 --- a/backport-udev-drop-unnecessary-calls-of-event_queue_start.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 5fab6b7b18d0158c005a5bcf096face23377af72 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 26 Aug 2022 00:34:15 +0900 -Subject: [PATCH] udev: drop unnecessary calls of event_queue_start() - -As the subsequent call of on_post() will call it if necessary. - -This also drop unnecessary call of event_source_disable() for killing -idle workers, as the event source is disabled in event_queue_start(). - -Reference:https://github.com/systemd/systemd/commit/5fab6b7b18d0158c005a5bcf096face23377af72 -Conflict:adaption - ---- - src/udev/udevd.c | 21 --------------------- - 1 file changed, 21 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index b15a9d4..75e2086 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -1151,9 +1151,6 @@ static int on_uevent(sd_device_monitor *monitor, sd_device *dev, void *userdata) - - (void) event_queue_assume_block_device_unlocked(manager, dev); - -- /* we have fresh events, try to schedule them */ -- event_queue_start(manager); -- - return 1; - } - -@@ -1220,9 +1217,6 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - event_free(worker->event); - } - -- /* we have free workers, try to schedule events */ -- event_queue_start(manager); -- - return 1; - } - -@@ -1456,10 +1450,6 @@ static int on_inotify(sd_event_source *s, int fd, uint32_t revents, void *userda - - assert(manager); - -- r = event_source_disable(manager->kill_workers_event); -- if (r < 0) -- log_warning_errno(r, "Failed to disable event source for cleaning up idle workers, ignoring: %m"); -- - l = read(fd, &buffer, sizeof(buffer)); - if (l < 0) { - if (IN_SET(errno, EAGAIN, EINTR)) -@@ -1516,7 +1506,6 @@ static int on_sighup(sd_event_source *s, const struct signalfd_siginfo *si, void - - static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) { - Manager *manager = userdata; -- int r; - - assert(manager); - -@@ -1565,16 +1554,6 @@ static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *si, voi - worker_free(worker); - } - -- /* we can start new workers, try to schedule events */ -- event_queue_start(manager); -- -- /* Disable unnecessary cleanup event */ -- if (hashmap_isempty(manager->workers)) { -- r = event_source_disable(manager->kill_workers_event); -- if (r < 0) -- log_warning_errno(r, "Failed to disable event source for cleaning up idle workers, ignoring: %m"); -- } -- - return 1; - } - --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-drop-unnecessary-clone-of-received-sd-device-object.patch b/backport-udev-drop-unnecessary-clone-of-received-sd-device-object.patch deleted file mode 100644 index 3a33f70..0000000 --- a/backport-udev-drop-unnecessary-clone-of-received-sd-device-object.patch +++ /dev/null @@ -1,85 +0,0 @@ -From c9473aaa5b69c47edab365b46abee6e9ab5b18dc Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 25 Mar 2022 01:13:39 +0900 -Subject: [PATCH] udev: drop unnecessary clone of received sd-device object - -As the sd-device object received through sd-device-monitor is sealed, -so the corresponding udev database or uevent file will not be read. - -Reference:https://github.com/systemd/systemd/commit/c9473aaa5b69c47edab365b46abee6e9ab5b18dc -Conflict:adaption - ---- - src/udev/udevd.c | 21 ++++----------------- - 1 file changed, 4 insertions(+), 17 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 108142e9c619..05397df7a429 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -124,7 +124,6 @@ typedef struct Event { - EventState state; - - sd_device *dev; -- sd_device *dev_kernel; /* clone of originally received device */ - - uint64_t seqnum; - uint64_t blocker_seqnum; -@@ -163,7 +162,6 @@ static Event *event_free(Event *event) { - - LIST_REMOVE(event, event->manager->events, event); - sd_device_unref(event->dev); -- sd_device_unref(event->dev_kernel); - - sd_event_source_unref(event->timeout_warning_event); - sd_event_source_unref(event->timeout_event); -@@ -973,9 +971,8 @@ static int event_queue_start(Manager *manager) { - } - - static int event_queue_insert(Manager *manager, sd_device *dev) { -- _cleanup_(sd_device_unrefp) sd_device *clone = NULL; -- Event *event; - uint64_t seqnum; -+ Event *event; - int r; - - assert(manager); -@@ -989,15 +986,6 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - if (r < 0) - return r; - -- /* Save original device to restore the state on failures. */ -- r = device_shallow_clone(dev, &clone); -- if (r < 0) -- return r; -- -- r = device_copy_properties(clone, dev); -- if (r < 0) -- return r; -- - event = new(Event, 1); - if (!event) - return -ENOMEM; -@@ -1005,7 +993,6 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - *event = (Event) { - .manager = manager, - .dev = sd_device_ref(dev), -- .dev_kernel = TAKE_PTR(clone), - .seqnum = seqnum, - .state = EVENT_QUEUED, - }; -@@ -1440,10 +1427,10 @@ static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *si, voi - device_tag_index(worker->event->dev, NULL, false); - - if (manager->monitor) { -- /* Forward kernel event unchanged */ -- r = device_monitor_send_device(manager->monitor, NULL, worker->event->dev_kernel); -+ /* Forward kernel event to libudev listeners */ -+ r = device_monitor_send_device(manager->monitor, NULL, worker->event->dev); - if (r < 0) -- log_device_warning_errno(worker->event->dev_kernel, r, -+ log_device_warning_errno(worker->event->dev, r, - "Failed to broadcast failed event to libudev listeners, ignoring: %m"); - } - } - \ No newline at end of file diff --git a/backport-udev-fix-inversed-inequality-for-timeout-of-retrying-event.patch b/backport-udev-fix-inversed-inequality-for-timeout-of-retrying-event.patch deleted file mode 100644 index b8c6fbe..0000000 --- a/backport-udev-fix-inversed-inequality-for-timeout-of-retrying-event.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 400e3d21f8cae53a8ba9f9567f244fbf6f3e076c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 19 Aug 2022 21:25:03 +0900 -Subject: [PATCH] udev: fix inversed inequality for timeout of retrying event - -Follow-up for 5d354e525a56955ae7f68062e283dda85ab07794. - -Reference:https://github.com/systemd/systemd/commit/400e3d21f8cae53a8ba9f9567f244fbf6f3e076c -Conflict:NA - ---- - src/udev/udevd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index a6926bbfb71d..01162bc7b601 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -898,7 +898,7 @@ static int event_is_blocked(Event *event) { - if (r < 0) - return r; - -- if (event->retry_again_next_usec <= now_usec) -+ if (event->retry_again_next_usec > now_usec) - return true; - } - diff --git a/backport-udev-fix-potential-memleak.patch b/backport-udev-fix-potential-memleak.patch deleted file mode 100644 index 27c77fd..0000000 --- a/backport-udev-fix-potential-memleak.patch +++ /dev/null @@ -1,37 +0,0 @@ -From f4a8e2c2115fc901e588a1672f129e7e3371f5d7 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 27 Aug 2021 17:27:26 +0900 -Subject: [PATCH] udev: fix potential memleak - -(cherry picked from commit 4154524d47d24bcee3ebfed939912a847ebeb1b3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/f4a8e2c2115fc901e588a1672f129e7e3371f5d7 ---- - src/udev/udev-builtin-net_id.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c -index 92917852ba..2699a8929f 100644 ---- a/src/udev/udev-builtin-net_id.c -+++ b/src/udev/udev-builtin-net_id.c -@@ -103,7 +103,6 @@ static int get_virtfn_info(sd_device *dev, struct netnames *names, struct virtfn - _cleanup_(sd_device_unrefp) sd_device *physfn_pcidev = NULL; - const char *physfn_link_file, *syspath; - _cleanup_free_ char *physfn_pci_syspath = NULL; -- _cleanup_free_ char *virtfn_pci_syspath = NULL; - struct dirent *dent; - _cleanup_closedir_ DIR *dir = NULL; - char suffix[ALTIFNAMSIZ]; -@@ -134,7 +133,7 @@ static int get_virtfn_info(sd_device *dev, struct netnames *names, struct virtfn - return -errno; - - FOREACH_DIRENT_ALL(dent, dir, break) { -- _cleanup_free_ char *virtfn_link_file = NULL; -+ _cleanup_free_ char *virtfn_link_file = NULL, *virtfn_pci_syspath = NULL; - - if (!startswith(dent->d_name, "virtfn")) - continue; --- -2.33.0 - diff --git a/backport-udev-introduce-device_broadcast_helper_function.patch b/backport-udev-introduce-device_broadcast_helper_function.patch deleted file mode 100644 index 661dd74..0000000 --- a/backport-udev-introduce-device_broadcast_helper_function.patch +++ /dev/null @@ -1,66 +0,0 @@ -From c17ab900cbb47f0c136b141bb83557f112501707 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 25 Mar 2022 02:33:55 +0900 -Subject: [PATCH] udev: introduce device_broadcast() helper function - -Reference:https://github.com/systemd/systemd/commit/c17ab900cbb47f0c136b141bb83557f112501707 -Conflict:NA - ---- - src/udev/udevd.c | 28 ++++++++++++++++++---------- - 1 file changed, 18 insertions(+), 10 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 05397df7a429..53728c9f7971 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -344,6 +344,21 @@ static int on_kill_workers_event(sd_event_source *s, uint64_t usec, void *userda - return 1; - } - -+static void device_broadcast(sd_device_monitor *monitor, sd_device *dev) { -+ int r; -+ -+ assert(dev); -+ -+ /* On exit, manager->monitor is already NULL. */ -+ if (!monitor) -+ return; -+ -+ r = device_monitor_send_device(monitor, NULL, dev); -+ if (r < 0) -+ log_device_warning_errno(dev, r, -+ "Failed to broadcast event to libudev listeners, ignoring: %m"); -+} -+ - static int worker_send_message(int fd) { - WorkerMessage message = {}; - -@@ -558,9 +573,7 @@ static int worker_device_monitor_handler(sd_device_monitor *monitor, sd_device * - log_device_warning_errno(dev, r, "Failed to process device, ignoring: %m"); - - /* send processed event back to libudev listeners */ -- r = device_monitor_send_device(monitor, NULL, dev); -- if (r < 0) -- log_device_warning_errno(dev, r, "Failed to send device, ignoring: %m"); -+ device_broadcast(monitor, dev); - } - - /* send udevd the result of the event execution */ -@@ -1426,13 +1439,8 @@ static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *si, voi - device_delete_db(worker->event->dev); - device_tag_index(worker->event->dev, NULL, false); - -- if (manager->monitor) { -- /* Forward kernel event to libudev listeners */ -- r = device_monitor_send_device(manager->monitor, NULL, worker->event->dev); -- if (r < 0) -- log_device_warning_errno(worker->event->dev, r, -- "Failed to broadcast failed event to libudev listeners, ignoring: %m"); -- } -+ /* Forward kernel event to libudev listeners */ -+ device_broadcast(manager->monitor, worker->event->dev); - } - - worker_free(worker); - \ No newline at end of file diff --git a/backport-udev-make-event_free-return-NULL.patch b/backport-udev-make-event_free-return-NULL.patch deleted file mode 100644 index 662e6b7..0000000 --- a/backport-udev-make-event_free-return-NULL.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 5393c52897ff5b57686c867fcab77f9740f4af24 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 15:21:27 +0900 -Subject: [PATCH] udev: make event_free() return NULL - -Reference:https://github.com/systemd/systemd/commit/5393c52897ff5b57686c867fcab77f9740f4af24.patch -Conflict:NA ---- - src/udev/udevd.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 34a5c9d5d8ee..bb7c0eabe420 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -152,9 +152,9 @@ typedef struct Worker { - typedef struct WorkerMessage { - } WorkerMessage; - --static void event_free(Event *event) { -+static Event *event_free(Event *event) { - if (!event) -- return; -+ return NULL; - - assert(event->manager); - -@@ -174,7 +174,7 @@ static void event_free(Event *event) { - if (unlink("/run/udev/queue") < 0 && errno != ENOENT) - log_warning_errno(errno, "Failed to unlink /run/udev/queue, ignoring: %m"); - -- free(event); -+ return mfree(event); - } - - static void event_queue_cleanup(Manager *manager, EventState match_state) { diff --git a/backport-udev-make-event_queue_start-return-negative-errno-on-error.patch b/backport-udev-make-event_queue_start-return-negative-errno-on-error.patch deleted file mode 100644 index 73ee2f7..0000000 --- a/backport-udev-make-event_queue_start-return-negative-errno-on-error.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 0744e74c526814e28f2fbcea128f40ed36341fcd Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 15:29:02 +0900 -Subject: [PATCH] udev: make event_queue_start() return negative errno on error - -Reference:https://github.com/systemd/systemd/commit/0744e74c526814e28f2fbcea128f40ed36341fcd -Conflict:NA - ---- - src/udev/udevd.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 1b1b126..279b409 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -879,7 +879,7 @@ set_delaying_seqnum: - return true; - } - --static void event_queue_start(Manager *manager) { -+static int event_queue_start(Manager *manager) { - Event *event; - usec_t usec; - int r; -@@ -888,7 +888,7 @@ static void event_queue_start(Manager *manager) { - - if (LIST_IS_EMPTY(manager->events) || - manager->exit || manager->stop_exec_queue) -- return; -+ return 0; - - assert_se(sd_event_now(manager->event, CLOCK_MONOTONIC, &usec) >= 0); - /* check for changed config, every 3 seconds at most */ -@@ -909,10 +909,8 @@ static void event_queue_start(Manager *manager) { - - if (!manager->rules) { - r = udev_rules_load(&manager->rules, arg_resolve_name_timing); -- if (r < 0) { -- log_warning_errno(r, "Failed to read udev rules: %m"); -- return; -- } -+ if (r < 0) -+ return log_warning_errno(r, "Failed to read udev rules: %m"); - } - - LIST_FOREACH(event, event, manager->events) { -@@ -925,6 +923,8 @@ static void event_queue_start(Manager *manager) { - - event_run(manager, event); - } -+ -+ return 0; - } - - static int event_queue_insert(Manager *manager, sd_device *dev) { --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-move-several-functions.patch b/backport-udev-move-several-functions.patch deleted file mode 100644 index 7d69b04..0000000 --- a/backport-udev-move-several-functions.patch +++ /dev/null @@ -1,544 +0,0 @@ -From 419ec631358c8bf7013db01ae42763e6971d8765 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 15:14:59 +0900 -Subject: [PATCH] udev: move several functions - -No functional chage. - -Reference:https://github.com/systemd/systemd/commit/419ec631358c8bf7013db01ae42763e6971d8765 -Conflict:adaption - ---- - src/udev/udevd.c | 434 +++++++++++++++++++++++------------------------ - 1 file changed, 216 insertions(+), 218 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 9c9487f..018809e 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -134,8 +134,6 @@ typedef struct Event { - LIST_FIELDS(Event, event); - } Event; - --static void event_queue_cleanup(Manager *manager, EventState match_state); -- - typedef enum WorkerState { - WORKER_UNDEF, - WORKER_RUNNING, -@@ -181,6 +179,17 @@ static void event_free(Event *event) { - free(event); - } - -+static void event_queue_cleanup(Manager *manager, EventState match_state) { -+ Event *event, *tmp; -+ -+ LIST_FOREACH_SAFE(event, event, tmp, manager->events) { -+ if (match_state != EVENT_UNDEF && match_state != event->state) -+ continue; -+ -+ event_free(event); -+ } -+} -+ - static Worker *worker_free(Worker *worker) { - if (!worker) - return NULL; -@@ -197,6 +206,48 @@ static Worker *worker_free(Worker *worker) { - DEFINE_TRIVIAL_CLEANUP_FUNC(Worker*, worker_free); - DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(worker_hash_op, void, trivial_hash_func, trivial_compare_func, Worker, worker_free); - -+static void manager_clear_for_worker(Manager *manager) { -+ assert(manager); -+ -+ manager->inotify_event = sd_event_source_unref(manager->inotify_event); -+ manager->kill_workers_event = sd_event_source_unref(manager->kill_workers_event); -+ -+ manager->event = sd_event_unref(manager->event); -+ -+ manager->workers = hashmap_free(manager->workers); -+ event_queue_cleanup(manager, EVENT_UNDEF); -+ -+ manager->monitor = sd_device_monitor_unref(manager->monitor); -+ manager->ctrl = udev_ctrl_unref(manager->ctrl); -+ -+ manager->worker_watch[READ_END] = safe_close(manager->worker_watch[READ_END]); -+} -+ -+static Manager* manager_free(Manager *manager) { -+ if (!manager) -+ return NULL; -+ -+ udev_builtin_exit(); -+ -+ if (manager->pid == getpid_cached()) -+ udev_ctrl_cleanup(manager->ctrl); -+ -+ manager_clear_for_worker(manager); -+ -+ sd_netlink_unref(manager->rtnl); -+ -+ hashmap_free_free_free(manager->properties); -+ udev_rules_free(manager->rules); -+ -+ safe_close(manager->inotify_fd); -+ safe_close_pair(manager->worker_watch); -+ -+ free(manager->cgroup); -+ return mfree(manager); -+} -+ -+DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free); -+ - static int worker_new(Worker **ret, Manager *manager, sd_device_monitor *worker_monitor, pid_t pid) { - _cleanup_(worker_freep) Worker *worker = NULL; - int r; -@@ -228,97 +279,75 @@ static int worker_new(Worker **ret, Manager *manager, sd_device_monitor *worker_ - return 0; - } - --static int on_event_timeout(sd_event_source *s, uint64_t usec, void *userdata) { -- Event *event = userdata; -- -- assert(event); -- assert(event->worker); -- -- kill_and_sigcont(event->worker->pid, arg_timeout_signal); -- event->worker->state = WORKER_KILLED; -- -- log_device_error(event->dev, "Worker ["PID_FMT"] processing SEQNUM=%"PRIu64" killed", event->worker->pid, event->seqnum); -- -- return 1; --} -+static void manager_kill_workers(Manager *manager, bool force) { -+ Worker *worker; - --static int on_event_timeout_warning(sd_event_source *s, uint64_t usec, void *userdata) { -- Event *event = userdata; -+ assert(manager); - -- assert(event); -- assert(event->worker); -+ HASHMAP_FOREACH(worker, manager->workers) { -+ if (worker->state == WORKER_KILLED) -+ continue; - -- log_device_warning(event->dev, "Worker ["PID_FMT"] processing SEQNUM=%"PRIu64" is taking a long time", event->worker->pid, event->seqnum); -+ if (worker->state == WORKER_RUNNING && !force) { -+ worker->state = WORKER_KILLING; -+ continue; -+ } - -- return 1; -+ worker->state = WORKER_KILLED; -+ (void) kill(worker->pid, SIGTERM); -+ } - } - --static void worker_attach_event(Worker *worker, Event *event) { -- sd_event *e; -- -- assert(worker); -- assert(worker->manager); -- assert(event); -- assert(!event->worker); -- assert(!worker->event); -- -- worker->state = WORKER_RUNNING; -- worker->event = event; -- event->state = EVENT_RUNNING; -- event->worker = worker; -- -- e = worker->manager->event; -+static void manager_exit(Manager *manager) { -+ assert(manager); - -- (void) sd_event_add_time_relative(e, &event->timeout_warning_event, CLOCK_MONOTONIC, -- udev_warn_timeout(arg_event_timeout_usec), USEC_PER_SEC, -- on_event_timeout_warning, event); -+ manager->exit = true; - -- (void) sd_event_add_time_relative(e, &event->timeout_event, CLOCK_MONOTONIC, -- arg_event_timeout_usec, USEC_PER_SEC, -- on_event_timeout, event); --} -+ sd_notify(false, -+ "STOPPING=1\n" -+ "STATUS=Starting shutdown..."); - --static void manager_clear_for_worker(Manager *manager) { -- assert(manager); -+ /* close sources of new events and discard buffered events */ -+ manager->ctrl = udev_ctrl_unref(manager->ctrl); - - manager->inotify_event = sd_event_source_unref(manager->inotify_event); -- manager->kill_workers_event = sd_event_source_unref(manager->kill_workers_event); -- -- manager->event = sd_event_unref(manager->event); -- -- manager->workers = hashmap_free(manager->workers); -- event_queue_cleanup(manager, EVENT_UNDEF); -+ manager->inotify_fd = safe_close(manager->inotify_fd); - - manager->monitor = sd_device_monitor_unref(manager->monitor); -- manager->ctrl = udev_ctrl_unref(manager->ctrl); - -- manager->worker_watch[READ_END] = safe_close(manager->worker_watch[READ_END]); -+ /* discard queued events and kill workers */ -+ event_queue_cleanup(manager, EVENT_QUEUED); -+ manager_kill_workers(manager, true); - } - --static Manager* manager_free(Manager *manager) { -- if (!manager) -- return NULL; -+/* reload requested, HUP signal received, rules changed, builtin changed */ -+static void manager_reload(Manager *manager) { - -- udev_builtin_exit(); -+ assert(manager); - -- if (manager->pid == getpid_cached()) -- udev_ctrl_cleanup(manager->ctrl); -+ sd_notify(false, -+ "RELOADING=1\n" -+ "STATUS=Flushing configuration..."); - -- manager_clear_for_worker(manager); -+ manager_kill_workers(manager, false); -+ manager->rules = udev_rules_free(manager->rules); -+ udev_builtin_exit(); - -- sd_netlink_unref(manager->rtnl); -+ sd_notifyf(false, -+ "READY=1\n" -+ "STATUS=Processing with %u children at max", arg_children_max); -+} - -- hashmap_free_free_free(manager->properties); -- udev_rules_free(manager->rules); -+static int on_kill_workers_event(sd_event_source *s, uint64_t usec, void *userdata) { -+ Manager *manager = userdata; - -- safe_close(manager->inotify_fd); -- safe_close_pair(manager->worker_watch); -+ assert(manager); - -- free(manager->cgroup); -- return mfree(manager); --} -+ log_debug("Cleanup idle workers"); -+ manager_kill_workers(manager, false); - --DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free); -+ return 1; -+} - - static int worker_send_message(int fd) { - WorkerMessage message = {}; -@@ -597,6 +626,56 @@ static int worker_main(Manager *_manager, sd_device_monitor *monitor, sd_device - return 0; - } - -+static int on_event_timeout(sd_event_source *s, uint64_t usec, void *userdata) { -+ Event *event = userdata; -+ -+ assert(event); -+ assert(event->worker); -+ -+ kill_and_sigcont(event->worker->pid, arg_timeout_signal); -+ event->worker->state = WORKER_KILLED; -+ -+ log_device_error(event->dev, "Worker ["PID_FMT"] processing SEQNUM=%"PRIu64" killed", event->worker->pid, event->seqnum); -+ -+ return 1; -+} -+ -+static int on_event_timeout_warning(sd_event_source *s, uint64_t usec, void *userdata) { -+ Event *event = userdata; -+ -+ assert(event); -+ assert(event->worker); -+ -+ log_device_warning(event->dev, "Worker ["PID_FMT"] processing SEQNUM=%"PRIu64" is taking a long time", event->worker->pid, event->seqnum); -+ -+ return 1; -+} -+ -+static void worker_attach_event(Worker *worker, Event *event) { -+ sd_event *e; -+ -+ assert(worker); -+ assert(worker->manager); -+ assert(event); -+ assert(!event->worker); -+ assert(!worker->event); -+ -+ worker->state = WORKER_RUNNING; -+ worker->event = event; -+ event->state = EVENT_RUNNING; -+ event->worker = worker; -+ -+ e = worker->manager->event; -+ -+ (void) sd_event_add_time_relative(e, &event->timeout_warning_event, CLOCK_MONOTONIC, -+ udev_warn_timeout(arg_event_timeout_usec), USEC_PER_SEC, -+ on_event_timeout_warning, event); -+ -+ (void) sd_event_add_time_relative(e, &event->timeout_event, CLOCK_MONOTONIC, -+ arg_event_timeout_usec, USEC_PER_SEC, -+ on_event_timeout, event); -+} -+ - static int worker_spawn(Manager *manager, Event *event) { - _cleanup_(sd_device_monitor_unrefp) sd_device_monitor *worker_monitor = NULL; - Worker *worker; -@@ -689,76 +768,6 @@ static void event_run(Manager *manager, Event *event) { - worker_spawn(manager, event); - } - --static int event_queue_insert(Manager *manager, sd_device *dev) { -- _cleanup_(sd_device_unrefp) sd_device *clone = NULL; -- Event *event; -- uint64_t seqnum; -- int r; -- -- assert(manager); -- assert(dev); -- -- /* only one process can add events to the queue */ -- assert(manager->pid == getpid_cached()); -- -- /* We only accepts devices received by device monitor. */ -- r = sd_device_get_seqnum(dev, &seqnum); -- if (r < 0) -- return r; -- -- /* Save original device to restore the state on failures. */ -- r = device_shallow_clone(dev, &clone); -- if (r < 0) -- return r; -- -- r = device_copy_properties(clone, dev); -- if (r < 0) -- return r; -- -- event = new(Event, 1); -- if (!event) -- return -ENOMEM; -- -- *event = (Event) { -- .manager = manager, -- .dev = sd_device_ref(dev), -- .dev_kernel = TAKE_PTR(clone), -- .seqnum = seqnum, -- .state = EVENT_QUEUED, -- }; -- -- if (LIST_IS_EMPTY(manager->events)) { -- r = touch("/run/udev/queue"); -- if (r < 0) -- log_warning_errno(r, "Failed to touch /run/udev/queue: %m"); -- } -- -- LIST_APPEND(event, manager->events, event); -- -- log_device_uevent(dev, "Device is queued"); -- -- return 0; --} -- --static void manager_kill_workers(Manager *manager, bool force) { -- Worker *worker; -- -- assert(manager); -- -- HASHMAP_FOREACH(worker, manager->workers) { -- if (worker->state == WORKER_KILLED) -- continue; -- -- if (worker->state == WORKER_RUNNING && !force) { -- worker->state = WORKER_KILLING; -- continue; -- } -- -- worker->state = WORKER_KILLED; -- (void) kill(worker->pid, SIGTERM); -- } --} -- - /* lookup event for identical, parent, child device */ - static int is_device_busy(Manager *manager, Event *event) { - const char *subsystem, *devpath, *devpath_old = NULL; -@@ -870,57 +879,6 @@ set_delaying_seqnum: - return true; - } - --static void manager_exit(Manager *manager) { -- assert(manager); -- -- manager->exit = true; -- -- sd_notify(false, -- "STOPPING=1\n" -- "STATUS=Starting shutdown..."); -- -- /* close sources of new events and discard buffered events */ -- manager->ctrl = udev_ctrl_unref(manager->ctrl); -- -- manager->inotify_event = sd_event_source_unref(manager->inotify_event); -- manager->inotify_fd = safe_close(manager->inotify_fd); -- -- manager->monitor = sd_device_monitor_unref(manager->monitor); -- -- /* discard queued events and kill workers */ -- event_queue_cleanup(manager, EVENT_QUEUED); -- manager_kill_workers(manager, true); --} -- --/* reload requested, HUP signal received, rules changed, builtin changed */ --static void manager_reload(Manager *manager) { -- -- assert(manager); -- -- sd_notify(false, -- "RELOADING=1\n" -- "STATUS=Flushing configuration..."); -- -- manager_kill_workers(manager, false); -- manager->rules = udev_rules_free(manager->rules); -- udev_builtin_exit(); -- -- sd_notifyf(false, -- "READY=1\n" -- "STATUS=Processing with %u children at max", arg_children_max); --} -- --static int on_kill_workers_event(sd_event_source *s, uint64_t usec, void *userdata) { -- Manager *manager = userdata; -- -- assert(manager); -- -- log_debug("Cleanup idle workers"); -- manager_kill_workers(manager, false); -- -- return 1; --} -- - static void event_queue_start(Manager *manager) { - Event *event; - usec_t usec; -@@ -969,15 +927,77 @@ static void event_queue_start(Manager *manager) { - } - } - --static void event_queue_cleanup(Manager *manager, EventState match_state) { -- Event *event, *tmp; -+static int event_queue_insert(Manager *manager, sd_device *dev) { -+ _cleanup_(sd_device_unrefp) sd_device *clone = NULL; -+ Event *event; -+ uint64_t seqnum; -+ int r; - -- LIST_FOREACH_SAFE(event, event, tmp, manager->events) { -- if (match_state != EVENT_UNDEF && match_state != event->state) -- continue; -+ assert(manager); -+ assert(dev); - -- event_free(event); -+ /* only one process can add events to the queue */ -+ assert(manager->pid == getpid_cached()); -+ -+ /* We only accepts devices received by device monitor. */ -+ r = sd_device_get_seqnum(dev, &seqnum); -+ if (r < 0) -+ return r; -+ -+ /* Save original device to restore the state on failures. */ -+ r = device_shallow_clone(dev, &clone); -+ if (r < 0) -+ return r; -+ -+ r = device_copy_properties(clone, dev); -+ if (r < 0) -+ return r; -+ -+ event = new(Event, 1); -+ if (!event) -+ return -ENOMEM; -+ -+ *event = (Event) { -+ .manager = manager, -+ .dev = sd_device_ref(dev), -+ .dev_kernel = TAKE_PTR(clone), -+ .seqnum = seqnum, -+ .state = EVENT_QUEUED, -+ }; -+ -+ if (LIST_IS_EMPTY(manager->events)) { -+ r = touch("/run/udev/queue"); -+ if (r < 0) -+ log_warning_errno(r, "Failed to touch /run/udev/queue: %m"); -+ } -+ -+ LIST_APPEND(event, manager->events, event); -+ -+ log_device_uevent(dev, "Device is queued"); -+ -+ return 0; -+} -+ -+static int on_uevent(sd_device_monitor *monitor, sd_device *dev, void *userdata) { -+ Manager *manager = userdata; -+ int r; -+ -+ assert(manager); -+ -+ DEVICE_TRACE_POINT(kernel_uevent_received, dev); -+ -+ device_ensure_usec_initialized(dev, NULL); -+ -+ r = event_queue_insert(manager, dev); -+ if (r < 0) { -+ log_device_error_errno(dev, r, "Failed to insert device into event queue: %m"); -+ return 1; - } -+ -+ /* we have fresh events, try to schedule them */ -+ event_queue_start(manager); -+ -+ return 1; - } - - static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdata) { -@@ -1047,28 +1067,6 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - return 1; - } - --static int on_uevent(sd_device_monitor *monitor, sd_device *dev, void *userdata) { -- Manager *manager = userdata; -- int r; -- -- assert(manager); -- -- DEVICE_TRACE_POINT(kernel_uevent_received, dev); -- -- device_ensure_usec_initialized(dev, NULL); -- -- r = event_queue_insert(manager, dev); -- if (r < 0) { -- log_device_error_errno(dev, r, "Failed to insert device into event queue: %m"); -- return 1; -- } -- -- /* we have fresh events, try to schedule them */ -- event_queue_start(manager); -- -- return 1; --} -- - /* receive the udevd message from userspace */ - static int on_ctrl_msg(UdevCtrl *uctrl, UdevCtrlMessageType type, const UdevCtrlMessageValue *value, void *userdata) { - Manager *manager = userdata; --- -2.33.0 diff --git a/backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch b/backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch deleted file mode 100644 index e4d4930..0000000 --- a/backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch +++ /dev/null @@ -1,64 +0,0 @@ -From fca1dafcc29f123aadfd8a2bc5ebfc2468284a6a Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 04:34:48 +0900 -Subject: [PATCH] udev-node: add random delay on conflict in updating device - node symlink - -To make multiple workers not update the same device node symlink -simultaneously. - -(cherry picked from commit 0063fa23a1384dd4385d03b568dc629916b7e72a) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/fca1dafcc29f123aadfd8a2bc5ebfc2468284a6a ---- - src/udev/udev-node.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 2e7df899e4..d8edf39aec 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -20,12 +20,14 @@ - #include "mkdir.h" - #include "parse-util.h" - #include "path-util.h" -+#include "random-util.h" - #include "selinux-util.h" - #include "smack-util.h" - #include "stat-util.h" - #include "stdio-util.h" - #include "string-util.h" - #include "strxcpyx.h" -+#include "time-util.h" - #include "udev-node.h" - #include "user-util.h" - -@@ -33,6 +35,8 @@ - #define LINK_UPDATE_MAX_RETRIES 128 - #define CREATE_STACK_LINK_MAX_RETRIES 128 - #define UPDATE_TIMESTAMP_MAX_RETRIES 128 -+#define MAX_RANDOM_DELAY (250 * USEC_PER_MSEC) -+#define MIN_RANDOM_DELAY ( 50 * USEC_PER_MSEC) - #define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f) - - static int create_symlink(const char *target, const char *slink) { -@@ -447,6 +451,15 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - _cleanup_free_ char *target = NULL; - struct stat st1 = {}, st2 = {}; - -+ if (i > 0) { -+ char buf[FORMAT_TIMESPAN_MAX]; -+ usec_t delay = MIN_RANDOM_DELAY + random_u64_range(MAX_RANDOM_DELAY - MIN_RANDOM_DELAY); -+ -+ log_device_debug(dev, "Directory %s was updated, retrying to update devlink %s after %s.", -+ dirname, slink, format_timespan(buf, sizeof(buf), delay, USEC_PER_MSEC)); -+ (void) usleep(delay); -+ } -+ - if (stat(dirname, &st1) < 0 && errno != ENOENT) - return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname); - --- -2.33.0 - diff --git a/backport-udev-node-always-atomically-create-symlink-to-device.patch b/backport-udev-node-always-atomically-create-symlink-to-device.patch deleted file mode 100644 index 6121dfc..0000000 --- a/backport-udev-node-always-atomically-create-symlink-to-device.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 0116618b67980eeb8d82d09050087ed245630efe Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 02:20:33 +0900 -Subject: [PATCH] udev-node: always atomically create symlink to device node - -By the previous commit, it is not necessary to distinguish if the devlink -already exists. Also, I cannot find any significant advantages of the -previous complecated logic, that is, first try to create directly, and then -fallback to atomically creation. Moreover, such logic increases the chance -of conflicts between multiple udev workers. - -This makes devlinks always created atomically. Hopefully, this reduces the -conflicts between the workers. - -(cherry picked from commit 242d39ebc1391f4734f6e63ff13764de92bc5f70) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/0116618b67980eeb8d82d09050087ed245630efe ---- - src/udev/udev-node.c | 42 +++++++++--------------------------------- - 1 file changed, 9 insertions(+), 33 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 1a34ea8128..46c04fe00b 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -71,6 +71,13 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) { - assert(node); - assert(slink); - -+ if (lstat(slink, &stats) >= 0) { -+ if (!S_ISLNK(stats.st_mode)) -+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST), -+ "Conflicting inode '%s' found, link to '%s' will not be created.", slink, node); -+ } else if (errno != ENOENT) -+ return log_device_debug_errno(dev, errno, "Failed to lstat() '%s': %m", slink); -+ - r = path_extract_directory(slink, &slink_dirname); - if (r < 0) - return log_device_debug_errno(dev, r, "Failed to get parent directory of '%s': %m", slink); -@@ -80,41 +87,11 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) { - if (r < 0) - return log_device_debug_errno(dev, r, "Failed to get relative path from '%s' to '%s': %m", slink, node); - -- if (lstat(slink, &stats) >= 0) { -- _cleanup_free_ char *buf = NULL; -- -- if (!S_ISLNK(stats.st_mode)) -- return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST), -- "Conflicting inode '%s' found, link to '%s' will not be created.", slink, node); -- -- if (readlink_malloc(slink, &buf) >= 0 && -- path_equal(target, buf)) { -- /* preserve link with correct target, do not replace node of other device */ -- log_device_debug(dev, "Preserve already existing symlink '%s' to '%s'", slink, target); -- -- (void) label_fix(slink, LABEL_IGNORE_ENOENT); -- (void) utimensat(AT_FDCWD, slink, NULL, AT_SYMLINK_NOFOLLOW); -- -- return 0; -- } -- } else if (errno == ENOENT) { -- log_device_debug(dev, "Creating symlink '%s' to '%s'", slink, target); -- -- r = create_symlink(target, slink); -- if (r >= 0) -- return 0; -- -- log_device_debug_errno(dev, r, "Failed to create symlink '%s' to '%s', trying to replace '%s': %m", slink, target, slink); -- } else -- return log_device_debug_errno(dev, errno, "Failed to lstat() '%s': %m", slink); -- -- log_device_debug(dev, "Atomically replace '%s'", slink); -- - r = device_get_device_id(dev, &id); - if (r < 0) - return log_device_debug_errno(dev, r, "Failed to get device id: %m"); -- slink_tmp = strjoina(slink, ".tmp-", id); - -+ slink_tmp = strjoina(slink, ".tmp-", id); - (void) unlink(slink_tmp); - - r = create_symlink(target, slink_tmp); -@@ -127,8 +104,7 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) { - return r; - } - -- /* Tell caller that we replaced already existing symlink. */ -- return 1; -+ return 0; - } - - static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir, char **ret) { --- -2.33.0 - diff --git a/backport-udev-node-always-update-timestamp-of-stack-directory.patch b/backport-udev-node-always-update-timestamp-of-stack-directory.patch deleted file mode 100644 index 9fc0e72..0000000 --- a/backport-udev-node-always-update-timestamp-of-stack-directory.patch +++ /dev/null @@ -1,150 +0,0 @@ -From bd4714982537b5fc08b82ccd5f20522231dd5bee Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 12:57:40 +0900 -Subject: [PATCH] udev-node: always update timestamp of stack directory - -Please see the comments in the code. - -(cherry picked from commit 6df797f75fa08bb1a9e657001229bd47903e6174) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/bd4714982537b5fc08b82ccd5f20522231dd5bee ---- - src/udev/udev-node.c | 90 ++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 87 insertions(+), 3 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 5d6aae0bd4..0de848da19 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -32,6 +32,7 @@ - #define CREATE_LINK_MAX_RETRIES 128 - #define LINK_UPDATE_MAX_RETRIES 128 - #define CREATE_STACK_LINK_MAX_RETRIES 128 -+#define UPDATE_TIMESTAMP_MAX_RETRIES 128 - #define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f) - - static int create_symlink(const char *target, const char *slink) { -@@ -285,9 +286,60 @@ toolong: - return size - 1; - } - -+static int update_timestamp(sd_device *dev, const char *path, struct stat *prev) { -+ assert(path); -+ assert(prev); -+ -+ /* Even if a symlink in the stack directory is created/removed, the mtime of the directory may -+ * not be changed. Why? Let's consider the following situation. For simplicity, let's assume -+ * there exist three udev workers (A, B, and C) and all of them calls link_update() for the -+ * same devlink simultaneously. -+ * -+ * 1. B creates/removes a symlink in the stack directory. -+ * 2. A calls the first stat() in the loop of link_update(). -+ * 3. A calls link_find_prioritized(). -+ * 4. C creates/removes another symlink in the stack directory, so the result of the step 3 is outdated. -+ * 5. B and C finish link_update(). -+ * 6. A creates/removes devlink according to the outdated result in the step 3. -+ * 7. A calls the second stat() in the loop of link_update(). -+ * -+ * If these 7 steps are processed in this order within a short time period that kernel's timer -+ * does not increase, then even if the contents in the stack directory is changed, the results -+ * of two stat() called by A shows the same timestamp, and A cannot detect the change. -+ * -+ * By calling this function after creating/removing symlinks in the stack directory, the -+ * timestamp of the stack directory is always increased at least in the above step 5, so A can -+ * detect the update. */ -+ -+ if ((prev->st_mode & S_IFMT) == 0) -+ return 0; /* Does not exist, or previous stat() failed. */ -+ -+ for (unsigned i = 0; i < UPDATE_TIMESTAMP_MAX_RETRIES; i++) { -+ struct stat st; -+ -+ if (stat(path, &st) < 0) -+ return -errno; -+ -+ if (!stat_inode_unmodified(prev, &st)) -+ return 0; -+ -+ log_device_debug(dev, -+ "%s is modified, but its timestamp is not changed, " -+ "updating timestamp after 10ms.", -+ path); -+ -+ (void) usleep(10 * USEC_PER_MSEC); -+ if (utimensat(AT_FDCWD, path, NULL, 0) < 0) -+ return -errno; -+ } -+ -+ return -ELOOP; -+} -+ - static int update_stack_directory(sd_device *dev, const char *dirname, bool add) { - _cleanup_free_ char *filename = NULL, *data = NULL, *buf = NULL; - const char *devname, *id; -+ struct stat st = {}; - int priority, r; - - assert(dev); -@@ -302,10 +354,31 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add) - return log_oom_debug(); - - if (!add) { -- if (unlink(filename) < 0 && errno != ENOENT) -- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); -+ bool unlink_failed = false; -+ -+ if (stat(dirname, &st) < 0) { -+ if (errno == ENOENT) -+ return 0; /* The stack directory is already removed. That's OK. */ -+ log_device_debug_errno(dev, errno, "Failed to stat %s, ignoring: %m", dirname); -+ } -+ -+ if (unlink(filename) < 0) { -+ unlink_failed = true; -+ if (errno != ENOENT) -+ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); -+ } -+ -+ if (rmdir(dirname) >= 0 || errno == ENOENT) -+ return 0; -+ -+ if (unlink_failed) -+ return 0; /* If we failed to remove the symlink, there is almost nothing we can do. */ -+ -+ /* The symlink was removed. Check if the timestamp of directory is changed. */ -+ r = update_timestamp(dev, dirname, &st); -+ if (r < 0 && r != -ENOENT) -+ return log_device_debug_errno(dev, r, "Failed to update timestamp of %s: %m", dirname); - -- (void) rmdir(dirname); - return 0; - } - -@@ -335,12 +408,23 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add) - if (r < 0) - return log_device_debug_errno(dev, r, "Failed to create directory %s: %m", dirname); - -+ if (stat(dirname, &st) < 0) { -+ if (errno == ENOENT) -+ continue; -+ return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname); -+ } -+ - if (symlink(data, filename) < 0) { - if (errno == ENOENT) - continue; - return log_device_debug_errno(dev, errno, "Failed to create symbolic link %s: %m", filename); - } - -+ /* The symlink was created. Check if the timestamp of directory is changed. */ -+ r = update_timestamp(dev, dirname, &st); -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to update timestamp of %s: %m", dirname); -+ - return 0; - } - --- -2.33.0 - diff --git a/backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch b/backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch deleted file mode 100644 index 26a4cb0..0000000 --- a/backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch +++ /dev/null @@ -1,38 +0,0 @@ -From c9fce59c8f0c471a7a474c6a20cdc340fc53a48d Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 2 Sep 2021 06:58:59 +0900 -Subject: [PATCH] udev-node: assume no new claim to a symlink if - /run/udev/links is not updated - -During creating a symlink to a device node, if another device node which -requests the same symlink is added/removed, `stat_inode_unmodified()` -should always detects that. We do not need to continue the loop -unconditionally. - -(cherry picked from commit 8f27311eb2aec2411d1fb7d62e6c9d75d21ae8df) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/c9fce59c8f0c471a7a474c6a20cdc340fc53a48d ---- - src/udev/udev-node.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 0de848da19..1a34ea8128 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -491,11 +491,6 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - r = node_symlink(dev, target, slink); - if (r < 0) - return r; -- if (r == 1) -- /* We have replaced already existing symlink, possibly there is some other device trying -- * to claim the same symlink. Let's do one more iteration to give us a chance to fix -- * the error if other device actually claims the symlink with higher priority. */ -- continue; - - /* Skip the second stat() if the first failed, stat_inode_unmodified() would return false regardless. */ - if ((st1.st_mode & S_IFMT) != 0) { --- -2.33.0 - diff --git a/backport-udev-node-check-stack-directory-change-even-if-devli.patch b/backport-udev-node-check-stack-directory-change-even-if-devli.patch deleted file mode 100644 index 270df9a..0000000 --- a/backport-udev-node-check-stack-directory-change-even-if-devli.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 982d13d4cfd1513bdbd74ceb8b256bad5cf679d5 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 09:44:26 +0900 -Subject: [PATCH] udev-node: check stack directory change even if devlink is - removed - -Otherwise, when multiple device additions and removals occur -simultaneously, symlink to unexisting devnode may be created. - -Hopefully fixes #19946. - -(cherry picked from commit 1cd4e325693007b3628f1a27297f0ab7114b24b8) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/982d13d4cfd1513bdbd74ceb8b256bad5cf679d5 ---- - src/udev/udev-node.c | 15 ++++++--------- - 1 file changed, 6 insertions(+), 9 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 46c04fe00b..28e6e8df94 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -468,15 +468,12 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - if (r < 0) - return r; - -- /* Skip the second stat() if the first failed, stat_inode_unmodified() would return false regardless. */ -- if ((st1.st_mode & S_IFMT) != 0) { -- r = stat(dirname, &st2); -- if (r < 0 && errno != ENOENT) -- return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname); -- -- if (stat_inode_unmodified(&st1, &st2)) -- break; -- } -+ if (stat(dirname, &st2) < 0 && errno != ENOENT) -+ return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname); -+ -+ if (((st1.st_mode & S_IFMT) == 0 && (st2.st_mode & S_IFMT) == 0) || -+ stat_inode_unmodified(&st1, &st2)) -+ return 0; - } - - return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP; --- -2.33.0 - diff --git a/backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch b/backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch deleted file mode 100644 index b5a2475..0000000 --- a/backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 4a0c4d21ca03ffb37da3b5203988156644e13c5e Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 12 Sep 2021 16:14:27 +0900 -Subject: [PATCH] udev-node: do not ignore unexpected errors on removing - symlink in stack directory - -Only acceptable error here is -ENOENT. - -(cherry picked from commit 0706cdf4ec92d6bd40391da0e81a30d9bf851663) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/4a0c4d21ca03ffb37da3b5203988156644e13c5e ---- - src/udev/udev-node.c | 23 ++++++++++++++--------- - 1 file changed, 14 insertions(+), 9 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 4e4a45bbe9..d9309efa25 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -334,25 +334,30 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add) - return log_oom_debug(); - - if (!add) { -- bool unlink_failed = false; -+ int unlink_error = 0, stat_error = 0; - - if (stat(dirname, &st) < 0) { - if (errno == ENOENT) - return 0; /* The stack directory is already removed. That's OK. */ -- log_device_debug_errno(dev, errno, "Failed to stat %s, ignoring: %m", dirname); -+ stat_error = -errno; - } - -- if (unlink(filename) < 0) { -- unlink_failed = true; -- if (errno != ENOENT) -- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); -- } -+ if (unlink(filename) < 0) -+ unlink_error = -errno; - - if (rmdir(dirname) >= 0 || errno == ENOENT) - return 0; - -- if (unlink_failed) -- return 0; /* If we failed to remove the symlink, there is almost nothing we can do. */ -+ if (unlink_error < 0) { -+ if (unlink_error == -ENOENT) -+ return 0; -+ -+ /* If we failed to remove the symlink, then there is almost nothing we can do. */ -+ return log_device_debug_errno(dev, unlink_error, "Failed to remove %s: %m", filename); -+ } -+ -+ if (stat_error < 0) -+ return log_device_debug_errno(dev, stat_error, "Failed to stat %s: %m", dirname); - - /* The symlink was removed. Check if the timestamp of directory is changed. */ - r = update_timestamp(dev, dirname, &st); --- -2.33.0 - diff --git a/backport-udev-node-drop-redundant-trial-of-devlink-creation.patch b/backport-udev-node-drop-redundant-trial-of-devlink-creation.patch deleted file mode 100644 index ea31b43..0000000 --- a/backport-udev-node-drop-redundant-trial-of-devlink-creation.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 1df2313e201c39907653a99335b7d21db092fcbc Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 09:29:42 +0900 -Subject: [PATCH] udev-node: drop redundant trial of devlink creation - -Previously, the devlink was created based on the priority saved in udev -database. So, we needed to reevaluate devlinks after database is saved. - -But now the priority is stored in the symlink under /run/udev/links, and -the loop of devlink creation is controlled with the timestamp of the -directory. So, the double evaluation is not necessary anymore. - -(cherry picked from commit 7920d0a135fb6a08aa0bfc31e9d0a3f589fe7a1f) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/1df2313e201c39907653a99335b7d21db092fcbc ---- - src/udev/udev-event.c | 5 +---- - src/udev/udev-node.c | 12 ++++-------- - 2 files changed, 5 insertions(+), 12 deletions(-) - -diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c -index 8320e96fe2..56fe0a43a7 100644 ---- a/src/udev/udev-event.c -+++ b/src/udev/udev-event.c -@@ -1071,10 +1071,7 @@ int udev_event_execute_rules( - - device_set_is_initialized(dev); - -- /* Yes, we run update_devnode() twice, because in the first invocation, that is before update of udev database, -- * it could happen that two contenders are replacing each other's symlink. Hence we run it again to make sure -- * symlinks point to devices that claim them with the highest priority. */ -- return update_devnode(event); -+ return 0; - } - - void udev_event_execute_run(UdevEvent *event, usec_t timeout_usec, int timeout_signal) { -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index d8edf39aec..52816c72fd 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -416,7 +416,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - _cleanup_free_ char *slink = NULL, *dirname = NULL; - const char *slink_name; - char name_enc[NAME_MAX+1]; -- int i, r, retries; -+ int r; - - assert(dev); - assert(slink_in); -@@ -443,11 +443,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - if (r < 0) - return r; - -- /* If the database entry is not written yet we will just do one iteration and possibly wrong symlink -- * will be fixed in the second invocation. */ -- retries = sd_device_get_is_initialized(dev) > 0 ? LINK_UPDATE_MAX_RETRIES : 1; -- -- for (i = 0; i < retries; i++) { -+ for (unsigned i = 0; i < LINK_UPDATE_MAX_RETRIES; i++) { - _cleanup_free_ char *target = NULL; - struct stat st1 = {}, st2 = {}; - -@@ -473,7 +469,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - log_device_debug_errno(dev, errno, "Failed to remove '%s', ignoring: %m", slink); - - (void) rmdir_parents(slink, "/dev"); -- break; -+ return 0; - } - - r = node_symlink(dev, target, slink); -@@ -488,7 +484,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - return 0; - } - -- return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP; -+ return -ELOOP; - } - - static int device_get_devpath_by_devnum(sd_device *dev, char **ret) { --- -2.33.0 - diff --git a/backport-udev-node-save-information-about-device-node-and-pri.patch b/backport-udev-node-save-information-about-device-node-and-pri.patch deleted file mode 100644 index bd74ab8..0000000 --- a/backport-udev-node-save-information-about-device-node-and-pri.patch +++ /dev/null @@ -1,254 +0,0 @@ -From 56c7e4c0873feba9809d4638d64132a61b43f995 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 04:16:21 +0900 -Subject: [PATCH] udev-node: save information about device node and priority in - symlink - -Previously, we only store device IDs in /run/udev/links, and when -creating/removing device node symlink, we create sd_device object -corresponds to the IDs and read device node and priority from the -object. That requires parsing uevent and udev database files. - -This makes link_find_prioritized() get the most prioritzed device node -without parsing the files. - -(cherry picked from commit 377a83f0d80376456d9be203796f66f543a8b943) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/56c7e4c0873feba9809d4638d64132a61b43f995 ---- - src/udev/udev-node.c | 172 ++++++++++++++++++++++++++++++------------- - 1 file changed, 121 insertions(+), 51 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 4496a2bd9b..5d6aae0bd4 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -18,6 +18,7 @@ - #include "fs-util.h" - #include "hexdecoct.h" - #include "mkdir.h" -+#include "parse-util.h" - #include "path-util.h" - #include "selinux-util.h" - #include "smack-util.h" -@@ -28,9 +29,9 @@ - #include "udev-node.h" - #include "user-util.h" - --#define CREATE_LINK_MAX_RETRIES 128 --#define LINK_UPDATE_MAX_RETRIES 128 --#define TOUCH_FILE_MAX_RETRIES 128 -+#define CREATE_LINK_MAX_RETRIES 128 -+#define LINK_UPDATE_MAX_RETRIES 128 -+#define CREATE_STACK_LINK_MAX_RETRIES 128 - #define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f) - - static int create_symlink(const char *target, const char *slink) { -@@ -175,39 +176,67 @@ static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir, - return r; - - FOREACH_DIRENT_ALL(dent, dir, break) { -- _cleanup_(sd_device_unrefp) sd_device *dev_db = NULL; -- const char *devnode; -- int db_prio = 0; -+ _cleanup_free_ char *path = NULL, *buf = NULL; -+ int tmp_prio; - -- if (dent->d_name[0] == '\0') -- break; - if (dent->d_name[0] == '.') - continue; - -- log_device_debug(dev, "Found '%s' claiming '%s'", dent->d_name, stackdir); -- -- /* did we find ourself? */ -+ /* skip ourself */ - if (streq(dent->d_name, id)) - continue; - -- if (sd_device_new_from_device_id(&dev_db, dent->d_name) < 0) -- continue; -+ path = path_join(stackdir, dent->d_name); -+ if (!path) -+ return -ENOMEM; - -- if (sd_device_get_devname(dev_db, &devnode) < 0) -- continue; -+ if (readlink_malloc(path, &buf) >= 0) { -+ char *devnode; - -- if (device_get_devlink_priority(dev_db, &db_prio) < 0) -- continue; -+ /* New format. The devnode and priority can be obtained from symlink. */ - -- if (target && db_prio <= priority) -- continue; -+ devnode = strchr(buf, ':'); -+ if (!devnode || devnode == buf) -+ continue; - -- log_device_debug(dev_db, "Device claims priority %i for '%s'", db_prio, stackdir); -+ *(devnode++) = '\0'; -+ if (!path_startswith(devnode, "/dev")) -+ continue; - -- r = free_and_strdup(&target, devnode); -- if (r < 0) -- return r; -- priority = db_prio; -+ if (safe_atoi(buf, &tmp_prio) < 0) -+ continue; -+ -+ if (target && tmp_prio <= priority) -+ continue; -+ -+ r = free_and_strdup(&target, devnode); -+ if (r < 0) -+ return r; -+ } else { -+ _cleanup_(sd_device_unrefp) sd_device *tmp_dev = NULL; -+ const char *devnode; -+ -+ /* Old format. The devnode and priority must be obtained from uevent and -+ * udev database files. */ -+ -+ if (sd_device_new_from_device_id(&tmp_dev, dent->d_name) < 0) -+ continue; -+ -+ if (device_get_devlink_priority(tmp_dev, &tmp_prio) < 0) -+ continue; -+ -+ if (target && tmp_prio <= priority) -+ continue; -+ -+ if (sd_device_get_devname(tmp_dev, &devnode) < 0) -+ continue; -+ -+ r = free_and_strdup(&target, devnode); -+ if (r < 0) -+ return r; -+ } -+ -+ priority = tmp_prio; - } - - *ret = TAKE_PTR(target); -@@ -256,10 +285,72 @@ toolong: - return size - 1; - } - -+static int update_stack_directory(sd_device *dev, const char *dirname, bool add) { -+ _cleanup_free_ char *filename = NULL, *data = NULL, *buf = NULL; -+ const char *devname, *id; -+ int priority, r; -+ -+ assert(dev); -+ assert(dirname); -+ -+ r = device_get_device_id(dev, &id); -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to get device id: %m"); -+ -+ filename = path_join(dirname, id); -+ if (!filename) -+ return log_oom_debug(); -+ -+ if (!add) { -+ if (unlink(filename) < 0 && errno != ENOENT) -+ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); -+ -+ (void) rmdir(dirname); -+ return 0; -+ } -+ -+ r = sd_device_get_devname(dev, &devname); -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to get device node: %m"); -+ -+ r = device_get_devlink_priority(dev, &priority); -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to get priority of device node symlink: %m"); -+ -+ if (asprintf(&data, "%i:%s", priority, devname) < 0) -+ return log_oom_debug(); -+ -+ if (readlink_malloc(filename, &buf) >= 0 && streq(buf, data)) -+ return 0; -+ -+ if (unlink(filename) < 0 && errno != ENOENT) -+ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); -+ -+ for (unsigned j = 0; j < CREATE_STACK_LINK_MAX_RETRIES; j++) { -+ /* This may fail with -ENOENT when the parent directory is removed during -+ * creating the file by another udevd worker. */ -+ r = mkdir_p(dirname, 0755); -+ if (r == -ENOENT) -+ continue; -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to create directory %s: %m", dirname); -+ -+ if (symlink(data, filename) < 0) { -+ if (errno == ENOENT) -+ continue; -+ return log_device_debug_errno(dev, errno, "Failed to create symbolic link %s: %m", filename); -+ } -+ -+ return 0; -+ } -+ -+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ELOOP), "Failed to create symbolic link %s: %m", filename); -+} -+ - /* manage "stack of names" with possibly specified device priorities */ - static int link_update(sd_device *dev, const char *slink_in, bool add) { -- _cleanup_free_ char *slink = NULL, *filename = NULL, *dirname = NULL; -- const char *slink_name, *id; -+ _cleanup_free_ char *slink = NULL, *dirname = NULL; -+ const char *slink_name; - char name_enc[NAME_MAX+1]; - int i, r, retries; - -@@ -279,35 +370,14 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), - "Invalid symbolic link of device node: %s", slink); - -- r = device_get_device_id(dev, &id); -- if (r < 0) -- return log_device_debug_errno(dev, r, "Failed to get device id: %m"); -- - (void) udev_node_escape_path(slink_name, name_enc, sizeof(name_enc)); -- dirname = path_join("/run/udev/links/", name_enc); -+ dirname = path_join("/run/udev/links", name_enc); - if (!dirname) - return log_oom_debug(); - -- filename = path_join(dirname, id); -- if (!filename) -- return log_oom_debug(); -- -- if (!add) { -- if (unlink(filename) < 0 && errno != ENOENT) -- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); -- -- (void) rmdir(dirname); -- } else { -- for (unsigned j = 0; j < TOUCH_FILE_MAX_RETRIES; j++) { -- /* This may fail with -ENOENT when the parent directory is removed during -- * creating the file by another udevd worker. */ -- r = touch_file(filename, /* parents= */ true, USEC_INFINITY, UID_INVALID, GID_INVALID, 0444); -- if (r != -ENOENT) -- break; -- } -- if (r < 0) -- return log_device_debug_errno(dev, r, "Failed to create %s: %m", filename); -- } -+ r = update_stack_directory(dev, dirname, add); -+ if (r < 0) -+ return r; - - /* If the database entry is not written yet we will just do one iteration and possibly wrong symlink - * will be fixed in the second invocation. */ --- -2.33.0 - diff --git a/backport-udev-node-shorten-code-a-bit-and-update-log-message.patch b/backport-udev-node-shorten-code-a-bit-and-update-log-message.patch deleted file mode 100644 index 44608ee..0000000 --- a/backport-udev-node-shorten-code-a-bit-and-update-log-message.patch +++ /dev/null @@ -1,36 +0,0 @@ -From f27b7c3d26bf90cad9348e7c31a2db4eb3cac42e Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 2 Sep 2021 08:23:35 +0900 -Subject: [PATCH] udev-node: shorten code a bit and update log message - -(cherry picked from commit 8424da2de88ceeed7be8544fb69221f0b0ea84ea) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/f27b7c3d26bf90cad9348e7c31a2db4eb3cac42e ---- - src/udev/udev-node.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 28e6e8df94..2e7df899e4 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -447,13 +447,12 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - _cleanup_free_ char *target = NULL; - struct stat st1 = {}, st2 = {}; - -- r = stat(dirname, &st1); -- if (r < 0 && errno != ENOENT) -+ if (stat(dirname, &st1) < 0 && errno != ENOENT) - return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname); - - r = link_find_prioritized(dev, add, dirname, &target); - if (r < 0) -- return log_device_debug_errno(dev, r, "Failed to determine highest priority for symlink '%s': %m", slink); -+ return log_device_debug_errno(dev, r, "Failed to determine device node with the highest priority for '%s': %m", slink); - if (r == 0) { - log_device_debug(dev, "No reference left for '%s', removing", slink); - --- -2.33.0 - diff --git a/backport-udev-node-simplify-the-example-of-race.patch b/backport-udev-node-simplify-the-example-of-race.patch deleted file mode 100644 index d7736ee..0000000 --- a/backport-udev-node-simplify-the-example-of-race.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 76e4e1df71fc26acd2aa2ef2d599da3cdd95a014 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 12 Sep 2021 16:05:51 +0900 -Subject: [PATCH] udev-node: simplify the example of race - -(cherry picked from commit 3df566a66723490914ef3bae0ca8046044b70dce) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/76e4e1df71fc26acd2aa2ef2d599da3cdd95a014 ---- - src/udev/udev-node.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 52816c72fd..4e4a45bbe9 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -272,14 +272,14 @@ static int update_timestamp(sd_device *dev, const char *path, struct stat *prev) - - /* Even if a symlink in the stack directory is created/removed, the mtime of the directory may - * not be changed. Why? Let's consider the following situation. For simplicity, let's assume -- * there exist three udev workers (A, B, and C) and all of them calls link_update() for the -- * same devlink simultaneously. -+ * there exist two udev workers (A and B) and all of them calls link_update() for the same -+ * devlink simultaneously. - * -- * 1. B creates/removes a symlink in the stack directory. -+ * 1. A creates/removes a symlink in the stack directory. - * 2. A calls the first stat() in the loop of link_update(). - * 3. A calls link_find_prioritized(). -- * 4. C creates/removes another symlink in the stack directory, so the result of the step 3 is outdated. -- * 5. B and C finish link_update(). -+ * 4. B creates/removes another symlink in the stack directory, so the result of the step 3 is outdated. -+ * 5. B finishes link_update(). - * 6. A creates/removes devlink according to the outdated result in the step 3. - * 7. A calls the second stat() in the loop of link_update(). - * --- -2.33.0 - diff --git a/backport-udev-node-split-out-permission-handling-from-udev_no.patch b/backport-udev-node-split-out-permission-handling-from-udev_no.patch deleted file mode 100644 index 7d79c3f..0000000 --- a/backport-udev-node-split-out-permission-handling-from-udev_no.patch +++ /dev/null @@ -1,309 +0,0 @@ -From 7534eb17595810512574e930eb114b49ec1d3675 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 09:24:15 +0900 -Subject: [PATCH] udev-node: split out permission handling from udev_node_add() - -And then merge udev_node_add() and udev_node_update_old_links(). - -(cherry picked from commit 2f48561e0db3cd63f65e9311b4d69282b4ac605d) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/7534eb17595810512574e930eb114b49ec1d3675 ---- - src/udev/udev-event.c | 9 +- - src/udev/udev-node.c | 204 +++++++++++++++++++----------------------- - src/udev/udev-node.h | 12 ++- - 3 files changed, 106 insertions(+), 119 deletions(-) - -diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c -index 9854270b27..8320e96fe2 100644 ---- a/src/udev/udev-event.c -+++ b/src/udev/udev-event.c -@@ -906,9 +906,6 @@ static int update_devnode(UdevEvent *event) { - if (r < 0) - return log_device_error_errno(dev, r, "Failed to get devnum: %m"); - -- /* remove/update possible left-over symlinks from old database entry */ -- (void) udev_node_update_old_links(dev, event->dev_db_clone); -- - if (!uid_is_valid(event->uid)) { - r = device_get_devnode_uid(dev, &event->uid); - if (r < 0 && r != -ENOENT) -@@ -932,7 +929,11 @@ static int update_devnode(UdevEvent *event) { - - bool apply_mac = device_for_action(dev, SD_DEVICE_ADD); - -- return udev_node_add(dev, apply_mac, event->mode, event->uid, event->gid, event->seclabel_list); -+ r = udev_node_apply_permissions(dev, apply_mac, event->mode, event->uid, event->gid, event->seclabel_list); -+ if (r < 0) -+ return log_device_error_errno(dev, r, "Failed to apply devnode permissions: %m"); -+ -+ return udev_node_update(dev, event->dev_db_clone); - } - - static int event_execute_rules_on_remove( -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 9e52906571..7cc9ee3670 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -356,45 +356,117 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP; - } - --int udev_node_update_old_links(sd_device *dev, sd_device *dev_old) { -- const char *name; -+static int device_get_devpath_by_devnum(sd_device *dev, char **ret) { -+ const char *subsystem; -+ dev_t devnum; -+ int r; -+ -+ assert(dev); -+ assert(ret); -+ -+ r = sd_device_get_subsystem(dev, &subsystem); -+ if (r < 0) -+ return r; -+ -+ r = sd_device_get_devnum(dev, &devnum); -+ if (r < 0) -+ return r; -+ -+ return device_path_make_major_minor(streq(subsystem, "block") ? S_IFBLK : S_IFCHR, devnum, ret); -+} -+ -+int udev_node_update(sd_device *dev, sd_device *dev_old) { -+ _cleanup_free_ char *filename = NULL; -+ const char *devnode, *devlink; - int r; - - assert(dev); - assert(dev_old); - -- /* update possible left-over symlinks */ -- FOREACH_DEVICE_DEVLINK(dev_old, name) { -- const char *name_current; -- bool found = false; -+ r = sd_device_get_devname(dev, &devnode); -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to get devnode: %m"); - -- /* check if old link name still belongs to this device */ -- FOREACH_DEVICE_DEVLINK(dev, name_current) -- if (streq(name, name_current)) { -- found = true; -- break; -- } -+ if (DEBUG_LOGGING) { -+ const char *id = NULL; - -- if (found) -+ (void) device_get_device_id(dev, &id); -+ log_device_debug(dev, "Handling device node '%s', devnum=%s", devnode, strna(id)); -+ } -+ -+ /* update possible left-over symlinks */ -+ FOREACH_DEVICE_DEVLINK(dev_old, devlink) { -+ /* check if old link name still belongs to this device */ -+ if (device_has_devlink(dev, devlink)) - continue; - - log_device_debug(dev, -- "Updating old device symlink '%s', which is no longer belonging to this device.", -- name); -+ "Removing/updating old device symlink '%s', which is no longer belonging to this device.", -+ devlink); - -- r = link_update(dev, name, false); -+ r = link_update(dev, devlink, /* add = */ false); - if (r < 0) - log_device_warning_errno(dev, r, -- "Failed to update device symlink '%s', ignoring: %m", -- name); -+ "Failed to remove/update device symlink '%s', ignoring: %m", -+ devlink); - } - -+ /* create/update symlinks, add symlinks to name index */ -+ FOREACH_DEVICE_DEVLINK(dev, devlink) { -+ r = link_update(dev, devlink, /* add = */ true); -+ if (r < 0) -+ log_device_warning_errno(dev, r, -+ "Failed to create/update device symlink '%s', ignoring: %m", -+ devlink); -+ } -+ -+ r = device_get_devpath_by_devnum(dev, &filename); -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to get device path: %m"); -+ -+ /* always add /dev/{block,char}/$major:$minor */ -+ r = node_symlink(dev, devnode, filename); -+ if (r < 0) -+ return log_device_warning_errno(dev, r, "Failed to create device symlink '%s': %m", filename); -+ -+ return 0; -+} -+ -+int udev_node_remove(sd_device *dev) { -+ _cleanup_free_ char *filename = NULL; -+ const char *devlink; -+ int r; -+ -+ assert(dev); -+ -+ /* remove/update symlinks, remove symlinks from name index */ -+ FOREACH_DEVICE_DEVLINK(dev, devlink) { -+ r = link_update(dev, devlink, /* add = */ false); -+ if (r < 0) -+ log_device_warning_errno(dev, r, -+ "Failed to remove/update device symlink '%s', ignoring: %m", -+ devlink); -+ } -+ -+ r = device_get_devpath_by_devnum(dev, &filename); -+ if (r < 0) -+ return log_device_debug_errno(dev, r, "Failed to get device path: %m"); -+ -+ /* remove /dev/{block,char}/$major:$minor */ -+ if (unlink(filename) < 0 && errno != ENOENT) -+ return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", filename); -+ - return 0; - } - --static int node_permissions_apply(sd_device *dev, bool apply_mac, -- mode_t mode, uid_t uid, gid_t gid, -- OrderedHashmap *seclabel_list) { -+int udev_node_apply_permissions( -+ sd_device *dev, -+ bool apply_mac, -+ mode_t mode, -+ uid_t uid, -+ gid_t gid, -+ OrderedHashmap *seclabel_list) { -+ - const char *devnode, *subsystem, *id = NULL; - bool apply_mode, apply_uid, apply_gid; - _cleanup_close_ int node_fd = -1; -@@ -511,95 +583,5 @@ static int node_permissions_apply(sd_device *dev, bool apply_mac, - if (r < 0) - log_device_debug_errno(dev, r, "Failed to adjust timestamp of node %s: %m", devnode); - -- return r; --} -- --static int xsprintf_dev_num_path_from_sd_device(sd_device *dev, char **ret) { -- const char *subsystem; -- dev_t devnum; -- int r; -- -- assert(ret); -- -- r = sd_device_get_subsystem(dev, &subsystem); -- if (r < 0) -- return r; -- -- r = sd_device_get_devnum(dev, &devnum); -- if (r < 0) -- return r; -- -- return device_path_make_major_minor(streq(subsystem, "block") ? S_IFBLK : S_IFCHR, devnum, ret); --} -- --int udev_node_add(sd_device *dev, bool apply, -- mode_t mode, uid_t uid, gid_t gid, -- OrderedHashmap *seclabel_list) { -- const char *devnode, *devlink; -- _cleanup_free_ char *filename = NULL; -- int r; -- -- assert(dev); -- -- r = sd_device_get_devname(dev, &devnode); -- if (r < 0) -- return log_device_debug_errno(dev, r, "Failed to get devnode: %m"); -- -- if (DEBUG_LOGGING) { -- const char *id = NULL; -- -- (void) device_get_device_id(dev, &id); -- log_device_debug(dev, "Handling device node '%s', devnum=%s", devnode, strna(id)); -- } -- -- r = node_permissions_apply(dev, apply, mode, uid, gid, seclabel_list); -- if (r < 0) -- return r; -- -- /* create/update symlinks, add symlinks to name index */ -- FOREACH_DEVICE_DEVLINK(dev, devlink) { -- r = link_update(dev, devlink, true); -- if (r < 0) -- log_device_warning_errno(dev, r, -- "Failed to update device symlink '%s', ignoring: %m", -- devlink); -- } -- -- r = xsprintf_dev_num_path_from_sd_device(dev, &filename); -- if (r < 0) -- return log_device_debug_errno(dev, r, "Failed to get device path: %m"); -- -- /* always add /dev/{block,char}/$major:$minor */ -- r = node_symlink(dev, devnode, filename); -- if (r < 0) -- return log_device_warning_errno(dev, r, "Failed to create device symlink '%s': %m", filename); -- -- return 0; --} -- --int udev_node_remove(sd_device *dev) { -- _cleanup_free_ char *filename = NULL; -- const char *devlink; -- int r; -- -- assert(dev); -- -- /* remove/update symlinks, remove symlinks from name index */ -- FOREACH_DEVICE_DEVLINK(dev, devlink) { -- r = link_update(dev, devlink, false); -- if (r < 0) -- log_device_warning_errno(dev, r, -- "Failed to update device symlink '%s', ignoring: %m", -- devlink); -- } -- -- r = xsprintf_dev_num_path_from_sd_device(dev, &filename); -- if (r < 0) -- return log_device_debug_errno(dev, r, "Failed to get device path: %m"); -- -- /* remove /dev/{block,char}/$major:$minor */ -- if (unlink(filename) < 0 && errno != ENOENT) -- return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", filename); -- - return 0; - } -diff --git a/src/udev/udev-node.h b/src/udev/udev-node.h -index 2349f9c471..a34af77146 100644 ---- a/src/udev/udev-node.h -+++ b/src/udev/udev-node.h -@@ -8,10 +8,14 @@ - - #include "hashmap.h" - --int udev_node_add(sd_device *dev, bool apply, -- mode_t mode, uid_t uid, gid_t gid, -- OrderedHashmap *seclabel_list); -+int udev_node_apply_permissions( -+ sd_device *dev, -+ bool apply_mac, -+ mode_t mode, -+ uid_t uid, -+ gid_t gid, -+ OrderedHashmap *seclabel_list); - int udev_node_remove(sd_device *dev); --int udev_node_update_old_links(sd_device *dev, sd_device *dev_old); -+int udev_node_update(sd_device *dev, sd_device *dev_old); - - size_t udev_node_escape_path(const char *src, char *dest, size_t size); --- -2.33.0 - diff --git a/backport-udev-node-stack-directory-must-exist-when-adding-dev.patch b/backport-udev-node-stack-directory-must-exist-when-adding-dev.patch deleted file mode 100644 index f1c6fe8..0000000 --- a/backport-udev-node-stack-directory-must-exist-when-adding-dev.patch +++ /dev/null @@ -1,40 +0,0 @@ -From f16172aeb2349dab0f73a4651f31cd025faab6b7 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 1 Sep 2021 04:14:42 +0900 -Subject: [PATCH] udev-node: stack directory must exist when adding device node - symlink - -(cherry picked from commit 46070dbf26435ba0def099121f46a6253f3f19b6) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/f16172aeb2349dab0f73a4651f31cd025faab6b7 ---- - src/udev/udev-node.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 7cc9ee3670..4496a2bd9b 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -161,12 +161,13 @@ static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir, - - dir = opendir(stackdir); - if (!dir) { -- if (errno == ENOENT) { -- *ret = TAKE_PTR(target); -- return !!*ret; -- } -+ if (add) /* The stack directory must exist. */ -+ return -errno; -+ if (errno != ENOENT) -+ return -errno; - -- return -errno; -+ *ret = NULL; -+ return 0; - } - - r = device_get_device_id(dev, &id); --- -2.33.0 - diff --git a/backport-udev-only-ignore-ENOENT-or-friends-which-suggest-the-block.patch b/backport-udev-only-ignore-ENOENT-or-friends-which-suggest-the-block.patch deleted file mode 100644 index 0a465d3..0000000 --- a/backport-udev-only-ignore-ENOENT-or-friends-which-suggest-the-block.patch +++ /dev/null @@ -1,36 +0,0 @@ -From ef400c3878ad23aa02bd5bb47f089bdef49e9d8c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 12 Mar 2022 20:40:58 +0900 -Subject: [PATCH] udev: only ignore ENOENT or friends which suggest the block - device is not exist - -The ENOENT, ENXIO, and ENODEV error can happen easily when a block -device appears and soon removed. So, it is reasonable to ignore the -error. But other errors should not occur here, and hence let's handle -them as critical. - -Reference:https://github.com/systemd/systemd/commit/ef400c3878ad23aa02bd5bb47f089bdef49e9d8c -Conflict:NA - ---- - src/udev/udevd.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 8389c39f652f..f1f864a4610c 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -399,8 +399,10 @@ static int worker_lock_block_device(sd_device *dev, int *ret_fd) { - - fd = open(val, O_RDONLY|O_CLOEXEC|O_NOFOLLOW|O_NONBLOCK); - if (fd < 0) { -- log_device_debug_errno(dev, errno, "Failed to open '%s', ignoring: %m", val); -- return 0; -+ bool ignore = ERRNO_IS_DEVICE_ABSENT(errno); -+ -+ log_device_debug_errno(dev, errno, "Failed to open '%s'%s: %m", val, ignore ? ", ignoring" : ""); -+ return ignore ? 0 : -errno; - } - - if (flock(fd, LOCK_SH|LOCK_NB) < 0) - \ No newline at end of file diff --git a/backport-udev-propagate-error-on-spawning-a-worker.patch b/backport-udev-propagate-error-on-spawning-a-worker.patch deleted file mode 100644 index 73cddc4..0000000 --- a/backport-udev-propagate-error-on-spawning-a-worker.patch +++ /dev/null @@ -1,89 +0,0 @@ -From f2a5412bf286cabc047dc96395c2dae978e722b4 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 15:47:34 +0900 -Subject: [PATCH] udev: propagate error on spawning a worker - -Reference:https://github.com/systemd/systemd/commit/f2a5412bf286cabc047dc96395c2dae978e722b4 -Conflict:NA - ---- - src/udev/udevd.c | 23 +++++++++++++++-------- - 1 file changed, 15 insertions(+), 8 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 2179825..7f41336 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -720,16 +720,18 @@ static int worker_spawn(Manager *manager, Event *event) { - return 0; - } - --static void event_run(Manager *manager, Event *event) { -+static int event_run(Event *event) { - static bool log_children_max_reached = true; -+ Manager *manager; - Worker *worker; - int r; - -- assert(manager); - assert(event); -+ assert(event->manager); - - log_device_uevent(event->dev, "Device ready for processing"); - -+ manager = event->manager; - HASHMAP_FOREACH(worker, manager->workers) { - if (worker->state != WORKER_IDLE) - continue; -@@ -743,29 +745,32 @@ static void event_run(Manager *manager, Event *event) { - continue; - } - worker_attach_event(worker, event); -- return; -+ return 1; /* event is now processing. */ - } - - if (hashmap_size(manager->workers) >= arg_children_max) { -- - /* Avoid spamming the debug logs if the limit is already reached and - * many events still need to be processed */ - if (log_children_max_reached && arg_children_max > 1) { - log_debug("Maximum number (%u) of children reached.", hashmap_size(manager->workers)); - log_children_max_reached = false; - } -- return; -+ return 0; /* no free worker */ - } - - /* Re-enable the debug message for the next batch of events */ - log_children_max_reached = true; - - /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db -- and, until the next SELinux policy changes, we safe further reloads in future children */ -+ * and, until the next SELinux policy changes, we safe further reloads in future children */ - mac_selinux_maybe_reload(); - - /* start new worker and pass initial device */ -- worker_spawn(manager, event); -+ r = worker_spawn(manager, event); -+ if (r < 0) -+ return r; -+ -+ return 1; /* event is now processing. */ - } - - /* lookup event for identical, parent, child device */ -@@ -921,7 +926,9 @@ static int event_queue_start(Manager *manager) { - if (is_device_busy(manager, event) != 0) - continue; - -- event_run(manager, event); -+ r = event_run(event); -+ if (r < 0) -+ return r; - } - - return 0; --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-remove-run-udev-queue-in-on_post.patch b/backport-udev-remove-run-udev-queue-in-on_post.patch deleted file mode 100644 index fed83ae..0000000 --- a/backport-udev-remove-run-udev-queue-in-on_post.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 4029328014be9350ca9fc0774ad936c8b5e50ff2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 13 Mar 2022 21:22:57 +0900 -Subject: [PATCH] udev: remove /run/udev/queue in on_post() - -When the last queued event is processed, information about subsequent -events may be already queued in the netlink socket of sd-device-monitor. -In that case, previously we once removed /run/udev/queue and touch the -file soon later, and `udevadm settle` mistakenly considered all events -are processed. - -To mitigate such situation, this makes /run/udev/queue removed in on_post(). - -Reference:https://github.com/systemd/systemd/commit/4029328014be9350ca9fc0774ad936c8b5e50ff2 -Conflict:NA - ---- - src/udev/udevd.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 6bb9eeb4bb37..8389c39f652f 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -171,12 +171,6 @@ static Event *event_free(Event *event) { - if (event->worker) - event->worker->event = NULL; - -- /* only clean up the queue from the process that created it */ -- if (LIST_IS_EMPTY(event->manager->events) && -- event->manager->pid == getpid_cached()) -- if (unlink("/run/udev/queue") < 0 && errno != ENOENT) -- log_warning_errno(errno, "Failed to unlink /run/udev/queue, ignoring: %m"); -- - return mfree(event); - } - -@@ -1480,7 +1474,13 @@ static int on_post(sd_event_source *s, void *userdata) { - if (!LIST_IS_EMPTY(manager->events)) - return 1; - -- /* There are no pending events. Let's cleanup idle process. */ -+ /* There are no queued events. Let's remove /run/udev/queue and clean up the idle processes. */ -+ -+ if (unlink("/run/udev/queue") < 0) { -+ if (errno != ENOENT) -+ log_warning_errno(errno, "Failed to unlink /run/udev/queue, ignoring: %m"); -+ } else -+ log_debug("No events are queued, removing /run/udev/queue."); - - if (!hashmap_isempty(manager->workers)) { - /* There are idle workers */ - \ No newline at end of file diff --git a/backport-udev-rename-is_device_busy-event_is_blocked.patch b/backport-udev-rename-is_device_busy-event_is_blocked.patch deleted file mode 100644 index dde6b33..0000000 --- a/backport-udev-rename-is_device_busy-event_is_blocked.patch +++ /dev/null @@ -1,141 +0,0 @@ -From a1fa99d84124cdcd4a306113ebe4febc1251c41c Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 16:14:01 +0900 -Subject: [PATCH] udev: rename is_device_busy() -> event_is_blocked() - -Also this rename delaying_seqnum -> blocker_seqnum. - -Reference:https://github.com/systemd/systemd/commit/a1fa99d84124cdcd4a306113ebe4febc1251c41c -Conflict:NA - ---- - src/udev/udevd.c | 34 +++++++++++++++++----------------- - 1 file changed, 17 insertions(+), 17 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index e99c2c0..20bd556 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -126,7 +126,7 @@ typedef struct Event { - sd_device *dev_kernel; /* clone of originally received device */ - - uint64_t seqnum; -- uint64_t delaying_seqnum; -+ uint64_t blocker_seqnum; - - sd_event_source *timeout_warning_event; - sd_event_source *timeout_event; -@@ -773,8 +773,7 @@ static int event_run(Event *event) { - return 1; /* event is now processing. */ - } - --/* lookup event for identical, parent, child device */ --static int is_device_busy(Manager *manager, Event *event) { -+static int event_is_blocked(Event *event) { - const char *subsystem, *devpath, *devpath_old = NULL; - dev_t devnum = makedev(0, 0); - Event *loop_event; -@@ -782,6 +781,8 @@ static int is_device_busy(Manager *manager, Event *event) { - int r, ifindex = 0; - bool is_block; - -+ /* lookup event for identical, parent, child device */ -+ - r = sd_device_get_subsystem(event->dev, &subsystem); - if (r < 0) - return r; -@@ -807,21 +808,21 @@ static int is_device_busy(Manager *manager, Event *event) { - return r; - - /* check if queue contains events we depend on */ -- LIST_FOREACH(event, loop_event, manager->events) { -+ LIST_FOREACH(event, loop_event, event->manager->events) { - size_t loop_devpath_len, common; - const char *loop_devpath; - - /* we already found a later event, earlier cannot block us, no need to check again */ -- if (loop_event->seqnum < event->delaying_seqnum) -+ if (loop_event->seqnum < event->blocker_seqnum) - continue; - - /* event we checked earlier still exists, no need to check again */ -- if (loop_event->seqnum == event->delaying_seqnum) -+ if (loop_event->seqnum == event->blocker_seqnum) - return true; - - /* found ourself, no later event can block us */ - if (loop_event->seqnum >= event->seqnum) -- break; -+ return false; - - /* check major/minor */ - if (major(devnum) != 0) { -@@ -833,7 +834,7 @@ static int is_device_busy(Manager *manager, Event *event) { - - if (sd_device_get_devnum(loop_event->dev, &d) >= 0 && - devnum == d && is_block == streq(s, "block")) -- goto set_delaying_seqnum; -+ break; - } - - /* check network device ifindex */ -@@ -842,7 +843,7 @@ static int is_device_busy(Manager *manager, Event *event) { - - if (sd_device_get_ifindex(loop_event->dev, &i) >= 0 && - ifindex == i) -- goto set_delaying_seqnum; -+ break; - } - - if (sd_device_get_devpath(loop_event->dev, &loop_devpath) < 0) -@@ -850,7 +851,7 @@ static int is_device_busy(Manager *manager, Event *event) { - - /* check our old name */ - if (devpath_old && streq(devpath_old, loop_devpath)) -- goto set_delaying_seqnum; -+ break; - - loop_devpath_len = strlen(loop_devpath); - -@@ -863,24 +864,23 @@ static int is_device_busy(Manager *manager, Event *event) { - - /* identical device event found */ - if (devpath_len == loop_devpath_len) -- goto set_delaying_seqnum; -+ break; - - /* parent device event found */ - if (devpath[common] == '/') -- goto set_delaying_seqnum; -+ break; - - /* child device event found */ - if (loop_devpath[common] == '/') -- goto set_delaying_seqnum; -+ break; - } - -- return false; -+ assert(loop_event); - --set_delaying_seqnum: - log_device_debug(event->dev, "SEQNUM=%" PRIu64 " blocked by SEQNUM=%" PRIu64, - event->seqnum, loop_event->seqnum); - -- event->delaying_seqnum = loop_event->seqnum; -+ event->blocker_seqnum = loop_event->seqnum; - return true; - } - -@@ -923,7 +923,7 @@ static int event_queue_start(Manager *manager) { - continue; - - /* do not start event if parent or child event is still running */ -- if (is_device_busy(manager, event) != 0) -+ if (event_is_blocked(event) != 0) - continue; - - r = event_run(event); --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-rename-type-name-e.g.-struct-worker-Worker.patch b/backport-udev-rename-type-name-e.g.-struct-worker-Worker.patch deleted file mode 100644 index eb573d7..0000000 --- a/backport-udev-rename-type-name-e.g.-struct-worker-Worker.patch +++ /dev/null @@ -1,302 +0,0 @@ -From d9239923c1de3f10f1598567e8bebcb798c4bd27 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 16 Jun 2021 19:05:39 +0900 -Subject: [PATCH] udev: rename type name e.g. struct worker -> Worker - ---- - src/udev/udevd.c | 97 +++++++++++++++++++++++++----------------------- - 1 file changed, 50 insertions(+), 47 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 5a4657de14..6baedd2f2e 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -77,10 +77,13 @@ static usec_t arg_event_timeout_usec = 180 * USEC_PER_SEC; - static int arg_timeout_signal = SIGKILL; - static bool arg_blockdev_read_only = false; - -+typedef struct Event Event; -+typedef struct Worker Worker; -+ - typedef struct Manager { - sd_event *event; - Hashmap *workers; -- LIST_HEAD(struct event, events); -+ LIST_HEAD(Event, events); - const char *cgroup; - pid_t pid; /* the process that originally allocated the manager object */ - int log_level; -@@ -106,16 +109,16 @@ typedef struct Manager { - bool exit; - } Manager; - --enum event_state { -+typedef enum EventState { - EVENT_UNDEF, - EVENT_QUEUED, - EVENT_RUNNING, --}; -+} EventState; - --struct event { -+typedef struct Event { - Manager *manager; -- struct worker *worker; -- enum event_state state; -+ Worker *worker; -+ EventState state; - - sd_device *dev; - sd_device *dev_kernel; /* clone of originally received device */ -@@ -126,32 +129,32 @@ struct event { - sd_event_source *timeout_warning_event; - sd_event_source *timeout_event; - -- LIST_FIELDS(struct event, event); --}; -+ LIST_FIELDS(Event, event); -+} Event; - --static void event_queue_cleanup(Manager *manager, enum event_state type); -+static void event_queue_cleanup(Manager *manager, EventState match_state); - --enum worker_state { -+typedef enum WorkerState { - WORKER_UNDEF, - WORKER_RUNNING, - WORKER_IDLE, - WORKER_KILLED, - WORKER_KILLING, --}; -+} WorkerState; - --struct worker { -+typedef struct Worker { - Manager *manager; - pid_t pid; - sd_device_monitor *monitor; -- enum worker_state state; -- struct event *event; --}; -+ WorkerState state; -+ Event *event; -+} Worker; - - /* passed from worker to main process */ --struct worker_message { --}; -+typedef struct WorkerMessage { -+} WorkerMessage; - --static void event_free(struct event *event) { -+static void event_free(Event *event) { - if (!event) - return; - -@@ -176,7 +179,7 @@ static void event_free(struct event *event) { - free(event); - } - --static struct worker* worker_free(struct worker *worker) { -+static Worker *worker_free(Worker *worker) { - if (!worker) - return NULL; - -@@ -189,11 +192,11 @@ static struct worker* worker_free(struct worker *worker) { - return mfree(worker); - } - --DEFINE_TRIVIAL_CLEANUP_FUNC(struct worker *, worker_free); --DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(worker_hash_op, void, trivial_hash_func, trivial_compare_func, struct worker, worker_free); -+DEFINE_TRIVIAL_CLEANUP_FUNC(Worker*, worker_free); -+DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(worker_hash_op, void, trivial_hash_func, trivial_compare_func, Worker, worker_free); - --static int worker_new(struct worker **ret, Manager *manager, sd_device_monitor *worker_monitor, pid_t pid) { -- _cleanup_(worker_freep) struct worker *worker = NULL; -+static int worker_new(Worker **ret, Manager *manager, sd_device_monitor *worker_monitor, pid_t pid) { -+ _cleanup_(worker_freep) Worker *worker = NULL; - int r; - - assert(ret); -@@ -204,11 +207,11 @@ static int worker_new(struct worker **ret, Manager *manager, sd_device_monitor * - /* close monitor, but keep address around */ - device_monitor_disconnect(worker_monitor); - -- worker = new(struct worker, 1); -+ worker = new(Worker, 1); - if (!worker) - return -ENOMEM; - -- *worker = (struct worker) { -+ *worker = (Worker) { - .manager = manager, - .monitor = sd_device_monitor_ref(worker_monitor), - .pid = pid, -@@ -224,7 +227,7 @@ static int worker_new(struct worker **ret, Manager *manager, sd_device_monitor * - } - - static int on_event_timeout(sd_event_source *s, uint64_t usec, void *userdata) { -- struct event *event = userdata; -+ Event *event = userdata; - - assert(event); - assert(event->worker); -@@ -238,7 +241,7 @@ static int on_event_timeout(sd_event_source *s, uint64_t usec, void *userdata) { - } - - static int on_event_timeout_warning(sd_event_source *s, uint64_t usec, void *userdata) { -- struct event *event = userdata; -+ Event *event = userdata; - - assert(event); - assert(event->worker); -@@ -248,7 +251,7 @@ static int on_event_timeout_warning(sd_event_source *s, uint64_t usec, void *use - return 1; - } - --static void worker_attach_event(struct worker *worker, struct event *event) { -+static void worker_attach_event(Worker *worker, Event *event) { - sd_event *e; - - assert(worker); -@@ -315,7 +318,7 @@ static Manager* manager_free(Manager *manager) { - DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free); - - static int worker_send_message(int fd) { -- struct worker_message message = {}; -+ WorkerMessage message = {}; - - return loop_write(fd, &message, sizeof(message), false); - } -@@ -591,9 +594,9 @@ static int worker_main(Manager *_manager, sd_device_monitor *monitor, sd_device - return 0; - } - --static int worker_spawn(Manager *manager, struct event *event) { -+static int worker_spawn(Manager *manager, Event *event) { - _cleanup_(sd_device_monitor_unrefp) sd_device_monitor *worker_monitor = NULL; -- struct worker *worker; -+ Worker *worker; - pid_t pid; - int r; - -@@ -635,9 +638,9 @@ static int worker_spawn(Manager *manager, struct event *event) { - return 0; - } - --static void event_run(Manager *manager, struct event *event) { -+static void event_run(Manager *manager, Event *event) { - static bool log_children_max_reached = true; -- struct worker *worker; -+ Worker *worker; - int r; - - assert(manager); -@@ -685,7 +688,7 @@ static void event_run(Manager *manager, struct event *event) { - - static int event_queue_insert(Manager *manager, sd_device *dev) { - _cleanup_(sd_device_unrefp) sd_device *clone = NULL; -- struct event *event; -+ Event *event; - uint64_t seqnum; - int r; - -@@ -709,11 +712,11 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - if (r < 0) - return r; - -- event = new(struct event, 1); -+ event = new(Event, 1); - if (!event) - return -ENOMEM; - -- *event = (struct event) { -+ *event = (Event) { - .manager = manager, - .dev = sd_device_ref(dev), - .dev_kernel = TAKE_PTR(clone), -@@ -735,7 +738,7 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - } - - static void manager_kill_workers(Manager *manager, bool force) { -- struct worker *worker; -+ Worker *worker; - - assert(manager); - -@@ -754,10 +757,10 @@ static void manager_kill_workers(Manager *manager, bool force) { - } - - /* lookup event for identical, parent, child device */ --static int is_device_busy(Manager *manager, struct event *event) { -+static int is_device_busy(Manager *manager, Event *event) { - const char *subsystem, *devpath, *devpath_old = NULL; - dev_t devnum = makedev(0, 0); -- struct event *loop_event; -+ Event *loop_event; - size_t devpath_len; - int r, ifindex = 0; - bool is_block; -@@ -916,7 +919,7 @@ static int on_kill_workers_event(sd_event_source *s, uint64_t usec, void *userda - } - - static void event_queue_start(Manager *manager) { -- struct event *event; -+ Event *event; - usec_t usec; - int r; - -@@ -963,11 +966,11 @@ static void event_queue_start(Manager *manager) { - } - } - --static void event_queue_cleanup(Manager *manager, enum event_state match_type) { -- struct event *event, *tmp; -+static void event_queue_cleanup(Manager *manager, EventState match_state) { -+ Event *event, *tmp; - - LIST_FOREACH_SAFE(event, event, tmp, manager->events) { -- if (match_type != EVENT_UNDEF && match_type != event->state) -+ if (match_state != EVENT_UNDEF && match_state != event->state) - continue; - - event_free(event); -@@ -980,7 +983,7 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - assert(manager); - - for (;;) { -- struct worker_message msg; -+ WorkerMessage msg; - struct iovec iovec = { - .iov_base = &msg, - .iov_len = sizeof(msg), -@@ -994,7 +997,7 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - }; - ssize_t size; - struct ucred *ucred; -- struct worker *worker; -+ Worker *worker; - - size = recvmsg_safe(fd, &msghdr, MSG_DONTWAIT); - if (size == -EINTR) -@@ -1007,7 +1010,7 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - - cmsg_close_all(&msghdr); - -- if (size != sizeof(struct worker_message)) { -+ if (size != sizeof(WorkerMessage)) { - log_warning("Ignoring worker message with invalid size %zi bytes", size); - continue; - } -@@ -1357,7 +1360,7 @@ static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *si, voi - for (;;) { - pid_t pid; - int status; -- struct worker *worker; -+ Worker *worker; - - pid = waitpid(-1, &status, WNOHANG); - if (pid <= 0) --- -2.27.0 - diff --git a/backport-udev-requeue-event-when-the-corresponding-block-device-is.patch b/backport-udev-requeue-event-when-the-corresponding-block-device-is.patch deleted file mode 100644 index b193b03..0000000 --- a/backport-udev-requeue-event-when-the-corresponding-block-device-is.patch +++ /dev/null @@ -1,288 +0,0 @@ -From 5d354e525a56955ae7f68062e283dda85ab07794 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 15 Mar 2022 13:50:06 +0900 -Subject: [PATCH] udev: requeue event when the corresponding block device is - locked by another process - -Previously, if a block device is locked by another process, then the -corresponding worker skip to process the corresponding event, and does -not broadcast the uevent to libudev listners. This causes several issues: - -- During a period of a device being locked by a process, if a user trigger - an event with `udevadm trigger --settle`, then it never returned. - -- When there is a delay between close and unlock in a process, then the - synthesized events triggered by inotify may not be processed. This can - happens easily by wrapping mkfs with flock. This causes severe issues - e.g. new devlinks are not created, or old devlinks are not removed. - -This commit makes events are requeued with a tiny delay when the corresponding -block devices are locked by other processes. With this way, the triggered -uevent may be delayed but is always processed by udevd. Hence, the above -issues can be solved. Also, it is not necessary to watch a block device -unconditionally when it is already locked. Hence, the logic is dropped. - -Reference:https://github.com/systemd/systemd/commit/5d354e525a56955ae7f68062e283dda85ab07794 -Conflict:adaption - ---- - src/udev/udevd.c | 154 +++++++++++++++++++++++++++++------------------ - 1 file changed, 97 insertions(+), 57 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index d153b03a38e1..973727375b67 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -70,6 +70,8 @@ - #include "version.h" - - #define WORKER_NUM_MAX 2048U -+#define EVENT_RETRY_INTERVAL_USEC (200 * USEC_PER_MSEC) -+#define EVENT_RETRY_TIMEOUT_USEC (3 * USEC_PER_MINUTE) - - static bool arg_debug = false; - static int arg_daemonize = false; -@@ -128,6 +130,8 @@ typedef struct Event { - sd_device_action_t action; - uint64_t seqnum; - uint64_t blocker_seqnum; -+ usec_t retry_again_next_usec; -+ usec_t retry_again_timeout_usec; - - sd_event_source *timeout_warning_event; - sd_event_source *timeout_event; -@@ -152,8 +156,13 @@ typedef struct Worker { - } Worker; - - /* passed from worker to main process */ --typedef struct WorkerMessage { --} WorkerMessage; -+typedef enum EventResult { -+ EVENT_RESULT_SUCCESS, -+ EVENT_RESULT_FAILED, -+ EVENT_RESULT_TRY_AGAIN, /* when the block device is locked by another process. */ -+ _EVENT_RESULT_MAX, -+ _EVENT_RESULT_INVALID = -EINVAL, -+} EventResult; - - static Event *event_free(Event *event) { - if (!event) -@@ -360,10 +369,11 @@ static void device_broadcast(sd_device_monitor *monitor, sd_device *dev) { - "Failed to broadcast event to libudev listeners, ignoring: %m"); - } - --static int worker_send_message(int fd) { -- WorkerMessage message = {}; -+static int worker_send_result(Manager *manager, EventResult result) { -+ assert(manager); -+ assert(manager->worker_watch[WRITE_END] >= 0); - -- return loop_write(fd, &message, sizeof(message), false); -+ return loop_write(manager->worker_watch[WRITE_END], &result, sizeof(result), false); - } - - static int worker_lock_block_device(sd_device *dev, int *ret_fd) { -@@ -490,44 +500,12 @@ static int worker_process_device(Manager *manager, sd_device *dev) { - if (!udev_event) - return -ENOMEM; - -+ /* If this is a block device and the device is locked currently via the BSD advisory locks, -+ * someone else is using it exclusively. We don't run our udev rules now to not interfere. -+ * Instead of processing the event, we requeue the event and will try again after a delay. -+ * -+ * The user-facing side of this: https://systemd.io/BLOCK_DEVICE_LOCKING */ - r = worker_lock_block_device(dev, &fd_lock); -- if (r == -EAGAIN) { -- /* So this is a block device and the device is locked currently via the BSD advisory locks — -- * someone else is exclusively using it. This means we don't run our udev rules now, to not -- * interfere. However we want to know when the device is unlocked again, and retrigger the -- * device again then, so that the rules are run eventually. For that we use IN_CLOSE_WRITE -- * inotify watches (which isn't exactly the same as waiting for the BSD locks to release, but -- * not totally off, as long as unlock+close() is done together, as it usually is). -- * -- * (The user-facing side of this: https://systemd.io/BLOCK_DEVICE_LOCKING) -- * -- * There's a bit of a chicken and egg problem here for this however: inotify watching is -- * supposed to be enabled via an option set via udev rules (OPTIONS+="watch"). If we skip the -- * udev rules here however (as we just said we do), we would thus never see that specific -- * udev rule, and thus never turn on inotify watching. But in order to catch up eventually -- * and run them we we need the inotify watching: hence a classic chicken and egg problem. -- * -- * Our way out here: if we see the block device locked, unconditionally watch the device via -- * inotify, regardless of any explicit request via OPTIONS+="watch". Thus, a device that is -- * currently locked via the BSD file locks will be treated as if we ran a single udev rule -- * only for it: the one that turns on inotify watching for it. If we eventually see the -- * inotify IN_CLOSE_WRITE event, and then run the rules after all and we then realize that -- * this wasn't actually requested (i.e. no OPTIONS+="watch" set) we'll simply turn off the -- * watching again (see below). Effectively this means: inotify watching is now enabled either -- * a) when the udev rules say so, or b) while the device is locked. -- * -- * Worst case scenario hence: in the (unlikely) case someone locked the device and we clash -- * with that we might do inotify watching for a brief moment for a device where we actually -- * weren't supposed to. But that shouldn't be too bad, in particular as BSD locks being taken -- * on a block device is kinda an indication that the inotify logic is desired too, to some -- * degree — they go hand-in-hand after all. */ -- -- log_device_debug(dev, "Block device is currently locked, installing watch to wait until the lock is released."); -- (void) udev_watch_begin(manager->inotify_fd, dev); -- -- /* Now the watch is installed, let's lock the device again, maybe in the meantime things changed */ -- r = worker_lock_block_device(dev, &fd_lock); -- } - if (r < 0) - return r; - -@@ -560,25 +538,29 @@ static int worker_process_device(Manager *manager, sd_device *dev) { - - static int worker_device_monitor_handler(sd_device_monitor *monitor, sd_device *dev, void *userdata) { - Manager *manager = userdata; -+ EventResult result; - int r; - - assert(dev); - assert(manager); - - r = worker_process_device(manager, dev); -- if (r == -EAGAIN) -- /* if we couldn't acquire the flock(), then proceed quietly */ -- log_device_debug_errno(dev, r, "Device currently locked, not processing."); -- else { -- if (r < 0) -- log_device_warning_errno(dev, r, "Failed to process device, ignoring: %m"); -+ if (r == -EAGAIN) { -+ /* if we couldn't acquire the flock(), then requeue the event */ -+ result = EVENT_RESULT_TRY_AGAIN; -+ log_device_debug_errno(dev, r, "Block device is currently locked, requeueing the event."); -+ } else if (r < 0) { -+ result = EVENT_RESULT_FAILED; -+ log_device_warning_errno(dev, r, "Failed to process device, ignoring: %m"); -+ } else -+ result = EVENT_RESULT_SUCCESS; - -+ if (result != EVENT_RESULT_TRY_AGAIN) - /* send processed event back to libudev listeners */ - device_broadcast(monitor, dev); -- } - - /* send udevd the result of the event execution */ -- r = worker_send_message(manager->worker_watch[WRITE_END]); -+ r = worker_send_result(manager, result); - if (r < 0) - log_device_warning_errno(dev, r, "Failed to send signal to main daemon, ignoring: %m"); - -@@ -794,6 +776,17 @@ static int event_is_blocked(Event *event) { - assert(event->manager); - assert(event->blocker_seqnum <= event->seqnum); - -+ if (event->retry_again_next_usec > 0) { -+ usec_t now_usec; -+ -+ r = sd_event_now(event->manager->event, clock_boottime_or_monotonic(), &now_usec); -+ if (r < 0) -+ return r; -+ -+ if (event->retry_again_next_usec <= now_usec) -+ return true; -+ } -+ - if (event->blocker_seqnum == event->seqnum) - /* we have checked previously and no blocker found */ - return false; -@@ -980,6 +973,44 @@ static int event_queue_start(Manager *manager) { - return 0; - } - -+static int event_requeue(Event *event) { -+ usec_t now_usec; -+ int r; -+ -+ assert(event); -+ assert(event->manager); -+ assert(event->manager->event); -+ -+ event->timeout_warning_event = sd_event_source_disable_unref(event->timeout_warning_event); -+ event->timeout_event = sd_event_source_disable_unref(event->timeout_event); -+ -+ /* add a short delay to suppress busy loop */ -+ r = sd_event_now(event->manager->event, clock_boottime_or_monotonic(), &now_usec); -+ if (r < 0) -+ return log_device_warning_errno(event->dev, r, -+ "Failed to get current time, " -+ "skipping event (SEQNUM=%"PRIu64", ACTION=%s): %m", -+ event->seqnum, strna(device_action_to_string(event->action))); -+ -+ if (event->retry_again_timeout_usec > 0 && event->retry_again_timeout_usec <= now_usec) -+ return log_device_warning_errno(event->dev, SYNTHETIC_ERRNO(ETIMEDOUT), -+ "The underlying block device is locked by a process more than %s, " -+ "skipping event (SEQNUM=%"PRIu64", ACTION=%s).", -+ format_timespan((char[FORMAT_TIMESPAN_MAX]){}, FORMAT_TIMESPAN_MAX, EVENT_RETRY_TIMEOUT_USEC, USEC_PER_MINUTE), -+ event->seqnum, strna(device_action_to_string(event->action))); -+ -+ event->retry_again_next_usec = usec_add(now_usec, EVENT_RETRY_INTERVAL_USEC); -+ if (event->retry_again_timeout_usec == 0) -+ event->retry_again_timeout_usec = usec_add(now_usec, EVENT_RETRY_TIMEOUT_USEC); -+ -+ if (event->worker && event->worker->event == event) -+ event->worker->event = NULL; -+ event->worker = NULL; -+ -+ event->state = EVENT_QUEUED; -+ return 0; -+} -+ - static int event_queue_insert(Manager *manager, sd_device *dev) { - sd_device_action_t action; - uint64_t seqnum; -@@ -1054,11 +1085,8 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - assert(manager); - - for (;;) { -- WorkerMessage msg; -- struct iovec iovec = { -- .iov_base = &msg, -- .iov_len = sizeof(msg), -- }; -+ EventResult result; -+ struct iovec iovec = IOVEC_MAKE(&result, sizeof(result)); - CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred))) control; - struct msghdr msghdr = { - .msg_iov = &iovec, -@@ -1081,7 +1109,7 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - - cmsg_close_all(&msghdr); - -- if (size != sizeof(WorkerMessage)) { -+ if (size != sizeof(EventResult)) { - log_warning("Ignoring worker message with invalid size %zi bytes", size); - continue; - } -@@ -1106,6 +1134,11 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat - worker->state = WORKER_IDLE; - - /* worker returned */ -+ if (result == EVENT_RESULT_TRY_AGAIN && -+ event_requeue(worker->event) < 0) -+ device_broadcast(manager->monitor, worker->event->dev); -+ -+ /* When event_requeue() succeeds, worker->event is NULL, and event_free() handles NULL gracefully. */ - event_free(worker->event); - } - -@@ -1467,8 +1500,15 @@ static int on_post(sd_event_source *s, void *userdata) { - - assert(manager); - -- if (!LIST_IS_EMPTY(manager->events)) -+ if (!LIST_IS_EMPTY(manager->events)) { -+ /* Try to process pending events if idle workers exist. Why is this necessary? -+ * When a worker finished an event and became idle, even if there was a pending event, -+ * the corresponding device might have been locked and the processing of the event -+ * delayed for a while, preventing the worker from processing the event immediately. -+ * Now, the device may be unlocked. Let's try again! */ -+ event_queue_start(manager); - return 1; -+ } - - /* There are no queued events. Let's remove /run/udev/queue and clean up the idle processes. */ - - \ No newline at end of file diff --git a/backport-udev-run-the-main-process-workers-and-spawned-comman.patch b/backport-udev-run-the-main-process-workers-and-spawned-comman.patch deleted file mode 100644 index bc39fd9..0000000 --- a/backport-udev-run-the-main-process-workers-and-spawned-comman.patch +++ /dev/null @@ -1,176 +0,0 @@ -From a1f4fd387603673a79a84ca4e5ce25b439b85fe6 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 16 Mar 2022 20:46:49 +0900 -Subject: [PATCH] udev: run the main process, workers, and spawned commands in - /udev subcgroup - -And enable cgroup delegation for udevd. -Then, processes invoked through ExecReload= are assigned .control -subcgroup, and they are not killed by cg_kill(). - -Fixes #16867 and #22686. ---- - src/udev/udevd.c | 76 ++++++++++++++++++++++++++-------- - units/systemd-udevd.service.in | 1 + - 2 files changed, 59 insertions(+), 18 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 8380d674c5..c6f6d945c8 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -28,6 +28,7 @@ - #include "sd-event.h" - - #include "alloc-util.h" -+#include "cgroup-setup.h" - #include "cgroup-util.h" - #include "cpu-set-util.h" - #include "dev-setup.h" -@@ -48,6 +49,7 @@ - #include "mkdir.h" - #include "netlink-util.h" - #include "parse-util.h" -+#include "path-util.h" - #include "pretty-print.h" - #include "proc-cmdline.h" - #include "process-util.h" -@@ -85,7 +87,7 @@ typedef struct Manager { - sd_event *event; - Hashmap *workers; - LIST_HEAD(Event, events); -- const char *cgroup; -+ char *cgroup; - pid_t pid; /* the process that originally allocated the manager object */ - int log_level; - -@@ -238,6 +240,7 @@ static Manager* manager_free(Manager *manager) { - safe_close(manager->inotify_fd); - safe_close_pair(manager->worker_watch); - -+ free(manager->cgroup); - return mfree(manager); - } - -@@ -1722,12 +1725,63 @@ static int parse_argv(int argc, char *argv[]) { - return 1; - } - --static int manager_new(Manager **ret, int fd_ctrl, int fd_uevent, const char *cgroup) { -+static int create_subcgroup(char **ret) { -+ _cleanup_free_ char *cgroup = NULL, *subcgroup = NULL; -+ int r; -+ -+ if (getppid() != 1) -+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Not invoked by PID1."); -+ -+ r = sd_booted(); -+ if (r < 0) -+ return log_debug_errno(r, "Failed to check if systemd is running: %m"); -+ if (r == 0) -+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "systemd is not running."); -+ -+ /* Get our own cgroup, we regularly kill everything udev has left behind. -+ * We only do this on systemd systems, and only if we are directly spawned -+ * by PID1. Otherwise we are not guaranteed to have a dedicated cgroup. */ -+ -+ r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup); -+ if (r < 0) { -+ if (IN_SET(r, -ENOENT, -ENOMEDIUM)) -+ return log_debug_errno(r, "Dedicated cgroup not found: %m"); -+ return log_debug_errno(r, "Failed to get cgroup: %m"); -+ } -+ -+ r = cg_get_xattr_bool(SYSTEMD_CGROUP_CONTROLLER, cgroup, "trusted.delegate"); -+ if (IN_SET(r, 0, -ENODATA)) -+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "The cgroup %s is not delegated to us.", cgroup); -+ if (r < 0) -+ return log_debug_errno(r, "Failed to read trusted.delegate attribute: %m"); -+ -+ /* We are invoked with our own delegated cgroup tree, let's move us one level down, so that we -+ * don't collide with the "no processes in inner nodes" rule of cgroups, when the service -+ * manager invokes the ExecReload= job in the .control/ subcgroup. */ -+ -+ subcgroup = path_join(cgroup, "/udev"); -+ if (!subcgroup) -+ return log_oom_debug(); -+ -+ r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, subcgroup, 0); -+ if (r < 0) -+ return log_debug_errno(r, "Failed to create %s subcgroup: %m", subcgroup); -+ -+ log_debug("Created %s subcgroup.", subcgroup); -+ if (ret) -+ *ret = TAKE_PTR(subcgroup); -+ return 0; -+} -+ -+static int manager_new(Manager **ret, int fd_ctrl, int fd_uevent) { - _cleanup_(manager_freep) Manager *manager = NULL; -+ _cleanup_free_ char *cgroup = NULL; - int r; - - assert(ret); - -+ (void) create_subcgroup(&cgroup); -+ - manager = new(Manager, 1); - if (!manager) - return log_oom(); -@@ -1735,7 +1789,7 @@ static int manager_new(Manager **ret, int fd_ctrl, int fd_uevent, const char *cg - *manager = (Manager) { - .inotify_fd = -1, - .worker_watch = { -1, -1 }, -- .cgroup = cgroup, -+ .cgroup = TAKE_PTR(cgroup), - }; - - r = udev_ctrl_new_from_fd(&manager->ctrl, fd_ctrl); -@@ -1880,7 +1934,6 @@ static int main_loop(Manager *manager) { - } - - int run_udevd(int argc, char *argv[]) { -- _cleanup_free_ char *cgroup = NULL; - _cleanup_(manager_freep) Manager *manager = NULL; - int fd_ctrl = -1, fd_uevent = -1; - int r; -@@ -1937,24 +1990,11 @@ int run_udevd(int argc, char *argv[]) { - if (r < 0 && r != -EEXIST) - return log_error_errno(r, "Failed to create /run/udev: %m"); - -- if (getppid() == 1 && sd_booted() > 0) { -- /* Get our own cgroup, we regularly kill everything udev has left behind. -- * We only do this on systemd systems, and only if we are directly spawned -- * by PID1. Otherwise we are not guaranteed to have a dedicated cgroup. */ -- r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup); -- if (r < 0) { -- if (IN_SET(r, -ENOENT, -ENOMEDIUM)) -- log_debug_errno(r, "Dedicated cgroup not found: %m"); -- else -- log_warning_errno(r, "Failed to get cgroup: %m"); -- } -- } -- - r = listen_fds(&fd_ctrl, &fd_uevent); - if (r < 0) - return log_error_errno(r, "Failed to listen on fds: %m"); - -- r = manager_new(&manager, fd_ctrl, fd_uevent, cgroup); -+ r = manager_new(&manager, fd_ctrl, fd_uevent); - if (r < 0) - return log_error_errno(r, "Failed to create manager: %m"); - -diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in -index d042bfb0d3..9901198274 100644 ---- a/units/systemd-udevd.service.in -+++ b/units/systemd-udevd.service.in -@@ -16,6 +16,7 @@ Before=sysinit.target - ConditionPathIsReadWrite=/sys - - [Service] -+Delegate=pids - DeviceAllow=block-* rwm - DeviceAllow=char-* rwm - Type=notify --- -2.27.0 - diff --git a/backport-udev-skip-event-when-its-dependency-cannot-be-checked.patch b/backport-udev-skip-event-when-its-dependency-cannot-be-checked.patch deleted file mode 100644 index b28f6b1..0000000 --- a/backport-udev-skip-event-when-its-dependency-cannot-be-checked.patch +++ /dev/null @@ -1,58 +0,0 @@ -From c6f78234d1d1c6065ecc56240f217d1fdbeb1771 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Thu, 17 Jun 2021 17:14:10 +0900 -Subject: [PATCH] udev: skip event when its dependency cannot be checked - -Reference:https://github.com/systemd/systemd/commit/c6f78234d1d1c6065ecc56240f217d1fdbeb1771 -Conflict:NA - ---- - src/udev/udevd.c | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index be2c3ee..683938d 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -910,7 +910,7 @@ no_blocker: - } - - static int event_queue_start(Manager *manager) { -- Event *event; -+ Event *event, *event_next; - usec_t usec; - int r; - -@@ -943,12 +943,26 @@ static int event_queue_start(Manager *manager) { - return log_warning_errno(r, "Failed to read udev rules: %m"); - } - -- LIST_FOREACH(event, event, manager->events) { -+ LIST_FOREACH_SAFE(event, event, event_next, manager->events) { - if (event->state != EVENT_QUEUED) - continue; - -- /* do not start event if parent or child event is still running */ -- if (event_is_blocked(event) != 0) -+ /* do not start event if parent or child event is still running or queued */ -+ r = event_is_blocked(event); -+ if (r < 0) { -+ sd_device_action_t a = _SD_DEVICE_ACTION_INVALID; -+ -+ (void) sd_device_get_action(event->dev, &a); -+ log_device_warning_errno(event->dev, r, -+ "Failed to check event dependency, " -+ "skipping event (SEQNUM=%"PRIu64", ACTION=%s)", -+ event->seqnum, -+ strna(device_action_to_string(a))); -+ -+ event_free(event); -+ return r; -+ } -+ if (r > 0) - continue; - - r = event_run(event); --- -2.33.0 - \ No newline at end of file diff --git a/backport-udev-split-worker_lock_block_device-into-two.patch b/backport-udev-split-worker_lock_block_device-into-two.patch deleted file mode 100644 index dc8f58b..0000000 --- a/backport-udev-split-worker_lock_block_device-into-two.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 7b7959fba52ba4bb6b5f7001971917760df40fee Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 25 Mar 2022 02:55:25 +0900 -Subject: [PATCH] udev: split worker_lock_block_device() into two - -This also makes return value initialized when these function return 0 to -follow our coding style. - -Just a preparation for later commits. - -Reference:https://github.com/systemd/systemd/commit/7b7959fba52ba4bb6b5f7001971917760df40fee -Conflict:NA - ---- - src/udev/udevd.c | 54 ++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 41 insertions(+), 13 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 973727375b67..0b620cb7dcac 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -376,35 +376,29 @@ static int worker_send_result(Manager *manager, EventResult result) { - return loop_write(manager->worker_watch[WRITE_END], &result, sizeof(result), false); - } - --static int worker_lock_block_device(sd_device *dev, int *ret_fd) { -- _cleanup_close_ int fd = -1; -+static int device_get_block_device(sd_device *dev, const char **ret) { - const char *val; - int r; - - assert(dev); -- assert(ret_fd); -- -- /* Take a shared lock on the device node; this establishes a concept of device "ownership" to -- * serialize device access. External processes holding an exclusive lock will cause udev to skip the -- * event handling; in the case udev acquired the lock, the external process can block until udev has -- * finished its event handling. */ -+ assert(ret); - - if (device_for_action(dev, SD_DEVICE_REMOVE)) -- return 0; -+ goto irrelevant; - - r = sd_device_get_subsystem(dev, &val); - if (r < 0) - return log_device_debug_errno(dev, r, "Failed to get subsystem: %m"); - - if (!streq(val, "block")) -- return 0; -+ goto irrelevant; - - r = sd_device_get_sysname(dev, &val); - if (r < 0) - return log_device_debug_errno(dev, r, "Failed to get sysname: %m"); - - if (STARTSWITH_SET(val, "dm-", "md", "drbd")) -- return 0; -+ goto irrelevant; - - r = sd_device_get_devtype(dev, &val); - if (r < 0 && r != -ENOENT) -@@ -417,16 +411,46 @@ static int worker_lock_block_device(sd_device *dev, int *ret_fd) { - - r = sd_device_get_devname(dev, &val); - if (r == -ENOENT) -- return 0; -+ goto irrelevant; - if (r < 0) - return log_device_debug_errno(dev, r, "Failed to get devname: %m"); - -+ *ret = val; -+ return 1; -+ -+irrelevant: -+ *ret = NULL; -+ return 0; -+} -+ -+static int worker_lock_block_device(sd_device *dev, int *ret_fd) { -+ _cleanup_close_ int fd = -1; -+ const char *val; -+ int r; -+ -+ assert(dev); -+ assert(ret_fd); -+ -+ /* Take a shared lock on the device node; this establishes a concept of device "ownership" to -+ * serialize device access. External processes holding an exclusive lock will cause udev to skip the -+ * event handling; in the case udev acquired the lock, the external process can block until udev has -+ * finished its event handling. */ -+ -+ r = device_get_block_device(dev, &val); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ goto nolock; -+ - fd = open(val, O_RDONLY|O_CLOEXEC|O_NOFOLLOW|O_NONBLOCK); - if (fd < 0) { - bool ignore = ERRNO_IS_DEVICE_ABSENT(errno); - - log_device_debug_errno(dev, errno, "Failed to open '%s'%s: %m", val, ignore ? ", ignoring" : ""); -- return ignore ? 0 : -errno; -+ if (!ignore) -+ return -errno; -+ -+ goto nolock; - } - - if (flock(fd, LOCK_SH|LOCK_NB) < 0) -@@ -434,6 +458,10 @@ static int worker_lock_block_device(sd_device *dev, int *ret_fd) { - - *ret_fd = TAKE_FD(fd); - return 1; -+ -+nolock: -+ *ret_fd = -1; -+ return 0; - } - - static int worker_mark_block_device_read_only(sd_device *dev) { - \ No newline at end of file diff --git a/backport-udev-store-action-in-struct-Event.patch b/backport-udev-store-action-in-struct-Event.patch deleted file mode 100644 index b0281bd..0000000 --- a/backport-udev-store-action-in-struct-Event.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 0c3d8182c997c979c7a0ccce88d9fc48638261a5 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Fri, 25 Mar 2022 02:39:55 +0900 -Subject: [PATCH] udev: store action in struct Event - -Reference:https://github.com/systemd/systemd/commit/0c3d8182c997c979c7a0ccce88d9fc48638261a5 -Conflict:NA - ---- - src/udev/udevd.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 53728c9f7971..d153b03a38e1 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -125,6 +125,7 @@ typedef struct Event { - - sd_device *dev; - -+ sd_device_action_t action; - uint64_t seqnum; - uint64_t blocker_seqnum; - -@@ -964,16 +965,12 @@ static int event_queue_start(Manager *manager) { - r = event_is_blocked(event); - if (r > 0) - continue; -- if (r < 0) { -- sd_device_action_t a = _SD_DEVICE_ACTION_INVALID; -- -- (void) sd_device_get_action(event->dev, &a); -+ if (r < 0) - log_device_warning_errno(event->dev, r, - "Failed to check dependencies for event (SEQNUM=%"PRIu64", ACTION=%s), " - "assuming there is no blocking event, ignoring: %m", - event->seqnum, -- strna(device_action_to_string(a))); -- } -+ strna(device_action_to_string(event->action))); - - r = event_run(event); - if (r <= 0) /* 0 means there are no idle workers. Let's escape from the loop. */ -@@ -984,6 +981,7 @@ static int event_queue_start(Manager *manager) { - } - - static int event_queue_insert(Manager *manager, sd_device *dev) { -+ sd_device_action_t action; - uint64_t seqnum; - Event *event; - int r; -@@ -999,6 +997,10 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - if (r < 0) - return r; - -+ r = sd_device_get_action(dev, &action); -+ if (r < 0) -+ return r; -+ - event = new(Event, 1); - if (!event) - return -ENOMEM; -@@ -1007,6 +1009,7 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - .manager = manager, - .dev = sd_device_ref(dev), - .seqnum = seqnum, -+ .action = action, - .state = EVENT_QUEUED, - }; - - diff --git a/backport-udev-support-by-path-devlink-for-multipath-nvme-bloc.patch b/backport-udev-support-by-path-devlink-for-multipath-nvme-bloc.patch deleted file mode 100644 index 92ee8b3..0000000 --- a/backport-udev-support-by-path-devlink-for-multipath-nvme-bloc.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 67c3e1f63a5221b47a8fea85ae421671f29f3b7e Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 21 Sep 2022 02:26:42 +0900 -Subject: [PATCH] udev: support by-path devlink for multipath nvme block - devices - -If multipath feature is enabled, nvme block devices may belong to the -"nvme-subsystem" subsystem, instead of "nvme" subsystem. -(What a confusing name...) - -Then, the syspath is something like the following, - /sys/devices/virtual/nvme-subsystem/nvme-subsys0/nvme0n1 -Hence, we need to find the 'real parent' device, such as - /sys/devices/pci0000:00/0000:00:1c.4/0000:3c:00.0/nvme/nvme0 - -Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2031810. -Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2124964. -Replaces #24748. - -Conflict:different code contexts, manual synchronization path, and include patch 6209bb and f4a449 to fix coredump in 67c3e1f -Reference:https://github.com/systemd/systemd/commit/67c3e1f63a5221b47a8fea85ae421671f29f3b7e ---- - rules.d/60-persistent-storage.rules | 1 + - src/udev/udev-builtin-path_id.c | 61 +++++++++++++++++++++++++---- - 2 files changed, 54 insertions(+), 8 deletions(-) - -diff --git a/rules.d/60-persistent-storage.rules b/rules.d/60-persistent-storage.rules -index 03f0a619dc..64a2409196 100644 ---- a/rules.d/60-persistent-storage.rules -+++ b/rules.d/60-persistent-storage.rules -@@ -88,6 +88,7 @@ KERNEL=="msblk[0-9]p[0-9]|mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL} - - # by-path - ENV{DEVTYPE}=="disk", DEVPATH!="*/virtual/*", IMPORT{builtin}="path_id" -+ENV{DEVTYPE}=="disk", SUBSYSTEMS=="nvme-subsystem", IMPORT{builtin}="path_id" - KERNEL=="mmcblk[0-9]boot[0-9]", ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-boot%n" - KERNEL!="mmcblk[0-9]boot[0-9]", ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}" - ENV{DEVTYPE}=="partition", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-part%n" -diff --git a/src/udev/udev-builtin-path_id.c b/src/udev/udev-builtin-path_id.c -index ce7bc5caf0..7ec2e94583 100644 ---- a/src/udev/udev-builtin-path_id.c -+++ b/src/udev/udev-builtin-path_id.c -@@ -543,19 +543,55 @@ static sd_device *handle_ap(sd_device *parent, char **path) { - return skip_subsystem(parent, "ap"); - } - -+static int find_real_nvme_parent(sd_device *dev, sd_device **ret) { -+ _cleanup_(sd_device_unrefp) sd_device *nvme = NULL; -+ const char *sysname, *end; -+ int r; -+ -+ /* If the device belongs to "nvme-subsystem" (not to be confused with "nvme"), which happens when -+ * NVMe multipathing is enabled in the kernel (/sys/module/nvme_core/parameters/multipath is Y), -+ * then the syspath is something like the following: -+ * /sys/devices/virtual/nvme-subsystem/nvme-subsys0/nvme0n1 -+ * Hence, we need to find the 'real parent' in "nvme" subsystem, e.g, -+ * /sys/devices/pci0000:00/0000:00:1c.4/0000:3c:00.0/nvme/nvme0 */ -+ -+ assert(dev); -+ assert(ret); -+ -+ r = sd_device_get_sysname(dev, &sysname); -+ if (r < 0) -+ return r; -+ -+ /* The sysname format of nvme block device is nvme%d[c%d]n%d[p%d], e.g. nvme0n1p2 or nvme0c1n2. -+ * (Note, nvme device with 'c' can be ignored, as they are hidden. ) -+ * The sysname format of nvme subsystem device is nvme%d. -+ * See nvme_alloc_ns() and nvme_init_ctrl() in drivers/nvme/host/core.c for more details. */ -+ end = startswith(sysname, "nvme"); -+ if (!end) -+ return -ENXIO; -+ -+ end += strspn(end, DIGITS); -+ sysname = strndupa(sysname, end - sysname); -+ -+ r = sd_device_new_from_subsystem_sysname(&nvme, "nvme", sysname); -+ if (r < 0) -+ return r; -+ -+ *ret = TAKE_PTR(nvme); -+ return 0; -+} -+ - static int builtin_path_id(sd_device *dev, int argc, char *argv[], bool test) { -- sd_device *parent; -- _cleanup_free_ char *path = NULL; -- _cleanup_free_ char *compat_path = NULL; -- bool supported_transport = false; -- bool supported_parent = false; -+ _cleanup_(sd_device_unrefp) sd_device *dev_other_branch = NULL; -+ _cleanup_free_ char *path = NULL, *compat_path = NULL; -+ bool supported_transport = false, supported_parent = false; - const char *subsystem; -+ int r; - - assert(dev); - - /* walk up the chain of devices and compose path */ -- parent = dev; -- while (parent) { -+ for (sd_device *parent = dev; parent; ) { - const char *subsys, *sysname; - - if (sd_device_get_subsystem(parent, &subsys) < 0 || -@@ -642,13 +678,22 @@ static int builtin_path_id(sd_device *dev, sd_netlink **rtnl, int argc, char *ar - parent = skip_subsystem(parent, "iucv"); - supported_transport = true; - supported_parent = true; -- } else if (streq(subsys, "nvme")) { -+ } else if (STR_IN_SET(subsys, "nvme", "nvme-subsystem")) { - const char *nsid; - - if (sd_device_get_sysattr_value(dev, "nsid", &nsid) >= 0) { - path_prepend(&path, "nvme-%s", nsid); - if (compat_path) - path_prepend(&compat_path, "nvme-%s", nsid); -+ -+ if (streq(subsys, "nvme-subsystem")) { -+ r = find_real_nvme_parent(dev, &dev_other_branch); -+ if (r < 0) -+ return r; -+ -+ parent = dev_other_branch; -+ } -+ - parent = skip_subsystem(parent, "nvme"); - supported_parent = true; - supported_transport = true; --- -2.33.0 - diff --git a/backport-udev-update-comment-and-log-messages.patch b/backport-udev-update-comment-and-log-messages.patch deleted file mode 100644 index 17dbaf9..0000000 --- a/backport-udev-update-comment-and-log-messages.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 87afc766d199642c6da956657b05690a39542856 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 12 Mar 2022 20:48:36 +0900 -Subject: [PATCH] udev: update comment and log message - -Reference:https://github.com/systemd/systemd/commit/87afc766d199642c6da956657b05690a39542856 -Conflict:NA - ---- - src/udev/udevd.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 41d0ec1e137c..0407068d5112 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -1448,10 +1448,11 @@ static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *si, voi - device_tag_index(worker->event->dev, NULL, false); - - if (manager->monitor) { -- /* forward kernel event without amending it */ -+ /* Forward kernel event unchanged */ - r = device_monitor_send_device(manager->monitor, NULL, worker->event->dev_kernel); - if (r < 0) -- log_device_error_errno(worker->event->dev_kernel, r, "Failed to send back device to kernel: %m"); -+ log_device_warning_errno(worker->event->dev_kernel, r, -+ "Failed to broadcast failed event to libudev listeners, ignoring: %m"); - } - } - - \ No newline at end of file diff --git a/backport-udev-update-log-message-to-clarify-that-the-error-is-ignored.patch b/backport-udev-update-log-message-to-clarify-that-the-error-is-ignored.patch deleted file mode 100644 index 06065e2..0000000 --- a/backport-udev-update-log-message-to-clarify-that-the-error-is-ignored.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 6be97d67c82ef5f45360c4323616739816b8f833 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 16 Jun 2021 21:02:01 +0900 -Subject: [PATCH] udev: update log message to clarify that the error is ignored - -Reference:https://github.com/systemd/systemd/commit/6be97d67c82ef5f45360c4323616739816b8f833 -Conflict:NA - ---- - src/udev/udevd.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/udev/udevd.c b/src/udev/udevd.c -index 546bfe039e1d..34a5c9d5d8ee 100644 ---- a/src/udev/udevd.c -+++ b/src/udev/udevd.c -@@ -171,8 +171,8 @@ static void event_free(Event *event) { - /* only clean up the queue from the process that created it */ - if (LIST_IS_EMPTY(event->manager->events) && - event->manager->pid == getpid_cached()) -- if (unlink("/run/udev/queue") < 0) -- log_warning_errno(errno, "Failed to unlink /run/udev/queue: %m"); -+ if (unlink("/run/udev/queue") < 0 && errno != ENOENT) -+ log_warning_errno(errno, "Failed to unlink /run/udev/queue, ignoring: %m"); - - free(event); - } -@@ -965,7 +965,7 @@ static int event_queue_insert(Manager *manager, sd_device *dev) { - if (LIST_IS_EMPTY(manager->events)) { - r = touch("/run/udev/queue"); - if (r < 0) -- log_warning_errno(r, "Failed to touch /run/udev/queue: %m"); -+ log_warning_errno(r, "Failed to touch /run/udev/queue, ignoring: %m"); - } - - LIST_APPEND(event, manager->events, event); diff --git a/backport-udev-when-setting-up-lo-do-not-return-an-error.patch b/backport-udev-when-setting-up-lo-do-not-return-an-error.patch deleted file mode 100644 index 3739d43..0000000 --- a/backport-udev-when-setting-up-lo-do-not-return-an-error.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 5f2582e23f10b46052c7f83b85c1f85184b4cd0f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 26 Jul 2021 11:46:12 +0200 -Subject: [PATCH] udev: when setting up lo, do not return an error - -From #20300: -> commit 70f32a260b5ebb68c19ecadf5d69b3844896ba55 -> Author: Yu Watanabe -> Date: Sun May 23 16:59:40 2021 +0900 - -> udev/net: do not manage loopback interfaces - -> There are nothing we can configure in udevd for loopback interfaces; -> no ethertool configs can be applied, MAC address, interface name should - -> introduced a regression for 'udevadm test-builtin net_setup_link /sys/class/net/lo/'. -> Prior to this commit this command would exit with 0 whereas after this commit -> it exists with 1. This causes cloud-init on Archlinux to fail as this command -> is run by it and likely also netplan to have networkd rescan and re-apply a -> bunch of things on NICs. - -I think it's reasonable to keep returning 0 here: we are intentatinally doing -nothing for the device, and that is not an error, but a (noop) success. - -Fixes #20300. - -(cherry picked from commit b4f0261337c91157231452b5a258799391d7ae51) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5f2582e23f10b46052c7f83b85c1f85184b4cd0f ---- - src/udev/udev-builtin-net_setup_link.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/udev/udev-builtin-net_setup_link.c b/src/udev/udev-builtin-net_setup_link.c -index d40251331c..5964e30bf1 100644 ---- a/src/udev/udev-builtin-net_setup_link.c -+++ b/src/udev/udev-builtin-net_setup_link.c -@@ -28,10 +28,12 @@ static int builtin_net_setup_link(sd_device *dev, int argc, char **argv, bool te - - r = link_config_get(ctx, dev, &link); - if (r < 0) { -- if (r == -ENOENT) -- return log_device_debug_errno(dev, r, "No matching link configuration found."); - if (r == -ENODEV) - return log_device_debug_errno(dev, r, "Link vanished while searching for configuration for it."); -+ if (r == -ENOENT) { -+ log_device_debug_errno(dev, r, "No matching link configuration found, ignoring device."); -+ return 0; -+ } - - return log_device_error_errno(dev, r, "Failed to get link config: %m"); - } --- -2.33.0 - diff --git a/backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch b/backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch deleted file mode 100644 index 2e2d230..0000000 --- a/backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 7a23db67795b6583028b7d7c0d5d8ef63c67d8c9 Mon Sep 17 00:00:00 2001 -From: Martin Wilck -Date: Thu, 20 Jan 2022 14:31:45 +0100 -Subject: [PATCH] udevadm: cleanup-db: don't delete information for kept db - entries - -devices with the db_persist property won't be deleted during database -cleanup. This applies to dm and md devices in particular. -For such devices, we should also keep the files under /run/udev/links, -/run/udev/tags, and /run/udev/watch, to make sure that after restart, -udevd has the same information about the devices as it did before -the cleanup. - -If we don't do this, a lower-priority device that is discovered in -the coldplug phase may take over symlinks from a device that persisted. -Not removing the watches also enables udevd to resume watching a device -after restart. - -Signed-off-by: Martin Wilck -(cherry picked from commit 7ec624147a41d80f8e492c9fe19a24e2cda58c25) -(cherry picked from commit ef7ceef26adb714ef44b2fbc07a219c05a012b42) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7a23db67795b6583028b7d7c0d5d8ef63c67d8c9 ---- - src/udev/udevadm-info.c | 64 +++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 61 insertions(+), 3 deletions(-) - -diff --git a/src/udev/udevadm-info.c b/src/udev/udevadm-info.c -index f05363150e..3314d6335e 100644 ---- a/src/udev/udevadm-info.c -+++ b/src/udev/udevadm-info.c -@@ -248,6 +248,64 @@ static void cleanup_dir(DIR *dir, mode_t mask, int depth) { - } - } - -+/* -+ * Assume that dir is a directory with file names matching udev data base -+ * entries for devices in /run/udev/data (such as "b8:16"), and removes -+ * all files except those that haven't been deleted in /run/udev/data -+ * (i.e. they were skipped during db cleanup because of the db_persist flag). -+ * Returns true if the directory is empty after cleanup. -+ */ -+static bool cleanup_dir_after_db_cleanup(DIR *dir, DIR *datadir) { -+ unsigned int kept = 0; -+ struct dirent *dent; -+ -+ assert(dir && datadir); -+ -+ FOREACH_DIRENT_ALL(dent, dir, break) { -+ struct stat data_stats, link_stats; -+ -+ if (dot_or_dot_dot(dent->d_name)) -+ continue; -+ if (fstatat(dirfd(dir), dent->d_name, &link_stats, AT_SYMLINK_NOFOLLOW) < 0) { -+ if (errno != ENOENT) -+ kept++; -+ continue; -+ } -+ -+ if (fstatat(dirfd(datadir), dent->d_name, &data_stats, 0) < 0) -+ (void) unlinkat(dirfd(dir), dent->d_name, -+ S_ISDIR(link_stats.st_mode) ? AT_REMOVEDIR : 0); -+ else -+ /* The entry still exists under /run/udev/data */ -+ kept++; -+ } -+ -+ return kept == 0; -+} -+ -+static void cleanup_dirs_after_db_cleanup(DIR *dir, DIR *datadir) { -+ struct dirent *dent; -+ -+ assert(dir && datadir); -+ -+ FOREACH_DIRENT_ALL(dent, dir, break) { -+ struct stat stats; -+ -+ if (dot_or_dot_dot(dent->d_name)) -+ continue; -+ if (fstatat(dirfd(dir), dent->d_name, &stats, AT_SYMLINK_NOFOLLOW) < 0) -+ continue; -+ if (S_ISDIR(stats.st_mode)) { -+ _cleanup_closedir_ DIR *dir2 = NULL; -+ -+ dir2 = fdopendir(openat(dirfd(dir), dent->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)); -+ if (dir2 && cleanup_dir_after_db_cleanup(dir2, datadir)) -+ (void) unlinkat(dirfd(dir), dent->d_name, AT_REMOVEDIR); -+ } else -+ (void) unlinkat(dirfd(dir), dent->d_name, 0); -+ } -+} -+ - static void cleanup_db(void) { - _cleanup_closedir_ DIR *dir1 = NULL, *dir2 = NULL, *dir3 = NULL, *dir4 = NULL, *dir5 = NULL; - -@@ -257,11 +315,11 @@ static void cleanup_db(void) { - - dir2 = opendir("/run/udev/links"); - if (dir2) -- cleanup_dir(dir2, 0, 2); -+ cleanup_dirs_after_db_cleanup(dir2, dir1); - - dir3 = opendir("/run/udev/tags"); - if (dir3) -- cleanup_dir(dir3, 0, 2); -+ cleanup_dirs_after_db_cleanup(dir3, dir1); - - dir4 = opendir("/run/udev/static_node-tags"); - if (dir4) -@@ -269,7 +327,7 @@ static void cleanup_db(void) { - - dir5 = opendir("/run/udev/watch"); - if (dir5) -- cleanup_dir(dir5, 0, 1); -+ cleanup_dir_after_db_cleanup(dir5, dir1); - } - - static int query_device(QueryType query, sd_device* device) { --- -2.33.0 - diff --git a/backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch b/backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch deleted file mode 100644 index fa22397..0000000 --- a/backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 75ff2fb73ed545d0427aea251fae6d55124f0e7c Mon Sep 17 00:00:00 2001 -From: Martin Wilck -Date: Fri, 21 Jan 2022 10:44:26 +0100 -Subject: [PATCH] udevadm: cleanup_dir: use dot_or_dot_dot() - -which is safer than just checking dent[0]. -Also, fix two style issues. - -(cherry picked from commit 28d6e8545151d413f8614db9fa790f9f9edbb045) -(cherry picked from commit 494e3c0def197abd4ec88f7b0c3ba331a708d81e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/75ff2fb73ed545d0427aea251fae6d55124f0e7c ---- - src/udev/udevadm-info.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/udev/udevadm-info.c b/src/udev/udevadm-info.c -index fa7f04f14c..f05363150e 100644 ---- a/src/udev/udevadm-info.c -+++ b/src/udev/udevadm-info.c -@@ -224,12 +224,14 @@ static void cleanup_dir(DIR *dir, mode_t mask, int depth) { - if (depth <= 0) - return; - -+ assert(dir); -+ - FOREACH_DIRENT_ALL(dent, dir, break) { - struct stat stats; - -- if (dent->d_name[0] == '.') -+ if (dot_or_dot_dot(dent->d_name)) - continue; -- if (fstatat(dirfd(dir), dent->d_name, &stats, AT_SYMLINK_NOFOLLOW) != 0) -+ if (fstatat(dirfd(dir), dent->d_name, &stats, AT_SYMLINK_NOFOLLOW) < 0) - continue; - if ((stats.st_mode & mask) != 0) - continue; --- -2.33.0 - diff --git a/backport-umask-util-add-helper-that-resets-umask-until-end-of.patch b/backport-umask-util-add-helper-that-resets-umask-until-end-of.patch deleted file mode 100644 index 3316a58..0000000 --- a/backport-umask-util-add-helper-that-resets-umask-until-end-of.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 77cfa37459fbd350c67c08597aaa5cc098fcc1ee Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 12 Nov 2021 11:06:46 +0100 -Subject: [PATCH] umask-util: add helper that resets umask until end of current - code block - -(cherry picked from commit 52f05ef21d7790f37bc3cd6e54fb9a4bcb16efa5) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/77cfa37459fbd350c67c08597aaa5cc098fcc1ee ---- - src/basic/umask-util.h | 3 +++ - src/nspawn/nspawn.c | 9 +++------ - src/shared/dev-setup.c | 3 +-- - src/test/test-fs-util.c | 3 ++- - 4 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/basic/umask-util.h b/src/basic/umask-util.h -index bd7c2bdb8c..90d18f70ba 100644 ---- a/src/basic/umask-util.h -+++ b/src/basic/umask-util.h -@@ -24,3 +24,6 @@ assert_cc((S_IFMT & 0777) == 0); - for (_cleanup_umask_ mode_t _saved_umask_ = umask(mask) | S_IFMT; \ - FLAGS_SET(_saved_umask_, S_IFMT); \ - _saved_umask_ &= 0777) -+ -+#define BLOCK_WITH_UMASK(mask) \ -+ _unused_ _cleanup_umask_ mode_t _saved_umask_ = umask(mask); -diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index 575b9da447..1c468b310f 100644 ---- a/src/nspawn/nspawn.c -+++ b/src/nspawn/nspawn.c -@@ -2201,13 +2201,12 @@ static int copy_devnodes(const char *dest) { - "tty\0" - "net/tun\0"; - -- _cleanup_umask_ mode_t u; - const char *d; - int r = 0; - - assert(dest); - -- u = umask(0000); -+ BLOCK_WITH_UMASK(0000); - - /* Create /dev/net, so that we can create /dev/net/tun in it */ - if (userns_mkdir(dest, "/dev/net", 0755, 0, 0) < 0) -@@ -2284,11 +2283,10 @@ static int copy_devnodes(const char *dest) { - } - - static int make_extra_nodes(const char *dest) { -- _cleanup_umask_ mode_t u; - size_t i; - int r; - -- u = umask(0000); -+ BLOCK_WITH_UMASK(0000); - - for (i = 0; i < arg_n_extra_nodes; i++) { - _cleanup_free_ char *path = NULL; -@@ -2485,12 +2483,11 @@ static int setup_kmsg(int kmsg_socket) { - _cleanup_(unlink_and_freep) char *from = NULL; - _cleanup_free_ char *fifo = NULL; - _cleanup_close_ int fd = -1; -- _cleanup_umask_ mode_t u; - int r; - - assert(kmsg_socket >= 0); - -- u = umask(0000); -+ BLOCK_WITH_UMASK(0000); - - /* We create the kmsg FIFO as as temporary file in /run, but immediately delete it after bind mounting it to - * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves -diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c -index b788b06913..0390abbfdc 100644 ---- a/src/shared/dev-setup.c -+++ b/src/shared/dev-setup.c -@@ -81,13 +81,12 @@ int make_inaccessible_nodes( - { "inaccessible/blk", S_IFBLK | 0000 }, - }; - -- _cleanup_umask_ mode_t u; - int r; - - if (!parent_dir) - parent_dir = "/run/systemd"; - -- u = umask(0000); -+ BLOCK_WITH_UMASK(0000); - - /* Set up inaccessible (and empty) file nodes of all types. This are used to as mount sources for over-mounting - * ("masking") file nodes that shall become inaccessible and empty for specific containers or services. We try -diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c -index 08bebcf0e8..a24558f25b 100644 ---- a/src/test/test-fs-util.c -+++ b/src/test/test-fs-util.c -@@ -763,7 +763,6 @@ static void test_rename_noreplace(void) { - - static void test_chmod_and_chown(void) { - _cleanup_(rm_rf_physical_and_freep) char *d = NULL; -- _unused_ _cleanup_umask_ mode_t u = umask(0000); - struct stat st; - const char *p; - -@@ -772,6 +771,8 @@ static void test_chmod_and_chown(void) { - - log_info("/* %s */", __func__); - -+ BLOCK_WITH_UMASK(0000); -+ - assert_se(mkdtemp_malloc(NULL, &d) >= 0); - - p = strjoina(d, "/reg"); --- -2.33.0 - diff --git a/backport-unit-coldplug-both-job-and-nop_job-if-possible.patch b/backport-unit-coldplug-both-job-and-nop_job-if-possible.patch deleted file mode 100644 index 1858050..0000000 --- a/backport-unit-coldplug-both-job-and-nop_job-if-possible.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 213ae9db6274227636fdca6731511499ed933e61 Mon Sep 17 00:00:00 2001 -From: Geass-LL -Date: Fri, 2 Apr 2021 11:27:59 +0800 -Subject: [PATCH] unit: coldplug both job and nop_job if possible - -Sometimes, both job and nop_job are deserialized. In this case, -if we only cold plug the job, the nop_job will also stuck in the -job list. - -(cherry picked from commit 7dbd330c7ef28852db0fb044503ed6f072477d50) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/213ae9db6274227636fdca6731511499ed933e61 ---- - src/core/unit.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index e469beb534..38d3eb703f 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -3581,7 +3581,6 @@ int unit_add_blockdev_dependency(Unit *u, const char *what, UnitDependencyMask m - int unit_coldplug(Unit *u) { - int r = 0, q; - char **i; -- Job *uj; - - assert(u); - -@@ -3604,9 +3603,13 @@ int unit_coldplug(Unit *u) { - r = q; - } - -- uj = u->job ?: u->nop_job; -- if (uj) { -- q = job_coldplug(uj); -+ if (u->job) { -+ q = job_coldplug(u->job); -+ if (q < 0 && r >= 0) -+ r = q; -+ } -+ if (u->nop_job) { -+ q = job_coldplug(u->nop_job); - if (q < 0 && r >= 0) - r = q; - } --- -2.33.0 - diff --git a/backport-unit-escape.patch b/backport-unit-escape.patch deleted file mode 100644 index 2394762..0000000 --- a/backport-unit-escape.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 6e4d122ad1db11ca898de183f898f731c4839d4a Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 23 Feb 2022 01:29:42 +0900 -Subject: [PATCH] unit: escape % - -Fixes #22601. ---- - units/tmp.mount | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/units/tmp.mount b/units/tmp.mount -index 4e1bb8de24..734acea237 100644 ---- a/units/tmp.mount -+++ b/units/tmp.mount -@@ -22,4 +22,4 @@ After=swap.target - What=tmpfs - Where=/tmp - Type=tmpfs --Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=1m -+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m --- -2.27.0 - diff --git a/backport-unit-file-avoid-null-in-debugging-logs.patch b/backport-unit-file-avoid-null-in-debugging-logs.patch deleted file mode 100644 index 5abc189..0000000 --- a/backport-unit-file-avoid-null-in-debugging-logs.patch +++ /dev/null @@ -1,43 +0,0 @@ -From e58e1472edc97ff2b234fda60fd0f977f12659fb Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 23 Jul 2022 12:48:35 +0900 -Subject: [PATCH] unit-file: avoid (null) in debugging logs - -The variable `inst` was set to NULL by TAKE_PTR(). - -This fixes the following log message: -``` -systemd[1]: Unit getty@tty2.service has alias (null). -``` - -(cherry picked from commit 7c35b78a0b96085e3d634542212c5521bc2a2f21) -(cherry picked from commit 9ac0ad80fe97c22ec3dc4670e859abaae9a1f8bf) -(cherry picked from commit 0e7214c8b5c95bc378ad6b9353e944ec0fba4e21) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e58e1472edc97ff2b234fda60fd0f977f12659fb ---- - src/basic/unit-file.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c -index d1e997ec9f..7b0c932654 100644 ---- a/src/basic/unit-file.c -+++ b/src/basic/unit-file.c -@@ -520,12 +520,9 @@ static int add_names( - continue; - } - -- r = set_consume(*names, TAKE_PTR(inst)); -- if (r > 0) -- log_debug("Unit %s has alias %s.", unit_name, inst); -+ r = add_name(unit_name, names, inst); - } else - r = add_name(unit_name, names, *alias); -- - if (r < 0) - return r; - } --- -2.27.0 - diff --git a/backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch b/backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch deleted file mode 100644 index 0829a03..0000000 --- a/backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 02d51801672376505f07fae5938e195845f2c7a9 Mon Sep 17 00:00:00 2001 -From: Dominique Martinet -Date: Wed, 24 Nov 2021 22:27:22 +0900 -Subject: [PATCH] unit_is_bound_by_inactive: fix return pointer check - -*ret_culprit should be set if ret_culprit has been passed a non-null value, -checking the previous *ret_culprit value does not make sense. - -This would cause the culprit to not properly be assigned, leading to -pid1 crash when a unit could not be stopped. - -Fixes: #21476 - -(cherry picked from commit 3da361064bf550d1818c7cd800a514326058e5f2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/02d51801672376505f07fae5938e195845f2c7a9 ---- - src/core/unit.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index 38d3eb703f..c792bd8e82 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -2118,7 +2118,7 @@ bool unit_is_bound_by_inactive(Unit *u, Unit **ret_culprit) { - continue; - - if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) { -- if (*ret_culprit) -+ if (ret_culprit) - *ret_culprit = other; - - return true; --- -2.33.0 - diff --git a/backport-units-remove-the-restart-limit-on-the-modprobe-.serv.patch b/backport-units-remove-the-restart-limit-on-the-modprobe-.serv.patch deleted file mode 100644 index 2de832e..0000000 --- a/backport-units-remove-the-restart-limit-on-the-modprobe-.serv.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 639423416c18c3a41a8f326618e340c25585a40a Mon Sep 17 00:00:00 2001 -From: Alban Bedel -Date: Wed, 15 Jun 2022 13:12:46 +0200 -Subject: [PATCH] units: remove the restart limit on the modprobe@.service - -They are various cases where the same module might be repeatedly -loaded in a short time frame, for example if a service depending on a -module keep restarting, or if many instances of such service get -started at the same time. If this happend the modprobe@.service -instance will be marked as failed because it hit the restart limit. - -Overall it doesn't seems to make much sense to have a restart limit on -the modprobe service so just disable it. - -Fixes: #23742 -(cherry picked from commit 9625350e5381a68c1179ae4581e7586c206663e1) -(cherry picked from commit 8539a62207c9d0cc1656458eb53ffc9177b2c7c8) ---- - units/modprobe@.service | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/units/modprobe@.service b/units/modprobe@.service -index cf8baf6084..85a2c08dee 100644 ---- a/units/modprobe@.service -+++ b/units/modprobe@.service -@@ -13,6 +13,7 @@ DefaultDependencies=no - Before=sysinit.target - Documentation=man:modprobe(8) - ConditionCapability=CAP_SYS_MODULE -+StartLimitIntervalSec=0 - - [Service] - Type=oneshot --- -2.33.0 - diff --git a/backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch b/backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch deleted file mode 100644 index cd65874..0000000 --- a/backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 5ee578fd13809e08fbda1a9bca2256ffd24e9857 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 5 Oct 2021 18:24:05 +0200 -Subject: [PATCH] user-record: disable two pbkdf fields that don't apply for - pkbdf2 - -Fixes: #20830 -(cherry picked from commit 8b4f88d13681c6dec839de06c668d32374d44724) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5ee578fd13809e08fbda1a9bca2256ffd24e9857 ---- - src/shared/user-record.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/src/shared/user-record.c b/src/shared/user-record.c -index 17460ceaf6..5fb3d4bbf2 100644 ---- a/src/shared/user-record.c -+++ b/src/shared/user-record.c -@@ -1913,9 +1913,9 @@ uint64_t user_record_luks_pbkdf_memory_cost(UserRecord *h) { - assert(h); - - /* Returns a value with kb granularity, since that's what libcryptsetup expects */ -- - if (h->luks_pbkdf_memory_cost == UINT64_MAX) -- return 64*1024*1024; /* We default to 64M, since this should work on smaller systems too */ -+ return streq(user_record_luks_pbkdf_type(h), "pbkdf2") ? 0 : /* doesn't apply for simple pbkdf2 */ -+ 64*1024*1024; /* We default to 64M, since this should work on smaller systems too */ - - return MIN(DIV_ROUND_UP(h->luks_pbkdf_memory_cost, 1024), UINT32_MAX) * 1024; - } -@@ -1923,8 +1923,9 @@ uint64_t user_record_luks_pbkdf_memory_cost(UserRecord *h) { - uint64_t user_record_luks_pbkdf_parallel_threads(UserRecord *h) { - assert(h); - -- if (h->luks_pbkdf_memory_cost == UINT64_MAX) -- return 1; /* We default to 1, since this should work on smaller systems too */ -+ if (h->luks_pbkdf_parallel_threads == UINT64_MAX) -+ return streq(user_record_luks_pbkdf_type(h), "pbkdf2") ? 0 : /* doesn't apply for simple pbkdf2 */ -+ 1; /* We default to 1, since this should work on smaller systems too */ - - return MIN(h->luks_pbkdf_parallel_threads, UINT32_MAX); - } --- -2.33.0 - diff --git a/backport-user-record-fix-display-of-access-mode.patch b/backport-user-record-fix-display-of-access-mode.patch deleted file mode 100644 index bc28126..0000000 --- a/backport-user-record-fix-display-of-access-mode.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 9e318d9ff288b2b12b21a534d0cab3b4e153b462 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 5 Nov 2021 16:36:32 +0100 -Subject: [PATCH] user-record: fix display of access mode - -(cherry picked from commit 7cdd5c0d4c2213b791d8d22e7dd466a39e9c5db0) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/9e318d9ff288b2b12b21a534d0cab3b4e153b462 ---- - src/shared/user-record-show.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/shared/user-record-show.c b/src/shared/user-record-show.c -index 29790282b4..54ff949ff5 100644 ---- a/src/shared/user-record-show.c -+++ b/src/shared/user-record-show.c -@@ -280,7 +280,7 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) { - printf(" IO Weight: %" PRIu64 "\n", hr->io_weight); - - if (hr->access_mode != MODE_INVALID) -- printf(" Access Mode: 0%03oo\n", user_record_access_mode(hr)); -+ printf(" Access Mode: 0%03o\n", user_record_access_mode(hr)); - - if (storage == USER_LUKS) { - printf("LUKS Discard: online=%s offline=%s\n", yes_no(user_record_luks_discard(hr)), yes_no(user_record_luks_offline_discard(hr))); --- -2.33.0 - diff --git a/backport-userdb-fix-type-to-pass-to-connect.patch b/backport-userdb-fix-type-to-pass-to-connect.patch deleted file mode 100644 index 6c89beb..0000000 --- a/backport-userdb-fix-type-to-pass-to-connect.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 667eab61d4c5520d7875de5df489ec68a4c9f123 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sat, 16 Oct 2021 05:04:26 +0900 -Subject: [PATCH] userdb: fix type to pass to connect() - -Fixes https://github.com/systemd/systemd/pull/20613#issuecomment-944621275. - -(cherry picked from commit c14e57356f1e82c35bf3a3e8aaeac134b545801b) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/667eab61d4c5520d7875de5df489ec68a4c9f123 ---- - src/userdb/userdbctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c -index 8db0c34fb5..9ec0ad6c5e 100644 ---- a/src/userdb/userdbctl.c -+++ b/src/userdb/userdbctl.c -@@ -512,7 +512,7 @@ static int display_services(int argc, char *argv[], void *userdata) { - if (fd < 0) - return log_error_errno(r, "Failed to allocate AF_UNIX/SOCK_STREAM socket: %m"); - -- if (connect(fd, &sockaddr.un, sockaddr_len) < 0) { -+ if (connect(fd, &sockaddr.sa, sockaddr_len) < 0) { - no = strjoin("No (", errno_to_name(errno), ")"); - if (!no) - return log_oom(); --- -2.33.0 - diff --git a/backport-util-another-set-of-CVE-2021-4034-assert-s.patch b/backport-util-another-set-of-CVE-2021-4034-assert-s.patch deleted file mode 100644 index ca8b54d..0000000 --- a/backport-util-another-set-of-CVE-2021-4034-assert-s.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 356b1ee1febeecf636eec6b7e08036603bf760d5 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 1 Feb 2022 12:06:21 +0100 -Subject: [PATCH] util: another set of CVE-2021-4034 assert()s - -It's a good idea that we validate argc/argv when we are supposed to -store them away. - -(cherry picked from commit 007e03b284e8ffc0b92edb2122cd9d2d16f049ef) -(cherry picked from commit dcba78244e5dc3a4b57fb978a2d21640164c89a2) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/356b1ee1febeecf636eec6b7e08036603bf760d5 ---- - src/basic/util.h | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/basic/util.h b/src/basic/util.h -index b6c51c036e..22fcef719f 100644 ---- a/src/basic/util.h -+++ b/src/basic/util.h -@@ -9,6 +9,12 @@ extern int saved_argc; - extern char **saved_argv; - - static inline void save_argc_argv(int argc, char **argv) { -+ -+ /* Protect against CVE-2021-4034 style attacks */ -+ assert_se(argc > 0); -+ assert_se(argv); -+ assert_se(argv[0]); -+ - saved_argc = argc; - saved_argv = argv; - } --- -2.33.0 - diff --git a/backport-utmp-remove-dev-from-line.patch b/backport-utmp-remove-dev-from-line.patch deleted file mode 100644 index 5b6f2ef..0000000 --- a/backport-utmp-remove-dev-from-line.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 09534e85b5c51c664077637e7e8c7c68dec52972 Mon Sep 17 00:00:00 2001 -From: Vincent Bernat -Date: Mon, 18 Oct 2021 20:58:43 +0200 -Subject: [PATCH] utmp: remove /dev from line - -utmp(5) says `ut_line` is the device name minus the leading "/dev/". Therefore, -remove it. Without that, when using UtmpMode=user, we get `/dev/tty` in the -output of `last`/`w`. - -(cherry picked from commit 33331d116db2eaf1189ea56ee4b36540179ac3dd) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/09534e85b5c51c664077637e7e8c7c68dec52972 ---- - src/core/execute.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index 2a337b55a2..6ff757ff04 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -4059,13 +4059,17 @@ static int exec_child( - } - } - -- if (context->utmp_id) -+ if (context->utmp_id) { -+ const char *line = context->tty_path ? -+ (path_startswith(context->tty_path, "/dev/") ?: context->tty_path) : -+ NULL; - utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0), -- context->tty_path, -+ line, - context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS : - context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS : - USER_PROCESS, - username); -+ } - - if (uid_is_valid(uid)) { - r = chown_terminal(STDIN_FILENO, uid); --- -2.33.0 - diff --git a/backport-varlink-disconnect-varlink-link-in-one-more-case.patch b/backport-varlink-disconnect-varlink-link-in-one-more-case.patch deleted file mode 100644 index 915d3db..0000000 --- a/backport-varlink-disconnect-varlink-link-in-one-more-case.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 968f2f3f5a76b05142e1de447bb79f4f97868721 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 21 Oct 2021 17:29:48 +0200 -Subject: [PATCH] varlink: disconnect varlink link in one more case - -Previously we'd possibly see POLLHUP on a varlink link, and continue to -run epoll on it even though we have nothing to read nor write anymore. - -Let's fix that, and once we know that there's nothing to write anymore -(or we saw a write error already) we'll disconnect after POLLHUP. - -Fixes: #20062 -(cherry picked from commit 7c26a631ad8bf91016db156b7d299ca68fd7866e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/968f2f3f5a76b05142e1de447bb79f4f97868721 ---- - src/shared/varlink.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/shared/varlink.c b/src/shared/varlink.c -index 8da568e208..a57475b5ba 100644 ---- a/src/shared/varlink.c -+++ b/src/shared/varlink.c -@@ -417,9 +417,10 @@ static int varlink_test_disconnect(Varlink *v) { - if (IN_SET(v->state, VARLINK_IDLE_CLIENT) && (v->write_disconnected || v->got_pollhup)) - goto disconnect; - -- /* The server is still expecting to write more, but its write end is disconnected and it got a POLLHUP -- * (i.e. from a disconnected client), so disconnect. */ -- if (IN_SET(v->state, VARLINK_PENDING_METHOD, VARLINK_PENDING_METHOD_MORE) && v->write_disconnected && v->got_pollhup) -+ /* We are on the server side and still want to send out more replies, but we saw POLLHUP already, and -+ * either got no buffered bytes to write anymore or already saw a write error. In that case we should -+ * shut down the varlink link. */ -+ if (IN_SET(v->state, VARLINK_PENDING_METHOD, VARLINK_PENDING_METHOD_MORE) && (v->write_disconnected || v->output_buffer_size == 0) && v->got_pollhup) - goto disconnect; - - return 0; --- -2.33.0 - diff --git a/backport-veritysetup-print-help-for-help-h-help.patch b/backport-veritysetup-print-help-for-help-h-help.patch deleted file mode 100644 index a3725c9..0000000 --- a/backport-veritysetup-print-help-for-help-h-help.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 5e5923f272682476c053e5afd705e0f6b4595cbf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sat, 31 Jul 2021 09:00:11 +0200 -Subject: [PATCH] veritysetup: print help for --help/-h/help - -In general our commands print help on --help, but here this would trigger -the error that two arguments are needed. Let's make this more user-friendly. - -(cherry picked from commit 5d5e43cc33637a12f743f17294cfbd3ede08a1b3) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5e5923f272682476c053e5afd705e0f6b4595cbf ---- - src/veritysetup/veritysetup.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c -index 34208dcd87..14d7462ddb 100644 ---- a/src/veritysetup/veritysetup.c -+++ b/src/veritysetup/veritysetup.c -@@ -130,7 +130,10 @@ static int run(int argc, char *argv[]) { - _cleanup_(crypt_freep) struct crypt_device *cd = NULL; - int r; - -- if (argc <= 1) -+ if (argc <= 1 || -+ strv_contains(strv_skip(argv, 1), "--help") || -+ strv_contains(strv_skip(argv, 1), "-h") || -+ streq(argv[1], "help")) - return help(); - - if (argc < 3) --- -2.33.0 - diff --git a/backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch b/backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch deleted file mode 100644 index fc435fc..0000000 --- a/backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch +++ /dev/null @@ -1,45 +0,0 @@ -From ba22ee4985c6ca690b84fdca36cf012b200a3c4e Mon Sep 17 00:00:00 2001 -From: Boqun Feng -Date: Tue, 23 Nov 2021 15:09:26 +0800 -Subject: [PATCH] virt: Fix the detection for Hyper-V VMs - -Use product_version instead of product_name in DMI table and the string -"Hyper-V" to avoid misdetection. - -Fixes: #21468 - -Signed-off-by: Boqun Feng -(cherry picked from commit 76eec0649936d9ae2f9087769f463feaf0cf5cb4) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ba22ee4985c6ca690b84fdca36cf012b200a3c4e ---- - src/basic/virt.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/basic/virt.c b/src/basic/virt.c -index cc123a286f..bbc583ae52 100644 ---- a/src/basic/virt.c -+++ b/src/basic/virt.c -@@ -146,7 +146,8 @@ static int detect_vm_dmi_vendor(void) { - "/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */ - "/sys/class/dmi/id/sys_vendor", - "/sys/class/dmi/id/board_vendor", -- "/sys/class/dmi/id/bios_vendor" -+ "/sys/class/dmi/id/bios_vendor", -+ "/sys/class/dmi/id/product_version" /* For Hyper-V VMs test */ - }; - - static const struct { -@@ -165,7 +166,7 @@ static int detect_vm_dmi_vendor(void) { - { "Parallels", VIRTUALIZATION_PARALLELS }, - /* https://wiki.freebsd.org/bhyve */ - { "BHYVE", VIRTUALIZATION_BHYVE }, -- { "Microsoft", VIRTUALIZATION_MICROSOFT }, -+ { "Hyper-V", VIRTUALIZATION_MICROSOFT }, - }; - int r; - --- -2.33.0 - diff --git a/backport-virt-Improve-detection-of-EC2-metal-instances.patch b/backport-virt-Improve-detection-of-EC2-metal-instances.patch deleted file mode 100644 index 309cca9..0000000 --- a/backport-virt-Improve-detection-of-EC2-metal-instances.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 785e760653cf5249207caa80857956f0096525df Mon Sep 17 00:00:00 2001 -From: Benjamin Herrenschmidt -Date: Fri, 3 Sep 2021 11:36:46 +1000 -Subject: [PATCH] virt: Improve detection of EC2 metal instances - -The current detection code relies on /sys/firmware/dmi/entries/0-0/raw -to disambiguate Amazon EC2 virtualized from metal instances. - -Unfortunately this file is root only. Thus on a c6g.metal instance -(aarch64), we observe something like this: - -$ systemd-detect-virt -amazon -$ sudo systemd-detect-virt -none - -Only the latter is correct. - -The right long term fix is to extend the kernel to expose the SMBIOS BIOS -Characteristics properly via /sys/class/dmi, but until this happens (and -for backwards compatibility when it does), we need a plan B. - -This change implements such a workaround by falling back to using the -instance type from DMI and looking at the ".metal" string present on -metal instances. - -Signed-off-by: Benjamin Herrenschmidt -(cherry picked from commit f90eea7d18d9ebe88e6a66cd7a86b618def8945d) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/785e760653cf5249207caa80857956f0096525df ---- - src/basic/virt.c | 32 ++++++++++++++++++++++++++++++-- - 1 file changed, 30 insertions(+), 2 deletions(-) - -diff --git a/src/basic/virt.c b/src/basic/virt.c -index 7e88f09b48..7ed01ba3c9 100644 ---- a/src/basic/virt.c -+++ b/src/basic/virt.c -@@ -235,8 +235,36 @@ static int detect_vm_dmi(void) { - - /* The DMI vendor tables in /sys/class/dmi/id don't help us distinguish between Amazon EC2 - * virtual machines and bare-metal instances, so we need to look at SMBIOS. */ -- if (r == VIRTUALIZATION_AMAZON && detect_vm_smbios() == SMBIOS_VM_BIT_UNSET) -- return VIRTUALIZATION_NONE; -+ if (r == VIRTUALIZATION_AMAZON) { -+ switch (detect_vm_smbios()) { -+ case SMBIOS_VM_BIT_SET: -+ return VIRTUALIZATION_AMAZON; -+ case SMBIOS_VM_BIT_UNSET: -+ return VIRTUALIZATION_NONE; -+ case SMBIOS_VM_BIT_UNKNOWN: { -+ /* The DMI information we are after is only accessible to the root user, -+ * so we fallback to using the product name which is less restricted -+ * to distinguish metal systems from virtualized instances */ -+ _cleanup_free_ char *s = NULL; -+ -+ r = read_full_virtual_file("/sys/class/dmi/id/product_name", &s, NULL); -+ /* In EC2, virtualized is much more common than metal, so if for some reason -+ * we fail to read the DMI data, assume we are virtualized. */ -+ if (r < 0) { -+ log_debug_errno(r, "Can't read /sys/class/dmi/id/product_name," -+ " assuming virtualized: %m"); -+ return VIRTUALIZATION_AMAZON; -+ } -+ if (endswith(truncate_nl(s), ".metal")) { -+ log_debug("DMI product name ends with '.metal', assuming no virtualization"); -+ return VIRTUALIZATION_NONE; -+ } else -+ return VIRTUALIZATION_AMAZON; -+ } -+ default: -+ assert_not_reached("Bad virtualization value"); -+ } -+ } - - /* If we haven't identified a VM, but the firmware indicates that there is one, indicate as much. We - * have no further information about what it is. */ --- -2.33.0 - diff --git a/backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch b/backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch deleted file mode 100644 index 48ece31..0000000 --- a/backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 258968ba75bc27d4ea61967b9a27c1f139e89799 Mon Sep 17 00:00:00 2001 -From: Boqun Feng -Date: Wed, 13 Oct 2021 11:32:09 +0800 -Subject: [PATCH] virt: Support detection for ARM64 Hyper-V guests - -The detection of Microsoft Hyper-V VMs is done by cpuid currently, -however there is no cpuid on ARM64. And since ARM64 is now a supported -architecture for Microsoft Hyper-V guests[1], then use DMI tables to -detect a Hyper-V guest, which is more generic and works for ARM64. - -[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7aff79e297ee1aa0126924921fd87a4ae59d2467 - -(cherry picked from commit 506bbc8569014253ea8614b680ccbc4fc2513a87) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/258968ba75bc27d4ea61967b9a27c1f139e89799 ---- - src/basic/virt.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/basic/virt.c b/src/basic/virt.c -index 7ed01ba3c9..0243b2d2a8 100644 ---- a/src/basic/virt.c -+++ b/src/basic/virt.c -@@ -165,6 +165,7 @@ static int detect_vm_dmi_vendor(void) { - { "Parallels", VIRTUALIZATION_PARALLELS }, - /* https://wiki.freebsd.org/bhyve */ - { "BHYVE", VIRTUALIZATION_BHYVE }, -+ { "Microsoft", VIRTUALIZATION_MICROSOFT }, - }; - int r; - --- -2.33.0 - diff --git a/backport-virt-detect-OpenStack-Nova-instance.patch b/backport-virt-detect-OpenStack-Nova-instance.patch deleted file mode 100644 index 47f4df4..0000000 --- a/backport-virt-detect-OpenStack-Nova-instance.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 01d9fbccddd694bc584aed24eaa0543f831dc929 Mon Sep 17 00:00:00 2001 -From: wangyuhang -Date: Tue, 19 Apr 2022 21:05:25 +0800 -Subject: [PATCH] virt: detect OpenStack Nova instance - -Conflict:add testcase for virt detect OpenStack Nova instance -Reference:https://github.com/systemd/systemd/commit/01d9fbccddd694bc584aed24eaa0543f831dc929 ---- - src/basic/virt.c | 1 + - src/test/meson.build | 14 ++ - src/test/test-virt.c | 39 ++++++++++++++++++++++++++++++ - 3 file changed, 54 insertion(+) - -diff --git a/src/basic/virt.c b/src/basic/virt.c -index 7e88f09..d8740cf 100644 ---- a/src/basic/virt.c -+++ b/src/basic/virt.c -@@ -154,6 +154,7 @@ static int detect_vm_dmi_vendor(void) { - int id; - } dmi_vendor_table[] = { - { "KVM", VIRTUALIZATION_KVM }, -+ { "OpenStack", VIRTUALIZATION_KVM }, /* Detect OpenStack instance as KVM in non x86 architecture */ - { "Amazon EC2", VIRTUALIZATION_AMAZON }, - { "QEMU", VIRTUALIZATION_QEMU }, - { "VMware", VIRTUALIZATION_VMWARE }, /* https://kb.vmware.com/s/article/1009458 */ - -diff --git a/src/test/meson.build b/src/test/meson.build -index e106059..ea64a12 100644 ---- a/src/test/meson.build -+++ b/src/test/meson.build -@@ -602,6 +602,14 @@ tests += [ - - [['src/test/test-nscd-flush.c'], - [], [], [], 'ENABLE_NSCD', 'manual'], -+ -+ [['src/test/test-virt.c', -+ 'src/basic/virt.c', -+ 'src/basic/virt.h'], -+ [libcore, -+ libshared], -+ [], -+ core_includes], - ] - - ############################################################ - -diff --git a/src/test/test-virt.c b/src/test/test-virt.c -new file mode 100644 -index 0000000..17cc22e ---- /dev/null -+++ b/src/test/test-virt.c -@@ -0,0 +1,39 @@ -+/* SPDX-License-Identifier: LGPL-2.1-or-later */ -+ -+#include -+#include -+#include -+ -+#include "string-util.h" -+#include "fileio.h" -+#include "virt.h" -+#include "log.h" -+#include "tests.h" -+ -+static void detect_virt(const char *vendor) { -+ assert_se(write_string_file("/sys/class/dmi/id/product_name", vendor, -+ WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755) == 0); -+ -+ assert_se(detect_virtualization() == VIRTUALIZATION_KVM); -+} -+ -+int main(int argc, char *argv[]) { -+ char template[] = "/tmp/test-virt.XXXXXX"; -+ assert_se(mkdtemp(template)); -+ -+ if (geteuid() > 0 && unshare(CLONE_NEWUSER) != 0) { -+ (void) log_tests_skipped("Don't have namespace support"); -+ return EXIT_TEST_SKIP; -+ } -+ -+ if (chroot(template) != 0) { -+ (void) log_tests_skipped("Don't have chroot support"); -+ return EXIT_TEST_SKIP; -+ } -+ -+#if defined(__arm__) || defined(__aarch64__) -+ detect_virt("OpenStack Nova"); -+#endif -+ -+ return 0; -+} -\ No newline at end of file --- -2.27.0 - diff --git a/backport-wait-online-rename-Manager-elements.patch b/backport-wait-online-rename-Manager-elements.patch deleted file mode 100644 index 5011a97..0000000 --- a/backport-wait-online-rename-Manager-elements.patch +++ /dev/null @@ -1,175 +0,0 @@ -From 5d4fc5cb2a0d18f8a67468209227a59ec3f30b5f Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 26 Jan 2022 20:54:39 +0900 -Subject: [PATCH] wait-online: rename Manager elements - -(cherry picked from commit 5f200833ed0754adaba548b0b617f6c192615acd) -(cherry picked from commit 397ede8dcd29f35350c015f1d945e50c88476a93) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5d4fc5cb2a0d18f8a67468209227a59ec3f30b5f ---- - src/network/wait-online/link.c | 4 ++-- - src/network/wait-online/manager.c | 33 ++++++++++++++++++------------- - src/network/wait-online/manager.h | 8 ++++---- - 3 files changed, 25 insertions(+), 20 deletions(-) - -diff --git a/src/network/wait-online/link.c b/src/network/wait-online/link.c -index 5a33d563c2..0f5f68e765 100644 ---- a/src/network/wait-online/link.c -+++ b/src/network/wait-online/link.c -@@ -32,7 +32,7 @@ int link_new(Manager *m, Link **ret, int ifindex, const char *ifname) { - .required_operstate = LINK_OPERSTATE_RANGE_DEFAULT, - }; - -- r = hashmap_ensure_put(&m->links, NULL, INT_TO_PTR(ifindex), l); -+ r = hashmap_ensure_put(&m->links_by_index, NULL, INT_TO_PTR(ifindex), l); - if (r < 0) - return r; - -@@ -53,7 +53,7 @@ Link *link_free(Link *l) { - return NULL; - - if (l->manager) { -- hashmap_remove(l->manager->links, INT_TO_PTR(l->ifindex)); -+ hashmap_remove(l->manager->links_by_index, INT_TO_PTR(l->ifindex)); - hashmap_remove(l->manager->links_by_name, l->ifname); - } - -diff --git a/src/network/wait-online/manager.c b/src/network/wait-online/manager.c -index e1df0345c0..d8cf2338b0 100644 ---- a/src/network/wait-online/manager.c -+++ b/src/network/wait-online/manager.c -@@ -21,14 +21,15 @@ static bool manager_ignore_link(Manager *m, Link *link) { - return true; - - /* if interfaces are given on the command line, ignore all others */ -- if (m->interfaces && !hashmap_contains(m->interfaces, link->ifname)) -+ if (m->command_line_interfaces_by_name && -+ !hashmap_contains(m->command_line_interfaces_by_name, link->ifname)) - return true; - - if (!link->required_for_online) - return true; - - /* ignore interfaces we explicitly are asked to ignore */ -- return strv_fnmatch(m->ignore, link->ifname); -+ return strv_fnmatch(m->ignored_interfaces, link->ifname); - } - - static int manager_link_is_online(Manager *m, Link *l, LinkOperationalStateRange s) { -@@ -101,14 +102,14 @@ static int manager_link_is_online(Manager *m, Link *l, LinkOperationalStateRange - bool manager_configured(Manager *m) { - bool one_ready = false; - const char *ifname; -- void *p; - Link *l; - int r; - -- if (!hashmap_isempty(m->interfaces)) { -+ if (!hashmap_isempty(m->command_line_interfaces_by_name)) { -+ LinkOperationalStateRange *range; -+ - /* wait for all the links given on the command line to appear */ -- HASHMAP_FOREACH_KEY(p, ifname, m->interfaces) { -- LinkOperationalStateRange *range = p; -+ HASHMAP_FOREACH_KEY(range, ifname, m->command_line_interfaces_by_name) { - - l = hashmap_get(m->links_by_name, ifname); - if (!l && range->min == LINK_OPERSTATE_MISSING) { -@@ -139,7 +140,7 @@ bool manager_configured(Manager *m) { - - /* wait for all links networkd manages to be in admin state 'configured' - * and at least one link to gain a carrier */ -- HASHMAP_FOREACH(l, m->links) { -+ HASHMAP_FOREACH(l, m->links_by_index) { - if (manager_ignore_link(m, l)) { - log_link_debug(l, "link is ignored"); - continue; -@@ -191,7 +192,7 @@ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void * - return 0; - } - -- l = hashmap_get(m->links, INT_TO_PTR(ifindex)); -+ l = hashmap_get(m->links_by_index, INT_TO_PTR(ifindex)); - - switch (type) { - -@@ -294,7 +295,7 @@ static int on_network_event(sd_event_source *s, int fd, uint32_t revents, void * - - sd_network_monitor_flush(m->network_monitor); - -- HASHMAP_FOREACH(l, m->links) { -+ HASHMAP_FOREACH(l, m->links_by_index) { - r = link_update_monitor(l); - if (r < 0 && r != -ENODATA) - log_link_warning_errno(l, r, "Failed to update link state, ignoring: %m"); -@@ -331,10 +332,14 @@ static int manager_network_monitor_listen(Manager *m) { - return 0; - } - --int manager_new(Manager **ret, Hashmap *interfaces, char **ignore, -+int manager_new(Manager **ret, -+ Hashmap *command_line_interfaces_by_name, -+ char **ignored_interfaces, - LinkOperationalStateRange required_operstate, - AddressFamily required_family, -- bool any, usec_t timeout) { -+ bool any, -+ usec_t timeout) { -+ - _cleanup_(manager_freep) Manager *m = NULL; - int r; - -@@ -345,8 +350,8 @@ int manager_new(Manager **ret, Hashmap *interfaces, char **ignore, - return -ENOMEM; - - *m = (Manager) { -- .interfaces = interfaces, -- .ignore = ignore, -+ .command_line_interfaces_by_name = command_line_interfaces_by_name, -+ .ignored_interfaces = ignored_interfaces, - .required_operstate = required_operstate, - .required_family = required_family, - .any = any, -@@ -384,7 +389,7 @@ Manager* manager_free(Manager *m) { - if (!m) - return NULL; - -- hashmap_free_with_destructor(m->links, link_free); -+ hashmap_free_with_destructor(m->links_by_index, link_free); - hashmap_free(m->links_by_name); - - sd_event_source_unref(m->network_monitor_event_source); -diff --git a/src/network/wait-online/manager.h b/src/network/wait-online/manager.h -index f2e091638c..01ad18f8f6 100644 ---- a/src/network/wait-online/manager.h -+++ b/src/network/wait-online/manager.h -@@ -13,12 +13,12 @@ typedef struct Manager Manager; - typedef struct Link Link; - - struct Manager { -- Hashmap *links; -+ Hashmap *links_by_index; - Hashmap *links_by_name; - - /* Do not free the two members below. */ -- Hashmap *interfaces; -- char **ignore; -+ Hashmap *command_line_interfaces_by_name; -+ char **ignored_interfaces; - - LinkOperationalStateRange required_operstate; - AddressFamily required_family; -@@ -34,7 +34,7 @@ struct Manager { - }; - - Manager* manager_free(Manager *m); --int manager_new(Manager **ret, Hashmap *interfaces, char **ignore, -+int manager_new(Manager **ret, Hashmap *command_line_interfaces_by_name, char **ignored_interfaces, - LinkOperationalStateRange required_operstate, - AddressFamily required_family, - bool any, usec_t timeout); --- -2.33.0 - diff --git a/backport-watchdog-pass-right-error-code-to-log-function-so-th.patch b/backport-watchdog-pass-right-error-code-to-log-function-so-th.patch deleted file mode 100644 index cdc4dc9..0000000 --- a/backport-watchdog-pass-right-error-code-to-log-function-so-th.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 11d5f109b04cd61c8bf437065b5e178c485a49b4 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 15 Sep 2021 15:43:42 +0200 -Subject: [PATCH] watchdog: pass right error code to log function so that %m - works - -(cherry picked from commit a4588af942af976c55f72869340c24d5017db278) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/11d5f109b04cd61c8bf437065b5e178c485a49b4 ---- - src/shared/watchdog.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/shared/watchdog.c b/src/shared/watchdog.c -index d33acafe64..8586a88e54 100644 ---- a/src/shared/watchdog.c -+++ b/src/shared/watchdog.c -@@ -47,8 +47,8 @@ static int update_timeout(void) { - flags = WDIOS_ENABLECARD; - if (ioctl(watchdog_fd, WDIOC_SETOPTIONS, &flags) < 0) { - /* ENOTTY means the watchdog is always enabled so we're fine */ -- log_full(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, -- "Failed to enable hardware watchdog: %m"); -+ log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno, -+ "Failed to enable hardware watchdog, ignoring: %m"); - if (!ERRNO_IS_NOT_SUPPORTED(errno)) - return -errno; - } --- -2.33.0 - diff --git a/backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch b/backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch deleted file mode 100644 index ab388d4..0000000 --- a/backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5d3466ec91b05853b815db509b901e6a6d5f4db4 Mon Sep 17 00:00:00 2001 -From: Benjamin Berg -Date: Mon, 10 Jan 2022 12:35:46 +0100 -Subject: [PATCH] xdg-autostart-service: Ignore missing desktop-sepcific - condition binary - -If a desktop specific ExecCondition= binary does not exist, this just -means that the desktop environment is not available. As such, it is not -an error condition that should prevent the service from being installed -in the .wants target. - -Fix this by simply returning zero. - -(cherry picked from commit 6d0aef1dd15088e7379681b3bd93c3cb450f3c55) -(cherry picked from commit 19fbd7764da2e23a89e27b4d95afd77b99f4be87) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5d3466ec91b05853b815db509b901e6a6d5f4db4 ---- - src/xdg-autostart-generator/xdg-autostart-service.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/xdg-autostart-generator/xdg-autostart-service.c b/src/xdg-autostart-generator/xdg-autostart-service.c -index fe73bfe9db..16545beb50 100644 ---- a/src/xdg-autostart-generator/xdg-autostart-service.c -+++ b/src/xdg-autostart-generator/xdg-autostart-service.c -@@ -486,7 +486,7 @@ static int xdg_autostart_generate_desktop_condition( - log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_WARNING, r, - "%s not found: %m", test_binary); - fprintf(f, "# ExecCondition using %s skipped due to missing binary.\n", test_binary); -- return r; -+ return 0; - } - - e_autostart_condition = cescape(condition); --- -2.33.0 - diff --git a/bugfix-also-stop-machine-when-a-machine-un.patch b/bugfix-also-stop-machine-when-a-machine-un.patch index 39eebb2..ea7caf8 100644 --- a/bugfix-also-stop-machine-when-a-machine-un.patch +++ b/bugfix-also-stop-machine-when-a-machine-un.patch @@ -24,18 +24,18 @@ Change-Id: I80e3c32832f4ecf08b6cb149735978730ce1d1c0 3 files changed, 72 insertions(+), 1 deletion(-) diff --git a/src/machine/machine.c b/src/machine/machine.c -index c0ed24b..b48aee6 100644 +index c08a645..02fd9f7 100644 --- a/src/machine/machine.c +++ b/src/machine/machine.c @@ -32,6 +32,7 @@ + #include "tmpfile-util.h" #include "unit-name.h" #include "user-util.h" - #include "util.h" +#include "cgroup-util.h" - Machine* machine_new(Manager *manager, MachineClass class, const char *name) { - Machine *m; -@@ -523,6 +524,40 @@ int machine_finalize(Machine *m) { + DEFINE_TRIVIAL_CLEANUP_FUNC(Machine*, machine_free); + +@@ -520,6 +521,40 @@ int machine_finalize(Machine *m) { return 0; } @@ -76,7 +76,7 @@ index c0ed24b..b48aee6 100644 bool machine_may_gc(Machine *m, bool drop_not_started) { assert(m); -@@ -535,7 +570,7 @@ bool machine_may_gc(Machine *m, bool drop_not_started) { +@@ -532,7 +567,7 @@ bool machine_may_gc(Machine *m, bool drop_not_started) { if (m->scope_job && manager_job_is_active(m->manager, m->scope_job)) return false; @@ -86,10 +86,10 @@ index c0ed24b..b48aee6 100644 return true; diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c -index 342b18a..dcc2253 100644 +index 0c157a9..10d370f 100644 --- a/src/machine/machined-dbus.c +++ b/src/machine/machined-dbus.c -@@ -1614,3 +1614,38 @@ int manager_add_machine(Manager *m, const char *name, Machine **_machine) { +@@ -1509,3 +1509,38 @@ int manager_add_machine(Manager *m, const char *name, Machine **_machine) { return 0; } @@ -141,5 +141,5 @@ index 280c32b..6b8d98b 100644 #if ENABLE_NSCD int manager_enqueue_nscd_cache_flush(Manager *m); -- -2.23.0 +2.33.0 diff --git a/check-whether-command_prev-is-null-before-assigning-.patch b/check-whether-command_prev-is-null-before-assigning-.patch index bdca1fe..06ebf86 100644 --- a/check-whether-command_prev-is-null-before-assigning-.patch +++ b/check-whether-command_prev-is-null-before-assigning-.patch @@ -18,11 +18,11 @@ index 9a26271f72..3c255b3bcc 100644 - + if (!current) + return 0; - first = s->exec_command[id]; + const ExecCommand *first = s->exec_command[id]; /* Figure out where we are in the list by walking back to the beginning */ -- for (c = current; c != first; c = c->command_prev) -+ for (c = current; c != first; c = c->command_prev) { +- for (const ExecCommand *c = current; c != first; c = c->command_prev) ++ for (const ExecCommand *c = current; c != first; c = c->command_prev) { idx++; + if (!c->command_prev) + return idx; diff --git a/core-add-OptionalLog-to-allow-users-change-log-level.patch b/core-add-OptionalLog-to-allow-users-change-log-level.patch index 4a88705..f62a735 100644 --- a/core-add-OptionalLog-to-allow-users-change-log-level.patch +++ b/core-add-OptionalLog-to-allow-users-change-log-level.patch @@ -16,10 +16,10 @@ or LOG_DEBUG. Set "OptionalLog=yes" to log in LOG_INFO. Defaults to no. 7 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/basic/log.h b/src/basic/log.h -index 625be22..6ff143f 100644 +index f73d4c4..d341681 100644 --- a/src/basic/log.h +++ b/src/basic/log.h -@@ -239,6 +239,7 @@ int log_emergency_level(void); +@@ -243,6 +243,7 @@ int log_emergency_level(void); #define log_warning(...) log_full(LOG_WARNING, __VA_ARGS__) #define log_error(...) log_full(LOG_ERR, __VA_ARGS__) #define log_emergency(...) log_full(log_emergency_level(), __VA_ARGS__) @@ -27,7 +27,7 @@ index 625be22..6ff143f 100644 /* Logging triggered by an errno-like error */ #define log_debug_errno(error, ...) log_full_errno(LOG_DEBUG, error, __VA_ARGS__) -@@ -235,6 +236,7 @@ int log_emergency_level(void); +@@ -251,6 +252,7 @@ int log_emergency_level(void); #define log_warning_errno(error, ...) log_full_errno(LOG_WARNING, error, __VA_ARGS__) #define log_error_errno(error, ...) log_full_errno(LOG_ERR, error, __VA_ARGS__) #define log_emergency_errno(error, ...) log_full_errno(log_emergency_level(), error, __VA_ARGS__) @@ -36,10 +36,10 @@ index 625be22..6ff143f 100644 /* This logs at the specified level the first time it is called, and then * logs at debug. If the specified level is debug, this logs only the first diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c -index 184df9d..acf782d 100644 +index 7e57a32..9ca392b 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c -@@ -2656,6 +2656,7 @@ const sd_bus_vtable bus_manager_vtable[] = { +@@ -2870,6 +2870,7 @@ const sd_bus_vtable bus_manager_vtable[] = { BUS_PROPERTY_DUAL_TIMESTAMP("InitRDUnitsLoadFinishTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_INITRD_UNITS_LOAD_FINISH]), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_WRITABLE_PROPERTY("LogLevel", "s", bus_property_get_log_level, property_set_log_level, 0, 0), SD_BUS_WRITABLE_PROPERTY("LogTarget", "s", bus_property_get_log_target, property_set_log_target, 0, 0), @@ -48,26 +48,26 @@ index 184df9d..acf782d 100644 SD_BUS_PROPERTY("NFailedUnits", "u", property_get_set_size, offsetof(Manager, failed_units), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), SD_BUS_PROPERTY("NJobs", "u", property_get_hashmap_size, offsetof(Manager, jobs), 0), diff --git a/src/core/main.c b/src/core/main.c -index 2a6b9b8..15a3cb9 100644 +index eaae658..809ed76 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -110,6 +110,7 @@ static const char *arg_bus_introspect = NULL; +@@ -119,6 +119,7 @@ static const char *arg_bus_introspect = NULL; * defaults are assigned in reset_arguments() below. */ static char *arg_default_unit; static bool arg_system; +static bool arg_optional_log; - static bool arg_dump_core; - static int arg_crash_chvt; - static bool arg_crash_shell; -@@ -641,6 +642,7 @@ static int parse_config_file(void) { - { "Manager", "LogColor", config_parse_color, 0, NULL }, - { "Manager", "LogLocation", config_parse_location, 0, NULL }, - { "Manager", "LogTime", config_parse_time, 0, NULL }, -+ { "Manager", "OptionalLog", config_parse_bool, 0, &arg_optional_log }, - { "Manager", "DumpCore", config_parse_bool, 0, &arg_dump_core }, - { "Manager", "CrashChVT", /* legacy */ config_parse_crash_chvt, 0, &arg_crash_chvt }, - { "Manager", "CrashChangeVT", config_parse_crash_chvt, 0, &arg_crash_chvt }, -@@ -748,6 +750,7 @@ static void set_manager_defaults(Manager *m) { + bool arg_dump_core; + int arg_crash_chvt; + bool arg_crash_shell; +@@ -626,6 +627,7 @@ static int parse_config_file(void) { + { "Manager", "LogColor", config_parse_color, 0, NULL }, + { "Manager", "LogLocation", config_parse_location, 0, NULL }, + { "Manager", "LogTime", config_parse_time, 0, NULL }, ++ { "Manager", "OptionalLog", config_parse_bool, 0, &arg_optional_log }, + { "Manager", "DumpCore", config_parse_bool, 0, &arg_dump_core }, + { "Manager", "CrashChVT", /* legacy */ config_parse_crash_chvt, 0, &arg_crash_chvt }, + { "Manager", "CrashChangeVT", config_parse_crash_chvt, 0, &arg_crash_chvt }, +@@ -745,6 +747,7 @@ static void set_manager_defaults(Manager *m) { * affect the manager itself, but are just what newly allocated units will have set if they haven't set * anything else. (Also see set_manager_settings() for the settings that affect the manager's own behaviour) */ @@ -75,7 +75,7 @@ index 2a6b9b8..15a3cb9 100644 m->default_timer_accuracy_usec = arg_default_timer_accuracy_usec; m->default_std_output = arg_default_std_output; m->default_std_error = arg_default_std_error; -@@ -2327,6 +2330,7 @@ static void reset_arguments(void) { +@@ -2423,6 +2426,7 @@ static void reset_arguments(void) { /* arg_system — ignore */ @@ -84,10 +84,10 @@ index 2a6b9b8..15a3cb9 100644 arg_crash_chvt = -1; arg_crash_shell = false; diff --git a/src/core/manager.h b/src/core/manager.h -index c20abd5..543f30c 100644 +index d3f6aa2..814421f 100644 --- a/src/core/manager.h +++ b/src/core/manager.h -@@ -378,6 +378,7 @@ struct Manager { +@@ -385,6 +385,7 @@ struct Manager { LogTarget original_log_target; bool log_level_overridden; bool log_target_overridden; @@ -96,10 +96,10 @@ index c20abd5..543f30c 100644 struct rlimit *rlimit[_RLIMIT_MAX]; diff --git a/src/core/mount.c b/src/core/mount.c -index 9d676c2..dba8566 100644 +index af0eae6..3751cb4 100644 --- a/src/core/mount.c +++ b/src/core/mount.c -@@ -674,7 +674,7 @@ static void mount_set_state(Mount *m, MountState state) { +@@ -756,7 +756,7 @@ static void mount_set_state(Mount *m, MountState state) { } if (state != old_state) @@ -109,7 +109,7 @@ index 9d676c2..dba8566 100644 unit_notify(UNIT(m), state_translation_table[old_state], state_translation_table[state], m->reload_result == MOUNT_SUCCESS ? 0 : UNIT_NOTIFY_RELOAD_FAILURE); diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index d6cc751..f521f3e 100644 +index 066a9a7..564d146 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in @@ -20,6 +20,7 @@ @@ -121,10 +121,10 @@ index d6cc751..f521f3e 100644 #ShowStatus=yes #CrashChangeVT=no diff --git a/src/core/unit.h b/src/core/unit.h -index 759104f..02f4cb2 100644 +index 58417eb..cc65d93 100644 --- a/src/core/unit.h +++ b/src/core/unit.h -@@ -990,12 +990,14 @@ int unit_thaw_vtable_common(Unit *u); +@@ -1097,12 +1097,14 @@ Condition *unit_find_failed_condition(Unit *u); #define log_unit_notice(unit, ...) log_unit_full(unit, LOG_NOTICE, __VA_ARGS__) #define log_unit_warning(unit, ...) log_unit_full(unit, LOG_WARNING, __VA_ARGS__) #define log_unit_error(unit, ...) log_unit_full(unit, LOG_ERR, __VA_ARGS__) @@ -137,8 +137,8 @@ index 759104f..02f4cb2 100644 #define log_unit_error_errno(unit, error, ...) log_unit_full_errno(unit, LOG_ERR, error, __VA_ARGS__) +#define log_unit_optional_errno(unit, use_info, error, ...) log_unit_full_errno(unit, ((use_info) ? LOG_INFO : LOG_DEBUG), error, __VA_ARGS__) - #define log_unit_struct_errno(unit, level, error, ...) \ - ({ \ + #if LOG_TRACE + # define log_unit_trace(...) log_unit_debug(__VA_ARGS__) -- -2.23.0 +2.33.0 diff --git a/core-add-invalidate-cgroup-config.patch b/core-add-invalidate-cgroup-config.patch index 3b122fa..673c102 100644 --- a/core-add-invalidate-cgroup-config.patch +++ b/core-add-invalidate-cgroup-config.patch @@ -29,10 +29,10 @@ Under the group(user.slice). 5 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/core/main.c b/src/core/main.c -index 09075ef..a39d7d3 100644 +index 500691a..c6638a0 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -154,6 +154,7 @@ static bool arg_default_cpuset_accounting; +@@ -166,6 +166,7 @@ static bool arg_default_cpuset_accounting; static bool arg_default_freezer_accounting; static bool arg_default_tasks_accounting; static TasksMax arg_default_tasks_max; @@ -40,23 +40,23 @@ index 09075ef..a39d7d3 100644 static sd_id128_t arg_machine_id; static EmergencyAction arg_cad_burst_action; static OOMPolicy arg_default_oom_policy; -@@ -704,6 +705,7 @@ static int parse_config_file(void) { - { "Manager", "DefaultFreezerAccounting", config_parse_bool, 0, &arg_default_freezer_accounting }, - { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, - { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, -+ { "Manager", "DefaultInvalidateCgroup", config_parse_bool, 0, &arg_default_invalidate_cgroup }, - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, - { "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy }, - { "Manager", "DefaultUnitSlice", config_parse_string, 0, &arg_default_unit_slice }, -@@ -780,6 +782,7 @@ static void set_manager_defaults(Manager *m) { +@@ -692,6 +693,7 @@ static int parse_config_file(void) { + { "Manager", "DefaultFreezerAccounting", config_parse_bool, 0, &arg_default_freezer_accounting }, + { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, + { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, ++ { "Manager", "DefaultInvalidateCgroup", config_parse_bool, 0, &arg_default_invalidate_cgroup }, + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, arg_system, &arg_cad_burst_action }, + { "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy }, + { "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL }, +@@ -778,6 +780,7 @@ static void set_manager_defaults(Manager *m) { m->default_freezer_accounting = arg_default_freezer_accounting; m->default_tasks_accounting = arg_default_tasks_accounting; m->default_tasks_max = arg_default_tasks_max; + m->default_invalidate_cgroup = arg_default_invalidate_cgroup; m->default_oom_policy = arg_default_oom_policy; - - (void) manager_set_default_rlimits(m, arg_default_rlimit); -@@ -2401,6 +2404,7 @@ static void reset_arguments(void) { + m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set; + m->default_oom_score_adjust = arg_default_oom_score_adjust; +@@ -2500,6 +2503,7 @@ static void reset_arguments(void) { arg_default_freezer_accounting = false; arg_default_tasks_accounting = true; arg_default_tasks_max = DEFAULT_TASKS_MAX; @@ -65,45 +65,46 @@ index 09075ef..a39d7d3 100644 arg_cad_burst_action = EMERGENCY_ACTION_REBOOT_FORCE; arg_default_oom_policy = OOM_STOP; diff --git a/src/core/manager.c b/src/core/manager.c -index 29ef96b..740bad5 100644 +index 4fa20f8..1a5dcd8 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -780,6 +780,7 @@ int manager_new(UnitFileScope scope, ManagerTestRunFlags test_run_flags, Manager +@@ -837,6 +837,7 @@ int manager_new(LookupScope scope, ManagerTestRunFlags test_run_flags, Manager * .default_cpuset_accounting = false, .default_tasks_accounting = true, .default_tasks_max = TASKS_MAX_UNSET, + .default_invalidate_cgroup = true, - .default_timeout_start_usec = DEFAULT_TIMEOUT_USEC, - .default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC, + .default_timeout_start_usec = manager_default_timeout(scope == LOOKUP_SCOPE_SYSTEM), + .default_timeout_stop_usec = manager_default_timeout(scope == LOOKUP_SCOPE_SYSTEM), .default_restart_usec = DEFAULT_RESTART_USEC, diff --git a/src/core/manager.h b/src/core/manager.h -index 9a38737..485bab1 100644 +index 9e391b1..ea95efe 100644 --- a/src/core/manager.h +++ b/src/core/manager.h -@@ -371,6 +371,7 @@ struct Manager { - +@@ -377,6 +377,7 @@ struct Manager { + TasksMax default_tasks_max; usec_t default_timer_accuracy_usec; + bool default_invalidate_cgroup; - + OOMPolicy default_oom_policy; - + int default_oom_score_adjust; diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index f521f3e..c1fd308 100644 +index 564d146..11936cd 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -74,5 +74,6 @@ DefaultLimitMEMLOCK=64M +@@ -76,6 +76,7 @@ DefaultLimitMEMLOCK=64M #DefaultLimitNICE= #DefaultLimitRTPRIO= #DefaultLimitRTTIME= +#DefaultInvalidateCgroup=yes #DefaultOOMPolicy=stop DefaultDFXReboot=yes + #DefaultSmackProcessLabel= diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c -index 689a536..f3b3e70 100644 +index 21457dc..0398ec8 100644 --- a/src/core/unit-serialize.c +++ b/src/core/unit-serialize.c -@@ -526,7 +526,7 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) { +@@ -548,7 +548,7 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) { /* Let's make sure that everything that is deserialized also gets any potential new cgroup settings * applied after we are done. For that we invalidate anything already realized, so that we can * realize it again. */ @@ -112,6 +113,6 @@ index 689a536..f3b3e70 100644 unit_invalidate_cgroup(u, _CGROUP_MASK_ALL); unit_invalidate_cgroup_bpf(u); } --- -2.27.0 +-- +2.33.0 diff --git a/core-cgroup-support-cpuset.patch b/core-cgroup-support-cpuset.patch index 7902994..311e877 100644 --- a/core-cgroup-support-cpuset.patch +++ b/core-cgroup-support-cpuset.patch @@ -5,39 +5,33 @@ Subject: [PATCH] core-cgroup: support cpuset This patch add support for cpuset subsystem. --- - src/basic/cgroup-util.c | 3 +- - src/basic/cgroup-util.h | 10 ++- - src/basic/string-util.c | 42 +++++++++ - src/basic/string-util.h | 2 + - src/core/cgroup.c | 86 ++++++++++++++++--- - src/core/cgroup.h | 10 ++- - src/core/dbus-cgroup.c | 52 +++++++++-- - src/core/dbus-manager.c | 1 + - src/core/load-fragment-gperf.gperf.in | 5 ++ - src/core/load-fragment.c | 73 +++++++++++++++- - src/core/load-fragment.h | 1 + - src/core/main.c | 4 + - src/core/manager.c | 1 + - src/core/manager.h | 1 + - src/core/system.conf.in | 1 + - src/core/unit.c | 1 + - src/shared/bus-unit-util.c | 15 +++- - src/shared/cpu-set-util.c | 1 + - src/test/test-cgroup-mask.c | 5 +- - .../fuzz-unit-file/directives-all.service | 5 ++ - test/fuzz/fuzz-unit-file/directives.mount | 5 ++ - test/fuzz/fuzz-unit-file/directives.scope | 5 ++ - test/fuzz/fuzz-unit-file/directives.service | 5 ++ - test/fuzz/fuzz-unit-file/directives.slice | 5 ++ - test/fuzz/fuzz-unit-file/directives.socket | 5 ++ - test/fuzz/fuzz-unit-file/directives.swap | 5 ++ - 26 files changed, 319 insertions(+), 30 deletions(-) + src/basic/cgroup-util.c | 3 +- + src/basic/cgroup-util.h | 10 +- + src/basic/string-util.c | 42 +++++++ + src/basic/string-util.h | 1 + + src/core/cgroup.c | 112 ++++++++++++++---- + src/core/cgroup.h | 14 ++- + src/core/dbus-cgroup.c | 60 ++++++++-- + src/core/dbus-manager.c | 1 + + src/core/load-fragment-gperf.gperf.in | 13 +- + src/core/load-fragment.c | 69 +++++++++++ + src/core/load-fragment.h | 1 + + src/core/main.c | 4 + + src/core/manager.c | 1 + + src/core/manager.h | 1 + + src/core/system.conf.in | 1 + + src/core/unit.c | 1 + + src/shared/bus-unit-util.c | 15 ++- + src/shared/cpu-set-util.c | 1 + + src/test/test-cgroup-mask.c | 5 +- + .../fuzz-unit-file/directives-all.service | 5 + + 20 files changed, 309 insertions(+), 51 deletions(-) diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c -index 1ff6160..01a4181 100644 +index feda596..1bb07f7 100644 --- a/src/basic/cgroup-util.c +++ b/src/basic/cgroup-util.c -@@ -2155,12 +2155,13 @@ bool fd_is_cgroup_fs(int fd) { +@@ -2248,12 +2248,13 @@ bool fd_is_cgroup_fs(int fd) { static const char *const cgroup_controller_table[_CGROUP_CONTROLLER_MAX] = { [CGROUP_CONTROLLER_CPU] = "cpu", [CGROUP_CONTROLLER_CPUACCT] = "cpuacct", @@ -53,10 +47,10 @@ index 1ff6160..01a4181 100644 [CGROUP_CONTROLLER_BPF_DEVICES] = "bpf-devices", [CGROUP_CONTROLLER_BPF_FOREIGN] = "bpf-foreign", diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h -index ce2f4c6..06a23ff 100644 +index b69f168..764d47a 100644 --- a/src/basic/cgroup-util.h +++ b/src/basic/cgroup-util.h -@@ -20,12 +20,13 @@ typedef enum CGroupController { +@@ -21,12 +21,13 @@ typedef enum CGroupController { /* Original cgroup controllers */ CGROUP_CONTROLLER_CPU, CGROUP_CONTROLLER_CPUACCT, /* v1 only */ @@ -71,7 +65,7 @@ index ce2f4c6..06a23ff 100644 /* BPF-based pseudo-controllers, v2 only */ CGROUP_CONTROLLER_BPF_FIREWALL, -@@ -43,22 +44,23 @@ typedef enum CGroupController { +@@ -48,12 +49,13 @@ typedef enum CGroupController { typedef enum CGroupMask { CGROUP_MASK_CPU = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_CPU), CGROUP_MASK_CPUACCT = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_CPUACCT), @@ -86,7 +80,8 @@ index ce2f4c6..06a23ff 100644 CGROUP_MASK_BPF_FIREWALL = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_FIREWALL), CGROUP_MASK_BPF_DEVICES = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_DEVICES), CGROUP_MASK_BPF_FOREIGN = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_FOREIGN), - CGROUP_MASK_BPF_SOCKET_BIND = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_SOCKET_BIND), +@@ -61,10 +63,10 @@ typedef enum CGroupMask { + CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_RESTRICT_NETWORK_INTERFACES), /* All real cgroup v1 controllers */ - CGROUP_MASK_V1 = CGROUP_MASK_CPU|CGROUP_MASK_CPUACCT|CGROUP_MASK_BLKIO|CGROUP_MASK_MEMORY|CGROUP_MASK_DEVICES|CGROUP_MASK_PIDS, @@ -97,16 +92,15 @@ index ce2f4c6..06a23ff 100644 + CGROUP_MASK_V2 = CGROUP_MASK_CPU|CGROUP_MASK_CPUSET2|CGROUP_MASK_IO|CGROUP_MASK_MEMORY|CGROUP_MASK_PIDS, /* All cgroup v2 BPF pseudo-controllers */ - CGROUP_MASK_BPF = CGROUP_MASK_BPF_FIREWALL|CGROUP_MASK_BPF_DEVICES|CGROUP_MASK_BPF_FOREIGN|CGROUP_MASK_BPF_SOCKET_BIND, + CGROUP_MASK_BPF = CGROUP_MASK_BPF_FIREWALL|CGROUP_MASK_BPF_DEVICES|CGROUP_MASK_BPF_FOREIGN|CGROUP_MASK_BPF_SOCKET_BIND|CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES, diff --git a/src/basic/string-util.c b/src/basic/string-util.c -index a645958..45f358b 100644 +index ad8c986..755ad11 100644 --- a/src/basic/string-util.c +++ b/src/basic/string-util.c -@@ -1146,3 +1146,45 @@ int string_contains_word_strv(const char *string, const char *separators, char * - *ret_word = found; +@@ -1159,6 +1159,48 @@ int string_contains_word_strv(const char *string, const char *separators, char * return !!found; } -+ + +int string_isvalid_interval(const char *instr) +{ + const char *pstr = instr; /* tmp */ @@ -148,26 +142,45 @@ index a645958..45f358b 100644 + + return 0; +} ++ + bool streq_skip_trailing_chars(const char *s1, const char *s2, const char *ok) { + if (!s1 && !s2) + return true; diff --git a/src/basic/string-util.h b/src/basic/string-util.h -index 9155e50..338dcd5 100644 +index e0a47a2..b025c06 100644 --- a/src/basic/string-util.h +++ b/src/basic/string-util.h -@@ -242,3 +242,5 @@ int string_contains_word_strv(const char *string, const char *separators, char * - static inline int string_contains_word(const char *string, const char *separators, const char *word) { +@@ -235,6 +235,7 @@ static inline int string_contains_word(const char *string, const char *separator return string_contains_word_strv(string, separators, STRV_MAKE(word), NULL); } -+ + +int string_isvalid_interval(const char *instr); + bool streq_skip_trailing_chars(const char *s1, const char *s2, const char *ok); + + char *string_replace_char(char *str, char old_char, char new_char); diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index de1d5f4..2c2d1b0 100644 +index f6ae2ab..a6396e1 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c -@@ -246,8 +246,14 @@ void cgroup_context_done(CGroupContext *c) { - while (c->bpf_foreign_programs) - cgroup_context_remove_bpf_foreign_program(c, c->bpf_foreign_programs); +@@ -90,8 +90,8 @@ bool unit_has_startup_cgroup_constraints(Unit *u) { + return c->startup_cpu_shares != CGROUP_CPU_SHARES_INVALID || + c->startup_io_weight != CGROUP_WEIGHT_INVALID || + c->startup_blockio_weight != CGROUP_BLKIO_WEIGHT_INVALID || +- c->startup_cpuset_cpus.set || +- c->startup_cpuset_mems.set; ++ c->startup_cpuset_cpus2.set || ++ c->startup_cpuset_mems2.set; + } + + bool unit_has_host_root_cgroup(Unit *u) { +@@ -277,10 +277,16 @@ void cgroup_context_done(CGroupContext *c) { + + c->restrict_network_interfaces = set_free(c->restrict_network_interfaces); - cpu_set_reset(&c->cpuset_cpus); +- cpu_set_reset(&c->startup_cpuset_cpus); - cpu_set_reset(&c->cpuset_mems); +- cpu_set_reset(&c->startup_cpuset_mems); + if (c->cpuset_cpus) + c->cpuset_cpus = mfree(c->cpuset_cpus); + @@ -175,27 +188,33 @@ index de1d5f4..2c2d1b0 100644 + c->cpuset_mems = mfree(c->cpuset_mems); + + cpu_set_reset(&c->cpuset_cpus2); ++ cpu_set_reset(&c->startup_cpuset_cpus2); + cpu_set_reset(&c->cpuset_mems2); ++ cpu_set_reset(&c->startup_cpuset_mems2); } static int unit_get_kernel_memory_limit(Unit *u, const char *file, uint64_t *ret) { -@@ -382,7 +388,7 @@ static char *format_cgroup_memory_limit_comparison(char *buf, size_t l, Unit *u, +@@ -415,7 +421,7 @@ static char *format_cgroup_memory_limit_comparison(char *buf, size_t l, Unit *u, } void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { -- _cleanup_free_ char *disable_controllers_str = NULL, *cpuset_cpus = NULL, *cpuset_mems = NULL; -+ _cleanup_free_ char *disable_controllers_str = NULL, *cpuset_cpus2 = NULL, *cpuset_mems2 = NULL; - CGroupIODeviceLimit *il; - CGroupIODeviceWeight *iw; - CGroupIODeviceLatency *l; -@@ -412,14 +418,15 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { +- _cleanup_free_ char *disable_controllers_str = NULL, *cpuset_cpus = NULL, *cpuset_mems = NULL, *startup_cpuset_cpus = NULL, *startup_cpuset_mems = NULL; ++ _cleanup_free_ char *disable_controllers_str = NULL, *cpuset_cpus2 = NULL, *cpuset_mems2 = NULL, *startup_cpuset_cpus2 = NULL, *startup_cpuset_mems2 = NULL; + CGroupContext *c; + struct in_addr_prefix *iaai; + +@@ -434,16 +440,17 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { (void) cg_mask_to_string(c->disable_controllers, &disable_controllers_str); - cpuset_cpus = cpu_set_to_range_string(&c->cpuset_cpus); +- startup_cpuset_cpus = cpu_set_to_range_string(&c->startup_cpuset_cpus); - cpuset_mems = cpu_set_to_range_string(&c->cpuset_mems); +- startup_cpuset_mems = cpu_set_to_range_string(&c->startup_cpuset_mems); + cpuset_cpus2 = cpu_set_to_range_string(&c->cpuset_cpus2); ++ startup_cpuset_cpus2 = cpu_set_to_range_string(&c->startup_cpuset_cpus2); + cpuset_mems2 = cpu_set_to_range_string(&c->cpuset_mems2); ++ startup_cpuset_mems2 = cpu_set_to_range_string(&c->startup_cpuset_mems2); fprintf(f, "%sCPUAccounting: %s\n" @@ -206,9 +225,9 @@ index de1d5f4..2c2d1b0 100644 "%sTasksAccounting: %s\n" "%sIPAccounting: %s\n" "%sCPUWeight: %" PRIu64 "\n" -@@ -442,6 +449,10 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { - "%sMemoryMax: %" PRIu64 "%s\n" +@@ -469,6 +476,10 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { "%sMemorySwapMax: %" PRIu64 "%s\n" + "%sMemoryZSwapMax: %" PRIu64 "%s\n" "%sMemoryLimit: %" PRIu64 "\n" + "%sCPUSetCpus=%s\n" + "%sCPUSetMems=%s\n" @@ -217,7 +236,7 @@ index de1d5f4..2c2d1b0 100644 "%sTasksMax: %" PRIu64 "\n" "%sDevicePolicy: %s\n" "%sDisableControllers: %s\n" -@@ -454,6 +465,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { +@@ -481,6 +492,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { prefix, yes_no(c->io_accounting), prefix, yes_no(c->blockio_accounting), prefix, yes_no(c->memory_accounting), @@ -225,20 +244,24 @@ index de1d5f4..2c2d1b0 100644 prefix, yes_no(c->tasks_accounting), prefix, yes_no(c->ip_accounting), prefix, c->cpu_weight, -@@ -462,8 +474,8 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { +@@ -489,10 +501,10 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { prefix, c->startup_cpu_shares, - prefix, format_timespan(q, sizeof(q), c->cpu_quota_per_sec_usec, 1), - prefix, format_timespan(v, sizeof(v), c->cpu_quota_period_usec, 1), + prefix, FORMAT_TIMESPAN(c->cpu_quota_per_sec_usec, 1), + prefix, FORMAT_TIMESPAN(c->cpu_quota_period_usec, 1), - prefix, strempty(cpuset_cpus), +- prefix, strempty(startup_cpuset_cpus), - prefix, strempty(cpuset_mems), +- prefix, strempty(startup_cpuset_mems), + prefix, strempty(cpuset_cpus2), ++ prefix, strempty(startup_cpuset_cpus2), + prefix, strempty(cpuset_mems2), ++ prefix, strempty(startup_cpuset_mems2), prefix, c->io_weight, prefix, c->startup_io_weight, prefix, c->blockio_weight, -@@ -476,6 +488,10 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { - prefix, c->memory_max, format_cgroup_memory_limit_comparison(cdd, sizeof(cdd), u, "MemoryMax"), +@@ -506,6 +518,10 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { prefix, c->memory_swap_max, format_cgroup_memory_limit_comparison(cde, sizeof(cde), u, "MemorySwapMax"), + prefix, c->memory_zswap_max, format_cgroup_memory_limit_comparison(cde, sizeof(cde), u, "MemoryZSwapMax"), prefix, c->memory_limit, + prefix, c->cpuset_cpus, + prefix, c->cpuset_mems, @@ -247,20 +270,55 @@ index de1d5f4..2c2d1b0 100644 prefix, tasks_max_resolve(&c->tasks_max), prefix, cgroup_device_policy_to_string(c->device_policy), prefix, strempty(disable_controllers_str), -@@ -1277,9 +1293,9 @@ static void cgroup_context_apply( +@@ -921,11 +937,11 @@ static bool cgroup_context_has_cpu_shares(CGroupContext *c) { + } + + static bool cgroup_context_has_allowed_cpus(CGroupContext *c) { +- return c->cpuset_cpus.set || c->startup_cpuset_cpus.set; ++ return c->cpuset_cpus2.set || c->startup_cpuset_cpus2.set; + } + + static bool cgroup_context_has_allowed_mems(CGroupContext *c) { +- return c->cpuset_mems.set || c->startup_cpuset_mems.set; ++ return c->cpuset_mems2.set || c->startup_cpuset_mems2.set; + } + + static uint64_t cgroup_context_cpu_weight(CGroupContext *c, ManagerState state) { +@@ -950,18 +966,18 @@ static uint64_t cgroup_context_cpu_shares(CGroupContext *c, ManagerState state) + + static CPUSet *cgroup_context_allowed_cpus(CGroupContext *c, ManagerState state) { + if (IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING, MANAGER_STOPPING) && +- c->startup_cpuset_cpus.set) +- return &c->startup_cpuset_cpus; ++ c->startup_cpuset_cpus2.set) ++ return &c->startup_cpuset_cpus2; + else +- return &c->cpuset_cpus; ++ return &c->cpuset_cpus2; + } + + static CPUSet *cgroup_context_allowed_mems(CGroupContext *c, ManagerState state) { + if (IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING, MANAGER_STOPPING) && +- c->startup_cpuset_mems.set) +- return &c->startup_cpuset_mems; ++ c->startup_cpuset_mems2.set) ++ return &c->startup_cpuset_mems2; + else +- return &c->cpuset_mems; ++ return &c->cpuset_mems2; + } + + usec_t cgroup_cpu_adjust_period(usec_t period, usec_t quota, usec_t resolution, usec_t max_period) { +@@ -1495,7 +1511,7 @@ static void cgroup_context_apply( } } - if ((apply_mask & CGROUP_MASK_CPUSET) && !is_local_root) { -- cgroup_apply_unified_cpuset(u, &c->cpuset_cpus, "cpuset.cpus"); -- cgroup_apply_unified_cpuset(u, &c->cpuset_mems, "cpuset.mems"); + if ((apply_mask & CGROUP_MASK_CPUSET2) && !is_local_root) { -+ cgroup_apply_unified_cpuset(u, &c->cpuset_cpus2, "cpuset.cpus"); -+ cgroup_apply_unified_cpuset(u, &c->cpuset_mems2, "cpuset.mems"); + cgroup_apply_unified_cpuset(u, cgroup_context_allowed_cpus(c, state), "cpuset.cpus"); + cgroup_apply_unified_cpuset(u, cgroup_context_allowed_mems(c, state), "cpuset.mems"); } - - /* The 'io' controller attributes are not exported on the host's root cgroup (being a pure cgroup v2 -@@ -1477,6 +1493,45 @@ static void cgroup_context_apply( +@@ -1667,6 +1683,45 @@ static void cgroup_context_apply( } } @@ -306,18 +364,16 @@ index de1d5f4..2c2d1b0 100644 /* On cgroup v2 we can apply BPF everywhere. On cgroup v1 we apply it everywhere except for the root of * containers, where we leave this to the manager */ if ((apply_mask & (CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES)) && -@@ -1603,8 +1658,8 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { - c->cpu_quota_per_sec_usec != USEC_INFINITY) +@@ -1808,7 +1863,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { mask |= CGROUP_MASK_CPU; -- if (c->cpuset_cpus.set || c->cpuset_mems.set) + if (cgroup_context_has_allowed_cpus(c) || cgroup_context_has_allowed_mems(c)) - mask |= CGROUP_MASK_CPUSET; -+ if (c->cpuset_cpus2.set || c->cpuset_mems2.set) + mask |= CGROUP_MASK_CPUSET2; if (cgroup_context_has_io_config(c) || cgroup_context_has_blockio_config(c)) mask |= CGROUP_MASK_IO | CGROUP_MASK_BLKIO; -@@ -1614,6 +1669,11 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { +@@ -1818,6 +1873,11 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { unit_has_unified_memory_config(u)) mask |= CGROUP_MASK_MEMORY; @@ -329,7 +385,7 @@ index de1d5f4..2c2d1b0 100644 if (c->device_allow || c->device_policy != CGROUP_DEVICE_POLICY_AUTO) mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES; -@@ -3984,7 +4044,7 @@ int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name) { +@@ -4286,7 +4346,7 @@ int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name) { if (!u->cgroup_path) return -ENODATA; @@ -339,7 +395,7 @@ index de1d5f4..2c2d1b0 100644 r = cg_all_unified(); diff --git a/src/core/cgroup.h b/src/core/cgroup.h -index ea92936..a8a4726 100644 +index d137e3a..501cba4 100644 --- a/src/core/cgroup.h +++ b/src/core/cgroup.h @@ -115,6 +115,7 @@ struct CGroupContext { @@ -350,47 +406,55 @@ index ea92936..a8a4726 100644 bool tasks_accounting; bool ip_accounting; -@@ -131,8 +132,8 @@ struct CGroupContext { +@@ -131,10 +132,10 @@ struct CGroupContext { usec_t cpu_quota_per_sec_usec; usec_t cpu_quota_period_usec; - CPUSet cpuset_cpus; +- CPUSet startup_cpuset_cpus; - CPUSet cpuset_mems; +- CPUSet startup_cpuset_mems; + CPUSet cpuset_cpus2; ++ CPUSet startup_cpuset_cpus2; + CPUSet cpuset_mems2; ++ CPUSet startup_cpuset_mems2; uint64_t io_weight; uint64_t startup_io_weight; -@@ -148,6 +149,11 @@ struct CGroupContext { - uint64_t memory_max; +@@ -151,6 +152,11 @@ struct CGroupContext { uint64_t memory_swap_max; + uint64_t memory_zswap_max; + char *cpuset_cpus; + char *cpuset_mems; + bool cpuset_clone_children; + bool cpuset_memory_migrate; + - bool default_memory_min_set; - bool default_memory_low_set; - bool memory_min_set; + bool default_memory_min_set:1; + bool default_memory_low_set:1; + bool memory_min_set:1; diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c -index 84c3caf..0cdc98c 100644 +index b5484ed..c3b140e 100644 --- a/src/core/dbus-cgroup.c +++ b/src/core/dbus-cgroup.c -@@ -414,8 +414,8 @@ const sd_bus_vtable bus_cgroup_vtable[] = { +@@ -441,10 +441,10 @@ const sd_bus_vtable bus_cgroup_vtable[] = { SD_BUS_PROPERTY("StartupCPUShares", "t", NULL, offsetof(CGroupContext, startup_cpu_shares), 0), SD_BUS_PROPERTY("CPUQuotaPerSecUSec", "t", bus_property_get_usec, offsetof(CGroupContext, cpu_quota_per_sec_usec), 0), SD_BUS_PROPERTY("CPUQuotaPeriodUSec", "t", bus_property_get_usec, offsetof(CGroupContext, cpu_quota_period_usec), 0), - SD_BUS_PROPERTY("AllowedCPUs", "ay", property_get_cpuset, offsetof(CGroupContext, cpuset_cpus), 0), +- SD_BUS_PROPERTY("StartupAllowedCPUs", "ay", property_get_cpuset, offsetof(CGroupContext, startup_cpuset_cpus), 0), - SD_BUS_PROPERTY("AllowedMemoryNodes", "ay", property_get_cpuset, offsetof(CGroupContext, cpuset_mems), 0), +- SD_BUS_PROPERTY("StartupAllowedMemoryNodes", "ay", property_get_cpuset, offsetof(CGroupContext, startup_cpuset_mems), 0), + SD_BUS_PROPERTY("AllowedCPUs", "ay", property_get_cpuset, offsetof(CGroupContext, cpuset_cpus2), 0), ++ SD_BUS_PROPERTY("StartupAllowedCPUs", "ay", property_get_cpuset, offsetof(CGroupContext, startup_cpuset_cpus2), 0), + SD_BUS_PROPERTY("AllowedMemoryNodes", "ay", property_get_cpuset, offsetof(CGroupContext, cpuset_mems2), 0), ++ SD_BUS_PROPERTY("StartupAllowedMemoryNodes", "ay", property_get_cpuset, offsetof(CGroupContext, startup_cpuset_mems2), 0), SD_BUS_PROPERTY("IOAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, io_accounting), 0), SD_BUS_PROPERTY("IOWeight", "t", NULL, offsetof(CGroupContext, io_weight), 0), SD_BUS_PROPERTY("StartupIOWeight", "t", NULL, offsetof(CGroupContext, startup_io_weight), 0), -@@ -440,6 +440,11 @@ const sd_bus_vtable bus_cgroup_vtable[] = { - SD_BUS_PROPERTY("MemoryMax", "t", NULL, offsetof(CGroupContext, memory_max), 0), +@@ -470,6 +470,11 @@ const sd_bus_vtable bus_cgroup_vtable[] = { SD_BUS_PROPERTY("MemorySwapMax", "t", NULL, offsetof(CGroupContext, memory_swap_max), 0), + SD_BUS_PROPERTY("MemoryZSwapMax", "t", NULL, offsetof(CGroupContext, memory_zswap_max), 0), SD_BUS_PROPERTY("MemoryLimit", "t", NULL, offsetof(CGroupContext, memory_limit), 0), + SD_BUS_PROPERTY("CPUSetAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, cpuset_accounting), 0), + SD_BUS_PROPERTY("CPUSetCpus", "s", NULL, offsetof(CGroupContext, cpuset_cpus), 0), @@ -400,7 +464,7 @@ index 84c3caf..0cdc98c 100644 SD_BUS_PROPERTY("DevicePolicy", "s", property_get_cgroup_device_policy, offsetof(CGroupContext, device_policy), 0), SD_BUS_PROPERTY("DeviceAllow", "a(ss)", property_get_device_allow, 0, 0), SD_BUS_PROPERTY("TasksAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, tasks_accounting), 0), -@@ -1065,6 +1070,43 @@ int bus_cgroup_set_property( +@@ -1129,6 +1134,43 @@ int bus_cgroup_set_property( if (streq(name, "MemoryLimitScale")) return bus_cgroup_set_memory_scale(u, name, &c->memory_limit, message, flags, error); @@ -444,17 +508,25 @@ index 84c3caf..0cdc98c 100644 if (streq(name, "TasksAccounting")) return bus_cgroup_set_boolean(u, name, &c->tasks_accounting, CGROUP_MASK_PIDS, message, flags, error); -@@ -1146,15 +1188,15 @@ int bus_cgroup_set_property( +@@ -1208,13 +1250,13 @@ int bus_cgroup_set_property( return -ENOMEM; if (streq(name, "AllowedCPUs")) - set = &c->cpuset_cpus; + set = &c->cpuset_cpus2; - else + else if (streq(name, "StartupAllowedCPUs")) +- set = &c->startup_cpuset_cpus; ++ set = &c->startup_cpuset_cpus2; + else if (streq(name, "AllowedMemoryNodes")) - set = &c->cpuset_mems; + set = &c->cpuset_mems2; + else if (streq(name, "StartupAllowedMemoryNodes")) +- set = &c->startup_cpuset_mems; ++ set = &c->startup_cpuset_mems2; + + assert(set); - cpu_set_reset(set); +@@ -1222,7 +1264,7 @@ int bus_cgroup_set_property( *set = new_set; new_set = (CPUSet) {}; @@ -464,10 +536,10 @@ index 84c3caf..0cdc98c 100644 } diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c -index de057a0..82896af 100644 +index c4f205b..d6f45a7 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c -@@ -2690,6 +2690,7 @@ const sd_bus_vtable bus_manager_vtable[] = { +@@ -2910,6 +2910,7 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_PROPERTY("DefaultCPUAccounting", "b", bus_property_get_bool, offsetof(Manager, default_cpu_accounting), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultBlockIOAccounting", "b", bus_property_get_bool, offsetof(Manager, default_blockio_accounting), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultMemoryAccounting", "b", bus_property_get_bool, offsetof(Manager, default_memory_accounting), SD_BUS_VTABLE_PROPERTY_CONST), @@ -476,12 +548,27 @@ index de057a0..82896af 100644 SD_BUS_PROPERTY("DefaultLimitCPU", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultLimitCPUSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in -index 42441ea..60c9dbc 100644 +index 3ea3ca3..8600faa 100644 --- a/src/core/load-fragment-gperf.gperf.in +++ b/src/core/load-fragment-gperf.gperf.in -@@ -197,6 +197,11 @@ - {{type}}.MemoryMax, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) +@@ -187,10 +187,10 @@ + + {%- macro CGROUP_CONTEXT_CONFIG_ITEMS(type) -%} + {{type}}.Slice, config_parse_unit_slice, 0, 0 +-{{type}}.AllowedCPUs, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.cpuset_cpus) +-{{type}}.StartupAllowedCPUs, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.startup_cpuset_cpus) +-{{type}}.AllowedMemoryNodes, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.cpuset_mems) +-{{type}}.StartupAllowedMemoryNodes, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.startup_cpuset_mems) ++{{type}}.AllowedCPUs, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.cpuset_cpus2) ++{{type}}.StartupAllowedCPUs, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.startup_cpuset_cpus2) ++{{type}}.AllowedMemoryNodes, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.cpuset_mems2) ++{{type}}.StartupAllowedMemoryNodes, config_parse_allowed_cpuset, 0, offsetof({{type}}, cgroup_context.startup_cpuset_mems2) + {{type}}.CPUAccounting, config_parse_bool, 0, offsetof({{type}}, cgroup_context.cpu_accounting) + {{type}}.CPUWeight, config_parse_cg_cpu_weight, 0, offsetof({{type}}, cgroup_context.cpu_weight) + {{type}}.StartupCPUWeight, config_parse_cg_cpu_weight, 0, offsetof({{type}}, cgroup_context.startup_cpu_weight) +@@ -208,6 +208,11 @@ {{type}}.MemorySwapMax, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) + {{type}}.MemoryZSwapMax, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) {{type}}.MemoryLimit, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) +{{type}}.CPUSetAccounting, config_parse_bool, 0, offsetof({{type}}, cgroup_context.cpuset_accounting) +{{type}}.CPUSetCpus, config_parse_cpuset_cpumems, 0, offsetof({{type}}, cgroup_context.cpuset_cpus) @@ -492,28 +579,10 @@ index 42441ea..60c9dbc 100644 {{type}}.DevicePolicy, config_parse_device_policy, 0, offsetof({{type}}, cgroup_context.device_policy) {{type}}.IOAccounting, config_parse_bool, 0, offsetof({{type}}, cgroup_context.io_accounting) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 399a759..ad80a64 100644 +index ce15758..b0feac7 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c -@@ -3632,7 +3632,7 @@ int config_parse_allowed_cpus( - - CGroupContext *c = data; - -- (void) parse_cpu_set_extend(rvalue, &c->cpuset_cpus, true, unit, filename, line, lvalue); -+ (void) parse_cpu_set_extend(rvalue, &c->cpuset_cpus2, true, unit, filename, line, lvalue); - - return 0; - } -@@ -3651,7 +3651,7 @@ int config_parse_allowed_mems( - - CGroupContext *c = data; - -- (void) parse_cpu_set_extend(rvalue, &c->cpuset_mems, true, unit, filename, line, lvalue); -+ (void) parse_cpu_set_extend(rvalue, &c->cpuset_mems2, true, unit, filename, line, lvalue); - - return 0; - } -@@ -3722,6 +3722,75 @@ int config_parse_memory_limit( +@@ -3864,6 +3864,75 @@ int config_parse_memory_limit( return 0; } @@ -590,11 +659,11 @@ index 399a759..ad80a64 100644 const char *unit, const char *filename, diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h -index 45e9c39..1ecad67 100644 +index 11d43dd..405681f 100644 --- a/src/core/load-fragment.h +++ b/src/core/load-fragment.h -@@ -74,6 +74,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_unit_slice); - CONFIG_PARSER_PROTOTYPE(config_parse_cg_weight); +@@ -81,6 +81,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_cg_weight); + CONFIG_PARSER_PROTOTYPE(config_parse_cg_cpu_weight); CONFIG_PARSER_PROTOTYPE(config_parse_cpu_shares); CONFIG_PARSER_PROTOTYPE(config_parse_memory_limit); +CONFIG_PARSER_PROTOTYPE(config_parse_cpuset_cpumems); @@ -602,10 +671,10 @@ index 45e9c39..1ecad67 100644 CONFIG_PARSER_PROTOTYPE(config_parse_delegate); CONFIG_PARSER_PROTOTYPE(config_parse_managed_oom_mode); diff --git a/src/core/main.c b/src/core/main.c -index 9282b09..c4564e8 100644 +index c6d16b2..e64882c 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -148,6 +148,7 @@ static bool arg_default_io_accounting; +@@ -160,6 +160,7 @@ static bool arg_default_io_accounting; static bool arg_default_ip_accounting; static bool arg_default_blockio_accounting; static bool arg_default_memory_accounting; @@ -613,15 +682,15 @@ index 9282b09..c4564e8 100644 static bool arg_default_tasks_accounting; static TasksMax arg_default_tasks_max; static sd_id128_t arg_machine_id; -@@ -693,6 +694,7 @@ static int parse_config_file(void) { - { "Manager", "DefaultIPAccounting", config_parse_bool, 0, &arg_default_ip_accounting }, - { "Manager", "DefaultBlockIOAccounting", config_parse_bool, 0, &arg_default_blockio_accounting }, - { "Manager", "DefaultMemoryAccounting", config_parse_bool, 0, &arg_default_memory_accounting }, -+ { "Manager", "DefaultCpusetAccounting", config_parse_bool, 0, &arg_default_cpuset_accounting }, - { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, - { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, -@@ -764,6 +766,7 @@ static void set_manager_defaults(Manager *m) { +@@ -681,6 +682,7 @@ static int parse_config_file(void) { + { "Manager", "DefaultIPAccounting", config_parse_bool, 0, &arg_default_ip_accounting }, + { "Manager", "DefaultBlockIOAccounting", config_parse_bool, 0, &arg_default_blockio_accounting }, + { "Manager", "DefaultMemoryAccounting", config_parse_bool, 0, &arg_default_memory_accounting }, ++ { "Manager", "DefaultCpusetAccounting", config_parse_bool, 0, &arg_default_cpuset_accounting }, + { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, + { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, arg_system, &arg_cad_burst_action }, +@@ -762,6 +764,7 @@ static void set_manager_defaults(Manager *m) { m->default_ip_accounting = arg_default_ip_accounting; m->default_blockio_accounting = arg_default_blockio_accounting; m->default_memory_accounting = arg_default_memory_accounting; @@ -629,7 +698,7 @@ index 9282b09..c4564e8 100644 m->default_tasks_accounting = arg_default_tasks_accounting; m->default_tasks_max = arg_default_tasks_max; m->default_oom_policy = arg_default_oom_policy; -@@ -2358,6 +2361,7 @@ static void reset_arguments(void) { +@@ -2457,6 +2460,7 @@ static void reset_arguments(void) { arg_default_ip_accounting = false; arg_default_blockio_accounting = false; arg_default_memory_accounting = MEMORY_ACCOUNTING_DEFAULT; @@ -638,22 +707,22 @@ index 9282b09..c4564e8 100644 arg_default_tasks_max = DEFAULT_TASKS_MAX; arg_machine_id = (sd_id128_t) {}; diff --git a/src/core/manager.c b/src/core/manager.c -index 38482c0..3a12d6d 100644 +index 2c8c726..011de6b 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -776,6 +776,7 @@ int manager_new(UnitFileScope scope, ManagerTestRunFlags test_run_flags, Manager +@@ -833,6 +833,7 @@ int manager_new(LookupScope scope, ManagerTestRunFlags test_run_flags, Manager * .default_timer_accuracy_usec = USEC_PER_MINUTE, .default_memory_accounting = MEMORY_ACCOUNTING_DEFAULT, + .default_cpuset_accounting = false, .default_tasks_accounting = true, .default_tasks_max = TASKS_MAX_UNSET, - .default_timeout_start_usec = DEFAULT_TIMEOUT_USEC, + .default_timeout_start_usec = manager_default_timeout(scope == LOOKUP_SCOPE_SYSTEM), diff --git a/src/core/manager.h b/src/core/manager.h -index 0c39626..f658caa 100644 +index e7b594f..c4edacc 100644 --- a/src/core/manager.h +++ b/src/core/manager.h -@@ -360,6 +360,7 @@ struct Manager { +@@ -365,6 +365,7 @@ struct Manager { bool default_cpu_accounting; bool default_memory_accounting; @@ -662,22 +731,22 @@ index 0c39626..f658caa 100644 bool default_blockio_accounting; bool default_tasks_accounting; diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index f2c75fc..fcc20d0 100644 +index 1349b1f..a0ef2bf 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -53,6 +53,7 @@ +@@ -55,6 +55,7 @@ + #DefaultIOAccounting=no #DefaultIPAccounting=no - #DefaultBlockIOAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} +#DefaultCpusetAccounting= #DefaultTasksAccounting=yes #DefaultTasksMax=80% #DefaultLimitCPU= diff --git a/src/core/unit.c b/src/core/unit.c -index e30c14b..bfd47cf 100644 +index 5e230ef..9ac41b4 100644 --- a/src/core/unit.c +++ b/src/core/unit.c -@@ -176,6 +176,7 @@ static void unit_init(Unit *u) { +@@ -179,6 +179,7 @@ static void unit_init(Unit *u) { cc->io_accounting = u->manager->default_io_accounting; cc->blockio_accounting = u->manager->default_blockio_accounting; cc->memory_accounting = u->manager->default_memory_accounting; @@ -686,10 +755,10 @@ index e30c14b..bfd47cf 100644 cc->ip_accounting = u->manager->default_ip_accounting; diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c -index d3a5b25..caad3ab 100644 +index 1e95e36..e1aed3d 100644 --- a/src/shared/bus-unit-util.c +++ b/src/shared/bus-unit-util.c -@@ -460,7 +460,10 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons +@@ -481,7 +481,10 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons "IOAccounting", "BlockIOAccounting", "TasksAccounting", @@ -701,7 +770,7 @@ index d3a5b25..caad3ab 100644 return bus_append_parse_boolean(m, field, eq); if (STR_IN_SET(field, "CPUWeight", -@@ -561,6 +564,16 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons +@@ -587,6 +590,16 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons return bus_append_parse_size(m, field, eq, 1024); } @@ -719,7 +788,7 @@ index d3a5b25..caad3ab 100644 if (isempty(eq)) r = sd_bus_message_append(m, "(sv)", "CPUQuotaPerSecUSec", "t", USEC_INFINITY); diff --git a/src/shared/cpu-set-util.c b/src/shared/cpu-set-util.c -index e3e6963..2cb4a36 100644 +index 34c13cf..68da01b 100644 --- a/src/shared/cpu-set-util.c +++ b/src/shared/cpu-set-util.c @@ -7,6 +7,7 @@ @@ -731,10 +800,10 @@ index e3e6963..2cb4a36 100644 #include "errno-util.h" #include "extract-word.h" diff --git a/src/test/test-cgroup-mask.c b/src/test/test-cgroup-mask.c -index 19e159b..425fe19 100644 +index 57483f7..e969569 100644 --- a/src/test/test-cgroup-mask.c +++ b/src/test/test-cgroup-mask.c -@@ -55,6 +55,7 @@ static int test_cgroup_mask(void) { +@@ -55,6 +55,7 @@ TEST_RET(cgroup_mask, .sd_booted = true) { * else. */ m->default_cpu_accounting = m->default_memory_accounting = @@ -744,10 +813,10 @@ index 19e159b..425fe19 100644 m->default_tasks_accounting = false; @@ -140,10 +141,10 @@ static void test_cg_mask_to_string_one(CGroupMask mask, const char *t) { - static void test_cg_mask_to_string(void) { + TEST(cg_mask_to_string) { test_cg_mask_to_string_one(0, NULL); -- test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset io blkio memory devices pids bpf-firewall bpf-devices bpf-foreign bpf-socket-bind"); -+ test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset2 io blkio memory devices pids cpuset bpf-firewall bpf-devices bpf-foreign bpf-socket-bind"); +- test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset io blkio memory devices pids bpf-firewall bpf-devices bpf-foreign bpf-socket-bind bpf-restrict-network-interfaces"); ++ test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset2 io blkio memory devices pids cpuset bpf-firewall bpf-devices bpf-foreign bpf-socket-bind bpf-restrict-network-interfaces"); test_cg_mask_to_string_one(CGROUP_MASK_CPU, "cpu"); test_cg_mask_to_string_one(CGROUP_MASK_CPUACCT, "cpuacct"); - test_cg_mask_to_string_one(CGROUP_MASK_CPUSET, "cpuset"); @@ -756,10 +825,10 @@ index 19e159b..425fe19 100644 test_cg_mask_to_string_one(CGROUP_MASK_BLKIO, "blkio"); test_cg_mask_to_string_one(CGROUP_MASK_MEMORY, "memory"); diff --git a/test/fuzz/fuzz-unit-file/directives-all.service b/test/fuzz/fuzz-unit-file/directives-all.service -index 3039d1c..5f8cdd8 100644 +index f8237d7..dcf99e1 100644 --- a/test/fuzz/fuzz-unit-file/directives-all.service +++ b/test/fuzz/fuzz-unit-file/directives-all.service -@@ -48,6 +48,11 @@ BusName= +@@ -52,6 +52,11 @@ BusName= CoredumpFilter= CPUAccounting= CPUQuota= @@ -771,102 +840,6 @@ index 3039d1c..5f8cdd8 100644 CPUShares= CPUWeight= CapabilityBoundingSet= -diff --git a/test/fuzz/fuzz-unit-file/directives.mount b/test/fuzz/fuzz-unit-file/directives.mount -index 451f291..3adfd5b 100644 ---- a/test/fuzz/fuzz-unit-file/directives.mount -+++ b/test/fuzz/fuzz-unit-file/directives.mount -@@ -19,6 +19,11 @@ CPUQuotaPeriodSec= - CPUSchedulingPolicy= - CPUSchedulingPriority= - CPUSchedulingResetOnFork= -+CPUSetAccounting= -+CPUSetCloneChildren= -+CPUSetCpus= -+CPUSetMemMigrate= -+CPUSetMems= - CPUShares= - CPUWeight= - CacheDirectory= -diff --git a/test/fuzz/fuzz-unit-file/directives.scope b/test/fuzz/fuzz-unit-file/directives.scope -index 7e69cf8..c953f9c 100644 ---- a/test/fuzz/fuzz-unit-file/directives.scope -+++ b/test/fuzz/fuzz-unit-file/directives.scope -@@ -11,6 +11,11 @@ BlockIOWriteBandwidth= - CPUAccounting= - CPUQuota= - CPUQuotaPeriodSec= -+CPUSetAccounting= -+CPUSetCloneChildren= -+CPUSetCpus= -+CPUSetMemMigrate= -+CPUSetMems= - CPUShares= - CPUWeight= - DefaultMemoryLow= -diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service -index de7d2c7..aa5ad32 100644 ---- a/test/fuzz/fuzz-unit-file/directives.service -+++ b/test/fuzz/fuzz-unit-file/directives.service -@@ -63,6 +63,11 @@ ConditionSecurity= - ConditionUser= - ConditionVirtualization= - Conflicts= -+CPUSetAccounting= -+CPUSetCloneChildren= -+CPUSetCpus= -+CPUSetMemMigrate= -+CPUSetMems= - DefaultDependencies= - Description= - Documentation= -diff --git a/test/fuzz/fuzz-unit-file/directives.slice b/test/fuzz/fuzz-unit-file/directives.slice -index 789ac8f..54cb55d 100644 ---- a/test/fuzz/fuzz-unit-file/directives.slice -+++ b/test/fuzz/fuzz-unit-file/directives.slice -@@ -11,6 +11,11 @@ BlockIOWriteBandwidth= - CPUAccounting= - CPUQuota= - CPUQuotaPeriodSec= -+CPUSetAccounting= -+CPUSetCloneChildren= -+CPUSetCpus= -+CPUSetMemMigrate= -+CPUSetMems= - CPUShares= - CPUWeight= - DefaultMemoryLow= -diff --git a/test/fuzz/fuzz-unit-file/directives.socket b/test/fuzz/fuzz-unit-file/directives.socket -index 11f589e..aa9e758 100644 ---- a/test/fuzz/fuzz-unit-file/directives.socket -+++ b/test/fuzz/fuzz-unit-file/directives.socket -@@ -24,6 +24,11 @@ CPUQuotaPeriodSec= - CPUSchedulingPolicy= - CPUSchedulingPriority= - CPUSchedulingResetOnFork= -+CPUSetAccounting= -+CPUSetCloneChildren= -+CPUSetCpus= -+CPUSetMemMigrate= -+CPUSetMems= - CPUShares= - CPUWeight= - CacheDirectory= -diff --git a/test/fuzz/fuzz-unit-file/directives.swap b/test/fuzz/fuzz-unit-file/directives.swap -index 582a136..bc07775 100644 ---- a/test/fuzz/fuzz-unit-file/directives.swap -+++ b/test/fuzz/fuzz-unit-file/directives.swap -@@ -19,6 +19,11 @@ CPUQuotaPeriodSec= - CPUSchedulingPolicy= - CPUSchedulingPriority= - CPUSchedulingResetOnFork= -+CPUSetAccounting= -+CPUSetCloneChildren= -+CPUSetCpus= -+CPUSetMemMigrate= -+CPUSetMems= - CPUShares= - CPUWeight= - CacheDirectory= -- -2.23.0 +2.33.0 diff --git a/core-cgroup-support-default-slice-for-all-uni.patch b/core-cgroup-support-default-slice-for-all-uni.patch index 361286c..74a25ef 100644 --- a/core-cgroup-support-default-slice-for-all-uni.patch +++ b/core-cgroup-support-default-slice-for-all-uni.patch @@ -7,15 +7,15 @@ With this patch, users can specify a default slice for all units by adding DefaultUnitSlice=xxx.slice in /etc/systemd/system.conf. --- src/core/main.c | 22 +++++++++++ - src/core/manager.h | 2 + + src/core/manager.h | 3 ++ src/core/unit.c | 98 ++++++++++++++++++++++++++++++++++++++++++---- - 3 files changed, 114 insertions(+), 8 deletions(-) + 3 files changed, 115 insertions(+), 8 deletions(-) diff --git a/src/core/main.c b/src/core/main.c -index 48e8a4b..c3d9e1c 100644 +index 809ed76..500691a 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -159,6 +159,7 @@ static EmergencyAction arg_cad_burst_action; +@@ -171,6 +171,7 @@ static EmergencyAction arg_cad_burst_action; static OOMPolicy arg_default_oom_policy; static CPUSet arg_cpu_affinity; static NUMAPolicy arg_numa_policy; @@ -23,16 +23,16 @@ index 48e8a4b..c3d9e1c 100644 static usec_t arg_clock_usec; static void *arg_random_seed; static size_t arg_random_seed_size; -@@ -705,6 +706,7 @@ static int parse_config_file(void) { - { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, - { "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy }, -+ { "Manager", "DefaultUnitSlice", config_parse_string, 0, &arg_default_unit_slice }, - {} - }; - -@@ -784,6 +786,26 @@ static void set_manager_defaults(Manager *m) { - +@@ -694,6 +695,7 @@ static int parse_config_file(void) { + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, arg_system, &arg_cad_burst_action }, + { "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy }, + { "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL }, ++ { "Manager", "DefaultUnitSlice", config_parse_string, 0, &arg_default_unit_slice }, + { "Manager", "ReloadLimitIntervalSec", config_parse_sec, 0, &arg_reload_limit_interval_sec }, + { "Manager", "ReloadLimitBurst", config_parse_unsigned, 0, &arg_reload_limit_burst }, + #if ENABLE_SMACK +@@ -786,6 +788,26 @@ static void set_manager_defaults(Manager *m) { + (void) manager_default_environment(m); (void) manager_transient_environment_add(m, arg_default_environment); + if (m->default_unit_slice) @@ -56,36 +56,37 @@ index 48e8a4b..c3d9e1c 100644 + arg_default_unit_slice = NULL; + } } - + static void set_manager_settings(Manager *m) { diff --git a/src/core/manager.h b/src/core/manager.h -index 25d058f..ddddc8e 100644 +index 814421f..9e391b1 100644 --- a/src/core/manager.h +++ b/src/core/manager.h -@@ -23,6 +23,7 @@ typedef struct Unit Unit; - +@@ -22,6 +22,7 @@ typedef struct Unit Unit; + /* Enforce upper limit how many names we allow */ #define MANAGER_MAX_NAMES 131072 /* 128K */ +#define DEFAULT_UNIT_NAME_LEN_MAX 32 - + typedef struct Manager Manager; - -@@ -445,6 +446,7 @@ struct Manager { + +@@ -455,6 +456,8 @@ struct Manager { unsigned sigchldgen; unsigned notifygen; - + + char *default_unit_slice; - bool in_manager_catchup; - ++ VarlinkServer *varlink_server; + /* When we're a system manager, this object manages the subscription from systemd-oomd to PID1 that's + * used to report changes in ManagedOOM settings (systemd server - oomd client). When diff --git a/src/core/unit.c b/src/core/unit.c -index cbb02ea..e3dee86 100644 +index eef05d0..cc74a43 100644 --- a/src/core/unit.c +++ b/src/core/unit.c -@@ -3316,6 +3316,58 @@ int unit_set_slice(Unit *u, Unit *slice) { +@@ -3340,6 +3340,58 @@ int unit_set_slice(Unit *u, Unit *slice) { return 1; } - + +/* system-xxx.slice, xxx must be (a b c/A B C...and 0 1 2...) */ +static bool slicename_is_valid(const char *slicename) { + const char *str_start = "system-"; @@ -141,10 +142,10 @@ index cbb02ea..e3dee86 100644 int unit_set_default_slice(Unit *u) { const char *slice_name; Unit *slice; -@@ -3326,6 +3378,20 @@ int unit_set_default_slice(Unit *u) { +@@ -3353,6 +3405,20 @@ int unit_set_default_slice(Unit *u) { if (UNIT_GET_SLICE(u)) return 0; - + + bool isdefaultslice = false; + char *default_unit_slice = u->manager->default_unit_slice; + @@ -161,11 +162,11 @@ index cbb02ea..e3dee86 100644 + if (u->instance) { _cleanup_free_ char *prefix = NULL, *escaped = NULL; - -@@ -3343,24 +3409,40 @@ int unit_set_default_slice(Unit *u) { + +@@ -3370,24 +3436,40 @@ int unit_set_default_slice(Unit *u) { if (!escaped) return -ENOMEM; - + - if (MANAGER_IS_SYSTEM(u->manager)) - slice_name = strjoina("system-", escaped, ".slice"); - else @@ -182,7 +183,7 @@ index cbb02ea..e3dee86 100644 + slice_name = strjoina("system-", escaped, ".slice"); + } else slice_name = strjoina("app-", escaped, ".slice"); - + - } else if (unit_is_extrinsic(u)) + } else if (unit_is_extrinsic(u)) { /* Keep all extrinsic units (e.g. perpetual units and swap and mount units in user mode) in @@ -202,15 +203,15 @@ index cbb02ea..e3dee86 100644 slice_name = SPECIAL_APP_SLICE; + isdefaultslice = false; + } - + r = manager_load_unit(u->manager, slice_name, NULL, NULL, &slice); if (r < 0) return r; + if (isdefaultslice) + slice->default_dependencies=false; - + return unit_set_slice(u, slice); } --- -2.27.0 +-- +2.33.0 diff --git a/core-cgroup-support-freezer.patch b/core-cgroup-support-freezer.patch index e383190..8511989 100644 --- a/core-cgroup-support-freezer.patch +++ b/core-cgroup-support-freezer.patch @@ -23,20 +23,14 @@ This patch add support for freezer subsystem. src/test/test-cgroup-freezer.c | 43 +++++++++++++++++++ src/test/test-cgroup-mask.c | 3 +- .../fuzz-unit-file/directives-all.service | 2 + - test/fuzz/fuzz-unit-file/directives.mount | 2 + - test/fuzz/fuzz-unit-file/directives.scope | 2 + - test/fuzz/fuzz-unit-file/directives.service | 2 + - test/fuzz/fuzz-unit-file/directives.slice | 2 + - test/fuzz/fuzz-unit-file/directives.socket | 2 + - test/fuzz/fuzz-unit-file/directives.swap | 2 + - 24 files changed, 173 insertions(+), 2 deletions(-) + 18 files changed, 161 insertions(+), 2 deletions(-) create mode 100644 src/test/test-cgroup-freezer.c diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c -index 01a4181..f912b65 100644 +index 1bb07f7..ac25693 100644 --- a/src/basic/cgroup-util.c +++ b/src/basic/cgroup-util.c -@@ -2162,6 +2162,7 @@ static const char *const cgroup_controller_table[_CGROUP_CONTROLLER_MAX] = { +@@ -2255,6 +2255,7 @@ static const char *const cgroup_controller_table[_CGROUP_CONTROLLER_MAX] = { [CGROUP_CONTROLLER_DEVICES] = "devices", [CGROUP_CONTROLLER_PIDS] = "pids", [CGROUP_CONTROLLER_CPUSET] = "cpuset", @@ -45,10 +39,10 @@ index 01a4181..f912b65 100644 [CGROUP_CONTROLLER_BPF_DEVICES] = "bpf-devices", [CGROUP_CONTROLLER_BPF_FOREIGN] = "bpf-foreign", diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h -index 06a23ff..a491eca 100644 +index 764d47a..147c956 100644 --- a/src/basic/cgroup-util.h +++ b/src/basic/cgroup-util.h -@@ -27,6 +27,7 @@ typedef enum CGroupController { +@@ -28,6 +28,7 @@ typedef enum CGroupController { CGROUP_CONTROLLER_DEVICES, /* v1 only */ CGROUP_CONTROLLER_PIDS, CGROUP_CONTROLLER_CPUSET, @@ -56,7 +50,7 @@ index 06a23ff..a491eca 100644 /* BPF-based pseudo-controllers, v2 only */ CGROUP_CONTROLLER_BPF_FIREWALL, -@@ -51,13 +52,14 @@ typedef enum CGroupMask { +@@ -56,6 +57,7 @@ typedef enum CGroupMask { CGROUP_MASK_DEVICES = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_DEVICES), CGROUP_MASK_PIDS = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_PIDS), CGROUP_MASK_CPUSET = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_CPUSET), @@ -64,7 +58,8 @@ index 06a23ff..a491eca 100644 CGROUP_MASK_BPF_FIREWALL = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_FIREWALL), CGROUP_MASK_BPF_DEVICES = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_DEVICES), CGROUP_MASK_BPF_FOREIGN = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_FOREIGN), - CGROUP_MASK_BPF_SOCKET_BIND = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_SOCKET_BIND), +@@ -63,7 +65,7 @@ typedef enum CGroupMask { + CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_RESTRICT_NETWORK_INTERFACES), /* All real cgroup v1 controllers */ - CGROUP_MASK_V1 = CGROUP_MASK_CPU|CGROUP_MASK_CPUACCT|CGROUP_MASK_BLKIO|CGROUP_MASK_MEMORY|CGROUP_MASK_CPUSET|CGROUP_MASK_DEVICES|CGROUP_MASK_PIDS, @@ -73,10 +68,10 @@ index 06a23ff..a491eca 100644 /* All real cgroup v2 controllers */ CGROUP_MASK_V2 = CGROUP_MASK_CPU|CGROUP_MASK_CPUSET2|CGROUP_MASK_IO|CGROUP_MASK_MEMORY|CGROUP_MASK_PIDS, diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 83e94c7..f811a8b 100644 +index a6396e1..7d1e59b 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c -@@ -139,6 +139,7 @@ void cgroup_context_init(CGroupContext *c) { +@@ -162,6 +162,7 @@ void cgroup_context_init(CGroupContext *c) { .startup_blockio_weight = CGROUP_BLKIO_WEIGHT_INVALID, .tasks_max = TASKS_MAX_UNSET, @@ -84,17 +79,17 @@ index 83e94c7..f811a8b 100644 .moom_swap = MANAGED_OOM_AUTO, .moom_mem_pressure = MANAGED_OOM_AUTO, -@@ -260,6 +261,9 @@ void cgroup_context_done(CGroupContext *c) { - - cpu_set_reset(&c->cpuset_cpus2); +@@ -287,6 +288,9 @@ void cgroup_context_done(CGroupContext *c) { + cpu_set_reset(&c->startup_cpuset_cpus2); cpu_set_reset(&c->cpuset_mems2); + cpu_set_reset(&c->startup_cpuset_mems2); + + if (c->freezer_state) + c->freezer_state = mfree(c->freezer_state); } static int unit_get_kernel_memory_limit(Unit *u, const char *file, uint64_t *ret) { -@@ -433,6 +437,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { +@@ -451,6 +455,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { "%sBlockIOAccounting: %s\n" "%sMemoryAccounting: %s\n" "%sCPUSetAccounting: %s\n" @@ -102,7 +97,7 @@ index 83e94c7..f811a8b 100644 "%sTasksAccounting: %s\n" "%sIPAccounting: %s\n" "%sCPUWeight: %" PRIu64 "\n" -@@ -460,6 +465,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { +@@ -481,6 +486,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { "%sCPUSetCloneChildren=%s\n" "%sCPUSetMemMigrate=%s\n" "%sTasksMax: %" PRIu64 "\n" @@ -110,7 +105,7 @@ index 83e94c7..f811a8b 100644 "%sDevicePolicy: %s\n" "%sDisableControllers: %s\n" "%sDelegate: %s\n" -@@ -472,6 +478,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { +@@ -493,6 +499,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { prefix, yes_no(c->blockio_accounting), prefix, yes_no(c->memory_accounting), prefix, yes_no(c->cpuset_accounting), @@ -118,7 +113,7 @@ index 83e94c7..f811a8b 100644 prefix, yes_no(c->tasks_accounting), prefix, yes_no(c->ip_accounting), prefix, c->cpu_weight, -@@ -499,6 +506,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { +@@ -523,6 +530,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { prefix, yes_no(c->cpuset_clone_children), prefix, yes_no(c->cpuset_memory_migrate), prefix, tasks_max_resolve(&c->tasks_max), @@ -126,7 +121,7 @@ index 83e94c7..f811a8b 100644 prefix, cgroup_device_policy_to_string(c->device_policy), prefix, strempty(disable_controllers_str), prefix, yes_no(c->delegate), -@@ -1566,6 +1574,11 @@ static void cgroup_context_apply( +@@ -1722,6 +1730,11 @@ static void cgroup_context_apply( } } @@ -138,7 +133,7 @@ index 83e94c7..f811a8b 100644 /* On cgroup v2 we can apply BPF everywhere. On cgroup v1 we apply it everywhere except for the root of * containers, where we leave this to the manager */ if ((apply_mask & (CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES)) && -@@ -1708,6 +1721,9 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { +@@ -1878,6 +1891,9 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { c->cpuset_mems) mask |= CGROUP_MASK_CPUSET; @@ -149,7 +144,7 @@ index 83e94c7..f811a8b 100644 c->device_policy != CGROUP_DEVICE_POLICY_AUTO) mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES; diff --git a/src/core/cgroup.h b/src/core/cgroup.h -index 1e27104..6833d5b 100644 +index 501cba4..2251548 100644 --- a/src/core/cgroup.h +++ b/src/core/cgroup.h @@ -116,6 +116,7 @@ struct CGroupContext { @@ -160,7 +155,7 @@ index 1e27104..6833d5b 100644 bool tasks_accounting; bool ip_accounting; -@@ -186,6 +187,9 @@ struct CGroupContext { +@@ -196,6 +197,9 @@ struct CGroupContext { /* Common */ TasksMax tasks_max; @@ -171,10 +166,10 @@ index 1e27104..6833d5b 100644 ManagedOOMMode moom_swap; ManagedOOMMode moom_mem_pressure; diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c -index 0cdc98c..8527a1a 100644 +index c3b140e..c51a8b7 100644 --- a/src/core/dbus-cgroup.c +++ b/src/core/dbus-cgroup.c -@@ -445,6 +445,8 @@ const sd_bus_vtable bus_cgroup_vtable[] = { +@@ -475,6 +475,8 @@ const sd_bus_vtable bus_cgroup_vtable[] = { SD_BUS_PROPERTY("CPUSetMems", "s", NULL, offsetof(CGroupContext, cpuset_mems), 0), SD_BUS_PROPERTY("CPUSetCloneChildren", "b", bus_property_get_bool, offsetof(CGroupContext, cpuset_clone_children), 0), SD_BUS_PROPERTY("CPUSetMemMigrate", "b", bus_property_get_bool, offsetof(CGroupContext, cpuset_memory_migrate), 0), @@ -183,7 +178,7 @@ index 0cdc98c..8527a1a 100644 SD_BUS_PROPERTY("DevicePolicy", "s", property_get_cgroup_device_policy, offsetof(CGroupContext, device_policy), 0), SD_BUS_PROPERTY("DeviceAllow", "a(ss)", property_get_device_allow, 0, 0), SD_BUS_PROPERTY("TasksAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, tasks_accounting), 0), -@@ -1073,6 +1075,9 @@ int bus_cgroup_set_property( +@@ -1137,6 +1139,9 @@ int bus_cgroup_set_property( if (streq(name, "CPUSetAccounting")) return bus_cgroup_set_boolean(u, name, &c->cpuset_accounting, CGROUP_MASK_CPUSET, message, flags, error); @@ -193,7 +188,7 @@ index 0cdc98c..8527a1a 100644 if (STR_IN_SET(name, "CPUSetCpus", "CPUSetMems")) { const char *cpuset_str = NULL; -@@ -1107,6 +1112,30 @@ int bus_cgroup_set_property( +@@ -1171,6 +1176,30 @@ int bus_cgroup_set_property( if (streq(name, "CPUSetMemMigrate")) return bus_cgroup_set_boolean(u, name, &c->cpuset_memory_migrate, CGROUP_MASK_CPUSET, message, flags, error); @@ -225,10 +220,10 @@ index 0cdc98c..8527a1a 100644 return bus_cgroup_set_boolean(u, name, &c->tasks_accounting, CGROUP_MASK_PIDS, message, flags, error); diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c -index 82896af..184df9d 100644 +index d6f45a7..7e57a32 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c -@@ -2691,6 +2691,7 @@ const sd_bus_vtable bus_manager_vtable[] = { +@@ -2911,6 +2911,7 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_PROPERTY("DefaultBlockIOAccounting", "b", bus_property_get_bool, offsetof(Manager, default_blockio_accounting), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultMemoryAccounting", "b", bus_property_get_bool, offsetof(Manager, default_memory_accounting), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultCpusetAccounting", "b", bus_property_get_bool, offsetof(Manager, default_cpuset_accounting), SD_BUS_VTABLE_PROPERTY_CONST), @@ -237,10 +232,10 @@ index 82896af..184df9d 100644 SD_BUS_PROPERTY("DefaultLimitCPU", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultLimitCPUSoft", "t", bus_property_get_rlimit, offsetof(Manager, rlimit[RLIMIT_CPU]), SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in -index 60c9dbc..5b7ecd2 100644 +index 8600faa..eb68807 100644 --- a/src/core/load-fragment-gperf.gperf.in +++ b/src/core/load-fragment-gperf.gperf.in -@@ -202,6 +202,8 @@ +@@ -213,6 +213,8 @@ {{type}}.CPUSetMems, config_parse_cpuset_cpumems, 0, offsetof({{type}}, cgroup_context.cpuset_mems) {{type}}.CPUSetCloneChildren, config_parse_bool, 0, offsetof({{type}}, cgroup_context.cpuset_clone_children) {{type}}.CPUSetMemMigrate, config_parse_bool, 0, offsetof({{type}}, cgroup_context.cpuset_memory_migrate) @@ -250,10 +245,10 @@ index 60c9dbc..5b7ecd2 100644 {{type}}.DevicePolicy, config_parse_device_policy, 0, offsetof({{type}}, cgroup_context.device_policy) {{type}}.IOAccounting, config_parse_bool, 0, offsetof({{type}}, cgroup_context.io_accounting) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 5f6a703..d5eb932 100644 +index b0feac7..d01b6c4 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c -@@ -3791,6 +3791,39 @@ int config_parse_cpuset_cpumems( +@@ -3933,6 +3933,39 @@ int config_parse_cpuset_cpumems( return 0; } @@ -294,10 +289,10 @@ index 5f6a703..d5eb932 100644 const char *unit, const char *filename, diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h -index 1ecad67..090776c 100644 +index 405681f..d5437ea 100644 --- a/src/core/load-fragment.h +++ b/src/core/load-fragment.h -@@ -75,6 +75,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_cg_weight); +@@ -82,6 +82,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_cg_cpu_weight); CONFIG_PARSER_PROTOTYPE(config_parse_cpu_shares); CONFIG_PARSER_PROTOTYPE(config_parse_memory_limit); CONFIG_PARSER_PROTOTYPE(config_parse_cpuset_cpumems); @@ -306,10 +301,10 @@ index 1ecad67..090776c 100644 CONFIG_PARSER_PROTOTYPE(config_parse_delegate); CONFIG_PARSER_PROTOTYPE(config_parse_managed_oom_mode); diff --git a/src/core/main.c b/src/core/main.c -index 6309aab..9cc7fec 100644 +index e64882c..9f62b9d 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -149,6 +149,7 @@ static bool arg_default_ip_accounting; +@@ -161,6 +161,7 @@ static bool arg_default_ip_accounting; static bool arg_default_blockio_accounting; static bool arg_default_memory_accounting; static bool arg_default_cpuset_accounting; @@ -317,15 +312,15 @@ index 6309aab..9cc7fec 100644 static bool arg_default_tasks_accounting; static TasksMax arg_default_tasks_max; static sd_id128_t arg_machine_id; -@@ -695,6 +696,7 @@ static int parse_config_file(void) { - { "Manager", "DefaultBlockIOAccounting", config_parse_bool, 0, &arg_default_blockio_accounting }, - { "Manager", "DefaultMemoryAccounting", config_parse_bool, 0, &arg_default_memory_accounting }, - { "Manager", "DefaultCpusetAccounting", config_parse_bool, 0, &arg_default_cpuset_accounting }, -+ { "Manager", "DefaultFreezerAccounting", config_parse_bool, 0, &arg_default_freezer_accounting }, - { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, - { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, -@@ -767,6 +769,7 @@ static void set_manager_defaults(Manager *m) { +@@ -683,6 +684,7 @@ static int parse_config_file(void) { + { "Manager", "DefaultBlockIOAccounting", config_parse_bool, 0, &arg_default_blockio_accounting }, + { "Manager", "DefaultMemoryAccounting", config_parse_bool, 0, &arg_default_memory_accounting }, + { "Manager", "DefaultCpusetAccounting", config_parse_bool, 0, &arg_default_cpuset_accounting }, ++ { "Manager", "DefaultFreezerAccounting", config_parse_bool, 0, &arg_default_freezer_accounting }, + { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, + { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, arg_system, &arg_cad_burst_action }, +@@ -765,6 +767,7 @@ static void set_manager_defaults(Manager *m) { m->default_blockio_accounting = arg_default_blockio_accounting; m->default_memory_accounting = arg_default_memory_accounting; m->default_cpuset_accounting = arg_default_cpuset_accounting; @@ -333,7 +328,7 @@ index 6309aab..9cc7fec 100644 m->default_tasks_accounting = arg_default_tasks_accounting; m->default_tasks_max = arg_default_tasks_max; m->default_oom_policy = arg_default_oom_policy; -@@ -2405,6 +2408,7 @@ static void reset_arguments(void) { +@@ -2461,6 +2464,7 @@ static void reset_arguments(void) { arg_default_blockio_accounting = false; arg_default_memory_accounting = MEMORY_ACCOUNTING_DEFAULT; arg_default_cpuset_accounting = false; @@ -342,10 +337,10 @@ index 6309aab..9cc7fec 100644 arg_default_tasks_max = DEFAULT_TASKS_MAX; arg_machine_id = (sd_id128_t) {}; diff --git a/src/core/manager.h b/src/core/manager.h -index b7a51cf..72fd86e 100644 +index c4edacc..0196c52 100644 --- a/src/core/manager.h +++ b/src/core/manager.h -@@ -361,6 +361,7 @@ struct Manager { +@@ -366,6 +366,7 @@ struct Manager { bool default_cpu_accounting; bool default_memory_accounting; bool default_cpuset_accounting; @@ -354,11 +349,11 @@ index b7a51cf..72fd86e 100644 bool default_blockio_accounting; bool default_tasks_accounting; diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index fcc20d0..f97bd2f 100644 +index a0ef2bf..a44511b 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -54,6 +54,7 @@ - #DefaultBlockIOAccounting=no +@@ -56,6 +56,7 @@ + #DefaultIPAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultCpusetAccounting= +#DefaultFreezerAccounting=no @@ -366,10 +361,10 @@ index fcc20d0..f97bd2f 100644 #DefaultTasksMax=80% #DefaultLimitCPU= diff --git a/src/core/unit.c b/src/core/unit.c -index 2f20053..70849e4 100644 +index 9ac41b4..eef05d0 100644 --- a/src/core/unit.c +++ b/src/core/unit.c -@@ -177,6 +177,7 @@ static void unit_init(Unit *u) { +@@ -180,6 +180,7 @@ static void unit_init(Unit *u) { cc->blockio_accounting = u->manager->default_blockio_accounting; cc->memory_accounting = u->manager->default_memory_accounting; cc->cpuset_accounting = u->manager->default_cpuset_accounting; @@ -378,10 +373,10 @@ index 2f20053..70849e4 100644 cc->ip_accounting = u->manager->default_ip_accounting; diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c -index caad3ab..f20fcbf 100644 +index e1aed3d..a174e3e 100644 --- a/src/shared/bus-unit-util.c +++ b/src/shared/bus-unit-util.c -@@ -462,6 +462,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons +@@ -483,6 +483,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons "TasksAccounting", "IPAccounting", "CPUSetAccounting", @@ -389,7 +384,7 @@ index caad3ab..f20fcbf 100644 "CPUSetCloneChildren", "CPUSetMemMigrate")) return bus_append_parse_boolean(m, field, eq); -@@ -574,6 +575,16 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons +@@ -600,6 +601,16 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons return 1; } @@ -407,20 +402,20 @@ index caad3ab..f20fcbf 100644 if (isempty(eq)) r = sd_bus_message_append(m, "(sv)", "CPUQuotaPerSecUSec", "t", USEC_INFINITY); diff --git a/src/test/meson.build b/src/test/meson.build -index c0faeb4..fc891bb 100644 +index 34dbd6d..be99212 100644 --- a/src/test/meson.build +++ b/src/test/meson.build -@@ -450,6 +450,12 @@ tests += [ +@@ -525,6 +525,12 @@ tests += [ [], core_includes], -+ [['src/test/test-cgroup-freezer.c'], ++ [files('test-cgroup-freezer.c'), + [libcore, + libshared], + [], + core_includes], + - [['src/test/test-cgroup-unit-default.c'], + [files('test-cgroup-unit-default.c'), [libcore, libshared], diff --git a/src/test/test-cgroup-freezer.c b/src/test/test-cgroup-freezer.c @@ -473,10 +468,10 @@ index 0000000..a533d16 + return 0; +} diff --git a/src/test/test-cgroup-mask.c b/src/test/test-cgroup-mask.c -index 425fe19..31fd5d0 100644 +index e969569..e76f252 100644 --- a/src/test/test-cgroup-mask.c +++ b/src/test/test-cgroup-mask.c -@@ -56,6 +56,7 @@ static int test_cgroup_mask(void) { +@@ -56,6 +56,7 @@ TEST_RET(cgroup_mask, .sd_booted = true) { m->default_cpu_accounting = m->default_memory_accounting = m->default_cpuset_accounting = @@ -486,18 +481,18 @@ index 425fe19..31fd5d0 100644 m->default_tasks_accounting = false; @@ -141,7 +142,7 @@ static void test_cg_mask_to_string_one(CGroupMask mask, const char *t) { - static void test_cg_mask_to_string(void) { + TEST(cg_mask_to_string) { test_cg_mask_to_string_one(0, NULL); -- test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset2 io blkio memory devices pids cpuset bpf-firewall bpf-devices bpf-foreign bpf-socket-bind"); -+ test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset2 io blkio memory devices pids cpuset freezer bpf-firewall bpf-devices bpf-foreign bpf-socket-bind"); +- test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset2 io blkio memory devices pids cpuset bpf-firewall bpf-devices bpf-foreign bpf-socket-bind bpf-restrict-network-interfaces"); ++ test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset2 io blkio memory devices pids cpuset freezer bpf-firewall bpf-devices bpf-foreign bpf-socket-bind bpf-restrict-network-interfaces"); test_cg_mask_to_string_one(CGROUP_MASK_CPU, "cpu"); test_cg_mask_to_string_one(CGROUP_MASK_CPUACCT, "cpuacct"); test_cg_mask_to_string_one(CGROUP_MASK_CPUSET2, "cpuset2"); diff --git a/test/fuzz/fuzz-unit-file/directives-all.service b/test/fuzz/fuzz-unit-file/directives-all.service -index 5f8cdd8..1cd161d 100644 +index dcf99e1..1a5cd5d 100644 --- a/test/fuzz/fuzz-unit-file/directives-all.service +++ b/test/fuzz/fuzz-unit-file/directives-all.service -@@ -107,6 +107,8 @@ FileDescriptorName= +@@ -115,6 +115,8 @@ FileDescriptorName= FileDescriptorStoreMax= ForceUnmount= FreeBind= @@ -506,84 +501,6 @@ index 5f8cdd8..1cd161d 100644 Group= GuessMainPID= IOAccounting= -diff --git a/test/fuzz/fuzz-unit-file/directives.mount b/test/fuzz/fuzz-unit-file/directives.mount -index 3adfd5b..53c035a 100644 ---- a/test/fuzz/fuzz-unit-file/directives.mount -+++ b/test/fuzz/fuzz-unit-file/directives.mount -@@ -47,6 +47,8 @@ ExecPaths= - ExtensionImages= - FinalKillSignal= - ForceUnmount= -+FreezerAccounting= -+FreezerState= - Group= - IOAccounting= - IODeviceLatencyTargetSec= -diff --git a/test/fuzz/fuzz-unit-file/directives.scope b/test/fuzz/fuzz-unit-file/directives.scope -index c953f9c..1dd6c60 100644 ---- a/test/fuzz/fuzz-unit-file/directives.scope -+++ b/test/fuzz/fuzz-unit-file/directives.scope -@@ -25,6 +25,8 @@ DeviceAllow= - DevicePolicy= - DisableControllers= - FinalKillSignal= -+FreezerAccounting= -+FreezerState= - IOAccounting= - IODeviceLatencyTargetSec= - IODeviceWeight= -diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service -index aa5ad32..a5f7f07 100644 ---- a/test/fuzz/fuzz-unit-file/directives.service -+++ b/test/fuzz/fuzz-unit-file/directives.service -@@ -73,6 +73,8 @@ Description= - Documentation= - FailureAction= - FailureActionExitStatus= -+FreezerAccounting= -+FreezerState= - IgnoreOnIsolate= - IgnoreOnSnapshot= - JobRunningTimeoutSec= -diff --git a/test/fuzz/fuzz-unit-file/directives.slice b/test/fuzz/fuzz-unit-file/directives.slice -index 54cb55d..2328a24 100644 ---- a/test/fuzz/fuzz-unit-file/directives.slice -+++ b/test/fuzz/fuzz-unit-file/directives.slice -@@ -24,6 +24,8 @@ Delegate= - DeviceAllow= - DevicePolicy= - DisableControllers= -+FreezerAccounting= -+FreezerState= - IOAccounting= - IODeviceLatencyTargetSec= - IODeviceWeight= -diff --git a/test/fuzz/fuzz-unit-file/directives.socket b/test/fuzz/fuzz-unit-file/directives.socket -index aa9e758..6fb1e5f 100644 ---- a/test/fuzz/fuzz-unit-file/directives.socket -+++ b/test/fuzz/fuzz-unit-file/directives.socket -@@ -59,6 +59,8 @@ FileDescriptorName= - FinalKillSignal= - FlushPending= - FreeBind= -+FreezerAccounting= -+FreezerState= - Group= - IOAccounting= - IODeviceLatencyTargetSec= -diff --git a/test/fuzz/fuzz-unit-file/directives.swap b/test/fuzz/fuzz-unit-file/directives.swap -index bc07775..6ca6198 100644 ---- a/test/fuzz/fuzz-unit-file/directives.swap -+++ b/test/fuzz/fuzz-unit-file/directives.swap -@@ -45,6 +45,8 @@ EnvironmentFile= - ExecPaths= - ExtensionImages= - FinalKillSignal= -+FreezerAccounting= -+FreezerState= - Group= - IOAccounting= - IODeviceLatencyTargetSec= -- -2.23.0 +2.33.0 diff --git a/core-cgroup-support-memorysw.patch b/core-cgroup-support-memorysw.patch index 5b2141d..2c0a9e8 100644 --- a/core-cgroup-support-memorysw.patch +++ b/core-cgroup-support-memorysw.patch @@ -10,68 +10,63 @@ This patch enables setting memory.memsw.limit_in_bytes by MemoryMemswLimit. src/core/cgroup.h | 1 + src/core/dbus-cgroup.c | 4 ++++ src/core/load-fragment-gperf.gperf.in | 1 + - src/core/load-fragment.c | 2 ++ + src/core/load-fragment.c | 10 ++++++---- src/shared/bus-print-properties.c | 2 +- src/shared/bus-unit-util.c | 1 + test/fuzz/fuzz-unit-file/directives-all.service | 1 + - test/fuzz/fuzz-unit-file/directives.mount | 1 + - test/fuzz/fuzz-unit-file/directives.scope | 1 + - test/fuzz/fuzz-unit-file/directives.service | 1 + - test/fuzz/fuzz-unit-file/directives.slice | 1 + - test/fuzz/fuzz-unit-file/directives.socket | 1 + - test/fuzz/fuzz-unit-file/directives.swap | 1 + - 14 files changed, 32 insertions(+), 3 deletions(-) + 8 files changed, 30 insertions(+), 7 deletions(-) diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index d9b1d9b..4eedaf7 100644 +index 7d1e59b..f827219 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c -@@ -125,6 +125,7 @@ void cgroup_context_init(CGroupContext *c) { - .memory_swap_max = CGROUP_LIMIT_MAX, - +@@ -154,6 +154,7 @@ void cgroup_context_init(CGroupContext *c) { + .memory_zswap_max = CGROUP_LIMIT_MAX, + .memory_limit = CGROUP_LIMIT_MAX, + .memory_memsw_limit = CGROUP_LIMIT_MAX, - + .io_weight = CGROUP_WEIGHT_INVALID, .startup_io_weight = CGROUP_WEIGHT_INVALID, -@@ -454,6 +455,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { - "%sMemoryMax: %" PRIu64 "%s\n" +@@ -481,6 +482,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { "%sMemorySwapMax: %" PRIu64 "%s\n" + "%sMemoryZSwapMax: %" PRIu64 "%s\n" "%sMemoryLimit: %" PRIu64 "\n" + "%sMemoryMemswLimit=%" PRIu64 "\n" "%sCPUSetCpus=%s\n" "%sCPUSetMems=%s\n" "%sCPUSetCloneChildren=%s\n" -@@ -495,6 +497,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { - prefix, c->memory_max, format_cgroup_memory_limit_comparison(cdd, sizeof(cdd), u, "MemoryMax"), +@@ -525,6 +527,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { prefix, c->memory_swap_max, format_cgroup_memory_limit_comparison(cde, sizeof(cde), u, "MemorySwapMax"), + prefix, c->memory_zswap_max, format_cgroup_memory_limit_comparison(cde, sizeof(cde), u, "MemoryZSwapMax"), prefix, c->memory_limit, + prefix, c->memory_memsw_limit, prefix, c->cpuset_cpus, prefix, c->cpuset_mems, prefix, yes_no(c->cpuset_clone_children), -@@ -1484,13 +1487,16 @@ static void cgroup_context_apply( - +@@ -1673,14 +1676,17 @@ static void cgroup_context_apply( + } else { char buf[DECIMAL_STR_MAX(uint64_t) + 1]; - uint64_t val; + uint64_t val, sw_val; - + if (unit_has_unified_memory_config(u)) { val = c->memory_max; + sw_val = CGROUP_LIMIT_MAX; - log_cgroup_compat(u, "Applying MemoryMax=%" PRIi64 " as MemoryLimit=", val); + if (val != CGROUP_LIMIT_MAX) + log_cgroup_compat(u, "Applying MemoryMax=%" PRIu64 " as MemoryLimit=", val); - } else + } else { val = c->memory_limit; + sw_val = c->memory_memsw_limit; + } - + if (val == CGROUP_LIMIT_MAX) strncpy(buf, "-1\n", sizeof(buf)); -@@ -1498,6 +1504,12 @@ static void cgroup_context_apply( +@@ -1688,6 +1694,12 @@ static void cgroup_context_apply( xsprintf(buf, "%" PRIu64 "\n", val); - + (void) set_attribute_and_warn(u, "memory", "memory.limit_in_bytes", buf); + + if (sw_val == CGROUP_LIMIT_MAX) @@ -81,43 +76,43 @@ index d9b1d9b..4eedaf7 100644 + (void) set_attribute_and_warn(u, "memory", "memory.memsw.limit_in_bytes", buf); } } - -@@ -1679,6 +1691,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { - + +@@ -1883,6 +1895,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) { + if (c->memory_accounting || c->memory_limit != CGROUP_LIMIT_MAX || + c->memory_memsw_limit != CGROUP_LIMIT_MAX || unit_has_unified_memory_config(u)) mask |= CGROUP_MASK_MEMORY; - + diff --git a/src/core/cgroup.h b/src/core/cgroup.h -index 9177415..1a36c2d 100644 +index 2251548..313b63c 100644 --- a/src/core/cgroup.h +++ b/src/core/cgroup.h -@@ -177,6 +177,7 @@ struct CGroupContext { +@@ -187,6 +187,7 @@ struct CGroupContext { LIST_HEAD(CGroupBlockIODeviceBandwidth, blockio_device_bandwidths); - + uint64_t memory_limit; + uint64_t memory_memsw_limit; - + CGroupDevicePolicy device_policy; LIST_HEAD(CGroupDeviceAllow, device_allow); diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c -index 509ae4f..a200710 100644 +index c51a8b7..e54657e 100644 --- a/src/core/dbus-cgroup.c +++ b/src/core/dbus-cgroup.c -@@ -440,6 +440,7 @@ const sd_bus_vtable bus_cgroup_vtable[] = { - SD_BUS_PROPERTY("MemoryMax", "t", NULL, offsetof(CGroupContext, memory_max), 0), +@@ -470,6 +470,7 @@ const sd_bus_vtable bus_cgroup_vtable[] = { SD_BUS_PROPERTY("MemorySwapMax", "t", NULL, offsetof(CGroupContext, memory_swap_max), 0), + SD_BUS_PROPERTY("MemoryZSwapMax", "t", NULL, offsetof(CGroupContext, memory_zswap_max), 0), SD_BUS_PROPERTY("MemoryLimit", "t", NULL, offsetof(CGroupContext, memory_limit), 0), + SD_BUS_PROPERTY("MemoryMemswLimit", "t", NULL, offsetof(CGroupContext, memory_memsw_limit), 0), SD_BUS_PROPERTY("CPUSetAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, cpuset_accounting), 0), SD_BUS_PROPERTY("CPUSetCpus", "s", NULL, offsetof(CGroupContext, cpuset_cpus), 0), SD_BUS_PROPERTY("CPUSetMems", "s", NULL, offsetof(CGroupContext, cpuset_mems), 0), -@@ -1032,6 +1033,9 @@ int bus_cgroup_set_property( +@@ -1093,6 +1094,9 @@ int bus_cgroup_set_property( if (streq(name, "MemoryLimit")) return bus_cgroup_set_memory(u, name, &c->memory_limit, message, flags, error); - + + if (streq(name, "MemoryMemswLimit")) + return bus_cgroup_set_memory(u, name, &c->memory_memsw_limit, message, flags, error); + @@ -125,139 +120,67 @@ index 509ae4f..a200710 100644 r = bus_cgroup_set_memory_protection_scale(u, name, &c->memory_min, message, flags, error); if (r > 0) diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in -index 5b7ecd2..0702aa0 100644 +index eb68807..c1bc771 100644 --- a/src/core/load-fragment-gperf.gperf.in +++ b/src/core/load-fragment-gperf.gperf.in -@@ -197,6 +197,7 @@ - {{type}}.MemoryMax, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) +@@ -208,6 +208,7 @@ {{type}}.MemorySwapMax, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) + {{type}}.MemoryZSwapMax, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) {{type}}.MemoryLimit, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) +{{type}}.MemoryMemswLimit, config_parse_memory_limit, 0, offsetof({{type}}, cgroup_context) {{type}}.CPUSetAccounting, config_parse_bool, 0, offsetof({{type}}, cgroup_context.cpuset_accounting) {{type}}.CPUSetCpus, config_parse_cpuset_cpumems, 0, offsetof({{type}}, cgroup_context.cpuset_cpus) {{type}}.CPUSetMems, config_parse_cpuset_cpumems, 0, offsetof({{type}}, cgroup_context.cpuset_mems) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 1fb097d..a2ad32b 100644 +index d01b6c4..8d2171f 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c -@@ -3716,6 +3716,8 @@ int config_parse_memory_limit( +@@ -3854,6 +3854,8 @@ int config_parse_memory_limit( c->memory_swap_max = bytes; - else if (streq(lvalue, "MemoryLimit")) - c->memory_limit = bytes; + else if (streq(lvalue, "MemoryZSwapMax")) + c->memory_zswap_max = bytes; + else if (streq(lvalue, "MemoryMemswLimit")) + c->memory_memsw_limit = bytes; - else - return -EINVAL; - + else if (streq(lvalue, "MemoryLimit")) { + log_syntax(unit, LOG_WARNING, filename, line, 0, + "Unit uses MemoryLimit=; please use MemoryMax= instead. Support for MemoryLimit= will be removed soon."); diff --git a/src/shared/bus-print-properties.c b/src/shared/bus-print-properties.c -index b459219..a16aca8 100644 +index 9369866..9e26b71 100644 --- a/src/shared/bus-print-properties.c +++ b/src/shared/bus-print-properties.c -@@ -165,7 +165,7 @@ static int bus_print_property(const char *name, const char *expected_value, sd_b - +@@ -162,7 +162,7 @@ static int bus_print_property(const char *name, const char *expected_value, sd_b + bus_print_property_value(name, expected_value, flags, "[not set]"); - -- else if ((STR_IN_SET(name, "DefaultMemoryLow", "DefaultMemoryMin", "MemoryLow", "MemoryHigh", "MemoryMax", "MemorySwapMax", "MemoryLimit", "MemoryAvailable") && u == CGROUP_LIMIT_MAX) || -+ else if ((STR_IN_SET(name, "DefaultMemoryLow", "DefaultMemoryMin", "MemoryLow", "MemoryHigh", "MemoryMax", "MemorySwapMax", "MemoryLimit", "MemoryMemswLimit", "MemoryAvailable") && u == CGROUP_LIMIT_MAX) || + +- else if ((STR_IN_SET(name, "DefaultMemoryLow", "DefaultMemoryMin", "MemoryLow", "MemoryHigh", "MemoryMax", "MemorySwapMax", "MemoryZSwapMax", "MemoryLimit", "MemoryAvailable") && u == CGROUP_LIMIT_MAX) || ++ else if ((STR_IN_SET(name, "DefaultMemoryLow", "DefaultMemoryMin", "MemoryLow", "MemoryHigh", "MemoryMax", "MemorySwapMax", "MemoryZSwapMax", "MemoryLimit", "MemoryMemswLimit", "MemoryAvailable") && u == CGROUP_LIMIT_MAX) || (STR_IN_SET(name, "TasksMax", "DefaultTasksMax") && u == UINT64_MAX) || (startswith(name, "Limit") && u == UINT64_MAX) || (startswith(name, "DefaultLimit") && u == UINT64_MAX)) diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c -index f20fcbf..b4b04e1 100644 +index a174e3e..984dfa9 100644 --- a/src/shared/bus-unit-util.c +++ b/src/shared/bus-unit-util.c -@@ -521,6 +521,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons - "MemoryMax", +@@ -547,6 +547,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons "MemorySwapMax", + "MemoryZSwapMax", "MemoryLimit", + "MemoryMemswLimit", "TasksMax")) { - + if (streq(eq, "infinity")) { diff --git a/test/fuzz/fuzz-unit-file/directives-all.service b/test/fuzz/fuzz-unit-file/directives-all.service -index 1cd161d..208c33b 100644 +index 1a5cd5d..59c693d 100644 --- a/test/fuzz/fuzz-unit-file/directives-all.service +++ b/test/fuzz/fuzz-unit-file/directives-all.service -@@ -158,6 +158,7 @@ MemoryHigh= +@@ -166,6 +166,7 @@ MemoryHigh= MemoryLimit= MemoryLow= MemoryMax= +MemoryMemswLimit= MemorySwapMax= + MemoryZSwapMax= MessageQueueMaxMessages= - MessageQueueMessageSize= -diff --git a/test/fuzz/fuzz-unit-file/directives.mount b/test/fuzz/fuzz-unit-file/directives.mount -index 53c035a..0c3cd57 100644 ---- a/test/fuzz/fuzz-unit-file/directives.mount -+++ b/test/fuzz/fuzz-unit-file/directives.mount -@@ -109,6 +109,7 @@ MemoryLimit= - MemoryLow= - MemoryMax= - MemoryMin= -+MemoryMemswLimit= - MemorySwapMax= - MountAPIVFS= - MountFlags= -diff --git a/test/fuzz/fuzz-unit-file/directives.scope b/test/fuzz/fuzz-unit-file/directives.scope -index 1dd6c60..36a60f6 100644 ---- a/test/fuzz/fuzz-unit-file/directives.scope -+++ b/test/fuzz/fuzz-unit-file/directives.scope -@@ -52,6 +52,7 @@ MemoryLimit= - MemoryLow= - MemoryMax= - MemoryMin= -+MemoryMemswLimit= - MemorySwapMax= - NetClass= - RestartKillSignal= -diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service -index a5f7f07..8044977 100644 ---- a/test/fuzz/fuzz-unit-file/directives.service -+++ b/test/fuzz/fuzz-unit-file/directives.service -@@ -231,6 +231,7 @@ MemoryLimit= - MemoryLow= - MemoryMax= - MemoryMin= -+MemoryMemswLimit= - MemorySwapMax= - MountAPIVFS= - MountFlags= -diff --git a/test/fuzz/fuzz-unit-file/directives.slice b/test/fuzz/fuzz-unit-file/directives.slice -index 2328a24..097ff4e 100644 ---- a/test/fuzz/fuzz-unit-file/directives.slice -+++ b/test/fuzz/fuzz-unit-file/directives.slice -@@ -49,6 +49,7 @@ MemoryLimit= - MemoryLow= - MemoryMax= - MemoryMin= -+MemoryMemswLimit= - MemorySwapMax= - NetClass= - Slice= -diff --git a/test/fuzz/fuzz-unit-file/directives.socket b/test/fuzz/fuzz-unit-file/directives.socket -index 6fb1e5f..c372f1e 100644 ---- a/test/fuzz/fuzz-unit-file/directives.socket -+++ b/test/fuzz/fuzz-unit-file/directives.socket -@@ -137,6 +137,7 @@ MemoryLimit= - MemoryLow= - MemoryMax= - MemoryMin= -+MemoryMemswLimit= - MemorySwapMax= - MessageQueueMaxMessages= - MessageQueueMessageSize= -diff --git a/test/fuzz/fuzz-unit-file/directives.swap b/test/fuzz/fuzz-unit-file/directives.swap -index 6ca6198..a46164e 100644 ---- a/test/fuzz/fuzz-unit-file/directives.swap -+++ b/test/fuzz/fuzz-unit-file/directives.swap -@@ -106,6 +106,7 @@ MemoryLimit= - MemoryLow= - MemoryMax= - MemoryMin= -+MemoryMemswLimit= - MemorySwapMax= - MountAPIVFS= - MountFlags= --- -2.23.0 +-- +2.33.0 diff --git a/core-skip-change-device-to-dead-in-manager_catchup-d.patch b/core-skip-change-device-to-dead-in-manager_catchup-d.patch deleted file mode 100644 index 3c8bdbd..0000000 --- a/core-skip-change-device-to-dead-in-manager_catchup-d.patch +++ /dev/null @@ -1,106 +0,0 @@ -From e5c023a1c20058703f1517a48848b4ecec563db6 Mon Sep 17 00:00:00 2001 -From: xujing -Date: Mon, 10 Jan 2022 22:42:30 +0800 -Subject: [PATCH] core: skip change device to dead in manager_catchup during - booting - -There is a problem during booting as follows: -1.systemd is processing all udev devices state but not finished -2.now calling daemon-reload, it will serialize and deserialize the device state -3.after deserialize, some devices is processed finished, it will cause devices - state changed when calling manager_catchup and then set device to DEVICE_DEAD - later which will cause some fs unmounted. - -This patch just fix that fs will not unmounted during booting when calling -daemon-reload, if boot time is more than 10min, just ensure fs will not -unmounted during 10min after booting. ---- - src/core/device.c | 16 +++++++++++++++- - src/core/manager.c | 5 +++++ - src/core/manager.h | 2 ++ - 3 files changed, 22 insertions(+), 1 deletion(-) - -diff --git a/src/core/device.c b/src/core/device.c -index 58007cc..7be59bd 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -728,7 +728,10 @@ static void device_process_new(Manager *m, sd_device *dev) { - } - - static void device_found_changed(Device *d, DeviceFound previous, DeviceFound now) { -+ Manager *m; -+ - assert(d); -+ m = UNIT(d)->manager; - - /* Didn't exist before, but does now? if so, generate a new invocation ID for it */ - if (previous == DEVICE_NOT_FOUND && now != DEVICE_NOT_FOUND) -@@ -741,10 +744,21 @@ static void device_found_changed(Device *d, DeviceFound previous, DeviceFound no - /* If the device has not been seen by udev yet, but is now referenced by the kernel, then we assume the - * kernel knows it now, and udev might soon too. */ - device_set_state(d, DEVICE_TENTATIVE); -- else -+ else { -+ if (m->in_manager_catchup && !MANAGER_IS_FINISHED(m)) { -+ dual_timestamp boot_timestamp; -+ -+ dual_timestamp_get(&boot_timestamp); -+ if (boot_timestamp.monotonic < 10*USEC_PER_MINUTE) { -+ log_info("Want to change device to dead in manager_catchup during booting, skipping!"); -+ return; -+ } -+ } -+ - /* If nobody sees the device, or if the device was previously seen by udev and now is only referenced - * from the kernel, then we consider the device is gone, the kernel just hasn't noticed it yet. */ - device_set_state(d, DEVICE_DEAD); -+ } - } - - static void device_update_found_one(Device *d, DeviceFound found, DeviceFound mask) { -diff --git a/src/core/manager.c b/src/core/manager.c -index 5becd30..c5dd041 100644 ---- a/src/core/manager.c -+++ b/src/core/manager.c -@@ -811,6 +811,7 @@ int manager_new(UnitFileScope scope, ManagerTestRunFlags test_run_flags, Manager - .test_run_flags = test_run_flags, - - .default_oom_policy = OOM_STOP, -+ .in_manager_catchup = false, - }; - - #if ENABLE_EFI -@@ -1579,6 +1580,8 @@ static void manager_catchup(Manager *m) { - - log_debug("Invoking unit catchup() handlers…"); - -+ m->in_manager_catchup = true; -+ - /* Let's catch up on any state changes that happened while we were reloading/reexecing */ - HASHMAP_FOREACH_KEY(u, k, m->units) { - -@@ -1588,6 +1591,8 @@ static void manager_catchup(Manager *m) { - - unit_catchup(u); - } -+ -+ m->in_manager_catchup = false; - } - - static void manager_distribute_fds(Manager *m, FDSet *fds) { -diff --git a/src/core/manager.h b/src/core/manager.h -index 67c204f..d298dce 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -442,6 +442,8 @@ struct Manager { - unsigned sigchldgen; - unsigned notifygen; - -+ bool in_manager_catchup; -+ - VarlinkServer *varlink_server; - /* Only systemd-oomd should be using this to subscribe to changes in ManagedOOM settings */ - Varlink *managed_oom_varlink_request; --- -2.33.0 - diff --git a/core-update-arg_default_rlimit-in-bump_rlimit.patch b/core-update-arg_default_rlimit-in-bump_rlimit.patch index 796ff6d..0b4e327 100644 --- a/core-update-arg_default_rlimit-in-bump_rlimit.patch +++ b/core-update-arg_default_rlimit-in-bump_rlimit.patch @@ -15,7 +15,7 @@ index a58f65a..4762669 100644 #DefaultLimitNOFILE=1024:{{HIGH_RLIMIT_NOFILE}} #DefaultLimitAS= #DefaultLimitNPROC= --#DefaultLimitMEMLOCK= +-#DefaultLimitMEMLOCK=8M +DefaultLimitMEMLOCK=64M #DefaultLimitLOCKS= #DefaultLimitSIGPENDING= diff --git a/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch b/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch index 557e0de..71f8910 100644 --- a/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch +++ b/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch @@ -33,7 +33,7 @@ index e368ec8..9b4b5b1 100644 log_unit_info(UNIT(s), "Stop job pending for unit, skipping automatic restart."); - return; + restart_usec = (s->restart_usec == 0) ? 1*USEC_PER_SEC : s->restart_usec; -+ r = service_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), restart_usec)); ++ r = service_arm_timer(s, /* relative= */ false, usec_add(now(CLOCK_MONOTONIC), restart_usec)); + if (r < 0) + goto fail; } diff --git a/delete-journal-files-except-system.journal-when-jour.patch b/delete-journal-files-except-system.journal-when-jour.patch index bb57e4e..b6f3fdc 100644 --- a/delete-journal-files-except-system.journal-when-jour.patch +++ b/delete-journal-files-except-system.journal-when-jour.patch @@ -11,17 +11,17 @@ except system.journal, to ensure that the sd_journal_next function meets user expectations. --- meson.build | 2 ++ - src/basic/dirent-util.c | 24 ++++++++++++++++ + src/basic/dirent-util.c | 24 +++++++++++++++++ src/basic/dirent-util.h | 2 ++ - src/libsystemd/sd-journal/journal-file.c | 35 ++++++++++++++++++++++++ + src/libsystemd/sd-journal/journal-file.c | 34 ++++++++++++++++++++++++ src/libsystemd/sd-journal/sd-journal.c | 22 --------------- - 5 files changed, 63 insertions(+), 22 deletions(-) + 5 files changed, 62 insertions(+), 22 deletions(-) diff --git a/meson.build b/meson.build -index 278e264..9ab40b6 100644 +index 0372b17..8b1ce23 100644 --- a/meson.build +++ b/meson.build -@@ -1644,6 +1644,8 @@ basic_includes = include_directories( +@@ -2001,6 +2001,8 @@ basic_includes = include_directories( 'src/basic', 'src/fundamental', 'src/systemd', @@ -31,19 +31,19 @@ index 278e264..9ab40b6 100644 libsystemd_includes = [basic_includes, include_directories( diff --git a/src/basic/dirent-util.c b/src/basic/dirent-util.c -index f6213a3..b227cae 100644 +index 17df6a2..e362554 100644 --- a/src/basic/dirent-util.c +++ b/src/basic/dirent-util.c -@@ -6,6 +6,8 @@ - #include "dirent-util.h" +@@ -7,6 +7,8 @@ #include "path-util.h" + #include "stat-util.h" #include "string-util.h" +#include "id128-util.h" +#include "syslog-util.h" - static int dirent_ensure_type(DIR *d, struct dirent *de) { - struct stat st; -@@ -59,6 +61,28 @@ bool dirent_is_file_with_suffix(const struct dirent *de, const char *suffix) { + int dirent_ensure_type(int dir_fd, struct dirent *de) { + STRUCT_STATX_DEFINE(sx); +@@ -65,6 +67,28 @@ bool dirent_is_file_with_suffix(const struct dirent *de, const char *suffix) { return endswith(de->d_name, suffix); } @@ -70,15 +70,15 @@ index f6213a3..b227cae 100644 +} + struct dirent *readdir_ensure_type(DIR *d) { - struct dirent *de; + int r; diff --git a/src/basic/dirent-util.h b/src/basic/dirent-util.h -index c7956e7..f72a731 100644 +index 0f1fb23..2effce3 100644 --- a/src/basic/dirent-util.h +++ b/src/basic/dirent-util.h -@@ -11,6 +11,8 @@ - bool dirent_is_file(const struct dirent *de) _pure_; +@@ -12,6 +12,8 @@ bool dirent_is_file(const struct dirent *de) _pure_; bool dirent_is_file_with_suffix(const struct dirent *de, const char *suffix) _pure_; + int dirent_ensure_type(int dir_fd, struct dirent *de); +bool dirent_is_journal_subdir(const struct dirent *de); + @@ -86,24 +86,23 @@ index c7956e7..f72a731 100644 struct dirent *readdir_no_dot(DIR *dirp); diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c -index 6807c46..0abda23 100644 +index 9e6bf6e..561a705 100644 --- a/src/libsystemd/sd-journal/journal-file.c +++ b/src/libsystemd/sd-journal/journal-file.c -@@ -33,6 +33,7 @@ - #include "string-util.h" - #include "strv.h" +@@ -38,6 +38,7 @@ + #include "sync-util.h" + #include "user-util.h" #include "xattr-util.h" +#include "dirent-util.h" #define DEFAULT_DATA_HASH_TABLE_SIZE (2047ULL*sizeof(HashItem)) #define DEFAULT_FIELD_HASH_TABLE_SIZE (333ULL*sizeof(HashItem)) -@@ -3781,9 +3782,37 @@ int journal_file_rotate( - return r; +@@ -4069,8 +4070,35 @@ int journal_file_archive(JournalFile *f, char **ret_previous_path) { + return 0; } +static void delete_dumped_journal_files(const char *path) { + _cleanup_closedir_ DIR *d = NULL; -+ struct dirent *de; + + d = opendir(path); + if (!d) @@ -130,12 +129,11 @@ index 6807c46..0abda23 100644 + int journal_file_dispose(int dir_fd, const char *fname) { _cleanup_free_ char *p = NULL; - _cleanup_close_ int fd = -1; + dual_timestamp boot_timestamp; assert(fname); -@@ -3804,6 +3833,12 @@ int journal_file_dispose(int dir_fd, const char *fname) { +@@ -4091,6 +4119,12 @@ int journal_file_dispose(int dir_fd, const char *fname) { if (renameat(dir_fd, fname, dir_fd, p) < 0) return -errno; @@ -145,14 +143,14 @@ index 6807c46..0abda23 100644 + return 0; + } + - /* btrfs doesn't cope well with our write pattern and fragments heavily. Let's defrag all files we rotate */ - fd = openat(dir_fd, p, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW); - if (fd < 0) + return 0; + } + diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c -index 1a76bb6..56e1398 100644 +index f6090dd..8b83f65 100644 --- a/src/libsystemd/sd-journal/sd-journal.c +++ b/src/libsystemd/sd-journal/sd-journal.c -@@ -1523,28 +1523,6 @@ static bool dirent_is_journal_file(const struct dirent *de) { +@@ -1510,28 +1510,6 @@ static bool dirent_is_journal_file(const struct dirent *de) { endswith(de->d_name, ".journal~"); } @@ -171,7 +169,7 @@ index 1a76bb6..56e1398 100644 - if (!e) - return id128_is_valid(de->d_name); /* No namespace */ - -- n = strndupa(de->d_name, e - de->d_name); +- n = strndupa_safe(de->d_name, e - de->d_name); - if (!id128_is_valid(n)) - return false; - @@ -182,5 +180,5 @@ index 1a76bb6..56e1398 100644 DIR *d; -- -2.23.0 +2.33.0 diff --git a/disable-initialize_clock.patch b/disable-initialize_clock.patch index 508c052..6b1afce 100644 --- a/disable-initialize_clock.patch +++ b/disable-initialize_clock.patch @@ -14,49 +14,52 @@ or even 1930s. we think it is ok when current system time is before build time. And, don't restore time when systemd-timesyncd started. --- - src/core/main.c | 5 ----- - src/timesync/timesyncd.c | 12 ------------ - 2 files changed, 17 deletions(-) + src/core/main.c | 12 ------------ + src/timesync/timesyncd.c | 8 -------- + 2 files changed, 20 deletions(-) diff --git a/src/core/main.c b/src/core/main.c -index a114257..bac746f 100644 +index 4051a91..c6d16b2 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -1473,11 +1473,6 @@ static void initialize_clock(void) { +@@ -1627,18 +1627,6 @@ static void initialize_clock(void) { */ (void) clock_reset_timewarp(); -- r = clock_apply_epoch(); -- if (r < 0) -- log_error_errno(r, "Current system time is before build time, but cannot correct: %m"); -- else if (r > 0) +- ClockChangeDirection change_dir; +- r = clock_apply_epoch(&change_dir); +- if (r > 0 && change_dir == CLOCK_CHANGE_FORWARD) - log_info("System time before build time, advancing clock."); +- else if (r > 0 && change_dir == CLOCK_CHANGE_BACKWARD) +- log_info("System time is further ahead than %s after build time, resetting clock to build time.", +- FORMAT_TIMESPAN(CLOCK_VALID_RANGE_USEC_MAX, USEC_PER_DAY)); +- else if (r < 0 && change_dir == CLOCK_CHANGE_FORWARD) +- log_error_errno(r, "Current system time is before build time, but cannot correct: %m"); +- else if (r < 0 && change_dir == CLOCK_CHANGE_BACKWARD) +- log_error_errno(r, "Current system time is further ahead %s after build time, but cannot correct: %m", +- FORMAT_TIMESPAN(CLOCK_VALID_RANGE_USEC_MAX, USEC_PER_DAY)); } static void apply_clock_update(void) { diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c -index e56e09c..028e5d6 100644 +index e60742c..efe56fd 100644 --- a/src/timesync/timesyncd.c +++ b/src/timesync/timesyncd.c -@@ -73,18 +73,6 @@ static int load_clock_timestamp(uid_t uid, gid_t gid) { - } +@@ -121,14 +121,6 @@ static int load_clock_timestamp(uid_t uid, gid_t gid) { + if (ct > min) + return 0; - settime: -- ct = now(CLOCK_REALTIME); -- if (ct < min) { -- struct timespec ts; -- char date[FORMAT_TIMESTAMP_MAX]; -- -- log_info("System clock time unset or jumped backwards, restoring from recorded timestamp: %s", -- format_timestamp(date, sizeof(date), min)); -- -- if (clock_settime(CLOCK_REALTIME, timespec_store(&ts, min)) < 0) -- log_error_errno(errno, "Failed to restore system clock, ignoring: %m"); +- /* Not that it matters much, but we actually restore the clock to n+1 here rather than n, simply +- * because we read n as time previously already and we want to progress here, i.e. not report the +- * same time again. */ +- if (clock_settime(CLOCK_REALTIME, TIMESPEC_STORE(min+1)) < 0) { +- log_warning_errno(errno, "Failed to restore system clock, ignoring: %m"); +- return 0; - } - - return 0; - } - + log_struct(LOG_INFO, + "MESSAGE_ID=" SD_MESSAGE_TIME_BUMP_STR, + "REALTIME_USEC=" USEC_FMT, min+1, -- -2.23.0 +2.33.0 diff --git a/disable-systemd-timesyncd-networkd-resolved-homed-us.patch b/disable-systemd-timesyncd-networkd-resolved-homed-us.patch deleted file mode 100644 index 8c0381e..0000000 --- a/disable-systemd-timesyncd-networkd-resolved-homed-us.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 72e9c079d0fd769d1bdb7d7db9c49454ce4bd255 Mon Sep 17 00:00:00 2001 -From: licunlong -Date: Wed, 1 Dec 2021 17:27:07 +0800 -Subject: [PATCH] disable systemd-{timesyncd, networkd, resolved, homed, - userdbd, pstore} by default - ---- - presets/90-systemd.preset | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset -index d260874..2a7396c 100644 ---- a/presets/90-systemd.preset -+++ b/presets/90-systemd.preset -@@ -16,12 +16,6 @@ enable remote-cryptsetup.target - enable machines.target - - enable getty@.service --enable systemd-timesyncd.service --enable systemd-networkd.service --enable systemd-resolved.service --enable systemd-homed.service --enable systemd-userdbd.socket --enable systemd-pstore.service - - disable console-getty.service - disable debug-shell.service -@@ -44,3 +38,9 @@ disable syslog.socket - disable systemd-journal-gatewayd.* - disable systemd-journal-remote.* - disable systemd-journal-upload.* -+disable systemd-timesyncd.service -+disable systemd-networkd.service -+disable systemd-resolved.service -+disable systemd-homed.service -+disable systemd-userdbd.socket -+disable systemd-pstore.service --- -2.23.0 - diff --git a/fix-mount-failed-while-daemon-reexec.patch b/fix-mount-failed-while-daemon-reexec.patch deleted file mode 100644 index ea7e69b..0000000 --- a/fix-mount-failed-while-daemon-reexec.patch +++ /dev/null @@ -1,62 +0,0 @@ -From e485f8a182f8a141676f7ffe0311a1a4724c3c1a Mon Sep 17 00:00:00 2001 -From: licunlong -Date: Tue, 28 Jun 2022 21:56:26 +0800 -Subject: [PATCH] fix mount failed while daemon-reexec - ---- - src/core/manager.c | 1 + - src/core/manager.h | 1 + - src/core/mount.c | 5 ++++- - 3 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/core/manager.c b/src/core/manager.c -index 55adcd1..74f8304 100644 ---- a/src/core/manager.c -+++ b/src/core/manager.c -@@ -1808,6 +1808,7 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { - } - - manager_ready(m); -+ m->mountinfo_uptodate = false; - - manager_set_switching_root(m, false); - -diff --git a/src/core/manager.h b/src/core/manager.h -index 31b4670..df74200 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -259,6 +259,7 @@ struct Manager { - /* Data specific to the mount subsystem */ - struct libmnt_monitor *mount_monitor; - sd_event_source *mount_event_source; -+ bool mountinfo_uptodate; - - /* Data specific to the swap filesystem */ - FILE *proc_swaps; -diff --git a/src/core/mount.c b/src/core/mount.c -index 8fed04c..00482e9 100644 ---- a/src/core/mount.c -+++ b/src/core/mount.c -@@ -1785,6 +1785,7 @@ static int mount_load_proc_self_mountinfo(Manager *m, bool set_flags) { - (void) mount_setup_unit(m, device, path, options, fstype, set_flags); - } - -+ m->mountinfo_uptodate = true; - return 0; - } - -@@ -1948,8 +1949,10 @@ static int mount_process_proc_self_mountinfo(Manager *m) { - assert(m); - - r = drain_libmount(m); -- if (r <= 0) -+ if (r < 0) - return r; -+ if (r == 0 && m->mountinfo_uptodate) -+ return 0; - - r = mount_load_proc_self_mountinfo(m, true); - if (r < 0) { --- -2.33.0 - diff --git a/fuser-print-umount-message-to-reboot-umount-msg.patch b/fuser-print-umount-message-to-reboot-umount-msg.patch index 734396c..362f4b6 100644 --- a/fuser-print-umount-message-to-reboot-umount-msg.patch +++ b/fuser-print-umount-message-to-reboot-umount-msg.patch @@ -22,7 +22,7 @@ Signed-off-by: lixiaokeng 4 files changed, 94 insertions(+), 6 deletions(-) diff --git a/src/core/fuser.c b/src/core/fuser.c -index 0a0c791..dd2ca60 100644 +index e943469..94a0812 100644 --- a/src/core/fuser.c +++ b/src/core/fuser.c @@ -383,6 +383,8 @@ static void print_matches(const struct name *name) { @@ -105,16 +105,16 @@ index 0a0c791..dd2ca60 100644 - if (pptr->pid != 0) + if (pptr->pid != 0) { manager_status_printf(NULL, STATUS_TYPE_NORMAL, NULL, - "\t\t%-d\t\t%-d\t%-s", pptr->uid, pptr->pid, pptr->command); + "\t\t%-u\t\t%-d\t%-s", pptr->uid, pptr->pid, pptr->command); - else + if (fp != NULL) { -+ fprintf(fp, "%-d\t\t%-d\t%-s\n", pptr->uid, pptr->pid, pptr->command); ++ fprintf(fp, "%-u\t\t%-d\t%-s\n", pptr->uid, pptr->pid, pptr->command); + } + } else { manager_status_printf(NULL, STATUS_TYPE_NORMAL, NULL, - "\t\t%-d\t\t%-s\t%-s", pptr->uid, "kernel", pptr->command); + "\t\t%-u\t\t%-s\t%-s", pptr->uid, "kernel", pptr->command); + if (fp != NULL) { -+ fprintf(fp, "%-d\t\t%-s\t%-s\n", pptr->uid, "kernel", pptr->command); ++ fprintf(fp, "%-u\t\t%-s\t%-s\n", pptr->uid, "kernel", pptr->command); + } + } } @@ -148,7 +148,7 @@ index b74b879..2729c9b 100644 int fuser(const char *dir); diff --git a/src/core/job.c b/src/core/job.c -index 3645c11..7a0ed48 100644 +index d7ad85a..ee48860 100644 --- a/src/core/job.c +++ b/src/core/job.c @@ -31,6 +31,8 @@ @@ -160,7 +160,7 @@ index 3645c11..7a0ed48 100644 Job* job_new_raw(Unit *unit) { Job *j; -@@ -682,6 +684,9 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult +@@ -706,6 +708,9 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult const char *ident, *format; int r = 0; pid_t pid; @@ -170,7 +170,7 @@ index 3645c11..7a0ed48 100644 assert(u); assert(t >= 0); -@@ -751,6 +756,39 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult +@@ -807,6 +812,39 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult ((u->type == UNIT_MOUNT || u->type == UNIT_AUTOMOUNT) && t == JOB_STOP && result == JOB_FAILED)) { Mount *m = MOUNT(u); @@ -211,15 +211,18 @@ index 3645c11..7a0ed48 100644 r = safe_fork("(fuser-shutdown)", FORK_RESET_SIGNALS, &pid); if (r < 0) { diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index cf34a12..d6cc751 100644 +index e9a5420..066a9a7 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -74,4 +74,4 @@ DefaultLimitMEMLOCK=64M +@@ -76,7 +76,7 @@ DefaultLimitMEMLOCK=64M #DefaultLimitRTPRIO= #DefaultLimitRTTIME= #DefaultOOMPolicy=stop -#DefaultDFXReboot=no +DefaultDFXReboot=yes + #DefaultSmackProcessLabel= + #ReloadLimitIntervalSec= + #ReloadLimitBurst= -- -2.27.0 +2.33.0 diff --git a/journal-don-t-enable-systemd-journald-audit.socket-b.patch b/journal-don-t-enable-systemd-journald-audit.socket-b.patch deleted file mode 100644 index ca97a3e..0000000 --- a/journal-don-t-enable-systemd-journald-audit.socket-b.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7a650ee8d3faf79fd5ef866b69741880a3a42b8d Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Thu, 2 May 2019 14:11:54 +0200 -Subject: [PATCH] journal: don't enable systemd-journald-audit.socket - by default - -Resolves: #1699287 - ---- - units/meson.build | 3 +-- - units/systemd-journald.service.in | 2 +- - 2 files changed, 2 insertions(+), 3 deletions(-) - -diff --git a/units/meson.build b/units/meson.build -index 4eb09a3..ccea8a6 100644 ---- a/units/meson.build -+++ b/units/meson.build -@@ -110,8 +110,7 @@ units = [ - 'sysinit.target.wants/'], - ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], - ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], -- ['systemd-journald-audit.socket', '', -- 'sockets.target.wants/'], -+ ['systemd-journald-audit.socket', ''], - ['systemd-journald-dev-log.socket', '', - 'sockets.target.wants/'], - ['systemd-journald.socket', '', -diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index 0cb1bfa..fa7348a 100644 ---- a/units/systemd-journald.service.in -+++ b/units/systemd-journald.service.in -@@ -34,7 +34,7 @@ RestrictRealtime=yes - RestrictSUIDSGID=yes - RuntimeDirectory=systemd/journal - RuntimeDirectoryPreserve=yes --Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket -+Sockets=systemd-journald.socket systemd-journald-dev-log.socket - StandardOutput=null - SystemCallArchitectures=native - SystemCallErrorNumber=EPERM --- -2.23.0 - diff --git a/keep-weight-consistent-with-the-set-value.patch b/keep-weight-consistent-with-the-set-value.patch index 5f6385b..24c3e99 100644 --- a/keep-weight-consistent-with-the-set-value.patch +++ b/keep-weight-consistent-with-the-set-value.patch @@ -4,31 +4,33 @@ Date: Thu, 9 Jun 2022 20:10:50 +0800 Subject: [PATCH] keep weight consistent with the set value --- - src/core/cgroup.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) + src/core/cgroup.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index ee15d50..4c5feef 100644 +index 4cac3f6..f6ae2ab 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c -@@ -1249,7 +1249,7 @@ static void set_io_weight(Unit *u, uint64_t weight) { - * See also: https://github.com/systemd/systemd/pull/13335 and - * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. - * The range is 1..1000 apparently, and the default is 100. */ -- xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight)); +@@ -1392,7 +1392,8 @@ static void set_io_weight(Unit *u, uint64_t weight) { + + assert(u); + +- (void) set_bfq_weight(u, "io", makedev(0, 0), weight); + xsprintf(buf, "%" PRIu64 "\n", weight); - (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf); ++ (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf); xsprintf(buf, "default %" PRIu64 "\n", weight); -@@ -1262,7 +1262,7 @@ static void set_blkio_weight(Unit *u, uint64_t weight) { + (void) set_attribute_and_warn(u, "io", "io.weight", buf); +@@ -1403,7 +1404,8 @@ static void set_blkio_weight(Unit *u, uint64_t weight) { + assert(u); - /* FIXME: see comment in set_io_weight(). */ -- xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight)); +- (void) set_bfq_weight(u, "blkio", makedev(0, 0), weight); + xsprintf(buf, "%" PRIu64 "\n", weight); - (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf); ++ (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf); xsprintf(buf, "%" PRIu64 "\n", weight); + (void) set_attribute_and_warn(u, "blkio", "blkio.weight", buf); -- 2.33.0 diff --git a/let-the-child-of-one-unit-don-t-affect-each-other.patch b/let-the-child-of-one-unit-don-t-affect-each-other.patch index f60169f..5c8c4ea 100644 --- a/let-the-child-of-one-unit-don-t-affect-each-other.patch +++ b/let-the-child-of-one-unit-don-t-affect-each-other.patch @@ -17,8 +17,7 @@ if will be restored to the default value of systemd. Defaults to "no". src/core/load-fragment-gperf.gperf.in | 1 + src/core/unit-serialize.c | 2 ++ src/core/unit.h | 2 ++ - test/fuzz/fuzz-unit-file/directives.service | 1 + - 5 files changed, 9 insertions(+) + 4 files changed, 8 insertions(+) diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 4eedaf7..ab6d602 100644 @@ -79,18 +78,6 @@ index cb85dfc..439714a 100644 /* Garbage collect us we nobody wants or requires us anymore */ bool stop_when_unneeded; -diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service -index 8044977..03eab60 100644 ---- a/test/fuzz/fuzz-unit-file/directives.service -+++ b/test/fuzz/fuzz-unit-file/directives.service -@@ -98,6 +98,7 @@ RefuseManualStop= - ReloadPropagatedFrom= - Requires= - RequiresMountsFor= -+IndependentChild= - RequiresOverridable= - Requisite= - RequisiteOverridable= -- 2.27.0 diff --git a/logind-set-RemoveIPC-to-false-by-default.patch b/logind-set-RemoveIPC-to-false-by-default.patch index 657b28a..6b99a61 100644 --- a/logind-set-RemoveIPC-to-false-by-default.patch +++ b/logind-set-RemoveIPC-to-false-by-default.patch @@ -22,7 +22,7 @@ index b00daf366d..a9fed78aa6 100644 + are excluded from the effect of this setting. Defaults to no. - + diff --git a/src/login/logind-core.c b/src/login/logind-core.c index 4289461df6..556945be20 100644 --- a/src/login/logind-core.c diff --git a/pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch b/pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch index 8db3b77..c023571 100644 --- a/pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch +++ b/pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch @@ -22,7 +22,7 @@ index c11dd46..b259631 100644 + of slice units. Defaults to 80% of the minimum of kernel.pid_max=, kernel.threads-max= and root cgroup pids.max. Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. - For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, + For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, diff --git a/src/core/main.c b/src/core/main.c index da6c50a..f4fe751 100644 --- a/src/core/main.c @@ -41,7 +41,7 @@ index e88280b..f2c75fc 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in @@ -54,7 +54,7 @@ - #DefaultBlockIOAccounting=no + #DefaultIPAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultTasksAccounting=yes -#DefaultTasksMax=15% diff --git a/print-the-process-status-to-console-when-shutdown.patch b/print-the-process-status-to-console-when-shutdown.patch index 51b9839..cb59646 100644 --- a/print-the-process-status-to-console-when-shutdown.patch +++ b/print-the-process-status-to-console-when-shutdown.patch @@ -13,17 +13,17 @@ Subject: [PATCH] print process status to console when shutdown src/core/main.c | 13 +- src/core/manager.c | 1 + src/core/manager.h | 2 + - src/core/meson.build | 2 + + src/core/meson.build | 1 + src/core/system.conf.in | 1 + - src/shutdown/meson.build | 10 +- + src/shutdown/meson.build | 9 +- src/shutdown/process-status.c | 143 ++++++++++ src/shutdown/process-status.h | 24 ++ src/shutdown/shutdown.c | 45 +++ - src/shutdown/umount.c | 8 +- - src/test/meson.build | 17 ++ + src/shutdown/umount.c | 5 + + src/test/meson.build | 15 + src/test/test-fuser.c | 14 + src/test/test-process-status.c | 10 + - 19 files changed, 945 insertions(+), 8 deletions(-) + 19 files changed, 939 insertions(+), 7 deletions(-) create mode 100644 src/core/fuser.c create mode 100644 src/core/fuser.h create mode 100644 src/shutdown/process-status.c @@ -32,10 +32,10 @@ Subject: [PATCH] print process status to console when shutdown create mode 100644 src/test/test-process-status.c diff --git a/meson.build b/meson.build -index 1c088ba..278e264 100644 +index bfc8685..0372b17 100644 --- a/meson.build +++ b/meson.build -@@ -3211,8 +3211,10 @@ public_programs += executable( +@@ -3882,8 +3882,10 @@ endif executable( 'systemd-shutdown', systemd_shutdown_sources, @@ -45,14 +45,14 @@ index 1c088ba..278e264 100644 + core_includes], + link_with : [libcore, + libshared], - dependencies : [libmount], - install_rpath : rootlibexecdir, - install : true, + dependencies : [libmount, + versiondep], + install_rpath : rootpkglibdir, diff --git a/src/basic/process-util.c b/src/basic/process-util.c -index 14259ea..e28412a 100644 +index b6bf83c..eb48f4d 100644 --- a/src/basic/process-util.c +++ b/src/basic/process-util.c -@@ -1729,3 +1729,61 @@ static const char* const sched_policy_table[] = { +@@ -1569,3 +1569,61 @@ static const char* const sched_policy_table[] = { }; DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(sched_policy, int, INT_MAX); @@ -115,18 +115,18 @@ index 14259ea..e28412a 100644 + return n; +} diff --git a/src/basic/process-util.h b/src/basic/process-util.h -index 0e064de..6f9b577 100644 +index 96da0bb..55cb72b 100644 --- a/src/basic/process-util.h +++ b/src/basic/process-util.h -@@ -205,3 +205,5 @@ int pidfd_get_pid(int fd, pid_t *ret); +@@ -189,3 +189,5 @@ int pidfd_verify_pid(int pidfd, pid_t pid); int setpriority_closest(int priority); - bool invoked_as(char *argv[], const char *token); + _noreturn_ void freeze(void); + +unsigned int read_cmdline(char *restrict const dst, unsigned sz, const char* whom, const char *what, char sep); diff --git a/src/core/fuser.c b/src/core/fuser.c new file mode 100644 -index 0000000..0a0c791 +index 0000000..e943469 --- /dev/null +++ b/src/core/fuser.c @@ -0,0 +1,506 @@ @@ -262,7 +262,7 @@ index 0000000..0a0c791 + if (isprint(*cptr)) { + pptr->command[cmdlen++] = *cptr; + } else if (cmdlen < (COMM_LEN - 4)) { -+ cmdlen += sprintf(&(pptr->command[cmdlen]), "\\%03o", *cptr); ++ cmdlen += sprintf(&(pptr->command[cmdlen]), "\\%03o", (unsigned int)*cptr); + } + } + @@ -557,10 +557,10 @@ index 0000000..0a0c791 + } else { + if (pptr->pid != 0) + manager_status_printf(NULL, STATUS_TYPE_NORMAL, NULL, -+ "\t\t%-d\t\t%-d\t%-s", pptr->uid, pptr->pid, pptr->command); ++ "\t\t%-u\t\t%-d\t%-s", pptr->uid, pptr->pid, pptr->command); + else + manager_status_printf(NULL, STATUS_TYPE_NORMAL, NULL, -+ "\t\t%-d\t\t%-s\t%-s", pptr->uid, "kernel", pptr->command); ++ "\t\t%-u\t\t%-s\t%-s", pptr->uid, "kernel", pptr->command); + } + } +} @@ -698,7 +698,7 @@ index 0000000..b74b879 + +int fuser(const char *dir); diff --git a/src/core/job.c b/src/core/job.c -index eb6728a..3645c11 100644 +index 032554a..d7ad85a 100644 --- a/src/core/job.c +++ b/src/core/job.c @@ -27,6 +27,9 @@ @@ -711,7 +711,7 @@ index eb6728a..3645c11 100644 Job* job_new_raw(Unit *unit) { Job *j; -@@ -677,6 +680,8 @@ static const char* job_done_mid(JobType type, JobResult result) { +@@ -701,6 +704,8 @@ static const char* job_done_mid(JobType type, JobResult result) { static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult result) { _cleanup_free_ char *free_ident = NULL; const char *ident, *format; @@ -720,12 +720,12 @@ index eb6728a..3645c11 100644 assert(u); assert(t >= 0); -@@ -741,6 +746,37 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult +@@ -797,6 +802,37 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult "See 'systemctl status %s' for details.", quoted); } } + -+ if (IN_SET(manager_state(u->manager), MANAGER_STOPPING) && u->manager->default_dfx_reboot && ++ if (FLAGS_SET(manager_state(u->manager), MANAGER_STOPPING) && u->manager->default_dfx_reboot && + ((u->type == UNIT_MOUNT || u->type == UNIT_AUTOMOUNT) && t == JOB_STOP && result == JOB_FAILED)) { + + Mount *m = MOUNT(u); @@ -759,26 +759,26 @@ index eb6728a..3645c11 100644 static int job_perform_on_unit(Job **j) { diff --git a/src/core/main.c b/src/core/main.c -index 8de32a7..2a6b9b8 100644 +index 9f62b9d..eaae658 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -114,6 +114,7 @@ static bool arg_dump_core; - static int arg_crash_chvt; - static bool arg_crash_shell; - static bool arg_crash_reboot; +@@ -123,6 +123,7 @@ bool arg_dump_core; + int arg_crash_chvt; + bool arg_crash_shell; + bool arg_crash_reboot; +static bool arg_default_dfx_reboot; static char *arg_confirm_spawn; static ShowStatus arg_show_status; static StatusUnitFormat arg_status_unit_format; -@@ -645,6 +646,7 @@ static int parse_config_file(void) { - { "Manager", "CrashChangeVT", config_parse_crash_chvt, 0, &arg_crash_chvt }, - { "Manager", "CrashShell", config_parse_bool, 0, &arg_crash_shell }, - { "Manager", "CrashReboot", config_parse_bool, 0, &arg_crash_reboot }, -+ { "Manager", "DefaultDFXReboot", config_parse_bool, 0, &arg_default_dfx_reboot }, - { "Manager", "ShowStatus", config_parse_show_status, 0, &arg_show_status }, - { "Manager", "StatusUnitFormat", config_parse_status_unit_format, 0, &arg_status_unit_format }, - { "Manager", "CPUAffinity", config_parse_cpu_affinity2, 0, &arg_cpu_affinity }, -@@ -756,6 +758,7 @@ static void set_manager_defaults(Manager *m) { +@@ -630,6 +631,7 @@ static int parse_config_file(void) { + { "Manager", "CrashChangeVT", config_parse_crash_chvt, 0, &arg_crash_chvt }, + { "Manager", "CrashShell", config_parse_bool, 0, &arg_crash_shell }, + { "Manager", "CrashReboot", config_parse_bool, 0, &arg_crash_reboot }, ++ { "Manager", "DefaultDFXReboot", config_parse_bool, 0, &arg_default_dfx_reboot }, + { "Manager", "ShowStatus", config_parse_show_status, 0, &arg_show_status }, + { "Manager", "StatusUnitFormat", config_parse_status_unit_format, 0, &arg_status_unit_format }, + { "Manager", "CPUAffinity", config_parse_cpu_affinity2, 0, &arg_cpu_affinity }, +@@ -754,6 +756,7 @@ static void set_manager_defaults(Manager *m) { m->default_restart_usec = arg_default_restart_usec; m->default_start_limit_interval = arg_default_start_limit_interval; m->default_start_limit_burst = arg_default_start_limit_burst; @@ -786,7 +786,7 @@ index 8de32a7..2a6b9b8 100644 /* On 4.15+ with unified hierarchy, CPU accounting is essentially free as it doesn't require the CPU * controller to be enabled, so the default is to enable it unless we got told otherwise. */ -@@ -1473,18 +1476,20 @@ static int become_shutdown( +@@ -1512,19 +1515,21 @@ static int become_shutdown(int objective, int retval) { char log_level[DECIMAL_STR_MAX(int) + 1], exit_code[DECIMAL_STR_MAX(uint8_t) + 1], @@ -797,7 +797,7 @@ index 8de32a7..2a6b9b8 100644 - const char* command_line[13] = { + const char* command_line[15] = { SYSTEMD_SHUTDOWN_BINARY_PATH, - shutdown_verb, + table[objective], "--timeout", timeout, "--log-level", log_level, + "--dfx-reboot", dfx_reboot, @@ -805,12 +805,13 @@ index 8de32a7..2a6b9b8 100644 }; _cleanup_strv_free_ char **env_block = NULL; + usec_t watchdog_timer = 0; - size_t pos = 7; + size_t pos = 9; int r; - usec_t watchdog_timer = 0; -@@ -1494,6 +1499,7 @@ static int become_shutdown( + assert(objective >= 0 && objective < _MANAGER_OBJECTIVE_MAX); +@@ -1534,6 +1539,7 @@ static int become_shutdown(int objective, int retval) { xsprintf(log_level, "%d", log_get_max_level()); xsprintf(timeout, "%" PRI_USEC "us", arg_default_timeout_stop_usec); @@ -818,7 +819,7 @@ index 8de32a7..2a6b9b8 100644 switch (log_get_target()) { -@@ -2325,6 +2331,7 @@ static void reset_arguments(void) { +@@ -2421,6 +2427,7 @@ static void reset_arguments(void) { arg_crash_chvt = -1; arg_crash_shell = false; arg_crash_reboot = false; @@ -827,10 +828,10 @@ index 8de32a7..2a6b9b8 100644 arg_show_status = _SHOW_STATUS_INVALID; arg_status_unit_format = STATUS_UNIT_FORMAT_DEFAULT; diff --git a/src/core/manager.c b/src/core/manager.c -index 3a12d6d..29ef96b 100644 +index 011de6b..4fa20f8 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -771,6 +771,7 @@ int manager_new(UnitFileScope scope, ManagerTestRunFlags test_run_flags, Manager +@@ -828,6 +828,7 @@ int manager_new(LookupScope scope, ManagerTestRunFlags test_run_flags, Manager * *m = (Manager) { .unit_file_scope = scope, .objective = _MANAGER_OBJECTIVE_INVALID, @@ -839,10 +840,10 @@ index 3a12d6d..29ef96b 100644 .status_unit_format = STATUS_UNIT_FORMAT_DEFAULT, diff --git a/src/core/manager.h b/src/core/manager.h -index dada79c..c20abd5 100644 +index 0196c52..d3f6aa2 100644 --- a/src/core/manager.h +++ b/src/core/manager.h -@@ -335,6 +335,8 @@ struct Manager { +@@ -339,6 +339,8 @@ struct Manager { /* Have we ever changed the "kernel.pid_max" sysctl? */ bool sysctl_pid_max_changed; @@ -852,48 +853,47 @@ index dada79c..c20abd5 100644 /* If non-zero, exit with the following value when the systemd diff --git a/src/core/meson.build b/src/core/meson.build -index f0d2c6f..825eede 100644 +index 981b46f..b03fcdd 100644 --- a/src/core/meson.build +++ b/src/core/meson.build -@@ -127,6 +127,8 @@ libcore_sources = ''' - unit-serialize.h - unit.c - unit.h -+ fuser.c -+ fuser.h - '''.split() +@@ -66,6 +66,7 @@ libcore_sources = files( + 'unit-printf.c', + 'unit-serialize.c', + 'unit.c', ++ 'fuser.c', + ) - subdir('bpf/socket_bind') + if conf.get('BPF_FRAMEWORK') == 1 diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index dfc2477..cf34a12 100644 +index a44511b..e9a5420 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -74,3 +74,4 @@ DefaultLimitMEMLOCK=64M +@@ -76,6 +76,7 @@ DefaultLimitMEMLOCK=64M #DefaultLimitRTPRIO= #DefaultLimitRTTIME= #DefaultOOMPolicy=stop +#DefaultDFXReboot=no + #DefaultSmackProcessLabel= + #ReloadLimitIntervalSec= + #ReloadLimitBurst= diff --git a/src/shutdown/meson.build b/src/shutdown/meson.build -index e1348d9..12fbef3 100644 +index d62032a..0ec8e76 100644 --- a/src/shutdown/meson.build +++ b/src/shutdown/meson.build -@@ -1,15 +1,21 @@ +@@ -1,13 +1,18 @@ # SPDX-License-Identifier: LGPL-2.1-or-later +shutdown_includes = [includes, include_directories('.')] + - systemd_shutdown_sources = files(''' - shutdown.c - umount.c - umount.h -+ process-status.c -+ process-status.h - '''.split()) + systemd_shutdown_sources = files( + 'shutdown.c', + 'umount.c', ++ 'process-status.c', + ) tests += [ - [['src/shutdown/test-umount.c', - 'src/shutdown/umount.c', - 'src/shutdown/umount.h'], + [files('test-umount.c', + 'umount.c'), - [], - [libmount]], + [libshared, @@ -1081,11 +1081,11 @@ index 0000000..2f4333d + +int process_status(void); diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c -index a98cfc4..1ad6fa0 100644 +index 42111d2..1bbabfb 100644 --- a/src/shutdown/shutdown.c +++ b/src/shutdown/shutdown.c -@@ -38,13 +38,17 @@ - #include "util.h" +@@ -40,13 +40,17 @@ + #include "umount.h" #include "virt.h" #include "watchdog.h" +#include "process-status.h" @@ -1102,7 +1102,7 @@ index a98cfc4..1ad6fa0 100644 static int parse_argv(int argc, char *argv[]) { enum { -@@ -55,6 +59,7 @@ static int parse_argv(int argc, char *argv[]) { +@@ -57,6 +61,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_LOG_TIME, ARG_EXIT_CODE, ARG_TIMEOUT, @@ -1110,7 +1110,7 @@ index a98cfc4..1ad6fa0 100644 }; static const struct option options[] = { -@@ -65,6 +70,7 @@ static int parse_argv(int argc, char *argv[]) { +@@ -67,6 +72,7 @@ static int parse_argv(int argc, char *argv[]) { { "log-time", optional_argument, NULL, ARG_LOG_TIME }, { "exit-code", required_argument, NULL, ARG_EXIT_CODE }, { "timeout", required_argument, NULL, ARG_TIMEOUT }, @@ -1118,7 +1118,7 @@ index a98cfc4..1ad6fa0 100644 {} }; -@@ -78,6 +84,13 @@ static int parse_argv(int argc, char *argv[]) { +@@ -80,6 +86,13 @@ static int parse_argv(int argc, char *argv[]) { while ((c = getopt_long(argc, argv, "-", options, NULL)) >= 0) switch (c) { @@ -1132,18 +1132,18 @@ index a98cfc4..1ad6fa0 100644 case ARG_LOG_LEVEL: r = log_set_max_level_from_string(optarg); if (r < 0) -@@ -313,6 +326,9 @@ int main(int argc, char *argv[]) { - char *arguments[3], *watchdog_device; - int cmd, r, umount_log_level = LOG_INFO; - static const char* const dirs[] = {SYSTEM_SHUTDOWN_PATH, NULL}; +@@ -340,6 +353,9 @@ int main(int argc, char *argv[]) { + _cleanup_free_ char *cgroup = NULL; + char *arguments[3]; + int cmd, r; + usec_t now_time, time_interval; + pid_t pid; + bool fork_failed = false; /* The log target defaults to console, but the original systemd process will pass its log target in through a * command line argument, which will override this default. Also, ensure we'll never log to the journal or -@@ -405,8 +421,37 @@ int main(int argc, char *argv[]) { - need_md_detach = !in_container; +@@ -425,8 +441,37 @@ int main(int argc, char *argv[]) { + need_dm_detach = !in_container, need_md_detach = !in_container, can_initrd, last_try = false; can_initrd = !in_container && !in_initrd() && access("/run/initramfs/shutdown", X_OK) == 0; + now_time = now(CLOCK_MONOTONIC); @@ -1179,66 +1179,63 @@ index a98cfc4..1ad6fa0 100644 + bool changed = false; - if (use_watchdog) + (void) watchdog_ping(); diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c -index c2a2624..1541bcc 100644 +index 61bd9d2..ecba3d4 100644 --- a/src/shutdown/umount.c +++ b/src/shutdown/umount.c -@@ -37,6 +37,7 @@ +@@ -48,6 +48,7 @@ + #include "sync-util.h" #include "umount.h" - #include "util.h" #include "virt.h" +#include "manager.h" static void mount_point_free(MountPoint **head, MountPoint *m) { assert(head); -@@ -553,6 +554,7 @@ static int umount_with_timeout(MountPoint *m, int umount_log_level) { - return r; - if (r == 0) { +@@ -678,6 +679,7 @@ static int umount_with_timeout(MountPoint *m, bool last_try) { + pfd[0] = safe_close(pfd[0]); + log_info("Unmounting '%s'.", m->path); + manager_status_printf(NULL, STATUS_TYPE_NORMAL, NULL, "Unmounting '%s'.", m->path); - /* Start the mount operation here in the child Using MNT_FORCE - * causes some filesystems (e.g. FUSE and NFS and other network -@@ -562,8 +564,12 @@ static int umount_with_timeout(MountPoint *m, int umount_log_level) { - * filesystem less busy so the unmount might succeed (rather - * than return EBUSY). */ - r = umount2(m->path, MNT_FORCE); -- if (r < 0) -+ if (r < 0) { - log_full_errno(umount_log_level, errno, "Failed to unmount %s: %m", m->path); + /* Start the mount operation here in the child Using MNT_FORCE causes some filesystems + * (e.g. FUSE and NFS and other network filesystems) to abort any pending requests and return +@@ -689,9 +691,12 @@ static int umount_with_timeout(MountPoint *m, bool last_try) { + (m->umount_lazily ? MNT_DETACH : MNT_FORCE))); + if (r < 0) { + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Failed to unmount %s: %m", m->path); + manager_status_printf(NULL, STATUS_TYPE_NORMAL, NULL, "Failed to unmount '%s'.", m->path); + + if (r == -EBUSY && last_try) + log_umount_blockers(m->path); + } else { + manager_status_printf(NULL, STATUS_TYPE_NORMAL, NULL, "Unmounted '%s'.", m->path); -+ } + } - _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS); - } + (void) write(pfd[1], &r, sizeof(r)); /* try to send errno up */ diff --git a/src/test/meson.build b/src/test/meson.build -index 561386d..09c5298 100644 +index be99212..e0a40b8 100644 --- a/src/test/meson.build +++ b/src/test/meson.build -@@ -616,6 +616,23 @@ tests += [ - libshared], - [], - core_includes], -+ -+ [['src/test/test-process-status.c', -+ 'src/shutdown/process-status.c', -+ 'src/shutdown/process-status.h'], +@@ -700,6 +700,21 @@ tests += [ + [files('test-sha256.c')], + + [files('test-open-file.c')], ++ ++ [files('test-process-status.c', ++ '../shutdown/process-status.c'), + [libcore, + libshared], + [], + [shutdown_includes, + core_includes]], + -+ [['src/test/test-fuser.c', -+ 'src/core/fuser.c', -+ 'src/core/fuser.h'], ++ [files('test-fuser.c', ++ '../core/fuser.c'), + [libcore, + libshared], + [], -+ core_includes], ++ core_includes], ] ############################################################ @@ -1279,5 +1276,5 @@ index 0000000..4a4c3da + +} -- -2.23.0 +2.33.0 diff --git a/process-util-log-more-information-when-runnin.patch b/process-util-log-more-information-when-runnin.patch index 059ef8d..c4b1c3a 100644 --- a/process-util-log-more-information-when-runnin.patch +++ b/process-util-log-more-information-when-runnin.patch @@ -14,10 +14,10 @@ Subject: [PATCH] process-util: log more information when running 4 files changed, 66 insertions(+) diff --git a/src/basic/process-util.c b/src/basic/process-util.c -index 5452edd..f137ba0 100644 +index b6bf83c..aaf5e87 100644 --- a/src/basic/process-util.c +++ b/src/basic/process-util.c -@@ -42,6 +42,7 @@ +@@ -49,6 +49,7 @@ #include "stdio-util.h" #include "string-table.h" #include "string-util.h" @@ -25,7 +25,7 @@ index 5452edd..f137ba0 100644 #include "terminal-util.h" #include "user-util.h" #include "utf8.h" -@@ -189,6 +190,36 @@ int get_process_cmdline(pid_t pid, size_t max_columns, ProcessCmdlineFlags flags +@@ -258,6 +259,36 @@ int get_process_cmdline(pid_t pid, size_t max_columns, ProcessCmdlineFlags flags return 0; } @@ -59,26 +59,26 @@ index 5452edd..f137ba0 100644 + +} + - static int update_argv(const char name[], size_t l) { - static int can_do = -1; - + int container_get_leader(const char *machine, pid_t *pid) { + _cleanup_free_ char *s = NULL, *class = NULL; + const char *p; diff --git a/src/basic/process-util.h b/src/basic/process-util.h -index 41d4759..4d8147e 100644 +index 96da0bb..135386c 100644 --- a/src/basic/process-util.h +++ b/src/basic/process-util.h -@@ -38,6 +38,7 @@ typedef enum ProcessCmdlineFlags { +@@ -40,6 +40,7 @@ typedef enum ProcessCmdlineFlags { - int get_process_comm(pid_t pid, char **name); - int get_process_cmdline(pid_t pid, size_t max_columns, ProcessCmdlineFlags flags, char **line); + int get_process_comm(pid_t pid, char **ret); + int get_process_cmdline(pid_t pid, size_t max_columns, ProcessCmdlineFlags flags, char **ret); +int print_process_cmdline_with_arg(pid_t pid, int argc, char *argv[], char *filter[]); - int get_process_exe(pid_t pid, char **name); - int get_process_uid(pid_t pid, uid_t *uid); - int get_process_gid(pid_t pid, gid_t *gid); + int get_process_exe(pid_t pid, char **ret); + int get_process_uid(pid_t pid, uid_t *ret); + int get_process_gid(pid_t pid, gid_t *ret); diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c -index 1c01914..dd5bee9 100644 +index 4e7fd04..6143505 100644 --- a/src/systemctl/systemctl.c +++ b/src/systemctl/systemctl.c -@@ -12,6 +12,7 @@ +@@ -2,6 +2,7 @@ #include #include @@ -86,9 +86,9 @@ index 1c01914..dd5bee9 100644 #include #include "sd-daemon.h" -@@ -9272,6 +9273,14 @@ static int logind_cancel_shutdown(void) { - - static int run(int argc, char *argv[]) { +@@ -1153,6 +1154,14 @@ static int run(int argc, char *argv[]) { + _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL; + _cleanup_(umount_and_rmdir_and_freep) char *mounted_dir = NULL; int r; + pid_t ppid; + char *filter[] = { @@ -100,26 +100,27 @@ index 1c01914..dd5bee9 100644 + }; setlocale(LC_ALL, ""); - log_parse_environment(); -@@ -9291,6 +9300,9 @@ static int run(int argc, char *argv[]) { + log_setup(); +@@ -1166,6 +1175,9 @@ static int run(int argc, char *argv[]) { if (r <= 0) goto finish; + ppid = getppid(); + (void) print_process_cmdline_with_arg(ppid, argc, argv, filter); + - if (arg_action != ACTION_SYSTEMCTL && running_in_chroot() > 0) { - if (!arg_quiet) - log_info("Running in chroot, ignoring request."); + if (proc_mounted() == 0) + log_full(arg_no_warn ? LOG_DEBUG : LOG_WARNING, + "%s%s/proc/ is not mounted. This is not a supported mode of operation. Please fix\n" diff --git a/src/test/test-process-util.c b/src/test/test-process-util.c -index 8dc9fdd..1cb4ee2 100644 +index 1864f8a..3a844cf 100644 --- a/src/test/test-process-util.c +++ b/src/test/test-process-util.c -@@ -601,6 +601,27 @@ static void test_ioprio_class_from_to_string(void) { - } +@@ -798,4 +798,26 @@ static int intro(void) { + return EXIT_SUCCESS; } -+static void test_print_process_cmdline_with_arg(pid_t pid) { ++TEST(print_process_cmdline_with_arg) { ++ pid_t pid = getpid(); + char *arg_filter_empty[] = {"", NULL}; + char *arg_filter_1_in[] = {"status", NULL}; + char *arg_filter_1_no[] = {"stop", NULL}; @@ -140,17 +141,7 @@ index 8dc9fdd..1cb4ee2 100644 + assert_se(print_process_cmdline_with_arg(pid, 3, arg_var_filter, arg_filter_2_no) >= 0); +} + - int main(int argc, char *argv[]) { - log_show_color(true); - test_setup_logging(LOG_INFO); -@@ -627,6 +648,7 @@ int main(int argc, char *argv[]) { - test_ioprio_class_from_to_string(); - test_setpriority_closest(); - test_get_process_ppid(); -+ test_print_process_cmdline_with_arg(getpid()); - - return 0; - } + DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro); -- -2.23.0 +2.33.0 diff --git a/resolved-create-etc-resolv.conf-symlink-at-runtime.patch b/resolved-create-etc-resolv.conf-symlink-at-runtime.patch index 21ba790..f289127 100644 --- a/resolved-create-etc-resolv.conf-symlink-at-runtime.patch +++ b/resolved-create-etc-resolv.conf-symlink-at-runtime.patch @@ -13,12 +13,12 @@ don't touch it in that case either. https://bugzilla.redhat.com/show_bug.cgi?id=1313085 --- - src/resolve/resolved.c | 5 +++++ - tmpfiles.d/etc.conf.in | 3 --- - 2 files changed, 5 insertions(+), 3 deletions(-) + src/resolve/resolved.c | 5 +++++ + tmpfiles.d/systemd-resolve.conf | 2 -- + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c -index 50989a6b0a..95a51a574a 100644 +index d3bc902..a94d744 100644 --- a/src/resolve/resolved.c +++ b/src/resolve/resolved.c @@ -58,6 +58,11 @@ static int run(int argc, char *argv[]) { @@ -33,20 +33,16 @@ index 50989a6b0a..95a51a574a 100644 /* Drop privileges, but keep three caps. Note that we drop two of those too, later on (see below) */ r = drop_privileges(uid, gid, (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */ -diff --git a/tmpfiles.d/etc.conf.in b/tmpfiles.d/etc.conf.in -index f82e0b82ce..66a777bdb2 100644 ---- a/tmpfiles.d/etc.conf.in -+++ b/tmpfiles.d/etc.conf.in -@@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts - {% if HAVE_SMACK_RUN_LABEL %} - t /etc/mtab - - - - security.SMACK64=_ - {% endif %} --{% if ENABLE_RESOLVE %} +diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf +index cb1c56d..ce3d1a6 100644 +--- a/tmpfiles.d/systemd-resolve.conf ++++ b/tmpfiles.d/systemd-resolve.conf +@@ -6,5 +6,3 @@ + # (at your option) any later version. + + # See tmpfiles.d(5) for details +- -L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf --{% endif %} - C! /etc/nsswitch.conf - - - - - {% if HAVE_PAM %} - C! /etc/pam.d - - - - -- -2.23.0 +2.33.0 diff --git a/revert-rpm-restart-services-in-posttrans.patch b/revert-rpm-restart-services-in-posttrans.patch index b76853f..01e6f75 100644 --- a/revert-rpm-restart-services-in-posttrans.patch +++ b/revert-rpm-restart-services-in-posttrans.patch @@ -10,20 +10,18 @@ and use the version 20.03 scheme Conflict:NA Reference:https://github.com/systemd/systemd/commit/fa97d2fcf64e0558054bee673f734f523373b146 --- - src/rpm/macros.systemd.in | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) + src/rpm/macros.systemd.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in -index 3a0169a..8dae941 100644 +index 8880078..b1a297e 100644 --- a/src/rpm/macros.systemd.in +++ b/src/rpm/macros.systemd.in -@@ -86,9 +86,7 @@ fi \ +@@ -89,7 +89,7 @@ fi \ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \ - if [ $1 -ge 1 ] && [ -x %{_bindir}/systemctl ]; then \ + if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \ # Package upgrade, not uninstall \ -- for unit in %{?*}; do \ -- %{_bindir}/systemctl set-property $unit Markers=+needs-restart || : \ -- done \ +- {{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-system-units %{?*} || : \ + %{_bindir}/systemctl try-restart %{?*} || : \ fi \ %{nil} diff --git a/rules-add-rule-for-naming-Dell-iDRAC-USB-Virtual-NIC.patch b/rules-add-rule-for-naming-Dell-iDRAC-USB-Virtual-NIC.patch index af9c43c..19893e3 100644 --- a/rules-add-rule-for-naming-Dell-iDRAC-USB-Virtual-NIC.patch +++ b/rules-add-rule-for-naming-Dell-iDRAC-USB-Virtual-NIC.patch @@ -13,7 +13,7 @@ Related: #1523227 diff --git a/rules.d/73-idrac.rules b/rules.d/73-idrac.rules new file mode 100644 -index 0000000000..d67fc425b1 +index 0000000..d67fc42 --- /dev/null +++ b/rules.d/73-idrac.rules @@ -0,0 +1,6 @@ @@ -24,17 +24,17 @@ index 0000000000..d67fc425b1 + +ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb", ATTRS{idVendor}=="413c", ATTRS{idProduct}=="a102", NAME="idrac" diff --git a/rules.d/meson.build b/rules.d/meson.build -index 13d1d330cf..b06edf0621 100644 +index cba9dd4..39e174d 100644 --- a/rules.d/meson.build +++ b/rules.d/meson.build -@@ -18,6 +18,7 @@ rules = files(''' - 70-joystick.rules - 70-mouse.rules - 70-touchpad.rules -+ 73-idrac.rules - 75-net-description.rules - 75-probe_mtd.rules - 78-sound-card.rules +@@ -24,6 +24,7 @@ rules = [ + '70-joystick.rules', + '70-mouse.rules', + '70-touchpad.rules', ++ '73-idrac.rules', + '75-net-description.rules', + '75-probe_mtd.rules', + '78-sound-card.rules', -- -2.23.0 +2.33.0 diff --git a/rules-add-the-rule-that-adds-elevator-kernel-command.patch b/rules-add-the-rule-that-adds-elevator-kernel-command.patch index 768c72b..b3f37e3 100644 --- a/rules-add-the-rule-that-adds-elevator-kernel-command.patch +++ b/rules-add-the-rule-that-adds-elevator-kernel-command.patch @@ -7,21 +7,23 @@ Subject: [PATCH] rules: add the rule that adds elevator= kernel Resolves: #1670126 --- - rules.d/meson.build | 1 + - 1 file changed, 1 insertion(+) + rules.d/meson.build | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules.d/meson.build b/rules.d/meson.build -index 62026fd..4a3c32f 100644 +index 39e174d..e356183 100644 --- a/rules.d/meson.build +++ b/rules.d/meson.build -@@ -5,6 +5,7 @@ install_data( +@@ -5,7 +5,8 @@ install_data( install_dir : udevrulesdir) - rules = files(''' -+ 40-elevator.rules - 60-autosuspend.rules - 60-block.rules - 60-cdrom_id.rules + rules = [ +- [files('60-autosuspend.rules', ++ [files('40-elevator.rules', ++ '60-autosuspend.rules', + '60-block.rules', + '60-cdrom_id.rules', + '60-drm.rules', -- -2.23.0 +2.33.0 diff --git a/sd-bus-properly-initialize-containers.patch b/sd-bus-properly-initialize-containers.patch index a6583b8..3f74b2e 100644 --- a/sd-bus-properly-initialize-containers.patch +++ b/sd-bus-properly-initialize-containers.patch @@ -15,17 +15,17 @@ Related: #1635435 1 file changed, 1 insertion(+) diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c -index eb029e4..e0c8338 100644 +index 9719f97..ec6cd57 100644 --- a/src/libsystemd/sd-bus/bus-message.c +++ b/src/libsystemd/sd-bus/bus-message.c -@@ -2051,6 +2051,7 @@ _public_ int sd_bus_message_open_container( +@@ -1783,6 +1783,7 @@ _public_ int sd_bus_message_open_container( .enclosing = type, .signature = TAKE_PTR(signature), .array_size = array_size, -+ .peeked_signature = NULL, ++ .peeked_signature = NULL, .before = before, .begin = begin, - .need_offsets = need_offsets, + }; -- -2.19.1 +2.33.0 diff --git a/shutdown-reboot-when-recieve-crash-signal.patch b/shutdown-reboot-when-recieve-crash-signal.patch index 4213090..f5bebc7 100644 --- a/shutdown-reboot-when-recieve-crash-signal.patch +++ b/shutdown-reboot-when-recieve-crash-signal.patch @@ -5,13 +5,13 @@ Subject: [PATCH] shutdown: reboot when recieve crash signal --- src/shutdown/shutdown.c | 33 +++++++++++++++++++++++++++++++++ - 1 files changed, 33 insertions(+) + 1 file changed, 33 insertions(+) diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c -index 680de4f..066a03a 100644 +index 1bbabfb..8f68559 100644 --- a/src/shutdown/shutdown.c +++ b/src/shutdown/shutdown.c -@@ -307,6 +307,26 @@ static void bump_sysctl_printk_log_level(int min_level) { +@@ -322,6 +322,26 @@ static void bump_sysctl_printk_log_level(int min_level) { log_debug_errno(r, "Failed to bump kernel.printk to %i: %m", min_level + 1); } @@ -35,10 +35,10 @@ index 680de4f..066a03a 100644 + } +} + - int main(int argc, char *argv[]) { - bool need_umount, need_swapoff, need_loop_detach, need_dm_detach, need_md_detach, in_container, use_watchdog = false, can_initrd; - _cleanup_free_ char *cgroup = NULL; -@@ -316,6 +336,19 @@ int main(int argc, char *argv[]) { + static void init_watchdog(void) { + const char *s; + int r; +@@ -356,6 +376,19 @@ int main(int argc, char *argv[]) { usec_t now_time, time_interval; pid_t pid; bool fork_failed = false; @@ -59,5 +59,5 @@ index 680de4f..066a03a 100644 /* The log target defaults to console, but the original systemd process will pass its log target in through a * command line argument, which will override this default. Also, ensure we'll never log to the journal or -- -2.23.0 +2.33.0 diff --git a/support-disable-cgroup-controllers-we-don-t-want.patch b/support-disable-cgroup-controllers-we-don-t-want.patch index 5fc541a..1fa0df1 100644 --- a/support-disable-cgroup-controllers-we-don-t-want.patch +++ b/support-disable-cgroup-controllers-we-don-t-want.patch @@ -15,10 +15,10 @@ Subject: [PATCH] support disable cgroup controllers we don't want 8 files changed, 81 insertions(+) diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c -index f912b65..79089ac 100644 +index ac25693..a7c839c 100644 --- a/src/basic/cgroup-util.c +++ b/src/basic/cgroup-util.c -@@ -1951,6 +1951,20 @@ int cg_mask_supported(CGroupMask *ret) { +@@ -2052,6 +2052,20 @@ int cg_mask_supported(CGroupMask *ret) { return cg_mask_supported_subtree(root, ret); } @@ -37,13 +37,13 @@ index f912b65..79089ac 100644 +} + int cg_kernel_controllers(Set **ret) { - _cleanup_set_free_free_ Set *controllers = NULL; + _cleanup_set_free_ Set *controllers = NULL; _cleanup_fclose_ FILE *f = NULL; diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h -index a491eca..faa253b 100644 +index 147c956..a539327 100644 --- a/src/basic/cgroup-util.h +++ b/src/basic/cgroup-util.h -@@ -269,6 +269,7 @@ typedef const char* (*cg_migrate_callback_t)(CGroupMask mask, void *userdata); +@@ -295,6 +295,7 @@ typedef const char* (*cg_migrate_callback_t)(CGroupMask mask, void *userdata); int cg_mask_supported(CGroupMask *ret); int cg_mask_supported_subtree(const char *root, CGroupMask *ret); @@ -52,10 +52,10 @@ index a491eca..faa253b 100644 int cg_mask_to_string(CGroupMask mask, char **ret); diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index ab6d602..6101d53 100644 +index 9987dac..af58b9b 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c -@@ -3378,6 +3378,7 @@ int manager_setup_cgroup(Manager *m) { +@@ -3646,6 +3646,7 @@ int manager_setup_cgroup(Manager *m) { if (r < 0) return log_error_errno(r, "Failed to determine supported bpf-based pseudo-controllers: %m"); m->cgroup_supported |= mask; @@ -64,10 +64,10 @@ index ab6d602..6101d53 100644 /* 10. Log which controllers are supported */ for (CGroupController c = 0; c < _CGROUP_CONTROLLER_MAX; c++) diff --git a/src/core/main.c b/src/core/main.c -index a39d7d3..c4ce9a8 100644 +index 990e4d2..5404e24 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -145,6 +145,7 @@ static nsec_t arg_timer_slack_nsec; +@@ -157,6 +157,7 @@ static nsec_t arg_timer_slack_nsec; static usec_t arg_default_timer_accuracy_usec; static Set* arg_syscall_archs; static FILE* arg_serialization; @@ -75,15 +75,15 @@ index a39d7d3..c4ce9a8 100644 static int arg_default_cpu_accounting; static bool arg_default_io_accounting; static bool arg_default_ip_accounting; -@@ -696,6 +697,7 @@ static int parse_config_file(void) { - { "Manager", "DefaultLimitNICE", config_parse_rlimit, RLIMIT_NICE, arg_default_rlimit }, - { "Manager", "DefaultLimitRTPRIO", config_parse_rlimit, RLIMIT_RTPRIO, arg_default_rlimit }, - { "Manager", "DefaultLimitRTTIME", config_parse_rlimit, RLIMIT_RTTIME, arg_default_rlimit }, -+ { "Manager", "DisableCGroupControllers", config_parse_cgroup, 0, &arg_disable_cgroup_controllers }, - { "Manager", "DefaultCPUAccounting", config_parse_tristate, 0, &arg_default_cpu_accounting }, - { "Manager", "DefaultIOAccounting", config_parse_bool, 0, &arg_default_io_accounting }, - { "Manager", "DefaultIPAccounting", config_parse_bool, 0, &arg_default_ip_accounting }, -@@ -767,6 +769,10 @@ static void set_manager_defaults(Manager *m) { +@@ -684,6 +685,7 @@ static int parse_config_file(void) { + { "Manager", "DefaultLimitNICE", config_parse_rlimit, RLIMIT_NICE, arg_default_rlimit }, + { "Manager", "DefaultLimitRTPRIO", config_parse_rlimit, RLIMIT_RTPRIO, arg_default_rlimit }, + { "Manager", "DefaultLimitRTTIME", config_parse_rlimit, RLIMIT_RTTIME, arg_default_rlimit }, ++ { "Manager", "DisableCGroupControllers", config_parse_cgroup, 0, &arg_disable_cgroup_controllers }, + { "Manager", "DefaultCPUAccounting", config_parse_tristate, 0, &arg_default_cpu_accounting }, + { "Manager", "DefaultIOAccounting", config_parse_bool, 0, &arg_default_io_accounting }, + { "Manager", "DefaultIPAccounting", config_parse_bool, 0, &arg_default_ip_accounting }, +@@ -765,6 +767,10 @@ static void set_manager_defaults(Manager *m) { m->default_start_limit_burst = arg_default_start_limit_burst; m->default_dfx_reboot = arg_default_dfx_reboot; @@ -94,7 +94,7 @@ index a39d7d3..c4ce9a8 100644 /* On 4.15+ with unified hierarchy, CPU accounting is essentially free as it doesn't require the CPU * controller to be enabled, so the default is to enable it unless we got told otherwise. */ if (arg_default_cpu_accounting >= 0) -@@ -2395,6 +2401,7 @@ static void reset_arguments(void) { +@@ -2494,6 +2500,7 @@ static void reset_arguments(void) { /* arg_serialization — ignore */ @@ -103,10 +103,10 @@ index a39d7d3..c4ce9a8 100644 arg_default_io_accounting = false; arg_default_ip_accounting = false; diff --git a/src/core/manager.h b/src/core/manager.h -index 54c1d3e..1f7d3b5 100644 +index ea95efe..9bf5454 100644 --- a/src/core/manager.h +++ b/src/core/manager.h -@@ -295,6 +295,8 @@ struct Manager { +@@ -296,6 +296,8 @@ struct Manager { /* Data specific to the cgroup subsystem */ Hashmap *cgroup_unit; CGroupMask cgroup_supported; @@ -116,10 +116,10 @@ index 54c1d3e..1f7d3b5 100644 /* Notifications from cgroups, when the unified hierarchy is used is done via inotify. */ diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index c1fd308..2fe6f60 100644 +index 11936cd..e7aecfd 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -49,6 +49,7 @@ +@@ -52,6 +52,7 @@ #DefaultStartLimitIntervalSec=10s #DefaultStartLimitBurst=5 #DefaultEnvironment= @@ -128,7 +128,7 @@ index c1fd308..2fe6f60 100644 #DefaultIOAccounting=no #DefaultIPAccounting=no diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c -index d0ac1b2..23fc1f5 100644 +index 29051ca..2527d31 100644 --- a/src/shared/conf-parser.c +++ b/src/shared/conf-parser.c @@ -10,6 +10,7 @@ @@ -136,10 +136,10 @@ index d0ac1b2..23fc1f5 100644 #include "conf-files.h" #include "conf-parser.h" +#include "cgroup-util.h" - #include "def.h" - #include "ether-addr-util.h" - #include "extract-word.h" -@@ -1196,6 +1197,59 @@ int config_parse_rlimit( + #include "constants.h" + #include "dns-domain.h" + #include "escape.h" +@@ -1557,6 +1558,59 @@ int config_parse_rlimit( return 0; } @@ -200,17 +200,17 @@ index d0ac1b2..23fc1f5 100644 const char* unit, const char *filename, diff --git a/src/shared/conf-parser.h b/src/shared/conf-parser.h -index c3a1382..65ef71e 100644 +index e1765f5..2d8f21e 100644 --- a/src/shared/conf-parser.h +++ b/src/shared/conf-parser.h -@@ -146,6 +146,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_ifnames); +@@ -200,6 +200,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_ifnames); CONFIG_PARSER_PROTOTYPE(config_parse_ip_port); CONFIG_PARSER_PROTOTYPE(config_parse_mtu); CONFIG_PARSER_PROTOTYPE(config_parse_rlimit); +CONFIG_PARSER_PROTOTYPE(config_parse_cgroup); CONFIG_PARSER_PROTOTYPE(config_parse_vlanprotocol); - CONFIG_PARSER_PROTOTYPE(config_parse_hwaddr); - CONFIG_PARSER_PROTOTYPE(config_parse_hwaddrs); + CONFIG_PARSER_PROTOTYPE(config_parse_hw_addr); + CONFIG_PARSER_PROTOTYPE(config_parse_hw_addrs); -- -2.23.0 +2.33.0 diff --git a/systemd-249.tar.gz b/systemd-253.tar.gz similarity index 54% rename from systemd-249.tar.gz rename to systemd-253.tar.gz index 7d0d938cbff08c53ec81b1068eff3afb5d76da0d..0337f9fafebe7741d63196dfe3128e14eeef0448 100644 GIT binary patch literal 11987237 zcmV(=K-s?^iwFP!000001MEEQa^p6V`K_lwGFxSPV#<;%%QMc+ZOO7cqeQm6l01{y z)RYX7kc5~dxBzHdxxK5p7r46r_hVmiAK|(Ik``sk_9TvzyNH#HMRWt*XrMpP02tAm z(bN}X>W^lOdQ5)t^iKtzMx$Z=!n6Drfb}n`_1*p5T5Z3&kLA_+Uaj)Q^jF~J&J!z5 zC6JUt==<;(g-ROoR;Ry?y=6$J+n;s`207ZR{_P|6YA>_lsu{;vancUy$L9EARo~gim8h zH5Vb7aGw#EhGfi0te8i%AT-t@nHogT04zL4##FI#=><6zno!>-)0lhA=OI%>Ma<D$p@__5n2R5CIVzAvtsw@sA5=AaG9RP1YVay}T6)7}tiqi5n;n>IYI zT*(6-QqBDNHW|m7FzU_>W55*ipbd8h6POV-6S41M3zA)N26PAwJt9JXZg{6rBt;}S z)Ph2$ZV5qWN+=QrZ7a@{Cf9Usx*tVJWh(>C!zq@}MJyAtiu6vqAGe`C2oyjdIa6WE zwX>*M1UnLGvKgxwgf@rH!5s8`;PRU58Ck^LvJ5$d9P=9zM~l?Q3|=xJK?xvM%cSjb zZMqAMf-DS!IG_p#s#YfbI3yRqQ;yCB0(Z;gJ(GMgCtpLWQZiS=ugy5zvP~u3MAUkj zv<%&Q_@fiez2wk;Wt zPbOLjpE%xyne8*?M_GO7;lT9z>xAAmiG+qYiJLJqBX!|86hbGcz8NqYno*zd8xRAs z=~I|Kwr(r|oR!SS>+WqD~z^3xC4dM118KOtPV*yYsUA zgFE}Qk-oU@2KhU=p>nG7lpIbRrRP3-gOv?KA4P0>J^}qA0nR2KT5L1}@E>x4asr`* zIG9qjBF>Sf=*3d%xGcRb;$ofeiI8xjNLr57P7 zRi5dO^>GJY;V&QA{5Yr(SCMd>S@!PW2)d9!lz7BBbeqhN?r!=%qzz zE0;#hJ7w3#5FL;%n`jGyiV`#f$|lrT3<^QKgPD-}I1XLINH1&-K;S;>qQt?lg@~4s zI5bo41Pm3&)(2VwGPI{W5F>+j7zZf^A%n>0x*bG%o_3@N)@PsyUJ>LJXsQV4+!D%2yN@ppTBb&9{RUl@@@7RnNQKl{HgXQN_-2=k%!k z{i?c)U{n1s=k39;(>uM>$3npI(V#udmn01z4*SQ0QK#1$c1MGDvkyh+Bij8O)=~R? zr`0Yf0zQvMgY(0|$HB0DQiK41x}DSSia=-m-dVdp{8$8o2AjiS5f`Ij^KHJk({G;+ z3yMa~MBteeArk5we;l>nFIN~0`w&v)i*mhs*BrcCo_kAWqt4Oyh2`J1Z5O}oo%c_h z-K_kmIc$#l?cw{TW%Jts4BPu=ztcqC`~Bv}9Jw60cld3)l^@b>XRx|p)I1(0gPJQo zY~!!H<-Os%c7JfUe9%0$*eC75p!v3)0nVCzE7H^RE=V)SNWKVAJC>8A6KBogyIWwt zecZ8f?Db(DwvR?dvR?tqWSzp7=lv>L1?8iYR5Amg^Wo@l0lqMC0k|}Mmt6;~ScK2u%@cgs`dT*iaR;zb%E0Aul1&FBF2{%U(b!}Ybpid2>Sm6(%8#^teZUMQt1{1hFLsdyw4(H%ckuP$ZoBY1DLv9 z2%_-+1G1NgTCaORveNbq23)Nf5OOV@4Af^jmf>(7v0m8Gs&^e)S6ZzAir}F}f17or z&!;n88laCh!fP4l*rMqCjbJQDia7L=+JAuskcsnv&qJYS7R8DHdd@ItLT@aE55c%* zCSpQ{Bb{@$ww~&QO$^=Aff&+pHfraJwff!T)K&l1%kJOJvy}gV7>~(G{L@bm8M3EJ z2>y)xU!z{#U+4dx;kkGGj|8l-B(Cj#5se4(f0f$q^8Qb)Qmt9E$UjMAuZ@!ts z;T$Ywx)6w*Nexcbda zs8od?SJaPLb&KG8Eq$+TZEZp26U0sS6GQHAlj|9GXJm>iZQ`*B#f?8xL6u8@e=0O? zfKW}Y8Bt6VYBoT~HLm86hic_D?lh6IYj(Q6Kk1TW>jbw25yGyRoa-5GJAFeKEcwW$ zigCA4ksk#tYN-zlY3hq|#B zh*(G}TaT-l)p9X#{G6($f=|cHe{2mZr#KxQj;R5%@%7iASIzYWOo-2<1*4&zP=pL~ zJ7fc}a8AaNGj&~us=$$KO0vSF))qb`vKih4{_WVAH+KeMF7yDiNl;qLGlTrx9b(f~ zz?2AY8?&#r9XsY`unnr3-QvOTr5RCQB8e!r9lQUB7^WF|eRh1j3FS zkLL6O4hMN-^Spq09`YM|xPgSp#=kwHLDP4_LJv<;n83ia0WM!poL9zkgC#5d@bXg$ zkVaxMG8Ntse^TP;<@IR7Az~P%O(k@-UX=oRV>&YO zSvZAu-k9xlY(>o;)kGbTjdv-Vl*}W^LLD0Jyexx{`?LhC6}Pa8QFCDA{)EKjq;0VOB#B&7Lq1^ick%vER63|Mwf~{Lgbd_V5_FHC}Hp zI^$_Txt*Ff$Lh_?@-&(fGUj;jhfGMeq%dMf4m)5}HlIyDs^Q&#b%M3z7 z0ZTfUfps-UD>*ZV=k$yP)c#PEb&B$VP~=#1vZ>e3)W?o6wge}b!~xd$07d`Q9b+D4HU)S zV)Rqyv}&r7<;EhsKlwcX)Q8X9|Et$)>+}E5@f3~!@%bqp*DlY4 zr%3`nWdAFT+MWI1+HPZQ|DWM;&8f}<^20`YYF9-ZjK6D+?1BmW5sa)#_w9BzKK*e+ zrT>>tk^XlEgY))i*giSyHizwB?hby2{ckiXjkW!MhUXFEKaQs(2&aV9Khq=JZ~v>c zy~f`1`H$*eb)Eltjwhr6J0OSgl=RIImmuIa*OSa0f+n#8k2wekXql7{O!JUXD0eYo zkxUc z3N|}I2e1gB;iWS1yQY`sz7<5nng`6@vw@f%Rt7fDgw!mnUzQdK@emdcrd948WK0%Q zHLM>j_sG!XO2v%KU?DSREF=p5!30fGGbggYXZh?S0ZRf9Q9Q=mO1B)sifD|CXKRRY zY_HVmYe7u9%L><@!w;XCow%1~)9vLlcZ$T3(vs2O%ZzMif{jV!7uH6G;Q;Te!14vJ zgpGZcHk-&6_t{MIX{)g4F>tfT#XTl%(k{92mW{m#S$YS}cFbJ*3azxt89yIpz(K4G z5Eg9;cWiJ`MW-wyw2&d3CHD(c`P-)P3ZNo*$qL$;#J=G??R$B#?->n~v%*?YWbzox}4X1okf`c1dprN^Pa|A|F=xGehryY}EE@8>K`WxtH8vN-!n+TMVmjFF9ws zQsL}K+^=uvIK3D9QlwOOkjx^S>kXAt>ZLv$GfzlLb{h}(!=4IW*%1(J$o%^|(&b@% zlVE1!g>&zID{*!^q8Bk*W8%mQ)Uzqmxa)nV&BEc@D_8f+)ta+gso2RHMQ)?+v!Bs( zPl_lr&e(Y>UCa)-8uasi5wy6C9 zoaB7Ua#d>uoaC~24&;j|tk{?E0}6^5-r*o*5N62BJH<*lps>QfV!3i5f@Rc*2BXBY ztSTR&O!7c*;^+pK8%t>3DUO2Vn!L|+UObk>a)ly>QU^>yn)9DnF-%=L5DqAiNpa;d z4<~^x2EimL1h`WzqGCughl+u69%;pNTnzS@uW2EKg;!3J6c(}&W1`&4LclcAj`_61 z{q?6(Tu+L|!EJ@o zUIA6WaWOFnlX7y&{X$iDWL(U=(sA*`g1;-w27=g4F?;YAf-_k>`Qh(F zs)q|!bXhBbY96}9z#zKo9a3QIv8!T{A-5}3>k6;r&sUq68*gf?0p>*Xihia2Sr#QS zM7`in8IdsM3*4M#bGa1=Lze8l340!~6uA@kXc$p&wKR)+*i8gnLntt2ur}tP;P(eW z?F64>_~v|z$GvbvV?g^9OvT~nvUQ%-SYk}k>!;udrb46~a0#HZ5)796K-51#d<^(9 ze7m%k0t`j)6dX~{<5-zu_>+B~eVdPxK!EN2BOhSz)%U3&ca~OWU|cWx+n06m_6)`lLhHe^YIl}Vz@I9 zJANxj;uz>yTK3b|JLv3|0|8k`ulIs@!%(yUXUveR#&~L z5p@m!FpXbv8k`+{?{w`M9jAkbfy_<)1JZqa)^%#-sw1R>S}RMXu}{Oxkm_HEG=gX4j2{_8)VXRB|L=k?3qO{#N=v31fjD_*LIkAw?5ES>eQb+%s`D~*mb70NhtkBu_Zsjlm9?nTe(k7lcfWlw&g&_c;7I8r5> z)L|d;<*2m1GR3{WbMz-DjXOS6T{;TUGcP$ZT=V0SRp{d`W9zSc3zjv$(e!STfTPh1 zP~RufET^@*jKLiY{m{vK*4Pgxgzn}bzT*r@T|b%9kw-{LJPsR|yfGqE zJTihHH7EjDVBe=q*o7MYTSV%h>X12t>h{ft*mC{mbd!(I z$A9wlKZ|#dcWYyn{>Lz~_y6n0WBiYYd4&EKq_NPv25OpP&I+^v2#q!w&Bj9@PIx!e zB%ikn@Z^b9P86h8LQrYx4}XiDrmquJSdMy8u=juqPxb{R6(MOqjWi^0B6(>z@~sPP zL|*1kNpgzw1hJ1^WA(G#A187cyWlsd(3;yrzbWJaNNl2)LrLzob3uvi_EI2nN1j`q zcHT>Ci@kY%Ww|-et)JBXRB|@-`4FQW{qjD=8~YXzR!XI%up`Y=C8hk$2bfSqEeD#^ zSmlC}`lh8&B862YrGT!i&|1ysuc8n_r?tEn z=h99}ZRn!v{CfG!OO5HG>f(rI34~>BlfHFT>q05J2*h%kC!@B_1wxw0Tqr_EnO{jN zN0+u9X@o0jZR$dZs3Benk<`ffAfz67IS8d}&IN&r+@;lpI=T|8fh+Uc-+aiV23`(Z zD6}g{opCO#gnD}^z@!>H7f?zMz7*6VjrpT zMZwB!af~cH_tEhe1(uZ;MquMJkskfjdPhfm08czJmU4`t7ieWYU(mUl&s;gx<(}(7^chF2<0W^iBK~=TO-FRK~;I*#Y!p2PhfLJpb|G>6qQQ% zIMLbkYL+^CVZvN(Hfm4kr(<(}UfrnIGVnz0IfITOBDBu&PtKCQipCJ=H3m?{9oz{hV# z2nVGVosM=B*d#k9x+ZOxHU6wzzGh>Dyl z=W)E6q>X%k5@_gmM+*R3^1Fqf<2xFf5@_6U00Yw5vtZ&{u0IR3i3mZ6YYc5_*DR)8 z`mVjGtY|!yJM#k5;W*ls87|22awB5hOdJPenj0e!T>(9QPWgMN*XCy=3(N z$FoHKQ!?%cw?T*exAXtkX*64p{{J4}S!4cR`AEcFlxg;WM*_{61uE_>@S@ditdRek zIrbl|R_8JP<3l{v&CLSaqzwSc{?lM+&w#|B=Qh9LmQsnujT-ISH|mA{`SLHN61k1yXF}%P z8eRUSRAND+M*B{UqJ1*$0#;x>6%tJgn`d108g6w&2PQy$LZ`e@3fLdU(&2)lNzjSo zlcWC8(c#hUJ7`)M7Jg~>M3K02hYHCP{S#%HcUXq*6j{{b4#)zcdDptQkpp6e=L1Ct zglf#6-elV^ye||eEQKQF1QMB4B}#%#-W2+lCGiCcPXR!Pr9pucDn`8)HDs5UvJeGZ z@r^>j(Fj9!K{fTM#hJ(Fmd_gU|7*|nTto}^7jAzql?p#V(cKX@z1d{t9$|B1o}~&iDjfMFk{*UgIV`X#zOXYV#vchK zc&hX{kggH==)l`)(XnBw$ygDlP92hUbgVM5=h?~~A+Cmgyg4xdO8s2cj6YUq!UvUsd z!x(Rbu6T4MjbBejuI1uMjeF(^qqnLI(yu^!ETl%LxWz5{R;d*whA*B@BxO|DDr~xk zmXCCUL4<09LAg8_$kyTInnIdxiYr!-inroYACmeCou+IL8a)ojA+?U=@uj~HWy%NG zwwfDuDL!DzgV`uVX1uc(ca~W4rR2sapj_(bX0RW%gmRV0tZvdFN7Ns@54PlcbX~_- zsu*bydddJUw(RYw^5qR|h-8_ftW``jwM+NUTqm{i6v`-JidLWvGbWr_P&=5uXijtb zAQI#mfO!8N9fX{KcvRjX83@KI2w2RLfGE)bCy^d^Rot@!ws2X{94rR{L;X(N-UCFN zFIr^p(T2*00~HCPE07!!rlP1p!PztGQG zfTyD{s4(b3?0z4`I?f}nYQBxqZe|gYAo3fbB^)2x;LQQn( zL;*P2=Jl5%52}_wzuu5SC?ObV0f8wF6? z=K;c?FO_lEBqCPWxqpRpyb?D}jY>;g!t{JZaJ`H5(IA3-S)oE3OHk}<6ViYltP7kr zB!Efe%1Xxcz;Bd_heezdQH?&2<@8S8c`eH`Ab_qyPXIb#l!$OPC7oMH4ue?WkGY7H zH{{_J&+>)@(N@NXn_5=v4s{PN$O`5owrfmIxwzoUqE9d*9ApZA1l+!Urf4%6vQlx(_YG%YXn6;+A4iVyG`X|4J>Lxycp1!d1dBjQWfs z0Q=u zNK_ELPF^GRN9RXlH3(6s5)bjFXzPnyc^Y6+-^0-HAUq`U5JlJHr#bx=V3DH;XgVxy znzk~IMmkU7oA@vOeUBV*GBwY}=BekqbbsVcQk+8Hd#(o(1m^4jfgZyePiTXY?8qVB z3C1+OFuZKxw{ByVgrv1tuJp%aXnWr@ZquC!LlO5rjU{l6JK{XZ47YUto!Yo69 z;_N6wwgXE&2qfsff?O8VEuua-6zqzlg8^w(5{URkW7C?Fgll@@zCAKA!3x5giF5~w z6idjpS05XTR={Hg^=756>|aboq=3ds$4Y(`$Lu+02lnvp_ls!y>p z56VEcpyZ{wkrbXyz}Go!QF^OOv%-og8T#onz=|8HI^-;gM8Y{FdYe5bE|b}O>P68y ze!S2J{(kgeYv_Ms%c?uJu|oe-Yc%HkKN^qvpNDzw-Tt#6&sLR{cgoZ{W$Gqfooun1 zUek?&%_nFf>RHkxJYgIM)NP9uH;Zv9S;cARd<5h$5P4FC?nAFoYx1cF_IL8+t$#5S z=Fq=uz{kw9YW;WS*1yrIw;uh!KE!jowH+wYtDcE`oH8Oe?oTQxFP<9e;6HD zvHlICnZ5r}uXUP_>;EC1yZZhi9Ff=&x%@$4BH{Mu30WP>y%QjqHnoh3`c;SRN@(e{ zWXL#~otFObr{hh?`pN#{X-T;7aX7az;DTBSu!r~saGvxI$?zLH9z*B|DUQ=hHxsxm zl}OUp8twpxoSZ1rJ${T08u-f78VLU~2I;FK-1&qQ&;(0+{3`ZYhY)vO?Z;sxKoYSj zG6ZZtLw7_QQLLdH%SC-s9^aHsWaf!6od2XBP^)jVU`E>>XEsXui!%wjh}tR>b*zDA zY@SbHJ-Ce2n^?_Ew8c>AlZ?>H#dlzM5%d5#M7NJJ0wsMD{3h3suZ~d57Wk;@4R=e@T;Q1;C@cJdC5ngy$U*N} zA{~F}b`^6A(qWXyKs#-j5NApMQ*$L`Iuso9K#djs9LNX*dPqK1L`Nt`r^wu;!uY}u z~0*u>0BB+a}8ekDBZY!()H)rsp;ZZtMnUly4M zh#C6zctk*F3B(ca00a68ziks{+e>AOq__mfIAQ4$loXY~1K2QCfKsCT7(-#2Wzlgv&eW2uzmo@BXHhA1h#3?;g+l0>%Hwx?l;G}#bcE(|k`h`cnZ z7737}y!j;ZRFcd^FFl!DOu}5;w8l7#uj%!S8{;@7osYmUMcXV1Dw5sUL%DD=t|yy@ zS6N!UV{LTW6ZZn&(!BtxBNAg;kMEm>*@YWJhZhIuYv#G?qv)rACEWNV`XUmrJnR@? z<38L{v z-vc~PKC8}xX%%*ARoJ93;4kO5JnuuJQjK313K)WstR}g2?n4qQ{#0u;P8*Fcjqy{1 ze%HpuFWLKoV}@wAr;2{{c|B3w$P`DD9cExPsR~Ici#J^J z87Ko$s%j5KnfMlchoB>&L>iz+@-+;CRIjhOmwLSz3KN=CBJH75!|_WH#$6u! zBY6c5J5Ik~6Q6xPPSWo; zut5(L=BQM{z_>eaXTEebkCBFCymJuU9bfidO6ai3qgVV`!0p|`7q9jY`bXQvr|;D7 ztv|glMj3g4cX|7)tIUMTCRf6(7K?n6d- z6buLINJF!NjbfpI#2bFIA`!)gHM`fLbuGNa=i@w3XFO1Kz> z7mq0Lx&_6ThcUnt3@(CL($5n6>Z>Xbt*SW*s{vWM2Rd5(7h_*fJ9Ld?CXD?;$Grwn z7W!AJo>>-CgreSCEg1#T*@QV2cCY}L zD1~qn7(r2{-6+;Dyt=~PqR}f zsNU|6Kgtqce6gs^4$SdrbUD_{X&sPrC+Au&GtGl-b8CJ+2ub3Riv3%4oQ%84vS9vLjeD0v;cqd zitMMTdHEF88ZD-O=1p_n>eTIOxO`T=&6#JNPfS|}mRbF0L823g zGOd0gDY+uw*j5C{v~3O1Fm{c|v>P^=m|HoJqMCUqu;8=v(=}ocAP3N_27*YDn2(pI z@aBL=*3rPOVHXikcL7@l%J*tVP-e8a#-nW@gS7W#Nvl9sCQ}0Bz8i%lA1Y(1X;GvZ zw;KN}U?rj{H!`epGKCrif-zARi^)ud8^D&;K%G8&18n&T+m~5DW;mLa&8pj#S`F@OGE_bc)sJP8e($0){s$02&>W;00QQXxmgqT(|^=9Gg3- zt6@)H?VNn87XV5lvD#1>%Cu>Y4p#=KBe#Hfm;{Aol6DRP4-X2kgTTQ-xF8vQd-$SX z)u{uxt=*#bV3|MN-G!%mz#N@v z=nRrMOrsm*iK9YPFK{5G07-LMsha3`)h@BpyZ7+ti;|iL+y^_tv76Ej7o3$lDl zltDfY%diMP2BHgl@ca3}&Ns)~MePUaUnW@rIr~%iTg0D=R=5!s+Vq2fOqWSTGk~0xU^f`C*!U?T9p~ zi)6*G<0T@8L0yH07M@Bbflc|I4bwnSKef^~@vN=?{{UmK74~2CW@BFekN!U&_5UCL zxtI74Pvk8hu@-1oAX0lNM%xm$!tJc z5`dU6;nT58u9W3PBM+U`1Y6`GpiubPA5uE?NOTqUfq{ni9^@vfUe{|)q0sg{Yc@qS z>y7#<;sLP9dG}7btJl>xu=npZOb-43aD4c(3=+lEz1F#ht{y~=tT5#cq!bhr0MQDg z@S#D-89IU9qI=bm!ZPG%QR7IKHOItIsN(*WNES`SaZsVnbWqfHEYe`o7Oz-=WiTuP5P?_)*c_2B;k+e;jh#G zW$>Fx_@mL>_LGV^JlS$A!4D( z3q4hp{jAe!*=E;jSdL+|ObbYTx8C5Lo@sES)9pIlUb9xO8N*CV*eM}amrH_h2!XQv zuJ&GgXTZNY{A;}5C{^$)bTt_1H#IaORSb+Qp$26mUP`o*w}5%uKGXU+o6XdL_iu?$ zf2?OY|F;~xlr)%pm@W7!{%;sr`wvKZy#Mnc&%N^hU2&Q1IdIwoz#F_Tf?O9*-xkRO z!zpmLbDp3>r~;2(E>CM(@68u@I|h$FQmmWUHQo)5S@x@=e11JLBUPvCY{gtQqII8b zM*$|4uCT;@{Z*AD6IDIgdmR;4I>oca-FPX!GkXgE-jwbx97sYPnCO7u7uY>LuxJo9 zyv0sU+eV-jijm@AoLzMFIffB?lVu@_tP4_(D8Q!yD=+vW<;w&^x(iG1B#Sxo{j(9T zX6{B-73UE|+7V4WyHs&!aSxXJ84LOl6_qztL;r$%qBLyRraTPvZ}v~Vef{;|=Wfpm{_i5jeCS2675u-^?#%K3TC4sT|M4N7`{Dl-J1xFIOq5N<40HXeA7G#a z*nXo~7Y0!xLvwCpz%zKCVIT#(<9;Sw8&wNRp4dkMyK=++8`d?%$!Kg84Fqg1O4Q}x ze5n|u3Ul|`w-c4-g{6!n5v?-UbEc-G-3x>!5t=1}la?zOQ=o8e@W@dU9WJG? zM?BI@B0VuQ5@-j6wlY(cPc(6+7-+DT@l@PA19-JW@h9wp^NBX|Op4k@QQ`0yMpR?L zxj(}z_B=X$^zpzkFCJfZG(^P1PR%gz?mtjITD&kS}B+<= zY&iyR8ob+V0rBkdpoLr?6`mO`c-;3c4ncUqX^6!22&MXe=Jf>z2Z|mcT$n1Y2gKKutvjTiLT%5 zrzY-eJgfM>2w(DX{lB%^^Zs9Jt@frQ^M6J5vK z9(s?Li`1GT2VdpYR)`2G}&V=v)x@;Q}~{6HbrKsvdKQ_%e<`^Lm;p6nIu8i6#> zu93aqp=q0;$%I-KuLvYam5AvPa^L}yPQQA6a4+f3mZ;bFwqo+dtY$ z?M4@te7=9s-(q9g>e`$~4#rl*VZKtktfT=!^7};+@ttJHO6>E`S60Q{+-OGk2$K4! zxvJ~%w|qvqXy2A{Hk{d^l*nLnpWowb0m$n$MM{-5=_U88BW8bjbHL&I*= zoKCMb?A1EF)oR$?cBj{9wtAh`Lam&Dvy}`L2JCl zt1Thms1Bdj-sJY#R_L^Bl2jq}Z4WUy>bq%%QX>m9l2e-QZw`d@;}$FZ;!a9yO`3!F zDQ~}(OHNRVBT3QY1UfCr=df)*zVWPbDWl#ACZ>h^{OVfsqEp8}*l`>_)$zJlS&c4X z$wu5usR5XIP=&1xypW+6rEfsMPSFaFxKHU}D8%gzYL-)#RnsL(O{N3!l~DL4{V2mc zB7cdeQD1MuN*i-6Ot~)ZN2)M7yVpKK=w9~uv475#4;bLYQxK>bJh{{T;d{_o>tGdbCk z-V5W|t%U9!$UI(Q<~9=gb%k?;Nse}Wk1IL-c8X`&k!3bPS>qqT>&b|MYMrv->}(*y z-Xj)Qly9WyHXkIid6OXW;C~-RKMCU#b4oGDaHvuLm!VA1xMO<5nRTIbTU1m-C#HP* z%reYYt7mt*Luc5v?OLmDv~6?Pa~u$ydq%BWcbrzE9;+=-ADM)(Sg4kRrAc#BNecFl zk6-r(C;b<%4t7rZ)r8TIs*ppH@symV99?t3l&ISvv# zpVeC?+T3*O?Pk4c*-op|u{y@E)wQ~I z*BRPv-nQ&v%Wl`4mSNTFjYi9{S{vc9LLuWrLScP66PE=u3~PQU7~zxP92hFRNUj>)051cX30HgMuuL#!qucHn zX`@l(X%uUdy!2(cn?!)t&ES`rzGlSXs@dunPe6nBJ5}Xan$BYH)OUTQVq*NX@>n zv5~P7Scna#Z3|?WJF34e9^B$=f6b$PMK(^0!cV6rcu(<7s@(h3vFrQf5F%A6i-TT* zh31W?MFEA|RrKB)08nyH|F^&V`~NP^nG0l}qUCCM{~?&G{J++(44WU#oJ=@~y4uVG z>_Z;8Ms?LBlD^`b>=a`J;p`kPoOVG=Y3Ao`H106bZN0r`hq>Q=N^icAPos=0L2`l==MY6#BC&(?G+Mb-t^{^ z;q>UOrhcD}Y^Uh%>f*N*Ojg5KDXXl}jdjGA+kMR%5=}lxF`l*?STov`LB0R^@3)wT zY_os;@Bej;+BPg}@fFbCfB7G4)Ck_r%-|gMl%m=iHQvr#>q61}zy0Ok{?lLo`rrQJ|NTGz_QwVO-LjQ+ec|KJAxAOjfqn+dbsb)Ot{~qAEC;v}5 z24rJ%dcniV$h2aocEM}{L{ngu)EOSY3th!!Ujt9MFV6vYxG|X99U?u8m3nu&R)4Ge z^La;7vB|;185=xdKgdusCUa2BOLrhGj2xMivX+`8|R2G zJ;NX<8BmFba28{yor9$3odp|nt?HXU>1EgZ_4vE~LI33N<%aBlI(VuE7a*R6zA*O) z7B`i6__YO7#xD5OBP68zlZl$o_YY3`M}wpOH~k+6{U3J^Uhnm{peNO`7=vHSr~i2I z=GTkz#jpHgV-wyuymCmKzS)3xmBIhC@uy7hH=ZWi`F`hMe{bicKiD}q80;SI^}pUZ z?$1w3R1C7eo%7KYB zhj{MG|D%f+F&V~op*!0cOiabDp}=4w=bSS_DdvueKAv$9_EGbQktO3?alj)87!g!L zLz_G1Y=n^vbtyYgdMq;B&1VlL&N~@OI0pLcsK2xKqMu4S*x&8HJkCu!PP-NQ?BsCo zF!^r#R>r^NXGlfUDHaB<@y{};WJRsXORs1hkgNK8}C>S<_9-SdqccYWS3WaM!--8T;XqN&k!$x>~h<*+*3|EEVsJLoSVt_|4 z1B@Ux^wEaMqZRY#{)^WvG%0TO6SgO!aZ%3x@h;o@cJ~zv_!PsARWP0|WZW=w%E^P0 z?9*$KYoY#k{iBzC;Jh#P4)$LH<1NbG>gW(*n^v1fBBcgPS_{r+Azla65kAlf_SxH+ z%R}{v=p21OU$iYoA(<{TeA}py^P#&q28r?%g-jKf%YGn2l~3(~u*=#0*`G~4bM%FR zp~{b8EViQ%;o{rdQ6HC;QiY1~{=jlqxfA&i&ss9rVmeU;b$(#qskzQhMF+R&#%e}O zO`Qa^_eUcYT{~L~rrkBY{CdbF7S)?6e9Wo$vpF8$WrU2IXQW4zVHzXo|_`v&$;ar3)^*2gXP zy-RoMdwBe`y}Lj7`t|<7-nNmbaY&RZuJ9dguy(}}9PEZgSJ3D?O?i{u!4XJ}<2O=f z64%e9%yq$UlEW&*D3Go&Jylycu30inas7+|492?5t0!bR7R=zQra8S(8R>3dr*omH z4T%>_%quSmj{Nlqm_t=PckGxsvw>gLGWbW)h3?)a2@z=WbIvr26;Dr@#uV2=-P%~O|8Lal^YI@a?|(ncL%wvkw++3f*JNl~jpAx= z2j^zJ)!u4>EKs*Q!(qp6cFbnetk;c3yT|zuM1U4=o2EUqt?sbi?l?}XWAjFRSa0!O zy;e6ncCVQW)HGW)vpF=Ityaf^(g3^LY_`pzWAkpS(*rnY)ZcA%TaM!ldAm~^nl;`9 z$-uIBttG;BW48?q^PJZN$RC|%qu%C*;S9}&(}i}rfL|@U)2kcpdan*W?bwY*qt$44 zECAl&J&;>Wz&^`rnz=w5je2j`9Cj?D-D`FlwN9trs@Kg1bPhhI=GaEdsu}fWr_F7= z#N2Zrt;aiUqgQM6nmiw9v(rK=2@s}QunM|$yW4@$M0XT+yJ6eScB40}b(}6ha2(zS z0n32Ca@(x6tghM32Rf{Ghpk?V+pTV`1D$Nv(9=b?ZVcPjuw%B&rqwpvwWif=w`?4% zq21^@wKlKwVaI9Z0&VhEvoo|ht)A8Dz{fZ2ZsY&4ccsg18(aE6pQ0nVqQwHZZ;s@G zEXlItO_A&@IlQ_5Pid7QO zjb2WlK7E#6PTTc*&1%&hyKV74@3*WP9_YB9)8;rfJnpOEm39t%C?egUFlc%5Hykp-^%=ZQd2=1oS>f z$G6Z6W{(`nqyKDC@7s9RIviCs>!3Z5mM|@=-RSjet2?UO?W5&A(W-T=c8mAS4m#d+ zpooJSdVPRy+l_Y3>2yt}ZuU(KMf5p0I~aAg)iqZZ+5>?!xWHe_ZuEG!*5k-;VIb7; ziHkO9yxFiiHbzvhh9C$H`h26wZ3hTg4JilJbXtxe3&M6x8|?yFnm|{(CosTT9hBts zPzSd;H$iZ10h0hDuU5B2XLX?_ae^l7h89c;WN!*!0zcar)Fbl0?A-3ZEp7* zE=WuaED+2k$sWgo1oE(DGhQS2XJA%{Vbg$PG%_e~ZMgs~G=pd)n>DX-tBMEG)Z#BUMFd_g6 zNTu6dS*WmuRj;+dD_V7k;99o>h@GymYRJ>-fTIFjkZ_IjI>r}9UbEjd8+8Gy2DVoh z>a@td>j=RcH4tON>6oTd>-BBN>YyfWx9aHQPOB#BHg9!=(=eN4%r!br*Ak89ogVkE z^INa~MdUxq;-MY=iT8iEYt3c<&ycit`rjA${UPf==?pLw>$ zr`cq$d{3?RWHUW#;eocGQbyWYXX}-0Jz_8o1G*x`4g5ivI+HFtmd<=eZ`IqZQI}4m zJGZ>W;gc3Y7FRnyHeR+WK;yBnJeqIM+FDpZp!s-OHedk|qJQjeQ=a;%FYZ<;pqv-o z*#D`=);8HoNMvEtLdCNGV~UlRNJbX-eOh6#A)3qpK4|7VG=xDAmq#){tHvju*~$r-|vg z)^6bjk3ANID@vw;nQnI>N-Yehw4l(v#8@bnR4U~)Xk8vJl|Z4nd&~*w-ZSOYoQRSZ z*jDV0TiLgpJV8E?i}Gu($qm!sI(n(nIqu3Q$}f&you3>Xo*xfr;dOqpyp;KjP!o+x zBbN5YE0oRK>58a;@*Ge#6eFEIrc(le0O>0^G*)HcXX0?i2A+q-F=&xm@cilHygoH<2?wgmTqGPSHV95(>I;l1h4B+z=-l?!wcD}LRLW6X z%HE4Ir#Uw>tg?5U_FCKnFQ;z&Br&%lb-BRJvTFf5i^6WcoVxO)%Mw*AV0GoSGbxH? z6K{R@Oom^Y*lTodM6fJ$CG-EQ71O)l7x}HX|4J8Oe0CjV4|TikoBV$?+TA7pfAz-Q z{=YBs+x)7UL}Ar*{i^UU2Gj&arkoZ<`Mq0qvt1wFW;Q~wo^Gj!Ry7z!N$F9FER(&>bzz}I~$e5+7uoi$KuT*B*X0@H2Xp&C+G{H9hR%^|y*AmX{8q?DHxbBXqdc$cu&TwQ;>poY=yIF z8~{TH_kKM(|LN@YtLIN2J5)S}Rm8Zi{&)cwD%jBTkHtJf;Kmkt2sNs|uW zg)ZGnOqU_i7Czt&B3iv}v4;< zL_cmrrJKfDK~vObY&zu+k||&ke4=H7!*Z+h*K#2!U`U-cgPv;hSlskg0z;=pvW*xw zB}`2<>c0hMAUm>@ZR$>&c?K<9am&-<;x^N?G)m5}KUk`rkg9zD(XUW3^Et(Z*S zM9wHAG(pMz*%i$VNTZs3R3IXzNeq1f!#4>(b%Ajz`lv+BWn0xkL#p0Mie?lPI@5}Rqqen6fwG`UClzz^gTqXa@BgoxCRCAl6XKH&vH8t|Hmqfv<%dEt8@ z2F!R4kmSRxc#*66$^9BkJ4!i;c3JwG(hy;Bo%*#n$%l)Io!fBLX{>ps`YlS*V&Xu{?o}`ty}F_DL)3iYbo5=Yf;XSvt~Sx~NFnR<7YdH=G!+*n5|8|#JW0zA>!osy;# z-5}%c__M12jz8a$KbwPy(@o;n;s8oJjr2W9@Gg01{!G?f`kZncN%*hM8&?~hddu!LIj?ov{RS7dsjosqsg46F zp;UY0kXr)HNTbxAcZ5rD77qugHa&j&+PBn1$%6e__PW#pt3`;70G(#C}C4Mj@<YNU+Q;@iCBMesajlam*np>)K#qeG>Rrf!Vf zGbS9!CsLq^gN5uVdj3+-a5shUS$-06ULYNxQ!`d-lYy0Z=oCP#*abx?&u6I#0~=R0 zb-5@zkzSwW@ijWYw+96tgDZ3rZ%5iUo}hzyJZ5BUr04mHK1CPG%lOfRj};(t$dPd% zS93@ZQ!H)vNAs3=)izCi-2d+OZn-fM?GL|hu#GqV7}}Gc&Ms{!yo?`DWxr`~R>1jH@yk7J!cb{qy%_T%yC zU>EQwj-%99DVD_iNU2mXu4n?5v>loOC*2^4M0q2VD(5o2+%@&*nQ3KY3WV~UUm=e? z_Lmzpf2RV-lv%95RLdEU(wT$Ye<&>%&Z{LSc*$@i3*RFhhhGK|+)&oaD&MAT1^1*g zf0B#x7Nv^$ldSD{}%N>cjyP9_+#t%i2hfH z2DqUA!9;Df@ASVf@Y~fbSVE$*t50d|n4Yt@7G(Uc9$iiGKMteH?(Y>{`DD_02&+#Y z+U8({ML6ub<#?{`&Cr0?&(|UeH5@)c>c)m8z7vyOpXHT#AqnQEOFtBG5yARjKNmc|iB9 zap9Y4FfnAg(PHHXn&m5gnQ-5Agp5-XUyDN_P>b@311Oa13JH_#hSe-W&6ecB^bkN6 zObaV!P);2*a&VyULJNN?$0JQ%uJVl~r*k*Fz~bIU<`9TP*g}1}UESTS?#gt#vL`Fm zm{UihYE4E*(CCF%(Jv#~#!|f#2>&9#690!O=1utYkFH}q|8KM!OZR`(TkZOt|KBh1 zJM_5Ez7_r$yol{{gmh~Z5^JAA`_|v9FUBwkhMpk$ph@(HmCwtjQfk>(()QDDdNNK6 zJr7I~#xy0l&qMWYTnk@!g9#7gLNV{dETu6l0wz9iY4tn{z|G@va7oGau?*diG663g zQNnThMyU#E*?#TA;g1H{UXf1xc30bA+!j$}sE6*0_+cJ*b6XzqnF%mn0=>Qq z0&@MSTcoo`!go2{dcaP(cL_xTung6kq3*p*JHiw`;@8zgTZn!NY_bZ+Gh{%xT!b4( zGIC8BA?;Oq6wJIRmS~}{Zl+;lG!-h{5wJ-b#x`D}9rgoCMJv#~mU|`N4Ksw^VCTt! z#_!Oy?_8bUjVl+FLK_uR$Xc~duhnnX?$g)r+BMs;$d!F-qCKEhF@?8^^pf($$BtK@(JN zG)W=_QCh%h5SoH#sfIFSjDmRH-D$#a*$+^vMo4)@&tf-aNuKc$U#-Zw76MMTaFH^dKBk7l6HZ&{9D{vpl0~vwsuvcpTM%py4DK(`ozHeNH2;7y4j* zmTUE;IFMx)!H)PPpd%Wv)SKa$Iqgu2dZTT`ZiH4t!>2A3J}3$FKx`2rYlwt0O25jZ z4AT42;b~2-7zQ9#H(+NXj)nh^|0cc)#a_%rRDx;Z#-Tf7r-JVC*|$|tA5w5B-HbgO zdBOyjB3UQX&h&8}1^jTe?;vdsxDo#_YpJ7w>j)r7h8_fk8nxv8d_RrKV~VhxOk7Z6 z;E9<`DiAcHG?=CcU5gzB0f^c2627MDlgpui@cCYZklWUX4_zwpk~T;iGp>ip!^&e$ z+cN|9*tP%hU%myL?mH^Vaph!fP#ph-)FMrsrJ9C;lh9IxJ_$^h3U;r-_@9GN9PlT+ zdw4Cj^s#^j;93DYcG;OrtEMC)=-F?S(xFhF(aI?LXy1}g$A~RkcOmZ{hpHHM6b9Ek z21J&8F~|XB+ErN;IToa&lB(QOp2RdLpCqaDMxXlwg+GH16NDW4f0|YVbS=#(pV{E9 zpbsQ7hQlrtFCv9ucTF#x0%cx;G4Uvn$lC`;bDA}<_(CI3LosB}!hnyoCy>js?}vyp z#uRt!G-(7~k&WS^;)!j1Lf+4+kS1^=ecPuM^iRk)9vPCgIkX)>?s)k`XiXlv0X+GB?;hlIU3y!*bQE zxXkNEiO|{sWS9)oH)A@QMebO4 z5)DWMiAvJ=+>C|KIa5Mmu;yGJ1|S+0$`@l8y7m;Rf7VzP{eDe{qZEjikW8FYS?$T>;%6djo)@Y-NmQoiwi~9V zbw0#!g%m?GJCMMzR+Y&hVT*gj6i%gYg@JG9j;wHory2IWXo5yG_ehpF<*==S6?xQZ zrF=r~x-Po-IllPW&q;Squ<&RGIeu=&2(_IcNewG@QaK2eu>ADmziHJ#nQ&69yVEue z9L+h>;J>OpBe9?8lFUe&7|}CPSb8Q^-B;u6$u}9XjlA5LXEGNZ7pL?1qr5$i`?>1r zt6y=@Ow_v>aeChm-n)o)8wO=sY^!)wfSF* zqjbUXd7hl7VP8Cz_Q-W6u1zazWS&k#b2MaBdUN&oACPLBLthS{!$F_6is$k$9gxro zh4?sxOvxwPNb}~nb~KICYOhW_ORMy#56Yu>VfD8yyJg$P%9iaI&DB=ZkXGL^wwr4$ zDK|G-vj3r3`{%SMvT?h~#Dw}6bLYUJRT%fgvy1-hHFW^9f^QsxE=R;+`Jcig>u|^*Q;1FnExSE`ECVlQ_yp@x}juqy+So2NlLz zBzpHB7k?Sjs<%n7BhKRlX-wV=*X zE}&*`=zv2{PEAMG)y+mFha>vvV&V>TBwk9NuC|aVTB6@wzm{(=M`-%-oz<|IY5sS2B3 zyqtbZigBjY~+Dv%p;-GkZ20o!6$WQkX8-AMUv;9MLHAmF+=s(j+|hSfz!EXmE2BZ z8AX&(1ALNJC<6 zEd5y8!-dw-ht7zYxBTBfV#+2eP@y!O?%kh6=iEMbBKhv$5)#gLlTl1cVpcI&&0^<@ zai(&BRv3E@E%GE{Kpd{%%4T@O9B@eXdz682yCj_0M7nn4VCbKQr)@U?EDC8vdJVfH zFHFQY@-!gAIQBV6W1kJA#}q?No8m>KuGls>zW8&Jc)Wy(I8%36dFohU&fR_FxHPX~ zoYLJ5=oz-lNx*LE7hhT>5%!2mqs4UMS{4ID!NTjoXj~?wYwH{9+uN;;+o?`=O{Y+X zA#yy*EtfbN_v&8i|3x~i^rNrhF(cS zq_rBt@<@!+#n90*4ZF>ijjE0ESXxBb51eyJ9YuO#4vrVaeJ|dsP^4oSdVt0uengD0 zM>8lwOq+ClQc1D_o41Z}oX8%DLm4D}VgWs*fP;ikFYC4X{Z~C!G*!ViPzSu zC6exONUCxQ_MOsPR~*hrw3dG?;Ued8+;cHcq9H$2rv5QYwGWn{zETQ@r2}ZHm2yac zk7;$}J?Gt@Ml>xat`nzDVL4aV>HDyVD3P9c3uSuz^5_|5iRUN_XsvoAp7HEdGeNx> zwdvoO^<2{;d7Jd`o;Z%-eP%bNXEVZcxi-+$havUcVMff8C$V}kWBmrw7Z30YENqf- z9%q9gMlDw1_K?CP8yEVy3I&x}Q+)c$JTwKVRs8uW{#N?$MQG97d=-r2?`bAO5VnRW3qCCDy* zik)+@=Zz))?#7u#x|M9FUWThdM9IA7*2-727p1Q6NN*g96Dlcjcq7hBsSo?t)VM?I zEhqgjW);nv#0f>r8B#koEpJjKd^Yy@*vBJkj>tB(EQv^h{IGQC{BYZJBX zxZarL)n|cw4mLW1QXBiBGmIS`Kpx=^q*HP1fE0kxsRvRe{i^8DISn0JADkSVo`Wh` z0xIoEE97;}yVadk(k%AmSnLrU^TM(F*MG+bsd~1}3X`J5v>u5_GXLf-WYC-26OL#nI)VvvC(WQw9onQHa({Bz^cjy7 zTYWmOEWv!}$RY1dCJ8@OI=!{FzS3&mE?!+TYj4gg;UpD`)5&Q~L4c{;m{U(01gSZDl_*)2AOy!skhl4iC_^@+U$wb6DP?Mk^eMLlaK`5 zR54+^col}k$^b>{nG;i#65X`Y@Ezg29Dax2^o}nszK1 z6;n|LB>EN%IVG_o&8vGW%vsKPErc;smy}~ntB7fzZT8hx&gvSxCvUZG2bq_I!)sQv z&h=QrLOBRi;?ogHuTaLorcWs2lqT(Cw@|fG6=M!{%!~xT^s`i)IOn}AmoXec_mWXa z!fQtH#EezED)k$pl%AVVB3i3NNmCq?8G9;JZuB>v>?s2LjhhUET=KRibFh&@CQ@AI*eQ{M(^V^uX)hZ}tJ6qX(JzEtEZ*B4_NghP@KA;L~5;PW%_ z2S3ViO5Y5;uL_-Mg5EW8!mK2He~Z%hO_-XnTbX0S+{d%o+TPxp9cuWN-aaFKGLm4p z>cPz2pmf5e8n10Zv-2;%laTmGm~(@G*dk`nDqNUstZm(%6mbSn!$`!xW+ME~atDFy zOvKZ_{%0>fcTSxNO(~;u?t|%`TX{m<7pICQa>7&NLqDKi2(z|xCgGt|mHFEBDe18yt%sx>X_;*|MxbpuB)-#}hA2p_nh7FKL~K^<_du2t;xdi_MwaO#TshH= zWH`cHTix1jZLe%>-BvGj{I!B}fUUrj1Y*m@pCO5J42@k7j@5o9NZ3=Ei+fo-;Qa)d zn-)K}``M|RCRrh?ham*ci7^b5)L1pa>oCp5BT1cNaJ|5? z5uwQ8-}ltyKhLjn{x`yIL;BJFzUO~8-Tz%(nfL$DT5qjxd^-R8EBvPSf9J0M!gE1r zCo}LLJvVyJxWS&7Yc<>i#5IJjf@0RQryEC8kPQ<_YJ63pn}*#a4{Y2^Gel{oaX5+X zYcjwcwjOQ}i%N6>McBo6a^Q5;<-Gz!5Uz=@P4Kz+1Ccu9Y{#zU{6T|FCM7q`z=P&n z{o|Fjb>r;pYzf#4#EdM;cSOqc@ga~dun$DpDf|;4E!|@8=L(QC5&GM+rDc-@c_2ol z6Z%|%jjOMP!cq|=ZH6#u4ZM8TzElpnRGSFYZ%5R}Kj@F%)@uoMR+n#`ba4%5M|}6X zR@1jz`2sd5?G&@o_QF8l)@3&fT!V+~0$03H-fl%Psx@^XvW_m|@1`?>2Fp}_b0Y;3 z1d80CiX_Fbm4{Loz&lEZcU$#Z>G~_*@YJZ4b-vAl>#ngwYMo<{YK&d0Ug$8e4`4$^ zV&W{}A`E-PHKUTe*Xhe``t2-~qrWa1$X9h^zN@PX{jO=Oz5bf7 z%Ky;3v+{QN>+iqcF>inWy~&^AHt$u7spu1R#TBi@9OipO1;~&o_QwwH67hxJDfCb= z8ZiE0iAW8r`#CR>1n4A=_^$bS`3`O^le9!>GsfJqySO!Ww?R))q@EQNisdj!l?L9| zxuHI=Q#yQunZ&&~OzsF?P)Pg5{f7s8k2;Mn?jIlXlPKLn`f83INRFjQYn9LhWZcotH^&icODICmNkCSGC(A+#(!7O3-aH} z+P|#-qP4i<_y1h}yJGyOPX?eQocLql|8K(oZ#6d;{J%9f*FW9={xyCdkN>am*t0YB z5CVAH0fnJ-yK8xy^S@BCC+=Y_vC2*MJZcAcpw#C@7;gA z-+l0eUw8Ho_l_SwCoVmW-Z2`fA0hXbC(nioSfpZicmMgr8ss|??tV{;rlH*n zG&F?IygPua+yt1tN|2_~D@XY5U`RDpmC$2=yE(LiLuv@Axe9ymGp!-psYi8tlet*? z#zZn0tM(0GXcQubDO4DQEd@bHWgSYAVQZY1L|E}H(J`ZV<^B@!wr|j zSC^(%3A%1rDB6<%(Drb~q&D@? z@P_7qg!?-~6BC?>gBMVsm}(yoC3g<2$!F0Zmc3d0)MZ01h`jhY=0{BdA1l{-jATj^ zm!0flzmuV}YxDu5hg!{)ayK=K~&4rc{!HA8lNP!z&QaJmD5rFxqc#4^G z3RCj)vfvwr9j_EQM=*$^doVXOhAkXp1QPfAs0~F&B(>Sf$^u_fB?=j>7^YH+g6zzv z0F9UqH!G^wJ`}sPa!^mj8QrZK==k zpsN})%~TQRg}x}Qxl5d@RFae?HSy;9mDR6fqP$l&g`XiMvI(}L5+&nF-zV}7S$Uf1 z6t`Das$=t=5)0;psk(SAe*96)ERHkIqD_c18zhl)Y0gd*H*D8PNdzoQVA#mIq>yS& z=Ea=p%c_Tg`AIH&G-(-35(Z?{qER9z<+P|op9XpOKCLL$F*l_!0;y&wVYj}JcL8B2 z9`2vqf82e%zxP1bXnr}^F|jY9sIeDTYx(k+1hoCV!|pdMA>S$+#xY~HxG`=tev>qe zhS?Y_Em!LT=S?h|h_7^qOiMBYXHqLn!z7ND3wvuem&MB?JsBVTMu1KRc7B&AJsR*O z_DGdCPmQvOMO;YyiVfFTJkt5|>fXg{EIJdbQVnj>#$rlLBGDvJn&kuO8ZcQHFP3Xl z>RE2ve4|LLy0o3;@BHz?XGpUUxiC^JvS3ilrr_eI$)L{UvJ{_B9fX#aL!!4X3a(i0 z$Lgvtpdm?CcwUTEL%dlkisalNB&TucT~2fTu;Tva^8DExs%*G-8zO1kZQQ-i6A4=> zNm(r%k=*Q>WadpsG^VwO5Apf#3PO^e+yTs(R$P)i$#)t>|_qz99J~?6t93@rNl1*q@${Hc7o=wf0MIX2CL)^@)%dx`xK z`G*Vr`7xCRLl#C-RRtIGBcA!4_~L6)58u$hyuOTu{ga}XfBJpw?AzOJ_PIi60rE1K9H~@;BQ)k!E1wWnStCQt!uePtSMkLcrT}zbX*SnjTE5Sq>I{ropj{J3dXqUBi5I7#HT9;E zNH(POYp6+AVX>n~{go;msM$NB4pD&=1nn{<47#vB;p(f)6&?~(Pj-kD)+{fyM|!(c zHCKBBRiM#|ex{_n7dXrXQoSba#YY8zco{mJ@+i3WVjq?%Gd7%Y9B`*Xt&N#VV35e* z7z*IEn&kSeo(d@TdwxPn(kGtqkN2z4|FP@G_Ag(?P4s_lecu0fYi*^u`HBAj3cosz zr$Dri?IoB1|5eWdW%LC~zt9oW(^6BrhZ{RKLqONXE9KX0N9;rY12IO9Fk1JZBiIU^t%8*LSpzO!XeRgQ16}#rj}R&*^RFQ602qwS$jU=SX&EFUf|WcqL1tEVsl|2xPSTSA z90do+K<+`@5Xdk)7nVd(M8qFoi2L*LSM@EVt<0(=RJG} zcLyUPGpo90I-{#If}rE`@A!W2@p%rflNHU621+=Vz#%hcr(*tEko(DR1EAz~B7*6aJ~Z&94_cJNiNPW=0LrL;Mq7H=Ex)2Z71{>Cx$V z|M~xvKa{2(p8xbyy1J7W%jGPjF2_OHc`SD@U`hT3aTO|Ki!^u_lW-(9U554ZrRzJ);9+&@5kpNzm{~tfw z{qRTm{|ER}$^Q_ied{rk;Bq>aPdQ2aMGALbVNNDVQWiNfn-_q?WG zQh}0*_Y01^93m9n>)C=M#hg_Q&A-L`fOsrqf46YwS??_Qgv9BJdVjM-HZ)q_v}ADW zal7>sCSA-pS7W^D@=RQW@75{8MPke^9HrzyEo5YGab6Q<2Ip?f} zar(fC!kO+U?i~LM;eB4>U|3{wQIpuL=p^0_JIuGnVRRU+LaTsG8~bMCDsc9M@H#^4 zk;YkfQ9G1&b#|REtSj#OV2?!hEcZd19%Zx?*qV42vF_U}pR<;Oek{2pm4?MHMMv?? z%4?~m0oqIu{AO}oYKu26X)Cn#%Uf=rMn_uIjBM9@vBKLh3%q5g3+~bNl8JqJQcCGx zUWT(F98=LU=z)0MOZulTFTUD4?54v)`{4todf4Uu&hewAOU$>K&hZiSk^(8gCmz=>}yMKAK zcb=SGo}Zoed(?#kYWU>vd4-Uqn@-&qu4*%J3MYD2YbhRuh5xuYU7l?a?THGXTEyfKw%o-@I9v= z+cd263(Nq2^{c~v4>PlOe%QwxygWapS6~k5JEzMMe@^P=#zu?u@cja{ zor~-^YtZdUW6Z~V2T)7pa>iV{d}nZu{-y<0SP-|E-`Oses&MY|3tRbw+qfAQ1N(PT z+P|RZ(2bC_TCM)+<@tW^s`tx_-bo)ZhU9s&wb9+D-MP^n&SvuWn>X_JQ2yfoPUOFn zjqMhKuD$bGBd__1TludxajQ+<-qQD4txQ&)3%0ws>_g82o+CwMin~ z24yjZm`2@|6DDbFlUec{EFC_vXhd$rZq%?8J<;T#cH|a%K3r2<_A|W`^=Acp4*^v%ToFk=JecVOGX?UmY+#@YqzVTE}P9xFVf|rpN*Gg zvdOR7)Z~|ee;8^&G;z6oJA8@>>0l(``%k;cspTEEvA+hwugA9`GbZcve1&*(SbTGC z`Zv1_;CV&n+@|jK2T%v!1F}0EAX%nye4hvFQ)*uYPBoYU)C=)Q(3>0_eVlAM%3-!u zSGq(l?sK=+-xT?DYt8PXJ<2nQU5YQ$JM3#R<}GP%JD{YLog|;P;#cAvcJZIBcY66d zh0Hd(T|P?u-w*hoZlX7~eZPg|86Bzhbz{RlwVV9ub6S+?+Hu*ll>@_JY5fwapXmSf zgj~#1PWgGUIzZmX7Ay#JVq~zhNJ>JZX+G&Go1V1AhqvL`fqz(!{3aUQ40oEV+w+YZ zUn8rJ$!7iSo4VQAC*a0RXYazlA~;10(ipF?(Xuz((#ZRTbg`-1p0=8f&`A*pzO?t>z1&-!w-7u30S$gzRAjESBTPrR% zyPNSb$;&IwUwTdps2r_s8`Idfwl(ATESs|moF<&sqwMNPvqSoGve4DH)w;=1ROe?B znT7IVD2RCD75%cUb47|Q%Ue$1&3U&yq~kl@L&4V6-K|}Y;{ZQNn5=ti<2)OSBj_B@ zBy>>hZPlzM`GWSKLf(Dduya4Fozt6af!_y0hR+9mRC`oj6SPKO`p+8=zBambz5T1s z?qBhIp*P_ST~{8ewewGEpU`*eUHDJmX_WXQd!n0;MqAC(3BO+btB-!I{uRF&xqvT{ zKqhEgSE~A4mGdDQe0LE~UmyX0Wn;#&UqS3VuL-Z}JK8w+-$Kt@Z2jj@a{dWP-0N|A zgJt}c9Hz5U%uv$6Ss2sVtgw5cZNl|{k2 z-#}B;8c_UavjZT+&35z&ySFNzU5|@&(aDgyTltNm3wP2vNsP+x%G;CWqF!lM8cf z3x*N@OjGoy+p#tXW43YjR68lS(3b6N#==cU5MrC$$IUMFBa`yoYxWzkX+Q=mY48dc zKvuwToKA1Lnz_yDp^_mA0@F6ak#7=;dM zOe;Lsa2Je59K*%@V=L14_P&5Re@0f*)&A-6+2K(Se;<=k*QZN5`LQGabM6s(4=8udvedcOnM+ty;YRn9pbL+n z0`MVu&cEJ2wtE(A)mA)0{h>>)+X}vYWyKR$y6n%J)p9b2YUB-tresey_ZCl3n^VPUny=giTG5&g7q&};huY?x zbKtVsI2~rHr08XcxnSqqb^bzJ$SH+9e!eL>M05nz z#^Nd={_SS1(^XYNuJ77oHQf_CM`l7Ui)r?7<%F$VcJMu2O-a06xlY-ofnTG8{wo_c zOlZv{ZSY?iCjZk7bK|d^hJx?%rHeLv2dyX6D*p0`i8Qu)m*UIqEnN;;;(S$VUZAu} z%x zs#j`n{g-I7)LcO3Cdn3o%siZ47cYxP$MagSPp+5Kq4{ygV8U9?qI(0rIJuSmfW}Q-Z?`S`*W?Zc?gt;hTha)%C0JUpcm3wBy{^gps=lzRO6gpLz|}g#ix;W-<;Fz} zetw5eyXDfe%Zf<#m+j<(4}f`nQ}x^Ild*wXs_5tr;5EN5?&LtlZg80O^O1M}T0o`0 z&u>_zlnw`O_PFFzrzbe`>bp5yI5#2ik@)TSj_4@nHO$7m9$t~>_@jMF|4g~DSWC_9 ztkU}d9mDb{AFzJ!LR;6>UWM~Q3tc~HKS^F>DH}wSoP$^C;;q|3BoP#GUD7mYP6F55 zdC9X$lMVdP8RvJ|2H0I_628oaNil#{@4nfv>EC681iM%&OygFnC%7V3@aGzFVyBV4 zRSk|BeA`U5-|^|-n!i#_D0V@ZwtTg~#H{fneAgkVW*@v`JMwRMXV3;ey75`~20zA) z5z=~xw;4U)6s&*pA7{GG5B?|2|2aC`ryHo(eRX#9^oM-M8 z|MLg<^Cy3T)AH)%GI`ZI>7DN#C1;l}Xd@)L8CvoH{rOUn3ZJ$C0iGqhpMJVa=XKu& z{`B%wHvBzicOm(_xp6@3URzLBAU_{}Me-lKUkXkm=$rig`PE zQGmm&ogD8aPoD1XKI!a!_+&S^?C-UJP&c=P7gCoeIp+dt)(ac`K{^XPJD^uj@Jq%> zv%sNc>5Piu5|^Od9PGP+5~`>RB;Og-AREzj`zJCVXQ-MSj9H#Tt=5)A6`jC+x>XVDM)4I=TQ$Y?xTFsO_CQ9%blmV*>KzPVzHh+PR=-o zq;=%ejU*jJUUjof!6{Gc!2YhsUWMPatk0beJrbmWqKd+XV;M%A-ZLJ`ee9ET7H*o2AMjV7=s`ypHLNO<1@O2DwvOLW&N6Rv!t;Q7%XA(Jpwr-L#h~tB) zc**7}1GBg7iN@w6gWaaQZ7!MC4f1?=#4IwB>x>%W_rOt(u&6p_hxsh$Y)pt1KMP{n z;|tiUT{&g^-O6^RudMihwcS<=wim3cVCPXgd$c87KgwI$5)4hEn}IGBg>K4LvSAiT z!fV;m;0$L?yF{!mqNf$T~TQ-uLeBSYeZ)p*5936zMtSs6sd_eaZqRkZ7;rbueW5kxqMwHd#vicMKz}1 zUi8k7`yAY86VB3B!5|)*+ z|WjIdf$JEU7;j&nkV=aA{ zi72PN3;cPh6~Q1_MbJ)$Pqq9>Q^}))7>?5%EXmYqyZApBM16oT4Hu@|wd8BAoI|t7 z7m+0N1rh0>)bt-7n`^p-XIO{y)?uIr#8bynrkT$h*7vkh#tsy<%|A^`UO}OqFack!*1V4xCOu}r;2eNoV(Wfvr?|Q zFwr(%SWWMktJYmyw>9wO6(xj)U>ju$1jWNpHoh(V~!|gbgkGX*w;I)1k(}T#!iQJ0U z@V0tyfaS%|E_p0fd?t9f2Glo6_Ohe_w-aRY#Yr%Yro1geERsMrn!1L-RhuKfoR!A9 z+b!oc2?{*LBd3>%+pdB?>P`onqODwOT?JTG@quN2QiCj22)%VDv)vL<(7km6mtL_ib(h46V=xX zp~2k5U(h>|n!KlBq%>Y~A3mep|p zZzpb-`|woj#@6UiNWYr8$`hAw@71ThA#wnqt>g=@_zpEUrIL%KFkKzo<>;j7Pu>PG z&=fnhfluKPMNqDqcsRVkx_Cost(c_qe2j8IbqjeHA?_Se#y+PhY&(UlKC;xEC)T*z z$$dJ`r8$&dlXPCN_f5vN%F;Q9X}ndz`Vk8Rt7GqK zY%_$N7KfZW`ttS`zg=Ew(U@Al=yQ4r&~(|kt42#(>TqG0q-9wQbMuEODZwba&ZoJn z{I=&s4kMwcl&wa$n%!Sv-Ycs;0-BeGih~~!jq)`u{5>Wex*hXWV#PDlW!ts!gvW&g zd|Xv0?zonfcsNgw(`m!6ZNX|6Z=tqKb0k<8r~{(w%bkQt`VDIU6WY$5XT`901PQ5g${oJRQM`f;9$+QDdpT*33G7RZF$@R8J`Tnd8}`Oa8j1 zEd;GY#R^UU6Hthoj5j*7DKI{T%f=97FAYTVZeTC9YPI&Q1nN48W+s$~8>sC*$J+>H zRBAhhWC1|WFI!D&Wh5oDfZfo`_B<;CALnF7HdByM5;Rir76p^RD#J%!WsuCk5QU{= z7rLmgq0$nm5-r)N*u2>rKyj38KIu(w(mc>q5Xyvm3Gh3MmZ!?8fx!6JuYWtlCxS|{ z1vyZZ8Uj0SdR!to)-eitHgv1yj-kyjG-!?pIoT>6E1nFCvGeLOFqtZ7fk)5<-z;q* zpZnAs*D*dh#s|Wp*g8PwAfj9-V_A+xu#9uy0`by4lch83F0?frrgdn5lsR0I7MbRq zqq!C=Yu)gn6Y~y70P_Y0zBp~;IIcSMNP@3f7q}~J|1a@p_RZ*wUVgVN`Y1Vsj9f{x75A3*2TUpt{p@hhi=!%`%`u4Mr*ua z{S`54_!}+7=zXGk(qq^CR%H?^7LMjQe5^&}%r_+Z$zz)STSmMHGa4!fNH;%o9O;-% zqO~djQj#VjhdA~m2GM=%7oBbvMGM5Tvo(=W%b!s31V9w^TV5~c9IcA7P1FSQF7?gC z*_tX_RRHk5rm48)09UsapCnCB(c;Yvs^AdohhU#5zh~oJzpCMT#gcoXj3Fpelai%|YoUCPgv6s}_c17{-v4B7;ldKs-H zJKuw^>CInTL}=c&G1r_ujrrHpl2Th;mpa4cKWIwwLz8*2A}e9l;e3MNa0hCFy@iCI zXuSpJ;1n*rrU4cyixbK%$Tj`RYENk#GDMaW2#NIjdcw zGe8n~j!VmVgLsi2>At9NLCB}(j{>}DHijZCwlLD@rgA7VR`TTP0#t?Q*^l|mm96j zQtxN}Nltx`dQ$qN3b^@ctFF{}#@;&1(ory>zL{%_3(dg{0P4ae7Mu-{WEsRW5NEAV;#4A2V7hC^qL_62f(|eOBqhu9po;+XymszIjXe&EQ7y%QSM^iDR9c&b zj+wI5i+OgRmx6AJB}YQDax9cBUHdiZ=%NBZiN$H6ziD`Vj4f<~&kpt_UGVu>3h~NW zKIfEmb22dmq<%vxBhW)qJFf){R4_kS!b`RhzrtltN|1v#BBwvHZmo@BsRRxwf`CpRL&u%68?m>GY!Afb13$OKoAJ?Tt9Tu`NL(fU5EC z(^#Lj3^9ujTBnM+r3^%`vIX`zde{!FhV4)ryANl`B&?dIpb{cmxdfKN)O`C2Ow;Dx zG?imW-qMq<>5i6v8k`PR6>7;RoCqi4H_SjSHF_7F;EGNyJB4=v4~XV?a3 zNULV(E&&&f48`1AX1?;eb?5bSF5f6784g+5;_JY<7)zJ!tR)(_!+73>OjYrPU0;wc zep94lKHZ8K>>v_ZDdjzn9ibbObTbRqv%Hx8-R(T*NFRyl>Uza zXKYnYC#MdYmDhi_o4n}l?*Tm&FrjDXr?1ZUj)Co}DX|C1%ky53@k?Ltoxkd}@tmN) zhHbr67*cJZZP2Y;0)LU5_0EqEF97NK;_GDZ?2H;`VAZ3&uV^-VzufPgT>v=sq~$PC zlm5jXzHoSwe06?!0ccb-h%DUm!&k2_lGmq42fcGn)!i{LRl$Dk^;?Qe8x2Z9Y9Gg_ zO?rpikOI~A4qA;+we1G1TAmtvwgOsPfvn}U;kTjI!hM4&q(*4M&ky@wBzygqPV8S? z?zx6&cBzfyy_0=jsLDbzWbD_cm$)@(+(!p^pk)tWqI$_e?=z59~bgJSQ*r4v#L+YkQ2|d`eS@CV8*9 z1+h)m-){3BNDg1ptM*^(>Lt;s{W^KQ2h3%9Z13R9Lr5NZPm9h%|4`@TR9nz_bUFQW zO62*5?0tF$PrQ~CsXewu#lL#N*FSyuHRSCH={kDJmDs>~F^&N1TFmHfR%OWNPzI%K znxSXVkX-svE?Q)Ph?8ttR#3*(-iE;dR|0#aZ((4F&LcVQdeG@*9qPDsbmtRybCxZ{O5um5|vT^ z3~2~Ir#EmDxb#`)`MJE8tH~HD8IfgOtL2z&8ePEHO4+GyNuLEm#Md2 zPx3_+Qb2AmIr5<}Ze=UZklwDV&)wz;2;;D7h20{hXQA_KIu{))T24WZfIVY(J7kdE z@1MKs3yl-9b9cnkM%hZfU?LE)?qJk!ij*)OCec)S(BAMsXx9%;S7~ z{SXC|x7UPHmfnw4#y}Q#p4Dy?}}lXEtX)(sP2pCKVM?o+}-qOw*}e zO-aYT7vKUI*Ctn?b|~#CbWEX??wOgh?I|`uS3Q8bKVuYA($~S`D-p* zeNfDuh*2b}GL_^oTnE{BScrF^A|SX0t)p`8BeTdp4_`Oj3_H@5yp`M440awzxqQaA z^^g1DzO6ghif*IIlE{o)TYGkT&4Cq-h4}Yz;JAd3a|QnfB5oWHCNqs43_;;jW7o8f zN&NII0R~xXQZSDq_27>E8k20gqzTI=Wv2sK&bD;9%q6bt%Kf#1Ld`cLd__m^S(J>ezW1LR7?ZOuUigG3c+d3 zQcsaYF&oph!6{Vy9c)vnwfMSN6{FQO)057@y}`=8sC=9=#a>Pg{dKUqkO}pe`MJKJ8{=A*+lD0O_$BaP& zwMBl>23ALzTYcA;w1d>IyGA}bH;cxNyo&?-CtP24ZnT0TScf;@f^73p6r~8!&I?4S zA#4V7=E+eXP0JC~p*oZ4)A_dI;G^_}WGkn3g>MY}>ZMCcX=&r;LlU9zU^${z(LE~K ziB-?kaV}cTI2U!-=HEAj&5wV+$DbzrCy@R=?e6|y?|2;l>EjPS{;0?YwLdHg;LJLIr0%`xj{}J6?vn184dzP-sNGLL{j>ol>eF3@iTd;{%H{i^M1`8= z-!o3suS^wV8 z@Aw;)SOKk4_pe&(){_7Hae`cF!p(Prxr$vQ-wozUX2b7_cC?6%Iz>ASLqQj{oMhw> z`?Og1@);>R=}ku3B`MvSH6~Yjjt?~9zGU!xeDG-3Hb zpmVUZ5!hJX+(47#tRi7HA^rIdHMP)6kkBzGq)v>pG@^5&x~D6^T!);ck-YPT0 zce13~?}okA^4MF=3oVHRBEG*j@>bB8gWXC5cB}RMV7D;)H-P=7FMc27t+1@bCm_O} zQ9;G~)aBI2w$W0^IJivO)v0LOy{q+)$Kq2&#F|efFKK$m-se{JMG51v7{Za90oST~ zhNGrpqarJXCFpm;5KG<>Lo7vDxC0ci1n!GsBv@h(VJ&)K?TMcUXkri98bC42AFCjW zwHgq`k~l9svvP9T_Z}R?I)GTtDH5vy3ksrO9axwKzr8st;AMGyfM}b)D_&S- z%d2Y!OVfHstT3Mu6Kt_6`qyR|pnv(Q1tfxTJVSH#ELDb^neciJI4!USJJxOeCn17Z zpeaZ$mt=7}=&(fK#B2*k^hs6pu^3RSaa@Im<$B14KB9-Yov_vtjs@S$uv_!QPBqlmpz=57v z35dz_!h^&cpJ{@isCvc1qeoyDdZn!$LyKy5ovBA_o%P)&Rnxm_)?lqh>ZV;&fu0%k z3V9;b{;!vC_q&7}pGW={6;AdJ%~Y)aab1SK*S##lyRUe(1g#)^bWt!vbfjN+)h-R) zYG_13vpBD_auG7pi|EjtJjoSmVi}D5)9OSJ~$EUW89d~LU?m%>-#dynmBj=jp;H`W;igUs+>TI`8E(n>(PVocU3G9YWy z@a8w|)>dt|nt84IL>Z)}h0Nd_!-qV>+gqH-m!zY6lB^6jaGy!}X10(3cy*te@<=zK z`&QXX=caOTg~>zaoUd;)l-S0#e){xp9iD$Zj-R1-T19L%wZ5WrQYYsO z=r$zF%N1_SGXoDy6KhB{blQ&y%A{&RAc-8hTbR`#g*uUJSoy0ohjivJSPKWLbDa*M zq61kposR@#GE97E*C*e}c&q-mXD?Qx)Ip{4(dWqu_Rgb@ z2VT>|sh!r8Aw6Sdk727qE8A&RQ#UZ5wV46PhO=)aX=NT{-)f10Yg1V5H61$kyi^N# z>RqynZr^#iXy4Ws+xjzM#5<9hVJ~%gQ+0fciJb=6xLYW}xBIP7YYoFQL%%=#=sfL6`3 zxb+Ikkex;kz-UZc4Je|zg*PIcQA5)zqenzmbA^63_sDC43Q&c23Uv!earqG4oU_>B zh_llRszzq0|IoCHO8=d_@4pAs**#a7Sizrl!Y6Q7NMV*o;SaHBlXu0UwE{?WQs&=g z3bOJjN^KK3j)Ws0J%L-|RF`akjWB+>vE6OG8+#SX)w{E|r$NW2X1n6b31~c>`rOsF^Z}*V5QITPMXt1qn_|^hSQ&Hs2t?2=Vw0 zr8~GAdXgP-Z_$ZFi{uc|n(f9t|jo%Y& zj2C|uw3x)B#k9UNT1?{6Vp`t?EhcF|i)pPxiwP~2KQ2_{v~m%Ldv*;4&Y&CA~_k>w)Nv-#Hf?0086?F6+V3yrE{5~+ttvIndbO=YFp>b-d&q4}S z#qSNJ+_EIb?+2yaVkqVR=8 zKxxdS3fHlUf`6&d>RzWf?Ai4-(x`!=>h0FH0yIkm;yzQX-k|rspmoV*Hhc(zIq@^n zj`~M?1`!pp%GHZ)5Q~!LD8;Q(TcVW?r2}FR5U7$B7TS5&%dxKER^*cimWMC4z$=3* zf=}(Qmz+jW6x2NF!iwT-FS5JNA$P#l&|#IPf&i@E0RFn4pg0B+AO=1i890@BtP}=3 z_;SZ>n{b!O{$iEMR2BDYwqW^KTM2YJcCgQnty``R6PXSHPb|RL9=5ED)--j0znIM? zn}5V?ZpLhOcb9lz{sYBqZv6wpZ1%d>_rz@0hFUcT2>%=F#3aWrDWCk;HF-UxIa) zY4#A5>9NL8t=W5*pf!7iXwEZux&q|^vQ?ogS`k);buCC~1F6x0h(}R39Egu)jZQU% zOlMJa`qSx9D`M?2g(u}3+^?6(fP4_d{A0kNvsGq zpDMVG(lNb;^sPR*R4tplv@#HP8(5|W?>m#^;$aR`LAw}I^new~2_2TB|6wW{**hlAdI)=l=}t?q&n)1s1}QG>^G?g~kP zX5Jm2)GK#<^$HvyI$s@75{?`<`}qFG9h&L4j= zNjbM>Y)NppB$bemLc7V)7luMU(#AvCV7@eQ;AnzI>+#)EIghc+Q+8a)bEgF@@Z7?x z^)(DQC+xYJF3et(*b7@z;fX+4BN~PzKf7<_rTLxGIBN=UgIS5tq34km_lWgJ^7T0w z&1Ds0WefVT30I>Z3bKb~8Q42MB_(yven=Qs6S_J;1;K$kTJq(POHRk>3dc$OxmuK? zE{Jl%QI2#tFUsJ9dXJi zswR)DmuNVaxfY&27BIr@@AMDRF0#GOUZ5(;~vtca`%5M@u|~=Lfy8j z%l(L0@U^j(J7w*@f5cb%akmAO^laUbou2@X)24y6TQ;-B+>A#F?dbk?IIy*QLbkN1 zs2|fMr6N+X!c3!g+JriFowHl&!8onJE|~X~&6+{SfT(i8gri?0Y1?%zP-n@sHJfDd zoHJ@>)fw#V=l6@&TC0U#tUgdp*~1V?On;y_L9?`FOb7(G}CG7+tPk>PBl0s(2hgp7_yH z^f%td?2HpGy8z+NOrpT>)X*}Ir4~}Md3PfKU?zK-qWq{->`yKzl&v0d%IPLvGX%-o zcl{B9qLvFwNF7iUKapFDx2W~aygAhLG!2z242xnd}=mBq@@Ri4c3ZO^8^JT;dbW> z%j#fB~Ns?Dx4%Nr;)h$O41 z{D#5J#UzCai~%DJYSUn>_$aE^ClwF4Q54mvM}ybOy~i=KOHPLbK8S3}DD^yDGz7O=+4*ho#Mey+H1e1%9waAcj)4!SS3AKduv4kCKn^mjeQ_D*2eRx<$ZZ zBx)^a=rpWO3Bp4kr)|?An&`^xC{6X$C|jAQC}Y_jnmJL7voQpq!t8C{3AD1-Lm^T8 zM?DiVtjgfsq%`>|wCmY6;0Z){g))R)m3ju6p|nb)WV4qPbMJT(XgU2pA0VDPZaVcI zy&CJ56{0D@Oqh_>WX<|Sx$rXQ%s7OJxj=Uzp;4C^jg)+8x;4*4B%8bqU2mANn5~Ad z`Z{M;E82f*dp*XRl~j4NTJOu7l{E2Ywce9AD{0`(YP~OSR#NB9YQ^6c3sW*yZ{hrQ zf`hTyy@$+`d{`o~;H1a2E7t)pfkFNF@+bj6FCv27RvL+*>ZqM}Dd>QNU63Cb(1GAi zV_u5IZRWGay%}+%*5$Ox%@YS7#o+m=_biL|&|MZ1&UXXiTJr{09eX!iSe?PDBWZMS zuOLHi9M(%{=Xl3hP*HqS!OMh}tI_dOvv^9IGfC?9rM7h=$Ax6q3P?w8TvecKr-nTa zrzh9cL>SO52VfQ2s4%Vip?HgC?UL2UP9<90R-gn~ma^@^>P%x=({dW8z58&D z%|A5fwI@|KO<*;@ z2cukTJ)>N3OTCp+uCXwamocpxk4{z(H&1OXV=Sr*z|H*wj4%%{u3oR_>p4n zA0Wk?Q^0p1dRLCQS|R*DWRAHXDdzqm zP|Pvk$~$q)1zP;yE61Gmqd|vPj=9!%=a@^X9CNMr=a@_C9CNMr=a^HcP|PvcdRLCQ z-4DMP$z013#8t3K-<4~w)l4;)ybsk}>k+ECr@-(i2a``%%n2-V0H`KYDkLxhTo?yK&5+?ONyu=${RYa|RswZj5uS zQ0O(W>pjjm*F;PgGtMQCGtRZ%m2pm#hINc{41V;EjB~1f)EVbmZ)cpVBVqVIRT{cy zF%8|(;fr(7jJ+cbUCS}K84aB_@IEwjt$>9t`K~NV z*J@;;tI^v$#zNP6jD;?FClQv7jzDKo`tUU{w#D!0}EZtv(Pn4xyLx^BBY>qqNY2tVBuPBx(GG)`*G7fWRfd0 zLDilDiR6pQ1;O^%yU@_74^e=k;V^Zd`aigP9!)E#bmrJ>rjn3y-JZ_sWGgHdKw@FBhH%0)9U(Jjv`Z(Cx># z@EYwP&CP10#d}oWGfF&ez?Il_cfDfki1FT&6fc;G{}4&>7^RPA^>MrNdvoKx!+M6b zMt)}Bg(8pJsnO(pKPHnOkR$K!os%rg;`>8$l2HS8M*jNcyclfK0rM#r=-`7w{N7EA zK@$_%IZbFWc|St3PoKP%kStwnItYH52KFQT>F=3dtAYQizw-mX1AIt7{pqtc{7>@l z3jfnbPwDSxKX5-9|NH~ze`;L+7yX0I)6V`FC3)S&n@7j}4u2l!|9bNDqbEPDuK!P; z>^}RE|LYI%C(yNqPS^Tb@j&$CBaTs@x$EZF<;PW0y~&F1J2M#G z7aM<5J+B-b% z9mF1={%d%Rnno$^qF{{PajQQ+&fgaozv;?L=BR!YyKzvGuW}tZ}Sd58J+Hbz#OJ) z@Ba_~VE6xrPd=>if71Q`Bmd_g;?K@b;BI+JiZ_Rk_ivF*y__VcB-@2Uu-mK+?CjA0 zlJBn)pp_p+E8v!(7)aOX&j;UAKR`3zPeoYQk9SlP@ckb~Q$S1KOIbhzvA$qqI|=Z+ z%~kiRC{UmQLp_-mfh8}A_N5GL>UsMVxWX`JEvcre18Q94Sio7s5(2} zSq(x%KZqtId*^#ALulp)(T8}sepHEm{PS*q8uh>Z{U@E>?vo!t_2WN}>wmk?KHjbQ z|DJvP(;xjme~3T(i0>j?w_i*q&>oHe7(_pfvQ~@sK|=c=xt!*RHKk*Tv+SSu_Kanm872%MeqdQYp>660p&3WfJI|A^PS3xPCY;iNe5K11 z&KKeN)BC#buZ|>0@Ss=sFON9!oML)70a=Xp8u^vs;OY@lBc#T+rGsBnq2ziU!UHHOXm(DYpBvF906tR&}RcWgOW zFEG|@C(D^u5Ha*zG3P|H0DhDGm|Nv`vgM$H>8(h4NH+L)8{3jQ>A4yeCQXT4%iDZr zx^c?Y_9)Jh<^U1C@fAG|3Zd4%Wu5g`1#Z7}{PHT#F@CBk_!lsp2Fy>U*)+|8D2Mn`6Byx`)l%6n9 zDK^+PLY_cbFia1=Z535IQ)NiK+Q6T~$tiP&G_Y@U6?0q{Ops5ft|Ca{x+WC`)`krb z4t|fabSxENoN+3%pLx?uirvgu(cFyY)k^$o*(6D>>5Z_9I~w6)?nw6{Yg@yr`CRr; zKIMv<#1~Iw4ns?T`aQk?BIhp)OP`5sK$|AzyjgJeCs$U5djvHq*&DL47Ow8Xz@|B+ zU$E0%{~6tLTB?Q5n~*vIq8=sx!SdnO(K>V<&=#KC*t@>Y!O^y{-S)J`3xV9A4eiP{ zT7s#>tBUSCDo@lD{)z!Nfl^K8Fi?P696v98r4ah0Z{R%zdRf!uaLHq@1BU8X zf*}bEkNY$q2lZNLQf%~=78*&m%P?wjt}Sv=0ew0s7z{?m9fVQvbSr*83DdVt2bWX` zOsm1h`ZCIP?EB!9fxMfzQc?kSQWpzt=21FZ#D%bmgwr-?HA#(O5we_e!Lg#y8v~eb z)X!T8aDV@^$rjD@RMR!BD#;Ko4{ThbwD&CijiI z733go()>&WUR`=U&hN4*3MNL`%qn++{@!<8d%kWgh2$xb4|Sd9j_KBzFa&KfxV3bC z;`-n~`0@@0HU`(@Bp+?1+e$e{JxCgRpr?B-_2;}2Wj0ZY<8}ZEs43-)(aF6CM|V$i z=&o$re1hmv>Zzd9UJ5<~cK3n6+L0FW>Bl>t?)3IU@QI|iL;)Ykma}wD*X6`$AT+IL zzgSL(Io}GqyUB4nr}ylB`sv4xloF>?S_%k?wDSX@W@X2z6-Fj9T-q$I5YMBJNt#G; z9o~D)qBap(0AaXPc+wC>3&WQNMmAUhrfc0}%V`yxl@I8t51Xt<>fRU)llrLaZ1$jS`!Q|&VF9^-)`ISV9_RzBYg zp=b*e7k7*FY`tMDqX-Z&3nY&s?Qzu(Rk?PHk>iV@Q-AZ@0s1liFi+cg|b_V;5=R$U5dNfD+F(JwcCH?$;!JlTX0&u$(&z zqkF4Mscn>&Y?QFm+Ci>5<2C0hvu%Ejb_MiMJke5n&tEV+_E2~9)m(}hA^>&y{dQHo z47AU7>m3zM+%4EaB4C^cTlTrru0*+!O^vJ1Z9-J{NHL)N(#_z29FKOU|ba>ZI`kF>LjhPsN6~nIt?*TQs z0FE$4jc3;t$CHv^+1+*nRK(LlVWC^m{0}lK-pbrU+Zn5g#D%8jPidI|PekhOJ5NLs z@yHl8k7?j;%p8NUaaJX&0@XO?9v*QvYKiUwgxLT^jhyJ^y=1i>%E0u5(&N5 zh9_X=n6sTOx35QlF&X))2ZpZIl67d^Y$wu{m3n$Sx8VX?ZS5%yv&mt{DlE(QJf^H* zF{A|)x2Xqoh`!7!xtE~&T&fnNU`mZ-nWBOKvG;r-dF_a${Bv0~iXF-ocCOp{EOaA7 zRNl;1c#}5LYB&q1QNShync#ep#8keGibPB0Ih(|D<`GzgE5-_jMw5AvqPq!-xj(M0 zw+QZ!x-@Uz2tgMPTp*ll2GVYFQb5FvXxK6o1>sTUmLW{SeZ`?=NV<_z?dYEZNNTzr ze&;wQ&7Z1$glN89mnA{M`jy8agTTJ&0h)XNu;&J&@xp=(^(C`ohSy)VGD z0rZOs2Nvjx&g#BQUN!4k+J{M(>#lK0-v0 zXlD^?uDH}y`_Lq}_ys(|1Y@_T_uyUKWnC$95kF`99fwy8%w@qhk(GWZI`tF_RJJ2_ zK)1TipW-2N-B1G~UAs04CR{PZQxHuHX@~Q|shF(Az>I8%o5UVnInFdYvD_3ec)%>Q z6#4G)r>de&*NwiRx7U3#AlD-TOb3h z6&Jw0Q}J6{ir;!xHXH%)7%=#|FuZfBoalRYgvC9?HOE@8Z08=nV=i_0)rFBB!KX}S zGSc%SZ%uq7PGDDvCjP(8q5Hh2kZ^brLN3Jx;*2v9U}Oln?MimMBoDX%F(k)?)~YZ-CyUC3yw?mr z`9M2#k5I~P$es^wW5LV1VPGkqeRluGIM!9LVvCsuD8-)3R;Z>J z2N+I9_pJgRJ|B7GW6Ki7j;$RVULprn5}FUTcylEj^xy|h*0FeTxF3hHZUDr4cY&1spqyH8+(SEmxF5@ad7UA zWQ2G?bh={3oJlZk3SF0*L2e4?k>nitYD>yaAZ0~=Vyk(|`0U{7;e;rj0~Ohd7}-s} z%3ShP3fOpc_|fK9;uS~15#w{m7ZHyFz`1llmweTW@o5eo)1`2kEZMTvya{nQJ0_f9 z6jMn8a(o>2E{;XcKu@RqFT8pV1{HUY0C)NYkUkjufpZq|rqzwNse5TDwerk#)9ZjrWlc!O$SWvMn$vuxdf-?%I5`=@r7aaE7?ae-2_WQ35I%GApzGHmOs`0 znW`amJ`neku|wayU}4WbWLy8#vw~F6bA<*vTp)Roo#?@MDVM&WR;t4k+d+0SORPb* zc*wG862a;tNaK=1bnkNP8E!r}OzfICax}luRhI@=wtD)UjT8xX2CG$tT0HmR8)|m| zdoa^+aRWqPtj2OGuAu5x;z0yhzWQ<3vmbDh$0B>PSZWHLTpFd{c}mF{^Zt4smqaL* zo47{>7D5kY(6g_?b4gJN0d*(hAqb}(UYdxbE>*@hYAf<7ML zLb)tOCkPdSvF$8SHXIcS4D#MuF*3X0$bH4GcR{cW$>h8Q(8paNq_*qGFC&CvV2lz<9jDl z9+yy6OlF084<@j25Ni4b>Hy1N5~gDpv2{9?*;ovvYiK9;nGH(s^ ziO$W|SDB*|p+k~6&>*l!W<19@9i>a{GF_8e2>7T=ahN#SCSM-uhHv;TJM4#iNIfxN z1xS9IV}A@x<>j9uZv&-_=lnV?IqOyC+#)^kB&YyZ2I%)9_t1*fh?oF-K!m?m5(vA= z8PbBsY}=!7(DD#OGG8knsuRS<${W!J85g<2pEdFJdb;upPF`fkwIf1ji#RNItQuBE zQ8`8*=Sl~_iQh3LR;(zW6bp|AmIrCqVwZVVE!?4NHHYRy6Ou$)u**2*=vu~NHQ*d_ zNdpQGx#TY@2f>4kj(NDxB@3B^x2!Gy>*~aqaNsae4(88_Hps zY>-shfGL!0xXmX-Z@2=-W1oBI=EfgTwXK+0kWSN#$x0n<2XBQbsk*t;Gz8r4O_z3Q zjJXhotSUGu9=(xYx6NlA$^HRLx1Q?_&tS``qiykk`9)qbXkulhm6}Ia95(9!$Fy;I zOlTkhy5STb#SKOvxCNDd`LRZW^Z#pXsqvA{6KtNtKhk+H%OW0Uwxlz&X3M zls@Law#9VrAzDfLH~K;I`~cQ?h0ji>>d_?Wy-WeZx%HZgG4qE@rn~h> zy`0>hjA`DyGwcSc+!XBKGLP0P~)b)MGy3HiZ7McdH z_pevgm9P|yr4T>PYbrMdvmgs2FB9KX?|p;V9&G#2fEd3L$AxTnO+q5m!mMfpq9vP< zF87(w3oq0tXvUlaoV%xcQemvM6T`+%2rE^1wTW^S`uL`W?M7VCd|E;RyY-5t=YvU% zwL3NT)s@}PZUSug1PYZ?&P4SP4~mwmXh+MXPrFQ~O}bx22HN}E;r*3zu^x?4l4{fe z{-CMOL7$;=+!uGaO&0j=Dhm0e$xTs^x{%^rOOd0%$GBLKD_RgYZKcPa?_|k2RlMQD zIS5$0U7zSq@)Y)(N2^s_C0_`_f8uCmOP5$HS(c?$@m(+B%iW5?YQYllg%wz1kp6rs zf4$^La8YPHCUq~c3(OI^p}eDG#nTP??CPOjqIeI&MeQCQeiz zQ##zQ&HpVzG97=0o4?YV+S25jp%9F|(xR+O(=0*%wBV^@(eB200GqFlsOT zng>;8p-ThKG5&_CS~Yt;ma-`)8jHJ_i-@dNwz59#xiufM*!1ex5g(ST3#gJi0c>xDd^Yh{%cdeq1TerS(@EJAEE~&5^Fcj zHdh&P0k={FkPs;5QU@E4Pb(svR2j^j@7?##->hr`HQcNpdiAWBEqtALWlz3Sh>Zuxs7(s`s2K&%>NS;UcMJquEhy4%Tt2u4vMTvC_i#Z6T!)j33F z#B`|6a(kxK5brcvDLeaIjD#MTS5@QJc%ppgDUSS^w5|cZiJAedu2(p`rDJ;g=vys$ zPOXx>RPqNe(k=4N`z@6~a*OaqF=Tc2(Z`*@aR^?@3Rk-f7R-M+>zN?ulW&xQ%WAFy5tMIXV(uIG= zF4^F*&erE*DAhIzQ@grjZK9?rfbV2UkaF!7OxLFBIoWPU5vz9z(#5F-es0#dSi4SS zeavo!Oto`9wAG`@=4TuO;k4klOdfw?*sXS8g8;6Zwzvv1(7QvKV7@PLxky~=Z5yR> z4&wtan=SORYHmHetT0x6S~gAyJDa8pvk4_WB4$%?77Sa=4MS2^-8b+G@f7(hiPsMq zX(b|iK6g(X8`d4krRHcdCyHMijtkdxL86Kqdm3ha${Mg2drG?KoSlX+p(b=&pwf&z zD74zkAs6V5(-n@97ACpkd$#%}9EwPX^P&ts$fwM*<)dd?um|uN8xL%e&><%Ye6x@= zYxSiBuJEwKPy(i*v%YHC$YO~?V->NreL(tM&+pebjs=Ay*jF4ES#u60>@Nm9giPhO z{}=}R>B83}#tZ$3H1IsNm0M)(j(^0l`7u&#SK$GT2kcw{@NzZ{qgHU}!Y{hB1)F8u zU=GPY(md=ac4uvRo;4qrA5~mK;cir>@5=*Q{#0uJYLw=`7m} zi;tVB(W`D_zY>~(69u@cF+x_-SU=*zegL0%&>*Pfu=j81(1_N;LO2^NZ#c`X?(Vku zfXh&?`if{g>jxyAw|ztB}6gpZg9hdce)t>U_+?y=^uhs#9f4vm(gs`371 zADaMOm93^`8mR;YDf(=rTZf$Sh|@@rTs<=By{(z|A9&yl&SW zvV4&{?P3Q~r4hsp_MGPK2L65Y_u3GHx?1z~TJF;W+#j~Y?(JJ|GXR=(et~DI3%f`m z3bn)NjC1r60*E^Tznm+axXpY>ncZ9#u`e~2lUH3)nh0-&$}qH`1P#WTPHe)o>a*75 zzo^f_>u`%%d}`e;O`WTcO{;by5EL9D^z@y`fCFU{SC9GH8Mdh8M4<}~&EF{Pd0z&u z{g2bOT^169)UeaE5Sm3+ie>(UZ9u~u?tZT@2wB{#!RidR@OL&jC7k-WsVVldAF-c> z2E#Lmm3>K1nfJ);BX&29abi|$SS8DFp3T$a3hC^-rIiRsv#EJyIBg|7(CyFwj`Lt1 zy{{ul&DluMHyH@0lCRGtYw9#GJVXz@=N%}REM(R=OOD03O!EWav-(~Y@rs@7Au8nP{ z2y^g`?|iO+prcSHSiWb%c*Uyyo_8N zQh^KbWV1IlmohB$^N0{ZB}yd|SmQlzO4CTjRLATb1pfWvC`Xo*I#n${d{8WuwAkX_ zUN6){Q_eZ5+3In)h$iHx-YF=qAIHHd;ngUu`LV1YxF9-%RY$UxU?U?VX`BTS(=Y`# ztlN!V_DFhEO@A$I!nB&e<(t)2Ru@29D+n7$72ry)?QvcP&@!$nUgOX;N2V`leJI|h zEL8_)S5m0jvhaK)j0fN?E4JWoSBj>?p=c)WJGw^eHcpW5@oK$x-Z(OC?;43cJXbzm z|JFz)hXmiy_7xRHd9umm%k^-$gC`K9?&YC4ck@Vt_{1Ly*^USl7^=3zJT$vWh$Cb^#&Otiy7TgdGmd`%tQwKZG?+j7kr)N1Oa z3Tu&8YQ?oMk>dj5f(+qG!!urw{&AKh=VS=5X5sR*HH7axzKj#;elijV8b;vCmjW*V z_rX@6UfJxjhVHzI;YG)f4b*dSJ;$x(vWR$zAL+itJ8HqrAde|mu*3i>b2*h0nFag- zhQXDUYMENnh3!sKKdUzux9`E0$$FE}!i=)I+wXF;k~z`jz= z)uN?Y>aOCS(cTZ?z-Ibm5TKlqw!q7=imm}D=6;vlr>tJ z!?q6WvpHwYgmq`3uJ0L305vV0%axpl_rz4PB+G@X@(bPn?n|Gm^1ht8q5-bh+Zh#8 znSRA*qCB{j`2Ma zI%WpZ&JU?T!uqJP9jhd@;!21_b_B!)GYyvkhq6W^@iNSqAcMAE!Q>JgZjFW*)TJ>> zv|^bTTy3C3@gD5xs}a_m6edYNJjXWtM2Of}mimHh#8}x5qPHD)KPb^QH;+f+EU_ic z@vH9WK{2XFLugGulsNWU*fMslX#LJSyU)3(Ko%T0SehAEi@>f!9$+N^`YetV{jF}J zs3|t42AT0kFg(O8r{UN+G!#|`OM{#kiORA|m%%@1pN&~&OGzug!a>$Zek{OjA-7q} zb~%2frr@OtuW$pZEv&aaA$WZ5EI18Uoy533;zw)tgviPuAy2Q`4afu`%F-4#+A)rr zs{{&odA(bsVvFe6GO^~M2IqE9M6a@C_O;9FHbrgdKD%DCCcPaI&x8*nlPELg-X4)c zhj;D-ZQhTZ#%LLbA!!&igxbdBY(o*d6}$*O&C$`VD$-N-!z|cTFkcYoiO+M-^(B{t zA+SM#4_Ja(JM`#6c4dab?k&TvylvfMpELMhG0AYqO1Tr9m%Vh!Dgy9_dyH4WP9AOf zk?#szeK!S1B(6iy39lD8j0`BJ-W4EzW<{n5P$s7a2?k7eZO9-$B0?Vbl^YQ!V+I^> zjEP^<7I@Z8Ui6qwm+1%%g!Hg)z@rDr%kv)d7w*5_JAc(_->Xd)( z{qh2AhiAR>jjPI`yjkTOPtq}OpqHxWhu zFf7rH6wzIoKx%`g`~0x~MM4A6Y5j}KJ=YG+EptdRP4Ua>GGesJ*Qb|sQ_!f74x-;< zntI7W?`3Zv+?s7XNN?$19`|&%`^;(#I_i_&KJ^yg60T65h4bFo-l1|*pMz`q@bmQ#p`tsxmBR%i^#U%}IkMIAovV60KZzHdfT2*+Y@cCC)76b=$J8@ z_t}Z<4|;d?NCv#r^}Xj2|(<%4{9e&Eg$Z_k%|hewy^wGBpZKBXx{lf2RVf*9-dwx_*jVryBwBs#HQC$INF zWKNI0Gc|S}ipPmO*Z^X}Nw3UQz&59NQ!n_Irw_k|R6QY$=E!1pY+AE3Rp4!;N+O1z z3eZng{nyLUfzdngmSyR#7%|`&jgE5_Kn-T-2@IE%MaE5tdMMzOG2)`twK^r zn#=SW(}>I8eR*Qf0wUZIE?FpAGHMIK(+VND7#~G0U?rvzy)Q0R=cc%gQs_w}QNZVR zWXXopE;cy9Q|-)I!Dbcbk4wl2<6KG{gK>7DCeWN(SPTow-w$&{#tuzj%E)%?Vq;=c zN&6I7AOS4kR${zwWSu1PRcH^aI_c{asLvUa(LVd!)#*grOVsE9(=%VJ+ZAsI73A8( zchyEe50F&iIwa>8rCx2t1^wG~CA_<4^r3@8EjmWKGTd}HZ-%h?O=)5Ayva2D7A9JFvCWoHJ*=d3WjZMasvGZaI_BF zogB`>1^h5?Cs2|Vs|*x6Y7V)oW3_K4*?c=OwD1zf*I2yMQ-(I?2qCg~y+_4kZ)~`v zMGx9|?Rhu4$!mqOO%aBkjp=ks`5?Z6vyBviuZvYNT1_*XP$e4jL?7um^yjc_$~X(D z6}&n5>z8E0Z_+{X@qhFUfP#?Dchh1}Zkz9;MKAaT-k+RGDm7euW@oht6E~y$C=a=l^)JyZh6REBqf%pFDf^EI}7ipG`6h?Hz@D?CIH%Mh+;XQQ_hkW;(9SL~cyLfI|(OoiFS`~lk5)C-Z(XMe1 zp0Xvn1D&9j4r9CFeX4R9=Jsu&NSO%ic_4wNQLrakf@~EE5{!?oj%(7)G+1P-!|!LW zX~sajS6GazFcMc|Gf@=6JWKAMa?VMM{?UDktLXm2?ikdtyUk8cPYzFBp3_@;$Gww_*mv81 z4eu{rwRcIqKkp|B4;;JUz2EeuI%fBe_70ER&h6sd@FHviB6Hj?0`q}0A(LYAH)A;Ax?H0#p&N-!sZiSb{bdj7O8u+vNXFu;&H4FC|gN&rRS+)!8LoQWdHCeIYpH(KkR~tMxu;!6;ar#bC98wh1tT`vN-&7PaQ~I z-ddWx-200pU3}KMT`Xpw?d&MIK)1}t-C}-&quXk=I^X?Ii~E1pJE5!UC&$&;UcuNSuHV&6Na%aL^ym#>Dotj%MxMFZUCq&~#H7N{jrc-rv@ zDdw#TNf6*mN$r_Sh1)fnn#~L7OM;mI*c3*KzSZ9{;27K>0wXQSal>?!O*F7Kmc&w0 zk5FecSx&ix)hlw!37U!)OrN$2jN%#?P=b75HRgC*(! zhO$u?=HVDHOS0r1ZvK8*$ z>ii{c{_xIYJA4iAtehGHM{#tHWMY1zf4?$Q~ux6myKh?r~C3eTZDsOlQmhxY|Lg z1IgrUcsoTMM~l-u0@^KgA26nmRTyOszB}p@y`Ix6`+ZnD|7n<=_k(yYT5(cK^zOEE z8bIc*obNz<1}ycQCm|Aj3Q&>>0g)5Zbne`bu@eEWZTZ)}n;&3zJ2?r+tKy}cTGguX z6?p#KVDq%;KqqeJ&=;zknhv+!X?kNg(7LDFkAJgqLajBsIo{{Ks6ui$gtnH01YNv? zVa@2Fzk|^tK>AI4|Hk0=e1WC!M{TEY@1+`mEpf0ZNxUN!&5ach(6h^meRR;^tWwK89YQ3xOm8{XdT3+|6-ZDr4KRgje z%E+i2AmJK~BQF<2Vk&dV+p~RRQYWlcYB3;vh70uIu+Lt?-Z?u@*&O>G9@N%*dr*V) zQ}Lj-eh?38i+z~tB5l)`P^Z&QF3$H3ddGX`U$ngkk{?;)acx!Itl!DY+Io9k#la!U zOTr3^cCEysddJ5leHM?%3XG8yOqyLZW@q^=DcQX26d`xeN z|9$-7Pj_qnzh}>WjQ{;1{`^GK^hU{d9In9#;>`5Pa>^g;~p-cL$|1vz~MR@?cb| zXmJIGA>H7imQBG?4w{xlQX7lmPVMNsH{F5URD6(PzVcZ1#_{6ds+NHPF9R>bxE-fs zS65FbXfbEj!AsHEeC{4n4@Zja*!ay-VXJFyP_Ef%RqC4c;``tOE&~8x@qAqs!2Q$i zE~8YV$l`+!P(Df~roB`^6`Yf%t|J`1Iy>r66P;q-kva`U`eN-kBc(Z0+$hDs5z7y&Ig2pqvkP z@bOO54ATtq_@21&eei*C%Ag*D+he;R7n{IvQ8>H~$8vqjn%eB5hn8wyCYUCeJCDH_vu`*Zbs;zqc{!d(Qx!7VKv;9k__<346xRNHtSjIAAI1x z&1b{xrrU_HB5U|2+VjBbY(uhvYSR&n52(JRdUkJZj_P573KAD-#nk)<9~?b0-?a%G z%&xEK)K8=LXxyN267i1eJl4CWrt1eEyyzcvo_6-fpv<6oE28~CMi%WawCH%z@<_Hs zCq`U*UKE5)JCz*+z0iS%+vkA<-OVzckA7bRCH1y4J_(06ZJ+NvWTe%EBaIz0ZxNl= zN1uc}Wh4C}D=w&ikXm@d+BanqS+@FjBV?>#a5 z`%gN%-6wu>KC5*gpWUYA?bDCC!}Y(4`*oWQ?>f4&Wp{=R^<7r1Q|}h8XoVCru}(9$ z<2xq%XSf*em?BPp-*=P>yxaexchtKe+mgRPV)r_~35aJaP47&z1!5eJ&#Q?~y>AZ+ z+-lVGExoqRv+K@eIj8^eWOby9xHIDCwrlf!%#XgtqxBgNe|h`;yEQI~yXEY|^<5h0 z1D(g6a@6^TnkT8dqhAZV_xOXZtF}RaC%c>!<<3n;`+m77%4G?L&Z{|i;%O`Efou*5 zi?oLn{Ll;7P&&NMvO%H#3i;Nk7?wNyLF4r=d#*9kj0i0Yt`7u%G57leh2lFd;Vr~Z zatL>Dm6ae-oEFoL^M^t?#vrz`o6iy@R-JbQ+Jp6{<+tCW({#YMMGvB0_4`N32}w~> zgHBul3(HA|98%G+*ezvW^{yE%t+pyg{Z6+mS{gBRrHu}hMNk%FLIi8p(bD~W8(x1T ze;V!o#&h=Fvw_}X|I;r&s@DJQ?tb*6{r`vf<76Yp{$3P=b<8~6s z0Fv#|((S<(o#Lp~Z~}aI)i9U?x{x2G%HPkQ@cbXAcNz4>ANn0{JO4QI z761Q7&wi}`{Db`Y3HzoyYCLqjd;YV!3$@iEoAk5RpG@=VH)+z@7j3@PQfrldbI|Kw z92}lM|FbRq*LD&=oanPZp7uYIKjHa5>3!AzeZ1qb^Z()QPj{c}*6P1MeD>2H^Z)-4 zf6NB&dnD_=KzRV=J4K|Vg^)kO=jjbgk(^k;86EtbYd0u7$(sQ0o zihCq$3K<0VasyD!C*wrJv!@B<_mC9~_kZROm0Av=$zchOmv z^JHrW|D6Cm8?-t)QR7wce&r_}(23i&3`k^8j-&y6gQjfkVxpMbodFY%je=(IB7EFV z;O^sw_#^tEon(vQwx*MDU{IOa%&ngxXc@G1n~tw-FSYHd>wI1=+zyn;F@xPORIvcI z05SU^pN@)$aIs!iK-AjwM)4Wj`!qH@&dWvFMONx4EAJM?j045IqwcfPIgPpKVFyN2 zr;m^(5Sw?NeDukO&z^Q~7nAYYr4mR-TI1XFJ_o|sLwDX?bP?F}2+Xr=-eLG3Jvc!> zCn6&x=12b-6mJ-iXQrea0X68#vs=Rbh!=8RbKIIh;AB&d$DeUFbasjT_}qA8D~`U9 zBQa=7!H0Mpw9XD(AL~usU{Fk6cm~lE$Qpesh8ncQIp#A)rr(M>w8{WjCcNymu`{7L zw!CilCWyjTUarT%+djbKeGtR3VkODI~3^pXM2 zTqL?(c~9#(*0)ZP7_4$BXiV}T_<2l5_xCA=4zi(>LLYxpl|l#Ej6}B*{;*#mR1Jm= zs(}lX*@<`n?B!H;bUwW=%-avyvNM|(!yUV1!jqD9Z@Te!L~%ffr&w%li|7Wnt;@IJ zn6kATD;Rrchw>7^WJTMv@Z#$1{PflN-tpDx`IW$S_xe{rR=@0D zU7mb#a{ATDwqru46JSZVm2qw&lO-KZI6S?H8V3~JsVi!v+eix~cxPmQQAl}n(EN96 zSHh@+mPlrfG>rfB$?iwnfjH9ROV6g2u0SEdYqLVlg(&9+0`#F*Rr;Ul+pdGJ5+ZGI}`Nh)#d}q?6s#Ctdl35m#9N z>dHYrj0<`-1{=v@<|I;el;hKrVw8?^K<0w`5xg1z&a_qM{CcPCM0fRK$mAOOHTE82 z?z#pgi1}2x#BjpFyBS~4{YgusIlT7w6+}AACa$?eR+^T14P8ey3k)x+c1)xxQvYd^ za*#`5qY5n$>H67lkp(2J)=N))hpP}3Vd5GT;V`fIE^|Qe;;)oQqp#5>X4O~ zy}_ZP0}s?yInr_sL-}z0IN@~g0RvsM!Ym5q&_nCV&lxRYj}P~w9#jfo;@~Oro+`97ppwC`?;cFhB^T>T>L$ur4choQ{qhQ zX{IYp$=UvS@=3f(E{SBZ9JFH~>Mm-sGsl1fLXWU?~)v(ZN@%6{@D~u)69alX$k0H@-BO{J(7yU=bI9DfT&%N24BXP zCbOMMtDtVcllgK~BbG&wS z`-fFvt?}YH?&R`xNz=}$$aFo=acU)(L@)lbVa=vwWIRlxP2lt@>EpK7eON4u>Vdb{ zniJb?H3J~)Vt!qsnrQJ+J9)$ZoEP}3{Pi*|Z}G4D>vYjIs6{F58c0Pf1pl z64MwP-PJONy31@g8FhoiK)4L*{6KTp`J1e)Z9%fE(&d;TpE}IJ3R+BhBT3|glRmEH zEKtR8S~key+z9n7zQAzr25Q>IwAk40CVL`{?IkzkVvvp-UJ>~?)QIBuBwLWny8hM) zO)eK#zCz)*<#0xdar~aZ6fWf6!+1-n&gcFGoDzAdR?YhMs*RX=c5F}4L(hdduq?*+ zB)xH&v_tVW=SHT%y@$%@ROtUU^n1|tCL_8v4^J+7=P&p6do+-SqX$NSlU2z=VW^|eX@F7L(G#O+cTMn9D$4keWL88$plS^8M@-`GucvY}r z)alK4i8`>wznRyz4+`qd`e&$#3;NG<6eeGS5R`~c9B~ta_Pty zn2q7`~d7NoHPUeKpk}cd* z<>*Q#Y-^iD;;B`&C?g}!YF>JI9<>xqch@b4$eDAV%sx-ubE{6bN?+B8u1C@>jC0~@)l49rV(TOGdg^vPDd`k}Zn|!jIfZ22@uu1%ticfR9TbEEr#m&nclp$wo zldtRHbul+*yjp65tkOOo52K;v(ySd)I05i;!)6@W?cf7-G>Ej3X@q52xhcbY#z~2` zy4DTOQkkjw89Nx71wIP*>Us8!_zLVrvL)5@E*Hhz`+D{J45C4;KcsV9(VLE&VRkk<|}uX6b}ki#Wq5k@b`mg4J+WFWEtno-+Y5A z#?U;VFW`3oBLd}C0@!vEF`C=$7fJ8R?oZGk!-06!UUIjl}^q^z4zZj z7?v~!h)gR@7)vwqbzUG6s;d0c7n8djQQJ@u0XG4%jO!XE?rN0V-j$p+`i-v3MLMv2 zdhql5v6TteByr9=LRi;s2gNR2_~0SWcDP!|%cSjw%^`=K5~xA+ zg}%rDZqrcb3SA(d)x~yKI)BAIyUO+bSMVb2G(Ixmu55#@Ids1%DxkYodF-?wL{rdO zK3-?hKd498x$0$-H$*B49g}h)l-kOP#X%`PS8)^_O|YpX=*SSl>cEWeCiG~YabS*g z{ckf>CMwPecRkIZ@RoQ^FEMUdLj11I!uw6b$152I^W}8vol@Q8B%mhAUF1w=Y7=jP zpM1FxCs}m*3@4AD>~zRRp52t+nx~T8AQe7(G}GYYgBm8bbZ)b;dS-^V(GGA@!pPJBi?;BHd&|Pq1-H$juU;RpIM2Q^rPg<{^|Y~VYj$5 zwTn(D?UJ*-W2YQ@1bN9yGP@}>w6I9gW|z89fYmeNLP0AyxpJr9P7{KF!`pm3nrG|+ ziQ23m9v6fP8rnK$^r3)1)%kYtoqS$(zK9P4T;Uvv8!ky9ooLdH56<8u*ljJbta!7E zCLhM1%}*ORd3!JSE{`s*j!!R7F0R13d&NLOS1&Hl`xkYGvFWwyIF^GZVo20CzI!<% zLHbrvXK+X`q)iE?13qqtzYZ$KO*;p0edfrZ15VDbZpe5reW5`k`=kl8=EQXr77sO5C zt!i<*&CY@9uyJ&xV&eyo)gvi^$3l$H zu!qNUse6Hcg2qC#K2?wp_l+>o5td z(yaCc_y^o&=TqaGqB;Jwt3>$fM`f0#$goDy$0wb+75g@_~;4W zV(~4z2#~mp{MBOJAmpTNqV<4SRr70S7yK7`5FD^=N+UX z{A~L3cB8=Za9N@6Fz5ok9LLQ>gIHd4m^Sn!89W(+C!Tix=s)waOM`8>3@BEba?WGQyq>=I_TW}HMe19GIU zF9BR6j!xS3&G})S4vDE7XttdWu8MKC>6eX>zqyaMN)>vq{BOBEKE-hv%pa%VCQ zb*ERI@aAzdo6!A=JZPmC<(4Q}<0D^tCJXAzjfj zr<`^z--x1p@>s8b24R}qXtNgokZkr5 zf{3;BZeCBj^K=nhL4!<#;uf>;3MNTqXC;KPesUt0vPd|M2=jhaINic>vbjtsHvVbx z+uRF99pZnBfHDUyze%uW{-Sq$DICFYY3jurDF_Brp3f%=ru#_O*=bU$bHm^8;ysY) zd?XL&;8M=N6)FK$j)N}++GKf`&qO`Yl;N@_5CcjH)m+&{p@bg}-cUTTGLtFWH)ZTV zbyYU+xJ+XAZ06S;IOsMdB}mk6mYSq{(TI}ESbX(aKFUR;i5&3ZBi_e%5rSW+Ih#0# z3zk8SHU#^1&9NF#b#F>f9QA0jw@}lbo6}#*4Pw6HijJm>V<_j1bAkLtS$7viiT1ul zR8n5HRdYfePpB5Fv75W?j1EqbU`LkjT*(Q^^=MQBlPa=(0;w0-a#F%qwhduhK$ce3 zn~F0xQnrqwv0HYzQ#dV<2?woMsv<5l{fSoH6xlXkk4*=FQ?ATU3{?z<9B&An!l5f& z^Yth4o_G&1COAkTFclX5v^ho+lP(%QSfgRv09n5`*M7;S74|tGAR=M?%Ppgmj?w9o|fcQf~1NeU;}*586V0*4p9T z7E?O*W%6fV^v+LuM^}d@{foV$qpSVXlb2WLr>7S_jK+H!2Poc$si?1hP>bsRfi)%7 z0}>{n$=R?zAggo3?<~dd>kJjOp}@&QxA<=0H!9S`5a{^ z)oWuEG^5Fy>f1+-7J^&To8XmM5DF+bT= z?=QA7^i7fG5L*J8SPTF?Pco&kCt?HEy8{lK>2kKAMuer$vCb*?e?|SNIxR^2Zb~K8 zFJI7hI663og~vk>rEkMmBuOqqJ@(}cNyIBwysk(-nXU|UfqrqJlMqZ)-M_DXd49Y1 zEct}`@hZ3qD_KEVT-lL~!K0E)m#789meh6jo%Nd@aW;B~)|=p?I2xv4fm?wNA__@4 zO=smTsk#HEFrw|aoR!uK0Av4dXRCD3d2#c(>>orSNENc1mAj0nQQkdb|1Rp5{1 zO40$0)+;D?n`f+#v(l~A7f~Lmq!WpZm=&d}Ymtg~Ba{!R62jQeI(m7**3<1o0b;w! znUsBN6ftP4(~+k;)`-iAYOE^rqtM*v&88B^p`72siu6>$h%PhP1;M3eiHn`iwCHeK zYtqMJc~a7H34A-3kerGo3X^5{5LLN@we-$}aI#;f2SVHCl|znwR@m2e0?f z?mzmg#A<7(nXdWXxN~}oVte*Es&WR0O1@YnnjIY zbA~1&|0qypuU}~y5cNYyGiDPzSiv(_(=y%SVjukK@a+EMJ(jQMdu|%awF@4`9I*I* zvCM~ed&9fuPOFR-U7UKd=okBE$*=KvvbX<*Si^DDn7dza?oM!1>xM{&>Q~VT74gmb zqh@9CSHt!kLz8GXTjzUaJ)iCz-#X3^By)m(%P(A8{{C335=@qFHcAuYes7B>h^G^S zM(sJf_e)WAZu6U4l#h(^vz6QsL$KxKL0RZa1vE5vXL0ZV=4Y;r=i9af?_T5@ zi9uHy%z2>LdsB|a#O|Lkakp+1#i)s`>k1tpmyzHCUY2UlK7KW6g=AxpMSmCDZF*2U9q0sYp=ise z3(bFA+*Vw7-ehB@(g1jf?Z<tkIv9!X9aP=Dr1+48~f z0RE(M0UhWQ934M^dqE2Mk}VoWxy`hAr08`7ZX?`AwOTgmQV5HKooZgwHY0NJYr>e0 z`tLZj0~b{^^>B7@Zyp^wBme+zK#{+@@R`c8OrB1;;{V1MxyXpL_92a{xz#-ygIwUZV2$#s>9lk9*Y$falm z2EJnH1PM5?v4q!{g}NvB7It9Oox)dV z#XS@a%aSaViP{gN78;EfpE1iuS<2-Ano&Li*2+g;M03HXf^jgyE6aM&4bqYQe&&i~ zw+f}AVCe#|7i}2lobj8gM~HD0!ob>;Rf~7IvgdI6G~d|rt5C(WJjjmmv~=7emd`8E z+)gKZQ-4Mh#h6gq0WlR*zZbZYoPETQBDJzD4Ov%u7(}YAxZ5@)Goa?fsu^i<3xKZp zeJIYtc+bK~Z>XB-l&8CK4~PCxU-H2YUjL93z8MpH%0>k-q%V=} zrJAJFZ4}pKjIj}?{DChRnY6S@TWL^~5|yd?RWiJgx(R$ts=*{2J6v;7ehC}2$;Kc< z97=6bmuD2JyGY)gpt;mSdb6VB>`YlRIBg7{k5M78>rs0;A%l6lA_+E7MNn2=$RjNa zm|!cx9+Vf=hh_78GcO)!CY5Ge0%()0w7MIsPxX#B^akFshM=^x<%vz%SHsPtHb zxnI{p%HH5T3Kpv3D_vN1JXXS2#Ew=-JLNkm3`?(E&P=tYXIeZmJTx9&I98amCLPx5 zW9uHnFD+w7tFQzrhc73FWgRIFqsAK<+sxO*)(m#ith2%LhA+#uOG2?yhTaM1VjZ2n zLiqKf_sfgtyDEUY$-YG>tFatc22zh1TYYTM8xD;xO_dvk&?AgMc<|z~f7S1u9Q4jf z&hbwGOjjo9=i=GnkCE`IKL>9PXPx`tvQ_ovnmTIl*SGe*L=vs|w-3$_zofUv#S)AH z$u)8!t})M6|0JRbuwKi75n_sVx%S{#MRg}#!kw>PMPE*85sy)v_#U3%T6AQCW*V=} z%LxmmMKPn}I39cVE59t1DY`N)WHWU|i@C#EG?xr~4yv?S5H*%57RFLEGV?BSn$}`R zn&HTi=(&tUHoT+v*F!b3iImE3O?;(Hj?*`nWk!483sS{jlEMER)I4t>xciW~vN`k< z66M3l_6U(FmUFDHsLcpl)ob572v#q=A<}$ZOMQd%E-JXJSJFSG01oG?*+O!W+VO`R z!EJ|O2G`CSxE-yWMO(P~BsjV%o8A@Qm&+;C{Mbu@&G_>0;Pj~^!jQq~TmbTT=Q~jt4#2 z5;jw@L}XNaeQ{9^L)d6Qx}98p$;iQ$fKzWvbAG||f=AS!BJfMNj-$B?PP@!M#K|HO zuNwbHZBaXLV?<+@%OEnUv|@#JL)03B+RX(BMlK8J+NwUfJ1RN4{GyLNl9c0O(d-gg zH}#=GvY1Vt8g@}^r$xEUM{Sf(+;6<=E1g9wDO=7S zx-MO4I11X(Z^r2jiQOicMsW?P_kbrb(#E4(%H~u!U8NY`!?L@?#elR?8mx+G=T(9f z!z0fdhfX^YWT;uQk*!|FPCn9DIQp$g=wXNjJ(azs?z-q}0W@;ONucPJyU)6~>LSy~ z*Z--*J?OEej0P^x1{Iqg3^nXZ)uUeg9Ay_+0C9v=ecffSe2OdN%hKOzN?{KhLaBKP zd3&*2hsMV>6>a+C}ONWgUt0#;NBBC>_))5~)Iu!*p<7hfE_jGaD^{js^%Yp8xMefjh2)8pRN@fR=q zSEpyt(EC>}F3w-}!zp^?Su!y`l8fz;hkp68A5HkmZp|7rk}GI&SxPe4$=!9$7K-Ou zj$o-#CbJxy*QQ)ZVTmAO$i-K2ON9YJ`r^)TOzO_gXp-;bqn$xslvlK2M}@FMta$>^ zW1{^(gq~@LBeAPIR@G<8ORW|7(l=`#9i$c9fzZtz7QymK@{V;O$CeO#RGe6!2>}KU zrlNm&c6NGxK^En~bFoc1i7t%6mmQ5NBT7d)pn||pZ-j5BFT1`srK{Oq#Hf>y5X&+v zs|YN)fDxIu)*_?^O=fAHkF2c8YZFq?YQ@NoJXgS^bp90heBuBb`aAhA}9Fhol zad~{Ed;}mzp3L-+aqNNJ!QpN~?~5r{m$J4@%RQO3ZLCrz_@H*}C|8qxp7E`D6YcFO z2oI)OAj9YH$ zKB;1w{qlA!9i$m3VHMiJZ3-$1lPJaH%zu zwtu<1yYmJhbv%gC&XXq{>lc5doeP?h&}r=btkipn`5nfE@w-d_Rcb)@$UM;7QU+(z zY0Myp_N6c;Iu{UC3<(zmUP zH|ei8s zr$6mJq5pgKp*&%fDD11f4qBm0>CGx?rm2;W!d99y?-(d5m;s006d>qE&`Lq-c-6q@ zD2T8WC{RNi{fpDHGi@czIoHPx<)s#~t|WbX{<^R$Wq?Y^WRPONc^=m7^r3S)u8mW=s*LVdXZhROyf*(wRJgFd|D|BX!6;Z@m+QoD7guh zBY}hVrSL3@Mk5mg`bBw6-Mi98q!9P*;%P^n;|l+OjLoqb8ooTkPMy>)M)?E*(tF$m ziD4+XP{Ke%vh&u(Wa;mSEbT#~rgEVu7J#o|Y;I$mWwT`Sbw1#1)$AY}r>j20Cb{%W z55~_4A{98ptaJbL+0)I^du{Y)lq%l-vV@Y|D@mW>omOo;mQ-?IHCiP zMUIj>zu*FBV^*im?(gB6^c#|yA@qECo6glLj-50Tzzn>DtQbvmR@rP}N+~-7k9vD20Kjzw zFrD7v>9)&?iLTvG1|${8GP9I1hsez<9Jn$WMVSfXXdgzf5qxQ|1Aiq7u;w|OTpk@U zpt)QzAvKMdI>OfwPLe~W((Esn$itWLT=B-!shH8+6SKh-;v&9p9IWd!6WAQ>Nh?hIp}%EBw?bxc8YhIF!cz8RKkD-3nv zlkLFS2FT7iF9kbWLOZm7z*zxT=1Y{nuX-n69-g0`9QRHxu3q&{dgpr=r|0cQzIWO0 zoxlIL`n|pL{nwAbv@*|Ynt1H}(R4Wyhd2zk_wtI7K)GfU@cz!w2^G(VL;!}!4wWH} zbiL86S%>u}@7Zn&nmK0I>*UW)PA?8$etm_W^e*h?lq~dnWITMfe|Yd2TG}vy5#L)2 zpSj>zD5Iik_B%0v6}?W$B_(Si9Gm3dcP(9!aXteEDSk}{xDceA$$J9SUe1iFMo}BG zakw%RA#6rXv7{mATUVdVBh;4B*f)-7dTt?~j#=4DUL&{w5!5%-Ual#jfsM(&XC#nf zj(o1y{iJ{13#l7o$QOguX$Xu2S0VcrIcHOb8eM>WHn+!!9dkfHGcl|AkHHZxZm6)gBf8!}=&)Vo z8MjJ#4KPc#Nds_=6o9CXwzr?~%R_02I8i;jn>sPu-Mz~fW{uh0E4Jyr_PI$l~-GGBTL&Dsv>itIO3BxKvRY+cEe#eBcYX}e5kd548Qli5bt z2j$LZ+@rN+`=PR~$Zt{U!2k_#_|IPb?!Q|s zfCUz`gk|Z{EGhnuju#r{Ek{(291zvJzxFyH(z#t z`|Y{e^q2i_|Mg$mC$6P0(!8@zzoXu~F7u4$`-|I*4(vG=@QY$VU;2Vp^(dQ8Q|y7WB7;|e zeUqfv-=@Jb9?>A~meUnY=+SaW-+WOFhrkAKKc8QooZ^SkLr&d4S<*_3{rCUfKV9CX z<+m(V#xM}*(bcecD8|ZaxCY=CGD*K@b-8Ar)wMs`UE@T%d}huhlW0- z50BCZnvrAlH5+5OvcXt?{&)X#jBc?Sr}_a-J6U7X-~F4Q75zm&yBlYV^#A)$@xJ^H zyE2eIAHyNN`=jnxrw&fBj2RFUB<0Uo5|!(pG|0rH@!R z&z4YCze>jonymqyjIVOsf-mWcxD786e4JzYX`$#8fJTJj3V!>W0a+#Vk1|DS*VH-G!z{_Ve}fBoP8{XhNN|JUFCYv0)4{u_Gk|K^ps zzx$hiPJ@}3=|ekt`sC?{ohMH_yU$v!{nvXZuX_FDtHX=e$~lmGEw{BQmjfoi)) z*VuA8RDcPxFJ3O0z2v2`n4AMVEUhF^ePzXw0v`<>*O=YzcYVYUc7iFxhHW6Y=dmk{ zLlW2AZT3vAiY1DwJzPAi+nkc(at{%Ufx&8T4ZUL0^`J~Q*-&oX+nm(n`S5n7{5XdD zAX1-1GMn>YpOfeHTH*EcSDxIjft~U()(f4ONDGR!R0kJAsYlt}^ z^L*Y-j+MoSF=xWCN{D$Z7MiBQ3r~q4Pj=t7a#11zO)sb$=E)X}I#*Ti0kT3DpG0zz z_^_=sqRclwk_PY%nzC_JW)3s4;+-+;v7Nx6lw2*fE=fgP47bA?^jl69a`>AWY{<~I zO2^l>m)f2s0XRjr19>xDQ_o7nG)je5f?hBkp$OYI_mXpf=UkPF%9J+XKSNiT*>Wh2 zFC$tzm~_0O?z3{odqGHR+o8@q?ew$R0zi-RohKiC^5L_m-P^@v92#fgo_awmc^99- zeKVegu=h)WgnUjGMF!q*9+d?wH=l1JjJ5fv_*)^=Yc<3c`R9GDwB@q3$<*NF$H1v* z2$aF^gZ6&+FKO#i6L@MknKAk4m-TN*F%K6`j^O6da8l4vfm}}x!db7A&7Weg$_d8y;^s!Qg}eWvBG6*y5@^O$%%Xb!#(E8vxm1l@cvMj^av0T^y< z*_4TB#s9LX1nt*UZfOcsjkStXdpPN_C)itKx?IN!j|=SoUR6A5vWp&wn6sBNXhK@H zT+k>>6&T}4W>*Uv<<$>X-N0Q-BOGF@_NellaA!jHpc!ejbd50Ab(tfy#SNKAiaR_( zwM{re#TKqp=^83&1k}j?r*4s>8_TS{jQ~&?ze!(VSMP z9%V9^X*1|Cn8mjZkTot4R#0C75ST3oboX;*iCc9^NV}PevSOYvVgHVNkVv znmXbTcXI}s=0>Pjb#R1+uc9!N+jct)u#BOiP)4x99Fe8mcPYSPk^{~n<~^eJX5n}2+LNl!kb?QeSf^WpNUA+ zA~>!uaV0-e?X%+p;ub5RJ+^L;GN7G!EG$LrHVpO=5`yy@HeTavk%yq$R!Y3mIV&{P z9aYhl)yPZ2wXW4th^`Yv^8+TpM%@VGhieU*-^XHC(=vY@wuk zpJ5QNtt1s%3me8O?V%IPZCPrbI?PFAsksT1=$0q9BT-E6AKAaE^8MZ4{ImGj z8ge-JTx2@9mXl^oUZMPg5Dn-%9nn0vj1 z%B#smf|ON zbcd>%qOpH=`Bet>)}c*`>63bfS*ewrb;dBFrFBla(a!m{w&+V;{#Bb3CE<&ij_ean zA(9`>w-9gacuT~s_1MY(GJE4ai>0viHXFvdE*jTvxAr^w0*QD5Fn;u??jy(%u92Tikl|0~0 zS*Z1nsF;rY(kj-L1q7K8Z%9bQ~)VLN(Ppl?liV|WJS|^+8F6(gR z=cXq2N}fkqtqRkN-hnC2P8(w95Mb;n$9BVRnoDghs*;TV^4Y%Yilr%c%g(R?w~ne(!SF?1*2t;w6FOh{8X%-*a_)rjA(wZf$$+y%lEbw z)Rk2(>3Ry0;|Fi_a~(5+;d6&gEa+9sYa#sJ`l6j2x06?N&$sEq{%^LMl5_hLk_MW` za|9dyc~m>#dMR~2iX=LhpBluzDE9qhfI&N&Z}AOiwZMZw+Ae~scwR)zPw25`e?z^$ z2V7u%A(XdBjQ#<-TP4!vE&@qeMU_=`+v$iLDgv$$uTS^#;$`O($7rSe1@;;#_!6(2 zkVKP);~mzKoH6XesQq8L4e*a;H~y7X+&&Nd9wFA39V*>fMRn+`^sQ}iNmurN*!EA&U6WtWLBD3 z!Be%yUrpeC;L$3u??|+ecEH&lYkAlc#^BDT6|0?W7lBPjyCo{Gn_BB+EW-uo$%rcA znv4pCvic2?3`Lvhc^wCrmZBI6B3cLz(H4%-IK1-0&xhPI3LC)1B!*x6cmKtIC724q z&peSfczhC`UQO%Ub_ECqr_!M6mKxA71+*rwogtHY%~Ta@={Xr*-J9-b^m|6Asi>ZH z`9CeQRG2}eMp0~ajI5DZJF3QGU9+EsH_Q&Q-NK(C%-teJ&d;(4>0Fo}lD1kObA1N! z;JDkOju_UP><&{A{Ql>d0|XfyB4tc)f>CuuN9iDgRZE?;o-E*5Pg$IihS>!2=%N}A zX~+}61dTuw`=%JE(gSD!-Noi?CIx62mjMPyl3Ed}%`0WQ6 zU|K4*3hjzmu0m0(^s05=5?4g(ozGZ|vpPV?;Z*v{(5OpBR8rB677ovj4{3&|L!;s* z8O?JJ?-((-bYm5jnS~KhwHKsrWHR9rTx&{UON;>^oJ%HAwkMys0|&~ek;=BfQ(DPM zMo7HYDdmETjgqX&N@{JkHNHt|7)n=y3H*hcTNw zr1T6slk|c(mBI8l@qjX!Q|x2wgXzs@GhtLum1^-axQk9>+s$(HIdWmGMAUQq2K0NO|) z=fHN*Q@#wpJdUcNjHY6GUySc1(iKH>tX7LQ#B$Vu{Mg%ad6#V3he>P{LinmRW5YIWBW4=@05Mq8Nc=Z+A#58e*!E=%P$>#i4QAu5rN) zdm|Vaoph9Ps7RuG2Zo@0ZmZi!$_DW?&*X0LDEYTsi^vHg<3pEnUQA4=Cf6S`HbidT z;5()Biv+%IL8|44kktN?5zC)DBJFy(e$2u6p{UOZG!IuJ;_J9o{gAqJ@0@O z7MpQs*Sv?$Hz{YuBUQ6b9}9MjIpg58Y5HhQ%~@8B)f$d9|CiL`lWg&Pm8~NoGj?6& z;%vKc^V%Yf8Y|g)7Dl&z497;pTh1h6JWl6|&FP0|DlA?O%vl{yy`%-yFkX@LDFOF2T;!YwEPS}VT^BScO z!5a+2Gy)IoFP4L|;aoDZgm(mMs2?9vKhF>7Z1vvIfWe;ZC0(R_lnQX_L-ovTEYN+L zqM@N^SJ_(zdTHo_2(CGgdiWG<9HFFEr5kKGBnxeH>qd6wUmA`gnxUGc07*EBN>w4v z;Dx$3x2e|TA_tLU*#^SA9SX6`u*b327E(0~71)lbs0ShgNX-gDM4&kZFKMM7)=x0p zb~vHDd^>DR%1Q!T0nxznWSg2RrzY`Q+2(0snDHYYI@{QFPgBiK9>-xtQ zuVSpRhN$#ME16u&)jn00$|f}wFWVxMos$%{Y5SIJz1aWTXmuph3ipg*VmZ5AEj0&R9@LmJl2CV!cKy31CZmT4BjTX8;DWc7yWR#B#-5qH9b zlj3Woax(95{i0`QvbsJQQ^>8BG#M&w>kFwdpAfi=rGuoKCf@8(=k{SVfJ1Y>s_+;u z7~x7ppNNz9;pO&}4N;>;sI0vd zhe)AI5gsa*DB5T#BndF~A!Lh5fLFAp+P+Hh8Lgk={TvDzuaYg3b;dzk39-tO!HIk0 z@Re$u$;R+$cMsldfm+fXmTM=Z~!y`W*wDbsE`%SZdgWRfq~B;KO)v7Mvo(Q>G# zQ-H?cg33JLVbw2zcPa<$*7?i*B zUQI%9Ah-)7pwH$VX60o<!oJWm=dm`ogk#lxaT}Y6 z5g#rtPj)W$&b(i~^w)ZvZ(z)XjMgQ@t#s>^>dO>w*9e)7BI=xbUH{iGx;Q!`O1r^K$!Uh$KX7* zjcP3wK3CI;!8F;#Y0gKJbhfF`YF3aC1AXCk%}1RHO0GtZ3jwL$GoEF}|L3fyAZ=b_ z)R{?|$AV4Z4diE{vp3ldQom{uCDvpia430)^1 zax|j3@=>=`5|719eCuRDfi8JaWU=$HQ9h(dS}-b{et$>5zmpeT{iu5`A9at(jHhL5 z*Fd!6bT^JA8g>q1Stor@7sI(QfVfm(A{TG-fvwnv1)nH$W^>$hDw+=OGgzuTnn*3x z{zupI=0tifw|P@3!`r8F0k2eX3BVfY0bk9w}n*7oV-k;<(3sg^D zsY41L4N?CMzi&P-=2vupuJ5A2Eh z*p4>M4SLwVx|6jD-z|g|M6nj$d4DD8N-_%9JR8H zt|EVr-ih{b?Tb1Rwx)Grss0#V9?bdnexuftjy*#o#vBAriLKBZB=?^gNv0?bCCe)K zQeb5UX?Wuz3_v)PH})u1`tm^~V#|Rx1Hp8sBH8j|>&P!V)9JKZ7NO52cxG6TDk@KG zyYv80#~_TP^WkmB{PLl-9h7G~Esm)d*q`M*jtwF5k|~V3x5{ws;sPeV+idP&GGARD z9{5s^;O*;BtKtActrB}(A+}vpd9ibF*xx_>vUkpGi)VZ17l%xAvQr<1JA$-aut|Bd zqOVs_uV};8qid|SrU{-7r&7&b+r|M|5{FIABT&uvys(O`u~Eqwvx*`=q6TSkMQ>MZ zQiUS)+-9MJ;oLB@Ilt}Ts`n+p4f}_$PWFzj&dyKwkN5gtsN>9(4{8>X;7MBEZEeT5 z?jWlm)>_pDZVguj;w?()VH0Yh*WEc(4=*FyGE_B99aX?l0EkXE)qM<4lw9-SK~s-< z!^RA+29A%qIV>{=0*fTPrp1lqSBJmGeMU;*%+`tN7bU`wIK~Khc3c#*P-}@MZvkN4 zDO=6TyadIU7U!aOe!N3}AD&!1MrX8!f3ONg?PEsgsZs8d1%3B{bsf_Pjk=)&NC=4H9mIxqeiHlf}gK}2)yTm|G+KE2Yr z3>bQVXFMP6+|d7X7%7TlGu$#h)w<8Ii|Tw<40h`IW?9~LL5@jx`nTEWiV2Zmh;2sY7uQkhtVp*?NUq<1om3i< zooDV+=K^S^?$L4i_=3^VjaSNFo1}x1$(tn7L{`zpK8l)V;kbD3uU+kzI}ds~Jm$Y_ zG>BTnmWIVhldibjC|v>SA+pJs>geN-eAv@pRm!+DC$*nrts2^7lz7&wq$AbqoWzVQ zrLf4(Cg2#D7iEz0r9jJUj5#j|i;pr&71B)QGTCILX&d_$eMtib|L7|E4Sum6($t8l?rRZ{~7czZKe>%s< zor43hkKib%XproIGF+A1tXEUg!IT~v>Ms813Ft@ItYaLA zdxEseTO>Rs>}%JG92KR7t0o(P=O95U%{Zbah$q^;o^HiSHp&@&DRdubXF2JPdA62Q zwy0{vJ;rcg5^9*v(jl{vl~Ns+Jo`uMcr7B=2_h(<5DthnxZF#axf6Lja(g-Aiskff z3TWae;URiyNa^82Hcap6qcac;okgMBo`1q{!+=daMg!vr_jfQBA7BbY>tQ^7jC3Hp zSGlAk-ylvf`}cZoO~0SGrjUu9)WbDA=@<|QCmpVpzjdX5G(09|Spc*o@RhQh13#FoZ^QJM$ zE{g^eqfKEBL(TSeZ||UYesy@Ve|mhjcX0@_m;bqcu}KEBUc`%AP4vPF1Q>Q=XT-sO zNs15#67|qZc%NMaI8;Ni9lzzkB0`B>q_6Q?ib}$3z4K&}2ufD4V?0onM)I4(nXCgx z`yvrLmdD0diRZ=$^Nd}#S~zpY3-F86%X8SsI&06LY+CT01N|Yox1*Sk`{g->FvS(F z8$OGM-0yR4o88UJ=_ceK!U{C5juR>_((6(A!`MVT;c=9L#5YOISo}cFqC*uquVNQ_ z#ANz=&pmTh(8Btj)5pDEUPyl{edXR+=fY{{>x z*q$`7n3ScrRFYei&d6FPLKs?2b9cSoXFrUl?_fC0vaODoqRc$hU^XeU@jbj0kqzbP zh??oD-MV{XPem{Cq=u-i!XS`0gx3Y_XSOX&m+YSG9ru)Ikn3uI3)FTLMN)UACpoGc zSxpcQdrK#^f2BEXFD5f2i#sX5m@kn`$rP~Yb|gxRYU9-T&9Xj(z&fx{@8(rHU2U?T z-pWEkZ6_k)Iy4^OAm@j%aunvjLw6gaxns+^mq!IT85e(QIo`svR0#^i$mIdHjmcr# z2LMEXgfm;qR{`lS-!AUxnw)b;JCi&2xB%YjPaRH&d+g<*S`FA$CvIgf zQM<&k0sJmJR@5hCX_pGsl6n+dXPPsHlH2OG6yzWWg2_ApD2Gf{!;SDHn{*mTZ2(3%9AtgL?4Q zYE`J_Xe#db`S=A;om>U9=KmNyBE7Y9$H8z;6l}gpm}W0ZwG}%v)q*q*AYA8H`k*ET zOPX4=50N`>%0``2NQ~;2gPhSdJj^%1J&df2{-T&2j>cJE0FoGQBp_r*Wjf^U zDC&)(DJiG}@?|pTay5*R#va@jlknyT0tuok^rjD=D6X@d1n9WfOt42Rb`t7QAz(JH zw`*8rStTljx7Cs~H#?p2@~-TZtXX$p#ysCtDeTOgQX$deuuuk#S-gpy+XnTD;S!`R zHi^2)v1(4Ka2YW$wKJoi?LLhh&ZFd`C!c=YbrXcwjs_^@9Wtz$>pCkp<*X3b4_~40 z$V#fFxacc=GImJWJlMPFUG>gR_g`P=P75w|O&l57jXg_UH|+$b)^JT$o_~ zflPATgGHT8NUV#;2l`K>ZOOM%fr-7#$c%r%@)ywy@e40zlc!G6W%V_L0W7Nu_F&}| zO^8c6AoG=g(N-%@v>ntCUz1i_=e>5o;a`q4cSkT>bo|<$fP+*tob*l< z2mnA17gE1X(~Zo*xn*b$mPq=UYTc<`qch}HR)YPEvu-mNWz8s}Gk+(-jY71^8#R@1 z6v`LS6g7L7YTTrTj%anc=^|{b0d1o6UOc`lcvaEFb{NGguZbQbB* z@($Rja)6~xrrmWHq)`($&1~d?^hhoW70fi!0y-VRGVRc}JNSC2_1t7tP%V$yj6JRKcK#=f zuMl~W4&}rjI$Xuuf@l!!>Hyooj;>@7*lX~qK&)~Shyms_xF|@A^-EoZ_YE(7TZ%0sN>RR{46rl2?IBW34=))W)nF-5|4T? zyYAc!hbW{``9!uJeVF|Gd9vFLhl-`5Uod(w{qm>XCpBtrDJh3|jciFh6I>mgF^qwv zFC6BLqGJ5YQ1lX;v)Gm|=tndJi~9Qeca{TiIuvQMp!iuy*%7M^fcp~~ z{IZtgFu5zrT+d4gCEQf4wkBmo_Jb%xs?+;g&B*@|xRXV(&dLh%hvk0y5?RqU9GyAS z?-VnGW|0Ow0CKbezzR3Ceh#iM#;lU@Z_ZaZ%jCXtE0keT-BY+GD?J7vq?otx6AVJ$3XLn_`Vm3e$J@+9MD~XvY6VbgQ9ibh5 z(7!EaU_lE$qCTR3!PjT__#_+Tzx~bEX_?+Zqe|zbATxz4S(Ly1%`a%sJSzGC43S@? z<3UK^N*_LeKd+c(`pgP+t~84Bc9E^773x>|sk}+&pyr$pg~l>yY&{$7G+mDH^Bif@ zB|ceU)*$w89W|_P={}wCpy|Q;Io9WBIk*Gy)QfcdyMOs@3I4nC?sxw!KA^n;O1hI` zNMgN-O%?>A-`-^v=2)n^A3gi{r=NVyo)BzXtu?cOZZD zzkQ9e8hU=b0xRf?75D}Z4-eaX#c1B=KKKg3NCzyRfI;xxIb?IDltkwq=-LjZ)P8qP z$Ly|&Zg$Rl^eA6^n@tBG2b(*7+1`lku2Ho2^f$jq|J}b#-E-%+8EIAcviqo?<=0F} z8B^7|cIuS1@Dq&Y;3Ljx2z0;>3R=bd*Gr6($-lEjKw9f>y0zrBz0s1{9WRP;QBrTS zo11G81of!1V`hQOf+g$0G4R{poROi%Ot#~ki9Io$->xIJMGU0K!6-{R9+MbQ+ZH8r z5ccU>z0E=3QX{v$V-b@!G2Oam8mVnx(U0?NM1y^i&QYR9GOV54EFS2jKG_YvyrdVW zq_xo2>SB9fuf3*o+C+&Xtl9Z=?e^W@31-KWn!diEA# z+!y(n6<=n{WJ*bzd0^o)5$+5AJ1^0(@rX{w+yFwhl@l_imn9sI@b{`<)!L;Ya*eg4%~Im@ZBJPU^`E(Ynf{d|-S zm>9UA4Xg~O^rGOv)i{4a^4p;aqXXW#9^k7hR84-7=DZk?z+;lucNkYd(%Z!3dz4{$ zj%j&bWyKtsS)^UV(&Aq_T3_D?nP4y2HXMO;_Ne&X|7A$~lol($nPM1pe~=iNgJYUZ zm2r&_*thfuF>n(hFm0?M-QA1bryoW{zx4Vq#u@bS7t0Y27S;)zw_mb?DjdPggi6;s zq|^i^NfEZOAafI|b(EJ7GRNr~P_vRABj0|LPgu{$7j%`DcloMDD(u^;a0##B5Z2E~ zqrzInoWem{$XZ|qR@&Hrk;62Ee8Lr`;AA@f_@_^ww3E|+`!AL>cRg^z`}R)9*$tno z;(i5%=X88S3(%*DM88&t!S-~G#f_b=(k>FSPuk{t4GNgkB|a

}~^OC>Hrr;*WXp43eRk7M1a4n3|0Ot3B2J`?{6Ij;)1(U}l+_etl&-Q<7# z7ysM;ca61pH*hVypey$QuEmaL-yCO_zgWXmfRZ;^PO4Ow>Tei%Ps?CAnVFa6!|v{f zFup(P?mi1cjWCV(k52c$xO#DVdVxGrm%PBy45=|u-XxTJ#1WF+U9l%$om>XVH^~;9 z*&8?0z_Ve<1|S$xLh6XyBHoKVfg3$ME1w5o$wHoGNs*Cfkw=>P#>x{7%@`c|4n!6dnp)w_B z-Nn!;1?z*RuKS_HGHkXOvt|(%2s0IALpGC5BDxi#i@2=$Y0{-p!eQT(`8;3@i@B0! zCX7@F-ybq2Un1FZYrEOibm#BW;I)vw&XX< z(T$1#km(k8*;JXhmZjk6#$)B!lK2+U2hJ=XVMD^ZJ^)=nqQ4RXGh_Y1XEvL7m+ptE zs2ixLt)y;iXI!L1yo4+PeT{t3)U+5BBNwktnTwD{cB4GReij6h#q)_O{6Ni%ZajH0 zcB6XnCixrsQ9!A%T=LuVgY&(UgJdi6%W7G~w()>xh7Ov{;ASSNmvK?4VdZgoqf5uF z_=^#m)6iJkQARTM|55`5x#KKIf@}nqK`bz8JFV1#IAlRA;Ln!?#DrEcHS`kH`zkwYU|bc$-$MOr)*cCC_HXT4H;G@Oyx^$MR`}bnRlU9 z02_+Hje==+lQKk>eBekIr;7s|*(jc(j5M3O%~Gp?qIfe`7+u?32QeNYYEDo)XVF!f zCsNzf(F2IRZ38sqM}RSoYbY#TEalsV>?f{$#~5sU29cOCJVe;F65U|c1QMCI5=jcz zC~asf?Q=UEDWUvc`m}aGmYf*@HRRU#M`#1y=Vhp>HHL3IwYlOPd*8cNLrE2^G2bYl zaX2$UJ{W%aiKV|zu+=h4f<)f_z4_-{Z> z869d@&BX+8f^i$5GJn!`IGuM)VG3n+#ZZd6*CGLd15A64RCqz5cS*p^ z5j1D48-SKw%qCzHmBRhSW)-zzO9l`!(lX89c6j9;UYn-buC6;%?tv0u@sJO}Icrw} z^^3H<)wp5uKA>s+K4GA@5^OA$#0}KRG_Bkm5M8QhbE4p zT456~ypT`gD|WCHXoz&i zPjem!YM@IiIn>UGh?voH!ZU&Lutqd&JW|2v;53x^a-2Eb2f4@@5!5PJFbkLc7cLo( z_Y+KrIWmvJ8!3B}f;?dY#th~X*^$IT25K7RH_V{qERG;j$?~p}Ruu?lI)ThZ#%4f5 z>V~{JdZ9MYRu>eKvWg+1c7Wt1;R4Y^1Wh=VNpNAtFv!W%5W$&UayqAwT1X}mY%ON^ zl+tHr+mlJe#g|v4EXpFTW^-Cy&_}p&^7UiN`hVt3A5S=n!d`6HYi5Ipsa8wHmGk%@ zb@qtBq6sO~#H@)=sK89jfX(4idNpc}3`g2=(<+@MQrZk@K!+{cD#*r)VC~4NqHEjN z+*gt-fg!aVgs@0_XUa5*Q1$Qw7Idz&F4iA1+nOJKzm=8IiQ?(--J5$6OO$lTDEnTd z$n{&N7!i*M%R)SRrgoPR#gqn7tx(=flAb_4=?G~l`21loKgNv8g1RVyqBV46&r$VfTTv>Ew`c-dIqpDfL$C;fmMNa+uy~IO&ocAzDD> zYKkA*lx`{VIQ_Jq_k)>{ezF_7DgcG<(yR+c7t4pCRN{GkAGa7HxJ1 zniWSOU*_=YsjIB4<_^7W{$V1Ez-(UHXq4k@yIQyBg%h=5o6Yjz-5!cldo3%DD;SUW zUiGd}$B0CBD`!+)w!(X?ihTvOmeD*lMNef!SoO%shO1yo+vS+5Jm7d% z+(yn&I@eMh5fW3?7PLy&s6G=Zs=HM>dvh#UPAxl{0KpP%nX*o}!*)W6W2`6^dTVp> zFA}6Rhj@@BO)w})(qB%Hh5i|g*;TRR^Thj!(SC`RPlts4;xHI z_GUO?6Ac--!bK`q<)I9g}7Vzgm&hG zk-ScashDi_`e)nG-boki^_~p!8=?HgcU6_wxiT564Oe=w6Z-3&KD8AlDgzXU7KqEl zA|vca*YjEj8+Tdu*aG|?na=KdT_ObTW6-=ZQx`=Mz@<_N8Xh4p3sF<;`u|)g~0O0ZvoY@DDEllGmTlOw3x-3^#wFau+M_K8fc*e81bNx+$4v2P-3%?! z(uR_bC!kYdU8L>Tnyk`nW>}~A0IihEf%FsNG@QAB6T_|Jywv6pHFC{;)-Vf^hx^h- z#DMtXxm!373f?5nGjQdgLeNpF(R&-!T6U6w7zF|xDKHYBc36LgS&HhvZt|4@07iO` z7`rJd;pX&vnS{KIG%}>I$c8OL;QeP$KYIGfC$y%!pZxUGCm(&X`{}OwWn3#Zz52ma zZCe5AQnsKdP|oO5Sx6e^|1<#oQ``Lx9jJcze9(o^MHRi&_@z~qlF~W<+tYq1KIuf1 z;bMgLu8W?g2~*qTh0uU;IENFuV~^Lbm&GD&3qUcKhqseHX2^lca zT*}olr5#DV93#RVgi;WHE~Y%l#|n{6D)}R{``NDQhG|)LNH!G9n_Ezv-Ez+vg({X0 zmwa;}3ru3_jt*QFL#HJV?60FU_tzp!42{md>#-(1_PBt)#a%Lna#PgU zJuEMX?0vHO#FS_30x5mBWz;zQTmao?!t9<)n%8|Afu=O zj5(Pwox)3*Jdq_{Kz&mlt_eGqL()t(y~Q6i2h8xKx;C;5tZ<2Ui$9g(Y_y8lnd_UU zXbAU9E|BjGS+R;|CA>Kdfmsq!(Y1yy4N+w@Qx$(y@ZK1MsFb7dO5(+Vso)B02fv7= z$K3I7l-OFq_oIr^w&cv+z^wqVJEf$EYf9}zO5Y@h#L@o5nGW?ES|wd26!VYDoN)YoiHE(|26;zix_slA`h&_XhpdIfl%lQsH z=_0A}cRQKnAXhTKr)ArQ7krJ+ChCm7U2hKc9HFTN3CeN3N8+Jj;8~ec2BVd^Q-F4^ zv7cwOA8H1fdv&r%Zz3QNBPOnO7oCj5#Ffd#18NQhoC6jtv)$XfwC4wVR2e z;$s?ifV8AynDbT5r`2_jq3?v1EEtpyCAy%@dun&SI03k0c^T#;SzSf~6B!O2;9fNM z%cxK_H+6?Dwbc*@W3*Jz)df7%LU<(Upv+MaUg~^R=@ViWai0`5m{WSE7BgAgIycET z#e8RyPmy3+Jyy}gsbRSRb%{jd2AhaOMOY8v_RDQarE2oc2GE)5D8PfN%(tov5!7OH z-=N9xnnU->cz7WovtwMTzM=V!KRZ0wH6|zLg$|)E8!mm#@3%xN<(+H9KrcNeh~b+D zqdJ|wB-u&V*z=v!Xt7ySwEZu7zdXFS+CM$$RX^)r>|I>;+f9uf zo_u+_zXy7_D_AZx$?jK|^p^x2Be*j}w8l+?L-v*sGGW>M#mUH_ZK3E%V4(}Ax_+&J z!ps$_9C(%TEva;>IMpMhxBvQ=e_2pV%e;-Z@Jxtb!Jt}LEu4)?m= zwuAd5a$PvaaY4(+ea5RqP>+2QoGS3lpZvoCu?yqOJ|`H4nkqum6oEc33nYv}s) zA$NKwD_~hA6|!_chEh6z1L6d2;r)HOJ&@(Zbj8kxacr#RWZ!iKT+!V-?yDSyehxW2wX z0CYo3hJkrqESJNFsoTOdU^*wU>vPjUbvI>}6lV)6XFg%nLx)yLvP549ZxbT#S%uyS zQ^4#=UG(FM{!?x?EP3n+Kn~IA@mVp>hpXrQn1!@9ZZF;f<7{5_V1$FO)?Eh2)|}7( zXtnc?zIHW}^D>0-l_YP59}Caq6pEXqp!p8s7z8Q(47D~~3PYa8YQ&|5B}R@MJoGu0;}f zqP7C=fwui1NVKK@K-tLY1O3;DIcCmiV>GpQc(zYZ(|;>Z+V43%+4p=O+Et|;{>2w8 zA}*Hf{S3Y!pC2=nb?xJ$;wGLjo?k9ueeM>`MLHu~NF43QB%6WzIVUA7#QAa>;;=Ez z3VV&5%49U|%=QzxF$A48aCOOjVD-y|%a@PciXZqaYF0hZg~I*0){1jvn=Ms{6+ouD zI^5?bGozFZuH<8{hn4^{>hfUT@b#ehb}FS)m7KD$N=7z_T2${E-Ro{ZyILN zD}t-?MSkwHMM6WZ9z`({5O-MN*__0U#*km(c0L@rG;%FUC}KUS zj9nZlvje8Hk_joL|N1y>3ue3qlBpoXgC)Rn0$gcav^U`JW?usn$?&&gz9qqM5d;7&C+dOY#O;F?2IT$=bnJ&&31#l{R`d&lv0-E!BVZ zN*jB=mMqp-(`bXSFpr&s)nbPaygkE5k8kruN)pY2ud#uBTVU}vX!YJ~@HR)LLd6r! z-{-?gPst~G8sLuavxmZIt*Fq)c$J$;so|FSsKdVd4c-v?>5cm|vUwtkM=44J7@0aQIAcVn z#?8XCSV%Pq+Zi+`6|hNs zo>Sy9;3&b@uDiJQ22RDr105a-cRbET;b9<3G0v*2m#o&DiwNWLFn|bTI1BlY{rXJUs7TFtAMZMGYQ) z=1Lq%(soR-CWrzy5ypWcuV%26+tPJ(zIr^-63a0P|wG9U9b+Hlu;x`CL2Iv?IK zm%D71(0t%c^6PA}+>F$ghpXZBjmIHqSK=e^pGiit(FA*b;4hDB3m8#y-g4r)gg~q| z)EnMV53F?rd!x-o-*!RrDM`wQ>0kT6ZP`usgMnF*7%R`tRvBsduNvp z`<0)(=YJhuSR{^AZm(}iv}e-f$Dl+?M;ss;u^tr5SzPJj{bY}0V8n)Nr}!7_L5Wpn zR$cVDd|^4xt7ug)z(xmXVVI=Mvo1^%g-4iAZAs1Ku9jKhp= z7;VmOvgc5xr7l|YOY568(l<~El{%Oeg+3{+uh-~+ZVlxf!7`T5r^R1CvS^PQ2Wt+T zW77?%yq2TE+9RIeq71tHxN0~0zyi?z!#Lz#4H<;&^;6F22IF`!MktU2JN;kS+Sr0$RUC))AqUUOKBk?Wvg@nR9SJix=v8dMdJDDl zfXsQT0BAl=4j*4r$163awcQ&Ty|QBinEj~zlnbUTft7Xxr()oCLClsF!FbOaNPd(U z){qbu_;nsl;4}``8fu*Jqj5T_(zI)cv|g>iq(s8VT}|M1_eGg(HS|+>KM#)%FTTFo zJ2^mvLVntbolqe~bO*2F-0m_?f91YvN~_s~oepCdl#NICl2bZpPRpIo5~IHD{gSEI zU!I;H?_KoSwd%kboc{EX-{qBEsww~NB;kAJ7~rpA>9 z&ctU``v$$Xd~JC&w-2s93Jth~l3>)d$i;#TC_vnHLV( zxU`hysmkZ!*`4V6T53*9z=0CyU7$Cf3fLY8h@n#IOk+D2*xWjqcUC$kIbw( zg+jpG-6GsF+|B%$nMb52I3NYJ1V|9BfNtDw;tsl6kQyK^8em_ld8ux)2UUl&9u)rq zfgbcsKSAqTYwf+)HnYg8LrFMfR`_e%ey+Wq-xqD0K8V@+UOV7ug7ClKgG>Nn3?pkh z%Rn7DxIi>M!ykA1n zVCKGXBFf(AoFBxAly(T4$oeUacgv;HNO>J>@wmQ%FH2L}#|q+d$yus%T3n%U<8+Ei zF)tiq2J6C*03Ycai3pTXcy(C2$!}6~lJrq&V9dC3?e1PpW=Ig-^tIPC$=kgd$x+zF z@hRQ2Qx+b3!(6u}EkvipJEG#EVZaq4JP%eu&8yk|gS`C108O@T#UmMgtb6ZiDv>il z#H4ssnVcQ2iIik?lY$OMUlil4dpD~DGzO`D4H-7FdG$%4taGDsX|-)^h(;??62-YX zF2RctJR3lhh#6Tl(1Gr?98Y0lM)^d`SXatH28vUlLILr2AWAFIYi^I!?j zT=~#B+BN-^N+KU0 z_&z2_qA(t2MFWhb_#`FIzOfzq*-{?vFEO!Oh5xF-^F%^QyVDzC2s@3uSKj(awhR{lev=3-K|L70ARrZHo-E>x+UAPbeXry5bxlj;ewa#dhj)mHr7s8g^_l>7@td7O(rV$kz)LKf1C&m*wJlJoy>% z?ze!`g1QioT|pS!W_^3Sdm5>rO`jX@a94%tgZR>cMTk#+jfVXBXdlS!_{4rp%Dl?* zXh<@nECTF?4woV7~KM3}Sdwkk9lN0-qf z?QaOjJ!<8Z9HR#5VZ3i1l`mk`3D;&j)VwbF&AW5W`fM{>jU9r`wlqO_5Y<8?S}YZ| zwkiX-iP(64=#tdtev^HFxyos;e#2Qc@OgAikM+w7!&M|tYi@#tWvZ<(!yehFTen-u z7IZnL?{>+*Ha@{je73(|YYxpfz2m2s=b<~eZ9H=CxfD<`9jaL_F1xgqWud`|KbQs*^!(@H~|J-cRft1tXO|zTBhbILMz*M`3_ItklxIM@+-WTBS z=6d`v1{&V;ql2@jJw~DU5k=LdgT`m`}@z8!-JEfUaQK8 z&GX4TsjBViBHPZUo2_n3bO;qFJ30) z6xI`60JPFkeU;$oCsXGSo#|J()(d(DXIpa$q;!&VL}=XX7lPEYvV@cEs`&YhG(Bhh zz0sOEmwZ=Dn~{BQ^M&%d?yO3)*~I4_h;gF5#v6xqm{f3OG)Hh*ELT#6;q0J*sN17? znbgzZvcVl2lEZe7Ta4n||l4sZL-f1q6X7I4S9eNl5W31NV3g0)| zG!?DpU0^{{PaBv_9#>w9)7jhYV5{$n3|nkj)G9g1_!jFO_m%>$cNSkv$54YA_b7IV zSyYIC7@0`Qdb_?AK^eSzn?uWH42}*_%9G4#g$>Knsa)DuP5~NLV4ZWKrg2kf<%K#V z)U3w$#jLJ46MX_a5^(`@28Mhia<#jPk1FDax2BzKd&n@D**>`eK!~Ih;^!J)dpcxf z5e-k=M==(|P>$8(}yvm6zoi0sKw_FNZTbb)jkFgI@@38oF zEclK@ z4H9dp|IX>z6@NMiIdlAa)HLLN2fvTy#|dBu9#sk)%7(}lAP+nfgj|Ff3sZIZ(ivi( zoV!XRRw$=XdS*IC#c)WatYr%R0@sVvsy`!9z8H{bBrBci*X`}MyuBGJd%REq4E!+@ zfZ%|!z<(pcvei2jxM*7y+WQ?vSWvJ8(@591T!)84Mn#BFS%<^CAd9hiQ@c19H^3j# zZMxV#@<^{+vwAWAZ3~aUjX!WbHGQ7T82^{``+=|t0@qgc_ZFV4yFMfgz(_(ypLg5| z&2*QjiWt}x)74_x#@kmA4qfRX$NPh%o2LGukX`|(R&o}BJJ76HWF*+sdQB0dkopJT ze_G$Io2|~p9Ui!w+kAiL{f98ehs=D$0m`}C1>-SRgyWjJALZ7w)eHZ)& z!*N!_{!Gh$?9H)og^tR^r3v8296re=Wl@T3QpdZ0U#1 z+!~01@01e~Sk`B&b_OkkzheQGbw(SZ;@=3F38;uzuF8U5X)D4Eat*Ig6 z^I^Kc*70+EVw^cE)IrYr0PRgg!j$t&+!b@yX0$E4MH>-ABhb=l4-}ldq3Aso%YGWg zP0{e5vkyluZ^?6SNs6QN*j29OFxk4LTyd9P1BB}=v~f$z*`}CRY4qg zmMBCScyW+&0{auPmo#SVRb3&KQ=~d>?wUV+R)gN|6nwZ! zjLTHV38{%m{uzD54Ajhy{66$;cb>lAPihbh<4^Dg=X9Cj)ipI`+u9$t^HxR zM|-Zo2Q)@{+qQ8B!soyLHd~g-O+wFHB;~uLyh-Ntb^CWdC4&p}!^>qtT9_dZmX9i? zQ(nvp@W|6!Yi0??pIM!NteTm7ck`OmXb`^7??|Ei@ZGo1)9hVgSig76Yfc1YcI{aW zruWMvyQZB1M*7_{nWYuziOB#N^!7jn4X*f8I?^R|f6uW0j?<)^(N0|BZTik3&346q zzax8s-q=ga8~ge>*>@jqO$&Rd5@xRJ1xSYXXJw|;(|cvIV&duj`FcuIy0-?=_0iE0 zy|XIotWxsx(AGhcFthe|-=3sv{PKXzU^=0AP3!DlgU%jg=y(Oz?^oq&v0#RA(-P^^ z1NjdK+;jIL1?@7K_>;tcdYOQXp3W4#d{p@ZS zK=s?rM6zpQt)yo@5oxMlFxtk^G|>A zg#H=yjuYk~KE|UjX>)`&j*}I*z-jg-A2Q~wKTdPftm*8W7mQ2DalK=*j7ahqGib;Y zc*!kY{BcG*^#+mxZzFSqEERfG0x$}i)#KH;SY#vvE?`B@@x}xXEhZCqDosQ3{>AIl zGiruj+!PahdwQQy^QSACVEXk5br#3%C9MX10EUlpGJEoiUwjf;!gnA>CpblS8UF~v z>o{A`HlfoxFXX)ynAtCHlgWqmZS?coRRvacaMqSJf0xuO_g^$rVanZ068<>*CvwivrW=YZ+C!u$NS%8E*O*4zFe?c=b3^xqPMzTEk;wTF;%!e7R{sk#S`0z9# zqlaFu#+ag4X?Z&U=fHU=`hFc)KQH z@SJW2BaKGb#B?jpak=5QkpGb1z)>It3deXeWP21)Dlt-A+TtuIR+crc$3|+ zK5;;|=^SSL{U?tfKmFwCC!f%tq`|CLqQ|_YV?vtUp!a2#6f)s&SD_hNsvArTshfk| zSBvtX&c7fP?<<-Dpz}ezl0h|AeIklXN_0o4YmIC@zbZn$Da+KKKZTR+JCuw ziZX|{N0%?bCKJ~XY}rt45EEqpqfVzf;P>2`#!SClTK z#$GlAR1pU0inebK9ETj4KkzEK2qx#uZ;S&`97vc$dr@S{;gCgbNIp4jUp7MSGcDtj z-eNScbvK)?&1UUVT;euO{Q`?oz9_ixEZ`J1^4Ju(gJ&7^k_k}lI?6rt$82&5;7ONj z89tXSwIA6#{V4KSKXMCO#nrCL3Ta)-LOH9@?OHD5dSUU8st2p&8kQbO%FbH4kW+$G z=Lb+fbl)2TKRB~_uOY9b%6Jzq0M&`(!0pjN8jX(a`q9NHG%{?al7e&ZV>hlIw@S%M zPc9LkG>%Le-ppgDYbI3$EFKxwMd>54oq?d6Wj(~U8-}`b zmjM#*MtFu+OYZ?_)TJH2el>b(L{fF1EJGPUJBat<{1V8tzNtVeRy{;vhLV;#$%U0E zI+2FjEb=Ipj&p}A9!+<=OM<~6vxwdaxhbYd+&go9U7T}-<&*hp$_1K9jkBV`j%f_0 zRreqvn5)ip4aK|z2OG<9mME}9EEcl@iRUuk1SHwC$92G~#h5k}Zcl-{2xKYB`=NzD zbZEE2WX|Jy)VRodU|l3Mp@Wa@k2pxsrge2S%nHJ799u|Wf%^@^_@{3PbEQ2*YZp~0 zm~|IAL@sIu=i>RR{n2m#tOt}G@$B-(Aj3D_5}|>CCK%|UR5V-5G2*?X&S&es)fHXm z$9Z1F0Apxkc~WN<-|mg9Sgp@axoFfC3naeI1Sb;VqU8+8Lq=lxQmAOdnz}Rv3#ex% z;Z_d=E(BBJj+6|z)f&rSMl|pu^r!AT`Z2P12VHy3)evt3NsYlHcft={&P5Dv3g4f^ z_d|QwcI`cYX%7Ya26tz}L#3?oCA$U)x|!Lx(;RYzv>8$da0)~jX{8C!?w7OQ*_MZU z%`{zs!E82!>8Q2QkUfSl3tzG(r=#m4(CK~z$tHz+o+;R;SV;8UAPI9pWzxCg7Js`T zhPbu@Z7Oe5h~c;Ra|Li%*)jRFXb6Nl$HGvwzr=WrH#q$Lpr~VrC~n)432hF12eLRd zA9*9X<=O#hspw-oQTb{U8ufvQe}Ep{nr=r+6xCm=4C7KW^YGDEqr)#R1=VIJ$TN?% z!Z6mNaB=-o+$EV*JIO5ao=Mr?b+0dJrpQs3pY}1xzMF)8t9mlZ@Z$;&6<`Zdq~_N{ zUubjZR6rkJZ-L3iV$HD`$fpU>$nOZk{IJx!`zd{3ZQpw5s5uk3MVkSibl&8>4ifPUEk3)kqa)bCYd{Y913B-s)j7dOq6X@Whkc?0U{#m~7ERTy(g919dcTj=%)ohH82RguUza#%50d z&*|C$?wF?fD9vNELm@kU)(+v2t{TQuV~<(-cs|bW1m{TZ=)TVdZ#AcAO``?|2bsD!t7^9)hM7my`XFapD=Z7RSg8sv(yenc)r{hq{I0YiI-9F$Ks( znJ9z#$=A{jXRw2%Zi)=1pLpo(R80pi=D?-nqn}S6D{0)dw$d$_SmBtb*L8e5WL3MS zz_S1@p#<*WC4c2&x|VgNfk>GidM`M3*-Z*hm)#PtHUyQ@5uIL1|F zZhAKaQjBz;1sR=->;p@5n0mK#;J6BD(}f>Yq?l&A`gS|NPo!QOTn zbf0dc@SOR*@Gy2j)zuSA7|~@OG57FlxeMzro$jB%ZW%W5H%?MIeCtynvGLp_Tpqkr6(T2Lw;i+)BtNb%5=kZVzQAJp@jzeJB zQS`eiv4GR;nqg|{&>I2Dg>s>9l<5uh$5?BL+3DhW!9X3&p_^Em^S5bsGplU?><%!j z?t^GuFH$W&D_DX*i#)g5(AqQrZM0HN z_4_T=O+D*^_mXJjCM@}k5rBBL+wJMZ#u%;wQ0blKzTr@r@jz?NvI^bomhEDzIpikg zH>kGZC5|`o*Pi|0Pj>mkZ@!ju@h3EOe{yv84V(R-sA_?oJE3a*sq)<0Y`M*}gUa5` zHmu#Tk4R>Tl|E;tflazx@zCwba&0@r)rp7HH|Ow-=^%VTx)z#tIMkR> z$rPG9Rmqn5b?VTu+5@_fQ3?kjQ@(WPmp5s}7!t_swu*nv;8K$5!bYp0!AnVz+@w-D z%!*0FK?bWJ4H&_ESGXdg5M3q3g*(g4DK==|%q)-KNFsDz&e~x4r-Ms-zjMBO`O;$9 zTiLCs_9njM0Q0>T{}D4qEjCU|TA-@n@O@n-OtsONWiw5Uu?ULOD$r}GcUMBGZV6oZ zrZ=P_72b#o(m%CVC&_#6iLy?XzLUL#d7wMOA$gs=_gAk~O8hmUZ5u|TSpBH&N4`vUF9L%5K1BufobmkQ*M+NI3W0!l0Chw(F<|t!aq- z=%1)uhSVQj+{??aE~xuE+w{ji&_ME*qHFyYC4F~$BHwenhJNWvIlCAqtD1K7HvLOm z82?Gjva#Q~^h7`mB+R%+%}2q_g&{pmJcN=$NPI*#wyE9@-)HqDFkidmW5?PnPb8j8 z_xB=g7=)xbGEwVZFr-zix7=_BhY%U9-pjzCEPht@)*Yx|zSBxz6vCx7DGU*knQZtf zI5Dy~!_T!K&Z~Ipkaxt)@$Een+e<9|1O}$s3E2ppW%nke67W3bF^)O_OP^Gp15TBm zhVyZu`U!spnK9Rucm77h=)W%KK4+!h+i;cKqP854_Itv=?L#m61(FOT3T_)gXQsh$ z2%8)%D`_`?ub9TcgtTj?vKXX(q?6w?DLroA2nu|mzzU#;+yp$-%F)&Q`R%NC4 zrG1;NRg#&w1R{f9PrGDCc?VEp-T#?xLEV+Hf&fQewlRO^G_sIj}YL_gpyqOoF0 zr~<{U6q#1*AwYKJ*jL4zkwqM3eU?f?Ad#YR>p^I&F4lcOQ&BGobf{?m> z=Xh$VfpK1NGQC4K4YF27FL$4Q_Bj`djuRX!Pl4*tVj5W4E<}g#(2t+U&p2KrsZGKa zjRu#v%(K9TZ09@b{20g(K9!U8gMma9XO4^2@1k3MHa)=FbM8?k9T!2iU>aqZsVm_0 zPYboR*{dg4A7B{fsGVW;^+Bb`2vfE;Gh65&~~*`0ap$`o?U_B zkkCD$Ng>zx+_Qi zs~7oenzP@YJlVGBTk1E5P`F_$iT1cO$PK0QWElq=BoEnViqWN31~yC`r*qrjf?du^ zIw_!lM?i;{J`P>AR03P~;Cvv+m|P44R*9RIL}{xeCr)yx<}Fef|2wRVv++31-ECk0 z4cWrpqPK@x=p8y7dhyEpfY4p4kCamijPj-jG#->e_o4T>!EO3O+IbLCMn2|#o4j3S zK=6@t2d=fMN>U(a_AdKKATI_1pT6d|L{_ zT-~@5)uAMVyP_Xo{oY5Jpc;yGM~Z^_sAg z-zR8iZZEi+2ub~zuWkL0P6~&M+Iz*yBDs;pR|~CavYsdmX#~TsA^J%aW{R-jC&dkO z9kBl9=@OzwSSa&j#OD#`qN^XD0&fR56;p#3UB!l;njXQ~wwWGzSnw zA7}wSJE1@#Q(>X3m)(SSH-l?QkvatWgR?~(AD)O}p9(jKVMMWTkv^fMIRTIN9)WuY zd&l!wh<3nzXUP?}7p!29fuwO3?OmC|YDC7;ur7vEF0bPZ2~m$8RCR(;?en3}MnYfU zxGCfOJ)IP<_6f`li^$R5?xl?x1Fx@~$~}IaOrRgcsb4tW9%4@un{-xqV~%Foq8E|9 zWsdg{4)e6(y>fkXequWOw7XiUERPrp7Y2j5n-7vY>59|(ZC{Y#g0tt%L4Fi<0hel4 zJ13|jh(Cf?PL~^3+*KU8x{6wx-3BD;Ft=hsK7vP?a{A% zE-b7s&)sa@UjFx+nv5qdv}s6;q>(sH-iZpn{Ul;Zgsr`H9GpRG+14T`Rr<#6)4%BmTs8cO$R#P-rF(hBTM$z;NyeJp$5trklt zw{(C?o%HD{6=_M6xDL5gk?J;PgEaeSNMb~4vGx3P(Al*xC#?^^GtaA0dFT+~9o&)2 z)o7VDQhkzpV@Y&F#vFj zE&~~>HD@XzpFUE?Fk3$8u&pII!6vc9!~e8F#GO%RZ?o(XP?qnPaCG2ewB?amt;q0z zs=y5+dMgO--Pv|Q7~7sB<;l9K1iHJO#JJie3VSP3BZp~O7Ntw&kAoM0P_HbmBRdc{ zmQQmhKNNgWPpuP;E=p@*JXU!oQgHKi&yTsoQ`j5~7a|L&ry+TCq z4K$W0RORcT^Lv8zMD4xHcZ@ZBiQv0fn(onU-N1bQwad*d!AG@wZ(?>r@tMbzj;nu$ zL!aHS6Y$*|!FXfd%DyXD4;Fu!|NS!;FO0unb&dCvG@UjGpERh*(v0m+Xt&r7p~rT& zMMv2!;E;WOYj>(Oz#rmdexbc@uz}N0KbUyV7G0-Z`Sx0jL8)jJm{^}Xr~8nd)ga9hvR>}zA?vS@Bu z;G#o1>wr0H7P>%ddWziaw4Zi{ZW6~POAGUk^s#6)40Gy7n`>-NvOGvvFzoH>b&M!D})&P&MwDWNhw@ zT{%G?@OhAer#dw-h|C!nxR62o5q{mpaC~-gc<}n<{OWvn|JCk`!>g0S%iV+B%iZlJ zn^T)KNoM2q65&aov%2Fhw6BlO?>-;VHFdGu!3Q<~Q$Vc05LKqrRlu3~r=zfV>^W#+ z)jyEr%C5JXNzcVJV1^iFlWA90I`SYFz~V2OryQL-avBJXRb9c>bKDmp9frQPgcDgX z=$(NnPmQ{_zkAvhwQG_XT_Z9WB~2WwA1um*Im^@0tU$UZ(hJG9*~J%n`{0hqCU7|% zr}<4i+o#)oN4j;N3U@7aq^+{B8X&iKSYu9d!y=qlnCt zFUVMWn@#K4&VZdY%_sAlUC%V_@K-u}(EZ8N7KswR7x%_Q(hI*%Wlmx{1_j>mJ{4FuDgcceg673(}WtXtZ=$)n%G2esrgN{!@2KJA;dctV2ns zGP0eAcFWX#&!ZW1q%(N0zK=P;q0t=2{}<=D8MM?S!uIr57~2c#$$hfk*`~jl^3#n` z(ulna!N{mMW5gYDhhgMv?3MD_$1c$S9zUY&?YgXzMz*g~xwHoV9Oj6gor5zx@+fF| z5s_crvF28fbH27N-a!2Jt$3_1b|qb_WA(cx@_`5Yc$K`r&tjz6U3;jz*Ers8xoOc! zrogJ#yG#bv@X^QYd;sEv<{@@3O>Jnd( zHRB%Tb2}Q`;bppg%Sk2RirQJgp z2(n)=hyLn#f!x`L@2#U7I0E*QlB~?~xTvc3{Is^X=}XgM)#O2r?I*|{P24#i8_(9j zooc>baZ&}0qm_1~5e~W`CSF;QuF@~6jv2Icq(5ouR4#YOw&s;viU9ATl~wcP)!|Rj zGF^?GHPp<*k5SRrQo{Q(p`XGM(c<3>^hIeECMHdi~cm*O0L$|peHYpd+a6L0xB;0S zYS1aO(fwyMZPAlKz1GM@X-+-7evUp6N#*%;S!B4BnW1*&Q?}mHrg#BzfKIl4Nt z-if62*M9Wh#PQAW!Fg(g%a71Y`_UKdb`(!=G!Z^?V~G?KCa|}MI9!SvkQtNXYGvFTB%7bJ5J^tfNo7D=#P)ff+d0%YZ?`*ADy%JzDJsB zmS=mh3S_$rxfwI2H@cy;ZB?(I(Pka@x4=VUw}(0eyZ?rRqOWab z*RV%jOvQ%V6dWhF#USb%W*)nZwel@gSKFG;jV_N-1^1dItb;LJ~7QHXT z=Ojnd6Ubs6$ZprFa%V~8@wjzkIDf6tTzhk*H}OzYPK`7VIz8H_uO{@%i6)uyI0wkk zQP9GW3vqpoSf>9{)F<1ANcVV48tYkpoaE;U2i;b_j_IczuJ9;{(kLoP?`?71>yH>n z`Yi8zpy?jNBTH|irAg|b-a=S(pOJ7oQU}xg&WEsK^*FZ$Q&O|pD4P^A#!%eK16NG&Lbqa07zcRHxt=mn^6*oY&!M8|46m1q-Ql86<+(;>M>uu zpN8jWXDsAxbh0RJxoD;1`M-nj>(ZKj$Z6zyvaDvWNFxjucVVOnbsmwTokue(7Dz~X z6cJx(?IFJ(NxO2@wYDGG2@j+>RBC(-k-F0XR~V1Vm~QTeGBI4G9bh){$;RgPwfiq3 zUGjHJWOA510CoqM*JZNC>1<{8cu3`TQ)YE4&CRQlYsiQn%g|{86V|;DgG~fgM%gQY z)tdmpN7a`yby9rF85@FG5yPXgdy_6uJQ_O1ea0H#n0|PjLBf7))dIR(;#dbRj*m`` zF0W3{o*x|_vV`byDP2cpF;1#WNg$~qXk{y>m@p2Y!C>mHQST5apm;|{2mU)O3zLA< zVc(nntg`7MS#IZr{Na=ClS+$8UCsvQAok^3{g6Hzrx7AimCH57J>)C|*1|y)O}|~T zQ7Dlx_P_L$M!aeOm%2138XhY#v?=ITW1~m77PwIG$+IWUza_i0QF;=7HIS4tlAc^7 z!*$flgfAr>jqdFGD0_x4oNbFhFxKQD``F6u3bw&{h+k(BaLPv?m1h|*p3G>zL7aw>EzupRC0&siS(K9Zm&LCHkaa>p^W ztf6mMwd7vB?op_*QRP{v{^yk7G+$BM=^|1B=Th>a1_!Sax4#i^c=~^YRh*KntwSObK`aur4I%5uXd>q|aB}rZ0J*L;dnL(1J~Bp4|FqO>ppR z@ZOh(Z5)oyH(gDZHpH@36AIOD=;sd=5emT)X=+JSlc#%)HN3jukF7pyvESMwby~-l zduL~t#|IY=RCz^o&t6(BkzcG1aRA#Qa}!8oOm^C1rJ@VD6I?Nh+i5p3C)1H=Ee0+X zyt^W{H!k53?>dEA7AyJT9)wrBg%%40N7uc(jQN5(w+{xEF2*UB4{jAz2~?;MMdZYI;<;Hp_+W0~)(Ihw2pJj~T`2 zBS7OE@$%&6+nhy#2^4R!8=zX$&Qj!}vaH2Y?w-r3zEPd9SWzh2pb4$&)mWSZ32xqG zY9GYeb+R002b+iVx2E;DZ-56w?1D!dW1}?}lb^le#2&x0X^}Uia`Q4$47fTPPP-dv8+^V`8V=D!2%XUcKw%78tK8PP{^n(Wg9mVe^&;>lB_?>C5p<&=+ ze~4BG71>qI%9SjVLy5A-8&%~p#nq-xo0=pHb;Y0iQvL1d0dcUxE!u$5@)(NG-q^j~ zzFAo95E6-MPKbN&Yl`eykkh(hT5r4ECxTss>tk+f3x$pbm6W-6t5jq=#(-ybDx#eS z_{WLkoNz!9%PtQG2bL>4sk5qhfy7&Mom0jrpg)1+hw(Q(s zle=x@3vc;Y7S49J3shih)pB}QdVR#r`OSxI{?n!L)6Qvd)`x}Zh>xBkxBFgTqs3D3 z_~`WYmsix`tE1DS%Zr1nlf#3f-K!TcbukQ=2Q}dH-O?W7q7USmzyJB?F_A~qb*$~A zo;zDXW1kMjLS#{RJ)~_#rdsW@%zF)>t489T!@?HZ4EmmjqSMW3i;_23kBwY*^ail9 zWu1W!iK=(es5d*uk>qY}hk8$0rCJ8KNLrGs*|PVjAKv%j388@roEOoDpfwv`GODOl*WT1Lii-OUzv>ThBTS zRIwaKs0D+-69Hx~)7G?rx(Gf(Jm+SWibFHX_|SUCp~tT^&ub=Zu(Q~>oH)1UTJn6I zsYUPg$MdQ`Xkak3{8u^wHlk>w3hgv^DDqdwXS)Z77gwY6!~LV@NBg^%M`x$o$emi< zWPBhKAie?fPm%5s=j4U9j8=cN+pDJs}5*vsMNEp0gBitpINlChn+CcXs0x#`xVG4Df zvzEB;4tl*NgJ zKxFXrN&b9D^FFDN$PvhB?Ra4YlT2=8Q&Z`Lu2fF8;}6u2Sa~rCBoEG6Pg3{T%w-%+ zO=G76v4}!U!Z79hx7SkYM@q$5JZT&Kn_@mqmEElB3p6!Xk!wau(b?l5^b*|hbV1l@ zb@>PS)L@TSkx!7f`5t43Vci`4S+aKS*w(USX~?AO?3b*lh3Ru_qhjDD^^EfZ*iGYC zvMFYqy}HU1(uZzVLfoQ`BR0KUXEgC0@t(R1cyto&Be3PM*MwE&CCdB6QwdF&q{%$` zb{D`q4ghJ3^-tX~BH(((_%8DZYe-o~xq(!7FCQM99 zhgQ7fne50Jq7)6!t==2WJdk`zeOA?5t{7liyO1>4Bvt%O)_hbmU!D1OaDmC!r);2Mr$Utp1CIf7$SXx0jJ#MGwE*q3v~30Du-gF7Nb$6&ZM-EIbd zGXf~P?j*{1FcdsG~4q$?el1H;J)o#>ND zFG;4r(npQ+knaybP&#a}xL8++`E1#*)soW62X8!@iO-%68i6!Is)KP`#TwOyPuBP zuLk3w6Zc)O!~lxQ5D+36?DR1U3u?864@|3X%ZeniE9UX<4YZmwykV`4YC^YE!Jy~# zO?FJMw+3~%Bv@v`LdY)Hd4{i$9k#WpIW!EtVlVqt*;X=jbU2_9WfuOC84;bVb6z+B zy0X>2b|;V7%5#%4p&eXOBOC7NZ0%i_@YQU3%6O68B9PxG{a7+E-)6@M z%9V_il?l&F$m2E4GvzfC1sGhO2l0jw#iLn?s}KdaPN)-H&}CFy*BrOt49#Bpr90`g zZ1V)@Z5!3i`>VTjIoWIkfjru66yjEqA;8mp`fa~syarZDaF#R;u+KhA3?*rV%u7es{C97(K1{dxJOm5oqr!nDfCyo)jM-uIPSSDkpp6t<0yB~0C&mu zxJPLdJChZBL_39DrqoWhu~<$+)(2pYKt2QkD@BE#E^wAi1zo#C$5c`srb1A(L0$!pj9Q*FAj0Qqx%_=9>X_pf)^VNpj>efs`KUG#Im$#FsYmLdvY^x zrQ|3ncjX}3j}9DCL2KfmHDGJ#Hcsij)n9G(Hug1fo99!#m3nuwy3s@`k{^=!6S9T2 zHf^VYrZ8PCme9~v0@$Tv0tWIk(?&3Q!`3M6%OAObd1He@~yi17l;XjwbACxkRf zp-H;!@FAkpt(Yf_{amIl1cbF?AQ7h~R@nznC!lf!8Evqr9?1M}kJ;g2ga?Uw6U{>d z@?R3kNRy`?jf?lGFFWphCbAt(vOS|80!&;W`w^rP9N?7mB5?sEvG=b90wxLj-up%3 z0`SJn5{YQg7O)eXz)}UViZ?r~KiC}a6J9%R4^bm^s&PkxX$VeJfY6K1RV?D<9E97| zUFCR$v7xcCAD#~qE61;2jh>n@V^5^HnJF1gbY4x0IAdId71Sz%2F1zi!upJ+-e znP}UJWb^VukjBBLMH2ty+Tof@(2AFxkt3Vw8c4gZ;qoo%A`3}x4)o3uwz;HO-n3#Z z`{zXfrpn6hh`@}t79@}sBti80K$R4UR?XT@JvZ#N6U;p*zaCmIvZ3IrUM)i*DXVo= z9G^b(Vs`M*MxWAkVFP=bkw1Yg!#mDyN!iJ`+a#bF_Vge?g16-_o-yPWD_ilP3C15w z6_(DTp8`m)tOzcfGW7|UPKyi6WGg@wKvIXO1iRB{Iz1Kz4MhZu^365XBe}IAO|LK6 zjD49N*{=TFhpfg%`m#h#rj8}6FDRleW7COA8D?Jxt|DuMn4Pnx{B)N!jfSadK?`==sPCuZ9ZZ6JYpDZ5}Jp&NN^g z1g=yR3?evSF{>lVEQVHejGF0ci9UJOU|8mbs_F0u8eE`b`pF~h$iK6IbKXp7Z2^}G zt(rPRjPZUJl!4v`wNWu4&I!JM=HSYqMK+5*N!g+=55=V6=7)u2(TRn?X0SB`LV+EN zra5DQ*rL(6&%%#U;amz7QkEBewXx%SadfixN#KZeV9XmU$LzihYVY#m`DpObuN;1P`RU*%HuohR zCzI9_;_{8e@Mr|^GpV4RuWmaIiakp>TyZ#nEjTi24&Mt{HQI6~WjI8OU8iX?whgs> z2QJNwb!TxbvU=<3U0i}af2FbsBvJT|EMCb?^JRC{jE>dqHd#^k4IR#99fN0iwb<4Y zJUdl*mc}@cb0hT-45zuONTb?DX#xi>D;gsM)G=3O*iAMjk5ZGw39A6}w*`7*p?Ow9 zA~CwT(h)`t$&qKx_JSS<$o?KZdZNH7s2i_C@vRB?Au8CI5 zjOhwIpLpbxKz6@Cj&UnaTf`w`M_4*_^3&`7P{tY#YY)&ttH^7vR- zgT@nlF*+~Yq1+n1g!2xQjGR?jEZxAi<~M7&S6vck#}GJyTJR^0SeMCbg)rjUccZ{# z6AeX-3>S>)=W0wjM$9Lw#MF3?w94B)!cv$h{blC=p2rpZ*D42kpdEvtzW({oO zz{=%nQT@kbxVChXJOI&%sZgEt%%ZZa3`YhQ9KM`#GPt#pzEH>-)SdOc*6jc z`X%`V6G&+3l6$yIm8d2OFm=^#6*4$0cibsKG7GAVAK2U<+0uY zos(_7iOa)mNfrptMJ^VVc$f-N{@Af&h*_K?)%aoxTtr7Q(QTk?&GjnLCRt<6DxXst2k~garsK$^*#RirNZJ>8X7)fg@ZGHDC*Z)f z^C?0F5|3^dE?GxEWR;wYsh5+` zM`xeu%BZRtq~fgLJnSKthCL9uY`7@rerDySV%`j9JC*k&z>smg*g0|}u zP%b`%6MU38m*d$o%}1k`)YDzx%U9INeQjK7=v%bdO_Cx#E2*_uATEs$|_v0)))qi&O7U9WP9hF8-o{>l{@ z8&?_VF|OBF*VB#7X3B6(xz_bF`VFLlLmWv&DG*rXWnIKD!XdgX)S{Wo_zHT2fO50{ zWa4ZpW_)krTs8e?KW*q%@VU`QsOX9W;g#n^y`sZM2IUoQIb5tdH4T9jXAww7y!%C% zZI^^Qk$f6Rj`WU!7kbiL>44qcDMw#f#=+CfUE-XSS<~NnisGJPvhq8s8U5DGevuat zyEM&OQtj`|SiG^u;`m^=lmRnn)6}2Yw6cyI;PbPK%cIj5SC?m3r-yH^b}#l{9$g;p zU%tLL95vVM{m}goPBy57-owio+t-K}ic)6?D%wn!q?11#;NMT=OkF>{jx^L*7@v6d zV==Upj@JVTg!FQGew0=CC@*j+K8pPj;$nkW%oTodnAYWEDGNX&5j9|VWQFHX(0eV$qaiCyw2sNYg6Q`H3=qjoPPOnF+lOkAv}LNF}MBzT8DlH6j?#dS4g zzp9d2sbb}-u0^1)cc4NKqA{vzl*3fR}^tNr#znLTTx472+XD{yc9IjM zlOmle-Xm7V^7ZSGGWqQAh7Gtg^tAqXjWWBw;9cU*R~E!LDwfO{c|&=771dj#2Wl#c z_DdbSPfB689A*w=$tn4f8Qu%FKkyGqqf>==GO!B-;qm*uHZu|K7(C8Mn@_iuNRl8LG>muN=G$*h zqCL%pcI@$B1zB;Zs58%4Q9d}`y=;={iHjTkzjhUT`Py(2$b9Q0b)Feg?C46GT3Pdu zkf^$(#L)?^O>yO3jb87)IXfOa@aZ4FKD*rQbmr>UMqi!o586mV9^X#v-fA@#f3#^y zWhSep@~vO3iaL?`lYkuC=4!ZQAKEE8%?XJxlbm2NsX8Vs6)Fl$mqf8Yw)*2d8{cpR z=mXM=FR>6W(nd;A>($8uFh zQ6@KWs)|6F|dpESAW&X7w&!N~YkPM{~@sy@EQjTXIcx(7&5H{zfZAz|>bv zDmCc6IKMQ76LJB)etmQxskq%iIyWI|v?A+)gN_i^Hz89%8NehbqIETDBMwD^r=m6E z^kWvT+tc)J`*u;?e0+hVR&*#1-m15M_Ewy$QfEK)&y<9Qm^vd+G4(8h9~#*L!HeR7 zX(?9FakEw_?E{bV`yDY97r~UuCXuD43z1%v)WUvlqn_%+{_*Lc9kAlsaLy7G6n#b@ zP)7#Muv@q&TY-TVv{2bYm$?yDb|K&rnp;XU&IEy0(a{~= zuofAt68;5!3@Sg=z7K~1K5U?n)E@25&Re9oxJ0J51>^AWI$djO8xMz&(F4wYR%zZy z`9)dAitA3hOr_o4@zMU_>F98@Z40d=c47V>B z^MC>z56&iJK%^QuLiH+pJba31Q^%(Zyr?ox`{;SrKL2RW5J9z%lt~z5geXR;k91IL zNEk{O9H?4O-)|MA6*Qbl>+-qT7=6~;O>UEF_T9H5+JykCo>bS+ba$u4{JQw=+b@#! zBK_{$J+3Rr>%tU8>`rM9=ihz%rntMMAI!&TS<^R3qj#_9_b0F_Zju~tk!^<@@9(~S zmE_4?W_ZXF`fUDTw!*irQ5rz~`TpP1F-t!T_egsv@B#heyKn#g+iXeqQi3a@ z_M)h4rxqDK;B1jiGx|zSKb?Q~?Rl{%J`{I&W18L4Z!XL1KAR@fgx^BcgW5?J3lK7z zw%kW=NCxqw;Ei|ReS4g|BU5LhZ`@O7Nli#f^SUnblwYpD`*wep**3G9I`B(~Tzr9q z;CJ7?O!Axz0K5iQERCK*7BDSu?CX~)EI&GG zG^aIxz~h64Qkw>gn<+NKD9y7K&CFi$t5uHfV3_-4+t93~v?P<+yddc}ThHgi4W#rJ<**Es&syKmE3InSDn(9>u_F>kaTGcXZz zWBykc#kBnX-`}j#4`9{8I|sDmPtrAg%{O&G)0fV%pR@Pe8F~ZbE0YhIzQnYU0I3() z?FR{LVOsp;j-+*B8{%adr5T;Gdf;AP(m8=KB9)5CxTwFT|Nn+Qhf}nqP4Y!C%Q1=5 zTiVH?Irs5-vP`DMvRKXOjOyF8PmU^5M{eo-9OxUbX7hBMXK^D1V)0~s^LedF4W^Dw zSBb#S9^MqC{7cQ<;7HL)I$UHl8y9Jw<3Q7%VXs|i5}(u4UeIR6^c>cpd8K8j5z3<1 zcVvOl=WkNbpppVYdKXg{h)8+GfYiP*n&o^#n|*IZI|whpkwdRXt3{Q}N%f;sS`ClM zkbIGi(_%r-y~kv}$mwqWGPLuexGB)5n~K`GA$|74s-&rTL4VPal)qPWwcXLT_6z!B z(4(VC+Y>AKqDZG{XzOJlOq;_Sa5v6z)O-TL!lP=BbBBcNi*-@lElI&wl>- z(?Rcx1XFkL{r`QI;|1OPbf!tI$!N#njT}Ng2MTRykKcW@B9(^rLayIBp@vra_jxi$ zEc1(`yuF36PHu1AH`f!Itmnx(HE^x!Vqd&dec{N9>2o3txdYNXp&S+}IS){OFaHNkc*CKJ>M4czOC*QaNAF}=@d z0!~-74d!@#i`j)Nr|Zbx9ojeoNbxwnT=5xL1@P(g_}Yg7gK*$u$3frtlgY zWCHnim)WMu$x2p?W(21dL?dWwg1cl4b*7RsxPzqBf|39iUD-~Zd{R}k8! z$@dwQ6`ax#!8RYO4oxMTt zG?~nbNX_cySg7(BkLkm#l1{AVx1=STNzCV;|LiG!<4hHkSH%a~HG|%Hvcj`Y(>vHP z=VWtXxPSlWseHUlrzL&7fPp@zVbo^C=O}8WWm&n4Qr{rspoB7ho)vY86Z-3aPFwFH zsTNqpH^^&S6nGju0`IJFx}eVBf?JG{15L-A{=FcL1UmvdV+Icl-YYO)!{ecwB6)+q zLYvDpNE#nRLY@ocewEPt*N;DY@?_8(O^Uk4VOos+i?>A?ozxL&IB5ngu(-|^(Bx=$ zj4=O4*@qSO^=MAlHkM-ozbfuZdMl%gJ;ln;*VvEHG|f_s>hwCv_sUg@^`uvKtSHf% z*R&<7J6h@)jp>s5n&IZUN$wL!{7crqGnS#rqOeOrAFZ%XXL+%r`4Lr*dIeu*c=;0X z)-t?4`TlQb@FvZyG`S>+Ghfj|W(mnca9z<4zyF(T4i1VhzW*DVkep@FC2r5J68;Mp z^lmjr^{Q#9SZ2_pIG+Z;cs-{BNgCGo|I?f%2yc|ornCBkynKVyg}i1Zfs}{P(wnU2 zyK%XKe10=0LztEKbGqNtd79Fszui53@!hvyuF?`WKY*FHi~C>FUo@02v!s9^4Gq4Z zLYKNH(cwO$wWn9_SMOL((z4y4z_W%_{VFM-Fq*%<`*!2M|NH;(zyF{9^?&=%|J!D0 z^{bRMADAzs5>ltWqKChQs7S`N48I&_H>4Vp(*MP;|9nbf@LdWaJRE&kq-M|l@GpP( z%OC#sAO1D{`*+`c`@_HZ;XnTHU;g1wfB35({)YbgU;p9He)vy6(ADz8-_hs)AsB4` z_^1D}_ckf3gbv=*$4{ROpFABt{p7cPYyTxp%;Bi__UQ6u@9C$%cxKIB#`%gW7XzPt z`j;*gcuQ9ln1uil1ByKf-IBj~2@&=UZBDcFBfTqWEg`7{Q+?>#DuqTYEF z;10WqQ8-qqd1RVuVh#UQCJsI{hDUC%s&YHH|0*eBjZiHHnty^o;j-bUSU}U^Iy#eK zU)3B|nk<$Zn~W~TfQHgy&|}v%?}=ObmcLXX&Bd34;;m(>knd*d?m1vBEW3j1lIx?U z&6q_Z_zQTJHf;cSG7TdTp@ z*K_yu)1Ni7!}*ERtr-boQlQ=QxBdW+`9qIsO5b2-51ca1FWKE>(JV_zcBdVzcvE(O zE=sVGX0=eQ_g#Q}y&@DN~>feL7=y4iCNA$c)&7>xy`t4j%mNks*kgfb+Nr*FA;ASHvmmZ%yqjjC28i5s?Uaa{N# zDIAX~qansOX2c5@mDyOWI?!yL(99f!^5hPhEe5t$WQTH`)n%L*8`m~-rk%|$4GEN* z)iDS(yf;XoYosu0)~2dGQEGGna)xva3TSlHFbK)+6cj4kd4_MP1tQS>ELz}> zMcV?Sx=TSEa7nn^D7_eV%uavFM`;@sAlq_dZ_`a>t&ssQ0PgGN`mCG9raCHV%`}Fq z9XCQ_fh1oC_fB^WrILhjt1&t==lMV}<+wNxQGrSokHb#ZVv$Y}ug1BTEIZ*r7;-8K zRGyD-@BL!A-UEI|)glpZ3JfhJCPiy3fgddS(xj>f@? zz@n81ErY!;>5On6S@~^kPgu3loEX%0aIQPJ2L~yM#9)6~v>&Wh!;HjyMwPR^K0?zg zrA!mrdKn{v7LNNz(v-EO|36BX=kw$SMA1p_f>!*D7ThHVpBB5EDy%DNpog^HP;aIP zQan!6xklrGlut9o!pV8ot6KhQk&@BGwsE$-WaZ2Nj>nK4v2u{mq-ZuR z*9Ur$d8xy3b_D4Szk4$1{qC+y7C|OtGs7A7D&`^N@nHR(g5R(j9T)*RtnGE!FAdy8 z*4M}Lv{i}b2`N3~=Z@mu(brjs=r8Rvlv~$o>i*~2Gf@*%dvOqhOij%eOImM-3(R#zLH%p3HH+>856~czRR-}Bfw>rkfKJ5W@pHv81a+U? zO)>9)r*!P09T5U$svwel*D{c+tL)OpAqA$atwx9>q#{bTMv67B5W2EOr#Ibl2*ZwO zyJ>(#sNV8r$?L0=p&f$)VzTIg7hYh)1xhTm*5-@xsB27NC6m5f^n~<@4tB|gIjbL= zkpd&#_I8359o>RS=WWbXq3!S#lnms$#C?u zxusp|(xi(f&mJD?`)!(wA+bnbm=?GV17c7FENN##jPtC~w*{9~OcVA*(2X73Qe1v5 zq=Y%B0ssbgUzGEysB+he(~7b11>3$ z_KUzJm_}$qNtXsN4a%_c6`d6+7C|`}I}UTE<=~U#8|di|qK1MaMc9RI@}iX5c6PJl zJURS3CV9@Loy|xew%Q{t@^JxhScdIlunHWz&p-R@lg|YI4FVbGWllg8{JwnAR{r4)XuGo9Ip(TUMCBryPS zxaNXA+L1Rq9V&7xYJZan7koI)25)s&0LyQ#$X>XjeKWZVo=sN`t%DJ-3i1+=h&W-c zq^9M=&O}HZ?TI))CGj*E)K302mq>pUsbtjg%5;;ihMSwTyu#+ZTCK9FEa8Jga^IJ) z%3g$&mok*#hU;uVf2;-GZWfYWNlz>ma2ok)SyU6aGH1KCRaHzfD|VTfoc;qFVkK3e zp%sM|#P(B}fOaFJW-X`_i5iUDpzE;iNOlzGNFJ8z>XpK+OwtTFAJ(GKv-V?i#`t1R zRQOV&)&Yib2(*-l^xQ!6bk`b}+5Z-DY3fXTS8>HZFJaD==fMSsR8wZTuy28%7%C2!I zeB^kUZ-T_YmJ(8o+-~czOCRZuDvf@L5tkP%??*hla`l}GX+J+ zE871xY(D;l#icTVz=W;zv~F;1+7Su{E~*!iik`aq;26Il`0&;7)aV0g|^zBt`IzB=8#JbH6@b$)SndA5Ic+}6?e&Yz!`#SNXl;D~JUC=}k@XS;?ALRv9G zrWGt4!UzAQ^wJueq9R=cV##ta28ow&?G!DQy zcm8ULM>m{_B1LUCq)13%ZoR*82J6~K0-Qsj?fXy+J~;H-h6%jYTS>W0`n1Z6#K9K( znRV+3lmi#Gsp#MogWkpS{oc<%`PpZU<+F#c(1493Nt|Bp za;c!8-%5Qhf^-1ZIXE4S4)>ug1Sr9{rZU_S@FoQLND5c`?r>>kEXSKC+k15VkyGwN&wSMTXM% z;;OlpM-81zwUlRCUj{#3Ltw0?_{0o(%+y@uojxc1-Vpcf&>`e0)S>e!dIp+L1#kBA zX5K-g|Mh*E+*-sazQj2egh<8F`Q4{I^WyW^HOKn+9j#i_-^RQ}7x{(gNz>;E>K$l- z&UhSQL827^cFwR~<*DtV!=|MR%5@Jt^A-69ggEZ4fKNs@WnZQ-<|EPW!x8Gedz>sl zKV^^tRF}D5a_~R(Av^jM;-}kz(kSh1PL#~h*{Z%NXeN$aCx6;zRV-ufg(f0|VS)>< z%%&vXo*(Qf=E0A22JM`%M+!375mNZ%i8!4h)?dCpCAs;sSbpQ+aRw3o+zYhj2i1}V z2QT-}9X^?;r!mmgM|M|y-SCuMr1NBb$&sHO4di*NO&=oJ2+?!Fg|&`7nyECkOY*MX z&&tUvtBG|X@xDGkx_V+!tFAUZfwdbsKia_)uF9VEi~efcjY{U z?GqJLww7CqGaZsrM0cyti(oITYF!D<8N5keaTR6KA4<5XYGk@`H!WD?px1y)hb;XG z<2G2yUV?Ukd^1Cwc>uR096AqR^?!}8$Rv*V*T?wwH_`T*2+|3w7i!0u=~FoQ;9Wl1 z-FI`*j9`NYacbr^RR=Hbc6gMM)?8dDGn=k3%hD{3RytP68reI|R0st=*0^zAKpRTI!Q?i$4kAUlnfCx(c3CZG=Mi2BL!}AMrDTyM3@1BGbH-PJ zOOhdCwB_4$9hAY??snV@%n}^vJadKD)r<4;{AAN*&It;DpPlCJ|5~^GH|`W-S2o01 z@KRQ-s{!g@dXnM<8MQ;RRb*Q##-8YKh=P@Z{R4kU+g4weDV<^ddI-t4QcImAjAFI+ zjxniXUI^WNe$I^_r1SKKfAI}3&DTf%BR>uHII0}{cQm0H-M!hDRZ39!QI07v$ z#E>bc%cY$QOTf6WccN2r=XQDaFLu9Clfi04wR0wk6Kh$pP z3eUaTyExlD*xwyp3P5f~+#;lV3cxXBcty-X~r3Zv2||(6G23Qa=z<6yenDb*y4n)o`(P zq;1_$P(k-*r>G#Ww=N#%)e-lMz0Q2={VVF<7#U0&caiW{#{B4X^~BA&^b7HYu`wOp z%?uDX&u&xYu@PfQAJAbQN%kFw5hL^39lWz#BEOFCp{UrUnKh!iA(qZJo`;N^(cGb~ z2iT~k0;BZlIsI1OBdI04(;V``fCg^Bk{2lVnad;+4AW^_CCjP_>>=*QxxW=hmO9~q zNNZCjx09TDeI%dS5}v;6h}@60Nz<}J16k)5*K{$Os;$$JU<1klnR`Wp{a1jVMI`B30L| zz1s~|`2+OWF=RWY+fy2X)JkyR_4e{jI6mVCSc&A6s`t}oV~0NQSHd#PI1FuCl4~=L z9Lv`=RF^QLLokNDih0)}NAWWl;AAn*>nh@Hafw6nJp~Kt%>#^P_-yAS=Bg320xL9rP8Mo|7bI9-{b*C zgLF!bxs0TXK-P6pA;fv@?kZDGH-t0HWfX3aX_`i9HzCo^*~4Te(t1`u=D|KV8ttFG zIlS22J3hQR-@UjzVvd@h>WA|F0hYp-#p&hwPORK~+G+36=656#8y>FSh;@bXC)J-? zboOdn05iFt#-cUE=Ufny4_P>hNbkb|EVSFre0MZGw*~|?tNfC+8){tj)KA+|0J_Ae z>>yl!rTD@)mnv~VaHk?ChYn04z;XC$39vR-v)~rt;B*vg3nwo|OwEUVSXCWBl(;XR0H>;yWVu zq{Y|TYVVqc0ZWR+VXZk59HGv5j-n_=Itd==a>XD8y2)N2K0gX}tm?>HOvLNnE!q{9 zo_nV1nXD~QN)Z+bZVhR0$PH?TKQ?7&qYFt_{wK{Dk29n^Z+y0?*}NLB-{}u}{r`dg z{R94o|NKMw*9PsS3<^N9%`z2!grb5g3&@O<_7^76k=;DDIfRcS9=s%Nl8pKiV&7DG zZ}kp;wUS#myy*#LNLOftA~i`FN-`Nk15Ff}Yp~O_(D<@xM$@>j$W()W-==nV^FGJo z{ea8%#)#A(4EI(QZ1`C*jWc(WCWi_gHcs+Mj1|mJ;N%?6FJ(Rz!!TzER!l>E*DZk^ zWL6QT3R5At#?!a;K1{(L?wm4To zQVu*efd-wbn7omT>k&@C18*E=X`C~xQPSRoSs28bmP_^aBGn<7l``&)rn@$=>!mBD zg*Yc#MIDdf7!lr(ZPvXWoGj-8Ic^a;H;=GzxMceNOl_tUp!r*f4D(wrRyCsxJ{-=Vj4uuno2yhAiUaAAaP3$>PM1Fz zA%saiyvxd()hsWW-_ScNe{^>O4s9z*DJ0M;@WQ&cyGTCJc01gE`Y-}M26SB99D{xI zBzga_C^h3wDpg$nJ`8O*AT82D%M0&&I)#vsp$;UOYl(X^kcju3S@E5*1H5 z!lUFiwbjQSg0#b&wuA|qau$lHavLr-INhE<)=IIobkDSyr=c3omSJ-I(6bo3;zk=M zTrbn!6Zsvdx0Egh8coK5mWZQFq&M2zy_5@vOX#)q!!i{kQJ)%wGIV~3d>76VY6taA z(pYgHJ&-*G?70VPNf&l(e?~?cu&SG(pO}Bha}H2n8D~IJ{Hj!$+!7@*;e`!A3-sdr z=(K9W1EbHk89-H9F_0pUqaHZXu8W!<#9pc>W?}o_Vb!Ay6>OHOnP3smj$l`JO_3YV zFrCbbo&Ha-$o)R#q)mQ=RM;p0Z9tO0pb6cfi)F2G7_{2(U%;C+4PWP+GpKh1sBGw_ z!#8m>s|lABSGVfXj~vY6cg&0d<-^Q@b>o?%rI7Air|FcT&SM29JSK9tKR-G+dm0GD zLx5I-MjZ3mj^6Y90WDWjiviapr}CT!bGQYX5>H}ZFjRQqC#jOR@_UR2txkx(sLxVR zbDzRFT>160W2cQQfbD7zYYF5Gw}~r(xA_h(C&x4~9A0PB;^`0?6?3u;UGH`V9Ut0m z?hGDkN3sZq%Z%@kOc7fE~hX}G>;@;{vfjSICiqejP$Ja^S1)#)oVs2VbBZx@Cio+ zBm|0LzNQn>0oo{bwdhhJHwS>uV8^#2$p}ii+!zOgjW4ov6n1`Y&T1l4pTkQP~+X)r^+~5yLxks`8U}ZLlR2&jzciWhDdLYeE77N z9Vl3%C2A)v5ljzQ8!XRtw=sBG>{)=DK&p$L_4?eAKHD552IwVTmaJf7ki_F0pk>#-{!f+hYzSjn>F?_WYw|Xy}u7qmhM-ZJih_{nK zOf>(&wAb-$GkV%HtFmH`4+gxk$%qFcVzLgk$$9=PN!j%^pfpwz>2wfK(nJm~$23s1 zH_xj7J}{nnd!nF)rG)zEN$D#6x5jCG4?)sZI1YRYdL#+{P-`thvOPkJS5~18^uD3o zXk}k=SJ0%Q7{X>k$ecs})QJ~rKLl4mpv6@JU1y8W{j^}gI!8L8Kop`J5gcur^yBxe z;X*z>xOf&NIOMYWQV3GPS^EyReVN>|8t4$|>}BetaAYQMHi%3#&X-X9Nx0p+EH_p; zv*WCb6{prP8Oorg*Sme@Lu_uS96o#k#pceWIprAXO-R2RNSPMy?{1bxe3lW z7N;LnGIk|&CcTxm(3JDiB?rN<+BJhS@Zi(Ojo&*yV1-#z^uk~^IU4P8M7|!W$KKO1 z!F`ao>ECn-uJtznjZfXX8TsJXwVE}GyTSmoU`pgrv7|!HS zo~NNrYoC}~h7B_5-u9rkO`@Uk3ajScY8)`mfSYGy_i?Z+EoLYwGWTf-LzA@OS(0a! zaLfvnz{5kVqT)AWqYp%n_1(M9qL!~58ZLKhoju4EUZ;R-1KQ6p4mslIGx4>lUTOpy=| zO|a&z*RI(OjM$7k_h5;Gm_67@FnQu#pda3WDmA}#uwE*B-CTt70$vCnd*zdQVpFCJ z00mIVn+fy{&7m7W1(ix_-e9lcrIdYQJ2xLk2b%R9S4CtMr%PuAs8Y(;1Y`fm>^-tF zk4u3fI-gK6m70oKiAc1bW_4C%>Iq_tJ(B{xHOuJYD<`ux5+JV8E68n+->V+2hA&v2 zpzuhoi^VD!)_{^BHf}-(BSm-WE|OQ>O_ub))d4^Se~?-dn4}+45KU`*m|?jzWU>Go zTOi<;JYpp?Qk2~Nz_g??8*q9=DHh}4Nh6u;GCx>0M@}4xlSnnOsUi+;IB^$e1{;uF zJ;8@$_lC8?KBAGzwBupnj-_EYlDN{G!~O2)d+cO|XGy~1wS}l}H%^kMabNTNi0J+p z>)8-wucTj0<7{`Hfgm&Rc=%XUYDXet0i1hrz|7N~;CF0WXFR38)kyUWgk!Qi0`Dt< zDT!>)*ER))o#A6R)?1D%S5E8Hgr=Z8%b(LUt`Nf)FAQ0XYp==*gRJe4 zvxUQ1CGZ=72sX6kpKx}))7$VFQsx^ZQsctExH8BC|FCMyWADt62AroKO|;?tlN@-T z_EKV%0DR}B9mzDfeq+wcek2RoIkLIs!ja5VfEp`Kx=px{x?>*rOEd>|zqlA1->^_e zqXc3%a0%oXBqUb_gL7+TeoVK$NEs@Hr-sakCJa@`VQDM}r$08fz`0{Wu10mSyexKl zzi%Fl_xv}e&*?VUX=F7xSUwkRk?%Tu>O6vO276Rb3;ta%aC0lo`B5D}Tn*eSyT>&f z$a-3R$1hSuQ@HCr`McR=KL^cN%Wl^c(PkU1SYvJuwzsjIuPVFKx_6^*0J|cn7lM`7 zbpo2K=L#7ur6853 zJhCA|yfKK@)A#b%GOBWUx?s zCDmk}HW^X7m-F=!OmzR`#iXC7^XcCDH&{tszvwP)uB7Xgg9~Z)T5OWK6jE8J@v#f; zZ9>Orhc93y^i>J>H}9>$SU2t6zZ&j z-y&e3q+dxB8{*QXi;wBKf3-?iK1X}gSYHv~L~I{l2>I=fL(p}5f~AH`_dKed@qvl> z!qn)b)c9lW-MnQIj;Dz#42G?IBrLRJE|`s`EX-s`Vax?ULR-(;)k#h%NvhkS;Vn=E z?HH)NR4&slcz>^!Tb2Tk%pOOWh8DEnxru*z$D&wgKzm#i?=pjj9AELPW{SECzT1c= zz+rinP#(tZ^)~+B|K?x*UpM3ZRIy9n=c>n{QEY1mTYGu=Ra*%fax~VkvUCmT2Mfk@xa9;xLiCo7{^0BwuM5fNLjcGhT7a9%l0jiRpjUc{))Q`*QTKOC__)+O zmo99{JK#v20ya+Ck09T-$tvB(EFk6+!Ev?s^C_-?2py%FhsjLeYAneGP?R@G9&-B{ z&SGb@r~^cD+R7h?JKVk4e|dCyxPSTj;?VZ+HEUigo=l&mbP8|eYYt=YG%3Yl(?OoH zYMeFU!{ARV8`R*n)9tmWl5Hsl?4UJE>Fz|@i-jHOlp_w-$YkU1l9|LMkl^ z=CzmXR#$ge*>kC}s~ut|4QJpAsuuh#nn9Rru*V=`r31+L+BVI}yDzhw+0LNVM;{AIn zpxwJzUPq8@67o?PmJ*b-xm*koVurq5JZ4gD*B-TLkjL+Ki!kztejt??el2ynGJO`b zXJJ{YV>MS?7&=&*pFr|HcwnWF_ardt?whd{g((fz^G4?DP6VCNVf}I(iQY-(>kn?X z_>RO%7NezcG!cMv;spo5ujDq1h;S_LcBeT)jIHUm^Gh{~X&&u7(qNpX+_^k-cb~;- zt>QY_>M)~alSV;fPLu}#os?h_pIXM4c&K-DaXi|+Ngu`4-+Av5P33UBe&n-NorH4u zdtEpx@(qs!jWWl%6*&Pd8oqEkY>Opra*4v&dCx#SIL=D=;`nbtkJT48gvoDhivJD} zQ*{$Z5&*4Jn^mS0$wmRfM7n(?AB2s#PU8vX*(27dMky(dbqgq@UDWVUEwr0S)u-|p ziAO8uVc7A5SSHwSnC3K>wTY5*Ig8*pz6sbL-PK*KyiyxSTp||GfvY26f=a{Hl}rZ2 zuqLXH1>2M3r49*O#?{3CZjJ3NP25?2oa7OB#}-4FbwL?8KrZG1=uSKEdE-nH$|6P& zSAdwlN2+a+507_G1(>SoHF=Fp1lb<)#7O2<0y*g->Fa5d1w@ zwYgHnRGo+yXrJ8+Xu)JAMsXclC7w~-2kgllFRz0*3+iN(ho|8yo(=^AE|z1bvZF5P z9Fl@chr`k6G&N;isl=Cb)$$YmZ>**9dT7#y1I4d=vIFA-;?a`R64InLE{dW)@Cncj zQ~nyHx6^8q86;x98IQlB;T@i&lhM`b*$Cm3aSV{CHj2jKgCcDE$SsTxC2>eEp=gZE zpP6#ukU(5=bnpXhKjj>vm(Y2AM9-@#O7+*!haS}*a3^hj$R6p~W}GAJVkAeqr@P@9 zAugu~?t_LMuK`?a&PVvclVAMo@fQ8$k+ID@P9VgX)JD4YZBz4%6#y4=548k7@VeC- zNx048wUY&Qogih>?quj28nf!T;!PK67IZ_d;+YoCY0c`&x>!Xqa|7GY@j%-uU6_ne zgOWQ^Rcpa?tw3BWw=^!IhC{o73Rb7{-b>mx<@GJrOfYF#S#oyEf=teU3&^f`wzl%9 zmR`*&qy^cQ7!%{3T6swVGg;Qfvf^q5kt--$aS-ecF+gj^??xpf1Bq&j&`Qz;x1Nf_ zW}2dO5+AIDc_z}g96~KSMUfq*IL@TSM~U?N@Cx{4g+PDS+hsmtFc;@HGul$qGE4H$ z2EE<6kTLI-#rvSkf)zJ``be{_F^@zE08HC^v3+dY-Jmo zgD?4QIv(TuOr8Gs-)2kF8xy>-uBrsA-pH2UW#klmIiDq~8`B7AuoEx{FKO0_DSk=D z2)*;m8S~C36{$Qlsy*8Jpd`LXCm&Mk;2sSPfY0B3`vn{NCbMx|kboVI=g9{YSAuw@ zc%LOtA3y&2FGmb=F^u@k_Wv5GU7qbJpu>$ zHCi~prz05a^}@0nAAsB#G|@RJXG!_}zvub5Nv6fXeRc^-ZCZeXG+idQAe_HX=)g>G zCZx`#h7JAz_ClG_aEnCv^JFp6B;Q>zoca|GFyZHO~;u3%#a3*EE3L z9RE$0$rO1kV+`aAGV&JG)zJsr-1mP`e*gbmq~O%1g(HQoz&Gjnyq^%Lr|tEQcHhlp zwxWOeNPJPGnymfn%ULp? zrP+esSRwR`U0$U1hjeaQUD2iU-M6ojk__`Zn#Na2Hl%f-pFihme>F=N*tzfM&tgqG zeN@cA(hbs9vH(a^35^}oj!Ynw&gn72JvX2?>koCxj-LDjyFoo-+H&#!DdWl_zOI~=yjjGlmG&>Bm23`p#9 zHAP)3i4&;PH0*r-`Olux={qeF+L9;fIxT5;nB#jkPj9dgO9+xPlIGMBZ5X;VXid%_ znBQSIWYyCYoG16`-~aD0Cnf2~Swh?YoP^DK>#LO&dFR-~w24+&Tx?!_6s=qxF->+8_Y#aiSyjfu__ABa)1SYZYCo|EP<0oPl3L(&BYf0T|B75RH}(qTh8 zqm)#R;jDl_D)2=*GHZyBn*{4NqT?YFM16p{NmF=?~;{-3}3%Z7DY|nzbuv+P72!+70}+6x&-wPZILWpV!W^K zu}|kIlGa{*|JQj&<9d_b){wd<*(`ZCFYc<_3~!R6gI|)oA<>+yjQ;T^g9P7CmMiq( zEiG%7koedok@YHNeZR)U9334EdS8*eqnW(HlA?oOr7Yn^IZ2I(|B43kBBA!aTJfAh z>e2@Jc%le+ybEkC61(tGOQaP(n;{qh0%%!A$!fA_;*{_r1yj)jbl!)ca} zS0(hRr;ndL89x3Q{oil>*8a=g(-()M-rJ+gm%XQ-{`^_&+i(m8J_gj}6%)V=&m=~= zI-Gj?(MLjD2>VIa8>1^S$s`$u+a{~dWxpYNHL`wPvZSQl#40}7(LxRx5S6U`%nqWoe?cBK=BOB@OC^JE>tvHM&zI|iQ- z7(pqVjUw(GaY-2_T^f>DiH&4UP0m{7`p4YyeMj-%>oToo?b$J7WelQ@pw9jM{T9*| zr)foJYPnUEH`|W=%loWJ;%&!$-I~>lc{Cy$kJIls%Rf%}rjt7hI+ zL-v^;o5Lpk2G{qHL$>P1nl+G?o#RgM@+@|<24Mu(Q}zP=Ug>)Ioh=e95vrM#c$m2t zEJ0Tiw{+eiC*d4$QQPS&>)fVZmAU{_!`5q5YB%9;oS)NrNESo+z9!}4FOYp`G?UY? zIZZ+FH@A9+Aduln%Ut?Y?07(~eP7UThwS`?1IiJ)AYIt~jYYw0N66WaLs}v7ZOhL) zCgLLt>LSrH#w|SYN}smV=HO^el$oC3aCL=xj25hrOHH>m5;{b7_#{@Es<@7RgMELb z%TGl@Y&!7xSYS)Yh)(V9^Q+gVM_+D_&h}qjjV><^cTW@*%SES*wA%9Bh#?JK*1>q~ z0XSXqIABesISDFB?hPOGOfi@vU!TN=xRA{5RCTedL>I?D*UNKf!o_Jf;Tn`}4(vRF z!{Q7IO;Ez!)8SclH>cq5Rvel(u(haeWT;Pkrys(N9vLaRrkRBeizYZ87G+UFoQapD z_wGEy56KzW$bgQn6r~lE#keU*5(z}2pw~7|aAF{0)Ri0W%{JKmHBA|po%!(#T)6tU zT`{BaTQ55Cf?9LJ*F>AgAj^H32@2JoG2o$0hiUEL@cHiRm9*0+30HKk4;b(=+V9`rhi!0DUpYl)$kDGx)#G4{TQC^UqPz*`$H zT0%xrTm{w8qakvMq=8&&cb_He#~B|zJA8C32AWJXgUsiEacDX|G3fIjZP`3bmA(xi zaVh7}<~KV-ZsE`=;I=Qza7D-w4s9i8nvu^R?{@#Ca@M|KqTYUE>iowi#WbDwTTk=Z2d;oU+{z507-uC)mcIt`d#mN3 zH(M>ZNFkZ>3C8ijf@rpz*DiS&Q6ZS{3abW3UE2~|xd3P+({4(_9GWA2>)_fL&|c&Z3T%iBry?xt6UiH-~xB-PbCoL~$CD&s&)romF<~~KW zX_BV{DaVHLbS|XH1H}FXHcoyC&OoaoX}NJy2S*`W1kNWUA~thO-59p}W|YX`dh$;= z$4=u_yD`q5h)lX?AO{*E0W%#U?S)G{6id5^^-;mM=&TevD$kf}n z!nIPbauPA>+SAe>DT-2h`Hnv<2h{Qj-wMk>3*cMyaQ>{)?^>T zP;T6$&ZUi1OU7718eX2t<+edhmkVL2-RyFiG;pN%&tE?mfSy*tS_g=D>>0GU+fv@? zg$^}qV7H%#o5=c|x;jx#OD2heS?wR;N~fFv6DLI@uLnio_s&V7bA)b0)z=pX7rUni zv=LBM(YDUqWgdDawKvQYsDIBH60VV++H{mpUAmi-XoA(%>)$<5A$9k(zs3K0^tPm# zd`4qt2gTh}mpmT4x+<*)+Srq*84xtlO>p<5BgC?H1qib>co@z5ilN<=rh6`+QAg+d z25r_a3-4i1JO??EPJ?WUw+;Jn?i^r2;^|na>EO*)0Fw%u5k3^&iryQ1%L+_E&CM7J z1v@zt|N|gosyB2Y`t4mA8xbsKAU_X z+kdgOWZ+BgPj|>D1P3@!1rIf&7ph-f>eCfJ9c8i784KRT`0WGy9RDmn|CIkT=w+Y$ z{B!y@!5fRue}0SHhGq5nr}-yO-JkN`g5I#2DIju|)R_K(uYnj!{(V273zjxL{g)O4 z&wT&$&#&;E_n$m%t;`8R2D|4+Z=N&7L*OR#TbozI$43z!6RanVMA-W$7tjsFO+#&` zBb`Y!mzGscV39yy;X71*6vse3A{9qf71NXbArfVAoHHSCp#|1Z{qLE&#zuQ@Rtd7Q zQZ1iV10o5rTnRHpi~pLTc$h6vI^!Z`Af3Qjsdg9xKMxR3`fd#65xjHiMp=tQ7vM8e zc2OcaNqvnJE?_e3+0D;W7A<|2*FoNyA{ke|07}_Tl2X*>1%Me55>aHE<81n&-gH?G z7yz8<1HA(+h9~v1mt|Ej;*03uX7Wz?{$mJ_=|N-0eSrH2TBdAE312 z5C8E`|J|d8d&hjAyC#fJ{%8D(f7dz#BdvZsWBp0EW8Hg)Wm%M_{?7TQ-Cp2y0jra+ zw5(}IPZEcpu6o%94XW=xc_!oNZ?<}KNSB7&N7Rwi!o1PNUTb2wrXP8M%SX|k%i0$X z+E7hol1zud?PonoSc&w2(I;2*$rbFTD>xOe)B@hv^zIVt84L7k9+L%!gIPNrY=(=# zDm*n)&I_|e8*GLP-dxqPvd6V)1)P)K=`6z&j~yBn5&13Bs!E8=;`qA)PJ=e*lBf4a z*F`Z-N~y@FIWFQmBdfg1mUBR-2p(BK3H++B4fZjBuF?19Nqwd9H84Lu>J;<(hDZ)S zplBAX3Ye7m)tQHdyD0kXZ!iHm^k1!3?>lx;T-!{~xJ&blQB#|{O7)YginK)DP;n&I zab4UM0Zr2VRDLpm81?WyuEZvG<4FCupl~^bi2eBaw0Q<3{asZcR=1?Y)A1stoEtCS zQe3hDAF^qROzaj?6(IP5GFq@b8U0R83N8S^Y~C?HxWGiTl3^U806fe~^q(eyTf36h zXg2CA^q0H4@yVukiYdFgd=Ivg$*aGd5hP=tLoQBa62^WNo`rY(NnPk!7B0X`n3?3q8izDCK@N%DSgUF!sx-#zqY zeWTiOF+2yzHj|1Q+NwhO7gL5{Bl!udv<)p}lXcSv_VfWgePlPR-bV<&IV7{UwYzn> zbwdB1Zjl;!hXS!_KRPA|R#uf~^+gs)F)8M9K0GQB{7s{?ZL(^5$IN>ARF8Z!JVuuS zj!=%WMjUd8?31{#T-f!>f`?ot?rBOFmIUSh4$CD&_Sn4Mi#pB5vNO;N_>>M;#jK9AasYx zCuRg86|LExq@w*M6X{r}$%JYZF-Ld2fqs!$uqTASnZv z>4M}|Qm#XHo9HG#`Y_Dut|a-=Gh|?8bpw6!LH!P9k^Fh08dXjBHvC)!#B6(8x{joE$4o=?6C#`jff;zzh%a_ z90GR}>^Y9>xS%?oOU4?TLnWHWRD>{Xr=r1mvTVOiv~0Br3x+4-c7g40kFLuod_Z1$ zd2F`Po8#S6){FRNq8s2Szrmyb_-u5NEUO59@G$;FXyH$G_oWR#4JRo1#vfMacu@Aa z7!bzvhKs}HhG&*(u!h^gaG|y&uxe%>FVnoZx#HYich=*0_%t1_ZiI%a>7;b@B6zx9 z0aBSc=rQlvyH(}K6`Przk7UT z-qJruhnM^^7Ssp3m%CTz7l-G&7l#L+Eer`C?JQHdx=GLY#pj;)wJlE$!&UX z+j-$!vatFE0?<6;-(^$Kmbiq;m|3bqu?Vm*7<5`AV`I`0uQT-`NkSqv>>QM;zUCl= z$*kK*)KrbH@^`tT)y;c1^qgj}@^rME1!>Y?<2<`DbD{wCMWOBTX-0!sC3Ay=h=*7| z3LZ#$1g8S>?jM>K=UK?FOW!+0aQ+FqoI^9Q@8%ph6;P80d-&h2xAy6Dbo& zol$GGRaoD9J=$Ym{jge9h;{4zz*#p9B?s|&ZvBDGkE)p8nG8^}$WVcPa5@?t?)NxC z&2t;ri;<7C8pkd~v{Bl-57LHiyPkzgRc{mXGD#JBq0cdm-H|~*RREY7o%@tp*6>~8 zyCZXWaQ6HA2UuNZ=Kvc|S-fv1(t;3KnAs$up;{KXUjt3$UF8bbGj#&K6hnC0oJ;{f zscKrDh4L(ad|D$g!EsR_an0#``=mOjfNMQ=`N})7rQur9Y)Lq(%a!JOs>fGYh*W}1 z5>aDW+AABh-3bEJPO@N{YDmeCCGbW&zu%LmKihgt|9i6i?3oSX>Gh9A*$c!ejC$!q zpE^L0)F<;Q-E7TEWQnR8f!?Q*b*(*(NmvEj$paS1cCuHujDBDQH%aW(V(B)MZotO+ z$#bLIAYaqg{rI{%E*v#1E}rjy_W1FW-suP+??Unaw5n!}DosFQhFj}PRa}vBa4Zng@5r;z_!j6EcyKeGJ?GyhE2$cqB9i3^q zXp(#~D@y*3ia-as&H*bG9hIe@YbQk1_h7q8^!yBB>m&=gsVw8&QgFZRi8KmS=hVkv zh}12euSjBsd&941Soa0($nE3flhX@Eml?QijLU~7COVgxqCvFg`c-plcx%n40jMq1 zl7v5*v0^w(7Gq`;^sH{d#5B!r?8?{n&9~Uvk~Z1A*^DcWwBbmM8R9s0kohFY5QbPL z>xZ3#(Fj-!N@wCHYeI8+kLmI_ly-MtYyLp6DLQgdL+~eC%J;3f6Llrv%QIK&b*Bo%IHx|zI7Bo-__g~oRaiWS|~LsEZ$>jf~{Tu^cZm+*A=lHHd8Sd(n2c5^(p z#h}+17yaf_DJyV;@{c01%7B)3nE1LYO}1{#XjtpC>U%8E#ITMcJ{f&8Ti$)zcQr1N zY-N63zFd%L!l%7M6p`&o1<~|V4>=yB!v&O06L`um!qP?qWQ65@} zjF;3~nl>V)PjjIyEm}^T^IC)!gne#Y(k++S^z7{9oa+RcA2lbT`6sLy{YkMfb-!L; z0=yL0Kao|NMB1f5#CCYvWbQP<5Y@M&Tk>teIP~G0Pi6=`7(p{g22U{o5G!m&jO zG9Rf(CpvRce(gd+vYs3NV z4R5Ba7QX57>bNzN0MOYZzJSxIcUEz7ue>?DNm&lMw67kU*!hiq9A_U5rzsa&ZM?pG zKK!}LK}{7{z%=2a{y+gHwp%*Rl6=U?n$}4e0mW^|x3*u8S9!hKJ_qs2X!|nBZ|1A* zt*tFl|8`4~Zw$xRF-(c0a~A6`%Q-qxl+_N~QEuQSqoWve)vEhm(}SkT=y$~}n*jMR zBKa2IiBMdMTYcEsl!|0MU_oZ9g&L?^J37wx)C1!bVLXh)y*vj$<9DZ8;h1(XcG>?170%WdvPcpMoF=c0L zmI81`!S_RwshIs*z-MBAzM!)T#bvfR=PmVx(9(Xwjuh#RYB!gcU&&34Z$zmZcBF;; zc3QxnC-~X<+TGDEjB+zC#+q%T+3hAvxXrKTEPT!Fhjzoc`2)@Oc4G)b^^gNrmtUx` z_Dp83R-j#3Yp(*Muj%5ssTAJvk2lr8)pUhg*bOdLE@gnb=SPj|(?KA|tO~m0t6A5= z`9TjngR3+pv4$^DX?P{Nf;$TK1An06I0~Z zTfW?=BTWIFm%40)0f!ygfGTwam4-62dmXo#;thWU{gAn`;YCm8)}+v!3l}qqbQeyL z@AcuC^{RR^ciY zydoX-sBss}bT?`cTzJxz|L>n2pIwZiUbL(8pY{4rKG)KPr=NY^Z=g9dwE*O<_|0P9 zU@HHxXse%!MGfCOO^fJ60CR4!)!o^t*y_DplQPT8 zxqCV~qQgqoUd}86x$m$qC6d5Jd?QSI4je1d1&Qh}NbR7vJjoz+hesn#QIq2){=F7O zq1P}IeSdtgVau=1>x<)~=U?qSe%SF8c1z}EX@VUX&F|hSn@=?`6v+ZtWTD7hjL~KB zxHkIK*Q_QjxwJ`4V{UK2ni!);fljp4w>N$Kr+_C=XcMi0ylXWd)r*jrv;d)k$Bp2| zwtS&AvsfqMH;^cpDIe~+9yu# z|1lHH*%w|1#m%W$%fbJJYSRT-f?8nLd`Jl0c7xtz4#ZAkYn(@ofckazzR55*5$&ji zi&Q*B;-zl&H>obG<4^#!Y zH22K0Q+ULJJI|F4+aHJxLKT7th68rU8))MB)XHZm#t%%e=q{@ijaE;JE zqmQ9d>lyN&9)wqZAmNI{>MN4ch31`vYCr9N?*E= z*{W26nuA6s=;q1`sfy@)vb))=XPZ?p+Yk-$3RdS8)T*nJ-jx;+x#nP_0?fG|SOz+z4k~3@u&yrS@=a#+ibLk&zWtqs#W*G zuUY3KK~A#K>+eQTct=ANj?(Yv1$WoKUNg>7(G#+Azh~7IU#3c1*Pu`r1dwW58fkE9 zun}WJY&653(W(zbWcq181i>uf#|NNOM{X#l+k~3wN^X1sp+dr-Tpv!_q1Zz$oErBb zU%`E)t(J?l^rzYpVFgm%*ke3&1E2=ZnAcNVP^hwjrQ?;342#k|HChO{!uz2pOq?U^ zV&=$}hT7Ff>PttfhPOji0b00Do)N`~asov?EBA?D72?NDpE3VTd%P`U!1WELC-??@ zSVEaUSzn&iv76X;n+wPj@NII)I$h#5P$xSCR8+fy3>iAEB~B_N7P~LGPKAqMoO4eR z!J4`>o3WsjP0A8Une;>PNU*^srKZ^bidKZgqbN!g>(UMyVyUx8ol0ob9Nk4ANgDtHu!w*N<-(l+y2$|A2ULiXby&2tI9!gQoEWi0gf5h zJ)}9Qw|zDK8+x?@-T?339php3 z7=(?xkdD9sfELT`^8yh3cAA|I>NpES5&}oUql7>YDC&sfZ=_;G4I6$C%-;|t_UL~V z>vXX-0EcOX-R>#J^jC=*7SWtwr{KAfqX>JZkCmyD$*d3KbLIA(0vLi%jm_INa&cu^=i`@VSQm&N(hlFWi^#jks(?M z9cige?w`LV8`3ZD*yI2v25LwW0ZFRgytl5kPHL1Xu*FZabk4}`j#J=Gad%6vz5u3w zIZc=V1@AMWy=6EdojS=%`e4Qw|Ar=Ik7f!?A$NE;`|jJ_@sxH2m`a$^|MSaG8<@klE{3J_2O^^D?7V+%2bIZIR(I z3jH}C_;Y>_IQP#}kVRy8ohK_WkC?{3`*s9W^<)8_m8#A_DsWm%m`P+W&EF-9OmOyZ z?CXnS43zo3ci;bYNiPo)GB`q`!n)$=R^ArH6kIFxDixrAyaL=xN$r4?uFRfBWGsiX zQsyD7aEpsY-YJ$dEXmn;3?c`hpsX1~eo`jaG>wy@yjziQBlC2!EF*pvG;|j%JQ?$Z z?p~AjR$~&L)BY@1UN>4P$5T9jo$8u9Qs)90AhR&@UFKvzIoe$pnc>Ag(n zU?xc_`VhBDU4Y;y2bRe!v&=R}$qhAg{QX}o(+{93nA33vH%WF={Nl5pe@;99XuhVV zc%d_pCSZv{PlHuO7Pj4DOha>7yvq}s^)Iq?#w+zjmakX5DYG_7Oiy@&M)SmW>x&}i zrm0I?-+lWUJNupwYWUz}a!}lJtnP~fI4oLpF?8%}va4=p_~L5L zBIP9;fi*M8m>u?tG%#ATUnXWlyh@o*YL5%wRygYV&N=n-`8-`@E#{fLSkSm{Ngz}= z?@~*4H2?JGdP1`8IC%%ABR&9w2dHSWd{WFI+=L3_quev}{>AIlvwf3BSxfSx6S%&ss zk=}%pC3G~Gt1`En)sxb^$f_|*DF4n0r0&|haaktZkW$k?2;4SW0@=$evKfB;e{6Hx zJiuu~+ZMv}#R`*|;ewb<3fnArZeC<_*#wJhUfj(QU8QRh?qu5Vrx`|^XJp!B?}rP> zlR@w7*Z*ckhvu-v9qwCm1T`l`rF2Y7(h)&abB7VWET_s_!!Jh(9lRON6yNdRefwjy zH5o(!oyXOtJRA=ujPfUYjrXta>R$7!#J*|w;$?zUYKFpI9L_!!mPp zpU?v?XT<`YdYR~VK@B#VF}|B`uSG+1S%4=9@`APsgdr*B%bWM>5A@NRZ@HIX@gdc9 zemyiSKdu>wo=+Kl|Z7{qQ$2+sz)w$sEDH4^4bzQ}Mv8YWije^HMq`YtTwbUzPMT8dLJ@-%k)BM;HvY5# z10kA#f{T#%isChiGH@aXT^@8GV8cmf1^Xtrz_4ld2TEOu*|EvaK2DHIYw4C7rJ?JU zuUZd?5IiAA0H<8AOi0gJ$@M-D1=Mb|TE^#!7P~=fqNR)9SrM(hLWpH-w;@-Ljipv}nU;Tq!CZ8OP`f zt{M#+JNR}1Ee?(~_91iW)FLhz^w9+YI3a_q28d7Tsc6%<+;UFVDXQxbe|4_^$fH_H z;m3Veg+Pby9G_iGqf-(B#jB2zKCQPwoG(%= zI36vFfgge!f#xtAdXE=7MzE6cEjj5n^8E5!cNsfidYYMSqywLia4N=Y`GLb0Ewe_> zCoT~=)xZJKoh4h|Gi(@<;fAu|2#YvxH+GaQdO#T@#dN*d^T1vbMvsIFNk(x4V`2Ms za#PuGxg+!0@Uhk;5d3g8dU@+gFa;QpYYKJKNIX1B(NKzG6n-$k8E-lI(x#0v+;br6 zne+)=>PTqdlu8Fz+$T9XvR^S3N)m z&+Xd*n@N9YT9X9GRlb}ft!cX1!H&#Tj>wu^N_86MB+N(T5R}|hkyqUnEZlM+lplzW3xYz+-?va0`rQU*6iV? z`$0|{?~Ij?Q#J5g+|9WP*VCq4Phl6hok!!HF-R4A>)qRS|7UK^e@{mFdojJc4*mD| zS-;0B#44YYdT-Ik?d^vym^$x!o|t)dole%1xs)8p)wRis!6%nYc8WB1mk zkXk*o9GslmhsU8Bdgx67PZ=lZg5_F$jVn(z?ZVM9GRRw(8bV*DXOViSEcLDV9`Fsv z>G48O?NbvP=|QIaQ2hFOayjUfYa)N(u94Uy>Sm*ACh7RLFNYQ#Cob%qW)*3SQt#`| zD=kTM7iBkOKn3{;GPew{7;+?hPDvU%`Pv6Und z@=d=TNBDi;o!Z$5-C8t4DQxk2gy>9qp$%Rt;60FykkH9<9=kgC@4k-XpmN z9`XKa-l$HuatfDd>f2t{6!zYitYAsutK(uV93GPXi6UKb^;goT%DYG`dlIXB_z*pzrVbnFcmwB|z~3GInPq($}nY+Yfd+p*G~ z7)E?0$o0qIG%U}$3_a%dbPEx+qRI}kp84$BY+2&cE@==uvETdsUSD^k&;FT&I9Qmxs3os#>sLkTa@A+Hb1WvkqLN%gMd1fW z?V+mCoe5s$tn|Nu!s=I0p1WyIiql!+om6munZ*Pj)I|^ znNu!SjRe7-JQ%y$n%4S8SFdq-K^au#X_7TWmFAQHh|Zl_H7(<4IBP!xKhs^MF}=}0-89UG)1D;L*P{LnR7WX1FKvV(;nIAlawndTZeO(gZI$#sEw8e57CG;dPx!73bRB!v9!=F&W>X4{ARsrF?8+qe zjLH2hATG{@<2a&Oxe`gN3~AyE5#z1p*fEGx{F^vs@O=O5)W^8a~(RNd>Z|W2RGc(WoF2i&69BHkdQcO1Wh9KAUGq?snhN3~zR(1dj8dX0mpp zM-Ovt9c8)Ds~2oYh?9pCsT;MibrF1ES>;u;$O@aIT1`Eyh7b3*DZukqCy68Sc5 z@lDLts#NrHKZn6YY&ApmSZlfP6evh~?gFZ9Cncden& zbQq6}_}KyOipq+4%3cN$ih$rOgcjJFr2Z_y?c#?}<~_th~ZXOt9WusWDM6 zURAi#6foB1H!+QoF;kH8oxMjL0lj7yAy2EZ1lNomr^^*ih82){M(X&OxZH0ZaHx=J zZW-L`u^6HqaK;PYY-;93QPfAs z1yH1VdU?QgSbEfa6#s(H3G>_&%>(0{NvJ_ z;2-6>-Ga+H>^zA2_^3kKZIiIIa^}=l??onND6KRmg!HZm&eQIHtmm@K7Ib4_EkRpU z+=!t;t8q3`M&N2Y(zLADP-|DSwbzbhXqqy6H((nom@$yNF2L!EJQsq45`}LtGT-UO z7(JA~kML3Jefhd$`+<`ojvnw&w74cyT>}oZTH$UDJjq_fME_*f_-lIx=k==wH6GsRY z)k^&1N^`&*PC+5K=nX@A%4W}47&xV`qUbvA zL_1MR-TKT1-CVuPbe$)QY~q+)<9<)m34Nz2a=2tA%kk~Q z0wl5wGt`Ke4Ae50%ID-RA*sT36w2xq8q|w#3>mZ%GdWUuoWCR#Cb9Aa#0}%L83>|g zwNetbYuX;;cuxo(0DFSz(#b>7m1Q@NDUvnDNHVEh#urs2iky<6c)FTn;48MZG%i|% zx&u6F8kF^=0HzEe7*O}_E8dlXmNOkRLy3-+)rYw%W1xj!0?M@zP9QjveCAOfkd*zn zQ=&M;n?h^ceBHF%ahyies!)5V9ywrC`rky)6(DKab=8bFX4kfDnMuZgrw#y%McQUB z987d*_p+i>R3YX?U#Xz%MY=l;f^9Elm*-y`3 z^*EejV)Mu0cq^E6gO$y5aNQ%z86MlxiJt~}d$Wh&O^)wU&D(L8QZlZJIoE-5H@iu- zV)82kdFJ&&SI9*@slgu(iAVN}HQ*L}@kD?)6URgw?zz};+@#7vtu`KURpeLth>gvL z_0vVK)&7l-O0$$#mV`mWDW_kD@sHGWuL0TlP%W}FaqfEo7gVQB9Kf!fq?I=2MX~H{ zXsU_0z9hXZDE%Y_-^HFK0ZNG*(#~+)k7hN?S3bQfewt<;*->g0TPW#ex}Xpo?chF> z;0V}ypbD?;I%^K08Nr4m47u41Cf{{ZBb8GL^vZ+_&#m{-dqw*{+8i0->}Uo6M-1t3 z0=poZC5g29?HyoYEwt0=>*Hg$xOTR5nK@TM-TR3;am<=B!C@xe{fYTBx*51LnV0-o zwS*rE`!HarK*?q(0Ok*+eTKLf%Y?F(NRae2yN#g|^}C7mM502DlihbT*qKas9&HSy z7YC$H?1rN=WnV;*R%2hNvv#X@h^KWA)*)}Id(Kr4^X0L@KwXdv?Eepr5Yj*En9U>2 zWx~sJ;BqbFsdtWJcidP*re+n=nbs1`Pyp$4q8zeHnQU3Ez&w+K`R6(DCr4sJ^Ynd5fK0x5HmQ3 z)$Z3ZeH=9*Mub0XFm&S1AnpAwnM=qunh@c$NryrzCp-OcFn!1@Y}wMWhIi_FSi$8<6YxDowCcK&J(@+f{Lr$t+VP2;YTx}(MFD@HoCUtYSE@1?rhTyp-PzRVUb6Dj6LU3X6!rK%OpksYT+=6BNFAj z)!Vi;RxvM82K3`R9WsIqn`P=y1l5EluD~-S63T^ABdZe!&|J(>ze7hE)>H)Y&LnZl zh^y(44=VpO1{;o)Ig9b^#O6S#XX4D_Z>_G*9j9d-zm(ra88(;9chDS1nVl;oy_n4rc|>s=YYerv>J_$)(hniMz;R z&={$56VVIULf8(=M4@`3;kP`rv zW8x5Z2ljAVBrR^?n~#LOK&10c>XaS&9*f$UGh8|}e7?ARDxjD6*b)5OAZxJ%*Gg)j z`1;mXWeCV7g0d@IRcXbvL&b7El*C%bYvb1f)E0T7mdsWV^4sl&ok;~36QT2@)1Ht{ zI&o1qh?(3b&&Bg7W6Mm3J+50DW=cd>hstOf2U?1!ZdWN#^Brs*0KqPL8d)=n;_I$Z zr?^^gh0t|em4FAT$Ql40c0aQB24>TVBBH6+pKblDB@9gb84E6aBge(P1h3`gNk&6v z>&^zk)sq2|j5s4h`Xxg19{kH*b?Ve>W(80{n^E=Pn-KIXJ4>9DYqzqGrtn8{9^CGp zaRyPmg^pjp8Y!Mu6|gX^k`!WN-gr<(mgm$F!MSBNYD-qjBM}Nb(-!N$xl;Ff)?2&i zp_aBQe=b&T+=-TND$OQuS(!&=8{kYA8U^jKdpR=IjBdJHiGnnZZgvI*_n_Quaw9Xh zBi%7lsPg{08hC${au`K-l{~M=k$pMvl>_>0kTP9^euSEFc`J1~ndO?a0Kaq;8eE8P zONpnQCnl>+h)kOn#cZ>E2XhSBUBOC=Y?3~8_q9c@J#zRtC$rwB>&oLTLIWKqmG+&k zup*yIYGqX|XQjf(N+OHB&2#1*;C`XBYlW(?<|gH5NTd+SG(b%l`pOP_+7it^Mp`ko zIFv}9)=~OOdA^`;*ib1scaLPO-J*EB)7ac#hcs9ZN8h-RMH8{p(sU8p;YmGZs7sE1 z$Lz9<@0}_r@*iKY7cmZRHTQLe9pD3$w_KjdN?dZS0RuhP!S5V}`hS`=8f}tC)dTzE z`O(4IQ`mp!ul7g3{p3l*XdlS17|$()VSRdeBkt)?-|FHv)l86if&2BsZbG*pDHI4P zRw`4?Txms7>G`+n1LVz#EVLhy#14?4VofyzN@(wTp4>>GD$>hXgnDMe#$Gb&go^}C znF>=+MAH10Xkv9!6Pu>WC_vo;`Ztmp#T{^c4GH7ccrKauA+SJ(C(Zx$`k{U~a%WX< zA@ig~&H_eCp2Wr-iUN!TJUFr^@B@!@;LDZoJ@{eorYNT9N+RYJ-w~3jj+|(y-BvDi zvHZ0_3;{pCK*1~M7@cQsr;`D~>QpZO8u9NnE1quXt_|60qQ*4n7?n&Sb`JBkCCrFu zl?v*a91NaR8Jq-PMF^BIVP8iR?mAgxtEx5wkzqJL#Pl_i6d&#PPhDrtYE# zevJ9B1wLS_Ti{mP2Epkz155yTu0d zY2VWcax*Vbuj=;@r!lZ*tsPL5ZQe(v2wN;xxp3inb*i<-k;SWVX6eI*mgKj$h4!qO zJz}RW#0IuwD@UfUZ@A%xU1ZH3{*up;Alrbr&ftI6qHq zwoLFq9r1ylwb03}&Vl-e4&B^XKv2$A!GdMd$Y?;2q!=AI0_3q89+D^a0Dd~U4tkJ%yaHLHQ+$`WkR>7Ggbx{o({ z%Oa+)waYAss4%fpN3yZeWc+tApsoRsOs;OS~U-{~7OZsI=a%KC3`y{&RL6phh-&XggQcdH7X zhinK?lvrhuIY!uPLR0W$>ofT&-Gq|aZ@n-c48@_yG*d-D5!lF@@sQdIyUk^fTp`Df z=8a8fv9Q-W4rH5O^hEqCp`}YvlaII|x#y!QJL|XSFS0L>jbaaco>PncrLYo!s1Vn9!@<#Lks-$&QG6&+0Bo7?sXEt# z7?P2xK4J7$-ttnB;hZ;I&=rgxP7h&>dfwXe2BWk^vWT{ecNWv#HeY|>-G%8I%691+ zCKYI#QZ%7dO_k87M%!2R>A0xtV&T$NME8BxwXZdo&uwYW1hlsSXC11q!xW#HaHQMU z;*wVi3NH3(*40Fhci=c$j3)ZFdh_tWuI@##z6^!k&HO{nIQA&{$7e6DMu+<-RNZ;f zecfwabAxy$)@B<*!3~*?`P}9yk2&CT(^TSX4~$1UcttnUW+w?mUD7^ckcH;Si9%Gq zmY_=`bs{31p_c0QsOnx4Hz*0`e{@#ej6VLS&nO>d@y5lVc`GJD12E8XQ|4V>L~eP9 ziv~}dWEM8db1ogaWZSoUUKTK>=sy!Nnef+WHKs4@gsl8H*TK0T6~i900XXMnHdU)j ze;y|%(E&k1!F6R7TOiK_J|jmknL7|Qt=de@cj&lDVuD*<+qcqS;=7g}@xC%tBY^Vr z_$GW^Qm4no`#9X89x<1k)2KjH;*}yg4WZm>Hxk02IvA3+nupUHxH0`MwF1SLdk6?z zT-+s;cAh^{2c~ai3P%z`1N5ek3;etpLKn$Yd4vnUj@n$*j4=91V-;WcoR@7)Rd3zs z@41k4qS@e$fW5>FU_AItfuESO)JWFqJ)f_t*}0U1?${jMhAOkvicvLe5oz9@cmi&5 zja;KGiwhJi;mEs-v_u#Ha#u1%Cxg)Sg`-t{E1`Ov?5JXrNi?y=oh8|wtI$ymF~z|J(4%mhv!*0T~^zm2<8e6CQ2Mg49U zwoJnVXpg!wGx}kv8zGA2BJZ;DPSgsXF7|*zHZMtC66Y*$ZVoMmwFSqeJrE_kHJM8m zY_XX`HxNocZ*l-$iEG|#XMl7Pnl-B#cdvZM-)9q~DYvvnCL8i;UaT`Ceqh#zw zQn0y1NjwG$EXM_(amT9GZ=D9f7JK2VNP(llTMkJVZOU&mgT3A7SFcZxzU(QehlmGK zWWuntxbp$;iQ9iDRPemNrk7Q4VGY>G6cR>t%E!Td{fT%dpmX~nb~VR{jnXSuXknWB zo&Af$gTvFyqut}t)xpul;r`{>#aEq*jm1SWPiox8;Zd!GUie&Hcq6GYPLksU)>cvQ z;rnzlg5P1sCq)TEQ(Y7THGv9Wyd1^%8%`@TBU%(kT6K~xApH4~*AxMlaSNwD!#Bxy zOjF|i=Ugi1gBfSF0?lzY0yW(|oec-OgMYRqWL!j8rL{UlA6S-1q{8l!BfrY4d%9{_ z`;;sKwC3e%rABuK|38_Anxb;ukXr5URwn;il#Dp_n&j^5qXWe@i#9@3vQD>7T^4J- zVr>Hg0sApWx-YKq4v^N8vaiVnts9R2RpSTYcxJUP8cI+{=8+nH{BR&KqnH$Ph;%T4 zxSK=0LiTx0mNsk{HCJSz-9)Hwcbh${ZD357&DBr}pSi%P=DTq1iG99@9&UTs8x?qB zS#b>BMf0Drnd@-3MKAW>+LUGI39ZDJ-8ERN6M$dFc1|O{9#eiA<(N!kHgk4Al__aE zBBynuJgS;gD0fA?joN~E(Adh+v>+-7u;(s^e?DzHjC~Ee{*sf6Y_#1)r()-*F5GNYsYf^EuBt_S?*xFhj-2xnEV{EubstBz{Q3@WgK z(o=Ro!^A4p4nla#HPUUWopxomXY&o2w_QQdo~T#b2v=LZTAs1JES3Uc!gO?+$sLG- z-QDS4H_S>O{@#|S;4jyrClzo7K`2FMj+?IJ;4m7Nx`P?!su}S`s9n6_BDBs>Ow5AQqi!Qf*AeFQy*d@-3 zY>Y}960R;|Unwg^l5`nglz8qmmZ6*xrp51ERnF6kKP0Z5aPfhZ&bQoZk)VQSsUHuv z&j~EK=2@~&5tXP2cX&n+?o(Gjcxb9B=69N2;%AC(r*hgmI^Peeu*%uWbuKK-;wUAz z!@RnR{XuC1P=D9Bx-FZx3z@%qM$1qi(y?@Vd`4; zNK3{D)D6%2nvEF^^R&h{+}TL0XBJFdyKQ}PTqp}SnPy^g?lK9T2NIopuO3Rd#uggY ztMM^=Z_@JcJ)NPQSZlNpIMx-@c@4>#U)zeXqx0B%TBc4%l6V!lQSX#U5?^qlLF>G1ic@%6Z2OwBcbDHQn_Yj6eVAjaU!#nP8}4;TbJ9897Fad*QR^-fy{K)2KDx zriq(P7qlMsenek&Q9_ zvuPZ7ZCOc8Ft+2O3kh}725f0WpQGc;WYYafvP>knF9%k07a+BHm)Z8+SCNIP0jVgo z%u}KtNK~a6Xw-rElBNlA%7^K)UCLVJ2swEZ??M;VArb+J!%Cw z>Ef9=8#zU_ie^5ySj6(Mu*n$8F`s61c2t1|y_|??~D&a3KIVIj(BFqvJ$!gRXAyvNQEkcjR%2-p%Ez**;iD{#RG0x&; zd@fN7C4Z>muAHB}J-it3pQG2K^TX2v+z0&f`0((2%l6l*bbv7z_8S9i?=I~VWG*ez zX_knG{XK}A3I>^k@r7%o0Zzupw*nbFJ)PEcvFRz&xYFLkBd*ku>}qJz#Wi~5k|B3MB&pUoeD9(u|1 zEYI zsW6s)!|yaCX){Yfi8Jq8i=+KLlz+p6umiLR?H<=L&*@t0+n82YL{M$i1_%J>u%3-B z0sdj|-GB~WrDl|~l+Niq)=)}#@QYP#^Y%IPMstv*QT=G(!ov(8kWgTs^dmu_&-%#X zJd*0ioGw&TF!mG5J=uw{%$BJ-5)6ieMDr#RxazYG&b1QsRV_l46qv}{n)EI&zmjqH zrCCp$*xh}#!)O3o`gbqFAh4b91c`MA!sF6lJ}1CnTHu_P;FEM{;yCi-GMnB6Z1$F; z?CU-L!pXtjH!iWOReIWp^U&3E2sM4x;J3@FNw#EPr^=|WpU;c?Kc+9H^b6no0}C6^ z3~(}JVhnDXv;D-c*z4~lW%~Ny-0q%wl_O_j&=4FdC}_0ulW#ilcRKp=f*y1a*cwxn z*jTv$Kh?rq)NmtjH8PH_rnAZNQ)M2y%9eMZmq}mp`L(mgoQ*I&iw3!g55bin0QP_< zH`3csfeRsd@N)k=MiD$Zzx%v*!PLRM-61b}){0E`>x63Nu#p`gByyDm;&?jk1~8WQ72Rg`nsj(1iu zS{|*TD&3mz(2>+AHl5wmX5d+46t1EvfY6nk&4%z(j4YA@o}cqcnhql=zTc;=9HI*1 zl&QEo@ClkXT~oKZ&E|8x+-U9`y+)fJGNe6eF$h1f9nbL$j1F^_rI|iP%8gvEDg-p% z?~3m#K`U8u(ydyGQ(cClNk!(s5cN~jsXOxW!c@`j>YAc1T2MD-Hpj`8!?a5+d zU9fjxZsvg3r5|e2q3u-qNKM>YDmr0m)7qRIc>4jq$X-=k*Y{Yki`}Dx&BpPL)K-nW zj@kX?Ic;c44oq<+TOr*g)d-$Z zYErtHmHd%LDw=WfhRXy>iuXmRqd{AgfCblUd~7@y2N%1iA0G~k`^SCnmTCvfYF{s| zt?i$`=4dngJwe8VQDk`}QS5?h{xJi>uk{K}ODA;lA|E=gZRCqj3|ewGYenbv%`OcA zrT3|pK|OI!JYKrqhU=17<}B|=SNa=oEASUd>UUqmTJ#1Iu&wDWVT#{5J{*k>_g`Ne z?mXGV;S)?jAtV9#MYWn1{b-3IIqLukbeaV;n;jQ-#cfoF?+bXmdv}RUGHaVUJr}MS zm$b;uw#a!5olCc4(N`gz@4h&^kP&vL>qe}FTvDNRf3QbgA+%ue(1L9F#JDZKEa|^U zD#d^1jogDR$$l2=OFrJTnO_YOAk70a4V*~$^6cznM32}Rm^TEM>KxV_t@2JYg7eT9 zk1>k#w4AW@Ao`02=KV;Q`rSzT;lWF?jz;g5DGW8mxec=w#iC0S^VxCcYYpv-{a8wI zT>1XQzO-7>?Uckx0fV7k#5Gc(+C9K%osW(p!!y(!(0P|qo+#ub>jo{gGMX#<7A1Mu z`s#s5mn{9*kIRLWvZP4eX&RcGj19{M7n>aD4b*;d{^X{DTeVqp z4b@j7PF>E(5vxSWjQCTNtXL-ta(v zKU7t7xXPx(F{mh*9;b;W{tzN}ptX{kPp>Dxrt3a5XV{}S}n0rv6xpVima_v-vdK$B7>?7PYfX9LL<#BsOTK3LkTH*aD6pF{(*~hTsfuPj?eD zGbq=9P%v?>q(cg*So>qf6PZ^;y=(w>Qvul;sR5ks^58W{ z8YfTVXDZ&#Mw(F0sf@tqC^7*;bui}|HkgtUQ>>dRj^G)HKb}ML8K5bp0u?NmF5yBN#DlG<0Jo*M+2J_rtlINq9T{6hOY;>qqx<>(&)mh zmX1S%pFT| zC8Z%20k7kpYROSYSIT*Cjq>2QVApLQziC)E7Xm#+KE;`KgX;1`8>+MpPlw*yoIuCc zAbsA*gjZTKlSrpn16ms#6$Ln5Q+{N<`vI3s59)k%TWuAN!J?}%WtJ01bDZQWw)Qq> z?|~{Sc@Hsz5pjM*rgXV6ZHO|e@~4sVb}QK)Z3JSn%CE9%KZtP0RoZ1)WE_m|?e5cd zz8bwgwMS>p*@@Hiy~6sVU@&czace!XamXjV^Zg@@cv`#CyLj*zZ5Q`NC?@p~P8u#X z7gODUzZGA)Be3VP@fI74rsX)fxEPb1h7l&einSmP2V4gvnwGa7#ZK{Xi;(3@1GX0; z_dXO1>b>Y5Q%#Uy&|~y7b14?NznvN)3~ZP1p&%yD4j;evxVQYGvH~?-O%(Qogt|P? zuBbe^fA{p$pY^p0#4)AnXAX$cUH5u6tcRKAW=onL%8z!az0dlcr@|opOO7hTjjv;Ai z7)@3?`>^jdeDT89;y8=bwih_6b-@vM#)q^lI@T-cip%)SGs-q6xHjULOgU`*Yl_>$ z_lw%d?`v~2iN}*`;_S_3CP5uGrci~+a`Jj3*u@MKdp~7d)5hk2+Bk1+1gTr9R+CAZPL;-b-BYwA zd9bg%iqt;b$2=ez4=1V%r6eS`7?G2tq;7N^IeUaaue~fGh8y5y=$~NdqVUdHS!`3K zV5>{Xw5kIfx?urxp2)6T3@Ku-di_7r7Li2tN7@?yt?Axh9HPV+0rLTC;2EI!Rf8i9kVIE2O ziFLq|6dux1Dg^HsAjO+oG*~!lLta{x$03B!-0|23G8B=nb9!sflU&K~09xJjXU1E5 zDVRr|GL2I$JbRYRsD~_A!Gvg;hcC`AZ80YUg`%m8qtX7GPo8dn{;6-dbn!NX(qdKG z2OE_ZCo8S?_a@~TGu56!5pXG2jlibcFPv~eS8frN2HY%bw)~vISCszA9aOrl*sYla z&S3D!_3&6c>+Md9`E}9zA|Y$Mw?{G-mv@1|UEd6PyQDsWJn{ApB1%nN$`o|LnTq*|;h#!??ABqE-KDcwu+3|d{$dy&kkp=^M+ z-r+6!qok+rz5D)e%AAH(-qO!eeMvJhpzhNk;LJ$_P}f1a<_}8PG{b)peW6;?jB-Gdeh#uDR zGS5hZrI*t(b1!{!CvkB(9IGPV7Z^us=n`CWHLv+=ktP>{uR>1La(0FVLumN; z8(C4ez0qn>fdT0HezX9{#f!8c?SXd1J^i}EP;XL_eEEm^Lul$nHcpF0@5Mbne=(;W z^>&ukIac^ZaZ})*ik?DCNzduMo=($of$j1FkEO|`^LB4&onNB3l7#(>BE^>Hm#^m~ zf-|S2>+|z-ykAV9GhY@M^h>fM$d((Wq+6Td(riUDvzBjQBhy)zwq@s7HX-qAt96 z!#QG==y+c`any0yqY9*4ki<18OqD5_ckqW7b!yo=r`Wds|sPSauUWiPhoKF zt)|!$_^9Z;Ws!G+`+&AwHpijmSF~SO(<)sq2SDy3o1HfA)5nh=hfbY*|8MK>|APAa zf#l^HKdWmxIQf0XjiAeP^!KuKJP$8v<>^W+^^G7dUKOi4|NigX`?Lvf$&^U`>z|e3 ztraFA<+g9Rtq(w;;4jQWHo$&TC4h^^7#9d6(}$P|y0dA6UH$RukLms5=F_LNZ%^nQ zQm1%F(~6!ZAB^CCgHryW zgWlP%|IO+H$)U>b{Ihv>mys57Ofs{8ggC=Z^p3{v5T##NH|NYPZ>c9Qn|Kq>?=l_i~N1QDZAgAf7EKX1*W+d4tf%_w&RlFlz zf+mOFSYeMoAM|K=q`{Rpbc%5rMfm{KmX|m8`BslwB6fEF7nd!`OH@DFy{S^bM)=w4Il<0|s=U z$8*L2d`lz#icc-w5HMM>2orNF!Gb3x;|{C$6*Y654e_6^R&=@U&kE90vODa6uU2&W zp&gB>)nAUY8@j4P9>5pB{_|=1A$>>J%563reOO=tez~AKv+P~c+|sKb{^bvU`NQA- z!@s6~|E~ALzxd%l{_tP^;ZJ|~s~`S`{`z14;m>~fPe1%kQ1AZnPyYoyuB?*#LGS6~ zr;mqEo(!LU{#(Db|8n>A#o?&;_UQ6u@9C$XKWn;LoA5aaGa(N8YMvC1VfI~eXVXR4{`i)sFf1xEhaB|arKVN*rvRH? zALA34R}DhDSM+66-tXi^?zq3jHLZamiCC_3akI{}5Y&WNeQrstz48 z&(8KPjlHa!Z$AvdtJF~qcL_(_JS$7$^H8G<(gvYNsqiWcOJj2)efZV`2)VVEZ*dyB zwe&gFN)F_7Au%gPWNPrCYZ=Fqv^97kB6ui2L5CrU$xV)Z%Z9c(lAG7sc;@~|Z^Ps`zw8ww=m@Tx`msPcu%AfI(+B-VGI)8O}bo%^^jMDQrpI==Z?!WQxoE}~tADzB( zUvUV|8hEx>y_5|p%$9x){<()wPGe@>jG{W>Wm3(4ly%Fc7J6qN38WcIojdX1xfB9J zY8%Q6S`B65;0(nPTl}|p19u(-9CFaFjcHXUA}=GO`w5t?DZMbKVym|ST|-cG<1Nga z+Tio+Ff22>!w+sgwxdwru~bR4SlMSq2`M>SD`|RI`SgU4UMzGDY!Sw}|Ix@6VQg+$ zuI&c_A>*we^t;2MEaVWw(R@-zt?mGKRl0Q08r_+xPXUCC5~p=>>jg%NZ8nW=uh0t@t6Z+ea|hyWWpiWYR8Z2_O3(k- ziLYO#$TW7y_*NtO!=2t|Tc2(Myv3yO;O(bdpFE~Lx$A+xb+fe+L9Kvj5OL%lj>NHR z_cn$@jCY9f4r#`Aud?BDBv#iZ~XxnmVld|P> zaJ*GVM=vf9FHQ#dV|VZ360Ospua1t7qbWH7wU{gSHe?Q_>aI6S-zQT#5{poWFNM8n ziyH0mdt1sB5X>bT*EK={IB|>+vX0K&E+%!-s3lSAQ)fv%E?iZyg0)FVPr%>(*HtDx z9!HTh`?I)GSSvibvtKH$Kzj&Xua)x?un6G3h6f=a<{Q=57 zk$3UMx-v2#`SSHA>>*r01Z6tTLuyyxo2K4o7%$jcnY(;?e z3fd<_#il?_k`<@!WAN0~ux8E=PfRQHux+~m&Ax6HR<}a@vRg?NS8%nh>9z;N)yzri!50Btz_c zg=pRH7Tdpjzx}&=+rRrZb|*0KqyE%YdL125C)4@VX5trspW~cZYHV(w+PI1POk&Xw zV0w|ktn$3JXnPURO8329m#bV^(Q1=`G;Mg_npBHhYRI~b)wp!oWNk6SVUyirf<&*S z$?ht~fD5WqOSdS9MX4uSgg1-z_Hm3(#`y7S?eOzRNIVU+i@goG2-1}7r?(?H9#Tys zr38_@5UF{CG`;4wrHdM66jLt57w{_g)*07OHVe4(f-~zGSCVJ1wVvxrit&*UBrhCt zQr}~etBZ^COeIlY<}`Bbs_hwNt_zrfLB?_%emarW0~|T|RI}-Tnj!j6UnPNdRbTzS z?`z}~?kWOp;HCFoSMa`svQM6lycieLwWQaOymtLGeN!9S!J@$}VW8z``l{Z>SnG7e zx69wmq2e?+X&hJ#G(+1d=>%Wq?DDj{P>w=%xhhctZ4JZg_7F4^r%6%h1ekH zFvH=jkkFnWUMp6jt%a+ja*WS$Si*tZhqRyG1`sy~%$H05PSd;XYPM+Zd+xKMZ?exh z5nOSZSh&AjDwW!+8=pP?T`c~^?n%S2z~dz0$vvz0B>Ju@A=3Xrk8Xl3+KcCW5kM(u z!%VU*tWXUqy?uRK)k9C13Wm}219H7oqr^@D_Cr{mmJ^LahNg*YrXwS?i?b$!ja-0sIZ+DC=S76(e`k1LG$ z3M(HHOxqEiBMWp5dEzS^VyFs5WI>|evf)F_7L2}$v}J?I6ujNw2SUf1q=B7~B#VS= z+qu+NW-|noIQLe>CyrWH()}wziprHKR83+v)%^jAPdA2}8{sf1?-_Fr4Af%VaDuI? zW8{2@$jghF=-4{WFa8s@5K5VM9$bwxd{&vXyH$laCsERhw%(qtcNiX_9G>*r=4p0A)jC$Xb zu3G4yuv!9rOv^C&iAUZkT&A$Y;~n#R0a8BW@}u5&|1q)@S@}T*+!JJ_J^97Y9!HYF z7gmVH-qKX)IK@|wuUC2@S?I8QUGR>*d&!+;KT$1?zV7rY|FOU4%YYfq)e*W)h*CHu1Ha>uYh9BcCA8$ zSB=ZKLAjz(EMN5<9(Ii6qt($%I5S#cZ;6L&n9xn5P9gRjy4jK6MMHX$)!?w6FKVw!N4F-N&Lox!^a7;eEl(drz%-mXJ>8u%VDbzxd&#Z)(j5C&Tv30E7! zAklT1Ir4ZlQub$nLRc-%Mp$LwN$@4VE>=#-HklUotormFyXs*91EO(O8(gsf{}62n zrMh2=f=xyfG+z$2Fm4n?=2WVzR5ZG=G5&_t>>Un0R%aVCx;5SY{4p05XeYPuZa2Uv zel)ennQe3!2b3W0`YVq3fYMAndG?BCR!_`FwJgK|@{v1)HJ(PJO$Zd| zMu)|3%)bwY30B=sw{YrIDXPC5({WMWMk!8VjKK!?Auc;kYQRMsVt#Z%ZEAvHZZR~f zLnvl&99sYqt$ zzmZ^G;Kyty#@dQ=M+^PNM-wsxo9H=-mH!WG|JEbPmYoNJ@A?%+7Yi9dx<{PMljl@b zic!tDXJp2$!XwYAQw1W*+}*<6PPm(SnYl%zr&^7oh@O5J%)^WXOwR>S6C)5R41`vT z-2|Z_^)N}k&BNheDE^UI-&$*5%_8!Y)Do*I!`*z_wr%^eF5mh-dZ)~4Tt9-!Xv-nV zs}ofTrBe3dne;+SOe;;TRDKQemqwP;*;<>7k% z{0@A|jzzi6VQu>8pV=Kly~`ZFf$+Ca1MG;nOt#A3NP_d6AU%VBJytGPZ z-)rdv*zib8;Pv(1_v7_{ZRpT=wD%fxGNx1Syl8(;FVs^4Fi0VZY%g!~+p?GZ3U@>} zz&B~5M3eO6^62E~!aD?e$5)33z3?pj#j)^1Us3nU#UcF4gG{SZY18cukM_9K`xnDi zIi^KTlkh0btG#)X;p;J3#JynJCBN9;eS3)SE>8~Sr;s?%^q=VgBcz1o9v}2CuVpa!{2^?T-HucN8BS(X)Bq<4=6| z`t?!#eDu@%^=srkDgm+Ly2IY zJB%y~LeLcBOFKT7=l-21v#h#nMU}7;fQQ}>_YQi4=Wf|{Erpe9hhf|BC#^1q?~nRR zUc?OrM{Dk_joX;0!@|ToeO8Mwq277>ao`YK`d==ZY2lgr0mfYMf|DHe+?Oga0z}2`sC<K)9my z;2~<;Yfm0=pDmeAbeD^>qBDWzBiXl>T=3PdJ(lzd5#IP-@9gE%XCTqYeii+(Ev2q z?$lOtB|W$>6lrauPwk`ERvR(tF!nsioI#PJxT{4DW11o0g!~wn25^sT{z=V~uD9A+ zA$U9O{vLvW_u}&Noo)W_K7TMgyT07n=Kq!tPA{)^w((yADYweL@{qyt@0N~KbxEdO zJRR_Plw){M{;StD^yuLjNCnti_s-stsrK&bv`#j9ic$4Cs7M?!xW`{gS{j=H_)J+L8|Qiw3QduRwl>Dj>lGA6bNhMWx}`Ek4u3#j>mcT z|2ls!^z*(%r`XHW7j$er&S2V@grIX*aeSbGz%ZmPiV(YTU~TDSoVeKyc$tD{x2o(j zfE{i5p2YC4-<@yMTzxFTG0LX7rdWFSt3l7v`y;o%#ViB?V`0du&ms7eOAfI~!H_Ob zpaT+77Q_yRBzpk!>d-Irv>~iLKqvZFXQuE^g27dOpG%}kA`twRVjI^v+}2oDLNw_N zvtXi&h;=uG7P#~Up1TgC|KqgE2U)S^+c=p#h7tKuPOB8>F++LS@5jaPw6mVRmdV`o zXf(#4%*q~mHtT{niO+eW(d{CuNJdHx`C5!0v?YsHPweX;=F}5e@t&%6_;1WggkyIq znnhN@Yx7J+1sv0s+cqEqe<_UGRZ6^uhisOL`~>;1eNOKBi2W`Di0Nvr#%hIs3;FS< zgyL!P9-I$%y0c+XT|<{{6Car(Se0y~xA6UXuX;jvn95$kE8TqePhqiq?MsyVA$Fry zZkD2)|I|UQ)E``*4uk58+!kFK%D&Y&E`oE*+90pUw6HHq1#?U(G|SZ4_+kH%S7lr; z*R*-MAN0Btkd^>Zf9aQal$f?4QU&f~I?o34bd=5U(6X4qbfG{#fMu%{2hF_am|`H| zMnW9-V4w$W6?G<54Xb9UDl7iGlVUX7NtQ=#sj6E=HQn>Zy%u9V=~5k@pLq3fpHi-s zM)^UEwwAYp%H)!A{dT4r#JF6>6c=(>_|l4Li!?&iQ-lB=*=Z!f!E}#63fp?99z=@= zEaYsE1sufps$bCY7>9`M6*bx})2TiiRAL4VLdSQywg>g98TEX|k#><8_&`&*@|t|R zou~I??(**9b-x%;B3>Q?7Z~ z>2-q{P|aV~<}fr@Gr*~RpBBD&lnI}_QP;(cyQMi_8BFF=fg&*ec9&8!z2+bHQl%~G;2X`P`yh1G9E|88YzB+^WA84JhjZ_IuDn?)q znqjpt!bF9(r2aX-53W958Of;d3eTbg+&2qB4yI(8TL7*suO+VJ$%{DV^m%5)YFOql zON*8&MtE;iF2K{+ktj`2R?asHWE1cJfdNK8g1KofwnW-?XLxh*?&^H^^ycm1H-`r| zuXl&9O;9+%L39YCag;53H@4W=VIMz>L2Hcl;&J3yU4Wt2b00xk0AOx!wPYZ5lguCc zaHxcqDDj5cJU{IhdMPa^e=Y=CCt;|@{lM9=rm!r9fjqwBVPG#?XS?yAbq9*%Bf;b0 z?e9E*$}&+P7A4&^1mdC6M=*kS1X z3sSFPB_O>@#lB_JqoAnE_4k1`4qJxe=4+bjpMoH!7^yK{TX7B27_wCLSDhjeo zx5MymU!X_o4N6Q0c%b)xOG zlqT7W2X2-Dt<3Rnt3)(G&^jhfsu6bl1Y^~H&kUcjZ+L6Q0z(nCgxTIh0`$p^{^%y- zr~ti{8%y(XLuSRVnrve;u9$fGSAfLQZ+Paz=1f;sb|lnY9iyr(t3<5N<=1!;xaQ23 z4&PGz#riH^GL3y($I2E<+5$v_B(+g8iNiiBt|j?hk*5(WMy9aP+xhZ3i&R)Mn(=J2 z@4pU%>~Gobg8|M*<1zLf%aAqDMERqAuu@a6{E{O7yls2;9u-V5+*)uTiaa2O>FRZD zF!`b5Wq<7{*?S`tGX~;`*cMFZQ$#MKQbE(|C@*dot4HkLrl_(hv;T_hoBdNmX5Q`0 zHz-Ln!1NU>g=~2-2-pqxB^P>ySjGT-XQh{o!K3sZ^2%%fUiQf89rZZn-=#(?1!-eG z9eiH3rZ8k`-Qfn5W2`ycK-*v(X23v67~xgYqZI@}h(0u4=eNB8U4$p?b%0oK{9zY2 zsbEv;6Vj5tisn$*IkUK)p(Q@N+4*wS1lE}_+OLn`3|MCnC(}^9h7mdPrKn0O5rfPP zNa&RlR$KRaHOyAmWYy57!^{I2DiFvxHY#j(g=yp9IO9yYm2~zkjyX06On##d5pUv7 zf{+_tt<9AY8-tUK0NpN6M$z_QPqVD#l;ru?IVi%40>}OR`jHiqz0X&Jd@|1lh(qi| zcCHVJqG#oc%Yv`xxWyy!GVI4Z?SQ56fKWjfloVB*qF#hJ^(r&@Vs6OlX?v7jCaYz9 zD^p|MP4ycU#tz& zq2(oryKincDgzEXzl;N~mq)>sq1H;H!cjH2%sR<~KnMJcN%>+RJN!;p^x6Il=H=bE ze*Szwy$iQJlRm}aWXRB6!I|$z=C{Vs^pl~&mV%fVOv1X!g_^W`Z2i^{yKZz_=reT_ zf^w}Y6D(bX*Yr+Vq1!}g1-WS^30!ZgtvL$YLuw=LIa1cyt&*t*NT^Rdhe$HcI4-EQ z5k}|m;ghc@utsWw-1CNCO#XiKh;d~$L;2b0n{eJnX18`*CREqq&o$#%=Dfi$>oWO! z-KljYbuDbJBv`1X1CrQrJCMR>AOn>l6Wb4hwXM90i77Fplh*SKKAhgKUdG+7z&n?^ zeab$7Nd(Z7?7%Z}%GD6D%fH8i!QfsrhF15!4K&Q%juY6}3@y8V01 z7r;3(F?LG49-R0_u+vdK zlyF8HFcjk=AyBvdMC*1h?{g<-_rb%3JGO zFi0}ilA0~lZZfTO`Eikfn2K}k&VI{4%~^KS9XqHTvMW3_&TfMfNm^+=wKdzHlCHL) zOMPm*6V}ntNl^;}3?98T+4TGjcLiQUsuS&Rw(ceJjR$CZYqI@E($r73upGkhAK0-z z@e8J9#vv$1PHns)K5IYq=vG8TmP`hrq^blDXR?>0@(u;!=1D_iC76-@fPKWjse~Ik zg7{ambPmka@!ST)2yK|)eZw^kbgqJLy zenlrwkCh;_gY|wg6(Rv3MVv%o1aF6{+!1xR{5U=fAD;XhQDeMoM+};$v-GYfqzWf;4^7bQYQ9u0WNVQuydC4PQkzHj^_w5 z!$6^P0~|Llg%oVwcH|u!7k80YfReq87ZX0P_|zypp7dyDc$@)ohnOJSY<$d=4W$)} zwMAGzFlvJ9ci8>2AUu`;k|u;6!fvQ(2*4DBLd;*UAZ#!|;qfX9ZxYYMrU=z8unXC1 z1EEo#qZ<>vU7#UP zDaT~1OeD+k;nI>P2_oFya%0n9T?TRIkUp&hUX-GU?YeLu7fU^<7-G!%>xr-{nbd@t z$}^_z!ju5bYRUrftH?DFvpNx?EGZ@M*=9f0(|)jx+)4Ew^Ay3#Ga|uEpd=2y5+j5; z7p&5*Fq9{@B}sUG7lsQI(H$YZM@GqAv(_PBjzDi@sjI$HPX)yG4OK{=eql3$f)6<>L+FP~V z1=;PxS)ifTxIa8^tLzr)#4+RivYgL1HZ_cH-CFmc^s0~$vi|Xg@=nFr2iIYPiZ;F5 z>_6Tq+&#%-91|Y+^}9=Wkof1})fE@~t_*I-HvOK%WouvQOk)+vtzw1AV|*47qz&qq!-fF}uCpkb(lRtfdz25;a-p8kGg z)0P-?e7(Wu4rT>DtaF z7pL#84{t7xj)sTVe(;3z^8)jmvwg&s-WqdYP{gw2@T={w!KZ6kc_e=4;*Va12;W6O zm$IN~dxeFhFt^%qru#-}J>X<8TP4~F#~OjywNMafe>5|0dmHR9I#_va!E>59=^ELB zlb0yRgT>HPPeO$-gKT*E2HDt~yuRV837TtvXfDxhqkTcUwFLyPs>hp>2fcyK<9{EW zex{@b(@6wTjJl%)(bnY6(IvO+Pa2y@HZIi|Xvaa@>l*{FQ|;{V`t`-Z4YXZvcCU_y z8=L;o{>Vi-Aq7okE~32#m|w3YT8M~t1V%mb9DI=D5hhwquMl-Ex#9XcZzooT4yMR! zKO4k{muzJjCqb$~AIt{z+*QY|8IfJEC-VtZDwzBoW{+jsvXbZ4u4o`YaWn5Onr~y;l~=UC?Sy^Z7rE;J);K z*d@5Ek#@OOrm8Dlsgel1oI8GCiRL6H7TVeWtYcIRi46kGQkApHrjGD|o7v_)Y!ox0 zhY!fnlRCPir%WvWZ?;-3>sQ+**|(LK+wX>lS2yRoXNSX2U%P*C{?*~t^~w41&Gp62 z>x;9)gYS2PgT0&G^Mjj%!{OWOi_4+^nnN`5tpyql*n@lHgW(jIXP;3>pM%Y|m{<;0 z3FEKI?=uJnpnr5i$IQ{i)!FWKJQZEVodH~NSyP>CbPv?^?#Vfg?8*7{;nmUZ{-N&* z*(cyc=EV3d3KQ)XRpqTh_VZRgCeV~IwTxs(IAs~DBNxr7S1=nMAaK-~vv@}^gt%osgfYr7TbP(pdHpFyWSsOKBS(mAmfyKvK zAP}m^xo6u>f_n`^M@Sg6Fyzj|tBuJ@d6m3)Im&AYk9_DSyOVU0oYOk0p=ZB4r#XI^ zRn;2*CIcPQ*tT_+&ePj0yQl9KIrQj@$=3cXzXPfR*Hh0f%Vmmx-qXMT{(s7s6}jQK zysVSGyz&Hhc8dv(N1a@yi^Z&*Px|u7)oc9+`C(<1qDuwcD)~8HJ^r{OoAC|JX4ewE zy$=Pl>btaMHk0Itx=-6jjSp5c8kaL_2yz5va+*#{d`u_H-CaM~qv!cHw+&r3MbT6Z ze@<&7xyr^LkoegH0UzyJ=jAx7Qe^lRv|jN0toSx1YnlF0OG|sn`1NRqho?9e@0*)v6}j&-*fYjhKx8!Nmld%07)Zf1QpO7`lBt zMv0rQUGK)AwWj~{SrmGmyv_^qP9H#`Mn65slCx}$#t!KHCKvM>XcPK(vX5lnlwN~t ziaw@^lN>ek`9gn!zppU7@}uFZ%CZ%A<^bl>RhHL7nPeA)aP5jECg7WjT$~I0Z8i^|tYp&5!9_uU5E>wl2&~THfd=|9Oyo z#U)_$=RNIiYe?T_^^7*EsXs*z->-5qVvceIly7M!zt5Y3saANh(z3zeRv-Uet-UzP z=lL>A_9`sEV$@VYtc|~2mf!}iI|FGBOUPHjG z(Zk;*!)8$f1UOBbDy4Bd&dO?}%q5l3)am5FkNZA}!*?pS1<2?J; z%`mdkJ}mNSo?&dy(#hF)zbYT_&uTotsqyhQ)GQq;yCrwAe-;|9U>hM=Ls%A26Tbx8YAZstP2M*ZA{&?n0?Y}k{6RmT zCvVC0D?a|M{d<_*kx!fc|NgY{o21EgoXIEYeZ_Z94ui&mOWl%>dfbC*_h>B8}8}J|36zkN=S# zU^*q6BgaQ~d*YceV)-wxa9cq z>jpCtlj#z3fPMvTRcwIt_sTO=PJzn6r{$_j4ywQV?`hUvrMDQ@BeI9c44otHc!e>m zCTP8)eqND}NxMQmEmtf2<#FbnB3k^AVrE=5BS7Mg@+oz)$|g`AOEJeLH0y>L?F>*h zK21k8{v4&@asGx@7X|=p0!v}mOlN>144Z03w#yl(9EVK}lXRHEIiPDljJ|kI8|gK< z#op?Aoyy*PO(q3~w<)Ib=Ys!>7uRK3FF*eKzyEWb$MhME;c!MiN1+$ekNEa(ODdN+ z%?QrLqMO$Z7?7??p0n>BGP7{re*CK-_RLfQBx_;!*A#iaVPOxW>~?ebdu1o zzFAZUtKtm}`!{6e)7mPlqRj94k|y~&g@rnz;r#iC4vpMPQos4T|J$VckbRpy)OY!S z_7n`y&u0zobN%GIfBoHm`0j81;eVw6{@dicfA!t}_T7K}hhKm9m*4$0{p&ye!=HZl zpT7HRy6A7|>;J`B*}whuzoHvfHSDMtpS}2O@YxRspMUmG{>lF9-SgwaVS;EFncZK! zYG*4s`PB^%kb9aS!Te*>20k|yg>1$2yLX!3|gA(wQ-3Vy07hxLONlzJIN*=FvSve=wfJKfT|^j;?qJZAP{TtGYqum% zLj=sXSZsKLUDq|qq$GRY9rGriKmB{}9A8)Y@)T7sQPNSySaT297^_@aEYAzOCF;!@-zW}pfy zN)@(ZMvU|>E4tt;D6cHAxA!C>-aZ{t7D!h9rh0)~vt%l~{@5c%8nJXLJ>`j0er-99 zW7-ICj8RBQc*l;`mHPyE*hvR3L^%1LX=R!10U1tS?Fp#Iy#zav8Y?g63 zn~J7GHjrHN2P;cr?MqsjwE&4aUrSUM?+Lpy`i(WP7Dk@aRjvjzoy?ZTu*C&00C5SL z|5DsTE3d@Psxh}`FaqXxKxyvI=R+|bkIUa9m-6|KJ68N1L&d*))q2$XpxQq~D^42qcy~_ovo9 zlIy4@Io!X#xccTvsy^jEVREN|6lSb)owTkx*0?8;P@^s6c$8(%1Eql!lN{_hws=&S z_~%yi^FKDfR|}nq+3d}%tt2onW^ncz!zucV(J!b$e+Ic6>{{Cx=3 zF!=SRQ4_KCG1il!FSx2p7qhnkt3eS+I4Q1? zVHhh6)*2;e9RwSW0vAi9Zz4jWscx-Ro=6?Yc^yU60}5`YTnZVXfN>z&;;`_~_Mb`Z z4pSKAofPlF#w~$DZcIraP=h4+G2Ll~ho^bbytfj@k9KaGA<&j7L#lC`+SNu&AjHsP z2**TR4XdSU)nrStCqB+u;Tq;ESD0ih7>-PM?QyX~uCPcSq%8NS12J(-np+{xS*wnG zxb<^*&};!?_`9nI-q%g2MvH`GTG+?s<E9!Zl6IVr)ZvT$Lw33t&pLOOz;y9nK2r%Bhsu`wb72=v7uig$C;h2u$mRC{W`X(Cd(GH!Wd|6@_en_l zY6n3JE#m2KOeE8IUubaT2}6dsQpD5TN#JuF2xeK#amRG27Qw1T1mSMa=x;3)?6BqZ z@m)D3vw@pAfkR{B2(i&~z`A2Mi8)NkaYL}1y$uLGiq^+804L@D3y!iVe!LSV?h2ap+-N?__Xc*6FobM46knz@z($?lh zn_OL6aO`sA8ouu$li||mQazap2-A%{^2`w{D<-e>z7Ha&)E8-ZS*;_o?56~Fe(602@%)j-%fJ)<_Rm)+1Z z);k2pcqKwhZkB7TQjCndoC$r}##eUVN|NyXjij<&veM2inNgGOy5sLFugn_AiHIO4 zBC6}%eB*lWXw#1vGoN*>O30xDVhN)hiaLnxy8Amp;{^J;1qSG+BJZ4R43B=g*-!Q@ zJKEqN3uoHynD;+cvs%rcq3Kl8Ny9z8{HfaBa8hl!b9KXGCLloZ;$Ax|l_{+LCnqv6Yhgl$w^vQkkSs zTzbGhp3j}=LkMWG9b{u6dN2f)PE;HiO!1zrO1PTgng*NDe(oQroIFfLYpaAkE9TNT z1GcR#jd^m*QNiMt?y(BZSh9gy1duw`29=D38 zMHoo3hAW+ZC<$~=K+e-eb4C|Gul7)6TwA8YCF{AgXF-={nkoT0(X_xe3dPFYEO4?Q zvf@;ihhsFWlo6sb+@hvmTml8VzG~)~|0d%B^5G>}XT2hOW}2LtjA- z#=_Wa%e3AgsEc>BPS>dPaEG|=A(~Axx#wKu5@cf2IS1;c8F8~DGK)xoSkW}$o_Qj5 zV!l7?i%N8OFdOYiR^Un+2#;EW22r(x!>_KtxwH)Tx@NPj>6ScB7A4`_O6{sb4JyiE z%NSA$sS#x-0tO2(5ciqkmWS~W2L4P5q=pWqN|r{hXMfu>MbEyMCfsOo#s7j_$;xr5 zuK7|nB=n)xS%?$2-i{Qsrmm3i)Ju_(%Rt)>vOj17&@d_e!y+hj9v+?#Pp(hCI&_mG zhb_R#Ts-xIve96iOi^Xvp@iktfPW;SfVhf$>gn$zViSI3*8v2LN5Nj7Sx zQ}#TXii@PXiMrP{QjK+|iDD3Ta)tF7+F3$Zu{v?#Xz|7!nQ!O)fh@bNRk;9HzPDfs z{fevbT%bq7JGb=kBR?VC(S3va``OVj0GeGoHkW+m5{_|94P1>pfkvz9w)R_Sx$xdi zLtepPQoJ8%5HY3iXrpr`QxN~xYj$-fwk);oP21-nc6&V;}+$@+@%DB-Miw?=)w$`BcHkgW5nfstMHXR9I+T&@U@|B0RK&XKHt{FQIiVX5!O3Bpm1_7~v zHD=iLLY*s5=4s_vh=Lf43K^`oT%?`ZK@Bmftl4=vWnJ_XBGELB1cL81w3k%{&Cbq+ z0n?+?_hUE$%g{5Khb))glM>OK58@P(}_|aXo^{n1HR4x06&aB>eVF~ z-Kwjmo)T?zMR}igI4AW-#u+eh@<13HIj>)=8t|E-VrqK83-d0=k)j+=5 z(LFKDBE*@=Uj z75{KZr*2XHVK%SmxVE}xU2oZ z6tyk3=KwRm@mAIL9Q2BO^8Ce*1d$&KCL{RK6Cz+nhL{SbDzIe$l2ovnP0Had3|Qln zb!_Twy2FV49r`CZ%T1*o8jPsG$m%E@<2X#)?K#kj4G|P@wKTT0Oc(#75oO=SxKE{; z0RPwqb-!1Hq4yzEZ5ZT3^SXl5gJ1~fliO4KZwSNFQdV8(Dmsr!I%bR0kB zYnunt*wXphNS-(dk7!ayEYwbq8r>Qg7~Yr`UL;1)-e?_$-Wwi?-Stq1<$cNmn1SeJ zV6eD+kw|mjU4wD== z!*DWN%4j+YEC)_(oDVW5QU+KhP1Lj9ea$-TJVKwzJa-6u_+vmiiMds zi2$>*FgP?yu4}}P!Y#pMfLdW(9)jx%n53~LBsrx>Zv-10*;n+=+~|OlrjK1orVdlRzpKeIdYLomvpTGyVYBw;+Lc5_@KmH0u7>gMw zjmktk12!T+0z1a)Q`h<%DYIEf!U96G()_09{bj)!^(|-QLSIqR?{Tu!(CI&LV_DTR6anm|;THP(r@kJ@Zr@ z1rH_4p~j4~un>P#IT9olqJ1rcT-;Eb<0=DU1R?EEh_o+NCK64Es=UyLMLB6S8--KJ zEBi&0C|CeNqLrKI#L!`IJRj5z$U6asVAm-e&8837^v!WJFvzM%VLDh zSeoM#RRH|%gcU&eeJLgkR}sryBe5Vs@U3W#nq&jES#2eFj(3;GSGxy?$;oi|?htCY zqh_iJDn|KyTaI8jBVAlE_c6{)h}ISpfXg0&Jq8G@i3K1R%!O^knbdHtb#JQ(yn)a} z+sKt>ct_y$7pmiD<;t(BQs-S{IKva2Fxxa_uyt1~-+7B9Vg|b<_ zyX+viwNl$)VvtB(XyAlTWxM|L7aJUzq}FLF1iq|pN%x8c9B|Owt0Unz0f{BgPW&wlvBA3hf|DJ((q_7Ycs z^$9M#-8aczI)z&lGT3#{)6odnrYs*_JtY@quc??xW`$2yWs#R4L93Z-4isGX;FSS+ z4Or^x*_^CV@SJ&Qo)+aC8G>H}Dz>QG1aut)bNe&!1-S*hK_Aeuizf0EZP1${FW`9> z_1sxgEoW<=PVR74$>X@8v)_4ybmRLnFK)Y-<8pe>^ydV$Isq%3ZBRcQ&eB=RO%w&_ z$UfxSLP#A4rm+vnaY}|6(mSS2XLo$p1Njc7;&GGDXPLA3 zPsyySaOmKRd5V1BLD_u#&4;uY99JOlGAwGAJ#F`T_nY0bT^g&rZoqkV;+Mdkrp$20 zfjgSMh9S+8K7xjeHoXEwui5P?pKdxnG{=MH+9OXNtZYs3j9x}gQ+3f`s=iJ0b(9&`(h(3Xo&*y@%|p;m`41+Gn09dZp(nEj0RTjrm08 zl+P|VOlj*#X?!12Y^p=DRHxtO%q<7{ta*B$g1~N)^3okHQF2n5@di)UdVcRu<4fj( zyd`h14+g>_XI`mY8j^VlF2WX>mXK&U@~n_kiyjD8D}7E=0)Ndv{>{gKBUj=R+E4G8 z7fU#|G|gxKemjR8OXc%v@#n);N#i6ubTP%&s?KTXz*bc?G~Mc^#87@sv(ZmFy{27W ze*ZN#hWP@WYlK-3o4j2_$@@vuOu>nTILJQ!YnT^8k>%~?k5Og8h91%o%p7gjBXn8W zx^bKN#rg45WLTdMKKrsohV?Qa!x~044dZ14_h8Hzk~+D6;Z&1bs&KxCVWI76A<`z# z^h+9EGu4Otm+$HjKpW)u=H){+!8JCiXJab12}M(#zoR{tMfE<_-WmVk9GBW=+p%9k zsGC|ebRSzGdjcC_Qi`!@T*`-UHzPr{wk)zDp#-if?Y^a{GvqtE9>vL1MZ!rWO^i`P zW6x?toS-q@uPM2N3c6lvkq+ESo~e$Z^>nh^e4s5oi$)@F^;WH6ef%x44uZJZNKh85 zJCtK)T;|N4Z-%l2OOVx7fhj4SMu4*El0{s&&c;<&eUNqP&e*p6%Cn% zsv^T0&5sSLS{=0gFec05-^3K9wrOyaXWAe^7+MRRPaW z$W1zSC6}{YRwX%j3$q8H9NDD!?iTgbk@hsTbA$b0pL-olGbGh5Ra0;((LUqGIS(Ym z1O<|1!e#!uGUS2wU4Uvw_7C{%1H9J%2wTey@?<~RnrtTtNWRWJ%r*k{DTlS#y6H);&pIR2!ozBndDLU z3%^qBD_XlKE7M4#29-5?V>={ENB)c<0S4ekL&?z})+>)sS5?D3OWzN(u~!`tylKHu z)#Gvr6B=t56nx&TEJui(92Pt1m||qYsw8t5dgXEPcTFn`fE(&7)a{nB0ZOD~@{Y>t zb+bs{-_-OF;f^WPm#M5551Wgit*&DUz>13FLbM>UoLUEi%xJIg9Y+FnWWcRt6X|D{ z9^)S`p}6ej{1q6iqt2u#GWAUjyw&N7cjp0XY^mk76p(|~kqek05-AZ1vqyrP$r3LWd9^#M#ZvjW#$&M|m~P0mDpXVLy5(HaLGLlPD%SF16;q@V zzLk(~-X=1Pxj=0Uh|Iz^k=>Co^(RqDGrXBr94Mg$KIMdCh_m~N!!=LWA7z1rRKyFW9+c(y@sykXXJJ+ zd7tyDzxaV{7}%fjoO;7UIyF~w<|iAs`J}wbCwgM#oTs_P!FP0WaFOg^?_T=!2phe3 zFOGVf+xYy2D+yVl;4}gR3LA~E7F%d;9s*gU&JcMNr^2Z<9LomvWD=atx+R1{GBtiR zjAE{Jn8i@xqK;fP4&{Sj#D-*->Gd;cCfIDlr{aO(Tn%r%P8>Ge5rev42XbYR@}_2l z0>6lglVnOLp&MUl0ckx`P%9>DE_q+eQUS%+SX`m>f((3 zhoUS7wtk-}A!PZpth%~m!MqKyX#S`pQ%74w-Pme0%NHUB_DUP{k3T)6q(j&b3e}bN zGS<2A^;q$kwJG7+1!#Rif`~OGh5FX4uX2OlT+IwqvXL8{^YOC_#VuizF z$U)_)pDu;AP&{i68H~6TU2-Kh7rg?&z{&77l0yr92ZZ#}n4c~CZsJ#u$#Ieyb05|vKy1vc zCSA0_D@DJ?+2sQn94?BzC=U1yAn6x4Zl0uBYrL%zx)?|P z9Gz^nV&)A2bKEkw#fZ2@GXzNRPZ{K48I;NzDB=J^V9)0t31L>@K2&{>)m)P&DL&zJUqG7 z-?0gTP551%(Wi`@2qsS*R8<9S>i~PJ$_v-pD0UphjIb6=1?Pv2`R5wT?22N4x(i@q zp#ykCUIPHurURa$dQeH?-ySbm?%jQB@i$K{hhpAJ8M-k(VibJD#*p+*E<1oG2;TIR zFn|p^!Sw4Bc2A}+&GXY#tO}*bP+o=unx9ji)350$wq=CDS#MsFmfX*BWiVg48`LEq zChck&Z$|6;`(0i_>_~i{VSntN?Oh!?3+(;z{EqKxcKJiP7_(j|6Y!7kw?pA_57%ot zLna|)1+iTTbp{8&nHtgGRlHw{+B$yavkY)M&lqa<{kCfmHk+9y$C|sbcRQ~S5%UqF z+Fm6+A#zhdv{J(Pq!kKGi`dcp+aDZ$b+Ui>+h6~MZNz=YVwBb6rhWt&HBTq}4D>|9 z;mHAy{T}~|QMnH}AU}0&9?$s^J@$CnvT)nOpzT9+$4T{;jZX9qVY&ypYEQY7^Jpr zULDm)t!Wm7OwD;1=Bh+Rmu<6vV$|7jo(au%9{s+^Oxl#A4})1bZavVa7eKhlDx}(w zJi&WvB7=Ei@zr+I(-g;J`PJV6sEt{2nc~F<)HD(1nt7*SvGqH@c>|%oiobunjms2y z$5RAH+s&Mob$yja{5bKg3{MhY`1ICixmE*D{NWFs=grLgnWV5E%MeTkDOtYj4;j-? z_=X-wU<_}FiNA(ZERX#{eQDOSlZElX)n2v~w)W454K5=O$-_n&C_EGoYl1a4E`U5d4~B6tK*WmcwRTJp5^)L$j>NpH&&D9+oTQbU4`OmLTRq3} zYAYor_D(7xKC+k>OGB{Oj=`&5Owy7t_L!Lm13_jEXvU;W6)cfFaHj~v7V`5sGp{K# z$c88ZgrPS61yo3s43;@)YmLZnc0~8(qySiN09zj0Ym`-*H zEd#@BY+{P($b5}CH7Tb-HpgHm+V%Yoi_6Ju09HV$zZU#zipe}kl}MaSSsphn(im8E z-;;?pSd`Jb{b_KZw;DWX4?TQ^&`pIVAD2%^;Me>@DJ@5t$!m8zhdR9`wuGSuTbyp^ zvW1S}-SWViYE`V{*-2h(eYW-7(aQ=sLNqzL&=NE- z$Z0XD-AMbl+53n)aDE~o39B%W-CpFN5wO`7t?0s@8<$^ z&@f%!8G$s&bmhiokSN^14TOCO(@~KH zw3Q$kxZ>2}8U))FRUn^U9J>Io5NR#aNyxM#qrrQr=iKI^bM{OWrcf%S-l$fm2wpym zOJ@wVv=dhl0VfV9GUr2`vEA=@?SAuDpZaEg*!li)3vv|mFzdmW%A|`8S~_bra7z5lS_b+ z`h+^U6B_S=yNAN!F=$;Rzuntp!RZbt`vdjo8YNMc;MPN#?*>}Xf4&Npz=vyEk=dPG za$SB~q?L$&4;diZ0dN2Kmot}@5-&By=167`UNw=KS*ajcU!*_;bI;|mxmlPVEW%|B|l>%X{hdPn}fgnjY0pH{y< z&&TE5Oa2^`&4Nb0$nWrRjIt-Aq4@FVFCoT!nF4Wwsk>J-`L{)guXk%T1z_woR4P(~ zy8pVNf6cIl7ywYPtn??es%?W;bWA`f`r~g_GFn&p7({4{R!8z1y4GY_R}D?3>g%)p zmag^MTN4V;cS6@ud@`BQ8=axPh}IOjL3b&(=plsaQ5==}wFmMkIpga& zrbY{SpO4r$JOB6_mI|l!OWQR)gaO8TlIr>D1MLIVnm?u``3C=}$S|O7C^r+uSDa4P z%iACR_<4wDcYFEw#I-*LVuz;I^TCTBw?OQlzY2{-k#f+|Iu5sx6-GzIJ-OV|%mY!1 zi6^Er*K23_DkK<%vCUam6=U%8$(uHYd$NCanH-L1rM3th^`?m+2T9E}SA^zHXR`-x zoP2rzatlAYVNli$Grsm1P_>#Hql&r2+Qx&ywurRuyYrKu8QD)+EkdL;pLz$}^=smW_`(z0LZ@L=QRqh14KM3kAA`9&@e}pG1?MmFfmBG}IkI{#?Xn8P{lE zqo}q2V}(>Pfm!Ohgq{iKdKrVND6BQlT%8Gh3g42==OC--i0gk|qC)~IYH+$D@{ zr2v_76u2%H4iw~-yg{>ESI&L(qskICG&w{zs!eC{3+W|Zoc}2=i1vIkEPOdnK8^=7 zewR_xqmtEob)Fmkf(>%EUv52r>64m@UN8AJbv6dYTyXJ=t(RM$ZJKo=9a1qqy}bQ& zJPPW=Gl9C{)Y8r{#gM(5r6m*Et{_%tUOOO|v}a_7I+r5~N;)blzQw&%g#2E;`K zNV%?n#}?4$mZP8YA5mkVAxEWhUXSN#zEG+zZ;LgO62TTKeetKX4zYV3m~ePl!I~JX ztAk&R^f_6POOonu*;%tc6$ zu)R0Ct3-fhZf%i!#1id(8=FI_AtnI3~4J ziu(9*HI=wZ>pMYWJM<^*>rgKXwn^RWTZ@NLiu$1*e*^mk!;g8dWX}B{sewoh&eZ9g zU;T)W#_V>LY;-keXQYLWhGA{Iz1nQ1Cc=e?sv*G`t)qQLQZ$S;XRS0puPHK7ioAyO zCC8%HOJxjs!0+dICZ>vMl9%-tG)bosV{w`MP(S4pqFx1{Fsw0sZ{ zf&6)v7ds{_YOB=->4VH(0MaYwRrm8yinxo~3qD1&CW@x&jP0s6b3e6Gkq9tB>vmZK z&vZord(|cWUekk_nO*gLvwv_0uoHplWILlBRrdKiv0EYloC zh5;#+2x*k20V{1fO?A>BjZCu(g>jvQd|C~H-`gN^Pvxz9kCYc`6+#eUrY(uHb$YN2 z4z$sM{q2qs&DMhocXGe;Pedcy=v(1k4bIl&luo1!!&#D#`8!p1JI^$GnB1nuB-d)^ z`xn;F;RGiaUxdmgBb7U5Pp6Rm#4mja66aF&iUm8Dg1PY2NBJF1u?G-V`$vT20u9-s zcUs871?KU{@>Z+QWL=&Zrw!Tfi)06IsPQ^Zl?0~?<8?i)HSwC5_S>uWG3lGy*o#57 zE^W}~X6cd!YF4l)gRt9%>xE|PQl$R4x^pE$?E!tYBr%eW*=jM@i@5?o>G!)lK=*TG zAhhIZg0jML$p^YVGnwOKsSydwfB9=?VNP^&V8h8T^O5Ha47xs)BZ73ebGxw{8Gmwc zKqI*WtR&{mHnl%Ez!U06b-*_5wdN<_unvsV6x4g9bxjAi1EuhDGSd?o&oP7PQlQfv z!^1`y97=uxuo9%fLPi3+5>x)gBUdXOq8lisNfIo#0c9_#n-=n2Mu8a*vB(a>Kj$KO7uWTkY{YGweX#o1<>QYggILir%GIlkkC5W+Ga z$jssD85uo`OP6Na9t#M0qnbmq@LVZ$2W8kO+WmS#q(=b!tq1 zo3l-KOO9a&QKX3U^ni`h3~tXH$bl?vx{^(lYr@Uy2o@y0>;XJT8lOdq@)*P__LyIb z%q2*R$p(X@9%7-QzLoM@6ejW@ZObi);5gQ;C4-Y4RH@#PBu#E^Ai>Lew~j{NYwH{Y zK2kkxIw;MuR1*8F{3bS-SmU$b{`z12kjGmpwnlNW?g$2)T*dJ)8j{cYLdx+Y`t zo4lSy+tqecSKIX{ryVvW^Hi{(Jitcz-IbywCnkj6f$$40LLB$ZIZ~rc(Qsvg)?I?H z5G=LQnQ$k=z&&#_kb#&f(L=Z*OH;Ag(NJGisKk2}Z~mPvN}jr=q!rQJhEdVMlVP|it~75-giAj;^)`0xZVhxggI$EF>Q z$tl~6eU6QaGb3G8reiA-roGzuQ3yX``q{L_9}JFUuHK_T2*A@UyTtUt8*0plI!(y>RApF4J0^v{98ZdJ)ieXQ)Z79TP3-uXg$;WWXYF5KsWVY zfY5QH0S$)7sjYT2oy1z3y%1{54!ERA{D3yf=*C1iIK%`@q*r1BVgHqY77WAma}(** zb~W(es5#o2UE$=~0nGVbs~`0c}bl$ED_>BpS;nJv~&f%SkXa`{;(sd$*EBCl|Y8j^xp}8oJ@l zt>ldCXv|7~Sf#(%IrVzht5g!LKrhTZ2!rNSgt6m&Pn?{0D(4MGIt(tnnpCjaS^xF! z_5SOFi(^AyWK}Yw3gUWlQF%0Gu^JL|PlL z^@5HE&k+MD7Z5w9yhbt+Y%%xok0*# zih54WL!Kskmq!L8<27UoLl`;Xq%l$fakCPg0VOv}RK>|rffH`~w%#5sZ?}CrOp0L` zHz3RZl4B+rDDk<&+Zq3lG_U+0ZvVyyf$5#ETCdt7PJqMm!*zDE;zdi38|L~19K>s4 z>2Z@hP3NV&8_I-eWr3Kp$Ry45R2YMm#$W47C&f8_)Eq>lX5QYxK2FX)kOhN?WV*lB zwOY~D!+C~{kSMwC_>3!thcF5QQ`agh;$n99OW+;Y&)D(Ghk`LWaH^Ngydz9~pt`qK zcg!A``qV6eorh4FB1EwD3kjT8w`73&CZEUjgEkjlhivGIyaDXw9uag9-wAn**b*X( z#^;bc18gGK?X(IFo(TjfIME#DC?0RN7J|oi;>6yALrf~mJqI)Jcowjr;EouWe4XrRTp)i_Xm_WfSIJxzft=IhI zle0sG3?jZK4$IEh?YYCUO=6L$$R0}(q)Nvn$taEX2a#W+#w_(!5E_u*sWWbE0ISwr zR;bQes}T^`hqW^CKUN~PVQLsu;Gir`Xw1~bVh8ZFTJQqr$n^xtB6hs^@L6ZP#ceFT zdBBaHQ`Nj3gzKFEp&#!l{&QH#dTij#T)*DrvRT?qbJ`?aDt?jjx*S-ap0Ibie zC+7EZu_CmJEabSHLllW!D`SMrvIQ2794j1`*QprH=R+DTX0~W0J-dq&9PGAg1O~%nloNiq?w$la^Zjpiqmz`d-PYKZ(MW z{2@904cEeqWf}{2St*M4rp3pSd=;yXAUUhC?3VvXJHv$DDj!6FKqtTXP_ir35o^7j-Z*stmlzhaQA>qutMl8_A(fzml_RC&Ib<(82t%tX|H8?3$rM!gZZua0paX-; zTvZ3LODRY-sd(zhAQD9FS~{Pm9I%RSXS@4#Hl~R*hKf4X+aJ`6` zy~Ajv4UW>;W@> zN^^L}zu6=!)&nC{%IyjR3|Q^`Q%X3?0@5CJBYfr_@!IacOs;m7YsbBk&?HJjR;WiF zpUybC0Z|QQgdyK?Hgq>6~2^4RmDAK{&ktX%x#9ZyQV}EGw8|4H6a3F*4>n1Gh6cTfWJd8=3V7?O^?zgbNgh9iL-rtC9&iLUvlM1gUi zCJ@vdQYYrj>I` z*AGCr>5rQ~7jy)#uTL)x&a&O+X*xn-F;f&|Aiu$hb2_}-#P7o36E~rOOO^d|dZPY` z&lyhg^{O(RjH#Dlnqti#$wHKW(r5kTy&*!8xetG={M2+cI;n1ugQKQ3WjlE>#mfkY zcl`m1s73>mUZ+NAsD3Y-g^jatnVDFs!H>~Pd%xbjx{O(@%;#UzX4)}F@NGh0dmDyZ zPQKM^#-B%{YPV!xkR|c7Ew&jibrIP{Pma$nzmmG6Rsz%D!r6AC0kJpoW5X;EK@QC^ zqk7Lc!Nd?avx6iXxW}fcZu-=yAC=_=UHb0evNi629jcY=v;GC1K679(5HPDk0u{)) zp5l9fd|%Q9J32n?35ahm>E7)z323lzmuF1W(%Ne}9_{+wBU`pvoL|w!uQSl;?8E`o z2c@z#`|~j4jWfBpy=D5iuI&!1-&)M%D$F_aYqGn-Ol`6^P6FZ)a;_t8V8`>w*@(H4 zDJLoLD{9g%@lVKeYp{Dl7TqfAS=o~y;B6#%_1A$@py?9dewP*pkjPxsJwxZ>>wnA7 zq9mla&0XEqU_Ib3(4=he#a|GlIZBN?XyzB{>o_31) z+D+_Fb=lW!kB9F(%crvuB+Shb{j~J?DZQ%Gbe&bE#l8WHJ>l2~Nkz9ee=i%tWK<0# zS27sSYJ$PdDfK2e%C0;Hh3c$ zBmE|x+$P7QZUIfz=;$=R4~$la&m~XX5qYo5W<2vd!k)-OUbh*K1-VPZf#5_gmDJ3) z)n?f;zz@bvGdw75m$L|lwE=Xq*tU(TEHGDf1u8|gf0-ZnI#K0}fEEeQX6V%=9*W*8 zz6CK?Mp|%Quq*;#5z7LouDXn(C5Cd|pQh4zNihDd1GB}9U(o~@XjHO{)d&-->0|&Q zUZ2da)#ra1t$Tm_;wa?FWi(CPG28N0I~CyM34Q1?z0`v$9XIWhejmL5WZvuxGt$**8Dm3GSc0UskHC^{IOxlRGeGOmr80R#pDtYl7R1 znE_5-o6GRRWT9jBQ#S^9VZdw0+!v{HCUB@%23&%Rf?F~!R<M?=m@vB?;yYi9WZ8*!2!}uXhixu6q8#R3~7O zxX0|{G(_*qFQnKQd6Bp!+9Fx>)3_4;$`=bWKx{t#It6cHYDHjH-ghs47ATu|@WtAK zQh5%MZ?xLuEHuhPHZ~dEhkhh*;JSrp(BI~)5(Ipm!3O21_R(S z2lU%PB%P)nq=($}4@sk#Bh)DNr;qTv&S+9sfUO|s-7GTC@NgjIvb@tX0GHg(Q_y&R zA5+0&$MlXTNUUiiQY#TH&~{M6Jd!7ihdY|ia}9Bat1%gf3TP133IB13a|@B_7$zD79*~eW_D{vbCDir%)=2liGl@<9L3?m&B+1%?gl)vH=mr(R1uNr1fu#6&o~JCOMn|ErKIIUCimHzjlK3$J!12;Zo5A=82DIij@Kif8eZ zg4+rjEwXbtIsxlG;=v3|=trwAWR-YLbs6&-I5Wkt(%BnUmX#N`(=kfjIbm(;?cw`u z98hO}zakN>O-UVgIFP|a5m6#VMuA)B@G|a)t!gmE&sdRU+09}^mT8@riXT<;X(P(p z+rA|wc>vWEQbuqCzeQ< z$@bqg6IiFoisl-3hUF7XxoY^e6W9M@X+XxTV0V;kRh=8bV9JU#hj5+j}69Tc0g z&1QdWOsqvJ`ir)uTXxgEwl<^$#WY3R(P~yPdDV+AUT!i~Thum3@TnQw=%cMs6JIb@ z+eif0{ep`wc>)7pH|Eq5>@%5FaPErTEF08}<0SHW!EqT=P#}$LOD#IX3G$UgVdf*f zfM+;NiEs-8cS6up?4n@q_p%%|CefKAcIWE(b(d&W1X9I#8=(+*^Xp<9o~%92fARg{ zl}ZIGJFL8QvZo6D%XimDgC8aOt&>^=o4MBu(4}rA8{d=-dmh*h+dmdIGj@59H@_?aYAV32f6fZSj#^nSS zc1mx&T#&<c~AM>h6Ip~b7nvH4lg&i{3;mS-bZ`P7?mXq zs9wvWTrC_@rgQqbWj75rdKLvi&C=5FnbFfZ{X^76?JA|F`NG@<3_G#ufqq^L#kiYu ziMG9b#Y~&LwA_;EeEnW~Oe-KJiyHOL@QNnX26vck=S{Wx#Q^YMv%L36u)CUCSG&sSdRE6H)e>4xV#1G+8lF{iYe~PV-FcU$Ry+3EI*Fvu!M{J*|;TQ zJ8bv{O9Mkq#!?}h2I9{P3xD4T2LLFb1GjYY@>jHEUf@MS@1pd!_O^C z;rUGDX(AL|Dih&>D~Mu=O>bodOVHe)Q%o<4+L~*<-Aa38IgmJ`q6?3fm(cJQSbss} z)}Bcd zI>wHN05v}vn}m?m*c9V&!zSIwj9hu$31Z#wYm#$+?^cy5d9j%56KiKKn`+u7b-_J# z7iDO5rzDl0VzG6n1MDq^XI!u;cAVtneLF$V)y{2(IrzAdU@Fa4t7ZLa+qlnLdAaSK z;lmb9hL?!snrw~rX}Ru0y7YpDs^k(3haX^*p@a^2-7aWMmS7aqRfFxsy4wB@=WbZ{ z4dInFR=nQWxI9Y4u!nWN_GOiqOut%kG5lO}(uxs5hfLdXv#dIETV+A#WZ&l5qt(fF zSMkHZLBC8FLJ}MVIQZ;ZrK5mqF^EInWoxYWfd)Bt*z|6JDoT&cZV6um0VRviKwnId zWX6$Nsn@a<{b9v|8wD;M;69>t>WcCA(waxjOipYh4`iK$c-4!qfy!9z_z%U^BLJx= z?dVE~4<0gMbDa4K%wDJVj(*BDJCkP4pn=E|TQW4Ovuf@wH=^SW-b`c>-yo(#+-e@xR2C39qz3jGz!&P(37X8M|^SLXi3 z`SsPw-n;9Q^W%SN8Xep>bL{vMk{C$eeAD)E`J=tGVx;Ttqyjl0mQn`oBq+$tJ?*5c zas*wUak?l!#1cvFIcItEm~7JV$G=*wFf05I-)8eUKgd41R^m2Z&j2r=S9FzS4Bt?} zBQ6%Pf1M)YU6?}v@1eNfkIL?N|BwitzChk z@d@3e@m+FU<+oNdiQXxVH#$t-tFId)qrlxd1kCav`-&;_=}&A|$5nd!n7C3lpU?vK z^pmoA{yw?NRYmA%Uh>O7D4Av+O|rrgon>WmnH7k`^?lJL*HBA*37>obMbe61J8iEp zQWd6?bXq2-AOCWheXxxk)2z%ZNaCE3SxED6UD7`>BZsqeS>C5}j9R42 zG-kD>yK-ckd56fwLsNY~@u6xr(b!q#ra4Wl4^Vi*U#BJQN3`9^Uzg=wSrs4u_Hk9G zfmIf&8tp=Mmjd!$_lH& z(Yz@e8KrX!fotyLUr}GK zXX$*F<+?G zWg(oxMW?nD)+Q|pTEGZC%|%1XZ97&=>a_Xz?`xXFWNPNvfX>otJiyNO@i+8c#SaI~ zs0J5_aF%LDUFIvVkl+l`QFMBo!sqDopE-+dRfQ@|J*^_;8qzN=E1Ew`cj0iAF0*;q z*3W18y_2At)0i|X%($>IPl>9fE``m0ufnc+mRDsxPw#04jc50`cCpNU^o7?}H8?6u zD-E0s$<`=<0=SqXnLw+unqz|bno~|;Dp?-B$(M(o(iAJm>~7J3Ov}~pt}ul|A@l6t zA$t?%<1!i2+yG~8tS5zBaUU{vHSJR8SyPo~*qyu$&529Bfx;QRaoU25^^`09hqU=);a#p1uM2;$_;lp60?isJk zWlpc0WAJ_g2B`i`hXpNDDF#Ls6{# zbb%eAR9URg=>I-%$zr_-WU)>PAL7{e;Ka&+x3q*VqReX;vOStqKTHJR0m};cO7(02 z8b1Ik9SSH1NVoy4J6(dE0?foA3d-Ofyy|2j#SrYNAWPYy&L;@W2=|bOWRIz{Ty)+f zzJvo*@OsR5C-oHWsU@mMpV83xVGjs=UEaSuJ$0C836DLnihb(9=|W{Hst!!}6!>8_ z0jqjdI;bY(^zf_0(;ex8fgJ$^IpC}!Se~=h z4GSOK@QUJ$6m_Mpx9OYhKf;Xr$uGUuqk(1KZoKf0QON;Q(<%%%hcP$QS2K|r@E74| z%hZ#fMwFeYd@HH1zDyOXvY=HSM*b-;Xk`Hzh+jylK|nWAc3lyW-1SY#vOu0ytAh6$ z-+BDyFa2TpryIMBNe7U`JxF7LNmG2-_UrIPYPe^`HkT8BS*YW5c) zWF38satK>GpEY4@IR;0Tg=laK5(p0##>n_6fNH<3&At{zheSW11FgTsbT4sImdmET z1_$nrN1$u)GFfT_WVnQanx8ArQC@iQ9X znXfl>&=@=!wIfIg?%rdia0sPrOWb^WKA$Xo#O`!njz&t2JApM+`&=tQ;=n(q>UP}| zCmjq(-77PTr|9oro*W#VoF4l4P8SAuyfu>ClWNSmoTJPc2xos!b+8u>f}vqr#!~bY z5b(+5dL-|5OFicbD6dwZqfgAn(@a$rl5ep;FPq6NQ+6ocj(!y7_CSG?yrXIP%fZ2< zs0aGl&MzGz$|Xt6&AYG&nsd?j+|;ycQ`$3D=FJIdteprE`&DLBA;l3Y!#DVA(M42jvCQtdvaaQ*bRMZ>+7aGkN zfUcy-el)o-zeqfiT*ls%%yns46$P22T$*0UzYJPq30PZn>e^n`Su-iQz@fDcF9n0G zPv9U;*eBo6W>DLQy14a@kzA;t;=w~iT(lx-*th(Lcx9s3nl};7X5l&%TF(GN?pZVT z#IyTO`w1gdDP}>}Cmrgf|<%q5w()PgrJpYubu@vwN({kUEz*hmKCA$ zRijj4zQL}_LtDwl&`|r^?13D8=q+k%EV--HRR$QGEuV@r%BUL7Gs_KoQP8$JzT0P? zA}({jC_wc4fh-^MeP>Mtv;J6mUUQ~O%B+XPIshs1n6nMQ2to{Jbe8IH+Hxp4xn;<$R-fcD zU%9F%Atc{<5~VL!GB&}CrB!9J3E=j*aJ753{lC`!QB{+K551=$XnCZFSnk5(N!Tz zZi27SNS( z19*73=OJX#lik5a+Y@?ITe=}Duigw&x;}_v0I11;7o^G{D}xf?hMoaZ<=JfqZ$Zej z{cSm_g$H3`k>`3|C~+E=!!oNZ(LK{JJWaBPLg*>R+QIit145ttEGyV4o;+h2lmKzz zom$T(*|Y*D_A~5?&&VgBXR4lUsuY@yddW5{oQ3|IXTR3O&R{=Cz|8nNLf>ibF)+=$ z-lj2of9BMb1iw@8eyyQ_MOv>iuVb?7WA~O3^(VPLzl}<1c+0zWFvL+Uvq_BWEIVP~ z=f3p+v;^6KM;E6GwEodAjn%&S;8}x-js%OblF`uG?XFaF`>3og3LFtn)m_`Nmkvu0 znMx4%d5^8*Y-GLdSbNN7ihC>|pBv&fdL?(K=LZ?gtdyEJxd7a_^V9pVhqI!2odrR&=0C!)e7KiGm3aIyMn+y?RTWu{C_@;?u;Pxsi3MlhYU1mr6*| zZHw4hXl*<4gLla-Ey_jN)R%0vO4$K@aZw=Rr5`>Xgp~a;wXGN~2Lv?L4)$<1WIXI3?Iye>Fp9N^T&YM-GvT=2u}|;6 z9UuVhU_=kbY)fVzb7Wfa!pFc~R{$;z5y9kJIeMgyh2Ndb+v z?x>OXBCP%}Y%d3kwC+DvZuTHLS zj!u(}XP2LBTAQC6jBn7flaa}cIbD5(;k-Wjq z9}=(^LeU9NWe-0)Wqhq~P5x}};^O-B;A&F>;!2b?6GcQUYs1zv(qOy%wLM~Rz?0ms zfKuB=gCEmDz|#(m;1549v>#SDfr=_r$0>sYv6w+PbPm#{J7rAq^8Q?%Ya@I$pfRH+#CJ9#L|h<2e;q*h~X@%`=v z2kB`p;wd;&pcRgexUcRgRRN=Jm;r{#2zEMVh_A;Ps1-`}@?tzbY_n{B%UKg)1|lO|9QoTI4uY(;^VuHQv1!YeU<{fi;`LeTm349eBul zLkpvfJNg8B0vj}PTmcTFMuObel!>BVBuMQidZ*i3^HbFFNJO4YLj$%0xk;zXEPl7Y z-C_&iiUZoL>Mg)6Rw@bDEc;qgX&K+7wanFF`O!=h5_7pML%4wi2@An+MHSDnpsv;U zgx2De`dUkGjk{W@c3VPbM%_2g?Wk0;Bt638!Jze;gm0kR=ncET6>oGPUhJP()uT}Z ztb|zu?HEBh&IfXhC0JH!r$`#L)*7IOgROn(_96@w-_l9Qb%%z4%wOEDMT|ZcgjaTl z_|Gb&!IMDYL~0izNmP+ZmAjdvlM(fR#mv{yJ2y5*&KiYu7zvqi_6RMh3~FGeS)p__ zyIPwY4Y{8L(!md(zcitEUS0z}Y$ZHJmaE*9PvSu1mApO|ciq`O@&AeqDi(*tCQ%!& z>NcEtX2Dh&y}-c$^QA=@)o3i|HUoj@KphUb4OG);Fu;fOV zH8?1tiHu)D*7TP`aOBIei?%hAZRsQSs-qHH4Wy@W|EDRRhv=5_Ep_-7hJB7}0tItr zN-h-3(wiAG+>>Bn($@#P zX0m<5!fTo=EA{W|M{*8aeU^3zA-G=#hpEqh>$u3ojL7Ecvc|UczC%`%4qAGF`#!ge zZ;`3E2R*^8oVbUn+oxxnJ>@CtE4`IWAG&w#=MEXZC0o0@WiNVO`96x7)1#v(>@nS` zps0q{Ra4bv#Tmn$uzE&V<5`o9cA>ag~>CTG;{PECN9)! ziwpNvfDE~|D8Iaab)L+~1*q=xTA?;y)5yY(8k&MIeua`R-S~QVx@juQLswH0^j?Hb zJ{y3$SPY+*gkE4r+qBGALUybLppkmW^~?)IaCuEQBRs3foc(fkd09s9rY7H5dnM|J zFm`XQFK&)buFk&Ry*j)Z9$vq@^gWo4i}`;~FLnzU%uoE}@cjDf8_s#G zHJqdmgu2x{0zcJv`BG=Eitf2cItWPMP13Qr!G5rURc>kIGvTTTqb@3sk$@k|)`M=- znP&XUupLzBZ}z=dU63+dHA+Vh!qc%e{m4W1y2#Dh2;i0xR;qy(_YJ4ppc~t=R0k_0 z=c~m7O~Qd#gx+r+`2qj0SnvbtSQEdT@9{G(&g=&pEC@m8D=AmJk83)u!w?u&wa7+_ z;xRaPXnkhO+PrKUBBU#Vbhi|G>po_zM{*#*dTqzF>(InjrOMS#u#yKI6}-}3ZWICh zE@OoJ_fRFN3mp3wiWX30(b_@dk&ct)gZ7~A_~9+vGqszxk`1;`HSizu*Z6($h39Iv z7^AaX9mxO$ATE$8IX1B{BUVU8s7nSrB^kyUuo2V|zgjDwB>emBKU%O7b~eZ-KiU2x zy_wSg|3uPN-Xr)6yvUbJwl82f3o~;mL3GWWl(;YhA>hH_zE(cZ)M?Aurja9?m>A)mkj;o*q@n$8y%*58&6{a% z^~2iL%|2$0j6dWw)hzZ(tX+sBtl^$k&FDpV(kRyi^jFep7CZ;-i0IKT=}`VQHQ)S_ zcEtz9N$Cg$w)jHS5^>jQwpy+KnEvzJFo^V9nGO5R6FDda4Y?m%ZNQEnqa1yeNmQBl zO$+nXZyfORd#1fy=egdz#mJ*y2i6@&$62j_Ch{-cMkNFQt!A-5Q(G3H+Npptvav9%Vthgtv^gp^1x3BB zS*3UnC1rV4poyVuQl(`X7LT>od4HmfQIwkO&S?v0uKVk{Tx-qwI{7B$B2c%J z;qwpKx5;Imtty-~5Bc~*RFoc;prg7xhu>PFR`?!8dbTxGp`VnuK@IvIS6|aeCTj}M&&ta0mXy$zfG8(lm*~X)974e4&K}OmV4vdyn2&XGOh*)6>?AGHsNCE( z$JOCkvY+0Qr<$5-ajgb5e_oOKSkzJ|nk~c{F}2*brKqMGrI%TL0DOuCW+p;pZ=IU(Q7*}bdc>0hm zv^kdiN~(=f(qEwgTY7v-c4T4x21#i7&{=srEVZ;cszZK*3ee;-y}L`f0`hH|4_;@q z3XU=^AC{70*Rv-}i(56swm?`4gL7{|znwRWcuiq(3OU4eMz0F;|?TVio?fXF@Q^0!>S@FLD&kE>Pdz%yXs}xDq;n>l*j}_;0H| zQy0+Os8)CjS8K1t{kSYXr1OlHpR1&OTYXs9AMVPB92MR}a*F63W+?HdKB7v0xO!WT z9<81ou4#p0NayrzcKh+)-P6Pxen>~H8XnolRk(OO4=M2=_Hk!TH8`kTN@V8 z(sQFyyTO#>f>~+-b+%=(PIhZL2ul8I>1Y_d!dbFi-qS&!P8OKWUtwaVNH5b0t5ceE z|Mug*t?x1#GP(R4@=Z_k0sW6{EG&6_qRiE=YyH>so2pJ9OjYa4!Sm;>s@CVP;$z(4 zRfW~CTg(%&Bph_Cy-dd5R&rsg1On|0I!iQh#0Lbke4CXC^7rlJ%t{J9K7h~;soxj3LXBVT87REr(OHo{bx;5dR@ zVaJWt!`cqKjF{#d*&zWicSZjm9M#B@ikRH>F~ zJqrQwq7W9f_A;E9zkjgzZg?|191c$|&TsJV-GhTG`t!-+GMWO*baA6k?Jp`sygM9* zP|z_!9g0+BCOwGA^b$YCr@oa}!5-vsCvF<*x}_of@s9_F{+EBpW$m^uEl96~;|7Do z4-0Q@F@=K$54ewg6V!;F0;MQ^T9~DiC19b0Wa$t4A?udbUNY6SP(tg#xz;rN01;71 zbcb^8Vxgzus0kXX!#jTQ@-v262Rh`*AJG>38NX7qEvR6-yb^i%&{yN|xcI{U8|Ygc zE*{G^x0M{S;m?+MKSr#2MRIxEwV&*C^evXJ$2f+0RXdvGNLCZAs`3ktbbkwK$ZVxY z;3jKB@;-S6xS1L}q~RIR_hTy4W8!m1$RGjbc*2SRO?y7tBfx7Qk1PQ;hRqH+5Jddxqt`+2^KqGLQy5C-enWg^E0I#(O?hLpOhNV^^* z{*!q01%2N41>w!hfjJtLS}=0yqX3*p4#dpBlB$%02*N%feJvO^86j*0wPZ4^%$1kc z3NTqHucV3ZwT^Xq>nN^?Qgk-zF{#Ss(r3^7W4Ub5jy^qBgd^c7DTS^Onj+5%TFgHH=YuhGAk6`WgKru<#^Cnyov2EALGKr0fu zjNjnz2cK=d{BgTXx!zhzacVZXQLO`kbNFA}=C@_7Jl6&$$wVLiAvDqar(_*pZax38 z4JB~agk?4AWm(>GUR1_hLO`hFsKV0uhmI{3QLx-lO7n>^E0>uP-!8CG#MG2FnnETj zqfh*J9^4U|D$t%T0-c{kWGWWzQ;%!i@x`kroxuv{Y z)ZDx~nSb}sfBfUVr{ZJlK^Y9xDGw<-E<---E^+9rFM)-7l`39AYZ#jpg*Cj>ntalk zlq|sf2YQuRdH}1K&pA)HLZU^vs=b7@*WBgB@Z@Kr(-7_#mMBH4Mf>&xMb5ep(CfM2 zip)oglDZ#&B-`AnBOF;|CSF|DnvHD=!6Bj?j`0wldDnSU{)0x-v*mId0iF64r_^apmtEH7A11eL0L@C)r}T zTDx$qg2%aX1E+u!6sW_lF&qEFznqhv;>OlTCZ5`W_0h*mS;Z|5)jl;#zd|S#!5)mVfuB_l)vJP&+w;rmz>l zUL)SNN5{bk;jnganqzIrWe3A)a+)qiF&nA`qCK|L*We=Qh(8DM=3UnLvV^9tHA8F~ zF_`8P;n`cH)yIFICRgP&1)JSLo=wYSKP?(Ct}0)ti_7}FrQIB(DdL?O)BUB4Tb2m5 z3()@#k?Lex-anw#FfQ%7!zT7?rmCwZ9pPshi{xEH23I=Q=rsMOu9XAS#VRecrwLJ? zjp;3A^Lap+nMpLd6}G02eE99_EML(efRQ(jT%V>)yVyy3SvE8uuG970XJ`fWB^Uy$ zyF~_P0r6tIwHjgLX8w2o*CMSg^X00bdN_xdKd&{OC2?g#W;p^eNMDVne zc+ySw1};|2MR_-aqR!itYzfSa^DGB5D$n!t{BF)6+r{YP-;j&zrC2Ug9_Cwq00&9#@KN`+X4w2$; z^Fcp7&Z?PEM{;c2F+zs1>L@1N9c}(5Kg#mt=d*_Xxu_0S#T)#qDSn!R|8U5EbVQTg z({+(2ejrzBno-w&_``nk-M{|sKYaH$|L{N3fB$Xr-M{+ofBWt~|HH4p`^)eCn*Q}4 z|KU%+`%mBfbr^@<%PQtTmN@i_!Sk1`IP_;h96C-Vud_O$5GaLw9Wb4NIRiTAZi3K_ zb@;bD{WgV`OD#)DRwSE9$)w4`pzH8Z;g4ypzhIOH8zd$vE<^*$iG@={1vs8RBg2qJ z+YhB!B~p%t>apN+OadQ9S^B)I_QE?xF_MZaK@O9#Yy!iafM^vahOoAxRORW~i8J;L7Z$WrE zpPG$NrTg&%a}INBAm|$Jq@z_62_VX|9ZonKg|C=F&yN`bKC7x84(?XBAH_!ZVAHb| zo@_8HTb%x{vVn>>1yF|w+_Q<-I0uXwtP7r?g+Fa~X}L)RRoHQ)O0MfQ1kV8#j##V4 z37bi+uLXaaCbs1kz6M(NC4s%kz#7kelp-Tndq=+NUEeR8GeO9hT?;`DzE83t@f)qZ zmD;CVAcOoFA|9LkrxNQJ7uSCcLX^UUSd2STEE-Bt9>96Hjk&R9FqYdvH7@-iCST+m zdEAIA@gKNj;|RpA&uy|r94Yj(WB$__>)$@5$fy{qfb2aKcyfqZ;RJ}Z3@vFR^9QI( z6I$sD?QKcciq-ybN*=fV!v;|r$WvFewV=z;gp=*wdtU9JlGkLa;fzEPhmpL-`1NRR ztujny3jb#W)XJ$(*oXISj|gSZ9Gsq779exvxK9hbf##l@3y!6E35rf81?sMrQU<#u^%~Le5N@X1VK#0_=fX;)4kf*7 zi}z?#;>ZQ7)1KbPWuVQvMPvGa@T z!&iRM!TXg3K)iVQ+ymAEkSG8PekVc*zUpAx6QVqzLO2euS#SEM8@iC}uEW_d6sKg2 zz6simGzG67N^RdstMmMFR-r!Ui0v3! z)aSz?r@qLfpt(3hBQWZO(|ul+cLSJp;`$_Pq-`=LI>-R89x{#B>V)?tbS}}HU=d4tlYTemi zU!9(uom}6XUocTIoCapnV*pFUk>E5U9pkVgF@FBpiNL;3wGHvi#LX)*D;bEKRYe@CmA zQ{mK+f+-YIt+e5@)qj?s_>e8Wx0FW&L*(@ol-(ly%1fLjKh2LxEIsE8ma`Xh)jh#0*rMlTg^DiurKLriq_6U zDqLR7Y8940czcCRR|Y82wLN;~L0yUn8`*9LE3LdX9k^Qv38 zphk5T7322beg4^JZ`-fQD3pY*Jt~q1^ZYgwgJ7)1xeu5tWFOFcz!?$}xzdZ~nLsNf zq*XD`$V><2LxiYNX-^Iw1RWNbEPT^=uDQXgwVd?%@uoO@Hc0(S%ZF*EJxKdau4rOaYC0}4tO-t@$#vGFFoPx~}w{$i8oO&a%9c6m*-Vs$WY36}^- zH)LJ=vrV@Qu0bj^&gj1myl;i%^sP5z2Aie}UXlM=5&4*cNqLb^CS25s$igepPOW77 zcn~kO>+So?)F=yc5K;E{Im3vUTb>gT_hmjY&x;q?dg8|))z3AU7r2#d?9yG(-c-08HOrFJw4dIvc-4`BLxsHJ}aDfeGv9CIwb;A zlT*UopLVE+ltCU1O1}-z=N7OVi|h6+hIprNFFh+*uW6EOc*EHDhS>KQLQ8zcDdO-m zF|KKEK>;JoUaux}^-#t+2H-m-sDR5GpubcH2Y9D|evOe3 z7~Iwa^AI~s1HrfHxT>hYSzE|On}Nv?gGVZ6GfV=ht-=AF`T=KR5K^(!Ha_e|cS|!q zG9}bL5i_G5XD>>DyGgBz;M@463Mfdq zE~RJM^6=SlnuuQ0>F)XQ4wJN-aDe_S098^O$~NUMoS^(e5W+cEo*^}-WL#r_Sq#~^ z)QRw^vXp`iuem9m*kjywTB;pvYBH^6HtQnS+J-AAa^Sxx$pCcL~7}#s5Y`#n>~3oO+eVq+6braQX3<3%g1@J9<#aXoSVbsalp6 z8zzx+;S4QVKF#ET5rVPo+kE2t6N+9nM-(4QcJ0x?DQS25n3;_M5a|Xh zHRMFYTW$_3CH$eE#^6ZDSY#Y#c~&7^At#z;DR;+H7%5x9RYWnbwXU(Qi01CX9z<2i>r!T{%Kgr_zF@dDU)&meGxH z3Esemxq%@}2WkjVo<4Tb<9l5^{Z?K@v~m}62v3^|ACT7gmbo{lR&M}2p*}^NjF}ft zSZI}r|6?7`vbxz{W<-Sw2Zu?YC{zYrLToXn0xNkfGc$Xz|yJ zfJrlC3}t+`1#N@!)0iR5C&O=&C;ubDf4B3do*|dQv0A2k7WKM$SuPp5|Gq^x^R*@q z+1*BEHPm9slLm9W79-<7I@8D(w3Wohr1Xa;)i+R*C!ZIptu5Ok5)X$UDXTVBr=JSL83((*n7sP!um7Uw@pksjQsFlZWa;(6#k=cm z`k%wAE7?=p^>;RLuWZaq1N{*vsYNQvbg(9Dp8_OFy94<0aD%&CNSWxLyn6+?t?(V& z;?&VR^D|inzyqIs0PbO))x(qHwrldrk2P|3)%19Qm2O8ZCg+jMgzrx zh*qdPC$B1{MwF_n73PeV#7F{?`gVPIb++jM0}`Ihe19Q2)?3Y|qq5TMiY7TQF~$n{ z2#B~*#55_VcEj^b8jlYGz=Msi^;&)WHa)}74vuXd{K4Vy?e)cFcMW{^O`4)H)c9GX%dwLSjpR$h5I;f{Fxg#>9|FzF_%F7%oUztNpBkxxCfPZNSdW&}YB> z^?!IKGv<9LsP%(qo1GSnfy3H&;#L1*QC`pr9u7}^<(}iBxjr36Tgk!saDX*4ps$|1 z(X%=l88)dcDwktCz5tPT4@;1iP7YUN$fG{SifqG7-XRjQR01r>TR#Vw*tIt#6YXGz z6c6=udIcJonjkMdb+;g3JXpK;^pv9$=IKG+8i(WMMY} z^lV{6E^Q`4m>1826fcB(DDsq!lYxHYD$BtIwt{yDm;L1MYIwPO&bK`o z?q2U+`kTDUcv0iygXnYq7z4gXJt0ZARaOzu0Mc zBSw|rN1wge`aBI-VVE#osTCAve+>{5nVgVd*-PgsvoTAf8~{U$O1l?Kbvhl4U3CjN z6-5K{y9l2+-heS|SLAR`4zlIET;n`8a%x_{-+v+*X#B)KE9|e;1(b>waOr+V&f%*1V6_$+MWb^x0-dc&Zg6 zSaEdQfZ#qMa;8eQ5GhsoG$!+)CR1w1BdV|_U1ZM5Qw7JV%x=3<4hsa^=5Rl{%CFQ3%i=qqkpB6hu< zo?2cmg2(k38f9X6xh~D|-WUO=$jmvO86aAG}5^HAMB^&ng4-z*VA%Z2bcN=p8LY-_!-Cs zGZF-77Xu78h;&R1>-SlcLzNcU2i0TwY3_gJ2{T6n5C?wY18@mmkx1Zc8OayMC|tce zM;O3ruziD(y57C^KB33o-GA+W;E&YB@i4gb;{533_}$g+H9Jk_3!65;75h6c@p+Vpp`L=AI3nA*F>dtc2x!XSy|ROG%ulnz{lQ;hJ_xe)`-|9f^fdN*1=- zJw#AFbFduygq!oloeGNQj&Y{kq&3~0r5si-~*#POUy zf>KUk7u%Y}MYtB{fOyQejDk~f+E8to6ATD7GPK74(YazCp=1`&u>{AqkNU!c40}iP zjGiu^Jb&>cdc45Y^w~K00uGacRsM#0b7O$+L1fvy?Kx6#QgMTT*C5nUpd-Wu%b~jz z#=70jl(s**pA}GQH?KeN&9l&DQ=NCr1mlGB?K-92BN++n8Ah-NtLJ1)Rca45HF*|o zAP?xY&Ppc6fd*Tj9H_)1Bzvw0B6>2|33Z5MwWAlf(D#2VtYx1!;-VQs%_#Uo>Y3f95pumXT zZt7}#lo#8fESYLtcw*^h;+cIg>4Dr|Ge14P4}U_2S3N6N{>%_A^VKR&7loRUDw~MU z=zlj_fBl!FP-v7eH*^;MEi&aV%zj&}DC+dJ9gOVpX^(8WU~st)TS=-`2EVMNFNuJ1eKC=D+`x>G>H*(Km_pJd?i*CB^!5B(q1*{^zntr8uS!stq09qs?{ z<(Dt@RzZK>1$1oIWybLTV7mQ-V@nlUX#m|&D5z_Nk{7Q#oVwpWcHUcD=UX)>vH=X& z9nIo$+IbN6ijbHG^Y+4|{mvGRMa83KF#oVWBW=ord04K7CfV-lHi1Hsu|ou(p)xNw&eYBF{m? z%V>BjjVODjnm$z~l@L+^8ANbKHKM#M!ltnGYgMb|nQe>AxY&-qjovx}LtcCKRMdUI zTf(Sx16Pz9ghvP`{1xTi{zZ_mKp%GZ>4bjh#=LYz zd{bHH#^$wvZN=Zjq}_TkpY-6|GKz@caWIHKFs9-1NEuKcSW!W!3KJb|TlpU!c5Z2MpAH5DS+9tN+KZT%jx2q0J3CuBq;8wrZ039#H2qvPG~NzvTE zLuWzZ9tW3=cuGxhBvsUacx}PfzvYV!W?ITVzdf>+12X!IJk(2nSa7OZ4i3tanu8^VNQGI zyl4E0Mc+FsJnWX4kA?+psr z{9uroi$mX}OXuBy-%LD20W2KHswX%6<&6OPI4X2Y2Mq2m7``xe6kJ?~7wdM#*wttf zs2A_=Ufd<+7ofeSXBq-p0qX_Ky;ZqpHh)-<7H`7dKY)DxzM+u7Rh`Xm+xxY#W@sLX zc@wOs-c@#6d+=knb?02{6VeSx!GxOQ&d^~?Fm?HzfKh7$8z|HNNS-9vG{D&;gjQ`} z)0;9c0!X|ePd8_ngl>WgI6H~k8JbBxF}8_A`SlZ3xD%2oImZk-iNBm@({#K>)-Ot| zArQ|73XWGTje_W(fi-U$FkY&o^pMtC?H-1p-zconq{U@)adMlu-^5`w6jKcAsWPSM zw48!Ty5b5#jUlhn>C^?%1%8m6k)^YHe0W2ClMib%J&3KwxC>@W(;N|>i!N%t01O1c z%W08+K)lHhc(KX0YkFm%msX*JjS*!Q|0ja(x3Q zk_45wWh*TP113rL8UxoLrwInbO|#xQz}&V;wEz3V*N3O4ZO@YBMukt#^j`Hpr5*)5 z)wJ1AC&(Vg_$ysBq~9es8|?Sm#9-w}$Sx{Auz8QA$Dh=FcOc@84~9Jx=nT6?gFn7Q z5$;3EoMHSoEm1JDnFL8HNhB`k5q7CDYlns>0>Ux_!(5{$t9exnK7StuT{M4yz*L7x zLnA};Wq{3?hnfErV=K8BCQ(I^1yAY=-vTjiR&pV~AX5FwP=R_5^dahl@irNm|1j*h znqoO%f5MUWC%UULn$O^m}ur9hy^>= zA+^stQa~;n;?GH!BUJ+x)a*!1yzHwP-EW+s(mvp+P=D~uxu!a z3H_X_=)6I7red`+C7cU9?SJYxSjF5M`5W1p1u}y$&T3}8W)&~vKKjB<9gPB-tM8Wr6cn2Diu;?Fvi;lg5Tyd zISkw2WDbTfWtfU-;olDIrn{62;eRrEe|oY1_U7R5tCRi18~pp^{Mf%A2f?t*h@ywx zbRw{^MxgN+CbuZ^HQ~hJXtjfy4hHf&2mKayF#yMy7|wu_XkwdaZ`;%0gVN%slJFwzcVf3=dwVy?mP)A%c!S(AhTwqo3r^6(!wcttUiP@HvoW` zlwxY>!nPR|#Yh*8?^)q#ZwSH|rpo(F9!vg5nV7VBpM&~;&Hdzfn9a@S^$oqk+m-`1 zJRqAD7wn#%9n^lZcVoTU`szqHe>=h z@U^6p!tkTaI13aKClBSY02#6B2(8)NtY0pfDui85&qaUm7Pc%{`yg6L)ZIQq%=zii z^DP}g0qF3h3d)I6tRVN4Y382Gz%J3&QzNk%=~F3wuPad^@o&{nGw~_x*;e|bB}v%v z(wQDl`4KkJti@@l#=9IOGhbdpY!PE9rni~0ma2zrS!UHk6$1Oj5-d(M=NWa(qsKQa zGbo0+2#Z4A9$uXvo+9j#>|Gu1z9kRvRmf8Ia_jkzlsjPJsVi0F16L7)?&7W}C(O+1 zSkEl)C3EuCK~0#s-Z1==BSxIku^5vd1h2Rd+oi_M&apb zxfG^!DGIN5I--Dj6RRB;EkOf0ATNYwk!n^N#$xsZ%T44$|P1}fyB=0#zUVDfm(2X!{alIKQ7wZx5Xll|Sxo8dRZo3pp)7YCcI z_JX(SUZIlrOL&YIB-)CHHW)fV5-}N()qB&xI-RaOcrWNph;QP*6cN(&eR*ioFwd9j zt(xU+s#SEXv0sSKWPJ>6Hgv==(hsw8ZW#%sOFGGTk?Xa#_XS~&MO zzpHGNO8LH|QwpJw)Daj48=HrdGPW+?Q-V$aCfsq90M@$Pa zlc}qeul8XzdSm%Ose4Q)99nt|{*CLQFJTDOu%l~cLcgHp;As{@wrWXJjQ5reO-oD7 zmyI+>F7YG6wwp2ljJ7biS1I-q`avU~8y)QI;@{56r^JZ%{;=0idcW6`qpJ6Nzh~gp zLV4uzxm!*4w(lGIRKL59HdjZpOtkNu_(j9Qnc3!c351|!fF|!HpO8isHU-Z zGrc^LLuS1Ov#}Z-WM9jAD-i$nJ1^#3ba#&H!|Gbgj%=1`U*w|IQI&^kH?}IvJ3Wb7 z1K};o+DXgW?WR`hKr25BRoE{hM`*c*irL`vtuH>IjF;X{0Y-&*T2|cUg~;ID)mffg z=Zo?-TW9y8j0a^mH(yxzZCU!?C2yN*^+7(M0pBa9leC~lOZupofciCgofTDnS5v1w zg*|-tki01?vcg!sZI|rsH2FEknx^uy$lnhd8rR+GE-haE82_lDO?Q^o^Nh@K=+)WQ z(mK6Q$y?s7N8f(@>#9h0m*fW&obdTD&#A$^lvXHBjPr7wfz@q~{=HXbWP8l{k8G0P zx#Rn+tmv)I_?vI>G9j#mRw|T$Y9II0Y7SjJ8dpg9L6mQtd_|Tmg#NrO>!-Pq2Hc(()CShOVV zmshkV?(AQ*Atzro(-l6b==L9y<8)FkSQ{@89<=R=0O2l&K7i-qzcU)2`*c1|jX>ck zObGMG8GTdE7y74dX-J++Q`@VqY2)MuMY%9kEIhzx>*Ttu%DWjpn0!09OYc@q?e(lI zrgf8CrjUL*oaZU*>vB}n!yVEYoD9jTg5V?lN%J&$Tb8WWgg@_Th%beO!@U5AB<9I+ zIsaWG6Vq7+NyphDow%ls()#ugYeLDz ztliQ0ePzzM#YMxT5!m2548H7uR4Zy>9a4oBUS@5#)<>T|$KK zgq&X*{55sr>|8Hr6(WbnB ztmAL0kH1;0X@h8HwBqO!dZY9=Wc=Rb%^H$^r&zvk%8&oAl4T7`S_I>nlLq{XHZXjj z(X-J2j52v?_~0sC&(a5$qohx1H<^KEyD)zbS2z_4Z<0Zh5}QPoiC|@N#aS5qyPnaE zr4ye1-ORCD@LpOcZ|5am%$o)~Te6pXjeYzZ+!Q<&Tq^Yzn0T5+HMY37@L;dfZ|Pro z1taE+7JSjvvpc-BQ@mK)5bc6Rz2g0@Q}7b5=r^hSlR7CPm~`xZur0j)_%|cE?K~UM zj4iU9CB#pgQMt$~JmU(_+aZy8+DsmDe&P3d7N}|7ef;yk|MTR0eOG<_TXeX&%aY-& z0qbT3q{#d+F-`v1i>VFo(rSbmgU`$48et0Z#gYyF*T?^*+~lt?;``aMlne7Rd0mwv z*m>tn%d_=-zGjg~eBRVF>uK8ZUn^`W`D$hV7?z`Qb(h+|zs~1mP`IX2GI6tp`qNCZ z`QS8N(g1)9pS~b#G(*QT(dJau(6?k| z^Qw}+-Eetoq9QL^&R6TYLrD}YpmSccXSB9x^{(h7!v1=mdF>s;GLD2s)f60(Gs!Be zsyup~kGQ6uKPd6Z`FgZ=k9ba=QcZ3^GEAXe-={&y0UQ|8VKM8ANahJ!0>IN-uoLap8=wK`$F-i}cv3{s+ z?27EqhCcuJn-#y3Z|CrKOnBT*XzZt1*wTH4~?|FyV0N2Uoif&cpFp`He9nMGG0wBRvO2SFcbzwj ztgSw)e{MnlR?I7IH>Y=qidZaz>o-uT9pzqQbPPTP0+t`bS(Cg;0n zC+EkB{`gfZ2?+|{n|$KCu5cZ3kVxLiqdRu_z1pcnGW9v*TPzut*On#}CH6zU|Efvn zUCo(TD@VD8SA&y_uQ=Xtez|)U;Yoz@Se<(ni=rc9|HQWIk>_e?*HW+{BILK1)N}e& z6@yZ;Z^y{nPlC{xcE|MI+}l9YG$_CtC5lnxLDL+nK=rzkq}O0u&rMq*k-GhO?Z}NjV7an!8WXRyaY3o}+{jk5 zKPrB*$+4LTXOr0VAP*uiag%|Qq&E7C+15D+!%Y46nT=cxZYQ2UAN|+DA$|!)GEnE1 ztBYiA)!bmm6!1qTjDY^vjL{z?yGJ)CwBhiN_1|CeatL&!uQcMS1Z zlZj7i7|#>7$!`Ppe|jC`JIM}&N`HseH;eSFpmBhlgKL%>i9HrlDg zqwQ3ene$)tZk?#!EDK)ZldsOtfPeZWwukqk&?=)HlZTTu9=NNe7L^a0D=DAc5n`ow znULr&cMPveAct7VQD$&beC|bQcNOMMeN9X)-(;TEm{BCUnV+IH$P>oS@*c^hpIi`R z3jzeNuF-oV*kyI8z2>Z}2G@z&x>z4jYVz+Es=zyVI>~hp2@W4$jlow)^pz1A1Om9l z1Tbg~!lMM`$;P^%V}|9%r)#if92Vm|AFHS&?;SEI!E=VgBiXiGBxL|QW0X_hGI}{u*_2BM!n0}7@mhgY z)I(vrDacv7+ZN(C{hxs+{Af^oxSQAV05D*zh{y`aCI6KQx0%=vvLI!TXkgPdT-5D5 z0Cwgpu*KAv+&1&AM?39_@DvmOoMFKe?Vl(xS_Tc(_rRpzUa-$Q)j}o1%_4xSzy(;l zl&_UIH-dziK!OmrHWpFi znOHE4OBMy9P{ydWHm%J9aEZYY-A29Js6B$UXlpyePINR+r?oY1Hv6hLW#k|ACfa3F zVtGrBVZ=ZPniG{(Hm`t3d@vW%2N@?rc*F0TSzl>5AJSz%SlnFu%~i^bwqPSqP*RzN zEx?*(=qh+E>lleDEsRw~1|U?eO%LfHY-uRcz#g8ssr<7OOvhi7(OEvoo^+OuFNRW} zZrvda6qBf}yE#1Mp#~7f9FSABco4&=Xqeo_$~FrPwF+G*5O~DF_`p%Cgto9Q=Z)nB zeVrd%o;bc+kr4NUCu9IZNXR2Y;gr7pn>ako(^S_1%Sk|7EyxmvRrpg!D_?1peOWA= zSM+O8-O_J&N^Yv{_q8i)2_*)Gw6_2((|sVoZ>G70Tl5V}vS z_%FgB+XQ_b+|T2Ub&aXul`N+PG#? z(__jdlrhzQsZ57nFO=ezMatL8&nx(e_!eC)NAO$r!!%ShvIuD~b4!bDn26D!7wkHN zE->W;7szNIj80M4gZU&~YQd6F$v}ji40^2j;1H)HBqRS^s;s1!w}OI`t67qk&nZ*O zC{+&AY_)u7@=3rw$I9k&ejx0duVl8!n0Zo^CYr<^*vUae+5YIea=a@sgMl(_k7pSz ze0owp*x=oYojtFB3FQxJVBf0IXEYK+*FAR0g`39Kwv;Mj@W80NkrQgi84kud;3ywr zYkOXncMVI8px%GZ-jONRu&+?1Z3QVP<8=o9FKm|9j$-8D_`&6Vh9rhh711c{ z63E8ko=$Lzyz)`4w$mO90J|OE=l!V(WIU)e?izPDCS`fFHA^WDL%?`G@?v>eiu$c@ zM;Mw>#!S%TbOU5`Z&D|RKbMTl`OmO&n4QCg zqWKl8qb^MuTA@jqIIX)N+&M676sEB~z)~eDNIe>Vd7EP-srcrPks}A4C{=q_XA-|J zCU4iZQ1R*a%jMm4Anmo^BN_JwDz~E>18pLUy!a&)e*NE?Uj&Xp*KgDJzjVW$uUtS9 z!Zx|k;344X&+dlY8#2g*9@NBa*%<=4vOI@H>luAxyOZ(u?8gYmrh1e^(Q$H>bDug{ zLY6FO$``-~*~nKhE0d9FcY>K*P$h*YWCo)dBZ}jrDYcL|h(7q#czn2_CTzgLe#be+ z1Y7I5B@q)8-ygkSfA~o#B7q0OL|5#)^Q6kk7T0wk`^>{`cMcHSadzfDlkYGgo&^S& z_oQqA8rm`IU%Nr_+tAT^j2+jwX;K!aRd2Nl!lMc><~R(uhJ$RBOZjthM202=l-#}f z@gCJrtc3=1fOwUo4Q;91u``)^M3=#Hn8>|4Z)#OBaV58|#;u`EGtxRjI$Fm ze6^EVAft4j2`^5NV__z`9pO@8L6|yJOz2H$xegG#?4g|4-yAZn=`nJntlNm5!~RT@ z1FT9|neu&Z@79LU)<)W7qUy8G@bNuPC}ClQgC!jefe^H~3Z^j7$2F{QM9uugP6&2C zL$wqrS|LuntqtNO@DYZ5Vk&WrNj_0kC7BeahjHx8uoYqCX)+?nzSHfH#I>IGmH3YO zn$I_&^{|&P8POIn09HxN(4w%exH|so2k5W-DQFqErDwdYEQI8Mi{$hLtlEK{&gN3P zk6RTjD{@R@{KfMZ9aZH%^NAUX^YT1~pz*ZnG0A2%b$lW) zmlH?|AnG>D=My?hHUp-0DZ-Y4)wM_eC+0JCqX|?m5LT}YPiIi6k}kO{mKgx&r9?sV zN}}5|HJFMo;H3Y0#%US7y;1PBRatP!ajrv0ZBjULa6V7-Bf)ArGwxuqo3s;JOXPfJpZ zB`)>$#$3F*-cQ&d&pL>SWH-?Wm*ycQu%i~JFm|#pL{BarE{OAaSJ7SuCqReP2j_## zLB!G2Ruys1Dms4F*KoQ3y5w&rWbVODzNH0#44SFh;WwTYqBLB39Iv_Ylyu!Zq&}OJ z#Nss+DPA*tEk|(8S-aN5m;z}_iCA|$6U=J?hG?42UG2{>s1Veu)9%MwSc9Vu4=W)a zbVQ6%y-4r2EXfY6=szFK{Ow1Jloz&m_Y*B}?KSq{9(Jb(OBABIvS_rsjdlZ4 z&V%p0?+guC8cQ2n7ZC>is%i=;Pg27NTW5iSu1Q+YGE15&APx?_*3rD-Vm)~mb&{oZ zK34`XDSqLIIhP|E*$?-^l0X>@gjl9b%u zaT3(drX>gEQTAH)Ltb&^6W^t;?1k*@*@8c2l6KB>@M!!%{orge5ScWQ47urMl}&TO z5sm0yg_S%B=VY7;63h{I=$ZJe^tudLzau}kvLu$FPghNA#d^ugyndDZKsc^{@P?aE z{TfduM`VgkKO=)KiOOP;g2$YCj11HcdhH2jE8kLbNznkyVjOG40(sY~ z0q*+2q3i`*S_7>r!hatXYmKgkhC z3zX-M0Rm{{Sww>2c>B^3hxJ85Nm!AJvKWLPbDJKZBix+q=WKbcZB(+(AP29RI*q7A zfzD?^mJP^891p*LxqJOOVn+f0OK!4$&x|F5-Ua(4?l>?OpwS(8rdyOi#YA$@t069Z zdMAGmspH|XrmD3u-NOgRT5H8b^ov|pEHrk#Q92o@U2kcC4Nycly`p_hb{9Ak!lS6{ z+FFf7wo^(wT*4yPwYCTBCp(%g8q!gwB5AzKY15OsVxO+SQg4!t8kP1m(OUoQ>t5q4vCgTQ8EjcAJOzEYnz4}Y>NvtGynCi6hCwOOz2x_Y-wdx0&kk-5 z4)@+2A0J+Imf;3rD$NHLoloj3$ojc08rnzD4F+YXn=U*JXS*p~R92Jsgys7yR%~cV zgjy7)AUP1&phJ$wYz<@w!vONaQBH{Z<6b>E1y95a?A2W^*lDJyIn!k>r6Y2!v7f0MJaGa7b@8v{(j-SoE>6o!gj z;iYHw!I@u*ElFB+@f=k{IArK@=ouU=Y*LOg{}Eks+fg6dHTv%A^yKK9z%6dC)qtR0 zCtXMPgs|QlGNpW*lHb2IrCT>6@)Z`_*>pi0(p@>)&PLClzkKoIm)Y%TJozG>jGq7a z<;(GpZ$BT8zPQaM=_3)%Et>~zDSyam1U<~N>vwx#%<>gR!+@qGETu~m!v(=on%Up?2%9CZxgl z$?U~;qB5JxT(eUCRC|S|N`JCytC2d>)zEtD)8eCF?C+kt=ZzWf>C52o;CH8)`LlPY z*C+eCLj?n$p7IA?9^@7v9*;^sI@TEJKIxp}{IZPvs+`=r^SS$^JsIlG5W2@d9`S(Q z@t$tRUcwbLJ^AH@Zb5Dw2|*Vz-dDil_AGAE1oBMxr2YJ9?$2JWCZS$famye`zEZVc z1|lG!()Sg&-|y?EJN@L^`@?I1)sVf*_8IA$P3%YABTLG!Y4Z| zq0)Xb&6yBm)!H$=>7N(OcMYJCDwCuFtfOt2(MNjWV;K?bAHY|&$CbezXsRcd)cK<4 z)eVKbD;x_Bgn6t)`f;{`k-WE7^6z8h6~L+!^CO04kZ?lUBOSD~0uK|&pV=KO10%OB zS&-jV5Mi9IG>zN)ByA(?S%p$CGbTG|IL_N%vMDms=(l0M_Z!oYnfi7UVR)7I2&p}* zl0h9orH{Bk$^lwO33VYEGQ4t@jC0cEzso6R4Cbcp#0;1bbHiiVB)zmnPnhxy&7BlB zwPNF4ihK^m2;18Q@J5;XJ~)F~VqwCFZ)naX?~77bYkaba8|HaEKyoK|$AFmno!aTW z!JuP?aN<5R*qG$6UaIW5g)y4Q0yIS)ibnu>F^<$4#l6-e1l?&F^IWUY1hErF!(wM{ z0nm|XKoBX^bIr*mOIJRrwL9^!VxV*b>4_c-P}IECef_1bf*#W-ZEGSxf((T*@1+@@ zK+1l8etj7<5~dWCBmOpM9TzF5z5K2|P^6$}jCDEGUHH@kwmVUli$RU>%s>ibY#;QdvKTKe z&cGQUl7)PoPRMx^@Yd^{{Q=ciHeNP^6qWAek9OZ<|MH!`GW1$wM|Qt0Gaoo4%p2iO z`?X1KL=v{L1ha`9Q)-@}j?#pr-!1cLTlv8BB2d>@*^Xdde<+L0K4I6r+s3->1!pk1 zL?h~hcjvBUBK0%_)B(q9g;!z7M6Jktu373h9JtcO1_|y8993VPeP0zZ-@xr%sxU2R zBzR|tx$&Wq5mjGpUtU~Y@9v!*+Wl;6VG7Q9|J+LUP4BdB%~-%~tU0PqtDH^jxuFph z&R|!MYVq%gI&39Z0A4_$zu7G$Dhv|gk;Y`hmizZS{oS4kk88oICZgD!>(tss=td>= zyq}+zX8sKp2k{LDRt$kZ5s)KP$4wfrKb#W=&`VhNS+#qQB9V~x^^CbWFCU}XJ}`j zvn$;RxlR!uh#crgm-+i_KA>558;YicL22&0-cThl%IUUM z9g+tyyq6|Z)M0B32JmSHWXKFWn@A@_ta4s@n7tM*XWi{RiO-b!B%7*QLdU8Y8-hde( z5(nG%zluc09(5iCXS409tujw0%vrT!RWcocAld?K5I_Wh{HVK*W{%bzuvw~!bpZq$ zrJtZfi)^7{GFo{M-58EtEk#dUxnis|$Hjlg^J$J{ZZn zoC$E(A{AFV7!>~*z>9T0E00~Unu4IL=FtrT5B(V6f_bRn!n$}3(-4_XiMfs+fCNkk zq8T~i$T}kEMWp1{_g8LTJIWudsuam0dHdd|gch>vNW256ir>xH(8oTqTTHvI4Lb3C zo0E$>+k1QfzE9&Voy7QhN8;Qu3vlKmGPsp5?_X}M#><;*T=ZD5ay55R2`~Rrc!hr* z(ZfeV%VeShX8=U>7EbEQa3Yv;`?yXCXh3tMtBpr5dgB_T!b=C_oiY`RX*(cn5AJXG zI}^xq#i}$S!O3!-J%mI89ml8nUWEk_9)Khv3u$|OF!r3Qj5di}6X#-PgI_h0>eIY# zCT~ont~w=$ywp<|%bRSE<|P!gK-#!Xy{xzQkFPG?UEUlVo*o|WUY}f?Zv{vGe@T;F zM*e?oFE0)bZ+`l2_w?lY8?+Wp(LKOCPo*k&Xo{pCc{lu)C29bcL0`iUX`>ZxlbzRt^i)X|vG_!zSv@=9FF|6`;8t2jhv0g#46>(@Fi9U|-Uwk0xk>u_ zx4-_2O;IVUto+)vYz!Rfj6<5(^1MMSggu4xuePbueR3hk_^qTB8A4vTP3K)8d zd#(W-k8U1VEqL1?f8`nT?(pbD_0}_vNc0|?*Sa7Fa_9`me9}6Qo{%bWEKl=cj2ovy3og@5D?O zp@9i-tim_&p2le3ef@eL@sscLKK6rlzxC)u9eigF2>y;6a`G^39z}5Xo^`k-;&aL)U>0EwINI z4LE0aD<(mP!T}9pvx2BX?!E3eTge$hwD{>>)f6SD^$U2dqLpx(E=Km>S)GHi)(I!< zRcRBb61cBkW8ZsBWFgd2Pz{6waLLNQZF{FVOB)pHd6~Q|s}eD#$FvT*gbQ3lzJNi# zPL4AMk|^7)c2h(N=6OnASM*w_KQw{ow6WKsU0|F0Dx0$;#v^(J8LJ5lfe>VkfQ%;X zu(3J=wwWjN25y_xG9Njy08b>~xB<2Nf*$bRANy&OzkmOpl>@M*L5vN-jZaAlKrIA% zHDgkzu~S%u^T*9~XsvZR;e zi-tf|z*7@IN^-w^nC57sB`)B}2>>epHvK>^)q7T}A8=L5Z(@}Is}6vW?dvRGjcDgU zdrdyrr?0Q_@!i^+X3V1BBJNM~!E3xbyg>Yk1ki3XZLopi?{zZFu?2XAfN!f0>-xhA z+1B!bZjyu4pAH9l^y==eWRmJmGXISB+=?Fc<6jl|)MMN)SqVW{`pGjIj}biXB<%;0 zKDgCEDk^`uUd=HZ276E&Ger8QVDTQ~C6<;9A1@)M#y6Dswz0F632hB2epV(&TeJc| zvXncX{Il_KUKILwp4J1m6^cHAMv_B-(8N5uFu=o`LGYkKZ`d@$!7 zto&g9efja<)^$K3e>Nu{6p|$0rnK7gzxyBBocj5g8S(c@bc615foR9u6g%@}TKQ$V zr`Z(VV&3O@nw(|D2QY@qA7J0U!`z7Y@tFpHcZ)`6T6%*fpC3HKBJLo|=fB^eAe#P| zVb7s)p+(L#=<ri4|LLbbo;nZ3D$ISp=fye^bE{>&xZ*OH%706^qxN9 z+3mCHouRI2jsp?eAJ|~Vvjy>iUce2qx!XD3L z@rEScHpP$j0Sxft41tPdWiBJzjG0df`RUIucRAWqTo3@ox; z-}xWHwdjc7_F+i3{X@E6E$CZ~o_H;7>|eg4GyMXj(woW@!=QYYjw>I0M{$%ft6IXI zFS9D(H6dwkUk~}b`d;9Rfw#dcjE;yaInzSE2%LZ60EFT>*C#kGRmaH4(~NF-pXn(1 z{zLH2z4t&avs2xDnQ(nI#403dtd44!mYKk@lnl8YFwg+4D$S;7t-I8<7eRI>GOxC5xmCTHd zvxmuuLzGP2m~8w2pWfip8@bef;qoP4so!qeh__+)7^C#9q>1zc{p3bJF~5l4xNHK` zDuqAg`U(bja<<9NM-0?f5c596;Q}P<{Dky1P~(UeCCq@EVY))da8Ee2UjE+RH6r3RKFDR*T;w+B&Fp294mK{C$Cy9(W0ZSUApJNJs- zKQWqSQYyu(a5rl3pGm|y-l1)9YMW+_f~1S^Y`sf1a%ByyOQWw*)|pq7Oq-{P&7>S} zt2Q|@6o%MVxuNLA4VCB(glZN`SqHQKx~r;9k+nic7HvbC;z*->?hni?x{+bHF+;dW z$5lz&FwOkg7rz&_ZL08>c%y(g6UX?*HFHKF1izIy>E z|4W@!HpRo)3E9IX{L6;8cWbHq>ig_6CZi*Kpi&vO(QEi`1`|Gi@%gKlUwqly?1yC` z#-x7o#{>Ck9K^?C$RuIY&7XjF1;Xaiyp=naf_OL05krvUnEh-_Ur>9x|0qze9Viy> zin$HxjiPQ7R1(qwU65wG^xi~gb)oC!#xf+86N-E0CHhViN|@i zJ+Ku^po>j&aTG$c&FO|H2#qcU!AbWFMGG)7GFu?jNg^~rga=)7+k|RocQ2x zlbfVk1kB_yq0*1kq1Y)t&sqFuJeSR~h7S+Hn*3!$2B-BwvfrtjUV zTyE**&$rHmMQ3YwwW7&>Y104KC6hEwOnq%@HTruFURge6?haV{`LytG1lX>Cc2Nv$ zmnM;-Y9xNKmc#JYgG?s7mnU8>T&pu*wXylirmS4#V1gQR7gZ&LC!Ko2?rQm$zYxqX zz2|bzqjlum1pzLLPX!|XNUE&;<4BE7z$@B2!)+0Z%2cYWB^Uu3sT4#gT9N8;Z#M-V zhKE{*;J3g2iymXH0`xRy2$y6cFR!7-`ximcjVvRB{%}!_@W>0mOdYxXYr~3lMC(w& z7Z$z}&mRN?VGSw2SP&`2@al3lVMhV0v0Y3CVl5PLmYq;m)>y0NBbzJPqh0nA$E#2j z;Lj^sycflMtshf|W(Y=@VqQz;l?R5X=x&a)z#;=Qhyyv;XesVDBoHVm~8{c+A^ppF^J2@R(m(G0iF>#35RVfJO9JUI(;#uImv^{EOMq#dF15mp2wIY^Ahf zcopB*j9^n&vI~VnYP4qg#;r5X)~+VXCIGVSVj zd9xB0i5?oQG)$AyyLj7EmaT5<<=y4+)$YMzaxxsgJA4H*A$Q9|xe1NR%A1l7Xe%;# zak~@yJc|EQad-i#B3{!>r)yuu*l8EL()<=lu(ziOSE?WG$BUb!*@8AR+PP^e^(80{ z44-s)L7q;yV67%$xH8Z8FV1MDp6s0fV*ZNRkBWlU>e%8hlk>x`g%tb6=RfQ}6(KR4 z;wboIoEMB!W|=ofnhBt>3(W@ra$iNjYSM`Ti&0++?K(=XKK}KD4)>XSN?Y2S3}1N= zfL+?5?$YGC${+Gc3Y-poLgr#}Ok2PQAenZHdYV?rUQ>-hH^VhGtNa5U{^jcV=k(CF ztv#AcD2KeL7Xay`fB$dp(lxcXmlZk4RZHl&-*eg<=$Pc2asou&9bjTMj%Hp!V2Oi5db)2VU5tWS3VN4bvJ<02D(>Yn)H7Dw0+*O9eZb3r{Rm;l9 znVdkV{`BKtF0&69X^dM9?9*K{Lf6u}7AlHv09eQY07bXi+>1BAp`oHFBoH2IZ=VKq z&Wi3aXsQ#21Xz*7hJ^5|MAcM<{$s;|NW1D_W$|EfBC=u3Fz3y+5V=xy1ebj+3 znStiwlsY%TAP#33lH@dR`pElvF@>Y@fzf}%Z_DB}N??mRN8YY3Ksj?eFBw54=#m&! z;vTUBU9vZC79Q4w)ej>0h>r!aZ9Rnv=_lX)Kfn7A|M2VY{?m8=nf|$zeD{C$Y{O+&+;s23r& zM&PJ4QIyQ6yMHK4XiH`TYLVr>P%fdWO-f!5GizFgP=8jSRIh8i zMJn5qq~?;7ASb^@jh3;WR}3|vLHi*4JC378`YjV2i07YhiJGeUO`5Twk{}*@%e|ewb_9Tm&KDNo^Knn3Y;WU)I9V; zJRD=`F|%rqu9`v-Y_@Q##t$SJ7gtQjL9@gw@trpSM1@D)I5hsxu~fDf{NH2z_hzK8 z3EDa{nQR11<(j5hD<|xMq?|^0XyM0_&Pj46(6+abO%BIz|J4 zwPT_68(SIaF$J2HBk@2UX6x1?@@}z!d!c6kZC(XVgm9_RLCgB%wD+ZVy~dB~yOm_4%+%?3MS`w1>)n#jL1vDn4Y(do(g zp{-Z)`NLWhALt^VK}-wU?84+iHp~l;jJg)_t{{UTJb8>d!4}cef}mbZ^#_6OBK5Ehx~+MHh8J?_`wpA(L<8%-T<(mTsOGIhOE15kS=z(uq|>Es*FoxXv<}TBo%pU zLz81-qXyQYTxd}mg-=2gt57}>H=u4bEoJ1R`i%0fOdmT~H%v|#`)joWD zU$bnjTB;{cz=y2WWfet1J&&M-kWYNVVD1Qgq~Tjr3#!MmCUt@gK`EC$R&+Qv0aF(` z^{Hd`4b^cK*VYCbXS$NaU2Q{|9&4;7S1fCC^*H^olSJur9zJ9u?ssZ3d%U_~-Z5h9 z#$^Et5cuU zn&v=A8{A^Z?jq-AT_UdhRU&IWL_=x%E%YPW&{@4kMw|O{4Or6L_2&sj@G#N8i-gZ9 zP={A^aIUf)&f2wE%Jl)gH}$=r@I(j(_94(xqcM?`56YnRn%xNy)^wOpu7s>wFXbuq zQzXE5$9Frjx&8ud=B|UCJfFPtU8T!>vQPU%zS`*o)p&ChZQg%rAEjd$FIlU}yVZeZ zD~TzA9$^8Jx!hw8B!ti>JwyDxB_d;yE2v*GR8Ed$EHO>k`vU4lM3uQtG^&p8BBALb z**&^pl|4NOtm)=9Bu{!k0K9s#es5hmW_eQSEl^Xe2dpj^l%jXp=K{E}{q_sC@wBae zX?!{WgsP+0OyL|stxqiarMmyE_Z}l5Vij&@I2)!BgZr@j?vIbj7WxfK&ye4C$x;+8 z48&mI=EqKO0&7;IYqB}wV<#Jms_9u)=N~dF4A|Q@_@G`==TnB%1;B6};Z!;4yeY;q zM?Ag2!D##vO_L;xTts*x-%F2oSDJp{v8UNC*rV3<*iowm)`;I56&`W8aBVI3<&Shu zjsnicK)?;8Vf-E>4=+}cg|c?7RX-NO6lo*a1tYSIwh&2{C$Pu8H%N}wQr)m%6ZJ4k zu@(b>B?gMbq*~eP#t!3+Jom;XP78nV4e~R!bbjXddCfSWHno{=Ds<#O)94lOOfb_z zoNvRu#)Ie0ws4_!&Vv~E7;K{}#XB)8p?MA+#v52{H>{DqvDpo7(m+pmC2z@|vO1Tf zO*tyBAST~iK`PI3-uBhAR_9Rf0@gSV5e2t!RR#XrG1FB-N?|ud$k(O&o^hPSZK2qf zf|%7)8&p;cjcSdohEnL`J7Zo4sGD#!c)~tl#ujw+tpqI&8LP2UKvXD)KsbeF6R5x< zX-O`UK&9XsvP3{;BR+}RXh+h=B#ZiBCj0Jh=l^Jil-IJPH`PcXmW2Cq9+ zAz0bJ`C7kc;)k$Gx=cJ}g<`$tY619?;X<_DQvJIQ4z?%Ae`nRBLnAw4c%{!_F3cmG zr(%FPJsKVC(=uE{mfv+lbO^0#ow?RsQOcJL=|wSw@dy0aOM&3twOcS!%Tu^x#G*cY zmM4r|;FpZ5@{R+>{zZ5o`2yC~+#3A)kZG|7rKR5+vWJZszjka zquqC>*J9O%0so1KB;EpiuXdgv5?wLnr)l4Cf44SJs4##6ooSp@t}bzOPOM15?9(o+ zW!XZfJ(e zfA!%vH}8grSN-@yiBbmd(x6;;Xv6rDKgQ^rL6bZ! zj?sQ>Fn5kPTVJ|U*s&IZzl!Gmq_rV+OnEkUmT4fn8`FIL^J%vFZ)wN*7dLr%b33`A zGj?M$1ZTQ2WlQ6cyh2$wRTe~d40kTq93&?fI2Nj+Q(NzQt-q?}n8vmN>C73HX$tb57E zyOV?D%P+q8{H46o9-}Vhq9^S44$l2f_ zXJC=l>UgAE{0tkM3KI8nIS1Vj$M}x2Nm-?@lH#_O%ah;!AO0_i{F6>}KSYkHCm~F& zSQ0r3Oo`CaCR55s53}@v;m)L`uo}1l9_UTki}IW#FQUlf8Sb-{Nrg5`eK&zRt(8NX zfcrzHnlN!cGSj4vAu6^(^wX2kqtndk1{f~Ks9W23(N5$p;f4(jsXeai%wd(=Xnd2+ zc%+UaE|IFT<&IYkBq9$5=Q&oK0W?LJ!SRwg=T??0+@Gvs?#Lw)FIBOX?74K_!ZKUe zaWN+uXc*(~S{iP)UKu;YZDhtL>< z#bBv|tQO4*nkQ|3n2mQf`;nxhsMw-cM)<%J-vPckb#iWA2uPl`9kVi=i#PU}c1$>S zrRWzKODOSl6%zI4<#aHo<7eKJeHnin?m&~r@GCgYi;i+*UL1iD(GtX9+_2he+ge$7OBa(>W_y|S7y6g%`+3fLjyo8U z>R!!sWdL*>KYsjtydTf|JS2bQK1Q3pUdlc3*YamN;g#*yx3ArGY6FM|7xiE;ubFj8BqAexEC@9@1 zR4IxAGFL4h%V~m}FF_NMSEt8z7Fjmve&VIC5S*3tzUm?3qe{nXDJyn|uGC#qM?!lB zo?Gt*_fqmv+9m(<7#tlVEhA-@z_@Qd3PToQ~P*cCzaJILW4L1hV+%4Cj+OoM+fumaY% zcwKIkp79&P6V(o*t4Q2V}yyyq+oO1AYd7GFl_nnDt}Pj%+tj@%VBum zz|-!$$k+8bJp%Uy2-ei6) zxN3yMBP<(v=V%J`8NGa$yj*PV)1`AO08k#eewW-~9f+{o()f!$1D;ZzFQO3ily~ML!!n|5*zb{Y8sfZ&^-IuPQ^q zPp362YJDS?Dc!p()#zd_d-OFKejGZWh$#EqdvsW6FTh(N=MV|lNwZvTuvKZUWxW;6 z60ZR#0Af-sj}}V2H46Hvji`5qHzHwLaQ9nN=!&`2&WoY=wlKEQHvu40SeW` zv_$-ZS||(JTG`s4*NX(6t4>PNuvz_7f11OuFu z4f_~7y`TJ~x4V}lJHryZBJkf2KL1J2(-x?9K;J0H+kk}pqCYLmgHc-b7{`f^(K|bQ zadLL>{wJHCeCSEu<0l*D!TF#MYk@5(5=WSKxGpE@Cer_kGu~DrLFJJqn<8BXp>isk z)o_LUcE4UXqk$EX3?MDRjmLM;k#;maIvFVG){G=CnXLOrmVp0&q%F=RPadm zIH;_|o6?<_3kS<)1E}k0gOUpfM5Y`)UVeCW>SdcRhQqcvM8oC4J*F2#r9V&hRFzb; zLHou&{CWTGei;+c;MbEX->)eDaQuf1{;4xTC9xYp@CO{tr(b;W1+L3wF1(`Q+?NQ* zjw6oK(srquz=y;l&4B=@TXzpI99}HR5NKtn)`1uIB&L<31UiR``5C9-KGr+tm-iMd zcZ`b|*-eGF2838n>sV2t9k>vQF%4$0Yd(N^tk-UVk?7^kiqu-=VuzeS^SEcioIT#A zgB{8taSL7*a5-Z@Xk8$3w5S^)=>l(yRKeghb|pJ?2N+lrpRzC*z!_E9p342E^*S9n zKR5(6>fY}?YFqvAULR`@*YuP(e*Y!bXiUX(M~cXd3oa-G&UFzHPG~(3XlpEFDR%;o zRH4IEenJaCb?*JhXJ1h8%~cG=ja3rY*3t>o937F;l|c6DP%?)rZi72YcqnfJK9!)A z?;k^42$~|4S=5gSVZr;1$;Uw}c0GSuC?%Rq>+zj^%5s*E-OQmk$uWpkBMC?cq@_3X zi;qlaer4vWI&p+(ebbkYpJLB`;TOQQhOaSH>ST5qlkJeeCD~Ors!f!g>uUOmP|Z`s z^IadxI7DF)+@Z8`IohkSn-V_fO+HXS-6r%)^>J_C44)&UnrI^VH>_?{jH?alPPrG1 zD2|{o#Hixj%)Lq})~Af<*I-mOtLLh{$W&Wwi-qq?!lc_^(=Fy1x8n*TrH5%h3?;#y z$qXw2&DAKa^RcLkFh<#JtQ8iQ;c_#G1ee)DC_K|3Re>xD7BFnw5Kv7-`F= zCkPEvC-FrFxK5+Jj@jsHl;Ug#HmW+&6s#+9I7!zv*Ro7PaLb?W?{No+J!If*+I`W9 zhIw7D*s%!ejcB~XU0w)I17&*cr1T4huVArDg@rxxWCNNjc0IQ*p>n7Wsh;RYJSfbe zvjqzt+w^YOm`>cJz<*-QQF~bYWca`RYdMe{CSVON8b^dV8K6VBNp@J^Hy^oKvy~jF zpZviuk6+y$U0%FAeRcc#^8Cd8CRhZ!{p2S{tv&=3#8IL!!xBdgSuroC^y_#{oQlvi{%xwR^>VE#=zwVz(3i z;Dg|XvF#yf%2D^P-(K9Do}b(vpI&zroP^J?C1EJ@RKPNdd&0sI5~?0BNa{e!c9*$& z=z(oTSQXFdMzAW9E@UZi;x-?ZHLu36hnE*t2D_W?*%_rzT13)lQ3TspE3|N3mh0o3 zpZq+1k4dN&#A=zo&zH@T>kcP!F#!+h3=Ap_*H~lMP?pj;t`4E9HsKX`<)`RXgY$Ww z7j)C`bPBGJZsEju!1_Sy6G{OzOW_gX{vm*yy><9iFjR;wZ{>V7W7fk|Z%CX8$2J{iGH6DIGp|E=O=%;!$d4Mmxjeu8 z_A;sE8i{UopAN~dPZ|H}3O4HSsK!&038k={is<|}I%m4eCyTRtx%yTEI$lbSe^;|d zlEAr4r^J5e+9E@PUS&wDE0H@vnK~{7VnT>11m2?W-4idj=cKHO#(+I7kM=ZN$8E*< zJ#j2TjxqGi(wU-q`EMSw6%5dIh7}X18WYG4~*JmCn)6)T5E!O05FN4Ov`eVR?aJU(pAX8 zZ$h>uw0JS=vkpM!Pk!-)nW^~G-jiLj{$tKM4cbA!!58Iv$f@AsRKzfhu{NHWy2G&O z5VOO?#mgL%dk1bRvwhSK6f0i^f-1ABD$1TsDKmV-zG_uySg@r`Bo3;<4Bzf0C#;`p zjjC3!{t=+{j>`gvhw}fko(^rnYg!aHV^*Cj9*Y$tuUpa-PKwnnx*>0PI7uy&D!} zmIFT}Cy>;3eW=Mff;t0qV%+BzDpE^-U}IRJ^dvIsaXm6K^sDQpJ5ab;1rO7ApD)Q8 z4F~K5tGWUTMtNYnTS>`Yy`CWFIanLb8vg^^nx`)0IHS^mB+f_66#Ih7 zR{OJufBQ;-N{=cN%R4>7ZDYJ9&dvy%DSiu2bbF4VjjDH@rPT<*fn#pR@0Ykg3lqR; zjLo)5sCu7eR4{~#gef?{Z0WVXByR@n^8_oNP5 zjIBPr-)V_NU^Huf439o>-S@`G91GK)JqAjjrM%?@w(~lxg&UYJ7d9p93Dg$hdRZLF zm1GwXuS8@w)lQVm-j;WSRV4(*s4#$`Be*XXFN%Im0sD>Z9QGx|_M0ZyxyTmjs?Opd zYOE9yXbQiC*$2DZA-(j2w$68GZ8==%kY}6xtlugSPmO;fboe246^j=!R!#{K@SH}9 z6g!n$(m;WA>*s^3d`2En z`8s|@Y=ZNzqbSs|L+F+u@H)-%luT(}+HpWHG?e`goZ+I2ZDA0gCm<)2^0ytFTm zhc}nkC)X$Em+wvvp2hVnF1ag}lb)2zAgcpg1)qv&IKZl(i=}^cd3N^t?G>K&_|KE; zYnLe4*t*PM#%*E|aX#9Wg$@6K)dj=BEBK$i<)l^IT$-{3rc;WMCE8Z48P$Enu2!U` zM7UW>uhQL!ze!hmn1JD#$L$!>-uR6vR9jupE4bA&QK29_fuT3@YswUdn|mtO{Fs_L z=n5Cg!XSp~(ZE8pL7yo*fQ(mi{W5+?32@F?7A~7 zLN@}o`_7vM+CcRhe!Yj_I{qz=n3RGB2^PJdj}xsV#gQg^lcKIAp{&VLSBZmv+D~=@ zV_sqOXve~BFf53%>b?s&k%W?aPiTR0HSXcn>8Gt)4Y`qBb@I!blZ)e9402z-rE0*V zgJq67YZ}Jz$w?S5ItB z5i6(IqC&gJ3$`utZ>f%lw~(c`txbj*dx;*!$0ixf1MJQt^eyPa|Lp0{o?2t_Wb*v; z&!7FASxjkUFa?Sv4|Q9xC%S7`mq8?7@i|0g%dNARG>Qf=wGR6FZ%Q+}kBh~!sNAPz za3yNFj{^c7{zIX@?qHx|rPeFOz1g27nC0Fk(q=JFl4{n3GWau3LhZ$-p34%pIr8xQ zDqF9M-#7kfj$&0xQBNDNvfsPT+VDJ17nZ0H{FJ=kI@wXM)M~YwbQ}Ify+Xik6pfc{ zWl$(nJE>oVyep;){5CZZ6$JqZyq0>~GWo6~!2p*Y3!)3Wow@t=X;0>IEH;fPNQrTh zqz6|QbuaeiKZW@mk?e$2rV@oi3>d*|+ce_Av7oRoWDo67*la#%O>mm2f2z3uC&Upp4cUzsA~C!eL9* z#EV5bzH^_>z~e&*c6UvMYwoey3aluY)eVZv!!J)JSQJF%9r%JiMtHseH4>)$oA^l3kNQ+?RfAJ(w1U6c>` z7~$k^HgIr$lP>PC<7Y4zk~e9!z^aIxKfC7MWN?q!Y%l~@h>+uFDQqywOUPTxZBGp^gh;3(Hm9D-Z0 zDDU&%{);|UEMY0rjCMJ$=I~o$$U^@k*ynF@T>L{=^-DYa74NS%V4uOXr*XJ}Gj)hj zMcBCT(<+CzOEx~$hLp5P!>BDr70d!Z`T@WFmfDc?Y=b-S(Y%byLZtS??>}8NAiqLg zg0H~`EU36DD&@#vwNmT6V`F28$1yl@OKZ zCd-$|eoMvfl1Fa|ifOQ0^89E`c;;2C&&I4;olf~-XIRuao|nXFn}$^rS)KXkm0C

>1uAdA)qL|y{%~qB~+VLP3#grbSQku z+AoTUx$=fwXyzktn&92AS@Z-V;pm^3x4Dk{x=saQadA4_|JKee`v6prvrddaJBJnn za_9#RQQ@Lr2bls)B+#Rg$xM@|ubdZUUFV34!AMC{VOnpBu|`<~Bq9*F!dq6}4!()g ztHa3z1JB1`I8o#qJ>g%AukO$wc9u#Ki~ylbRn^DL7dh$sCg?0ckKH}0wuLLR)Pny) z$*Cn$);r~QPFv%Bz@(73BPz|buuHA}uun<8g)15pcq3MRVB!*f#$3}ZX-AVJoE*XE zTa`krcj6sNl2Umc^S9CZ!DxCt?$V`1Zs)3eFJewQNj%HDlYn1U`8^EX4A~;2w!6&3rwfCcekPz#An} zbc2hGUCJ$cWM5{f!||0tt#^w1n#{<9Js`5Y|^$x^<%5i1U24%B&)yq+CRlG>FABS~{qfMDWBd{-r*6DrbWd zn$)&TQX21vt0TQHbFMO6c)amp3G__}T)@iRCr_*RBOouy64|EI!9T0Y2e%w~vBiI~uAJnKl%yi1) zmLkf++Vr?%*-=w6wOquhi3f&xnFPA7!8{G+NX;9SRd9$VdZ|xMB16d3;@*Bju2wU( zFnEA$`Fd?~dQDE$XE3@!+7{yX<8lU+}CvVQ{*?~N`tc*xIwB(!@p7U6311G&K zB*f%6A|@v_F=BbXF7XRj=|-!-vg6BO*BwgpQ2~Q={S5v}K&q}Zq(f0*z;%%oGnn;3 zo_Bb2eEIffAO3?0C43IH4W!PDl0~uwxpW%yw!l9=``Md*$T;dVTS|k5a(@i9dH(dX zE=duxQQUjrxaqNC+OJ?+K=ZAQH;LJ&1Y>13XQq=xup1ZEq-4#&=_%L?^=QTnkQ;fOal~lQ8=c&w@5M{0KdHb$9P7X2CNnYPk>YimNQ(8A8 zTUHbFxYf^~Ch5B{(NPw*D8Y?E3(s8JjYyOHLo8154~5~-@!Wo4Zgd7q!8||i4@Wi( zZ~o?i!$>cf5jF9mEgaGwRII_}jVqwKYK@d>N6TsYi7#c5e-ru;x`|maVmp&8jb|5L zvhQF`8RJE;j=X`w@^dkugH=dkP!kPuXcrYgJB1IJcD2^o`6BixS5B2l7*ltyDe;@7yoPYOuf_zH2t^UjL;|+Ovr)bb<{^J)+UcH>43z8Imf19CAt7a) z4!p5Yrnt@w_!3i7mW|yL?HW4v*wTqAy9K1ZaRCg9r(}IMb4dRs6bgW8iDtQ`Lt)_X zwr7_OIao4Nq7I6K1c7Fsl4= z;4Emb2>~-skwPxD*cCQMy< z^nha13AG&&DU!yDD@j+&zb`UI_gUfLOD)|T1TqykHj9na;YdJpLNIm0M3$@{Ba?VW zk!hx$1QQ_*>dTlHC6#ldiI864moGP98m}>5y5CADd(sH+WLo(PyM-L?AHx5Ui$*vg zAxG6p!``j1JMsdgx`}aOu%e zTEU4`9mFGw36{F;{bSsa@q0v5L!7BZ+@2M2&jUkN2|-$-MnPu}i?Y}(kr>GJ+mr6v z&cQBE)I}uv(JV(vGh)a(!%XMx0U?UHR5tzex?KcHc6X5Q$uX!Bm zTjXR@_ugH<{HVN_yqFtoF_@j)mFe^xba}@rs$HPYadMSo@hkr8Vt0K`o+1 z?0yoam(qd{=>?%pbXB@Ajdbiql}~0__p~&Pkrv&{vO>_rd0O8Eq|mKOA+2kakGNu5 zA?RsEgxyXhg!+*X*r)Zzz5z4pvN%f%|0eLYd11OO(@PgfG|F6$Ee`$7(bX5jZ04fH zm(wZ6bp4&$D`LwOfR;F;h(QEKFPU~R07EQ6@xv*Li3mkRv1^5hTG^+Jq1nmxahM^) zL!G`mb0t@6X3BtHwIE@XTF6@JADv*TF3m+@R7RI>FqNuE0ae+T?O~++>&Zk4F4zpl z4~C_i>oxU!k2oKQ@}F;o=dCc$dD+Ui^B%=7G*v-%(hamLcI6vTXof2pgUZDT60+jg z-AKje(ZO0FO=}0wGe+oIu|gPw;mz^s#eNv>YT>kfY1x)4pDOdoN4eOSe|YcQOLDgJ zPh6ovI+1MSOXLdkISjRTdZa$X(OClR+@>8WaOHAV7Ph_1RDp=KhD1e3qRsS@taFEH zxrWU(bAdPb{FezCMD{Ya(1LIV2~&g-3Z_xu{_YZp0gj_ZrVM{L1P&$8#W^_RGDm_R zj~9q3A17SzHqQwBy~;>&)y|}ExCX|BKQaYr zZP_?naZ?_IS%yBw7P%qG=lH7hFcf8?j8f9HV+>%j`X5Lthq8V+#S6nl*=cU_jcYCT z>v>KE{!1@meGSCh-(!tc2w$e<6!IOubj8y$juZzeeK#1^`HUrwRh_ztEeNq#TH{hq+qG^8;X zV)U>hQOOh>`a(<8W@Zn1gm3{80@Y}G@1OOg7M-us9GNS84Ujl?Wo7S)nqB=tm|ke6 z<>{i<>|c~^p_jI^yAS`Exqr}WCiOp>ruUdIj)>uGDW65B{E@JWl9G>XUStg@Dw&)K z@gCUO#~(SNf*@m2moOAC79{ZQBpop`js7n^*%-6-c*9Xfu^?D@7nfH_hn|6!<;huz z8C#-+O;@SnZCWLN8g33ktL}ZTnOp^IT+Wzuv?!rk7rzcwBcmgL>bJqapfRpeSNraO z7QW16nW2S|*GoHKEjZI!p2jiORxvg28KHT=!$r&1l&~Wv#mb_annN)7&e4!vM@F`k z$Ua&q?Q(K(?G>yH0e!{UtI!n-4S6yFsJxRVIOaABSr};X3BBGz5D zZ@Zm&ofcvuMk$Z@cMnY8My*b3bE|f*rghL8ZjoGh|I3hu!WdvtROM{}y*TkxWlPj2 z*yr^Mmlm{B8;gq2N2vqL-95bZ|CL3-J5Mk<0++<9pDa_MPkZgsp9($uu&ZZ1{5fua5V4d3e%wGwcuaQ z+cv@*A5GJumN&q2)RAQcZ+fp@D5`yrn~Mw`IGlK8a4ZtVaOn5kE$U8G6-;OyrIzaQ z#m$5ecS5)U*;7vibt#lR3HK2DvTFy;V-=0emMC}9LV&?LJUR>D%;GO@qV<_!mEl;} zfyLA{=o=`XkVGItZ^Alm*mIuCYz7k=nDV4{Br^U+R#VKVc69aD ztVo_$_6vmg>iU!zkocexB5GYV<28+i0c3e~b9}DQ{fq!O_6->7HdCj`cu!}2G)r>1 zIZ9G@sM}*ur-SM6FrZy{lWlNibn)sai(MkTEw+fV73C`3LYfQjqL?;!d;=>;PrEaF zTOn|ygC@#sN-GrJE2mTNf`ZTjS}x&t^K=2=Us z$TgpX+mQ&=SAzTyw-Q4N1j)~r@S5_JaL&%yuv1!z9Vpt86-2o_2^g8v+-23MKE?ea z;&ozflUAXbeo*t=;(bor zj|(&~zMd(Fbu8nKHN{wYFFAzn`w2%Xmvwj;hBJ?eK{=Rm$n3!yj?76%hC9Y5oBj5%FFp1Y}?+h}_$Qh8@>(oi-9;JnRB57U{cE-kWYPSe{q{-kedmIY# zE~Y5UIU1yh0ZEZBv_XA9{CRK>Fk#-_93?UbIq9QUwvr%@3|ne1(4u1?Y)24ZwtaIq zg|h9Bpds=94QT1<7hgQJ3*_k+PoGjah2oW>K@km5uYsn#76rmmHcq}?&<)}m_+kgI zln@RDf^IMuMVqd)j2sXYl-lf17fsEjWca832mGH!TCeqqA`lA}2-E@kzy)7jQX`uf z(6-L87II4)lSmbeG~7-1Z8!3WEx^#_N*81codi#8k9!W5`^D++gZm{oO$&r}aN&e$ zg?EIfUwrl%EN^;~5-kzmhZJiFGK{$60XQj-D7x71^2RGng`K*J#X5POLxeH$c7sid3ySWO^vCAu$o+ zHg8rXV&cYGejn~r!_!x9hu6|gy3A*T^OUHB>aD7lt|6yx$-E4()~?g#a!wkB9ZU`M#Soqp>l6=* zdY1a8UVuG^IcG3!Ut~p|F7u*99)Wu*Nrtb!!>_OocV<3P*)`HNq}9Sq{@2Z@lf^-4 z8M2C=(0%bHoflYO4(GU|XK;<3TMh^1Y~WA--+z@=qu>6waB7Sj{E~p3N8lAL#%U;) z=~{Ed4tY5%lPfsbbF5-N{w`g>+44Gttr{Pgcpvgj@+yP3>1ZHs%Bs8z)I`CaP4COa zy5Fs~`7#~lCA=oAQT!C0%~%aH;Cna)>$^y0@HggVwL+=~==XAyyujN3M`SV`A;foJ1=TOgx;AQO7F7B2w4|31(kiS@zRp)C{fIQ7fkkNS$Kkpm)~Def%v0hxfYIBe zW%5hZKNYHit2|p1l|(2#3Gep12G@1jH}8{33C?pNCE$-ktV<#0fl*Gnld$kBRi1=y z<9me(0W!)w?SM&JK^pX$%haKo&nYw%rK=L=tnbot(MISe6!}2isuN6Ia0PtFXNg`U-RU0VI0rDEd_O z2X^%d#|W5mm2TFT%Dgqw@L@8d$}<~!s~hkHtBrXj{C|7u`O5uDMMH-HLC!dh*D(MKMN4Q-I0zhkZ6j=_` z5VmO!byJ>t0Sl@Q(Gn~EicpFcnjq0!_54|rj2&F`M<)8UUcJNL zVPF<~(kZGaBcJ3SL06dXkQ-rCu&Wd`&2?1;#+cGqCl@F0P6$gXZjTM;+pIK>XC0x% zV|=S3RJhOO`_0Aim3s$aRK%c6!ZBO$-$H{Ik>=XwDGm;k%nluspVpoGI=!+gIh-KjU|utVPFXB{&8?e{+c*bx^na~$ zB!B-Wk1*`dGwoC;Hi*8R5s5Le4!4@=ojBr)eu4#N_nEkbVP@OHY+-_3A8t{PdQv-~ zr~~E5*t#z}aj77d42Jr8kk=)qP{%NiJ^2Mirvx2>Qc&x3x#A#+&$aO{Y`$xFnGnZG zM-jPB0u+70`G&-TxA~+;hYi}_iYL|_10L#_L~0Xq_=0`{3vuby>5Fri@DEw_?mT&S zdg-#|W(PVvx;jNmWsNSn4K{TUJX@AmH<(7Z(nSpnQ*I}uP-Im1Cwa|!s-b#-y-yc) zZV+DoDCKPzC>srvMLxAi?qpl}F9bhcCEcN69DEww)iiz3lMPw}Uer6N$GjtN*eu+m(ZI82D5 zF-XE%VD~Ijx9cRsx5JY`y+)!zu*=ftpMQ~z=h^rUtT@?vjh!6C9U02Z;aN}AVArML z+vl6T9f9lI@a=50>GdJpclh>vC~8!}6qpP!s=jsE*OOcL`>iDLZZSSwOzwAfd2Hh9 ze_|!LrG%|Vwo>M`tC^kMR#y;t)6p06sNwLwK0V(*zkJh*)D6!MkKQCmc%b3QfTA6t zyyJA$>s$>i0$fzh z%jc3^<$71XXaa@j$3Qy_!{u0zy4=$FAm=wo}L|W9xy0yYo>5wA`Ny%m6Fnn zouBQx9G{h05B9gm5=mxP^>}8L=311TwOdnl>gk%xTqDxCc2R;AN6VF|z}0qy#4ABg zSodq8r$6wh%Dv=@9nivM7^Y1{nFUS?MY&c^Iyf~kLujw~l8}OnV)_;WWZL>=S#b%F z&aeexG_`(wW%=KASShfqN)vY3uaSv>;m2~R&*mq@nl3M)AApdU;wZMy&~4l@{M(6AO|0bUtOva!6Y&7}e^Pi5t%$_}c z7GnMn7Yo4-48)rT`=enfCh}`wuGXxyF5sBy-mxSS@p$aJ#vk@5oHxvoI)yzfgVP2MiH6aB%gj-zhIE0OIVPB+aOjB)*;zOKR|RM z@U^5uBHx|d6*;MNeAHi8M;0ncFk=m8Jl$MC#6}F}dGrZtR;CJHVlgfI(QLE976tM) zB>bW5Lunnq_Q*!`f3YVBksWkQp~rfSh(qr9)_DkzKm%8lL65dPa4;34WyZ286#=PO z2ZYW~DVaBo6QfC3D6#b+bd^*Y?^mXskBz+ZY6NHc7JtGW%e&v@C-#ZPi{EMcWqvF@ zIH@>~hF2Hg|1~lb&-%&X47r8DU%H=Ro}=87C9KvT+#f2q98*v054l{OZ7`=WxyzaR z{e5!Qz(0^p`zpPgAh`v8aLs*-92J;99D_%i9Hna_fuEPf25Hf2qSJW+Zc+{#*#$T# zm|k-U!&XWoP9?r5n=#RTOHL7w?YiDbG7k4Jk8!mQ)aae2>iM6qJ5E zZy6^lo8SE<<^t0Xm`6HUV2j_@bs|?W##KOH;NEYo?p25^@m;&oALmF)O)Q>Wqt}S%fF!2dSD5kT% z!4kh}L`mnE?jBwwOfi_zt<0#;aQT!dQ}n|Oc$nqL56&N7XUm$>gI~i-$>8Jn|4Ub* z)HQgGmPUmM%kTdmB~15bfkk_;hB2X(3SmBetqb0_}z=SOyO#0LD?SBo2WS%|b;}0Dy`(0VlMf3gN)VL~568ckk z@_+Z|M2t^d;!8<|#>Dp~gI|piI{?>J8<#XaD$#GFk9W{cS@UZaPJGFnZY91?ju!Ac z8ZhF)hn*TGCAdB7z9Ys@URAhXR{G6%c$5~fWb%N6|53L5#iP9V0fGLoT&xjwsMj^< zSY&rGfBprYE!2DZ_gwapJ$OM6mSZza_TH5XeDh#QRVhP0uF@K<^Wh#Yqc@8(qa<*0 zooBd+HkuOl3tk!bn+5Uhrwf=wG&3T~{p4y6^I=7pMhr|z8reVRhs`AW-Cx|5$iqLy z0ee}Z);4aM_|=BQJrKWeofD=6#`pml`O$It2EKw}_%1U~dR-Q<23eSk}cs!befmdsKv>TFo*&C$Did*jmV3O^1FPQ{)oJGKl$N*_~GCD@E?Ew zui$_G!8P~8zx?6f{qT>!|Fa+d_J_ZRfBoCv|M?I9{)fMRBnkc$$^2VM@SlDahh}>7 z4U&8G9Ne2Bl@$7R5JRcX<$4@0It#qin4&M~p%C^CxitSpL z#XQCw<|pQOHY{|`1@$QXRdJ~KKIiIHA(Uk{;h4o}p7|!9`zA>r8liL)RU;)_`$$pu z!AilG5>y9z6@g@dMPIOk%@BGW1Oqcm}%GU!-%9xHYRlVqbg>rdZJMOYSC|G4?p;c{H0X`Yr zTkiX!vU^hwx<4b_yjUU3%tLOtu4&3M8wn$^`3&>=9FyCN?K1=?{PS<7rp5UgFydF2~{!{rsm!5}J+YEgs*<4-^ zM7l9;r~zGn2niL0%?P30JoK<~S4~iTWcvVfL!Jw60SA~Nv5_G0iY9Mvs!r>U?SYg7 zG9sN=(dhbz#(V66wdSL@1}$ zs1tsGB$^A3>S`IXZ-jjcXM6NVC8YQ8 z9*sir#7-?Haj?*PiiC;G4zUM-&Djfws^^OQLID$|4h&6#eBI(<;9JxpqfNi6X;p;f ziP$wE;G5>}eJTC+J!dc3!L-f)?x#Qf+0UX`s!5DMoq-w*2d-gMjbrOPuW;H_w z4CTiR_BnY@5)o0|1_o7WEFNVJX{*r#1n$L;Gs&xiWG{~8uQnKxaO-z7ioBxay$Ms7wmTX7B({s&`eupBjCMyr%-yefGRq;?DhHK5hLz`uQ_vW$r2P`&;qmZ9vIeu zn~XD#;ZMf>u{p8vy%~mnDkNOR!WtWB>`XBK!kyT#1-WkHgVk=}xjvLRGBH6ng z!P9bGqAN1e@;@fQU4)P{KGF#26gP{rVZ^hi&g=tI-C|x$7Y(B6tU)M6Lc;~AHh17v zs0N3K#&rKA*4$Au8_?HI#)p<{W{WIa7ttpmv6JvDl8Yp1*Qc4Tg%;5 zg25*IS=&4$TyS>5eoY-{=;ymU!aA!&IW@NYJQ@gVmJEgr%`#3ZJG0ddz(EIo0Dh2;eYps}ekcL!J)9Bh}T*o*i;fbJ$`EIsY1>fYm zl=Gr4qzPf!6kffxBj4?oqgsAL0AR;MlGDh}BG4u*tKGYN^&`3tMkS76)cegY88Gdi z+joI4{7Lad-jlKDKVc5gCS!NVQ8rFB*@xB++0`int!e)4#kZD56?{SNI3?TpjNloT zV!g27!tNb;P(&Bz#e@yPkPvjRA8N=U_vHC*>CwU^;PlnueG&~X^9;H(GEJ^e4v)V* zz*@Yu$974QKXMEh??X;Tv!YF-DA@-v90xT~Hd<~591B9#*wIx}loM_|cc`uxleuaW zq&ykw8e!=82QrAeACQkkxDBT)si0wHN@Yzk|D5@@v)rEMOgdMtuF87tsO)OTP7s#T z;|BI*BFgHFvCG53p-`f`vpxp`g4n&Ef`XgvLx4P>NMh+rHY;)ReTSB3;b*N zaAp-+)a>K@e6qT)rP%#KmE`L-?+Q^2Y~xwcYWawePDfd{RHsx=%OF;}U_}gxVMq+P z6>HDeF{+=)eN*K537e}(7J~t_0adG`cd*OaOoYB}ZvF5{Mbv_^f9_F~MA8VHdj2_E z#T0lFi|if^TVZz9Lii*VDC(4|)j5QNfs}hfavDm_urYeu_ss&KDK2O&en5vmWFh=u z6MvlL9Q6a5b$OA^;B2NjcFJ192_~J9m84RBvoM)_D7d6**Q#Q zOw^a;;@A@5d6G9w*>n|q31!?tI3Yf@j7xP)1(NVdeC zT~#@HSo}?EhUng{KiB0%s$!4S3Q8A)XrS*b>;mj=EJd7b3k~(e&mh?n4Y8dmk|RCc zfQi%kLhlFanNTAGDH=U^yf92OB5h28Iq{I&Of(V|R7rhPn(*#h^BWwDsL0r*0@=tU zEVr~m0zu3c84$pxLV=qZez^d<9gqr3;daodjX6ydE=>&@B^@RNvCdp7)(Pis)P3xj zU}P7tJhZNW;kUz^lk?--^UJpvH@C+p?@o_SZePHM;{=Zz6{-yivUz5WknC4_6r#za zN5sKXzM-Sz>&tWN8dfm5d`Y?{q2W5Q?}L`4CWHuxNvJA|$pRxGwTy4Dn2tsI7Wh3 zy^thsu8>*&DYqLD!7Vky)Umx`br+tP1Nvc9d(B0Un8%VZK0Q2>#Agu&u{<5tkmDPn z=15=LcE(jW{&Q_nnUsTro*#ne8a6Rf#%cHaAE{lEtzZ<8tBcb6ayWwxcPI5yHcL(1 znPN{qpqR>6&`sX}&ZEJAes*9AXk|v)o9N8u3(!P`%Ai9m=14=c#M~bS+&Cs}-~W*k)v-2Ri>GK|QrX}92fEH{9YXp%~m zgoMNUN$(E_PoMwk)1US@eQKLqJ2(RJ!{Kl7!Cq#gssUr6x0jq6J`pKR+<@2qK1w}S z*@~G{N#?tb{YhVq)!XkOu%b#~m#M;j+J60fZ|~Wc`_I36`n0DxUuJK`Eo6?Q!3wRkNobw>nC4(0$!mN^gQciRcbtIw5UMNf71Q7fP4b(z;yTNG z^6dG~BBi#gQ!cUMN(14OfK4wsJ+58Qg+gNyV>$c4>Dn(e@G$P;Qi9N-wli~bOWnDh zW$Rn{0Tzhf>XhBtO%N4+Pt3+xb72`SOhZ8t3Op48h6WNf0_VCc22}P%7_+{Xhm+i) z6yAq^H^yA?d?rPCxG{s}FozY5Mop<4Ohz?p2l5EYw-8|XMJl6f+13bw8N8Zje^ z6pY2HS%(Sy3yP*6QuO5@oKJq==Sra-k(p2+R(e$OGMDA1`x}vD)7T8$#U9K zGJ)N!&6MI37)v*)?w*{fTYY|-K;#C)JXpX~C;O-NqhxM;$(OJ#CLd7J{<2tX)WhxI zx73j*6^USBiRh50)GlqcsWS*HuI&-Sf%qQK_&<k_~(_oGpGKw%6; z2P{a5Bu9jk=50us8WsxzDT5RbE79mglLkDX0<~KH|MnoE@rj~WW8UymQ>!OkG9`Nj zv$2M>rNVjaEOxc%&BIUfj(FnKJa>mVM0i$BniI^Hst%D`+hKED88N4w79x0YXk#3j ziEcDK<;Uue@M*sK3jbIA9*$4aHY-=z?Un5QfL#d8wiyPHSsUC7k<0rh8?rA=<<>Ws z>{e%GWZ||}Oq|Pz%N~tKjZ{Y4cThTU@>uHz`DeS|3dY83LM1+CYCA(%98)>s9u(PD zr4NBQNrt?ApHeWs6Vagwi-BP`r(=c17t#G=SU_bQ02XA~GVfBYJ!IC;Uq< z&Mu)I#c~CPyKZFWb?lflH!gX6hUiB3c~B=jS8*}CVt`k4YKrZ4PFgnMs+-x6O$Ast@(B~viuruew z+mP)Py<_Hle{Yr%7fqNN1{=7?8I8lL6WC2wLYt<->P_~Y+nR#-S72`7MorQBrR-Dm zI>cKw>@}-q1O^+K+B=&}x!&`TdZOWTuu49^5z!0F~zv7&>&xD zTH9i#tADZ90Fu!fC@?zQaa-o9QxI3>gk)#_Fd6M~mPTfG-8pdMv_X#5 zja2a0Ha{dzHI4!04wovzW;C+#M{F-kXIv^Z3>B)@6ozly{P5OV14J!@L-At#3IZP5(hu z!OpIPyLjG(_A=N_lrBn*ARr5sMKoQUU?&u%k6yGi-vq_b>3C1`s$P#|*J*D81cQ{t zXb(L}d%9mAbe`@`n|>`J#+nOa5fWqjS4hY}66Vu%QD>4@s*phpyGN)_H+$>uU(^|=#qazrQ&pk*;TSYu2XiGre9$9AW zfOT}PZ6birto`lrU~xg{wiG}we#)MRBU{(phln)qrb|6Ikx+0+c$6u2N~L3Y?JjmH zbpZv(#x*|cV_iGoA^9;Kv@;8T)u@;>MXgNV&_u-Uix-Kx9Mq{&P@?)y_E@r^+2Sj6RJ(!^>cX-Ptf zrx;a^d9g{yD74SkzUCczwIjB&pg<^)QEZ|r9x0Ow!_F|}rCOR zWDoY8qoaJAF!iAWJzK2@gf#T)yCaJbh0r1=!p6!>asXW=oWeep5;e2xaxN94BB+g; z>qY{-_RvVv+)-dWSXJ(h=V1(@6pS9eynQ#kJbL4_LgS>RWgU%lmH+tU{OxveWwf<= z&I9X7fU&^cm#So7~tD?#NhhY z`JFG~GU=dLycQvJwG~(@R?wPK)-0`e;4<01itqOccc}#f@d&GLB$p->zvdAIo5dEo zGW5nlas!;(p$aafiN-JYqd()bVOS{EM{dcZSJ@ON-L&C^Wr(UT(@CA|pug-OO+hdl zt-JwW*P^ek!L=$DqytNNd9YrdeQ}<@z_CM)(uC0D_5lM4Urc%tCxLR)v)e-MG1iCa zl6K)UE<}kFWNvTdYGZ6-p-7s{D38lSsG~dS2s*Z_2w*ci}oJRC!_c3;|BalhPp$Ro`Xs-9r z`GYR?c3UR2S_T?OaO<76URO90u;fOo23jynQOx7G;l6}HYq@nD?L4Jo`dlc|CWK}F z`+6Rj#28Zeaac*+{8#yXxu#s(fz!ndY=7^;cG~zII0sq#aDZdmarJ`puc%FPO!Td= zsOHq=e)S!D2=@}x2%;ZamQEwpyk z6y>z*3C`i-=Blk!Vg&1j&Op;q9`@|){a0m)V(A9l7!kJD_AY1|U_JmHO(HvC$YmEB zQ6$CUi2JK-Mm&?4oW_P%7;kn|+wL2<{yR?ok&9qQYm6bmX1PKHa$tA#27*Kbi`F<* zV7V1q8%w5-^~x{Ha~vg8_wkyguKK)G1OETNUT=m@j+5lfU8aGHvCMj+Uu z5mVvHpkzF`AKOZ;^dZD*aA%K@5l&pqf-i9-qa@0X$mv3`>~%#2U?}7QhNtj_A#k^t zH7RMtS`v&f(M$UU$@l8jjzx?4YJvwb3N7JW#%F(fdW;l0QyL^r*!$cRL98OCDO1Qu zJnnLwc8KA2Sm;I)2Mv#&jpv$lH`Y&6I67c03{85naT&03gS8(~jRwqa>k-=swZ@G- zY}Abyz z*Rk_v_$GAM)YqPLhHk5jwh!LJ;0S}=s^)_G5HSyrL~3IrjBnDCx+nGo*hNzMZjr7? zc!LI-Sd@sTjD3^sQCR)s~vw&$dv@+EcTO`t*ykSvb+@ zN5rQ6dxc4h-0Jv5Z!#i_$G7kXb38CmL=pZ5`AQ2E5`d!&{K>l<$=L^Yj$Ylh7SOCW zqZ0KLuF;!a^tUjqV|1jcQzQ&e5iD6GMo8ctmu;P=cXe`+HcK3(Hsv~Ts}E=sfEK~# zZu$}Xx@)kTcKzhL38oO*JnRij%e+ip;;Cc%b-4g9m?YGf`8eG|q7EO2xHU`+JNkIO z%qJ?2ZAjDucJ<7?kdQ+iKHb4)yI>*c^St_y5-Yx8PfwTgO#{})8+_*l@u!zlM75Q0 z$d%=&gZ7+0zroGUv!J^MBQ|s=s%`1c(NjQ|=XJTn7OtVs1KmySE(umJ-2ygPcpT_? z)_ma45fM7f2b61mk;AGe;nrY-E;q&dz8S7+2K)UL%!7H6k74fMH?Sx_ByXz`?36g2 zM9TXGUR$}3uhZ{}a{R&Uy7C7@qfQFp$@%yUJdL77t3KQ;?$PtSfmy_SU!=3mHhT4tRy}4@f0y5_O(gPN`n$jR?Z3FoY3t&@ zLLblbdHNlUFp=S-kOP=7!)B4wB5Sj%`zb-NW7Hi0_jf=f_%#ZMBY82+mwxgsnkZP- zgCPi5f!ND$^W+3(=GRSOiP(!j&WZEB`EfMt|K}h6!w>)NhkyV3KSv_=AO7FJ|1;O* z5C8Wc{{Hv>-4Fi=U;pC||MoEw_MZ-(K5LP%KMzRQ2{R;U9!V>nXUnqM9K#9qO_i^+ z6K1bE=sT{N>kP&ROz)VCTK_Ke2`^!FU^&ZydI@BzW2sBbx1v>@rY$z4(Nh>@juZl+ zJsLew`%Jmd`ALW%sSK({oj38o_0Q=82g&-VI7o$QTpKMO1gH7fi45E>PYA=fhU|Tb zz*+Bui4Rm~t`{DZ6QSEE7mPKkeFtq$P}h%xOjBt_$_Hw8%pyMG8}W#*sc7c(>d4hs z2zRI__#s*WxFRV>7-y*;qv=gbWoP2VkN}6I_=B7m{syVk+KEQeJZ8|}8^Tzemy>3J zbD+C(BFXA%>P?SaDyAV-P+v1#8-n#EH;*n>>I1K*Q7TL-ULC=a1NrOEP4Q7a4KnpC zd=)&WJRfssxd#ggyA=6>%c18=gHlaY1hAlT5!PB$fYA%m>3k$Pf(c6GNbH)z*6JVxZ@#-JVIV`s8KIFlhiZ^748IwCuV2ZA_#AtE;!%#*eD%w7L_Q*K03RRWH>5$ z!7kcor)e1oEChGg;n0wZ3ru)cIfR8~I0bR)n45LK)(xI$ozJoflQ`Qp^{q6$6ENSG zQUFE8a4fEyRlWjxkxw(_VsRs2^YTG*hw?VZ-0EAnm>33aX#-tlQ{mK;zwnt134IVd&T}uaP8lrK1;5V$$wg@*} zp{xtL&kQh>1W5(=L4_#rB=#83Fg8F6gl5BX(Le#PwN}1=jryjj|H1|;FJH3TET1?k zC$J$cDKBZ00qX#nLIY4pJP!kp4xnkz!>jJk>vd!D96*q@apiJ z3#4|xJ$iL9>Esco+9hE~rX<>+ zoDRscTM4>bAA{#j6uqZ)AkUlE3^c7NcM=TAIkQb+4BLUG7;k9QySXAA+Jw`t&MA;@ z?#7BC_Rt0+U%AqBWKjR%@anX0AvyeT;pS%QB;<7%!?qK?HE;s)sV~CiyIG$(g_X?1A3<?8L#LH}wrKeRXoglY zmY(1jo&!t@2*ily)gmQs-36Xh?w*hD0@^qR%u(f!H^-Yb7`Gqv#B*aDc%?AfGBC8c zZ6qKNC3+U6-ET9NzSUlCe!Efs8YIKW>JHYcQCWA#X>A zSjB!e&7Fza7^!ayAC&_V>-k0jD7znGt(aTDs)r*&9+5-3-&R!q#~Qd1Sl~x)JdR z^|J8Q0~GM$+ggxWjfH^oa7)h?b!Z7t>6rv$7`u*j&S8CL6`%+rI2k^uMHIj(W%@k4 zVzCkI8yUhdh)5Apd4(ZWQ=!lef*t~4^k>d$qq%AmTC3Ixxc03Z=py+=5uZ&|F55IiYGK+g@d?)+o@pwh;tx^or#n18KvuRl1sU$1{nUcq=Z{+;XC1 zUv>R{Aiv+^Ziw?9{c!**R4zc5x2vX0YOQv@+?5EI*3n56ih(Y)dCBv-qWbU*YZEQs zt7e8!7v>*0lr;{-NwGYb+(-gQ7#*0f`Q**B)+gB$y`@@r)BrjoZ)z+pm z7ad(*eM_Ul0+(&C12=2x${i+{S7eZgt-{|#5jcm!iFhbiqO6JleDCH{GjJ@zq(lxdQ50fq z6yu5eVmeJrx2cCke!`9*toAKg)OERvukjwlj$^i^`ZKAgz}cY}+tX|sdV<~7uRQW# z27~^PZYEe>P!)of9SkN08oW|M1cGOpJF&g(Vp<*@s};M!ojnpxNOBJT)1UoS?7+cJ z*hsaezLb_)7tupR^pOHAdiJHG@6+j0|z zPR96d#5yA}swhe5m$%=%J~=tNJvuu*dUJbt@#^g4_VwlU>91giI6ORe{xwT z6LjtIhcKl=rO7GyE4VAr>Fit9i6~+T{=9G#OVE_2F@Bn!eZoLUQ6QZTrN1r%NU&+C z6JhK^JfU;49`AGHm!k5{f=7Obf%=(*)--%CJ`&irX2e1!+^q(QIj2=P&OXs>aW~Z? z(5}xGhaYYe=}f_v!LHek@;M${HQ;J-4v2l1HdPkeak^k!Zm|wcMP{WF_MqhSN^2GL zl~9ndovu1h-yeC>-K(q`QVQarFPpPE=kBaflDz;Z8n$xKx!*h{Byo?O-08g&E9mI( zqPOdXJ3c#h6X zw0j@>y<8@}^*^VFh`x=aGE6JKJ_Bzn)XeajJFT@dT&3)K-e9B`b5`XT;ayi%USh3V zKRKMypYvtr!w$!-?F{8`l6Pl^7f4VeqiQOsiA1K#Cs^DlNaSf^=S>AcC{Jdpuw&qluvDIA#B8kQ}MvS1=)N zQlkSI*958W%S+qx*N$C6w) z=Elnf*YE1PZY5r@R)HLL)yeMO_;oMx?-AvBP#ZDQM2hF5Y3z|+qdZG@k-;AfPp(Pn z6PN&Ed`4Ay+7gnup3B@|oE!g4mB5%L?*cJBp~N zgt^9I32e$Jwe5e2^4IF+Zy*cdG^jyH&835hoeeS@H*qP?E0?#X;kBi0)B;V=02dSmH1BLXTl9HQ&<4#$ljwg1&iCY=C&3N z!Q}VP+T>wS1(q9j>VRrpWal&c1{tbKf2Fl-Y&|}vl}*x~Q)D|h`_*Uk6qSSyk*UoK z%SxaoSwBeDKBSA`{7`ET1v?uY@ob<8@-Rl+Rx+dVT-9{7{oQE_eQVid*X?YrT=($x z;q}Qaf9Yhkx3H9klt5i?-nsh%MWxNuZkC;QzZl-0ULEzf|Mlwhxc@1wyuBHAC}9z= z2Rn;6xGk#~{F3}WpP)r+L=f$p>6vOlET8SUazXZ2jTw(AUx?Q)+RqM$B^Vf#B4{P{Yy0o6$!ryKw7;_6t=C(pc zNEDyh*^LA?{B^VFy6~@r5V*zheWVG#s78~&+SwIEl<=W5I0DJ=%rD@N;W1Q6{#Y@+ zOd007)e|3>Q$5ZN6A?r`Qv@bJu(ZL`&*S!q$i#`pD@li!g!+J zmc=bCDRR+vcB3;vuAXhVy1V3)v0lN+!U0@1sib$IUrg48iX}C*k$VZV(lr%;gq!XQ zyq<>BnI>w8u&Gx$5Jqp67d-+rqa#Ft91IKCq#eO(i1J98ED8sT_5&`7o7;;b0i8 z28TeBR~76?iwq589ZXi;Rp#S)wpfY6%LAHIAy%N^2!N~7#e2i1HXvFaEG1Ft*SxR* zeyPL`w#L{HrMZErbqdxoCs0j93SHnpK>#W^&>dV#$3TMO2wEg7fJ~;h7l-c-PtR<~ z4^yil)fXagjt4l`1XCd>Q`QUTXS=w(c}X&T`1>GEyC};$QZUyyM)EqC*%mQJHB>2s z&AeHp%-|7$uXxxi6IETnUi~_I3c>9UN1A1=Y%|v+!7l?c_^7B5-`4cj)mjk{-+`6hrk@|2!q~ zkSLTC-zGV!NaRZb#H=%s;ubS>tyo7L)9wfLx^gl?0qq<=%_IX`WziQv6(WZl%D9!& zX|RW`bJPWhl9yq;!)qXF%;cIR?T>KE*Uj?geY-@;{{0&N-d05=w@!?KNUbcg)7Kd< zFKBB?gb;)U!-YUvzN&`Z-m>D8iqei+f8PtJnR|{ylUOU62%+tL!yGt4dn|Cmqaq@7 zh$z`lx7kL>ypt-)J=LWzleceAkHJK!nTcC6PO1l1ZwU%uHYqxmS&NOK<;iSOj+ol! zFzQVbz)4`f%OelyKAbi}W!ySP^tR^h2oa*Jdo3r#hW7-L?>bhMw?7 zP&k^CBeqJP=^;;wC`SoIZ`OER5E4F~&c`5?Y_POXn6b%T8WlHm&V+bQnPH;$&fC$= ze0#@&mr008B@zj6?JT;6Cwt(?cE#tCoj*9ecz1bpcyoGraSO{prz=^jX#k{pm95`` zZTVtz>N<6L47PO_>2^4D^2?oFduBB25baCWqs}C}J>iiUbVIn`(S~9rMaaRYW+#~! za!D|1ylnVP%_iJxj{F;oT^D6wwUB)H+Y=tB&3rY4aS z@G$&islqv3M?BH4EP{hzU3}1iVrMg1^=JLHS)$^#cuM^6G$B9Fgs8}BHzVos{OB0W&4$|7WQs42_-hLSrY4<(aW zXULhirV-bmyA`^mMp+{!v}f0R8w`z(DHbeq!Gm@^g(bzt&7Kp4*jDNCmNMI_O}%9O zD?2W$3Jx6P#e7IP>)5h9 zLr?KNO!5lTOr~1Zk{+uG1*>IoKCeY?3lBYu3}T=-+k39mfaj)VOaL| z`tY06%OJzBN=LayU`g>DA5m$rC|-}_jIBo6fTk5~{rt_v<*~a zF(S*FOuSZhd?G;y=7d~N@?szU7xpIk4;c)F&)(R=QtNjk+F7gi93%<-8C^1awdES` zl2v^PT{?C>xgbxeVxYSKnxdFop$VG{a6U$vLQ zo^)%nw@lyPl0?X@_^`oA@W|z4mVffan;Hz@gZ^XJ+%4H zIHgqbk5LW!(>fh>T4#(I9w4CjQQBGFUIttN%7LADLubd>+fd>qk;~+jkcmk^;)sG> zO}B9#X0E!WuL8}X(nrv(UWXEi11%kCSma#*opx)o#c%9I`|K=3!4x5;4T$0?EE84o zZYd1zWUyO|kP8b@wj0Y|_XaC2=FCwCdr2jKUq=bcXf>kRQm2A`8tEA zSd_#`xA^`qKh(+h|8qsOb?fB1S>Tl|I;Crv< z;DT7bd`mII-N$I_7RbDG1qMmIW{Ns9F^H-TUL_Hz@%#KV<~sQNKKT_!zJ1REUb?JA zAlYl84@9=LS2>K%3fmat5<*J4*M~QU-yWVH!o%lvb7%SHvi$BYPu_s7w@R5P45r)! zJNlw(VA0dC&+})`zU(Kb^|DN^nuhco3TC8pEw!2H;FwJBS~PVrCEc6v|88+-XV=%@ z^9_dI|Mf^17hk}(4;SaZ`=7r5o8;>Izp3uZE&@9mg$p>$M_}398N#lBn(hwY)+lY3 z{p1Zwe8NnsX}X_b(4L1`S?Vl1oonqZgF9Cf;s`7zFddNzEGzD|GS(q8AZ&^yvDbb7 zm%sZ<*VM)4uKNBTkeV$W=NSxmS$)9p{$reV%v5=W38A8F0;0MxE~0X==4p;!l+Xk` zT={Y0x^?!QpAzW^k6HZsJ*BoX1cQw?TUqOl;LXzl&@Wz>mO@Xyyj+Z6MHue8t8$fj zrn`XAE+wwV^+qV|Tw9LX?gAn6mk${dOI@XFoUShyo4YlBddPnF7s>EL_AvgixoZ*F zxwb-rx(xONu(Od69`{Ok!^t;$=X*HM(4V?4m&Bk+iC^WQGy9?Aq8nyZcLl@tCWnd2 zY-t^oahN+iZ}Lj%;`}la+PELj1((iBn4R~zDTfp?xUZXHhV%2LT;c@8RaiE^`%7Gd zH{~jaF{XpEn;h=#(nKO}vJaDHlUB)DUQFt{az<2eCG57VW?do=+}Q?WN=I}2kT2%h zVo6+nyc)hu4GZT995$ENrxyX&Tk>rK+tF!J&Kj`Bx3IkVt)h$V?N=F0pRdyy+zYpe zkkf65D+@MNVs-ms@a);(=}%j%ZqL4Y#Gk1hOa(cF5TN(VZ+~Twp1uT7VaPTq$>C`0 zzpL4UlP(<-oUGQWY}I~kvF5n=JsC@1X)4OM@#K%5xN6j}kV!m=AmCL57%QhmN!k)F zsZ2!RGgui5L97seP=FFfmIx$waLy*|&V(`_W@`pCYM|86JY*_-5~2jcV6-##t~|pO zaY`UNN?6#$m8n}pY?2cV5-}8#cAlg4wSw@p8vN@hl@+kTux}mb`6=B#DQ6T$AaO5G z3=x7@1(u&C-yGf?y*|Etg~TF92aZafWOpXFMTs>~JE7~%gd%4cGC2s8cgSCHQ#7Iv z$9OB+#K=nxcd(tYS}F3f{DnBd@V5ou24U>-wo(x)3W7OWrOWUPCw$2fxE)G|5sjbl zow>4LYOro8$GUq+gS%m2ay@4D1czsJ^h=U?j{=WDx0CC`^8jFBx*AmFtE)u_t4UD% za?Nko36c!+4<1VG0x;2QsJq_-2fJHQ7FiRReTcRc(2C$0Eo8%wyC?3~cf!4flTRfMA0 zVwK5M`uy4RwbFRX%+j>8lrsfFdxk1C|@PL&-V7d{OZ}$ zo{bwpb5XVaYdo)W&l=BmJ2n#~Y_g?rFv&{7J<@aOX1FX+EfqWw$$5^-CoFx2MG zJQYz6TrJ1GfR$)YS;N!FlNxdggL!zJB`fXhSR+aX z%yvU*E_dz=_lLs(LwAE z-Wd@R=Vg^ql@8c!Z{WGmin`K=JqTls?I5T-X(Fq}>B-S>I@uYEw+OcfKfXA)ycy6W zEha5E@I-15=A3qD#kpIrlw^vbu|N3w^6mA-;o0r*=K2JV)XuED=!15kV35xh=bQ`k zXH`W(MoAlZIDk|!2&;e%5}E^ofq7m)-T0Gmtwcp8 zThXyG2an^5TRa90^ZE=7!k09wSQ1JYAT$IU_A0NULCWi`V?;bF%AqSuB}fz%s&_=Q zlyX_PuemV}FqMp>ky7fkg>pntf%Ajy99qokqG-m07O#Jb@F<&VBff?NCE%6nJ%x4a5_G z*@C)WQPxd95qJVloBLkKbQf%-Wj?9B-vv#=*&xe&y(Wk#quNL&D_zx6+_hSi9cXCm z{2l@Wh@V@AZHY8|Tsu!0)CDpb!G^Rcn;JdLpKa!R6g z6qxHCWd+;#-LU)6Q<6hNImi~e-G$|v`{&!`t!7AjLNsq3ZdNT!9!@isAv$U3t{RS& zKyT5I^lI6;ZwO&4l-7#i_F5WFEF2>*RLeT3EplY4yrpLWvv%<^M^CoH8tX_X1&2#E zAo~-$%BGt5d1&QeLu(>WikSaQ3#~5vVocVKCa(*>vlC>_)hwW1EnaB{6deob^FX~} z(-)*%@|FvldOmS%(zhLf3G<99|4Te5{MBB9Hm2WU?1RVR*jlyakoSZq1LKp~GMW*( z3Tx61)GdX>hC_DByxAg%utkH^Zi^uvj248Vjj_7Wz;HKK`H?8SBt~GGLvC9#WL@1S5{uJA z^KOd$;*V0&L0a4*k`}D6te7*iLyZMP2(d8Er4q#HY31tq8N-Ko{J?c4=5aoD4fQ0E zo@wE z;Wn-Nx=ic~8n$a5HH^Qs*r6Gc)B;|VGK68psst3Nc3toRVKCke3dSO}uFsTldKvSEn0Ff(g?d|L7qN(SRvxp||7)687 zSwOd9UQXn|if6xU;=Zt@qhi~FaFnVUr-oF%)m&-rO$H3d_o4?f%?$?B=K=Td(Q%Kd zuDD#zC_yVkJ4L>dEaXmyc~EV1-O}2}*A$Z$g6)8DSjW9%EA{M<)@(=yy$#^nVPB8% z;SSt>t;rZM3Ycm%@Zy5Qd#Ylo)Z>&vcw8p#l#a-s#XuB033kOWLjysBS8$Ro)|;q4 zkqQA>UDF)E3|x&PHf~1B&1-?!i!74s-I9w*sptU}zx!Q64JK^v*9>cz3zw=}Ev^t; z6*Is3>RA#jUPYom6OTKry(OO!dp0Q>oRy+J%iaCBN-0C$YmM8tdKJLnBkL6(O;%YQ zpQb?+kl!7*t$~doj6v{c3a2VxB6#y-l=(=UmFzo?g(i!gL@TH zR>GKP>j6*?!vlg(*)kKRUCNYV%PU7ygsI4^U?g=J%nFf=ZIs92*xRp z)j{@>(J_0*X|`ipF@c%~2jJ-rZR-U5mS`6u)>-o0CR!3{3n7t)?EZ^AN60PrGL5{g zv*QwTK$7Oe&lkgkE|zXv^_|zg$oo@M!gS?p?`}@_;s1RBrdm;C45yIAV~9!Gz9T;62}>P@=~0%-fri9wVg}SR0v?9d^?Yh(}AN# z#PjZJSVEu<69KDdArcH~u18!hOv@D*&FW+#n1}vM6fOB$e3PBsXzPqT87a$5+z*6y z#$}@TmT=OpXp`p3YP%J$lMh){s#~Lw2}+~jNlVrm1EX9^{%##HpK65>g)ubw6M3t* z&SzHHory1Kq)Y2PxioUlsmqo}JIB(ttigwKtvf{^viHY#l$eMUfM7K|VS^HDqt*3} zJbVOV5I?SGtRA`At>DP<(qY!a*F~$%ix`HB$l##J^9K<%9iC7_r}U&VsbkcU2jo{J z{c00Lv6jPX$+9~sPq5TU9rnXit$ju*<%-**Jmv!71Ih@Z9kEn-eGZb~qcqImo?&p` zHbx^lhml?c)ISLowDMd?esU|_lcY5UvRR7I{RQhVg1_QkZcTzvdx68~8|kz}Z`|+O zTVRRgGt8z%#;mN^cPH0FtQkil$BV=B6Zm7cm~_;n*xJMdrKV|9W;K(zk%Nb_oNPh> z9}Wg-?>a8>x5p>%ZjVoghcC`fZm+P3;myefQb%51AHF)dy?%RkGQ53xcKGVxS(L^d zF{`AhMg*_8mO=3OSEcqRdC9Nt3lVC^CYC1ga(L!50iEytft2QI-X4W%i#G>pY7Gw z5!`_-x2&-G+J~p){uo=M8N~S~flA_B>Z>@_YLc$o&|;=gR7SXZ*N1$~BZY^N%Y6=zZ~e^6{C^u)4woW%Dc_Nr#Iz>=$4rJ4e- zRJZ}q+%Mqb!xyIsW!f|Lv~w1r;ks*?dwhZsXe~^Z$?!~M6!(%V-qWgDGS@Qe{3fir z*HN@nRCHP|8`Vikt(xBw4jKG;9Kl#c~{nX&y~<(b&7(OS_dcw z>+2jbr+W$gjuqi3C++hST-Ce)XM4P1im%I|WcOpKw7d?%urqj!X7p7uU$0m7SNr?? zc@L(T3o+1rBZWuv5DIXSnJpF8*ao1-yTurddNAKFm*++YkB1^KrE??!6+Hzy?*kWY}pL%?w16o zD9A!ln6!0cP`>wL{s=OK#(8t;oXUt?0{Bh{Q-XqhGFSYFvG%DhM7`n;Bs%zL9iyS>h`RZQ7kKj~U> zb(Gyzl4v=POXy#bCV$+}Ffh#Z@ zVG%7AD1MVtb!2k({a+X9_y4bP^17iaPpMJ#!{uugC9Ed8_&vV3yLk!TPP+y$Dja-+Qczjd z-%=y^yT72K=Cb~9muC<8_(Rm-qg8{&-G-LIc{7J~1!geZ3|8N=S=^xpl_|BpT*H3z z4LU(Z-cUW^Xn~b3U=eb7?>;S>qvkFc{ru^My<5D0MCSfU-FB;Xk5d4PGAxzcc z6+JoTq$h(3?j7TUq9m2Xo;wd*V>#{h7NOn%qj%V$(-}5e)OaafOuz_ESo(MHc!er&d_bLwd(Z>?v|sAXu$fo zZ0@q#@azu($|4+k$3uxjihOVr0*!@U%R`p9xy%CY#XueyC$=^4gG4f>v2l#30Y;ot zO4|38F`)2X9q)Un8Bb3*@)Fb36H$M~hBv4``5O6*ze-jdYN3J(aKG0a-|WaKK)1(4 z!5vOphSnkCc#J!aOv({iDbl$B+kxR6i3lRgO-{*4c#W>Uj9(|hik)|Pb`vH3U~WvB zv4}4615o)7J=l)-cClM5DyEEc_9Ysc<4#sxa`e;jnza#|`q4y~N-LN*OxC#4>6&af z1F7S5sLjcBDY1Ew3iRzB4$4dvI_XQe@!`dZNKl%cU@%xOYU^f+eNXv-tCNeXS66RN zzU}&52}aOrwsJzqr)vUZ2ap%RaHCuTZI6-x=GK^FQzh3KPy<&SbjIg{(i(&2_XmiV z-yk9w4>?ryXt4Er=R6RJt;g_K93b6MQPyAna*w{=bpVo>Fb8@?n)l-VNh(N7JQ%9( zg6i#pqK-rn#?t9gWuj>Wa3%bARwtu}Csiv3W=b`C8-z94{2mR7eel{vn>nf(RB(~! z&8{+)X-N&YsgGZ00<8`x{OG)n4wAxQ?E{>ud0U8qukJCe3?onm+6G|D%yVIdWX8c- zNn>+!KqAhXlqx-$A!)ksy;>skm~(LSZ0TCh4()}hxT2%fYf8`?3SJ&hA`R?{@*U1T z9c;c0LS=ZO*#Z|FjJ+=OLR0KK+eN@7%-dO)dZ$tr2%JF~v*uxqJxK$XL>*AW@kac9 zh!F8po~%-=y`G1o$3c}kMDI9ZNj&H{;Jj?!2XE`p74^~M>oTFCTzE<4_+80Vv}cUh zd?cKoU-t0Zf^aDAE;u|rOoWoB)pKAn)7(uN6rIsLl^C@Q5KT_JtB43O9paRW7Q?+n zCSZx8AMUo`#MEo64JUbsB?V^^Rr|pA8kYofaE34N%081E&C~V-@ zx{oCpEBmp1-=ws+kg^VCPEn10Xq256b1>sD5`%y2bEI4=n*4V9vu8hlPN$hsOq~%` zP!ysL_fH~6&>NsdtTqtYyPtHJfvHlaljzCd{~w;ddj0mQmBVQYVGH5nBCp%bxiwha zXL-@QPd?lG+#$}CvevGKx888slQwU;&0E*z!LyL|Fsy)z)Hra)g98l4KtBKpP$^el zc9n5?&OW@o-L%|O#nlMJ{wWy?EfDLY^vI-^B0juTxK_#g^krEKS~6N(;`w~bpf|n` z;ZbyWeQ|p6>MKW^xejPExol4sP?R*Pw@~UnHvDP2gYyg}H@`MtBV<105ET4xxWIJ6|m zFNf8$Barg};y+`_9M-xA(H(xr7%?Ug|C4pV{W07I@8t7r?+ETnZ0Qle&~(iOZ%(AQ2} zAFULDi_81PTZqMU0wx8684->c!>QC-gAP()Jm{$9hozfvb$9a9WQSX{SUoRGl_48z zw4-Ck*NS(;%ykRJu8*Z6+AOWvK@8(^^P%Xra5#7@6;`q1O-6a4xMnIkLQr@+@{o1o zjg_QWX$cTEjY6mt6~anB8aggyGAiT58fIB7ZN%e|!N2 zE<&gZ(t(khgNqgA71IOJrowUyb%qL4SbdJwRLIr(3^TCLe*WcCYtr8w?YfiVF=FYW z9Jm0albVWSc$NCs?$U9&XqHZca+)p?#(<$HdfJ{Hgzl3RoazDEc@G!|j7S)e<(arO zinXuhOx)FB_n23nUL8G++*!#}bj~8+A}<6h8FuOAu(u>7DST^Cd{IPU8N(_ki6RgDJ`at(U*6PDg_CWf2e7$0%)Qk;E@$CpfjB);+5{cR^wyZ2L zo)cQu5Y}WR93^`J;-1_Y_7H+};*`pON-54Im>DIW+Vbm%QR%a5n~|TrPK~C}vkC5u zKhlEVdoZow(G-74^T|DD-!W7MC@LFJaD^p=tQxWA52g>9)W-4VR9vkofdFoPt9CGj z$fKo#Q;yv4AbZDh(@f%EeFDl)&2t!z!W8v0*spU7T`yPsX18wd9Gjt;k}*4fwp^_@ z;gSj%@if9oRIYwGGVYiMW9crUB;6-4CIlS|#$si~+Q1jve|35sEmAUi9}3-h@#Epq zS*;;t9s#QQ^v^+Y?a+vq;UxGXC1Kahf}nQ|#RE83h4|DuTafP?t*elE!E57ak|hib zSO+GEjRyJ&gE0{UxmxnAhxgXRFf_o{XiCf$eHVYi>|{afN*|Y>F49k>ga!ZJJzPIZ z&;?ySSRu!^o--|CH>rH=eo*9cD`(`3P^D;{Iaw4PVPaUeyMIo)Fn3w|ZBcbG&pH!q z;aX8QNKpuhjC3#{7v+W{mVqNijrp8}Q(E#gOY?vdD&|M!lF1erbPEyBV_YKx^$G_c z$|5^(M=u91TTIHjR?`WXcH`t;YO+pnqzldn+~MZCexOaTO@`4A#wZodDcTYcBB6qG zCfyd&kgyc8-!5$LBnKDr07EMqCq*r#4;>sGEnWes5@4)6)!}HtH}Pw@CmvO0I-%gl zgh~xXxihYetTTIY%Pp{UQ2KHl1t?Vcp!<>dxV<_sZq2nX_T~6(Kg}&Y8(vGG4XYK z9l+q*KR3LhO%jF2B!}+w@DV5x@^eH=7yF(#E-z1 zux12;bK2RT`lB9Nki9|Amu<>@@W>rJfBK*P?602vJW8`Tc5fq#46`J966zBrn)H@f zP$Nq`$^eB8;X_`Zot~fG+~PQPBqhTVAffwLHM~&Wu7he&4nAv4ED&WD(BTOb>nnES zvT7hit@|o4t&#pV0DxE~X%B{DjrKyqNKv!S6DT-|M8768zgLu4{upp~XNuCL+1rEPD%MShErQxN?2~s6<%no znmVyb3SBDp>ari~^`j_^j2GCi^U1U4Kcg=>KkoiO@rJOzkfSHwCH3J<3GnG}pFjP1 zz^%>)A`yjjMKH%DJbJw;#JAphvcpOAd{!W?B=WWpEDFnO5|I_5HuQ3Y;g9fk;d!-1=%hOu+(nKl z+AnbQqLh1#LZAftWKh9$m+fqiuk5#8Gn+Iuk@BcMIA>XjtXOKZOqIFpzSwpU@@7C= z0hX7PlU1VDcj~hFRIP_bGvSbIt$M^BBabC{6cK!#bhZAUFQKR34d>;`mYz^m))5?0 zFalaymAqMe|NpGW0hLm#ll%@P!CquVjx|(e@+w{2Q=LXzO0OJYdBTf4Et9hb{_)-S ze-BHwN-nY*rS9N|@PMLC6&GD4M`RuQL3&j+BkTtY=Dljx@B>$Vl^j>;_F}BBv9zR~ zw}kYZavrK=&0!T17h8%j=OqUJwn*an2Sj-Gg!FzQMLV=j8@R)(e34vbo2tYw&o4jZ zsK~~3TCSDudaVw9yPQ71sPOd_qXuRSeoOUQt}&|Hn!trRby1Ch77!#C?+l zUXCSC`5h9{h813-XXhL9x^}Pe?Uc~hBD=>@FjUa`{%=>=2YmloUZL)r0HP}2@xrJ?fU9wQy1XB)c^Zp*K9E;@c?$S+# z#Y%55K?HBv�q0?A*t6Fx`-tfb{CxI(IOoN98j2KG-#yuZxbtu`L>P zu?U^39dj*4#b8VRSbn7RODnwIfE`hM{|}Frf`Qrkvf9*yPL$71Iqn?39b=T?MVj*` zM6&tje1RDJ^Fvm^%ez1&Ay_2yO*)$6uP)MZo>ygZSgz^M^k&Y-LkxQOmSFXjSmB8B znUetukCnKgL~?aeT^WDIx;l7GMyxJdSMUOxb;VO3KbJM^UNejv;JXgx?BG-BmYEao8`$*G8hj1* zJ1@I$n7#|P;CZ&do%=_t=!GSDFVno5rth^T@AJX)XK_v5^Phj!0u;m*cU+x8A3R(g zZ5|gYFkI)MTZQHdktQ*)2o>&83LcEcCB7|m1#=%^K|lnCL8KlgbcL~YjDYcL*s--c zdqL?;Zm9!I)n8!5I*ho`Ph{^`PHw{#3&wSbKDcJuDzf)$N7}*cfh5)SKr+in{Y^9$ zqjEyt3gTi~rFLPePmN)z6O5`GUCB|%2q`s$u{xN(Dw{G$netLz&GFzxQ~MwuCVR-( zBkw&zjs$@moDu}>lUh7QTCaoyG1-~2hzdRv!a30?3I>kjha6U3HPgfjkuGu0REMOfj zIK|MHnB$s+AN41z26^rxPetzQ$TQI)!-OPk?OfKz%x{i7As=%%-omj1)>j5-ZVC+a z<{!W(xW29(34DfTcvc(T4FqUxCymqkFv4nawuWg(nBO#kzAuCt-%hRQ4S5`nlE_Y6 zr5@E|O4#dBT$T{EjvJ0cOSK_x5Ob<-z()D8B1l=78FpAO`^bddK#|+=4o$Yf>W*?inU9ruS%wc)p#wh^>r6k6ID>7IV=x?V{ ztuH<>EiH6d-B@x-3aMjab(%e$Iu$Ox#3W^t^JS*BbsWgmbm=@@fg?`5D(jpGRbgf0 z6pw^PoN9;DPEZnjOa_0W@fga+)AW$&j2jCZRl`xC*d{R;D~Fw90W(vLiQrrXJ05(3 zoDFwzy?599R_sn*+gyj#!$g`26fPzJ3O*xcmY7P4prr0dz|1=K8g?qU?TpD`75y0V z;9(I_NRY%eBN*T|k!U}39M>%ito#jUn?$ycF0W7Asj5t3;2@&TlguD}Xx>{X`$!QE zdnlL%Mvufr&f zo<*G&KK;9F681^+&90scu|(8B@<2f_3N=S>M~4yKLhotM9XYOHiqoQLAvsVjN$Fy2 zm$z-74|XN39$j#0Pf@z01LsS+08)P02lAy#!1(c9$IfY*RDzpAoK-Pa828d|#XR3I zLRlm86_$1FMv;5999t@>wnE9y9d~D6bkfmW$B;iz^{eA?bT&k}S`WfXSrJg9A@ZjI znZR@)=<#Z5@l^AH7eqe}6v}uI!#7q~#%DxN(%@)6E2B6vIE~8paZ{_3>VO&SsbVhR z-_<0m;TaHB10pEde`raU=*eIv$5c~+QWYu33w55nNnb8{dTg`oPAivhCc6hscHVRM zb`2AqvP|IdgPJMha1~)P+)bpQB1_mMsC2D8kmfx^OPuTGP*+Z=Mh*2DD<5q${v4!U z60JTV8)EoFyisJ|4lj@1+#bIo>1F5+eH@^DpXFPIin-qKO!OqJnmzhRwN;9@)s>h)%!^#a*?BA;WeM>#R~sOYf^l0`pOd7pKu z#Y&&lXuxKPzOT1gG0~#iiNf>#VEFCu=H&bs4uG@E>!GD^3*2EAyVR3QCFY%_sXIh*$HDgQmq?55SX+w3 zm9>P@ep0xg_Je8tn5HC6&nvi=`Kj?=*SNJFbmeIz8zrF3+kA4+S*t3qHp=6~>o%&g zQ$;Ij95xN-p37H*e1fM?-co80YUE!dtw9^K_|8SuNS%i-xSX?}1mYMm|7)E(0?!1rOfiqI|-=^~b9 zMrupFtB+H(6e?O>49`aktinleHLwK8By8A)-^x0irwINl6UH0DY_kZ5q_!i-x*)nS z!gOG@(bwmoCJ(%Qvpc!{UI z)~n(%6|O0*c*IAchvdK#op4pM4+pG24W@_@*jDJ(r2yC)42WpFmg+7lS|Mbs{xXO@ z5bqH)le22O4`Op=kIrEQmn1$mf|gQLE#gklaI9H1)r?nGG)r=(Zn?8NaXG!Y7X5OB zE9#YPvnD_)3dXTEwfuLr-j1H`8g@sV+aglHSMd5Rg(QK!`eeL6R&yv2VRu<^`EE+vu5 zLO+PCE`z|kOqF-cpa(;BS9BJylykKs+WV{n{22qQ3LQ5YyNd#5?OaflF_cxO6nk(A{0z~_h^b)i-lfXbwV zFP}RHJK=clr0Yy`&wl>&IhK$9^k=vkVi~CmTcVLF3ITi&u<7BV0C~|0L&fk~eG=uY zWK5BJQyL&)FF7kno+a4gIL_%I5xK4y)2*Fiw*9w7dT~?io(#gW4r0m!z%Tom- z(u}E#Uyf?kCdo} zTe5QD!>Fb2^JTMi)wNuX>CoL$RG{ZRyrem1R@R-_d^BV{^BpB78r3yPrm*5LKaYey zSyw_TO6T$vFXku>QFp9zdKKjFp^ zD>0Ho!RE?yp`D=BE=73Y&?EaC%3m?Ul1ZUyS?4npH+yocxZUVhu>)9G69@;lFmBz zW|e?xD-eh3iL~5E%@l@N;@Xbr`bZfltD5OxYvit07IE~$VU2{P_Gf4B&i%xN$B?~b zlOg<8M^xy z<0hC(-P_^EL{L1#>6EHyu{3OyRxBG>d!K^%Cs$z9)uEX>UNkjLYj`>WU{pdd9%>?? zF2MvQ7#)0S_XyRyiTooa;EpdEyOUK``>+m~}RF z8AGVVJpbo>WZQK>4-!4>BfS#$MDBwRYJJWiOUoD`e><^`ijwxgta5;~=q2#mg6DKT-MWaON1s zADC>vehVM}#L>rZ90gUtb&H3jV-*VMA6(=vu$A|cOQ(Sns+DT=E_^>yiY%R|&EQd{ zU!pY_0$d1>N&q9VOH2c?+aiITrD>x{nOv9oY;c}Z5q8~gm#f{?RGa1+I-I1-lFKhT zi`hCA!t&%rS$)WgyP&#_%h$fi7vu6hTv)B=Fi*M2Y~5MUb_CAzhRQaYX;3slrE1CH z8dh5E^um(!bW?Veu^m(8l@wlO_w*>orYz(bE7hb7?UB+o{rsk^N?ebj(3o#6u2;jU zUgcacb(T$VNRneL1<3D`*GQjMbP0^P_PQm-9w|iQ0<>4@2)2?p8I7)QEvhz4H^{O? zdQw=5mMySaE(%1?6b3n;e>36V(uG0;^xCy-E zoQu&~MQE-uCtPNWBiESzhsnD$&!+2qw#yfsU>T7J%HikXrbx%xovlp6)XWPwut@gn z>k>71X%b-+2KCD-cxk`F+H_ZtW(v_lp;8&vmu(&^FY}|dMWU=* zYb=x&gD-|CJ!Thx7M{KO{%>j3wF=9$pz8=$W#d1d!r;{S(c~PD(u(UYizQ}{3o0-w ziVx48KL1Qgz+hHg&Iv6Umw?S-x64<_(CD3YR%yYo!-cRshjYw?pTRqx;C(t|$6P~E z^;KMTHOaoi8Ib+%AANCE4$c8g))Z#H8U4dRWGv7e`_y_Vta~ye#`RBupjcy9E?4^5S5Z*QG3N*cV4ek-ZMHvQvTC#(532}1Q@az8j~-`%q_u5TAU_e-(9@tP z@1D3Q@JqzEc?un+Zy7b3US9LW(E-ROKgVX`bHIPB1c*^2@jbDaNphPdr3q7DIzgq+yn0(S8W^hx{4<>mPhJ&wZ(9{IuVPdqdY_F$yWz6M9~ zn+lw+W6!%5`~)w!gf|lW9kxj(xkM*m+b^%ci-SK5X;|Pl^7%D5Xn13etLl$82W`}A z$9r;Cxp_0>{y2bU5IFKQ{ur_pofLKlTl}`d^%Z2*hBwEj7yIzPmv3+IKPT7M4z!}W zx)Pxb9p6P~KvKz&-1CG}jN*xQ1U1kj?#4sv6>gZmR25(NE}DQ0dDz?cj7OSy8Jz*h z34balvT*>;dn40JBO@Ps)u0!PC&80 zIx8>OI<}tBXk>_oWSi&+nt;8z?j$nP$dQ`Zs}+-|R0y}Oq~?!b5`{tR8GDjZt}@Y-dz@O+i6INl#xZKvN$)pOYxu{#I0~cus5G~G_dU_eqEbE# zYhj@h>n)7d)wBi&zg*kEwbwi$C}#Ut}*`bbZ>L$>!00w;cS znyeO7t*BdU_Z+8Ut9vAZMt&p&4tMu)w+&<^zuHF~2nHJ6vo8UiFr@G97^359Vwxl= zYH}+X5+OyG$h1V>UJ)APO=|D)Qu?hGZvsKx9rX#B( z#76L@oz5BkprZ&uIg3)_!EIP8#xXj@x7Kq$gYyzT3Ty_t6EfRF(P#^}4ZNYZL5pHWMsL;M+`3Qmv z5DuX4iR#)}(*$dqB8<5aXyn!gEooD{-+;4&?m3yVPGY0XJZc_{{Tb7WootwDgkNJi zLuyILCZ@SPChPf;pYt26vxw5&MIghr`{A?Dso^o0;fkeIL!O$I!tAK9MAVLX9vnG4 zH$Hp%^Dl&ojgs|T?XnIz3ao2sUMFk+AyAsquxPQB4@I~-9fEhSgMnB|nM6j?_0moS zrqkz2N?qW@ECGFIEjm9#h&6l~&nB9un6f|#NLxFyeSvmrU*(qPlz~NpMU%p8#gict zsYR^r8PxZ{Y^XHV+j+7TmN zHILQ)Q|yX3;M0#zpI=ipkQ78u7U`yx-+h3$u}Z>kctRNP($zwE9#6b(3WD7!&2sx6?i?=un~yIM?XY_lV=n$IU|N z_%N3rCXs!Z!*rwXRA5t)u>@;oqi8@*lLqf9#ef+&+T2-&+j5V(R+y1sMoJ4_VQUmH ze7^@r-|YkgVz<9pFpC8ql$}M+*uak8bUX`Bojm(uw~H9U&QhE#h+CkSs2NCDEr%~} zkvVtYl&flOD${D_9q0=~9f9h^jB?$_P1F4x~ev53>CCg4bEo}AnBTR(wq?p=n z+~&;EB&F7sKAx9yw#%{T z--^IL;+j&OG+gWLrwa_sWD$pS4hu`0kMeO;w7X769^|nF@!-I1HxfSbzfgp>Y$qu* zGfb_l(-g9t0p?7T*cr(N1PJMI%?uD?x$5ivvmk z^UXXapE>tK!n00h_H*0V*1xOUdymL?RnF#X^ z_xu1)lkTI4)h&G58_#kCwmxENqV-HTh znZ$Y{qPBchF8U+b0)68OzC>*MoV45ze^K}+n(TuT;33dB zvGwzE%y@-(je~h(y{oEU;oF8qo6cX#R5?*NKLL^#qR91VGddf{=W*s$R?N@<8D$I| z1^**3D=8?AMSpKiKxEDaP**?Q=59@)SWhUU&ECwkRwvuRdZJ#KrsK7gMk>FK3Dl@T z5||t^m)Ku_QnQg2nE#RdR9Uc2+dK<^gJmfMoNFUG4SO8QHSq2!EIlRk<~`e)otgXb zn9^=D47FVQ&34Pn;_-~bBq^@|^f6&ypOHD{qd#UyBp3oc4tKp5ZvGM9Df61Z=$u}? zEGw)HcH%5;O^h9K?O2&p{3ivhn)44s9$sumTwQzS;9w$109sqK6cA>38Jz0)J;k)p zW3R1IE34CXyAw$W0)yNM1>sfr)mPR855gGyf9(2cYHL~ z`xQq8S1^h7k#d{Z1E!JFtNYJr?}2}O(X~M&!ZI}FH$-Ydb+}Y%d)$#-hpU>XHDb?V zLO$}LTeL{w+tOW13pQlzn83i$k6rTR3e%7RRd!P8MTLuw zJ=O*zl67qj1o@$n;8yShL*ODHrEslJ9iL?yk;EFq-5*F zR-n59rU0lld*EPdDBNhc?_iEjnG4rsr?nEBqj0f%AKb(&)^q{ms1sG(i3qAQVM4ud zNfOdXd3Bi9sB*l&ER!0}Qpd_f1-qD~#&&i;hOcIT^VcXs*R9V{ZW;qT{+0l<9z{Ga zi+(JO@u>Jkwkc4WL9ZLGtF%FQ=P?|mb(37B)m^_6KzeHaL^BPJTwj9s}rf4H_5j!>hwQ9 z8mc>n>G1;I4B{~GBkC9|(xP;q&a=gWKY2<`IBj6k^HX-heb3RA$yC9G*DY>{tA`tN7Y7PWq1IuwGQ3V$4W)$?qqf={iDaa`q zB1$K32vC(|3vxcwP*zzZkQh{D;@xa9-KVjw9}g65%Sy*=1mGvN^E7hWI*L)}ym7Xk z;ZZ`A8oV}sRYbtcNC2!wR-QGuV~dc|{FXBJhwjddObtL3j1nj$+K54O8bZ^CxKrXC zTGWqe`0;@ga+OaQJL?{~JTRL#Oi+WuxWv(dWR}{09KsF~N4l9tc!_Ww9X_v}hS|dG z0h3R}g2K*Dm0|`a00^Wj=IJ$j5_L@4BaSF^4`w57)nQhhyF5k?N#~S#4mI*P;n2)U zh=4>Ei&+&CHL@?rTULQs+|eQ@itu)+aAM|0Dw6h8Pv}`za9@MpdIA>Qi(lb*b@<6r zJ$Hz21Hl8NPRi7OrH~(M!jbD|-v=JMw@!J8dl-LVZf+Ff_R8O_v|bRX38vT+ANb2_ z@nHtClRTjvj-j%3@&vpc%(y*i<2lv!;n#sXUR2u%myS8?+_;yv5&6;l-A&Aw707B*=2(dU&3)z9 z825k{kncq)zV3?)4vz+fPZ#Ay_HgBbDp;d+^DTHU^MiiJ%8Ig3 zuqB#5np!r$**fK62N<&3Z>yB!#?u}SQrKHIAF_ZVUJ5&)QIxhFu##vGZPih@o3pCFxXKVI8U-z8N(!OTo8(-{Z^#{^wJKS(8c~)0;>!3Dhy~5 zST`UthQFhZ%ltMg@bPbvEF>uD5tN*}Zjzbn3>X&toO+W`D*~>wJ545EBkd0y!#UDQ z=B}icNT`@RuI9WtiR#%HDszls4^Y*TbMi`et^JcT{&u=(>N&V`Wt|0&5)%)W30=wA zb-bE#PFx(I2197Y6pW1SE=?NG!1M3M-44$82Lmy34t#}D;KSkBJokw%at)o(UFxf@ z9EUwlvu(7-cR3nSU41FsVgd6MsSa%?sAG)Abv2T_PihL%X~(dIh7GW7V;w;U_4l3v zc8Ibgo(_(!)_FSF_G_k6$6sL)4sRci2vm@!%xy({F9**$H7dLugw6U!+1~B|Oq1Cx%0*9-!HV z31m#l2Xs!ORO&8izh(3e-y4;hnP86+;@zNZxdYaBy*|2X^&niEFXN(eVal8+8C)#c zKJKx5+6!pag8SX!M+*v^B9*y&d3?HL+=NYZ))(<-Q^;xPt)FtBF3meGBjcp1QEDqDc{2hqF?e_Bu=%E5PYYg0fH-h zaY(f0{LA2nH7&tCMNe=5BJRSGAqvE9yvA${R#h;O!+HAta7O=*&Nuu&L8*8y!V$d0 zS!TH_r2|NV_3`^(5zY~O<{@Dh54aQ&&AKtkp=J@4ApYOh#}gYWt?vf-(%~A^yTgvr zP-dFo*cpRK_(No|!LXP0^0oe%Q*wNC~#0^0>u*>h3yXJqA0Ks!nEPQ z<~8!`6BU7_p(iMyKB9Z(hqUu)xVucSzu17Qg4p|%CG`GzBJw`>SzOewtty~fV?2&A zagq_N#B;OSUwaoWm=>y58Hz5mG-+4x$u>-f{sA zcb*6o1!f_edW968VxD^{;MrtJHIp`48@T9HW2JNFNu9j9xI8~`4?y#Zp$X1X4h`B zSYR}vhrh8gH~IrKg5n)8cx!$uy*+luEtiKXWjUfB?G0LKx?C;$4>8P^A&V+0e#=x9 zrbcKsc+$62@P)xVT)I6u?t0;z)R0s=tAqqP3>S7%tO}jQ=@X*xW9ar7o$N!7lO8a$ zc!edloNcHnBw3j?=pg(42lyR@P!)bd$Y17zmXLZ)rC zqZzA!%rh5ebHX6@pZ#6>%8DVCXZ_P@{4!9no1ubyp!uZIaEZbmHL6 zWyu_)F24~F?)FtfHzdDbHKK!Ccrc-GMKF`XlH=f(@mcHU!YJsor%xGm$Hyca(F*YP z(!mMyUV#mVR&w3q33Va`{Aa_RBp#cKsRw7M=jG`IL0pZt3k(7KW>`pE|<{D8(6=X`o`G#LI{(ooIw)quBA?lTw0aT0>a%9#1qnw zI>?-B!b9h>;ye5kI2j`Z=^#QahuhyLFBV`9mGH<&{h1Ym*U0=?=c#XGX9$k?BHQdb zblnTWynYmU=URvmc*%Lb7&VC7pOg*kiY5GK_Gw5vg3{$>oj-=POOEqw)?^=u#iZwX$M4|G-aVN-ut z!%BElt`}J`OZ&+g641ZRV1*PpSP~1z!s&jzosIK%e~uqNAhqNIjVAO1$9eW$@(sS2 zyWD{62>BNx{_>_KxHvWZ2wA6ZM819nyhVbihj&BO*a|HKGACO4&L-sKKu(|s$1osPY zeXfmezRpho{kaw%A?#cx$hnDNzdN+1-=(mW?{LR6;K|3>H~YyC|F<9h&F}y0hkyUW zKf*uvk{|x(AO7+8fByTw_~Gw=|9^c95cqWP^vf0?@Qbfv(}RLs?WE4O0E^No2IlsI z!v5+Y=rZs(Kzk7*>Q+TKLwk$jY!^e?s4s4=f_MX#F=9zxWyMaM0I#sp$>#Z<%x9GCVk395f>r+s>G>95xJ46_y?_mSDBeguWIu zqM%Yq^{7d+A|Re^dq)EW;ZP8$kD`CBfM~K84)&18n6nMJ%F#Gg4Evlc^oNnGuu7P~ z58h=bkkFsdYBYPzgY^dRi(wLE!IKHj38@WZ0Mdw%M|HM!|{fH6G=v8S)w@n)J zo*e4HQMnkdpTK+#C@#KoDHBeKFjqReE9gLmRFOd|STn8xBf2R%S+I7Zmv+XC6AFDY zIsZqdHW-ogJB=LD0|_oM_`}}g%Mq4+MJ2AvEw=WY7r_mcM&*d+l?P90AvQd$Lj_>4 zDkeb)U(1Lr7OoaiI1Tk@K?G&7E>>61TT z{ww%&Ii14WY6oKRZ$of=4q8rJR*chC-LQ$Nt_D0Gf^Qa9X4P-1%b<+5^Tj7mPHekG zym#=VTks3~{Cv9cg(ECzX42CHiJ-Vg(AhWvL%>Gyhn2Pi^`o&)b0P{)1jg(nmS)}34A$tw)gC5vcu|*ys&YI@K1KSXl*>+Z6IxO z@n(y4+Tn?~(BBTl9o`6zkhj-z1McWQn1W2}*CGVsD*|>sAewB;>+Mm|@ zd^tS?Q90?kPV^iBc0_}Yk#xosV=1_$In7v+Xq-i0V$Tjs=*_-WM}CbbgoKcy(<#gY zFZ1_w0Yy>uRs>L$$Je_cBuM}^K~ABbJGwiY^u><zCJy< zKD<79{cR8nZxfK=gIgs%B`c$&&pmXgEW)vRDaz0615;_goWXtVDvh+{^@G5A_|RTq z-VC6eF?0wwbt}iwYQw3n=l50y%z zkS0@bOtdS?ovE*=Jt)BxA)65%`?I}(Ns)3`TgNm~fYe(tDH^GpO)`9|1VfXYdFjKZ zBt>U;oOGI@QW9fITy1#BRcNLfP19KfIqSL$lR(K2EKI9?7%EE{^NU)FN`aVqX=(QRGAdIzWe?}>Q1aMO zb2+I&9iF0#_YdYG7~E=J5AKBM-!)+Qb2?xu6vUz2T)8mi-yDgj zp&>R@#yTOV4sl*hIyMFebWQSL1;#AS;aVk$f)Sims!)Lc9#rLldnDKWU~gV~%a^c- zW24Q6ye{tfvGhVpB10?8h{$RHUp*IvO0M$B?F{S0=pF9t#>ISj``Q_B?5OGZ~o+|QJ zJHr0{u|er_n?Zulsw`XKX-%1O{K#On+MzRNPIy4+N0L)VsvLJ+PO9(!hEp(~lomQ^ zkW(}H7FEqk3PwLB+~yjHaz9Z9r&|wg3v)t{Yw03FI0qXyfB&DUOm;L+S4-kipmc`s zhD&R-6vFayT_wlWZ~wbloOIw^p6>~baKshhatUcYo@f8XguWgL^gsRi;Ay+^|MMWw zZ?HH4!UaoyzzxUBw4}^1q}i(-<;XfMiP&S~t~h62H)uH6mMbT!fR-_Bdm#zG;H22%Sk+lGDV?h8lRfOe z7SB$N8aTyytt+olWN|rc1t2CevC85}Ty*#(a^=;QO*IzA093A=ZIXe$5gCKjMaM#j zAHON@L=+@gi`1qlHZ6&B)I~-Isbm?Aj?xp@DrcyS#AM@jOFFw1sd5rKxY?})X|v)Y zxdG)5FkoxFQ!%kTTtm1IMTM>Q2+{RiN}(e@f)fr>iBIK0fmkIYAiaHG2`C3@9pe9m zw@v&4tG2G<6+AbTL_Exm*~8f~zX}RPV$t*!)`Eq3HL0`SWSwy(u-a>1Y3q+@4!1M3 zUfATiXa*=-Vr80EQrl(*oZh(jM!3 zaI)YrV;{CpmHa|qj#-5d8Sfruptsi&S(AW5U711a!RGT6{DgxZn+0|vgBirX$*3BC zp06mG>B@iPpD>~oR*BZQ;BtyLTa!SPsk$L^Ld3-^Dx~qP<^iQfO2%?(PV?;S{NmbL zohdzw+gE1fiMm{zdX~e}S8s>c&&0-TS>b^={3Jt)TfCunsM@sN%(aZ0QM(j$FqrtV z5XamZEL|4HDvJm^!~%Ot@8(+BRyM@-E#EAuoUF+z2!93n-+?I` zWga>rKz`Helr`!I0DWcp@^-ykog;Ito(fSeZ;F+{xF3U`K@p0UKoJp$BRCma;sPK1 zM}`J-<}G-|tmaeQ7TaM@C6(chpj;iFhe28EY6VAMw|x`FnLmL+IAmb@{Y?x7cbea*g5_(W7pECURGAsrCP zW?&WNti+cR9)K6aA>|8;x*jYy+9QJi_!!O)2R+Tv6PV3eXgqt56?P9WOcV90ToYU9 z?z*(IPb%0M-#~{dmL+#>bUR!T!QJb_o5ODp&kx~VdEMM)p*O`U=HLHAKZ3Wx{h?)W zS299YZGpJCX5N6Yi-;-W_v`k>zJtla^4pJlWOs0epDd>OGxE^R^Sirj(LpbluKg~3 zgUp;2)j;J-{0Z18;9lP4o0fBTkuK*Ogm}Hlms`o>kXkPJ2Bu`XS(MdB$mCojvBQTq zt|ri_hkggtECb8&>x_!1&1iN=M8{NeFHnFmat{4VjTz+EndKA znqCB2&;KNOXK*clHhA8~kbTy|km;_JO>?678Hiv9#70&6ViHHPLtF^mKMf`240D~ibxma>3j>LPzXDXVFBki~2seu2kPka*hK zDfiff`Eu~nwjTITTN7rrft|b<*gCS7-hgM(@R3wv+amkYzYI1({NH>-s)Q^87h__$ zXXZdQ*`++#+C>PGD5Od_OYU+k2SK*;wg!t6U3Fy%qGZv^Kj!sUPAFmq-exn}gRbn$ zW9^57v1M&(X^1=TVMj01Ny1Xl`S!WGL%fB0FC$~Qi`G21I^f1)e{3=zub3-Qq$BTP zXGFtJ?fpz=dt5DBPj2zYx8&wg#)5x(t3Un3a^BRG9c)E;MNqNB?Mqk}F20tV!z))8 z#0%N9k|a;wU1aOmSqf90&{m`$#t_camoIPMU7Xz9zCONAri*l@lvQF-1?})H@Q00< zmE>cfw^B?T4ihcySHnxCxa)i(#*uYDknTiBHiiqh8Q=hR&;}A zu{jpJ=#B7zEL|xYO**|$rVAVdn`iHZ0lr79!j$em)821pKD_{yO z3>Mgg`f+k^e)-{~Q@slu`RkWQ&p-R(X$PJa1H||1boIoEQL0z2`;yL7hf?f!d!0#8 zs%JRT@D5-BJ$Vcm7)G=V_XhO*^UpqiP9XpW3ggty(UlvE*kMpeNuezSJ=Fv$*-H*5 zUZ|k2Voem*!!%O4%s<31Z5ti;_#-6JX(|mBuSo`k?@lgmy(-Ho1@(~6H!NDS*bn{{%NeV8;G*ig@)z51@4g|zIhrFU?g z7a#HxZa7=yX_f!eo$4t!p$&u;Qmj?ysZqmF`F6UYa;Sm=hMhlf)*VHZIB#PvFuC#wb2*i5+Q82`XKzI$Q)Fzj3 z;JA`;fe(29{P|BK!m58l(4;feHkyDPUgom_9FN2n+gI(Ill-n(_LCRj9>Ri2F3K@% zH-23negD@J4BsDPWp>?Rh42?}lHXJ%9-8T0UWaCgYwJgwBb+&S!DNB_$vkFx*G?9^ z$`DAY zHRQ~nj+*=p>iy)1l=v9*%Vb$7pYR4&XN^_UpN9F0)M~mwU+1tX;SY(Xkbm$Is|Bur z|G&sSDiZUES<+>Wc$?Fy!ekSqR5;I}ulaBP`~H8KNdA{y)!@(Ck$gg7?9GLimGQOk z@$l+Yu+dJdb&`$2{tt$6mAMx84M=LG{4pbOgI=%HZk<){?6Tuozg3zJcw2Auu@-y3iVY$4W+xTPy+L z2-fO$mz8;PJkKhx#GSmrN2a%qXA%m3TThszzd3_^YDFYok+@3`3~BdQw47C}SnBTRCVO{fyA7~J8l`(% zGvPFo_~wPfp4HL-UbRz>qT``eYonn zwq&?B|3=Mn6_?LE-+TVWR(5zeWko4x$5m0g?{=+E6!v zv|NKo&UA8ke15_L5?~qR(cW4E7vu>URm2x+Tn8+mQjPIU>)2o zwYrqBLQ()*2mJFi?g1?#3L>px0We}rfO9ZTyBrl{&(7rr#jVC;%f|P7y{+UaxE)Wq zjjjm%1{%c$`CU`T!m#-4tr-dLlDufFyqT2a#_#Fg4Pk|8P3q3pcW`0wDo7z1C9Y%K z<&4_?cybs^iTc71Nfk431s9oma8@DV>Q=c7Q=})wDTFzeyc+QehFj&M8);Xff;0H=pdCI=jwft5lED4V2rj3sE39zTUdfG|Tu zXT7uxGYcvGt5%HwCzg5>ZUbh<9-M8y%#Ctl_(ze9QH!W3*B?cS1;8-HaWE8XBVXh` zFkOO`UXVX`1nvYzG>)6;6fQg}VW$M2U=2Pbx{@8mJgyb?D6`}ooP*psn6FdT(tJ#V z)igm&aOJ$(;%**)2mUKIibf{fWKu60urE)%2{L@hDTGaqskoq>q;QY;n$Uc@K);l* zOx<4Q=?vb)yXG#0wfT@b!Dlg8)%4}Va4$I@pErvIx~^Yi+8JE-`xI;4zXo#zysOkY zmS2OVM|7MoO8CtqBye{N7>mcDGl+&89Kr^MtNsenV@28YySdu@IeeBcON<+-8tX^B z+D}ki4TAJG91r^tjB@rNg)cg~H3 z*(pPZHN2YEeub^La}st6W5n8SkY*2h0j@L}YpaZN!H>Hx-3cvx1*Q?c#GNt0traz} zCs(OLnTxQ8mYmaRpVB7&KyIAsJgCutszZJ8ZT2ME9eWaW#>XM15SoH(vQ)FB^b}5H z=vx%Kz6sQAsQ0i6VUpE%U`@~)Ax4(_tlkfPzfbe$Jl*U+{ps_kUq0QNua}E$+&%u> zJi2=O7V8i$i2KW(m&B(6)<+PHWy6zfR;k?^HCj$9S!PDVm6T{9>_ZJEoE=`cA9H6= zskpYeL)KTb#BYf@f+(I{b$Lr_QhuiG?}~}f5^hSM?PqsDT@F348m@>zX{h+jl~G9Z zPCIMORUY8`h4W-R52T*(QMr~TwJa(NK|5E1~R-T={I?Mdk-4%6pk$yVuV zj*RvC7uJ~%3^K==MWogOGqF~oD?Hk5S%L)SWo@)dbOgF;yoj5E2y+6neU)PrkE14R zFy1g#-sxn))OSuou}Joae;-?lT$Xw-*+E7OyLr~hd(9r~PeqGO3sCuo$pwtL9}WlH^MfaWh&raqYhS_B zpdP>rKWJl{NXz*BDiZxQCHXpPXOb zoZKEBA75`}GYgL{+??0sAPZe2pEBAKqC2;>6lGa`OZaAG=DN)@(!-3|dn|Em*X@vs zVM;se2<-4zr$1ION!e&obFHbusHTW+aT50hnAS&W1zv0A%0;DOPBPg(y%Riv1p`=d zP_2f=yCdL$rWu9w!x#}a*ekdF<}IFfIQ3fzTt z*XRz4Dh;bGGLTi`IrYbGk8_sDkZ8VZ*WcC|G8cCi>3YI2SgBqO|7tpx&@t{I z(KF;u!i*utuJnG|rrF72Qm@=B4 z#Oeq?+|O6{zy9otKiS7Y+5f|R6WLNTxpR(k{Lp}ysgM;btdjfZ&wkGH->q*UAiyAA z7_60hIct<(qR)9o6}I?bvqd=y4xaAk$yc}1zMk+-Lb_|IF>|QI_axA$vqyu4s(KO5 zre0C@0_Hg^uGBZ8v=^fI=pQVW)AGr-y79Tj((T6l)cRIEvK`HP(+r`8%)tJ$v@C#Ew1}l=h55I@^T^qDI-hWB1B^1zmJ$< z+PtITGgL@B+1_j~>4B3s1V0BX$yrLk`b9RZRvr5C*(P@`>5NV7x(3z1DyF$cQj~0S48<89v@GVRQYt) z>&+*>hPK2T-WM6@?BrplHG7((+>;)|lz|Ha55DK7nKtvokC-iD{JVML9FQ=%-svMa z;XH%ucR&DazLiyxW~MGl+%}JGi2;+J<%E=BXUe+=lL3D@X`u;(6W4TAbMd2fMNnYE zY!J8ch!pHv#V)GXrZ_|No#A+-{H|6e>|yGR@TVy^-0d5QIJ4p}D1c+V>A2bOxYCp- zx35STG1_F5EU=gom-2A&^N^&K>!=x;Sw-|5oR=n4Wma^~G=T@;(tGTUbWT5cKA#uY z*Vkc9Q7_GXf76ufv`?P2(4P9IC!IhlRWTH(URf=)0Xf)6@6!tT!7e_aANM-Du05sW zDlO#M?cPm$HnT=xyvZV6`XORz;;4FpNL8?E_M5ue2XA;^FMU#T4Bgp1 zTd7rC#7tdh^I$N|t0hK%21HyRqZ5Tl zK`TLo(8!&67%$ZZl=+^ZVKKzf5TQj68Kgf7rg(M9411)NDz47KDeg*5fHJa|T(CQl zqSdY_YNNS-e3S<_GJ9I zU{w|Q7&(M7?cgXE(GDfE@U?)WOzmY4JSvL-{;$}%ee4;&d`g4C;H)~}XRn&&GN%`e z@0I>R+gs)7n|a1Q#`4jZ!gta=$MJSlRx}IwbjE)=x-xCon&plg+VjwvRzjMpg1Rf< zy?Wh@A`SXP`DN`)W~0X3QhrZQo);;xOW8~s*-lPHF&$G;FaOBymxS1*bVNb6E5b-< zBvD6R=u!si)!_r&@f>kh!Eul9n`XSE|GhBqf;Fm_@!nwBWaMC*=JFjAKuH$xD_vh*;w zBp&4aAZHla3*yR9uV5!{w&_2!+ZyfzZu^I>ZdU8k?H`K`j|r|wesyp*#N=p~DxZDDW{(8;`bo_QYjkcH1V!=AB4X;+=j^ntw~BN+C^T2{2$Mm*S$c_1 zk~cBdf4zkm9)&!MO@jGvk@iqBYMlpREAr-o!;ABSZkQxO!?*~EG4l;<)&<5VXB^ik zQc%}h!P$Yl)#UHmbWQZQ9n5w+QXGlIYJxuCOwlf#LNz7wp^d$H*B0eovngwkkXkuG zsmKpVxDM^8v}sG)K#H#&#*&cqB(eg>0?huDm`5ceyQGB7R4)!sS3G72(U~R>71m}~ zu3XbUM8^osA0{IzAta%9jxdxI0S7B4rP@NSSfk`^#E`zu%?l4_f2RSrUapu|vcsl! z)Pm%qDQ!le))C}RlHPcZmx*jH8Qb_kPv%nI{`v`Ru-#!AmFA5X3hWvfsq->QSsXKD z&++2&=<*w8hk;!R?;8+j`e>PwV@$#=mFqQiIO+mZZtEy&fKNh41k$3m%t^_}P`Qie z#MKZctu(3;z*E1?dnvsILj;^L;tTS*g@SL&9DbN2Sla63{#s+d$8E`h;Y+2U0V+bW8H z4h~p7B==%G4GUrqHq_$`C5(e!ku!m@kFp--~6XP`>Wj_C#gJ1m&vQLL>s7g_a6{o99QX`$p93o~}O z!3tQCT4)!lX7FIJ`IaA(nI6J&Z!kT6oKGu+`%%pQ0G^R?x9)!+?*ws6MvIONVTn z>4(XOyhI)3kd8C0S5z&#mt4WH5GWZujhA3Ik@@kPbqkR3LFNkHB zw+`VOLYCdny?%8Go93Ic%)2Q)&ze!W%;6oOMT2_P&DaD*jxz!<&+}NUnm=7PHQx73 zgsbnso4L!KlC|%PQM3jJsYZ-)v-s`*Sl~E6iktTDc8lBt3`U+c1UIg7<_%rL*8Bi3 z5(ap^j&RZ+tr9i}>sHzDBfKcpxWu(SW*q(njOP%hZszz#T_aA_`cZ5(eLllufe`uh z*){QvNKpq071uahUcvr~^9o)?7iX#8jXgN~x&(LPMFZO^lCWf>RB8{>dfD*I9-;@o zNv`0%%~90cR6Ym1r?^%gVA;Y}Ozf}>`+k{L1u8A9=fwCj#Wm9ucb01vzFy(M4oeTr zqg_Y;aG*gH^odyRQ=ljr?A9)1164tHE?{vNc<|rq2I`M_D_YA ze?EBrJcg4$`*{E-KUE@aIsegzKsh8d*7xQ;GE|gnnG-!QBOW4xCN;`7ilE~6^iNMr%+gUvs2jsb zVRd6{Uz|fj1EC~wX#T5-O72X{4-cX$dRtCeA!wZO|v1+H|ijC1t$7nB-cQcuy zs2C+X>=&nK`X!Sl28fA${UkYJ$7I(f%&Kfk;3$sk!FI7+Q3f1k4TH!Mr7OUmTxY0K ziFe;HIE4I*ACd0FrMV>P9gRYM6S9x_h@^J1F47ek-kiNl5fTySVqsKJKChLBCO#C3 zWTW<6j&v3q2ikXnk6np27XD){HGBfJ{~O9&`ox#SrxiBvfE?mBd`%^AnA0QmbTqj- zdmZ;RTulqivXmwp=(^^^a}rN?87c`i+ISDS*K`0&K(xQm&4On@^y6C92W?ieg|nxW zt|n4as>F7i0RHK681_bx_jVOoTth1l`Y5U)nnXBH(fK>@q3ktF5k#FPojNLhG2>Td znWp@aTtV7$P8j~Zb3S6)!zx` zQ5vn9qH~nDjcqGn*P$nuCVPyMr(zDTPn25leB#A1#G|v%NO);clR;hzlM}FQQ>jhK z^nIxLWGgWUgU3I%_pQ6}>j~l`79qCS_7>JS7NBg^t0n+s;o^4~Ul$yfhmD7*hNkd; zp@*SJ!yeerBV=eqsXqbA#8=vfr09fuA_T>4nMGW+^{qP+OL@uG7QBxC_WAICJeSn=pg-T%@kjcgU;XaryA<7#! zrmel0O8(YR+keTJ^H6b+2Al3=RSGG}&Cm!dhTRq$ z^dad;!k$XsVol;lS=zRNn}yxj11{~6t+8O$SJ|0PMp9@H05QAb>9CP*l*+sp0V#T& zIk`|XP2m(V_KB%D&?l?V?O_B7vO3&V2`7sJwmnu*r&JRPuDeZHMO3vbFOQw z*241~rWWCXTBA=9MR{Pn@YU5T(}?8N$g-3tgYgWP@{}K=FEHeMEzkgad?Fhlmtb_G zPwHJ?56LV=DNmswwuft&(oCZd&-=;y5B+5JAzvl>bv7}bBs4H04UlFj8d;~ z4BM*7>A^;BKuC?EFcqKq-Fu2ydzv)!xZGi!zSLyRNuAH~(5;Z7SI_ zei=+mP6%OxFSAKmrF8SRBiK`#q<6F^n@K=&!mC4UV2?&(kQ-Q&oD(*-4IbVTvZPEi zJLZ1UX74N)U zWkk8TYt`ZP0m#Eh6uVQjx8lXi83KfY9#POj1lJ zu~k9brBOBw1)S>8^dbNsr5rfVwI}>E#-ydh&N#J?5}lWX5HyV2eVtcSR9(y8;Z`us zHtIpk^tZ<@J?lWrXS+6T%)r;CelPH`O)&~RE)U%&4*PgP!H8(wP5X}43}>3qP(`JA z>Obw!AnkSuMCa?i(x!60%_1SG5AKww-4#uz_Vy8&B?Ngg6sed zHw8(iI#C|b*rK62ZQR?Wb*cqvS7bZF`li@!eht=0UA0&S|=F%}! z76!LpE*q4ypf{qkbLq4vd?(J)zNBWj=qzYPqiJT^jH|LX=K!1yuwn?NgGd8@M!Nyn zmjPo=SVu4m=RJb*we+yX_71X%xcf4XkAgw_vY%lHom2+6pxJ|xVA}{G{p_QmCppVe zDbdU1B8gR%%+T(JqAP&GylHllkdD#5JMA=k_5(@(S3>J z<+aTdlV_N$&BiPLRwEpx_YNtSEl+KX@CS89d3L;w~g|3}Z#9Tc7yzPv;q_rn+*$Zn; zurX+&q!R_J7=j}VA$<4gLh4CFN*4nKmM4d1^x=Ck6j#+_vl=G1P>H|;!KGN=`DiJd z3lVZmhe|Cp=|OLBTE}r}Z^BW)hbobyGCTTx_CAz^?i#%(HCIwJBMO$wo<^cgy0Oi3 zup?lZhL7QZTEdJVwbg>td^x-o_!=HOgkfU>N;_G*;A|1>YL!)F=NDri?(Tk*l!@a?2^w57xG@zZ_ypU+UP7;{PCpunbb`6dxwUHGwk1<3ai zcpdyw$rtop8_%=x9UnXd!N#jb$deUU^zelZCenP&g(`OZEu~AMkHJO?UKrbEgf=CU z1hLb2qQO9p+3m)uL-;|lX7MEsPhY)wJG5hh;c+=1*-B%Z2NNZ@>EcPhv+HW}wpL{3($OV^(kxl1bw+;HW zit-VnSYk4R?p8;no?K%lujxrGRnYtJADE0$M#7C&u+uPKyrhfwkl}LM%anQ%dg&AQ zI-N6CPi|NFw_jKsp@zPA~G|Q8Jn3ISrL(>Qf?1C273B(26HzTGYtc04EVx;(e4=-gPy+G?fcVz z!MD>tqSy0&to5!Hk(72F+o-ceGIPa>_4$50@AK>tbUcok23-?cMEae*D7KYz-6jWb zsJb&!<&nwqdYLrzfp(2J%CR`Lo04&lvhjflB6}RlK~@zt7QO8-1M^tZs4E#AgaK`@ z6boI4K$yd>PA}d>)H@qNnR8|>`shP>3g`Pcm%qSG9D5!2c zUb<_K;HihwzMDHQa>}V<_cRUWsA!xWzr^J8ee3Cs>jd@4Zk@)R0wqh_aD};QDJl=M ztpJZ)ela=sEcb_=!c<{F#{+f1ynU35T6vr6!<$1BkEF~3$FUpWythn{xWkH*x^!a4 za|X+ckj0Bbv&zm`MLwVesnq7!?_U_**^eu2ov%W?-QJ>2qI1z?vVp4;uJ$hB@cO41 zWjQ1HJQ64F=tzDeS4M1{4}^dog$o5`T$Ec>e$&IE(WR-7ryLT0hp)cv5@~En`E}dP z!SI{mDlsjk<%NHI^2Cn_Ulj{~D>IVH*dK_GI#&s!$611Q2T3S>}!nl0%H=6M5 z_JaDLo@q2nFO}=i3Y(G*%dR<>q2ThwNlAloSZ_EcXy;R{jl5y!x@)8PfOedZ{zBF} zvC;@|cXodF-61QGk=U`NNH-EN_*i5YG=ND`8Y);iR?#$KFTDevmJ9AuLaz{EYJ7;3 zZKc=~jhLE}(&|o9nkJ9KK*||3qCR+c_NK56_|Qz|Tv`qm6V-~rOgw75gjxWft)d{N zoHU6fT&*SHc|#>u%&sBRM|s^&a0Ac#3J@ATIvQc3pJjWa^}eB+;ac+SDq=o!U3q^3 zV!ozrn1si`?^fZ-J=xgEeIp9BDiA7Quv6(+p&l|bZ*#5jtn3eipc12R;zY8N4)l%_ zhSQ^VLXH7?kQ$NqR6tcKX7YuBe$=GvM@E=dkOqd_X%h(|sYc0QgoB?k4L<0hSj>Ek z_(2eJXzNWB{1HFNt+G)y8@X?e#?_~TNO@pa$ji18D#&eMkb;1f*{)v~0dg-)AzR^k zqoC%+;YTE7Z-*&aP2}6~k>)vk2>u~pRdTw?G_7K4OZdCYm9Te)-G|r$uQlRbK~uh_ zi`e??30mS$`Kpjgw3P`;p)fTzB6=oWLc(Igb|S-Zz_gL{p#l!@?>EmcSZw+H%EnYP zTTCDMHU#*VVs%c73DwqGDR>XEb5mT`k6)v9(r3zs1iu;m4f!1N?X#06&gkjBnE-0x zbN;Z}m-){R)Z6)e#yS6JRQu?)7=h>Z#`V96!JP)$vbICn`5f?zK9=&$*AG;Nxaca`?^=BfB zY94=HITLQnOsiBY`t?8nO)L(|H8ka6j^ETpo3CS=yy~K17_+&mozX#MtU-HAXOq|4 zgAIJh>vDCC3XMi`1lH2hvUbm5LGevbS!yDOZA4^mw^l@HPxzO>tka3G(g8u9QO%Hq zJiKaH~R_&A^3*X7JJC&kCXd?ObGKD+Wb zp9+OCB=Jl(8)}S;#76PrRR>w($V0dm*SYkHV+zFKAn_ZMBZt^o88ei(s0#GZGCB1rMbG!*6rBuVWq;Mt{X!Mg@Bs02%yQ^Z}!LI5j` zHN*_jQxCFHw@^@maw`oGhO2vhTe7WBbfv$-MsS$6sQ=;$~KZbgLDc0J=( z@KFxK!|bti@eO}bkz9mnPk2$1A;79=lroA5ej~f-A*8<%xBI7Wa_12Kv#ep7*x16< z_0Gzekj=5@`YiY_L|QpgStN9l=-c6Exk-)oXun{aA(bFX2u}q8>IZ06IdjTHEE6^G z?72JGD=6Z&`RC6i3X_lXdQml~HD9?2sPq@Ug*R0V>+U$G3#U?chojaVt4-zE9)5JE zb4^$hFD&kx_^A|@iJ&=tS(H@jETZGQi5~WdR9G%nEv~iET&ll6sO21MZs55S{8A`~oy>wQ1o&8i0GYb6(4i0yh_*Tw~ z+TBJ#?!=r9uQsK7QxF^U@i+Ldr#udZqah(=V6urg%Sn@Q0*&2uCs_mlAiSb%I7HN(UmgdGZoH^2N{?F=m=>DNQeVAvSk&xIR^4PqO0 z9|c2LuK5ab=x-pe^0{BSZo)JO?PqSPz71yao2|Pxh{`3QX!ukv@wl>eSF7vMHr2KZ zEqpB}gXLmaP4mr-nUv@7BJ)jiOXLz&@fou+Ux3@Oi1>GGB=Vxi&y~eN}JU-Ft)N0{pINZ1|bu& zlG!s*;`M=s-Y9cygM*aV!pA058ZYnx>eRBlnYXIHqp2N}v9wmrigW7pJzUTXa)2QT zry^(uaGT@Uth$WZ*c7$l3{e(AIaVIEKmO@&eN!o@irf?lP)w@!@&Cf$M6cv?AfiRP#-cpK=leT!npR2KTc@RySObUEL8_enH9NQ}wv?F3?;tmtQ z0O8JP61j5ZvX)xzn_}lEWfe#uVPeP*bkVuQ+k`_Y|~n z=O(49M=-M8^)cPI{wEh1AktIxrcIk>wA|`q3qc5Ib}TsiBr*7rbKl+JuOGE1*p2J< zeZC!dQ70*>H6yKA(6e(&D8@k)`M%rqRXx>YCx<1L1*B?yIG+3y!Z@Y4cmO?0ffpzF~9A09OEsqd+@Z%WbOXD?FR~;XsgOt9+`X}xhKnZO; z;=LL^OvAoLxyZhT1qr=L(J36{EB8)ZDTJhcK5091E?2;&d0-OF)WyjcP1~YCqCcKm zuIA;K-0OQi9o*_-bCxJ3tEtF#Ecoz`d`bFll~k%$t zB6B1_F}L!E+Q(3br8ymzph!;*xg|U+y;pryF&jhYxvooRWR`u|N{UuXaEn5&s#w=p zC_x`sNdQ9e2zALeL4%v2Y9Qjb42dV4nn{jW$f?-{ucXS5E-~UWYDH;X8>0kE6p)+J z(O)bCN7}eUr=>n1g0VX9rlo09l}GnfMyD6dV1yP0{zBewS{WCaus0yC2YT6g zUPqh&!a4`)`V~?1BnlbPT>K?tjY1u3jp=7(vnaK_0INLX1SRxnr%w$ow}=ky`_q~??) z^KYVGMTLIovoqD_l|7tEd}!z+2593({vF=Y$_yr2!n4|4zf+PRk2CJ_QVH{1zM(p@ z(Zp>~C{ruE*#nFq+Zjbn3aJ7pgfDWA1tQG={6KW%#E2Q@DDsd=(A{Sb@lv$Y3Fg86 zD(uZ6AEW{hjIwP=a$rTIZ)kv5lva|f%q!6)mnAPhJAG}v9o;~CR^|>r!|EUKa8MeD z43$Cnl>I(^mQTwmk%KWKnh-&NsXje<;+%x-GGB)f-FPd_YtZJ#^=Bm?OXS!%)w>2qJuch4 zCemPCJKT(*$lRLh+9F=#!`+y^^AfWo|7npj%6V}_w`Vs%^fZdeBECa6+{iqcLMdh5 ziK1QP(I~P}zs`X=uE+3^7qu*%8Bo;`u3uLn7tb<5U_=Wz^rDws?kyM4yj%*ml%@vG7dH6HH?5Na zDcrVm^LR>N&9B47ZL$+cpQJ!Ss>*p011a4Mxy9jDU}0kJSvGIm_0z+{`*}5L55_2; zSy%1Bv^f0c@ssZkpL}x&j2`akQ9hck%aLLcNA5u*deFRGE~4GO@KnL9x|3_{1Q6Mb zF3Vi$heGr(36y&EhX4x<3SY61yEAmkl<0}%HV)DNW6TxEXuu&=NF3V9=BOz4G%+R& zgLnkbF~Uws)H6DD<)9!(e&oKopV5~OGT=^wDZ_rYFZS9Q=jGwhgEx8kU1Mlo^{L`; zNP>haZ}6`n^Ttg1hwfz~f5@6eQLN?PBq%mV=_~)NCq$P%?HtN<0qDH`qs)?s@L%nMz(Ns-4vBS4eQ~=4g!3sv z9j-?x&go}dnvr;8qJ`5cvz`1|z-viFnAMvm6T)h73{C`u z4Maui%NxPOTXk^L$l1yD`O(!YK8}ovyQrr5G6d-uB~|wB7dGYYoG@ozITI1Y_Ru;} z_JJOwL7kmMtaDUON4Uq_mGD4u0*fTYSs4xH-cve^4j8IcR`C8btz%+_9;&3mDhM6W zIs?ehIjfe0sP@LN`&0Q zhxz%NapNo%ycS7L?gB&sHig9(jz!@RP{V{Om807rJ_L+xI-dLCkFSs3dL*^xTwz(n zD_;m*MUL0q@um<`jhskc-UGbSt1ZFU(>mY5B71f&$qswAa>B=e0S^R>{t(-iY2aO5 z-k|XNEm%%C6)dFyjd7{@_e2Tbq;c9xS}<@qP8j)kxIb795}aEUli#W-n7z4r&tg!{ zus>oi;+fizETJd45In+t*sdr3mO39o|Hiauaq)WyqI74bU*GlWAu%ht2KwtC-@iXQ z8Tscq!~U!0p1BQ8GxTt|6})F02&28mA7y2LXMS{kW*)M~3Hw-|OGWhpIVZRUM~s)bzXu=2cIShFW<;(R_%(#xppXVB??@=jTp&!yBPyWn%{P1xD1xF z3h(hczb7V1!e-91s~Q`wZ4+c>4+=B15P>X3;wqB1nv})Q0CW}vyJVbYn9W4;Dg{0NqR__+&9VQeYXJmpCbY!GJWdM=&=VG~S z7WsYlQ!)Jvl}5aKgm1(EgYC{Bl2x0^b?2A=39@GTi;o9y4pf4VfRL$Hm6=fIdfexL zJzo}X*8k-EiW^`X-70VX)4y^Za-#_Wz!cr+TTme5R|`ii4URFi^3_UFA4(t<3mWOd z)IwjBbTY)y#lm^4Tes=%>6G}3@QUA!o_sTU^0?_c!KF#C;2*%{H?K=zL10#=q1J4hpzv##ip4{ zg$cp}^SWA*$zUyIe5N3kRmllZoW}ilsNq8RK16G2epgz%Kg80>VV2@>A3;wvSGijU zU8@8mg>od5^ft&t77eE=yBL0>Q~}6BG8q-uF$z_U2u%@f3ZofwLCaaY3N#gh5xh8k z{qE@G?Cr~EPxh%`N9zF1hs;+muil-X^QYtLYugDRylSw}Tfy(tDklAHjxfwTsT%RO zE~q*)r^HJ@hf;_liMmT{o`rGX`Ko2a^pOp>#Td?$(eotZN=AH|ZuJ992Hn+mT|C3- z2l*_?u`uC7#s38)=JZoBxx`o}`CQI@_E6}(Z@g`+&{-w_hxwksfqwJHlb6>Q@84dX zy*a%;IlDNN6-IP7hr#QPRhDg_2}|65$q?Ieq6uW5Vpa!B+nxmKng|TH;S{B>$VH@F z=x;h4JU;?E%T;i|)*ZO>!v83z6dBMtqij3mtD+2qsx*K6prDg}zc2eBDD9F!nN)+? zC6^Y%x~0CZ?u&YabWSc+PL34gz!W{$-7dA8q)et=3txMr>Hg94{3 zA&ujG^Ql~JmO2hXP%9ct(RacBPeoSK&QOSCRHap*95F%(!YZmXH)jkOO5u$Y)lxt6 zpC`tNs;%A0=9SMhGBl$A%V@JE{I2^R9n!7|m~z{8-l@$S=S?}05!wgm`hNE9<7HeTxH5~wH*u)T#Gc4W^|ZZL zBIcI_TVTQ;$+6T5Q>S{a!N-TcTn)q%k!RVoYi*AUm=r_I6B;-0%0CUzM5t|cMd`k z@7ktwwua0mQUnUsF-Z^NiEJt*KwUTohwpdmd@}bb{u3k!HR?xtill*tjFr|YifTrx zd&T??2(Z4Q=e;hcm-Ms~YC?Hb_LB(myjY;XQA7$jJs0A|N^HuAFbfLo@qKYpEhPjq zFUO3a4E&u4g4X$R2B+G5`$qY?INHl%K9YpqECc_GoUR<#>E2Dkk{=EX{(ADZbYBR& zol=}udWxNzROdl#8EDLP_z?8 z>PXr3rhx)Vdk_V;eT>c~WhFqZID88sBq2a+@JSbrxd$&?b8m~be}Tg|p~7BBCN7DP zMumGcOyomWT3a5UAhaQY(REi^2x>}rQ6Y*YvlqD2ZMo*n@a@6xJ0V1(LPY&FV)J-A z#McdJJD;XP4)BCpiE>jbOqv{_3Ucu9$#q?l79wXkp2)`&ree3*-T9Hm(Qfe!VHBu@)!{n9gpLY1@ZxUw@z6$|1C$$u z9XF@kVD^qZcJk2qOxa?zCb&k$n?JDURs5&q7=kinKp4!BQdRdM&XM!%MSY_i%@D2z z$AbyHISH7nzMF`rMCmT!Z!JIfLsZY572r1LG&{P%*eQs)FT#vs%(9SdX>x8z{RPYW zFtT!}_ET|ibD(StT(c96o}R;bb30mVZ&LN-$-L6*5jP(U*#w3904K70!lYfGiq2Qb zdH9+;up2Nw`mvXjEjs}O6i*`#hsrJ{u#Stjb;|5 za70uB@=RyQ7I%DtM>bBL-BeYmDPuYd3^|>_0w0?SM_I#YM?I_g{ zvMp1KB{47w%%FFK?1iD#i9!W*Bf~+caAbn}5ItPelPQ%%MStFHO~QN3IjWV!Bxo!4 z457&B`j}&;j1Y$naRhE3{+heqU?KvvRzjMfFKdrTVAy?1h3wP9B%$jw*f#E_`EAlL z=3>kwkK3QMZNzbj&y=I{Gs^UV9A50wYv+1hPucd|+mG!DDnu8zKt2-T2>nIJ=YVXG z$SCHA#OB4@vp;4V(4^@(>%jwrHXRxDUk-7~=WIro)U8G{2$t+t6o04)XyAt(jm$z;a*)M?q@jIxz z$4L0i+jm!IFaC6W`R@3q(<@&hiEu^`@z7vtICdi&E1a5CqlWdu(T#GYUrCxcK6M}H{au^b{FmfX&dLj5~eNO+kHXBAt(Ot zOYofn|3;T%aB$pX}c)S=BVf%oSx*H1Q-cmS-zCzxr z*zUNQzIpQd&V&spJ~V2Iyd8Z?!5He<@~Olv4ddtn9a>S`&#H;BP}h{tkUx40p1mU^guWm{uni2 zYLPjh?&gwkTCtO3Mc^ebdGz}AyN}mrZ?8@-j*hR+KAc_)Q~uu`U7fvq+sV90%`yvE zB_))M%32uT>k*kDw`D?nK8J0b@BdkGzy>eoT?U=hk#1l zm1Ol(VYKV<`Ps>nM@Be%8umpap>{)!Z|^p2TrI!itZ0X<0wIumx@5HeXv9lkfSpjU z+9(;C4WKws50YL2;HhA)x*(R^F6XcUn6<7sKA+%u#?aTrwx$=Mkduu6r) zYMY5lLehvL_G2oD@@7>98q-er-5^kzcY_R6z-b~|%3aeV9ti)~4w{$A0%Nde8E0j@ z;Ce>-I4IdlER|yvQcbY{VTk!s6J8krb+!gC*ONmJ6@hH6P<3~M0>EWC%2z9*7y-BM zpEn?etQXsk3C7Va`a{Fy?-S0*#jMqwRxR}IkBm6;9OviM^e;fIA7%>nHWk$vOak=J zlw`zA*dk#n_7s+uM0W$!@6gyvoZV~oT%Nr=dVX<*C8B3R_VdQs2<{J% zhuRO0p>0Lri^Qa#D}lSO`XaXZd~(ah+tHLsUc>KdX5$yH9f>@t%h5n7^8G!jUd@B+ zBM-ylgtdHAM=G7%z8j+0%`$?AsoFp<7!iO&;FXG1UEVUwApNe)o>%qfVs%^Hg`59q zb>qC`m*rSK*W9=sKi||7;Xr)u*2KqZ(Ub)uFGFT$bUk?;0us*`1RM-Bl&@e>K1e6& zo-mpJWq8C6)1+_3KoAL%c!_;iHw6kY^{@Y90I^MzZ&1U~Ggsr0S9bn7y|tFlYC-#%|ZKUa^-qW%)j@f8tv`c^);6?g~E z%9|>CSyu?Lx_*~=+s|GZ!5n=f2JR>_+70vH0xKEQP%d&~C!KEy z(DzdXg2bvScTrMynI=O|lyR~T9GQ|%c0iE68GskvV!d+9%cCQ2tDW?c|1c`ag196Z z%=pz<$v35&tVMq3MtU;8>u^biG41d}ro51IXEj`sz{3vs1HEE}2e zl!Hj|TE6~IAy=z*JtE8QV0!r12dLx)XeIC^xz?>^8$HJtAvzn)-A_@1!QDc$MLB63 zpWqG^ks9fZFJ@-NFtmX99WHBPX=i4=i0u7Qlk`r*`H{ulYyY|b!k|x>!5DKuq=@XG z>?m|$)9?M+$>GbhldNX-A(jy(aaxVb&?641N;^tnxG6cnQW9B2df+DL($Q!J!rpHyp-`;uls#7tC_QfF|qLlJx}XC5-UC~Pq{JoL+}le4$R zNfU~jz8bu!8HoxgRpZ6^8(8~PjOEqw#3Ird48MYPMyTfjX$qi#`###DkQs>vXiXmr zNx4r&@E~4&LU~$f_6YjQ9?#(B?D}od=o@*~!T>qXr|wtW-6;B_xM@vV@*4DhWTVkw*}lbUp2tE_J)(XSccD-onz(|9 z`QxTuPi_-PPGCrolBq_5580D+EdlX@?J8l5D2lm;x!-F328%g_?lvnE#9)Rs#e7O9 zqc>3k*N)alU~B}c4+w*9;vo&VNMHv`eG5`R1ZhT6VbqqUG(+=o_$$Jz^PoYHzw~27&`5B3E4pO+r7N4#{H(m4CL2o$Io_|7;}q?S$;3Y=250!e`w{R?6lyh*_E>-cwD1mcf^gHarj zBk#CQr}7n!0zw$1;c4Z?M)d$WiApFmC7EN=^z->zASNhkNSv2cq7iHAp;9uU(=k+I z5@&Gp5PD#lh@(7s6h&kfScR>AIDgv+aVJ8DuaDkFfL$G}DA*vdo2Fom%V|Y9AI7+J zM-^5>caxfN`{E{zcf8F=C`UPiW4OmOC}!6Z8>!#AZrk9-vZ2DH$HHor(j{`nZtJNG zdotx%YpBJ3CX8{|c=UW|SKq`8{1y3)E+_reHj zs%f1pP_jCqZn-b>$)dqJocSmf#vMm{D82zif{OS>aZAwho`K&dz2*nl|Swgv4vOE-wOzSS1G7qaw7<90& zkd+x`b?ZJwU=xY}>qVFzRp5D9wIV2J&~8vi$6{A5J-Zw8?Ll^G%$j@L66=DM*J$l1 zRX*grhzfMENQNI7XQWVJXc{zFyiyJrliWw=d{WGc`iRQ-5OwzCYRO`WxYRi1-#mht z@Ab*)i_?qiqvPY#^DDwWI}U$O^Qlv_P5`3ZDQK0Ya(cTy1!O#j+xvPjcDXq~7H{#fh`MT7M zitbaln8x0^cfC75dZQ1B_oB^CG0}ll{(864^j26JJtA@A!mHYS2}KUIPbHNI)MsE`w>KgCE;#MJLhM_Cw|5oT1Q&(xDjqA7-yS^qJxKg!Q(_O2^0r{b(>S?N zrY8k57F0s_jz=IFqCyhsno^Yj$sDxTOgCP8NX zBA16Qa~@nDZz{qmBUe}Xbb<{HoSO~QNc~H%m}){h#ztpE*F#*nR3*xnuRSxRd|Zgd zr1VfS=_R35WS4SaGM{X_9<@A2SWZKhoDbvdIa z$)78Wx$DAyGBE{vWLyakN^~SbsS2@;OcP~jAyXgE#_srt`2Rft!@z(=h~QK>)g$hm z54inY#Cu+26aywKWsA*SkO^XtPCg$M38Co+_fkI})uh_2N$1?eb^8niKJj>w*rKVT z-K-m(6N=AJRahz(+IoA~%#)Od^-4pgteIUfzCcZM7vyWWlyxbA9p~e^(Lb|ccx9#P zf8MV+hLSA|cwZ4A>-@cBu7I`g@#0jtzy~9>qO&I=(C6zi>tJ?u^`}g# zK~VInfVmndpPJ6o9fApE6A9aEyn&B3;kWe7Xxakv8-z;d92!iC|!{HE4(>O95D-ZA}SW+tL|6uY2&<4C_0im zM$~|4-avgx&^roU@|$Z&FM`m*(Lpj~MZpWQ0PaZ|c!QYgy;P#(w1IC*TPte7UBq58 z2NV){@-$^`gnNbMM4FCuXJ7>_KBRV(7)7e;%ElC;6O!24E-!c(uBuCFlMa-KBY3}m zH6{rzu>g2FUjOZP6!FIqUe(FHE%f3+Z-!DOvKGUa#D&r-u;nHqAK;=e9`8T?ttt2r z*d!Hw=mDQH;==`0j-((mX9Hj)3!`{biJC?F7BfV9SZ5G1SV$FZ8u8U4&df@A+@+aa zM~;uw7R@AIcQYFjqrIgnVS63s&6Z+N^feDi#kQmxHUp0^26$3Wby^4881&PWoD5 zKaP|Oho#&*lu3MBfdzDi5g$sZI5rXdJ?|^obed#ZBcf!do zJI?hN7uj`FASs>WkzSE;pruT$~*yDQy`ii)2ToFQ~|bFF7y|^iLXR;S~O>|GFQe=#p<&& z6o=Vqv6xiZNwokkc?8;g#nRlaL3hsGdaR{yLNS-vftPb=;++En85F{QbpH1UZu2ky zmSA!fKx#k!@*kl2?OS<%kiFde^6!_<*=LaLj};Wy;bpE=+j|GTvalSO9}5z``7)^T zL4EFe;yT<`*aGLyty!(A&4YMI{n0k@_0rlg>@l?A{13wD-QfTJT;Zd)MfS2>j0xkI zQb{s&(SO}N05ISl2xC7KF@hi_Yjg+n&_fQd^3}%8N^>h>(*!mQbGz6qzfRFQh93F` z1cLaoz)VhVKaDO*P>f!oz0ZIkPCj>liGUx52D&iBzmV(k@eiXXf9N0%zkm7#+uuWx z(n6*yE#$HxD1t#X5g3jooCpx-$s*`-NNHN=FZ977?jEj|^_3A&v1NFoX`DZ9!&spC zDt#G?g+5Ye+=1SKr1c5XIm3k@b)g*m_nY)EF^RurPr7ppX0;_u=MQ*Y)V9WpN?&>_nd+*kHe(@_uznL-A`g>Sy!nLca2ur*hE zj!0kN80ASQjM8W8X)%u6uDxa+7lm~sC2_g2#8xb!;#LdG7>LPCIhir2f0`z(UOSRG z!FnQ3Kl_5=3p>-dKoSq86sO|cAY4+ivTWYR zzKGih1JdvuWM0HmG92j!32MOIO2l5x3Y3n4b!0Q4R*+rQnqqXvc7t`KSKbVk*~6fs z&XL@Q=xiHG5q}g8CQJw)GM7d8m*D5iQdUC9v1cL_q3R3*zZ>GQv{iS0A|e8FIXOC$_RxwQB*c2R2U*hle$ zdvbhYopQ3x?hYo{C|5C)kXvODAic=`DL>+$!N*Uu%@9>1=1rD{?hLSmIvZ<(ApVlT z7U>E9j0Fh|1&H$Lw)&dC^TOq)-BRmV+(wdIK7Xm_g}j3v_A$dKAF?>>s?E(jsWu=z z4ko?Biht+hsi{1XOohgpY`(E!T%La;9q~SarM|hm`viedVU_b)Lj}(#`RUE-u+6!6 zc)D3Gw|;AV?bCwgBNarFaF*zeHKMuJh?R4Ff|k~mBBn?8;Idj*#CqM$%36(KV^&y! zG~(%Cx*3W~TXVoyci8-Jq%NbY;~}ZTKIV&9iiru8A-L)C$u05m za{y8dWl%17J0hO09sm)!#TBsrgwhojpvYsO%eaTvf?VJ5RX)@J74j<%N47~c23i2??gwOD}&d6Gcew*l!8cLCfB*N;df^l>@iD- z`|@Dl%>_zSgc^C|uVGf6N9=ys#X_KP%hGiD3DMt5c2po#kr^n9%YbbMbYIHCF#%-bO-A?!Yw@Ag-r}-jlhwkpm0Y*YfqE$n zZyk-K55QA?DI(&5^IBp;F%SujR`R2Y|v6FFFxh)ef)c}KdWH@2J>)7`WbTMHX!crc$Zs2zqZ(PG|LwiOdy&ATGH>jkp5*^Y2P!y5pWdF zcx#s{T_8G0Y6lvn#c~!wt)N%CAi}>DFAW_^We@gE_!G8gp=(Kx6cmt91%W%UC(|;6 z{&jAv(ntr%M&&eAyA+va4p+u;BfNey?-t3E@+S2N8s_VHV4)(14q=?GMe06rxTu`D ztHnGd9E{(N+j`dcU)%Ub5-g?r#8lU31F*IaB=})*ols$*5Sz{Ogvdq+ne@gZJkOKQ z-p3_m%JCF)EwuzpCW2w1z;5E%uWWSi;aBY8ZXlD_Gfy?1R?+%Jtfx)HYb-Qos6zCc#_&;WQZe0+pg^G@ zL1nw?g59i4Y@JZ_(F=9hKT#ne-UarK9u6VWpJ>LX3BK_=;y!l^LaGs>g{Q?E{vq)#J{UdW8&PmEyN`=o zqFv=sAYIq=WE)8hwGcR^qsw5zi~=o?s)o_SZ37`eR8YF$R)j3nW-n=5ErQn2O8Brn zE@^-}#F>A3L9={~jXUJaqLW@bfF^-~uS8i14Iw45&4koK%Vns2OJ<`saLS((eL?mk z<^(_YVgjAhcj>IS_6?a@24PJH)?iak2eSLaJf$-j5ngZ*ACPE0_o!+W-eK6uX@zel@WKve`H6joWoIp{4mIyxs#1;HD5y#Cr+4KR%=lOm>Ix?2su}z z>eb7R9LdJ0n$A!zhwRf2zst_vu>?G?w;^eL#2MuLhQ>sB5}dhukiCJq=Z4FDGpE94 z4))s1#$D#uZ>&%NvU-kiUWN(&K<5e^t>#iZ`1_-QzwL% z0aa3mW0Pz-XJ9&$*KHt5i{<5#(c{&qZ3NfrzJ8L0x;0yPT7e6mA3 zWSG!x$T8pIlv4+Txp|sU2#4S-q{sCTfAQ+F=kArLWla;m_x=7sA1Vs*h`lHDTGr-^ zEDR=$P%dW1_~Uy4bwkkVXj`#r9JW+PxAMqm45&nz?Mn-rNOd`RV?`lZsw<$RIhO(O zx#$VRlz=EF784=^Xx#AICLp#k)NB$xovmDFxK_%Gq%{$Sh&Z+sZ5}}Rxa1TV3vQb# zdS}ICJ6ZUIv<>yX&MR*mY)xJO>+O#n7^x@q}zXp?vv! zYeu4-GD%WSIbgbB7qz{|KH|C1*M{wNethP6{tmRAP9&ODEsDTZ%nfnQ(zo^Mqb8Du zQf$ljdSpv;jU!r=QC9lG+LJ#7;H~q2fePlfnva zIEqh51C=*!Z#7xSxJ8}_mG0c-iw$!XB#hC_A0-?PMtd`QZPAESX=XfC^Oyc)rouTG z0z{a=zcWq9Tl=g}zYYy@J+CaCfGRp;-Boc3Tpt-jSWHZ$f{d}Se3uXK5_zQrd0e6$ z6c$Y!cm zguj4!`+2eYId`@V;OOP*o+?DcEpnXKgsaaBBG>LxXruZfJ9EGIi7a)c)bLn6mwZ)!?E&1^QpANj&rPb9Y!H z4II@$NXdh5Bq@C;vdj4f_HezECR%GALKC+3A!3pK3gTzq3jN_f{VR}nw^j4`wk+;T z0QNh4&k?&b$`(Mf9eRWMi@IogIhoxh45RE_;SRAyTCLz)NUIj+`Lx(%ubrI$D)Gx| z^Er2mh}0UZq+TJ6Nw;nxWkg=O?@)d>qCoa7gc^kRRa<87>vayw=)bfe;rFA*-*yTT zzKaVI8cL@)OWxT;q$I87_(MihQe27a)+&;gOU^jf0u6EKY;T57?Y(|?{L}U2tN(`n z`}X<%J~GDOij9g2ISJFK#KHiz@vEx>8vbrmv3WzDzZhiDpPA@bb-8=5m>8Y;_<>2Oe4 z?(X%U+4do)nxX(qd_txViUCDggz$!Pt9Ry@bq!uPIyVYfsa;qo8f%n zC#rSzwG5n>DC1oB$HFf;ptj(2tOZ{%7%c|Y4ua$t!Ek3-7C1H^rRBxG zFIQZzII;8L~gW8N2N zGny8TkIt_z|8#kMesytle99r9NxtUbURf|ZLWVLGw)pu}tvB`zp;?<1_ek#e{yvOj zChoG$O4+7`Mj=Fc<%2eqO`#jWlk0+`T6k@A|Ly73_0h?jv$sS4U0#K+TpWFjURn+{`JOh`#`CcG=-@Yj_n?IzJ7H<;&jg;V`iwJe^|I+b5s zQdc9U(@wsPP*vW1YCWT-!dikJpG_O8jNu{JyFoU=DVI{9YPkJJOz){$b!pllG_h&w z{qT)pWO8}TjVwM!o~3JTfnglo7c`m(qWd9oj~`c`Bo;)bNHnigqrV66ufA&LYkUkM z)7np_S4c3Z2(l29*@892E{UY24VhYTOB@swGQDv>?>WE_IYk`;(3?M=feHzdA12w(gwB$iANIpWfuBI5UiH$>aXnnCGYsg zcD<$ASsYAI`blSf;+?4_W0dV;@c)uz?>GvKkw&yf*)C+li zBZ25c_8}h>1t1yGOy6?jQ7mS=@M<^uF^^UQRRH3icr&w6^pv${rrQu~V1|#0G?5Vd z@GI;(9O6(g=K{rJEhWAHXYt$_rEW~wNo&9wm`Ho}=r0PBKh3d!QyvMoM7-K}giUky zI^Kv7XT_}D_uX!)J~A4uj*mt?Z|QM-3;P7Fh5QZUdfQd(jPro`$_-+=aTjt&<6h$T zsmMFIInDHXT^ib^VqLM40&e% zah+39f_#7nD9-P(G0D%26{$_ei*9IBIh-DF4a*mVPVZ@Aqkn*6o^H2%Zb$~y6jKt2 zhXta7h*Z+ucrv9pDE*L*jT{{U%49f)LJ{ndpAk}%FGB?y%m~egYrSzN4ArUG_lmsW zK&}^rL-h{O7nRT;^{dO&dzS;r+Y2-vRI5=wW)#Z6J0zHOpTX+LQOBk3Eg6Hcl&Psz zlx$lgvL)HTKP}4IN%Sgp$MXo5Tyi%26H=9@mQuKNhM{Q z)c1wB6V15Nw$U>fSHaKY?Bj&48DgRC?Zbf|I5V>3#NhpdVqOgBG2g+`K=z&;L<`#X z6%sjD&D*n8b#FNoNntBH^6GWDQ>dz`rp0_&Xjf@JRK6gg^VSDFy^QwUt~Xa8r`0ny zD=jgPdX33w=9!@fslAZU-DP64>t$dk*-DGv0^UV zIq=TiwGWO?ddYTZ`h!2@(aj!@Uju8_5dWT?Myg1fYSob+$gZN<8&gARiJ-+!q?ka- z`CDl92yTJpozl0pkrn4WexR-J`to@On@vvsrV}zX-41t!oYG=P=s}-ECE_c`LO#i- z_ef4jL`ym4$}&=M9agIPD8`=lm=1eRO?XvluAJF4iW0a>su4D06q!&JTQ1e0GiSHm zfPtPA1?V}Xw+EjUHcD434n;o-4qp*Q(&ViLA&&eH`>_phjJ-9~ZVnDu#t6EQ^j?vYjF{2%5HRPKPao`~^a8#P{uN9hw{MloJ-^vS4j(?H!kD7f#{1LQaqC2`3~OyE_7 zsY%WorC?()Cr!Z~xTYvEy-%g(RO#tj(^sOc5FHtO$1KV32vzxr874=GHK8J3zTld9 z+6sgJ;~+RxsocUg_!y|GiB7-q*4I3@mTHMh_iKZ%wxYS#udho2WDIF%X<;}6X6Pp_ z&elRPXOH{09VRQOxhbcI%?AI+4f?HH!(|&b7k9lUXpO68*G<=3cS|8v)$B8+w}YMN z)hq>a?{edC^h#-MOb6kC)v<1;3B+JO7WcUiXLL>B!HlR!v^JI=tJLmDc-^lgn?}*U z+4QgNxgmK*vT!vA2)l*3V4|Yi(&N2*Lm% z@%?V}F0quWl42VB5>ptqdbD&=+b3G*`x)-wA&JXJEPhH9-pA9 zmud<_aIf!sl9tmnA$11E4?Ppj)dj^|C(80ROxHf$qqZNO%+7f}YzF&~)tHNqlX6bF zxxtD;-KSW@CqfC#ocYR>K`Un0r?Mj&Dez1s=|U8BDG)s<8h1xnL?0NFXssDoPw!V` zDIn7vRnsuL=-`*J(^K1*fofCexP@?=*a~6M>v*7E}0!2K;@caE-KojmN1O2 z__)5=l5ug~RF@$^N$6q?JQs=*O5sy}$C zC{fh2Cco>JABwn-&Jv>+3-aG-?%BK|sdP8Ny|)}|HVayD!+;^i$eVh9#sH)n&)Q~W zREa$b`fj634YwL%I8&VsYhXq$AyG7uLFICRcBOj9tu;wGU z`kibc42B!U3IzUaa1-)YBu=_o64J$?&&!oTdxli^bWq$JMcI#Z-}CGZRVy{HeVdea z=U5y>tE8B!xRA!ts#VM<7qa&q)4`nu8`Rtve_m~zQyj{>5I}NwFZ0pLLKeK}G@-;o zJ^&`WkDNdUk*n&1dlpo})~r4iHPJv04aXw~lo}}mBg^Eba{fAdECUJKS}$UMA8t?3atT+e#m2R-xX9riQzk zrZz(&p0a={2~420MzM?W720_@&MgZAACd}&e~amOQL-CZCd*=q>kZzy(cCmL#!W#i zSenB~!kUsziYn?#G98+Z9-MNmy7P)+KtAhBXaN*EN`a`%JZS($&mw>wUopNKvZrh@ z_*nL8A&-*9&WV^p>L|2VN^e2U`SQDi&S4%zLAyNHtSjUuo4Etli##r(V73-UAWA9= z&L?f@L|E}kNGiZHC@S$lA!|iuHW63L@UWC=Ssw8)AtN2IfSqR?zqrhf&)>TltJ+*! z4IprF<#=*B_OykJ(N=OT{S!3gLohv?sFT;n-ce+c8#{0>!11GEP4LF6Bzq~oyu^8n zco~xJBr&=9g-CG^(u#%GPG%imm2Pq6*0-OJEK{;JKtdH!4 z&d<)lIt%dH*_9w&Jx#Q2pp%`V;b*pr81erbHU4^3$%(f+`Mky~-2O(HuEaC!&LgeGg%0mHIQ0Atp4LSz>vrx~}FE#8-&7+v<(fL`Rn4tW5 ztlAfCvK#0(qWU_R9|yhF;3>8zzP0H9V^b$QsuX2O(x>Yqd8EkJ^mP(>ljD1DUcGf~%Bb8=9^8RKA4&ECeNeTRYSu`I5U{!87Z%vl^ zN=%r}2^V{`oW^V-jJjvB1C}|s4<~PJ#wOZshA9q*BtZv|?I+Q81Y9`00E;g!&CyIu zB~?wCh)z(9pUr3Y*vr#n4`g;frmuisktRkLP>{U*=squ7IZ>6sj4w@TeHkZ@MmFwd?e6VMFy=PT zl8KVPKSv47U_Dk>DL zI@3{sS872;2|95}{X--e!uPZMN?=qqR!Bk~7tHKV4I^~|=Lp;DUhlnU3*zglji6#{ z{udzmrW9Y1RQx=m?S;=hqAU(lZToU!0V^V!GYB5~Jsoe4`DAUSVr+)D-l)*nx(p<} z+NtRLf$2&19+@MHt@*xNsk{OcN_Qz7h}|+_IORhlpW<+ZIAmMlD32RZ@i30-*sZ}J zUji;~<=OhQFY!Mt%IwuacAPtB{1%#n?iUTjsph$JT~;Kn2^gnu#2I=Bs^1KmZoz%@ zd=C1B<|`5#zL67RhgdA}z+TpeU;eJ17W!vP17VuL??W~OKB{|ucDZ(MUEw!B=LJo6Hxs zl`l$oK9DR6IX<5>`PK&`GC#6Q$EW zaxJ8x*@erA8^g`9yZKfG9QWvu7COox4ea4How}6|J3*sosMc3t)WTh#?oZ$U)&nCn zHDSFAKIqwB>9f|xf=h=uKMc&QCE$qhmHstlhEKLQY zx$A2Z<;T-NjP7*J}|=b&jUXti>n5 zD5>W`$3Ja9@9js;Y~Y+AMUY@nfr<@ozq;s&bW*SaThQg-#6us-&{_i649HqU!eW>W zRH(rHa|%P<*{uURJ_CBBb1GJo0w1D+K72tdHlED7UdlwANY_s1tnCJ zqOGgmVKp2E(cy~8aNliA`sdwc)QuIf7v3wKbKj)9(T*@?rO)+ovbrSfw6fUs^U@`V z;!!;?NIQf1cME^Bq|MjKlt{TxH;F~#PVq0@BzEchWYoZq=U#L`1)k2=atneMNH~rdBddl- z6kK($%CHNQ90hExxSl5ZIm#ooJLaJy4Pu3eoX^|@GV#Kv zk9q@}niQdQU63Uo(}jf0zVfgx-3BdzzcCC>aR{lk?2XY|k})#Pc4%*Ct&97kW$PtC zV`7m>sCI_RPvT}Sq*TE@fuheHLj4q9!W{bd^NNlR*4ZFVu8DK6xD3Tj@1~IS1UO32 zt2kT5vd!`=TCff0MV9VWupt`fV6W#@&GpV&?`aw#M21(D#DCAQ zGfYw7*JTa`*A2fYfi|I)Ktbi5p;=jyqjEYTc^qDqii<{EG$6;L?SRw5!pGHyq@&ZP zUE(ukhjz(fucCub;<~fyKCh>`er!E2Uj6FoPmM@r*dgZ+mn&I>d!RO54EDnzY45@= z(%Belrb4>MXo)DwrSBtw`*jT$E>YU1Lry^-Y7o71)v5Rt zq;%+`u@8W3-~s_o=e_aet}T$C2h?FCoEt@6LurJ53ETx>)W*FeWoEu7Vbr4{JLTD5 zIs}Ysbn@fP4Jj?JH#N{X$r}R$+UC&nvC`JIP^dvE(zFT8nOPE2Db|(S{h(le0xI7p zfB5}lqNrhD8@=N{9!Q;VpzomoU34evlVYVHu6S-I>-#!i8zFbUV7oMy@?qO}LyAf$ zULNY{%&I3U0`5zGxkMC6s~QC_anP`C-B>g87-=$7NZuzQ6-KNTHnDG6g8cji6ZdV_ zGOJSS=HHKsS(GC#UJlF_=gCL5V4h?!=_p4KleU%SMXBC>vW{w>2*(EhBbalpxuWf3 z_7D;)%E`wGEPh$jtmq+PCDlh0cdO--?PW3P)%*-d!{kmCTO|6vj}gzZ147jDcJ8d- zx{sOaqdOji1Wqw}J6N?CtQ(022rnfcVtn@+G&)5wV6WS)hT}1?mG5*oU6 zdEz~+H7*sHDpwO~+xNfjP0s;wbWd2d|IjyWnBblrOl67TYU{`ncYjz=1q(w|Ljkcx z8PXI>tcDj;#p%iF(GR66v(C6@u=@LrZt3 zXu*gW~p3I!*+iY#Z6KX`9}|gQFMMXKzohI3Fi@s)1L!3c)}n z1xs$syd@!5X8>z`jW^tJ_ZOck3PjgcTTQA3%f2?9{EByl*w zo8I7VXC9jDf|Ena7_?1MSn1#2h&Ff+3TvnQjF6wOWLT)9qf^y74C4YpRFG8kRp)p4 zv@D-;2n1W+ytG0xEubHI+mVvj)4QAz>Ka4PZuZ0yw%|c6X9c|lCPfo-ZB#7CSI4R& zXJ4pn7n(ug02q1tkX~GuZT695-v{p={bJ$dh`) zGa)C@Y)p38)OX35K~dBoi;>zxM8nLf&3orRMcN>?e`JICMFbV{QL!Q&aujle=1EH+ z#H!;AFs#gBU-k>g7ij>_!xt~DCZvt9&D(a}JUvtj?t`*AJUP2O ze)r+@;^_J7)9dr2i>tG%vv+SV5BK98P2=p$HK}Y-TDh2cM{`Xgu3%aqMCS}C8fHRN zWnYSbOI1~`l5fOrC~5IE>NQ~0nix`2(3Ft3B*ZP0^$NKsy16^txB4=4kcU(m5xS9< zMpTfUG2K@-PHK$h{Gelwr|~bFxsXlQyoM-KAnOrzWSNT?iCwmKpnNf$d=Ji?joOGX zUA%v$#d=X~Q83+{@1;@=+WgguNy6dX?R~VgMT>F_LbTE1ljO4@U1DNe zY0OXrl!)$#N&NP|e#SNPxXdSa&f*MFfygL8VjTG!x`B|1k&l}SWZ^(e(f}MG?o)k8 zr5Ez#0{F?DiqG^h+9`K99U!7o-1St}^h$mBBS|kIG^0Rb@wuX`BL2?q*_RSBI&`-1 zpp%t}b}6$mFwG0TMT6E$96v6Sfa z)98*A1ejL9t=e$x?mn-bQ`~a$70tMf*;#>i!)amz3=p2I zz^V`_)C(}aKF^k`IB;I{2TE)PaYrK7C!%qGFC z+y4Pi=hD5SiHI8AS}sQI;curDrLK4lkcP1eR$W7DKeBe@<7A0EdE5omX6yO3p(-*4 z09g1;6s04Rhth&v5LdNaoXKlNH;xqNdQ+gYAWRw-Y5ry5! zWC(^W`Gn&wA$#q#GTU-5A105{*CR#P=7z!TZ9R$V#?uTnt$f{9Yd0rTm6n?mrN5HH z0KO$fi1A@0=c$jLQm8V}Y_Xa+$10FU4Ggi-_KPj^Y0=!GH^s``(AA2`f4ttv%eU{| zoJL?;tytt%f0(8TO2P-~A+(9YPRh^Hkg&-*%}YH=b}pGK6`dfAF#0v!UxPelC^ zPl2Mnbg$3LG16u>u0rfgCdkU2kvCCcHkn7O4Q4maMo9iR8H;IsaM{o;>0z+nK5hhe zKnGtJV9C!u`F?|_$NS6YU?b&o zR#~UWl@h8Dr30l(_$rz)Vq#-s()1}K*=1Cg&g7WG)s6W64Mvpo`c!%fjxr%Kth6*lJ_f;EA}H2DVC z_#iuFzP+bLlq@PhHQkQu2%kJwLw`I-OTObK^kYPRm=S1@Ho@6D*Qt3i-7twMHM?sp ziKTl}PM;0ke{bZ!ZW!Ipwg2=2KZ*T7ezj=1G2ms{ zC~U|%ZPuUJsn5L4o>%qfVs#6azoS)iXXR>{uE=}vvd<#1? zl+$Xn+w5IixSbi7o`qJTvN5j5yU2fDRrB0uNb;py@!91DIeNSr>bracQs>nv=ql-dX68eR2#HU$)eR{>W@f942vD|TvMY45Et1{`azf=VI+tHJ6I(e4IPkT-W zgW)Nh)#%=i^mq7(R}2ge!pk>D$3F=g#>Ort6L-jq1QCCRusc0|Yse)Cg~!o)?RG>} zpVt+B-31e*-aq=GU&0Qh#`L5PSsSViqVu`01VeOnGk4CpQ}kGWJ~Ghnv?ta@twIyH zV+zUEdrkvutC}Vg{xfHEGx^q-L>!jI-ab;xf|47!VJa41NbN>}1s@rYdSHFhh~0je z^sOhjH|(pXCJ3=$yw6VhjHYfdGQS~GJlG=?R+0xVjqBQ@C~;v=cXvv1kU2FZ1g!jOm^Iu-JEuH>Z2y$^Pw*qbnw?I^e# za!rAwS}oTv*zB0u%a7M5@7$5(g$uc5aw}+5Q#tU;kEw*8Jx`-_y&K=u*)kE)GQu24ef{8U6lgAsLf z>}(-%6Ow&EU!PX=Mq2#AF<(y+!-U-UginM<{s;q=Y3HyPi?+DbqS?%5u<=&x5T3A0 zX})`Ey<9E8Wik>wP3kJLgUBp;5!3r8N(3*An;x8V3REN)V#`Y?jdNEk6$Fl!pRdpH zC81WlERatMshR<&_c6kV>NFvsS;vi$q{2tEGO{94${YvVVAxvCJVql>BxVKZEQs~- z1L1X+LsK{sZ(MoA9*UT#oF(*PpEo~}&P7*$>0@C?u~-2{gIfn0YSzp9fdI3_&0lYjx++oMdmDNj=P7 zI@^#}`llipVq-kP8Cd}dM>}q>JaB%FOfamA?8)QDkM~o?U#5cc5|A}~dF*gTDG2fL zvH%LE2}DCE-;Yi#Hwb5^$6xHgH{Wrhxv6IDeH>?&XAI+)Qm)C#roklE+vv~c>mSS8 za*fO90E?&i1ctMccyB~WMZA6L2&+dmDXSyGF?~4JhfxS7trOVNV(SWZ-R=ha6nB{d z4(n5E&kEBkFeS{+FKA%Z()r9S~a9ZIM8W(60JgZvOP8893Urn_+^&(w`z|0h6 ztclq*&KZUy=bxT&;`pBhBEZr zU*|qo=zdBH`VN{Zt|E{RjLPYgZ+^gE?U%^pb-zqd2<8(ERKrKaaaRWdaxDJ#nJx-;fMuv|CwB43p=-2%hl87#! ziE(v3*`%L-_+2bi(TxbxYB|Wxsahtg2&47nQ}+C7BdnG*D4>i6@%*e&{4@QlbmJVT zysO;#fy!RhXr>C_MTgZsN!&MC(I<7a9+fLGDu5iBMw$DdG(o|C)y4UWP_ygR3%5)f zi7HbxnT2dP2HIGV{Xaa&%rt42lertp8^zWixfeu8byh5BY_Mw zLm48Z4(q6#%Hzj|UL$0vX~06t{9rr)+XGz<_zGlC+D4G>rZ}0iJ%>BUQJZS9QO2qi zLSR3(8HbqApEo6B!OIya7IG^57ObbUlBN^q{zWEKyIyQ=La4Yj$hoG^%fPFwZWhJv z&M+u`NN*3zGOQOxykw_1`d3A)l@nHvs$MWGBzE;ZP9c|NV#n0P0m(vDUkyr?BT&+c zaxn#=ccJL~{*W3=w>Ca)yPJev&v=(eGTU{ngxDh3Qn57;sg^!2Gp52 zrnowV>pXd~X5_ zNyX){$9j2s{QBtm>Fa;~FETI3NZ=UChOsjqg;fzy)BT}{e9!d2-wJh=&bTkIL|?>V zDj;qszUQCb6bs;%{{<1DsWuB6og4@zV)p8EQUo_MJrnBkh?uWX> zaZ4O;v_zp?oW#o+rcBOM=rEg^R8W~OLp}eHUJvsZSI@q=dhZ?vW!q1_WMW8l#-nOA za#xi3ZPZ)$gYAwKhjG;%8EaY_D3;W*=tF0=%Mb80~am^7lovOo9xa^OLe2%|Paw+?uqY1{Oa5%na!gr#7J$cyKPsNB(6()%8#LBcMfFiW!}jk+0AJcU05X3dzP&`l4l1zl>C*LNKm73oD0iI=#IZi_jN1qVvqIXgmR~a zh%rQhs0Z%DSbhVZB_Gy|zU(aOX0srkPqfWvV=x{n=`~0FNjnNDv$l;4IwV55R`q~Q zhJi|Q6`v->ntP?qH-d{c-w)+pJD4Ecszu=gxM@*L<(hiZqn%~?&8JFi2@(^E#B+3Y z=@=!qz<~wmHEGD&edj5avS28jxiDhfTz1DL@$sVB0o!()ucY+5=a%!jQ^9Vg;2!%% zY*tv;NW_fmI;X=C3B_g6&WY<87lzx9^e#IXY&w}rpOz(eh@!vxYz%m8de;@K7A9SE zd)Q~BQD=vvlAzd!_}=KrVKCLB+qRKlwzGa3O5!c^HfYv~QP7CYPMvynuFK?rM50+8 zv<_R+Qt_(E4DsDWUCaGlr9icCB}!kz2i28#GJ1}p6t2Nm!yN6Ozxl{aY5q>TklJa!3 z`?PCd7@)5bi8OAQn8t#b!mUIk5pmdaRK9{rbAB17>S&1hdoLHVnti={h}$`O3p{Ef z396XS1Zui0hsC_MFm|U^1hCkwaa=Xl+p`H6+;q+Kny?(uH*#Y+5OJ*$sDSnZ*k_4m>x#^Gn9r{9ZLJMsz^D|%B?;*N$o1+KSrXd z{KX#Irz~;&A@p?jog5D%${ZyYfz1gfCSx~jmRjjGtx3MEdn;p80wrzoK>Xcn@^_y- z{%@WP#KaKt_`%}=Vq7a7Qu}6d?lWm6o&Mf?&Y|n1wPEZ_yT%j&5Zzv))AyzdY{wHO z{iF$IN1pKf>QoDzc(fvv0Fj>GO+US8Cb#GA40~HWOAaIfe=2?3VRT>HcvXk;3+-~1 zap$jW~nu$)hH+(by`G2!9W;XNTjEt#9D$i8_c# zgoj#Y+q5w*6k>y!Q7z>HHA;4cB8#(=F44hVPF!ZPI>@H;NnC;Y(ZA3XDhlv}H3T;e z{n=Cvkb}z19X;=p4MuMU2{m<)-VU*mVGmuSJ69Vy=eu90V3n^yry0S4czO9stE<_X z<(lrkSgnTu?9w+F8a3!D=3onGAzK2C5?M-2@2pk{O!q+*lrHBUUckZVRYdC^iIyw1 zYSk#K;pMAvSXu6l{%E4@l#*qYttY_(->+O&KUd?3ba@q?-Y3bpi^4Oo+GC9kgew;= z=8f~tZ7*3yqU2iqg!es~TA?-BhCfG1@P{YY!eN1T4O1HDs=JfBFR%a#_YxJpFJ~cU zzOQ36W!f{tXZj%3jbKOImxV4Z<`;fwO`BF?^^Wc?N!y{9qY}G_;6rO?XDrWli{jU> zq5qF4(F~6(CD-wx*xM6i6El=E%fZxguLY13pL-NZEf&t-jnDT_iO*oN{ydn@Vlwpp zz2uiwD*bANC(@Z*FoJi=c_h-A=t@lbCmW8XuNlPA$nD3`lGu_0>$J_NL~uL6%2+04 z11zljE{&QYB4+qKU6pPjd6DE89|J)T+)QO%Q#uwwI^G5DcO(fgvbU$!i^nzv!-GQM zvEoJZDZKx(3Cx=@&9jXe_mlAi-Wod=*2R-sPs4*)FhJO2ZAl=*(4w0v>!|xkKXbt~ zS+sY#7(ko4X*GPkgE%MIgvy-rJ}p0iArY(3;Ev|UqgoW2QHlUCfogWo^Ww<6XiVA0 zWfXAsUPO_ilCUysgzVub)wH+8h}%1Xn75vCCr`0s>7o*J$c#kNY4|3LopmUhqd*95?GDK_yo? zs_J)Mc8`Z-bet(N_+#Zx(YMO2{BG9E%4&^w&JimqG(<@PAvCXH5AWfMebh^KQtO`0 znTirp(rS09TFz>W=q6>pPE>IwdE2Lj6GIVM1So|*R_+!pk^3@5W?BU{)cR#$cUBZH z?Q+CWfCFC%X|%zV!8-%Xg6C=A1XG#x1EHf-3{r%RcH9B|yk~MS=;_86?5FMLm_3@c z>xUA+^};v}^9|C^66hL4$6$g>tQya3(ijc)0JWp{@6xLUe~0Uf-KYH3)noPQ%O!WV z=dzJlU(;Jap|KOGC28W*41qLhBn})Sa3VbCp6E8|!5Kf`H{L?Jc1CLxks4qcI6h1n zC+jwmi91UC(YOy>8Y0%PXG}@VAuRQF+goGSWpiRT!Cn1PSXo5c3hF)+O3+edXE<4&XjeB3xGNYDh6!P4U;C@~UVPaTuDmzNUK zOj&E(jOMd~v&{a>#a5IDeJ{|qTY638A$WQlvSfK-@F{>gAHEa_qU(!CiGYs8y*ou^ zJz`g*RW$y!U~s>><`=sFT`xT@*ob&xSvn>9r{B zU6;)@J8pZ3Q-_WC~uztb77UV+c@J?GD$zi}}g-bVIc>Q|bCpX}Bc@{)47BkXJhy!}1QbO#JXjiQ_2rw8-O zq%PMwE@G5vBgW+^Q}4!nGwPTpI!%{4dq7f1qj_bo!o^_vD2M?4BtioO&1AjdQL5rz zy{PruQWG^z8Sw^xHDDV|#M3q_yn>vj`HGmj2O>#SBO$P z-;iFQ0q3eanuxwfTIPUYVh1bF74roV|FB2xggCW(2| zi4{U^?vMd4277vMA7FnjgCr*OiW`j-$;{`ka~y2Yrqf6*E)PkScA84~_62-yUnuEw z2b@oQPF2E#f?#A&&^dW~$>^-Qpv=D;4sR6t`h&EDC4H`PW?G#vn9pI*mUxb7<@L$Y z`7m>iv#eyyb!q4a+?&vwt{U!L+4kX6sK^PmK5K!{x`U>XsJtdB((~0lsi9@1B_nfE z9u3zP|HK6&^H{DlI+{6mpwN&REveEH(1z)V19m+%D}7Zdy@f2({z?{KrxF*RB-~Xb zl{Mw+8x~~|WUS&&Y@755+F)^tPPQ7^yUTI4V3J;xQ~);5h6talpo}Uf(V=Z4Fzn_x zMHnV$QgFNtyMn?GwC1DTn*!iH&w;N zy7&Eo4Ob-^*e-oBE$LL7(oax?P2B7*2csdDG5*(Cy|oSz4GceHP!)k3DnrZJ47| zqCPP8c$3ppA$HuBtkA>j){&}}Q@qM~m(yy=%8f*i!}W%(Uih;Vw|Nc70 zk;aRQs-vYpS>&}@1-z*G5ypM+m%P4V(uRR-zsOtbBpj!GVKdHJ=;?ECTj`THU*K-e zIQUvpH*X3dUvL-E8ePy@ZMr&4RLwb3l#fVnGZ9eN+T2i?nMrtp{9x?lrwDte2Tg1o z7!Os?&HlHcgq;SpQoN)YL?0C2G4hPz5iW`j2^eL44I878s3p87Tf>H9f;jE7B~yYF zi2>t!N~vPfPKminW#b5uBfc*bLAel3*bJUeOop*hB($d)HDK3q=gy0+ZZ&?j!k;8D zU>+_g0k0ghtV|ZuS#_wybRSW%o$zpeRX*IgiEfjQObj_Bk<)9Q^K+cAnh@dtqd5A! z2eP|dFrsw^@7An9ID)FM@E6|1NxAG8B7X6aykax3>A7ihN8sRh$YC+q|D z9EPE4s6pcI1fz&pmEyb6vu!_wuu~h>i}}ijBgce2e^1vmmJ zmpC!$l|E0z4l=-9&evq3W&Xr$Yv?djRYh{9ng!(@g(e#(4C<3d)oj*uuX%U+&Q%$yWs$lU3jM!8+tyNCo$@&wDz>l~UsR4S&? zj*8|F0W*~HNhz`GhH{toXjEKF{OG!I?|#RiYF0w?dxCg>Iw~s_QPq)gA{LSow^PV% z#PP@x<*m%|+tIiuc~_KelAb7i$)m)XpQU<0&G)${V;7c6PB$s|KpA?HQfd}T?<5ig zE`!^TZbX0R5m6CUHdy3q2m88ECUkwzfJPkZmBxC~zl}C^9!fs&8sV_Af#)coZYP5VWIQ@3nR%<}*_)TfZN(t{%${!vT+45Wl zT+zJPJ0F7b^ul;6f2>Ay>|mSlW|dG`cGbZ3u$NCD@$3i6hxyE}6pa`k4YZLx02CmU zd`zOM1yapG;nRjxLV~6P3zTl^O(h=`1T2}dEMK{*oF!hvpp5oWvqmI=TyQ0eN^oqn z3ZSw;XRS~24^u<^9)^9auG2Df3jHGZVq7pL276vhp1CLRi~Gu*z!l4(kIPjqDsVJy zT}zR|Hc`|!T$C(BL^B3n*_;mC@#aSD2ZLWohz|1_hd1Z`*lr=Zx5ab>{lt!={E+n3 zz*FyAAVE_ksCb5dP~}lCE=5uaT6E(pEV_=i&pZ?3Ze3uf$VEh+tZ(~S0`0dw6;KKb zQcoU~cJp(hs%C(3(rQ$TfgDk1*LF#xl+Q82Kg;cjb9E!yc9^;ZQ)9kYahy(QTj{{@ zun^XhX^6qNiHjWFg(hhiEp4O}-meg{Bm5Zg-cU%(!g^zg2g%<{hsjYPkt+XPiTJK8 zfb}2)RME83^FYS&+TUPfwi^B3g^zTn&SJsyj3(D)?AOk$D(IgaJ`P>`iXjPQBPv%# z+b0sMi+njM`c@FUB3g-DgCJPHVix|qDcy{Rp|=IIk!8NM;6JfNlzzi^@)0j0fxueh zkiPIM`bBlNBlQ{V%1Ejt?Yh9Z2sD&>v9$8p;`;%*@}(CuSa*j%m~m!Z-`&uHgX-j2_-l)bBIbK>vvyYL-m6j$Q|eM|VPbb()Uk z!PluS`XWxh91_*t>W+4OJuX|y%o+ZsfCvv&JSo&UAzPMbD3~QzHX_dyWuQ!van#=9 zA|WPF0rV!%?9zR9vy^0vi=WBtEE>8D6r-A0>Czyp+Rz%CX?ZpfX83_dI7-5fbg;A#@wM4iD`Vb)huOJ$ z<<>ZHA{jM}xuhX3K&N%M6(cEp57_OnMH6A%BVnYX>kjTy@u>|A)n+_p6#MiRLV2_- zbNzbWy-?*Aj!|3uSc&TNIf8F!r>L$rrS)x1@`^n56{3f~x%|`R)#;m)>({53m;DRd zyPN}wy zIU9H?$d9P=nnp5o+L5g|TWs876Fxz50sBq?XuLGV1X0F;vKZQ^6LB+n&xI4tiJb`e z0Jq?g66RiD?f@}$Z3p{m-}%8L_{l~YqH~&m&6icIf+)5CrYw3j@CGtVLtEVlY!<_J zNw0kD=Ho>PINY;gM_xC4&jhLvRiUM;K7)m`XMkA~dZ_3-(k zLMG^F<4%d6DtD$m2V=EcP;cD=tn={wV|V4>+!tl`ryR7p$MYJcx6YBgEK1_IWy;`} zo7VlM*vTM#tY5pRru8rX?q*Yb_S$vNH-LNa4@LH-nAWBL+mF5l*JLyA=-sWdH^x8NDjlj~`uWls2pa@K6XxRV#BC#YHlCNw?ZS@esT+Ow+g0l}=!->FGtFN+FnF>fZvP~~k%N$#avnC@5zTlBemf;;Km2izZ>WuN_2SNVM89t=WaQsA3H zg70~~DJHk{K4&-P=KI_EIA1{@@JILLQ+MDmWM=WR`(M+DU|&kG>|5w3T8;>ofBfY? zxb?lto*%fm{pH^;H>+twOYTRDlRvvzITy0Z-a>x*=L)>cwVR#4&2JNm=AU%_U;XkQ zZyI-$8am^CjlglWEbHt7uEHYG4CJ3a`vxv=-P*VeCHV(Me1<@$ z(XF88#bVK;(0I9B+`(WwUqA?b=GGnm&P~thqA`H2UMa_~R%{H-d=+PR_I{N^qp=*L zQfZid_~l=zpo@Ro~v5ni^U z!`1^HxD{CppzQHV0Cr#;P>T zT~JjqQ{sILYcjxFfUYniLP!!{DqMV815KZ%oP(yYH`$*xV*Y(5%%R#R%nj-mJ84@n#BFv)=C zw6U!tR2w83Z^hyhXu>%9&0%sT@SoX|xCHA!aeDS;m_V%|OtEn0#(ZY>@o(IR>+NMV zYhS|?eWsFyo}+>ad$Cv-vlo3`t zUu{Xn%GYu@Ut1qW5JoIcdkj%c5J?Xa{08z0UeXL30`yqCoozGSMIm8;?#3g%r3Xp# z18yWpC*Q}&DXLzhZ^{=e4wlweb-(h5uleeZ2l1*xMA4lXH$e1Io~sSTv3<9zu&Z#O zhtz5NN&*B=o(2K6<0?i#P-iy5WUG1_{Ga?*QbNgHQAFGI^6X^jE8wV$OE7ZUt;KMPshe9MQ5#$f=qJ*b z3mp5l@EM#AT*1}}?JE0<=aO1A6VbY9n(4m07B)QsiZLce0gKAU99Ar!;?(DCOh{Q$ z(Ct>p@_12t4zEI}TF{O6S|Ey_p7y3pdFdFXFs7f<#fT2cx~P-r?HaclBSd!X340^s zQ#cwUd?zGFoXagmUiVmSFeC`TMmw7$^nhw@0yfk7L2Kv7P}Zud2>egi-NpHvjBWpg zv%vPF?G%=6oOfq{GU~hu7%A029Z{6$p63-q!!UCMK&M9D<1S|r1*sXPYq$pm=Rc>k zZeiqNBq_Y*nl%RUD5Ilu=nv`8398E1<~o>Iu4r;INR%PC?U!zwZ!}uVjHBc|?4kX5&uMNI{We0N1Y$kufxwK5;wUmww+M%X|b48*-5nk zCd2)B=N^IdMLDT*cQU=q!>XPYh|RppYn)`Ssx6-RW9i1E$gc8DUFIwu*QaL}f<#eZ z)CNMk@ysaF7)1lW5Jz-pomaM_SfD#;-%O5OYg-e7D=4t%UiTdWnMn-nFN!mLJ9_eX z^!S@joay&ZQ(O9?pmL*UYQ~yuc9*>`%@jHV)pPNPC!$o8o(DS@5zHQSiC9b`f;eZ+ zpj#6{nh>psQurqUEEJjYB~`8Q&Nf>{ZYOOTEDKe4>N!Tvamh5Q=5Ri71)H8 z$g^lLZlPM)2fG(3nMoIrv}QlGCzG-^9;iGt)smD$N$T7o-G#OUZk3$SWG;|mLKW4a zkfU4kDW$+;Zs%EiGo|FKy>Su(Kyn?O+a)njB;ov+c9@w>R4QX*Yb^)v*7KT5f7B$K65bTT zB9vdYP_KwsXqkU1mz$;OF7>2atCWNgfj`4-1YZh`xrZ7^m z9+3wi$m(fN^^Z}n3;7qY+!5m>tLmNwj;GCU_XIbqWqq+y3IR}l)0iDEP8d$NZ%%x@f z5|@c=%T)!|LSo4$kaKlEl2%Y(y^6Oj5lhYTNksSIk1UZS1O=zFc` zH`6r)&D(I}65l2Ixywp|3k!EDw7{f?lginMpUI_^Y+7j-HeR1NiQRGjhi|{lC%-SA zd{d0S`)>B++wl+IefPL{@?G&wUd;aRRB(?z_iq$rP4MyTZ$2d zjSx*%^bBEi(QglNaJ!u@yf%q_WaBQdlsxYk*XP)1SEu+@565fxVlsU_ql@J2i$bwWa zZW}r@Dy*|CT z!g+N1=JevFwH6yv6e{nc@z@!jxp#jeG$F+RSK0ZzT$Jm^;0ApguTUdt+<%#NKYncu8( zgl<-#KXVPQP|}~oa?I=0lh4IX_P5RnXoo;d;Xr%^rl)g6>arJgv1MAB1h(g!_^}`q z-s_yBDKUNyg|`>^&%-{noNplw4o%A9=j@|9UI-o6A1s=fD=9*`8N8ZAkDiyscoBZ| zFtsm)nedA?Ul$94{dFK~8jJF+XiO?asJ+7q`#F1_FY?cQs55}b!ccfHSqt8{>=jI# z$!+r`#8(KqrO2-b5nsdXYKM=R16 z&XRH08eM?cAA`g}u_k14z$n1#{O0lZ(E;^7)HcUHoM3!s+I4%KXqI_c4TaWSt9qNXoQ<9geC?XMeD7#E6YVwiGobl5B-gq(^BG%Pn(j67i~ zWs##^d6I0mwezSeAzi1{ki_^GQS>!Y$`zdMJ#y{N&Kpsxjx{$pS>|05EV@?q#8Hza zWV}X&lA$z|Y2EOGa1NngM}%9VBX*M1r%HzvvdTr4LLJ&_$ydI(&$lu^4Mkp}`~dFb zm4bUj^L~oNkz497B1tC-w!6b@*_jo8Ec)5VgE*k{zs&M)?vjHa0G*#rbS~hqXMav5<(tNny-ZQi6+lzD(JDriz?hDn+8?PJ$eFy zqb`Z=x#1e)!ugF8@eQRTn?~gy@6s6A@zFW3QP*#Ndi(Aqa4&2L&)|30REQswqEgP0 zJW{T??CAJ)q=iRLr)QOP3!8VeU73Yu=>(P_nS2f~tUBSFM)8YM_*Zsu%=U2yZP~g!rK79)OG{ zL}|7#sKL+}bi%VTC6tk&O~Xo4Xo2^Ix_~pmi>r*4 zxI2EYhNM0i?wFN>In2PQs&c0Ebc0sp*N5hei2w2Xf* z7Mwv3^y{&^B>;&7DpB`}IP=oaMI(t`V5Q{N5M?wh>%Uc zBJ72qL+C56S~Zoa55&ZN4NNMHgmt4^zL|H6aZNHJ7y0sbv&?J!BL_fo3b5A&(v+{k zF>#-RS~sp;^sQ)6>EQfecL?bUpZVF5&{^f5?)I@#mFKoT~;S?gp`s?H4}0X=1jhX1_az z{1IAe{X0nTaU~(M;!B3Oa#W-gHLWB-1{0fC8_`UVGZUx$SU`#>Bk?-qMh}I1lBmYg z-6C}!hf>XT$i7yi#YMfheJ%pK6c?so4GZ27A-yn@#^Py_DT*>zopds0!?B?U0BmA+ zGoS*CW#x&+I%-8c)YzG#Um@kyR}+{7Mp$v9^c2U2gNNzzJTsZr0LSz`mdP=s*nKfk z0EZbTpNngwM(AC^R!Nc=HqT7KDf32GI>;T4dM-*3>#--8Io+=EB@ih>UQ2~n_jyE2 zDU_8sg(x}5F_wk%k6R+N>k{mzl~QYIh;UHFEwPg(ux; z%?nj9YNOMJ2^81N_HUjvB!(s}b`5306vu||o+L*tyY5E`b+eBj@seA^)3z|>h|kK~ zgG`@P)WICoKo7lEpX37ievqB2SIwTb;V@HRg+!rt7Wknehst7jY}^_jdM%hK5N5%Z zah>S7Mmdh;yc^ysI+tDtE1lE>XNIj}RyI4G+#LCt1V*CA6A7sXc*foHiBJ?i8xV3O z1J4eZfwx_NYfEP`%mH+}OCf1Eu>eaGHIh)Bp+t!NA^d2Qg}cyo^ezgwBqGYpWXUzf zrU`d#9EL07AlpS}n@=WHjg_?6rm(a{Ii}E$D)s1B2nGp&m8Z+3PfS3R4Q(#O^x`0V zHv~%j$OK%D`l%YnxU%D!SqgZH2yg@1f;8Jm%O1jsa++e~;w40dK9dcxBLEIqvf37K z6Zca8ESGb1Cv{xiCKCqpm-z6rVf5phYFf^=&+IGOKZ72T_>tS>dq-L}{47`+-SE*t zcFwiio2IaJ+o9;#)90yy9bI{<^ltZjcbnldBV_z#(IO{&&eZL0qwnqa&}kE*BMFru zZKsiabA1wwUXzif=x~V%6`wl3&KBEHro}WQ7ovzX!k{5XJ>RBzLfvLw&IDlv;{9mu%&NB;4fJs7Xq~U+AVu%{$OeGE8yGm%j@+bZ4sSYS zAF=IY!%PGc^`@RtL#)NhP2gCI!fyp;iVWoiex2zq??)lZJkvWx)&1mOk`|^>mt4SN zvI~Je#jAmC^YwybfIOQ#jEYevKnSHAOap)36dU#>jXg(75S%t6wX?dsp_9KS+Z2mv z>7i7vyhlWU@ivAm$gL1U?sP^6o5AP;(wgAVV3UegftIQDQJ%3Io7*fs)SHd#x>SWz z+x-lB)Km;AH^vaB6*OOU_U4G1K3cDj>LpcUxoIm~J1;YAM7T9Fjy{KRDW6Tr40lx- zB((Rp1H*Pp8FdyET5P*GTLsAtomt?H0ty*S-7jy%-1tXyFbH)w&C_UvAsQsN4=C(u zvkhV@^62S84I~-5m`lrRhU6a_b9uv~Nw~3`au3J`K6<+SKvcj&?Cmh}( zI}*7PYHEyG7KX}m5|=F8-hj$)#tYV}eK^YPp&xYHPmA&9W)R}oQ8Cw!tz`lA^nEQI zAKDnyeO&XRXXJtV>^0qk&-B@RkhuGP+80?(u(1-NAkooqw3|OXz^7Z83aZwS@VD;u zK`+nf<8E2Igx4Du#Zlooawf)};`X6V8$fSzJCO6|+IPoc8RxKIxx>26foG(1h;?L#_=f}}^InGX08$A+qlnG_`)%tI9%CVr~0LF}-56W8yA zUP-5}EO@6FQ01P$m3~cIN(urK9}0h`kfSE0B3_9D`4RI%zNS9LZY-~Iz;_qX%djF1 zI8HXJ37e~=;1z%_F(n7n+k2@j?G=fK2CPJG3+p?9v=~$&6HlYA%^9_I{xHkZ*-1q0 zRW@Z&dOH+ZU9~&2-a0Ib4>{o#erl9O3@@yCnid2QYk;MTmEwtB-IE@!9bbXbqu%DJ z=oBu_bS?hvJV{JfNcr9KA5V|3uAS5SOvq}8(}diiIQPCY;;^})&a-b#!KWZMAaG{_)iP@Sp$Xzu{gr9S)n)q6gC;xmKqDAVB)ejch!>2bj^r z2HiuD-fxJ*aAZ9cV~V|6DTRud5-@@2i^s(~2R*N+F?+f7AG`_`sX=`i?0* ze>lw)+&I{^ANHmq{QO$jcZ`llVvQJ>KIAho-E@IveJhk>%J8sB@JYxe~Wad^QX9&`+Tg6UsS?qMNO( zu_0#_b?W}l5p>46#rSLgE0(eY2+fG2zA9+Rz>q{p4BL_*{t-4`jF0>qEWlhP>c z0q8f#x46evUKW4#@R8KBiyo>Gc{rP#Ow_ke`<#^2YnA9UUBC?O=ZiPGIXsKiPz-IF z?9sA9u*4{+JZjiRs9@nfEJqV8N-E#o5#{XHLK0uY$}%Y}UlT$=K3W!;Mz|)2!XTwx zmwMPfZXpVbN-ocH0QzgLChwSInpC6oW80U^!PBrUT{ zdLXA00#naj97mP@V9+I3>a|$(v37{IziqivFbH`Vjesixm5-93Ti-M02D(l za1a@~9tT}dgmN`6#{%jWMhH{XNphYMEHxp;U@W7vGFP0?qsB-_cXFEq?3&SXt1Phz zrHGU@WdlkE;X^ip6o6n6=?$Hl459R}I`xy{C@BKhgzAUvgfM}))pB-z_q*)r(&E07RUVZqiJ! z9>_5WHkF@h(=JeMCTdZ7eG|iHYp52$zQR(Ydk9-)S$-xmaL?Yy3C3&*fhkrdfE5$kZx+m0ueooo*Y4n>vC^MOYfleVVFHbQL0D(g~M4@jgd9+NS#1J*cCmEt10U?eSdCDM_~|Rr~O9dIw(~8N7f00PK^zH6sp$eCzg>hg zx6{G+DTNW9=Sypw34mzF@bvA6f37suACKN%UH%K~a;k%o-Qvz8p^pcq|dwQ z1U|S$P-K_4+qOm2Oucsh&9Cv^zv+Zo0=()`Vyq+6{m9unEyrBeZWT0hrRz8A?$Kxj zocOaxVcD5N16h$vCh3Aby8^)NsKYbB21VKlt_pGe=!G$mU2hK(IfrL@P{`Nq;XuS5 z?BuNaqVl#51%JYML`?Be_gXJDjn5z{g0)lCB9K;*Melh2#V2=smBh=iNVBi1zevL# z60o*$3W9s>$&7E3pCu6#DthcT2)i^PaL>i092yqRuLHA_P z#j3;#X{z-cN5Vt|Ap>0zKaK5Un+>Ay*tTecY=GCFY{+6G(>W^^`M4slp(S%NF4hvE z1ql*RCX}lv$2%&lq8pt|??;}*3R$Shi0gXAOn4NXv3XGX=F+!v5?6!^I!rBG;vYy{ z6I|x7r~0N2r~ZT9SJ(4`hqEr(=fd4`jd$9!vrVu>!%fP;92pK8f!uq>Wuv~C^;B1# zBv2@jXar(zHW}UDd7p4jAC@=?;`wk=!(kd5@bTBKg88DiT*pv6Yh`xqbL;B|QH%&- zNn}Y=zO);XfYECG`+^J3;!RITohC$Wz}c#K(nA_^EK%*b8NnXwSt4%1evB&)4!c6q zTFEOjMXMu?F>0N90Lfv$+Q3u8u_O*y;qN|c7v$Qt+HDx2$)b(zY4#X0=fS^woVrG& zL`*$FGb|!}D1c${s(8e2G4{+p0~A9RR_R#U;Ry?qWTV5`3+_zmF~jqfR{zgg8Kj(J>yrhM3pE&j;6FMvm~p z6X!Pwa?ySD7#YA|OaSEE)0ACCu2F8Y_r2xJ1-~L)MYLHdhh#@WD7wGMh8M~48h2|K zecTG_n=jqCOx^4}&u?!F7F(Tv!QuH!vg2P$jw7p|e+3C#$bg&7cCSy@(F4hL;_?`InS9?XWYt)qO3FJ#I`qq5U|O)NYYXD@w9dTmW48eKK=C858YFvezY5 zj+7D?uXB1t`<{7HNUjmImc7*Fh(Ro%%4CR`5v-{q)L!h4x@G-nU9Jl_8;_V*hYt~z zc6Fu&rR&`Q7mJ0Iaz!gqbCrr})}J5Q94w3p#fG{*zxXF7Z>{4eU+J2Wyo6iL`Z<@b zktUdMZ0&CSyL_=R#B^P|hK(P5x2QXp%dE}?x@+xZdz1^Q)!_Ss@8^R9+bxx{qqWEZ zywIF!!W#No>hAk5`mouPB~t9=fm=lGQBS`4_Pg(Y*Vv%AElVDJ-(>D1&gXZZ+B5?u zLg}^{l|tbPY6|2Tbj+|#>9iP19-?Xr-<|loPyy)wZma-u1E>q`ktOK8BUT)F>k(;t zFvEnzJk<^nw&> z)<8bn8m<|8r*a;;;aktaOn_zHU-qvJ5z@!r_4HLLKV+JX*g%kjnzQ;+x*tb1IC)}@>B8d88AJ*! z>Q9w>;h(CiA6V$Tgj+X?*_&dqDsLk;=)9hcj@$}{YkdyOcvWpWz}y}$BOGcTVEb-S zxTloa<-E9?%s01v{LkcFyqSD(4V8vLViy7Q$D;h@zjtoRX5LM{Fd#O#RvsAp5EQlp zf$caak2?t&LO{@g3cD|#BfvmQG7vfAOyGhEP!|@{(pt>1v>*Wy-9JX$kVcz)sD;uq zO<##oBbgNT7V@d4K^rdBc8x$Na9UD|f)1@HUhLL_n+6R=3f)HF?EwMqq!nEVmQvA9 zT2oQFOA1%>EeQgvh{1}8G2miQ0I8OvWEGdsxV17}u;?vh4`r|Vw#bkYVo5S<&~|i? zkUrdq4doh89`(~8Z{G{64EWS)o743m1fA~W$qpK~(^n~S@&fTACaq4cfGB^{1LY3R(CBKAV|gp5cvu_Se>M6DiuHHAiO zTn-$)2?5NIDUB_l=e`tk*sXdc=^nS`H#md69*a$Y_;R#JX8oy*+>BhW`p=$K0%y@+*1M;UYU+@%dACxolEuTH^A!>o(RwRo@&E zhY&cyLLK^Du{b0iL6~v#!^e;R@cTdf{$SoN7Z0-r8_EKfsWG`OxlenvYDAVMrhoU!5(dsRs$my2_NW8@jBn8HmX%@FHWa~k{f0I*LgEP5FsqqL|0NE63VtmH|Nky{1HygrTf;ISW8fNMe{m@tX#Dl-3els zwiwNt5nXc!#{1y4W72kU_+`CWEGVg>UREgI6h?ViJ1xm$^HWmUE&;cejYM-O;MqqI z%l8ksNvL;hXw{8&mZK|>$JAdm@tC;*g{9`dEuCk=3N+=LP)f%rN=Vr^&S6$zCrRK_ zpDCMK=mP96+tgHWP5HlF1hsCr5mv98Z^o~$869%%rs&!i4_%XUpJFr`s`_tcO{g-G zOPSl~r%D!1E4fx0OC?}9SD1XVFUGGBNy=FOyWsrjMG!Wiof3p>HBew$IzE3N+4kh# za{%0aBfB_y6XKML(M;B*7{fU`@4W36;eGg=T@qjgQug`H4F$NOc#pnA*(^m7nluh+ zlAk<&{Fug6spH)iTM;|euS7?BEvn;G#_9n$6e#^YjWdST>ssuCilw; z!``aEF9?adADrn^Y_jKdIfW4sX9G?4uct0H)_S@H_VYvjGqklls*=%^zL~DK|L(IJ zh+qD@{D1lH-7yQ8WpCwc61?CFShqN4?rOZrUKL+o68o!Mnja#U<~Yi9NF9XSe3p}0 zYYcHObQxXv^ICo-RP9JVIkWUo6eo(9-ohTGNW3)#G?sen`$WM!pQ5%F9wRDcP|Kf4 zF0cba7efe8=5awmoKyj8V=P60_hmIo@Rhh1T`L`Vk`z*14+K5`vP2GF%`EW*`z{TX zki3(`^_n6S)+p8QmYMFz>R)#Sn2f#>(d`~f0p$h}ONy%l6eGNv9z)oIGs(M{9Fq4QQ>+*(D;IvlV zmKtcK*5DvJ*-ey*5}gsLgkR!zjLd~MNbm*T8}Dlg%{1^=taVU9ejU-NP$m}{!Z1=0 zIUq(zT_VU=Z@sFOk~v$B{Al~b@5Z4MJU+>FSx%Q1@7_IoesqCXELPKwQg|PEi_xi7 zNRa*57{!~mC*(^g=Mc-Ak;(y__wa%d(TsoFC>r6xOP$B*n&E-Nag8r~J190=+>~z? zBsMK+3y7ESyK#q=^^q6Q(^1e94>;qU+8Ly{uj@N1Mkd z)2@o&xPq`#{~L-39o7AykTJgND5`S#tLQw?aSFs^|}aJEf!1T{4q2@VP^Ix5Jcm%B*V z+xLi-z!O{;(k!pPk=D0+sBPWs+bY-q!Hu{v18-$=!1z2?uO$JAYHb_{gS?mC@wOu~ z%&3GBT%Xi}n5;Jk6tuLf{TpY>4+768;s4Ixb8xe<=v-|D{-aDy-+HIKG6ROzo@tdT zk0~~x2lqzAwGvApHk?A;WIp|QBOHsq)Si+9aX>Wq-|ULc5W`~50bNCMW+sOXhtrVAg1Xd0KPX&o*YVA+`yEgn(W`<6J_9;pt)(kLbQo70B3pBbw_Z01fb! zB!)g*eO1kc=PH<9%jP94dE0LH_K}~6A{PlkD@~qek#KZ2F{wCBxu}pw2O?5z08K!$ zzv_*S{Gxt+`CLWdwn{I7(2XKhAk}2&W8yr(wt1TU=F`YE=q#A+NJ=q=*>9W~yBHC- z>#V3p?w6}bGt>MX{gn^&e=Yk>vuxMVw^tiC6oP;ztWo!CQRqrU+0r1p;YSfZ;}bJ7 zYRM@5SdFM>jQd-zooy+%pIodV=r_shnorU3riNI10!QGf;){t(%Eg<~@Ds|>Vmcx> z&v=z6Evk;zRuvh+Wr%tKGd@Av&kg3b0Wvi{J%2-H`t>YabIwx1!KF98nx9_&QF<1c zKF-V-QS~#H5|)cDl9;W4UnKO&Zbizm@IGV80V&3!yh^A8=aLi8N6vRC=q&Ax{8tW2mq4Z)qkPrdg- z8sR{d2-%O-m>R#7HtmHj#3{xB?>iGE=sUV`=b9TyU#50>`C6y16aUi-e_+hc0o!TA zAc_d*iBUjgK_-s4E?UVyv;WG3&vF-G5jTsxnP+>0|HEKEj?j{PEs9&5QA4#sQpRT} zkC|qhaXWk9kM*$VB>u@Ppe8<8OH`7OKk=}=2n#JKl*03`wVe9><>|%s`?qITnw*br zsidTuJq-c%67>X;7y{fcipPe)+h$UF2nq$%G-l-yc{rWW0S8dU0&G!Lo)%d>Ob%`O zKIQ8PvYtopPtLBcKVF<&ohBzo`0Mezw^tYMUPr2p>N7>ZYl?JNMU_xdO*|;4o!P?$ z8FaR6R!oE*1$ti;&Zo#d3_=4x+@KbfDX}*vVF5lVWBZSIsh>TT{DagPM})yqYR;Xo z8xB9j83OsJD4+;!6M(dUF}Ir)r;oW82sw}I>Xw9j62n?Fdo0QJ91^5JsGuHhxh%+D zg46&ZE4Of*PbgY8o}8Y@uA-zb67hTzQ+_l`Aone&#JCxa zK*OfhS47EHSI;bgeq>4E0|IyV#)*xYc*aks6_gE^d6ChW(ZcYY|P9`*#UT?j>Hw4^lN_G%Z0_Q zC+=1_dwX?y@#5(Cw40sxT+_W7`M3s;7G^5*j#<0pb$RY()Amj;&#BV%kl&l;GB;#6 z);xpq9p<~?fRR?W%RtzL--kaBIp!!k%aPVT9VdfKS+NA)InmD*Zh$Yrgt9ktmRhl& zoLO#4l|6=?f6mbhUlvs+(n^-tiV?PtqKYc36N&4gh(L4dFml|64FHzJI`@Kf8z>7A z!g?10`euc&+(?5jDFyma=9u)eqc_FZG%)2XW%msa3QouoTOzp__T-br$T8hXI-{JS z__Y*y(XAAP3RECVw;;w@m1v0|o3SAH@_Xv`rF>;ChA0ha@;UyJw<9j->7!*|=A>vO zJO_B`s6TmoknK?c0SE2;r|54ypzw1PE0D9(-L)$C{#d;1E`RtvsU z)K2a`mO&7LRxS(IBWM1MH!~`tqyjpiwD|5Ij5U2ZGE_X)!^5;1$gnLb0%Vy+g_17_ zP}?0(Wpd!`Y1>7gWE=4&v|RkvkBw`XoKtJN6YpP$){NBwyPOU;<{1ttP}g^9pH18gO15U*dJzrOqC;K|=GF@MaYDS>aV zXX@OmTeqi)Ylvb$ea>@2hC8WhY#O#CS%W_A>bhFo#^K-4RV`SQlFgw`sB*L>AwuGH zuwP&~Qo}^Y5YGq6GtEGG_$Eg(jycfRpMjcIq8CGfFrKBP>7BAJ{_b|Cwlfp8deV4p zaT#}d^V0X#o{)WaQla|)@t`C z3$-x>TdT&Krh7LE?*{4^Lg^umPjsOO7C1i3v`i+}kJ%vr$EW{Dc(8g;&WWm&M(i;P z&Za_>AVjIR%5#bq^Fey4IX?{juW`FB&rgrfUYs2tU7fvq8v*9Mdo0-@t<&`Vm(tFu zK?+6(wd;4QelhQ1sf{H^j$kho2i`Sqey<60+ZVO-V#}WG4MvGd6YA~`<=$UxgJ=Js z=$&LGXuY|UZHX-wLTmISGU1?EWsS|w)7_cFw^1JjPoIpMQf&{iJvVHldf(7pz#)is z4KGF+=5nRGOzwa730$-2F4^0}fUy6yJy|2NKSEBP`%>7x{JdGN0Z;=o8N#GUBmD2WO&tqH3DF;0BW#$0oY{ zL}IgZqQ*r8nhbMCv-O5k6vQCOxC}Jn%rTclHeAW_xhyH!@SzKyeUPZLibYdI`6L8^ z`3{Lzo%6|-1MZ+C4FLp>(nybvWC!n7*WMSCvhr zr9}J@vc*pxd$>&yU=_n&lF;c3o=k5)5FpVX@Gx>=KyIsiK#d781D*Yl;CE z&LzbD<9RD#6d0IaDi@hLJNjilb@S+qzavyHaKXl#s=je|Ec3tlCaAFFXzS+gW#K+h z472CC+p%us-d2+W<=aWsi7hPgtvtxLEvj&@iW;e&RjLx_8%fH>Pgiy6e!iT{tHtNu zs+B(Sx>yL#xzTh@9iuE~^($&nzDCk*2cbl3j210e+0^dEoJ$U5FMj@%y?{GDb_er( zr}Ud|C6<7DxTJ-C@nPHCR+BOT({uHH?y1XTuB99 zmesB06bOr~k8$H~i=vrRiBy^G{p1e5Hox8P)aU#@rrn@2Lbj$ONKEdQ>ogaBBZ*?~ ztOR$1Rkf&Av>%7{1z7{)zp%(y5e^qfvrTqt;a#3Qzp);72)bO&H$ykyrUk0e{p-<_ z;rH2-Cr_Vz^YqELYNrIIJpGG$MkzNPVn5}~`8mK6R3s^bH*~*{FKpdeNRJwlVYQNo zYH(^0B8W=A1KsDOuD}Uwp(=4UxJt!Yf;;!n zxGtPovw^A66y0*y=>fj6_xqj{jafHMBz7M-Af?XS-zRZ|N2}3&G`kU6G*hq+m?wK0 z1gai`3bG?U#zuyJid?FuD%6=Qj6!vvi01<6}YYB}Y6ABbHL@l#gqjrJLIjcux3l(tuWqC{eEwk~^v-WR{^23fu@E5> zrZ9~jx4|OLI&g6wo}?+a_-l917Ahx3*_}umEb=WNO^9gkwh^r}TBrz_zrDPqaSD^= z?5*5}^##+#LhnA>;CcL}0%pxKmR~5BMe5t|2mIibB)T9OVi@?Y*Y}t-go39WG-_f? zSd_bHo}~ki8YRQ<>qkO<4-rB;-`S(rRHpOc+yHnC@7w-Z^3D2>|Zcw2qk*0Uxx zoFTP)d6IRQp@wnvrkj{+>Y?bLC8pQ1 z*B%6&DKIWqch#*3!4WU3FW#nkdYgxI=RF~y3oc{|U1I@_Y}7TUeo%n{t^K_*Zd;?-dS-Hme>@CD{0 z6uNO*PS9D89p5c(ew`IJ;e@sSm2CUHs-Pyr4_drr$-Dkn4m z2PBVPz@nQmT70r4)@0MsdAuu59FbS&Qm24;oRf{YTj7TT; z@{R(;M9z=UOi^iEjJS-fF{v~xgYJX*mSFOv=AjR<;g?+m6%-WQp_d*z^ixCFaCCfr zMq_pI#@1=shr8MK5$Ihh6M-7!lfb)0rz`6@Ge!W+<4NTBTuPk!a(PXlvxlVWHZ&^HN24&X|ai zx7_Ym)g+hAi17^ru%nH$jsjs!5I{uKp+;&-77QbMDp5=fMq0#Q8~0fN`2&46=>&G{ zMN@VD!hP!ZMFy_o1R)vN()y{Tc~X z2?2B2m1qL_p|OsRt>h!A^BrZ6|5Z7gg7K!__TiqTge(y5iH*%=6NKt6C#jERpOfFL zDkvfyWT);Sgo1$q%(Vg)r{Mtxqte(!d9LypCv`?Fp<$_hk+PwM!_BTSm9@!Uaav^< z6&11%YC7CEmQq97Pp|JzI+MC3?iIEHqEXa5RWvPRywQ=yN#e*T?PuqwBC2sU-BPX( zi%xJ?Mpp%`R1w=>(sLZ%om|-g6Iw(a>`7@(OHQ^OKr{mXc*OOPp7)so98Fmhym;4w zq*GqRPpP)6s_*j}U{>jW&n&FVV#1^av>Jq1C7?fU+zNnNUaA2?td}S@V-^&Jz=|En zJHJzF!hU#^zF?d>eViNxIdrtWWzptc+bM8`Cz%|?dV^gqpJTqyuH!-lr(8&1uJp6Y zC&*A-kA~T-)&yRE0QRb9Nm6S-+yXP8+ZehUg-yIuMu>8TuQx(+Pkh__0S0~((HMmy zx*`RdIaRF=fwc2=r2us@NwLNl7i-s1X_8_fgYo*m~OXvb>qMaf4)K*t!nATOuP%!crczPf-0v z+&YTtdJ58MT@uh?4_&o;y2;*tD5vfSg@LorP&=?55iS%y2#eD*c3`gOXOjGks_{0; zvji03N;@D=(SDTOS(REGqtGiQ-|{M>ZVQ#s2K!Ly5wW=h=}k%uc{VQkRu;+1zp3I*)CWl1_)DBJSPi z#i|0P;$>OgxdzMZIA5;ajhid?o#nhE^{bF2N>s31r-KX%Rdjg$DZ+Q|TKBD7=5GIiOyIn@z0KVl zITy=0s7v>YdATUp+1ql_(E7N@m$#dxsX=nT$bsFMBDs5khq;UFPkBY@LEOi0-0A|I zo_j`_{Zu%&*M0DEZle{i-PfnZF3LTd`QyL;nAcTf6V<;rssbx$i&U2z1v= zOuWg?-<}VH*Zl76gzW`)%XNYPbU%ZRjH~z4!Qm39o0^oV;^N^#N(Jc*Ub*uV)%N)! ze3uC&RwL92b)=Aey|xS@tQzj54PVD&;s)Z-y}G^J^jVMqWO@e^mVsvyu2m(V?dS>vR z7ui2>C!uHl5+CT@-jn@dk`4jFOcb<|W;%8XbL?n?rX(*aQ}G$bfZs#kJ1fFg1J(uf z4x&36HZVMN?uiF?3Nnh&rl@0{i(G5TsdY3O8*p4wfYrK5K6?pV7Mkk$Fgpv14%W=nyr!C67zmJft zg9k(=2YwcLaQqtC>3nuq%WqZUSK5?S5=H60YQ0EBiY^;aIS?Xa$NC}VGG{NC2T2R+ zu#z_d7{kt`iRzc2oR#Qh(UKqqxZY?p83+sFCAHa4sx-EcR&vjLb~4HxNP@L4l+B4g zFXfuH!kpxrdioKSs564!GfvIurqG@ULKf7AcZH1tD<~AOGXxD|jC9a};d(dsK-cTK zj3=0oD?w!^N;~$dTWQhoAV=|T5USAv=_umI_lx`1B7$9l7mtNn3z%WRI`F318--qg!2N@|lqf)Br6no2;n0uoG9v6m5hM)T^(4cdE zgn%_acq9+j3bail*_$%edV>e-UcmWN(?xN~&-mz`m&b(0wbqNyXL_ zf+#*kqQd!hLGhV}xxx7WN=xS@<{R~1OK~K0oNMT}8udgrCkXzpTf;C`0_a=c4K1nM z<+l0YDd5bvl_#Pyw!Pjfa3M&pJJggu8b88>Ke~Km*C=%C>&cv9-INinC(MqkOlfJo zMX~#OomUd5r*qlvU`mj1GE&I`V*3*G-&A7GHXP#o&>I9Y%O zl9Ve!3iht@1x#HFBrP$&USLi;*9`j(nJ45DHmL>8&=a?>6y$0y?SiKW#=>Gz1_!5 zS3`spgLNNhN-~n97;kReINA59oJ&ggq^DvekY~=I8qu3cM^?r#rMoMf14wuaPn_0! z)027}2RstAoIf2I{xf#ZB(Th(Yy5Uu`NhAp$eglM#CI|1fv@qONz5-+J72QOH6WPC z8;S^Lg3SUSXc=Oi$)1%WK|x&+As5guy#o-MidU!lAqtyGxXJo7ls%Hi9zH501f!d8 z!4!z3yOPP8^feo^c1c4~-p08AY_LZ=K?1}S2T=Gd>;&-+DeNqU|K2`(E75q7--7Pp z-nNly_E>&n130 z5-L@>ZoU+^r_g5hZc)uRE*s=zp1alXyh7C56pEx8GnF&5s_eL!xc&8o@O_B6$Avs! zEBYGxFyE|3e=4)rMS+0&Z2?OSA@hF8*EEbCN6oW~d^2r|^}3@XlN9Crmr;=^8+r^V zN*)%GalRSQm(QK$;l|&G%i}OPhp~M#&wu$lsnhv#;9@3 z_xDd9Ui7@+>3UQ?N0L8#=79#u2^mOBQFrJ$S|X6iN&u}q^@$-7)S9Jq{cyC2U99c8 zc!mTXh<82fIWmWEYM>W+Q6MP)Oev}o4ka>h=}O&M4Q>UoJQ*VNzd07i_~>et+>Uqo zWV2b)V(x(r6Y&_aA&ofVoW^Xl)t$WxBu)rUQKR8tWPe-)&f^g!jSBud68SOcR0RJT zC1+4sKp6S6~~hgwt{r)mnRCcdUF;2c1!+B9p5L>VIuPFlKj3ZYC{Z4fRlu zjr~rwKi%O9Yw~pufwZivKG|h}O3<4q2^kqJz8HIF_>Cw{Asi@)C#p;*Trk1UNperV z+9MYG2qaS{r@;jyNsA6;05LZa0h^Yw5VbS0CbRvtpMeusHXW~1dr-7Y#E#`1EHC#) zV=DBb>l%a5l7+97Y8~;QCVdCPtiqHduH()zB|nxyxQVk+wjz9Es-0C-m6@U#J!VR4 z$R^vlKXyix^1w9XYu`-}|OY zl^K|mj@u{9j4x#h-YFHo6A1gRVkai<1)Xm0)6NV(O-)fv*;_`^Sz=4r5 zbIX2m3;pKJ(c7b!rx)jEC%{L-ASJwC;R*Qgmr&Cbhm+1;UR=F7d;2%ve8&fGBXUK# zJk3)XTQcEhvxqB~0^Lo8!q${L>Y)SjRis3aCdo;n@l;P=oYc*CWCkkIi{bA z?YKhtXqDfUH+^^evVw6T(MUZk69SvQ(K6kH;v^KWxx#fAhY6Og+_9&>w!2Re!^*JNIC@SN{4R!5nW zS9+^*QT{MY0BJrLAniO%NC$UI)=etkF(iY}q{^)GwHat&xX-O)VO)2rUNE`en{sto zelDH?52M08`a6F;*fI2OxF#liQlHCyNY;95;sE0~O|Ml6ag_k*B_2&PMTECJn7B^X z#3V1OTM@sINOqaly#qk3Wo{~NP#C}^C;=g@pJKVCx|-bn)fYX`+BJIW9JHl#DCeSD zn!N(BLI7gEftQ=seW383=8y0-n~sEO;$gl(EHgxkKmPKsZ&tgISzknC8P~5PK}D>GSol6l5Q(3Tz7>H;Wk< z9)GGg1qthX9c97a|Led1|Ni~|{P+LE-~Z45>%VmW{U87S-)DdS|M>g==zjSh|JQ$o zAO5d@|Nr~@|Iz*J|Ly+&|KNW4-*p_p?;=O=Y{s{_$}DkcoFZkb5g}Ts$rdLgN5ZaK?Gic@uX%(GV3Ty@E=z;y?2Fhu!WBv1x2v(u=aNlE>(VfW2h1fNG8n zSCI2Yx7W1Dt+-D-3Sk(D4}0Zf!qI_4G7iP6+T6_PRG?ToG{_q%K@)$({Thbqlq-T3 zUB#;an8LG~LwP!346JkEwkq-EvV4|l1ePyh>609aq`);x!lh&UhA?cR^x|qHV~{Q- zI)1e*YF@5M_nI0>&D3~ddyzzwDrZTKmMad3kkRy4_E`Gnr z8`e~kcVm8$@rJ=efHrE1OJIiw*+r5aAm5hLdV#i3thBnoqP{D72P{IG{a0CJsn))x zX6J-OU%n?Dv$kD7J!EAq1XP|r`NQ|$J~`B#WxjCb^?DG9qbt?+P>(8#JKCd8J#|m0 zuRemW<>F9XgHR4|)^0f@uj#h`A{)IL98vxIQwv`@FY+c&@0`x9^3BuKPequ^27e>&5);67JGs}DOLeG$ zKw;g9fXx|9+__SKFFdG;iUwg^Qf*II_Z z@3Qm!Zt=^%>n_A6(Lzkcz+^ljA-5!ea?m&wU}UoAJ-dc2XC6i>_c;3=aiZvRwdzp_ zwnYV5tVlXliTT{fq0tQ)AAKavNj+}Dax`C|<4+o9&X!o#iKf*MiXI9)JT-phAv;$Q znA12o&P4^zoMOT++1HU+LTXGH!~V%*?3`+eBuamz##TS_I4|>0<#My+g=()s1(sUt zg<>e1wQ4Y%L_v>Ox{!5reFg$_k4infgs=!3#v@pRdW$!IlVW;_d{eg>BO-W=PSC6K zC2v&(^N%69T2K)poSit~(!B~&Lhe}kV|HIdqOwi|QQ(OYRs`0C^EI37kJbV0;B-_v z1TXLFF}2PEtC-Lti7`Tzs5$9{P(lXPMbaBVEukA!)9Zn7(eXpax$9lrU3YLToeu!i zT+>!-cl)hF<-A~EqV%%+1K;{mFqw&(v4~&S7Gx6?MXX=Xxd;#QV_3)^d2JkIr$mJ# z*fKxdX^8+w4Vi|AVcLcZ4zNsBdX5th0?P%Mmq59)Bv%~JG&AaqG-63g%B8xnUL5QE z+gA!F#_!oKtQH>Pn=XjfdM-LQe|+*pC4apvW}PA@U1OWFnR88ad(S{Tjk2jNxbswi$uS4 zTRnc7rk98kTgvsd5P+<~h;*3G#8RESu950{lrS`!H`dw z|0!6h?iOEfhM5?k*4$!K(eEbvl~vJRPZrL6!av-FT?HHWi%@iBHS=U)p_`J82MgDR z$aq)?#WZ+!qB4CbOP!#I>X5hjVeL9vElHR1y7aUuVw0FAhy+3y5BWRvptF-qQWR`t zAz)jg6LhETcg_IpY79$3Br8-`l~dhMR5>*s2>!{NN0|YI=L6bOb|0h$A*0xfd)>j=RKYyp$prRI=VSDMM0d zH_0nH+k}ED%+h9CZ1|kV1tu?w*o-|0;Ny=N6qG7m8Wo*D9Yw9Amg~yh{RnL@*d4+V zjnGRjxytc2n{V9p+jJZ~DK%gT0-?PT!Mea9=utd9x=Qe=_#HKFUKNcPO-B2gwdW(D ztw_*1NQEA~uRVjjDBD$Wv_zyY>7tOS@Z#ag;DH z5|6helT&M5(SbjKW~3eoAyq^@K9$s_g_uLq`|?kh*B7TyS?b>I9o1q^M%WiqqDUaB zOlgs)>S4-1t;yk6+v#8#%Dh19`0moZ`K{7qT&iWCxCjR^B- z5F`#nDvIwQ$MS3uSffqeJ_s)Rnm%ul-6HJo3ZG&ng<-6pAo@TZ8hT>EyMFX0KS%y{+f{fh+ZY5FKj(NmlIP}6cYff zSb9{uXm9(~V(WXXmA=A{K4k8nr~n3wFM1KlS<=3s@NO6gTi+14mk$^)m$)68VQ{w< zU%PH2cKYEJHg#=Ge`%%+_CWsRL-S@G1xH+L<$gI!Sow+BA>t<9FZjRnule`xhc5(n?(=#j`Ye-ND#Mr`Er4PBDB8IopOR@xcZt}!P~{5la)rWihHj&`a@BbhcttwU$tyNwD{pl&JqB0q1pw) zkq=kDvmrBo(e6iaPdCq@n(KGjAA{;S<$8KT>*R>FfN_FFV!_dy4_A%25t|l8ra4Kr zQBR_%wQ3ZvD$`d?SY7l4Fgk=kmM7Iv!}4%bN0>`pjLS67#H4%tk&7eeeL0f zNX05q#G-B8&)1!C9XdyeMyeQybda7B;zCkD!SfIFMEQXb;4`|vq&^B% zA&i`Qj}b4Qy@`_zDTTFE$qh~c0%kBch$(R?=7Shv^pXg!$?jofKS~*JS_IU-?nOfA z0KyMkPVCTzhc~_$f~gV8Iujyl55n;X#+aUl+Za)2N3LT-{S9>*zY$m!{c-{N0(!^D zb*I6Ep4@a(OA4l}RjrxA#JqC^{V!xc_GN@|E3o*WrzfWpwI$1$n7TYyeKm_xv1;;5 zUz|yO@0xs;zTMOG<(_t4Ec?&@^4~<3sz+{6{Ld&9YcL))*shBRwyQc>OA(Oh1&cuR z%aj33oJyq>{;K0Yun_rVf-CFcJw_xa9Kes1{Ss`C&H7;1Ae; zeb*S_LK`?x!E!OAn`BH)V@6}Ub<|Sv^(uS6eYHQ7G!jvuBlNWQTj%a+q>X&jvlDv+ z{&u|og(&e6DrMbY+SXZSi>Nx2qFgKC)oaoUO%Ig)3LM!ND>NaRcIpnG1ptZdugbMf z+*x!|5OX04M88CF=v(PB8kX*p$BUf7wF#cqeXej0En{Ze&!HKj2mBSZfD!J^w~|EJ zhuNQ8*M4$G@@-!JI&|C*e~1F|m!>>Qg|tn%ms}toWs_*t9y&|n@OIhUL}^*^@1#VC z;V4$J@Zd`w=zFRJX6?hQO=b}5bi@PtP0-772JWE&b*@>ht4QpY=|b$D_4Ryc>w^%BtEf&)8Nh^ z#4|c!--X-Tu>B0tRQC#_5_(Q~Uc0|sqv!f_Io;c*cuu!zmNF(PkC2%lj4**}_b%Mv zymL}iI-euSqYf8L^Cp(a6)tL6IHzAce}ImiL&ID08X#o4;NtJ>?DV~jq5 z$1J>*Tbofh(Pvj<_b%pMA}9eM$1v#*+ofs|m%cXWYjY6DXbaanij2r$L42DzP=pxJS!RFM<^K^et&B!2y)1sx2d%MNC-1`;Oq zcHLIi!s0eV39JNxnobEDaY)`$j);*SbT?2OQh2|;C#i%S2@fN?lAPfpol_6=VynF( zZjy$GM+nEsjlyY(I>XUKt>t5_D|)V|nf2e=?R~{Jw*dZpndL=6t{t30cW|73D%(rS zF+NM&+sh4^LFNN8xa>Q07?Tj(j{Qdz5bfdDjI9CzzPkee$~DdlVfWzF7rio2HTRbH z?hrpZhs_7A8t&t4v)C1p?$AfL>lpTv;;B_YP6DB^waxr)?BSz&wB(bG{1H7ryK5=N z-0YRJ2UfORJo`T8&KA8*5X557U%8V(+O`p;dpgmZb_&8_`uA*ln9Q~2k370*T^A!c zSUfp6(hI8BL1G$FWVlK4hu*+7j^%9AJ@033e#b_#b7h^Z^P`Ka_wUb6IP8X>ULQR_ zeQlSjmJxPC%|5pL%5Ab|Ci2|Pqfs@zeH$zrAwdhqD~%>X%gw$NkgE;rYMF>hkW=#&(g3tJziyCMFtMSNR$j;exImM3k9 zEu5%k-JNj!?tb@C8Gv0~qHUI-j39}!Vco4r5~a^*f9?#0I$uVXa12&_waJY~^(x0F zeswWgkCJdAjQguB(;qre5x*zgSV#ddvbbH(jmVM{IQ0f_PUMyM&M&SnPp__zU!A=^ zxxRe={NnWJ{PbeK8=c}vLqu*+7lqwskf?@I%d}@xoVx*eH+yDveu~v(%h?#KLm3E5 zBZkBzX~c*MUxrO7{S|BuFlHp$S_aj^$KJq-+j&JBMuuw*b#fT?F5aZdcU=>##ko2a z-`B!PSHduxb}*57joCYdUp*<3&yN|o;5J2T=u~>l>QD_m-i9_PwHXm&-n7*^De+l( zG9x{O5hAPB`$NgfbyQ|73^N=Fu8SI`5a+-hJ)zV5P}9n2Jk$@Cq`oxa(vWPA#rBAM z3c;E6rrqxx+s$SMTDU<#M4Gu2L@7)}0z~+U?`AqBgNHEBf>;mLUh&c=9U2Zs_0!;u zHw~w5Jra*d7yv{g+tt%lMtOTAUZ_5vzk_u{RHPhZWs=O1em90*nN+hN|NPKuUX~sl z^37{nhf%Vb^LWlfXfiY9uIWjppC&*Gu{6Z>L&?4Ewk~Px8E?+!A~*m}NFCY?yjZ$= zbYv#u8dmC9%p*Jatp;ZBZnwo2R>%k-T6+gG1S5`H2^eJWhke1X5>Wz1Y0sOEZlgO} z5Cf)(rbH|-_w6tzusaZlKfHsoWjvenK64=upp~rgr;bO`Q(|Nv+7-8L?s-Tge=tTNJRZsgi}{3B6rZ}%`>28 z?A{)so1=Qo?rC;7pb`mCa(4&M*?P0-Qa3V>Q(EnRke%$1YVtRer_#i5(e2{tGX+$# zHJR(%I6hu_*2JKk6-m7yMaU;o4YHaLZ%o3C9XN3x55c8C`Mtgtu z%W|N@NX)J?y;tS3aLdv89)U%e#K`=mEeFEwSY(YUsh}S9fqOn6Wa4( zMl{sUB?k)^bK!2KVKyR$I++k9Pr&LMwtRNrl< zZfGydsk4t(w^g6U&hvVkBVIZEJkD3WnmR!{=T%-KhyJSC+IaAfiR&hI?-lVq6z(ln2%;dY>l^tC%bI`qeWw7;BB9Ia zlW%^=jv4Tx99|6QSIv5X0!O+A>x7~4ud`EdDp6A2Z6aaB4Rr(T)^W1XbBStcbh4lX z>Y7~~ySFO3y?JIGWPy+D+{7|lsq?XE~P z(eJS*sj><6C$SRGKrV+y^*vn=NeHd>r4SIKFz=_4aa;)Zm2sw#rt0#;>1+GAxQDpT z7Mn%{X;2m{#b({wLzNc67P$9~M-Y@{#4v9M$unG!4`XXfQ8;iDJ((+U%*NoPl zF3)Ix|id$FS2%c?TpVekdnE*N$_B9gU%rjk5rEL3YOny1-s zH^c0=bN9bEa}&|-dJXv@|8vgTqOuDlP>R1qwptMT3q~zvwKT3LHc`Z5)&YihAvr{! znbrcb)mPSZMA}1*;q-HqCbKI2O+h*78K#6i=l?qU{rA5m7&W`xQf+8jF<)m`jwB=u z=tP}lHvL@_ok|8@x*=xlf)E^YE}C}hfU!~2I`@=ayfNY`!F9ovp9rr5C6$fKoe=5d zup5jDf`})cW(LMBe6UHu^boxSK**BZWl+qqofAWV-gDnLNly&Ml>na zjXTnddr{-`c`;GpGA-Od2Y|+zXcVyE;RB zG0hiDV-Jl;`K7H%3**%{^93W;Eh-Rm)ev631z6S{DQ}9^XX0ZnKKW*@8o&Tjs6kAj z^TCaWYwdR1w!i${UnU&*Lo6J4iN4dd=Uz0mza(iM@r`ONbx&3i7OOaBx!9KyJtLq} zd=U{8+HNDFAoh@MRvKketg=?OmheAC4JT9>T4E$MT=nvkQkd2qU*3eqsK%Je^YX=3 zO0}u#2j_^aFNN~hh)Z;=YyH$T!1LZWF(U@hwTFvx>@~gAgb5GRE*u{C-}PK5nzIF8 zN6w{-&|_fPc5JG4`v<;KLf)*~oixVGt&I5QQ+vxEmM{Po+okhI=N{M1EZBzazhan^ zl7q_UBNv58?hoAG2;~_8H8$&;8X0ravC}W(EJ^AH`Y_=-np*Y{^H|=UHiZlrPQEi&3$*TaHC}x%(|v=`|w6d1;1zRu@9lB2xIPfJEI`M zO^nKmB=me@=sisPIWX0;qO~GrVWyVrK2O4c;Oj?G1oOvvns%<|_0EpvJs^bnPA>{h zskl)UEbX8*mlkT7ehemV4bEl*iZV56XZlMa;#;8s!|(gc3$CT-e}BWFDxR~XidAWR z)yorni9lg}5TD#Wl8RxvC40TFu^vCd@B{myl(^)s;rIqln9_DYpI}G zAdNa)3**8sHHGT}3B%li(c}Jj^78uP{oAXv|DC;mYi=Y#mWI2X5?f?k0e`A3|Wg z@MR(Qs5&t(Z}ptq$sj|i?H!}pm2)(`^*D-fcvby%Ioiz*L@q>#@_Ev~_@@`ObbT6% zn8O-Lj?&qC13NYGw|@V}%}U5Vv!RHzkt`}Rg=y%HAykG_pG5*TPF0UR4z>q*d2=TR z*|^Zr4NN5>s$NY6f}ScH)e6sl(IclYK9>P{xS33yn#hq-PaFZ4_kkR+NX1m=N5!|4 znkwTOsc4j;?N1AVuBrcJWoF%pHik7H)%*~J)Gvf853S&ya1#x9gr>^p?!ReZA~VIb ze&O~?S)z{xSSB{95rJ@JJfx_CP$G2oBFT%f#(Nn3w%0$txbAn{e@?EhK4HYViN)xz zTIwye)ZzVQ+h6V|0*)11ljoAlUJl?fi+1^Ea7b$KBCHkC*{UEkipX+lan%TC(ZIn= zn<^W8iw$1-CJ#gl+NZ?`B2Fz)Q^_mNOHtI2YQpmy!l8yJW*bV^hn+|@{=7LK_vqSZ z+#~8x)7|tILd{vq>dF$8eJ?AA>0CnkntW6$T{qt=2+=r7WdiPQCoQ$&*m|=xhVSZa zgcG!4r|R^JEmfs6@sjNk!eFBfxkiTGL5%H_7nq@0n_D1@KN8B@gF0|>UWKF?H&HEB zA-9t1ZSYBK($7)JM${09CCxcwHI~NJYH#$o^|lhkI@3K|w%E1C&oNF1pX_c_?ea_) zH?3?rU#g4Q7lLS*wVL}8jS}385D5M?tXr}d<@1X0T5XO3hNV?+6ce-DlN>q%Z^^(|G1c zv9a77y(F6(2})vSXPhbVRvIMR{q?HrTnS=+y2koZqE+`ZfN0M9mw`c8HlVNz#%CET zLF$p6*>X-%u(CbseAY(9x4B{V_#U*}_3b5qtIKsf$uD8Q){$v|Nr?7|1er|ve@SQ~4TSF7hjk-C=Jq=QmadO|e_F~H3#jYhE;iT!1GWvgY;2+EyRbSN2UYqde3 zS^y__z@FP$-28jyOo%vHD}coS!Y|iR_+qB}A=346`wWkp(N;5>@f52in%!o~@Wz$b z+)ygPI|aKjFFo@FQ196&nz1+no0|)O(dWSm307tmlvPY?hN_eH-yd+>LDusi9q^VOuQ;I80(Wm%;`5+)W2gzEZtd*h-vNr(66L{2@^ z=Zd*kl@q+|9`9--LAL<8w)KeExfGy_e)!KxCwz(+I9)Ar_feV7;sVcKl>b2uYwOV2 z-#DHxftHvRtGHsdQlz>zQ>#iSis@bFK=lOwlcyai7GW6N>hI%Y33cCEe_wj&Z?$^= zQ<#xBFesjo+k`$oBYeaobCAzEZhhS4Ejb+;!bC@5#5jOjj3bY&GR5$#D&wQK7v3TS z<({>dEf4B5MJO0b0}P^u8S@WvusA^a6%0qp#_bS%vfNM3ea65;1WG0Ykmb|wHnyCt@rop`uy{Q zhS=TvfBxrxX~=YCA-8*d;1UUy+;SP1601yF7R&IHq5Vt)vup{lhid_0r*e$}+Mc(< z!7p?w8~V=RCjK~*S(zH=qmFGef`bL5KrQh$$nJ81h`GVL&&@H1jtw?oFYw;vk5@Ba zt|;OM$Y@llv_*6ZXthjISk#c0Y7aa~I2Pf2fjtZe#C9n4s|MZFk(olsV37HzOv|wB zt@bK3A+tAX21+v-I9Z54NM zWq(>_tBiD+V@i77!27KQ!HVG~Filk2i=xR<48tt|w7xWfPAG46LSe z<>HWD+f`CkX{Cr8<14;`D?0pIkqH-TMN*@=9ygDE9{tQ}fDnYDiU{_=FMz5997c)9BFB~7T2nl9nRFF!{lp2dfB$q@SotaX~t zkgi*<#<44A+vawaO(0U)&@RY+xRU&bvk`XcOn&IeS+{Rb;3m>YZTI%?hj)L#Vxz=? z*<$5N(9_kqWansFk~z7R&o<=cZPyTSWO_GIy}OB2&}SiNzpO=|f^dfG1$6{Wg7;1Z z1nP13=q^5rLIgZ+(y{uwPCl9hHh6r-~0`mNBpDYTTFz&3Xuv`qP zh`&FT|LKJspHO)<2ccApa28BPXWAXqt!i9O*X69o>e=w8>7kc)cY!q&`)3 z61*L*37B~5E;0}Ij1a^ev_)|I>J_XZ0jZ;PyK+vin}wN3lbHs|tjNo(HHJ?mxu&=k zK}K&>K?)4E)s#amEj5Nd4ih5;_1Q)sV5PC-Qe^Y76JsqsBpfIyt+lnl>v#g za=+7ge0*%+{4p4D?6RurySR^dyyMG+Wvfukg3a{?*~pN!6hsy`{Bvczo79uZ)P`Z%Bu;$!Y8d_CW-t zqaPki?d>TTNq+d@hXWtL-8_n74Ty(e%Ei@PhJ`f@XprTkUQo=)2zQpq@guowO&Taf zvR(wA$<5;>kIpK&hOVP}wXLTNiBmjMZjhC_R{cfljkxXTPuX-;vuJb=NVaV+|}9%oe>O^9$ear}lfM3syh zym)T^)w5m(KOoWT^nS3UrKiN_OJJ3Pgq)t1 zEHaBkBEaHGBX>R?FVdmttX5KQqI_BtxvHVVa;Qj1S&CRov_&fWF>fNFW##@sgv zbRuz{D#7Gxbtt)CY^~CI zan`}D^VRP>Uw)g-D<0P7FZn4cb5&C*M73S^v6?yu^5%>>KXE?&EjW<%|<@aBHNBdF#`GT5lebiA_A z1Iay-B1s{eq1|{In_6Q0%OcZ(gJ1+KO|%1he(E*>*BC9y>b~s>>k}45)Lz|lcF&c> z!bOy+fO~Cqt?Z`f~T>o*jXaZI$#-uFecwjcT}l|Hrav zVWhPoM>8*<59>+LLWq*wGk@1_LBi`fdr=G`$x20Vqd~TYu^z;`89bqHEq-GJiycL8O+&~-)gWH?0b&kDO=#V@^Mbt6o9npw zuw_JW3`!c+2^ElE*$n5PP_sR=YSuWy+(rTX@hGr32?ej*7eOcy&qk@wMtC|6Ksh-} z)_Rl?MYH7+@(p>2X~ehW#=&$vUjZ39PT?pH%4a zY~M(=yC|JnZnS=%L%p?HBAXT7I?+_#QH>wdxS)b{{CrvX_nC*AcnSON**soP*8Mq@zXg6Y?|fk?wYbd7j=rxxcND zSzAnt5N=?si@?p`yf0IY!++^yZJ`<=V@zy43NzW~Ot&I13h|BoVh?|M-z zTc_#NozfNJ_YEkU4Seu!LY)<}bXX8dm51H;unoqceCYeR4KDavwgKl6{f%Agivhi!czLo9K^428LWv6uAwjhvOk0V+NFxqb9myb&RDAK1O^~eQN@xIo0+^94FmK<($McL9v5_2(_Bfh9k zf?Ll+C~F#LO||g_1?swo>5qi+$2A5Q8m1n!LTsF1X)}-#4l{v);5@IK`Fh;92}wWt z{BtkiI8hXCjru85Z?XQsLVSoV7l;f*Ui4LoR#e5jnN<6r2hJiJW3xwk_qzY?D{5Vn z)I&*HEM)W?(HS8Pp2#JH;zp``qn3LRtfEv-K4TG8oHii58O|Be^O#9m?&jLgCS^vL zZ_P!!&FS`^xh0fb_uje{>P(>-u^ZLojW@(03SKoHqNl34e_rTB^-D-r{c$OCzs~o> z82O@V7&EjzPRqNs#swC&p+Fr)=unTx_ieuJNM{GokVk1)Kd6W ztr>ZHRp5m;7sT;z!BU#AFsh;{_6%zR-s9RCYLkc@J79Pwg-sp;lQx>(JljNvhAArm zDZoi1xNTjc5M|V4V~Imv!m+r?=3?;--7w#x8_y5@vr}7NT#}05iUUFEVo+6G_<7Xn zalW`uPVzyD1I7;I@OwR&*QiN;j*`S3g5ktZSEDkU&)0F*p9TQJY>spnt}@~=YG=%= zf9n}z9wpu#X}W4#SuMjE08eov-|0lM!uXWHPRrj2rEJBaYL`W&zYEM95+5*7dw3?v z;!+C%Oe-GPLvjYz{Wl}yEJYY0pZy%>_~+l9SRK9*8YA^l-`hCqLW$-^35qJ!k>{Ft zcwLRy8?-N;=;ELGgWveoBbeNHRf%bFtzlm_#Ey6VeaaS2%4+tgtYQp_5_=Ri^Rb*P z0U@idN2{@loiq1mgip(eDcN^>Rf@_)RmIZam^KujcJ-oPs?<0jhW7Q22U!Snlz-?# zcwaYB$}71iRk)d8i8MVbZY8y`>VBM5cG9_+XTD-v1BdBa+h`cv^>MASnoMZAx=jQ1 zCv*$7b#)H$fOK}H8qh4HzeFhSVmu}_vw+LW*tk+S&ZnpU+idp76mjKui*)uAe22Ff z&+~#TE_dlP82D@6$tPCJ&)ewy{Qv#GN#6hK|FoDrK?tf?I@@CL|N7sqZE3q}44yvW zN7O@#~R=6+RDjigXdb}+c2SrTpRd;zligcre=WdA$ zy(ucNw(2crq&Xwmf+X}I$A9(K&s3%UOs%=4;7j+**~39i$imm0TV&F+XpgcOir~Z9 z6%K-@nVa%TgR!CNT+I$yzRxAQL)tTd6P^ zB*|aAi~M4xxo0+vuu(iC?e;xRuXLIm7pq%mF4Xsom;Y8XNZ*_KHcO!>D+@4EJw*&P z0zh3iIU85Z*)-Hk+DHL%Uj)lLIJ^I3qb|q!b zGsz$S618SfOudopV>VnZ71HRtlGT;JCCeU2g?##YNn)&r-@p8WFo2AaA_{_6$d<%; z2nFEjT{l9t++H+QVogatK0@-ZQc5k-u$=1dFw*-sJx?Tp;E`a|JDh(H~$hE!k?MgA#jGuk8jhToRL^&4^8JDJfWV` zE!^6qe)aXICpD2BIuT?$c3VraK=KdPx7%VX9GV(jS+g^2TN7mvOH`Bf7#{Y*{au6o zgQqpB0FPWD@SxJR^VR8Cn3B;1PL^=J9v+?YQM{QeLVQWLQs<}}SJST%)JNZoq8Vpy zDk`arC{P4lU4W>O+k&J>!nd%R`MifR))x|IPrcmgQh9BoCOq}C)>VQkOElMcWsUR- z6?Gy>({S#7Lu?K=WoiOlbpnw%lt3kGx!Dwz$}1}koo2{umj=$z`;b6Fo*>>W;)1C_ zfgb7)i7F}s0qOHx(mdBtZz^eVABEBIOW}FhYP?n&rm>{zMwzV9h~YNI_gEhWY~sk{ zJvBKa#It36<|;;xWrK}jx@^>BDgM;3m`!8-8Tb!Ej6HaXDi^`4PnpA`J zO-sGjUg9j?NWkNSZDd^7k;8ppF+i!?0z_jFM4XoOU0%qTIzr8a`8AVr{wk4E8_tka znSw5%f@^x)JLW{pP}st}xF>OxmF|A@jKb=LFXxrXuC=oDc-jzk*Q@EgT(<@MB16bT zEpD4lpJvqL8^B6gEi|1=1G(H!X6~?QCPTNqH*00sp7j2XcD{y*g?-;OxgF48V69c@V^F1nM5ewxAj$V=zMxHURqnzEAr{S?~wF~83{y*lLgGW{6$u(GdMB4q03M?RmZ z*iCZPKhl^oD$+q!QLVqVFxj-26-Z|~lcsy21ihGuPX?rka5R;;y)Z1|Y(x6j+=RzW zp+N{UJV;tV^p9j;clW4lDI<{o*^kGmaE)y57`kyO`l>^%6l6|d0CdfLK8nF`pc5#E z_mvlYEa?K;1?tBw@9;#GAjI%Cc$G~zF(%bhNwXs6jWF4Kzg`0WOpSN)p;-Lu|9JnG zdK=ybtJ_y!{kz*&I7ShHb9105bJk4=@@HAZfOU6?o51dM&D@{XA?ww^M(pL6ckXwa ze&aq{`(4zpcO;s$fSjiuU#IoN;&QimIWL&~Z;vt%)ZRjYnLLOc_cL>d*WmK85uw|$ zLJ@7cK*PBu1S_LDYl2=lZ7(p?y2SY-Ob;A=KRA<-E`)s@y}=*^iNmHBL6SC&c$36=D|8G8xuN7*|NkC8E6k zFswOdqRaOv5QkR6e|#7`DUMU@36GYyr7=SEGkwroBp-!2KX)0>AcuSGG$xF&{NeMAt1&13p7w5fBy(TqKfjFbV-9nY2Loi$1 zFY!(ukw00k1)6*P!>d000RG|T^6Es3!ToS3?FR-e`facK{@d>9DYh#J4KP2IFRMJT zMl&r-CC1``>w0*9DDwq{ou5_kRLpi}$ko$Etf>BnmB>Ynbd(gHat7&B$3pG&6H60qz1RmU;pHXv8X zx|*DEBWot_7n$?_`R``(yJD7-rs+IK68GN_#*Q(V8-v)@bncbA*W1iJb_(E1F?BEH zcOYa#AiSSX-II{4NN|+Cl?tBn7b`ygH~;mY|Nr~PPWQbpUUjZc4v)`H{>$IvrTgd2 zo7eoW`=|Eb*I#_$zT18M>dRMqdtdH;iO+Xmefehhzj^szzANkhtl%ZOTjHes)OA1i zef{D7f8-ytk$Pgyu(C>zGo^Fh+WP+Ftvi7FC*crXKSH;*-go=qg4=xgckX|8t3lh@ zWc#&{N&7ZRjaysc^7RPI*Q^=nsOo@k1HMdH=BAy*OWQ=lM{O4I0Bh^`HIX=1 z1mhKrxmf0Eh5z|~|9?+jwRgXWjD_eQeEYinN^U{i5EA<|pt=f$_~(|CTY?{j%P$21nA-=$CbEPag2H*G;y~ z=dlG{6w}ep^FRJVrvZ6UGmtYCl4g2)`Ob1?pZfJ{iRL)V$^H1djPmaJ6b|#JekD(g zTL>?ZdBgbRw0FiQ4hHO>|Ihz9`Bvt&=TRGE@bxgolkEl(9jhsYXke!|c04O&WR-_G z;+9;~GuTXXN}2>kpen9-J8R#zlcUp%qi=8CI!_1`Aikj(Rf=rwVm!K$V#V#9*x>*3 z|LOno|M`FZAD(%L*YXfvQzsk64-T6j! zA-*UkAkR#IeYqOD`(lRxCa0J>-|`L;0}p~+eN<9MnY__F*OA$APFacw*?5xPCNGM~ zsHL^r9#dOp%XXju$yo_ap#MKX*ORi0I%psTsiKl#_dX{3}P&srUEgt5@w=sRZ?B%utlsoG`@19@u zyYGIyx$d1@t$*u0+4IBGcgO4BVA@@6`obN(r>E;5U!Qk>U>|i_m-fZ^Nnb`!6htHn z$G4Nuyw|)8W#}88q4#5N)5u(2T^!wP`r_S(!}H_QlVn@j8=FaBI1Bt_p13nYmoad| zIRPvjMw(nsK6f<9Zqp(6x-o)LPsM7v;bpSF?v-9%og5wZPmT|wLYz}+L7@jpN$wej zQz9e_H+MH>DD6h>%?$&7@|`=6Z$6xyUY=atTpsp695kY0wQHbuSQG|{52DY_ch?b* z;|HS%eebc9QI;db+cxy%-S;=A7l+QO;v~}^#n0RW5-%`|3c*Ld09BxcwS^ZfXHD58 z&$OU-(?U7xc8{Z`W6(Zs(>rp9k^(raI$o(V78$TP4=A&tS@iM#1WI9;SHU zzz%`nVG4y-Yly-OOO|b_q6X^jqOD|YGpRWspikC^`C!x zbapAo7OuMCbiTcVmpP;rVd>O?s;q6cdcx`P;pFJs%ZsktDXvZsQ$4Yq-#>lP-rd`I z=G`7$Uia?Yo*^&R;~xzwNi2*ipKp58a%SE1+}$^vAny*lS2yt$&-UT(SH&{@H+I3j z#JBDk_`ZAG|M1Kmx|fGy@g8Thr-Nqr`ynFP{Gcn=x@fwCXd)8F=w6=Gzx?^G{%psc zNxJbvoGM3$n~q+5`MYj^{fiHW-<{l?Jo~l2CERfH`1I%&ymcq$KX63;dyLaR9zbs# zY1rXXcaSbz3l9l}@rE&>YA zjOQk=#WsSCN8QbLCs*D6kNl6b;gA^laM=3*vu*tjZc}g;7G;+<-DgFog907djP{}- z{gboeTi@LFnbh02E*?=%|84fPgC8Lv@t1ZH8{x(I@!{2vH{YK8c-1|BzurLi?C|FB z>ga>pXivLGKW?&L`zP;thqJ?@58d+<-`3_awyEhBWhP;?Uv@bC+vcA09XHwXZ?Dnu zcNaHr`x{zyKRRf*)1~QL?*`IO8bd)2-#}xNavH9QPT-0bD$?ky#f;?-S6Mn~LH9-h z(@F}XX|X6@S|LuANntUq)0faLIihJ_&zihaOZpxbgEWng+?Vo-a$Ze(7Aem zIbg=Jv?&q+a<_5T`)$S~Q$iRqH;_jbf`-JI>y+kR;Zk1p+sPp@+{%>|JUUUT%S?hx z?y5|{cBh))rIr|}+=Emz`UZ)%5x+iPzJPaKE@S6xZ7AFpK@vlH zlr-?umkr75<1`=`dG>-F24mODr9x|fNQ)T~HLPXrM6o38*C^Tcx*;s-b6$RTl<6x1 zgXtrj7vCVN8>2G3Ik2RxyNMLv@M^tE!oq9Xv0BabnJiYmK~^Nm>%CJC%22*CMU4G) z0l5-)b6>(ZGLG_~-eM3;qj;{=&1G5iTOVw$(LPlVl?om4=Fq}rzjt$XecJC{o}Rdk zsnxLf&H$_`cS0i7MEP^Jg_EFk~7X)=Y zmy2&s>ixc#AH>DqLLK=>4bn(M{^#!X&IS637ZnAH7Qzvd%Y3p8)OXSK+C=5$ZqY(f z#FK9Yk}~qrQYKRC(wL^UOf5N#!s`}%A^4De zW3u1iwYb$Q#5xRZD9}tO?}o)fijW1N<%UmQR*7iu>k5o#mI=`$R=I2A^gkY7?aP~% zo4A+Vl*nPUT5sJu8e(njwRhh{GiNYN=kZ@9D8=huy>t#BrG8yoP~l#ETo0*lhcA=Q zfbIMY8y{&YeX&ogB~RS4_FMW!ThnDa*okj%Lo6L=?*{F+%4LMn%SC&y*L(TQuUPEu zeuTjD`UPObz?bda_TDoMP&!ul=fed}>+H*9@k{OOxKVj&n{S9JzGp^YKE{1ty57Eg z=8`cvnWS@jzj%-sf_E=-^S6_qrs=a^y_WIANOY3jSI_n9r*bK;q5b;VzTa}FpZW4n zVDm*K+UBpP`EXGn89I9Ag87r1m$PTS%ty05Y@PDQO&8tHR!g@o-4nP8+I}4_Y077B z+*6T+JGex)D;}TsTBtQ{^-p`UFGypd@nY@_#ByRY@nzilFKba-2u)^_F z{`Tp|h|-+v8B1;yK4>yxNx)HM`nTNZ$>X|bd-lDUt%egZ3h^BaYn)m)O%lLM9RXPA zJ$y5S!XpzsPzgu%M9~T4`t;zAgfHE};k&XO80}yV!0gZr8A^jB3)5U1gy;TQ$@NM3 zn9h-r<9~VJu84;I136)+ik#>S5+cyIAiF5bN#(IpL9F)nS44Vn4E-rW2sBmE9?-;PYC*l z)yx#iP4YUH?=ulByp8qY@OO!yz{cXaOXE6i|D<9kYneB`^r057s~nlBLZWOc?YwJT z@o+6A6~1~S>UZ^pC9MZ0)jCoMw)T9i9Sm8xliGX5?4&GAXE zf84z~z#D$%r_uZ|8a$gX7CflGh=+r{FJ59QqCk;u(Sv&%Ek*I$KKbj1PV(^UhvdIc z#6k+6qX@2z52FxV#6Qx4B!d(TX!&|mbK0BIS({kNoWanVK3Ovr+Ii4X5z_AblnI%U zVv-+Dy*RXEZIn$f7QrUn{hma9W%9r&!@Q9|2l9nGz){shy~&8tY@80U)vi4y=ONWY z@^QWInpgI$Rne5gmFC0R+EHID3A{)ad2fnzbh>;|R?f9>kjXe8^>|=O`gTnq82pO9 zln2F?#khq!&O!09s!S4dPgfdtZfR3ucG6euZ^G5cg?4IpSageYh$<&LFX+I*U z<7g+_XT>7JxzO|i3L$u*zX(b4KmYT8_M8Yp&x21iSgD7M>G+m-OLG5kScbY2981)8 zp)`!Ju2WEEAVm{#7lYE1wCbmUcinTZOAQ<;5}i+M*n!k9WL(l-L~1AbwFJx?&q;zn9Z$>gjVNiHStF0PW^ z^(C;w$;G?mxZCSrb>ChiW7kU#&yN#iqPqQ)qyF{PNrZIu>lB2ngN2)JcOopA@&ufw ze?)j1>Vn)~y&gH# zCY)THR(}638x@PRsl?1~-bxQUidpN(U&CIY4|F|nhW08s?e|3F%C(F?+jBMP==QFA zCrN+hmS5(U&Zu*mrSphG-aX1i50p>9%YDUmzJ@|YYgx3&H*>f^*^Dz;-5!IqmhiZ& zjh0H##Ev&vQ6w9%>7kAHmxET6VM}=@LOvD{eH6eGihA`us3kg6k*CR1tC(P=SB5{@ zQJ~d06Nbx30a7FlRaPwmQYzC+FsB`Mg}$Mcfal1IrFRM=hqmhDO? z+B(yYFCXCXC=M*>J0?Fr})c!K78{!i7@60skZ+-rP;mVX1N z3kJ1r=~1=rfJFtR8*TuoWTO&HXxO1ttuF@I*`Xi&dRA|z3t#;kf#Q{EE(&z}b2~B| z2jB==-Y(ovkT4J*MM4RbA=E@Oah_S_m72PvFi~-J%xn!?^|#;xHRUJdVdmvTAqT{4 zi)Jz$EsAN=t;}>%fKC7bS6IvB7Py~+Q|$i1{cAEuXk^CnK;ZV=zv1~q$F_JrFcOz> zD;+~vZg*a+&9h`SbVx&_hC@p!G`DxOS$8}s>2h>%BfhikLBxT8Spe<`T(=WQ z0W0(xw-7rG3z>;`5!n+aoQidC5uRpcDwIjXy_(ED4PJyWyID73ZmHB2x4aq^o9jUJ z@hW*b&m>?d#oE>p=u=4l@k>U$CD*PEJjveB{rVfwSFB83N~G*(n{#&}s^{t!PgPIn zdOx@)xYbz-jg6@$e^>dabDMi~--<~G-Rq+V?a8i4ZETWU%AJMSjGOu=pIfhQ)Qpm6 zANctj!wKM`mT~yxU1jlSfBjvJQOxg}o9}0r{o?n!we|kA`}Qa~?`^Qx-~;O6N!BsR z#JNk2t9ZZap+>%}KDa8bv$Q_;(Ty@KQXA=B#>;C#Y)UicB5d$SXr+NBcK5z)zjXh% z+u7gWt+~p2cXg3Vq#EK^22zoL7WZ#ygzGw|r)TE@>8jFx5Op8eLoL?c@2JtPkA%vu zl)ewq{Y7(7hb2nDE>s&MD)$$HIBCl`?(#)UFWJ2ei{#3NSO0W+vOctjexa z2{5SBYy8B@N?eV;R>evIRf^`XM>u$ma%EO&V49WtjnMf9Bv2kl`?|Sv*xX-)WdJ~T z1drXI3rm@(^I>mp*cPDo42w*xD5bpOU1fbWMzhkc7Ly<^g^6feVgrB#xxEZDI8o*4 z@XpPmmN1I*5h~4$5ms|nwEL-Z-0y{%SLW_c?KI(1H!|{ysDKAN2AhbSR?#+K|LABb zHIS{ewaa7}f9@)I8G15COUst|@Bild{P4TO?&-lI1DfCu$p|rKzZ-3B^?vMqmvqm& z{q}LvJG$y##)X&+NMa)5fg%wjSvDPoi*@o+!2qKMF(QVh(^yVOjFANgvGTT?&%;GN zUp8g*!Nva^6FnB|Lrdc-fs)>HRSEH|Gg3-8nW7XUs2!@AF_ILyS>BR~;^az^=)+yZ zyL;Jx;SLE`eQPmnI}`j;A}xzRlQmxy53yu2`y~&D$rWY7^19H+HolZut5;fu%=(B0 zcPmV(OBIB0J3+Y^cKrLSEF7V;=>h>Zy|F zGf`KqfaJIech&aNv!?7D3d^=nmE2^YGS(k;Z@Uw_r1d-HCT|NF;~ikdlu*q(n#(eq zjKwt(diko6Ct-l-c?#i@nWv(9fw^Tjn?v|U%x9^;#^w~>QJgEa8=|x@z7a@jGscXh zE*s?KGf~#6Jm!opQk&TH>|=^o+l-yOrNV$0*;sU#$S;=bmhK)U902|sQEq@7gh6hT0=JuNA{MPe_3IbQT4PO565s1G*#I?>QIav)}UkOdJ^=#8;ztr7}( zN9Z%@twhI3LrPjsZntHgh3q+DBG3dWW6|IQZ?Pb(gr9^IN3H%EI zgGOw00dQMH$zi>(DeOLNZ1iE*n)7l?L$W$Y$EO=7BMKAk!6V^Sue3+ErgitoUt62< zG$Co`_VqDp>93&^y-41>|JcfS^TijhUdK(A$qT!Fl{-(qShjf0i^}ry*W6aF(fddD zSrBV3)eGLIT6@F*k(TtXd-({GCuE%?Yu3v@|MS1B_cg3ga&EWKW8U$F^in>(^`BO( zZ#Ls+ne5eMDj%8g0JA}&u!vuAjuA!yiPw>a6vH+yS{cabM>h3fRZ`41TeeJz#0|}D zWjX89?w9X(d-LJvt^zj@s3d8x`T4hs-xpNfxNEKuCJl5)bwx;o_kP zrrV3$r|!pY_r9B%Gc)ARaWc2jz+=7R#x(J5Z23svO#3Wx22ST;5!=9L_6^|I;LncMFVu0(V z?q&7*hi^|$lDAif=SLq-B-sA;5GAw~zM-CE`Xm=<2^veO&_rDF^GX!EzC#A`XH6T< z3#@>j=Q7e?#5;GbKTJJ=M^FKQL$^v&)~0G|G9uq#)E(fCupJqQYT8W5%<-`I>MOhH z#(PN=vtol)yg6h}ElLE-nhFhYW`ui$HeQzf6{qxDpUyHSfZ#aREd)HU8q>}d`d^y! zEBzp7>sMdA`mg+N|1<`<@Nsm=FvQq}p zNq6pN%d!KCV2}V8?KufdKE)XKd)I6>P3L!52uIyyul-U~IkA+NtMU&%3JQD_{3?sQ zwoCinFy}_(j7;a&`Bi6o0O;Lj?egLF8&Z!Rl+IL}jLMzApyfKj+RkqVi_UM+_ahiC z2*mUN0jhVobRV{ddP%jVS6{r84x?u~zw{^J#uvR_>)q<7pVsbKlx1t|zGxBAh1XEF zK{X6+@Y|xeb$jgGZE5QRR_n-L(2hF*vyUX5`_=jYb?cU@kV1luS$5<{8^`Ap zzfTpA6WzO;yai_D5^5^I+J$ydFgdr6+eq!WU3ihYV`0UlH@9;?^t-R#d@bGC`D>bp zx+V}5H{n|bNBJtW{KpK!T|URqPUrKoT@2@K%tv>1QL=5m8F~Mm+*!8Yl&b-5b|5YO z?cU3yuKQODf3Q!!`VW6B1_wqK)soh}+WCv`?ON&7Tj^|mK7eWdJ)aHjSD)%3WyZM$ zhfJ!P{<`N|Ywr_JnrxRTpxi%!^6KCFvE6^-+x^TawEmi&eR@Emrk@#`tJIm>aA%by z|KD|N^kx_yyWQroS;&PgEpPkFJN1xfkDY66cJmwefJ;~(3{X5W#Ye_#hpL&(w=-%!7 zVL-lc^9x`Nd+*%o4`U%+j6zH9bZi^qqO`BeHaNQcned6jtbW-1b{q`^jx*=x zOvf`9`hPsVe^7~Np{+JCC=Tv8Z*p!e)h~=;>=~*@tLK2&Xl&m^744Io> zr-11(3#c_gVz*4bcV1Mu*)R69(3S4m9R=8~5lpF9$xF*gg?o!f!x;1*w&gEq??^(l z3DUN|KR@}tr&r*Q5>#1##z!d*fC!1UPP!4*Y_W&5$>eSlCE?hYBLpYT()k~@-8(8f zG4R*9T+iK>QPd!F^};v+jj#{WZX0g)K~*bmS8hD?jvo$>zU`jB-*_|k|IGXq$sH&$ zqXG#doD_imv=|Xvx?F!q4rWZmpS;J-neNvf99^6%{5k5zy0gp&cW(p_@IGIDSPhac zsgx!0SP1*2esc+#&MVPBW1116S_DH|l=EcIM&JCGZn33^ z@YX1QzV*sQ5yJTd$~Cie!j~zPIQsFcMgc?^KnijNQgGp3=$kSLb1;Pb>t^{h&ys_rF&;FU__v!^ zM9B^(X;}iUn9lF=VcEdX2|*j=vySh+fc!!#>CR-if=C^aj`;Oh-$c2(y@e$OGBe;{ zDNhMqA&e#R@JYkBAPNI)Gk_N1j)5X!$D-L+bkdu|HL;IE)=iYx&#?aojNbfAaFbOLL565J1fJDy3c*OXA~R28AW_&?u_tBxhe;|%9m4fYq5<&8W6`v z6tu~%AZ2V%O!~8wi{$I+Qd}GTnU;?DvJ~GCfV?E;du&l5-c-wi|AFnWURO_kNk9v7 z$(4EmQvQ5P_D1=H#`=fU`QmWo)5pvg@+SAW%$swx8A1gl|SYdJg^e@-2-syReo~YGAK=0G=bIV!{>6rm+<$NyZSSCg zuumfPxmXm7?ZuAiL9!e6acjXJ%+osvlwzmJmN)a2z$4P~Zko>JuZh6Tl_5m#&`yX6 zIXFmOhBAJ*!`nN5gSN;Uh#*-8J!*G$Y*#wrKa(OqXOX&fw7_U{5O692K}L~Kvt)&n?dt`Wa8HQa*jxS6##hcp}gA1bngBbq&sDi z%e;1*l51bK(~k4~DIK8l1Y1CXPBCqU?t}oGSI{J4OVNU94@qO_ZVb)rMb6O>u7w*M zfT>a}YH@5+EOv~h+i=_)Hxo=RgL>|gkPLy{>kzkVH^8|F?1ul96k`mY5Hq;D$v&dc zetCltl*{n@E4>PW&(9pxfQ1GuKx9i?QqPH?ET(MClsB zzzm>xRgZj_dAJwKq#3nyBkyj-!XRB>9y9$Ui_g;`8k$3RS3yRLLOhae9A|TcXg&Q6 z&j2@-<@I0TFPW0f23iOl#kOnXgeBbDwbR;&B!_CKJ0vGha2&419zqqy)iHUguihOV zAp#YYjd7*B`QFRjuUoq>lRy9S|6m;<2R{(^{qE7XH%Axez5dPN(b37Nz^j2;DuZ2y zV^r8+fA#ejU%rz0%yzg{m-B~R|5zs%Ke`+4y&~`NoIc;DgIP+0Q&xjm9oNQQ>vyZk zQ|IODuXgudn#7szwKH2$hPT`c1^GhKIUc#i!QJCN%jN=TAE8I$IpDbBdX~%87!>Cd z%MgQ0@UHOQ_$@^bH+SY^POEo=n#}mU8fB+|+YvS0q%-D!BEUE0g@rO1JOvX$+F|9> zZ2cyUzxkVn23=K4Ez)bX0&3O{RDkIciFA%s0qagW`st@Ind50TjRc;eUW5PeOLTfG z3Efs^Rkn(?JJ09%6}}$&VHog7_XohaLD z0g#=?#D39!Wovi$>sMdDdGq?s zS6YHUk_<~bIpdDv73|aHK8sy|G;0yc+KK82*5-$6DSGBk7swj&(RhT4j_65i&$;`G5Bgz`8`i$nPT?K59FoJM%Wm@S z^0@CqP>e@m9(7FVsFM!od1pKy2}XU8JNInqc1`T!eW_?su)T7G2<;XFXU4(oZgYd% zGy}NS=FkI_Q*<_d{OXO!8NF%miM-)r%4fX5AjD7q+C6=9(-ZrXvN{1F6DPXsQ`KFj{?`4!TVXB6bDnwlh+J%Ur2>zGWOJJR?hAPM^TQZh>|d2R}*3|r2pdx_gK2+QJ+-`kJ1 zXe%^uxv2qXLl-z$*V?gKVt36P`O9+2Q%s6$l7euIq;b?RO9d_PhbL6^kjP=_FD>=d zn5^8SdMG9lB;Wz&%-V&8N8((K59a zqn}4Vy-c>BaJNgoAf?J-^HPjE#yI$(4u7C^dK#Lx6!H$c@Q$oEbgDGAQifL+x5RY_ zZoNAZZAkey3=%?EL>EV*namo$$ zIO5vl0+Z5j7HKFOnpE?_s1MD-_%EfA<9a=4Gce7CcVQ;2-k+I?8IMMtNJ7wbU2<)J z$>h0LDnC=Lk1)T5nuPU961HP|vcT!tHg)MqU>!jqI`SQ3UE}L%nquX`N>$L}BVA~; zCv}>5N_lu@w#}Px=4n+ELtij~3Gg8btO!u|VgyW5LyO;)K*2ci!ld<2-%j4Hl=f=l z;G}nADsTCs8MZ&Hm%fAfDSkSm9AlXBG1F(1!Z7@ulutUh07yW$zcZ~f<+ZZFYSS5& z0e+Z~45*E-J~rD6ONg$hcf0&D1G^;41KMJtpsKKQJ72ai&Yk1qZn^8WyPU1 zXT@j3twspGAdlb+cFX3LR+aETPigiu^?<`tP#msX^4n2^QyZp!)PUE76fZ`SVx-GV zD!P2q<*@NNCq{A-6A-rf20gozt|s_fl4hZxMfQRbgE{<(Y{_|+jHaMmc3pD=FrVvr zMx#mcbKDr5Gq{yRw~?1ps_`bz2Rctq5pE%9KTQU5KB1%G$5t4|n2V5@j`Cp|aa&Sr z#|}O}^6~u(9|1FI6}Pdwl`+nr@Cer|aFZg{O~3b9Nd&NTHtU{;h~QQdHX6Q4ZK`l~ zQ!d<#)>6LI$0sFHInOnxYOHKhFDMKY8aEBEzY$L{OrFD;v)c0@D51Sf6G{ZDb+MJi zKTGu(wmfVz$cwULOXk$%%hGf!KF$j=WR=PL%YOW3@f0u>!t<5k^)j3~SG^H#Fi&+e zZ7Y$fi94V!TKJK1Xdq=2=x8stox!<1+u4x~2BS4La|*MLhoDkT(Y7S7X0ci-+CQGpj`1 zqVRO_C|kE15HQF1WkN(*1Y)QDy}dvYfv7|T9_u`QdIUR;U8G{|({#ZiBBdT|ax zq5g#`>Ln&yX=B^;$8);$6?j{Epa@@#yQ8Ac*87E9%A9DbePY5fU>sB0+*DTojARIY z883?>s8>B^vg2d(M!d;$j#xkUIk6C)+EQu*GO42ud%}*1vXgrwyDDGnPMay@gR{=X zQP*D}y=$v?g=g8f1JxaA`fjX7m+O87vjAo4#Uv_fROwn(7lT6kR$X@sc~t!!Nsvuq zNP6Yol3H_t`4`lS=ovGxB=1LAjo1niyRP4kR5=^_p-G$e5BuFCD!HCr9G^tu!(lB_ zR#|qNDci~!8`zBu07Ka}H>RX`3~Q;m0bR6z8IXxspAxy}Ql>Eir)PQ>RN>ko!y4*4 z_a!h{X0mUUqZ_wM^6?W&K_vw%mW-PpQ?6fZ78+r~K3Onj=^7$0H@Dm&y%AxC5__+q zHWEDOX@d)NCIFc`XA6z?#o2Ywo&Utx_Y9FuDNHS&Wg;2`eCn zgcFa7Gb;F8h}YeAo6M7*_|D9TRMdGRfeazbyOl_PvbdXW(s@y3VY91Q1#-lI@1IB1 zlpGyXL=AX*oCh?Ym75W4&u}wz1458j`P?3H-ig(sZo5Slnwo7U#Fj1G&hnoar$ORq zA$(rmgNe8VqSAlk=-+N&JDX>thMpW)*Ekp5U_^~zjSd+e!n--|Uqa{4HRFCh$-o)a z*s&cc^c1;ij21U)zJ94)2jp~$1{XyM64Bf&#xm31m(mySI9X-Wh$vh+vip#7#KK<*awOL&clsmpYdik5a8st3IfI6ey-cC;WhKdBJl)Sn*jmFW zILao=)ZibZuu=Q2h9B48;C^Lb1^psscN|zk^fi!<%d3cz;px^`Dyx>Pt!V z(hZ*ke}zjz*hL>*)As(j5_Lp1q?SlwN$u78Vqx!huL!yMuv5F1-D_ZT!P~7lczEvb zg@Bgt!F8aiS!HF15l*L(932z{z`@hh-ARlCNyKgINk*&BA29qqcW*uy&*ytsy>{S< zak0aOXNVVQz%s@AamK{aw>NJuF8clM*@>~tTNQgMPq7m)L=r8iJ^fY^CU?^qw%yK$ zX=ApDElp=K>DXY0MxWq*`kxbTjd^2;>!!HiVY5%YuOzEY7$1`F<*mRU$X+0aiigB* z3p8dfR*iH*dY~S;ol;hQuagI_lRA-jZlCQy$BY}x0-tVPWy|WpNBcwUHJKGDWI78U zF!E8vlisB=i2*N@FD1IiK&;nrWu#C*`k3cN=TVASxmMIySB`9zb~l^|<{|mbNc|0o zM=_B=#(fR7#1HdSI-7LgiU(kyA`ake3v!3Jg9t_$1)SYuH|fyIp+p;*x2G1IMbLuq zW_%mBA2{=5X~Tw@)@ZfT<k zu}y-mo*xYF%iZ11I3E>zurBW+mrAx{2^jzh!(2Y+uo%yeg*n;I_RR!J=++H#7q_FS zg>D%t1aXQR*5QgcqGvcRaC^ap#D8R3@YU|F8q}B+`x?y0G!{@D!D|x7`PHsIGjEZs z786OOuqv;yC5oM;9RTVi(gf%ABU0tiTY8+Kai8?z>f`2&w?lVdlD#%qkkrA{G-6+6 zx_L^n>A)FE!W)_l=Xs&qwsyCiK?au4DR|xTj7IY8u>l5fi_^!D5wTfop|O@8lB_6_ zfM1$if7>N5J6sbp2!6mudwP6jNC-?{xi^{O)hTd4Kjjb~bH-k}y_k_2ks~5zRrg?P zPiD|#77{{|ly>{YgB(hPgVJ2BnSx8>nR1&^$M+8xX#l{v+%$m+Aju*Eepxr}XG#>R z2blH!B<}lG;yEvIsv$KP)KNIDvhdvmzRL$9Sij0g+dKB8vtm$;2;EsUl?(WufZy9v zodfJcDyP}j^HG0fM2W^{tSmXkrMj9484&r@7hVQOt~NJ(j$%_J*lroIn-mgN5>T%4 zq6+V@fyzeRc6nJo6XAP^JF$I1MJBbJHAEmf!KDzmG9$2vjbE` z6sDAr1sKj_LOZ`*S;*pu!YI2u!B6Q|v?fu@}BIy&p=@-CRzjQr(hY`KZvHiB)Ap>jt?DFI}% zRC&6rjX7)>c^x<7e|w+a7RzW-C>+9 zaVqlVv6uvgb14bW=nXg8ZeMPQJ7#4fDi= z4+mkf%wV>=qZq~I}^4kf&ma2a`hx6&4+&Snj)*x9NNqJ!5TBn+f`#V-Q z*9EeiyI+V$x0I2fR6)9wEr27P>v(oM-m0v`u zaJ|`T;Jyj>qD-Va+I9HJfR_Z%9Xp1*TN$DPqd{jh_}G~i_xRsO3ByYmZq(M`ZTh4j z4+|YKEQcN2lHfgl`qm9|r@YIjG8|2h^1M@cDh@}YB=C%0*ULxPHERp)4T)C3z_7S+ z1sqc5{#Wpj_&dS5$};q<bWyt$`4~UJQA9NCTMOz~Q@_>+|jp zogU%@$M3J4!$AiX=dGKaOVMK>&mB9WI=a#U_7{=Eh#(`mR;TlHZb*aRsLBNAUvbxzS+*b|hVTptz{kW8d{Xms=B4r6SsL zTwpU&$t=i9K62gWB78(!MVSvu%MnG>LlVSAU?u5_{2Y{8?EdoT0!3epjwd~FhF;kJy$|+B39y5-Ns8>(WaAIT; zUFf)@v!lozwCWk(d59^DfLoq7P!NcK@$salu!WuH_rvnbXe69v0C8y_6N?~Fm{EGt zCq4IqQUs95YS+wl?%06eC`8HV`il6ca6vNepuuxuwXTO3J?9#xvR-A zbrC%{%0o^VP_}{)Sb9nVN(i?i^?4!e!TDn|`~|j2(?^N$2|`5tBqf+(3cFZ=C2m?3 zV>M9k{TUF0U>dMt8v@1>s~oR|^P73pMK%)TK^dcjXfWv)4CAh73ssQXoL$+{JTqik z7cllqO_I_Ov{4dhh`gGBpD^j*Fmsu6LCY4^&4Qg}P%DOKD;BUkt4^vY+@W9(Z?c(9 zZ`ic3l2XKW16*vrS^)H68I`54O4*N_*9fL*>?8niTh*gNAW#`DPy#pF?moZPYj5%> zImBhmeudY;TOW=_aR^p*Hl!!MfIM>77b{c>)_)KZOI{U69gMOfLEZ6D;`G$)LivrPRSVX>S!PUj!2ab~`3+ViK{jz-OjAtu7Ttvj34H1J zNEFr$KG%%mkOmjsQlxd;k{hw7dkB8nrWgh5^es!0fD z&*zGor=8y!W&CfvmLrdn;RblqZpQz_e=iHfXH7Wiku;p3oDSaj- zQ^CRoYE&v#5ZlYrFAOYQ1%A_g5w}pW(z7tP35jkeM=_K~&^WUEzckrLGaSUy6o16@ z4WV8~hlUa)V#+d2&YHoL$K{yR8WmtnsL9sqV`H_}4POhPn?^uD>r$Ax46+~?Q5DU8 zgd#BjN~FUYKe}s@?FC||djvOvv!@Bg^9XK}${z|nRy67b ztm?7j`UEm$0$Grc+Q|n*vYSRMLMz;>iUzF~c@uKV+DlZ#{_Yn@9*E{GKr!OKoAkOO z-RT(m0&kC}ppch_SU3l$Ct~PIVu7afvM(wYw!2lAB8jI^kWiiF8lk4g?2f9?XH8|0Vv`n^53qeHgLZuR2&r60}?k9fMd z7eb#-Tv&kiT{pk?!EMR?hu_8|BF#uet{JV$$cB@Yf>DsPLzxL}aK5Nl>I~sITdno+ z&_k-&3e@WY*OFVF$+fPj0|BXfMK(K6Y|W>(VQVeChQ_UPqZ(U}6|0NkYe-x{&4k}< zYre*{r&hU6Ybn~cn}jzbYzz^)!cLJ;FDn=VZv7Y`?(06CYv7vHz!Quw_mAGYIodc% zXOf&vPEa|NoEEnX*iOZrBPs}kQ-Rn?MH-<(j3gjBRy^|7T4MfaKreUgR4wU&du5&` zdO_fcxAy3}Gn{5wjn2?|)?!T)Sd&}Qv5o~@kq+E9@8uR!<4DdmWT$NCna%Xu9*5h^5tI6J>C3Pa(Kpzb12(pEI1Q47H4E5H{IF-s2i6;Hnj-rrmX9m}( z+{GZpIQt@B$~}d9q7fxIz43trpE$9TNk|Ms|m=td&3NaS$gwhf_WEtZ^mS1q`%ke2mJ`6S4oSLlTz<*5mPm<(rQZk+? zcyWG-%RwQ7h+x_``dPqTOyVY@ntYk9~GX0`4$|v5Uk2dky|>(;uWM*;oQSg`(v~a@|cbS*bfB z1F3h!7<9)9>9RQLMGqFD7jjq_3SoU=0r5^)z{4efcm1han9@B{Qk0^ ze1;_BXHqp5jx98DJ8^!&B-Eks-E*%i?{^5#$d(FZOy1$28rltz8!5Jz8mD+QG-aQA zcI|kH+R{T25&jkNYRtW=@uFxn=efH%G0xo+>WMfZ(*l{j2xk+puxDalrt#ly*=!!aY6*fY{pkFkI=LvLT(IV zrmIQZbpYuyJhRL!k6s6Kib<}BKB@zAvCSu|+gpL$f*UbdzxV=P66+Th!ANsMa+k9^ z73vtc6_r~qr*j%s`&K=}!&}z&%pgTlm?6s8B!rBnfFEaxBQmZSpsIo`(AF``vXWq< z(ym2pfo7zKFX5Gs%E}huzGTIgf_-WT3dUcmmM#k*VFqTwE0!E{+xfk7=bH=Uvn0AF zx_1Q0(VjOwI?hKeA{E>y*^eQM{5mPmGY;CPdbC%Q4SFt0c??*ul17Forbd$+mNuhk z=Ts!?g1?IGFh$P2%q{&NEDS3L3um`SNHujg_hzHmT$NkzPqOsEqS}H?irSWxekzih zf|<*O!=D)j1!b>hKwh}nMZ%4eq`i{y(<;0+Ve=fNNNd{N%3c#jf2QTt_^ixtjo^b8 zLn?7IA?lEs6s6=mxc+;K@5?N*t$FiaABvL6hV)gK_t$5M_uWzT0YBH)@doK#4Sz2qMxq@2bJRaiI`{gTGA>XJRi z@51@c$w|3-!c4Q$>#@eDB7IY?>wC`U%ICT=EeBA`dhsYQ>frEQWYt9n!f<@+9X157 zA#qVG5Oi27%q>FV$n|RI24s-mO#S+d!fbL}`f-qP(^`|b2vRf|Xd+1-da#<&1O_7+ z1JuTM%)gA-d^U4%n^qtQ&XHiL9o092vv5BF&as3=@^isoy%Ug z8FA)_YltrJhHiB=g|Kol6|ihJyF>hCCsmR^?7O!Ikpk(wPtF!o1m1V){ri4nEnLFNSn$%ER(8I z895bOO7i=eFbvD8oka+GR0c57&_UG{ud=jH%$zc1@-_c~_un9R*7lk53iF&Qxz zFpsFv=&^)fv=df1)uw;6O$SNqXzvf}oJ+SrqJM;-`9l;@&p)wp>2Jnsx2f(?oEpp( zdVO0IBU=TGKuJ+{eJPI-{Z)uOvf)Tq0!UnWUbTk6pAlwD^@aOdj*u;vLNfWY43!(V zi}*)=72QdVMA_Jc4wkwvNpB!cp}k?pH(`iIGPrbS(OSZ1qx7j zMUmVCu`z>wVtQe&n2L58h()5l$5=9Nw;M9f8A9Ui2A(2*mCwkzR*bFR9eq4{fn0jn zmjItV5_)?T%jWUK#W2aSbiU643INYViO|Nf3{OV_eXwAnQq_Hc$;PY*-PND6MbTo$ z#fp~Pr~9E5FclPx5J&_+_h*adoNZ|lGUN*@Wt_2lNf0aE`H@h-Bm%QAs!>>vFQGR- zL4=aq_#{!~yqYUBD=i(+Q>vi9E&-)$spZ>|!*}tI=z2lpc?@rG9H?9fr@?BnC9GxBZz7aHk%(_*;H1@1n_UM+=PP4`?1oIKWivd_JghRS& zR$%W;Z*ehgdSBrfY;+l=DC5sJiPz>+9#Yq0$+=zO#fyz%#j^@+nK%z_%71s3+_|5) zW1*B-#0vT=*~s@IkZlZpu^E=YsG7)?f%3_M!uBD>{t_Y zX_QBJvekjd$c!9F5&S-IHRc8;tZ}&_8;BtOxUAB4=t?!KSq=i9sJlElBW^+z(4;gW zj?B65vE6x3sMH#KEujd(i*_7KVK!>DKo+9{jODSfCy@la;#;Q^RPj8S`g}LJT_GR! z7^F$CcQZgS$|O1|hnQRU!<@faZ`2}r=&8IOXO=xPKtw#KpG=r5BRy~;e4QS~#9wpJ z^dz@iNz4M~fo`lp3vOhPhhRrtL;S9Vwvuh_sl*|x3sg2%1sb+m>PGT+;+$7QazL^$ z&c(&Znl`CcOa{vZ>Je81buEJcgs$SnV`ow9{3T6}hv}RNlKHBxLP{HCbd%kv!tti%JK?_JdnvIN|IlyH?l`XykL5EZ z9t)!+5os7WY*4M}rY->^Q1tY|b!rYP`NAm6HXt+cNt|+hAWu|K3vg<7+sAez*GNZQ zi4x%w!T{G!#~CWiXVf1desabXG}L6-<)|2rz{$w^mujhe5da*{S~6p5B}AAQHMN`c z`NgiQ04#+9TOGB)hvA_D2($52h@j0DP^P#8Ly&eGt$16>)}tV#khXv?OX>kGnMlG> z<2F{#OXtzY9YU~XmCN|?Q7n^;TYSzq{;hgS<)2n*c{eUw%!9XPw@}&42Me;p$pZ^t zVV!7^W(Pqz7|F2M^!*{(v21yW$~SRQz<$gwj8bw{iSZ{fx9BLPC_rkGQe$a$22ZFf zxG%Fmb)4<6h9sA|YsgQ`CH!Ie3Smnh-nT^}1O=O903n3|M=LmzaoADWP_)!se0-l_ zz)Z4`_a?l|egMF=-A~=TzVUatVKnPtToi+J(SA%PqoQfsX`87bZW~gvmIyaGHY@bn zs1i7<zM#~Axk~Vii zj3TBSCZg5~XTI`FA#kumn46Bf86I*#eO7FDR$(L*1O71Bd`~+Xi^qe~r4KbJDwH0gIxK(84-vhmfYK{+zoa{$e1(*?UbWmlfYD&iYxwf);S& z4Z^DZ;m1lY+Bj#8tlIoC)vpD#AtL0!Vw5_?)x!Dd4}_Xq!dlgo1eNCIMy`&I2O~<7 zfuI9pG*NjsWz1L#IdC1~gyqeja$5!A1kpl*(Ngk8AteA&B~ADE5$Q)N1?G5+ttztj zH<-{ow4`U0H6Kv*CtejAurqa-^#x4BI&FEwiG>O8{3)BR)ZsUzUm4gfJBROXzC+Elo3$|iY@ zuuD@4t(=A8o^=V9RHE#ae6>|lHr!VfG?f&HdGj?Zo_+vTOBUYz*W{nX74c^&?kX9W zthh7&CK@(JWDbw0-;Zbw0zT@TO82IPe-yD`>U$aV!``y`=7YLSO$|W>3t^HaXj5CcWWd!(|P02>&24L`%*ZWD> z(R2p_0)cxXIivWxo&l2nflgJf@}Q**J)Sq0-y_Ypjx@no^~(G?u;aWKtqrP0+a`Sbto z|0t9h2I*IjFGhsAznZj8C6Oz%JHj@`agd@CyNi)!DpteO)_{`D@5j>>1Dsgi>6qfb z&VpWMGbLELmmQ~a7Sht#H)K~7KUXkn;9?2B>{b$8*ok58IJO8h_8SMLLk%O5gfLRW zLyzJlFXBZVcTw<}iwJz+WmOE=osSs@Qu{PYvbEdfW zyjqH8P+kUo9bo&5xwFDM@Em4|b9qeSAOh%l5P=O3Dzov(TSjI+Qy{Qbjv@^brSu+S zNQI}sw(&P^Ckei82p+DHI%DyMx06-l2=5qQ9s3w3-74d@lN2$rf^qFWRe$4~+8L&d z!koS!-hi6dCtf>yri8ohW4ve0vFTwYZ@>qIjI@f-L=AZ8m6Au7?qM#h;a^}p@iAHA zxDZ}VgaopMrp`R<+RWj16+-B1~Ew*~49i3;1b&I|cFXGdqc zH+f(tEu*@hWhw&+fiU)G*FEW!xrj-cn-%gEd_`czXyISDAtT*Z28&Zrh)mrYo5#RAN5 zNb6z_Xxep4;+GLQILQjIzSX!x}}ybB|gL z@vRS6#OO@_9Q5F@Br`F->Y*?Fl{W|XrAL*KYuL9EUQ_lwHJfn4L~u`z2?t3LM4B=5 z>U9XzQyxO^EH6U0-r8yjc4O*U(?hr1Mp$qQf-!#}U~3qmivw-iT8&xltDK5a`;{RH z(MSHa?Lz{BQRc?`yWYjQfM_Eggi2Yp)-Q38DN`dINW*5Xe~VQ=(%k5)hii#%#Fr^Ym6zz-yl zwn6|+-K}O43)HZyJjEi@nqjIIW|0!30m$9Msd9iSnU2g@@(-A7V)K*Yy5R2#mx{4W zP~TKO@@eqeLsm_W5Yf~)At6-m|5+rD%U6il*M9RFz+RK@2SbG4FN^%S4r;)7+@_?!&_Y9j^1q8ib_q$hZ z(^AtV`5<5s&tw^?$OefWYU|Whd8BJ9e`Dc0Bj@BJgz=NWIDn(M!Z?iIOd>sx(irJp z#3Zz`_@JEyeHwV_Mu+V>HpoXKK85@oUCj`tTDIIIW=CJZH9{a~K@8$+c`c&ba&L4c zI00E+LP=oB?gZgdRT->5Qfc{!-u30>#Z~|2-AWe|H2g#e!k z@hz6_XR%Liz9{LX$zP#Uo;lMR;rG78_`yIc1RF4XK-;7-8&vB={i^u>Ow#gt)r0ug z|IxY3u5-&#C3GCYdsefk0LIex7QMob6>5c}5I)RH1o5K?vft+9Xe!2Q5lInqSS$JF zx|4X1FZ$-|vESPU_PGh^McLeJIzYNxuk_U?WQ+AObumqSGbtXX{tc+vfThJ)T9vMJ zry7Eh>VkBn!LoQ?mox;=5qO;)E1i-^QjIA=DrGciBAzVTt5EzK3l68Q_|&lu#J=o9 zeVzxQ^gPAr9Bk%ZZ3bZ=IoUNzcOYBNC-}q-%7RbBGiq=RBz2|QX9zFIM#Rh7AGNMV zM@HF5FjsKCMg1m`qq@y#yIN{(OPYdzn08!KQukDMa=ZpMUYVPNQcZk=Cr&kqH+D02 z7Rj${C2L7C55F^Rvq+E?A|5Fb(P;^Zz`;|Mvd%Cj7xQd(>3{al*=`3CY=n&`dn)I@ z@B)g@$GV)V%q_#0jd1^lYRX^*Y9!Nogd+Q;Dm9{(3dG_nM7r&)piq)f$)+L^YGHe= z5LIF{<;C&UZa7hfX`uGT5)Fh`;aii@3k^y)L=r-Y8|~FAjvoN{=^QoFbBI0LJODm3 z>bL=Ag{%>;*T!Y|WC2o!?)K~GyM}wk`K%#A?HEBnTa1EZB;vo6_K*!IH*16v5(Tl=z@{O1C0wS zxeG1O`;z7r>AzNkplz2@eqeY{-bjY9P2@{0bc-WdNL_3xCA8J7tH#Ks?#^s!G8cQ6 zK-j@S_HRTWwOejWh8!gzinfSMbJw-O+T>2BREf~M{Ery1Cc&@?-HPIBc;*3kqp-OO z4A7jM+{^k{QjZnfV$1x_*_gY)RcY-)N--{OOhz^95vdg$@S+Ur#5`VNA zCh7^_`vcFo!?e!T*+q!9rGj%Xq;}J=57AbN&J>R((Jk7k(zv&Yd~Rwhsi58b&r)Yy zFM+E<19}h=ZH)^$k`@}pk6GGtS`WOFT#2&UP2JD z^sBOk&?>Ec7guh0#xNDR2(eCmQ(juwnsX29BRyb}_EV#@3PAt(!kDTwM0d{VCh}p2 zi!1;^5c+TW4Hl=5cp(m3UM7D2a{9s`&1Mf?c|0(q z%A<$e-B_yM1!wwCowipIl#rT|3gA?8r|8I19;u%93}+WoyhW*I7QRT%G@1v|%V7V- zljMTjQ4<+MUwLb|kUK?0cgO%EA)H_D4Y>PUiCa=&lF^;1mn6p`a&X%kVp2!#f$iI_vKe^-tg2A zd9|p)rU^VU&lqrQ#ubJ>D-)GU`;em= zZi=pFx{;NzH5+mXN!KSDEcl)%U1b`JWnQ!(vCcWGfP|odBCuSQf?zX|&TGWjfUdTa z6H$HULaPmkB)MdKHM_$hs0~e1woqGY<~I+S^Xgn4U6tM;W_3o0OGcTjrIPE3Rj(D8 z>+DCBY01G0bl9#xEi)q`D_~2~OY*c;`yVa#5cmtkS|ZM}$R_L-0YOp~R%*#R`OZY4 zow-F%ne}WjCv|FB5yu2D=f-@l)I4+%oz2AOMjw4zUW<^F7&gMrHY`sj*$3P2%A^y%r}est)<6V>t)4( zc;v}Qs$G25O*^@;Dd1^fc*OgsV-ybbqEbQ4pNpDWEDQU@ln_T#t58229(~(Af8UK(MK5B1R-`8}LjcPZs}UnY9h71%14pVw zvWXKi5=*MkS0Lk(_!n|!1rF4le!-$9k65vaT+Rgx$Bj>Api?eb*58t5OpsZOH6Wz# zHWafrWguyv;V1Jv8#)g>op`Jdggwy7?)gpk{rSb!$+0+?TZ!_T5jpl~VyD|XJ{53s z`2Mhau53c?=YM~5@!iSQyVHyB*EA$VQ!mR@OoET&9#K45$xWE~FB|~(g;=Rh0*1o0K)fY4Eh+{EEbK^xM7Y>J0~vFu7UuM# z!0HtXL@*jhKGIGMQ(8; z?o`__X=}v8m@_F9Vx|KjbqXp-0L{5qG_Wuxw*H zW3`i}G06u(o>8|GuI5~)Wu`p~41Eg2@&a(xqH-O{X+Ctjl2_0{8f?2GnXiujuJhTBhpI#%7kvvA+5jsyfHTq4 zI%F-^agHC5n=GL&6-i?^*Gj$AqXga2+)gfWEW;qtpuDMPL_~X1Ef>lC_|ipZGrG1X zF{YEDSk;`8;uyms_PXz{`df*ZWs^z;tu+Xc1f%g*aG;u~-V>lsFaOQwp z4%=>%_IMhwLURr^_8L*yvNJQC%i!KTk3#pW9iO}RLV+lF=XbH74FJiAmH5~I=rO69 z)DLua8sAd8-VnAl836ZJ(p-0hEWk8c$z^FM&WrjO78b#aUpGO|w0u z5_bG}1F{vKAb|&6L-&fVSl837L@qpB{hNf5@TGILzp0e6kQgQCx@cS}u1zrriK@TL7x2HcD~w}n5#yKwt4RATaoD%=*jGe#t-y3@#Bva=!iyNhiJ1S{2XVbq9`6xG)Gi+%|g z<|iTrqaW)NLQK9xF?q?k$9lsR$jwAqd`R4|K+r++J2aoo&QNGgNBH9-NF|TO`c)!9 z*tSI31Q{mawv@B2OV9(J~wu-w7s7Og{Hdk`1k*AQTp+$}be@r7r z+rm!cb`!9P%UiR8cJ9_7q-Ao4@)-t{Xj&;{Q=*u>G-yl3losR!b}z#!iBxi2*04tK z??hBQrtlNSNGk~N?BACsT8v>Z{!pYP&S_A}_VmOt%OchrFQJXE7(ZxuW9l|oFC%Q! z(NgzlRm}o|7;P!$savdG3plUk6i$x+d7$X@HF)pQmpMshd&DMQG zkIOdUyPfEZHpn8E9?lLE04F#?(r#|ZuCGp$&;31`V3#hFc2O=skKv9H!+jA=l!wCO zy4zcGY?DLyc=_ zszaOTJ*l#-fyt0RRhcbsY)cLkRG2VHrSXO_9w-@8=?enlt(66Zd@>4z21rdbgH&pW zv@21W4i07K3qqPf;zz=W z;#k$d_T;AAOzSbBKSSLr=4lXe2U1@<6#Q=2EjP(`*0!LUcD+E0CG)8Uz8rX_N^VsH z^VMY1TBMIHtDHD!`a$vE$#glW1eQ&D)m9BUh~_8=cDT|Z-jsMT zDou-?! zpniutV{Is-5CokME*ZpNM&nVurrl@GZxx_FnH81>g(@F*lksZ7GN5g@BxjUQ@e1Uc z!Q9!nc7!=?2%ZB`U!gU&n$Cj;Q>ny>++_mbn|SRgw^+Id9TXoKLE&k(k9s+z=DMTu zfchO$nL)T9Y*Y1&yK;wUKs=@9}UNgCrm6?0A_HBzqIO5~VQ zo#&8{Yk{Ol8`sk+i{j3=1abZbYHzp90%V!l5X{m-~-{4SS zHF%4rM4ZlOO%Okl7B*3$830R}9EmM58dd;kb2VHtu+0K{>gg#*i83b9knJ8fLl#**H8I98iCCK>A8vOkOxl!} z23Zt#XI4o3QWQ4so78oYD)~F;?XZHQR45y9=ffOYMSTh6L<1mcJNTDVsp6Ib`uQY% z^0t@KR&!XE>2xk6C_`jmVxNR|f&Ri5 zA)%DO;3=32dSf>SOO-)#i!jH*yjti+5OFdk+e5Da&3%7F9j}?8LD7Ysbsl1`;t4Aj zc}lTNcvjrre0=(8d&lGMfY<}$4M7Hp=k37`G+`A9^wXzULO$8wbkejXJmJz0+jeu{$z41nHNUFjec$h*5+ z6X#OF-^J@5gJt+&r!E}tT&Bs>Pnnp9Wb%WTFZJ6Sdm?-N^LHSpoo7tzXc2NK7V2NP zji5?L64jV^@(|I7tSM`VpE5(SHkp`$&A0uexl3pck6W*nT0gn~Z0rUpdrCLm`Vn>aEn_rDU z8cvHv$?+8U^eC5ObiBS45A(LU(UF1b-Dz#3$+|Pz(E{5uDt-MkaRdYW3{;>TGPV;Qj(mF@8YlF#M6d!1C?=5hIum7c$nAj!_&%e~#!xtnm) zLAL0;eEsFiFTOS$V_)Z`5jcAesi=l@tyqpmC#QH7@&+=n;nLJf_zTqxH90RN4W%q} zv>F<}h($Me5nc)Q3VD+Z^G?1+EWF2NLQDykyqfjY;cF(g8X(!ZKoTO^rxe zad;LQce_fX)9?t0@=muJZh?|`V6Ij<1qN{XE3D@3ZT5N}v_Ah1M2<7zp2DXh&mxu7 zt3_y!!-4>zNwI5+!vJJJo4>P?5$wP{X{sknMRUyq7_p7#D8T0kNu>7)5C+#{b8t2M zqlreZW??#dsVZ(m7#==c_9A#tkyjbhx2UZX1`+QOBiHnb3t0ICO=QFE9Yqc?t1C)p z8EIViQR4H$D6tR%$JnYjtCNIih0T3!%deQqo|MUOg z{y%ve=(xmaqO^m7Ozw5svPe(kko#V?(eG*KS}d84AnaD6g#b2g!eZolgi0niUAttC?W_Q8zaxr z%fz6%F)#0B0ry`uDomtnekqVTR@Z5eaTW3kY!4hL%i^yYl&A` zh+>8AgeOPGy+cX8dZEmG5zAs~TnXG}(j_ldYk5q*8sFlTYY%hsWVH9i7rS4xZST4< zW9B2NLRBelNJa50qAgM+3hXHl@{Ra`U7tSqjawI&VRpx-^iM4)qmldZYSH^pkb^T zxd}+h88^h;<$g45<~GE*fzQM2#BN>Rz<>@5UNLW6-e1=GFl6abHmr8hqT_;zEXO>+pl_ON-ugI)9Yl(`BGq~JKi=5R; z;35qwM)cf;^Ta2a1pLR&sEJXk+d?=am-T3X&MY)`B77=S&oC_|l{}V6yy5*3#mnKX zNGgkZq!0O`m`&@{dRCBwcoXL?gq##(fxE$^n?z<+r0%!KMFeBaNE3oqiAaWLA33db zIk=I%?jCpG2-0(vSaht^j<~WB>uu=hsE}f0clo7=4qYRDcOW`#5hb4-fTHw37G?t- ztKdp8f6}nOY%gtRm84*`ARG`@a(n(IVHqI@ANvW-h&RaMD4~|hx5gXUNjWZCvLfqh zkXj;%FgRK6$caYnkXu%OdnX9kTOTE{t#ChS+-2#*ld5{r7;Y#C%)PZtWf-@}8w{h& zE2-LE>TIE9WShmXG3+|TaE2RNoC);|Zn`MpEfEF4a1hRdCt?C!IS~HN_G^|*r7DG! z8wc)I;_+KC$U>rK_1goLq+BuB7bAKthIcgGUkM4YBrfg-b`m3{pIO;A1fpd01O?%m zyNt^d+1Bu`5N#r9^&Pn)OT}44MB2V72_|6@2qfLFwHiuUmo5vZlrG7W#50*JbH`2a zeZSys_i`sKld?mETxM2|8I(m(QBcx_zLM@)QGkE+E3lqM3bLiP&hs z=7?spu&YKORx9r$eF+F}taLfu>>wo#W?LQ|Ha)v^SP z-KI#ze!_$?1-F4s*78uy(QJa5{k) zKj0#j5>}bYOq~n|ghaOFz+(mntH$G7no^Kx*m#@^5>2pXH*%oGF(BnCx+`YIDvGLF z3@?C`+8}*AjP&$!Pi}7H)@}Ez8~o}3E} z8s2KW*iB?TwU281%i}a-6c$RKWW$j3D_^7ma$0&%_TImFm}1yLeHbX9xBPj+L@Uh; ztrFUxixX8svCnGsMj#a*Qk2R8Om#pQxx9qC%-AzSRNim4HoKPd>7EJ89PI8Xtu6Ko z`HT@5xr4~d?EFU?lZ|pdQMW~VR0I%(DcumDoBI8!UfT|=okla2Zhx`X?P{mLaGhr5 z!k}2*DQkf@!!;`HNd!Y`BCM!P&r!HrTDs*~_yY?wS+4BoOi05Q(mGqEXsV}^NRvQ= z+|+xll*#Y9eCHr=^B%06PxhNH!f)c)E+a38*-nkacIFOf1{S&2R(W|BA=y1Au5K^R z)ssiqG7VZw-bE90$5^|_Iy<||G%YRtm7i5rj(1=ld2pV=mBgw5N*|KDnVl1syNu4s z6l~O3fDH>s)z3wZ>>@d|WS-A&_7~s!@=oam*o@(1QuH+)wM2RQQ39(9(}}ku5zmOe zts-*`f($be1fWv5Ddk3<;&YMRYIICS0WWiqLdOT+3agu-@MvQg5Y)A)>QU`DE|r({ z=ok~nEFtxB!T{V;!o#CVX|QQ9gghsn(AMagF%7KGd??K{FW~e7>KjIk>;x-`uAx^r zC*^~~%PvXz56|{}#cD0%y)59m*7f+fJNo<=$#a4Z=|1L5_w4Zf$&GWrCCXz&9Wgx$~Pj|MJ_G`vX7uZH04joXnSkSvGaKtwiC$ruWI`u`Gt1 zISN1{hZXqbj2b7%N2b1_R<|y zY%0JJ6mMI0M8v^=Zh?VLoNK}ZsEKJ<3}tZ^aE4}!z429stQ$K%4hC5*(2((WPJojZJpL*eKQSX~w2)S@Cr=*FaS zG7@Zq#9o)frCB(wBjwULlJB z5VvlYuLf;55j&%Y(cQxRrx=!CV8Vt0VTsOYF>T!ykISM1-V}Enwuf4k9QjgAdq}ma zjZTQng_8*zbLX>2Ymk{RE>Sx+m^KOKaA8m$p4bs`M`8<-=5og}+2^0M8UsgBn<+!7vzx2#`w#tIWG~DRWV?kstT~O*%0y%&o}8&B8H=TtfitCqd9kGV?}mSDvPNP|xwVC` zHkkRM@>lIY4uX@9*|3MG;z7rK*%?U0tx87uDmV)^hD=Hv_@N~aa5UsroFe)rPq9ga zyV3{xMGc;pQvlB6&+=ACmSOtVhL2_!jC_yX> zKX1~Q81t0;;yPVYH%p(Ug(UT&2XNN&gx68wFmQbu(rDytX34X#Q{&QSXG0*JFQPWG z6#lXbDrcaK0_m05q9JQn;d&Cbk8h89zxvW0OQ52E+dJmP;;$%Z2|&3hutge()pYvg z9QfNcl}Cf}GOgQi%^os=am*|)&cDiB+mDh9TZxY|Q-4nhF~}jnlHmUsXBNVxvMtX1 z{-U7dC}vgfl*woXpO+{AdSsylnQuH*1D`bnIAcIiKt_y;%%GXrvD(_pCov(f?ULS&$?b9}iu+_qF=P_BUmi0H&J87c;A1x`5}c_fxR^9q#DFRmN2dG=l_(7N zu(4a~EdEf*UZlpXab-~{72v`oLd7am&?u?(VFN$TSir6dyBe{%W&U%NMHFyU;|s!(H{GaeWJ`Vm69^Y5=J{a8LF8!#q5-R1(z=*hby` z-H92Q4m@U(MX$&Rry2lrL9iAn-yAoJxidwMqYTZ$&crv3* z5Gyu(MNfHQWn$8-=xt)JpFbvbsg-Cun6S&O7ObikOYLf%H7aOTti$B@L{IswnsGD% zC2@RlhKNGhyWR(9i9}Fgx8>ZIkLkQKz0dZ>Wp%PfoOQCQ zwn8a6o_*{gOExO?yK#Hi)S!(;h5M2UDOStiyMoxivsj!}R|(`SMr{D`+H8k`d$(Vf zYhpr7p4Xl$}&$9d!=n4k!&gWHp#kt?AHSAC@ogFTR?|pA}9`m5d6yEiqPr<*0o8cZ(Lr& z=om}KxB)m@nl%RLybOp91x><0pi6XgczN^v;kPF@ho^^EXX+-Z(zr|0jLCpjk9;8I zc;p48j0LFU#o?g-hQ&p>Z{;jS&6lwfqU4O+Iq7a1!s%_$wM~2yLzWXHZngM8I*?<4za-T z=E=iiOtZHkdkJ}~k{%CxVE-X@W&2lZp)`>P)RTXnKNL$UXl*yzjb`HhwWDN}RsE_6MXNXM~W0B44hTL5g(trwH9a-yAT6FqXmf4WUu{dPoi7Sze@*$MfPwro2%Fv z>P4`bV%hRjs}^B-9(;YAR@nP0+wsN4S(BjOROQkTUeOJaJYq(%!6>-chVy*1yPupD z;z(k*F!=ctyQ=%Tqjeu7ex=F_F!#_6An8YF#LgsQLndzAUb)ACAJsyzq@_Yg${H7b z#=x$SdUFa(th_4RB*Nw)E@0AWR_M2tsC*`tveqW+xO3=767d!O;p~y2X5F462GHCX zWG04vW`1~4Fh%7?2NZ}5{EQ%+Fass3Yi3^}?a95fG+OTEmTteG+5)$9$!2g95dp{U2RyV|n$Xp*2`A2l>jr@!c)gP-#GUNiallba?#y-v2%3F$fh z{LlY6x&0{@oAsx1Ia5xE17Vf97(a`Z-?=76Ew{lljMjFIwaY>u#XgM(+;X*AhV;4j7X_l74Y8h$=MK|C zKe}NYTDBwpkzIB35NJcP#z@WCST{msNDc!RqV7y6;6&w ze6WSxnGTiQh6$LUN?J~3Q_&0UvdTdQK%dw)0D@tNe|URw(LX)DBGyl&RU31G(>6>c zw?mcO&JZwGR`&oh*JL6?avg3IetmU)-tV5B+#GkWPLBE)S3fqBU-$Zl{pgd5XXXbt z!iNxV@DbbG+pd=)AjQ=z`S{hF)|=ODscll8WXvZpUdGJ{veL6K=vZOhx<;c4RNPDa zakLURZM}=FI|oS%R;4?|Z60V$hrpnL8!a~i4RIfGk;qDe4W@)VVD)F|5%GoGPR4dlNVDMH)0m&6hF)PSW_)xWB3?c1)L`*TSuuYex5{TR* zNPRn7Ehl9N$j&?g$Is@C-Bv@IZ{(jwMyn-EFLxy1j0;t`Psztd)t0x_WVGVYi_(IDt8 zRiQ{pY!or$qlqV}L4w(l&sLe4z%&`9;;op~^n~xAUYvPPeO#GvnitM`q@adr2V5 z1fVv>1Ry~$0vrllVRf@evQRI>k^q|9vc!Zb&TxkUNF6q?>p;W@64fU7ZYV{jpvEP~ zg9qm8Ttairzf`ciW3c^O^V&DK&7Z`Dl9v%4GzcR5mriR)aW?)3zNV8sFPCBLB=XDH zbIC?<3Tfz7nQ~H6LO27a#RoT`r9=$&xSG(t2l5>KdST zD~Zp^7_5$q+{WkL8G#PdVpLf|l3xSe_NDWvkdtvE(WM`WLt{xU0?(O+WI**yhTABo zCGM(q*MN>s#I#k9^hH@079`X+;3KuBqmtkAAzw4Aw@d;PHjXVDf&%mjGkLz%j8pzm zGVM$1XB9@+tHh`b{s6ry0Rtr+G9yQ$OY)(RPNn84^989!4O7RzcKbso`{?QHkOYo2 zz%YW~w!AAQRzaU|r-Rm&+yV2)bW`1_5tCL7R=4Y%6-YGPxNq9S+x(k+bnxcu*RQ|i z^5A+U>gUE2iosA1@ zPf>wQ*sU5$9V0=OrR1B6?@;dD8H7yB1bs|X)-3j(3cI)oBVweY?yY7Bm*u{L66AEI zF*6NJp5VQyb_zXSQ2r0|Qb6Kfr&-GMqzi=mv7Tl>jq8#4!-$`$co1P9l;489!L z;LO}?Ka!xpnHqmo5CXio67gDPAaE9ZI@xI_SBlB>H5WeeEQR@|wRU)P*-dWV_AeDx z7I8B&`g}v2_*3VzPU`li=}xFhC)9w}tf0lsVPM;js^eyuM&&)1v8V>!RC}Qm7<)Bw z6@nt-TA_&94LP#d42_E_)30Zd3rRy*@)A2z04o2v2 z_g=oa*}FNs>1Fff-q-E<2pIr_q3^zI@45f`N-aWbA3&`(jp?!&FA3qwpt#o&J%zFb zgBq#84k`j~XC2AxwNRsk&=zivjxS~{^4|}hS{T-rb_|2%nfN4nwvot6O2}zAFNW<= z=j!C}`0T{PEET0pA7Hp8`Y{w=JLEc4&OecABOSC=Isi&kL)mT2$n2wS;-Ad;D>IeN z%1uGLp7fma5EfB#5yXm0`nb-GY%;P|?e7YAFmbU_pw+2Jep~wt^EX3&ihB^NF;q_{ z@T$5^?67}xb$EV!ah7}zw%0jrk3TP zxX>)ta~yaOfHf^s;b}v)tnp6RM2%|QAj@Ws*pp{znTxPa?JSftxujX7DT!JBr5)JpX0T@^U7ECN_% zF?5UP%BZ;I(FkYNq}Ex$?0zXIUm^gu690lJp9Hw-9HC!J^DcF)6No=*<)(L7;v^@x z$;FtC^-8%>G+aC})pgxF6q$_QIx~MY@iW00nA5B^n5?p8!Qvz!FBrZKVcfIB?zwvt z2R?)ykcCQ3NIDlSppR<=epb?p|iVMkS-YRxlC$Wow1 zRjI+<9FQu!SMe|!GA$YcFEfFivEiV=R=db}8h?EHsV(0(wuC*XELU1VA%SfI$>jZ@ zaEwf68Y$rdA2nk`hBSlXyrcAE*c#q}=lCya4e>YR#5fLORVxe8EV<}~5LdiC-DMNx z1puzPky)={orr>5;A0O6xAH@r6}VoPj9emrsT8wfqGg^p_v*BJ*6rV%U%cy{o+LO! z1Y#;K=$DjwKA05x_29iuYs}EZAq8TB0}`~)OE!}(yAFXrB_kVP2=yJ5dfQY zDA7^|t?eVL^i!PcU_SPnA*$SP?~$guDxfmU%*y&yA^}Eq+-W&0@^rs~P_|7hVt!-~ zrzka|8!Sg)<~k>WX@LncNb?XAlZt?is6@NfaO3)R;~cUwoBOV(t6Rg1Om(%$jUq<0 zv%}->ZjLX``^VR3)Xa=ZklhR07XC1HGz0H?nN%Lr5+MY#u=CDp=8eArS6E= zLfbnjE7N?MNy`g(H8|iAMJ*AZfol45Pa++0G}ByOie{7UfGTa|mO@(+IOV9Np|lqE zPTVZ)Is1|x!;UN+1A6v0^{A_P;P{CJ1*#SfF5;mm1~-4>9>blw5qJMiT#%4ZzEMui zs+>^_(xSvg5JrC#t#t_y_|+hG6HIASNt?BP$`(b^5T;^K3pa$AQW%A0IviabpWI*@ zI%vwDPrK(Q2SLq73c%^7^6R&Uy_16>z5|2^A`?g#URY2jHf<=%&d=TA?XYJO`R_ zV|CASS1S|>FN4LTstJR8g_%frK@70y-djddW-J2fV1O4u*9jUN8WNT#*GAbfgO`Kd-Mv@CVGY`dqh&=k zMCCgZa^{qyL)8jC0lM9QW8(ahhGw$guhfW%qYGXwgxRwZ<8X# zt9oc2%p~C4t~WPX0z08ZbdJuHXk(jPQI*_9!pmMb5GS5^N`TiO%(Wy;+`uoMQ`K_A zmXX32nrMf)G+fMqN;Q0g&W=Lc$YcXER9T3?9VYZ z?mjppcH2Dj#Ob~%#$)u~0_>hIk?|H{zqB6Q*r||r<6@J9xIFOW3Hk25b_g`^I;jGB z%yPg@g=b0=iAJ!@boVRik(B1so>zY>_Tr^}lCeMGGT#^6lnVN>ke>ho0U=4&!_AjL zF?tg53QFAL&1eI7HIFmn#B2tqAVQZo4}E5NKns4!c_G_hl$Q`HDZ!>IPX`3g4b={PGjiJg}{5zCpkvAc=%3JziP-ov{wCt;DcfNnB?} z6Eo0Fc~YRq%tvqwubv~dA8{$AFSj*m@JL!@1U@&`2b$p(k6*(sgWI4-x^7zIq8OwL z?vRgZnzk3|qfSfh1A||;vOJZpZZ}=*rwO}&s`c1Dp%6U{ zh~jsL{r*+=t*SR^%3h1rC6;VeN?Nz2u?{5&)13d9^bNviD`mfV#B(6vDbA&) zUcdx!56MEp-LlmRy{d|{=>Rhk;H^WCpZ2<3ZWwPRq~%|r=ff7m&&-dpgm5do7K)@N zN0cT56i4L;_BXJOc7L1jzk9#sywh~BaH11|pxMM2XoTxa$yI1>Di4ITNA3+kIK%A! zv|JZWPkiNNlyu{(Q)Hxa@~hUXP>WmWQ;-MMD#|jc@tRksJ8M!r9V2!= zqGy$gi!BvKlP#U1tDeJiKseh%?6Of2c}03YL+Qd8RJHBSe+{NE^ zPfzU?%T6wsG2(m8g|iyL4V7kPs0p@6=dR}8NomonOg-e%;_MK&O5%lsO;X!1j>X{Z z!I!qV=Ldl=D+$%?rP%vI%LCXyvtp7ef&C;d!&+olodj)@Zo8pGOc6m?(0nQOnbgT? zuRMJgIBv~Razg=aBJ3g|Xdq9%MRGscdIW2NzKRYTxMAPrGo`JOkS51Qi8u9LFp1Sg z+wvN4HK9+TRgh|WrqiVEE{U1#oN zl!)w$V4JuMsj1x&5JE4BZ~-VpLA|POY&$FXKAEkcm7zzZ+m7w;TGfGf{FH%%Dsn&! zHOHJG3*VE*Aa9|)323?`MNn$}aiszXeR$B**4c;6jpqQ!wlXT6OOX-Fa6+t4H;wA! znm-M0k6>(=zoO6u>xD3^1VRN0z(<8Y?vT0(-^TC=3SO}$BqZud14S4z*R8WiG)fm2 zMY!#O1SAjc4=flWe=s?UeKumfZWDUkT9>;ebjmH_aYEHjOm;(rh#~#`aa=*L8I zxGf`Nu*MDpJ0RLBvCfH13Nf|Vnliz>S%yHhy9%-ftBFDTeGvjCX;V&i51o}TGyQZV zPkCILZ}AdQrNx6g zG^W1%PF7nP1>Gk3I2%3<#d_5pR59=-4f2?=%!R)H+Wx^)jrhCVYi~gKpx{}iewJDN zCcTDQW+H+RFW%pro_u$5dO#`&x|l5zAw@a_)Mv=|nUwJdWA51`9f(Pj6Qf zK}a1>5a_WPYKBY_xL`ZEVBv3^{%k7MxDt)aR#>i;nX({| z)i7ZrN&E(@Y9>%Z#RJzdUGh6pQQw8Lo%C$_f)Mntp6Sinncqx~P#hJ15Q)^)gq^Jr zNaCQ%Xc*R+h)A&X8sV+y<4>v#jk(dCRVnIl$aw`x38G3a=o(3&RjGH889<+t4)r8^ zNM}mOtI0sYA)Q8_kz^h;|NnLaLAETW_T4MNXdIZ@Q6rn+bI2`I1dd=+Y)^(@|7Fv?_rBwB1Uu&Bc0URH>8@# zXIawXF^da}sS7qs{$xVHYsImciJ~>ob|)jlC;JlVs@#6xlW0o*z}^B5(=(~p@^6CT zcis>2!kNSm@a(xSg^D2n%gkrBUdgr?A%SQS8Kzw8!=fKpoRL+%MA7A{?G`;JaF^~_ z#6m(Pv?Qx=oi->n7K>EHsUi>o7>NRaM5FJT<4DVzu8Tt20&Z@nBJ`m?8XVm`f?Kb| zJ`U9XwG#D)(qF++#1ao!O!OzcHHLhQ}iGk01{BDm|c3Emsr8^BQ0=zlK3Gk_Zh z#y^y~D#2YbKMA}*g}58`yL8};06C038Ncd1m^~eIypU3DZi3nx&$}XRnOal@BgzQ4 z*8%+i1gCAc(rsMPyS4l_cBAkn-NXS&CTZP-f)vl*7Zhf1SbM;_^o}q`^C$@ zH4|l7(N`P$wICazLCz{tC+(!WwDS*3li>_!7fI#a#IwVx?`tQH!Ck2JCOf{Q$WNVX zaR!A6Z{<{;j@MTjp5Hx{FhvYu<(j$_o7W_TeH?0*Ev?#5PyfvTCvhVgH^Do(gFH8M z6_WU z>INBf_kjt%Q4RAh=PUsfnIR~Jp?GJ;>>(jvoT!SByafN9hWKZEExIxZ1W&fjyw{40 z#h(P^xZ~EH_k{2uJ>8h9r)>v+MGQp#)}4u~g1|CAiR>t&cJu6Ut`B&7hWlI1P|@!? z3gPcl5Jey)aN0XdwtaM0KW*p5j*qr^hu_1@lR`>m$nD}izw4fJn!D%ky64^gk2HKG z^59PfIbhV~jl>R{%8)?z-P(^RNtXyJ9-1CBhsy(aGyJ4scIT zdX9ftXoX2Ys6h0dki-kBy73#b) zVBa5o?TZ1B7Q(e?bcW9AE|pZr#}@Eevy!3K0S-x1eAJY zKCN!-V(WYF2HPcNK#6>id5zw_C?ozIAAo#Z6cz=$OCQuWTqr-iR$b!oYD$RO4Fh9= zUfC5S#!+6~**J?~2Y{3gn`jS(dnhZlN%}kp%Ui61C!^9Np=T0dY5x_u#V=aFTg|f0 z%U63}zuEJ7#WCuwVyeWbXaUexG-G#dyh5M1vilJ@sT+A32-heddf7#nTHJDP$aie_-C7y7H)$f~zXp@7%yr z0dz*mebAH5#W}O7$+aoG_+HxH-Ew43qQvR=xaU+Z6uO&4Fbsd)>p64=$Hcv#mwS65 z?+dWF3cG;C3ef5$Liaw6ue3Toys8`f7$!WXmDQv%gXorJNumgiR`%W|NAEhlV<4Y} z?w5K}bxB#l00fYX5S3YW0o9y89_)5rdS@N&#w}t;a3=;Pc|N=suG_(rx5Tt?XbC#2 zAWV%8ucno>?=;6QrJLFy!^(tXS<@Qk!aF)nMyNNGy$S{gEEf_IF{UO{nqfi|H44U& zdwW?-R=%8~cXsF;wV}xy!?vb9`qw1+U$>64AxP;LotJxWcE9?{zii7Vqt*g37n}kb zZ0Du`o^pCQf8FgboRKJZfBnT*VJpDYD2iFUpOsABM+GdfvL5o1;E>e4H9As0P=(n0 zWCF7zbw-t)i+^Qrqrv*(t9a*%DTL%GikUH8|Bzxw*W*-xDu3crJ&47AnQ3|ZH9qqJ zxe$L^iUg_FvPM)*AEH*+^m06g{YRwR1|1zSG#YIt=OVtLv?Kn)U$)i!Vz^hi zl}MU=Q_OBy5NiadVvW*&v`8?mh+g;o;oGZzOaoz9vIKPCOxYDG;0wP22`b?{n3N2SiR>zr?Vm$R6Z*o0OhH`>^|1~4K%G5*4OYa4%5=PJL>7ICn) zG7*x~)3fs{_J+_9ycn^?KU?xr@RwN6hW)3Pw% z85sR8FIpMo$93B0cSLGQ8^JvW)IYEZPTo?eeS@+Nog6F|<5C3{xrs$2*+j=w5|v&N zQh!&j2Kv)xC^+Len=d@|rccLm5eZ9;7<8iOBF;_)E@903WhGv5>$c3N0HT4d{cHb| z8-y5f$}22VS9P?9r%ZCzJ*$bbfu$q2%aUeBc2d$Ubr9I`&gL*>3A*7mcxIre!QOW4 ze(|_37V$Z-A2Lc_qb)!j;sZlI&?@v8nq|^UDzYx$^#DkdG7yU}1@Lo(J@wcR-y}^Mf#PmzA)7Wa!H-Au(X`T~rAZ>AX~e z{@?hR8~h~%#lXe1;X1Z_hL{C~Ze@~+qHmNAITY=mbi+^dH$8K)3Tv!~=zX#Sx|J-wS z+Cj1%7bxx6?n!cJR@CL$@CMbhMlbBcLdV#Vb7w7NL~O+yGEo*n^{0-B*;pYX73p3? zzzr!TK?*kTHHsI^;t@JEtGQx8uQJ!oOZQ3-;)*uDztBxz9SkVPyEI?)hIiR$g@t#p ztK|^#6OV(Al*K)6gZJyZIXk*VkCfXoD@)y9A7!70y%Ez03*1>_E4sF^M{(RFb}@O9 zDfjq^YRRUS^2Zh3@%M29sx~T8!;e0qD8IVP-8^;H>Qj{n0>LU=&6A5EPQ6Z}@xnLf zF<@J&h7u2s+@L*8KeoZR4wkK%Ql3`6nhV!npw}gWQ4FytZM7+Ix8)@)NzyM&)bSOX z8dXG#_Z`hqQ&TGxGnVOt5ETJvB-LX9?IJNGUlFIW!ujAKUo1BSkTBc5BmqIL$>EXh zsfvV{FXWJ!PoU!!6>*w;NW^RGv6sP7fV>#10!C; zQUTLbsiR#es8g^6FwPgtN}9S%wq0k3H_M&mC42Ax+S;Y5K#G?pb}2GAZWO-8=^^_W z3z7?NlrcvhJqu93l(F|>RTfbiUXLBOH+czW##hvm)_4qZdB*K_xS1F&u8@@_9DhD)b;n{@>OdHNUl1vq_gd$t3DlHD*dy0%F8=J=AxvY zr4{iG-LC0g(tX=m6dgC)5o6fvyxi;TenFL6g*smLA+B znLGxxQFmVkTRv(8a*Kj-Ej)BKBw2;8NIs1#dW_WfK6^sO(Jg1?aK_Z}3vOHpy=k%` zoZL>XB>xBlmzmb?WZ$S8*gnaPSVS(1&u@%6nl zA-<1D;xwG)V}N2uY+GzSc?&>)U*J{9EV?=8j7j{_ZHnz3Q8WNbk&JHgYj;q(dEY+> zVT7n&x3voOJxT;8UcZ04DhHsodcr~@#b0`!a5{R+CuAwrdehQeE@F9QZij5Q`R%_w zydNsN_P%=g*L{E8yV{e!lj!>J%(Mf6R#OTA32X+#`ms)tX>&E=GstG# zT^}?5B?5+Vw>NQEv&^P)<{JDukWpfqi5;h#5GR@a>mg80oq zF>~A#@B^_&XoMne#cZj}e6>qFaz*xjS;wpSjwyO6P5E&UQ}S9+1f@yS$!P6+Kd%{a zo+`=)VV=x%Vs5BlGlfk=Hqn?D*MNhOviI=`3+^5b?` zO#}C~i2Y;fRVgpW&Dw_mSS60ZW|#kv*cRtQ=ocRAQu({HXv3{iIxh@&R}2s=C`z$M zb@2njIXw)jklL(dyjsX}1;GFf$(9?pz$0g!M`4C1x1r678jCaukCMx)o8HlfljEDC zi>nj2;EVe_Qq&R(hNN12<)7e%j}}Uj!pESc8L=ST=TJv=don0vXJiJ~>w9N?l1#|C zLHAZ%CppC;{q(jNGu)!*t3jt6PTdARTYWT4qPwQ!eCUUCGAiYpHa~K!s&gDW1RX{~ zTemB>2X^irTMw(rjKG3c>Bp<>-a8KLNN_j`i(}tAc!_~%ujK&h?*Wd3x*u>IYLTHU zO$!`&J&jtM5i!(Se#2dRh@^#E^Or{wpi;M!zpo@LJTFD`7z~G&?2Mw_y2s>vsGO36 z)$LEtI8NJ(Yy`z{(wo(2(7)V!_4Vt$sA&{(R`Qyj9lWL)PU({w*;}$&2#nox7E_Bb zW{bO2#Ivt54>Y}c{hcSQ*351w8+*tMQKQhXK5Aui$wQyeUhC;%A8*CZ!HPZB}r9&_C58@sQB zkKHIvXsNTU@j`g4qUtdV6?wBAPZEWCyeO>DF!&gG(EN;)WTT*j|6O`3VIIgABRYzp z0#ZQ0f*A9SIo>cjjw}T@%hX*j;imLqk#67rxnPijyyTayBljIUb;e=1@w+D6RKx-I0{h(nu%E)^NF) zIQtPw9kO>idvK=yAb52+D*i|h(ljDVg4!xF9P`}Vr_mxEu9TR7 z*d)z-N0k8S6iA=dM6o`2VUpEK?nWX8Jil8o2s6|C3T#E!7KBHP={EZ~&n0A8OJd)S zrsDi?6x+|=mpbV>SB#ii2DfC{1=AyxHx~b^GPzWEiOa{$iB1U3h6;X5x{dSO8%ZTd z80Ln%)V8XvWmApXnvp#&MC?|z7_GFWlvpA%s0vo#_o!Qgx2v%_hPt?Az$Wmy_;$qW zK9dX=?&$+CTS7}?m#E+!+F8I>hrRJR+L0p_vt0^PHgq8(V=h^MKnvO8fKj?I$`nQ{ ztXNJAbFeCM5*{56X^ispt@9GiM~V=}k!|J&0;+MM=xdSTlP@x^I~}d;E9S6W~4*K*5P&zB{^c9yNW8w`(Yv; zX)kN;h_j@}YXEc)ts;0A7*bd{^9@)^B-H4P%#|{%_*l;}LhF2j6cj1C&h8hxFTeg3 zS+v2iXXNIc)cR0b6J8Hjar_OcfUKmVcoZ%^^F?(hpmG+IEILmRIOn`; zCYb_)1)Kvha_*1i@Sd!VvqA!ymf!JnlwMp2xVpKQ4%`Xv?1K*LN|>qe7y4K>W6R$} z1U5XbPTn3K_fGp>MwK7F&z8<;z4S3PAqY>oulX_qt%&jMD-xg18DP8E0laCk<#qie z3uo{dJsu+|@BYzctmG}Gq*i0AJzSUhP`({7DuIS|aT9dsKpdulV_)^LjI=(Sy`>p9 z`$YeW9>gN@l@4fWS)_pAoW6Wy+B=$gl0}NFo;M7%0ELpj)@^G-)0Dhci8b6NHQf*5 zV{W5>R8}hDS}h$WXgI0OvTtazR&ws%{i&M+9sJ?Y_M`&#Y_`n8bv%rmXOYhBdKN8q)_x;g_Q_-uC)V(z+&B!S>l?q=GJSshlo1o9jyBy4pZd+c> zql=W_23hFcyJqsn{crEJ`{ysZ{mZbfi_mK$e}xYtldG$XD{=mI zw74jwV|;pq^k1|d!M9CYVu|9aWhm$O`5~AoK>teck%ilt$*)l3MWT5ol1sST-?{(o zdbiqyjI<(+J`Dcs3|~p0z<*Mp+rl%5lU90c844DWsxU;yN-TIW(iNgWUyA~SnkBdv z>@dy?RSJmCHSm4G=kyrRNF7MY9Z3jAQnii0GUnod-1m9_YLKuaq6|=p1FB1a$6M2i z7wdrKVGJsFEC3@6-^2-4Tg{h7p(WWW)6O03*!fe)0`FCm;j7@C1aBbsDif*?}G=(RIg_7&YUgIn%=#1(dHw|n?^Z25I5 zy78AN{fHa#ZDA78vMOhVc|__=0gO=S`$U`mlAmu=xg{~s$h67Wa^o3A^%@j@s8oXZ zdPNC_1QL*n=EH3P*f0wIE1g9~Q*LP4sN!~JHj8m1&A9e(okV}!&~AkvHoY2!uR~PM z0kqLzQVbX)Hy0boK}SE87sTX?xf{@G(GUwOieeHbiEq(M6!GA>n9T5FpbpN;y)s3` z7k4ay3Ez*)_QROSD&t38Ylzgd5?y3bm8QRyz+8%`DSrfX=C5`uE)dUgtNj*4P9Y&+ zX~ounJZwd=Ll2r*vVu3*^X)|khu*uXCa{<&w=<*B6A%evPy1?#@XwVS8uG>+rmef& z0&Jdm(983&nm_0t3Ll)g!s4>#cA8dhh7%XR?G$`6H=OVed`tSk5?m#ZED>d57n7tQ zl?0izS7};~Tg&aaPhqaOEeAf4an-n`@QpXwdU8{2alWQPh*?1X6k9NEIrwFz}rZreRTi327cm6Qn#>e14P>%C^T~Lq>KV^AjV9SAT~-@0Q9OrY!9Iq50zs^?At|?09GCuuMYDg;pXqKyQ+{r}YJi zg{>w3s$*{@uF9%bO{+5n78fOS(FGb)0_%|>>gN^NqnKXUeWG85ju^}P(19(bt3ErW}7s^hoz4oHWXeJc5f{U#bykNOip%Xc?64u9j#^3$AcXHVGwyPKXVyICN z3?(aV8GtI2qjdIukW(4r4#@Lr^Db^l(F#K=_=V+!E+m>m+V3^ zmwz~Ze{*$x4&t4gcZ& z_i0I2w$L;l5xwp_eQ6aOr0he0968ckYA>rE&$iz~Lp8@buLKNz-V-StC9vLU%SeK% ztmPa@*b?ZsV#LJuFz?j|e0XQg6C^kN{*MRA=gG|_{7mX; z*t&84?n_T3yGj4Md#tEJo(!I+kl$%(oBz4)=SG!)-OVJ|tkABs?3prAs~c5Ls8>%_ zDz`v(OA~;sBqQ8mGld~7L5OlgB&kGp5(t+L;gF+BAM}=EmWrva!{1q1l{iRELK z))0alf8Go+u^BDd+r$VgHC7Wz(KABsJLZm-WifPqhiJvx5P?M?;-v<^vFuVoP;Vcm zveciKqZ|E@!9OrB8XG8~fw1algl*j={x*Z#+Uu8u!a}i*)AF`7#n?dqQ}KgCY^K4V zxz7CU%ClKCLfNUu%)z;kbEMD+!jcq4AH~|R5TL|_KoKa(Q*%ef6;8!6Fxgu5_PiW- z5aW)3mVrf|ZhNbx=ao1`zT|+l`>vHCGccafBwgH=-^53Jn0PG9ou|3V_qZ*0D8cRM zolyC(vQ{Ka?@pduw;?xbv#F7+mL6FkHm+{g8z!D?q?$Jdy*=*T>mOfS_f17#)q)-+e!xEQ$>xK1@f^;vOCDMH4`Z>ef8ZfAd0J* zHm9;S)sd-^Sc&!MSD|Z*k}ZVQHv?kCV&P3A-(5|zvfA$V#-@+!&)@Y-vwogFF$_sb z?zJP}Q(TCOIt|-_?exOLtyQ>Y$FioWV?{Rj9d3Vi~sI>=ZJ2jZkrZTM-3#+<~1r)Aa}Jhkv&gL5dA z)P_uzOwrn0XCYr?;+hTVC6L_oT-;jqsN`oyxiiq97bQH)uIIA%1;7Q|C{iRCg~&LU z&F@M@=@nMPe-HR?lIpsZfXQuMm_4Ux&nU<^Mr_?H)Fi6KVg(8w5Y%MIPikUkvZq7lW<}qa*81f z^r@!pLKTBe$DJ;1%Le=A45+JA7?sUI9OIP{GFFd60s*FoG5EIlz7dv96~~&GxJ{y9 zG&FBJ29LcB8-Ub)iO{l6U3rLTg(z%q2ZX6ZIzE&bQRlo zfh1@|sp*9PgIKFE(Ex!qf|uJ~n@ZSCYDhURqAZw!a!D~3sa#;(hOk`0+qdHroRw+r z^Ue>uyKee9Pv)St8w&6h&AEWj6aC7K4I};t;0&G;tEV;VE68q6(x38)yW`1>aT*34 zv^pqG8syP2gAFWBVX>V`y?h~vYYB=nN)o9ANdm^Lu&neO=}JmXy(`ZFlDvPE|FZ1b zY(FFc)%{p3RxDnxJfPmqcy-gERwlK~wezwcWq!+CDz&(mqE9_tEwhijy62|9siB%w}skiH4_e6^8QoW~h86dO1CfOQY!RE$ zGUKuBww-r}-P5M#@ML#qJ64S4&r-fGN>6Kze1_ zLXo73W;6g$Vhlk%4&bIlXkvgI)I)Ez1p8vj)ny@Im~u^xrX%-U+j&}3kKYr{q3{a* zjwPx)7_}#gfN0Xd7T=T)7xaWY+)p$#BUfK*h{;4)khB|3yv=6W7;q-lCyWIQHL}C1 zAgngr@ZY1;DS*#x|yw=evBl;?mYK~YsBHxH09O|UN7C^N026EUpAAgcO zu}Ka+MG=Tma1yTG9lhFp^O{HBli$O^tT>hGWu9Z=a58dRX4x;p-$`zuv-|bl7rRvi z-dDSC-n`uX`in2nr4LG6V_kdUCU&oR7l zBp*IisIjWQy3d}J783w>Y!BQT@U9stRltjD3bV!CUvxmI8ZK_?V>S>#m5JgoQRbRw zu7z>Hrv8AlE}eL~#wkm`=OS$=`iY_-d-nu%l|f>cDsddmnn<89yhwL8#pi;r4RF`C zig8O%U=@i&mX#Kb*HXb@x|LWcg+dZGY_R|CGUTSB7y~q2@{)lcj9^K}hT@(+L9Ky7 z_ad!h<0CfrwvfxP?((>?V1Vz`C&odf6vQ zB39-b1+X_OJOJdN zcX87@KSreXBGSnUktrW6izr)~rXms{>RGy4BrkvZgbq0&kSYRzQL5 zAvn7|;L>!AM{){nAC748j_B>HITPY7sh%;Pi=`~Y8brM6dMBJ^HxYr^d`+~AIn`<$3&p$&4=a>4+z z((f<;F=jq#>inu8pGb7+`Ni4Ei;~Dl9;fbq2wme|tdo?q__h*9mu9WorYop|;UW`8 z;7Y37xobNyijf5zp^Qk=m>Mu;1Zt@?7-_gnq{(LjzQ&CBUGL)D#xLHS*}4>Th`FLg z*vPI*>LrudKqyb&Px2uMR2GwOnp(=S$U<5b=!|cgLX{@9b6}8zz$~`~Wsr_g}Xq4pMP-&;^FbgK&$+dtryTxkv^f zR81{{OyxkJ+T6&n(mnlpJAet`VoV;?#e_JR6jCQ4kH#Gdxhs2esmUcrUtGt_rIK0- zNqngq`G3g-H;>LblmJ^jD}d9a;r1-ION<&Z5GB0)nN$;Gw2rJ#3iMQquS(4nqT-S= zwx!bylFQB5;!=6-79(qP_ht4t>rA{U0SS?bOsW5rRfiV`9>5(CUb>d{r6gVrb(!@e z!Dg=jP(VG-qIgO=hW?jRd>AKFNwzu*)R26}X7thL`de|9NCoHhw3~h{Flz9LE2VRR z3eJuA<>48S$p-}F5NB(j|M{Q)MPIU=osHoH{>ZSQ!dTo8%1ZU0g^dPJvMom~U`uo_^4Il* zuSZO1eky94zpjpq9Gn_tG|3P~*Wzu@u#LKBxh2v_2c>(u#+GM%a1P=!nchy98unnr z5z^>}?+^*A@L3e;Y~X7-_~!S+a(B12Ebg;eYqiJ^8Ws#_s)fvl=i79HTr6{K=ipln#F8j1!5wJ=zf z0R+PVy8QO2_p9CAgby1=1N>*OmS`qOa31kIF7f)Rkz@V%%uc$DthnPc@nyzrlJiI5 z(krmpDy*E&v+YNIt5QUW7&^k#$V3C>^thPLdN;k(!|zUfT1kXsq%6hDXjMHBw`I4I z?6xWQIt=W)#mdW9_BAS&l#YKFI za4!%Bmmy)QXa}Xm3L88l{nY4S)`L}sFnA>YmzM%*gdB>#FvQZ>=b4aBvox96MK|YB zGL6rLx&hOITcF^$lc#LC(`1HXR3uNuiYd2zN^wJLeQ>QJS zd1_q1F)9v6kCMEDw|%MFrt&UHh4@W0A(i0)P$%8Hm7iJD{w+cN6NI&+@#S2F7%Z5! zWl&NWOp5T7ZI@%M;hHgb5BL72bE!>n_Ww|TA;O95`ZhGGvV@rix4-36w>&kZRxLy@ zMLo&)nW{seF|nw+t{VC%)(E!}u~ifV%JT47P%>35Y^r<=Qpjk{bOiz%L(j%`8;{oJ-*nJgCsE-cdVv8%m4clDy7GWt=|^s z3?Q`gW_?EJ%$7aWh^OoJs(YuOwYeiH4aTFoh5ubVaQ~e=pdyoMIUllr3*jb08YmS< zvm&l)Cpsqw?{3~#gc^FW%?v?S-kD2{ph6J2f}IE8B5p+wh_W@2gZTC?(4u4u4roRg|zsfj-4WY=Uh zbwg+guQV&-1hHmpJt6#M!nN3Ez!`vzz^lhp%)B%S4b@Ij|K9hLY{m{TOV3!ZQHyHC zTIK)|4!HrH?MOnY@j?LnLNdDyK3AoXNqW04Rdqb5l;+wZ+%)NaeROqleBuo9!_yut z@{^Y2 zRk7lbAw)R|NzZRK{Vqc6c``&pfsX3)%ZKKr3QMU5xN3wnh%S>zYFky6_+{BgtNy`Z z4sg6($BFEka{J*<4UC$86fo*&^g^Kx?c~b)SNUMfToe4OPb9(a-T6BCDZTFi?bi|p zElq@d{qoCALvr@^YHeY8sof*eJVvaSD9f2CPD#vj(kq42D>N1Dc#^6S0FzMYp|wIc z=J%Ip+CTMx#>2_(tV~{=f=#DGvXW#fBEsNSB;9<$Be*}6hBx- z5sJiB2LIAa#Q~ymI15=4se;d#buiJzvakstUEt7)S^#1e?lQ}osp})Rpgo2MtV(#434`V$>N zs5J8eJ2DzVNNJT(;~c;O4*1^8N2vd})jr%Y&Y+e(lEE0TB#AE6rgbn7L|4yon)MHZ=9W5Zr=u*%T^cl8rfT+paIjMNB1c-WLt!m43K$23*ta^}heX|oaLnTcA0-{{;TmZpqs3I;b+HAORFf~t;u7Mj9)VKt`8xmHP^ zn!GSkh-D~pl%OhqVEQ&%UJJALAq60S`!9V$#*dYcu?)A?z&*ATiN}K78}|vf7weMQ z3|nFJON##%-953311w@uZ7nJ#)5uda;y9aHW1vidCdH!`stdLPn^D3b?vj7zO`_&>b7)BX zUC#&=sLqkWm=ysWq4hu9j1&OejvEs`+lD`P?^yUltP)=havLLSPU1R*Z~&RpyVDwk zkLn&+MHj(JGHg5t4WZap1c1NBx*5?8NFGf=j1^*!S>e$yfUeG@n@p3d&JS4CB5e?{ z6=SN{PDT*vZ1_}3UYl5*9nC(~RfW!ivAq&L;xPaKtIFu?s!vqMG1V zQXl?(ZwTpr&MF{xoG5!umAA|m(H+T>wA3J+9nz!{`#qvU<(ukF-4p#zQCguehGjG( zwRJd|sI9AdDh>apLD?ev!fbbUiIZ=d!f~0~$ zQb#S6dIS69p@6g+K`5d$_mZUvQN~E?yzzkU3{mE1yM;iuTJ$!9dmf%{E78$uw0H{I z6K)4u7M?7Mrw~CbDX*GjV+E_CoEkd;UEUpIxNys1g(5FW;xMnDxL!JYX;%8;w_5_9 z0liF}WI^|1X)=qlCq{1vufHWPyoJ&#W~%l1HKcBt?#^*v1ocpKGlg^cvTi5^8?I$230vrHL%q3Yc2nDK<`Q>y6mJ*s5 z{>g|5DA*oY_X_zXNTM2ab$4&nS9L>h(?Tpg6$J{!@!e}Viht~xU=MizsGT{Zuq`(N zjWxyzq^TJgvPQs@L4 z0qnbvMSN?MbxF3x<~%DI7ip@)MI&fu!vqmTLhC^}bM27PZAnNdSojcIf_RsA)b+SC zOoJUn$m40&geLy1<=*uJRdi^5g_!yx6)Z3|oycX?fufVaocFxll)isouZ4TX?gD_j}*7;GHoiCC6*8U4j)aWV(7>g$b&wekm)6mH#7B(KdDAmg$@ZW#t1& z=7nzti+psO9mpeEv(1=L-+c&b5=OYlX`@hK(_Juv1f+9CqfUAo1b7*~76^|S@kVi) zk3?HFrq>Zvy3(zD#jD*f z-)t$c4v4b*7uRfBO&a9BellwRCsX9CqI!7rdpw+Kr zS?LSNNuN9yt#!1A_Sme+fE^%)?d0N}zp~sgG3_LW`dod)8yHv1twXGAW0vX3}k2h%QN;tD?OVr&*tNDK2;j0 zES1um7W35y+$n7z7p=9+qpM_hH|)r^j=egxvYFwA>gqO4v;>PyTeDknrD=&M*>X!& zA~l)ow)9WyF=4xh8VZ5-*vO6JS;e#u=pBF_7e|+v6U;&WxrVPO#S%?q%Ckt&Pcj}( zER-!7yBZZyn!Uu1pm^x044FHSOdmZ7%hAoOSmxuW?HvO!|9{zg(%!hP>+<>iiU+#^ z$$Dn^_C*1cp~z9ph@{vdWjQqr;;j}dk;BZ8mJ}F zCPZyOe!CXLh%@hgATCB1jKso=*zdlkL)a0riBKMxzzi?~ zk?eLOWnw>>QT=v{F6VK?Ws9sH>iOBFNz9-Q`a9NdlX0DN%59T1C(68zw{W*ZRX5z4 z2LIVs;cyoQ7s01Bxq6h?ftsK{JYNzY<8?M<=FVM$=*8j%v-K=51V#Y2sXR9(>8}Qq z5S>sx&Bo#idr?J&N}gIXA-fHQ^K9c)9I^?^s<(sp)j6b_ z7A)>gT)rj>QAyT>%9-ea$B^X?y>y@A20;-K9|=!g-iu3l*OVF4BKFW zjoj%iMrU=fz^&KUF#CGKCYju#N4bZKDI16!wzyO<4Jd2KL@c6LWD)~~FXu?(qqOMo zR_1bkA&X&Vg3iOp`XmZA{>y8;EH7qR09afcSeUfA6t6{+KAlCnNGn4By;T~YN)gIC zhQ)qGE~z&L9w0yle?^%etym)4!zJ7{K)m-!a1=HY`0htwak=%}XpVN_E|GTqE)5vhNLzuNAhSy+r(hmu4QgVgfqLt@wQ&OMV`RM z{2AabGiNc$#X@6cdUkqcnru#j=tphTu6Y=ecr(Kj8k0NfcwSQY!=y%4uBlMv&+%X9 zmM3Quyf-p=0duH_E%c8}F7fS(rtFhUdt2+9#bT4>a(v?|dEMTa#q`H5bsTGQWUqPtjyewLhv{;hofyxmh@QD{qtSkZmcLUAIlr z7YbxTM$QzmjH_kDf}EAo*HP5>LS-oOwUIwg z8s-WUqshn{X74po0Dqs}eQ%oYT;~xoBUUr}_RP|UR#y3XoYF)TO8&^?hL_f;!h5R5 z*FZJEm?+x8iM;DJ$(=C#JZ$j$xjx%cYjT&eRA1FRSAr-`MG8clVsYY&(IzFLm2K%= zwokS;stueE^eFe7+u%zSfs~c8kuDYT=wp{cM`>*oWuQ`ZcEZXHvfFU?h^qKVWlq&?%+1c`t6)7D*21Xd6~17P zCXrR}BTuiW>969Ap>LTLRktiG723L-*QV%iXV^w14`(G~C?1Kc*VJ)fJ(E{9Igtw= z6pk{MmgHEL{KFv00jV|%SYJo4T*N+Co`7`!NnN!?F%*JUTqAc77Us=*!1lDu{DOcu zA1=Nx&OzSU)srlYpS3F7iT4(exMY|p?bFEgc~TNhsKd0?`rD7fppAe0S`~*aGpKHF zifTZq44vzU?1wZP8?oj&e~Fl_f?U;(0v8fu9-DJCA+5UHJXZH)C{fG|9+967s}>{G&~a-Yj=1p}BYPFG~fX|cZ) z{zV??Hg`@ebp=WG6yV~Ie)#;Ae56squ+2%4AZhZX$I#&8x;Fg{pZ>q;-@0YGreV0c zi@yWYg!cAHPh{9<8z~$Ni6NS!+P&;~|Kk2aKEw7O$Qf{F$^dvGV<0>n$2w~N4czm- z{dXMG{n7UV#Q*2}|E9XUH2ZFK9)zBaPEwuAO17LLV^`Iv>D5-dieV*fMOoWe<&dN) z^}S4x9g`JF!=xsT&{$>I(>m1zAKB)EQBOxaii43)M@}qlk9vA>^waH8PeG&}@$^z_ z)YHw&BcE=qo^Fn6&>lIl&d5dm`r_)$;!7H=TqrbnUr~hUwYuHD42Od%{*rPtJ|>=2 z;mO!U)(&0nQ_$nbKVCk+v~;eyvUel)y$1jiPDwp`+iztF3K}4YuO2l~YIbAw%U( zsqb-?rF^*+b*w(OxO9G{KKA~Q7lTcT3q6Il%Au3v%BU}Sz8bH!p^bnAe3?){1rnfB z6sGJT;IGQ|ov6LGxdpp)aSSF{jfSi^`;3v~UfodN_?y|r^2+R7^9}W*k5t&R$r1S$ zv+YC*ivDPr)Wi=Gf`^0W}C(j{QrCS9E<-C;!_fG2aye*kch>Mul*o@sHjX#d?!R~Ude^&8;m@0D_YnW;?scDZ zpLZX2_f+`ji{8E74fy+6?~dAi2EX-gU=w)fIsEo%?+$b#eJfY4T&ZESSe$e&ZM8PZ z!GZ;=CYM|3))i34vnWC_Yn;KER$JbKkd>mZT)f8DZ#mKy^TLw(L5_3vQWR5gqOKX% zq@q--YU;YC>j$3YYoVoiVVKyd<6D}o*@5f2p|ZS91sPAN-9PrefZ2bI>r%Vl^mgFO zGhB0TxBE3N6qdECb`NOnJFwbMq2+z}dsmqyD_>kaeeINlwIZSpPN^jZswmyBpx-@s z`3o2Z-oA%$>wN)`#=!`<#~HhVd-14y*t_1l)4Q+sK7p@~;XT-tNBFuTUczB^)ZRT6 zhk%WG4hy}*`$*I2KJVSfp`ho_LQhpBsoVH0-_#)7r-!>+V%}D3}K!6O8g1EaL|3g+!*O$AUxs7w6757pLb}7pE5* zb#*-Zj&7;?gbEPa?Y@A~uk*l<5uIV!`po$z#^bD>Uv8`}H5)4{zpU4k?jHyY08VQ5 zr1v?YH5{Woc>8OZ<&*9{qx%b-D)mb%eL_c&dR~}*x3AZ)sMmYkp!-zip0IP+ho=bs zX97s@%jdn@G*z`eJGXpx^=zZDw0fr5$of;qu^-y*9he2pk0;4M@9il3=JY$$bMw=u z=d(8_U@HG6rt%a3kB0zP0ekWUe}WCTIj|ZoT_SqG-BSUe&_nN*S|1oe>7N>$obEr% zz9p3`z>be6jrI+n71*#(vCRQPotqNH?LJnQ=`?V?s;P?jdNxTm&j4keswmlWEM$c? zW@yyJ=(_bJdr5rH-zv1oUIQFZj0pJg)h8XAIYYWKHwAJc|0 z>n73<6WOoul%I>&aVmWPJ#tKyxC&x6t>B^9@P{lK6!u6Eg<< z83X5q#G6(E$L|{=tuKg{;$cH1g{eF~YO42ebvv*{JIw9+R#-VEW-3h(zNnzj99sQ9 z3@$Gx(G+r)?7`{nc4rF_OMNxOQeF$O5NDq>joI@HORGzBv&eF@?=$BX7Le!O z$d1x|RRG|Hp!$H9Ah*3HMZy3nCPc@Z*L6bh2Svf><#R<0`yEP(v_FrTg9*&W*J+cH znMy=@AYaGr1tmbmo|%|E6eNxKzDgMS2uThc_J4&9J{0us8RBJ*a3u^zT*$_uX;5DT zhZ`kH7ET-Y$h+-<(CQdkqz9I1d2tx(uBB^nV7rl{MNSbT{sl#2=!ay*eL8`=>i>Ll zPpvOEmX|RfEdrPb5lAw$CLtyfIuad6VMGwB&*fCqI><#$eEBsFKquxT+v6r4fT2?b z5_O`pl~N1}H`jBr{x~1=9`Dj49(TSmJ=^A&?dWJQiGlg+9er zg4FJ#s)eMQgeO&3#qx-t6HC^8SL1bBcIp|a6(p$}SYem~HHZ?=(PKR|G~d_y*GaN8 ziJ8xV3H2{q%nRrA_vaQH$3l`pFbDk!S&aE_Ok3a6f5gMX`9X%>a3(HH>GmV!G45;ITVeH#U;=8VI>4^ng)bhf_a3jOE zbi*sz5=-(w*|O+(-6qwRro_Ak=LUi-Q0DnYW9gV=;Xg7vS--|HFyhWpBML#&)AhuO zQzP&aOG|Ap@U18b3@7!HFx9Q2*M@u~8|6l3PZy^3?_zDQJ|eHp_YBAL94FRe+d_*? zWF@}m8+z=UVPt7XudP7k*zSoSeSp@E-p;W#OF|CTVWc=iDv*#so&e$kUT5~+A|b1x z(8u=QU5Vc+_Vp?xl%*eD5;VA(lZafYCq^=4SOlLNTfXfjo@K;=6}YySI*}g55%7E` zj-sLr^xs61ZUR~XGS^FZnj0fd4seC;@qFLq(Mbuw@r5Ywr?zRieryJsWe1U$=(_7U zhUFQio`&hGO#dWYCNG<9jo~_;-K9R{!qdDYgEKbEj9Ejpg(6a&2*9hnC?4 zju|Evh-IM@L?(!2Al)ZM>Wo-h=1}a~B0cmwi$F@u_ z2x3DsJm=+;|26{USI3&^@J&H6DglKsbv)aS4N$7Wz|!K>O?(imj8rq@k{I=XjCuo| zA8+DEcJuO6Vp_3gx@nr~p5-P^kT{MXn68#MzU3OD5LmDg5^`<|U5v~pd%e4)g+u#K zVBCjf;MyZ;?DjF$1{O+8Accc9&$O?kJ31>tyf;P z5FozWH6MGxm+ra)B8lxfwjSxBl|+7kG%p5KMgxUSPuxM(l?`%@cN;V3SI|LJ&s<#3 zQIjU)C)=@v&P+PyYhmEG8I4SHU(2PV>*RoVGJyoxzsf9Ing=tp9=C;GNkYF4V>g?N z=LEDcT*NT^D9{{Gi#$DW9h4Fb3nZa5FcM{XO+xD*Q40YyVg4m>xxnU1-7l3-SO?J34rI5hB z$LftZ`MYvzCF8j;tM3oBoR9FQ91Q4}3J{M*(C%o3E-mXpQH;!`D02Jzb^*1sPzkPH=2M!aJCOgXBFFs zz6jE0MowiMbwYUcAv7b1lE)km0eO1T&Q=i80aGsE6_cq_lY(EUz?sDSC)CVOE>;Ts zQ|K!rDXF{RK&2xOh zfI@q*W!XTvO-nN@-_ekN=^)|h254u66ZRWY_i+wc%mc2aWPKoIMY0f_0b*SiR`FV* z?JEpl=kN~1u_w|HkN8)zx2yg37@?UXnaLu4Ue#P{dzNX0u^9#t$ir?F+PW3m4gfIp zP;)sc@V$-zdSZYZX6pxyEQE6s*ntnqPNIjg6{L3Rn~5H!nq8z&e}I+TqLm?SeX7nb zE-yD`gj1Qd(XMc95*WyBa-C)2oc3b802!}vqC!60MN0CT-om`<0Vgk#sYu4Xi7cVf zQLznpL?k=O^l1!d`6mz##*gZGqWt2W-u=v^2cW4Im#>tUf4vU?gw%te1$y(RKEXvq zU{KFUp5-2tLm=|aV5^=WpQLxOH5@uX8iQ($586ST zC}lT)3Cu{y`@x`oJ20?kmL)Wf5fG+UkZ&`P6XXAeyrg}z%mcgFo4#KJ;|-RBm^Wfn z)t~=Mz%+aR&rd334Z9`%xP`Eb1A^02vQ`S`LMDzDwn7S~rR{@0c_;-Bkd4A-vCu5tCuI{5vmkt0%#*o|nHl0xsA*TTG$|(xb4`Ci3fH5ILznNYY z=Gr?P(>ein8C3Pabj%0z9ci` z$)i=>Rgy~TuIf~ENl25t%QiNcTY!X%0Rwgd0Wu+xF9P9ST1N9ITFxi#cCodLh^ADMkdb@%N#*vh;8+lqDhnJ1Na@|6C$t% z8qUBru)+uI!I6<|Tec5w8?gtSQP`N$HfvP(N4%r}Uy!s;d#g)IT;c-Rbt<`L-RW~p zx21Ea`Y}x-Wo_v4`D2+Va!uwrUurOwA(a#S&o$manPVaqYAGV>wa@}@(D?+HsT36< zrc~B!Ll`6>W##`jum4C^>~&fN(xU!jXkhD>bp6NR=$65|^&cDXvtjigdy$gTRUi*p zSQ%zc(^!+1X;s~j?y#ntWCGtS&3)I(JPuLcWAn3Ra;CV}40d<7%z3LCg(dg14*?mu z43PueOFzVG)heC^NNP4TUTHTS%zgHuIc`m1n7 zK7A73o~zB}t-@%q%CI`;-H|oM1H&@rEnXrJmc#4JTSQ^ch0`$f6gFvh!V;iu-hydr z_{pcwS)q?~Sm|o9M9GC+Z~~ZUs)EyG7fC!~O^0s9`t&kzfNjms_}EEh&a7G$d^emf zTQ82eURVd9bap7FA(FoD&ceHK}np4AWEq zMcDVMV3slWSc586&oFOJ!Q-XLtYQW^DeN3&FcZ&+%3G0ez?yL#+p6I9dqDAgI|nc^ zu(#_)wYjd>9SDxLY!D7Jz-q`5mR$o@JXfQ;d3As+`X1zV;Mb;I6J9|=TehZ&d!l~h z(`R9Sr>%_FigRU4t^#-e5o-$32fL2~Y2I}TIHQlxxoWlPam*SJIZQkW=$*7Aa*zuW zXmh>K&dp&XbNZfv#zBRc{qDFG?O#5t8F&IWn< zZe5ywWVR+PqZMhHNz!URCqIRw5RPQnG%puLr4c=4*@4Adrp7B^k5)vgkn8nA9R!pC zxCgNaBte&@;K5|!v6MH7UYsB;)6_%UMxX-#y-MQ7D!JWCm~R(`z?v_rvn&fBSp1_i zbAZGt;0h#hGem5I)I~}x;$w5=(i|`ha^55`AIN)i+6QuR`i+CmG;*V7M@*rTpk00$ z#)F3gKsze|o(qrX&0^o@1N{S7aCo}#-@5$fur}j^re`swf|vlT;-Lm}bw5u%1k{(qZV-otYDRjAABlhWLS26VJ@qD0sWKb?wgxD=osw2MQf3cbX2BE8iOr zXLBB91S*%g#hnHz<2ut3-U?xxgLtt4iYV9M1LIcs7`s`d8H-v8BFheiuC@*)XFgL^cp`*Hy^X3*ycxUE##E{%I z=(On)w9N+2n=CAWmHdZNHn56*Ey}6!0)4U8R%JyGPMNYB0adeyg4wO#IE3e|MYL_= z^I4pWClr45rWrT3?F%b>_pV=86?Wu0r}p(1k%$G196*sTX{9geU} zh-h;i+*}V)_jA~R>GdVzCSVSEOS^zip^PEHWT3SDRNH#+@}A@engf)=Xs%QMO+d20 z+DD6EM<+(h1zG*;O}Dh|tl0$4NFKt0RU>6HgnuJ247_o7G6KZRP302~$)S1I^(nyg z%9tW=0&MmI=xpjL{4GXqwj1qdvr21O&nzX6r4Ks2SwvG8)p#$rXQKUa@sORtl|<$| z&>Sx8r@n``?*wF%lbsD;dQk<;!VdFLci5h9mXzLJ?+`=a$aCUZ({6yi5dy4(EYtN( zCC;V-Ic?E|@;&L~s#*csALNyu*YZSDUW%l)Xao**H80Vz##0~wtd0`f#r~eO+ihM` zZLKMzG#S;VEjTu!ycwQ93;Zgmfq2$xZYR9a3XJ@G()?!}rBYd((X=&>7(^G>bp13v zb`VYaXvv}zAMqTgX&SIgB1uzyD|~`N@Tts9SHU~iZ~jCo=ES3)otq{Lc*-&2i6gv4 z2cB?2Wtsx*1hEgJyA=@;5)Mrdu}$V947-c`i9Y@rfmLa^rO5*DJP-;fyVDpQVO<4{ z1=wjAS7sL3Ght+9I2hW`X>4bm9UbW%tTE{vYCkRU5!b=S_3nH{CR128 zYs2LEg~fp48_ZBNhj`wu1$YY%vHg@a>2GM>p@?nF%#nm*ZO5%(D7ZNm( z;wZO(FaVE4L5O(4Tm&XU@<;d_#NZuP>-#Ajsq|?X4xdThqG=?uDe_hUV>q9kBa;l- zgg4Lg*p)>)Ylab!@VuKhlWiA4f=tF}m%CWRd;`miIC!<*=xcMtwFg4Kxi8j`SUSvO zh{wYW4_l65h%s;vtfB`WV-$$A2jm0o{Kf;nD5#MlMaWj1eNZ=AvxKs{Ki{dJrulyp z8`1xHbadd%<}Vuh0r!l_#XfgFIE><1J7YUIlxgs1UxY3)f&7j*G@BNnQ7O|SP|OA%as zCGIl_|1M#_UQX~{#yShk50{mARONC!U*%Hk(M1Q2B`SAVAtY{S1xTq9aA zscR^AcUxM$La=?5n&PdIY8H4Y zXs)GNt1{JR&>Lddpz2;Ogb@`Ph`=X_B|he-j}kUPLczBT%s-C4mBjUbIi;QuU#@T-G3YFU}FhOAv$CHTSCG03c z;(+Qt2)Bft#np>c_i>5phXe-FX@Ud@k>62(hMRpYiyF5JBx;s(H_AQ-BVk{(r&vI7 zr+GnL*SJ6r_y2L~l>E48&Mcm|agw)P)b%fQzjgMT*$}`#i(C=RhnmD8RbJ9p)DG?% z^?$<(+Vmo24{a*fIgZGbO-e&3@{w!UN&_rD6lYD;v&$ecxDuj^p0%41&|lk$JKQywSxB&-*H-P z%y&i}zBAXwcgA}7E>9nAZVnNvgt*~#%0b;W<sCjVnH@2T$ZgAg>s8V-%WU7xPrgL`V zmbzWbR9>Oq;$cTf(@)Puv1sj1hFpq#%ii4ipgd35XCl57D={P&c@yz4zMuh%j~MXY zqP|R$mO`AYe$t2hLW3=vss#i~f=fU=SAZ&(OxZ!^C>5lVVtGNqL^Z?5V{(yQycbMX zxtQBTX9=V`yar=gU86yQM707%g8i8KFdU~Y?Mv}@>EXpq1sJ%oEZg1&N8N~B8YvE1 z+e-NB=Lc2ucq=i;kE@4b>ql;RA~j2c<(dWl5wDH7ZKkvc)t$*3J2SYR#&OL8gg z`I3SA13Di!38w)BV&p3OB~spMVg(AmhOYgv|wKjo=l z_TV(VDRWewU#Jv(r1jU~*$aHMNWEdnoGn!R zM+@>6tYve;F7^zj;e(+*mc5ar4Z29Z?D@BkgvePEV;cgpCDD>%F+O*4bgMrnIZ6sN zlNl=JbeiJ%WXic9D5iOM?>w)WI>U6oP5rBlCxg>j%}2-bq9!EbCAC-&^>AaE4o6oL zAAopS^1O_)cGRjq1FP&Xk$pziqd#Xfs&74Cf?9L;tbbFpdY3gSTGoeUO&ptKvz2;> zTGb2fqxHN3&ZO8|COzjOkHYSgG%x4wN`F=dMV`mm;4r)65q44t^Yt|GNusA+FqEcz zO-MoAr?H&7|NJ?eMKxJSs)Y)W3u4{*d`zO}JMI(8#>;eeH}~0b4~0cOrRlk4BL76Q zdK!zIX>t2$O=B?zQANhK64(=Jsk3(VX|z14mcj;!Y$tz7h?@?Z*1x9@E1X(9a8op? z7WVucidqE#IW%&%u|JpcJS)Yt5ft3@`DtqTnoAgRSNrSSABD}3_e``filzr!AGWl?+`(pkCPWj8L?dPe|XUnV3@<(M$EXzDB<679@}`Iax+6 z*7d>9=F66YAKdXs+VdSNn9B;!S6KXiOkB-6m)JA~k6vM7bPP|XK65Pg+9a)+C2jut zPWcT%z#|Hdr2%UcIMIe9YItzlwxPj+Enxa=9kzY$og<6B3a($KaMYsq{@?s}tEXwo&)B?%Y z!pbLh4duJLqz((QEuE2llQUVRxk`CeO`SkgO84moK62c;QIC&nGO&4_dw$nzQ(dEx zHs)FT!|jLBo-Un6JBG-zGq4B<{RP zr8`sj=qisR(?RLQW%AHo%}BV(eV@%ANn&2sT;yib;*&yiQ8`r>*pHlVlV8#jwkR=N zL_Lv7xI9|%M`|9lTlfUiZ^6;S-!vpG!f3RBe;j?uq}-9E_%)DZ49jwS@lE4AOe({s z{7x~BOhz;6lF=0VbHz62nW=O~>^x8YkVGEz4L!F`p0&E8K;$LF?tJ0{iZe;WQW=pM z7?93HsqK(e_mrUG3)sn>y!%2vBi&w2L5L29#8NrGe~A~yPDzy(fu`$6D)S&tl`F`k zCkg{$AA0J0uhOs-8)zN}jgjbr4xKp6dWeX#=t8Tf@f43;r4(1meH~A|iNx+jj8CZR zUZlE*$!Ee7sECc%vMBGE$$6%u7%S2${Ae zElUq%FEk2d=eV!uoK(60=ioJ7aqi1~&XS&msZ*#c$!iJNL!=Tf7FGR7oHxmlDN@~p z3cE-<$=rDfv+v-6kJg<`)~r%BZJ|L2v7e7apBoV z?kv$&OBb@T4a7B`*F?RPO2HSE^OV2|zw`Dl$h*`ano;LwF9Y~d$8(*(QpWgWn1sEd` zHHYy*q!lb)&~^f;N6Cx-&(V6AbskZQ-7;l3UlsyO*f!UNK>V1W;mtiIbC%?Iu|J}2n5~fP0E02u{l^Duf{jDEtw+i z`h1*2o;Wa6c!##EUzo3gpDwP($)U^uOClK^>0_C%;Gw+lI_^mYg;(KUrZ3AG?C9@?HSq7XjxxhA#7*z#+jtc3JnMoAeA32Lb?f?Wr z4U-NigW~HP(AFblb%sFVs66Ok#Xi;hi1IaO+xXVvw$V|7A>euq2XXEj8EqYsN3$S7>I|yOseq?R<2}lvjurB{sAP}rSaz>) zemNr;m>wuuC2OQOUfMQT8YmV=w{9EVzIAAH>u}0rxG3VCPu{5|#s+(0BK9;baFWEe z)Iqn*TYR1BVzl}PDZco&T2Z}%cxvK_*!`GO+Ua|?i&9jU#H|m}DALk#2SYAex^ETF z*&wdA4mvn5od#T}pf2TI2t;C&=g||h)a}q}xx7@O0 z3$rkd0<$3swr_KWhlYj*hB1-Xu|bI21KY=)f#DMVXHY*^U)4DuwXY5lkV<AU|#rWMaux;z8wcRcb42+MIFb?PpT0@pS49q`l4HoN8%evCm zMv22oyF{oG(z|s@iY$5K=heIsm*12A#gph|OIL&sT0pl*OnsUEd!O--V~-;)!fM&A z^+jQT+amCDulQ5unR2EGtxk98r5CHa#bZ~jsJW~6DazC>!^})yjIASy00D7nBJiVX z*jI7G(Df!H+{tv^MJeL0v!X3VT^7m7u}O}~>qoH_pvGqz$2$5VfT+SV*GLNy+4^j% zJWZLqVlS1`o~KBnNUmYV3i^V`>nmEej(7O@UiesdW#8Z;X*Of8r4(+-X!tI_M-y!F zXPjUhEc?i{`#itaH@aoZ@Q9qKu_H>0PLiKg8I#9XRRKUcKeGqsj=X8lpT+5W0aGj! z_C0h+;g4Ne8C^h9zL?cUS)j7ood2IzBQYtLI?=VI3Z}hCZr|(ZBI^1Q<=7d^0%I<2 z-H}}jK{S4zv!d#w8B`asW6wVAw5?l5Mn{J&ti8k5SKGD^+S{D*bo^6R znNb2jV;N2n722beCW3LQ>o<;RJK8}xve7Xt%hKO+DGPrH(O%b!9^M`krVH99nQS1@s2jUkH2IizS zw zMR^olZ78(v)kFvvg+6?6|B(Zt`OxY$>1|^_0+wzclOBa@vHxW`E{Tz;^Wr>BNS0-} zqwDaE$X;Wz9iQvpOJF0whp>oAvkaFNwYG@?RT--xf!ksHQ4A*9bKzd6tA%2(D=G=k ziy5WDbXitL;H;G7oG6^u{p+%nDQmnI2xrG@qdikaemLz#zTKIenRIZXa!N7B`wZj% z{L<>1-_iHz*ssJd1AW`a`hNAF1BKy%-+mt^c`IvKb-S-MGsC$PUA?s9Mru1Mg9%aynuh$`HP=MfCrP68C}%o)NOR6NnITPoPH}cKSX|dqUj={?unndd=fD zG8fDvhac+OcE6#oKzowYvjny^|7p51EU{hN{g}=KvTr6%M!ECz$EaKcYI54!$864hX z4Gw`NnDpeOGeP*gKwrRl_FyW;&B_;`eg0TKEm^z8YVAk%AK70N^3;W zn##Foku;LA66S5$@!?~RF_4Q|mq*DgfTwgDxTnA3M_#QLxDj-@)UtAS8X=nqJtivH zBJia;U1Y3{gMxiL7X0s`I&c%+EmTTMdS$c_pp8(Lfm~uw1o`nqGK7r9T}ZqnsGKk$ zP4SfcNW;67asjftqu%FC0gfcDI59?q9+Z-7lHzhvBwQS4X92;n$W533|k&&IcM-jr0P}@1CeMFBYey{7CPgTEZf7;`$QC0bEPHX_65D^ z9hJ!?+7bc1_omBmVt7_XnJcPL=gAQ(n~iV-kR>wenSpvZNZT*PZ9#%dzl_OW`sFYG zn@pF+EB)V(?c2xB6p{EsE7-S>RO?fM6|Qk)7e`Uv_@sX(-YN_Oq_VA?-Mb%x6|sbVaffmf8!wb!f||21P;8ma1G#Qe_kVGT|^zS^ZK) zF{!wxu4cQ=)YJKn;Y~|4VDb9*QhhfuRCbvUOVlM)=vKmACr%11v_5GfMYC~W)Z^gy zrU>RfE#fD%H2|Keq)#e^OYeA+IAGG*UM&DK8rIp$aAh+6uwL+!ks~qyGxE%+^MDMf zkytxU)(m=#o=|F0Viy&H7?Mk?ACYFDwDx+lZYiZRvUJXXCRODw3+b0pfxdApcIitw zBvpQCwq|@6d(kq3gdDwK>z%UbF0g1&fy?B6+z`oh%WRhlCZyx=Vv30Ck}H=Q9fmP+ zUy$6nfDI2XN*|gwc|r94tCs>?%3R;{Pbd#{9nY!@ zC8(?&C6*e-qmG15@IZQRFw0=Xykb=X9@fpvX3X)0vYcl)C{FjijG|Zq-#P_;gG3>xP&MW4lL=i zt|O<6<3hM~ROypw_Irga(ztW7@Q@k}yrX)~xF$Io_41-V2`njY$W%G)Y^g83Ow~7w z{%BVdLh*Q$mD3rTnN}}OK;iP2F#zHJuiMD_-YqwdaVBzV!!ozJpNr&WE0F6M0{dEg zfF^Medk$heAVoD_HMtA9M&MfJ>9Lg1piuEm_`>UQYq`UPN-9ejR7zD4k~OmjgmB4{ z%chA_-?))(3Zp`lH&iJ_A{kVr#T`%Pmyk*<^Mv5P5y+cR&)(0lw^}9ir}aV3!<_T1 zid!Oiru_ATrGb$xBc;KjJv1~j=nPn;(Q#+II8rQ)4iAnD4>wFOkq}3=Gt(D3wOZMc z$xR|~APMC8PC~&cx>H5|jWmULKIUI;-C__Ve#sZYHkd@j6kt(DtU1?-w z^p(tvFLFf#CUD|#?=uj1|UYhNVB2J}26n=hhz zu==`Gm{g(uVyZ$*=sC+7h!%9r{*WhWeyvZboFx^eNd=urDqR;#ydpxrDi@PZR{1Wi zA5%GXKLbldh4Ks$t*B**pj_Z(r7|0(&McHKsqJW$PihjQu3eUl$){cEY1Ox&#VAr9 z#I)92PdUoAXGbzNhP}x9vuvb#7}k%cE;^eU};URg+WFl1XR0| zv}uUrMd5QkPA#xA@R4Emko!2@c;QN%I3sGUInAQO&4OdsNS&jiuMb-raWnL|?H*a4 zt6ZKYdYH$SXS0lfY~}Fn#x62s+f#;(XWeiOvNs(Wg#?#_1~I^ zmsDE6Mt7Ilc}9n8q98z^7Paf=IdL?3p4aKQ6bH?i_=eV^=wtK9p&u(jbDS)yx~_ET zGa!C>_390-YDid~T1T;ZVTv2V{n4brOgAn`QNGzjCo(+LAI~QmW{Ok$ywHZ})2uZw z_ZCvtCC6@*Q;x z3b9O3J>}b>ZjSzD(H$?=(Ca9qpCs+sx}mBvgpEz!(Bu(U(CQj~84}A*&3| zWtVPSr+YtTatp7*)6xJ@-b7@G8z-oMOO!+FB9_VYjNx7$o7#zYrq-Y ziYeJe2YbLIi~O_tEQ%_Wn5)vo)_OzKYixJq?hzF?d0Y~4BDEKZTYH2=ttaf*&=)Gp zVhhj>wskLUgY&yA+vDy89UAg@4f3>>*Z)9|EWTfu?zro?H zckln(fS+9V|J}X3?><_RXdq!uS|O)1QALVl=Mq0S5I>{Fs|J1vut(#HArDU>Y(%c-&zgZ_*>h&iR|5vluOla{g?X>mYp__qTJ7>; zC!-qO5KXHnm3>SO!_6y2K>(Ceo-?dc&7Fy%q4npz|8AEXPMcxXDmkW1KhtsA&AaPh zClu^38E#PajdhP$kGYjd+^LQGP3#4)!(okESbsC!UdNiD4X>GH#|mo=FP}qRGJE`S z4H9d{a?4h+>@>P_&Vl+ydv$SJ!ARczRxs1|zNt_2*Knhd0YlUEjK+6O^_zzr$4uW9MI3B9H9$z1 z_cAsiia`nlKG2UTJ&SRcWeCKJ>6rPLwXM6>c4*UuCdlFm6i~j8kI$(yfVRQ~t~L>C zX4MH?-|knC8w5FSWX?EZ1rcLtryx9C0Sa+T(?CX!=SLHhd9MdMAcksr=N8^#1cZS%4R!0%ueRqd z1y(qT2PkZ=1_u!~3DF1+n>nC4+XY1mNf}Wz5m=Q9lDQKEKmme)Xe|6xJb{B6;iMmx zZKU|X!Br6Jo5(IRj%TAnhGQ0^iM%&#?F2B1T+LbB-5~N1KpH)9zf*CphNpkGFUmr` zkJS=jYXnE+wO1_SbdW;=G4Xj*5l1*Oj(8m~W)N@H`~Z(lII}YExY~~r4Tl?d13by= z7729?)h3JL@g| z)}8cQn9RWzWX6l>TTD{#=DH#WCqm7_LXPapMjw{vk{s3bU|bKD5}%`dg-zNO)o&7! zNa|pkFcLJO*@^YEkTjOk`i30Cfc3$U@)MLypqGOINd7`%B|zdK{0^TS7o@~%0R?5c zoegOJ>KMsmWiZ$gB3O*LcEm(?W6-(NN{V|i46Q>BtxcEr&X*6mzc&)JEHyn}|7A^gx5kChfW9`P|!Zuwa- zdps&>kUCBKSDpx%$E{Kg4S~Qx&)m9}pB$XbA=N(YZ4VBUQqpDWbq>xiq5Tns@}b3`kae-Qgu0 zJ1FjP#|XInq1)Wo_Ak+BF}>V_ZZ1iV*~N`)`|^t&FizRG>^roT`37%uGuyv@q9p(w zZfBdLc5g%5za&EWMfH0jO5~wLI|h_fab)J#{;F*cP3vL_C~&}TR4=L&0Rw?kivmvu zuVBG)WL$e^*F5Y8YYe+$P=)^M$KA*&6aBiS2^UIL8uZK>lccd5k#IxmLCv9 zUvaJv|I4yGzJsBGPg+`@@=ArIsw4Em8Y@l|&;$skQM(00LwUHus)I=e29U^v2F20dzly0hFQdqD?an!!X`xa@aJXMY1B==RD?yoM*t9 z2LK4W3)F&&0A~e*a2DwxE;^&k!#-tR)FypYWI^fd6G}J_Q!uI+!X}%L34oW*p)1=7 z%5!o`<(}~=)QLE;f;pq?mn80@p)_h9{*9qG}z_dH`5 z110EKhItO44_0`P)uhrlQiB4uAww`1fh#F~RI{c*B9tj1W8BQ{TTj_9F>oL&5-3nQ zK=uOAuJzDe1^}X9CqfdliA1q0l?q5-7E9ziMo%Y!EcG2sh=}2% z5FM@~iERmCVfp(2hNN?y#eTJ2|>Sz_SHQE6jaouQ^6D=R^iD) zg^+p41F{v*gWhK2@lz0ai!-Py0>O%pjSPtLc2(aI)%*&~UqXVAUT`185o=5FnO_1+ zCd%#0XfV1;!%0|y`ZNWp_X+s`TD6f9kFx2xOg4+7)-ZD3Hs}WhJCKkLfilP}As7SB zZ_6K~&=x2o9k%o&@)QWIRPSxYlG2mdcK`AtI1>pj$L>H`N$*5L1nS=X&Da%tv+gTz zzX>_RIPG?nCaXh;vP6ty+7a0}z!J&s-z1Bq^$Enn2R*FKXtW$YQ3bJWPIR~4oVUF< zEwuyBU)EkE;N>yfhPeH1+yt>Szrn1@tMcyf%(%O@8mQ=CB%U-9zkXpfOMk+ru$exE z&0}?Gv(`j=Gn;HRevvQ`2~UC6C_8VLY%M;NR?k2J&RTPPy0O|p{W%d-P$ep1?wuX? zQ6WTZYywpx+(ZGIs?S#8eMXCKqOM#2F`hfQ@JtFr#h_A)BK z!W1TLxfZx3F}c=FTC7eql9pyTta7eWcD-pF7r(%_GMhx#0ZuVru%t-Uz(Zh@Xob9q zz6#AAQv6Kn03l<g%u0v`5C5V*UsHtj^yX&EzJn|CKCq-*pDWHP}H5Ya6;Z>!`T zdXARhz2vb@4T4qrc-%5LS015}m?viRM$>T18G%J0vOa&jPh=Eg*WzA-VZaP(x75-Z zrXdWr3=I=87F$$S%@BWkbUF&nifU^5H4Ir{=$9zc$bvPknV_kO?f@WXp_vqcz~ekx zKXw<$!-ikPQUPG`IXxK5h%guh-)z_59l*|2QlF4K?`5J!BCT%-To8o}aXO4ugFl(g z>s}9{^7`^oTlD&sc_2+e)-+4$P?W1c$x3U-9W9{^BxApUQ??$X>W+*Ru?tY4;MYKw z?)V&g=GZsO=n%{26oe)iqFSXII&4v7PDEuZK(QK##6&nG+GxmoxE0i5sgwag5~u)^ z&?i!9X5TGB>P_6w&q$vb;$`2Fy_|eokm>(u;RP1R_kcbtqf;O-!?G1l8u3?hD8v;R zl%jvG_?TEtCX^y10jM}!R{-h($;tak?`Ob5b5s8&d~Q>J|EBv*)=)hl8o;l7ge)uh zc+mm_6dn4jt0GOcH~%0aTMwwP2x} z6Kz~K=M%C?9YS}9)7Xg^1Z)u|Gw{KT&S8d$8(10&wCv`xhgFgUJCYpB)1)m;CL$Y^ zWC%dyT~a!@DBYs$suV&(ttYI_y@hDDaL$84Lw6qNf+3}MxS|gUSDOw98Vmp{AhPj{ z_!#J?;z#!Em>~s7OeZW^Rm%7)Px!!XlXO_X0A&yd_t8qMBAEP9jhAQ8wu#cJf{3%j z{G0CGq!B&&xU3S(-c5a*%$}N-9PLwHpdpe|d;85t{J=rIqCmM|p6~Tpj)P`7!yB#a9k#$S`ti z45oG_PbL>Z$Ee70zO5n+{3u1jME#<+54C@fnahw>5591cz-;2-5{7LgX_IF-aK=HR zc`O4IffFs#yHpUNhGtE&<_o`Ln#W)w;czB}nN}ogQe<>dBob~88DRoBqzQq&L}(Lp z)%?KY`qI!Ecgn0US<+!c90|IU%qkPPXP9tGyw1`NA430O1&(c@TUj%{YqOse$sHa* zoYu)J7Sq^L%N^%s1F56I^^c=}(3W2zKW-IAr&>**TGbHK?FRxvA5gLEhLij>Soo54 zYKR^Bkc((jD>G9oL+%j?o}#ikZ$HdKs9{*b9I0z?sk{Da!kbDF2|)gxYjBx%DI~32 z4xgEsohqf{T?3P4K;6o4y+Cgjr1NSNR4J_Kv6c_^9#*)eot!i*3kC9l&SKmR_Lhyu zIN6rY=a@a1^9=I%AYGLNwvjP5Co5sme@`H40S{5E#QCbu`7n6lZsMw(0&xNeck@1O@ z3)1+M&KeF82s6f*h~OmlY7UTq5NuIVZZPQC>?&nx7_vLsl|$eWdeGrS1DRv1feQ!x zTtPVGl7|6RIPwWLO~)Bx#bq93IgaCzd;YKvLLosiz;>7lHOq06S<6LDu;!LY5daKw zezQQTfy~An8e7Gz)1$9WRt8ZXaT%0LkiUdXTpMALho&`xLKccht?<|Pn?C_Pmh`ro zZ(DPi5iD@XR(@dPS)rl8_A#zL>j%@E4T6Unh%3w(D#XvzU{oU=VqHHNYbesFBAiZZ zM4$SEgGbq`L7^PMX)5#p0SBof@F7aDxFSk=8(}~L3|`DqL4Xk(Ix044Xx^kDRf<9m z&bTt|$0(KYsGUXWm3);=2Xa)R*+l|U+apj3>^QXOdWI&9NH?X;7^kjo3UQb}=F||q zeH44eOjz}$(Aj~y9swN}^c#7W%UCm&xWE=-R*n)_>h&HD?;>r9ImB8FEa;$;F8;e0 zw}cNh%*!X!iwg0HR;5X;CXghH8Z1Wl@B|avUPu|Ea!?DD#nL3mc|Qut?IkuGsaA0S zsrGY*&;;!$P&CbD&h)nkUnwD>h(9ex)cImzN;_x8^ExCF^=1Mt@wH4NAzVpvFK|IL z6~i6&1Dut}Xd&&+!a^;yXc4&~eePmzk9qL$PAM+qeltGBcOoxv z%5Ge!Iy}DB-r|f8J6lG^M}`N6iX-DdE+fOm;?UNClBI{Q4m@HW*m=<0{aB5Zz}%QR zjF|&~j00t>hP|jv5SvjM&)*&xyEp!PXQKAypfllyXg>GA?7hZ=@GmyH0UOHlrbF|= zAMe=rvqKLSV%$3dKrIWE{Rf*Ld}Q~ILq`q*(@@m%7jRDCX{$T-L09oY(iGVArvwWr z)#$`7=;9Wa1300oAbnPlYVJ6ubYhH!W~a0YvAuLYgbwfq>h)E>3~CoQlQIAkeMLO0 z@cY22g|WzvL-yo}A!mU|7m~7{0F*`Yh5);hu5@>QHtMHY|3BO6P7A>1{r?6>2M31h z`u}Yi9J<^8Zv%erVE@1GnY%2Hyj3XF%6zo{KeH*I=zE0HAC+g2>NSx$p09?N>qGle zE%F@HQ35$2=yL^g<=rA^?TK!9f#-1Mm|G5~19yh}7(TZ1F}=u~CPM?wO3a|JDZ$h7 z;5U5C3Gy}u%w8}y!|Kw4$%jJY;TmxHmFDp z22F*I9xsTTNwr{ZdcFDL_3hJk$MezJuzwnB@D=K0QIx=;OPJ#72;zi`dRNW0L++#o zXKP{=eg!z7=431-thjc~oLTuZrtkhN^5O{^yr;d8#1!ZQ*pNs%+z`ZR%m`n3cg781 zgJArJgOxvfp#Xbw#t*!ecY}DwV%eQZ%wSFfuTD!>ZGhb*9J@jDG$4k$-f1nm?lo?@ zSDwN|XeaP1oi;jCi-P~3Sb5i>C`3LM5Unt>M>1_I)!+QS&ZFcsMGga;b-eO0K69@{ew%Lbl!~33TQi3WOCN#jo zyc-wG0W|Cao0hXtr}2CAkzhgsYy-P~s27?;VRd{9Fl_UnG`#J|XAGF57=iV~L@nE) z;e=BJDN-iLyLLGr%-yX=X_4D zw~fV$NyR!z8kcFAXj|7UIZrPxJA`*_lsg@0Q8f&9X<*V&c#eShNp#|x#s)jn94d1t zHNfsS2m3`st`1vq*&#N~lHl{C9rof9V|ki!ff77>VI4Q*+F#|~6V`ZQ4xp{^sBDj~ zECu<_@g3zjUsSJOCr2H#H*WH#zv5;j1m zh9Qx_S_6_#cj(fnDfy1e-MZ+VRDZ69??kFs7rj>B94h%{XWgNq3Q!MNNvJfb)=0Hr zaVK~yHpz#nDH?gUtBJH*7!V>E>~Z^L8?S!6WqY_j@AqarA#w$Km zqtx9ld#);XJ0H&R5iM$h@s~>PAgqzFVL+7&LFcr}}Zh6w2w}X)uOH z2TtAY=j`XxY^OjhfRP8vS;&b_aMZi8t08}|u?aKAQ#l!veBiA2gx=#!!_hxO4x&8kJD{A3tp~=#fJhX5Yw??*Y~T~1@sAHoW8EGSZfDJV zR!+frMTI}(Wi%U<_eX;YbCa+`Am}j8%1QPf0 zN&8f=|6n*RvQH82WCtINn@c|y0fWluQh9=ht)LBs<_u6bc0(XvfdoE(_Z~dT(V0_? zyy==U+G>6!pEP^OFWc^zoIaJ*Y(1bx;o=+dMm9)~Hp+mqQ`g5vO>3y=4C$&W+=33UyghqzEmvr< z8@*iV3$5J^?|-L%n#TW~jfnpb3=R#BX2k!u+>QTlz)!yTf3EP+p{nDS;B>Q!MYn9j z>3%gp6>q++SPn&Q0F3p9UiBzado#P(U#2+W6hZmJOx{_{j>GGOY{LQdH?^u+ivB2Q zLDa9Dfg=^4m~~uAu&$XlrdQ$1KXE<$)U={;{2PWnAc9Tf&Lm2B%DnQ+pbHpQIW!;Q zPce=+<-nVGHp3_m9Q=GDOn^dFM)hLWK`8TjoF8@E+R8h4c1Jml&Rwn}oIQOwh{6Mp zR-+YaPUlB7$DL<-7FJfnqS8+1Z<-ta=lwL3|Kq_%$p2yZzYO_5JbG9DZ@^D3`TsrR zd#1V5ug(Qj`Ssr)n0QfdAN(^4!k|2ZRdEN(Scfyd^8SpIJ74S}Fi1*u`C@w=nI>jO za-4|l64lie)8Flt4@v<@q8>6gCd!tJT}M{lbItqKmrj-|6KrpMA)RHed;kU#0#>nt zVC92c0(P&8jYlCaT+aeoc^^w>;(-gMA7KqV2BN|CDowgrV+MF<h7JpnHZ|c&z-T zX0Dv2<^ve{!&*EnAb^jZ+}FcqEEeJUORf8BO^$BT-KbHRTrge{J02QfB#FnzouIPv zLGEi}cXI^FcEeu-ouOsyhA>(c(@Q$KEw-(cuvRz9G8|Y=$#xsnAY|VuyVp^7(qSoZ zK;R1=!A{*s0QL9E?ufvo$DIF0_sQD6OPwiU3orp37!1b6vhgCiTXD*&SWz+td`uT*!}td09zf6uHD;^#mdh+*tc99De~3&D^K_Bx`< z9sVnD0TKj3u&}!cmWm?7rhvu&Rh_6Nw*bk&P$`Q}q#;EX90TM)k26k*7z{gFRaV}w zp@Wf?CV9oI2y`{Sm)2}~FRhVvFRg8n5ij|}Y?38s{M>hg`aHQRd|+0~$dnG^tD|db zcj5IxQc&BQqd4<1W>mVU)4eP`VKz=Wr&sEIxH&bOS}95Xu*BNDu4zb5@iwD5x^}c@iIX-e!w7jUG2jR+Z|fuu-rR zs&kuqm4uk32m{Z!vPWh6)_LO0ZD|x+=ETYeK{;YP_o+g?JRUSY{wixBj^7;^zOg(#c^(L0qpCXisweq(b3+=L{ zrbX4E(=^h(RyIz<%{VHzw}Yj03vJqTcJrmDA;_Cc3g;p156Gmd5Afmz6IQKPPjn=Y zl~kL$M;NW_MW=|uVN9yj)Gp7aBN->EmeD!xt9%t2UTRaByi6+~DtP`|NtkfcKCcyuK5If(^L)HckPS2&V=g~zahn8iJITa(l+)hbJ_ zlMJ_pm&Xd@FEs?{1_yUMLS^uvAIQEF=`kB!Et@qaU`E=G`r(!uvB{OEPVP%*>xgNB zn^t&4(>fF#6W89&>e|`#__ltChnWXE-%nfT41-OrCtA$;#^wa}W()g-)`Y4cUc$av z&B!&A*d&z^$?3$V1}zwVgfp`JB%K>HI(f>lJx0Z6C9#Yd4=${W_r3|{dCy^t_BXx# zROY=p|9PbOkczq)O(CK~;z2lh;tOAUWr}ZJG1-XI0XOYUm^bNJpECrYTxP6|TwBg* z^QKAfAU|gE#Hsi}DK}$U83RdQDG%6hs;4Y{h1^Z8ga%Aa@L^mvppVD?G$A)a<#{E( z70-|vuH3Nrf`Obt`9Zm_iru>z+uOhbdhox!GBMGLAx6qm+?x|&xyH_$SKV-Ui9WIf zW1-O<*c%L9kX{-Sq^-!gUQd#Bd$B-d6XIYJ;!u1%CRkW@^V4D+=1J2?YkpP20e7_`Rp_yZjw!K++^#aG6@#jP! zti!bJBc2JmB3kJ#>AT9$>ur{oMdtVXs_}N8FD@S?8NryzQbA+6xk>*$8hMno2Hf( zQ2ArEO@3rlVYL>uXXAhmN(l!W&J$RrBsNG7w6XIWUPh$d@(R0l0If7M*<7s5HA~tg z1#`xU@Q#ytk)Td@y~eR$M~BwXl*lOTn*u|c4ULGJS_gD>12%xick^bEqib5;Q5t7I z!;VDcod>-b#YB%vvhH1P28Wd~ok+5-H;2{XiwW1#pDn%D1*6Ur%BdUZ2PX*y$)XyD((=}kRM{s$P6AL=&f?gn)DFYK*fn4bl+x_ zORvp$@uC^jT@<@Fjsn|!isRJ{D14jT7E75yH46ADZ=HmF-yz+59iiPu7sVp7HF!|&r0$A!YN<7t={2Yw z({4YdAd2342yh@q|@fQMi$p% zc_ogD62FiKHzfmM;2EDXt?o2l^T5)djBd+UjrdjDcQZ0mh-4Eg#b)dQ2+vBK76Clh zGwjX$uF%g>3ofv)c^nmDH=w-&{-uztc!K?b_3Oxc4=t*hj^;X+*L9E&dvm=uDDi{2 z4y1zSR%#p0h6`%w7D&ulz!q8osE|VOPub7v1dlU<)TOl@+)t}tPzzi^Nk?`RP^#YM zl@HjY5jIF_1>LZ&ImWK^4Yn{9EFx)E0m;%9Va$6cXW9d;AB98+z*+9f`vFRFm*|r+ zOz0jw4zAG^o#cbfNfczFAraJSl;P&iVBU5pa>hjS{LpN8Sto)Ud6}k$36c@WKm@ia zJBtoz!xS~6lxu0LQrCJlyU`7vc2RT20DFJyrwR*HU^cnyU~JC}Wy zH{&&%sib3Gb$xgZ))rsH*+V=?HHj;#E8qAGN)3 z%Bf+sL04Kp%QW68bPY}iju+(%B*~7l?Ei*y4Cr#kA}gAQ1CagNj32l@&LOK%z&5Ob zRXdGKG@~lsEn|jNyuHCQY2Bt@gcV2d+hlFZnX&TL_-N~zw+N^*ptKuHo5JGQ>GD+c z>2t6q7ls$h3un-!jTrQNgIYa%ahkMTZ{DJwT`-qF+euMR z%Yq%b1T{%^vCckgYR38WNp!7LBcM{p!;SRe?V`ohB#~|bV`S9r?C0;T3Vb~U`ws6k zs^AIBe$lr9q#gyF4Z}xO_@!a#4kHeDU0}}Y?Kcjb+DOwf1rvrPG)ol~%2Pr!Iw3tJB1ExaHbrXu*G>`wa`V5K(`l+B6AAO-^2;ldYS zv?R-K%y!CejF#m$W>)!)xV8-xou&m22mFb$V_Q?Tj6T)Cy)*7-=Wqp6j_rD|PB(A) z%>h4%rY+N*H>0o|O*l+aH8+Iqx4K_#gL5$12JVzK-4;mKmWmtVQsq zq22^41YRjS^67}7_1uu;g5>xXQJkq!oBwYNcs#uV)18d#Ug$W0O_)NT?1beTHXPICDG)Bj zVBY8R%ato?zrcl?ceSn|Aqb0BiO$vei6H83-}2S~U|+QWFinSG5)|x{2j7rz6~!ln z(#S6Yby|Q^-;Cx1A0(j#zfJ_sXXlWWBKb6`Q$Vn;LB~lMQ0lT{o|qFvA~4+y{9bd) zMAvc*D{nQ*KA)785XMTDD@@`2M{ut5_Op!kT%e4um!9Y#0NakmBpuP!KCLPsD? z1qTzSS;yVTvoHc8aoSy{08Xs^P_t#L+49zk>_dGyM45teKr3KCT%rt=2X+^?u;GL# zQ;`*rOF|)lHH9HpEy$rJYl^1JK3WZ3TU3L|)I6{r7T+WSlS^v9_T%Tk(oTiMLi!vmt$Y?6XvTOL_- z)p%AA`t~wG%bJV1)G?8%FBL#eVzYj4QkrAR}Gz zl*=X!#zRm?bMt1&{}dH{w`9qP6)`F?Oj#EY`TR8PjhQzqK66+ijV^;)KPL5=p6A3@ z^(o2d^<=^~#Z!`!x`+SdxOwy6o8qh6AZL%8H~T$3G-*e4s+IFGdb5Fa0?DR|w$t5P zaF2)1Dig7RGNR@ReU?RHH`%oLMESDZTd>(3UQ@dhwb;VE4ak#;=cM(3g7evO?AUiZ z=s(`ZsBl(D+H_I>|8d|?347czX9Dt0f!5|$gnjB)Xu+MOvIE9J`E|>#nQ+cYz$VCr z5SCpuUI4Vnv^@t*1*UZMA|fgF#+2KkxJZvGGNePxoB^Tt>65_zDl_`Po?U$;1q?Y?UHA{J z9`fSK6S)2S@K)=S=ey%|eT8CSYN4>gc(%Oh-y+SB>|9UR_OVeuTDB9&(jZ_yTXxYA zO4Sv>O`k32lymD&_ZHz3;H_Xvoo~%jy^-x}(*d56AljshjMA+eFG;0&yXrUe{08C_ zH9!{609vdhs!-nTpRuM)+n=yLeGz^^o}Ra&c?U#fWy%Th!un}4ry68?OZY(kB$K>d zvkB-^ch+LhQJTtl}+mf>i_fzf`E7VLNu)&>3H72n%!%A?;$?nStvvP^x%0wuuUXS1DB+2` zS=>pK;jt>mzk@7gP=SLur&(TkZUv4scs2?`b>jNKTYh?1`{9Jv)doXX8xT{OJIank z%gdXdEhqP*c^hLlp=&es5>HqCd5q}XVNA6Kpr2y^84p#E%8MA|RF3%qVcf4em=Zh_ zAGGRGpd@5P@+(h^!`(;q4`jZted#v_?ryGMcYm7Z|3w>-{|6#vC?o%G%i!JozYX|V zfB)}M^I@y#2jXR(*fx=BhSQI5D?l_I50ao zXU<}{4KIH*Ym;tR0DH7c$$&fX%q*{5G{J1~Y&h)m-6V^(>UKEq1Y(qNzdUClUgU6i zzte;_=YmNCTFuIb!OFQ1WUM8o9bY*&MRzR~3~bp_0gK9(E;d!8XUEBdj!~mj#qXjK-sLVd^n@8 zxt2FOYWKvP8O{R&U^+NC0SV^HRX~$db6mi-xAH+{<-^*#t$_MOsf>whE0@b==uayM zYGP^gu*)VKj_|K*fA%5}tW~S^n>&o;0JW8i@IIodV$B0Gd~q7ttKT??EK^3100f{(cnphG>hiD9*!Ih|CCRV-tgC&rzwydvoN%5o&_T*o z)-Wh2@HQ4nNkA5oFXHY=X@ zJwGI5ASXI_RwW<=sP8lMT&*4YSRf~y8b}Gb<+z*BU2BTF17z(- zGfr*VnMb)EqhM;~vc5Vo@nulH6?#P~JqZ9jT!})By}Lewj}7JFwD>2|<|w`q!pq`2ydv434*>tOJxU z{c8^>29=eIHq+0!eAS?_9=383O?A0jGl|?UXFhOjT$68uiH}9l)X5k7`bM~x!G1G> zsih~R?Yu7p9S$bX>eClM&DihjH0LW`5vfc#JV5PrDgByejSt5H+xBoqh~ zJ&X=L?}qi>0Xsec@O6LkL>(ll`At*Q^Zf`@t)NV!w~C^}*Q z(*cVX_pW}9`#Npq+WtDwc$s$BxfV45uH~~A%bBZzneOYfaqB@jQ(3nifOh9?r$T$3 zQ#%0YWsJ4ikYMd4zDENEpAZ^BLD$X9>AV5dC!GhI zM@dkDA8d!5>=G*6I&ucUldumn=*8jyj^PMjjZ=eN#a_>-qtVvykk6o7nrR8XGi%uR z5nh@ELE7yR{9u{~O3^Afx}!-TS{c;-^dZe{VN;!KndfkNJpW2X5|8L3`kt zj7C9w$|57c2chYT7baZOcIB|Xx$-_Xd&7IK;i(=MJE=~TozUsUo_XuM`WvvLvbQH4 z)g%F=2rxOecSC{d*!hwJU{T`kSppt!lJQMzX2ym8<`NcrWJ{e8a|#h_GnmZ~j}B-G zT^z%zn+OyH%e1Jux9J*m=@Ouh(HMbjbZmSD6SrUr58vbKjRMCEs7qc*SB|zukYBAb zg4)k1$V3odcd#KSQd5}@VhL6og}zaXYE+^@xU%5)88?Xl>@Z}C%fCXvUvbW?O~##? za&;>@RJG<^YI0NZxl`Ue)#2LMiRljXDuRXMnj%mR=-MqgrDyw%?ik-Jp7G6!6^3rb zrv{lQK5DdWZiRCCiFE3l79DcUvK5wGOztbYMJE82vrLs7jd~aLFnm-;inyV-{QDa9 zE$Z#Z%@_BH!!9dmL7)&S0YnfGSjV1jRaC-DKkHi*S$Kz-rLJd$;b8yw@DwbPxJOJG zg%$oAW^STOn;7?70n+q*11QwddfDP*2nMnx;}J#zwS42+7ojhn?_zUfs1OLJX`h;h zBP*~$mS)`9j3E-hOs!^3lvAwph`iilJn$>1Ym1)elh%wQ1PR^{j!3feCHU+~92)ZS zaoiR}J25;+0G|iXRmPC(_HmqW(vo6_giHXFYDXGKU%U|*zXD9TzD=?T0I2#v$=WJl zU$WNVART&KeSgR=V^@jncSHkf{bfVFTu8nK8wG4x3tag+2!B}U1itBdGgjd8go+Em zqztg;`PUKF{)7rFF9A=ekrdEA5_*Hn!|QT(T(9|c;g0QQlU@a9_5(yTsT9OdNh*{) zsjgay$q&2GGU>IS+|w560cdvK3ZWD=h`<>Q3Ibb<8q&X|NiZ7S%=6Chu(P#1^ML%Y zMuQ&UgC4iOShTQs9~(?LWuLFzNFDoJ-PlH(BRi^qCO~O5`Lc=hGrZ+2lc=Y74zU>W z6HMCQt(>Ao zKQhr`HB7m@*{W8{z{mWFgFUkXir zh?Cf--YCLOmg8gnmVp~3#>OMh5#z!sA2|J{kiu2GC_ZDQi313u;3!G=h(nhfDaP9= zbPrS_9K6W~E9bahD(~-vUF;bI9urg$_=X?=y316eJfi$wZSQvgEzM?MbgoqRQs59h zp#4T|$Ky1yT$yQmEz^rci>{EUHZh+d4~yqxCcswLq>kQ!YwGKu!BZ&RJgYsR`jbS4 z8*X7AQ`7>r31BcSB`sqYteVy#O5tBxBYgaHa)W(6rsbGj>p!-)H6qoVZ7kjmP0ybN zTh(&uda8UGZi>>B;;gsc5@v0z#&<27ujRagmXu`C&1?;xG=dsYMgY=gMrb8%XTL{(tx6G@ax-8XxHIQ95k44pu%@)b zpoD`8{i(i98s3k?=H4JG0G{Rg+#xMvN%O=yv@SY&IxIFuy)$%H7Ni3s(h&7zcpJr9K#kg-b^oH`>Calgnk9 zZ<*s(NV=Fsv+ITzoU{?vL89ElE06FH=r{ScGraE1icfQKjML@jwnLVZoSQsKY>a|Q z1h|wF%EcjrVONm7n=OR^q54n8@cMP#)nZCaz07_IOqNT&-{`{o)cc^^pgO<~ujB|# z?mADITt`B_5YVDKS(}iD143=U8U;eILBI_UZre6AIIsm&&aJ~%(Y7^nVee*F*eueN z@%gsI_~b^al_Zm|^F|wkiwp0Sd}D{J)o-S#&7dnrK(m*dF6fD$cl*s93By~`5ZG`@ zoe)UHND?QpBGOn$V9LkExXDda>wz6~D^=H-u=4GoWbOD?beUU+H`8M-L%z(%J!M_E z;N|v0w#YSBttjlQKVA0F9{cLZG)WKN_EO8vcr9OMWD=MtEV=C7)kICVR;mr2Z=sV> z4VyOr_CdZ$4Yd7a$s`oo7KT+YPFxab`5Fw05PZYY>X=OTcYuv%d0y<^2hK1PPJNyp z3^Te)wU!oDfCQP|!z$PW80oWaZBhxYjxM@CD+dKE&x1{xK5II;&+2Rps2CRZJUwvp z<-we8I0^cxzPR?2Dl-6y!z$fgV&jqfNdZlYN3_F|c~vcU894!)`J2cN`LZzE+>uUM zBLDFEdYkNedd2OhakjfbU0iaj@mr8OSeY!_+E4vV0|7)e4)WE_txq%>hMfw5%h$Gd zM71QF0;lX-HtwWb3sd*d=SmmN098;LnY83(c1srik8m#BA9#%by4q4Pq;(=`9W%Ej z^jcu8{T$Q`*p(w>~?%GL=B)xF5_~fz3X9k?@%-JN5|nNR*y&5m}-|b8uR&+x0NKM>dL_ zCJ%nwo`vib3|GVfGoDQ$9<)EaXS7@fHq|Tg%_bog422a8FnCn|N3jX67@mNkM2Iq7 z@9T2}-ZCimMVypKLIUgFx9ilzNBoE`&~&{T+p#sgv%WT$FGm(>G4gmNq>W0v&tN!5knR*SQkbU6Fj>immkpmt12hPE$e1N97m_fJ$X4@ zrYJ@j2FKH$+!^kCh@PQIm-!l#Ml2W8MzgZY+Rwb*!ET1w=_KZYN#Z&35>5SJA~zK` z=)j&`ajZjiYLtEtL-;*}i<`2@khRL2qtNdRFUd$q`zgDJ)v5PwK~AG!h-iC8SJTJK z2H}QXkjBRgrWNvK?g8lKPUvl}sS9u2TE3>3xBw7eW#UmWuL2L`0w4wZxyk7~5`}WM zjqQrLM>`2@OhJJM#0lD@H72#oiSk}{jI zZ)3$bYc5DaJ)naJ6AB5I6t){$C~<1M!8={h9e^D`D*#-F4clXqTQZJ1%M7ekuS`eV zmBdO&EiS2Uk1R!HqfBFu5R}*)7lk=z=U|YM5)~14qvfKngOm|)f z*lbq#v*U#ZbvP5_fWoM}K(2=;Jf0;1hIimY>et9eh-b-UGwiY`G8^J731@~>R5dj( zJ3!Dj>&q7BbeV8-h|v@y!t@QKg~W0Yae*tGWRyu0`E(rNd=-Fd#xMJse9FtEc4Dy& z*?x=6y_pE>%#zI8{SgD;Ko4+QQrl9Mdp1cfvT+NOsR@im8>@7!mG_M(j1xyak$U0? zrfambdRD7U4KV<0ze4eo)Bz!IQwt)zm)$E(`hgw?o$;p``R(`LJmMusONv0B1})`G zH_pEa?ZMEG&|+xWj}^3W*N#eVoV9F#8K(&kpQMD~JK2&GExegHr-TyXJdtsTR)psg zKN&m~#~1LS)NVvIzXHRR$i4wp1TDa|THH1|is;)~+-{8z z501lOzHOj5IJC8-w(N^R|IgxmS;}8O-D(>g#chvPFq>Z;~HTG;mB}M zQE=3;nIN`W_K-ceZ9BTxMjRlBVUUp91~I*5a0pn}NW2U4ca*b|0-j?&?ER3T+C%_o zv+Y>+X0r#Z?V8`4v4&XA+d#EjhaG#%7Hf25+$nAw8X0m1hU}uVb-OjPy=0_c%~E%wuFrkACgW^=}hgag8K9&=TM#~B_P8X6eJYy-yz7PSYqkAvk} z!v75FLX;0p<-=fF%elrxQspC$?AV9hz^YZWfjl}>tSr9d^O_wmV25M2ILZk8)T(o= zY<_U}zXKL_?%%ch!Og-V5eGgc`_s3F4(~X8kZj;ENrBFam~H%~=a;JS=QY zi3L$5E27Ia{bJdvaIWOQwymSqcDpz*Fg{X3zqvDL4Ouo=DWzd+Fj@4XCsk;ooHN5& zYn#+k193J~fW&-xbBKk?3K}2S*x@D)L8C8*w5a=xK66u81(NEE!eEp6kE1V{_rh<4 zIWJ)dhYtE;$Q_nQDds2|^;eYvXXOgO(MuD7A63IX%&mqagy(QoQUf*(N43tSEY{G$ zAhl4`0TJ{roN_RaKmq9 z*PDios1*G&o(W)IRPdu-*lc_fhw(wB90$!ka_v6Pul0>?*)lxB1C}>~*%yVfQb()= zPgl&OkJx3gDe|U0(5^R`J!D6i=DvqW1;bnj&jS4iQ!08TP&B+g??j$?0iP2AVy&}j z_ik2IH!*RdPex@HKX`b@o_%Qt@D3$aKrawHn^X>_T{tyWjnw}AkMJi!Kc)IPqvMu^ z$HLaFBcr3k7ABNpZRob`gZ4IOJfX!YK5uq@#{nX|;nPb@*r~K?cRuu~WA0eV(sOq9 zx?c1cZjmAD>X1ap%5hCUs`dHfeUwf-XZ8TJz5OOwa9oSQgS!P?#hb+2A4-5%FW%Y(FNKkL03L^zKwFxAki1`hzvtBW+0p)-E#_~ZJ$mcJ3+C-- z&fI?M#aw3?zVh@tU!Oc9$N2iC6SvNtxqV^@KECztRWat*ublel#k1x=mlkfFd-K*` zKDd4M*zGe{;X(D$E4Q~2!%3k5?T&bH!qpDUU~@uJoZ=fpBESZ zxp0Dzd-jFfXU+ly`IgF{wy68YImKeLs=SR`?>+nVF<9wo*vAiUz5NuybNsLH$JZ~P zuG>fR_Trga&mJ|u23mOi1NF*LBVGP|`>m7OE4QC`_Uo6=G^+c?$!~pfO5ww}b^QH* zUI4V8lSA}~6~xH9efGrd3zuR58rFy#w_aMf1zULnDB_uSZl66PR;O0-@|j!DpSbn( zOQ{-h$p|OlotJODaGK~oqh!1uf0tlqPuzauIat$)+pkRIy5Td?* z`2)4>Z@mCqhuePZ_$9y%Qc1dOmx=At*T1`T>*A%`&wPm7d-|QcH#{Ix0M$>wLxl9f zOE}7VM~T_bFWf$R>g$)^?|RiYN{6#Aqa20Jy7l~Pw_iS`!SU(~NN=}JoVxW_;Q04` zhXk4gj6^QTUyU@hn6h;My#^y?D~_2a$w ztTx`8&(dZrECJ60$*IjSP@=!P)Bwo?qM z2MOe#3%^GUHK*zZw>~fh-hS<9T^+fgO~u49Z5kQ0Syxg{MBRWk+piE;Cz(XRttb9) z`;%PsXlQx>9c_|6uDp{NngIUjgIgb+`1-9=Abif=diT;lFFb4BzHl0jVr=ILc4_4Zqj;~}3sgih-V9&3;gfriI?j3lrzMA^><8R_oyl!4q zwcIVhse^z{XCU#jFW-LrSgZ=&I`-zR%s|q z2?4x#iFo$X?U%1=G@h??S5>--;}IvqGwtzH$tq7o=gHG}>fQRopSx8+m~V2@%5eU7 zQp8H)PdsuuiE^R;(J3zyHDV1V=j9RE_&Al5tDEAZ!J>f@AFpT6c57w@Iz@3NaQ)X$ zFDX?|2#2@uAn4XIvL@721vWnF0Z8fCZI`{)ukGv^IBwP_QPTTTzZjn66=55JfOrY$ zkXS#tGLXB;m9<~j%36kbYvHATUO&~TIRs-|B*BH%skcs^Fb8kH@e=&=CamGjOJBc% zY@!#qB1yyN$Nq}!a|y&ZoDs+QtR}%|sBKKGtNlvWxRz8ZQqLZx^IHC~{w4F6uASim6t!&!Y+ zrRouHod*L#onA(4>1#&Zt@oF1KXaDFrPS&`Nq8I1oM(@MYD%{7C9s-Ew*&3+?@RRC z%O`Mz4;Boh1<-j>-+K*CI#xJv)o0CHFF*UwPo5(O#mNy@rI-V%`B$G(0XHv2s=giq#c43{+!u^Ek3&%o_hIA+7x0sUvgh)NKQb@81P zfbG{O-oA3_>p#4Y*3YeDCurmjoN4JXkN`jxL+a0Bt~7tfkCQ*^C7^mkJj8A$O|yTK zRf*RxiPHtOI<%1zT3!3~ha%W>`^?!}&%Dve+7kmbSaHs~80ui^P-JF}!>VDLV#FN( zys!ZBm2^O@tR<}nwqN#_1c1zhOEGz@8{2gwHbZ~=rF$))UiU_1L7mCO?HA&uCXncT z=j&(J1t^0@XDtquLTa1T(spfKid;!|GGQFpQ8;3+bts!s{CPTa;Dp0ptug0K3+=%F z+6l0AyAQukNp&Vrd;8RW0a~IgEE(qzDp{=0=QEXzhC^!`l=9L5Wxn!MLmDODzBZ2Z zJ1(65`nA)jE3z}eymjH!*QZH^6Xj>*j!9yu{ZcYiN{^p5*~+PNxpJWufqWL!#lNlt zU(zF|X{oOrC1QByjKm3GhXXgFz)N?cHiy)xhfh1i*^hJk)EV^B$6>LQ3zaDLiRUnY zpq6g_bMdbjuDEasG(Zu3fZxdX_m?YRjglNEr8;%4w_iJ^bOf}@P??TH4Z``Fmo!De z80gHm&OQaY&aFTHRjOb5L=q49$IG$N+oRQs$ zT`cce5W+;gA?wTd>E8NP#k3y-7TZj>7Qos@tedx9I1S1zy~2KOB!ROhh-f$lr&dXy zor6jKDk3ognpa-{+v)6!|NQu>Mj_;Qdm#>Syz}BMFt&uBP(p-^r^OF1UIG*D)(4jg zCX99K;*$8z(3C!W>I9ibXHMMyjmC9gI5;f+_A_s$EHM@N6$ts~g`>Cs z{3Zq8o_-hj&G_f#tGC~KG3h`Cnz--|nqL4;vMftUh6dGL1c!_l-+mR{n+20mVPv5K zBo~S}IGW+OMmzAI7p~oYeF0-?AhK>PoVoq@n|eSMB^PZe=?hoi(Vl<$B|~mHXil$R z!qC83bVncoU_|-C2Z&b=+XGh#rV?03!HzQLPbh?OTY#Kje~D(KP2u<7dcnB;DvF?t zIY{UVfI<2_v535O`}_$Ebu+$TFhKNTQdzil?CR||p1pPAPjsp-d;nW0{8m{zMtpPm zD&X+epD&3Okb3y?vl#!>^qIs)GI{WMds-3M(L#zmIXeIuDRXx&{qy_+C=&%CK@5cy zdKct2s3!khc#R^x&9(sG2Bn1|x%J$FaM%IiioLjX=1NL4YronoiM0F{Qr_YwLLg=T zNV$rP`^2*-3vun&UJ|5{0IY#JiyOu}BeX9mMUvEnJ9};c1T6DdL#(x5CMJM`Id1)N z0k%V&Oyr~d_5u>8f12h0R?8ca|GQ;iWN6FX z`=7p{pF5iWd%!Qd;pBHR|2JPU?vWrWP5KoVOQ`I5*YP|z->s3Hbmz~`iRub9ie=7Y zUFm1X%}C8LS1|qBtRKwJ!N=7yAR~U)K_vuOeBAkb}r(MVN zi%!XN9mATg&COyD)+8SC=HNc!I#bwr#-{9>*Wh1A6wFRSp}(!3+rhIQ(*bDkf%=B)ea zYo)pymtb~y9OtW_ifGugu&zx(2D`gIp2VWN7X!Z>O##thjgtS_8-SiPkZMmS{PeCO zVm%s%$}W9E?>rVLRs7PYC(Ve^>U?(M&ZN&~-N0nb{`XlV>ZnQTW50O_uXeENue_N@ za083+?MxZs)|=9ln>T@0A{u4eG<9&8wrX>@Wl{Lq@o3@>T$)7VS}eyv9N=%J4V$L{ zuyS$M1O)lhf%DlLWsnmUvovpoE|A90vVfGLWe&I0^#Ch$k}^c#%NB&IP4VhabnFC ze*(y{2!QIu>N$o+tbP@?xxtM}AWhS$u#(Q2C61S)qPf?fXgH?+9S<9m@04Q$>x0l1 z)H+vBtuTUAI1pm=GeK#3|rq#IA$% zBuk{@6ON?#%EgJ#jvIU$<1r4K=>l2!cGZVP+a7kjo1ZIA`+1XWx$$D_%ZcWL`KaUy z?SZdk>QY{9yAVWW2XJ6oppCdLo$+-b!QvmCotwssiNa}XKANJ75rCnJs2texRwOs9 z&6VbXs%D8rK@i9<92^%>iY;wun?8Ngn1^Y7KBuPmAn@&|guQ-dU31C;uIJ%}C%Nsr zjt)q$l@b$92P+p#Nbh#?Dy4rM{riu*f6tM?e8nXNidn{-uUJ)*4^w6pFajUCK!QM+ z70@c&N(7`y9Y1xw5RfKLP9sdn7;$K3T!qwc9wvcV1(pRB&8b_iA&?@JQwzl)yySTC zb_?Z(PkIt?d|a1N-^Ds(4*>l1H5+?m*XF8`A?`dX!e=P-LeNT`3F1T_#0eoEJJfV#k$`~~g{LGfYzpW%y{`6CqaOuf2z-EwVU+8Xe-s3X^lPA@Dn?OTIa1@@WJzO5F34E9Y4Nj7>|%=Ll{fi7A?_vzvRQtu4m1#F&=G zA7V*Xa+bV#&PQV2Cr5=<1G1^yEB`YBFGr%c3 z%WeZwr>nk=i#0TGzBE7Q z;Za381exgqcvjhGO8_fkme}z zQM+Ng7w`Cq$I!E!8;k+sl#Wx+O&)OZAgTOjHBPRpdKwW8ND#*c6b7mDD;E*L_n)4u zx=w1q`a_%V>xl)CMiCjL*p%in$*Q4|33_RoN=WZv6)47tW1#sZ6j*&|v$}Hev&-n< zN$;Sx;I{Ux{mk-bPQy8BqcE69+Y9-xV8AIL(TW3r9ScXS z)FhSHN}5!0Px=xtE1Ns>WcwOmzJY-{<)k2Ds)HSp3L&~h)bWP*IQx}3n1f&i)2`+t z9~jEowenUA98`qi^J>tOic17xg=C*NW>Ls0w~xpU&b1foo(&rV>h^(r^FGc5W*aD1 zX~F@4P&^CbbBl*{y1e{#&eiVX+t0FpwB4!A5R`b66_Huj2N{{KHEa75#Rs;MKIo-| zmx*Oau2ouNqJWVJcRKY&e62~Ys*hG=J1;|L8^I&3CTo{U+AkkDQctU0U2zBFcZUGl zF63ynCsiL?FrsEY3r0X~V+f($N!ule_Ul42HtddIU>);xg+SV`AlWCPxSl0+0%ZtB ziRzMk$AxgZCoU~gfd*wc2qlC<>IpHuauMV-tYjZvU_}1!*KDwnXQls|m6Vzz`$pcU z-BgsTIz(GNjyY}3BV4#8xKU{3NXK;|=w+)LfbwAFrw;6E<3Zziy2OtJiF790*S!xo zw`O=vp&w#eyLU(gDuk23luiO&uakEs;lu{1fwQm;tR8~Jht7dH5p)g!|I?(ffl0{b zrkemhZ%N33$eXU2QulT_3`H=0)RNi#QBBX+V+Vjqq&5ua zBm$0H7=qhGUy3S^`siVNi;(UhB>4N0unZ2lS|UiKCU;n!1}OkKHzh;3VGaMwVOB~T zf!S(v6?2-G7NK?xUmKE1Vh5zTqln(XqQx$pni!yfj6pU&Y#qA)Q1}W6;4y~WkX8`P zhJj!(d414dfKEI&%3HRfXB<^5Ft|LJe3mbw@qlU&pBPYf@?LE72n}Ybu`F4o(8E{S z#Nh%NC+O8;4+<(v`lby^KeC9QI29ysjfNgq`1UL{PEoS*mT3G!z3Q8_V6G@KZ4+^0 zCz!>q(LVbgizJD_3cQ2a#u<;-*KWwv4Dn6S>;fJTi2`c zm%x@0lMX&cIV5xO>RAtvucG9V*aSEPIyqB?eA@HEFJVN0uy9`Zh~o4FEmvXQrPTt8 zrum*1c}#JZMq)Ggw54D^<*y0CNa1W8Gx}JDW}vTNSmh%7*VRJN;}O{$A47>9RsDHi zOL`u)s&lL$Aa+pBaUL4#WV2N_G%=V1M5285?39#y z>&mNoGV&-y5Ch#p2!~sZfaWR9l&O$TLk~W1Dyc2adCLw{rRQ??O>NdKG3k$!Ucdm} zNgV!+=CsmNYG;-Pq6L}+5HX-2AsWypk68eyNfdoUB=yj(I;FWO*o;aPx=M|l2Lh%m z21zEsJHI{3`zV|-gkq!9!()KvLT8svs@S8Jc`T!qJpA3(z7Zx5~uSu|5UtXr94ko?0JGS zZk`zj321^6Q;^@|GquaL*jc(N_@PJH(^cAW1^dKA>C|`G^o9=`tzx5DosSAFf<1 z7U1Yzxfsj|ort!H4;pcsPd=Oc5mpjGnF4#rv&dQ%dBm_}r#1(hUYmpU-e>&d=pXSj zb+r#tin`o~qf<62jb&5;cwP+7vgxY8Cfyp4ZkVy5%M0WzY+dfktP8s!Cr{n{BSD~S z2S1VQgxCLYq`e5jTv!RNxc(=E*-W_Gg{Q(uEKp^%&nb|! zyMYu&)a^jh*UMxZHkiU>g*Z2j^KBJ>%t5SYbkB9{|} z)dM1BTM2rrNd*UDBVLEFfK{pkI_0F$1;81}vCfjvK#QY;<6usW4i16hRs>sTXlUD( z;`Z&^wv7xAz;}twMlBv^Mhm;GRh2YZjubkD zStSNp^e)9}1Ao38VFDA@@3gZ(kqD0Y4^`*0<47_RK_Kt>eb}_mUZ>9-@yT4n@nkl- z!*1)@xxgZKEWcT{0uOoQKEwDwzqI=1cl13v_ABwrK;QPUzF+<4Kw)^`x8J7_oLos8 zvl22Y5!JS+Tp6O5g5g&&>M~D`Z6tP#0Zc>%9xN`3DdB>P)>LiI+;?Ozm>-@+F#;+f z@|=QU&qmXMUxg3JZ-C(hk37{h5G;}N=4qU20OMk)9=Oh|InyKzjvRidZ(G6Oc~Rq* zd4hr5K8L^eld2`ZHd4#rVyn{JI4BnQh8kub-Rz!v zj(9>CF{s5FR2rHXN@5SzM=l>Vu<-m8hl|DSBN)paz)ak2g9Ag`9I(Nx!6DFfHB*N3 z{~flLBz7nj7r9zfdYMH*Lc$+-_&l=z$iBm42lk62C?g*t-;HzoG;PjObCJ$ZQI;qj z*2#!z`QEG(&@+}np*Oi8(iVxM;}!K+{K%^T&Ew5QiRGwzoOGD01yrm%f#&wv)eyzM zOF7+mkbvcEZ~=-UK-fegIRTI}4Lc`Wg4sX}6_>p6_&>Wd2$ujNRAXf+k^s})9!DKbz(e`**cpA?IwD$x9Z7FJV z<}c8E#nqF9V6PjP7)a(mQWfy$(3Vk}fx^aUEKnG=V4xGONcHk{#D7w+P(17>%a>)o zIglB9@-*z~q5xp6_yDOuR=*P{^|jI^JUtlAbiD8j!Yb)Ef66fkB2Jw$QQ5BgglMKe zP?sgKMQkYP3^m6LRZ9Y1Flv5=IFR*VNoyJ~O9bIk7VcctvO$rQOoul7d^WdMR#A3JDsz+k;9@$IELfOKCMoBKDsZeC;3I80gr4O7#`X(zP&WOeZ<;Y#1gQf;X!B1pf$90 z%aG>nI+S#H2qAz0yp@Y(FQE>b5AJ{Hq22p-?b-J*=A$2cu)vQq-Ku?b?&-2pyJy#- zzK7wT43Ap9&ql?qnKh4uPVhh)ZcLn!9s&S9hP>Z=__O0c1Lz>oxEW+%vH&499>yEX zV6RPwd>k_H7HKy!;sAf}VKaxx?X#dYBlW@W<$7mLY0{8fiotG9J}`wNN=gLaT^qw{ zmPp0%r!DRbp@WJt3*@t6ax|{&c`j=QVr43tF1xq^bi1(hyVis%m7x(Edugc_O7}Q* zEjDdqX#+G2_yv&%#3^!PYH0`!mPKLgP!ramC=&HVD0nX6G_o;6EF%7tMX0k*%~Y*a z3Pv4DO%0_n3RB4KN6%czYbZqGWIZX}c#*iWS6Prk;vfXVh+BXP zbwzz5^Cad}po>mha`?GehThyYRih*-Z#r;lS}%kGUG>W{)=1U}!+-I9>5%<&n))W9 zGcsrt*TL-KhltaJ(q0-E*)mcZEZRduBZJNWnBwEkcyXjy8XX=S8P=6{k)0rCk8EeA zFLY|PvLj=HQiYqR7}Y%b5pv!DO-U^JDVVH`u*tjH7yzjo89EFgDt^Jj+{DzGaK09i z2=`@ykH_UUGE-2`jyBLUD&vbpN)xjdC<3J^SCA{aYUg6-s6;=;$;m#)G6P!_YxLu_ zt-?=7R(ehAdLi7^oEqb@(3rH~+_I57*dS9!Crc>GCZtU4U&K)uqHCF}Suyn~5LV5R zOZi)%-^7M;#D}DlIJAW#fEG2(LcRe`K;b%;`M9RE*F;X-$YEoVcC`V@XwPQveol59)|yHCod~47`Jbmt3r%BF~KWMG=l& z_`H|uca)RUlr1bIPkj2M!L;H@Ggb@>q+)Y>BMnzvlEti7a!DBptofK8VKfWW`_g3K zdn}v_CXr1fxI-I>5ngjN>p52418chEI>~xlm!=k9>1&deN)*9`LdGf*{njISrgs*TwyA>cqYAk|0EBcen z;zY6YhIKZfaiZyfTLN;h_~}UlyBWYoGBJenvVeR<@(3>mNj#1q#;55VodCj2V8IGX zMCw$^T9owhX!<9p!G|8?bcND3Yh-YIcx!R%=*aewL2JMn+=@vTMF(qx^yFgYmcVTl zgfvfCQ`nFr$QR~5;3Ij;P9m|bM%~Gnw6(}$1j1n&9n*=40eSllA25<~-xoez`a0Hc z8N|4(al-!})s?hq|Igakj}LaC1!(jBpM#@YM+egVKL-a#w%qOixdA`9`hR{8@3Y_O zSLXtEVzOrb_Xl*#y?M|Yx16&1kP`%s3%t~$HT>+wcAPt{+R8bgAvo2jG#&ecdZAfG z#sk)lKOrf*aQ%AaUj5LUmAR{nx37`Nt~pyG#SErKuHF!T%Nj5B3vbFZtL=zep`$GQ?&H7I&s z$%UomlA-&>Srz(nB+L+U$&DZeb!k*MUtm@446Fq(Y*pa6!9YQ1I*eQlF?%(icS?+D z1t3V_rO*Z3EIMJ{_MxfO0bK={=F#~Q?MADFjW4?sL>HhsfQe+n|EmSVM)GS$;x)v= zI7Zvy`Mj+XABhPW)YXbf=j_URz8E%)fUqmBZH3)$nW#+$#~iFC@FUYhN6rL7;;me+ zH~}EyF~k|HKgo&6^?}b&8&xM*`OvrNPXMgy_v;Ju)2jk3m#hHT&k9Ll2JP_Ikz-m_ z$4l~d5+z{u!DB#Vf65r>e$&TpdZD3W={N?HSWmC_lICRPz2PW`O4UikbnJk zWO>;8SBEGh){bXIU4!z`jgl;?M|tB{8uU_h>TVVH{3cBl`^}$&kf?8dNX%u!BFdAJ zo7(SenAjP`Scn(cMmsO98HwShoxpR_!vT_9U?jyc@wBuj)s;)OBQjIMm2+@#gt*l+ zPT4QP>xkcI937P&S`l;rz}kVRZPlJDU$a9H04<1S16#nnNd|{uMAT&Hz;H%klH}#@hk&&rn}F;-Ey|HI%z0fB>vCnl=ifm2-HU z``z!3cLY|SfCO39H}~vn4w4@Or8mUWP81*X8yAd3KLArxjlS|h$F1=WH9{3glM2qX zo-&dYPTIhRnl*1nJQy7ijz@r1)0(&mMa%`$)LZ!wc)g3O$(oOLR1?uoJp_4M;2o-; zApm=D#>GQp!p~>Kw%nk`b2%(Vc|8>i8{?-J)qelG!)^sQebVwK@}*(#N7=D*al-Y} zDwS16XRDMc+J)d1w-oqc2o|=7C$&{wxfq&*|9u%`moa5|U>A@W>!c~(LlLm#q#rQL zrXc97Egl#Yi9wsMvg4+Bdq~YjhmJBM^l5;EOXX?uZX)=T)SHg%SWxt8~o`KW2bcW%(p*!J$ z30dN!$ucV|=RoC#NtmcX5AZ{)AoK`*6{vny3=0lFdKMr9KB}rY>!E~Ct7V6J8D*ea zs4vyPDY+q>j>+4?lLQMR>~g~r(I|Gy6Enpx!{^EC!Ry}7fB?>V3w2#vJ8}{urf&(a z8#GsIw%s8e_oQQimf?jdnv?fv%dO1GGIAKQ6(W|3sEIgP({|Xet=%O6+=S|m7ZF;n zT!P)s654O%wu`M!l>Z6PJHmRS!D1txvCt1@wXHuJI{ZB;on-tPjU)#1x6}#9_*d4l zcm_?V5Hnd~tGNBnVMjbx{AGhE2Mw`~u(1O}=lWPIQ4%A{YW%kQdZoZ)p^U_l7B}ky zweh%ECOt_V-GW+QRK+Uus7!a_tfv)KCf1clq^ZbaZ-^{zQ0+JQRUbLnjdX z$x%Ky@$iU)&e}zxfe$1_W>D<5V+bSLA)hM3=#?xuyC&I($0mLU{i4=0oAheNovNG) z`4=ta4Nd3I%Cbdc`49#fo@hVk|#!Vlj6b9Nme2of*r6(R_VEW5bdNW z0~#t--vCuqYbXUfNgvCGQrLokUH{~X7EErdI8$%J^fqWY{ifI={9II#297|n1f+mX zi4u{8YOwM_pYs^1PVi1>c*GCdVnfuhfCkvEvdCaV`#$XF_!BnPv49BBjV(tln4w>U z$w86(b%Z3!ZUff;tOPvBg5%Z<{EMFvWkiy~G{>!DD2PMYVyhJUWHA5+1f*FrA&|0X zqX}c>ZdFy$Y`_`rwM5$kz^(iR$R$X`q;iVux{*Z>C$dtV$i!Ao>OyV`rj_;Stjtgs z@_7_m@)DS~TUE8WRHbWg&{{PeEgk=D7XJ^Tjky1FWOQ)raQ*$Cqj&HB+=!p`$Nz`> z;GeDLAt#t{=F9^%E1U$@n$CS$=)ouqUCT?~7P|V*>hg`Ft5;VSZX7pPFXMk!7gn#V zF0Wo(T`+GPgI|_c&);}zb#e9D>eA{bCj5DQbqT&$SiNS#ugmZd{NFS1&gIp`_2vhx zzP-8#;4H3QB4AcOTD=5AUo~$$2jedSm;eSqxC|eyUcg7-H}&ZPyt%ZxWZrn3-u;+B z6vD$qm~Whf=P$uRaCOTtU3z^to;Q2ozY8Y53eQ}@CBs8B5B6*Mo*8?8!KnNx>l)@H z98pCFv*6ImbnJWy39GNdbk}b@E}$T^Ux7t@w0a&v`3Sx_ik~Am@Z0k01p*JC%_ZPg z-^Q13JOLPn9V@_20?sbLUrz$&eg~7&_I})S%GE^#4pDiWw&U83XKtKiG@gfFkK-5x z*Z}zCI*fb@aZO{=`i{{9SKz+PEN%nr9bx%nl!1VDq!0aL6m>U_(pCvdx`2Gc^VHo|yZTo0 zA(W%MKj&EvqG&}{LTP!~#NQcmpysO$@3ienE;osIBRK)=OoJ#Woz46yuL5-}q-_+ZmvKXnN_A{?3Fx6YYR;2-xR8Mn<}KoVJa?Ej zE-3j)hZX1(PqL8bahB@F0c2-ras(^NjLY~gZO?P`*(Zs8Di|5>B1OXk7vYbS+S5p; zi-ah_p4Sj1bjH!aEJRj;=$nwgs7am}^$qj|AuygKIn1XA{CW{L4TXg~!!z+rDpj4h zAvwb0CM8-HNc3lC-sxY6)VqXiXqtrwD!e8TgnV8?c(0P~a8zzHb9|DyO+x!+S|^Tj zjI^7D7CbNYIBD)^%#JP947IiA5tM>Sr{ZOKxa&k`G*?oQ#H9w$WAnsH$zCQ~3jj~NRsIs49Iz4hu#heM6X_ zbjsk<=TSI=*nL%*OJt2_tq(=h@5!iMrVoH43qlY|3SL633dX&HAH@)8Qx$M*oz(eg zmL~WmI?-9c3DI&Dh2rX2c=)n7J+1-GKCa}EM)E=dSiJFKto%wt14SVcFsg_q$%K!I zK`xVWtWKx%(mRl($enoaF*@YUS+MYGLFAP{tYMjZ;s#|fLeP(#>ptq$cUTyjr~?bU z^BJq*Ua+T0+_oqj5{Sv<^vIK-P#^F5oz---K23^$60GYwtx8e0h-#W-mF0F7Ub*%K zHv8+$TT%%PVc$!4XyR_`Bo*UXo;bL#6Y*Xk%`y{hFv6QifNX+X0S%i0UWSvM6$d7F zJWUmcEFvKbB^*y>)>f4tVnGT=+%#C(Nuow#&})2Vp^e0TCsg&aUNbbhxWIlTF(080 zTl(M)+r6wAUqnrUG-Z5^SwdJrcm&XIA4#2BQ;OuNoJDI%ZrEXZ&Mc*`0?8z^R+R&! z6gb2o=t{)S0$Nsat{mpomlz=_vyB`M_=Osl1;NLJs%s`w4ja5^WgZs)t+Q?`l|A2b^V5L5RuLK7b$}Lc{iTPXTzLpIF4?u*F(_HLPL2Gmys}(3l3DkXQZ=C&w?ip zM=OjJP3fr0zz|II;@%pn{L3?s^qH^p(kkbz*j<&v>XN@AS; zo-3uEO*_GCpRjHAJd3K2g)Y3vhsi>xDfV@k|3qLuV^&rSl9Q9tB&7i<)eBP3TV1>_ znUt?#NpxRV$&^AeicE1QU;e&|dmUo~RV@gqXB}q;7(6lJY`H{U{-eSv zm7!ffE8H1r^)?@mpGi)acQR$OHL?KOP%X!fpmrwZYl8VfzA7Q4NgUP#U{}eXN6v1O zrGt<*OCqACVOF~Gn6Vnl8guoJ#5)EH0J$5B1yhNjrDm+o0bFSqBU^B`1i5F}J9Q!L zIao|`Dmo;ukk4pY8`|KgavYD3z4nCsk15QySkLEK6tzySkmpy~ajMi-&rvlmn4TA~ zqS<~;P~sR~P^u0&(@12i2<0*W$LS zqJv4G27|I`;MgyC2at1t^hpgdZO)#Jn#rh!w-;iLW6hQ3a{Cob93auGB@uK^s6Uq( zXx$=!12!Kv-sGcAo#U~C;d&heOO2+KNmkd<^5X~tsLrO!Ex0BO+f;O0rGun2Fe9ab zAp}<`kcKk$C~$sy2pM%+7Cyivrc#FZBiY9`HHIq4plskA=8h& z8^0qwq1DmB&Du@&C?Qzur)j=$fWQqW9Xqk?_KUWXdP;igbt>m?=US(!AFtY+{RW2@ zJ_cgKQ=URnb(e>?qzz=|n(Iwqn@2BS30O95BvZUHm((o^Nl&%ZIhCZb(0-j+S}Ekn zQA-@;>k6BunKoA5gl?K)gsykXSG)$IPzK7@z1eRk0&uPh zWg`W+wJ@%^qAcND1#+u@V<^=wDElf_jyUHhPSaFLgLMXWuIQ}Mbnf&4SO-e10q|Nb$c&VHGlSDWuvCQ?q=*4Hd>CBkcl3Rq}TTH`fythLw7NpkF-_p zfnIA@@}sg1_AXu;A}Z~Ke&2S5AVn4dh)ZPbFSDy6ka^g$21Q;4mYDrMnT4^A zi4ljdqn?+D1V~1AFbSl-_T)uKkU=FR= zrGQ>V$|06n^qi)`aEas_%}~)(rV7I6Dp)fgIVPZxb()2QH(I4oCM#Pw`(}ajgSZMH zhIgqUv}O+n=q|*bEQ8HpfZ;qR;YpioK`Z&xeLENG^9dJaC8+jtBk`{3GQ9=%S4r$^ z35$$P%uxsG{_uuK^Iy`u*c@6rC5bP4!M{T*lUz&-lu#nlS{74YF6oiO$qiiKHS(tE zMJVS{Y_PM8y;5<49y{RPBP^bmj;%y~^JND9s;R$M$V!dAK!V{($}Rn!p=49t>X@;f zV|k%l$?#gzN`9P!2b|K%Ukf_9@pw8GD{CL|MiiG%1uU<$sJb$%&Z+%M)w((-%u@!S z5Eaq^k8+2^&ncEy_X--qg?xf&zi~8YD5&KWvdpumvAfr#S};o3km5I$LUo_Yx#&%~ zImz8*XwDYo3r*Umlh)eZf@HQv`$e>x=SC|+`hV zSd;0Gj~B3|DV7ib=55~zz0EbMAAse7R!>fqQM(9aZf&u)4~%Sa28;HHHNIth`>-=u z8XwrAA2?X9bW&*MAA=+ib4x=tl>v~>;Dx9A@KncSI1YF$^6IatDhxy!eEm_J`@PPT zLYc1@IH6yjactSzzGqvnsXoiDMo_7ovW{tq)91*i&k1#W=v*M>D07-#sy2=D>ba^x zDK7eHD1)LGl$j%Av|#zvqplgwO!9J`B=TbY4c(x;Sq0+d1wK5vYF5k8T}o~u*I@9A zeIk@f^KOankWIi3EukJ}^~Ik|~rZ^cZXsY^8?T zR3L=$IiIS>_(Z)abaBe?KS@K;V$Tx^TxM;ZAxLecSh7KY9_R42UWr3wafRWH3oSE> zha_|GkO`!7q0H|!l3?L2@-8TXB3_X{%k@Hoiso7`~k# zp#^mk$hj9fsSVC2zYW?*y+Ya~fhAM3WdlhAKQq$P%U6!d{lg@F~62ODs{L zx1S6iqyxQBEv`stM4yuPmQ`JhVBl*)PlwlpEs!GYMQJCosZ29~nelPjjkiN?LM@2G znrV5ZNng{p0%yjb=6xOkZFgW>Y1|&L2S-M>ZP`A!ZNwgQMq%?y+pN(o2~|s!xRV`2 z{w_KivW|Y_ZL(SJxK$wWZ8CQRhf#arGC*k*ol z&I5XzYCbNgWEw7i5?-$*(G=sdNS6|Ye030CCG{XFhyj`PJuMhu^oz-e1K`m0fRJY` z?6qLk%nG%aDOpiSZRCn&r^3}w1KYNaTHEd7z`*!O3B!KQpfzOKU__RNtwBAd{rA95 z&r41d+(>MCP38rPh6buIOq6Khvlp5;h7!U3oUt<%aX>Jh6;4nLd?a*6&h8{K#PhwN zG-j1^{FDlpWB}g)^81WFb5mF?yS2V33^vg{(#du@=DqL*nMKmw%37IB1Wp~h6!O!& zI;)~?IraoE77SC@W*21frpkM{aV*m(wjd@N7b+oD``O}^3p^K zrcyQ8r-q!5vLmexa(W3vLU0J`KrCM*#rit=!o)d%%UUKzd7S<|&OR-vdoQpLMaUf8 z3rC(6D$(Lf*c0feK#hfa2r0)Ta#JgCaOpEv&P|M{T+MuVR-bLZhdz5 z=YKWt{}%=u(f@A<^wH6b{(mEP`~PjgPp3lIwio2!=V1J48lfxK{;j?e2h0T)sN9TH zZR+FFajvm+{%Rq4`H>cyFgam9F)1yXTewk+msDV%>t77cOAs3NWs!Ana%T|o+sMvI zi|k(&%i}H%LOZ*JQ9wlgNgCw>xfJvDxvNJYjwg%$FWh)7e=caJNK8!3XcM%hqmsNy z7!;597?mTw2Ss_`T+{}h*ye_dn^9pqpLU%t#Z67Di{1gYIyWbt^ zPijKJ_mX5dX@r0vU&|?3vc&)|2m(7zTzHMM1w_NA{=~|R1}h`=|GcUx6r~;46h|X= z1rErLm4d7)jowXaiXgk|#38CuT@B_!HtuSKpcHPOCkJ$CjDc(WhX< z(ip|nB|ZUR3O1eLn~$mPyW^%vZL~xp*l>C0h3i5VUb28VO};XQ!R|}1I5@Wph#UZlJ85O-GUTu zu_`j`7IJ4i^lm7X1Wh7=b!|D;0kn*Zq7Z!}OIHv8Fuinq!z3swO%c8<{7Fx;gRPsLPI6!{1x4QL zCuK(fu9HP)^(hkfak~me?@^x=h&*WJ&0$`8s_lY*1CXP@R_vylnI=tgr3I`sd4g z%cdw-3!0g0Ociw3+d`kR{xS({bhOlOVwV>0b7g}(G zX*CjkoeR^t!-1$~8TDK_S3_v>UMt$!O0S8C<0%dtuY0Y69!?1@ef8t|g)U?+G)L+F zA2?`}B?r5iwjxD@9i9 zN?4Hjud0_+-pfo^PbvQab{JB{yvkoI)+DvzwCG#Rd9_0q=F58_YV#>$5x=xy%WQj2 z6uqZ!h--8*&mFR{)^V+B-u=*+7WV;3e^d>zp29f0;9N8jR# zZj2o%Rq$gBMadYL3RsZKh=Zn=VLo%%#G8UpnZ}JiB#yZ*WhT%wG2dYp}||R|3yU0pA^g0m$YcE zax+eh@S2nb_(n3?v&i416DiR1!pXH)**lSeX%VN5Q?@h8zbP)>H1CCD*;#MarFRre zSphD~o|eQ~MJe4fi4k!erQ(liiwvPxmEW>R4UQy9<2lN=6+A z?bq1lm6dJNv$~M8yI+g>Md>gLr3-OP2(j|E7B`VM_##wBof~kWK761h*VM#2HVR;kzQ$*cLwTu(m=1%M-5jyE?(VJ)fs)oAx%9A(G{pse}t7})E z|MHLj_2u6dzPxsA?ace@%?Mrl^YO3F9R2+A6JNgfr<)X%?&sIe{NJn3e);#0zkKglcXB>&zWVOk^;g$EzOZ)n=-PYv>WRL% zc;$;LZ}SLWUVr0@_n*OWUikak)9(Y6@cYfD{s6;%zWm186R)kEeD{mjPw>Nl#m}#N zwD!qIYfnD0_Rf=Q?_OJb=foE;JOK;4dH(qS@96QId6)4bj-9#r;UCw(h%c_3f^l#W z03!^0^5R#oet7e#qc_hywRY_fYfn9Q^U@VqWokhZ@b*(6zj*2V&9`6peCaPY&pfyG z^tmsOK6~>`Leod5ZXWwP%nUSk^XV7YPJPt%)JJ_@AmGoJj^dxMe)QF=m)2f<|K^#u z*Pb{DnuJZFMzx(pe{vQYkzo- zW?6gw@1I|J7Z%dwR#x-#r4PUS+w$7qUeCVO(ZCU&e>!!uqxpad)25)*!P^zF6Fe?|nq^Y+^H|H3W!>hbs2PCda3 zChmBirZRAd{QKX9Jh}W5 z%8-R8ZhrU5pI_l^ zqcMdxEwR&nep&;hu%zD@1gO>Xq%rrjn|`Kt7@76*d!Ju>PD^zH2?!|d?n)X>MKb=Y zlh1u|?Qi0Qq{)?3YddeO!O&m4cjc?s-s#p_noa`nqpW-4x#SYsPxlgMCgR}q%{MM} zqqf`-R`>sa$KzfBWLS-%Ci_PsM_H)}FnrCh0W8 zN&$_7X+Ue^N!Z%Yp%P~jDUUel-=4jB>V;fjv3jPDgLpl2^vgdV0~!`Uv%2%hc?6=;#0b<>S{rzXFHniO(C0b!e(gFCA7}`voT8h5 z|1Y`KYp31>1sz_3gXN1iPS?GcNDb27V>wGOU#fd4o!O(kmn)M;pdI+?`Wv9>tGtpg z-aPlknX_L!{n5>%$2uS~#C_8-)hXF_CXRyii$7n1Be%PdHW^bw+I}jHfb`@=q`h?* zXgtErKRgH4BaXv#^z17LQEGIcX`PL9cKPDUA8x++wt9dq9)--c=a#?_mTPQ3n?*zx z*PeTM?d0PM3?|cDOKmogQWo0IKuM3ri|+zh`asOpEF0kCx6Xhp`Nz>SderkDN8eP| zaN8Lo4NyU*F;hV|FsluxNW1N9j|OPz7Kru3sROC)jE%ZwzjOY}OYg1^b2J1CVA;#Dv2-N_}kjGmsR{4H~rZs*Z%f8Dw}fT z|9kb++H)7R?&GF7l0nz~>t8>={OrxM&*N!*>J>Si;0!}OC;O4Fefa9lzb*dXt53o6 zpD(=xl*9mh_2yduxxl4RiLbuSPB(@Fa1SuyYuBDouc7bb--%Y{AwH#Cqx{PcM(OV^k|p|_UuwF z4R)CWVuTR{4E{WMLP=Yf>uEoF+GIUw{O0z1tZPZ+K*uG~nT(5(@t+p)zr(-Si1^>& z*82G0)}g!czYX~5M*Q!m&iJ_blc>?0fm`wP#*tHpekvew!aKZvN$^o99kpe*Q5^>V>K66Yt7pD?MVy8FyReDjbbIPKFt|;IziZAXByH5#r-gJ`ttK%k+Q}E zeE!KZ{Hl6Sg!?|f@(Mo@5B}7XD&qIm+t>3&{NDc%R3{@d;%88wdWuI^3Ts?2L8Ty?!wygtE}FBdGSdYu%qxF(x^oBSH~`Q7XE`l znCO8GMNEsvL{z`_@)s{WL4m)sYuEn^bYBts`~1qa)WjVG{)oHU4*VToUVCo6t-a%@ zUz>BoX5akXQz)x6AZV#y9Tm0&yM&Q5K&z$4QQro!aTP;;7~>&+;!nPM_U~W*!sJ9~O<;dkQLIKG}RU~_~mzHsx+x4Vm(HgH0-=8pz$ zR2(qg-t0IU3s^WTzj%Hb*y6hz3WO!BGZaY2=$C(cx|28{=ppnvLPR3~p{L`3%g=Tt z4*1&fwdaniN!AkwB%on19q4t(0pV~Wy>dNqK#;6AKX@B{U%P%XjsOC@Po@=z4Ck1VQ9027Q&;Ft|Q}r*IxqzLB#*m z42C#a=mS0!QUO10PdQLy9^CPW`Nf}(eeuV)ldmP>ecEeEz7nW^NWPSg_a#XvU%YSe z{8vXWWCZ4(IePPCC$@zUAE0A29=5Z1A3*xXAAuse4{76JJB#-Lq_3U>{j z-`XpGBOxsO^%5wi)OV^Ze=H|< z+-_`i=D_)4dv!zeCfxy;n+@Dz3v$Hvg#D<8F)U{Nq(x-8uq$sNBoYoA3k>Fcf!t3XIdWQwyC0_VNvFiW7+4 zF`#~7gp<&LVJhiU!E-EWh=2LwtA-5f{r%5iXThsD$(g@!T<`O1PjXz3=Qq|9()-;T zKww{8c?&c{Kzauuy|11Xj{MPcYnfQ?I6I_}LgkFR}l;pQKf83>N#VY=Ig?=Zv|%+teoG?4+X zp}K$S1wpy+_4BWwjxALmbnO1+k6-@z6`bkv8z$al(O1D+sU6!?p2+H=rp+Z`7OzM4^6MP>P_hVc?b(xSFZ|cq z-yT=KibNdDWQEbtl`_CT|H&3ar%}E}3+v#3?POuR1S8fCa>suX@jt&*0&vS^=iaWy zm@po;b?cS}@jw1O8UGvHGB`T?zqWK0iUvRb!{dJq_P^-+<-U>?*81tg_07>d{tM^j z&~V-TA7ConjsI@I&%Hm)5db!Sc(3u`g9Z|ZS-jtH9;*gU7-HOX?tc6N3;^>1^PYQp z=6dfpenfxp7cJkI)1LpPQSv|Prvd+$%03W-RRqPMFRa4g6^E*`f98@uCX&$w;=t2xvQe}&e#Ge$H7ACfGHKN%yc8Y8OWZ`&FYetRHe z+|$II&!!F$430DQ~p0zP>LK1kjKn_G3QWb$e+NeMS*Ab4c@Pw_}9!Q z=mGKj0E!p!`_4xW^x!0Qf-Bd|PC0bG_0!{1^rtbyhilpU|%c0;RJ zcI-~)XlefqkJRaZ!vmvt`F{g`I^lmJ4$G^VA#p&D@jaXTT%bA}1f{|F0qP{~yyK7e zguQ)(K)?J2{AKiJ3;<6Pq2c%Xv)?ps{wMr2;D6gGMiZF0GvRs@>(vBW@&E8hUH<>T z)`8)>{J#M|o$!Bx=XdS?@sWqe_U?c9;XV5vCe|N|ys|s(l;_5JfPls(oZ48$dTgxh z%sAzqUNn#3=`nf_`8_#6ZyOV|8Z~3kZyL?t+Mh=J@6PlEe&pGG(fSR6R{TFQI#_@I z^Wa_med(C@M%>_2x^YgKT`;Y9~HFiX3uC3nh;Q=}uAqhYy zZ|l=%zyD2dSeJhq@qbk98!vga@Qpdfs$>W5V4XI9Po%&-)=)!Kd4x!R=f!5jZ+R)0D0 ztNwAf?3njFU~US7(!Dsuy~%MlnZLb1({~B;K3GMkBf2G#YT@^S`Ow&|BL^PZRX}g- zH;v|R?N0;#cPiD|9PYbqg_Cz${~xUH{|oFta+m)%;AfrZzck=`+>l5H%y#oPzd?K6 z`E^fNFgNvW>P4=kFUR~~4C(2vZU620X~q9Y_IKR=AFT8L4Qw46xXb?=@N;MQziQPc z$DChBR+)sry(uApxI`h)V61zz!G7=q^PcR{?x`E@o5tmL@uw;O*Ze*&DzDoHXvP1d zgZ1|RR`~2L|KIta4)y;XGrnt^LF9R^H$i|{*Mf7$vFS-`u{iL zr%UHQ2Dj7au^#6R%?I${rrad>RZ+iqG#y=6sz7>7U?La>d8k)sq81882(N|k5~>ba zuYJ>-@D2Vn;(rj8VHaHg^wZM*9~@2R|7;x{y{rFk#7~Fuzdm#KzWs*}9XSB(w0r*n z{{6uJWJdaq{xsr$w6?;oX#Z{4|HDId=l{siUH|_^{H*i*ckVX;e>K*O`MgC{!00jV zag5(!QXA^asP~e^ZuFuqPXGL8e}DgP4a$rQjkZUXgWjVCZ8+vPjoI(UPb2;h0?+R& zO**CNJJ0`vTkGS0!*~0CZphEN^8ZRA{|`74=>=K6uY^1)|0*%N(x3MvzPty&{2#4( ze>;Af@qf1}09x?>mVtpZ{||1(n802Bzw0X_M5Wn zP5;JoYPK`;8~7hCwB}DcUhkbFf9j;8_VV9FMQK#=-r=h=%1jWv6az8g%9_t1_#dygF4T{qrfdc63-ZyKTBv7ZL~KVG&b!oJYii2h%LgQMyA z@6f=&mb>-e8}ZX&{?{&U36Poj<$7kx3Z2lL#ZH)}TQhCn3BAoVvtmsIwWNqy#TecA|0(v&uBhr{cq7c%@4e!Z$|if)bVT)g04PDWT=vbdJXGX;8^8K&QU;BEx{_r+;D8hD!cZkUiES^ zBki&KW3T<3^4j3LoJp>YD z@BW=X+q3WCu^<1(&K-OA?mpNnO>r)8&iV@q;b^`tYA)n^8pEMO~rQ}X$`}0koS$BWB_tQxK3mj+6@@%k5 zs%5L>tV;uI>Hiz4v;PN2hVI(`8}YMF{jXXue=VgIkW5dN4)Q9aCLIA?KytbaKLXG%irFg2K+y1g_9MlI)(_n)BT?YhX?BW|Bnvb&HvhnpY`&; zY~bkB#!}2Fc@lq5e4RZ4YADr2$yk?$)a3=cIf$Hiwu?b*T6#?N{+e^QK#gTi0UpAF@+gQMcvZyLeh@}CC$?|Nfh3jY4D z*81O;k#zn4;MS2XckBN*;wLx%!wY-eid*Bh9Z{tSAN%84ur|c59i!&BADC4qps=u4 z!nm##;+HUl@u2C3V?bh77&<|1tW+`+`FSqhETX=)(=EqM0gUT-6Dc(&Nu-90cgW9_UyyhsOXIX=&8+B9ore#r@Ws&G!G-7 z+Q&cC5O5flTQI#r_}>uxZy5eJ0{`2>XrUUd2VtcOEfmK9ra)Q0_6Fl$hvHv{<6lSO zU$=l@Wmqw>J9{>c0e3c2i{Wz*-DJG>#%eG?lb18z_?Cye8_9ov#wqn-Rz?@jfL8k7 z){Op-LwEZ>ZOBg-`ac)YLsu3`*kiw(`&B^Ra9;PGXXLCRL5n6Nb z)sKGkEBJ8F{-5vOIrhkopY2AcT{-K*6@8leIg%5=$oU8D``5Zr`6F%EAGR~DR7thx z!a{t@1=+FjcVmYRAKbI=;fy{wj9wWJ!kK$ukf>BMi9xY*u8s(JR>Q(P<^a{<0msvf z=0^MR<^FB|o92lD?=^CR8J;VXnxSGDyvf=-N;ZU!yyqM^%V zhy^BUliYX>j^+XM#^L92Ye_oA>z@6W9MAqMJ$g@D&))Mu(}&^F1guS-_?MPX2)LR& zA)(29WUN{XS_2b5)eNBcsb)aMPh|l1tyZ7D^FIybf7zetn*u|lD+fSJ|KDJ`|Igso zyZt{m=4ZYAe+uSI!K7+|Mn!IV-Cm!GL^TG~)gxakm;I-MP1(TF;psE#wFz}>Rt1?nNbdv6p5_mHGJSVWq>dLVLhYyY&-amF=&#s=wdg+O{O)$aG zKdGJ_tAbKm8z1Yj3T6>==&Ty3sl}+~jE(j5jE%8g48QYpAiMCn-rjfst6cU=V?F4n ztbd)q#M>0%@3FC;?-<*0@Zm#aV~G($+%s7HSpECztFhz@CDg&kV0l@u@R#_l{!$b= zcE$|!abonyYxJmB|FG?_Me7F{FKAyTUaCfclkqrxoOqDjqZv=~=P5wo^eO?FXF;xg znFPebWXmj2_>08D72eGHhs76(hi4sYI^$9LIPsvoYY(;(zAr{DR!@z=Sq$6QbI(2S zc>!;<(zmCbR|b;!E|%Ra$YT-%f&n@QIOnbPuIek}PaE;ew+ zv&mF`Io9*N$5Q;{PBb8G`UZ1s}(-5;md)9-^3ld;P9ZE+LhIt%_rZyS)(Zu9f{Hf=&N|XVK`bsAs7{RgZG43`nHpYJ%>g(NmcR#Xw z-{C|1A41sj|NL*2ajX$qY0}3F<56Ag>0l)Jb5A@XMn^(m>PpqBxy7X6<4e3=5YPAC-!`6-)BgZ${;gZLrcoyHd~|&6+4b*Zdk*hDxa08tgJTcvIe6%> z*>hyizQbdW?D%)Ow@*F#lO2bC^2m+@V-M{=xO>OWpI|s78{)4-AAKblb zEZ0k^hsS=l`#KOG5iH15cEMqJk*cG zG4-CY=I^yL5)IM!uNnaXJjoA{#_G1J&7C-KaQA`T`*!hW;HI~~BO9_4M2D~wKODo~ zV3j}Mj|$nFb0>EK6E%A>G0(vDHo#i_Nb;wCu*{9Vzwt>CWH?${%GJZ31sQds z?|?QMLnii9(t`jb&uJ`wk}@u}l(t6tZL4Lp4O8Yp(uO#1lgmjGk(R8~tU{X_=66HG zqUzqU-0EW!>d33}ZUpU%9d4V|8;>M^B*L@gOnW0KJhiDQ+zBpfP5bdFOtequZ=Mkm_AA zk8YO<6tj`ln|HB|$%9SAV%zp%8zft7t}PbtZ#9xOLRJL*%hE!1Zbe`jJMH^#@T zq{QfLJ(B#n6Br+}njx&oNLJm#nxg)j5;s5Ijc(n1^5(9%>3F2Xh(fruGiq+)ZzwEs zjnq`^v>vHlvD0{@yke&{OmzfCJ{hDU`k;x&F8w359DKi-meYD9`6EH8AF`3hq;7;e zNCg?rwDv}-TTM1aG^2uiKi|ahrOu0_vDex0mFdK3eSFaxyRtg@vwjZFI^oxSq^3{w zHb?6Ik(xYHe|iM|IdZ6z_?VV@a1UFR$;JNQ2WI+n5;ZCNS;T@FfOg$RDF7%G-{bab zG7!mZ3j2mP*r%vRtdSFHjTP`f0;+8Rz;8saJ>7B_j zQVKRVO#tnWL??&Kjj5}RLXVxmR7VJHj`Z8Scy2fnQC_!3${=5XGxOi-7Hi(uiq`k; z-+y52$43s2?ccXs7m#g`ds}?h0H~%~C607YCzReUzW%NLBMDR8;kAFyKE_KsE~f^t zbl)HpR$N{qu8|c7W@G1RN9i9JOq!n^j?{hMtFmt_GH!(W1~6ua!<&qh85bwBJ3A)c zM03lu01&in#5EZSUuw@VX)sdv;(&nD{ApHZQ*APlJ%`1YTK3$b!v}w^6uc1YxEm$z z=}(URc*oA4{bI+#U59eKb704wgFRf$UH?W3NbKKROXrI2eB{u>AZs6bX!pUf!~bz$ zH)Rv&;JX+_k%t9Z-Bd0_NqVUgPE6W?{BI`#fyni0+s10x2l9y+jN=kA^X(qo#8l=UM4G`!05#26<;ZDBgQ+17 z?|4|fU9%?IeQoEFg9mr-JKX8(hyLTxj>Cr!s#h^Bz1?@=KYRD=`Xb;!hPl_25hCK7I|y^13z>LRIM!OfAOwrZ=|DpGN%eRH~)w z#`J#~7_Q_0!L6gicl$qY#7|fHKgk9~Ks7)#LeHJ20{zF#A3cEIa~~o>R@xJ-hZ_s6 zai{f|>Bqil#C}J98uS0W6Zjj$|D#(n_6oSrTU_+lvK+FV;Db(VYdkOB90@zbpR~|6|V`A|!J>@=AO+bS-qs zX*EzrsnrX~cg^ej4(BZLDi|fVANM!NI!ze?tSqLwEK6jrjQ{?*FK} zisKI4ctICl;LF|s#&`MG!T8sq_}Ah1*OB;FyzSziHm|$LKToT{^9|f=v^GX+^m?OL zv!1`(r}?}2(?I_FeV*-QTk$j>_YKhWGS=)oD#FK-qe*WiBj0A47Q@x*}U1fnN?lrcuLi5rjG614SA-06zf zJ#pi4zv&hKYpZ$h>1f`D!?wNN#`AvDO!y7{G?M?3*BAfUAFk^n5R`{ow{B@9|A$5g z>*fE*@ZJ00Hsa@d_s}gGMc2F6@n+1T6;2x8%W)(ap;I&a90OjGSLKfTpz_ROT(D}@ zCd2r$+?|S`Qo+K|*!}N2_a51`d)L^39fyB%=z$)poS^I9ih%cfopJZxA8v|23@0tn zQ0^_eUi4Vv3)v-G`y5s?SHYqI$41X2-6U6x!oHar-eA{PD)pC21uPpXO`0Vu3Z2k& z!!UyX$h&(JH}uAHB}+MA$a_;`_m?&`dV0zS(PNeGE&Kj-R2{}Adky38{sWlr|G=j2 z_e{7o6I&M0{U~N%UpVQ{_SO7q*_m<5y_*cY1>}JqtT;4xf|6NtOv^J#&18Jz9Vrx( z#cL?=Iu#hOzrWw8SXH`Rudil4v}f<`Lm)Q)g(fS9ef-Ym`|kZ=|1V3EzuMdjgTp(P zXX9{q{=?+KTy2tLzE%w|QY%fuJFwC4wI}vExtRuff*qg@)Ah_v-~Z3#x4(SwSHInK zziInoufj>74=UF&ZN6jhfkQioz#gRU3FHTQzW<-}3%q;pz2C>7f7@%=z6VrT!W(Bc zeSdHhOh#|?xxK0i2XXeJ2YUMYT(7TMwn|R?RXFL6*VJG4-)}gfRWb}XIPSqKYCws1 z%4XlB`L9^3bFUYb%l9K?@ElHQ(l<9BC_6a0i{9yS*?f54k@(FXybi>g0MO(|n|e3% zyN?0x2aR#pFn;+<^ZWn#y$645_IZvuVE*b?=yE-@^WdHXhhfc|zW?B+Uc72p`$W*o zCS7v>kkxgd48%JJ)&=Ipn@N-t@SFPj9_#Bf4+MS*4`0~c?~6C-3nt^kj~qa>BXw4$ zfsm`co3s&rWQJ9w2Bg(0k&+tY`~QiU|K$&V^;;w-ekn$3-=tNpnVvse7`NQ=1B39% zwBuAk!q`A@eSMxE&RSLYrD8qShZlc6Ff@=Z(^69ti_+{5DD-6AYqd!ObCZB`6XJ*< zMFg4m-FF{;ASn$#`Tw)`q}^@XTFz(w3RHdPMRr7a$>MX8x-X8GSD#7KOzgC;)9F|g z3CXM}lI3DqX*y?q#QehfC36>mt2W0n-8U6JBo;~FUR>M_z{N!c=w}|{m$T%3UON|l;QC3lg68T9XqmC5(Sdu^e{X8hMVN{PEEZgpinwgK@ z<0f2LmF`jxLVB#{@Uuot)G(MYS$*pAy$hd(7k1g@Rkc_;XQRgysrS zydzQX3)9a;Yc@Kck4m#RJhb@Uxy;i4M70?2QxDU-o&i}r|J$vv|2|pA|1?oPNB{F> z;jUAT)hHj?y6T7UwS2Ay&s0snP?erOG==_um)Y_!M`6;)`JX2{Q}RD-KVR?vHc{?7|AS_v zS_%lucMP$qKWmMwD|wM?i53T2Vc^R2P%DhGvI8Hyb65Jd?Al#y?I11$nLUcd8#LmC zP5&2ZC&CG2>_19GoQ7c#B??H(k%=VaS{;$b5?itapppRImq8S{g9&!i4o3X|54*;p zwAC|toL9dhQz9btu`g^4b_Nr$N6$bpr5 z2`BdjfLOm(Nrur9eF@Z-Ku_o>M&Y$B+YTa!1|(qO)3gQfcH{=OoW|G^1#J=T{zSBr zAQTi-*2+-q0NF8=55G|XGvbXzFqc6n#aId-1HrH@+@=eh6o6Ry2-_IhegIvXng(QlAKF%Y)e=Ee&m&INXkh5ubK^u{tZ%OExZ10*jgLFDQ^#wx{DL0C1Jr&AtC{KF7hV?YsO6lQ)ynU6 z&42#c>3sQL%>vLO`LE~yhWX#l`uukj<)P%i=0xyu>Z%UVu7#gVtp&n4>WHFn7T?ml zwRf>>nJxd<7puwvywLtXukHVA?>t}c|2I)qwEv&+%dB9U()%StX;#;0d7Hn|Y%$`X z7MpZ;ydPJ7KlF%~%PjdHTcMeZS91ZtBKb#|uloOc>-fJ$%1ZD5_y`hn!#8y7iwXWQ z5$dLnvmXxLU7Y{$9o^9Jhm(RoZiEEoOiu^mOf%)>kv-`Y${%7aO`uu+* z<&N?%=T6(9@zbG?n-qaB)vk$a3!BeLi^55MJmrt?yS5l#%7``@#+c+Y3BY{1_7!e6 zWasg{V0hukemaEtMm9B9XV4MH{C(>rNPS26LAIxYkOcHGnur(emYV(N71YE&TM#g1 zVfLSWc0p3nKKt?Q`8UVsr-v8E@87@uu8q4a*~-A@5voL_SX0Rz;da&5Z_ot%-{GH~ zF!j9Or%_B(gyw12Qtu-{Td9o)kh_{lu0IIct>YW`%pZ1<8oJw2P8j-VAzkpR)slsw z`vDBUTnwMTTa3YN;nP)%i^0=p_W*q)qoMTe$r2doPnW`?kWU*czd8Q?_zhPS`~M|c z|A`OV#Ot4MWIr)^KaH&jcYHrlcRytyH@NCwTBStY1ecpT{^`K{_n#l*2Mc;!z@$wL zWLQ70y{~qW{+-v&4{uM;XY@7o-Q*Ld3Hii#eSS)UE9r0CKM~S}B&lNEPCH^6X{LR* zm_#%AaWP^@Go?4vtjXCNntwhUza?d5N!&j$J9ez}mPW3q z{O%vOOeHRlUqvZXpx-=S|_Zv`l1QH-*_PWTNnWQ`jvp6Zz+j;dU#TC|79! zM_(pjRBs^_#R|>gx3pvwzHbh@TS!N#MspZ0FCoPW4dQnzDXCU!08jQjZy_he3eDlS zw44;aZw|X#$VsV2a~Li!C&da4;&&@Ksa9$LPnw$DLQD$ZH-_EPLXv;p7;d)^kz$3$ z@LOI$3g0(}-L1rUiq3zACE58^ z$xO(X@9_l*=1xIO!h)2XAN=d_#mQ0oSB#eie9kW=HVz=-z)LC6XdI-TgGV#OqdM?M zxa4ioft2iM14&tjHVxD%3t@?&7xba-HC`o#>3PLB!59xRbi|`_dwvknBSncv)DEFQ z06KzG+FGN~lO55zF~1%-t^7cTz$?n2dL$k3sMs#%q}`+)jI+_ZH)0rBqmdOEQ^G1R zUW)p#99=nBp-9MO$A6yuhsm8&e^FT^|4(+S@qasedpm3SZ=y6O|2nj0mIiot{+>9u zA_<*&trhrQSAS@N{*#qi^6!o$2*xNh-PpYAEuahJfA{(GTK=z{r`zlJpC-!P&wpq4 zaeg>EKD;=6dvf~r^!!H<%hKSNc z+!)ilw83$9yI{_-2D~%DXYjiAvX_k0F~KkPi}wfQtz1%=vO0rsgO`wCQuZ71Rk?R~ zuAqw54Ijm-eaj6%OYKHb)B&-#5YymWVP3cWXYF!$o8z}d1{tpv(WS(^w$(zLJ=(k%V%in5kR1W^hju?!l9RIzx3ajt2&;0l* z#4G1x_oEC3v|onIZolKblSygl0doY#HBo{>S?Hzn$$T zYx!@Y+}HWv(yY3E+a2nFLXfQMysYfYVeIZew7cCdo~--L;2Qy52NVE4!{~H;AYX+T zRE`Js9u_mTl37DgJul$-&?869?l6tyieaEU%(?$_`}wn~|Borb*ZzMKWo7q& z+5^uT#`~?qlQ#!{KimJyZ~TY(d&{tIZuHB4{3Cm<{=^UHR=>8ovJigoeTA>`OA6Js zj_@kG*b$3@wYgEs+NCj}&r5G!zRas?OsbVLT<2D=)WQxt#v2*24!@!cB>7TGKDC3F z2{LMb`<<>D)S%!eQ}G7Al(v8gKWLhM>Us`-hHcaRgZH92it_IScD!{DFc!)Gc0K>k zQ_TPI>>hBbl|Q-s*T%m)bYZ@pL~cJ#WV{j>i~PUs+Wc?l`QG+A|4S2Pvm5$D)K_2u ztY{*J(w7k?zBV?y<6tnz-u%J*mUUT8nJWJ-okd+4jD_-FkNG<5 z8C%_7 zyUzdLL@`a%NZiDeFN9(R@m|t0N&w!#L1bULm>WBdq=ENg4B_buaTxgQAiDn0@T^IY zCNFe?1>+WTM+6SDO$_*41l;)YO91Og@vRja#yKV&2X;+qTPci!YuAw&;(6%~FHK5k zErM$qUAuBjAtRTP!ajo(gEL1VOw0TvR&NXqJIY{p3Eml}&qlC@apXpTN)Wl6m7#~L zM?DRCMx=`6dBU;eDDdNs@Z5f6QFTl+4Oooef75e)s2v1eEaFQy45cIb6KW2c#+>C{ zBu^w^iYW!um~<%D_$c5($cTnDjbJ?F3&Sv(+#Hsz5^bCrt*I1K&m8?vXj$JqX6~u%798x&d@&vWLKP&@a$mbdt`cB@%RM$h3glI z7(~H{uLn@{NBDUD6o|!jfanuMQHv)q9qu?}gI-A7-pfTSrY`mJm)$t%X%^I2v@I{j z^&{)ray^Xr7FMh=EmpO98%Sn_BuE(z2ojR=y7P)tiD=OODRjwjR!MDoxn|P6!=N%? zKUM+^t|B)yZ~(6$KU%_Y9SOP2s`cLFM$E5#-~W0FDY`7L%oK6jFA7LTQ|PDT0=lW? z6`&IXPKYQ4HZg*!%=oxOrVi2x$3W<>i-TEwYm~?a*!~!#Vg$N85#zvj0O>K(;L1ht z1EyPFdVxQTIr~jloce0+>hT>4Q3~VjGVu&WXbR!)OU-~lM^r@=VuL?`y0P2GkbXLT zK*B)(*d&H&oGUy7TGnc#g+>R2LEWNI7`V3V4!Z)Z2+yIB+I&U;wT?m}35!W-=q4ovgJdB}u{~tn5M$MTl?(HBz;LsK#^Cbk>1CsUvC-akSPR z1~5P=u^TrDF5i|MxY+6pn}bx=rq3V?<_ErsjZwEHix5a(00W1IJ=~9I(CRIL>cGzS z%hsr>ztvYrKc%7g6L7%rzzNF6l%|a$f$kAd&A1r#(OM2X4-&FST;>tviqFEW$|VKk zRzk0=iI&5*1De^EVM2^lGSwQ~G*Aj7KaR~!{lg1}uD=ypqYG`DHWlyTuBBp5-I(6H z>@l@aHK!qg1~BTSX?reE08E@H+;x(hg%yx;PTw*zlKc4X^hoR&26^%7cD;;HHu$r3 z`#wU)4QXO)Ctkbi{6AQDxD7`wHvufA}Of+PPP@Ep2^S!(bOA8Lp!E{p~urA!(a+&*e-wLj}H_o1MStw{_DWv45?cP){~ zn4C#jFX9%SK>(tvyr->XA{A0icNaBY3yMJpzjhV-w=lOV^UEHaJ|7!>9Ge zkp6EihLbq_I!z%?$8ay(+29kCzM{Mo9l;ZBJk#( zz)=J&lY?w@Xhm_AOTEBy%t2%g5rM7^yiR%_=Vl@%%#^_1fGJBRp)^XP3w(yGqgw7y zh&C`Xic>rJnFyFryFQ0AC}pD-=Yb%IqcH;~a|jI$y8N%}_i$h$$w+`4PE-hoM8!ix+ywwJ~r#onYVj&U}R z%^MVIoKKit_aq|!<3+E(}~7Z^&J=tB~}kCjSTQ(BxCR*`ARavvMYX|`81-h ztpfs$iw&W{_R0H=aA9O5jY$5Qx+vKZOm#d7T*vm6)=Myh=qRM~Nwz1g2*?7~M_7HZ zhdcuz#`7gOdu>HGC7O8g9ikxz1J-ANMrifbY;QyBbjC1SV^NC}(&-q8M5gTp-hWA% zJk#tZy-VyUDhEV{M2lgedwI(96>vnZCD4;8w0HouJX~6UuT>#4Ne<#$=ctYz9y)4G zAX$B7cfcuDJz;4CwGV%w9mbx6^#HAynLQ>6yD&G>P7^gXA)$dsnA8h*Yh;IRSDbR8FYvtt(xf&S!h)n zh54oOZhX`z%7Ci52e1!z80d2{UDNck6)WzhV!N#d0io*gzEn&(*ZH^uhn7S+ew*SOc8$10T3?oJyeD5BSD%h(l4o7kOa{ zH8*hx;T6UYp@&O400t^bOwe8CNLrZ5bC7z1RzJJqEiHmV=Q#?8nUk+WRI9uMkTe@s zA-M&K#D^F}2%Q{XjV*Ly2DzC6WiN2GqFa^(*S`*M4FDG zRH%l9o|2E3ZhA_3c%2K7Qo_WGl2l)D#1xVlB?iQ$5a95lRt1K06JVD!a>5WJ#g2M@ z?=2*(!k1NW8qhx8cVU?5KRnVSz;>Wo)$84#Fntdgo(2jG#`rr$W7m}uXyF%iqX&+&A+YF`DLWA=ABJYXxMP$yJMdBPAQhyY}41_KjN01_vg3F$q2iRzT5V`^_R zh!pBaYM+tFTJrn5ZU9UG6mx>HKg|iJ9rYf2Jw?bOO#5JFFQucrJL9Lk$)DSoNfO2{ zwzl$T8)7W`7^$HK^zWcy)4q6z)26OC5F;?YXah2j3PncxaT>|YJ+;W1XLlfz(?^-J zXopVOxNJ7m%MG9~4>=rlOAHCF86w;sadt(YAD$}L?^_E~@}uwqg?##pcqCg1=ba#> zCbXX=#nI~zXXIZ*1KbGeOq~1eX)F=GF=b&b`?#y=D#FuA20)5>xw|6dnG{J$43|U&N%-D=jC#24fz)Sh##wf8myDEDxWh^#v0 zKF-My0ob^xDy2kQ;FLOqm&PqmAe=07t0FPpgmAeW}Jxap_2XMWEXtI^pWAXQQ?1oC8qDIPI1qU`Rz6kk)Z~ii%pWEN&@i;zu zZth#AhcxcdIlK?N)~KMXgm>cMn&-@YSs81L`~3J6C*&%hyQ2$v%e0aZRuJAc_br>fB=l0N zn=95;C)qH!u{zaP;Se5S)$E3@Ptu6iAPhRVbbl(=fNu(5o)`|~EWz=$*EHI=sVLy) zY#G5E$cl&=iKcMn3Nau?tgwc1RNsiP-6H7I?W3-UXyPht2To12?$6bf|n zeN~sbgLGV`4emhsX*RNbSx?4DJCd7(Iz~Cehw$J{hwb;AVH*wIE*rGJ@ySmbc-({^c096Z+;)9p$=s#M zXS(vUu2g`s!Px$$4wZ5>|Mq7+_0WW2jwMqi0Pa3yp2C9@IjA{ibd)23zF9b3sxIhn zO`8i$RUg2F@AG+SgRZ!N)pk`_%GkYj2&oDXxU-g`P2e^(pQdYWa9NhLLwpCkpw#tF zdpbHf6WcW+p3eM~{}nrBqsklmVw>}mjep+OuvTPu@Km^SDhQuUG*@@&z^^b0fui>tSDF(}g5oJ6sZ>-L+3l})N^K>l#9q1b!duVg?fw3V;_AmW9>kc& z@)-x#n5unt=?p#EbUE+)a*RNb+miVdVrU4zO+R% zrQ1JuX;vCsS&pXa1y50B=ODUPmU8=wMB$ev;@k;ztr0v?GV zfStr28{c(CzX-Z6=Rsri(U&!Pn!ownW^>p6*lmf8-fw`T9F=2tRu#sj;G0gYFT_9S zb;ZAwO$Cr^Kc5qn+RsO&dDeVis>NtjymxQghGHb1*6n;$PzgHYPv=!_s2}yL-jU9Z z^HF`r-?dIimGt04+it4tdd((OxaH=pE&*$)YKR(DbnT&%hR52n0R0{;bqVyjZYJj?9(O(qy|_anij>fA)iC3PT)CrNNTV1TF+6;uEH zcDkXMR{cI|W>QoYgD5o)4WU6vR#ncdQ5llLhkl)nbGd7w<7{slMwX*6rOPgWSa^?@ ziC2L>u7YX>QSQ1|!pu<&yzY_>T{IeTBJ4IrbR{1aT@oinGK?JFud?x#hN^;TGBvBm zO|kzPr-bGsrXG7`L=~fSx7Z~On_by2aE!sHTcy3+X?W@V^z&7Xo*@?slx81YGxy+$ zMp(@(>?-m`r7gp!=fT2p3|a78YJW8M4-cBk@bqO~e~cKi#0JdFM`}hiTaB)uz21ZE zUHAWXyZ7(j-5w3@eX{-j(?{oz9w5x`U)*>rpAsOje7vLLW#^Wresf<>zZ=~pv6fFtHwIz%AUYLI>{&|yPGO?wxh4tx=6)}nhiRm+6GG-% z!miv-k816%v(^~`_p%N6+uH_vue&S5l`ah_*-Z(e9#mASVB^f%NxGCgj5(*pJ-O#c zD{l`+trK-POjuTlo7~OmgXUhq25;F&^y6%&$A;5^jHkoM45(=C&>5<1G8Y!o?O~v> zT`p`2(aQ)p6i;1iip6fYeF}HG_hbsCIdi}y$;0+852H!53uo5)F;$Cx<)m0Xt;3*n zFNEHq6Jb2=tsIZMH0t<|>GIvKZSrQ1A8BrZE|kFR*x`!9lydw^H< z6saOE7TL&Vpi)|=dyS12rvFB6M6?uX-go*LiZu|oF_(|zv}IJ)r(O5GDG_qG*lBkT z5mrmnxPmlrrVy;|x5KEL1_EB=suX!g%Opj_6&zD4zEn#PtvGnx&|oag4I2Xl8Fjh1 zLx>3#(?z+c+|8srUv`mP+Qg{fWV)Ne*-?O25v-OA=8OJQ-p~Gh%&ftONj1n3=qe*w z^}rqDd?wc&yM%27I~!wARIUBF#S0?-^M3Qs2hBfM_P<{4!S2q7x0aBd=s5A5Xn<8NTvQyM{h!JM_f-!8=9cR*SxQtLp_A318~} z-1#5U|CvS^`{anL%?x<=$q%>zkQ3D0_`n682$rCF(hGww2JFjvPYxUv>L;c*$6t6n z_818j_GVYnUbDBKZhy#KWG%0D*qcf|wGNIGwr{>0g+~kp0nQEM?^>>e+a%EAR1pj^ zg0j-~spncDa3FJ2HXu`~sm6=(36)cQS$!77F9tAMfcx z2M84KLKfO*c{7#Mp-ve|)%CYNO)rLoJajAAhWe}KDgk-y&r$v!?*OJ{I!5y2t`kH* zG+$2W;UUJDL=~<}!hdno9$9c+bc8i)D7egt6TWqPHKEiU3cyi6^>0mO{K~V{6+Oz zX&pu-7%grecbl^#-qTdYj;vLChYj1Ka5{pNBmuCtgvEZz4>WoGIF$A}7tqfVq8en-0w+EV>|?dT8a3 zK~`@z^mx8S&6MdnkCk)=9qG8=IkR`p&>aWO?|A^2DlW$G3yqErvsoPnBk`ez2lIL{ ztCHk+WU#ZrRpj&%t!p9~a6VM2vB-JOR}o*4EiTOK0HZq*M7!%bjBckf%;9`?zZi-W zOs(rU1u1A+*4xGcTN>(1@g?nB(TL1(nz};Pd+22gO8`^>mBYrvObx)vZa@$hi~Y zv%N(``dRe*1nFcN0kF23S2!n1+%EC{8V(EbXs%EQsH0Fdp~#0B0!r&eYsWT&Y|t7+ zB5u1%sA?kux&v3JyN)cF-pGpGtn+rSHII!82+ddh5S8gf(7r5br|J+Brl(G%9~`dP94I_FbO)R@IvdTH zbmEb@lPdF=SLJhtc^2)(UKLh#TkKNHLZEL@q2d#Q;hB>^l<=6KjM-^HvQo8u*9(W} zXGDHmffnu@070%1JCgSckF`L0RH++h7-?4J0B3?_XHju);F6JCG~#HzX`%AVowaYv zK5-D@;j`_1%a)G4ccu!7Pw>w;yxduu6cz`d?S#^S<&-#oMl;ztt%E2R^KJS+)|pyC zEp9#8GN;}Ex-ryHy_~6Y1LE4v0Fa|*b!~d^!pQWycYNbw_EXkao|J{vLs4;o8&IDf zX(zf+pKUyxU?~qeD}n8T#S8>|<@N-{GIXSIF{lMOk-oE(fmpQsj9p1X8U6m%fi(Ql zy}Jid)0>Hj_9%Thy4|VRz=9J21R5CE+oBQCX7rybJbkH8R;OXpz;Th?4gkoU2s^`J zv0dwnN$?+3?&UNDqvxW)iIWx6wGuV$+1?+-DRgB1D6?@y%LawhjRtDO(}_+9T)pxaj-+x~kTo2R-o= zE+r-r^_`dKhq_NEYt;L=^99onqMmdAPb1M>{W$FMFaQ1g|5otdPhTGIe{p_r_~p_5 z;W_?&^!oYFKjJ*pQG0{qCQ z=KKXf;2(NrvUT?Iw+APW)3;6tKRrDVS&JW5$-9l-2>;r+x7phaSF^iyKjD4s)R)D3 z{3)4A_}9H1KCyjIRR}0h_#hd|Tc_nvd{M|7aw_e#_#Uue`iCLlk>o^CZq_HeqYkT( zUX@7R%@&A+B65f!x#0R5Y~YJic`;Ggbf&nwa-`HA)~?eF^SN|WX*#42X|0%Bc`-iO zU``2BUcvvR~o}RO!il zum?^61suVBQ#j>SV$fM*n&}9D8?l^Arga7XZEKAZ+K(C)KpV_05=ul~rQS;KXUq__ z-}lY4qA$a5`^&^x5Ym&z_BE5M(Y-0T9=$V$*@@7EaM7=9C5;M19c>L3Nr37j?opnf zzW8VU@9U?%gg+GH>s>fTKlKzP60Rtw%^qwp7%F;-kWxk)D*mNx5Y2+rhtXv8YbE-t z%gqpAW(&cN7h6qUs$<&hB~pCHX|9KR&-adA0|ZtevN4(y72aO$uz-9IZQ-dWL2_?M zB(m<_EK2&7k$$Oj6S=seDuu03_;sSa7mWM%qVkN~WVJI4SEYoCr>INtTJ;Jy{9?3p zV@-QUug~{i9-khbe|2(nc4$ZBvEN0SWH*&B7z=gQXh){AsFHpseQwux(bV`xfhYFOQIB2c@nZX8|9k#;q-AF zTV`u`x*0h0TvM0DjC8wAi7tGrnh-s`cx?7LPY+&$bi#Fqu_KNf_2Wr?$W#x~;nzKX zh`k*J(;gF`@=JLelmWP7nMNzenBiz(6xQxR@&14%h&TpBrxgAKa|P5;)uj~xU3pSb*g;3 zYgRPDfmi#OSPt5Um7nlnowXNP9njPx(If0!RmINxT)wE5s2ubFD4?Nrz_&r=UQN!4pd>)ZHqd5darruHP5M%M~VkXBlAj9PQ4YtIA?qn zt5INUv~rJ689KR4^cIVPk&GfJ_nbwI*O(h&^(mm3NDsHI)2FY2N%N~FRJtbAP3=i_ zfe@G+UKbT8qTn}H(Z<9UlrSufh3>MPmWz3_s}c5Heq=jOFGo%`lN{ZXd7^4qG?-xo z!6I*tYX7hv5tyTAPH2hnl8Hs4g?e** zdh~T{Y;W}Nza#epC)1yyTK&r}+&};Hum5dRh$N#VUr_)%mZ~ceSGh!!;BQqNwCpse z7!DRyv^3Ts+Cf&lNj&5%E#qQIJ;y(WTByqW0q1a#1#Pz=JyLOtC1(F z_RB9h#LDBw;9L~@rh2~-#T+n9jjWWa!@4y+**iLjwcE{3bm_*4*ZK7i+Y*8>l9Pt}sC6Ywg*#ZUbb#h$ zU&Y?K#v@K_POe53Wag-HYpVit)v-ni4C@#_oe>tOKelW$YFJ?Qnwq*qO9c+pLlr_! zWSB1%`|7L9(tUW~8r94*zuHA3NeFu*SC+eoh#xAjGX}xv$Lc$hq9f<}hE3C&4<@%) zji6h}t!5Xo8p>M0hqQ(K*`d(3C0kpu++dXp>6^;ys@XA1^||+O7jp?z{(O6DD@ooM zG{pc}K&HPluxHLD^X#~tRPv+IyK~pKbKc;CUW5KEOp_5-KTdkRUh?boVlYU%vWfiD zX?JW)C9PHy_r&&2^T#`&@U4c~uG^~tvx*&c70uRT|2woXlGnWVAAX?KXOgdHJH5F8 z_Or+7Nv@L;`$88}f0#I4E4G9`2FZs?gugmE>)u6K@Z?uUlKH!;9v0>H<>$?h+#bMs%e=m*2+TH+8L~ARZl?cP3W<-> z4fkjI`IGc+DCH}L5q|dD976Kkb%gYv?)!h#e&JL@&-X-J{vk@%hQY@#~l0{PQtv*Tb(5_uao< zAHQb!j{n?0JNt%Ba~GZao9l7QZvp@WlLEz$As1*$?xO;=!m00x;E#C&q zXF-qIWUr0Nw`P z`hG(Lb>MmzhTvpubJG6a{i9YmtwAVc9P51EV^_P1u8|$(#nip!ob()#J7u4Jph!T(V+f*RjmINPDIp0QB{7dWc|V0d}XD%DD)_ehMm=W zvo#*fQI~`IQR7*o+kRB(XgcYwQ+ewM^-Xs^tdoCK-QIj-qNuqIgYU#=0H?a)!`19| z1Gl^FD*n+ue7bk=?6*nWU;dE#D4s*4oyu%BzZi5>GuU!}T*s;{zJ%1j_d%(DG<_RXBPdHwU`g73-) z^|^-R!mPa8{bQ%`;g3_Co6oegVO#Y`{Cs$#WQt%-;6LF<3$8CDLa7@N$t`2`RsTmYj^GR?f(AZ=_$4q48H$p6xuKU{YU+`ivI-b z@5|%8gTs^aqt|DLC(riwe`X=@AFBWT@L`+(clVQryLW%VfBp^ri}0UuR-i|D{#Cet z&ssT%;ccG#cR)H){W!q*W3V{^N=RhRk>*QBKCD>+MMCA7$i?5$T4$A1g`St=W&q$! zkWdn>XrKuWpB*I@=tvKglZ-qD2=#}$sVjY?i(H3PNIT#wpx<{p-5ZZtc+`KCYEUb^ z&Zon2p1ys1bddBOWRE`S-~IGn_ipxJ(0#Bw7EOYr=ZQDb z;FsE9+LIYRD<=8Tw5Z>n<^x|~NKqcBep_b~4G<3IrG$u(+vTZ7jH4y1B9aZuiFj^j6!F92=TaAuwpqNlCVqYjAa5v{9Y6HQue-WNQvXK;yalGUR(5p1xT*5ZFR+x6|j; zSoP*&V_A0}MeCfT7K7tUs-^3|`w#Y6>K$N=ZgpB+W|t=Ubisvj-zPqyMXE3%Mu&)? z&xRyQdMG@x{pH$&E+4y=r1%W_C94s_y+41SvsvyYgzc2vo5DpmE?^1jLmj0(jIrz9 zDwMNCZ8)u20o}Qc-b!f*x`Oip>TTAaWKF*#Rs$md`!1Lbv4`07WifOTzo+)I% zY7ZgrHW~zhg!biX<90fgh$e6=^^e(E$J6}uvWz!a7Pgn3e2iG$t_2^P6bjsF1mxDX zw~kL6p?Cztgnr7c-pt*=4dzQOShs7G5vX3Vs2wTMEF9SSWDlx$VB-lsmDI2C-o9EoSmX0J5>V zc-)S;f+-pCm2iN*I6yuZunjgszJC26J67}gLf_-+Rw>Kqbr_rhJqx;(jc1pciZx?n z+?bVBRrJSxu9%|I1u&{ z&~nUUIKXu|$okG`mfDFQ9C7u7TVbhLy{#L@gyFi)AovHKw@7HTF2E1<>c#Lak*8tq{^LQSMQo-YAY=&%ae57wWBRBRj9~fc{*-NAj1a5>A)Wx z-LpIcrle|In2#Rx3y@rZ6-sF1@(YqeqM!*>KkuTHz<9qw(*J?s!P-;Tu?$ZXXyqzZ zkFEA-r2(th-cHPF>{aZhqHfgGCLhmM+S^Tk_q){HOMm*G{>zGbW1!ph%Ib~o{Ozcr z-9Nt}fArV2ckf5F*A#K<+PVMZ+xcLB9;|Q27GZ@;zDZgB?$&}rf86*`O{>kg3lD#w z3t-PQ&2sgIRm1M^y%xufT^w)BMv7ne=m%bh%_~as+-+NDFtLKK-^(97W>WO+th|DD z?oXN)+}7scDuJgP6~%nrqqayFX2SV8k|sm$X+LqxhJIGjq0_5fyc;0*Rv(S=`Y>@kedpl)l7?SS4)Oz!H+3;<=0k;%4Mrl+VOIfN$K zS|jsCInVvVud#PE{RbSNnh`7GsET@_bp=z!HQu=>$4=hf;j~XA?~pi31v)i%flz=6 zs8sn(Su%-K3Lew!omQs+!>{TI=s&=Jg)%DB`1LiHTw{__iG)->p-0-!MGKUHuuD!)fmOA__-hpi{rFBPx zc1I|@&MsTd8Q|=lb%&v2o*$bu0@TX|NPVCNd)_;Nn6LH1kxp!_i$`v>D1j=QX5;1e zxhCpG)u<<$Xw5Cx73OgK)}7|oMmR}pb6Nyn?{ajH{I?0DF)lSAEv=)UZKEwFkaJ{H2 zN_Zb#zX^v!*$QU_Ny;E-o{Nji@iJ+FpQF^7pkqsNJ8$Ayp-Ah{6I=2`Umr3YeQN%O z3Y~eiNjZmn0|8shh4l__b(^usf1T8Lkk#yoe{tIz86 zHye~ruBkf=W9G|=BRdg(P8~51)!QSbZln#eZaE@-FEtLdT6wN+C0P7Rl}=&6nUzaL z8(nLn%X$n$Wo&eR7*wowp8L^2j9jYD4o09?MNEHL#EX8ovT9MN7DDCN$fR z)88IG-x|#UnrnR6-KC4!$(!v>sqheaI##vr#sYy3gzVYjwr(uVZEI3i@A*#VL~0ej z)@-?-bk*Z1L<(r@2Nz-84kxP^N6gm>_haY{A3N#pyv>B~j@KxZ?% z_~|`Dw=JG1l$B<@v-y=FH2N+ zv^Ia&pMRdbJJ9!2tM|rc^>bc1jG8?6F}`Z;>;F2XJ+*Co;O?)D-JjH~KHX^1UUf06 zyIl0YRMofD2DRqfe>BeHw*Nke|2chgxPSEQXn*hQ==k+ttNu6H-d5^=?>_qE7yQrP z;J)zx?-~)}8;iM=uYKUOzuS zdbRib@bqU=Kk~m1pa1(0SI__MqlcgTg8%zl{1@T>P6bi?bWw~MH9ewj7XbkGmEPem zfB?MZUCGf@YB2a}2kD9;FA-qaq(jw=yM5P89XS!RI??RmxOzmxKrt$$e!eUvjU9#q z$OXEVWX<-#>Oe=al{yn5o74$Cbq&}MXcesS;gYD$@|U}PvhWi5*a#dDEq|;nDYi7}RR{kVtF!;%)@3V}F zOe5F%xSWZ5Ik9r;!Kg9!p_|Na^Fd909{6~f4+HmYm@9|m$0QN1n4na+FnM_wn%ndc$!;aNXiUsq*@Dp(&OIp@jBWrVh^wO_QO}=$_slh?d@D=P5N*Nx^xkA>B%nG zaQ~J~Y8poLo1bZ9MJ+XJl}p73Pekh}wygAqKyp9!p~4x6t+bLtb8l!h6uW0|$wWK9 z)7}zRyi%aSaqG4n*cyxHL{UofG-*V~(*RK{MLdh%duDO%RscnGkHy-|+J;f%Z6vuveRdeQT)1WWaPjopo+KBGe(v!Evk?HQD*5L_(u&ZI70P7Q|Z(i`ar$JU#{} zA-rE|F)yo~D+X8*r9ll53~BJeF^Jq$i@jM^hARbV zl!90ZALWUv%KBnC*#3)3G_V-kBO@|%p(b6TNaDIR8UiRZT`Gwy+p-W&1b~UuYrO5Y z4I*Wcu%ZbkpEqXnVD+TLA7@Q|ppjM5du}mWvz2bu0Mcxkeb!0rf|&|TT;K`m0A!|9 zvm_#faeVPK0sLX2b#on`QcIhbbsP9BiRZ}!w@d{-I*5d!oFy6U4#&~01rDSj z3tNBx8rh-J`y{+k>UMTgG5ee5vp4F+jzWC}r3{Xi2nJN*rG86A=bF$DcYbv6gaOJP z|KT1Ti<+OPu25E8<@o(60yR9X!gPbWPi0v8%>b}&nCU~U7akS%Yww|Cw3rS=$H1PB zYS{|3EP8a74X!YMLUBKjRd{VJ(VtYIu(Xpk^_>002AYvaG9PX>OaJ*&>AL;g5o!t! zubALCng|sVP%mr39Y^wbDE5cIH>nOp2-1#gLOwjfHhzZ9Cc0`U2txQ3N?s7^EH9CS zEDDSqR%Aqc?5JTHrUYaO{FM!4-i9#lzQ-ZO?T73z)`99ND>EL} zyi+%+{_t&jAeXM#oyBxk3g^J^j@ubuiHXCNCB$)7Q5qZGjEOZ=fR$VT{)*hH@nO#?+k%)pw0!M z#iDHF1>{!8k1DOM+}^H1vN&>+PaG}|tM`?7;;&GmHdYC6Aczf`=D4&n$^MY~j5C4t z1ZEV}MO(yhiy<=8p_t;u8x7dOeM`x8%Ko&fy1Gz5Q5B6^2#WrNvxf%h>(f)@jV{J{ z1Zj2Skc~pT;XovL&6P6g@k2u>r{azDXO*bq1Wk)Hu%g2uik^j2tLNmG7yR&*fk#bJW|X)ka$$ zXVYRMDe!ixb!p}Jg;(zQbL&f&F4bkSD$4{JrbTxs+~^w1k>w!%$o|r1aUjQoMH53N0z`B zxmR65zizlVWI#>^S+z#>;j;pYWJ(LXbEOA@Vrqz!$&QwJ9_4P3J;=CvQTvoHNQ6o>`tkNF@JR6g~u57X-+OIIXSkKEhJ zXdbPywt9;!i3LPMA(#qF!vI;Yon#GqHuc$b&C5Fw#hOLez=96SSs}#iDpTU{gB(oO zOxPJ^)W>udsj_3-{Mo*kHZOY#d3(v{zs)kOZm|p0mW#^WYexZHG-E(_#E9Mj_aWj= zqzQmy(;I}gz%A@B+~zV(9XNY^C^z^<6Sp$%PF_s?%rw~Ug#$j)?j_A9GD{mNY+CA1 zv~lX{ZW<$%+VtZM(}%^f!9+>*XS4l-jw?2VZ($P=YavyWvUv1nTctEci=AflSnCIC zY@?d$9$=URKLSEC*8CW24-e zWlQLzcl3+klu4L}ZrS+F5T!KW)1)wc6uS|9UV7Y+V@cgegd<5FqB^)?#1<3vUeYiu zD~mRY4xnTDGmo9tPB+%>v~p*mRXZJ@$JN6v+umLcAOYg&=xhO&s` zC5%{y;@dk;c!`MYxyxgcyMKq5cFanZD_i8G;+a>C)rQJ`??;a#_Ntjxfoa^^c`AVh zseV!9t)iZl5B2#<9K}V!xQGnY2~g3*+{PYOkJV=$gj}zg1!s=R#cU{N8sG=?!U-w& zCaDqOuLCMU%r$RJe6u5ajW-lVSqj902@R%WX=uPq#-|ZIPvdSCQz(K86YML}0P2rV z)T=F5GR(G9&~K)8CSV$Rjj-{ASRc>gL@(C+jBT{Fs~M8%B?H{Y>jS;>;Ifp8O%Gdd zxNR6&G!cK+NM<2*7uw#NbsY|Y5_Xt>09QY|g#R>OR*}n^x)`0+wuQ{a9l;9d5VWPD z5Ns&4Ijj0C%}|s!&15irM~W5c6i%0|XmD_<`mo;doWGO2+N_Qw6OZC!Er`Z`dB1|6 z9x2OZQ;`(4exOBhSOg;6lFI8-g?NIm`siUy;niY#c&AGXS-{#cKNnQMMm}WH!8IJw zZ9acebGDs;N?gk zeijqIXlURvL-=|g>Xl)2{=@QBRs!)yqY&5*!Z#a(D`2VjLs1*GUqvUh*+g=OYI<6y zi8{fB?zWxZb8&{Ud|TaQv+#WcgpfH_x!KH<23FNQCJLVqyog9%RC!0OoMph>0RbDU zCdI{+8B+|~w>O(~dS$bT$`?a%~|W$XFO+akMhc; znSn%v3yD7)Ee`>R{`&B@ebXV3@Un}osa|ApR+8oBG*i+(S{!C>(HHFM$Wfk%yS>t$ zrd!PG-&&6n)>0D4rQMQM*@~4dXv!hb3ZW6DA@O&FO#M8(iEl^6lUnR#hngZrxxQvGryIH*gxK?p)I3qS0=k=d9ewN1>^kG;88|}PK}L!$ zYs5SobYl$Jfvn*ZbzOmf!AgX$G@hW$2qf~<56%>-X0!45o#GEaygGu5z%H4r8C=Zh zNug*s2!DZzI{^xxFUrjjVxsest(eMjzgULBiIuu_dLxUAs3fN}t(j+TFx)FS4Ick0 z57ov|E*jBbaptnrR4vy+6G@#kX^Z*$MI|xxR#?)*js(W1dPECWo*W&t_L}{0&8VrP zh_bjQ!Uxbib-m z2BuI9O}H;A9rQX8pLlAz8jKx^b}QyqAkdO2?83b%1vFDN05u3e>EB--o}3;Xzjhyz zwSWY7M(^Pipm)6x_W6mE)CSp5`KlmC*e?}Z5_Yn!M`;&a{RZv!p7W1hsr>(FuV)vM zL_rT?=dLmP>a@Z^Fe792g&dK>AkR&-GtDnAH6yof z;HSssD2K!GmA&zyAjRMfuH?kl$ZC6d8^_{GThoHZerk|?v1=^yImX(rD2I8){4+*?LAdkA|9&33Z7Q{7@b6?p8O8( z@7J#NrU(ks?Zf)cO>tH1oVJx7ZHrC$mNxOWujU0i_T?*X<$b?~uXGK6%Ij{V(eCx6 zYg=KH*>)8K!&Tv@q4I%Yu)5CZCuIni)3yx0l};#yBZz_kJ&#URL5RgzVn)b>`NnN5 zZNv5#f?g$K64-UaQhe|5?uw&cC0<-6tK);Aa)v_h5FuxRvz{s0De4tY4!Tblm0TWr zhKJkfMuZ`2W!Pgsgc39T4C&RQax4gvq%m=d6O)V+u>Qjs zaz}asg4HB>h0DdT1ee9QtjgIXZ2ikZycSg?tq?IIMF>t`gxMD-ykw0ae<-8i(8G9r zFWr!=s~aQ^P=Z=L&J6G?%;HEU^ClN4Vrh5a^{y7;i2cp9kwfc36`L6Z5m+afgx5~| zhD3<1t!dd+XJKA--PtduZpOQ)3|nn&v5^L`WT3hrIuoTYY7zjK;)C&R1qM?msp;e7 z$gG132&_up7|!e-596JcFt-?fp$zp+^dTg*6yhJm+G1;ejy|)Hr%<`6mkJn0eVQp~uje)qm+~BfS#up-9otQ1>iO=lO)HgVU z7m`JWOL03r+`iZjL7OlQ=3uA30grT*u*y{!05RR@jS~v#pZ@iKX(ed1K$bRbL>UOPBA0y1#4C@(a{4iR!#QSHCY(T_kFk$( z>crHuSQY8aJJ3WVaHCq|QYfWrp#tHC8&{2(|M zro`h_{ctyDDaC!oP(Hr6pua&Q z>}G5cbS#wF^7Hv0oro}=TKE}8&O3pNoBlAo0n?!fDFP_5%EBO124~dW*YO1h*ftPJzf)Wir zwj@XBlaH7KoaEJahAPf%=OcpI_yJ z1!>*Q^8iU{S_S|l5*4Y?k>a{=zalwMd{0&-%`UkincOc*cM`zbWpqL%>~MC8e24>o z1D)Z|Q{A(Nm|MCAB>f-vY)_f#fTFkIwpvS8|S{VsBGONJwt*y6W(Yd=9SGt`; z%2w{kN*Yztv-g6z$N;~{!_o-t2Jz8ycSD`&!8q9&RciM2tX=L1E%RVafM7JjCnc(d zMA&w9lZ=h-%HNU@weOW^Of$3?_`QeGy>u%$SgsjdJ4dO~=mfLTjJz^eC~Ni6>WM~622cvKA1 zy;?6cQ&CCox3*p^`}3l`@>zPxj~m5|&Fp8!1gF%dN(57#xN)m*h1rJkqmCw;NBSzR z66om64fHDz(zDy0);9yXMQIvWK?{<>Ki^Q0i)qqWM?Z`(c{fyhMA42nm>L)zbA>gw zUS?%d1X@xdh5}t9&VOT#8c;8{w{ zeO^qQKxtGL2X#ziN#H!G2x^`V18~PGor9yv*1(B%_Xeotrwdd-F9zxh4f}6pW_+YS zo6YiU?$0N4m)u4l+jSRjX` zMWrccF`*A_KCMrR{h&YPssHkco#gV=_ppLJz98X{xvz3!r`(Ze(tmw^sq zMS!((I#UDNgQ{my!G}_3<15TA46v3pDz?69hUjasBhB1EKEXIycMZpVSGR&wv2SvD zV<3#vmU=s*vfSx2shy_?p4i5_+oEwWTZCt#Jm!@OM2U*b7bZ!`%p_FN?wZ-Em- z(?Ybj64&uYf!-bBZ4%u%kk!bxY}gga9YE0TSWfn;9r5q~_Fw*Al0^_Q9f(@P6RH#V zzqL@Vf{sI>7t4+EmXz<1569A5J{L{^I;A?Cj?c2#Ewzpiwh&|srd;Gi8it%W z)44a)17ggp+T2pFnW*ZwUO@T=wFhG7l0`h|JVJ{3P--!im1ob0;*|`{dh@f>px`=H znoOBJA=zG7{-_M0E`-h_gb+M}5PuR|DP{UJU|U)6aY7Bh5STRE14~y-K|<5JF2ZaY zb}0Bot40su&4$X)8e_1k2V*8AQU+s1#dt>fp$3u393@^Sfp#NHeQ<|#KHmF0kW7Lt zPh7m^0mzy*{O|wvfBLVsI|t=#&EB+lPQ;oUcCy_5M#W=?Vvvg#6Sk|~(6%?B++w#! zm5fr=60ZbK&MA@2;T|MaRzCFZPi@#3fSH&r-((dU@QPKbhgi2KFCAHO&;DW);uZ%J zAQ>|>#BW&=J&27}F&BH#%lwoJPs7KE)DJQ(yVR)R)I8W>3f3JCzQxCHZ6B07<;?A zxWkf)xerZwnJ`^8hP?J+3#Ek+lDMa$l{H3Y>@YDo~9{9Adr& z_imBmavBl*6kiT5@HNf30mHScmEf5fs@_!F##P|ni{dHF}FcrMyncefFFR+jT0e`~TnT_Dt-} zSwqp5Z+Gvdc+B*w0jZJ0AsSVXt{MJ>T;&~ zRbXL>WY^3dSv7irbL^!lbqtsWq6D=)x@sgjE*+@Eba zYYiqkzrMhHW;&DQNb2W_r%@=Jw0`je_YwuOS1T|2@|8x1Erh3T=S5t=lj2a{@4>~> zYL?xQa2324xHwEehM5qNfoRPvw6GZ;5xh|(YQOQPg(CTRc&fI(KrHf*0* z`6cJ_Eh+e*vWTQ46GEnWu%p;zsdAO~oD!^waACTQ>r5h)1(*nOpfO89S%@^#F@iSk z--0=G5}mD=Bb1`P$(Yw|mZ{fw{l+9C3}wtbyD_aFa2S6<8`)5*!y5)K6oaHRMl*}C zBwIlZ-4eYW&IPPt=)E}lOm)4%edZ>;s4aaZ1bq?~na%C8DC$NOM52gMyOH~ZIub5M z(>vpUjAhM43U?F|vH4_W17VhPVlRwT$du_#RH0{jme~RFX?!j7t>WmK<`#^^6{==3 z3<45=G#)_Yji?+j7iClK1C}`n4lI99a}vOht2W5ZWywdKvc?!#ly4pEk3MX^`43G2?ZME}afPhL4{yr|N=B<_yxv;ZX;8cBCM{?K1G-Yyq&y_ioGZ%vQJx;58z z=Hf=$4wmc0=3p0pz1v9_Ov;jy+hk z8WX|@xlV-Kb0De#C_xBkJ+loHy1A69(FYfU+wKea=j6FbA(-qa4vZ?%vVZ$fKZS5g z<9kA?t3weXG|Yih*EB~P3N?r$U4EOu)@|u#ANLj*!Q-Hi`sS#znS6+9C-nwy4^KBX zdqJ}U)7gMKK~x7NXAw^Ph$K$*osZ0IM83pU z{9-dEwJfKR0}N^lV)EL%W^3z%A)8^hkisCsV(H|{bE<%?b$&-z)(4RR3XDPexj0v% zyKjR=JK;tR&Lz3SH`T}7J{{Qr(IOpgC>ByEuh*X2=0G?cy@6F%=l%>=O)GLd4hiRh zn}G=h;QVk+oIg9?d-?MCtMgZHU!EQH{N8BDzX9Qpd^}c_$|0 zp^J}ZCY}!6l`%3!tW*glm=+1y2nT?Z`{KIU#781;r5=OKwP8tlq&I@m zW$Q~=iI57x%eKs`-lj;Z4+1_CKPtDCUgpFd)QIqDwRShDk6UZlz}mbaqSB~t?k`+g*pVgZT_lM} z<_UM{P5!ZBa~s&CM(<4K!!{GBsD$;hTHw4f%8?r@II8FRglaH&MV+@Kytn@o9%b*D z^wnIV%6Boem*_({i$WfN*)qd2bOc6=y->HE*w>b#W%~pqVL9-%UUBTC4W*LZLxFnQ zUbgES-!hgH<${oNq;c4Aem7N3bK9Q2vM}*1TT-ikC|u1lmGo0k#?dsl&D+zYb%--l zNYV}TfjjNG$daBr)bH`-#=Xs+hNMJ2gRH4Gy_@OM$&CT#wzu1h?5KzcI1%%_c`Aeu z%*h668oEuTmYC?GwgB?5SV!(aY#Ov9B36M$tONHKi$*Hv6WEtGo_!;BWI~PvA?3Gt zONg2r4Je7yu;f+xaQhJ*!Ba>-0dNMo!bZB(y@$I3kHIh9YHb{U(Mi=-5##OJ?f1vF zEpJ(9zq5inKCz(#jov$apASyqJAYGF^%KOP@ySV!taktBX(^dd_GZk%`1;s^Z{70N% zEHLS4K$Prxz!@w|T9avJWdxJy#8zazdgyh28SILNwjxq2MS$}v4r(=2%|;)Rj?_uL+rXK0PhFeyASYH zC-DdbomMk3w(6U5OYV8Apa*J6?NSruJr{Q+`bWxj~M5m6Y?Uu2upx%(uHrH_(5$xY0k{`J2K?%w9aX;+Bf zF=aqFd_1K~5KjvN0KLSSs(Xus&DMv0K6Mj%Nhcb`2sePbGprw$i$@&8snrqpnq#&U z9Ykw#t>m6~pR-|b2$~md#q~OyLy1p3oPwG_$Feu5+3?icv1szrDZQExX-I~;yPB}G znBqqbUnYSA5WA)_ti}KOKTGF^Zq5-bqP1VY*HL7dUR%3!ZuO_`EY$8-E(F9bz z9&;G0UX7)kqua0r+D@5x3|62_dxjliilA@~Su5*u_5&73%8tu*EM~j$!3(*sYE3@$ z;7)JjGL5ZVMHIqr5dGe@7d&IKeVC-}Hn+!y=$5f`2i4!a!c_=uzd0zR6O9^jtm;V% zwjDdxD@!RpDKlqEK+ei=*RZGWkZO3o$6gMQ!0Q&568Gxi!w~2nwL>kyAoz zQDn7;s@bTe;$1B4OqJyZ$fuQ({9+#|UN)`_9Au5S;oBL0y>HznbiZ^9o_1fc&WpCD z&TY><>9@tWEUzS^S_sFrUrs=4TVO0kSutMhp|wa}<6uOax}d=Z{aQYZIurFkTk`!- zQRWF2!osM}zVS`~Ey{V$)GxA?Yjcd#-I-N)B()lYt^nPnRZ&{SW#99V-v`qgD(Xhh z-6h@Jx;HC^9mt)IZp5CNqD&0Cn3j`V346P4>lHONvZV!C0?fbv+yC}|(5s@0?zvlH z3^5jNi6g;X3q*0An?S9CO&%F;9pjdd?RUGYk&RcmNvLaKf%D?4VU5W_6*1~ICGPiP z+Spv)fe=^nvx*zRyHNxdMV_VRrRN6~^{%MAan}~fdKU@6%kCsO(>#-4iDdoH7O2@q zC2?)7o}!{)`q(a4YzLf8tAQ%|U>u7HDvjkyxL#>;5nB0RPQ7Gys>}UxW7G^>GzO== zv#p2mSjLf#X+sHLN{uVZ$D2lFssrL3K{elOmdMRLHABotY%G6WF;=Zzi9=D4^(5Mu zQW|exnY}uHyCQAyu9TgF69TcBe05XK_OOP5Grpg~`1=_(m@BPI~k)@@x3R z0iDop_wuV`@6Aysy{a$Y_m}w{6+fyLA>kWc{?+}!sA4W-OE+JJeDFkxlb9Z%Nz^7j zXqPr4DMXb=+7W40$hN}Wpr-=K)*23_gH>5jGL8!~pWa zr9XPO6)d92gNnqMj%0o_a)3v)hgPNw2`PFJMl~EX89QtlqCN#%Yk&a{Sm9KvZl&qx z!Otv0(EKe;uWv*PKvDl` zY_x&JK%qhXyrwWfg$0;m)-*i*B)!*3QxOJ&TbcFCa$bB-Fn1p!>l;f#6D*VMyA(Do+z!`kPVt7ha@VIjnihF5hAyeH7>c$LaO@p?n;)T z6E1kCliYoGxiv%dVa+Bn;f8$ap<1=DWQj=TAU3=#Z`i_e2M8ch<~%|obWGTrSHGwe zDe%%tu52bkLh2*b5F(zcKq&UW04RxI&&*XTLsE^L*g`-Gn@+!0!kgBfpr}bQbp{?)y!qdpY4cgEBovuPbg$@_SM*^wlaCUzxO&szzmyqZ>yq>PmuW&Zvo zPLbkqF|TqPo@K=IBJt3zM&CLO(JvSz*j3xoXE;QpgCuGT$!v8iOINobG-Ihp8FCwwh_%I3S>^Q7 z)9#C`0A{TuZW_05Y;l~|DF_9m#VAp-wQCigX`wrBdR>&cIQ%=rV)}TdM$#naITW;M z)8(orSL!ioL8IWP6XhazViL(I!45Pe*GdT4yO%)vWY|xqCaDtA$PMsP)#InujN7J4 znOzc@gvN!k0?dhP)JeRXL0TlFVm#w~RCnRd@Ka@H0-+Zwr*79=lLBMDnCd2HOtPM5 z^cw)OW`_I3F4@GQL0naqA@bq4NUhS?25tEW_r_>&)+7O3P9`}R?O;@dW%tfRA^rEH zH(ncvXt;t1Y#@)lvMk~i9$1CfsjD%{#!F()Ch>`$qLaBB9(1NIC*t1OH{IK)6r$m~fYm<64|MCdjX1Zr57&Wd|UuCbLh@IgPhMRHN(^yN`z zT;_KLcbuEND|L^B%vtQ$fWLnuwP1tdjD3NbD6}$8)^MVxT00i@uCupyV;FTbz1; zXIuBaL77dOcxp`l@!9bUmRj-}Gv$|-d9lNboQtLuER$9~f}(>l zFpUV#aZzxTx5Dd1??kVG>?G)O+F)*sa4OO3$!};`TwzRZG`M|}Mzvor|EhHB0<65t zEg2imuvE8R`;JP(=2e+ApNrogn5D@Y)_y+j0B1m$ zzi;U|M24%j-9oHbh$iIencpy#LV>OLkYy1-(a;!N5-)Q^4a~q=aYa8u6Gqb z9d!#`n8%iRom`);4= zn31$Vq=-T$MlW-yGofN>Cm-IJqt+jg5L6b&wTI8jRpL`A2_IZ(28+hzld?Km zV*fElp<9w+hj3+b4{O9hOdw{{few*Lu!`OY*+qKlnF%B1sS!UJ(K|V^a@ewAg9F|( z*y}8`BKkwi$MKP^28A(#0}9n@a9{X(1CM2h-W|fgk4jt8lQs=8gCg4CkP9(PO=}FF zry;hyPN`}F^2(NQ(MfQZ#iiLq^t&)3Dbo?;L@R8kGNRcTFD5OUNVc*jx@Jv~XRI)~ zwY?~VKWV7t0bfBrs!XHGXPb@Mb%t3-_omp9=8=9JLA@h2YNhFPlWU58M`reS-gujcTceSKaUi-UBa`1ouf26M^&M9lzLV1`C5H^&3-l8L=c@ZZ7nn6jw z%Sx!RMHvN_mH(S=uBamvB`bYt+dO#IXR{+&ubI^A{Rf2vx{cC2#2CqE-eiLg0k@X3 zozGgl+?~nic^&2~DEq5y}9vnUqeD1Z3D5#S&>HzrToK;hdIE zVhAgPya?3A9VAhB-7ov&-0(nd1Bg6~thzO!;V7fX(@IBHta$B-NifC@&7op`V?-!m z0W67wV@90jKcAO#gM#=SxkZI`D^)a@%BWV_ZX0-GqGePXl+`$C{c>wQs82v!37x88 zYlQkLxtcFty)A|oLBDk?C}cI#?JRG(#cNi09FDThs~1^^G7>tjbPKNAEnbnNmzypl ziDR27P{-&Asmq!| z^Rkn}$2-^w(JO@8NeMT!zCtVG8%AHq`xp1kw5^+MvrMEinnXti5lW*C>g_-^+xhjI zqXSR7XHvY3d}DUPf#MFqbTnYC(@1kEn1p<8PT__{8Xw`thgH^gM4IYT`i z*0W~DvoD-gg&?83KxSN;z@E{VJ?yJ4CmRWKr2Z#vDU@iPNEUv-umrzMFne6_Jw2yhv8EuK4Q7 zLx4xnLbQzwQQ5jIRQ6C*!u?R$h(cz3Q99vsIZ-n0nP>qT?h|q%MsarH1VVH|X`w>l z;bsV~vRW`!j(O%}u^S|IVUPo!(u@~}&=sICwM4zue_b{G?S%v+E71tA%OWZuz#gGJ zq)Co-Ua{`LZVS(1v!A#F)(lcKp9o&=4a5?~hpn6r7oGi4OM`U+nDf8|Z_f)xdwf^hz!QuJw zv-ADq*9UL+&whUO*B`3?diVbB{k!e@ua6$x{p6SWuYZI8qWZ5UTldS!1X5~=(CBdC zB<6F}a0HWP6_tRc$Yb60>BV252<%zpoz^iYoKShM49n;4g^D0^T34`X^pYFc4CE1{m%&I>L@b1=3%1#x{`LRd zd;uLo)t~l8>2uy;OTPSmy@VM4W3r1CDX0+;>tVu5I( zvdnuD!jbCoGNaj8=r67$O6Jr*Kp3Q$iTwZy-TaDgrnN%Vb2iUCs)7N!#*5HxhSIDQ zt9I67*@JQ#CNk3Mz{F5hTIyG$t$q%LvE*03 zN)M$T7JddY97(_vv$n7G-lQRV@Z7cwIIP7~LX31j_N8lcV`31qK-?f9(N4i$C6yhg zK26e~I3eKz8~-2Oz%SfQD!CbMZ>WyRp9dy+jAaft6L z`FeYr*PnmhNe{0w=AUKhb2lGVF)6RJbmNPx-gFIo;Wp~h{owv548g{^( zx#_Om%(;U}jB7A8Z^$5TQ859eqgbJ^#xr#6t<6aetaKGTI~Lf~sg9i$5-!sx8hN77 zPl&+OH^pc)oGK-`DyG-aOfGz#WB$sCED(Z{X&mCqEr*pXsK^?Y4PeG(sn`KBi8VkIP-3gcSu5_j@ANsQ;A)9GA9G_mf1;$29xig>MAxE^y6x^7s^{*$VqK^g zN?c0G)hPCEE4}oZzx0NU&iF8$qA)RjPIwi0mD=Hnj#aBgo&7H** zO7k7yAbjl$bx;|5HOL1ye;bA=)r!iFyh=MGov2XC5bbmi__`<3d<+KBQV6$oNO&}) zQp32sp%X#g<01SjFLZCiZ@cnJx9WJ|+A_-O%C>o#WK)ntNJpY%c)j(i#)599f!gMA zoFuE$B@c|o*@c=TQ_nr7TUW=y&;ciqBe}zoG}yoWI=Yel>0kfb9WAKLEx5gd?(Ddw z=*HwA(#Ptuu^pK*5NBTFR~G0tM7gLbeB1G9T1%M0*K>r z(Kk0jRq7dWpSg*><_Df3!5VTK*{vB%fSiV=#?GiFCRLpzay-$A%i`j43={%Q(@)k9 zLa_AR%bQ_e`*8aYy4j*Gt3`zj!JeU&+()5w2mn+JXVJ`=FfRi`c(Z@hN#CA66?5f%b_wF|2-!;hhmm>WtC;lpT6*;3?K8AJeq#u0r?#^9) z9|dXA;lc@JskuTHl49yfy6AMdcEV4LM+=lTD}dsecjXjP=tJ*U#jY~sDI8I|PK|nZ ze0th_w)p=0@UYAPpAv7yj*}kUk^2n?A=D8Iq9;;(s%j8>0zDC1iP?8Qwzt+iUx~|% zNa}ykEHF3u||~t-1eS zR3&!@h&}D%OhM)6$$6+1U0e@~wydfpm5g`ByS?F%l*y-=(_9O;y`u5MU%NdXUr)Bn z`Gt4^^ymK9+n4oZEV~ag@$T)^+|^IbC;1~=_D|Y_t#`>?E^5nbFt;Ban48A*WQolfPl@vx@2PJ7xUyAucs%xu?tuZ<%clV+v#XyvlZr=()zNpJEn5$v zCp0!C>6z8)6_2yf!hzJ|&=f$tr69HCd970DiBOydytr^W${a;BD&<~9LNYod0Y!49 zY@)SEMvIYQWj{36SEN1zn3vC|gwsi#_xCe*vx8j~sc~v#3L_1R+xiCNovUx;dI`2Ip1-v6!?%kE7XdL_x|(0fJJI;_uN+9a4&K*x*1K`O*S67m;d%h zbv9~(eO=Q?)cpe?9FoaG1=Dn6)9uIbxBHXZuZK+Z_UM8aR48!DD8Y*}q6lRSp5E?% z={^48p2BS@9bMOVro>0zIk{Ay36MJ|aJd#@5M?jyFjt>VmCFC^< znrk7a1DQOg(AyjNbE()YQkVQ8UPkGBZ%oT+my^E9$4J4gJ`-YU0R5=*A6S7`xB}NK zz~0{8nn`{7^y!*U_xJZ#=hyx_*B`yw`?|B{$tiTF(S%fhseYXEFArVG2P&Nyb6 z*;K9B9JZB+;R#6qofQ@(V-8KL;(Nm&Vf*4?O+S=?BC~Qpd8fObp3Na^LumT8s42Wa z_nsb!LN;?(OdloVmOAZ-+SERiyqRK(fF}|l-Alp@3Y>AuBc&DE!(<7a6cl~p_$_sz zqZ)4-GDCakrw8YUuiw6M8}DTQ@ci`A13}CW=A|h?Y*$N>fb>TPM*XibNl6+l8bicd z+WXOiKKIHn=b9W&X7$o5n5nTPiQcKQp7SV(Kx#<7@8C0lxPX$`2kso$xQLrcf99rS za78AMsTNH|u@t3a@ybdbdV+&AVIB>6n*y<;xMrxU8FAC`7q;KAY;yBo<@wC(M_6Sh zPlSvV-?;3~)NP-kVplI%oJli{W5MJsn?LrZ@L9Z30)~JardJeErXJvJH&Oi*t4u|94t$xEa1f(1ce7k=6@dfR843KJ?nC z(>RvXw)HnGHTx}(J;suOEULIAU8s7X5OC7NTiAUo_9$PyIb3ry-ib) zm_z1!^XX@v$8JNT&2*is4-!%}x6+JAITBE`;IJp)@e2d!q=s~M;vWH1oO^-}ut-ZO zq(P&!_dEA7KiR(g9E|yvGjyXA6ly-=oeSn}MRhdbLEYVj9qi_LJKYeBc>yDGmQ4rC zR%~3@_M-BG43P=N*Nq6f{m(wbse<9qOSO6>T^as|ZkoC#n8#46r*-(HO1wZKok}80 zsBWz@kqT9=+-?l*j^i5Go|CmBQL2iiV1-CzGfkgD+YvKN`Xzx5?WBlDX6PJ$Vf&3m z2v|}LGq3J%KK6WnKdhXX*t+l9seD9Tc|$MIUcfG_*sGUsO?BQW@^3%e~A<6O;$Onxt~Ghm#r$krsmcQ*EYRMXrXc& z3^WetzKq_alQdjSv#b0Z0Yot?_QV8*p*IK*He6eS41j&M#nTcDc4c&8dKfPuiJ38b z6Z%QL{JZq4OIXyCQesagGNj}i4&tIRAA^)hqH1wn%*&~!1sF$=;tTrfS_(zWh?(Xp zkaHf9cwZQprkWxxj)J@!mXbC+7QQ&#v-rUB`{XiHS*E@w@gCQvkTaZ|Ue< zh$B+Bgr@(jOzcXpu&IOeL}4+WOi12wV>?GlgEB?OiqSH>a=zM(yAAin z&SB+xRd!W(QnM_2sqyBh6O|Y`8AIdctE>{XFl*YPQO+sC3dAMA*}T(g4u!=g)?`)I zs#DL|u;)%q=rflpU+4W3Lw8FzMkoHt>6c6vuc~rTFioPli$tew|HtJQ@8A}D-iaG@ z%DJ}D+NHNN#%8uKdtn&E&GbLBvG#6lw$XG0=x^_~9Ar4t<$NgA!y;ZA7(dyN3UM-? zT?B5V77|a^;Bwn18hM4nV0BCu6H;gqCxW^rYLG9c#wHxesm};4#m60hvG^B$GrlE;5-%CGU!u-4*<$1Qr zWd7R<}^?gJhj4)4@qn6o3b3FY%&Z|HlAH({ak%(SWb60E{vz$|BOXGB*xUw z_43SzvCby^1_Jz$MToVoN@6;p>aOL5)ea|PFxlUrle;gr2W0WB++{3h490P5nHntiN}l5e*k|si)H0Rx0%cpg zGPJ|okm!V|1QAW$lbBX~ySf$BO$g@_Axf(Ldxw1p7ss3`q0WyK@S9#W%mKGf;MiAV zTsC-Pm+9Hy_K(tbBU7R++ye{9fT8QXF{Ol*&*+476xk$BZI5!Ak*Vuibc0x$`3Nll zb3Pcj+3m@j&lzJxIf5yyA*HOKy($aM^^&>t6t>gLT#Kgo6O>*upcvzee7^E8)_@B*=7HqMqFZfW_H~L%mt)v;L#ZQHZ zZHSFsng!+WGf@}y%;30QXJc6PZ;nrozD@*-$D+tPu2Wr42n^>=r-|NI>x#f@Jj~y) zleH3)iO$Byh!oFeGrwpUvYSS!zbvhbp8$t}hu-~y?#yP<7ZO{!;X&18u7%N@a@67k zd&_;Z51fgb*0h($*b{ZGOg3Qy`&w_15S2&(nCZmf;2dt=`HK%QoPrlFRfDY{7-&J0#A1HEfs7zyEO;);`sywPde&J0C z4eDTa2A_Qv9Fatnd5lzHh%adz0=RW|NahR#B1>yA9x9V&v~o4vub;b{1G=FK^)vV`rAcX27*CN?i|5*K)MM-)wewdyVjK&o$wi#u2e?vO%MQ}(_}xp=BA4YY|D1d$0DLm z!x6%T(C=wMmyati$Hj!QzA&ywL#XRQ{_FfE@oq+?ODvFW|I>7O0`2vD5N%^m4al(wy8tVI z{@8YR7K%@qCs{Wz3ihR8DmeW%5wG9AeA%6n!_;nE+F61~yk%F$TQ~}uFUw)3GhI}? zL>VO3>5VK7E}qO91D$|vY&ZqO$^1aXKjZg5SjDpIU3J1B|B;~v^m*p^g zWQs8e1GMlmsd>aj>oYf}`TH7Wh7mwEUoXmdinvjEhH052MQ7WB@a`&DRP|K5D8r3k z9>BruJ%d5=Ew}J^)Q!xH5Pbkye`4%bF>EMmoK@`?Q#YTGofL>lBw+nFZzQRr=+o$7 zp?fxXZb-Q-gkn)DrB~_e<2RuYU8VWhHOnE=azjgC?IN!_0&N~M&sSCU9=`*%7D72; zX$IH4g`AvO`xM6|pj_C8%5Bd{0 zts%L^hu7STBrD*`aurVUv9TZ#GZ`rO|D0v<0Y|?u6Qu}H-@C_-5;_Gu8hb3@MDAhz zq0DZg2nS&wl@j-;stf^UsQdLm&zV=^&!wZY7+f0_`_R|246!gg@i0Ol&wAo+i8e0- zHkM`KD<&GZvOJ(0gJ>FR;~jMoOSJ%CC&*Z!Kp4V4o|&cen&i4zk=K}}XwF-aQGQb{ z!&wmeTr7p#wY>cC(i-l}2q+Ona@-}$ygxu?=u%s-7#QG#p?05cZz;9~8?*O*`Te;b zj1YaIigWEh|1j8i5p=v0QlgqCLfnQn(l*>1G9;yph2UqJlR&cr=pT=PZ;; z=`uz|J|0#cBonpej~y>~!SoGe8l_p@TsFXG?Eyje(E_3&oH}4lLZb<@ku13lyyQ$$ zU(f@uv7;5w@3&6yo>QTj*3l1|oe)3Uhq}>zbK|}3w_>>)@0A}2vmb$VFBDiuq#-|H zs%8{X6(7x%w6<>LdWY}dzjv?5w=cHSo*woXkg7gEMouPq1WI`j;N0A`ny9%(Nk|aD*;7OZHF66%TWbC zhbq{D)3ef9UV%%rY7EMLuIvbUrNYIeM z*JiW4n;KkK5kI~qjpm?-JwgvHQuevi0~-Jc<*`mr4$sbCAD*1NKHk`*atNa`c-S%F za#JY}DJ@um8kdS5_Srq?Ig;YEFVbD9;}qCMX-u#Ak!+<%@{7+3mUPs|1v25UoY~D= zKz^ckft$x4co?(?8+Ud*!tqWgJw874bbYgow_Vc@%Pk@{`qtx$5aEa_YZ1v+f`YE#`vF&8{{ zsp#TcTL_VFZKZnoXZor56#X|DxBpE@6LoB0AsTeN+@ysEnusNWcNI6<=|BNOY z!w(+oA#-swjS9bMx3mVQ`5r_w3I@eW2P&J4OwN0MzNnq;qCKKi{YnFXrC4Vd#kDTE zP73MV`|Cj66KYRc>snn* z|73*@?H?_@1;C50Y4~u4tUDu^37NaXDnDw)KT+VNq#e!n{?c5-YBvVoe(X#@p2-G0 zgV^~*d+Ty?Dm`a|)QPHPM}>++9))7$vDQ0II&Z3ai+nJ zvklz;|NhP`S$9;{+wJ^d1Kda922;wH9$w#zy!Z_dg!wDz+s>zr3tkGWlsGa>rNaD& z=CgGn7Oqdc05a!Q+0G&KZkKa6)#vUotVv1Gi9==rN$$>-wQ=Llel{hhX)#T=x3?RU zAoZUJz$Q%hkee=ZiiEUrCp^dX z$eJ_-8jpH;?~}r=zs5XH4|ME_Pppd@mKS0$$N;P%J|? z9e1kb)P3xlyAzc{&nm^94)Wq!!9P)iDIZ4rM8ZPfygqwzcy_dZPV=YdtdoqzwBQ@e z34+XRt`lD%rw-F&R!VA?iP|``Pqv9D9W{t(@-Mxp8{@9br@V*tPIK~Vkb(4t( ze}n2%gnqn=N~!ngwVW}-bo z@U`4NZ^Pt;N#Nn99u(JaE__~=_-DjUU32c>gW#e5;ZU|rx`xAgLI#?07AqYGb@B3{}ghRbzXo9FtSG#rYqQFoS|>s^x+iJ z<>^1!Xk&)5ir3PJThXH{184}*N^r|dxmBJQflF6WT9Z`mjU0gKhF)pr#fmxvQ7a@m z=A{xmzF0OV>WA{hiNXztSP&~fIkDHZasY!%kg0|Oq7uwjeF*p;IB*)k67hIxGRSv} zVsHhJ2_tJg0LZRI=7`3G){%3jl$lZ*n#e3pg(L&-OKLq+O106JlXe4uQI7(b(48Wq!lcd+C_0z z3axJ*P1k0(Pl+^hYbLwP8{iZPcuG@GGm>H;6$^1H;L4+97%c*Qx_5qZczU*Xa@I4R z9p0)cb|G@+i*=A#%$u!H-iHL<=2)(m3Jjt;x?C6c#pCN?bajMDwC}Bh}ns;mN|() ztZ3M5reWGO4KuN;nXeUJt#fh4%4;-wri)2KmkE}wm0{aX9)2X1xveF6H)FW&mCE9P zAAtm;_t8g<1TUv>T4#M%1p@C2M{(kwM$ro{q-C7kNSc_DG)g*5Hs|RXjY|oV^Hxey zEes(k!iC%M&J@eulYSQPc0|HK$p<{_QOs zuQ9S3p1hS|TRP}@Y_$`@Eu!f$wTZwHbyTyUzpRt(3pro)32{L;u4FV z)AKpk_*Z7`8fQ||d~*s&2)*2n?2#nZsg!%71Sth97r_@S(=FZ;TPksY+caha z&Rq}sg#9nU1N>7lJiZHpEaN{%S#{~b`3%$q`_`CRd`~;_&)rAi-}mo@e|pDNwc7#_Ay| zb2%E}4H!$uM08L?wM;k_tq^?HYyvTEg}SDg4`Eb`bDeVvbiAgGIuY{dLAPJjcC!lx zyjsl2Y+e}f++!%cP-3V}wMUvKESQj|_wS)OoCcxuuv}WXCX_oO3*pkrDGng01!K|F zZdm=+C%blh`no`VsJO7aICWEATo{#Tc0Lh|eTr%wXlozC=~WiE9bP%(qLjS6sdxDe zrEU-h$izZVmS*nYn@rN(u{Y-f5KRpNXO74;(G5VpWDBW{5F5+#=uwt|Ko6$w+JMF~ z_qJG|qtlbI_mr7>VJ9jEG#s(ujG$l)%C5inFf)M8yK^UurGyKaLS#mzOp)PxdejS? zpm`$(2=TEqY>u%vDrJ^|P zeHCY9?VG5&_0`v*B)&+K;Kwc0h@Gq?R1$)YlM1~SIf3SZ%ij}dF&j!7 zRsDd52gDf3qa=*J|Ji2(zn?N4Bs#aZ-GWA@M*!(YeZ1Ebg#|AJaBy` z4_@TeDyqs|yRT1AtpZI2+5*}Gn!(S@oy1D$oEvG)KLlw;A2ox1Z;lSqU9qFxSS0N4 zRBK|ehxTH*R%N=h0lG-W^jr&905nKoAj70Tz=#lX;~H^w%{+69~w5VkI6 zF?wjVEul8F3|?(A>U+mvZ1bYJQcKMGE%Wybdg(zfLXQ$B>i~f0MAuPnuzh>_|QrT^_s2XeC2Zey@^L09MC=WYd)!6gFY3rI*Lo?U%J7mzKT|GWIooCXCHf>RVe|KD94}dP_^4MUe6*6ycVrWZfQ*ARA71B*7Pb^Ht__k(Eh;@ ziziV^F=Wu!STk?Ag(?<5W2Mi-EY$hPh8aSgI>3 zp7)?WXnJNaIvSIR>oZvi8*8seHR(P@JXj0xLLDVRFkh=|`8`+II$#_Zk&PA=$=%i^d z{k%os)~klt)UQi#YlYW_3&%gBnL$|{9HcZh=(m$$>?^59L^MMW_d32k0qsf9jd=*Y zw&fdb?^?==WCl`c!q7rYTWp|yZcTPXNJdzC1BYiCFTN?Hh}BRD@&;mP#C*u&$F`z{ z$l3FeQ7w0Zj23wzoE4JuON(+^!wn?A_3SrnxhS6y zK?JU~?-r6Y0b`|rnz^Z14b~-7M^Gd51snL5>!Qa!`O}H3y{b>@OoD%qT#DnSyV;1MSM$Y-BycH zgLD2#uOl&MPt@om((B&Jz-H~~Bi46yRa$?zliEdEaqOfrFiH=*U2#;p|3UGWXc{+f z?|PE1>&LBqjukQDa*dHGQ)dFJ0ySn5GtrvMoe#}r)K0S^fKDq?-c|6eXoYIdMj2tH z1WLWX9jDrm8f+H0tu8o|PD3nvj3b zEjK=-m}sOa!Wj21YbWwax-zZH%dww#d|vs_D}Iif176MT#(KG5_H*`JwJ!N&_ffQH zDkIr-!V1i2XSkukw^A{JE18GtN@dJuCMt3#_;o_(n_X5@MS?)N$WHOVSGuR@x~~+A zpjxiFI;zD5YHf(O6@Gs2O}8W!?`pRq0(Yi)&17Fh8f1gqL7%zLGMO@Y1@i&>1!_GE zi)>297ct##%zE>93{4V^e=ZJ!E(knA?1g3>HjvxB^|@OtJr=8TWe&@^B`H3+Xs#X*8JDgPsCBOCmGjJl#&8s}ht)#aujtz35f`IX$0Vg={%NsEmjp zoNTZ0%*Zu#zo%N8>Z^RJl7|AYMA(Hc^19+~;CqoPi>Rzsgh9PJ1z1>SqS41g<6^{> z4ESUk)Fl@3!(y5@#=gG<)W6QWVLROS=p{s}m_C&n^*61;^> z$_#lHBhiN?#a2BChE+lYb3{TSV2_g2e%NFfI@gglWP%@kj9X+!6c1CWy{Cyhv8R}= zB7h26Xi!Y2p6H)qTZA3TqL1^bQT8jeidHs~?TUINd6hmw>Wz%r(>&rJi**pHI9NFy zafLNHv;hyWP&!J8glvr+yifK~6S@|5i>UgWNg5G;3K~&Grk1|sPKBa(&T>Tq6d@by z>s2y0zV*tR``TnwOZ9km^z!ia-YY>Q>rr^KclJU+#hx5$6ekJC_+%IsBk?nCifs0+ zec&lPV_lcx?ahwZq2Of78hOp0QA1ct?%AOb$nn60Zlh0%MB0uMRYUVWamui`Qg235 z!`<8!0)~41_9ay;T;|cN;AuBiuiZL7JNxSIyw|O$Eob_osLcaZc&7~5PiTTk?V~mB z0SOaLV`CxkRl~ChEdUt@K(x3?9k$H0{B&OFbvsE(Qk=)<@p1tF4}z1ytj+Thk^ zM`U6`pGAVdIk5~oUXR7d!aMOB^?g~jIvTUd;Y}~ybOr=%LLR_*7Wf};@{i4lr!~J?9PflL_-Z=DMO`6J(4%KBNdDsM$|_lm?!e}k zjj~CDOc5IqlRLPWwX@2hcum$jmUC0Jt-kt#6c+SlT{+JbP?n!?w#%*9i?xbR)wAT z_Uu{r(+D4y7SopakWH>>b*jHKMT}MZ6>i{3`E7wsh6|sX9Mx=1xgQI{6~>cl#KUZ9 zp2c$D)C=M?bt}r*^X~&R8_V@~>A(Nm|N1{CAFBVorvCfuv%RC&hbRbnc6jn^Z~teP zf&Xy*_lJ)j?cQtGfB)p(!(ZyZ|1JJ&)PI*!)bsQRcB<1&<1+C6v+6HU1RnR{y4NKn z(`SXYah<;VN`3xc7IOwlU(xB!E5bjWyrSrwSAX2Ntm|3zcxUJ4=4KmNUc|7S zIltJsDXxm0({fbbxC_Lia5SjUy`FR@+6??;rc6leRWQvsV1=K9P%|wP5)lf(fgh5! z)=3xxwg!vJ;{cF6FKk%Hr{O_w_s}^5$8Y#9(MDGzpo+jVFnI`Xh7Mck%yJ_RL+!65 z+4achl@ZW?P-(UeAk+Mr2l|Ne8oG#NR82wgW3Cwyr)NpaueO-{?5B!^Fj!r|1T6(% z60kQZhk_+gq)-5H`3^est%CI#v z*eLh5o0xMv%QO@BW*DgOa`&*?cFc*yKStG#yMf8u-_yxRNV~mmKCC@$WlamxFyF@? zaTR=IY$GxNQQDE5V_Ecre&OGO`;p4QCS$L2sivnRLpDllDumbr(JZp9`3cX0a>mWY6#4VVf3=_CQ0q9Q8*>MqGzOe<9t;6H_^uQ`(}se{7R3Ac6HhaIWFp5A$o8z>TnjkxhXhoS#(7^a?*AacUuBm!@cN`)YD$XWtOe z%J$L2a-8>6ZW{<{hA2=xLugD2VwF|yUx>sP2LDm)WigK=&c}e(j&fksw-vN0N-3VF zB&e4p0AoO$zpd3+Z=V#KR|N?aoS;12`-1L8sTerR5q_(ezU-iY-^sucf+s#Yl!ENJ;FwCa!SFCyg&T+uSOB;qh%!M38BP1N_w>!P^EW5Q z&(F`kd2@Ka|NP|m?VIz1!!M8a4|}Qm(x+sDJp_np*6F&wCx6R2^kf1nc2IuccZS=G z%_n#Hx0!`g!{%ud^izqnA@GgcMCM@_yeD4037#>QfUZ`+INBUw!fV_@HNW zoH9P1Lvb&J%pHbhhu2ba)JnP#e{FS!9)!xu-GzJY(EB2@>#P`SmB9El8$#)a%(2R& zoHs2}rd`khSkB#`PzsyH)Hf@xsrJhk)1vlhM3n$OB5U$i&VEzs(r+|WxQORg@*v4L zQ5Y8{ZgeFQp+eXc?u`p6s4KFkRJN<|+=$TZgo5Fc6#$E1Xj=p1-7iDZwnFl8zO?si|MGMEsAu({ljPBMdMJD%L6v1} zM`XmMGwYbcB59BeY-sJ(=#(?rnQA+)3{9Q#$2G7{3qfaG6LnHl6=i>r6IKy2=GEJB zgWpocg@#3>mUOL?%Qan#RRcO<+vT`ar~9>A=^Yt#&#Dbe-6xJ&LJwN|&2~^()?HzE z(%G^|2(j;4<=6?Ec5p|yy{BqEMGu8SbSNs~^k#{ZY09NtLT(l=qxzRJ6WXUc3s4r_ zAuO$m_PF|yqUDTKJhF=mt8Z6eb*f2lCS_=*?X_lCDL>)@ZmqB^yT|(*Y{48u{guF$#^QM!TMU>zx#2qsYhLILk-e3GFTl_gq;O`}jQSsohf zjnN_pNa&!1)4ed7g~y)GJGx%|jFoLmTgAynd{^tmiPXX(7m;qeI;29`^{hW`O_G0L zQ!i$3m#9hCyqS~a6S!0D{`2O(^d6f#axq%hoyw>5LuU0WSh9KIGM`biK{C-Q59LM3 z1-;^RAbSDsuvy+}&c4|skrDbUn0_ZP2TtSEy9+^tY;d{eIkW~dIB2}AS4pfRp9Q4% zM|RVTH~G8Lv=w<#WG4)QUwm-8n}r-+HOK2ZEiz59sAhkYZRmg-iNp#9uK zPJ@`X3A0VT!6JB3b@!5?K$XXVeAEi+sI$PBImPZo#4YE{`8#hS?zmwOl^kX3sD}=L zX~JI{YHWbt*r6bP(1-38g0;2KK5v*(U{gLjzFIjyqMDVeW(^5ySto#H!$C zJ=3a*6N&le4dWfpWWxzC4nF+eSJZo*E?&v+l)mp*cs}=~qT5&jd;aN7=1?v)k48tFY!LJ#!&xZ-S~Si%2Jt z;c?>10lv#m#_tE+anW}}t$TFg#qM5nNLf;|Za{ITuKIVI#olas-oAD7CAu>Fk9tnJ zAire}+$8sc4(}Nk!q2>jxEgFDs^5u~I93|Na!+8z3t|)-c$w47x`_kdhtQ_U?dw0r zrr6n9f3G40D4`-faj_@_=N0V{iqd$SG`5Bl3bJihbTCX0Y0DaAXQErlQkLA9zsn~J z%9pP6Kr+BLV+9dH(I;S6rUallu7j5QRE)BD9o)Y8ZedVc(TSXR^Ylr+ub!COGDUn| z3>sIW6(GY98k}C3Z#vfR`K?FI4JogvI0ho9hAFGbyfa{as+uKkqckawsZgt+y&*Ob z@;C3JIRdepd}%aE^1qVw0+6L`43h#Kph#d(rH^tjtxe8C zl=qn_YN*NqTCADgBk5|819Vt-JU5&MPUNk5B%`l|Y0V1w7@HEIGhnt~Qf8QyJ}^su+0QCvEHF%nPgyv4GT~YB>S-c(}2d zSTG2ZvvJAL1%*%Ena;vF?ka(AIp6qn^TTn&svR)fhsjT$w19542H6~6WlEP@-_BuW_Y-1X9oJn41 zEYxjgsw4_{>AW@^*D<6~%Y*M0vzUwL%?QVlXlhqA+Q#)lQCb2@!XIfyLk^!peE9M6 z^WR+u?#sQGZx283$t``mG)N&DrPz{W5cES(@m+YM1Q#@1`xEwLXi2tVC(W7h zx!V0=_+*&(i;S4u)vx=DVm!o;?%ln2w|n6(vh99qM$G$wI;%BrI4;z4rdN?5kIRJX%Ims?JU@&Y?IFfSKm52o7afER=6A z%WUY36zZhe_=$#1PxCtduo#mts*a&VF{^( z`37XX5l9mXvB@y%jmF9BuKJ;5n#7@85wz28b>q&QY{C!$><~nTmOgeC#Hji>(8Q%# z-w7ONHfTnd0+KwGH)OL0?`!YZ`zMD7hp*3$_FkTz9~_+=?w=i>e6#*)yd7XbxkP9z zUMca_ct(Yg!8AkjBgB_V!I7a9kLjkoWy8%x2hi3B1|9#r;T2%|Ej9w)k)TeGFl zzf$-%HpE!!jM;73R>3PL^1gR>2x`b+l{-QcEeWBJ+~v3u&?4#vOC3F5)iN#>jIMr9 z=Zjip@d2>6EC0D>w`<<5@1w+Fk-Ok?erI_J7dADUHTslHRcnSKG)8luDLlCuO0lP; zRBfy^Mjcq=kp;!%^CW}A`C#ARJ&W2m>iyeJv=Xd@+-JsKd z-dkt9h1XI%4U2hvS2~?4R+B5kaf&mbp(6L^kf-5aXWOg~m%`EWle1SxuYYr2s=3!v|1u<}H0?E=S*e?V*ZY^N`g|EDfoqKwQIl7FaGZ^} z1HQ1Q@Z@ODojIsPV`A?V=i!wvb78zYCG$gek07*`WEFh(~ z9f0`C78_1n6kfz-5w2*hV%7XY+qLA#bhMajC>jM1Do;S(NcWIE^R7Zl9vm;{qhYnN zySes&2ywjpnf#)CEsTZMan38Fa5QI%{DEwQ7oata|7^G3tWfZHAz2SD3-KF8ZcP50r3pbiv!%b;F_g2V1z75qSQ5DmNrgL9v<95=xIO_}L8%CVRk? zb@5t-S{J+~EUl8<0DxN>>7UdMR9XpT3y5`EnVbj{;MCaHf^J|U6~Mv)zTCK4S?%CD zuP=L|;|RABm~GJVT{0iE@e;9NA7IhVrIt|F(g5eYISyXzzqx+Uk^g<r_n-#&>vmoks3Sn@h?4N_g1SUev3blRj4wfuwqsFx*5j-CCxGQ-CSvT>;9K26wL-WCw25s#-!=(yzbr!kk7^V=>T7lFg;RP(4HjTKW$k%3#1${Gk zMO4x8gKI>O>Sp&XL&F^u18c9z>Y%hC_$s^)dg3%dW0h16+t4Wr$W`lkXvT&zxdx8r zB%E3LU6mL%2I(xlLowuc_|<(Zf#c>f5#8i|w$qCYR>22RyHHQ5NhJm>U!9(xzTErr zkcUBktIiebbrvoV<5_{zoUyDDBhktGA`?Es%*t^1#wsamfMqVK%M~N9Zy2jful&oFUC~FWyHin~y;WL1uZ^EdFOyjEK^P zQiJ~;T+S7U-5+0xJE78NQ#vH7Svehst%&A*Oewraa`9QNg{!==TBW-Z1(nVom^+7n z3{4}wwC|M>ANIwYOqaDv^{|hCH8=nBB$U)73ul;2nQ3HvM(AQL3eWo+TpOApb zLNO8DGb>08-oMq~Bho1;zSxJJpy8HyVP3CBT5is^?AP(&SADDexiHAQVYg}djk(LqqGL`% zxq{5n>x3Xz&~5{N1-tL(QZ@+m9$tGa8Ev=^hCvyXc(AgNaoCe*cwlMjqW85!qmn%7 zeFUNkPy)ouxRN(%7c^`nskNrjJUNRkt28*(qlxW^$89F;Hi(xmXft%Pp6-lF{2;9n z#-4R<5*@_4aGqU}E4|X`_(8y2l#F1Ewu<7I*Xy8h>s?xHpd8g~6Mf-&n&vkoZ4{3> z@kQwyjixHBE(}5TuC_zCn=YZ!OUqfbbrR+RFcoA~;VD*W7BWy{;&H0FMWbktK~O?O zwmD25=#Lw4GOdwF574daCn&HVT)cSLyn9v_PZ4cDw1UyZM_8%#6Hf?ryXPT7*ifW` zyi_T<8cbG1z)EsO@Mzr{f;I8d31uF{p8N_6{7tz?PkkNugOav`B4~$B*>C1It$1Cx zSF^K>C}}b=+#*-S++(IR$o3MGGe(6|6VOYtV_w9LAi>B1=RqP&%h4RXvr>I%1&PRf zWW9Yys~23AeTE?laf)ejsQ{~>FYrPC1FaaIF}*ATIwe$eE=#BLWzd;|S5ds7 zgGhcWt}hk}Q39LyF5X+S^-jMzJ>NTcb@Y1u_S=gn8R*qee30!wz22jUxg~Oo%{=Bs zZZMBdR3~{|-l6-5xgsx|))@bN%BK0rD`>RO+(y6yaWiL=8Gmr%CKhBC`9VOW`!7Hz z)%<)#`EEVNuu=Tdm@C}e#jNAuq*O5EqjYu)O2`-HENY~So9LNrQ(*Mxs3;;ub6dxu z>3hyAqY$o)Es87K+(-fU7f`T-mJQ9K?tOjm{QTst6K<~#A=?^B>6RCO0_>tnGg&^w zTVN}bB8-4=O;Ra7eBPt|EQ9uOS681G~&i~G#--$GWHP%L!} z8L74J#Bq8lmFAh@!eEN1b)J+zmuxdLn3#u;{6J<4wqX!0MEI9y9J^5yh!3HXG|EiF z9%euIOzC%byPy4W%jZj952~#=m)iZEZMj=%yfF4!V+CL(@_f$xG@S-16y@#hUQrHe z5a#;D4Z-s8E3K4Sp-j<~{#(hY=CTu?D1>q0St2u(W6d%re12glFl~v2L}->_#Jhg5 z?vHz|#PR#R0OW7AszG^b3lF!Ir?atQhJ_22Yi+ufghjWU)Ks&|ZElxSHs`2U-{9vP zmfq-W-UKXe)vyQG!iq!`nj*Kxi$cCErRUI=HZ^~lSGOf_ND)G1NIY~R+%oLUo2z~W zz&{&mYXFHTIR$w7JoT7nO8W}qQj#M^uEY_P?evs2&@{ZG<#BBrMf1}N^?Yo*ow|m|VEXa{5&}EP2>fnj_nx4r>#XzV24j{$VIi%r=S z7sK|1j> zZ1PY&DN2rq6_8(N;;Mr>PxPC&w?LPlOLo4)+e4pL}(4bS6Po|njZ=_K@94~$wLH^m0&JK2{S2|E0hfP0lcx3S?#fA z!N^$Y9EIq}9pcE7&&Bn5-u8r6tJQkgQtRB#spu%$;b@*a6qpo9OPVv53OC_JA=%og zPe)V?i137=eWF6)laASceAIwro0jo#StFy~4u#Zoj zaWCC~ogQkPg2+XZ;;gWNTZ+xt!biMuBFVnlG(l>Gyv;LWsD7dxgmU1wx7`MKBUuv+ z9+M|9tE@(DA3KFRWh5BQ<(Koed3l3M}NvFJf z33ctON{&F@2!a@UDMx8cD6+`PM*|r2RXHD4Nn#wp@EE6-?U{N2P@F_-X3%ZyVx7dug2{HK z7W?jwF1birq+t08iI_5)LG6&sXKX8`U*zk zJ_!75t3g6+cdg4!(hHD_gmfEm0;B=nN58hGhw@%^io+5w^b8<;aSm%VfsG|>)U!h4 zCQM`#7m0-UECDx!grn*`umLO)I3Z;}>JqG$g!Bn8UGInTiNMj-7U%dRg8ngZX=%Qv zN-(i4@-)^FLX%S|B4mjhW`L_rPCIHe&Tb$YB$*U@v|En4uI+BWeBUG?1P+`PY&sC@ z*<5KJoDnY)E>?kX$h6#G-U(X+QH9T1U3=m#xc-5PhgEZa%?)NZ?n)-hOv|Flt{VQIQ6#Kwx4kX7H{v zin#3$vh@G;{#(oce{%Hn?b*@m=RcSDU;q0s|Np(a_aEGC^Z!4(_u&37{QrN0|62V2 z?rvQ$Q7sVvH$MLP)c=j*QwMw zq82kND=8W5%Z$J)eF9?^lqswp+W7v6I!3v+qR?Z#ruhVa=q~ClR2GNA_bzTBDn)SN zl$%9=+YQj)752YUqGU7O+REQMMXsWKu(c)kuv1m3yKimv7Z;WL6e4eHYm{fOvE1KV zTXPu)zT7x@cIa9PI-nPUkf^xb)jyk})VH5RdUiR3^M&|i#d(dyVO*iPKG0zBWfaYGP#BbF&LY6Sbq$u$~nsdP|>8gl|3P2(^KwK^HyYzfLhP>X| zdX^8%dFIxko4#|W?|b)#EF32LWZRkPt`|I2(A?(d?wjqwMez@^4D}Of=kL8vY0Rse ze9Os;!zPbp5!!3BKp0o6NF^1Gu=d2=dlY}x${?eF!weE=mH|6Q! z{@atIvu~WPsinK$=(Qc+*1T(*rB)!o-khjW=h;LUwO6@T7oO|0hfK3H!o57N@?^4k=l|;?lUCVdiC`9Z8}1Os+MVYxQ+qqTLD5AprfPp~fA$I0A7@UFh^Lm(;BrRbxt~Z* zuGI3GYN%c^gEsPu$1>O%3J<$$H=l=_KibOFENBH-#zliveZ?B+c`BFaF&N=%ei}3l z&b;6S%k*9E<(j&29YjlC;js38lvV^jG3cbzoz)gLb*|{Cf&enr$C-)aaphg+ zvMe1DLs>dgS7+E5Qu3W{2U4(JX2xa3Q^Xx1nv*03l+#el4-aSvHR^(u7{}hkp{eNO zpDs<@kr4tiR$VI!+jl4AqO9wDijh6%tgH)@VRE_QWU{-`8QnofhR~Q1@`~mRna=g7 z2Ezl}Fque|uPBFtlal$_)3}G9wBAnZ?P`lP-b*5p>)gho9Z%MG+(M*L19Hop@Mml9 z8D3vbd#Onv==n9{rT9_%3{O=5@ZFQ5`sn^1rs_BR*KGcqE<5M`{n5R9cECTn_bfij zzxn9d-H$$d_R(h#KHB@#{VY5apYZT0atXS1+2wuX+QLTdGIOw7EiNw9sA{}<<&jLP z;kotd4hr9a-H$#!XmkL39y-sk(VBIOs@l9ea(^O~>^C1B-uvjYgO5JD-)O`A;Y5Ee z@Aj{{_tDUFG{)Z=kx^Ioyj;D#;fIlljJQ#U%fzf z&{&CaMF;RK_JI??Nol7>1(2A?6_Jjj8`@oNm1Wz)*qL1X2?(Gj!WC?CwOAuY4f7$z zl8K%H@vjq)CtBW^8UfrT*6Co9S()3_*wt5Ywc>0Bd;_>TaW@JVBFj=o2v`lonEfe* zjb;+oh^$Ph#vE)--lEFMJ(l7W3}8^<^}%Mw&E`w7jpwY>{dY-n<|g!tmk%6_5{~rl zgN7dxb=K3TPK@24mi4~sHDd0d9QL6Rl^jGxmgv@mfqETEHutTKL8A?UFnjE>4BmH!&D3CSiY4qhzgBM|^2D9bPFmnpFa1pENmb&TAX(Z&si->yt4bG7OW0lk0)EsFJ za2C%2ZPcOC;`B@C<6i1WDVbdBIJSm+BknF=Cda53=uFnO2LhE(g3$EtK3#3!=F+T6 zL||vNoynN;sg?AaylMazF($>8xd9BQkE^b$G#W!Ml+|Rpnd8=zYTbAlQRVQjK6aBZ zAMB8AZ%2_0=i2J|FduDS_BK0-ln>9X(w|HrZY*(GkBk1myi-A)Ovn99!H5Mp6q9h3NE z=ToV#W0aPt4@NddYXich6KurBxsGVexqBzG=u&peUrsL)kz=mquQV2;Q2v|TAmtQ{ zEqQ3!C9!|{<=LtCQDYx4(mNq`h#M{T1}0b-!O~>o2+pXkWF8%OXGE3}9;jk&D8(Qi zb5w`NFE^X-6~N*=hDhqrifJ+|7kxrIuWXNtpFvg@J3!MynXlOhbdlHnW2LX)kru9p zg*~tBV@$24mKu zV2xzult!waM86^F`0_mQNmGW!i(;Z#E@|GtvSsw@YmzuAVv3$+q#%mFBHlB?)Fs=r z`C7Mq6>_eCpOpm+bvzeSNgr)7fAJ5e{ZM`yQbG`QRlOK+LFv6t+Ve47jqCQ5?_IbDOG9iG@a(s*69QEFZR3MX|4^wv)bFyS1^EEl;LNE-&2{ z@2|#ueb`8tC2cuGkIAE5=}i21@>`sP+>|{hBQ1nimAxcseIO20g^CKPrqdq#$a~`? z`8D5rdbESmTrGLQo@oYitOl}Q8b0<^Oq_0LQ{3AUZR?mDM!ie!jtS_SC?{GdDh2XP-?iZOhNnXuvD>eKnb#k*R2zAnc`(GWYwk%Xdnc-x=*PyW_si>mIQ|;Mp2_X z@ND85pMd4HAL(wx?c{Vh>6djVNfe@2G7w_%VTEW6n zsH^8k7&ZWMa>DA{Umsk0T`{pX!f-@pMAr`>q+GO$!>m%nd@&~WABC#<|DFHV;eWn7 zJOTRW{OtJr#qq1dgP#in`Y`@y_x>k$@3rwipWMIy;1~SQ-{8L{{>KRkO0h!|XKz&u zd5Gerv-*b-I*32$q|cGIDaJd1(rH9k@Rz|1{m7mv5N{}7J4=6_nMNYT45(LXmRzJZ zRtUOWFk@=ta^V`;R0&Mrv$UCjJ|~CnX1Qu0MuJcOX2@)C{OQEmu)OhqYEmrW>+*sA zz*oLQSc4@5%Te;K*BDIiXOt#l1D2|)WYk7|FC6?@7DuznF~9Le)q@fh=eK%Vp@m4hAkr@o8r=}|dy|Cb0HPizSEpmi?G8PRr{1Q5E z#Zdmc_D=ib2E3;>aJumTUaCKCygfZUId?xhJ~?Roiu*YHO!!)w zze7Vi@$b@?WqIZPf_8!}@?|y$O@qEfnm{p3i=OXi*G^r57b@hVOqCQ&DdQ3OF|JfM zhp;#2?%IV*NGS_6sA~~cpr6xuQC)TX)QKSi%5`6QBPYmqfX))ABg`IPNF-MbY{ojN zK#%cQd|_x63mk}xjM2*7%Ho7{hlE=Mm22e2Kdtjw_vx~W|4ot?0@|U{gfIHbF8)`x zgj>hE+v%IR6f?s)d>lm;;h-b^UK8&@`{**xu$MiEtS~E=sFVVd+A3_7aUE|#CmECd zn>~RUzdk*UiJHX~E3V%vE@kQi#FGDy-d$-~Hi`vwXQyXbky*L{Bfo@Rvk4$X$wY0MEi+%}$zx4CEh^-uQPNj^dJiZ`wn+(fl3QW7 zNXKt>z|wsL=Zw^f?et|%2D@w-IzeXc18nx*s4V;0yr&%*mX8ryNz-1B>z7WhQ<*>c zUE`1K3gt)q&p{pZ!W_U6*uZy{!=LkvO4=ogC=ORdcc9o4Vjxml(!FeKt475uiSH=U zWQsR5PkVzT573xL41(;>3cXY(E7WwJ6Ou#0-bBR@;~#3x#05A(1R8Mz`xi41e<2r1 z`~@e){cqrFAW=OjZ!YuIK{u}~f3=w>Txq=K!Y5+5l0eQUMa?>%{wV@qxpBFUORy__ zC$HRi7?s*{Klp@~*cewa{_OJi_}4@2D!gJ7Wre>2s2Z zxwW5IDy5QL6Q&b17HTT-xziL`bW`K8G^Tc)UW&x8TIBH*Sljth9lu=N^;=N-fTw@V zHlxf?o&cK;1yl%Ke#Fw3RgImN26@w%E)+9UpN4nAGeJr`;Z}A+`l({quMFSrZcv|% z1qKqO;I1O!#h6u(bJ^Qu9WDP>A&CZCUYzUPR)GXmAmDz>^<>`Oz#8o~lR7^L;5mU4z{6*|jQ<95_C5toFk6{i% zS9lNHx2zO46_Oa6o%mep1=t~D1EsN$n28HiaIuRi{X0cI+$2MgP-^=M&g->$s}gS< zT^fyCS@O`E%}DG9OW>9A*EI|hPt6}~bVRT8>d9)QxXOlD0C(|9`u}urIWK)2S+A+e z7(hV2eO=5r68vx4t>m8P>((O8J^~taCV7JS(a5VPh*Uz10aM}=xM_O@N&xYsNX;n9@Zy!hlEy%@GSaF+&g+YdJsmZ663O3JXuhbB|t^yOf z<>-l)I8l>YT9a}jT9Jhg+`(cZfRwc{C(!ULDt9ZELN!-AGsshkb97Mm8oOT@GCV2D zrHM~WjT_p;>HKI*`jb^`KtGoctqL=8wefHvQMko>*EjzoknkR2`by1r1It0V57pNG68vD+i;^`6aLE^xMfhxJDk8) zw+U?q9n3Qo{;I_VJ|h*1ZR<=8&q8a%((L4TGji;0uNQti5nlAAbCzrGW-s<$zy11} z5)gNES3tsD+DmH;wViZ(RbR9!Agi~83Kh|PHAF#vY1J1cH(J)L$1e4}loeoXl&KAu zk`#anqH5io>d|qtCm0tjYx{T7qSn7!?Qk)@F0WAIO8O*1O@r!RSzh#YdF2_otU~3?v+DW;?TWnJtC$Sc)78?9$lF)(>b+Yauel!)0oMbcEMuEwkFX z-RBdOO8t;eVNYo|KNg~Mg^&$}y@9w{_5~-?_lq2@25wBJ{3(-IP!1;gh$)kJsSNI=x?>_qF{QnL9i{rmh>4^sY14C|qfiSL6X7Q>#)yfa? zJCm~pAiiB&RWUDcY~2Z5l6Nd7s5N!LXGLrrz*Yu!F(S(Fm?*$LdMuG^W8JdC#VpvK z1e_05lvWc`dxB7R@O)<)Ot!*P);Xtz5p$_1T=VU$d%NfWv$B@gFn*=Uvz43c0uJ_M zFkjAURF0TA%{RTum+qZl@t2xE#45u%fGB21i_O%_W-8XyQ|~6edRp`Y0+_(HOcJDi zC>=(m8F4aBU)rH$idt;(LaJ*3E4zCf|{1w5qi_*|3}hA4?*;fV+;$L|+$K zvW|8t@S|16+s8~AOGt@Ipw>#epWIGUMZ|DNY;)L~QnSdGS)9n=@sL&P7gJdL7!p&s z$&%|HUre1ciY2q~62bzoVWX;$9~&=dJYPx7n#%MGoPw&ki!$X>b4x|+Fhej_9x9nF z=6J#>`N}RO(_S}H3k;JfbOJivQdH88YP%;|xYTD5Ov;JC82rf%C90z`Rzk#q@!QXa zc~r|fltKt~Lx+pGcjkp^%nFv5`h~Z5GA8@7HxjfC^GkhATEtF`L9MFnOBY=V^{rFk zi-wi6Zu8MNy`?ITIKlUPL8KNTu9a<(wT%WV6)ET2>01(hNtk=xzQ092Nlgf;;kk~8 z4aS#nu_@ZoGikxG6WS{(of5{^ZF+?F1BDKz%*7rmNiN=?*isAs*z_01Yj|6U7Gev_ zY$%Pb8Im)o3%{x`OU>)#h0KHXdqQhQ`Mt}8XVCGqK}KZ%Eu!)R)ZXy zQ;Wd225iXdF~=Sx5uFeVxLIl`Zr8CwDH?BZ_lhv5M>{{0=wo{J=G8s7_{EHUhkYD} z*WISv>G2yRoCsHfY+SxvLs_vf+xpgNVq57J{484?4Fz##tCb4b>BgC|I~Q={S1czb z)HC)1DfA=Bk@55i_#M5aXf~Gv-Q=Ej2c+GPZWk(argNZ3j;n4ED8ycz6epxCCnCx%G&VucU6Z4#r?m;%%eAsUGqT)bNMF86FWp`3x>dQU-8g;q^yv6B zJwAM8o0H!8dHP*GS){$u&G}$-(cA1qEv!)1b)u8nidsmp(r?DMhtG~0lE-kw_*`|n zH*n!{c{gxBrx9O%RWJHIMAv|JShKMw61ZkMPb9A3rsGOahlRV9WD}?gK!>_(0sH>b z=0sBXPXqNXefU;n&Fd*z<)~TC$XzTxn9w_MYX8wh+|LLH;%|eTEyX3BvX+9;_dJqz|`>Z*0M$AZ6M$e&;tFY$i{33_TT#~GOssU)Q zuF2xbgX9$@r~|vNa2jIiZ&!sT^X)6(3j5Rjvb)we09>*qc|!nV#6&WSIW()kuO4DS zH}zh+8z#KsNv~Z{kQCvK8<1-!mxK!YTZOsb!J{6vjL!4e);UbgQN6c(p(b!-N?AH-Z zDv>>F_M9ijmFs6v%-mV7^Y^u}pcyV}5^4v@By*F4`fw>6h;j z-w6!w$Q55#Y0~ONq8fXp>W7Mo%~T4TwfkuCMfy{iFc=a}0|vT|imA#-l2Ex$dD)~? zDalced>R{XHh*KIntk$>kOf7vYunvx-)^l*4iqmf-e1I62)94i@`~SD_SUsPx0SD7 z4KuZ0m1AVH!K_bsaYjnlJ>7Hj28ZXLkd z;cB_~=Cxyo!)ccc34a8SsS1R7(?q2rI=&9|VuD{GbUle8ipim5zlJs*CkdjXfBM(| zmb}xo{-gUD9Po5ng zKixZdvv>C5$wxyC*0KWc9wa=1ekQoc?=WMYkQ$^4WQC%)G@^Zu;oJY zIo37o^Xn-*It>S4sBVF4@g^YsPG9V~Wr7F!Qu+E>&g%m+oYXf3@6RLB3*xpKiJ0q{W7K{GbHD^0`!g4 z1koSAz+SK3aGun3;M+mGxK3 zv*th03~gPiJk-2*%y5d2!NzE9`iLOcBdZ8{V|?IchlfKqg?-RTTXSjhu|)}%L_Qv| z`#|HTzirGz9Ceg7og!YR@0Z{EeVerGaVgBwmgli}=F`|7C^d`}{(zHB6p&5&8lmHy z^m%7^ASytQ>`)IyzUqeAQZ@B~#MTGeHY>ABn8?Y*X{S-soh6CZ>k>SKdPE~_4f7vs z16A(tPfty}n5Nw~X}3#KobD`bUHVynAU8g|UB2*LG|lb@a)pL$5_vt~?(@vqnL;@w z9X0BsXr^5QJ*6uRj&toFi}w1r_tY1{H#Ki4T3uLGQu3@U8#8}b_ef7Uf4tS1ByAUD z?BSLTL{cbtOPqa4Ub0(^X;=>lFa1`e7YQu+9G91(L0$im{((j24Y5%zClgqZgU#6A zj(r??`}t86>hgq}zRJOG*3+~qIdhruok@`52rL$OMWO{% zSIQ-7U;~rEm;=k!AO+S57w%J;J1c7{Knbc3g)rI0*@SEQAofM%GNK=b6zmcg%j(8$ zITHgh_VNx`Yf3x>Dvfnrcynd7FL9a3oO*&9{08NDrlh*naO~k4&yvriG*2OGV}=^f z;k71|gP#Ti_n{*nLCD}^!;LE?I1zWE8TDgU6!|mrykvEdhNr;$jb_X*wkkstaD`2+ zCNYbdg$;)E^(GL-t{GmodRVGhDRMGKS4>lAboh8A(Qjg>;!b=%npcrZ+7&4)635yi z;WX|-Xs?m$Y#TpwW(r2yT{M68V+D5bLaMp;>y6pXaC4{imNkN0t)!MLm!O=b?o4Ax zrDi~z6$IkpsKcg5CTm@r@<6LoJ?btXMhw`j+iy#vUT2qJvakM1$PHqQGlzF#6j!_>d;jpw&1m>+@&3)Cx;Px2eREXo z_dm^czIt@>`@tuJS2y`TeYyXKSN*fSljTu+J$_$*@`ul!?L7bf?(FIH?#sc0gV}WV zt6AP(K7Bg*&GjE1zTO$1e(}}4uTLkR4vt^n?3c6mvxC7WH^2Y(>x)m0&rTlAqxRlE z-=7^_KmYn=eZT16{C@oD?oIh}ncX`%`S$2~uybG<%843 zi~91r;_J^o&6l6Pc{};1-#?Ao`||nM7vueZdiL$p_rDo_lJ9?ab~L=WtY;5rZq{yI z{r>FH?Ax0M&qm8mrq}O z_WFy{onkot=Ii<8>^EN@9oE(S-lOWl`2EA>?%n6*a&Z5saDON_FTc6lJ>A2h+zoveYN>KGoiV`pbCQWLIWzDh6&Sac>%KKcxbPn828o`Yn)_D4SIYarVv*^MKs);o(xxM2@j)dbQ8|1q$|aeJMD#$WNj@_ zOi!XlKggmPLMIZBrPkmUD)^D6)hxT2ZtQOU9AA<&vKqgWyhJ!5^12%)Rl`m0b2ulP zUx=Fmdo?O+TmXAK6-bh%XL6mgdB3PZhtpUw9wdTd1i#U&)h@-g;4HFav3KFn`DhfX z_q;yaJ9>S1a(?vs?C|8--ae~(Fm|j&)XFUk;Kd(U^+p3|o%G9B9{#fGDWa2c6>*hr zC|4+6LEKft*{S}UUbk|_UMXNpCm5dW?sn*%eo~a%7EKK=d+hXvCz8}X|8t++7NwF+ zd^35r+;{S;*NI$iX-!5=!qU>GS(QI}VBitAG#3k5y;2}-wE=K$v&R4n_uiXZoYv@% z?kWF%ngGk0f<|Zbl~d%v#^uShE=x6fxgJJYCB+JcTH4z>tD_#k|2K7mf5jDR5^YB& zv~Qf*%jv_1NU5G@gPL3!hJELuo=SAvI~Aoq^>RBs)f(_Vo()M0V|;}20zmS#0cU1R zXj5D(50|ouS_e`zgi>rXZLi3!HBV}kyHPS))*RQ@bSaLnfUz*+tOXJvUks_gq6CoC zu#Zx0doUT|jlEDZOf!D{B9nkPy5Cuv-Euv6z(QUIu|sXlXlwp%$83uKX|Bc2i;+rG z@&`1bnm^-W!SjJgfPFCDcK3}cGeeyYMs*}yt}wPW4kvX6xYpKzP0cV4T1PRs%7q1Q z*+QWDgdh=JdOEaw_%2dF!s3dO;_rJgv?Vvdud1>b=^}=UP@EC5*5-YF*ZFi<&by@l zS1iZH)MTo=Bayw6RZ%~1R)otVo}DRxQ!KdvUT^j_oXboY7u_h7b=+bsHQ>caqy57p0HHQHx{ zAf1%c$5lNn%J{n>3zHP1CsXiA7sDr)!wx(lPi){F5jIaS2k~>_6nC=3ZQpJ+sEY1v zP@n<)d(AKT6W2Ijh_}Fma3(g50GN9i4D7{El>`Am@vP6dxJ@8kxR)J>a4B9Q? zsFu?6JsT*Z0aKyk4hkn^cT3Oib+k~1{8kl+9`-|z<`Xk!Sb3urvhPWU1=5-GkoKa^ z_rxt1Rlu;+4%L?IPHm$qVz9iFq`JjvY=@1$D(Q^O*zvq&n|XuGiYnm%whj`#$16cT zX*O~zuX@SiH#-CRE5ItgnBs&tK;B#AG?vo)wjv$vL|S`bHFY3>tB@E=%w(I5wF1uPpU5pSXJG1I zKnQ{^4NLU+cl$>NpFjQ`GA};wsVzG7gJAH@XDh|z{9nE}K0TA*FV+S3eAm5!u|5p> z!k6OmDIxLI9qT5Oa<~}hR(wLzbA`>m3u#qSSXVc{90PD9TwOU8~GB}96l4(PR(ih(hlh@a`h z@$LNB#R?BF;+X?g-2SYq6{RX!xbXE=zMN#U<|FV?e(yAio`%fA>PTaqRGyM_GW&I~ z4Pyxqr>rh>DK+NldTk2p$xJAEK`HxF<}NhwV<*i&;dakF(`^vkSfN2tJRsuswFs*^ zR&eOW)gl?Ipu&{;tWjo(Ct(g|s=yLQ3#P>rG99wtFvZ1HE~WBV2qP9fa!0nD4gt<{ zi;5hnzp;we)|_uS^4RH*f4woeQffkgZ=vUGeyFYX?t8qy{r2ox_tW^9eiR18Pg|T| zv33^|gRA-$J7PoNmhe{6Yk3jUvkvzpU@tTQ(yg?o{pxuThj6knx7BuT+vy#%4V3AM zq&9|rEfKJKs_pxZnxNwB@dcVTUPqS@eN?(T1RzTw$PnHbEqGZq51t+@fhv{h2)v8a zDz7`9e^Sa;CW^<`d`fK8t;LjRh>DPnE%UZ_f+90T{T-{nZ9pR7&`R7M%lc!{3!($Q zneO?_r?HjuqbISb9{*y5{eOuO_JPCyTIrQUC(f4$*;)kU4N?#uL_O&{srq<1&(wEniV zmNk1;s1FHv3}q0aW6;okb%XyJsnHqwK#Q&W^62#J@HOY9gE`_%JWSNk^=^U_V{l-) zTarA(f!xw7Zi~Q6t2hwn{#nY(sL(`;RcA7IaSZrs!2drdDa+|md$ql=i92k%NVjB7 zx0SX&)t$@&>GI^zjFC=Cxn}!|Hfj(t6Q$ zygQ;yQ=g<$C|6pQ#~+bVOCnsERIJpH1!0NptWP6aC}W3~=Y_D0G$9l-3XB#w1~`=} z096L@W8P8^W)n;0GQ|Ml8_{pI96Za5ud*~S$!1ODLz03SlJI?9-PwEY!Fe;!-lGr0 z<~CaYzj4XJ75>MA!_zO$j^CUgzW(y)*KS-$Kt&<)Q<28Aib?yOuI%Qtrf?l3dnO& zV%>Q?%}KqKn0rGEVGkWMycYaW7yhA29wJ$d&@>}%Bph>JX>AKIm{Uf0wtp@7LY_jg z6`V+Lzk@7P4xdXYJ2F9J89*U@k(~KbGAic*L{?Ohb@)T24hte^w_>Tvfi-w7M#+ z@HcN<7IV{@Evpls4d(90VV>A?bULfOJDmLK#lv;-jIV{in7OvOq3c8{;L3d9 zwcE+Qr&I!woUcn%YaquLUQVUHG0^~1*7+5RhP-PT=(hE7*SI6~E}&ziB=*K9KPwid zt*8f8UaF}Je&k)-8Nw*7_uDqm58JebHo4jygfK5(UDs@Ds0(}VYStal}P3wB#9Ymy^Bx| zKqxWJmcrcl2H%E=p<4{MLPbdm+VIn~&Z;YA?bR`R8dp{=p;Ma*o)&x=79*y8liCT* z6`qqKi95S3&K)^;WI~zb8CY>Bz930Sv?n1_mDx6ron)rT<(Nx1!&gqpWkk5uaaIjk z)ZKE_)#j?AUPuQLfNsmLKlyzj?cJble&Qlk|cs)~^&3jH-##9xi>&BLZ68 z%pD&bKTf|YL{QIjk!g{;Skz|OliY$r3lkPTaxW+Da5NIyX!P@E|3KOB^}%zW6%^Np zif7*S$&aLY{+cCoBt_gU5Hm$_@$d+YgzsktxS*iU?eRzi`s0-i1^F$~G;qILST7nn!!lgwFb?|sgR07zXj?V9d3tDGW%h;!X%pM71st*z-q?>ctCic7&=VMOUu z%DVcrd=tvV%AOjN7A!{!9pbzV_9cXD49`5yHchUA7#An8+c(mN-L=+?M867RgLTRB zwgNj)Ok0X?=84yxLpMF}FxlO>h=(ETxsE5UD08I8=Nc1Tc+n~RbtSOA9^mKapBU_i7hFs1@dF#xKV%_b9h zQel{3$OwIKeQ2tv^(@s~eRj0Pm&@U?MI=0(;2@Fe$>j{UlH} zV7ALsD%AEGMY_BwiocgTPS!rL9NzO1edPy8!f^pp**&+ zc1!J0x)Nir7Wh;Vi0cwg4I_Kw3%obKvNv;9-fI48+$qJtgNl2@>qb73qw8F`NH?_I z{SD&rUhE&d-c9$?>@o=$rLrxVU;7$NX!n^@HBQQ>H_EOp*mxZ0=}%vmgZybR;%Nc1 zZ=bof%B`gCiBs7euQ|^9Pw!WV4ouJTe5k9$^OlTDH_hwVY~@RaA+C?pyu_pG@7D=4 z?N_8+*U0&>>;c?Pr3K#PPLNpk6Ie;>G8KsISa05l&W6PqEosDj74fKy1(@I9z1JFn zNa0b`-Z|k?A%_6vB6vAKwZ8 z*ha~+H;sQ7oVWcGZQnAi<%>)s0`D-MD*alOOSnR>{gs$>(W;I%v~H9vL2x!j-=(kx zW=f-IJj#4^0X67o=4x+b#?1Y4Y9BC(p5|kHp3`-r37?cBXbdmueovt#Ox0Uyy_wX$ z+K#^IUDvs3JL0Bo^WY?Ol0gnHh~P!&skjvlqjvzq6q2U z$V9OI^v-ai-aC&v6M!7uuZphfecNFfLdjID7k141Z{8K-r_;&Ir?3Qe&j_tE0xd>N z#p7gPQOc{4x5HUtBX1g}P-0rFa0xq}{Gr9vW>cmB^bjHGRf;6}XLxGSiJ?EMk}$D~ zl!4hbHyUbk=|{q&CUHy#6Zm;A{MIEzx><3hhiKf z&q@%tECwp$+P*~`-+XdeiGXLOzq{!7F1urIdzIM^yP{dx_-%25)r7Q4tzKiLwdQNP zaEJOm5NdkE>#nb%3K_4ito`QiMZNx4{F(Rv>>Y0(e7k!@fce9%qm#Xpy@UOqwpBx>WBGX}S|HUs-0`Mc} z|H0V zFFI}Eb%G%`I(mPTBmUa&!)7n*4!;UB>$5MhWqSygHY-%Y#i9T0=q zUZn6mKXe_vNAheN0Z5I{C;ic&`T3;ZW?*ad5gY>u-J5G7pPrSYxt6EX>-Kpuh&~xj z#|Y7cz!!Zw7*z{CRlTM?n_vil!#F{`=qcPHQW*RYF4Rn%Cd*RHyqpXK4+5g<3S~{n zbhqFm6OC=z+igUDrUB7Z5Kj1^R@#9r$*@oqFtDD%MzzYqwQBVwB)b_tXR!of{pmx4 zxfFseWbLWqG@x1mkl?kR9QtTO^)QQBh=-DVd(ewojtO8wZ){nPwW8sye*xdD#VTEn zi=ifVkIk79P$26@ijd!?wE|cUz`b_qlfx$jX3XiM(*{F6pOv9V1zPugJ}k$fBvVee zbjue~5m3oN8(Wsd@Q#%)8ZjQ0*Jz+sAH{OFeXyY*BnS71hwEmE*g_f6N(;K;JH{y_ z%{O;?r^9I}dSiN-SAJzy#F_8sCpMwPy>a>+*Us}FPLB`X9BuDD-GHyQedb1tI9&m| zbj(9Ey!gBRFsm-?3Al4xuDP@RS?weD__)aDXVFqzn?E9ya8mNYKcXBrTWM!iTdGXa zknk>=y;eU*z79)!ie=>zL9($uNI;To7u9F%V`>q3S73}Y#o&w?lsBNjL;)MTky8}F zDg?NHa_IPIIZTpg-Y4h{S#8G3U61-OPOG8jMOh;3;823$@w&2zq>HEDuD3UT?40wV zj+TMbkZ_{iSaH%pi{X1ljK~XHU^pEQX{uF83bFsIp!q!f^}Y ztFQz+EE)pckd6Th>bi1_7g8`ckXKS649TZ_+Q#*+J^Xr;U-LS{IYIKF^oPf!rvyFm z@V`ZzhOC$dZs4nqj$kz(t;!pkzv(8+(j^Nz6NBUeBH?%D^*(d#0^ai^q7k9Fo&96R zWP)fGlATtbP^#M=mb1ax(6DCf1cjPcI{ZKUy53oH|K~s5>}=xKjR$KF zo@_o`Ta*7hS$9AD+=-D-HXl7$lm9$< z+JlLdz$kn%=p-KrDKHeaUhJN}-aXmc**e+!>&AaSbZY;c{qLUp?C<*jU;ii8|J{9qaIV++ zG-I+Z4uc~Hrys)^7&LzmxA=?b{)>9u#)Tr?CU?=@h~R{?0k4%Oj=lBYv9gEbRvLU6 zFtVyyFTkN@9(^1$F-IW+{G4)M$)|nvCXpC-$*f(@4dm_wSI2Sjg3Q>NJmnvtQ8wIT% zjgZZ7wlp+M%%7qX5|YPQ@W9y5o1<5$udbj~S9oM2%eTlCXYPURFpk z4)^y?bxi&wiT_I&+|rY!$@p@qmHMBr2|})fAQWwz4>r`y|eac{eI`HzaHLUtp@|8SwcAnoyh`PIRwfYJ6Ai@jMwLj8loEN_ScI4}w=(YG z!K`l#{A`9qe@Rrlf3Jt6I)q@QqJiqz z2iWJ%_pYK^HyaVMd(R-W-nBLd<|uwOX&3+-QJK&>Ub%+N zy^VCPW-ZLHR_AVWW<9zQ%r|L#6n92d_b6zNf0VhPJ|8J8+=?NKWKKkD#{f+jzW9;|tb;!ZpBaUUKx3g`#dXM!& ztKGlpGO$|?_Fw(5l0HedUhTcuU*23v{}jrw9PGbXUi+}Nw&p(m$j|EC^i@7O7nO$h zw=N9M{QjF)>D|@&b|3aWuU%gJA8psOQ-(peamIf8E&dzdj7DK77okRHnJ}r<%xNx4sgB`ykx*b)s-z zExzaNhX2?F|7XnL##yZS@jke}XhQe0mF7F~bfaIRmIk-Iv(aDF&x3sKod@f2i;IWZ ze8&xU(J=4DyE3;1_ZDqm)X#$XJlI^+Pkm~0{XAII_`}*T=lXdZ-Z_gG>$BJ3Ui9nc z{5y}rDDp*PdoVw?sKt%2Klj3}Z7kT+2XTx3o!YOTPdn@LYrV0kp9f)<4;IkD;?1v7 z$J{#$H}XqpG@|y0^Y26lAYQDE+xod-u>u(_ptsFvwl}ecPn=J!rMdZp7US2?;$hy> z&x3_W>B0Q|#Is$z*7IX~xNxx^WO0{s{Ve1m^%38)1`#`{kN6gz7&ZRM=jUM{qqVj8 zSHAOSr*Q4c%g8g+6TzYNDx)K}EA$hw<(1(Xo@q zPZtm8r}W;vPg*ZG22YP+3?55Q#QWM4pZxPv>P<`^9mD&u3O9_Q_QYq5p>E2$Z49+g zJQ;&}J8TTKCq82gqGo;cInu*+p#7f~na2)}ZzT&el{JXsr;n(2@fc#;nXbdU8F)4s zG9oItm_A`0KFJE_#_%8Q7XM%7XFmQT;Qsw0$shmeWAPsk?rm(W&EJ)Ri-?^{K?{i_9k+}5QNztrFwKh_bSxQIE)%#Rarg*&zzhcZ*Mljr<9Nn2F-swynQZ@Bm z!l{;>YYT)zc!yyi?nKd-&S!3luF;%nDHzcuoQHx?=;X-|f7cAU1CH;cWDp1D&-JQG z7}+Hh;wn!R#=*ipeP15`gg65}Ed-Ymy)P2);6&VKInr z&n~Uy3s+sk@6e`3N4(dnP;|g{qT)gH6-bLCUWE+(Ufe8V1Z}|s$PR+^1u|I{9cE|1 zaiJ%cj_Q7W{KN6d?(3b?gXhm*?d|VAeY^J4`j6f8FaP%6ar;?OuXQQ0I*Lg1?bj7)}jIORFsCM*&RIoit5mkis?H{sq|5@=CXp9xLn- zTk}&tiphkzA>;#ICwM02GgnrO)p zPaP}hzeA`8If2y8wc2hNd~FlsH43>tp)|K!7azwO%1=8=qw|QhqJ7|WhHAWw&hn+u z_|D?qDjhZs7qA0|*V3HQt~q`hq?@wh3?OY7J@yUphKSFH%~UTgyft_TCC*Tp1rQHi zL9-i`?Q-l6w1x8Csff98r-~6P7?^}O74AACo6-;@tnkSTj_JDJt)0`|Z=E!AdU$m3 zeDBrn>CWz}tsjn?`^CdIXoGgAsr(nYUJcKaEwN;r;Vv8Xuj}qg4-4O*7T5ju>Gta# zjBdVbjqs35M?6Y$`s<}@UH`mh8klHVpJmrdesgo#*-!?~wc}$g7~112bTcu}gM!5O z7#)JVD5?m_O2)@M3D;oNnES!;>Cx`1-L2!s%q4b)M2=X(2u+U30YQD~O7*CaW*B{? zfiod$KtL8*ftVnO0yz{IbAlp7tXA@ufBX0DN=subFai-PMgdb^18|(2!zztO#J!r$=0*anllpGdfi$dNve5%i~Df@f&qO_UtCJJ9;_X4L$CEdL+K(u8X*-m zMzekN!{N#2PMR?DVFXFKa15O^pyS4X&h#T=N}=wgYtHpM8{a%ml!t$Dw0H8u=PepW zEBG!>68p%See!sHgC805x4U09U?&#+f}@qzJ~GtZ=X<9Ihx8ZE4R+9EUlt;5r5C$W z;CXN$8IxU>H1?%8(k&bj?8CDM7a!^&5kvWm?OhQw~1C(-PsG07|wz!q2b&|8O8c? z+mMS9AYBE$rNHgz>o>&1eD>z}^knb#?!lXrr^mb7N)cAFsnYj96qmD0%@!?F7LvtK zoGy1!4jBC|w~V`w1qNDBDft3(!b89jLtHi5$Z|eu#$x!j-e&@govM;#N(Vv{%XE2G zwNg|w!#~iBE}TT?^rIFkA5GmK*DLJ5u>2!&6;L2aSTc1@^?`*+pjH9BzD%!oUmqSE zyn4DeFCI{blvr$H757;a>YU*2{WQNs{_ELoqPtS+f zAE#xk%?`!q}4=AGgJkFd#+ZKzBD7-85;OoFW zm45x;Yr%>5`ugi`qb{W!PEyoGIVw@RDJ{cgQ3-#P&K-C9z^O}}9{1+?sFWA{;}X4p z4n}qd4BX<*TY*i6<*Vy&ot1{{yt}=9@cOWM1l<|KMT1lY$pwh=k#i_}eJrHfIWUo^ z?y6h~CQS$=EYUroFjQh}?jouIi<|NU(HdLr{sxD}{6&1p{ za`u)p;_i?0fcAw1JE*Jnul8V{INsaYZ4Oi6VM^v=^VbOdhG&SP>yXIc&`?|P+GQ2(HDatm zGE+IfeHh5`@AeL%Mt*zKDnTxAGWoZSG5{B4`K}5(;OVPjIo&@#-1=_+)bX|Fd%HWQ zFZXtjwvM)6{?P1==W4!qFKk872uD)ivoCOT7lmVplm5lEk->r$krE$aV ziPf%eZSkmahPIpzbL3dT(YJfsyEIeGD=bTzPPZiPVOcIwohzwtr~kDL5e=?ZtAZl@)^ z&>j^StCl;CU^N!>^6FswcQ^C^J{j3}Sr%3c2`cF7;wDdCA3C}@nZFsdU2Mc<>BI%M zxzo$>YBwmap*PJCM(s`&!GtWxBuvH#*^E-Nwit=@+cfgLIdqc6@v%Fm``b-A#_?p? zTcEc%PBbzUCP#8|VTk?Pu8k4m3V5dY5t)nWdm*nAc+PH;K_N$G-JiX4V zuA(T#_K8sRyH-Zse=nfDO(ym1hr=zmyf62j?H=uK!Egb6%*m#w+b?$=eKnSRlJmk> zk@=$NiBR2uf$^>oif32ZIF*vLmC=!5s3?BMq@<5X#E1q39PK`XmG9)>^!eV=>+iOX zb{&5>d2?7FSJ1wi^QEZdHBnepM0sRR%^zl};v?4>z-XadI2!vBDql$BVV<8t~6o1I1FJX(m@6%z` z&`&+Wx?B#ajKREQ)vn>TsaCYg3D(Mem9tdO)ve>|#&oL%Wh)zwp0?!>Uqd5NWpzhZ zfaZhj*{UKnK@-c%TiT?wrCzOusTY=R_$kh z_XNS>d;2d=kDZ?LdiQC=7oiuGS~j4jlYL6HMe)x_T~v5w-f!G{wAA9ikLBOZwI!!4 zwv2n2$463BmJmNvO_!L5@5456pMjRllb2!|?h5X@F`NQoiFa|K7%FiINdHD{lnB{@ zzE9_n`<&m1F~?@*BQ(Vfp@P2Bx21%$jEXwe-f%1Qiz7Fp zO@ha6-uiiL#)ab__D^2!p6tyTaBAl0U*M0b02rmMG%kH&>EG! za^Peyg5l}DN)+&AAx0F9LY24>x{?OXSP2Yx=Lc|wZ5{Zh40n=4HobYMG2)w9Ci74b zN=7UUg}+k_^N*Q4+TD?6-nd8Hs8(Wj2YrSYLvshzJpIW(i{aj>fP%OUVp zbFd)XD;A?nQ#(0=@Hb*!tEt_PV||E4*ShadQS5Ho9!cI>IsmkItK4r}jtT$=5d=}xFAh&4Io>1MXi-4P$b9o=Z>Q<|b1QPVb@K8C z9|b#8rF+p@d;P6(+4@Fo(v0W`VM`(!JI)|r+Hgk5t_m)4>i5HnS^8DSs_U2xn=5S5h3Z@S>?p+UdfJ=))m zJcS4Q&rca`zIeICksbva)kI#5z-v6b0OSr|74aq;sIbkophn|Vdql&U9BC)$^*ft={1+kmK@o`yEjnCrBsYYg3hDC4G zYDY&_4RAWjVEv1Ng1avguWSHXB(jm53WH*egspp@FR!em=cUHE3p^&9iW}$<&)eH7 zh#Tc^3-zKbot0%Tn^?h8#4APf1<5N$IdmHz>=K8PE5So(%_9K}k>VdDJ_08dke{&Z z%M$ntUvdouGuBXx!XeY5k^*V&w5S0%tN<5M=a$d`EWkDRcDi@Ct)T~cpyUMTP8b-Y z)Joy9C0gY>kAsUAY=CRD(k;<;V)^AnFDpQ&+)G6?4-^-?`m#>%JNj9gTAm z$QIWM7}3WTHQR1W!wX#Oa7Z2;ov64D2jSdTuMghrpDg_5_`9vcZraAWNeq(BX-y#a zGpCdxt2t+lWjR{BfimQW`M~5(`odD(S`2(-txTfSOFh;qdoM}=E*(@_Ao`@>K)|?Q zC0Qht&mRqS!4VQ!g90sS&)1zI{91Zm2rcONoJvIps$Vx@QMh9rhmo>BaU-x_$gQK= zIU-2mCY0ej?vp9J=(WlbQfk**r=tBbcDT%NkCph?8Lex6m9eu0E9z^{jwhA_laZh* zV}q4kaG7q1>KMwVYZj_F%$BTqq$t3?Gqi9+pf+je^vFr=r?2*2@12}JdvkQGS4f>^ zY8N1V@)9h9^_xM$rqzVCBDkxHMeCz7+`YBR*T8xiAdgE#NJh(Bo#j^%^}vy@#WH52 zsamT;AIfAe3J(@XLxtbTaF3|FLE;Ex#8T+jU9$o{!133b^+o1QR;IG+qlzh5M;2=- zwk1@mq1hc6Gbpd^!5AE*on$ zotj8%nnEauZFXKsUkVv1>2g$LLqe{a7Lb)F(0U>^wIJotx5Z&&$t>(947 zh-l_HoR6ohR~;oe2r{CV%~h{4p&2%#MptwPQInYrGMH=h`m9UajFyO(nyO(h==Bnk zJQv}%~0>ij(J$5D2sNYIjaILBzGd)k-^RKo@iWN81#t- zj++Q4$Jc_*#5f^mq>7V`7uzXIVx})PtYkg6Av0zJKsl;3D`^Rpik4!XwwfCw2jYX% zahXMLMIpr*BItX{p@WD?)hgYQ;2Y5tu32?TE-bGag%6HZw-aD3pZ=g8WP2%gLU-43(3WxY zjG_oZv9ddMG1cVO$xL~7mB%Bp$l3)1(=ow#OREzWLmjyxJUPFt4Q8#YeI)6Py~GsO zINY>F65P8hH3?5)Nj%*>JlKBOTw?LmHlWk^%xRfbWd9NekK7De1nVLjlviCJ zm5p};_Qe1LC42p?6MUThvi|ttTDrFOWNj^dbF!U6bQ#hwF~}quU~Z(eyKCI0=A1Fh zARm{G(rtSzRZ5+2qi906jEvo@L|9zb+^}-VN*cdL$aBG2eY2Rhd)IAXEqh4kUNB~9 zq-GEPu(GT|07LYsjN2rNPhNR*#zrd-_ym-dQ8#+rOPjC)mG`Gtt0D)s(M6jJxLPNf z_mRLbe=mHCggu(fgnYIw$42ywn;PQXQ>lK=P;7X0)i>GHI?>J1_WsT<+zkRK1oebP zKhLtsC3^M+c5^4dHCfZHlTT1WYJsuJ(#*JL2)BTOKbNe|Fkr108|n&(tfiL|f-WYG zkl@$!t#%d+gszx3&mlTkSkNCyCT@NxoZtj*6yOtwg}YZEvSy>{QWS|pYy!)QmE%xV zX3KDWp3VMd;J{^j)G&B@^#RbjS#=A0;KJ{2;`nS%_OTV|IWqUiv&c>~sm zMEu07g%FIs z&>x<)`60Ppf_fThH%QP5<|(kOdUDLG-EVhab>j(XR!G9CxQpi#@~khhb#s#C-fJ2q zo}C;$Kd#-LjV#AjWP!7@q?@HaQv?}!1~;9YRkdpso?3wvi6t8PFC;i0cLModCw8LP#)7#^SsSPt@k}b$M_OXR5;JOQnH$SI2vkVM z8R)RY#WxTMKxQirQ1b;?b2O6H) zK*(2+24-_@ZykNXCNL^$3CUdjY_gPoOSpvy=az-)ux?6r>9Vv|h$%{!c%`L*FN`e8 z(lDox37Q$et@wSs)34isHiA4=TA#Zer%K9S(N~@E!-^m1m;P_Thv+&QJwp(QS_*P# zN;H*cgWqR;&FzRr#i)JL>MV>+Cr{-Fok)qgyukTI(GM20t1P@opXM@&)>5Z0DQ;)y z51$h<>{{IW3m3W`blWsm*0+53^|Rfbo!!M?3^(n$1Qb~$TqxqDqw$ke>FB0y4`x88 zQ#Dtu4p4+c5Gu%r4k!~exKp3i>;_hkFFfpxS1k>}3P=C#j;<@)_paXR=LD?|q9#v$ z-&G@kRWnlje#1yhwpp{$X-4rJkQ~)s3!dQp5Xd8_=v+@aL}6I4^=Qq}pYM|H8`Gex zDL9!O1~Y}h8puO%JAEDRz1ZJ6d2_V;1q7xJYKK?Zx9^q0ogkb0sk@HqJ4U&AJildXhPA{DK%m6YHNqza z#?fO64C)5`^|iJ1(sg*l=m>x&A09WLJZ>`9H4JP1zU<}R+D#Fq#yIp6X1s;pd=mv~ z(VekG04I}__d^K6leC+Em~K9yNcQA|```PsZ2BahlL!nXKI>>bcBOLg_Stn zJHQ10ug?)#wYWLTznrpkPiRYH(=_13{rxK^e5kkt(2Bi-6^QA;j3aUob1kDt#4E)p zv#YJ)h@r7Of;wDUThjYc%&D5?Ak|xAaVKD1HPss8Q7}c2dAKJBzuVnEeSNU==GE>e zEsV$ywlr4e5U2~j%XEnWB1=xb2As2bmlc%;PA7%d$of)I*UkNXk)_Y~b`CaL>EZ9T zkH1=9Z>1-PuQxQB{xXM^rl=gLNfN~;;e2)LtEt?|t<$$POc4?aoLNE!W)e~K^DV)^74kgQ}CCs_8H-!R$Bnpog zByrLfMi;Vt#%>DZNcd)PdzxFh?o1MrkYaJN1-I7#Y(SI0jaW}mXf3|g?Bza4QeYt9;pV-tG=B~~q}istG!@T#$U;xf)giqM7 z6rR%4VLfqnMmIeT)-d}uW+$rTsP93IRJ*Gr*l|#tF;F4)xX8@#`hvMcMug6yh1=bB ztBuRzbC-{Cz#pVoH~}j)WcnQf^Ch>PzRBAcllE+P%qa3$cAhQoaZKDx$gu30zAG~K4TORp`$U(F^r$K%0sIQ7t#DpzcYa%r&7B1XVIZVTRLcQKR^12=4QFDO$py+dmY#B>J1Nh zhVpdbxvszZ*`pg+#p1@1k}w{{?G)p0Eq-soL%ZLfY>JiWwx_zW#d{i+dA*_51kIX}T@^6s z1#_d(T%ys!d*Su(o*#d7Ipb$;T+R5Q1&bMRl5BE56HM?rctB-EZ)N9 z{m5!DobeOZ>m#ex71g_~R$r4y8X@nJfh6;dpqAE`T9M<)4X55%su?O{S{XR$`3E$N zSUGj504r|Cn_nQ)$HiCpB4fnWXPmhgVclh5@efcwf@)!S^%}6rOeeh)nq3m!zJx$7 zABZ0|7UmQ&ZBCy1?ZKO){Vik+yguC8R;g|g?11-O81|Z&Jt6PF0XZd`JmD2?DHp%oTpD7>_>zJEhtS(d6pmrA9;OhOu*rHus5_f!}@s(n^*?d8t33ERM zoYFOVZ-e0k<=I)qi+WcLrHh?`)oy6H%C4ZYOe-dcA00D zpbHRq!NNt=UMAtYh-_9hMII+K;fluzqApXGQvp28%sPejW7Q4~NcG

8uwp`&$uc zLezSFIK(FOq+9&aGJq^$JOnc7IO_Sv=n;tPi+~~{RZr|#@YxG5fX#>|BgrQ)9cez5 z@;|yB&i`sZbM>EI938wlRQcl@aeqOd z^O0zwQQ0RX+&Zy~UyGLX68HK}5E_1ga!?CKki06HudhfRlj)*yid_jQG1JMcKNZJ$ zm&HVqw|pGKx2JzxesjEg6i9rf`Fco;-Y!Q7jh_j3y_|`pc*X3o@pxE>f1Ewg=4RSE z<5(I`B(G4e9I)j3)oYs>oSDoQgL? z#}QSYeZXL%imtYD{-gK4-hqk9;`{V=g*sN1%xu55jI}XI9Jl6hM1gS9NyR+iAuG{V zLNYOA28R8@9fV^YyoqX}K)?>}d*{50N>W5@UMGaw@gJIAz!`mHnG<&Yk!7a9CT5sA z31Zd}4pgYZ5GRNF5cT-zC6-cxj$xsR?9o2bf5En{xS=4Nbel%oH^+49VMMgb73T;M zc(4fpRFh{~=INU{N(DX-fZEhRZf7Tv2wX(;uGr!+W>v}{c;Z!q8DQ3Xc}_RGBZc?iu(my&udgJjBv+AHaBf(I*%#)n^=_+yydKnRz} zYxEqVal3o;S$7xI9!zSt1qdb^0Qbjz%92(>H)<8fy`Fsr2_@o@5f40Tkhwivs&}wt zv{fT^8D4#+iA}&YuwbTs0@1NujSux|*KH$=VD2}^W~Q?WzgQ3key1c=Qgec>?;`C}iK=k(9JjJtMpj+&f#cLMv`XIq^68iZbsD~fC)ND6B3P$t% z4gv0nqL#{iRzp#80_wY}3sqxVR$^0O5~C&h_yz_@qXl#E(1iMMQU{6l86cInO%fD6 zyUcGCa0N;y%1J1z{E6O$t<+yL?$-tbS+x9i5I>z>!*rYPw)|wnB$Lmbq}=!O3t8C| z7tKPM$Y)IAhBw0$Pz=(ECcngXAspcRLX2S55IOq{H8Njr5H|yR2~--yO+Vd;aFZJ0 zK8eK6h0EkwY-6RO#~8h#q#Li7iNR8lmqZt8XbHzj?8W(UEwf|RG|62PLH5ZP*DJFl}_;Q4(A2#Ibqw{XYiS8a0~H{ zRVj6ZYSO)6gJ{03YOBP-VQdmXz_9$d3%lLlyC#x9CI5NJ6Zum5BwcDiEG)I~L@~g3 z>yPi@FOduIfqVNuFFok3KYF;fx$$rde#)tI?Au0 zs2|D@q)g~c98GG0N0)E6OI`!V)9YdW-8pDlF=W_*2qlj zq|Xs#eUULQEPf$b=CwNMul6!0{I8l=KOxS7dwjLKqF8B-h8dgL2ePi%GX;=fn2gI| z(U-y(W%@49$NDDI+`V-M@gj`E9OW5f635@|6Kt8+ z!{|E7_b*0CG^hAov5Cs+Wn4cAvIwb+G!TYIynfd}Gms@!swFslmR`84*u6`F(>?;x76veRRvE+#{=^GA>Ciw`+hX4r*1f1PKZ)SRa z%PfFD%%oHa(=ABOyQlyBX6x17$qz!#dBQd%dxX*Ya%Nf)v=*90YYYu`?D?7lJV%7B zqa#Ab`9TRJ7?v}fV9iMmr^XHW@JJTGM$;;RX)uDZpo0%`-Xw!WKi>R51k6m=O$ZlJGo%?S%oQ%anEnupomb zZxuiXt5VKUatc>`^fvOU!WLghtqo=t_?T^unRr7w#Q<{Xr9EJEDO7#p(}TO0@0^&@ z)uGFQlL?5|j8d?WJ`y)N$y>f~E3f1eD}rP!3xsMd=s@fTz{UXhkfeZ1{^=;4joqH) z*(IEgfy+s-nD=OC-Muq+mM(P6y5kxeo9LJcWk#AopAjmFla{AFUXc(y1+ zR7Y!eXP`8k6Y5+;pRfQO-;U(CbF|qg(VS?t5F*A~rd-C+Y^k^NwA6FRlOUZDnV-2s ziN)WA&Ul*j3~?r!0w`)D{GST zP9oesR13Ic*dh_UoPQ&%asxWc4V9A)cM9!n0IReS8p&!?N)=I%YE-ejmO7u<@t0yA z;>=r6U{@VLU3%l^2?cgxyv99>cJSn zBsU&oGqNfSM)f|?pMlX}`A+3?yo4!u3B@bTB+@b{Y?rkf)jDg7!UK&1QPF>cAxQbm z+zxBYuL`!A1G)o_-Ip)|6s^bAu-t7I-4zRS7>S--=~R)_Dx^=?5Mb{*^*(@5NYd%M z-14pjl!;f-6g8GuHzdyI1~h6Rbtn_MH*f5b9SwYbvO*{e*sHiNuNA~nJlVh+eSZkAG6N7w391Md&!z4@~=FwEm774{+_xF#< zHiq%^*TCu)32<7rb%<>Z#cp$`|CoNI5Z+9^;Ag7?*Q1<8)jqB=MX)GIg}6v$Lo92N zb7;~1QQHL#C$LM_!n4N2>4Eof^gbVvZHa7C`WuI3UM0a6+}IU|*#>d9TPut8aR<(R60dX5(r5+?@eF->$!~ zHR)g2b8bABh|00yR%7>#`>&KBz?#^5U#ERP#8r1JNAJM&+<_UtJ5SqHUiM|J4`&h1 zBd+RXgm2AO)kTA#Jtdz z=s_V_e;?^(8?GZa6ZaV~zDIfbab>aNzN)QDyQ?xnwecC@v>{qi5pHu{z35z5B~ z#USvd3XwR;M%QOj$H4MCCW(<<3oL+&+c2w+az7dhJqw%u zifoFqwH~pF(|p9aEvkhP;U1 zlnK{f#fZTH+vCMH^snkk;Hdz~$qAB;m6M@!7kTlrV@P%2%LIcD8he;^?sXh@>3swE`}MD+vc1N$u}NW#M}`Tj4F?lEb3^E?wG2iiqpz zzosy`So*_KlDy2uV_Z(OGW`Qh;wSJEWQzHJPS1f8(K_ybRA`dqm}C+(cyXDU95}Gj zk=({k`kiP8(<^tU&9(d_xhu4Zx@G=AoT62fy%s@}$o3V*Z-!n3{h%W`k=itjYvj5(Xd&4C(K2x;Hdjx%;O-*&P1-XSD&jrrb&X%fJ1*YfbXo+$Z@k z`b$vfu~lYPyz1?U(Z1l zb(stjVF-`dVb?Nu_M;<_Pu%>{JAb;9{`t@NC47NT+;~K`VVadffXHFc0qSO}`V?W} zHh25C%5hax z^EyW#_4)LzuRP{7Ev=uj|fJ*U7+6RL=w@ zjn^wRI?Z7RPd^=4L*12@FJ=&xSu$iSAM5EMh^Vq$%o&|S=_zi+C>z$}KrA%h9i40K zh#E|(!ElO-VF}54KdEUYnUlRW#n9tZu{fT#D$lUARD#l zamQ>V8j2!-rvV05>X3q34Jh;%Ba$c6_ zjriSW*kpC%_iqa+4C9*%(h{8_)q(+EMXa@GNQJm?yFbdzLwEq zbea1rrdA;ON5rDM4^hShBF9w-gsG&E5uz5V}_TWqp?b*=ri_!Tx{?=#Hw6p41$|PI8$cK(k zcbpK$S)ST5x7(rbrLX<(OYRHpWa(@9Wy!-ExbMUsY%FH!>&EIVB{y_Vo_#9(>`S_C z=jqm~R|nti?wme5B7oM(*3paIljGCF-J|W@{gbU1yHD4=8XzU!68<|%QoNA~ zol7%qEyxDXbX!|$V=?m874&v8Ln5c+lAqbUFZ#49qEMT4uUEgCT6-%L6hy226+%Nt z=Z?zW$}gb@`MWb5zP}_8s5*!6>5P<>Pu{DRXx6hzu*VF27%{?wB0C=eGNCUkjqOM# zjB9fHO?@&Sz)(Yr(M5?6f@Po2C=V){oxf#P41I}0mKyf1a^4xZCS>HQP9&dog?~ptZ0b+bifbXjPu*8b?tfn|kFN$R`jV4zTK+S&-H6q*-tOE( zD#Y?J3|{|U@El1bH0Nk?ijmYu3Y$hg0j>w~cgxXJ%6$n|r+?w({`6NL7A&Q#)A$|# z5vp=5SE^4yIBlakLFEqLQvuy*w_~S^d-Po~b`LtOrcI;^_mP-zl|mM5p7cwGyYIBP zmXzWnbCq|pDz3tS12!%lGpijeJwD!>0Z+QTE#=Kn21GiAOFnsD;Sf7QREqH0W6L|Y zS^g8ik)iOA(>1jbkU`g%9#`)b0zt$Un$)IQT?7!76A_}dT+t|dUz`&mw=^9_)!uNO zxIxAiVln}%<;Nq6zGH&H;TteLE(yMWan1#J{u<1i>~mDlrl?{)krUsO#x42&+Rxrx zCwD4Up+yaFH(&v~AriH;tOB#X#s-P(KJ@H^YERA85;VTZBLflnGrTX&AwO-NGa))U z2WhJD%jubx+lJcGh6VKF3(bAh$J;@?nK|tOnywKcH+0NUAR=3$y;|?ue!Qc2r!kCG z-Q0v+-O@a6BFOJF%%(EoC*soxPd~`I>)@JmqMzQM81ba>lAV5n4Ml~5r!??ARYUhJ37o}BN*pWCn%3E zh#VmBhndt-94Z@Q^t&I6<0LkamK1vRbWFXP2z{Dy>V@&U7=0wnyFx-c87Zz5iJ~%w!mK>2>uzJzn3}A57fxWUK5T<;`6+OjMW7-FCi&L2 zp{x83YO=#lZ=)8h(0pP@yg+56@LI{aH5ru!xrD;H=Yw7s8^Pg-`qvfK(5*8of#9B- zhZ98VGl3AhkfTXp6pa%o%3RGZ6-8%zb^BMp3PQ0*r>;SF!}frhv8{$2*R41Mb97-S zmTx;BM|YdXNL3ogrI;o`0nl^oG(2c`rrGJbxSrFcum5SuB)i-R^Z>wD#@<1~O&}hP z#z)1k%VI~j>X4#6fs6lyGeJ1P=M<^`yed;Of(cpoFxd)`*XR`SVOOnC5(m~KrBZpi zL8mRFYVNN-DF+-gGa_~yniwI3YR^gzv{;qi*Zy%D*rFqxR}+@M_FhXhr8pp8?-3bR zz-(?zCALh(rC@?-3+qlR(}IQL47NST@Fq2>ccuzg$zaQDXk)Cq(cZ!X8d-W!PX2vS z&72f7oeheTR%@mo^~d8?p^rA`qwS4LD-9NC^c!*XUwM{y5(PUC=3gNfmugxeuw9qYWR64T0P*jjyGOqd|) zOOs(tB3DVnTB6R}gI@eFUH6ixq*QdhY{VmypxFI&dVKuSYxfohDy%WYX6VJr@%aYu zqGI?1Y6l#4rh%?7tBD@u#TX4<@OBouk8akUlb@wMFBhhrn9YrGz1hfXZa%&-xn08s zl*fC}Qa+ ztbm-ZPO5ip6ym%1qV~$VC9Q$2n9)I;i*Yf6@Gdhm>ZWbdg8=pH?d%4DQMj|4k_@g@ z4?GS9Wb&kTMY2GZN8gwmyPC?SO%Z9-1a-5xj|}J{j}wNMwokXm<4(YvUV4%)?P&PJ zQp>&vF%5^sG4cm@#RIqSxqNg%Z|ZhAEGNYudABTnvI6g`rpF_|=1wd3(3#`Qc}ot+ zcP8kB3CjiOt@?VNC8;7vD;l57&pUG2tk%;8FcE$&E0=gST)RFz(x8u-&^saG%UFJ) z+4%f)((N!b$ukopEcu=w!1)2SJ}E|86Q5zJUILVyF6vrmqqDZulFw@b0haTvw{HK* z|HdbgXo1(=MLy`A>-+v&Cl@)n=MoRxR3u=*E8yyT1HAP0pVT$*Wb72bqx{k__CtB# z&&?Mt8qmEatKNJ7fe=d}iG8l)Vw|7A!VXL9(v!wS{Ue8AO5CnSGyb`)$$5R@YEQJc z7re)Bm~yx}E&V!yU9I{(UM)wf;JNzs>P^i!#W`K0V-SSMr?c-Ke~(j6X$}Ds>M9 zvo~X9e3OH>I6+ymIW0apq#|e}t@-C#PMkKjw{$d<>x|<3l9RkfK+s@xpc)MPp0n`-4=%~@} z%WFwlxG;P@e`UK%cTP?hAzmhHBa8AuwUB_j|5E0EO0_u8Pd%m<+^&)HD>M-&t*Clz z3U|a}SzDpbWIcP06lhU6O#-kfv`k!(48ZCg^PBJlh8$8bNl~>N8Z^*JK^2-w*PjkW z>uR?Z_4qn{?KT4qwcGEr;Ve&o?dSH7CekG}f4d58r5f$=u51k}8Bb*QG1~Jxj3mOA09nuKiG^OlUPcpA3)4V zpR8}(+l<_lMilB#(BM^3ZA4$EBaFn|u4HNmN;E^GvKgsND1KrxHn*~gC6R?aZnYmOud*7%>+pQ?sU*%P(tpsT}G1PoM3G0{4Hq(CnTqtXdO>g9Y%5|+;D zlw1%Q4F#bNm@Do!;}nTT?&D6nRXKICq*1vxG5{HCok{D6q=>n9u{*wy1d5=hPt!H# z)OII1iZOTfrg9tzCBzR5QMuN=X`c3b63Gk~L^bXF9R+#x!2>%S0ii?Ghf^WI)%P%$7-Xbk6X;=c3 zeeIga!Qd@n^3|##T+jO=L~~X9;XIyzrP8^pS$mP7N-dkjycz=;MNJ_su6=^E+gv@I z_0WJjm9GR1X|9)xAZW1`zUVcw!o7^EVD4fq_HmwWLlV?8mG)M`!ptk;mD(pl=t!^; zHXWwRyma)9RI9K`Qm>*vC=!cL3zn28HDZNwqkK{1$yyM^idqzRq7OA~dT&%rCxfS> zGKoTZo@G_;<2a(4LW%z{ghlHQfO8NYI{Oel8%(nPZ0Z5Y{{Hhf{h7yqV|7GUy*@bl z;TM5{yB+_{-42^`_-_yHZ>;|v|Lt$^6XU-%3;O(xtN+Y3nY^u6^6V(I;qs$6)%EJ? zs&h7RTrRKPP0KMu$E)&edX-J`khYzTRu{I#Ovsf)03fQlN{CWBO`>X+mo8@Rxuq4F z!%<%j(sYDbGu4uQ6#%rdaW!MErDjaxzM(n>>`<=>)+#=n`HxzW6DEP0JIOC#sAd+o zRFdhb4~#8j{XQazMY7ofL}ek|0tjY~RbLS12E1g&Mt@LBzAkl*kG&in9{m zWj@U?X2onVmu?tB7O)py2B0?C!29XQnbO$SyqTd!b=3*JE=4mZ#cfl z+%B7(bgfUl%db~FE*iFkm@W7cFo}w*9z%)wl8qy#f3depC6keAhbFti&oM5tw7#R_jKwbG9@lX~|+aV*7zX$m($ zli?t7Q;urFyTRB4GUye-3rZ{DE_)Xo84GIgWmn)0-goiyFl>*4bdI3|G2&B%4E^#wMjJ>{gA(fNo)ZS#;V7 z$})GW$UQNT6Nk8h-gUD0uItv~Q_)&0R5BO)TZb zSU_6KuSdAw9G7PKy18;N?#oNHbur`mDw&OMJg(idid?f>7kWg^n>%~%L#d=OU$3rt zn&&Q6-07%{5u87B>*#i#gYl3aesrC5+1+zVbb|f3)h^&`-ly@|>#U@|bE_bvPPxIY zE}F%NCjYby$wtmOd~@##zAxL+Hp4HnF%R z#z+ZJOE5CF=nR1*zHX3juF8f}=|t{NcL6y4TA!n*$?ujjYj@jeDKN-3lSMnawR^mA z{{h4o3XA!K5F9Q2Hsggk$ldK3!!6c=77w5OZs++%`{nDc?e_7@t^4a6t;FLAg*(m< zUPc5A4T^9Y6cg1qWF<{j2}i*&f@X9Fmu)4l<|L~a;%^b<7$k>(F>%Z@95Ys-LM&k& z8$?i0CmLORA(8_K!1edqi2-04EpTXAs0AGhN8~F~X2q~kn=Z#lSRIjioh+gGWYZLP zj~j>VgCi8e-zs1B2%a}GlYW8QdtQgyvr;cjj?%h;5f}&8bcgM|=f{?M%S;w6un5Vl zJjZPiB~PgvpmA#o2Z?0>8LV9YH?xnE3xjC&R2YfrUi3gJNO?{%n(g@!7yaB|Fg$C# zAdOg7O(aS;uKA>X#b@GQu47DMvGQzG1-2Tu;XCO;(mw}^43@}%EmRoSAiG{3)?EXd zg*71YqosC6Of1pLl;XSPuEY_&QKuA&N9kSZ=q}r2AJHTT20;~rM|h4#=yoD2nYtx} zP#-{5i?bR@gV@T@1l+@C%*@Xy(`J317!km=%7lskD5Wmt?!!c;rQGZq>U8O`bCf~V zZ+2r>17IkBk*!l@&wL5k>LPgmMHp0s&x=h^!Ef6^kjNC}JYj zO3ngGw4IWSoNvQ8xc_ummg8R5e<$ytmTx(t5Ar>Ac!(p}%KVv<*?jCuPLByeD(l7? z_a{C8HoAab9G);hP>LT#Amxaq2<059-1x$nC`|7-?Lwjzg^P$G{ z8hn-)mpd}YqG}Ex)botD0r3q$cbaQc9DT=n_r4|Z z#YQXF?>yP`$P1cmqQ!DG^r(NBZVG6g>ga^j``~^vAu{lm#dO;^3GoXJqf%x^INX_{ z92rET*~pl!ltzyUetFLN9SbCj_~w?t8)felsRJzwq$|bUemSnc_c0~BCGK{2d#6#@ z)%>ldz*CB`&c%>bn9u+qSrK9AstbDNs{4~HTA0P!c~|vmKj&6G!iaIvlPfK?^asj?Sw<}(0VF)cL#&+ z9X1F!hv_%5As2$`ygoYv~Y1HU!c*Gl}7L{w*-T(G*^tKH%8Ru%^TgtL@Z_| z!Idk`F`)E?I_O84czQ#Df(7z|U(hGP%vD>=k(1Ad*NItWJfKK@Z8ceOBA*T{Pu;%h=2&U$31zg|rQ5|YmSQRyTBujo%e5lR zz;<;qgz(7fR&2>>QL0amHzGsSZ56y3? zH-R?H4GZ|NTxbGu^F+m6i=~LAUNikz7O)4`9kNcTQ*z6mz#XC3N|nGJ(l5$c1p(ij zHgS{HH{!q`3^>cf^qC)$ddO0JFwvZDWfDA*79sXdg@+18vhlDirojw=IcV0H6w(Nh zAC8#byYUSy6{D#~lgPd9Wv7=^;FRc`fUHGzp>=_rIOAq3#eR6>!5npyw?!qmBhXKZW>%_uEcO5dZ%XdGP48kXH7dso!-nT zwMcSsVvuys8kbBfuT}gobRD}+YeW)pA2asHmS4MExH`f-~bb)@q+zpNzc(j6ZhC-&<&Q=oh5@Zm;2WCl#I#df(c#d`$ z%NM+i{L`Z(8l1Fmln1dOZ1W(ewMpi!Z^S1%?0JnFDICr-^Y-XDV=HF!kjh8P z#QXrKl~T-t9jvzwL21LTth5O9lDpAKdCo|Hl3Y6+@|oKVbxY`c^^bX{c#KaHQ>BQ} z3EuP>tsYwkm;$;+jP&QF${dENI356nJjf&YI^05(7e{3^lM?46r&GPxtsa$xHDJk< zs&3SqbAxeRq|kD}lnHb(f7mr9UdN=^UU{8MO>*7IC?|F9v7}ymHNJc3Vw$I{Iig=N zMpX*{@a=jFW|O5ibYCuWUjXRc8gKcjVfHkPIH>^z$k3`5iD3b_AkRzehJYU@%Ak>4 z8M9{^_PxA3y_n>-+kIByBI*&wHq5H&HigOp~iJSm`YSX!xvd{gFW~b+FTto9^pOx3{{{&lm98_TL2dwD4-%PRyW_NXg0?NDgQPK- zn=I+|IjLwnn`jtMx9@HjM9Jra#3xEm@Hz&HC2vAm(O|jb#N`Y|Ad70BSCCs)nTn@U zVt5-GoEu&D4Du*qyf_9cZxHXW3isYJ9ZOWMf#-WCM|-ckUVShrCr0cct?Nh;CL%L* z)Aycc1*q{1OIUS%HRp+~Y+Mj9=uC=BCwRjO9egwmP8Qbj;Oq=0(c6|&19Uq7GsmUQ z#eeSYyItKm-P=FeJ$k;iz55G9fZiVex%P1V{@Psp=fm~C$AA7UexmqK3G#OTcw`43 z|LH&b`Ej1fSK@JKbQYnZh;dHzNPR3w&dW|FpNI^%WCh8NwqCPF-%?8~%i{RTs)SEW zvdgn-X+_{_4C?6;0$|Kfm<{$`#XlN|5Jn$tzEPS%Eu>JqbPNbZ(ud?wv60CPId^+g znElO7RiHW*6hI=k78VMo>|ZO*Q@M%9CP1nkpC;kKL80g;xk(=?Y$iME$dvRI85nsYxGdO%%DfyXsbSwJXM>>E-xL zf~mRksHrr`+jiN~c9^EWpIwe66-C#E-d`mQirxX@B%X?COk<%jMNdhgF?LyKWbNVo z`z^}mC%>#yjO$;Tam*Uw3&ZpZ$3$KcI z#p-c0zR*H?+ODm3QMG$)X+_pYM1=?sS@zd+oz?1MHU*r0S7ONCe z3p=f=3vd!`rZd+;HwFVkPAELYslA$y-WQW{bg4B^#k*D;!nk;kl1S*+tT$ahX!y;- z+yIC^U4T6XsC(E@Sh5{9z7JmI5<6TuVMAiZMCvet6co5r@Gmd&Ii}YU>cdyRFMB4H z$-Lm*DFf(0QPtyW8iNiI2ebisjT=TG>ZFj(qlgT!CKbWZNoN5$pto z-NLV8_adGcoUl4H9GzzN0L&;{64`YR2J5xo`J>0(-m9TF)X-~5;4lY{i zuhIo%A~K`_)wuh^5~Fw$Bl`Mjss3K&iATUNd?}nDscX%W!I%L6tgh3&R3V(C1cJaj=A;=yqcMOnX4E#+}h+b_Ss%_}Jo5sDP|s zQ73hOl#@teFaBiE=~A$BN5+fpi-j_Ecksff!I`+0`WJ0nbX_kbMjrwjbz%kVIhP6r z@#r~z=RP0_k752pSQ#GBx>uQ0bocwigQJtv=Lbixw@!|KmKEqD`M+x$?z@Kl=i$T6 zhkv*K{0)90`_FIPg$y>i%ff!CV6s<#9V^gRH}!_=df`_|a@vT!p3g@$Hx!{6YO#xY zCpymgdud!;G%Z|DK1tBZ={SjK;=}-TozQ>TA%L_ET>+{RgushmPThn2fyvOiUhQjpe-*kgU zO02gyTvIl*5-hrGD9FH^Vw#YaH9U@T4=h9F=+1Pd<<(mekr>Y0N z(^J3tax#QqPR*{TI&)^V&g(~De)C#hCvfB-aQ%><;-qj3nIPPagtG42$WM!G?nZ6+*!+G;uC|DY_WK?tJ0qxGC?F3m86vKSmNdH5Hzq ziGB=j4GSRw$^xO6S=c+H$Mf^Ts~)Lg24w^)uuAb^?&J${s7j5CklL~l6VSjbwSggSK(f%{cGKn90@l--IR3zTmbx&P zO4XncMdH-Ql}>uV7z$xKNHnXSSmoiM7OEXXke9&Q0xUUDq58Z)dx{iL?s*6QiQdylih=7W3pHXrpi`;LO|XOHs-kNc1BXZQM# z@11>9Jl%BH>BDb&PapIj_8+XR-^(^0+}pg@+jyKmez5uA@%q`>#{I$CX8)VZr<-T} zhZ~#s9^~IlpKkW=uRY4#pBwiEkH7iwbZ{@f|6qOX!K3xH$B+8!Yu}6&mCNL>WFg;J zzqh$@e{=28gZ0hz2b*h;lf_JA!+m{!WBvZ)M;lJigz~?)^U)C}rzb~S`^Qi(F%~B| zCx=IS2S~IVkH&$ z^v!)@qjm4$V;rpq zkM2KyxOV?h_ULiXefr?@kCr<=5ANT3v^Lh)?mhlxj@E;@qxE>f(OP|Te6)J}Y;S*c z`{-bQCq7({HXc6mr)wGZkd@StXu3R^joMO8f>vgyJdZl=(wGddSCa5%d@}4@_&1{y z0jPPWd0qti_aCMF?dI;9XW-G?8Mx^L5ZC?DJo!KR6!OOi248#t9^AYC^A7;QJ-0l3 zv_|>YB;K(Jdcd0LcDcmkYp3ds?xpR1dWVvh_mNyu!Bj&2#(wEkPR?FlIxEY69rd!w z(#oAAzCcIo;S!Z0HSWEhzf{odwU{y2M(uiek{{88`WqkHQ;9M1ds*@Lxv z?sVpTN7D};KE8jp_F&W9VUGuctp7MWbJD`*{d;-tPUrp2`|hI4AFgdacIWf{+S&TX z+Qtp1&RvL)H#gnV-g|ie-u-(woVxoDA8+1YfB1Oq{^q0gaPB@fmiXNH!w-5}cN-=o zFTZVX9iHw!f4;kYviI$7OpOQM?e88%uXsXywYR6wDm00ER$$zej&e z;y>nye*0i&_mro0U4DQ5W`FzXuP+_#4fB6oz;KiVl_B`QYV1Hi?QAv=_`Um&9zR-q zq-CX68!NYJ_bA`&I5~Kn&!756vv2nI+_7KqqB6tezrFZx{}lh9J0FQV9=ZT~uXdmQ zT9UK>QTXAyyE^U#{uZ6WFFJ&`a+-+lHy+)8x6cml*KR+pdfgEuG7A2n=IG(nAKmp$5A zC){GGZ;=`VN-g10I=20nG(_6<)R5;b#}W*pHa1b7I9D}TG6A;M%qW{ODMB$-d)HHc z9BML*VhnJ{G$zA|fo=-SX%*Y0g?u3sCSCi>zy15h{rhH@sL_HzQpT}bv~gU_+W&2n~J6y!93I-NI4`grBzvPpw%dR|ktxn56|-X}oi(>z8A9adUJq^qJ3^r&cV+kW>`Kd+Gt(IJaoN9E zWFm9d$Z$Ag*fwM1e2yi9z{-)odDHEZF<6smJZdB}{qkk*h%EiCoD2s}lHS?<_SF4v z-^o)?R|olfL6!(#I5FyX@`WS8tXjYEn~lV&wp&L(Jgud(g24#$_}46XwRPnB58qca zcMr?a)Q6UbIZQ$0Nj_!Ds$$f(yt%o;4ewW57H1`@97DNAz@bB-0$&t>gn7VYT`wB4 zq>HnZK1r9N1!8fHrP?a-k+4#YC$K1Z;;lX-i?-B?|J+!T>TpZ4VDk9-`h!-wzP5?~ z+;{(3cmKJ!(fsT2L;d%W|7J}-U0=tm8|(Vk`Xl{#4NtD~H~sFR_Rifv=Q!J1#o|9Y zX5xRQpBv+U>N4%m>f_eTBk{ei0!vLFs3MSmG+vv^#`Bq^W)JcY>M}h zmR_ehwOZ|y{C$y2*-Oiavq5N?%YaZH1?o4#vsF^Gh}{Gc9azF(BRF?kI_t3>eWTXy zYHwKfRuR3-0#(DJ=N}lfm1tI1R9{Xgu|q>ZnLF&)%&B{mVoK#rPw6-=M0ln_Z%!dD z&gzFcF_D!Clc-XCKFRY|_y|zyFcd($aPzOSg4ITcgrMoWp~2@rf!@L##N=I`j~jer zHf~SL_Q2B3vVI>`*$CBsLzaTiNtg(tgrl7+H^E$>1?#~LNJO*}m!;1iu@ii!Ql&QC zPPPvBzQkbTcR-9Zq#N-zipIoYFvC=-M~iCW0J9FLJRMh8Pz6g0LzPpO8H66oST6yI zl7w~taOv3jo6jujV^i1hmSCfQY; zSAtsvV}(0{d3GtKG0e`urDdI3pQ#ZHJf#@gW&sbR!Ce#MuC_I1A}h)pqM&c!wx+mg zov#EnBX15a08#N<6TPfapm1De*M3GJImzOFk156T+(7@!dr!w((zlAN<}*aS&rxiHp3> zBpa!x04>*AURaDIKiGr#^zAQpWYnJZ4-62|fF9_`W}wu;xz*lIU6*7(qo_13ic>5$ zCc91iJZWJivB5N|>2TrfZqS1=ks`G)1MnGUH4bKdE%fO);)tB*A5NQ>S5{R(O6MFD zHdd}MiTgp}zR1*R=dE9k0Qgn42yId~J!duJvt(F0hOSkZM<{ZuoZ-CGtSQG?XJfVn z_`OR3A^8VyL(;tSk{9%BR7^wcsgIwUH-jfZmP-CgX7J>fGJ_|-s2Mz|o9{Z!J+I5h znz9}V#wG=BY(7vtbnn}U*bAYIrp$fwS*~$yCzUfKl+KBV6%)(rgw#sFjT|%13DS)s zt}w7iO$$sx{DEE=l^C1C6#)zQRSBx4^nP(&qu5vgL$%i)Qv1c)SRZOa?D04+F&mUp zJcyPn4Hgc7`!(sx)3%%?py<3y->Qa^zz&=Z0u`bHV>L&I3N2Cj0%QYl&ee^z^^NvH ze_HnP$?DqL!?pXHLWZ4$4!UQc|B6QoPg3b6uCyP?GU#biNCsRO%8FkQ9Ik?n8M5 z+{6|}7DI!RJwp(vW4MEu6Oi$8t-aq-67Wih?S}`ll9qb_FU%N_DCi0U%d%JY!qduU zb$i0$cl7F8>*dOeA>d6As5_#-a+zNu!`{4Ql9KCLm%3!GoG4LVRW{~`Oyjy*#pvVq z<-6&3v>+4Zso74G3g3*15AqP-*4kUY%|!i!w?NPW*iVDM=@4X!}4@)VmRb*k}%&%&-+lgCHr-I?((_+wFkt+ph zK+qOT4UeWt*><5mNm!~pHA#7Sx_unGzaxsS2b8YDOuegtQ$6A!AW;L?y!e9~@A}3g zkk8(ZOxc*dG4Fr^rw}RiL|GvBr|&l-9^aa)DwSFN67bb}alfP4kX1^~YN_-=*ViVB zz6I&4J{F)T2>MlsMmi}00~hewD64SQ7~PL!2Bq3V8ndw~2DK1q8J`@Vcr*sV7st$M zC>X>13_F0M=dmSlh9xUOY(ACGDwjH1)wJ_DGge(RbQ`I?>XQ|8&hv@8>7e;tw>+*X zT$Xoai)XQk-0vKGcgR6c6DHWTx?qm zvdfIop! z!bend^Q3O>x>H#l)7ot`$bqRLXrXUSxE|zZor_=04pnP)r874&5k)EsepFCUKh93N z(OQYgOKn)jqj zQ6R?&D2otBF>$gc_Ld^8UBFP#TH)f6dTwfJ^DxgoSOb_l)agkHOi2X$v)Ui=JhW;m z8Z}cFMI2>~8B2&?B{uMA=8?ST<(Uz{72Z{v#xjO)^lVb%2&y zkM8cD9R0Acfzy{;$1hJ$ww}G(UEJ1f53t$Ot)ru@`NmJSUWCt1?ZY1qcTZn$eV_dK z8*v&V(C6-54CL-zT^qAG)hZ1OduMre%6gD0ef1g3xl!53*NgE8*!6hF?0t4ov;{cG z7o%hjVAp)~&&#ss)a1*IWs96Z;{LxQ$Rf%ZOgY;v$!}kZERB;2KV`<|1n ze(b&{rmW^Ihq}IbPIc>8%ROK0Y#G!hfKdq&u6$y2CQ)G`?Mkp z!UsbUF={gx@~;@tbt@Zo2g9@OQ^AUmm?&O7E`v$A|g7jnio) z$)6Gn{F~+jvHhm`i0=~e)BMLK;kke`*E@|&wzk4?@7~C0WUNkP{4T4?Pu;OWG z(6`i^rl4F>2JU7PMY_mDk(h}>QAFxdsFf~-8M$T5$}ru4(K(GfiZw6Ro#Ay7>5$g4 zUxU&q0+mga1C~OZ_J;PNyw&w$NcAGSCj!{$bpg$Pl$~o}=ftDo3!beKKQ2fgxcXFkiGy?2F{?WVq^`H zDOI(ZXARZgYGqf`WI+SiBw-4|-Q04_-=KHzng9#0U@uSC(&8)`m3~Au6IFVhPouR} z&WASeC%Cu$E|-b@g=@lokM9PzD^h=i%j5lUw!TIbK4SrzG*Acc&fVE)$*sH`!{#?J zXLTRW5GUgfki^#~%LuF|j@63wNU^IlBZ7iF#Fn~X=!fF(p2V^_mYT@3-j`?Mw5(fg z+;+h)8hP|xJoYPh6zEAvd_4T$a>QQT5I)UoV?IK^HllbSi4DY%q6nQ_^I1e*fwZs? zOsdim_vWw`N(wTraIm$xL7tC+!OACXRj3@HfrJug3l+jib)ur`U ze2@b?*WK?4?XET8e8ZE8*lK)bw><_2zy#92Rt%C-|JNmQKl(Q{}eiSb&>byww-U zX`iu4QvD}V*yCMl5N9mM`6G3+w1!6*zUcXDQV-;c$k(#U`1$#;?1d;2e#0S)a=eR@ zEma{kyOqIv_arMGR1t`&JSza-zT|+USEXk&MmL4Pg7VA*4|mcd@_+C1VLX*)enrf4 zHj*L|YJpTdFxb{Xq?dZ9M_~-wfelUEIBFRiNks)pXrU0iZj{_dcPh8$O|9B)UhQpR z7ec3mlScWaZn6w*?mSd83E06yac`#JwQ%NE&UxaP*u-Vx} zv6?jJjv{OjnUt8Kdb+jk?a(E!oF;S0&diom)JRHR0=5|KT07nG4P4gjuYj_tq?PCom}O$a~^~|s|=%P z*KVb~vqAF?8E9Y!sp3wZN0CD$!U*#0HvhxR-L0M7qtm_p?St2cTPJ(ZUhM+R;P7bo z_;`2c^!tBt&pb`n(_jBOU2A>nTd)3Q)4#QT`&+-;{b5(Exblp?weiV){mb#mj=gp7 z<8N(kpLkte-`Z?JXTM=#qSudiw_fe;M5|$%{>Rr4w&uQiIrRD$SzUd{DNNkP!X;*& z&QDDW$PFj|`+q@QRo=7^=RUp-$!GPPF6!C4?a*9ir9$0tbR6qb_GW$rk|FNBa?QT* zR%h|5M%2=1HVToWr+V}*zjh635LHr-;*#hWd>`Vu>QBVcU3eN7L=ej~D_22qZ`^;- z+Jg13Sw=htz1(o{0$5lhU*PvFzaS-=Oy{@SjlS@q5B1Rax8z0w{wPVDY`yRlp|LNF zwY(t(MZNAj#bkP&?l_T?OSqWb9G`5R?4BMxe-7*rca$QYqF?RnH|x!BwvM)6?tRMx z7;%SF`7(Am?s?-EYFRopUH8$hJh9u*#_!DoAtnYIv%5Uv(U=IMO`=>xZe;^MsnJ9l zt^8Cj1$u5^hg5t$uh zJcuTuQD9SZj$$dLj(scbp5a!lu19?YEQWbYH5@5U5o{~90*wRGoiuy_6BF~9G!lgR zi90s?)cGrkT`}atzLVpx)iU6o5xYRd1ih9@@u9CJo}AEOppL3UFPn@2!^`@L6-BiW zwd}IggmTTjkwkfRKGoo8C%Sr%PLNmy0n!%B8%P`Ir7=$tmvEE&8Hp^fPx_NYA@h<4yRM%bj*sIIts-baetI&?uvAW z4nycGyhf&a(dZhu&MV4X;&^v2u=vPJu>&QRT9BEkj`Q$^=LJ(;m$v1h!;69BCrH$% zECfs_iA=mQd~v7ju?n=XQ|5bG#G_eJL&SY1*7?iAhLR=0T>?FyK^+Ji3u`ICjlcI% zl+i;7@O9@M=~kRxVu6s%REi$-A(81}c0DZJ>K~jOyfksnL`p{^?%ooZvtnv&o`#B? zk5X_Kju9fw^gWgZ=f0kprppO)OSeE&^w~99M|>mQLlD$hwOitmhPequD1}5rfsl#> zGa~L#axZO|f;XOoT1#;+SKjQyT67bq+0^7Yg`cv7D;g;zg40A=^jA(K&%_5WiSQy_ zR#M`MUGkbnRo5K05-(lUjou-sp30S!cLUl$rr9;_AYUQ}L6EsecczF;g+c)~fNZk! z6|tLLx=X|mn4IQwu6b73yL>jreuZ9be3mvWwOq@QhcKv9*qH@YTLK9yX;)HHFbeX# zD3LAYZHlri11dklZJ6jWL+ookF(@e^D0l*oyH9Ik7RJg+mSK@GUr%loRw6+mbg3T* zij>+Jyl5p`c3evFt%$KZN#HWOW{QT`KywNi84Akk<_%VLtZj!H;u+DfOr&dqbJgTlah% z5_0!0`t>?uQOP-rJ)mm1M?zjeosxHJCha76tzqKBb&U#ZeCEl*O=#V);(Orx1D|L5ez(`mE5j>8(AzuLFjgp!c=n`{TvCofbC+rYO$TePGCD-3mkC_ zp&Y28D7Kq>_rJv{Gibsc-3#SQl1s-eFf$Ey#h>tnp_q6?o`}zMe3+!)`B*o1@6LyX z`6&Dtx!*Dv0|v8fd9k!RLUumiBf8>k=N##4lioe5^$VMt%D^*bpHPa+p(tG=dOW zb92bZ>SKywan0+&#|lYWky=AeZ!6RbpGIDI%KnOCm7OE>WQr_PTo-02HG~uu!^KMy z!bQ9j*9UVjf}?pUNOXwBtw8aF+F6q_w4p|J2^`p2BSyvjIc8|+vKr+^=T3N0Z5C3M z>iiHOBt*_F*_ye^%#P&rJg1E6P~+=q@mL4(0YdWu_#(;$@@W~&HL?5K?|v@o;(%)u z-+CH7;|J_vk#GkxKgHUr#aWSlv0{k<`dYJ%xS3|-?vE(z#oFeyqLda%jWxq8dxpkr z_+ioZby$bjme%)^+%O5lJkw!~okC;QuJhtOg*^t1jIQgRQ-fHxq2vPt#npUP5fmuQ z#)Y_AAup`!qna3ftQIENt)Qfe;Ykhql944u5(OA73Uiv4(`=Y1vakCro^53&Ivukt zo~8Zx3VxMSv7~r%5^c?~gdwS4LZ~ZxoAJo&K6W$a+l{!`K!84JjqxP2kqDnmxrfzg zfpG4`>4kd5f=|UI95dXc8;h3RR;auM{M|Y$n^z(vU_x{cz{hzMy)?M0=@Pv0I#5q- z?Jj7s(xW^06OWG_0YEsqZ3K}u(7+&FED9ovX!TANKafPRWY4(?w@c`J=5HvXGe(uM zm(2%m(RO7banQ8!%$(pZTsL=KeIB|&SEPMGkBaCq0bKSJkZ5KgA5Du%-Ium+%z2lO!TyMv|M77&EU{sz$+*XzLPnMXK$n zw9u97J84KFO&LVnUMwAa#_bzlQU3aEW?d%5S$gaJyXf{+{=b&iuiV70+$Ompu|mpx z*6zJ%^@N317ukdYOi@KLsF^S;XDQ|G-xA)=I+8Y$KUv?f; zEwOno(r+hZIxR<;DB%+=#8f*S_ z!`TTy{hkZ^G>ip;MkD5;R=flui)zr|r9LvYeR$J>xCZ&GpI1;x>!zMIOtFm|kfCgKHauVYrL<>b{ z3-K?Rj5P9^ggCnNkA@Z{xn#H&W9JN`EP@}3pAj~W651!J(O~JzqUg`6NL}WDKt5MR zl_$JqYQc6ZK|%EKcTw=2g}}57mIjA8@fad4W9&8|3O!DX6w+g1mbOP}=e=@o*xqW5G?{X+QF^-(nSC?uS|1*eM4 zV3B0w$*WR~=K8+Z%4f6^%Tp{SF?g9l@rn4&IM8g^*SbG`s3?|`)%5Yii!jty78yZS zzDNp>Z+MT%jpE)$J3_Oo;y6$NmNU!KY!p$R)D$#WC!h0{(8eM{zM|R?Z#hh) zuD228(J*eX@A;q+G}a68WvcxNFrcOdfOSeW$k+g6O=>!jUwASw0ci8OkN?6kv6UNH zAksO)$7KnWpTTTcCO)-He1^ZDq14LqK%sX>K##)G@DX+Hrut#7{TXwPsI?wF#|}ke zdWqFPA%DAF!NG%jaEbnDp(=8lu0qpp?SVzUL3F@@e4cRT$ED}6?%S&&t@qqfpR-nh z8k-_?Oip?~IpR?aERX0Z(PiUdUdxLj9k9N1KW8usxdA+2k(tH|zB~)iO)W`eUIvcu z3_sX#zT#Yqlom2*qLRji2WkYN{rzy zB=dC!$cB~W@yWUazgI3orV~v$UA7hK*UY>sp%s+>q>F97}}dO zQ}^SfeG7zFBpoANLZVANq&-al{3O%cLW|g6l}&|GB0|IM5X1DqnkPuzg0qJVY7Yk( zn+g1L%dhfmLi(pI?6=wb%n>C{Z9x9XO_~44^x^&gvLXmI8bobLQuW|xMu7QhVD)74 zCcQ;5+XTLwNG^CDuGVaD z>CQS!R+WVNm#9kQ2_*F>IuU>77|+~TC1CtRE|GBGh?l{O=#~-X-_lq<#9KNxFX)IO zi)z3Ct8cn}0StC^N5Ybe_lWXy1G_L>fQefZ+&=CmbhjCzmTC(276l!DUo5^b_$Z(J zB5j*&>o)JOs>O4PoL9?D$6WA404AcoH>cY9J0zNK-C!ne?N5Q1>c~nYS!e`iYMyz0 zyLav1(`*tEX(jAPXv;CgaGjI<=LFPcDYk;RLw75%50F~DVBHtUeDiW%>gBxTMmevu zVD*A!+{c&HjIxzhniz?4%k;~Nrro~B&lGpv4dl^u-<3nTYsiJ=vI9&g6!M6YEs^lX zHtn)A&4xM2dfDKTcBi>CrwC1`3UVts8UiXtmJ!W%9V`QB9OL_SWJdxe(mMHdGn-Nd;;3Q!|38l!xU zDA;rw!Z6AEk{BStZ-1ncd(Z4gcUfa=OcIGz6jo1-6fr|Bj1$HwW?86?jy#E7XHlun zx&w_7p>sYj?kkyXm`y_HU3Gbh$`Y)m!R1NXVoq$7a?4Q1hS|VTag`6xS~s`_Ej$cD zK+aMXmZ=?EJT4^%C>td>B4YXwHh^2YrKtB+RZ z1$p=KFKJ&T0{6UoW15}64Wkhpy5pByZ8xg)n86}6D%V}Us&xX_>3g?oY3>+pVJU#DT9&J20LXsyH-vJ8oqZ<+vw|g z*a|!ZRn~JQVh3ja=+XJG0D6#+Bh812HNwOBF89S$Wq|c@A?TS_uMciPB$pd#yHnxr z&yNp}UcheY4vd6WD~`IKqV-1^%$;z2dH1eWeyv*~BfDjc+7l^SZWbyn+Yn7j=g@I0 z>+;o-)k9YA`x5UA1&ciYpk;BF33i>s0rGkd*+0rhXLzMV{WBa>LiG)cmxY65Y3PLZ z`2dP7Wcul{8gOgge4|-{s7V5W?aFvI0fq%;7io*4`k|>|@h)FUEHTGx9!+!^%osKn zjp`1fEEkn_P|0J-5{C5`5>O(>2yf-IEPK4^0SOF3Uc>gUnNt$rlb`#rOg`+F-4iP} zPwQo%8HChRKXC`OFJ-+F)1KUwp8D~5T!jeSVbK`~Kv69PjZGF3kS)2_lN51W%S%&I zZZL!dE_%irsFuctf}E~n9cYCcrYl-zR@6|#QWdm1F9vu~vUcBh(wODB{x98a@m^B( z5|*SP5zlQpM=AC!IdoDgh-Wtds}EX6A$kpgf-F>h%bffb{``vZ_^gWef?*=fm=?W_ zJxFSB?L)I1!TU_}K*menqgBi$6;@&Fn2KGvCcrTZzciB;fCh9Vm1FIky zKDPg6fr&+(#3z?}o1ZH5cW#wdfXSoyvhmz|*D++%WRCwW$H>79r$+IWLSV1SiEB`` zkvl#JXE%+QUe#MhtRl`-3pKDUkvF~k31I(H@dLC($c5%R^h;ShL)CT5e6Z}Uh2_!8 zUHNB)_mD}|Uaz%+Oz}NuScBFW^De3|sQ^yRHNuTNEOaz=qc!PA9`Y!N!3h;%k27@{ zgf%ZR)}Wrm&??il&_qV;R322gTGhd7V$-OUVTwK$RXySMnr1NMc>K2tHPw{7LsGjR zRVtOIfIv8mHc<{*O#@x5CiJe8x=H(Db#iZQ#ZGfAuiO)Qy)ve4{ghTLS*I+D38Xlmz@Viyw)}olXstYrx+O77IU&F_ zYRxg=ekPQnS#)Bm^w4o;$k8#!>f*;Dr9zOD0*`t6nU+%hORes;=u<4PTz5j0rf_R9 zgvgm#SgHw!hx_(B$rUtY)@Uc1I*Jup^WX{S!t*>Y+{)#eL{{K%FcezJM@EM?1GKHv zDFV=war0JE1Jm$BV>SvPvv`MDtqhML(l|fMBIxyJPPQNcdIf@ARvz&ZwrpeXjfL^qzZSKAVOI32 z6`f|29T%@|NFf#{;FdR)rZ=d!p&_rfoq3phI0dx2hH8ZBq0>VfWrG;(JH|mDd z@=AF@tB4z(wi61}_&{0_yAc%YZR}ECwpy^s@ZHmeK(HYRjBoCordo;>k8x*cc<&%d zPPfuCw=K%bnCHx6$Rfd-Oa4S_WCvQ4+aHIV_07g!xE*QoMi{0AJLtYD!U4FFOcCek zVm6tkHGGE{IfZh1)3~VDdE#$-l{FVxnRPHI6AM{ylpg%fVra)GV>Q8buWJZijWF9* zNa&8xLlDU=@d{yr;sz(Sw!dIoiA9d*Rzem$PK$|KMIP>MeIWiOuM56pW4at__=;*e zBv=rXlpW@mbdHn??89=6u9K>cmVzbcMRS?`9yPzK3f5I-%D41NwTr3whFwjmzmx3h z@Tu>J%*0)!r6OaES?fNan;c9I)ujYCpMre5vvFkxV9Mq_NYdaaCI^N~tIql`C`Upax&qaj(N_U|q z)@y2Fv>&$|gJkX)bkf6U{fT`OkINgCMj9|2&0@qlO3??gR3%4-`4ZG5KwUhoVA6_J zaYrgBO(|CjUO^!^&>18HU+$Nj+=;mVko>2=?T^(Y-MD{mbx`&zU-^1}>tyfS-P6OP zgOh{pgIAr)!58MOWIGc6t4OK?ih-HCtV7?o9Y zPllPJ+vyWT@MTT{PmT|FzHh%O`uV8J+k2**PoAW&UL3w^Z*!%OGAlU0Vu!mIOJ@fT~j;6}Q@b7Y2j^2X{1RRX+1WOl*k4*&8M3 z4J%A4Vr%_*!|jrs(6`-caH>6>jwg;aFW+0~eo;C4dNWeq8MW=zuVR5|3QSIboK%2P zG}hGS(rFZp2U;!+07+Q)!Vafsa=rYbuo}beR6^q@)K21-s=C3fi$L1tY9D)s`BIV9SbS4sqX4z=BvS5X~|V#1KqT{^&Htr z-*;EL$EcyZ^WtdhwQ&hF!LxfCry}ym$UF`pU{bmi2-U1oWjeL`XRy$jHAUneOUse8 zOjW+jMraL-qre?($>b>wGnx980P#c%N<)Rz+KbD~Ce zOSZGH-mNfSZ@wNPHq7-?pPR3bYl&A%Xh}-rITcZ^35$kP!j~U3|0ZNwyWCbap}FGh?^HrM!&O86z~jg zk!?b0ZU5?F?=vd6@@&3-UH_roy@wHuH9r4^K z(XXc^FodfbgNt;?K|VyFkfBKKtseMl&h_%mhGp}d8>7)UfmeC>{Ysr`vE@1+y)Pyu z>od1`mAuQZS7}sDAb3gTX2<{DjQDNzI0ZJ^_M!*55|UGL8FDhx{Wq@?sr+?OULpOe zWq?40K65-m?vJRZXvc|88Y?AOy|lK;7_b;Nv5@Fdb5x0jAw-i5aS3OF68%IVa{bD>w+cb` z*VZ+%BjUrCxnrOM;ln3BU`akjXi|<$2>}%Gvq((?M-U0-!_Hb7nQ(?^)=HDe=+hUZ zzkeNd)$^=Y(E6ITtP&f*9oN@Zq72}S(JI~N2M1ka&oaI4v#q0UV}9M|PT1=n`2Re` zf1cq#TlmjWx0PTh9h-2Kqhx{2IB+E?YkwBenO1mfhv3Im_b5uHZLTl;cWv#S{=0VbzsZf?*Y-Wt zeczkg)W(5{c6W|U(`B@>!h&gc0YY{+Sv<=IWzmD8Ad5KrElW4IqgEyUBJZRxjd_Vz zDY)1gn7OmcEb#HEJxhWcQVZ19XIQD@lCIpoxJ|qdF~C#@(Jl(tzzEJqLdL8b$hs^* z2URkit)DN z4;7H7gcoI~OP|gS5gkjX&xeA|;E#~5McQ)1B7Uf6s+w*{*xmfYG#R*CHuCSZ>MAZ4 z;lgoSF2XQ>pQ+{(hG@EfOKgov8C(r$$qfeHLB0gTWG2On{OU0N4Di96M7-~i*NTZk z`GgG8clov2BN_9gjP|rE**w-}7px|j`74KMb zdm9N4r4>Bv=LH&%)ex-{g`bFall$FCMXdI_$@TO?qE&p#Ma~rOhGXq=9J+@`dk05* zCqM9l**@6WJ$=6SYB&4^p#SK*H~ZWCYxn4A|KMpC2nl!Kb+4UgJA3soyJ$mnUmSM?QYD z)ntRfH$l6qBKq@*Y~hh+`Fg<#8iN}gBN9uuImUNnO)SK80zH(b5eeLcBEw$$1fODTEa#m+`o2&$YITCZ`2 zlIB4%fBA>WyILXmiH&<#KA%a>kiN4b#1xoQji&4fR=J@6YK*!qa!YTlOu_SOuuK$o zBo5cf@$`i+5Qbxi48E&?IGx)iU)3aAy`w}C>>1XozB4?CmYlsafpPaiFo9AmAA#88pmdR=X|4?S{y5HyBzN~4sgXw>Cqm;9 zoUT;%3n^LQ1F56Fl|pOxi4Sahmxt^TZiZh-Ml#xA_0M}^l9F8kvst2M>MO+Je3Pkw z#>i@e|4RWCUfsbhn$RcdYo3&sG-J{u=}Sje0KpeYN9U|L9kM^4@U_QcbuPaO$`rpe#D0%}2GGTZ=Vzf&46w-&v1jWyb+zlx`Q zo+8(cUsGd3uyBbujce@u44Z^v8>DvyPaDC2<^xYI$5A9cN&~vx{B3L&OZ@fjx3kH% zoDilXltLJxQ^`5gY1Q%46v=6Y$5QHh_q}$Xti*1}4C{C=07Cx-R%FIv}MTU_V_U`@bC^`P&_|?IS z)8|{;d#~)XAOKdA{;J}s_U#MGf)5|MKcDUGZyo(``s~%gGxwL%Q#YZj-t@l@AO3ap z!M6?(63L&ZfLICR*xT9NKiPY}w|fK}SKL4DJ39>!T8QGW2w`qU?pr2JEx+Pj4LPhg zp|3-fLaIN!E@-o1e#<*@Aw)L|J}I>qMC)z0tLgPHPXLEs4G|jUZuV>(SEE^xw1L^Q zl!yxR+@^2Fj+P{MV9%~&xGdnz0gc)l0szT}`Gp-zv!dSY(Srv|l@hJDBjF+zaDulZ zM{n?+Jqf^03Pu+jF{GdP7BO&@_$m>$Y!z=Zpn#0>q zN^1g9mvU1QBXq4KLFA`qRH8K)W*QoE^nGX|?Fgy^*4h@B_0#Csmd#2RtIL_28~(S-ib^ADxON~cUK|#GT_AU@DGi4B+Hg1o_CczDKmcnobkT>$ zcE7ezp5v3F-L2Q%WRVTN?hmhRTq;>@f~=($dr5jO-NLm^Y#xaIj-YZ0MG!v@gbz!I zk;R-!n!~_}0*)-jJiKC|yE@}Jca$Z+cdF^BYhPfn`IqaWn}!f}I(0Rn6=(`war(Gp z?bb^z9%uMsS-K)~-#=)%ZT8583cujwSr&4ebHRSVoNjJ5quy5+as z=4+?Acbynz2*b#o)KJ2S1*wV`1-(n|j4_*pxA@4vUd?*Jf<`bdDEP*7Rhpy7^-1eu zc>^7h56qIV~@CntR^I(>xD6!|Iv|pf1RJX_|N^_lkX0WerI)Ce@57+ z|G7Q>^WMh8x%kiZ2lqGc{XPEkZ}1bve;&;w%lcTDR;7*;u$+A@^tD$xAwLQT)z2aF z{{jJ_+R3(}G>Q0i+$hy}NEG8Fi9+}+bPuI~rif~yg@kyaio00)Qf2+P@h4=R)~^#a z+x4&0uD;fG-*u#Er)VwuG)8|G6Le+EsAVbxn$hFI%iU=kIRFTKZ%M791d^0{!=k#Nr&}MrD+9W_cto7YxO4L?Gu~pjGqA`{ zU|R2^44{;6lDzmRyOg$11BM*WhC`78)yQw%%LPgCL}yaF?P=eTtCZjkUXn(6I9*>9 z-+;{(eMp*J$8YU?^Od^vyi;iEHH;+o?d5Gv+2NzYfnO4Kw_VT7oE%}d=oM2%3d`|dy+Fx-CKAu z)!Ep;ih8`P>7gj{Sfu)K^7|3%QcEU7SR?)n{v3mV7FF$gkPOT1bnOX zEk@SFpLHNX58ZCTaEz#o5nOy`-hsHQorZ>5u?clpR>T7x$@lS#mI^(!)Om4I79$~X zgEVG6<(hA1o>1pmD};9Ct#VBi(;8<@iupsv@S@Rm;Bz%*Lxp1&Hqr)>?8$5`Lgh0U zHABM`t|a1dA#TQAt(E2^5bL#SHrXh-fm%>J{f|~PtC$FhX@PQ!6|Qr;h##kO{MfU> z8f&rrB&wq40lYg4T%P$Lk_1W?##7x-m3HrGvHrBvtA*_wb*|b!VG^tD1@=Vrvg?cgP2-H)f)MsuIpLzhs zDpo8wG&e1!-h~33Lz|?f>p+;A&hCLkHkxp%?)3m|!Jxd8)2(+o9vD;1laETbZm;vm1ZSRsu{ zTYk9mGXjpZ5zVeZyx~}486211hJ9{YM6q>FC#=3r!5EX|)$ububqwD9TIbVEL#~iy z_2=hV|C%qQVy{!c=A3&c;|L&NH#g??9eo-iG;Fd_n+!ZEhQowb`Jse<39Hm=N-fxO z-9;@E?`CwAB8B$@2 z(Y^9kDi!CG>tr@^%0s^Z#EopP+uccihW)BK%$I?~gB$ERKE2mj@2umu_O_#>Hcvv) zpZ~y7b1`ILA=z=(*v(4@q$suygJMG9i9k491%Z)KC#rB`MxFF!uAC1ZirHAgbmTp4 zyN^&1$4nJ=H$BTHK2Uy!588h{2cc|Vj*G^1EY#; zF=~On>@?P_ahs=}X3U~5$l@B3v9o_{JkwMiiG;nI9BGZA1@;LUyfHP>t19w(CS{`lR(HpW!B7wZ zZYNXN41H+HscVpHmtuexCSa6ADjN-oD9BTz>@G?I*~7`G0L+V>F*P{VV>683&m$m5xdmwkSG4x&U901~Fl!Ruh6q9ZfCJJrgp>G$kVNIszFr$1s|A@XuwZ8;iiu^2{aqVIgKcp@sJ@H zG2|nFnN4Qmg}W?!NV@b3V)+S(39Tq5QG%Olp`&3oc2ZDf?4&A1{I>a(*;1Yt0EA@w4B96+pWb|sn z6oVa&!c5cTqtR-`<7%wkkhu!_GTKF0j_YHZLHihA7;5Vg1`pd1!d3-RHmdTIK!e%*K!?DzaZIry>)10DbW$b}4`G&lVb_{ti#bY^ zor-huk}K_M#GC}A7__M8recZ~@l(ljfndo@X|0j2LxfAC9L-iA`i-C}4_by7>AEz^xjJ zieRY3*UVO+44#w=@Ek9U%K~^1Y;Asp8r}1)f0kNc9BR7Pj3c@9=3kLRD|KHq%u1{g zIlR7`%3=ErVX5NsGlEUUse24j&v9U!9uKpTx#7Hrqy{Ufp(h4|EoMS|Vgr=d7OtMD z6^VCaiZ;W9ZpQIC)jO$s?P`1@sr$j|-!W#^@CE{KhcAO%XiT_f)0Y%Onl{@-+G3?8 zK;or_>9#`?i&|H_C53f!yvQgf51u*_DowtgCZOm3M(d>2%=-~`pjirU;-p#^0{JM3 zS^_%hT{RQmRqS|+RFBMY>0u3iJ6byTYd)w$Ua&rK8%MTlP{x5sO&@&lr>tC37H)O_lBn>Nn?x1R+*HH91v zmcf#&4m(YfW8JQF35Ncq5CaD828007%AO=$m3UuEa9A6U+u%Jpy6zg!)j|#Y{v;8> zwNejEqn`|JZoK&? zii2Y>xuv_H(SGU#6H7!jO_-3SLQ)Z--%2^gZa#5IuLQ(bC6Z5{QYUTh^9^eVuO^Kw zPC6+lG1jU+cqezA`YOw?i>l0N&xx6Qq@^f**V_-8amvCpmk>`E=$kbZbbADLQ^Lf3 zVvTF@E(q(cMIKZ>mmwck;?iMt-5d4;hpUuA4A)_va@N8i0=n%?U0+&8Ez(t1p0G%c zJL{!W1lyH)QR(`t$HB$!q;z%*8?>GxtvPCmId@K2!TcXF$KkJDv0De^M{ z))U|;8%YOPobfov6;PFlCelmdo5H6Cn1EIwW}{-&HQ^I0naVXp7)N=0N5;) z)2sRTugZ~zK?tN;$*gv|K$@<4)c)m;XpZLxxg#ukT29v)20aiHsOrL`#-^5AS443F z>8=+ciD!qx9econm`f>0juf#mln_fMn*cWCTY(qsEWZNU%M4xwrfhc7AFwPiNd(mz zC34T4o{LAXHU4BM&WDCa_micz8w@G|41i^`%i%kPU!oAMqC^BIgkcZiD4|%K#d3W| zQrL8hgZ+3W85 z#zTIv-o@C!_pHk4xXNdPvaL&M(p%H27I|9rz(|oD*I2I@S@3+7r=cBBUz7nu$|9)wxa(mQf2@E)hCWtMFI`1U+Zd^5moV2)?&@Aobtu$PE zk&KJM`PM@Odlbvk-8(#eezd#$Y;S)@@-mRxVI|UODKqPVYfCIKg1%XcOp@a)t5y27 zMeu`)&n9a603Qy`^nhhR^uvVcrn(Z#=+v#fMBvYL+@Gk~XwFc?ZYB2Uev|7SUh*@j1?*cwIoqiTH@*NBe|(0qmvb75{9 zGrTM^pQ_eU2JUBe35|SXMM{ex(2x`#HxbT<46lj0F~=#C{Y2i+s#sm+{m;H88_feE;z>{CD72xm#@pg^_elQ*y(>$DBD)m z#PMh~-)#i_Sj2!Nz4opZ7u6>d)no>OPML82Dauak6O}H>;ZwJgWPlrnOw7^}??5J} zU@DrK5GDM@o8>-L*(1&ch)Am?4Tnk7RWDTxSRp`j0x@Cc*1f$+Fj^M14OYASDSX5MM9sGv;d~V2#7Uq{3{-TyOT;wd+(QrSNRpcSp@M>C* zLX4#BKtG@JQcJ#sm0>cJ1G@Jke_ij|V{=PEtL~eTZX`jVG|qJ3i0FU=u7B!;|KWA? zU41P(I^&;rGn$TKSEI&LV)R}H2E6ug#x!mxXjsG${qo`)^09CXR|XPQFjaf&?M>RJ zoB`fnQ32iyDYBOM2n>P=35ufn3*6q6L%5`w%?%fY8Ji=X#<;kAp?0D5=R>_gb==sk z(2p@7pLoOZ+c)lR`Z3v&i)beb#Ckd^&8%EiZKO=P8(+=Fjns>}P5I<{oIiDEr@C+w z+ffb!3ESEIP)wg*=T(xt)d1-qlid$_{}}xHX?2md`{^CWJKdoFAtl&?`(WMp5mFkz zfizMLQNL#W8x}vj;~FzV8V%j~;Mw&pw(iCGUvv3?hg-+T-yIz7oNm3?-9I`0B@zH{ z&;MJ$x4F4Cm;d)*bK~#%e}99YDF5%!DcX*92IH@{R4yjBlzOuS~=&;(wUs6XE$Z9|hHtuZwc%kGhaUFHggW1|Pa zea2KuR1@R*%-LLCj?0l)X~dl+H6Co!v~nRpJ0PMd9|ZIJ;h6QDaGiPO>U435U66qv}ec45w1Y z)HQ90EE?rCfiBWSYgkk=pp(9~aoXq%9mirJVz@RgyvJCK5Lb}sDOTg=@a@7pCmg!O zC2|5*Fx6d*RZM$cU%x2ERe)m(muR3D9kXKl9}cfC9SgY7zC3OkM`SO`35)d2_G~Qi zj$(9=UuI!i`Z5sbIWvX*EcDdGTVYEC4X91n#0fZ~>&m9&KFCrz`mYKr;oxMWF~bb9 zl=M;b4W>$9MX9az{nOO%`on^8i~^UcxVF)1d7nMHo5Qse7H5f%2B;&rTYBF0K!sxu z)!E5y=dxH{$&6y$ES*rpl+(9er1~zeuY6*igY{KB-&q&&v9_ueg8`U19H4XIyeUTl zKwko^PNl#myGrV8w7M2Ysm~GRlB82hnvaqNh~vs))|w za%)O+ic0Jg70)8`%q^peNJv@`X6hu=aj8Z+H$_M4GveOp08H9;s?&9_O++HL9H5wo zW>$5Z)e59^C?*COKajOC@_=MWc{>I?=`LvJXYA zXSk9hml6f_NR6*UoQ#J#oQ)*1F7B0hnOuOf$}Qi}qOh(+aZ&tigd-{Q)%q58DWk(5 z%Gn*(4b?|{XfPC56ekZIs_w+})NSC#^ zsWwBSx^IVx`R@wHbzMuXbZtd4eU!>bACzmKH7fS{YLUJfO%JX_a@hc z#!?n6v@#_eq82WRogDbx9Tij$>+be1N;e&Y;;iDd4>vua6Nk{!(u8r zKUh&yn}xq=t{DS>xIh-R)nYKryikcnIH{y9)$t9az8c?n+Wjcq-(I09DqO6$X(uo{ zVQ(SHmeN+hEVZ8Z%c&)4-AWXNuX^wJui{mU09Vypbp+Dah;V}1`FpGD7_^(h>x2D+ zlY{-e?JhFA`tP_K@i4FfSbHRI!tPDOjnA9}Yhya~9HYBHMtXEli|jZkGGHXeSNVzz z$Mb4m33!kXb5L5PGK6;ndY5YgxdIrr|DXk@_}F^>Pp!5 z;dn^kq#Oje{@hT`S&u=OJwm_4fg`4Llc@ZoRgLacnuh>C=h! zlQ45i%HpE{qYUnK+)kFxUYws_Q%TU^d?1XuDM^-qT3LQ}$ zzx42Tu6d*IkCFm(3@GM`i3uI?*NIGM=xBh`~j%S;)4k&OWj|| zHtAn&_g5_rI%dcXB^hg{=%G*~kfq7_#5Z3~#OUxsb zJ*3ME*u%;{2##!atzi}_44NigTeLzQOt!#Hb(*U;(Zd`=+F063$Q(c~opdMOE3ROS zp=jq`w?1H~^2&xd?G#rYo4Q6kr{&{bwIC#mQxgrxvt@rsVEdK`7!Ae9G_j3&Y6hMN zG0J`FHrnWAiZGO^Mjyx=y>dgWM%(Bm@As;iT9ycc?`u_vCdSGD9a{6!Zo54y+fJ7v zy09I~m~zl}Wk9jPP@#8ogi^poXtI0GLW7+u8O(BKRb9O83*s%Y0LHF+HKHvx{jG$M zFdsJ}I=4J1gL5BVQpw4#J=6tsu|hr46k*kh((Qn$b_GAjK$Z%EV~4POdsy9u3OIVJ zkt--)Iy==Es3Zr0K4J#}k)m6Re$1Px>s zMmRc{yAoSiDqpHiacl%yJs5kO{BpSf8CquP1Kt{D-(Zkj-U=|4m*u72(qxI$P#vKY zL#w*D)W{F&tw=7eI>$6lSlN?dddrJfp_oXdqz|>a2blB zS)cCSMafMA$?}<Qm`|e!^D_MkI8&duco%HuzC>g+gs?Sg zvUhqw*BmuM!s-&GR9Ao6%?r=g(;q=m;&1bUoMIWU0HKwr@UAYcJr9bSP4kI=z>-@< zD7^9R???zW?OHqW zN8FYw`lOkkk#^5f%_IJMl1b8j^qCaTqLVIsILWL2EQ)pQI*HKzijwo;v#~pulk)7W z_8!Ak!v`1HF#dCb)8_7^x9jcuKSmi%MuI!-XZ0IQH=1120+|##fazuAZt_6|rtjF3 zMzv~s0YlyW(h!}d<{3tZRl)r#O0 zI=C4H;~$4jjGqj=zK}XfXmMCxsq_&%HW4lQzKu~7teNIyov|@{y8V@WKYML+0 zk&LpW#H{YN#B3P(q#bpl9E6BgwF@C|ci0J;{-QD6j#=EY)!8KX=J7n_+`zIWGgkpi z1EM?th*GBEml+6cbGLQ%-;AQ`QWbUFUI_VFDDVZIhiXz0-&CJws1kx^W)XUo-%q(U zJXTM*;H!oO#;zQUp!S6>2H5t2M{W`heO_k6Sb$S_RJRjn*Xr??WT2YhUa1vYxV!Qa zs4V?SS&6l7P*lPW zp%Y;us>j)wff>t#MdcE14>{D9{j2`Wel}4{mNyuUHS*dc{91mC)fRS4ksu8HLXxGZ z!1&96^==F-VQOj6R0bi{~uJGvW=_!RI)QbJPjR9(k17i#YuO`MJ zxyp4~$Pv4V=}N?Ot^N#riakmGU=0JzFe`|UAoqrEUI2eaBX_a&<+=-rd?PES=BQ2f zTymc38M5J8Xp}1znLP_Sitv~;*F%0jbN8xSusn{|l&Wqj##Dag%m+Nv+KZMQN>P-! zYLaSPdF&}#C7Qv>3Be8emn|nW{jfRcI}nmY}oKYt1LFN?ZcfxG-E$ zooHMk{!F%z-}`0}*D#P>A-EEKqBMWdOzlL^3(H{DvY{!{vj{^fcz@%IjGPmxL5uAz zTQz&jHe`bZ)|S||;Wl4jpr!DmnM0!$ugg_@ zlKm~<>{squ4S zP9tdxxd@`P(raDPH|V7(a2F<-tRRs69l1geV4OO3D+vez0lEWM72hfNuumV&RzNrJ zQlBhazp9K9V}s39qo*nlFibVMwW}l11Ba zsJFVrOGeSgKIJ)=Cj6Qj=7_*#i};4f*mm!_%?MctQ7FG|{%Qc3k3%;aLP?yqC^g83 zF4RimQgTOiu|76|;jj|NC)=v%y1XbL+w*pi+_7FxzMz9-gdIK6G7gQmGv3e1&dvq( zg8Ci605m?IX28rHVbh-r%}qDi&W{80x@iQk480DrLDjSy`@mp%je;>`^N3%QKJHBh z8U%IZ03lG-!#3>1pq)rS*f6tWknu@sY`PAN2GwBsv-fatPIMH3m7lODQ z%a5VLDB&Ev-OaWGVt$7 zb0YY3p7XBMRX0VaH$sjR`pG3~8NJl(W(=MWE4vI%<*sODyywM~5wpUDm9?;J;J=+tXQiXEg)LPKu(AW`^5^+d1I05(D=u)p!d zcs^#ZvQxw88Hy-?wwd?&D6Hk!X$Vkr+{Q+TVAnCIqqyJG{ewel=uHybn)ELUlz?@T zDQR)<<`G6@8k4A&AVP>rHuClZBu5tK_Ngb{1+I%AKgOHL^NdR-3?+-ls%UST)Fcb! zu9nJhlJRM?;z3MPj3HRCAT_1*%N7KqmH{E@S_Vg)soE)i2NrFt7- zlEuszw=CL@$P>4nBNHJPYvoMVlxx6^bwRCzX1{kTt7Q=4ckLJjCr9HAQL4SwN!&s; zy}hD*L+{shN zM$s>&BC$U*(_ktZW+z=fscV{br-ztJ5EM5XhTAQ~lG0L=MW`kc5ySCIrVvP~K-~Q& zT!?P;;G#)V|62qDk9mvJajn`t{~MjK2oflEKd}|lhz$f{0h>11@_ZzCaQrY>*u~G? zz<2f58L1m%Hp&Hphw`_E8f6!H!^!RLB|`gh_aFnvqSsZUa5Il^q_s4;fF@)EK>e75 z7KpXs?r*Gb{(&V~gdK&eG@N>OmkU3QOS4pvKYLOAQnR}VCe`pp8B&zc_o{^Qq6a4K3Y{ms@3=M+y?Ys1$s@f1$R!l` zVenA!w`h{Y8VL9sSGjMJ401odYB(zrg6ys> zeW|{%Ke-vZ6~&C(_*ee-F|3&A)MS2S`3}(cAK}dl6qV}M*WjUKa zsSo+5^g0j!l^h29>+PG~Y&4yP-iO(2)V~;K#1C1W@!Qp3i7=pl>ZZ5VP2o=cTX*YB z%hDGF!W7Q=5l0XGbu}NY>Ofan=X=#1r_rR}HW-yb=Yt!xYwOwZj&BIMvYTq>-6X$s z%(v6;qp0^)-qU|N{qy2CV?~?oxi;L#-(*kSi9jhVECC&7yfeAp#6$Z-|5>N}*ubB$8BrT;AK?J2~1p-P=FeJ$k;ijk4=_Z#QHdw9>O- zX2EpzWf)Ad{>(i9tx`k|`zHQmR7&UD;wX$gPd_eiAMBrO?d|U#-9CiZ63bBU-l^ay z{j&P%`)&VOJL>Qm;(}h4*`VI#vx9?^(^m&uJBvDfzDK_;E}~|4=WbaG#u_c^?AUy% zGm2ur04eHsw^O1XTXBur>8*5JwE;40@t0vpuAxsmA9I7K25r9Hx%k3G3JqxY+fLXO zOU!~Hw478idkeQ+a4Qf0JkZTn3JRSecQ z9{rp#X#*cwq;|T9l-=tZ*ZOlt;G6h_F4|6=sZ9|bt}GsNEqFBDk%+$iD5-JIpRw|U$2XZ;c2A2yv_5th~PVzHg@em8;7v*^rxqc%nnBz{0RQXF`^QHfl zO=8i1nJJFg*r!agTr|B`fO-67MgrKxFCNElg;U9U&vhujJ$Q4pzxC?$`QEGD)8_|A zueVN=wr+0zCRS!0?0%s8q}j#p_eg!xPC&t5Der9Oe4#C!eZ22^dbXZ_dwj6}8U6mg zaw_+i_qwg20t#}`KX(K^riJ(RExsz=6|2Y1eLl=SKy;jx!xw0$!iY`)PSd`#X+Cs%#(v32hU>A*Go>5OrDIi^0+ z`4V|Hy!?6Wd0w+=XjiTi!HD>hQH7U3VN`}3WPi^Mg(cuMgxJY~Uof8V@+XX^t^>q7 z)hkA4m(wp=5qtGZcBy^Cl9=i03x;E_e$H@~#R+XzWabkD=}bOtEmW2{S~2}}pxk}I zfTOoRVa$QC-9q7YvKpP0KZmf~>z_5Q1$%l~4rcBow*hwlMKo4#;FqE_fTI8qrL5YT zyZI$*w}1H)hDC@G`$IBBTMR!tesjDVQJDL6bPlK9Wh;F?nVlnJ2aZP?+^e7@D?0;+ z{z7KPS3h;+x1SS;^5bfC(Q#QspD^M5u^fHLn%k?t^clZlr0*3B;Y&|=?fqZqj5G0| zYt38~PL6ZWUR#{QOL!FQGUtyu@uJ*OMq1jGq3TcgnMJ{i=416 zk%zsRmh8Q`*`#OqIS5bsSW>j446ynLqETf5G~5sonpNo|8R>vVz$a+4jDpSzk22*! zPV5~72P27HgO_|YCqw+Ihwo+*gDV-dsFf!XI>2ip*fHbbvAI5SR}wd{9Sh?vk!pmX z^VtO15I4kxM_G2}JC-1>C=|wrX>fMx!$z7&^SlY;3yp?-3D#%{YY{J`nSt^W;e9i##p~3?#N&eR&SS)qg zhe0UJ*I+iRq8KoAsuis=s!+>Sb_Tla3mS({ijnBOB#ZLCYlAB%wceRYsELDdpMuUY z1YAHf>D4b^RPHjc0Zkhd%oMFf;LT}?tq4#zW+QSjOD-g$m*ue9aG!)qMtRlG#%JNzEWH1ZP`8?&byqYn(M|yftJHW+LZ7(~&xW(=Leh}kU)A-f@7B55d>e`R)4bc7 z>)45(r!;UcTV(7uXznBHFPFaK*hoi zuiMemdQ#{_sAe{r2L9Kp-P7aUqi^@NcYlEjFdxDHT6^$tvswS;;o5_Hf5-p&8~n7R z`Y$H;A6xvwo`yJ*=LP7m?Q#U}@QW0KxxG)HeY#u~h_m+yUH2ZZ7(=U=ddLysI$N4+ za;cLn_|O*v9u|z#7MzVJ^Cc9nqo(0FOqEQp%5*-6S89rBR84>plsdCpwNxvlPtH)Y z7;-q`kv*DefZLHg_+Bx}1l3gVtXQ#=-wdKkRa&lwH=ic^Id#tc5nvjiiU}|z5)hFU zQy^`A1L$W&Sf2P=j8*RLLZ*oW5xHRM5(Zhhwj9g-pcuHdY+t!n$CCoVPJ+!TVaTpw zpk3I#IKR_?vo>8*?lJ{#xfX5B7s{*Mscm~@(DfyClEk+j)jNlT*_&v>k_eu~=pxs< z9vQnDEIgF}_bp0xIh3db>MZN|oC`>=82XjWBx9Tq2~iawMH6v!!h}VNWm!_OfD!t0 zqayOK6lXkUA$mtwcZ=$-Yi5o@mwtl~^KoNdyz3mrT)IQ#8kOMd5fYo>*J~LbZ80+4 zISZhmt)%qdWa%WkN~O36$i)a)vYy3K6r-mLqAB{2y1Wq9C>Sj9^(7|AsYJKr)DIRG z7nEuw@ycJmFp4z_bcQ56-ij7e&%HpI_!niYLLGxRhe5zT5*C}2cU6rNPz{QEfP`}A z%?T<_D&cA1<*qezBS<)DAo0Z^1w|rEq@`Mh431|^A&xUZD~I7?I4!2{x)CHJq?#IchWCA)+qWH^-9yZEDZzwWn%P z_U@a+U|G9^(V3GibP;gb0dW3IYcjvfsmFH*M7eUROE$I|033rFsfsEA&nLX1rhaIa zMWY(D0fAhH9e4aUW0`|qehqjF9FC-x!OyO$@Gj0$dO%Fqil~D{$lP+f`($o>i48+c zA?zP)z;~Th0^lPy8bu5s(c2+nJyxo3?-CtPoMp?pBmIKGl7c%)qH~Sn=BgLjRw5c? z*N(ytMtM>zjShAZxM|RgLx89tcYNJ8B_xg zIVGk!h};QmU}d?GqXL9ks$oh7%5*a8`%FtG3b+}z4BS_8oc*nsMA+Ftv2iQ<)&onX zdz{OU%U}5%?6ypA#Y0o6$;EY!QMMM{@_M0rJ}Wk*5swHp&*hccFcg`tmlN*AuD%u* zLoN-E8a5H0{autN5>f=E7~GPNs|DkZ{t`eFiWu*+b3j1m69C6}_-ccbmNHr<@w7*T zK}J+<8@OShM8BM>dhZ}WVzN4UH*J%XT^9XG>8l*YPx~ZROQgFK)z!O`e)}3y0_-5T z&zI)5e#!EY1Llb2L={yj1@U5RbiGx_*)>$2R>HA`(WIi8sBywQ4WKVtQCiXE4 zoaE;-qD9x4a?A5Q2}&8pg@FWK9YozSgd<5xv+qD2#V8T&>1>h-EziuzL{u)R)lZ!KQ$+I5ru z<=_6hEF3lKuDuiHIghWuROCCpiiyDs1CX*90mLy1Y$t$U1V377!Y!!*e zd9G|r;X#vU*5af2Hu}sJbB3k|+KJ#8#Kl&&vL+@^UJ5rUgqaNzzeut4Ow@ z{R_#o*|?f1L3;QMSwzn%#KLnnQ-8#HWP9?%O=`o%?lE0d9ZJ`6F&I{2RxQN|**;{;O@yv~e{OK#KhNjp>>hxI``E zPV0{JX{peM?U1WOU6?^=6vZ04P&uZosGvQOSSbR!m8b(Ua#YCP{Vqj$TIjhO0mw2Z zYN8fMsWt%(68=NhTI=QKPIwRJilavQy89AsE%Tc$H_P-Dz`!~7*yjmWJ}#i=WQ&zR zf1F8byOe@=%C>9lM6kTjo)4hCWda3LeQj3oh8n4sV$1)KP?fDH0w`8 zJv@(XOiABE9+4_Qz_`F;ymk$e+g&>l33**a8o1r!XatRM zj4MvQ!N`TjQ4t2n~Y%qNJO&QNUF7W(pNcLkxq||sqrcsIuXja1F@4M z_j0rly4ll`Z{NO`#;I##`S^Q_hSV9XZmfBO9OIvW>yE~BVy(Ji31ApQ;_1RP73!nb zFhv~)$7md{cmG&M-;em?$gMDy#izc8nVt&V4(@>{>*c9AGM>sK`1)0O?zGNH_8j&6 zszp!mhS^-WgN|W2p$3b!xgrj#7sv%r)?jbZA08w-~svyOfr-=dv>i(qwpN;R& zPWtTH+t|en3{wpMri;<23BrO^{fzJ$FY`e$y9^kH*0r*7QEI8#cinY>$dj(MLU5m0 zyyq=4D!oWnJ6<+8-t&?9kViuSrIE;$3Y2{XF&(DWM#2QBaN}EC|gmmlIE*^#3 zG^tw(K=@Ln=<-=jQq~Gt~yyvp%WH4U5}p#VIut1({ukMgn*0B|YSq>;RFoHree8E{r;H~}1YlGTbkvU}A< zV#9wbhSjbY>O|vFc0WO|7t|D!Vu|PF1u?2fI=spwzsGk(3;_c~(JLxPK6O8J_vk+7p~o3L zM)gbQ=pQ&^^z-?Y_<^oZ=so9JYhTO&x%?8ISykcZRE7u`w(aZM>pEv>LY>L^NFP@I z)l5NFBldFHTNgmnUN4-HHzBTlBO&=22%lYV;D(ip06Yt%`OZQ*LOqYCFeKKDkO4IU z13Ciw{FQ54P3jum`VlHMy`eL+)vI@NwrX9t^_2670 z027NSTgH9$!4qmsws3|+L%wu4h;M+eptQPA`pw+{i8@G0jfBWx}3oyzHFj@Qhp= z>+?Zy;X%Tmua;9}xSYSMXX~r7Col0@4bxNNU@f+95~CG#+!;!e4F=u^>}skVW*~J8 zZsV5>uQQg&zB6^G_=aoNTJx)_rX~Xmk}S%F5#w$J2y6|mN~hkI%Xz5;k>b;!)+_9& zp%G0aWkjf$DWy1)3*Fl0UmTxy-e(qXN$tg*XsLZ8DZ~d*{dov~tcyi8V5y^|YA03d{Il7eL`|NBm!BmM_e7U(ZJ2^^ywRSALT;91xOe)I zgNtE2GsD$rrk7bf06X-S0!~~q<05;3bg0e490 z<^Ap^t7q@j_z6a2sNAC+vqKin$ZoCQ_RLMK(8uRMO1}ccO6*3VE?unb`f^=+ytQj_ zlu~N%cS&O5)>{5CDc|jSS_}1Kpb}F)d{->xkK{VA9x>m+@9J^A6e@RKv6`1d<2~-U z>+L7fTPN_0drzpEW#7nrFrpf|t}uafr87?x39(71k%P&d5#->na$-#2DkiYA+<}uD zckZ0foeBI*bd69>dL4_K2^(fM84wP7*wn-OBgVY(`QwNFo5A}}9}gZs)CYEC$7$5F zpE5khH&ZWyl}zC|!#Qh2;F54^qPuvc_k`!RXrxEnYP+F-BX2(-r}hRwMQ_zkQ3EC_ z#ULk9xfI-TfezHS$z%)edc!yl(g%1!r--5n4tt_FTbN$+5zcQkylje9D~VuJ;sFv> zMhseyBGb8X?`ozu5mcdwO<%9!v~#So4@p6b%1HYI&{w$;4Kh`BxKkAfYac};VpR#P z_eGmWtVo%_jdWIh*Peu3-!#cT@ZaAE8;4QddR<18oot(w)}{vpPB9DbZ&FhyLHps~jcD*Bw5m}w7VsahT<792g_@Oy*EeGMqxEZ!*ByS)|ZZ}@Y zw8ZNNn|5taoH<)(A`L(MY^Os}C|548qS4NY35*%n&H?dp>c$OG`;l)6eS=v3!9Ris z|G__kc>lpavU}l&{D_XU$p6vud;HO9G1Zhj7%DF`!@y?<1r30C|LRDRb6+hp)V<)` zuOwklQOBW}^1#}iT3yWRWk@3Icu4^9Fz#nUR9W6c(ngFm?T!lXmEK{3qm3+AdO-x^ zc+T7rvXPnHrUy;(SCT6WPL@Dc*+kH~n{Py|n#*t~Hme9ae?l_=?w>@rNEx=x>zo}4 zujT;SzMHqJt96oHv_qnV5x5Q;xeOb(aLpzDvJ4$x)0PRGZgP#Iy8}5fVs5>c@*^qc ziZ=v>JwocZuwwhOK|d8YG-5Y?Ty*D z1P%BILUOTpC78)YgKFNgakYI-e25c=`ZkO-%V@+A;#M|;*2mK%YM4Hr4>$v2AL+~R z<8l%bjopjCerb+2d1>L{pxrm(CxA~y)B>uaz=?5!;kt~V{jHuFXtMa<=M z3V8NyxVm>9{TNExHWGq($KWTg15){UsVO5q6Ez?Cijw2k2hR_GcX0AKLhR*i;!6yX z-tJ3wyFyxQ=Cbh`j*PfvI9s(UJd;@q2^%K!dWpmwC)5(JBrMd6dG#Grgg53xG?@w7 zN*pnw8;U}!DMOXUPt-3e>&}o|xJ(@~ntWss=<5n+uGdippOUwA`7mC6j=M;Spyk06WBtCD>SIbTsU4>jY3PZ zXQ8`HQ~M){OD+S+wqy8K2WsXWvy}0rP}X~YYV2QOsAMqksbg_u2GNMv4Q{Kp){H;d zue|-3XYFKKxy&Rtnk3<61L|z#d*>+YR-G@gI+bA1v$dD+guk>L3o#M{6W&YeJ;$1u zU7wTmc_Ny|sjkwlQvx=-*G4UiZuCJ18`X{FW(Ql}2P!+xH1)f4HbPFGZRc(X!Lq;; zQ&Ymr;nkhThD>hoA*;jv&($Ay^81s6-<_VlIQaVD#ph0?`1;`W$>GtfGdw|ui@9(8 zrnXS!gH2QDIalqvmvp-MO_~Sx@COXqoXVS>$><|?^G2ug_jr`)$=r)P9LZSva!NM# zF$zl1#;2bv4vzHOkr9aqv_cre4`ld7r>vXp=MD?7YX*8S&+gqD-s9(*t?|7ro&!nb zyR%P*cU_CSTbq-|#9*bYwshMlnWP=Ex8&?C8beNkm-)slr>LyxODP}F1PnEQHmCcF zMNBR*M8_sDE|}IJnak?ent*SsuhC0oN8OSl?d5)&BAwmS;~%AeTMJ0#a##DByW7pw zo{#R+0EM@Q&>6IL{d=0r%Iz*6Wu+HW6^;-b^dwHwWUD=&9_?-8z2|3dULF3<6F5WN zJ3M~Y>w9ut&EOtAt>%+s1R6vbWc=W@Ge3`<+_x_b{vAsir4D#k)JkYg$ViUzEfK=q z6dbS6D?Mz&7{{?ArFstNiL4tu5SO)p_~~k$d*W(x5HAVrkR(;0G7K?ZkoU@O((D1F zXZDqn1e$<|))agJlaPGq%1G|KZ=>>$MmMzaru)JmyWgdPgkrCAGOR?`OV20{&W%r3 zOkfGi4_Bzd+#Eq_?P|@y1?b7FNbq_zHEC5_YPdaQc?RAqZRwmL7uVF6DxNM$U(SgB zQ~uxt=D!J;ot8zy><@kP-^r`SWnta;=wF=sU;O!>{@D_xkrh05w}W?CqjYy!7m~>- z(k#pw^t{H)EWg^!T9>&>k1~Tg%DGf%R~l+F6Qh_fS8N7gC#l=dE&&c&?F!4rjodkD3GN$|X`aCIuy0o|YBU9) zBNbb^Q@FW(&&4*FOh_qeGoJdmA=ZL!t{KF}siY1jw~Q|sT*|(Ub>W?Rz0r^GDnu=a zTjB4{m%ni>cdET@fA4(yqu#T%z4)!)6tlNRtBmd3DKZQ%zRL)JyN$u+a_(f;?sfPv zK%4!WJRL;*rq|`7md&p|#^!?soW8B-CB5wX(H*}3zm51Ghp)akJ3Tskb@0vE-s@*y z9-baNJAL!|M?-;p82{t$qel-uY2km|zx();dw<3M_yzuJ;eV(({mR|P2}x;+{-J?j zr*`~22p};+*2cGIUuu#v03FJyq@m10EEc*Ov=xuSM%Tuo+cZ^;EDp>|CL0N>nQqi9 zNmo&gcax_sKX^Xvf1MyW-$lvj?zU!nlAtyD(7VPz&%4GwjsG)TMHqnid&RT}^qa%{ zY1v51xHF&QgMaqB-~T-=<&waYg_ezzUD8=X)q8o+U^pyIE#C+(^DgT4P&Bzu)>NP_@R{qHEMx4MA5Luc!B`p?oSN?h>{z-96 z{L5tt+A@z~EyE39fRO7Tz~jEZnvGz))k~xY&2GfIbU58`Fg>u*n}g?v{jC!)avO^W zhDX!*veb^kG&*CKW5_XyQb;s?fm9Yu{cE(>1iys#;3Ng*Bl8$Q(&(qX-5C5yOY zr@O2jW!1xDz>=0fKs-WCaM!J*9&$~qYQbdqeDnB@vm_TnAb;|Gg7WK^x#kX3-zoJm zL#eu*pB=w(_Bggd6J={+FTMZt@ojv4xZn2h6@809bpFHT;f9|ip+JC>m zf3f}N#78w2p`x5;5nuHycSpx&pg!?48G#@1>Wo>e9#8Pyz0W?eYi^hPN%Y^PvI`|Q z7pU9x&G!+W#A~eV(}Rpt3kl#3BJ>Xs3vrM3^KV}4y`oh4<{S5q08Ji*BETe}CPFg# zSomsL_$ue*RWwYU9Sh!#QMtOji(F{;zxVLJ*Rx`d4~D~`W|&ybLiHXVPhQn-6jzNQ zQ{DVl9KKd&l)izW?(G3L0^}G}Jk-D<;r8YY+muVo6_EO9tYPIr5L$rQQ+ESjW3hy9LJGbmcVwdFbp{uf z>?Xw%3(sGcip_e%z)@x32ZHY_n__ID#)VuV_C*wGg8)g_V# z_HyqT)P$v?LkT+OdN~)wjgS-|16r*GiN_ADo4~7D!UtDRWCAn=WWt0nHMQG%l0k5! z8_jRrUt9Ktv#DIa=7dR)ft6Sb&vK&1D{BHCDgl2S6nm7y)C~`@5S00n(_xYVHCXHX z^{?@BCcPMddoo9wCFR~dR;mgfkiHMV@#QnpcsMoDNeS#hr_xTY3q3zcCLA7jJw$kh zqim^ve)|k_$>69iE)*9FKQj)I2*FDT5f;T*DopD+lX0BJtS(U%gdA^jW#mhSZQ@in z6{KOS!5-4<#bco2r}4(atNTo!kZ7q~8=+9v5B1t@z)4crU9wI@zdfj(E$SEj|Uo;2&vc}$QZ zhig8rmu@c9#o`Y7;_{|}GU1UIO#Z^@cV4^w$q-+mIg?e>x_ME;8O)7qg^e>bhzUf! z<#IFofV8k~9n5BTe=T~j_?E$f7s~_VU|@jiT2;D zz8(l7i0)Q>Q>FUa*a#FT@?|~QyC8iy!)mxUq3TSFCA5IQn!n>og0(ETcfp0Mjl2Eh zp*z_BxYjHX7c5Ji+GyD%C15!i0|?91lpRC_-ag4ke9+zZys;-&-2>Yn=3Y9E25CRfikk=u@*n+()EI>$pkeZUq(qDR>LrJUA5|PAe5hsid zl5|`w1bqTgkXoP(7})i~Mpnaa*>7-px@O;%iZrUhbqjQB@4Ua)iBL`TkPW;*LQAPN zG|9n*5V3d02g_fTb~1PE2=Dqs6rbfw^$9u|?G^#)%^r~;C|)?=f;s9n{JwsWX!ik- zkvJ;SFG8PI({P<&8hF9fOE2RDi;s!C@g9|Qe8%Q`>TEB7D_*}X=b=G$pe#!b;x}b+ zg-dvrQWl9KJh=kG%48-wagfbutz3$eu;7d4>gW~CaA}5tq`98gz>{e#`E-~ch;HXL zemP$}YVM9QH4eyyTaK#+QU=p)*E#%k&W>`n!#4!_RIedSE2W6idD`F$iHc_;k`_Ip z1|Toap!nvPsH=^0DJb5y)gnO|?X%nNK;!HLxkHV50mKit0Yuu2on9kTC(>*nN5A+U zvDOp2Lym%0i2Kyq&Y(;dZnLJS;amsuF_sNMWSWGRq+FV_(N%+{pW9J+dg#| zX8{Ohq__bnKT80*l)h4heWP!kB61z58sjUy;s2YNd0HU zcv&~FXIbRG{W)P4yNoZ<4Y#u9Z}L_iY`K=5zNfjcRA-a@4I5v|RjQ`9y)*2GER59N zif4)sqRFS_c>$kTq0$Fi*wDMCdy9g$VA`)*jbu= z2_J(Tjo2Pn{lddUX`7uD@~Tv#IdP)-Th}e%t5LID<+Elnu6(sC-&WGe;c*ti3*eln z)nGpNaKU%-=X{-aO$2DNesBvVw?OJ=P;t8II3yZhr807Fd8Wuu!bhpO>y{k~XNpbo zCfBc|j$W&TZbZqTT4Bksatu5mv(uCdYTxGq+87&Z8xL+2N@V)B9ehCFFwj;C*M5a%qun7wCQ82y|l2b7~YDF~? z>R!^#E-~7${f9VJN_62BSwu7K$*gSsSl(f~IrxhzwM`1y@}dt(Hv1|$}tjM$K$0N0s;v^bC!cRu+kv(afzr^Y?wW&pMR$5O_)ET>|l3QCTG zXBwlgpck<=M%>!T!%c{mB159RGjx;O-}P z+x(A@?>~I>*ZBW0@Lv@Ff9=kovky-IlJ=KjdraQoxg8n4EN6=rA`5X?L@Nk5ugh{) ziMo2}?nr?VTHRzzY1lhTVCR;M6ETiTgfgjHS-;P}5~*{5`m@E2GfwLnf{~Nr<~A+M z#hQdr8pSfay5toBZ9~05FieojnxHU5YM`M{u<~2Fp)cr1k`S7i_G*D%Av|@n(5qZ7 z*Mq8HboQxs-| zj5uv2tj39%P~|)fNSJ;yp08?qv%QB!b>8i>ahK7U#~Z&LxpkM{?Zh=!?jHMuw;=Oi z@#g^7T7!Sx-}S#4-d9|hJjsgWqQL|oO=rbL6Qe0;GV)z|R6IT~-Gky+%5r0dQX=k~ zIjG#`qEL(7wf0M-L*BYVS?-hNb(ZLaS_SY8bBYdaN|G7*VZ(B78-4Nm)&AM5qgPK~ z96kGL)E%ZR7IumDUi!n)B2;TYFS#FD?oP!y zMI10l>>O2dOTVNNr2+k6{?bVRB<;syRoa-<7bweCLLSdJCfHQkR^-XhvQ7Fd;)E9g z9BDYiH|4nq*=1Gyg(gcMX-_O`f}t$8VKoEKUij<{@!}3{RF4;?^Q2evG`# z{^oNFeT8k|d1?}2lJq2#BrdvFCFe*cYiGTnZePxsrQvQVa2Wg>KybX2L^VGJD<*ak z)8Wd)V+X}&^HgQgRP9_|FXtCMwH&p6*g$BEpT?$&xi+9aTEsV5#!Z>v#`7lFW8Tjg zo&aQE%9QNA+((vl<1bY-6tb!zYhLfeatJb}oDZ+7x77lofU*XE?Y^Es2kZ&fL!wym zv=8Ol<4IH|w?r5OnkkP{g*2^IdZWqSm{b#NbT=y*tKi1)T&(g|J%2Se2KGmRNPJ9_o}@QX7w=T2Y0IXOLZEB5)#C^EYjL|n!0wQ}`S5rmRM zX(}6cDA!+Onrt}7AoS?f`(u_LUDX|0>cLvTGxsqM$XW&K~ zsws4)x6hY4&3wKsJR=p-Q?(}ppfkTFbq)fZ#Suw?bO-&D^lX$&`F zDftD_dlY3x!0Tn9RzmK&Rv_4DQzYVJC7dyL1h}%Q2d=r1&&WV-MYw_T^adjHj2J;p zqN_&$>R-PU$OX~~^6jG3`bDsVgUT}>@d^fG!~pgB)fZ4Ll*t?_ZNuzBuP~yzPsF6| zTAVQ55W0^3!rGnkfIW}_};hc2qVXIh;o;Q^H=FO$vnIVt(O3Edv8VC%k z`{m*5|KOUe8YYiY@ZM^irhF^%4fyj>%_Ela5A9I#mso}4$er;wf?}jDoL6GM1}6?v zn863oRFerjm8-l0Y9bDS`3__BC(1F^X;R%7SZjV`Fi~ zNOpyi#ukogmYHPK1d5P~43I8`xQSd_oPd^(N>!=n^)mAa#uz08?7Y4%KsnEA$=NIL z^W{e83*QI=KN6W>BwQ(0d+u3$N`JEvMLE6Wr?W%7iF{)!?1?#5(cz(yVJAOZFw-zm^%fX|(%cx2F&Y2hPBR>8 zb}e}YSt9WMZJ30xjl~gQ)K>&seV_7m3rY2o`OLyhsLqgiS*#egTM^O89b(czY{3It6aSL-`T_4KyXBiP=qLt02E) z81LRN*CzIz=6V?r4a9ef+|k3iJA|4P%JfjGmRC@wwBF!b?37B`SBSs$wn>9o<7QZ_ zohI%&HY~=&`FFejcs0J>JuQW)d3RY(8x)d{cU|*tO$PPUFpGwZ$+Tw*5id%_#ncnq zI`A|eSAIkcyElHw;?qqeD35u0g>=5I~EpORh1(p5BLtj!h&Iwo=@MJwI`r2Bp04T9>l?`ihiGt zw_IHD{0exVPN(vlQ4?2I36O}h?wlA!_C3T(xpbRth+uDN4!cFp7tX(YYYbWAvYGe*;83{b=&1F5CG{U+`@#%-tco$tJ zUMRELt=Le{M_2=bz9_uiwRivTP-%qM0FZ*c_GPG2QSkF4dQV7`l_dcP{2qagH8&%k zc98%gt5A6%)495IdhSXBNYYH7dg#R(N{GPf;ecYgRNYbR>aWUj5mN@-9yR%X$#}im zxf|kX`Adn>WZ6jtr=#tsutG?XP#vx{2kGX`Hf>#}|4Z7DFB%dK4n_ndOjt}jM5d2= zxS#biI67EEBIPL%LduB{eEsy>AHF&{c=qP?K@WuvQ$y@fJu*wQMzh*QpMbX$Z~&pb zyS-6gUFCRF2dX`z+oOHJ#Dwudt=mnks?xMk-Fc2%SL(rV2I&#DnJ^$x;ihis^e0g| z|8uP|*|MTR)5lxAkcWvW=ffkLCf9B7uc{kNG}sLNAz-w>-J&0NVr}wMr-7(TNie%; z%Z43Arg24RXuM58m2Hca6XMDqVk0r+Loi@vA%tS0`51;r63pebLBavJe4Ay=q z4(N92<+|Zm4n6=QBquo<@_eN=Tl|sB1 zvwlTQj|5gH5oKvyDIy2AOw4T#t4gtC;Ictpp2AN{Un*H6hM~l(!cB;#@VTbnmWr)+ z`@&t7<@~nbrxVaf0a@#*78MICh0?%BhP6bc%puECCK)6%?+vqc8tRgXU?tJ=rTTKD zCs80urc=SvRc4wR8FShY_~z1B;F@Auc4GrZe(sbs#jX-O)kz2X^;ajqKRG>kxqlXA zO`Sahg39SAku-+RW$-((1%|ug9;pQ7bd5+IAzo9TMCSAjYJHbMTQX!IvV>|=-n&8J z7e#_-es-deAODDHRQO$Qm30z=|X(=OWuma3a(ts>26b)<``TT z@VfdOgCL4qNff;OquW_`piUw$VxX4{)(Zi+VzID5-$lV&t)Vv01<)(BHx>o;)a!C@ zstIC6EjPlss#^a%=~2>Krhbb~P9jePr9It2Dm97Y_7lV;H4iTr;k`{ckpj_5g{mv>L&Um zGwD;!{LL+oHD7xR-tziB6vNWb!I2+VlB`06*-GB6$u><8^Wq_rx2x`GV27$-8!i@p@w%1S0 zXMqsybPFQ#%ys*GC3*U2ny?ut-%4lSebpB= z)5nLUR!=UH=w{aUQfM+C$_bx5k8&2JeKq4+YvFTL;$wsnX`+f--FH>tr^0Qnw3=w; zQ$O5IKYDTa>do)Y+*8RNF8F6(ygA$#_U3!z@?QDqd_4GMT%Hde-k;tdeCj?Jd|DKf z>Ag?yP9J@8-i!97daP{yB~7Mux|J~YO$GCHbTF; z3qXGT6Jq3z*r{fwI_DWYBFqcH3>+ zr6f_%C+C0ksr)aV`SuUL#>fBp*U_u7P-rl)bwxD2lGW#4%O(Rtt?niMz?|1yCOs)m zGlW_fFoT)Jv~ZT@Ql-)SBbUoESOZgmVDE-~me7zy7Y-D{5IX(f9U6?F5VfNI#+zPZ zyuRc~V-KOE+`C(3=ZYy{dp6$K;gkY%nejb-y;B9$ks?z2d6$VE5ZtJ$lslC@KGC?k z3O_acuoq|0QASdi7mQTpE{!yJP50_Bl=(c%=-4Wy8+%3}E-5_B>s+O1Lt&bt1{#II z()m)h0@obwakVHHpc|DtVAIuMkqVtt5AuO9yT$%BH!-LsZsr42a@G}g!-12Q4FgCC@=A}Qnr~RS@)fcH#`zxSjVoI?yI`Dk& zG_jm4vqjL6HEkks8OPZj$}6_Fsd7qFxV%y`jIM*vN9`m*Y5))+yp@ZleEbj*U?RVn zme5N1+-&$zil|qQJY`F+T^d|WGbq(I)c#uSJ|_z6SdtV}thV6f@n<|lO0*6u@4)mO7u9t>yF94AV!p zQ(A2h$34&-%Dp_gR@eE~t$g5^KXQPnREcsJMeq!Ll|K}VbwmS7mcsF}0#KvSSS2o# zNIuy$nQ_qv3R!5iB;xc}1c+9e={?rL5HZ`5T~b~Ac9X2LV47)Q50whRD)^R+^o=oS_wCTxZe<;~pZ*y0D0N*_5OiKF?luHQO?Gx5{H9Tz9>WO>ulN7$G& zDB(FEC0jz=rUN9@2H!8V1jM?SF*t4zlSSK8tg!kPU7ht?F((#~;b^8wnr&Z>-d)uF zCu>imrat{q5+EA&L@FP4kWZpry~+73$`4E5iu}CNWKdaGUZ6flADz^ZLcixw(&BTzeJX&kn|tiTfMXSfNGM`jV$C@5+)}W=U}A%ncRLY2 zB2&KJmP^VJ%>ckd&qWX{lv$FN-`{YNrE)7jWgh2jJ$~!{UCiFvG4Gsl^#?l@Ni$Id zv{8Uu<@kC3>J!65nK+xFz7b{^A#oNE6YQ;cM%+Jl>!m074PgO+xx4A8-84{Q2U1^o zcH^p z$Ghoop4luEY;~?tN^FTYKW8Q-O`g5xt$X-CAg>ZGe+r#D-(2c#!F@vf8A#cv@b0&{ zR`%na#y9kD?$Bo0uO|G6fO!~`nigF4-^Q&lxKP8_l;#D*7p+1Z$ttLVWn`2B*>ha4J}|<5kP>(mqqWQcmLn;^tYx-a^CW9-T1Wo zJH3x9?|ZNtelvU^j(MA4x`exPd_vAoKoBdC77HNVbaJtZ6emv{g=yWS<_-E%Nww_0 zE0?uqa1oSh;(^j%_*q443 zt$?$lIT2b?nXQYJ&$qs{C~k1I+)`hpp5A^G3`~MC3RVkd5MM^=H z7w&QJE6#=XRD$EWf||F;LZ#hy;K_XuAnKR{r&Y?NR(s}lF{qj%f( z99Hyy^jqs7KLM6jM zKtT6hG1D9wticD0`yhS4uN?FKB)WKA7TVat2L?)3LCRV%rJd^hOBBE;BPHLIoj6 z*UInC*!;E6)fL02yh6$xtm{Ud-)_~brA8r~;bh)%^SZ=uiNMq~?5Z8wkva80GM)+U zOyEVk4T&-#GP~QXsnHK}Qjahz(vh0yB#n2O>s={HDZW_c@s=}QEXNNwBS{RMXq=xn z6JCblvEhT>$H*!~Iq)VXcgwxeH0#oGnJS+)+OXh8Ks5EjfG+Eu{1xhu%y^P4tXO4< zv<|~T26}r@C0GrLXVCI)%IyP92pbhey=uNBZ{R+tH1i@)Crm>nm;Pun5epv4koc}u zXqwXHw?sgjFJ>3@(jBR*2v2;Yv%~+CM~}zLMB2IXfr^wUQmoPn`DJX%Ylh!+Ln!mmOP~kdmBY6wtdoD{g{+uYG!YeZMlY*t$N(7%z#@I!0>z zaszs%&IH)p4NVvUQF}QzR9k}5AV-xF&CRorL2Al9i;LcRri>f`R;zeQ7j`)NXq@e)8@5;G4Fb2c+a)B!-9_RTf5uTiX$-SAJswP z^uf{K?wHfh{%H;Q>`vJEwL-@taNFNzT6+Krym>g)t6q1iLQHNE9go$cKADjSV zsXbqZ3|}NtC0wlDh(s~OUAKsb6r`~`CTSXCCH2$w^TXQ{g_IRXm8CCkSZ)R%R2b&p zuwd8w!Fh!@P7nwIHK{Pu7x4zab`tE8<^CsxgUCH1Cm;JsAe^lI{gRns~XJYeCSKbMxXE&V`JHEx&DvLZ}TLScs#2S?@t=#^WCrd(T z0%FQ!4&SM7pQ7t8r0bq5@eey7Q9gTdw6}loI`DT6uO>YYjH(!|**$Z=Qq3@^)@{cf z0rQRF7Lj!96TDLC=~p=tXZE#%HEBG%6U-hdTcyr>lcSeBAiv*Du0tO^`ZB^3jb zX0|o6N0MdI4DXZUcwZ&CxHPEwFwn={bqBI-H>qieh~818oY&&8zS6juW(%vULlQO> zI|i6tn{nvq*bnJfYGJBY?N&KlMSfDQI1Q|_8Rp+CtCbIp(q;{A!8CnbBl96g%Jt{y zD>3M0%AyoqkO~9BgL*E(v#`Yv9sq>RHFJ(ZV zye=7=OaY-4eeP%Be*W-l5hLE4NH$Vs_`$CZzBxfu^bO5iO=HncA!l>uggzuQp38Se z^J@MNMLu{Yg@pMP26$=&%i3lb zz+-lot#HR-P~(aG6f?(HdSpTqP74|lTfWp6F6vP)ALJ9Kad9PO*qmYdMa9W$$`o46 z{}$?g;WigGZB()cdcKMPf}+qdJyk*bLLHQbl5Za$oerL%%+-x*u^yWb6#Obid|M^xv zxXN#taS?q!q8+$jx0hr@P5-6On)L2qTYp&!<=7p+g;z&EBKVK%9otb`YrLA}gMt2b zL{;!jaFirQ#*@zOa96!ZoSc97 ze{3~>az&?l^Z|j2aITx(uF;Ej3FsKMR!W^hOm&nKVMLg`{Z}VxVXvFA7v)N7zZ*CN3BiTbci?4L zbGIP)ou%U_6WX0;#`u1RJ5HTL_@~BLc(0BHjkHby4Ke(=AP?%D{KS?}(B7U4Gjn4-GXM%)Y>jYjciup}geW7JDmr<>$Ly9RR=wCLC z>cf>p^E=1O>RmCu*)knr2%ZTs(9OYGL4!`wN1UWD;r6kzGNYtm;9xMfw>ZB}|PTkNIe-h=5xi0z)*Ush*{2@|3Tlmsqt}shS-*Z0bd7Ogf zHd$z?n-FiG6SL=_#)0}v2mv6EY5eUs zOu9=Mh-Iouw(;R{YZeGr!0cS6xO_nP+m7NXX_|Um*=eZelgi1Nb+uZAa6(hQ7==gg*ci zCtg7qW^U){6w~0l^*2_}24g*8zPj_;?j6vmu-+7)08?z%P@y17^w=Aim z-c>9%ksH+7mSk!vMd~g!k6w3i+n|MUBk7V$5=OO>Ko(*@E8;51S};7$VigmkmVz#g z+;KAPj_;~YBQySRFc`^@8u6r1g0BcO!(8=vW@JkRV1W<=)N*bs%N;m_xnUMoPm3=i zim{MY7VC|1=5Ev3Dqr>_!8YUV)V>{Xk@^&Iy$md)fJHA(((H<$ z+4Ul(2`P)~Icv%#N5}@p?Bi%^J6lB2C@e69sb_{vAu!QPNkVo%1wTl^jBu(XkND3Beq0JbmWe&L~)^J6?0I!mL29ng2j0*|4rlFdZn3}^iEl~%zGn;yEAG`@ z$N|Zg(|$uu1Rri!X&L6_@M5SFtlNF`kM|ybI=uJU{noJBJ1{B*Er`x3stSu)1JGBZ z%%W#biam@Vy73;o@BQ#5)l|x42YYb6e5C%80lyw0DDUKVL^)6hVRmWXl(_4dZiqOrSa1i0=fyCF;UrnFWl$-A}4yvi23oaoC zys_iLNasPCf>p#E(s9}Mt79<#lHRW6Yic&qMxD*dS;%}ASIeRn<%-F|!c@zJkIxk- zQOL+LD;nru7e(|7s~B!!s&lJ+$5mA~nPtFd@fZXnetA(&Zawh>F5g#@=LCNlV3Jj1 z@y<38LAPL0WzdRmDQVzX0%L_+nLYaFbakYjU1D5a_gY+)Bd6GXcSA%0qQ+Zw755m+ zfm->5PZT?2DK4vMe3JK?oX1SW*0Qww2v|-?s^ZABLSG~$coU`UdA%?p0!9x3I^@EK z$qZ>{3WFf~iZgYsFq{_(yc?M|DhYT^Xa1U|3rwj$r5yt-=jA&q=NH<6xtI=iCn#D- zX4`F;9~i`cJuh3PsiB zk%oX{SlZM)mE++%d^?_@sA$Qr$c_4?bX95PG_g8E``_&kxl2$1l=*P37vnOs>|Mc} zxOv1>D1H``n0}s|(L)ZAwyx<*P87(2n=xI5kg5n>t0ghH6QhY&ZF^iV7ejSf+MJ4> z#+@MJFHNo$$zq63z2Wzs9Tky2R?0iY{&y%VduN%>;nN+gf*Qka5OV(ON?tmhbWJ{{TCOevOIS25*tffk~ zslh2pNFfYavr+GigMS+kFbG`VoEy$+KGI3NJ5pfcw{nq32B@3WxzwtfXIipx=CLpw zZCnw9L)zB2g}ItH^-RA+&&=te08NXwqd9Lb1(4z+%m->>w6es@EChkRZ|z=OI}Kka zM?7Knv&1JYo-fz-ms(PVrLSdCy}c(o!iUXVSqtq$4!Cuan^u%c3k8`RGDiyNK-#7P$z1V6tAdijM4k(0 zX`ZH9q{pyoYKCdrS~s+OXr=Uyx0n&Mx{6spri8?*a~f?iO*Ynw$v&si8!O}l_RBDT zUd^Sb1X7>TK|wP^(3Ji+bU197O`g2bKi(hS-E7~iF3Wf$M^LC048*IAV!qCkVCgbqOK{o+7t?*>`br27VOTrKSejFr`x=T117+rnnZ} zk%0%cvEuzus{myZcCz(G=(Z`;_@<@5`f-8;oj-3YJPGHxc&?V!>bv22{eC1fXz4T~ zSePR}p_FE==>&`?3fY_x2{40I(+c%Cg@Q-S2ES$QE^32y-lROOJbn7yc=aO9naYM% z&3o+#jihm7m@3icvZZ&@h5^Y|hlKbsQu!|GjOt#pf9CE2pxeomBUv_$-izRLB2+bm zXtuM+iD;@fvQ?|Oz|dXPzHXeARx*1Yh$>mtOs1y+-(ypQLE@UFy3zGw1j#yBW4ZwW zHO#YU;8|Dp*%7s)C(sf4+2Jv~Li2JZXWaXYS#c-QaLdF`>TCKLE;tXiKiDrbKH^K* zhkh?i)sF`l0Sw!ZKRAFa^gG0q+hY76gygl%gM68Vv^bv__|=!91{|ifJ?=%nhsud- z@NC15{`f3bn{k4K=$eCC11);B1Fx|*pDChEsw zlxk5VKXT3W*}LeDf|N?VMJs_yTxuB9R03>cq{Rq{g_Y4t2|wEW&_&HoDH;-Okg!Z~ zdDb*&AY1R)3TclkaTWggpZ4?#!%JS2(&chk`vcB`HUcIv@Tt|j~(5PtblQE0@*jwp?43k z`LH4$T$JW&tpAo*D3Fa}T^d?Y_KD6;g2t^e`Mxp3ahqWFwB(mIrhey4FWzsh`2y*< zJC3-=fJp!b#cN_QAmQSQUd>DS#7Sy_eJuczT#e}wGAjHpokuw zl&crj{O!IhAka)!qJm?NfX^N&>9W=s%Z6xVTc2$>1+wo{%GB>&K-L;in)=&U%hG5U@G9?WmLl6GW8(b4JBOw(w;L1K^m z0k|$rB^kyWGQDdHiJ}ZJiD>EE+4IYrTvC7~Hg|J1b23RT+W19UPwT0kLYS;jD7H&t zHK)8DaNifpi&EWy?s7RdvZm)w1_(Ti9-}ws>-lPZyV>0@&#PiCDR$pRec1W5g~mk; z%Hf*7WBr4Dw(AzCS=|UcWoW=KDkYf|@C4sjRBtqRKT;5gh-*XGQ8&7V)tQ&#-m;2i z5*+AJur9LcY3;;$DdIA9ttC5m*rK#ZmOYZ>Ebpr6#qqyKV@!JG?W9^xCx5C57XCiP6RNe{uujNn|-g-9BqO0 zO3tDy`9u3EEJ?iPt+2jR$(0J$8D^!2^NvF^8fK3(aH4OcA7s9bgd!;R$aq(n;M5sb z>ZC8S6iL%QGcbc>jdFcr^D8za^;|;VxG9x7dB47%gMb>(YMS?cC@!%?9sS4|^jIvO zaWnq~(l{bAL}y@A@D8>#R+{((rJ&I~s|d~~`K4_`n|B~n`{)vo)V}R@?@DmoYNt3JoX?%ZR1R1(V<7pF>NO-87bFe4Ye$^D8?Ov~Ri~x!pnL0Rh0jYb zKqtC8%luBddUpb1+4)Vf)!d}rX>Ec#fQXlvvdnU4$v7w>I&i(`Se^P%ubJUbH1E~2 zqI=Si5t|IoTWM}ukJmypEcqms!KM~b3vouW?x2deKcXu%<0v#7idql1yJs`^m=a}? z7j`MR5DIdLqEuCh6 X32#GGm6t%)wCXnsSp-Hi3~+JDYsLf5knp6axPQdMIt6*@C+h<+&|Rnp3D4P zazltQ>)u&jfu}*p-$;SXG(t~56#JHMP3xL*M4i@Kfn31ecUyh_%rK{yRSLtL+9W~N z!u9Api+F$~PaT?Wsey7DR6X79T0*Bpa2zke2L0IEeTrpTIzhg=U-o5e1!aJh^v7vp z4#nH8n2GeYrPSW~$Ii55+>cjPb5)4)a_yr$LZU*Ymo8&drsk!be*$9J{-=hiyJe#Y zKx}}*a#b!e-T$N>d&1Bu<85s^+AW6p`AxhxGpyf|^6=4L@qd1a{}TKkcOhIjMPA{_Etc{cuwl=U6(zLVQ8~EB z9c+Gva&V8A=%m0$_a!TaZ->P&KRYho=g*uKUC@n_zjiv*`+RSCUN6tGj4A3K!`-`G z`uWvO{sOpj;t)l)CjB10EZb8k905+(1T5{lhU9o&`DDYN_v7e zNxk8`)G7d{kG&-nc~eV`CECM=PN*o=qb-9G1`F1-tLp86^7gCU{A}C|^W$at zuBz7!K}wzN0(7}WvAPtWye5T9iV<*3f()15LkG@WcV+zY^Yua_z5rH0slPD&%&1c`|UbYw@HUP^iO59_N1yPSCtROw_69#Ua4))Y%BLhOO&)gox0bYe$J zbS`?LsElJaOl_)cA;*(tneaMD7szZPe2SE2eW!CS*)h`Z+fZkPsE?SfPO;KgWzj5n z_(`|09`aHEBg|`!A^R#{33*&$6KPR{X5G(}mZP#7NOfhxPXiU+SO0P*gAkRU6MwT< zI+;h{uW$m~yfI;*a~1%TZ3i6I6F`0%ss5Z#W*fGn>pGI=Xg;)0SkYv*Tdk@O2Y&;< zFj}==37fiboXRfoLMiJ!EM;hYG4hE`BvJVw*e503&GRu!l~GT0LbBjYR!<;3n1I|p zYARga|7&hymu=EJEkw2+dAZ{3VjMtTH1UlQ8|M2LL63 zkZxLiQ72Mcqd{AEp>F$T?LG;xmtO7Gevw3iI4o7I^nMrRh zpUDU1MiA^kWxtxk4w~65su+6=_p973Cm9c`NaJhVZvbf!Xo1xd{PJ*4q+$_`B=^WL z-xKule%9{4V!msAt1ZOVnYGJY6LB@#wJZZlzQGM6VWF5bvS0ay4z|UM^d$2;0ywe&>M*3Yz5gy?a zZq&=F7WqkZ=p`?DWqGOY^uIDZ-!f)<&6~^hYC@U-n}PCu>C_Dp@=TIYe_90U74cW&Pd8#5;KNERY!#cRf}hNNF|J-4KP21P^tZjt60@eq1hdXw}o5}OJ_zV#;KG`|%BR1vNp+#Y&& zA}sFn5OvS0#5ds^6bY3+yV0!MmdLmzKwAuKF6fq3qiN<6cr@cdt21K?b&j2mSnze4 z2zv186R5Xdd_bqs+2M;}r1x}liv~TuES$}@5>*n&AExXA(R+@<+?9)4UoS?XKhv#7HFE-q` zs;nN{Ph=`Rn?l+_I}qA#PYy{w#ZmeHJx?C;%R zn{0Cfs447qX_XF6#+>aTN#1C=mtv$;%_cRz-Kwts@R~{rO>7r(hQmGk=kw03vsB_hYMCpN3KMK!!x-imZcy(;}9q%kD&cs ztRWE2%hk109Wk;2MmC5vY5y5UI+apTe|W@*9}}{d3D~>kYP_r3oFd4MOyOazIX!{6 zSg+iiF6S!m+QI+6k+|gF>H`sX%i*iT)7Seg+7{HjDglhKW->gYFOAfRQ8;-cT~Vc4 zc7jK0psD;YT%^n$8YYbWqE%z3`EM*){qNRu_p-_G@;4cLHM|~o@DKOKai4-Pzr(lx zp_l(BpV)_UZ~t~XZbwiQcW!N%%Uk{Y`PtD|z5F+y=XZPlSN305rnKMjpGCp|n97az zw?wFlC*-#+=Hx=H>OZc_FmRuarTp^?)WN`a{iKD@^k$CoYq;(r$n}g{)Xf>4msGn%iB|$2 zqjwbLoYXWT{31icyQ;F}qP0mLX)QVKRL)tYZX{>8(W@aTUQHD-2`1uB`)(2mJ> z9U=4s&#ye{i315@O1qU66KBL%OgE^PqTZsuZdK_0CZZ~c5}&?CCmkWJ#gN2e&~YVC zY!JFw7R}$~KxkfwGYy0RagqySs0<=_jn(uz|5eYZ)jZ80#Ic|XI2oYuUW zAlW5sECVvGYj-#A;ybr8mc*=^J!GPY!{2F#$~YMN^Mlb0+u-K6yh)nqF3~(Kekt zRMzvz$!!_XLPa2c()Li9*pG>*#5xqKNqvunBMkqQ`iT>n=4ABFa^BcibQYv^Zh4p2XfF zL~6*4L!-8sUnJI2eJw>m^VD!`QXjk%{g*cCiU9wzQI)J4Dg$@DX!f1QyN>lM_>IL$OrhMlD>;zXkQay zPe?=98S%Er@~C=g)v|G;OBfj$_4sYM8X!}2B3U5@qn+gmA{ln8QXc`_JC;XcsV_Cr zT=cXw1yN3*yvu7`t!>mw&rh_T_*x{PX{JakQUTIP?s#(FY684Z3G%F)+6&hON8Dxm+hOsd8F0)II0I3kIUwoLqZ%#=bq_ zuic}2{`XRV_GEYWu4r$|;iTNfkD%S7V7A%SZ5`gJRcG#uJu}i_X9r6(ALfX;C_6rt z5CWTQcCY-8o;=#g|2#Q(_U85B>F<9=0?6;-f4qP1-op<6ENO0Xz%5ff*g|(|R{)N*EkO!E;iXivDzB1Q%kG-KVv-v;p<(AFQz~l#pO0%-?BAHX z2g;}DR5Bi9$^;Vg_%_|C48Eg~g`r&rh9F_9QwqJ)ijR2QQD0UhlpB{n`HE>w{;fN3RbLeqsU0_wfJSd-(8Pr~c#7qsM=}|9^r1 zqWk|112wy=tHmyb$gY!(@|PyX{)Os3)lO7XY+t4H?kY}@yR0%ki&Kbs6-DA6q^ zs6-+WrJ_OYo-BbLEm7ZZKGjB1m8IZZ2+GuwcQSJ1-ZyPVo@ONr*TCz&m%Gh%u@K8` zI$JlF>XdfBBQCdO2uk|~P8_#iWa4S;Ggp#UXUmW4*C0m$h(@v7o|iUPxnkV4pZiK|gveyB=4Hh| zm;1`^ojC*fVefe8DyNT>W%eybKe%+e6*ZAJJD>D^1n5%Qh8nJRf8>Fr~NZn2iKtx(?~HJvuV z1egC}4L1#DpZgOd(+=MxxRx^iS@<%*Rw@m6DT+*y|JVQWzy5#n{c>Ivvq3!_oTwXi zXTLt_$(M<0pVdqsZv-=+zy}_{NMaq0k#r}$lbM;;^+-}#iusKsM1-Gfv|CfAl+V~F zVtuH|O!pg=c90z~0aaqy09@5{C&}9Ap_Sk;MST_zz{;x7L)EVerZ0g>^2DoQ-=^N&S&Zexes_98#A#Z&`h>;q8E1l?JzVmy4K02!i zaCdb6(h?EilvY>z1{M!WY@I`=ZpQmswutuEkVT!8qet&|_wI>rOC#`jXy`s1tmoDH z-BHLTfJEl>Ok5*iejgC5;>-G4o!23wBl4j#=|EhMVwE)RijkPKuoXCo5%*P*kOvk< z(}-C~WEaS^NH}YD566%UH!%ILBNaJIX*f${9Uh~yXIDA)%07;~XQm~OTEuv8< z*bvg&`LF-w|Mq_l6;+o`_OceiO9gDqaC2sD6;rDgMDLPL2BWKIfy10 zDDc^7TZU&LR}dWEZiterwq~Bb!Bo8J`I3%RTv|}=$Lh(jYwi>LWnEJqE=9DklbNh-JKyjDPWW|nI^t0 zy*rShxLGOLLX@xU*Spkt+4n4$@tZ4YFQliti#*Oz(G34hJIG&7k}8a=4cVfGa|4LV za=8+yO6D8^4-d$AgwuvHIZkOb`(>@aXILt#}*ADLvGLiK~ z+8dvLp$Czx$dol$ZL}6_>YUEk__{CZGV?J7LPoZp`1Mj}Z&C3483gp;%_7U5-k6J^ zA5i&Bfm4`vNw^ENs&4E3`G5U?{r~>I|JVGMyX@SUZwW_+lzul^YwXc_ZQW+4t%M1g zMCK$=R+`y}3|nMA&M$yY1NJ!tb~T+V;((_LHwAS!X`0jczwJkqjjO|&5zlu8@_u(t zl@x(vtt^xa#Q1E(44tp8RYYmRkL8#xtRx%TQ%mABZ70LUd=2J<(Xf|?CD38V69wCe zh2un6l8tchZayh)8c7`&M>Bt-^EuMT9>`-pebBEy8yui+Jwj59AcQ7W^A@4%3o8q4 zww-QMUM`k^=~i?=IxWD60W?2mh4~r}XJiA`ac+=uGa8L?_B&eB(h32XXdV9D`1QOS zRlmxQq^4Wcs7tA}@OGyf0FB;I^NWF{tfV%kkKIcTJE8~1*Fp;*B|<`9{$x_l!^Rp$ zIO4I=FF0ryn!hRck<6|{d_=c@NpwI$IpI(-d7L?zYC8)--9j^*H%yV?@oPt!dg1il ze!y{(u!y&UlUmLzJ&dp=tCg*=@=;2*ajB`w_G_Q}?p9VocD?A0?#Cxl%_Z9Nyk-8m zXlP~%)3_C$h*qz;ln`_ov5E!%kx>?R2&s4S?h1%0t7ur%UlP@0QX+HPRB9R6lCA)) zqO-ga%uyR}tDZ-j+O|8JTijwNG37cMhb|Hw$JPLJx_2+=)id`V*c7G>JUG2<{~eU z(*c&`uMG$rv(gH5x?PT)xzNxnq$qiBgcBg3q$I-fH2~r_ta!5Ag;MTDGiYvHk+6m^ zZK>+#WrQKC`*9*nL|pbGJ$P{y}-&!#rmPt&jVtFn__$*8^F`Epc z)NRZz%@FNfU0x}_&D%;i@#51?$8zMN_jE&7J>O*|jCvaxtgW>o#6#PhQj}9B)oQt>X?CQ6@V}F|zxt*_R&y%Lq!~|t?atnc*^^v(SwuNlPEtUv ztC}mB1d*;%^w7TFgkZHLMUo-<^GM-*Eh6a3EkoIO!Xw4-QWJtVjOqlQNkN1lxsPyJ z5UP<^fNTrhVrs-`=jgzxXPojlop9H#uZpf%RBp*m^WhyFHG-5rK~gm&R!ArfI<6jm(KE+0k0KV_I{t znvsW3egoMyjZ_tTQojufwSXm|!c&IY+T@g;k#mQiD($xDeyf{>xJ4paup=dtbnwP9 zpyvfdC;)aM_u(-A3M!Wri1>BWD#gx*v`cfmUM^V>c<4oqXD5MiArUdmqSHH?Vx{+X zVRbmf`C#1|!A;t)r|6AyvZ-Xz9%-B_MxYpA-R zb^nWV+G~HY#&jhXkjQvoe^;e4LHKc0%eeJMQoij`)?XmkWxfiNrEDu+%_^f~LQWyQ zAa#HY)g=b|jsQ^CvtV~&56_xW56-kJXRc$X8NUV-eWC*^)3D<%pQtb|nIk%L*NqiL z#$}J~@#&2(K5$>>V-Bs~LqeWJ@T$&&VghEj;|osEHALAHu1RhxtCO!PxJTI>fyvT(ZgG1xa-xs;XS{T_@W0_rLnx{ugJj-@H0K ze0kuLX?{NfML%x?)5{rX4SdrU;nr}6l`4g!HzoHrNb6) z@F@jj0W0tgo_yiN5B$muMw(u+BG0KC6H@SbxU387GM z{;3;831!vc5tj;SJkgxga12_M4d$5!)!-&u;rm2{Gck|=7n_7Dm1rM5>IaR}qwDvvR@RFP^3HUA4Lq(SD#nIuuXseN7jM?Z$=#zC{{4&oy?=dtYN@ zg8b0fSKf}*6DBB2ehz}{i`!L!GI~GS9sO>^aDpmLN|t08mj(pnx3*_%l_Edo63Q=T z_4zr={U{{kAX$861t+)?hKq%<(Jx79gIrn&L;u>YZ~ewwv;^m2OwG$X?}9a_J0nTl zvD*(f+R{@UDrq|!pF73s7og9t+31K9>Ed%=0ugF@+M5~|4xDYBBc5e6{ZAP%F;NY) zw1wz6_o3NJe1i!jTz!N9We(E*urxeNHat4>AZ;W39L}|#Z7?Q#OEEWXyg4hsty>qL-PND&Yz_3|Omx*1vX&e3^^FF{xwW9Y%(MW9rx5`~Z&c^q6?L_Ve zPh%?$Qs}nDIYvUo)^^+Kt_&hG4*iQSD|x^7dp+^?kZPFS?!>S2+uYvRSL+&%YhKB4 z=WcUgUxCO5C%2u2p;!CrvR2M`;aGsSJ44r!3{r7#Q@S6Wl#MqrH8(4uqQq`eArOK$ z?mw*SRgq<180k#kgw2exar0?^DBrd9Xpt>oJ|`J`#@^Dn%X65&te1jGsWsEkfZ}+w zz08TrK!!sf7+hqabD@K%m~RWF^<@g$oGw1xYdMByn?xvBjT3QWW%Ts7cI2vbCmqGA zlg!}tq^%gy&0TszUzY47o9 zG;9Uo1!>8AO1oR!I^e}S4YK7&?)kGHln?n}*M8#jD+N9|I3*j6y>XJDdWpThu~@_R znip4`dg~K>TU8;gsNM#PKy|=*Cg}RT|K5w*Hq?KeoF2aV;_REl(=X3X_Ff&H9{&Bo z>z`Bs_Tl=kd-onbe%z}6x_|dB{`Y4b=hpxJTK{GBU#A)kwaiv90=F+7Dap4>L2LVB<1PcW#l^3%zBXSht$x zXNTS-VKo*~_KshR?^iM3GNa0N#!01=j>#AXejX&==URu|U)!n) z!YHQfT`^nJ8955ik0RXbQ0i1ed9Ua0z8RgL+2BU1dGvFXo%x#+4{|D4bN$r)%bkjW zIV`Y4{su@t_DRS#VZC{vPt}`W9vkM*Bv|OQd7+#Tt-w!nKpA(xyBLpS(rDu#fm$)r z`B1Ia&kAhY7JxHz5`@T)Oiw}|sfbSs_JrBv!sR=^`8>b(5IWs?Ak~ns{5%TG4iWo% zvU^-lGxk=%|g z2h(gIfE}ouOY!J8l%J|3af^JJ?Kwekc65Atc=YPzb8(rR;eX~AXOd#@ z`MoET5>;JiWLP?LLph^M>r9wm-1mI&%u|`L-)A*!Z}+9PiEr(*?9J2ot)w@V){*Z~ zx*zFB0(s{CzAR?$*Yh*F6}=XiW!FVXbpdsImB-+%kJqiCZ%d;VhY zi<8fzpF>7u&wls2&0qLCXJn748^Ob+(XZ4j#|R30gqO+SeBJC~M(~fpJK8^k@pw3P z2mDzOA(`jsFk7*pD7Bs7L~K8jB_Ab7Sg9q#L=sI%AlF2Nv>Q*8qyTI>yu<$<&RJ#z zE0qYY+v0l?419M6SlV(arFXeMKIhe34izC{k^RN`@$9OS3^80F++}CW)esxz&PccJ z4aqU4)%);DP0t8a@ciZNCbL=ho4y~wu=S2pFWAVGz`=6mQ?r;ODA%HIA(P+@-%~0B zx*!6(-B2ti!QHx(e9YZEo5=c)dNx&=o#(4!zSi;^+$LdybmIjfpLa$j`^Xs_M+=YS zE}rylKixk$%6^s4CKJ(7t-{q z=YJ)@?7QoRIUslRUr>kT?*Zbg`7|Gp6Z`|s-v14~C-b$NTWjv|Lor)+KN;Q~-eZ!< z_7-5cSxV81{j(Q`Pl+0Hym$H~DOmtnbuqiioLUMmYU`2DKk!bptoRQCd5+z`#A-{1 z%q>43x6CzeT7XpSFj;eMh|6f>FR+L|YSQwZyYJy1_+(mq_Q|9B)3N(^&t!b%L8e%% z9q()%KQ!Tr;1(wQ!-eIxDmJ*l>Ib@2maf*ov)Ax~J6+Bw9W*yr=QRk^mLti&tUP(_ zB;V1~pT+hZf9KD;*!ay6^yEo^u zNT<^hip{Fiso;Y<4a0qXQ7EzEqFgcoZqiC4XN1R0Kqiv4)Voal3CagR(*h35!Eb*% zxHIZ`;8Y8b!uQXIs0bNtk27Hb&j$?q%yP5^(cWKjbU2)0D$lN$ZWrK`*w6pF!VK;D ze_!vtIypRebvigXIE5$pr?S6)KmYrqhi(7wy-)5vdiYoW?=SFQBcKfTOtp9CJY_UsPcee5-yciqUtqI zWiBQ`(RAPFq?gp8dXyS)vM{|UrVBmQv?`02S|Ld?6=OfONot6n3rP(pFvGTITm7>> zxjW9Tb?UzsOnk5*N{he#e*l9;WNGVF^^fckjseOOI~(xqMKM z*Pez;K02X4@z~v)^7m^|f12p8#@#mZ=QjX_l7Bu0{?2JFe>`)BiqjGNcZ`|KziIHv zKab|mUBB1%&GE8c6cI5+Dn?9}=Iw*L=4xJ`b*v#z9`QA4! z?aF4*5BlHN=P&DtK7L3RnxlErhI``F*;`ItoRnk#(QDBJHhiNW?Ty1~hEHD;Y;RAA z7j5KjTraAtYIUe}AHKQp)zkH|={z65L&p<;bh2hO#@43}-d8Kv*lOKuc)tDRrk+1D z2wH5^0|w`}e(}YuKHu==VY6?p*Nxwvh%GRF;WW984{#eD1AJ!V*RRWB^3Bp875}Y& z>#KToaJ5*q-~QZ*l@EM%*c{O3jN{(=`W47p-mvJW^Fz0W$joVd{uR@Ao(Zvn8)*A? z^8MH13v7M2w;W$q@G1EN9KY@g$u+Hyzpj?BJ=M9?`qIFyTOU6w77B3J`r^yFX^&>_ z*|9TXmaR|UG@XyWa97fz{URa7;aB?anf-9Dac!*HTdnh7@k+xGT~ zziaI+`D)9?k}tcvDtzAEQu1AAKiN-`%_JXg*-7!2$u^QNx_d}I-?UTYn{=DVXYD;A zpN0*h?}~Sad=$2Z{2lEJZTSP6;u-!uUWp8+vjRDA77rS{*8H7tiSGeH#(!`5JwNIq z|3(nJTYKxZTayhR9bOd|I=f-O(NIr7!!B%`%Nu^K8~l}1$@J1XdU-N-7u4Patavtl zU{GBx+z#?L`r*+Dc;?msD1SC9nx^~l@v^F;bAJ3L`U;0(;}_e1^V(U`D|e^53Gv_V zO{efw>*H@;7L9%v$F$oY;2@Y*(KMYW-#Gnz)%kQ^+%{oaUo)Nk@c5a(FzH1(oG;d^ z^rIs(1E!xH&@k%VK_EtBt=;_p8RzrNeLP z>&E}#Huw5!ZnyJIGpjFxaT0&}yckC(Pd+tI7*FA0a{K7S=4F4gQnZfO!etPoeaR20s!~OJA zjpsjihhpX@4l?M=qPa}}I;k$^MUeaW`0Fwp@)z~^?XkNsluuee#Im{r9{u(Fywk{uUAJXONc($OTImRee^8)`{lt)pmRi@;LrFM zCx>4gAH3Q>eDy{Avy(6W!<&OQ@oQckK1(`vdi?tEDER=@vNqFt^W(fX;j^Rp>?Zo? za307PqK{#uwf@}j<5SBig-n#)Wc$_wO~!xk(|B)^&&0+`_P=NWr)y?2Z2HQbnDypw z+(u46jxXl)#jncMwZ9DXGsx%k_vxtk(UIiAKbcXLF)huBD|$I{-9{}XZH(B>Vs~jz8DHkdt7<`0gE}%ED@(oCP`)XV zRp{5yDZ7i-r%-Z`^U$;(ia&LKvT!Q>%k9Ogp7=Y8zKL?;zD?Wee6AnJUGWOQ9h;u- zd@Uce2dVxK`SN8okDv8_CJ()+uj7YWe}3tvCTYVo2l?~lx>&S6qUf~uKtOQ-@dvTK zd3e+w!Qs({RZ2fRJd%de&md8sIyLROnyfB;r`#_gwl{r&9~>SXpR}J%K6?sj)a|8y zyrHWbzR{1moz^dso~P|6eb;Nk>D5iUKm5>ldcT~3h0lCqQr!^@DZ8wWJ9B@mnnbi_ z{xhgCy3obknKlzxCvN@QpUF0W;BCB`vF+PvvxG;ESx$@EwjerG;N)K^PkbslENj@a z$bYoNcoIa$NjaZ5`S{i0ix;2AAAI@dSQSjydXSCyi^|k2=wfaIv_F1cxqr4l{08ac zllsCwvr!t^z$Q1e;h+9^H}unW6Yc}(qTUG;J`$&I_&ajJ`ah4og&#gzmhmU%pS8c@ zUsS8pn?-4pGb{IfVeAPIQ~e(P0(iYIi)wys+U~1*&ST-X>#N#bT@Zn#S-jXik#uoC z4fdt85nXHagQFM8swICsM`}RV8`|hVQAEAvTQB?*mjGu7x?ZAcxPgYp<)hc`px0N` zcjbge8NbeRp{-0kw(a+u3mQnHzSXv?+WzJk#Vs7RbNprZ7xiNM59&pD-mmPNlc&!$ zL>(5m>3ny>Y`La&D$txA395YU1A#M7kn#_n2G)pfJM9SP>1$DgrQ1i6+1rC@Pvj`4jo_l?|-cf&w*tcMe4 zg2d}UGkl|9TJf77wh)n2I+~M?we+)lG>4Nj`qP=zCA=^GZwP^BOs=wz^zMy*g#Lb4 z&&%{V^uO~udK~CxQi66|-X$&936_o*zCxivM=j_RL2w^yjEHHU&dIdMWvc z|6yIO%lPw10IT%kFkye!<64`5lj89B-Q#d^A-!&9t}T3hT8m2iVP#;0#^5x9w!#n| zX-iw_T=4bE-?1Z|9|RG$L8|Q$eojvwDAA6knoQ5OmgJfu3WJxF<6f4hpE=ne;d<2s z%hFkC)w}ke7>FN*|Fq*f_20PpKR4@cA1bi)I`Vp|q@a9CeDkk`C;aIe1rb4ejsHG8 zK0P|||2%zR1M@zcYEhmbk6tEeS(aF0U6R1kuB*RvTH?5{C4=k!*|MC-_HDw4Y1jy# z$lgAjPc_Tn^x5$<;72uKH@+^{jWZHWD~orrTL=BK+3=1eqrSwQ9FDF>!GHu@LxuJOO>=s8prIT_Qxbe7-t|2F4;zSuiG z`e`-)@qgdL|NijN6kk>K?K%@OV=)Oo0y>kjSjrMilx63imM_o<;~TZZ?d_WYlKR~HE*b?6Gm zxWfvz-FY?thoTo3MN3JlVm1j{JIO3}Mt6pbdNu0xGfBK}{YI@N)PfESTgYm6?3M>N59wiqErgy0@e6!wqEcpQWwWDvzh>=NBAM@8s~yQCSWOc zPiO^&bRu~Zs)X+hFRtp5qFS?#nz%y3s}PO&{Ki+*1|Cu2ym6lrdyxaynqDc@oK{Q1 zIl65yUls3t=?O<@OX$miz#RuRR0D)7@>g!yr=iON9AW4I(O8u563GJCOSn01%INm! z=X5S%5HZ|brbUB(ZS*exRnBda51wg>k>|2^8zL(2VTFj_JIpY~PSl6FdpuRW7=O-; zDP?!gtqjxIc%&BL5U|dpU;QUm8v*X(Kl_R5D-l)lt=85M3UM$K6eOZ#2wR>_NVel4 z!=wb-(D$RCtx*-h${jkimp5z(@I6-ir6qaU;mJ|{_`zqn7206O&jobV&);~FrxSrc zTjTPzu=Bi}RFYNA@pm7UDadz-iy^EF{VX78yI-J%QU1l7L$*~fbuTdoObA}`13PZX zjykc8v9?D$JJf@cVvE3C^Rc@{V9W<$sJ3TTHKDNZuhz>9$p8Y+AT}1DQ(0N=JBn%o zqGXX@0GGMGx~e>J8BP>6JBkotLKXa10g{*}av;Oopj(a=*wQA#t?PlUOVq_avEL1K z8_-`jsaRnSeEh+cvykYm$Zk#7-+gy;%TQ@O%ZrG~rBnfuphHL|tsKxJW(ts1nE{}+ zycQP-(OG@*lal!n`W1VHgwQ=+B9vzWaN@e`ZXew%E#&-kIpF$nlU&!RMyxAB6=un% zlScY@YFR8UN#Pw=nkA@eK*GM5D|{gN+Z5^D&Gr%M+I2Mm6%!$)#EYyjA=+aTsqWB( zezW9^n+)I!&WJ0KWFvKJ6S;h3hxj^M0l-YQ{f-pmi{fj?ZN#3S;u>h#gF()lSFl3~ z*dv{c-=IXrwwnR%si*UGDR)!rP&Q$;mSuc0(p74M=#X=$OYXZ%a+d+q-^`ahDL24A@U^K)tc->3gSe02BGgSP(v=<$QU)_?sH z|3&&gQ-}JJF6;i+Z3Gd`U*I2gz(*06d~6vczvOR_VdRbb>Srki`=Q;-z7(840C^IZ z!6ctnISaX}@xmx@yRb2f3&6GMUb5@j&x!^@Sbm`xg4Hr#Qd}kQM@scW5dff@w3j5_ zS*|YY3nWk(Dx-3e364Hs6X1zBeEnjWeaI%C1YAcg@@J*RHjZsB{95Qqu`ICEjR z5uP~%dyB|Dujqet|93%)jnKPp`ucgK?Z#lZ%32g6LAbi^J;oei#Qpr$^Aq%dn7k1? zHO)0oNFuf!0l1YGRdK!COPtQsqP4dW7?GsXdd8Xv3;y5{tY5Eug>R??zmB|>1oCsn zqg(RT4M?sGm!Mx9bxsSK<6EM<=$S%)I9vj ze_)>6Ynn@Cxd8ym#7T;waL0#D?e^N+BEKbPV6?+i(aQ(-Mz?fpR+JhZc`4^nl;Lrw z3eQVZuAt{slbznEpO2g>dkvsh9`vab>F~`U#^!XodkT`ThlT`84OKVL0Qe2V(Q&g+ zjRpaE6}#A}!=zuroRGS6l~yFk90ea-dY=wQ0A>(?eG(pp;sJTabK!H*>)8RNu8`h3YXVB{7@29F3D}7>-CUL7FxnSo&l0l9Qn! zg8QdcCN~WXC1ZEt;Sywh>00IS-4tIR3=KF5?rN*9+|HSyP$DyW-_dTl8t(#a>v}Ru zuZI2T=y2BL>dCVGZ$!&~+_B{+_!bKKtx5ZjF;L3sU{8xPK~f zBhY_{WcXtQapu+kwhi zQaEIGc@o!olD^&b_u*%s?LNADmlRukmHXSx5eYW@RYm0^^FI?FLU}Vbl#rrG7h{x0 zxep7aE{t@v3~YCeQ4YkjCH5x=E?`H?HkCu4%G_#M6J!bMpt~sH`T)ay!|Vq^4hpi@ zcij7@oF>gDJui4Y%|4Tn-&HK3hycqAJdev>OeW|S7(z&a=b0&#n1WhMX$V4DID7Hp znl?uS7K0sQ4~CCnN)7WphU;#7hp}9%`0XHGfWGRG5q`Vc1gi2k@uzx<$-tn7i|}34 zvv=&H%Ass7WfpXv`2i4hKQ<*)Pj6Hls7p23#3C*;abhLk7#~s~um@Sp3cy->$Jmmu z4o|!sR&gSu$inaO;+^t68ETBzOD!PMZ7{P+c|pdgkRW}dF?TfCMk0a=H#xZo^1y7V z7cQLP%SkU4&B37hf|`5yTOa}(q41E0)p}tP6yYW17A|I>*}n0=Al^JFfqF5;gtDm1 zQ*zd=VJT~HJ&28z2+cMNyo?mdf}v<$*h%?rGP;eHnf`mlH0di6ZVF&Bj;%5k>DCTW zXhU$-O$APrK7OIE^^E$kSblKJk&wiJF{oDJY{_i+)qo4SP8@&1L< zn~dRx?it+DrEr_mT+r;+iAP~4i#U*FK|0~|mZN!OcbdN9-7s`BfPRj=MgR;74~yf% zx)dSmjTN1yuNJ68df6pmVKGq6x1tZnE}dp2mnt!PmqLyRt>5nU%c8kdHdt?d!FwPI z=Hq+!K7A+}=Dp9-^)>`Ry@0!fR?*Bu^i#mXCXH**-R_GKeU#qO@0B6o2X-F)lr6$0 zlwDr0ZZM3pTi}&Fhr;UY;s$zat=H&E_#%~QUA-(`@iJZ=_chw0?bjphTx}FfN=HNm z(v3_?w?&s%*e3T}gr6%qO)!n!!aRQXRq&9#5#L()u?0f9-kwuG?P{9}3m?WoMa++* zAC1=&mx+!~PCOxx3Py85!d{6X2c0qg9hcc|c&K|$xt*1e(7e`{bxpd&^};Qdn6Dau z(qLEv*9tCKaV1^X#2yC#rC!$JdjtuUTtH7aM130N0J62+N?exj3+Uy}YU+!lMNS;g z2szQ18}=l>`~Kkh-MhvLdH4PE=LgS?@iMW|KV+GkK^~~=DSr@+M|ozz+43hOJw2`S zg4eI%(K|UA;4Yq+4XQ6v{TAylCU^iAHM4t#9j&dOm!j?oy=Q8UKN#kZ?mxW$>8I|H z-~05F&+b0_^xkLp?4;`kO!O+`vtG}kSOwypunAO@EJUf-jUH|hPZI2AcQ8;gB>G;P z&yn=vbSXCifdHjSw<8Xt(csOfmlNXJAUab?&Mct^gZk_cKd79(%Pj|SS zH_60c{L;EDn?QXF4Rdk;e^Q5Qoyim4pJW~}@!5GVv{!s=JIJEw!~ShbfoO6V*&0i2 z*YhWc3L{4uhJNeD&_oTm>f$ko>&DpVZJjI#9}gvr09HV$zXO+{Ydi=fy(1&(g|T_Q zV1mLH4 z#cOi+{p08IU;AE2gk~!IBNoO=6ivG%9^8wc6NRA>!FRr_-{O|RD(u900ix83yAtFg zs*}cUf3n5{fqY&P!qtyZqefm^Sd|x?0doD(_vlp3+pCD6m3$|SC+yDe|HlXSRMOeu zzAC_+8&s;1ub$i__qd)LoRZw;oxNFjOxUnjyx{YbZ)OLY5i+!}XH^pwySR{j5`DdL zvRz$6RL@YK$Qu;%0>{@ismvpP{cg*2?5nREs=sJLnu`@Y++we^YHBrx$%osVK1ON(dO z{jCl?Y;zIB?$#4mddt}s#9*{fJwvhZsk`yZhGG;T8_mXV7uS<1!Zhg?L-igr|J**G zr~0M=LpRzu7!3wf$vSkV;Bz?FD&@Klk%8M1tWcSS06$|B^!iqSR1t&Se{J(2-Y0dy zsnhF^YiC_(I58V7-d?CvZ{)Lb!e{wlV0;muODpSYa#a{N?*!hpj0Y4x&5Md$sb~~tgx5u4aZIAI=sHjHJ>f}g?bv>&H{R(MnR+H$ zqJjP`Eu_zbdI<-`i8^&*gK6k(K=+Edqx3X3WwZf@N-8JXtv*RQ&d3=?Dsi6jIb@e> zgIu`Spf@U1#8h{`2M^XNM7t%)GJ&2S4faLq4z2`naNrho5W4jFYPl{)nom+F;4m%` z;OER&!|X%}X#G4%z`=-<8Ez6h!Y1X{i=suf=(3Ss_sK_p{k;G2}W0_BJO{$RGoyn#E`P4 z;$W*O#h;nA{hZ#lLdc%W>)_>-?ui>}za(HDxs4|^v>a`aD@}^)pdiD6>~@Y2x3uH) z^t^KulAI5QyA#SQlBWbsDvI{RNXcp6`GYJvdJ^pLM^5ABjL;^eSCTW7k3F|H3Vu~% z_My%6UBkQ^9^sZ}L<7NGW(~X7;)9^JWr?|J7haMb(KoYbeMN1-m&eQ2bY0P8mP~E; z0<;wFX27G6S`bkT;`Br8+)V)$k`lIn20LhgU>aubFlQT78⪙fYhHWZr09pz-_>L zOS~4oZ%X>DUp2lI|%<(=M3WALbf;kL*pV!@=3zeQj8r`@{QLNP4mZbA4II zB;^o^st!+zn?~F!CRSsGJZSZ)m~9fbLeM{v&#fErvS`}obYsx(n9}dcWi8Sc9-vNiwslU9~P7$~okjPJTCnzwm@UDev%S_?b}1o9?# z)=F!Pe5;w*>_P=U%)d09gA;@Sf^g6n1wp)v&`GKB@-R)3N)pd#-!h9^BjBV`%u?^> zPIS5q2&$wwInNJYogTb?wfEu-kA9vX{4VA43^U*r`b5T^wK+YA!Qx>dlz^*X>lsG*^#LKbvE;8OtpjKSKu;+~hoq4^;Hf2Q0 z{)#5qE{*6dLXik3&0tjzP%h+}5_(}KB}u9z-n(?BQPG&h$JE(9B%)H~3uLUDD1@oT z#XM_@X(=fe{>`bQqDX``H-XBxptVZWCKJgkf?nh#g51uKMJHT+7);Uyh?_;)t^pg~D!*=&w+E8TK^wSE!h zO(}Dx^R=TvaM>Hss z#>ac!SdQKC&5~|#&Bw7J&XrKTS6tew%hLL@3U|s~X1-?>dCXr$+=I4>+779xW>U<& z6E@D@RfT(_IFp&ctBP?h`%8B`(_rqXyW~y}K3wL-q&Hl$e=`4m)lQqDa+)TFlqxhb zv>my~1?oVLZw1@_7r-Q@tw0q844OuXjKtZdOSeVm7x`fv6v1 zW?M=?P$KLDg&u1stdONJbH60BtlLGfz-HwY_BHUwChKt-=PiS+8T*^LZ6^n(jHtlr z1VIBs&urypQ|v)=D$7Y{qK5zhlvz;Sv7jNGolDud8G^F2!zQS%C^*y8+8U)60STEk z6gP>%jdtG^%iU32gd=HCQa6@mf6CMUv@Fc&KF5-N(E9#Q;${Mk`;GklLNb5c3T*oC zPuZUaoB#XR&$m72zweAe{=4h?ro~J=*zp*|j17OM_vzoZk{mX_0U2Kp-EZSe`edFG z4@UbP8|G=_C?4UL$nVok#P|&%TW!-QKIRRNwIbjzGz!baXNJw6^4CdT@W;O6Z<#5) z`|9vy*R|DsOPYQ6r~FIg?dv;sD4BYjXDeCb50Av_19u;N@(JDncb26mD~EKNh!nr? zPhETe126gn3I!rJ7|a{V*=Tp}d;b2O!6fNxe=_=$014c*2k;{%?9rq9p$OwIGYY1mS^ZIm87cJ!?rp-Vj$XYtLO>I2cgvUlxl}06w)U~uFi9V)9_ITDW*%D z?Cf*4q2@f;Z`-zkq@5yZ2V3wzKDa-)--{ws&SZ9K>m-vTQ{psztyRaqyFJp~;NnM+!bB+9d!1*t=}swFYSvh0mF%lcZ>9eo`T z2qfegiYwxJCrJx_b#ju)ehDr%c^&?A&FP<71Kjg*Q5benb&h2%h`q8(P*-9Eh9?%# z*DEy`S(|$q)mYrHz`{IrNp)3hGmCS;5~~Hs%I%h5g4mtDLqE4^YHZ}^&ZBn3iRjB+5)&QsMZ!F}2t2m&Qp z5Aw>(z;mBc%@-gW16zX;UxczdyFY20(N&8jGz2wsrzh2*wVr76taK*dpzuQ6CKJE% zjYh#X{Mv7Z_OhfUe%gbqvo1Ir3y@#(x~r}fx(JE|OB|(EXecbvBLR73-bx{8O_Vwj zhjgB}Dz>E-${Y1I(_FhKySU|+oik92!2VJr_Co{h)yqoHbZ%gP-6Tf=BM&=20cTT3 z@&!_*q}{MZ`El5zJ;hNGnRmEnWj@)U+qbwQaJ#eUGJRw`!(QN< zGyi5eN_RLJ;X2;Ba0p1|cc4^P@7%AjR8NpwA5!te8C`B(s|e)A*PcU|b6;t3JKBV& zYOyBPg$IuGu!X?PDg-)LVBVsjiAe|)(b*d4(sCyWoSKEqBp^Xy+iA&5)R4l7yITZf zIGpNLWDAkEYET@U`Dl=>$R z?Yq_(hD<#2K{D&`Ncp?Bt)U+|BejrF6_2e%kA)+A%Wvb#)ifcB1JI7<0l99&DG~uD zDYQ6FI;=2|aCn4#d`n-Xg4l`1J5DynE};b;>_;k#a`dYlL>hl2RZRg`DX{s1_3I>Bd*~X0;8_X$ys=x6ptY;pda{QGS8^ zLtw1xeRnQU(#vXm*=HiqTtZKr=upX#X@aOeV^_b^pP=@P^Ea;!f43Vji$=}}Uyo5k zPfz2n{VjzWnf!%}tzrI@6+IInPt%#3|jYM z_s7Lj|9}Tw3^41cn7qe(FM*Cl z9_Xjln2V{~BdPN3d(f3HULCzWfR6Ol{y{IsNkCddf@rtQHD+dgitF^FM2SuB%LEK1 zN{!!RQgwk^8ISD*CzS#S;&}xngpG~BnzO|eTnh#|i%8~(-=ZOQS6oiE))ob4aJK6rL|^!oSimg?a-fAsaxy9aTnow>)3UhgMQ#j?RY z_QmU?H^;5#x-#SiHK}~>_>jud*8qE%ztxvW6Ye|yUV?}riT`BXEc8$$qq)h2P|qw% zb%^NW!1+a~Ur6qE%hwiqmOtQBwdD=V`n%~RlB{ROw5*=ISImSfgP3UK#kd8MQd#Yu z+ThKsEEoL@NHy=IN(*4=?&Y<@8ne$=5Y@0f=uNvK6{Q+#mSyWxKeJFe#8d4w`q@M` zn|hoip+90x%#_%pToXj{`=paYaa`&>Q{4OT3b6mwMP z5;uSwNt0OuS!ZUKBqkGCq$6ximAo&YayIv5b9y_{S)A=fkODvXR1&1( zPh=e=pPK33P6V6;%t--*^EHhgm8l8WvW%i5kKD{vbK0YwWl>Qb~Ku)Wmx zQ;dbR1u&GlIx@Jv;aad*t{E>&T2=v<^HhrD!k5H{0q|Pon;Hv`keJAtm?TfMld1fZ z9GDom*A;w{Wh-A+S=O^NJv#{&e#QtTmSj7Xm$) zh72Oi6!eB&Tu8RQ_#HOf7n+)9SatC{HJkx#-kKC?`=5PA(BwlBq<{ zN+yTLM;_SM`FyFFjp}-nIgmOqWL&EYeIijAxDn+ErhI1DKY}aUdXcOG`oKa_T?oHZ z(zTy02Snk1kVW>e+z4@jr+iP!e zT?KD$a7GL^!I?~hdOFZE6t7CArNQ+)@E=GHZ`;5-mmK>ll#rwkAmv_5V$>;KOsQ)| zx2J9Vwpg0mL!qn#1O=I#JcRz_>(3EVxL6yWEA*3ZM~mX>OuKT1hJTC&)ow$LC!9dZ zb%sLQo^jpnih*EQ#0}4_XzB^lByL^S&|rif223b4x=FxNS6T<{Y2Sw zLo4vhd{hYIdNUAUR3N>h)E*INnkl`^pRp>cSW4Xp}lht5-v;DzSrrqn_bMm3V2F=1j&x~RVV#;#ujNrybu<@P*?R^b!vlo(nf7l^#Uj0(K# z5!I3TvKCr<*W#dA-OS4N#k~SBi$I~GFzfiMXD5Gi@80h3*XPw&<&FME^l^Yw9ZpJ3 zX^l?rVzw4~u410K11dopkm%;xjF}NZrenKV?IQ;f>9;fq4lJ= z`L#vR?Yi;Oa>cz~h}FwU&-_GjN_xCJC7VN|nj7rniglU;RX>zmD+cyFoM*8MrgC$J z4EHjD#AEo|H7Ioy0q9tZc74)EW(R?0Y*!Y91RF1=R5tPrYbo{+#AMW_usOB-H+C(* z)yxpTy~W0Hvhv6p+eqS;NQ>xi+z(mU zuby57Fk=E16i<}_i_?1`tzgk;MGFzc{6<68<{kI={<7E7jk4|57y1@B!|A3`wUX5; zcpv>y;3n&7W|wL!q2g!uHU>B9C<|6is0Il1RXwTAuf0C$PE2v`WTeLay>3Gl)=oxi zX4i8?LzAj^I5o5E4NQsEdS0v)QjyKa9K0=DPLCAP>Na(h42_0*_lTg+D-I&6frgP^ ztld*HBF>U&%$yB!j}um`C1tVcLxjRKSIAiAU0P4+Ew#KgD<>E8mUk<<%CqJ-@C^LZ zl3}r|VKgeECOOKKlnlUJs4HvhpIP=?$QE&7(I?qeQ9Zt>0x(l-Yyf?TG#TjW3X$PA zk<37P)m1_3#Vz(1ssxu%1nx80m}FM62v2&Z8a6ap_^WqkP;g zC4I}1RX$mFei-jT(R++H1ysE5qqb(*ErLBbRpM53>$=|GaihK?96~<5QW~+0qRx;Z zw}LR!pp+97NxP=zv0BTZlHKtvXU=kg=@KWkY#5_rRbFs6!%a(cSAFW&+sh!Oz6@rA z{#Fy=G?N+CpLD6Gg1ee~*$tCX;&oYC2wm`lyVYh&6>FkEZrtReJ?3V;RZ$|aZ}K^y9A;+Wt4x) z;(*)#Vh*Qy=keQ3fOGAh6Wsxd_9nP7ZW>;c^SRSId#o+4=TiOWq@0sR<~63EfDg5+ z)Y79zSc5vhsD*N%J!ySSj?U9bw(`Ka4{2xoX$7|Jc=Ag7#BCo}oX>E485(?5KcP~KD1v)EDX%yeIp-!k> z9YsMdXTqy`DYa^JSze$%QK=`=Gw*&#x!~EBB5?NBehfJL zT@}DE<|{TJ93K*^;FX(w`z-X%^X|T}n%2}YX+7ZAf7p3;^y=$_*QbZCzBoHQIzv#H z(ObnYWR`utXNdz@*2-AOW33=0HrT>k6ATr|9u<-ECp=6+U+LisfPn`?~dbsCDo;_Rt_oHIC??o zh9gOAOQMU2ekH-Ec(^lSS0r^T;!9bz-CONccGyDZ+M;~&h2V6_L>E|NJHXYw`bnOsdnr1o7`j^()()_1Unn%U#f8XEp~KpN~lt!-zgA zRm^KVO;0^U%hFq1lH!(qANH}6kl*@jG7HqalMfi6>Cp!xWp2Di7B62U(YCyy{}UPUBSg@vdl-yXfxOyq=W1XlieK2Y!G3_F|-7^OvX*FI`$A}{OSjG%L(4E8r9@7m^^ENg{ri1J49A=Ici z|E*{gVaD=8%NrqC6F7XSS23MAq{KMcv1_bfdQ^zZLJVkD~nvf=?Nh#NaMphz3&RwQJ`vS!r3F?@fW*yrUsOj2N@{7Q8K_Ab0 zg`7k3Wvc;i3}h^855z{5qEJG$X4Z2pQdfiJDz-?tL3#=+2}AE?yrHPlS^wPimVU27 zU0te$M2N(Iq_5C57t#p=Ub}I`!546$yjiKsx@)4!!IekEzEQwjLs;Z_=KvJqlLcjZ z+%=MH2y?y_5?3N<02zbSMQ1n81&tO*F$B>h2VLevOKXj>YD#+78Xj?JL|`%34Urfa zZODb%NJ8%DE#A#B-xxhE%w0{cGju6&7Fo+zQ1IQ2MV=J$>cVq^X?KQLy^_Q`fxo)Z zjj}}6);Y@Snh^SCEhKigaMxb$PPyy`t6RH^~2{UM3w#=sIyp&Et75E zHZXjjcBuefH_SktN&YJUxaKh-QpnyByR4ckq8qbAOmKFDgeAS2Z_l+<&QZTBc*5~a z$pjfQqx!&OX4HO|97%>lYfNpM<3@5f!jk5jnA08`p4U>A9TZGsJ5TnbrKagE)qbOu z1tdC?Q+qfXCFBkkJ4f!OL#DPyq=9j;NC%;)G(~Z=_xuc%D5Krc$w!(eEY+ftz-nZ7LuHMj9J7 zGhg5M_v`BV47A=gcb#x>yM<(+0@f#ae?|ypK-&`L>X>wjSkEA z*#wv_^}@(saRNezQ-=CY?4JUa0lebOuBv=-Ns`naf~oYSP!xxvsK}KoZW`ph2@Z?6 zb)8bO)Lg(>F~3+lDU?NWK&HqB4zWtGK4bav$x^1IBKL)>)yMi~@ehmHb#a5l9`3D4 zyz3N<-3y?g@<#3@LS6*domXjt=TfzoAx1AH~XQNhSkx;w*|{2Kz&oAR*ApKT(4BTpIa(8q?%&Ks#!DPb|~Sc9y31) zCJUglzM4at845_2?NLoiu6cj`nU1*eJb>GRWDA;Ue}0plS943xlzUi*R3Hu>*ejxY z_i4abUR~D)=paifesA?UEK8+4=l-(m$R{L=Z4%!8@W3d{@cdXAiGoK&cK`H1bUv9a21iLJks*)PPV3^3;BsMllowWDOudF zqU&zla+SO!P&3q)9KhxR{)yEFDg&nK4p;F#m>`p{I$8mV4nL?E#OssZ7Osb+KR?y;mO)SvtJb>9(ow$I$Vw!|vl>6D0tWg)q%{6mTMnJE%1^;Ad= z7VhaX`&3s;NQ<#6)U(h@{{m=Xc6wb8(1}gV>6_svHeC&tQVGZd+VUYOHOfrro82I; z0e@G93<#PFD8|8ye73JQgrm5X;F&21r*8A?dlV4c!wLIQtGjry>#CwT#&8!YfaB`& zLxkmtl95F;zGyx^1&Kf3kJFY_aHY%v!#LK7s$OF;QH7k;V{4-AwZN|!m{?a9m zoZT!pPmK`q_kBSBv})B5mm6Q!;FYu2(tOcLy;8b^m^8(WT}DR*I@u(uNxNMMPRvw! z3y386HKR{bGb&L0;*G9k_iL(Ay}XucQv))kZQ*GEB0byR)p3rTe@AAAOcZ~wQ5d01 zdV=H{WwATlrs5-VlcMQfL<)&aPv}O(<~Q0(5BZ@Eu4uX^{U%ept;dYs!7; z)ZAIti~B~qrro)V4V~i&{iS>N(mREkosXKPpVZ5!;SaTIKh837vc9Ti{+`1xywlT9 zpB59nApA%Aw^PLTOhxwJJqx~tO|2bRoS>e&pPv|qq5GbkUeuS9oi?(dC@#gOZGkl@ z4;K%bWc*c=Q5Nc^shZKA(G)kesM(HQ-b7<(*>$mWiikVM)?7BS86D*x(I#d$DWtYG zGqxFVkVt{r+&_-{$G<=e_DVRCOT+dt>X#xjhni3lDRDX99VASYXl!Bumypybv(q;M zvm0L84{lz{?85fEyQmd91EQYy_qnlpnLD7GN=y<%Vji$Bz7`0F?L$=UIXzoV8?E7koZILYa5vuo=wcZP{^AMV4I!m|; zC2tu4QJX_=lxPr-ebZiOouO7cCQ0ONH$qRRFI^HLsN*ITHrLiI8y`cw$?AF}8V3Aq zyf@LCPcKbRiubBr@S~;5IA(hDX{Vk0t3*G~;jk2PQak>uq*;4D!c9)Y1oo^3Jaj)$ z`Y;&IzATp2J7<_*5Mx0-Ay%{$6xz%LiB#9iapU=p1YXiR$vUn@4o2SgEWFU9lavj4 zQdA8%YF|uCw5kU?Uvqe5=NfjjgafA)aw}tpITcwJBAME7UVNso%yPD2l6}n_OFWTP z$LJcH7q%@uGU72C3H>^vn%TyArEm=UAYLOn_nH5}VTxcKO`XhUi<#3kKiDKBriovi z0%m-Z)`A1@r;ps}^E!FAm+_o;z11dmzu4vScCLtMBA~NTqBtZ%8PPF0LNM!k{`)($a<*`0?5fATJ;pt zGgG=~hm2N8#o`iLvEg5O;CQJPPqN*7}TBv1uMI5aYGS6_T~Dv?s~y z!^S{#4Ouj$K`7}hnr3BW!Rz0TG6I6q5L)u8L-*n-~vKgftmjUC#t!8~e zXhEKbsl^E`iF1_NA88w^f2=LAd ztKO{FWr$O-yNSXvm8;2;IfnTgMTq#mu53|y89mRwU+FbPw=EfV1e?&)QVQ@A-ybQ= zk~RixTU{!qJiC|pXVfXEW*|vgbk3djwWqm=ZIhDQwtci#u{ersM?YxwvUiL;lL0Ly zI?YzuB*F5Hnyu2fdhM1;k`zibNobACk^a&-AmMWUz?CdJTx=|yJYGJ6$;+7yrbyh0 zF+I?QxVJV;XV#w1VVZ*U(JL^c)yN!3e|G)pq+>r0BWe>nJLVv`8MeS!XPLC6cDtFyt3LPn1$!N zVX0cZtX7haE3!BhWvbS=6;e^3oA#L!6Ga43X-rx;&}pnm%SThYg4;U3$rOFCiJohF zyE7dypC>vPXChrq1CFq7Su8o1ie`Vkiuu->AT4!K=0Z@1`{dWOj6s~O5ya+0_qG=&t{K;r@d&B$ONL+(5>N&J=7 zLmr=%-bVJY=615`^{r;~#l3_cq_;i~#TGy1$nsGm*AOtml)8l|4T6g%%w-yV0=U`# zcvYjD>px%Zy*&8Iv>*Pz@8SQr`{-V`{`2mGhkvdA{008oT>mK*c{ff4djBt2?HTui zR?@<~sA|MRDwhT`e_NTQLU~vlUXn%U;AAR`w@!=o>h-?&71ow98L*X{j1O31`o@^J zP-`QF}&Is zFyjlWG3&RxfpUzSD9gPGUIf`)Np_p828c6`=K1l_$>HzR4B|X|>#XKV4o;TKuR}%P z!Y$^|P10O!VH5@mXd=GY{p|5)pM7@kvrj(zY?nod<+R!T`rg_2vRK@es^Py`6&GiB zADlUf-gB)--XhoMZ*gShvzO{Kk)XNQORjBF+F;a3+G9L?_gs%CW-vFIA7!b+Z> z`{eRw;da^2-|PFI-tXa!9#$$k;-U`8n|%VJ3L)0OqISWx379?aQpob)kiglL-B^)& z7C@HBr6HW0%oJ74iNX>hQCl>s%rf4XuAOktNcZ3nU6e$~=o2MOV9A|Y!`1JHI&pye zBiBtr%c9MO{osR0R?J=4gRmv4i{kudC7d=hH`lAnA@Oc@-4s+zQIwh!V+BU0kQcUva6PWCbP`#UFfXGntIz1Fc#p?i zYtd}KSx6zGW@-V^CTi!MSL#OyL3bAs3xl6+rKLA=0V< zzVlFBKf~e3Dq?KOMbNeN8ZJiDG?OUu6r5C1maEJOEL&1{jsD$8^@VCx4hW+gce+VH zB@ob%lPlKho73lmPkWpD;uH&1kbIy&iCWg`)&De7nG*Hur}s)OW)1InYM`)BTMF2( zJ0-nh1Yei8XGjGcuQ%wp6m%ZS)S%^R&7@<9cbdC>wkRQ%aCa1yyI&12K?0^H#nn0E zvr`5-<`Pm_%<3C~9FSLPd4htErU{vxPelN>zWrKAArOu+g*<{XC-V)-*DE0qY1OM~ zY*MbNyaMBckmHJX!!_BgNgqlc<>uX&E=~c8ZtyedFtD_;;^G>f&n-hV-^;xWq z=qIGT<&W~>y{ZK^RzjkDojJ7RK9);1l%RzhxwVguFRNMI)B>UJ^+f6bd`nxYjBcH| z#^}`HmtBiH#Ghvg!%Dz!P* z`QsES)tZdA1JkY}3P|_Aw0nLI7D(Tgz?Kj^IOZ0Ya<0D^{UqNiu#?d?)5JL5Z)4*K z4?0#5m$8Bsi_UDr7PNY!cE4o@UXraG5`7(<=gIXiiF z_TuP^!&mfqoxR-qU2l}__=s12|IuSF^M0LMWWIdjebOMW7W>LVrvhuR5;A8Ps;)CV zcdfoT6~Efy-yaO_jq>Ov5AJP#he$ru7z>X7JX41zk$ywK+nI)CL5JsPy}DYAc1PFv zA3^d^9;B;tr@H!r2*Cza{8G1bh2U~zbKrV+|Iwq(or-Sr5Eu+S2t}uSMwO-2Wt+OJ z2f^j;u$PCg+`At4-6ZtgY(MJdpJxy5Z73lNRbGYlXF*poUQ1uO1VltS}J5%2KzAT%cZVqU*&vlgXz| z*>R<~Irv8DIU=Z;NQLzmnA?X>f-ZX&>#?TB{%R!R^mQbxIr zcT}wiYSyp94wNWuw3qo-J!0=B8SHj%5P00pKa0fEmQ3W?{Dk=sRN`nOG3utZb4odb zV_*TKP)pa(coL?bZ7f7@nAt(>=1x7VhkI$P#!NK%ES<=LMfjz{yVv!sNiS(nSOLSV z@eneLWpxFF;l+Bn(9-z$RT35f)N#@3bHK1E@_(q$qfxn2l)34ht81aTg!Zi@8X;*R zcp5yA!5`NJ>wK-`kw;5Ut{hBg_Rb3Oiu$WJFLLol>_qa(V4tuG&wS|27s-fb4}%@L zrduYb%nl$_(f8t1kteOain0?WOern3xRniTl#kSrV}x`&57}&zxs9T zW^1$xPQ*)49>81^h?M{R;mPjFWi?$5+`mM6Gl=P0;(Ns2lGFW$ca(Fd+$ zVi7LM^l|Uc|Mbrf?zMD>5)L>)3a(Qi0(0%rhwd!4#d;;+MT!hH3)qEP0Zx|zu0NkG zH!rVAauY_5ScCZT3_Z9r5xkKwa{GD8^KBU{k@W4bwYSAZGb@_QviY9=Z|uEJ{LHwxm%-H*J33-7 z+pp7<)Anr+XH6ow;&uc-QPKf++KO|~eSO|MXKBfED`&1B>90*B#N_&-ja-RLuMLvB zw?S>xYcQyf1eAzs>th{G{Q=_Oo6WM0{^G-O8-H#2S?#B^6LOpNeIX5RQoynlUGCG= z#tm)| zE|%;;o60iWS`464A|966N&U;py=9(x-wWpUcC(v!&~G>7LZV-#)vvtO3n7F?HjwU+ zVB)}bUlyK~Wi*BoGBPbLl%UWZU|kpmPq{hHTqSgfx0{fZ_{1Yp zvdnYlVQ-^N6$-}#c1Tpun}t+n68PCjs`_A2^A-8kgE16%(r@AzQ;&%I9`-hJ?>lmBz?@q@qS|NH{~MfpD+JoH~W z^{3kbbG1Z79l7SDh}j%fy+MXtz`VGrH3$}?et>T(^T;2)Hhg&?M}I+oSZ8Z|a9%uu@W)Kc z28^K2RCz$5W@bLM1oX+$HcWppKitKvJ}+hx4q*Jwzf8_8g^IY(5>_2IpARvgF(}T@ zf;gY&l5P_qh!jIcG$0SI;|cgulpWQab-p7wz_Jd&`Cxd9E0Z0GoJKfl-Wc=;2-6w`eW(#sPBGVwCxQcBOLOb3dr z>qhNG=rDo+I_b`aF$D?FdNYP+#KgDdbfw;9H?+s`5o#Bs|AaHtYO1vrNEVRR8=$;_ z=;VaBZ(&xYutm{Uh;PH7(MOcKZVu^t{Rol~18TRzgmfbW&>UZ!fhzlcd`nA_i7f)# z!|pYx*cJe5#LDKICK8iYbJ@?7Y|S&QqyWtD3(2*fB@U{ha~&IeMa-s=8q2FtSB~-r z>qrck$(kRzllKAzs3*p9X6ZyA*4+W{T<9rnR@9up*;gPJUsk00NV%}$NAr`DFZ0Fv z+;yIu?$LKWUWQSBIH$%-8l0a62m?Tk=X8!MAbJ;*2@Ik>%W#B(A;8io4+Ki;6>ysF zqw1>s&gn|LeO{YreYru7@7Qaf9lzN@IUaG$?vDltHTiT_$W^p%O7F8v zl^Dv!!}i{=a?{#L`L$wkwv-aFvWI{w;x)~(laSQdu`u#b(F$>y zeH_`7r0vYd#iChz8666`yKm9#yNGfEd+%DKyT}&+k9;KPoY-E~<9a3`Rhb`bhj#Th z_qR#Rly55KPEdbc_H9&Ov6)6oS+HUXxSo==q@{#cM73+`A4L`P%klas!wweZx4JfP zv^n8Hejk4=2w?XFpCa(UI^M`x&-g}JG&hm~;9(FoX$snK6amyVBxXO6)m3a7!f|LA z7%TNcULostU7j212cjkhx_MbI6gS?xx85S`Vx7u~tVnSmonc|4HkT`!7VO7BRi!>N z8m;4*)85E8bwPL)q?-wL-#qnBCvidpgO~3)!$u||m$=2H(0$e=LS>ZbnA;|U`~UIr zgZ$6`^v}8b$HT!r?>2Rvp@t!K6QNG=@YU(#hi5MjU*SjD8~ty;;T^a?Y%1CM9GUDqE$2WM+nU#{6f$+Sod{ei^fyIG6_F0> zK^n~(YqZ}A!!)cE^2i#u6n>_;waK6Gb*fuI6cWF2Vnjvm^bL5;wyKVS8$);`dQ?YZ z`0$YYW3%`Q+re|cqTtk*)E6K^m?e2PY3PXsvH?G?A_8B8z& z7k5Ig>Uq7WXVrIts6)t?x#zfvJadR$$Xw~-NN71Fc^32~NLDdf5Ranf^8H)MNTw=A zFmz{?OOHXVJB!XPWT-8d#Z9Qx@9wQ*=I2y1OA!-n714x)hYm7nU@VQ&F^vzCJ6*F3 zA{c1ljWdsj4^mU$Y0d}LY++!KIGw5LYf03;_l1Z@k};_lUl4u!5%JQ zG3WhIG0Z;?kjyi?Wx-xAOS&u0{bkCM;!vq<6%&TSlxBy?Q!h;WF|DG~z3?`5=LX6z zfx7AtiS-l7=HkvEryp1&;@{dJ_}fxZX*fC}F%gT2u$Ha+Ye`{3?6RCxbarc}cs7Kl z!iN=|2^)Z~xvSaV9EfI9wVIk$5Vdidg=iz%yIbh*EeU|~eJT|@n_VgA!qucrvYf+T zEgfTDB--k-Q2+-hKGlVgz4wDx0>E+rTtK708_$@J{F6T|$`Y;T2|7>!LNKcPlx`szLIBMqN(Sspp_CF4 zD&mfi;pW3^c@iLCWCO@u!Nc#*@6=At#Hl%xHC8AAxkZD9>m;$ycyZ$Pq8{qL{-+-3!5mcq4cw z9iz!o*OT0!)Jd5v?I+NTe8CTe?l&n5UjmeDG*t+juKY3N#Hh$LIL6jsqs(_AN6?c9 zX_2{f^fG96Ryf@~5nVhIOe68`dl5Ek&TPm&t**ETE1^JZ>Ty*Vr;u+mI;-lykXutz z-I_>yjo^>Ot<{!3p)GOJpKdwTe%@km*ey~*K!>DdkuY#tDcn~}>?Ihu6LC?Ige)LM zrQJ;I%J>qHg);R2g-9NsTTNBgGEar;hw%w7*@_DcPti1`ke`Q! z_?BfPUjBIpLEA9Z!^a4PqFfl}DML5!@mj$fGrgss7*qX314-@AemHyLaaB3dPnK5@ zBP5s8bz)hrMydyk9F__ppO3Eh4xJ8Bnx3`iNgTsbUs&;;-eI<)BI4OtvWcSP;5G~w z^Y)ZA4W#pOv9*|G(y)E(xkV`Z6WicA)XwgfFY=b7C(3K~HdoC(d3^XPmLxg>p7b{r zQ?cwyK}*|PT!?9OtlZ~jkVTNeg0dRFGJ-W`z@tpA{M7v81$e%!$|?3rT>Zfwjh!0F z;1KxO^N_n9AXL@k{oYyMg4dd)L(a8OLg%f!MlA(Eow#v-|HgP(jwSh59S zQQ&WUl4XC&Pjt-gzdt$6D2({TOOQY1$GU6Wg~VToi{r$b-hTqofNWY=V*@+;qJ{n` z`_mx$FZpBJ=Nli|_DlWNjmDDxIGP(L{JZ}ppZ^K=RQHJuABJz;Yod++k+0eC&_}$+ z%hR7Un$5oquQ7G-1AY2AUL!JpdkgK)f9z}gzWqs~`M$ML;ryY8Tci0ATOdjm_a$T@ z|0B(ci*47~DU8a}PaiRFY`3T7y;47amUPMfQicrDVL20{8Z1|B-8 z-HH$#QhFLIu34O69!MK~LYmw?m!;~q<`HxX<~0(yeYQMHBity@#rE_X>IUtRwZn0T zIVFY?89Na(kGGSUz#2c2$VH@QqB8(?*S?UIH)3Ik-80al+Qx{?{aB#SIrE5q^D1@9 z*KFMg&6ZeNnF+dWgJM>D;WOIhu0{Y8ivPSM;&>J(9vFNV(kFAR`HIF<#0%O=SP%&D zUglRLTxs$v(JjK7v=p9}ZiRbOBHJw|5F@x)m}TizH!xN3HkP}ee$1qIS)?Nba&pzL zJJFe8N)l<>f%#ixR;eQ+?&4PtJK8ec%E=%rG? z$uPAV*7C?@Svd2l*HWHTU$mNoZR&Zt14YU19F8WqG=`m75Tcrul<#LPGs-)Tyc;i2 zkO;Wh6nXZ^X7|Q*W|n`9uraNsfGTdE6J@_E>`)4pdpTF+S#jT`Gi1KC4q4?$l_WVh z!h$!U_Cu_`(3=ewdJ?p0XS$~Dkj!>E3h$_C+T@uL66XsbLJySbAc{l!Kqj6Ar6bsU zoXmVxhehkKM#ll1g?JIJ4t;;e5m=D-oXf*vQHc?o@62GV=6zZL~>3;Mvk!&x* z4DN4!==O)hl;TRy#5bh)5k3zl`eAU3sG*L^4vbF#@`Wi>vpPbhvQK64ZUM$VJU*I+ zBxoLH>2K8n^7IM3Jtcf%96gJ@;;#CJ_FiAv#95jCK8&9>$5n>L1c?0vE5Ys zY}739=wid8%>obZc%TL)fQ}d3`!lm7AlPFXM;<4YM4+9TNn&8K%-W_1-_hc>o|XsU zGfyJl1{Y}JjGzs8I3u9>UWHY=#lLR_wE4&*tm|NxmZl3!p!{N8HJ1j$+_a>WQmjKS zSXLMAoUKX$yD-cqbr|Xya^u8J;@Y?5Lh(9?@k`nTzinJI`>#%nmtAVqBv24vwSrYM zRi=$Ovd7m>07bvt5ezW(IV@9(c)~HvOI?AgQP!iD6H*WPXtt<{P&SHA>%=`WbZw4^ zo_yt@n=+qf5D3HzjZK7zn6wAx%F91$3zAcmB-3M`h98GHr>+s*C7b}avUroQ1-T5!zC060Y;#InZP?Grw1u55SI zbSfkA^AjKg)szA|oT*gBCmsI1zCRD?QHkgrG9P4dzu&pVnv`2TCH9b7oFE}*wIwp~ z6<-`YJ38@#FH15@)4XZ!5ck%1z%ynIax|S#@g;UiU z+5~~%1CIaGeAI&-!|Hzb#pubX*Y|)U21Ex%BrANp%vbg|ae_%w;x9>qiMPy>BHboq z2J@aIFo%tnS~W^)V?1jD)}&QJ z9B}0pAw5-gpkOGvFOl8-Hn_k2sJ#c(#BC%BaH}|DuvqH)8+3}D%zn&MsL5!eD7(Qs z<(g|kp3QE2>c0lB@Ocfjq7EjrzLWA`}r5;5^**09Xu@><^uKe*R|V84+;>x zjNJX~R=A2M#@18$okrChAGkxu&lHu607@;URpQ9yY(jqrVdVjS33 zqb{_j*yN!(Q49q+C~VI;1AKcwSE=vI%c>}lm_;UT1hUkvK+;;P6oLsLN38Z1L99Zi z*LsJa9nV#06PJuJJWokS(Q9`vFiN6+Y(($STg%DyxA2n8GzJ#U*9hgvs&CBe^LlbK zG98B<3yWl1G3^r-!KfQ1l^MyI803YvFd&_BK}Z~d5oadqv!tryCXoH?{V|bL z@QvDn2ctD?CGBb!b=9+iHGssS|0IU08j$%YPSN7BX-tExpB^&F;|%+H#BmfWl1yfE zQ(4KF+ZKptKwh@CvT8|bdJg5dr`r=v3I2h`sQ8#`tOlQe7Fz<4Pv47WH5NRAY8vKG zZ+wYkXv!1M2q0h>7rA@hK`XXAWh>h-bO|f&8v!=>8FK*MoRnh~7gSTlS^N0mIZmi% zaPyYxCn`6BPL;FER<7q5^#A_9x%<__jg^bq=?V8f`{ZulGVwgrQQO6^(4t7GJl1 zlLQN-T1`_;^?^&xXnspiibu}lc50h8;i3N{$^we$g z?euIZ*!eB<8>{0g(BOlZHO@A;=z1YCdLbgXNT1JW{JOE7L6VWam? zYW@@yALxGB!F7@=GP&)T55KM?i;*UO)Zc-n|0%3iVskpNg4uDmZ1XlKm-aUk%mee9 z8f2V<+^eVN7Mok8M=Y1u4Rg;R?`V9n88oh%kET(NS1^%ri@?yj-B?pitD?YMpm4=F zX>o;LDIA%RKdEAIjl@6}u~e%}-{^mYL;$U8_8N?+;NjNP{U?YtQoF)C6ir#?JAgm_ z{7?UU_mfXPaT>gRa@aUs^_xNP!eSHl~BXRF|Xjktxjq2=;o7)yg zIO(Em2upQ-ll=wEn#3^iD<7+Nw90~w<8Km4;YRdNVA_m8Jp?O|hrhu%qH+OWv#iTU z?8Lq#lqmQ{z=Dv+7y?Q&NPF&bKa)?R3_-}WiyP1~ud z-ev46*ydr9^MCnCezEuJiyt%1B90R|y6sSk#ExE(*((x#*iHVVJlj7QzBzsVDQ6zV zoG%di@p2|ndweoErS{-H1n<4i{*}zEoK|%d+>VOcMF;WDAWTp{^EDGIQV<~rqKfz+ zBU$JXTKXso16Xpoaw;Wiu5LbB=-uCqel@%=gW^G8a&7E0q_0;pTwkz6->-#)<4m`u zya#9jx4+cgXfat@5^stL}?rwllH5*=)@M>jXcWX zz-agPrp^-CV7#)%z<^*kSf+Oh{P2$UNY*Hm5@I!6{9?gql?u}jS)m_ZE{)EKGg8;0 zP&w@SYitZ+@}uvmshM54n+6^V2u;|Ut9sc{2ZHxi10HZ-%+_z2{_b-|=#X8XzjLPF zRSECwv|;uyK6i#n1HWrBZ~CtMs)RLOHCJsN`BLa6wS68K--B*a(v5%=EoMbR?NG## z8s<8vh)jCEtu@P1i*llsFD%vEmvxi~RMH4Ii z8lA6}QT3sviCFu)%rwd!Sj{dRXB0iVri5t?>w;^aGz9K`ch@} zBWLZTDxN7OU3Kt+D?>%r9D6oVO~ogwNvdl6YYk2vM7_pL7?uuOS+i^m>{(r&8W4GV z;_lS%k)Zvy!tT*`TGJL)RUsvSgai;6tPM4xBf5NtaMo>3*Gf6DbDLp8WmujY%i~V4 zf=e?RW;aiy>_+xPU`UVp34D@F&A-@dggp>#8)J4dL80kKY!V@6OGIP1jUi=?(8g{4 zab2UjLkp(kX$FS|5-byuk7qOz=$h4}JF1gL=l3QMXY$WoZioMomtl)Ck`7}F~pfWpYAV6!b#{eVf+Bvz22 z(mL z-R_|6y4!Jt|1+su2G?JbcPE8Nj2KN>MHdCV+&y{f7hX_7eYCHo@bFtn?;QLJ;WK_f zzk%RSeCY(O8>;*fb`mF*sd}6DQWI|`(x7Duk)igO`QyUE#I>b6i`lwqeXomJPx+h^ zQ$(BKJ-|4ztzELHy}rM8hWSBYCi=zJsh>ra)!{s1g2#*XH-!3g^IO&W&#luNO>87P zz@Kstp7m@emQ(Jdo~C^XE3eqd&yL^l)5D{@8DEx@weVXA-eBTci_Km^M7+MNXQh&d zm;ZVu(rGo(Mpf5^->lrnkU6jF{gSy1*vs<43GfU3Uk6eLY4eW?AT_-;2|zQuXvM{t zh=f55=!lADD6ojpmTnstRXZe)758uS=>eDZTyl%28$^FbfFhr#Uxcigd^5;JsH+uG z8T(U2!EL%_7xi3hN^V)F8}Bot_QUSmj&{tvB2C48cKH0HhYVCVFX3_yaVsfNQQI+s zf|Hw0_46t);Fxy!L8~sok+5t|8`7I3yZr|ZDkS5|xKw+Ry8qnAJ>yi-A2Q}FuGiT* z^bZ@f(a^Kb&`)ef{GgGC0+6tpvhh1sRU+5@UUIEOK5y}VWux8Qze5$wZ+8Dqn|J^6 z4edHn_Z!VE3avBwH!4)8<)dybp49-**69+uj&S+XQ^47*9K3f*{Ywn!i0wA5`H>{x zQ0gLMmp)JcliAQsiinq?ES%VQN-DWYl?xqW9wV^dkDUg*@#P-~dYi_K&-;mfvi))-z;JRh6u zwWhblPMs~DpAD~0jRe#~vHkpWw|!TO#sg06&PK#%dm*9#W5Cl=GBNi}5B-B2Qr4wTg(wUwRCP>$o7o37OHa zKtix3{v}RAh($FFB+G&z+?)K5i|aG@?(Hcc%)qE7UH`;Z+v?%{&mMmE_>=peJrbr{ zpDpGS+z^DmpEHJ!rBT<2h;BoVQzkmgqZT)LRJ^2qZv(%|TD2$6G!RH( zYp{F|BJCC&<`ZUVx&62l%ST+~^E#6k@i%c?tZ`>R$m%YrcVSX+f=_sWPj41m{nYMl z4;H@2mLvSN5OLwOg^Ht{41G}n#_z4^Hf>Dc) zU#j~jUBGAvEC^C#neBHFHnh)!=4l5XuVPyaD1A<#jn9 z+eQ7w@oDZ`=QCS;+atlzDoO5GcK0x_^6MJiUlY;zN4b34aZxS&htb`iIo#4ez(_N4`r{oIAsDFqur58T7MG}7NH3w5xi;oQZT*0)bxv8@aPVD+ z#$^p#ZC|PG{_!vPn&bGYyxAOG+7?$*@rj%mcQs$2rhcCJFw)1r{`mauWcp>%TzY8b z504X&% z8}t2WjbBp&lHNrYbr^efRX%eD{zs%}Z0{Iz9>%Vf@9E9<`3e_;+e`oZ{|49*QTNo% zvVAT^U?yXFNoONQ^`l3mp7D0DzTLx-8rv!`v8wdYktCJIH8>V zF=1x8M;W|r8*7`_I`;p+^fjA{`daojGT#&?HG6dLK5y8EcRzc~aNc@Vzb22xCb4LW zzq@3i@H>OznqG-Z_x0O>YiGcZhWVTMtZbT0GiCJo_AM5asKQNd&@Ir$yp{N-*9qsq z`}f5^5Q4_(PlRbs6NaQ3k=@DK{hg0mJ*gDf*FCqMzcnodQ2QtiU>}T#sT zqg%INRS9+)U318j0?YP%mAJ%#Zex$Kg3|t`~)J```NYK36v6oyb$u-b|9DOY|)7ClRL^EJ%gY5+NoUSD( zt}^kaBWSnW26Jy<(Y&N;L~EDdHASr{M_D{3q&kRFiC~#WW(i|MM1G^+cT%!8)gQJ9 z9m~+Z1gw@wV}XIlKwl2G!D}o5x6qUp1E9m)S@rSlSqaNn7BDEMTR^26Us-7VW}R+5 zw470}WR86Gnr|K(%k52O;2r`m`CT#lm~26d|HON$Rry53B`@w)5~vCHZ_PBUC3@aP5_3adtPGt2edBYk#f#cV+eMXPszxL+oWSVJ z$J6x^H<>u;1ZD^AJE^L6+mv$(ANI^&6zn$1C^k>BHu^oH-uQKltO4R_^LiuBk&?0}J&ii3Gz&3cf+>D7m5}N7+ucHp`AXQ#n)LvFp*Qufb5l zxH@4$v_ag)7GbJ_7vFxbiKdHvx3zA5jP@BP2V*e;>1vDXvjWUI(36(nlE|5w8|F*i^}4?zhGb;%bUeH)!a-U7+(x=ZY9!X1o_Y3xi_&KU4jNcL@RwA z0!-g4XbzX|k{e8+VV3jpO%OUV$HoES4i32Yw5m;sS63x+WT_lk-6n4y!7Hz(@dai% zl1LT0A({bvU)U3GtJ&<>@*K9il(y!nKs=_~7%fJVktdT8{Cocr85CS-b0o!7;j?n; zH|*w)3vmG+izaW8R9(NU<~&%t?azz%A9LU`l6y;B>e}gBxbbl26jX}wRLcX~MdDB0 z1cC!EXbqyDCC6JsA`z_S;_M3YPM{s#A1rzi?5uY6_0}>4gcquGWAv0~YRZu0#=Q4* zmcA*L^N*5CTc*j~m2NLYE2mWoE5Wa}`H{^2rmv#x19L-2JT$ot60bXk!@0x>f802- z?s9wC+3Nqq=gdUaFPV4hZ7i}+*1SSbKYn1Zu*%i&DRS{w)6lW-n?DXBGVM%Eg<#d3~5x{I|$? zfq>9lA^8HXSz;cLbqCP{RnN?b&9?Di2;o_j)UH4fkrF3n7&_w}-L<={iskrHp-=MP z4Ikb8jCl8gpd@x?^iG5Eg%43Fs=_M)gjWh?Jd3Nf5W%pj{cpnSfh~qWK@_jEUATk# zu=8?OU-uLW3GRGRMX=9>t5G(MjOj@l71wwtkedJkrjWb5e`aec4J=-cS3+>Vwx~n~ z6OqMpFcm>B_@w$q^Uh4GNqzszt781j!|i|EX3BxD^!WeJ-j~41RaJRcK(>b<3JRh^ zQGg^`+k5qDYtw-wos}$|m0h})*WHz_uIjF(JDugz;4(NO;OKmg0;7B`j032Q3o|H+ zq60s5a9;-TQwIk(J`qt|2FC9!_uhBkQk`@X!slm-U+7o$-n;9$=bm%!IsaoPXk9}) zm#-RFZy8#yO*$yjsG`@5b9wZ-Jd2?h4dv<23uP1dS0h-UvhiIjuBxkhD3NI)G_RYUxKU;!@=UP?3cimNI7{ZG zAO$M9)3;ng(maJtxwol;W6pVPh9J-@WiM=920^XER(BY#by&7pQki&X;asKu>}X!R zQ8y{C=wDbH1P1M5(1keRk1ungAVjfa5#L5fr5b0%7Tbz9?QBV3KyWeMcIs0OCoV*9 zDCGMs&Rt9fT?Qm0olDP2JAyedRX#fp*euytksTQv5=Q3eW?kXMdQ}r0KbW?vE@54Y zoY}Yl`KX=zOgMD|2A7Gt6?WxZ(ZZ$NyRxRxZK&pi@&|BJ--<|P7mkvV?=+lSLxb6* zn7e4~B3Q-eapxtr=L|ySa{$zY(>XsDm$}&#xSbx~z@j?h;F3ot=HIPK!{1!+csO-$ zm7U;}xbL3p@=9X&=F5g?)z8oDJE{)7AVGCh8f>Ar837FfwFl4n7%_xtbE!igrDmIiAxtyS#?# zU<_6^#kp}Qt`CFAxVON%kg3Yt^Jrse3RpVYQ3yax6sh!2F}Bg6rB@E{-T4b(1#}yp zeN;XL5_q@nCZE39!DqJ$^mVn!FWRe2$yWOpK#NnGZSpu2F@XaXO zJ~^Y0p7GFa2hN}1O72+!)Z{P8TODczG6l0w(H-u#Xm65`Ds97~vj*Wf=_Fov-S>nS zI1PDFXt?n&o+CpP(bSH`Dh9!+hAdI3^b!m~NlWwGaI|+^y9f@SizDt&w?cEspmHc} z*R&afQFK}w7O@u@P&rAIeej~f$XXMb6SSN;KDD#A;HdQ8S}-$-&?6beC#W+=_fcmK z;b(@ApGD`!&s@bHaXC;QN9PD1?~%Hd7Hp?+#0h+(J2k{?i*wctBAS@MS-_nh-8Vc{ z``DR}jX z$qq6d!worO@NT(7DE~#lCF-RaLLwF?Fdc!+?*w-qC2kOH`j&&l-xS6o-@at{_N7`| zzz};j4ap#TnH60cGZ^_p(U=>FIbNFZT98C~6fg3v${4^SX6Rl$SbhqtQZApAce8>Qkha1ie29&X9yQ3MKi%}_AwurdA+w-2#!A}#!fk$rt0}o~ zOzPaXqXb>e+$X3sblvEfJ0T*QAWjXG!`rHj9&2BTP{{a9jU3apP-}@tq_VQcWnyD_ z2s5MM&a&s1aJ3jmP*9j)oX`s9w`h1%E|8s`GNLyK33sU+AvOfisP(Xv3XDXrb=0+D zv?;C!1_7kQ%lH9T<*K4(0NoYa$(e4sR%v49o)ljuDyg-lMi-VsieF2b0&hXj=s^Y< zE1Sa;Ep(7|0o)jGKtv|Ntpa5NX{)4yG&)tB(01H#k|W9JP*djIEiqaf0p1Oo^q5l_h8M>Y&Pc1)8tc}E+(|WP zQnjsH=D()kLe5_7o7AWRF!Gv@nbrbP3n<2qPm~%p8F?NwnKJ{Q?`F>7`S!9Rr$*dO zl#jgD>@!6YC-o4~0zMZHat~sXiet%DDD&M>zk`e13wKv;As}|g@S_VtE41aq=UU1V z$5V*0Q>>D3XfKByGv{{I6)K9tY%t13oy-P>_~1HL$X!OuzhI-z@UT-6$r-U=be)jd zg~RP{L4$X={Vl{Wt|i!J5F`CCht1)5Fc)SH4+~!-nZ;ola=7WL7Q)Sh;7#46%fcZ9 zy-g^ZLT(KL=}X1XRl04$h$a%J7qpW;Iyzw^n@l%JNLeC#rQT@|rn=vjD8S2tMghY6 z)%GU89a%`Mqi!}gX<-eo$nYkmpw%hlO22H*9{Oy#6q~A)Vr7a=HE(4R3@qgXPS+(C zVrNv3ICjnUsLf$yz9IAVVUV&I+;Nm9QT5|iNpA?P@RI+WgdFb$v&JPM0XMnh=ebcy z8V{Rr{a;-cFd>7ID63bG31d7yrWM&Gaf?hw4AwSXP7%`pj6StJTKHgwEr0# zVcu+d+e`C4RjYR0Lm|<&xEv;#fkSQtSR~2~=+(ABETm8)u_yIWO(l&-Q!!D9Sb3{@ zn_k@^bkC1WtAHCY9xA~I;a-hn=;p%E#si;WTBP5FgQiG_>XNy^^C%@`j-NnVwlpck<$({ui@smyRb<+AXU2QdsyVAz9|4j5I4$_ zgw}6lkrFN!uNz>xYx8R*5sAq8+~5ak6_ET#!bZC}pk+!?@u(5-5b+T$=hv>XqE?r> zA#6w_HsH9SsZSZ9-GnTv046dwF{_7_VA4=eZkG;q4l3=_Q=1_is!ZrbQ74!-BQDb& zz=fV)0KO_<`*;`>JBCpxlyFX5rDIidWn+%OInr@<<38kCY>NPNjceg3+O9sUc4vJQ(Q-RLS##Yr4^65U|R72`V+pV!9TfQCH|9ujujwBaUVXAxGO<(#MfY) zXk3Ttz-g&bHt7*jrG#0CNB!smn5V}RVJ~oRw}=vaaour$fNWTJt@u@hj>ZG=p5neY zKrX= z6BYyz*S+JJ#x-AZ_`&N)OtTo~92*aK%?j_>z#GaTH1LYY%`))bIu1kg*}dc8o?W48 zg5QlKR7VK-nz-hOfNzO6_qQRP1zeYtTE_(pLY~UoSyI5@X>x=IFN-x#gI^Ir1MKEK ze=q1~1f3$1mg{aI7|m{=4kZ#Xh-~R1Ne-I+aodq@>8!`VV=op%xLumdoR0i3qBVD+K#wctM0UGq!IMH;&pfB=FjWs|yL!t)( zBs*8^Hl%tK#I4XHR1p52A~vwG6x*Vl!N{h?lWDNltNoCa?9?cELubOy#n3N=@e6mnB(G)yqh*hvlDy7B zqM){K3A;1M;+=Qxsq;sFrc_sgB6&0{kDaUb%Upg23bdF-yQ{<~ZQMNhtF)l?I6W^aV^g(~)*?LR)EcCl9~4UUD8WGB0z?mKR})8$#>vQ}iIWx+49|QNtjGGi zi0M3)d} zgKMJY#d5GGg@E*o5|b!%%)3tgGPS(Koa9rnItnN=Zc34fT0^H_KR4TVT{+}sT2q{( zM0oKUt~Mgf;L+x z{-bFQL9tjDVWR;NHVk7VRJ!rGkcJ93emB#($~LZ6?`*HsyKT17mMY>rOC0$L$5d&m zbKO$K4P)Fvhdf`vnU>=l?w81MQ8UH52|vURDU!`{nqAd|ShJCUG84n~nHcZT6ol7i zkgv_Ux+~0$w2qaxphA`NQ)i!N1dX7Z=3MqC%`zjCJJBAb4&r^gken11a^a|~48E0S zXe+Hx!0~TsyJ<*z#Vv7Z?n#~>;XwFK_@xSkK(X0PS*0=<$UL*W=G}bA+ay0@eV z8Vn3cpB@+tJ@WxBDT4qT#8k|V&WTTQi5(qIGo`p?N^BINl}Wd1ZES=C0eWi*(Qihz z%aB*4!*95b!0!G~!cAN}F3~!uYkUT-umam-&a`lxmrES0Ysa~2JbG(!0z;i2 z%qe?^XRx&4P^4|pz=)mFJ+gI4Ihd^@uoH8RQIHlfb+_SCHcB@j|7d4}2vf$GC^ zVjik(0U{lX5H^rO$$i4d8#tP;4)bd_TfMb|=Flj>DE-$XUcEyLdl?bHn8@MUz$UI4E3C=kUTgD9Nn*2xiks0qMh zVt{z#7D-Kc;#JlXJ$^nMZZ1km)NwD8rs2>ML{{yZ?!~HLT!inoj6Gb*0&HAF_xS)> z+8`{Bv4UAHVXm4f&leri-jUKOOJ-e5Q~jd>^> zP5=W(#b;<3Ha+3@fqcZP2m};BuED9P*S-9trs~uV)OB=x1*z$hQ>E^(v_|eYWTG+D zVv_5kUYioB4Fxj1CoO?uo}`=$z+5pMJ&r+pX?qJ)(#4L_PTImZP(AC(yR9X=5^i_y z=B$g4l~O~-=NMW-1nnD8ZGtMXJiz$Wnrc$wZ(ubwoO};;!dJwgFMa@i0Qs|E9&bOt%Q*VZ4F{_<@qg} zeQ_G5$xh?zGV&4CZ6mzf0fJIoD!kK3pN;c66x7AdCAfm=lJGb}P>maGF2u$++VhhPIXDoH^^D2>u zC`~E77f4eoo4CY3Gd&WF%7y?-9G{44tugj#;61QkOPrC~zKjGL3kXt4)vUT?1T(L? zxe>@y6=nkYuorqw!I7c!E*c>X$`3}N>}?(Xi|vTvCxf2e5Gn5+yi8B);T8q#kchA-|kG5wS4S zFavH52gD&mvu^a%eh@!TR!2z)OZs-vA-nDD<j~3Z$B;XnkJ0hL=am8vfrKCVxV`YKs~GgSJ|sEpuPu!@cqus@hE z{}5B8NXRC`amqy4sN;zx zkmpvi9s#(<8wQ7a2|6BAe*fCR2V71lze-KjAbHyp?23Yt3?LOZqRyJ!EU9Wf7Wr4lWsOT_v>wtql`{Bo2pZ*v-^}CLTREfwSBYkVN z+%RmoE!8JROJzsw59~mQu!D^%r(>ygKoL@K#|>wiL(<)HBu|wTzk1X9bp(2V-x@-j z5EQ8M0bIls1K`!J<6grjpWOu!G}<9RI_Q7^ibd)xEOO9 z{gTPIULo4XZfqNb!bDCTkG*!x{uiAiAI8 zte`@QXm^K!In|h$NWOPC*(>A7NyuP%1SUO)7#F)O?CH>=I;jOty^eIO4mG4P82#0g z(Uo*4K*lu#-CQ`*jUp2mMFUaM92S^a6K7x#Id zswS8V#;77rCmu{$hQ|54VBl=2)CQBRW7JLhUGJeJI}K_S6H5~7bfik87cNYHK)}DG1AUf8-_Om~bOu!8jJJqeDKZ^i^X*EZ>4yQY(Bl0#npJ-ba zHO}vmRHK~lGp_#>of%KCgx6`3bphU?0~1aRNY%;HC>0eTyrSEczKWjkm)%nhmGkb}9Wl@7#n~iNqp-{?sPK{L0F4Cr^S{)nL&fEZS#2 zlfE!DVc3BbGX2pq0XDXP^AP3?sGKQX+lB5nA*uap{afxzmckO1)jvQz?jl}nXhIxJrIX}Sk zMn-U@mU;=0+HoAK&r%pvlxgVZHcd(z6M>y>v?_(MQ4ox@p&5p2E9PxPRVP4)+d{H!Li5f+N;Ipw5@M>&}CFALDx@7N|&gQQyhr^(*cnHsxZX4 zMz=%B*VKtTg%rrf2o5e-nrtvFapsF`h8K%Tx|5aAXQSN}R5@PSMmuB!GA5IAkq$<=n3o?(uJys zr&TLck|~l7PGmW zlekf7HBlR8Ijt=N_h~h1E?=aqChBy+sxqpy8TU~hDv=Ub^7CE}FO<|rF_k0Ol$J1k zv2ukyLVG;3o(4wVh>guX7ohVal&<6wz|NCwOl!sKai=-6Sb z@0WrxQ(-7v6Ls>a#Vu4}-auJo+#QsF_H!?5aMilF!nLP4U`QMW;Ps-g(u$FRsrZG= zPSOx09P+6xE~*(ts#hJN549L-B!B|*E6Ef)@(hmG4~Fb1`=#n3p6hXVvC<5kPI7@l zwi;{!qeij9YYj$6zCp?0#V~nJq6E&c#6fRPw>blfQ*mljZjv$lO@bxGCS+ZH!y_iZ zjmbl9V`6lsOz6cq&eHu0+eAu=E?--WNn)}chVWg!G-IP}T?89fc!xudW!)L_0 zQ?ckXGkmZ^tp$->U~T*G_XIq>4gzivz`?k9MdYd0G8)URoY&f3%cHdQWQg#Y*>oN) zYHJ6hvVm{!if*FvP~_y#F5Yw1w@qRj4Y?Wk?7}oFEM0}%GHAAN)Nr80_3 z3h!Ahw4MX$*+|dIMxKGnfUw&`VU?lb=OE7+r7;ifnJj?dO|JvyiZg{$;#aK7e&(x4xqA- z{1bZ5e3kY0tJ->3MtM#`=PW!_^?>G#@~G@fWimO;fmFs>O7>ovn`7kwDif(g_F9=Y z8OnZE#_3K%sgdLH!^=|yBHsty;Iec)YF@Emzbf-Y`0ur{MN!iwePgk3A|wpfdO#{>#PZrQipWL5XfruWZxrS92LQyqLFpAl*uzR%@n&1f+jEn&UNm)XD`xVip)CeWg zA*?tVyFm{YmUMY8=DIlqeSp!wDyE=WQ!rteB=bTajW~b7?DM&GMK>Ag78`_)}`6)hySX*(y-s zuz|Odcs<*zZVW5ETXNd__B6U#(Hq-4?F3mXbF&Vs48i3&$Yrtxvs_B#i^JuFZCSZQ zxma})W}#5X6f?v5Y(BHM!aQNNSn8}}>j?>_HrVEHvErodM5SQm6LvXoCrZVFnW*G) z#o=PcDcjY`Y;6#JYE%}sXSQd%8UX~J+O2-sJNxe7`uz&+O;<7Mv6#IWvf&k|htJ8KbJ5Br z7fvl+zI=0W+l7OR?Xh##4_;yq*qbXmE?k$|w!X1?$4u5980fBFUm96jncBX6rrerd zTXxJ%TdU*ACFNFf$NKRl)y119k{epnmySWvt(rBSpVe>DrDKZfnd48 zq1_!yI-b2U!0%!lBJ<2_5j|rhXr1I{<3c^1@5K_!Wzxlrok`nv#+r>e1%1{%1y~t7 zowqXkQUEobUY?b6!Q(X2GQe(DKF8ZVKktnZo9#6j5y_(n8)PAu%jfg6ji(lKN^cd@ znY@{|igvoNm$xW372nAMLn{>0vvo(0dQu{j|1pgxOL2;9-91Gil@i|XhSXu~dzp3xna0LGs5*vogDvQ42k%mt$XVYK!`2VKuv>7q&OdjMI*pl&g*wZuF zNcvzkV75;egXf^iR~-WzuN|U9~`(iu?7T>M%ziOQufBa z=$aLSYZ6w{Of*{wLLW0gLZ~}^!h%&b%B8l`ZPkH~#G+@j$+=rbhZtq6gk9B%M+pHf zRjxNjQU*US^Hxatuhx_$V3`W-Ir?(6c6OSTCVSnfG7WOzF4YNAF4afvN*U0ZCEXgv z+RNUJms(@h=5(VkI@T(U3wnMn4awxY-9 zFMR#?n12WHp0A`dok^6P52%j4@P9L#&->=zN?UpBF#kUU9~P!}Mq`LqF@mOHV8?@e zq=X@(#7gnEB`r|#@E73NF^y%H@%N<5xKlAHx$i@v8yz|&YKN3NQtOO%%apfB6t4cZ z>0CGT$zq!=43VqY(*ryu5GlyCRyP)}Rog}Q-S0TO1bTjov*ZppW%UWlPSvY=&P_!V z)b@^Qqv~uAseF2RI#6}HIoz2pwH(!BY{#5yI!8?#@<}caABxYyvl59p zsC>~xVv%7iWYS=#?EV;PUYvkRmi0gCl&S||_3vH& zH*MR`|MOWpe|Y^Lg3tb~e4@IT`9Gabf2`XXP84G94P4y`j2D~gk6oPDvN*9+ zMMK6oAiM!@ty%a@a=H0yYXr%E~-wwT3MF2)>*M7~8k&&6aRQ(PVujW#I^AMFR3v(ao|G+0b9KUp|PmeE}Z-HYysedpCs(4~cU zUi`fC;Lb#gfQb9JLSbbK{Eolv-W~JT+V0HMo%X2XbhK(?Df&5CX@eTjtAdciFgaI@ z5Q+NPEhsgC$EjRyYPd9o4H>iDx~Zo&0mFU=rk!$CX(*dP5rm$eS-|A*kyd;SFuZ%Q_&hV~AJ&&N5zJyF2s0CaoYn$$RnyeduL5DPUn%0H)`)}4 zU5aV@YiT%WwuZS`8~o3=n&oDvtv%XklKvm(s7m?9LDT1brOi#D_r2WHpb?xTHi&F= z#32}CfCL^_h7;t^%ErWudiKp??|a3<30EZ`Z)V_jU2;H1C|W}MOfD?9+=qOPRVM3T zCl`fuq_ilhw1|mC`rhR3J^wFkJpukNRHTDh$NtFw88drW{yzktUi0r)kq@Mfz3l%v zwDtJ+e>-m;-v1B5hYTy*$LozYAI1sKhUpABG+59RG=jwDWP6F$s{JvKNkuTg{g5q~ zb)yd{l(`lvnX+=DW_l`Nue7(?qq(i=9pm{N{0!GqW??jugDW!)KgSRP7k4R!-(E^v za>`$#X=ajku@E)wWYNk^ChTN3ku2uuZzfsD7ozEenM~)4$y~Y!SH*&v%vmNp1AR4< z`GN^Q+O`STW-gJ;+EFW+Pv_|hp3LB=Bnx&SnYEyjq-7S9Su+P$g?twNZ)Y>fTsDVw z<6n5zw9HYcIh!d?rW470&Pu>Td8ouJWcV^^XKeVMDcXFQ%;#-trDbQ5nH)a_7dBrM zGth@-pXY&*lyc`ZYT4_Jp6$t z(^eh|g+`fBOD>nkpVD{<6&4E6mO>#9w=>XY(P_8~1Chzm71V8-&}IvU8paz3lFf@-qnD0I`FOs1i*BFr0(8&s9UVqie9x!IzPS2Rg!(GGYA zW*Vx#e!j)fGTJ#a`>ZJgfa^mOAJf8SfDGMFKkgB?xwM7 z3&;zufUxp70%krp1&`Rd6UT5tV6G{#}-ny4Gpny zqG2FmM(Y-|%8Ei~3OJ7z)I`@i#&h_I!r0e!VHE=lqj2yRMpiA1j93`f zGqEr%wJ=PvGR)x8D7Z@_CznR&Uap3rGf(UbK5qmp|LsHCag}DI=pzA5PZ`#n;tUX0n zKphz@JDZ0c0Ka6WazHRZDN$HVxDs&cGA6AFnB^kOmIVY3t+1#SSrh6hB-3VYGKtd) zG=(D@rP;#8m&_Gua!tCz_S5L)U`BEDXnDfu;ecjxxGrp~4!4U%_@$W5PZBBM@}aL$ zo_4u8K9*i6pj6{a#^ed`(YvLH**C^ zSH&z{WpG$`j6-#Hu89083*AjyNXyVpWHX|)I(G?v&lV?HYGJknw=Jpyui^ihEV02{PAmiv)o9a9 z(7HW=8DqAe-U}oJ{b>2)`gpl9%xRbe<+N zpJ%#)@g*jn&0+&G`6+HZZSDzgT}(9D$Oio|DU(p5X3 zRgYI{txDaARzQr;q+`*_On=PG#G`qfKNO!g4X#^pf^j;o<`Y(}9M}kdPr`r49u5CL^NBx|;Lmf~OIB?@7CyU< ztzHe^kDFL|Njnlb@$>j^-rv6R#FxO2FYYY6xU)$FKt#}nP-~2}E2RksEeSXLa^dNb z$h>1#4J_VVc*_^wcE{>_2Tyt9XLf$$eS0?E{Dtz`3tDH{U%lw0@9#SPRWCgAvm0Le z(p^X1`5)K+ZesG+N4;X*y6n`?VxtfK^zIXHe*YB@-v6?v?)%ao{`=nhe)QLcYk%>D zTiR!*e{#=R-};+9t6q|L?2ENO-gMcXe|gTkURe6#C6kx`_`#DmeDzDO{pFcI{OzYM zJpQ!zyfQHqx$XFEkq^J^)X3()i+->BRO!su?y{GE<&nbI&iLi3*X}(1SCfx_#Juvd z+y~S1?m6?x#~--%iz|-Y@y9ouzcTlUe@tKUxAlwCM}PG9|9<;NzByQ0vgq{JE%?z> z|NY|r8=iRDzGA^`uRQYV`9FQu6U*Qa_TDETBLraFPdUoc&=lVZDo1gyK+xeem2K;|> zX7;fE@1gk2(f()VT=SoqJ5amch{zw(Y>oHF=n@~8pDCoHiEJA5VQYcz$c3jd(H06P zIkXahfU@1ahMz4vT||>fEDFEdrUmj|uHd$}m{#4uOCi^QgjzzIrPh-1Qm0khJ|D!? zJX$$Wf91=BiRQv02;-o(fsnf(hFLb6W8!?UKL(UQJFnhldZWj#>AA)5>HsLI0n0=J5W1C_dBcmoJaZ!>d~^ zkGuf>%qyG}IU@YoflaGcz;m17@>ub2-im=`%OjC@T@Tlb;NJzuo_OrTD+bqZg5SOx zi9B~Y5_!?}x90NM6`Qs!fp=HJGY0*GI@fPXS&_&QsBfU&G4#5ReC^GZ@zO*ja`di9 zl|MflSI|5CAJKWFVKjXWfvqs@Z`0dN^{Ve!* z&hg)foIg6=*$(Z4XP_p|_s`-zQ;g-uJ$@{MCP=s}3|1-+K@I zyQBL3#4ydr5s}v=8y~p#%I7WoZDiiDH2&W>YXtir`IdFk3!XahsqY^%bZi-(Jx0#g z_6I9N)uA7*{NqQj-m~ZFub%noD<69FxaVH*{OUd1&xl-o)zPQpLs0g-uSPC{8CV@T z3f|lr8I8OdemnJqS4W-`nTKTzKkhtu?>%3<=bmj}ZoP5Op3=)-Kiqfk^`GmUasS8< zhh97H#NlI(K6?3Ssc*jOq3ag!S^T3r&tLKNcQ3o(-_LoZaMaO9FT4JwU)u5Q6E0Z2 zXU}nw*Jn<61Geie-`c%qi}TWBe)ZVy2OcZl_xXp8SbE$7(>9?@V0k+<99diY=7Y`|MtnBAN-;JGe5cUCo>;9ap*-)&Ace`{bTPw z$IJHKTbc9{Pvqy-}3R~d$!*4t9PFHwSRl!1vlOE@DJX4>+?!?UOw{aUG`r+ zzVwDCuKv#0Nef={*@ypl#=N`FxT)`T8$USD`D5gJm3r#vRg0dw&`d=yyX$M`{9@*p zKfT#Jr5(TQ)J^9{m#_Pe=l|@2yYD*nzcwGe<8_aI?fUl5PyDYJE?9E%V|TtY^X2co z>Fy6LdgO}R^54Dm#q%e}PP=E`PcFaW;mMbNs_*n8Uvc{STiaI;y?f`q1Lc4D^fed1 zY5Ch9GP+CcUpsGm`j$tBK7IRdVo$tq;>OBvtecj6;F@1QSh(({J8pXYm9M$#v|GqhDf7!Or?fT-*51$=<$KZRn{^*_2 zPo7`>`afT_y*BjFihnTQVLn;Df98=ZR=?!24^LH|+Vz?2#%tnt{=M-?-=2R=FMaaH zzh8Ev{oPNzee$^{roMj7S}?7ZNCiRA4|Z%)3yvHcHc{8KmagH7i?{Kh+$ zT>Ft99QE8=Po8goyY->}{l??&e$mN4Us&06{dsG@8{4w$<=1`Z!s7YYmTvgb8?Jj| z;e{`$AGQ0g({@{*?OSxgjSqbO^^-3P$313Da0Ce_N;2bkot-1xDahh;Xb{9KJ_3D@w`huW?z+P7lkAW zsN+cYu!y zy=Omm8UfZ&fM%lv+dWsY&vS)2Z$ZE_jVRWZqKe@I=2p@mJrB&6^SwRBxmmCKvBQ0r zpP`<6S%gkRql|E!ox*^`bFD;i%uk|Ip2CRuv02aHajv^`##X3hcvo5Iw31M)3y^Ef zpvVkhmqSNjk8w9TjeaES9F)6j*5Y3EDss36P1%Vw*3!;e%Gg$`w^65(xG&7(pz$U5 zj&PGE#CH3j<3NFJ(6?Q&9my z6ctefEVJn1ExS2|S(@cElO-WtCa0#Usi3UKrcs#QdZ?zcr%mVdKU;LB>7|DrT6@;M z&DrO-_xJr45arCwL8MM6*p+7cmWo=W3?VOa~v5)I`l!OXTy&50M|EibkXF zxMS`kciesIzHmRg)4A<_n9ueje6ElCd|&LR`#Rs~+x%Pc%s@db7#|b_MZwhI#^9!4 zdN4aEPbMwNGl63E)5&p5n0GFLFyV;nav!@-Ea8Ov%@Q(vmLKkO!h|Vd!dl-tkl=zm zODGH`Tf(%UBq$w7_=SOyEQG`#iC+_^5+@T!5^w)GvVTZ_2K1)~{XrV^?N0rwuf}Fc z-_3nxy~*B_wtd$7)2TMMD`xKy+vdJ?-?$#v?Y?$jxvj=*kv-C+G!<$R=w1FX^yF^ARWCc$XUMGUGhcNS7Ps1tI5!Mmoj0!WdT>BiWm&tS}G%)(pY0Cg%H3%n2F#z z$o5J|nPT!+zvvgurdo9i1ria7K+UfUM+C9&k)uh*H$2K{*^+dxLAj}`>qneDLA6<> zzG_&YY%yB878X>&ZHJN?4NT2NuB2H;vr!~d%T8K!1XG=nq+`5(jG6Zup@cQm5ZGh1XqnX%^qbPD=Ee!-s5=$Y8I+MW)+&Ud(bg-V>9TiPx+|7&CC~74UIi)C4 zBpTsb6nT`@5}I?x1is{hMo4+(Q=jtTIjFHmIj!J{Y^C{CU-An3=vtfkpK@`vN!jTF z76aLqZ74{O<%Tb}L**;vNcjn6 zR&S8ggcX#Z_Gp)uZ0aC<$%$3TC(v9RF(sZiruOUgU4tU1`qPD8wsz~S*&DE@I3<_> z+l#TRwpGHJG!YgqXMv;(BfC~2pDLNRD)#KKoepD{aPPaedDEaa4z2GQ$f7)4Rfwhw z9u4U4L(xE_UrYZ^7l^nFyZLV1Es>TT`_|0#hNz6`~c8 zIKS>Vj>*-y7OBWomqQv=zO2$9if@lX!TBe6at|R)`{3Jn z$)gFKIxHsFGhrw zER%DcFNjCen-(W~i#P3JY186VZ}FC0Jg5Z?mHvZ&Pr<)~uuH-}mIe67@(}!Eso)>W z!|;z~5&p59f`2TZhJP%Nz(1B+%Ze#ePebikECb{=4ooU>^)%ONS(8^H54Z3rEFw^h#b zV)75czxnfOHa+f4uyZF609d@e!MGL4tVbtxd4I*DnSY|9f}5b9LQceFQI=(mZ$4sq zsok!r8d^n&M+Kb~?O?`nCiWquvuIJ1v=_7-x@OVP(gESq?x3{RE-NW3ZJc>}D@~T| zd6ZLrmn|vg<}tSzZe(Oux*M6P?19MVhT4zbtjrFzfU6ulcrRmaYWBs+1aV7IHb`1n z&IE}I9CJf^a8Cl$(B{`45kc>PkEdS7{IFY?78YA%E zur2exF4Vx8ZY(5b^HZHzs0zY#wzow6W_>}`SSe?*(hDIwV&NVU#(F3$!-~8!nzsS&7PN z+1ZDSdST1zlH1s_I=AiKNA0+%X}0tzg}$cKr8aEi8iP|iQjyRym9Zl*E^~cO*~lj} zpnU5(7pTJZDdXnZ^XJit@ThdR{L7NA{a;ngK5^r!DDpoS1k*lUlE4&3nZGM&IJe}0GgOE}KiH%=#kFKaplQRgUD5pKDF7q%O% z7c>_%)d64B>u6yBF9A3VUe@c5nP~u+nMLMQ0hXA<;0kjXEHj6}irzpkya@CPkYmuR zdc(1EA&{MmnCCFM$~=RvG0&jam}k&+))@f2&N>;q!8#eltdl{)oCSbY<}he7he3-u z4AzWYKF|$g7o#_gU5wr`b}@R}*v04_V;7@$ja`i1Gj=h0A2B}DOW+4)MCSoNwD1Dp zM;vrBn#1TO9@h@%mW9mu*l?T<=M!u`+dK7BGcr3qvygXuZXwferG-rR z3fxNXysyp3(7&;e>EBw&^zX2hfFld3;4qVPG<}At_qO2?&PytUSTP9sL8D_8mx6@uh20jK( z2G$0k7EYiDztdg@2Pg!KFf+JpRAKB0jM(7N5wVdu#bu)!h_{QQfq{|5p(8mY0;D7o z2pqUvSu9ypImB66c(isf{%_sD(z}s~!DTaR3LArq3jh>)C$@OnV_+Z#Fj_HMF??b8 z!m^%$;a>tr(w{{v=l;Kduo(3i^%y=gd}iIiz`**A#R{f^^~nD>K)&DqH~+jre1=Ov zxRPNdp>Q0-M};(tZxs~1P~1XC`B@&000000pbDT0pbD{0z?9M0;~es z0}=yB1DFHu1Uv-91p)<91%w5(1?mPM22cik2G9on2N(xF2WkhF2fPRH2p$MP2y_UZ z2+#=@2|fvI37QGQ3O)*I3p5LM3%m>r3``8B4JHjr4SEfr4a^Pr4jv9h4tx%-4%QC- z4=xX253KHJvO5Xuo05o!_Y5=auP6A%+_6V?WB=jX_C9)|)XDF!LFDmW^ZD)=iZD{?EoEA%WpEOac$Efg(iEwnB?E_yD=F8VJ*FOo0F zFc2_2Fs3lnFzzuVF=8=}F~l+kGBh$)GKw;^GX66_Gki0^Gwd`dG_W-GH8eGLHN-Xo zHefc|HvBg%H)uDiH`q87I6yddIHowvIS4s8Inp{HI+!~uJ4!olJCHlPJMugvJc2x? zJls6^JsdqmJ)}LrJ>EVRK0rQbKGHt!KO{e*Ki)tfKzu-|K-fVPK{`Q%LFhsfLQ+DA zLa;*YLnuRJLySYRL=;3sM07;3MC?TnMN&n2MW#jkMkGdvMy^KIMfK{QF>9XQa)17QtnfVQ{YqJQ{YqJQ{YqJQ{Yq# zR18!&R5(;hRA^L$RIF6mRQ^>eRajMaRiahURqj>_Rx(y%R)|)%R^(R#S1?yzSD;tI zSO{2XSfE(&Sx#AQS=d@KT4Gv&TC7^uTP|BpTclgwTqsU?5;ZU}j*7V7Oq^VDMoMVJu-vVQ68NVYXrVVm4x8 zVt``iV?txLWFTa8WV&T8Wqf6*Wx!?HW)Nm9W>99-X98zDXI5u^XnJWRX-a9_YIDZZKQ3;ZR~CiZc=V`ZmMq7ZyIktZ(eVxZ|ra`aLRE)ao}{t^lXeyB^32Q@C+RAVo;xKTbVIiTFFpy3krW=Fw$lm=tVHh_P0pLjpft>-cdyrxm8DXsczYRUtb_X_ugoYSGtN*v4i2gStSW;5rDsSID zFE1sk|b*uc8+?3oLXLif1%#8H3R9g#M zi)2TVJ=z*=wSaKO$Hm3~IT7K;aHB!5(+Xiim=^xiX~R=hF{#+BHH${4(P}j3T63Mb zSWEv^!dqVc)|sm`nvG^HHac^i^eQd9hrdd5t{J|AA9Kz5&Rk(&-G2Ta_w+-D@u|ay zi3?tbmy{end>DrwE+G%&Q{>m-CFIuKf@YsXx7k)_I#w|%Yef@AD`EF?SQ1~Aq#32zOu|ljxDinlL zUCA0OaJZL<1%%-57{qb*LLOtBgnO&i>L7IxARn$!MFQ=-89SZW9K`X*+;wH-Fcat_p~RGoDs`YSVq+;G zv5wdzOJYb&NVHM!87Y{K)GR%BUg8~xx zQpEH2LNzE4RLWt5l2C8G9wEI^Z-l#bu*6$xwdNpL<94Ij%1g2i3t3P9Vje5Ixovwx z$-q5i2QQxdfg9+4E);)962r-BCUX6cKX7kyM6CUT{NoR@5*Kq;_Z0+`FF;6m74Qo~ zk)XR^Cc~te#-#c&Hs1#k%L7#b{k9Ij3H@?*8=!)nivIQ{&cnz}JhO#O*#Pc^`Lp zYUzI-Ub^_huZKPQYWciH3^$U-aLYpTkE$@Q#Jvh@&0sFmk*EMULe(G#Ai(ogSc!N} z$yXtTLMQ`V0b$?J z?ALQr+ov5ZlFZ`5sG~UfRAZI^u2il--=Yv?LJpUW(pV~BDn~F=9x+15sMm$VH9`5J z%9x4-9bm-?Rw_eI43cAIBE&0j=D~yHo!7`~D{;YETzdG)wX2^5VLn7&{g>-a^4cM> z*4^vF&*}>Q{UNNm`v1sdYf%EqcjbtfQ(&y*Jo6Sm96kGZ57OXe@D-5c0zlRIB$J`ZMYxg;~TdXDI=x<~V=r}fp zvK7^F3#g6@mu=e?+zPo|?Lf^S1y(95n+~t?8$K)y<1k$q_!c-6hf*{w8kH@zS@=g$ z4ZtsS_0VF43bcqyp{h}8fc=V^rUR+{1`3CPB0w0zOyMT)P(d&h@{SeOXsl!CA!)2& zbr26ql#)}`bQF!>DDm->p!gQ?$u>(^Tv)8h=p8Gh!B~yysudoS_=Xg~Ijm6rcYKrQ zzBSCf2DNY{QE7l>T?xL8NB;x7B#utI25G>MXqjKbX4_0B9zVymbH7T?!mKY54wHxK z+=pS(0q(H+YoZGDkD2Q5SS*NUj0Es5I9|bXifXV!q5w`zKsBk=*)2MUMM?DsC=IWk zOhkUV!kL|)3!b4?_;mA^TTYTMwm*!G&tpA~jw0`9tE;zcJMhHLZsZTH^NQgep1|#{ z7GK5f_mR3Ur_cHN>X6UA?DET(?xPa@q66p;Vp>6fZvS}m1% z>YIB0hz@ej{W>E*pE+~m-CJSpKgac?>uM9c{1agFD9RN9P$)!Zq!G1ryp{(Y11nj( z3Ad&>Di&+0iLxXm z<(jE@<>hJxwCJ<7o3GBtZH5jRST5Gq88*B>ee}N`oIGqs6@Sg6JH-|-PB2Pv#cIGk z0b%aNF~h=3;-k}Rbpl;AN+vS-5b|R)SM)HIn#H&RFCjdqB5S#}Pmu8-JJX-T@4M&L zeIT#Rbbzg(u#p53a3A4S#bBAWWtU^s?zVvfri%A=AFpm#EM@+b*%cq609(i7 zUJ@TTm?DOtS+5TlL9)$etsYykp5o~QBo#}^nFO-r5~)c5WHp=cSorf8p2IzV`yC<6 z-Gi)zaefiPJbXxkan#7>GApPS@vuSQIS;;Sq}FM5l-Fjqis%dfgZrOs0p;P={F8OX zz~y58$y-H|?h}(FznJMhv+NhwgI^30s*+=)P}3m_O0f#GJIH`a7%Ppdk;erwv0Ke? zF_9*tJ}d-lutulV2dONn%pV3HPIQW|G22YJEc-s`%q@_m#Gd4^&>2Kr1E&oPGV*Do zyxd&Txs81N{PX0??b~tm^Uvd$?c|l6_ix$0bIbkP@m2ED(@*0rA9wf|cYXS4^5VxG zaKiWBecJKLk3U}ND8&H`7b&J0K;ny zu6(sp#fx-0M4>7m)T}JCIjc=pL0*nI)0~k)K{JcgJl?g!=MoiDjMU`M@4V~mt>EP5kw(a4FNviOG?7UfF$FkV2Zdhy3_zL*iad8j4MI< zmFFFW>=M-IiV~MP*{)00B{2_Q_SY;9r8VE{?wazQN@T*4*w}L%m`RTCNja6AJxhvD ztuL$Ej$@vCa#gp}HSUO1{7jcITefp!Y-Di9VfXJ4o*_RS=lKK?NU5N~Ak1H0V@9&^4;yqZg3-#?~|P&b{li4=v|Ce z8JH!~48Y&SxENqb6!oqgW^Z6D`7c^&_MIMA*+%^rEfWK+vb?Tt&f&?=lK(vNFphY3 z(eA6yZ%tgV4kOAaBX>&F9Px zMbKzeA?F6DgT<9X#KD2xld~S+!bgM{4LZ0sNSmYt^MT~>j5#$lItDKb-tnVuEn9l) zAR*)|*LL=d?D72w!JJsT;PSe)7pD;gSgRgW%3b4Kq#M(vivfox0EbXuLyoH@HHOS5 zg-9Kc5m6=bp%DgFBP=Qmlrmfn0Y#D&u}gSZnWc2<@+4Fs!r^mnR9D}4>LYRyXM8kZ zVs`e#0Uv!N9GLOu@?~#LCtrfkdDA_nby@2+2m}?x|1XouQVy`ibiT)ko0?wv~0!fC9{4!L;jhU^Bnnd2VJdH)z_7Rn%}W= z%a-l^XTF%^e}YbtB~ErhZ4U6g6RBDO zk;05U*^F08yPVUo3cr(Da^v4HRY?b~FIm38ee>Fs8Plg;3k%~y-M@;pm1ovJdZzV1 zri`kXLhW@I@Q)4vf6`d)0z5$u3)L*gBF^{lg()|_3=qlSdt3Br7QLj|z(dN(%X3l; z%#0@ruz)6c?kqO1{{(aAz-KQlTJ!t%9XFPfb2F#*sC2I0^xIEMe%kd2`Q;#PvuVYI zNoljDa~o#X&YgR_a_XB)hfhlBnclfHz3}teh0m3b|76F4dk1&R=|+7xG^GA}F%e=4 zJ6c*;Yl2m-wcCt(f#cN}b1KlyJgAz6-+`yot3W zZV7OKAS6jwc{RLMZ?{?Pj1Mxwj{FGEB;@8|DL{c4(jjxUV8X(Hx0Zgf?&Zycr;M4r zVCCB7SXofruWAwqG9Zj=ar!Ru5}*6Y(e>vm+J2ome)!^v&x^Q4YSyw%bzS(An8V`2 z1#-SA8D!=n%R|SwBB^9}Vl=j*KtjTqpUGBnuGuVHBwffkQpo*?UlI=A?hEmm)lW6tHTTdCOXn&h&9GixE}vSf*aBZ?lJTtz|C_x{r#6FXj-iXgEhmN-ojz9 z7|ad|*6X_j#vvr4#{RY_-zJ zLTpP^UssY~JPdch9cWkyKKfaqfWk|JSl}wtIS}iHY6PC@L{R_>0csh0gWWI`X3<*A zEYb(4JWnC(^-iZ=ueeH1zdrMe&yTDor*NwiU+o+H^-FXN{%~DiaNL9W8}u(7O9!|s zSX`axiVISKUIF}j(U8a+1?zM=SzxjEe|`(DBBl6g@&Ne-{yYHhN+IY_f~m=HTkxMm z#a-nt5-pQs04Dsw)gGG_YfV28F&04<cLm-YRUS%rrKll#q9f3qAFynErTP_6~SdDKLvKhw?O6Pj{rEQ?YDWr5Lp0DH?dK z!bNxi>4X1GR&%}GM}X6(xeo4ub#7+UVGN-j#-P44#P&vzFd!Rqz33_i5%u3Ikd0Mz zbhIVfoMG15^)z2%i!d3@U@~%ZB)gu?lJQ_Ij7U<7GzdPaKw$nMl1Q0=&*G)-FS!D)+Pwrgumt|ibejS8K(ILumdCo=9KXY= zcbF-&ZOGg(#h<}3Tj|a5i=pIga^nQ~bmtyydHyKoHieP1!EI-ijoe(+ds9`-ig4We zI{C8}_q>vE8TWjq`ae5LrnjB)-sY?=m!{M#@XU`G#d5b%cgkx=81&la^V)J^J1>`y z#XXN4A;&%-udKuc>+!=wPi>xe-{#Xp#oFh|$=6d~Cnui+_H?LuV`g39>^Ev8Irs3$ zPIG;Upxx|$BiE;Q&^?hRxjt|%&M{)OyIUnI(NALUO{wep(cz=D~s&{8vB7gYG{R;4m;=2g& z)q-!>T+HuqG#B&R8e&D`{zd!A#Zxbniw6(j^p{WJ%md_H@s0@-whtUcUkBko$dOa0 zaGy6)-oSlMog&Y^k#gvR>go?_(w2U>aN&nb(-=-X!^wyocjK=DdUy0!Wz2FsxQdIG z&iU>v`Mhw@DRS|^ew=>lG|o6s7d&YD#EBHmi4(UCrF#h%T{69oi(Yz( z)V^<8|H-_0pRAAC@bTQaA8&}FGS>lYoLcA$Ya$KJcWG=`sZg*$Pm0$Zpc^?};Hv3% zqmrXZaLJ#_DpX)pF+A98W}yQ>$SokE6Gn5K`b>e=ql zv^1@wVCJALrB5DjS2(a^+mYLc4}NMsX;aX;#nE9soi1u882t)F?L-G^C%RId3w8qR z1$xA#u>(Jpe*DO8LZwQjE~TXyjzS;7nue^&yQ`ZRmoyEy6q%7>wPv);XqlC1O}C~= z+_DC%k|h5m5bhj4+5(~duFx#3@?y`+*ypK(Ih97#s6g#CMoFXbM<%Et1qF9~Bcmdy z0Tt1iKt*m&cFT;s%sf9jLK@H^e$a@HW9=y&O=cjsF#;M4+$;+X3gOl2bU#dj8)yFzM%#=wc{zS`gxzUAc<>iH-K8v1iBOe-aQq!v3V73h zD@*q@z+H)tqqop_RNEAHFE>N58fk*mnyOG7gj8aXs;cSwZ!{C_{?5IDW}|(3N=y5m z?R#|Tl+iAuZIjvX%2a(LdJYS{>+8^wru4LHBGzhkP+15L3UU-uK?yEH!NGPv4u>|R zspH?hpV1ZCfUa1pwP%lRU0m(k6tv3A&T1@SJnC3~O|e1fhtg3Fa-p9KYa;;ja0eEZ z1xhe7p(-$bG;D78RS=7s>7}ViAqt{GsMcU17_*cT-6vI+QQb_}JUFu~sg}Xf+*=Y` zZFjr{dG9DhK|#KoT?L-|z@Zg_i#47U)?M68GjQ$Nw93nIW@lL_{WiNLJVX@-uD|3u znApyaL*C!Xv3X5}otX+#o{5?ZJN-^+MzXg-EvI6Gdt&gSIl~wB?Az|ch4WwO-0rod zi=P{T@o(Gu_3Sr{ygTcIbr)tVes$fOlgLL!MNh}!33bZ;{aa3OJlbJ+CVpwmY`gun zmOXlPa}^DGcllK7m%Wv8}vBFJDT1>Kg4 zLp4$^Gb{`Xe58pJ1@Q4jI$8eTV3Exgy^wk`EH%xS(K?wdDL0Kh`HjRTKSOlTFn=A6 zP)ro7I|$e697;JQC#N}-)M?Ih>KT)?Ea$-|og6XZr8WPk3MIebj8Qx04w<~PW!8#& z2MK-G{ISQl_vY#q(-p{ld7Ar^b&roHL&tC53jQLjGyV_o9};M!?eVE0o@n4yXZd@H z@S1=U?BFR{*%qv4qt2Iy^4k~A%jf@?^X7s*Ure3)`R-+JP9tC8;R7ZQ=s&eDOxwKa z$HuJxb9?mmKi5~Ct|=P3cWv~B-Gh2CKehu&V|Znv1;;iA^20-mKVA92XY;z>KY7-S z(r)%|S}qn9u1~N*kW27&pqEnRE~}=-sDsmQx7c-z0t^eR^LXrwjY zU`1#pxU__nNmj1Sp!eS=7kBO)d30XSzMRb|ntOB}ez|TpKjQN6`<^N>{6{UV;Z9_* z&;n#X9;KkiB{gJ<1N&!A

5!<`kZN01<2?{Y41yi)X)aFk7Swj@4zll>`F zi6tqqAS8QtL7Ka;#AQrK01K6p0J;LOi+9-UHZ?1hk_;7S2x$kYfnLjRpx0U~{b~E; zFI_d+OZ!Y+P_cdKxd{`_Ew3FFRNN|m!Pt8zjuQ%Q|FHSuq#^x|=eM6bIdAH^Tic9} z-&!-LqV9=Oe0um(tBflSzrhKq2HjQCuxy>QX$>FCXl+-PUulyLX|+15 zo@RSd1l_lg%saF7c}~9M1i3h{cy2D;c+1-~Sm^uDtL~xP{!vBu)Df`kXFGM1=4KoS z(+lDcCAax*nmH8_*qLDv%8!)+3O zWHnVatg>jBTvO$&|B+$KaeS#L87vC&PPIk#_4Qi;-V*@NQ>QdcuB$Qwv{tTMsjiBa zR0&9+89G6b;ohmVN`|{jJktp7vHE;~oA1h@IbFVtRaf!p62QBttOB^t0i0Kx;9JYL zk*KGHvxM|tQ_s~uN(%9FY@Q=2tvbvLU`uIMo6fi>%{W^$0JI!{X4C3HT6+^78gS0_ z^qnIY)<>?^jEBO+_XYvjcK&Gp&RJ>8{bk_hXD^)B{-j?2!{f<(yoWr24_1;F6}axXj<_S~;9ddn=K(nf704@Rj%MU+ z9?qn`2h*j1lVTz0rzAAo6>N>;uoxLk9X{D*il9nTECYt}q6lo}IN4WqboK!^7f1u`o4DAJ%BsZr7*Tlo-*8>!9CTbcf2#xtr806cInxFV83EU zS0&XcK$jl%cWJ^g=7X@0Dm^frFB7REP4=i2(7uR%Y^rcdTp<8bk91mnW1Zu}pRYJf zE)E#nW=IUfxApdNq3^3#D5m9w*%@wyP_UqTFId+MFDYKHq;g#$$Lr%DUSH+XXaTWc zKTKPIaa5Jj$lAdiQFR#v+-(1bFAHjfe|j_5dZ`L(NL3UBESc%4U|Y=zaZx60z|pu=2k?kJb!Ix*B{O=%oQ4Gm9p-+!YxjTVO0PI$%#_Jv=wI&a zt@Z0~?J(}Rxqki49mZYz_OCInKKSG+qbFC>)i2L9M$TCd0VKduz>*b9X`#2HFd%A8 zs;ZiU$>F155!$=jNY!O@Qx-xY0kk0VOaj4fT43gZ?U&z^U>^h3)z;M-G?E~eu{~Nb zJuuKa)t3e4MXgXK@q)5JD3!GK-SGl6LWlaPFu$ke8Z)3jK#dv1fP9Uw!b}Q_eBrlW z?U*m-w&wde477Gk@2wrZ6%|Vkpnr4$bazq1)gynR^9RC_kyQFE%itpTW!xoGkxv+Op=MQV9z0{@C z@fo{dNqw_x`ti=LLlZV%m{`}gV#?&o$|;j8xW@(*_Z=FFOYuvi=Gl^7$?0C$rE4#` z#(?8{ zm+TV;s$){HoU=)8lG5?Jk;Oa&>5wk_wo3^2744P;8u5vN9BR zR8Tuzu?;X>(lTf9m@*l|TN|blUb)l#>Ae)iQKZk9Cs#8a3pg5Oey@^qXMV{GEalGN z8{Y35IUb1f%|n)7nxfDX3b1@ea-)1lgKO@P&(Pk%?>CYQm5(huIePTT75}I-40UEN zswy8*B^2CB!gW)qI^X-}s%2B__EzGfqn=o2TywzdYjBr=)-W_drW8yar{w9zVK0aa zdjO^I5AXffOR0|9qcTC3IOfyDfQ!REfhH>xytzRtUBRp%Bvh+oCGsf3#CyU6YN@%0 za>9jzmb+WRM8&F;=k*c#Dn)WxHNo9gD5&Y#SHjguA*M55Mclf*7fJa91% zln|?9l|ImOvNAVK9^L1VbRRfEO#8(Y*2b}dV(-sXpC$P#$QV}?WjKfUswTgcNRD4? z)H*N6k{A=k+-9fN!wiE$sc6UxPl!obk--7i@>%gDt3_Ke^P>mnoSqgN8yT6`x}Zny zxHmTS-QJ>=eQKv(0~51S^1HT-jg5*L+^J80q0a+vjU9Yoc9#K}j?PY7mz@0mQ@YH4 za%g&PV180vHzGkx1R@|O#y-0r!b-r)Xt@W5CADyWxo*zs7A5yCDN=?aBkE8AhWy3uazv1j3clP${{PW-mNdVDM@{dUi0~N^=pme51me zsFlvru~T$3lRDMfw}QO#@WVLc*s<)kUn>6{i@R_cmvJz;aoPQwD^rr^N|2EVh(UGK zAJ($7CA6+b_J=_N*jj>#FZZTHO`dOA?J&>da!(R8gvH>6 z>LUrucvx+UQfg?yzYT=2CBOwua5owZ5O$gjrU)a}WANy$I<;J17YHBl4Lc*Wz!e&S zMWqKLk0G?sGv`W9DRR|_x)-WISS2-cQ4`EeM!?Kd_vgV)Fz2Ql{54#q}%a0|Wz->7d|+RQxC84^obhA!|t2Dsp^ z=MiLG12L8Wvfj7`F}c|qM7>@R$kvlpM(4 zjgiJkQv`&o27}YCqKBe9@TK+Pg%9f^387xD?tajvFifLVvoK86WB{9u4q?l*Wuzn< ztwu{+j64uKeT7jEuzv5b`3YDbnS6Kkk^DP#=Zo+S633&lM05T6QEv0~L+-JNum6Me z5)#4hNJs5ZAGF&Q?9f6q+C78=QIOY9E>a-6=Um0M9jQ=c(WBU&xAd?sE0joLty7pC z%cjf9>35%uERy%-o4u>V72m!+#KwKv_wLrYO>1XMKrA)MMmM0MBkjRp;B66J&jt)Q zy!ZuwW|P(HGP8OnCpP%Xyr{{Pj!RhS?^40jfPbza2e$uv)}$fnGb*Rd`f%OwB0Qd( z({|Q}Yr7RjbZYkkIgwhFm)kF;tbbA2_cL0x?|wSZ5tBG|!Z$lM4mmifu)1(iwLQCV za^IGFD`v1Lt!lk4Z&mep8anfCZ>JH#dMCU$&yyFys zzotQbpHs_eK*{ye`LcnYDp2Ziv3&~mx#4e;s~fOLl>464QcNI{DJOIBVSI_CDkAGP z0Uj#%Nh!ZW_w5J&zq4=eIA2wDZp|}e_2f3)w_i7I%A(v>3#U{GeOKMuYus^j-MYEb zzWs;m_LY&YH$G+v^HzcCRb!|B1b>)P+CpE!y8Dt;57l%NJK}2i{D4efhCb;bpDz zswr=Tg1X3EU(K@EK8%iDu_k!h2F9gT)#K})7=cd@JFv>Qg7T;}%=>5-?^~M9sXFeQ zQ}wTrZN21|UAuo>viO(X@QTxCPb(aolQXstymDu5!%S^AZl?*>?Z$0S7OlC*IC$-V z0c!^voebk*!nm_(cft%m0iH zNTjXhQWI0`R;u9dN(V$VPJDq9=)1R5T8ApvibbFVXbNn3*{ZDYq0W{yw5A8NfN|%) zXC+!bjEr2iI&7Mp40E*yH82)GU9oqaam{|}uSP*k@ruGo{naSyuMS~;#t`mvKzErd zIMo15Ni%Z3x(0h#NGMM$8-kf@tWkmO0=FPY3E>FD25KxPDy;B3yOfqVG;>vn%N!Yr zab!khdP=g*+Y%3(a0IJ-Fod%b61uLUXgL_*nTE2^JB76|fJw03$f=Y`5gby{{8AYE z7=eRSNf=2*nDi=J5LT&_Wg3=u2dhib2n|sy1d2y6jp~wE^(Cb(1NkmRK|z0cm&<`v zK}yvSxC|U@Wl&XfSC*8xqSMpUv(mFN!JoI9<72IqKzi&jj3(pd%8n-G9dy2Fxg`?; zrDX6$+N@&sd+(78J5T#pe)Jji{u=k!{kM%w?KQh-R3*28To4LaC5V4DNRQ6L9q)b~ z7k4YdbWgEEI^8DMvM~Opqs6Y^M8F!EMUK{Z71m||XRJZAdq$ZigrmtQm4c%Omx9%7 z<4-AaawgPFe}^lcG@8LY>_EjIhxK zj4&W703nwd>aacxfcsRy-GpLL72Ro8h+4mDqy*Hc7)h;?R-)3gUgPNDeP20Jqu)zh z+Q`Vrn8+A|-O3^kjVjhFwz&Z$6n_B{3OKvJF4{JVN#q!i$cwT>UJf9GTzwtTa70+w zuvaAF1g^&0Ffw4TNV{3-?G>3ry7eXR;5XhX!f%szc5PVm;fKPy+tVTNs3uG5>!mRi z@!ool`{f$DsbH@sAC=k#N?PBFz&?wdQ0;4g=u7MIo>@10u4>v_lJ`u#F>tp;Ru2;h z9|b;I9*^d@G``M~5=#ClJWfz@!hBzsNvf#)u=49f$vCKLf|aTHW|SVh#NQg>b!=ul z>h0<&cZifJ_x5h|&*VAovK=LAc1~)Axq;?HAt?Ok#4knXKPS>vO?z1WjX9as2%qEN z(X6Buiw&v2Lods_YGdggFRsyehlLsxjaGW;w=x4IkLv4R8KBl8-N%YFADVIt%pm{S zYIu2xE9wp{Fu8ibPGN%eN&8=Rb#;>aUwWFS`S-yDKd|y{yI(q_)oV7IP4usw=M^S* z_oXVbZxnf+bG>z&)4Fde@vEe}hWtx+@t0rdivH#7uh%c(H;I$h4}fbWv;e$lKL|7J zpde~m1jfzN)A zQE>@LdvfrAqJiUzdkwts8ke(i@Kd{mb-Q;KuQcO6KeukvslZ**DXVRVA0!*ww*F^f zh_D^JCsuO#2Ea6jv>uLj3@hnlR$u z#X~1Ob+69hU%|g1;{KnuHD(H8d#XY{$WsW&lig(zuwP|+bKNc@0(HC0%jF)yst2}^ zKlhUF7URqc9Iu z>Y~^fk}W8sx^Sm#pF4pqm?9Yg2NG0`hNgA!Qe}-F7BMb6YmF(;)|gFh@m*KqifGv5 zks_{>dt(N|2kdjpcvve^V@wIDRN5L-C8+2TEJ4l28si;{mCXAimhA1ODJW{1Uhj`v zWaD<447(stJr=`HveSO}9qSfPyJ;dp(~xSZw4OEDY{;v?-89)yA>Nv`z;jb8^t#jB zsQqf|8_W%BzbVl6oB!3^$ny9E$fJgx-sf3w3Beyq)9#x_U-!-R_-hhPE`SV1@{fFV zgLIH&koKMcJzWm^(1OOfG;vrEE$mFbr}q{+nm@&>ustXAeTqAV`YH1H{pPPKacQ*r zhRr%zywB8JqwFp_y)U#`{(AMkKUc2&b=x1m8_3nrQI%7dEL-gw67eyo9@8yrS^bf= z&tkm%qf>*6cJFEb#Eyut?Uz`)4~bX8EZ|ksUY%YWeTQD1!YuMG=}MV}Uu5p|Y055= zj6bBXr^CxGfbFUG#ifDkeW&9LdNY$Hc;yyJvNWB_(tf$BoaRM)d&)x^l$J}q8JJgN z^l#+p{l3Jd3*5_d8I1LSpMSYut~n2fv4$U&O3tMrW13c;;}PBnFS1d;Pw!79E<2&Oketz_Rxh_2k#%@%XE>n4Tb?HygTK*<9)$%ER{A*a8?$1B}cA$U3Kid1I{%3w6 z%x^gAE}h;r37E&U920E$WWRPnF|G*jFSy3<2Wf*S9EDqS4cdizyM^)#r=Fhm=65)w zbGLSF!6b@{PgI;a+qc)CVcc!6{LTd&n)C`qrFZNVs-8!sb_5Q>_mN7xhdhe+&m|W? zcCAbBF!%571+pG_1Ypa(LIL%^=oQL8;$8{H>pGaNx-s7MB_3ctXro@Cba^%D6`IR> zg&O5vq2dAZP9k~hJb5R9TtM|3a0L9>_yISi?l|Ac{lEvn54!*7<-<%Er*W@P&&FKy zy+V7CZfpU+fYZ6x+?2^}xz}z_m-MpeRwNLL#+wsid?P*L$F&v~d z)|T?+S=kqv0c&iqrxwVASkoeKwjg4CokyFJP~r-0QV`wDxZrb)ibqvPrP6RYFU=~% zu|mMrGVrktD#hi-oBmBoJ(v08pbgNa)Q5+pyZrDtHYc9OSRQix>&YE=(WSImzScqz z)ReCQ3d$wE`Z}539baJuwXJ_0WXe-#zUU6UOpO4L#f()Awv!8ML*d6LR)*g23J+Rw zes$_ie=lj+xCjeg}N@>_~+*Pp9b|FLVw&9!ykESfcA@sb&{tMS&K3-90kw%AY&?s(>z9ceqL zE<_&w2>s>!N()z#+;5X-nTtw~FBz!YCLg%lW`FYHr31i|A2wf_K6wJ^c(Qm%$-t8# zA$TpBA*}27*wht|w%paTTNiqyyZ~fW34F<9Ig>{9&ww28sj5NsbA~lwr%g|*&4wk= ze!Vtl950#v=AsRs%p(_52eis7v?Z7HdFWKxw0G7n{dObHm^gi4Z^wuM_>ZBh##L^+ zXYk|Gk~%poIWdVD4!ya2%cKd96b-0dT2jL%RalcK!hMW1Gew)%BBhNp$yQ+5Ls_}y( z+gsaq8$W))zP7zO6q1ke)%Vw4DZk7ue|*uL1B2UM)yEdPdby5@@3b9T;f~?H`S8lT z`$!#<`y{gbg^I-jw0NGCEj80+GoP#^?~qO04m^i{q;3rV$aTb?fAF)A2Qc(waCWw>JY7+7dL{R>JA7nG$w=;Js`nUt z$^HzZdhfJs*N1`qxks`;2{0@;`y&!%^5%QuXP>7X*Qjx4V~1NCVWiC&jBych6a`Q3PKJYI)BSKbRu)gY zn){K|z^MD^qGgG`qC^LUtnuat0`s+27~PPsA_O0dYhJ_Nn6J_m{=LeZ=PSZ2f4-6V z#Nc}?y>+$-*C0QSxIwQ^Q$7|plA)j6ONQgNnAfO)+Yp+9KYuJUm6y+6#DP!$5z~83 z>TOZ!-PPNEME-bo{{B6C){@_`W!=GtrarZfj>Em;ZVzL*d0z7DF>ntFqgZ_2xZc(q zO$V&E{T2@+JMlvD===X7kK+ks2QGO9%-c!#Q9PTh;tIJ=WFwM!G?=YR@TL_IoydWM zmq|LEmX|9+<@^q5j)*N?=0j_w!vNh957u3vwQBiA3QBh1dN;-2M0#Mgj|7U+0kt&P_1 z81xXn*|4bKJaveE-w0Cej*V@wVx$nUf|_Y&jCx9CNJ;_1oo>u`Orbk?O1KFOC#r7d zdL&)#vNpYtwzNf~z1Op<0xd!gyCsnplOz9+WWBS!**rHc<$ON9v;tunv@-raX6xOCu=h@@y_4F2#b)#7aou`A3=V!im$uSni zX#&-lMKo|@W)*K6JAT`sL640ax4rn#J;eiu+%st4J;M22!-npz>Ql9A=+IqNeGX2a zUfO5)^y$Oc+l3wSqSm=QnyHt7Xm*6wy%O_L>Pgzg6Q>ad8 z<#?gT$Y++H7&YqUBF_wQTr>vrQlj5a*5*qzqBEw3Dm z&y^kCWF(hmdP{*`9n8gX$%zOJ1(!lgH|iwum5B5EmS;juzuh z1r6RayiW><_4}RHrX@9e=7YB|PcCk4a*1?OD=x;w_61oc)Rby&%qU(jHwHI`vj$bg zQIjvOJ~L*_*)?xWHeuDo>12;EawITlRJmg3(UmfTj_r1T;r^0qxnw_O&nFMglx!4e z24S&qi0UqQYegS%n_0g2BU*0jij@>DO^BHaY3Kh)t~X1FYQcX^_1yoW-~Cto?oXn5 zUs$7@SnUr72#yr}!B99(ju*ZIIJB<@yl0S3Ge}n?OlSneE%k$g8i1hsup{8IUwlEf zdo<_7c0DCez(lodB)ChU*Om0(gw)7cZ{`c|5VFS|f(tNu3zy+vNSM$WjK#}j9X{YW zA1OuvZs8P<&>#seT?!_4$^?Mwj0UZsjAT%m1DTUY^KAh9DLjJgCY>zg!kB5~4*+le zCoab~iIQ8I*2R4duY2NrK3+h|@Gj)l>229q5Ltv{n$Tj0FXSx%6Z2?GB~r{*EgRKN zA8Shc9>70Rr_#2!Z*rZ=%E<{_^3X@qzWeSsPB*ONM%9@$L<#VM>#y_aFou!tQqV4Y z!Ql#y*(ebA?lInvV1L-z#3Yt{mQPZcq?4VjNkb&h8u$2qfv@P#(t+zZK|YdZLAvj_!5adM~JjqksbEu5Jb%e3W?=?5tB}uBNil4*Xs>ta6Y3_u^)5II49ppCz=tt3->fY!B) zR+_V?&KiS2s~mu3T8loBN|7GOGXYhswf5tj=KEhba*o@5k(?C{ef7B;qM_#*K!8{O zt?;~X0%DsIm&O1hs%J-9CBtuG-YH$DCST7E5CtkIGTzKyH~du+lth$Zv)c?*Py|mP zBh?>kbF3Dn!_$eE+C)zOLk%v-DQnlhEN5j(=lHypZN@!3V95`UMlSyTVeluTyH9G{ zc2aj-vMv1egrwn5&mo5&{(iA^hM42I7T)=wYQ;M#sNsD4^b-D^&4+ss?UhB!`Beeu zG0HoS)UDE*xnlRvd>8UBxbx;SY)n`E5Bzz!H;kT7qP{rw^nB-&OuqBdaeQz2oV4Cb zrC6ZPgrF>-ki(G~i)XSPoVaxlC^AGru(Bg$wbO8}3T-HM#E7g|zRUitgCc zwj{Jdhv#bOTUn7X9YQszM{}_-R4|h1KcGwBZzYJpi-=)IEHC9p=uEnZlvl{eR=my4f=X#sR!Hg|}!& zgTmT)dOn&qm{K#w#Ly3d{Gmkp*+heVW;AP&2)zl%rS zGpIbIJNYNKr~l>@H76<(!oN((CEt=?+$A^gl{w3nE_BnrbUjHq{_ZbiM3SvzlkhH& zgwR@;YurY-PfO*4J{o|#vwYCXeZ7tHI3h`YXo!}ArAy=6G2L+IzFj-N$Au2rJKYcx zc1_c}AD4Hd?!?@uhQT}*!1{d!_#TOp(QKLXAuwbx1Rad?As{Z&2buGcypQt=_KYRU z**K2n(-9Ampiu2OwA1K{5|=(I3ZbavD2F)#hBVn)DU}hhzBxy3k~9rK1a~~BArI16uie!8IR*wtQ3JF zB5eYoNjK&MmL@VKB{_Jrp7sLC)e7aC$<0H*eBW{7Vq0#|aoo06Yw9~tIOOjC^!54o zeAP;CDaqn9>kjwINL)6Gdl|-EO3H5-#A~mf;>kb3Aw#F^&^Z6^JTpTvF zW^^$3uEuVAc=XE!Hzb{~wEk=1N$RW7T8L1TV5Z6rc z(%V&lmmrnsGY#dBUk<~M@sGp5R27t+>9KJ$c`P-fU7HRA9%!9xpD#EbB6a(slWkwc z#NkEN_{!921;IQ;`reVX1vlKoU;2GI%R2z?mI2hE~sJ+V0Wz2HMg__BOb|)hpfI`Rl8Q`v@7*{WdroKZ=`H;zKvw6??y{ zR^Z2<9ynlq-J?L06~NDA;|B0Iz@uT@^7m-CHbaZagLu)Vi}!-Hi!2&=qw?g^x<45W z^`9tu0W2MgWmQfPHic79ycZyi=^m>*4=nV9cw740gr}h2R}Zo z+kmu)O;+=Z+$fLNR5~nwX&Z6?RB!07+#}f9>CxO9Qtag)FD*xRjwT#Y#%;-;R~+Gog%Q8_xV=h?Qus z4(Vw!Y@Nvqn2jh01$ss>tHw9yio@xn=-jcwp>JdBifL59Vgm6NTQ?>e6G-ypTR*(y zOhm&9V)!?V34m>O6QxHuHFQwjLjJ+c7ho~nep9E^;;7I#u=J7r21)A*uWvOf(&-4^ zUP)$3zTwB>rcr)iT^Ifd%xUK;ps6pdq{9^|_Qdb1W|Vn+JgtDVGo5Z#D?R;^ zn}h#`?tc(Ia^UlPN4h2$9erJee&eWuAW~4NtB^v2m16S)rliEjr{t#OWM%jb9ITZ4 zB>&a8l)nFoaVL^9EWZSHU?Ls$J;u#fIv~399TqI@vmgP9f;h5)Dg~d!XwZ3cXcOJX z0>F6<;8ePTB{&AGWR;tAna9E8z#_XB(TCG1*)#O~V6y{UumYC`{<*{zuG8s~bq=jI ziXy>gkK!Qb%KULq;`2Cx^q|^}V!_TL$kozS4NZfNc099FcuJ-8%sx*(4B+Kbc$e7z z-1$&U`!#7{tzo%2iL^IX6);gI!EIr-YQ1nhIWT}5OyRyS;aNWvbiiskE2dS#+E!3! zlV!!EkDPy2ERmh4p{K+eDQl%SJ!T7Zi8oKC^rSzGCKJev#bl0)!4Vitq|T;RTIKpD zIp^i6OZhkH!s9SX*ji-@);oN8APT_ zq#T(~mt2-1meUGhm&OPh#DGO_-b@lDEGnuRC(x9h1e(ovNq|h6Pn0Ycj4kPwwB#hP z$B8z(&8YU!S^til`=WT!)0vXDNxAkddW><66S$>KS%(^Pjq;3?^DF&$cD0_#$ObgDBNtu=+@7->NpXk)c8CL<2VVOqV7 zNjrt_$%O&@juif968sNZ(Gw-uFE{2iNr;HkaQDPe`C`H0&(Rl|+>> z;AoX|N`Rx4;`pVkP>J7w$Tfr_P%l%51rGGHR|h@K3Suk~e`8eCf9 zib+X{j>cHBw9zf1lP!rj3P;*nYm{broqO^yRQ{K;b@`2qbphIiy1TjnFlCrV&dn%! zrIZg*@@PJr1dh#Dqa=;VL^ZdaM zWG$rvow2?whioWq7MkZ^(Yr6tfjqnCpt&38Jlu+cv{a_G{j(o+mz z-^)DjL%S|XqTrzC;soW8Kv@!2ej}$zs6fz(Ky)?SIimv0A|fKf9Fb^exfQL)NAcuG zJnQ0`qz~S@v(*R<4UGzo1jA3AtO($Ei9O8#O1Pgwjro-n}o-@Q+T+>>v^El~YxKFvTADnkMl|gqa5BY35Xi9Vg-hniDZ-l%Dz~wyy>L zvb6Ur*08@#ix-M^w4KO)YG#yCsVN6>T$mT@J%!zkh1MG(Dn#ZrBE%0fGYY?n!++(5EAF7|BP{XoRk6 zoROSTQcSku#hV&O=;;3!usBp&e@$p7*AX@MT-nAaKD3^aXDyNnS>-ZNq1}B~9(?fA z`SY$m_~6xfElmY3t@jbn6!jW{%}fKYib_ zSH_f{T%A22qvhaM@9pS4c38jBN!>DL9UWEn;_{LEv#6Z3rgf6+x!_?mKOe$4s}N~j zxO7Z_K1^FGHx3S_kIT_owAyfXo{<$tIIz>Hb(*yhJ&f8(F1n9|aV0->+)1(xdi(o@0&)-JcqXfH{JYme8RVOpS0R$xYnH?ckidW7k{yi!)dB+?hGM6CHb|v3qReo@$<#^O(-2Z>)n;B-kmkJlsqwbNS{9Ncj(yhCHIUQ zU&6h3bk>R!<>e<<%sS@GethiW=gZ2TUp#hiHvV$tph1-t#REsxg-j?NF=4`p;S<^1 z7T5nIt=0vU+jbb?Pa;v<}@6!EG0I<1rL?@XO=-k@O4v8@N0p?b^ zT=NyaXY%Rt@;$4U_Vd2<#ezem_D7Tc!ew3VvYyLMRnGrxQ_qpn6H5w)WQ-jtp4mix zJu=~U^4LlD{-?5AFSxpK{k1i9zq_&*Y<#fK{BF~?FyEm&w~jk1KF@pycn|(uCXnSd4PK*Cw_rZI(&&lo!xaQ^X)$U#MI(CNHB)S9 z%@!3U1!GaxC`(ETYl6)9y@q>69v|Mr_^sIZ9b9dry|PRF1yHYE$+c5!BbL#HnauTO zZQ*Q@)`U3L49*fEafa5o{>B~U6Hy4P@@Z0DSKs&qU=k}(4G#2^?-XCay8_-&Qc`jZ zB-2b?4;zaO<>1hm)Zm~gcXa>yjr;enUw`moPIgPD)7jFwb=R)#2X;KZcl!a-wQHZ} z`gQEs?>R}|(T8prcs=O5XqSn`M*`~MJ5m7N1*bBAbD?C;Md#yqww_CH?7FY+2e_Bc z=5xFmMbms}Bj18!HKbLIJd0=)ZL;cQ&%*9~x`9d{o@PDqoH+Qh3+B8UUU zD%rd69%J)O(p}%;o4mg@%HJ9QCfgNc)q%5P(c74_n zjl*%i$s2o&&v#B4oS4e52&dFqw5E4QNA>2oR2m}!j1IQsDU{n+|5I{xlBMJh-%8DQ& zA_{oy3bN|rq9W=lxGH)1-TmH7CLtX9|95wW$xL^>>guZMs_O2l_^2vNYE?hERD0mQQ;n<_7J(c^h5 z$Cfo$pNB~aW7E^3;?-Md_2z}43+FiIm84I~H}sv7l%@`dKu^p=^f^hJfd=St{c<&$ zhrUFg3wueOS6n;QJKK%1@6xD~mG1%R9zZZ5R6#)i1nGlxeL@ksfm%~n1BOo_N-Q{J z!XXO|+3JG%M&&Fjd!qW8{qrv@(EF4;;PNe)pvs(LO7E4DO7(hTcF7|J8(&IX_x8|T zAwWcT58l3bwbaFM+0&4QM2l2Ac z>v1hYSck^3_ce`=urdkM<9Wt;rqgOgJR_x{qL(?vw+@;Otq$rK)LGDRaCb2@&e+7R6W5ntj;X^1EN z$a>nv&fty0PD@aOl#52M(S`LURb_Q*VGMW>#12G;AU_%}Gms$8?7DHGmtXOy{?eS% zxsMNAH6$|DKPfTBX0y@S4KLfSAK$9BXIU0KTC%8wdr;l0B;8tIu~>Nc(fbCZek|pE)_$HyD5QavChU>L31O{u(X2HI2+xZCYFbvlO$Ub~;|NF7_ zBO?0riAajD#Kqu@d{NPEn~T)fm_j$Q(TF=muhJ04N7<0^5lWqWvOV>6X1eQ-RoJ%T zR#5xl0sQO&z+1E28t;fjrYB;N1$cv2>fUo(&aI(Ta67S!mXp|KJn0>ROWe?uU;(6o zVhGW1VoKVVw=-?1-vM|KKhuVLC6Hc8_5`ZOxI$)UTp^9YutH%dTK&UCQel5J4vpau z4=)bGOC<2J?OD-xiwlf*#|1JyaRD?!VW~7qq-J7!CL>(mggY_pWWZbP2=*O3^;GPw zq;<90rTl(V4#M$O9!?J6Ep`M4&GOwWcEMCn_4wdfw8vZ{%jgK%0^4w_CC*72R(dc zbB|Xr*>B_Ou1MW(ic56@9hXyWJX}J@6!&;T?&3vedb~&k`gT*?J>CMU8TlE91wW%% z@arNQBmh9W^4WPA*KIn_d`*xkG=P%XSHpuSyYA>ShlGPf+Ceh1hiq@RuSOCbI3 zC=HHIX~^#)4Km_q#-TAB65z#=F(eXr_bm+$k2Dl{NrTKR%xf~j_f2-M;K#NIer(H~ zBqGnr-6!y@FrWEcmf4_bC;59;qnmlnR-9?=BC)K8bWS@5?p|zHG}q zB*W3kghf3`hK%TI3!=e30dEVTL9&}qx=Kc#lfV9oB}3-+WigK(@!~O?d(3x|jIK!C zE*UbNhn}mDpL#@~=PJQZZMm0pI6Tr()RT0`Nd6*M$B*>q_m{t@d-i*E*Jw8V`Skae zEq{Od^fSwrzTe25D{~f?l)8#tF#5uT2^U&#tpB9G{*(1L;LQ4oGr1eH#*Uo@efah4 z88n(7m}R%cvAy%Nb&q2os<};IX7tPvCiQa>Aa~?6L4H%v`_0W{Tn;R>aK0189aK|SK z(ew+1OAL-A#PlqkclPXvZ0fr^bwU99Hm|Nr{Q8S|msZR?w*E7$=Qu_|`Tx*=G3Qc#cJ11=lhi+8 zdj+)h;lAeSx#9!YLab11-ba1S1%w&K zCm%aA_Wji}&pk@PIBHN4n3Pn5?9*QH@At3m+h_%TpV(k^O_P9L1ZyEgH2aBHg$HNC< z^09<~#w}A7@r%mhosm_gsY5kYm9%Ws-WiPtCyx7gqw`B>eC*e##_=&p?Vm;$#}qjt z!%~M=6WXGc4$1e*d;33pv>M*v-h|(^ucG(R&;Ps)$xksF`(+|mI9843#~rJ_n?LgZ zE>b;b?2PvxTYPrrxSG&A1 zt8YSXOBsU={lf5VDWldipXvahbvq|_@J^mSGmC5CPH2>kt84vYr)3;?@4*ir&2p&9 zocR?M=V}Ur>OfzMxnMk$P0xSlU7xHLMcJo>>{12~*YYs9{0|_r`@64(xyNA`^0O zJ{-=qJo0)qce4>1xhoAY0KkqvIu_DTBKSgXOb8ZX-D~WU8xtQRhY8dO?o|6GcJFWJ zMKQemuAtQLGF=IJ;gu2}3IMQ*B+;wGzn1d1CQTTEH~V8M!SN-LktK3AT^6$7#EBuj~L|;W~Q;=N^@KlgfkahU#b*WiLNdkLF$M9Ijl)|Eh^z83?fZ;e;-Dwr2$4 zxn__~!xdny7BO5lbx4aMGUgAMchy;@bIlv_*=gZiRmTnXabzQT&Q-z55`g}i48JC~ zStip*(6^8BBUj)ApEyG(sADL~d(ho~=^SrQeR^t+M;U^%;vz1J*TzMdy+%utg;L<5 zjvwGVga=8rMM5KfuaX>j73%UZ3;>LhQTWOTW8$K@N?J>cy0O-a2AFMd62?j_j*Ki$ zgeU0lZmHKs7RJOBM)L3Ine(_+@B>m~SqYr{euKs{Iq^D5tB}EqnC(>(_TIEeIY~~ucqXs&_8=Ez^)bw|F{Y91|^E9GED6+}s z@EI<`dx>z`KZ>k_xZt4C=^x-ni^Y;!Ul}El;5v#zfeaJ=g8T?1;&He4W89T8!T`W! zY_K5|;x2OH`43lnp)EKyno^HnRxNp1XbXO+wR)sx*2I5-4Bx{Ahw_gUdNA)i)RsU_5wqB{_~}77q`yu zI(e>ZyRJ=0$n|b2r^-v^Kx-G3gJ>Vw@eBPrdmQuz(WC;N+lHj^F5BGBBM~GmR2?9v za{Bb?6Wu4u9I98Cun`3Ky3C|9R2J1~OQM(7E2$enrY3t(S@AOihC=Q`YS#OUR=qnp zwYpSki=?<;4--D&xrK6VcjQjAzfe)J{PpUZy-lT$j4F~ROd9xf7j7o|PTV}Sww0pc z$Aa-fB_v!Q2C{enUqGP05NN@s=88Jm8w~~NLWYTC_;SEq+ToR*V#bKN@;V}Nj9weo zCp4IlSd2;Bjn@OwNc|}xCA5~*1H`}E5Ls+m_+PJa%@6LMlAdXH^5noP-Fc-zZryt~elm)FA#`PBMLgst`eBPfJ0VJygmF z8E3H+UyJl?CeqVy@asw@zMC?+;|DqlSzF^Z0N~<=yqEhU z?lyozPLaHt7PVT(Ki8bhTC$4|*y!=7tA zJz-N!%%%ya8=ni?lKkTip^ou`+%_s&^dj=r5H5gX+^MKNgara!h14b_Et!Sn)`TxD zyMxJE&CzXgF z$Fq|u*RQ|ge$P@aX3PEddzO*A`^|yBQm;|h?yuh*Dg*v{;|8{q-2Jefggzt5#mc@X z82Ah)WE3>Xn+_ac4!xCr4$Hk`4tk$|30qb3Ax^h#uxovJJwy|uxRNhfg}rFtQYlml z;S5Oym`xv~*J2nIv(ftk2E$kYpWARjB%!Uoz;!8R76^! zQV*?Gq(LgK|DF352L7Fra?{`vKM`DlTa|&?lnLQN;IKWyQ78!Pn#ls zhQsPzPe;W50!^24OY@$oJ9TR8rTo&Or)p1~!gDo^38Z~RMlx6EGosjH38vU$I1)V@ zJ6@tpsTPIE`empYvTUP#IPFdcv!7VMk%xBWq;XDye?5ME!a@+3+ zIOz>MG=TGj?iAm>wH4QQ;LgBh;QP+!7I>c9Nj^+Yu5du~9f{qdnYck<6w(zWnu zc020Z%kC?Md{-3|t8tzct5qvT%2FAZ3WMO3N_tE7R_EDQ8@_VzYiSH!OAjG^l^AQK zlyc9UiV_F90iZ?R=J^yuK*7nC-^U9d+(7?bSTtaZ8#)9T^kGU#?ik-|of7lw6qeHr z_z8XZmtRnuTmBs>+*P&%_<*YY5|ZGTFLx0F$R+cs*qOme8gbIaaRB+id@3yRBQE)K z+pqkQY9HW3Zdj1o8*;r|uhG*=iMLU3g?Ar3&}I6xsk#n@5Th|LHPau3Zm zjZMQ<>{^#~A#2^PUF)`PUB?`6d#3*%4>OCho@r})X6MdlFzwqb5M9HWtq3`f4_`?^ z??uTI1wfFw@C(e=-<#Q~gx9J&zGsTqw~#SjX)jkp5gUk;#6llDW*??V3>gVp=oose z6jCzuJw+YK1z zVY7eO*)sR}?bm1bZTD9!Zhn4l%kw162*z~yFuhrX1<1GO1S%vSIJ^ zvI(14ggo&AFS8{bS6Dmq6VL+-#=LJIjhdlgKb1eCJLTuY;w(&bQ5Z5Q3-Ov%;0|4q zWTc*?xdw|NF*-6d*v#_U3GoqM>=m&RAGbpcB@}wqU?UHB&e@Wr)fQG`iF^0BM|*_n%) zmpfk_HTLzAr<2F{LFZz*hYVOrU|Fy z=7V^F8anhq{iuDjH_SRd3&zeGRyE9A>3sHJ{g~HgZJ4pMmODRuV0pQ5a0wmOxV>q{ z&hdUHPx{rLd4B%1nj)Jstxwvt?enJYuJ`@uQ~9j7ADup<)|rr>(U<2rr6DuG<9tYZflCmBq(u#08;!8FIM~>nc3u>%vK}ZJkT&lE7y!HX>vpt zm{STaRXjVYWKnLU!)Qv^UZmE)IUy@QGJH%iz2I+S>^YI232n`4cRN?(ue?Qb;W{{F_i043% z1)`;u@%o#3V)*dl;@aBc_FIgEbJW(l@E^>jA$hq~Rk?XX+H0;|TT+#mSA}0lm>z?% zj350m$rlo5k47|s!afa6QS!{?rK;v6&R3*NF ziS;=JT{v)yDUitZ>#%5H2pXsz^{@3b$bjXStokl8_=)l9kQU+&kJX{N`x zeVHuqF8w?6G@3ins}c&23nF1NLui9gL%j>*+qm=G`8F8Oeb5GDU`!jehkJJqv~Xwk zz+`CMgUm+@&UiPx;~M)EdjiNw)dnlb!F;4dtgk{0t%gY9kUb%^Uf}&mv4|0S_J3oX z?v*;0CFLB9k!BsWo2c{DqMq>mX$3XxCbr-F^^~IO81v2~A0`g5@ik8=XG5Dz}ia8XpT0)gdY-irjgfBXB`;h7#k0 z9(>CT7LhxC zW_L{2#s_>gw6LL>Y(q8$Wzg%;lhIcSk`oGfjQV~CN}gm>D3A%0Y*P|TmULl`z)=Sw zJL1?=6;1sTmXr=zR7fiqz4MS`axnsw5tB6{m8KSRKfQaByRg*y(V z4M-l_))1+F2O2h<=32f|M}Ed#SZnIj8WnpSHbGUm3MydR%|H4T*T4^ajvUtZ9y<|p zS8m65Y&_B_S`Y`)Kr26mN^=PI^Ai*Lg)-z$J4xEz{ac##)DAJ?`ae*Wn=|^gSr2TleXHi@bkMQzvs+)~M@1H; zMTVuB>_fS46mh!vDqBUeW#W-p1Lsf7s$EkueecNH*4q6mvbp~>F6S=q<(PA&nGsdC zcw=EqSc?9ZUlO$YMV7}U502-(EV>@aW|w?fKQMNdI7@^S@+|<2_lB2}ToNdkC`VrDBn^2_TMMm)N2F!280C#k{tkFA)rj; zfn*e<$jJtULE&b7!uX)e@gcQ7$@@}@g}wyyj~?Y-fAbi3_~=oXcWfi{Yi;Fz-nfbT zxwRGgZ-m)xt@W*ymFVr2b=5VsW5*1y8M2N&euCR}_5*I)+i%0F4?ci{PyD`lGYs3c z3-)>GCGM+TySOhm!+{$|?rD4o&Bey&hgU9}KC5wA1u@{fX_O4?pn*_nbQ1Dcb>w`9 z0r_(d>_;%jAeUlli7>Ui3TZQ}gh2)`A(u>WrD#xUvtfeS?6&?{8S$|((NPh9fnZRj zQS15mIt~kH@xc~xpqk=&6c>5EC(V-NEq()Bt!rTLn%xbPZjRO#4|sIRebH>x5OaX8 zA-OPz+e4Qxo%cXyS}P35v?Zhj-{kK>bJ@&BM7tDF1TyTY1z9Pf3@NwN%?%Td>U7@G zO$5bJ5oVKKt5q6Bh@lOg+jB-$7Z=RdwK9_14I^79P3{-lb199+t$@L zpM$YC>Ze&|Pup~M>L6Ec?t<^vzwliXcdoI%p&@q0Loa>MFwoV$JZ8qM@??W4>EUU` z89MEjm7^ZoR#kdv4cwWR8JV8cH)=xbjG@&1Q?xEk&@c#Y+qP}nwr$(CZJceMZQHhO z+qTi?{RZprUTb+E?6Y(U;u0BXM&LtfS_^%SusS$wR-F)v^z zkZQJsaX-rLGbQS1W-=}i?QOOlZd6BHF?n%a#bkW8^=!fA?Dxv?)Ti_jG5ipb{G*Q* zMZ*?OH&ZaLfb?{}%%4EohhFP`8l-Y(4tF&a+ED{>YVQ@NX((n`f`I0E&M0uHNw>46 zzw9~^p+A7UUF9PA1)@NoimQfEJ>ywod;|zvW4d-!N;m?3;R*8o?-=7bIHlmP`={F6 zZ&46J&A6zbSy$@=y1Vj^Z#PyutAE-iyql^H4uE4z+tHas)w8gX3sNl*Y(#PgE<2KS z!iqX!^{v`_dMgSWb1%pu{n`qSp4&-aWO5Krd$7Kb!A5E(;&F@e7=D)f!;1GlVhM|} zR~PBA!cBO;=W!_8Y2S&VtF)6BDtk&NS_&tAEv>H6at=+-(|R(wg}0YT0$;s;FNn3r zr_b_wz}eFfi(!1d@OZ?!SVG7l#)lt@w6v%{S=`@IM;KXioWmW%n3)NqrIg;)9J@`9 z$2A%G?z&Xr<-*Mpdy%OdRkau|&!G#-Y42lwpMB=1RzOgo8+{9L1;ZK6O#f-Mu4vtuaY zNDwSZk_7hLyLCQ7G>NNfJflDlPwgUHh*X+FI~RyyiAHkNLu7^D@4 z+5Y=2v*WdX{r8s-!u-`bUHEIdE#_8R5BgzvK)>N(Zzy;4qsQ0TIUz-nH=heWEUEn9 zcw&tEzwD_Q7rA&%bOfs~oR$_mNRiwk$X4w4*JUN0>?EL043`tjTK|&l)X9YCsdMbO?*mv?|U1h6xK z;oWGV8B% zARHhN`%E$K6@@w?!3qe{24~(7im?QQ6-=UO3P`S_3Q4Ms+`d9?GHykblGYL1DSZ8Q zb>btWugpWYChq(?W%Ff!AmJ|@oS?8C%g2Hi)GH{r-P+-xgAJ}i z9U1MjnvjD9NC1`6@3q#Cy7LngsE-5RTSCJ`p{}qnE6SQ>fx@-GEUt|z= z2fbfpxNBt5?$k4vO|W4#4h~+A1Y)X8^#x{RoDKUGOfq0BxOTV%PeVrAv=DtAc;Zfr zzvLY&YAof5_sgltJTeA+h6EeSaF?rV-nZC#5M~UkD34#cBI$O?XN88K-cFkJS5o@8 z>1b`V{d|vm`*?}z_;`8ocyF_9nN>DxS=*igzuK9}$o&2=GG=_Gn=$CmC;voE1$2(V z@KX93xw*)-jZZ+!x}pDtgzA#DppaVL5%S$(M0x{&twWUIVVt=q8PPoEo0ps~<~X>h zyoXf*Nzka2SnC1NYiI3#v{53pw49%(ELY^HHB+&<M!)mr=4LbL1z>m`00U&kj+W zjC(=*PzMC(eP~|nm*U&G4zJWX98Bq{f~Ph93qeR4_?E7T`XNqI^O*KAZ1_`lCRVn5wo(e0T^OmQTQg)kDGLPY$ZT343|X+M~xCLw^sK zm%;55R&H57KVM!xzYEp$ruUX5-KU=q@1Uloh4MZkoOAQ*XUrH*P8ym;YX-lJP$?8~ z<`z5$>-=JsYeuC54Z{c*+c<0_#6UBtvOnd*kq10@pc^F6ARQ1*Pp}Okat8|@4%J&MBQD~J} z&qv;q9Pif8e=JEWhpH!^l&OG};~W!Cw4tgjO2p07h;llLhnStgq_6|2IaMH6)5{`y z3O^H(t@LIAE|y=WcC>0}SNdi7-ReEKBm|C+cP`Lp&kFlXDygp$cNMflkk68cG=iJU!WhUQN)gC2Es!ti2WPcs2tO zS4&C`VhqMbUPw1{hMB%~aN=}eIBk26$qt-XFkw>!Xj!HLI*`g}ZRs8wz6-y3pH}M5 zgNwh5a40+m`VM*UmCe82-xPAZqO^ zD((?{fXJsKPVdOoDUzQd^zkuBpq&RoJ26+$^AS6e?yNiz6DflzVI8vd)`ZpRY_LSM zbygDU7PV}l(Uzb&~XgnaU6{-BgFFa7bv+zrIl{J*Ym9

LXmDplWgcnI^o_h6@w+vkLola*C?8UB{Z=AfC8WmWvK@HxU#N>KzMy%H1rPNm2yjHA#-D%Desd)@~Ag zQI7r|RYhAX>UxXOSVUHU2GDR)dxSv)7eR7HP7e>JPf-ZWkKZ2=pbHVa2P%crpPZaT z&2#tDnYmf{vr7=&egmE88;G!?CiH-}fzRMIa6y_jY!OS`1gXRAyFK0h^~Vn3BtR`H zV)m!`f762|_%#0KdEh#DUH&oF zF%9+M>Abg>0>aQhLE?D6miO;WVDO{`M*16GnMis#TqV9DeL-+spKj1kkvi8V~2su6|&7nkqqC&i}UV#NSY>`@! z%}7f8z(lrMSQP5!tK)PVHHEsRmfri~ck~GyjwfM5sFBS40s4TmdZmCM=p7Gl@19>~ zR~dgI(4^waMTU2g!~&&RLRAANRY-UDp|*>|230eQO9qvfiiyK(1Aq7KSnkBb&F_5O z-ngdc(ZlWcK2Pp&x(jdNc17&$5$jcQ`Y$}sy9Y@#X}=xXWEPJx!>OO@d?xp)rqkGQ zatq{-TLxDxdYnf0E%!d*X6LRa)_%EYRbFs=1YfCq!%wAhCa}Zp7p$HyTd;IY9QhZv z%9hpJktO|zOx5oVOY|lM9#0g+sV03V?aE1P-kP^|3-clAhR(W}mFpU!= zaU@vAH4d`;!L-)-eY1?-1kOO4sU9%Q7=5kybj_bIO0XV_c=2wJj2hsHq$uGA&3LjloA&3GNcc{niv_cymCgZ7EM{ zxEjo~NF2?y#(IUZ<5`y}rfNdDBl8QE4lO7i*A(mZO2K@d@RIxVwAP z0Z-OqH97~$sAOfFiXqeKVtMO((e*%$kG}!c<u7oYYyT0-~shvZbxC<$c@j0Kere?{LfOwfp*j@R5Fc{=M`0 zu=D%tXMeLp?W2(APcK6Kb2`|(1ISwkojZVR(f=%Q0G1u4Td%!}DqIKGNgPUk&yw4Z zw}$L(NRd12?14vbV83L5526sw22zhkUw})0$g&lYWw2+RUM9@z3-K4Qc2BkF9&2C? z{nOCjClYuqm{(Jbe^RqwN{uiK#*8p}Fi{wsE-aSg0VD7kBT^1!&wve!5vq_8tafl1 zXG#>&m=R7EBOWq6JTg6=*ntGifHiJlIz7am0dqP%2w5|>JUuK_BV?EZYmpHceBZz) z)Y}2VyPo~Cj{eh;*=~lmjr7x*8g6f8D{Rw=n`h{{9T?mR!TreKW+ z{Pjo=XQEqk&=6elHMbWItxk=nvyYj5COMLt-IErZGqA z;o8uBc3))n(6~mVs?7BWuoGuz?xHD(`V|#%3odn)+C{Jc|Tl%O2Wc;xsPp-5lko*x-?oe`jHnj(o{IMlZ zj`^KT?r@_g-0ZO@PagW6P|XpQ-cWRVX4;*SUKnj1>4z~jOy9~H*rpM;&FrKnXzh_| zSLW)Smfq;4C$RmIY*$9>o!ZXGrYHFAk#1Mk>z&@t=;u2C{*bRv1pFf+-^6HJSo|X- z-+1X8OWuB?Pu%PyXw7l7PbB>#YR|;#8`th$mQS?(BW_Rh4n~-GJqmX|eT}HR4irDz zpj;b>Y1x2)4IFg%0Rv9Newi5kR+RQ!{O!J#PB8c#!O9-nRvfnjIo{#tR{;J4vEP*Z z8zui>eH;EU2b?)^U}qgMm@xv~VCx$k>RB)|1G2t>xyk`Zc8Dnlo;1S#=~vKYTdw{C zwcoV;8*S<#Z&x5{!~tzrH2XVl?y;M^=X7sLiV93VyjGS5nS$qDaG8iOLpz(iBS4 za9oRxRj$?WtvfG(#9jfe{>mkXhZ6a=6cF#vHJqe4{$Sh=5GD>Hp zui1K8Rr6KLnbK5NH+qVXC8(@vSN>5WDzTPWi>^CQv6(-ZP^OVK=3I*9aXa4^yr6*{ z9s(NFFkUg*W;%JJN1y3F_|Q(hKaPdMGaZvJFpt&vRDwdA)OUsvI$?BfDJrj#y zR7-GFikcpYt78WFgalQnV4-1iC@YYcp@fFP3{{v5@N#`n(7{6U(2;r)PeKLgNZko% zp#vS@7qEK&U zFSURi_ro6388#N_&>nn|aC6FolE<1aFxN6~y|N@FcV0hOPut3c+y<@dje1l_<;~la zrdLgR3X7Fw6;R79Z$*{jrbwjClA2m(k{YUEO($gaR1Z6BBMY+R&7E%i%XW%80R90W0O0R00KCTr zX?Q(kfB-@tQf<8hsQ3%0Kf>?|B8`s+_(LBGp`gKmxdDkr!a%CJX9G6xr>mIy>(joZ zhbJ=ri6`Xye`i;*26TG7D&9}dtA*t0Y~jbr??96rf%U$(g@OF~#}ibgpR zYf`b zYO!_Up^G}Nsy!3&6whO>rad2H=T!VjQ>;x@cYjMOuWbpgXwr7!MM(+A0+XG?xde*)xqsi&jl1@}2n7XC5_KJ2C4 zM&~=hP>ud|!qL@=p!1E_+7YA8D@a|Zf>j;L&;3R^R2OvR?Q{v>4Wn_Faz6SKUa|U# zOtm~~dc3{IsbKY?;XxZRieB~uLPaTrD#|27C7C*8yb@gIL*u4Tv{F&N8%qQI_nnTZ za>(z`a7x0jVI6cGH}Mrv>~lP1x2US?w^}>uw%nhIGe=X&AS-5{mixovoV=I_`a<_d zL{@dMKTk#9D^HAQc=`A?{S-~`VZRLBI60aRXeHQrTrA*oXG zl>n*k6*5A$vAh;hs0@Ff#NjX%#vZVLjb8vgT9dL68qqsGKsq*XnR{u@tx&J>nia~U zX4Lw7V&=9h#;l<_xRECY9pU(>&+mxO?p%)Ap>XkHliyg0=tPEuTs+XZx^Ub1gU*~0 zzG+4Lq33sn+@t5ViCkVIE)LBr{C+@}luL@JRi!(apm6b{nMLayjhtf zUhMWJ46BQX2gXgUk!OS7% z7pC9KjmNCty<;$&6_|s5i9wj>BTNZ0f%oAYjIRaMfS+*q20ehi5yLU<0#HY9FT*`g ziIyzZX$$Sx8>e-}TG@-@PYkw_t&QlEXQpprl+@o=81L%F^18#miR4Au2fg-}zJ30^ zqd=)6LpAb1hvF{4x-rn0KKRyIw8dEDO>e`e9y0W+B003nFXF9Yt^zk}?g=8*@00rI z!;&CYoR4r2k7*e6u&a&jf5RQkVT0>R2aWKV$OFPdd25SwWcCcdj$}qTH^J!PbTKE% zaRIgNm#_Yu15)c?J$XSW1P{O_81D$HDMWS=X4l*;$vRK%pjF`BMs(lK74Ur)$SGkC zXn0=y;N-=#D9EiUJ=YX?d?M=pqpp6z>Q%S{(f*t+}NynpQP+JonqEm8MC|L+k3IyM8}e zJwKe%zU8H(0ouLr?BXlz_bYr$Z|3#4CAwWl#SK_DbJAg5K)&;I%Y*%1>g?29u2^K- z|M+MdON=n?XGSyF6l?_bsFr*;gp0QToH3VJKi66RwDH#F0eNh-=-2$I7W=L2nDj$l z(I4fVd@QX{j{HKUR1OGpMD=!#KimfoRgd@)3pMxefa}p|a-O_jQU+)b8|shDaS39N zuF7TKo6$@rnkzsuhHSq_1XL6!e32052L%-lslPA_;Flv6O>1|cIl}?W$85eo?FCB0 zu8<$#yESK}(-P`heJYj-&oel~pyQGLUw_SuslRaE)R|KVOouLDBjRV8p-|gPN({5& z=8SOUc_P2#Px?jow0N>4`r(HV&m3l|3iQGL0lB^!#=flZyJ_+cD<~)YDeA5FRe`lC3x+H(79$u64it+~1MR%00K_B?X6!(^oE)(^~ z&nn9rqhzA{&d_4C^K$D|^aMg>ylzPJBfq3oG!Q-b=ha55bf}J$2-9*?1}%OBX4A?Y zxT&v4A~>J)MSdSU>B0`Nw?t#xqT!fU^w(`~RGXuyI}?4ig?>BB)DjiB7@(}t-G5?0 zdZy->py_vf2Qx1q)X?bvimKNsqt`7sGSP1!UVo4}OBeVm8oJPMVdg-FjZ%t7FW(ne zb<`AJo`ZEH+7)D7suf@9Q=K~(0)Gka;N-M!w<7dx022y|w;>b3CU-T!_27 zvQ2DkJ*q8hvbFUZ7h6ADQ)^0tSxd34_2zn93-!*!r(RuLi+zMG_(qd{6HJzEUd!zI zy&I8jLylOM>1j%Xs9U+NuiV3CaJ*FnbJ-H@Q`((P zMQ2#VeBO~|BgLM4S^6WsB1^B(!N<*dx^F0|mT(0+8?g<1G}^ z_ZW}Bl(+gHX`XCVa|C%}{@6Fzk6uKp`Pqc=;m+nLvBnNWCt_+?A28lS+7XH`qtX0c@Nb^(&t)Z^#Uu$r?WS9JD1%$t|ecSgMW{Eu9>! zx?C&|(&6~9DciH_#Ub@%_ZaR_XJbuun)j=O>I3EA3yal&UtDS{!C4G38uX=t!y)mp zQN&S3sUZJYzQFVT_HA3BH#nVLxFbwnr@;7)aDAXcIlxLDvlQ_jMD-W4hsJY!X};*6 z?+ARdUk2X^?=55%&V!t)Gwp*#kG$bU%=?V|$SmnG@ioc6a$f1!#fbbv+4u#&Y!~{X zUH4xV^QG+1-pK0tCz=P`oUe2TA4o4Uz6UEu+Q_@IIh~RI1V4doc$d}U*?q3HnggR> zpLi6JUpdVRttG_-eVAzK^7lW|NK z6tWBVVmv6E&&m7;w~$9INWbV~;!M~2&%-_b|J5)5EBxhh|Npk9{67I#XBR`Ke=eQu?Op!Q^!~re|Bny%|0m!sFDCZ? z*sUdX07(BjKn|P#Pr4$?lH&jL%KniM|4#%I7ZDW$0Law&NAvwd0SGvVLvaOp<$t_v z008J;007jlXx5xnab;DZf42X408syf|9r|T(=!1803rMvEB-@+Aom$}V_QQ9006K6 z003ZC002;;&9|9WV>cH9004xce>!^qFcSdJ+jk%%o zKif=||0O;Ia~scpTNh;v0Kj_^0N_Swn5^&C!qm{@U+91S$^ZEPV1t$&D6#m*{KuR6 zHzxdtBrxItsTQ^_9{=L|rwf7u007QM&Rl?PV{iOV50T_wd5?{VQgSxU|?WmVJGvBhdgWlm=c%~3uJ}5sWInbBzk~R2tie_-z}&FEW>yrv^POlr5!=fI`>Qj zlP)k3jj(k&Fa*?y9yEO*%6{6Q!MKQOo%}JlGD5^|MdDm3*>AV&P0td%*0pJV>Us0X zefpl`Jo~Q8jO!naZw$tej98DN-EJ>sHfKwAupFSGS2~bH=0e|)HTz=J%Nb#Z8qO@( z1KA<7J0?exNp{$hznN)zwU-U-VM^J8Ou?AeIIHQ?_sPpNemR?HJ5nGTc3+1XUm~hz z7;B4)F<>2T|x-Kk%G{qtb#0I`BRGQB; z4+Vv$h_0`HO=vxk?2s$7eFRsq2a!wqd&Iuy5h-ZUXUA~S;*T!QW^IZwy$ZgKttAE2 zkpqtS5rfVJOD%E6C<0cjrb~r;os5)&1tD*kgfy|*u0YHWmizA|*aHdXs{{v6L(rEo z{{W}Q{?VJ9C;IyWjz=Cd1N+RlP3RyN?1BAFLYiYOj>wu)mC4DUSg>+~8^7hQnwOkK z_4&FnQohUKN2WM1V<3Cb_ptJKuO|qjW6lxSf_|l#Z_gRdnr9^_41U~*@#I*WTVXAN zJc}WQJm2U)45tnxcf9jR(cC~QM8e+t^W=(j_IWs%W@>={P#sRVl5(d@*H4OoeGs~#NxW4IiD>W9c?A2^F~ma zq`;TMqKjv%$#vTAIHRM_Prc3%aM~Cf(=2|sL91HR%!={VD;yJ3#$Pv3sqcsOC$o+_ z2RgosfjYsSbieYsKRBn4S+m#v4-d1e{58FK{3HB5Kd9LDWU6b@yea~8Qbn!haSdgE zwydCL7mSaJaJ1yLDV%RKIc@X*6d%Z}u=7HV0ZtSnZiuS#v^oa1{BZ^S;9awKozjj? zR=7D-sBxw^MM05Y=6N)=VOKyrK4TI&lNl;YxhwO_J-jSq=BetI+o=^uy9c)(WbGWfM1DbzD)3A$9H5UrX7 zrr3X$ejvOYEQDZ`RwTBSKxaSwMu2N5F{$HIi3G=ik@=Cx<@8oAHO_WUQwhm`>JKP*ueV@7?9BGNv#COu-y@D5G#$WKwd%f(DjGrZ;7$ zR#pTQL_t*qp=mrjpzY)g)yzC*NhT%KB`Yl{FVC+UEm2J0@hU5+FO@xg;@5U5IWG>! z)AC;FnO;9_eSQ5#LpYwA5-gG7=yBlhTx`GgOP_rq_Nj^g^wGa6{p8v`+x*hLpArzH!N5lW5$#{v z8`&!{@M7SmkSC)ZXAU%aSsZtiPIspZWY~|mbi(hHr`ZqroJL~uNyWc$9tfc{9MIb3 zO4tkHk*0tl(;jHbC!xTVcnb|oqzM_qkJLvlMIuKQN3#FrZ19)x2YV_7{}#l0x|aK{ zs2wqr+@1C{?H=DrZt-3DTr6j6r8c`o*gWZR-EG5Lz3y?-Z?7J)N#tE9VnMY+I@A4O ze7fkX-#!7vZTU9*m%^7RRjO2Pdui5|%V95-4O^``v04_dSY)VOit^T?s~Afvh9&gB z>-350Op(Hvle8aU9xKM2IMp0cIddgix8;tXw4|47)skAxWmT*)+U>iUF^79@4R3D^ zcE9+-*Qb-xm|`|B)n~F+8S`dY7&W>YN3UFTVQ%a}~+q7HLm!R8D*8 z>Us%(vWPpoE@9B9hEJR;Mq6QuWU|ucV4O0h|21(Y%rMdXxAq`uj4>RC7=s#6W2@3J zr4iN{L#|tWs7ub&#eW!+F}Fr&CN%qeZuaExObA~e0i4V8qmHW#NK?Gxtk@R%z_2V0 zQL9mu3dx^H$=~8`pW8N?bmcE8dCO%t%EX&g;gJ__&4_XqMP{_#<+qNhzUkiI%ogYv_rm578sKIvV{LtQ$*dZDlaS~jYMt8n$+N@4nx0Eemk+8AlK$X z5@kR3A|;Vw^q}5*hCW@QT?;J^Qh%FRC^^E;Ghwlw@NTNI`r{w~ooRe5&+~pUO@rv~~g!Niv zL4Y`hk=WBVU>>G0V=cCj!pV>p7DN_FnlO?pxgTna3)jS@E_VwTRn}~4I(nJHiWHHv zm_msJYhMe+^UpF;rt>gJ&rz_Lgy*qx-orj;S-m)C^PTq`B-RFPG1{!9-;ri=lcgZkN^T*mb2G zr0D>g(e+g=sskA;h-h@?fkn{7ooYmRR2i*QFIROraK>p4x1BAXi}`GD)wh^q1w1;c z5hc)gu;(nvv5#9 z1QvL)7avaPCt8p5hFDt4t-KqRm(hmbQ8_Nq>GM?Bj*{-Rs(aZ8PTNjsFC;0a|u z_clGo3n6p3Xvh)GQ$JlZP2bbyoN4e^Epv|nb6)CQTsxwVk-4tT-;3nj8-2to?Y7G4 z#X?eOlAUwtBg7W~UO=J0v(U)BquH;GEEf+{?C(=`dCEXxQ+|T|<@!b(xQ$gQG z9}vEb%lGgn2k+ud5r68lgZydo!u)CC`}k9}CZi~o<%O>`Xn>E{;AE&ApIKI|G?Ued z;9Kt~=mcbM5=2v`sBZqoo3veh*Xvp3NOE!Ioa97WMXZd%@pW=C!PDcfJ`~lza^7WM z3`#k0x2n!O8a=@G_r5<`vGLx>)H#zQ0BCe|_qU;rSBaCmdioC+X80Er1ZCyt3CRta zD5jdm+VdHCmT%XTV`+&-h=b;!UK@-!lD!ZXHCiYpH=#G-bePT0EdcH>-sCr}&{0!T z+h%)uQOl-Yd;U@OOQWScIbm$Yuro1H>%h(^zX}{X4cmy{shWao4yeT8@t`-hvw9gG z2XT~EWRuX+m;s4|#&H(*c8~{JoI69gqf+@w%!aXp!%O^D&4qWPUG z=Sb|P!Xm!gt)qSHpM9B zflZeyrx`h6xxOAA?PWN5k+iwiz}0%aBYxdhX4&#Y5!zF-Sj=W~h!w2Nt&}*&lu}R3 zK+{&+ecc~|Dr`ZbwU^R2Hs#piffLGe@~`>Yhf<)$|8 zXfC~7Mq}X8p`wt}=F)W@njeNBvt}J154Ux9&y>?g>+cu-F3mBs&MrqDNN>#rs(4DF zhG^FwfZl>#jn0D3vJ9xdbZKD-Ko7_PqqlMymthHzo*{ao0+^aUxCiBoLBky0AGISu z-v#jmm0&zq=`~pIOqh@poqo#DF~JjD!#JD2nr=Slx`GMNHN%D3)z5`FRFy0^kPRB3 zdct7A6fPLe39}NT%QpvWj9$nds~fY!h$BuB({xBPE9~wI2 zt~gZY4Qfm3wySn}Y_7LH;e1zX?CG|yQTS~~i0sRN5ZMppRp+)VZ)$ALza`ariGWCkapy z2@(WOn~o-prV8hfrlv=e8^e$NcHcs0Vr0K5vo#cUa5OXkiWhmye>E!s)D_4;IgGNV z86(4&^#9brrh~ug2xxU5|T;@@3>cfa4=uSc-TEbx$LnCFT1Xuu!DMsc0DVl@+r!@f{0bu~i0Qmql0Yd<505^aD zfjEHFfdYZDfSQ5kg06r;fU$r@fHi^5fW3edfy;rrfR}+Ufj>czK`21vLYzS&K?*?H zL8e22K*>S9L32R|L9hLrN;jA{SS(m6SSQ$g*eTd2I2%qYwr z%rz_|ECnndtQM>vY(8uw>=7IUoFJSrTnJn_Tp!#nJPJG)yeE7;{0RaPf-r(3LO;SX z!aX7iq9~#}Vgcd;;t3KU5(W}Gk`|IHQXDb_G7Yi_aujkC@)L?LN+HTBDl#e$>Nx5# z8Wx&VnhjbCS}ocr+Ai7$IwCqPx;c70dMElW1`-AXhAM^)MhHeOMjOUV#vvvoCO#$& zrU0fYrZuJ?W(H;*W*_Dn<~0@pmJpUImJL=2RtDBGHaIppwgk2vb{uvm_6rUe4jv8@ zjs%V#juTDMRX&Gq;=|9qK(pxe(GJG;&GFP%>vVO9AazJu!aw~EV@>ud> z@-Fg8@(T(m3Qh_M3QLLsifu|VN;^tF$_2`A|7%kr`PUTwH6xV(l}wcZl{-~5RUuUe z)i~7-)iX6PH6k@BH7~USwK=sPbsTjmbr1C>^%V^~jR1`fO*l;(%^1xuEiJ7mtrD#% ztru-MZ5!<9<8^DXli3mi)v%L&Uns~~G4>jvvD8#0?ITPE8-wpVrxb|!Wqb_I4{ z_Bi$m_Fnc~_FMK}4q^`Z4hN2Ajyq1NPJPY*&T7ss&Lb`uE}9BXH#g^B$99ueY;*yp>n1rEWm7k zUy%qB03>m=faE}hgt*R02(L@F0obp}*a5A-XQpa0p~t&#e|ukhU%Np@ zFB%mWCxPhcgL^OE^%#*9X$~67u(q07{obEus_YD5D}FRz*>OJ%o#P7!XCt z4%6Gl(v48UjS3Hqq7_}BZKC4YP{|KGOk^V1(F#F8{G+Bc5FGdhI7rz6DpdmCDH!HT zF0ga77l9BeexM=N9W)#i))@Mrzgvxuw?q)4AXd|U;rl7*XEoQ#mDSXu(afAxR4gb) zT`#uF-D`7sJKQfXuD0rhKixEK8#h|U?e;D9$C}KW?3S5$X<3J}ZRF${G-(w}D3pm} zkkGM_aWM@c;FrTM23@pZ(FZ~;_V}yGSVS>%f?~0VYg;d6y$T19>bUE|zNq`O)qYlP z5T3-k6@#DM!gF+r17Gjd8MtEZaKFwN%rclU7N(A@bSVSKtCryN$jFDjfpkstQrJygEjrkH0@BHi}~ znLWd2W5S?kZ?BrJgzsgyv}A~D@#&Cz@m2Yteh5M^P=XQgXIBYGp#&&rNLWuWvImXf z2;aC78DmJ(hB34q^;4u!^PvEagi$9T(z&e%+_>358LlpCz*l>xisKZ$ z(&dn`ir`l|!xa||c@8ObU`IIPZw5HJv$u;qK`551g!*_2_oP*1V-YbWOOPz%ScXTz zL_siJuwEqsO^VD;l?QWPiqQ{HO^~3(?(r9_rGekj?*z6`pPf%6?v^zIL5hVaAp4{= zP)(T|BV$Q{hsj3CGGYW71?RnTc5Qq{m{~DySzbx(;?=l;i|&(bVjA4-Vj-KdP}>yy zsZmKKL?Ox#q?cr2aj#{9K}|gZDPMO2JpQ&{K4yb8Zvd&pN3oo-658aLr076T_c*Pn&B2H>Kspfkt@C73_6!dW63UPJI!Mj@v ziZ-oS!~o_K(|8p|rkH@D1jc=tYSJ9F%XA9q)b{?ca$6gcI`=Qr$DH4KP25>^aTtxl z@yPM?tzIG6a_h9-5uGTj6ZOZ7#uE%x1AhrAqO4WG&9wYQB4>y=#H`T>1Y}YSP1Pa5 zj(_tI+yamI=7o^UjPc3ti_7C zcs2<0m8udgrPlph#$m)l@Z0tV%pX*(8^K2zys_CT0pB%EwUpu zQz8c`f$d)w5mL58Iq}{-Lkx~C8B}dzjU`*dSN#RZ-eMGg3;+7vH3oHFrrMP z(MuPV*%Z(Z3~erJnUiR-{6NhTZ>(%v2#K^U_jXLWmqu`BYa_?p&y_bA!f$|P_aZ=n z!-A)SoG?xOOc}8Vqy;0c0ldV$XBWgC!fH@21J6g%<1g!Dy;O|-_Hd-mzU|?;x~cq@ zd3Zo=AJ;|K;}uiu2+QwQd8Kz8#T{{ym7_>@&0@7g10yQB)wT?x!go0XQuKV31J>{w{ZI)|2*yHOn z?Z;@EcS$$z?*j9enrWYX+&dvuVI7DM0t@{MQGo>NFAyaIMxPi3g|7kxWIu-pHqZ|^ z+(j8&aVSLJG{X@Wl_9R48FktCvlLVG6N^XWf;EXDeT_XS<_eqTbZ#5cp?SR1GUjaxr70O0L5yV zSS@S7LVJOeXg?m2I#o99IKU^<*S;pZbQ6-d@noH&?4q!YH}8n;2I^?L+7ASr-;VPoVg zJqSh-K&j;$KyJAM+5wIQ@^3vp7bEGA($~>|#|$x%q7(=PmCYlFurg*^1n0sZ3j?X3 z)Jy=sx(YRly{*(qE?forrb7_`8vVMwU~pd8H`Xfml8svmhS;T3p4Lq**qH^ZJLn?0 zn&B?Ot+`uX>8dW!uOo)Y*$z(kMK1*K4;pY8gqnB z@k34U-_Ky6wh{Nua>B53R1NWIRf|m`mLpOu8gP%0k-e}uOkdpUre%!pGLGgVHTQ8~ zPGQ$PbhMIU%N{YI?NLGKkOTsEje0FL08#eoDuzvRX$}r|B)#YoNxj|Jp8E|WwDE&r z<~RyM)%nuQB%aLnEhr4daOqOOw}_e?gK zLfyz7xOKpF_O)$e592`4pE14C1^BSAu@ z#E7s^uz}Wv0i}7@iewkehkDL9XkZ)Lu%sL7N+75iH>(vYQzMh=V@}uhPFD(+S^`iv zP~}^hK7$^ma88&tk|r&S8T9!6LC0_znN41_!s+r#e)~i&9nx>LAG}bOH&_OqJ>^$y z*>f?RKM$4f4Xce-$Kwp-?#cV*yKy-P@pupR!MRgjU&xa~%l`1Bgd6n%{EI#;X(4T5 z#`iZ>vZcX)ucfS+8P|q$R6RiMkSbGT)rM_zijCL67Kz8L)H3~ajy7O@XMIFUA_JI2 zRYd@2fyN@5vsg4~I@?N;bS}jyTilTP0=thd-Wb4*+q^|ep@BzJG?&^E$*NM#%(?QV zdc)K-Q#*4p8N$M9Jae=&%v-$x6hop02qNgcR|G3lD&hg7Of^Uif*43pYI^b>4 zEH)O8-UdzrNDtJ(W+;Xc6ac#~=sKmJEW=e&3)}IA@ojXeR=NqY#HQBSW~_x6 zIJF&ky>19^tKp^_A{a+s`>pSU@endz#<#&;QdQRkF`0AUa1U86?fQen{(iC6(OvA@ zTKp%xk0JQgj~y(WSIo1-d9?6Vui9)i1u3^5aq@!AHF0f3npzrIE9b;+FV13SeI|!z z!PJ&SR~9KAq+}XGGkNut6L^}edR?llT8XR};XPBw9~x*KJ#alXquP^rHM5O*&IX#SN(3f>UMkwo1Fu$rjJ$4=6KDg?Na?ZvUKTG`nSSPkMBi5 z4#$z>)`cTZgEIa5j)s3VNr*Rr$ANU#5c`n_gboZ!#DFAAMM5&j(5uk{A(vqv-b6dH z!}DP9lc81{n}9KDUsJvVrwJJyd~Bj+!j#;bTmM&Wd=$LCQ32fTb&F-i8w1|>>XcWz z(cv=EYP7+GO(zwY3XFqp;u9GLG#n2x3JjxWNh2#`(vo^;1a88 zM3Cg3VG5BuJ)T=oBznr6yxHuJNxVm83)&@ljVsrx9E!amZ>!wM4CU?VhsJ=pS9cV;K>Vd)X#XYbU_?KsSB%#?N0Arox;{5{nyM0t`oJS62^703z z>Uo~RLUX_jQ$B3nyNR8Zo-hqbD_Z7a9T!t$g9MU*{RD{$ z5!xKW=$Y>p?ScJ#5n%57VG?}{&evzsWH`Ld_OkP4L3k}X{kPdG*lM7(D16+eU(=gDYUbbtC$vw4m+N~~U@#0!fBrQ5Wi}en2C@H-?h0ad7jaF@tpCrhs>~m`yJD@qW z7CmL4g0u%l2mw_LCMkt2noHEK`W`;wv=Ch^dL7W3P(OksV9xlXWr(mMV7RHTxzzsl3A&ahEKf=Og{s8o}wG#{D5(2;||1fQ2ixdLrHMEdtpT5+D;P6wIw zMo`eRZyerc)b+Jm>^kS=fw}+Y`y7C_W(D(t$g}52O?^RLzjfFXgA(Fd}crol6$)AssKjJuI#I4FQ-g+|TEqm@B+uPh- zcKm&75Z3-k24@g3YEmU0$HL}N%!(K{#~_HsKg?bGa&{kCw@;>D{ekl4 zGhLnu-HPViFJr``YuHJ>g8R_xOQ)L>zCAGO(d}`KikXd}@#u>d9^HEQf8*zX(9Eow zZ-H-dI$-V^ax%ii@MMVV_PrWl3*uqpNfT0XyXZoz9aw{W@xGA_%sH=n{>jV43ia$| zSWDJuK0tiCLIYBrF{k%+26K`u_71zhC}9nzjSRO%HJAh6exYP^%+RhF+Gnpbpd}KB zARN48Noe*(R#&+Pba%UgU-yGaXh2te2-Jn&%ZP`N-2rlQhsHYya!I+8Py3<*E=F<% zG~=JlV%H@aK|m^G^Xpv0Y#JPm##ShABEs1;hF=F@52#hm?&peYjguUNn(@R*hW+J6 zj%*f7cRTx6mqdBJlfDb(JieGdSz~tLP9Di(80j1`+8A@@Gj68{~tJSC(nIr4Y z@VU);-?Gm7ZvAO*P~H7Q`4O)5_kHT*X?4X)axSSJG1rzaUHk}2w-#08jB*qKa!L0v zq437%gf)>!HY8Dm3H*N|F&s2u-u{HVyB62XW`Mi^re)kggp!&d?ox$RnQ&)h!SB-~ zIVuaXh~+<~8*?VL8B+UzD^)HFUJ&4h#6nHDV#ES?M4xZ%+p&@vau2QSxf_w?Wy&F~ zzMEVDDFi55lMtdia^PTqY}Sl!9dKFWv(?<-UkL|a^6j?TBez=phIvB+{8)PO(@xo4hU(rpt(NIxSFid6Gt*W$=oEfp7$SQ@| zK61Z!9ZM6*oqr8l)3{vq7!?q^8K6;AKEj%jLOBT5BuS?MrQh>+ zmN3dQo9p@p0z{`b*Syg22I}hhL!W&Ti8S~-@(X;Xy#hB}``mTl<9P{v9h~{$c;4Lc z<3n`Yv^kgzJ13jz(R#lnj!Cyoikq4{*1B``gnQ@eK8&Ay$E!xdyYgxEp05SpH19Y6 zy1qM6+j*bFynR_8D0`;)4eiqZxLm^L-TY#uzcSvpyDRS?=lP>ZEWQujQs1ho{Wz+W z$O6rc$UKCcy!n&MTS$X&NqP>DA%#LEQ7(Bghw^BB-=9Puc$dQMmoXEuk?6#6xmH{) zG=Lxm2h;P=_&pC59-xoLA9CEG8OQVJe;BO?RXU&aG#Q+yV7`g}TY>1d z+vlZAj@Fj~kDKcy_lwHP%lY}I@SzXcWei+-aV9;SVdy7jtNkX%rBc%D%_e1N3N2C; z(BQeT`s1xLQzj+Zv?Zv$?oEFPKqfom*eBzm$JtdeQM`I~(p!0fHQ&FWc}5 zd`_;>;3JJ(QAb9V;|*1GX;=9FP`&T9u50V~YrL+Mbv8;PtwWw-piv6c*292(Ys;ws zTR%%PSt(0wC;d5WVoq^)p^Yhz_wNhSNm+DgLd)O6lSf2=d*9enq#h!baDMl-3 z%Z2j|wj51!vRJ&mY0`oh!LOzApN;t_YNn?qKX~4IjLxm(zn*8KM4Ww}i`>2vaG^Z; zVH$KzVy445qj;pwC`MH?C*~jh0peKrQO+$Jkt(KL<#tS&9V*PJ-ZvN23yy4G|npkuD8rrb^f{*(I0?9S|t)5CuZ^P(?kBAS!h_(lPYAt*|jbtGqK zyr-=4TVYm!N>EkM&MwB=agqI)lb9Ls)y=lC@#>m+)4LuXd=?EbWtE&tQg1py$& z8SQPMdq2U1TU!&M2+kyBf(5?{*azWkD`T$4S?-jNw_}}qox5fFK6rt*7`E53s7K4~@O&m7cB>{dC@s1Nsf<1NCZ4qFAj$DyRmEwBMJ=RW z2=mjp>qguiNzi%8`ZE7-+F>O-0FV1?K~Q*y7g@$EjksHs3ZPwi*n{DdG6wJ&G|7>K zYA#X0c{>Iv01sRxEvlUJ&A-CodbnP0=UY8F%QnoKQ)ME=I2GzwhTjami5+^-J)mWh@MJvR3@B z?s}5J>@fZBmg>%>nZ(Vk9$VpXxh(o1czz3U*G)gc)nd^ccc<_h#W+9E5WeLPaEZsF z!G;T!+gTIq@(Bs|5X8k8cnG28gPeEm8RU(foe1kYSk@=d5BRzNqZ8K6I1PPC>xg*tmFL=3tgBY=g3+lZZV6Jpwe{a7nB46O%A#yxhLt z%&GP0RdcFx-VdsqwV~BCs!)w9*&M#9e>qC{-^7wC1j{Ki@?+Fj9m8-o3U>^3*OE~(m5!MkKEXN?X*$H}jKUB;nt`)%{wPfgh|=P={v zEgh_#u8ZQ5{Li;L7$rv3z3g1<06YMMrWiWCybL?fjN*B4{bw{<)%EK#PV^0V9C8C)(Xic)jA>FAXSxX))dFT1~9#_#C%##s8gZ~J{&*Y+pR zrd~+rrIWlTwzj*7Vo8`{?Z`MN2|C zlA=;uYt+h|7ehjbz2wm`Z~80muT4~G;_B_RTu+i#+WooqDX&v&w=g|-!$pqmrRUR{ zYh4{h$5_e4g3iTlx3O3buq*8F1_iTt}x!klf)fU%Hxr1_=C>GsAKNI1%MjiQ5R4pKs z^>IP?uZ3T?1tR>`0Mzfimt;HViE1dGQLl}830fB^ZV4Z@JkwHFPzj+TpQH}C=cVTp z#gxbcXHyV-;6dG`q*C~ji#bvbk%lY``%RX;m3+3x$$p&fvgP{M!1&>b$}+4Wes$)f zh3%OeX=1&QBgQB6m&D$g(ZSB7nm#2e_V z!kZn7cCslw`U1grR<){6*e+h99gJQj-md!{Klh1&(|?TSgT1M{y^hJ6Hm+-U&N6c!3(hO z5k7r>oDr~Vv4?pZz-k6!)^U&%{W3b>Hgkw;?CJ6_*q6UVgeZSa+EKXQl;?Xtu4c<5 ztS|GBo$oCs)D_EO7yk~@fd8P3Zz01S)@RSl6wEmO-Q*)5Jnx%o@6` zs$Ki*qec~Z_fC4-rFN=5pGs@n#>3m%;>L6H%kIeXvxoe(DdboTw2V44IBX=YPU`gd z3jwH zbMyT)uOf%N^0g^W=(_bi8rdpOp@~z4>AC-iEq?akgWr34IkmmT$Z1qkSI6z-SUcEj z)pxKtYqfc`4iR|NZqh=%0-Lg=BsKJ|-P*WzwDRGwl3 zANRHvrroXb6Q<}h3xxcqWtQ&8GPTtj`H!~PR%Dq^KHEaH;-QDZT;ms zkGA5v-tVjJnb&K;+7$j|xHF4wd)t2PceF&-|BAhekKgs;9WxB`v{W|OpX6K4G4X4H zF=PYzn8N_?ONStF@`x`>5bDvk{pSp=<8U10m5h_fJ4#k3=@h0#gGMs7$U#0-oB1%f zRzGNN$(gM~mX6Sn4Eq@2B$=3KDa$s>f~3OLzJgt75Oi1as^HL60UmFoSUYahBkS7IdFQRJq-Iu*jz|Z z$a+1MRoMJhjOXB&DMv6iwp<^C#~si}k=aU8u1PeE87Dbg1R4@pRf&+Wd9f*TE{pT7 zq)7`U=*w#3UMmm373*bp`%l-k>uNLb`jj%{Vs5q_ z1I+IF$TC0D+nW2d-RFFYMYLgG1oR9SxAz4^vc)$6(Q^O~J<8mb8?($(QXM9Pc6({i z-H-cNa|oL~En#%jg+1j(JD|Wd&5?+1c8*cK6e3MPl)}OhwFPpBs*=gsN-@yOco!Ep zFh}FG4O?ghFXk%PyIQz^T*|DCgT|y`VlQG$l$Sc$s`d1mIr@|3=ha3OdrnS`s?Dd# zPFH+OwO6%r8oIen4_A$ySz7bqNcGKv>9mK3>CS8}bJJ(l76BQ+FVnlnd{eRQ=QIsn zuH^IhwrnFA+H8Nc9nYNZ3K{dPY>t=RNovn=J1~`a!dHdH*swBgT0qHy2o*Bwxny<6 zV_C>F3XO18XZU=Cm@T0r*LRO#=JF{LC$H2j9cv<9$`zbs{KUJW6jI60y5nJ9c^gyZ zONiIXWGk0CN-RwyoM(}PskwYm)6_Hf@BG(u4ZQTM4CdP4b8WTqY${TBH}1(Fn$uG= zsd2+zPS%`PTPwZ2iSOHK=|u~@s-zQNL%rrky*AlWQ*5V#{-zM&npJg{O!YvGu^)cb-3&q&-s4&F+{L$W-zi)T|V)ZAP7uaEBO ziJBLG)QnSyR&!6aXz*vA)$hquf}Jle+TEl(2CrFmKVkOfF8EkutG}$V7G-6ZS-hAs z{ZwNc3I!^$KD#*f$KQ|T<7=m>&gV-RXg#g&JCKFRcspIbnW1v zNR-J1{-rulF=|rM_+#((d&v%*T_wm3l9|Xj(vq7}?w63dm_w;=zh^Nn{_-qE%kt+^ zbk5#OJ+i5sjBJ@;)NZj^R05!X31tZ!?w34Em<9T5%6}43`0Oy;z5LFJLqFCc(#wkC z+{}Nk3P#P~`E0EdTN)Op$|Z5f*vXWQ4*nP>n>!M-ce4-tCfV|CkZpd- z-7qy0G+B-J8094MX5lTi!JjyVF(R z;N=&G;fTCU_mMl$4Fy7#TG5tjnRm7o!_lLVa?ED00HC2F~psZwBTJO(*=5YfaQ_;4}pQEgnv4eO+$A-qu^3 znB5gCGEEkVDX=HoA@Z)1*HpV#vp2O;$1dNvScC81;dTYZ3Lv}CHjV?@`{QJd4A zw~YKLe-D@=a}esvqL)tZU3XM>Pgtr2%;ChxfrVIWfWo6JM^j6yZUJO0nXH}JQ`b*Y zkQ3RXi;|gPnX6p8Xjlck3TSRbyE5>nId=y@b{4S9AR$dWyWeXH`bM)&)|}|PjDP_s zU;G=X*c~hMXR(gWxfokC-q`Zta%t{Km81zWI5J@xL)S&4$(w4&57vclPncaN{?UTj zM{8rq3&Q0wqs2j?=(r;DfIxb2mF1vx?af2zmax|cs*6Lc=#%o*DD(|bSO|6F; z9uyq+odINJNg}P)-7~Hw_5oFXa0AeVsP2N6v*m4Vll~zDl;jeLm$h~AgjUXWoa-0& z!E%Gey&bPs0)bxl+f6qqW7!Wa6U=7EjV#6mnRSJCimOBmJLa7~>WHpyE$w8I zmKN^gwD^G_&vh`r-!FtbI=qiZmi6h!&NJi=rJUK6OdCgh9~`>#I#xh6G3(?80_mDV zpcypB`gF)UiqyE3$1#`!fm8Du8zzA~Dap67#c6HcjH}r&X(vb!Jz0FUCO~ z^YmU=H{8v7V_NJ+XVdLc1o`1e&TKTFVwNRL*r6(B0?A2-C<2(RWMWSYN(sOt6$etF z^KnH1jB-@o$C@c|sp6CtDyzEZ#H$`qI$R6e{;H7r*O*Xo5dSIf@+Q7Uf0iOQuTOx8s-fi zhM@OA17kXbh2(c2#>4sdfZFjG54%%(@pismo*;oYxUPdAOZD}*%Gh)JuPzv_oiuy1 zr%X$Slyl5pE;tK~OEJ5>X09SSaj>*>UeuD7cZ!YI)2X#vV7K&>I%(XOGK-$Jat~=S zJ0Az6<6I(CHKY_$OvVvM{p*OZZySK-dcDhl+f?m!!nec5z zBcMw;5B5)slpG{gh_+GpZ{8-zXYp?zv1dy4KXnsNRalj|;&ydB?~OR^yp?sr@w+4a zk(Z%V)MMo%4Qm$heAe_)5Ch=f)bFU5W2a3@cs(t93BexG>5X*W8`Fa>d;5P;fKd@$ zAMXl{>MkkU;l>4xr3&?NljIFBuV1Hs>$!^B(ocYt+TkF*fs{CjhUw+Aew>E2i~qu} z%=jQKyX&*dRftmQtl|bObc#QN->BJZ)1eY?r~8(ORETBzn1RjZT)F?g?P^Cq5%=yn zo&Us_%Dz@^Sa$vxq%H7QiW<#XXs}=DR~Ev5_7udj9 z#T1%K3d_Z5?^dpQX;n5F43>0$K84@f<~MT*JKfcGlIP?U=Q)P0T*RP-JEq@smmU}| z{DJlJzP$;y|zJ&|TS_^zNjXl4;!uU~=%aVhC z*=;Z!d7RYG;k|55shxqL#pQWh`j-WJ*U*Ek(p~k_pPH{zYn$-6O>|U!?C^ajdS9~B z7k}P*Z%+;6D-zK2{#?HBh|zv;wp{De>wdIeZ}w_wWhwLe>A2e603SwGIHyy;ve|aD z&ep}-_+Bwr@v+-(yq||z%FE@!{YsdlO4u#@@Ds5|VxN%d=dxX!CJl0~>n= z$jYJFUQIvi%cGp&FSBsAw{1M{S2ZRVk?g!PU;o;QgKipEW#O;1|B{OkvQ3^sSD~g%;zDRdz z;is>EESg^T@1TiF{3M61bZVOBYQNi~uRJ2+9^F!GhyDa(sDJy66o+C;n$&jH{=NKJ zD(tP%@N#x``$Yx*u)(?2&wKiHJ^IzaU3W=Y@O2@Pog5dHV%}Mwzm-{Kvt@JJ?daDn zdXlmnlTj*q>Lb%CR2jYcws5nGo)Fm-4&S7!Bx04q!(I0t8#R9_mj5Hr1vbyoi;CkM zvC4&HZU*vfCC)$(ydj(oob1|%K|6qUc&o{(>lnz~w^vIiG9ib5c81V_j+1|Ug- z1%rXD1WPHYCa=FtffM)4f{1}8MU9E+Rm1kLv=*eD7clQ70WL&IBE~2(aaz)VfHU|b zp^zHzDk=s6sYJ=aBtkH*-G@b1uzz4tx}zE|v(5!AS7$O!E>}^&8o>7gfIL1+ zx$f*}?5&L#^MIP9kuVRP>`_XzJBRn6f20h_BkU|JUqDRsKpB+|Q6h_$j9)-9r7P$W zr%^^U#A>7s!;>zu!+X0T9||3b)6J{dfg$1A~mTS z@sHAO7w`6)86PzN77kedx2r*V-9f|ycb(;K&NoLN`6EHPbBrhsqBKJhy4H!)@<{<} zmSyQQIC>V0AHHtGtf1PyQ?nt~UCA`KzcvgajX5sc#&`Ox>A;+YXyG4RpJU&){mgrq zHCv0WE9|#cpVreZS;gp_(P*nC^xMBNdeK;YeJ^V00o+%27?HKk?|3M#4rDpdB;+gq6`nOaV-%cf)9rm|bnSlbsi>w7h3Sq~kb z_dC6W^uiNJZ+U{b68w65eC_zPo$bbhJzc+^?0P@utINWGM&pTT8Mu$FjQ2J6K=)Zj zYIo6w2hZ1=jva4o>dm@5jk-Ev+Dw==>=LrWULNm=4$y$UNdg_Np%T=v13)j4v~KLj z&(}lPh=^ENi3o`J=*U(Ou&tQPyg44cg(xcQdO$Y79a$@1ISi zzgyi!E^%+rF>BW9^NGni%Ynhc6R{rQZ(|Yt@yoba>_$^0^+FSvsLQ`&%_lFwapyCC z!cMOxwNM&Kd$!$a{YtODozU>)g>Sm8bH7hkuJh>i9-ebA)XhMbt*BOR_&eO~=L=>8 zo726GzA|_5Gd-?eSr2Dvbh@6V&82d^=)ETlFv;uThs#MhuWcaI8(ytDCY4O2zqD^! zM9yKgZ>VnkO(vpw9zpsQK4%vBz)OtO`SceI@T>v0!)wAna#FR>l)k^|ekBq4K=t;J z0?>m3&}n8w;G|1~qP{!8&RjPX>{kIOKOWp*6EeX#(sOEJu|@BT-ahL#M(?uCXL;S; zGNg5uJ38SxD(U558i9YM=8)iT5n2(a7*b+KDS0K(LE#yOe<|-59eKso(Sp6MNde z4s2AMZ!`?m6S|L2JN;G(+rf+NcW7%*!kGIbyI&yz8=3;1c+4qk=EGa0Ss2Io??Si6 zIlcDYUB+2IoyT1&2b(>Nh#)9&TR7{y1VelKYc!r!3g7yodlJ5%g2Tgab9;UO6~5v6 zd7p(WzskXSU)@wxlH2L@vKXx=hnC;-+aP(5KOR3A^u&4}c-c(*dL1}!lsuFlYA zldxEa*u#qCI{u4c$NdGPcG$o@@B z#$;|6!!)H0YwhIQs%zGDwOJyyKNdj!CLCJhSCU`Ht*v*Vwl{H~?(@%j>F#-K9WYcN-Rxjbc1$>wou_Zy#!bOB_O8`~{jrq4 zX0LI#YBaxYqc`?xx*YB9U#Wn=t#P}b5PAx|cDmn%+xXSBI_mLw*Ky0Ys65RLrxVbj zx4PGq^C<^}=2``os13OaZl*za_^;mP6M78u51p&`AWa= z4dnV3;gh=31B@V3f3#JY94FAMX#0)OP3ob-Ptn{&H9 zmHWFd)>587T^CVDnn}kuv39_-dSX-dS(E_U8xu}GKJ7MpecmGJA`82^b3|r)EDYrE zEKh8*yzE}1O#1lSJ`|-@4%=JbcUGpF&f-$~MH9DId>JoF;p4y|DyCe9W`N?3xFU#8 z95%}LzZI=oI{O+GZ#%Zj+lW9oUSq#TvLdSM*{9tHyiQ?7jka%WIHSZmpRP?B$IH_4 z@_ezWKSza#cr(H~j8(b^!0p1%w}yJ~|2tr}dHW|4vBj;aAG!nUtzt zfKr1;58Ls}y3Nt3EdZrLM6`m^#5U9B))Zzxo7T&9sYc6py>1^U)i3gc&)RkR9K&0& z_K>(8ROE7Te)gj&GmkdmvqKZO1MluD=SxGymSZnT4ITjINcm6|BfFNrUjJa>)!6T8 z&oQ0fu$T0<8EsQ5TdULRYwXyqH(A$Cd3Y`-Wu?gDYqoo+PI@Y5EFE4xvcuDH@X+qRL46}axw=JXTE^C|b41Q|-avR{Oe{FWm<`1SPj zDLObzzWwY&ml;gz$68)kI?N&K?qRBXa20)^Q$k*2=3lAY*n3^%x2ZE{3zOxRtCtwqh z@c=gRBCp-WCJ*ccMqA?;zRF(+ScN$r4OjR>_SO_s3WvH6b#!R^@$A8BVr-Y5-c2bu z)f2`oCVntOvILaoJi5ks#S*ZN^>vg7P_lKpT#ANj^!M}0bGh@g>*DGu+Y@x*%-TE@H~7bUeRx8H=fcAO`N`dto) zT$KNYuQvV3^BIoh*)w$9V%t~GI~d1b@Dy%qPkC@W;WTaUpjWN`U39yCX3B0=hK=`M z7H&L>N;s@=Sl6H3VW;%a+NgyxRCLhz__0H$wjGjnq7~-YWN{U(22)X7f)0Bao;L^UhbtXkhd8U+qpUa)zldF4h^hQ#i zG-Ab+rD~<&`;L+;zsT%9%iK*iW$?n{)x@j}I-S`D>G~5h zenT3bWV!RZoG+IsGuK33KpHKk|B#oz(f4siTSBGKuA*gRRd((&4Q5-L$?|rN@UFxD zY<}KzP&^)!(TL^s;;&*MTnY>o=btq2Umiw(zy186cjytgf=jNyKWO4JgW`ctIEhfE zz=uZ7G^3AuNC}Sux$#hOj_NrgLG7tC8qE`^C@|xUp3>;CO*EluISG{t$moen2(^2h zqMn17XH1i6{Xk(N;^LbH)oeK{sp%3)t7zpkYH>GBNu6{#9Q#KH9GT50Xd^9+HuZAe zjR)(Hhk4rH7bw$#DAERPYhIDIXZNz$E9&5(p!mEU7c+L>lvQg^4#L|xhPv-{j>LDx zrT$)G{#UTbRdAm-EGCWc+RWCg(u*S#mXW2U zQ%Jw4nw)tuUOQBW@W<9$jc(uD&&8M2WZ#MOXMgxTfS!=blo*t}BlLn=$y|alWt~%s zw!ONT#gs}&lugD+hkY_6Yb9M9AR)b)4R_8e)k(u{#b)G{uGKw(V~# zfpcgRm_f*rWC^7{Re8>zJGjvu_-(r4ei1-x=yz!BkQO6cNlwSxr32I{`UyD%f+Ruu z1?05>1giOD1|gSP3^!8vnWIn2uWamjZe>^Lm1pHL_2PF279FQt!(7|b-8*p+o8OLZ zCNbM2R1S8xeKY!sZUqU4wBh?n2t_KsBfW^HYhahGr_xFcSS-&X&>lQ=7TN%R2s2|2 zFE0|KCWxFe%{GzPEGLhf80+G2kFni_;-XMvK^g*l6c1* zN2xJJ-B$m8As!fIC%3{6Ff0WwiTABN;lw=I02&pZbrIEd4tI$SCO7{D1s4PNz8sFO zX>H@(yxl&0yH@fYWW#d50gNsoPp}|DR;(d(!vS9_mIca!jeS`RTz-w zLRJ`dDMfPcgz(rQ9^HssHeH#22ii@@PSc5mBj|FsKHp{wS7f-50S{-ut$SO!Kh;pb zBTH{!`Qc2rR}VlI@v%KPl0+CoV@!}WULZw~o9jn`RYHa*w&ser?)?SR*JuXSsesKn zmHsqnNx>PCW2||8r^+w}yKgeH?H@h?Yd&xR?FgQRWTABN00a~XHTD(e9gy#z z6frgZNT@(oL%r=%R`iLYYTINcbaI-HQC=Fc!=;O6QEK6bT$3A^9UEg{jbh1GM#{nG z%F0W(lEt6G&9u%sk=A`9!kuUGOX~4+bZiIp*NY&%ir(p_pZFEFt?m{OtMmaE2cBKi zxxN0~1913j21Z;+FBYW074x z_wD%@-viBCc(R~Sw}*P_9yYfP zBS&E8=co2_WM;3#!{Q3YZm9hJKDw#j8tYGyytRO9A!1|8*vJ96*~_*|7Q#XoZZPRw zc$yZ@z?szyi}Kr{2G<_4X|&PVjk+sGb+$ER#Dg^%+C`B0EUF3`PQGZ%vLq%I(NSPa z;GymZ)hGEa2D$!u!gh2jI{Sc`so5N+apJ5!bW87@8H&ysz1icKkK!+2as#`&k+Urh zTta6{Fic2+IPgqgxt9v^rlZ(Qhz$CE=A9KVc&TahV7evo1n@1e+0Y%2g9|g^>Da!>Y18!S8k`zOsiMg;I z$5ABmE~PU|_xl1=v*xsAvDwI4>>gw~6re_H$AngUoBS-1%W--)SaH2oM#SU()LwN> za)Q8L$Ot|}w?2mJ7*MxeWFAPrJlaRTM~vi2k?<6QC`gFHiWqFcBGsQtbl#4wGv}Xw zs^J7Oqd#qW*+!7;biC?K|HFHIFe5mhM$daDx@sB1 zd9%Mf#l65KI90&m{hLlIL+=eQR+SKxYJ;7~c!U0Bz*})?T%XPBcItjYrgw*?M^e66PlpZ>kLo?^XvfjSxXb@bdm*2xX`*SF? zeY%wkyYCuww57b8>mNB0ANckXvg;V99;Y$h9uFj0(Do^Xl&Iyz2D0-YSS;%5c{M)# zZx`HF!>-~egIVT2Nulqo`FmADsE%av9Uxt7`cBA)FtQHOC5Y29zPA1zg(S=f`EoPU z{Ckxcq!kl`n3>8CnhP1j>s`^v$iHuOL9L=Xhewg8ORgbD#N`w6$L?!8?fBzwVd^h> zuTSrDbUXEooNmAU0vjj&cES&s|M)c;Zh!uY`|a5LBzKzaxY&p1<%zGPy}LhQu9mv! zY)9Li4#PfUF5^bo{hGUm*IRD)pZW{Cgj<*AJrGDHo}`5T`7Pzj>=klGJ1skD6PCa3 zEf7CCuO+bVVj(Xg7&d|WTZDOxi!Z-vpnz+q1bM@^Fx~IZdeMu>*RY?4iRk#i^TF-x zJE90?fT~s@l^_%g+Vc*mtaNaw+@OS0t^EOmBLV&ceVFwA?H){WS$Q~4g-x7SqUuRhLQ?C zWJe~c>kKrD`q>W_N7f5nnfb#xi&?R3mE6P@OO`~iugmXlH-Qfi*c$^p)GU&RC}XkA zD(;2g+t%!mf0jIiZxdc*VQQ)kiJrS|HW4yRlO@|h<#R%j^uPrd!0e4rfE z!bmx$Oco>)r8N4}+%4DlTWN<%jw2VhC8}{`?J-W^Vi&REzz@`;A{7ykG6rQ4BOMsF zy*q~3nJT0sXRwQIq} zksBW5zt?P1oA9O^Vu1cJ6V>yB9V3ZUHfoFmmDt6`d`?(VAXZ%}Wx5M41yr+`MhqB8 zuwnxhV#!Gl>fiWIGvm6W?!s8@d;nr4IfVvvFq0`PD&s)}7ND`ACnDS4e{OhC`Yxmm zd`bF+`~hgN?iZ&1fExv)q)3Tc03*1f5T)o+`X8li%bRq-07N)vUpORa@SgB;7K3z@ zr6=SII!QW^r%mlhXO1yJ-q0lHzSK*y7n5!}5V2)en{`hx&k}Ibi`)ghHlT}_p~dHx zsu**asTwc*4O0QuxY0qJtAfthFGZpU-46dqltFgb@+1ymj_7-r31SX=;IZT*_{0j~ zj&xz$^9nt3v0%ALlE;Y>4mgDjU*PO?76tH!2>fja`MnWP%8ByzfogqYccELdYSzOQ zQ+OFG=WZ1~Ym2J6O?&v534Olav%v=7s0=LDeE$phr#(yNYfLTt$baGA4D@pE9;7bT z9;s4^{(`CizTNOZ_t6vH^`_R-gS=%OcS%Fs`7i*KdZr-|BtHqxbYh%Ka>nKUc_cCT z!_rOEhRh%t069zKq$JX_k`;O1$uf(XlZ%HO?C7=m#Fl}{XvtWPh8#Ddc!JVw@W*pC zCyRh(SH$wCI>wcXE1rv+n}RS3BJlxrXn}bMfGw>p;TdvT-=eE!ASal>SY?s1CwcTN zobK=68Nt8lidb7YlSN%2`6E(d3aKn<`3jPdP>qhW(l+qG&N6Kn_!8(oQXp}ERP4V--+IzY{WYM8+&g82vr;XkGE2zNEEU(k)5&c zOUAzMWM|9_CbKXzcG5;ESu49jB_%CHDoQA6L8aYZQe;V%D1P@2Y7A5F_Itno|L^JJ?A{nbDr}#%X9C2rcIiqJw4@^kEw~A(CM#UD?aiO5;t+QG#hZ?nTS16x~}bkY3Nz$j_`2pmn?kUL?rmKP|D`VW7^CIQ2+-cS!}|>Ij(IN&|vY{^BONZuD3D7=iv049oHhDQ=;28AE??I?-NuC8F^cH;CLPJ z3ntL)surSVGI30(rBrLrhf6D$uC)1h z*y3F>A^6@U-tGywH@%E~rJ)^BpJ8hE!a4iD$Yx@-ly0>({>F*H?U>UpV*X zYAJE8;(>tk#w*XadRpwi{^r>Lykx8B z!=mi6!HKgQ2vP-~>=nti-2xfg&)2(mxY)Nw?tK2r@xpnhh=5RiBlqqorsD0}++D^| zA#LSZ&o4Mugz6`e0*`+_XkI+=D11l#3#N0gVA)Ap*vrd()DCFgR9$f;@HFGn#}KD) zdF@8$i^xf7>K@KwOl#L{jlbNqb%%V;mv6^PRN_Ac9&S0abRfJ@{7TWi2hpyQ?yM>M z4(%OUH)N%b+B9k7>fCLY;Tv1S7FJi>>0v5&$%yCbVK267Q6K1P`4t8S;gC41VE%Q7 z2vTU@+($e3^9=HDO>j9%p?j7e>?7WJU9lTo&H6y{dD@W@L6vh-7O)V~`&^C`2F;w8 z@{!|7uoiLsvdvE)mF~R|qMNw^=Qen+^kaNVtZLa=Z0(6pY{O;D&CYD+_vxQo+U77N zUyv=dvw+VB#Sj$r#r=rbLz6e2=tSozqh21a)ou<%RFX`#e30Rqv2zOf0qQw*KF{|y zu9jvx&+^Rr(E8dZdBPQ=x8j2G+p#XJnVI`Ht4sgWy`Wh96VivTmyUFQM`Yo&NTJNe@V;XW zr1lmA(+|lX4+~u$JAe0rE8_FV{)w)gv)q!r&U!*@U))O*;>+(*RNMLIrpt4#)R_?8;InNtcyOPa;bN_ zRA^Z9*`SR@nHrVkJMT`JNIgu|aQhanf0tP(Z|rS?7VoYcedNb z&JVe{uZ}Vu$25O@`}8si$@J)$nMU(L|G@MXrLq#6{Ks!vN!Q+RJGp9Jyy4w&YH$5H z%%_yPsiniQ`$nQ2@2rqJIe2Ivbj{U5!R&r3O!jBo#M_X4xk-6R>)F~XSCMkz>8HNb zkn-*!EE>Hg)!QvIj((CW@KYOpJd$hF$=&%}m6!Q?!AHMfQ$g479bxAqQr& za7Mn{GF0|mqmq5>&CC6EN?~hT2R}SMdtv+Y=0}^FyhCtJbrpcNrIu~>fZEjZBt$F; zX3=yqd91)&YuLi+=p-sSB>v<%s&p&S`sO|fFOFgPX^{$+*6N7B(9Jzj9_=AHyWKxSgu9XAZdWptOS9*S9V zj1*M8v|n_}2oj_m)qBDZasB{y(|2@o_Og!e-8@_|{wD<=^K53iR8Zw}B_!-ZDdQ%d zWPiK`CP5Fe_vxynr;WLcWjzU`)J@0UtQ})sa)bFEd9&6~{pm4t<;}dNEA>>H*xui% z6Oh_Sh=(ODkMU=+?P79#d|6ynR7mJv_L0QwO~^x+PM>sGJt4hwvzJ`44&Ub1>Tz7p zcyi`PpA$ywynLS6S>NO|aDlAR^&h?*#VJy`s}8q5W(V>{U+bW8Qsinq&9fYLc$K#Z7TnHiOvq{Pynt9iO9b+_*7(tM+MB&i)Ku zqTd<&L^#?cGTk%L<3ce|G#?R|DZW3W!(t`d)$f9DGZ^@+!q#J9&;@s_V} z+ld-EA&{5Ju%6BTOj#M3_XfK@7lZjhtxR_H@#X4n_ha#8;rJHGt7YPr6YLMv(%*7& zkBh81?<#?5&(Y26S(W@uC`=?fZggjiGX(5Lv7Es2xeYhc$}0medZqDMk; z*rO9WtD{HiKfJnvdsJ1qVfk~OzLzU4TAqekmqrk8eqrYQ#9KV+sD>)R`dWN&%2Xii z$Y^4f4}zE6dUA_-Djgu>O|=>@6=06xlDfL6h7P(YkN`6{mmIdwJE+O6l~-6zkRIf}%Q zEXJR$FUuYzd9F>~E_2qv;-$EvU4Fjjk)q|@8+kB9j1GX zyM)i|<;T`pttb(Z@%|qB@!?AMZ&fYXH@jFZlY8tFGFav8tdh*tP?Dk&AMc5V7bSD{ecTPf4-QKYV!2{_xEm z9bEarLte<>l zdTeQ-6Y55CaUr>d?k)4Sv-U09X>M~Y<>s&!M$|5$OSyw2&(M~tV*G@vxp-V08B$CN8hP3CK#-{clma|7YB^q0FBCmex zEAij^h7es;s3sVsa|(9%igfdl3UXaZ{ z>fyTVW5{)6hVYUWm(|P#x306l(CkmG+#}>U863+0maCg}JEO|qZei|LZ*bQbjH+UI%uu;F3r zp5qO?rs~zO`m1A{J+U*clE(NXN0#}MXiFL=6v;tqdUE7;DkkvT%*wPS2anB{@o6trkkTNFZL(a zXj`<_ar>^?vR=*KUG8w3*5-8+CVQvICvTETJ8JfYuM;}Qvdl~Pz+-4y*0G)<2K8s+ zx4*49a^h=O<=y6QTtcj|$4@4v-^{v5kY|b?cFeipc;v)LSLLACHq%~?=I^@a&L6LL z*bu2!HSMx{QbVxNeWjq!_p9zr{9~KB#m%Z$9Wg$fGyXbe()(WUl<+shnYK4pFPhuIo~I@?HC8$dMBd znTC0vb#In8HnY!r>Q!0obPZi8_$3f4z4Z@r@LOqos7ncE7V0q1$i|xUThJ%A-A{Wkl?2~rw-ge9IWGmvl2ZoobFKJSvP4S zKx#~!5;A2Cu|HT>mb0qd-evo8zJU$?*$lF78Xu;&*e2RRGrNmVLB3wpxWW6nI$tj= z__`0v=2R#ec+EzK#eRuoDAW5go;T^dKmG8brxvNhviy!21)8ZA*R+;+xBtLuGP`RL6vgQMP z37zr7c^Gv;o;2EzGi#`>Q6I~yY!IrXN_miK%e zg}7#gG#?Z{PZ*I@+wP6euDWS@A(&m`<&7=PmVA?jCih8)pNz?So$pP1IDN`J;h~L; zM0^5IG^YDV&m~b(_Kkn17-Hs=vvV{K6Lr0N15QZO<3UHN zR2^5Z)#&ETN(bLwiOp>m_$$-vhHDQk-u}s$8Jb9e=8|=&}m@JxGpo<4Fr}nkJJ>bsxoq+!&SIzxxx-xQgK~?@#p?lg9t32i4coB0CGXkiV59y> zybo5t7qYZsP z4xiL9XzAKed49G3`LDIT!ue(Sau04i8Rp0)xCWBmk=gfbVs?pql%RPPc11(&oJNJR zLSZ1Ow7m>bl=RJmt@yBc>xmXdQmWm9u`s8o&`Uw79Mbr(j&g2~ED6n_{V&CGa#~w+ zq8rCkMF!RpaO1k_o%U+)mIeja=f*uh1`Df*Kx&hxg@XBRf;CHjjr8GvX7@fp2}A|^i1GI10#0h+F-`o73sld3i=htKO>3;4cyZn zM&3DY$-h#yo3*0g^4Qxi(c-=bpN*%!&wpRCY2;x@UruWqzP^(%WH6fJIB_Jz`_;yZ z8y**Zop#*m3rI_AakSa!)uHg^GV;q&`xb*8Fp zY)_+;(CYhoGE!S|pDm4N-jtZKZvE}=iA8F1!TZ!A#*~r_tuqebb?&FRJTSSqB5KJp zh+UG4&s(ys%)KTk3(BzH=HlmlJ{&07v{(k4gNgUd4j-0D^YpaI$rk>m&BOuicVWo$sc4eH^hf+9LOgY!|a-kBjTJ zFT75-yjaVx@p-PYd>wQmvUF`k1KB2ib>PkPeck>iZ?8BMo#Iw9zMpV+O&ee7$X%QU zUgzS#hPb#@s|(I0F2BsOewZzExa^WX@zCWwmj`icj`3W)*0RIFdE=u}gi7J|EjkZN zLM~l9#798C^}@kgi%n8{ALR_Z7&|j|&m{;#LZ7Jj;0{fzF)NX=8-HyOr6LYx71&BT zxx+ENG^@Wyty+%v+(U=>>Tl{>^pu_%V6Dl?AxS6W zv*g^hv1Ue5D=Q--E2~^76w|Q~Ni1t(eonWCp`MW(xgwwzsTFO_ZfGTJpv^M4DN3-P z>89cNry_0a?p9ImcfXv})e{mn&_DI&#@L2)w+9>!?*F zkxi^@0)q`B&}fU?L_b8D(t73Try7WNgSWUatJb=&{GqjK|Fr zEXKR!91hBCI<;-er}O(!hd7auHQ`^xA_3$6s@iKYW?Y&w7&H`5NKiktSy%JaYm>wh z^4${m&lz8@I~vww+gWg(8BIIKvD$}$6uXjHGvlkyErn9#8;3nZFZenWm&)<OS&c$yS46Y zxa`F%&((N}m)=!;;dIa^r*oa~pdY(0*W`+@Y>#|t=lor}cGc}V0JS(Q%fqfz?;(AM z(`fv_376B4OVI}v`b*bgM(@{;Hghjib25Ecu-vEWUH{SdJ7nK)xD&4<(;mr}QnBil(59)okxv5NkH8?$Xq5iO&)kFpYl2c&1Q?NKQ>mYnH{E7q9YtQJK zDv67p@G;}Ul4V{J&ilPt??9rA4b&Mot$O$<@kPQ$AFMX% z3E!^A+j5v4Y$!5!Yuum^W_&m1Y+8eqXj_?>QXpnEpX=sceMTdX{3qGQ=pUfqLwCvx_h$GyIND$BaR+-}&c+Eg0Z&e9w0^{JE22mHS1CXqpUqxP3Gn{y3#|u@{zVt@) zE>U(#%bF-Tahy(B8om%-s%-tVlLUJtpCw?q>zslLTyl+ijd4OAzQ&<|7`qXvzJ{}R zS3><^!`1eNVzDACpP9HwhOS<1=^}haO))fP(}%=8MQZBfPa#HcTiOx=`x@1~Hirm} z$D+)Iwuat1d|&dJaMVGps$66Bz+nub#)3NjNkTzXjmDT^&P0 z9NSku3%}x#g1WkVCxW&*Kc7Jgn#Y)Uw(5TJX(DeQ z=7^k=f%VnLTUk!Ior0`uHDPBku`?&$+7#dA=j-g;d+A*8s^YWfygT5o8h3OHd%ifo z3>ki^6s@;OeOGC|w$AY#*ULM!+qJ8e^6`+;0k&_>C3{f{rGy~|k#s>~(LIKXM^dH+U~%UPy(4xR&Dx;PF)?x;PHI&NtT=qkwH_C^PKfPrgwz2G^fw=jFs~v zLQCQ0{;rejySkWRyIUcvV$S4!u@CIkea(xW+JWKFooq7yQX6xHN!$JL&alxX+b)(Y zcU|v}G+&bBRj9d+|LYYl(@R_JLs*_XxS{*1!&i*+{1jqc@9T3`-Hp(<`vN^yoAB%% zD;IskUU;g~nCVKq>V$J{fgmr=JqO@RWG~_m$(!x4s)9 z`qr$MU4B?sT1i{MZ=HfBA8Eb%^SfVJ5=Z@=?g!-r#I1kezfK|fm4TY`M8};zgPg73 zJ(leyhnL7rcOX{{>BKk5#I3L7(1?cei6=}iaZYJNes?n}Pjltvy>&Npd2&zoNgda3a#@Is#R|;?^cnQOfD}W4sgHcmO2Gd+{ICR z47TNyi)hr#mv;Jx&V9@|d8%I<=~1U|BITygaMUbh<+b$NE+1Q_?|h9m!3+&vAM)JP zxAZcP%Gk)0&n9AZQYYHj3;F%72X%S(4{S1SpN@KWI#WzjYKsvu$|)>agqT{vwgzsP za;RK6CML>fl|={NQ%|ml;*YuKZZ{uAMZcFXn%Z&r*_o7y;pxzQ)9-yPrUyr2o;N)! zyIOFU(54dK_I=9owxvW!P|>?n7d4CnJg2^jh+JUbJBfY?J$B>Bo4p_5d4$fCYwIhw ziDoA5h}{}?&OUN@f4+OIl)kh3wyMgVljHGH{)9|n-=Jys?BRg^ND<)|6_+LqIR_Kh znUa^U(b^$uTX|&1VW+%TXS%aswnZP^)Vpp+)em!sy>PE|Det~J+4miNRLZ?5{41K@ znK5ktdWPw$*6O{*6Uy}%l=uk=Q+8P|=BX~$(bjmO{3~zi2D7q4B$>HyPQO`oKB6l5{i%c% zOEvpy1-O?pPZnN_yyQ(9csURj5$}U{8EAPkd?;v;riXh`Hc#>LCa>?` zGGUnVJcwT6u6(TX0P#^m3yVmF?Ai7T7?uG@rX&N*Dx<(FJ6AhA)eJ{ zKa1ougN^kgSl86*EQBxfvo&9`Gc~`X2DF~+=IY~uRmhDscAHsf?kKbn?Ii?!|9s(N zMWho)X}?8S^YJ%<7`4`fm-wl-A1<;*-rk$0_GP8gq3?{g-TM+J&F#-QZ2DTRf(U*R zH_F4OQT=w(_E%alvgXyrppT3SH_ci9G4A8dv7o16YYo;!9t&aV7!!! z$W0FSc6b>}?M28vxERCeR-v%RJk{`*%zi~AOEsoFe99=H>$Oe+%tSRSa z-}&(FdL82=9z~NS-CF~0WL|YxG0A&yx#JsAn6&Ly>w<(d)z);j9)8cS;v&g6iH9SX zrwtn19vByRyyg4AhixO-J@4H0xW+lYw|a0_Fx|Pl@e}H1)kKa`Gvu?jh*W$0Q8HG_ zM!ZUJWtg|*AcwQ)#wUmZPvxPzG6y;ujqevfRgSk$`*b7$cHDOL@)!a3{6+}pmJKF@ z2XgvDM>8(FHlus%W8XDJy)($~=&ekuxh&H1bTHz}rS}<+heu>^SI)dkdnH;vWEDMO z+n%HHwBd!}sO(T)NY$gV6|470N#F65Z^k5}YV zyxzp;Ej@spI-Qbgs*f~2n3y6P**#pl?Zth}rKW<@sV_>ZsyU=8Q^dX{9*jXry?XR5 zF(lY$Wd9YF?Y0VYESk4uM^e# zS2N>IwxTpWnfxv!6U5Xt`9Gi4My)*e3bz3ASziS3sl4{vCH7I61ImQ2DQ zd(WD`toEp*=GCnJ8`H2nc+TLBJ?kFxqjU`quY2;qy}dz7Z{@ezQz9(yVDF@IzPaaE zPu0FV!@fc4y}Pze%CPr12b`r{x^4QPv&m=nNyIac6PI@#_gOZ$X(fM*t)bB2l}oXW z#)5@Uud(tudazblxgZkkxtUiVLYy1zSbgZy4eL%TYvlGdWnK!|8D;+6g_SqnXpWa( zDLmunyhQSe~$@)f+B9^StJDf2l?7mvITE z`}cGCcW+s}vS6kC3YCx-$~&i)Y-1T=InhFvykIc!ZB5o&aV?*xUCfopX(OKvAKj3h zC4t6UR+~KK#3%?JWiXLBbO-gp) z4JBXQ%-hM$_+;hr2bd}6Bj4F7p@RJbYno(KCz6mC#D?zUh(ozRwTy4 z{7!H=F6%s_TiAB#tJ^ceCv4^U^_yOGAia#QOY=ooQYx zqkMEqc5h*}yqjWo^_o%4*wdt-H$IlDqBe5HoYFeEboAQt!LT7E$TO$c>Is2|<;2)` zhraTV7mIor`Z$_bORm8)VCc>1mm0~Pr5g()VguY18k1fg;W(c^eAtHLG*Nz9b-Mog zx7Yda$lE@LT>t2@!|%>RmA20YQUd!~nm!NYsqVG3-J?PXi4m}Is`(Uhe4t~Rx4*KZ zw?fW1-_9+}9;Y0071!Fad+$w~aV3kapaOC8!(Mr{1D~CzH@qA5p6W9}>}IOY+j&@# zf4}7h>l1Qq)8md^JX{k9;uGh1#_<4&Eu7Ex1$>Q!-w@tll6FQos_#X;rPRfauC8wt zj!DaR*_LnqE-B~oL37pmNC)O3ZJz@P`0HBH`fpnm8DqoE4F}dsXnKhjcjP?5$g`i4 z`(Q19DVPFMV9>AYH)Yp}zuR7@qWEOQyrJ>Zac|#frf516(8;~kRL0B9fc8O zYG9^SOCH@KtMUtTsMN8Ua$IAWOtiWE3>RqVeLd&%txrWouNf0QLnNIi;B9wUj(vB~ zeumlDJso+c_pRyI&VU_TM~BxGmcKR<3=|i|vc0+&`p&X2SwJvq*VL(#mg@wN&QO+B zwYIMWa%$Lgj$XZLc|=rD6uz08cLVF`p`f9Fp&`Hhu?1Dkxx<_`3_ORIOT@=lD;KS@ zt-0H@dy^@{zEx*f(KjUYJZh9zX$*_jhkjDn+5Qpud*!+1vn%-t;`XflJR0?pr14cm zm4nvq>dIr5AzyRK87;P1xwj zhw8>^R!=2!xWC=DlfjO+Xj{b@-=+@})swyF_`*(x4VBjGTfX;tb*s+sl+C9V#)ti1 z@U4Xo!FIpE-(McKyVm$Bua?QO#>=9p2SnLYBiJqzSi0#NyUc_oOH2$cr1R4}bNK~s z>r6B4+M;yDSYZ6I!m(=_9?nhAi2D4Euy~ddhv&jPa);tIqHV)0itZUs>KX6R(0#a^vcWb6TTLEq3&pSPJh_s^DLtOE7C&cxTB7ZpD*tMuTBP16yR_TppZ z#usi4E;ZBK-EM#KlqT$HEMsOzv_FHizGcViV}=qAop^2o`S7@XJgb6>#pQtidJ_u^ zYty3Nxa`fj*m$d@&M_&gLRpUFA2^!CQz_h*>fn&-^MHfAMeh5SyxZ#f#+Z8tZY0*m zA9}VYBjMx5u}udKGA+L)uyw<$56`x{edmGO8B^aqL^>2Cb%I_98)lty z5KDVy=l6;OrF}6)qkGDKVi&6{;%Ql~=`Mz)7m<1brM31@Lxa^T+%xt|Jocz5U@gut z-;ai0hKY(TV=?UF+5lzSx?6DleZzIWN1)JvYr3LZezBM9mTC;|7@3N{?p~PYn30jr z=X9gu^u(ot+HS~O>368mj|~HncvFS_(eKlAlEM>qz#@G^!~O2wh}P5NuK)PV`@@rb zdtr9Tdv%WKS=Ys0)kK!|H16R(wOLw0ulvls5crT|`iizmot1{i*Q+a>^b;z$a0-Pd zxpF39y4l?c>3gj&PVe36{Y+M!Qa>HdEL-C!iFV?cC+q` z?Xk2Rf713yHdL~2=XBfI?_r}nmJyM17A1GDDKGf+lnbij5);DBxXfI6cQeEVN~Ii zl$s?bT;|&zQ()({KT$#8#6j88q#lKy@d%5O;}y5^dDRb`z&`t)|I#_UXvNh8sSa;^ z4eN^R5B*jduQ>zjtGvHfSzNeWX1Ol%&|r1d%D(ekI9`uFdu*EbTFx-@bo#zd zf5!2aj2GLOH~3F8lE%b*!XDjE_Noz!PZrs@`@P}dJ0`pCp*1mOn9COjrrVeAIrM?w zUwU`-=2qj^s;MQV%%_7#Ue??>;zLSs&lFPk*Yngd_A_?y)7El$48aG59elqvXzYs* z#@svo?pBt7(Ad4Vro&!1mo)6_J~SAP*_^SOX{2ME|BHGhF^AtUEK*qJ&PMo7XA?s$ zUUjG3K)c=bkSzbak576NJ+CgS7>EvjZ9L4KGh{T%q_4k2a9`4xmMiO)V<~Qjw0Ot@ zelF5S*4%SQ%aHawY=1Up`^TfP*vRSrh_;}qTRZ(fpVT0B++_VIaH;Kan;*fG+r_Ll z(M?AsS}?6$?A}WLL;KEnu0MM^&~N)y2c6~>j_Q5t#Q`U`#0c{A*vQ02hdo&@uHy__ zF)rxw_PPQhT<_kucH!sP!K0y>!ydWi`NDipmTI29`#~V{ZYgfbUUXlGs;>1OyEOwb zAGfx`+}NHQU9`S@ehaHW-s)+rX%iaNL*~*Pno3%aboKNM2oDeN^vp_(6ciT|5*EHA z%=a;7kH!SsEyuExGNPPr{7JtAE_96Ar~W3cffI(Q^`tXZ{9;D8O z6)CYR;_M@Rn1=S-J9WBYx|fpImx<%Linl60C-b0g96GR0wymS>+laJ#+eOQ5Z5MAk zz(fw}q*ukKnssu@+sZ$y*imO#4`pcHUF`jqC+Sx3tykwxZjCeC!6@2^lD+OEj1n#u zkBeEo=F8x&j@qqvw{msvvyIf=WS_BAEndc>MfrK3^7AvgnGd)-2e=axmrk*=PJN3u z+;VrbtV87`^XH>V09!z$zu`suCnlnzCMTkINVIv#>m_nBpIgnN^`upBeCnv>6{b9h z!0sC?ySR7^T)u7<}M{uhufAWJPVJ?_gU+NcYnvF zmP#!*zP#pg)o!MwuB}IF3dB=h$z;~34r?95s-|@1qYbr=$Q&Qpa_Qh2@qR6hJ_KnW zFCXLhdi%JSTE?5!F=p#Jt?9sPZd!Zdc)~>UmRnWs2d)a6H}!z#~Qi->mAE-}>%)H9jxn(0buWNr*xDpf7sV8+B>OW%fPjp^`_IoPlua0VFH}6!5GHi zy)728hMzAseTt3c@jjCJIHJ1xTeyylY3bl*xk??O2VLLml-DI=XjgP4*faMLVtxb^e zyN@52o-GLIX35=}wN5Zm^_uK;%VFj_%|>D|YdFJ&Jul}yu9XuwRRmM1zONVKzc#3n zFleH``@K?V?CA6)QeGbc@kcP{p&2lAa+W%a2SG$5HT|u6Np&gzjI;Q+b-VY2!p)*EUgrBf zPPx`<9Jy(NJIpdSSG!;*!Wq6B7gC_H@oA1B^GT>Mw^gaT?AMFUDZ+T26&?b~Ij2ky z@s8*A>`2=u6rlc&n4#TP)upamA5opWu_4)Hl|8IQzNqNM+wBv3w|uf#vtm1T;QAe= z^!#%SQ|rA>+n0Z|+jOb*1DrH;+e`^>+8>*4CFl3~ZMlG5nfJ}_f$1_^U!5mxjzDoI znG*vCd~R&N^9}3#yg>X;o%vLMY1J$3y&C9y2vO0LtJZRs)>R)?sVn7U)n9NK3e_s1 z+e53}{S@5~g!%hBV2<){yzg7E#t2=(UR~!qR8q2%`8N5}r#dokRhgAIyj0IBAn$d( z%!#+A_p6<6x0@nMN{UNL&YkM(^DG=NUwoN-Pv)Hy^ zCYN0Q;FYi^W)O{{MxOH_>iTlzo+0Icp7Og&>!y2#R+u$;#|z6;2CJ`qv^}1H2p+ndt(Cn?v`%4@z`jaqRWM6_T{`LJ4Mh2 zLjvc`(WqcwAJ0?6je7Cu$W(|c%em%>?&Q76d1f5U;Wr#UWaV4GkEy>3Etb)ckry+U ztv>Yril1cRd4|NoXDP~tAz8~G`r0v%o>=~5rH<*v>Pvk-%%Pc(WPj;S4Q6xY1Iod7 zn3$f2Zm!oQnUM9K_0_|+1xt=_X_p_~m#AuUz<7lu{;tuZ>kwn7v)=mJCi+k_{x>sVjskL2k>somcR>*{pOj6Gb0$T z?;0A2*nHc><>AI}uqiGD8Ix~me2ubj z$=p6yvObw{#IhG_WUX;)3R?9hVB|$hDf!%3!S3=H4!|ldh$$7>Iq1J_a6VTaw(7h1 zq;s2zLSk56%=X7snf$UuyQn7t_t@*+_Sdd@Q>yhe8^id_p1Z2-74F%NmfX9{+^_tC zFz%0*1g{h@*gk2tW?k_G)u1cdWA&4DN|!2!w)yT{c12K06TlMg7-KLSn)B}TwAPba zBGh~x2Xi5&|CKzfPLM<7T;XM&)YBL?qvWLP7j0KqS+T!ywtN#dP~pe&Cd|TbKqItm z?DM*b)b}60w@!X;ou1xF=x-Gdw>%yxr7J%5zWPe*QjLpD*|*tzszwYu88Q#LUUGiE zLFXd#b%7}1A^Geoz87p^2$AesQZS#C2jQv5<`tHQ6jxl@D3!}A)g}MtK!!)VZ|WHx zjfhn_OE0wBogCV9`vu1&A~HN?`HQ_8j{4i~J60LnZ;4*xwdGKCq7EZ0`mpk6&fO!N zG3M;;9*Ub}AbBzj7piM{9_XqX5_=B=2_ntKj0cGzxq^LO&*@7M6v>IBco(96oMTYC=&hJr&7t!2ltF8^ zXvvF$6G-tjx1POVcECF4?$zk{;nkY=^2gHK(;AXn_pdlK66_O%gnUDQ<~>M#~FR8HwT>? z;|Dr+xa?&dgg$Fmd=sbUC(PG1`EA$c&jLFiSd5EqtG;w~^E+i`Z-L#{FA6Xq*TJgG z#+f(t?3I&dbNBGJ?Oc($53S5+vaaL(w>`aAv)w<7?|euYmps;`abx#}1D%pL4k>-* zz4@NyTjI7M@2T7FU%4aSZ~m4XIYgMMj*J*=dOtieI3gj{Eqf*K1&rG@x$YX8ts>98 z79Lr0$A8(#RO+2ohlLKWhM-@D7qy7`Zh!vB`uU^B&r5qsPU@f2zpn3=XM-%&uh%im z-xpf)5G&q0k&$L~7yCTq+2#U&)ugQEMBU3hr)}RzB|TtIs*Nkf?#OoPVZ%H;2@w_U zGQ@{%kui90uLntUxh`=%4SUWF7XRYlP7{H%jcVzpSG+F2+~*c6YWo83biCK(?58B- zzW$>xGVDDGg*BU>bLPlc=UKg1IOd}m_#FGjw)m1R>Bt?Q!!nzY3U@wy@#hZu^!;F~ zwM~q(O;FisvzBzlYj#R1FZU%MyQ&*_13&VXT$%7hoK0S6hpBas;8>S(DJ}>)2J5YARS?(u{iDXp-PeM(9K_dz#yWes z9KZW^GBtcN6J%|UXd&A(CY{?12nSA9r`uA#eC$`8(1>6or7`}kAx111+g&?(^MJl7mH+A|RxUl8Nhn@Nkb7zl>YMvfX%_SVH z6uox3?=E|U%@?yKCA~J_!zlVyGtvF&ie*=t9}naGFK$&d_ADmC&n8^Jh;L0giu>vb z&ozC%wqI|9xmPyiZ06HUTl4(|reUv|W6Dj<*B_0w>62&(Iv-4ae|Fed$tdR@w?$cwe=C z_#9Q4cgot#azg=TK+ihv!B!Kmq>|D{Nte&BMc+5Qj1qE`P0rOe@k;)t8*uD_zKK_! zU~yBDBj<*jK8+Wq82uySoD(J9^5zR#_1JY?!^PxgSa=irBhR#+y0!#3mM&R3J-vh_ z_?6)PORINjt-H1U!X>|z2BRw@*VR5_l?V@J{Ctaj3*4jA+heOk!tG<*LoRb`Oa|z0 zAN$f_6db~~xjSU_*CjygI_0pI9RHjvvOjDf0!XDWn`c=vWu_33U=xAE*MY z71Ix}ifEPyP+qmS2CBfxnaNbt0}CzPd4G)z(}VTJcW&TH)2qABs9=n7`^+xhD?QHZ z^8|O=)g$G_yV6F!%ih=!PF6*h*HK0Yi<(10&WS-bK@6`5TdT5CnDK|VUi+T(Hal?( z{=&)YCbE3vE4B;Syn&^C)I7#@MvUd=b8W~Q#g~1sI{Px4((?F|bvP@F>&;?M9_ll8 zws?D}uP)_(%03V$>Q@lcpA`BmOUt{fDa$sznUur}@t$J#+-y*3){;M{vOB%L zV~i`@yz2cDe%vva@$QaRr?GM@`S`g4{F$fA4P1ja?8;YA?dlC)m*ps7^v?aA3R`Pb z((>yrL9A;yZdpR2t;uMGYeWWxLfy5~x@*O4y}lxB3lm8JU!+^lFGF4;@7r1)krW$F zw8Z6z+i>-`Zk3oc9QkZ><{D$6=Du2kGdI@Qx#+IsK;O{4$6m1Vg5#M`iDypg6OWfR z3-J@z7m_?W-g_`M7Hb6}c^OjuKXvo(FY>_0LE=rE$;xg!Oc)LMIg|Z9b!R8I^(*M! z*J*ImtJ%u+&Q1TOlF>%u@pi@B<>F1dTVx-eKgxw?l68zRFEkK-mdDoH6f<&pb>PaL z2a1L{YKLAeQ@HXisXlOdGYNmSO}Iyk`P%xmpUmEpSTBu1i`>J))(wbw@){J%I-FlV z4IkXRg7QE2%uP}O&AJ77*+)4awD>$I*Ei_0iclh}Zjd|9%(a)3t#Lok7XglzN7dL! zg)T0k%2XyZ@L!@J%|6mE$M^Vo;e+}RK%d9^BdQ>>tt`_lBi6^{>xZM0wv zK8@6fPgzko?vr+~{E^@HdzwtW3b$I2jh=%08dmlvOr6=n`xSi^e(_vX9oLHsO9k?; z>pV3+akOsC(pPkcWCeO`qiugHuBUHlUuzKJ=7xqdxHEFQS}-rNj_qiCq$9rjuG&$) z$h{9Wg9~+zL)tGL?VVba;K`rAE3+FfqMff{ZOq-^vLdVo-mRCg!@;W9ssVCnm`vCu3A`If`G-EFL_OhPXE^bI&< z8mB6$-~ZP4sXF!D*=kR7TRu(!!P+s?P@M@l!|ijuWrp=@UALS~+NfM*+t_fN2#?(6 zwvE8rF%cM7tEl^+%Zs(Y^*s#9(=~L)-s+yZ0%J~+R=!rK&aGUwn|i84X9G6X_8JF8 z4QR=PDqrkK%H{qT7LbW&6Z*hNPUsE^JU!>j_~eMVJW8g|<*crOpL zYIuI=%X*)X&?vXAfsbV)LKS+1{iV(W&-ag5`3R4wL>RfRO^!`%)D2Z*!+p%S^E5qe zJ&6^#kn^3tz4!^&`;89KgEN_%u)-wV7VT3Qw< zcU8eV!)yQRrb_O>%q(nvn3vl9M^~g+oqaf7Z|@`eoa=KA%!^=g%4tE5z0zsayd*s6 zW(D~KX@!|O@D6OeQvKp0B6#3==gz#q`w!ljPeyw6UTy*o0lTo_O}8r#bolzn+8dj~B1u$#u)Rd?RibRBpu&`{FuAA9$} z^V0+Dl?@wNj~m`l_*C|!^3dJAoSjRDrgTHu3e2P3P(AQyL;hxE7)pp`{btiPEdNVX z9ls8DCn=^uQ1juprNJh$sKk&HaZzp!0{vn`b+@*S?9}dlsQXCv^|tjY+HWKHKkZfb zGe0$eP+K*@6g#pES#gUeU3R}q=Q(xQwiDlntKxIoEZ(Y0Zb;kgX)n&{yJAQcRVPq= z{9dNn*4=e=?Siqq7{`<~hisQ7u&O?8kd^dqB*x))`EQhDIfJ;^my^BxHkW_gF`VOb zfgLNp989awYLkkY&UD=Hxbi{#1Ydl{)_C7n_gi>gHnf+0iO5oE*wVT$n61--(Odd- zg11DX(gxKF!!cOs`oVD!?1^18r%nyKo0 zV@U6=T736$JN13T=aa0{d;DK&RHTkRscSnHtng}EZFb+e7Xo|*$E^E;5WV?jP8S*y$&)93yqZq{>dpiEJ42w8`$I=E+O=)6PAC*DB15 z_+7~sS!X9dE}bySDv~1~%htX3OpYKx3eL*s=y}tg>2@~dLwJQbp>bvCxhbuICdRXM ztPw68z3U?!-Q{-24DMlR6VbR;lX~4OSLRJAqT{78{d?H9%GXX~_*y`nRk zyfV|Ur!yQA%I)3?7B@;LUeI#K+ozR1&>!YI)!29KaNoO;gs(N3(%z;8<(~EDFE!(E z+`ine!f=^5F9{+r5(wL&{S5hsN}PTfy#23Y>${Y_LX-$_ItVg^R~)+@1AtOTi39yLcMRL z2JgU-7^iLoSKIKhsJ$}Gf|{x0A|Lb4JU_LwE@JnPRLL9jlZ|b5K^-_=0m<6p567ce zbdF0cm)5L$B31qR+<`%Zs~MjHG+w@E>l13&`O!J`{kGc%(*3L6-}2HpzM?lq_X%-% zaSLbQopJU=`H46ZbC-|P>16L!xQ$lRY`E^Go!JdGQl8A^HIZiDf*wSsZsXXK_=We; zb*{o8*^q0Ktsn2=*0zznWL3hS9zXLG`K`rch2(&MvuADE2mhnDnO&G!mSL>=)0~?s zIfi5#1l&Vii@x>{Tl78N*iJ$3#HU&Cet>&9MN17EeHi|#5z_CyfyHXz9$wwFVs~v{ zPcvWBISu~fDU(mUZj4l9SyU_?x<9_BO2xhE&cS}+ol#ts9dZ}c_p^Np)c?{P;1RGv z(LMChiOjTb8CL~%9uCei$?G3@cJlD)*6Wwc{Oi0`y~9<9CQ1srhM=__<$UTN0|H_) zQw}I4tm+;ZvMC|xsvjNIC}0uLe9&usXS(NTQ{@2#z8o{x@Ka}@C*AIo>P0_3{}7fn zAu_;?vOZpy8EI4@_p&t)&7L^L<11UX>Z5;VVwe~bb2Gajh`*uwDO+8_Els~Gy^xIV zw;1yZKHSGk8?$$gXAe&|7w#UuQ2I3a`pHXg1k6sIDmkXOKAtelJU-fYfY5;YAhhkM z?T5V=2HopCxcEQFGPn=e48Bt}^D>N+I2P_G>Wj|%<_fVry(wSljM4a>yX6;T2i2Go zW1UVtgZ8QIU~0te$are2ch)fXTVX;orZ$6-!a22d0sE_&I{yYAW zgA_s{qj4xnSp_*M6ah(+!r)QpU>FYd54Ir<9Eytalz)MP=3g0EB}M5aGV*dta5gSBfJ3$$gG7yF(fDgN(#V`(NKaH)DuC%AfcWC7%U2d_lA062}oZO z)Qdm_h)gl~fMDnh9}H?lhWZf+ffy8;BH(9Bq}i5mGc7^MJ_s_D7=Q=JNKi{7U8u|q z88E+O5^xm_C89}WuyOG7toWb(``L)MH$X_j1frpS2qFTDMPo6c2r`C%hawSv2u}0N9aaOyCSTI2=mz;1FlK3-A%VywF4vlz^8+p>aRD z2+{z3Lm|*O0v@39MWg+IZW9qmU+_H8J%AZ(F@OY;&L{~|ptEYzDw2=D`#a0m>Z z4E!ZQafAT;Ot%mLWWvlhKLT(SpaRcgaDG@c4wze@$9O0ji|`~6fhh$W#FM}=5by{r zU=n_4z#-s~A(Ft1p?@lUu3;>}8-s*F=afha@be>p>IN*rp3;t~jW!g6$B>~UBoX6B zX$=JpA`pEk(}V!##1D%=QhG9@uMkooNDs`61u#!Ua1H=23?7LMK%oH!pha&`0W*pM zW`R6AAy6{mN4I9oYt~qRlU^9_0OHJ~U@^XEiUs%(NMt+$hn4_Dk%9jMCWyeIf9eoy z3o~OdV4G-^BybLxbK=Yx087Jz{Q#Q;sOL@xVu<7bKyx?*(g!#TXnW3Nkw|b7fD-^G z8G}PZQ5Yf`NhT1%zRwsm8MK1g37Rzoa8xrE4kc0M42nmSLH*4imc)?-Mt%Mdh{2(WfaU=S)O`sD z#}0f`h0d2o0!&Yp9~>4%3Md9NDL({;2pG_uEZ_ET!EatpZbq`N0E-7K1udM0=xQ6k**3peS1(A{zb286^Y! zKs?RxL!ANNMh+nTX?7sY%nF$K{ud<3{TPBRfOhBY7+;JZ8iheXL1&A^&JKwLh(zOI zL33AO1fsVT_-#&{=qxPM{fL0u!vdC|!H)s8D~Tka(2|tM#jgq3j>aMhfV}{4RVVoY zE_Id^Nx%Zp(i0ni=GW9mqW~uhm6e8y7@{#GG~P47TU1>NB-h*mfjC1KV+Dc{8qcq3 zVKPeyg}Oqm(SUaWj0%Vw-azoN20R7ey7e)DP0fU266{Y%GX=aHn&Qg<_oxe4UnF2R!Gtf=M+23w5Q z(!$2b0cr+>e9(_r1)u}azh}}#0~SS>%w{gl_|emuU=9-f@i9}R0P3O@vPgGy<^|s0 z_Fmu4Mi1nnL~t7FKi)qbA{qhqkAwyD6l)-DhuUB%9sH{@?0}d*o7)0m02s;NlsB6# z|7j^SmP_IPJEm_Fgz#Hz9&FJ#Ac;c&fkSsTLkanFQ$W*>DVSKz^G;9^OCnlyG1D|9 zAW%?iK-mNw7|>9Q8!$*EWrF}RbQ;n>-bc!4fj-i~78=w)Y4VGiu{9b=aSUMS0cHm~V=ptsfbP%YU~vrC5;5Lj z*{hEYAoC{=BK2&PrUM&#qx@@jNLSjTLCYJk8LFIXA&Cwa zjlc)^f!4gxInH{5Ki|nkmGc+m{I++CjRd@`tiOCnH% z{5f0v86>DD@UM5oEC5T!NX|^h+$!X3X$aK+XaosOQzAl4&_p~M3zdVZz+@$5rKMqB zNEu~Vu(G1NqC5y)pcAuSM36Ju0;*Q88Ij-$9bOfp4%EqLO$hD!?}GJz5;+8mh9OC$ ze{PNW*X#eX3bMd8+Vy`$CB^^N|Nn(UN(}nPm;0e&QV@ui7m)o)dLe*9CX533+3z?E zHbfOFY={Qpq_7(03WOITFxr;H#p#@mOi z3YC|ZR)a+R11)(HuqgV?D9$zmsK6dU#2`Guv<4WVDmc}Y79}M~C`nHukm^W!Vi8DR zRj3aMDHVSCD`zDgtZ@GIMNl z(z^0W3JckSd@y9RDpbJB%S#RN;}T65l;(OcN3dvP@<02i=&7VAN7a@$5fLIuSwY3l zXawYx0|zG!FsdldF?uO_DR{}#GA_y^JFh#45Sr`C3N+UxQ3&GPm=u&Gpt5oRm8>)^ z6{VAlk;?q&q^!J*mz)f>Cb0qNS#oLVIn7hrpQG>rMnD;bq^I}XaERWX2tYody`TS+ z`PrL!EHfRVZ~zU={0CE9j2MH*V(@6%W_~b9!=#md%|_J}P3NRxGE_sNGH^*efrvw3 zXW_KSbr2o1C;%=4Iy41OLvaKY8X8Cqh#$NFa*06ghLWU&I#rNLWRXewITTO8Vt>m* z8S76TAYKs`P*Z`BiV}nOT|_Pbf}b=bKn2*v8=v1*>Y1gYTxcV|oTx=PX=a~h0P}p( z4{q9t`pHBF=S7l82>R2_{p9o^1fq%a`9YP4&bVD1WtCh6$QQu-lrzecBmo%=4geHI zYZUMJ(@#R73u$H??jJE6Q7Y137|hSf|GlA5{O3H{#Y~0DMN`w#HyLWGKVmOGEbK2E z46TGeXfZR;r)K;URzut7FU@B0@kY$XRof6h0-!iQpAgWGh|L6593d1i>0n6`CKRX; zRH2?gkqwF^1XCMA^(Dc-jxUlc)v#iIEM(0)?WmP`*)= z1qcC*RfdSh{Wvw3T<}wp3w{YG34td`0+~9->j%xeGzAK!sLf~goD576?8uKU&{`2K z6e!yImC@5&q9D{qMgr<13;dM>{>lS?fiU2sIB&?{prFz~a8Q(0pdR16+-E`GWff+` zQ$&#g=PU_2XFwc~8v^Mct>R$HN{h*!)yoVeSWT!xXY5h!M+bokBa;a@Rj4dQK*XHS zAt6C9Qr4D4Z~$2l21WJ(daEGq7d+#1W;-{pBeF0#C54%efQIKIOCg!p(;r%xZJ$i= z1NjtYTKAD#$RVRJ+cm_`YYQ+(3rEUyQWS>**N!L)I^gK>XthO*;iprg@F4?;B=Gv| z{Y^^SsualmoDXWTfKi}{;0#hMZecHH^IM8LThth-9Nmmv5$D;E9B4z}!y{1nS>?@6 zhrF~P_>JI)Kw`)tv)^X`Z%TQT2n0Lq$8!--P3R2rXW5l!*k@+~i}nKg3N}M^k~lMh zpJ#*TOhHK&Fa=6$^BSP|sM+5Cpp^kMuo&^I4N*}l$juRgPU}bF^Hb_99Yq^kFyPt; z8G$Fycq57j0ln9A)&#ihRA5DizHA}KYY(T6P#z2bEuG;ISWp`7Z&il!9P`j z!jSy1U|vnR?@UR3iD>@-3=xf@JazDsXQs0R{ETiWpN&TpUUvo=<=d1cExH|G)6A)Io73_xT~|C+_|b|6F7goo5}C5lKMF zD2gC}f{Z~TuyaloFn}NKV)hiM&UwKKHs^%^LDbp+h0fDX*iWw6Ns)#rQ8Qx^^LT%L zoyR&mP1L-Ah3N#40K23-=>#sRgXpGx0^)b7qD|m`m$y;*Vrd}G%(?F$ijkoQk%&K> zzb-z8Uyg!0+nJZ>*Z`fvqRHU%TA+5oCweIPDMcg=W~qmvFcYWcW{0;RLi|W^DdtHf zR})GK^rj93rH3ffcHs@yRCo?6N{$tE@Y4=ZNigEn2 zb~NMpe=N%`8U+`2=jS6ki!%ThW+`Xp0|?`)st7Ogtizav36MlWJF_$SDU_g%=mX`_ z%o>{4%qRL;)(`uTn=ucnENeDDS(wepQvuct0Y2k64mJczX$M?~CQu%L1lTB1 zZpP>R!b!~twI+bK%5}iy0mC^QNI<$*!;&TDfAyjHj-vVQ=k>P-gC-JbWFQn}lw_3D=s0izv>ZwnCA*j?ZxoHBne}_R zlDxc7z_F+#^e-g+v2l4X7#3nq!~#+uy7Re!6!YhXh(dvbTvQT)Mv^k+Sd^63=oKi( zqNH=C`G>IJ9k4)0;ISwv`46kp7x}x%`(3|$e`QF2OalIIOQ2QypO-*ufqz~CtOut4C8dSfFG%O>3Fk@kJ@^kx zA|d{+ibPVoi_+2Jj2;~=n&{EV{y{og=S+`|cK+$n(atD6I@(E~N4F4nDk`#y zi;~hN1N1~LjQG;hN^*;m&bJ&Ct!2|`0l&~}lz~5sk$Te4ffh)mH6=i*qV}Tw#?xBU zpY}EQg>a)c1U#)t${`g{3aCHR7_HGLOH0#hjMiSk$@^1?#Cy%3RIi1J?4OlLYZiZA z0&Rq&pA_I}!-zCpT?H9DqyX9; zcv6lT%0F>C5L}6*REYfGn}RZmFz^yT6kJ|`{%nnMI~gGL{$-6wCE-_vqKpFgXSPtJ z9+bo{2Z)je|1748g>}VD6LeE$1X5l`e$l$(&sIga1yvHw2^pI2wBB7o8vL_pS7?2& zm%OK!(jP+|eNuwNuML^Lmi^{)`Yi~hbU7DPGAhyt6@|r%9$Ifrf2tOgQi=!_FHeQP zk+I@wzSE4@m-w3u7lBYxQ1M!{r3LwutTGVv{!k+R3(^JI7F|-BRDnd3bdr#?sRYe+ z8oMXS(tM}E2`QN7`+}7ax)!h?sim*g1=*L9f~UgbHRXcDPuWXBL2mIxjW&kUCtVO2 ze*sZi3-|>oZEW}jDXp@8V&Kn~9W;&$M>C^1%>3^d8VkV@epAN$V#XI_yi}yKw=%$R zq&>6Sz`WH(@E#QaGoNXn|5lQgTcYsK zb%Flzzx?@c`txtC2iG;zgJJN0yNzEz|1T{oE2ls^|G>Zh?f>&{9FBwlC=ex}SOUQp zd|wBAhJ;a2 zMW{CckKP7>7@~=2;hAk_g8i@v{LG7}z<)tL2r_WNn=tbRnkob`*PXe|RpvJQLCtPI zV_^d@0pjTQ&j%5RhIoQEduMl+K|wu3pm@rz8b7zGnca&A>IJ^b2>Y>V5#{ULPCyVK z4u^o7u3)eTBGfAYKf5UoxOD-UFt1e@)E3;O#TO0k4+Fj*HQNAWMj&P5mJom=kN}YI z&-4OG#_~%5qro73fEpN!g%SeDegR~vU1tzjECd-q1Y5d*CZ+Z;0L=6zJN5-#O!O6;L~Bgc<_xzka9)^60`g503;9+nc(M# z2GVvEh6LVPMNu9b!XZe$z(-($Nwm$*Y-a@C43KTxfMPZ<7#<=9|EvH0g@f+=&jJ_t__yB#|6TnD{8^;_Q~J;U{|m<-ssF%dRA)Ajq*OCN1qfP+ z6mVu{AIZ6T5ArY7djJX88y^G-IioU=<1O%t|>8z6Js$$Ux7*9)cTQ z&K7@=x#Dk@kzVx&3IQ<(Y8m{Dp#)^)>@3V^1v1mwxovD0of)vNlm~r1(Z4K~AalhM z^k>IrswFrU2>CO0Gd4s545}ocGsL-&IWvVn^s#V$AU}4PrRWu~hd`iV%EP&!kpUG8 z5iBXmM2u&^%pRpw+L*gN49bSgP6w3<&I*8m`)7b>X`3Pi0D^#toau=q*j1n^n(Y@3 z5dvssZXDpQY#8tjfDlRWU+51TqMl(&pBAeP!B}Q5IcH0t$S~$xB4xPtOYLv?~5yn!vqN234Wl56cL`;KMpi1NubOk35zbQzJNF>B21NW zQdNZWj``&pV6VUjQ3z#Aew5=c)PM2{a{twT|HiS{{G-Xp zf7Ay4QvENj@ZbFZ3kSXV$B;+?=zpk<-^G9F1?#^uigF4H|Hc1*;c&5;+g#9vIJ=Xe z3l1vcf)$1Q7g7Hg9Q5#yCy{_k80kYPDgS00zr(+xw9>-+Ke96a;s0Ma1faG)n3?Aw zz&q4_l$-BfbE|ML2*eKoSOQA*M+!c3kM_syaLNz3{Jc7M+1bWUM@P@bMuYO3E3QB9 zp8FtB;FFE?q|scTeSBi}Dg^w+9uie!xRAMD*_rtnn?N+wd5fJn+#YUZszF4P1BiIn zSsA#Hxu5%iqVOch?2qOA5Jn*a21_K62}lBV?mWtK_R8Et7jyJKE}+469jZS4xIpwn zQuUPT0@(IEt>H2MgLk^=;olE|gQ5PREbuSne~NO_^8e+3|HAR>`KLTx^tapio&T4W zUHJT;ocw?HfBuc*xBedyK=zqkdztwKwwX(k;CaaGZ<;NBkrFw;4fGegNSggAl|?W9 zPb=kr(eZ2iQ%%a>XyZ5dmyuIinExrr{`dUvzj6E){{m3(9xV|~*+3`=0e~HRViC0i z&>NHtvI1Wz_wpz|pE&Q19t>*a1zw}vHw9?{VF7p?0R=8FqbOIvd%t)B`R5OTl4gG( zh=lM$gF6;ceijiKKm;H9q;f`3Qh=8i28jV*ZvjlzJphjhhLH#m$sZIn1hWHj_aWfW zAmL9*Keo?5=3QkNTU| ze$dfr4GN^$3No_LnQR+MCWg3E_L6f48Nu0d2h~F+_)x z<##-R=7?zU-Zy`JeeoT*?~I-*^$|clp1JydrJcA-Vkj@v{7eu`;pPS!{6F4*&~?|<(}&xc+Pa%s=)g_&pb-)L|GC-! z&mOW6rGk_ZZK0zqYe{9j0>i7%!pS-M` z%zydczi=!v|1fV189|<@;?e)a&%pi8|4S>-`hOWE8QK5t|Nk3@lo*U0Os4p}nO(EN z-zq>ur2LQ=7zRb6IsHG~+y9P#`k;eb6(-rg!X)=snB@NolfqwNQv54SN`Hk(`L8gk{1qlRJthk?YYTIzE!l0Zs03)!6JQ3nwKk&HtPVXc9SjLcnEjPgiIk=+k2{*K@E1dStFc)qo6LMAY30|(}j|` zg|(TUwVvthnzo(|6%$=38JX(?Y!uZ(ZS`~v%`HqV3>+5@Nro=2bl_%s4pfA6v1G1C znSE+nx)1_CSXvmF+b%x$GIU|2YX`No0N5;z9DZoRhEgd~>yR#>EQkms7EMJ-7e(9k zv;o=HQ1CS}yO|G*b(Aik;FgxAMtZtXT}N}c8EAFDVD+rcDg1C#DhYJa1=qEQo9h4~ z0CsB&sIH#9kjdiH9{9pI^bK=WFi4S4~f+6 z(FK;Ro~ezIjV+)OT{|1V1Hh?#2b@X(U6|RTu{0ils$E&ScmqGowF%6qt`S@t3fHFM zq>DWpJ8L~NxH-idU{E3OUo$&%7{w^4o2H9Hdm|e=xG6OR=fhr>F8<)!+CLTb)8yy% zn=U4GEX>UT%|hW+Qz}armDX@G&>_(diY^#!4B?U{dZ1Qd5;R^_mM#R1;g*0Rt>L;x z78G^D%^j)O=;G1R+CtX|P}|)27lorNT{s$<=|BMowcWzn#Ad+&=|a%fdOK7SYNMyC zD`jMENyR}IdOFrdHkMGhovp=;)1?FhDn_~(1X+MTdJA2%EPV(XT2q>#co*tc=pxU? zLdQrCXaw*j)>KH7rH?ctGd)XFJqH?dm7|L>djqH`TpOGj3+tb=1sDevGhLWjS=uIXP7iTt>ptpk?Si>z1XR@Wm*y+L!_}AKq4io*z=Kv%EKr8`*G$jY3 zwK6%n$kVa00jHG8gUHc^nXQG5p^-M6PUq<2Ovlg>%p@1*qKh>QREGfmS|)Zu2$1^) z%mC#({IE+JtEP)Iz#ah>DoXkYGXm^L$CiqeF1BnO&26pq9BA`JdAiu5(}$6sEf^euXa_d{vP>Y?q5?5>qjZrqldt>?byPg`0~H)-!_<^sZ|Opb zV$^V;c(DPrt~VQ*7sO?Gx>&L>HL};UwKakQ*|n`96v%b0=j9;sbO8l;C<{|PFo^*o zvmL0Y1%XALE~aeI7+(TZ&yNJ8PdWsm-|X*aQ?dRcu>^W(Vf!O7o$-)VoWDpYbpS41 zJz!SmWg@h_rVBVD9aAXy1!_S(r*yFfWFB+|M;B+hI&>VHJYB%S%|Jje&O{e_V4ACA z4cA{#tSQh1ADFQKNLaij1-b|{w9ux?ZlMNd+J+P>g+WaWsQBp@aDayk0G}6yAqhBI zKc_&yY6GnU>?##8UGUi;eeh_?K1zDvMo~lzRRC3>3q25NMm9D;EP?|GCe+kJ4+x|{ z^#BDzzZrEW=@)a>FsL>R3gSn{go=SK=4^C;pfzu@X`GS*UBp?#0WQ6tCnf|u9?&P$0Ov`~LKk0prT{8IYcZi%iwP7?Z6b7W z1~^W=A88;}kx4r=`gx=c6qEtzhKial-~j(<4u&8gKtOfD-<2nWtBh2f^aEZ14nrp3 z2tUjWFlST%_-sD7yR#`7^;3u0;G<=GD^KUqQywVW$gJTev9zbDOzg(>hH>`hd02w}py9 ztpV6BV4@FI3mZK%3p>i<5JhX$dZvp{fK~@g2If!j{K80)eg^t;naA7)i0ia|L6I(K zZ7^62P$uCr67%#mFR;Dya$Da&SH$p0F>yLaN2q%a2u$-k*=P_tV*cZ=)#HO z-YpG*k90;x7gIn1XA3u5WVYzyX{O2ra$+O%xwhsp(uI;P7#M!wiDsVZ!U!m)^#D(4 zI9HNWVP1)TH3#H=fN9X_Aze((tO76Y1eNH5Nyn7321h5?RHC128kt+zI$G*U8iLEL z)FEA&F0vLuJrpiQr4wbkDAPuSEMkhvbOA=mP2oRoDnMsOWO zqDh-bKq63}1>tZ3cnorOhtJssX{hNuP0){6a7S=Wd2x@Z{0n^9!VN9#Z1jGektowI z;{Y}=!K9+4k1#Bj5b`taup|;t0Z1|lDgp=dHUt)f5QSQjL*^%M%JicdF~pCI_N9qO z%D-5zG}X4S1I*=zL!nJ0lgL6dF5>EaIPsFj_b zEqM2WVrND=^B*&S)34wb4T*5NaGP7;pIL9Ey?IV0fj$6%NihF8jSKTGI9(9hBFJR$ z!6zGQs=LH+y4aiRs{y$B0@VDA&OV&}D&{QvPxG0*&rCa|^p`S$FhC9Whk< zE<&}f?Mx`C@XwWE8tu|Wr!L&a27Gbxr*8!?K*dNGs5%I|Cz?n^%v)laA9l6ruXUR1 zN?OBp=kAy;eD*+_essk8`5>TX7$lKEMNSu*;JOoa6|`V&L7V;(r;!;jmpXK^e{H(h z)I(u#h~S_03Z^$O8ZV^%%O_W~jZBSf9iiaj2E{CZuES`%O+Q$IsfHwFy$(88^ic89 z50n=6^9*ni1J4!}nUGVtzurn})+x%>Q-rX>5`ir1O zMg|LJlrBgCpDqc0p`xW9FbPQCATW1;2apLknj%h{E)=aDEdX861|4nskE$5zLCtNA zpa#|!c2sNW+P}D|XEt+>b)K%~r{+3zfwx@`eCWs=s%vBb)FgDgxeomhxybU3&L4U< z%n~$3bK9S>j#>g;2paw$&d#p6QDjNOe}$_)GqJ~-6%!kKjQ~lEK3gEW-FH|jON=GZ z0&-jZ>o>EItfGpydg4TfBl?08P*i5+*OQf&Wma`N(moWxCr|E)LG;*j7DKjrrV+iR zqSkyUe%^}XkRxtYr>ip`id@*`ANf$yJm}>6P{6!tvWRV;912-@JRigdm_wY)v&;i7 zPT|LUAT{7m^qiD39Ew~J&SS5$+Q*0TM*btW)k(xbRJ2m2=}Xo26@6@&k~=TGCCxJM zq3n&lXEI!FzFa%ca~~hz`mpdZoYK~AabyBZbkkdM`lfq33ZN9m10ysZK!JPm=1P5y zX?X`w=$32RsN{5NF9bzR&f{plh$C3M7(kI*uIK)k%wF=`$BSvuGL!MTMiYSG+n?1iwA8~GS* zyFJ7)m}oQ$ziC1m;zYud^g#235j|lbO~l!?U{v`5oT01J(i!ooM%@lvh_^i7Puf-G z`V`}8%$VHjKv#Pq6uI?sz6e?+uc3`8h}SWPbg#8QG#5QtaG}j96g&CVX-c_QuyQ@# zPTBGcmPdA8l?$ODj-wIT9BjlnV{a9( zZ>|i(S@JwjPsM@EQyI2ET)_~>TDWfB$5vw>Lv`|7{wrB|ilp>0PNx?R^f5&Dr<%^_ zV{T5n4hmcF7;zno5wY!KP;MYLZ~Nl)Rq@f=^*Vjb%O&DR#gM1SYu=Z#H+>`&v#H1` zQROxaC% zuXGv{XHL3w^t|Zs$om+*3%@07-1=j1XPjveb#>x$M)i~Gs}G}he#+fY|4X?Pie&g* zDR?sk3Nv@BWSxsz%}pz#pcsxxLmksRch33N8Jx=_=?~6zk6u>Fa43%JJp0LKj#_60 z$|Q|`7iC3n%3}G0TMu_dg8CK?kDH^BA#^@!qM{6jV!ABFCgW9WeR`Z?_dg{|AA~8q zMeIk@>4IE9F4bry9{ZTUdrIrgesoUDt@T+kftQqmzHfVq^reL=9k* zzl4p}4gCl`^z|zXMHyl;@7W9EwKH4CowQvaBYI2Emq9n>T8s!S>DO=H)2Qm`V>U0$ z|1K_1;>GwFP*Q_oq+g36JlcWSc-W*)oHfcnBBOwdv2)cF!cZQEcgXkZQYIE4uT0;I z5Bp++LOCgp#kNqa3S|%$M&DVcWu4Rd&>j-wc|WpzFVd}?k+M0|`dZ$5AC6(Y@S`rp zQ9vQaq~4&YHhU-LF6bF8lx~x`k72!_Oi5M$bRL|+EK&wQ0h~N9o;<~`r8|+5Kg$Le zj$#U6Y%dnq!JjsSQj6EewB96WFc$T_pu9=5Eb-=QdQqDbT-}*C!?ZkhZvdFj`{q4n zx|!8}S}2A~K7v^_Uam8vjK!(FaX9roz1~{aOqkvq%snHZ*T>*q54qH=$=urC>147t?;kwQ!xE8zX(bH<*Ub zauv-J<#JqhhMQ&dF~VmZgEuST7O$Q~>(yV^lBr9_!a)X?h^j zk@hlu07hPeq@_qOe-{_|1$=Fc1m$_b9zRsk7{42c@{Ls9g^M;fqN;8ar;LT-6YsO! znb2Rz`^u>#kGjiy!&Dx9UUjVT)VRQGOY@(%R~&}&M$yzuexZUen-}JlIKCWoA5$5M z#i~K?_4X}&OyqH$2VZ|Bt-8H0%;=5&oOQ1q4Cv8!Khoq|VjCFE8%C?}iT(om^OGJu zur8(+O7A&-@?^0}ug#|RF`jqb*p+IfKSt?!*F3!P15ga(KA0X{M}2iMAIYpQoIzQn z+f7>4WXvn0ami=mO%rZG(>wLNKUTws_3}Y6WH7Bqd!{!}^vV2BScN`j^af#^v@<;_H$IdByz%D*z49U7`S_+&pq#M+R(QEcbs;q zvk%o})QXS#7`XGM5v@<d{vCvNk?gMs+$aD$2?-*jzjHy=9d;3)+ZMCd?@AFQ*m~9 z=XlQDN>K(wDGP&ms$2(UYUZs*5%P;Mb;o<|G>p~6fWGl!^3LCje78N5M$JxV6SD3O zr(z^;%mJ^%3m=wSIzf5fydBd@>gv2@@ml!2(L<>1ADGHZ_M$u%U(cjel*_TV7O*vS zm5Z2<6XUE%$NNEf3_nhyY{t#b6-^WwOn=jy-N#};&s&^Cu76exRPjy$D4^=N)~I?Qk9su^UhllXF&O5>~2a|)?(AGm@#oT5oD5yjXrG{yNhR& z2POH8nY;LT#k~}HBQru&7`aQtM_PTRlFWgYy5{`laz5Nj_qsk2hVT6JB<~mg-#I&R ze6o8QEf}82?Fku7;@M18%-~r^;c}F;%#Oxd#1I~BC$Y%X(j;XRl&on;p8ZIZe@x;{ zE=655bsU>}uMG3+K>_Y?S*v6 z{aQ@jMfq!%X9rHlcP>Q>bC>QO5@FOBVAPH^$EMrRz`Px^Yg{}kAuZk9!H}K&%9gjX zbVK>5xgytiE!^o+9#@*ZW}64EK9KR5I$pUcwrSq>&M;`Vo|AK|)k+%97N+c;#Noh& zFlq-FbB3Yp4Q5ZRZ3)wL2*dcQlMy3?l;19)>$Jf-i3CdAZToE=XGQm>{$ z$I#u^b6S=cp#Ly@XR}2yewU0FGl{3pS2887R%G`vduP2F6ts~jI8kt$4WueDhZjC7 zm1UT>YYL2#f;Dp>_&AUDuH3n#u`9Tuhg2@a(M@?$=Cv03E~nak@D3;eaOtWoX-7XC zgklx9e*}|wkGvhp>I8jOF@Wb6^g#@}MH>x8FU!C2o@ETc`n?Ch4B$<&{8XsUyD=2+YWcQMd%kphKuqJsnK+XD)LOk5 zy(2GztY72N@WysNk-uPCO&GWviysG3*QDDvZ)vF*W*D)W5X#K|;< zF={ts=%9FY>b>A-)ut$ooeSf3Uzf3QG47Va{%=}c6n%!lx^NZEw2E#EOh+qVlQotM zy~@oqP|?L}=1M6Dz;s|@4G8k9j+ zGJpcKqKh#*whX`UQ+L?RF2?Pm;Y^KY?2a#cWfD;7O+LNG&$*b|yXE!*+IIJu@!Xc`%!6DZt1khMJ+g{YgQG4+_L?NZ zReWx4RaOjZ;qWlFS)z4F2?bOA{VX4upD=n z*6b~P#%=Mg>{{r&jC-K@tvg~jb@6|nOue^l!$3Xdk z|0Jd7T4+1lD9plc-&5Kfw$44@(Pl|p4Bts-UlkrT;NxQa?)&+enog68fxAg@I2?;| zC-R3_l<$R9Z;B*f*zTrTNGVEgL>D;>*~#7K-aKCo!n8#MqjqsLYwAT;?Ing~YI8oM zFRix9E~e_5R>{L?9!j>el|yqeRu}MTWvA2O`Zl_*!#JJ4m(|4=V-hh#=hI!@l1JrI zoI@wCLQyCfj9ajiQ$)Tn~P1w+qpKy z_@tjLs=;tEE$3AQbFBA=RR&?C-23JklYzq`gMl+Bj>51^Fc0VLL@7GHk>!X;?@C>f zJ>dk(5GXIp2mkz{J9{pM-(;>(o{rE}lHg+YEy{O1@NjrorTJDFfepfUY2fJdg=x20 zn%8A&4`#X;b&HN%*_Ix#gWzJ`jTQN>xaZW`Nmb<+pnyg5DAA+>Q*VAz9SfB8a545q zx}Vmd?G2$|vANl@LNMj_J)V$$$<)$E?Zt4E{~F{_uEkJ5DH>}~eI0Ef;|#cEueTgj zCl0bK_zu_hPCdnN#n2lYGrFVR+HP#jo7jr36rPKLH}5FQw(W{(H_3945q|7YHkfu> zrI#w}bPX}<#wWsZmMj7F_Nrb~QCAn^a;Uc7#i*RO*%akAD`4T0i5USJCu^d*nC+R)Wpkbn1j$OU2IMug@R0iO#m|`U64v7T4oFN9d&pK(N z!f1P9ycWjm$mIT!zIWAyxtORkItjR#p!5ANzO9Vk#Sk5>;!HLqG?fY_>JnOn?RqPH z>%mA}Jo8qG{b6y7p;Dfwpt=LvbXt0XRr{-+7u7v&p$x_DpErxw^U zn>vrtbb4(8dvCU(jK{sc<{?N5V4lu9zGQV%f>>S6z)s=9c->nW(Kn~K_ibX<(xJr%US?6RsT z^tSmfM(`MTRdTb&rin2;$pksKdY6tsCI<0Hh_Y=r_vc~)FDc&0){Tp|bG6U9%4A&( z-$lz_V~Ut!i?O@uwXv9A{989$Ez}+7IC{B)aJd+^lkG{Gz*eUqVC>F22}AK=+%BfI z&UG}jAF5N0lW`nh5=PC7>YZTLuGM<$@0(TBmc7Eb>-Jh0j@B9rceM@iUkQb`N z{4r%WUOaori^gK>ET6Y1|IV;I^pwls$9tU~X=}rKPmlCO-vDhwZy# zl1?d%R!T0KS_@;cFiXcJpG{q%8H}>9bmRf>9BU5?#c;7qJ{y>Q-mNpfis`zLe7^c; z+uPCZ52dx~?NqXbp~!2iX2^2T-E1dQU%dOrP&luNA#CIn;^8`UwGxEmH9 ze|1P16wL1zd0>;hIt0UYG;W)vV8_9H9a&IChntC!x+gZYu041ae8;p0gyicG`1go;e42Q}mVcGEC3SBR@1fPfX8+vt>AHuX{|*4OSr^0n&jBm|w-x zxag3jO%Ky1Ql$*SBJ+_gezkmX-Ex@3O6NWo^K--V-)uO27ET%-HD>7sj5L4zqJ|!W zbslXy#a3<^#*0~+Im=8A+Ltj=7bae;d0rT#V{30G8~?W|-HlIsi^Lh@a2)Aj-jzXSp(f)#%vl|uX1GlxmHF<}(#PJnx za4%4CCW->W++ElUdS5*C=drOF-!m71xV6F;&V%FssXz~ywHp>2G9JTx&n4Hg9$6U$ zrEi&SbhJbnhBq)SU*n^gt~IOO>ju|9e_Pn{j+P_uinoku@D3crg5mkT4%c6k*zMb5 z8qb@B4g(TRS9`lBgAu(Yha1XH(B8#to(RbI+ZZK8n8%wnt@lOw|D2u6dg8j4$6tlf z{(7)0r@w8}b8|`J3I;ZIE>$xH6wt=l9AA=9&(^bkvDT6?$d>-fcWT1OGPbNGt=n%c zdo&WWdCPG!of-dwqwC=l9cJY5u_#y=)Kfk*SS0%|jN}C?&Ao@wyLcKrtXw7vrtYFJ zTEv49FLq2jRxn~Wc^L$9|IIRHooO6CXZ4{@sRTw)r?o;4)Vj3xCi@G+cP?8Kvv zQ1qUJ%B3(S6Sq%h85Oiru4eL~>e!5j*}4%cr2SEEV1k&30lVqT?LxcGK^w3l)kDO6 zUBJUU-S;30jE0!~(OAaVT46A1R$iIWLP)y@?xY-#2T#(*lh6Iyt3Kdip6<3*=41%d zK0OT7snbZoQsZP!BV6L9wk%dwkHt?A(2wb!jT&NpS$3 z%2rd>f5&s$n^-7{kD2%oX{wiD)1wj|#_HsSMl(CxH^l^O+Y+sp+ILOV@7@Vhc++nU zYRM^vZc{!zjO8_DVVozbhk3kY)jBx3Qh=enb1?3FMlJ(w437WFPpp*9o)V#r#k`)_ ztSPU^(x1z7^v26ydD@SH_17e(^&(zSJ#o8=>tSARd@5K8hvD|iR1cDOt#S_&dLu6W zA@8Qz0y}8vpUq;_Zi4-#a()_@IDB554f@Wra?b|$tk}G>qJCqqh1l~>5~PRWy@ZL6 zb4A0m+eC@3@&8bCr6#G`RT(23h(xyG?>(`=@ZQUj^G*Nm7}}!{q)yBj0*JA_aH2d8 z<_K3VTBp&1vDIRVFAnBE+G@;NK1`BVRbB||V_=63WtqWk7sGzx2P@fLbl3+RK=d#I zcu(DquMs38kmzCXFQUk!GGL6kgED&S8Q0?W=$TM{;BLSRh#95;?}D)DxcgRT`(~f! zy?xpZ1)?ajhrz&*eqD>p5narWyz^Njma(m}q>ZoYOrD|I(6yuPx94C8spv>k4au^Y zFhc0i=sk=PI!8ePR(b=s#XLPs5H1c>Xk4?&`cs0HT~RP=GZzm7gFku2krIf>!6%ky zeKXs`z~F*eBl#ZY1gU&blU8moVCOly*Gt+721qk|){rNXqDrPv*b$-&z+S1R4JC`f@X z(I;_mgrD+zv`Td22GfRNZ!5q%Jj@eDtf=JNE{pt)s_ClSblvskVXQC_R6&1tW0_S< z6t42RD)|0t2v~J`j2E`aKo68L$HXOY-(R>GGsGzj9!3b|%$94_>+RCX(|BhG!@H3J zw&5)W*B*SlTkFijRN*S5ilNp=#<35$7_jnsw$s$o(?Z19e8RAy)V7(lzM%Br*0Omy zXjOzG%ldG!he5-*F23Cnn%MSwy$-^h;V22m;e64x*Dzf;5&Shz<*pz;H+k`<4Z%mD z)FxjG8zJFgt}vo?-e1(1DZCZ0)Qb1a71^CW7&4@SU?a{BXGZ0kx26roVSP9wP7y5L zsXEuU5d|WQ_jK?~*@@~+HHt!W_;l1aOdOuK(^%+lg%jO&s#uE=2lOyQI8p%Na|7yt zPk=>_QG44sKWFCXlYs+|d0ETr@5Q&dHPyz${Gh7Kbj+y=mNZQZjvb;HCR`T(_rGtg zSDCCx(Wth0Cdg)zPj+Rl^_Z52VMA&Gt`-Md8zlz1kAf6Ha$+FyJ1Y+& zgH^#iOeLz00|buPrVMk4;&>!S5DbcVm`9{m56Uaj8}K_szK8ik=P29&y3VTHu(ur) zqEgo{%<-~1nZ@@#j3XvIE%~W?;9>S~{*pZPAI;ImPm12Ju5zc3gEIIy3+CE&*u`4P zho>#;MpIE8o%_znoSv_yjdOHesgxJjcyXKqP_W~UY9Qe)3$umPFMuGT)?m=a;FIt% z3SMkNfB{0O4$}k=Y&#}FmcKUKWbpXVSF&0Oy$P@^HG|NRxK7YgyWojHXe2D zYFv6(Zse(+KIvg-aJg8W%~$7S;F@REj>`%CVm!tO#HP&BENmWO|q>9Hs2nHRjTG z4$wy8$``Dx-q?YEVHjb?a4EOCWVImvx5x2&F36As= zM`Db^aYxn1A(ZBq)?w1aG~sd_4_5r0XZ0nw54m(PRTxzHmce0A44=8kh$jLjJthmg zJ+<9Zj8Vf&8Oru{m*(946@j6{`%|55m{8%W%35;D!`LCw;KqV*bo|Su9<;9HLgL!x zIK;?OA+^j*ut9@>3tnjBa30Rj!I*0I+g=6tbCAcMG@^(=>uWQZHhd1_P`eJBf6}!2 zr`DC`($Jc%kL&Q8o+neg*wsRl`a(O@1I!*$c34E6rN3IGP(c3{<%R(P!H!hg?9WbA z+r;3AqC*SD{GoFcl)w9MIbFF-q5dRcFmcQ(cC1raBE`dqViY`uFZ~I^JYslgo8oki zc}yTm1&D+1hZ)4AV4uPj4Rv$?l(uQbTuCb!MGPm4D8Cmoe2^Z?Y%!Xg{VA zpIMdWAKH~)_-1U8Rc$m*4ySCaTIy%(-3J$Cc`2}{4aN;O59hXGXMFW+w(0o*m`gmj zMZcUf-P%UWs$WCY!;Py-NbYBj`P^$1LsH*5;Z1L|Hm_Zm+{27eL)PB`iw9amR z52Cu}GRS$+)7&tccwbX-?5!h-+QWq6qG0P3WNKkTF&5j*>_%Z|0hm%8FM3s6J&YzU z4w)FIb=k?vGqa363@Xa0rOGy%mkg7M)P#}C$sqUcH8IomzZh9u-6r#~?R#KCu>tc3 zlT*eHXQ){l<|xLN9(UxSd$@Vf|Ht74T{o>8B6)%~x$N37S0Sj2k|FoRSThqbgc#+o zc_ltOhXlqBjLv3BizI!uIS0v@%Q@jtNfZRecwbu#fS?;FxbY?G4 zP;^k2LlI zOdm!MO%UI<0-<~@GEV;BjwXaj!xi7W$&E@=L(Pm7Oc;*k>}{AkVvR||n7S!hYBGD6 zHJq?tzoaQ~RVa;rb99ZaMz!3MHD4uW4aqO}7yW1#yUN@1Z6~j(_e@a2mMJT%Z>@X0 zt4}(BLza;vHRaA#kEz3D$_3l-ufkLqLretaiderKZYMFH-UZ222|#!KW86@kNfrNW za=&!%$Zx@h9)=B_qp(t`LdXPT*<{qm%;9YM5>d1CaGp$8b5)8mnDrt*KE@6g3JGxR zDLzIKr4~iO^6tv%4R#c`_$&o@S%*tyPyGZVk*4IJYRk>op4w6GVs6i`_8kBsyOFw3 z#a{D{S?FWzFv*XUMX}6FmA0fxgtPCGRqHx>grYOP8CK89}oN& z=^s&Da%%CB?QPtWk9oosYd9M0O!YBVxMY;@6aR}!?==U_I;V0IDlDqyT>2O-oX&#B zj`U)h@Y2OyweWq^pAch8lq0)7k$Vz;6kI+#Q`ARU4M=Z_I4kQy@jKTf#|Qn%zlcOw zAXpzmh2l67)HJ|&T!*1okiwk54bGVZ+8~T6?ZiIc*IJT$8>TYX0Zzisvs1^wRP8+E z5@^~FbYB2thH)yWX`S+(^r9c<0)Drv5u%I8Z*zmLIe$p@=mU zVq8(#IP(u2N!BN2MkIAX#>|K_!?yM@7pOdJuQ{WIB4=-WX#sJF%EAY^1pFKnmxR>8zt`IDkT0Nc3LX#ZWG%al-lGivC6U z#@r$?I=H5Vz6@W&Y5(;xEO^h-x4|SopjP+30~id(iFO@MGTVx@vqCJ39D{<-oMNq6 zE+1%_Jw~4 zGl5b5D%1wFY|8&?V=xmqeF!uO(1tjG+w?@afX+j8-ums&BV7ju7;;6bVl%H7<{8MWRAis(qHQoAd=VR+{-1h}lzl7CYPY@NLh zgMZ?tyr~AF++^R%`Y0E2HL%w8^But7Dhd;+{OHMQKBoMh>mAFk6@2LY6_uQ9@-0MR zsNDie?2~wx6JvZ+N6jZyv)dQ|g>=r|MJ6l zsyu2QSXMG^XUAyYIB#<=aiW5c`93P7L}cf+pQ1JjirbIib^(nqjP)h*85yd#>N~JL z^4?_jJpp5Vb9TybFbm^-33vL(G19l#om)81*sJ+}7*L;dvRaKd#7rNNQtOL(p^d;v zoa(*a&*_QXCv*^d6xe9fG5Z@VX7!R%WZPZMXl<9$%+EG?ZB<$^zc(s4|HYMd)EnZc z?(z@2de2E2kZaDc+8iw3XGNhdxNtDgrvQtyRo=xd^&l*;P9B*ytDclU#lwxh^OWjJW#aNo|G_$Is=d}l{ywcZ@)9_96{yJ%+rab0<4 z(~Mf07;YfU@{Ob&mD2(L551sP$YcJb4TsVg2eL-Ecf?>Vdll?l?7$)#nB`NM zg4Eo^<@m)&U(B*i6De}v0E*^!UX{&wK&|;0`HR>)&qUGxFPwljiUysgXg+58B9@BR z+Ojn{ItYEPOD)4Q9PK2E4V+9UOm{-s zy+%U^A47RK@88E9o>cc<#-`qeVZ0~uKF@4M5{B+v2R-KQoTIQ2$F`X`n(+b5-Hn4d zS!e+KziX}y!`2%my;M1sAUk)f>Fa|SzYF4NZ##d~{RNoB`w>LJeK3d?^u*)E&7Yl& zM9kt*H745rv}>VU&BBrVhnCN7s;~FVDo1xe)i9v-*V{xBvv{O1MSXt9cl7n!oRf(= z$V%_upnNSk-%~HeH`VW>b&{M%q=!qoR$(Ap)knhk;0S@y7&S%-NQJ97{nt zA9HxIoDij{_WBX~n8BMA{KKhRU=T0Ztk3;651bl*b{7ez@RIzL@42uiS327N71GL- z5Bo(l2%~syjc2)1WiF>tmV_A#orpp9c~Bn|e4<8l#8xl+=)ZSK_*bByW1)Eoz-=Quhrn&%vaT`g190(_82Z7~Xx za2!xV?R6vu_2hb1WV!ifu6}}VA`^LGugB+OLNAWSP%p!LUa*!XYu0z7Ya?;TYQ~FG z-LwTZ5|J>ZcbDc`@mymZl)#ayYO9qa6Yr|yYyV7k;Ctj-RYeA@y;ikbU_qR&j3;)t zWfA3vsE|>KQNDZrk@Bjds-t_UTxvrc(YnubJ84&TnWLp3Kjegl=z0n!`9?&q;Xmmhufg#`%;rjk=}z80l+0cug2gZ|Y$YLd^Iri@D}zA7W^4&I)$=La(G6Hiam;c0VkJXNP9nK3F+9uVsjO zFM!KN@XhA>3H1boA;$V{6%H+DN>JU3-ab0SC|@W){n}`RKE&`|@U)ORi70pCK(XfD zg2DOH)Qk7Xv`cY#JtWP{u1pLuzjx6hRKA3%91k(Y7l}>zrMq^B!9I`5b{Usr<&$O7 z^cckdihI+CS-#8haA{T1U8o5!4nm%UW&e&?7UhwdDw2yyBe36SQM&__%b)zUV8*_x zjl@pSL@EoP8sUzn331ze^$jZ924>8>r@0!}o zhKym#?|Xd|DkIn8M;KzzFBbGY%fYA?${*YPHo@JW+D)LKB64YEe`XYB{ zh;hG{ZWFuyCWfiMKuDv^@P`gD@%JC3uM9ErmoRF&c=j<{R+NMCJFr42d3}%P5Ho(x zn(jjk`pu+8GSNSU@t4?;e40sPtgO0P><}}4qh!`*qyN|agIS$_h=IRlUGSzRp~D?B zbTkoM266v6u}prK>+DkVMH}I$D)=!_-QbPc!{XR()he2J?ry1X*+w#@c2|6m?xhxf z5QC(wORBtLbH@!a8hF20g`>c@-VwMzsw9Y3#w`Mk3BjLvD!=6Cplhs|i^AdDk;jv% z%?>diIOFevoFA9AvPPMwA*KNXN)b8a=rsDRUV+2k>J>P|OyGaAcVSMD{Bt{Ha_hE6 zcU53kP?dCEj{Dc+UP)5p>Bq8-*>%N1N}IUogK;j6e6!RPTTBQBQeK-HK_65NBHawA z?e7QQbeq`@F&jwX#{6TO$^mU5L<40QVkGdM6|a;Z)#(|nnpY0aZGN@8;KMXr>DjtN z%mfBoUYNx-h8PTd2-`%pUhmN%<^!8Tc!?4C9y;0y261BFaU2Z<+q!)Y-4J7e3n>r6 zctC7v{(a>gyYqmVz$ccb{N%JVFb{Ysgm|%Wv{6v_9ww9UvLF7TcEr?@S3JZ-AmwE1 z$y?eOD0dUJx!FITBXK6B+<-Qn5%mTiVjwUmMBcD1z!f&cNZ^#w$w5T~&h7x+jez;U z)$M@DjrSHpuTEV_$Fv}AG<^`h_psR0vlFQ}>T`k{=rS@62liGeLre!gk=0VRIces( zjS<0HT4y?tXx}a{Gx%~^=M-JL5Kg^;IJNs}+&Z57bBV#hl~mLk|Fco#aftcBv&)W^ zJ4d~zAtnmF|M_ooWn+j?vB=~_waOIc2IEt<-pQ|!n};CA216?GO+~P&%#1bw_YKTH z$^!GQ;uI^ZwsjNZk@^^F~`j`>CFTSHrnSD$N zUiT*B*?rI^=j}E$eT)kFJT;64`bJ?YP{wQ53Dt>Ar&m-gVn*SZ2+Y|gP`$44DR18c z1)j^4rQ6f7bPNIB^&VY|EN1`CwcrC$w-v7)lff9EjJUH8JCHig0{cU7I)`r>an&lk zJ1hw!fl2+bSK3Q$XX4Ip#!S4(>f%{cJ9kzW6M+v?S7s3dfw#PQKApol`N+Pf^WW9t z>L*?{<^yl((0E7zuX7ykpmglO=zbGeLgo}pCiza~yFF9hBPEj;ZT8W~lP%tAO9{4* zNx=d8*z(N29G97LaTZEFm%?ZRv3YWIMuWjY-}2*W9q1c{1H$XHr~jFF2k?f=&LDFdfr}$>x=3ijGTb-tba>{mQ)vd72Au{wv&RZ_Faz zh;>;^;+geaFm{;cJkuOt%oYwa&dOo4b{6#YF<+>*Vfh%l8>xpYTvs%&_=A!Y02wF@ z8s5n_cHj;PxIX3$C(Xtdx6y`qB(qOx(BqhC77%RNV`1_?aL{F(| z{O;`e#ejJGm^U0whN>2Kqwhf&GEBdVs#4v{t%vIA5_r_wm!ayWt&P-1;d+}UYZcjz zd4lo6QOWlEb0*VzoERy*ou>L}L)UUJS{Tc)MYt)=J_ZU$JTFeo+wF;oVZwyHP~3N{ zdA8b2Y9D|_3zteKEH$+k`<|A8%k(1odF;6{Ww~6_lw4XN|@ICKI0;P&E+F*kF02*w1&Yyf0uM4JTn&$T`P8ss;wBu2DL@#dFI=3gCFfsw*LlX2&(V|j{ZBeubVV>!VH z;r)EI(ysH8yM<9Gt&M_)cKftQmc!fe!u}1o55&_X36e=NJodHK#(0`h3mLFzM^xR{ zjhjIfRO5F^msq=i^)cAEl$gs+w@*eNQ-bQeh{WuUiGt2ZOwkvI>L7mRR$_oq9j`0J zA04;pV|0+>x^&Z?w;t_S7tictbnsq2UQLbB9}HudFir>hSUncP7$N=4$_d}}F-;g( zY$tmDYQa863*!w3x-xyt8Mcjni#_lgF=#lRrB7*FzQDCm(F_edv|+g}I?6Em&&1Le zm-wm8+yrq|6&oQv*Umh|3}P(GH@OLR26&Dl_;F3=T_eZf;q;?z%A*Ht7&u(=s%T1i zxjOUEc4@=c!u;WK9)C4wC_eTpWI#u%H!`SH#AvJ=6*R{?xmYDXK0GNJ%pjh!lBa{9 zIAa@D*3LvbW)kDxy@DF1g{%C<*9=fjn!0l!h@r$&HVaDt^gS&Bl~HuAhjw_Au@@HH z-e}i)TH=Zy2qo`h0CD`Un;w;e8OtYT5Fe7|6UmKg*FtNWjMSl-^z*f=ab8pS^?Lf4 zH(bugsrQHt!-i?IZ*|Un8yCh7uRl#sWVC(M>LCuLb5AIsUghOpp)rNH+BNxB?q5sF zTzP-Hk4dBkOLaHSz)T|bA$jAZmI1Z~%p_jN3p55A8$W7Ad8@23mw3}qMotytK~D@r ziRpoJwF!0)3^8yx>HVQJHQ8F!+V#-<9!R-Uo#`m9(fV%C4CTI4b!7zm9;{G3`JgRL z=nTXA+ky6g^J)1h*QX7|TvJLF36wptwtoy1`Xa(#Vha11DI5vq9S6!E>^u;xfqn5a zE(HPha7-2^`-7lrIm@rXSmCN93Gzy>csI91PwPMV!)o#7>@cH^hsLM4JCZs1$?Awv z!zJHJV<^tdi@ii*+HlEpQSI3GV4;_~d0GO#@SK;O_lTjw87cO^@_$W|1?;@C*c zz}fm3DO@$uSEW`soqPI@88%w8ht5C`*t^ZeyLKg3w4lWDQuTvJ3!aB0EGkA_XU>R= zG0Y>Orq+aJAKVoz&$;{`)8H{r_`qlrTZ^o=!rag4WAdBf9%HaDzMhYlXALe_79S&q zX)K)??LugW52a(d_2Gn6Dq%yXeGC;o^7V(d@neYaSb9BRmD5AU0O5!iZP4Lf2QWSO zR2T=p_6>0`my>2AXmr!ZJmHelYZQBal)CGT#GBkacKcBn8yqi=g=n3-V0LN8NT)D{1sGGT62_S1YkuE2<5~%^gbita9=*T|}dgF~M|}LN_bK zpx~;gc4AFO?3uf%Ug&87STnhH0Lh6E1A{|Rz6zCSM$gW7=)=va>nS5R-)e zCm-kL)xQ^p7#x(|0{N20GS?Z6c|mp%+sAm;8Q~#$b0HVSvK3;}j<%5$T!;a}xbCH| zA3>@m143WxzoM#CGS3byLd*`*#`PbyK519uez#@KtB*WL_G`Y~N-x8?riB%8(v}~!)vNlQpb?HoPboNK2r)iL*y^Q)t>M##m>`VTywFrotzn)61Gyvt zrIHY{fpT?jWc1n@0L|{6eP^oUXD2`CJZBCu8Mr7#wLb^m+6a8CAokLM_Q@WE7!F*u zDksiC&;X^=cGQrto{y)T`bD&k!<6OCGuz1MRVbkjV>~vzqp+k29(9ZmbAjJD70286 z!|hdyny-uEm9}`E6^Aw_$<|jvFyS&bDvp|!))T`8X0(q`hgDvylMYZZ8e&LrI$oSQ zHFc&XK73&BmlkK*fS+&LxBgAmvbd&^N7U%UVxGAX;Pa6p>bR?fkuDVtj1e1MdTm|}*-XtNW z1gDRQ{X%?QTfU2}w*htdORWM!%nWwKI73VVdhdYiTxP4K{O|H1Sq7A>oy{ln(UUe3 zn&3dZ35T>qi21)&(QJ06pnq$!SCgxu{uFV`TN(*Pa8hQx8 ztqlG1A4lFx8-dY3mMOx~_=Ky}bAD}zAxEK%L5P{ZJH9=!uj`hlvnLKF{#M1IE_uG~(QGa$}^gWxSj^)yF0v zNTe;kQ980o}?Iq%JqRccpLbaFG84P1$JQ{p0~5VL`Cb>KN# z^e_?V^L8)}=pBU{cZ&Q_@`_!QR5U2mv-x6H@JSqaXR>27a3$kAxfp3V?hu24Q&y57 z<&YDz*U1}UFz}XV`=$r;ycJeK0;ai?0(`kH`>{gR^lQ+)^K1V`^K@Hbw`h15ELRm>j%q_ROh* zqL0SM_eE8M+O-h#gVGhuKZ22X<@UL3hd%??+P(2*lLOmiyWmOF)Jts?BUbLwQ9v$x~-spQ|M_Q zNbc1^y1cb?FcyZ3fe}IK@x?q^$sq;<+cHqyCBBTpDBza^Wqj&d1oIE=dQ2fn-(77j zBkgM3v08ekKYlRnQY_Scf2(!nJWHPI)w3by|I!0JvF6+c%zkW`0UW3UTjt2Gc?iJb z&7mQu55*MVczAC;e!*b6HxLk#vw59K@is5(@B_j^EF` zLyZ2#qFhSHz+WpFVi3@1iyC77FHIKlYTh}g#lYX~_!>+DT>D9V9i%CAdq0Ml>`R(f z?8AJ6rY&K}Z?Td$D&E+J724&{^eB7P5D*PxM@;$=0ohb8LZkB;&>X3|ct$e0?njHE zza+1S;r7iD%>KpOH>ZM9h{3;Q@G0m{W6b&S7o`wuy*8{ZA-3$qLm0IYnC0X08_5Z# zU5ah$VbvDT9UC8dqGrtVtw*c7jY zLzOV}aC+~jGG6U!e5Am$O0e8J(=fNElDc)%fxAKs?hUAM7_bLS@Qr7)`C~Gf*pVXU z_ZH*XeAc-f+e}%Ds+PO@L~J;zd{|P2+Gju`T9jhXO7j=t=43<9ih_~8i$sJ5esq2& zv?^&SQxb?dXu%?e_a1w6^ojg2Pn$nlMvkqQ^a0R_?gvKsl)05-T<=ys@6C=n_cbcp zQMa8S^pwB(>Y$x{Wm(N#=SCRdlQ(MXzHZv^&3Xr({(tl%zcWo1BE+a3iC4FPy8hW% zl1#9dk{#UrLPAXEJrrfG)1LOb#)w|pB4J1gJ;aROOq9KO8H}rv*|IhvM)On`9cxv` zI3C4`74Z`tsl3ob-}P6?edm2*2~J+s>R<~%Pa)>-;?>v}kYW^1b^WDiuJgFD0O0I$ z1n=^gF^o50a+xWq*31?7U>c7?tSn=8s;_fr%;bF`FJl{=v?!e(+%NS93_TL$Ih7fQ)?D$HEHH+>O@L z*+^Yhg$cm)gRPk%1pYbR|F@Aly|xx$6fj;<^lF}z^nxMVuS>;58IA~M18*`Ce07jS zAqE5E@ipm#xc4p$1Wx0X>j`;)z!v0`VY3XGt1B(L=^+6*HyWKg&*3l#_-DiNT2Svx zX;Y^q&;2_+l7n>EZMUG&Z;v7P<}aZ-2!79wFk-uVs4Sr2pJP7oy2xLim}-~O9<{n2 z0JKvXI|qYI)HYvltt%K7w8gGTd8y0$hQ6MJ)J4Z$k1#QqOui+n|M|Dv@L#EIiYBo9 zi4v%qc36mE!ckVNkIHP?<+yyCl_e0&3Nbx6&MEKS4FEATNJUK_Or6#?J!%Md7C)Wi?^Qb*EurhCW-b!gwexOpJWo4YQ@Vg<%HH} zKr_8@i_C@?LX;2ZFJ2pF1{@^JBF1tHX4}GkqZmcp@io(KV}IQUm*o(S`Y4~*(u?SyZHnZse4B!NnH6B?(Dz{*W{Qb(9GOr+~gg{Gf^ zTh>&knlI9g)JEfiQI?nOKG$8uBMck1PIo4lIsYS!6smOe3%9R_R!7MmURJeg+w!G+ zX40d3)sG4y%oY-NFSmTHzRxwEJeboPIi);EM~n1#z0Yoh0mJkm?x|BSLWPb(}spPuWp~Ny0nTG-JxjP7j3$lZ20gE6?{_0&XM% zBMcOZAk1#U0Dn)N<998`*m^BBc zP{=E5SBx-8m^5W^;1`E8(Avsg#$%pvRW|hxDwo&SdBeSrFjja&mbTFgfX#V@;X-np zW^z)J2V{Fr5vB=~$#6dNbuNf7PpE1h*t=_5Vu)}chaA%k;pdYjC?$v?qp zJ{#SQXSxn(Kz%zV+GNC#;Wwkg?ASHY{0W|(gvDv5YM0}JHaXvEGF%QRja+l&={cy> zjOYZm6D&lSG`v%qdrEl^N7fPM4R2^4H-8)66lZp>E5cBr(lQNZR9B!o2^c3--Ei{C zmJo_CM|j)R(if*%*ZE?VOwJF$n`VhHWjH_VMA=J8AW8{oYw6tx(}r=JNTWi4NQ7a- z>v$&3QO@RxzL04np)Jm5X}9z!!i3>XrcUR5wGNT5uVBqw1tzX%iwjAMQhYFn4~CJ# zR`%v6FB5k;+Z1*E(W1-J^HlodwAk&m!PpjO56MhUDeYQZT}q_As4mODvHD}c@HAW7 z>L6_dw7(h4sWD-&ptAhzG~G?QyZeN&x4IL#d?X}N)_Y`Gc1i3}g6GGMJKc1Q9zGVu zUveR8_ZOGILxjP@!Iztxcrw2l&orCEz+ozQS+Y|=ap^>;jm7;3<)-^X#uJ%#F%BAc zR3=oQ+)sqTLlyJbMus87CEI5D$(%3cA7S2b^<_D{@7xtrO?<;LEl9yIA$c69%=5AG zq4k}#!B`g~nTfCVm%_+BD>KqblzXSJ3M3;85neOV&R9p>j4{Fi7p*9e@zrpz-EKE_ z%a_40;dmkcK3kblA;t%Nu_Pu2y`!Kx?R!nHHry192rhRY^==_Eio3 ze5Y0GCks2~2ETsP%J|R1(c_Gfp^VEp}ADr5FbsyVG5DcJze9OVsxTp zFGWtmM)psECN(H1)o;qwSW^+hf21{V6n3pt{|ULw?dg1^;}u{Ya3t2`d5szwbC%kQ zh@rrQRW;FQ_r;dIcEc7-0}gp6U21us%KmnqY^UmT-irBX1%ujHtS%#Ci`LySOSRAC zvD!Puh~R2I9jBd>k&}mRyeJF}{^x)DfBaj!5R>)F&7tl;yi*PnVLXsfJ<)>Os$Buu za@Tqwx>oE&7 zj@=GBj}qH3ldrlmOJ5>P6^?7l*5;%pzo7$#^q^%mF-|y3zOIs|#Q6g;NJz-CoQFnb zcZ3nbYsPmh=be-!h6f25$lM2A5vB)I62F$#Wd!HlM~;suKJr4zz;y?C2*S1aZ$mH2 z*c&lHcviSOYDPI742%@U*@iMXE%z*f@;z!k5hfMe^O?OvVuZX@ z-S9ED=<^;uEeW%d`dFEcI%XE{x{_p_2Za$vlBs+VFP0NNf6~TcnHp86XwFbfFV0K0 z$++9zF~=y^BqBN83eyqh7k!T&bBx|m(DqJBlRzIN!YJc-%b90>V|;O#i3554od<$z z(X*^%TNQfSizKELr*e&@&S@8_+`b=1KDbga_XDUA<`XYj{OZ6r(g~r1k35hoeNkrA z`rNQV%rDA!(q;qgH60U-BUb*9%iK*VHm??%7Ga1n*}pPMR<;`YGW0k_1ed`WW^B)2 z3>*Ah{np)wG0x_vkU~nEvy(Re@|h1k5_7(_vxZOVtJf>n# zMWOD>?#RPC(tTf)_kKygX+;<29Kh(~BprjIsR+Z5a;_azgygVgj6kMx@sQ@V)Uu-( zfLw{gq0Lzes|#x9Yhrebx3Ux$)i7-oMogNra22*i7=;`a*_NA??EWkTrX#0K#j2f4 zQ#-#_R&IHta0x1445?*BPEx8=l)()-(_CSgl$`G?3A&NoVpwuss!ElY)_e9`!Mx-+c22^y%{Pd7$;X?~ z&9uYx#mMALFLKfrw4*OKt=q))a@XJNYjF!Hp(wj-_6WOvmyO3A7WD>SHU%1QF(`TV z#?6jw-6Hld#jZTGd}yo2(huI8zJ7?Wu zhH_BoowuwCDRzjkxW(LLOIbxP*~RBTOi#{9VU`YxN~m_c4a1Yc9|r+dpKdWnX)4}? z>G@$*S74a3&#c5KW$!3lrK-=_x%Ou-Mrm^uVv4dO+iMNQ$w;v~6oUF}Z*Pp*Q_{?> zCvI-;fYnQ3#!~NTZzfIAy}Mz~a;zu2sH;G`#^E};74`W&B`nwgT;fxA3$iB}=9jmW zbosEa$HInWq0@s{ZyxhkdRM923^xK^Jt$?d)2^{l{XHRWF-fVH_BUC)nJ{o;1TF)h zz8Tbn0__SIq0}R&Uv?{PfYHg-OTH`l*T<;jZ-GI9>~jjUlH+!ls9TIi-j5RJJ}=AH z!=;*u4Z~~cXjMQtt(*LbidyO<@~t~Pjp@f)jq5{OqUo_N zP9Ezs^zKkN)7tNN6?CeXwH_eLYhv>8ZW#oF`PYUn$1TPkr{YOC1DXA3wWPkqnB(-Y z%eltNxm=x%#TkC_q_;Jq3EJNTuegkK8o0BH(Z*8(p6XX*_9Cdng6e(D|Ni;EfBv`W zfF;=H!KmYF; zUL>(m&(5QM=Fk3xtu{^8EX4ri->n9b+D-nimR;F{LF(UCsr_r1er`Jj7Q>HIRfr7s2foDwq+fTPX#En7nigW40#&bD z%s9$nz9-$a#!ACUNh;HOpft|aiF?iHRc*)@z%89 zT0?QXMSF(JMtqPD!vWJe(9&UbVRTV$pXK*7e|NMsCAPLPg`vf}LQ0d<@17YLRt)qH z(m-}?AD1Xo@I*LFD$260vVDs|#6Hs=^N78pFhZOX$^sqxSsBldAtfY=atfN&^N!yyg7%TL*a$kW10;7d9KbA$y zb;cOsQs3+A0n9wOw#Mm!wXwg9a4|y|t!Jx{`t~@Z+0M~P0$qvbQW7$#gSR!%L-)%rEOsLbsdmxgT+E~W^Ba<8|`>jzob zSuPi|g9BB(YNu=AcbpB}^l~vtct7$_(O2r*A^5}fh%y;PPIf6SRa-8#-PI+ro!(ismCqtc4ZFa_+~7ie$h6Ct zb}=?M5Js$xU5dpYL`LeC#&%5Ab6v+%<%S2g9DrZ`rvKEh_AA0!bd_z@bKW|=T}%}I zW1p8d+#hr?RT%C|RX0m-t5v#~7F^0b#eS;h`oN1TKWKkm)(&o6tZBUf3`&(B8$+pTE&ocP(nhF7F9hq&ama zaH5lpEE|N6s?mVeN!7)aY#eSrnv;@Kv%@KWA3e&})5rM*KXgXHeK-u9*dP0eKMkE( z7-?%|#QqXoe5Qntx?ujeM2pTs0&F;5VR`;)=i2N|0^@#@Tz|*Ld5dvBQ%|eE$RDLC zjVRQcsM?W47bAetA+0E++H7XB;9DTZ0sEE&Mgn_B{iWrH!N0yy7y}tm8{20Yx5{f> z%!2%W5NSyYkDUi8ra}Bd{UAN!&jNUR1Hep(33gE1CpuRgQkp%N#n=ZXW<^Hgt?uqf zVWj56VoW3d;Wd(>XE z9d;7NOQ=`YnDz?mr*T&ukv-|t`DZ_fdwra%sz;(|2`t%XH|9(tg<@%LkKojB-q=qu zSF)hqn|bQQJh$Ltf@GF&%|1~J2UkL6T`L&FBNR#rGUMHMyiLrK#KBO1io;H2qQ7Lz z#b8N5>Y3$UFJgNZ^r%gV@@Th4bbHtlKQU4qb9yw^n#aYg$SC=Gl0QMtF{VV;dy_~z zImc`SHsTKjxn&>h+8*Wb-A-FF*U~OHvpyO&>1z|BE{tI&6sAI=aFIMRM+WmCi&T_5 zLNg+MdCxK`%Us`#LjmxZ8-W-FnH-~Yk+rDKxgLG4M{ z+KMq@cw@QxddX38{LB4Ix>D|6;xk;#XAC||qp#1mY0V9cSS|c@?8s(ebvvi-_5d5? zrLE{(t+QuVd_gsC1hX5Xa2&4unKSX@(Yf`@h>ygJFC0gDz0Q}5`O;s7^Oz07x``+f zj0p~H<4J;dgi6y!vA>J?jUY;#QE}r?6_6;Mhd=+7kxnQZ3YVU?naUHQtgZA`+!Zq% zktnHMyUb24+?G;hFVv~dV(nc_bIjK>?eKzLVRR#3_?=*7MOD7o)>^S=BXI&#W!v%} z4|>aISK|&HMZVWlw>!n=Vx+^A!irBXy(_ii_9#)Q=bbP@BCRpFYmR!!8(kn;rwj%< z{L#H14}+0&UMrun2cN?+(&68SvoM|}yuY4{`Hk68SS*!`2@SmmUm9hy>*4a71x^^> z&6kl`uzK-E(K-%?^}m{VAdFY}ga+r(hTC|nNtIGa3WKjN){HIeAp!2lDgod8pPkK4EZW4D7sFBuM%i!~9;J4b-l6=vy zG_2q3qpQr-#*OauXE2Jfo{X+P=`1z^pO~jk6~^&09osi~qy49gfsEiT>PU2A5<{Cc z)elp@zWY>uwsztk6{|jRau-t>{wU;OQ2XO!Fr&`|!Bj@?D6C{9Go=r?RDi7)6B=f{ zn=*nc6S!*VOxA;7 z`ESX35(i6XFr|&G`K%bh&^P$|L4J~GYz($O&m9c)8Mg3~gdNJ1LU*|aEW;$|2(4fmW0`A%g&cl+nqdlK z60Sfd4hOB30K*Js$Pt>*PK*69o>w~tvn6kzkyFJMGE$g z$wSxOsc?&Z7lRjPyqKr5>p#%g;V^EYO^9G-xl)*{_%@$M$bZH-#Y7gH1Bqxge0+is z6F$Djfs=ILmK{k5HoT`pP4;}CRNm#rxmW|wLSvp{qK|BnfU_PMug3X9cc=-&6r=q8 zRUT_^>YZ18yBMN~^b*|4>8vo(8`cmQx4aF=S4xaLLKH0hAAG@kBnyk zFhxO;$?PXRAY4pS{C&OXxG#L-nf4rZj2v?m{%Q_EQx_8z13?XaczUo$BdX_M!w5z1 zC|uER=XX>FP@`{1pEw`Ed37jFAM-M9NFeorQaaOGQmS^4N)-FaUlGW9!r|1Jy z6t&-ba>OXtDbsvUe}WB$Yibk@{MnZVWA0*9fTFfYw_B; zVny|=%nGv-4}Q#|rkIVOn$W5dwCjvcVNl{RNGy3;Ya~v-oux%DvJ_m#xM5picH%5( zq%Z$s=|x^SXE6l1b%six$UsSR@X3nM2UU&Et^A^)! zz@=q)bQUug+6K-ORkhqz%vVs9b#KI;?IBosSWgb4fYdo9;3{0lq26t;hF!A(>y;Mj zH2I(mxQB6zRkUK4;gXVbWANlfeH=1_ympGeDRU?6PvU;Ua@*C2*q8WowU4;XCsdIX+w0t#CNpB^SOPTj;#wMy2g zzf#8PVM3#KR8OBny1v^e^f0JFQP4F>UL;N5)9d3j5_=+JL}RAv9@CS2*V{0}>k)ej zBI_fwQ8=dJN69)KoAB;K7`NiNUXR|>C~>G<@?9``!^8AOB=jbEPWD~>q-xT`ti~mh z^J#=x?+BN#Xq!PY;ERpHotuihBEpd+x4Whe)&y3CNsskxa2VHWH~XipE*925O2FS1qb9+_UhkkgYm z*uR9sD9KqeN}v0Kdo~2F!pHf@Zzk<+eAB~d$7=pKp9bMH?0V~1pTZP2F>k=bEJq@; zW6o=`e_2o4y(>M8a72%KnI~=Y%){7*`n@EZ8dP(8J;a8p_NI5DH2|)&$*Nle+ryy7 z;L2DIT^&!`$h(EXDZCYvP|J#GS#?tO`eCv zm_iEwQ0~;<@2PrhBb$|19u{Tt(=@M8n!@XmV{U^21?! zuSasJ#~#IUOTD9Tg^5UaI|{saxSwo1W*5^#9d#5>_R)<+m;4`ccFcN^;_X!b z*xW0yHk0WkR~51qN?26Krfr1byn(;uJty=IqOHH!STO#~m@w?G!1XHAoqVp)a>KYD zRS@rGwlz7H3y$4!sA6i*-{;SgDRo&H5f8I^{y`SyyGXb2zHzmt%3kSSFZRPlLbZK} zVqVXW)XFLMd3xiNH%@WmBIUZIoHlm6xtfv7>TJUC#A_4kK>2&JZg1i zyvDkNhxJWxG?kpBV=FxDVOsBT{>_i=t8pOpT~(WxXDJG&E@?Q&z)m7Ke7nM=UQ)kP zOX`CeOBm1_L-yODue9C6;NEH(MuS=4 z1ncE|5j4C|Ozf@1=H=K5P+(rKULYj=xn2ggzlzblNEY%Gjxqa9_fd(-yjKfE|T({M=fRnSA>H`BGV@yEnIsg^w5BWYRV_Q z?!Gi;CWZiKxb3X+Q!Y_Db}|LopusJ<-O`|EFlr!<-UVg<%x(g66hMipj$J(kugq`U_dx z0EP+cin(u6AA6Q|g@@5W?V{_s+96HnVQ6rc%Xdkey0B&`Mh3@e{v^^>&O{pQl70`< zgVAv)%1_qJ8iv{3L&f{!HYGJZObciI3D=|AZ-l+CVqkEnC&5OFj>e2$4<)Q4)rWO ze(>TiHVWr1MOmfNsvKkkF-|cG*=2ZD>U~Y7UEdFjR*1dIzUSx7qMi1@q~LJjjDz`d z93;*%i2e19)r??VFqlR2ntq8NzqA@hS;ieC&ned5xW z&I`6RVq9>dH^#jQI|EZ5bAu~sd`)|gz_8$bI10X6o(4t*O^I;b*{6H@Vos3W;kzpB z*qD8%7#K8*?z`A@k#ru$1!q!hzo&J($%eaN{{`%BnvfiLUhHl9u}R14ld5(#^h+MC z6Mbmu$!l|0O_K#vh2e9i&A2-8-gHQupw^`V}+5ZUP$=KUXYkATvsa92BiHy z;2I0|$7f~52dwYb6Jgz{qqv?gIVdq4EOG-uJ<81Z* za;{4L^<>NPzksU+Oump^iK|WX+>&eZFhe+5j}q-6C-b{iheM26Lep-t7ES06&SJDs z`CIEYF+ZsHFVT=*X{UvIq?&@IK3V-np#>WUS6C#J)8)2fg7EADkbyEhD*#!8aiJS2 zADY}x+dsn8;7NX}VMMil6Rx_cp2(zTXnhB`*ha%k^WV1qvWKC;yFdRYwe#|v+V(Iz z7|Xoeh*W|@6XS#D5`;+KW@=Y#VQx^Gsm-p$goQ}OhiYi<@;EPM2P5&O>=sn~-teju zyML<8LKuE3Pw(}}G)aRMvPg9zGKVyP)aJ%%fUh2=4Zj8vB}bb1U`!c~<&HF~`qKj# zJWN#flxIJyBgP1#pFI;v`AkJZqO|WC8<=%_b$a(@SK%Rs5hr<7X(LQ(SEcy#U;4MN zoasM>ty$<{G;w$&&4fA!+tLT|Fr?^@Y6>K`I5H2ziGB7drW1Qd!3FvlME0ZLl*Q78YLS-h+QAZR;g}*d6lGiWFy~2n*D>!kNKzL72sQ8;0|^8%|kDqQL;#!&iE6K z(CiBK-h=VQG#Y#jM6f>Hv7mejLec^-?;VB|XYn-Yt6!NPjU&QE7JOrKHtSsm4e#77 zGuID`65!Xq7-Kaq-_M5=${5;D36DN|R?Vo7u9(kn7(W~cwLf}`#h5~Tyru4drlx0Y z#>}JiL=6e8=A!xDG7p8AjFKKzc!nWEHk+kM&vRlJER1G@i00cgkxZPVU-iK@F;_yf z`e)dx&l}f5GkQ>K@!9$1Ud?NoGHOn*V3;I)kk1d|NdBn(bv)hO`pwk;C`0Ltd9XoI zHEy}V37?(V&a=S~p*F+E9*=`zZZMVFe|?uZfW{dn2h$Z9oqExmwYTqsVT6!v^_iwE z!?+gL$BTFMUS2=S`I^v-;=DSZhPz7YF1I`YhPlBZOS7Qu@KM(;OiR|4VSX_BoJ-%V z6^0=~_Txw;6Q}ZRti&KwS;*rD^&TwMT6UF#m`C*~3X?$G8r>8OV}z;RcImjIP}2Q! z7$+2a%GsZvpRoj&O{f%_j;egJM^k_bHB}?)k?&te`&FAJ`%~_f=S~ zRp*yrgfLw)#CtJ}51#f?Q}oz=QWz!FJCm$V7^iW)hn=sq18dE7GL}KJOI9_h+5%6T zVUjS67VIvWUGhf88XT%cF>^&Bm`4|Cx63y_K4=*pq)mZ#7$bbt$6N7fT!{m(V?kTXWrMk5i^gg!OH{RSHrm)csm>HauwrpqL2p@*w!EZO&Xc0v=#1o9le0`mkXKm#eExZdeJ1g&a5ST5b3A`=8 z>wFfj#pT)wqL-W$0Z4ke$qJNCVvS+MFk*xB{B(`$F^C>TNa*KOY;6F?_&a}RZUw`Xp?4Lg3pd)Y-h5c+tNR{c%8KF`UQ7B4&4CJBS zuQoX$9Co;ik;CS8od}ARE6B(&YRDEz@DNP~@oC6Jld_<0meeRiG7ojwvYc&MupdEX z7(!(Eb0cfkYl4_P9R4TVC@^)Xqsmudwkw#c@H7kk7Pm<#*nZ0}eMq43>X3`-qJG?O z3z!2gD^>pht9+B5vS@5i#5cQJ7={d+@@2rw&mN^_h8e>}G)?Fu`-W69%oW}ptMXJC z^OhNy2Qb_#u^76SLqm-VGuzyA7GjccB3=)L2u3Q;JFguE38!o^23kQ3V}qkOW8o+c zrs9)gSm)RMzo+&xj0p}ad6YDjEmiW>t}*o!n+y|#qlaKGt9L`vkYR%Gu9C7KKG7A{ z`|A8!obx2RyrDdlFm@YE6o#VGKX7lWZ8J;=4x4I_{(8YfS>@{wwU$A;*4D8x?<}4j zs)KdoI%sktCpW3IHH#QV0;xH_nRsoOjN8t~Fe4aJlXUS3A_q(bhLtL?a3u3Efun(Q zjA05esyh7x#xiJRcg@_1O_TGzUFlaSw_YJk08Zm9z2^;taH$Tplr~vJ+iucrxL}wL zOo~^FnPV6Xq-KfgB^Q-{N*%+DV0u5BJq6FSL-@B(kHFt@dYuux*TzxZmgYjNek9ha z62-;gIk$ISPgpZf!{p$D$XA;Nr0UrqF)|qGaPYcS(XOM9SNAo;GuO0FNvDA0-(gVj z`>`pIxP2|xr5FjE&L?RwEUSazHDmmby;rLAB}+X3p!VOKHdcn=KO<$$>YNm*j8(Yn zOkb#sWQF^#V%{$l&4`ga7jBe;`93byS_I#O-gmjuQS9iTk6>Hfq*EJY9^fxO$Pd*S zRBaYLF!Yy9v`=MT39XX4^0cQpz8xD^<1wR0a`7(Rx~fm`g?VVcveI$4I_%GB2xAen zIsN-<2M1>u;#-Qmba#8q?qwSpG@N5ivm0!!2!^@6Op;i85ty@Pt+xczdwK_YBk2L> zD`Ijli{dG3158qHunTY)-piOiE3&gTg){8YJs~jAm$FHgTt8qjpVir50;1}!#v)+lKZkafRGuJcn`lq9~E$$dplZ&TP!(rL@~T>r<@rVYn3Wk7024p&HQr z63-b6v6+cnYb~f_X2x3VTk`8%72|qbes6+KPlg6#d1Ff2w!?mG zr^2yVkE$Oj$UMmB(|cOGFDe#p7eygHgtsS#VQepyYaIj5n#N(|IJ(SD&VTG^KT8tT?z`9*4B51SMJ`TN2t>i)T#Kl-S*(+$sk77UfNI;`#4nX3-@R`8 zc+9T}?Qe0|?JE5xYwcRhX&?`62h?_HuEsR&yqf~<_ETcuZxm~PS;u5Xu?lm3!^5%M zoEpNeqQBjb!vJ7AC%86bG8sny9uC^842J4iR?XmevlZFSUYMT^4N^|en{6LS!7wT~ z5b~pJ=ebx~g2q~$w$b0S3dW~?UtXqESuW+*3RfGNT6^JZem z$*Tyy(1i3tyK_HXr)T|a{2ged-^KP>O2;|HjNnr;PM+9QzjLEx%ueIP?I!`v^08k- zlVM8mLA&nd2aISiF_<2TO4(!WJNpOb1{Z8VL)EmuLf zO1)CgK1%3x)@qqOA5q^R;Re%3$bKVt|(PXX^qRYQd6YW zezuqvj3#k1ce14(P*BtxaSRsa=V1?;-r7ytx@p*xO}9y!kDH|V zxN*6H|M_YvSgpC+`79QW(<8H6{ZWlt8j`|Rj(!VqA*T)<`KhOX}fVMhYMK?m7DUv z&Y$&+9xcV%>Z8OsA=6($9|EUJyQrl5DYzX+orKpqUko?NRWu-f@BC0kkrMHb#-D(u z%C{8gbl;ju^IStb%4aE8oRj}f?E4^SqVuM$p<%!}88(hN$M~f@6zl4EaRX8vy^5VFH^njFxaM0ov&=Eu zNHW_fG0QR7$X?ZTq=$PCvBRsXU++7&9JdTqVkdvdzFUs_RLi}NWftU%#hym)s*MILXV zier8;D&Cd;ag7YdHTOb?N!qpz8ZR8C8dF6X#eFLQ`csg+yr@;%xOsbS?l=AnMm<#3 z%&Ic3#ZIft4^?UYS!jq45}vM@YD`xO#J?P~jlUm6EnViEW4>{cewp0;Z2Ar7C$Mt2 zUraiVlBQ*%XXnJE<0wfpsx9;(2^=Gj5mkF_FUS2zEGZ*s>QLv+#Hwu~zaa~<;>w;$ zQKym0_P2nR`Mk@8Qw8Q2d^}5F+?B=aQ6Kfx7P^vG$?e{Q5(AM>)cB`@?;G_*?xN9U zN(NV7|E6;5FUDVoro2oR(}*&WPF9*@baF}OMA@GbAe`jdL+F;fJ zSM^yjV%2?#F;#g2&DDD|x4nOh$5iE%&F+URB;lE05T(I1nPm$avz<^gvyoKbn6Dfc zfBsQb?&}22eJs_U^?f&7o_U?;XF>pSb*E|ih9%9#wDZRd_4~{DYnn&2?-bd*|vx3OBfp} zV;u96aq)T^aQ(E)U{LA*$wQrQ#9?pXJREbARQYda&UD^xOieZ&qx;oGaJch4Ji?46 z(Oc^vUQ3sDa5E>vGIM z5~g{Ugl^S|&0QT+kjprYlLxkptWCqCx=2Yx?OS}A{@fv^IHnz=?cs+suf!*(s}s>W z!Pl4H_#>XFij{gPjhRFo1CGh3-b7?=T#DZFn2( zE8}qR$QsJ3Rbc{c!Q3NmSnl4H{P?Q@;T%(qY^~3|{LmwpYZIy*V~xW~6mK#Zs-hWz zU}!&Z3^Ec2UX`miU&9N>IODk*tPSka%I*GUoVPiyHp)=}<(OSelhfvY8uU10V>XN9 zfpN5Aba5tMUW{a!>-%7YaoQ?0HesJ| z4%?pU2qqlIV%N+%=-tOK;drMv-u1p6%!gb-3^vk#9$1zI{B~(Bz;0(Uh%)2CzZJG& zhLKf=XF+3pov9c$LuqRpa!fj2>hKFmy<#ir-WbpH#dY%otf2%P6OJVI*vdXy`>nk@ zV9=4=yx-j~2TgDsE!ejx`)YR-am+RjwF$a)c8-BY_WrKQzLyt!pZgW8RC=Jsahx$L zY&s*h-9nv5hH$WC7tv*7AfJ8jG2+NxbD>Y!JMG@*`F^z#`b2p7^N%XvDqp{AzpQ$e zswUd(pgo&$yOF)MhfwJygw^FOa`#X^o@NfH^ZE3pa&O1u{3zKQ2dj}X(6Q|kEIZxoFoJG1pp z`-1aWv972N>B$tA_5gK`@yS#cd-j~$jWnIRhR1SH`gtQ%aNjuc=hAWX-v@ODtXy{i z8Fj$#YiW-OgKLVP5_MwVtl6ur&IL0cU#9p~jrse5kuyQ7K_z_L0 z&EB#p%u;4QO|0ff`%7Yqk~(JJ4wW!6w)U;{@RSD~o0QwK`);08vW!3Smqkg_H}*i4 z8>)i_sc3Xk>rRM9Up@Hp%WuE^mys{VVCC-zv8Sr6B01x!_8jzU_BEIrCpyL|r|Kx) z#D`&-4^1rM+&zzNS2T&F=Ul;X<%rEV3&(%eJcUuqFfR{leG@5?@mYiixm3Fibw77X zpBS@jXK6^A3g)-|n4} z)(xy?eM!ty>W?d$$>Jv=S79eeFin{rcGNN9%+Tt&nV76hr))Ceu`x99$ynw&hqG%D zw3$9*e;%Iy(MUR(0$z>4hp`meX_2~2g!{r`zOoVYZZwrw(z6$1+OjF};68VbiOaFt zP$AIpg0CAqgoZ#&#^5EgOyRCy`X9>QPhqB%chCkc|?Xe>aRB~}_2gmIDZwsa?L-I)7Y=HY>Vw$pn z)JTxI^NBcKjgu3*(4C~gF+!P6Ll{kCj51DH*tr^y;R&P6ooCK5I>}Tu%nhv2SOd-K zWQf`yl~+I1ScqkS^?#Nm`f6l5Fd{h=uX?vK#u-p#s_%5UGgd<@`*xqQnH$S`WEH`@ zOpeLOVI}3S+w$ESW5Y2O$?k?Mm<=)~<%TiHM@5^irB>Hw9$eoUlaEaHHXdRIav`_n zuCnBYou$x@R_lKnR)FEhbDzdwzuN1YkCD_D-r3dVS~D;-(t$N#oDh zsu}uVe-4&ZOcqlXWNIsef1H=v;e`iVbXhjZgP90ew$WPBei;xIYmvX;M%G02SOQa`$P z8Cu#!`fE{AOX}cS;piNjn1M`XwJP;O=K#Y9D6;)wAybvhdQ{{pnSfjCK6b|@W=VMiSt3@7)G za99?{cqCJFr@M0kGPCNJw{q2%|&L6<1+G8|*N`rJU zF|NkP*$r*W|A$S>!zOy-AxtECSK)|_rPSnpZ8+{6TNqE|vU<}mjDAPNmJSo6%y?NI zVnk7IS=aRAO+VonVl0uJR2;0UaRGyKGlL&u>Tooe#`-R-WI?%LyCEyYu%R}YqI?&| zrO@UUbJp}?RmNDHTVtWez&_s(S2C{C-V$QMFn+1!zP4``PFm{i-kCdX`;8&y3rDIZ zA}ffa|K;rLmJ~=9m-Dg>#DzqgeR-o>pFUIFS zc7$(W!uRF;QUWqldex4ZqnQaMP^tX+{+{>45etR^!zoEE@5(0Y^DQG2T?@u&=aSZk z@N~}3wRYSwOe8kzyatyj8(M(zLB`e6?>)sBrWac~f_s5n?wxcf!`z~Z%#6Zg^UgLz`Sc^F*LB+9iqcMqbvGXXXY(W}GD$YP<$z z7NXeh>((mnli6YeMB~y;!bp1(*NQj2qEz?U?4(+Mb|!CtaHQ6=Z)((|JqnkPi^HM6 zgq2~$F`_EDNW%pg#v7l4o|e%JlZ+ut8j^8X+ldWya9sFq?7%`yHh?x3-?LL%+0Wz3 z@jA~pKP`!5m~RY^DJAGKEwg?n03S|myrwUW$uQm+r)8BLhBOozrX2??bB3YD!BN=G z{gx?9sZr9g&SwlPDx`WVom)%m-Y$moZtGaVQVnT76E3>8Fk-?ZEtCTZB#E16yK%_^N9xFKng$c*$wpM~s zw-nd?V=%Ai=It+~c5JzJ+y11TqoUqa>vF>v#8_ez3w|y|wR_YBml&oJBhl7e-A`D{ zT$23E_ncTY8n}a842r^?xSI`Kde4>!X^xJjclKm z$5UTfB*Snc=`vT+7X6^tBQQ)gvbs8Fr_*RtWv~15ZOuFF{XmXrUsRl7`f-yL @x zr}Xf(v2X*gIgN5YiKFOG0x%3g#;JHURM0d774wi<%4=X*VU_3H#+1&R`RIe2^ zamH!>O5niwY3ypBgXNJ3ObmUAi+2hn{ZQ z4C9nDce!!(*0oK)lGm^T$f8DJVFN{|D2MmdRT#l#Gp-W!x zG{7)T>3)-kvpu^54I)|4eUX@-beYjlOX>cG&m_c5@U(VbW0Eo$yOFOwh|!U{`q7^@Fnt{i zPI}+&A#`gDPH0kNt({dl$uKbK#_KpC>*T7uXoib1FzFu1s5#wLTg<2_CM8|QtiJ}s zk({g`eab@A1YlY}q7ERbNGoj5vr_ zi+p34yG%TPPQ^dB12C9OANv*@t^p!cp+59iBrr@{N(U&d8vVU@YpyV986GK`aIh-a z8Rjfw`9equpt?Ky4>z$~&2_@a<uQe-1D8rjPLJSggK(=J@uO22$o>?1 z$uN33I0~mx0&PiPoYFl~WWVwIoRu_ssePpA^kioku#^_h?R`C^`)r%H%#A)8?#FR? z>MwR-18pQ5A?C)=GN%JemWSL|d6rJX4%3!_E4SHaN9pw}?R5_~Ss>45>C)<6g!vl> zP^;=ymglgGD8fLk>T&5z2Y$oxqNb5K6aAi z$-G50IVXnk$Aw3&{|0?rOhV3lN_Z&se!GB)VE}TLo$c$^a*8qU=y{eVyEX_{`s~Z% zbzd6EiVqIxXT~t}xPDGkH>)-xf9t%Sfem<&#`&U&B$$6C-gio zZ^W!)>`#L>@7po8Fy?p#Y})*|-P(;|wlSidWI6Ox2a4{>!|_a_@YkB$drK(mP{erS zQXE9#EWgS>Ra>z`NTceB3*HHi;G}YWI}dUFV_()E?Mk1{IfU`Xsi^9mxF3`KzXMyS z&#HvWnqnM$t)D5LSBc_uYkJyW{eaO%I#AMLXI1D~?`NPi@0|Te3uhzF{W%XzH;$9F z`K8(*>_=vKNl|LObPcnO2?>5v8|UurJpeQkk!VtWy>D@VY!tcDOwzCN2d}QmWBSn< zKWQHUckFserh`%`H3Tcz0M!_-m%PWfz&Io2Nf^-vx~`kO!7_^y|ojBV}IevbG~sVsT1KqAQ4lJOHrsgidijw?Ca9HwmK^lLyv*SY4-I( z7YsTsJniP9=umD96OMj7k6bVCSg1XXoy60&KG#|R4RegQjF>!)sV`>dl@0Va zFUkXTj!N(8MzcYQK3}+3WSJ8)q1sOs=iV|G%s4g>j5n-gk8I4fr>TEJAS@2p@4g->WBUYM-20i{$dk`4*e&IV-Fk?n1q~7pqB18<+k!>xB96^<{hAoYuNWuZ7KVF~h7lya0$DEOqu)qCXd-~6y#tegz zL!&Sq8DErs?Ys6Yz6>W}fT4AUambj2dtM3(>jY26&cGa`ypqo6T<;DPiCy|E{bOsf zV?=UQo-$>Gt?K7oT34}nN$;}XPG&4rOhm54=|ojq=E5GpA>AlhdXZYw+VcaKowPBO zcV?_Vj6VjC&iv8&R8s?`?9c;GGt55v=WWw#&n}S0=pzxjGu7UqzX}-hkK?M`id{z+ z<@y4Qk`oL@jy=|?&(p?XrK~VEwIPg!hwakw*ol)c`8t}DM)^Fk*Bjh{pIo0Dqgvj{ z=h{R?Fd&&!>6; zEXtm(gxSdPA`FAE7fqeTqn_QyV5A^{8(}J&of>OIe~H*9Tm~zomcTG68B!gFaMpS} z3p0^XN*#T!>Si>h+9khId2*K0Vv1Ms8ViD}+b{g3fSJOrz$Uh?!n0Sn!T)du1eV7pfD7+0m8 zpqPN1msNTT33Y2iF!vb$mX&ra%J@nwsd1@`oyeL*VZ)kq0|OX>R1&0pU9PpkSmHPe zM--{1{eAArKXVK~#;N!&E+EIiG5NUq;5CV;t<}=^7yBayGJuRqF3%KpwzE(ivyp*N zZ5%q^12^KNe19&h((#nk$=Q(GFb)}xamj5f-tQcAv%$1XIff>c2S@8^+w*R)27t(` zbla3D8!LfhY|?!$zokq(=Qf(bF)sO~PWQEV_`0w6BKv5p!O$#F;24@5OYgFzu=79U zXgwyneA0$v3v@l1xQp;n&j53bLI&KwM?~!H%`pk-CvknGxNW*KE2%lg9R1>-^ybm} zhMSUP-0OGq#bLTp)dXIn1X{3#W4e)h%OqYczDSRCN3P(iR4Z%p3`kp=tOnE8Y#gC+B3GD(}+%1i(|2JcF*EoX=n8MRZ@Z4>%`>aQ<)vb zR%Kzel4Oo?$Mx)1>e&%v<(P9!>gu`FGYpUBK=f;A3_V8SSlS%> z^1G8$9kuSRa7;S}^@*yu`jiPdCLHIN@@z(N4L_+T`o%H(C|@cG(kW!(lxidJ9qLbK z>LQ!D(b9`!N3QV4-q{*xkfVZ$E$8{q+E_@q7~7^RYSSeoZ#`3=Z|a*Q_e>~y5V zEH3M+qrAp3+qkNvv#q*pn6X$s)QGVWCDVgC(i_aLmFo1?u3Zv4;2_7yYS0LKjEUGLlRS>OaKXU&|5JAUHK7n8qgAA#M?^t)om zboZ}wU}89uN3oMgJE$oE;k7BUvdANzI+W1f=V2p8*{v_n#tk>R^OXo;PHKHgRxmz)yua{`P%P-+7i`ltSvs9B~h_S00$}zA=9TTMK4vqm}h^bC&!Q> z7iZBl-0m9&H`jAXZ8GdgF$NBQ+cZa-w!{YD!n>$g6JEBL4h9Qj^5d*4p)(rm*Obqh zJp5V_Mk-wr(#HcIBbFW%8Ex7y zxX1L2@Lfhl8;ON8T6gJQ2iG=D(SPnhE^+E6N$60+R1&^d!VI>2CC5M^0s3;5E~ndF zV>m@?#}8;;XCUNKoX&T=~tq78$4a+4JW?W5tkagO;yc<*Ao@Fq9CNq1Bd zeXTK2UBFnVe=Tkk)dr1FwHwFGAvNkPe)acXkiv65WX# z*+SdKyTKSD#ScbX>DG0=4er$^#Xi9hASM&3e3730HL1#Dsh#r}M~ojgO+WN_yO-|O zd9)EZZF8+@OsgVe9hewW46Em+z^2jVY~RX%I15qBGybkoVU#X%j4%4jNl57Ki%B?NQ_d@#`Cr$8@5G)T zyYqGYCG0tIG0+%ITBf@-xbI^y(YW-uyRzm6BaDF`xt`-EaZhv!BaD9WLd^yTQzaN< z^hjFP=wzw<8#^w5VMZRtj9#G|xJ!O(YO7y{m|>iVXX*9*9r%ivWo#8_X+wOc?(I#^ zyXShrTw^ChgULmuKG#hm^nW3)6kkrg#B&4fSsW^rn8JB`oJ3^h_N2No^Kj@?Da;xHS1KKwn zqm0Y!cqB11ipA7@i|xExN*H&XSIA$27SwM_yD~f0d)SK@QQ;hNDpc+<#AB~;P ze~J9W8zO5tW*Gg%cjQ0j({THZl@hP^B;0M|v3BQTO3^JSd%qHNl$fs;w*p@*e2>dN zSME(ecIJ&n;&i5C$FOyrVoZ&>&ewBy)lTms>+uvS1rgYVVoPH5SPrMjsO{9 znde8xef;15)IJmLxliTgOa;?DN5KG~s7$^_a_+;;^fT`SOe*?pMM2%x)zd}{)WtPL zv)44Jeg9xokp*An-oZFDE~w6K#FS!Oh~r3Zh|mk{kO?Lgm*OP0X3@1gl^@Mx8Ka6z zxmJ`<;U4ur5$-<?akuLQT+D7Q`PM=XlYjHoiNiK#{R zM5)rAQaj8oDoU?Wwby?Q&TeQy3^Q_PZc_{{YUW6?Pfwz*>P~bR6O7V|ryj~pYEU)T z(MG{d7e-UpnG5-c7N=gL5W|d19(R{MMi`sW-t~mN75x}D!4SwuFHrY2F}vs|lQ6Pp z9mhLs>Kro5MptRZ$6vHzaCgl_eLM;|_MT9Qesx`99M1Gjy69;)`AIhys6?&LNjLV`wEa_nqaiDF9hgrm1FKbqw_Sx}P zSkMhzdzeL}Abj9DTpF0ur4vpjKJ&D3IBb%hP4B2{w0W3G#2~tdfy7x#Rd4ZjU;Xhv zB&TZ}LLP<^iC#}{_Lgws$JL{&|4dwT69s`b8<<)RRIe) zj%An|{H`8AzxiTrFdfY_sf&L$MO)+2vu-$O!qJG9@$*zYp|G8Khf%_Ly7ai*6IXKF zdcPJwbF1kZ!&qTwPGO!Oyitubd>xo3q;n?Gn`hKUL))52d$(JN z>+U4OT;ZtBYgkCdFjaW2O^XE)x~9fG!&sr*??@A^M`KtU4ehV{_Hd=P_$lh5zvnP> zvV~c-$}>7E)UN-n3dXsp#?`KnVa$-N3i5l+(Y8h51NDk@(sivS(;P5a=(E^Q;M>Pw zA)V~)WYj|Liptxlb^TJNXx$!KZqilp>W-w{CS}xtZi6eJH{elYn zCt*4e=?O861BSs=?(%asn)-S(7c)MODym5lX)*w&JxAMuhC>lSqZ0*;-EGX(Nt}ch80k zf85E7GmHt6)KIhWG6h=~+6b(HnAaN;fihn%rURQzz8Ci8xc{Me&39$9|4odFfkF8e z{wuet0~rPd({;7kSC?*K=gxZCP^@~$Mxk$DWDH}1RCn2I`gaw~3d%5oa;?2}A`An9 zez{udy;`cCc~a`3T0sPJfP!qsc)(_3E4aq6U|T|V>P#|_{#h-TvM*G{rH#gF zGEiueVLC9ai(Q$M%$O~l{WtwbLW7G%vCqv=LK_Cnj5zVv!S-ZnJ+B@EgJ1vSk7OBM z{O9Xy=`{`v6DoZaxj9k?l6jCaZN0<%Al!;EH#o~TFD_pjbAwFU;i=7^b~(EI zMfsiX6vG(eoKBXh8vNtDs54sPv#ZkB_3?kwJ_}lMK#PuMdU6Y_*FyUt7*s5_UwSMF z6N(eLRZvZqHbD%n3gg#faB-9-`Ww@RV0>{WGLs`^4q&k=)t6Kr!HxR1+AxQJ{+stm z^WQIOBFJ8BDIA6w#R;1y(Z~zJFgi8(GLA|aMij?+R@*`k45NwE`LfI^?NSF`PaBJ? zH59`rqI}i&>cHIsVmgx?(}*dZk34BRCx#DI*hf9Dj1vNkADXQmx4HLKUT=RfXnpdh zP&KBG05i-VBI<%+rts>N_R?kyGleIeu+<`+IfF*++`2@@s zI!9rkUapy?977F0@_JWGx259+V&Kp(Gu4ip_W$)c1Fa2&_9a$3Zz7s~UdkBH&N^ep z@GclLa!x|~)Di=RqZyOydY~O5Vye)86*`ke{@&tnwDX4;D)ea`wq+P>({uoa7qKGk zYG`fOBPuGtdM34JZ(5Zr+V-sHi4!$D=~~bH(8k{E34oI}d9C_?YCD}a4%37SO1?z) zTf`7yD8qL-yZt76QL=M}CxZDwB`I#VtY(-PoEPQ4{(DsmBrZH8Gw5_~xds=y%9i6j$wo_l}ooM3vYRAO>9gMR=c0X$n>0UVO}t0 zR70PP6Kj2N(1Q8lwiJ6TRmU(p$g6r&?S(SGwk)jYVPc4Ip7}rX+JAk^|n7#;lHi0$E&P||-SPO{E|MMrUgVNTH9Tb*G#kZo5~uGW`M zz?|Tz)9Q6Y+aLB9XvU7LFerEd-yfQ-mngLl!~eXVU$-c{e&Xjq3gwiiG5y*l%+Uq0 z7MACR8NqoFDtCdjY2$^A$@;`;8Ab)?`9W-}LO4%dFg7^x?@2Y=s6Ds#JWLCY{3K=C zVX&hO;^n|F7D_Ns+h{N!C?l(^qDmX{)DP2uYHb``@&}|-PJ6NLuwyb1I_#JQoGkrt z@?#n;y@?-D^HyDKB(cB;^NnI+kY!?jDD&S4DKLx+ss_tXMn=G%5SSmlZI#SBq8K%o8&8sPdk4 z1||s?(g%N*VHz)1c}ZcDxmjVDaM;wVB76Dl3GaJTY}ZE}w~?dB2y=z^X_8n^0ovYOvCZY)+Uqi4m@uUlAfmDAZZS%j z+(vh11`uO}$xU#R%Kw5JFS*$nNhM4VF5-v>!)4-y&EZ#GSM{^l%9u#yRCA*q0V9Q~ z+^H@)^A>Z2k&L>8cP_zi>(%vvSV^%cPp9m=QhQApA!NHEqk`AE^W|`+CuT{IrdJsP zZ4gfML<$sAPSsbt*P-Y`)(8mMDn z=~AR@Y%da+D10cwwyV2gv=|~xsUa)%*)v>yOcN&4CG~d*&&SjH5gg_PW9mTMnM2sD zW)Hn91EvG#*;>@k+F=pK0@?ea&NsOX<@1&GjT}Uv^iQY@*;VCF8-?S(b#ZK5I=l>n zf&agZ0mcNMio?Aq%T7B&hB-lhRmhu!jez^$hDtgMDT~4cdE6U=GlBaqY|Gi zL&2!vy*QqQJ3ytP>0m54$ooAz?oHhy?VL^Q< z++|IeAY^g}2tDeTSf6yzbmc?)W1xNBH6`_+T1a1B*lsFD36tT-ldh_EDQ@M&d>tz{ zBO;6tM!Q4xrdP12yh-ni#EQWp%a8i$kTwWQGo^A`8s{j6QV7FzAzywA!l=I;5W{pK z+pgkfYu?iEU>!XW^JlR?H#;)sD#tA0EPs}9O@Hc&W3rG?^wgi-Dg^>0C-wXijOEI$v)EW?j9OJH$CzO97>=gO0nk+j zw2=;CcYEmTyQ4orXX$9ND~rQHKMCq)K{+M|Rrlav>|Uig1`6YGzr-8IOd$zUPzjN_ z?r=;FF2q)@0`zn=Q7LU8w6KuQZoIxlm1A6xS^-cNyYDezf`YQOa@En@4~{v(Z~mh< zjqYuI7;PvnBi-%~7abFGx8ax_Ji9ugw5fG%G!_D`_Nt)^>4_dlVp|)8>tV!30W+<5 zy8W_oTJjmNp&SE+Djnrh@vkbe?JmNYEgV(*P1_u}&#&N)o`mEnuNv<*HJbQTKfP)3 zyjBV?Z+%f5$KYYN_Xx*?AeZ+j4C{Le8`IL*tV=`1UlD|BQTI7SPd zqi_LtvALsA?`X|2j1sD8;%C|WyJvVJ93zA&^Jk9qEXNRGaA-SZ^{$c_BJ`VQisj%y zy!%m>P~r7`C*2&=gp-)Da7brjCtX%;5H!8zj&_{)&f~xaH(iF4!Iav-U8EX6cypi5 zfm!@`YN)Qq(A?3vQ2K{ERXJ-`bC~%bj;X@?!7K~+{YL*W=LjKwd}tsyq%E#?d5 zf>q=z?^HW)w%d|B-bz>>x*E?C8|r6fn%*5CUhnz1_5u6&3@esUXImTY}FZjX}n2jN>MGcvR_@5 zV+K&}rSEOSb3HkLA;46WFRk3Tb~UycI)>Q3XqVz7v z#?YVtt0_@%kLkb1D8BXL{AXP}pA@D)%Z00^%JU1hquCJ#0u`F@vux#paA7{jY#@_2 z%S)&P!Z8|17~5N6-`Plm>fZpL)Db+rZJLd@Sj(-t>m*=maO4kXjH;7Heak&Y2L08_ ztPbtIahz&dODF2ZSR*hpxX9~*iZi=wH--jfpmPv?sol=}!XclG&?BwU3#luJo*#*I zcJpoiUhMVMKgZ1AU0!LILE{XIEI(LOBK;!oW0)paHi=_Ya8~?O%6pxo5{|Jz7z$!2 z@C*kGDdcR`_6z|5j^V)Q=~rIA_Sd*@Oa_iW#9BZiy!$-g?~JF9F~K&?YB}}4X(`yR zQpPb5cu$Rl`?|DqM{7Z$q!&6ApgoT<2AHsWmDOr9V*O+($LJqS*kS^3B47M{&vI&R zBbWm8$Kzl?|FTEmLd{}Dwfa4W#~cHH!(sKVT?b8$r&bdpFf%dJcV8%l=gVoJoH7Re z%rV|a4af4rsno(T)ko*0Pffi)Xct4XixaaYke%YfaNl>av4oTKq&BAeS`GW8D2uFD z-+^Pe@4PDC=10mL+7*@D0r#;mUCuiv{T%asv`J@Tr+eDkFr3pYoBSXH=XD!Fknt-H z-TtPSX~>IjO2ec1{$QlfJ6|1R4Ygc%&oIkpljY->{qsj@(eKJ&{_jC4+Gtl|sokei zK92XEB3$D~L4#ZllQfF`3G0@#at8odw;bNNb>zh(FkgqGx1c|}G=Q|mI5cDG15sty zRo|Yd7z7;FLVn|B)7|W~(O9oyPjEL9rQ(y9G22O80K|-^x{;@ zPhb#mF5XqKmyui324d%P&Qf;U`BAurMRg3MMOf3Kv0PnOzrj_0SLAQnwT|GAR!>#7 z+Phw00FW9vQ^!XY1lk=II7R`vpQK)TH=rIrX5UAS*}riVP9FVmq7?O2L7T0F#4-2h z%CBMS&p8SQhk0EcPC_zWbI0(X%9*aEvkDR<7z3Prv`o6IYVG%3FbSKPLI)sJ3(Rjr~0E(E^p_RJ%iEQ3%G@ z#5H5bZMK$UI!-Re_u@*fB6lh?-HFgJvbT_Lx+xB3g(=6R-niKBN^w*<%T5O`j(NR# zQt>nwaf9YHV?hb6+dF` zj(xG((CI%BpN$tnJ`d~XVCqh(3zz2lX4F7o^lnr=6J>7Q30m1z%t?BmImttPl#yg1 zK6#7RgS{qW1g}-mBNxa%WY$JIP7OBseg_~_j)A+7r4#1I+NHQ0lS*$$3cr7HVytc? zUUhjnj%m7)D9dF$vmZU)$Igo4y;&QK&ZYTl{#3miVX&j`o~kcC>pxtU4kJ~ge_dSB zynV@!&N3~`&&}gIJ74qh{8c`gks0Rb^1<8Rj#Xpd6x-Y+^^)C<_sgqpG{}x)Vs6Z4 z(s$B!YfQ?i#!tP=H|FG)+d^qi_YZ@%wGico{x}kJn34;n`<~f-3OGjNZu8?jH$^Zw z#^K1S$alUbpUe_6jKhtKHjf&A7+Z@B2I5FOlQ`3Ex)Aelepzm9bxDpXIDhah2vt4B zEC>k;w(4Nb9G}us!sB)Hl*5j=`o@28yKuxoSGnY&M7cUH)ru^89#anlYa$ie-mep z!MgcS5o#bIg3-EJqfSCQiD+v)R;jL@I`HL&gEy|5ZDwbpFlILiKO_{58~t=RChNw2%;l;%3ntUFZHB2AA!3xyl_JI{opTg4 z#ye4FH6`0^`*jj^#WshvN*JTNc2?hCpwM3a14DK5yeLbZ- z^)`d$n5df!7IAdZsnSN^Gl6zt`TP0WKmWk|oGLj|Cl4oK)|o$~)jo>ls`%N+qsWiJ zc@(*wmD+{47G;zMzIGvQRy0?gAv#|Hr$wgB8^(T^&KPZ4!A$8CE&TBDvsT6@KLMK7 zl8uzKk=y|Tf2NJV$^UlMqX$kcJ+#_JZ7RtR_zPAhM>*6tSxDOaZRLL74lPGxT_SmH z$WrZ6eA*VwW`VD6VJJQ+LSOp;ywkaUpQ8_E)Gf`I1O7svSvd-y1(3qJN1>}va!NhV z5UWa`6hFu_Tr6#d;?F-YLl=aByh;B%!x)|G2Rc}~IHJyEQGA&yAA?Wc;x5(0bol|$ z2+!?|PJ*)LDk}&61z13i!j06U4aswu_rS(?lYGDTW2Rk;`=(darSYt1qIGr92IE%h zl=anwOXan=#4C`C7Im%+DQY-B_TEx2`7yZAvLMB)Jk2ef3j3EcRwBD0tGL=D=HeTLeTGw(epJMl;{=!-KpMN;m zI!fnHNy78oJlz_JB^<($+-@RIKK1)3zU^$6n6OL4ff8VC9cxbwN+<)-sUmh9?&37jD;#!ogCkNyx zOruMi8%+Z*iFiuuXdlfk$3x3Ky~oQU_rY93 zM42{~F`PG+PA=_W=P6AuSsRC20S1dja2`d`HIL-3rH#ZcE{R7ZY%Zg(&Rl>NyO_%V z%ZX$=#+c8OUo9C;qi6=A1kCBB(QGDP`uKO|f}uS%f#xcv>bWy!^@eef$h&((e>jRp zx1Ae0I0uo*$UL_RIXMO!=oj$yu#)C>Tg}8%uPC`3hmYU;Po(4!ylc+Lr}O3``AEjh zehyfoTE21G-PPtUw{>f_V5)DL#{b9J*)6wiBzyc-aFw!aEmnx#b1JzUk}wI20B8V| zWZyyLNWzK&SRiSOezv_kFLt^I{FoWwKdH?{5+`AUATT}CU%&3LCzg2h|gsWV1SQ1R*^5!nqQhPV!uF)?q$g&9N+dnU|eM;ALV91 z-l4tcIB>nDsedl&Qq39ftBoRIsA_anjpm7$23a6dH9K)&`e~TnGgSu@d+bG$1I7_! zEuTjcP}#mNg(5j70ZEZ{{$Vz_9elK(Aui@@3i(WCiZwNvL>vQC%7%TP?Pm4K<8o^r zRwj14L)%;VQmCa}3+m!`dhKFt*xpw$Oz(|2IF^tD7$b|_LGdM7J`dwtTPGZo{T{q5 zNbiD_zGQBG3&v@4kxrLh;m|8IaOzn}S@J*F~^z1Vj-V>8M5sy{R z*I11@L=O_5bzGmh(|1n{@X_*5vU8QaCV(TQ0lnbNj(&D-&S6%zPhIUuZ4FfK^TACv zlb9PW1BV%7d%+~mt?(8m_Qd=9iVn-B&}LQI#l$3!N1%vFn6@5{ZE9eWFHZxdIok1H z{y2>AjRh?>7Ntu}tS`j$o?2=_Zhs5Zx9MGM__OxIcMRiGQlsRdBZ3Jb)%}v~+jMM;mI3*}Y(y29dQ=Ft3-1&)y_u7y6>7)*a%`D$5`hf1ya2-*XuR z7~11OLgVhij1fKO*I;zvM!96xZ^7!eOp~5RVLeEU%8KzU5^=0YORe{Zqby`Kv{P8H zb%d!sG780M6Vq>96UFT|7v1lHn)f9Z=S^CV_*qkM=?eeth!YaQJ#TMDNsfOR)VxJ9 z7iz+&b7eaQ_vLv4OI1k_w>Y9V8Hk9!dZDYjlhY%AkoM{Gabn*iCidiG#&smxXC39% zO`&E~bbblcx;g!g&X2HlI=w6*vnrmF>tOmCnAYQdN&DU5YzFT1N*9uYn)s!Dsdic+ zPUn`P63&*>8SQ})uS+sr#=#=DTHYGrDva-?Vv%3db5{umx)(;uvG1%g$IQOOyAMhA z>CFcdGPbU097$n=GswwWv7-){)f=~IV&(O9_A|`uEo7rQgRs>uDjtE!@ZQ-FA>00H z=xdk5L#9u&Ma?(q!1q!y4(_!+c%8?Jdq|X3EcfKJ(Bj$Fn{r=t2Ez7Mr_eQVD{8XX zjU--=<$+m04o#_?Qs)aXgA}kIqUBIA*cZGVHvPyVN#SCdn^Rlj9)kwsePiBL`9Yw! zf{AucWpqA{J1mL2#QroU`qTj9;KBKNFxz)a_G%cLW1KqDP#<&sK*DHW62+l9+B@ba z=K3DO)bNNf#g{yMPSS~16Q zd~zEKFIvv?P%Q+HlOG{@a=Ns`0gRGtF$?It?S^PD(kE7{y*Wr*=ch>$JAN^pe7Wt0 zbRI0u?j_%nJg_!G!|8Mk(xa6$ZSjVaW?qj7O&+ReBp%uUc;>xg#T02C#YCEe}oD6;3rOaKiemCG;?&KEcLw7^{E)Jo zhb1o;v|4j>i@;=}qbmoA;m*5a9OmBb;8y=MRO|74aoxgBcX~_ixQLhW)C$UAQc;Ed z=!=81C#ebH7KO=NM2pVa!;RCzQIOJ&;ouFX6z{{lr{(~|ig~^D=EYGqpyLtAVy81y z@eoxJ7^@S)E=t2_;xr8xnGqH<;s*{=@!Y~nHxxTtBW4%FNMu|mA!2e`L}vE(B0+oz zzspUjZKRl56zMd{zFo6^=B9zU#j%*vs?-YZF|!zsBJYb>i1?GonbeFNDKEC z4}B(Ux~m3J>$oRzhjcoRX2b^MjrU7jvf1VVuDdLO>yLKhON99RfJ(z3@FA~ zFXT!hIMn5m}?p%iDIHckUdtZV}f5W&%!0NhcS#8ygkbGTCTmtrl{mz z6LD14#1rL=D2=fPa z5?z=?9Hohvj6{r!>M@WwPPp@(Q7eui#B(J>@O2q3IPM3Y=HDss9%4E%TfJ1Wd^xkz}zR9vV7V+oq9k7d&I2i9*eMEq)en2NIU&5m9<)VUon?A{ng@ z-?UHS!|zaSH+s{szN+dW1{N=!jqbb;Be~&T9v?M1T;(<$^|y;7A*g{#^QamFb8nPh zi)Dx*MOFTNlkE#@+K(oSN38%mWQaM%&rMOiZb~DRX3hT~aU9^;t9i7o@F)8L;Zsq> zqfPNk;so#z(~J4;&>VKfYw2aO*l^K~LhpJ0+NEu@y)K}7(lNf>6#Gx+mt%@CD&C8# zD*j>}VxE!TX>V&MlEFPjBlo={PiX%bK+>9roJm->k|kk85OQkTIKB!0-|bG;%Z zgN=Yl9OD;@Fn09TAyIrtCV3#1-d)hfIV_K6i0Q_0km*40(19|}A3XAmCvsOlx4v5U zrQs^?dc$)MyT1sZg{XBC2|-=Vi{|+<(v^F$dW!$*H&%uiYFun&-4wXh1Ic1GO6}n9 zcB2*&!L1H+vW+-px!@UPJmJNo?W2Zy3~weK z`5Uc$N$T(L#Y2oSj>Cw|BkR)`wb*WJ)qUT_Glm#d>@%i@m`mgsh7o`mVkGfS@^H<@ zzBV2TD6-IgGB}T~#_yDS?X$RNXwekwawpX}xoZ2O>34*4_vLF%C%N`fT+%J~QN2EF zqz*(4F;N(Px9UfSm?JC~hs{oQk4sDrj)PFoHxDrvD6(ai%U2L58Dcc>0E0k$zcg=; zQ!ZRk@?pj!>Tl_9AFaoWfx%@g*e)M*auGv}2xiC5cyE38z@XsSFcVWxw4r=W3a2F4 zLgnUAwu)dpa7sqPS{^Nf7-N9bn#YxJM(sW-lCIE$U-i(xvb);eZFBhB(=!0E` z82-!hBpA^mA!j-bgHhHpzqhUT{tvr-CtV5my`C}Co(gS|VhT{%s@ylxF|&%~aadEy z7gj@pA?5&YRh3*GT+(Fv*FdfNGVeFIFavlV95e~9pT@jjTvX?V$<|NDtRJtgsDHcx zi9t1!HyI~&*@3lo1WfvM2JX^_9U~jgBnir`4>9R?S8NWl<$F5O?IEW9RC<{Fm77IV zKGuz?pqTc{I3{^>>14F32j+rs4DoAftq)mOvoY_-lI8Zr8URQVI71-5(I3t=Bj4yt zKMl-{7$bk|oUQ8paeK3<>B!!YQ*LSsrT|yP(~~U8Q7KLxG@CO}yfMEVmuv5Lhquxg z`)p|(1_J;0&)@&}p3(T8x-S(__wa+Zf1K!KWZBx4}c}xXn{QSCW8$*DL zm!he!O=9Bjnh;dN1O^!2hbVz!1}dE@uNnf=(%@g0xdbWyQa7QtwJNccwE(ljL#POa7n_An3eLj0e*B zGznGrdv4X&nW{vhxL{lETL;1%Xh$O0@Z_YZ%8#Df@7TMPgA#0uud)TVEn4IQy#Pa# z$7khOq!ZYdl_a5VeviLBpdx`GrUvsuZp!`!m%2PoD^$FU*)l(mAUZd0>)bj<<;m1h zoP+g(pssRL)ADrd6)XLg zp+*Kv4tg2=6Bl`4arr}x7ha5sYlf(E5@6DBoM$&>xq;RJh+KD4sT0@0_@?h$4q6Scdr-jSXR{KM-(dVDqUx=r5lG#fe2@fy+ zFltEq#O~aJ^3wUTD-RXf|H-+E-d?Ih%o~c$E1gM&w`(+`5Hp7=et&E?_De4~>mlJf zwZ(6_*PaU6#~mXDpG!K&zyYRR!7lQnOaepY=;9M+?Ma}J;51_FOp4EGK4T8UsJx-)!x2QsF`06 zJfOO_tLqR$i%}9rS)Rl}PpAPyi%WV8n_{;!N>F+(fHgE-X8Ea!yjE&whaWJ*n3ZqV zBs@(Dm(K8U`cjl$dMN*0_Km_LX$%QtBNNk$YO7=y^``t}tai*UepWHP)~nUO1Otma zsXTb6qjT?ws9<=}r~hqfr7j26@>`P4$Qu48dR`r-7S+6==I!EWntG|V4jW>GF?*5K zFZ!!3o6trJYr;@1ldZhA`UG`im|;v-oJ@H4MuR*3=i(7FrF?vmP2=70YV8{#OVTbl zUp8J!%T{`e{n2(eF}_IO^`De1Q%yBH&hV!Aj} zk!KHF6T^AQfXhy@!B*#Nh7JsIT^!+Ag?Yq(Exafh@gNEQPu{7UzTO>q=p0|j0mjee zBRv_ORMmcc_4Mfq}#2Bl*nL zPIf&63?1e#w0cPh?=d70;Tgm^(9u4i~gg z z3+Su^3?K5`gP`dI2Qh;v@8zlbTl+L_H|4I}!W?2=-qqUY9D$)9MX|%i4n_~j2U*`- zM(XvdJ7y54n?v=B*7O(F23-P=&!&G{a^K1Epl>t6s9~^7L$jgq5aWbn9&E27T&BN^ zQNra-OSHQ)8W<`Rq%|9kT@N(1c8o+k6yBH9=(KIkDcRn%9mWe!t(`hIh#Q#Frn50! z3v&;`km2pPUd#U8)I-b}YDB)+Z;EQK74c!P@IFcBlT74fR_5}(P^YshdC>xX4#u#2 zF9%~itB9$>w!73rUr`-K3&VR(C|l1Q>K3=4`ca$)b+>6&^WkBJ;x2r!HVMoV{_(qi zYJ;GC8Y>bP`j(xA;~JpGZRGg?A}#L?Ut)srzFfmQT0==>!n@9adfqc3vT-AJ`OYtG?QG zt)iRP9o2UXHN>8*@0wxgkb=rMk*n6Ym9$Q`#Y)mPE)Hu|?x*L6ji2pficqX*^Xx1k zAH#!(;qNGU?qiUUy*)KG$a(tvm?SLQDCLLv`$t2ad<+rJWI|ogn|@6Cm?6BaWmP`Y zU5$zZtyMz^s$|J!K2Vi0HW-cp7QqFox1Aa20lg$v-(i2y@^z9g6&_3K|+zHN$zQm zy^qO3E<`IHn^SVB`$#aJfg0lYm=K(C-dd*w#snAS&}jRNV~nAE|JskV_?QsHnI9jcf?tYl!LgwR zw7>N+HFyEb4S>M@W~f{$1ZFtMJ_ZR@*W`c>8}qEO^C>qh?Uf29~vq(_p`)<@1=ckje>VjFAe-8nIqn8|%Hs^8sx z4}1rq$hW9vERCm+rvbMf@Tv6WlhKCA$6VsAOfS2$jHHp7dx#nX+(J6(A3wnG%)vPVmYkyD1lf8pD0L4Kvi0p|yx+D(A6mM)d zbdU{W$zV`Xz4Rc`RwG6e>9c!PW+TH^@Er;%lU+zoaB3Y zq6_x71Mo3~IG-BrrhijyTlGhYXJyM`%ZI$>3F3-5A0vq@bXSK9FWY**yn3J?JD5u3 zJ}6Og*>}BLkSQl`TX|yqRHVtOqFcZ{8v}F3p0k< z&vLip@{w7++j2>OD$_m>7}7%lm@`}y71{k23I$-ekoy>~2d2JZvQV`f=&hghF<_W1 z^2D%=y4y7-4#jR&Y>KtCy@^g#6N83#W&31|H8K42&wtuC0oCu+51rpj{p5}54L#LO z#j|fllFYV^JZe|L?x0Gh*!6r~{PaA~qlp+iOpD{rrk*;F5(9`aTh9|&{Xb{tlI14y zrSYvWs$-unxvB(xYK$aO!g^YeO53xL6e&@OK!qSP<<0a8delp(jdfhm<3_-T|EC5y zu?ZmsM8tjlzMD0~V=#+2mEu%n@^a7;id|KI@DM6S5tnjXyw{$c{)I7-n5QpN-!U+S zIP*g*7Hf8C3#XstY9nqI3hZL|us^ISNAFHmCQCKE+RKO;#BrKQWmD9{Cg!Z*6|1E) zdSzM3RMGqiK9k9G~&stCMW9Bj(8>(}i8&sG>oTlq2 zmM#}G>S6%#R(};e%Ts=)TE)g#T}zL{7QYBnhpnUVGAwbFn=Yp5XkhU0OZv*^1LKA$ zrQF4+;Y6%$+X@(8)5Uz@F#2&&{(gF`0?-Uw%ouvJfw$_<^^|@W!-dz!O4^F&x4q1y z^++pbFXCMJg(nHhsk<0D>{1^R<3VBQu*!y6fx2fDU-kH|)D!!Jf1za9#qePznRV8b zQ`tDUz@E}{TUIR$Q#D~p$^s9VF$}`qrC{aK4cnMWxaPie9+Vxd6)tu$U^q=_pN{S& zdR+_?j=#;H+-n15!aJ!{l{GDBk zv4?KyWSOrqCIzWa!tF0*j7%!=C7Y7|cw zGlZeqfp*GSrWUnY3<;BigET&>QPmAMX_8P#=l1e&<*P162-SzI&y~0%Ntm%A7$FRn zHSK#g4ldYIW!2avF*s=VE6q`MEnbJ7XYLyq4Sb5ojH_J_*VcSSz4JnEte2Q|F$K8t zS7l2#o{h%T-)It8BX>FIP{&jD{EY91+4{+1Id3ks>|zGcQ*NoW=I6gG%lfd0Hy_y` zEH)z|YZe`krIn%{=e4+Be@>VKbXW6<+M5F-yNCh6tA%v!?uO~ZZVL}cg{bA>@+Mx* zV;UoXt4NuFCWz3*)L%fA)#PNYMMnBW&zU+Zx3%#&E)zak%H)aGMYdztsPSVxg@?hvaM;)6h}amMHKZfsmN|_ojZjSl z8;zG?%#$Y|*?h|{f@^J^Ofm)3Wg=Wt8Fd>@_K8>vr= zae8Ca?^5cslvUcnxF;@CQ%3vlR9N4loJy=m(Qe-<3%Y9S6hnS~@~UPAO2>6E@TXhj zLvfH-5!EIi0P}xsp*TzfwvK9PzT}N2R&?o}Dmz9Ts?-eEs){ie7!(P;^%iTzT08PE zBS^f;?(YH#seQQ0U3_euOSrC=fO~S^ApNciCw6H3ka%=~kV; zwO`#r5XQ<8Vk+6jb8Bf%IB~zKzk6V<@ubHnp}P~+Nv+#77$t0YQ8ukF3PuY{Y0PG2 zzHSRzxbXUw;QNiHs?`o+#Bhx#CtpJ)?z zF>?4c^NE#9i>yv4wDc-metWb6&kx-3qq!?!_%IxO)s0Ea9R5cIe3&_;p4eW<%>n(s zaM{flp-=EUbpY4=8;l)JWTMV3tI9i~DyXyhK;Sx@$oPCa)TL3KZes?~4?7PowH7uT zo!Xc{^wrD`i8Rxq(Kdz;(W198Ur3+duR@sYa<~j1Vi9E}p<^b;wO7Z+q@j0=%BH#6 zNoQlQ(2d{3`DD$LTP%u=YN@r!#A}q1pkm`rYh$8tR=mngSPunFrHo^KKe*!N8!1TU zFBRK0?Jczot&O=tl+?8`ML3o3xf$cOF*7)N;7X(QxxlsD?!=#XbIV=%R2Ss3F>t|^ z&GIs}vtGDYo?$V!TpMG9-q4$RGpiTHyXYj&BD1E&-U`$#ze+14q4jWJ1>wE0&&E(; z3(00!|=dI{5_M#|e5 zISe);c@=VJX2kRfh3oeyqZeh)3$=>L*E1d*_730k#a^7$+WckktNHsddkBv#Odp~W zDI0@_1NRHJRm{1>^kH8do8Bu-A=Xw`fcwmU@qyy+!qMm&Oom7%or^g0QYBYGVvBh^{u~byK{# zcx*WK3HNDP&UeYaup!tXbiY$RKH18IvO>lpXz6|UM2#CkZ&Djmh<+HAUC-)gGo}x( z8@7D8UyY$d?{PUN$wKAfm78VoxLkSuL>c0JkB!GU4Yh++8I78?h#AA4jQ%R?3e)3B zZf@E%w+1?`RkAk54|}56s_u$T+Um#r;VQT%&3aUx#+C)<59wK|pKbm5 zN7wK-Zf9f3kkK!W^X8vQ)S^4gSjlf4_e`O71 zk)JmE(qGmW0mc(oVk<&v3Uk{SObm{a7^_U|h+DX~nyFcfm{a`n=+8>Jr0QN27(N!J z70XPnHI)Y{%6YKOT`xLWZhp9!16K^T_PjL^m8qcCs2LRnUbpPGPP~)m>L5DLCU?}8msk*Cca4Q$LjwkZ4Cn0H)CiZUm9DN(Oed{5jR`0iFdD9+Sn;4$_u1q!Y-bNMJ z7?up@N_E+rO zn+$|lH{z)_h9^g9vb~?Tm-~4Gem}VQMnc)VlS=tpFy6+->rXBku;?jRXhd-tr`^sV7NYP%c zV`B)?rQYpLIu;b9;Mt~Ihp>C6MfUl4MPKVWbcro?&S8Mk-EKSc2K-xlr7=iJteKj| z-@-H(@pGKMu|aSZcmJHiPCGUxCZD28@VTnGV(Q{H1}Bvxdv6!=oF@PLudt^7{NHO7 z>-l&alapW6li7;Y8m2O%h5+r$7sHf`J?UH+d1%dS#X#k_IGj_p@qMbAgR&u5>R5g4 zy>e{XwKxMhcY9nyKzkmzZ1xn1EZt}`QnTSPTuJ$bs!slbl+_P0OjXVw$=5OqTx^U| zE{n|z^MKh9EaX^X8eq4;7$rrkD2i1-m@qB5NfT--Ve`2p8M9Q>>%E3#tCswC*q=8KwTz9eTz} zZ0W1`F3O6DHa{O@kyG)mJWsVxTcb!hPe~-oa+gOw7@w4pFvXdS`{F<>vw1GvO|N<` zzc%een2~fR!+8~UZXAaX&@6p3P*iz2y4diR){E~|`$OZz#+YOfkwnO;${+k<&FL+y zvQ?k13TNzNu$r+vduN>G!rbIl<(C&|YWoeQCB1h_r5a$OjZw*-8;0Iw;#pH~I$!$k zq-=rfhmRr4c41;NRPUiC(#;G9OiseOP8$=H?j*3N+QaLc?@cS(bx6xX4OTm8x3p9& zlEb;l&es#LE!`CAy>D$#zemBdoSi8D_j3k z1-OVsl3XRC*i*$UWSCWYNWAq1ABf{Or}RZwkAd4fgP4DOa{KdX-9W<7W1AO?@yFIt za1l-X;iybEKlnXw*`c!JtGtJqdd3VSbt@gJg=^jw!&vj#Jg8T_+ZcIt2R&Al>gSr$ zfQ`||o;;K6ue;et@>&mg%%YPtV@nu>bi=RgGK^eF>a7%8GiuCp*7h*WKZa_%wWi`2 z%bJ#jjS0wU=u_ZEKlCsJ2`keu`RH5_4P+W&@-hFfa-ZE8y#{TJJdXY4*vc>UP+Bmx zrL!TK_4LO2efL+xW5>wj)bB6n9cmV)UhU9Z&dP|LGO6m!k&Ow+_6C49rXQEZZYQ_A z*@%sq$I$o7Hs*6RIb15kEV{?UW3ccCwDV|A1>cx4@_2_lo1jt~GmcY{)Bbu1{E{s$ zli&8iFlK-x+;to z!u=Psg)8MelYLv8C>$UW2U@8|eFw#Sp*n63;#7s#8q67t7|vvVO2m;mx)?jlk`?1& z;BXQ6Y!AY0;pg7hOE|*}gCOfeyt#`fo11M*OGB}f9kNQ(XKUIw zo}PnQ!l^&=mMhm9&zGKC7XfiFQMe?H&b#`%XUq9E=ruFB;Fm zzbLi~-JvpOeQWA2y~)J4EM>EMpG;v{2cv~g-ol?ZY^M%J3m^Pt5Y`O+%4Rpr0tXX^ z!*S2*_rq0#kKkb35ET|Vm^Q>i;Iey=+bRrAB0AQi@;^m(WI`y=ogW1HsL#ZuxB~Bgq1Lk8om_QtOe*ar}#LSoF z@??XswiFI>IT$@`9fcF+UeD#KH~a;bYBrOzIel<#FVrqq8k4ohhFh`~$@on)raJiA z!#v`!!i25lE{w9Ny1cN_Sci)0HX1||$Wk|pSBus<7*zDO6p+x7G2RC*SH9TroGedVFp&5~eb4+1Dv}%w9S#FZHRnt+j^7S0L4(g`mK7U~Qx9>P5I!BI$*z$1(!J~H z%{~L?`P^@zI~f~RY``KdP794lD*Y9wuPp}*A1?Qjq!Mzp!v`2yg;sC-SOc{L7* zM%e{FYpFGMFnl;lb4s%OL=x3$;Sa<4)bE2)E!p;~@PSozTy8CobTD`5hT*)~_GxLS zsAi~$ulqtnUkeArg~LpJ+voJw@r{ka5!9+OvNKd0YVwyb8#g(aEes0fXkKE(cQtCw zamI*YZ|;6K-UEykR;rGq$$N)w?}{VMPZyi6(Pm!|y?IIIuB8NAOrG~xxr!Pa1=e89D;)p!)qDRR8kL#+Fe@E!h6w(8UJ!HWEd=cZrWq4 zu%(*N!6@NKMmN;Vu&gmaNF~%}l-z0Qvgl6wj}!0fue$r+(q(b5a%Yr()Aj1jeydJP zzAweBwtrUS#yifZ3kvf9Bg;3&BHKpU;?u7gRy zsrvR!I;jpu|4K2A>_DNdtgL#P`SX+OG;8ux4yOH{KL6yz!l<9$ zo9gPpPD`J}fnP~t>M4E)Q-0%fx}j+H&0#b40!;d;LrB>a&1VrN{V2imMxGsqW+HCW zV93uO^aEXO&cS$JKRX}uvTr84x`pR^O{oB58=dsPw}XMcaja~fy-a?Xz4F*#xPII$ zOWy+JR2%OBX8HOurlO^G_XcBqZJ`Vd^tFz{-4GM8%S7!w!ffBn3x}S&WS7E~w0vk5 z8+9<=H~M4+xpIk7zz$P><8&XFiO&1Q817Ts=SwNfbCJ8}M;@m8yfT-n?Cet{+PDV? zvwo%aJS%d#t!3&{o2!2z7o>E~E1CMbTIq( z6jApel)rN@@>kkz&^Y7K83%<{RC<;k1HDI5&;DMv_VHD<=aJYTp^4^=zS z$~5oEco!A-N+<_IeIxZ1H~XkF8Cs>tm)Zm}q3oPetjpNUT3Q;?ix!j5sSm&|nsTr* z(U6b9JfHk(bUtt}o7blhaxPnt52vlW;ZAgVXI4w%wDdIG?9@{`ha__wFCR|88}x&+csC`9>2n2P1i&dcc;q-dSNO09hq> z_G~0vYQs2PYvtSEkijV4)fpp5_CQAEG&)rtu<2o8Hm_f-)vX8e|2aFCCB=~}4Zn(3 zIayW(JyV6Wn4JJcpaLWk0dd(0@Cdv@NYT1vM#RhXavor8cD>6N8$T{CE|-4Kv|3bI zb(@?3mtW59`_B_KJG3Hxtddi-q4gOC3SPKgwY-+LoG=BSXQyBN`6d<)h`7ss(ad#> z>$%aQdp%)DZycwbB}I$$w#3C})nfY>f&Z@Z(*ef$NM({x{*y}bsaX6JgRr9ETKN!+ z7m3;CB>2)UC>dbB&x_U#R|Qjj?G~Q{O!O@dmrmR2`+%GEapFI$-GCqF{(GB zmT$GvTz3fwX7)B*)_ALeRs)RYO~jX)#9R@QIR(=6=)DQjlNhnF8gGC>y%nQY4P{$o zb%0?#TzNIXh@Qzg!-$@76y9;gA$hNjfYz@v7wGX!@2p6 zG9DL|J_MwnI}*=T_mh``NZ$d51!XC@u*Sgpf!p?xwKXpX7!*8t{f}ANrQ|oj z$Y5~Ooe{vqpdW1fNS5e!yKI;k9Ikv|Od8rGF1=tZtTTNoFfllNuc$#>y{3yxO;gA0 zV}3C57HTvYBZAW(RwiIdkZcZ88b1ZfnuWKPc!i_!Z{cex2}@m+Tlsw4Oi}p9&qv;F z<P<*{y6VA#-2Xg?N876NmIu0OZx*4|lp%=T5H zS7Br1kkVf~efzE7w6!pKXb7-i_E6r(Qah?MDS#2gh@#9g_|vyONAVN0F5;~8|0&BI zV~H;1+|KP8x|S0bs-U36>C{x7#|aRg$1kl}!DcI~6MQYSu%j3s1B$ChCch;fi?PJv zMLYV;yM?nx{UgQ_O~C@pBN|5;;ym|JXTO&Lh7rf?g}Pvz=XS&QEYpfIFqIfmSNZdl z=;}`c%qIRR4r`)V+lD8G6h})>m^p39p#dfoqa8K8;7?RDQzj%Gr;NhI-1OixYfCl` zFrVlaw{cSoVSr&oxdx>XajnqPR-!>Ct(4suT5A_qWgo-~Ds+QE9g0gu>(i(+A&rT| zI&R1mXhZw5wxPoz;I(axBhJ{{Fnd#;#GPckmD_CGZe!?hu?%l~@|6qODkD?BK90<| zbI)4L)=>uvVPp2tl?gMdx6=DdDWeUt*qOCBWM%UO*_cHno{|@Z)YqB`|4pj+H2)af zQk1NtBRCd@QK|B7&GA^ZH__Lk7O%H4h!|yQ7Iz6O-6hr26Wc)@V#`a!!YLjRg@uN`aZ{#sOQW2TU1y?8yaE_n~z01`@` zq{dtHT&Rt?!AEf^h_hpz5-nWN{g6FbQgxT@EqO4jcZH2XLhmNBidcOVXD%vBc0UZ< z&9#sBCn#!dV_a~?_-mHze-#teTm={uTrYiZ*4;YD#)u$1@GuZaeceCAKh}T!=R6F9 zNZn3~>Prh2wGHGT`IPQeEn4>5>Z%d5F;qydAC=H5+R1vl&&G72U-0CbY}fXXp|hbE zc%x8x5(_u|?svvjY>WX%FFAG>s#bEs71S87m+b zq?%F*UgcjIPZD_~f1XhN`&9g^sSaUd;7|s`c6t0HJWi#c*f#V(%<}A?Rh*X}%F_mt zFuvG%%JW$5iIq&s==`u}kd5iWppxazx|wbpS{@$a<5s+>n5Wjc(Rr(kz{XhNk|Z(P zbwSEdj84SKHj6ton`{gk4w>+&(~D}?MYLb|zSh3K?Z?v?sRH85afzOe2uG0AlI+s14m_StPr8A{65n=9W56Nb|U zS!-jaPy$Cs9Vk70v&IBqxG-?X?!2$#61JhWA(aM}`S<^&E!(RP?}Jzxb-Z3~BK8kgo)x{SkK$SzI%B1~vD4&&Yz!A}#73)%wi{_aTR=C#+_1c&q^yU-mNN^Edq}>&9Hl_)uuTp2^(2;tuF-Yjm z{5kdar2HwF56T$0&A#;J5=x1_F$(f4K@l4>gl;141Y!5M36omgvfq)WENNqc5T&hb zLleW2gxY4OmW&3D#Kz>H)G(a5%dznEmugw0jmbe*+(&yRvmZryGNYAoa4+t%dA|_n zf7w^#vo=NsBTpDYW3TIlV_MK(-CB29p6tJI($v_e*6^TgJWL9@{E?+7d|_i~aI_wJ z4R=Qw1UKQB*Ny6Vc9a+8xgO~#r4ZB=gTW>@h$jA|sj#F4l5ETd-Vshr*K^guovKF_ z1_q>d)iin)mX(JGpCPQqUC(tU6xnfEuAZ8)Jjx8$C>b2|>yY z9c2Ojg)@m%V;!S{A=LzwC0CxsEqcTIQ5Y!x4F&|IMIXNkufwRbZew0>?D~PfScHMK z5a;6D9eL}OKk8II&GKhz zttDK)gsGbY?x@>bocIeCzW^s1!-S|v#l{rjpMT1jTIY|#6rsry$NZpi6x>`xZ?g1* zTW={YdiKGEy(|v1k_sU^YYA-(8Q%LYHS~P&TuBqPM0y`ubg+%-L$`Os^P)6YRN5Fo zT)N{sKhX9HrVqzF;pKsgQ>JaVVCZlmZgtD|^(~2c!}0C!Gp&5+YuVR-6z+(`@+V%z zX@SK3Y|J1=Zg5tM?YLbrkhrGyGQ8y4dctXmzIE5Px^n(a%@!MDiT7Mq80!&=<~qcn z;v?I3w2V{y`I}>aXg7 zQ%oZU)Oi;4GPW^`ICF=b(vZDctL19zC7K7^d_mYgO=O&za?(W$V)%S}RDmG00e3x}Nkp^%6xJ!;JoBW$n7QEoK^{-GQaM7xGbL+_SmV47~=kRBILe zswaqT%s1Zi_$d6qkWxG>E(oJZS)ukp?YdGi?YN3xSQ?YaDHE5_OH~}QmU^^}NyjKA ze{@&3BcwFb#XoJiwitpO_vY@sNxs^~5M;DodJWzG_FNkJXA`%=^X{t*!;do_ZyS;z zHijJkWNBJU>L^d+2&%9vOZL)N*#H}(jKOMUUD{s$=mNq}w)LC?tJx+VguN}7uIReHcm08_@$CXPu7ZBL4%4c z+t7;;N3t=#=u&-zyB_=DIgP1|f}3ud(FG^&Y^jf+jKF^9Pjn2n{|>rno6toNGQ_;% zus3~J2e+2emaln^VR&(s^Ve64fLP^e>|n-wYZR9s^_@oa^jEE(0yB)Ox@~)+H`lT; zyogCT8}p0a$n8Z^3Qv6;6a4rcVNB69=x>O9+n7%rkNmES2@{Fu@;G(LUbA)055W#& zwvA;_UXAEtIMMXW;NF_vxnjxQg~Dn4G-@9>7*AZXx3f2{Q)&I*ln=o7*OFxQtSDRu zW2d$FCFk+`x7bppx0`zn zW9J(h2F_iwUE>C5*%*r5I4S_zWy+(N@0GenUU@iF~p z7=*z;(;$3R83w`4bbspP+IhcW-fvM4`!u4OGp6Bot@sqi0lgz9-$cFNF#i|$BX6@( zp2Tf8qZtpTR`lApKCFf|uZ`)wB`Z0Y2V(=Xy7aI!Z;a`^#dOrTs6yp1!~CAV^u^I@ zxqWrPV{C6Ec70LC`rE)|DJwEc+lDu0@cf0P_g2=18oIhbKL>MoBbjP#MP4y~=Mf-T zs4o*^cMEY1?hd@kyW5z#8|QsLeePQmmT$#9W=+$$V!0L;H@?x`=8JSa%%{p7wVqu{QB z(EyC*je956^sWgsMe-9WW9?}6W@8fXqh#IjUyR@lvt4{9u$opm#_(>cWS3XRT2!d$ zt}ek;UU*E|o4z@ffjCa+jjUBT^@Hxo#1x))8>$jUHiqt|4>CX8QGcxbG)&)_+sxV+ zz*~5;Rk&>2HkiEgNI#wL71slUc9C#^gc%!eDWR0IT-fTZ8OOL?H1fS*b+6Ww+_y^dAVf+nsDG*a=f$43Bha&eu@GUDealhK_*-%M??2#!+zh6~ZNc zv#9A)eyoyrOZ=~rbUb$Fwk*%8u%V4vy%{gXDf3j3o?s~~L)9(AydHV+)G)(RyRECQ z8N=tJi9egsi(Q7paOIDp=1G8&y@1l3OwmEQ*vi^@;9zubMA^`DKxi3dvQ2x#)Lbc!iM7xhWVuKl(6m9?r>DS zZ8a1R9RtyK=Xv+%ej3Wr?qHm6wYig(1?tLnFvmAr%q(l{32!@G$kv}!*=JFmY+wCz za5oMaSzp}^6&wTGCsjfW*&+useM5IlwNi8Mbn{%tV76}*=cHiWQN!tAvd>LQa;mLJ zDQtHz(HE9Q^%8eBMN@tk2Ki=uOR{HeqqI3O81EzVxu9>nx9Y_DEZ!>X6w`cxIEbma zNR6ZY)=I@YnCcrY!#kHUck}sLxQDV%K+=63Wdjbz{N|CbJcbp|{Ebg}!j5UhRVNe& zPE^o9wuDye(;Y)A!1%~yn-#@oaWJMQO~tx!s$)N3PLKWfu42lAhW;pZ$<0^R-2qR( zk1)M=mt}wPRD4(EVJro@4({BICtE+XCm(}%GUC`d7Z|-8iJy|k`^?%jz8t3ShQrB) zE4`f$C(0OHLPA%;SJ|LuuRs+J#_d+5Dwwq<7}IwC@s+24wVwYQIcW!Tb?mrh`#syA zl#9k*ElT`b6vE-6L$A;y3G{(1XFdPCzljM&{WF-6<_`@eTuIh!t$I!TsA|&x8IjH|BY*WfeVD#!L591t~EPLu$ z2^g)DRll7LiX05rJ#4&4xA&Xjc?TnPS~%d-MXJ4RY8(3Wv2FI&6v%NfQMW3D?|Z0X z*@^Ip#N}q}nGyNHNw2%UwELZN0C(X%^%ku1ovuFZVBT)DWGnBgP0$!+Xw+96Ye&w| zP1M22-AVdE+(9SN5Jirs83xdQJ4WypVhTx!OL-Pc23F~TCrLM1;$ZY{CKi5=+)7l$ z=U@u2UQuICzinG}Xx}&(#xq1K98BUFM`52Y8lTPKwl!>M)5pp%)kM=AOxq*$SGg{#u%^cs!c_?Y*U^Y+2RSEgJ)*gIbG}Ay1X7pzKy*g;+Im(n^Om8||ono-c(>Sb>XZxO) zG)+Cs;8C1cO!iGqaR+69*#PA%H<}TKK7T#(%A;yqXQ;F|D(3AxUL2ZIyUHl6Bfs2e z-}CeNh5yn#G%$jp@uY)Q})Qp4+e}UlHSYk1VC` z*X$~Mm#C9rXard0?*MjkFpWo{@zGEm8p4t-`oHL>BIfW6!4^#6;rYk9NBodjzfzBo zJrkEos+nh)w2LNQ@F@PVhHmHv)~y>(Jw=`&Y7?XmChu67!t@2k?4pV}BS%QA-lY z!LZ#hso0k1d)bpyTSu6z8^%c@7JE$Ugko{DY)*{VZ5ZLE*I%dyi7;vx3deSyHBSIc z*xh+UKkO)U?>DCs^LFDb{fnn-7^3?!_8Xrx=}-GzAAsAd$aGT2 zg1|K0>XUmepP=r8YD^LXbt{QWjyFSV9_KHtq+_?S4KYk7jPredidieqW0ClzD5*7u zu>K42yOjJD2I)*8D$LLsN8uKn8;c@T&0hnzpV+n1K>a~Z+t3J5c#yq$T)e0uNlelG zF=O#lhX-ls`X_c_9ur9j^q(Be(~;)N%5&$+v)Iu5sB)e)=MD37t2o_nS^j)!2<$2? zMH~Z0C;Z`kX5BpY8kY=4=G;4CQg1&g*O;N3-`%P!A%J1I-#sNOkI}d(8ZFqb zF%x%|QeTx~^DNz=w&VNned~gSl#@5rA}GwpSt2zI$5}eCU1KON<;Af@DKr)QYs|*s z`UZ^2&1J|+^=PV?^y=N2C^n2Cx%<#>RhRD#4ee`;%T3wq)o{y1u4Xe7yU|xQ%+6Vo z_?V)TE|_|n)t6GVfOPR_L8la*509HGuw4;^Zzttx1?srAG~VNTh~QjfnvSae<&vep zJxtB{Kd27BulvX~hUW%87-1>E)U*oCH;4JT%X0OdCgg}WJrA1i)|L3U#$?^8-DBeu zD+igXqxQD|yK76!J=-W;!s2I6${CevbY7B03mW9OF=_)zuM3E8Z&mk{1X=9E<07qp2VP-v-zTdW7inGdz7D&eW}!I zvBSu!gJ6n*W5({Dj;RX}P-CR7aV!1}k#~(DJE{t&fVZ10z_?u&w8|@;R+!hAwo8wc zsjakl7jt$p?Bq- zyuVuIK8|L-w!$Zw!Z%@>P z@w;KW{&Y`Al)*RyBIHym`tNAz7`r1unsKos@%zb^a;OVBm8UvzM{D%!ViFH$6kJT+-3DRjVtm-v_#rdHVw91%GZ5*8 z#_Gvi$2eRIeYX|4424t&Xna~{&EJ3~JLC1X*zn%3=wd97toezFdi#3DQeaB(wEL-V z($fEHT#Ajp#JiZ)L-pS-hV;TWwljr}m2r5ljKh29tj9yXjUPWK<1AIyv}2mbMJ`74 zvRBd6q3GuBVkR$;5jT(+b}^D?iK1N$SV@#*nu~F}ruuO$7m&)iOMP=j;Jl{D`7;4XW=}lV z(i86@KTV{gkt}gBY$yHy#+mLvFmf?`*I2u9AwFf>Qj=g3lZDNRTnyVqvt@5&>0-`~ zY9ORfC_PEKBX}^3+>N4a5t^bdE++0KEN4GyqQhqNE=KRt<6f@+ZP7Yfb}@!WjS=L1 zr33gRH<`9FrBx+2?vHy{lA8YJ6ndzIBQ9q1_FvWBv#{pW#h_kBatVdAVEc-{pL#hp z+}lnaZppvw8Z{B{x@;7YG)9_ys$b<|R!_cI>T}*XS^I79P6t^}Ma6zseg~IApBmx9 ziftD|dYK>IQ0ItKQ(9#RK4y4Z%T3|Z<`>ux&dhutntvS@gW$*MsX+G}^(u}A#`Hdp zKKgwtjOy9-R$L3Z*Y=UU`sk>AYE&y7VC6*G#q?e}S}2!cmDym}t&mlp4O6nYCaiIm z!PMhA7vpI>iMlJB|Jytdmp)Ww`%%yrcT z7vpowp9oiE^4*KbZBidDCi(`u<4Qi=xik|tFmW-}7lflI z2$#yGSZn?6Cd$&gPBPNP%wE9PFPa{Oi#a`?TDTO(28GeQD2|it@lw^N41u;cDmmX2 z`~NZDFWv-8v0o|Fg^LM1Ib&XmQhxbC$teA)b+U6Yf;V}%ivvG&9+G%`m0YEMM{L-| zKwe7yN0qK{E@toWVYrK#yP4SSgxoUJH-Np(huEJ*!%G*Zkw46m#e*S6eA=ZmQyF=aPSqjNH)ajU~lL9>gYyCmOH$#(B{jnTWnAE(CRg-N@7 zRFqh;+O;&jquPwZnTRZztAAl9eeYtpZX9+SL%W!#TZ()w8r>Ex+`=f`BKof8Av;S6 z#_F~qsU)LDqk}$4Au=B<|-F&Mj9Jqbp8+aTxdRuG71{jt$6Q1_b#UB=Hf?D zf9qV2tCC4|rq}2&2N&FtZj_ToB) zYqW}u`{5erEIiA=n`5wwEwAKOAmdQ3>cQw|pDu>!l2s*|1{VunaaMwoJr_fDZMFE$ znaRj)ts#vrhUfk`iuH>OZk21XP0Fy^@dwl7K}%3$I?n$oUk3Zg)(dre#Ee`jz0SIk zy*>xb7xib;H^IPM6l6Bx2^WKM@;h$nWXqD>!OUDE>rl}H$nU5X+PWB-qbfRTSvC-t zM7E|e<6>rRTyi;rLTyDS!(7oYI5#aQk!xO#&kpz-qjy1(ImNEZqKs)d%ZViB<M~mJw{EG*ojjIY(TsIMA$o-Zt2cf^xc; zoqOcDfTedXhUNl)k)>MybfZkj#rPbhuQu=I`q`i4!!(`TO89}xf917vuT+gFWAWa( zmC^m75OOHU;A6gSe9UvcDx4v!wn~w;whCEV)3p_Q4^beaX0r*rcJ}XD8q+nAchsJV zHdUyF>DOWaZz}SpfKlH`Y<=o>v;f^Jhs}DQT4hziBwi+-`#TP}7{If|Gnl%wj)IoD z5Ouxh?>d#}VxUgW;i{>>sM{r>>wROg&i~m{d#MxVuBB(4T+cK4F~F%V2J9@l@h-;f zh7+H(YNL15g^c`- zuZ=sE97-Wq8|4LHux?STipF3nH5q6j>zdB)Li;Eds*detj99!G=8I9fS@gYgn1x|F zSfzo9x&_-Az^oo7VW#dOk<+ACIYIqfu`=yN;;lU`{3zq3Gyh74pyH?$31Ipz3}*ea z9P@W6MbL&0l#4k$zGJH^{&wJHbLwM$ZJf%)B2F&m?~?zBx!9d6@ib`&-S%w_>v#;b za$U^ejs554T<)r18T;#{!sfAvc!kcqmw#xUHLfxK^hJif)pN+~91LG`x>hhn) zVYK>M@$o^j^vT})j2)wSW42$Fh11mDYlZhNCi2oSNP6#r%Q4?ek-veggYp9w^!2#j zQmkKHBH6x|id8qoiq~xzrCg4yS;+fcU#d>^xC^6r!$QUjv>aTb_0D|7Oy2xh@@9Vn z28FS_;Y`7h)bLjOIu=eZ7_?%8E6O&vg&N8@EGm|bZ1FHA_D%w{Mwc1wjK@Ol(WJTe zr&Hx(OvTC@&}ntuBc-Q|$9ti_@RbE1ua3KBOH>U7V|up_iS*WdQvW>cSU)!FVqWi8 z=pGl7dw+;(16Ci*?%l|k;?R}?8YyNB@aY1X$_O0yg~N|PX7MR7wqQ)|rR$RO+#z`y zL3IoVb)w?qz1h&e(&H?QfptU=*&Xu{mP8Q&>m?=QMa?IHT`Wtjc~f>w3y(d zRtRHW9JcROTic@?Q5uhL6MoN0f06Hr2qRCf!-Tn*^z;3w-=r|)CnqW8$4RYTxf}<2 zetetg86ACT#5`Z%hqIVSta8!Pt?mV&uoeP#J+MrK7PE zhsit(Z23zvcr4dZdJ>O(kFYCXEI4R2n>shjXc_}aK7G_X-ol2_By zpVr0bUF)G!9Oxy?=X7jqYr;Uekz3@#=KgwB~=|c~bdVU)DoiiV8 zZO8E5IQXtdOU55+(;nNmDz|{s@-V>n`ro;kBk?e=mqu}rETUmDQLeUhfgQ>%YTCA- zG7t1U4C)1ZSF_HJtPX{ScPsWJwV@BzdM}LVB3PBh6Xq zo{XX}aMEOY*EXz-!ysHt$z##7+a3n;_}3p!tZ{$WiOxW25;oQi!XwPo`(}^-=L%}%RBE0DY zy&lHtK6;q>gDC4;*D*{tXZgu;jpVXE@i0nf5&85mICsy<%e9fIo&}!^<0wmepA+w2 zR6@p^4gn2W+u6o2Hn$|9tv3f&$aol|BbA+-l3a zZX%jc$lz@!)zS-3*}NwrOL>1%k47*nwIC>lhPs-tM)Kl zm-6)!l`h{t)yn1AF}$bzlyW7mJCPnlv#w}IKb?odSe-8|SeZ?_Q)z?hPBI?`X6j*v z&gW$zEnm?2+$m~Vv7<2&F;f@5^N}!?K@8N%9c{-cq+fhe925&i$DU`bqSZ|GKQTln zogenP;$=zkOn!Xp$?#y7?s$@!>3k(z+jYum54Z9&la{afBJj2qq*H&;&lh=^pv(Md zd>6)QPV6_*AG;y}vfq0OWju`5#hgOFz4@@%S@aDR2M>dEX*5#}vX#lYqykg1KMSmV zR(=g*ta5^yAH_n|an>|I{J6g|3L4y!qF~xTwUU3+nZS5m$ZAkg?_tI+6g}5R7qye~jOE8CMhXOGPYn-4cvId8y*f+1veCon9f2EdgL6MnoIDKQoiZHrWj0nW zhemlD#p9c3rd$e5@T6BZ|cAoL}yXa@WRX&KLdNV*%Rnpy?`0A-r-uG@i#Kh^YO+$F&%c zo3S^sZ&LNo4XkvLNL2M&W-dcPd&$o;kj8Mz1?ERl!Iq|_r~~KIBi7sKbwCdE}P^vJ2hujd&qhin;R!t zv!Zwj?yMC23@yb3&4D zulD2;TH6JBn1^GViiBQ_g%^`=7fImxB*~K487vY%7*GPdt8%XV9yG&vE*(p=gvG-= z+=S)TF}Ee*Fcmj0Ijfy}nuv-QqyM4M7;nNfy=r7Q=8Gh_8(y+`+HhRNEIq|E^E0y- zYgh2Vv%qrF9V3^_`BOgj_IPR~yyl-Y3%NLD#(@oH=_Y>cx5cF9xf~|xvTd=iy4ORK zmal!o-}=J{OwPsZ$67|o=3Sr(C$l)Bo&hwS)d9F&0?%_oV|xECjL{7RDHu4-*+<2X ziU7EWS-MR8Q`DC%W+!EWvAXZkTwMfJ-yNfMkI{Vopj)L%Ge$ zwQLn;?dI}z2)WUz1hclUV9xHLc$W9-07^zcgz-9GZh?9zW;`(#fF`azm-}ZRoy>KA zahHdwJLzZ9!aJg%Dj+?BX0JQ!6ki^rcY`pxp=K7-$$jR`BI$#w%Zlz`U=;5X9o-04 z$lcPJMC1b7+NgM#%8R3b8p`|e?L*SPvSBtaTV~x|!_p$}7b@sI8?V<-7kHS~>(qyO z7|rv8@Gh1Xv=}K@<5Rtc;`lj{jzr)25JvL?_DcN0sj@i4!m9&Y;){bzb658<0}DIIb+i^6ZhTeD-I4p%_ku8R zw_qz~RQRY<9m95(Xaqxd$^70K9py4LV>x@~du4M}hGT)hW>=$=kDk_v9;WT0G>Lt) zq7l<|VRFz8s5%iOChL~sPzu^V_1FVbb@DdFidVJ$ez;KOdz4IOa)VM|KeWZLWV|o2 z@!k_&VbU(3ij|9yrZEa@(X!p<(gME0bai=O&(aRBUKDKe*>Qa5B%0bY+S1_bl(nbL z=#!H?J<dXI8<{n1z=*a$R%tY?^q!5rZ!%{GiM{Sj<+mLcCG)GbuCuyfM z7uswiPmM5hr0gM>!&`*WIFAtCSl%grESHnwi05r?*6a;qu!h0rH7)!MOsv#0fC31yKp`=B<___ zSSqkAs+yI3&JRZJPOa$3BsFzu{hqi%Ea*PwVe~HBQhUvkgJNP#-^t*5879h=(EOIX zeBq?Yb_R1>DL?ftxT35$Y#Ny|ilg?@;x^}%f6WSA1=+*+-BMIXwrdU<`vH0nQ+N;2 z_|A`&iGtZXf3q#5Bc{4~n7O-@{Y+T7X-)~+nn7viN>UW#cSE-4W@)XNgvA`*L@p>$ zQq03BUVPlQjVk&^;ach4uA7a+6ds|#&LhvI3CI^Dx6?{GC8sjj|L5%dwiCydHU28T z>Xlx5NS~S6Ywz);Fb<&un8t>5a;Jb2yaIN%v6GM&IuCHpd4hSdqmm6svOo1qU(A~H zS_u3{B~_K`_f>mq#9$sJXIcPB*M&PIS*ZW4+~*eCvf%p@>)$eI%mDZfg$86!%uaj_~?JzzD2?LVeR|Auv+^bd4z*EuC&uX$AM=6EQP2>PTH}Ynl&!NPAMP9Sm@1KN>r%M513Lj&IUn_O| zbL?!dBV@)}ba6~(f9|?POdCqqNA9-fti&*(-0J18^zPCV^lvQP){kP_O>4n+Yg6|z zS(wxmR>z&;Llu6IPslKB3=_`sefmfhJLWXR1fg2{`Kpu)tamGTVg3$Qeu3Ak_R$9WvV4H6L?=4(UT56M}tlkRj_^`q4QI*BQ{s ztg0C@>169MVo302F$q0!&L&wdhL3^4ztwWvcc6qccXwPqF)A|2O*Wu%DLuq38m5eT)>2b^-O0G?xHJ zE59Z=$A-UnNg>x|d4XlU61HY8CJ29<{MIKDu;gobf0QMdaJht0j;_x)DL?g1(yJ_e z%owsvUV)6b*nXd{QWtdgcG?v!JD zg6CR4`7=sQJ|+;Iqi`7>-)<`#vGFl|IIPxZ!DVX@uKbaU$2)R$9Q@%toDQO?mqZJ@ z^|@Y-;A0qZun6aKZxBvNGDBa}F^woU8M$*Lp%=}PQJ^brP+g&|wc%qYVtti-S) z_(Utb@G+mbnDnjuL)Wr^@x)>JBxC3o&5kgX7=C+Jw$i@#`F3`Q5bpbQ`L ziYzTe{F1J_^f!HsD<*P*k*+DF&FU@$t@CytLyJimCy}u@VO}w&(_EF$I?ZeSOwz}^ z;#Ea3h8IgGg~q2^EcD5U@glPn#>XgQyBU-huQRW|(MLn;RLNc=4bk(GAoea2iVSLP zNj;(27}96$yMIEo#>d#>HK)cxnkc6>2rJiwNgx-{RvoU7DM%K`twhTcYhxU-BTuuf z;A=%NTl<5t9AXM`Ecm1D$LNE8riX-&@ki$jk7Vxw&-mJ^OY$)dNe3Bao|hXs zyS1GQ7Zk}?@)_EvJN9^JwqHfYiNMTA_Ud7;HVhd=nl2HBBpp2{d<;lZ`}tCUCR9Eq zBu~}9-_z{6;z=$;+=vixR~4L(DM^PXjZw)Z--=ycWm>+n^ENO*Imm;2k|ReFqmunC zuU@L`xs*{Ibs<`dHSl3EK-su+r1mAvcBT#a`|?pfCME}YBgkgm8??~7O1@A!=TJHa zbt>x`q_P}M3il~5^3}7eKE}teq}=`F-;_xHs{b6$&^8ofebjTD4tgFgy0kV>Oj4qf zOdk`Klk~aBC-%F?#>%r7P=M}ZUNTJP(Q*`%Wb!$7(FQ_mo%6#(ddex)84PO`#iS&W zKeWSN%*w-O`~5qZ$!wpKS7$vFj7Z-1q(#^!h{?zyB|kqldF3rKQultb6U)ZRgK^2( zR=ihx@8Ww(ZMy4OZYUu6n3%j5)zhx6e&=Ia^4EX;*S~((KKMgn#p^2F%VqW`tfj>f z=KI62a;1zx9UxN z%wrCVbZzu<(+1(fA=Pxrn4B23q?TKQWT|}=yR1P{Hx{sW5zJM}K#2Okb*-|PsvITW zEy=#D^C#QY#5`pneIaSA(hZ`hNE?9?I^O*+vw=m>F78AN_s1*AA`OP>4Tvarr%?sg;1Ecj8;Nk zT>T@hugBG~Vn@2G#**V`HmKIAK2_pRb+J7kBbMQK;?Y04{3r}r@>hziwNK(Oa4qBC z%$x+6oean`+HWe=mVC8&qEj7m$mtHLH6q@3u^ntu4aX6URQFS@aU^gO084TU9%6okD3oMkHN1Buqv+M?o`_0hekx6nPev?PCCP z7|$AA``CVL(7O6jKbBFlmbu1Q<8}VBHR@_(Nj&3CjTEQ0|J*VUa!Rwi|?AJRfVL@FBf;YiQPS`lv0u4$5&`^3)>o z>`2AYXD}_(H-6B=`z8@_9{n?*qwfG6$Fo@er`lpfrr?*4(Z=vUmE2*(GpvXAG3EHJ z;#(DYXdiai)?>aRSyB7zU2Oy#@Tw^VQy_wTD_OgttB+a7k5YK6u9XM#jpv%%bKi;! z^*TOx#BrE+WZ9vK5W0RI2Xvo;M#)2UJD<$hR7(qD=uw^d)nG`AP|(IhYrH?ax6>ls z*N$^5!O*+7zWHpf0FFL`6lkw2Pf*dTeehTsyqEsSq1n!g{HYN8J%oo2{3pxfP11_)rJ=NA%j6otg%*V(h9)elNIlHMc?pIQ9Zn{GiUKYZWT<1!MS8dhf|%8d9s9<0-l}46DGg?{cK}Noald zqAIDhcx%OL4#rV#nG~z^P9NEX9<0R^j^fp|+3vldE^zkv*n9OQDq%O@i{R{qflTRO0j_Hz%5z)&OW^0h^B_ zZ^)MH{(dB1BxU{O`Weqy@1z+rNMB9aS|3A5^aGXpa`djDaXqd#+-FQ9kWgQ9MzVbY$}9KBgCI z+Oz{HF~{TN%c^FmE@nw+`BWHCjIzBrYk_rpaF|kT6+qNPv^~W!u$T;PdSmH9YgD+8 zdBxfhXkaI!+N8bfVO%l3x$_n`?UF{!D$bHiZ}FJ(XTqA}O8swK@!}!nd;P+H3e&)V z;>rBtkf@tUhw(CkTUJ4Gh-t92%A3a;nb`%7&cG)*esrauf1l3_qGdXbZ~ zv=6u#W)oRK0Ay)PiZfU9!W~H$Sa*&kR{7zP7gP&C&ZkxoqOTJSqls+IUsPbN0)^f! zuYD8!x3M~a^i1`+Yt1dZbH0h*Al+}gn5$gdSqwt2fM*y{q`s8bV!QT)o(*Wd6}+FS zlih`|PT$Y+JLbc~_~M-IKJ6$l92U_x@3Bi8`6P_Sv?Qq*h985R@2Sc#%wAKu_0XILB&zHAZ7EBJvB!Rq=g*re zl?$E>9#03iN5@d#yfE`9zV&{mn|@1I&s$QfG;$RTLyx1C@V-?KmXsaCtmBYx`TL>W zDb;pj873bG;W%O5Aex8Tr=dlw4v(sj#Cb>8w+75SE*@xu)>b>rJF@sTIW2ORUenC5 zFZa>a#=F+z2ZnLSulXjUq()Sg>pU;0^9YH~8LrIw%flBgH`pwD&NW?3=71iHl?-Ee zW=2767oIr?$it7j+A@qm#*B1BZJ3E+1d`;dru_9auU8Ol2(;w;l=R($yyLch276>b zg*`HiJ;s3yY=dYtHRc}19$Ao#mdu+h#>vRk_Fx!$Wbw$YCd4rNc#~((=5B4gU5q^T zmFHqD7#MeCloQ*@S>CO#z%bu97Q8$7WSDP^!q`qDlHxp7(0 zz6N>r#5YYlZfyXrvB`Pe-zeYNZwH!CZF-b@x8DoS3{ibm69>2aPz*6%)s4RNvV5%; zm|==hohm#OT-)d{uE=^<(PHiac#UCZaWsvBXvx}lgo#DEl@%Q(YxlHj&u~mDQv3JS zu^$pBEMXX7{CZ2x$&cQvxyfOEaX6*)70nUD3B~Z@5pg*4WL*ok_Dwj@B&HXnA{k~G z6aK6~fKC&|ETak*jftvn5*TCrR_%%g*EFv0Zx;tJ3^4{pzTZFOZ+5<18;fD$(UA4} zcS-0>$uJBoPLq+xhTa#NcavO;UNDEqmKI~eFn&1O2)oOsS*Xh}g~+y#g>*D0Jj=W* zRTN^rZ44t$#C{`P^mmU=F1FMd*L-~#NxVO7`9bq|FnD;KQkT2b(p)#K-O-6LV7;R) zbxviBAudz#mZ+oEUu^#!Q-~9;#0nan$R=bm)?ADt2EkGeROgFZI{Q?6YR?PASu#!3 zUF|5RuU`%{$5FA$GyO3`1FVHkPQt%R_spX%cBj0%cX2bAe(qR%oV^?a${QVJMLS#( zM?1$#PGxx!^cenOI~EvLqyl?&?A$T{+yg*PuMU^kyh&)LH)(lGCxVxcsdaA{MI!V|F$Jsr zV$^!^_$X6uksrLZiDUBc-0Zw*0;$^elPO! zV3_@eu{#D5 zXGOlM^Z2@aW{_)R-351@TPUUx<3VDSY}pH};X656I%0drOk(v==Gt_@6khK_n z-ov&MRE=lsbC^pUPrbNE%MDLe*kn&SXpX~RbZi%9iG|qV0cI2N5I#`q>aRY46fzkFg{n^j-~^-=<2H?AvSk>=USE}xSiv8r z8Gpa!2d%HY@ku78eHx>69F27>Nw$LFA2vj4{gAlg6OqGH(JgYXI&V zNkIQz0PMF}EYfqppjM1rxrQ=|TvVZiY*Et?83OHV)_jn6{%d1=>uA1&NG8PUEC zm-I=iEf3zs_5Ei+;r8BYikmTd%xVWiUK_G6sV zISN|zARI^YiFS&Jxyh@ltfa5jghy$4=w0*Ye65$yGYm`i=TmRC$wiiG?gd69!>umI z(n|2O4^1#QndAk@upK9gHpJ23e3u^hd6F~@E;_;n3{ze$zK)pm{t`CtO~XWSv1fO= zRiT3UN+xF}rQhv<2eXypR$lGC70Y3;lA8K%d0Cmq!WgP_#1@#YjQK0iw2CS{V8mEu zf4qppY1}2}!!S@8OV^B__i1nTTGr`EEd%3#EBEA0@|6nt&s9}ta;a-3VCpiUzyWn2 zXBfP!g^WlS)!d&kZFzMSj_k|AyKH`zt+B~dhEdBzyz{*tv1x;_N=`}c+}YbQ;zLYZ zGU){rX?F~RdCS>En^}(TlGJz0i)b+uyd&5MIVwLeb~)O; zaMf_pnnk!e@95-Rk5of@dop3bWWJcpuDmgq?||wsltkL8vQS%kF?IPhy6ca^X`4B* zW&lPof0sU#`DieBd3P+aFbn|0mgl@)k0}KKOYw_g^s-HzFic(Eh{K+|9jB**Y0LU_ z@K_31hn<_s`mwV#jrH zzqkoIHaiSlCeqFLK3{Zdp)ib52A9btMbt@M=&Du3I9g0fPs+-$=*Ek&$}2V>MqSp5u}T?{ z)By?irm1SfW^}S+n66y%-HWwzVX!itMc;pr&c%e~%_JbweKe(vgp7mdqfQ=>Vb)Um zb;D`A@K~5knT{1(vm6tb!KO&%yb~u66I2>Fnop|ZB_`y`U`ExL!ZbsjvzoEqx71NL zg<;Kp`qBHXH?eC@F_!6YA2EgL$YEgwb0%iDO~sJ*@t@FGWf;WNc>40yo0V-9Pll(xABjAl~%vW+Lr=wQ>I43n5&^9MWij3La4^nmwJ=bT~qGF(REk+!KifXnEL1@n-N zwGTtnx=laoX-B4YzJoqSE2koV$@gV<1w$V*mPhvExXg8q#;)tYt2@GJAI4SYEBj>r zBEIja^6F#8l0B-*nuC>rjxS#>xi%hakV`jKGyFcLEEzS)62;z|UwUJoNEJd zSsraMt2E0``<6D!A!}SWa~u@^PubNqw~Z^=zrv?frf#g7np?Ydx8{kYXo;~TDk3c> zd7~x7;+iHjq-a}t--rD@`xEAmZ8xY70OY~UeMnW3VpAlD2D%&P^r3*r)N~9m@$v)# zJab|$^*YTK%g%K@#-7+2#|2mD9@~T3?oaM*eiGcVV8;!L4px8>VCJPGC<-v$(rM+8 zK$qD`YT8Tcr@ShfE{y5KoApnFI~-GXMq8Ekdzf2!kuSK*yB^zi!lgIf3NXLYA-WJ? zmL>UeZC>i2U)6RefZ-p*Z3t*)zf%zSv^yxo>_sB-Hs@-A37S%Pu(_3O|_Bdl??b7(eocw=N2&NB&|E1YM zhZHx5TF`g+obPjcp9>tKkXOY#?Q+MV#ZJ^Zr!{bJBfFEQ9)`aQ~EKz9K4 z9bjhUZL$jWRz_DFOoq&sOnw`*`M0}a1(^D{_Xc$X9=c0A_zu+`H!n)adX~TzWa%0;@JD@vZ%Z;jkT+xqb-x! zw@I@2!=%Zr|dpf}>`0J9b;-@l2pQv&Oo z;)s&Ah~rfm$9hhT#)+~?nm^Mk-C=g4cr#!Ix74>KKAU&oozj{4)>{UV+Ei(dw^(EyVm zm$iIXBE#Cn7)}$LOD5)|do8`d z9LTV(&z+p~+vCu(mSpmJIZ)lNllp3!CAjP^fO?{>B*3NU4IB_Bmi zsalupmsSBcz?{j44-f8xj=&)W>8l29Ll265w|G*os$Gj=HMQ7Sl+~e0f$5U@D~paW zMESeO87-w*VIj>ZkbR z-KO`E_i^#PxYgEs%&A-pMeKld%)p`W2v2SThs2{JI>Ovarxixqv^802UTRJt%&5%7 zu00e6Qdzgd5*^VzUW{Y^(lLLzir0P?^*Xu*m|W?H+<|QDCUON1!AHbE2r#G8-^-Gc z-81ISftd&}hq8~)2ry^T|Jl}p!;GPK!?GRpP$ic(?DLZVb0&l3tasQHV3MR?Qe-xm z{$Y~j!e7UfiWs#)%!)jpKc71sSwyY?(<47mGbLv!TxU7~=0^^-c?}$-$R^J>v}k&CBRBu9XH=j`Y~rR6;-tp1p}b0Y^Z-+7ho2pv0|9B5_2f$a$6~B z*8cNCe~bR${_&L<_BqUvRK#V~TEmnUeiK`ofO;H;X_M*O@m=pPq>l`Ay_uBHUoR+# zPEJ5;*A!rGhRqYmF0VY7M ziv31zdy506I>M3{COV={7y+g{-um%6nnmBbeuK+om1$O35)L2L2M%WAj$Dx}<%{5m z%KS`tBcoMmY4KJjHqVMlY1W1?qcNK=%+*CF zL2YD*fYowS%xjz_tMTwm#JooS%NHHBY|k#tbUg8OZ1QpMYhs$?ZBZ%F9pf`%Vq?0Y zpVKQSr;*ZZF8BwiI>7A4X#U;j?m4Z(aWZkt`Y_Nrf17I=sF}n%BpRd8TbB8OiC9f<5B*7QKOb&BE?>Epev#c8GRDBs^e*~#<hA?6PHMg1zb125;OtBATj+CP9p%%a|U zMkHfIKbSnox`EzQ@XTu*;gdtOadsa)_}{b^@w7t!ZXCX0HetjE$4{rGux9KvQ1HTZ zLx@|zJj2y(c5anq>QbMv4hnSQwwkBp?4>%r{3>noG`uf6%wF%A|KnE-p*;!f6cCER)^NCzy{J~fh&~UWFV?&O zrCRr8Wei7blC1oB;@xfRc$V63Yd@HbRPGuFw%BtjNziDkYcUTY4U_w z=`C)2AAG!e5t_I*^dnE%h<(2t#5aPg-MV;^wa%N-f$&Z9ESEKGQ--? zZAH1(<-tFw7(-S@Uj=msoMs2Up?%|!j#D?nSV2m&W%bte%GF$iH)pNy)OhIU;VssmB;L00xFu2U&B<}R2m0iq zHtlhquvkQ)7E6D*kF3~@tf8;w>a0OjUU`Pw_clp~j!8U^mX|(irV&1T_2-fQ$!qqq z9C?jb8x^T7}*q5TUMISbRo;S{qYAyEk zUgh>Cgn_@&EL-{Gs5iGT+LvQ1CQveW*EGSWx2oxl@2sJc-|6ZR$bt`ul%}{O;fP=tdYDAWt14%OU{{`G?{ycZ)}Je zGJ+qK&;}pFK}IY2xc^e>HqCHb%N_G&b>^w{_|S1hQRmO?31>!O_onCc82CFc z4o&-5G`qqe`*9b$HGNMz2f$e1q<%E}(ez#bLxVF>7U^4Ypv++4yo61me}DPHVrRuu zhm6&atk?{5wsn??5-;_lMYNhEX|!6$p&5E%81P&i>SG5DH1PcPWWkW&p%eo{foJ#g zcsXO0?>>--4RNuFCf6N3r(>bUc;ILiMb`!NkJfrx=+tt5C@6wX`+JH*L1nRwzxrk{ zfDymTgd=T_|9w6_H!Y!)KFjK-*dO+Mp3{FkTqS3`F9Z2b0uMv65eEKp)}=Oe)r!|N zf*u;t{1V$6&h9DZF^#ZDN=Y-D=JhTw8CKsm#WO7r&*}pXyf6j@M+=q9m{((=zH48+ z>{JjbFaEV>`P*wVq(%En&KFibdl;hwimU7FWp3}cvj zcYZKSX8xQ!CuYx?MJr08{Kd#)FmD{v_L*95fooCROeH^DVvb0cgEsGhdoiThz{G?O z-1W{E+Y@F@#mLs^X7P12Y#b-fET z43wcA^kaB2UFk(HKMQGAVlck=%$JWf+yG75Pn22FS1Y?>BBfQEVnBjd-5R%`?!5g6 zm$`3FcVRxo51QcgZX4AJS_6uF@))stZ4K?oAKp~bw#?^==5ONMcvnb;vIMwpHij$3 zfn2RW@i3y9`zSSsoiH(EY=RpHb{!4-KLVEp+T@E>x0>{KY7A%o>pCLFHIHTWm^a|jLDq6_n${3!>B6)A0AOmYk}xYSX9@gWWusM-S)Ezb zkCf;%daG)6SGZ_=36oW%hINyhYbAz8??i5{4HyzVsYTwYPFiDzi&r#p=aSw~LHAD! z(oj%=(a}@IPA~Jv-aK*Opec@AB>nG!QP2;v@-L8r{u1ZFKu;+C6LP;hHeEE(ZTsHG z`@3HTmtG8p9>))n85v?E^tq)|thDL675Z}gV6Utg6rDT@_S_e(!NtJhg2BoFplUgpm0RU9$;IjcprUCQEGR5uNw zXVRut3I^4zKIAX^-_1-Kqo7lv8rod~i*#f@DMmv7^QjgL(cYV5;gEBwE7>;JX0o&| z7wT-hUpK@cX`g~m)j;cP+?(7OEKSc_9(~mT)wIBI_9|NY;UGen?JyxP=go-GO#|J(e>oe$sNUtr@FTeBTvbCe^?Ciz|jre~a&i zQHE@V^WjlE3P%xT3cc*ZftOZ5hPt<3VUYCQKkjJPZkq0teIS9wKdg3hgx33*4p8-IGMbHyVt#7z7ug=VreY#e zc)C#_FVn~Y<5Y!{7op0VCYlYyt5Zf96|eomF$P&jud?E_-zsuoY_-3xT5btiFgVGy zaWtM6b)9z&)`sT?-UwBkS#gqB*b*_y5<4N~=x^KuzyL>>))+|r`DQ!{leu{{bjFoz zN^V`ZkvCdLnSN&zz6mZj-6dnKL3=)GtcS%shIFpK<-i(@fz)9VuXuu84iqCWWO}HgjWN<=Q9T!w>pv;*m`V*k4UZazM`zwV z4p+%g0T?5shr>pUkA8070GJlTq60;yrRXYus$_E*u1sKP^tUM8=k{5Y?XC_L7VbAw zivg%PnPHgpIToDBrzcSlJu!w$yH5%*SejQBtpR}bQ7|;RsMG|Gm%>2g{5cmyE^a z0F&OF-rp>0;N~$D*{xL-+!Q&|rx5O35#O);0q`Ma)~5?^9H+~f|IJV_2(V7fxf9o_ zH5j!F(>kv}+HEj6BbqNMkG!Q} zmW4~bkLfS;ifj7&V{7(DdSWOmQ3^|T3& zC1lcM5~UgU;?q7VmXEn-EXmDR&rf6DTl!&q%et|~tiuX2%e=~)3$f_*W}d$eudS1M z69Y@kxJb-cTgGVx{q#QGhRrzmTDT{^Ps#G(qlPa?P}yl;%ky!3!y)rg8tl_exC{8^8RqsKE zmW!ff4IRQ`#g?w+j!w$KIxVi2F<6^rJYO2GWabB0oP|E8C6_SJzXNNt(2H#t7inQ< zhEzTStk~k9=3>>Bpp;D`Ssu2hV>}QpV*wXhbXsw3>CvBaSjA;*H1dIae1W7alM?d^Zda8@JcD17^@PVZf*7|hSd@gioz!ddUUf2o=A?BtoXlbv` zC*QUe&I3<4kwx2K?8^(6St%lWr$tP=6^=UJ$j#gL-VzyNZfdmI$$$Rmuf3PVhn0S0 zwh6FS@({C8FDEH}6ghW;5OY&g+JX*#b?9~73Nb@9^A~aE52jQh=A%w-ASFG-I3x75CCY{ig_vg=&Vt^- zVu-1wi+0oGKP+|D5YtM1+9VWU>u}ccwN8mbOfF?osr^F^^@{pMHhI6gV4m%Vm`ysR zfuH8Z^)S$oIMQzcUG(qY0vAikjp((ld{VQ-KD*!LMNhuUoJyEzs$g*E*{f5)d)Y&X zd8bkJS~U4aZ@b=uHiejM>X)?Wya;X<(hmwS(KJ0)`Mwd_rMN3iDc-v-|2A$X#B|c> za^a=4=$5qi(-3RhF(#BQe{k|rTf>i;q;tuV=w}-9$NM|al1mCPdz8Dul*0SE?1K#S z&xVPlOtw)+zXK5mW|5|?adr@5-stq6``JxnKcR$y(uRf7QyEms4l#`sr}ZJ`k`{~T zp~& z_N9KXicBTG}2{W(}WXc|6yIayMNhtGsJw- zt}$5@}q+IB+mMrb2b-vdh8+zfF?0&9Y2OaQ&nwrY8JaWN6)41pr5<^TL zeJIA_w&;y3bj9zoJmeMj4@?yG*K_-WLoZbQS^w30D(HJGu_+H6;%NuYnjt=y*q5wN zxV);85BeA8fM);C*|{Y*j$~(eD|l*GhfC^-89QQLL1aooiMJvku~csGp#?}v<1zDUx%g|rau#7{aI*sQ06tk{O5g|nM29A`aHFeV9?W89ad%Q zd}#M--V)4s-W1zy=dPUnB*)XiyyrP8ajS|aufGp}K$s&TxMjE$HNn7V$mPelXK)lQ z0Fw8!X_V&dTD<&DGF%J2Rp1!G$Y-)?A0Hid%ikKE{RTszOxo`hP(zOxF50ms_lP&n zWTOIN!MS-@SG7~`mtYKZS(Mbvi7z$(D`NCB$>!#x%sel&YvOhxfSxQ)v9?V*@8{w9Qojlon=i|DA0`2Na z^p|7y?w*dp&SZ8Ue~V7yJZuD9kAL~oU;p&)>_WKcZXaehi!{&fc#8a(w;BupVsdk; z-yTW55WW{&3%h$N+=dPb1~sSVVNjh9eXp1ez!i8qb54=Vz}_|+2bbDJ9n32KB}xkY z(WQttDM~Ow8P~@BRRbYM3{jf>@=cYYzyYQyGyP1#M|VD9l#=k$rCHU@n^gjVEm*am&DHE6tiFTtoJHK1;&IQ*(8&0b#c476=u!GpvYlAP=MiNx`bmPMC4 z?(jPI2ja!1n!PchIAG>m!Oi@ZY zt*e?@X#rx=7&pa-Ag8~tVovgolC-sdIqq;zwGVdgx_RvcvyfL6q3ppHpb2ImlcKIw zV~oY&9%~8aAtzs4+S7gNaCwT_U8+p$@YN<{iHuo+~g0t~=v{ z|Jziu_y)!s-5A{0R@M8T{ZJgn8{?wR$$UJgMf-CQV~%mVE;^dVEHK9MCYW&?=`ATb z^%Bq+ahzy!Gcw!pEtE&W%;VRx_#1BJkznv~*>0@I;Wb}BQxLt#ItC$^MY5^tw*Reh zhHy(f4G;gZVVHajh14(s85{){+-ROh*_=6Nq!>dX%PTF`C{;yy^lUhjS00 zTWx}&$G;?0k-;Y|1_h0gK)K(3fdvKx7kc+-e7v>aOPNH>*1tXerlN(MWcfnIEQ^Sd z!DINY3+0{U%r2NyG2C-I!A#+;A}g8QA*kk%VA3!%2hQ_G716b-ej4lU*m}f#8FokB zGtWutVD#|H2C{fv`@DVJ9y@&6;E!)IU>I?hxxD?j6f=g#xn6B`RSwY335E=*bb+$YR3hXAUNC5QYmyKGE#*i<3}kY`jQEqb3Q!iu*l*hxC3u zh0p{eixgqmxrtpi3=0cvb#{opWXvSOtm0(k%7_jw6ih6p)2ZYS4xhFaDV@&E*?LyL zqgv>i88{eMOxoS9@RV~COe!AJy?&cJzLYS!$fSeg{Z^HGPxvyy{2~mvV05uFMr~{L zPqA5$m%sMCSWGU;>3wP}j;WkTv-X)JP=Yzd?8fXB!$&6O6z6rZQ}1r`0_SYQXri$2 z#qbAWDlxm8SKmB?C-OHI3?t^c-1?2m{o@$pi1I#*MvGZ2tZJhCdY8`W0kffS?M-~e zi6PuP!4%@sn0$}Ka)u^v06PqL+?X=7hR4w;WY=S59aXEfU-{@gT%2+YeMMYxvo%Ni zrNc4>FhlI1V9GFS%~Lk^g42HBqnR;ZkeE0;$_J}$sL}-kh&Iw@$!F)O;C8_3)tsNh z)m#D-h@-mr!CnD(o&{zQr}}l@mb%v?RbUD+IT-KUMu<;&KIUbx8w6ksTLSE8r(d#x zxQ9vcT6~yqpZ#%xMtl{uW<8hJ_1i!QOex+>0Te0jcm}pamZD@ZYU_r zhW&%{lWbTPl@}OTw83_6b~+02{qeci*-b7;Ll!1^GR@6lXx@auJJs zHkDC2y_zj1wtB-!8GETYfeFX+ViMK%bz{5&55)C;F-DHB7VI*(c2B|$*~@SeM_}Bs zoAMtSb=T+?7<-KCm0BNE>8Bt1pAA>)%q&!EmpKlMz^o%}O10n*$jG3Hfcl=5W@~@1Ar6M~g$zs>s za%Ha#lZ?NI5)qhUG!Ej6l__j&QVx`u3(PQ1?B=BtRr+N7%YKkhV0v+W zFs_szxf2*%T(ql~w&{n?1m+fx?Xi!Qy@T%rLyQmK7=G*QW*A<)Nw06_3m*(z{31@e zB>XP8EW9e8Uu^w9&*M5#^-rhR`>(x1Vu2yYiFtL#19<^!5HpY219?8)vA_nx#d}Y( z__Sj2{*G}+H%)jhzl>&ARMect{o@ z0;7?W+3Y4h(a1dlSztVJw~5rMYOS)W>rP=f5(l^i<{~F;vjTN{0+W&Pk79i&(J&k- zif`ki5f)`hDo^T=?n4RaY(w3KLk>k7^Gp@dYL! zGhH@SeeAvVV)kdf);m@DCN4%JnN@t=+}-Uc&_&bCoUXO}wivn#+#8ViJ+?~;VD zyg^u>%BeeLBk+P;t5@rNF7&E;E(`lRZ;bJz>VyAkaMgJ-In^?_O9Pj>4wTCX3`u4r z)Rm{-cwkvz26ChxSH^}j(_~p}SJiuGOGXwyJ^DB2h#b2gT$4gS{iH10F#U*>Dsc!6l@eus(kgn8a@|EOzzm<&O8jahZ?&9T#V>Jule!r7SliL7FsIn1|30w3)oenk(1|45 zhYTV<3OBAbHedFtwQ&h!1_KKWMuvs)1m+<}>6c++03(oTIp3%TuqpxrkCVb|-W|{7 z)V&CdKAPRJ*U0w65O$F@ftg4f-+EKD%UbOf0A~vfN!}ccC#s5`jGDlhWIT~FsmT@{hn}L1k6f7o*xd4zs56i&Ng-J6kal8E+|eIa~uOFb|2dDgq;s z$yU|HeB=2@y|^$&CCy5FD%Q%zW*uPwe&hx4NNiM9=3F1c8}z?@`WScSzX*%YO^ICU1cOH2nvhy~^+?XqlE z>Qz%+02_fF&4b=(3Vr*ZfrCQXH7}wR7@SPYAG&<5B2Lit^T+H?;Z}8%_?tUNF+I5~ z*4n}a)H&2VR-zrM+Fv4=olIBy+gKgH4bo9}@HuWOVTQa?lFGdf!98jC%Hwddg z4l6PW3{IMJuCDwNALoT&Uh>pw;igrawu@oI03{|QukYgNbtk(Q=W-c8gayk)0GgcA z?rZyV@(l^|l5%HzYYwk*%t_MJe^b3#f%!<1qB4$bP2NwUx7)56Xg>vtsmaXj4{wU4 z&Og~5!;=*gn4Y{Zo^5+iQko*Woy>MN4qLNZt?IXe+oKquyjSgZZ|jAJpC}fLG+!;R z^}D+{V`4H04+)G+j#ZS@RpUZ(?(7Pv&9yI@6r)$2)BMpi#x)Q^Af>K#<@1jMGn8}V z2T-_qAb=8pCMU@(y4qH6z1lW`iAft}DSm42c*NAC?Z|YIl<@_?Q)#~S=Y*q(qF!_c3R!mji7-J`TXnA(r z)jvQr`~q{9Ap;fzmcda0O}fWo*07n60n4+#+p(>+n^5!S7G^G&qd_ebfr-nm81SfB z-mm8t7{JW5+8tw_WbbGeRm9X~u3prJ`mF~uuo%4TG&tA}aroR9^c0xF6tz0oaD+ob z3JhUpZ$;C5ZLQ4PN|)xeW8AU8=;d|staeN{+1bS~c$pPtWz8tgJlIMrlHofQD@D{L zybGgIqWyR+yFWH;ZwQ>rGf98;^}N|Fa6uo+Ltr%Xs-;S=h}N_1w)=bimjJd|>tC&YzqDmR)qVp%6E}_3 z&7NWzNN`DDhBG(Mv@W)IWWYDwSNqDp94_RgIm4P)JH7i^cnodgf(T4)9s{JOt<~Lm zoNWM;oB^~_V3zZq>TGvR*rfdXUc;99VivG_Y*u`*dEz;ZBBFgVQ%M^2)aXL$xs(J4PVSMxCb(`(!y)CJ% zbyJYVs@p!xQhGL7fXKuv4AYpQK{%6%2VpidH0Teo)dItrp+SEDs}`8W3=M)SGc*V; zztEt7)A?L&i~WXOi+iqGaZVzk2G1Z2UjE+x2Lj`llj6k&vR}HMcq(dMtLk!8eDCjXaa@-Cxe+FhTk@$fK5SefYE@r31Ls|KB z1se(%srj_Fa6&?u!|ci#jh{hA%1%A&exM6;nIW$jlw^~zoICeU)ycqoaRRbaz#9iFP& z=D=Sh&X-V0kumxGO*7C*Qhv)jUGOt#eC&~8Hef+{m$5Ye|L^}bvudpTo;ZE7NGB6d z^hyN!Nfv8s^$v?43e0UJbKOo1Y5uN4c}#0AE~6}uZ^q{5Z`5}Gtn0u3&)(}mB{00X)Q_)q zby89OM+8ZL<2*bT)w$N{O4X4xC&)l$Ifgo~S~`ECaXb~N-HUZ?-2(Zywm1usc#j3w z)5<&<%e%~J!PNgfxEp%LI(!R^cm}p840g`dcIR!!0jl#TGnE+QyJP>)_#=N75(A!8 zbiOxc1#O7MzBRL>dWvk%->$v*P<5=t6D?E(KyVi+{5+Gq2fZnd$m zUd+GEUk~Q*J>x=R9CTbHo#15uV?)v3rjrglstycH3yFcyZw*ysIZ2aWj+z-)p5NtFoXgvjk{KI<14W0&j(zMcc8LK` zBmgBb+?j23{Z>_LC#FfdRi&=|vqfU&lN<|G`p*%r)k*vG; zv~yIOT@e@*5(Aw#ckxoDgFq-7j@8!3a(w3}&fKwZUCLFpWw5QpNN2#hl$h=ejtWGN zXns-0lEJKt#Ng(wKG>_@*~K`~l23UfB8h3uu81%uYM5GeG&O&(IOt;xFLqr(!LlJi za4T+_tKv<0eXk@YGtUHSSMm-UvPukSX3H!h^^uzD69z3HiE&Lj_Ra1=e+spye0lGK zag#gaA02GUbzD3d4@5ob{ecbqrxPU-W18uS^!C0T1~k7G&3af}Oa^*SF79WulWg@z z<8D65Ft5q7vC@n?)j1udLA}L;Va^ZFo*u1tplrDffpJdSOKwlS8QB1=Y-#4<*1>{_^_zUz`Z+Y*D5>GWPsDH}4>1wvwOGN})*`)c9^^JSndB+gk$3`(Z+T(ax1 z+Ur?HrW2KmK18W}qQU>{prqZ3Du()PCk72oj7b{nmzw0cpoKU14=A9^Kf+2%%u0?A z<@00p9(7e14BD0fQgS@c%s=T=o+ zGANfVF(HXF91;VP^ZYWpQFZb3WZuWYxJ7OG{QOZjQaes!sC8sl5zVgsBMMqFKt+Z| z;j{+Xy7@*c+8MbkgK@~;n~sr~k6dq_(S0pYm5-H-_StP~%MOr@Vve0dP5s{cg z_p3Lgm*a%VBxWW1xd-NnX`djl6cp_jHEFT zj?j-S((DbyC9b0*kh_&HRaxyADk?D!d1H*~VTl2k$wvk|y20Z3s= z3^(E-SYStHvoQrzx+HhA+7N&KthX&~mi~hX_68aLWVo=byo>r!8g?fuCLK?Zq<4KF zh|*OYk*WJ0E`OAPzK`8OIls@Z+2wFW&0f{t+J0(RVx%$6JEa+l*Vb$RcHT}>6IVsu z?4wD)_o(ZnVX|?eo=bJnf%#afPzK1xjWzQ6@ga;gPSToCr>@^&^>o~`I6f>f-8fH} zt&eHOpL-pxhW711=STIdcNV=p^Etd}qQu#9pR;paZW~wf_^a?!&P<)ylatx4+OH4=NQ`(Mb!R^sXJQs_%I^))zh!G;qR}gb11Q(gHFvlw zuDk1vxf(I=Uo}6tO;Ud~;(*CdBwrl$b}?4tYDz;T{3I7KiCcZ^BnA@0rfakl zH`G>KVmgtQqV9`mb14I{7mO$t(IgSvwbr;8m$=l=FWgOXW8NLEKdbdvu0uak$Y>eo z6($uY9D|Mz^*DpIeG&tUH*BTSm)arLfjtKEi&K$AaY?Ii)NZTQ%OBRt#n>Wk#aEJy zfU37}peCwD-y>VcMh6FpDaE{AR-27C=7J%pv-OaFdK| zl$F_{=-r!_P~wT4w{5ps1;5Z@<`!7jt%nmNnNQn|osFoNYlsxFWcqVn;*x4NC zw_yiROoD0s;zWu(2;t~3L1;h^Fg++X?VGE;7#=Kmdse#Z6`VjKF+@0R9@bn5zT?Ef zX{4#?S7VlN6fa~PO{UhXu+2FP5#DmWLO2b?qRfu{<9p1h#5AGLW5r0JR|=}#w5oPS zivdSnF-)kFb<1^w2aHL~75>iFpIqeGT-w2Z3>FS188BKnYyW84-sL#uUT>P#?oTW+ zOqevQ73tVvA`=>b-| zo7(_J0|$~#m0l* zaN3l6CK^f%2F|BZ9L)=>HPd2d-v%ZGIc;dep%RmUv-<7%&}66W>?WlWlYx2l78IHn z(2ZLhO*TFOkHl&Bw$%O~gOwnd863Cwn|e4wjhR96`rGZ*xv`3|>^#We=1`LSF339G z=*$`n&k)C}VvVWk761#d+$%bcJC<^)G~V;%4jX@3xl#3W$C zKc+LB>E@5ad3Q*B1hZzhH^QM93S4wg^`6Wu!$QJ1;7`SOF&g-D;!ruucei$KfKxYL z>Hl8`J_SR)v}s+K57kxXTsHY9%;0cmJ&BpYb9PCrzVkO7drIk|`zxbjz*>(OCX~;{ z7)fhS!~9_KW?A=`4=naA9b-Ht#Cpu;#^RamsGE`p#gAs+8+R=+B3M?N$18C)UmvIX z8Z!9MWOa$HX-2=y7HKgR>90faV2lsaOW~x@f86H}wN;k!r7@1R-f-Zw+8$$7+riWD}?a5#^WN_6>*FJqTE`<6v&@E!z?4CE( zTi>0>B;Zsh*^Vb<@AUawGaDtQ0KHOB(c}}oB=*dln}Z5BuXdaxogJRe#U2Cp#FhogteGqcengmdoAYrWBpOlG*r>ZOas41Ft%=S}!@TiYu`VH~e1MQ^^1DTqt28BFf9VzO>?1I2;PrV6up;%g~C zAH6%{dh88GMVMKRhr$rvC$^QA#+85B`%{>_Q}v1qzBpq`Z;)-{s(UjVG#L2~`qy@Q zJX+}=@7vD!2B>kmCTP<#s{03DGc-#*Y5&xT{wvWg;~C|el@h(L+^28Zw~fa2b03kp0A6! z!uVb^{&J~-bbbWX%xU%bva7b&$+w5=uzi1Rtq+XyjbwV2M@D2p*dCO^bl;pTk!Jhd zTEZCU%iFhVb7-V^Y{6;&FpRKgqo|lhX2GtL$5t5Qnnn?ZGjF~4X_J_YUUTkcg<@xa_b zY=@gmnEkZ$!!+LI7~x_?)|}Y?eEZ- z?>ipFSGtcfspXL??JXfZC8}c(bW@uh>^NfBGv+W0II6qHL&AT^V#P#Y*;S-1&t`y8 zVIWZBljLhW8yDktF*qTtFdgW^oC*VhF$aOBKl;6N-7mvU)}s7>K76z{O-u$dsQaTa zrXC$4kWQhd!pI<3_3wE2_B-?Y@a*BNi1-vUuJ!PKx?RX}$>kfn;EjCT*M@e=E?Cup zs=KaTR$WJCF)6csB4P~iXCWblp+HoKt}qgaMW6zHX3x;x4>1Us&(9<8>g$>LD{v>n zo5cBe5Bc|8SEPx{uKMOor&Ad5L*rN#2KgkzLc2X}n!&SC!KE5fdz!b1Gw=FjG^t>P!9M6SVXQ9+i^JaTK4%=mZ2#T7x>w_rL$zI3`#rawy0Q0R zOz?@#J%<9Tb9m2IHVpA`Jsh{6({=xbfTt0@&SzMSvhAD1_0{#mw(iYARhZeM-6bJk zi|+AzW%O@LAUK#1d39pfJF9 z>CSO#1sj~kxeOeI80kBW)Kyt7$qOzG8O+tLb(qYU1L`&?QkdkE$@Gx#ZtADYP(=5E z;R$PW-rw`?$AcAUCp2U{?9uY^N3&m_`x{%S0);LZL0x< z%DhW#GH$pAaOFI4%<}1cNl~0&QDK{Z)XaH0YLWi>b=^$y!z^# z6=whbBHE=qgAYAUu4mezPYP=4&A?QPfiN1z0*{RtdGc+gJ06+Z)Yp5A2aei(^XODU znp-xe1Yak(bCtq;;Ai@^0NF|NnuG);FfNeAnE6-EW8GK+(;o`UH9BHxVQby~mn8qX-q3f?xf>*|?%<_+P%%hP?mT9ILT9zSlM zWf&2}sFT8w;Cx-(bH2?@xhqTw#xKk2T+tZZe>Y@sH~ZzX-q>>{9kUkmf?>6};)t~M zdf)Ypg82Qz5EF(!LD4ABq{9(MAXX1n5~gvR;V94K!GE*(>t3LIBD8+}0Nyrat%h6J5r&|gl4mcRBl5ey9$ zQ<;9H|AR@EPChYd>P)LO zM_qYF7m|DX#7&KdN;DN_1!-UWu{EM$u8Lt+aJ1nL8FYN@*Ma!PEhq-q6y+I7NY;Op zxsL_Yfo1blM{}1~RURmihfV3@#*y$O)VKR}-8@~Ea^O_f8J_~xv(NS@%n0fwN!CHv z@ARWE9~k|X9n^tr(k&MkIlmAm*4GV3#Q($}#hl=6!-X7fTS%)^4)cPS?xT7AM20}X zxG7l@y;tg~8r`@JyA?(TN9|kta!IR(sd+%&u`b;@^D!PMZzf{coWV@s?5$mL z8o#Z!a2 zKsDP98(Ie7tS~<~t+t!it_SKpevA@+YJUV}Pu$*uFj;s|zPIhMYTpp~8*|YVh75gG z1sE;#_e4<`E)1((!;vc;Uj?}Q(4An#eZDH&RrTiY5v(wW=riIlkm!}dJ$<9wp#oeC zBK{1TqcETNbK+2?KWit$a=kExm=uw@((Mxolxe=xgkGmBQY|vTKN9QK-IJ9wOYZ2xSJy}ak9eRW?VJKG* z^-aBLmz?6Z6DkF^$qfMrTlBVBnF$ydjUtZqKuz){UXD7&xTMt5y3NOnK;^TRw%^!<$HW)5(}X z9IWlY9O9ubYeH{r-}VMvDNG)6mjtdddI-k#w`0+If6leS2;!W_|L_AHo?E3bhL~25 z)xVpkiqBIAo_DNH3?*`F<$BBMjrUw=#5t*xw!RO>9mkRE$A2UPPYzAbA;&o58F8L% z+aH^ntFcerE6s2i1{q0@YuXfQZo%U~4H#$CP3eL|ae|%C!VqKLESJs8?w>`wb`v=m zW#nF85ADg7@Ol53ZNzoM~Zn+WbuOK zik=vb9mzb>1}~Sa=5sP1WxslcJ^(kEioVD=m}j?S+Bq^%vF}7ef1JsyX_m^nTNw{j z?2x>t_hK@SO|QTZf=WFhA6S;!5KR`0D-Ay>eBvt6yBH526eGI9cNeR7@Lus*E5ez` z$H9mn4M(`IdtZ&Q{%nzl@``_^T{lKT7~cp>F}X}9=n3LRZ(~8Hm4Jdcts?R`_$s5K zFs{b7Z&AcUvt5KKjVUTUak4O7@sA%cy!eUhLyk>rZO_xJ-l0#xFE@?UX1gMT#KGKO!<65kZbc3LW8i_$I%%d#z+?XompN^Y1h}Ytm#qyMvnh&md^}X9LoI?%HBDFxyG5$$=-RMjTd2QE-lXh z?(*|OY9GGmx|1BPdS#iz$$(cRrWX@A5v&kqB=Kw;&&xY^iDIHr#FLDUxhd^WMW)JI zL911w|OiG?d1B!{}m| zrS$w_-^0glX)=rN&ckY4G0cfX>4fXr%S9?ruj>L_8lQkCKk=fGlL`E8JRXB|hn6)x zoPzJ-w8DEIfCEO?H`l@VYm`dkYFwy3z7g~$#wVRMjEW$kua0HWTcNlbj}Cgh`F|PO zd@&DMis&vI)=SJljs-nhk-NhzNd&6$S6PalV!AuBN9nl~(v-l-l)F^S3u)=8yJRpIsf%qc`;yUZ(>^vZ7a5HbE5t_E zVk$BT&l{L=JvLeE>cPr;z8O+b18));=veZ}rnAQ=4=y%LOVWl#=ZE>Oq5hqg$0+)c zNVW?K_dP&myp4)+;x0&hWG?8vMf5W-W%zWtXWY|?`;pu4?AJXVS`F)B&wGZ^FW$Ft zFkmi{%a%j4#m66XI%2)mT@hk#z5aV@S8qCcEon&SgtOfuyc zk)mdLB`Z=bH`+dDdodN zmhHBIR)%N%VW!=N-VOSiPti+tHYiL>@}6cSZ+eFl#wL@Dsraly+nVPa(mEY>Z1J?s7>27tIFN-Jb0u?wG|TvnGvn>3^x=- zNsEh2?^$nAL4BKuBoX?AIX@U%*)bh?GV<71h=eo6n*?#qYt?o2eouR>`!GC%4tWdb zqk~Pu&|S-ziM*wABhwu(50w(O820)O7Nt*7F%GH6+VI|f+z#0da%6FMRHiZ~T}Xuf znT{Cdl9?B|w2q)lq0W(sc4xX)n0urv?NDUT(!tDQR*0Fgrkn#9qmHvf3oCM9vzQj; zG>gad`1%juQ&K1MNiJpT4iz$`q0VVd$m!JSeIZo4FCr{^SL5orIJ=!^WXcaeP|Pq+ z?{pQ4y?`;e7>!&-#7XM%fL6sxZpL=EutwRhY&U0CiIY7^Y z7SvJH^wThgn2{Mx{u9|dsS(k$-y^0GWwjr!j3FUB*N~6SLrT*?Lwdd?rW6yIu)M21 zm{B~ZPU2Whq`gHL@&Ii>lD{}``TIOx6vm<5`)W_J?+`Nd1?DiZ7>l`?85xLtVS;fY zV)5nfbklu7ocK$|gV|6FE|OPv!$Sd2p?jH5+|WHn7-blpaVoO{(}pB-)*^F;0!jJ?lWGgbV~${S zFU%a-VMTD`%>FKttpdaQHM_Fn# z4()H|7+Wl-GWdO*ox)m%2vkIw7os#CowGw?ijnr#MC7!fLQZ@1-Y;%09L>p9D2?$@ z#nFW}q%lL4XSeA;iXfxU5XRO{3p~Gx!hYfd6OUX|z0fJ5Q~r3^>A~P*CW2Uuc$sGT zKyObH#Q{z>I&*VzV+4}+J3asn&&v509Dk|0C$0s0Z`U7S#xYsMWpuFBPur^@h9fTX z$lNFl5nSl@|D>JEa@)v~hF=9MA9qAc-9&dxoS0pageY3P86YLgJBTca7=Zu}K**wB zW;Qd6+0PsJ#U`@=l2rx#)t8B|!(Jdk5~!@o+m~77@5!#!439*x!zae!NQ`IBW5dBR zifHNBkubyfa7*Vmxn*H=PArb~+?8YQVUeuM6IJ_G7vx!eB}g3Vrm`o@vP|QQ^mpVpOuk66mZOk~5XY{%4qhPXeu3Z09NJaBf6p*Ri0V*R8MY~*wnZ^jBy!!5nQY`<&zg2+!$jV%vb9DpQ~1_6BW~poKgPS`WWm)iV>(4 z#S9}k|0JMYiEYw5G3M!u&vbm&Q-Y?~<7>0LnB<|ZO+*-B#~P!FwDGFsTK`_V`VTYf zRz{mF}lGwsVeCMb$w z$C=-H=on6%(~ti+SM`0-l6*$4JLZxmb_+hQv^!vDF@8#=Y7o*nIGjYGa^8;@!ZL_3 ztk^H4{LYU2&z2{TS;bF+Trdvmk6RD9_7u$fKs5y{A&EF@xMw0#&RpA4{$)B22J@?x zww+^+QKV}!YtpMpwdSrNmq9g}Fm4XOHX#mOV4`tI25X(aUyAVqJw$6g;rLF|zoLDx zVzjY-O{a~cap(T=Xf-jSJGf%6kCNc6%NfMb;~%%DB56m7DH&T~ck}}TkNQA7 zvWZpYezy;YiO1<+=-magI$GVa`C!8FR@F%&`a`>e!{w}?dB@3kcsF102T#S| zmVT(WoX;nb5tYH%WB5!;t)+Wf*9s%|?4H^9{KWYmmbsj35^3FL3{$0or_DZj~_HzBp;ObPFruk*a8eNL3Q4d?$441IiBBm30Ew0FnZj2yrO53+Mx52bj z0b`4kakd1#ZAlE(+xIYSsFw28B*|XOqisGo#wl`Jk+=LEd>T$dM#2--Wm*+oi<{oa9XGx> z&BgMX65UqLvxl+5XfU46CqcIh(!*rorjX@EW>@muepHikH2crxldKy%S_+Gy!aJF) zxm)1Nw$&?@#GuCY(_{8(pLm!jobue{Vx8veS9>qPNMXN9>LCPuYm37iA-ApE9KZ1< z2MC~^W3*yj4}UdTaYjv(z!^onMPiz;A0N+@o3-FEOgNDHtxU8&vMH>Zx=<*6B6tL3G;&@CBuo{lXfi*hst6n*-x_jmbM-| z_VV%_{V|&n>4~47W1QmEQpP)DYO%4cVq%c%*!4~u=9hKMR}{m^_&(4s#jx(F`;gVS z$lK((CXWv{yoxb77)7UYKuxzWG)SB2{*YL#ru`7{2}j;glEqiFpK6!mggtDyN>aGP zTg*09p2l1eQOH=6!KW9Gts`fRPT!aM33@+UPZ0Bi$vc@kr~ZJJ(qNA8eA?fN>7sj_ zwAFuhXhY`f_Z4_9p7lsaRla178$JnD*NfzqbV_p??-*bHhVCE2In|l~H z6wzIvRnfBDu8HB(a4*-~7JDdF6s}*<`B8b#Iqh9Cq3v+3&6}{C6^tP+3N>W()&9MX zfy8fuf3S5u9^m#MJf8ir{4lmEZF(3#Ozve8TXw5s^kSjT`kK7e?+_GOViBlC z^WnV~L&H2FE!6W&0DGNc>Z!_965QhyQ(@B2dT1xe8Sje7=FuF{Td1Tg(N3ty1eA zh7M^rPM$dic|L4S7r^?dP`w_f@q0G|)5GlH18r~D-iWdP4;@WGNz~EH;!v?KM?Mdj zHcZkO{+*8k5w;#IMxf+>B$tqFOAh;g?Aou5m?Gv6Tf<`;z1zoOIJcG)CJYRo-O||>4+s_ z`0z3-rs-Cx{G5YQW7iZ4x+m1c@h)E58Ac2v2Gc=za1rx|V!!W7J-7xWp7SG(;lP7a zrg2t1$LmAYjNDa&FSXm@=1o#%UC_K+62(O?`Ti6Gdorc-XL{pPErx|z#6`25 zF1w>9g{KKW44cODt=$RJh_n-zl75WUQly8O#DLG`7ZpI^6<_I*NPBJp-3O}eavLXJ z7<1Ec)k$0T{V}9?AG6{ZsT#~B4&vQYk#LXi`=qSmi+^Dr7MN1(u*)!+ST{{et>NW{ zt&Z_Tv60+JUypHO8W9a@AQ^0uszNEPy-g1ThOPhrW(%ECP}hRH;L4g8sy#5w7^>rV zms|#I)5SP`@{}YU&Lt)bgK)Cg#-(h+T8>aCMh%tHt0I8CX4hcO@Rs(=^fX%hc} zp_-w*y$lCytqV*Us#fv5N1n{(*0zQ@Lq`D&rVCv{j!?>T5f^f!{DBvC9XDMA6zLWi zWy*^U+ayD6-Wgqwlj=r}$-4=e(( z;`8oAqUeN?CJ5E=CV7&@QyPDl<}1M@VVJ9dcvcU{9%c!7P_OFqE!q{=J#_Zsd?9KHd?$TUyC&w7!pBYTh!!+SI+i#O@J;X5K#f~1zdiJ^XZ83c>-{VrB zlBx+oEew-anR$0Ic}=>u8VnSE6%)}exa>I)LPv@Rql3+1vbbMrg-n9N>}&%a1BIgBrya)oMcHE2&b!akL;P~dxoY>oNr#DDZfTsR zF2XRJso@f?Rz*F`8PZcL={TUTtw#wkYWN!u;V`4mm@yngpBg8z^@X4+hE-YSRi!S3el#~%|{W@`)oSd|I`95dYCDseInh_ ziS;0hSKBMbIN=xHPUv8oaPozd2U(dH2W`YUNnqx|VbWuC&?$whI|J2_u)6@u!3tJ~ zd{;*hPdjXr-Z!@x3=Bp*DVz@vWw7hs+ht&Tmv&>4P-!-ulOe5(>*6}qg z8cYI`50n?Y)Mvpu@0S0$ek|Cr-Zvh z@o29Tykx#PTpzf);{<|^Xx2z6TsfsQPn+=nFfruV|8wj!z^&&ZY9b(2WN_xN3gV3xLO!kduVVu24 za2Q~+??F{KW?qnyv(J7}Q(0s$JPiA}YMe3Thi2cA49-7frOaDj44a(eP&L}@uAIj} zpZJ}W!V!qVRNr5l5KDK0I_8MoVAyXW2H|}Ch0!HOh1Jx}l_vPt$N!QL#)yv3MgHwb z?tjV{fHs`V$6#NphQ@bLd|du+%(m8~u+qJ+6S9eebD6l8c+u;R|27#9-+}L?GE<(A zXGKdjVW@_8s?ExscBw=2RL10Ngj);S$IPB;gRnW;bd`^3J@#9&-0K&4ym{h;nzkVs zPsLGeO=e6TwKU!yo^ZC~t{t~BP7m94T*&j`rwQXu+Zj7fKU?n{M>B1VcOZR(?jbZj=K4ZzZZP)Lzzpqr z%r!)-h>g|m*&4oUy5P7kR-y3j1Jwid+-jox3*#bANqeTY!Dup=<+~G8`jG~Wq<0bW zG11q~ulbnUYbHLQMht5r7$V9G`4V?54cuPT>hAAjNbjbQWIblmFr&1XwvU0mI!${D z^meEk#`Yw+t1qS<&>`=bG02fpJ4LAp;x_lo`K>n$W@;3ZSsvnJelOzYh0hu7218jL z%Jnwoecmw8eaAdO+D`7I+$#*cv;NG-RNpAiH{=tm6?Te^cRnkqj>~PF^2pT&B{Yu- z$0WhGIJV&_ALD%0+tmemz=TX5yXXI zh54A?n^l~Ny=42AKX4Q0I1W(-y#b!cf!ZdzsN$lx&(h2U>*o z55lnC4S8inSBC~4lX}r~`Jt<()5o-4Q;gL7V?s}wJgzVs_BHcs%+ztL$vN@_#T!?7 z*^eJ1dl6~i>*3Nd&3k&&#BdTl7%bC&_0It_}Jo> z^xCz!T$54LjH_&(<%#N1&*4?LM^bBbXMQHOC__aU*`EXTZ5AxK4)$^>M)fYq(o@xf-e|$ctX^02 z%6IU3X}o5C!MYx+(|1yO&MCoO4nF4e28^a{Dv$jywHX=-z}i^oa91$NH<3)&e&8E! zOg9trd%;`2R{10{+h6#=Y{P2$kAW&U6a%A&f4g+hcZ>#9rMCI=p)-8rW61Az&XYX3 znRrl-7l|gC7}Uj3JWl9eJviw*#skvA=57g&21Y){_#EkQAJco&@lp&r#**s7xLhm< z$N+0qqxqQ2>mR@8MQ)VKX>yp%Tjad!M#=j*7h&xdn9iG2ySQY+syi^|V?yuid@@m+ zF>S!z3kH*Tv?Jz)4ZCWB7+)vtNb_%=YB#Zu*P6%hw{SfFZ{c`8#__nbxyRE+7lG-O zU<_{=C&%1-tTr<1TAdicyRfA*`ORD8<$2=w#BahWdGz=Vkqy z=<%lKw3mH?W84pMo<4^8aM;;*0ex5qM_WK{)W=NUEk`fo(7hC#nSe+x{{ zp5{Yq7rPrLb@z?&G4{vTNBbf`mp5 z|I`UJ{fl5jxc>O8rl78Fxb@T7A~lQ(3={G*_!ev1DMklx;$4y+7phg8ega@}urJfs zB(rcqbE#lla9Jee7I?v9V9uKIF)TQvH6<8sVvo7i_}Ry(;CWek%RGB|=3t(73c1Z~ zj1bO}{k|T_o>uQ&3mnsgCl9KQA!riV0N&>>QhJm4silsXCw$1s(DI_`QhmGBcvw(} zAA`EnyJ=iwuJGhS{r2l!oTw%y=AqsIY3kXU?+e#)SL@fRY}eNK4#d#!8~csEf-z$_ zN6NI|?&tL!fZ>p|~mQkFobs4COuw{aexx!%(iAPU-xc4IN_srwMXG6Pz zvSF=YsRA+{w&m%2BrgDP7=lgol-b` z$X#T#LR%k$f8XiAU3b~x82-C^oDb@D(H)sPO#elrseX8HLkm@B#;KE1tE2TX3rHqc zu7X#co&zQVzf5^zuiUX4z)LUJlG~X7gAkjK>A&vAIX)%;Coxx4+8T|4Kk+7uI%w}Q zIxz!yPi9iN%RzYv#{U+NtJ&y^yL^mi!|T>Y>OuikHxrR;E`5nQj(-OisD@E;GpJ{- zeb>(_3(k+7put=ZFkrB-k2NwLZ;WQDnZ}|bAtmi z*ho1tGPZ)aE;7@1G3^#mL))zpd`uEzI>*Q8V51w&j;`jP9LPLS!IZ`n*KUJPK?cbT zOJusR_IJz_&MSIFIxFX6i105~nE4K*&=DTROyQ-kYE?YtrK+z*$uJBV-kv+8CC93X z30`+Z+%aRwQ-mV-fMFjKhtv4b>Ivjy!Z3=TCHWoq%7?cU5W|HIBHqVbVURv02c5Xo zz9EJRe-Cf$G=}jYFLR5gI{t|?_`SL^$jE&Mc$R^Cm)8eBt_#kc}46Yh|p^T<#btB)8x#k>Bd> zA3y$Awg1>~?PXjhsY#vrm@oV)C2boAoZiG}p+Z#5b%eP>H6|*Wb8~IWBEWcIqzd7U zcZs>eC>V``unuRfYrG_-qZTY#%p58}RB`F&1Kx@uVfb(&v%Da8vmaOV(fq0Q^TD-n z*<146>nHh+-ezO1UU!|D7(pbzVm{pMrK_!v9vtd79c z;bJ0Ys&}_BxW+tpF@LyFon#wrG%Oy>9E$Xb+t?huPmB(NWrLYR!6D_C1G}_|{P>?@ zo#fs|YRZ|HN+9SPl|c|Khn;xxlJW$<6niV-K1*etqQo_Yb0TbSO`TRJMrCE z8e1GA@Bxun{%m`rb{h1kfCO+rANm40B5->f}-P6CPm1`}9JG=X`{oc;&z?5OY zPUTrw$LA!EW7?Haq9<)pv%+o;oJEso@9&xN`Igdg>KUTO9+*kAd5D-vyqpG5*T>W8 zA{9Ly-6#tS^94hTH*|vYrV3pdKL}g!oGS7Sw+%yzvXrJ(3h#B@FpPMYJ&Ogtt$0`7 zk8Z{oOI#58OL__rJHTLKyja8z9gXfg$oChFCZ>M0dT=7~O=62v_Et+H!+kEINzx50 zpZ33~s$X-|h{05J>AqlC@gZKO$Go;Cg82o*iueAI`o_xlBV6Qh_S2|N#&DvH*LF<4J=kvI!hy(q=I$}szm zDzo)H29CKzF;Ck_$cQ+UvAF(67%$J)<<5K_SQv`dyd|$+$&|FyUJNLPrfoYTabEn|=|yC2U$vIR4ZuGk_tFJuXI`?a056@!hP zQhbawCQWg9F3JELUrznyqW>vkn9+|G{w)^m`+{-Cv+ntC#n;!;GIWm*^Nh(s zjA&}Eruq7QJ!bh!@e5wt6@ACi_@h+#eTH zjUy87*n=(J#W3S6OoM@l?!vTp7Q2{av_$SMh8nG-@NpyVPT*pw@n)5-WP{3ieAo6l zR(oqHpMZD3YRxtW_S<4E7h{fJS)n#TF^}h5%sBeX;c7X#L^NtZ<6_nkr{G)*-#Cl! z0>^YMf?OO-;JA%AuaOfN{pzd}NP+T}(Aj^0Ge3 z@tK2gSlLtF?qZ_xTUqADB+u`E<6 zB3ng~)%aRmz{>MIlU2JQ%yTi#IO6Z`^ouWLOuc@hi=jqYK)g|7OxY&KP(V~|N$tGS z^L#P?IM3Eu#d;PEOg;+d_1JMuEiThsO&1f8ViHpWrk7&{E8yx~3_(5|$d6Le;jV>w z9FWLjN1o5cjAIy+NdL5y{o9lQ&?s+KU&Az6b)>CaOgJXnvN`A{ksSp{7o(2;Y$SKl zSm{tLAe-O=`G(deK!k==d9qol3=6$RIsY|xq}(2Hei*(ROC2( z2p6Gm9ErLZiL@m9TuepwZi5(tw0VaX1kyGNGg(>j@|5$pj>4Ra8OSIg>E`;Xx+>NC z!RL)fA%3YPc24-M)EA6N$oQ)!$E;0T%tU@fL(j!9vI=lkc);67D_6u*5(wZA*1X&?Uk)Gm@)u2;gxlZk6FGq_OwsQ zeehY$!@HP`9FbM^|KRO`r~IW)Y|ViZfNN=Kh)T^| z3_{-VS~x_?mC)Q4RXJ*^pXb6|%IZ8GoasUtY%4kCJMz0O6t;Tu?OIqzp6|A0zJHfz zFBNyhK1GfKRsIQckivKJfTM-~l#j%H4vmbPiy_FcIG4!uoddfVfV@pd`V50s_fb&A z#pvV5KLUeQl(H$Cx=&ELi+8ygj$DpM?UZ%Idv<0A>O!uJgVx$DH*+xzN&iTKc|y#* zUO(ev3i8GYoKzk@o*IMH+PC41s8z4V#U$h{6{k2C?aoihRzv_>mVGuKCp1tZy7->T zDX0i~Z6r7_7`c!MuX3-y$<|QL{*be{O0R;>yTxWqMeH+GZOp~Eo$XQvwWE~J*cQP<1xhm+? ztbg~xl;lLjV|m*f+Ys1yF)aD8ZML$f%Aww}>ebd~*2TnRyUeNeEM|8t7qgQzjGYR| z%qI*@dC0RrHF;poY_*pNOUDfIsXuc2pvC^{^`qaWOr3G$uF+Z6I z>)$UY#+N`#{LXiee6!&un&M)7vNr_6u;h~0kqGMaw+yXt*i^Csd4G}^gn`1UERZ*9 z>5GU{<(O}@4T5$xP5V2extMDVYf^g0SwIXnPUhqQOEG;lX2i^*Fw~M7u-0Oot83x2 zuDA5BE+Fe-cySp<%4N9U+H@T1wuwQ-c@S&o@h-*_5nS$KLNS;n5_!oA^tDwkr_4KDMpm!0C%_l)gMg6H~Mzy#tf+d9iqEZ~ZcnS>UEPf+u| z+zloZ!y;lA!C-xb#BAbZGS%F-T9;jSF^MRiZ@7rZfpRUbf{8+Bdf1$9@bYz;7DcOG zpaoGBv;E~JFU!uVjse9x;gve)Sf5E3pQ$5pw0L40rtZk;KsQ|n6T^$6j2EnbS;3&< zw}wRaFQ?PS4S!gU(ZxJsds8PVw7xlq6E!v!G#A5(^Kcwc!-B<8jmIqIaWSt*6*>8@ zR)DtWNn&I%Vs9B!ue4Qs@42jqZi^GmmO?JZ7X7c`Jov6E2D=zoOxW%ZuKoDGvx{LY z(VtV9@^7l9T#P45E%7|>xOeK8V~cC3w$Q1oQn~v7mj=bOV!-NytSp;~-9%0f-Gj#5 zVvyHb`K{rJVqg)1;4X$0Blap|gg#9TWjr*uuVMl}*NrpdyK>J#l|y$)!VDut9ofFw zJ5T@p4*}5s{m;`;;o>qH!;DiB^Bd7|QrU@)G02!!+@i(pVsO!71DIO04T6SAVob-X zui7{;RV6!I3@=i4GQBe<6UG*UL8Pt&7))I9%_~K>iCC&x-tnC=lo+u}#I~9qi!x;~ zpm>Tf$DC9l{-o69@e_7pqOkUCRu`-?-X}(;Zp_x*E(R5C`3nptT1P=M{Vr2Xz1s_B z5W9-ZE+!Byvl0V{qd595tD;cq7*mKd;bX41T+PB#lOFM6#fnt%&)rM~W)szl=7{Ei zQRb*UWDF|K4u?WZXJbkc*ABXvQjC|WKlk;Mato>0cA*MP66W8|G@b`P?t|G(`50)P z-v%>@(Dpb{m{Lr#^_J}FYt~3dv%hO{XE(I4j9K+aolW=?DXg}v1}W`fC21FfjiaqF zb;YT}2&2DVS6tS6B*UaLt)Yzu-v-H##QZ&0!MHtv`+29SiTl^OBDxq@j96CCI%|Fb zrWB+1?9KULVe|55B7I9WSM?5S#HwO)H z*1S10%4sSWL&Kx~t*s++1cYd|otsLY+AnFVgau6mE$UqiDEfED+-LoI<-9xMv8adt z7)VS5KN={NKNvqe8Eh(c#6#ws+e^_cx2ndn2LrLu-#QZX#HOm}omgTr8=Siz;( zzpPrmV$?aeS@k5~-rV>9k9IN>YpLP)L zRru7!)Zvg7h13N(XP}f(7Odh7DW3B%$IdjLlr8nMzJ*~Vv1V@t-|JdcF6I!2yx>`3 zc(0f{3}%yXE_+2OSK|y$Q6Gx6IWe*0+IKpF`ND7>(<)Z6SMiuSN6i=~9I>C2D+_mO z|6gr)#9Uz#_{Z=ltBp+q6NU1C^XPP`^);4$hl_%C?6ufma&3XcFk!f0-?MVp<09Dj z!Bd+G=Y~~gV+a>Rgj2D8=q<@zj1G>el*U|LFfw>^jk*B2m=(0eVwe}Sj=(1;!y%7C=@bP^O*CmqHDPsJW0R-nHN=bnprgLVdCn2f4z z`%Zx{DTwR4Ffy3lNu4j{QcLT#a$R=jEan8GR#%EOd*y1pU4^q)+oLQDAmPngDzg_V z!3y09X0GV#2lM6*Xf$DVi!Hv7z0h4uR*jSkboCJ8zy3b41q>%dxmS?G=}~xu84<$KkF!HX%TxCAp%)hvp>l!8B+q&f4)sfQ`RCEtkO#P_+O*X3ajFuRZM z&F$ArZ+jLFu$eF|92GI%y{Z6?xvG6%E`}h35&DNxvZp*QGmDnC!K>o6EcGSg+!1&%=mqjH1II{ z_wkRw$9Ka2r5w+zIg9Wa0o|~2hZx>lHjk}LmJwll7~fkJ+2AK77c{|t50iUyUXoyQ zXEG`YXV22j5DPYV804GDC9>|zZF(5wyAQ|x-E}<-^7W;iJk0S$rPzteoH+w$m`s!r zmZqTPnr%$s-3u3|dKehyJDp7pSw$>)?VO>{UINa;T;HtOXsuIDIWT1`PMOd$@hRyZ z>Ux;yqjaIKrVKsI^aVR{Yr@8)-jtLamCw6Y4|>!eis=F|>R0yOd9fJSo3gw-37mDi zih3B_yJy9F?nIDC-zvG5vOPAXZTji#+Al?fk8bOFk)iQw(Vm?&)zFk2f>vgL(()*5e|m)tfO#p{|F?V^$K+Z#-v^-){Kfd zo2yb~!97gqedJuq!<=5!wA~Pfcgoe!EW4zlhmpC3FE*IE75Y==BgW?Z;ZSwBU(bC` z^k;{qw^$LnaTCba$ETci%?YG8oi;FNWwQ8T(14 z@yEgfL%zkhZA{ZqXJ_Z09m5rM2(+~&JG_?#@aHj1x7Z%U*1CB%<}>EzhV9ixUPjez z@h~?hW+NrBluMzJt%_E$t@x>2jmt>lk;(YCeSSV0c7x%#q}j3KOzG>^p?m~BX%mJ{ ze#F3OQ(fayybS8@rfkC&TCU8qjq^k7_I*BurSV|-Gh^oVVL|4q=22YE90TjoQ5GZD zijlf|o)z!Hea^MaqVdq7aW1ymmWUdv=rF=9%-6-Vu<0_NYU>}*(r9qCjHOInL+2rN zNm4g{qI@Z)?`|47HKh8}DbOImz5V||Rw^HYjg*f`o2PJ2^r`yFFocJi+=` z;z$|&H#9vxO!3(U;a$Iu_b7ClV( zp)QCX2KoMCPaqG&eM8#sDJqZi=Befsk8Cn>K-j<4Ut%#?F`>RoB?CQx!K7d7qxoX1 z>UkU3UP%O;t%Xa&cCQ^V1P^n4M+KLgveG=G_{r%J_VFwY3Cj(8B4;Pw2`_=>lI9Cy zsPC3Nn=Wx@;$pgQ`eV52Q)BZm*k@M`@i68mYdxe#!&+S+y*rli#4X2$Po<2!9+rD` z06v$92T?o^zhAD!aNmc5E{ynnY&hoIk7>hyshUD(88E$Tk!N85VNH-{VF6FIyF*sK z9Se7l6GNLze+LotFd{f1SF50g#|nX5n~5Hb2->1}%m!LV;V|~kCd+|Dria^%ywL!nk&ELqTHdcxfm;)6Xgk@AP>`o z{&+M{I#%hMAZ7-aVI-fH)EzmN^IyhUS|8&1iD5z8AZW)^^8at?k0{%0a;`VF=*d=K zd{8W!nUQVKW-De0lk6pL^i5kChTCzkZf^Wpe5IutF*qpu=FyStIGltj$#H0J5rc&1 zlZm@*!%Oqr!+6p-74=&MHxHwQ{Hf1iHldbH7w|m@nn;&_YF$~8+6#B}Qc+<`5&aYHdcRfrQ28ln^ zYP&F1I4YaG+&zL7854x_Ae{vMQn}P37Q>zf$w55y67-7lFgF+^Bfr%EG0ei!+Ym(( z7Icsc7f_?Il~Gt~w8}QJHqM-cm=k=W9_K7Sp1IYV!g<^(ix}ns?;9!=o@UQm&gui; z3ys90w)J2-5OXFT1_ejKJYACVLtkPMgM!m$Sw43CIgAQUg>U4p!JsCX=4Z`YZ z50itV_UP9c3DbC2i&H(!4$f0q))9|m{e;QV$`Egh7#sBKW>@wUMPN|S=BHs=&^ihq zn205LBc`_FH=C>{>w+1sZb#KbSnR7+JC zXAA?o6<;m}i~XMq5Zg_HUXTKX0yx4{ooyoEu) zZ!3Qmj(qcLpzYl(gJ2kc*R8-p{AI;2O4O@u_)NpYJZW?G*#JL+td!mloo9f}EMJ$~GFOUHx^)s5?SmpR9_IUG%8R{p?hdzZnZ-kY zh9g8w`yK0<9?LhUJ^M1YP7MBy+lW+0mpu#cR~A3H(z)F@xxuvGRQxgV@BL%5lW^2y z#Tfe=`LVeWW8&{V+Y@S~yd;eJCA!vzu?yO8zf=Db__{Fix5y9;$iOZ zL-{pK0A^KI52P2L6;BnTHn;zf3UDVmk-8O_RXz**kU3|S20oYuf$2ax2$r3PFWi2& zhFAS0Xp29j`16`dP5*Ue41)G}e<*hB&HS~vN)CFV7EX|}qTHy_n1um6s|K)Q%Q7dS zY7f@)mW>z}6N2LT$}{SoG+W>2;2JthK^%q%Zy9xptFjK+fl0!-Sgw+$dX{2F1Rbkj zxQDUADEtwVSb^SXsi(5l(p=EuEMvw{PFKAx&ZQPdziGPwFZyOnxpz+9b|YeNUKP3= zr-uo{4)TG)!f#Ev$ogjr&Z?}}Tm}zk3QE5noCCd!j6DrAgx_Yci|{oj2m4BwuQ4_F zH5rMiD0~7{llL0)f^)WSDwfMsf^t2sgBwPAD(D(Bf_Eh6*!HJTlY^#rbd7;Q{vw;@ z@Ejy>t}Q(Tufi*bG)7Z@G@1sJNhqS@RCvR_lPqV-C*TxklKQvigSQ<2|Jm@p?9P*w zuT8!y#UgT0x$J9<6jE2z;FM~Ty}i|aL$9kEvIgjw#-hq1cq#Wh9@ z<6^L6yH~w@SovBE6)v)MDSmLBGv|!awIUR1e)1Z#g+VUn_p^MB7rl>TXwdNvt}$@< zzUR)mZ?&*6hTj+GRK8L=dX4$Q#mH&<(u>gQpM7-`*O)R){zuxmEw_zpY4}xml}T#a z?&{I9RQF&;_h9kPNljC z@d#j@zJHA~dj>F!L2WTbrAh54_=3+tmzP zQ%x?W1+S^xb;%81+Qp>cNRkJgcFy3buq~O!;WR1^%>eSt*`==xvuF#FihAqZaDLBv zKA5_LVtg>)m(;!K>CmmI7kzOtHW*g>x@{EE^xl^Tr{<(=UJOrI8TOZC2wjXAcDH0+ z6$TA`PFjM)ix_4NJ4~m`i}oG?CJv9VTP9q*X2}(|-Nm5c$EYa6Brn1!(bjT|3&v$t zlDj`0Iv7(CYaLg8BYumpF>x~+%QFO*QH=I^| zn8n2~;V7d$zS>cxy0kEQ0HKTf1X4qyc1M&IAB?=Zm?ZqrvK`Z_2+U6((}YJ~L0In6 z38(E}P0P3#B%GCdF-Pl1#ZJHwVNBYyw3#ahwn4ayJFmsG?Y^g7$&izYLrX81nWpDJY9?s;&57 zT(hECk6%vt*tFw%ni=UZ+!iGKL+n&R`9Oe>D3tYE`RyskKc@!fce4K z3Lv<+yWjO%tRC0A5xY`WD3c6xi192ODb+|W1`zX??TYp3Qe`O4epCCCb-Pm>aLt;< zpkYw6#fscV!+FAdVG<6D4ZD~ojO(V73?Xa4P`r5^wfsiRoW}$24W|bS8&EM_n#X)8KeXdMyOckDQc3d}#!j+3r!aK2M zT{nEmbTZhr^yw3;)rvQpj>bEW!2Dp?NnZB#B8S0h7vqGVSG>#Hku3R|J4gTQulsf{DX1 z1@>mtGhR35wCw=nhDkV$Kqw89hocKBzZtBEbuoKLSs&SOrXgvA?_c=$WyzI+*w7U# z_*lwsDo10l(2s+(n@7*`JG*d*S0($eDfz=8IWKzwkt*PV8peoq>TuY#unybBYES=1 zd|_f0QT90uCg#O^N6U~pv%A946C@Z+ylok&Y*Ez^E><;SahOMUdcX3SG_NOEU7G;kesyNe>y12MNI{BMoXkoyR;_EsUxR_VGqm@;xXQtnR zLB$(hm0T%B?v2C^2+Q?a>qXbw6EK}PtJnPJ&%CLJjZ+LJ#=?4HRc)@E#x>)}YCg|t z&QIi=p9uRRxpeMAXB6d^P7wvNRmr837m@mNwnA=oH^p!wNxOdJjP_tBSdrMj;*nxR zu@F|VY-dE0ZoA=FumxJAbp4@4_Ay`B8x5yv*DkPkJZ^B^9$A!pRW@y@CQ$lIA*K{Z zY@f(f@SzCmS$HCo$Gv(D7_4Y1u^=;n*Ejk~j`>7FD^_0#vpZxM#BQ~w;;XzHj3;)tbu@mp zT}*#$m{hdXow*oQ48=Fi#4}Nj#feLjX&v#$QoK&tvN1}6P;6wEQ}tAE?uzw_yj4^h zfuTg2xQ7(}u`{}}w>%=*)2#^Jzm7wJ3>aWqTFeAIAaOC2BOKsb9R zb*F3gR?Gxynefgg*6LzZ@f53(swI^19xNUm68CX2$atKddENFp6Bv&Id(=_tOoNd# z3!Lk@^RrXTl&TR7G)5N^FdxjDV|X!URr|;moo*KC2+AfnJD{oOVvw<0i0a4vuw8<= z#vqNy(KH-_?Oe<>=8F}nCwO)xH|?Ltao%#JST_P!`f^E?P9j^v+!QTD=6-Urx8XR6ZW;P zok=Zbp&9eXh$Ch1t|{=_UqUhE`0Fpfc)u$L!r6wjd|XU5N_B`s9}v|HoqgGxk#7t* zKC>NfXsQ0mQPl=rOgFMMl~xTuaa^)+L1olC(+IHiLA(u<&*DEvm~6B8sc!KoXQTWC z);VTnBXj=LOso7-DpF!DW*akJQX98i(KL54*Ep!3bojE)rDLi?jq%3(`9-Yh+)1~Z zvXG0(#)vx3$@Z(t(H12unC-?uqiqm2R}X<_e^+XySH0+ht;6A#Ki!?BFm)Hg(%rDH zz9o;z!i5UP5mVC zH1%5XCK!%VAUhPxa_`>C`YotQ-XN@t)fb%6~XY*y{Tq|M?E+!%KTR*wE^&=+_!}~Nleg`L5iYK5WSERh+Pm5)_|QHBOk{nbS|t6FunfROA!{~z zpRxswYz@J_-iC)!Ni4hJVj9vm$ksk!NwLyp=SOnq^Pm5-TJxsiX2GZhgsg-5Xj;{c zRw05>$kAQinMOYiZ0VSUtoUA-ev`|7yGIuQVnCh0vyXnY6HblrM2no{dX*t?zTCtU zRjKX}gw_pK3@^Ta6Fa_GzhCxx$4wW5i$z=QsA+_A%Y{+BTF6RI)xyFcW0;J5NBlL< zi!8bir)olEApL>q#`HStN(9?OF>?7_ip8zjJ(v6+Mm`Xujzd8E;`07VugUZSuX=dDGtLJ^)MqD1gGU#sj%=c8JYR>cpOeg`e*N95HhTU&tB@C zst%7|8IFT71Ca_3vyijZi*Wgesz^P|L0Upmo&|xljlyjNgyGzD(~Q!GB~EpH zSToS+;4JG%VEeiIL^)SYmhOr~3 z_}6mDl>vC>ShadR3^0x}<#WO4;+Su!JLG0_6b;qZEj4E5VTN()&oi+(UHb|3ehY4+ zBpi|?_At(vgy~)6n>U9AY|@!CSfo-SWqo7TxT)k zSTrr)@%36c7S6^+S5rw6`Al}h`SXAO{8#M|qb-pmPSI7So)(wgwcAyF*6KZVBQh=< z*X1d8xiB%tyvi=3I0#{W8p?2Az(5+mzpdb2q9UOR>r^U>srG@_OC!t|8JlW2v)r zXM`TEhvCZHkMsFq9T#uWiNipwZJmNnZ*{|*%ScI4gO!%U2=wr$dNS~0J5+!l79WNhXKxyW22|FX0&03GbE$D z*Z$VS6y~7IX=%84LaD^8yfZp(4TZWrj8^*1f-PTIW!locIfQx2=GUz`2jJY9G=Kgd zWt86B)ccj8ujpZhvd>t1f2-A^hnY$1C`(!COV0n<@}?QqW%V#QNj<5QPI>~J2gp*7?9&58*%+_pA)nUTJpi-1}_pa}kVp!5redu9M za&&R1G8lT~xc^MqYx{X=yy<_t>9&XI$=7gjo}~}ttFHh%gs-^*%u|wx%~z(>e0rFe zjD&I6Rb}*ED<&mh(bdbt$mA)kdD~Li@>gCShdCI`gLTYH&LpVGPQR1Qr52KT|L2zn@c^)QtG#B@D zryP%gDGI?j^Mri0w5)OSvAZfCgRw#-hsIZdG3_ zc_j<(dv5{f6zaNJmS3rH4vt-6dNL?0X;vI^T*|d#PST$j>478Y$M!K2>HG1_sUIDG z!yDn8DMR4&%c3B?J=$5uBf;3?ZA)ICGpgICHB;{hcYgZ5H~SWvn5Bm?NAh#aRI^4FdFM0KBgMGxqtSH)piITW*S2Zu9$iVrZI>i$FH*61z{W1M{D1cpw;T#7e)tP z4|9w+dF0&k^=4JC_us!C(s7cN%onS#;-jc5PDSCn#i}*?m3kO(jQRfi#Yf&e^I?f2 z57UhPMa;gb^Co5s*7fq?&4P%O^zl*5%jVR6wQq-D)Nv*}q_oiA8CGj-_>(HXs_$=@ zYRseQZ?b>0_OW89QAR{|+p?*(tOceSZ@Aoa?cM;U8U26MtJ>b)%fnRTB+C8d5aL#j z$I15twbJR)>$@eU89%g)EXL~C!FIS_+QT#>DGWX_XL31Fj>fDq(yaF|!`Lg@qYAuz zIS@XD0iz;)gKrz0x_WY z;jUbk?Z&zbSo$gQY9|}Z>K_Zn6F(OR<=#$5RkN@$l$fOHH2O4PNMI__UvF2;>GhOT z@9OU~PV_KrXdQ)9@~kPVV*q(*-NW2ro(f;NFb~J(YBA59_r9=_$b#47?HDPHe~n4Y zc<91#_K=oJc3uaJ=MJZri7$E>9^BLq>r#2Z7#NKC)02WVdl(mlsfE7WrH84(@dpWy zRHcMR&ekF`LW>w5OzJP~uB%Vj*D@W|{X#7_e8ncl;9wjDS(>HSX>n;not~x5VHSM~ zr&Hxn>-_(pM}|lCbj2Ta6r24Cw&U{3TiO-H{sPrc=WLt z&N>x;wbA{+2aWN+oR`nSK9Rx@gX=3s08c^F={%>}1S+ABOT4hY_Zm*FUWp}c%9acz za4`vZ;)-I9j?i}i(B|EZwK_ampCINFX zJ$h+0%>NZDww3^?*@{ycj2k}*KiZKEjE}ayG78Q{YLgVpyoCPDF$HMrW94BSa3V$0 z%&@$?&ffFH?fHFegYM$IldUEV$SSOW_*}BW%In zNZi=O3uAoBQjxaGO_G3~7KOlDMDR2~( zEjMDD+^7l+xvqfbVT@3EGE3TXZt7io$|UNFVdnGv%YEBC3>4xa7$-c`#>k#d$^cwA z+SFgfmmyY6u+n0T&}QLcjL4}*pCiiCZ4Vn>S)aKOnPb$-s* z;;Ru8=jUF@8DIn}^Y$tZ2jD$0EEIhpRal0ba&Z5WRVZ?AO zc9Phqw(Lq>pA9Z7NA<#z`@n3WpGQUbK{*mn-aVtwc~Vin7bS9+9M3DmY73a z6v8(&q;upYsH6W4`DG6iiAh-8gnp(RiYo}>U?9+snZrc5@@u9T>XVZ9%dJ>#dOHZu0yu^^LR3r%}5wAKqSn=+@in8%b8_M!l0u3nAt)`OQKU> z*M<6Suq4!EggFTeB?8&{E6gFD+kcl&YkFzcHR=jeiBS@yL<>?tLR&koENo)EW=%*E z?1S*s6-E>bzWZU8{|cjtRMfHN&9TMGf^YZ6f_jA!#r$|mK zfNi!U(LBn3(xkkvFpx-abjh9^U&&2hVIa{`Pj%EBSCN^EGx2`mD|-wrjtDm-(Axx=$# zaRx?+nM%~2BmEd}VLR{T3NYIKER#=HY~NC7(!{jNMs_OG#NDqdm6@pU51 zSD1dh;aq&1H4L3zVdl|a6S^UGQ{Jq2x!-jWIivjg3KNfUm<99fez3mo%0fQYn+JBn z08Szt!K$p-JM-eiwKUe<=&rHsQh0?{l>2OE-|M`QX?y!VSdC3UY@IsC_6#jjb- zDrYPfU^X<_l;6Vr#2?CkwxzJ!v;_iJIM|j*?3CI@VXN@EsTXY7Qx`kFTXlu{9p{&G zzS-_cvZg7xH^wnZ+0A1` z@qk|TV?crTd?mmAm!&!Tbow!zP9fAJ#^Mz&o+*c6?X7QH3S^j0v={>4%WOqD(%Ld0 z4#$oELVrZEXjv%s^6RiF+a$RFwPMNfNrvBU#_LRF#aD-y*0QC|MVXK$6`VM@+7R0FkTcopO=lyYY1Z7`qOjB^-(1#$$>mtvgwOM8ddHo!<2AMnbOSvDhWff*(<-e4+&0_TvE6+0#= zxE6JxEVqrW#Osef#)34n4W6;&@KNoyefVYp*X=z8b4jXoDsqND9KQOLKTYy*8GdL; zyvc%IVelYkO-@UO<*jv$=_CtoLGUJ6bx%*-a3jPJ61tK2zL`o$xcUdCk1Rx)Y3_YE z`HGlAlB)TlUWps`?c6DYxg_TNzib~}^8iCgbg6hTnnUbERi&ebF?ghswY||=B6tz@ zJya)I+$4tqURhxw75gb9gLxKNYY+2B4%OpPCQh3s+Xz-Wwj< zK>uTeNd2<^wBs0xc@bx(VuFZI>tkL>CFFaR2Q{ty$=QveAxT$vtL`E>Qd!v(@u$>lg6JtEwug4zM2;Pkwbz*c1EpQ18 zZPl{=1r_D$9~fD3!$&ZadJ2j&_H{a85@1*1!%_UWP953B$T zD`Cp(L&pV3;Lw_cJx4&>?x`Kb5)WnN?zHx_eE*e0jEN>6NNv&eqkG{nOre5IJKr2G zxMR~TZZ`I4=}yYV1h}#`?_=A1KXSAU2?Nrp0&GuA1ky{8%PwcFB3#4 z1zOh_QX)Qe59Sfwl3o(Rpu3h0(oYYqWe8yki7^5`Z`|4g62Y}+yH7s{CI&{3sN&$& zdYPt8;REuIaPh=tM{`fHb9IWQCT74xb}pp@wrJsro1>b(Vn^~&W_J?1;-9kfi{fq zU+f<4Hx2}Wq~PjGn^@X=wAE~z#IXA|O@bm3e9|V@l6E~f2$(hUF7GDW)sf6A$Xg`k zDfcv~Q=fi5cg{@4tdU_Jq1(vT`UTt@@m}(*eCqhM<%93(kB5&6 za&nlmQ}oLcdBw3AN#RiC2R)kMm@hI0ss1F(#HqujA9zLC2}xo5Fj0vGn+rT9&3T@05|E!2XZ z=;U*(R4J#HJf?rB@B685fPo((O_fYcgwKa&F$-e4b0K-6vJ!AF1S><0(?pX$Af_QI@Uc3(Euq{A4HLmFee z+kWr%Up5Yk!1@Io6wxwQ^PtI-U`a|#=8>Rjs2BEl;2p5ym_4bsQjCTlpU-gzUb}k~ zT?`jvy?NxfGTBO#I3p6qt*17RpJ+k4HqbyA^9ab);FyEuhT3v)EsBiQ=h#-kppbeU z>!4~P@=19$*#}S79Wg#+C8N2hrSoPOB9d~+GPljNU=x;FXLL>$iSqSSl8oPF4YI92HMT}n7EuPUaX|5KhhXZo?c*ph)&=B>TCvsL}-ID zsmUXk6~jZsZ9}^TQ&fO&hG8LzOvx2Qr^y~t$RRs6ZC_~moGIk4O2lxGQ&U3_z{7kH z(gfX8kRRsF=riF6%5K~J{FBdihCV3fgB-MJ=WaEYEZ!XVFWav)nAWv;9bQ}ow4?1F z+dyhd0B?WoHn?dY9#DS_lErnNgZG20ujJ*EbWBZ~cub6#j0eFl4+kWEQ=fa(j9drI0*TwZKRT|j9leXMcDX-T zv8^JE|A=I|ROY~-(7DWOYtzA`k9hO^^CBNatw#@t?M>#$^Z#=WSuwdIZSA_4(XBAW z14ec{$;djR?_gbtL0D-c;Oz=>-MyL1~+_6%*^JEiB(9`Jq%Vt<%Igt^I86HANv>{-a zM{?|v#XE-C9Xl3o@hA3B=56yfgE<% z#9Rj)S!lmL_ic;5x&x0}Z$y75E8v*sWUSJd6O^ru6w^2K?M#};x6L~WuNA|5{TVN~)6BuW^{oRO#KU%#Q!BID5#7XwQa7i(FBhn>JtHjFa$Dj@Q zgNF3k>Zs_L7MQn@RCAAAh}j$Y@$hc?U>M^zn(c-|dBX(d!NYpme&5}V(1mBv3Q4}A zK#rvFw)xC$M!!zg<6!azA5bS6ouT5wwAJR}o^v8D9cLbsI85(O$#($RtQf#iij0Ju zF~e-upWF7^euq}Qhpe$9v*@%jPlYNlXM?tbiE}d#X5-_a_nGZQV8jNmbmLnOqhq5t z^z4_loYQxg$w~Y7K7}RhS$x9TBr#uundD zFvPare~0F}3bC#$TiR)NkEdpn&Xf%CtojQ@p;y*|t4k<8=8yJw1c|61eQ@pE&yG?=o=pf7pWe%o%~xBYaY? zLGP2)YpURc2fgo;dQD!5z(;LfDSXDpNyNuCcg|3I%JI1jG1@#2ua94Y3b=}K7Dlys zARV?HWO|q)>bDE%>W?$^#*jyDi`SO8>dXQDor8h&V` zC5E%ngB~16V&IOL3?Sl#ibQUbU^wnSj+ulWJV2ptG*^=2U~TBZ17Kwqdbj{{nah&y zX^woS!_c7z5s-?UqXFjB#t8`wR|y95$xPD=k8X)w1{1T)COy&6!w0BLkq3A~Oa>5n zqHhd^!kmpv7LkS?Jitoj{P*aFm#gO%nLmL0oqf$9}@*DmMmVdiH;;3SPY@& zSPzoIHCxSlU!7U#K?oG3IWC7IigRn>GjkIaTMHf20+y+~v9K|t!Nr&WRwk2OO+z0V zfE#ee?mcjaB2AO0NkthX>s(~RcY^C}g6|Z1D*u_Qn~AET{ivyAU5~#3reDh1bZr^g z8@T?T?a}Usb)~22*LL@%4T_GD!jtZF=%E16lAD`EiGE;5?}R&mRpcKhs-ho=8Y`$Z z`USX{7QK%x6495ePt6eA>avt^-w_tAM2rKtP4oH?dvh%(OaquNN6@6u0|8j-WmAa> zwPp$b5`QyIM+iL}0FfldMjBXnBYlcl0H)Y+2S>6-+2m$@Zp$lNKVORjE&3wMr`FwiU@g)?@T6p&wv%lgu>@h}&lZz^*Hv7IU{&$*Vta&F%j zuDK6AW8~DHYc$<3C7>otcp*hHJsdcK-;k+!V$Y3sCCmh1!#gO|&E)Xm)QK!PdyL%V z#X3q3Js5y;$H0bU(|+0Rp3Gt8uw-uN^kXK#N|LcBNVAbs#s&L{EJRsnq$w7@U|?)OCQYj1t)o>iBOr^jLtoY5gu!TlRL9GOBm?XsASIg& zUkt9vW@-7P7!0u1J-Kd4mV^$Lq|@wY!klNFCT5^4Ce?ujVavlcH*0dTw7Ia=)lHZb zFl*|jggz_A1n_fSkkK=ez{fngtQWyTr74+@RVmJS$)N`jAZBMRQaPiGkGn`h(xApe z(-Bhw_z#oKb*92iWEq7Xc!0bZe8Rua1y_kCWb5D9@^F>iC||u==z$0O20%z}v+r0lIuH?f3FfP-&OThml|pHbBrOF?tc4{H{x#l4HLf ziQxTgoyXH)-Oz&yFoyRbTXVEnFfBmTXW!Y;@fa3xBzmhsqXzqa7VomxDz&_fES+vjIKma=*>haOx&^|C$GHa@vypd z&yX}hoGVKkVZ=ZcGr>>I$ZHifGZuvlY}1V0LKC6rIawv zi*W<9RF!UNe&_)Xh5%JA*xel1GQDi;k zbntmFf1ply4@=nDpsgj5J-4gY)}q6w;HL^W>tfvDM~G;!U5dyO!v>~`7m^H@H^DNM zkt`Q_Hk*iSVg5i9sk)SCRB*RE9jT`BS_YU%kV%!$oLx*Nn};44L0wcPTbxFLqX!&E zplRzm`It#iinZw#IC)omxNxf~_k?yZI@tSL$Y8E@vX<=SF#Y09P&QH22L`NPz}1&i ziW>t7R@sF)7|YDrto@J}Ng(n{;@~9a5%3_;M6=chjg0Y+VoTZK974hU5|5khfrmGm zM3_lXh+Ffjr~LV$a>qb|YN3y3C8N7xVBBTF(IjJ6%uC%AhM@j7b?^F$y3EkSB%nWN zZ8Ff@Xm~xdgmBg_Q%=)^1!Md)`w4L=v|P>4`+%z>ajw*100P=7%ZZR4PM2ErG4Vkl z#udg1yd}+Bw(zWrF*|PaWfSeJGRDvYAc%DyH)ZMKumX3eJsFA*cOYjv^xz0iUiO5^ ziqlnTIv#@{R=s@a!4NFzx?$L5?R<5NA}~1+q$cY1X}~6`^+OMqpwyK-MD$IZ$&$fE zo2g<9jnOrAYCkAmZu|D<=+om`vYISSj_fT|%1nqsL=%$-R5o)${LZNTqN*%&zdKxG zH|@h?_Z*zN=vYE{x6{3+KcC+4Jh%bwED{*4+FQQvn)Yx8GC|(joJ^7l8g%Hv4D@J( zV+zUWhB(*daJYsx5R4mOuYX|o{5Cz8F?1l-iJ8OhEpfEdd=&EHt9a22?t!!^Et*^CLlC5V&M4cF5 zk^0E(94=O}T*_dj(uGvC5K7YRmN>RYi^8zuPMaxx0_SAFLo`sdq`8#|DO`Hy+O_a8 z&w#e$rBr9c#nda~0}0h9TX?cZG0R}4dL}B&oWd*va$?p2Dl-l}M1zbo0Dc)6!h8cV z%_3_qV!A<(NjvV&Z_k#dc}eRR;G(4mU5OkV{$tQV#U@17$DiKLv5|$52Zq^;0YjmO zc|fCiQR$|PNBJ`te!vH*E1C%|%$bKqQSshYxOmu7VoDTyKL>wC^2ADRut|Ao-nkl8U12LAQC!eMyTPa|MqO7O! zA)yC$kg27pPAH2>{|nO(j*+L6!N?&wn#8Wbi75!&;4PC@vLgl`nDieSP4}Z>;(-CU zMck(Rx1slji+{;2)OK`aYGcH(gZF}D7UnE~4;GJ8uh)}H>lZxT7RhLxilxVE9q2ScJ@Xw#^%Q}_;tPF62JHo?a~cH1vMxboEL z(CwB<4$>9hVQbYB`2QWJK7-EU;qN$=u1s&IPwIcinO(kz^EA`&Na17o>Seom?(PD~ zS)bqbo2Tyh9Z%9%c#bU1(Na)dmX}rp_!`%iW}ExRcK-0PcuW>Pu=cTT(0TloI z)a`3_6Q`RHh5w6FQU3z3Arv^v;y=$_a5tgWBCOu4h0H(FKV+qsaZ|1xSkly!oZlqD z6%Jy1zuN|ju6=m^W4t&d9;Af%u!HXZR6PXSNN2b>J__g4P;dw zA(ECDaSBPvcHS79vDuMDw}wZ;q{>)c7&;O~$ua2b^FL{Tp~D$hR>$hZtvIO&w|OTDh|YrS#RW$?g7Sy-o` z%OQZJ*$w6zAJw_S=v0(QKq~|9w9)%^ZPM4c4CYtJ@9K+G1Y&RpXesX~%`qP3x(sG_ zx~aF@1C#d~N09RDeY19Ch_=?J9MdlsT1LjSF^uO`!e8TceV0M?hEd5SWn2c``yn%E z_-_Xzaj|iFBu3U^(7|wAdlXB=AK)^`U4J~!?K0@yX_!U;X6iD?U4@Amk560%z5CNI zZ+~@;*mN=mG7i-Rq>cU#AKPV+yz&hTVt+Q53$8k3x0zYu(1*d}gHU+Gm4(j>64@B- z6?7SZZq=<;lTCa7&@e2kE(6v*U_lh=h*ctX8PKi>i|mRb(o+xU$RUoM+FUM?4=?$A z7`vN@TNxG%9S#hqrR0l9>@5NVYUkNh*vTSo9PSTOxjv*V?lOSdUMXd$vf?rrTKNa1 z&GqNBZijP=v~^xZ#b~X^WdO7lWdNkZ@1)r>jK|uITm~1*87#)ciqxNFg)Q9e_*+k(h4}nQGsLNnqWjIL+SBbP-BKNjpW{iQ&;xMJXZPe~D@|ClD z410~PMO7{s!W)-?zgCebkRXuDU|-os{jRtMgI8MZF|#aUe-`85;{%R^{Knxuk`hb5vt_Ik`rn#AqJazZf!V%Gr}{@ z&{$F!teUr9%iX4_6~W7~4xw$^7_J%y;c^hnGuYJp=0a4VmMFpK)JfC+lLYj%vP`~_ zQ+c=Bnri_bN~+)W-C46i8^gg?15=l7+&(dib$W529ytFPgIE2TAm_x_8e>Ne6$ZsB zkEGENjB-=4j7D1{Tn4?$9VZyTdTQU9MHi%6BGG*r(FRv9w=~u_Dg(D zAj*E1lZ}=unEcUUf(j!uOA$vmY@rY1Gn2%>2$M+|1SjCYso%=z@O3#c={TE+ILmU| z)G$`_7Zu(viYzx+5nKkQSqVJ}H?#ppIQlxO{FxF#(|s(A&78=UbpjP=16Z8&!BY)G zqs`f6fSPf$HG)5<>^|+pUAN!v+Ryfq!F_#M5q;2_%g$pkRPzW{Gx0$7vcaHDU&y1` znTn(OIKpjs>EgldW`yXv#VFD_Mur11roI>#qdrUAlvl6 zE`#Tk@qjAdp3~#z%E3_1D3oqQ(LA)<-N8*2``u%=X?NeW;rO^qG{eH+OA(aAg0?o0 zfplg0NRJ%b?t!tGgA4*jUyA#CtCxAC4v)c?i71J3QxPc-@-~dn^oP>E1+<@cVP*JW z49@c94lfL`qJjPsdn+4Orp7=(>)f@(oydyD#P*_Bbu_>=^FD*;PsLOX*rcieV^QbnEF;3KL zi=md}KhV!}U;4Wl0gCi^2jeXXz*xy6UHdI&YNf`dA~n4+{pq0fh3QoFz+ccG=}ef6 zOa1BG&~?@9YV~G}yfiz2G31h5k1!#(MfHp;KSUdcYgwZ21-{DCiC8$|(kZ1gBPJm_ z%Q5z{RHfjOJnvvph&NV!3*#@Too$i8#efqr?dGce*lg_Wkr9>dkA9=PRR*aunQ6xf z10`Ur69XujGzmsfj);c23(f&q&n4a7)p3gZ*0rrXzcWAJ1Q z5qNl5Opo<`Yegy;w8*VOj9X0Vud8<5)Ej#QMh+`}15#nKEE1zv`aBuUpK%=YF@@1D z#fUUVQ#mZ0qYVgS5Oa}Um>$51_-^0~U_jzBOjR$V*?IN))Oz)UbuwazqP$QMPC0UB zmlJ4i*4u7FTvB(&;U34nHXPboc2iN`sP(MSyq4vBya108i{X9yRDb1!0bK^N*z@Hn zm7bB16Jr>2zgn(|XsguDPYg5`o3|>-TuDqoS@mZ4{P%y{E9QH;!FLl zHui&GapFe_=dPQz3^99}vu@XZX>`9{yC*|@^hdL*w

|_S{^Y`Y9jl^}}P`I+I!k z5kW7aqUA^jU^dqca9X&0Y}cQ=!($iW#WK)0Ae~eSY z8O5GG7F-{IwG+qyB5S@hXLt`fE=~u8)BGZqThC0Qa^r~Vx`#OJ;v{ zqidm>7c`ILE$*W^JYGYv;ASJ2XW4A%!)W)$i+-M`muA`VEe>j#ITRR>_*dY^0wXU@ z$ZeInWv?<}YU(5FZi3IG?eTPc+}Gb|Q@E3VD0T#AE4M;w^&N3|eB6`rH{QZ$>NVZ= znQ-IB4AV$`;d~kF5dAk`csF1$*sTnOtgtost}eO|V})l)aMYH~&N=NX+(laDgL=kb zJH5hRj(N%}TrsG+?PL3~HY)@kgR;N5wOMgJ23AkbvwS3TL3<3CzVv&kgTsJCctc*oMad`Grrt0xhFEacRCsRgXdS zhe0^f(C9IUetD;#>FbO?Al@sbMMvgu@wS}Jqa^h0smGv~DkK3VCmScg^cYb8Kz~si z#7Iv?)hrHgbyhoV9MgPUim{ZB$DsPH=RV*fhMbFTr z5)X7XP6+EU1OR!o%&IMa$5M5~6mUI{De>_ZZ@UWu%b!31MmK%{ghIjm1!Z8<@$H)GEb$47osbK}6Q}R4_{5{(?j|4hAw9$H;9=^7QxVupjX+Yo);F=e3*!2x!?_PZzT5$#2e84lhr@kc6 zGx^=G2`enu*u^MsgU2X@|Ki_hKl={i1CJp-$mJh->1PM(7;X7u@`IGx7VOgnvmD%Z zpSy?pkJ>qU+4568%SE*rYtQo-(t~PVI?tdiV>Qd;>3GFFKd;r?_7&-$w z&c@rY2iL$Em7yM-_dkr7w~8yH8|(U*&EWk)#7f;s-}|+JIH=QHnzLB(usH8AtOiwf zn*}Evo-@+)>G9&;v;p^FzD5)0G28~!ibcKE(v4b%MJeB08^saz^pvyNK&r@N$PSYI zhTN#6UhhBEcf0+jFW(I(2otYnIVm$G*&?lo#D{Bl@fZq(GjqNr9b)as3~_826Ch}C zORf^NsVOHfH*I{#Vp;@l$70mLeIdWBh?n8u)o`aL$)Z%ZdRqA$x@i}HHkw9xE`44( zt*8E$f%A&F6_l%e))L-2RWQCY<{O|(4$n5Ka`_DFWw{N&6!cEUZu%HTsH#%^85Sd`$B;5iUKMg??t9;IrKzD=?j$B>h$(O*wBM%w)M_h; zVPEijzN?#s9jameg+M-?N&}91Czx_Uop8`VG+K^%zEmKrDyZiotrt0U~AS%-G$@ zuAGC2$@vNlM+37RVP=LT3Z!c@l6Jz>49lBX&%M1F+6yi%6=6UHkNFGd1m zUCu?(Uqyu^KTMJ|FH3TNKjl*sKudcu;9Dm87{*WiZ+Y%x{L79;)S! zeSuLcw`k*_6;l7Q0&%d9{2eu3kD+`x?vIL(LmPkvZg%ppd7$%Seb+qesZ3nh?a88w zFqcPTzy9eJFYOt{B$OhRQ5(Y;;c<)+YdR@BGXEdt8xMwH^etg!H0K*P z$k=Q_9>X;ue1CC42uid+W6Fu@Qu<*1J{Bt6moW_5nz_6%p~MWa{&))k=EKS&#m(>n^$Lh={KOk`$eB5`+d6$PZjpf#;~ z4E@AZM(0#IFkDF7F-*=*97j{KfrFy0S~Sk#%h7_yf09%1|(h zrBCUDUIpAPoHP%$|JXin$3tk`EG&JH%&^-d?$4N7rk2qkOX^!H@6t9fOhf_5s62*w zB3eK1cRyzPo&3)>P0T%Uz|x)wA*}U{StveS4D{?DeG_4M zAedT0>CJW2hraF~hXJ z9>*S0e_Sa#?{Q8Vk0FtmH~aN%w_iUPt>Ujn;4D@|h_N)``k`I#+ub)SA*GGQjcws% z(D}nKO9;OZ(KG{8N*=>0kv1F62i40rxSyWFroUqt^_}fy+uL#NcvFs zm@wtUfo^=nb-{cS()bdc;|!czn1q6qy8Kz>e4yhTd_mkfnpB186JcXF#gN7JzUle` z$>3G7tLpo)h-?LTZ6r>?#8sH3aF4>g6J?s@I%UP!TQU?Btc0b<&`^x@`8gF)-KIk- zl@T1K$52&>>Q$xv4tJ0$+Ak9(VBG^7Xd&FQOK!~ zE-bYl^a+9Yi_p0W11imi4k<$m0`sS#^E%A0V$A`>q!sde-p-&p<<=A`&L1tLZx{3gm?O8a1zi>&bHk)2?$M?))?i%~|vI+OM* z3QEE_Q$f0R35M}v5~bt)$e8g$IhkcxEC(fPtQUT@co#WhQDp|vfcc^f)G3oObM(R) zgvm3AmEXv6Vxo-WadmQ}Wq?2xF(TXOD_VngCq@8YK%l=tyi(j$IKzMmIC{Ex1%S|g z&XhJ5MKzOqgg??bi5WL$p$zScTPMpa6MAnwCbU(WkRl*POSuxY&ue{IeCEonHP-U+ zn1bV~--2H-HO$5FE}Nx9F8#_m{zY_c{sAGPT>-1e-Q++O%wxDYV);)oEkr&W$iI0E zKS$nd6aby*;V85JZQE|oy;X0V^10nK>z(tw($)v2>NpX_pLtd_u^;0w#6sg#9hMGg zSq)x;>F&8vOT*gXjz%@O5Hw-><7!cASqN`Y#yic*e zg(*Hl`L;)<6O*h=+O0p_7cl!rE-gH)!jTn-yM5$C61!QSdYu*7Vmi}kglr3fwl3p_ z$R9+}nExZbO>d5kUHxAz-v(o)=HkKGe7aVl+@F_MP#Y4^}2rE%dyU?{@Fm4|nchmvOUk-b;@|mb*S*$*HYtu&L zFx(>`U+PbKv75H;oJs41GRoSoc0{ic-tS+g`Jk&~=wtVES8sP0dV8|`Jwp+fPDLnA zC%fU-$bqHk8rlnm;cY%xg|GlWNCOSc&aW(SaQ3&#{wRcK$6TNZjB2? z)*CIsD!3$3K~Z*9KlL7F53`DS>z&L>CQpJO6AApM9FB=_)XXr2TVBrX|Bm-BZ-2cX z+$LVOyXObc$}##34KjgJ5i$&a6!U-j2~@Rs|>_QeXle&Y|qb<|OGp1u2P_hB%x zrFm@+_dT4cco*5D;40K>;qcmiv44w`D*6$BZD}p+o_~LvB-ot)&J0)G{gEAShD#vM ztfqO>etCQT2B_($8BXx7+kdtD;gXp#`PZHkaViowWctJR~!LZ}r^j&`$ zo@w@Kk{I`}+5e_J5G&3-$K}Z7?&;Odp12El&fyHJvQC^jDBDWCVKRrw58|rlUKnpj zq?TajhRNvBKeS1%UBY35n42H5_D4MJ{^c48_D8!#UVe)nhSGdDjmaKHW2FJG^61M)a}v#(zA^_Tq@TjOIClzWpKCX{s?!m{$8?S4-@o^4HJv_JOH0?=`mU(?MW2h7aBi){s zqrDA;2>B*WdMvdG1)rBu926H8&C~zQRwf_BNu!?qO&g zJ6_9;#N~p_x12NRwLAJAdIAsFdG=_Z!6}&*4<-aTnY-~Bwo<3(yYy&vHhZ6=EQyNL zVTt#?UVUd9M?M2qTAGq3)Fs|$fJ!2*;_Q~CA@~eZDI^MSc?mK)F9=Tw8X%&{hAuvX zR*JOc>!smU_eG>N1nY^msTlSHb>fLW16%q~=L$Bd@)_RJ2ayZJsrMPwQdq9QJ7GIc znlk>Ow#8?7OY5vGZ&kXIu{Xc2?Hj{^d($3BZNS}eGyq%Grn$6DNFmIy)(q=f);oIx#>d7-8*hr<$5 ztui!6F>2{ne;GXksEllp#TBK7Qu_{Z;9*{mXB$4?R@qE?`rcgVwa@UDBB7TpE4}g= z@Y0NA$)_0`S_5#?@hnop4!Bx_n9TRB{;uaQHSRs+Gvp;}lBskq3sdOX)5NSl02ky& z84g4`dMj`#u8KO(y{=Ek`K(wC)Kor$V(KfX`&^DS1{<`GcRMP-2zSrB``y6c@EHsf zDUYwH0cdDn1ui%1U7ma9xiU7N;V-R3taoeSzDZ16s+!04cxmW14Se<)_>%iBr}qd9 zU=oqY4fF{tdTbL_dPmB$vhv<9UHbxam!w$45;k`B8Ss)x23~5{N~Nu;Q%=x|R{9KZ z$=;1cv63h1oi!9Q(U$rJ5tYcO7i=(=&tR7}TO;doZxH8egb|Dvnc>)+xO~Wz&RWb=lG^KeechitA!`ISK!w%NRj&b& z=dqhh_8GX6h(q!T^a&bzf_i3%SP5$&cH4xuBeuDlI`%oNQtqbiM`Q77TbHg2VhzKt zto{TGwUVb2A$OW#M}3=Wt56Ql2n<@PL{*!Og93!s@s9JTR5s$x<9g*b9I=EvKEqvF z%bB;zl9|%$yerx*?9Cl>mc-%MyncQ5{24CvM#BL>Jq*^^}4i%V=>THVC6!+FOi}yp7|BAC%gto{n9uN+Qbpa? z7+tQ!)zJIp-?nbg03bb0x0Oqng69`V4)EI7-AnwcWANJYmYWhr2!Z76fw z$i?KPQ$lN0!s;`;CH=ntBu>o0Jv`XZ#G z@fp67SSS)kP0vug6ot0?L}C3DmsXX^>tF-Z*T8AxX@}_3{eV~iHgQ56>BWh<@Sy$bNUMZccZo@J_A?^O|!Wz z+QTqj=|nIy0WYw0;BwV(HWsP#IT(=AxgCNiyA$2I3a;lO=Ezj23m0{nznzog)V~hr z7IBjOcIJt)%tAWFt?7bmv*xN?8snlv!dgQZ_Gi(lx`(kWTxykswr`J1tY(M(@l$i~ z+7md9I4jPRGlw97xrq~K;T_%GkRc?|E1zi>|3rp$uM3x(7$mLSVc7L6s!zT(++*!_?$P2sY$ua`wl0TO*5R}7@8!KNGvUv3WJg;NM=fooiBh%Nz1EhSx7n9 z8OLvi&;5~gxRBa|@4L4TE)CaXwo(H(lbnfh<07A-Cau+p&2P?20@s;Tox7|tK1naG zF6z*sHQaGn;8Q1wss?`7Xfoi+MiFLIrQ{}EFinXXeS~_c*z3z02bU$uJ;H3zVQM?* z?&UL}r9wLj#yXffT`)^2y!KR;Er*b%;grB6r4tEg#kGO)8KhE`t+v^y^voKGvlQ)P z^9Ax)eTJ#D*@7}KpTR4McrLtHtW8_^v+&CH0df6={ttmUx_$ynllLnZvb;{NXV**n zmT?>FI?;wncNWPA8TS~!MCOz}0Q2*`mx*l-U>;Kyfs8n&G0EMrE0Q~%*^U>$keRY| zZ7FVt^8hZ+4|*3m$zG;!6t{<{Hxp+j1~XCB?(5xQ_selm0qQe6CjF1vJvNxGv$328 zxA_cX3Hq3rr*vAhuCmN$m`Y(Gg-Ll`c8ReQg0V{R?%6~?zF0qIDD)l0crv?!`AKCi zO*(h7TmegO3YpilSU(O$O*%f)~aJbPEK4*Q3_*i&E%PW z)U#z{4a0O@v7uLF{S=>g^@^l-b}(Wwx<9zER6@~`&G%lUPACz5(38EPXN)x-FEolW zGoJ&a2J6LAp0|*R3Cb+JxK5@(K0Z_Ye3p4y)Fx{j_5iav0izt2FE`p3EO;HH`r z_)M*}IkrqDY;vYyj#8QBOC`oH5<`@<`%+ziZ?0p3c}huhxO+Q%J%oIGoZ#w2;G<}A&6eSC7`xi9XA4Z3xU%yK zu#K8a?Wf0T;oY5N0X!6X|r})MAYvJPdlm6bO8jS6E%vmD$WnLG0x40Et z*cj86MA3nh-EEBN%qdo;kLCGt$-MhW&Nsr~rCg?kihBZYVhzDjRlOa8>N_ksP*VG8 z{$Kxg{UeE4+JiL)F4dU|!$}Ii5s2f#Sh)|yaGeuVhXAEp$%wrNUnH8e*0WCAe*v3{dE2cAb+<%@R zV)f-fWwTvK%jPTo&JjCA&)KDVBoI5SnI1CZe!&Mq_z8 z$;a1*3sojF8AbXqu*sIgi(^*Pg$RPfcbL_*QVG)f_zbA2T&mR2LnE24vZ;+9lbH0_ zwQyq!7|0YZ^?xr@$+-$s@*Nctoc|1msa_jg@8|`>=V`%-&w!Vf`y*+Rn}aty{O5n0M?HA;>wo^|FtoBTf63&L z;FQ6rUlp!Q>HVbJfw4=A#1uySuuzGzvg8;{uuyrayz*MuZxh?I5go&N8dKm3p=^DI zw6v*mw8dftRaqtN-C^HY$?idE35F|G*U`0_G_^2INk7Y_H|g|uW7JMrQ7tLl<~jB1 z-w$JTn6Z>LNAY6Spkbhr_PPpytMeI-Qru`?@^HWR>Xj`U^%BHGFUR(7ckWb3H~?onlju+KKIu9PZep58S?4CjacaD5^K^!<6W4tI zleLI2HHq{DL@)}=x%G3n^or3gfH6t=?s@lWG{z1WZKN~y8B|i1*AqqoR{R!XYc<*( z&Ueg6D(iGmVd!inn1)2wLn5i274iH|X1o5UH5M+if4=F1NN?tY`HulerYuo!bJKDc z%scwnJh#VBj-YP@SoIn9QKCMIk!^(uM@v~3YK4v)ECwuYD<_#~Yge(bzi^N+0 zYqC4N&tQt=rVOR*WHzHw*z5aPJ7&!2)nQFj7G9HcLeuK(DACL+s>?k75&K72&FKG# zKUmd#*}a;cu!py&=K0d0#Qz6YiFB7rn#1mMd-*-yqGGwBDtk7W@)Of`VE4H9#N%;4 zY9H(WgagR=q5W-lJmY2j8?3DS1HxDT2G_qcZ~g`s2Qj03TpKhYvh{r&dr8B0m&qe= z>EAavL%zUO4^wv}aLR{y>=`aTF6OkTF2BUf{i*%Zem}UG5X%8)kGs3i-faJ6DEaq8 zTw^JsnWf@Z$K7MQyNts-oJ!a7R9HLSh$5y%>4!4(Ql(Ags=E9h`wNDSls!*M?W4*N>k9XH0ib`hSkEZ(jasf9$p@n@ApT zI_E5r8|XFZk(g(?dlu&qw!OFlM&_(6R@|Ibf90eQd%l#|#)@^wSGzVt+aQzB?E^_a|!*ZaSq8-1q6n@7xE% zg@7c!HSK;Mnuq7+Kb3^Kx_4;yW z7^4>>6f=eT-=S$IRCPu^H8f>Vpp&gh7SO_h`n&$H8ufr8K z&+4=iDrIdaEQ2no{olAfali!Cqj9-_7c`X z_uLUw1Qal0=$Xn$CWGcXURnC+@%n?wvcpM%uvV3oqzf30^zHuecpvUwkNpO78H8oh zW!pUIiPHys$dl04^+Q7-drL(XFiL5oh}Ty2QHn`rQou-} zsYF2m9YnyWp-D(v_maxVv~j=)q!-Q8vH8s6PXk6EEnnJ)!|rJ`Lokehtk7~`L*jT( zL|Fxk>=-cmXEB?3UAOe=-C3>Y&M2&bu8ghQOdB;=18pKWqLNG`0gIx`jzgy(vg%HK zq2Ek#9ovH$wyM0%vTu1SICj^!D2b zqSl|pumb%!dSjJhbm}qEXae%-D?D>kX^d#5X-51otuS_85T=U+&Uw&4s&mv z6_v$tIKdPLDv5wmU56Qk5z*}y? zKVQ0Cy6X{ZtZ#RZpT*Dnw+%8w)SZVU#-y7;$w~7inoL zvfZVMrPaOJ1-jA%oU(d%IPMSa+pD+SJ^lQ4cyK4rpCAJVjHWs-#KuM41&ofGy9$<5 zr!oUYG6AEermR}q-0O=x?|q97D8nc!n%NwQj1~%+f)XO zo|=04MVU7%M5$uO9>VFxc~W^o6=5OfmA9ZhuB`I`A<@q0VA1tC6f{?}0(D;s80B?h zxGLH>6RB97;GLIhouLVW1=!)EcK)*GQKTFzuge!Yvv-f}^JjO?VFb|CxGXYYgw`i# zgode#C)|cggwaJ@$S>&ZFd+#tK3(J_10-t^#LOH@vzof z#Mu&cj1Cxy^*k#~J#bm6N*{#Q5bQ$M+A11O$U+TGt5v0}6^2#RGqEw^cBy?k<={>NMm*i?jxc>HU?kKtv5mLi2n%Bk^`!TY z1=M=(OKrn4SxGFSUYnBKVX|fv1;R4wbbp`-_8EPDDPjL9CgM+K2YIdo1sEFQe@d>!rCViM7&Feaxo)UM!W)%Dj+UHqeN*(w9y( zVyy<+&w$ZKi*hBmLw=q$46DPw-tC^KrN-Fi!;%SaUS1uqUXEE;?(x{II_p(0IQe#vidp zIy|&pC9%rfF_ zz1>~YUF=vgEzAex&P%MCrnh1cx0JvCp_pIQ`IQw0!lLO9*G4Bxnz~McIj~c)Zh9>u z+XTZxY3}`Dy|g|!LN!S?3OJ4Qq7cN29a#!k9eu0fIJ=z{S+)YPb*z(4QT2Dgh@^@0 zw3)a=T*-FI>BMTWtVlxW&I+u8F0y4LNp%`7Z$702TC9Mv4%HWo$ajlQ5#uC;&#(H~ac6A8p#t(&w5V#hDb2{>Zs zBHZl;7yN(F^FCGpi5W0b=&lT3`)04#>44LpID!|q?-NYDB)T%NR;3l()7U^@={ zKGfS-B))V15^nZEIqxaRb-+lWMW|nYbB-#d)wM`rO7Ldyd<2xCg7E^Inoa zczWldv1}!+u4JP9lv3MCB0Oo=9*Mh~;v-bIZ-8R3I?xK0zzmNdO-O;gTTGpl;*v4InST7wO^mFNN zIOz;w(X_TrXZ!u@_}1_$UJ@>{$i|}nfRRdbJ3SUWP%Extw2NUuv|e467gHyB7zD<$ zX#G^#6vo0D%P(R*wt+&{wf zx!h8Rh*7mQR!q}=lTvCwAM7$%C><#(E}GS3C*(y&r8<;{oXSjK<+MIKHjY+g@O)S` ztz9?tQkZrjt5lm*qX9UY6SvbbC#;oTW`#CX>6uoi#!7Z=9~Mj}*+xuI;N9I2E2lq* z^y4M)G`J`}JWmCJI6j88)2DuweO_NBUsA+J3qg#UoDaxm(W~=(ZCQP|LY#1jC4uV(gK^uhS)maVxy}-O? zEw!q!;cU*!zQ#FTmlV*Phx|Jq>^0sW^Jd-b>Yan&dbMcQ_4@wDptxIK2H}IX3%te) zp?F!>PrHUQ+jq~md)xOs4S$2HzT@_Gv#T9l$X8{pS0X=%`o--Y{{9V4%_b8AZrC?p z&c7C(dK%3?>3@RjxR@RNb$ekbwIW*dS0UT}4xxj7#b?@g z=-BVyVYp9HjDq5}HArbL?s?DcT;_Ld6Vs+O9WaV!z1wWvh~_=!TTLsvj$+^Qa6b^? z@bw=J$03|>Mk!1T21>KU2Wh>2{)NzL)Z`r z9Pm-DgUI%tmk|Pt(g3x4uMM}y5zXT$!F*K`NaD=wiB5ui$5`s%^cv``brp=5T0}QC zUA*_~l3to!s@6ZnRV>aFlq~#zSQ*wJ9B8!L-BZ1`eky7*RUIz%vNwTn|DEaiN=bZq zQ9E?O?WuY0KWOjQ8ic_ag0Mab-0w4pV<^)}66bqabiJSSe=)VosT*CAK=)277S^|f z7~FZqtnac}d0Uq~45!JXq{Gd4_rcmKMVwo|gGP3}Od{)dSjE?Ls>zP+xa?0-{aWwZWS}%Ghh5% zma+AFXiF3A*l+dOHqvhSBYX8HRcJQ{O#+L%lX?xt%sk=5X4dg=vvF`jz4m$tlfd>q zVz^JM5$}VT1pd|vX-Qyy=h27*xP-#OzqZ7g(SQHRb3ib8dmQIcN0dU}Q)u>SbVMxa zPivIW(o7p*G)N~Psj+p=Un@!c{1*x2Z5~s^UG8DHArJ{9?v~>?Bf>kJQXql9{rc_u zUxRX6-!%d4cAMMQNh^@R*$#7N@<_Ec5(wOq1QQATZAA+%u+Fc3F39>lG|ee}(g#mG zcX}266zJ3W^~LMott()a6MZ(a??nqHoG(g`PDuivyM4S3(kARm%8e6%kwEIEn{%Cw z1Twc;8pWBx^@+LM$Bp5bC4t=?O@5dJ^U5^9uw8y@EQV<4MSbz+jrCJ3PgtgW zNL1FojCtFq7OgILSwXT8X zLABFykn#677^&;^379jE%L6XQohoRNAFHV77$)A`FdBmqTamJ(hTgmik_*LmjSJJg z%W-1*M|gL`ZC)&v@To}wu4<9M{El=K=tS_|KunU!qGaYZa_)`B2PCiLBOKKlfvMnX z$(WJCg(6u4F-vAX=>fzpy$2Q8;Cjo5O>1nsYRlcq-TVxugd5VkHk(1s8xpwSo;)ZC zr0)^u`cApnUj2jwa`$nIEUc{@)4KI4HO0?EWzIE!%Ygtr(!myo1jZ9`Ar^3U~cQ{vo28Yy9n0DI+>Z#F`F}G;)ECe*&2>3NN03mFhoHn zfxMkA^O#15me}6&;tWhVarW#{vup3ymVg5Z5Ue*>BsPI0FfE>#JtlGQSf{15Uo^qiNJ3MACS6YPoqI5s4L zMR8u>uXO17WAC^VL$?8eiqB!QpZb4)QEo6=CPB$K@ZCp9Kzn~pZS z=5Y{`NCHb+hY4KH?cv|7vCtH6y6&Em{Rl*DCM4;PR^cX^Brvt9@RX$wWLJNE;(le% zt9_d`cWuq#WUqXMiQ6Bzb6hrjE(!>NhvxQ6u-LTg{aN>RxXOnK+xi`6%=7@u1GBcv z_OU7U&C~Gez$9*yA?yer1D&HtAaYMHgD~TOL^~4tk7}&Lx+*vIFDDknr0($ND4yKa1mgi2PM_trh)3ib6{c;c+-2>w$=NCdB+$06w7m~@ zKP7>)okyT$DhXumIbD@K!ioQOLI+*Fp_u|HgNBv8pJI|WgK!Faw-^+&BZ06zi4!Ic zvzKLZbmzU!Tcbj3m@9qO2Koi8pJNnEWnuq&A0O)jrFK`4^9an;jxP@VO1re-Pwt&C zaeEx+MHyVhd07pMosz)c=2j*Y6j400fB~4e{b@NfI!V@Vg;r!YR0#SvBrvw$P6tCq z%+@Ywp2y{;;vsdsx`~0g^gY z$6Q=+Z3@${uVN~wd-qGV`6ZoBg`qWyiP=0e$4K4% zv_b>6JTA)EEoFH3gGTu2<*Pxad*IxG0~FJkFi zNq75gy|&@UB(Skz`vel$*vDLvb}fs{pGzF*8DK)6y6tWSn1Rh_-9@M8D~-o(4f4xC zJDesh8cd^DKmC*y>fJH~CR|4>iemvvqgf&bpPKG8PYZ5y)A9rTSZ^c-7tJb`1)MYXd^FZc+8g3#$$Iqs`xf=TbaamV<$m_`gC zSC;Jkvj5)DCYO}bbWoLx1nzZF%DG}pxYny; zzAQ2~PVMs+Faev@p^QrE2@*&J19|kP>pupx-&xb{Hea6a+b_*}c=N_&?3-C)oxRRE zkBQhUF=D_a){n8)&{V-3BxYfcV(KcqgC7%9v5(wgD-Os501|Kwmz4T z1j==X$|+PF%?BV*m~DN44IU%1MXskqZ!oJ91YAV>HlsVU&(8?B3KDfYNRs;_8w`=?%u7q;JyAzWu8~(v|cE*Re1Klio+z^agKf(k-y5 zPM+)a{kMnBbFkEZdwE`;IwE?60@}u=O5R=W!T5I5K*1 z`{pj_kOo0oulBVQzKn3-{XH{{aQbD@tatVLt|#I~k#Lm%BR)TkF<%fbgiv5VPqy`L z7hKh=RimS4Vzs+FeXfOD{Q~Flm}45R|J+QPdh71)mPlJDutlp7B5|FvOnr4-K2&Fm5gsu)Na! zFaUPCSvP+-t5uM_SU<;=dHwTUFn-oH*L?M+0z<{Lq3U5qpd@~JUhQ6XPM_pZz)U5Z zTSn6aN&DF9-N_pAFE;s5K*E&Thq z4YFvmZC=hTN!=Uc%5V`=bYb@OhNV-?Ip#OY4uwLmg_1u19G60Gy8d{vlQ#*4!jJUD zgnEcxwtAxqvZtnVA$p$zC+)9vB%!|@*dTFEe#EBY-b9eDY`*Sq^#K2|gbd`q-hSS2 z=bU1%{i6HEKNUkEhbYY=&Xa}Q_h9!BjGH?{Y`0I)P)Hd?+I2~-A7W7Ie+^1>NJJtO z(l?5dWiLS#3TY3$wO{Kq??F0QUgP|yFnez?*L7y34b}ne+L{%K+CTO2dEk^BWxmeW z!R~!pYvU~J#thx&;JGy6TY)dqCuoMh;^`V~*7qEK21Wa_*>AjFliht!*LjCegi-xh zdp9uJ$~}eeut62|&$9jGCjQ+r9n4ZG>hyCuPgk1(J>viAb z>?^0ozM1scGxvSW^<;|HKp3nMwwvypKJxVO#@qFF%1u-YQhlvgwr${dOnO`Q8dq74ssac!>XE3qMV`77y4h_3PY&y ziwKK$gw;`^uR4Ns{l*cV==tVLTMs2#^dP}K`qpl|2f_@E(+XZ@)wH4^?Zwk&A|XEe zzM5bdVLgDpYZhT1l`!)WMir0S&&~Eh+t|^{twKWY;C3Dxr%rgco4!@U2mk2;V=Rir zibS0BbzXgpsi^1p?PQgpO8Bv&d0C|aH|8`9(INJ$62u9oaZWS3reGRf z_i?XEkR~*sh(m)jC_$|Ri9%LlT+m<(DS6gAtE~iW!mbfhX{>+}{%>Tk9REpd zPO%bH3+K_b0m2T#P?R8JXu(O!X+&jy(iya;M(P7XtJRD3Q)qK~Q>A>6Q>BEAbP~}5 zR+E(=Ua0SrrThid86xa)qm&?GSY&F}+gN*d7bGk6nmgc`p%lClgbgP~4(&rVHxM|$ zDN{n4J)vOC(s9IHZ@4+@hp4g_BhC+9Mwj`e(tjq_jj*~Q^EoW&-A~8$(^MrSO1~iU~Y6M0O^zky zx`LqLTau$g)w2aGai}fGk)$6uF|kLl3{@Q+m00ZX0~KnJsHz05!+GKKoBJq4@Z=#nesZCwGHX4!1pyOwjZ&0~AJ zS#!gO&2}hwSArtq-E)1<$hKztSg&84ES?g|qiL0tF)4KpIr!oIi4ycKt`EDu$5~Z^ z7~(Z|V>1-;AK1l-T{NE(v=PU2srQgDztlb_%P#u^1(0{9jpWFNi-2UX5|j`lrDE%M zLfF{>^$y_L!fxMdjmJH<^k0(d#{UF31HyXwC0SZIN)SJc(j&CEw@YF5!??&2hsy5n zpIG!TTs=2|dT5{QxZlb-C_(#BZ!TT1hQ1Y+gQ9~DP)9>MVd|~17;vGZydclQtnBqM zRzlssK|pPQou^;C9qh|PbK}40cp*B(lJ-kssZqlg99&aa-;hrY?aAf6c3%E%CBA*9YHu2j zF#pCk1T179MpWZj0H{1K*@P8Dy z5A8}{zY8^g;DmoLo7j&A4K*ut(8dklhL;%zJzaHNkpX&&5)f`-rU)ioF|ydiu{alo zD>h8C6gr7#|$=oqB>f2usXaD2-%%U%g0iKN|)e#>hAfw4s5Y<}ZEEJlLiv?mrv zWEWsWC%p<4B$@5f;-cOS>7yUq4QrELm@sWuU<*7Dm-xBL(ks-w@+SwQTR87+M18%N!{zlfGuCHoikSrF8Bekw{^R04=N8qHTikFyq(@Uz0_2xFawW^* zZWl_BNUSO@w@P_uK_ziEwnZl0WCA9ZY0EdKb8za1?LI5C$E1GVH`~wk?Sq$}!Geg| zIz9%+2ml1aSPfD8@^YN{~S;DdnX9ph;r=Lw=2T5hYFm28$l5sot%ep729CdMt&wX8w z)2tNJr0|Y6tfy!XiiQ2I0cge>hd}~sr{6m0mU=maz+gqiO6#x|j6uS))u;%EWONj5 z2upJ1nUs{{4<3Y*JBBoA^JFE`R9~O=r#FkC=OXmK2~#Y!hmbRa@C zvW(CaUHPQ%jNU1}sfk@nnaqo((%xTSDEbS!(!-kot18ZYbVHhfv^oXVy;1 zW8_V!HmdcTvx~(SyZ###`GgaSMHY+n+FDiBV@|+&V2MSsX5fpMvT)VzKewCv_UZ7l zPd@(N|L*UJy|isVxBG)P9@^)}U*M}U;-}_{=#iufN%=YFmy?g=4TgqkJu67D6Jb{ z@2l{eFnhS@F!yhy%(0MSWpqZ--=r~4a?l%ti9ecz=EK7jD=Bhq%Ot}PpPGp-o#FTe zCaj*gO!eB%L-g^`$O^GIFHh(^VSPj!TZ(J{zzqgs{J5TdbB8kne&Tl>k5=2QQPNl51Uu8Zn&*z7t)SgLYT<7*goAqAACC7>ybnn zhBH_=ks8%43Kk%Ys-x)m?tAJ0aAJe(c6^z69fc>F;etk;x*chPkD$iJ1Q7mg8Yyi9)tlL*vcZx)j zU>f5k2(p`H%bXsx48OSpNq*UJ6&u(1o1i0_-H|7`Ad z&q;NT$$!Iqzp+REjw_eU))CmfVMa|bJveB`Cnp#&TG|&Ex0&_U^v*KH#{4 zI@!R}Uy+!G0k@vS82aXkb)#1zRnIp3y0dm+2;1k_Nm>Edu~&l7L;~auSwE&E9q-& z_%EXvru=jV}4a}Knlh1<&`-RfCINvF>HBzb1D(l+WZGHt#ote zdkuUw#c<d=w8I&7?aREu*lmMbS22wE%z7V4&tEZA_)JJj34z(fnts(0 z8h+``sjDn`M~h;p@x%x2m_R3`RWHa?3`@S8FJQ&Rj>Blp+SN1@@ZpdCVENirY$vX?w)Jshm4A0$9LtN8PPPxb8U(t$kWngiEC^f z4T45Ev)io8?FVLr3GwzhnO>j!afbXl#ZctSqNt;ngZAf=aqDiOgKVik9#a@3m!DS* zA>L(Jhp@yr%u@_a{?nDNTq~~VnV8)mOfRNU$x`dHP=R;cV4{3e+Q>3V>Qq_-Tnsp@x|a4LkG={!k|JA9=<3Jb8|Jx}HrBpt zcivAqN}rcfAGC-Z?r&&{tF$sGkEIyGd$sv@>pIf;r2uarBN=l7_rbLdX*(*7U!Cw5}MgyS;9-JXL{$xy4-fiJp@LQ`!4+<75`aFyFm(5p_zKjc6=` z-30RUis8Ud?cHvjF&)h*BWv!^UeRfc`RzAFPTtKr8Uf9(@9=zr&_~sI#Sq(9+jbXC z0M>@FTO`%R;HVCsgw@xbt_>k(qw4|3;wS9Tz?9D;F^}DDM`FN_nE)oWi_FXlR_H`A zl=e)_)52W~!~wJMNHg<>;oiCq&C#{g8ZF@}hUjh=M0w^KO)X}-FIM)yrC0S*48L6! z>BQxv=_o47kt-ha+t=d+QN9Q4v%~libK3QD``R8Alm{*yrm-utA_DvgH~)@EqBV7QmHu2}IVL;n6XEYfXl)bI zJAmQTV@A7q{z^IQhve>ZXaDhrU@g}7U4#=o1d9MqK(N0*zs=ZE44d7Cs5xXjEmJWB_9m@Mv4|!Cvk#cu4yLbn z$YDPq4X;>+#eQuE_uFY`k(jqG?1R#xa9x}`N6o>yyrIyxj#J+k@9KTqYd?8|8BC?? zD^C}1bn{{!dnZXU(IR7l7tCp2IUGj#d(30^I6^P`-M2Py&@q?Y##h-;EOYFf#GH20 zdYP3X^M3mmq^cFeUU%|5we}VoGuG?EE5CaKpnYB0)wN$;1xbU!HpYB)3RX-3K=X>> zs+%i=vYVKye!eMXd|F|KI@R{+9`bB7ekg{Fl&4H+uorO}WiCp6B|^lrVz}pmdXmT2 zI%b`_w7|;fD|`9bFH+RBG}y8jhLy=kPEs+%^R%#g;)-HYCJ%yX=XTXdHX|B<^;pV6 zD7VbsuNiQ%4PTES0kjht&bj#10IgcZFwR9PC`bx4ETi#Q6lwGHHQD_;5s&SDd%N+5 zKx0cA!af3j5p&MsK|tC3Je2Q%sjUv>}e9P@jW)1 zVrb_Jk`4+Ry+#B;#SqYCL6XaO`(UJ&zNSwMY!B1T-L{7$MA#^E~cZKf)2G{i(?)-^`b9p9r+BHc%D1>V1}#-BO|&<5^Y*5uv|BtFf`L~!n}X@(Bt9tZ-YBD2V>zruxogghTg8yd>Bvlq zZwGt$JRBha)KFyTH(^@&Oy`AQTsurBw=b%RPwv9QXc)A#KhuIwF)VUXs_^&>AC4gi z+;NC0Cdvw|XbVj9D^9ka=+ zw(a`IP-~+HUnNN~ymIkC?IRy9(wAGxke{j0-e72eAIP!NO-VvagAz5Sma}VtvB_U{ zgl<)@Pn$=F(Xs)<-6k+dOfc8>Bll-zq*Lzt+&oV){PL+uMMs((IkPdlyjoIdo(7i- zW|S|)Qgpnh@oNk-%I!&Qsu8^@#c;^q(_{qGk7ZVh6{VnRat~Voq0ARzviMw-nWMq^)w6Jq zW77CUr1f0f_{y8tgA@X0jjzng3@)8z9aV=hYn-~nU_dEmjrYAD`UC=SyfOcvo)-i+ zewR#iT}MeS%phNidVVFMCs#o0UW((aIltwGieKJX+@$!ud>_3RG^!7t1ioU(-O8nH$;)?F z+(`$^8;dC*!pScA$LW}1U_MSJKQ-cdc&B>fpg|oK05g-Hn@hxt2Fv8Q&KSpUiN-i^AkV)xjT#!78qQopW8PQs^{%BF3qd z^>_syGr;ZZUC6o4-oo8t4mfADm?l*fsZmXaz-5>YZYD*p!q0;ixROpv$?X{rF&KOs z$7F!STE$Sq#oc#On!9fk>EtF}M>=l~Gz1hw7|-?E9`wAFw_Y}3YYJ_2Z3-{LhY8~L_^L?;KL>RH%ndg)k08M`VK4F?I|uPU3=P}`e}4PP;i_W} zxOG+SC>{5IR}2H3T9cF}Q6^~=RdK4N7i(hXrnH0ddTx4WfKPoWy z+qLBNeuz8x*$qo`0Ls;v=1rZhDB;{`<(KxZ@GlpJ<}I6=Z>gXdj(7dVu}RyDs=a;L zyKdTpG6JS|(-9qUI*vpMFCC0Ih18ReRISE(s3?ZxO}%8Z&MUbbxegg-p%W!boV369 zdz^H^r~5CMiy@@;F(2=7sg@ePI;7o4dLz5^g^VmN9 z95W9;V4h61oE^&tXD9aqt_96^l+5s+nzug=N!PDokfrz^oQDRKarGNUf?Lbg_7V5z z7kgh(C;Q#geb~!>P;yYX0FbwTB=Zk4s9J=7Kx4;=IX9=6tcgcyPEWu(m9A6G z5T&FU9Rc!@a_T8+11E}yKbC`3=i7t5*7;J{Dnte+mF4B{s1Ovec!xp5-lr#!)QiQKxE>k z%S?30&%cGAhl{WWdzZaDk19WDMoU1MNj!;IKcFb4b+Ke)5Y6ZaWJO)r?-Jf`F;9|U z5_yC~(2Qb$SP25L_B~DD&cwjKFPo?PFPm*L*}UAjPGm#HqR7qGjIh9*_H;G5IQBBl zC!!hP`86XfU?*33baXGU)QqygGPTbd)U0BxrvL6ZT_!q26W8iNGnxb35r(w~=Gt71 zHnGr*;6N#sMkT#E&lrqAGnxZ>y%w?#R|T7A)l_x+^^BYi<`WaV^4VoFGexO-dTZUy zs%HpTW`M+N&-~QO(UoA}Npl_bVGJ#Tk<8g|?jG82yY15OG)8Ne@3xjK&Dd@HR=o21FHti?S*|MO2IJyH6t33 z8S1zcek6nHWb=D8LRKVF@ghjx$RSH zC*mBvFox(BN|x*9q+nnbD28{APObm=a1d%~xo&Y@-$39SE8tZnxe48GIDP9rk_+EpQ>0l|68TzjoN@-pvwXj?v+E6u$Dt;nK~+VZRA<%pV^~ zTl(FJ64+0#_vg5lPs@hd%Z;CtSlVEE?s9AoW5!)EH5Q8k#5hEO^J6w{2Tfw-(M^UKnI05rMGEUfJqB^I^EchHQ2!9y0ShpH7d{Te02qk@Fu{51(fTrNK#8@$@As@ z^1*u|7AZKkoGW!zG^HGGp{p6Wg8EvV8V*MOJeDXBITd!jUqV}>Fqk2OYeuHPy;e$? zv+|vHdt-TmSz1h}DWNd=Sgela3G`#Tf3}x!f9WU7-5>4#?}_-nb5v`!{l0x3*e6yl zNL#tzy(Skv*Wccm#CURU{K(&e#+TOX3%MsX5dsa3E-WrrPVjru47jin>laM4Tx8aw z>?d9NVz0`qyjR3Z2I?hQ2V*p+W~2**Tue>e07^5e1w~~e!>aVWL`JKi z7Ye!i8j)*E|MEC)?^u^$Y1TST zy4`U8Jr*RmGO1Hp@pvej(IcRpk}O4&QhR2lCj^S=YQj`0^F#?WBTCTKp;8fOEow%R zfIB6yD1oj-VILAY-B^pjZb(VIwgG)MJk_x_JUL*cF+WiSX+E~$fUkd?yP1DR2kjGRcUJfL+2m5MbZK(H2{YBO$| zSax8hty@MC8UIh(wJoQObn92qRVt~9{Ra@It6eRrWr#TiflqfbD7MCcJOVj(UT8nT zeuDqSb}s=^x1_IOG8Z$Iq|}Ynhjskcx9&%5xR0%r_AZ|X^APAxHO9A}4GI>~?;2}TwO zmSZ{s?|wKw<%H|n*bA@6Wi~V>F&TllYZRQ&Q8sX0Q~U9BD#aa+?SwMSSK%0G8r-LV zt4v-F-K)xYHzqC^a;ne1OJNju$D~YQFub-SZhQA7MTWTwJa)~F4aW^Nl%akvysy3S zR0z53gNrMU2@9;00joe>C=JB4KK;>ky+0!y#o$sIf-!0Hedit3T*f2?H~r~so&{w~ z%Z~#s$u3$8p}W-hV3@VQqO1Y^ts;DhDGDgmFe)uOyr4avcbh7Gn8r9|mf`Wyo`k1D zB4Bm`Vb)5I;R+JOK*crG1XL+F;oK>HKCa#ow~D@@1k1*J1Zf}jJsLtM)G#%HLqOGP z(TkZ0_#Gt-5BjVSaK-!te4VVSTi|t2J%*8cq24@&Yn91NK^lzx&Od%y)dSOkpt+sS{xe&OgE$$672WzlsLtl z1VlWa;uds;(_F($U{j3@C0&a@iM8LcVNc<3!^<`lmwRCJTN?YVeTT~xW(wj1 zlM|51>?tP~QxZ7b-iJc>B&^bqKOkV`8fF5gZ;#lq`bbHsVO9d|FJT1sbfAfC;F7ul zr)ssz+#04I=*`(J?-!jUrIj<+un@3|VuQab{rxA!>0H-!{(#}hBQk|dn0!KOnjAm= z^_qq||N25gc;+K;RtA(+^SY*w-r1d$c>{-k&gkyWOe$6-dGb9Hq;oid!3(wBCh&v<}OMN)coZ4t8GOk8R?Ss`_4zH&*k# z9PdYOR*9i>HMrpGTZ>%t=j>UHgv~2jFSf)!QmBNN&$(O2d3yY9ZUX}%+1mdt*CJ5) zynIgG2G03aaC*26?B(8$$A%{sahLfZu8Awq$MIuWMGx1^kX3P1mv6r7;n=;3<(+ zyB+Rg|52z*Kc53b3Y}o>3r#GU_Ab-t^D~YL!zE4jU_ADeN)IU(;4+*Qx{fwG|7B@j|^V%CSE&S`)gv zp~AE5QI4|+@b&87+L%FP%4{~cpugtGsCv!Dc*+T%{?K%JtG6^jyM0r+DW43Oy$9az z8!thEfLSw+ZtMw%8zPmQr^S=u#02wxdW+NP8Uuib>VhK&EeQUX&_SXIv9y& zv#HZ(cHUD?@q_D(;iAX!pnt<>vwlVuN;Hhd=kY)+p7q4Osqx^t zedfB`u7+zsq1qVw3*j9Gah0O1|FKgb{6Ji0;O+d)D)=z0mAGxjC*g}OUV=CqS;r&< zrxlwRj+1E_Y0=GY-yf5-#VXSl!ji$9A3dSkem_Tv(Fm10F!+Vm#E`$Qjf?7UXj~CFk-tnA*9)AK;9@ieZ}r@%q7cn*48x_>JW)OZ zCq(Xs{h7h8^1D*Nbei96O|rCP{F&bzjL6Om1pkq4a}?(_@8&m-g;sB({shN}f*Y~Z zUV8ElF{S;n9E59OeP{bz)70gh;X9hOS`CAET`HTLMvu{s4vGBYGz_~+i#>s|{4kDo ziv#r>_{FzW457)}?ov6UG$YPE%^!N>xiRfqtkgbUzOpn4++ZuB4PF~WT=7;cLpMHK zLHIq~JbgLFp_EB+6oC`1gqrFtzo0x7lxq(Y$JpWPPh)XiXb=mp;U)bbxpzT23L_Yg zg6O{g(BlNtDM@5`9u4vDzN&yIV1@Vcn52vQAA`7yggjaAl(oc$>&JLQIM4(AZz&=fHphwDk_gTBKGunM!*)bwvJOS)PUr}%HeU(qHL@3l7e*t|6bXr&927igQc zj)ti0q=zYnV*zr8xl-%kx1Pk|TOQ#Tk78S5{uut9gu763C`@t9FbXyHx3AAZ92npI zSAUZYVVDe%BBA|B_N0X~A!>ny@%gAE6fycGp9zb)UbNlqbxeAZtb7c18_(G@2h+(p zap13w+kJZ&=^Q#3Nmd=5HftOg23MVQjtlS{Z*nW)PsOu1<7f3fkNQ*hqIIwkpP~Lr zT~o^izN4 z^npyqVAkuHYAA1KDcqA~YC^sX`lS|J%nA{%;_vk5u^A$qe@wL`tUH?zSYeqRjE{H2Sjfpq z9K8ndZf^qqm6?E~u!Rg=2C;DV$3vEO30^#B^SYScgU!aaXM8?>*cYiQt=Xty87gk# zYZ4za%_U=_QO9u)D~|jn8Mg&rqEW}tkcrUkaek~C4Nd$&OYts-;=0ulEgD_WG-}~J z`|(T3+ZW@Zv2w5UG@F=WhK-ylGrZT!G#g|@(jfd}qyDr%yD;v;4aukMb#*?QsZrCz zBqrSE(BC9K{e>`t=s!D+~>@i}{XD2zHZU7O|3JwBosh>-$3ruQhMBfV6&xQetSv2Y3rT@AM-u%M4xVYqZnk-(Dt#Nd)jzgN7Qj8zrOLAz> z8e}|QhPMcXQy2ae?xu7_izlgB!`bi$Ql(pA4H?%LRFrjSue8#63e7rp{e?#rRQWc| zItD{mT%~3M z&;Cac8{vjpo$tRi+$@EXj7#y^Cc^>u)M>9gIyRPK59??d>A_86JXTHL#qJ1$w4{lf zHqL`TMZ%X|8vC|t1!>cCFs~`VGKw+S;avFZ)KESwXeiEmC?8&q`5H3CH{!Ftr^#J3 zUCgDBClW&HY9p_-kd(nHlFqX{BZiaVP(n*%DDNA~9;lM2wzUk+G+T9?4AuN<9arkH zfj1iujo!U89UJbH$YHW!4P0<}!uD!4aL{WMt%DpFXttWzq@4xZUG$ng*~Xswb`h*8 zirDkx<%L0KH*5I)GZBY>D0I-_-*s(5{&n zCN&C#zo%%4;!x;@ChSeTSXfmpoDRgbAxFV^>wk%D65}m zP-&j_N#vqR@VPo90o1J@uS$0 zH{!u9go|jDwkk8_FVGZpr8B_ee;w|2A3gt96$58F@-#NditJUCEVsJg8_k4CM8fqp zI(kjY&S1ma+Y_mO-s3&Klxag$IHuXIYiQcadZ4WdTQNcn5O*zE-(<$`qV2)|4pTH$ zmMLmCF>?P5PqW>`MVGec&7|jal2(`WYPT>mE*nfd@n5R)#$PYx7i;|iYm(XSV9?&7+^UbKl~Xmho@SkBCXcb^bbLRKYoJo43MxFOv! z9C*NORYj-rA7_{{>x8Y?wlJs3d=tI}@m9D52Txdv2J~}(p**LJo0^^K7i_j295~EG z%rzb1`>>SoQ{KYCWVtC_pP!ZYt5==l4pvG$r$3$@Q|-mIyHP|>=Y(kp#VB2CP{7gQ&tE`^Avxvg&BK)B;t4r zYc_`jM62WoQB+k&r-M20&$!~94#soy@Mp046~r%wmF!mHT4o+iRfxp|T zVA>oC(P6kj;J%-xBpf>olXkcRes`p68nV&cW%g`NjLM%Mdh;IZe<_BUI~F$Xy_fB4 zoGbz*$CM4UvBH{(yD(u+briq2=o*P|&YsygZE-@rbsXFUO8ABg;*SJ&dsjmcJqb2j zpOEBLwLNCHhLcsP09-tWukdHY3M2gG%dp6^5=S1R$WgO-#))3pPu?%D5!l~7bWl+-F9*;)c25{VbvD+9aJrE8(pVOcMO9_CvUx6E5=&N}Lg?vj(;;n@tJ}5lEwY9)gIWkK)D#y{#OLYXuBKIc)jBws z=%Obqp>2BAv!`86d*$^Je_8w_SJNXlS^GJ*w(DZyLwsxYcs`R`e&pkDw&4s(D^!&3 zXQ@j<_Gn$xAygB5VVXpZ8$Jf{GleJ*@h~a5QNlpTuie1<1zO*%fnS8D)j8RdO)QcX zC?IQVn$SToG4a z-`dO;&Zoqkiud(>C3(y&+`q58iMH6$SSl*;8D=ia?V|Ft%Sh5VG zw{V*XWg;ZP(2rk&Gyq9?hK#ta!hpA0xRc=n7s`K{KZ%1>cK^!odTewh3~sTxGEmd% z;Imlmj9FdWaD|08ME6O{)0da0t0CMwV>_5e=IBjoi{Un|gHT)<)h$VW~{ICy8du#zhwuCWK|<7ATo4{GM!g>C2XkAL$6$m_Wq# zSK+(*v(CSYdRY!`w!-4%(f?}r2Cnuj)*D!krU?a9f|i46q0c!RE>6@rLPDtP<>Fm^ z_;^pVY9-#L;<0iuzklDes)pE_UWK#pDLT|qIYFM)CWuSSwyCeWwX9 zr6iRDCMlk^xJDXu(wo1{x>={sp7vI~=Oo$@fKi(_kj|T!6@xUWq4pwJmNAtnmRt2X zX(ntA55`J&we32L zw!uO+C+K;2*Gb?6uMrhBOCwBtx6VUw+f59J!phC=eEV0{zTLs0bDU0m_&gxlw$sE#vChs`j4`5YBx)!^`1?7#TN>ni^$3tK6*q2j>p}rP2$*E!b$#ZU^Q)^*x zU4Jy2_9p`_?B&btr91?;w)2zCVt>QR!iGjd1-`vpUWS)K{k&fK$_S{xk11tgLA{5* z@gsacK~g}oVfd#wmJez1W#a!#6iusgQT$I~`QRaOwy$yEFO`f^R#++PESd$^9n1!F z0A9oaIARRNB2$)E*1R+YZd9^4RNbfsIgP<3W2EYw`96n008+!V`+Q_`gOv%El>^zr z#P05%z2u=cAK%Li|5cOVUa~=N+l%+o*cJrvXTP6N|V_Gf$m zvSUsIV~VoU(5xg>*!<*I4+3EmM@1jnX<$SRkc(o7CbyvVnVbeLORI=-IA#N0orkQq zg?J2Sov-Fh+?Fx*Ip?GPyo4TCl#^rP#z)$WsMFNY8HpnpZh~Fm(==SrCwlOSvA7_o z(3bvUC_a}_0{`=@$NB>yBEIC);KJ)G#~6moz&BVJU)Vwshje>LrsL8Nr;T~F?mzVm z{>d&87ddTQ?{-#As?)_JqT|IP*}nR@;ox*Jdt)!6>i$sN)L;=FJV&YYLp{b_jE~cw z6NU*D(o*2RX^E-0?%5Ad0ddTeXcd3i z()CWVY^|=ZW1iz4&xM(<+f!W&HX#(|!%6RgIn*B{$6D|jKHdGHmm;11`@jGFKXHqK z_1@wT#u>pzvwh-qoO+=G^`#%tB?+onu=6=Ig%5l}afL(vWSc>+w(%+(-oUlvp8piA z3Fwe=Nj&;g=fN_fJ#ONZGR)2LCeATbTm#<3DIGg{Uivw(Y_d~Q61=GiA@t_f{s^q3 zOT(L(H{cu(g10o4>`%OJ(F#v zt(O@2fyuIK)C=fguj8$tM{g;;f!@NqSAY}}Iswi%$;zxxHzeZc{>8cHo)A_`4c!;# zm&RgjSZ-j=+-Z$0&P@Y1O7?JoGPw?{^KA>FB4H~9*4XGB=G8CYrKN>oJ-?c0mljU6 zqmQ?n(4RmeQUfD|DnQ~a*8AD_=$>=ls^>4I#96YtG=0f#`p6YtZqhui)F@0E4qvhF z@#%NuyXmsbl>sqvUA%nyQGp^NKZggx5SpwK#*3D$l*=xPDz6ReGizu^6tZY3m3SO@ zR)RQM+{DpJeHepi#3&5qxa5?v!12pei`k6z=y)Co^JPuAV_VG+!*|9UGd_G6gSe<- zW`W}z$k%Ds7sXk{@sU~8P*yG@a#W%W=4hRm*W?kQpZ6Fg>*r*tK8x?@_Z7cWe{#c& zce<#JN5X*ic>R_+rcbNmMIAH}9B351E~1BhM1LsjT;M>2WA6C9NCuSaz?=)sMWQ~Q zb{aUI7eS8V093>z1L5*~6Sgl&sheZ+lk6N=CXe26oHk<5QeL zW))_~gOr)m!vObFR;P!#lgX?lT$=i_PgyO>X);H1Zxp`9(T`G1>6hyyT4$_i74_t3 zO0uVuvn-dYWzlg&6Q-{+BC)hWE$V2f#!ro>9EylES8~VjDvrcdvDgK4G|Ksu#g-T} z=p@hSlC^T#d3>mRwu8Z*$25xHJ57e?LU`Letw~pV-+6 zAC`QwG{%z$uHBcFZm6m|!qOPIZ_k;!!B#snc%CYX?~LhR(zE=!{;4d8ZxnAm(;rnj zwzC9AN4VTuMCr`QPh-@>fxhF%;o{S`Obt^8Vl0Q*jmKEtcw$`rIBd4c@G?aNW1D3- z6@dzZubV(z-8go+8(aNGffmbihojpuH%FHvf8uRhgR8#~p3ia`E(fTp`6ZUe*RWOq zJ{BqxFT1R$6>4Z$__m#zzg5-_H|j9i6%eDy_cw4ZrrZc6@mEOXk5@smFM+fO43-$vzSc4w$FzC za25)ePK-IG#i0L=Z$$abU=RrRTGlJ&2KJjL{%GXaCj40rgG~n_nAFcAz7_Pzxm?uo zlCcy#YE5s~ROwcE8XmK;=~jLOE>u=o!YjGRvRUR);AzV?MP>efw=JQ_VnTvlt7ZNl z%JVn{;0NI_ds>CJu?ReF6Ec2VFR6x1h$XRG36f4Mgejupr--3b^^1(J-+kKtR@pDB zETfjsW6Fp7kD0qSHg)?Fo^?7*EJUJDUfgcn{?LgaN zCb>!AdJ-MdCT85(YDgoHp%j5NsGk??p^s=DqgVHSH6ljaNYpVf=Dy6f8)+`9N+PkK69}DB4t)A17WpHww%th&K;EQqM zX%_g?febvOFJ^s)Y9DBH%;iR|!o0HcFd2$TzK zjJ~%_7Jh7M@WJ$hxuOs%V(?gUr$~dRbt09z0~WzqpxZv1fPsQ1@QgVAEHEYm`fJVhgGZz9&qj9j9U4P5 z%j}Hrs+y`Ije|5nmbHBSRNC#h=E|k0JfuLGyy~43$@;DQUR)${Edsw!9)x<+#R3@U zxMRDvKbFx;fxTrJY@J3j45e~Ja79&^ym56@DW`{Psrqspi0TsIaw^exM7=A4i=`;s zwBvR1q!=n(50xifv&C078NS}y7gF?B(d%=0J~6fY^fx87fvcS|C80YpnxZG(%tLiU z(zgDOks=C@&CS4NF)>j+l1lmqW0X7*hAgE#i({>UJ8~zX!LPD?KNuV4`CR#VxQN(G z-qxFYz9?3Jm|G}`nn}QI=Ex)^oNQdZZ>Ec3?5PUn<9qU1jA7^C06-V zjPv6S4ids0Oc^O?S>v~Fh}O)CW~b?yy@Bni?l*|sTfQVcp0 zVNK|YAw~2lG(+U8`p)!51X7W~%n@<&BUKY)m5>VKhNiwJ$4ZIH!8%~5kQ{vrUFAV| zVun1hFg%ye3(ecWA8{RNxulE-z_peiuZ#G-8Yg0Okhw}9qQ`0@%^WdOpa6Lkcz}jn zXHc?L7%Vi2SKs;4`QRIIEObjM(X}r#Uq%)Y#?)FQO z!KZBCPPUXkHQ$B{JVJlWz4xjPY(vv~_EX&K-HS_nJA3>xp2YDqm8rJ67fqb|fX$vr z3ftph(9h?yPz)NTZ=5l2VTBc>KQ@((+_K{Ch_1 zuqd8)a0B3BI4NnshQ@}CrDf2ZzA<8WU0#Mp1Bc6IvPD*(S4D7F_|vaO+@t|;0XkV6Yja{3IvT!ZPmY-6&v6RFT>41qZ@vQEfbm%2<60qa|`@h~~* zj>IC|68BX)vy~M-4+JOvE=tCEc}n)ErW-}xXFM@J67I7}Z;$fdP}c<^8xfv&Q;hr9 zzF#k;Z8fSXcguva;}QS)5WU6^6-aL;gs(y7S;`^wN3$Z;WZ0%Kn)ca59YVv+L*ehV zo;a-h75Iu|xr|;nD>C!UTBnLY+vSi4w|`d|c{%+4rjCG1>dq#M%{p&GQ-t~~g#kCK zXvskmg^S^zF*&(K`_oJi8lQRm_MA18-z+kR_x`6UhV#GCy4-M}T;JNg>|p4in1sfb zAa(tFT+{oBge@GRioO{8#!$LL_n`Qvd)dWU>)c_o2FwCMmj5j1o0Zg2d0z|M3oi_8 z1#(h$S1&DH&#rBU)0&W$#6D4cOpoJL&D0Z@P89ttN}>{Da*lW-mr~OPqaI9s>EI)F zf(zEvT%F)7MDqggps!nZVQ-cw!+p=*P3 zoX~{^z-cp1wUJ>iYsIF(Y4u-hEX8ADb|@wfTd$Mvm9N0P{Ma#}sGqYj>zAnRZJ4$M zyiG%-e9D25xb6hCM<*eS$j}mVkR(n(*V68sA7oUT4n`v0goEZYxJ+wO{$6 z4z42wnTjh7c)Y(#9@lS`%0QC9QRXN6&UCLXalMCFf2>YE;D~J$vY?QF>BR}>C$hP8WR3XQLLA`%2LCVz9IXUzN7^w z^j@3B)>;i*NcM+IYbJbVGGP3SR|XN} z0ZlO!u7B`XSqFh6dRnIIH`?<>VSl%EiGkDdey)%h-bb5li|l#4;sv{3m$YZ=3Rmn6 z_HMx-`LQFeJfNyRXu(P&Vmg`6hiI)9F183#zU#eDDHJ&;#gL1%F`N2La+g2Wxqwr6 zQj)RN!Ku%~wAQzTqrA7VStacK&EFn!t;=YhY2zRTOeKzZQ_L-7UKA zimzpAhz;wg5J>`e+W=QfB!ZjpERtnn@f4}M#=_y$33{ky+tBy%WMIvL+d9-hTZ5<5 z@dT0}M$P~iq}{;eSA2(>MR#IDTDvTEsexr`Ke36yt0&B8yQT424pSfPmIF8DwP)PL z)uJ8k;hNwyl8>NO$TV=;e~@(iYg(i*P7!%T+0bn5F5-P<#A!sq15k zwryhPwID&?yvD120Hw2SG#ajs!Bp(swvDTl>h_p@03TJ1xz)+ywkwIE3i8{S2!hH_l7G6YQP)rO0jy578$E|#Od}WMY*cK)M;UG zv40;gHt&j;)@fs{H&0}F*M^VFbHjWtmY~ztw2~*yu1#rl+78r(e2u=&Hu@HSMq$lU z!D-sJ&X%H!BTX3J$$j?dga9sntH4gUS(qL34MyAV`?aw=eOc+NUCon zhtpkcW+~F@Shxc9m^$lNxO3be8`{2EWxi6f*0C{70GY#xTc0SFsm9ajXd3TquOS{t zmJa^Fn1!PJwGK9|pSb4kYD#u@0p4Uj&2N{w4V=dw(UfN3wJ#aG=c_J%PUGO+l`fyM zq_O+DN)HDq@mbM87&n99gk4Qr!*TjEBF}nlOrE3FOQc+^b+3AwMmPGcMWGh-ndzry zrcrKI>1(O$VV7J=97f@m&m@P7qe&rgkD~JZYUx`$mZs*MYdN+}Mh|MEN$@kwL|qG~ zc1}=*T^mz02OsI5kycpZ8qUxuBEvjqR|tOEhIXZmGsHF1;^1i!FZX3ssCtrn7beu3 zcC=hXf2t{(UPIH^{>X0bH3WvM9Fx7osiA7mzizLI^PDHxpxzY*65S-32a=&%GRnU% zcT5_;C%Ze))V&sF3pt{xdo7Fvuh{^-w!oFlFy+>3WAB+euc~UL*TF0nxMgG^t*NEW zy?&nDCnHGKN&PW4_Q-Jx5boCr1#zp7;tkleW!yWX66L^`;cUze%)TDRQN13 z)SYE%AkL>`<9oISq*|~2dJ@zB{XxtB7UhK{`{p}cFm4ychRx1 z!=l%cqKmcUk$75kF-4~J@vum9oK;p;VWrE5`1P%94ai{OR<$*X)x6U5nYvFnjIX`_Ff|F|dL)L~!FZPuX{a-QuX*;s;X)FF zJM$(YVVtaAlKjA%0^_^GKO-icu5klRff0N;3-K;fU2`gmFE%j?l?sF9-+TVWT|Ry_ zCO_XwJJz(YnjW5wnMg(2b7L-pY2ZpT?91@nP`n+}!og*3dV=(WGhmB!^Qbdprj2Wi zDgZT8(>YVHPrgtgct!YaN?cywU&U-{54z=%kbsjUACs5py{3Ipu}F^4b#OhV`b-Do zn6&pnmWF=v1YgF|a9$j-q}Bz-R(srke3`zNtbbWoSWOcnajcOsEP?^jYYT&;pM=|y zuD=X632(Tsl{vIpxT@gv{%l>VjX&&<3@xwZ5Umd8ldOr?EKRLxe{6^iw_+5(=V=m4 z;H>>L{h&kV@FlgjKStLw@wH9RR6+g;_KZs>ph_K0igJ6z0VD)GizV;KFwy!YR(5PSj z@H!7{ohuW&g*`9*)rQ@|;ZaE8`dVjW?Jg!O&GRmSqaDJ*KAD-WYds#@v2^v}Ts0FP zxW-av!O|r~fXD*LD;sBK^Xw8cQW$o`6Rj&yk}ZsF8H@2XvxqSn>NK1cmUt5Q%mIFg zNs^kZIta~V8{cSNlTRjP9X?BWBMt^@ERocd3GAs}&ypO0PSc-$H~baDxJk>74~qrM zE7QRy=ZIS&yExr`fdtR$@PsmIH zr-H<|Uj;R(g1B0B5&z`iZTUp{DPD1eKrh`J|3`HU+{H$WnKbJl{m(+0jrfy-nX-*n z1)=4bCl7B4H{A+@kt%@Adj2VT zN%r5N9yeP<6hDm@Yi>nfvI^ydv9y0J6D4hY6LMlLi?p$(yL*oR#%GEA1g`7T0c~~N z`%ckU4t5MYItdJncqktwM`+mfZatZE+Zmx8hkmf3uBG;lz>Rgqr2ihd-@^EfTa zS#etAIC{yJxvVFg1_m-7zbtev@r@B_Hp5@WB)xiDvh!PAU8jjb;Mfj0S2&e>#7}Xq z@UqnSTTUA{ZUPRW)5fU5+Be`fYkfIYwPr5T!FsYk@=ZF81#UKcJvaU`()0A3|N5hN zZ%0#g99WZr!<+RPO=rAFx1H?wi}{@7bTv-*0z+tbc^~6}W5w^ZHva3|uJhieNP*Tv zFnQqP08~4DeNOtR;il6gV`*@qdvcbn8R#N- zw0TH$ksXhMZL_q6VGX#ykra$I>o%D)6%<06JJOnC zEHu8$ad+AgnCSHrH%5-8BE?CcpO^bwWu9|)OdSuNCh&4B%tp^k|1C7kdGYYSRe|f+ zxJu>}aR-#E6awG;1PUNUi4U0|)$0DMrqB{B z5|BYc7QKR*wagOce%%e-Elegr;zgVy)II*O9Z^{VfvS9-Jej5>^T+UTk@8#OaPjnX zh$|iE)vC=1iQqGPW&)_72nM?X${Ib1n!i9UAg)@tE9{1$Affhn$;K!ZXk#k1V^y{o z(FrbCek@!TS2k{PR&;m?UB}dP#_jTc_Mm-w7#S0L`Z=8rS8h_IO%%NB$j1?S1GCqI zBcnGJV-l)YP zoVU>J0es5Y#`i8p>APwu5-ENlizU{~9+R8}&uV=~Ks0p4_-WUF+V0leqm$LQM5C!B zd2#n~OQds`9`{BY>(uyMUEA?2kW#;WDMcU}U2L4Oc5HMpbm(5LBl-Qn%y4|e#e{}v z^f7L@j8PU11HT&g*wXK9UVrBcP)=)+G=^mUBs&A`iMip9{m;h{CutnVH^|#XySOHh zggJ3+H*v|`Sx4d1KHXlle*tMJ8Wyf;{NZ_jly7C>UE5d@)cMl`Of6Q!qBRw{;tFlt z)G_YA#=|z-SVzR;>A4VHk=P|cTx`jcbI`)U|2NB*Xm;_4GvJssyO>4A9DOTt1$-^c z4ItTHd&fOoH6KX-%{##!6!d7bkJ}Sw-?wh~#;vM!?@x?V)4;^kb-I#8)5Igis?MUo z1BNXA%A<{ZI;7q+8BF{BlVnh$X=9v3#bdX03?83H-s;(l+wk)r=~GI$b&5Km{qXlz z-l>-UD=d7X)xZGd^ROz>YGO_lMQ1e0Ve*zUNN&+;<8Golzqo^I0ux7b+{aaru2oRh zU31_FsN;Ix;7u|584d=7vUD+XSH!)?8 zy|~uCMdWTir>k4I$*&q^MIyMF;LaWz90ykLvyj}Gwx)DpTj52$d!&O4kw?3OISjA& zG0IB2Pb!3;Qo6}f>v7(2wz~?1Yec&EG^Ny5bf#DnTZ=76y10)EJfM+4v<(H{?|bZX zIgdW`7i1EB%;D!Qg>jYYxiU@_v@KtW)*7fph;YX5h@A9pnltTH)zC)JEk2k>G zJjecSa~*8A!KNI3u`s+D-t})zp#%0*7Uy28D5+x+49I6+h~H%canM(<~)wINk_%`*YU!(S38Pvz;sp6)?BDCFtE%Kz`pw zu9!eP+-uMK$52M(qG)L>yo&qX*X8Jn_s7LoYm{H7fVcZ(ILU)%EUJ*ls}|$VVeK#8 z5_%w}v&@?zUWh?5j9g;}%lD90&R)P4h;0H1pDNrp1%?y5SR9mR<1 z4`hovigAebU>c&MV-7W=K+qYJwHP83#I*`z#m~!F?cA9!>4Ue->hq)cIU(os(!_{8+6>pxeNhQzjFL>%?!~Hujgc+C+vg z?vBr4l%U&^If3zUD)dRv#<;={(nH;*0>bBpF?T~w`DMSMiP?No@?X+joBY(eQ%r2` ztu}3(J{-Cm&-XN*$j)%DC$<8gmbahFrkppy4m=McwMBUAHDv*c*M82g9Ke=>v`_(^8$$xpx z+;KaGCfyYNDpVgyBjA8ssKY1K(&md;5E>K9^Izx^WdOG7pNof%9u)D!^Sr-R+MIV$ zfLxMY#^mFU$$2N=_&9bh=>)BQDi!UE%r8_la`##}a2m zm8Reg@i@t(-2R_`{nrt4^`C$J_i;i%A>F{+V9;v92z?i==|fI}YQLu2!UevH0KeN- z5Sks|!)@fRBeH&^U+5W%Ad!+i?zS-o+_Xn=Z_3an^P&l3aeo95oYD?`+K#&@q?1G!m%=IO`P%QLKY}41N7fa7KSLSo<5h`6Zg!c!J_7~2 z1^-6(dpUp1u-RfOe!PpKH=Ryh$;HoE)v|v;Tj3EL7aZ**c$xC|!amYbH_hhvBXg$K z&9o7|-j&%C7EyGCt{=+TG!{5-P$og>I&tIcx#z{4d{topOF*;X`fnb2ft#cs?l5Jm z$|vnzb+9*8$HDID*qBfd^On>`|g-+xX5K4?m~`83zKt1uhBf; zJ~uIj)1{*ffO-wwEMD(*HE{24GOO@9l21W`YluAGWfXY@c07M+drjQ_dBkWoXV9t; zMOlVrTKDp^PjNq>)UJay*Ud`$$;77n-uuT3N~`geswCMW3GAcOTO3#SYLXZp!3_er zo=`Ma)Nj70eK5c>RU1if&~_ukU7{*->Cm3&!Hn^(+yshpVoxZ1)ri8AAY-H#Jqs&| z#f-eJ(eQe~H$6{SM^XaQo!2;N7Iwd@!sVW=AU6tE@^K%J(mHi{2blA|hV#Et=ha)AD38z?$NOft29X(_E{K}^x@&q{zK ziaFD&5}BczIkTp(?5;1y(Tcl`M|V~xg$X-mW;%|g)^ulKba0U4&{2y)2gOoRUb=@l z>1tSXLoqqt@V9@`CsTra41u-rlAqmwEax&*KtiA1B0bCKvqQg^Y~ZZ^Cc5 z{O%qwjB>S0c$`n>1_@Jqs1wDsFd()XgkxG=_%?suH#cqEa(pIhZ4U6~<#s?eYK5OX zXr5OhW4d9%X(hC%jRqJ^Gzmg3(dQA=;!4pOU<{}BVx&!sxji0_G-t$#O~c705N3`x zu^&b$`p{5W@DZ%ZDIejf*YOIcd@l(?8>43c!WfqNJB+pF9jK((~l@R7_0mx zdiS)ie(4f(DXwI}hMh_#h#f5oNrJ_W6OXywAUUzg1e0ux&V4x#7x-ReOqG6c#RA*c_~l?qf!YlW&(j zj)j$`ZP8megp9@4Xk#Ya;eor3XR$}*?LK?2$}2O#p7}=#B4VImy}O&!!H!24m;bzV zg~?=a$ZRQU%OD46H8954^hnPIepTX*H0NdEdD}P-^u>)!#5j*(b#Qgq*m#?S+d5l~ z(-1Y>7ORUJZ7O03tE&K>zI)N8@Uu#?J)GG~&(MHfN96_U}jRBuyV|pN%Dxx)P9VeZ# zN$K2|zH=)mvU9e`Zhd4*JT1qgf6m0&b{mfcbDm}RGWGmFWwsidHS4-CdnE4{+g&_G ziQ6AUxPK+%Oum2iTwRQpQj%ZTy@q0Hg#W{PT6@9T)9#Z;Ek0+z3AKbh9!)4(--hdK zHHNwvi?O2_V^VABYD2;OfYM{O=qV-?f^;kio#%*LjHXO=eGK}lSrTX`Tx9%MKxNyC zVeV(BFKinZEo;K>>;ZN!4PT0QF5D_xZ45Buo9l0a(9N$^jHq)%dN=>%SkZVr9!kEP z*kjGPG%oYYu_u|Mp%*U4Wtu&;=fl}y*mZsrd?ZLP+&4Q{`PGZ4 zOPHRva#zk*6vmOKJ2kOSTql(`Xm+3uxRGx%--VOO;L52zNpi87K~1GvxL$fh;&Pj| zTo<}HQb2U>nH4FKZ)=ZysS>f{tCNZ1u9kVUdWp7a#XS{iW6uve;1q*m$S*RQgT7*J z)$Lbpd0Q@#4ut+ISoeYG;ivS%;8~tn*xyrG3zvqRrDIb>;79KTFJ)lkk$g_TgIsgf zq`2_UeMxcBqwt!@nS<|19F*SJeGE!XWWTBJB<%{X!oc+(xy%r4AotbLB`V9y_PR*yb2olPAh#yXg{X*m*L#Dlk9Lgx2Rw7Kea40FU8!) zCy^*G$C#CoIngqrWL}Hw@zXfDZICa_b0B6@o&hnNXOh^h8Oy-Ga|3#^bhVC?@n^L= zi(|;Mv3+L#4>Q`)35z-RQz=DSu`;7VB5ei27Lu8<942W1Mv{f_uR`{irSO2;9B&#e z>?mxM0-42`nirV-c!+0IQRJQFAjN}>|!QjXPc#r?bbc5Sgnh@U`yz+ zx1K^l(^A0QZeM;9-1&L5TC1aiT;;K-i8OAWipy8|__HjEz0^Z%jWe4WMB|3xz@@}Va$nANxcA**JApWvuR)w?+AIr>Ret z`dJ2Dk~Q%VOk}SVEmN<-<}uDVlbTMM7Gsg~8S?3DE@s*qBR%sUNOa&ipW2I|ZDdY^ zg%iUwpDA239xqa)m&G$@VQn1G&!ihwGO$(`*GEcEX5(p$Q=S51IHOr5|6O+GY+NX+ zZWJb&0gieH+=f)R8=r0?pSv19mo&3}g{P!fl4P+6zLb-d;KrMrY1bPVY9R0|3rcI>EOD3Rs@o?QxEq6 z+v`n`@jJzyTPoJajQ2Gd_GtqJk!+0^M;F-MR782Y0$<#lxZCH9QlgNWVM#@9?z}zL z6^t+BQ`(HEr5`$-Q*beFBeB^@R;VN^dHnoHt6d~qkFISaFwX?Y(P!Yhtbqpz4R zd;U-~49pgIK6y{_CN8$u`SS`FCeYr_%+$7S)G)ojmnWKd^TBJs>scInj zz|Cv+^W;YNT@(Y>2ci(!q#iSGz&oXzC`QiKvDmFEjESkxZY>=T@mSd7 zvF$MKKP5HNY(|*db3sA3o%RL9eQv^-Wt-yozUmniGYOp_@*kNxBWHI@4p>VujJAfx zY_)J%hJt$Ozk3wP#U`bcyUXjrRvSB;Q#x+XiO1k%>oH`HacX6WjK&g5pV=x(oeWJ};T@13T^KKRCzGJ%Iih`G74^R2~_Ay7}wJ~3C z!u#!2-g`b9 z)Ut3f?>PGW&CRO5xe`UXg^feB^r#G(Uh|lsje9-H2pZl9w@3_SxbaHOQmNbk4@mhi zaSCr|;CU;I2dVgy?JGs27v!lYIUT<{aPHbV{!=xsSG$2NT@?hLBwBcO#Av!O=FY63 zZ`v&j*SLqHJ4fjYu{6ehF$FW}*4Ynlz4`6t&37406D+jqq7(0h$502GseCH|*b1WX zSC75jjtsjIhLG8}@>!r7p36Po=GAEhGAX~5)f;by>%mOy5_^65< zcz7+~9A#Ep?7t1f?5n0r$Zin=L(?$=W0pLv8bll7q?(ws@uOFd-f`nllX0{JY-ALG** z4H|1-%)xm8cb8}O>oyVI+?CJ<%kvbPkJ|}rC2smCh65f^onqE1M&a$@HnYp7 zA){n{`Ncqx{B&;{~!uQEI_{w3SbYB9w-S^SH3Ab>!XGmjDG7ILO zGK;*g0*+MoaUFr&o`%#hoTk)2UkkWTLxSEssxM8=`;t_M{8TmixKi}<^>-1yG#FfK z`@`sCkjpNtey0f;lk1TFuF#!+RqXR>AsD&@okvg0nr7ls$mSV3X7Tefhpve7Nkfu%E`9lP z##cqd%G3Fo%~2CHB1^--3TYp8q3D>OsU;ewL{;?YU2d2%+LZ&F484+)*II(LWviGD z&e6x~=X6UChT6t7aqot=N*M-*C6>$7%pqp1hZ+Vk;bK~xEEI2gHkx`KqmB?z9EOdv z$`TS(W{7)}0)|9kTD948GZ}8!c#;G-v|;0evh%^?Vlk`69c%V+4s|a(dzL5h_9dov zXYnfj{i=k^Jpp0NGj28mL31#Kr}uo9{+%Wj_@lNt%mMzei8*24&uD3lKY7O+yAfT-w79fEO+Zy6(Y)fs-Qt{tl z>Jvq7s$`d|tgu34+aJ+zz{RozH!OJPPXkNG=j}U~-q}EsCe|acY|D^P4!3`A6Q@pv zJIOM!&(^q4EYpGSFxlly^k)*UcfaE0cDJV^s5=xE!Ahc0wn>?ieDGR5Es;uV`M3_| z(VOMFO{~n5O%msH9kIZ*szh5ZraU_mOjsUn&-i(t{9ULoMvw8T0f`ld@!vu9Qap}f z<#f$O}&6Tl$f!&rDQ_jBT9W?v%Fx&c@G&s1 zLU%?B5A&7udv@Q&-q#26OLiXvNIGl`Thc;#pbzDk+fVkPN7CjFRX=Hf!JRkprnzeE zAnw>4eaqc@y#mn z^CW@&2DX8@iDs*Kv&{;*at`Amd^^j*8HJX&vT)gInm%NwVUj;*xAB@YfEUO(eTXZz zG5RdQJNk@F>EU(aG_Fe9#z49A#gyJl$7F8k7!LN%pIQG^TZ+1Q?%OVIzLKmf7du&P zU%$~bv+(sd*_SimdC6lJ6Y+uLW*O5EG>0!<@d$l`d zU=WwiJZnbJmZ>l&&gVco&H(pX?y;sG!;L((_`}WsLluu)+0Fom@r$ShncxgDO|kT| zI78gA(q(#7T>3v>OvsOxpQ_>9nLP@WFj!1oWlZcQ+lQlJ*~L9sU-_ht+rZq6h7nmo zo>X1xApOB6RFCwI@t5GWVQO*>dDKIBz#*&6(Nqp+fAi zA{|#}bR5j4Lw<}Vi-|Iu2kv4NaatJP7hZ`Rc3d4NGDqPx_aMP5=sA9k`OAd4*_*zT={Fe4Ki2dED*c zG>N>&&F$fn5_CzpeGHo!O~Z)H6*t*!H_Q7Kt5xt&PIo911Us7SbTzC8*vTBT00N|w ztIG&pF`mYi)Gp=xIxfLcbd8sQK8nSeO@Qb)2V&*V(U>OW4is>5U#Q>0wdu4YsUO8+YaSyMo|gPA|G8(@KzS zd`D8Ynx)H!Jw;OCSp1^DXH#ELSn1(4xnUV(KV5J4kZ}R}&up=eZ_nr|t3gP`@R-?S zCbc9R*H#Voz)IlkZv8?-TqWh`Tj*D~El7at)8kV+S z=zFT1A3mXAGsN2UVUpdyl=bVYj>)Cpuilo-WZ*zarDKa4|g->I@gb z+#?M@rKe*L^Gy#&#H#VHU`Q0#q5@LDy@0q=E0z<_z}Y{5O7%OWJM?l1WpF}LmXC~<>_tBto-o4iiH}Yp>k*&xwv0;_X*O+@N ze0Bg48fru^N{W8ng73fcP43$grHFWa7Z#)Or>gH@QqChMnD1bgC)T<8+U(vIta19| zG0k_I10J)s>pe`!%BX{c>Oo6OLciA|*f|!8J;lFnkE$|a;xXNuAv>SNpkm+J+XyP? zP`H`8Jx4)JaJprZvW?7vAe+{G?GvsIHMgMmxVU*0$(YpMz{6cgu*tZzR&f*;PA^&l zc79@w9S^k9v;+cVA`brS8#-tWTDPE4NW_aUCc{qw}G7 zvd5J1cdpvkt@pF2Gb`vBUD4lNq@ecnKwlUhm%(xW?|=VIOe(2;1NW$ZF!!tWO`HO$ zgH`Fn7_8dvWvhJ)x6T}JTh}{Av>K&M9|JmsYM)?k%qUNiVh%$l9{EU5yZr)4H5}Zo&R37v(0g)50Qt=QQ zNJKh5dR-1A@(*WOcGvjD1Dsh)l04&~!s=isVKF@Jkqw5pea~AI$@m}5H8vRH++$Ja zW(Dt>BQlUE+^Oz7d0NGWS*{xG1AOXTC}9bSmR(G|aWBM1}!n1gRr zy6CRbGXLCk0csyk!r9bKL4yvVzN3MNK8|^}KfDQDTsowGn>t2Wljfi@#z<50_;g=1 z#gz|x_E8|q zSeLMazc(CW$V9~CI``S{+Cm;`cnM6HXL^&Tw|5DLIiv6JwX()^75;9!D`jd?T-uCs`~aQqPGn^?J|dsw-QSG#Te7+1y;a;AB}j$x6I zS{)KhOUroGp0bxDui7grH(+Sv+!ZVJ{7Sc+!@}V-C4DgJ(7^#{mrdeI?z)4<>wS7l zPeB%izcSk9LvYnB1M$C0(orNN>V_U>x&jGRdOzdlhith_=uQo)-6+Wf7Mzvm?7S7k zOHT@#+;Xe%hvm@6^BvNUPY$(oRqf-v7M;uF^@Sx9z7!bsgMV6m7`2bNktW$XUS?bd zy|yXoVf$_=DODZfT~u_*rO(Mpovyof2GM_#7K&`O%BV|`K4il7RaK0h@aTy}7eFE{ zai}`xIPI_nR2`#r$mJ-Eym9%cf!PJm7!`~gOwW{HHY=07Z$vs3rB=9a*cN_(iSfSC zxu;xv!FWEJH2e9QVAPbcG&LVceg$aTh=yzZP8) z9IBieU{bgabl%inLa9I|JW%I!LSLLP2l`8NPDW!gb^j`dad5-_B>r7H8u_G%>f$2T zPx|okpz3?5OH?<4@a;XE_;k`_-Fok;9+qC1CyyCDZ4c^#rHPMG&LF?3`Y!H}Z$*g~ zCRi0Ixi6%g_sQU@632|-zVVY=@3+F5;FvI+5=0~3>}Zq3RdyS1vm-i%#ZZz7y_KDm z)D${S{y0?p(Uh$?CAj8I;DwT&hTb%+T?4*^z`8sjE>FWPJ>DN%l823##SpDomT#*= zn*EA@@rLkb@g7<3u<|Kph4b`<##v0IZ1%kU+V~N;?`oaq*-h4_cTyPQK9T%kw>b?X z;h>-f_-HzzCn0MH<-0kHD7)n|L@fbE=gu*TkI%2S2+!nKczl_)&)`ZP~_}W=ROF zvc2@kg$__V9 zeB9~Qe95LizLNDGZl(fJtKM_oK_aEl$uf=`!!Sjf>W|&+&R$D4()S6~8+~ zbyiikaB=f}VyCK3Fv`YxEm*UJL%HT4(AUAg5fWsFEPnp%m=7-9!JTG*qATqq0gf_SBYilLhGl9X9BG>lpUv5KMLJFyGkR5c9T z{cywqFigC1F5{fx4<6&YLeht8L9OB+dKKe4tEr(H(Z=t{uYqKdHuDv*9{jV7&{R_(Gf7)Rm+iUco-jH=jk?Hrv*TKoB#Q5 z#tpII88KBu(&r4bZsq{5+4JNVT|V>pHkD|Q)E#J3#YmY6-CE8Y%LHSz6}SuLvtV9a zmeojjn_^rSwZggCE)jsK_1@7;Mjyx8XkgQux`p#?T{gXGNSH%gexivXdTozeI1xLz zd8(Froc{C5A|0S zjU_PL*>t2Z)g1{;6fNeS@_kfIX%^~r^9TqiUvPh1}@>2#LjMfziS9Ii!*0pT8|RU7bUBh zB{1H^7fvKW1hH_k)z`{8k9Z^z%fk%dovIGs7H7$@*8GGz3D#g--`K%DbDg5t4P%?!pOU;a(npd>wfg4Of;K!Sl}X zrja+lTu@hbMtBQcH28VSe>8W>q>p$@+^H~O@w^Z?vFDF#7@Y^xU|vh@3A==jf{QkJ z`pC+lV{gJgk9*k?5r@hfVL(Mh>KHusJZ>e393>3=h<_Nfyajv>SJ-FN4Ek8<0VpBw zN@inx2rf%JjFP{M_5!L65(xe;+kLFfP?8|5l#u%GZ+uCWC6@Kui+r*EJn>AjC2EG{ z)txe@O9>OkLAYkXIu@dci_IQllFx>hY7cP|;Viw2H_5gQw=Pj4rbFTk;5RzcPf4!S z+n;S!vdhvHds$^1->@&7<=mRLRr52BmTh2hBr#_tFE*%ii`K23UC_jBg6G zM0JptRzrOJ`svM_$wr>7vYWUh(Wtv9&Ja_BUC=0iy3_Xz!$e1DlZaIv9e3G&JlWt# zpr37%XW_XPxpgWFoGu8{yT^F5jdK(?I|Rq9=ev{Ys&QOP-|uOQ`-lw_hD2cwxf zW&0fmSFcE*oLwkWLS4hM57hBZxKe|2hA^$3{A3}*@g>qEXzlKh{7aWsfz&F8LzmuhrQ#`M#Z%TV!i2H_}; zT$~>mv)l+vj|5NKEU9{aYpEgOU~*jycIZxUMu+)-(ynYhZKT`2imvjdzthgojJVWL zvWb}j*pB;72F0#6Nd5&%LO;QIxbskFR{>IKScUAq$xXBixm301wYFxOm3IGK>?V(A z7OQCaKfkT&iI4q_f7ppm z-xBK%8`!wH`-3P+X5;3i8oG$t7(Hz-B*yM!go@w8#`$fr!$L_YmaFK3Fc6tpP8?WbTRYXOq)id!t zwTI+|!V9SeBzO;_)3c9j<7B}Fb?Pz9-mtK)hf6Ugptxbo#?yNWi43#Rz~yI&P%Pgz zlEDcgkME!OKK~OdF{5Ie3d9uxL_u1DcIZx+DTsl2w zqlNe9vfd_f%-B)i>YEKs+hX~XwmpoSvX=@!dn(bUi5G_z*?Q)&tmerLWOy2B*6h_yucB61Z36A=vH77k-J7bf}JGN0qe_m9Cps!EKk0 zHJMISztL>CxGE_>@Kfw(XM$-Ma?V+Q&sr??m&U_jGfiA$HXAsv;_Kls-a^#tv2rw{fplmBI}g~W0H#VHjoiw!wKm2>T-{MLPZHz@>u zm`;b;?)F=F03}7LQAwSt+PbMpr+Lm~X^d3kZZ-#aK-bdWN{y59575(?>88$}+L+Dy z;^<_v>0+{qYRAiLG96o;X5J4;;^}Wzav#L%kLZR9UEGvb1K)7#ADIk3Pa4cu^+*yA zYAweE^mqqez}sZI-30OfjQza`z|ziq64EeE&<>W5daHp)VxZKM*=pkLuCs?N&6K+u z;ypaE37o7}Ps1r*=NIu*pgQ8Frtrh#rO-jC_gX0OnJue>+nR>+>4K^Gy2aySnO4L} z78eL>xUVe>BbO&)_D#5sDo&K;V$4N#CDUx#7~)~Nl{T~GXt;`y*V=LhcqBsK)u*HldI2$CXJKv*ivja*c<-qR3F{;>YYsCX1)-etnd=K5KFY>YMEb z?gV{^qQ7~l{?a)oQhH%p2GfRf(T<(-F>`0Vt!+KT8A`L=!W9`oJtZnFS+X^g!g#uo zHLaYInf+w@1N^~eyMuGn6?(j_nFe(0N8ypXwft_~_XA_ic29@t^P}HKQl%tx1kmug zn6Xx_ep@p^RD60mrG<|E3LmmV!MbWlv}g+!X3qGugC6 z=ZH?zM3yX1&35^{G_e!vOec%kaAGW`qdTQR&}?h4Fn6L;ffqW1NJ7&ca5q^ntGd9N zOKH<88dT&f?JYVO+EyUB%1JU~*{-VqVoa zSU0Aj_)QQ#A9y*=P>!pE!MXYzo7r}8p}vNVY`a(i0cWJm*gI(b&9>LUy)TzPY^Q+{ z*Xa%~C&SbNcn~WDM9I(tjI!V z5}2LosA_JaogeDTHl<*`)4?+^=iLA4SGOaR97f%NXr4?8uG1iArqjiFYCWd~iE3!g zH$kwE-efvfCSo_rmXI8tUGu{a!ypu+dwi?|8{zfH%J{X@*owOwu zWw|JBjtEyrR_M>G^8~9uRCeZbBf9S6)B1Q2Bi~8wCds(f`jr%eHjj;FLus#+bes^t zWPN_TEtZxGNkJihxiya7&@Zv8zCAxi@r+-evXn;2EUrALl}l`aDjmU%s5!lc3xA zW=xVTU9(i6r-853un;{>gei(#XCA!;-6Q`^kRr}Vjj1bWIzpYB>E!yG0DXIR*LTAr zwRFz;>1Z0b9e=mq1mXx(H_?!=jhkrn_*Ig{NQ7E|e_8?889jRSC&6)F40}5k?)$Is z1UeQTRCh9qS4XpGWDH-TK2%bkHg3eKo}x%1F8poB_kTt?E$HBO2Qg|`@{d~SJlaf5 z>!&Y=6E;~|qx5lx8R&1u?zz1(%ZGLtwz75Z3B$xaW42gGJ_*HBRHNGt!=U#%KkaEO zXf3XAT0(={oI4r8w0h#Y4NWh>)S6G&_w>l`pz&%wqN8pP6QWhUpozOY7e3#Rb6GJiGLy#dXT>XjO&_lEtPQa9S+(f{?BmsG zL+B20)f^|Px)z2{mD&cn7A~Ou6@-yExL=A#&u-LW+NK9_BXgZ2?qYH&J9_&2T1+KZ zeCjU4{6-)EBawHKxtP5M?)a_d1vGn2JWG5NkgNX``1@S!)N5%_!P=5oucc|OL?LCb zgA<7FN12+vE-tbQT9SJ%%Io=w_Mgc+{^eIdq-ZrvbW))idOgkH_H$q~;!kl<6&Pi! zU?Qi|CF=FCa=i~?LEBU@x|zf<824-P#zl>-Uy9gQlEn$^ z+v%8HXSMOoCNRe21iO4IHrbi=o|^& z@YkP5_vvy^AK4t7ZmRRQ4{)%sOb-4j50^V51AGo^bFP^^9oNU&4|zT;>Uo-+a@q@; zgzMNp6#b}Et~Y=5`VCD?uFuofe~C_a1JP}HJ?@Xy<)mrNEHxo`Y`0y4NV8i^#^ zs`BAJFaG+YxQG2t>%(zozr%3b4wE!TSutNcteNH#3s5Kh%_ILwRppgnFuB&{p0|hL zav>8`<-eJ=u*0(~>V5GzM#DTm3vSB7P8Z_qls|p;b6+|{v^xHr*5vxHo9Ue){`q>R z*2XhO)hSUj$VH)#cAiJ_H6|CWnguVnRhn!}xC>UAw4;!Qs^OLt`>DTCyiLWnU|0Cu zerHVub+uZ9GT67f;cQHyb&;<~E(x{Hh=<8o4a5Lf zK&ZbO4;?woE@y~KUPa%*(E><@^&Jx`=6in=L~`PjC=lemwm!qW*cBdZpJB7LJKv#K zpYOJ6@4Qg_$_+9#^nf^aG#i-4&i3P{ASSo{%tW!v|DI;1+k29fX0!1Q0H$eb`bVq{ zfAXJvGFj0UNF#l280Kvj0hP|Hjs*r{X(8^z^uzTN2vn-tM#t(!Nh>!e&&i`!fN5+gKW2>5N28W z35sBG2gnEO&sGQXeUSP~@-M9$J2l<@@_z>EqgcNtTR&8v#7eXZ1y*_|jNCqHn{Nw4 za9FI$IrrSj5NlzLyS!?u4`NsAC5X4A7A;$S95WV9mh5^?LCb7(w@@W;GWs}4@XYF! z(lu88J-AIK*zvXO!aa9isYi_@;kgKQ`y@2{EH78+;S|F7aK{uTkNnk3u=S1Im-tJR zdtE$m$QoS=39vjw**KK&mExN)epm7(24=b)quK>20frAvtweYfP(;NeOC>!!xY`226qC zvo*lhdN!Zl4;LaCEC$Y&5fs*706%@H3Th272ysGDpr1R+7B0MBuoRZn)Uu`=t5dHB zx`yN-pR0QLbn~>J!z~;SdN~V|N#M(L_Nw>CT<@#!t%E!_;jTn=Vc9ym!HcN?%f?>* z-9~tas_@y%&u)c-SQOXS0vD&2675s2R@p8UEVr$sx7UJXl@;968 zVa%TPjr$SufJaR zW-`=-%$3OO=iLUoi*cI6tHnMWFJam}Y%v~!9J^KS7c^RY!XAv-bb(okOuMhSCgIQM zch>u4o0!EAdfm28y^DZK4E8bXDEaZj-$b$mTnM>s4I0fQ;parc?*dUrc&=)Z%ihIq ze$$C8+zPzj^Y~ip2nuhX?!}>=(9+W0}zrx>%k~ zVA>2baFMayBixbg;SVJz-|Q0OCgF0r__0f*Smw9A_xI_^Klo4bmbRjk%jL%=n)8ZI z19t^q_=Zjc+m!3!wRL4bE?E)Zt2!-C!^9PRk+&pEoIcycDcz4U37Sp|V@5{FmWzoi z`|3FZ*%J5;NHg)EmOMKDK??5wEStmr$ZHBmiz!X{ z)Pq$NUM;Io*HJ>nm1;F3E&+^iyO!CTm~2p6U#X1+jOY{+&s< zp||{9B2_FO3p^QtIm_uh7x(2@w}ddZqDs%w#_H39?xmzS~D(sk);cJE!?h&Pfu%{dKb!zTwe@@X2v-Y43&t-_;8@zD6(M zPG+KHMrmhQJjD0+?(i5osVL(oy{fx99#FqEEMvo0I>=S?UjP;G8v4^58ocV_pk{ zE>USMoD`|_O@s(W9Uj)Qd|HA92q_&1g8$$tk>Wim)Ac1IE*6BkWlmwoJ}_AL%)=mv z4g1Ue7gZ2*l+t#IRwrW`bJ2^Y>b6f5&FuY6)r;W4you23o9cO@@${w(xi1@@fz~`|+B@MNW_lFXlv(qWI?S z06VbXe)8QZ;!zdt04E3Ym6Js`gU~^idY$rTi{nb^4IS2n{j7z1+;TxSYhkx>B9qDhpKTqnS-OLimVc2xExZoX$+_KCZb`I zY;oEWm$s=F*6^?qJ6GE==RVOWM)cpV&a)MU$`C7^2}%v~tv z6pCc(Z?QyH>hgLxby&4KJ=_;LPBwdfWQUyjD``uM-?5KhGObcP@NmbUU-JHF{;qmv zAMO`#7kD0XuW#b!+lLq5cuZ8j(bCQFH2plb#Y&%5Lw_?|IEH`n%XX*Kr$7*AvX~&S z>buyO`L^ULc@C~}eT!mAjic`1Y#-#?vONb|$ zSFZN{iUOL#7j`vlzSj}CFsocpsuavrgLWtmW%&kQM>9YW0 z=h9n32%cXyVRKTQ#&D)Sj{T+K5#yVhMO6xigmG|~M89*Pz7W7B6werzf>^!It;u3E z6eFcaQ`;J;(UK67=5F(&a42106MQ(01}>#dta;_gr!T2+6Ju^YzRESV zr7{}m-iNbiPNR#jjB}=iG?uX+igD1|zo~~~;i3Cjk&kv7CJr!1f?z{1>b#~;YbMFC z*-(I37hkOOX%|maD%&!r!7v~D`_RZv!^2$Gqh!U`=leIx(ugFa;kP=x#nG`DBR3t# zX*O{S7s3LO5Q9Pw^k?n(#y313ZbTw2rG;~vElus8F=oujEuAgq&VLqnb|$0=3iT`y zPP2`3b+>%`B-%<;dw*&W%Jd+ufa4#1*2rmgaOD>DBROI|ITYgYFCOP1g{fTk-;8i| zntgn9VQA$DqC}l8lo+kKoL86+?#iVX(G~*rYH$cdN-uY8t)_$8NTu}$9Xtq=LxO8eT6WDnoEWYg7` z_AnvDi2n#|W{nGJaa9=it6xwyEzPXJ8hhPpx)|ENj1K3$E*(rE2;X`7910SB_1=o- zp#{G8W1l>7<3Y6CDRx5$!S5q4p6oT!u&FCfmskuJ;L~*a)hv$IiGTpP}0p*{-F^a-ziWTUC% z$B^g+K9R9_ zOTE`tTgPa4sdhl(9r%XK9S;qIC2{l?X=8W)?HE7inSr_P%>X{9Rv!0JUCrNkR)-y52Z|2;I&m0FE*9$}_M8-eGF3MEc8vig( zP*-LV&ARZ7zR6K}yxNI|UHnacLhY=L9q#dPHtVx~Ws5_h%B%jo8V2&2@F?(JXs70@ zabshD=Ilb#Y9mS~q1M73-w8w#0gz;j>GGF6 z#|6jn1(n?MmAJt;AuSu^Goa%U`*?XZaxRR~r&61q(1g1>-`P-S)(m`!7>h;htct{z zQtVwbn$QeXKm`Tmq| zy@pHi2W+5v&Bg;%1U$mb{?xqc&q{)I9C93VaO!mpAdJW7NlW6ZO!aEk8=4jfnVeHH zBwEHO0C^;YaI=r_E>apD>K1h3U@iO}*aNBllqTjkbS`h%)n#EE(5$yK)v6HN$EIOOpA#V+<1iD ztXr7lcV9xkZnfS>b3r37*d>UABsAB3g~ln)qLQ5Z>dHC1#u-lU(5|EH$1cQfE6vxa zTJU%24vZPI`p#rv+^RQLalqAV)HFLb4DX8mYNL*)tq-_s8V%g&^+m+Pz1USo7R*Ky z_eXsbP5_-Jg|Z;G6v`)RVtT}3C<24fcXQeuvHdBW9&iz}gvHRg(ZY?%hQA@Bm(0*h zqm)7hH)>r*F2Ry1qcm)iA3!1d2Dl`%ajt>l%p-P}FepotQ_3q7ig4YOU0U)NhxR?~Fnetu)fN-&A_c9!~@`;VF%j&$IR?rX4dU!>;v zj|39(D=+v|2vtan7Va`dIl1>(*G+q}^+^L+FK$EmG2TMfDPIPf{lRPS;#EXkg)gfa zP*~As+{Q5w!Z1;S?~`2$W*|PTrvnBnyavpx5XQm6qZXdUgDilvg4;rqkrhJo89lNrm^S`i=dC6AI`fzH=Vhlw3^;l~UO;R**L@KTC@4HIV! zvTxMk{!bNKRSFUsCZ6A@GRhX_wi&7@lA61zXxY!!3db9HwRsTVfbWHfsh3v?nfI;RvmK zck?~R_YpFt36Hi|pmXvBX4crEEzz5b`jG!3R)R0via3M5X*i24@U`G;ylpetnM_l~aT9v*UhnwgGVLTB3e#D3pEeDg zn5(ewVmbC)U?WPiqhY%BHey$}k6zj6H*M^qkYB#u5Xfyx+QU9%^SC>zTzOyFxL4f{ z#tTl21Is(r`xHXB#a{TT1>-J1ujaNIT@*l_&1ScWF#!(gh-#f+nx%t?goOqS?YWCQ z3~}t2ZWU@*rsWjF5LE1?)*0?IC?&94HO(+y3NXZ%jF_Wy37j7p@lb*|7E5iMZQO4| zL>vkqwFkn)tBIxCmn9z@V5^YBjODcYytFX>y+LPd2vN zcxpVyg`j??U{kb_6??sn!w$7+BFtF82tQL!jkG!%lC&_Wyj_J1jP5f8R&ULNH81ZM z^_Fd!xY5k+=kLwLQT$hrQm)dV)K_oGL$-5l3MbXX5E0xrq%~> zK!}IAQ=sCx6%b()rTEcb5;i&I1Can8v!|Xl;4_jSZoc?nh>Ih7;KW<>gG?=+$iW-+ z*$afBkjh518Uxh0ck%kD7jcv5+#>;YRJUvr4lLW*q<|^?w=CVQo&l0ChQtILKJ;g80B8_*J}cjQve-hNq8RYr%>!? zxgC|3Yv)2}Hd1`p1z#173W?&-lsZ{6z+lO-lg&)Krormu-?_&+-X_VV;CNgmn;8`=(bA;ociFEAkJibE>IHZG&3$P^Fwuf<+kUS*zLA&WF*0v) z@7=i%vAkL{rR0l4Mclsfa`?Hg`CRxMWGxdWQE3!V7KcWVOu>tgWF>MC_6*hqmxb%o8d-0))*WR7nP>E-aeybd}!!kJ~Ker{Xi>p*OqZFlTkl zeqv$H$&iS^L)M=QFH+()1}6cx%v=S(3Z;}9t;J*J*5r74B`<{s?Av`zSMKok+f-AT zAr!?S%`UggW!IB5|rI%Sqh%HFCKyK z$V+i;JKA`q--Dg}>o|H;9o9l0ZTiKztPJBo9rbKun%t(ws0dD;h~n^kXiR6r@zT$m0TwBg3 zJ=ihyeVUEDThCnoL6+EGIZhJ-i!cb3M0epYCEL#QXQ= zTNqzVVu977e{0@1Ryu|{qFtNVVJKZ7kLZ#FZsq2|`gL8+fsjaQ z+Dz8>-dvcg@F66K&x-1eq6pd!!dn&6E=!Y?g-?ayZfDm=UArf*g=haxT+0aqqoJ(F zXMC}s`8;_oJl#9HGId`UVZ=*~hK1*Wr+XajupVfNFcax$`paG4dr?1F2ZLB1KAP3G zF&X0_nL`^l{8^nsQ`HA`($T5uOic<3{PmmD4%r4GbCfmGjMg#8u2N zL%5McH=_1SDdTY7#5_0R&~(Yo>Wv9Q^|AtZKRZ9?EsVK4nI`x(=}2@gfU(zai8|M1 zlg+ELk6K+!J{X36$J^Yf-(Q2kV-Chw7TXqoWe3vfk9x*rJhjBkbTRXSd8{EZmy+Uj7`Rv;|L8 zqQYAUB@r_(O8KI53lFVSf^M1THqP8t87do-Veam&kvMOu9bVjfE0!eExpIkBcAyB= z7&3FuV{6Df%<|qe75kSMeJ=DdG{2;MZPSIlg{B2y*~9jk_7gxjjv?&(d-6Z z<|GNXhOqE%B%B)Z=UQFtZ8s#=l>@J4Z+15S8UyOY(khmbo;fp4&np@ z$B9?&L&bKsHSI3qm2+>&qoW;R>6X?its4FSns`YkKHFSuF!30}cJt<_$ z*R6W|HH7fOL1sPo&W(=y%AehzE_);6S)vsl;i+YmeFnues}QNc$|(sa*Y0%0t7jiZy1>95_jVo9n5@|q+UaRldsh{AN-kJ)XehufwChy#v3rO z#d3^7c;O`_Bl*uAE6-)&>F!R5c|ZlwjZN)wMV5>rf}zQKV=RfiL&Nt>aWMHns+K;!A8hGd6Wa)FY*B zNCcxSkEcUhUI{N4BEenU`xOKiMNd-`>>gsAyO_=TfF>zJN8)*iIQD*Y-Kd=t4Vf!O zjq9A?63fNRta52OrdYm~i>*nC$Ai_qcxWUfDPIDO^&E`Q!TO)%__`U}96W_Ixf+ ztQWS7g+bno$CWQ)9KKZAM+*twj)kE@w8ylI-4v7fbidFXYWJ#l)vt2-jwL<&=gCa* zw&UoP-FU&PTjpDopT|7Gd7sI^7}+qVO2ksjQr_#NtjB2kRiw_YV6g&+k@viQywhRznJh&hJ59#c8K zq`3|%+=tOxmccEZ-ex00Chk3i@_Oj>hyW<*l=?XO_Nn43s(LW8zk<7{gD=J!vdnHmf3eQl_yxk_ z2h`5}=SDt7xlZ>^$i~Ys*o6Ln{0o6ct!1r;BApBO9XD@R(UqE}iE+{nAa@kvIH{A3 ztX+FDp@4+Bw9{gp;*{i+yS~`4IUZKV;$A>BNptY(nX^uDO!QuG6zdcx{BZu%s^h!& zGV-3?tUm4WqpTHNtpr*Poczmd+U@vC#F{#P-)dq~F%cnJ#?%om)1cqGm{CAdGBH9P zZu4tzo#b1Em&4~(hr}|@{vVibP0PZWviIN8Vl%@Z_wMat<6O38yJ(2jbW*q)07G#R zIKU%3bR!Y9`BfiMxa{z6eeu@IO5Q8`OxG}ieqaNW4IGeG5#JQ!>+Da;*-h-rA0&>E zqbl-Qb`#&GhdirhN^=kLtliX%>%$#qw{c&fMoI&yMu;lZ>zg%hRqi7VdzC`aV4Jux z%kX^~;top&(zY;ttMPT1_If;d>zMl@l*p&uS)9zvr%)1Au)4O5lbg05vP~F^2yk7T zWwmWwrRe*FR9SFf?CuG4ex;GHBWFCgO2)7b92&JXnWs6QN1;^3RvujZ9(-kRH@bIY zHSy9t!2^blX-phd{TXg$uYzgq*72d-b4cAk^AnYgiI1PW7j&teb@cK;qFG}MVD$zB#Adk7US91 zV;!a?X~8%?-i0Sy23m}VP#<~tA_0?>KZ=mXair1dU$XJ{@9X=pFeFNHcsOob%exTK zBMrJuT`!o2&j+H4l4_io_|T~+kB|u58e(6H)3ae-juGRl2`v)GL*P5oLyHf*)vBVQ zF2CzYkp}W^elMaz$M;rjN&{uG6t1zl!K1q?F;)dCB#j4QGRt}&dq2hj^Q87Esd~H! zkBiTtnHAf{P`BY`<0c8hGyr2C|LYIG`{iH%?dN~~{m=jOoB#g(-~95sU;py=zx|)T z`|F?o;vawht3UkdkH3}w0KBAUX?dGn^4BL%%BxpAxCRo^x#)~m+;g4+uA`pH7vIKkJe2zV$4SsgvQK2fhqwm6m4w2m(MJn0;j?#5$T z6t{en2T6G9@+nZ^+GRZ$e#sX*(0?V+ne1LpMKndIXye6?^4k44-rvYDy~gFVsrozd z-9nje$~@oQ^ED_6rYf)x#TS7vvFt+ZL1#LUW#9&!ix0YZV56_{Y78vG{h#=Q1cITM zD5}60zYCtIoI1utUinUImIk`b_=nvNzp1s@0Z2&qMSG4|ixbb-&Qs4Kx#GhD8ZW2+6UlTIIF zb`DAPC;u(T;HJ{i?F}w0#PJk5uT z?whQdje9*@Q#Iy8Dzh4Vkpgmg-1qB!7_HLqFL`AhoDOergLfRv8EwbwHH9h)ttzRM zj)RNpj_{z&b=Pd4IM|5&UVQRy8w2GUXLo5D9I)c9!n>rayKM~Ex^foz`R;ZUh@iaB z#&ASTV=_h1|NZa(2%o;&QP9kt{yN=`-Mo6A57%)G;c0*dmp3r8!pYt%B;JERKMr2} zAH=Fxk-kfLj z4xrivnG1ZPB#)$URRu6ox(ss|EyADN36B%`a9NlR@|**0GmN>f`3g2h${+I`%Qy)t z(I@#wRedt+d38w0`g~W1OdMltF0|YCu@lAXs zy^X1JG6ZC>(w@H;WUVBDO%ZqTuyFU(mG0&-cz({Am1^io`Bb_B<995UFVYSyp}2aR&5%@1QadNX&S1>A9qWrpvBaKaN1>MBq^SYkKT!P^qP1G*)iTDQI{4f$advYlY z_jKT%MHcXuYGulIiEd-RjcwCMpE{9ZQlq1%QcS04R+YYxixxyt5GA{GwWdwJ%K2G~ zcd{|h99Gu4i-~R7`@0|cU&CbU2kXBIcqU1im|+IE$6Q8HqbG#{bp=zyiSEUnR*5@G0~OorVg$xKOr&6*u;qI?Ci|=JzCtnz5{L#*+QT7%29{z^!B=pZwIV8= z9n_ALPh~1v&ty!8HH}4z52j#NytSM)TTcgND1`HP`_*?%)m2l~?7Ir=3pT`0}KG5nk!v@h%oEFKK<1UU?wI)tJi;ef^ z!x4;NlgUkVAN8U8Z)@>OJNObh!`$n+I0U1_SCJ^@Qx%YXG!Pd{H#uA$j$5b4M;(3a6k)$yN&WxM2vB1bhqZJvRats4 z8hyMKt0%}bFunRH$lR#{ta8}4g|LaCa9Qm-8|6Xt+o9u5q_IgLrQgK~lRWlw%$#KT-zPuW<$MHu0v(evKBUx+ zPUv)bY#}7z0xP<#-@|BPmLz^LZh#B6uejO3zvSXg8V;|X!?DchsrH?f_uE+%RscG( zW`Dad+H)3UeDkGyk0!vl`^j*0GagP3gux{vheYB2z9t^6+%a}VaMF9oX!6EN-9YmXt zIO|lDS126);tF$yI5n>9{)l`k2+IeXIQz30x?`8?A>pY_hL0=1bvN;`P`{8+(7T`Z zgZcwp-1b@MLVtkkTFwI^@tNS_0Vp^Z!5N0nwA$fQTKF(lW-2Bssby(G3>u%@&q{9E z*X5COP+A%r$7YrkvW~agjHp-8WC|2%gRL@X;jMCR3vE7|qNxW2>~fn6ht%d%kBx5b zi?JBVJ^YVx(K?Y2?czp@)N7hew8fImvuI?w1*^P727W%NFSx*Rqo~Z17tF-?ENUeLm;yP*d|0!1`Jd4-NtJ_ z^YY6P&4Go}_58Ek6CuIn$YqYoYaLi;`2hn9GmRG2vWr#tL9j+tDqD+)8`u`MtHsP_^lL$ND5|~dY4zuXS($5G?6gVPg z;v9JnzM78M#HzMP7u6B#W6)vMxMBkgw65dBAqm{*Od05Btb=P9X4yp|7`Ke!w!&Es zIRj>KZ~dDjr7%nC_PK>G+$LMa#-YRg)mGF=;_vQYV>oyEh&HR*{8xGv5A!`Nc0sV_ zZYSxTyso^{vRat1T^XR7=UN2b#Lrv0X)P0nPp0FcO;GFl z#s*xrk0}bq-0R_r=wLmCL>D=->8?BkIZOAV#jx9*UOcYjcR?vws;+<2k#;$p-m=ML zsLdEZ8Aanel2j15LgWXRg1@)#5@a8`1YM=ki@*Jlj6lo9w?#lb*2Tn-<>9hI=Qgj9 zv|HGdxa9}wccIqo76#1ZdYc>8wo8rIP=i}OPaEr15InWp7%@PcV!MK{Ff$@$#bbAI zL=<`(c9-FbieTr5Yod|QM;oov@diJN!heN-7iK39-L;{|bq@c$?4wBW3e+ByYt+F=Qg8AidA-1@S%!;s?bSv(q-3G1l^-oi@~@cl-vH!FQR0 zDMT@NCqrM`{#)&8I2~-KDDcZ%vHnTlS!27ox}rSs&F6PQ z-shAC;~c^n2pzYFp|vGYyQ`@Gg+LhG4HJ4%DliVYi52v%?#I1BJ5u#zq0)^MbF3^R$^{^oICd+xpm zPiYo4F0UEGkuYvhto&HJPNTO#PJVvPN|K%QFRfzTdJgUw+@((1?#+BUb49J^xe8?H ziKLmQ2>Trp?88X&wiH6=riUzwUwzye=YidbV@xLEk z$!Aq`%07#HQ*Wt=#>GU^4{k?o^{y;~uGPukMw_ZQs;U+!wIBQA;ybgrk1B_Z67=*L6#h}67;&*0!T z3q_3q-#%(W3|Un<3M!KEq}Vl%jr&5>?;5W`ed6y6zPdXxBwVA2J)HQ-yZT*)uRk-Y zp&C$K`6kxeExb4LM{}Q&Fv_BgQP!5Jq;uPCoUOk~iMpt=*6p?qMH-lYBo8;AOR$T# z@LjaNxIho*V@@lYb{i*TiY$q{N^)1IL`+sPh2?M1!2}V~&7GY;@v4<(Q3MhW&Ds{! z*eluj(jJrM;8wLF-uWZgZTYDbZ)%dj?)%uc!liU@X*@1c$zF2L=TiC&`0=j&@FR`H zq30!OG7-2JFWF>I&gx#>3>_7iCYuLCm9N+&yY#PVB5gLkbLSenSx(0}5K@GvW|QG) zL7F)!>|*Oby*8qz-%p4E0$Izfjf8HaHHS}cbj zG{_yhlVzpAL2oyzYP%RLQui(%ZfkD)>kMotkH?sZCZ|jhKvjZ`bpoznrKEtI z>z#H7el9UE$OkG?W%Xn*I=5xd;4srW3Jzm_x6WtcZwOL2qEeJx#Bb!=s62y?fvNW! ze7ueVT6pPb#PB$JzlOzRxiVG_E z?$n!CZ{dwJ84hjbnJ05k72T}@Wp%xSIZN3(jGp3e^yeUzn?iaQcawG4g4>nHy4cFe z=0Eud4KZ}Rhq>@ht*s)1b?J_8TUyidhitk51vJ>U|u6`kaE&2c`m*y{8@cNnauQ8Ejwjq(UO<4Bf(!js{^W-BR@M zYa)(sS`}na*KHiFX!7Z7Y(Un>xOLmbad>q$P}f}(_iN#=$o+#?%}uxQTOc|+BnB5Z ziK94Ub{9uOg)q0d+8T~sLWuH(kiAQiRQP!Zt971+?`iar*2R3JH-$%P6mZL{vT1O5Xq8fXzb~5ei=Jb@6y=A23h6G~ zt?oi;E%Sz#<)`p)v?-jYYZ0cX_Y~APxx3-`t5m&xdR+|Qb))ReP((Ab1nU<5Kkba%fK{OuNu5zR{_}@`&s0go-M1Fn|FvXV=1j*L*Zc=_uJU_0)@DhN}0x!Dj(lJr85G^H5%;zmsk# zx`l83-`qM1ivv~E;pm2k{Itq)!+WOq3B@F3z(wuAY z!TO5cn5V4*LqQc5a-aH{DC%p@yfM(>Hv5Oq)m~Ifjlkt_8GV!58$JQ%RnBu$kF}0w+wiR8 zbdTv`;12NOO%G>a)VX=n!*revu7iFH!~E{JCH!=tt}1@8-^Qe)cuo3kocFn2T$MVm zR5p8GQ9N)$U-vr-s>5ykOF~>zEK(BIar4q6kplN1KRNo)>mX9%p~dZ?=%6>|mz^KQ@6zg(-ojFJR5%ZnGiYHh z-lD403gaYWV9AOBMaO;6#=*}9=VZ`PA^J{QuLDJMB_hDz#~s+7IX4&5G1O%`qZ-jE zbF{^DbhFp3-=s{;K*v?*{BE2th>&h?NE{QAC2yS1fYWf)j5X`XYQ^b~A5=^*@*k@+ zD8g5$NMg`afWy3bF|30xvl^tzz*MC98f*YXYd1OohwNYhV%_1sQTl-4Sj^|Rb@`N- zoAkkDc1l#`iL=eL_a$UHb>6i)f#NEbpT=leE`D6y$+`fGF<@f60_iFHM zSr0?R79Y_vD-2jx+o(woZs0l?U?MRCW2g8ddyFV-r|z5zDsh)HotcM7m-Ud-xh3Q#++#qK9_B*aEkSU}YhSzhO zWvX4XOLl!z7Yw(Uk~?&DteWEn_$Juq4I1QgXIY9=++#whu|Q*7rG6w~A_yr?&(Wkv z--7MYOjRy{jgfw`Nvh3O@osO^Uw^;O-}L`UyO!m)buIfV9Gy<8;6FN~%&703r!sKi6K{s$gi&)OC_! zRa_Tgvi>*DyWTgfS^tJ5R$1<&SXBjXVmh@nn~XbyoPj^=f)!`g74*>l!!9PfazplI zOeaDr-Le|kw4N-3Rq(>gw;%mg5c=sHtSo>=w_1uamh(Q9)l&3;ykNSH({by);NY8( z`R!$ByJ;3iXz-4p{$8?d`A?=3ZTPaohg+I?(nY_vvR!X=Fdrre^I09NiMoDByO1QB zECV}ezbmgTMIXQ6-E~%CShfyN_iz{UJn_&AcaPq~cE|GrMXStWxP{R<0HEb4`u8S6 zbIVNw5#CW%WYbzunw&yK$Aac#Vl!dK$uDJBa3;3IPP40+PHo73%nNeXt|^k|oIBBu z0b_W>u49w)l5%akj;Skvn6R5wHHLr7X^rla;AjE8A-#ATBc#c7IfY@&bi9JA9a?C1 z8yAq3TY|QZ$@Ydpd`oV?mv6i&z!h2a56}5@vE5NbOpakT(XN<(tzx_4(;d!SE4zcQ zM#1*A74#XSu{N@e>}Y&rFR&79L(xm%eL!>Dz%Wxc;5$p|k=H)>n{Dv-|Am@}y#D>a zTRPo>=ZF8N_4OuM&&0H{m%N#Yxn74vB63JKg2TBWJG0-I)p6s>62-vk*bvCJns9cHyGt7=HCO}dn_I3l>C;~C!nL2% z1*+4-8aN{QyM_p@iE9(Rh#pWBPvuLAnSyevEU?U)IJI@Mmd7#Kktug&ZUIGc>NnTY zetN&6g%+&8YS+8~k-@dfgW zSvZGm*iQD`yNi(Hp3}KF#A&$K>@F?c;USE48m?`&+-{EAGk1@B{-YlxE7>^ebRu#+ z#-(%dBgQb?#1cG=JJDe6&p<{1_kybo^;!5)bZTvm>4^J)Yomv|s5zlqiqS-cPdll^mw%SiJvfgCm zu+wbgg5ldg@R*X2u>0rcUJzJ zuQb&hg*?0Dp{)koAi&s8a}>Jgg3oMY3LbHn?_)3hEgK{B4s{&)t^zqjnijxrBKMCE z)#16lQHUE+BsMcffZ9*5RI!U&?iK5mTJ0UQ88jRdy_64!+jSj~wD7s~y z-EzIs!2ZOocf{&H33A>X#Z6`r3_x+%bZGpLa)pL)>E`JRH1Q|4eQqc}$e>ES(o#_7 z_eWiGtaS%t(->%TmpSvn@u&M%?t;-mI4IVi4P-hyz0$@vL!j~mYuRmof{$X86q;sSbG^l&Ui zsq57$#>Sh`ru4kf9CeGMf|*EDKGG^&uhuX!i)5N;o>=O_=+y=eB@D=z3N}f|Go91I zQmn>P2aT zJ*nd9jR%Irb3SqIzH(&1*P}T{hPlkUg6?vcW^69+K-ow?`1;} z5|5`$4nYg)I4V4`wEMm0(lUOqAgAH*Qo%zy8Rx0!S2kYGp3Zae&;q!1{Q>(*=XuD_ zvy?PSXfCqk#(K@bI6d4rOs|oU@V7Q*7g=dWDK#Y3mB@CukX-C?8I zSet1R&HZ_2|N9@~TbI7Wwf57P{_B5CatS7X|M$QDacyYdjN6eRuL%VfiR1$X+>G_) z3Gf&UqUf1dtQ;@(%gPhf%17Swjh5R=9C1BH^LZ9jXe1$Fgjrq?StV|r-A62#h35GTJ_SCn90VENUnE%>IF_urvq z6md$D$(UdZIx9SqT|E%qh1$a!7Z`+hUa#3Q1@+u|%=5Yn57kI{t^WN9NUWy{ctsy*&v7lK!U( zgcS6s*W0S@0>{0mkD>*lLd|YM8;kam_&*(TY!43DkE2D94!3X$-4AQLx;q)$!5-MT z1YNzO=-YHYBvbETNc1H3AN()_EuL)s>~0#EyTDpSyG0SxNn(VaEAl=Uu9~T+>`;W( z>xwXj6-A<`MKA@(mW%Zf9$&q#Xs>n2M`yV03w`uQKaTx{HjVD1q=j($#TjlA&)otM zGR$PS^}5r-BCNdkf!?T8an4v5b#m^ZoIU$^jVcbxaK;l?#IBD|n9=x+s;cYB*)3^& zEc4N5DEc4pv|_MHtE5iw^H1~Z&$5Vav@v1>b+p$TI*w`c2ICgzg%)uV=_~8_)}HaP z8WslT(e>Jee&PIZ#5J_?ck6&IWE3ZZnGGLpyxR(p!m)jN8BLttP>|LQ0`Jgw;x-bA zm-qKE)0>yLJ(JkmKd#DROUW{|7H)?Iea&VK=lloWo~~|?jpU>b&>va$3HeEIA(f~> zcnfm1|G_#R70(@!W*wtwF1Sj~x{6wZKZz$_nx-Oic;+lOTiAv9O=vEyiOK(Zk)Zk1 zxMEC-biWqQSPNH4_B_r2^q;2x@XX2Ti}lsA(c5gdaNp8kv&_Fp3ixO$NQr-oIbLrX z@990HH%&!nvt!}Mx8UFa1IEcXW}ehOAUm^UjUsoG z{T3|+cGEH@+@DK^))h&;BR(}X$Xj(>fN4x-{Tt0?)0@6UZ#H)`%C^#&!#zTW1$;mRvKALtaX*Y6+pY+ZZVg zAhK;mn~qr=XfLbXMth2PFP^se8c9*hcH4OePm12|V9mpGjV~*2U!weT#-aSK3iKtS z&C=T@hC`tbWGNIkFX+&;S+su;5r&*@vrf}@mlXS&RoN<%+TghMEy`M~3Oxq8)vfynn4LnyK&vIgflvKa`J~>76PLzk8cycgIU$T+V*| zVd*_?wa35z8S}IG$SdE;(4-S_=rkizdcm_Md1D;~`7yZAojPXOdLPRqErt7DVe_QZ zz!jsaS%wPcw|q^?bCVg0K1A!i&+~|ZY;1LO45Pl_dUrb5@i*dNv-Jumx6@HHr09=q z*SOP6PFrajq8K4@l{!WPKkC-^SFSIhP{xa!PQe`3hJ9lkxSvycO95+_tYDgt1%fp@ z^$CzPUB|-YFG=}TFL+vBIjen;`?#uvbBAGv-~v6J5k!C@O<%joVKR%~JaU`|N zNS~ZkZ8||g*ujCl5;)`2DQEmSzY9jK0j);=ZRN#6ZcC%#Zz8>5)G;K*4g5Iv@?1c= z(Zsd-@4z}4O-z+_;Mq>VyV~&a>8r$iM02qtkHIP3?U5wnhi?B!ftGzIhQcKvYe#m`c^ zz+_efbC+Fky3K}zl`Yw6JdU4p#&cj%v&j^d=;i#ry4h~yo@5CWhu!qqt=65mlGK$~ zz!ESb8Os(=**Jnc6>5c_%N)`Sb(bblhGm=YS z`@1bU0i3#Ne0tMeLk~d*OOYX#+kUiXImFi%4^VP<+$zUY>+Yc0BX2?^h;mVt%N9q;8r`{FFQ>3i}o4riBSe&A~iHOUdfV!f)qB zyZC_);Fz~3@V!kw8g5#+r46YmEBACZ2FaBW6Y=H?P&$=6I3{br8Sk(bO@JA z6#X`koOW9ZJway+7DuZE<$4Gz@%H0v4t0Xh4h(`7Ix%-KAm)x<#WvPW*>v?H+L ztQK~d;1q23-9=k3Y41M1OQ&FXW-bP8DaxG7Ub&6Mk+IrxFEM>^h04J8xTWLLH_j=3 zebBfWt(`gYI_5-%*$tZXUWOE_gURy9##wt$Wy;Dj@aLW__Z#x{u4A(0xCZ*gb6o=E zb1i5$zsfrW9H?gI&y4=6m#!UfL9H+3IEy~rkZ?tjbdHQ!x0@JaP3Fs*R8@JK0o_*gf<0Jtac;aK zjeE+BUPs|`S)*rZ6&$3$+bwvODKU@ppG(nrCGoqvJ1;sDc}Uh{n85A*T)VU!W^Dn= z)n=H_?ScrD&2awlK8S`q*|U4gZlZ#12uKX3sOc_|gRF|RTG{ZL0>yROR9+%98$w7{ zvQ{12)|c?^usY`JxPVeKmRcFJ?8tc~GB2ZUy@_7mGGdnDT! zKvQ;t6)mcV!FIE|4>rpn&Fqw&8>50*y;P(~%)kJSvPU&Bm(Iw4yPC-XBxd2ZXk}|# zn7I)Kvzgt5r|6r})xLSp(Y=HsW;W(CFMB2%!}|+t4B43s3q8T8aD>`zwi^4dT_7y# zbS@@VxQIl8F$E)TrVEi~s}vk_ut#*JsfX@V6b(U&U)rf)$x}AGiZM_5j#|1?$A_e5 zX;rCnKAME2%wu%HPdr zwc!!H@m7AMov`%2RDm&y;@71Aj93J2^n4xt8ObBzQ_i_w6htApP+rj#!|xc9^Tc`p z?LLjc&s`%Em*UId6Hjttc=-9mwcCXY8M7v@110Ft82@uqfqqX82DWMT>5`xyy z4h`>9WEh_Zl?HbPALK4hxzs$L4EN-Qeso2rH4J!-h9vQ55>y_?=IXqcQuL_Z(QnGr zunp|-{6QkDa}ftV6{ny3qd{K)k@}+>^|hXVyce81a}fPPGhrrj5h{x#0LJm&1?*Ca=|Csm4+Y&Q;t zT^$fuDN>UU$3317O>mR3iWrkkCy;lMpyRubwoxHDkx_^YgBb??F$WEpR8lIO;$>ut z-bUjgb7w~GIyyLOT4v`vIK~KKVveJr;ETwUzCQ$qPrqSR6x@a>BCkIhjZZ2jPjo4* zgnN#U#<#t@bR_nU*irgtNTO&4hNvOqf+k^b_K&ff46EWBI5J#|jb<4~ms4wAX;XiF zoqTqll*g4BD2vHSE8$J38{Axc*d$|{IJ%aCm6mjQ!Xun86;oEFg)5Y9Ien$?EwW)8 ztJ20t)n+#X4v)^V%+eGLk5X{thtUw4mftJLiRt%{EGhvS=GIt+gd*N+A8(20em z>w1a#Nz*WcQaM2)O)-CyAknIHFx}47dm-JaNiK2ru5@q`%o>|+S{P(iOnj}*n}akR zhb9%L-o|b5%7f@ug<*=g%V8f@wSsfBnY3qSE2>pR=Pg`yYE_#bq0px33^UIy1941q zS^w-~|37J0lHE3vZMTAvkA2G07YVjQ5C9vCU6Pb!dj?675-f^ff`lx22eqC*tywMT zZ{fceAb|)FH%Qro%F3z}F9b&O;Kr)AGZ?uOb)*5^?r()DT8_oJV{(SJx!ofNA0?h3OPu{OtBjWMU{Nqe z({OU--8jQb%<~~9z-rxHSd*!m?6(S{$IDllAN$GLNGu*#&%MeS4Bqc9dvp^lpClfG z8EH;ilj9aeKM3DaxPUl4DdmfcV=04i&tvmkZHw8lnai%2;!@!T*4?JN{Vys?OX=re zHobiY_gg@}FFdwBIO7p5#cLUiyjy7+uy(%97e1MrmcP*T^}r+JWzgN1Cw`nS!uwns z8r+{lW0Z#DFycYI;Rzk)G$D>fEMmcdu@aL$|DHC+R~UHXeUPT`BOL6ppYY(3_-~kb z6$iIW=|55Wrv?AYt#ojidOu+jsztPZ3B}LMAK&9K7Czn(DRGt|UCLf8gc>_`E1m)K z1ex6xzlKY}cKnHdk$PQ*Wsre~`|RTi5yziR$QaFrcClqwa-ypj*zhkKZUAEjWwIoL z69!lYKM8}>&MdlpZncULL&++#=Cffo)W#jP<;~4*wN{5a+9Atl8EmcV%%7?@Di{~; zE@8ln>zQV;RvUE;WAb(2jQp{6J(ra7>QPv(0Ugfe*;xc!PFDL|>fQ z;2^4L6^Lf!RPgj=0MhPKykw1vrGVFRBBJkAp(=s9ZusJt(T7Pf9M*s1)=*KJ zUQj1EF(yZ2alco2P|B?~8-LI$NaAg5`{b}9H$L}_3i3eMoZC6pAHZYCa~^+`|4D?! zAk7Tnt8XodL%ngCFwBFJ72j%MROqqsq&O{H*aaGED41pcxBpdRsGMcO!` zj)v-^OM6o&B9Q`6f803V+{p+h9;GzYCE3$P|J_e8t@gqB#F$XzV!m;@1JWFmJT`2Q z<O~O!L8*3EA zPeQU2amiKI6(&!TmRfi14z4LY)*MR0_^Zg1*=(btH&s{%A6HKs4u2O%GE%9Lh=Zpv zACFsDO@9Taqn+i0I9t#~rUh0Pvu40$N)h5iHn24|7hN6HE-;M!32Bs?ftCpv9kq%B zk1=3yc577}863WCU$b#Gex6V7!lG#~>i0ZhlANL;R$SHEpR{|DxS_s*=)zY%(yvqvF$-$(SFdn`lk29hwg=ETo!9K0SB zva7;47DaZTEL2v^V-~<^g1ac;9+kT!-g94`tAZGZ;#I^P3(E6&JRG};&U~Q`gbKi$ z&egS7WpHAQUV!d0SQj@4lc+??Ww8DAuSFdF2v!GsV`h5d4BRz&+uS{+WT(^vlLt7o zmxSjwfa$SmUaH7Q3|`OaW3ZtIEJunitO3+XgV|&vj|xtO)>^nf@$?E;x8|4(e_-y^ zT#QLHN@8XWEvrIR|E!1ai8H^NFT@jLg-ov&{){mv6+v9Oe&eV1YH#At7y=N}QPMOx zsYq+i)mvrE&~DAgmE!Iry#kL(pjoW@luaH&(r$4VD=KVQ)Gtn8Ub_s!S1$LX+mMtH zSm6EwsJC!N7p8&h zE$q>qvN48!`F9>rLr5Fgn{`8;9|0_|&~LbIbq6yoa$N_j`%C`0Px9wJS;_fso-$*v z?l^|VvdPF<6j?>pCGX&De~)RAWx>s4I?W!F1<$1-U@4K;d{&%jNg2=9Vw)o*7goo^ z-yu~kYUUU)|g5#OEbL(p51L!u?5@>SKR8mH~h2a!Jp?!R|I{7z^P#{1rypDQ(p7Qr&Q|iw^gvEnBl~h!!t`rL2up zEzL#~*X;V={at^wyac(30c(|>+3)<+@;@Gagv+p`zCc+R6AXV^jr5gsOKD%*WwKfe ziNpm<2ld}ZvqNQZ>97qv_tn9;n)Eih&#Bhby&@@mN|Mzk_*@*0FVxicJ?Yk{?YUA0 z2ZQvtOFIiBhl9>Ryb^SLGO|!r>Ud{BFMJ4=vN+dZlJHdcGR${c+C54v@yZRtZS9_)->7}88+>q_r!J=?J7jK8cqWjZe{U{ zIr)*SV==CfdIo7qT$nMuoLK&}!0;|*Fv(4@k~JdMkpA%{G$mPh9;h26$?-ale$bDw zm?(C~(K63lL|7if{SC(7@&b1risNK_edHaI059&qAG=l;D;dR-SAuQBs_HKa^Whs#A$i><^}ewK`~vkf&=XR@I|EP4Ebn$T8@C&xXmg? zmY+w->Ygk*&Y@=G?FM`deDbaX{ZHMg=wT#mC=`I+bF+?p?(F^HPGK(ZIU5E)xAN7* z&<)ya+N|SFx^eUpZcD&j+-3tK2$c9u&4vLNusk}^H1t~^NwYUw2GG>)AwpX&*v1`r zo#;N4(W+5?H=1pOQEIGLXm+q8NiPknANAODa2LpAGO?y&D~p@Rbk6UDi%TbOlE=N5 zm}qVbgs`URu<=p0;XclDz+hU_P!=#*{nBny>jL*H_MO>+;e>c@hEf>It{vxD#7Y@Q ztAaCTC+f9U754y?tVyeZJvn^&TMlln=r7!|7+uT3q!CxQV#l6CHcZ|ErtADx2XA(t z-iy1(kgfr}8=L*AYFp#k@Xud|@it7J^P!kH6uggZ1H!ByuF|5$vQ=qU4BhpAQcBaV z;vo5DxOq&-FMZ;WiHD2Q40o;%_(cO&*-P=ikn)&iS=6 z93R_Lmc5BI9>m}U)ML|k5-)#`C4)VZl zA9sx5)iUshehKL7EjNts5<1*du?q6O920Ax>x{{_QWJOWF4iYE+}A+MG8R9@ZJDNY zE~+>#Os>O2%D}n{J5IM+8IN;O!z#&aw>cGD?GoI@OwCnzQk@F+{ooEbRSZ}mI~4wY z(?i*69LceDl5 zc&Vd#=aQHXAZrfjhfgo5$y4GQ77ZY$i4hv1>+Li#i}fN-1a{S&Cg$}!L3ub$-(X&f zDfeuaV?h-|$W9BhInM^8d>CGEHx|M6mldi%uZ_cuzn=zl91J~t^F|N+Fu2un2Tlho z$5U3hgGo!Ws5xDb-j~6+q}C^&26t!Rqt(GL(ayr2UN3t2aNMed4RXiD+yL%m?0;QM zrrB7pVqi$zEynl$V0dLnAUM9Ey7+h%Yv%%&x)u6dIv1GUmJE<^TMVS^2-tFY94ySC zQNth_v2~+WT;X_ir-J#wd4>mxAhCZ`)C)WcmciR53_e-&`xRMmkGbaRRB?s!DY!G8 znt`$T(Dmyy47vC~0^cb^F(#7lWonu1bMYMHQW!pA7K9s_{w>gqsu|Bt%V?5@cQ^E~ zWP=@?e>vqqx~=!P%^e?OAC?Zst!sl7owZOT@ohq8jMWM6p6HpB4qhh_kIP-#WIh$v z594SnJ8;kQRUB6&qu_2?T9NP8FrMTy`{^t3S2ng@`(5NR62&P~=U$YS z3b}@&HBf-!8XBpF$uk>)TJ%o)#ul#DpGEAv-$rD&p64|0E*Y!1^>nc4U(K!Q&>tZDaYpqe>{sJdA(XisvFCrk2V|i#jDJ5ONfP|sLgUtLvoN?%b54MzhFql)4tG4`-9l<`6ppSVpW&&c&udx3&)y|oY}&fPli{iLsmFk zr)IUi%AYoCc!sj0OF?$ARwq?t=p`NBz&H-$gQBNGh{LO5kPpT)PJ<0jl(XJsFhQ!4 zs$!H3_-cAJ{Ax0>?P7j)@U=~xKc@GeAt*|yAY8AF!yo-5w7&Ci>;=(A);9$QK8|uS zI@pW@c@WRVyb+$*+y(JgY_iY(cr|xEX$pXR)87sddM?g;9&H}>JZyA%{9wL_m<<7S zp*P)7=2IIx>uok|1;k+ls-@P#4{OVKj0KFT7TPie-ID=!PM@5TgX*X!Wuc(hs;DW_D=k7SRN z5dR4qklQt2qn_fMcDp#sJ9$!Q5^=dww~Lk2$%$h7;=;yZ)%WMuX}+4FTU}%A+nXRb z{YJCZaRXne)yN_?+?p?oLCK%MAKa1MNwF1X9@%I8$2Kv#|H*jvG)>#ZWJUYil-(jS zahZ~LC?qKb_@hte! zmJz%#u+}fzoTee21;=^>m$Ywc+sE8YNJZc!rpIaZ^ccmPt1cRM7xdyjOS-o^hHO%bAm}5f>J<3x4PR*? z{gn)}=;{142C4g_>1-JE=9#>qNb6N&3GC6(HH)n6fjPO=&EH~CGR@h+x{I9mZ3bJZ zx-t0|xfnIS)cqt850i#vq?X*Lbr6{^C?7)tEQc@Ief%VUZal0&X$^mb;y}@7qCUnr z&|7nJ3Ea$kQZ+nJfkVE|Ka2uU7O%CLm<-CDkP71ous?VZh@j!N0f%SDqwMrPr$AIY z|Kvl;_Otn%O=1ADnTB^^6hF|uYS+3_!*DxCBCaG{$H|?m+wdReHcCp|Mpm);FK=KJ z4pJyX<-5Z`inbQ@MeYw`=Ae2tRZ37ecv62!N#|<(^bGQs9jDbK$ z!Bdo9H1%&fHug)f5H6kh-G~Uy+QAm^FcjRBR*Djsb3CY@*u}LTKvP!8)P-v?7;rLOM{Vqm z*n3|u3)!?(>?k7_gYE$)iqGmq@TPnV*^Yitk-bwRS~)5t56{XXW?LkKx=%-Ah+Jkz zT+9YnqiF&1PKPB=r-3@x6Jl-6$$|-2VyQ~tj=`%johS|%^yYoX>ib+wnghLf^bNB5 zIxW5~+rcAft?Z4FH?-38qgG)VF%4rJJ_OI7?y-ucrqM}{I8nApy3z_6L~1TaI;4+t{hY&ZP zg>f%Zn(NKVH#!_wIk?bOL);xi!>To$Lp25YSrQ-U{#5^AO#|3*u!`1F5C7agS~)j0 zNwp1~UEy-MA%{q4m~*+L0X28Ogrk|40Rkx-Xkd_AMC-GwRq|{A&Y=lB42Sl`b5dH_ zkMwVQBRz}q*@jMzezXZWpkHEi*cIGNkcZ-mMQ-Ya$k5!gDXX}+e~)plR4#u=&0APDsKZL;CdIf44E$R>mqCF=tA`DDh-;9~I|Gsxp;~0mokLvc^6Bu< zw+$`hUPn=^1GNtlX#*M8jld;83TDJRDN$4F}@|^RmsY`MHz- zOs|eBCAulOY6`!Wu>om!o5YWEI^2|jOli?No(I1e0c|5I(AA25ySUFkMLA}>z})m@ zd#)c9ni*H{lD=|u)R#NXP?*f0L_9)-UNSZKe^46dTP2!u8CcRuQn5g z`Fp+<@tI`71x$^_si6Jrk@+6d-Q9%_4gzT`43F31QCNM!{hyIV*TQmc76Z$U?=An0 z6V%V@B)FVtwF=e=Syy)J;2@u2SRbV1vjtNpyX6_&oNx`BB86-7$ zUCaIme@L&~AJo6l5g-XffVe?Ou0>|r=imi_7+$>LzWa^^alzP~jJ;Vv%2ABV#`+~P zVKxj#;#A03&M+NnOKV}!BM1*@Z7f2D423-;W0o~90g65g49Y64a$C`uhBb<>9a9#*meI#@Bb_YWOhFf_M2@EUg4}DHXz2`2DTTD zJf#xI;+LC>Up8(=F}oYy@9SbSmW>B~OswvMUf=}t z;KEWtjX#LDd%nsLQwLT*6IXx__`U_=^uim!PL~e}|D+7PB(zpNJPuVn1N&@}y|Ovp ztBqPj9>&BDL+uU6M4;x+7k9~sC7EUWd$K7kGR%ubhtxDY%|kNpE3;(9q8J5BM@`E` zHVm$I?8iT-GZRM3B$e`YiR-UnjaB&fW44K-6o4p-p(Lg!D6(ck7{}4TTheq4ixA3@ z>7$m4>o22C9y9%Z#d6{&fbiMzv$_~DP&x*~B-&g(#b>Y|VLQ;FFdT3`43xV`ICRC* zf`b?aMjx4dIFm;BJsh7-vsJ`=vWMu$4}nzsAc(J9_m+$u&s9c&6He~Pt*3b7UNH8& zklnvU2kpZ!7+ofiwF~-yieVRgpWXj*_Oh3GeUo`l$rvMW?W*7q-pP9!y5Yp0%+H-B zCN62paXd_`Xcvi5_3ECc!{BnhczKA?RVEkPU}W6;-k;nk-tE2C@2n_)vpioJob*rUPtn_3W##_{I|mgfl7L77mpWkB#7cG{0;x$VX+DS+ z)Es=Jl)TLa81*h+{sx9(JiN#JMyNlU6cXzu%IBy5FA_9f`yE67Bfu zY^3I6OV0g16LuLr{qWh|_`u1=C#1SEhKY~YGSdOunDW>DHn{3hFK8q10#F%A7l83> zeijw)b}++cBZNa&m2|fZz1g>M@njeCILx#7tq5^&`k|}ium`!rjm{F;>{8 z7vGMxIi1muSg=3@x1%haQlrLH96fE)R}M|vwQ$eo0v=R6OeDM`xF&%KV(jXN+D6c! zT-7o(eydPvek0vqpyB6xIR88;R@cW4CJ@zbbvzsrTeg1L!S`_X5mdRH%(Z zs8ez)C;|Gcq$hM1E$PGwW2?BHwq|4N>g8YoE1vzD(Em(Xd3M!l;3uOiX|aBU9{udF zVOWBz$jRxttP6(pg3?VB7xl#v_1%12T1 z7#B53rO8qK026N;syKG^a+pU?)c0oO+w@#c^W07O1}4@c^MH&Qty(W#vwZoK_2F2h z^%<{n?M+95o1k~q$+!NO^5w>%*MFs0nT>#ner}U&m8_#PC=LGtHole{>3YM)6!nDx zL(SJfz@f2?^?(2K-~7rr7}3Y+9>c*v&I@YMaB%m~`nCg12A_B`p4=*a$Xxp3aS!j% znP0?K3?C;gKX3Y*EnKA1XerH(BvE&MOPVS!6yBPR%Hn=xT19x+(r5T_iCT=@< zw3+|K2Gc$EveWdH>MZuXrLd$|DLoMbb}DZ2>e(FBP*Xu$iJ_VVxAM85 za7`O4PYeh$9n7BWX6f^y%*LB8o~qi;7F5K;shH+$CTh!SVW4)6uC!Vb{`;E8+mdA3 zXCf_D+k{5g{7|?@N66?>u9KHItCS|$@p_f)pOkS?!ew=EKd7AXsZRoyRUb{pV&3t% z)6TcOrP`8S;xag>rD3Su2g=Q@t|V8KgPt!jFR?Lj8BRGZ!HAI>RYi4d6I?iFmX1?3 z7eytl4=%eCmW8JtoPkpm^@hVW*H`g`v0#Y_}v;Wf%BXsIZ5zE|WgPgA`9n z*xX6BOrPlG#npnHeK3&(L&AwOP^Ni0^E$jPG89B|{6BkxlQ!;m*5C#woeu6f6!uOp zQ$8-?ojj@8X_ov*-xTKOyj(6dCmrl6UD)MB(y4=F45N`#1>~7lu1=Nc5^wj^)U>}} z(NiKzUJ?`6yt$qejL3WvDy}yRdgD??(q4_@xQ5aD&KUFJGZu{8&6qYzfo! ziRLkm*6VjFCF2s{R0$!tknqym+d96}n{!SQdyU%jv znd5H`b*A{B+Zs+)&!-g&i@S-+FVa3*U~PBt)zR!HyV#{B$u2%m0Ein>;>nNF-%_zN zefg_8rgB07E8CD%t0W?+5j~vOyys1lC8Y#T@^Ro z8m6mso36zx!BtJTYry2Y8n%uZU}_t!4{6R*EVG>VuG*Yrls%3EC{0#b??MeZqQ;T{ z%V&zGOp3a?BnQ>tmkkNmWX*S4I5HhZ?@M;}DzU?|-60c~+yphh=HZ+?vt1Y>Pg0fR zdU(S)@iJPJ*V*hkyIz;S>r48p!VAmwG0REg22^UxYhn0LFW$s?moz~kdTk8Z0HI*7 zjg7iIynmlXgyKXX~nZUyF)z-e|rN(@5wN;?+aFhR)&&1 z8#f=AJ-)A_du8;KBe5SnNoThMV;U=nnUi5DAZcWU&WzSa7X!)YWW6BLB-*>{_}agU#)mc&ew2b7vxcRyb^|ZH0 zSve!~CJv5#DTLb`f)no>7$A<%ly68nQ#a!bqeI|5c?t#{l+Bq9=^GN(?DI>^H?UJN zf2dX@S3L?}0!zEuuzb}v61ZL~KW<&<_*-KH`UK-b=lczv+`NY*{p|p2K$O2i!j@3> zpMa{-J^P(B;{a*CjoB%RV5*;k%MzyjQ8aZ@SzH?jNt&D}N5{3&O(G_~g8>mALw!-b z1QpYWIN>BO(>V0l;2{~l1S#7~)79A?m9#f*GGm?!Uo$77C?522$oItOpbYjY<7cg& zijuQaYqd;F`$aaZxYEm&+Z?$peA(|`$f&Xwyd2az;nbr_W0TPB%|DMj(X7+^_)W1a zE`pv*Ncscsawuh@jMI!KnLo(E)$`+JoUuL~FUjHDkmXadVbELt%;#g^8$H=QR5NU4 z4my{G3S)mCXFU?SXC_E4hJEo<;E8OO(PNaVj#O{zg>+y+)~n7sq)wrSh)MWiOMqd-<=gm4L;@i}K{5cv$cy z%P3piz0%(&Is5RDg}fmJc0M)^Llqn%U#sbCF(FNd!AIq?`q5e)?B~@R9vUO7g3Gdw z-wxVYR3d@6vMNp+BBw}eX_kkbyVQ9|o_W2TKaUG=3R0C|!VBOgAikTUgcrierxI}T zPsOgI_ua$mp(R5KT9&NXY>NEe2IY(FdkzS-=@M{Y~m7V_bgylO5q^Exko`C z$4UXK9)hXX=9B3aaU5?ptLSOLJR!I-`tj3*EmX=$pcxI6JHajTPONzSWE*d`RV%vc z^l2>{v$TwYN&fNk!^ab@Xj*GIcw3Ir<(^(J+z#+Dq3~UN&j?4iOr>)BzTLqQzj+o@ zFEoBV`xq+p0T3pA+{bXy%d5~b&1~0dcqVgV2y)`*szJy91RE=t# z7AET87<%*OBJVXgz4GTfEo=jV{n=?_0*hanHfAg#biI;IL|sp%bQe3S1Z&(VdPj%A ztc%S-Z(2vgIllT}t=8#cKDA=XhpeEYwlzaJjHDGB4wx}HtQ4N2KdNU`*e#N7DGs&m z>6|Z<#jdi&4BRHl4?WMGeC0y{9TVTMHA<^v;zLK~W4UYHu_UyUmroqMKJky+>uB-l zEmw^H@R=1F@KV?z%iHbll~J6f+pW|;V&hzfnH{_OC?SjUp4!4lR395vLWF%Fd%sPy zw{zWI6I5ZNVLsGZNR->d87*@9xd;v6FlG3$vxg;892jmzT|`!{0$p7+7X2f#kan#H=PX5K7!bOkob zDB3O_=%;UfMEBW|i0LQ#^#friKuyWIfaf&g9PwPi9>m0ft2FchZ)ySgLC6)ce1 z^ji6@Os*%~F2sqf!sUpPnivE31_bK~XeM@S%<9On`sIU;gFBJ3V$n5ME>sJ!)H<%D zQPXAHx#QV?qnMtFe~-aj}4x4vYEna(L`xvl4PUuf&9u{r@%De4#sQMAZ~7&7mXUZDZf~J{eA~gK-h0P$l&pVI`oUwXkCy*rVdH zHa4b#5}MRnVNjRgVm8Y6UFcVyVPt7FddotK>V8&n~-q@P0!ngixNJ6tQwi>7p&B41oq7GK_ zoYFgkXJix>)WO}$yv0MheBT`OPa)u9I|aR=i;dk6feSRv$1RzI$h2 ze~O--|7*ng2AZ#9Owk}1Po^_|e|04dR_4wyx91DXn-6XTKKY~Q48iX*I_M`0 z?Wicu1^*hjN^dx^3j`W{8l!S+G*4GT4kAB>T}{PA_hdjO1ES0)gUMN-t=q*HrGJyR zwVKUIcs2Isl`8g%Dc9ApnSO}3QGYmkOp50X9Y^7lT^7yGI+1Y~c2^Q%Xkd4CO-vd+ z3PR#3!PuXKBfeh0w(W)1B{-Zi>yvO=m+0vd9Jtyo^3;1$bof~mw_exA_NaFoD1DF2 zxfDd#mXOno4js8mcCJziv-5wV_)hCOc%_^uTd|fI>m?mS$N_d;3?;jJFAH($gE&5Z z;mEkyhQI-0y@h@G%UEyoneV zX13g1EA~UVhPsL?>TG&Kg0IT#W;z{ybNVD0izjb3yeWo}H7%|)}-{g#<;rPV1z^tfAcsTVUIfbU1m;*<|nZkzOl9w@qgCEkZh z{LNOlnr`9PIw8o-u5vnHgT=5U)CHIIi9xVk z3sbm;gG*a#`~<_rY2ptMPSSC3ngv8&3=dPbUpjss-XVuRg>JNYin2$gBwVLL*twjg zo3s+nHatht-Q(;0E*KWhnc0$5okTCJhLJlLrld`L6J&td#-tXxQx&>pIVXL(c`(;( zVan_3tN#tUUED6on?Dstb zfQRXRSEJ%B71I>V=U$yPY)M#b>vy8n#TB^6EmZqMIxZJ%QqQGX2A;<-Wu3_$#4~Cc z_@?+i zSWv+et}`1exWGIAC2x>RKdIXAo_|$IKTd~?Cu3n#kv1;hCwKHv3tkWD;4-%cRxnX< z5TnMRC8{mqX3gSP>b72s5)uU7;l*YXe_jdiaA0mCf!>YDZC+40r5cO>rY^?YGdOq3 z2&onFT&R1Z<0cd{hMQrn`+g)lp~$7;*boEbE9V)twAXyC7`@ow!S|_$`;hl)<6&1P z5KxW6Bqj!X557$tFC?cE1jH{S1nRtPVqySu-Nqrf#UfC>IdsCXc#Kzu4-89+wIM!bX#KGpVL-%fUs*caSS>EU4?E&KI zcogcH&gQJfLeNq&*Y;Ek&R*a|{atS0iY-F?4sPqfBYrAUxCSwd7wKw~2;0@iUg0Gq zuHD8dTzoVv$MZJh>RkRkT9tGfmDqhsqEXwu=EHl1=C0RAiwl@7w{8 zlR+y}|B>LCjZnPyChR>pVoE8QL*4%`SB!3&Gi^o?M(Jz~57GiB& zV^gm6K6={Auy&3rspP*reU1bka*>!{bGnjlYSC&PCp%Uz-G8UEys4t|d6&nLbWrv- z@nS1FRE~j7G{~Z+IVPU)L$J8U3iZBX0qT z$+w)x{*&`#y_N)0=`stP(@#5lj9O(RRjun>bJ0f8ORzcK=bS1rjXL}|6m2Z%qf#Jx z!UuYl4yThm4H+MQ1FnZD`Q;)2fmQFy+Yem0U z!pgROcUi|$49<#eDubCp-Po!b7^BAx{`C0LujA$CV>ZJh2Z`-h%=dIU`W0qW-WF;{ zW4%vCpK9aXq4;AkKEvBG#o6c5)8e$vUt^AjtAFsvulvoG>@wpKb7q0Jgg%(>Zx2^N zHXlOP#4HHE^l<+|7S##&k%YcviSzT$C&7yB-}BK?PLOw>3vUf-ihFv|t7BML=-ewj zGxlCqhqw-q5RAq25c#YKOXJQS5@N4)8-?nlZl;<#7(sO=;}#AVp?z?&dH*-rkWDG{%&T#`X2K)@`0;iP z*MzuFh8t$Izxs@VxydC=`a^5xPA7elO~Oj|tYcglccRye6eQmVx zy-mt*^+9!)d0WMG83=Mj-*z`VIErf%g||to>{)hyb1JtEb_w(AyfH*vHL@|a2|3@PSH-N4W4#!4^raM z6ka)oj`^ElzvVK`R$i}|F*PSsvdbw=7J#0PK??s>UI}m1D58&78A!1hu9=K)=&Ns+ zniY|$j6N5?JqEB&><4Xr;68IM_y3~T`MLC5@Y>w=uh@~e9!+uwM$x&u@m}}jDr#$Q zo;_IutLuu~j@`s@2verN1=}3WfZeokEFv}^vS zwsE`Q*y8~S>s?r!Y}2wkn8Fb$D#a|55_;9{)-Zbw=~ZdQUqNqm@j*&W%J&?9_3;>g_(zlB48>+n8s@ zQ}8)C4Lo;~Jv90~L;u&Bo#gzDI5{h-U)jW2V4#ag1b(oG;P)L*hL-<=Vq_R>t#dk< zC>{N*4o<6QWC+K|zVsTp*af*rWjQ+Lvlx5Pic|95W)u7fss`Z-Afj)}o%;?A^1wh+^M$DNNnPLU3L zF1G%7q;C3DQtyt5Cm~?qX(o-CWZu`T?O2LQMrDu4u@w&9?T87|ZXc3K?8R)4W8>zG z%D;sBFj>{?w)@iOw-q4t6uYzE{0d3Q1yV|NNpCr(Ah=1ml_tu}Y3(q2$BJ=di9l_lKxaOkQ6u5ua zkGMP`>!|F#wefp%xF)sI#><4+KA)i?Nn9}<2kSLy$0XA%rN#AH2WP~@wRLS?=a(x~ zc$wUemg8pFNB{NJUvubR=GM|{3Mwo&ST8)yef84CJ;e|JQi?y;Ntxj}%FQRxYXakg z+|}XAWN<{@*t7YUPuuaD7OI1^GiFU5PlS2f*K9^xjwgNB&fb<#%=Wn8s0+-S?}X8d z6fJUt4(31rcq&~*27Jlyv+!XUN5PBtmVdRGNzr+d)VnRWUQZp8=Zmu>j!}FT^GouKy_086hBIR5!B!ikhpk?-Fn;)cpo#rczyQfT z83pn#xEA9x^Dvq8LhcgQYYMK(cej%0^@ak19r^5J+|dy&#fy5qr5LyB zFBq?NM?WFP>nNUtf<$QLWjsMG7Z zf>oL4H{J55jQ`}$3pT9bKDZ&@g_9#M>yUa6Pya&L8oe&s_{;mjD%9-PZCDkf=yemP zHL<3vn>cvA4VXE+IQvODrY6>QZhyc70nYcT>8cDj+0v(^(NS8Cr&^wcXX$lYG0t|$ zgCV@!&CHFT%b0QWy3@c7$X|pVvm(pvHXq8oKJuHS?eHD7C(H}<(Vaa~F!8Bq5>hS= zc{6;74jb=Sz(?%ZIjY9w;;O}{KNY67eZAIxYvFZx&Hr5Go&dN1nYOk)`kmYB z=sL`a;duWi-C9x;JAaY8v?PN88Ut6ee};7F6Yo2%f5u|?>M3Fb7F1Bz?~f=8`pm2N zpR2rCCuyi5zj#l+W(1^^*>kS2#UzZqod?0p;Wy|!zptc0A{YTO-5)3hU|d2@uQY1d z=wINAHEL~4_zkshqo!a-Vly=jSN^6Dtu^WxT$B(;CC8=o1sZh)L&f{OvPJ`gI)!CO z*ns}dTW1=l(ZJ(lGn8*NAx$o~K|A63OSj|vOKafveKo#CZ?y51iIZI0@W<{{^T?cQ zQo?wcc%(Q3d(a88c1(;aRKQ9#oE+ysp0ZsBW;75Q3SV?dc``h-s~x` z!)le$6b%eqnZ!8rl&Cd7;h0mHg^lpI@sS}W)7*XF_2)y!TUU!iQ_R*=xFx);V*1Ik zoO#1Q(qA40$gcOp-<{xarL#+$;k?CZgn$HW$!RdHuoH9~N28H89FMhGIM%nBrT*W2IJmjjd{9GVBFF%R{Fenh_d&Recm;p>l7wu!^EvB$`xEC*zU%u=vpW-IBowVGX31J4Ch zBxnmfi1Q{6Etm3XYqjynfa=08iQo)aJa#V5vlf0;ThZ|Bk&)Z{x8X0i!Y<_zswy|F zHf{zO9FkeNIUQU|fwej{cp0mau6nDBr$JueowT}mvQW8^U2iEej1~2PmVt>T-M&4r z$^A~TqO=<8gGVlsD)M42ql?|6{$wf!w#2zXPl2mcm%KF-cc>!vKE36%@C-E4Zm)F0 ziY{EsQPd&MFm>u}g?W@YCTL*`52#Q(itQ%0-3$a{4We0w&`h7pkilCfh)qewNouz+ zC6A|8p(?ZkvjTQ1!2D7_qe_&gE z@$m#4`BYG%omLG#-Dz-^lq>&`oJqebtB`)vP8;{&(Ag#r4k@xu+jz(H7roPIDFQdQ zZf+8eX3)?^ue*4tMRAC?u3{AjNT-gD0VNltbviok)^>x%k^^Jz zdpX2RCrh7`*eBlXf+ye6aTcyWyyujdS$X&czBHFSfuX>tpCC{Jdt%Ne-wP!%6@ZiW z#g`1a3>_0&z5dUGW(46&jFVWW5_SWoTOPbvqbJGr+}XErpDr-29UBwBy(6pDad2w- z&l9-a8aAo$U3cpkwN`N}yA2b27vak;@?(fe>BV)Mw!q{MSIr_GJ$a8;$?(j=PoS;f z$L5JQ4{?)uHc_dlEqMb>)^tenCm&Dgu}@}o6kZPOd0(h_m|kM3y{^6O?l=TfE6PF* zl!S0b+%CsTZ(9<@$WC`^j@S{nlb1syb{7YEoT=LQYgqytWP0H@V^?%K~;F{8EI>RP?mDW#ZKYe$J1*T4C>!U{iW-5+z$sq zqIwhigqJjV&<40!<{gt9biIYgOH>Tm(kaluj8SX#1xChk_NHUqki*{Q{BI_giemAJXd@it3u zx8uPESt?t1Fe3DV5TRGY7{?1vX0L|56pXa#)$wOnN#T3U?oe;Kb1-AJW3F_zb+bXXCbi5ajk8 z3@duN^-%!x4F|O*EHXV{p&JjeA0>o|7E`Reit}n5H9W~y=)bOf&0Q?%4L$qOzyEjVmyQZfGWb#GZ(qFyCmV0}36YM$S(knd@C;*Cq=q^XHFo-ka1x@QqXGQrRLm zAvO1G*Z^OMGBKJs$#^CPF-#Mo2+uDbh&JxFuSf$LZ3EN7U*BAhu1}q4 zS2uo?Nty7-_J=nUG0+BmlZ={cPk4Z?n+f8lVwBB8?mBic&B;Tsjhn8yI2gCueT>mM zC)(-q`RL-;;sk$(Jb0^^STJxh1V~ag$kk3%?xso4NvD_#V7&_t(xap2LLA8m$4!mPMJk2r}b`o7hWEGzh$K!0x?j z2!~{zOo4}E6#AY`fmzI$GnWTfSd3K4RrpBfzlX=jv@jI)6uCIw!q0IlSEv%J-o#VV zyzPOmmgMY|%UqU%OabN|tOmxcq_O<;h1(jHzrCgCV>(}%vDym!hpG?RYGXxe-i>A! zX@=>;Xp$>exa22`@n~W*!+CDFl5TY{Z#}!H%r8I(XW_r@I7^zZ_E}y0F1xqfihU=H z)bv_9*1e#lWc6_IcMz;XCb^R#d-5r@6cAE(znO=>a#-5@gV~twWe_gc{$|N$PIhc9 z1q=%~3w8}Bwgyb@I1jeV6SZ+rHGf;T>lnZW-l?si*T{m`U%tQ7CSI^n0?6$K&c~uZ z-^8Se?}Q!MP0V#U^~ezOP5$su1(&ef3bM#k`Rishy!q14kBCfssdSqTHlmjl@9Zvy z#lFu#+Fe{|xSg7nXGg~Xu(|g9GGA&8m!{M3U)mEL+s)kDtb9ovCqahstcGWv6S~@m z*$GypgX|tI#d2$%=3c*Ei|phHj4cIS7`6g)cY)h%n|SVdg^{!svwnx%>Q1UFZjthH z_e*jU*6(bce1je=%EH4}XDa`3f+rb%HvN<+gnGwCz$)GB=kpH)ygPdk&vP1tu7R&xO@=DRy$l&(oMr|*N9hNG%}4X24CpF7hrKi>L|AACZ5_=`eO*lA*%lAw4f3jRr# zsv3X$u03?^6ev)vV8POs;zH#68|*kmyiF z-g6}TmgNrA8s?vd^% z^Ti9Qie;c4xfjEmnV4AeVt5dTqlwjzA(>wjNak0%O8pVpZf*4Mf5}@YShA0h{eJ=q z*HY_M-F3h_VV+}e%X$7CDYA5sTruy<8{kM_G8+n)oc8Z>eTzkK$%i{d;x^~}aZ;cN zCeEDGC9!6UQ`5PN)m6X=EY32VZBh{b2&oM zkFq-a3Zvb!VpvF?k}0Q{3`|{g$y+rQ^J~r=0TcU2Ae?k8M*))hKhmz9xp5^s{}n{D zGgTuM-;WSz02D@iU6PV!ZiXQt2`h@wg2c>lqfK1pbz(bo)!L~Y*zr2p+Qh%*UYDc& z3qA)Vfo>3AlbVTCs_N4O8r`SQ<2&DZ4Stwr`VP~Pq%e|zJHHs-8@uF9NemZZnxAH) zp<}$Y9MAhO?7b`YjV`V@O{VWonMLlD7W9SJz%jg#FM4j-_TCux49_tpZ&K1%IiIo)_iZ_Ak*HL0;}=l& zCn_4QUT<|zA2(LhiX?$EHO?v6u$p?l!>fKuULt12K1A1cz7@lxyauB^zIg<0!*62Z>#8JAtPi}i&=T6E0?ahahf zs%8Z)l30>;Lw;onO3DRrs8f(p7)CG2@;O@h@lNmOa<~eewrSeu687dGY1}F9mfhXi zBi$HlNe@;n?BnG%k>S&q-G@BgVpCKF#$kOhZSz|4c0|>|&=C8gAFiHKa74V?hg)+w zY=Uw}0q&V$OmBuM`!{Copm{Jxu;gIZDwrFpXB#^ney)fSaz%`S_EpxZR{4>_PEo63 zI>7SifT-0pk^YhwZnzkbnq^4G-f-&KrlvG9od_GlpJUPnN{L%40CjHP4_|yG>Q{Vd z4PESdn}hq(v2X{bTaUh_zvexEoIg&bv9oS+0b?-Rg+^5eFqPDJ>S?c(`JR91Nc*xd z2AO^h*Xu>J;oL}u;7moZNfmzab)>_oG=@fH!4TuZIQ+w1Mb`7jl-2l<#+PS1O&DVZ z>&;hxs|oF<6X6zNBW}VomB(UiWwLo>vXpsL7Gp?dv2_{yq#W}?{@hVc@n(-~RGP>4)Hz?--()o`Bcm9A;-mDP04V#junhM zn*40eMheP;zAx4ecJQ@O{59TeWj$2a_*`e$?)7RLZkV#;K;xk*|0!Cow`+BHU2}zJ z+Lkml?Kdf0SbWH)rqvNMUT=bV8R4#|Ysi72POEDa6bzl!+t}Cpk;axZF~$+AbS8p1 zl<+d8Y4V>Ey4l_v%jG;5!m0^HhU#6+ko)0ITTRZgxZ}j}X{vXfHpZv~hDKJ0M) zvh-DNh9#lZXE}E!(~&AwLTM(skY7lr!4;#?b8r{_o+}09yO(9)0y+JuX?*Zs{MFHm z;`*W;!5Uw1(LK4+WZtjYuv;e2pR=->bPDWIY&Nk!e@gdU9_(Tf9Q+<#-a40)ONCT< z2ZEF3u{D^2n~Y6lc+ZS@DK4vqmLTTR%iL4s(YXAXL0X6WzvMTw5Y)tBI4CRwH0I{q zrSTyl|4QKnh*T9tGe9MNYYwMr4pAzl=XBx+Z`gasWf#hY&r@OWmpK`axSC?Dd;=V| zkJ-M?T(G*PIG|YMBkC3|BAi8AGSq@_?LQ^!$H=($X-E1+vLc!Sn+e{`=^yY5DsVy6 zUCgsm6O*ZT7}%)b5O2@P+>6QmDEJUkmcOu0JQaN7 zjL~G~^Cm1XD$2^0r@ftu>ZO6j&HBWpCpFT{IlZAUoN1XqcE&t{iwT8Uoj8WuI%$_%OZf=TE5tv<^DY0-H4z3As_HUoJE~eqw7s~mfulVkxuXr)(S-Oj_`CS)Zv(|a-2WZxDbV)e2 zBefM0&Bl*ZNr+|>o3!6ipC+2^I)-83HELtaBn=K7(EB^Ekp#k%bpyQ$hNPYj(l^_< zr2U%o2^Y=_GE@{GEJ@*@o=c8M)`&zjJ55aaqs{y^J2K!Y56EJ?G5Ea>IDNC(Y*$@r4$6(o{H1 zp~v=!tatm z7RF{o^c*|{eth(~HD|K4~A;-&J))qt|ZG~yl}9ImDw?(@o}5>`aHFC@bEdy zP4s2I;bj3G3-I%ykH#kD1t|HslVCxPV=zJC75&{Xn^?5mrmRxMdn%t5L-EdXb6O@w z+6=?+!Qc3M$fC>~T6i;DjcNzq(jr>wSVgFJzaLw?X&KY9?02VCVAdzTLpK;=~(d!GXBm?r1{8WRWW1 zlXkZTw?-DOG?S+#qp0%ZQ80koX6HLr%EWvVJIBh7=~`B9mO`|(ZQ^TAJO-4?jKT1T)V+BSx$lqi9=jmrdJ4!rH+v~gM^#7PhJcRCeJTYi@% z@?dhOiy<)A=Gf^^oouLvGZ6W+9TO)~X2FWQQ-!!lDn>nkZ{HQOoE-~i8nF-Gv9M)X zfKX*Ibc>Nq#b8axa(@JO-4VE=;Z;3YXeNxsg`Y!UwDWA@3~kbR1%+#4Vyv>@Qbz;p z%z{h(@bf0pmFRRUxLb1S08D!7&vvWW7Pw^#SxG8)s~DXADOqxFRWE(+G|U^gH|OJ&fK z!mihlMO{V7*Q^Q3p6gIS{B^t7)9I7>Lwh`b(Hzmz)pSZeVZL-N97)mh0FWr=7r708 zA4ZC@?+RS40-WBijZ<3Z>~;sodCD)|uG_&u<*c^~DFmgc;T`!|D>FF{_fHtuG4!qTzY8g$UUaoE8B zMxS{1i0`>G{r)1f!(FXuHdhA�tn-OXJLwGs{dYa$TCTDXlXYyFZc^Orph6rMSAx zmir?YzokJt0flDSn5gnZ8IStpHcl9t@!Vf*{nBzo%f_+5eouiudBf~#wj7MM9eUT~ z6P5roEf+H~m#8dJ!I1UrtBzK|#V}0qH(AL=N@BWgHD0Sj_O4S%hV-jIwS`dmZ$%zeWd_Pn9v zOuW>|S2UT>6w)wCoZ;dI%{9>k2+D$_!%15Bg)O^W3{dP5tNZ|rpWF6g@4+tDihBa3S; zvXl0&uyLpkD+u9eJgCFr{cW;HqL=Xa`^qoxV25N7#PeVgtS>B@knb_MODsv^TLH&f zg^R5ck9W0kb>t2U7lYVlL7Kvw2G1dP+DzsgJk$ZP?FtTamh3aTimBi^{P(gaYb~=b zvN>uv(0xvGMPWB^gyR6czH=rYm6f*Jn3Z&TZ44L~@LXWme!D)zESGBZ%GTslfnQ*E zG2+6RGjUpAa2J(qyop^8aJkziu9cpJOeI}dSM})G0(W6L!y2(QScvIpFfy)2eVY{h zl>B(s0GCIq*>*KKJ9va_7q?=8S!vtFNZT{ClvBZk6EN7}RO;}kjhWDrtnSch z)!=+|v+iqhv(X(q`kVvO#o2{&w2q^Rv4aqXV`9vHjV}UOO*kfI5%_Rpc^}0{etr{k z-!N@`o^p1ChFg+bZSQEZvuIf10J=CW@ruLZR&ad~SUk6m{qEZ^-Xz@g_UZDF>&nC$ zco_%L!oToVtB7In*@31?# zcBR|IAj`8X54Y8Xiv})bx21`1=wm`|8=C;o`*PbFKEyn$yjm++33`NJ87a(D`Gn>V zG!-Fn3=A0!ChWVHyhH~l6VA{+Zm0FyY8AJOL1XC4nmB*2#S6LS4-WUQX5YUDX^ zvCgDtSpMos@6GWPxHvgk-W%N2H|AnOjmyuoU`~(dTcOW+IvytkIW1ngCv0pTru|r> zq?DM41y2XAZeNzExa^n7F|1?VL(@X#bF>U1}U-*Xpb za^wvoML-+T%OYZxOg$3J!^7^@$Kx&^!nz|ewR<DKD|u^7Cu-Gn^@<2rc?>Nf20x0?js;n)6(Zt!aoi{$YqAu(6<%qzP7H<47pTTUge zd;*>vM>PD;+~_>^=kktX5gd>8CPE1a7hYTou1tGY_WjkA`!%WeqLf5d0#v(MF&jy8 zaPKGN(AWxcWsfbBuc_T^xGU3sv3sp^K22oz{VRYZfjCo&lGU`Ku4q14QHmO7V1vM`7gC`DtC5$WlSA$Gx27h-ZLf2O)l2K1xL=eP0ZM= z17ND~O*)tbB*m8VxA<0&>0%W8Ao^0qQcOZ7)`SNz@-X-sd@dEXni#C(c&r_;& zhAr{3cq>a_oZ5l9oeu18gB`WBbku5f9KH}&qhaqSPUpKfy&JD=z4Iq%XgXGg^T)I% z(c3Y*>u!virsD$maJ5$T{JLEl-p1U~J8PZW4XbejlIq}Aa1)o-Cg(oRL@aD7LQA-2 zVX)nG^86@uQ&z=r?x&ndlw?F3gKGMz-*t$L?*?md+xyC)U2uC!UVLDTLNTTwg@Mkf2@EyacvCGjF!U0nIWY8A?oP)p}FB6$_P5$d^H`Z!P% zXL*8N5-me*NK2Uzhl!I-z=qpu#a*Y5C<9BT!iNcdB~4`et76^#9B*Vfcn}X?_d4;z zZKCPHx|;{uS&VJ`sQ9Nm9Fve|pY*5jH(G*>-9*qz=}(O`&bQ4&Q@I?5_kLfRmgaP7 zn9w!+$bl+$Ugr5jX!vcwjwOrQ}UWjN#-@te~-fZ8= zO1WOeVaAW1IU2~lV%P5rHbT9I*(K;ha8Na+&Mg?H^*YWJ%zQG1Ig0(}?zn9Pi{g@o zvL&hGjophDaqwH?4JocIH=(|Nxa97BIqHnWo0!(%3?sbW#(u-V=Pc-Mc?x|r^QX5k zt?voHqb^(=c`I2b8#8H^_RA#^O{(@RM}ciFsKdQmX&5}1$}p@7y*b&Qu`dn9yA=;C` zUvjoB3w7*M3r9izUE)Ty*c(kuYH`l%H#KlJviJQ3tKy@=7>ER<88tzU0?8Z?#uvEB z{+iMApC!Y#(Qz?WeNU}z2v&i)!|=8@8QqNE6YH`V%W~DCz!g`%4EB^`u8jvBc1}20!?X?bB2~= zWqZ0|;+|VSZ@;Au`;qo6?pYHzur(KC=sX!}^X_#niBIKS$X!M=`d%6=a0xeb$QuIF z#+3(S8aA#sE3sZ0_7Ak*C2 zvIET^uIUTy*Ff)2H#M2(LAd;X)~+qLacj#?g*=qrgXJ0rLa^cWhMKu@5NuLM1wOriItMDmd0I+9%-AOQlLeN2((u^(%%wdRsd z8b)u9&8)mm#x;eHz1#@Z7Q2iqUTCw9y`PJMxLB4BY3exRe@%D6%6|xwBS`jNnoW!j z!Cp_Zi5a64Z__?ml9eza*}*R!M~MuWSG zFDB~_(NIM!kllPB7`CKDge0%fz_fO830TWzgRr*#PWBJZq zM@ZxTzZ!*jG85-8DB#gHZT?yz@X3ua&*Y(CewszcNK~(9)0UcC_Qkc>?kd+RX}Ho1 zO`#~yVk$baY+(q|Q*a+fb6-25AD?0x=i!Si-9!^8G#K)F&-b?<(Q-Y@TvGWK%V=D) zDUCY*Br~5G8JJ9^SRHQ(h3}B2GB4sJXdl~~-)IM_#7ZRr7 zHC&ghW``mh9Rmk_=dz$yFBikxI`)e|DXrbahzDisKbf|0=hmKdU%QP>4?yzM1O`rE z3?n)Wc|)gawCw$T)+oLU7SYS5mBU}WdCYX)~mr0X+dNt}9YBZUaPznSOaK7c8Zq>~5C*i4LYY<)*QF_m|IdxMv8=s_MC( zy`?TF98ZR+z$Yhw3dX|9g{Hz9Fcm&^`lDDvg-<%zxIpt*wFA`l-q%FMv+DbS`oqwV zhWxQqxJCIPth_s zEv=P~qNB|07oyF(Y)^FzylO3f<+J0Tw}j+wJJ~4+4?rB*F>oDI@g@vhJ+1m!9b8Tn zzs1Yo+J7ndqXlF00K$xKQM`Q6`acrs+Z`l9K2;r)^T_@~N5L!H-N3vGX|v4E!UfT) z_o7fLx8miCKaXFtu?}v!+W!t6Oa=3Wl|SWJfJHR4KK*CMGwC>(57QKO-|CUS?tZd% z&mU34U6R?2eRLf&b8CKcm)v3n4;cN0Ixc#s+vmx)(Zc=nPPoYQisY-0jWEjO`os(T zr)z&1$m4OIXM8akkG&H4=4tU4(ge`qVpay0VO|v+0ya@lhfh!Xw3LH+N^)1^aN3w- z{*yFioR#;iC|=x!^Q5@vFZ_F7o(H=Lo9s1xpZq9e1B}h)OjFgV#8wz7=6Ds0hAeQ= zu9tf2T(OfdVQht~CQrA^kg>)oJ#TrTDOTwwu~f`uX579TYs~$;2&)0hYy}T9M~u5W z$t%&oz2_jb7EKI^FPyBRso)^UWa{WN*QNp8SZTeKPh8OcQ2d}RTm(bDifG|n-Gxt% z%1hR`m|rDAu|Ux~YT*KL#pNJcSR5FaLxh2w!z<~2$fSemH7~-KXzg#RoJ_%0dc=-} zGiUqGT%m|^4-s3TDJ%ou(o7CNq*LfIV1K9d+!ki$&Y4fb?;FZSRCJfuoq2}C$YIDi z=TDjy2B%v8JU3A^N>+a<3e_;vnyPceJi`F$D>2{>(Q=exp5a~*W;c^u*P|+?&Q;ck zXx4DRbU-r3R7j_dq9t#&@{Tqen9_we=VQWnmj+9+?=$qd{1^Ji+Vp;Ls+lwC6Dwp| za%5{cP?pR)?@6Va4eWu^_IQi#{iWRF3HN!@Vc9+$V2sVf9E_Uvd=$43u3d(9@+ zF~oJ zIM>E;iRQ4f1pn0WV$Q^>RnqJEYzm4++OpB}obi8>A~@R^(1)TuIuE0Qb8ad)Phhxj zb}^;s#f(nA=ww?yFK#&7#+BbJ29Fo_Nf&K(uCx4xoElt_eBrJ(+42OQdaC99zbca0 z>`}OH_BB>_I9PQoT9{)Cg4dAqE$WGIG{Cp97-*c1nhZCTuSfmM(X=N<$GdrLtAYLd zJ*R@zzzh)6h5tN>;@lIpbc_!lorK=yF2ci75LqUuV%A=zup#vFoiihGwg)>{c6#w2u6jFkBb^kbx82?_uKRnXrBDF<<5b8Lx83v?|Lb?wZ_tEYGpmYB{$=7ZJ6G6DEJsorOCGf$& zA2Zd}u_JDVLoh?MY`C-)S2Ui%Yk&h#{Mqc?ZL}1YIG0xe=-GbuC<+>4`7) zC?6=`1Maz7x?M#TBk<#O_z+Vx!A@L-8`-t-MW3_$`HKf`Ye~<5#)#rlY8v}I^d{ho{K9>)t61x8*=o`j zh~m$;YZzF&fm`I2A-=G(EyJE;qDmyEAZ$fr|K6H{-M}7!SjM+L7u~UwU%q1O7S`pc zIMwVne)O*WO`EQ18RmKcWn+w7$N_HQOOlmVe9n#nCwDkelPxgawllsQb?u2}PR62Z zl9e{Hz3cI$uTAXC*PbfRJNSUUx8-C)x{Hc{I!q@NdVf%nUv4D8v+p@p4;+i68vC zb-WC-8$nu5PQ$=dGSm2$d4=GUZhVCnF#Yva{$&kLe zzbXCVbcXyV)Pzj)aC=-ODs0k9CQEp^*iW~?{XMNi_ZN9Q+`@g~jSD(O^1a8FnBO8; z@Xc3j1>02z+RTCr^I{-wZfwtUwShfwDcHIYvY|qBa~=fG(FVRRTfhal?Ve7P&*fC? z&icX$x@F)mqGjQ)!aL-0GPJ!-r`RXWjKg`7@60{!ijRwtT=VetHIlaJR`so1k>N@9 zvR~0G6cwL7pNhh-#`lS77WcZ23o1Af;pjEoX&&DOzs>TIm}xEL&tl%jw~$?$S-{<} zX(Fq{6YA)g4nuLuD!36YN1T=&ije{^=rr*UsKzsr1?JBQ=wR81Eu__?qv_p@V({ON zC0E-~z&-XA;~WEHMJ+KJkBWywM?YM`i-#+^{^_GFgPj=M5x8xb_VJ9<2ilfrz2J{I z0y9Lv6YK3**cFA9GpDO4x2ZBSjzZ{bD89Pmd?2n2AJib?(DsFH`#kz*?BBEfc6dTb zefY;_rfB@u)T@wff5KB_zC`TL_w3OP{i~Voz@@#Lx2N(ffB*5H@;nWUxULS0nINc* z`>x}aznU?B8K2dwSk9Zvj%qRsE=R2WWmtOGG#>gY_UkG+4!2Up63#EN!>hE4*eo%@ z{b8H^lTaWXZ3%Ucs}&SBGvNhHcWY1zRFhV}(gZl@yYBz`pRC2neWE4L9vxkw;&J)cf8WuGQg}@`CJvsS-cZD3Me-(1Cc>qr zbTMCgCw;g48;g5_=7HYK>WzNPQXYz_5YoU@P&C6e+ojLdV)oKE5zpz)g`Z4_V`KMR zBc~=|Vv}5cI!zLX%F_A^;mJoCj8>( zQS`WTxOWtYS$|Ic*K=V_mkKUiFT*YFQIc>mSvy-o82h2te^^U1V9$)4h@roW_10@= z*eB@4VX~~9X!*uzmtYYri@2{Ky+40Wt~ln2z3%tr6Gi@jwZ=PznaM;YRL63_DFK7L&}uE*0-|bq(p8+* z`zw%oO_A!ablmltp<`%PB5yvmCgbaZ$06f862ZvQp-po_@7D>}FJbT_ABy)wg?Co# zU}XJ=psadLV11R%E)KtIm&;%sK51gA<;3k|i9gjLj;vlYasIjLw_7#E7F6|flPL~I z-WOHSR0?dwK`=SJW@8CCF}ZTPLaSEsF4RS;riD*7iSNG0D=pQa%}p>+xEhp9kv+zh zfOh4=B9PC-dL8>02gD2YI*z0Y+#PPT&U$a}il4JycW`p`)Dg52GBsx!-B370?-8@+ zsRZ0T4(pIT?w02DdJ{)TrvG#sMVl*Q?T3q}w4tPQ!q(e3Q=vu%kSPw1+hW%c57bTBqs%-4|__)i(hg?tXwJGiTE6b9>?L_j={Z{5?v9~SQc znbL3vcbm(|rjnV7S?I7gTDKG}vgOQ0;qQ?vf%(s>Pk}}qgZadZ|K`h2)~I7*EZ}rd z1dqA2#$vF$CK`&qfjzfFqj5mrxEUs^G>~}Yilv7OyZeyL4?wJ?qGu450aki4HLt=6KCLdnP({)7IvH* z*BaCM9*W7>+LCJ|j;a{s)*ZOqFT%x|<2U)1ZgdrG)bUF+U*{unb!%Vluwmnx#MT4K z+oNeTZm#XxV{fD0T8duv+B=n0b#`|?sM4(`z6Csy?5Q`tD8nb{A6yz8uh-Ep*+9hs zkY$&~Bl}z^a!Yy(<3#|2G$4?c_q5)|?W7+IQFH_Q%RP?Q2js0R7>gu#Lz5Y9_8oHf zbk5Kt^ZfiYS*6Z0_-ltCn zIB)ndbyS+uQiyFT9}gWBQZ>(j>Z#WkbZ(P)qVUv_WI~*!1&;{_=aU z=2IYE+~*~U#0f31QR%vatI!wZK26s=^9~N5>@XVYI=o4THEVb=O#HX?jIltbIVyae z%vi^52_AjrXGW8VU>U8R{Y=eHZ#Hqa-vKddQ$?n)j<%XDj5E6!m2xXp=D1~j`t1K$ zi4p#00S97z2qv4uEDC@6*hGu%c-GJuH%Am0pF7`-dm~Z_HXL zy>^8{t;Z0gkUn%T+MsMC>Uq8C;1bw$7S6c1lf?<2WZ{D1mEKh7q$F6VJGxW1q}l~k zj^3(a@0?cuZ4k)uL92!xY-c>m=x7sxo9yXYbqva|7-gJ8Mf6q!SE~n>V;%K^haf!O zr{a}Or{k^|oN#D0G2&sLZ`^7sNG^j%U%LwLgGhS*qh9~GSa&b{fF{oGTC}iUi+{X@ zwXWPmFUQV@;=cNim-t$3Rn1}V0n}1RC#RZ}T%zE|(2lYy>~ZoS<4N*V(p=DE94~LV zt#P>w9}6dM%fRl8ca+drh|#ytrItCpB^1fZ1KyOtcOXozv@F~c z$YD`_++=bB@>1+##N;7hWtsq!_#bexw^V`+`*x*mVbT^jd){lUqZH@XA*+luCtIZdDD zbd_jRe{rgDEhD@;)x_!l{#Rl4{q04=V8y?6RlZEM())ueZ+=VuTD;~O<{gV#JW5_S z8)Bq?&;H^vkY?I*FAB8&pUSy`g2Td-VwB)w7Khq--1Rql5V8?&KlLnm9LCvfGH0o0 zDc$GA`-kRupS)vYf_shA7u6#t&Mm5@ecQcqXsW%6kB`sm8FN`l%ls}XrhIrFeEH6@ zgoz)nV?|ed>B(?kttH%{Ef0m~tK~`KaL-uxjpL@0!_+>*z!cYUF7t7?W;tYJ6suCm zpW!G2h#i;jigpd(s-@zb;{0qY`W#aQj%=*1II62@R`hlY=SUAYW7|gKCpxtCwyA(v zX3QSrOL`KO!`L=)RNIaHIeFzWW6Imn^yawyB#M$ei*L@u$Ju(%RoU+1Cg-aJol!<= zq^roefcA>{^UP10bjMHR;1*7@wu5nuRwmrQ zjR>iQafVfo-U(OXbq8x4%g-~{W*D9GvqM)T~QB>rrIr+=>)xo)&@Qa9~=9YjC0 zt7yLF0{kbI>|+U%>;^H~b(}jGe-l!p?vAf*v~l*zdwZhwK}UwTizvn^9`Hw7l-pLZ zp^)Y=+Bib7Ii!Bvc9w6Fc9~4u&Z{wMIQ)b$prK$VvHT}lEsCAZ(N$(BaNkV=5Iae- z^SLlh!8b81ypVoI`;sQcp;g~=r)8xRGQg2ddg(ay84^vKtE3d@FDg>!(uV3{w!+Db z8JgvNomts<8+N^nw6z%N7&dmXuiW!|n4$;gP>mejP%uEDn=4uAnwWTQKb@v?rl3^a z&8>H87_o6szaq_`04WW-X`OfcmK)%0p7nJ1V*j5BCVAuIVsEaazR@TYD z+ftjba9L&V8QEh%Us|-HI4I$(s4m;d&)upkn8xp!S1o^IZQQY!Wg{Ii^^`YJ$HdTm z7AGCi!S47hCzbzUQ&HsGfA@7P%$F<@Gcl^hcFCY-G`b?$(he0Z3|ymVXCj8$mbYl*MND%;g+%3tit3_;gXatSKk-${ z6^NXXj|{QD==CUSRyVYWHs&xm>_8RN6hmG_HF95IDz6wib4+TO{=-AUBz~Bje(IiTR)Ue09|&IHd=}B)Uu)w_dAx!bKUmM` zA>yZu)k%?w;Hj{48s8T3H9Q!1A6;B%{qfND?4I^zYRNVjY+RXT6rv6nNPNH90lT|T zVCWZMIwKq0DmL;LQBlgNk`#>QP-y<45{c+yu;*7g;~eq>{{G`%z0>~RfBZ)&O((hv z`eYTI30Y!BeH@|+yN+^LODU0ylsD zo^P^0f9K!y=kM~5G8HV8UQ#pdS9*TZ1h@v%XCknZyIGiU7>8>*XjoN5+`ssXyFiAA zWwYsutdn~=m1^at-hj8-I=m0K==51~A59&j)t!0pD%aCbk0_uzPK2Nb@(dW9x~~Lh zwy=mWUakK}+O;gVtu*IX!OA67jul=&60EESz<{E~iw;3bws#N-ONb~!#fxltm1R zFo0?z=#Hkn0pj5{od({62@76gztaSTO2|9MKP10JvxcX=FaB4i%4up`#&WmKX=3KX zF`3Ylna#gm8>8ECDq-R-sN>gdv|oP7%~g=Qj;_3+HxkXy-wi+5ev4KMx)w9af?N_< zK9o)y149cedZ&#)`M?jqCom1vZjZ;VHTfCTL}^Q|6UV~D4b`J>PM6_=8qvj@jKW36 zmY3~Z8)rEOJws$_w&8R7w2KLVy#fDx%sda-Xy!3zIupEA7hkVu*Q|e;zcCz+d7(4< z)L^dl3Dl|Nn0LVUQZL=DYrt{G0NxF0!)**ZeP$cat!pZpB{KaaLaecLT}=VGA4boy z!4m{)foJA6+Bo#Oiq{XzFnbhR@@(}M1;+GFirl$P%+H%O1nrMT<17qcjJJ22_=oYu z=bE_Dg|LcNGUb-^(;0<=Yho@py*WyfctJ`eaW7evH+EYZjep)n>$Y&(lr0wHRhliz zB(RfJX3@AU50hz4`!>ru%6(97yo-9*YF`@4i+i{f$?p$u2Yez3LW;Q$gmif>@j846 zluX3wL8Niumbsfv#`0Ar9>z6MMunZ4@;3!_FR1)E5eFQ3?|NkqN z2P)UG`}T~+#Ou4dsIM3d-ff@aXtn+5Z{zv%5hReEO`*aRdo+mv8GLZZvoN*WZelMn zSO)9pB!=O(IX=>>-Ou18{QjShzhRhc>-yku(O>PHl#6KIk5RAl_NYXf9>GNTKMP?OmVN?PLt8q>FK*3q!nr6c)OUZbes@+^>o?F;r z8@{i@=RjSNJXy8LySUw11trP5m;zjH>T-?Zseo7HOw%S}zFh{Yt;w0IA%OtF8E)e% zkqvHr`V(D4l9qnblsGsofa3LBR~rzo9;11@UL{lm*%xt)e;W$sW%<m4W5ZvuPdAn&pf*UGRa`u!HJ*3jewR(`qi^ABkU|`Lwy^} z6M~CL5G{ogNF}?N4mHK~4Ee;FO}?nNuRfRH*%$#(v@AA;7olZwF>eun3)kPyMQCl?) z*6)Bd%pS#spVRP#^i{Z!Sa+1YXWKZCG>I0$>M=G_%OiOl_c3Fim{JQR$BY!mAsGkr z4n75fAVGvQSQ^vFgM^bI;ECHDBg&I#9|Km%|1{z3WLTV}K4z7?br>$+OF)ImSU6c6 z3)YauV<;=UL_|{{R)CC1L`rLP4kp7S+{C-}Jlq_Qt@6Xr%(K_QTTCDOkH7x?M--5$ z^N+v&LrkKQKTC$tki*Q^@#{K%Tn8^ofd54M&?s;>?_FAh_E&FO#KNO|4n98dE2)b# z;GR5;YmSb0>U4a2&j*9tuU^TgoyNg@^^HOBaI!scvh}cVLvQ>!51dj*aj+#ZVmIu| zSh72;ng(`W1#)23G^S-Suboxbuv?C%(Hvig*(<;gp-AB#!AFZ2QLG?#wwbktv!tMY?3u(8eUbgD`0vAtBl_cf_i9 zFp*z!sBh!%WDswq`A$|8H}Bc2GaNd+6(QY(Woj88RKL7rHtr-*VhGkXLB0MeiMdG3cS(2Rr94Rv z=H~Lh8t$h)hRIrW7qefSM!~FlmH7FmC^Y=1D8ZSYG$fUN+QZoL%E@@EQODJ>x4g&p z^mQi%WF&{{O)G|ytVW}bDd5v|bo3e>IyxQ!4LU=l(ZHEdp{a#cBcIv)D>a+Y^l)hr z;zz>|UuZ9`L@6Ha$7?c==p3e)bgR+A3GUl?`JO$8bySIs+i2r^_tfX4$1yZ>8a{ty z(Yml%snzJ@!15n7FE+l?~h0JPLm>>~&zKt%f&(j7X zNfOs}|1v6*M#T+!**JZQVenZ>*g|%uu+cAWcB_P~$KvSHiu#FHqnaq${sUlB>95$u4-`H@CHWsX`8e)p_OyFvuHT?H|Te)W*x`e zlj}3OmMh-W=h}Yh~HT%QxuLju|CeF+D`K@9^HCvj( zy;DWk)HFUz@00s@Ie$*Cl0!{({%&oyTTmU`i+P0EvbV4?C3(?wYp5lw>|GaUyXoZ3Wo*NT;N|sSr1F(?46cF4 z@yUo!jSGL4M5XfYa$?amJr`<~;yb75VdA?A6JR!REVz<5E(R`GEmL!LOK?+`DD6MP z$~8^z?DA@9Bb%CzhsAkN62b2EVBm;j9{qfa7n>~^Ei1tZf0O88fgxN6tBoJ7#lcL6 z)6iXh4PWQMi%begkKA>Jk`Rkg@Xra5F~;oOwVKv^4n~ETWH=BRf4jr96fI}+Bi8mo^U=$pEPkFb#dEGW&`d^wwJ;C6F%st;w@Y(SA55{TDZpK zerNm{DYwQSIni=+%zu6-Lu~t$)`_cqg>u;o8dB5E>X#U@tyTxa8Y&#zRtHC)67NsA zfjON2GyTR489V)@7k}#$U`?T9^4YpVqNnl)(zyZ^wr zl~~~xZZ|L!T?GZ%ZgE^<;)dV$i4ghsNB~}kz4$d=6f$EcayX(Byo!l;g5^?v9!{p9 zph4SM2tqA7j5dinN$jHUL9XYV5=#=};6(R#!T35)Nz&3P;zSHC$mV#l(yD%2p5&Mg zH>&D^hykG%z9ZvBH0Djw_xYK?A^aCQjc&AgT?X%`-9;1wNQ?syXTrbjZ=>yjGfWmL zFK6qo=t490y*>6iu!zYe84T(szOwK4Eu*5)u!BXo`gs5MU+XO`3|#?_xwV1k*&W>( zy@C8F&dxr5-UtpNj^mve2~7#{B} zL!qQo6`;Jdi|N?z1n2Qm#*X@Qb7UmSel`ln8NIXz&Gbd^mS}f0$1c+?-2zr_!a4Tr z-QX?S9`u0zH$4odyZJI3_3p>xt9@m_ABtho_OJ~rh)?`TbSjt6UZ;lHqY%EAgm5i& zg^Q$9$Igr2vyFsMOMwM-n)P#uOh~4SL+TY;$Bx6*U_~>URK<1LHBFpZLD+RVxKMQT`8JnI&1&bBHSB15QRMq6(9<^Vx%A7a zwT^{7*|OMar)z5J6-te-4#Q0m7`?tyk(LSJPE@(Bw381H*Sm zhJEcyk{I^slNL%Jv^8OZ;WS+!q<2sq&EJaBPxX)mSe zJ(@pfV|Y5CyL!3G&ZX6~;gA3Nk+d}Qjr#1nrGZ0egPB%G1Kv4O!5c0!KKGe15FhpD zjBBt%mIhu?C5uj)7*1?;4o}OnaEsqzumV01ZAZL|w@)#-FJ!Mv<>w@U{qM8svuQNU z(U4*QE)sf_%Z#Nsr|NyK+*UqQ2p!vn{(~^XQr3oi# z%1eex5$bA^Cl9IVzxc>XUx1sTkoK|BPE~1~&9<6HplS;uy!@1`()R7dn60#PX zVL%FDbF3$p!P)A%bX&On?yp}MU5&yxlY!3aGQ3guk}rYMj=}2McwYIB?OH@+i%U(q zHjbYCR%H+kjGaEGFX78K%9pqpwCOE_&C^400`%;e-T(94a$<)szTn#g0 zsny)&U3gWWMTS5lVTa=SR$VEM9l!ESHLKyiHoux_V0BFskW){PH7cN!N%#NQ&7YDe zNEu^1jffMtH}N9=rUt6%aZJ^cEY;4qOR_Z|zlN)5`?P01bYjI&W(^!3orD_^O-vtc z;x1u5`k63)xhhzDE}pP5&IpS!OeH8HccGj%JzU+XtXun?5+CMbVhyn2 z?HX1vqr1K!E-Cm%yMaxdeU3BuA)MD@QLMeoKhZXEtz=o;$2Kv8`7Z#4?H0pE(K4pn z^EzH{LWwp}Irw&4Q?EK6^wozgoMbH6^R|V_Pp`*Ae%~MY1#WOA-^C#2+ud>#j->`2 z^fV@$7Z*~3AyZzD;X@Bf?`(%b4f}up_Mgn3rQG@Zuh~kX8V;#)!^PIHR{lx)ZX2Xb zY>}GK;T@}vS_D;F}T{wOQ($k7rp7&VDq`S zEslA0DMICRy4Z~^Kf8{F*%JKdB{uG(H7)r@MaelD=s&$9Z87!h7;Yv(?(cXc2yHb% zN5{s=A%`|~tOg%uHHiSBYjr)dF*@X_i&nt=Jm`{&penEEiYI|{Dh`223dzgKRgW(vX_*u|-6{rUn z*F%NjI+jVp=wbY}m^#vOJ?xI|x!_0KF}&!3Jio-x&Zm%~y?^k2^Y1IJH~^CG_#wH78k=c>CcKdVBW;u+$S=9Zm0d5tVzhxwvcra zZ{t{8f3=AoUjjL#&fB<)m){@Ks;1_IbQ(`yyMuw_#dv?-!O($Hd@t|fQl_G9z_6v3 zLal^d5RnU`FJ0s|E->O#J{ifhH>y3%ZEUtx>H=qR2RD%2Ym01!gkg}T>5IA`S=_}j z$wd$*R%p1SYcCbxIA7vNbVse}eV{f2SoImqFJoIKIk;i}gyS{Hs|c&%qw*fZZ|C8Cz)BJ-GMc`bzkWs@XzAz))>=Vla8`)auwb%$to)t%2jX z6~0HvWB*_{F>b~a&hmVWB!wHa4)$#2qFU*+d8t!tVwbsCcRIB;)`Qc4zDr~tKitc1 zTPBLLFLtn5iY5Vx)ZQ+Z;_D=eGnKdN*uDE~@ZCCo4b>IzXu4k>OSs0K*LQf{HgjrS zjEgHyMv(}H0H(kiZ485kz+7JR-)P#WH};2Yl521+uPMX9X6BBVVDyv>ET?AU=1GNZ zlSu-1o=YKm>BBCLXMSSjL>W$h;>`Mj3gViLdZNFR?Cd!;4~N96xd$|arVncgAk?YX zF=dqibbKc}|A6e+7#E^rtQ}vbKC3i}rh?}1>RH+3hn$|shG7`jSL88}1SZ~2t#~(h z+MU2GWUJ1pH*jkL6e4r#O)SJ;UYEHhEvcA^P3#eAz}|Rt?4XeN3Yi?fO{UJ^_*?I4 z4E1^!3BdJb!8f;YyTh!ID|(2wJ6+6(#=$ldP$eXSLw?1j5l+2>{pgZ(D9PgTDsAl4 zsarVD{L64Kr{2{h&h_uZusXY)^oLRtDMpe9hM@#Jl4W<5U7*pYzwv<##~ViRTku=} z6?N)1cIh<8O{ebS*de&)>mKgoRc_chjT*KnPeTn(qh7~ks(Tmx$gF7#%8ZklY1A#8 zY717u=1`a}sQwS$nz2-zA{qiyM}SsqPNRWqp1#oD@MbO>8`n3&;LhxA62t7R^Z4gG zX_VajG_XghTlhw^j!BbrxJIX8cF*pQK|(lNd_)8tFr3=UrqRO9l2CltX|yqT>ONdP ziX}h&B?n(MN3vqUff1a5)8)v87^XZ_b`y+ZOp~d+m5w*7G}B4q*mNyAd>khw(sT@& zBP;qr48?RBo+f1O42@hrU`NZXrwuVV%^G%i4m|5gGDkF%-`i6KAz!Ci*8mjG*sVm0u;-6!?DnAp#>8OG=YBq4cqoFa`ZMW~o$j|1a@tM|*?oI#GR~To(xVtCb2skMB#DU7 z)k(OK1YPJi=<2YXri1aX6_i)g!&s$VZyjYkAj-;k82JFNE3=08ug^yQb$?XEyPf{1 z*}z3sIG|*jI2{2_joHE!A2OTs#j$$yQpdp~?$B{HiBe0=-M6m#)A1e zEHGJxY=tJXGzsLR=q8`W!CVH38e-(&yq)w2Oe8V?#PJQ1J0;;ulWKx;(CuU>sF^2Z zW-da~f?0o$L_kxNL{6QsmBif}i=Qp(va8G_M&Ay`BmUW!pM@LeYxG9?g((kXLnEB8 z;v|OQua~j}wz&7-u-yF+Zs)f!VWJ6^lC~D&*bf(g@x`9#__ zs8CK491J0uE3bs#OIeryC+$j-+g7seRxtWuMOZ3!U=uY$OVMH@vyq!wiiE_pNP+>9 zmgrGM?V@IH1Aha5_$q26wUVC~Ac0H}CrRtgo?qlmfk5W%?>SIGO4=o~xV+Cayityp zi-Giy45Q+z%~@d%CVLnU&(RjAIcpxq^U|nyALl!N3n;=dOStj+jDu{JaK`EVISaFb zOY#2h2j6ZKcGs+`E_>Z(1tai`23>3T#Tt)Qi7G~^{Ki&3sip@)V+vOv;#s@Tas4!g zBMxK5ms1|{I~I<^dvj)H4HvqF;tJM6ZI9MB#xEnh2_-44QZ7iWm}V0r_p>EmY_n)5 zlflWD@h*CyZfWr|U+7o<;F%Q80DTu~AmTYraL24;jZzTPn04%7j#>09F3Myi6^9+O zfoDXE_P22b`iQP1OcFUJVI-xWO$R?0?)`F17mq_>bz!;=d}o8b;q%psZ{}HK@es`U zbdiG!m%o9gTcmixNr+(Ic_RM$es_XQ{&%H9V`}h;tcCF3g2i=rH_e(coq7q!ag0X^ z7Y*TD#M2RMx!%lq6iCug#fmt)?ODTgX&Hm>p3$N83hpfx(Lt}%x2|arH>pGzu4nYT zuN`M#jBczO`llmRBI_00+7dTzI^nBfb=3DfX8e_{)Q75K5c^Bq=6coAOy26>M-`U{ z==L3Z6*9H|K@RgMO`jCHu9OGT5IMJn_4riGJuU%c+PC`u(E z%=vflP3*-kn6pKA=%op^ihiLjFea3^tn65mKIqA~s+YBr#T&qzHw?qgR$hrwoyesS zu7&Z5ty#X;ClmYBj;VWGqR|TUd*QzZ-TK1b}>4Ww|op{GxEkW*W%pofw$+o z&?SY1P?Ey^Lc2{MFNF7++#w=q(zlr@kBW6BeG&GG;=u0=M_?NbW6&G5Y zG#E9AA3#@%Bc?{xf(ra@@ZhEEYB<8RKWD43rWR&)Mpj0}+9t)V6ONtb@EK?&%&3z0SQ{Zn+bV3$64vVr#;h5?@c;&bcfDm1n;y#aXlxD$Lnz zDs;#u?NE+aLql=*ZQyuAt58$baKBf9F>IK)f4R7!tWn1jc|H@T(ZIHL7_5Sgu&7Em z)_t&ICBCsYHl=e0x|Uoe;@yi_I;22YhV~6Q2uE&HF}Kw zyfG$EPd7%JGjZ5Lp;`#_nv1`FvlfwPwh7LWTTv9g&V}+ftObjf$EGMH9%!_%--4dI z^;c&#^VHpBPQJM@G$KZtutX<2m&v#S;Fr;iQ8iOhMki0??^+6swdDa7`RTHK*CYt%`OS zL&cna<|ZzToJqqpHKTM^+{j3@1o9o9 z6T2mE3%jVCFp_|$X1NVse#R+Ic{%hw25aE}?E`r&9u&Rl+&DMh&FIG1WYuO8!H9fp zxnWyj%YOyS{pLUaWUod$Vhi>nOXE^hibF2`W4k-|+HuW0B0zoDAIUx1B!P3uKZ9ud zRbGl`*BAVeJ+dsD_1}N|GYh5@(#Vs~cfRQT$W||lVD_A6MNvXD+6wCM;%KH-wJv|Lj7%Gs$9yjHdG zJorNN9M?w8HAXz9&9H7pvM{`1KIvs@nGgYIZbFRY&Nq~d2$3Wz>L!u*f!EM{2;Yi& zc}NJik_9wrt&C49g4n_lV8K@Mk!ZD!IpCG4S>C)Q5aRIK`82e?D)P)o>|MIJUWR87W$apY+{x>UPa;Y& zj9*wva3&v;CU&L12bl+9;~Up)$N3~-XVTSf1=n63@~Cp3!NcFu9u6$m`+DM$$;RKq zrMA0ogS)#y$~jSROEkP(;`Hw6^!Axh+C?wV!vovj_sOL^K~&Cp-Bt-FNFO@lSEmch zSmh2GUl}%!W`%#DicNUT`U!dmEEDsF+Kj)buv-!)uaLyI>Vj@tp{U=H!>}|=#fO5w zp%(nDRz+9N3xso*F12v~Z~?>#MQ9lMO;nHX<^)qG?n(+HH-mq*83T=(< zyl)v%BxUL(F?a_-yR7A4k^m&)V&CxIiZOAH{9dVuhqHATL~BAEhhL2MzmD@DC)q3U zs@kOg^DX0QqA=^5laI591AwzINkSU8rp3Jou|vGz%OJ@2!b)$!E@9l>)WvMS28+d3 z>~sQ+B>ft@giAFSd=9&W%c92)hoNwazR$VwCjLPqz?v3cyNoTzB~MeveQyO<%P!-- zsNrt@vkPzTyI46fQ27v+of;NdPnyQYDl7`o!1Ud72N1;Na* zHM!${_>&7qb-If(tS!fGYVMZRQ|^XbJhYpb_fJHKj}aGfj!aBIIldgSqu9hg57_r@ zFcHTJDdF)W;$u{G79c0joWZ4uVCuJB%**T=X^W)G#f%777g`Wj_FSdirDff}k$#18sML6&9=sI&2JqOp;a=nq_0}{cb zAtT2ShfQ7!AL;Xsy#&Xm7v*QPaQ9e`P3MF#CG?)W9=hNCU|BS9PBNN&u@bQbzwpS8_q7@yK{DJ&zmw3>IM_ z!9=_}HgG)Jiese$)!nmby9%PsoUi3g&U5BEAwAi-(JtBxla>m*|4efoaauH~8|XX{ zu@^S}!Gebb@0*fP#_ORn^A@>@+LIXwwS$p1gJJ)da78UEUnq>9htiA0Y1#|IBHPhS zP}{aKT3g1o;dc6lFhq+?3gclGC{nkHD=TUCl^-(7MaMD!#hnrk5-uksbDRpM1s#RU zr_?8LY8XSkGZnuzVutm%QMTOFD1Hk5$;lt@XE({GQBS1ugk}{Uh)a_JPQ3)5X2@nd zN1P(oV|AY1Op8;>T{o-dG+g*{{jT@*=!NvG{=~PO@nqQPw?BNpoe(Zkz5~H&V#Jpo zd_KD_uKP<9;5 z!kuyz7D6fuQJjyB+rO>}XOj^4x~FcUqajFeg%M(}vblFl*fQKsde#7IK$O4N)3fH5 zG>lj0BR03>{sq8i$1UR%b%}TtgAf;X0lTKAN9}gdZ+|9K0Dsb+bhK05ZXJUqT=Lv? zjMV&DxZ$A=(A;qw7|c=F*`+XbagBD%pLljOTG*1DbY!_LN24>ISHYGGKP4i+tayZO zV|+-HA+f<$p5M{*1dDsONNF{4M&5Nb383?8!gX=*)V;lzB3pT&%=Iy})7Yb^y5H{f zJ#RQNEce0cJD&RKJAL9rx_=nUc@j_4EpW+*j#qBr4v!R*Mtqsob6oH7uI=51uM&zS z^)%5|7!Ngg3!lPBrK*WVpk3?+t5CQRE`csPNhK{F$&rPjwhnjOHJb+61TwA0^?(GG zO}O0D1)z<5X&;QG6}&!B(eOoH4X>DMb?ydt6T|iTcbyZ>K%y8&Fxve4{|I>|cd$ta z_oyA}u4C~VUjkjIp`0+W<$11N@8`i}8SZ|?mW8o6?F6mLkDpv#hv(Oh&|F^8r^+2i zJe=tD27T8%c6rG%@Q&V%oey`{W3PK9FUJ5g+CeEH`i^mLA%&qiG*Y<#OIIiI$~K-N zn(yc%+;Tsh?zD*e!tuc4;gcB`HcDzT@l4$3K+S@T6fuz)BENdZv z%bl07emS0n-~9WBeLNfI-$0kBXJeMt-*K%x8wWqd&E}qiYvv>Ij5+V$b8+jYrXc6J zm`}tSO-AG3B@>i~Ej$m?W{qwgYB2cq8bmJzEI8tande!VN4wQ5It8Cg2GsHj%-7tL zGgt zj;j+5m~2R!k7-f^+j#WDRs$X*gn+NMAWm4Eyawhr_t5`Cmx!<5?7-j z|KvNkapwqxEs+ioSzz~wHIUbf?gh4oEQ!*wD8j|CAQ zL#n<+R->O*gzK>_w9$zyJQqI>uz>NfdR%Fo^XK_>jB=+c_GBaMBpzBslA*oLfvIYg z&ip0f*t8#g%&&YU9K2l7Vxhix+)0*#wo35nGUJ)lq@8SqactRi{9(W zFjT7`wm6T)9G@KH$IdWf&LATsCPB7Ppbo@d9&Rx@{0@h0wngM&LfFSTaWsxg8%j5c zw1v@s$ac|mO<-N_;}Xs|Sj|p|D##B^3)+tnTTSQ3y~DS~dxirgUlI}Z+t}qVn$*2i_p6%yAFZ#$S(b8 zwjw}}bT1o!qu;gi6&qtZdz-|yE_8D$4pw39q3318OxFEhjiM1|M9Prd1Tr`Q)zfN_Q9pj~WB&eyg`9_JD@O2@?kZpu70Ub4kW z2}u1C9tJV%2Aon4N_GG6EV-0J)zj1=?yt$4K6Ac&6Q0{Mj$2h%PTjAj%Wxsj{7HyE zB#ZqAhfbc8n!H*Gj|NM9uVP^tr<1JSy>%yjkB_oGu9fk4$_0^Kt&9;aJJ$n){$aQt zDX5QGDO<>CNQ4U;XN5==kKc^vL>tm$!fd@M=B8G~&o_A4hDpZ47*104Su-(933Y03 z_M2>}uYu&>%>(HWPXnZuYIPiOT=E6#xFV|QCLlrF?~y6%9O9o4Yif8R!c`c-J5y_7 zOi_Av52!l)fdPBa$wN~X!CwY+`tF<(p6z7$1&B9&gJ+|S5i&t=f zHFy#Vki1xGjFTVGi8U*@mr^kyW(D&qq)#p4Zhl%e{Fo04%o@%|9J^3I z^Hn@@8RtX;Ji{q=Gd0vFZM9jv$RXTZWjoX0wC|6!zk5so9g<(>C!W z&@0<-iNEWkDp1Fh9eSl`HnEks-K`i=LGx93N}l>j zXxvA^H0jP28sp~l+f;FH-vz3+Uc*JiuN`a9>nPgh zL>hCr2-_O07D1XOubUWv0{UHb6I0peAevHb00h_$B*0!Sh_3fI_$ z2F^@hHj*y(XyW<(OFn#4W1`QzCJQ6u?mZj$G9kCjWS71KIVeY zs7XeSf;syk&R;?Ss|0bEpDAt)A5ZGrWUxo z*4-#+Zg~*nvJlM2VrKY^N67cc{rpCy0$m5Fq8b(417Le?@zr<1RHkTG9KME$hwA{d zyb!8moj(p<)&a|}$GFnolrJ*BX3CCMW_cr#SH)Z4a#nF&w4ocVJ0Au&w9%VZK?zZK zC_%*1Xz6*@qu`C2ijMOF3PQQmL));hH(3z7H#EIwMaykWnc8)H=fiE_2mA`1_GxaW zqT%4s8huk2k7U`Mf!j&D6dT_ElXhjvZ6jNDEBLCmBP=%uaQaLD35hnRBB;rKkO)%< zL4cYhY_nF-FQPZ`_ECRtLA8a>Oprh(fRlveaD+Y_xJe9|cRcr8Ow+m2Ot!4{4++U&YecF<@_pHb%KM_aBB1)_wLBxth<*&cTpk{;DPw z`=N^g%uVD+nqh+|-Z!!!GnI;frAy0-1fC&)I{pRd_Ff3aTM3Tms?jt#Kf4S&WrX@CBr$85J5m_{a9b zx*jaj#$8hRj+`<@H|4;BGsHmoq9&%=ZlLLj>0te~T9P|D^Wboz`)gEmnd}IHL9Ggq`}1f2=XC~jZvvDoeZ$MMILw&G%Wqj02kRBc$GxMlUO_5f{6?< zQ=fMVkdJ&t6(4MbX|co+^7BJgwNXC(#c+$M1!gd3e8lvPIDoad6&lcBceRg$T|Ja>hhItHbp13-NHp|vgH# zr?uO7iP_zvbecaL2_!!%&aU0TYQdxS^^yvROimFgBy^Mj8GuFd#Ow|pjr8_m(_%fG z#IO5(O<#EICfiDuSb4=J=H;%?XR^yR2;2HWh)kxBCoWjw&oC~3$E&X&Wpu8jne9IA zaTM{zQ}Pm2NxQ1KF3Eh_1MI!QM;c(`)a*D7aecah#<53uQ`fRq*dt93-`DYiBSZ_( zfox|YV2JtoNsI@OJ=8z)&tP}&X-0%v~wMf4dw`OL1xV6t?1XH$HP zr-8rIP8QP-b2*-~!?zO&tw7ZUYz^EY?Z>hITq09D4V24daku7@jAyrG z$zcIYaz&Rb!tULjFQ+BI#eG$ivUM@i@f6qHgs;0}Vy9$Um^gIs7D3D$!at15kWWS+ z!8Y0P84zW8Oh>z78c8{5F5Y63!#>B3(iSf3HihHT7M^_vut2n>;WtXRcEZP;M?BTZ zHb$WlXbZD2DH(g(#`vjYW+cC~W5U-8G7hwdCsn+MTAHtj5f+!@OLAe|uj=6b#R7di ztb^Q4v&f3wPZ~sghfV$MbHHo;2Jc%qb%52KMB4A4Z|LApCai?k?W6CZ~(t7A{oHUwNz3-hX^n@6u&a#&5*Ou12*%&Sno6T=;J=kAf<_R>Z{t4lDq`Q(D< zSJ$5t_AkHQ!feU*)p+4iqW+*nekCBm`9d}xDYn`MK?aSRNEjT~9{o(*C60y?HM zGvVPFZhsxmE^k(N0C~0!RIFU-X9MB#AzVe-r9P1(uZwY*3;W1ECtr?p?EZEuW{lVW z3@(__OFDCm+wpA1tZk{>%_VijHo@U%1~sf9cI2|~m^(@I`V?}kkfAM7Wfo_-1TTTb$(IILVkLuDXtrR3?EEe)yRDu|9hlZRC7dc0fD z7wFAa7pr? zTRj|N-LQ~ylN6vlb}=qWl8AZg%;lb>yt%TFz}o9}K3`@S+LHZXQh12w+xw!-Rv(j1 z&e$%0NSM)&LgQ=j!0f+zWaM`|=xYX6>U;+#ib);S4qLM|>}t5M@;L%budG8cTL_aC z$@k7y#gP9x9Ig<-1s-xUUR`@eo);FEV{pOKLB=F0Ch3$RmKVZ~R>J3@ozSZFj6h-q zcP?dDpO2@X-iF<&*4Lz^B|f&TV_lxO=akjlT@Z$rCcrR9(NWIohQL zf+^&nmAd9bYee=#lb#VvU{DbYVSgFpSAQGkLlXb`&%dMp{CgJ~-?n>Y6?nS7CR=7O zt#p_5NifDxE9@}8__~C^>>fV&J z;HR=>6)R$RR2V--yx+Jcgfv^40XWsL&}?aVVCz$IOavG2*Fm`B{6_U;-6qeKzE@dk zrUNw3L$PIWsP*pFMw5ld7+{L|ip{oW#9;%Epxx38sGgGLYF=E4=Mf0}4BL~hfFH_i zw=v1EmqvfF@4ZN0UZq5w8^!_xRv77a8)seL@cG(pOcBEr`H|VPaC-BYPAReTWw6Vz z_g|7yH#hom>PS@nLT+yd~Ht!v>{_3U{sM5|AJy@T_J_mq08`4WGkViC-S?{0%&w?9ODD5Bu*kmV@m zmI7!dv+ZKL08B~S)pWvh>a9I9jx|h3W~YV6f3eW(Am@$DP8&}_IAe7>?LM}qQ5yNh zg_=0@Y;MZzbTCv3yt_^h6OK1fNuB;%ke_B}fQNvcBN$}D*yv6ZW)hRgH$L2^Pk#I{ zJ579qTzS5*?r?PmeQ4iK9dTDlx(Q%x+Zkv`fbJH?2hn}@k+X<#rXAijq}%|(6W+We zPIjf&NpPBD;@z|T_&tbsftcMb327$xa1#DPg(<&fVdrEPZl3nW{AXl%i{g6xChB&E zg@OD{nuN`chB<$+oUgJhWPY`ayNvRL~=6Lpyn%gyO;)|?s5~O2O21+ZV%T68v0A!9xfq!hnFBx-$oxN zGTS%IItE8aBv6_KKOBp!AFG?IJHP>`erB859rf|(p!FvB>F*`;D`zRXn!0(D*RH9T zH!xyd3xBnB>TlSmDw3gH2PaSK+l`nAE?(S@m+VM+-o=V40C_ckZ+0opmc0}CZJI5N zCU5Z8%npu>nB}PBEHX_^60COAvT17OKB7rbOo;qO`P?)$*d0_pH_bjC4+}gYvyZ3v z<+(}w+iGmf>3>XyYMKK~IC&>nK~HQug@pY+W2k>< zDPkdL1|wGBPT!G5qa_Sh%SFQquqJ)6`fqumNr z^bK=U&Ay3Ws@@_nNq8dCiwAL6x#8*eFeD>$Vt@@^L6XM@NzUc^cz@Kvirizt zBip-nr6G=qVWr+cOZSO`!;44+nYSXsU~gVbSk47)OtJtCT;IkpMUW%zJDBi)HDBC} z=`H)nh4WE>%FMot!M7>-!3U4lwZoZgW5IWFv&x{W3h=k2u?B72|9VDW4?3ErpsHRO zbT9=x+vRgk##q-|k;`{62x*lZl9EGTeN!gh>bJpz@IlLg+n|SmFHJy-YysTfg`I?f zhG?DoTX~#s1~`?q(m*pGr^E>_jquB*hZypzx#6LWyLmM8`OLuxH>twtZb0xcvsbj# z^t0RM)t7;d*=02k=U{@|Me>uk=eLaw-^^TLn8d)vNP#d}AL3#^xbz)f?ocyo=KLNUwsFOLLGJQa6d4(KGTR>&6*bh% z1kP}WIYV5{J{xv1OH9MQCv&J76?SsKPee0vUTr0!x0ACe+#1T2j%xQz}5y1 z$&g^gkLIE6p=PYmJ37PIinwX2$qXxV=-?4Fz}FddaH!MZ)r~qDn9%tQ-KeXXxO4Jb zSGV(9PAsjp&?6J~19@S@M@l`FI7Alyb|16<&zBfs9-taWXhhmLr zk;LT~>lPt2`@OlrMt&qM2O0XXk6nwpsNPX-bbjL_-sPOl*|dTdn>Q zcAcW{oR&&i8=ljfAYRXogsbHj2~7}{X-V@?Dx22{bN1D{=^ zFU*;bl5}0sE)H%D=Kvq__{eiWVPQc>E>5RpQA1u(w}Pn3R>Bs*`m9c4yIss~S1v+~ zTs-nBOvU?4;1@=dN7PbmJUhD>#LX}M!zZ_#0FQ)S>3{ zUo3>-Z`a=ZdgkyfAcvETS;%VBPqIbg;&8h&LlEz4xlv?sT!E*KadlX4lT8qpe^b-< z9mJb;YS0^M+m)1W`N=V7H?swtS4(vbO4^REfQN`B@tQf7TIx&Zn3`fC%~g!FOS)|u2S8Q|hdqr4^2 zK!>k5(&Wg#!s(ee{woiV7W+VX@DT=gO~W{R@N+WsT*SgB51xJ7&QtEtbr_RB8B4tA|TzS!BRt5^wKk*}BU4u=*NyhwCe6J~8MYqN7pX-XgOzh{~+e9}~f-Q@S#Q9LRn)Hb^z-*RF|FEmH5~`=w8fu8|&wKZl zX40vX?VH+O1WN;&YqDb;+#1s4t||V6Ai-%-%yX#Sqb|nIRor*GgI(kC?s+S^ausF? z)9zv;XS01*Tg0$UoZfg}7SJ~Fj7Ht=wawx0RAuen0JlA+yfLJlEGcO&yYFJct|mBa zdx)pbHL`ZL2CL=HN()q=nYM$|c?&=GcLKFn*K1RSGuRGpb8^L;2P1RT+2*Knf)}gc zqD>y3kk{Z>xYMmdakY$XOy0`6+WNwCt2_oBLX8Fvx2lJBDR*pQpeN`3d|A$iPMwMZXuV z?zs3+G5fOhpMyhDBn(USRNBJe*!SKMZQ&qs$datRa1(>1X!H8I}Ry2@sEsb|W> z;nI1xiS}`hr|$0h8ouq5Ps4(p&DY>I2&uk-j`nfJppnN&2O3JYl)2gIYp6t;VyJ_B zAPI)<)IGgLaXzZ%avKvLfF334;Fg)0|6^S$2~y2;f!lB=M&EEg1MVPwIC3R^EW3%+ z#VPH)if@f4>L@S%F|rY4#X2TV2b}jEnKPeMW+m04Lx06(vNs7jz{3J zRWKaJO{3_Qqs=fGyyi`#f9zx-391mQBzqnv zqGN(A3#uxwD_4%EeRsrL4ki}sdvp$XfnhqzLw)+c74_m7cy!*WAEBT#w!>t*h?g?q z(r$Qnkh3IT794N14#Pgj?GJvc{h2kr;BznKk?xfP>KPcpf5!Rt%oel*N4R{?>|!%x z+tQPGI?*glm*RL6-Lr6x_`4}rK6Z3a{w)*N&3AKY z#~aS+`UeG2)d)x^|C@~-HncKwh91Q^@tf#PX1OsN7A^xoTmebp8q={?WU5%FYMS#$ z&ZVqKX#w2xm?H-$q)*F-F?$_(MiFo5SRE)smQqU8Y&I2>qZIfIv)RHMWX=6(f@nm{ zW*fKjUWF^pr>t-p%%;)8W}`CeiXO(pf~>*Br~mpRHy_+Ae*G>U*b4d|&1MhN)1V;D zY%)a|=$UpdEEsv|S^Nj;k+Wvg!Q{s|chH=(?d{UVhj4yRrda+&2e(2goAk`4r-0_4 z^d(5#fLq7O>@QX#P`i4pJ?j$zDLsz4IA+;)yADWk3BRq?z@XqWMmmwaVpQTuD^KDk zhGEx|g61Odq7SX9ukkk9d_#B#p0pEO7T@)kmn7u8jYnpOi(%H4X-N%`KM7Shd9T_v z$1rL?uE~%6=~fR4msSh~A!Gd!t%X_Ua|vS2A9#w(%7VBmJb(0k!$IUlT17xL%dbDs z7|+~R^%&Cmv2OC*MqAhY{P zzj&^V&9oYGW483xXBxQ8RtKj+&d{czu`LNZ(a>5${lViIy{^y`HjVctuBU8 zhP%k{sB^feW|(aqLlCc)@mr8?kydPXu%qa>?quN3WJKX~Qi@_CN_9$yL^0D2{k2ii zcV7wh+8s=Wfa8+3iJ>u5iYl*j=iM6pl-lDt7c&(5VvWjdGhFo?uhwCZhab|XQZ%3r zuH*|`3u-v@1e$sSPfe?F_w*)?0nbUwn|e!8rVZYAut5=sB5awi<4(YHd`C{00z>no zUI|k-Oz7I)#OryGNFQ37N?-7;(JC%9y(eF|tD+;^XRPnT$0T~Hl21z7Q}3#p5Bsy* zAb4hEZY6DnvH@-+>VkLIxX({g`(S>JEL+pNf_#;8+v@5#hTbWA(p;= zM8SJ4*I>RZrqGOkJ?$txwi3D^m%>(a=bI0LC?(U0;)|MZgL4bR18JDRX`=Dk)YZfF z_*Ps4x2;btmJ|FbQYd@@tS=vKr>^GT4#_+T_OXyPal#1YMs!ohbS#H9x`zctVZ1E< z5%CgU#rcplAT5W(=NrqKUXOnWQ0!a){^-9h(oGmXY0KI{Ku7yWOTk$9F3&|DI$MQf zL_$~vx>H`3`R3p9J^o%bJXMTozL3LTTHwvh75_;)l`^Be`c{8Z#-qLSiQ()a1>ok2IWUgc|BNd^+ zOuO$w|MsnN6>Q>W1HVq6^Etd&ol`_+XSH^qqX4;nt*F*%VG5#Qv`w=|GA5BSr0%rw z5kJ_btBf0@X-1#%^wF5hDy5@fcB+X@Ivw_z%yq|L|Da$`;+QWLRxLW+2HZv`ATzq- z(F=G?@J1S{B(N|$CMGI!-$?@Q3x)#vo%gV1s}h{>&A>$ET-?`I0V#AF_?*;aZMqGdOe?arJX`cpoqH%p zdfm434|+AZ_$RQVX19YoL)j0XY10{Ju`V7ra7p7}dFjWEYtoM8b?6$3c>0r}RaXI{ z%gdwvfBB-N=vq21e37dVru4RTK1bIwFh3HikB|^lO<$&VHM=UjZ@?IKLbn+vvq5ZrWK+;YHcI8Q-Lt{`U-Kh?@+b`_)L>Q1SLL6_&; z2@j)f{PD<|mJ>||N5r%wjoSnK)?o^@X|@yuMwgmDU&O2b{@?tSVm~q9Gg~lsZwbwKW7(DY(G(IqC0dN3eMt` z&n;ADfK3aN@>ScGP1D8`?at(?G))In`r%@i>EQ0_9RmPchHsCdD#2sAm=aMjhSD?@ zIM>4eaeu!>zvV#<;%DwPFl0_$yzMn{3wu6v>wx0olW{?cqSwT40KB4J3kP~P(K_Tn z&K+a)yh`_M_S(4r^2E9BwQ)MKzNdslu%iMEYEQ?dTJ%M9tkP~=o_813F+B}c<*9F= z~*?d{)rt2xAPbJ#~F{WTvxje*DuxN zNyV`8_27{yra#|0j+{lSq+9qZSSyAJw*#U|l3oW>*~IJJT&p9@vQ+h~{YFq{@n)Y7 ziTta&HwwPGaQTu%sdjrMKCSY?UJ_o#3)a~)g?CwUXr@2>1d@M9R;=bap4uZau|p zOllHsmUL3DR&|z3ieHwi>NZ&R`}HMdM8p%wH)UkPe;Ivf-io z9G1z_@nxPw?^d$a`m5k&&+A!ix@BOxz%wA_Ru>=g$f?VDTPFU4=&PETqTY+PkC9A{ zY+4L6X5;&Bxvej<3Xmv{pU+4QSgr>hn6JX>?1q8>^EkOdk7F7{086zSxVh5M~aw{e#C9R4O+0IQ#(4SebyRX(ctKU>FhBYyg` zP=z3|J9v(c@3Pxze`fJ+jH%0Jn(I%j|NgJ_Z_#qw23BXE8y!eX;kI}XY1usmRmgbY z4$BSvI|~J=Po3f(h8wbkPGYcpj@R4YnzafOx2k{ipj=FJqB!Q>K;ZMk#nBR>B ztH(&JXjZ&=*1}E2oOry(xnYXxCmrKFUm6z5sFYGf4X0HYQ^ea}H4&_X1K0k{9RS2R z>tG+}oHsFWr~22+5v+^LIcKSOreGD2Qf1!`X}j+w;8{(dX)*;FHLacT__~U_+Z}ZI zoZEP+R9)*2b1|y|@U)nRd5H(v^K0G^x1VT{mO{9hp#Gja3f`zQ6pN#1gS78=snB_l zZp-Jfj_tdyt2KKK{j#aulZMD)J7U9*)5fC-YD|#R#u(G{r$(Ai2X{gZvxIwACvq~5 zqTZq)T{Rs8YttEk_$lPqpK63VN?cGQRUgv6hYbS5+NBj*W9b9`AcP zJ}S&mpsVKLrfAMs@5i^uXWnhJpz_Vlp|;PTXx9G}wF$S0@hCs@`6yX{G;BFut3ps@ zx-ERwYi_IC#=Tzo)}|>=x41fHq&_fAk?jc|>%0h8$GwP%oy64@Hp(6C*@dOsC7t^{ zrBCJfyE@Lnp2|462JVw}@1|++EMr$oISjn2+orA#6^#=vw*gO1m5EK)Y~VM#ot48) zD>x3<>|&NKYu8MnIrI;kG|Ha(B>%#f6(5HdGN6<5u*m4-YMgd^5hNQ$$j6t#hHf9S zO~NF2{Mho1@l`1_z8GeFj|0+igNU}P1QT%ytQhC_ah^&7-CJB39&kRNyFb(X=|FrO zgL=3@*Q}_9GEWGu`4YHsGkS|+l9rDZhZ14OjP7qN5iE*2lgpkQ*KwBvk}n>@HRtqI zZ#2f5@}Oepdsc!ME{2({4|xfWK=S?msHQ20FMufyYY8E^2-Mp*xBhHA)cpR{$QtnZ zDohlEHfB$M%z}BaTGmzJrLPXX8as%SY*FQlmUqpT7VacDXS|l+*yA*%P zE2Az<*Tcu#4wtV{wT3BPEU$^@1=xdIjlLb{mXK|U*TQ>qBLC{Oaru$dMii&zlen7( zXBa$Hqf?wE{5LI1u4L0QaKf4nyEfzn={0>fRvFwV>NC&4oNPBAi!``&>q!phBk!##8*8(v<#9gNU26$x zjiD{cW1oPc-!*UNKaic_Bp+V~dpLb-NUqqxbqDUz6g*Mo(IQGlim1l=3vm^fKXY=Z z={btQM)`+c#91niRVYIP&ruMa9AJ%qMeC1jEwZg0e>8>Gk;~tL1U3pqzitq{2GMc0 zML4{y(ZJ*O?xG+Kw)?x}Uv5fO&KfQ35`M0VMoVGu{jk@&2%^SSBxzinQ6N%TqmAqD zr;Rde=os^RK#-0sjvRamwLi3+45^UqVpiMR=P2C-g>zT>K_rDC1~WQm^anJSg#0xN zksi($9H$rPah$+D=aX0piX?eJy;cmUKZ5wPhK)NoXW5z;FPGXVPM&xk%`T)^17o>1Z;nQ<*#HKX49c=@T;CbqDYR^uuvUOxc>r8XjiZ zwN}x(f-Djz%d%zzH|v}(U$JHr^Emk7zFoUWMX{!iCxOluA88t{Uz2RJ(X8zGclMH! zd-fWN_Kh_=I1Ow$ch;zU5Qm&r-;q#*-~8{|WabK)Q`R(ecsakE%%@cuzKKahhq{{O zWX&$NOX@g~MDf?|U))9EFSf*x1;L0r?GqJBZ z3zoUIubJ7znwDaaQLx(cAeH60Z@KyUUUfxT)Al~mNXeQE`*?5BTU4HTO0j^st-ra5PVe#2p2J zp$h8CT5UYY-6sz`p)fSnrW8g6$$YVkG0UD(*3xm4$oRs~atM7nc}MNAxg8J>3Uy z;oxKaUPT5R`C2VSBD}wi9;2Yn8z(UgC@Or_Kchv4LE?2SIjm)3#6G7^pvC6jie|Pt zgf44Yn7KGHFw6Z+8*K2(We&BO_6Z5D8)8D41qs?G|=TW?>TS=kb<5t&I_9 z{wDYx#ae%xa{;8q+%yuxDMJ5Ol%^XxI3=%ldGFh8oQ|`Wn?-5KrCo39cuw1)QCH%0 z61J6Gbo8KBwbn8#(KT30hg(!qe32SxiVo$MB|W@*4l_ljrE& zUfuSEAxTH3w7D$TqVZi(K;s`lD?aEIISeRh%ah7kK4ED$1#`y{E(de8@IRQNO5%7*O5spkW$~|^%rAO6LKWtz+)zru z7HeD0lcTxLo8?GLVN{K~e#v;Ax-#XX5LK{vo{@^t73oi)y*dpXUt>McX?!Z2=`{6E zHc^v^qT~GZQ6X_m>F_B~8|$=i6CTR#bXvIQukQP_aOtk@@is>6-SS5MT(#}#h-%1$ zSVzZbgfos=r-K`eqU7T}KWD|m2IlO&57u<8uE|r+`$a3*1@U_t7#Pr|@55UNrQ@(q z_8+~tf~N{mhLI2^AKA?|tBEl9Xd9^Lqr(d;Dk_Y_#9%E0F+H+Q59hJ!j*^8FREq0w z;YI~-JS`83!lfBT>9*e7cWlgA_p^Uf`?X!n#)!;nM=>b}C?%tzAWWM`FJUw>u__yk zZygCix6e!Z|EE~Oz__xn=bw!(hRpUIzi5dSYxgx(W@ea*d}Nl;M-A)jE5}+h z!@|ztjXRp%Sksy2Ub#Goy2*p68=0k^A3)8Y^~=9)VWy3<4}|4nqEl<0J99Sg8cVgq zhVz#l=6j6Qx**)P6RGh>6hi6R2&q(BrfC}e%sG%o$hO?Doe!| zgPY7}Q_kXSzL2{2av9tn_fASTp+i;uE0}lF9nQwg9Sp>$p?V)hn+?6wBwMDTmb-)X zF9j_rpT_t`Hl>(uAg0W?q=Hm?|81=$rz1GgLnSVGI`kPYgLi3_@zI_u2om;-Sfs3; zw0%mc;$c@7!-=%)P8f=Ak}fTOU)*RXK|BusA_ zHV$X5>0M*_XW1A<=*670U%Ts%hy5}QSfsub9OKMT;8$vfWv-ttkFtS=hu?$a_sAdd z$;y5M06Wly5pXnqEY&~4zJ-cRvCux|7JNxQb?#E~ZbD!Q8Jju?A5BQ8rP zLz~keu-m?qL2YXd$iDy|`dKzM<`McCW_#ajD zF+BiDK(@am-&=bHu{Wxd=v^j?t&XWVO}eW3+A=$aZ5?;%JdyNnTR5;)!f0$;*y=d3 zlzIhY8i50$S8>mn!%`+My2+=V^g1T!l0KZSpnJeOU$0~3OBKZ2!`{+Wl`28KQCD|+ z6@w6QAA_wItYZsPTEqrU<{1%LRGS20o@Ms6-X`++>Iz>`Z?DNwYReR&QX7Z)p zMIZ3~m5l?MSAhXO7=+&X$=AFTHz1-L=d#gC6Dnw)!-co?uKf>jI6N8$WMTK-u~cRf zO`<5<2)-on#C2itB{vVQ>3)xEy0!kyyiRvzE`vZ5Kzr@}$^Wl_;OJlC#u6H%LtmV` z%fB2>2X;+U8!x>RHWtl+K?g+@Pq7Hr416mPJVLyfbC0Zm=MfEepH|{~pnZyou|5|) z{U@{c_td`roXv_ai?r7g7OT=FVU!{dv!(4wJap^o(MQ$V-9*8ejm= zB0R;Lqf^HezJ2cTPY^h{ zuuBxi_0(q=xO^I@l_t}nJf^i zEPpUrMbWIKn5_Po{Ao`YCOOWmiapaav;2H2jAtVAeHy+bC5_sr#e=8uv$lEuoJnKV zW3L|k#chtOG!?AlU2;aX1*>CQvL8P4TUl!DZn6eu4aQC-Ybg4){u*r;pA+M^0mgwf zafzGnN1+x72Zgopy{LH87It<@B-~gVw}2_b-(@l#Ync)^3hQ7-!~SmNX@m|<2Qz&A zxI`KuYaV7|NL>ld!%Pg5E*a-!mg3Z>MRR7K=xS8v4YP2qM1jg>4u;sB7tAy&81h}> z>lzh&lR-PjsMg?Bi_d|ffD0>|HE>DX3~n^{z4gO#cPOA1DFft#WYiR`J6&_MF99#o ztVUhYAhyIJ*Kz;5E3nz(&;j2gc9eX#1j`LO2WM>0Pg$!<^pXr1d40CwpM2?%Xa%o(6 zl{OG6TuenB!a3Ms!@zMCa48xV_LfgrbX*kgS^m)11XURHCd}kMm(8wXu)-k_^XY0b znvFl_O+K@NyVRFB2WAx~*-Bh8W(@~}oaj<>Db5uM)d1Y@{v8j_tYhM^V7m=g>A)r~ zz3I+|Y^a^=ILYV0VGR(0FhMi3O zwZHK;vIQ~r*B+JsIOt>y{%=&$1^(a)B^xH~{`OZ*4fivw-{sTb|vg5_@Gn?Js*tMB_zCIlSzn`U+ASS;Hey8ZlR1~G}=>**= zn_N)8L_-maox@fLiSu0GRrFanS78-A4&=iMP^IDXwqo5#Y1L+Hd?ZA@Zm z_wHw^vLe%F*k`ithIY~2XF7`Bo<+R5rd7f0XM56#BS4q9ELIi6QNJby_lbEZQ|p*k z4L26K``G%=$5*6PQ*;R|{sLA5*VfF;`w`z%1^j=RG)BPQ`_BS91m7E{$$oAFH@FL8 zw-u+!tQM}B_?ufwK`8kKmaZ@x)E0-;>A+x%b>v;AQVK@*tBfSnVROk2KL09P405qNSXGq9Navrm<5cBsJN64J;#XRZRM}RNKPOm zrz`(GwX+{kAden`C<8z3^EaOlzpl!X+7;}|@g=={h%U6@Zoc$GZQ&nY zZSI8{?c6Y0@SB+awFtR7S#LwlNQ=d6Mf?#v)piXRaa;cKgB{nYh^A?n8PrhM1lU_+eSC;G(oV0N&5JxyQe%Myo+YE zH8wGux+k)i$5Pk_jB#hP>%7t=AqA*^{o-#$9A<$u)Pf0?(|!JsfDj}CwVve>KZaNo zDxmF-j5eo^?QGNhL$>9mJ~E%)uU@SC=hdnsui z)dl2Y-A)rnV^W}@jP`W*TK zuf8COA@gd`nZs~TGu-IEx*;z6P2*5BT*+oOqvxqyi}4Bvys;DHOfLb{7xJ@I5u>`CtP#kUA$a z%4c%g*bNMpuYN>4rh*o2RjL(5F#7abRVx?{YewOUE35UfNx|h5v=DCKt)z~@sZb4< zT9tX$8V4l@3ulj0*NS^9}uc~ z%A^#Cc>JnOY~M}%g%{0_%@LC7C`jOw!i~+#rS@G5Q!Hd6g@0^nxf(#UB%*NN*w&Hi z6~7`E#T2J*57)XRvba~Z_rl$NaVRdxvwL62c)BJP<#vyLQ_DRsJe0F_@DhkGE22#k zS$MhK9aO`uxBlkItU=j~f0`pr3`QiAVoIJKz0pi_XG7;sK26KP;I$_hjx+536Xm z6q%!F5(<4~^I&H}nX@EOOhJY;ppGGkIR}mp?qG{)DwlzW%=myNrO*~_i}&X(TR+hxOX z3Z1?Cuhbef`?-Tut%{+Pziz1VSuvq>$qe9apj!<})9Vz)*i=ADK zK~flO%A(zaM|&10d-D6Z)~-VRbJMfz(L}Q^wXPR!gGcEatSN565_Ot10p_r<7}sbt zgQzHK3`1+au%S6~vyn}l<%l6IQ~z0D`ymMomE3=e@y#@KdTO?Uw&k=fU$0(Vv&%epC=}pXigxg*zBO#tcJRE{4M^<@ON6L_H@n7F^uK0Q+-l zdH75g_OFzLGqLEevjcN+8@J`W^1e|dEO#grq+?mj70TWc5M&ZQgj*Ov<|75Yi#L3u ziA${e!OJ#RO-TZ{S6&LC&IT*0VBDEY7ZTyuXWW64LNJXMrcu~;)%O{&j$H!;rzwP&AE&#K=%*}x*DeijX zv27pkD%lxsbg)gwUa7IHV0SebHk91iU2j-)X*LXO;tjk<@>G2<=MOb3%xY9ZKk%)O z`DN6;ZnJ{d<2qRTgpqcs>vI|#XjXAtqlhDnOVqHTf4v-#i#IS_#{TdZ{JdO6KDAX%8T-Xg*=#zvUZyaI)ofw-QSYmra1M(hmu3qy zpRqxjGMpcM>lO}S54?!Drnn~@g>y1^`ljZxL!Wyt+pa<<6xbzA1s2lmU1@HYUj|*) z;~zj&T+KFqyIjpTAFN|9mx4?SNg9NQ3w1uz_fx{A;Jq%DSk2{>Gx`Fpa}s3?dX3t=iG zgnbt_vI>3#!&)ZH3cfAFH)*%D6fFtCscq>P&050TZgm>xxVc;-!J8}C_%Go`GV)pm zHowX|oPnVW#SJ02jH#&O4B||`cnMvK_Cren6G6*w;f!H__r7@|sEPzgCR`opxJJ|A zkmYDg6%OJ2S?l`Va{Dw-rVgpcYHryroDL`jlIBy`4Y+j;FN(q=t~OB>*@~i8%7JF7 z>6VRo1W#9*wJL1|fz4GIKIS)YyQ1i3oB~fr!z;_y+yN1x=WBlRhI_lBpe;W>L2X5e zo6(;qK0Z3XRT2`$pLD)63BA5l3L+_rG2Ck6JnPf5`F@k2qR#^vst|yKUpwhto`hT_-h8-)mP8Av?=||>uh*K5n$%F(js_V<$j=nFJEKk zIIKUq6mma$3o~-FSDznW!Uyg)4 zq29rv>uW!Y21y0Ou^7DRu9@A}2LJotT%%h*f4KdhKd#e`7WDV@=MR%j>?!rOV0S-% zXne%r=Z~pvY5(^>KYvWFZ9XFXA%+oO@$R2L1uw{d&<#bzw_s&+F8B>Qr#g z7t3`malJZKOk-HOzc!zyc1E888ji!faGP`#Evk!tLlNXH9BwLlnFjvKOZq}c^&g2C zR8iw_9fpx+zrXlV5F0N?KM9rn-xsc(RAS_fa1w*xEY1RGuAoC{INT1i^_H6zMQee- z&*Ifv-}c-BQi((o2fYJtMaB@nle~OEWc~$l%*k8ui-V5Cod2%B;d1u-ckS6ELU zSxrMS93#?}-?z&oN|9K8pANXC&qW^uYS~Y-;pYJx4zu7j4adg*A*dg$!v3T zCbNSL7jA}mi+n;jH6sLzwPWL?!41C*DLE$XCSRYN_;O?SEMYCw-sw(#5Cp(BRL#8R%TpT1Ka&4Szt+A z5uhsZeVQsR$ig@wYvKHSneU-!B9Ijo1usDY)K22<$NdzJHqV=i9KX zgPU#-{D_KQ=yDX>h{$!tdg2(YVOHOtg|2xZk-E#>l@T zLyMVMbzbk*Q$POR!dY~1ZFq^jZB%t^5Kg;${(^LLUB?dH$J&n`B{ByB35aUdsN?D^ zdr9>EZj|PWjD~|t(w6-8@^$-OX^ zJ3qGe(&sJV<>Em2-3t8ZZ`25D|)vkQ}wNiH&TB}J;dI`z5qwpC!gnc zw5-|0&a?ZxTQ2AP)=R&i*=oXv9(V6z_|(@U6VPnqvM_Rb9>N%QzVwr4^t6SiC2eqm zxF4*SO@s>?Zu}^q>W^%!fytGAy`co3xPw~^Pos}jrpZl1L0}L>?%aFvhybGfxdG~a>|k-ejhE9VK`Jn_GA ze`0YmL2W8pldgO}q7Nym9;<@UXN8o9BvL;otz}j4*DG-ntty89-2|JbI5KdwKP4Ji zK1odhJS>C$w`vVsGlasVRt-Z&r{8zayC{%*Tat)@87OVmXG2RfdZXjAF{@T0`Du8; zmH=F1Zv5xzI_1-B)v<&8_l_^pZgaFm4IIMz^#UoY-TWQD%xc?;?ryK%a<>+T!jo?= zy_Xoeyu1|0EBcVW5_IffZb(pY62#v4wYzWVMuJ-SAxhy055Mv^FHb)8HW<3DC<9k- z;=hXhJjn(OvTK_}ag2ZEFN1>Rz~=vx$DOCq+Sk}$($gt|PV2?ekBt$@l_VjI7T}xP z-N_9tbG5P3Cg*cuSbVTtkdIFNEvfolI@nwgUSUIS9tW@7<`YL_CeZ^kl}p&T;vn0f zxy=I)IzO4~?LPgRe_jRQuwnJgql2SYaYnx!M9ETs%ew`hV7-(m_@&$DPdETf8hQJ*HsrwMQces`E1IRjgYrnd~<8_${Rj#hxq};}e|6p-&;o$u}K02La+zhY}{{6ol=>cQPnOZH(Lk zIZd8n9_hcE2bx!y+7d`rl2(D!SAF=j%c4}Zk87`uNtd|a}XA z8$ZwON=B6R60{P=6~IQ(CIhfy~9Vocx~K>+q%WFPcP10g+PVT2l zat*hI3lVpzD{~jbekl~J{_HlU2pvV#kw!Bs#muCuV@Fdl^oIl$pueg`b#+YmccItj zcCgoG&u>4|9j5-Z{P`|MRW8{4c08>k{NqxX5C?pE12c=)ZH3`tQ1W3bQ9ZdPt{z`< zj!hLd^5r$ns7?=m70+X!Z{07k8o0K2Qf@q;rWrhi8$d7lfB*R(@ii?S?nvFAwOtIS zlCdPNgRRj0bUGiNSk$r$S?GJ0;X*oBm|I_)`J0#BDZ_ImiDIZrB?;{^oEEJ6=?ue} z7i%7y@3aq^73>Q;?7Das_612U*TvZz`-)pz!Mzg+Vf01=<3-Zoc@u8`E)i*y6lT{g zcjobj@i~Ca4SJ)Alf0v}V*KBOLo6yuz0p#%cY_?8-e@cOROUhE>)^m~xTjm?3mIen zIBq7a@0jBvIHo)A+Ud){1P#CBLYLrxqX6 z&sj5vb{(Yn^lNdSY^itzXU+b#cbTsgYqF<2m`>J;b3UZ zO^^Fe&aJnY4^7RPYV?1GBkxbMSi<}l4clBC!{sg!XE?xhqMy5s{~To83p-h%w;C9M zQ)ALv4Ghy=gqtU#8MTUsaYM$Ut%3vVttM8olkoMGvO>Z3In-|aC;vGqA++>X3wN62 zd=v{m{3nzc1DEoqw%RzouErngEgc76-y*8#%a1Dvkfx8jAbtzQ(#{DeDahkCf+uQQ zO@Hunuv-(X@Ygyds>BNCo8Ic;fGqbnU7w~p?R|-U*rQiGZiKjlig?|+8GlYsB<=h> zT(0*&lI^p<-S|)ZuZUN=)x#yi%hD5k2~6>D?o;-445$O6Gf4`!YM4`Pc5}n8dr)#Q-0^fQ>m>FYg57%V6jF0z=VqFofGmB@O^rp zzVjf>D(q{Xl`=6g;WO}kFGTdWe<@>Rb&&T}$D zyJ#8u`?AKSg_N}iEh|3U+C&2`VWD}_JQ zrZ&o+0xgAm2K*5pvW%|3}s!BaFc?P(pwUMhv7@Vb!#sR%B3o9c9oOGm@nOupJN#~r&6?6sDh8Fn?Uq}fJ=!cetfj(Ex zWHf|7?7X{@uD5l}LSqdVKZ$;BwhyE&>|j)B@Yxoo$MA@gN1L;|g_wnJ_i)x|F}?Xd z^{#KP%}T1Tt*AD=Yw8&-g}bG30;0_n6LQb{m2I~Jy<7H=|G4pg<@%L}kBZr_dET7h z09jv&I3TvH6!~Hpj`K6z?P!M>^+X+n2Du^;%8v+CDg%nm$feP~CgJk=q}~d<M9p z9TT@NBz8(&@8RIvR@YFpgL{78^(!ft;O3(I)C zlHO@yjPg5mQ>TT=RjDDuUi&YPLA>EHkdUFyrQ6u_xUrwmfaUne*PNzLa=J9Vqbmke z@h`BA{^6T>kc>yCgGmk3<4Rp?k|phQaGH4Hxl{Yr)6lf*@)_%Nutk6={7x6++Ae_w z>YW~DCOOp-=h1=3)K%!L-Z5}{R#x~wI-A4k0<^m5oxY3Po=!t=rY|(YW+M)&&^u-W zkG5D7%ySJw=wE;=Ewe)y6zJC3;-OZT$L=)I;>Uf*fxzw&A zt$)Wxx8L#yTNqVuQ?aQw4DPnNT?L(6co*_lBUYVq3QGQvv<%jawP6*B;1RZQL`BI> zC_W8;p6f4z>-6S`mz6}|*3E+>54-4hOQKli{_lU*8*bAIf0Z7`pa6eIASN$3yhKUX zVxz78eEgH@(obB+ti)B$-*20*<*4s8ErcWEfS*sY6D1u_LYRbl&Go?g=Ly@8=2@O% zkPWAmFpl9kxS>``feC)1gwA!8$lHa--yVltnc*&6`C`GUq`+tuXfkf1$7mz;vhOG^ zy{f!6E@BoVy944w<$LaLs|5-18sUOQ@D|B69`5qOhfi+75gK$f@%hB?a^TX{F%skp z4>w-~6UQU+ux;WQ=GOBOfDh10VraW^-S|o^L zG*jIsE2giU8F#>Canbq$WztiOx<2FH_xh%ympj}ksE4>L&h>%I(z6t(*b9EBg=cC( ztJJe`s_K^D|Qvr>Ca&n{m8Gn~%+O{7taY{ft6IT+vdeR?xpm<2p-REClFT-;nGie%9GwV@Nmgfh#9O-x>Lj! zjQx#&*oFQl&0B4+G;6&Q7RB4m@A_miz0=HFXE@CT`Z$9<8nEIq98~j-*cM%G{83D= zU=D=AAp-J~i=4;Wq#YxtUB_c*_+q%4H)|DaQ$j7Pq;vZwPOjA$-@b({;GHsy*H=&< zd`b+e%$ z4u^liY+`8F8JERuDS)~cv?7^`!RXWJRO5O$t>P5VD|(;Ly((@moNj{|;R$Y85n7K$*)ypVAIy^I(VVg$5*ND=9!AAkj@uH`-){_h4j9V$g-Qb>pXgS48ICq zs%2x$B?wV1h6{JzVmfySH6b1i7uSIaUW z6WbWNgrav_Z@{ncHQ_&#f4aO4z0hrC%fdfD)F2X?B*npqWDvm$v>vR`ZFkC<=q zHcKijeZrhR)p-oIqGW3ML@M}U5ro1zliwFfgSdSW@>xAU|&40XlG>hB6Zm=>2g5q(^<4~DKpxZV^k|`#jksQ4Lml$E2DT=>g5XXL*(^t1$JduaS z3UU{35Cm9?p2(QMJIEbjh66xV0|C!LhF>odjhfGdi zfkTfrAwk+o``yQ9XW^3-dD0di?(343P9O8KDPGaU*}ZwhLzcakF*9VnE7Tz(pC=1X ze3-rl+nK*7KtS<0MxlY?uVdl<+ngoiV>&5BX7$sBsCLSvyYbIicxkXs6EiR8Te7!s=x9Td2!aj93{7ttWS8N z=$d3rjB<3?OfJtdMWbe((f=B*qewOKP1thQ!f5KrVj^(p6x;$8-N0Iy&FyQrTluv@ z9h^RA?zj?dur4l3-beo=MW|6u&#^8JFlvk~>tSTY1%3xJFpi@>slW^!S2F_w_0hBx z$eMkmM8SA zUZQZfPvSs(@wbH6qoXQKz|vVCcj#hk%1lfc=!K6_nl=<5*41~naFg7b*o@gY7yJ(T z2j(bxT2WUBb1?cjWpd108Y@?XVY&!@5tr0TDv#ejNxCiEi8Tn~6}S85^FHKSG}v){ z#C;h5$G#B8JcGIQX20ITUvf1}+$pz%`L(&Fsa%%YZWOnJ6LV~wQT7D+ozJDZin*2W zbh=$!@OSy?q$nfTW#Z>`yV%b#x9cQF)gODCD~HPMHGY>#$2G7$KZ@42F$xRdirb|< zLvCL&@h#ZymNjJTmG|i5O#Dr-r2(g+a6>{ zZI+{yT?IYCJc?eZV0QTPVHL_+z~z3lf`Y}I46eiM^ z-ST_0raa^0TwDXs;T{q_vcfD&DwdW~oZe-Ul7eZTDGESGWHK8_#81Wazf=x-R_pNV zTNwPTvs@&H!T#JpSwUIxWg5j9kG$+w+0-Ju_lScDvzJ>g( zFT=ViT^c-In}9ZmmEFLn5J_-h;drOiJKL{r3VCw4eb z`)+PmB3xDcuI__9&6nz_ah)~yp=sa}#&x*aXr^mvpEcW@%~=*s<&yn2)YPXGq8Y|K zEH93)f($$57fEB8Z`75||5;7WJVl#B&Lo#FYGRU^0>Jrv;EHa)&Xb$s?JSe_^CfYQ zQ+?`}TXw|&@Ux|5ZoW-C%{bZxKSPr(ynb z9ln-w9mW1CC{Qo(9$G#8dBELk84CL4;4eQc9>iT$cgbV;H*knreFy3-mmBMyFa07O zzFplG!gddSdYAw)S`MDPms5l~LmsEH5{o|nubDadUMz&)J*`A#O(5Bb#^bN}EJq$f z{ae;rEf=FeYMiNd(^VkIxd9C;lvYN&jhQNL*u-0~(P@;IR|?XNwvNk;BW7}|9Q~k7 zv(W!*v=uxz`M!^a)BB04OV((2@#u7ihcSV-^efxbQ`BYBsn~M*NRm}B|Aza0_>w

(JVe-4Z1@mOHb9Df;3sy3l*DgH*3Z1+D)eqGz@;g|(pk+zK+56AvfO0jzK zAmla{Ib~+F8E#AUhHT7_nPv|D$bARbr?eS2E92;xn9i6-JTWcLS8ctMvxbY{j=eD( zKHMrzahqXgZ8m4NnLp^_@55Y|pK5Kkj`o={6KI9Fpn_*@GMJlVE#;onr~zHb(iwUK z&xid@w6UQ#F9@pEr%idZiN%>&tZAI(dQ<&M#VylV--XJG3FR!Qwt>$<5Jc67mhShzi5;BShw`iA?l+<%qNu#Gu< z1rluH@yQ?@S2ah8DQXNA7Q5ogxI2vZC&pfQN5@b>OPc}cnr4Zrevb;U0RT=&Ul-sJJy>>fZM z%x(wgc%EL%VxO{z?*ItY(%t6 z3Dl9iLqaBuo$sY1f<({%s0;`TQQXon-fRvk>vTqNweWcC$+0D)^qHFCtHmPRWrV11 z5(d#T|J7-q$g&#ufomj@LnB$zCBw&R`I+TWb&#Av6n=uMbNU0*A7I_#F!eWG*?61ZRktGd`4(#M|O|tUZ7^Xxg~T;)QTx z({yZXq_7#g6Z}oZ`mf- z$SA$iyy7-7X%>EXzu9hr;MoWzV}FMO5MoGp$oXx^P1s0u)z%Z5V&PTV!lNgCoVU1Z`9Azx< zVKHCtq-A zMZLWGu`%Qd`v4KF>?G@{DvLBRV8@*>W_#ad=rn0!CXY)<@lDdgSB^dHaV?u}UxMVn z|GQHtAGn-mnJ<{R7RI|wQ+~wKP57+LSnuu+IaEh9Rn@r)ee~x1U3Bp^(#25%!|9jwXi)V4>=sGT3lQ3*KRlTK# zDalRwta=*jAeq{T8&Tgj-iX=^APsykPjb_aJwIApWQZb znRaQDYJ#w~rUr#9cgCH=N^@#qaP;D4vnu&=wncHd5ubNoozA69(!zyt*-yTcW=Xsf zAwZ>3o07EA@kV0X#&$4oibjfIjNd3&q#|tRi&$?i;9{M6K@gp`S{R6XU7(P5@QJJ5 zzSLxJiYD>$?U%r!6+9NXn1yXkXf;xTgF@bN7jO8+J38T|I2tAF6Nv^&G0)uv*EgjW zj^K&{KS9`5#iwdg2Zs&?3i%Di3n{}S5rdm%Ihn_Af`ngL&jO1t*a-3$aO$|G;|j~k zsbh4Sbb7*o5{ygAI=v zfGhz(iB}A&F(r?M3Af(pRzUJkOB1AFG;AW_DlT;=kZxnAgA?BYEd5&5?IBb+Hv}lBVNg4*d(r;J6=zx6L#h`rnE& zHdfbkJykdo_@fv{WzSug47_he0}hir3izwfpA^=@jXPUk`H4t zn-&t6)PV>7&sevIm@ekcEtO*hzP~%=JCujPbp(akA$lU6^aLseUKzt${9reZ?`L_4 zpSgJ2DwH;JF$FHRO5K_!Dl`y?h7(}8iotMeIJO}*RDTHFlMaot%5-ZE=5l!Zu*=N? zluvgxn7wRuk02~ns(F3wx7)^Ra)DBHJ58LmIdiePT^#-!P?vt~1#ZBN5WwcO6cfIZ zCfvl7A(P-aYvEEd^<1lst&qjPgI)MD-WneVn=On5HtgPC#fd@w`+xp(_#EdW*%<3n zv9()*KEG&u2(j`6!{P@qqe_V0WV*Pd^8O(Z!CW} ztu?WI1@$eL!pS%GF7EiCnz(@0TDXDn#O@hnxm4V>lK$ZG-QUQc&{`VIm1Gi@`VPW9LEgSL^NQp7cLE`**8ydKuJUe_${K29gI| zTw>(8_Uu{A6A-Mn*|sCM^7GIi6brXm`5*GbI5!w4OA$}*1*>&X;QiH%Z#D$3vk|l% zAF6{^Dptw{z=UbX+Z#1&JsAp~*}F8#S}u}B;;)P3DlW~-hJ(v1;7#eeYBsc<;!_5) zdiBFdAWbh!oMyv9L&Lf0c|&GQhlEUKvIMp&XKd0}b{O_Zs!F*s5uE<=CS-6kBmKv| z{5)2`kHgGD6o#?4Z;m6&VJCsntPE)-O%rZYI`Y#@MZcFk8d~pQEXwpX-pxcmz91i9zqkvNFB@@ae=mLba5Y7-85MEh&_Z) zB9s@2R*TOCqiuEiT8wmMq?(IhaGB<85xnch{`-zE)4@5HcZrQTC(4{Vv_Wx2g=qIZ z8jlZe7H4Sx@Xfy&jS6X;I65IyEjD(klehft4z6L%jGXCfi0m6px|B8;ZY3jTP{rj) zDHv%4OvGV-u?_Z}n;Ek{S37DLn+uxQ5Y=%B(}s)7jxUH`HC&v8xj?*G!^PJqQAV3} zZ1&)7-qbXD6$~puIhZj1xlbN@ zXw8eJiG7sM28x=x!p22#Kq30ejIE{uc0rpKX8AwHT(Va4+;r=uIlsJeDn*rWVca$e zR`<87_!pOZ36%XnaJ(w_-AItcH`AS;?2hzh^5(U1=(oCMB^P1XO09%o(k9jPu#VH{ zx#$1dSNs+dUF_kIQP#|p7W+ffh2TV!H`z5PZ2mY#ecdtRE(*5dA}hGcl~_Zoh7FsF zA8XZg?aFSgkhZW+YL@rC&rF<q@{>Sv}{fB#(YS=SIm=x$(D-ByC4ZFeF|w9oaU;U7G`3<>orWCjbXT21yLm8 zSUJp9{ym24l<)y<*KnvuBUQ(lm@|=wb_-Vm4!B>-zAH{n>1elg1kvYhuXfvnKYqb! zZ?`d0?hr)~T#yFs8S^Pombcx}5bh7=IRaOi<&O2)QbpR<_;O^q3fHAep>5&!6X@9a z(V7}f5jFZ{GJcf}NBdh<*6 zuczr7F%m8k6kG18=gp1mPm{hF@t*K`JVMIKt%0-gaMPRZTjI|Xf5msLEC3Czw`BLW zlBuGz$Fak~-M1+IsTL5)lF)iwzQ$QowT+-C6@HE^g;O6N@h^Y3O}AW4#Hr{PQgvjo zZM_Nwe!O%)oy0cV)W)X{ccGf35$D29 z>=C0z!L-xTaGwRyOPX~nS#Q#vq;xxNT)bhkfoO&)^;9l0Or7rUw2z`4(uF?@!qx)m z@jJgr@tugzO-Dnjb0>6LmFZlp2*dqjsOZ`>i1%GTq(yYGBR=JaGl+Nodsxy*-5PdN zM_k*h;EZm~!c^X;URJk;1OFHJ58XOOCgFMS)-leTJ+TAeGBfN75o|JDus^ssw*LPo zO@ar}p{yEwOS=tRu&&EqcQqIWFM3mfC3oNMq#wk5CB87g-=rt6K)TXy8!wlDw@N7;l_!6mvD?iC6X0bO=Y(hv^ z$HZ*n5~-0NWufjVp@$~mw@LV{>vd1fjwUpcZKOkO^EyGjwF*>vztr+Hlm2P>=gtcy`ZR3u3LBlgc@ zxZ(f%;p?f+_+Z#&*W|RVn#KtCqx`DNpReO|?;YQ2kzZIVmF|kwz!5dB1~v-NNXZEu z`z)SZ*jBS<;+Rw7r-hR(9>q*BWX2}0HxcgSXgVLv$Y?f|1HeKWD)6Ts`>W5rN#i^J zui+5xEdLDoR|u_k%C#?VRxvC*92t}#;?jyWAVe@%vq-#f^C2U{mL<;P8L9EbaP)^? z41_!7aHs7@5(E;n-`DLiSHDt&OkyB-$Oa-^vimT|ebMhq7Q}Qz$B@HBI;Lg4Ek?iy zp5tUVo_EWb(c@NlrWz~YqVj;}i3Dce_<=m0grd}8&XeJ>r%l4YOymdoa%CGts~W_p z=L_Lp{ZRA~etADbs+bLj6NQz)Od)~+lOxCRCZ2lGaFz0-AM<;)gxiqOAW9s_YT~9~ zHoNoG8$>x`Equ3w`_*c>*CaKqHf}s18aI9v^Vh*$d8!8PYP{I1m{Ryq1XpQDw)x{p zWZcp*rihY}MIe)!mA=5j^#pp%i)G=Hjc;zt!u_?*WgskqDS_|(m8gY@0%HX<+W99^R6`Oa;{AliOxjm>IVJdaZbpZ?GerbCADBOUi2bI4HP z+x=oJE6ZcZ)!mS}2)4Q4&Lv$JYLiEAKDxC%gN<(cBgQ8EtiZd#vJey38jzpo>o@Kj^SQ=Ku3UUuFfW1*C+=>#JEGqGJF8CkiAL`&9rHLPH z_v|K8`3@nt9;%ucnGzclZexYOf9D#Ph}bwwe}sXK{g13dw#vI86h|oTgD4O{6&X%N z==3MJd*0~wZ*dgd`R%-~YX;57!NJ|TC+W6S zO5GIGjyM_v=3F?9Fl@W_?O~-pU<{YP%XOSYgZU`8U8TgWW9L6u_}d-dtL*r+U8B%6 z9kJOhBa`CM3uwN+hx?>|KR&U_rJZBfHF)CFb79x9KD(%t-ELrVs;p#TUw{7P;8w^e z4QUL_B7-%6-N2Iuqkmj$oX^M)LO)7U9p@t-2RC3O(JL3``u~-CP(hNptQi-@N|JBk z9w-BTmi#nGN-L#lRC*@7YPT`w6hOG_4kl@E`uFpx;?mffuFMw%+wCq6Utc7yNx_}h zwYG^PH^4@*ElddH1go77qJK8Q0c*YYVKZ!JtDSI-{zsD3$f_*AG=+QjHjsF!F< zlZ8vtg)cnm(kH9vR>iv(5X`GAM5BmAjt zTtl52E}k9SR!yc;#}(b~gbY1Z@j7+P&U{4yom0oCz6W6>PD|)0Lzs`oop)MPmX)4;r`Kp8tt2CauD{&H2BL#NZk#4>T5pE+=J7;3UMU%&!KsXJRpWVvcaIF zxRr&+)lhNDZ5+8QL>9x1at~MxJLUf3TX3#iUU?UIX&pDA%XhqX6jsCSJBIP|(q9)O zru<>e*%eslR{mrYZ@f{EHJm724{99^YvI7heVBFpOC;vOV-{B0p{#`=&Lc*R@yg$c ztx}3Iu{KVaR2b^4joFMY>BvTz*}j5Vn?H{0nJ$X8@Bx13?q?>hbv)Ncf-(y?Erelt zrfGC>>u--;6xGZsv$0~&Dbc1Pjn4lv_^G=O`B1+@=fG$imo|dtc%G_s7{x`;Iqf|i zc=K`uR-F=xQ=ZVJWST0x5&KTP5&yaWXYJb76J?t9t#CAJ=J_XC(Ztu%P4tu9cYfwy(OZyn9%p&Ep)>e{^Z*0}V_47^Fw2ezNhI4n@^ zR^tvQg$Ba`yXn5zx~kA?)G%XeN|i$_fv!+iB}Ia9uOQ64>{bc!|IgsuP&C0!f^=3pDU=|dqxM>V#R?-RpQ_B3tO^VrBlq%F-8RxnN{Az zWY#TyPU&e4d|0belC8VD8ZIgtj7BRjGVYOgW#)Q8x*O@(B z=!FwA5x(3r+4F*khyn9mSmlR+TJ~eY3N`#h;4!^Q^7JpvJh^li|9<1Zi+#T z&qMpthsLRvr8tGVA~r8=S6rrjKgO0_SonCmmfk3XchiL@EUfI#;nj1{(=}QcJ8t?m z57*A2P=n7K&JHFXyyyc7@h-+OT{tJY56}QA?7RYt)^|Snhy12;4wjHrZ~!arX!LL; z`|SA+N5kpZG-udvrG;=oWEQxDHqXsEPZ>>GceOhlPvYmU-C>Xpc1lxe1(!`_!kt90 zu`7kWboo6rXk+)o**nW98P$;6ZnYYQ1WbfMT?z$zbMiL0_J9-PCuO9<{t25}*fBK) z5nC1#ted(nBT@To5&Pj=$rFO`4M`d~AjRtE|6ZmR2AM5F%XzBbLMi zuIbTMXS_xpaX#T5Kki-rO|w@1t=8S-zEuym?xA1Z$2HYXXK315dNxb=6q3Xtuh5I&XO@v;Lb#1h$=ucQN(gc4S}wY{ z^`2ttxGN<6RZzNV50{Rg-F@Jt7xuBfxDP$?WW-~V!=94}M$%86&o~q=lzxkLysqPr z5;#Y79mCiAL;aBwt}&ah`yo|7GI`v1o-2EA+#{vI6%BP_DFZuRR~*xILorM4;5gor zh<7AyG!%4O{DT*}L|b?FcbMOxkjSHp8*qoltR=yIU$`Cva8HH1m@o9*(I$?+_FS%< z?Vfu#_ccXExNLUsYq%ki^<<-aufV*4WB$I5HJ=H0RGgJ*Z*n;mn6A?J^WjcHNuWK^#sC;sEH1S|}}mc|it2ur8?t!!%kMlkOXV#=~P3C0)8u z?+$mI@RiF>GtVRujPSE`7MHe0Z-?x1j6|wZ_CD?sNON%DeHK27j_v92P!5x_N6>M$ zsp5$r?u@@jMkz#V7<;0xK7}^z<4Ao^v%8iAAt_Xn!9bF!5BH zs~NGO!BmNwhbG1f_a0xwE{I`{xtdf-ksq3vzV?bU_Cb--t8AAd5sU=C8r3G2X=DDR zsx8u1U?qTa_n@-9#S)ryGlr8tKWQj1-)aU8>-;)99KUJOEp;3ZxJkSy&oB})J%+i? zMX2if&Y|!!6mv0i)_3QGXpEEeB@_*@_GCUN+`ErwPcrMtvYmIL8J#`Z`aIX>NP;+h zfVrTBoQ@N}qh~f9JfEmcE0jaWo$jfY8qBiQI-;w(S1zlVfpZ`kW-*EpXls@GC##Rq zz;E+1mWLL=IV=EoZ{0QS7*yJ-j%AWi%>KEaog-NYH(XYbGbAFog*d(0f9*Bf6@hv# zB}09nXk*=G2E7{H6(K z;aWV?cg?yTOR@@f`Q1)zvRUK_HGqn36_Uo7cHIq)t5JVpHtXtC8x0_ zHEkXX;H6|qc-H71-xD3c?a~V(>5VJko@e*R7NOS0(H`A(l19wa*Y;^LagYqF{T295 z5~C&Rc}AIL*@vQsP7eUh#krab$FdruKDYP7RYh7V)p4`0IR<5lx>TBCXdq>bQrk6h<}b z*jpFoW(>}bh5~!RytjM`H;5s`iA4xvJSoq9`vWeCV_PY_I~XNFR_^W?@-)*2jQq)RV+zR`|0HMAXy86;BHVusc~*POf8QqVfvoTb8!gPW zbyc+3Xk$RzjQf0_j(a#0iL*s79}UPl-^NW-cId7(_TipJ4;Rjdc1J z2Os?tXC;n=BxQfz*~#-uq};R!=DMQkR<^xJFJ%g*)2b#&5@{M3i?ca~TRWLkfGEaEGZu6JJk7^&oU>n45qIe5DKbMPxfWM~f!`Te;uY+ITWbZ_* zgSD2s;?D2oO(=x0U0I5w;gqV)3#bs(Z!#VH*GFR0DC{_~1l&E(F8v`vBN&Unk zczPc(9j65&I^ii2bi!Qpo?i!NHmZF(A%c0Epa^c*Aax-?#33PW|E}$Kfp@Fzwc^&o z$cP~D=BFvrd6On&;3+#B_W0_93m=G}DtQrj#y*m-SEdFbsm|ZU1~wSZ(_B%qX)qjz zQVht(THX!#I(nK~k8Jv_9H}+Bbqu$t%c%tE2lOz-$SCmn)}<+#ZX8%;U#8!~SSVwX zn)&p4y#dt}6!}1nPul#tf`Dw91b{K5s&Mof3>vI!GPlh;Ofo;_i=^J0H<8U64uypF zh!{qqaEt~1m=d0(FogKoO#uv76vyMYyOqVR=9&n|^ zoOgv=80R&}Q)1b43lX8Q^lLU7nB>Zel1wf4w?)p;a(LWq;B7G?K94~2h)*$@C|4F2 zuOB`~GNR$!9Yq&oh-6H;k{_fO*D?;=jp;(Ao!o3wvYtN1`&u`4*y3gtV$Dso-46b_~6(GPJ9KX3wT zCtf`FBp?roZO_k$|yaW_a18>PbTfG&hF*J%iku-&7$05f7*|JJ-E zR2&eEZ);_5E8W(uRADD3c`SpyOrHdLI}SlMFOZ*#~f+wrYi`<8;N9qNDlej?!l4v1_N^Xf z7rN#_``Bm8ywn8K<$sDORDN#xvnv{66>nO9z(kf%OLZJwPnjitv6S{`*Z!P(mZWeu zeucqm*D(x&?=>gq?d9X0b{#X@o1PPGW1qX?yLJO}*)nS$ zEGa&(fWitn48~C7dxR+N$3Y*z-NaK;082tF1Yh%@uT9*QBVuniyy*qPAk)vIGbKw! z7foeb<##&oPNlQZZs9hZ>&~=x8}l3gU^6z==Bz(7%bCA+yNP*W7L-PaW35r%5RnWn z47i6k5mGv#q%uMRL#-CRbI4zbJ0r~bu=*!pHKw}pD$>l|=IABUX|HgbXi1z}-9({K zy)Rn-Gaiu&3ap%jvBzC!pmeSoDhh_y{300wGq4PX{{Aovisn4wN zu`d_Y$%3sthtqdIqYJ)Vd@SgiPT0?f0`RG=7>H~~;_$P!JUkRcaH6@lq2$NOZ%K*= zxrCMUpdDN#O8IE0wV4bW^;Df1ZPEo823B8j6t}w=*Fnm;4uj9!Se&GlGS|x0?&5jj zO2k-O0du?NxqEouOokJ)KeT3J_A)Z(dYW`;D+VkAmLVZzV5ZtX@J>5-3K}(aO0!dI z<2DxO)d_E`gR>*;O}m(K0e+{3YoJ7LBkTnC@>wBSF@#eM#pBc#5pIc-%B1NXVxiNS zn*-kzv1y%qTwb(x)TKTN{CB6&C)p8^8Qf>#lCO@u^6=}l8Vb&W-R|h%3RtJ3zyYV= zzQA|(hoh>J)?v6~a47twq%&lHa1Vsb3EnDT0i7;}k*1IG@}&&3liqw6=PJ74@lYtg zb$So~1TE6(;cYu5^82jj(COi3D$teE(G`>s*Ow_eIz~$TZ1#(RamTOs^jQ%@Fa_S7oeSA%k5B(dl~=L7@?b>Pz@!M7 zb8*w>2X!@oHI;Ozzq7k%6cDV5DHMfv1|hVptcj0su~eQKzI^XGVR+Q$cJ`Ti3aGRKGRJx#uT`xu~5JJt%B<}H`rHWnBy~p?htajb|e&bHTl_T8U{!lvv zk#M|DbXHQ{Cy~d+-e4VQT_#_RkCN%j++-8^YTR?F5BsJiUyK85y9mQf1mGKe*ZoOD~!h5K1U!B#85MHO(tov)%cbqUCcz<3Ehi8H3 zuJ}Ao!BXV{eC6WryF^Wr=bBBv9o~!y6Cu@p$U|mW!#*5c*VxRk;5|)VS6_xK=(UvUE z58-i;qaz$7SqSRg$g*=mwk(8ORfHRG*uOfQULfU)VuWL9^W%b+F=r!F8wLK#@%MD< z3bRgQl$h^v5!Ai%sBAlMQCgfX*_%tlK)!vA!ga+uP?O_gmm5cOzF5pF5knL|Csc03 z9#n;di4+Ef>EmJC(=eEuPcvBvd-61|&OKz1+Sng2ddkdWXIFQM8Rp71cxr>h`nauBEPoFLBJlcVX}!@qdoI3{-h%W)7!zW;U~V+l3e_ zSqFEb&3-2BnK^~;E+k>h6ge68=BC!yyHA7f+RN=o{y>;6@^LWEB9Gz*#4H|j!kD{$ zSwexi+@9KfX6|ptlck^{5B}9Zr=iXOCRq|It+$UhF{Lj(B$-QDP&GPIc%fXr8h0Bz zt0mv%0OvBeKas|@OZz5A_L^rtE9wc(2~2qCZUe0%+f#T7sH9z{r{|Rwg>RIpvNrCn z)c29BgAtdMB%mKs!N5eI{+OP-^jJ7fJ$li;Z1r)TVygeN3Dvs~3)>5y)`9Q42WUz$ zUE5e6=+izM&Pz<(a=bySVAO;iI{WI$nP<_T zP%weJ-j?D%*;d^{r9Kx?FZq`W8lKVfP0ntYv;{LPFB}nRF2qY0wj@Ual}KSqhM{4w zfv)LOeLfiK+3WuIlP)iT4_|699FDcc(4wY-QpP3`hg#kbo`WDMKZ_3~3qi#;>64az zCDvbStli{$MVS)@`#5n;F0=5TvOv~ymL+w;kf|r{;BEsL|r}&U;Um zl;x3og_8wvDLNi{AT^{_WXqC8Fk;Jd_B^aKh6>04{}6_`6yf3=n=$O_^Qmr^LIwrd zMnEmUe_;$?A`dlJeB*~@%)WbYN(zt1zV!=W+ma+s_K24fC&Ad@2h-HdxzNI!xh$dJ)S8GxUYskDEP!!EvsvD(RRk{&xZT@Xz6aVo zcn!{D<7Gjpzx|luW0)W0Q+_K@N4I<@0^M~fHpT!6E6!{dPg|UldVCt_6$j857TEyIX-cdG0LCIK9o6RSFA zz(jxx$|T6wLN$Jx4lQ%8O`gW~@U+KDha4UgPg`T*ItLM>Y8MHqleN?(SI_M`v2my} z3QZjHPH2|GhKo(N636V>lhM9tDo?Ztm46ll-g&!K%$qsOW6JQZHk<3c#GU*)GtII7 zt^8VXeEgHyx}3$stV1#Nur>=k=fbJh#B5i(Ib*ia@}&F3*85s+FUTs78H`P_xi_x= zyBKU>gs(a6>k~HZYh%`>o&l2#Yo!B-i%i-0+Me)zeFqPcKQ9G!`sv0l`tMB@=bY`l z%NOI`Z0?H~R+vKZoj%WV2+va3K^~i3Hoh5A8l67Pd>Y$wVR@=eIOfbhW7_(B|LIU? zA0W#KO5rJHS{g@NcjpNgz8`J)wvaW#yh?^O|1LqYlI!tIVahSD!a#O>aR2aCZ0pGy zP<_qNImL^u z9j6=KEZqGe)`r4P!^}%VpDmXJvq-_qmaO#{u4jg??sNR41qqCg-v}qV>w4aa8M^Rl zp{D<0ruM5)G{bG-pWO3aowCu#>_mt5*;Lr9$*`x*%x7JWRxquRJ|)0@ zI$89K)I(nAkWH4tY(uZqDjy?Esy8@hZDw6Lw!_^tL(7&!*stg8R*45BSqb~&{5=Y} z@Ce;^x7wq@h>)sJkIA#={5{C(I7Rhqc&gRgCP52$DCswGPMSUm_g- zar;Pwi3f5oe-wTyX4-QoKGKY69Vb8iy*SwS+Uv)w?B2GqLhcT(MT1|vZm>;YS~8Pr zA`jJb#Q$2w!Kyr}cq|vC@Wk**S6e0=Gnxni5)IT0C-j9!c8L7-K0ye`X(rr@HFF4W z_87(fvvBZ)DBmxIpOKUb3q>dl{$Osn{-XCgU`d*<{b zNyT4qSumuruRq!BMwp+GUN&{Omn^ney*V>%DY~64?Ax+iff0eTxoHe-yQE^cuiy1) zPsXLZzldU$sAMWUbKK@XCY_{g=h=dm?hVaC&kdK6dx+!Gs_+7LhwZ%O4HYj6n+-Si zKeB~Bw%Al-xBvS;g|~@W(?7VX-k|8*_m;uR`7J9fXtGR}!XVb=M);@y8U?#|Uh!FQ z!}7cE0E*cr+l=_h4@npEsNnpI~7eIf?7{qql?n!I>%*=K60zMW}`c?9S||oZqeZybM#8i5+5z@H!}ctN&x|+?8BM zk~91&uvWXVr>O;YRz66gNuK6y36R}AUNu=wmIwkIfaudami7hYj3Yy)Tt&!`rC9Im zzKEVgl?C4F@}tj8$eEa#K%qgPvMMtxzdy0mOPr_b(DACUXFMx5xbMM|>U&_d;(0Wr z4(PUzg~i>cAuX*jr8H#Z6i2hgpcCn-Gt8zX1$(`C+pO5uXj+{u>Nvj@t}i|AIIU6T zMXN&E<*N14Vl6LvKajOwPI2^GHs!(2y*AD&1jf@q6MdAvVs2%gLTIB6)j?R{i!$R1 zpqF2}UW# zI$34cN@A2yx*=`B&7A~SHD{}r>sK(h1YB=FlQFP(zv))1kHd+pg<)k46e8QNxm>^m z1&tdnL*{H{JRY>rp}baY#uJCtl9hMkZ+}fwM?i@A z#E6y03so%5ZprrteJI`!kJ1LhWnL*gVTYY!jx5aBR4j9AieTvt1)MCEwBjl686T<@ zso@OuG%zL>Lis(aoqjPiyUvE~D9K^&-dI4j%QG|=aZAjRTnbFBE=Sf21JYyuUX_Md zU+pp zm2n`*dt(m$QYRM{2ZthDJsKM6G>RU)L`D_&1AX3gplRNV44V4%5Q~j z!%RTYHskT3^**po$_unsc5z{3m?VVrndwUmG0m#7q~oATOSKQMr`!lzr75T&$>c?WHA(19gAwq;lref(cD}f5z0or$sW7C@CpMog_{k zs^w^Q@exrgYK1MY)PGKd&3@Psy3Jq-%#l#Ko0QG0(i#{r-+2Tr`g0UV)|bWXVJxzQ zRbE`^hJbtMJhD^~t;#*LCSini5_n3q#dVP~e-S>hW#x+fq+g6T)rvexQF!;nf7xpS z)^7T)34t3gEyjsfxa=sNj8EN5aIKQ+kT7yO;{@*KYvYd?(WKqJp)_pVV`?Y?f8 z>zor<$Ry^}bD^;s5=-Ad#EyhImbq{9a-SQP*(5kY;;1rS;{_q&L)*)b&c+=S=nRF(@iAP1xq`s{!Ha>2X+^hDb z&5!t)tPNLr`s$4Zt>foXrZXVt{oWBo`k1nvyh|@*1s!btE*R|($Ip}bxaW=MPbSk} z4~14dO{<+(o+|BfeGsmFJS|;gwq*H-hi-lo44vK{ksPh{$H%-bSzDMMSyt);aP?#K zbk!d+d~zS7xm}S&aU!SorufRM^-8dHmX~(U%Ezp39EGvm1iMi@=-pO*>ccT+5OwCW zC>)>rX6eJA6@Q;``55J;oN+WXay4%U`wloMMGYwgCESmfmC;Jf`WW%e_@9OTc`>m& zQJU7OluP5~_4$Np-65B+rDUqf7L4ZPT(`{_Q=q`!NM z*s@T=m$xDRxyZ!z^`VtNPp7D4$H%nph;0P*KE9rOqZZWljc|WSIYV+8^;4FIp1Nf` zcT@M4LabKe_DzzJ+Tfs%x!x|@lH$`y$k$07bxc>m$1Lwddpff(hX&o_`#nD#@>>T` z8;XJ5UOe^UeIWyEv04aJ5on&o8ehXP@x}q0L(5FS62GNjmfvuSVQN0jC(g6`w0hUC$DwXK z{Xx2qGRo9V0AskLo+Wrg*EdiE)L7;O5nu-wQ@4E*p{Tar!zl3{*b7g0yu=#@CT|yF zB}i<<9@0=Rk=4HLxd_)X7EIlCC$pi9P2zB_55POBSXZ~YUe{pM0UY`mzm2OGply1!{%RFA=O7nR()sb$%X4t+fYnp{(ToZmp(3Z7+7Va|FWG`%h- z&*ma9W4=Y)A~h|Aohb7$JR2Vv71RDBHD6nO`=7cI%8Gk~-M-F2<)s&{i*NtAl-sPn zaA27Bo)tSK=wPKHd<@f4I-6-4YK~PNqqU<}(sC_Tn5^xF3+tf6ZxB|eEEi0I_!y<_ z#pjTFSC=c6V!4rS0587%hcuC%d~ErZ_l}wZA5*qYF4Mx9nUa9F^o7uWzKup)h@^f>sx=c3}&Zzs$b&kZxNbMs_x6&yt z#8>^??6;?!(eFTx2!pny5a%^tnn7UmkrA6nI#yj$d#|=KlaN}?>n~eYVUk{hYVDjI!u^7UQ zWO%jbid@N-n?jvxdo#8YwPD_~rTU2a-SB?=EAR~;letkm4F_H~qO5s$-sud!{p<}+ z(80H##{>N~xF=OVoP~+kkHW?CweRIHc9mlJn9EJ_?J@Vd1^aRW^YpoeiQLCZS|{}t zTpy};>FIL$5UBTOeJiY%5vhh;gAo-lnINQ(A>BwWmzlFDz{gB(TYS+vUb?+AOz571 z0&kkyr#e1{a)0=&@(zv_2-COJW&p@E_!z^TbfR#qUkk0eomTBXJYB@fTrUDz_h-Ii z(y{--=_BaMC_d(H$71)whjoh%9X9eYSUai?JYD96?LAb?HN}XZ>q-G|bKp z`{5@SS+E>%I&4VL?44yT7~*1b7RrLux#{3GS01ii|Iy$f!U|UAOGnOmu4Eb zAzUe9A-=5;)nPA6k8js_2oc31V_2KnVL3coZm84c~L<#v?sF1w3k zr^irhn6C3xrE0kj^=n~PUJe7UVLVN2eG4B0tr2zmojkieSq!s&KWpw|uC*h6m@#4e zG-#Y3q!=*RI;6&6)QK7ke)*VgJy(E?s!UXJ0bf&`{E;N4-+;KP!=$S`fU!7X#`RIe z6&>Z7848TK_R{?2+>o#abR1p^W?mnvm&!GDF)>gd%rXp__!xNod{>uLUB!}N&JpEfbsbN3DJ#%3ks>j=zVGVJYw%JlRVvCSarG zCiiAS)vQ|2hj-dq8An%)E4|OLaRXd8v6$Y(3u>CGpxjETV>p(+(U-hPSGOdwx#VF^ zHd^NTDu9vLg!7E8H7PMO+{JJ#v2mBGR1}M1HujPM?J{bl@ZH@Y>)T=_R`$l$GB~bN z-0@zI^e{u)qx9jDU}p18V}ABenS5*dVu=Y_I>T!h!dXM@V|cb3QZtT6E+>=a&0>Of zK8(2qg83MlokVs^6Cbm(vuHSolZe^~w05nRR^J%dsNeQ|D!@KwW~2LPoJ_pLn|kq& z&)vWOW%3wHKl8!+F`WJF-`XTx`R(Vw|K%a{K8KHEeTl?i?Y(rd&yKNP*!b{z(C_gv z^%D!K@z+HV^m|~sAXh!tE+-|V;Gl}nTGlewfZ#TrgkuQzvE}vUpOGegw41`#W3fH& zH@r}-1-aZI^PO^m4%&umyaSBlcA{}Sh(CFA)jN_lUU}PI%F1>AMZX0;b2=|CiD221 z_Bq@*7cE|x(T#U}?J8%$q%JAM=*uz&bKBy;?({k6wh>I{_VaQhGDDl$c?-?`5$Xj2Fpu zy>Uf*80V!_#({6Gm>Dy>Po!S}O%8**;Xp}3c$07cu8)95DtFs#yJH!t5zsWYz6K_9 zM}x)Wc7-sUB8=va*iw2D$4h;cJ`58@H;q5SeVPis@~*9KjY)v<+;&Nhv-bxK;r6Q)odLM8F28}njUE=!&|bDMc}pDAEK=~kC2s6v zptk$mi8@sKVyx(xp=}g*bgmbeuT3V?*<_NK@w5HAF?QQXp>Oogn7^&X6z=olrW!>b3a#>qkq(`HF?Mg~ zF^=$+NI-c)YqoX^m2 z0WIf)3@OH9>zrhi@j}`8ik~ZPoNNaMW&3AsipM-J#j#SFBW8zqYX!jw?MOZr)w9}e zEhcB_xI0{Yn4rZh?ITtvjo?v;|7Q61Q?HPijM=#!#++Xp9f=e=?^dkn>=>(D{*{S z=2bz;i@GBnV8)ddD?`8|XlO#~Y=RVEsI?nU&s?eD0R$LnRV&+Au4tt`0Oy19luB#} z_HiAT1ejgLf`tJlS7Sld@}<}3EIn*g!=-MGQJOAkfa%pJTT{*yotFfdS`Bvv-(+-N zEnibcNuKWF?p$)7THA;wc=GCEGZqlnHaDI{9v)>#MN zzWW83OAVLRDZ){8ZWl4P(6|9K+aY@ie(=FO!`-5@qgfgfVCq!J5b*9Md_H*cf8f)q z07IyKA(y9@!f2e~+G;SF+Ud(FFd0SNf&Tm$NIi);>sR9)@agRS_N65lqo5g5uhRVW zRV(VB=*uWZO)u-tg#%Iv+S6lPfnmo^j$zb!@xo*iMuMT!lc>?9EsyCFVCXd7h;k!V z7Yw>QP_ESV9dLP|3DX9cJ?)F1DlO!{`>45hfT7eOKM^A5^nvZv2N+Iu8V#0rQL+H` z`9^@*)K208BLWPkcB5eudPz9<=zpC*rd=)+U_5nB%GS^N?tzKYsC$1a;q`eo8hP=) z7GPai4HWVD@An>Vc`cdeggeUqm4 ztUGS$37NYJhDtv!R1F$>w1&yGwqfZMx(OQkv^t9+gNF93Ooav)Ud1(eF-RJ-L%BT~ zX{1}RP>0)w5!2pKX%e}VqXNv7KIGETPVL19W2N(KS8WgC_5(ZLG8Q77#L>Wu#=XHf zie}VDfFyv8KaUR!70h-z@xE5XupKX$^YueprXHTB(~Cu+NH^9<~R`#q(&7x?bI~PyQo%q^8uvK|Bks$HJ_tjGU+?YjYQi03)jj+bboNPY%E+ zXlMv4cu^4E`Nmcdl?gDj`dGKgzIl%~J}K_D5@3RrbO4pCO1m({^8-w&hUMv45dH)# z6HH(c9VL^zfwK@dz<}zohj@(u)2Qw6`9b;(QMUT_SE^e(N;`fym(r>1W6DY6hGi{} zCaGAq?4~&Z=2m~CVC>dK3|p}=_E(8R1ejIr4Z1hw^ZFpXBFs9{V*a7FB7F?B{gK$^ z7cmfh3^e)KeP0(}4={AvnM|kAjE?nU!`s5JDY*u>l4trb+_vVsOPB)8lKy{)UIv&k z4WDS4H$pPZl8RThy~#IvzxPU%x5HfNjO|5!&@aXtxmqq5Xo8|ez^Zxf= z{#73jE!C;JZ8}^SEsd%9Dl_`h1{f-h!t;v4PMM1>J{bxya4P?)Nc6W1xnV3NhcT7`Na8a27#!=M~rYb!_dlV*86ME)}j8nsL z66s^`*31{RGp}EdH(t3!P%w6qaJ+2emgQpb^n2xC15BaHUpl<@Xy{kjnvsf+*+DG8 zFzO;t4@`}AIUX2ArT%;J_wVf`98;(bW3b&y7g6pq{Xsl<(2W(ts4jXg!0hQs^?NvI zf3hcNLqUDYGwMiB$NleQq{gu%CQwKGa3G=hBv1KDUjQ+K8YkCQU(T=^^QNaQP1Tp& z)PL%uu^w8|Ye{$Cbj};vw1%Vh#OqVaPd5b&oF@GJFc#TAlT)pK0F0d0#b~PW#0_a+ zH0=m5W!k3wzCPmdx`jvy43o?AM5M2RI8Wz0#vSAMioFwduw%tmAA{>@j}-LZuIox{an~LHBjG#{5c%jlLu8D;~)LxV%q!`Bd zfg=&Y0JEqu|EZ!Zi{X@F{Is3ZL9W+5X4Gxoc*@2WkA*iItg+jSNz`Ag927JFsXR?J z!B+3L^9KvC4=|(p9eFv-seVtxi~xhGGya;^d&#J7yR47H*)7n8Fu*9P418WI)&It| z?_(gf%ZnW&$q)Hv&4T>^gQyAL=GO$aarA_7)F+xvffpOcoESlE2g@|CR$i(%-Uu4H zu9BnKmyt=`_U`{!JDcUkk?ab;3RXSU;gKrL#0x+mM4?0yECP~BwS&l%m=*}I0YW9# zY8LYtUd{tJ!VzB0uKXr`5$8>i6!Ygm>aZ8x(a`~jB#=M%-n`#A`UhdWG!XT6B^M5T zjAOX;LYW316*7%j0W+qZaRq%hN6`<{rGZ>DrfoyY1#40=_~#>BJ1}JWF%jbd22QhF zY^jsK6yjNzM;TzObd<&?6*B!M>~T}%&3eCL*asaL9o;W;-i+7HMs;nvejqke{jlEQ z07Iphg&a$KX9dL=D4hmra8Q9E9C5+-)eHT8I2%cyuJhaKS+6lmnrxor&b@aBT$})< z`u(_Ni866LGc>A4m@bXVBH!pAglWI~0(g6lc@8WMEIRrWH z!Vz&>dST6THM~B3U-2&@Cw0M7@eMPx##HH5ka`RG1qw6d!BFXCCC9fMA7>d_1u$be ztQszd7)kRkWo|hh&-5Fyh50z^SY`cs+yIfwLG`?(B8W-#vukpzqWa26hZO!wyO14jOoxBQEPRr?{gUUysBi# z;a*8F@i~#N*2+0B^chTK>QM6fU^J1N5)%VVd)|>+01XF2wrGIq&U74P`lUD-{ea8N z027XQvH#7Uc`dxycyrt+WR_4&qe$d0*9n*Jkl=8osF4D!|b)zz9$hJ@2nV1S{{ zD_X*e6;1Pxgj>dbh%sJv18^QS0@DIepqYJLwN=%mHxdnjH787k-WS<+O1ZI9v4+k zCA_Ql!HE7b)VUJ!jmZ}ro?9&Ipoi()xgUcLH2!tCaRi{~!FcXZNYV)Mhw-UCc; zUKYRp@x1jqL1!aU!0=`~8+o&p9EN*s1NVxJInIDQ6B=C}W`G$^s)sxZ-MDaoAo{|Dtn^Tv=vnIb!%2Ce4yc?9Ft$=1)$OM8q75(Pw6YT69u!m^={M?N{?MT!RMN3| zvHZjb7!G|`*>HeS(KwozMIg+IhDEh_K1g*lm9$axn1A!&svZVdO%Mq_~a*k zeMhBseNtiG6FI^RFzQMD(@8qhLsblSW^xVL{m81sy;y~)iuixus$ z7eQACmeyl}6LMVTc0?GYUwJaEFJV3-;mN0aYonN@dX z7#&rhx{#~;L0Z5I^r{}~qezF|Bo61vThR1ZvwX%d9(pB{z?4_djaglzm;${NGKzc1b>NC&_A^?@?^CvG$B4n_9aZ7__(bMk4C9_hc?N6gV;Jik)p>i`9BR!9jCVS+ zHip5@K+Zs!NltQ-jP6TnP=jIiGZlsU8}h+XLnHm@WqIyhtjvdn zHTvRdFqMheJff27_%F%iVje}_CtekK$$!`X3Kq`24Ni@*^^}8Q8gvwo$HC<6GK#H~ zn_>PlqP`a`&0rY)4DU(h^q>S~?nxK|y(g(+HxAD*1UhTeZblQd=a|!&00rS6!+2-5 zQcKvBIzkn|t@qC`%yd#`Ax$;SYRSAC&edr&iEh#}qvx4nwln1=r?&ae#toS6jAzMk zP7Z8xOa`Nyzzc(MOzKcFJMlu}i{kUiTCDS;UGO4*@PxS$VdV4An$@r#1JW$8c0de& zDv2$Wc{9v;UghNvUKFmAJ$+7L*faPo!ynvZy7nTLqHU~Ei=j`El=`NCanDOpQ^$lO zB*c6tjc7UEGW~Km>)xa27-mC<)pOe!3fa#YbD&@3RLecu?&`dd>$L+RVVDU`cV*tm zDMOD_hQUz9mJ8$QV*%UER-B~^L1KB1Y@1;;^h2N!!<48}x}gBa+<$uvM>)lGD{5V| zw{1*^-coT$IDQ*W20vP!V;B=Xv|a4Avb;}eOQKW1dsjjoQJb=N_V9ue@>?*?WS(q% z6-<%N<$=wWzF-Uq-Z1epeaAm5PAx-E=!eyPsFe!TR>+f^# zB42f`t946ZnI4N^Uer9vWEd2k1tjYkq`^F%c)$LA9%cXi9}`dhE3`2*hH=qx6kJ|v zxTv|KU|4iC&b;WgJ7=`UBGw%Gqpg}#wRO7~!!Q{-7tJ$$C^?2Sxv{}x6m(wg$S~%l z^Y&=}wb=EY95GCTW@7P7-7V(O!2Bl`dSaOV{7}O=!}RCjI4)_ok7BFegs1Ujc6Myk zc61IiOnFkFLzIq}is{Y|DY`KXcv3W^tfTi*`Q{6Ob5-t?)F`N5jk|WLy<(7lJ>E|D zN)2`UZlyv`OM8IMTy+hp7E1jVY>m{2C*#k< z*%m4dKQCCzX}ZWAQ6lCtgJCcUzemadfFDXf4LNsDWZ;P!X&GiTNlv2`+le}=wZ8}s zcB!kr*lnGP3k(V+~|J*PN<7^ zx!jG^af>xZFfSRGn-!EWXBd>ch=$QTxpjOL*69kUaqyddb&mq`K@paVb^D&MAH&Eb z!PnE-j7pr%nK}T_UrCQe=aL_6bF2}7;m8T;MQxGV4#P}jzwQvjP-JsrpPVM+DAofw zOh(>Po1N=B;w^19^1@v16J$lqYdht`cx2bKZofDTNXp>3*^{mZF352|2Cn4FIs8U) zvm0k*he^q398a%Da=4miNeqLM@i0|Yy|tt3gkeZh=FiyykvvHJom#>lygv@UR(j(M z!~A48A4dA6aAHpL7a1RpOs0=vaB@5gWDvd(1c?^Q|+S#kAz;?o#c)ZmNo5R`Q#&Kh-bptC(7cHkgIHPHo)}hT+F?RgrhZ z;azPCvh%`zTnrPC6H({gm>@yJxhxuyJPS#9YLo5vIwknF=T83rRmn$OLu_2$Zw(X=YjM>57G-wiV{ zGx^Ro)5A+vYx$YaZ#7i?J}fv8HcE=!IA+2uWSEUe;!mmlc}9TO13}81>FHIF96=ZF zzKxFkSa)irG0a7#@ob(r>>F5*N9Qc+WItutXm5^~i==v}+`u`tpc#<{h9cv65}LU# zW+6vIZz7uJ#2i__5r?$Zx;wIxk2UWY6!!@)<|D@)p#Ek;WRF+eIpFM#W|)y&tSDyR zZLACrW0G?@t~oEgtKm!?Lg&Zv*QrfKdUG$toQ6+Y~n$Vh>9 zl9QdGlB!F$bXfhgb3|&Gq70e^FU2dI=NO+vSTDoyobf=-pW0-DD~iUGC&r-0lMu`T9K*hn=!uRyKK|4rj2<`5wtg@?X3;>x9OOh41(%zR3>Kz*>lnQl zc-&h)b-}+2Bw#(*qcdg4U?WuzReANW7n{pA1|08`oAhR?M}!z@oYh>39Grw+%ZFV4 z$YQrY?$iGePBHm%{%Z9>GR!#6@|HTUR=lp&*4V8x-ltg_>zyW;axB#rpf)b?T+WgK3g=?t{d9fFBQr941G*Gz(X+%IKP+bQyP zy}Vl|&c-m^7{rrM&k=gi#{5bA$m^2^G>{=;&~fH})uqQwj)3)0kKs_Y?17Fwj69~v zWu}x;BU`JLVeB!u2(|n{zYQBEw7h<o8Q4!cJ+z{(Wo-OYbSK-S4)p6EGKLwQ%LtV^IBg9JhLK0?SjRB- zSiSDZ7}TA9VDd4jh1z&CxdE;#*Eto2Am@Bdfm+%T$*1yD_7lWY^+9Z#yUP z(zpyWkil*2TvB@MD|v2Q3g_XJZ)n-GLVbO_VB}HmS`$5I!k{D7ZspVas$UML-k0fI z#to{yEa!R!i;Kb0!pyNE4#@{S`ULUiK zlab@Vz{d<@u&CwK&+U2OV~UZQt)gkFU)^IZyOtkeXjA#v`0}7$b}!@HynJ_2@-gx_ zsmi+Ir(2EdXTllx^(LB!Hz$%TYE?56avyV$A8-ZoF%{V>C*Wf`axC&{*Ou^j()|$O zWSmCds34(TjrqucEU>j;&MFi7n39}`vrBOzsA3z>_?V3Z9F>pB$lz54(j)zHoH4G& zcIByVHpe)^Kx90$cVoYYh%C3nhqwj{MjtQ5)B4T4`OQqwT%|AsIgD=ipLyEpN3}hp zwC7{2@#;RIay0dgzU)rR%%FDf_W+LfYT}*rl3F2wkKxAbNA)8&yq8>)zXxpmxvu2I zx#r?g=2`kpxH+6tN$aREZ9IA`k*v%PQhV9PaAOoE@ifZxtKq!r)B#oX_JXTUPPGi^ zcjNO6Y*p`LtdR`mm5aJUUC1x)AOd^pli7(Y%872XRDO@YWx4D$z{{gvx#Q(x3^ElI zxrce9zgSE@k_!l-KV5tG5xmszhLiJ}%b~d9ovGDtng^J5qUK{bl8$eV7)$y?Y$;=N z{&2Xr$^l9|CSg|AvW&6FuoheO-IY*!$ z5V#>KazD}!*?de&lGt{f1>@LWiZL5Gtk1pgqAZ_k{$LjueT+w@@ia@WWyFwJEpt95 zB!l8fMhYrm*>-DQZv8?GO@3UI*T)oPpR<#XY0Arjzc%~Iq!-NeP!E%ocVc_)=z8)o zMfqn5T^}QrSG<(j+)8_5Xqm%k<$-Rw%k^oDA<3*3f&X`Rt8rRvC zkJ-rUyx1+owo;*>TJ?KCBOk+(>4KN!aeUHipx+5+-7T+ouX=5-_bXsaT3%FJEs)i3 zgfsC$RE;t!_0IRwj@peFkQ|C;QPF+s+*!W~vypTyRSd0mGati|7ey}WH?>XuE?nc0 z4}{rs6qAv`Bt7QTj$zb8KvI2WA$Rb-X@%Km;`cddQYZRFUO&*W=s|ni720A3GI$Y7 z50xVP9uD$z^kyC7`oVC9M$0FzY8HBLn~!10Fqo28-~Qm%%Wf{BRPOXLrjElXJ!%^o zUjR^fl9|;(d~TCg0SRx9I-I@A{|X#yskpTZ&GY)QW#FOPQ2UqG=0vIEkT3(q9!upMYbv zz?9`IFLG)$u*MVKmy^kN@63z8PojA=jqmlv24df>9&`pSx)8&2BR_{`JBkhBZe;Rox03 z{q`}WNm_ERdbWiD%~{^XRF3T$Q<=2j?5Gq)$2!q_dk|(cm1reNyNc)B$Z(z2OiXSD z4w}x##AdYS^%E!AkTD%B(i(SEv2x7}jA*7=G_yoZe9UReY-(4j!v#AJ>tQwH>}KL! z#N$ycpZPVNqz#zJoYCx9rD#OmJS28CyyF)(=|a9S;vn5{%`pPG<|_ zn4~oI{SAYgAvr01rAJK`Mp<6HzfEDHGYV7J87(F`-!+i-G1y5sev|7L;|a?vIkdbx zQ8YRxU``9ndZJS}%ycRX4VCqIj)qpp+{TP&GKoe34Yh#m1>{%o(j<(dEclCeGmU3* zSx=_HSdY#y@);CzjXk8{VfEK@`yJx~Fc&}aPS{wx1M{5UL@skQ?}ArPGUqeKmp!~N z;dz@(Q)4&69H(;RYFat0OSvvSd3~qG_IH4DK3;FyqB-@(pl#b2M40qU7b{ULpG*1q zX0N}GInPVM*T$eVzAv`1t*gg{_z;D$6DQ^Ul=$8_hn zk<#4PYvq{ioKcIE{S5J0Z164GTcGO$9`l?ZIe)->XAtgjDXV+a$86^@{3kBCQD%|* zG4q~VosVhHFqp|-J(IWS9dl2*-bDeLwKUz6;N_*@3I)+>^%y?^rnhy*P>k73peIB zufAX112-%mBb+%u8K}w<+J3IMB_1|DVW1P11TfY4(M|*mdS-Q-@jv9IT+5%^G~TD# zc4s;J`k3`pUWC;Af7HCwZ^Zd)5XSnYJ&g}?|B#`^LEPd@$skWuIT`nFVEi+X0m1rN zX3m#I`@gK6%W~tkn#W&-t5l{=>{BOWu+DNQiIUjXtx4K$dk0I9#8@I6Ufgy+$UH|@ zvzlGtm~2r1jo1S6k4zN9B&z8c%RP3z8c&)*!0+jL2}dnP^a3RtO_@w^SA z$<3Em5$_d-JU?Vbt}xwcdc(2Y?JoM%o&?4CF!Py=!`fwYjQCDnMT3XygxAd*^~8-%1?s*^DbLw?y3(Aeva-hhF@By2F5(Y z*HZ4^tC(7IfZ5LP>M?(X2~SjV=~)E~82H?(-Pn}B!FUsfJ;UIL^6*2Z`w1hiR~Q5( z$*+^ZsFgEmIu<($Ve9~IM>kBVb?!1!`Z7ZgttW*gFL$-*$=4>k?Tj0A@uHJk<-aFq zA{FLHtnaQaq9?9ABYi35WH7GW0-skHAPskAR#q*`6vLy7e$QKE;+u2`MO|Tvv|lf^ zP;AAs-RbOYuO{4KAr6yp7OCY-J&gLwTj(qM!5j>?{0~&~bReahY{!>R=BwehAH|_M zHOKQC>XhV+bz_E<+R3Xg?8t3mbhK&B`a%eJtHQw5%;E||rM*m6v>BXQ$yZ%HGuI;X zk~E0t=|`bJjFM7$rBFY;(To`12IeNjIO$Z%japz&a?L%*%)!ljvN^bstaoCmR~Rid z^Sm){qmNe@DZN!UL$=EtnSM-@s#U_h`LdEkL3IW#F;(hfHZV<^D!+;5sxHKT?Ucc0 z4uf0w)AgZtLj&=|G%4TS9NSSu(Ou4fY0`NqKT1PmnslZP@}(ENXbk2|6oxD)<1H{? zst@ItR=E>~O1lvS43wsniOQ;Tn7L(mW4M&Ba`7tLYZWu5cjVjmME)CBjw#eExWbU> zOZLEdL0uV-4a2fSEt3_U!tCkymqKA6^;m2;P!BgV4dM{Pc@f6Y%p1lG(ly<9%z?oF; z#LB#UFrgaGCSj6zcTpVDALb~y2jP;zshnfEOpsBTia4)CNgSIo z3f4id3X*Lp_s%* zR)zuDMKU?%WB&T%nra||`@jCsWe|V;K>>oam84;qn4O7NwUhLIvhEqyLCWgi;Pnd0 zSHD;XA;Y-rw5Oh1)3|C!3QjsQHdJ=rS6)LL zjM}W_QX}^(s<_-O&LXfv8UYSr!YJft}ko7wd%QTbnWwcAolubNfeBmF2Te87F*WUTPS*jW7F`sM{~==t`Po$wm0;a)B6TZCj#a3?sEE-zndQw04CT zmP=)E^KaZL_+=Qaon_BzE~tA};UGThL#d|Qd8Q|HM0d3*VIX<8N?sIJ)4 zTswYL2Mq)xLkyF;)8dlU63tiR%QY*s6s~!GV+uFu_rr;fWSawU-iR8GInPK8+6Ir0 zvZ}m6#y7bvsdtxoz?(rthQV7T|IRRWJL9>Q3|gpvHY7T5t|a!+;>KWZoDP!KEoCk` z%;$bp+uk7>z%ZbjWIL@Kp73?sL+!wGGi^D4@I7%{TI8iz^I~sh%@`(fsZJ)EUAuy> z4D+}Y%)JfcThA(;eG+(MYh?G^k<5PqDR z1F#>g?!Gr~dYM#j%Woq0K3$G$-83|LzWii88@O?);(Vpf>oL!?7M41`--PMW>UzTW zB4yY5##LLxNw+u_!_aO}mSX?7duzS|2YEb(+1)9%scQn3KlPVcdjM_*7k!$+HkE$KJtY?xfE7OuW`@ zI~B9J-=!|jFsC~Z;@Nf}Fs3`;S)wcqBhvko{dk?H4Tg5LfF(toofD0r-A@BA`Mu_a zbCNN>`>++iY006nrgc8F39R>pdwaPhF>lQuW$&|dvVZ^KQ8eIiusQ3-SVzND^$o?& z^ms5mJZJ(t^c`B2UktOu1G%~5m2UZGF1`+8cu%#M`twG-pb8t4DQB1r{-BdE!({N7 z7cWFFVKoYdQQ+hDk?BfsHtD>v#vn=i*{W2-|X!wm0; zxUN%v`SXo64%57(PH@)SQmsVS;e*-UYnd0k-O!d{zL(O4D@o^$ET3iNMb64H>&f8F znnaViHUBuvG^N-!)y}$_5HgJUQjDk+Rz$ARx@%1p?q9WitG0WS-LtED7$$$iNiYqr zgLLkgZ0rd)rZDeXu5j<(Mg95oUyhIK@QasC&ht<;=g@3qnDd?Xh-H8Gj~&+;rhXk| zZw!;YO{0k?*=RdZc_Of3G3 zv&Gy?Uf%e(CrO=5o+{F8$gFq38#t@p=#cZ~H|7YqTch;aBYDGXPU`=Tg#kC}U8c@b zz9-p!f_!Yl1B1TvMVj23Q6P-+x~pv%rgZ_Y!Z4#dNhZgDf-wR!y8r&yuhrHIqSX8q zn8nqBR`ozz^(L&NwW@tBV$3!uGhIh(z8ovSQBn;=$T3#Cn8fNcYOy{ZA``8%3unJ&l;%={omZR476ykqmTVWBNjtE!P< z@>ZE0bNrRz4!cta{Yf&mJx7?ry-DX&_4^)zzWR+GflD)G_(ZqSAQ(_}*dX-!rXz=; zTvsy?hH+ed=qxj-lNIW&E0u#!2@9%x70)7H=`xtMJ&IY}?AHt7E+}M}#+{1IhNe#I zJhZFQ8OCzI=Z40dZf|Y~f;5lL?I2=c_fGjr^x)6JbnPF2`>?ueT`;Emw`vA3z8j0J zrmx#y8JAaOdogV~>o_9M7~c(gJ@t5=Eulh3^TjEI)CC`vaPEI zyK+8EEbO?gH}a`|&uW?hJ$gI)B*i3eqD<@{D>M-{p?^Mzmtm%NGQD_@XP34&j*(u{ zInYY5=Ii0^O|x9>2Q+JN|9%Q*BQKJv9dN?D?&ntuj;rNUaV>t|-nAIq4HpAcw9GKR zyC5BZZ(Ng#&o!qU`JR`05$BJ*wqu|eU+X4NSw%AUZmm)T7DQK9z;-_ zl3{2VC?_$@0gpM~TqIQ?GFv5wVeq$q6(J!3hLPXT326x2W@UYj96F?-7>0lEZ|;L> z;7x}k7hlOR@Ei4&vwG~nXO6*j(4Eb28K!>2zU<3s;#ev;3iVWq_CA1na(bH{uxn!? zWA7i{SlJg%50TNMS!jwO-)M2fX3YU`+b-gHIPuaXa#hh_#8*dxQod6=;@A)3e5*M~ zHip^XQ(Lg9q>NCjLKLIEly4@`aWB->#~lVIrhSw8x!_vn$=ocM?8RLp7^ZrG36F8! z-ZZsqs7wP5BfR~cTs~=oeIPgH7#wc8pMCL;TGaMb;47BEP%71?PVrT?&X$h&CB}Ad zY2n<7M$Nia3W)(;(mK$>SC+w#+1;VC&Smj7;g62b!PSdf!Id%f`uYKZ%P_usLLUNJ z*{S&WPQx^BqO4I`si$_YM+eIok5S⪼y=^8>CEB1BYAj4ovk1g*r|u(}uw;@Avc% zWfm4ME0~=}%z&B9#w!wuRY zNy{+DI~Ik^mLHUCVWRhzsx-{k!fpE?wxY^KanaGEm|>##`aZG6t{4V)CvtykT;}LJ zz%ZHHFGR!FoToqS?SgsS9};e1n9!YO%3#n0z5Z)?2;~3b9df*ll^*0=Jv5k8!7#7x z!1W%1J&SFbFfb0+tW_`cwYQo^}Eze56^rGyGz{fc6=bGnLz4zwNb-OdUk4fHe6eZ_n0@ml@9V%bd4tN(5 zY}xHTW_LeiXnYLt{(tCc`Izx-(HuS|dBZ45EqKGn5bvU=ysSeZMf=?JF~*y!KMs^) zVpdrDnA!z>i+oJ$s%7B48wMLuww5g}VkE8BQwZ`WUA11lohp(oZ51EGy5m7GyT2QU zvGoYxzC3_NZRfLHZ{l}=xbw+vlvuJpJ|=C0mrTnYm@mhzM%1%7=;1nLnS9LIlA9`* zPk1F`ruOrV@>SC`{M3j3^;r8a*9DvIsUUlExXm#)dn@3<>T0X{T)mEj- z$+mChW14nKSqsdbmaBh3*VgzQeoOMB{?5j*i_XYzfF$u6!#!-_F)LLW1+BoK-sA1)v5%42uorq$ zdFY7slc)RjC?{7Gn|32*Ax&GjAMnl0Rzpw%A9$4u-r?5FMb z#xgYzad2T_E471LAq~N8dVmQB<4O*&t zJ_cB`75}|-R?qsFPVLL`ZKn?O)ulZI?wdx$kqmMpBxMGFeN3pT2R^@`skP=6cXj5) z6W>W{-Jb8&-(K*Xm_y;7a@WZD7*2In1NoRro$zmDz7US+x_L36y2xH+wH4fYJ-*ZA zv%1m3{i9f|#H!vaK31VLLOIB>G z%$aTLVsiERAvHHL##N_$lks&M&4avG|Y}h z%d#(6d%)|Gr8w0Q|Hph_-B+;v(y*SwjeS5 zc^w~u;@8EuxAI#h*WNY%t*q+8jQL?0R6Xr|mUAyE3oguK2UDL(6j(kOhC7q&&;Vpb zRaC|x40kFAqso>$;guu^xp5&cen%Tul7ia`+=|7=famojjCz_OTNlJ{x0f;|KD+C; ze2jb!WlyQ$l&7Gc_^i#nyp#hW-0qXnNNe>g*z@d`xdn27wpUtE@#V_#NzKqeP-S z%t|ih&KbDC{O0W;RdcxPt&|8RIHw~=Ev1in&4rrtJ@M9bX6)5}%c`k-GH(rxZ=O1) z9Nyv_BRR_?H%E)WwI)91JQKbWI|rcSW5RPbQ2t+PN~HRj@tlf^Uo5wUCITG+6AXLy z!@%mf?0U?&0yYe+U;39qkZyV{&W5;^xpbvz8+`h zcl;YKx(nre%zZvY;dpWp^up1|vjVah_Z%u4`n}HQoPNJHJNEgQ{Z!9_=fV`{@iFo_ zp2yL{e0FJ7+WDC4ycUFGnlFa??9<{DTAix-%)Mc@%bvv(X_0xKtjWaL!}NX;o;0+r zQ8-!ukH8a$(!3|-h8cxE207{l;5V<8H0s$U? zu%#ZQGE3z#GRPpKGsvhj>OOgqJW2KfNQ(RN!*)-sauqfS0{gOV-@j(P2+(t5Qq8!+ zjHVlfp)50ag#pb|&G{|Qx2=+})*6;yVPvz1|Afb+_iMbu*yhllfPu|4buFqHoJGMh z^kJa=ws<<0Yyq+g@QJ(+_Ey zMS6>fD@M0k~M0tRN>+rGetas2V@(M$h^QEiQ z?qH7cyUM?>FfB>A&rQzvWwt#YF$60f$~a8nF$_`?NlK}I(yN%nPD*5|=PqMEJ?|EO zC<%~16E4zdzpt!Oz9B#?IMT`w*?m3udohvO3D2aTtbjjlva)ZFDXZjMVeB#%eu00P zUfQ&t1MlNr7WyRHfWmaRl z!sMk(MRULZSKKxY)d}qnejGn#f>-@q`TaL>q|migxAdd@;n;=!E+yqF3~dfBTg+*i zT^)>P#(dpSnZK2^WkXZ)heI9Jk6+7MVtn&k3TH6G89HLNoMeO5AC5CKu{iuc$``}E zB8=j6I-)WbEA-OaD4vPcoZemP2O&l`y_&CcYm&DO-|e_qhBXB%wNqmN<fV|N zH=-!S_DOk*17%;A8%j!cti5cnV$gF@b($ilBIqQ4EW7R)ms*Aw!=Fg*{0c*#f2!~U z^Pnew{;thRhsqQ`=i-)VAL~^usr1v_>rDOzxI^3sYubrDtyC4`qTZ?D(y_k8us;vA zeHCZpc4u8!ohL3n%X;i0dg@7qG1B2VhQrO@w|Qfl)Y)=sDl9C|Tx_qz7#>RNmD!0! zl*C)DtZ}k1JUI-GcA`8BYC$*-7V;d%#OP@TO{+poy{!I9i#+*baSi>2@h4-LG?{v# z^@;xZFi*~$xHI41jJ#mP^fiWBJsj%!C56k$IxCwe@xFBs?Fw_KgOdv*sA8x2%uBTa zkg?716{b&}KsLKDXe!PM>o%{&w%Ii2uTgu2aOKbH4%e5X_ZT-t1Pew^KP<`4zMe<7 z@&HVls=gzpN^f)Vggfs=jsv=t;grWv>C_2lQ8cq$s$F-ZpG<>s4RH6GWlh~H42b69 zjLS$|!N?(CI&_>jtLn3u+@p-nG}+0)cL$V%7vxqRwhX&GD$v$nx5{+Q|ngrbNAo??$2K)(kX!r8?m#gyt9qKfUnA z@BL~$Zi4yFuCG)@#0mUHoDRax3$nsqu@2Ep#MtT8C^a?83s8Q%lTaR zhi4YZPbUpeD@ok9e|h`vm%qGA*e~)2;y^Vu6C1KA8OA-o-CvGy%mgye!Q4xjd-@|bHIeCvzS{kbo7{5E~B!oaAQ+GW13OgU4ASy2ewGK`5%>g=W2WHMR_#P`(sb+D}l%l3~n~D%o}CKqo~RMm)Q2msT%) zqK2*+<~yBqBJcVb>zpr!3n&+19ZWT%@Av^0&bDR!Zx8X4w3g~jvAF(32-4BHXLKgBvGt%hSsz@0f8 z&juQmcFRnk%a{axPkBH2T6~y|tx;YzoqaA3flF%=-wEp}?9*AE+7yvt>hn|A$VT{Y zT2lcwKz>H^(VaDSMubI1R8sMi)+&Kv5;VE+FO>Tm>>n&9)tc5O%|=f8@h`%6Z?amL zSVcu*@&_P8{z#l_@zPu8&fte&9yG0cxx)C`9~+M`%z{!@v@28-C#P`q9{JjAG+{XO z+sZo`212LN?S&^_3m4P%y=%# zt`Z}mEJ*VeTLz<^A#dxv8ls~ZradR&wR|Pk!z7b1*;HR%zlj5*5M!THcPbX(AOBOX z^G8~azIUk}wiy0&qa=v>rl+bsi2+dRM?lmC-L$1?)0^}643nXQJs}vTLnq>dk}t&v z=r>e9F${;QA)JBcqWg^G=hoIJTRm;Ewov*u$RC4?68OHV3T@xQpy+aO?yu^nJ;p?j z{jh`Vu~#QLCt1K;#I^PmA|cPF-{0j?SUj&Cq3+URdt1tAGaFz;-Dx0fl-Djf@;JO=vBQc9 z(KN5KhSEbJU-P;U6I&jLiM7}XXLCO^hyyUph|aolb4en?bX;NVQ<&`!dy<|{B3Cov zF#qWV3vV99y1|I?Pp7R70Y40T3IlU{U&wJEOnFY~c2`;6ju%a)3Fa_Nd`79S1qCqb zDLf-jmQG@r>~wZrGu|N2#h*qc_!-7Jc^Oo~fS0ev3b5@XSVCz49Try5?&!bIf#h_HvNbq-89h-=?2|t7<6QP5tMkMq!6W zWxjvxXRn|w45Oc+Kla4d=Ec$7MG^%vJjXEmdDPH33N0j;D)_}P0lME*?Hjc&gJIm$ zo%+0Ph27AHUDTO6(9ZMN^W{E!5zoIlwtZOjB^2_f;G`liyL7Aeo-hac-KE?NQ=#JP zkpqd5&_o=r@}+P&Ctl!vyzt6L*U&4DVF+}Z7s7=*xZOsTQHJr(_gw;x1nkQ`IB~G~ zP2@7e$Y;{lpRfFq&ah`ffYIp!}P4kBbu>>+h=oqt~Np+o1r5bmJ zsZZy|HwKR|_Ze4Pv96xPd=W<%^)i#kVWpBFh~`Qn7qgy|tZNqX`Yq_#0eIurM@ame+K!!5xzpR$zM~}zHo^%v%ng|AZY44 zfovCH{_`fM%-2B-Nh!5czHfkhDS6%O_*Z&7FpPvI^kNDwtY_n!#b)eSE^lKP3-#7{ zH;IfZ9&@1X?YqmaMU6R5h*8j91ohmebAFa5JO)5xo~`J$sJDrsPw#ofiw7zwLc0+r zKb>N?$t*8PfU}J0Pk*~>i-x1)0z;tRQJR6NP~ns8hjl9$hC>gdidIe^VK_8-+1_`k zi1rZ#~|ENV%@FeNH>u63r0=rK%#A{_&UVbIRVd!(9cHDr%*&l^sm z0xQ{5ib=mcxC(tTZCX9LgPBk7Ik&Eh>WdZdtZC~`kXC;Oa2ZZ{({whN_RKNoNjcAk zbU>ky1jD%JA|oM1Sw)FqxHHc3;;5XCGQ*hn9Mx5}?h0Vl2Z}+@PwkeXi09o1mDh(U z&zp$U4pkIJo@ki*bhg<#6E64*g-VY-&GcgeBcStSWL;Qu$4Z>}+_Oe=Clp7tJQ$m( zygo=$s~a&!K|lD;#0%wJTzOVF3CUMt015KyFLa>Zt$LOXb`+}V<@G=F#4Hh z!ZCCYl|K6I;e^KKrRx`@4;knJM6g`C5yzo40&|*a6i=d?yE|(f1(ub1hoHlqb~IpG zlS+S&L70KwLky#vK~+CeYJ;$;2VU#56yuvDsgZ9_@l>T>F~fkSNo1U1Ec4(KH`cN| zw4gQIC0vZlea*}DxgYbx5p4OikaTeam%Y?0KkKpuh}#kTB{ zQoMY8Y0JKk4nJBNU+a;|FlRaAFSl^5Va_t}(_}gFlc{e_J?G}`Tbqj}YjHPmIGpo8S_ifQ-gf0{112A*-HT^_}QOqcIWlbVII5j|K3O7d!#|(7O6yL)0 z^|`%xs(zN;9E@QmOT8`Z$~_ zz|3Rz*H%0M>prgvszK0y8;;=|qjIMvWQ7vm$Gl_bW*w_CWzR!>R=8G&7n!hpOo3R8 zH^$>s+mA8UNJ6aDMYG9%QZ*9UKqJiEuIRKjsdZkS$rvKT+~Sz;>dN}#-;NK1l#X-7 z8pRM}%-3_CJs6cM83q;IcW;r}BEukJz#p>*+Vqqo88e7)-`a2A{_>B^a-Gl_JNhdd z01x-V^)TohF-#x^Sy?{iU6VcYDTC3&fUg=cHPs&m*WE3>wBw< zA*`}y|JsQ}`?W&}5xU(U7W|Nd!lCZY)n8-imHA&Un<8Grn+$LfzFp=cUxzb<%Y2}6~A2k zeu^6r7THHm-$avY-B)q$i`G9by~^Gy){j> zE=4vbERQVW+!-bE5V*##^QL>VqeA%5`T%D@n7@HxV}jBt9>q>ZnFw_@z?I!aUKX2| zrZ2t&(*iE-<-XeG>PBK?Ch|iop8A(w-I;1f$9jVt8v~KfnpUEGF)p<0Rj^3mEKa=i z_uu4k10rCFFdoG=TUI9FKO2LOx7lY-J$aPCijA?y1B1}k_bn&XB?>x8keNIjF3MYK zRXE9?IvPMMB7GHM9&(UowlNv`)hL9GsYo@BWMdjqyttD36;r@-D~`E>|NfgkQ{b|D zU-3;L=GUy^54x%Ez*;j?#tlFbq|C^TcqI zI9~Lc^L42B@6uI9;!I1Cy*LF)f+^W58i&SxTYKzN#L5PZVaw3RX2q&+yn@@TAT6^y+_$4kW#IeC5dPWaY=_fh4;r#br5wXJhK}c`ILt z(Zhh=F2oX-PX~elz$#(EveV=Noa;L35Uo6eG~z+=iVBM_}Li2Oq?*e z_U8jb;rg6r^?g-0`5N`su`!Vup0J*LOZqFP-KyRx4+a~%`31#=x;Cl_FS7;n9__Ued}`~CP2Fp8}phUTHfrZbTk-tD2!^78rCc) z(^4J)7j4&9vE5pI-#o)t;hH{b!jcu$v*`wLEj)x*ZH!^YUZkEx7`ybIvu4H1wc)lf zfhmqIao{AbmVmVffJ+jV?o!TPV)@~9?8MP>;>mUfMlPMTSO6>Q)Ro8IibL0EcVGfj zbKM5|ZXWeEZ^gvw&ZTo(JClnTj{3Ule8mtZjwad|$DFqJ_jD&x<(51auE;5M%o6`7 z(*mx?QM^p1zWR3X$(bxi&dd)Yv4M-P@k7c~$YbFmOvSR-c0^2GI_Wg_?i^Ll!Nz#y z$Icee3@S`k4)gvtW+`V~hwH;;$#LzajnPV+rLc#%%6wPwNbW*xV}$aQY7w*BkW|qo zGDa&$Q5-m7XnErsi@MZ)YVY}`l6y|tn6Nx6&6KAL<|_klk%)sn6BhGU`MtPSXvbH1 zR^-3(wL&HtPEyQTE-y&*JmAf$0d_5@<}$`Lg?08o1zfTsj*U6ZzLSD$Ic^$B1ec9z&3h6` zX?JG^%$~QM0J$tCX=8>nYAS5=VS+QvcRNa{We;2!GOJ2UjbNPfCT}*`ixpO4vsWJv z<~hGvEZ@dh=YsPmf~y}MWJKD=V5c96Z&T<<8)Kb|s(2yCz|d3g%ni=EY6S7>vK8^O z+A71;=OSA@kzLTK4r&$OHs(D)`ICjAHH?ixPtve0GRdabzYq6b$^Y8sYpKZBWbtCy zGt7i1Q)oFs40ihAjsMYK24VrZ#9gS`MD|d#&K<>1N!ug5k;lO08al4ED6*22Tft_D ziOuAx+VNa#Eo@^}6GbpFpqU73CG7ZOoh!BnIL%IN`xx%jfg^jMM<jj}tk!K8L)!N%AyYXo z8-tmL$9!wSYv-e zaSY+^#|siZ6!xI}30Mub;+vAxDFzrtdw}NLyzHqLZ&%OR(S*$*8A;aTm>yi!FRZju z6RQ~S9Pqv|)~SV+FwmK{tA-!&5G)mCW4v?A37T9D6|vbE?7XdJ*~Q@V#=0iJz`}^9 zS*g~>eCPlD%fCCxGMpR^-@cEGvQJ~mb5d0I>h>zPR8h`AjDKD`v8N=BFzoqZk@o#kjsi2r#_~3%Kf}ef75qPE=d#>5lAYmK z!Kz~>qNR?p+m1qb<0J`Eka#Nsl&Z8#ktq>F63NCzCDv-5!fQu(Hr_k@0`(|<5$8#e z6!P*z-LvS9o(U#|OJ2_H`;T0Uy=xX==yRAA;(2#$#6G$c0JJ8-3_H^B%*Wvs{*PyUqMB0oNUy#*+%yUe=Pjfs%SAbu9F;fPO;~L!kPy zO$5Z(P5Bc_AdVjQJG!c5DcgEE~h2kc7_eO|`%XcA3RGeeC@(+^!A44Xb~ zvZMGNiwy&(=rQqG{9%DQ22L*#CsyobZQDD(`^K?kS#27z7Beh|0aQ=z2}V!n^y`)~ zf%3a32J7@||AZ0L{;b(k=_#A}#{<3c_D^+L{rE3Q*HS0l+zh#3M)h{wm+~MA7{$e) z>b#&hsA;i!ayl4OUDRu$wst$UBF!OPI@B_;`NU5cIz1Pivh_N1UAV3$nc~DdwY_U+ zDq##YTCgaIqCw)X>%#!*oEKcp>B1vAF_WX z#RK!#IE_R744Y_-Z~k{Q&r~*P^XiQ)k`3b|M@x&wD8De^L&`+GY_z*LrEKRPIfqEY;lAo=(P>3nfvkXwN5xlr8 z?V#e>H=YMi%3?KBG$BSp`^UXUe=zKTKyP|F!*EJ4sDb?29Ezbc@s`PTR&K46EyVce zhevXVY0qgq9rb2Gf3fHXX-ox>>4Hs@!LlDM?9SQt;TK{El&w~EY3tdCnEtFp%lHXc zG&RRzaig=Vkkol9zcu~Xl$-lP;dNhcNUt#&Vp?>JRy4$bYBFZ2`BS)rKNIF=uHX&^b-j{1H60Gz zq|8GMpxQDO)vLRgVivS)D)l*PSW-~(awER2p`&HzDTFyu_f5nPm1Z=M)@)`TGacw@Hq2hl*M^x>BIsz9 zXH~7HntTo>f3kexCp)O>Q%$05c}dj(fkLO}>{{mfTY zUFa$u+uXp!X`fED4DCHpx~r{ zfFraa##E!-zR|#b?+f6*AnfIyYH}Vj-L~@VHF%VWLJY2+r^GnKOlw+X{LL}ZFwUA5bt-p2=}A`ACD$|4HLdPz!^CPs99H5t z^Y?h&ANM-Js;x;xbc7gH9W5f3KCtmvn?y$61M8M?ImSk;wojR+z};Dnq1F3Xw=O=1 z-Pm%G&L*=ozK?=GC2Sa_U-h>1XY+D!L%2Y<3pH`1_G~R&q3xpvSHX0VnkycIuE|X_ zeN_Jh4{;JbkgAdv_nAhi9SE@F0GNK&a@=e4B*f6`jk0Ktgf#wgUXY%zjF10_CF)fV zq9h)*%cRZWxJT4H7}rna&5^0SOqj=)?Z9D4uJMGo1j%f?Y|5?dH-*vI{v^Gus0!qc zLk!EFTOOacHQOM>#Oxyayo}6)9;32^tIW(Y%whRyEGz0OvC=6QiKo#vIlicjg?X8?6R1PeXJ>}XJ$^l!K;qurRr?qdEQmW z8e(!bStO09gGZ(-#L(T#F*@Zpx%bbkN>m+6d079B)#^=K#2566hHo6i6>sW`vm4? zCr4RUygFCNoS6dq1j796uYERg{~%^(d(>9g22eu`%3?`_5M#0|dpkdgdu!MdajE>*o#$`Dbt+uNY&(8|iP>3^VbQM;v$7BI9SfK` zr+H4rVh@>kA;u$#{PsZyGh1J!%FS=|GtN^-^CJGj^bpguf0)<{FHRqOi~(NuMeD|U@vIO7ysRiP>rLQh$^EHm z^9tXA3RBRDA=OzJK&Qqoulb6zX|ye>;p#BpXj+ya()_9_b9>Q+9ht)yH@ ziYf&Y<>{B&mmi1&FDgCT)h}+cmrZbL;dN3NHvdvbin)>-UYE^wQ>s0$@{&3s#)4^A zTFHGd$oNaHj(@dDoEjh4$8twAR>}iC?n@B0t@-g zouruiy<^dA8k_kr%>HIFbrfVn%>Leq;n1te8e-~q%#W!fK^efB*IQohahK`-0AWWlI@6}kHESuo&vRw@^DrwmXE zCBLY>c<(fA3Niny^^=yp$ktp6F#&uR-N*fFdIzS9f~nsQ`w*Wjp)r94(mc zogLIZq;WcP0G44abp3_as1(Zf8qmpY9?ux&RR+iNdj+E#dB!MjG#;2rTp@;d-!?f?EDEUU28FltyQF4gMUs8|N z0T(lB<31RUbjxSEA_mjFpO@36R=)2nhQY}1CERNM9xmueS@mwT4>P@U)*H_P7B4Q@ zUvnU43B^iH|6nbHUct+3*Pb?xOM@|A9lR2BFlA~j)y161g~!_PAb`6-6d;EZ3>005*K1} zIQ}lpQtuFh!Cx}9Wwl&?_l`SI;LG$LWaVMUkEpvqhyme8QOLutEN%RdC^Jtp$sTVdeI|>$|)(NenA8iuvK+6VUE}iOGvQ2kKeb%=$?{WeQXn-elveP8{&?1* zrygRExL*)R(CErF0okF*SJ~z4x2}WBttV6(BfFBXm>#~JjoI{T6a^ofW?g+~zg(gV zE^vdX;ogpKMXcfJ+`~@Zby3pZXbW-%U*$s>jM}~8J-p>7B9J9ndxiiK5&utl;qX0w2 zvuEXTS)6-_3F400WlRy@{lp9!)xABqzFBU98|E-94*)6zFfjZj<9k8z*S9REgT-l8 z>iIAos*{B*Dd0(MtvibRFi$*IK4@Pah;?<}R>xAVg{DpR0V_+n%7_H?O@|J4Sd^7E zK`&WJYEnyjxhKHNybxA$rr?GrJc<$Gp1S&G&x@@wS4{bU5EI2?x!P`o?%`ahl^9$F z=?!CM5Tc{6t*q2zf0J?@^b66Ra+&uHV!(K~yp8*_iQj_8c=2KwjU8_eW5jGFi*-lR z6|=-~q|TXzc*)e~ZO(1#!Xxee(;;Sy(oOitjUOfmWI=!|f-RlpitpkJ zVrtzq)^R@NMjIJa3VwU+GlnT-Z5^Ej$*tfd!!+_x?ABW6&YnXIv&bX0f#hl`yqUkp z(maI}ds>L@-@s}-d?$FTd6=b$%sPEkPgjP)<5;GJ31D{2 zIo8o`Hj}-&R6cKMeRsGd6Lq3gK|~F)*6*IPIT-iZWAo%|V*VH|NWOo{Zsgvj8W;wK zsTbB^$MaxNZ_z8;I(*Vap@7qW*7%f>%6S^&S85Q27>KH6O8LEFTV$Kp7S!Rx8`Nw3jAF2 zU3Q|}CwyJ-vh>kA3`4=wTIiApV(0p1(+!5H-{0S0kzojU67|noAm#|1|M|!UV3-4* z$UM&~RGP*x0NiW{sj}UjXT#+0i6$LVYm4mJ+r)}t7ErAX<;*l!aq${P|M8L5A{wiv@K@XcTxta-rp z{QHmp$us^Q7HA|z=>I%vikMf#VpdUfN3tHnVQk$xUZF7?MND}F4KKu6drjWS zgM&!4*%s&Qia7||t>b%e>|jb**;aogNuHAr?g3F4hJ)|qmhZi4f(+BZJxLLZ^Ok8% zaLff0j}>Sj>t@Lw*hPK%gkk-gW3ys5_<;&h)U-dot5o@{EKCQdvVPgDrLri*s)n{U z2811TVAjC~!*Uzefd*$JIbol&7zjSsmJZY|kiR^fGX70G_~5Vzwsr2-hUQ>~J!V(nS5`+1IP&{wsTQCTvH~+Icb? zrv7P;iQ!Q};jQKf`DI+^T0_d-Ein)Lz+Xi$QKq~jw8St2+!TGs(_nV5OGrI02%Egw zi!4?{XcfmMT@0Bgn*#z8f2jqJbjpNZx8t87hyf_BW zlqsVUD&6$)-nDHp0i3D#7EJjo<=eb|W=A*MaWo)NdGqIRH4l@8%i1%{`rc{6z?+64toArX8~q& z&)XH#<*TGtXy%1}c8cE_hH@vXJAMp$g`_-L=`2yq=YFVv!!VsYX451leUJ}C#TX`Z z)x-0nqvc{fH3t5~uCk)IUX^u*8QpQzkLRdjonbiFLqRhPvJ7LoheEzuO??@LbIB5U>QJG;*? zjNeYA8dmSD$%d_ASvLF&buG4cFwEQbCCOTHwHjLLw$Ay3>DvJ(T|J8WTdN*P9^%Y%G1uMO8}l)q-`^N6?Fw1P2+ z+t@~C=F?|~V>EXvzLnHF%KUjpTj_|A)`ae1;ib9hZJS zIwcJZ^Sf{R>wYNVJ=6lac14<5W z)f-fX5Ga*k826>D$Gnhx^QgppZ^G9UPWUI}f6som*JcT8_BZE?M{24iJN9an7~vHqeE zhWTBc3ZhQP=I=Z5q&zQM<$|=-UK(iLU1}K7RXd7u-E_2}%AS?O+m5r@`x>TmKQH5c ze-PmsLH*CX7p9LN~gnzi$O;Fm;=#2VV0)9b&p(%&Z@G zUmzxLDNp^ZzJ+Il!)WbA-{@vZ_`vAvl1)FfT00>sm=}O6TfD7= zs9OE<)GH9B^E}vW&R$6%>99Eqcv+?t25(cTcFeV;UTd}Pp6fZPFn_D-^>o{pp49Sd ztvYqH;M2Sy+yq9w#A;LLP(}=MyL4`;Nt_0b#3{q9?nv1g)v3C(bDOSim@Vh#Ff3em7qq&^`o4b$ zdb?l&zb?&P8gsYtAX58ED-5b8Mo|62gFYuh+Du|#4p)8MvK09fS0>JR#tJ(rfx+B~ z_V!JkG|zI!sBV-R$CNK!iJ9F&v`pF6L$tVa8<{bT?*90Xvf4ErV~cI80NHa5xYm2w zcQwhku1puh z@myQAS$!D24%Tpdvim-N!+Pv@yP_zw%V6*)r!av5+~4Ba!7!q$l7rWLYZVAEk;_!< zWhU#G#=Xm$_DU^j!K|wrwRKP@2Q=z!x%cYte+_0!^Kv*VRhXKl z?vmBR-_oRC_)fbpW6Ra!@s7ZLL)}aMJxI({0YkLWYaR@XiXvAnI_s_JVM;bh=fV6_ z7{uwEQCqJS9AHvb4Oj+W>ehUmn2tTfG?x{osM)C$$t}``SzcFiO(iEMd&iKhPTWH0EWjL%v)p(ziCE~I`e0O+bpJRD7{6E3#N1#oB}=N6 zmr`KnFx+A|!Ezf6qp_iU$w|YZE@XDh(qD_bPfU=&|RGyjf{q1SY}5HNee*y~IFBBzNt zpD^o6{ZwtCV$FfJuyy}1>`8J|N4co~TEQ?zUFm>>X6OHNf2r=YHDb-ekPu1HzUg2o`bNKYNv72iXNcVabRSaV%3`Jg>~9& z-H0AbT=k}09DbUkur)QCN2Dh7lf5xuRyCe2Rdi!@gkw0B=k>Zc$oj2wvucci)Je8g zE802>Ci2nQYWp&vm-Fe-XJ;JeF;qUp+ul}_imzGFSikj^@)5d^d=P;JD$ z0eBW>vK6)b>T#iGm>_+S0hjG_Ma=+OC(G-bz%Wo6T`jK8dgASyISAYBBo*S^Js$I< z)F8DfNms)hfbD42UAjmM%u%@Sh|hy%R&TQB8lNd*cJ%VBeO_(V!k3#(6qpvh(YIvf zd8|KVvBfYR8s>{AT?9kFLGwi_(F!!R96 zgx{MMfOAtZ97=~Zzseoy=V;3bZ`rhm3S5W0h?zDhtz}qRx+o>3O+vA|*_I9=l7eUTe=|!zY_3QH6zCaGx_% zOXzgiXcoe)kH$$Ni@YZWm0MIVMBLSzT*c zLX|dU<*|V2tXUibqS4jO2hYJD!uryKb|Nr)(6@M&?L3-_BM!H}hnX2z8eNtxalYRveR`OZ5&H6b4u; z7{}Bnn+#*~(jHgm`lUKCcZO2G`2lc>ZB-c1)xoeUH;wo7jbqgFOSh$iyGuhrdn}xB zg7F|7%&p=j?=gy9M4!z|aWDJ!n>2m;IHo%3RO~scJIhYea}vlg-5IqiipseFUNc*ujO8|d~eI0 ztv45fGkk)X_bkgL=NT=}+!HG?^o(?8ZNCt0MLvWDhlYDo~uI&b7-k*$MW zR_)BzVUBT65ZZA}eD?pyS(g z@eoW0X}e#2SMTAkgE8INHfVN(|1@VeW<&4tWlrag-nfzXn91(z>a^!LWkZh1(4|&T zRk^k^T`(9L73xKIHqss_w6NQ_Ifg*Bnn%D^qzLN%COCyv7^b7Ji&fEi*gZ6;S~9BQ z@BbZ)WxdwT*|v5R$NcAK+UD%iA;-ApyYjpo+6xJbzUaSZ;Gt- z0+Ae}nIZ`z0p3~+UXCi2IyY?`dhP)xNPa^X0mnQhJEk|(nNOubbFCFCN9r@r)DP>+6^&(nbePYi;L47bC`D>aRB#u`P6o=Dp*j-#l$eF zwtqwqkojqPY-9DUO_;s>Q0F?w0Ol8#1Ye@Wyc+kd{irE7$86@fBH4so?RMGfuo=g* zaNr9*dl*fY8vEz(h8@*}e}B07&TqlRn>1crp6A&=0NbYDeb(LdwRUr)3W+S`s-b>Z z70oZR?^#`Br(&o2zpsa8%!RQ|He)*HJ7mgqZ(`>DFuXrTVRUa^3upI9`%0*#sUm}o z@~O8Og7-k3DzPKe)0<~mZ*gsrW3-dKZs*Z^^#Tlgs=vanykW9a%)@CIEu-Y-CYq|v$1HDRywkU#xkYeV&$G3b<4{w^4a+dVnO@CRLVb1swRFWeCNvQa%rTYu zPAvhmnL=(KNlXcCR+!Noji*;OTp9c>ZDqNxR1O_asVw(<^TT>f*j`K*JC4yzAb83# zg?WTK4(IBc9I(zAFqFB_#*V>FA)76}OBl>dcI1{*dxK((W8SK4^j`xC4Hfpt181W zfEmiQT=^;y7`vRZ@gy>@#T#H%HKb*EEV{kPx&+6t)BK#Cdd@j%xlpZfZVgr+QL)2) zaBv_qH*btrMg=9Ar{uKy>i@}b3jRu--;P-j@3A|LN8{u+jRrqC!3jnx^HDB`SJsU4(`XU^t$+$c`#_N&$nrgX}$XTUK;nIy^Cmq*JOspx0jtqw;9 zhXVCMNWaI*fn&sSn3cNG#tq~#Ryod#%Dfa;lvu1!Vw}m-V_rJHfom!zBxBPfo?{wv zMs-Yms|LYxW)A9+c(1;a`ODeG!M$Br)%_+>vHF{w?%DUi|0cj0`fFD{eXFWS4fMuy z7=gT<2g79KJ0ryWBU20c_OaL>Vimb^xoeIANVd&a6?}@Agj8{KMsviIS7PpQ7BHuu z-^wL0_4wf|3UiNQ|D=DlnF4uR-#8{2lT}ybxp^_3R+7A{FZeCb{lfLyba?q_s7>Gf zop?K}wpDs?{DIOY~Vt}Dwiym%q^!)o(Hs>fwC6v<_p{l~xj1`j*70j)XZ`Jo}SjaL%{c-Vr92I z0z-|*)RE4j5A`XJUp>bxBP+IMc!nXy10Q250+~Z`SL>?|&U?ixIK~^92aJe z>Bf_7#iygZrswP6G(}JY?=cL0pXcKkb-as3G?{?bR*p%>KIMCkfk&0%wgrWURbgq? zaSS-VN3n1WJD%(&tVUyw0ml#JjhJ;DlF*5|{=Yg|A2u5IVf6I+l-0pw-LoEH-jNk* zMc!VB-#ay7j6Gf_=`^~w88?oB$5d|Xe7(*uPR4axm5bMLj6c3p59(naDe@&bRof}d z9N(uW{gSWq&UIMhn0HLOvexF{C)>u09g4yR_fcUmS=$5KCCMIt&}fz>Kbx32?|~j4 zbLTK0LyqBHbeAOOF0~k)w`1TjyUS~Gp)pfD3_G57n&U~V%4Eo=mFk_=C&1}>`)PhC z<()b!t^&%14v%K7*IVvoUNr#_Xkx6vM3PqnMadIj@#3{ozR+EVV_#Ey_~8t0(l+`X|_c$S@%zNjL5$PRo$&>SO|t-yKK-RWGN<)sa!mMg8=qAdRz2iQ6=* zpQ<3K*WaJ1&XBLat289}HMPDFyLNVEL+w+fTvzC0Mhb?>wb@i(1e-nvGLM2&m)2F* zyvA6j5OI9o`uue%jAW{D2hZp?{Y8^8=NQ3c<$Bna{u5-(VN$7lB^#G)NMXtBv;bYIy)m=PS z;YVu5mzcvO3)2^~y9^_kY$aDJm_8lMn4{oCR1>L{4%pLU%BksRD)H!z(vo@O7{SB_ zF&v|q$)+mgql4XG26Gmr%zctLvej>0@XOEU^*ywgT1xl9ta?;gwso$LNy>>{q&l;L zhe68s`?xVusZ!KNI{m`}^OQVF69Nf5X4wJ*l{zCBbt?6;*Co;8rzz`gWv<#*cp@-J zdC!))Z39v7tkJkdPvvH63$zuv1g0miRm9>?ummP1@2ghFU(+abVhGX0OwJ>bnAgH- zw2%e)c{IT~Q&HZks&n~WTHBw%tR&6CWuCQkR&zY+Q~%Yj746sWgn}-BOE$Qk1GM6SQEHGy&3aLTt)A^`}`4c_pl%Tp~%uoNdzW0!$CBd4(vEUU|#dOmgRTj%{d07rrHlGwQ7tr z`Le(0&+{zp7}@+t1D3$FX0yw(b#s^{&J4v+=AzC?LHCBrx8@x%KLDGcguyh|HE5qq zhQM^@G(Yw#*}~kOTaQac$#6ma-+uf=U_A5Wu2p2an(%OIbHsdRe+5rqNHZkojI#Ck zVF*lWMrzH~x5?99Brvn7o~nFxc0UYjvIWmm@85$F&6}!dHhHEt?KK7V-_%P~tt)D( z^9RM4*Boh7^mqjByt~+@GoB6SEM>#!4*?68Y_>?|K1T2<->dZq%!eM%vULCP1pqHMVI;Gp?bU364~Y`>{4G=-->Mglu=e&b@j?~ zW-l;1dY$c88hN%81q_agd6eGFIu=FW@( z(IuHzsSw0UJ_QCuk&m#zh^UBD&BFQjSWJqBNy@@R-NArOCe&kTex+u{i+FQCp)^VAAtIFa_zx>Ub4BcAFI51lQ`#DSS%@W;@e1 z&!`j;6&km9N5ZM~5w&-LK~Bca_YaesA9ZjP7}4a5k!fmeeK%HtwHveqhBMjhI+|Za z%oO_<7{OdFgl>_yTC)U3F6S&{whYBF#PZw@TpyZW&)LJ_SR=UJS8WxXDLHf9=|MQ7 zV5#;hHS3l|u7yyzd807QsluyAjVqbg_cXhgRV$l5XGDRK&PG@0zDe^B!$fC#z@I=x z3qzbk6?!)(7L?tXJ1+(~FOO1=?vZxrfnm-?G>H~0y*4k0b1vgwJa-NkT&J`W8Wm-9e$k1B+{$jhCxErFp+io7Xy&!zi5W8RX9u>a+NQ*a{p^yjHXW#wdMn7AA! z#9RjHI94IIS|Vm|8s>w=z;8`2FlafftEWJaHmYpB@of)wS!A-j(hmst8lHB7!W$hd27@3+!oAVexQ?4UC16eKUc-NJ-0d8=W7DCbCy#{U`4huFUM*l&lf%VudeEoz-(o@dY1L7>RlOo5X(V0m<@pG zwZM$!=eIKtC-26LB{eN%?IkF9u6;X25R6(z6S8!tb;kX{a1uWJ{eMgPZnpWyUyI@& ze+@WQN?)=dp{~?sPxYKLl3;!&oRu@O4Z9>eto!g!RS*)G+5BM@7=fA2Xd0Z(Lp*${ zz!2xz#9k!~-(;~-8}7wB;?X1!80eg4tvtoPwh)%UOeg8@hZX$<6)elbR8tZd<^)=I z0@IuaB|?I>NnDVuILv{V5=(E6>d@u@JiUGW5dt%tB2#ZrGt1l-6oEla_2;b2s?Qr@ zwSJT&Ei13|MefRk`AoH6C{-8c;{0&|*oRkfBtg-&2*GtH@%W%mt=9=pqU z7KQHZ#e3=8e1|csdAEqX;S2^fSwlU}a-~gUQ>hb%mMR_HWrvRYSmBhMtH6U|Kkv`L zXDIkY8)KU4jgf_}FHu{vvfh4-WiH9F&EK9Yun(mm5$<&tOtbvClU{)y^ONB0 zyPd^B7*C_wee8`Fd+5%To}x-v&FgWS0?F@PpdsckoPTE9O0O!X4)xw%Z-L>?MYUd^ z1q^(zEk-&QdDd1z`YqF9xMrydGo8nND3v?Uvu3Aq9&?k&H0OK0>Td#SU-qn7Qt zh;NR?O|5Mqn*(!1NysU!G)Lp}!!CPNnG>DPKV@Z})lV6@SF0^ver<#8_Q z+wNA@8(K<^*@CrnVklERos|Xd`*O`5DwE9SE=J2 zyF3LEAqpb+XaJP5Gz*cDQdl6s21zNUQ7^>D6MG3B_AHNA;*B^iK#GjV4^`GcRh3x` ziUe>Y?(4gMlrgHvcy1$RG)1*(=fu5jE%u1_7$cb^M6{r3L;K1K1xQ2V!se~aC7NRs zV`ejYY9UPfW@Bb^AjD#Kr~Ew}gPW;&KHhBOji#V5`D5_PV}SEQFDbA-iVe9bJIrzp zR7Ebcd1Ov+ymQ$x$Vn9xw}gga%|Dc3!2oAI-Hz>-VtMs!dO;GK)A882(Q%ujvRx;P zYi4q7;tCmVEyBEJp3pGH+|55>P%~4qNeVEPcMr0lPXx-j3jA71NmBLH2wKi-dsT*M>jR#U8UvhM zmJ6ylxXDFKVBQ#CKi{|X*-Lt+kLcyV{M>s25HW@-Y2@$9?LEU7<<+jTB<9{x$&N8p z`Ma`jn64Zp6LZiJlW!k%n5{gF7kt*6z`*Yq1D3xdiGjgNuFAauzr_GfHLe| z>x)rNolgJe*-Vdo-(tIK5L19DPTscPQWDeO+&E@A`6zj>IKVN}+0A$Pyzq7+j*-r& zS!`?bOgz-jC3P{Ohnr)tvrW>gvXp^u+LKZ;miWTvRk>#v9Xsb3?2PMjW%qAz40QIV zQ8-3AX%Ks}k)iv}G2D5rOel=9WW0y!BrI7j*`TSPD|^k4bO3P-Y+kEsDXY41Vo{E1 zO)7|(*Wc*sYdf{uN#StJZBjqqGhqVGhQTqc`NK^L9CMsexvg3Bq`kTo$H*pyYUXI$ zqfUO;3&+H!$b>j%PX4~L?+B(fFA^@gCi@YaOAIL_044?JnMC$YsbdYLA}Sz*5x zn%ggYNK_JN$mN*19GmAyZxIi``;g21G#pnWkYmDfthOYMhYJ!MgO<6fw0Y3G@ivY# z$uVR3-uHv1*ju>aJ#v|ckc_s=mAnVjo_UXI=63gD9M@B5mnwATN;~O3jycTBde;KV znOsV*Gnr!)Q>^YbWMTG>fbq-hL3N2p?@nU=@=n(qT@pljzUU^T*b8x~k~&V29bw=y zo)!g?N#>Za9P33>zfF2Nxf%Xf#fr8QW0q>8o!^PAG4b~_3{$qgKHKm6_Dm^`Ny?($ zJm@?5c12jRyE6_ajZbY`vBI7=@1ZJ!3NV=q}!Nda74XLxBhd zqmog6nK%s8VPvfR4%lrqf11*Km294S#|P#nCwg_K-gKtzMbJbqGuz9-#ND#VQlIYWoD{FP%Q0-(jYC5vDvqg36Mv_gsX{%n z54Uuz|GSp==3gJdLytMktCZc;O}VsOjgWhTnarEpiwe~99D`Z0HX@|YrU0ECx znMIb&$FoZ|m_`|A@_gfb%bvXIi+N`3*_nYF0LP@}%}b;5ZQZPTJ7hU#HGl6L;0ovO zd;^>z>Qi~;J&Ktk%BPc@eP)h00>_Z%z_==^G#(%8hFN3N>X}hM^6j#uG7fmGF{^n| z>S`&acmePcBr^u3{z4E{R>3mQele#_v#x${p1IKix|NgikcC#QK z$sSVcfhrsWno&BtjQ;N*|3D`J<}!==PP3xXfp#p8fz18TwF|vz%b*KwK084l_Ht;E zH0>m-<;oHB;h4*uKkKTjo%hE|n6tMd$~%%Vk$IrA!w4eBY$gqd+(`Sy(73*w?#|I1FLVoEc+9k6V-tjn+LRvVY4bzeRiTVGL|QQ$*C zOYD)TI+i!u@;a^BdL$mROW>DFSpk>PKwr+bB z5AnQR>gO2OB+0@?>g_>mAynY%0W-fn=`N9=P9n&Y-QmNPt`4&F{`QQ)&Ea(13Ii0~ z)SAeI3U*M1AG@^e5WJHy_h{?^osMGC1tsz@qn+IW;QzWDmjKRdnUhf z%wh(q5sn#56G53fC6n1n_p_h1#zbZ`9v8j^Vi0r2`5_hW*k2EeIiDQLrTq>|QCEV>r_|+uP>lm%sjOzaCm@{}deF!(7gW6l{n5OH5qe(o7RSS%Qhn ziC&t(&G;eanX-3%OkL7cul?+UP@xnHW%9M zX7zC~-lL!S-f&8e>CB6|UPkF}0Yk<}=B;sr8kVU=eP8L*N5tRPF`hY##!2Sw%oxz* z>RAORX>p8a=Fw!za*_V8x{LzM3jtR|dM>JIRh9w`x4FUtKIc7HV-JPaqi##VM`oz5EK6kCn zFIoiT**L~E`wO=i)I4CU$Lh2*X_sSY^U7SO`^}CCs(EymXY~@yr(kyTZ)>yHd6`5E zZoczGVSMx21d_6y9ON&;8VPPdi2=>5zN@$D@Aj*qab{}y)fnd9n+VVY9K)G=j0Ux& zag1da@?JJo?e^JV9`lDMx^s+XMyrDG>;0S!bC%l&IfgQGQY-G5P84BcG?No~WDZfO zAJuzJm-bsiBkiB&%Q3>44xNVyTIFF<&9$Je^;i)7OHDXk8N}OAFxnZJ+r8VUH(LEz z?RI=G%zF-W{bW{`?DFN_oFNLQw|W#gDXcnH=1c$^f-QLu8(PY5wG+BxDD<7qI!uIq z(UOV^vs%+*p_@f{@^v4~n|Xa3m=9fSbmdBda!h~DRCU@s4r&va0?m_7c-amuG5$H5 zr_c2z%Ao4Pvl zo_k!W$)ZV~CWT;KUDG!i+(e}B>>0uwW1S>ouvAZ{vy(cnorrA*Y3@>=b;O1mLm}m3ARf5Jx?e|*~!3=0-WWd44^k!QXGncB7Zkt<=)MhR#n9#!j z=Qz1a#6%QXTZjt9v>4?SyEbxh+W|1j8Ml)l*&s=iJQ}%#k6`19W zR8#K-fA?byLYaC@bE>$0ees_q%yRPGx@>cC3pUQZ6e4Cf-w8G`#wm*QP%u4EE2-Rt zgxWbKJIB$r**z(FJleP7xBDfHcA@>#+cz=r8RcW!-ZAF+M`j>!jDb>&y3(}u=JnSt zNon`Cm0}9CD?^=~oWovdDV?Dj#oX^S>% zyHM<>_taH*58$cIbqg6AraIgH!o7T@)5qPT!ATLf+HB4kjfcq8JvseHVy~leZ77#x zxN}rDO6~=V$C4uHN;(2Wyho{1J#XusB~Z3u9}Yd?AA`e0IA%b9lPkF*DTGdm#b1g2 z=C{hjOF0QSSR-ex8H^AVUYzpdaONt-YE2&EQ|sN??}Sg7j?68ejBvS>oyt>lnn&NNK>VkcHvI+fTPvD zyvM0tfzi=?G78*EjEU}NKA96QmO8jG3k-|y-6NW(DeWaaCoRp`FYQ<39{mTJ_%3Kx z(i$AS0@I>-#AXkB*=q-_RwF5=ht3} zBKrJ`CEYDB5ZWrQw#r-wIlTQo(oWp9eVibsfs<3CxHlop$X$*Kx-5{=eQ@D$K_qTG|}^ieB~o zziMyzn7~9S4YU&ZC$?GF5!_I0{p*%Tl-FHx4pbw*N0MggREuYoO~&U<#Eax{k_eClDtaeYL$l%%c8n zp5(bx+7OsIorrlhotcd$U~8B+y%gEJm^&?nK_wQ^qv1E4DOyrZkhwzTTFsj&5V6(&`;@9rmi5jN=;Sv_g>Y`+|uvGHBa#pr{11tw6rqOwEdXdHPSB?ePdWp@2~ zS;@vO%(-uX>pAA2yiw(nG9OM0kiewsK;%U{<-&{fFr0dj_!!sw)|ECRamL0|RwQm! zOJH*KbEUp)_t=}wV+qW!8eeHsf8DZ7Q3<4VS!)v_SnVhu@&`qVQTHE19SZ`pu6eqj z#OZWR3kM&&|ZU+PO4hA6SYnY-mIJ882H_I)I&ToZtHW=ic-6`66c6TS~w3PwB001 z&XP?dRmrHDvRTvgf)mBh@u0BZ2^w)1d>++>y`u;ttz*6Xs)J2X0)wsDP0o6<+5+>e z$BcaEMcKQa{U-R(t?N=3ws@bw&?@;!_icb`whmJDeJ>F!Fvm(`PMjtLfmziaxxnmd(#WM= zIVO&Y)#72-ly@(zc#suM?m4Y&y4H)S)r&?hWYg5%QPQI+DjRe7Q2VQi56Ns!;}CPv z?YF@qOwE10dFg~fJo~|n>WwUETG6FGYj=ts!CrxZ)j|E$7@=E=wVfM`uJ&TGqK8*C zJNa%EZAjS2`^K15<;HW{)^20Bz@%!lRHe3Gizl%-At&ZgXEp6Vi(>*2WwAG=_5x>0<>ls#xz>*+gC3>jU+02+VXR~Y?i#$(kZFtcGtu~Up z#baJHklDcS>V-L7KEJup^O3hZXNN$@7fWVYrQpIwVQ48?jNRG#ka4Av_<$F$5iW$ z+>)w<{c1cnyKXjWyY=pby&M`WP1OD3G8qC>tg)odE6R1!ZA;Ucy$%mgS~T@ig{m-^ zPNgv-ZtR4?)HhqC`2oMFSk}x68-sxl=2PEA#ssEQC$egND^7^>;_*;s|LJ6`=kkOP zScIYoOtH31hhnjbGuM(TY9!L&-EmxZmDS@*-6o+HfsS*5an|_Z;H;7+2qn(G*3Bxg z(|MN}Bd>WH*^vY$U9$^jPKm{%{c>o)g)B?es5S{IHjBE^@>M#GYyuOmKVAaF^sD%` zF6*YdOU{}aUh(<1Z>~1Yk?tH5_uZQa(6FT)HYJu>+q>d^xK9B z6Ri0k5=XE!t&s7b^6(|Whbi*hG2uFqTlw@Rr0Z|rm~I`*1)cxsgu;}oITObua-V+k zlk^yE9jdJ|apOSOTie-i?HUuVlPEv-!Lr%EruI5q4VqsijQ+ImJqedeFyJcUJs@)Y z)b2gSv}?Ls>2)b9#&-{L&SJJs=okm3~hO#$-Pae}HFyuO!kLj_< ze&Rt(#Z+rl4B7k|*$xI=tcBjX_W{$aB;nGg>$<*ky7ej$zhbhr zmlqZob4{m(Fy8%`O{aFR0A^i>X4`TaPcYn?pC=|P5~SDT9tN0eQiDm z^y#5>uJm%C?ZiP~IWDg1mMWad#eV9?+q8hdt-yJtc`-G<0*$Tuf6mTkxoxC7!?%K! z%dS}bEK9bfB?O>FSOh@>pd@?OA|VkY65t1b`dg(^xrJ;}Nh+zz1x$8XWH*!jTtluT zeVTu0G~SlKsi_%H&7eUN=+k}9>GwJ3yA^ro`eF3loF zU9b5qf3k+8Y9fHI?IanRml7T;Wj;z(BlUGxkR z2uHHN|Ng5aI)DGwu_I5tH?;F_^DKYDB2!GjO805A&bDGbX(IZUZ2L(9{%_<*JBN&&g4#h{0=SZW)4u%))z zIsgpE`b*&|sM#8f!&V!1!uo5*i@#>pi$uBa?$ck?;~9*_j>?yG@m$S|$7gAj&-JR_ zo&-PNXI3VB*+s_7LKVMYYIfwvSX_J9n3~-#?SpJq&{;r96=A@lj(OTEe-MO`*E;tJ zgrTU1HyEnj<>_uXRXHWn?%ryp2ii*wW^H9XfQsZTUEUuiY^igkdMR84u6QX{(>b>; zi)Ye>cYY8KcWpNu+O4CP(L=2*rx>#}roS*@J51|a5o7^1KPGIy_FQ3q#jS|2i`&~B zyVx~Nuw@ri!fIQr=Z)Bi%bMy!sKYUBdnZCX%06p*2L@{?D%^CS&jw@fV80tXVh?t0U0{NV+OoJIhwPWt zJmadu6%)0wbJTdI>L45;^F=!07XOPn^)W14ZBL4-RdJhUPgG{?wdE0$w7v*P=Bp>& zjxaxK+)yz`8;6cB)-czi_LAf=yRv*!oJ3=XoMtcH>>1+!#T#AC+t_zJHR8wgE%FU9 zdpjC>$yFF#s6PQ?wj|W83tb6zCE;Kv+T#j)jri;$+sarl~`SsldiZF z!?dI8fOISO>NFK*WDt($v?<|kr;Ht>Ac8*Wccc8jb!8f&9? zIWMep{=i>e_8~@dFvH~RtH;_5L$kXQ3%d?pbG5GuGc;R0^PF%mL9@0^ur-@tn5R7t z{I=mS%+$scu`g^;n5>-`WSFfDNW8V8Hk!-UkHbZZMM&z5&%F1oEE&TjtvkN72Ub8D zDQ~Eb!6n#U_)W1dbn!;%z@dwt7=~+ujIxNrt*4w|U3FB>VVI{~vw4zt+opW>iHugJ zpJB!}Vhu&2ItJS6x`}i`r@;CbhV~ky-#Vr_t`aU5p?I0{d*n4S49;FW6UOhR`F(b; znj{8iqb$9n^7oanhCqZNt5SCVgw-e+#%kf|Cc{9jxU$Hkpl5ZzE<$pqj>Ljv&-LwK z*O^MyZ!t{O#v+m(Tk(~jZ0dw*S_+2wS~4};@`5uF8hP%n>cQwTY3K48#%_PA?l8mP ztyUh3VdA#$ZUyD|g+fEUq;uS#aO4@rZ(|D9wgy^tDD4==a7pDgw-zX!i-V6t|&sCd&W|*vXIe(aE>QurgE$I>d@9+Obsr9{0 za1z9xmdi2|A0JU|YW1Gb6tBPTf)=nAVAgi%M}BfZb-5qY%-WUIe(gYoVFdSkX4$zS z8|>2UGDF)|zTh`}DE7s!(1c;w_R2pChi+3-w=IRG+lHZ`t2d-}3Hk`!CzAAoEg`Qy z91Aa8Yfwz?wHb$l*lnWstMgrbQyPK7Fix9@IWrpA2@9h@{bY>KQgX=T_+pYanWYD3 z#S^qfL-*Fb%)~BRgI-M|UuG{WZ8mF@8RN78pPZNcc_-mfhe0c!@bad}lgM^1)Dh5z zr&&(jan-A#)dpEzi3OsXWqWz0EZ}^w3kn)_(DrL#_pis^@`UFPJiV)T1;zf-nkiVf zk>=E5*j}~<;Qo_gxI0|8=peDt*J*?I?S30Nj$#s$KIvi&WJEf(FR=1%2`&yf|(3MvTi2U1u>&5Jl0^OcX?W8R=}w#OC}Mv~F*x&o_?A7= z6m|^ru>;$Q^;eH6ck;icEAl7rp84zU1IA`Y#r#>acI~wW^RfLRPoD{?P_M`3!&f== z8_0P6A`cl~+a53}yO#Df-@R8+O}6)X6px|VOEG$#0Bc8_n3461#EJ@93_Fh$8OCL8 zQuLdu!ZM7<_OrVgjoeg1>wH)kmyObgZMUZ=t$Eg&d1e@yy(nhXZZgQI)N#wiFgCl< ziS+4Li}k;!&qd70zMkpBz^vm&n*Crf_9Bct+loiz#oGg7|J<>YwB8G@aBK(Ox$bfr zXxJX>1;Wp@`|sPbG=^c=q11{gXT%+1Y=%MDQBl`Bd&#K!;ax5zJUwk?!aQu8(o6B; zjt|B}JBxUhYafCs*kBZ_9V+35{Pv$O>*RyjU-UC7hRN9V>aZ`yy!9g0;g}7GVyrb` z7@f7tsDYP316{Ts8{3kt{q*BW2#TBPEd@(#_3DW7rn{Ld)X!Vz2*G)`1$bj z$>)<#>K&jdK4y8f%G;YBhGB&f{jk4!11kt!FQR%~B0>&>Kpl=xUy9{YygS0hJ7zdW zVSm186T?WX>AZ_!-c_c^&PfQW4uIzPt$3s%>eYtI{)7(Q6i-@W6eF(jf>*Pe-)ZYL z##*~Ka|6jLuAggKM}{fZKF>wmltcFr^Q?9}pfdSX3#T;%8dl=Pu`On8g0P5ecKw;u^kdY>CK@HKtWWxyRs7xy=snIBWvI= z>Kd|YmbcY^15VqT7Fo=p#^QU@Uanq_k2SY7d$gjpnloa+QTzVziiAV%I8LY=#CuId z#4wf`y7rYF*%$tWhylk*co5i5pZZM)?7Y`eyOLp4H7?RwK2Mt|>;3Q1A0o74vuA_h zRX+?vLM2-V(U@A5<@-E)XxZ+iJ#;*`S%6h_UNFbntUKt4;O>@ht7LU%1u@p@SDYG= zr1|W({}GO`)lXN|e0_dDv)(v`_8<(LYhcHe1UUEN#FiC-M&U3CEzh#4Xo&b1Kk^3t zL2Iovw0Er+vZLm%N3$>`u8uWq!SifNa+jLA*j4v>1_T4JvS;0jTzX)yOyfyapLK*ET&&CN`7-gll;GLYpWp9*9lzB&Y(uu^w)lb60NWK2shhnLS%MVwJv!qM!x zl8tkOe`byI>>({HIsq+it)#erRvmAQ$Ogic z>LF~`Glz?T9XZX{trpQz?_uEi=Gl{;oW#U!#HZPv)#v3@xI)_ps*J_-ZB)#r>6>^m z6JuV)g0f7XTBTVSCUKK6@O&$Y$K+dD7vcH$P%QQDdu?A3qqrAekD3(#TAK<+aF0f@ z7Fl8J)-LJv)mS2nVes~6wZ{yjxEE143_D|Y1C49@j_P+|7Pl{!nLMK+0cE{A|5V4~ z=2_o8*K56TTnTC^BE58dESydo9JBsBq0L^VveUv|F^Lu^jN2xUg={`3d@#WH5S-NXc~gFsc(g$Z1$mb@(iqq7qX^S6HPW{!#y zF$~@IsX9(%4G4cozN50_3}d&8=kaoVJf|8w#%ygb^6i1;*nt<>JF%hm192v7F1D6j zI}XIKEd?>u9J-%qa(;%nTYn8dZ#e&sR08I2Nm9G+nCc3|lsoGcC z*D%b|vg>B|je#HdiPw7OIBhnW{GC_n8vv$i?fImb6?8}?U8}`fUEG;R55?}Jm;7k<3YfwrG9258ScI*0U!>NbXP+0gOqq3k85 zeK*6&Y()S+D2Bu}xm}(cO7vqh0)1kEPZc)lG z8oSLh^?jx$7%&x^@a44iIB{yEdLYhE~k z-e{I#EY{(RO02+}3J3rD5ByOqAbig6)$v$jky0_ztUD*5-UHh6fX+HHN}S(p!d+Ru z_h8e)Jj*B2olezd2xGG>%c+%Myi{WV49yNRD!^53QZsKTX#OQ_s{}ASd%+)h#qYDV zleBeJbO{iqWBc~-{6{|=Tm7*;5c`|V_Uwu@d>eaR&9oS1XT1YTZ5D}IyO3dccHJ7I zrknxwB3yBGo(KDi*vf`D8WaDo55;oPuE>Hhx~Dq;RT~W6s`9kM}I^siuy(yPhEGEurmZ zA3J{tG}aAVq+X4MjIFCb;Zp%`ag$D`?LJX0Ch8Mjx!rZ`>xK<{#sbTIbC1hiC52`g zVPk^!GuBUflOC=)XaGoM+gXxXyU7$lBrqr%-$W2ji+zStuJ$ zbuDoQTELm{lA54Il%pa)m&O(f{cAXDJs;|gsGQF@y?$0yYBwzVmLgzY-lz3`JPt61 z=_7j9`{(3*!SXSGI1H`*SN($bX5mj;QChzr|Q-?ho$oZ>u}lU0*KDT=%sWn;1Y&YtE(o|B_*Sce=NpG!xp z$^EL@b){+y!IS|0#x7>hWpl~h!%6o;uzZ)Y+^L#Xc3doANJPNugn<-^ZYn9py`59- z7|No@BCJ@6$e@ioHYd0N%>X~m{eZPsTe5AK)=Q}`hKD2W5$4W+!d~1XEaAg1(mlpT z8u>faqkb8~C;C+*8b8?u)MMz0$WbjrLBneAmY4zP%QI<(u8484I~KR%nRH7Visn zxMx_eVwheo)-EI@4!Wrtm%3}aUf><)|K72sAhXKl;71JSZ`&=s|)duckQ&eYXE@_ zPumdb*-_-j>m;oDy}b{ZHm5K6eQYTY*^tcl4l!VQL_JuWj)ZrJgC{odt~Yfccb9*} z3|ee^mY*C{jbam;RMGp0wWU{?tb8g-baI`ow?7CpqXM1py4EM}7*{sHZ^!$D#rn|I z_P$__y<-x3Cm7k>?nKU;D=S>C>q!`UcQuW{vvIi%!%wy`1l9HJ9UMk=U2f=XDYjc) zFN*!81|?ImtP5E$w3YOs*}Cg8>=`ReY2S@~!200s%i-cTq*Au|v}ijj?1Q0y2Ye;$ z5LYVM`I_Nfx=@51T6&!w8v1il(oWVbYVbeo5Pw@+V&l}Dsja};kH-7RPdVo75NFe` z#awyhB3^1JhuFuD_;tVjb&m`UGV!Z9!n)Os%t4s!_Tag*B8j$%u`d|#w1bg-(Jbhu z%*Yd5a>KpKQ?-ivE}-gq^e0$>WsI!ZiJ_fd-1mk*#NSj3#rm49hMDHpH+LJl7d}>6 zJ9z`Db98%yGep&1{`o~oLc zomq7nh!X~KG9MKAfiugNR=SseHHYJr)!5#3v0$gzHT;Q4nw?^n@o!7+F$ahAVV>F( zd1kU#Q;O@M`^+NGI}5MH)jQvkxwyu}Pek5gI6i3oiO1v`_Wn&<#jhEk@xqusX9g17 znTZ+jlC_()zP--4@HXEWws{l92z=J#4@X!Hcs6Ft9)yjmCdVI+@lG>H^8&@vZ?9Gx z2VIs?YRwsOTYL^l_j}CBbaP{|)YJBHR=jJsx2L-pqd`x~5K^#@!1LaBfO_34xkG%aQQHN(_8{&0$u&fiw)Q{5C@ zAAhj1oK!XuAzzC+TXr>@7o)NK!yK?5e{k?w_-jKA74Jo?R6J%c?G5Aj@DQu5p_6xf z_z`QZ9g4TV`NMOIjnBuv)&{%zj>Uc8H~y1{LC1$jSWp2b`{A(xKa7%gy7~C<6ZTDh z;+RH^$4Qx_ByGmN=%l`LisASKUJuKT4^MDag`FJK2Y%Jqla_~xg$zU=F}gcxq1 zgackK8l6Yv#W?R)ifHnnquPFZ+m*M$_|WsBE|!h;zoAu-BXPh@9eiuK=#+daJ1#cf zSo0Rx>75s=>BA~*KXLtqpPJxc;b2XQ(%NN4=#lG>0M}IIt7%p#er3~dmxFO`EnU|9 zu2Ca(lzi`5iiw{ZFk!LoR<$+a&rQa#ITD)XNce&i;Tck8kLCdE{0b+8i$Q7gY7G6l zo``~)XPxT$cWU5&&p0*Tqpo)QLUeKj#(?tbmsUw9ZE>d?z>VRup#FP{g}%I>8h~C^ ze{pni0X zl|!nu?}FQb{PvHLb;f6Tl}%=8N$c}2c9SCwoux_gL7nondIHS}CT?Le()I+yyNB(2 z5uJzXc!(T`wHlN^kx7*AVs?lp@AT=QMe#fI$F4j*Xv#NPRTounQuOBPPll!}ERphX zB-Y>cpw?{zqrOSJZ3tw&4ga6CD@$%0S+-ljSBD(8rQiUN;Qeu6;$V&@DB1EKL_!i; zB*6v=Tk;z20^VZY-&@ez!mTWl01ChazDMD^oG;vu*~c{573ZUofk~( zMiVnaR1GZ_*kP$PKph8!e39`+e}0Wzkk?v@yAWoZ8Sa+uqoFdkp;bDyhLrggUr_wjUBQ zEKp{VzdVA&2HVw5@x2CKy`-1XuP|D#eEKz+_OyF8v$?r2ar1(~_A%H7t7ENC`gT*o z^2Tncg?pPn_YGUpJtB-A!}W_$ew$n*4T8 zXCf}+VEY|M{x?d5l%t>3W(_awN0nQ%j$`~rwDeYmy8gnsVMDwlZKyUIn0<1xxX!eD z*+oJeo=M_L&EfrYG)QdLW)m|FBw02$-ucnla+Sp5)uxKA%kiRD)U{1XNbPb!lZoSu z&EYxNE9_4ut}M=O3kQAg!j<>P>{n%Q@YaEMBK}Pz+Y<8gaQpN~+AoxAS?M!jFaGu zpB6fYl&c7}CNa#a-MMTC41VqL)<>BT6EiVz)$ZN+h&5y19}|Ptp14@qr9>x{=ts_W zN7*4@HV5XxEoyW2*|_zdv*;o)ZRRYp?zRyO}xieS#_cLeC zDLiu5l4|`k5QwVUxDCpYo%oO5Z4)gL&s@mA$GNOn;`e)NSyQ#Gr#-UeI z?OGi(i&Sy8v?lg`>H2e>$w|wLX0X=8AWp*?DMk?OpTnJE-X#*MB*%QlcytXy4oK!% zQ*lE4n3< z^<7ooYFZc_IG|=|$Gayb!V+#F62FM)XG(DwL-q$Mc{$w zgD}A5V^8hNaM+i|z%U_uI-ZubpW|Y9JA1(kGrhV|yj8mFKt2C4UdBge`Q@o1H?!E8 z=1BP)pWcG`RKqyh20kg7{mzS5$L6o>A6&z|&5nR0w;LiY+^ydVtB4~=;bsyZvX5eo z>5T4OH-nJjkHZ`3D_h`|7c!%ogCaBCCWIxoa66KcN;merB;IE&l+6(nvd+E%*9oUi z_jA0B;y~$n;a@?am`XglwggP=_L)r`@1Ok0^ADm0tJyfl^3gDf=3vJ_v zFYAkYwp(3)6R^!q{RhHG+)ok$+L199J~)-Zv4e#>Qf9L=!;{*oVMzb{|Nh5z(g*Rv zR=5gUby*{vaQpN(Z$Te3rS2UdumJ*Ms zrD0+t<3K?7WU*Q;+&gaZZ)POk9}YqCa2r>bIIjmPy+7YA``j0Ga00^(me0g-&M7>( zRr>5R-IjDV%$M6RU6Df6ZUAmmZaF}T+qXOCI6vpZQC{6OXR}ICBWu8V_EI`yFwc6 z2JYzUtO8=1rB)0%8O%JIk}|l@!5bYmDO{r6z$KvsDc%P=sa9+^aUQo~ks*)^19eNK58b#W>ww7(NxA*Kkv}OFmP(g^jnbF`EFkPf~C| zQgV<#mF*VxYm+?Ki~mYAT50PHo&w7lMr|F(QoqDeyditN0PAS$*fY+~{@O#=PWE>2=I3KU>@oSu(S!LS?W&Fkk;nwf2-)6}rTRx_t=#j)OyxoqWBC zGZ03^^uCuEA&H2Jl|3k~V=@?qY%?42iPUJ{3rp2$b{q}&Kb|=~gK!pQhP$p|hSo|E zK)r==KNz*3xA0VbxCon#ijQ_dljtps@GU;v#%-4?cm{eKldVs!h4h-!+c@K51;o5u zVt42|-VRm1SC<$PwyAL7*#mKM9W$({oa|fSW-u^V3r0zG1IO6=WBXjbm{g200lejg zVdQ(9^0L%ZPlhmYck(g24ITpKaA%&z{i735HxIC!Lm9GH+ZYB|rY&WtL7%_ z4rXFwi@o$#`38?E(lD*a(7ScG{9}(j9v!E+nQk;mpXIWjCF%CMiaE-;M@&T9H^J)H zC23H+EjzWkgrNV4f((+o?-#{_@Onr;dxEC=Qs=JLXNlP7|ls ze)tcOm)HN9ZPRH=_-);xbD#E!A!VJ2sn}^Vp1#D}r7#&94s3tt<-p3f!O+OfX(5PO zP^=vdciI^GZ=CG3Y;82mylISPF8hzVXo+1D)J_X`ZC`{d&kM5P^1|`&v?ZiFqv@@! zOq|8H>3o=VmfgXmXRr(3p&C-rjO(;<-3IW3I~`n6Gcd=cQ)Nhq?Y$-Sh7QF8-Z3#j zU_TJ?OKdmZ2`qoioth~fwKi##QlzCR|;cFgMa&sC7=aJYtW+IMd! zz08x?pf0NVj)Nox937 z-e*}b^G$Dxfb7BllVvJRoHw~BSKv;;;!c7E9_LI@Z zTsotk=(CoU0q;MhBjG9^pgRo-O!`uU$1pL{-{f>M4{yqGkVM47xWcc&OMEI4@()Rl zHpB99bxvWG#4`*FcbzG7q7C~4WL`{40#AGnw%)l;o4W#NO*1NX7U`5%pT)4~BF|-mY5wn9s;Ac(*@|UPL z5jPpK+|k8v?_iSmFTwU};BCi6b_HP)4UEzsu^&y{Dvr7;j7V2qorANVa`&HU;^rU8 zYP?b^O->xBni5aaSUAI^rMys^Z%TRz_V20LkTp!7#m9XT1JWKQC9y3F7-p-Exuh#x zP*xp>$B(5QuSc8!k<_fkeQ7mtHsF%(x0*O_S{<}zwJ@Lak7u8F8lIFsmA8<4`isgJ zk4TZXd{)$IVT}95st&7zqbJE{*xqyON!>Q9g9E`1ajR22JE56pk7Gu*kAfsD18Ygk zTfh1zzaaf)6Qklr-cL^ngsR>A4zjRj`|wY&@g?W7w?8Z6H=nZtp+?%OL z*jxT~KQ=O*u~QLTq){oOVz)4b-~}6uiDGsIxTV?>KIqu{J19GBsW5InH}kgM{uIti z?(a>imp?{Y#kVs<3s;jF)c0o--NT7OK&O*qJS{@@D?Qdk78+ zaaHH+aNB5N6zMA1c&{=K+cq$8r4m<@ZQxL?eLW&SvW!uX$$ex?nHU=8Ja}(eU&*%d zc{zG}Bi~!?pQ%5aWFJauu`1PU*pgPBl?HHXn0D8RofK`J)i#y30$&2gv%FYd7@gozwKSS1L_QFD7$sM&yI#EOc%GAv>!c+`=4wG51lJ^ z?}uw53)+7Y4j_$#ubY_&QdO=fcTaezY(sWF20X=H6cAc13ss`$an6$6w;>g}EFN*GV#rY6v@_yyE24 zm8^_FIyDMtTxg>Vx8YN+hbb3;=hhCqO}Jet!{FFIH7it=v&X4pkS0{1js)%UQIp@P zOTb9QxRKM4pn)%#S552*_<-xV8$HI>_Rkf5Liav%LL!WwdP3he z2Zl6JN|8j%{{R2`pX}E<61uuwxLzO0;MVKl>1Y-3M#sTVicwyj0HB|wp*E*0DW&?b z-`=g^Qs;|7#BL2oV$CflClmKcw~jgM&M4Tv)#q)Va8{z*z?DH&>YTeO_OZv_>n~DX z-7xa^N#R`gBc;Pk2;QOnMJdxpx7ETlfNVbeV3l|v%>U>ToZycVMs~H^ZeY3_Kc<*n zp1`Tw#uwYra?;0e2g4Ld7jM}jNTPyW9Ty^+e)PgL#hWsTmuo+TWu>wwC{J(s>*(Pgz!2CQgZsb9Tn!d-gd=Q=4v}^uxn` z7g7?)9c86tZD^0ABi93Wo|U*vXEgTLp%e>E!{Cw~?pyFGuvnO^y{pK-+t6TllzB>Lluhjfn6g0;A0&8Fro;`$vwxXq^e`q?O>4Qbo-dL z;AKzZASVL$cWoTo;X(2p^N!OlYsC%VNQ#2&J7bbCmxyc8m9(#Vd1Kb@;kl&FBM17( z{*ErbaKA;AmI;YzC&6)~NnpKJ>%cX=Y~ks(cM~?*KJjL<$BDI6yAFz=yG`oW7q1T!? z^*sq+lEj5xQ*nSC1u94gXJe_QU;>fOZVVLzEae#vy{4&fHK^W=1EN5|n=mVygnI3K z(|o(PWcD!|1cxj(%&aRb?n;GQ)(1;N^;#R7c|CTaY|rU?YQJ_$+orNO4e{gV_GWm) z&g5_JAGe9! zuJg2QyxE@)N-BbL(-YH8`QVcSmfhO*I?khi9~jf|KKNUw;!Ju2V#=Tn8}59Rm4wT= zp%5phHQ_Aa&wg;&^Ge&`C7bl&gFsuHHzBH7hiGyj)Pq$Td@$<67xS?y9Y7?B@MRt z0N7kV>vrSr+79-+wO2fJOdiAd6JAhed)m?hcRmoj97oK}WJWF1M>|8gX6Kl#)lcHl z4YK0U05XFEQzm;qb-?-axZ^<-JTW!7KXMHDmp)t4Cj9Jg2kc;wJhiRKl-gg|W;oSy zE_S8aeWh)a88lyVF5sisxDGu0?}_N^bqR4J6C#2BV1^sh>h(58*l=4*N#@U_kWX>$ z+t>}NaM9LvT-I|bw8n&Sa`J*fQt#mM*oom*JYbu4AH9&-3uS@8z+`ciNmH1M6 z-NqFbb3t?mOjxQd&va{Aly<3N?HaAR#H?vCn>apiBNVtMu)u`brrGd@Y zDSZ^D*@5HBWNac^G1kmu@YmO)cu6;8T78uYOKPbk2uHo4;pPa_%{JJ0 zIaocDzz*KXnR2?`pT`K=$a_eoa2CGGjOsYx;)dHW=Snp?4qkLvhN?FV$wAms?*i|@ z*)>E+#G7(8_L$wUr=G2OS_{2lVz@W(SsG>wE{YlM%i@Df2IuVZsZhOPVE|b`roZHM zl?0#OuyK{jV(v`rt$)ZZi3A*6-E(O;n1thapO#Hcw+>J9_qF$s-)zkq2DQ5fe@E6{ zF>5HEl4cFlcvf} ze+mY(s!K?mOPd_%Y6t(`#j~$`W7p!f8Apd)6%-T1rlaL;9-@E}Dkr;%ej=T|WzH5> zOc)K`*$B4W4G(fY@4{axDvmfu68jjQr=L7iDL9($t|LGJGk5y#1FI@ zR+Z!Fa4H0M(rM9ZxYss(RUHFpN5N13R+u)efwR#SPKnmQnwuhYx!M8tJZ?RfX!?Hm z*PG&oj|bkXs<6^p6Z3YZReSlQb5;eO^4FQ4(ZsHh+aGin;*V%z2GM!=ddSe`3g4~b zXqC*?)imr_xZd{VEiT#9S{viIPDlCdYtl{njqM=bGcT3LS=kDKD6K8wYvt`v6mxF4 zgAs+`jYLXs;npq{UMgtG9!e4ag}wkFfBzt2=@hQ0`ZG&j5999YwMbW>y2EdH7VUC zPz#Cc<2V>0d>_WltKRNCVnWDD;7ICV=uDKMGZ+q(i7_{nakqC<@+;XG@T2eiC-2&L z;Mr0?D*?AVTfGw%S;jRb3Ak?_PM}mH@~LaXk`PbS_dp4SM9UuY@bd97SJ$LF{rcte$eDju z?i|G)uz&n)-6+P*XW`Q@od1;ee2T+YG6$*Kd&nU^%qR3u&CL!l%T8ls>X7No&UJ;( zD*+}B@7{Y#c3zQv$`-YNw$2ZOi>f?+A+ghvc0;_H9o|0W=NnoaUFtwMosK9co&K1N zU&wWZ=m={vi1~sk@;A^5TXTL(UK%+EBU0YIyNiE)c%!_65L%s766FClK!FqU`65TtCydR+XdUjTSN&iTrD2oIrZivq5!CA*y3k6ajP^ibQU6$F? z1ZdYmnrDlr!l4TFjPqh5O=3TI3OD34mfW^wUmBt-*0l7Cj3crqNQsVzbTuqc6f@yu z(HAnuB#>QYCHuH3`K3k#LfCx+X_RGJIAc&HjS_=#9{01q2sQixmRMH}Np6@N$X$Gh zzUJ7NwY)g$`!dYc3R7^pb{$O)5XUIIx+UeB5UIYn$TD3U^Uw!zYOr{po@rv!#Y6=+ z-dS3?ufa8a3gfiWOT+57uJNaPTVST&vhh-)&)08jI!i&QU%zd3aoriQF^|(%XE&Bq z2Z`xOlwKQO%tN{^l)9^m10YX`3zNP$QbW;vEat8#?6TWqi=kqXHO2Vy24!QXIM#m+RPlu~N4=?MK9MR#Zy7Nt3n74|a0!oM|M^y;u8n!Ki-Tq2KD$;n& z^s^|qq|1aqNnqDBj7fQv1bT&(i8b)qHPaVb5N1^#$)mfG11EiE!YkopR>|lWjSa27 zgN^wbt=@O>o)V_?2;|H9E>22mdt3=g99!{)j}S-Iyk^Ck>U%g%QTGD}I8b;K-5Js@ zv#v3;d~iQu6f(l-NW1^0d4U%0k3J8g z-I@8QdOmg=N9!Rh%Wh*E9{}U*E-pLPT?%#=^HI$6*r1c=Qj76D>?mn2aofa^V)PkJ zjT49*9oxjzTY6)`?sMD{dpNmy91>0LU^*Wk@$j$-vSnL%Np(3h+rqGozuWbOx^3e+ zhDkpEFI2rOWKG=NFWW_g|5MN=1yNVk(Xef7S&Th*IHE2e!vz}+nOx*!a~yhS*^{tB zgrByl+-)}ZwAG@oxSQv2rLE(!J@+qAs#vxr8hShR=FafOo6`i(`2=cRl0E3ZB`jzU zaB9Ghs9(A;*=~%XAy#)bGiLK~DXHn#uD5`grg`0^5De24jYW~z$H!io72}e%uHklU z6d`6UoLge6@6oEnNwPM^Nh)A{bxk_>cNPAu@MWFpBJUAffXB|_VXUL+4ST)=SPzGf zV7W2tVFubV2S8Dr@DLU`09~~hGw}lF+22*LFPGTFOMH83e(L@D9{o~b6Uu^{xIV&V z-e-@>jE*_OzbT}Ce|%708v~9TH|(-lU(C zwGmjIIT*aa9H;aIO99N5(d30W4yBy|@EFJZ6vL+^OtW1ThsZcixBv(m^Dy*iAdG)M z&GzfFcrhDb=oqlj*g(VVJRCEBX!xugj1`2~tAQ|_KfHV>hC6M{ndE*V20?inygQ~A z>$o(;OgN2MbV3c2r?^4|Dioabot+M*a><>s+aNN;X31WR_%*a%Rgq2y#~QpiHTG$? zTpPPehg{3)nt!Dj&FNtm?ZS=e^jvrtJqoTYwqdZ#@)lD^5WY~i6>rNiHI)ccXR0Oz zr1ds&qcwk-eKT&3wb_c@DQh>!!jQV$xfFYIB$kW)yI+dn!0H=w8jj^^8kwB+)svNk z!!&l>I!X>-(;phLXd#bD9C2pEaWKMS9Q=$FbkMugb*G}V9gde=^JER)=;2}qWNFvydSlo}kD7LNmQP5Zgj-C*~;qZo*0@o-&eY%>rd4q-u-bl%`R6s;D z2Ryfr!UUZ9SHlUHhhs3NFc=>xn18xIl&8QSDXi9~uVTvt$Aa*JMCwdU(JZ*GaeE-! zoSvK3(0k>=xYgW=t7nmo=pAwjyQ+ev8E|OzZEAz&f}1Um^yFKIa(zoG!{1Xw)sju2 z<|Aqv!5*(Zo|0Rv1C-G;`0n$ReTQMlo3D9nO?3lE1ghLmV%_*UNDY=WqpZxQ!@A^D zwsV_*ii#DP+t8U%AEYOgs%;Fua2b$MX@(zyqHBhp=tNDR{ zbF2Mm#du5+F3}YxyXdS-tNhd+W*_@<_?ere74EBZRouhM|ttH;qwIN8s}d@(8y zKf^j0Muj=Uy^U&u2Att{@+&hsm*F-G0s98G#l)Lj^^D&?6sK)z6^m;BmZ5lW@5WlCWHE2bbS{Orzu!ud5t+2Ol8! zmYr%$Vxg87xJMYy-!?C#)EW@km)tIU& zEAP|6fg?iB6L8-6d_Pg+_-C|GZU^&|OepzQ3?#a8s5`T*@SxYSK5~L=ALf>ybcN6) z`2LULIFJ|qC}Y$ZqGp=Y$s!og-;n7@6{#I zvAu2xBe@R4?XNuYHC>cO}(C76Ensy z(%m}x8k9qEu<{IuDF)-Jm2@w@nou$Ca-#M3N7t0B=Zd$jYdS2RfLUC9Humq!Or$Xu zYL^xHNCi~r_I1(7Fsb!O+&+fEH@J|6IR1t;H=cEkBXxJ*sY`oI!M&qvKNf2kRE$`f z0jv8W)+bEEWtzsi)&R1lNwaDS#9wuXmlr7RqfK3FKIJ!FZbt1d(^Z&MN>Kl(>}X44 zvxpramxm}qOdnrznXmiZdk1?#PdRemaF1RNv!ZwF=@ezt>*m zn@tF50&^$)fBr|NFGQxPaA+>whQX2LwB!M=+mRUbJF15=xfU)QX+p&A+BPOL%Y>+L zd#CglyD8@6q*9up2u?ga{h@1LYh8tPp9FEH{rjZ|#G*1$q)2KNv)?Uuny zC=G=>r?hGPb(H)1+L}q%!%2I%$X*L8{7XP9uZ^Pw7d%?8jk9_W=_>d})X`=C;fjXx zIv9^$Pd4gxu!RSZ8D0nDcx%i9uZyjNhP&14V{Uu&k`_*=f_$fEW3GmI5GD6#=iRfp zrfuM8 zkM`u4PJ-nTa&QD?=9~G?|16#B^5*a~oS+R3zQ@~_O|id6>nuVJuc6G=hf8#KAY=3D zzQpW!8cgVY67H92@}0c=r0zTpt}#K=g`+IoIb2-*RA;ZSEDdnuBl?a>b=ix*HB1{{2xWw8|m)Xup&LnU{*g`Y9;;OH8D2iDI_}Bs5 z<6wXZsx>^RT)3});fV3;7WUVWF(!mC)ShSCeWXY!pHax#ZzvY!*KG{sx($*#6=29e zucK*RrUN_)Nt_pM;F}3~j8=@l#s)5&^a40 zZzKoc__f)Fe!y$Kk5^;wQT-SWwso33jN2NPwcOJa_uhf(7>=b8rzNg<3SuJMXH{aE z$RaY_ZlkC5)m~0gm-BdxtxTPUwb^|p;L=L*7XWDD9~uwQN^8>amSg`WpEPfAOynW#Y3lc}51-4? z7-i8wceONK)0?cCCeGF5+HQF`vfrfENKAl}MfslGrQi1DU>xCWPx6q)T^`c7W85=> z54+-tpZFxB?2TV%!xArQOk_xi0VDb{8i#@>t9|da0Py?JnlstGR31JxntJ94V54*4=U) zq(6if`B0KSi19A`B7@159^Jy*CPplxnsyd&Dtm624PLqV%x#RrNt5t!fp7osL6QE6Uvit4N+0Jq;$|x zI8YkY^0tRnkrM~Y=S}bwEyeXk>B&+ENB(cp^yzGcJWU;OgJVCy(e9h*DcFVk>IzHg zXx{lPz1ivDyxiDRBVF=u?Q}E{!OM4Sr-$#J1${hmm#k!1K`DqK^v%gDoUf2Cy^@7S0=$oHpXX80bzpAQ$GO9{*YR-a`NBA8sF$)|K& zObacJRjM$k@eXf57)1`*GT7<>AiU#Z*ZYDs+VOC<;-V<#Y@IO)^~<|0oV%7=QSojE zbAotR4&78W^(e&~b-OserPg6cTuXjQ(9OF&U18{{YkBx15>HmZ4^oQ{G06ZoxAMJ- zA5Q1;SZttYNkAM`;(k12i7{KJCxY_2KCtCBq)Fj=7kyxz^l(thimMkmO@p1BQ<8gh z|H$TgBc3M0#>mX$zTs!vZ$!mD2@)zs3*y5rQgu2_f)AHea3jBpdMVKqI8Vrg5msg2 zsIDq591PR#lQAItu&@_rQBJ;H(;Fk71(W!NaV*43f1XBTh|2Jzc**K3LObRkQIuAu z#-vQilbe?YMoDl*Hgx04#a8-^bw!M_hIEU$6;f`-5blF31o6?vU))>XsHV z@TkwGpS<~qP28$SK~fl4eh5eD@>weM&&R_9JRfm2%B+Ccb6LFD(dtLI+aJSAKd5)| z`NtLVnmYe&dgMyYoz5~CO;Wf>D$c@VpjJ_$XVw5sa@j5RXd7f3wR*a`7vLdwgHaxP zTE8|OD9Vy#{V67Z$J!<2Ot4Z4&5H81>Q=#4!bzQfjt; z$vq8X_pFmeu`sZ%k9P;SOxh2Akmf3fV$50rUexQI-ZiGcu8BtUbp6Kb;~l+g9FX!p zd^A3lU^U)rX>tlT9bnn;#|}8IykU74)?((crGr0UJp}> z+y%RRT&=be5||_Kvp=k?xh6=)w%OO<4VtxcIm(ZZ^{(I%0NlJf^mH7&lGqDl}PIO~V!#H8M@yZoCFb}BUW(7qHX1UaoC#xZHqLi3saTiIADEh(MX-Djz3ejXU9Pt9ClIgp6sj- zWN4K?LQ}oI2$MrrSk%f@VmdglxQLztsko&S!A|XO_Y)VhVyf)PVt7ob#qyhTjGdkh zAN|k1#Fi^YW21?UePiN1cya{6GpzrzmvEbV zhsT2;S-z%=Z=brS3~)Z02Xs4A`8KicMVqg=@p|knSbOFN_|XNc72}I(L6cgGDv)<& z|JuP(g93!L37&FhZndCTA(xWFku)jh8FR00JgIR=Rn3zy4kf<+t`TYZoh$;6Xxw+(9Qug1p2%NyJU4Zi>DRALbB`d3=z^;`1sNvFx;0 z{jk_W3&l%43wz*|cp(3huk6oNRB}EOJpZfoX}=BRq1axowwua_<8FJYSo8n==Rc+X zh~i&0HW1B%Es^XwFS0F3mGkk?kk~w5ZG;Av7etoBd|A_(H@}}4<1u?QsNvCqjf~mC z`=CG*Xo`juVPY)4`hellZ(#@+#Z8UKCB&ej4sxeJ-8pTXlsu>55W{gb*}Yi9@KCGE z`W@UFlc!5+lEj2w+$iU*gJT>QGDm$AlSjP)%`2wSW(4X!imB;IeA(*lo0xjpn~a&S z?$JJGzGz6U#;KpsU+@e1nh@Bh!>{m2sxH}heH-^7m<5Nq(7d6lJsI|d8$rDK45w*l z>%*Q<5Xi{rGn_p`JHXLx_2YFf{=W=gs#yKLgU{BNfAc+;4UIc*a`*Y(zn#{BLi?_U z9ICn09~k7^@K zw4a7}_)2(I!LF3-;9Bs-I^1r8I1+YHC=0;Fq56Db)a7Ud*?1%&9BB2%r-iJDz};Gq zuaSN7oaw{nG!rfu%66Hu7*Nm6=2L1gKXGLM*}KK3_p&s;hf?vvKcmDbS-N3XnI^(@ zE|jEp?~Tuqag)AsMju&ambD!V5a5sq29JA-nSY`f>n(8HF4f+Vpt38UI# zb8gufHh96FvFyJTyt8ag-WPSB<(38z?>#u_Ps4dA$6~-CZCqg<%WaC@-Q7?8TbA$Y z3ZB<;aC)Q3Pt~|2P5QNP%f&Z-Nk5!YHZx064s)sEORe9aVBppO6Aiqndjhvxn)36@ zOKNvZn`jt)@eeJ1U0&{tgN|kJ_dctLVpPz>|B-er+im06_E$KnPOWv5rT1e9lAx@% zUXf%c&Wx5|i)~r-B}FI7H}pr;w8nROM^zuxztA|OM1mAIL^}fyycP~bg22If?!Dl~ zD`5|jk!6foiO%Xqkosu*w5B@OQL7ExgCwvOK`VTG)!J zQrpftc&m=DMk=?Z9IH`XFnO9vcTF5cIAM{P!w~_3XN7&VQ2+V=f2&KSN%|}fNjxsq zKlwBQ>*KnB>HWXN&hs-no|z3?2*nrUscOQji5e~8Qpx7CuqHNrLO4w!eW}^(wWNTa z*%-|g>s4lBuMta`HN4TMi#f|ji_IF2z)<12yeh0s!qfhkr6^+1mb0?qT?#iGnS%06rxJNe9#pXIz0*lgpv0rcc;tZyqBwq_S6GTGvq z->Dwve3psf6`Q$%yY?QRi=8W}Y#+OnrXM{#knb^a?~M-=cb60to>?YlAM2*n9{>6= zjt?07BYKj$yL9Yp%fYf(Rz%~mD?>jRZd_w=Gr8lK&nBJ)_m#TxFpW+OV@1^0SQh88 zf6B{Bs6%laEs|b;C{NEaNXP_pzW{FvhXQraIp-p;{z)3{UdIoK5M<_m7eQK|u5Jk_ z43*NY7d(19V;bChdsP6&Z!BLP)HwE5#zPy+LR;hR)TdBh9QMKfH2A%+k8n{@X%#Ao zV8n{R^S_@;+lmj3x&O8Y+A|}0zn%%<0>a^7%s!sbigTBp6vJlcXm-VNIwfaYnI>+U zw0ycRw9z!v#BA`8?9?(X4TdKh$Zg=i`s!eum`<>`$8MZ%fR)I_ABTs!xzL8!NLB-( zd(>lh-aabfg;OWN2GDe}98UOT$wumUj9~5VcC?pVg2G!LbIN-d!=Slv49Z`5fB(7v z`_C9kk9rE_<+Z1O#+32+`_B|gFP;Y~fUnWNyd=84i}4av4_Onmqd70v(O(k+3N@P; z1onL)Y)n()rpw`S__`0y8r)`X%(-(D`q|EMH1vmYk4@1uaInuk7dsIaG6ElFLT<~)k|HtF!2u@N zL2uRG)OBuYtoh+&Kz_`4Xh{XX;Pcy|m2$dCLEP(H_B##iMOKIwT8%aqr#h=6v~yCn zFM{Ha<3_&ImN^Cqj=oopJ;umA2)0tlU_QZiAA_YuJJ4$WQm3xfWN*P;vs$=tm11`8 zR-_h@)yA=(vZ*_o>L-8u@Q{8ALw=u^Ev3-!KfPx1T}`jUDGD-o&Oj!L{)g4Y>e2D; zMX*Vbp$e{a3FNf0%3WN%@a{Q#xSp5M&ShaJuRE$=Ei7~o_x2vMc*Y%LlQIG#brSe- zV_YXMOrd+MenV3LByUlvb%Y>hd)2^Mh@iC0*Xp-%4;Zmv^RcCj#kq--T|JVE8+&Dn zfqiz*S|$dIV7tBR6=-&ICa7g{+_QfrVr*?njL4GsaU75 zsihD$`|ff#K~aNBQ5+Iad3jtfAyF;1yQ->O&V-AG{H-fJ)+Z|9n;ujVY`>)>tggRt z{U`Yd8!i3;%?1xgYQ3M3rG?=?ByO^A%RP z{bkj0cJNKayK*Xw{tJR?mW4svK1XtAOQE#?EW`Fa+a5ON>l!aUN*{BlT;DdXXUk0g ze?~t`%Vm@`cW`lOx+NE!&4+44Q-zLHXS3@#=2T)-*i8-Z$mCXfq1-Afd$Bcv&r2Ol zcBiBB<}W6W>@IE?aO6c9?hpBPgINwh*|IgxH{U(``zRObvimr!U5036_t~%D588bP z7v?gP4$VHPxS`{d)U)BTzw_KlYqxam9^C7@)C*uq#?!{2D0PlapFwy`xcoPM1y@@GS# zos*)t7W@byD=)q0oJvt^WtE9E&@!h;%Jfk@6PKRu4zg{`eZ!X1aU5#OZv~F~#48p0 z+79-)%Bur-4Ik+VpH9^C%#P+(h4H6w;*e1*RKK#c=5ftn+X{EvCh9ySQN`P7%K@;*8gEEDl2HwWj>gUJ{ zo(kx{yp8kZd?CHe>C0Zhh%M`<&*tiNHTcguctYOqLVYk?@(}=r=Y1Qu^Hw5yvABt! z*?yL8+$`{^HmU$h#Z65ZEAB2L`mnOkZ*rW`SXj$+oQ3=U@!qmh_P&c4lTe!N#|-35`YXy_avB&t^7crDlM?z_P7_x~yosR1a$49a zo!s0^^Do)L_Ug$nA;WMwJu?gyv&89W&=;e_2~j@x!#!NxS0MuI^l-cxSLrx?45?Y= zM>W>=&8ML}ZSKoUZo4}gd;7hyLxscBCArVYi&X&I|vvIgj^lYyZqb)vA4GgP0(m_d-V! zM&kIiPUkHDJ`K$cZC+>2ZGrMOk<_rcCob;R_n-WT%AH?5`HkZ=_e)$Edft1l=)Gii zd`q1A#fTDWJ&V?NHXHcVAPfYT+V*Ny& zXVlog+Da348{23lVerE9VvV(Z2nc$vSfEBk*H{hBqt#Os7Jyrb(fSR>FA-VeI)!;8 zPpnY2iE@jPDArh1X+utevLZ(`6E!VEbk^9Ky*(9koI}fKx1$C%iN^o}rO|)ly~gAX z*WwUTjU>F4iThfEwlW=444TyCR@oG+hxu3szBB`JiNX&jU3gZQnoI@tdYS|sezZ1( zRDOh2J~v&Hi8TCA^5gl>FA5Rm-3(&-)x1KpKr z1PcTF>%$L3q>c*)M($o-fr3;?-qg~hksUvH6noSEaT;9LSV@YhAWhUN7HYkTor#NC z4k_NkR@j0lL(&9S0ns6w03(@Z*|*z|sUoZd9VzGS;C-JmR}c3@1eIg0jwNw@%~psP zV-h_}`z;%9V&LH*+DRk-W+(6eAoTW!RH%zvC1PZTZ6VOxBXb<*bSS=}?!tNxqhVh3 z-lcdSGtdCPrQXL!EKPq>!_M|VegKFuoHmm|L4yVfuohfgxH5&M6 zO{9f0+q!$&+Xb7T(ZaxdC<-T~+Bk^`lOIw{LknmprIxwaaVpovsG^#O?BgO)ZTGPh z)c{%F+$3iivlms@1}_%MX;&CpB{N}98(8iO%vD}*0$1&6bW%n zv7o*gSW4G5z?GL3O0$7MsK5=^Y~gU}MGf6-VM=VNYf|Qrysl}sHAs#ZL&Z|Qi<@UB zd^zB3o(}C{s+7eQo6kzWdrw38cG-Gt_H1nTQplfJ6{FyA+Uz<*w%K#u8fujy@J<>D z_r(ePM`h;~oZV)>r{UJVyaD?hV?43tNUHPmf-Nb=G=*O8!_=ioF?72cb8a$R)AYU+ zjhxfOm7L5pjbmTf$p3EK`rA07lJ7jqZ2}WxTt9BaM`C`+3Kk6aF%!gi&ZFt{+Td() z7q{EYC-L`SqvD<0v^2HP70v?Jv`n4K`Ulg=fXdd3v_+%r6FIm={fj4+up8v+G}ImG z*l-Q*rO_T5?%s%xVRm!0>bM%Y!b`X6nvNt>uDX3=ot8WQ&PP<`^vkyzxJrbr{q2K% z>2)YKQV9lzlx|{n^76tPDbvE*BWFu~IF&d5UXfx&&fUiOaG=auU5sW$x2QN3JLI)k ztBcuCD`>G+Ps8f*mU2NkRli%ko=fc$1%K2 z4Aaz~uW*wull^F}|8jcWr zkw?}Dm{#QF!5hqsUwZ+#FThS4BT^QXqp8Bv#0ECDXZIPWD!@(NbLMq z|K#MSQ}wY@mk;DUy6H%!3CzEt2uaRlcHklu`QhbgjtR2wIHRt=G`fWEu9wb+Ab?HCy6e`1(2FzA$Flq138^Gej+|j`lmCm zB9rR;O2o6%))=%U`?!tE`%SU?Ty`OMI=K2#>iux#zlg&3FC5rTzYdqu6x%1SSfiSI zOsS~L{hILwpBvZH@odf)3#oc0im%tPaIlB4mPuojXXn(*x?^k1{0q6& zj*Z#D3R&ZhgNe|z*qbDZKN}2YcI&ur5_yo_I#xs#4nVh2e-oo3Np#-F{VheC7&Z3# zZffy4E3?_V8fAX{k7DO0jmOnKY&0^yc)Oik$qxkhD=k9;|0sk^yKPMaYx$~lF!7t* z)2_TqSvD5Khz)Fc6|9A8FfSm6(zQoQkFH`IuK7) zxO?z+-VfvXq(-)dh3(_E7E16^i47fHd9lTehs6u6%WyXh1^NbJN6jb4c;BhFQQjHK z>J`$nU54{AphUH6*5O;o;i2mV##lW2!6ARYc1;XgS>ZPCnmtWqVB-aTxbgOsPCjF2 z|D?`=@q|yM5{tvG*u$f6_?%gAG^qy0*%!1W&UUR7f=A}tCfZ2HaXFpkNdZu|YBHUs zG0lwwUN;L?{31P!Y{MOEst$z4`{&48J?$}zT_UcfL0CryVLgPKNLPYH)8KY^+a>C~ z6iOo*jy>x!n=f;*ipjS#4IwAcW(tCrt$Rjfp2$H1VY>DFJ%L0{59)Xv7_rzWYm`)Y zDc*j z{?6y8$i@-OD%ZcQiNT2zOM0=)q-!@Z%|)rZ)U|QwDeI#?1$#5oDDjI{Ua*Q{kh4#! z2&(zM9uejx(Z-%ompAfCcF>v^M@tF4-8Zeo2 zx2@Oc;ljkF{P}aBIYrjN_TMsI{TvLe>W58k(^*;!>KS<{J;}ead$iZV9fNYIiw(g= zOTO2^;m``#X-^Zm1o@F(zYbTr0$#72fMLh!)sv1^S(NWwzxEi0%&+q1OhX^)%C#2m zLps*fXy(%)n@2l&ajjxtC{1Tc&%&2kIW>UDnw=w2q;40bU9J_bnEBEUfaOa;fz|uaa5H($~`s~;U=#~ z`VH)!m8hM56T3WL-IsmNWAAIIrk7Lc{26m*vw4~O*Y9BXt|UB>jeIj=BMD)=go+7_ zzNY(vZTAV?MGijse{xTt0r5_cm^{w+ZfSjeI*lgX2=rOs!TtQl%lNN9*f1{k`|FSF zxBvQse*CXLa*N<#h`smLb@Uz0?Q~hsF-^cdEhip-wXTM<%2{<*$FF&GRYEV!M&m;M z^a*S?5QD9M?`}&LLwTD9Ca&b`M?t-SYLn5~b<5hgp!1?WVO?C>H4#zZZco^onTW;? zpUP7pcSMw;C&VW+m1H=gA$_9@l zryK;{TG{K$2Q}Nc=)Ho2Xm)T{(eQSW4Z~p+aQB!UTr^bW!MZh!HnNR`)T+DaUX-R{ zObz<&t@k1y*DZ|4EzZl0{0(pWRB%&9mKu^U`?$MVAt0oI*xKeJC&u$UKR11x0uUnb z4Nu*L3@awOoY|U8H+2Isu2K9V%U+l!rgmPq`)Btht58;^w=nQAXw5Y_Zp$ju6CC%o zyf5ft)iG>B!68XSni$-MO2=NQ+Uc0uz7lR6W>xKHtECCL&j!ZG4RgppQlgDJS*NSL zKagk97%q*4SVaMa>Q5ghKS>1){%_K-)dfGTHr_!gYEzlPVzse{e$imDI=CEjE}q3o zX-i7sKy%?!tAkCw3%cIYI2D`%j=PxVZ<`5pu>zgBJ2#BI#Tb8<5ahyQMpl|GnEd6P z*0lGNsk{taZ>RK_=TA2`ef~J>QFUZkyUQjI(j!T-!BVW@lY5%9NO0!#;KeJ4f2{TCe_Hy&85M zhauA|arlpwzk3zIqfWQm4GqWWB^7NqFpSw^=ur|jDE&dIqJEwTR7}r<&$dK%1i7QTN57oyqFs-+WSf1qM%i6R)>OTcA?F%>Ku#5 zq}RRRY}yPLGF&=HCXS>d|JXJ)-3f7U?Q`VsJxUwp6BXzBf@65#t2>hyZ$e(fyBt@1 z@w%q6;PN)%Eqt3+Dy-x!8>8WU*$8(Z?&+(RC@m6&Yprk@dC~&(^K1~BPI#IXZz$2V2uW*J6 z5NI?7zI3;%DEDKS7EVM*^FketlhO&Nq%j(fraB}9ngn~&w|s6aUOpK=4L_yYPGsOQ zw+ZEAXUu(XtB0tfSujM^leCKhkBYI2o4RTZ0dH%_@=%h4cW~uU$(6%_uBA8?%p&YT9W*SS6%b|P)BbDEfyYb^F|hP{C}isT$^49x}4pwq_r(&5~i zO4pbUh}~#K1+SP2gsdU*_VU$kRO8g0dB{byM zBG%t0VLQnTOW5LC244_~l~GUo4SIM7{RsU8_r6I#NmrF5r~-CLaVA;IS#?TKRGm6M z`|N|;xm0nmcB4YH`@BBBr>b!OCnwxCT0{#<+B0y(a31ag$`n_QH8G;h9=W$ux`)ca z7A6`yXZu;07UJvSi&<|H>f+Q?#(P%v`$1eL2gi4<(M`o5&nZ?SgQ+2rj3?ny znfQ)>4EO7lWffjm?v=^%D9uzpk#l4Pv~9E?dPl|a7YrI9V%Q|Q%Ay@>FIc%w<%00n zliukXlIoJN`K7U^^^S%KK7eDRcXYfg*KrnZY85n#Q7PHOR5ou6`{|uN?k#ACSr(Hw zX!}kU-V+ORyttWM9Yc4@m>fQ{4B(01&B968VJw39$irUao2RUgS+PaT78bLs)OGEniFve4aIf%bCpG5t)Ja! zG~=Z)v)93?a>8A`DYAHu=q$LiQ?V^FR{vjyH97bIlZEHjyZP*U{%B0oESv3mxonee7Unu6qLimhOL&c9p-gp3c z3*{A!Hn0vHY4*_W=XF5z?J^ctNUsurUD_xZn1{$kEcz$1A@R_~cI!7qNqTjDQM zw~!Zv2ha&=myVQzIf|S-@xfHA%u8LB)Je4?8+292NSO8nyslnKn%kT-l619)Ysgu! zf;DCq3`Zh^Y1Gbf_jI+7%hj%CV!{0I`h%!Z`Z(H5Ue+^d!-J_iCp%k`VfMfv0PWnq%48l@(q7>BQLf_Thmc*V zk>QhBumf_&3GYgL>hfjS1nwQfP|99N0)9HfBI#-}diB<`(A9CTsBh7Itpzb}Ms_cM ziI1cb!+?W4rtMOzjt@d)fJjOTIKwPXU+aprd+A89Hm8@fht;U*Slr&;vl~}(_{o$HYJP&0|}Dy$k%rruf8q+}uXlmbiQO z`D2tH0kaiemdriCc;ZG_Qtz6W7H2pUhgx`_)oH59U>w^X7TF{ zkCOXvod`E_*Tzk-jOn-bM$6YaRO~F#b8bs?#x*|@7H@Um3D({bHWdpbnddYE&0y(3>MkBW`*QrvHdYM?42shMS3-}#Nw2VFC8 zu|Uh&B*U>0CPBXw%K3WmT zpE)skA9CxIp=n+p5J7m?RDpp-k&Njl!^J#GeO)k2^Eutde~K_oCV>sFkHO_bq0_;j zU!)J)ANwe;sEzamTwQl8_-)^s7}GsT*8hGJ zu?omq0oPIXvV%#*-7w#=U8)4PjZJ!~{thj#eyQU|PjXPTet9XOWj^DVdl>v~r|XnO z68D?vV<{tny2>g=h#;oGaBk;{{myQAK@-z4;cMa2#2@70VYAbVa-=1x95{WFFKw*p zh?jZK60wKoXn7^%{bEZBN)s*t4<7UwIrTK?Df`|Y=CVCwyYxDe9%8$fDBGmzOU+>< zUqxBnhstf7J;p>W9EX*2su=%@U^;qFLcUUgTPW4mOXGcn?bYjIl#E+ssck9mXX|*A zf2cixhAH%=hoGlp!uK=wTaTPr>?EAV8|ys-pC_>QdIs*L)M9e<3|t`{OoM4XtnN>O z|NGDXu6J1=Cd2?9VIho32I3T%7_#b_l3IpizsKwNC%L*BmsQWiwtR^*3i9HKI7nL} zyG$?m?`Fws^q9-(MlZ!^U!h;$rjjzESx6f-wywA1PUOhB{0sd~6B_zY#% z?@OArrOWju3bT56zi;5Gs1{|^H!#8+n-6^nVew0rKE$j66z}Ty2QuvK0cB)`#cH3M zZBj=GAKS!jB7!p~=4P8(6by94EeZ={Va`KvAM_>Rl}6ydZ{y0kH}I(HeMgc= zNH?2kr;MZRo&vMJbzBU}$0yyxd>3ym?b8hjG!ySiO3(yt4*JgG);Cn#rSh%bmC?n0 zp^hFT(a^+>q^(ew6av)nA$e=W&~O&Fggbwu_X_(*7IQEpWrV~s%8H~KDWTM@_4?Ee zN!1~_dBauuD$uT$bp*O`iSf-Xnu-j^mmaNAAl_$^M9DtucNftlWWHP%+n+6+GRSP0 zx7CV&QhLq(77LF%KuGNv5;lM;l56H+lD0%is(0#PN9QVwqU1Y8Ns3%IrL2K72W`tY zz-2+L!zB$Z7SCa}y^2F21jI|i2b)JZxwDpQ!RZj{9N97pj{y(qmTdl3x(xgssw!N)o+zQjq>o}oe~fn0z8H46N( z`}bdd^655O$IDIh_g{<{avR18H5vZ?YyU))X^bILh)8Xf$PeK>ru_x7s4_`>){`WB zDTszqHdXZ~6T#SM@)Ju+yZf@)@dEIWN3ZEB3m>*h_%GoX;K2^=f-7bI&QYw3Tj4dZ zM@Y3UUA$GKygx4c2T25)&W00}1+nFnLy}H78AJ+)P^NQpwD`)8#gLwtb(EFYCoh6) zpoT}jVd5Qq^_6SthMQ9vCXdbs5Axk~KK28CC_FPXL%%QsW#pLrcw9_DGppZ)vt{EG z*>=M^xWU6b{3A?S!()bnmHy$_&u)V&Znz{m93^e->2yQVSgY+tTnrbbyd@dA1(exV zKr9$8j_9KrD#OE}y@p#g=-~D?W=77->fM}psaskGROWFGHsXO((TeuCF%B$7X2l4c zY#FY0VO#C1KG5)r`iY%}uN5O9jjFyxifL8CH~@Si+B48Bs82zNW1!<^zNbo;20ffr zu*2;-+_gLQl|0s0Fw{NhTe#<4^!!J(6^9#=5a;O#|G>mP@|$?r^nr~d?B$-4HXYXo zjwFdaZjFZw9Bfy=kyVz?i5Vj(l7id@vvs;{+T8;Wmja&=Co?;k%1#b-H&x7p*`n%9 zRbmLqf2fN~TdX)+k#oN*c^;JmTSDE6G&Q_TGom$$4cm14h6kk?V(OAyko=+b-#RO1 z4|^LRbY}K(t*W^pT7w9U3fc^vlfZnlw6#YSHa887M>}Vi4KTcLWPA4eVdO>e2Vq5O z=s0D=tKQ(BTMpTn2188tNr*tb3F^)bxM4znoAMDzTniu9N! z&Z3_#X_fIPFQ${!t_`hS!TI|vSLz;n({aDK_qH9g#i%wo9BeS?+*3ZOyKLngpz zL+i%#%+d6M!_-WNa%w^j_h-6e z?!JBDw@2-^pmX5c>VWho2INzbC^WsgE6zp0(wQ-*X{)zQMR1&WohDIU#MM1Ohhr+x zA}@rA@kt!bhGyIGrBcw3@}>bz_g>AXH#22Iyisea9RBZ`fjK94=G?8{c63TvBN$@c zf8obMU*?XoUMlnSo;aAxc9wTG0n~E0(I#ESDFC@qQAxjqBr1D*&<sD>S-ryeu6kmc8pkm9fjHU7`LfsxGV!_%_Q$EIix(`byRTm zh16tHgrAmpdPi=F_jd(xUp`bE6SXj^tR<0dnV2#{x)F$F4j09oOeX^R+p_TChi1-9}bkL@=yZB=LOo7sQq5L~eSb0k0OV}E&vA7N6&4$Lu_#4x{ z#BMZjHtZgTwZnY3-N%@nt0Y|!qm5s;KCUG)XA7~HM#vV>|IA9+iL z(COiD+=5({8SS?uT#uC`P7V&tk6K(^So<9-EL`mG;7j4rEPSXy36U43j7JwuOOvXV?Rdly|}`Oo$Ve8|aR?=ZOOVi~jc+V5o9 z7CJ99AV$OkVem@-`ac%a$yc+SvxO~LsZWb*cZjXJj}Qa$%Ks-jT|G>_XKjifVZz}*-5y3(GtY%- zl5n|=$*K!TB5?uwn2cn^>T!qUl6mATw2xx@Xx%liA80P=C#DDnZd(hX4R;`E0Vlu1 zT@zDsl;19$r>q0P~Rkbd?Y^Swl>>9E1?4yV(x%NV6*bN|+)r2k?iny2A< zhjx#c7y}YK4BxSVDPvxRr^THM3S1&a))`IoS&tSz9Mc@^ws9OZ>P?OF>D` z*OqjcXJa5dcq1DV7PS3<^R^l}&%sa)bktq!$;|_sgZI`R(ZvWvE6x7Qm1BsTQ~pLr z#k$BEQTn!OB<>)18`Hb#kU{0^EVu`x6JW+tpvH}kh7Za4OrvBP+yLl2coUgILYwo} zN=>8F$ENJ)N@QVejktU$XEJcz(c-DtY?j1**p;IPxN+7v7`GOCP$75<#@E4N18kch z#xi9{rohxC<1mk()7G^&F^eb&{L{`CGQi?^b6H z92;2_%q2GeEaFWl@+e+Z^4KZ*cR~DUYHErCvMAHUoG9L;!2>Ir2ZpL+9>iI;hXX3K zG_m5IHq=WTF4$W|W8xY-#npHm>y#VehT6wF{H+CyhHBvUNkRCWammM0WPn4z&3n;M zEo}3bF@Y~W`9Ne(efD{dLAtB>(iTItF;61-lB1(qt$$bt#}J|EYN+ldeDG-!w>A%= zLcaj&GE@&Yerp-tl{77A9gfoqqp{y+j~QJRQ|e8k`y!8MAtz%&KyT~YGguoxz{4uSIX%^1shBY(|2OFU$ zrD>SP&Ho-H@vC^hXgbz+ds;{aj!Ri!v;^C|-y47*YWZ_RyTpDRgNs+}?_?~7`Aq%8 z0__b5{!nW@d?7C8cB!33t*Z4d;l1>04w%-%phVXjHx!E2v){-kXJ{ry(!Jp-&@9Z> zVy_RbyiIuxmPf>z_&BzTk@fD}zL|e*$)*r7e0?0sEI#eaEVyT{gl()v8Qbvc&|zco zR0np{7L&{*%k|R_!EXbWNNu|g=|pe`vW^`SW$3fkKa1(;W*-r#x;-&@xFGp467Nx@ z8UtQ07-$U?depQ&og0S-eh@b{On9xqL&2Ev>F!)N%TNH!itI3rC5Im9^TX%pKBq)m zBLAZx4eycb@u8Y{BfdNav{0m`!g5TzeaPwkio=a~mN>3~ zh?573<$o&2s*+^wanGCE{CN)@hao*(0wkW!Emnf>n2I?zzfC8;Nt-e#u420L>8MH_ zlUZ=&!Hlzj8qcLmTfhBv4HM_!u!XMUMo;IgweDf|C5pFdyVmp`W+Oe&LpMNxyk4Q~ zo%jF{9Z$mu!tvBioRpZp6qFpeT1ON2vAPS((gFVCn;5GM52S8sXB^0nd?&<3M6=}O z1U9zzX2s^`&*=Y2yO!*>ktMqojH>O^mYbv`eol|@m1yx-1SwgbL1c==6A18uge-Xl z-Mgq&^r%Ml7WB5z83~X;0=P-qHLCJCh$NJVjEv8X8}%RD!ZSQ;l0w%F1+FL`7{;H& z92EWV*$;iug)6{N#9A3Gd`Ty+8(5K!2a%irUcBx!ab}-I z;p!j$;o^TU2NBmD+*D_9cnPOJ04>iC((bI;MB~^{U;q z-i2TBFnpdkr0SY>xiAL$V9S4PC|G0O_Axg>^{sZ@YZGHTYP;FH*H#bnmN;YgRv!^H z&dq$xcW%bFX;4u-zJijhNgzuflXq&s5n+tfaFvY=lh?zY8hT%R#iL6a97@rZz=PJo zh=hr59`?Q{fYZ++ba3f&S5t11l3R*$t7I>EylHvmwMr}D+MRzfA>Pw~+iZTTvR5X; zuMb0!grpo~aT)AME!G=iv{3~>`$Xenmj5V z$4uhf+gR~?j1`}T=4~GOdrz9mTk~qz$4JRM@@MgFS@Iov+YX~uGY*?k>aB$ zUb2{a?kszB@Wo&2xXbr~OeN@Dt6ooJY2_?7o1mTfAQ4%^ynGkqB z<%kMzTybXjG721d!uRYq&G0Cu-MU4g(@qv~<=yeOcp|PsDW0x*2YBSCY*{TlNxOg# z{94#>k2+_`LAbc3WV|xdK1$TKSf@I)%|8bbj^PYI&clsaM8_w>)jHV@!-$Z2>D9lM6V)^QCD;n@zpJ-tZ zgMAJdw!$fEw{ZH#=+8#>>|s2;tN5JlOH8U( zmb%9~7=m}s%XKjp?ALwOb{A*$@*x}|L1=jq5tnic!o-X|TVP-nv(CEh9)<#)^B3#5 zh4~NMomw~TKBS_eadnB?qF@DTtF*L|c!Z6}5FJp*H zmv!5~lo55RW#H*!=52qZYq#Tx?aT)mVaVZMs94svFt_=M;#1qkk%$epQ5PL!(B+=wH+K?m$@9f9aWa} z&G(=%b8#otZIoZ6~%r-@G? z>K)`lcn;=??%ZzY5<68h8VB^`<&XBD=W*BK7LdJc2_=7g{_iD7JJ+}_g=6#1HGau6 z5E-2=o=O4INS!XmfZTYS(jfa><2yZEG`fqz7w=fzEbB-Qx1%3fPmXLS+Lkeayy_y5f7+`BnadZm)q8S_nwkYy1LdK362nT}9oMizuQWlM-jW zCRW+0w|Lq6G}+_$^c5bsV(>thNyf0t${>vD$qI=FA?Ml{533Z_}UZuoTzWqI8G?6ajPO0oTMFU|Nk zb&<|54ib=O)@x(1&NqKwpWN%UaeOhGnc7gFn&VMlZeiq7xHTp#&^dn03Q(W|X%v@M zbd-4k;|F1}_5xx@r(rs2LYc`CK(B)fo*AdyUw`O*!R7SVANgmZ2?n1({q=`*m=)uK z*;`>02!9giIP7pAzi++Wu4ovmAmCoN1y9?|p6a=I>ZwZ4r*C%^v$rubv^&11UZMS; z1b)RnS=a~WHyu~>i#;JB{N3H>yL=aH98}dZL~#jxH>C9W3;uz*A-pB-U-@7-?Z3f3 z$Hny%qn~b){l*K!Lfez1st)enJ#Q3qS8w3J$vO72rKm@_j-@wn-SiAkLT_O_7P{y3 z7DjuY^OK6FVxQc!cxrPkG20s(9*pe zyA(b%UlCV|i6D#-L0Az{M(B;DJOGmm8x)H~80|{Fio%HS?GC9k;X! zJclp-CW$?5<-hQIwZ<(VVQ6l*yC=;TP5j(%+8t?vi?Z-MIf1uZbCb2IjUPx9+RAT- zD$1=F?PUbC3iC&6Votb+y9;|@--*`5yP^m-BH=QQ?)@c;DjyB^G~K5`{m7cTvuQuW zO=zX#fH6gzt+&`~79mXhr$pW{%ym|0yG%?naLhqGj_2G?D{YpE$Mb!Ae-oLj5`L=s ztxb%@ykQ}W{e4}|U$-!|#KgYQ0fiHn!^6GKxmIiiX=%+q+Za&AP5OjuK!4ffRE?{@<=q)=1)DJ2Jo$vwPX|IB$!NF`CU9ro?maBIgGL+s zH~cp6W6}0sDxH)+Z5x9Hxm8@3t2ddOn^;uz%&rv1|zvCGO z*08X{p->a)&vr0Zuj_BN1dmIWz69kpoWC=br)xHTX5M+%Y+@%8ps&mpKBMQnU<-5l zO``X-Nh^OCXOJL5-n_&G?E_NEj`@ZD#9fP^o_eKJWHB!>GhLCdf8!rVxJ0u7_Fn= zXj~m;bQhn;fW3%DT54${_LpSREJ|Tti|i%#?KJ98u(P6m|D=anu?O1eRFFM z27P|;CZF|OLP6q6EzxoHuv;x05ZW(MRy-}a@>c7oT_CH4XHVRu=`(6SFAV(ZT9-K5 zb^LfUV=odLgmsO<{l5;uw65{64h6H7)y8xJ`jDtnMl&hmISO_R_*Yo=q#Qk39o)>P zyK|SQ+bLNwpV?C>32k+My8q4U;b`0R!f2c1Rpq%WeVQIF=b{pXrQ<1#Q?}d^U5x9m zLN6$5r>>y%EqI>qN&c&dS_TwyP<#`X z;@sJIdg_mHewv=rZsM_sI(c@PmI3a6Zc|wh0eTJlQvW+0`L+VlrN2g0AF8p=cDsdr zjl+)KG42tBtAHBjs8NThQuq1F7#9z>w}Z)m9@c&wY@;ZsbARj(&dT|BVe~x^^{4|U z-1%B6pXX1Qxym`KP>meHw30NYW_!$o)*r=f^%A>P4h;HsKJs)duF zHpOsv^zc!<+gRF%*80~BmG3WZRhbC&EiqVZtI z41!}dVPG`qk8JzVt`rm<+fpLY8MxA({)xY@Wepm4dtgFoy*4OFX+*|^3GVs}yU zo1 z^at~uv2jD%FNcw4LxEpYl)SkdZhY25%2(b-yDeo?vO;4nh@Ir6f3b^bICCB7giD&g z*dD<}71@@A<_yTqv1YS@ySS84D6`qb=TJ9z_<0zGajIA1sNqvCTI z=|nunKIM_^!_?~wZ5C5gE_*AkfHMLsemx3=?e>_?5fbp*r?x=BC?Le)-X4wz)jPdV z^Uq?_7fZrRY#x5+c3@fd=7rGdR`?;`KuR|je_YlrS_kvD#aurK$SHj>JpZ?qZnd;H z#t(+?=@i-{G&Jw@7m`rtsS|a>R-R@>3sG^S7Ts9PFJiGstQD7m`fPX!l?n(OO6Os8 z|6i`8B^VRP-b0VY{DlLW^x`L*q8RQIIeZmu;DvA8!j~X`mG1(b$HRf}0{)j5_$3Ek zOe~SVX)}Jq#!*#wjh{>~n$2qk#c&pn5837^@P3r2Aq$Q$Uj@6MXWU55HqL%$uu?|> zD?Lya9+&H2mdg4Z9T&l<{u9Q#*;SFU`k{Al<3Ai)Wk-_nWEAm*2A<${HSK`TG8tw8TEv~XP*VdWKmHP z&$C#2@kY2gB>3U>E~}!H4i#SlcU}(6@rN0A?Z5O#9~DC&#VSz4L{*N4vS}0kKVf$3 z7DX{}(bS&Jicg+SNSW_JndZLog%nfmya(pRpDN!+$#|3 zCM2QVe&kmnv23jtf?uobG;vXAyC?6lCmEIUk1A|6v4|Y$Q24{f>A6eQES%ZYaW>#I zh{$Z37WQ0Cd+chH{kv8Yz$jFk`;4*{^2g!1y|Kqbv-l(ip6ug z{YJw~D=I z`Ed-XG5b^d_q1TP7cJ#ew%ht*B;$J_hc4+BEs43qsS>G;{53VzrF~8H8;02^T&n1s z(QqF1u_P#crYIBth`qdzY$ZsW2|&iZmG|%(O=ujpEFu8IP3%jU%0*!5ttmzd{o; zVuVF@xO>in@;!GZcB!FY@^ZMx*EMykh+(Uo1&ob%iTX`*lkGNmuby9=WFPYP_xH6I zCJADok2RhS>=}1B=du7it#-H~hKCwtNhS$TtP`-eoKT|3yTR2`UIUW^491U^=9f1H z-yE~=ei$(CxuV9Ha?u@64b2|iP|al8=bBX!g(~@APXtOf?+vVed=>j()=EMF$XlX} zRmDnB9r&Birn=@%2bychGH`4E>HCFpQuZ{iR{L)?T{)=~W-z{qR*`1NRtuxJooMLQ zdnrN=yMe3MERj|tg(<zrieiRQh{S~W&eP15?n$#xWyS;L#>cA7c$Vxn9xK%jAY8h@g%_U)U|DGGUhIZ zBx1nhZzM!p<*t+cz6P9_N#mMuUmwcKYT*4Rq?kAlWo1?{+LCV8gN3n3Y@$#bo)cisONTst|^XJc^cVp0Ykm5*U8?I3M&~fsvTm zH&dM(oZ|pCc?DcO%km7fh_VaC8xC0WCPqg4p{QUjDxOOdM|byPq(nJsDP-VReN0{j z|I%W;@#LMt4MO}t?YviC+igEPb|d4p`^kP9HB-uW3jcAHPVBLP>KJ!LNXe)cDs;1v$_vj=mEt zy7H%EDE>DVY%7OZ!Liz}E{@Sxt{`*Ym98ipmJTl_Nw8z}iE0wXgF5Sf3Qq{0^__wJ zRel(I=l0$G_-j>xadhS|wsZ;z4)HY3v+rx(9T!KezCJi4pVAS>ZmC-~TLJz-9wWfC z&`D2AGuD-#S1`-H`f)_ppVp6NIg~^a$K%?k-qv4Uu#3WM49(rM=V!v@$NV71@94m8Mi}RpMt%4;lx`{#B^~tm* zu2znBJ25R&R$v^#^+)&ih)1QGTYm*B2ydgnUkb|NP~blvdLj|0FP+AO-4*oqk=8m8N-8DjbB9<_S=@ll6JLlX=`$8 zq?3E2k;k`>G#;t)UnVl?^xxbDOL@2! zZoMByFMd#%=~0uvZQ-FZw~0?t95L7BbDnDg0|jBqO@BPK^wC%|$0P0!47mN8$S;qF z-5-%h#7KKV9N@F#)StQ%Knuqw50q)SVHss?k$$ zo=#gX{aU4T+QOmL|8sWr%xx=K_OBqCeXf0y{lxDOBta4uNzepD$lE5?b`q;b~g?zyPU{XXb@<0-@YH`p3|LQT8lWPpAnPw z=gU8m^dU^POv_tcVWu>jge9%waZw@g3P(oQariykhGOMCuJal86eWq6Q{|g_;y>o9Smfh|tL&F;D0o$`w{Bvy)}~6sm_EZtC&bhA?414>w_H(&P%41?`1> zG_3T6wY7!AIJpPYe;po@94V1o<#2OxoS_sT7xC9kh~IC;$z z)(E(Z^ z7f>}DxZN>e;a6cTWeQgrf+L#3uQ(+cv|_`R1HZw95??tvR4NQX(IhMFv3iFpULbL- zoJcK7vkX@_Y7z0L6jk85?ZI)!AQHxE#VitjJ!*}cWuPl8So$mR=+yw)-AFN@7qJ4iK?}-YSJ?`S1ds#77YQer%QO|m0iK0|s zJ_J0cKZ-4}wEVAp#dq50u3?p8@nb}t#eX+{3FEh%UZ9(l8Wsh zi8qL}9B~a(3B0|!P{Sp(E?ctQ@^Gf1GE+xlZz3gO!jfW8?GLy`{v?q!;hnMQu$Qe= zDFEHnaL9NqKHC1AsY3&X)o=w)OpTRuWglBAHG*Qz!>M6iziK;P!!d++KhjAK4&tjik>b)m45ci4wXdq5$uuKFU>@f=2 zR?IP1hr##so*u=1@SaX$jYrxc%lK*B?O3epzjVbppp3ziG7DkTh*{{Y7tnC_YPjh3 zD~DdK3C+>io)A!Z!qfCZ%I(bgBae>R*oT*YCgSE9dBu-~1W#$*zSe|G&?7XNm}wct z?pP)dEq(hoq17uA<6;qCCYO=A3URD@>x~DNy?Q34veKS7IUG|35naD8vsN0MqK0V) z`mXI;68J^E%*HOq{6PMaB~j5Z2y7D8J%4S1^u~VRO`RWsOKTV(JISIwDVcITfT`h{ zqc@ql3)j~$6*XLR?8Zq#92`WZaYof$41?SC&b24b)cP`V#b4e>cPe2WP8w1%;$UA_y`qN!LN zf@3v`oZV0A)tGd{x3wozbLcgUT75G-q*hVT<>K-p8>J4x@$zD#PCHH}R7LZ(3b7IQ zqC58P)T?p2A!1otxXzi(NqVYj?p4rFJd4!~yHw?1JP-RsNCx#u^`j-~lj7p2GjRj+48eWe{POAY@lxg~jK&oUnrC^*?@=>y6;RTiI0k%LtQr`&hC_WnSe(l( z81sz7c40xcIZWg z1o~M}$5r1h+lYW-ls&G+(c?@UrCe9XT#@48c(M$IiF#coOn8KJ7+ze7t)*_PI?ge; zQ{P#*zOlyY6>XCV6CPm_>lmRr78SD7C*cC-&`CzBlO#H+jJ?7-DB;(T#OpU_eY09s zsE$Prc(x56UrAdp#Ll8u)rMmX-A}m-bsXjo8DXKVkMVjZ4*v@+psHi+Yt=@=6x>~J zK7Cb>D6YomfyC(edx9Cr7C?!2*H$rx#16toX-{+XGiA79+1{#|)jC#<9WLxs{m)D| z*6Yx6fmV+?4#%%QTGvsy6|cIX5Ym3HenBime*|0G@i(JNX(W8=724$m{d~40o}k$} z-j|a_$h%+|PMnGm_^Yr0uc@n3Wu>GhRL6vJBxktfuz9WH?lc(9HCWbHS0LYS@4aD#jIm?hil^E zDN8HVag0NhUwvOmP1kW)b7Ngh9QUGc6IMO=m$4;ca%Vo93%AE)0g|`EopZP1tjsl} zOH$o+tWnjA;^pSTyO>aug*pZUrn|o0YhTA+{oAP&>bMiGPxsh{`?ax3Fl@0O^!@W) zty1t7qj6J2j&D=1#?iCmd!P@bj;Vu&N%-(^*ii{GmW?tMpt?GaLS|X+D9KEunPseF ziKaQVLk=Aj0-SMDRsO!%`=f;EJ z-buDgH;I^k^?Fxkd@Gzlk90ogQU1aKJKSREFP*X_ROVWz-)P9Cpv*2xW5VSnsXle_b`})4*ufBX-Nq zWYnI2erEA)!Ms=ifi$pY0|!vuNX#QO0MM7$Yh?`_`^YtD&Dn|_`wNXWkOporycJOd z!G&aph3-K#uCT1=?1Ho)#r`t~Rj`)Q*37;7)YvuZ3twT5@a&$dPl2C%E7t0sS;M*8 z_b2weROY3)AzVSdv3Juy#rVdPROoNq%s<=bOe^X*I1fExD!2DpYE72cBs#ED$H9}Z z>$o2!3CEp?8KL@SaTiRjH!F&yN2Susg*p=Via3KC@%6-ZdptVl=I6&T-PE}wypDKo zbpUj!7Cd@pRA@X>kg9gQfq}=rgwku^uFZhZv&lW@XPk4DIQRyxFn1G%3T%x!ww631 z@Q5qki&g(HCbr__qpID0x}CvsZ4k%N6P3D59hH12E>x4`MXF9UMqP^#L4*bgGp!ir zoOPz|Py_|O=Ynpa1_o7kZKn(u-e^>mmM$cOw@5CiXqX1ZLXYgJ9XQt}wxH33-^>|{ z5xU3Ss8AT_d8!@2Vd$4h*ZtyJ_H1Sx{w>U&MOE!E&Qv`=eRxHy^~LB_iM~Lg8;3m( zT&FY75?1=co#s$geGOs}v$sQ$8W=TQqzn6p9XT8&;c^3)V;ylmOR7C%x^Tr5xh1$t z`YT|E1`gc2Nf=4e@*~PoA(lRB`<$2$fn}&bKT}WGN_!fdZb`x|i?Sst^jM*m>uq3U z^HDiHSA3U%N%aA7)}T7w(7-8#f*DcjlS=_h2P!z}etrWd83O)Ss~;AO0Yx%J&9a#- zUJWeh`<7I6154zM9Ld?I=Gz)r(BS7%*A3i=xe9lbc~`Hlh!B<=zGutG=pnmLkvjxVvZKsaM9}^5Zo8 zCXArI-f)tDXqdO03}%Uoj&lMd&llEt$nRhNo~`(~$(Ztt=L>hU=ces(BVPaXw%^$cY9| zcqDBgR?zGPxb?k>a{$Nk$rtKzrWTx0M(FwrLTl0Zgd^9 zd$Hekv9`jSxUKcaBtcC~5+rL}d3&h78=F@+z7i{(z|qAKq>icrlkikFu3O$`bqof< z`|jLRuf@#;+k3uRt%N&5uq^|-)x?p!JsGQ4ViD3jXbwnxN*w}oEWzkz+IQx;{8V7O zxAqjQaU6OZR;-D`<{1^i+-d*D59XBG8`yKpv3&!&(5%CiTn#O5)^Rq9qJv{TNjq+v zxY{}mqlYlvSc5oLe+dVbW70_}bIO`HPMkH=3-L<5bS~Y?(n?Gdhms`JDV%I>`Cr5R zcb-I)&{e&oCa%H~B_ToA^VaXgm_1y1l|bSAm_9!v%>$^3ORm%#KMiK;PvSaj;ogqL zqsGF%9YNusOQG3>pF}wH7b;PhG%T+^t+?0w-rQ9yYfT(6lfIulET}P$h@H#d)zR=H zEP_8ie9%#RO)MwoMB%sBQ(N7kIP{h@-%{R1|HwFW78Ylhp4VA^H{zHkhFYhq{Uy1V z+G?yQ5f4k?a7|3pk6RVB>+S zZhxFI7=G+y%FiZ-F#IfsMze=Ie)lYj6LnQ%?kKyf+E7d`JPNKw{JFi)l1Fpmu_Va# zI@~INm?rL)_Io$rWXHLNMaaMUMW@&~ZXbZAn+_&hw7Yrg^dS-v8m$oOfIfr6s`r6s z+V!OPZn{5<5e8jx;!0oN@^-xB^)brYiBj6-T1R>l!vXARzwgaG!zI9=?9t@pdT5}* z7S0rWy0NE$O?tTM0IZkk_QQlP4QxjXX9RjI+VO8^PTW(pREOg3DBIVZlom!Fu1Ce+OLJXfNkNlgqp0SZZ}(4 zTb{3D%J!Br5Vk6)fMpx?iJqZ=AgY7mGF%+?Y<;*`9JYrv3YX$bk~bV{zm41QD>X=3 zIL;psBJ&Fm_eGt?FzBrs79cgSudRw=JpXDxa%ol75x6Cz>-s%=tgb{%A2yAXXGvIg zM8~}RPYM5g3)kGm2Jjt89X6!~;EDFbnB0Z$(k!(`oJITfQUkKJaOxsQMFj5Ll3kr? zUh9iMslJ8N0RH|2#nF4#O1!I9MO^O(bDJVum@u{nmMv z^5l^1mM7S*dIM;dx9n+Gu(m2AFp<@cJ>NYEUsl54j3tkQ;;wi`ve9CPhSbHN4uiX_ z-&NGD<;A$|T?F35fS7QN22uYan3R~3GT}bkbK)y{n@Pr`dlPGZ@+@ z#ofQ7Fv)?$I=gENOHz8lL}m@u%ker0Nncya?7kM_jLE|CI(G$Ru!>HvRYB`)#+}n3T;Jo|YNWRY5XX0^Dw4$!KR6u_x6mVJv{3?c~NfgJ!EEG0}>c2p*RU_sWsD?KFB6 zM=n>|leJK?g=x`7?%eb3+aosB?Ui!Uv~X@<8iy(W%AO%lR}1$;ydeSK!hI2eeQo>p zwQF5}_WEAYSTFJ6vO}gk2*5hazSo<2JPn-oT;~-$>Zv- z!T__RITOnl6UCmWEL75V)5f5KFKhlMiO5=G7DrNfs8a7&?nI%RB9 zZszxpM7@m@6hGuNZexHzMXy2|Bm61pxMc~!`FJ_$N*i;ay#e&wzQX-6dfB;+tNWAS z#^V=ew2a=#_M}wsFWk zzDT7oUZ#em?HaaTWtt&v410&QjZ1wCx9j*c<~w##6m&~=Mg>GY+>6LhgmEWesIqf^ zz#QMkz;*k1!leF3rVhYNLp@k=+1R+2t3<)=Mn%tH&VzM%-S#WaYpDmCAxLRrWkxqVwPbH|rZ?tnw$ zVDkCAr$+BWY~vzymDYC~(|Q$jx3)OpQzqL|Xqo0-cWNRD)w|;I=9@X0+ZcD=%kKGY zd2@QZgDK?VosAjU+PF+U>AR;gqFPC9cd*6~!Co!7(~U{T@p?~EbAHo(={An5hg_Ux zp^j8m4-L##{q`WTjpOE@->MZ{U*4CI2%*nJGLK-zYWj$F1=RgWsP`$`NohO7S=0RW zHjeS#d#>_Dw{d`Or)x_7b%lo-ar&t!%6UFy=IKe8e(g^1D}6aox$2A#zOlL5sAHW%-|3i|Ys$avgS;*(BQ;|r?uQ5;9ul@h{nBk*lqQt# zo|JFQJ%^dOyd)BP^_Ba<@IP??J?BeyUrwCd#szU(_#WGh*mGJ{w2cGaSx5>m)*uvH zO&q7fV-^cY9gFK>)PQ?pC)TzN4o%&qWWGQ8CF&^n?cU_XR>Y*^*~msgeH$0^Z+2l2 zZp@usvU+egK|jfsCbqtfIRX|urK-R;{J>a~JKM6?C8vA8I1c`~9+ft(|Bqv~B5;oN zn=Rg&prG$cr)z-eX;wQPtG`ZsOE>E54Jxug!_mSU2Vxpt{`pXZy60m%IBI@FJ4@#S z{Lr5=7KOP0xH|D299NgdI-LrpbDKK0@6@Z|vDb?Ul^7V)ZUPb>tNu)9T{4* zfIA=HM(;XfcjBG*&ZwKbgVPL-08c=$zc;q0j(RZ$2>#T9@8C>>*lZ8<2~{)Q!4zzK z7fJ3Ubw)6@;a7SaJD6(S4TdFbPaTYV2!zGm#+J7e2FVx&-_l)p^E2_M{c9#)EJz|Y zW4W%DnbhiFNW?ULB6?eu1GIzj2>#4HqeeIw0Y#^di*nhXq%!pLzJm+!;;i_Hy2LxU z{!R$=pl2-(+b6DWF5F8mmg|NjJ`LN1lL_74M5iF=;7md_kfVd+dE!`?HJov{T$>?E zr-3<$3!pOf-W|mUBJ<$rVBN1*>9lzFc*u6ILRP2D&}rqR&YWrhzO4;yVPW{`U~c>Nz*FL92EUTsr-Kt2 zvz#m8l`rC){7hS|7<}+cHm?PZ(Y0@;C^{IOAFwFm375PXPAU%0kbP%bn?t9KyQ+kj zN_|+ug(ERa7M129Iv7dNO*l(WsS)j9!7zP-chIz$(qkPAly??mkH}4y8)7$k`FHAP zRF%j&IIZBgea|mxnCRfV!kFF5F1j*|LAcHqOMsW}ie;)LUS7ftPDcMw_G@<<+?1()bg;lN zL1=t$d=t3dRGnh1acn1#S?V0POf+8Va(x{vc0A&2CBnV=`k-xf%^B6(a14Vu*t64U-l z>FyE>_xY=Gf>`5ts}@-u-a?;aV=E(En-MtiFi+!$>C(Yu%A9aoN4a821uG^3wCs z4{a}`u6n0mVh8X}cVOC)pkn4F_P>*KN^KjkU4WCd|Kvo%F!>|-j7yA>Ki2Q(5)1DK zoT!rQLuv6M7pV&SzTgp^`Z%BJ(yuwG~kA&G!ph|Pl(}q{>O9Qtfk!ErrTlIP2jL4&DBO4 zdY}cu>dEfP7s6HCe67d_%klG-SldX2VLiZ|icS0IdLYlR*Y|{EM?%Go>~)5%z2}@H zUe`))6R~!#OiMEp+UTWQlesaBU6~j4>n{t#(z}8}SyqZC}=&RM>8fKT#5R8|fRpX$YlbKYJj2 zRO75_62w{>lkG9{k5#@|ReV6=QaIC48)Mk>?PeOX`U=7_d@=!eF?#xfw6HHIRi_oM z#YY6SOr!QgX`yk7VGX?ZcCX)*ylGw$E$zHGu7k6$@cmB2>v4Z>)YCHT$adyCdU7n} zbCDs9>|xm6seMjiNW1rpnad>82g|#DH|!GLYS;b6)b8?_x=?J3;(2|CZf|o1LQaN_ z)C@0ZpIa(X<06rKcJ$Yoszp&$)~AN5+!S|%eco)T5?0@iF>a=LzRvBfs2YnhhN~2E zYnqi%AB&!#E_`dTF-&J2Q0A2=lC^N>c{t=lV$1f7aHb*5!SZwQDr5B^?W=LmhB%ke z_cU9!g(LN8HOb}&;CmX(vOx{PsI{c09X2cyZj>x`%TbFFyKFmHX}#o|S6 znj0o`-!kZXWWhbPI+p@90>$HJnx%t@0WeuD%tF zg(u=|C5}dn_OXVE?(P1CjKhufy@9x%$5Z3Sf10c$9 zKkjHD6OpMDQ1BQA(F6VI_fibhcB8RDegDFKa}gU3!XeuO$N?wYjbk_SY9x$J=;{u; z45LpCb@lY7ZgQsiKutW(Fm(J@67g0>xflp0saV;UVy(qK3>&M>-aPFctma~UxTiP3 ze1lq5y0~2IitH&}O2cM+R2%U|icZtoKGyp|@wZMG%dOg|HJzBZ_KmUMP0u^F$Ep1i z>{a&;x!V1L>v#A1hm>3C*yG@y*({G6H5^VZ_K9=*VW(^QBF-k)JnZ+`(Bo)+yBN?; zR;e*eFWlGcLAaILFRd;YgT_W`f{TgXpaqnROQz%QZ6}i*e#ue`f-DxFM+9Vt@9r5~PcfAIlamq`$W=$CBkvGx){(!;kOx|c(bU|X1(gy;9@LiaG&+*e4~+U zgXx2d5nWpj!NrxtJCWs!vRt;>c*VuK)xOg3k(vWGDUe)T%$sQNnJnztfv>9i)7(@l>EAeJVKmW@ffPGl?{C!;J&Yhw^IV39n6lC)6oSwluu*Svss8ck5 zYHDHP;(8{?UQugZ)a3CB%uc*gnB}?ey+N7zinS@-L>{3%(I|jt%L7FEld$h$2 z9>z%B(Ij-4!`z!HboMY>V)tq-5+qFba1SpX8qb+tbd&LD!id3OkHdlC)0-#bxPm@B z+&+0qlW_x9jfcyA-P=(#8+K^5zPueh1~+Kgdl<{TE7cKX6uFop$=-m@L4+7R{v~=}wp)z`V&J@g| zco>7WmC8Nr>}{l5(!LmT-N)XZGE<$ISk@aRFEUwHMSYetuYD(cM5v6cTq`|nJY3C; z$l6H~@6ROPn)!d;1q_&`xqknGwqX05^jeI?;|C*!dDVx7v;17`D&hT!i@m$rf=49K zB?-5yfu0?*c^Kidf0v82LRj}O^EU`xJ|SDH(O@tehMqa3YSne`Pu$^BlC6@J67^bW zwiKIl@piV1}e_FLtHxX+rN1?J&K`W{IvOWNL&C20LVI9EeWDz_(Na!q@3{LEk_ zJumflq&iLQPS|ei~%n5QF&X=vITQ9v?QgoA7X*@)y=R#`Svo5KP+(A<@Tm+K;0=A7gdB{p-W{vEFRU$Hh^8 zE4G`b)P(*oYMI--Ganmc4M|{A;)jgwCRIMR`DVm*=sDgraykRIYmdS_5~>;NfKu5e zygpW|GW{;}#$F{_`WUVnO`u%rWv}0&4%X~X!p2y=&@CWXt+lC-p>3PA%g3zSccv)@ zu>(CNGea`m!)JRSZupffol}QbtiSBR@R54rIZGE6*yCd~dlzDpoWQl<6~ zcsTUa!o{mjg!eK1wuK();|eeHm6sy$<>M;thoWj9OGdkSA`)jr{NuLRsWRs=s{L3= z&&R&i)0L?pxH5iJ`Pv=?kI{gRzzv1rq&6r^0UBVI{}+53JDL&^Wzq+SV9twhPIPqg ztV3=i1=D{$)_+zDjWNfCrM7kN7RM>#YTc{jgEon^UHYd^@bj^3w3ATT;>mfY_EmC! zudT(psNAci$9s`(naHKd1^f!S^f574<5m44>OqN*A?`06$k?{Z7ca7CPE-$yeQYN+ z5Gq-ujvyLdYJU5slC1VIu)SO5E1^jE9y^D((X?tXAbn8_WAkBOj??2Bzb*yLZTr}D ziW}pnva3j4KbrFfA6KKt>QRTcdb0`QH=}T@o!l6&j`fLFY1q^Nw0vCi{iSrg z@3r*I%{Ej+m(ArbAFDeDYDtDXyZo;?D4Q1*_L%yWDyxr+yuD~z+AQoraD`my2exQ- z#qu$uH^>Az$+Ew5krkPPDl+u3m(W~oNujW3A6GvW*FoL%UdoMGgZ2pA3pC%+X^OOd zc@)PmB-HWrR6bF*wvrj=7%~jgCrN@zJ3ix>hWQRjn77mc)oWg>H`rSR$DpC#Iq7$& zWMEWq)^Hk?*^L4-$DMgRpoBC`hBpWcWPK0W5~KN{K#aU9uM-hlP^q~7F`H|IrPOCb zllYcnG|`z(O2h|y5as~ho&+@p32*6ylO~Uk^b*E$ryk zB#pW_>kfZmqFJiv_EtyYmGz5#X9r!5iqjlJ0DdrqKQt_TvWLR=c^3{XOl1#)XJ|iv z-K+?UH)FfsdU>M%fAV{6C&G1$1#4-rQ&xU*V4QkThIs{ z@4ZI$tEq$5fL&7B9nLroqVKx=DrD4|qZ{f&f^>2s08~a+EVu;gw3R1I2y-#U=1LPJVQ?r034SL?HhmYwCj zaOUD(Y*w^+WMqB6EIX|2O_YC|cf;ZD_BX+18EnG6nalsE*f9l|J{hLdA|YSf_5y5J zI+d@g!aWTz()gGnCcuEhVqD?w>pFcS?=zE?t^F|U%NhFo29u|PHa6mYS{yj` zfR@gL8}W2Nq4ljXz%0h8+=%Uop_Y*>3br;6u$~N2uL6vqx-(M3Ob)~%WYH901|-Ri zw)wgS9j)QmlEn_L=fZHOfGTfbf<5i?B({L7*89ucyc4X~T{YU^~*eRFvtS zD}9#kY!KR$+yNHn{oCOmdq7M0vB=W+EqO(r-2qnixo=zJ2#wsxZb<^Fk^R~|h-W{Juy^vD31t>EKzBY5S0P{$%)nl5Kr)VYM3tIZV41z;# z(yp8ZxTw|hE-F|yS|-Gpu*YMgn|BaNfLWoTJ_7e8_{x@uZDOZX7ob*HGD$>Z5;wr* zxJa(WuF+?W6CU8i!H3xb0d9*soqTm7Dl$2dc*&EshKipf`$uD;=tnF~gRd=f>LY%0 z!B>1N6UUFt9PR6Ig_S$(ni}}27ZnpLsd#q#FR*iqY09w$xX?JI=bpVe6SxRzf2Y(-v+&)9*jOREAR zKi501KK8322R6qYQ4{wg$g)Ra88;iAu&|s{vP4`BQvp{T!+#x@jXea5z9!rsu;Fm0 zJ+CRk0}r<)i0{?b+1nnRIDBpd-TLW~jiUbVSZy+k-5lWFH+=ah4gbb2m<27}W(Q$E z^xh+F1UN6l2X1s5IZ;S97erGVxNPDve`JUFxF)%$A>0b%xbzK0d7Xa`giP#d_+dR26c7Hu6-L^w*MHg$NbM|5IK(~ z3sfJ3{Wvy@wA4>}(I5c~0{8-dNiT)Z(MjM$dG=UxHna}G(=XW0bvi!jhr^z=Dr!l^ z(+jLz?atVohmGTp!*Px2I*qqvr+AFpPQT*LCI+*2(|jY3SO0~(C#H)urny;;qfak! z?^7abR&wU240rRR8jtbforpD=)oEn2POSxfxJwJ0r|CmmAU=ti{dA+&l6uRPXX*$FRcgL2Bzv_O@azmDv#ySLsW+OQi1OHoaL)e35MwN2jca2awp2sF zvr7z3U9~;eldmMEK4X{~c{EWg9V_UXT;=(j<7uVPv8PCjI?&s?04GwG}c z{rIfq;$p#=sjaZd;nEfre)ObXgth5cexZk{&qLPJ>$1G1o%uMF-p3r>6S5^~gNEl{ zus8k0XIO@%2jYbOct-ZDsrWD8)>4UmWi36Yf{} z^4P-3wk)?E6`nD~{IlgTbUi#zMz0U#Q#%w%`kZDh0!O+F+(RlARl2sdfrfr`*Wpc} zVyt`yJb!LvMr0(pEWs=qfPf8OY?;Z;Mm^YH)WzxhGv5i<;?d;JG{Rly@lG*O?gG;$0_QLKRsBfp5A-l1 zA5(+Ko2t7)+1;s)xIRnPX|fbnx!~N#tId-{nQd5R7hhVehW7iO%A{DnJ*H3&Q9*(F zrkE=>RU)}kNzoI-;EdL8)pReM{#*Z$+if*IDkauvG$sU3Mjmerb$;vielOnwA30q< zyz7!+%qQ*XbZ5_6`Tp;pEc4NPG##}D40I!mt!1pz*MbwBn*IglSd@n1yu{0^c(Ee? zOqgS?@)&W^Y^af6r}+!Rb0(3Q@zp6`jHTWBi*47GG%a6_>l=mlF}iFafpj6xM}kEJ+-&hPiMfy43T3--_&Rd^PYf}LeBQ@Mg2zQlOW;6g> zsPbWGT?sb{!+cY~KaNJ?y@Kq(ALL2&|D;{XcH793{S~b0*{3W$ju=j_5)(;_QxT+O zc?Xd&g~tJE4z^go(~JIz-qnwF21o*l;U=M~jgA(G1PEltc;iN4m@$b#TVtQ$=^KT{ zub->I*|&hT1NUg|oW3)iPPlujc=uzWeVZgP@95R5Ay@D2T=|itY1@(sz~4{ru~N-6 zF_$S0L&t2axoPTVDuho8vrVOU@YkWAUX7i3=1qz-Up`&)5uZ!+2*VIdHktIivjWQL zFNSr`jm&dfGCae1rv}jZE7<{mmk{L&qVS~T481fl(v}d<;-4&G5?kE8P~J@h4YzGP z*K20=#GO;zhPEjo8ySz4;dGjD*!cB${&Bt_LRVt~m){F%a=IRF&gV1BQ#@~oP@HSr zr7o&Tz9hz#M7v-bE+g?`xI+mT5@e|(=z3gJB8sj-l+6(qYzAKe^XRV$Y#zMln)FBp zgZ7j1#`rbd`0v#S9cW2hQu91#XpbhYE2M}?;wGVhHxG%Bq1=HNSAuG6$ZUILi*I+cGMSlKK6VY9xgKju0D)#wq2a)iODry&vbL^U|ybJP9QdE>bmV>%CLlX z!VlNP9d?0Oxc*$^(o<`=WMGB+d6W(-6cT%C4WkgfU*UdFSerDBsn&2Jc`)wuM)@L( zTE{Kn*WYFO(T`xe+(iGmPVInaK&|7^1kg;Vt(qi&KSkTcWdrSVfN`~jwK9*+PG!CZ z&1;3;<~A6w#V+&0?1{{8ZD9;i_e5;1XL7@I%!weY;k42RvaYI**{CX1*i;>FF6u7| zR(EM%gQ{bn`%i9A<|Xf1GDz0*H~V8rIYxX*Ofo#=OgzCq(oV6uM3k4^QVbV_9>ZuE zZ1M(7l}rSHahgRF^G!zkiTu;;3L&*PyV2j$0K|3@UK+eNUubL_`EcIFLMg!o9S zV+Xdv9@3h4n2CDRgiAWg$P zZB<^FR>w)I(XeB69cNO)x0!#5I>tvPXToLPRJzAC1GfXR-SNf$qWDTT_(c>z%GjT; zXpUdXN1I1EY6hNX1yq=3NTv@~c$<=$@WW`8#-|#q!~0B*^A)#BPvMTniKPdV;XbQN zNLL8GmCUn!2&|@=I2T!ZISv@V9m$^{eHyHzGg2VGi7j0CDZ813AGynqX4emSWE{-T z5VYQQabE}^H49H|Gk$X4xX{pKk-eHdu~Zz9#ji@9mi^H!cS#-A#S6g zL=<7hD9Lk*H_B^pc2;7wme*f;12-DuxCYnT7;a;&1MW%Cqzy5@s;hWX zOxg2l_(b*t;+V7iO|TQ$RdfmVg3UTp=OMk4Nm{e#yXek4_&cJm{#U=a-wjMY{QWhc z`p1&L$;+{pR5x{oT_VSu&W6ghNp_Udw3M7bhD&4D$Z@nInj_^gGY7HkkxV>lej2>{ zdvR(@B4lCv)wf*hQ#Wvf@N?#DPc!9`m=ZQw&c?|o;OFX24eB-EPw0*YH}JvVufl9~ zKzA@$vuyXel0>>#ixo;qJDOFRE+FaODBjPg;Xa&<4mRo%UWe!u?J38XHmRIHQ@}sd zCoj&HelFN+qtV1x@VLM4hue4Qo--P_8aoPh>u?qO^zVo8JX7%XH@-xgH#C}sjxy9-hK}c^C2obs?Q;z7p`NguZ8mf~|E6rW8`$_vt*Np( zpDjVB7!v>P4}SUp7Ue)a|m_}~|1eT18U=3WPC+oAzeO%VW z$R5v`JUZlYDxZ2oyT?8&<4Nz4O`Uu+$lACNG};AxUnHA9W+=YQPY~K*MWx78?D{?WdZUiz0r}zCZ<$ebTKY&HkI+(KTwfNydH-pH2%0Zyta%luM=Ly9l+%=eu*YtloQO6 z988*hB@b$URJ`y#KAM&3qiI#ic%DO8zEZ+hSN7^}&XG04_1fkqO@geTbtJHI9u89@ z^99GfD!gFK!`J5~#}D5^>gF8;{{Gyrkih=MMX=SMPRi2rBm-?gCtUi!{GWk%F-|a_ z%dDLvH^sRK@7Bk}uwQ@YQ$t>kn1y68@+l^W$XAF-;~zn^oAmW(_-{B|&?}#F^^f zskE6IMj$31WVQ`Gy5%yNRW3#RnK~}>_Qv5M+MIIwJe9;)MUM^Q*{+v7$=!gzb2jAu z&8KOX_4;gRe@>T?Ocb1Z;W+#B0<6^3aqk{5ccuguGaFJgIbg$lN=N)|67J=xzmIF# zUa+A`1z}vGoeZO6I=I)OiX}B&NzUqONxy~L6W1}oP|)Kj0&lk|Yuvq^h_dP!u`>3z z{yxS=h!_p_Xr=uzxlD@H)^S+CxBB;(%XYnA6^E0jU(9M_$_~$81{+Ex#{G3KL;)fA z?p9lpl)K*kA=<8dS*4|rX|z<_GiV)mJ8qr6C~t&m3l_@DNlC%MmWpRfg8fbzbeOXz z6n=2X?=jKWvos7~8#>e2jqO>}^l}^eV}D-rKfw$A&Au&4bOqN=wahbPlAB8a z`0%Za<4DOp#O)4*a44 z+e7~+_YM!|`c7ukU`~u(xIVsLz~Te0LAk=BbfxIp(E{+ejHl0Ir`YsFGE&_dyAluH zluZ&h!WZXb6&(p$5|b(>ILv-^Th|XtEa`bQp_@~dc+&qfbMLv4V#DTXv`eu!W zm${4dAJ-g$txuM)B@A2Ebev5-ST?S`;3fu3G8}^q#_U1NWMyvWNZw0nyly#?Y|8aZ zQyfCxLKdr^Q4JE>+qf~*8KfFW!VYLUuG3-J4ea7M#l5MOpPp^kFmdoH z7xCoc2KM)#M-L+&>3UA@VN`7Xv72~DJ%)QP+z8~Xb_?f6xC-uHsYG)5D_fP+23FB7 zDdD98xHs4tg zEcfEnuvhefJ3BS(NrO%0)axGw<~R+^T~BkV*TIEiNbm-nCO-WSVe}sQrLU!>RzRs! zxU;)a-*DQvgRR0QbK01Bz5)`#(XbQNz5a}DxcZqTYLfK+I2w*2?T13n%h516#-s6~ zi_;XTk13I)>=sAo#`J#9#^J2;4*Igin z;>AtIBpz~wtzqH@yeeD6!cK01n8LBJT`#GcISzg_NLu&d$W3k5Gbvm;y$w+v=b1FnuI zPmd;S*m0EcsP8?nQ~)=wf+UV>;IR7K{3v|BH)5|(Pn~OE%Dc%iY$_kU z(P((iHs!K=*{H{;)oM5#u7s+kC2+Oqrdi|S62I`~Hzjdd{|Wx4T(W^TllSnf%pM9a zt0AFmPfi3^0pU4G8Es1vJ+utwIZc;&4Hq<_u^%jV^x#6;FflOsH`!oNxm0$Z_%cl# zVOIGdO^itHU)o{69=9hSc%Qjv!Ia%&Hkpj3$yfq@u_S`8vJq8`!vg?CE@a@{>-xL9 zJ>^(~#RWH%O5r@ece=a_t{<+3Y#|6rW~Y=GKQ6-RI6La|2#@;xetRlXlaQ!nJWUv8 zfbQ|tm~GVS5I|&4Tv9|4Ox7aJV38~)LW_x&4_pH#4As|B(2IzlY=0ldb4k-}!0=Fn z0e5u$ZSHuy;WBp`^k#B+qiY%!^8*#j7S{8;bE`6oFK2 zxiuK5TK&X*78dtJ7X@*kR+*ggcp2=U#AF3~rV%;D>GeKl9yS;_s?AnztFn zo<}pTPG#S}-oTK$r);Z!=I%|LHerWXvWE%v7{6M@PGtpkU)Smq23H0bCqRuR`ReL8!i+9nlcItg=q43Jbt z-A=jyo-3OR2$dut%qP@o8Fm{(I0$wjjT_7<%e;-Q8@T_?<2O$Ybe&<)4$7F56lUvz zN~vz*iRMHkb=V)plUFt?oG)TyzKhb7B^PmU%+;AVjQ9r!$Jk<3gp_0s~F7nl9?L-HlEyS~xJE^Gzu z)X*@w30p7un|{g6#2^Vw*veIJTod^k`mcT@wcQO3lN5~JXprLe2Y2+i^BwQ_R17l! z6oPDixrD#=cIl1Fo7k!o|LvXmOkmvt_APw?6VoVG`8*aTQM2xdkeuy9KbtclDLmHI z^0(9Ijeh5s`^@)nBn{#pZM%w>lZ;I%janLx4u5OkfBDLl&Gph|9VfPFz=0X~o6J6F z)-kGSv^~8GL$|YX4Sb`DxsqlJpRf-9`Kus!qnUjIc2$tYU8YrU-^Oi$kI};a5pkn1 z+7NlvS{VvXVzZ6Ac5nij%jp>O;OzLe*%O4(6fVb1;3eP;lE4A6^?I#%Q3v!k*e+kL zu;79d(=@PSCjEg7XFEz0cO-)IszPd0kuP-(xYMHQC2g08JOGhYE(R z)x_?z1Ln^1u9^XuE#k(@@WQ>2(tunJ>v!2Xo=%33Oh5>5H_Z~iHEL{sb4QgIIQ z(O>wxh{kbbBqaPQlhNe6Q|9}(G(3*ED#tQkMaR%jn8a-9D!lb1Lo`m;;@+K#R;XoQ zE%WS60}TEqS==EHT#1&2BLW<}q|$g;NY&qKOZq&dC5o1f;p6U_`&|pJViOKre!YX; ziz?^PF>t-tdpo!Ch!xwt&i&w)lI6VIH&-~Ld0d4o;^VRfF zyWKAuQ6)6%pBIDLr)Lht>m)Rbn+@Mt-rRo+itiCa=w?&OQ(Q9xd;U%DmA#VEd!FUt z-hS|dbMsfuxRMaA*d{j(#0{f{Tgdq-P;)c^^hLyX4Y(mg3*< zGjbIg`_|EMapJ}+y5OCHL#gFWmTgN|*pA!I`WR%aV7n&4=q!HnUBoxlm@`aHqHxFP-;<}_zaLUD3@7-z?pIsI9q9dF`?8Col{h6hceL87 z#DPB^BJPE+vN^uCila(yD~6*|xHOm3F*k;kxRHw**wbO(@5J(qJygtYdQXF4QUK)K zv@J<3CftQQLKCWS$x3#$EX$KJ=6KIqzYsb$nuh8>lw_0Z}OzZ)4(e zT)R-)xE76`Q^N+It>0cRZYE6?E(1x$3;dG`m#Sex3$~uq;J&;5ah`Ahkc5i~fzJ|3 zPD00i?T28Wd?^EyEj@*Y*Ihj8BeVM$ZdXq-M%?tw3Am|jFPOdqPH(CV&%ulL#XkCR zD9c%>7Oq9Q+zY1e(%i|h@h~v+n^^+)5_L9;Txk-zi{8YS4cFqrZ4=u&N^vUbWLAQn7Z*?s>=-6= z%O6E`^K~^`0z$MATuR4X$v}&1I_|NnQftyAkvQFQ8NE4e@cqJQ@}$SnP?1S z`mRk^gJ`#%Q?QkZ7FnU&HoL=E8!r4kSZ@70+Ye(_vz&R=81{9Z{Pj9LL6UwAtSTHl zmc7p==}C8Ri#qxW4hH(nrcMSI_33)ZKIh#7&6Th(yi%U~BqOsiYI+SjQp0flBiygV zl$Kt@y{%Htb}m}SQ$I@7u3pDGqV#g@@3Tg8@dkbkJ;!mBx>0N0*Oe#ke8l8v>EJgm z+{Beg)9J;Q@p(3U=AK?};N)!KmwVxJ>P-x3PQW5p%El+Ib9VfMj(5>K*zYqTOR``K z^JSL3MM*)l?{r4jdY!lCspajuYQ{TrV;HQ`J9qixqJVhd>;)v zgIO8nv#^AU;Y;6@ryz*6a#9P->G(|8tlK!h*Xfq;UmMp#%6_noE9$wfI=UFcT-z)6iOP@ee&2jpV4*!h9 zAesg%W%Sic-!YSL(%j}Rr3LWAL+{ZrG3jZE@-i&^kY$(K8aD0lB-svj_kv$*Kc4&) zlfnM3u>C%o-)H6BCI*JMgIohTT`w_M^Z79@W(cn?b2CmxS?4Rhf(&h=MNrA%$$$r0?)nWPuu64W0@uG08tz9P5;n0P)f z#54@L{^~s`V`lZ-o>gXLnTDSLXO@|U+my!sDp)Lot5S`VL{}=3%zn}FY_(hHX2$I* z{J~E#j^f~l+l`R*WejJ1Z&ewYiRp4>_&k0~$;cOK&Z9|wVu-+O%n@3dAthc0J74rU zU&FUtm54dGEMCcGFxQ5AVjCPDroDoXXx5yMgllFU*A@!yu35*GH)t=+I*uSJxEf|1 zo12tE{pJ5jySC-FjV=2tcv9Ilw!#Z|du#v=krqWT1SMI1Ymu;ohy)anltll=`GR?z z_o?}T{MhscMch{ta!%z`;sm=1^ljhPUVFD9oV2v36xCNo3v>BbO^uE#KMH|uql0mK z34Fk(4VLFZEnad)SJ4}>#$0vllrul=Ut>Vd5yY9DviB=LJ0$K3ceRs;Q)DVvXe~NW5;L0^=2YElGnT0RLh>rDx2~yL-*40N;mStd4w0ejHlN*ZT4I(Y3 zjaB6#!(DYmZADKSx~$%cX<*aF=E8@X3k@1p6MGj^u?p8BiVG$d*+QL+CuQlF(dz@6 z)av4v6mpl5KDU#yEvQAU9qaE4vWA!ko2kr{1kGV|c zyihBa@`UtpY!zH1)&O7F!|RK$x1+gh4o6Auf8&_d`+w1-~=f=1;7R3y(JE>+_AaiP_iI6d|IXIT~FAG|hhR^}n3r)zw8{UN7AwgmYXD`u}Q(+Bnqv8dw)wOjCOo}2ius{akyJ9S9>kR z=+V=dC+k3Qm6kn8gFP28DV`l06E-C~!lFKRF_=|BbX#0KTuieS!AkB~*IURp+U7R= z$@T?f5xnizG1hQLSdxNUTigJO)cT7Yqp~E4EBK6x$U@1^Qf~DXHR~A6$Qe%RyVH?eqKy~jvQXSm@D^v9`Ql+7GI+ z2X+%TNUAZ7cGH0SAt5Yh!Tas?Gd!bjD8^uI1(q(=i(%kxwq_t|)*aq%@S2G@CTNq(nagW;; zj!OXl*|rqb1&U;{ZTB#HH?fjxeEWDP^tD6jv7~ai=Zl<_Fha*hZ!|E|#b0q_!ec)g zdKT{z6q1rciu?EE-q0IO+_Q^Z{b9H@!ngEkT<>(dla_?`Ct+{N-yVfqzq->#I+()0 zI;nW{MoR&-mnSzvbs(R`)GiJMQn&uvEB}I`$!wje?cm7fn7H2_G<&yN&HR@GDQ@zi zXN6#WW2)ESYBs*ZC-Yp&op3u}|lq1HNjv`4|c_rm|xK-bAJoEc)sS|SU zsK`-p%K>knxoYa;YxZg71Z{HUxr4&v6u4?3IWAt%&|*A)d#>8|1r9l zN&_+z*omKq_xfTLZv5x$MHxR2jRs#HmoWPzW)k<;Yq{f!Z-R}$a3vz5aH@(b$D&xf zT*v+MhMdi)qQNysd}4BqO{~Mo8I4C5cb~qG*cG3AE*~FUgEnRkb#Iiz&qgeZvX8|u zCB!b+K9Ymup3O_ir^1GYHiE%;z9E}@zTbg6cPwwBGIvz*7Vl$UMs1ksjRA%{RvWNV z1cy7=cq;v#>1e_Wl_pZkf*-j#p0~Al+lJ5nqF8R5y?qP}IH+^28aQDoPv(s;ZNThC zE%frp-CG96Q4f9jDP@-NMAYoUx2R(d%K>oj_Og+rH!S?s*8!=JO;YF+-_!+hjul{? zIp?_NO%3s8qm56Kw|XkNrny&dHZdl4G`BT7`se>Pi^o;<l>S8BUQ=yI>h*3t{#$al*Dac;GK@=R}bF=(P<)tg;x8c#z%zPKV!b6HZ|sW*F=%(+J0s^08lT=9g@ zFXUC8K8nknPx5l<%>kxL=BpR62vc53y=itZ_Gm%hL8-ao_D`fO40@bPKS4U1o0LE~ z^Q$&~MYg{8|4tvobzuj)_-^-I?(zZ{u(&%~4Xj3>1JG*Xk`;F=R_j9vTxw9}H+HLy z>z|U7@@*HaayDgl$Fy{8m0Zj?Pbrw#bUGd}X#u!j;=rxu*xHZb^^lFyv2e%nJassO8dE&tJ zdpWY* zqqP-bj#_t6TM^#CQChuiDoRvTv@KE+r@AW(GWE8laKSd>(Wh%NZw$6ME-tZreZMNZ)76>^tn)peXUH4J0Pr4=wFvMwFudRrmR+zndL(zXe*vCj2 zfGI6@gVM>-`u!J|h9}%fSAO7sHO0DUQOUaqUR$Q`1(kcA{s$un7cstM>pi7U<7CW9 zhf3a*a4`(ATh3#UTlo!p_*5P#E4X_*n!G3H>CYATkYu<4ehayq>B`ROES+K61H<3m z9@>=z@}6F8GBQ}tdQsd6Ec2!53~`(=xxV+_+aHTXjH*9eK7}n{>-dMsDAV3+M$@u2 zz0=TfpHkZ1UUW}20N(xPA=*7Zd#NA>WV-%Zx_CEXf$JmZD|e)O{x4Kur`d+v-9K~} zWh)V_^T)EI${J(;b(+)YWax6}GJMP<5l3~-X9o)+xr12{`F|3NInFS*s!G4|!+ znoTY&N1hL7I!)*~D;UtI)->m$baV{UzH{dXf#l&XCcPrOutvQ#isjdOr^m3tkiRbz zkv=x}CPcI!EW^@@3>u06&9Qu7H0NIpKDPKI3A(FH{muXf$@nGLjGcc-DrXxgx2JoV>b(YTI3-Ojdo;Vs7+Hyw zB28Z%$?CNlP_bM{C-&h$*(Cpg{&1*nJUcW8I9{Noz1~ywD*BUZ^!z`yL#qI`mdm^l ziJ+oiM~y?$Q#3)V5eDq_F=AsPjatLe-0R7WGsiW>(p1K)UMC3OQ=}iS@BPK!J8Bb_ zS{pqBpQSo8X5#z|wQ+bAs}(KPgO|df^`38B~y?^bBsi;J(jZw)LjRbbfBO2SZiaCEj@%pOkUU*E)YsWXnc6%%S`+iBF!z$* z<(uv%Vl9jia_=Ve{&9nzjH1pr!H^?h`|8rP6_(jR$5aLtZW{%ou$L0am09I(-<)g* z_ZzIJ9M=auY<>KG>|xNyZWG8=4*Hn-R~=9vD2P^*@W6QF&iR1?GmBFi$gO=+bKi~T z4olQFEtntcpyI|<5N_Yh&5DaNkz|ry!Ubn-T*fFZ$UrJzXToz)O{OC z!WZ9r{q$b{`B}lpuQLPFMLJjCv!Y)$`v*_uY`icT1}dGIc*jb$`LbK5u+w6egISm( zsX|{fuBc(DYKbEyIOgy@1gD06w0WoT$*B5I?v9G&KIi9>k5bRU6El@I2!FTs@@$*B(Z^(U2KXWb??1q5l09$3Y?wHaVVGC%CQh^wWOFGrN~!$w zztp6JIu)hA$uQ(IW%&p3=BZFDzYV3-192`^ww}{!m{b$`UiZL_K=h|QA6n~4v zQtppm-sach*Zzq(fFA|>qWvHuzo&FWOshT@tCd)kzTa%(z(wQ+gBhbH&JD{_r{p)k*~47dGqGR!l{ch0z*X;Ywb_P{ zQ2KLJ3V4$AJ@@IjUEh(} zG1%_{dExw3@()X6DFd^I8r0*cr-p+5$rZc0a^^$oB4du7YwJ@S?V-5OX9XOKhJ<&K z<2qLqou|5m9I}w4a5Ea|g9pB}$>m&!!KY)1*k@cBM#Cuyjbq9sgYeBIS3LhI@Eo@- z&7eDY=`V<9z+L!pOXNc5sq0ldlu-L8)p*yI zl@DPq@)o?wuwhJe8~azH1gCx}`)uskG;lfy=z7y^;1-GrPsp9T^q#^~yI&3k@1qOH zblCT}yd?WPW{h}eoxKwaFH+qM=cRWz&Eyqx>1<)lhz7yXl_)e1K^TfE7SxRt#8%KT z`tF`!zK(}c0G`*{MEnxbQ>e|QH4~FR<=-9C&4jP?xUt*FGq%~po%~{KCP60Uf4HUj zk;`3Dz;aN`isDC$oxi>HqNidkp5)*)#3>JuRzsX+tC)^2kQ)i!K#zOF^GZLgpzo3< zHf`pgkra!yqgYk7q0J4aDDDx#o39zde~aP0X`{qbhXscggrDI2i)gU2K%Vy+$|~rtAShN)d+Z4 z4IBk9_sbYP7CoP*k7M@f-%sOM4Q$bvav{uUFCF^i>DB=2caLIOiEoJhuf?U=8pQ^Sgh4ioYxvt*KM3O3#7fe7NO>6 zj(sj}TI36{x)yefyf@oV9_-;DYm&CJMC85m^{R@VtRD6{Y6K^(eh2T|N(`LU$2IbS zkZNo#9*7xeD1Z5%|Big2UH;srJ7|D=_3;TGPu=uMTrgORI>0ipwsS}GY=+!26hSn) z6o<4!bIpFv4h0HT=DuYpik4209ZF$b$6se-n+gJCe)Aq!k6Jia$o}i5&_X6o z^5^eh%f{V{qmam=GNJsuEn#td6yuPbb8wi`thb8T_+oUyz8ZJ)66tFGCvhT2RRw7& zK;?DT#>Q)N>=Q;d23^{pF3DLI!RM0BuyOa^(YNHN7wKkG zYA-R|Dy!<77+xu9`j5FQjsFZS7BM(o@tHYtG=6n-4r1THWKJ@u0&Y|VF5`;WkFgSq zC&P=Py*8UCT8(o|)>zf4Qn#D9UC-%~UAsBJ>v28$F?6oAE9T6|c^XY<-bNREqC)el zNM-qIoh?sFMR3XWjaYf1c1VF1Ym@9Y?qg$z(U!_4^6O!Da7oaSy3X+YIG=DU70UM# z?meT8>`n*!!(!vr@zpqR9}-3?PA^_kWjO`_+u};wNK?Z+M=M|>@NEVj>GPL zsPf$I;Vxm+R-VGVbecB>%EnYJmEyg2kKu-KAj@eh+FK=l)M)Kf>l3_~jGqQ;@jYQM z6)c^$f$f_g-hGsZ1m-8xU^w42^ZbRhp0_0lxB*9jc-!nZ32%Lp$MXv#C`#ksN$kD9 z4zGRibaUHF%H!_!6m`+!u*;lX#?*#|t|nPyoQ8r&^V%8ZZ=4d&g~V~BhTV+jcN)Lr z*~hV~rzmzOLCn|_y!fkRqAS!gNvm9r7ccrcI>tD1QrK!v%75kF)GoYWe<~wD!{OSN z@#QQ(tEU?-T!b-R%iW4xhlAX)U^pK{jG3{M<(1|NH<}4IUU2V4580*)nXpK16zo?% z?PJ)an`iy1ra{aMiRoLDbi#$)_TNU63K)MfjD?G@Zsl3`ZV%v$w64guYBZ6%4k!Tk z>?xx~HpeX#Ygn;1AK(I~56l3!6*L7Zz`Jc@&kHDi8zU5J!<71s1~#j!ohK=RueF(w zs{c#`}PZ?>CwZUw0LcxB9r6>(LAE zqflCa$qktzW2B^|=u@=~z3A!dJhmUcXoo*$oZ`eMj)%d4(Bs}@bAIV))1mYKtXeQy6+QKGt8N}0Bx*CkRG{Sbf-ei!CrU3Z}+7ff~{l7rPr36A58Lyz?dfB#x`O4Aa!sm5<8d6#kL;0u_3U#b;CC+T=17)@ooo z{AyZyyKCF0GKk?Mu1bXA`ahc{GlT|K&5J z{dngV_b${nkCQyQ;b;%%Bl=>F^H%9yxL$LEi_#=&v7H{ziM2DQ;11Mfnn$YLe`iwX ze0+sx_yx{Tz1qfTZmj7#xE%S1_+j*_g{gTJi7Ar91`C}G?}16@_U1TUR~Fq|N25G{ zVOf~e>Tdz#>s5s(Q{Fm`L~yW89XKY@7E~A)b{pe46vescHMSNGjQy;&o?dIaaIc|v(Xl1Fhr|qm*#8!$;}t!PxqHZrm0HUET(Ti+ zMnlnw?VJm**AzWm49_z(!@M6oYkhhRKiw@_I0-(YbP5}{Xuse{)Etbay$b?nP`}FV zkNrR7z!KR_l7TL0R*V``#uW6Li)nB(jB2ooE-|s{3asiSq`Wi%HsS4n8C7JBA>9G> zI_8l&L&rz5nD^t7G@xE@U}%G=Y1wlLr$rWey;WD{DMRwHQ}5c?Y@%66x-N$+qd9QO z;E#m%A1U}_GDY(a8t^1isMp&%&Ss>MgRV0fxer6l?2WGZe4WH=cp4m(AG#wuUlJq) z6eS;vB-D8Oy)hs_0^{N&gqRWPQroA4LkqF@nbPHuWpR7t3-R`17VHfqM~~$xIqiF& zzm|9+OnmEjQ)e>FoC`LhrBos@ zvds$WoPQ-@SsyK$>Tml=7Dg18BVt$tu79yql0Gg5N|L%hTA4;N52H*5_xwfXLhggx z7=9hCETBIp3qVbH^(Wv6qLdVo<-x(N;LMb%`q?vGp z$u@fZXZGtJ4KHJn(;H13a%6;c@E*~HDy?p#iBmfL*iSaxZT9sw2=nhMAK}K00)m{p z)T$-y!6bw+m~`Ie7i3lMO<(XQd9QPaxM|KO(E3|r-f$|;aZZ|FF5 z(mUk1^Eqp+qKQ+gWgoVKjl2si=!RLtsT>uV4M}2;*nVQzc0L(;pxh{1eG`X|fu?D= zxRCdf59YS8MIgFIxuU?7^v`I$!E*b_&6MXf|;l zP`d9X#&9&ry^n${{(}9}yumf#slUmc9rhGnr;#jKH8)$B6Q(4{(QGSjB)ZCPyGD=s zat9;P7a}W7I{cy&v>nZ;p!!eSx<=8812rl5-d~oT<)*?|zNFNGCct@xOTJ78Q$`$t z@#H)QFQqTv!5#+yj*$#L{C2d8v?-Th&irD4Fq6mq*UTv38=ic1Q8I1ty8FxQ{%9Jw zBGl^Ml1aaL7vOa>m}d_(G28Mb3vA+YO#~$-A^aoDTO8<3tE%7^IC_8mU>!(y7dPaT zEMwV7Xj+&Xbl|VI;fB`vJ=%o14dEy|{l&}hZLuYzCjJ(PGTWfWY;2p1gNWXU^lx61W}-N0QBM9#A~@=YKahhrp%tyUz2UKD=)?=VaWRwH zlpM%cCQV75{Gy?7<0@2`g5XqdRdICC89bf7XRC^7|4Q~ntA&}3L9V0K!j%;{3uB+8 z&EK7cr?(YRpKr->IU{2<#o@F%_#Bu0G!v^zc-^%uY?a?JF%HM^B2I+eCR|dH;;Re# zu4TDUfuMD@8SLuoN^fUY5~jL%vLbp?xOf@puCGb;h>Qy_ZKqt@e0e zSJLdba@||MRWxr)R-a~u%Q@*1KYj_qE!~ToJ(X9G3zzWBI4zyBF!|)mMt_xs`*Xhr z*WDgMO$`RY?_vDKol4@kP) znH{-$XO-GaGr_rQe0*K)$FhXtVhk^@ng8=VA2Q^pRG1AE3|s!aNx~^==q%m;;p4 zdk0fDzg&tC=1-H&=xqgJrZ*fKBI)MYL(S}FGKzLL9M+Rl#!`CDot9SqV?Ks+|connNGiLG$;FDZQOhccU#um1~${3m@Z{*-IucR@^H8xa=nm{Oyx3(g}H(va~CChVyZ5hn%!icF4ku;0oe0 zLQ)}eJ|=w|uD6lqT(h<(oqwXAc@~U9C12$;EOhA|KFYGVD_xL?%|8iz#uRZ;N+enn z7qPiJ(Fn9;SutDIvG?C~+F0y*;LqqX5}%BApXu*3gCTV(s7dMq#V3pW1#%AQt8)9m zD09Q)=i}}Jy9FzG6*h?F6}6;?kJAla{9HJ%bRKx*GK7z}AO$!}%52Eo7Q@vw;WCm3 zDhU4$@6ILreY)aaV$Ne_q0m!A0ndj^Fn7UAlrJI_0vMH783YGtln7?0IcwQHVI=P_ z1X1;xqHIZhLF#qP@@9vdIC&R`Kz>+5VMJc=u1%~*;Z35qu=gf-M6@hL$NALLpV`88 zC`tqAEv#$Z<<4gmiyW`fuEeF5mQ?DB9Gt*?u{N0dDSd89w>Mewbua)AuUiL$AdIy? z7xrroFq^HIiBp(A#i>Ly;*Y3KHR~oO7EBNLV#h4y$2f+xa3+ojlcmEM^*!b#dr=GD zZAX9*^H}Ue9n>P&JHvvX@Z{l&;5P{1>kg(7``UHxdQ6{Sj{fwFK?!j}HVe+^3`c)H zcvq&=yXy^azhKT5ngmxg{gKRrW%yapgbwafiMi)lOhK`)9VvW2*f$^(kNezyOJ!XL z1F9bVC3C9h;yNsVZ7BBAgzw*VCeI!@{{sb8oR|xDv|hY&@Ki3zl;v<6$kjWWq{6F) zm~5T_TT`>eDx7P^?eAK!4q`fsn<)IzbPyF!fBH71zvJ?H!J>2D=2l6<1Dx7{! z{C}M`iOroh62}n{;U>@|T*5ex$ot-F$z{Giz7!wF6Jxk;8W$L|nfcDV@#o%BQC0jG zsX#L6=xu{|C(9`M6@K{Z0`JS6XXPG^E7Vo6Jz5U8>5W(6I@xFvt#T>vatY^$-l^gUDN|UA zQei1pK+}yTzFJCxN;DihFKfS$NHuP7|G~0f z(8l4Cf#prLuPF zJ%ywW&eZ!ZG?Rd2bMvuIpB3qnS+ zX(gSRbW_J+TeeiCMZGFZbZovzGyMw1hN7%xJRsJ=P`ioTp^G*e-YdXL75Eh=5+riCBu%!6eX{*s^P zU`7IJ_Re7#T_5 znWba=F{AB+tudQr?7%c0BjT(@nDAyVvN`SVwVX#_={URe1IbUTqoDgdu42fOXkH*V z%{W!UzE$2OvkXN^{xK2Y^#%;l%01t}WFjTX#WHc>%dNl6QE|{MSjj)j#5=~MjlCdS z;G3)oQ$Y*&u1ObZMOIHjDm^?LEop5m`+Th2OWuPxZ3dz6H!TY@%t*1LHQ9|j%~*#k zf0-UVoXb!(r7ETWCkdQ8ehlMq9%NQv;Ul^jNotyX&9NW$$Q$Fnz)5<5;iNO!b&P#4 zA$iwT4Va`FtYso@X#5Rqh1MH5{fVL7b5^#j7X-;-SPAW2|214`DX7&}bY-v>yHL9i z0xjGlxerd-Qhv`C&exWlE?d#j;m1r4yN%uU3rr4M$1# z`9aL4a53d*cQEG44*1Z^MLZJF&NeU${A2Px{44|Y&?&?z#Y0WW#xK-y#+}mk)FegLwN%#8tYUr=;!ab5kRY~i#v2h8? z3`yiyD6mw$Sd7mwTxA1sO*3-Z91DLOE7}Abx<%j9Q|;Io<30^GOaJ%Ws@s@xF$m&F zruf$#2ZvSUZc}?_CT*l$TI}z*n9Ft4WqQHmNVkeB67F~FPrCaBD=+=5WhE2BoR<*! z;8rn^{DMv3R*fII%iLP+Z$9*H4TDh!Nz5hanVTAl60?G$b!!;Ve^E5ttzmC-NUD9j z^tYUP+Z3LwKonX2X1fe>L=t(X1h7I3 z;)XQbObkdPJ_xE1DiWCv+}SG|VRQ zV{LORUd=VMJy^>0U;kh`&-TGl`3cYh8CnP9Sy8b_6Tn}cmOk1({cQC#2DV4;E!Vp0 z25u03L4MpU$~Eq#>2R-$-f%b?I@4?@j$U7+zD;aL-0p$PvRmBkf5}N(xO<_<_Fps1 zWwYDJ?J7x1Z(>|b5c;`DAdiL*d5f;|=`bD*f6!g>E#T0{>GvZkxQt%|MsoiE{zsk_ z$Fg37m@LSXmxp@u>u&Xul@9Sx>_|Bi+9M^}hlFrypK-7vp05VE@gz`TriBNZ?P&g1 z+ek>`LMgZGZu6W_tGfPnA=h7TWGS57U4+4Mo;M(9JUpf|PNS@M0+J;QoDUz7ao z%Ji7zxYmXOQDz8St)I!_v{9J{JO)MW? z!ha>9@Hb}Z_!cIG$$a{9Cpzcw&`g+nySt->^~-GHV^v9UG85yri%}k{YGF3`1blyI=KABs@aWSpw%OB9PC7KORMH|6w!ND2!hEi zyCY=loTPEmnY`zK2_lpStH9X50mNhiA>NofUUtj{% zZ*ZyUQ@ETj!`DDFW>F$2c?!#pIRhU*MTrDn9qJU*EwIvvL%qRaf+RCc{YU zGXGABQR}Vem6N-yZs2Wv$=)(C(flMK^D@_ZCcnHkM$aBXF0YD^OHp6Ybhxe3B4m?= zx%GC5Y_41#denV6Sr!LJ`7T)&$M}_)yj6Fx_gJ1VAQ5bpKdc3elha2W=MxumY3GfT zE4uDtGWSdRxLA!U&fQ-}|H0Sj-{2r41mQ$LI8jcFP5ho_OMsUu>401h2 z;j>Jc+5v=z=nPU{D+^f^)q6;R;( z{qX;+UCVOYN|OB*tnPG2T&wv6!DZn=i56d%fMm-%NQ5L@kpu%IZPQ;cy`R;r=0kcl z_k;Qurm{c+RRB(rvS;B?IHIx$psKR+aq?uFVaS36o6CT1<(_sKLRd8q+Kl}|XE>*= z(SQ>#xc1mQAL?O*TivJi7;f{v{(2bk*Q&Znod#C${$c&J3=iBzl7FYu)HI(ASCLV< z0Lq`R({6eg_rtA+co|nnr{s@F6X3wjVf8HTkL)m&#Be&Fd7@#W>&wIO0-T5vv(G9k zYBmb~Zfrw&8V%3+vD}ldP@EDS)OsgJ@r5)-2B*n*>ce7kA&j;12mizHC-;`J-Lo5!bEt$#vm;VH zXSjm%=5FrM&2i+MEUvDOh9J(l@g~>qo$>ijM21u+TTV9cS+LRRe~X`YL9|u*cAQQZ z$6egv*qa%COiLK%UUjF3i%v%$?~GFq@@*WYM9eC0^L&nePutSug^c;dDS9a%^l`|w z<2DX!-0Tj+j&2sTsWHPk4ui`z=03h5;T4>Yhq3ao1eiM@NM zFHw$wiMD?e>abE!o;9Iy4%Kv0oMUThmBR_j??Yn{zQ03 za;XbgEDj$s76)t-bUQc*A{bOCWbN0o;QG`N+a<_f*%S zV~vt0#GBfGI|#BYXclz4xQWv!d3sZl1*+ev?9VPvU=FYREAPti)eT~5;;!04N~hby znYuv~@5n>^OtwYwxGduKRJhL?x}3paNx!2ZmBM?thifA%xf||k!NGOpGahcQBlLWA>SNu>bmRL4<7(m}30bKj+SHO2~%UeCpl> z+`#2_PcZ-Mza~S6|3_x;q#wYSlYi$2ghSz9=`Qf*iksYZu;t(<>)J3$*Ttz2@B1#L zqVZE8t+a?P4i4W3PRU`E?9;A?14d4`j33iT1Ro@|Kfna-KcCI(4lrHE1zxY|0~ za2;-sxu@bbN}g-s3w$OFqx#cbgWp}${+M^Lv0d*qlJUV9J%G~3w3M+PO@sm!%11aVz`jjA!bzqZI-Z1=cd{L)Wp*kYdic!n5=ND`ZKB$*F1ad(aD zWkMv6$KQ|^R_vWW;}UMuF)h5#)2AK(98_P+is3l(D=LX!vj)B;x`&#rChgWfPMrRc zq+b(5!EzKx)M5e~TSyrLoH2-ZPZb&x^(kx&6ZBXKu_H_2Qpf3+VaC8qrXIhy(_Q== zKgHtKKE-^WYQZkbyXj(OVH!y{w-jC>L3q7p1?!|aWGZ!k#$;)n;$KG8$VhfIX*_m{ zPsZ+_v49o`;Knj80s2a70k_1=8I~=28jn#*Z-)gp{bZ8t-6E7l;du?Bjljp{RrO*x zJfuf{N@K=v^PB0^)g|b6N$xG3a=eWSKG_z)jOM5@fqEux4?R~KX*j(ePPj~%%ly1v$m#Vl7|!1d=+6n%DIwr1`?AL{?$?R= zxvSfgJzGPr;!Q`)HnLuL;+id_G_Z`?`dp{y;@*~*Y=!~m&mpa7jH6Ye;8;rjX>XwE zbd+~0V}78046A{wY5WJ@VK#S}ZWAK)mp6{pz#vMNK81@z*{-TAl-0selr!NGtA#7U z9=KN&Z~pgxgyM>nG83i8iS#9{7XFf#)517b8;60pZ~x(5wD439prz>!{SGP_n&&;Z z9;>VAGEM~mlwzr6tEhyu8mEah&<(s$cn~ASkZEErk#yuKL0lq1xUZkZh__E z>WER4taqiA%;h{>77jE%7r{_~GaAdo=>@iWO1bX@o)XiU1yLH-06P1PCg!t@4$Fd8 z%jvgp)7P3E*>7X({&SQjb?hu$NW**^y=3KA-zB`4&Qk5SF}6VM!{+q6CUzS3u_02{ z*I^@?x=t0ir42*C9J z6b{z$fzQK5R)Saz#ud@0iml^H9Ib}DXsfcA8dlabr-?Oj9|GUucB(({im|x;$RvI% zX*SlvsJjc2$E=OfkHxnCNUJm5WEncO2>M8(Vth`Np9VYbm7F0Tj3HRtBwZ&;=PUJX@!5Tc zEze9G61k`pgP9nl{OL7ZMkUWqu25rre9M8b3S+p+PaDEvnmVHbqFpZ3DPGg<>&hT6 zfl@OUyWZ2s_?6Ef)pDr6?rADxqxg+)lg(BvZ}q(gIFy51{5U%1Z=5i<8@PkZv1XGS z@&;&AQh9c}rD;?%_9eENiVtG9aNEQSf);iQV;wIMH!+PXu(@p$*HX{<_S{upv4{J( zTvQ%l_b@@GL!AxsYq3xJ!sr`Df3?His+1BvdU$FC>2EI{d)I81M zzr0heXs3ZAiB1-XiNAmN6s|VUOG-scnJ=e_TXI& zBb_GBC0z3MEzFQPTyHn~RNho-D?N!ORe7Qw#=BCR8|7sSLEgFxjZ+*8AwIutmCn`F7*OI%1`7Fg05IN z6hUkGalzzuqv@S%_yL>O<=l#wa&V0d{QfQ`4HZyoyuBqW*&3r8d+mXv@dMbR{AB*P%jKG-eGZ@t} zuZAe!Ty7uJJC2iG!ex$qy+yaikwbO=NAi}E&T#uU7Cef!aax8@&vxp1vo_qD0Hp5P zxYyuAv|J|ND90x2VAsZVTo>FRuBNM5_U#9IqTt|%XS!a-a@Xw|9GR=*Dm)uvc3m7c zk;^9iUG$A+DF3*J!42b)afHE@EGu__Q;``a?H~MtdE+`!Dg>{qn|BAe8*iTQankT> zy^C5rk=MY;Bn8dwH8i~7=hcbV#2Mv@6C9h)7Nc>&IMxVW6LZ?|yXHlF)zNn}S@(=4u3fui zt$Uh|;es*$O=Nk+-b>; zqPO^+9w(ocY2zXqdMMAvF18*25ZB}1Zb{inU3qe0N0;=_23I{715LgAyR7f7!SXsu zZ{TWLxKP>Ssn}E9qJu^Y+Ot1he>P}#@y?Nz;h=3{KA!4%8gw*x`+#VX?m% z^Jp81K6rcw$f<$StZ-jGT00d}L!-}wK|b%2r09?(Yd?~QoBQ^2pv|n3u!hs`YnUpm zax@%QFtaiH_rLygv`?rQ_}~BfXX(nJMvv-aV~G3xuxu{Vc-(X=_YOz=xJ}OywJ5KT zdmIxxR4l-h-}ojFoygBkh7l(j&xe0lf2)#Bm1n^?j#p|BW_)?wCtqG;<2lM&yI^Nn zeL%~^g%U5ZFzQ_Do)ACo>+)SX>htYsqeh4QdKHxb-M?Q+rK*E|8@H&Kd-u$k%oHPU zpy@vAhS4D@**CeIjgR3w?2~~8ku&!EDb=JoQUjxcRAAsVFrR(RJ>uX70JX!h-euA5 zH6qRe`6kt1E(Z=aKY%kj&=3p#EWTC?{EDt8GZ`FWHL4Z4EiHvT5P1M@b9f>ryxGsdT1ps@nUwMp1cx;eb{`50(Y3 z3juuhvQ_w_tSgGM&t=;rxc&I-;=8p{`*aO^aK7DM461)Wq!>C*J27JL<1|eD4>?mq{EWj&qiuBS?(fy#9W} zwY|bz!soDlp$>wJ_gnCr*ShH>f@_2X&Pv1xlRhs};Z1iSK-hd3M3aHDAR8Y?`Hx@F^2!h3EexMB**!qbc8 zIRoX%py@Z=a-;r99*Ti~U+npmxrQO9kVPMt>{Lpasca_Pcj@`skgj7I`_p}wGI6-Q z$HM{|bxO`e_18DegPFFdx4OX89sLUBz;H<%%~&L>SRScm<`)R{cpSb|t-12nz@ZD5 zDY{A)!jZuTSD#f^-WCT)UthRZ$Vtp(rKkD2e)tlt2(K&%s~-uY;TKLw)4^>6CPU&^ zIYv}VfJ~Cak>9%sp%KQcQiUvQUJbX)1vXF9#l`5g&^IpPH87@gI2kGdO(jCZ8m$I) zs_LNST%xHV&u~10QHn~GT*_^wNbVPiz)9TJSig#)+-h|&cDGL7%@c#K0IUsH!W z^?oJ^+}!DP{~E@I^BUFJ1k%}{S>SdVd;Tym!tFv$5oA)@WJ(+@WH4Fv$>E9chQ1#d zC5jJu*KlE|LELD$3ymP$8!pk;)wEO3Cct%S{I`o<6)(|Nx}Zo9pA*qQc)OuwOy+M^ zeiYY5?4w(fKCv{%A@R&}!kJ^~Ir9K200r*~uEGk73MzbJgp=)$U`me&`gnI+&d2$i;3D8tQ8p zC}n!ptGK1{tuN7qRvUvDuD!Yc;485U8V~i_G+jjL)BZ84h~Oskr!Mi6oG9@4p)EfQ)Qlgm z=UFArR@n$#L>G!&5i}=^S4pbr+*S8ca8@qm-ot*YKyC|umwzyM5^O$vxp|O2p)7+l z?Odzhd^S#OxU>jLr9&o;n~FvY5gqcr9s|Y3?ek8S#7^}x`YtdGMR<|ML$!DtE{Up~ z94vV}j_&Li(tXND;^ zov^*sg1W%W*YRr;fy3Lev*M`_R;~Bh zZsF4OBLo$;$KcW(e08z~mD))=q;2BH!M)Iglf-{oqm-uDza8spZkUD^7pAk2y(3QDWH1VjZT+^)Frh?Y@S( zTa6WNjO7(vt;Ua2L~fO>cr~ z*s|?l6_AG?`TJ<->G>p@YA9??a;cxNLED~*X%e=-?Tl#k7%diD@5$C2Nx}ED_uF_) zdiI#Y$-s-;H7YDOc^-Hh-N%ba?afLd*Wx-RVYoK&C|QJ3I=K|4AX(hZIB!Y1e~y=l zy1-lzb55r5A{6!ZzZ-Xjok22~^+tf$=lfXXQbk)P9e3KXWuH7X2HwW&+55{?L&p(jY9Kk{7y5!!VA<~8c-gMTOY@wm`*TcIAlkYaeV^JmERdd z+XXM`i}B-CuqkX$O9%T+XY*kKD4CsvH98F(T+jL=K825Et=7>%{(Uz7G@T4s#sBCu zekoVmX<(R4DL&WH6g`f@^_GCt$Bkbc%1#rLdTJ5NB#N=|(+&T*0>`3$#wNod$B{AS z`$v>K@`L3@&wQF<)iji4!9nm6Qw6uchZpdMP7AZ34g-asLw&!NhW7Hzr_qq^1NxYND{g~M2j?>{*=`+7Om<9_6-Gp-gB^x>_{<+pq-pZuCZ-C1 zSIHNjs)v!bHU)|Jx_(O1<$_vHF9@UL9!hbt_ z69nWZ$4K53N34SM_>QJT@ib*HoJ^*tcwargHO=H`O2L-#_oL>PMLcYCI^HChvynk9 zJ0_ktC+1z!(@Xhqc#Sh1hU-3}hm}T+0ow6!-$1B_#5t}XcxL%zy! zjzjD=ak2?`a^0qbkwj%^N4MQSZ|MDq7BT;&r?NWhb}>&GwyC>a9Et|D++0Xw3BRMz zk0!#(sb&Xsd)UFbKyP;YI9PXoUZ=Fn z^7fLG=xewLOE0a%TTJfx2@ce6>SARPjGdsG+2UIO9$R-f_nhFq^hh3t#*e+x%$rwl zTeE><>X_V*n|!WhGnxoNfrII1=Dy@~G`_e1}VYfhX2H`{$&ajKevW(T+2 zVg9Z6P=t6W1f7d@o6rTipUi@qD7R@g;YS$UeH;et zpr`3YMt-5;rs0bkTPQicW)Hg_KGD3&2h-FT3-4zWq4_YI8&r&DUsL|7sc0lg3%lLi zq6@#Oa5{O5_ci1f=PN?_1gwGKU{T6VJ(bz5ki&fv?&BYEqTDp5gBxH7Y=Q9C(><+5 zv5Op>44x0i`7pPkt(ROD9W3hbNT!FCI`?t8WBew^qcgA$(b>=n8vZUWW*T5PJGW6N zL&_&RjqWvY4EqFu<4z1cd|AcG>(^`GxXK0BVy}sD{Ls|vwJ@IQ=8iB%l`Y# zqv1dJfj6!^oF*0Pgxl9uxZR0nvaNKMb zu9ZT~T*%^z?VXmE)xx9~7c7v~!idyAVj{pzhyzE{a**cuKiaNlxltuczY43Kx)EiE ze$Zdc3KFm=>&I6}a=CWc!ZuNoa3jfO_o}z^4n40itKRjS^a}t>K(xQiD@+~`kO_P# z*%h;>TNO9*Bq+%|d49h09b7ds3b%pJuYj>9mO05~+B5^hEL@lKOScTA?zeGxcoOuh^yMgUesyM zHj-ChiVS;bOtc}lepp4d_WK{-gndl+b|NCxSMcJ&r{S``G1(2<=uJ{?^2zKgSTrlq z4xs_0Twf+Gn1KC zzC}8KgEkKBf0hk{X2o^@js*=AjemaQUG(nhq}lf?(!SEQ`c=w94LUeJo4S+7ok0xC z8QQpHzYRLLtG8#*D3J2STl^SK7k`vbQH}u1=jvmO{q!Z+E)$}E8NMlAECU5_Drbxq z>s~TWYjFe0pl=2a4g=-QkodWFxjA$!#hj!yghWOnoM@*9pMB&e z9EYnF|MWH$lQ}=wG!r!%3XX^PaPLz(3A5XkQ%pt!7e$}2wTvc)5nCgEjr!p)KkNCa zMURi+L;n4Y7RF*;-Hh{l&}ieZM9l#-RMnZMFL$GjAtv?iBA0;o)vfC#B&fw$T=0=5 z)-jk-5%OIxe zxO*w=ZuBwtGI~=3+kbZK&!45VbA{EyP{6~KYieTSfbTJfU-a75)Sk`lYe5ZEw;RJ& z+ZoQbVc|mVZ{r!>Ne;et&N(CwzBa&TG8?#|>(F1*MLka7G=%`ZR)%4`dwAaXTZ#H3 zC0R~MSjA0cHgRN@Y^Q|ooRPJlT57Y+KAJ~2b&SVPqUpN?6fSjFO{8#<2sArQ1!c+^ z8_863b#u3mAq7ALXT$7Z-Tm>lKQtfif}1z_tBH)59Zcvo-<_b-a#9eCLL@k8=6$});8YP+JA=<5e@I6RULfor|lNE{4r-z;}SZ?xmLcvKD; z%cqe~g_(wag-=C6{!SbF4}OBQ+HgaLnwLx;A9v4`!6>b>!n@3%NB+7*sPJ&~($=!C zLDOMWl>k-seExeYpWs}$r)l9>aZWa7C4JD9%V}Xl%)7qR7T4umx9Q;YpLfYFHN&zl zZe~+!!IB~{?{aoIDxT-y>x)fiHb1P{P}ag-S5CMqOi?n*BChb`BX*^9C9^h`BkB}M z@#R`Xda~+zzPp-e!|B4ar79HGQQS}{cg{Mve;%;RSjWL2gFg@cc28|m9PUtW>8yMe zbu7u^s*K6;6-h$-a%WhxY36(WANtRD#VmJN_|AjHUWzPI97DiE?IfIRJ9gOdEP{;sh}zP&Mg82rm$ML%k?m?@Kk2R zZ56t_HauV{`ZU~{p0F&rL{D*7p79lXm_Vl{l4|v^emG%hSv`E1&Uw*3ZaQ=7$$eb0 z|5=(nOF=?u%&w-I;YwDKWenhF%BsDt)_#283V**3%A^kR?_s!vAccot7~3R}D!Z$e zqFrW^+8CANqEdLovaquY8mVz18>jQQHKMukeYm@r3&U}}*om*~U~Iz~@k_gbTNGin zYqu0>m*qU>hF|iMrHW0vg)@T2CM4<{@4C!*WVi59<^Ra~LYK~st#=d*&D)wDlq7?p zOh4Y=f_2%Dt(&8RnNz$yDcJ|j4Ee!Jxjc$Yf!)Eeg@Bu}ekgr_uA-BcF?YRUAP%%a zl&szRa9xVs!}P<@MY9LE&~3t1!+oSVaS+@R(Xyhq6`#n&9gvJLW{agQKbZBQJ_lxl z%@l-1_@G#dPQNLIGrvcw%|&HfxaQ!`1HWbXx68Re3JbXmR=1r# z-o*iR8l(7W^7j8x&0cdy7zg`pE#t9C*XyVvs*24~m=R}mgQf{^(6f|{cW-iq=;)YG z2BMc89Y=hIa|T4|8iG|*tj9pGJK_O_qh&`9%W8RA;#jRwxpoIYTBLxBb{OgAeUk^2jBv6hNO zqVD3=8w%C4b)-^+clj4~6dNlHw`oV{vfkoi10466(;_~G+q9PZrjWrsmXL9vH@es$ zLOM!U5$&J$w)93{Vb`ktY%YtlJ!eHt_zXChp#;e44MjIpWBnKhEA843;)mzlXZJTR z|49(S+-=tzCeHCt$FoZNC2`#tW)LVEY|>eKJgl|5!&4+T-=LqPf*$e*Fx(y<-9384 z!u%%33?tPZ2KzK&DSS&C$Iu+^+}uaePw7E6W^wvB3{B@36ExaC4V=}RP3$R3T|2~< zYxHFbQls2pe0kkV&N-i4k)ny$Q8k1^A_^tB3P|1M^^~FzPQ6dk;?~K0HXZTxjuTwW z^}qh-nTqSuOt8fNR_uP77yp3u`YHVdmn9N7;SA6W80+P~iQ^P@Dc=)UvLYk_oDuZn z`x47um>-Xa%G*K3vkceKgE$fg`?DqfF?7A5 zTW9G=kA(N~KHR?3jg_OF`Ebk(k+QE8BQd!Y*1XLYK25)&!CIKVb7C{%6x|c2>rTEr znr&S7I6Ax?*7-mMO6^mItlsS4i}8GHB%h|QXxax1sAiX8^;&T>_;8G+Im6;@_OM>& z4iObPY6bhNyIoyY7pvF7HusTQTQuGhmLE`D%O}GL!n1yk0)d}dG*P6= zNE+|?_p}C4oLgNj9i#dku0NeP62xdHu^vexEv;A~aMH>gK= zLlF1X+d8h$m_Pe#Qc>$*OOPKzoE2i2#s}49jCjM)1h`n2I0>fPK>Oyu zaD`Lehu9h$dGqO5^XRud@z;G;G<{BH!Vu29>5Oa7$;}ty76Pg}nFJF`drbTH-~T~@ z(P+!n)&*aUfB*fzMOmD^c;@z)|HReMrYICIt;3l`1UkRD{vSfIZCk;sG?^|nXJ$;8 zT@1(iBc!`m8P>#hD&YS2pZ`^g6X+eB?>~bIh^Uuw0cbQAI)vt`N$+C1OMA*{Lgl)GvH!&7 zqbpi*7#r%GcP#X%@t1YO!XT=-Xp5HICvkmDoOSRHTa6uFLOI||9ZiL^qMH_+;H(eC zuvv^lFgnBej64*WP*sHq5(e5UI>S)tN;E*XvE^s1{FekKRK@RzkV`&?B0&O#(o`8h#fh=y8l+{4X&W7BBXTheU!@jt z{FcA*-^C;u$tWTzSt0LE3%AFPY$eU=D4HR$Al`?C3*xP|6mJnlaUHU7s`)sm1dEGx zW*egm%l6!>iB^7&w;bsD%=!Z{kY)4(A% zbK%_@GyBrYjhRjp7gK%D@vwXtX5RnCU*&}#lX7IV)5PfXf>!Y8VdgwGdZ(oTwPX5r zz0<}nA--8UisFh7q=Y(c8-v%z#*ka0g7jC-8!bdpY#S0qluzvz#o#R zcc~Gw6D6U}9{KUBe;G#F^k4rF1)#dVNIp0?n2VwN6RHa zp{jzMH0Nnt%lE_fuW3*D_#xVE168-uWJ*OBi`0c5`P-iXcHn6r$S;W@-WT)e@bFv< zHzGmYJCPg9PZXKun$kHO_)U@Dbfp$N$vjY%FO!361-tNRE14-Ih4u8*(?*6_|IRpH z?p@bVtLdE%Hg3*RZ`}sm{*S@-iEm0(Gg2;(b0A}ukeO9?vjQ5UP%T{?%R7O0?DX-E z&^O$_*NCk6*xd7L`Mofara78kdzX?0O5-tW)e+c4 zoh%Je;&hjcq^Z?CX&|nCMgjMjw%QIKPUcl?)>d$kib+lJV0WqK<3g3E=bL=$1RvM(&>r*Rr*-Z6%o8lzZC~<)Nmz-leho zETb(%)ksdwAW7tk+Vp0gJk^}J)|IVE!57WuZ+0^#o3Wgzq1kab%rv=Epxs;zm*RMg zbB;E_ec-?5Jus8un2zht*4(MA5czm$PB?tu?&F|LR4RRR12-(#(d~RuY%lr9FdX8M zG63?XwlK!5zRHt}V3Uqt?lLES(cX&7;i$LLKC>0&W^C>*-Knf=Y~0(UCNtJ?um>{< z-nbc6jKr{RD-QgP89r&$sg~Oh)VL**i|zGp1BWoEp~53qp~YB?yc*AzwF4=*`(T)0A2;p#AElZ%@V@(BS(2t)2?mfgCA$rRt za5;N)|LkwHmvylb82gPXO1)>{h+XbDr1?4Na<9x|V^hi=mt6xv3cftZ%=K(+PTz)m z3KQfiw%^2HB<503@tEahQ}J5wH!-yvR1y6a#$j0gJ`N8X`H1utyni)1rLQYGlb_bN z{SMC8{Rx`O>-{cHP@i9kt@r!APZU1&2bkl=m|Z8O8s2oYNVUh!axQ(s0q#_m0Gg8A z*WKZ{RK!(zb%wFJ-;(B48Lp)CwHRgvkZTkA7S1$R8iwh8yMbxOgOUI0uS=|zg)TTMwF;6zCJov-+TgiwGs{ zKWO8Q%x9?0K^voBvk0hnczN}=Nf+^WQ$nX#cN(7&H*VR_= z(^l}mD}2F$jjsy=S+h92FTJR$@$>s@K=kXY(i%FLOf&}tP&p<2Vf9rt??-<$e-ERH zz1WN#Yem3#zLkSx#!7ohcC%kFF+31WR>F9Yc`J^&z% zFhX-7i~y?fcFZP@1A=&^*;H|DeB6{Y6<*-*Qu|>{EN&Xru}A7=>k~a6xD*C#8!P`! z;-W1;CT1J=5+ek%XHEG99+RpKif4VMD}`=$FkkMci`&d@^Rp_!R5To`+f;pAn|EVR z=G*}acENhRdwBLA_uAvX{uygQWb_1pt(nq+`#yf7mIpW1B07zI+HaqD+RX!sK`x@;eDC= z;Y*O>o#mNYn22F`2$SGR!scGw6*%+GTDW2(harz_!@6+ilDGU9)ue4qb5L{iSsQPO z+TjXd2-pQW2I(S^4(4ZVv0><*8fEo{l%biQm~%w0KCWwO3Dq zTHbw0EV4f;(G}Li*c1CL?Sq?TkxMT>z&GXRi)WajAY(q``!Sp#C-O21zf@p*jNy#k zEb!NS2^hsg|4R2$&SO}K@pnVVdKluZwuXXk9Y~1@v(KAYCir#1S z85!naV0hi`bu0yP^fdjcZZ)uGAcn@J>j~zZ)l`%bRo{*eKkb=$Ki~O#X5CT~`V4#( ziC@-g;_@WE#|f#jf7d2SM{I-pKzuqu6mwD4{EoJX+gp!ZVzH#MzL%fTYl&Q0x47ke zatX#kcy$E$;!DNq;6gcAJ8gAvu;O!sJ5~=fFL^=uGt%rAfFM?J!sqp5wf&+iYtipO zjd>MrGLU02oZ*ZuX~=8(&#gh>DUp|x=lXq>_J?ZgpEJPe zuBPoX!1b|bTxiY!=eXDLSI%zYh|X6LdU9ABv+WGyH7SNwQK?<6z~I6-`_Vp@fQXO7 zowoe-JI?vtq(vbK9Nb;ZS>BmjV)zLJ$xu{u|a?7)! zbA-#|;s^TDiTgDaAI4GlUk{nc{CKSAuk05Z0>{zPRq{aJT19iHo;4Z+UL@r3t{zlu z#kn{x49#}yhvZRw7Mf7kt7!A|8uLb`>QBTJYFE=s4g(@StYk;iz7-Y3x6$>kP7NsD z<$N?n;&}J+5(%v<4#UO_*18Pm@2sSu{Mcc*OzSoxk0Yg>vi_0OwXubN%Qdey;4SLz z`e#Cu!9S7qxi}RTE`lG?cBs06^<8FL*hx5TDLM|$4xJhlaTq7qPxvCaNOHkMfX3fm_zB#!=gCe?e?*%X*9y!E{+Ee>G4%%H@H1T3wBYX zkoOAGp1zn5Emh;0+rv5NA{F)}P1X-l12&#Gw+h5SSSsZ96-=hQ`|3^p=_Up$@pha7 zlD60Dir0?wT;T$NJ9J0Ps>}*WD4dqV z4m?syH!3xrwWx$U#L=3?zBnXnUxf@$K23Qm*=DMI+;3$}}(HsZQxv$=D!&O35rfDpW+v-5aTa-THoe zT!s40LVNBQ*L$cM_>b|{j<^yR-JRArV9SpOj z<6JOHUYiV9lEDdXf6RtcdHRK0&1|)Cp1S#Xo2?FxlQcRPW~+;5nykfDvf2JA3-oY- z&}n1QY}qXZ9x?qK0XmOA{Qd$+lImeI`lKIE;y658rU^(ZW>F0Q_y9g9?MqW{nQ)3x z(8knt+!xq~;vUn{c+5d}wb}NUCeFBp z>&~zSaC98z|GmrNCAUnQ*}hCNB;gVMo4lB9lpoXGc8@+*$|;~SujjY3kbKnHbQD}4 zo3YJy3sYV+tYo``f0cCEwmZ1|RX#3-gd!Fv4{cxon{RBYO=i=aC@S5?n{6S~#X|2W zuQ1y^j8omr9ci`)xZkBLWIg7rL-OY~_c1Tr+*Ib?!ii&-zW$!m#|dh@{vp=CX=EmG z+|O{v#oV@38l6*02;9Kp@$0lORL0*4SKFx&8Q=b~pVPSMr(Bj}VldnDVZCS=j7@OH zjCK_0dpvv2<2&At6VT-#-IBE;{Tc%+sB=D}tEjkERxO#G9_~B+o~4hRTtJL8hz4?} zj}3!UuN@fJAIW1_yk=ea$&!WHVFuJRi@W3>KJ5p#nx9)~Co?Ah{TE!;=CPljwZox9pBbT38jDYIka#=-eC2*$SN~s z7EO2ZqVGwvv4+E~)6yI+*u!>(eoe_W8{IXVXx0zwk!b z$IXr-y={3!uFOrzBVeG;<~Whj!AWS|IQW<)+r~9DaN91*`kE?`^?)q1!?i3`3<=uU z=;HP!FUgXe^YmEAwW(`!L*eu9!%pKki+&`<^L^YRc^(&@X_y$Q11!h@hgHrn3V1Ix zPPc8M_4b$-m+mEl;aac;Z_i*j6c^5Jj(i~^dHbHIx9&F?7XH0wn5c$>*NE*Nl9b0C zkvDC)3Iv2i-io9XFGX9?@Dx4#FoxM};bU{g>UMPu2y(_`b#(=CNPU&NZCo$*emZ2c z+rgR`8_8V*GuvFn$@3$BsdRG{eA*<7LvzbylP~ZjevO+L(#>uc`%azU=#zq-)$QXn z=~=JSnz$?}cuLd9IBsmpEdo9cJcKhgA2ZRN;7{ZDZkj$v+~$|oo+M5-gJ@2)eu!85 zi=#AS?Nz#yP-yFP>Vh_)7vcKkUHZoBqCRnB?;)Ry6LSmijW3HKn=GnthK_^7W+FR8 z{xGyLM(HjgcYv%KGHWzmG8}J{0(~`?#YM_|FY!w_Sf{U}=tr!m)5u4{Jug2=8$=op zmWj{f;4bqWms1%yiy)l)Y*bU!B#qIJqUV=iq#-%cF)eFlv*Gj*Zyc!D=+!k;(T+Tm z!LnLOkrplj_0)83`Qgn%3tld@-x?{0RG3WsnGy#*z3k~v%^qLae!CRLEhbI3kb=ok zpzwW4Yp#GaH<;(L@tq2=L$WGLIL#lqC~aJ|-t@7qflFip+Mw}|630k@7$iYl zfS|Vn@{B}PB%&Ofy%q*jZTQ5VjxoE~+*$aOY1v6ZPh(!RTtWU!;@7I5*V8e6?b*b{ zX0MH{jW7OkaX>_@dKNu}X`>)CB{>D?t{==s%%8grVE816;nZQ~sb^rUfOYbGx7%m~ z$y)6xh%}pvTFhP-n_N6W$1`=>t)IgV3IX(b6izAyGJCx~=JsgVZ+#s6pouJUioF5u zG@NG9eV(hWS%y7^iALuBxO@zwa|Jx3$ivAc=yg!qtv!aTxvrx1U9xqZpl)~dEQPIi zED-nH$#CSei8Ailvv3yVOwYIHbnzrbr1ki(S0w0r4psta@3|jsCO7*noCbzv8T}Ua zwHNC>VyN`Ij-#zET?vtVyWdNy9j<&wEbdV+}}S=}Nzip|gA^ z{8PFn`UVa|&aS5J#Q#dGHwl?7amh(HWZ%GfYf$slR}^}1oMV2i$vBVoRqbNN8fXe71#au3==aZ)41mbKYqy zh$-soz3(XUlBc66eHYhi?tdXUXU`F5_x>v=h1~b*BeR7|-wRZfar!e^KjymPL?qi( z@NO&yyH)|hi;h;E_T#s!C0bU&<%OnqLICcmkT z%>moDCfYPh_I-$lvWHKHzKYM4z5vtgVovjb+{^E2CTnGBzIqrcv1xkym?g2a0~p7) zA#*h(`yD~ z<*S`Ow)u8z5=kD8>G9S6c$cy+?ly0lWe*n|H9S6O;Wa!q9o_C|r^mH=Z)tJ|Edy`j z!#K-m&DTefpOuHyaX(AbFHtmgzpvnO&{1Guo{z&zhryg@^mI3Uol zVf>GF_w%mU1Wd=Je=L}Ddcm^WRJggBj+v4}@=Krh_rR*03D#Di z=V7odlPP@4ao}CtMBArmNBWcOI5I--HhE8K@}tbM2}w5A!v%-O3f7}7+>BLJE>aIC zN`QyW6i7*DMtK;+A*T~o8dFp)H(UYCQ5Xp;nw5BUG1}ed==R4mWpPbdO?6oFpk>Sm?OulJ;8lpg)Wnq%2hC^W4m=t}VIv(Xr=n!(rv>XMkRJx9T(V>a= z33P3rL9Y#<0G@&=u2LFz;gdN<7VEeknilt*i{IWfUmotOzjAK0*;CqBbSD2~yM-;p z6H3l*;i%Cpe#x8At8Y_4oQ30yc}!M$cK;;(PP_e4Dl`(snf$B8n0;*!>EgiV$1P^N zhj~PlI47oU;!Smi9$Pb!93wdAbD5%9hmC_pnOM`tG!83V zRw>0}Tln&KSrBTL8-xvFHeUP2(tq2w6*0x=j??pgdfDBr3cYK)7|77RDS}dts+3N> z=baWVlg%$6UP;=>2gXHlolG;*mFcuGYD=!KbKI(%WV7Q)iDer^A>XmFahty6%@dWp zORb#C>8MH+4(6^BhRt-07TkE8hg{cn@gjB%Y?8B|Nfv2SnyiC0+x*Rjq6F>qL20B{jpZ*|!g89KB9(Hi zcbP1vBmaxf6j-XlcsMJ3ZZy`haC?76>0A^_=Tmsa{1KZt#nEI^P5s$X)dg{uqifa>J!u4-#)m~3By_rX@OHYO z1E4DCb2~Vc9i;1D5@d63r){Go2XB-vJGYCIf#WoJ-fVfFeRaCKxC!r!bL)1oG4o}y zbVnNdXBTlcNsSF_O2h3bs9Bz)-&OoD>DTsgflLk=%@GOefZz=Q8{yaVacL0V1SYOu zVc}9RkmXdpYvL4wKk>&>6g#+_mvC&RJHStrCk!Xg#4xUtud^B>Ns_~Je3tBP zZ-5CT+|@RI6YEK(bz#nXa<`s^H_4L54&r-lbh*7Oca@DRYi%;^IFNJ>8Agul9)rw( z=8b#B{qDKAE34@P6#?+m`;4_(xaz?1hknRLn)~;{pN-u~*id=N2f!_fXAXcXB+ncG zBU_$10MsMr3}ClfxVgW+Wb`=3wP_Ab+btbunHO0SSCS-w&kD)50)^i%0T?Tv*v4_V z`I5hE|E{QLxrwwqa2RLzNuDB#%As5Zclq-s*%VJ2xSe(uuhQ+IIpkobiD6EX#XYrT zm98%C_CA%EZXhA-GM5de(Oc4Rk%&sgZuM|me8966e6HSvYmX!p3{g36DS6FglJNfN zLZ**PNKYSiyTx#uPtHJ^ziw2%&hoH|ZR*vuTMq6Ae^;!TM#88#?ho1r`C?vZ&%cK5 z_4N^V+tzgj!tZWRyD{ZZCE5*nNYw@jaeeeQRw~WqZ6wl$%j0n~ZYVggLblZETU|GB^7b{kc!>V_ zQ%wHYdKZ`0ZfFN&H1}NLmCxgj1Kuf^AK0 zG8o{3xW!~RpDwl8bji8q7qi*uwpw6h>kKD9tK}ZH?qIaQrZsjPOl3ApruSQ(q$np{ zhQ7(gaU7PuEego0eXhR~qbQ_n(wmV#6R%wXIXst!%F3QQuJ|C_Qsb0E0m*sZTmpxy zkKvc;?sr}$Cs3>$;O76ltPFM%tMF0FFU&A`u12t`--V-5S)7BSXxC{LM-3{BgikUi zPao2)*f}6zZdJ#^>4$X1BiRmT2HoWH5}tQ1jH94#U{5uF61qdq%Htf)f+!0wThE`k zIivPh9u5&j;N>7hfY%KexAhr>2aw|;a;(gu_%u`z&Mu37CR_1w7pE6byY*ZgzU+*e zCX&b2dB{D}{jNy!Na5@$StTzo9L!uk&>qeWY>vlf&aPjN)x`o*d+i5#nB^Kp%t#3L z+Xg$HmB|Zu3#6HfKJsv6rAcLaxTcNM2xRFvC2s-R)1U7o z+!@G+O~c_%D`(8O`B;}}<49><>aY^30UNWndKibGPEw1M+QuE}3{ zKGv?TWFw1YPcsaT=}^2jXMW3%7+|`rlOHj_S?-2C+E%1}>|m~ayIOp^nl5N&gU}CY zl50jso3Zy7JKAjv*WUp1sO?~Wl<;dfm+laH7#AbD_GH=&CU3VrrigDpM{7R!)l=Hh zaod_YSWBWftX1rpaCpJPhgQ0+!WCCPq=OI3m*^#0mk?S9-6Jx8kvPsF z8h6%)7Ed9nfIP$tr_;r$DQ{B2M!Bu7V@DNwIDK1odfn3@5VFd)dy^oGp5ko#TWK70 z`gn4~h~|Tj^vALR+LlBO3~Am78cQNLm^^2`BeAg*LMD#t9t!juA;gnPy*UypT(pWd&M2bjA!gT}<9erIGA3=hW?f}7ythVuemOD1c#h3o%j$pu~V z(MsHH-4<@P8vj3QSC-s5l3llgulB2mk}M7w_?bw66ib|%r1YNjhbKW2S`;9Ipq^Me z@Fx7_1$Y7ev%MZ~!S{kBCgLO^l_R>kt0VHJz#MMg@f`0dEU%cmiKDj?h}-mXkWb~n zo%jMqwA5R;_wtkjqqi{a-FUWJ^?WQwDr~SxdJCJF$5{cri@pC6bPy9h*BA2B9JsM+ z=(@C&Evwzp76~Z`FMe2S-|2z|2O!sM7DLh6DsDs?9-B|n=Ru6VU7lb4R<)0HL)n3x z+InT!jOs5j6*fjqg|E~tMV|_LR+?C^{nwwXYScxy@TdMEmt==CC+>Y-MJaU!dUgZj zUl;gTG{%UcS#Z3(mcfE06t||Zn-c5gx5K-WlinO=GA?jQ`>r~)zMH;g#d}m^(HU(_ z3-*Uc7gLi#e7^~jZ_G+srF@k}2h)U~sQi>h7o*!R0w(_{W*dzzh6Du#Ek+kNH8k0T zF0M~GeY=gWgJb-E1m4-w&+4(#!8k;+kZDwT>B~h?K+)g4H}_^6ay}G=k?Az>U*7cS%+dj-f$Ij9JKcc7r70@S}FMAxoM( z|HsECKmMP1&;b*{P~eO0jgb4)SPlH7NI*@3II3M2 z$svmpM^|bKqYQx~`k6+!^5di?@mf5HHqHb};kXm&rqC6GiMF_9I`%~|{cG5`BKZ$L zBpd!v*j&);607M32BzUEs74MzZiDG$z}4o*Rp!|={Vv|waGf%p77uJ615GZ)k`1bQ zm~xWDD&oeYoBqaTR8higDbh-fO=z=)0|fmjP6AS+$nS-F~B9FRpnsVi|kjJGZHJLU_gWAw)chKp%nj=R6Gh$c<~ zrCsd5*ic`1k3PL@vpC|?`ZfCiJ3Ic!bTmzD;~t`zx0}ZbrWHM(v|`7-cZKh?6s8mi z)|mpAJ_q|3J9wu@vmk&A=tr{!{WF|!diVG9;-`Hnd}<1uH~0(NY2!>YI>|0B!#@$_ zHeK9`srcmzx3$KXu`V#;b=rSdliITsxFKJSc3KzMTD|l?ynS3gcQ36ATxQka1+-ci znsea4CjN_3OA;<9&iQvgT)%M8cyRdF64<7+6!gnY zDkY5y+1`C=(lJr@y*)fg31lj&85jgYVTTjwcevhR0D|eXrg53#ikw z*TL;F@M-HQNN7%&IlT_H^}j%TD0^MpA>@YdyQ;I99|v#GbZJ)W;z91|CT{7E-fOF6 z%Rk1z#Al<;eej^A0Hm1_-7_&kO)h9>&z4<4K9xh|`K33!d zdvVDG?b)BVDSI}K^^neaDfU?S`}+TTFUrIvril3r>YnVm*jQ3l`-%%(fPk%a(NFD-=k>wzs|KBzKj2JCp4wARIo;2}ILj?Xln<>)@#fAfJhKagEZ< z_v5q{U)tjn z7d?T?tC&I3PZ62Q`bgL~fOW9eN8Wm}`RT8ficQ#(SM<+s+Hx)&Mg*=Tl7xd%2teXXxOhLR;EhuB71(B{ zolm=k`jX6ay!g8(c@2xFi&czA3b<6q4E z&|iD&auf25tZ~M4Ts(y5n*E#~LtDovHKQOUc2;6sNZYW!0;el&6NkFT?$RBloZ5Ml zsBK|@;Oj6*y~Kiw;lKEMCfmb0G!MN7FME3gLu=(pRi7C7Z)X5KL(*1ZHB~g&BP8!&u4yAmFBhk z82#3c)^*HZQYutMlU_U7##z3vM)+hKSDwkyl1s+^X~a~O=exjbCfC9JL=AMU?C7}T zItn?3lM=8Lng`{d+$1~q8SRnoX8B^vE_PPGyfj@KbH9H%S}k>4V14(zVH0>p&c)_c zjiDiR9CI1O-rF;&-3s@Mlm;$583#%1EfO!TYU=zi8W@rBDti8NQ$YJZ{#+CHz}*a& zi}Cb04^F=PXFAczWrZs;VMDdN@bFJCAdcTauo z1(k~K8}SjWtNOICeG(T{o+|f}u7xdu??Ss3(__P{Xzj^9F2cJE&K_4=-V?uY{}X5k z$Ud&zth*(BTs2E3`&^8*@lejE8iRWdrMt)labT^1vFTjkht z?9H0H$=3*($!XcRb+Hjifpj`Jg-u+F%onI1rLu*BjN1bu1h#v!l)9qqicP$NQ;$+h@*yJ63E? z4`(Hl`=I2XJ2vLXfR2@8;|jJc{xk5yz)SWRf#p?`3J|ddS4Cow=vf@ybDQqpw1LMp z@zp?&n|z_!);@TqXv8Dws93IfIMAt?McP zdr9~Cui8yYVocVpeUnRJJfH@Ceg6U%``Z3JC*h0IOE384m3Y}?zlE75M*~`}FiQNF ze6$14wzGr3E48a-a&62jfdgE99g`|5qznwc^*Nl!zKKh1ngo!@gjbZ`lDdCj|LbWF z9Qu@kKpeVeG{;{DPhpBuR^Bj6ewq|c_Irxh-)Xf-;_#G`WxTjul(K+*fjgKV*ldk+ z>!dHO)9omWP52Od+p4!)TO-nUa6c~n&b}aGjY!eFb*b$*r_6E)?}1Cn_*l7=vb@3rSLnYCToO8cX7HH@+T?7=y9oH7 zk*_VD1MQCf`4NNw&!m9cU-=NJAmBOVm*pkrBWSPA<^vnQB0L+0uW(lZyD!<$zM`zj zU%mSY8YY|bBc?sjJY9DwtWxeL#W^C=oo59KxU;Zb*C zasO!&Y{E{*)1|1o!#g4TVEV~3^L_7mj4HQ~Br&>KiXB6`_W%a58;=vuL&q&5+82dz zxGwP@AG!bf;IZbx!JQ=35_14=K#;%hf!ynR{&55PlYZi#F;;7O_+E~t!G_lTJ;$f_ zne3unUA5G+T-$C&%=;sT-^D}|q%Qor`%s!i0c7&-(QSCp{-!ZA2T1$vCV>XT@g2eI z@Y$+0`=Z@aumzren%ZrQ7*}GzrJ)_Hy7GW87k%!4VExjn*O>h@Wmf?dq^fRUQS9c; z;^@f_x8>9>iRd_9Q`w}pfuYLMUJ2IE)gNOhaxu`(Zkrf(K*h<)9Lu<1_m3)hSxHdf z!}^_!(KKGaYc5S$YS{$)-~asA>dzI}s5x$Nwl6vtI*ukZY9-(~6f}*D3hdB%tLoQI z2V0Bp0m5ZGI&htifYa1B8j?&`(e!a_k9Blh8^nI)_u<^#JD3aY+hjNy*wf#tH@c(a zaz{`E&q6rQQR_If$S1nhfL5u=SJ>0$R{;w}fS zm}f%;j)0uds2z#1AkZ0baDn|EB=^Q!t^BRlzbm>l9Y-owW&NgkaS}WRDSdm8wFBS# zl`L$*JnpzSIKH^L)vm9~AsLpi;eklA`_535*Qc+@Ssx$xt^%@X;fFz5(0|Af zr-`4dXv_4)XWFf|%8p%E#{?)R4tZC{{=q9V<~{}q*Gl|Or?n`A3*O~&2gm0Zy|u26 zn*!>OV^{CO54#m|dTke}BZ?}fYhZGNua@BPthn~)R2>{in>e6$GDBiBiB@w|D;|!G z*akhaG(iv3U`@yK=|sD9#b|jc1wFvWXG&lO*F&emJo*{M(Y>lQnY^A>8x0 z)6w_qEnKK~8PWGAr8{Ow<22V6 za_CN$!#*9M#rf=9k`+5oZ(T@r!BZ&84I0;j(mXxf ztK!hbS&;o%v40JLlV^1i5W}`{#ALqAhDrP|cf1t#`A|k$7q2y3+z8IhNpyuJvvK_k z@A_V)AKmGFsI~M!7_Oov689IAU>~zPH!y3=3yfJ>KtCIdMe%M37cuF8yRr1Qd)Qc#o7Y#GYEAD6cSfiE zC%Ie)F5KLIk5=zR3&-r?(ux$&AzJM%J60^@^>X@QPgqk)HJCOgL_V^wO$S?6I2vv` zxckZp-d5*l!|>@`yQKd_@p=d9T2y`{ub?2Sec4SHCq!ZWf~lw*yz?Hs*weTR-h1-P zw_eeFT?yn_7dTBc^4473%h}@n0m(khYAHb5qA-e~MzUHM{C0S@-tL}+Y;*^gn#0>` zbrhtH)dOT1xX4mIucDal`i@>YldvwZF`uLgJ-w8_NHUY@Vdj?xO3dov1lDNa=EHEj z^KSc=M4S}Q2HQBE15~kPD{#5(QR#|UHcmL^1$I3$-|;dE_6+l(pVUPWve^{;N>B~;S{S`* zNd{|F7>Kd=76DEEO1g?JiSNDUpIh!1%jW9fyd%8&JsqEfM!}t)j)No3CNMBw(Z~yb zMqFfF%f?2sW(TwTX7#Qw+h0+fJZIK z5@-0xZ62`p;C zo{cZ>U~)-E|1n9ki^GsfruO9lM~b75dyZ@Ln`mKlsafzI6 z!LO?i&x;OLc&Weah^cldhO~J5T*1+G5?w`CcpSVj4RQI$cMbT00Mkr#v9aCYaTW?9 zO03p}f$7PAcyGz(wX&&Z8(-vb$I7$s3s_erF+53KyKgFiS&=LJjyxJ$o2)Xq@uP6e zs)t)x7^w;sJP3h1;=i7Y5&{!dDmGFmI5YMQYRRra?S;c|Y+02;Aoo$RBb_FcctT*9 zaa+YF6{2u(m6CY(wqEHsy4WSV@!}xu`pgFRagR-=KW>9J@--hhPrTn;W$wdn;hYOJ zTkID0Nx?$eZCpKAe^=}_1|U#Bm3A8!LfmaXsyM^7y4vn29_ke{)@qBlbL~$p$^cqe zNRc+SSKf=SU0)Rk&L~xr^C&c!Al(djB1Vb z((lD|GuNEn7xtov2DFob*3r%M$8bSQmBZPh*rUJ_P;rbHtEsdQ7+)uf zK8gcR^1}>#|K+U$mr#v$@kF?+W%f=Uc~pOmbc_j~(FO!*ln-X;j`mI{V6DgEM~z4q z_m5*Or{fIs*WW^0cj2eZH+1WZFP3d75`wVAIG4sT;ltWb{O~E>1ZizbG0r+IS?P8U z^8r-iUbbyvuwikN;?*G!_|*&ldEc8`fZM9ezt|2Ai#t*H^u%_@ zh}3aS&0pozIR-qa?)`JLPTlo&+U`rY7VJR!}~qVgEzbzF8Rhd)5CCiftiHlGuMZ1Rrp{uK?}R9;(-Aa+|k^< z6s7%@EgY8w#*1v@A{m>m`Ecy!Lovvsl1G?CJ6Loub^GqTyxOvh10oCNTMm+ZsKWC+ z?W9Y^D}wEJsbdclx2>mgUq?7)afurm-SHXkLUAmnRk^u3TZmgRxh)RI9dOg{Q@Tv$ zvql2&0(n292VYwsRxT)REy=;PTOW!J_Mj2FgmUS`&AufSkFy`B|kz}I@6Y(I|H7@imBZ_A^v!=;Aq z_z-xhxY8_!d#Hws^wrmPWESPVwCV%LGr_y`W9&03-nuv#z95y37aogq2x<3c!3O{D z|45#_m6y=JJjWjSLE3^|H72lNrknHs`M1)FHEoTOMh`A7ia1CU*Uj43{k|AY&ojn4 z9*&h{gOCyvxxgLhAKd&?b-bxrfJkmu zN$kA`{x1YRSxj>{dJnF9Hsu{1c?Ihd&w}Ao@FJKPzGg)G^cH-S{)Vae8*%WE+UOZ= zOUBwlf)=hOoOz-5f23VYa@$Cgz6w@7c0^l4f*=XTtnes^w8V!=O0v9zB(#JPNvJ{6 zZTSQ<5pxJHW;1u_mHz|v6($QHQB?rGA}KGrBOFm#0_%~LukXusL6f}?vl_q?hmG+-g6Hmyg_iR2g6k7s6*66T7M>{NNWDlexI3 zspZJDa^Q?)zEYw9E>zU=-ao}JGWC_DYDw6H3a&oqWHs6t zn>1LhU$!#Iu%dK!YPa&x(3F@+XErh1XuVO?te2>l$ZB-48#Hr<0&YGX8$-ss=IxPs z>NGa4TA6z#C%F*n;cA(~maWxrFtei1K95H-+qd{qSL4VXG~6v-cc48p@jBF6Iy3{0 z9=hpv9m+v{=UftlYEmcW;cB!A?^)q2Hc8pLvB;srRXJ?xjKn~UTsW>R2A>1hc3qx- z*h6`%XP;p=xjt-WH3D2@b7C-x=EBCt@f=oGvw{646i2n17ACU6`mSkVT<#I~t=YzP zg-3~N5FODXS%r#zZFVtrn?E1y$k3#l+3eyJ<1iwdak2xMhOqGV5K*xTR_I!S4+9 zLK=jBYLdn!z_(>KEO@3%-4OU-oLqZz%8u*+ysbq+9_f!q&Z4VX3A2eSviyW&Sow0u z$JI1(ih{hnjNnudu&FP$*}}(TkomWg<}fwICSLLoZK6s^vi!q3*zO^J=$>Z_=fB<5 z5YAbqhD1Er@$%_q?@Ks=oSWPkC%M^cBtAP{zN4$5fh6gX$ zEwAC1-gSAwTTR?u_gBawXkzT*J743!$X6(aYU^SsJyx1N3Jw6r;E>lZe-y#;fu> zy^tsBXnVSH5P-o`K3Nxf`LMS-*!no7u{EEGK~wF*y&lX4oZnum(6U-xOq{~oGexP| zXn_QLO+U5h`zu|o!N}ukO%}oC)ncO78qPnOk1g_`n~ z&dgI@)jgL|jEXR>Hf6gireV0^fnd4;vK)^6@h}9BgH)6{7sJd6yISm- z23UQIGm6Fga_GNezVd0HeK(p7s*gOEfQoM9j6QPU<>YEU;34;_DX4jO_{`9L`11MI zn9()O ztyT{Mg(i8o$td5Y(#uYQIPi1|a+YSoycd%+@wVyL!o1*T^6u5>3%%#yVwfX*vX-L( zeCgga4MzGH+rq~w#q-Z4WZ1q*8W+QP6+e1RqmYz#pFZ@vbg4A$;I3mH(&eSeN}R!J z;7aEjN0oc-a1D$85M)u%ZLHx7E2e4ToLiRiTJZBc*}Tfemes-pmq+Y_)yC|IW%d-y z>fnY`Q_f{N7_xyc3bib&+r~8+CDBBln5244O7Dbvx$z7&v}z&FIFi zVt(M|Mx6Yws(%vOxy826$-c~c06E@#a9wBW%M%{%faYxgcp8)u2=*>;sw zf`#Q@cLWnj{9#m2L85#PwjpSeFWIk3mg@@luUxI1&4aZh8Bs6vp6nWZEEdsY%uVO& zOUx~dugu@ zw@vPE!@Dp(7SWhZs>Ph$Cj4nxMh^wyTPB0)-f26Z$;TGlqS<(iM!URZba!Us%d6a2 zDJ?gS#rCg8=lvP!TDA9qV7)3y>|R~OC0oJ^zX?hAG-y~^(iaJr)S z^Pl6@_mG}swK;G`C?E<(xkAST5KEp=(odJ#aT=N>XJD5;nFrM(Ho&|MH84PN*yErHF_Ku-l+i5aQgO_}PoI&my>Mm=i8DMIw z?K11t>->9R>2^#^!@$0glTq*=&`?eB;bDiZV`8)yTfDC0kata6a{h3s)Y9s-a5Imb z2wMcdd1c)`iY3q~X9Au=jzACNr=oDd%ZS$Lq8Q%AoAQay#zUAG=Sh^#t63OzQ+l{$ z1tiQnnl22rhzqOZ;wBa7k9e4uRG@XZ=8btB`ns$LIzC2e?AkEWd%AvpmD_cA$$!Yl z!pEq1^wpY%IikhD;F8CV)D8px{QW=jm1Dm`&~J4D%&>eDJ|&3}}pMJ3m}dEXgaIwSwRmV=&9nE$WE05`zTMO??4H_ZmuAxtut%Hl zgGkd#Kg2e1AHiv~CPi@nBx-7FoDJK=MNrPgxl~9jKgza=(WKL85x$zLp>CTPrKHgV zb_;VBg15oeqvdX5VMMcko6Y@fO)V z4b$~8;y9z|C2L;%GCyNyYKIleb})lyEe#z>V50`$y)4_s$*#JE^e{;C5R}U5Sr$gq zMf+CNmG`vQ!Nk|#oc3(&EdUp)XWLLDuS4y>=9xxOgxc#_Cu7A)2;&0k`}J5o2RF1V zo)R}na{2@b%Tl9~dY*p*oYd<1xc}V|#teyL+J{eK6h^A>G^yrs>iNMD_$GhoDGF(< zzK%VHYch{?pL+~*rEtRQIAaj{w}lej?J*oA5vc+>GayF?dm5gJw|eZ3iP6+vxV+<8 z*}?}bsdUHGw7L9rA$5~{eYdYYeqTB-d=A_j#~Y}YY4%v3$+GaQUXXT3Qzf&+$3sKi zBma!=dK%?yXJvzm3uAX9`Gc#anPWVVxtMa5q^N!AE4DCb2d~GkX3T1gHHt_dn@=O0}5U|nt&?zUb4COE}9I^DSrc*YW8#m7F?030`PbQ|( zkgG>dq5IF@|F!qZ{`vdAYfceVJD=#-ZRp(ID+UD@!8`(c@F!n!as$;cq1y7LvhY|v zIhS8tT7wbUWm&$Y@h?vzhzVS>2N17}FPd+TtJ$%xHw#?y-` zCdO&umr|xS{hD_G1k5eUH(B^ze4+ErUZe8E;#fGAjgbOQ8wdY~V}GFTKpU&{w}-GD z4V}X*N;4*1>Dd-*)WPtYA{R7YhKpK`95GE7gNtTtdd;Ssf&JZJyIU3rF^Zr1=JxH_{@+o() zZNi!A|J?E{x@u}Vu8E6tH$(OGRDY|7^A|3e3^D~_@<$$ZjUM*ZwBo_lI5^OxcYI9y zkRc?vO8og__7uO;zkdD@C-~bA;!R+G!7X>2_zKQq zUP`(qU(aBxD5WDO>Ptxx!Le24YN#^ATP7_4jKREHIDTR3$OoLRS}Q5bux zF(7@)X?@6(Dd8j}z3jGeXHMX)x@}FWZhLpf>&J3Wx{eu+#4(BEkj$Nu$0@|Hp?pGf zPRs4!XeWp^xE&j(4!|09@fsb9$GSES33C-?%w9q<*2e1WY5P=8Ik`RTkyc=5u7hI( z4lnaq$S=I>;ClBr)KJJTx9ez_|1NF~&XKQLFs|1xoHR}{6mN3eo9qu2!Fs-{@n$RTu4iEr=?Eq~%j=l%cMOw7^v&=Jl5-l2L0itZ zc(Hy-HtL@%B)b?drbn82HV!^tEni|eA@B9D1$;`Cgs0&xd%Nf4xi~VhGwxLHptKNP z16TCNDSrsXP+XWWnT|QfUoq4-e}STn#Ia8BuJV-D#F@@#N`%B?)-QB9CULCC`WdT5 z#h@S&c+5YBOCCu49zBQuS&R?-!yxL9@ivPU6am#zFw)aCbACftCChJM_g{H}@|32e zyX4dDH*r~pw@9`RaTbOvhMU+r$bz#Rgrpu-U(r*dWJn*->WIp>gUJaLQ zmMC=-@%Z^RW~GRe!jsHskd)uzVtd!4<2{?xjaN>$?=>(scJECYe)hanNhqXq?rUIb zUb3RwvB-)5IUSPW+zByF|4|Z)S7a2BrjeR+^y$WhLhf@_>?n`}$6J;S- zvjG>PffKo$KUZG$GGs43%N z47Znst}F|%G3+~ozB9@rqnr4Tns!knj^V|vPJ^6;l7Aq*$}G?TWDgs!O!tCCySiOO zY`H5suOaIS8ki!eCd?T$akTk>=NmMAoqAM=5bCJ5)-ZxD)=mJeY?IV1opo0%v-PUw*pQIDl*T$Iji>+MDZ zb4T>)RVc=p8ccY^2}YK&vVV3%lYp;x?(Bwz9T_)#&MfADVGK|vjIWETAm}U{Jg^ioIAG5ET_K?-fW;a|MS)Pt3?6cq@`%vFE)^0ZN z`#cQS@v^QPsoiW^r?Y+AO;hu>T+eO>bFa^oSd!grVTRKR|GT_2%@z)larzHVS0)H5 z3MmUy*jz*zcKq?l=qHN@dZ#nBAfK`l zk`OM{t@ubZ8h;E2Jj{(5Z7G|w@@a2&F_x!py=g%n6tkXz0&st&O1#kWhHF0d5Xzoni!s&)#_((PoZzq#-t^s4VAQOt8jP+S6T9flBa9;j~`8-+}jHg2Bl4um9u0^+bHErdinmt!Q>}#B3U_U-A-?No)kk zcJ-hcz2b*0>w-{oON^;VUDK|F;Clcx*B#MHIzt$ zaZtSO<~W$+nFUjWZPVoCU;j%F_ETg8+tu@jDJ=|r;xKt5e#ltDGEI^Zp{?ahSxnNzS4+fp zYb>aiiJAZMP*kSUwwRD!S>jd)bBbN_1z!IZZ^WT%b*)qE%vKl2m*1Q*rCD)7{OQC5 zc1y>;0BzEi?ZK6}cuk(46Jx&KuE}350AH#R)3P-U(EMx17}HD5Ly{6GSJ^oS1CdW8 zN2j?oWt(qUQ3vA#vyKuki}014d9o=URBxU{HAt*Qm@d!co9N<(lSfoJ*e&mr){1t^ z$H~YOntRd*NJgW&4}O4gMaS{;+bxFcsEW>BVswD1#D?^WgsbFRiGW=eCl6kO)t(4Y z8I3%JWzM!*II45K2sg4qwk+Itxt8^SB>YpJL#rKNCxA8@G`f=hUKexb`5|vXQSjha z_S4dpwuh^aWkxblP-R;-b}4wLZMBxFkm_NYs=CGTF)u*>YUGTJVD#Z~FuIU2HEP`& z&B1Uel@!d1bj)25^Ig&vi*sm6nWIcv@&Knmv=3~%fl;yAnk16MZ|P~gFm}6zK^irC z&~9V*^8&g zMfH6HxF{|uJ7Nbl`G5mO6eNq2@kjjVPD5iiA6s@tv*1Fi@oFW%Zv6YX{^w!DuRDWI z(kVJFt-bo4r@NiNm@S$IhYOwi`%SrMy8u4h9TRgoV^5;fIw|_wY2i*0!l&Y0->xc@ z*Gg!!)56fu>DV352eaSl=c#LBY0BO%is+dv(Z+RLZnAh?#;elr>)1HKrfZ66cX}F% zC(=qBPNq05B}=Q*!)D$z;c&9MgcP#ufpnZ6?%VkANQ;pQYoX5C=xE4z4*Xgdr>o}) zIi7c6G1SB9@FR3gw}ID%*KRnMB6K+(8SgHxMzg*%dS5+qT?-?luIYNOm*Hw<{6A~g zw%sVMZGVNQKHX!S@Rv{QV?{yD__+ChiX+18_qJ`D7i;552(s z)#AEf*t%VOqzr|GyTo=ex!lCm)}xSC?P?JfK8%S``X!d5Yj!n}p-kmDq5rgs3e-I` zPQyqlMOp)67)aUUV^&kGD|8tKo1Hq+l$o<}Cb#UhxQ6WSuSo(L$h5jCzs4~x_Dp`V zt3jCQLxrwJ?K7?rKd${`@tQS^%uezSe}>OHOm|!cfTa84`UrwpnPwe39H6#s)-krJ zr^G*%L3m8F`&#Idp6Ivt*J1%+(IqPqBF%+j4MGFeiV}IwQ z307Q!WU1gCzSD^jd>CG^J}_{n$rw{3zUOU&SA#tVzUpWx@2yEmOxC-F1lXy0uen-I zGffT6!9^#EX_*=)G*~??cJXT*5%HS#9=a9I==KMxnt^16ER1ECVIS=ZP5tH~`5?Lz z*1AVWhpD0Q>p8UU7J+ZDaD7E5>mrm(K)TN=Cx|iu8rh$+J?>z)=OjjBhfi*}d8YOI zA~EEWjZTJ8g{c=!{MlANL+SUaF~qk-g@OiaNI&$(-xQj>+*Y=UN^oti@0>>APKY1m zzB~uID7yF%E>=NeD}T9{B?RRtH(lJ>^%cD`x-rK2eq(ljVDSEw-}PsP6d~&~!@Hhd z4^E@4nua*9xPGiUb}3{oVjcJ|6gwuDH#C}$J!AG;Qfs$b%`Yg7&~V(s%Kc^dp}s{6 zC*P;R)(@8%6KvefW~pkH9D6b0I}O4RjVc8btD{j+T`nDOQp%ugT3uXUvioCi#-@jC z^pWZ9#3+`|l!k0$asUCmNAZE13ez!iA2+5ggKY9LmkB6TirQQ(a3&^c<|q zBPxsGb{KHtSq#HZq}ZzW92(z3A1C;-Pt9=al^FDA!Wd6xLs z9{4NiI%Qid_Uh-bHF3?5r*XeB2G_NiZL16t$A6`wT*+Mo)9A?Cf?o~$BS{QFFPwc} z7q=ijgqyhjGz#8>$1-2la&fV>f@NfNj2xKy>vAXoF%`GQ?-YrSWuiT=m}}ZCY+fs*S*7~%f7jEnyI6cEUZRUAu8H{MDF(li z9!TXG$Lce7ahpP;*YB0O3U(I`eGwmyk23`+cq}k zRhBHr3a%A=0-LwLQv0+WoX?)E$y!dLQ0kl?3|=xyV9tE(8`uKZKo-Fpt@uoO&2}%9 zCoy?lqqST#Q@qYF_;>9~y`G7`eJ(>Kspgb7a5`Y((eU&_EPn=A*iGKVrMwEugE#S) zx{=ASgNFEq!Up=~ha5J5-c~BNq|1f3u=6mXlVixoQbfC7@z3LOdAEH@A)A|+=Pgk zK=Dp>q)ZjyR89@=+4#f!xEbFWH@CEB4R?HNe3wD*Ols%QX(!l}VxRuVoAqaRGm+jC zx6`?qne>N3R(K9P!#M`9+$)i#QaLuTR8^|*Z{d=H=2;XN@ z*OH!Qb7k!471(aG-q8-0|L2K5z;a2~`aicucF}0?#cc5=+d&t`fz05zRMoV;Rmozzu4z}nG$!3*xy+jx1 z2CS6vDq+ntg^4*n${xmQVjaI|73JrJVboNW!mD67g6#9&N!8@=IWvt;f@8|Isy>tu zSXfhU+JwOEpOx@YLg26XJ^ti4bPz7?%ubaS*@$+Z$m66l8^Wz&_rKgHbZeN_24zaz znntQ?qACf|#hA|+SR_|-+?T9wSECSF!3wxdtd$$&>luspAz%_9?RqAOdy@i=GE%U=zb1GK}bgiaF|7=xirCd!Cos2uV zv_^k2ooTAuF2~4-K@bBYe$amsBvBrG{4SgR|36$6%4M#D7fYhAG#&T(Uj=IY77bX}#J0^$7Msgo<<@EMqqeX|sD$JqbmRu8W)15Il<48o2+_+XnBl5S*nX zqXBqN-3%S0w~QXiP$pgm4ZtN{4OcF&HQN`Wu4#xSZRbvmVV~Sk+B?bhZQRGp?uXf6 zkk>Tqwhw;7pOfx=UbAqe2)%&S!4Fhecf95>4IBb}aTf=*?sz)88y$Ru-gJC7$?aMi zjHTJpJGpqHYak{x4u8z?PIAMXuB_L-(oe|i4IH|hn&^y&a1(Qb7+JT3*P9wp`RSni zKE9(UMALr9>n)8caTphivrgZ2=8U7Uy56z#FWYy873YMvx>BUI~ zX!>#O?@p#oFiqtrl@et|km>zGKQ;}=b*-jjIN>Iy-O;j?^F{}w+N9i=aV!6z#~5cN zoYT?RhY(BY@}0i?JoAf~*w|%!HlBVr-2S~N@w{m)2B2X((=c&bI=DLE{SpN3+xA*n z9%c)-X$Bu#yFW7$$&h4p`m&}2hfkyTWw1BcW)sarvT=FbC2!a`A9y;OZ~RcIUUD*C z5=vg!t2V}OO@lXD6xoi0;_BcyFJK4cj=M|$>G;#Cch=xoflc$J9Go_j9bHHNI*rz8 z1U|yQ(%!-wLPKW__)uw(raY)WWEyT0Zp7-fW8SP`h*cgLKo?`Y;5ne491K0j3WGI- zOgJ^bn+?oAm4vsBPe-!$EN(V1qg;g(u-U}Lw>W7KA5~=eC3A3G@ZS32DlT;?)8EAU zS0yylbUk(ib-^V4432ZB!Q!ZJ&H3y;I|N$k{^XE?DJ8{-hr-Dngg=AW;AXGZ@xaRu z@KL%FXrQKZ_hU}(zoQN<772lbdiE#fXbzn}9T->QN(agcHVhQ#PO@MlDyxV{kCd zreo!)m6Uco7Ov%qzm|?mOj*2m^kXjVpJ9TWjR#|=<%GnSK4Y*(q=)}OgVR@h{icayxNi^qR0v8h$1R2vN!k>vYUaPbg=19i-HlFY zBiN`xcfj`i$5onZ=1nI4`$$CI)MR8!Qb$eaOYu`v;7xumW6>0tIG)WZv|h*}d9oOk zrxuvG_7V@l#b|ly83nJ={8`x^u8Co}=Vz-`$A=FeJB*JrLdGhGwj7Hi?@P31d8>hC zIH05yZ)y6F_80dUACe zqiSwfGJ07&1qzUd;(KE2eKGoA{=n=#id(23AE3}OEv<3`zCtqmpGbzFGz-esja7ivzn z`>b_sH*kx6g+UA%>> zbb=Z7{U9QV2I-ofWq?io$VM?qtcCe`X|)D1hh+9-$zr)W%z-w!(y?sg&KD)(=-609 zJ0(oxlFCR5(wxT~#f2{}07@9ZejP~|w3uP-p>3*bZL7|hFnWH@LPmPqKW zrKY4HGfHzZemzp5XTFILxOcBSTBEItm%(fuE|>Hp>NIv67`I#@V(T_FiZCOoL4OQB zCik;!rlZ@^NTt#;igR$^cGDdO-12T)6Pv>HU$>28^9mklw{5{6J=O2yK8p9SK-i|3 zpl%1JY^Oe1hq$xw&dYtS4uT}Ra6;nW2TrhSb?sCP59Jbgi#vhCFe|6Xxd{cJguvtSw8c$F5dT54ji+NU7Y^v zNj8wElrLP0u)>YUyd$A+_8H9v&I1nnGw*KL&#(dK;&@X-d!myb;-&_&owh99$jFWM z%hj}JXG$f7En~LvJXQF@W*aA`T|+H%&9PvSutivn39K$#8mWbTd+u9O)q3iTkJIrEu8TxMBUY^|QEgY>clOO(yiU z`?sFKUV^ox^_5R-I5r)WzYPtxUHTM9ChmjDF+rxshEnSJw0N$DLdq@E68e2c&o`jM z_mAW@4o z(pK0FRuea$9+&2~XupxXOY7j-;J$2bONElNtK8~ndi_qjyf+^8Qp)k{{!VVwZQ(*H zTfRQ~hVZ7mYqxY;}6f@_i}ki47k;VO~v)ZY+Wrf~f;q)0X;{fw`N zR;K4ii_nLtfQ`$I^`drD%(uid1 zxqP|Bn_nP&py4E*EhQuZ10E5t6{jz6ky`N-lh-V!Ul2VKW>vQTh_*AW+Y}k z!KUe@Uy5p3n_Zv_%$bRCk{~I;EKJu`_6rt{pt%3?817!uRCVs~U>5E*;d?qfuIL-( zQhLnp!i_YWt|rFqcq&*fAZHHl)%u({WR3-A>307TY<*+0TT=`u0ZQp0h692(fA43D z4oqk?#=JXk7W|T>`^lXYYRe*(nTr{OHWJCsxD*J?O{>f80bVF$9bD)GeaE(ALB|Z! zzjCg@?SIzI=5_4RIpNBVJ`C?IScgwRCc5Jdd;rhrA!L5x(0QL6g;WvEz`|L`y(MiqpqinBlO3N#ZTd;RegaTtm`%KwdCI3~k{!!ZEz>6e|wBbgY9t zJekcZi%@tMui=tJ=*YRwzh~F^H2pK@8vXL)Bu(yTNxp_o@XG;!+-bo<_v5}dWYZ+= z#Dz8yR_Y{k7i*kUjT5;}erCqYhB!5iT2;|9J2lK5U8!~4(G(^soPJLIEIUK?OFMPk zi%RJdCGmA7jpY5gPsL3Z_hSa2R z$;Qn2OADV9U5wC>bd#~9r|gSX2ANpi`12@RVQFw+6Lqmz80}-Pqq)B*;KfhIE0fw5 z3$^MItZ&!>`KeNr=-4cvGg*S;Q0nq>x!{+mSJ36S z7wRGjV=e@SQfN~VZXGidgY=VI$BN~6bGZ#naWfgP(Q!uAmTtF!dvNoLIoxexFITIi zPOc?hQy@xoTNn-^n?2qoF9zFfqnF$;d_wZU_|7@8@Mcd8uRrRsiR?I=%*3_w-CYfj z*Py3rKbN)gZjvIs+rhZoUJ$)Ri(o0E?1$Y)K8vqxD7S-wD>~98w~K2y6;2D+#QEJL zf2K2Hw?b1!bxoZ2MXSKVTVW<{$H{dJvyvsS)qnpv;#U9tCw|4ASC-+zw2+`s?i z&O4XkutT#Yg{FV`K$9_7`W9TFVOS}exBswqWyx(TOLi;xa@Y~qdL#i(UpFvHv^bfA z2LC}KB;krA^gu!uwT8Ex{_MYAP;a3#0TL*HI7LYAcoEkQzse#|sLIOm9LK>GwR=WH z+ErgSdq3fu@h| z`pN4mHntA^lQGnC%ruzxCiKN$*Dyd-rTRRc0;@KmxQhqkre>t0NUDX+hN@Xvnx!pc z);RrT+s*1hAR6Am^-DRkn};@WyC!|Wq~bOqUCql$&_*hLI2}h6%U()CE%~8tU7E_2 zT=j>b(RI)1eOLSNzNTsHF7C0s2ai2jBRGG(OkMHv>=sa)p!(CY{g&pdl_x83eW+(trK(4=81d~z@ZBrR9-7N>B zHh<+58Hr)5GY?V6gY7>7?Vt(Tm^|T7?=n2}NpTUwZ@T0U1VhS~1BMuPZuwg}+lmrA zC{y|;8vaF&wL?GN!6k5X^n(zT9I+(chs?R1UZJT#7hi~awAgJn-Y$m@mtW>CPUPO~ zlKqm7HE;pa_-VK0U=PejvN%Rw@Q3#FOmRu0afH=Bgfj0p`GaHPZdb_$H}SD3(V-2q zjnhsC#di^e>jWYG_%$s|tYbzG59v5be&w^#qzrl=i^ z$&#d7Eq6`Mew2H#EFt^ZeH zatz^PFMTGyV{a*SEi#>r+95E-26z*~?82?KvorcN~p#b|QsGyXN+^JyYT zyV7>6dX~1-z zuyco|urQ0~)SmDWOo!SyJOEbB?%*`yX*JcXV=KNi@XsPR8u^)mN}5r{Xab+|DX~j= zzE}QdXSoMx;X*vaTR!{i0sx5k1)43aoj$o9ZQPVosKlnh9o(8b_V0t-1((xfO&c?f zU7aaYviG0eXrny%H4?&&{A}BG@s7M%$G#;cp7|_@oEL) zP+Yheljl7uhP#a6mVtRIDn*_TH-C)JlLT@QgLH|(3YNpXY`Ue4d$wuwH_E*wj??cS zoy>>eijViHhlbnznx=`J*V1IOa&*dhGF?O>wCu?ddou)lyqH zI@ufE^u+FkucVxQkOO@FP01Y!wfm8bM@us?qfL2DGz;OjH_6*Iap6S;tFYC^6(y1% z?cl=U%=muZ(ShGSrMH{-W%rRL;Xx#QuX;$z?l>UUk{~;LFgx8cv2SbzcXSNMwdPQ1 z_Pizrpc=T3Ymc6wfbK*>7Ou13vyCbj-ulg7KShU{Eoc$6Ec-M=!-s5)wuI@Tg5B7z zW8KBO;ur6V(K?P*mhH*xIW$Qo_h3Mf^$_EDPe;z|TA$d*eMdYIR#)dCIm(-D=((%X zGANSnNV@^4au- zSt0p+=Wf1UM1EYdTsZY@0~?e0)VECxi8Qv)b$+SiDiV^jab_OGv>o6So0RhLK*q)vNm^9`3)+3Vu7w%h0e$>(DbK_!^s}j;-+P z7=^^VAOqvkUwdSa(qTW`(8{s z=eC1`u`xdBsdekBq|cdb&|s?!yj2kH1PN#YjKjc;!q+rD#P{{xPPrIo!nnBT)Z2F( z*f;=@?5>85OL*wI5R#Fo|Og_4D@UwoF6UwqJ|@B_*}2umxydbWtq0mCL-`z_kbtfLYc-;#RHdX zCNeP1L>xN+bnt0mVj{>G6@(@r>(qCbr8S&97jFCItkf<+RmdqtmV%n#$JA7Y<4Yy> zBYT&kj1PTxb8}CMM)v0Lwpbg&ve;ht z*DqXxRD3L`@n%mR*YiJcE;C-%0of$Xk|1!pixXkta4PEmsCS(hEnt=bAcJQJ1Wyy+LbJv)-@%y`Xl2u9cSS}!ddVVa}Hlz zD*cr(wS(=d&sQ{dCHkREgEfUQsD(GR zUc-2FxE+t>OdJx>dlRQ;_bmo0nNMdEddEx-+suP#x%HJ<5RtOY>R|L5?mV^^9_yb2 znS6RN=yjY#9Jt}X2V~m%Z|UfU#Pqnk3%JQR@ae43ZE3n;sv>n2^E9Ydno}OQn+;th z(Z<_m%{e5Cf$~d>&vX?#>9$MOs_Cu@-?pjZmZ;cO3jf3pWNsI($bVpqGkwRg4gJ+MUyNjNdex>eJp{o92yp z-NY4I@^Vkz!u~fs=WtYtT}5)XgLg(+mu`N)CYx81t~4afx4JkOZergu#p^j!v8u#S|r3 zDBYQ#&wFK%1lc?-jA~MH){GXew+5%#kRak5Lefmiu#1l3$N4wzbl^Pbr#raE)9|;9 zkS1NGj#pG1C5N%kxYD@F9s zDeIHOP&VuMVd4l|Y?y6!n_TM0R54i90cqksPg_DlO&kvcF-#Kqcq_Tt#6>4*%B6ox zPL^U0%j&VxiCP#N^$5X?hPQEg61`s+`^zye%dM{Tb%PD|5u3IGA_)s)My-zkp7Bh$ zWU^AFpJ_;plWNU1rh%KX`0;;pem8j!QfQoOHi831g7C>q34-*;T7yl~`N(Bu+W2}c z8}8tO!I-8nCZ82l-xt#758L156XYkdY8YRt^sp!=Jd|^b$fKaXclM({d(eX;NxQy zh}A&%`;)pno(XfF*yr>9{P^BsAspKv3s9fv2NNzg@ATKPw|1Fwi!&37n3}Lv+`3ogK{V{Z0M6uC z2xn`mnB%sF55E2$h2AwYf0q&ok#G~Ic=Xr_u~&EAV&N@v2{^kgp$pwx-g++y^UF@J z-I3^_V|&(?ST%*xHCvZ}{peiwt+3nl_>b>~k-vxnSfW#WWL?5p#0rq9=9O#j{_Xcc z>E&c4C^I+HgumbrY+8tNr`z0q`frhh#VnZyZk1W^9K7e^H9Q>JS^P8J>Ja9cdLgUB zeEA>CV?^2@TrOVR%|`K)SgG$WkzLOdVWX@xgU=#RnVHr!qvJ@%LNjdCw=K>|h=ZYq zz8dvsNjWu_Gt5SD`Zf$uGFwUcGbP?p>ui42ewnht1J&z8-=)xzMdsH*tZNd+#sY zrIJHF6qJwCz&~B0YaI;-o-5piPE%6eRV=K{{cZ~@ja1cLMy|h$yrK;xzHLjwJX7KE zTlSwIR61>3H$4u1d*OYsNUtiVgG<3C?u)-z(5y_;SiNx}C^%@#AZ+(s|kKs1;O*D+6Z z8oT_${>kl~xfEf^`(vCIf9-AqMPIyfht(na*KHHKzQ z_%#YKJ*D`lr<()mUhUl|7gKWZV-)cuY`_WP0#tl5A#P?pOlbGHN<~tt$J0RFYK6he zo#$>hQWKu1z!*p_-SFh9rI=VrHdVZYKg#VzA`WhXucDhAjNYEdY|?5q4BFZEUwp-K zw{C{nmaPh7CSkHPcSZlpM&c^$_`JrgB;tuMFM31$+tHWMYIU5!8MtqZ)s!}fAyNNCWyAJHR_bOTr0T|WJGpU5;Wgk4L^ z#kHD>H&A(rf>zUTl)SiUG|b|VCKqo_HMiue4gs7x~cn22%ix|{25Ti7v3p}6M~0vrc<;SwR#Q5d4cAt*KrS_5iOU6Qp8lOAqfv2e};PFPaGc-cRs8e` z^98kf2g6&RPJL+gE~Y`T==iVshp&RINV$6K=+HE{Ol-zfGSAA?TXC&FlNtnJ(Ol23 zN*AAopOL%txexU~fl9;8+8^|xk~lVyfA~Lr%MG%jxLo4OfA@p@_O-DQb1~>C(;x~t zdMmzqqmK9OD=dShK7o(@W-<=#a<;8usx>t z^)}fx+|U|u9nRe)S*|3d?-9EXt?A-IHZ+V?Ja(BCYPl`)+mciZ+c>%(21lyC(Z&Mh z9tMeEPMs4+ztP4HbZqU>VOesE(1kLe>iI9x!O5#Mag?NjY1b>`oFk<*Bt-z1eS0v~ z*&nnoXOrIL{x96HrqI8iUD?X4XP)WP>{+_l0AN5u{~?FUr8Pd(MyNFmTo83?flUl; zT=q*QW}H2wv@iS(Bk7fcrshm^QNc7M@up8988PfE+^GYO_>fm~pL;vCX5s|7r5Jv& ziAm(s@eQoc9XDJSQj7(^Nma2sT$#p2Q#FiYP~i?&Wd$T4R2wDuGGJ9 z;@FZaqf+IWS~6lc?up7e6lgTAtTE<}qxVN=f-|kQaKL#I(Une1!R}A)f!b}T?63TA z8wKz00qzym)J_{OO|T9M=A_!e#KJTET&M4R^m)5DBRCzHS!us;k*HmKO`coIz+ZT- zLU+S=lk60qUn|C*Vwl_mkWPMw>Nwrv43F4l@_|^A#+0j5HkJIh{37YNV1w4QEJZ

D^O6lJ!Homfi)!J9#X^`x zlho8s=={%um(;Qqmz(@dsKh><^3>R&giCV*cb9~5M*e5S?eWXhsu6lqirZFe)Nlp& zX@i+8E1cw?*wYv&O-Mk9B%dU$VrGPoa9GkzvPP}b_k*TM=vbjos!2$Wrux93S07Jo zvp1!`aP@$&4%rmgy-7(EZpqC_7o$)qr)e!*!CKL6)Y_P?xys^oaAa)iZWDS7dV+0U z&ubFmDkOBh29+JfJw{_16u z84gWJ&o(*jOOHX9558vdoLK^uq;XuU@4gnX0mWU^Y~#)QBU*Eg=0QZEBmqh9eT7}o z!3&eMcvl7j7_=WZWDcjaXW?pjO3 zol5u?YiT%V_DO~^np4t+32Mbj2-AKuLKFLGs{_>Cvan^ExCsgbAzCe5ds3aUM{Bhu zo0S`v?mXIj?n_c`u~>6SekO}6Ec^Z)^FNXz&R}p!02@A4j%5d%XIHbNtfBCk^I`K= z7gxs4qVO(S#sIA;Yl^U!yBIR0%9HDOlUB)}whYWbxZ3rsXD_uES{Cl!Lt}<56y*=!J>{@Ku|3})Dq$jR)*{x{wSLRolezZmm)!ItaJ-}Vg zWGvhI3=%&e+q_Zjp*HXawUSpmsg=~d0g^&OC%~D5^dxlyDViI%Jx5XHa5@!lt5d^7 zsKOm*Bqq(e^hU}B>(nsns2UWa)v4p&2Dcaho}Bga7q4UOdeTCWL4*Opp!)1IaDG7{ z)l@Y59luFBEi4XFD4mvqzhc_WAH%KUmoX{PV7Uxd#e1sL#%m4YN}V>oNl#D*oeuuR zv_jvQT<7H`^4ux7DzbXaG&vx8z-Rt?BSr5zI!@3XF(o@)47irDnJ~~Kdp3s`tUQv5 zYkSfe_z{QEWxOOSe&IhCnxu*&;p&~yDyFTw3=1uIB!L_L2gZ#zDeewSaqAdUPks(p z{@xGnG{%3p+135@ys6jEL%b}Dy^D>%Y6wot;uTT+CQA_-zxBDp^l&vv28TR{=8%h) z#K>s{4A$>pHeOx3Ld`;m{Vn{^I&-tuKz>4 z(k7dgpKyR$ye!=)Yd@MZp8A8I6kk`tF3aV2Q_`fRoC=A2z9oaC6q%S4Zao|G1^o=j zTt0ws&L#2HZk!Fyq#%A_VieGn41p?;>5I@nExm?W!jIezx}t1uM?PVP{&N(schnkw z~~vScTM0v@I+d3*!>#G|nWrZf?W*LH1v&#TP^2{$20; z*t7Qt0;MV;7Q`21@UbD)#d$~hd2G6_{AlgZHgIpVGzJVwUKnVWPKK|xCwLT0HWqA_ z+`D(UW19+~@7esdaTXR|6jusa)-J18+COAoLo+9QFZ6zgC87->jk{SrN1IIVd(Jm+ zV11KC;H@$9SHYPd%Fkjl%~=qU4VQz3d|78LkNem~3Lhemr?@pL8i9of_9J$9I=!Fw zWdpRLr_&vD`838ucTfMh@6&d|G<-i(xf_?R*kIoH}is-Myg z%uoNrwT6S~c-YGxRv5&)+pr(3{MUTvI5;k_zPrrV`Lj3%Td&og!dQ#axQBEq=kr-Uf})#Z z83d18K4!UWE{E;w6AntZtpE>J6J(HV3%huxQOZJxLo zcfnr*@lt6(tc0sBG#zJ`|BP2}bO(R>D->hX7}Lh{fUyDcW$;a=e?d(m3T&6d;ZJ2>Lkq z5d8!5SbY)EU{E{%;E~peW_Wzs1pjBneBj0-^4iISU9ZXT-@J&+n05l2J6E~sV&MAF z&y{F)ZS0mE2|9HZ{LjkjiLQfH%tfQ62_%?uX-8K<_j7_X*mW@yZGRS$vxB1nMy-w2 z+o!1XT1LI5V7$B^3bgjiz<=Ay8n9vxc_55rYm7P8Jo4^HUrPoI3&AhB4cD9WB+^?) z+Lx;&VuY%S{y!cF`>nLU$h3)~I5q2JgOWuR5SOcmI3a_GHqW}0c9I8x%6lj}y}cYd zt>Agc;8Dfh#e*u~l}M3Cnt*02Ktz`O;>s`yj|`Q)M2HzDbl4}pP|=$}W4Mjyonp-k zUaA)YN5;1E97k3D_{w3R&cE~igRGx>XO!Oi3hRdl!qJbtVjPi26tEq#n^DEZ!NcJe zd)i~0I4WI{l_v#i4mX}9>+i*fp;FsJoz49RZ8Gl3A~;1bFSVQ+bp>bDr?A;+DC1YV znvEuo-GM3qqlK@W6ZEgqRxptpE6y`5LOMr3{G}fq?t`|1dc41*SX1clwt{#(b76*K z*UZ#yIkDHbKAY8wMPl-|~v=wyXm%#(=d)HrmXLRFI zR&5vUsD&dZ4W!5I1^Lqo1}fFsn$Cve9(h0j+||Fbo50*Xw@Yo67NsZ`yhp z&(GG{>MYJb#K2IJnVVqyq^OndhGCje<$R(>)UevPl_6O%W>w#hk|#Qw$tvB>r4bak z>4)(M!^TO_zGHiaV_!Ix*Q|~4RK_v)NIb;;>hX*&vRnk$OI{2|j$t{)cXKcq!wGR} zv!UQNgOvwn6O*V_%%9oBxa*1^Y2z=u2*`-eg5P9zrWIy8<2oBc$91YF+|OngGq)(- z+rT>A`_I0k8FXj(xpV(2%6ni?E-}AbUwaWg1Y2b`lTAp?r^7^iW*WZ{MX>|IY^BxLHCmKbI5a~0L>o+@7j3lOP%AUjrY&w$}LWn z0`eE6R80rBtHJVm)4@p!g0Skil4+1ed57Wro%@4s{M9U$mPGvjx0IY%#5H-_ zaUyyV{zd*v1Q?T)=aT=7BYc)xii2>2W7#=HFq2oW*P; z1!+v0URuy;*c7_%ECrI$Me^*&v8D;~<6^wPGO)Q*O<+PIICqtUj8yOP(vO?CUfm5J zV)hj|Fk4(!Q?U!e-7CBE_`S3lOdMr8=wP#K992)((v0K94x&X~$x_C`pC`?*L$yz#2c1r;pl)7uq$1IrBJ)G>|Q}N-n6+kRg4hPMP>_}(d=8|wnF)`{u zhuy(Ux@Md_Jux^{&wn7T=|{XlD}rOTjzh=c&v+9r^DWcGWQk~(8H(z;q1kipqy_@p zz;})J7AA|L@{nPjY!lPVpR&7b%=BB`ooXxEijJ+Cqd+~Z{xKKZ_T#{xFX&geBkJF* zgEAt>gN`-99Z~RWof>8)@f^p|>fKuFtj?j#R~}p7CFR06@6M$qJ4JREMvwlFFi>l= z!b>UeeXko6K0o=R*dzXRj1;GV_xTB%$!TI6=r>-fjll;-1pwFL9p|($vtXYVfh$7F z5_nT6xX4IO0kXWSxg7b?RV*BcP4FzpZZs=g&62R3vn?DLI%+r|WKEWbITYth{solx&Vt6g5_^K+n@)4Ujas{`K+d9X@MoXF_dg%(?ewp5AgP*cHP6DbvuLplX zr@b)M`ES`cgKu*^L>4!59SmFf>*j~6Fj|eiXK~{ENUGX(F(SYzOYh>vJ7RIWv~8fK zwf!h~jy3Z}ej4hL8*gIl(x|nvt{^c*Aq^Ylq5`F==1m^sILXcx?NnElVB%rm&J6o> zyY8aF<^4=zPz{iV--M*?pwfi;hrPLa7PZ1JQoo7Yf~G z71Iqh*u|tTfKT62(y1bhG0WoAQ`#?|7rMxD@O)kw7e>{>7A6WeY;4H~G-E}zGmGPh z!9IwkUD+;OQMs>Hj9naTdT1-Xg=3#)U*0l$t@aCua(bV%&Hd2qUAVlRF6B7hK1CKya?tn%IV{CWp{#icI-s@I)GMvRyoI zyTEJ7L(*#<4B~^zT*eRm2p2TtdrisraAZq1%E)X*fW#pewGzSuPK0X%i!8O zNEw0hhHGSLL<7FI0zFT!S-(RJq1SBen_tqKF6Z&4c;1{k&TifGckJc|z+A4C`||>#on6S45SR6|bWljrETpwzy} z8RNf9zH&oQ;cPhA#8yqbgNu|8bHsYx#r31*v>-kFJ2dtrj!Q7g)dzZ`hNo__p@Z}s zJo+0yd%Ui&gQ_peMqL3cb23J)-cY31(mLt;FnS5JstupbZKI9zv%O%kJFy_E@MUjt zeLZ|R9p9m;nYPEyQ#ma(4lYo^rfj2&u@_8#l|)r0Pos;i2FO68Hw?wyf4J=%2JXqc zh~wwO=W&7C)S7Dh^_fdEuTV5uW7<1cLIk2sAdseiRzxA8vG5kF%%bTHtAXhSTvEQ_ z!@(z#2u?8h^XFtOKMJ?iI9M*Z@nybwk)Ox5vYVCh@@^E}u)89Uaj+J&P4Y0<)xTvR zkTgmteEwqhnGna+ZAQ-;<}KyoVN6M|^4~P?Y+9H*j6WN!mcC|&^XE|W*7IN?PS#`- z%F=Ml-_W!?F$8G(X)cTo#xgng!UL5YwIJge8HCnyj~<`~Ps+rwS`@Bc)vq_jvSkK>os zdq94Gc0o7!nRXSfNUM?`Q`M}eHylN`=Pv6fKEh&9q#_5KRX)-V?jE@G=TGE`bKrcr z3fG50KD}ATv=G5h=dPmdgDwJvJC#Jj5!zWmnM4zJYgXvgW)t5LCs+r~7QXPo4c=_y zbK|VIu#{`;9K-x$eCz#jm5H6>!qf{#G~AhEW8(FA!Hi5w#~G{>EZSxlqdxsCDIo9xPMitFC0Vc@S{Ov&mkMF;T6xXS}s`PPto zO{J-8)iF|Eg+3_0MH_#a*S{*kBIg^6i7enWuIV6*{8{+K(Qum4FSp5u2;CMuf>s+x zfN!^R`tsZeYISh+ra{+qxwdJwJd;GRM;^QeRaG^5OUGehZdqZXpSzWR=!3Nk%r7M9 zy5zPuaj|avFcOWpg$-w7T%7}Fmek&?F75S)>~r@0xxb}7_mvUt&lu7^e@PcZp-kfCODq>|>+PC? zyY;x;&{i}&k9{(qI9yjMQI;*Sc3oB0bM#(s*Kq{*l(%o3I z#9XROR51)vE0_gi`yp(vgE(R7@U~k9+?hwH8}#-$wj0FJUC_u(q!1#Qh8c1Pz4~?Z9AdD`*I-yR}IK!`oesird1(tT;W(wZ2>iZa_DJ zyqn7zV=02sHWf-WRW*NxFA2t@5%X2fd9*E@)-A=P_JQiG8S7x*+NwhPzPQgz7Ejy3 z$t5kp`F zk!(P`j>T{_*LFcRC@qXJixUPCF6i~kBxFx^A4@zK6?YWT{rcMXBl+RuSJh80Y!iQW zI%2ae=_zKrEWH9gz`>U67tAUoq;XVd>MH|Q|+*G3kR-A z3#4ycoMac5=T}T}r-oxIo;if{?0Tn;Vak8RFA;l`!({Uq$172vQAPoL{Nv#dGS9*& zdX4kkU#Ec;tFdI5^@TRv=1+Iv4iV9$?7=2RWS_+En#FxTie3)A)5g`QqHZR9D%^IX z&9*c^=Nw1wXzy?Z&(g@B#`PKfU^Pot`PTox|N3ujx?)0dZsK2yyDNhPDJ`~+JJt66 zB^A4{V`BJwGZr!J3K=|KKtXmaoKLv%D_KqGb8t0JfgNCvJS&Hm4*1ElK^+AN`*AO_ zg^i#qBpMGH<6iNuAh=yEx1PMLvE zTkt8FS7kr)0dQyu6yE7AJiRzpqqh{U*KyZgZ?`{zAFJ!4$p&johf_=iwKUrvIou&?JRZE%Aa;_KLp&HKmB^Ka=Zy zCLcqRP*&b=ImFrbXD_1IIF9FEg!TPZxYquPl=#1LI!f|)H_0Z~D&MpWc(&-l@Xx}H zcKxv5-P)JO2VWb_lf_qA5T_+&CWD>Bzkj#VX`w-I@*|%4^Vup`Z;Ce?3*ic@kv0jU zwPiO>6r_awmV|@|!A{&C|Ip^0XYpp?MT&W{fU}&cM6VoWX@RaGWtWw~4MD zSsEAGF-eo)3MzdzRPIIiK3!L2y$LPt{1mpwk$?;JDuI zD##_$0zU@L;C2$}c#l>w*M1x{KIz?aOe-_Fy4S9+%F4fcj{N{-+O^wJKop_Oc~{32 zO~4HAc5ywJqK#hfng%@dWCw_b@anKY*Th&{zg6$tweS^4x5tt!%Y_Wo$pW9pTO%o4 zV&HH=;LeK4($T5oRxTUuD(;#ik(I84gSi7|df{ZmmGmgiQuVfU0^+Cli$;Gw3n06=SQjC0XX6~l&j!ImGWQF+-{@e> z3NCo$Aeotvts?nwhJpreazBBk%SH!h#ZK6S|4-VrZKthd+h5Vs?qrOZ!~ODDDoH>L zh#+jod6R9~RvRO?KuMh6IS=PU`o~VK0;JMq7T|P`&d%gLlFNGh-NO`1Y)k>*Y4W)Z$xKLMck(iAUb5kF1dAl2p zEsaOzp&I+l!Bw+YiKDmM!T#D`y>9|JzGbhszry>MRZ?(onS%i|c4LDJ{~^?puI3M< z**Gg7Z8k8ZxMYP%FKl8DmOL!aX8C>k>7W8X=Y3(biBXS1fzxbhhRVo<$u!^QJx7-; z;&2T$rgv%IX89(%!BniHvH8KTRj}Ps8`Fy)KPXwCOd2;@SH1o&rt>=C@SA;%kyC`^ z=$j0;^m=S62_g1w>cv$2C?jX}({jYd6E?FxXUpJzmT%TLb;?asgLk60{HBTDitx%s z7@WOtjt};+U(t+zR(&e2A$i>442l5%X|o5GS5ug#g^PzL=xEdG{>>PnY2!#;1HdHY za9^&zoMvhmRL<<6FdaPHcI5l=1`dmV%%>T5hasmIgP78AVgWx}pruLVK0O5wl(bG^ zB8#`qn>s*-z0F}^{MvjyUA^-rZb5V=_V+`KIc2jehwlQTCIe>`{8k%_YM;a&_*|UB;XRxe zKeGjk_b{0RHI+1K+n+gifDdr%fAu64XSmPo*a2a9JQ*=x_qmCixqU|8$tZ&t^w#z)d@M#AHsy%ngp0MgTPgG$mtOlNBhj|UFfu|A4F^&TX15hD{+a69h zhL#4Yiw#*=peHN;d=n$|d=0k3~1xTc-6^W z%f=WO`wskk-PN-39gE{1`s;0ase^I$u%2|zXBOz&8hWn^1#UNRR&5%tUfwA&CQ}^h zfwdcWTIo87w@GdUu271wo7kHIhShFi9NJR&XSZ>zxQ93u+dM5v?hBG+U4{P;tRmS~ zk}lT8EypL=99xs~nlB~sTS+b1JL1VlQ20{1Etrzo4=b?yEe9&skd6#-yA}HXAP8Ip*LK(zvN;PV`y_La)?D z6*6hIjZwNX$ez)6?W=K`(AFM;&7sVsNteGu9=B*wK}CXB>b=BtQ#p0)99O&VP7`+= z+S6TKJA+=xq_BGWFs`In6%RoUcU||pk*$--5c*CF`x0l-$BLEkobRnKZY452p}>Oj zH)&~xy;3Ik&=+^1a4j!D%kU^JTYO8~!c+yU ziB9*oHosnGXHC-x2*WYQ#tw`bNT1CjJkxVRTgS$l5qb2EgL{c4LIai&1PcDWwQxS^LV}9$4_oAm*d%3;d&L9YX-t}iBMi|VOAXUU4#&(4%>bEX%PD_VRk*PAgH_< zd}LgCOg(qJ-o~;2@Zv@oEb07GUuGtv0mPJEGVK)MnQl{w4sISjo*EM3`0E}Ib9uds z#Xo2pc)iE|>WO+7C;$9(60i3))JrG4pguOdWjie{x6d%^;&Qw>t1rg~<^&QMUe_3g z@sxd=jK3M`!*h)9I1N|-j(++tTSGa}7DmoAjj6q~7oOqO7PU!D5rJo{tjfjZjs`XV zoXQt()Q^*^&S)yP9CPJ1SfhZ)h;I=Sy*^*a-jqzyJPkWC%Yzl#NB3jH!(`7~bX8Nh#hi zZJfT7T33#i?e6xA`jkTOD6)s;i>O5d zu4nw}?mqVva6^x|LA}8W9l+Y#EXnSCQe@K2-5&ng$NN^q2qBjtKn@Aw-+&nkGYQs%@V5#F#d zNZkpRx?$sD>y*e;XvvcoV6%?LCQrD*W*v{rRT%qbL(?X3 z+>L5Baa%jJX&=I>l09oSTNtKsYFkwM*c7o)r4*jOrRlmdfT|S24Ulg^NDMfVO*Nn0 zk%Caue&1_0N|ZeYaxz;yXMvVhE`eS35t|K1Y;1707`n`u*8Z_;_P48X%KW8%SFzGj zu3yg=w?Z=}!#MD_ul`H0Lo{8fU#x{|PF@&@L%tDO-e9}Ri7KX<#@^>7tSHfbvK`MxJx*MIE237`d)Jvlqi#T%VFFL7kd)$T80lt1Q^ebKJ$0S*~X= z^NaWxnIqk7<04a5s7l^~_@FejPuRiSV^zAU+r-IJf?p2RP7K~0U_4^r5H<(6tFY>Z z7|vlx_wm9E|43%N-4M92s+$9NLrIe|j5~XqNTy_CRf*sA=`fZ3Ilmy+%yIki%fa0c zUpISYni*5iS!9>tsfS9WTKeee?D(BJzAM(kxB1}`9<2)B=468CIgV@|GrZWVnw`Dfrml2HlPQES%?VH9FiJ#x zosAwVkz0$mFdrwYdE&q1tcvX}H^++-k+&=i1B{f5g_~Ya2sT=F=gihqA%cB5G%+V$ z37#+=O+B^IC*8Q-10(29g5Q^3r~J#TNInZ6^i3@t;gkjGx^;yHS~OE$&0 zwcT%FrujnYnYT5C(Z?u>g_9V*VyE_mC-K{A`p*`@Mk3R}U%g@%#1Pr{gy zA?@}(8}#OF4VEnT<8>fzuKGqT9Ev;1zbO`+37thA!Q6j;ErH|~cZH2%=T7FvCYp9l zwx2{$~xbX=bRHpHBNd*$Z2@MhdKW~J?rD6@JUrh+( zZkHffy^;?_nOs!@Palf&|1;dEr(Rr+Yj!^_lvv-hW`;S+y>WP|T%qfJD@jSZ_~?Wp zkGAjf1r~!k#bVMzM@f8VK~l;HxaD<@cCnJY9~n3FuengO&|=W3<7E3s%g&uT22r}a z9;Kd0P$+J7>NxA>?yx>pRZ$ei=DV_;mUkMsL*S!y0ld@f<6Q9}ALY)Mj?2Z#$+l?z z1vVLU8M7&q;VQbLbSl*%wvs7Baq&tTvD3nYVJCR8opuL4m%Cnu%6zXKN&Hx7<5+N*k-SfBI)5LIb^Rtc~E1=R*>X3xe{SXyhGNF7wIN&Zs zaZXzt@2BSjv}es2zrNKB`#1eT*q$|G9&G6KsgufLJ&a#0>DUfU9lP*Qxvkt?S=dEA z5#3j;(Sg=QZ5rQyg>2p=MZWuzJI@x*nSWhcRA${IE8+%AC2TyS!6)vOWr(Qc#$8;h zd1G%p8?rgo66Z@h$Ewadj)})+qPJg!0NNTBx@Afqyj#ba8T<8379bZ+(V^|uv9;CV zYKe`B(@$qMa&((`l<{gt>9Z-DX>#ygO#{aXI;yMDHZW}NcCi7h2;{n5T+Cw++t^p> z%EZ+eOH9RQ=G{I9S)!a;0hzd{0B%5$zsR}+Jk_{26U*3td{mqFrTJC-weH}o4yZ1} z;r8;G5X=16JL-rC*UD>8rA-Y&%m+?h*Boeezw8o8fpjYapRTC`(gnFch3X6KHSxI4 z_wZlhEII)(37k5D#Csb2XaZ?8F6ob(k@c$SWhb0A20 z^}3pg5!*y^K>ey@*Hn-waf*T+e9Sf}U>Fh++txyt2-vtJruwCmIhUpR$Y z#ce6n>J4zELUVc;c4s-ID^g8V-hd{?(E;_?o{3${+4%Bu?78JiLC2!?sI?bZ}zytnayL@TrIieJdd990RlUc`aq(zuPGe<3{g{b z=>_yPl2Mi#{Q6zZQ@rU-*fMBl=xjq@9B`ZjJqz)E3I$E|ugsR0IL@`*x*GI=Fub)e~AJRK;2 z4;oFZ&+W7=`KKf@ixNr?A3Af=C0h6ZdSMX9ev!X|587B{{uqRhk0QRk_V1JAHJ8C2 zwDB9hBy?2~e60%Mjk;L}9c;_5!#`n^|1w={h$q)xY1a(8I1)JFj1Rgv2rreR27OG9 z#?6Y-&0ko!C#-&k=c6mEylCKF-T)Ds=iP^(V6Q}Hxejn%Y*QP!{LepN3 zsf~MTXz)Y0$+~|*;>Jx=gO7ZIxF$9`Mcl$3j<*ej2fxa>7p8@Qy{}f=a5uSQ)~>Uc zY~va=_gCTX{3p@Gc?42O;EHM=2(RO&%xMzSY}C|WCy)O9Hi>sVAqCaS8+e#hI!D5T z&d~J=^*!F~;)08P7w(4YwApQ10w282 zrp~nSt|r!t!;7phxa1G=9*%@6ibMp_3vYYOJo?_--S_s5jiP)8*lYKQPVs?=e=dx< zyHH0jGjYr$UUipT)1fV*Zii}?ez<<7jV`oFEjN8h)i@;m!;gJ+U)Bo0t0BrbZiDGR zAIYb>z-r=8SFyt^4fRcG2h8X#SU)}bQVIS8kpQ{X zYG7sPvFUg!?pD1R-svKuT$!1~PY+T2s0`MS6z+A|4<8kL8j^vp_>z(|Sxtkkg?n)R zb+}(UsOCX&o4LgzLzE3QCWP z^Iz%o`WIvB8q>+rFmvA!r!9red`@z$#QEriq;ccg>Ltxbs{+`^5a)P@)uUdHds(i& zx~d;V7i*`me~AB?QT$F^(B(Hiz=KNT+4oYP014pu?q~EuoXz`*d1Xw4#4szUaH)jj zyWT-VNcXCIeg-&35+V1}kDtWji6mi!N*|VjC2=3sa)!5s6SmhhO)41{UZlq%q7Z*= z&}dnBUo&X-Gg}4QqXX6LEqQ20RXQ?TMuX;{p@S823_ip(+{V7Q_2XhHHT%^Lo)^S9 zF{_73s7~+>tv*f0WD~F_wIhrXM!B z@YphODu-Zl7Qt(@4e|%o#I=6S6PcJMqI#^w;+hP2>_0_9kA!a}XT`$9*o){ch_}Mo z+z1Vn^E7OH^mFYub{)^k+25DKQsBD1ttm*De)y0Wt}v}toL_2Qp=iJC2JW5$0I)&^ zlOkdnY$nYs$6*tCJxv&S z+vM>v6T!#>>@}bQFqNX8*1@(&io@+bKD3^DYnOUh)Pra6SwiZ zu4^p4H1M!BKrXvxs%p6D>=reQj`-l)7B=h0?T2k+N9LN1gin?c)#r}1?cgc!9q;aC z@VEjOt2>2NYWpWNu}v@kAX>b)+z)KV;Ow3 z)5hk%s!r~7@Q`^c+`Mnr1zqTLaJ#r|>?R_|GjF-LqJ|9m`~S0cEy-;wOLi+5IqV3_ zLGjP`1~2dxY4K-*lq}643Kr1<0bP=?q`QV*LJxZxJ$no4Ep%pq1PUNdk+wU+0}m>T z5Kxu>JjWX7+H^L!(dS342u>S!zUc4%^4Y6?*Rq~;I=Ccts>8=obd;Wj zUxu=Fx|n__9dqap+=Vvc;kLD4MOP?Hr`N(os1h{^FNOyyxp)ZUHz@<;^l*X(IA0{9 zfVn&U5_R0y^-GK~v=gQUInglT7?^?tHcayoE;`aL~(gSOuK==55T#K))1mwx*IonnXMJq~Qy= z@3QC8*qfYt?At$S^AET3iONJBtmjH1<$G~i$82wR&?P8rgm4hKe zFr0kLx}4Ls@EnTCb}tO&#h68H6_I->FNIfwVba;1D(DQBfOlCCC1vdmpN|AFI9ous zhmO-$UX3-WVQBWvKy#jxL}17Lpnpukg_ zHyOLD;IBYxbE?oZypy6Ab{VBW1X<;tBwBbNq;lqwMKDmnFPCO%yEeulE^(vsVhkH| zGRex~4t83z3e3>o(lHACss@!W@>cM6e=|gYT7ZDHMy4qX!|Oh~bM4}(Z!7WwZv2Bs z?DINPx*j8c*@LefRevAolRFBmwOf14qe|vtIA6@{65?v*pA9|k*W@kGR>9M%P;1CK zm9p0oKq1F zO5P8b3O4k_JbFP-zs?GesSvz#lj)oS?U}A!4JU>^JRmW+)sc9*8Pr*VA7dG9OIOIj z%nMUC0zAtj8^-DG{Zm0-(GJ+Jh+j0(%2$E(kcwjXtW#xulJDS|`*Zq0#SXvUAzCX_U`hZTEmBoPd z2JRB6NR8E7ID{J6GkOhoC3j1K+|JuIare+K{1Gi&V66HhI(Sy+tbsV%qHDn8%kklw z0jtQ-`iswE8igMv+|usmg2phg%B=c3%qG-MVX)hUz7g!UvH>f}TgLAX;E=fe%kVo^ zt)WOc45BBWdwz?fjU}7gxKuzCoi^ExhN36s_!T!49rE@lWeN3|SP6g=v8s!o_!E)`-T=e=;IF5s-<&bb$s1r=D8;Yha|)(}SqQhDj{O~d>wF~! zsypXInb_N`EK`w))xsY4PcIKIOQAx;!fh}5x61czw|>8ai^VY;lGz_jU0W~8e>~X6 zPx8z(ZRB9L<@WvW6t`J+9~+K-K6;>4Yu2ze98V|OZ0gGCgk}xTvYZ!lH820a;m>GK zMNYUhjzf#vxSvB%48Ho?T?NExCa;)cx5Kq3&q3)~z|`zInBYjC&josS_7R&soCljk z{xnPqZ0;p(CtJp54?~pPPbMRB!Dcu1EL(2kKh7PDx!uBcL9+`nG4!y=gOtm4A9 zYWM+lcNQ;2C-t#HYh5ZVkgb2$^vyH-$#G^`b4iRf;l@#=xoXuF^th|{?Vfegds$UV zH*j|0ENj_n;vmHI)(@ND@yVCq&p!$~`02=7Z8b5PovYsr4)Xxn$85E54zL=Mnq@FH z?QcT*(57t+BBqZfu03|`Y;6al9N=ndtAlw4f%$HAy6|;Q_c(b+2BX!%&7LYua+buM z-?u6MX7Chw;enipBT6ws`$fCX6nCqOkATjgTz)nbQc0@9JK%1#stc~bHUL$aR@a28 z?;9z)M=$2sjGShvHEHi6Nx$o0yLf%4Ew0PixKwW$Fx9wx#HQQnm^TQS1d@81oFYv1Dmlx&kNpkcgTl;eiRKIEg6aaoUh!f^Kl|I7_194=Yl~74Aq|!R>TL zK-6yIwzGVCKG|Ljj|OQ<@2id7%`+@?yMs$gIL6GS&&KTNi12HH?JTqc9juWSLnIi26hwyM*@ z>A{&F#hU&h3nM%27WRToI@%jOq=Q>jFDwN8GD{x_@QKBIGSW?bQmE*%B>v{!%S$YI zFnQ-Ai(zDIeR@491{<=KVp-h1TP!p3TI^s&k@u32Ya!9@r6N#CO(}$U*!ZvV9cKYN zXEZh^Guwg#ovAo3|1FovItkhB%iEP$0&0n?jqgXIzcVky$b#^y52By6JjDo;1)#p4 z`r$P>hn~C`UdFvqxERGESWh9gWJzeBcHAT>dK)P2c}|DipVkj6Sy*v9e#UP{ulw90 zb*J6Mm{BDJJzkCRP0p%mbvn2k_!oyLI$g{F|GN=>NB;xLJQ6oBS|hn=?C{?uk=jS@ zm^h<2^aEcTOy)9@LOBoLu^NhTPUXlz$HLBs6K`JGWtn>K1$&bV+gQDx`du5hx>WLI zvk0E!13AHtgFWjr{JM^VE%zi5oCn2^`oI74pZrH^@eeHzZRk`VHtb$1#u<;@<8A}P zxP0e7IGYF4UoyX^s~ieac}(37#?mnUmtQ*$ydE!Q#Nf%}|^r?&%FvX5N_U;I&=(5qv2$q8oM z1R8DQ%`QmRxd;v|6x@O=h)eaqtCf2Vtm&;}>2He6*4p&v?n^ld_RPI=Wl?M#NE`HDJuOJ#wjso3x(%+yX3lCTIjcQYOG|L@ zyeke+=>RCepV80a3LAxn#zdp{HNMj(Q%3aemz@FL04w-C7Q=FH6bnDAsCJS6`WO_6 z5V*P+cvYVob6C#?=5=#X2su~)_t#%=K3EC}c(oF2O_;lWyd$%%JoXqc-QC54;>GuO z+9dJ|zuv^N+sE2Z!DtR^fxUKD!RBDkIMe#kUEKF4i%(^jutb}cZiZ*_W|JH7a;1|) z>v0d(Xy`o`vVZ*CpJiDLyff_&3jN%?8jm)`$(Fu>HuE06P2u&E)ENDKB;LbdnGr|Kl>jcI9c${w4|jgPi{mqn*gtiZ;bzs_AOmFPkr6;TdojgTL7& zTgFUOAgz=RFVqaL!EP0mMyz{n2fhI7-YveZ4#u8G9{UgSTw0iHRhgc+2gm2Ywx?PE)Lw^%OeUcOY(r(A(lK@yII5den%+7Al!a~v}(de?Y2sG#}yJc)Ltho29g zECO}(E!iznnO3lU3BC7%wU*_fp1yLmyTscvFw2jP$ALmRdYfZzmrgHjrWp3$k!qFb zXB2fc-UtI4d7B6N&a(4b9?V=@2za`WKpQ(za{=sQ1N83 zah|BHdPB@ztl@A)$_TEG2zaE}61LZzW@$fECTR90wGuqgH z6}F5W&5J>roaG^j&tJ;Vf4XYshw)rxZD?^Pk4(I!oto=a=1DOzITtQB>u-o$`BE-CUK{#)UI=!&s* zT)ffS3a;Mc?1`=z*u*0cx`7QDNTKOAMsL=`7jjfGw%)??Ihg961IAtaf@#34no%=x z0Xz1y)Ptd#m^+=aGU_-rJ&pa_U?+bfqmI*oCz47=qj8!YZ9W+DaO%N@scwTdnmA-T zk#jW^eB}l7PxAXy1a4g} zf=8iYX3c10SL8dRE+nP4J>ghs<;!ohvHtkgn9$G_eSnAVpwV|8;W!iGkoHvYf`j6+ zVc^u7+aC(&nY%cb47XYul9zv3(anEr4;+S4yqegvxqU66DIV2N3`Ee+{sGBzFs zFvqS)NFBc^2OCgOaWHF&KIdiXQp=ckZn{fxPAV z!E`rIw=D>{C2(=kLXmGcT?dF07GrIaT4*2I;Pp_ z{xTLhOX245vx>uJw}lCx1#C<|cv_`!Mr7B>EzM~d3)h=BQuKNZ2U}9TDc`XLXTn7b}KHU|-yjT`vN$R6m1~yggZf&hva~~9A1n=-{{DD@&y;HN-fYvigwz)*Yp;6G3U#q z;GdiyMIDE?h3Y0_0bNFVHJTBNJ`0L^-_qYObc@crF}VkPb>UIQ-Q{#E=rpYE;^*l zF{ugGWD%^G_mtG^=&nR|700-Y8Ttp7)T-e|>@)PSrNYIA`q-*tbieC5d#hy=Xw@-V zPK9Bz>KJt1@R!eP0U4TvoVC3EaxKZ>u7s+eX<#O+-x%Mt8hHF@6vW%2=CqplCF+(T zozub23j;5g!xm_CBkG0Al5=RaF;yEAIL6sLyw$-xW#=5HUK7JhPyNjg@2K`&d{B~y zf86?g$$6}Ts$c;XvuLah*34-o=QoRAfi_UYn5iMW3tlO1dP|}beww@qhN2{&kY^uk zTV4*0FVn?7#Yb?lEQ7nh-;?N(qB@SISMjSX11;((*lm-Cfb>(I_g}cB`#~G1z*R)t znBwOYZ8;0#8RWyL65G@Vzs%nAxpW>*GnhJ-nf?vQp1HH6duS7=BbkETU3;6I){obI zq5YiYu+o~%Cb#;Ht>9Qrcfi!8i)&XOk8D$S?~a(PQdvAyJ)KTuqc115EFF_tRp~&Z zfvNTcB}GLqj%64aiHge$rEwL@!V^mfAlY(o0{pBAYRkbx$ya_9_<2sTe0&{T*gwN2 z+ci91hmERziN^sezMI{^<7apAQ)VvgCT>E$^~w2Sm0H-ii61J@~BKYoql;^UgQ$5e4Z zEZoI+?`Y*x_;@6fO?Pg7Z_9%WgM_Zw_3Y`8k(sj*R9h)G_4_{VXht4>7GBwbw zHE}%;86FZ+F!S#JvXX;9GFTM@f2LVe0TsfBYvIAfGMad^rszsLgfc@fdP~+a1YH>n zI^Ry$aqB#MU;|^+_vdDXJ|qzX=ihkzmpkEoy15TO^Pf@pcI+$#{^LGjBVT=eWYZ>x zJuYjw(I*%?li4UcV;Kk*37PQAlevhtt0c#VZak57U%$l6R-6|5 zHTh3%;6kasc5Ci9$15HUiNV4J^nr|VOD;e2O|6YNe<_l z^o8MrUojzEItfd0-NAbAu`*=LeF3W{TZKyD8@qvp*opts9$cq-EPYaEAndmG5j#ueq{CX zbT6n0t6SE@CU~~$kS?JI-q*Oa4@dkP@;Bk_u#VU~_}VOfh?#`*=qX?}%)XhJ+Rb2$ z9XcToztbq@0ARPul2-o`t<0QH`d2COBR0Z0vp}CI8;^?*gi|V2UFkvu-b{vPx$0_$g#L=vUn@79)8f?xLP9 z+(9XVkpAj&+Kx8EUL^1&>NTAH9|hZ8<$P&Vg(y#9CwF+uKbFhYu}a?$7FYH&qsyyk zso1xFYlZf2lECinch)XNJ1mW7H0w=8kMM2f$WtcT!f>3`O#>ui;sXA7GP4H4+FhsC z?pmL_g9(`lZSwE`lDEK^rLWuw1}-ywztZ!YxY28rY=h;HUtQsZkO=OB9JuaWEByfG ztMN9ZGd~|~4;9|S&u8gQ%Ocn(*;l`ZwtK3>OWqHoS%ryjdgP69eLxDgSO_b*$$Kd$cR9G=&eNmtukPSBSN)kR$tKXI%#|d)YX{$h<6=Rx zaj9s=529Dn)!Et9ZJJrG@atIKi`DWuY4_obHpGn=L;Ke)^lztug%YDM;4Z z_$J>E^F|+19{b6py)Aa*AG=piVw=mi!bzw9qwQLj8&$UKuP~~6PDI%u2@py2h^MWx zCHV;Xb!J$iY_4U{kwhK4rakSCsA>Ph9o3!ozw|HkP9#BsSSjp^jtWQAfSsUx?A(vF z*S0RLJNhdVMomAhuVQ@$qJkuZBkf;!k@uQ2Ixh2eh5#&m_(Kew0BnxJYAVAggKp&U zi1RC9?njcxs8_(Rtf?mE%R?QcG}XeG+{3=&`SUn2vv1`x&whwM%QUgAcd`w#xP)vfJfutwX6h3eyk_d!Ti^(8%E(IusIa7tn9 zjDum`Z??K}S_cDXTBHZGF5Y=TJbTJrOwuQBd4=Xv!~qX`Du-&Bt){8ihbtH@Tn>$v z#x!X^08OYh$}8N&Bl<%sWrGCEBDu~cSyKLg1D%v*Z|X) za3SqXr)iF);aav_hKulJ6>pw6oZvBuHoLmxUEo)odq;A)>?h`aJhrWI?Sll(p*gsR z;MPalM9-W;Jl9qZ; z;#JvGW!s=C%2p5ADhe~6Y>kp6ehCxOtWO1qo5sNf#|d5Ao;3_=`B_m5=sk%azR%%( z3V0qbr{P(I8@_pqD%{#8(t94Zf0`KaHC=)$8j?l6BOK~=y1mcj3}2S7QZaP2-Hz8) z3+|qq!P$7{o>g3MU3+&lO4l(_P);O8u0obrSkzQ%KBo&2{*SaOa($P)8(RfwNpQbywUB4qKri_yX zud&=GrA2n{-S-~wR?w&(&PYpQ;(bZe%NCbbzl&}2s}(2er0ufYh*_)Ef#E}g$ada3 zr$cSnNnGxDKZ-R63!lt5vA-nM!pFjGYQ-w(T}=$PJYwbI>!vaURuvckoD1Uk^KOTd z1$Z|Y-CxTRaeN@mFSF)#Py(}V{y4@V@H(T6j)611+472sVn?sM;3=DDN!w^PAM$8e zXm7u4`5ErBq{e+!jUDnKp#xE+hsvKlj#|IV67Kq-1`YKUg}2;AmRv>KYQ0@_N%?J? zVf?-6WMBy3bzlYO1H~Ji4Mv_f8H~<8i~5oa-mUmJR0X_0Fd0ybc&+d} zRk~_Oar7lI%Z8h>-*w*;5$$&|y1pn-I9Hv+oAh93^l;d_jmlFoJ>yNb*@7@DU#{ZJ z&-;juX()^?YtP3-!$>L>RYwFCsR;~ljEBXi30+5v>(#PH=j_vpR zI7l&xqj@Tn2ngy$(mwSrO~@LnDW_5p7lMD>J?a~nI{TwGVxM6Me{&N+O~#)$ic-#x zPEuQn^lj9vlzdOWPkJ2pUoQKXXUTjO9>SM%`i=StHgR{eVaz)>6m*1Ge8U{4*imoR!5u4J#m$G9?) zMh|zQ0U0Jk#dGi4XZaPA2(hR-GN^L&46XaYat|&FEvda_NJF@x^5;`*ha!G>AAYEx zN28DF-+fMgokZ1+AtZrK1~h+04>#P};XVG`+xZZ$Dys!ec(AYhpBSfTwL2uQloKm z5us*ym|bogN!j^~oER6_+pLShOYx4izLIrgU5sd{v$AWfr%Jrh$8`NxOTUP-%Tx@Y zXdmQf8ZNRsbCqE{k3z+YS0_%I%wxX4_|Yo*=N+s$-J$q~Yb2G^SRbRfWIj1FFsn_A zYmG6STR3-f^jlriG6{cs3tN{lT*cMqgDnhyX(ukB-x*o7Sw=N`|Gs{tWG!8=)x%sD ze)y30o2`{^6>>iA;w0<8LV_0VRVO#INECbQ>0>ktUj%}%&y@t9*}>WWhTwqN!IVDJ zbUCBzs%|44n097Yf=qo0zt>|YmG^gX4s-Y7a7I6r?tbMgN}?6rOoNBKRc`Hf_f&Z1 zM_yz3gV~cHK0W}hG<&!(b3Eawz|r`|s%C*r6(2|E(!0qOfbcLbUqcB$Qm<^_7_5hIeP>9e8=FLjaKOBU+Wc zt4m_2i}YKW7p|STKF*{DJ6=xb)AZo04P4jMqMLwbnz$7O%43@rrfg`^CKldnH=`@T z3b-#taIxqy9uv*9aok5}KM_asOlozTHqHQE#9OdcL+=31bTE&~m+;MwS98%WGacO7 z^*Z4?X3cXD=~ulVXg)JDXi`~r@O3zYpDM-Unwp8zU6=lp7POYB1{#s1}+u(E|vU6!^ zxDmu4xrw8{<(yWU)yF8cY4#TGxXda)+{9-(?{}LkB;Mm@muV~nElhGT95`gl-;O7j z<;2($0w)yiw`^QMb)Ln1A7{!Lr(TVc$N2%`SX>teyT$g{jg?ikc+GP0P4I>M*hIMw zCb<`jK>;)d{Q8e(-YiLJyW}jn_WOA}NeTx6iZihzyj`WU=WSSi4|XX=ktoO(`qlDq z0{pzek4V=-eYPo~ZkKk{&}@22(#BvPZF6{P{%{*r z;v9S^Ttm>vBEUs3>~c>Bp^VqOa$nL7w6^a^9)tV#$Nnl)?zbf1TMlnXw|KCvX`rL< zvwQmZS2{9er{}7@{>g%R;p0L5GKr#z5-ct8;p5!^@3Sac!CzJlHS-ZM8DvqHk!GAn z(T+BCQl*CBBy}QdWwcPPGj!y^ZNKko5q@@c^E=!ukb;! zj>>yeRJY#x;Pha+pP1k1sdDq3^Pn9449pIbtwVBam0jc0XkIFW{gwA6jg!quu%Rog z4uRrBV>8ln$0Mtjt*N#{%?H4x+u=+4{d>IswmefLY*rhW&%XnHW!sp*?1Yyns;o5IwsD8q*2dTcCi9v{cm2w_7GMY0ij)k4@Ny^Ff z9#VQ-tT7@HxXZGWhei4-FwHqOjwIvF;^CrdFWGX)ly`>XRhZCjMGEU#^acm;%~!Pk%@2&6fD^Z}RFZr_9wc@~MR%%;Mi7aN|kNPgz0{KY!a|nfLWJ5^RgdaMdx^F`k6msLjtXaT?0G zImlXhrYy+{@_U}ipr!|^#io6fcsWo373Q9bz` zjAMT1RpoavRC91O8C&k@XJPC5J-o#3z#8+v0vKB7xE9{p!;sS>uCuRV+xd<*CqFcm z=Orzo8}3M7!`0?E)#>Y9IEzp@`8wXO!N41Oqd;&=d>w;Kn;4jUy|rg0+|z}0AKzsI z&r*WZi2y$F4GcC1F1c@D7532-j?XYxzO)UU=9>%}Qq3NLZ{nbG3#;C@vHjDuD;>PQ zJ~&&f(~)$GIrs#695a_%*@_fp9@-TIdid^bUuVxcDkiqS3^_2uNt1-EjQAUA+(Js1 z@Q*#eeTy62c-HA-X72MeiQe+2mVUh219_C+_TChS!GAs#RS)YJn9!$9ITGtI^%t52 zlQ{0ql4DWhP-NDteY~thBO+-!)OioGQULq$e|mS`<@k{Eh;=Lsmpy)rNF0Y?n-vf1 z*toq_n>n>*PDNe^RHLOAH%Rp^V;u*(*v{$M>CI^lO$vkl}bjh5@B8tq>Us+U$^)OM~ zJNWupSCvfRdw?6Pt4X?7Tu(eDxDTe@unPX;QaGpUTq+lFaeneJLf#aFlg+G^-*(+u z4+@4@R}x-pwXM7T4m{Mmehj-aeG=rn2X8z3a$SyqX|7%G*1A!6|K!TjR6{td%W$P& z4hE&QAjME`DKF*&XbfDa4xp8+YhpOVDB~VeSea`RGahpTV*OV}enRoIjWP0V4vUQ$ z3Z}P%5v}Z91J@7hI$ey2<-YK26IRQNYG>TRq#+HqP1nVwF-?zq7_s+ZIsrZ^22y>x z-GWjoE9v7#w#}F{62WxaWEju3Bq){m?P0qo){|&ZCwt)CnrFKT&S)*{?p_bWNUd-D z`5<1MS1Xx1}uOllauPPe+MTG@AS zwe}beZS0FKgyl-sN->t%#i`WwY+J6?+}=SL;unCfBra=)z1}Fd@%pKP zQWRt@Tq%DU#T%Ln0g*tDW6mCwb7VaiS8W##*4e4Eismt%tb@zAC+Pw|<(K+8R}+=p z>|-;$J##5jJN@^lVYQ2c^uYL6ySTWgoyia-= z=as~Q4u6Evf?@M)ye%j?bWVz4m?TNQA7*fMLWWRLYhM2nhJiZGa3H2y*ch9H>*YhV zB5VID&MDq<7FXeQ77mcy(#Fd7;fkwhy9!{8qtG9h{ud4Yq z)x$e2`<^{Vg~r!3T-oJ%H+-J9)0Fe(^Y7*H1JWP-HZSgHO~<|+U-QSjrS(2%A%f6{ z;Uaun$KmfvFi%bu`$_oqecUB2H-u@%ZaBy5+n(TM7_Oe9P1);?X$HpF@3Ut)={pB% zl%`i@4Gc{E*~<6U42H{9xUV~VikG19j&XvNk0pYb#<1!w(%^R)SszlPLzAST+Z+Z7 z#@(?-+YMZj!33G5caf2zQx!51M z&6Gdl>Z>ZE5-i-+Dt(RV%ht_rUM9%T?D@33p3#l9GgQb=mke z-iWnb^e`@)@Lo5o=%t`TuI)En#~e#7Y;9e~l@;Jz=?2b^ws|ANY@iq6hJ1Hxy^c2A z>X$sn^gHs{BwN$IafIqv}g~dp^YJ@ZbNvilgjxha6S{+O3u- zjDJcIr`lOJppa^O`oI7BFJTM!yEsa)XBi(we@72ZF_V7Rg!^Xv@J}+XzNKsBjpm1p zj+p*CkGKs+b7Up|^Pl8E%+q419&RD#C22*y^;PT|6-fKv@)GjjOT>MhLsgbq>q{uZ z+qm|9l^rihbvK)+ksqx54Bf=t3)8oMtd-&0=BYY2eXL2#H}B}rV7VF%gUvyEe8;IU z!~p!kp^Go0RUBW~ineXxn*Wc@9EE*`dV z@o)uXSDjS{_tZX0+g1*O183*goHn50y|`0I1JH_|$Nl5vp{>3oo8Mvw7+nnDf%cry z#em26H&14UhR-`NybK)^VZm6pAxZFhbi!7(2!YYZ#er?6);QALMhwsyOj7Lj5bgL7 z!&%P%)4*g;1K=8#i|g|d?U~|Hli|=!J2S?RP^ay~4wvBrUx0K~;#QdbQa^$DO@Gx-Gu>xl>+A8t_B1sas55{2XT{crIl9&zs!dEiAc|7&A*qxBE4koWV z8uB1vOstkXWih9Yq3asfA2)G3GL994vvoPXc9oGgy&X>~wN$}ibY{_ldA!Z-X$6?Y zIxfbj%dbP$#RvoIyc!T;swDap#+==u#tKt&M3{yvF6Az#)UqYbxy)9(ocrM~BvH6! zE>`PhSTtA4pT%4PJm+mq#b+fT%WrwEL-Z=RfF#MZT#!DWr_WETFgf@E7>;BOrxVNZ z#D}qk=2)X49mEUqX$(|e{rg|ZLo|CpmL?HaIkHx^Es@N;tUN6tJL}1l`nRp)wce zK*+{V$|mIWC@!wIHgQA#URWB>g}SKT;FmEU-_;EPX0wBd8e6z4W*3L6TJ|rdF;w`) zZcftZXFRy_SQhORqAI3mKfuN8q9K!L9fhkB0$^$#d~S}_b1+kvQSks@!6X+I@3XRW zmL9}jK+|IOF;}d$h#$fS@&OiUmZ#&E*=CouE#)N{aci}S)^Ca8y*xzoc{HyCQOW_Z z_v-Zc;f@w*4j-s}xPjYvovorbf!d}Nk?^w8o=cOzqj0f#+FmQ0oJgYzh$?o1GG0A~ zNxZI&k8dkUH$`Sz7ztA}e>?X^e+;DY9@E0GS+VAonYN6u`Ka1A9Z6H(c7BhHG?P|h z7Oppn6F%gg@8RK>bX{-esUQ(-d_=?OG0YKubwr(z>o+}IgVl7ZJWLpNW zMW*+EtX)fT+enbT3RWF3ppK&d+7VcR>n0UjpHlxbOcouM|-9Drc*2T&yk;3|Lq#!9;?-M81FKdo zb1_2;>BW?E94w$~2IXQ$EU5OV0B6~B^#~BR584bsRJj)QyzS38pOdS&1or> zFnT$^?bL9wVoqCZeM#al?ZW2lHZ)V4jWr6EPqM>sW{6)G17a@(a;zTh5XV6IaZXCf zspDKT0zEheL%o>FD&=?#l6UF`(+j3$90TXk37zN|`X4XuqrZ01Hqu^YXu#W_SG5|j zoeuUEp@MM?d?Pf6TUoqY{W61bw_iB6T&6wS%a*d!!Nq0HN|LBc;;3>E)3Gs!`Ts;%izFwT zF3RO$M`RtgBkGr!g^s|5hbNk9*p7$w$j3;=V^e@;+8SInGs?^AVIufyvyB_7JZa}W zlFuxy=j#I_vMPtueG=le{g%Sh)r?H)EN^L_q;PRbe-s>T6<)*arl*<<*u06MAFhz0 z)=3_E;w}6G&MR-_tsXq=l8J8{9K7mMxjt{1(wHYrN#4fZht$&^iEYaoTjvY5$;ZRB zz0r0Z_(u=`#a-eZgE33@W^hELTZncs_xBmjDeoGBW*2i~k=2P;V)_(G!^Mc$;XT~I zTQJKV_|qXP6Y1HUVKnkQ+NS8pZNO!;aJ{iSS)P(dm$-we9!{!8&M~*!i3^vzScBg! zJ`Jp~7|4>Ciqu!BeT>Zo21lM_>~PP9iyLCf7{PAbH4ID!ILyVXu#$tB!`FADf?KW{362xBI7S6Gfb5qsg z!Ir#i@HKCeZaKX*ju*;p<3P`h?iJarlU&n+i?}o+9bEf&q50&CaLrIqmthBYI~q)ul6ck7ngrIY&crDO#cQKhdrRt?-~?Z z)$bHIuQrg)q>gr;harvk;W`izbd44sX(A!Zv&^o;L8E4`y^mtdVSf%7zE#j{KyF zHfBto^SSl1cc&FFr7(597IU9Z7W3>aO0QLt!)$VQyUmlPI)sfo{et+K=;5<|D<)I= zr2J6__wubuk_rdg&GVTUyX9`;w%~aAoN)CV#ii)JE{ri>=Vl~@i%Vli!DFmd82iIq zOc=~;ni*M2vQ3`X!NWEeF*LS6VWSBTbJXtPeg(&&ydm<_T-74d_G%vdkS}3)pQszm ztG6*iyVCFU>Nqw%4PSpmFQp|ddAeQ$ci08Bp`NMChsK8eKZ*e`4t*+P;=He5Mfy+Dxu9w6WXWtW;Z@^7E z7wN|-m-7tZ^ekG|^v45kMG8uCTbz?+B}$UlYKF>~GwP0L0E`**W3^*^-7X1iz=RTHhhS?{bY@^>7i<@FA(m8PrVPzdQp!F{;RQ|Tmy!Q^KgvU=B0 z4n+!R`4o{-dVIPnnR`bXw%+X-m^)s#X+dkYYjPo0gPTSylU4LhpS^q|zt?Au@&5ma*{QTNykQ`9 zVZN*9=WB4&HgHH*!X7Xv)kKA z)p2MTn#@T3>4d?H_3l#?yoB-llI8KcdWklAIBJ(4hw(1iJXNroC|b3_@CBYjZiY$x z_-Axv#}s4W140_AAKYvE&%g*!ae*})oG+|?9G7;H3*ZbV{5FmA%8G4%{ZWy`F8P;m zt<}@;25;ckY)fU3x@*zkxW`y^TQV{naF*iKE_HF%CA)MMakR1eVf^@cXKeGx8^Vw^ z=kx0d2@iwOebQoa;u8ft_ z&!wYbVhBmCKzk~F-5#2RS(^PQg>mGXuIRD>ECn!TdL3@UIHC(W>!!seC*SNhx16{y ze*;c*W{jyxGE(u0 z_8N@13m@n_31*2O%Wy@m@>;8l%^U4hP6SkHw+kktgMI5AXCp^8t$DB3NR*%v=~z(P z#=%Q;9YpH0@Z3$-tAHHYJig*6_mmXGdL@q-(2024Wr#LR(31{l$WH8Uh~aO(H4I|u zB2HJqR?h3bIIUtnyV#(pxUZXCoT#}G%2RNI{cQG{26YX&3JHGg-_8wPyR})gab^%e zSb4K&XgKsMu4uD|%l>eLq{(nRJEy!YCXZt%vJN~u^gkhWERofl@-Ud5X)X~=)=ij# zA(lsi7y-(*iR90p?c}s6mSHxS68yS#V2xB_`tf0M8VO;-Cw#9D! zwm+z))g(DgH*kA37i^T#f5p-Bm9@LJBuZqv*(MJU`>0Cvtet8(BvgW8ncVE89nBo| zdAMuup6FsPnq8EgeJKlf<2c*_ph7BVa7z#FB;8FZ&8VWed9+^cqMU?T9S`FRg55S+ z?KbH}zqi&V75f@9^h@`lwEX1>H#Crb`WpV`FQ3SJ`I{`(SK3H95-k;l>hWW^jvmBY zsJ&U0gla?Qf1_tHT!XDv-=kRO5e>Iit7YJ8IEiQBtv045LJbW_2m@}a)MBS`Y1pY{ zXgBHv>)_8omi%Aq8>NRE5=ai2iRBM&#%!qR28Io%YPcbZ^l(LU?#T4hSn&bcPj=vL zvrStny;{qLCS1Cm+U_NOnVXD%91KjR^jR! zlSD8&Cfq(HU!_Vo+)2}K+tP+3aU2PZ{Im*9(?%qK``gjh@ppQF&fq}Gv7lNV1wX!3 zcnt*#J{89y1L28*CI30TvHUrCN;g#;lZ6^o-b4E|vi6W+y9{Imu1)g&(VgN^Zb^CxmrH&?go zFpjT_xMf@57~3?E-g{L$BHl6Zk4wPa*S9z%4LkIij1WD@_1(ipN#_-u|Gd+{6t+dR z@R0r|(GIsk&2^gC7n?Y2#;n`POyp*8r)4-o*RyN?+KQr4T7|Fa=1vRSh*~F;eh|As z*+fUcE+s`XpAS+1k|lI9^9Ty_w=S^k#pqQ|g8Idp3{zFP7RyLB9v2ici!9YgJXHcIO| z4&WqfL{%g?P4q)4)u1s_+~iuy#~~SoE(`5E#e?u2fxVhc^-pO4T%s}AGT{af?RRs%Z7?D zP|wB-zp{x4iQ#Z_G)>kyFxNI!M`u^phv+Fu5E!hq!m^tH{Cy`X%DLTfFA28T-P2%! zX}Er%?WoebXGni-qu4!cC!VpfZRg^+kInJLa6#tZ=2&auJ!`wTviaib6&ei_aj^NF z;?VuBxy7>X2~IkuZ05aM19ur+%odgerA}vqk8FPAe)MVvrs>nVvscG}ofEpKSI3pi zr`(uc2UmoT{rNtoui7}hE;c1UhU*{>juL#mZX4_NL(?rb*q1k$U^hJ*SE8Eg26@kb z&OT>pdN`=TWM+LQJ4P4zwI0Lq^8UaVV_#Sw2mXQ$4FRDZ!<7wLV1Oqnw}DE2veY?7 zdC#fiGF53b(+Ilq>p7Q{(bMC&B&V`glJ_`Hb^F2V>r*22KZ zii5%0IG~8{Pu9VhtP|Zir7T83qdXMrV0!Ev_7cSRM{VA;{m;6;(q)Up4Gm$Emo#>l za@ohE=T>`weJ*R`uEXQ-yXDgXwr-NuL)v+*_~ITeldoFM9FoXbDcdUnb zQ$~!lv76sRjN#()qKhhB0RirvP+n(_u{z>gxPIFPE6puoZV!`ntiv!SU;Xd=VS(3# zi{a!G&7`*B1&;AlcfaM#!)2!zR3AAtY|=RY^WW>|aJ{weLi($Pw453~CYlC!>KN#m zbA8aknk@!wY_KAnW(&8G&c^W=8G5GU=`?ZE1iDYcx9^hVM#SGDvO*-%G+3pk{L8&e z*{06L;o!cTN2%>nQQzaVur~IF;#0N~Bl1o?#^;OKV0`oLOMlU4gZE|3vD4xwN=c-t z_=)G9hSP3cf>Lt281{8eq|oW&AA30i77d5nK(p2BrXWjyH=y%Cj@NtbYit~aGxh}G zj)MbS-i|g!=Ivz_^0}ak0Wx_|{@;K6r|6CT_3uB0i~R3Dg@XF`pTk7_`%ek}?g-3E zX~-ct0)N(*r|{268iM29I!P0uPLymlWtk7-VM3_>V(_IuSy&$iOmT!Dfq*kfr}eTZ%h4@G5@1uIODy(Sux;+c;7Cvv6e24Jpvm0WAZd>6A>t;A{$mj1%OYv6zr=)ziz?sz| z-RI9tnMp2iH9qz_xQFA@nG-Ne_GKlHR)4px=y;>ggop2iGZxXU;Rc9~EPs5?5k=}- z-9{Vtg^S`>Ex)U46WTSuQjAaHIOKDNc(Y;P)2!;cNFvw=t}s~K7EWlL2rs&AL+j#Q z9KVsF5|FuD(w%g{<2&%g8*Q8~&$gpXd#8<;GW2og5FeFxx`uXx#j#4Fn7`epcip~6 zrub_Yr7cZVOUdokab)F;b?#wGvO{z{)7OqPsgGxdVKenc%=xVr5?7eUNYci^BXX1b zOd9Q^UU&J^Q@sO42w-SP*~346kAsJHe6wdTs^<7 z=#tML^>8>B5!Pp zV4U;IeI#>RWm54}3WpZMm*=E92Pfr>VWclG=uNhu9DR2gVZ|KVH>C7d~ps7A}D zZ4j@5$5017$q{gKlPFwoqnE0NOQ|3}7_HaqreqY0-ENpPYP4pPkpI0)hI+K-;Xxl(9+sC7)$RmCHwwJ?eq-Lm&^O?l8=O&tn7={KhVO<7+k84 zjw@Dmi%d8jeB9FNvn9!`B`4&huGx-A(9acAK#2F1{?K*Z{eD*?60{Yrv7?i`1PmlXW?PaGulQsg3XFY zvAuiNo3P1rR$mG3)!ILq}c{YX!uV z&Ak?m+Lh_<>EVmAre51%HJyTad2LK7b4MTcwuv@+36IysJVf{mdtDr7@CRw4;#PU~ zS0W*vjT247WG!v|YJKn7m_Z5{@*cyDihcR3ZmgSdbNzCCf88(MfL`G5c8Kj%_;I1`I@s{EIduTJz2V;En22Dvv4 zV8qKN-_re-Kg@AtP^%Hqf3ksz{+z>TXmiWgp>`kA)53+%Wy%m zdl!dWEkgKi@2XZCy&pc2(`t7Pbi^@F3w!t^dVL#H{CO`f26``V}TKksv{QDeRtz zs;FAzNf4QN@?5_2oevfru-Rli5haNZCW>nSj>CeOyoA90cz%dYfOk{@5c$I6BwtIQ zNG2mchbdtM`aGo^n;75gC0oYR zJN;nW$09o<{@@yC1f6oA18+Z`;VZ$-DtuZn{MQqG)v_ri$+IM>eh&G>%djw7vzPOVsd&9xKkgUtO zPyddmE?xg`r{Y&~JMiv8KilnLT_?YwR1Y5v>`wGLlAv6*HAeIOR8Hi@RsixGiC~yPZ}O?_)9+`;k!9 z6hF`p;%D^9?^G8@4BxW(CR#o{9n{qUSJPyX&vVg<9Au)Eg4{gsPA-SZ>-H+tdyU|`|5 zOjb~l&x4D0;G^NT`_5odBvG!o_LBg5@_FE~z6nA`nJ?C610cqi;;P?+`i1>PAA#$| zmnpe>E3)VLXzcEiH9fFi7CdCE$4SZDoy#5PNeP#%XQq4;K;?8DL@$J0p?gm@sK`O1 zN^^3!36FA$mj#o;AyRk2!gtF2Y(*`QJsrpWf{M3$bC?b#Wxm+5A+6jFU+Ih?JcY+Q@d+pm48RKXc|6?gC%xc z_!P!T+1I7v)KYm|@0L7A;a2pT58o7bd868ntG&u*p%NHJMpAMc1qYA7sT|hi?qE2s zZhH)4uP|jn`?xQUH60*qGdelGAILLzGQKIB(~@T*7s5aqrdT(bvIsd?s3DP1nFk)~ z*&Wv@6(tGT0`s|WPT0M)Mx4F=cYfXMffNVf1vU-N0qngdYRI2l-G+@Xfj#`-K1jm` zqr5f&2H^0^k}CcnS}7~K9@Q0*9QVeH%En-tqWJ85Z2cHd&&O_2Zg*g$xEQ+3ndgeK zB0d&}%gGCg$;0EW$3|mht>@y>{T11g6V@k@YM<)y^l+__O_;HPhICh0lV4+qDN87@z1;Utq(kPxkcGbhxA`>pZ2ZI^f1@%|+Er zY&EjVwwv+7-Icic%9rVQIvUQt)(;k)1b0Nujk-{|$)b>mpXkuuD|NjlAu+YGRq#6y zofmD0gYAVPq=r0yfy?BTH3hkq7AW&MadIv^nOAO$IXx)i+YfP?yoEERdAQvAvvC>C z!`1nF>J(N|`_2Q)kGu|JkIAcrWBMHv9^j(1(IIq7=?Ct2F{FL^V_t2cyD6n~?B%3) zWc5xOO0t+7-lDm>a8mLh=`%&A=wrZX9`cw3DR~OZ@wl(KyAD$B3)TCHRB3hSBs#_h z{>PHSAt#g!jR$IKDdTd*ktvPDuO6d!Hkc*!LR(iQ6ykRxCV5euUdnwV3W#6S}4 zYP1HJ2zIi^^kfOWZo~?nToiXt+<7`aLnZ%|MVc$_9-9+GC|T+)xmT8~chEthUoI>G zK+@~09_wck7=5z%=}yIwvRG_N!dM&&H|uONR7M%K+S84wb(su2Q(ngO0E@YBqG&7I zCMRR3=y4;qq{wH2hR-Ni6V?dTN$&FIQ;UGGh9aUcHq{bpoUNHMU~MJV&p|5or`T(y z+Bv5a9=A|f6(j$Fy9}UwgGkFUISOf#q%k!j6rXj7is-gs9n13AzP^pNDVvhWKpXlR#}?v|I0B_9UMZX064m>a>)@%q+a4 zeH4)U>I>>!Nq1UnI^skDzuf7J^$|E=3lsO2uHyO{0OVytIQ7&fU9GDauY4Y|&Qa&d zjzgc@JJgc@Luy>;Jse6qWW-|QC7pkgxDg?yYeT3eSd@eLFp7Vgo<`+s>A1?HVcXHs z|4-;T-59oD;X2_>jU{P6p|wnI_z85I zZsBxPYZfs&jjbK;Rj?dSr?b6JihN_;#%j(^gS;t^aQ-UMYu(17x+6gVUDEu^^?i40 zvl5!9dQa+(q+3nHW_B?8c}|zoWwGjmg*7@De|0vmJit&f{^z3&DClfG+-+=nWzQz% zK+N@Bf5Se0L!8((`nW8%rR!q!aWv{fbT4cw3;qVNq&^C3CAT}&hfHf5I?lscleu*v zNLM$PA!$5tWbYd$Zueazp>OimPZD-BL9G}A-1zS%dkcAS)Z;-)rSeh(Oo)PcXPF$1 z?}t=Fw?NDoHYRKY0YSsoasSuHa6|1gUP)YAGY21SXlWQOK9-9h4mM;{iOhVN2h@Cc zIG~52GkLiFkJ(4VnYD1ro<>XnWAfbVu|u__TVkBX)?Uu+;2MTD#*x{@*j>(iH+kPg+T-Xbs$IsY)$;~0}Xpc0FgE5<2I4A#qw;%=?262?whju^Y%}o z{0i4=dNJ8nfmk0H7%kT#_&hLhgpBopC2!R)YvMZG=7`@wg2?=!Ei#a>p0=nC8%T&~ zZ0cn;6uMF&300XNkf$J^24-#dIT8xw7O&}Gk`A1|VQzWiV~20pl^WF6lFo3vo$Dk~-g17(h64VX(5aHn*X!VMxYFx;+5c$mW|WOW=N1oh-p$iO{-u7mW6tVrb1ypkv}g3?{moF0Jw9SaDf%&-r5PGvAN1RD3JtakhL|>Sy9LvQ?>dTosy(k8Hn9Fk>WodYuZP17JFm>0i6K4*me@fPhRlM3z#fadg zJDnYJrR1N6I@!~o^-92@idWN{9ykDX>As3n`G;F)*#AJ6cRF0h3<@-UvxKVy)aS+^90bzgt^`AUQ_xE4_MSsHIfBkoDG8qkX_!2y)IZao*$(WsA z@$+7`^*4jIg_lH68?qK+^K3Y7S)3#fik&8#&2923N}WrZ>p_98v{JtNUN*fin)g^48P+VJTE4Z9TkNDKW?jFzEn zCBV)g+fKqM9N?B&WgdcrPXYBHi=#|3=GAdEakncj5kKcZLf9dv(P6?kE7PRQCC$mj zn2i%e32)!mg}EFHSlC(kw972+EqB@STDX6Km8N%D)u0&;apO_{ zojM3xl8K0l;SeKkq?FTC)W(=GTg?$d8^Pu(f0BdQb(_}6?MT2b+u&pt3%r1pTDg73 z^1#HlJGf}31vMOo_Mp2_q-C7p^PYz_GN3ZE71hC<_CAwu$TY z3q8ENIq~hWdtgV|1I+M$9;U&gNIp>CKm*(?qUpz3cnvI8QHy*V{u0^;%ID#=c7xwOaQz z?IGsnZ$gmTLkt#gqatj)ty*}-wvFL^ZSq!(0{WP1=Js|esOs*lAd+ksS2@YHl!yJ! z5nUxt{@0{{Dao4RJ@B#)(f&tvQ-d2(c3?Jcu%s;dqQ=)5{crthdd6p zI9*(*Z$;trqq4ds$~k$xP2%#0_Au>(`~8aUp(EHzN5h%oBYAo%`q4|?(cF)51X7Vc zc0ESpk##csxpZaePRGCu9xTntYh&uA>5hR7Wq4gVCT2jav1hWu7#OfG^%W4Gf8_LY zfwU&h8Au{;;q!C&sF3IKbqBaa+>N%uo7k4B@)%3j1L>$5b1YordVXyy7w+_CHgg(P z!4NZ{wmH{B9O^h+pdm&V%$^x?X-nc2qx0L{=O<$?k2Ks9dR*@5ZR1-@-Yq;o?d8PS zx;~N#cWmq%_+h|_>xH0@ReF+p)H+|tZ~G$Ra$d~J)8=Mz99*IM0Wvmbxwo>1r6pu; zN7C>`uF~ADb-cH^mt=Hl1F8dd6+gVD;5fH4onFN%zBxDR_He(HW51=3yJtcb=IS`^ z($w>pNl5w`PKQ-ZP>U!)^>*yL77d*|<;DuDpdDq0_ zuVNktz22~+cEFm`5XW{+Nz<$2Kwohltd3atrGdj|{<1w4kEuJvZMGZS8h40ogCaM2 zmPOfa4;}(8TnC#cFNA5Sm*yUHF;+dlv0llx zz%+S1j0XN-9Kq{h%*-`et->M+?rGX*txvCyi47X|G98Zb=w~cjdqvHb`NFlwzNAqj zok+)C3?e%6Bvl5V<>2yk%zs)@g~E>V3{0VW%vbkJ+;6t&dk=>2BH<-7do)ieVPRO@ zJR*#0Z}WVr{8kuu0srq)DeK{cD7@>a5Y{cp{g$=76@Qb~Q3oF+^wK(-q~}Yrrhm#- z4CO*;oj&&T8Mt)CXl9GS2Ik0=A0n+|VyOK0jM~wSP|&)?rBT-&d-k7fp-pFXFslLj z+%AsK9QRDLZWm|ZY8>8$h$>N=`$W}(JSVa)>wFpp+)P;p$KwoRV%JcF1D)Vh6K zV1iDJ)-`a=wmBRxotfx}pIy}KJ*{hE;PtQfH@>1ZYpU)7YTW_m_i3}lmI}4Zuen=^ z%#^ERW4Oq*T4~HDL@BkdgRhDSH2_GQyj2u#?Wt}DdwajgOR`e__h0{`XlhTCz=@kA zj@gM`F|vh?V*TlhV(=OsJ1^ueq5fmY(!90s5f{a=KxX2V`mMqP#3f+> z{L{thW#ubj3<1^5R{TJJx=-$dZKal^_L`EO4O}v3JrD^9xft#sL-qI4@-LL3dpR0k zO++DFkT{#nSmDm9zWF4n{+*X`8F0=$iL0P>Jq+p{4<}rglw%D{j*TL;R0{K$IvFbv zUo*ILrSF@osa*_8Dt;e}Zfun(c~xGLh|@Ff+Zd8aWaFyeysD&q2g4QT$OONtmsCkd zH(-f*i4@_&{Q20IerYAuc?NFcsYqVj03!cAwl(Xc7&1)L{m*%!aEONlCq~} zDSF9KU6zLYMh> zp!mD`m`t+O8%T&{$Zc8y(tSD0qUft=a`X&br9$t+#aMCNx#cpqf}U@`+z%$MHN@se z&%{aX1_})}9`_*GK~T!HQ1#69Oi9rh>vF?wlzp{oA!X^3+v+~t=Saktv~Xj;LVN$B z27VG(SsH2!ImBe3XJg-;`mS<4_OGl1sugh(8#k8R(Y&#fncOS0r-)FkQ|Qy4B+k7j zvOM_2E)HO}*}5*?dlKF?t>?uIIG9ISC8jL^4C~gu z*2Un1%2lUHU=_11RV)>bNI~V(8~mf;C#n!J0ZlExtZ5ns*Gd}_X_}5pm>A91c9SV~ z6y})^*6||mOI_K0bPil3{fC`zy)pgQ8sAvcgL-5tkNJFBWQ;Ya=2nX||2a_pFFokct(N zR46UrA{Yg4`zK{+w{ilg7(A{{lDsBy<*@%zO$Z5#O(%k%_uRJ?|K*+hrVH{A#v$*M zIT1xMNAM1`_Ukc;A9#xDfjLwAGCY=V+h*(bz+wJ0+=AZajh8Dy5+;DP_@3u$cIlqv z42XW6-iyzG_t7JX;~)}%I2&q)TzoxvX^g6}M#^Y0yPDUZiL2VT95hmI4zbTAR~{>A zr2IRq-1BTSHnr9yiq0yp2hWN-_gSZRajXPb92KTit^g}r5*i-fpD|YC& z(~3fq^pYKsbVazMn8(@by4b~WVr&j-F5Y?enKfY)PP|*VSk3xnAFKH)v>nhiPsLSF zR$1ADZb}bV2)d3hasWEPhM_!t5}z)^JI*=jZ};$8t>3{6CucYH3q|<&{f_&AYFMqW zb}`BYB|rKS?Bc=Y-tXhca09TIj>ptH4ySa@X(xBLc_AjDa`Ce*qxqpfpU{gdD}RR} z0fB&uC@Lh0bZ;{T2B^f?~AwheR@ugsY>Q*toL?#ivEKXnyDezBg{HAxQw zbYAs7c8`j1{l(Ijc*DAmvqr!q)(xyz*;5t%*y+_w`7xgEzLf9+cL(2Eg2Hx4oEKH| zGZ$<{PPGrR6X@t7Mb z4nVY6O{3R>V01jaUJ4D~W)(GP^zj}a@m7<8;?r*vM&a*#PnLd|(Z|SlSGfPEqB(ue5H88NlvKC91dOt$4-7xS~Itk-6CGUF}dmR-mS84NE3q=_==1OmIuNn?kFh$Gf9hVWHXrgmSnn|>I z1#CVSDe7sm%WE{VSX5z>n&D!q?KT_A#hw7#!XD<0Y3``5nO%IYDnUfE+k&mxvX}La zAEM$mRb0E$;)|Fn?hbXHt)CCumTG2C!ok|&iM_$c4G&Y3fD!lc5QY$NFO}JRIkpc1 zBBq8Dr)?sOW*-}oqkx)_;kFjqC>4`w;dJ}LQ*OpnXLfTK3^j-Nl5Nn>rj0qm9A*b{ zE(Pj>W@%8$;0W43vL{RjXNeXG>y~_*kaTrgw&K!E7w=?yJW_nN&}Y_|eyGaAy11-j zk=#AKGAFt$St`Ul42?X3o-jR}KEF;@0k&kk6es;M)ivdL%)WO zTHcYRFqr+3hPOyaM|!$KlTNaU%h7X}@IiKZ(7QBuC3W>B91on_CqFph=|X5;RZO?q^?6n)sn6ScB^xE(lZ*_|#Yy?VBa zrYmu>c;8U%yf}C4?0#9e^*Bef9o>iVyCn9BUMsW1aCNElaZOZQ^0@OE;u*8!V#mpQ zdWi&dD;pYB5`1^OI*u!*o@bBmjezAE$;bHt=ruDf_X8#WmluQmoGwFlU~Dq`MP1Aq zSMVrjk}TcDt4Lo7Wep2gC65dtdDU3bR?NhuW{?A7O?>~vd>KJ#sny-Ag+0A|LZjpX z6!yQ3bF7nanHY=)o)weytd09K(5tpJBVj&v1z8(AVh%qK)Tj}ryET7Z3CYYX`%mIP zX1O?pNCc$=qd)S;)1mN#jBnRBBZ>gNmwY9L=?8HFoH1@G9Neo^t|9A7@wZB zYd8aXN;mcY=|A+V4ff*e;e2!j&)e2G?j_pX)^sU@D`z(`LEaxl&UO>CiF^>4+N}os zO#*}$h}n)3Nucgz+8Va9v&yv1TzD=Ut(xI4-__?GOtuFp}r-pNRm3dD1DmpAC_jt(>7U)wEG)g{- zQ^%@o{Ky^W_!oDb-?>Ul`CpFtzn>!GHl(*<`5L(8It#pl$#^zoH;R2Y?rA?8b(nvD z=L);06~2hmz%$2VubbA(*RBjr$kwtQg3AbDDGt`(T0vD_#GyjMI0$$ zHK&cyx7hqT7S5;IgPR;euF7C+QWQt?yu1c3r_-t7WMTO9JMWQk81~PB(r|2C_&?de zLGmjK<218^bcIwMtY~z{!TgqFm|jwW;5lAp8RIr2p4$miInU071ZSLNQx-3ao zXHjD=jd7xfk~KH&gZMc*FT6V*CMGR8hpuLF_%QiT0&vW3qk-Frs@zw%fn&Q0`oe8! zdTX80%or%?Nw@KZ849MW8B*Tku4|8bod<5WLv`)xJh|z%aRz*x63S<`h|+Kq?d7&Q zmtnVk7IF(rnYh31WalgsweeKZPjLA2b#S&s4{>)j?8zVaR<485h)(jHhVxyxEdDiY zkE@&`7w0>?^~G_b{E;w7{mZ&O^^%K5l)-=CY0ho2yF5wxwHj2&XAyy4!z4^)z&^ijVxk^3UFz2{(Bl)(OTU59DQq?#$WD&mz?HjM zyoxTy7eoGM=7o1^U}#>2ujDr>)J}+xShT7Z^*fi=a>#sYPA*>!5ADki`_P*@H-g7^xK$62j)QiHcnv>JKl5hrl1>qs{@ZANCo&7PBd2e${kGRG>q48 zWX%)$!?I5+@hg#(BF6 z_R+VoH%W2SU4QBw1FFFIHtLVM_W1kRB94XW+yRQ(cR$M<%|$ecv{_ji4AoBpOj=P%1V}~&`*)G5Td=Wfn z@r!NvR;{5KY5U<(wrVC063;yc{y4VZs^Q{~V(Lri>vJhQ0%Eq{D(_`chAFpdP3&)v zl9Uc=;b?OaTr|7odgK6Ykzc-r>5R+vs*MXO&LUiG=+mCaG){-dqXxbxIy8XfHkmJG zW4)Wr(;1J4qDWt)Ud&dpG&Cw7UQMgk(JOz5sYCd6J}C`%dg+u0bh&0gcj3>nWuzu)2dZ>jyusyUb;-DTdx_-52qQg{at zMiIHk*U>bXyszhv;cMZL`Ix=oIGa&Hm(}Z-pp?pKBK3I9yy-DO={uK&1J3`x9)|Oi_%!TfP4u=j zp8Ieliua`6XyNGv$!fbx=C8)oEqscGrYPT^2K)%QMS(wHYP9Oj8WcyNm{r##V*9Q) z&dFEKG<03VRGm?kh+O;N1X3#{^|k74OirHn?kD@FLRwG3aaeV$g@bb9_85jQRjCxj zV$kQA6Svd*R(=+DoZUL)s^Bq)g+GdWOt`|M6U#l~^~>8{?K0OCBgLxvJ0L#Pk;k|! zcO|a`mD!y)^He~BiewbhIIlAmW-b^HZiF^19&Ij*+a2R2O|zNrA0zpBoXrk~If1Kk z|F{&?H$U8A#>*s-($Ovhdwe^^v){|NA7hl#gq$CF(+}mXf=@_`e2hKo#hdU+=WUjr zIOt`${ceB828R1EV#6X~o)E>Lo_Vs#CeNR^#T3K9r7PmgtUANPEOUM66kw2C46~Gt zr#`7R(!exeHc*d&jVrF_dyTt-L2)qEY>B&C zcX5C6bU%OP%J6gzG7+!yMecFyN>h35-3-}%iHM04y&!zGu38vE@&yNlFIRymuVR{s zuZBTIhd)eqtC#Hg57{L~ce$S@)3>u?Rlc5uX)tEPhmsw&FcGk>ADau}CJ!gs$rdIP zVJ0*yRUk-w0gPcP&qP>P4h{+h>*BPl-hnF*54Rk7v;JrXd7Zc{_8rIj9dTam7Lnm6 zFUB<5MqxT%$N^r1Usw1o$_ATQjYbVh+=miO2RwjXp zvoRJ@?xWGd&E+N9h(C@$U9_h2$i1q9OdErEDsp364GRMjZ{vUCM2UYI9qi$h7gD$g zt|{WlZ&pK7qOTAdH5fKhmEkgcl@3-g$#xMxmIe(C59_&Uf0#dp!9-ne?0NyW+RBmg za3FwBw2#BA4{VlM!?Yhbqh;1G58%Y>GLf95Pd%QB)IcWJ`0Vs{E`m4upAnms5_egq ziMyQac=r@NN9!kUTZ8E!6VdcKS08%7m%$EnX<=V#XU@G{)2ibebt(c#lV})C_E?A8 zTpqXF6NZAKQR!3{14*-k>+BCVT~CSTc4zRHY#GPI^HTMLMYt>ut^34Wr5qQ(v zzH>H0$}(L{4^|i<9sHfuPC z9I#6rFZPsJ`0UNpBvt{Zydo>G&Ji=Fwc(aau+b_;~?Qa2=`*hqn$mIdKk@~YvRXM7FmpsO3u#8svPTMG|TDMKZ*wgmlA zmvQIPGbS_dQgNVLO^gG>C$H7S=)fW}ia(6uOEYdG&!$t5dZgqv)%}del<(dmTdRc; zMzrDKI^#jKS{5F@UcoDAY54NWqwyBQbYTO>cfR!^KZ?JjJiNdUOL&8pj-qx(NY#J2 z68atQ{*BTl0juSE)zXsH1_3jeJs3ZH%Su|`4UrDfbjXM`;bpy#)0d=>n34{;j=MJV zSsr-w7(YkZwJjll5i7x6zD~krJ}Rl~_kYY=HBHEsII=`W>6zxxan)WAGMXy!pw7Yi zZ>-G>wsd^7f=hHEvVvZJB8%V?e=6Gy!u8vJl~?IL_~6(sC2zqd%m(O*hoLzdj;AB; z78-f=s8U~?SQN$v$0&?=5sv&Dr`Z?7%i!`lpHw84fqve<7pw5iSVd29xIMW^Ln9^IMh3ChEwH3_}qiCNd`Txq&f)1I>%q?o^7%EYkg9~YNgw2E{-`N zs;GPqCnJJn{eGz9@xY972qG`O3*)t5S5P+I!+CCywrTkqv)&tzy8jR(n}5^2>6bvO zC3Eg;CQi)hFYdCop&Scxl5T6jY2I@Cex#EK>5UJ;uNl$+G+)h7mEU z=sa9ee+@>Ghs$|>YUoi+%OHpTf@)yNb!BP#kJiD|h^1|u150Ue{SfqxyMEw~ zhb1hj$}hlY;GPbD*6JW0h6l`NhapI6riVn}1^aQ^4~8M}K&a|~gfM5+`~JwHRFJ@I z?%wPt{}ZDTzrKprBq@x*Ty56e3n?5BjD88@bh04WqSR6>L^QofDZg5G{6-3I=jisF zm+xp1OiY_lx(RX;abb;NIgj(&76uU8-uSlf-5tVGho38VJkI4Xr_Ct(ZS)#WS&>TG zT!z7?K~u;Y!DV{6%zvtnqwoqQtL@`^RI)La2CY~6IL50ULy~7rNK)J#tA_Ce-I0Lv zXp(JKUE{@+{PsHb)`1zd>bME&RI3ca_3J*2jq!RJ7p5VpU&gxneE)@InRt{WC{bIQ zmXHcgi`B&0;Idt9InZdzY@HUr3h*WjlDB2_ZcO%%OJQEhCeB&>#r}kX(xRXGp-l}+ z?z6l(9XzNQe?wO@;Jsu=UEC`4bM$au-kfP!UJLiZ1#Vf=$?{vc8MUm5kW1ivNwH}J z^o&@YIwsouYEHIOzk)CSIa)>jg)x~4PK2m80}g8pz>k+;BnWOZ7&=C|X~Wg>UpmVtHimD&JPK&-#mPy0mmy3@vWV`mZX z*Tyg`Xu0DKD{)uH!XPC`oW-RaXik56vjMZuu8M|*e-g)CX8%n@6mv>#N=fwC=q9`9 zF-c$Ko72IXr8jfR)K`b$4mL4mO3J#)nzF-utbq13=GdURVqa`@l+Gz_Sl~UBPP2`@IAY{>2{BBXKq!ED;MZ)W3ZprBnl9E>1r#w~N@$ryG zJ6gWR>w?Nug>k)JjH7UGjO&?{r!ac`3xU=ySQb{pfH$RpE`2{%!+o1sjz zX+){MB#j~OQXnO`=@N; zm&Hts`*fpdV+2vC*em%Hw6Nz=RY&bB+;mWKGVLp0 zqeV(V^L7LG>wndMx6O79w@#fJkEY=&B+TtFS|#awNlJ;9!Bxurjw&M(UgAW{DY+rE z0=#AMsqN+|S%uuBtwa8zM<&3>V>%$pyKRm1RDGF?>Wdsm(ci&jgVE#jGLqVRwo3Mm zWTEbUV0ZkVSv%sXZ?|89w4inH@m+GG!y_H>MI~-?A%&50%XvP4Sv-oJqxdo26`~(m z5I4Viy^#@k#{W@#f8CX3G(-@~18nI~2j&NGvXlG$g*4Pzo8|oK#Q7j6T1g0x7UrJ9 zb23*O{*8cP6~H5-EWrs)m6os z8z}vqZOEkDC23^vElIxxL@w}X=Hd$ zd)RN8opixQiWU&6QcCj&+$5bJLC%~!L}^Cdjn_Z7*}sJ zcr{F4#hfkZh;ZHlY(#3GnB% zao+rndydrTH;R5okEOy4>(t&pHUy_YH%zwtq`Z^>;-t5?abXO$>^nA&nVkhc$x(=F zxgnZ76boa19P^jizh@^ z&}WXO;~;o_?}fi#BV`)}%ro0Ow^pGc`$v3e)z2_&pXtqZYq(tf)!XLQY`CVL|B{R1 zsB$PesPkN{8|`=7`Qi-5$k))ozbaf?w~puSYI^P5E1YuF+b*~91$to1)o>=?3}*cy zn|UYJt63VZxBNYi!&>u9r?PP-9-4Hjgxb;i{Vx1$xQ zm;K9)Xz};UuA*yczR=9 z-3||V;$QK0&qFVMD{@b7&o$ktKy%2VM5@lwfDb2A|NP{6HCzztPTB2P6b*)KdQAW@ z=@q;hZq6wbalAU71J{jKlx5JVKQ0d6$y-P1OG1Um?CB={iWOpKudSg4QU@62tPHs@ z{;YRly6GIiONX?GdVshn{@Ewjp{0})PLy%0Eiwl}XxQFr+Ec`{Qbwzp|d@Y0V zfK8400S37>wwLK;k_$5PPuxO};i-o-fJA8Bd~h9q9s|VPX#L8sp24=;X!W>!S1T~m z-?Zy^xFMjRCLydQ$P1^be8`r1wuZ?NDs9ikQ)q`=y@c!Jt>7}Ne-y{Cc_#rW{&zYO zY@X~zTb=fdIvCcJH60E3PoXfQ&_63L<7!f|2w3E~SUr>z_;@ZZ>}a;#!%XZx)!DfX zA~*6$jA+QabUYuw)UZD~Oad>o0~R{TJs-QjK}_S8w#I0GAaP%wfXU(>|7{%eH2G4P zxMw^WdiMv1=JdE zB};MDbEY_TJ-d$U8XpB&zKvUMO6r%sgRukNfY97@TYeos@R8T8n49$-hB2%PiMr*x z8hV}&w%Ntqj@fW-9xilm#$_-7X&p^>$v%Bdw!6Fm-gj{>*@*_BQRE`Y1u=>xpI{un zEH3<|u$HoGp);7ik2@#yJLuHvn4NMq?T>DP69u2FPPv$dS_~OIE`^n_Kfb5Ni&M+M zp#>xVX3`SSh5T|E#i?E4*4NJy&^a{|7ud*I|4GjJtluRf))moQ(p;$|E%`bYZd|Am z2>*|^Ys+mMS+ZNzhJx&tG zL%1)bjCjM8AR=oa{%8qF7U1Z7IrG_KWRB-f&V}L42JXGR9C-4k1deS5;jxr{?~CbO zq_ITb#JLI*tKg^{L?yi0*5S1sdpmmFx9m||76heV-jslsbw4~gpt&z8nKX6s${yUe z{bm(bm1+t%tSN!3)w*HLu7+vT@~y&=M;GmBA9$%G!?2jk-U*4zX1mGpp}eWFG9mFe&W;$ zK6_zLa-n%GvTXW081pQtUh-C3GJEdwRcc8{{El>0cVPw9A_-!h4i0#$BjK?_8n~sY z7=w4_!PDayzFSMFwKSZrCP98K(8F1zsuyJVqLtx9^e`rDdib#o*Mc}O)j2KQlr-wf z-Gdg#IXixDkYyiF?vlw6#heOBVve4%``rymnSK`23-i|_d{*Y+_d}R1BJn~iJ|f57 zbk*ag1l(@V8Nacwh66?XKgF3(W=xPGjx%jxN`^>Wh(LL}f%67ftG65auXHE!b`$qp zkjJ`xiNaNCjoT_tF_TyIBABr%_3)Xe)>binSH-@xC8X)1uoJ#kIdbhDJ}b!4YWHw0 zr-qhnGu#_|AGEs~0%#E`65c4ycT^K=iOEPW1=&2>D6=fdwb@aVB@4v;;xS$+(oc;)~7@Bhlbw2ASzQ*#y%su^=r5v;p|v1usN z*~D1zxs#_aqgC)ds>!%aYv6u2ZcjF{+t3ot=y=PRjBV*Yd24bFV!~tQ zMPY&$%h-r=jBzP{5brcG@ae0~CSoL6j#H&{Iy$nUG^g?!DL1y+{wy#r#FSte2%UFY zcyPeY$WR7B_(;C^6{eSyCxIDb{_t0>tiH=T9GkIkY@&>(x5_M> zd$*~8ahW^*Xl#$x50SUgQXR~ucGv8a7kdv2b@XUHRZp?O-~QG;93Tr_-2^x6UWHr|YS>lu%=rRMo-?u3idF z)qbTNjjNJo4Q83eQ_{oZD5}S$aJ7#~C1nka?;vfGCegt zT1!%ft3vGw2|N=l_B+T)$_=_odIGiuW=4 zKm8D+`p>@?$BD>OZ@^s`PzYWg!<&C)uD_F8ifb0`9kiISDEhVC2BxS(_#obG;sVFa z3xgy@c`A>Ws^Yxc#_X>Zo_n{0t2G`4Mv7l}7>^#i@uTf>wRSg~-4zfee14@-N_oZy{k&vV0^k;Zz|NJxP70;@b9_IDi|{ zZi!T4As{7zUpZgB7AB?wnzGl%zewuj_S(2JU^Ytd%V&q6*T%@<>EhlT(mut+_;LNb zw8y}=?2P^M;HQ6rjG2G2vP2wR$;K4$Nm|-->rBV;c{;S(wc~9al)!75i;AsG{ zsz9p4I@<7S?lDZc>b^wok%`G+nFMyesz>JWehVYX%%`Wrv#*SedH$C6+t|GsnWK?8 zOGtQQT8ex|t>4BCZzJ~y+0$#+FW%LD8?(zF2inrEQlxRC2+pvgDE3JVBXq6?dlBN~ zcCz2WA@;}=^|fTKyfbB)2xb?mj`sQ;tQV12(bsSo&}wxx@;8;qhMXTiENqmfLq+GE z)bD6MD0q?mE=CPGi;>AGieFOTXvmt2}Oqh#$ z(@6*y04`$2Nm@eJTpv`^mo%t5{&KZ=-2S_g~qk|NAfT4gUVC@D)r-CWSpM26*-g=sz3$3z%e`EOv3?S&)jB;kx<>}QRv3zP8g*4b-@=VD8y7;|P| zP-4|5Hn2}7gK07gXIuyN{PdXK!2RId_coPIir&Q3FKoGw!eVEBCWcJ~@Wk|X6FW2~ zaL<6w%NKiGQ9(EJe^6I;>9d-DZ|fhkYq%cVdI8G)N~V~^Q*qL^`d*F2iC>r50M z^do1M5|1v6*+;U!*uyx8lk-cT%M41A(M>$*@y^?dnq6)dm_rVa0BZWnYlU4q+0K{}D=q8I<-CEBSNN?-3I`RJH63r@ zmj0MZg|9*iM~;QCVikrrFg@AO^`p2dBBt{Cul_Ez+gviZBsVi}zCpwZelYf z`S~WchZUZH(ZCF-BR_JznYRpIHhy(+$Y@|!ZD2CRa-((8Y0pPGq-Nm(s{;==nmAp1 zP!NQrtM;)MIb$O`dk&Xz?Abh* z&^7v!L_-R29bApgxuS=~^5XfCHdy z+52ZvbF(FZ!`}|FO zOj??xyL-&7kL6u?k>cQTdxlevraGprbG;p~0MGR=ZiWB{0qv6LHcY|$pOigP^bQ51iV#;=qJ&WNg&RReL^}QeSGo=!3 z%zk~L8@OVN-}RF9n&F}_?$=L3yX%`vyu1WK8xt3d>l*+VfaP{-Mw+QtKzqk zj8MC%)T~CcfhnbG1UzB^oNp=={6C$7ir-~keBlc=+ZfA0t8I26u3g5`mlNQYIVQId z&fcO`R9vgLJR>C-zYS*RdSO!N zBFUVK?vo{Oes@J8nGN~J_Sh)-kF%34mciQWMAqi4{6ERERc7_`D`7|N5W71u?jTD7 z=Ag@k7s7#aI#hdq*x&ivaDzg>WFhEh++}H5fQm>Kz&M(H;O>rRzo=)0*yUk6gTVb$ z94(oa6)WM1&8Obi!Lz%0dp-4=R%Tf9c%Ecg4Aebk=mues?+q-Ct5r(tVQX-k?(%6Q zULqlh0?O&voYfSPIJR4^0?*%WSDwEXfC|!Y38?XgjD$!r(%b*^m)`^7=augg^t{7) zs7JKH1^$H6LBZ5A=9Z#2FZ+zkFcWLzxk=8=#S@CSei@?27N7D9m=1>F#iS_IIFCp^$lQ%#?IFA1!+IOyEbTes7G3YhZmKsju--l7~ zv^?WnB%v<$?d7mdA&X~xTUU;^+(#8Gs6tNCKT?BXfL7>Z(2N@Y*Z`_tiU#4TTWC*e@|*jhMu>EgYlI%F`o-(fg+$zs_a&`DAuy>ywK= z8+SWKVQdiJ3Ik3OAxUy#^HU6vG;?#1PXitE%9YlDhw__05b2buw|QB{V>2Xi1FZus z+Sq;d>7$naE=B_kuSb(>W&6X;KaLA0q*UJgu;`qU0B*qY#GFhzNC&}voDfBPE^mi~ zKj+j|u;7)unysS2dvxyxPhlmbfaFYE?&0p%Ep}fhKG}cDj9 z=c&zb&1karUfevAlx4eR;Hn$00}DB9McHx}SIE<6O&q#acE<`4obw+{29p_Gd1l|U z@!5M>I5Mhp`Yh}R&6J^HMDBO*^l(Q)3;!{|2(8(~v&hR8 zfpVr%@FMbNRtQ3yFm^Xf;rc0h;4Z(D7Z`m%^W?<>@Z3))bYvDI<#sYN*}19{vXV^S zai5j({@D*e8n$|$ae3Ygw!6s9KMU_+3@Cqf_rb1wHYM@+(NPxMP~WetP|Po{!Oxd0 zizA}>I6m#}5!r5i%Q&?X(aXNhV(p)$o=P9Cg((6n(PKgc*L9_kITCH-`9H?p_|xfA z{$3RN1+GaFS8)ayu&|SmhEcDiOqcGKl#TlsRK}bg$+QO?F?JZPGfp1_6xhfb=nA)) zNoHh(TT=h?l}9n$d8a$c>KF%$N^~7vGGZ~KHl+AR%(@Wh;B^d1(MQrZLy}e(V@NJ! zKGY^g&{aFQY7;YITK?|Q-xWWb+QIqcn{eYDekKFj;zk)SOVy_GYD3}%OBI6JWwJrL zRq99WVg4`fM&6z8{Vbi5RFvU%tr}jos{g`R9}?%1>Dliu_p7{%J1oQSr5r%2lFLyM zZ>k2i(#BzVj=4|`4qXCcAGu3$h+^})cGFUdDxqh9%2~BAZT!F!%^Q#2qq|qelbMmA z-V*w|4EJU=v?lJ%`iR2jym(3b!RR!k6v0*1_{Y z&9_}7=3ZB4WHc2Q4{O|4P36!wJh+=@ky^X+$&iN|gj3HPnll$#Q*m*38u@GYt=u}A ziFPr%>7&SKTD7ObNGUf+y~5wodN_G8cj;J(9OQ5J`QMX@>Jl>k8e1fpQFXa5OvqyZ ze{Om!J!o|QKR&sM`!J-iCC$VPIU}3TCW1#XH^Robo?Q>K^J8`3jaoeV{`b>^U2rs{tIy($$oHOdQFTvwP)WHwwOW&5%<}d+xW%@zSB*qe40%s;zB8-D+WK$?KI>_C4l8cpBDt>mi{oy@8o0-1 zP@=5nBmcNj9O%NnmSbcf7~&9G)6Ry{F^WLq2gx zp)MsePGK^XJXoGGThBv)EVAS6UE%;8=AZnRVzr|QOUJ06Pc zO!hFxOv-K)6cLH3l!|+XI7unr1mrXa1L}7rb4A(6o_x+j?)p7U+g2kG?DsI1t-_l2 z`#9Y~pI}`cnw!aCa7g8!!Ij6V#~DTmq=ke#KMD_S@E&FvT3Oc0T;uCXM&Qlda1$3d zia&)*W(TA!IiiVBG|7;{T1hb5#k63bn;4rZjrsd#2i_9kZuU*gsg6B|zJ;>`6h!@V z@9+HL^Z!TMwQM(vY}sF7RLi+K)1?P`tsdMJKwznCJxY@8bk49urn#2E7bIu;enWpo ze@4&xgZdXbPDp|X#17%Akv-sqAYSLS&ptkOhK6iDtI`6jfiYb*)|9m{x5zp3gtc)j zsbXIo;doh|^vDtLat=W=aYWh#;E8Hq)u{_;;%)n;s z-_k#)ym~@vfDd+^r5a$Pm&MyaSXS>m=N8oLc+sLZ&$mBK#o5)!j#B6K_2zh$z~BF;cgOC zNVE;Kgck|G)%{aASzy^4{p4X}<)CRZhO!yfTt2Y+v(HJ6UtZHF-fF?)((B{g0F|xpGb=`=N`pY#+mHSo5&z_=l!ps`_MOJERj|>g zzoZ%rz{syr+bS4@>Dey!;*;#qU%tYKsOXC$M)NUe)=U^%TVZ7vqpgZV>*J6h;Fa|o zP6M~)V0UAS?Zh?s7G*mMU}YBddk!V_=1wN3_KE#WS{k8tWjT!&ys?(k;Z$?C)bNvI z;9MKtPT0iqCnrvD2_NS)a3^Sh#d8|C^;(7H;52avkEi0BGC~kI#p9R}KnvMBP26nz zOjg=4psRrq>9nvXgpEk2-Gqnh&^=yr14<{$X=C1ks+qPi2D47K#IZln(u^KAu+~HB zU?FEHjq#!^-Mz}<3GL|5!%Xh!s7Y3TV=P=oSe+FF`p%{ z0)&@TA4uxiKJ;>Kf>d~cPiYW`YL%1_fgkY}q-pSC?R|$_po8Pm=o`8nY>B(W>4Hy+ z_vv-9k^d`v39MO=Wx_9i-q-MN6cb*!^Ehi-vFbg{y!RoNO*xd0S(Lqfi0O~uHHc3R zIEkKZ3MOHK0RgS8O^KiD=yk~wdc4Jn{^w&*jaV$;>d0P3~1t zscBQpam+=IG8Cgc{Ptk1A@n%DqmPYtXa~!v`^7iHLT7UEEBrj(##={x2|1Tb4Gzw2 zTuV~J9OfMil=IU6{qG-P`ZG+QEq0ZYxLQGeoOut&c5B$5+`*8$d<}({`D+(f@CT~v z$lW$h-DX*s$G*6SLoH6U5q5(m{``ot;5|sK>w_7wv)t(E(i**7YCmddYPI0=J3e=( zW9vd3y^&BDv-#+bEl<2R&YO4+YD^*T;F3t@a_LXYG+3r7QOK$X2zI z3R#oS0CR zfd}Y1S<`Qn-wE?r&6&sMdH94C@p>s|Fbs!NqSv`%7THxN_(ds=V^v?T$|R+lASOf3 z*|P#`68s=ip!H=^@Bm6_c)Vw6^rqgZ97BN4I|xD?lOQ1@%Wn91Eub-MliT%?%g4v` zxcBUilkaqVw%Ni&F4dJlLIlTBE8C{n%{FEQW?`CSuYs`P;_#>SgZi!>d5TM@8Ey8P z9bBwC<4YDzt&2$z{~?sxCw+E=Bv$e>>hEpTJ?bl9h`ZmZhSCcmLo2_dsXP z^0Q{_h288K8j(lol5W2vw5(i;V>bslM0uBN#C4SOJ=sl$y~Y}_Cn1j+S@SFRYeX^a zWW6)mCCv||sO_d}h^!u=0Sh)6-&$G~sG%2&7!w(4vXj|iN9P2n7LylR#I-s)qL{>4nVI8$rJMiV|#I(bg_ojmg)2AJKY ze&Zm!#V|&_P8if~Ik-0)l~e^U#gq7_+^6U@`>~7Gn$L3bTQ08AUGT|te(Zm!-kmKE z*O-Irpv5sH?Bg6kcDsS83+w2zb^~YGs!Leyb`$5NDz1oj3$xK3D_*zziq~g4dSTgm zS|z%|YPYd%zf6K`Tl)Prj%T@}u}hs`30Sdj_N~a-7#ULanO%-GIYCjfycf)Z<-F&1 zyN9vORlj1w2IkSqMDnviP=gr7&;rgJn`{p-V;b5o4vxKmd$a9fB3hqasaTOC5tpV5 z+uXoraI}-I4iN~Y)$HL`P=CvCcn7R(vd!@Ykw(wk zr1U)Q!f|FXNqxg&v)w!#-n*LK zcrKfJ)^Kz+EMlmtRbzV?M8r1{k+{){AnC_o+YH2)wal@P(P5VqRSftIMtr}V-N-o?qZMj4TAwnILI1Sr>fJ!CdF9T5kZ{%!o{3+$HtsEOMY|17lgDa zg0uuF8S}Y2np%8(^xB5n+`q(fBQzfd3^>UzvCMbs<=k;_ zefvEriXb>prmS)*V4M-RI|iEf3RAbkaSvpKRo#x^KAfR$0|!d$IE>vE1_n-& zttIRZOZJFYp^(Db!KsZJr>on>&@C_e{ynLp-4aq5f^jr-#=$QkJiX+X2NTCFd7Irf zMn!)h7SgqGJWm!D%5xN~WF@O~_qRb5pX3+2Hs&{7CfQT;m`Az09n7R%aooCwUTk?Q z+-35bm3YQVho(EgR}5QR^M`^Mk%D!Fn1{{yagt@EF-!gx$v`jfk6kQ73&J(qcc%QL z_L0Pi5gHUHXLg%Re7)L5LrFoCC^jROi;7JlB(OWbeSa0(YEjA(k_=XI;dfyiP))#e zdFCTAKrxc3C+pfBE=}nElP|$#7Kykl^_xpP4iEG)BrdL<7K=4FfHW4S3_k4K#ZzSQ zJLWMh1b8|tP~%(+4M)h-(nnyEVHf->iu01$Gw+WH42Y9LY_o3<-Zw>YU4GVD#>z3E zwJ@F2id`i5@St0x&)EuO_#^x4yU7CkHW zS6B&@6=UFN(qFamdyNKWWF0=-P9)mRolfrf{E8QayHe0lxN~ec@M|T#LSq{tITrRc z4%LxjuNI|{C*n|--o~Kx_#Y>q)D3K1=L98*v*gYEu`l;M@*mh6vQPtJ$ zbul32F51xBzJ%+*y3H$pY!ktI4L`TXu==@Al79-z=C`4^dV{!-!258KY@)S)9(HZSX}yJs?!&Wrna+u#szzlrM(T{f9cw6oc78~P5_v5fj{od38p@~e0jtIjiN%D#i~l668> zeHX_Tz=rR;IErqdDzp0>pDjs7S7pxk4atg=Qkg!-{#uP2W?;~!OX5Bu0#fB+jCAC$ z)OuULT1Wu*e&siOY&m!8!|+q6_Vh|D2*u6S%svU>)IhX)7N_e*=2zy)V^UDeN7m}DeQ~P#G>)`I>0=nY6u?zjXhg%{a4!E-fw$A6xCi&axSomC-0XW} zl+F{0!(HlA5b}LPEgLdb05=c}_jTF;r2KY9-r8*scKjT_w9tB)m z@OapR7N+j0pcc0W287gk7D*wF%Zxq}9U0gdg)<3%T@lP<&(*6)7}#ES@pc^i`fMqz zSN5QTixT$HP??M{yC~YW=(gcC0hGm{i{sD}cFi89+T!%EV>}5TcN;mU#p45p2}`&` zwA8DoG}t```|viQEY$nbHRK(H5wY3^k45FWJ@7E0R;dJKz_C$hZt`Xid_&m#ygfMZ zF}+a@708;VPAciYc0sz{)@$IWycBEUo~fK&-EixEI=}HOkKgf|=}eL=?4kG?>4eSf z4kqcHTraKJQ?lK^R>1})rEo(=vfeh&lG}Kl#9@|m;z~JO6Fwi&OJ8fhf;%JRjUcf~`O6a>Mq57U9{YonRn5nyLnrsd=cd7)& zXHr|xRk#*fi5jHK&_g-QZmoZR{5`PPcsWwXJRe+fck6efOHacV@L$vxL3k>(9wzXxUrx3p^K#V9tSV9sX>c+IS^L$jNe#`0#!>7 zL)}X~fh}i~BrjTun%S6MA6)#*_TYA^a}jkgG;J9C3{GstLJ%WM&-hZThrMFZf6Zon zj8RZYlt{;3T<>DZpi~b1u>oe*J$1(!!zhF4kOJ8GlP-=~Jbra-H2Xj_}ESS^5?vu;s>`I)OL+6`fy1O{$IlEz#1J3=kcG#S*p=lQt zPAYq^7`Syl5Xg3VI4N0=#>#g3I3^0i zbWVR@XnF#Luu+coj)PM|ADJfCK!=`NDrxXmJ(99)E-uy12cm*!vKtr4_w7$o(uTa} ziEZZ?x~aIb$JCBEPlbu7*B70>s)y?-utIV8M>;Rqj*kmm>YM_f;TDeIQga*lBBY*d zPE_3Vu7M0=-z|A179q9Vp>?}p+LyU4gK>M_w{vZ5Z@WqGV-JW^Z+oRSu9O&c4d$6z zr~N%B*Gee?2Dgi=F4#uwp>Xr%X1AjE%ESB)1#QcL1-FaQE{~GlSD3-7#q0L)BGlL; zZV!VX?)igylnU}4*F>!xq;K?LTJoaUUOk*Kz798Uvb&PkWn{TA^IN$mN%4Ec<-<-GF4W&0U=r*a8p(5TaZuHaJN)Bq$8FEW;k$>aaCg5= zC){#xZ8dtGrFypS0S(?YdJdQiQ^TllHY5K(DxYc@%w=xk#LHnOK zag5drH(P1G8#3I%$PP0;oExYfxnw;*H2rQhngeT*N4~j>f3X%0 zh=zr! zfGrAu4Rz+~7%x@BHgk3CuKutF)tGzNz<%Vl?{8o;3BtWx1M{I& zksY(~U!wSN4SL=4TG-Wdf@QefMMbjRoQcHbuMJnaZES;)H=fYAQ8vLo*gb_QNXwP< zSFbv77KTjKxME!!yNb|ob0uiFA3qeK&vDarG~85r{Hs^mdGsqzjoE163}SCIn-X5M z?@*VHJSsM`VS<>j@bYIg8xoe@I^tRz`?Jig@e@rrDfZnK11HHG@D-+kA0J(lqvhde zsJlcE;}x0nx(wqNaWH&S-COzFK)H+73294~E=$C)%|0O0xyLNYUEmiDqC^r~DW}>9 zW&Fh3OU0rPJnIk4+CRKjJ_w#~i_T`fQBTOlC*yG(XlTuU$`WUZIJ_dxUhOnkE|!}d z_@e4(!@FW|_&BT!wyG!ykJ>bfgI5krJGQCV3*f{=P}VT${H!y_k{I+zgfR#4A>ina zGg(V~yUPlM6G><+48nYibWx}#_psT}u`2AZn3~E4Vt#_MhBg~b+%mX6N4wcDF!<4# zdP?urf9888sbKSW&&QtYX~&s#nl`S=m18W-hKW0IO09mgVPQxr;$>z+xTpyly-W%t zEF6FDXLyD}zHFbAXZvgA+sV`WUhxHN-1Gi+&Adv2{5aYm~pld97!97S~*@e z1uo|)fmYaP+*7qCNfMs}S0+#L>+WDU^5duN$9v#?Gf7NsSZ$$k5n1D$eefaPlrD~D zUfFex&DFv^5Ag1G@ijW~_lI4=9C#$B&mBM)2OTSHWm9cn8aJ|!w%mX?|GdE@le(tg zsj2GNqfWexbYK%VMXV7iH&q$f@r_5ZgioxtFo?H0;bE#Kc6v2lA(5M(V2ikNDI~F- zI=-l>S~y&q?9n8_tJr+YOvAV(} zn6vj)y7Qisl!r{olscuu>PYNr{)xtJFZU~g zUGpy6XHP~fUrwa4iyA(^`u34EEPP`pDlI`sfnDnxi|b?Ou*?9ZUR%K_@1Oz zmm6{HVu|t!hB{YtTQ^k~8~)b?&P=U=ffC(>DpUkkdSWAUCX3Ci3zoU2X&1^ft1&#n z1XwTFp9wM{w?@TnqUre1r;wz(Xty~v*De~QnvQemHR2~)Q<7#50$whd4W&?lTESJ374Ac6-q2uvE@!mtu!&+WE8#jn5nQxi|k6E<{ zj^raC&sUSA?om*d31JGOI;%zTm2oB&?DM|mo0O5HVihP3=}%`5m3a$ObFmvRjMmHp zvxi5Q~)^yT!NlRk53-ksq z*DJs}&tZ^)0jH~&pf%Vm1OF{L>~hzwu3?obqwO+v9j7(%8|rOYW9X$a43om`ln|)2 zq`Ks`03Mz$fpjnvV8NV>8zDB#hT{NKK&!tBs0$vBZeX^>VFDEPGy3}6YZ;h5t{c4O z$?__`N(*-=!;4{JUfO(AE0e(fTZR7AE!?tBj@V|RxKsRvL$BNTN3vt?&4;~H$hO>O zj|tn>Fsx`QkHcmY8|eIQVN9<^QRPSYLtE4P6zVVbKW?n=y| z%UQgphLeE5{P?i+l^@Y6Iz!siFVE@G|1dnu4lLYf{b=*zpE&+YTcv5#U}GBvduH{& z^OiSBao0@&m!F?e(zLujrLM^tjo~!EMr`>6b_>DkYf1=ne`-wsq&Ulz`7#xi#KD-_ z^B1eI@Tw+en@>sv&-FaVk1rh8+$;q1dDHo@stGHXkq|y^qSt^~I4@##Diguyy2hDk zO3|A&lJq7Li{ zfnp`Cm2@z=4$EjeU4xPU|+!b}@qj6E@h)miRctMQ|Dy!erZGF3qrUM?oP{w+Z6? zXVq5|o`}us>n5VOY3VfZ*X&x$I9N{hKm{d1qFo9T>lXsG)N(NeP1Uw@oy!*j zkI;o5GM}KW;^21;SU8i%V3FC1xsuU($$2zA=8ncyT7y|empbcJ?5MVm1Fs`G>ryh! zhT<~d5*(%drM8Yt9FzGEY}fvF7q~(A9nr!iJ!;p&$CU&LM?tg=<8nNs-Nq`khI!WR zG;mNs9>!y$SZ|_Bqus#{5YYJTP6wl_(r)2DLZTRTX}S@jadPdynZ*4SQC$zvbK0_S2>wrrE?z-hcVgzd|t?oOS&y>`=3b&4L<7 znOU~@uJ+gANACNx1-Rz=F+14W?`__Auad>l-s9wkaXuPhb{uT)490Wk%t$4o487i{ zOD5wfRVFifo5MqxM3?1#XNor=;#hp{{ax^T7X(W5oBd+uWBAKR6vT-20h!Iy@=fvh zaSL+I5y@yD zd!xaE{NiiCo8?CouWtQN9E-cH`^(ouT+x?2_b9mY-^2at5Q{^h4wx`oILep(@bU0U zcFB||848$>#hd^?Z8{rI#D)82(cTZX$-h@GAx_NQ_0MK{P5{>c@H&jY3P+M$&qHRK zmISwqZW7bRG1flmd3STMnR?~UR!(0kn^MDmK^@SpDQPV+3pT;i&JRA)!Bm3YieC3S zPGw#ZGcYMGdZWwdV8H`{sS2r@z{R#%o%_JWTfGVj-DzMN?UA2nVlq1_j-qr26QvvM zj?EXJS9{KDz`23)N2{YsQU%l*P!VC@(Q$pp{dhn!WNoL3wKj-;bPVk)@VJhF8$~24 zWs`k?GpC%eOdSL3$?Hm2ItF&FDz5ZS8$%&3nEstM22;`<`>7m_mn9cEZR}M$gnDSdY{A*@n7E-qopm>{5~(BJQKg~FGsW?7 z2}CmSp}+P&_AJvo`ao_T2J$QE;uZMcYnP+Z6E)2`_KFiA{u6a ztOf5SIxgn~fezBdBr0`cb22XS$tEIsYkM}(|^#g$w%Pb69{~Y3pUMX8J`5gw z!4CD^&^gzJjniByp_(L)u-Y)a6zl?V)k{_R#Ko(A!O|rz#@zoYFw9bMMN|z_$x?9} z_99gl8;oJg6+VHbVLvM=ZF{^M&lPLTPM@SA*lJ=_e>Lr^X-WEYfGuqqEsP@`gujEy zj@fIe?^SqFCM;=vbF0wLT_k|)UXF_?isM*q226dwu@3T{$H`P!(Xk`;9!0tSCIvmo zJd&~UkG~Gl{-0Cg^yZ#I z-i{{Vi+}ugHp_)v-4UR1HzN0*1j3q5*T$Yl($anHbLjVLTv#AUp9XADS|;`-vcUbz zC%dHgtMtc3BSLCp(V_s<51{*kQPr`1d{;gP-d2evC>RQL`o=XI=g`@j>>~^ zpw!9##)oyl}C-iJA_ z&+JMP)oUuJs<=rzdX|ba#y`XVNCK*xmm6;p2Af3*IwNd6Tf@C*$Z$fZ^aS?ojk+QT z)z+|H#V5zs+Ze#-%^&Cep5o9^zn2L}&h_KZSyudTD~NmrZDUJvGZl7_-NbfKTI}81 z{0=u<`Bt}SE$&^rg(GB1BJvOmZj{|=!5{pmhNn#oT*w~m6B^KBTHhwvFyJbPKga;u@g`Aqz>Rp9Tkn#|&7p?LeAiHE9Q)5XD# zD~S!92KI3-6u3JLO#O64J(JUrw8XufYjRZeYZ*C5!>@4x1MKKH89{!MQAx`>O^mRa z99|PT$nc{AR1#&FlI-bCe5&1b@FBv!Zol<5%kRqMZ7=R*r;YtNFJwn@c64hCw$S;=mfaoj5!whlkIr4@o^g2$nmpgpd03n0NN_ zzNn0~ z)8Li?|M$NMQcU0&W~-T^+^C7~-x{ZvnwWF-&gV#u|FVL`3vbfNb3ajHOq`iO#4Ce# zF!JBI;m%7wJDOey@#->(0ApFM+Mc(W63*S9xAf4{orCFd)j zotLS9$S}9m!RS_)GG#(oDU7Y&Lyx&_M?w_u+lYB?*7$pICEW%Nb&rB~cB1#}+Fpi! z?#XTg*N9C0#mj?#r0Ed^aQJgXx=B&E;8wZ~Y$~6McKU~vpXcwAI#aG{L8IwPUGAzl z>{3HrxEfX$K$E%}4hwZ}2L4m-Ou0?mMtJJKpHd%*iI@{JaFzjXLAU)SNQ~Qdq_;|j z%DK#G>$Wk+hWBf9lkBl`NvMElbuHYn((^a_!>;mal2W5f#mFwZrEson!CN2jChrM- zrNG|La{?@N_{9G3ob_&Tb0CRC&NyC=3M{B(zd00K?gH3^>O!qx{KhFkYfUY|qImA8!+4`ei zpH5RL4OcSMNFv(}9ryRStg7rr6GL(TxI>@akaX@~tF&M9OnMbvJ(HyHBM!CU(afmc zz;>gJ+fvGNx=a*XYXg48vip%ASV5cG4YLVVHtzv8^X3IJl!;)YifzNq{v}YRY{{8b zm%owhMhEwLA@+>2ot5bBY`lv}yV7-?jYp5PM68s~L2y1)+OEoONGj^Hyvbo3?9N+L zQlMxz+~(CpSxiWBh1U*(@oC_SCCoyLRk%ePQf*+bW8$wPg{=2cF&4$7aNO;TRP;DE z1viTR_Lq^^SA|LA(hYfmEYD70sFwfw#G81eAj^E{iOJ#waMDFhSGMa#HX0LaUbZQ0 zRnxFmuOp7(S(x?0R&|^}IYCs|&6cloVnUcDz={sPfAej?&AV?WOkKGNf~_`j29<=b zyk>wbqQjAPyNY7URt=oTtVUnhY718yuzlp`%GVwaAK~}XxmDY8bnDJ$w{~*=3dww1 zHL=fFXMs&znO0$Zs1n$9jVn}@)UO_cAn}oeEGW#8dt*sOYaKH{l>h}3B!zN+v~kh{ zEK#^B!J&itu?t(ZB(w-MR?))N{{7A4yqkrxZPmtwHDaFJRvlcVa?Ptb7@u0_)g&E7 zsy3*DlXN}Bd*z8NJKS?8Ag;Nsr5PA@Td_B^Hs&^%O$oEkbLL&{>uViZ#FuBXKa|&Vz$D*QnaSdG z_;4}tQ{Is5X#}?e{0e@QO^h3eoLU3$su_Rp7d{=qJF4nSTbMHaVzArRY|Om4Z1 zpZU19zwwvHK%8=;^n=fs8Eokk4ldBFPKnqW#mBTZ-y@p^GgJ{M+rmMNw_q1Zp@Z=( z1B?_c16{{dSO7G{WH5GCG|fN25MV3Iyg7(zwr!Y z?zhb(_NTJByj3+(%;H znd4S1tg5U*$avJX?fOzI z%6KvxW1azF7d8zXq`j)3i_L_oKwvDZ*_H(V%9l-3(njPLyY9oklHk{R9X=v$8wb&#t$%ZJ*U7LH>l)JPs3dE=?#-A-=@f)u_dCrrI0 z7jm{BiW8owmN_}hVYd(C_~v29fhF0D7RKHkHrw@~x9C&eMI^q=nN>IrA@OQq4UHK&`Mz2)tXQLr$iPam@pNhA=RsL2))nTZT zM}SnPZD^8)UsA*&6UAgJ=b&wvepEw(Tu!mX5208lBxJnPSqum670X}mIY7|gzwuaI zwo*ClY?gO1+LDM{7zdj;P@d8v$p2^W$#z>evdnY7fksN*m^#I+NbwxWHw_F17^9P$zOGXwtIob|GQRsp z8lW3PJUUK>12Xntca`pIc0K{`4g4Z}w zgIc^?s^_2Y=&4a%le=@Gw97v3L9f&n-Q(&x$s>Cw`1q)5n-Tw4%BcvQoy51HS}T54 zhUZ$h5m;?-dWAEl-&YwBF$@35=3a!gd)$2~z9-(&HFyaHmY7uVl|3dw?VS(4D|yPF6hcS zGb_-$oV%^>!;R-R4@$AqY8tQTJW}@|DJGn^qhqiquEB+&x6NX1Nv^$lB7@+msZ2_A zX-sVwa3l*87p`yjOeYfi;APGkH1(4*CnWUVo#riXi7Pkdt3ATWEmj@f-Q<0!%HY4S z1-H@CkM^_ibV5y=6#e&wV3*`#?-ai{QEteks>oidYl<6B#Z}sGOw-kRXLxl?S+Q!1 z9Cxv64Th(2F>C7Zf6OtIfcbb*#?} z<|vM94lRWZ+P#ys9>a|*o7<6I7`+oN*`A8Wz}?C8!LZuxYljm{H^;iuc0%OBOz7W5JCRQOgy^=!9$m9Ix`%TN%PocwCk&%Zj7XH{6WdYRE?F*Sm$C0{xS?Jx?-BZkzv1ZZg*!U))z#G}`(gnIej0n! zY_7&pu+T_Gfx6x%$6#DN;(V)hm5dmc^i37x+LeZnrJSw;kQ@+D%&o?bfZ~;gr!e(3 zvn}zibiB%R_+*I4F5uOJIo^@*SAD#0O^bkFlq!R1w^V?G6Ag$zJyJuvCI%R}F_#@_ zZqp|<0Fh|Z>J!fw^%XiL=)RUQC4w9>~uB zXPi`@aM11760iGsh^=;1qpshZ6I^-}TH7{lrU}{o$q%0eji)5USl=od1b7pBx+)7JDlU$=an4OhEVsw z&*5k`P>JDl8oMB>K}09Wg-CglzJNpEUfWXbzqi>VG=M7`^zNuiunnGK#zk14s}JEK z@YetM+kXIViMgi#_}hOLyof|9zBk^KbRBGk)2)iyDMFj}<3$k315?B{cq;j1qDe`) zuof=^`FQqYc_m)85WV`Lyb@(DN)x})56!OeR&P7TG9zNa4#Y3RY}0TBFe2!? zw|NLaf4*Xj-KZ$$*e08a>f)auuV*l1=Fh*#X^rd#55<2@8D|W)NCxJB9jQ;Q(Lqqs z26)w8hxWx7UNwIRW~;dAcZk-ZpP;VuTh}RvKvi*VW}JUMt%LP(GvGE`Ctln@)jrid zi_62%e@|Qct0)U|gV@(rK4-`>cB?12#arcn=w9p>%0H#at0#D%;~OSvY3eE7g0Y^| z30n9l+l@TS8=d2+P>2&(y}*6TL}i|Oi8o(;@V4NVlI5S;!<&7XTHRt+@~)^o+zNuy z$T;9OQ>8um$xi|ecT3{x_=R z??BTGT%aWj{89`l2pM~a%Q*O-?<&I^UTh)kmxntgByBt@3w;o0DMY2@rR z{MWEI%3>|f8T}=Q#7P4H#n&<;Wand=Nj9(tt~&XkGrl&urYGBYEd%2@N1AJlb`&iD z!KGDaQV)ROc$#-TTKkZQwG5K&+RKw6rCdnZ0O$OPpG4etPn3@$uQ7-cB{z!S-{IEk zA(&z(JlGXS8&8?}sTVX(2v^Cq$@I=?M)8kS!y1@(w!8rzW;K|8q?6o`BKUtkK?b(x}8{kl%+Q!&zC+lc^La$M6xzP~+619id zXR{-NIquJ0sTKf_X9xfu%9=B* z#@$$vsQm@Y?ynr(MLJ{3IX&kdoY}8@c@tdPfY(B}E*{OXGGr6w>5h$+DM!s>^iRw7 zQkrLhk1&P=GnjAHJ?o~$&0s4$mLA0ap80uY4xvB69z?2;x8eFyAt_`Kyu<5TkR*B2 zDp|b*7?hPfa8Ao_LH4#c0P$kYnZZ#`I_#E14uEkZU(tr6W0V2qIsS@syp`I)=offTq|Y_Q z<6Ge}-Cco3x`06C+Uo$s-@#83uB$67h>vHYXgpj7a125~AIHb*`cp1-Jm6X}a^2QC ze3tblJ-oTjESmdqs;E)Im5m0|xx$s{Lt0t$4T#?Rdwh5LHJ&9>hR23}lI?oy8sB|= z@fnLzzd1pdACkDKtAxLl*$#|JE`2*vr#=ox%yl0dvwLP)#%_(1uHt#3huI&xhC3(+ zM-RRid-HW`h`FZg_-M@vBOm++7`F3OuJ4vl%J@^c6M7$?NTR6iGN*$UjdQ%4 z(E&aP;}XvkL6b|29xj-r%04H0PQOAUSS_j`uTO9aUIxz)%jwK3HLh{2sLMCJa3Ssx zS9**aB4MH9bg9OAdswr<@G;NdIJt%M^L6eIj1 zWk5vrvb>E?cL7)Z)+)}z@k}hJeg6dC=o>_T^de_`=0E2?vNk9+kN(XMlaHj#lTJi4 z`=)8wCtBQ?oW%KaUtmT}emX2mR}l<^`~JKC|M_44Nd)FCkIpX7e_efD&X1SBo}CfAXK^pBInG{^u5wTB2vAK#Sw=fB61~oW%tj zXw1*$(sLYbe&c@&KdUs|CcpjqYvw-($5H$u{^MvHZjbzTSWYezNLH@nD<6V%rM!7@ z5M_ztEpzK25zkYibj9_wB+6nD*aOht&Ik9ifB8-DoqJ=fPiF1l*-Tb(>L_Z-yz))P z6P??1MxKLob8DEqgp9$I4IVVYJM{|34QGV{GhF4`a-bM|qcNIIn0C=|C0O?_(NFXsiugBnO<@^z$H$%dt%~Dpj-~ zUT{4#>DqjB9UIK-A-TcKE_9G`x%HXlj$xC_`R^+iSpjk9&=4>ZJzwhX zc^8O}mTT`^`ZKv$_Ct<)<@yKxcbYH?Er;B2f^ge*Mw_FeeidAc&&;X^WcZ zOP=}#GAxp;+{zk|l%fY7KV-%6H{dphYWOHtrr=sBz^&2eUfp&`EYxk&ag~|j@N0qL zGH%IS^|4An=_B+w`o19zRJTrWCf)6vC0sHrMzU%6y<(f%Y|>0amx5#EKIDlT zYe?J{eSV6x9Z{HC@+-q}9!c;wE@P6kbz^P9FkGE}i4R}Qp(=9@su62B^dlq5%6RwU z4!Z8o><0?0AA1{LD2wMZ6TVbYaA?j9hR*dji(3}v+s3Wh$A zJ7j-w^2%Bo(O~G1Upn9~8!E$K&27Qb-&TT7CIb>Qie75FwE(%B(ja%++HaGCxEje~ z2WM%NiHQ}Zw@82uO`Al%VX*PKy9N~C4tbcvpbXDpMYj1iQa;k5D4=`FoFuRT60 zYmciyR}SscynX1ZR(8)6`|tm~T-Q3?@L@^{5xn5J+~CnA33QMJc@a|Py$7LisW&OU zGvb(U{WKuCqBbM{NCvtI^d@TJoO`BtvM8T%pt!9`U zj#LbAxO-Amc+ z1PS|Sl8n>l!egVp7P}-ukF&QZMe(`ZhS^`Maff)x*t4`r*Mli&G^iTt$KO+GB^jttmeyFI+~Q z9C~^;BhPJ`aove?tZ8X3+;Y>N0=Uh*wdk@_^P^kCz9SLBUn)Z{ZM@fvJ&~@@nfI|g zgq6-l8p%rgc^>gBTD%H|+K$M|S2X+GA!%zC{WS?c{{COTR9yxIm}6+PF!qDjNHMla zCuTXr8TkRu%8R#MaHd5+RTu=D+;ve5{s`V6udT}TD0dn=B##$l*mOoXlQGHCcLUft zn0wtjNNsVVEL|PB(Y7{d+n41$(5kHy_;Kt>T~~9cr!h%|&PV8N%h6#4jH@xyuykQ^ z9weZag4Ufl>SsMJ?&FvgRvm?!0`5+=NZlwqny;hx`rYoCNiq}oeaFq+_h|$4-dl4a z1<1vbC5jVSJ-&B_B(iX}z4D3?gmo1~1K%E))~B|3@Br22<{LTK9$qHE%C(M8x@I76 zEm(pc%sCQQQ4{4yDQ8N0*GHRX2SvtUBf3KSrQafGvzkbjC}VW|V&TX4f&aByP1rRSUi`_^q`8#?ep)eDjQC0L-tuSl|IOM#2HW_ zSR1dYlG2N7(VUB^vA10NA1%iSQ|a4SFFY_#RjyW75VX@e?@!q1;8MVml0|fd;6`D! znvVR;y+yZ*!PGrhwpj7|QsrF#wr0lE`@L_v@arkLyQI!E`tIYP)8J*-jdhFjpf(7Hsh<;jKo8A-6HtgVIWosKIEy#%;rO#1#;jvMdz0W~WB^ zT}kQ$gId5BdW?+q+Vo#fj&9gd|KG?RlC7WPRO6|nv;qmx$s#qH$k%C<)bH91UNDWO z^CDNg&)a#V>Ouq!YN8jYO5>as^|(cXbR=0_TF*??1(Sp zFnX0TPjo*CUcwgj88ivC24w~fd@#u93R`biUh69wYUZa?e+(M$-#D#$wN7f#=OS62^l)42~lx9Qt26wO-o&%hvo! zuK(IZ1foPFe0w2i;g4M!Ab7i}SwwKccFXxyJ@fH(nUlEp#{uyb8>#Sg}bX*=8#o*$t{| z+@?wA1V!P?3sjzQ?R6cz`lQ>GnKa%CosxeFm$H(8rsFI8*AC?I$mC(t8gI#xMNsCr zmXh)gdz4?Ujub}*HQMZ)NsBzoHOIzdBaM!Ip&8m2rrZZhAF;(p zv@-kZ&zsjUq7iY#Y_mBvN`|FzaAdMB-ZP@H#SYxY`_X8Uc&k7ed5IsiW86D8F`@-l z%FWmjhgx&pU>bj{y&90lyYN+5b$PQ*Q9s#;ma!4({A9^%;UOx#+&kxG?U8TZBB%5U z%jviPCr5wL`5aQ?F~bX|@sK?Xj4KO~|n#l^C=|Yj$hsInX7z z>0q`{6QFED=06rqW!BVDs^Lmi&*lR3F#c}IE&_|@=mI2%Xj}xX%B<7atCrFx4=CZ_ zX;&<*vOeg545ysO$#_R;v}r0&0Emo#0&M0%TTg3BkUgalDOB@q zpjBN5X4Wl91P?No5m+tpO-gOA~#=@?W)Hsr@!IQT-2V-?H2|u5I}%9A#ItTb)8!h2$M5iU@-vsZXqtmI}} zVS}(ey;n85Lh&bcO|rtGTOS41Dw`)+EXRx-=OUrn-n<^k5Qwm>ym_Q7u{oI5`G>IG zGiocXRtI85K?xI^qVMv4Jcr15T0;Xn%(+Wj7^93B6KY%QR0z;(ZY+NsNxjt&qz)Ib z#+GYab{U`ZqRtk}f%rVWT!@0XpCVghZA3H%T3$|$!)k~t18%8X<>WG9-TY&1R9(fn zug^RdTR~^Xb>yCiF{tZ{h9H+eg6-3PJQ6ZmMvc~3WvtsEw)%w4m^;aojD(@U74LzK z?`r!Wmk>s-zw1SMM*YaizCT;L3%@4SN-?149@TU3oDr`ZD zKdIyJwkeXcR3R8#zs}3NXNozK$8IjM;14O~n_*b?i@0oB#K-|-^|VRe1wWZFf{lUr zws_)}SU=*UUKRY1CDM@FLfL%Sx>{toNmte(-sDSPDM-bsOL?~P*3TLIVhduf^)*&!4p(K_FX`=W7n{$6-3V}w zvYIWdNSVAHJ{RintNxC7cM;(L>-IM{Dz}r(WG>|qmm8>amXy|PCWqlbBA2CPXAXkw z@a`Ne(*KYqEv|Lr&#cNXtcM-mrMrc8Gv1-~gbFg(y+Gx3go28rv%{X{cDGqIHIsT$ zWQTV;iA{qSA5JXZ=DTk@c_%ccR~o&5!j5VikJ%H)!>61IZ8g#Z`B}2ju_L| zoT7imHNX~h^)6ULRlwK?7mjH6q(vU&K&&>aqHR`bc+E#FD*P?SAT5t09{Rz0WN8&Q z5s#$gmX2BbKVlhtkB=-f71h~~PzsmHv7(WsJt=RCY!SaN~E#VL1PTo^Tgsdh2v|#KLT$m^J9{26NA2v32b%z^# zj3%qNsMEe3lB{)w(1IRZm|(t zAiKzz=TE$(e_d4;olYk@xWvmzxQ!=bxs4VYuBU^mupE}%n7r44DuZQr8T*5stV*<1 zD2YI|9S9f0`R1JDop8fB1>>^eJNom!b#cwjh<1`PuwtKUv~RdzMzFpO*nYK2JqH)fIBnlW0ZW{a_HQtS#3js6Ap#P_ z)@&+&?r+i1$-5y|(~GNXxj)rx&2QYbcjAKn(Ix<6H*@OdL@Bx7Tzk=Qgtj`w@t}(4 zvUN(y^l`Ux08~0oniFn7bXwtRzFyommDRo|KHGdOA4%h;-Chk2h|dHkoJxTvc0OA1@Nu(p)rGY4uvh@}mQ2 z6*!Y%(!*j8_VE;Iwq_r;XzbR##^U!-busE|^n5 zr~RzEgG<=?(I{-io|&XXHG7|f7dp9G|CV~b9fQG={1d5F*mCt~@1jSoL2+jxIvAqp zRAr*5R}A4ZeX<-04NiySthp)vu)iVs{0Q%yQ_ zWQKzwU3~c$zDG(~-j7eJ#X{bQ)wcNIX!|Tri6z!P)Lhbb4sZyH)~bwPppvNhH)YM zvb+%ohoa@wSy}w9>D>RKmD%?$t?R7thpyxjV~j>!$|ghEy5hh&e{r&WrxT?c08>W} zv5yKUNqheWpA7|z&urfpCY-N#?2S}FICbu{ZJax=smF)t;M}=GEzk@ZGzX`%>(45* z0eF9GR=ZF{gX`Xm{`R{Pj&N{t*2zm#RM^>K!1`C*%{Xf+oVHr~Nrz8qG2Q$G*7Tcb z8t&@+h;o+TRHl<3Zd;c5~qg_IppAU z96v03sbL2vn)piWSgy+Q1AL=rR#qpXaoU~|?x^xZEZyho<8WTanLJFU6Me!Ta6Ee# z^|Rg10~W4I7H2v*1LJ(#sOSnMrlX27&c%osf0Oq@@%z{R-0m#bU+x|@&z4VJad&pK zq^7Oy_$PdHCUuW7ZTfJy(5XK6xgnzK-~iRj?eL#u(CGcF#Yh*E^ti0NQcFB#GJD$6 z#Q`1H=4X7+Hfbe8U5?f%k5IL@EFvOnDF;DiMz3?J zOx0R0=Ep zFN2{|0gkS@cW(6(YbAYh;D~^W&c@BHP{X>^e#=$br8R@#hTxZfi@1#;?}pA5^)F~* zBM)0!T`tTaLY)#UVu?GOQ!_4R6RCm7M@kV2vXh31K@J}2(!fps$w5w{hqceCNXlyx z_xbL%Zygb7fouDsn#sjXQg6TH8!)3s?q5TLn;oSI@6;e)XoPZpOMU?tN6f!0?tXgm}*T#aY8TI=WE6c^C z8^rKZ6@#9J>)+;bJQmSA&vxalBS!?i-KV@63S+G}`wcqW00Tp=DR%}WgM}Nw_gTbT zb5UufKGT@N*F9C)@$|v0bwbUJV{6Bcky6EbySQtMd%Cp*z;Xbb2`=16M)kImVbcvq zUXgK+Q@X`nM;I5=WY9+H6U)h23Gw!!Ha}t4Ja|ya?}j5Jb6S0b8^UF7n-+_wp7f`# zG^Buw$?y5uk_(=G_0jlrKBYO=6Y<^Vn_TY@o2_Bw>QSW4x_dp`1E>DZqw=8!{fvp; z-B21yasb>FdvV?ha*(78%#?yQHF>lCVNrY`&eS~LtP@O(@Hq-)L!Xmyt4j{TMxuGc zX^RX|1@0*>ikqeqaY}6?uk5ow2Qw%O)cB#bA7}CHC0E+esD{A|I|8hrCVdSl-Jla1=HGBrRw%Wl z>Qix!h`XQ*duPoj*NO5hEVd~t%btUci8aWPQ27#EoOAkW#YeidiAEE1_7*Ee_Hroh zn3LvNhlG?m2QxwNLGQX*D#t+)V|8ez>258I@qNSU+4C_m>4Tfb?|Cm}PXr-rmHrW~M0i!|)|L`|BMqjC+=9O9M#RKcd2?SY8|_G^151sD?m2#qhQA?v_# zPgh|$0>3;bPul9bxZ2;XZC6t1Vq^l}#T(nzwj1USkV&8}hN~>(NH5}+q+G!E)nT}S zGN}^kMNgYtV?F3Ta>Q>;a!p_`B|!I@su7Rz6I@Ac?Py~y{KabXtUqi-PZCK;c_ov) z=~ylYLPhC+UJI6s#VBsQNagOi@6v6ss3*mrmC>cgECUpy-N)1gOXvJimlj*~aY1Ii zHeFDYa?|b{A5VkN8_AFr#!65ZcMRGUjDkF$*4CB-@Mdb7|Cy>RT}*o*qTS5o!DA#% z>xg%Czu(m8iu{q0{2e77MWLDOxgtm6t&-+d-7&1QujNW&HUc*<&pl3ORSauAdh%8Plbpe?VDmFL*oe-m(hxF;q^x8$7;|W-o@pnZbj7b<=s<} zP&r#86+Iv7X-tyH=WPpk+d;VMkPnJK3C7oZ+h;5Qw-;(crUnk4@#ozHU#>x9FlNiW z?NfG$jW~&CtW4+?(~gkGea5T*yx#a+OK<%}#En(&!QHJkrZgyS73$t7=ug=jbqSua zadLZ4{<0+XpZkn06Z$Tti?;jxe`k~Y{Chp7U6BU+c}ggdcr=z)%3s8X11nPNXUt{1 z%cgo5HP@!|?R{RAS2J41!|m_*Pq3ztr^)50bx?}N^DwrKUnbeusUPgwm}Z~7=^;}O z!|~+T3U0Wb>*8UooyRgda;*hrJ7Oi?3?hViW*H`t^o(;E&@QCdTH^Mt@@8LFpUJ}35F?Fe+Jq+-p6&Bz= z^}U=CA-c+LqH+WlqnsPry|Otqpx`-Jk{k(LRG*0(@U^1bD_E- z$?9|`rm2Lsgcnl`OnXq11WC5kprBg#c|AdpQOd3(LtAwqI+TJTmvU3-s_b|Y+erQvR+?}g`qk>s0Uh*(J zk)FbhutC*jH^X>^V&W0i*cKHcm-aU>)KJdRpHOP={;cXtl+mcRE;eKAfSL{%*v%DF86hH9(;JdUXOj9NU7u56VJH+xCxct3d ztg}v3>S16QN#mbiRK9z-=hcBQbZz8a^Xfee1@riMaP7s@BR|p>jJ#=q^6fqwH(jDdqP9!Q(#&Bn z!^_i`n--qcmIrrSY7L(`tFcb!iAhaiAXjs?-PO=6)fk;)HT4y3mWP`WwI`aq8=Il? z)iiQ7#~0(iWbD98^Fx~VjVnEB;9*#om>S{QN~xp_(we|UF5m33myd@#vq)_R6HXLj}iy( zf^XhbF)MMa8t>bpGZ*-Key834N(A>c7kO3EPVVzTco-k$trotO)M~SbhbrMFcT5$-|5FROGty3$|bYKjY$ zx;4Fa%|Hkb1E9Q^av|JW6U9iXOW(c1$YC(y!>Us*_=N?p6Z!UUgIZz_w@L95x7#Qf zK*SaCnf0n+YO_Z9Y>XrF^0Ulu_stm$B;scMYN@LxjMDM)rdDZ@ya^U^Q&bT*Bq6P| zW2xwtW7&^#5Y|Y-n=&I@yfs8P@S&GeQkOC3HS}P&E}2|K+$>}($~9PG&EwC6^%`sRUSPy{k{{6a=;(_jWVG33)q^!WlRTk*S!ln z>B8uV_-?5+mhmv?f%crxk7;~4)rA^zAhrx8+v6!e6X(||lv@Y0@i#@i-}pnz>({e1 zo~RLssZ?9v2P{W|%jcVApNTC`*3Z@WmQF1`z!_V*8mD$n%l1Zx2&U)7xG|RdSme=^wB^@WlFVw6G~j zUw4$K(TH8B4l_V|@h7*B*&xk|iJiqf`JWe}hcc|@54b$rggC0(dof(XyX~0@kMo|f zg1(*eyD!n^-t$QJoslNh9!409>Mb8<`F&xEvL*znnjAhR$MFe~tkIfI`W| z$4OW}+b7(mHknaArb+gzqiAb&s@_g%&fR0O{{-xh`{?mCFUnJL`EDI1FJ1RPALn=d z&wXs7D)Mo1*S~YmdHI#O;^P!AO`Wy9#9s}DO3ZI#$-_6sVw-Y{@hIH!L6+C_V^C_* z5@PzCc+#N_249Z(Y&sov*O(&eHp7Wl|B#%ynxprfm_FCTtL-f!c_*Hjb6kkvMeCpp zQq%44`0$AKci(n80$}jUKHi>wC{o%2x2Mh%CMEGF{$xGzCi)O8SpF9roIXw|`stBf zyK3~#_4B9Da`2;{tJ(%M&9VFqyzAL9H6%g(DLiWZqsV0TJ`!*B;%LfQ`yurD{0kZ8 zZ4HYYgI_K?@nbQ6ZA}y(Q#JSm(83rKA7{4sSBYLiQT9$Ji82f_ZTrbzt(of2pnxpc zkvdALlZ`0{d?x5OtXY0wZ@oCRKf^*i+xkoE+5Q>Lqn44_$Ls?9vS*dD=GVuGruLW? zT?DV((G-;Iax9kkx(|spul8@c@L^7Zua63x(DKuBe5|+FObr{iR3`FQMpSNDWu~$T zAE&pPnJVkfEy_D%6`h_t)-J{L_HnYyrvz8dtvS<3EHU$~t!YV|3G?e74#Rc@{v4t( z+qLgFLA4;akGTze;&Av>h>U!kXYuo=n~A6;8P{O za3+UTX#N5V`65~Ry7|0V+skK-&B(_oK7QGf1dGMj8%og#m~p@-u`srb^KtIYr(TkzrDfhtj>8&(DD;y*jh{JUO}AOb#u@w8 znCMNlTl*_G1Lh0tM~iI{kJl9q&P)0HkdRNpc_{yqTuyp4yL-rp>(^j{l%%MNBJ^>3 z$X_QeWhT_;!6ljT>+PMtW5bt#iF(^LRn7j6)hr*J<)5bG2lKcK^H2-*`8d_$7yQjc zr-u9`snOONWZRKHgD0~28C^g&c!sKiadTVux^R|9?EOu3JjP1PSveH%iIQu{s}Sg_ zXd6)s_7zSN`RPj{E2F6Hv!PFsqv2V|Ewy|X|0!?AyXO$|{gBX;SZN(v7(Cl^wYUAv zmOp~kT~@|tg8$ctpuRJ3Zi-ux9!&zUW;SA2eXE6bsy%+~0naTMSnL z`^1t%y(^3k8>ZHexAyK~vwY|tg#~ZBH7BfmT(T?eADLGi`iQvkw|{3)0yyvGzsJS3 z?~DyhcHEnrJ0nYL5xJXH$MCQ<)W7*VEJn0pbpVGVM7V3WPqEmSJioT60XYoI-abt( z<)D4MkF#wtb+>Gz|58$MhE2@#Upg90)$zDoS7Eo^73>h}J+$R-VDY-^eVJN+{Z*4A+}D&2 zCQ*~E$m%nc_xQ%8RaaZjkb0UAc;zoeXevHP2HS8otpAs9Jj8y&h1*`a&ow+z0$dy# zaF>*&dHyy;-v+o7L%{exPh}}fNAwZkLPt?@@yd+st$_=Trl2aSH}=6$i@3mrXHbw7 z>RM?o|;IqHe0xaTd2DaWZ6{l+5x97JsH({`dw_6kmXIAgv^{1wkr7D*=v-bNOv-@Yo3b4sf8k)qc9d#l1M&_3NIh?wSS6 z(uqy`7rV35E7wi!7#!*4hDxO8&riE;NRYnE?*i2FVMzWBEa1910UY+`3+`UAK9~t;

u7x0(o%6R3YaRhFWAGmRsTWePxg9B*wyIv`c zYZ5<<9S_K;Xrhu_wRZ#ss-neFGk)2`$r|9m7o8-cB-Q@Pqt@MN~hysATgYC%tc+3x~wEL#l)o(QTc(ujjf zG*8wK{>U~;7+`KR5`Jo=U4K@`l$Oio{E7GN&xi_8%RSL$mVa?oQB>y+M%=FM6vL*c z{4mOF?quHdEkDJe=_#Wwo|j8Xg(~78+iN>_ib=|*EKO2=HZ(m@1#VxCgz5h&s}9Lv z-%c^Oc^XaaJLh@lo8ZmzH!x6{U;au>O)<`R%C7N8(}QrL4TJlRuM8hUHTJ`95K|lr zYF%kji2ApDvW%S+-@YDHUbsqXD5rUBxY<&AI^9`oX=wEi?;)TcOdGbK($lVvx> ztpVk9$Znbc(K{lixGmt+w`!-N%ggnK!;F;u!n$@x`Yyvw0jKeq>$|FZ4Ak%RnS4?$ zo6ET(Wj-|S_+@KL<&W}qs2=&{g}wCs%~oGGEFu1upB~wfUC0#EYaOS!iQqKm5{%)Y z(*Vz5u!zgjkc*xMBeVG$Yxu7z4r5L8oUpvw0Q_nH+N~bk(3-6_ew&z|;t*CV$b?2P zl}b!8dCas*(lkCd!K(qA(G>Rvn?_{yG`JaM0dW}0CII;~&0oZ8zvct{#q=I8LqSzF z_f=L`fA^43Qw&(0=IP-~MKO1lPKzli(x+oFAuArF#ikem+HOOYj(>_VoKto<#x*8W zu~eoQzsD~dTAiu_j>9sYFbxRR&t+`7WErPB$>_y2)Rt@N(L;g;ucnQw+pfM(g!z>G?}HjHpfNqzht9aS)^3 zYTGMUW+D=15Kde?Kc5;B^ivF061uaz7BTBJl9vmKV<3$HHCkbiFP>rq68CG$GR|Iz zf~GC;in}=V6vtA;v(0h5DUN55(ibrpc{^64cV86GO>v_DF14A=%NVlDQyhz!#<|cm z3s$^~07z-d@k}v}r?TR*3{{J>mV4{>ybFYtknRVf3$iBQWme(S2zLL6-gy}M``tgOQ%pU8+` zhzXEGQtkzNP2QOG_Ij10aMUE^YL)1XzRYljnD02eaSuvjm_m$>X&0zQdA7T?CbCrp z3P&02l8_RT=}-4cLL4#RmwlI(gMaie!W4#huA+@Sv!84$^q)kZI@RnAaVz?uU{!X? zU%5bqagyVN%bs8owNoJ~T3UN%KT`@CV>rhxQ zwJqNpgt^dBa~+sSMOK6nJPE_(&488(F*+wqQeuc5VjIH<(hAR5ekzlSYklhDtGC3h z6`O82hdAgFlC�BU9)v#5kOGSz5iS?4A3u6`a+9J;=8#Jz&~ zWi@7`Dn=Z*2=g*Ii0ss0mM|G7omufM?z)+F9$<*;2)F!p@t$oyEyOICKX26J#fYT} zF;FFpKhpSmy<4;W8?{yGQg9(|N!tvxnt^fI7wndLsr{Wd=r;wV+f zj>!ir1bpPqH4-+2xNwmBPMP3hYEj(^(M*Vo@T#nu>1DjW%GEdk|iaR4l2=Sz7?inv`sT~pw27}wX_jX?;}5QBlj zoincVyIz*lu0%&x! zSbtR!9zJ5Fx@!YvSMAWo(3v)b!7_HxTzcGm(sTIi5GUSKeBhIPlNpEb39F5S+P%^u zH-#jstUuwMX+D9UupeEqk2op@J946ro%R};W9<`A!Y^xIkF+P zqzw*OuU294Rf#`XcDTk?P-SoBS9SCej+d&%8*TTz9;7qEJsSCCYbsI#H|@C&6!P}D z@!_lBO*B&Rw{)VVPdM{Vx+4ecMrUC;1uK(O-Va5QUsl8N`qyFh8fT;3jRUd#vZ6U7 z3@&qs8Am{OWodOM^$~7Y$S-RTf|hUOS}nVS955nEuQ?e6dVg>Ad4H?+gWo0x;N{G& z1rse+Y&ihCiCjc;E82Ja4U=99{vp+Xi*U%9UsliFdK3MY_(>m?BzG2Wi5PLis(V#v z_$%AVO}KxP^xG>(xTPT%^F&a9WZZ(ha_^`c2Tdj}jIPzScZ+a1T#xm&%`@wcp#xor zI~nrJioTL#pk>7`8y^IPCOTwsZmMaBJS;q(zXHvuA`gpFx1M!_$FIoCBaFBdGk$29 z^cAv~CWgCbx%?rl<@KfOm*U>!uV8WU{2xCAc&WV~CnUsEQ!4A$+sh8t5L1)#%kswY zGIGH`Iz&)J!N^QobyfB-H6P)ohxJm>(Jk-ClbF5ospxeM=wfA202AtBG`DfApY8p) zAEKC&BbUUUffY@$a-J^QgPO4vNJzz%8EPn*_!~rtByxB!*4&6 zc!daak4A5~QP44=D0NASYp|nf4`bjXE%DV1zlm`DD?OGVLh^3t!rPmjRZfaYDklwR z2>9hb)HK4(k^Fs1FBUE{7gViTXM~9(2Va8Sh4YyjguKTMl2ua|0U__CVTZXU`TS1( znw_Z^kBV>!uzqN0;1NY=Fm$x}irkb?h%kOMI$!d#OkPr1gryF}=kNKFWPiweNA_>a z)BPpzJi^HxR$M5U3Icx-?pddp3r#w`B?D7U1>8KYCPg;F=ptN29a0OlP5z-SD#qPL z61f~vT~t^|C#5N69W6&Zt4w4z^a77) zIcgIZmlG>ZBtH?(ghrWOG9O`j(~(DwxKi&)nfGP`*DUIcnA_@dNwqb!ezC1Xi)+hY zttWr$u6~t24(&aM;G#|?4Rp*=;BNd8O}4^lONthLa>IiQMpbClr>$%P@L06MTH|h| z_Pkd`758Y2xPm$|dGCl=3r~1e4Y+h8OtX;C+qFI3RDRS5cXf<@TlFaRBAkQfmrVs$Zez&L}u#{ii zmyuuYta@vmQ%{gRZ5C_6y}^SpEn;hXkue~gpkDL$BNIE@8#z6rHC91u{stdvim6A% z5#fw?wEnl2ol+D$&Ui=H6Zh2(D98viT=2_n)7g6M_}*)}WK-Du*6)MSEy{l*8Zev^ z`701#$uAR;MqFxOujuy?5sY)erZwaskUxOmovhj4AN=iZpnfnJM^qfR@@enIJigo8 z`6W+{bAmJL(c#~EMxh%wVye(yrnb$J<5QUtOncGo+J41dgfsC`nWv^|um~sRYd>&X zSDTR4v6qPJ2xr$Rf&H4ow z!t}wA(yDK5EZU>LM0`EvM#b$cqbsXQNxiugEPgtrbc7)V;*BWCu1o;t^{u}lzK+-t znBqkFba6O#JtexgfHM8aGM|nf6&4#|JOjUM=sVrT)i9VreD)n5FK@?tV7H(?6;c8* z`^oMUTgzS4`x?Aec6aN|N@c+jE#HJ3ow!hFrxr$Bh{R3}18ihRw;6ExQsfalTHcE{ zk7yw!dcbtQ4sGW|7nDZc4C3;D#oXP>tP^Gy7VG?;_w3I{yx7T&otb(2VNgbtrO9i2 zN1;*LQUkXT7a`HRzO%i8s8p8?vztVeL`qCM_h}?LElfmiIDhI~n-T7=Ddv^%H^Rb~ z^j{ICDVAWMh^D9EoHlD9twZ5GraG~S1wdKfdt9t^&n}E>3gVnjbb930biIA=K@0A2 z!^nG<{Z)5OubslOUlVzclk)fMYK)lO+t68bSy51vQVFF}rT}M)@7aDph<=ajTIyMA zT_#0R?meh!+i`VLOR_26+QLHlGng@>{uzI=m~owZ&) z`5QznbB}XB_c;YJYWA>Cb*eGv>O)pHi@wq%aVOx|Mt<*ca^;@Iy{yEyUV48pV;KE^ z|L9sXfBCdpc_!(^fz~>-+0}v$L8tfFbLN-71_$0_XXS};tyWqgJ16Ni?=nr&w7dTu zZV-3bDkSml%F3DZx+F@wOidBr-iV=#b(8GAh2O2p6IOch2O&unIFia#cK?JIy%htoRz1V9!ycc zGmKH1#kW1zTIw8NmIcB%2JXM-)G)y4R@R2(IrAZvoP2Oy zovJ+!ZXzx)eXD4ODcQHKr%6G8<%Z(yiKX^ z4gVP7hN`F03=>|>{AjzHJy_F-PL`gTHj7}YXeOF0Y6sX1msHLYy_Hf2|Cr&1m)tbU zi!?c&uG}c`Yk}dE~%RpwH4Lc?wVS`+*7lH z>)JLtC5K?`U*tE%N}J)(Kc5f27xv0=K3F}R1DHLm`8tS_XBih!e5M|<#3J@1t4}yE z!x4Y7>GU>Ya`v|P(4n;=>Y}(XeHacx)8Ml0H)k9Uw?6fiIEfBaJ&mirK8{Dv?$k3G zb8FAot)x)!sfZ7{t$;(;jV?9$h%+3y7FI?bpfybnjA6`}P%V8U1$%k3TmJTz_d)@Z z1*dnEJ>bKrDy~M0>=7n5X77woau+9@VOnTDLyt-P(cX+bHGaB&hECc?tzjS>=^Tin^mY&`H%(J-X)b4fA>Fg(d zw&5q5k#id(HQimqgDJKD9EWx1%uQl>D+G)Qy-6JV@^-lA=j>QzeK!3$rjOd@2hnwA z&N4m0Hn-u~?!?*e@=mx-`DJ_8kV$t|@Z5&@r8#?70>F!4s=k>6ZS{Hel9%~wYd+6$ zCDYuE%GxcdP8n zQl~ktT$(dFa}Q1LY&ix>%iRAFxpH6rAI`3AxpiE*{tBNaGpVstXC^-&OR}wP0)$1` z+p|-t6fD6O$CRj0k}vag{vm&uFG)8@f&fJ=PUU4^iiAi4jYeNqua0pgQkvx!qGN#> zXJ`^)Tu~Gkbmp$P$wYW+`es@@hGrUVPCmwZ(%>l{KuDZatG=%z;V z^igEQH+Z&q7ra))s$m2_zJ<0?tV>Q*=+|{L+BvO{>CCQ7w$?3f^PBDR;-NP?iq`uG zT-Fn_adP|7wY^WK0`r{39F$oX$9<>~x-yK5b86|QFa5K29DOq-#+2r9wtX|?E~!9~ z;6PNIy_ksUSPowy-Fu7+g6MQv+xTdfGY;&u$}au}1&7sNex}MMzQZSzrBd@2yNk1r zW9T2o7r*!OD#f_OBt9-pr>&41h_|Hq+~|^Xl-y#`+n2b$BQ`5tb@1zkKx3SPw40JF zk$p>&9phSun9JInuIv$gTmiv?xBqf)hpPwp=B_IjOXz>m5TjkrE7%bjBTv@tbTLl) zEq4r&uXdul7YZ{&pXeQrpONi?6UZ{gqQ}Kj*NH2y`FM;v zHQ#A}=?3F1LmI5wt;x=my4#;U#uQ=G{6amXcPCzVjDg&>Wpb)n6n@v6NUbx@0yOvI zkQQseH2ce((Fr*7T_Gv6z9vvH&VI+m@pb)Nl>Aqeve;DVj`qQ@kg1M#<*5{zU_CqACw+r&?vv|X(}zoAvLniLx@w1gHzv}JJ3}xI5b6yJzH^7 zKQJIpW);V%;;c5}{m0^?cacWvk}Ct+@N2vnP)gY$q((oRtB-N-H@ljgk_k+63_t`2 zASQf@k1W|?6-WGl4a?)_r}5b6{I|s5N4gxv#Ya@Zo;nlcVsSC%ej?HP=&ezUF(T1T zD?k2dx!|3v<$eJ#jNWDyiF3aC$X3qTf5PwkG!C0uwkW(9qZ4VOP5X6EP-3U?bYy#< zey1;NhWxzSze7+xn!0bg&)@(XmK7m1!LYqBp;|`60z;QLYY`u^G zXD2YFkvJZTbx#mfVD|T_oQQFpwp!YMMZCy2E+HszI8Nw&kZ=+h!>RPPYFQc8O$NI; z3o(M?F)ujvXw@}&xrZ`)K6b)X0@KV3{k65UqbHmU0>en@vRU}{lfYz9blKeqMbAcM zpO5=U#q9{F9tHWrYo^}p`G_lc9*BY)w36-Uq5}fcIMoujjpT8e`!=;V;W#2%CF@R* zg#w31#ghNow;^!|RG7nG7vD|!Rwbz{Hmqe<7Gu0I8RS>wUZmL1XA2xYwcqI?0e(MZ zF@}~|RV-8%SzmHSVCrdz^dCb*rES2K84fdJ^~+82xDHs^UF3+0~e4%N>&L_Mtw| zx(wdyZ^&m@)g5dnoQt4cNN1JBXnODgfm?To>B8p=3!XM0;`FjiGan>7#N_V@wf`KP z9}(uY$#kA;b1QJ3gWGJHyl#jxDb1ew;{A8VbY2#B_na|&*L5lh`N6_ih`@=I(KFYf zT01Ei1m(On&YB9JPHs$0@kyqa7gM(1Pl{2+ba<{v@VD=aYSGxKMZxn#0;0`_NPZV}6B-$)mtl zP!*P~H>Uj!yd~3d^k_;p=AMJ(tGLFRmv`lL##2;x)(dvm_1{pz*IBvwXkAHhJ){>i zeO(cOxBQgiX5fVDR|G*ULf{OaAQe}X?N|0J(+yMxDLvQNUSUqAJwh#kfyv_Hro+eJ z#tjG+GvblLm~%g;?#{o(GF*J>V1jT7mS~cPfz8^=!VGHKP1c@Y?gYmqcp?h}g97)_ zA?t5Rn?YtFo&c_BtH|4%0k~$cO4BXOTd->| zL7}*dQj=MTV#gM^!}B^D&y&UUE_@W6#zjd7Ot$Gc%P<=v?W=LJaF#o6PdzbaSFaMU z7+X2sCc{mTDkz&xOtg_p5#!Ze&PXrs*M51eKP5N|%+6MW+-QdkXo5U9+buKY`=*?? zA!5A!ISCw__iVdwPmXxVN9I>F+C?oe10}tpVHC27rfTYjKymu6w|TbGXL?VG7#j~? zx%uon5Ha1QUG9zDGwo_)M#^SLbd|A3U7h28BQb%QCQ0{h&AuQvhqW**8>hU5-X34{ z@^JLx^8zRH1v6D_^ryQUii`*D5=QTjrSZF`3d{}3FDi84qGF0gy4>fR4^%AAL=p+^ zPSq0m2wYLaFIJ=W*>o*d!EuU72RYbjcq4@t80HS7*CYALeDH+8M0`!-(dKTPh9{f7 z%s!)}e75Iuk38eTo#wzi)vvf{MieX#q)+@BNjDS<$3&ZtqHy;PoacMfYqnz6Hy4e3 zn7AVVm&*w5lNE#maEiZ*sqoZ$tYN`$?4a6HLqEH_2duzdZv2Ge{&3lsS;FLOLTB3@ z=a@rWm%tono86vFsFx}==$k(Zn?Gd3@3K#mH|fN=(fPp%ml}?>(CCie<16=jyoXrT z-M3tPZA@-HpxwDsyFMFu!M)EKV?E6_$GjnQSbSZK3tF`AjHf0|u=VscW<;wZPG>ns z#T?otvNR4bB<48iq01u~b3gTo6fXGU`8u@W{W%V})0TN7#hW-Oz)jPHDPOC)rjx9_ z!2EE2)7zS7$_W65)Ch}$JYORwFsR11p=7qVJ(rE_FDxsRSL5F>&A4B~2meL$BGM{2oHwt;KwuzHb^F0M3lCFYuu9+`_cs*A``8DhIn(3& zC+DH9VX!R!DFzH}D$&L;YumSLaTs1I&T2)^LZ#|GErng>nk_wCAU0S{D ztmH#jxelj61Saxb5-^s#V$8Ax!iT>*vde zH*G52Xgo)>Y*$?Owm*Di+il>me%17Ttw3Omqs%^6MfuV>OeBUi%JIB!nlU<27G;Qt z5BuIpj4+huV;sQrBnAhPoN|gamdNxioYZVueI+HBEH<{0cDvn@SKSSO?E=;Dlw^TqbRG) zXd69|7@#JLx2$3TZ0^U{ExYKaTM-w3)8%Nv>{n#0*@gAK3bXCaB;DX{9m44xa&9A0 z^Oyb9xn94;$cSTpTL`)~M z@l1}~L$JO#pO(U_f+$wiGMB$LV=6>dW+cYb zG;(yqQ9c)5mAFcsrY%bACIL?HaJ@L~|LFGjF>*g8uIYZvw#&@#1u8KRMz+p)i!|wx zWemTN*`9Z&hkpwWGK{)tCYR%-r}-#3gL0G_z0HC?ao*{Kp#mg=2TpF=$U;vcrNnfD zZ0#(=j#LttM^|d4rc+mICY^Qzhb$Gg$09$z?MC7QWjem-11Q$Xnezc}iF@lwQ!rq{ z%{0!w(&gqxoR$2YuDkecxCw$ifUAw^3}0o->6dB4|1!ZxlXiDot1 z%gOiQ%+kYUdKuBy(q18D?DC}&XO0>Y3cH-9+(vWFwP%NlUC<+GmU9d~(#Kc*TAB)W zv3_Yr;p~$%$FfM@IuFHVoy#hHriY$L~oGRT0z6`DN^e3^_4PwKbDlbdD+<$fmIi z^XBfwwr8`n3)<=XrKJn=OcflBmdE$v&?SgDkqI1$mKUVzUtL_U(>f`XQXHC=bb@q_ z*mfjd$XC31QEK?7`&6wMsUhHh_ zP2y;{eCJ|XcQ1aYWBrteH2joDEVjjaMds?}>=C;$=I~w>_O=heVwuFrsUP<^5RiJe zg-p0#y~Gvr@_XykpBA}G+$n%|KJyk<87#fD+sU8Q?*o?KyZ&yT&jzY+qXBw$w*Ttv zSX^Dtwk?Nh?k?}z5m@%EL+0+qpYxT%#5*$KK^a&$Tg3II+O(N987t)NzvC?FB$e#7Smq;ZUD5TcQQfIG4U*&d!%Y2jk zMQ`1$121T{uA;wdh$Oh_16`g5bC0VXlNBj|=2jdSO6Idfp0mmlTnk52ehS-muZWA4 zzGYRz;BPc+tqW#es(br{!Gz=%9=hV9VuB44wh0a>@T0s&J|3f?TMb;j;(p+i04u@8 zDrn>#p6k0=>l=4oJp{%jIHr)~wp^xlAroAIkT8&)fwY&qw!A9ARRlEV-5d^?yBlh% z#J2YJtGALEIzN2_U{;qd3-yrp@Ej+&(?fFgZT1vZ@bok6Cke)zC!1~7;t&(upds1x zd!z}bic7Xe_f>Qzm^6+q|B>_#gLX!;jcIj#ilYSgU{AJvdR4-Gov5jF73jWjW74=Z z5vGEKS%&{fxfVcpsf7bp1z3p_ZSH(vsgPQ!nn)FBC^#8zH=!b1r<9*K$_+E=L zd-hW1-|fNDYC461J4!FJ7w&`no;3tU-S<@(!=uV#Q}Oz6RK17C-ZOd?W>iz$3w=w= zQ!$pEA_x?A%>)bJSdPzi?ocDRVU*zs9FYyXXYL24#WnkV-FDIa#9&|R3O+&8@+ZB% z8wU4+(xuMxnxE5OJlthaWrwZ#imr+e=MgH5+M(rsV+OP<)5{>HuHe@Nqvdq$M!^HP z?=3MXr>10$t{$S%Y87!`0(z_)3$=1GUW{UYTPuv^u`LD0AxHG7E>oC1tYMQsalHJs z!~mbV$fSQHlzN(wk-YouAMS1_0d%;M*-j_b<*&K-d3a-t1;|$_O!}ovX^U~TOV(2K z=kBl%AO{KqlawvZ+;L~eU`}wvDM@cBIAjSzfO5F4;{UcpWh4q*Mhe=^@ zks4ntOdh-dwDTLi%IR$;zzjx0Q(ujvryX~Db@Pj{Mykjyft02e(o<=A@Fvd?ZsB�?|+tE;oDCS`4_mkBCchhushLBHT z0wq;)b$T0r@g^FRCi$`WfHcGc)coh;y=`_R>f92*Rrb@49ndDMK`f4l2~m2xu_%np zQufVxb-arEMN#B#{59^@XYz_>pOH*$+*;vY8)S&3H`7sQ?y4KSTY1Z6ubVcJ=L}bF zY~e6e>IP2pt}J%?Rd2`}c&p;xZ-I1SFck?2J(^RZHK|d@238nYrLsS_X8U|BU&(G* z^ARV#4TYO+G=@M$li9kJSA}`bv+ZlhvZijau-89EhtU4m?H3w`)^I03I~`;l=d6H z&$q(8avP(_+owIs5fdBHCl_Zj=n6yY7SpjD%@r1I(;Hh3#%LA$$$ zJTAVQW?)r?S4OEDI7Gl4eapISkNgR_!(gT*O(psIzU<(jJiY2gT=Zp(RSec#n8JqR6}xHZa>J)KDw6ih0d*=YJDpXD7< zxZ4a%y^WgutQLR#5)Q<{3{&pR;n=YtgTo2qNL5iDbe_>}X$RnmF7_E&u7y`?6$C0U z{FJmpSvU#88Jv1jZRxIUnb>nuD-0c&s`bp>iVa(5PJ6IbHxw6bk`Z_4u!#qX5+{(z z$2{)H5I4J$!Dj6-sD>;8QUdN?ES{~up)9wKzpro-sk;B(ofVh|hYqWM8$B!%5dY%1PdcRw~fnKYqQVRI;k57X;ebX}Ckb|r8xA9J*Re$WF% zVSKgq1iLWOVD_;Xm&Iq+n+#GoA?O^>+S}%69PPC;BtZ&8t{dMc1hBcWSbS;i9668g z^rZtSg+@8Gb%VK48uOo{IW7KHwyqtCjUjGyWkrnPkKemTU59UH)_7)e)5_SPyX zoT_Ejk?qg4!c!QCu51NFa6h&Xa-D6XMQKd$SHg(%B#C6QAZvWe5zxhVH)=pJ&AI3~*M8|EXbCA(8}s4xthqnjqOV@!s$t~w#QYH+CwF?3T=VLRj=rv>ki z`pt}cyByz-F;|p14a48#+#fw`>ocwR17Yg#{+KQMdW_uT93VY!RnjBv6N{}aJoTRm z#ghi-jGp#K;3{*;Tx3;t8C z2ZB^9yJ0TFSHl2dyJj!B`Sg*7_c)Ape_{J@HaFixnE!ZvEH=lz1!aeJ&OJ8I=(6wr z-eaq%Syg8ag_D38+?v6^Py9*vKhCZ$y>T1MZiP?PmFcqQ>&`a|kR@7HY>6rYlH+=V zCD>wHA{G9)ta|E&%q*avX9?L!uVipR5(FsdFq4NQ-Jc1O1TXIIx#wat{pOm)V zsIQotpMY9FR)Nbd>u2I)jKqlrHPO1$M`PUHq5kYnP>V6ePptIq)#%C^pcLb=g|Rph zUv!P7be{}U&ZwYq6Kwx7qB^aLID)N`e!}j^_sWE9F}7y06#W^p<~6ZVi^tw}fEf3k zkicZESO+YAFw0=PZp3Ar?e~ePhQ-)0#md`$&c2&@BJSQ|s}v`4dq!Unj72K8!u=Vj zW0bFdpadB0)G<$L>g~SA5o2_QI)k%_{-5oZ#@Oc3K3C2`4xyGJF6m%muElDD94B)r z)(>qa$j$)zhlRxk4` z;_nzkFq9gRg(&(Fb+;OSe_71swg=3PF>ZqJ=&63+3$40w2+Luyd~XT*niJPsjiy=t^O9yd zP9@#1Hxwnl!zYQt@jHUxdh&Ad9TdPg+xY^W81vnz{R!?w>3#|fKTv-risop(94(%l zzJwUha8jO#u2d^6xp#(K#27#jCs|=Z7th`h)8oWR*>fK70HQc~ulBO^BQs(Q0f@7` zpOqxW(}zrg_Pnn;#$$+-N`Ff_o`an)BNyWyx_P)9N9NLD!~QT@*t?0V(~T?U_Mw=i zFh(_IWln6O9obKe>&k2=(;w=eAQlHDH-0u8J98A{QgfUg2}G`0huRejtTh^s#CL`x zypqO9myRK`y@3cD!CC>h(PE4#c#O;C_3|S8ee}j$0(r)`jH(`XE0r#1o85Pj|7aKC zB4wOq2Nk|}Hx_rB#n;PgeyyMNmC99S8Lm~4yi-_UjSw-yJ5(jf%8ZEVi^SXu4-ptm z##as=Fvg*~67M5nxz2OUF&jR_HDyiP!|1Ai1~U_Jzjkek$*NO zlA1W#?23$lycTxD0^QrPi|KQW?7G}PE{-I|eSEl>+ zi|hP)Z-fF@DAb|xod{fGpp81~E{!qIi}Hh|-6KM2m3AfOQ6ZP>(a*pVW7Z7y`AfBt zntZVe+M~kR4U})v^{+dT z)E#DI1CKjBpYXRTIR^8W*N&Zx-9XQj-q5eM&cM$LE5bC~7>hCAvyD38H=YV3_!4Sh={<+yrQ5@fZ) zFkC-lQ9S81+_}19n7QUma{Gpd;mjwid~GxgckwZ~$y_=RhLfXeSNEFOmU>00MX@mJ zus}8KsktzaP=+gZEO|YMhDgzI(i!gDQ-5~h&(`6^iCDG~DNzhM{vE?vSoP7z#71II zj4&&q=nDSU1Sf2w7IkZXGjvA}TsLha3#rmlNL z;uc%qUGh?jy#xMcx45ns#f#A->ig@sv2;$uI$sD#9K__W{@gCZ6!~?TK{OZwub!S_ zZ;QN(c80yHVW;qv-HWsk=j8LYOyQW!;EKY+Lcn_LAS@L>Oube6`x=RH0LCe`yPxX-#{evc)%HF5XcnStYEi7=C^^1}jl z&u@Z%|MS1qrTpLj{2#LrisQ6W3iZb>tLVmip_!DrlWQ}HIgK;wUjGkw`f9FzM_h8M z@39emJ81@db2WtPsXx>I4%qe5$|OBtE!(g~K2YLW+oDh7tV61>2ds0gG?evH7*nin zNoR2rOl+E*PR--~d~!%0qza$MP|4<4imh!kE3gQcM75W1&lw(i-wThE>Rb*dR-0qN zJc^Cf9NjHBjU}9OES&RuPsa?K4@5mm_bJf~X!h~m)DwDbpbWDvkhA$_vo6@rj8g?% z@3B0i3}hII!;-^s-$KYcXcEJG(Kpwhg7vjqy=4Q~ouuafKBJUy{4tEzQNN*oqA4L) zdE4e{{{)`5#bj!L32w`ob?g=cUSXZx(;MC}yx3_a0(Lw!lu_YO#1C(%^d@ zM~m6LS%qa{wuscqfQREd8Z9z?>bIP+#ei_sZ`uxF)nn*-IaJJDF-~#~(fho*|H(Fe zn8HG55Eim@J}U%!uxJsjL-#Xamm#GJ=BMD1M9L`80g~^gfy5nG#1`1w$U2P`VbP>! zR3Cv7!xP$C<4xSozWx@52|AQTO|%Dlp$Ug!nhxjv2C|I#rYiiY1x&5MvNk8ta|p+hE zw@NmhrS=GC`{6OEi52AQw+=sQb{G2x1`*HnqLgx9$XugejwXGM0k7q-7fH)_-HyC#%t3Ugi@EOO_JevixZFa?rs-X0` zy>Kvx@=_C%_#SoW800dW+9f|DNw|$#o%zxaKxP<7TpQ@VCBg$M*l58=b+p?(-Z0Y1 zrP^k=O`A>C;ofBjU0c2oq~ejEzRLUPAc?`*`~Y?z%51+sh%^ntzpfoM%<-vKmP#C! z#5!P~2MD59PDHtr7qC*eN1X(&mNzqj$lhhFJ7y}(Gvw*Lk|!Q0LbnZ;;w&;p zj6Syt@~1wUnDK$MJf-lxY_N>OK(3urJgu^gy7B9GK?HQKmom<0S{ifk(3^g*RY11_ zyIcIK1xAb|K|7X8%B4hK_@i1BSXY*`k1vWBkGj4<7js)6sJ0EIR z;T@A{p}vsox2~~9ShJbA5-WgkJ>%zR3HLgf77tWAYIYyjO+aCM1=juzhaf3?1=cd zy2+D0b+Ma814to?4NHIfH^XCYS@;nC8catIvxhJ;ONLTU>UOh~=4_c2L)j)Bz4g}M z{k$8+%Ru=lqo+|bIW1bu#=&ecSt*P9)F%LEc*-o56S`0Ngpc*p1>R-$g#D^AKfTqw zt{$A>6W*fJ{#~Sr#W&URx|sFYCY%nWUQ%1TI#51a>YuQEIHiIn#yNh-6SfFX%a~ww z&Rz{b%hq1>Zq>i4EAdfoe_@Ue5XW40ZGk z4@G=Wiiad^r&@8`hQ&p?rMjHC8Y&i^Z3*GlfttH66^>i4bkl2>)8x4Gif08u!dg$= zsUBFn&vAzp7l%q`LXtwfRmI5`ERH**xG3I|l9FV*ROTLPK#u#P=yjFqO$rCz!AJ1R z@tx3{)Ue{4MNq`J_z-FEIjr*RDD6TCzrmj}PpEpw`m>PDYN!Z#l|N^$a`@t`#=BeP z)I4^h35XnYJjbm^B&}Y^ILAFlT<8L#CAjBSoa445YQnB^A7p@!VJd(`;a$fw>5B^N z(~UIiU@&jy@N_A2XNz$k60i12my*&`m;SQ1o4oiKrpI_V8e7M&yDR2?)CZ*=j?|0; zvjh_NGyPmsGM?`)p2{aTsnll1ki?sXc(&p$JBZ>+J!dX_+#DSDCbd}!-;4$G3j->q ztaQ6?ZGy5F?{*JrnN4rLo#qPY$J`vZFWtsrI3L9eJXVGa7<-J{f>xe*Epfd{HvTZ9kW%S?~cCFZH<63O8#-Yk#8&bZUN{1TDd| zbxSN6d2;2bD*I+wAST>gh)vC;nO)-ZP51<+DQHJdK6%HzMp~no>78d^0XGb(4}K7K z;+BW_b2m*%AI_42foXqy*eS=II-In8TAGWoCZV`i-Nr$iTaE^9d{KXnN0X;Tc$T^2 zn6XQnrQiRhzPvT3f@7X8Eb3x=IV!xNCU@B?4=E;!<+!Rs+cBW5r zx7(TD4a~N!l$OiMmb3#P0=7-BgPUC^^BCN(HtJPv)P15{b!&13$7uJ?VVLdrRnc!3 z<1?sR)t}X&wxSBm;T1(ubDop*T^8niVxTuqK9XzlP3(_=>9>@-`DQgr=()|;9dwFg zyf*c*O{K`q)dRZbEzNQ}Eock(J@$dJYO}k~+=FzFrCJ5F_fj4yTJYKq42HfXWtS(H zbRDK7qv4F?nwYDh!~Sh2|3U3M0ayRt%U;{FXEYSYuxL`4FPYLn*Izc7HDH%xlyf_- zRtf6NgF@jL>|Do@sRiEV4+HG$>S_)CHWho0+1uzu(1MSqa`a)AVL_mPo@Q-rt4)i9 zjGoL|XtX9GG1VehP2r(yPLZ2qgtPkn4}YkLN3HR^+Mjx3OdKh}NNEzbgE%Wzy1y{w z>g;N4&l%9h^D-FztcUwvD4cQ(g05}7rB=)`Y%eL{H5aLPCH$vLF~KnoSvf-0A@jZ@ zcA)Cu{%rE0Sv}-zZwb}p;LI&+jbX+7ie>^dS{I9MuLs%N!Zl{m(v z^6`UjTO&NIOwYjeEyJoaS}e>iVp_x~PtNALdbR_K>g1G)=PY}3WG#Z#bZy~_l8Bbh z+KV|xv+AXR9$1JJ5S}$h>YyMnK;5eR(`Aqp$Jkga4y(uB*|gf$VPC?m)-P3>CVOEn z#87}aAroY%$joU2c(Er+>&D1arrZm)%c#{;y}Cv6H1{>3cAMnb;j!p$n4 z3qcGuBc-o4ow8HfhpLKp`WesNQ^K+gzlFgxj#f*vE+wx(*Fc_niSJ&)1ScrGyMPRHk&jqCmrEqj3 zrr%YEf5FzXiGh-E26JBPnB7H>m%GV19+RjYo!(Aj5VSIz1qKsx418X+VTy~=uSc+2 z;)IdVO$cp!l=a#At&(0}4TGK4pWSc`V}_Lq(gS`~*mj`yV@HEv=&+JRB6~q91S5(6 zenl{1rESgS*qStY&$lJem%FQ;WfHWd-(U1#^I4i^?>;oC{qzHV9xbE&YwfuYV1U7; zoY-c)0VKwlDmP;iKFs)&sc>{nG4|c@U@QLDQA_+r$cnP}=qs!el!w|oZWvOjXKFix z$2rDH^1PD0>xVR>Xa_l3Ev_67k8H@2Yfbzqm@DU@^s>_NHO_migD7<@5XN(=>kT&G z-PaJuF}PFx*+r(g%5sf$^ZIYjr+ysBhHd3{LE&CYxo17)Bjz8|6mS;C*Z`Uyp^fF= zlXNG=*3+cj+a-)Q4MlMxBz|TL-Qz&C_&DRyeH7TSi?dVsJcsv>S^m-g7z3j=b3I_w zk{moNv#Z}#xl_LzA{hUu$u{K+aTWIvI~WGYPr^YH_P@dk8q}wrB^q?=`&p2z>Qr!Ck?8^vgxZE7!Hg@n$@K&dkr4%wMr?3^lb|+hd0}T@%O6` zI@k8ZD4 zCbzk|g{oKm*%SY)?x6GbYcvkcXq*+UimDf*;M>jFo_(lapuS(pt!P}sc7&emY_4#% zMF~qT+O{B@9&UvT5$f5gQ`bt!_?~@^zsN!U5Z^^GP2Qv-_%}(gXM?=L99X@G= z)10+`+nETvUaJ%>d^)mHM7%Fvq|0fs!YL-LvS><$xg0*C&PlY%B+rK9oYLxAy;R?B zb#M3w?Ve^|Et3~_Zqb>l#$%E6i^SP;)@z(t;Y0w5O#OXOPGW^Sq*uqF%rs-1VW2x7;D?t4@@_gR)2>Nnsv2Tb&8lEcePr%Qz7C99| zM)Xw$jcRhMpljRiqE`jgi;_}Ol98WistGP=fdM;eG(T_YjJ z?{*o6;IEUsti&Gq^lOZySDQUH;lmok*i}qkim@|-d5wYVbvet1RcqJjOE0ooV=($! z>R*|Q*E$Yxq!fdx*W+jr{@PxPXFxO$YlD5wLi`mb<1T^ITZmswY`eXmK;zmbHro3{ zIcYfQ1Iw>5pjrKrwuNR=t4+qY#*k)OTgr`-nOx)OsQGxN?&Tz>))+XvrlgkqFc;(Z zA_SBUdD;;OOr+wJ1n)|RsuP^cG8mC{X@3q+vt6sW=ax$Kmat>KYUSnT*+y*pbCt~v zF#)vtbD#8KjVYj;riInLt^RNbL^9qh{;e_H^DKR(`lEh1y|jVBn$`FVCU3QpPg5-i z=3rproH z%zY6X`NjEw14r@y*t@dc#&IYAf8G8R0tOh&Anmm8qo2lCVt4y$+bua>?1N%6F*l0j zmF*n;>6fG=N~EcuGxM;(E;blUH##b^cvP|O;zmv)bJJ~HQkj1)++{L9!yZEKKl}A? zs^Ej`+eWWY`UuIb#}#gEE_6kOV-4I0$5gU4iIB>?9;G%eBRlF(ruNk8^oQSulUp8k zpN+b=u`Vun>d5s?#tj<>KeC-NT6=9A$7l0kGcCSNLSn%wd%e}ibBz6QVc?4dww{cc(+<@vJ2vF_@Ble!8TS!ZAxAjaUHX>O~GnuWh}qDe5n>B zd`Y=7?$xV5kP-^o3e=1*MJB>psa+6desVNq8@sy2;u8O6CnWT^b5DDDGqGZ8FO9X3 zY+OLg4(P^IK_g49*tczu7Q-{i2>Z18Jz>jyI#auC?8>(33sw5Hs16Pr7swh@@5s{; zO?!l87am^0BT$qAUN&}I+p=gvlvJEW6Te;U<7|2h z2jA3Ja>zt4zS;)Ex()&JW}yg^Ux&6&49oI zbvpS02oBcF9eN-eMKO19zOxeq+gIvu^&seT|BHilUx#a5p`RH1BoH(@a3J=^?1Ixl zPX)>*ML4+UokQ+ywgtcp6+zYmnI=BCHhxzKv9(CgdsQ)oP9zm^TClGoJ1I;69s zhvQk(wgeV;x#6)eiL56f@LGnv#!Frk5J{>I*1XuZGPY+9vUYIJphJ0hHb)@SH`@6Q zV+wxyw6GL3`#?ieM?5(Ij9GN1qZ_Neec>j1Lt9b@%l;0b+vgKg zu)^w@DHT^usid^4Mf zJyYxyytpL1JU3huo=xZnFV^UKmIA>fpt(MT&%mYM5K zaImuCFjnRBkO>mf{f>lDj9ymh{euY`*%#8mih@HY^LCF;b9e<7q`SkMLcIB*g-Wyfm)r{+hsvI-V`$9raj*#5?soGs=o~CW^0Z%3`z>a25(>(Z$)PQG?o-IC z0ZUh)gN3s>C$T3KRO#S&HX)znXZkoeFpTqvSi{I(dgl@|7WMfZN*+nUIP>yJ%^I9Ls3bY>A>kg&XI1e?-3AUW zW#+se3^`g3u4Tq#s`r2!WJQ}f#?`YAYaDHnEPsWi*%hz%b2_{O!p{mvCG zjO2UlfndMR@~{;)vG?DOJX1!gQf00HvBI%I-(05p9z%Ek6j%l8X1bh8IQVk)+3yqa zP4vm&5ndT=l2Ne0vSOdVnM(7nu(fzagPe-aD{LZO(Jyi8%M^LOL=bbbp=nq^)c+j5Q4%$O&VYdstwr!~i7fL6a z6@K*CPO5s&YL1U=$^_i(bboXQ{mE_bCwpjzoYV851A;1Ge~hWA1+T}GT)uqrG4bynCS(hV8k&v=+66yB~vsmK)mMf=a}%5gc* z)%!-ahtd1WtS(gdObRrvcPA!Fp}32?KHSv1LO*f8Ie5*r)DBV$W{;u2bP}iafoO-YK-bMoB z4xNOlUV+u#1Uy4QN^R>lbYQIsv5DHTb&Vr1*5p2Pb=u2F+1c2Eb>{-g_wJj?PPWG3 z3Txt1*~4;;i^i=9JtqCtH*UB+oU1Bp?9Pv7Ges?|aa}C-YhHUdv$ME0Hkb(eoTL1z zU%4)nHI958xc=js7k_5o4Tkn`BEc}aE^ic&RF+klz$t#MEuIC`wFt>1g?h02c4 zrpB)o`?V1WA4VW-!5%l*YO(KYY{FkJrFTLzF0FCzg>~gzUs&U$n)KBQUWp-CP|8H> zJNRa;-?#2YZC$*^wVl`RdsT{BW6fs$9yxYnSAzt?7ySKAc7I;4A;EQmjmsULOxsqx zJk&p7gD21ZVKiZ$=N~Ko$SE*WQRLbQ>slorfT&!10|0@3DRsD@0_9nX_n=%Z7Bl_;r z@Abv~FZn4H3YO`>@7)9Ww=z4NLa|&Z)vQwUYq9dRTDxwvO4VYsQ7c(je4U@JuC7c2 ze4-3XVG_hR0zD zpR7-oAj-;Zlo1Ic0hu< zznNG0KpPTr2ll5cIZGeU!h~CCY|MlN#F#f)0`sPdd1ng8>=k&~dc_|o@$bwq{@g>t zSZa!Y00OWd%DbipBIgo{qv9PK0%O zr5Zn%QjrmC_Fz^Qj{S{zDuI34$U*2uk==y!w(HXnWVdx>vnjJaeq{E*uR6Fi$jZYY(D6$Q@;W{(|ShxK=B z>YW}AB;D%H4V=#3XEsx<|3E!9g^Wku5q z15bPH3Ag*l{Q~52L}f;>oZyjX5K8=~_~v(mE!kw*X{ps}aL&ZU)%qpY)C=85p=+9g zMkEXAed|LO)phq#Aw&^9Z+Wp3Ih#6x)~i5!mI*q=WCk~5?7ly`?^c|me29Ac@J(SV znK;C9rQXOMVn1>&E6PTZfJNoo>l0GWv8s*deg<+?B?XVR4(AAi`l|Wz`Mw2GGNswzT9dG z*{@P8U3@NYiO&Nnti@57sJ930Er}4iU5w$Kyk(jS*Mk*jeg0}kw@S!bIt#uYw;{tZ zF2a?#AmfD#X}#F03UR%pKB0p?mOTdaAj*LlDv2e>HxN}L@)tCCKe63Q4{*@O@7;hN zInhMMQuzeOEjdzVSSd&By~6ILvZ4iMh6C64MW}O<@+Q3CaxtR38dwZdK>{ybi#U5A z3>a%O#|ubwze-DaXNO(PW}~pSCqtlAvWQ_9FM`+oJRVLK`%bQ8*u^VhbQ~t`q!|Bd zByY!GTI>`Sh=zZ=GD<=WRqD*<8n{g{H*6S&HzlC~y1d_5%L5 z2{%g7y}f{L3L-JS#f*ce(j8M{gFv_x2_w}~OGS8c0bw_a@s|A~<-;cNpI{A(>sMK0 z&S>%-&&c($rH*~09NBRy)r<0FbR!HhX_n!;npQ~cPB11`9o)MkDu;#2%O^jz{9q!RCVidoS(I1pX36UaBq5esdq z@AIUM<(H%gQ`_6@$a6~3lQu?s;`(li^`woBP80WdVzTKhE>|h#+ghb2?6T}tQ|`>{ z!kw9Qt<|1)!A$jvSr2Qwv%qu1fNmwuvmQRynTQ0&0>3ODoEJq(Rz^IEIPDdDPKtd+9J z&zJb&nKNNx7i772A%^?@@dIHW%QeiGc(>-n^|*+vR^C;gDZZe3sn!q+DwoUI1ugpc z<}C>6vPUG;xJDrczWw;B*vE2Ji$31Q1);}Z*6-Oui7BhC*DJzyU9Yzk1uyPopFe1} zm3>0_Q8W8|$`{@2ujC9D(AFE;#|SsdLRP9bnu@F!H%-1A-k@|%mY9pa$@!Se#>olx z%L}eH**iJLx><^_ZZ?!{jyqcBV}0JzGC?_NYMGC+sjH>L{sPAZjV+V))P%%cZILTYh+z5F2! z1@;npi%RT)mB<=>ZED0=5 zsfLq9In^=J{HbAjVx!S2U(ypnicfL}q9h+6b7@&V`NyN@1En)y;s0YPLDAAHLf&jN zi;BFty6|ww1fJxuR-(b}2M>#VEDtNr{mJ)Ed?5KJIY!}^XKSgbYnkBPGN+ixg^4(W zk1lN5O&1nrr{q8RA4*S&m)4A=w??a|*iz$A^4vKLvE&JBSYPm}#Np%#Ux)+B!RH{N z-1_G+lK+=~%<-T1-iaK8;JAxJ`U?BV%_u_q{`MR&{*x)zMfN)_{tGcG))||DssJe4FXjxe1^_EeS;D2(?jEw40Qxlczwo*d3QRPvX9h3P#N}47`R(* z4OLQ66!;RN+p$RKRRiWUa73*R<&!^uHsM`Dbh;+wB`|{_I&B}H^-^CdFrwEncUj+4 zMzlF8k?K&0g6GSXY)yTBaY~4ozjw9z7H1oPsCq(PMcZy22GO->uEq((HE%eg?|HD> za`j-b*)h%WmtGb|9S9NmayjD#nq`GZ6%y0-qfcFv0Im&!2%QO@j9~qvRsmZb0MYx8 zlk4%TuEQV-kG<=j4uc4~ZI7)E2|cRc$1)=0j_Yq1dqTFxohc&{9<$3qJkO14Sg3G_ zf+zhhpq?_KV$P*!UY7MK>Coyxh@z9YX$=HX?qoI7+qVC~HD9*n?}_VG``}M~d_>+| zRhQBr5oyN(>~R4m9TE}v+`5UQKzihbZqBDg6rKc28IB*(^Wy#ao+)w{sj`endr3sc zHXQ^JvZ!Y1)3>v*z-!~}K_q?KUBZ{IjA(ljgs(x6>9nhYA`%~yS6;9ZzXBCR?h8Xm zm z_ZX1~7y!%kGPW$b-Dz-{N!6(!HZfzndC=?PW;kx9o|%-%Or^}u4ivGKTjKjCBobE; zhv|6k=7~MQp==PF!8el&%#>6<^ciM|6oXa1n7+J9c5??0R(ss4FC2 zT8rVW3Aze-4xvwh)fX*o^LMt2_)hj>#R{9eSy7uz0qP|%mx~7_6_bOr^?fu>}lXn$yh6R(t*r5j>x&Vkzv|rpuy@I(44b_j?(zJIq z$QkJTCUXOfDAy2QSpH&H|FS4qLww-d?_+R(YKZ7>LPE;V0e3HUbT~xol^*>TyrWqW z!Sg67HG@WEj&=?f*H%Pjy05%{COu64vH=DqeM z#ix###4Ww&^m2P*@@9AjiFm}Aa_Zu;muba_OK{VSwHg|WeW{}$ZZROQ9yuNhGbWqz zCOEP_nmPpH8Lc#mdwK?lxWny)=YyF|opr#&y$|Vuh}=6&`w0^%P6vdfePXKh z(MsCZT#_W}h|CuOue3YtX)q1wPhc~#rJL?|15x%S>chol(DPTgfoOUma-LmkElzvh zcvO^rR@HE$X{dq7JrZIUB5~0KiwJ%#93qDGBl=#r&xe!D+s24P^J7R{A-Ssc^3TSA zog?5YbQQlUe+2H210RcQ&8)es-4z*emPiL_E$lb$G-uc!62Iu zd7R3lYQ`P0jDhQW@4nuwONECTgY~;Lx1<+T2ZdS#Z>IDSGkOCu4IVqdh6&l@qPJ8x z4hA)d6PGS>RNyA!9X&GQW)^F9y7#!3PPFF}&z$j0n$R(MT2afU&s_sq|k_n*=f>_Du#6)mwK)i#PQhlp`Ws6_x z3u_@ZB8okj$_;2^Aod~4JS=ngCJO_9Sah4^|RFA4h87ZQLxJlYT{Jij# zHVpKa(lFS$x>9>K1oWTwyVi(4?v6q%H|;CpD%0NhlBKAH_)FZbl|+6{h--bLOi(_YEXKX|q6}EZ&Z&u==7YuY6bBN$^p876D0h?<`5C#4LhHHXf3w71+D*z!UGGNA3mn7MuZq z6qyUl+Ox5I?U zDU1kmRe2gJriENrO<$uIdB}=%f2|qC=2xHkp0%j zbL*|L$F4fJ6WMW;zECT~^?1zd<*)>~><;I#d*Iu{)yH?^(pk6LLuPt?VARSZbnYLW ziy*7)DPeAu6-#gzfh9+w-c1y-5|<_1qxWq%{@Iw&pYI#3X6u5;fX611%9{DN*Nb2y zQ&p5}tBvJGA59NgFBMSV+is$VIOHD;w&Zq`{<5*8_lNfSQ|)169P+{JFEU%-x*jt7 zM}3qf$^TV3Majn4-2021K>1$goJI7oCotJ^#+!2w`2v&RuE_=eMB)6(spt2QD;Vm6 zh(h4Ld&mh)s}GX^xLINk_ExLnnTm{3zc@cLLJpuOvh+OW{(2cc zY1pf}#l+n781xl}i>PxG9r5!{tO9`{j*bt28~&Q_Z+ht4d2j^cxfK zN65VUxh%HECpZrWne;eDhinnd;kyZ53~iQ_OLsTCScI%~rYLmF?#7blYwtyNqjMvI zLAlIduV>D3&kb(rN}r$kr}&e71!T;>=+wkgBmlYQ4mlzimappOI`bPyYhqqeFUbwp z8Nmi-RTd^aC~4Fa=K}jUT|X{v97gpq;#g0F{xU7-BV(WHypU8a{N3yz>{mc0KQ^xW zq}9o$bbVy;Gipj9+KO8Ub8^auY8>1xru5<2A#Ip-G3Umug0;GspXYjg1!(GP`H(g9 zNBK%bAK7|bs`YNxS5E&y9~R)w(?~Z=14|!S_jvv=Hi@ez?hEIOLUviEhphs;YaiM3 zqev-$sShS@JSE&hNV}d%t_YT>&nA0vy^}UV)raSS$Adms&>5%VL&bqa?~__z__Al! z&h>n#HPEkKG~1=>Lydv)sXySxjrXC{!1a&|w`}J_&4I<_AvRw4I;^e-GCSdi4>brL zR_ZU6DrvY@lV_{ztO5KwWcsIqnDO`DO<-Hr72VT8uYDop2A))!DzP`O)t<23c32m8 zyO1lOaT;~2^w;NGKGZn~OLL>#w+p%i;|fd~E4e3w{6Vx-OjPGX9fKP2Hg-fCV^8Jg z$FlZ>96~Re#d9x-W~cen7bg@ax%b4pu#-{kEPl4H4FiB`qnzTA4}}ee>Vybg6{s84 zqtk%wtII*1gPA%U$Y7*u)Z*DU07@OirKC`au2Rm=K(PY?f>*gv znYAC@{QAgo{3f#^w-+D>A@7SDb_?YVj7^L|ob5w(gD17ujKEqpGZpk>*EX`svR&5Joa+r0>Zpni5sUOKGZqr2(_u~1+d_$*-Ih4W-5vahi{rZ z)H0}>Xh*-=OW>{@O{4CWhLBtG^`V48&4Jwx)u4hw7{{SWRVFs$;6w3(`rNqDh~$g` z$`(9{T$&qR-|N%4sr|Y@;ezh*kk_q)w^bW_s9!J*dog2-P_3Y2{?eNY0;V*dD)~^i zU@1=<>1DFxzFknGz&M~ry48*9pe}(4qF#k!o7#P-La;D5x>PU9WN4}Q5bPI*7(f!u z*$+hq-Avv(Wi_|oYbZI8P+t3)GH|6yAIb+9hbCW`4~4QMRZeHKQ;}8AVqI2w)4k67 z5hxLG>W_VjmcQBSupkL5{^MgwfS)?fcV^0yK2!z>(}T*cdkDXo#EWD!&g$yc&W3Pi1byc5{F$GB<692P$Mtpj1h_=^4 z%tz(agKIB=vLdv=Y!;#@+4lr;{^5S5_M*IfDC|SJeqvR9SA5aPnyI=<)SfE+bg5@;T?pCl zaz62*{6*VqU^z{$D1yBGfw&bu36tsEUV`j4T(7Hrl~Ps6E)x5Y&=0e1rMzK9WAFG0 zr#E*S2il1 z!2W2ytnJw$QBMJNlc~;ra1R7R^^5NCx_)mjMyC6#iB>j3d*7vOkJ0~MRsm`IsY>5O zwUfp(Xq|fB`gCPF|NQ(9XTFI3!j=g1A&5U6#lz9qB)nW{7?Sv5Q7bA7ucyRH()gY( zdCZ5Hd!rzlA0JF`wbJj*o(jQyNlMWv6MH}!zpM2@=67MaQyGfuA({UxjpTBwVGzil zevcQ!Xc^jTkg3<>^wtezV6Q`l{-{aN#k>%XV~3FaLT~hEmC#xVQTwH)a@h5o;5bzX z-G_VeVXUQJrOzr&sRD5dyX~t$1uoqr^H){VMXu_9#plbAy&vnf-s|7lcn^a2(W?nF z$=Nc-0O9)+n04yCw%6h&Q&K`F_R0&D> zNw^rr4z<8LNyyHV{_)A2Rc$D0Zskawdq%_k`M~gswU7IaJdSWteTc!uDAZ zitnUVPnREzi-!37Z^=bU#~c(v0)C)gMBDj%iJmie3BvCKx!!4S*i^kQN^R_8f;jwe zzVJRzitUwH<2S8)Rx)YF)R1_enO#-bB|QkauVnfU;&5PiG9Lo&-T5*)ldQ~BhMc=` zlj5*d`%j4wdo?m+6BDkrx9m9I7v|90V^PPypV~5PjRV5&VV&*Jk=URJ;;N)1bmF zX6l$3M$Xs9aZp$km$?)`l+}mW`Hw19_TOV#^qoN6Rw~%FPe_?RHN6LdeMV6BE}9KS zi8t1{N%4(gczv@Cq`D~NOXVdZFGL|;>DDPFx^C-hJpqNo0~Xwp{Q9AHGw^`i8d8-*GpP67N37?S5vjLiXO3dFAX{ z7z{6|--0^%7^OoT35P6z)Uz zyDz8&pjoM4AClgQ$?nufiS{w_7eMyhuS*E+YlKQb5cZBlo=R9yfXsJXWwk=z)#wEF zw?GcOmJqA20ow~920oLe`kZAsc-eC-am7DFyy+2;jGmxwcpLJ zVD1h;#dd%4%q##@IpJ3YT_(Q#{3kmfc?j#)*Vyt@u|ryPq9`T{pj zfg#GhsM3N8NUgRpXHc+xRGYgtrhg18axXMO{IdUx&3GW$eNZ{g5aNu9PP2l6Q6`vg3tLk9Vg@q;7=UKtly%x($rzvQWfbe#_ zJJ!<++xmvR6xYn&QsbLrla!_Q&4s9TGzl5OARl7cgS)pgTg#NMA(0*br4k$RqNqm) z!q_!lbvxXH;B_osF9*Q6TPnn^iF~Zve6E2bTVue781^X3=#Nj}tTP(bhb*=-FZ8Z0 zRyubL*)$dFvR$fv-^ufcv&(L+ncH=W$!roWGjH7GHR|?Vc2|YGc1P8M?6+D~AgcYO zHfBF|i6BU86UWNTy7M8cJ!yaEI~y)TT)Qi%9AF%SV5D$-h-%YZijBS$8L~YJWVKJH zT4&`l_cufRg-^%-88?1=7&Ftpdsgu#t{(EfU8ISWpMEk7uS(h_f zvaa#M{Ka7JXjST|I56G?^4akrmtsS0;P%;1EpNUR%zQo{^4i_1lwFmtD^+@KO$g%J zgof%HC&7@Sr&}yQ5tYg0S{O()H-Lp{|U@a$V)-O7;bi)px03r}ZPWYAx@1Ui_kNl4 z@Cn4W2P9pX-9o;73~Xn|o$$U5s+P$3*~vq$J9_@iywQ;9HnDe`_;HUEmfG}(((Ec2 zwdxsES@T=$dMYJIATva7$?>r1gKn>%>-NebU8*Feg<77zae{rC{`rfsY+ znUDNhXFq_%_oK|!^JVndc2M27!{cg66g%e)AORjOy~Mn)b{rN!{(Grj1U2p04<>-z z_gL-^2jxIY0Uj|g4#YALPR-q|FV!1Xn)IgGwNR$HycD-(-oXH}+m!Jw*bhZsU{dYX zKuSjPC-`Cn{i`a>J2{jj-^YC_)KnAej6doNAf^3_c&SWCHz7a0)UUT3UjVUfV^Nx* zD0jcKuL8?#YJW(z+w^Gr$N)0h^L>6kmsvOJKKw->9j5o@ogwkpX~#<31ITBqog6G; zdj%XC*R*{)jZAK!6hJt;&gTwkt<1xfDFeu8KOMPtqyVDWqp>%o?2j6n#mUOZNjs@{ z0153$wbOLS{V7N0dKbuQPm>Y%d!b&cdCC4|TNg(r8)2_R<~>vmU1?Vb14v`{=1FqH zvLJxnp)@-_$n~ymu5_IWB(S@xSnI379rkM2cdA#a)rWP~!4{VdWo-5eWVHjWH<>Ki z_ZAuIq-xk0DV{$?%$ctXk!&Kz3U5l|!!zNiV+45Yyl&dcj%UoB`*dWui(I^`;;bib zFNKZgbrHmy>YUV<&%dAM(b<>zVj^`7BG^Ts08gNoMVbEXf6VVLYMNEEpNl1rbL0Dr z?{I1#0YtW`wYd|8Q=rcfKwLX{Gx21mshDuXs35OBt!Sex)eVEj^X5xI3=6y*$za&0i?7i6#>(UV2?f^+Zw!iDzU)aZ|oZo>2ca(&#xjSCpG*4! zu(E#AQI4yLZV14!tl9Zq#Xjtb1%iKq}HI*5MFyN9MEdk zI(Y?`;$W^jH%``?5MZx|C*QevQOtRH03mMwU#Zc+H3`UWPeq~jnh|>qAi6y=A!#nS z4}-^M*@pJ*KMh4y$ozl*%U%ls(C&CIp*m3jDek^{E|1BUCYy3g;juT32gtpl$TIb; zGWKR6bFRA)*5)5dFwKzx4IIbM@B%W8JAZuJWp|Yk?5w z?g{0!GI5KXCfwat@CYE}JqZ5AYo=)MaV`eEHyu$k=~TK+>tIFl z!JX9_z&$ZYr=-;mG&cm05dSXnjmYx~Aon6IoliuT-HXQIr>etGv~9~&A8H<%>6r{5 z^4-(>I#W%=Mpng#7k?Z#seUVV%DxJ+=;mR)9QR(laPBuW;z{(d?1a&Guk+Y(R>Gkr zhjLBbO*eG(0?2|-;*l5jCO3sl0?dJDYA?7^2>}GZ!}Q!obbHQf09o&OHwxorCf=M^Lr5aUdgwuF-B^d zvzH+QKFtN2SLH_QoU4*T+}juf?Y!iM($d6`q75N$%&-k0@*VB;US*1D{0kuM-HZC6 z)A$9zKLm(a7!sx$$bk_EoV`Wu5bLbxz2D=hd6qXiwCcyYOE2 zEBh^l6!<8Ky59Qcb_3Dxn1-)U>=kehiKgx{H#LKF_p~lfG?jn8!zX~4cYMsm;i@=e zyF18yllr^~cQ%*v_qeZsEPL6n#rpa04(ZTZ3Fgu4P8IbRyFf?);csHs^xH~gyXzr) z&T9^7@R&rF&2qiBSHW55k~AzGLxiMv-EuoHuC`!m#*p!zg|qo&G#h)NbFvFT?@^z# zI7oJzhuKpvs+qvx>|zk^?ry6#?06$4t#KBvlZA|TeVl9Dg?s)Ak?t;?;?!_9_kqx8 z-_|O=c2lCu?b);i*QhO29Rhf*!nA`6lu^lUFx7KV41*6-t{IJi#A+BAN)Na)@ z9;S{NL0~%?#c{&e9)z+-nS3Xz{IWw@WPGs2_TRiPUcAx{)oNF|1owxzl|f=9sgH|Jq)^mv6GlQpzwEarC_Q$eo5Y`Tt zD_Pfq@+?C-S7g>JptT#8kKGQC_qT>RgV;7{2J!i|Zmb}#9X9K^zIGw5JyF5-9RY9Z z$L!4G8HBZSUd}hwVe4$?jq~{*{^|3#zx>VL{l)+N<1c>r=8u2#C*OVlU;q8Xw?F&s z-~9aZpZ&|{zxO1;m#nO z{Z6hwsZoY&fZKB`yBeh1Uh(=s*g9ZCR?!NooIy1E(vP#tFm{4*FwE0%=%ju)zV$yk zTU80;Vn?!G+tZ6(en20MR&*j?_hGi@%OI&eT&QU-oqRzuO`O^k=$08W+o>o^20Ck< zVRZXR)b*+oOYQj8h_E2SeI*y{^vhwJjMm4Yg-)RRBb!-#8i;BS7kp_C#2}@e@%wdk zPT)QAz+lH*ToCCNYww zY|sTDHKJbLwm_jfHOfg*^r$}98HBl2lv%fB|7t0<4w95}AcC*Xr`{h z-@cUFzj1!^)4%%RPyg+Azy9+d{`!}nzxn&mfBW6Lsu;^uw+@Q7=XOI&2!`MIB ziw@d;8<~uNz|i7>EmuxPIs;!gw*)Qfmw*b3k?)X9K`E&e)0v(=8g~Gd&XvjP8rt%? zL)CUmHfznca^v>ZnduiJ`v-xc0;RUK0gxbfBmHl~ayI2qw@q*|qjVdR;{F}4tf=A{ zgv49>Fk>~cH4qi2dA^ZrQ}y5sg5pU;N@CzQk0_+}b_Y6xym%Z=ChB)P34vB5qQ@73 z%y`UYeWz+Bu z_$@2i0y+#~oREF^Qjc7L>Cm>Chjal&yA@VrSoq4NmtdGL{ICYI?3zKWr z-ydYj2b+d>c{0nJ$1T6RDs^#pAl|2ZfbakF=fC~MKY#x}-~I5@f9=u$Z@&N4H$VLQ zf4qf>00^C5mrrUJ(?=j1v2EC*?ubettkWF#1z(cDrE)~NuIfSgNIE}lH!l4$Fdt8D zj4~I?Eno6sxAq`#e*MJC(y9P`2HEnlAYH6oq2NK+pRHU- z@9jWSuYdp(kz{KA!L3lt76_VLY60TAxwTD+9KzdQx)qK@R5LA9SBkCgW=hL zKU6{3?sKXytPh6g1eJU~-lfLH#QBq0t<2EEg{V0(X)hnkCSvMB*8KeXUFd}I=sL^O z&>#0i2reYgvvtMqgtgGah3NT67Sm13!s(-66-`lydSeX1t<3IAL1#ZNiuKCzA()Qq zxf2%>=a-^r%x=Ff?hMW!=WUY2!VS5QDetE8ldPWgQE&+_WYx^pjqSxkh&;O(J7L2L z(Q~hmC!Yktdx!o@AA}a{h+3{|dEUvR1Oz2= z^5aXA8mSj8XRxzd`ZZu0@4|^VtJMl3efU}X_@@@D?Lw@4czK;1l*9D2HgO?h?$;~z z1PloZyO1^y*7t4k=y@gTCA&A*31rTF>W$<)?b2{&!oY>d`Q>|y#fO+Vfl^)mv@gHn zV%(hG6A8JQHXB0c!A6-&`(#DyI^qrMLJYM$SEu?ygQ$6y#L4z(Dv85kcG^R+x)3^l z$DepHm3nCBLe88{&DU-7xgI$s7qaFl;l|EDw6*=ql`PHB(uI_{PmPDIZyRFf{!%v7 zOt)uZK)}3nF-hq0(6qhTH_d))S~!TF2X)P#`^)`Y+$FqPm-9PWo4mUVdGml(_dRb8 z@6UT;blYsiIHh+XXC7o9$JZb95wKKlo9T@5PQ>4Qxj6goh!>4Oo8f`5xgfRtYROjm zAhej1rja&-1u61aZR`tYA`iv;^(&wi?A{fvs_PN3)rCm;_5;t_au~rI$3M-C3&8T% zb#aoPm`%T2$d0RsjW*cz(x||6AtN4??WriYR0+Be6u$_wJk%XpNQnFICTIIxjLjW} znD{UmgtplSDe*z^W2(_yjEt{VGb$Iii}tyY7$3@Y)s)ntQ@NdGPschJlHoU^YSz+p z=^+@NPi~H$@w$)@kEr=t#S9|Ig>3k%Rz5HLk@dAfIDE{Ty6t^sQxk9@7alaqsO;^vzfqAY zi}a)fq{eU9d@hV1L5q1Trj$pZrU!u)t7JIj)U%(!2y7OZO-k3J^^$n#_}@nh#aNu#VUr37K}Ox!Qo)_v^xeRyWRqPeI% zg>ISKF94UfEH=uc+jpYW$D+mECYxIM5ZkLqYdn^ZB=WZJbzqwaP>hkr9VlLth<`(} zvh4SaXTS+FWz%e}AzVm?2V^|@&$3*IfnR;pO%CL}W41vJlw8Pr`?E^z;`+t`5$}*R z=Q$`HaUt$~+Y0*^*JsCzSXW6 z(NWhnyJ9*gkog`Y<2>(b?`o$x$PI4WA{SO~4>I5xTP-+DZ9xz`;&l42R;MAr=t3O4 z5KU8X+8Ojwum+Yl6H-drSpt15tZ`3weVAWrzw}BA7c$_V#A>D&{J4? z#deKs@F3Qhj&JT!p1(m3&ghoRR}38t6hsTm`1m+F{eh zt-s^*q_qT_bRjG5j{_KU;I7?j_TC8or1dniPZF3In=Pa) z29hK{>}Cn_;*l))Gx!7;6~D>%S(Kh1hoHD$kofbq8KV(LLPC7Vl>6K2lkR;`eK-_8 zrVb#Hd~9?F&@zP~M4l_NUOJyBrnZcPhtR{o8TzAFP0?TWdgqP$zv_R!)h~#p&*!{g zwrn?K#C>(|*-R}CeGn9fsH?WmxMj9NAUwYeNe+ zw(o3Q1(t{|*|dB})D`Gn zKO}%8_)SPXd6P7Y-8$A; zJ9XYs)$ulsYk&A7@JB_ys6GZ}x|J=PHOlcRcB})6E+FFVKR)sTI^uYGWbXoqfzk!Hwkv147+5vV0J_>a4NYA=G`lQC92t+=nrD z66a|c2On&SF$iu)Vd`6d57OJWw4<=43ij=Id=IwSF53`ROye8wX^zw1Wr(yXz$ zN08%=g_;u<1_EN+J~gLcwUaesQ8@lZkIIt^aqXBj3-ze!LbAEFHVd-a%2rM_yJ21d zlG^@k+iv>PV!fb7Mn+&`U1E^k&L$&GS$gYz8B+*S-0g`lGv%CINO8Ykv!ZPX*Wym* zJb>)>a3NMFg!~vd0tC13?uw1K)Wit}SHVFK~&OBJ_T!9Yl62amEStSww! zNM*lMf$fvp(X2KZ64~mHaOkwhV5h?*`ZA1%#(21IUk`!<Vq>$G zki;I6V5~j>E$d4a|B{Rl<+{`ykq@*`EUybf*tb*y{}izn{xNgIki;f6yL!e}mOMQq zu_ylcn0E$|?AuGV-CI2*Ok-1l(}6iPFk%<-*vV7Td#;NyY&mIj0fpyaWe0=ShbGA+!?f06ly_UU+7nXGK+jG{$`nD z9t5bfR;T)vm_$#?--9Ie1uNT{!&e8(rXBMjPfhv^6!lp)dk;d?H^lTlAFm|#AXV*) zs$qIo)Wc1?Nw%;nn>8|A9>k|}dBK}YxwLI?9^|L}4`HVNeYAp;6)!u?R3C*~b(gHo zkXi2!=EHd@z`>CRvFR3e${JQV1Byzk&8w!Fx;yMaj5@nIcivo|UY)+RJH8(7$(@|| zA6}V!>uiEt^*Jx++up0QR+6gcILd>7^>{5PN;cO6B&@UG+>i7Dup{>_H$P;`Y+CHQ z2Z`zys30bTiVqt;+x8ZCEy-mq67(QxeXXYvZMOvr!jqA2GeVH6K38{qPjpq6d)0@+ z#94Q0`MQMGHfxR)gR>58(sKeH#Hi0JF=v}?d~coZ5Tj1is+0a~rnOwsFM*bQD}Q*g zuGaRY0v&H&wv%V8wY(FLTbJ`6DZlJN@_Iz)W-X9Ro@&2gf*kghTnSK-;6V^uz0(1E zAZuosjS#*bu-U^@mi?uq9>lOm!8i*(np+cuuUl+4e7ZT4zX4tuSD2){nYve)%jk4zaNBh>I9e0|>XW_JbWO?xYMYqdB?Rqmd*sSrag z%Y!(!inWS@q-ty%83eMGNiD4PULFLp2P3=7?Li7#v|&c&>ePHYs5 zd634Ac)e&_W$N|E9;C1%z8q3N9rBzl?*}dD5i9RxZNcL`NMqB%RMu>4r`H~Yu>Iu| z+W-Rs;pwDHCb>y{}^G^1yu)KM!X*gz&hRJ|T_E3rf?yHc;?&Nejr4ai}!~G4)hRq5pr7W%S zCd9FCSV1mcVUHCdjxEU1l^=wW?)4ynodv@r>dT^fkiO2>vxnBqz4ofjtptMCBqme# zp0;_AzrK=F;?IZb0&`o1w+8|2ILI#oKefMT?2b=&zO+wNODj}m4<;adeL+m9)3%it z&(@iO*7F}+PpE&!DRGuXp>O<<$IdRp$d41p%qDw~%8r?^Zu*eOrjru2J9V9qA8f7$ z1hQ{}3l%UCIkaFDd>Nh=B(XoJuk&c18gLEgS*zZ^Z8Wk!Qtds4^B|9%b51_mL8l|b z^MgEgzNXVh6*I)LRfjc4!zKR6S33zDnr@UFH!c7ZX_b0{31<(7+n-MJd631v3g{aq!7J_xRNz7*6uiSXHGd%B>HN6S7vcV3if^??xCq*j}|u%YkJ+Jiv$ zn9?-75zm&xXAh#-XTR_Lp_-jeqIRW9NZW8&v@-FBL2zY>{ULwd=@92&2ZjXpKoZ~a zT7eT>2p)j1AH~;J3lFL6l&g&_r_L`gML*W7Kv4Ti7GkPajy?u0^vA^=X@9;>FzCb4 zN*}1%&BWeb*@nY2Fh<#KP(k8BUVEVY7NR}BP*+&q8D9#L+J{cWxvc2KxRsAJHw*}E z4>!vBYLiYck-Aw3>p@1FdS#aU+4Q6!ntin?m5sF&EqRd4p0I-5OVc7lFguL1@FMbU zTR4QWC()=+O3s5U_IqV9=S(`ZG@65+NWC@c9z?YV?Z(d3XD_E}M|?OL^Yu&x+@-k} zKyG`&mQz_-e;&r#biOr{FKD_MbVGPsZ1+=}Y?24j?OfbQOLtQb!rR+g@RN5vjwYnH zvxci@Wwo_x*Mt1F@K>yA+U!za@CFg?kla(t@`DI>@~pgSH4%2vx~9vD%JV!(at{j1 zqN^u*Kv6IRyU$sbsh`zQsJ@#)>wdX;;_61~j%2f#YDjZuqLlTz{4vWABHmH>F;Vfr zYfVlS45pJLwfQ*^_?{%UK^pnF#aV!qcQTt58;hBTgm<#8F4t441arbiW96ciuU7m? zq^5v%F+j+Bv?+HYTh_5?)xTd0wSw7m&rHF5ccQ|Pb$cFhJ(tdntm_3Y)om>O19+vN(1chWmeCh4k-6L7WGXZmOcrgJDd? zNzw}8+iqpAVF>*~u%W@dGK}>?^s8@r5D(88`Ix4AgByrX4jY}@=P|5h-;RE^d~jqS zvXjoA>mlkqjEi^bpemdI@Ph}jaoRSnL^C5z4vU?}EyY>WSmS+&jb}+3d{9$#e+Yhf z>ZD%^wkR77j};AIuzXWKtH^oRHBcW4BmN+cFN2U2_4r{4PM^twi1|3m)ig0t9G*kRpM-?7ITWP(i4O4z^iOziUch<5KB&cb}79g|SpMYo5M;Qu0p! z0GPk8R4jX=sAeo-KnPv=Efpy$>bE5%(X)F|l){v@gS`3ZTzA>)OW**KJq3>xJwCBb z&FUC-Iz-eKqksJfW7Ahfr@N%;pg~Wo4{`GQ^GRf;#{wbpXyISA$htEckR_Kd`PJz2 zt?}o>MBei5YQLv5!*PcA_>|}Mc<%?6ZtFLNPBO&FC)GuM+!_n!e}70*@wjWiUv#NVrz0DA#|SX8+9(-kVEubg&CjJg0AFsEAD_C z`oIrk3R$cv4J=Iywo@)%WwbkxLx13F)~E#5{Xxpj=vi)FiUT((XZ9hPPRK;lbI)^4 z9lZlO>_b4EhMFaNww14z@_KQe^eH!M}dI7M>Mi~)f0Se;k!z8u_ zm8jdFKT=d3&mE2|%X!g^y2Pr;eTbvLxA8^XjoiH8=}_-PpG%aB#L_o*X8l!8&9X0pBzQ%_1(7L8&kz?J)uR!?Mc5+zeF z$|N||hm`v0$jgr%V?Z?e5LOQuWhpkKrT-s9dk|V*ayPK1l?t1La#mX>7X#~DG_Hn7 zQ^BZ`p>Adqf7t(mS}#cxES3L!HC?3-S@ypw6=Q5Jg-?AUI{0?Er)^&s4cZq5gxDui@~+H2gxBY* z$vhkywg|-52dT(5>}b3YA-hh~3djCDK(7=x<7L}mvrqwto`Qqy`nVS9E0jgG0+x%6 zSw;KRK!Wu>bZiKr+M>38b99>haJlsFJ?mQ-4S%(w*uQs|o;CLaf9dJoHw4`KK{)Ef zi~A63pI5p|(^yo~TSVvFJ1Qr;_2MAWt|Hfbs|)ny=LaT%t2JN(vUh9Rv! z5P4IgxK*w(eJOO@X@G7nQ`Xru0P*$s&o5sp^x&&E@uDkM_aU=BVxl-d$oyb@UJzNI z$)bxd`D$+XnrH2j1|-$}te%H`p~(uFeo@wj==x9@^cPlisPy+CzW&6r3x{NSJ&;_F zs5p@dYk8(3VlQeb1N9-n9&F~_xpauGzYC;Kt9sy!A!*q9CUD+aJ%V?~Zv=3=z80*? zk@;Xm8tSW{EPJ-C`7+bdgarFQec%0&dKpG)>u}5?;fdm}>LJdlU47o8f3>V92HV-` zz>OFggxS?SL(Nj4*9=naH561(VXD&wv+;m%kqTKFdfsiwv`3PrxEEA))|bH++!H73 zem7(4z_h$n8)EEpxgi^z8Z4TPhk;KYqxmW^EyJyNr<9#FQH%ChhJ+haH=(`&9qC6B zWO?1loxTXx)89zozv-VTF2TB`N9#5u*N^A9KVH@&zx4fQLxf$0`3HWdZq#5!Q(Nxx+w?j+w!_%k5Mv+9D%&>B z$ZbD-dxJrgeYNoKZd#UpGx&Tqq}T_!l!s@*)2-$GQ;Cd{o9(XvkF-4Ha@zt~ZAi8M z`RBj;|MTbnb~7tBq}s>+AP!A$5>o5&;9X0$EA?bUYJIH!6x}q1z6fT{kJs|d3rYJ@ zfz|r40`9=E+CY@vwtbtl!_I_+gqbIc7+?{G; z5}hg63yd?fA&u_4K3WO~A|>_fF~ub|q|t-rr1KF&6#Z&BEfKI?d!Uc$$)R&S4HuJ{ z`nR>HX|CZXr7!Ek^qJBPHpbIs#?KdJ@7tz)(_?}LAYJF`7c8ystA&1aAecU{GG2qG z%}i9|5B`#tu~vG?!G>`9j8psmhoLmQi!UDM4 z3-e~)=-yonJ<|mO!So9>=8sGTB^$!&?pCHeGj^Wa5KbTc5_||inHIx#`PfT_;d}d> z`KO~JzMy#xVLd&p?zJ-8HHfQ^)$Lab6<4yYvTx?E0Bc|uDZI;UXYDF68fZwcKP}_y z?*52!Th}3E)(O^~e=*U^hU|JX_o01AAi5q#(cJqm2OXvo!s`ip5tqgwwSj-rm!gwR zUY^hs)HX!clMMlrvd-sVZ9p5(7WWdjZ5bfEK2!$(|2nKb9qb6UjEvyYbq<;ofggfy!rfE>MHMwmFu#@xqhS2&rz#|2izY1`?USh7^4rY-w{Bqep8Rt`ehct_^wiaqKQ;bANHGAnh-7CkV3bbFLTd zZ3wg9Gt!Li_Lm^QKIMmcU>%J|qWQUNV;&E}>`~kdFQi){=~*M+n)tCBtN&IHGWJ}u z*7`GqTzkTlC25p6m$g1tl-wkC^#9ktPxKTIB;d!QE?k@D7}}71U+!6YypkP;eF4e$ zradZsf6S(*`~~~I+t<~w6m4^o8g-6unVH{G2b3#?F%(iwAFpnA&p=|RQ}$7 zij?UyJvi7WFAn^2Ds`s7hKzizwL&%SB<1{cJJh%Jy&*9lCH~AG&Wx`dQuA(BE}2M4 zBS~Kd3vSm)^CGx(Oa{Ad8soNXw^W<$RcdN7_p3}w4TB^V{ zgy%_!-xRGwZa&#m&(=gansr9@ldO6B>qCy-RoBzgwOOU(4MLcH{+N8e*;?d}4T1VW z&e`FW^t1@?IF~gPVfZCr(~aEnrdaY>3PS%3WFRIqpL-%yv?Tb6L!i!vApMlHri#ke zojsK{gzD$sM7@>PQ-r)6O;+C<9a4~9jEvC+wdnnbF zqkkf@1>dVod7h$?gJ_oDeyaXaP*Y=5rBz|w$Hv2eY{QiP=E6$6z#oQ-(Q3F1!!{jJ5QG1V6|pmctjz?^P5Z|~ zNylzV7j~Avf=i)EW0z!MDZJuN_e^Bd1N#VyYY#*^N~snM6CQywl}WUFD^hP3;Fzb=j4$~FYs zmA9|_?PdteHC6s;Zo2+qu)Oca-uzwoN%{Y#?sFSr?GXjF0+$gX(f+U}8Mvv;3w|q9 znznow$hK2!Tp`l-Xk{Cc?R1+I*L+Z?L4;uYHSrjUjLZUW;Z&v%gl_$Dt)8X4%sMqb zPw3lMb!Sw>L|%`vy;P67!x_lEi(M+^zFjSYn0xqE&$SCK5^twgq6Nb4bN(VI(-A!H zdR;u44N3Rad}zgTElab&oDFgJc3iNi$UNQNT`#)s z(gh^p7c8xi=9Uc^_^9XiI@Qf=h`>*Xr+816wt_^+zsFTZ>Za!J3x~VPtvW_j(SN7L z>;HLZeG2UP@#gm)OanmPz47baOdLtSnC9NpSJ{coJhdo5ygX!EFR%D6{z6!+L=ha62nh!OW)P7cQ)Raq_@i$pseKE}M zf42tY9hvfg5OKf1dsp<&w7A?l9!e@}u>gXPH5q)rNTcQl6#ePjp=&kaxfCwgs>9 zn-q(wM-5`{?u*!3{`TUdeR4a^F9yoo^6p7`HbmZeQP5W~iT&CTc>inpo-H?&z#!v( z@5jrPJEwWf{;)UlV`ZT_;$H~9-wT=rdl9{EZwH9JPpczqWF)!*W{AHRr5i=JBO~<1 z=-^+3D5!i!Q@OH^G8RPQmrSVr{8*_C)K&C`Y`nklLd#ot@#OIrD|t+oUZCF(kdqH& z`8jYhZav7yN4eU3RnDVUTNNbZhvCB@eAHKZU{@*J}~+{J`6m4^r5Qrlspd{{JiU6+FdL3TG+j+wC|2vX|-E7puUH%;FgSI;w9 zaM5~GaFC2RNGp5Mm%zE}JWVrc?#p!W^z}Lk(CsuikWf!H`e>DNofKtSC)a`O`Z##F)tVkxG_hMfi>jyY zf5G#+2bn%w;k5PJpu_!L?la~3aJ}~7K%_mEvYxMd+h5z>2e8+kpGgJnZkWodwGisj ztcFv+QIEN{6}R6X953^iD{{jcbc~m|U~gZH18^YWeqa4WW7-`Ix{qdPDQt&Pf0Bvz zP&5aE?1}P(X*%$NmwTS4tW`^OAi?gArq*OdeYoy|w7?BJ9RuttCNhd-JCItBQg(h8 znYtBQ?t%l!^(o5=Yb3HFrBQaK9}A0KnX7`I#;ByJsI^v1j<^Fsc7H)q4epR8lYo~E zS@tmL|8A`&);H>osIpzLCPB5F@$69ks(%nV-w*!NFkCEDJmrmO@93Lse%ZzUdLhkPIl+qWM`XYGby@>&~b0Ey_si<8V-YgsmHw_nF zyF55<0Zms*Q{7?0o=K3eVJ~y@d*PI2SEUKd^%y1yl?k160XwHE| zI}J5T<^E22udi&)mAh4y$}ZEjYWytN^g?}6r&3>n3*ocJ5STs8xEJL<=gb=QLiJC5 zC4^m+gC=AyIumOS#N4OVPFg{grWZ%RJWJJqr27NQc0$<#VMX($z7X>5${|pfxgiP7;>>mQXB8u+xNX4N?jc1qOW8il4q2|@OWh;HwRr6k1%!#0B~`}~Lc z@$(fqBbQ!BeTRHq@OAJZ(SuT(KaA~A$VFnIF z-YId%H}7fckJ@p^?|^KQz8d3BMPTZ+S2vyMqJupAd^Eo)IB6>(5g)Pq zpsp5u2^5FrFFdPT$x{kmZ|V~k5sO2wT|;#sB2OU=C5ykDr{X|X{>Tml^KClqB827L zlOzqKPBzwowEQ6WL;vHj_C2}3?A(iL2r8pHkdF_%(VeH?nUIQKrS)i~?$&e%vhVSk z^SA$CzeCnNB!b|*L{=jrWmTG^EC|0R>Hu>JNDRqq2a@hj)v=Uoe#O&T{v5>H#XS70 z?I%IJeHO2N)MBsy#e`4?vhE|X6HT#*5=Um)7YDNM>N;dE!Z ztMW>8vkh_hr+qb5zDzCPpzgxYhpKL~@7NZQln;2Zzl@;iSdFYh#Lnt?FJ!)JH2p`dtAknil;6^NZ51R367h3&$<;kstHd?G6J!?#%Evxi zb))C2x#H|VAb!MOd0vJGVSakhODN?FH{|9Z1AkBAHHG?3$3b%1J2h#8peq>hiDoFjOE3E-B_(Apa=gl;nwtEO!_?bNEAqj-w8*hTT zrdU@l7Q*iXo}5~v<{U`6k2noXqH})AMbTlkAnfkFoz&(3u|=>a2-)|W^uSo;g;BuI zf%JRg4*Z!FK0gPGI^3(b-+qHqo*-~Ha$ zjRRAkf`dVKk(%QVNVkt=eze?jpHdRuq>=1ExII`?QkqEUcKHzk?h9`@iG3Ovwdf6N zp`3xAB;nk*g8!%NY_=OWmOK6`ICtSQKABOHdlQ0N5Clnxp96rBN4qB3BHIGdG(hNM zUL!A%MIPg>;ulL-gQO^+@Rzgjc#f?GAfUUts=EHa@{%N&e|3Csx|m0SH!<;eIGxXe zuTC-_nsG_!41#_Th4o%@9VmpKiYzl0bOREPPzRsTLBBHy`({rSH%0w5;imFCYYtnM z29&-B=}|m!br&6|cJIr4FH&(hu%`}C-##Rs;)_VHJ=ywrWEWKSy*(F&+rIB)o^#y| zI#}brFGwPO4ktf!dT-nxmePv#tFyX!ZVZBFdE)ITKo8pv6uRFkk!_38Y;`#~7*!0_ z{`O#2aCasi$2Jb>=VDvy+(bK}x7OyPUivsSH&(2Gm&YFQWw=)h6*Gc3eB3BxC2phX znZCoW94K!O*6W-A-N==OT6e!RQ{P!=l^vV@50tqNrHMbyR#w>F+KtoCM zzR1L`-q)c674FF|-iIzm%)*B{_pyFb?-<~=ISBRc!!i?3BLBn}fV%hCd@SRdTzs$Q z#sbCf)Kbd{6DOAIvZWregL}VIo!g$av}PI@ir~GC%=M|?{5zt}ICN&`SU*M8|EX6! zU{$r{jPBw}1af%k+T~dkQ~CVwIBM zuaWG5+IsWG*UG{I8dDFd>F>o#(W_o_vjht2W4%^-Z-w9Qriy=i$VMpNgoEJ&*I}W9 z+r;loB!lb=ZQnAKqj;nVE<{;Me$ zsGv{oV<&DTL2+~VUXPh0kf^JUu{5Dsa}+!mlqpGqu06o|+lFFz-e@aJ}@^upc;NEMN#I}SK^);t>Cder@7unZulYsD2=zBE~^wdvn-$9;BC{?SMIKGDI4$Rr}K-`Q)>bzp%YLjgP;DG5LvmYe(&H$ z@8^o5hn>#0+fvx0wnuHdUtDdbefca?{n5*)-vfIA<-zA5dvOSoXZC-LeTApFc8n7~2Qs_uf4Z2JArT{RNvg zH8bQWROZ|%`QpSCW2kL)K^6W(s_2C9V+h=E=&%6))PZ{4UfzPc&Nt$TD|#9;*>FH$ zB`C+8O(}6N0}27f^IEi=20`;6^q9netF_GAC0G$q$+{bEL)-%gcXMbxffr**eX$Y%glc`lfPMg_U*`y0yb`G558~Jf_A9yBm>GG(g}`H0sPCVO9jm2<3jauM4%S+# ztyu`nv5*U8{$?TmG04e*uA531x1je1K~w?o>%-s{Zo-b=OQ#SkB{#WR3FmLIH!znO z&BC$wxB8`!9XPWiZ_OVY>Tf~~LQB%RlXBy#MdMBVs>m?h_I^7zS!2GR3w8fq@4WM+ zv zE~EvVxJ;Lf8t1IIkQQ*Bg!d{Vrb(kuJ!?!|$Pln8i8w2_TR!-6Ax2~Q97+6B7J%wP7C_*~^|gql|G`~6rREs-ffw0!MI&mC+B{!%q56N3%XOX6 z?LxKx;6G3FASSizLZ!ca)k)~{>}VH@{O7abaOusQQBdp4RP{@5{?71R;GE5z7+-KF z>FoBMK4UCU(}X|}0CnJy&+M_C3t0euYMaWQk|X?hw6f1l-gY{zp@Uj}3rznZiZb!n z_zac{c>u%mQZrVXI3+#_SZtr8mSl1L^00!yM7G9!TqwQuvB(B2Mt*zR)`jSRIPoUq zFlicG3=c@jOr~iCPHTCYFdg_Jaxo#EcKboJ3xNW+)5wu$Kf5>u%}r0)g-n5-IzCCR z;>Cq5f#JP(ai6$b!oA#V5Y)rH@w#9K9MVuOQgNi&*4`!E#VmnL+Q9C55q&uy%lz8v z8$-mvy-GJJ5!NoHlI$9XumNM)L!TXmEJI(Y6U2(YBh(O(X%tl%0Y4g^3aDjl=X`0E zP`pP5Q3K0EMA_C_+OlEcA$eesn+QM^17n4lRI>{)1Lnt_ne9CPR38QlgHllxm(vvU zi!(>`F2o9)OL)Jl%x+4pa}GAz-5H}pXo>d185i;d29#;DX{utcoZ{wiBO2oXTR^10 zAxdOjQj3PhS%VAd0q3}2B(#aQ%wH1oGGGm}3poNk^OFZc(Zx5>&7?6D9}-rNvdmPW z*MEub;6k*(C`_oBkUJ7{Az)zY8E2{98QX;jf&O&D%y)GC2uY!1V}}Qic9Z$E@$ULFu**j3C&rP1W5tbyLlk*W?T-AL^xqJAl4 z2b4Z&of-quFdq;o;O%YALwoxJ7s3SsZ)gI9evkweZ>}zZcOgh%8kp~K>buRD4TumJ ziM^s|laeEkvM8!Ndo1&3wKlU(KRUkIRyP8i_`47_U}YJ_PB^#0bnY0Z;DjII-DwCO z2#mADwgYk@SKxLs{6wDYLc+jQt#?AEj%BUX9dQU2=;fMtjUVpL{LZjfCc#V!XFy~b z$<`&gkR}jJysP@k`bcCw2&8VyQJc9Q$Pu_y1%%m9$|uKvThYFL_AuHE1SAWLsP)vW z<($>U90A*>gnkiCO!;bBH-97O8yMH3ox|@!l0YM zLSr_Y#t*^*?(ZLF?cqL3IzooPoqm1&cyL)C4U>P7iQH#>XA#YZk;f`wT}TX=g-J4} z%7XFS@#65rLkN9u;`qTVi2`Sl1UKwlfMgMw>Z3hNdp{RoCMDzu5PZ^%GH-T$L|Foe z6X@^7`rKLYs7IEN0*uZ`H z{ig=B|%r>IB(Fif3KsZ5}7&4$w~HQ(v;v>uiQokUHS&{8V5ahN z_b#r1<^L|E40wCmRv*}<0x<)0=v)@gns(E)>BT_UK;?wkqE(KW>_XIl<-iaQn|ork zxQD6Co^4&`IXG%hD?@_7z?igMqb#rfED$2_-Gqw=%2Hez%J(p`%{7EL) z65bds5C_v<5S>#T=HFf~oP^1bGhw@aF|_ol59{NJMcZ~r4Y33BzgNe~?39GSfzf1f zsZgzqHoG1mdSGFEc0szelkKaIg|!0ZYL&jtOv+!yw-9?S&6hoxZy%tfXzsx z6eDsU6(au${CWk#Z{{{39UzihDue2o4^mbh55rzHY+^H4oNkXwdnd5P;w~~rB z8qbbQfC-Z`>V+PuXZsL9J?%ox|3sGu*{Ax#MhF5W{xjo9kN)8|&)1qp01ExRGC#Rn zYb|ZEth(A-Sg*Qq`T*tsBeJ<;`lF}I$46lnCjne|y9QAJ!#kRd)X{*Aejy4V+3CG` z`u-cWYFo4E7>EOyYGU$*^Mt)KvI>8nIf>aAj7zhm`eHv|2xTs$0F1~WWSQ~V9WNul zW_2#MuU`eW8!#Kw-0?@@;wzVn{DcZ%7St-2w!pOI%fUo{LNyn$iD`ma5A*(PY-i=3o6ayj=iA# zf82NcF!Gn7c~#6bg_$~;QBAuEH~UI#GhM;Nn#&)O0lZh*!)t(-#;F9v1Vq7bIq|p+ z3(^64DrZ{kxfl&V{hIupG;1P1>a4|qhG>9@iuIc+FBdWa{BTBlC# zl7dIqx{w4AKb2{^7TJbHce)SHj_KzF&h9Mjb=4q>8F zSE)t*n?Xdt=v)AslyBmLXUw_A^($lP;OSRhh>GFHswTLrLOUYq=*Y9@70Seysx{vQ zaRQU@ZbrggRt)AsfWTN}`l?j0<>tt$?95LU&YCLk6kE;!$pOYmT1hqy3~>Q7k=gpN zbD7>>{u+=!a_LFrO?#2Y<*^_^z&^yc%Fyw17fOgt;6E`je{19hIRTN}+wyFp1k}et zbs-67<}v%-kU=4_GpV6ezAjb0J&g-N0Lv_`W|?z7vZOCrSMs`$2@q%E@U7~O+g8T| zi2%VyJt|wv@+lkNg`9v%xmN63{{#wP<-lVTds?Vy9JFQGAsE2QmtIuy;i#6GcaRc5 zWi7>CaxOlE1x!^|@=-n{1rX3;o9h=WBX=P!V669#bTAlx=kJeOicq7@^#vH#7z{gs z|M@?U#>#+}aW2LL?8HG%G@o06hyW_wq`&ad0R#jLa%nagCNRL109{fejPGnZA94c5 zYV$LZOap2cvjHyBPI+`<y{@&^bp>dbzyf)Gd?=qs}lk2Ntr z&iX+N!8lci!bE{qSIQ5ERRh-TZ1a>LlOU3rDAQ(hD;I(XZsYMqD%f~ZC?p7@dD6HQ zGA4WRYToVMD(RYq4P8hVm>(LdlP<&xP@-%Ze>lu(#5`R{7%=Ya(WcC}uh@k|fxg}= z%VlD!yt|MZ;ANZlbOO7Ix{w@T5rgLDByVGeqD7wkh{85hP8XvA{QgIw=>DKHIy0{J zg`n27RyZc(XtMYZ}%wEL}(mNb)jGm1F&~`Z!1% zPmdy#x~PwV9)XG6QaXk`#qg{j)rBB{Ff+EaiAn52slWHr1gg!GjxJRACti~H^J&v3 z=t716LgZqjUq1#4^)CVy{$@>r?!;ZF^S3?S^K%NFJ7elX(f_nKT7c(u#^r`x;ZXHI zNagE$!S;2$vWz|UYG~EZi=xb(-D6`AA0idT> z#?5+i?nSZ7wQ+SX=yQIC!3Kf)n7=)h#e2U9^0%&?Eav;6<*sIfc{IKD*toTWR=%`i z4SVj_*h(P?pqDE}!E&fRKVNXDIby_f}8_m%juu0md*t=G1#pwRGR< zLLR_OzA8?`+Jzi|?!p$J@f!k^`1{k=a{4aR_mAGF*i9jJK^Ln0$7U|?#Z$dUN*9X! zFG<_6@S8WRmqvA=7h<6wA0D30CIjCm8o-S1U`&5d3 za%;(s4b;(=p*L+96#WnM>ni0a&0VPaw>xwNvHi+e3#j_Hr89q6?Iq)tLCJp$*W z`CpB4(Jll6ER@)8m39VHE;i6Pz2y3MjQo;$C1GpqrVt5`=qH(}pX`Zo7mEKM%fJ)od%<=_6gJ^run?swS9}Ca4w47?CgM4W_l4zY9SC zNhKCGLAK7ew@O@@^LLHYTP43>EGi@h3?gqBSzFu>CgEKW{rIF)a2MhP7Lw4Wsq-(+ zpfq!q^Vc9-piezO6zH7Sg@l1+Re{Id71@pc%$qIy!xq+g7xDydm$ysjb{UStB}`T&dsvMmWJGC-Y7(SBp}*z$E{&lzVBA^>l_+fT`vLauqLfKz0?DIMStFcI+`adpL zaxGX}2&MkMrphYKrg*zh?Z2pq8>nw$7s~w;aX3}CR#ve-7Om-#ObK5x((5P5hfh%K z|5qIfsQ6!qym(8QFdVA=kz_of1R^~ zlO#*r0W$jhm&8wq3P!{HAymz|9Kngj>c87w#WLwm1#|@p4feMdEc|s_cZefG(769R zqiLRKfmPr+JbIzQ|BOBlSrlXdI3-PV+Ax}muQC~XK%VWr;tc=qvN zESPk-bT6&i1S%p|-RDd+nZU%ShJb=wuZiXppj-6HbzItb9w^U0n&HU>KvCU=Nw6q$ z;E1dnG{1lwQA0co*2%*4rOMsClYR4LG$10fYRWSOT@suH55#o{lJhIULx=ldBMZvIuJ#&ZBA346dU z&oR5XG^>n-<{)6T5g)i2O-wWgf!Fg0HBTu!e4)zjKysr=2+E{DrN{iV$m90YBw$q) zzW6^?;qcU=>*?+Z|L{2)%`mXNmn$<50z32X_t1O;A8H@Yth4T!b4DE4sjCEh*g5Ng z`WVzaXW+eq)MN+CfeDB^dT^W0!(A`3L*_>_4_H(@C%#O$qDcpwduK=r*Iq#q4iil{ z;H;o_bRkaW1^k4G*h54&^!cNUxbg3)Ad8ZIZ>kd2zpRKX&yhq z@yM;7YtZxq-mj$l!L7dWAKq-EnF#FoVVy*K-ZC7H#>Q_-mw z%|6hFw_Yfp7+l66U;p;k&;QI%UN>V_)0@Wm{Oj!DY<8~KYqMoo3ukBW!7H>;r$4P$ zgZ-vI)!$l^{#$DpZ9~`FS{pvsT8(D&Z}nGbTlzzfYkoqTOz2j?{!aFNb#Q-@pP!+$ zS4tj1#n9hSIULe>7i{t7&CjG4F2G?kUT0((r`cjdjZ8nHnu*!nk-wxi4&|5kZ{MfS zQ8##mzy&x0M^EqHzI-t_w|4(Kq_#=_Z0{4Nzx&@@^-}%0e)Ol=Ith})Z~KC8C-Fl- z2eb%g51Ye=CUGa|v2Qys-xB&m#h>?!SBgN_`#iqsbX@Q1@7kM!dLgZN` zgIg87U*#A6Fo6f(6^{V}-gjJr%3mTgutFzbG#++u?8)bW)psgW0G#lR{B#{e@pJqW znffbuG6;XqAGN}WoKvPbXK~8sw5juO1|NKWh7!UFYy9Ckx^@P`+u`nf_q@;6WHNR; zHxuV`f7o@d|6a@tB~9RhxBO%NJqYU#^o~Ubr}1M(ymj&jmDsfZPswx+anmWuHmjiQ z#LHjqs8c#K&q+!7HO%HvzHb(PO^FF_GutlPSC;3w-rqCGDV6={bs=B=M?qE#AA!?e zLkCFYKUDzjs{C&ojmBT{{}1@V<^LIMtS$sUh261bliM)K)+{ihLk6z>W}QB~e{N`o zy|T120BhhB;-hk$oF)GBPrqIM=YIJ6e>DwjOp*ubD+mC5{~N8Q(Ky)uO{4wS{{I7h zWc&YT5CBk*JzPSr@L)zBlX&@_%(HCu{`?#mC7h*a>*?3C>F?*y`k4-&ozc(UyrKVi z|NM6LHhq4Z&fY#u%c#(i?S8hesT!?bOhkE>lgE%YGhcRL1;1LK}$S5=AYS^2GKR_63s#oN`+hlS&W8J?b4j z+GD!{1DYNTNZ2Fu)s}d-ck7faeeh;tC5c5%|M=1$-{yadC64due~VR)?5Qr5HN8c= zT5ZTIOuxu?tsxg(BbRkd3e}K8jV-sUh9y@T^tS>`s4MI@tJ}9o$}V-N%nw#8@$5H4 zLlqD@7e?!t4mVx}<+U{zwI$a_O2cg_X^>lXDM8Xz!2JBgSen8}ujrQ0&gx-rm1G2#S6+4l;xJe5(+v>dub~5 za&X(HYa)hFSPu$8oNudy+G2bhQ*J=18)Q0e*_FW+IEIo@=Rk!)@ClP*$qhOdyGB^f zh)A`E3ZlE)b=C3YvfG;U)#2pw+x5BwIgVU*-^Iyd)(cm1EV*PHxpx0j4kQ;HZuA&N z;R6KqO3~yyyyrs(1u2rkPEy(c2EK{9VY*uQ5*cGCZKBFKP>!gklP)Fdt$p2JxX%Q5A%zk}&B7k4S9 zeEzpZowHyOtmbjF5#L-i)Z{Dc8U~`GDis%_DOpnmGoq=qo@1+D7$pJ-`SSJXXID6g z!g}3bi)fXE3Z*B-tmHmrq(+{l#&3?VeHZ=-e59X!JLTi5FoVJ>ws1!1B;o9d$Br$f z)xV0Dnx7vGU$$hRkZ>$LNuIF2Q^ec9hHnRJ+E17M%B{o>oBM}ZFx58{cnMq;f=GU0c*H@|}aTui)%S(m& z%+XhHwbxQUojK8L1y27M(uKk)cNx~Qoqo~3tz~gd%A*%yLt(_D1pJ9N?4~A*^OP%d zkP7zbMhL8OvFTAZjb=weTXJc`EcXsr?!`smTqeU5B(YG8wsG;hpJE0TxYypTb3gtmuDMb4YB(gHqCN zBi9zus_L@~F@OR)!#M-(go@;nfv6lO-C@nbFjSth+~LXnDF!3gE9Kjjm_?LTim4lI zF@WOQ(Ef-qRM$ofBA4V72rd*+tMVvMDHQ;U^C0Pl>P#>g-n&kLqatue&O`tp*J0y{ zh&6vygPF=24CX=H54F31t2nEz7V9VZUQv+tUBYf%q)_rhxI66kc_%4TNl|!eV*NsX zM5Sy7Z(}w~CCSH7TB?aPA~@CsuCd%`wa$twT6}^pl=RidVDk`5_40+9sD;c!;qO60 zMgh+^;6lyPjMu5c(BxawoBFJzsuW7W4)T`)Gk)b*Ke+323>E$Ae9Ho;C&33%*d6Mu zWZ^v7ji+CLqti^}6=EszVrh+)cpiqQ^0Xwy>EHt!As(C^r6Cz+OF%2%P7NWgd=rhJ z$n2VTxT5r$yx-PhHTU_{x`GkRa;lGb8i@iJ3eN`a$m0_?RE`HV%=OmB*Sxr%lDc)- zO6%VXli-e}$AyD9(Ts}*?=i(zJ|BoBhplXx5BVN7wh~ubw(WSHz+K2zVouNFS+BN| zP={z0>AI+yUN_=tFn)9%4W;9ag8`^`=G|ieDtF^_IvcsM<|6LgIiAXu_)SziMRN60 zj-zsI1BrG2pJeLVj6l~ePn9~)^*X>ol07Ai!XViD4i_=!S676%( z(YCV7;76M$l?!@>6I*9OPC5&!l?i)=dJGbgFqA)udCnN}xnfZWw$kg9Z4Ej%f^n&w zF%Oz1ZS3jL3 z_Gb_LJ=s;VZ_K)Wrb*me07*U?hV&psQs6^126AvNe8~$VIqEoSjHnMev^~5Jp3nM_ z!I@+)MGo4bo)SmDU{7x4cnX%x7O(W`Qofn)shwfB4LryBG3}@ZO=(WMBXeJokg{pf7eQIq|yp?kPSI60dHEB5~3bZZ3SNVvuIZ8rDg0dDD;xAR7z7?Mal-O$5=v zPZ6XMguviGMY02N{D1ByS_3bw#g8QcK;r+kW}^v_|CRWEz24O7f5rd*0YCro`2RA; zOTKr61#qacCMRF1=zgMqcDhH4)}MtMrooJ5M@+*!(L6c16X49?m#LM7$ym0bD&B-{ zg?fE*Pi_rTMoaC(VA&h5W7=}MU*v-&`r89w{b*aIVCMDXYO|t;sNC@q9uaa^JYrX6 zWff9KhBoSu6KnPiig!jv+XpVVmphds8)D?k@X3D&v+aDz!5U();pCF#myu#L#Td6C z9VN9-FGn}zJ!tZdQtHkiye~96=ALj%e+s~@w)4#tTSmM-?V|}a@ulh_XhhK^U z40{N(dhsu;6V`xr0e*LQmv;wX>Gq?v{0x~YqyciGm-o`}Ey!%*eXunOczQ(R2n&5* zU)ZT#9e0wlxZLtZf z+VFv@p7PWW$%#dl09v)?%3rTm{+h*X7r}D7>5lhca?Uj|rnw8F$t}6M9oICIPFLS{ z_AxNSXb?QC7yeEr?X*btyaRwHh4;b*%iPP-3%x_<wW@uEAeWlXOW>wfL?G_1i1z%C??M~}XlI}eag#*adz^NG^S0NGnB=|zu zDjOHmQ}QVs(Pjz(N0s{C!s}?!K&Tcn3!j!1ihNo-ZDgt03RAn+^Sb2IFSOwd3IV_9 zhW$=_zho7N03EFX()FR1&XPbh7{pbrr&*k!a!yB+ta~e}io7fd{AGn`mhV#yVL?NnUYK|m{+PA04Xcex9*!qgKg7m8L&6-&IR zlgX&or+uP)RXSjjTYa1DhmkkXg7u!=FLD#-)g;~>7!s6TMN%%-S*(-pZKpON<6s(u z&vXMl#!1O@pBz8k-1!-u1XeS`3$i^;Xi&{U|LzLm2J=mYlGUw9_N-5zY|d>&M_D7d;~U z`Vsh;GJ6$#giHDO&ExQq)9i8mztC_NgzrUk)qc^>P`*173tc0iAtyCgI4BMvB8f`C zz6cLdlpn6>_aZV*H(n76xrSs=*bMRTkZZ{jPcTCgNe15w=gdeM`ciWRgtA6!eLf*}4-9K5;8FVd;mBVV3l}ds#_$TnqIonVLoftGFgQba zRV>Mf3~V~2#F}V2nvx+j1w&|ZhVY$OhGeT7qO~+QoAZ^y@ZAbvR3Wo}2sS()7T?P| zup&@tzxIUzTJiekA^dF}W?^|H!#Ucu(d$|8znt-CSZ`ac7NV;=>&%Y=;?e>4N6w`V z4rnoyre&ddrvgCap0N+<*G7=>Q~|Mz-pbUj>5;6co|qTvdm%M-wEVeNZ|LMxFA0Kl z>Mw%511#ML2vG-Og;2(no)Q(tbIT|M26<<3jh|-g~3kl0uT86{-njH-6 z;U~wCK{Sv>%UxBWsQZSr8sEN&5Yp{Oxkb{bUm%04qLP!nPr}n9nn8>+Niz-Yn07Fi z9!Wd;G3_9RoUEP79gd`-?vFG?oW7_n3j2rB~d|>M8MO0qO6$%~#=&^&QwP z&1h}mydZ&#f6jID3tSU{8wblcgZjxS+}VQxnJ06o;ci4zL#^A0vTRrx^6!_r@kl)s0aq8Xs?KQzFs2gIU5hz<&qGeP!otUA-18LP!XX-c`LHe*4XDtE*JfL=6 zM}WlM#U;H}caZtmOZ$+gwvfT~knU__EQ%Yj{x*D20k&$wcIrKZo0Xa(C!-|34t@Gz z_u6Rj&1Va3rx3nG>8$l{>i%}QaUJOvgl`3NCgQyA=vIs0q@MZlhD6COKW$a1Etku^ zE1o!^vboDT+m?J}xpr0moJ*QZn7Oe5DDguiasi+y$}GcV_)ESL?~l-6Oh z#*>(M2v`7tHIhFDRnT-M7$K!9uVS{DrZ;z~ZT@^SA;f7I_o2AjeI&B_mE=IL?~-FT z3SM9}U-H|z&~r|)<8}!-$p0@hO5ahl%{;UKEy*nLEF_as1E9(A=;kx2%K-|%ELZDC zagv#M6op;Hqf`EBZdFa` za5NVNH8m(lw~?3;j2H&u44IY~7(jG|80}Zf4~CJPyqpu&);65}geFx9(UM?DolDX+ zF1DxOV_bYI<3DP9ssockiQ}(D2T4ulYx>8vAw|S?r7x@!gpJ*dJwq&1pR4 z-fs6(q40kpFo6*l@*RpRFi`1pKJ}dWJ34;;j*gGsk)3T0_J5f_B!8h^7?`HCK`G+E z*laqYKOvq3p1*i9pqe-^Z>peBhrr5PYSSwEIsw*G9K`lX1@70P{x%9eY=yD2lC@3) z8(Ab+bmWG;v!O4KuSqBvG}?y3rq$A)x2>kjgq?j{F6O1`v7*!*seT|PCwi?HbfaEK zJzH(wK%vf=Ja#tvG~i<|J4cqjL3*?1Y~#_8Y)xCUK-{V!|234hXt^=d8}@#GTimDf zhPsm_w9uYFg_h&=h+ZypYS=tzf3M1eKj*Z{!yWZZyD4xS`>Nx8W@jmb&(4<=_HXQ= zh%nyV{f&L!7Gok68>|3@W$ICOH8$-_AuDY^{$Km^j*T;DG6^j1x-zV@H|%h<9l|b5 z^vz(0afg5LvoqKrH2?vjo+`)}N-hZU2pJL8#UKhJo(sw6s`f5aPTwJak0MN)djq<& z$GQ2G8y4P47<5O{@!T9;H59h!juTlnZA$d@Q$j&CEJ_rBHETej=WHnOcGaLDuA7;N zT6Uhbfj4aQF!ZxGMj3(`+^s*%68i_stQ1L_NM5)KDFqW;#livO>O+?8g2s3n#{7Hd z-Osi0)Ys}rFZNxN!4$_~H@@copM>38{`0N)?{&zYXY)nv2$up6EtPY;8?|hOcR{324TP~{eW~eHqiwg%>^7qwG&lHM zSmE9JeVHeqZbHTKIV1@;SU-m)!eNE5E?;0K#>w|tsysKVc}L{;vT1+n`gTBxs=h(b zL-w5%&(88c2?-s0_auq}5{1e2AS0_2&7;Hw6WDisOf{ktZB^skMR_AM;$(Ckvk#%? zD@?o;5@ns}K%TF-HW~m9o9Jcw|RAr1vV%F+~;^2cf{X1W1rd1#b$44 zwyNe7shAAC?GleK{(;p4Ol}_Mi$AuBJR7xg)4{{Mivc@-n!P>>3y}zt-*o%G%&J*; zNLfWmTcp79r%6*qjad~bny&AF1r=abat+dNY<3yh^>{jQ`$Idh&b2u-HoetMxNDAm zV~X9-2FtL=Lo13%Y!JJZ<9Ouk<=4%+XKdEJidpyI?Bz?0EQq!M$c@c&)plJ5X{@Xj zNNCsn+L-mx76SmRjah#?X0=BuEG{9{N-Ls7Nqil1C%}rTzD`6ciwx0xo~R>wMu^5; zS3z_GzvGy_r1`WXfz)`*VnoC!mzRdzjEKmylzJ$EGM6-94`Vo6}IuD*%o#qN1Yn9U!cKgFiU%s zD9OxVyqw|UiJ8GGPgf#yOr=id3lH+uV#xq$&_l9U^Ea=i@j{B-EwKZ)iIloKdmfZ9 z^XwA>AkRqQfA6?1y|E_p{q=&l1-o#NvBP^2fZaAD_S0tDgcVFx;Q8j0a%YhS-|keq z)K0a7H_}qUK`{RCZ)VW9=Gl1)oT7`ZG|j@g?usWi|8|04Cs1$D%@U%DZDb|U{_EQ- zySeTRucmBS>GB{@63KFQZFk=m+ii=l{ef!*{r@r`uy0FL3G{k)WJCaE0yiNLT7J)n zfX0*;s498{S@hrnbUcRq`cNLypqcY;x@Q3o`>iIls<65PENe!@K&_MH6t z-?N3dKjqAII^sYAZv$#GRK{Xot*^2OJS7XAMH-*Lnd5LD>+;hr`?}3n|F(SEx$t90 zs3b0_<51E-d?pitgQ!Dot4T3+R>4Y477>t26XB-mi=8`m{w69Cb;gsMjc2gwJZCdD zDdE)w0m~XHGJZ7yO9eW{SB!g|Pj41Fqm0c~r&+nOVFuLMF0~+Wo=@Dt5 zGty=qB2G?>L`fPu@+~I5ws|7`dpA|ovq`eLXC5_@W&F^ItRps4)SBLk;plZQ$J*c; zK9xxue9nJW`gaAFd`@>_d^$m&%kHmya<@a5oZKZ$+}6f%yj&&eafPe?$L_Xep1&9*wkUKo6{TF0!)1KjDL;nHq|QFwSJ5Da3qxP z>hB}G!D?F%uvm6)C!Fm=*-G2M5(8VeY2E*^cS9&wYx@bWwlaPxqgE~)Veu>fyyM(m z6D=ttf-ZU3pU9UfMFozUSitTxYG8HE{?xVtuP&Vbfs$5VoS+0Oguv$!{*T|KqS{g{ zu=vuzns+IMK!&uu!s@uZL+zl;XH$=Tjo;Q!v)5N*_2}#Ds2a(cP zin&s*H%d$Sbw)p5(o3SW-XPCXvbV0j<)SkAI!N0sv{VNM*S0l(5}$UbTt<1b`3JS4 z^y`^1-VhZ_*5cH^yYu)DT!5~2q6C!`kd@~XN=W@(PzX#SxOD7uy8M0p=WLa1-XO2| z@hiP#Y&5;OzPzNCOt9+sM)5}G+7nghXxBz=y#`P^3|uR+N1baHb<%T>x%O0-_~g6R z0&0$pYGrHEVnM~$ei7I6thX1eYid=E8#lZl=x)Z%(EiG}fZdJ8?KF6rJtX_I5Uh*b zl$9x+QhZB2Q!41ho_CRG>$C1gP~=$A=xWm4{+E!3D&ME%g9esBCow4BH`3S;^J^6- zdQPB|9wY~;`u_os2r|Hji&bc3+qO99rqmCQOXB zLzO*1FZ?9fC?;%*9fG`4DYoXKR}0%V#MTT}Xkj~s*qT8Ny*4-1wovEPg?^8lXbyyb>|>h>1!&L<`?&lC@Lrv;&wMDOVA2QvFh3Ns*UTt#Ao4HqM+XYv@_`-{ zbWj3ckEf158E}ERaRwQKeXKynz}t(#KGVSU_{QD43HC8Z^ub8Sj|DLkBKz2+3~|4{ z*vC64^zq|96!w{ki)L?5Vb37YHD@r~OC$G;hzJ7xJqhf!ND>4-4!FR52<+PeQxgK} zou9tRmYt>sixdJ|u)kdV;4|ln3R4d2SqfSwsAUkf1cd;FYh=gl6Yz2(ng@A1!25{H#DOTr;iXzH;R4a>!LWr7~E9)Fmlw=&F|_GTi2Bo#Qrv z)%3yf>w=0MQcz9Xss`2a`(+F?eq3iyn5-+8Iny1Kc zKTn_L&jz3DNNX47#~xltTYhVGo8`gixrAz z;U7pxB$pVwbvVp>i7W#Vrw)#b_lqILl(Uq9A{Jiw0+N+mgYHs(@n8>%40cwWrFrb!W zD?>MMY~|>A_Gu-EuV&$I=WS8Rq!|mbJmw#GY(Bn*;rsKNBk1S`&ueeK8EL5($i8xq z*9tp*+o6u-=Fr6i=nWg{SZUvs^EcYUt+Vj8>Qzfv)N4*TM)l!z=NV>OAyLsUkd>R# z%}WttDyNzD~^Ha29srIqP|y_J`BvZ6jpbiZ3DZp zQ+KTLvN~#7!qnYSftWhOu)qv;(^)a5R;QNI`_0T+>IDR)lZJX;s1#W@&1wgE-UhPn zzG(&7_^5ysTzALx5a5R9Fm3_7I0%Q%8MJOcybRXSb$Hu=wZr^Ozjjryc45(J!?t1b zoSYceoNF644|fKG&}<~{1snDAB4Szv%L~|@oTCQNMdZNP>8*@bHocDdADw8Vax-=? z%?2)sd24`a=qO4tZ~BgM)-RvKjLo!(Hi{gc_v+@QP4LYuRonQ!R<&g#{PBeJMS!E6 z#-+l@_{>>QtE6)v99*ZtvF!lJ>^SV}I9Vr4DupDd-KXZlI*CS*?5yWl;+B|%1sC7C zuSG~qd;JB{i zT1c-uj$A4_)+VHi$Qvd-eVMO+pRW>vc34}*y3o`cf~LCD<84bPD~0u?m!~*yZO9;x z*?q8Wo60DKhxo2jD=Vt(31~t9Hf)ZiPyqJzeD-v|Tu>cVv!yO9Vr~Q}2AB;}*<|2~ zG6II+;K-#69J#l~;8uFu-&f%kif-00F;u8oMs@JssTL8B7#}=0p?WzO3wHUq`O5p) z;YPqq)PzdQW1L!QLWq-jdClqI__&k`E>B@XWwUd`pJ+luX&D>PC>%!($fN?l7xsv#&!Z zutMd4E~N*dV4LxPX4@w&Z%i1pH-JhEs9J(j2JH=;avSiUe8;1TQ^|;^{k%p^p+{tA zo!efEh$AdlSNf?a5;`HuCo`looeo(~>=UQub14qmC#W`?z|c*s7iDy`Zd$9!uN~b+ z*R4rmwa><>VCl7k1h(JK+d5irTdK*{@NLT(1(xj_WE4nPc-os8fQ8+VMJc64`;LlT z7Tc5-<#}8wruL;D6sFn>lECT~T%}>t+@VeVEfd^^>Q=!Wmrnc|fNP&QrNA=>%Qiu6 zWF}>(R18##s(q@ILcLC2#pp88s!;p<9s#PvDl)(HPtfmT)izNyX9(L3U-QYg8MLF3 za3;lTs6pwkhFECXkFY++)0pl2actJ8O(&wgf#Zg~$${CZv+pa^=jfS_IIFg+`v7FS=z=nt<7M7@%tSU*w6 z#-z~N<>fS>BO_?-#ALm zk+o+{bw9_qhB~J0)oWoJy|;eFN)>im3c+Mh>zAvnLtm%kiB3C^;c2J7>Ak86a%)B; z;sc7x6p|vhW<(+@-K8_Y)-V61#vYEug)bWLrNCSBS1(sVG>pB;h%`5+J4BpjL`pkz z&Byw-_=tLIQU=?6oNr4BG=pt!(F<60>`#W=+@2T6iXBfGtZw!v>fXs}xn4GDZS7jD z?X-5DHty|V)+d+$;C4lPYzGsnI!2CJUSl^`>Dn^e?*@FW>x>8KV%rYL#kPz`a~*H8 z-0w-2-Oc-5th~n`^v|Z(;oDu4@Hr-$i-qvu$`Uh<0gXM@Cz6Hu;0i3nW$4Y_3pqL+ zfsmm$_t|UcH}03T#NLX{9a+5ICsi)XLm6w%duo#-p(UJkvaQEmr@UDA9CkfR%Q z$sSI<1buSJr5g>0z0KopT_0BUu-^1sYpieIx8r|d! z#&ARlsk_VCRpmE=OHOj9FYYXRHSv;B($91nh+M0kkYHNKW;z{G;%es_;8}hM!OlMZ z;_TVSFT>8@YT|Xcdq%#71Q$g+jd1zsGXX}6T{B?M0N2JTWZJmrAA*kUm;pCcq6%zi!X5 z#9fE!>;ByaM>l2gssp%c_^CLV$QgkB1{tvG+?(!uC(Yg)C7c?(w+(KYl)<9Nml>>9 za~B!Ss$-RE;E#^&_@y&(dRMwixhT%ZX>qar;#iL<7r&REqelrrdR#s@bSYyg;@&;M z5$*JD(NzCUpcQjqOD|hKq=PRI)3eQBWOvk?vbP643;-@T7Q|39e*v$?eAY`1fvx!DS1XXo=(GFh(H zj5pOZo?hy3tU-myrbwZNZ+vb}@zMzzPtJ;!h^t69bqT3>dT%Nf&!bJH;4geu<1xFaEQbsh9e*@{wLt2d40hBWtijs=fk1x0+KN@6 z9xO|7=_JDfxOCi5q4R2BzU))iN0&k?2Zjn-l!$(L1q)9ZEINK?^v0k%y9{@TmmLPU z)Fm}i)Yjg1{F@54h#^Jj#t=Q&{-?N;e($Ptr5?fMg~#5|*#$153c&c9ZKGKx6tGWY zNP${)Ns)1(8AD`h*(F1UTU}bnmy6ezx7DWZdo=H)Po(7_raB|MOl9wpmU773pM4&V zP2h1A2-Dtgpnr;xrl}S*VbF$cFEP08$Nw;a-_tv)*#J}gR&5Z3?}G`vB-ZgRxVUaw zS&RSRSwDYL@~Ym67oar`#wevN_JYv*BD@oJvzm9t%Lo3Y^>Q`)t||y5V}y3}jTnhE z{Wb`pA!k5nb4a8OLdc^uBNWY}qzy)B!$HL;5oMctToGH-AhiEr#HN+DK}&mWHf`xL zD%Pn_rlo#D+wmr3TInXV7B(1EPHU}$R>@|gyd~X1)p|9%D{608p~}7b%F~tsM6m^3 zHqM@HldTLL8>NV;*ldo#^a6k01h}!svIBg+S}xWmu)rrYfF)PoGE5i5*tId6bgm0l zpnAYzv(9zF0@MK5v~yjMOsft1(Hs_Jv>LpvnNES_r5>i+tZVo2-%7xyZHy8G3}B7g z7^MiPFu9@j8VyqW*y6{Xvc z38@ot)dbk*BgG~`GbXO*tIUy%i(+fHITvW8Vu_JbM6??)*|A;jW)+y5t~BTj43>;y z`yE%Om>5$uNXKeIv3~Mz;{Fqxn>w!pj6NB!i=kx)BrjaU+x4wzzd1;;6X6l^P0j3i z-MA@ga+^c%%yXa^z@XHxQ$ zKi-b>$MJMMP?{@mFLO0enk%_{Lvy9LP|S6mCJ9-w!dqx4RWT$RN>#WG4W%jur_)es zJzGkZlBPn+lC*r_vCD8(IcfU14q0$7$1UBxsxr)4xY@Vz3qse++yt}n=(pck+`p!Z z3dM>vF&AGtNA;~DOQ4}t#pZuQsfsQAhEj1Zxa%~OTGw60u~sEgdCX95Ppo-g0+*Jy z*VjvKwBH^Qs-SFKJN4Xi;r(_Hqgq1A4bVl9GHl&yB^uZf4BW(;mq4UId{`?RvgR1` zhBSGZ9Sm7R(gsa&dnWHt5OAtZ>$LYUl-vNRIAquWJNN$mFF<)@TohMe?#Trx(@^1= z1nmUdhIaj(RYu1cdbj!MH#SdW-;)Zd2|C3zi{0Ff9(<9@(%e7hlX@OC|Gap8dwE%| zM2J=h?@?)ABfVXgvTQ6*ZwF;ZUUL7oQi%o4xpx!jZHOb;5iPs6@dC4i_3<|0O~2Us zVV8>^v!^+gttn-qw`r@*B#pE-;i0#StH~qTr$zKOcJ-K8V)s!+LN6(zI{s*dtMBwR zQ8-G;$hT-kx#S9Ef@!Wul=7IMnk$V&QB;8Ca9Crdsl>g!%2q@X9ZFY-#W{a63MQoo zmUrg#q?^2o7~-e_gJKq<2Uk$_FFfdKYC*BHo?lIyL~mB7pqWIfq!2Y`pqV+U(FjRX z3Yz(%>P9eRu%DT&FwnHNGVli0mH>xFR|eg{=t`lLwpRw;!1l_(p$V?z+AU~&j!PXf zlHxWn{RFOYW83KPvGGf@tBF3egU)uDDOpEVttN-xbH=T}w>|O7SnfORwKxAt$nCE@ zRdNyCf`;5ckoN%HYe-HnJBGG?<+L-azgN6MAFB?wLGVM*FP zGJ0E$c1}?zPqX{varyMXN6iT3xp>GC$U@`Plht*f1@oHoK>Hd0+NL0q>sTG@POo5; z98YH-lH=J0p0^jC&OHqr&nfU6bG*!a>Av4&`Dd~kJ@Bb=^z&u5c$kSxkE=UYUiY8G zrjZ<3XUn8Db7*YR)hHL-M*qiOXhiT2rZNHmSxT&O2&ng=a@!86x7 zd!(y%GAyk&DKy+1%keWTPv-{avwl3<+|S+!EHZ1vLaD1AE>1FeNq0)BvkX(KF_oA@ z6HK%|*TKB*$3zW$Ih@YrD~eb2wejq8l!w_GUU6ZX6==QR`7|!df0t9dgx)I9N)|~| zVUR^4Ze5a~xt^zU`!tEh-|RC5rXiSmQgUEO=f1GBbO|lWujx>T zh8C8jo2O1hPCRuSPtTF4;`E>9$?w~425Ke2>uIS~74O4r_2-;>!74;l=BjerQxH)i zsvU3ZO%IvaO8!;EM;A?3f~9-omlP|qjIea?l9gd`6EUKK!*Vp;tNo;CycNyRbnncQ z_n93SHKhLaWfickt+0VgOW<^TBM4{kcFrChmsvuSuH$(6cecs#v=r0L?tFF7Z5Aq3 z(VWis$D1p6Rjt4Bgs*ajea>SCqqJ49C3olxN?eAe`3}K6@#@K4h=F0HI8{epJrHjs3KpsiuimSzot_HsAUNG7ljPu%m&n7~pu zanCiBhSkRFjiv_TLNp0PZX88E`*`D9Y&icuU(cSV_p_ITozGs^Y_xt%R*OWw^$?;Z z(7%$Wr{$l&&ll{X^YJof-{;?F-{xzUC?sw*+_j7N8|Ww%il|+5$>kF(?FgTQcKBC` z=ios;@!W4Q@gzK~$A=_^2#@25=Lp0e>ixiuxmlMzXTx?6xYpRd{5f>KBA*%?94!!% zYoWw`8)$hIF+VT0!a7-|IU6QF=J)b5G6W?ZpUZ&KW*dJWLOP)eeL^2wV5H-~88p%O zPMeKs=U|PrThK^a3(0qALFp((Gr=^~D^izCKuuLgsxB(PB5NQ(Rn{ zIbv;~e@WxPVQh<(=Ol&D`pF2bFb)k=E*R|xbg?@Ee80Ec1*gyL%fZo7v%#Aa^{3?6 zDD+^8jfw`y(NRjE@tZqZ&AyL6Q32O>D`eotZUqSrCwdw5zPhgKWXQ0Moec7|X)2XlIdpKry;=ma&L)Q*vZj{pE<5JSe@hE-UHd~dy*_4dfD5#t0m%z^DZ~y?9I6W zjlI1cDUI>D6-6YC79ui~osFgjG+ZVyU_2;6DX(b-jQa4gJ* zRYS-{EG=yhPYMXFuS)h=7(|s-2{)zA*r8fpc5-?T?>s79DxqGL$iVk-&nw_?Wgvq# z)j|pyd+0J`o$Mz)Wb+o+N(a?{ZR)hTEjzO7Yvp3-9@tI4>~CCeGk-zGY`?KiFcVIV z88uVY&^3)cR15_rfr}^Wr>|_SWNH4j(&;NzHjo@i%Y!=OUn`L8hDdrR${dHyd0)D& zR*Dk=rFCp#Q*+z5IzeM7&lJjQ4As}{s^8-4(vd?Gq~b`NzWVXMU!|u^nAaV~#xGYu z>g!<{a=H)XF^(J($VWJGSRj`V0qQlgB#ra4XJ47%XuY8sx{D%l z%TzXrF%KM&7qTSzmmu6m%NKrz_?u;w|CXJs{`~T~UL~{V?r{0%V)G-L@JUeGGcsB@ z#a@fn&MEJkFLC$djgz17HX#ChB6A|&hvU9Ei@t^OEY&O=alIIOnk|y9@I^{r{JXXN zssR^t5LnH{b@}y% z;I*rn^a9q4n)Od34W(qgPn%hzbt;=FBXWG3Sz~cRn=Jtgb?&pQ%|?`__ZP<(ImPL1OG7~M5m zCmh`}E=L>P+j#Bm=;QFybp`1k%O{cCGI~nx*Q@1XeqVWXt8y?T8(#`%H(=vr_WHKk z+-)k(_%hD;Q4E5I&Ee1VrlzO)B6%f1Kw$aP!lvVOH`^A=T>zB7R)fz}w zIZC{I6RC&YoB6Z2^=k7Q+x&*eBemmVhy7Swtev;Th9i`S7H(YP_v|zV+a{Y<7 ztDBYsnXH!U<@(pleDR$Y$DJ;qwwE6-JK`H%@z0md2H=O~YvuH?1IAAO;m2%o&$Vzo zzh5o48Ah*vW0#Bjzq7CX@vz&!xvbQMa5e_gMV9CvvmeQ7PCN&?4?YJv2|fop1U?7m zsLgZi!*G1r9Zp#P?P0zw?P*a0v!XKn{T)clT{h4kG^3geYiPkyMvFO#Hm!)=rWLWFM|R>m&O*h&zsN$=}8c zfd&W?%(mFwRlY7u7h`Ps`%b+!S%e^$58kyTzp~sjKv3jRE*_Tm^M%}a_#RTS)i1sZ zc`X#zlFUp*xYxz71MT3{`gfBcd^79hCA+qe0v{J8;`U?-2uWHJ9Ke{hIGC-eK+>+7<6 z%}4!$Ie7=%Cf{eG&f+|IWnEVOaJ>9Be@eE0Bf5W>*Qj>mZL!G!uEF+X!DlQ!be_a? zbv5IP^ulbvbN{FP^XE@OTZVPd+D26(_h*=Hlf?=5#S=CT{RO*R-e{BaZ5TythumcL zz(#(L@URP3!+1NU9eDZE{;c{x=Ia@oysc);_SnbeI{C(jm4e==?{C9RaSS6kd(*qV zn>(FBHSs>@1LoKb=Ji}8ZMHPxhP4sr#$Y1YhXH@{(%+)(U&&_3h2&Kw7@O*3B>FX%z$ZQ%gCZuKcM-6n+goHv3fzu<0>Ru;{ z<$T5B)TR8sS-Wt=m(}u~yUt5W9nafPM>_{)f0 zk*%q_n0)>(g8ezrr9xA`{`RTLwVDa1Qdig9gjETENiI+olaIcf+Z>!njVZC2Zp=J8j+xoBH~@~DoOq*hd?u_ABHUO zxp&Ao7UO+uU37wg|I1#1f`@q!HaB~f)kCja2pb!e%`{V;f6R0K;dhn-E6`{m+cw)!RSi;+^9a^=1A zeXC0=(MZ{LIXm23BXq$sMM?Fdo(*T~DgR=rPcJVf;yA6`3~^Ct0v87pbAqWLPyV7F zOm@6>OJaIH(O6stdaWH9p-4=+{zS<^?D;YzwO-yGu>*BxHNK*JH~dlP2~!sP^W0OY4=jFMxGQk z9NnsZ@E<|wMj}|K1pn{F2&jZxQwi5GMd4b&f0&LsH$!f`wz}Xtq%J58a>?z#aj5pe z>)VR4rGzLgwiXqz0tv)f_5L0En&m;U&rj>sEOnA6u{_t=v!T;hU8JQ8EcIFxUArw` zv}wpRUI=Q)MC-ZR>Vi(J<>>XQ(745`*@mNnl6$|*p#PG{js9eI%T)rfKX`()3V0bmNN#l%1fFy$G>qq z87**hOpR=nV>TUDM(%d$q4O@1WsiQWpbib!KJ4sONl1Uq+{CEM)kKVqjh718WN#3CDeSEBF7o(3;(G`Y1S{2FiOX{h)vOg@1^{ z;EsoS%Gn$_XM@!ygK*b;l(49mbTu}|$~#)*))*I5vx`lHm$Iw=op@sP(!aUP-X!0q z`)sqb?IUbVC`E};zPF7x5Of&vQOmx)&7aou1-qT|Z>qop`#kf@V624#PsX$RM{)R^ zjeXa4^uSfyl;d3_*BWf1S^~VIf2Rz8>K#atG+zYkxf4DGUur|WPuwE}qqni+fu3b(AjXrP@pQi&gCoo#$ z)$G^uX~qKf^=|a>)09nSD^V|DI8WHw-Qd$5a|7!ygw~)P<_*VBb&l+Rw+U%r4hPa4 zLK+y88)=urk-F(Xv~H(6uO>0>PB3Mblx)0wNS>9fPzZD*Y&ssiy{hE^qv_awe8av9 zBNcdz|47EuToj?po-fDf?$U#D-0l+c&?&6xAe}nm|DX1V4B&`#^+#j?Tiw-ebrdSx z$f>CKnHcGW@j?+3b761x2nLsd2tEbO>99c@K1l3Pr?0U*@ZX`P|R?ay1^yPo2wwdtfvh0K3kYI}O~- zgK+vNW~0Wp7Gzr&2nWbtHd)7!6bin3k_^ zr<}UIK=*1O$R?Je2Cu6Sb$F~2wVVX4!6OIK95yvbT`eSg6X_xF$qLEbYjM(AT54T% zo9dzrLth`=rury{ZK9Jk3c5Ner-1dcmKdR{B(Ry0qJX8&j&w~ushuJ*=&*MBtH!{f zzf8N!+oQW0^_JRqGwLmWk5S!xQ2Qs>ks5;o>WF`A9RX3TLb%QvGYp!l$F6jJ&8P*i zbv2_3*hDF6;JQjt1;_djG<7{{Fq)1>4NzABiC#pyr|ni>PWyOm5H{7lUFlWbBUP^! zYu8o1Dqa)StAU#=gv#Jp^}>A?LXtK`ngBv()upIjY$=QyX#|O)Z(P)EXkng#HBHGQ+urji0gOYOkkT+vV_@6fOB^6G^QiFXi>%l}5cl7vC? z*Gw7on=vr!N1B07KW32U_O|#&q!&yhAg_|ygNWgMnJ>=8HJ3NH4j0Ow8vT4pYPIQe z8d^rUNks%9Thgyb!Hc&W^tS70`HCt$c6R>uKj-V$H+D7uJ+&~b?^+(&w;7Sp^|ErW z1NC&FMI;N=O20|)L6gXI5OAIPxLkCuXY+@S&%|}dl$e?a5usYUQqk;e82e#*L;Afa zo&F~|D04VF++K%ueh%-EmBUSE>*VQazE0T0wftdc8ufZUar~^n%u}TYFsF;ayy$nv z{jg`9-*tvlpPj9eAAe`|-z_SyMG6Zy3+1r$@3U{e_?xEqLGPk7bw4O;T9x5*^XEEn zdr=Dik6!(;quJZw5D%h4^XJj&3ffXV2WppoGGG zZg$K@7dFQ#?C}7r6=}b*r&MU!8?09NE{n^^^|lzWrdM{G44>gGEpr` zD6W-j0+cTw9-i%gcU+4oY$bzqB2-bHhSWAWwUo!mLB;WD#IeiUvoq2feRWX9<~IrI ziB7y3HUst0nMDX1^)5K*O`*;3#V8CtT4J_SLEc8 zBjx+DBRoG+NFQzAas6&T^u~AWc{X2cE^O&CQSoXz2-QPId(NaNm`$5*b^hvGsK^8j zyO}vdi_e=bpEbpeMh5Csz}x6NDum~5_{F&25t^)o%cn~p-5E;5g#pLvjC?ySsm+D_ z#pG>^Y1Be12O8dJCI#Cl8wAZ{sz^EZ^fr$pzsbxe*=khGd$mZq&b$XUi-%+TH#qCn zHxD#sy*i-woafi)yb-7lN8y>wcy&lOf{q{oX)xdUO>A==vbkmUn^@*L0W-VoR}Ev6 z@z>NU*Y|}Kd4_Uu<+7rVqhXHgIL(Z42JR2H-P(_un1>J1@Zz%yL-Y0+(gf*TAXA1j znO`LRW-`0L{tC?UPow%Ko5F&U00w3>Fdg3j)NGK~x4#tQ3?M59TVSdj2+Tx7l<^1w zawZN6kS4gk1E#4LTd@Y(5H{6@9Lh`w>Kk90I*{Wjdp>O1^96)Sf9tcS5=f)kww6(U z+a~=T?bYA5aevpg(2V-q*6HtPul}}8`&$_Z%te!odwcb_W76Nfz53fR?(h0Wqe*`| zI{n?-tG^x7{?_jpavk2^tG`{7{_gM9->z|g*Eb|h`rFm%@BUu>?V9#C4DaoT_DB(X z^|xoz--EsS+cWO(!Cw9C>Gbztum1K-`x{2EgUul@>d_|sEONQ@`!{aVzbS-SzsA)C zIB#_2_ECz{cr&kl%b$iSrI1P$ikqm=Mzo3Qzyo`M{>i_ncK?=+BGrT&sMWBET1f!S zlx*0f$0exB{vS5!e;JU8Hoy~?!Ornbxr83182+@n(?OK}+xuDH5dJFkSL_B8XO??; zR)lW+R3FhOswyF(@T!f7=*L=n_4A2}SgQ$<#u3<_EXe}eViQ`8LZrQV;)Nn~X+o({ zKr^QldA-+`2N2hy0-v2N7m2t+_j$IUssOp@2(booUzCkNW4Crb(+<$>nMRQ51u$3h z*P$RTKFO4cGJ8Nq09_(# zPN3Jj6Zq`xS|o^Z3)UlZMhh~n8P+nH=9blN-LjT>X>H2)Y84b!nx8GZ* zxo-W-p%0Cg)4CQ^aQ9J#{fMYv9;PAeKOw-)Q6PA_Uan@`wMDXxCU&v#PU}3W@*sNo zZkKKzga(u{EuvT3V>6vOrKrX;ri6ysj47v~JyQnz&XiJolNqwkz;K3?Gf>Zr!MpTk+qQW(VKkgTd;c#JJWeG%&6b3To>bwqafC z$j!}b*oJwn6VkJ<_4I}Y_O%Y)%)o|i7}z=)Xko)PEUaWOYMNLWO%6-qZM9jA8kkk7 ze6=a9U1_ahK?o=ls}VIAy98|W@mkLiQ4bk{M6+QMH5euY0XQ@o&5e#)PkU`m|BjK) z_S%~DoW}ZFr_gZLb4+KwUR$%C)6yvFwKeNG4Q9Q1(oe%#&uL*e_u86)oJKPcOed&9 z>D2z|2$O3UA^*bV(8KYujo~ zZeZ2oeQiq>yt!4Wr)U@s>?)OJL)vH`L+sx_ieg>&s)04!SFt5fYVEG&dYEdr6xCS8 zB{a+y2XY$Pi{|0JLrjWqGS2D@47~?A1GV!o+;@OWft!!=dRmU*D3|hSIMnx@z2$1D zH+lE*=(kd&^xxj@Inr-g#j*Hu#9o%GHKQ84k6*?Ff;vvnht7dgER|H%hbpQROE{07 z;=&klQ&WET&i1wx-b$9ZGDW_B<>NaetSE{`#kCQm8@ZGKl~VxskPyN^uWy76XK&vh z*IZY1#GyCbzSr%I^wAJrS0y$EUG~)-vh+uBy`i|l)47wkQ7E~l%JR^)I5dE`3P*gh zTC$rrZX&jy%NsxrjP6%DBrv)RL=RZp#$^uMtS9$|MVEpd4i=S$I%w~rdIARoZah-= z1&-i+djMc3%A5MQZ|vlk3^xY;^s=76JS9Kb#huMQZ9T5x{PpE&_KWo&W-n_h1zW-+ zI#mP2#|7r^8EjjgyQ~d???kOY){BP5n1P3Gjce^?8<-87oM%0Wd1wY8dkgXvYHc_4 z(KW+LRQ{KA0!Tk(UpFOQ#-BaU8r}UD#R9C2%ShbQqy(5v*%hI?6BkL+Y<_Npfvz+a zkKbKwRg!wX&Jl%(cV!kMj$P*;l1wE?==$4Mk(8c7gLYCn0W$W6%uRZDt1z42l?ZMY z->?Fe=`%wBCtfyB$Kq+~VMzn*B@jf9w(mkc*hpP*m)ylB@(T7ILwJ4w0P|nzW#e z?v+(R=^*7>S=?5cB7IEO+X0|E*z!9l9PBv?8=m?apyY63Pvv7nH#YwE!zcnN`y`4aPr4 zO(elmIYLsb()=ne>dx%vkNHDFy81P6ji`2OFRBr_ZVgK#Sltv0%;MQ7zhhs&%opjR zi_&imFHv)FgZa1eew2V_YuT;PdeGMS$?hhj>l@aKs5X>Ag3(Pvf^Mqc!er7^I(8#M zb@%V)PfsEX!Qqa@hr#7%_WN?hJ`8Ve9YPkc$7NX}RZb-ev}9S7$Y5280?J+%HSAx0 z>R3u?KpDbqOyJjl7Im#OUk+tNCFO0 zSyHJNfiPeiYQk)lFs%`^)9?-@N^1a>8=jP;HGawsPfF4nK9zWsRpKX=%Jw(RfOjmd0BZji-cZX?(Dw@c|)9OXGvG##55C zG(IS6JS9m>_KTFH zW4~Ol>$p2J8vlgtj3;-8m`jP$8BlJO z7%5F-9N9Z9W|Qxz;Vsle$x|vKRL-50C7+Ue$W6PxO^+^YPb~DT?S06}t324lWo1!~ z^L&>bm8PTRv$M_LE`MiVZ)W$8zxdxT(l1P|KM`4W1-ut!6^JbtMY6Qu%YPOzr2jVh zF@Iw5^7(nTcv${7B^lq^9?a|Y;ii`{ng75}f++6{xS_5^z#X!e)$-*rS*Kr7 zg6Bt|LL1GR5PY`-3=q)?<0kFBewr=T^H+6~hyC+R0nyFEdK^YS?`Kc*Z*MDBX$d15 zO&cH6ASs|dgBqOJoJ;PPi-+0jmt0^U1?R3kr;v9SZHz?s;^q^*gVXnFC+wX7otwoN zyq#))&;CZe5ZaiQ2t)4zT(r6<5k5v%ybm)tg}93=_Vs+eO89^8+>YZ1lpv@CTvB&z zNA;6&J{R@-_*B2i=l{Wy~XZs*yL%po-f{>+2~<=13WDoZA{l>-;SWD+Ae{I zZh9rfv$OuwQ|EHg`N9WTvMT?LP)`)xAjg8nIEKl)Rk=FyjCB9*X4@Ppv1kFWuOJ#Y zhRUKAIlz`OvUkVG9WX2dY*?zIwnrr>Ss;ugrKLaQ23T2%S5~(q)-CGwHRQI^6iS>J z9lqP{1z+718@c>v*oCoIOQIcEBe34W7~4He@d@{;&$vVVGW%cr=j3&^nlG8}cotEp zUQR^4@r{Y_zihbZgW49D;Z&gI4@(WuUp>zrW}Bo$1(WjrH1h0C`T?EykOQl;lnw#B zk9O|`jE|Nc0JxNhqt4*kQ^i$TSGlWZJK52oZvNR=9{J!>Yg%I~kKieg*xBV^%x)g% zi$7jw53KJvFXTJb^2%F4H$yJEaG*-aR3cyTsbKx~kgzzQvaw^7Vo^!kVO>_MOyOHr zSNtQ-ON@06Gj4T{I@1%&&Kja~e08}yV~J`935w3ip%ze%@Gho3p@pJ4y_YM?HkE3# zlB9&yXG~>AvK)XfU^esOm@EM#g+qx1I&dTM$V1%dh$RJAId3WM?%8~i^Z|wvv(^+n zwPuslnpw}?zGFWtQ45pSS7q2!sD&k)tPSu6$Sc>x`>Db!T`8wLsX*Zs*UH(U?cc@2 zDSMi|te50`k%7B|VRnGPRwZIm;FGx1zqU!;Ri*UiVz)+ILanZRN|44*`l%J zNZ}qBItCA=v5oER5rV8WI{XtrzBp8qomIB&CgR!IZL)fuv5!lxJGXa4p|2R0hzh)` zqCV6WQ6DOXIqSC$_XEbEq;!=}1?b`;)j2myzTF(8WSVYVN||MtsPL5mrk4#UC3In* zMmW-rp|`&k9$(0=zOb_)Hze$G@%l1f@xMl#0W~j37}*Z8&?-hHf74UfA#Fjjk{CjYkS@>OR-mMc{J&W`GWm;S+VhKy_)~zX5AVP*C)p)w=xG8f%F_< z8&MC*=ywdW@^5V+GuW7vZk0X?_;b02ewr2*I~)C2vX6X~a!<8UuQqTU7jBp7;TGqm$=+Hjz~@tNjpjk*`ZASw-%b?Zsc*DPG^&E%jF+R z^lSu0Fu13Se%rqkv++ge;@Yvj(WIOHcf9$ppZ?d~{_cw3_37DoH(QUMVD_6monY52 zN6$C&?H-(Ad0axEAv~+fehUP&nuN-obCwUE#-+1$w%tRGTf4eIn*4|(HH<#?@mTfoS_@Ct6 zF+`^!B!cCaagX5XSaBXN-+mX>TE#zUVhts%>XrMpkGhNo$S2m(luIN02^nAy9=qQg zP+Pda-R%?rRCD=~*cS4JXn>r3`kjxX%Gbygkb*-g`KK|556SBO?TN1{H>c<}$v@lg z=rcmYa0i`x4D5!eA~!;z%~VV|Il-ocAm_|2C#OV;l(!MwZLNx;WFY_C4Jvf*?ykCb z#Db2Csx6?KiRYSE|I-cGxhN(hTA|!4PHJR@s>p@G1^=xpW&_(|UB-V7#Lu>5Y7jbf z#?|vL{Ci-i7V!qh&xQ#)hS?aNPlK!3kK~E391`aAC_5zMgU_BXmkOMJ~;H zoQ6Q@-f_Z;xdPVb%3rAd5`N~;Oh=^Trh0|Z^wdbpK*?4MHxBhaaLu#nZb!zQa;rzs zidNmnt>>s%S&Z~uQr|$P#Cb#&WRy6KeaJxOL+(k%%#|!ZOOeEy;_v#EIvrrS&3C3p!Y-!$laikN?cSl-r_I&j=n$Ou{B> zsqQ&C;Awc2=Nwip1Lp-WM;|6e?B*zoXbh1*BE;0qqyq+;RP=U#Fb(?<6{`s(F#PsF zQU$8K?S5e@bX%9)lP{Eov<8*334|^E^S9M6ax0ZUR23D}L+ozyBOD7H0g@B2kN(Q` zsb3k50}TS{r^O8?CcvspkV65(c+LSjS#-+&h~xg<-RAS3?CfSdobpNK_M*=ok{|Q? zL_U=fY*a~A4cUx-u2-`ypa1{=Mln(*XjIWRX@?vA-Wo{4h{+0B8=DjvT$XXgf2ZC` zRiMqp8rv`)Z}^!T}kj zBXO|b0SDx>m~$Y#7%8@UD0MX9@D6klo!dVahr#JN*zce(oOjR{4osar?3nc3W4}ML z0nTn*C8GAqgqXTIK@%?%&CW`{vA`RDBS}k+t{}%ijmF&tBRF_NB8C%@OxH0&gCPVp z8fr=uj&@4=7Ks3~_=jD|!`(ub#J;PPKq|ioj*74R^J?c?;tS;4NUYj^3?k~NK?$u? z*u+860)!@e(X^z=c=jriOD-?j`0Z&u&#wU79y(PvMJY^dqa}e}Q=}Q)S%^6OARReM z7NznZaBp6d#TDuA=73SSeeHATb{ptmT046@`#!&Cr3c7YN6A`c)SgY6Rb?W0F&$*5 z!|35zua2%595g^N!O){a0(b79gaicFzq;yNe(Zet^l>=479|q+YEc{4##RX7rWxL) zn>Zcf-sBRj=jT<@6@`UB>!yGF=NJC>{&4i^WBT`WIXmwEtIzt^l+qO}N+tN2;F>#zM0TvBk!h51b5&XCX52(@!>F0c_OV?m^lT{wZ)S0J3<7PP zWr*;KYYoKaZ=IE45~{g(lh^7nZ3YX;LY2f`AX=%Tp9gv<>n=OG3(Xz`F^e)u!J)0! z2RDF(0gXeyFP>u#3=YEw2L@L-5r+luLFY~des_D_5nnlbeS3L%nkNtJ+b=eKTM#jI zTXr0!x7XVz&*C)U^z9{C{g}TlSJ}bOZoy_6+n(bqaq}zm z99#ji#knCn_!#du7xvSpz3B#?vaieT|6XsIe&L`0DwY7&&Jy4@OYTq-Dx6%HCT2jW z^qti4?&vz+5>8J0oN5b$j>-#{@Iu9>HFyO>*?4gMC4n!L; zaYrB-ApwWPHs`UZ=jt;ED*LgKwKJple7~5s#CZmA{!0!x1hq!%fYaC`j>pTTqbdP) z=@A_blE^*>gS;;Lx@TGYHI;*E9M=JzUbr`)kuux_)}G4XSVqc_<_Yfyh$85cH{2i4 z0hU4XhSAXXA) zfj?%8dk*-I+p)OZn0@UJT`TO9lS&QNwa;}%V{uos$l<;qo%l??KirOX0?C;&vi7xP^Ev1$2Wq!zidxz zQj!{^eoLgYv+?Zv;_bPcck}kAUXOf-h6+_fE*dN?KW2cZrC$IKWgklcl{b;ofFkp@ z*196Q*Z^Kj4_ka+Pnm6v-dF0wHB1Kc4q>!Qk5Oh*il*;3)T6TLwJzJ|u66nbj zW_0uOD)~KGCEVST^YgT(01=t{{3H_dLGO8u=YXnstuqpGIGyfOz-gU=k)mrU&%w~O zCLsbnv&!2V;U=g$ZVyH^K~o*~Im|oi%oDA>qt;wkN7K?9yS7t!q8aY?oD>cV{jLV6yU zPd}Ry+d;UdpBL3{FLSzgR}}TSx8~xDsVMoIHB(czYkCaQzbX#S`XRj`!tiEH67> z#?4Er^>8I#74G)ttB+qI$FnwtR1)@Ox%%UEJrgrAMMQn`6kmLQy`6I`cK5PMUSG*+ zJ!rDLCjd6<{lMdYyT%Lt0F^j%gakLQ;m?1jsDr3M{;*f$`BzFDOw9J|k}dJm>*?;q z>3UL6BUmSSDmE@ZEMM1bu$n)7msYdoB9JxG6oE#xrU*2IHANs_Wx7*8i$BFKiL3ay zAT+xOL1Rf3A%#e^)J?gGF@tm4hO9Ri;e3ZTlM2lEQX5CAmFE z*LmSWtGWMJ7}I4wI_-6(?f^tn+quJqHoqRD(f^E502nbX!1{(z$RF zS&NXRYqW7;bPOr!KQ(wX$S(uHg>e<&7jfrWeB6m$9hJdHxvIK49nnQxdXTmlxLxtD zlm6=~ZD>zcBNzHT2%_rrP+m{3UPzWV0tzu;)M4z0eC&?r_p9Yvq=4wd_Te?<7 z3^jD%okdy-#aC_A*oLd_yHq&;*U=aX$N&!gNbQmI_L;LOi8W7pFBFmg>V~p!T;R;~ z9xNa%P$f=MA)R`?S}MriK;rz3Xann~5LLYBy7HyRd!=8@nqcMILro&KEP&QY4z1QZ##p#dGidW0mR}uG6Cz|!(B~!yt zXZ+)B6q!>hDrq}Jon;|U;`lbkAbeh;ITQzctNsxsq*h-~Ramv|c!_xMJdX$W3Ts9( z&(GLxHOPw4-%WZgjdHYF)<@5)y&03C~{p)l8Bb$!<*Eb?(RPD|NvK0fqA`QNv z3Z}eDz?E$GgDI^H;88>gjLB*sXk#@{){l$XbHWC1ujDSI9MV)xN{bE?m_2%|{AO?z zmX+^E9<^b6DqZVvgn8#Dy0*RxK4xy z6>iUOhWsDFL}6H^SZTNT(nvk+1C!j?51 zb%r-epyJS>qP({hDE`>#U-TSef4P8ZYdaoz7lf9))u$Q&gQQ|BxDphDXTj$pT%)*-5q%RzL<}o8Blz!|ehcDt9HVg&p!K>pNp<+4gG+B3t zXfD_+sM2MhIBv0CrvLf2T~;MOxgITMPwe~eKP~pMT&9wLF#XenoeY`)He>2wCz z)KnBArKIGGpOc@PZu|c7qG(qXh`?_I`@6YEL8X*|(98k~YMiQ(oVO5o(UmEfXftMq4z|+$kF2bM@hdRe`3BBfqMf z03=EYy#gZYM{am87OoZx?oLF$ySCASyMEJLPO43V>BY-*M~<^8l!m>8gkbf zqY*n|eH%J$=4g&$ctC$?3rCx>(x7(~*5$n6I5Y#tLlABwH36hXAFLF%nXfiTm)%cn zoIEeZ^+~hE?0fQ@EY|GvV$LVT%TMDm^(JtWG!`kA%J~Z?BYGOih<%)l=>7c3%FUK4 z;#ck%3ZGEEM(@Mg#xa-JCFI(KJT$2xc@7~DOvk_Y|<`7V6Ei(}#Ax^=;u+uyiFV}0@abkw<%_qPnpbSFou}w5&XPdVp5+O@~d5(*xJQP|5yxz9p&5%Qm(j1ql=UMD}bo(D- z)7J#s^koTbC1z1H(l>wK;487NM_mIVglBKH7n z)eZu<*->TJ6-Ol0SHp9$sQWmt`7NO**df`s~9Nv_wwh!ITp-lIU z+J0xBZTms76;9|%C{uscd2A)D3aqUC@brz=JAU}}lB_mvDFv)L53W*TwmROXvX9XtrjWiPc)~fVCcS8TJF%aca^Ux%Bv<w?+YU^V-(On;#i zLsgMRi)y~(7HoIiY*WESU|>_HgP;rREXliCJvi`HSQ4sgfs(G%uT)Y6DR-mVe4Mv3 zIRpU;q>g8+*IdkpA&Y|0>UYJz<8BoC)>vG|60)%y%2h^4uN7j1CxlH9(*pkK^4;@& zb|K$6 zz*qD2Iw&~{tp^M^aZH_(_rNG-ZlN%r2 zAZRvIi4!{Hd?HTg>bdH$U8ii49giWy7KMEaXph5sr8_%)$3jz@U9~;@kB6jDHr3e^ zXB^#Q%Rs|_g%`+})iLJd{RY>!&@ ztPZz$yEAG>kS`I{nqd|4ZEE;R0M{Z z@pCN{huyouLF{BByA(Xxh$bYVBQ~id`D3Vcr?d6jYLPmEc@Qh011)(8Xe-E4No};P zMv7-=H>>5#Zq%{I#v)B~JiE{LjfpNqr!lsW<^B?5wMPf$(G7KjMZdG7t-F30p>VX8ualwX^78E=C===6>pV`ywMHI}fydl;4U^dR$s|bOSIW9s_ zeKQ^9MH0fxF-(_?+!bK?6%Wn8>VFWZq^j0n9e2NX^yzJ%9IPA%1=|B8SQ-ZP=`bkT zxt0sviGrr038g>*hplMhL0}Z{gTRX`#{b=pjSl!2as%=mqUvDfGZNS=QlW^MP5jas z#?Gg><6I1>{V^Fba%$Ab{qd0P{y_y@9Ak1&i5!iWHiM1wt6R`^g$XRZ6P2UpUd(Aw zLl>Q`YYA1uT-vlK`!SUw7LC&2X?Fidwp?QlyP#IxImbK@G;&Z) zIL=G41WaHysgox?#xmhBOw?Jz(8!D;O4v3k};5^*rF5f zCv3nX=W_r~9UZCxY2~k{hN7xL?|>hi-wwbpWMlrhieD+86qSNHNc;6Q+OOajp~>xJ z{afaD-2OG@hl&9nhM#A`uZKdkM{hsHSg3Aw_$e9wFXgQT^;?!BvrVa|4i09TRSjc869R9f_7XfA<5mY1w@+o@NP#1x`D0oYy4_!*)AH@ z`!HZl>(zOHyXhG zr+KpYb0#hou*0A1+GUk*8c^w@9R@X(JU=DsQQO{9*a6yKKVZ}QsIY45@0+Ll3{a|+ z;rnXzub=HD`>-VDVS)EkEW;kof%!)$qoH-+A~0`9Xk)CcriQz3v(@^wIw?iuq~zB2 z#a$Z}RwTviowg|OiX8(Bt!M!r^(S`c5Gh4+bd+e(E;`y7NySy?|A?Ib-8?y}sIogi zqm7i$&PM$Y;-}hQsMi1i#0|`@pC5#zzu;zf4iy=-c;2VP?`{vFZ1fQ2bbfi9zpkH> z)vkP34A4*v(=d%tPz4>rBF8g37wWhXaMZNnb_|2~0{Lzd0-(E&LI54`It~Fa{WT;& z+h$MZUjc(^Kwz>;?&q&!w|MLYq~{?a;G-dHKp=N~{2q07tpuO%i3BLk=NRzqC}2}~ zl;wRu{Vx$XjRhzOpn5q69DpSPz+pNL0pQ{shd}#EXhr}z#>XK5yszUBII#{ye%p2+ z`%s&M>z-H*IDyluf$O6i5|2S32u|aXX6qDth{6#^A%Mz=9+JQ?J1mJR4jqR8*pNFM zfxL+Oz(Upfk3*n+pTvy7X>_1WpnX%UL7%(zum&} z8{+P~t@sZ4wh|^F>U|6*dB%i`E-*hb6H~YNa7<3DCj}GZVR<+vrY7=mOibs?!!ZHb zMn`61I)fgLiRnysC?+1dq42m&(3#%jGBI9p9gfL+vG$(vuE3#~_?Br@;&4pfOYit7 zh4six-iue@Tkpkt^iheQBQtp~{)unD7yraZ7bqN=$-5alC@t=|Owi`~k(s;~|HMaS zUXIJee>bDpe>bBT9ppVSlXqiJ&~+-uWzu^$W2g6SyvN?V(UabLnRfz|`g&w0@5RQ# zYb}n;1f5Jc3X?ojDn6iBfc6F?Ob)0ghD;77qzhEZnH&0$~T39W^!5& zD$hENtpm={Iu@_Qq<`8uy2NB~TEC@W;-e$VN7WN}UF;E<_|BGz)jRPnf1WVy*rU_h z-csr|s&aYEHsMT88%2+NFVhoLdFX&lbY{WIiTS`zVQe~)-FeMF+Pq%iYjrsd#LjNs zR)6dk65=w+=`?3hI>)VJCJ}?m=St|}#E@1_G=lzz?@s^0y@>K;;qfuME5aR-9d@lOr|t#x4kK+rmK+<~A^H@HwmpF>0II9dmSKHcDQ zb(Z#rfz~QOb0Fx`4KA&nxC23-Zg8Os{|*eTbpYf*(5Ew`=wg&ZL+h+W4g;+flsgdg z>H0c4SzpJe>+5)^6OK3x^hhUjphf8XI>eK$KJzPSPRAgtjCV2yd1c6xG05v{`Uha( z8!>vO z1e5)dQ4mtM3x~)Z-!#TfVR(-&44>Z@?Z?^1^#CPwQ_|Vlcr@(XiJ#fo=<>Huf1%m{ ztd%9gT|m9RrCz@38hCM(^zB{Oj!&1O>{lB}Y~VIR5{=~2<+jn)*Pj;RE`l8u^sPQu zLH;k%M7~v>|D6DhHVCn+<>VzV1!%FmVWCPX+MwwtCZIso4BpfX6jhTr)SCwAdWS>3 zX@COhhXZY+c_Apev9acFYym=g1WHovQ5*+CXsd`V8TL)ztD1OZ1gbR02LMGmMh9zN z6uD>@RMXb91FF>2O5u1eJ%yk~LsT0L15_FUV^k+3@+GQytwDsMJ?(-PIs!|S=!1qj zpm`a3INi4k>U;k2K}+{tqqCXqf);DoBfe?*at@`jX-j)c_hF+%rglJ;0M%FqY!A2x#Ac|{+*Vl^eh^3W|M2jx(+=aH@e?=Ac|}AD+Vi9OF6Y6jJ7(4B)rS0c7e) zf;E=Krs+_pmNVeow3L3jH%iD-nuy)KFR|6!4SZWPhb@}JrX|<6|IwzaF50f{*<_nb z;MJ3aDLi!}xdc9J{p~}Iw=W_y8Xk)&JgxBORWIQ*eP422Pto|A=>|>UBOUnC4WY`} z#|&QlojDf+b}<}YyZS_2bP}yG5t|d?Je)3KgX&&PlV8uvx80*no+UQ<#lP4Z2l?GJ z*+C=T+Tbnquy&n4`pmZs-8}(%>5dLC*&P8LxHyMLN6zk{(R)2qW9CrkdUfxPfDS^b zM?eSLJ4Zl2!H6rNgEL;b=(o$)^=ipnmkiO#kcTJLxZz1P4%IO{IJ%FnzdHi@DO=u0 z*mMyIz`e}9kq?R@~ z>4-yh){cOFg2+J${RBR33BBd1fte{KiC-tmQP0}Nv zw>-z0&9Gt1bDSAEy0i1}EsxSs4v*eDLF}T0euAh`3B6^H+7SJu)~468&Kr%m2;GNg zjvkt=prdxzGREkww!ATVt9Cv#)4HhLwTvlxyQ>MamUsPj``v8Bar6_;u&#f~bsR@O z;X00^pKu+=(NDOJbA6NpeR!>lPUzck^plSFw!KO-bd=V61oRWeY2A~?E?ju3T^Bv8 z(J=;fIi%Ppu=05&XA2!BK9p}!LO;P8vOqt@PGkxFr0m0k?94}+^ zR%3<6=q*RAOwc2*e}X-s0)2FX6>N^~+bu^b4be}i^O5hL!lTx@qwiq-u5}yU5ztQ% zxhSC@KVFvCqPAL}<23yFGWzjz`^xAo_qz!?zJusM<6ZL_q9dTUyengdj_$@e0{Th& z-92f)qx*S|fPQ?xPV<(Y!=t0ya*lw0(h-O1(;NZ)_+F*vr9Fp7Z#RS782zOEj;_!- zJbJqxwK4ihTOM6#b8z(d1g9p-=%;LXc%RSV(c3)@YmDCNYQhv9-6?c%^x+B6^E<8w zR(SmNdkOsn(S!0m@W+oHXx_MfpuPX{E$he6C@rC%AZArYKYpB6^H%vokM}rmjvpm1 zp}Q^5aT-yhyiBoe^^d;;?mOFew|e&RGsyG%1{`~Id|OxCcF;pbst?rfW%QQ)Iy3YW z7U~I;-`Tg>hcn*vz_#Dtk^c86xlZOLM-3+@|Er~boM*N?gXxFtZ#5KPX&CZiCP`O%D)M|H7y&s%`;BRUD_5jc)MnY7%I0$&CdGYGF>-JY z-8Ur~;R$IJCDv{4JmkAGKXE7$*@;z7;&d&Mljx(Z z>gFWi5;AAe)4EUZuuV~1d1<44v}2KQy@MEv(1?VG?o2pVOL!VH!x2cFt~>HeiVie7 zj7UTWB9Z8noLYyB79jwxUepWXf40p|R39d`qBB$pg1UaZNAU zDLE{O;!dp-+KSTJ!aO$HmQIvNpoHV2kw7~r`;lNa+g!0lU9KgggKm;OR+~6zAN#;0 zN|&CUjzs_beaxxlTS!l~JS~$rnbjzf=pSrRrd$t|Z$mwqc9uyT#DHoo4a+P*#?OIR zs1d7|xpHYlFbG-Po7v-hJs0t!P)*Ef z&j`~)aVr((R$Zrm{9>UQD7vUrACxZVCIJmwYF*OcNiYW%x{F&E(-xxGWcK?rg$n~q}2=rJdiI+T4?2G z1j)|wuRGQ6vx^V^W}^rG*X82B$aj~J1HMF4a##8Hvp;GR^4e^zlGEFRo5lr?tip`t zp~``VJhCnta{att$Di5dr2!EQtG)*jcJpasK*m$M7)K=2)>v+ZjM_ps8Rg^IdNu!< zeP2D0N`%@|V44t{Jk8eg#oMz!v%}e(PZw;lXOV9d@CJe#G5w4W(u(B5D-V$gfX^SI|{d)5w05kCky_9@oqcO*YUi&MUR z7owxk4d;)WKj(|{)$-pfKD;j3V7YuxK<-d7u1~-TgoR=l}hG>GN<=E>UAA zKJ4}M+u}W$YrVDmj${#{?D@M)s3oT?R-qoOdXT$|D7bS_=b_aHx;%=nJJs)R>@3~< zRmH4o8Ku4Aa*^TJ*{WENIiknL&=Q2fh1G~95n^VZfo{nYs!$p zKr=u_c4ko3rN}}h4i50XMbb?VC1SORtd4tLjdqYCZWr%vD3uvWe0z{30wGGiyifb` zGDP)iuMNb~l&GR~7t=jN~+3yIU9Qd`#kiG;lYz2{Y&=7{}KVUup6m`9Af7U=r*$(wb@>fV9RVP{^E*w6j+hXqr`I{cm$sVQ!09Hpk*z( z>|&KHW)HKnCoVjgo^{uCd*m+5pswcwe{Hn2oA>{#9rF-+B!zwZ=DCA>Cr4(rvjIubm376J1WE;;l>60N?p&v;- zhhQ~wEDBoF@j)q|J46mip%gm~TOXfa=8K2(FXoHy zCM;UFB8^z6{rsjZ*wx5@2ud?;M&x4lY}OX2$oW1Lbc|OPF>_pWy?_~uVe(`C#B7%h z-)2uNUapet8wPaz*68f9X300PdM(=aY!7Sx`Z|A^rGYBV<|*j7s9f{WnkSFeTO+r% z#ef2JE%xNu*UTkm|Pry-8A6v43Q+vh)20NSHTwmU8UxIuEiP2Vu;AqI5hErjh zDLMU`vzM30IiH_C&eyA@0$crVbq!&o#rOFlNmgPyp3a_Mo)W4D!CLn=d42mae|z1P z?%z3-EU+!LrFu1zKN^D(I(m9aUY`@*Tp5ovx_ie$E`W`f-{$1o#lSYp#omUl#oMnd ze(9VF*Xndr?2WQcbx`{Vpuqf*06u6r5K%43n=GGZtNE)< ziUCVk6EPrqWguo~JRCIj7G3g!$61#RW~=)p8{b{ubfS>#4;00O{kw}000g}@&TQ5l z69uTe$m;rG`v1GGFMf%{59G`?Jg+A+xJIw01TN+t{!KDLq#%-Qtk@ws;I$_a@mCWj zAX{c%CXogcH!pXB&VudFgn1VOC7HqpLVJQo(3FA*+VtC(2)WBHBXSOQ7LM8?=fFMP zp9qUg^u$Nof%_^g=}{I$isT!VtG*8rVc&g?{wXmzkZntuguV%r1KG9>6J?u}g4*YY z8^wl14mSh(B6D{WKlCn?l=3L1hmznAZ{f;B4mTAF!?JCgI~@yCW@Y5hx2`%RB8Qt2 z#r)h~Jug>WbLdEwl+@v7C85t7QjsaC19~!HvzCf1lycgFc5Ap-1(`mor@g-}DTx$; zC$yc^LaTheP9E5BHTzDVWRS8tpe526^Ccp!PZy#+(rupYu;*jzV)^utQ0IcAtPX04 zOo)KkTMGl75AlWygv#dc@0M;^iEdPqDz=_r8Og(Ib%_Ytx;^|-rXb=+2lU2xH=Xxy z2A}?=<8PEX9d??(ySdgT6Z;2L84c&BMC5=fqhWGNyB27-eg8q!)zIHEnZwyXjS-!1 z$@NccT1rGtYg!_2TlC$x&}qd+L?(~3#d`T%EMv9D+hMl(jym2{;&sTWD^fSr2q@BE_WSSi zMRkY5vqNgDU{pJ55IM-A0Dzqs(e^{~6(p!&Inoj;unQSNwz*|f?FEJj#gg0%8UcTU z66SJMvdIFFquO;=R_KGEu?nT$y5!L<88nLEn?rB^VuG*H<0kmp(DvzC-9B-v+sAM9 zk`VzZWCv;W5;T|<+Jpvvr?wFTkwXd9TVHI?Q?kH@c14z$2?IXy1=f&tQ^}%quIKyR z^ke>C{{K7ickzE3FxNOgOZ-6BtL{mHcg>yn0Zqt~y=7F1p#?@P{kACC@F`A@Y%8f{ zit2if{_t!-t^A;pRB1Eukfi$8qubytE`NAFglz$ueKGHAS0uNP7<`-SV~&?O)z$d${6lVYdecG z$7Xj|WjR6y6?`5^!kU4;D|#fB=SEuQ`66QIY9m;G4NCxV)Nyx6y$XjImp(jekPE#RfI9qF}4bHo9EkfT&;uwS)=~J|-{gw?$HsAEExL z7h!_^g%GMm_~|#OCf@L71DdaedEH}U`p9XHsjDGvzNfB!w1No&^|}5Lj{-MjOO1FC zSk1|NeLtJ87PY!#p+!aBxxD(3CDd0Kqg19#{7$u79TQ&0pu*htmbmSPEFD+^&0H~j z4~q(PJQ{ZHbY9Ypvw+hOm19)miSsm}#{2oPdzAMBZfq|5YP2ic2a4E}v=@jSVvKEj z`JlaIc)%EI;!*LK0$1rpTbH7Pr7VC$D$0y4zQ!bh2K164o&^L1brnTU3h*ZNEXja&-~xSSYdo zxTK1e@p~dwD#7&rNVyigN!Eze<^xsjof3&WknoOLCO0g&VpbcZ(yuECdR2w>UW|4Nr)85-esFPiiiu%F%G=E zDI6>(XuTnJZluUR)~3{R(8-x&QYv59@!lwn9JEu_jutT|zhGc^d)c|{ihqaQ55qD4 zk)n#?B)7@p?UfJUyPc3$)U&qtnT(y#zw3@&{x30{oLV}n9r>UkOb~ZoKlI6{TFxQt zZ*L=a0}liO8gbyC_g(57xr_n~1vjN2J~yC%!V`@tXtYAHY2u(#2hAw(u|gVDGzK%Y zU9hkOW~E?c+`^GuiGU968UU8Upm*ZpUGnv6t5hFVFlxkLEUNNo6R=N3porI?^F&4j zc9dM~kk9V%{c{nj$g_bi8~l;*e<+B_Ax5?@u*~rZU?E$%0;nen8oB^6T zAjCG5k9rnZ#6mRjta8HUjEF~3;C%Oux@;rsYLteGmoI6!pmVir;oOadOK1Ge4`UCQ zy6wem;)dev7)uWfp;jrC{S)y4)ibqg>s(Iv1RQ}6rPpLTTTJvxt;hj(GaK}k9mTP5 zfhcicvY~8XA%)h0 z>R}I=a5d0QFes$XCrOYa3l)Dk1af}4V~CC)9{^eN;#@=IfUH~)xoCtID3w`16j$_y zft6bt$}GFX+Oi3r=r)4fZQK9_I13(j?|tyduPBR9lK$a&WRXzuzzKPj%nZy$FytXV z?o7r*`(j81E^-P*?At}L?}If3n%pWb;qGL^LA?TWL=DASQ7vxK^_p4(bN59((%i^M zpgH%TB=RFE?x3ePiMB_=Lw8?4&YqLk9Uz~tg}PjUR4XE{xRcS(7R;zjt`^jecN5Sl zj#6-R(e0tZQGLe4g99USaBy^Z>EPf!u#7xBI9P}t9{hwuEkGXQ;la^W-iHQ9E0YG` z^!iN-4yKO7gQNS*4-O7OO@{^#(VaSnQn)+@jdr#U4}Jn8lY_UcaE9O~nALLd{t29k z930)*b9nIMPpQR5NVNZ(=dne{BE#k~=yR|#F@JC0?7h$1bsu$%YY_)+*KziHM&KyS zduVlwP*mvf;2=DFc<|%TX(e#5@o;$X<4>ps_}+nly}&_W{qW$&Um%yjkMGBnz)v~U zyi*P}beZho!H>UWD8T!teDnS(-@Ii{Mh86G)!=_T{!lBxz2iI11^Dpz<2*mAW}{@x z!-F4xRx5!Yf0#HKjoVbk3OFlXC!;5pv~dI zj~*Pz!F?MYP(3{O(amca{AlLYu!+U7q;!+8o9@<834W4epy(C=9VG3YLK(K<0pxoi9DaFGseiW$ZS`m=X5*02OL6$2Mv6^8q?_ za&YWc+uRWQgl*nG;d`5AZ|;p7SQEG(D}mKA0kLp)Yr=XOn0B16W;0DsVczpoGB!JDITJ z%zgUV`D(dX&y$s+d}9FXY;7C5+>WAocN+euLx~17s}~ z-i;i(pI`x|Eys&~oun605@8XNjl`=_pLiI!uce-r@CiKX5IYKS$cGXe|Gb!d-VUhk zFQVT|KVEHqrXayVhYa%K>h6YW1z4FZfBcGg9K}@%z3Y~Xd*5Z6*9|=4okGbCV=mZk z&_QBn+uupUR7VX4;So`bN~5ucp-`aieym0>%5=lq9gNXOd_emFyXcQEKVFEtRHF+O zmC{{GEi`|P%I5a>=wcw)d>D)!f=>jTkgMe9eDQs~T$DYUz^7xeQ9ao)Kye}fz|JPK zAM+etIEdEJ!1%g(>ta>kS$N5^b3Sv%#ZZbKxjHq>3T$OQn! z>7DdQZv^i`jkX;#<2YU#VGM3l3q_%UK`cDpaIJ3F!2E!{YrkHFXroC zic*mUhulH8hAnYW7plzBOBIz+_L>R0&9bt@D)79#3ZE4AfAt^*4=i!Vp5pCw4OQ-m^ZX+5i?FHKL0uPHtOsH#p=+WOcYcx(#%- zoIU(G`<0I1^qyH^AGJ(%zjpT6c1GypR~@L*@!v2aLn!^aE9ax?>1{%zt6ejgRMDk4 zq^auH%OzW=Ub7w+JDZCcXB_*s&4@3t@!gpJ?ct5OVmRu98UA85TX0wSDcK#_A}AVw z>cstgj?HUCcqkyMgsECB$_tkPqomP80{dv|@UXzZS|1h|sPtihfkizmFffS+1xC3a zhXn?qlfwdoDE?uAL5$>}z~}_oVS!Ke#wgZ$2;eMz&5PO_$Mn9t3>cMtJSZ@#VslvF z_NGN0;KGMQiEMex8BOUuu$*QEn^GA!in zYhaPf_W^Kq%W_LDbV#m{29iKh49o}s;LKgu=kJlYzil|YcB#wv z&=}6(DhtUVv{+DH@l$UHMydQw0?F5SgydpsFv^BlRvR2w=tc-TqbsBpN26b> z@el9<=e2lFh~ha2LGuM-Abvc1n7@jR5ZMwkbVWg3QMH^}?8W(VJ*(&Kxai!JHXI)n z@^6suSetAdl;(6)BIjTT9FvHLE_gfwk$gJ#LNF^HlZcP%W0(-xeziO?jnj$AfD1|q z+^sEv=brW)YxDhk`o9~os3gcdwMudF1oz; zWSqdd<5ZkbJ)@IxYHE8A$q9u2PsXXKmw7-==%S~Saca6gIV2~r>OK`G?;YB4R1l~c zr~c~;U%{|2^eifyR7&I>PAI5~%E>sj-eE0pdXIhAbnSOYPVdk`@xji<$vC}3XTX1l z6R-acCth?s@MN6cp~H*Lo1Ki)`wJ4d!8@FT(Sg2`ae9YyFgkH}GEVQ%j-zvaC*$-E z7f|6lwBzCX3u3zAJG4)Y?Q1{6=y+b>W&M}{g6T0~NM4Y^LxRL0+!;M7Get+YxdEVRs zIiWo1lW}^7I*ty~oQ%^uv`^0a^T$1O1MR6ep^6PBP%{|@ICRPgd-oZjD>(|d<&P7f9TIu$2W1nNYbe7p6&E53sYy-B&W?#u1L zrSX)$% z;&&5A&x%_0tnl5$hfAE^&74l~Zv6*AP`pIu)mPlZQ~|^j_w?5+_vQ{A8To zp^l@1S|{Vwx{jCE<*s^NUgCo8;W|2(gT_P6xS+crPNg@)Q|nEsnB}|4*)DN z%rrE+3&(Lh(DJ%y^412$-ef$$=shYAknwU<9>But^Vrq6z6m~vu(pm5EYfxIkV2Ji zdvr177zFb&apgO?HW!m3dE4eG7iR{B9b;^ZCOdS2=AmA5REi9D{h%l84ta0Q zuvQv8h(^Ho(t_H#Qz;-dd|0~(ONeL{yJvtMqBWg4HeEZhjy2 znD_3VXV~^BvDzaspQ^a{ z-Zrg7h&{3H=3K`}PnuEjeTN5%aLzRq-iBrd^W zxoC{(lKY2_=p091%-q4l_EF)Yy(caQ)fe%1iVN8O%5W>!%T!=p?yv@44||XOsy7h9 z&E+P@?Ckbhe4{fS+84E1hkX5Ju7Me`l2*91BQK-UdK;Cfcxoz!lW|ijXfEzIn{y7? zLB*>6psj)|Yn@7<6JTge1sRaq`*)C*(zgD7Y? znXUeihlM>(RNNHD{~>3lk>vU$3kBpg(c}Sn`r0}f4|EOdF?qNr=CAjwWSy{!$!D6YKG^_W zHFd;B3!HZ`s7CyMr{qz}FKtDM8uAFDEXZS_dJ+0O;@SLu`MNWa^S@Gg$#ouqg}j!7 z^T=}}dLxuqr_Uo#&lVe_Cg`n<5-oI;9f6Q22d9>6&K(PIjuB(XdNOoDPu9?}A8d{e z^~g3`-5&wHaqr5|x$!nbZ#squbi;RVI)>!vI$D>b3mrYW&gbY+%jl5~da03Nny zt95{jy#|=xeMn$bzv8gK?ajxA!02$wL4l7uj!VGDwbiAa%~QQGs(yG-V07s1kiY?| zJ$YE*7k-O-$Bltxz>(KK?rjoLX zZu8OA)nt$wrm1yE^$=+r64f3&6l61H*#}a?U2Prm_-~2oB_0a$_!>J>oAb6I&(-U@ zRv`0CL@mci4r%5R)sS&skQp+}&Zr@4x!;<|(DAMzFOT#4SJr=+y{wZJG0~p`S9Bx3TqMo$0xEg_99SWV zAcs6=hz7c(!7YnTlhr(VrNpV*uQX2iBi%s!BYLu%ruQhMS5rj9FYO@ioD`)`#7HS9 zJLBLK&;{X5DF|bxq)@u!&P0>iY=shq1GIu3g>2v7wm|UPjKbYy%55uo9H$QM*k~vG zpjwbcE8hc!ejluy4ypwu3ax2DLkg}Rfob-j6pC_lC{glA6wu`*W)w#K4+5J_FRw-) zZ@RLhl%A<5uuRT^PrV$03G=LzcpkQaHr0aL5ukQVQTe z#ZeRjM+=%#2u P)Sn?kp>0Ln8_hqpg0@Ag%jI6nY1sVAc_R zw0V9U3WGyTm!c!6dl?E2`3Y_Zo#Z{_sMI{le8@?npm4Gwp?RdbxjvFb4rLTjWx?hY z)DAVw@cHhesH1T64ne^{9fg~B8s|~-sQXa{<>`EuoWkimw^E5~=R~u0 zxyts5X6y1jFDG&yH47jdbdD%dIMCwOgu+3#sx(Yfo}Lw)YPYOR;Z*8aq5zWAjzr;9 zyJebnK@K`u>lFt%sLN8KaH3$7=A}>vwT>kUCo@e2g@f1yvsO5Aj02>WN%L(sAYFFt zGshv5O0vq{O*0fENV;yI1R9-8KQy$7Qnw6kviqulMow=IU2K03O(r*uwFHCv$I%H!fu)6#opK~0$9{-sy_QlVh_}TNs=OQ7&cg0VE zlcpxHvtB2*B2{IuI zhU2>U z$sg9|>7cmip?wfF&v?5svU}Ehw)1vqZFu&2;d|E4;z)ZBZTh~0_RM*rkk7l~`Tvpj zM3-WooM*8eADyn>HO5hy=gHdBgr^U8{Z7{JN=}pOPX#G1-tm1ZDr8sZHrqvKuxa@P z`5^s(4(fpA`#5=B?zAWu?%EW22Q0Ar&&m4n*Xz0v)#IXiemDL1j*VycZ1gZ+&zB2I zI%wuxdYLN+aD?a-!n&ix!kKRIeI{g<>n=<~+b8zOd#IH5MwsZTva~NDf1H%IRR%ZC zPVWqxBCxaZ-Stf;45+i`Jyf?iYlz!=OWYFVU8uF&cI`5v=iJB=9hdbXiBUTo?483E zfGKV~Sb15kMpY!?(9M&d1ash?*x`xf zCr|iCC)M0y=g74V+BNLse9euAcfp2K^tK?C?I}4HUO64Ab(E9C&eYpuPULsFJj!0x z&*#FuG6+$51$Hreo-e-hb|v4Xs{6d1mAbD7u7WgDF3tDVP$LO^E6vS6qad42&s;SJ zv(^2Q<&!j_K^}<5OqNfx)%=w?&W`fmvD<{>j@iWrN+`PgyCn2VCiIFDif(-_gpPSz zlmw?Oq85(yb}QU=h)01Nd6oQ}mD^7A6=&l*WPc!=O-Z92K9u>SdM)5>q(m|nzGvNa zeV_jmxapqn9Sc11!>DJ6HXFx8J=0zUIuyL>j%qV6BwrroUJ>#gx+!}qw&h{Y+oYSd zOWHP@cG>xe#HnrKg=ihr47)Hs{4YK^UFBp-?hP6$P04J!W5*o$WYxZc)v)hmW*F@m z@5O4zdP7=$&@id}p@tf&WRD*N!65t~h|1vy!6?{1xMOD+*(fP7mJS3~lAMUP5?lsJz zs@G+hJD6B&>k2ieZLOd@V6q1 zo)4Yb>K7%@)P`xvlr)A)!yrz{Zk0c#@QrMk&I`$m87d`@K{i(Ha@VSfSzqVXBqnYj zCfL^LFftzT8tp9`{pf}kB~Hl_=)9A$RnT}RnT6O3r(`WO-U+1{U*GbEDX9r>z3!bY zRt9%=fQwsm!Dwzu1(%l;CE+Tuh7N=dRMnplQBgLDFFPZ}>|U_R_b2v$aZx@s{g{8R zdo%1hejvXZfa9Yve(PJ(-cvL%x|l-H=MJ$abBH~1*7p4BhBFR3D`D8#&EtIW$II-2 z-2@hUUOpsGqSHdEnN(o1W};puXrh2J`OUR1qmUQ9vwOWpuUInlqFTKu(mO~gBos8d zsk@?ZLe&DV^KHJSni5UOTODv@IzT&!9&)#viG;WAq%B)E$1V_r2Ww3bse(S5AJR@J zUD>4355fKxOEt{}GPA904+B{BVA7Zj;cZ6}?bd(&CZp3te3RBaYRk$@7PciO3@Iz7 z!_0t1X(XvT1zu<;w;LKl&25NUD7;XU3k^z55TqRusJsYN0JSPo(=kDtIH}0)IFNe` zq#;F{J55=lyPz_bovDPUL(d#ho_&&ESzyJgPQyU#Ea=(R3#Ac?X_RVf^bTmHzZEH; znd$D!^0@fVS;9IDRH|V3(kXcm25o#fW{%@o?BjBsd|NL6;O2xsH0(tpTuL<>3Pfel zop?Htt0{O-w8qW5nhUlaX{eeW06l|Ys#JZI3%YrKnMQ(l@2S)#H+bV)-eo{eeVq-% zr&8J5wY5!04y8CKn1*m1fP;NNvz|j+c1k;_o?qY<)vEbLL;OB-jfVJrCJD9pfw6+? z$do9dvXu}{N%1v&Dk;7quAqhQ=;6m$pIvKL;n>~HR_Ev)jM%EW*dzYv9xx@Rb^8(d zGW8l1M?%Kq)-AinLK0uDQLSfJ-@%Gd0tF?#L_OrMbv}(L>e#f`8VFFw@P|%)Mn@UPgz$VCCwH=kY9kqtri=9chiX$55GqY2 zR&t>#B~FEk>`Ei4DlJGGKrXU-$D4o>JTmhcG~CRQ%rjB=3<#y{m~7HXG<>~L11Ck} z)npFKo=A1)Md$U*92uQgQ>pFlYv@R9V0(3>O6+iZU7)td=-Oz~zNy~oTxLjd%t{4R zGOB8Ya$r*Dt=QZjhj!h*d>Ar1xaXjX*g$9+FXW;LsW3OekF39zdb{U~2~nO+E+mjeL~XUH-_eU#{(7%_Cw9o#c)%`(!)uqqhKYGKoC{J(277ne zMeQBVCad`~uyImQm=31{sx+`N<^(vV? zi^br5^7^`5X$V%VK*NfiqZdGqVmq!TiPYmBp5cOu*F;;*UglZmXH{_pMM8MRnVgP@ zrc~_k)I^gFpx7gj_KCWu`{wlBeVH&_G8ZMVo;_Bpt(IE4xDmfz$qbxQL=!) zpUL_>9S{!#jky`d9ox5v2SJ#;`Uc_vp@^}38jZXDW`{^rY!Wdf@eetDaS*cs-T;{Q ze)4;=N*4D?`t{Anln&%abMq1?E^_sn@hQH$`7A36@rl@flG6fd9Q)GRZt`7^Zkh9U zF6PU8@$ma{#al4A7;u_I&Ps`Aak9Aw=Hx~^`*)?5i!KJkpyLidjJls<_O%ovzfK<5 zF!?cmVzu^G($CAi@CU%`->jJn^4I+@?DA4YCi1rR^n7?QtDQbqktq&`dnnG-h|F~M z^71Iwu{X*6S^{iij-}D zy~^qR^mM;9=8$4COMfOTzNdUCuQD-`dk`)tNZoa>g|*eBgJzw0f z+4#~XyEFpsN+W?NTP$rc$KGwRfGDiMMX4H}i{c_WcQ^fAO%X*hDMu0I0%StB@0*Df zRaFAAV1V0Kxr#4VgrHs9gb9@G~bBUE)!AFn*MZa*X6uio@1^TCKi z-ryooYRsrKNYRmD6Gk_m?k?jd6h@w_n%gxgOx~Ve6Sn(B6^&7Uw4o8G-G5CQ)0ZT9 zcwHweHXdEa%(Z*fPTD>+c$(c4xnweeu&i;r1bb?ND7$e(Mp^-hKd7`m4n1d~OegWM zM~fd~5z+KWouQcydAHb8ncmM8orHfXxn2j%j1~ z9m6F4M0DJ+9$?TgOZyVqe(9n=zWjK>`1;*;oa5pACt-|lol!I?j|HoC=Z*lSFPx|~8+WKiKK24T zkBBoz7UD8O+<4i(*$R!f2FMqYo}4VE^ww%T=h;DT_zV_u)hdRbn4&)=P z$$kq%L%czQZ~S!Uo(4*ex+As<1`TtxiYo`kob3?N5#uIND0b%kBt4}%J5USY#*Bq$ zRM*3GC39xg{VHqofOW&gcWE$LscHF?`1NJQRd+Ta3m1i#%9K^y%)*gu7gk%oiy=ZV zS9TawEb>6Y-c;4gwhms-~B9UN{Daj1`3=^c(TB#_o2(_Zwh!|&iJs*3Eq;d>+mT-nO&-5<}tEfrvmnqCfis#RlTos(YInoSuV)YN6H^6@`V{5~fBbXE~ zwbnl_McDO}XZ;JET#V(;nF%p5q~_8TjtQP@Tse7k*%C=d^Ejt5ANrY7nG^WD}*E2N@Uc(vflrN9l-B zvT-AG+V1`We@~+w4`8&Mw`4_2Tn=CzYtO2$qUd0A8vyVVt?8V=AG4w-<->Gf&CI7^ z>+t;6kUasrG(>is`Vm%(zCKQ1vg9-A(h!jKs#QNZfz~B!7tl0fOW<{3SOQ)2QRs2r zq|1848hK0%A@l}PXGz1`D#3GplZLTL>7Y34n&(F4Y?4cXC9ntZ*emXuovYC8*BIWJ zW7u_|XC8CC$tkMom8bjWh@{>)wI^0wf|OD)D35>S?^znr6AI{%`?3mvlefCI7W$x1 zdrp&1zXO^9+2X!OEVRzc&pG=vOSKmp=A>k@_fj@o~)dQ;6}WND{}~g*)_Ms1I>Gm zaT&pCvT&VFl#;ivj?u_#g$WTGd^{jj$x~j=p5w0kw6XjJnNGL+_5u4%Nw}N1Sn%^& z{I6vM2BNTnt==|UHfZy_!1C8Cq`^e-$zx>wZ!teU)~tU+b&>M9aoH^F5UmK_K+zJg&pOLCbF?)CwV3-24Ksl1lJ!zNUt zcCr|27d`1}VvF_I^pfH<#o(%SvcpUB19~QmFA|(>OBIe|bC_k@PNl;mL^jB`f@=zB zk!O+-!%&_9ZM#zlhi);j0icLh=lORY0$*m&PkZ9C^;bE`w1?WWSwD8*N`fFt zg2WpBBwkD&bNRFR8Fi)SS@%2Ggso`*tOQ?n0*N&orW<|%jzU5Sq33w|cE-!Y<{-_$Gg2HCc5 zEY`A5f@=$V7UQ53DyiW*n~@SUCytYlJbZ`FhYDIqEO4EBIQhaFy(|Tp%5U~W3fx*zh-s zfHy5)xF?>bTgreY9Zma(Qt+py3VzL=hvZmF(e@6~1L^=3s3gBD)+wsR^6i{s!5p^m z*2%6XkH|1-%gRWG+J*o5**WT`=8JQSLbS8O2<$wNz;ALKmqblJoIk0XV zOZ}YdYUUi0(-dcV|CEw;*-DUC3D(qB={Z$){T59NFWZOqnXF8;PV`N* za9oPRV~EqNZHsr6c3>YRTSk2V>E^u@I%t}?FUoIqd*!0??7$6s9GoV!a=OtIHLe>Z zysE8;KS=65M{d?HA-XbrlQyuJ0`&dN^Lop9_2?C9siSP(;Oqo=!MyOT-gDM?OQG|7 zYC3G@g<3PE$Hxco*NKjUn7#P%nMTltPWbfoU|Ti6Y0%n8(rsk)^*Kab#DH~PqU={| z(V6$3<4ipH^D()WX)HG8IUtuzBU}bUOg%#J*+iTwPZRS0WZ`36mUM9duhTr=O_>FZ z0bq{8{e&3F&>&6Gg+$RoLSx><0M>dPD-C!8u51J|*P5^FfbnJ&*Hcdqdn7xk(?63v zf=dbeDz{%^bmI1~5Jt=K=b{x%w=&IfGF_8`^`ym1f8&6+*~ySy**@5FKchK)<3!(H z8Tds<4tG|kY|H>HU)r95VcEKyt~EDVyCHs0peDlh^Hk=N=iLv#=hi#Tfd06FMoUS( zkfcq}HZmVxO9i=&EeQuDR9?Q{%OxPfrO^JBEAL?4+W_Or<=HqCXWZ35KcA0ssIlFB z+j1baQ%aSQeDrEI!uA4{oXU8GofCLfB7qaX&f8Ntl%b3VlXD9g0C{ib9R#|@ehyrh zWr(;`3+n&RALPt#VX|^=H1j$%bI(NG+Qj)?WrKzs=m1kGp?2&%f@LQ9eUgr6?K)mW z`X!k7F$s4JJbWL7-`lDVBfM+oSbp57I=Z@pPZd_1Mlb$Ps$0kU5Qg9U$a7Lp9YTvt z^Fl9`$Ky;Rn*u2-Zb<0B6eC_OldW`V4%l8iIeQJ>oh`LKA2Y9#Fzlf<`=HBiyu3f| zMhsak^Q42lSTzZX&7m~+%E1NS3dxFF1eh|VCMCuxy8Jv1T^_QJh?cx)Po=V~E1JY2 z4PfcIMF-cNe8_ITiGo~b)duIAv}YMUe#C0V9}D*kYNTZH9I)Kh3PuVTlxllmpVp=MHm77*N_r zE5nDr-_D&dlW%laNU1|bYPOxbHR(pT7gQ2DGX45^?4(TATT}>_^%KAOQ*-3IT}7Q` z7j8C8ioey-kd@60+KDZgro&Mj1`)bU5b3o2D?Tk}c%6XtWT4v8(0jSgI>Gg+8p?Ev zcUdEn)Va?Yv-31oK&xYIW5?XsjIe(Xhh8JZ8B6Ix_l138;yeJNntuDE@7p^A2=1c zD{g*y4o&aqoqR0Zc{7!cfr>JcA^yY^M_hJ6naF2GfP6K6fR{V_LtUXyYAR~s=Rf>m zR@^7oltQb+cT{vn1d*4Zj_?&!34S4Hw9_G)3?ydIwbt*P)!!Ae`okr_Ze$L0S8isl z@A`I*P2|`wkVJx9+C`G|OcgJ3oM11wr2Xd?w3*p=l<4r;^wE^A+kJqiUt`K~;P?w< ziV*QnjiVUyCNxg5!9uD}W{gr)>kS4jM2AumaTPY5R6Y{F4i_b#t+^Dlop9Sdk!MDa zz-BHGxKR21~8iRVDbcV}X}Bi4O3fyH zS*6>y1Qh~SUq+h%6+Bjd28-8Xx9cKU0CZKvr959_XJ^bo7|fyH^hzw(RrxaQk5$;m zk5!oD0Ak=Pk}pzF*w2Fg0J2{QnjgwY^tK;~4&Ssm{dE0C4|3~5p%}~1rg1T5RuTkU z!XZ)5&=2Z?L=ZneEsV{vEH>+=1OhYc%+XwcCZQ#KA#V0rU{2guP^Y^YW7;}WPtS4`|KYLK`!-%x5xY}n&{#*PM{Ov!n6 zaBtBP#~*TymQ#}&d8j_#e4*E=i-*`2x_ECo-2L@bd+$jJ2VzOJ*l4+wW5YMjhBWhk zfG9G2)1aIYoB3n*=hVt=gPEph$RMen_R2HZgdAk8llCCdsE6%?0{9XiENhxx0L_fc{Q&A zg-%FN2xn(|A!leuV0zsAB#3k4kIDZ#LcJYc#7QiAI7%(pxlwDjHy$Qp4cc zr|X~0iQ^Vd0K?BdbHA(83ldRjR8B7Szt+#K`7vi4#oQN6+Dzu-a9UmQ`-i!s-(I^K z4dA~2RjK% zprrXI13XhSZrtvV$wf+@4DOyEg>z;tF=N2%Jg>H{Cy-K3u@9m-k^`0QwQ<3ED?+Jx zIs*CUPe4Ln)Tmo;H__S+4a0sC#k~!~-^)N6^fv1w2iEr6t8rF0C+}#K8XitrM#Ot* z)Rq%+5Tl)*ol$o12*)$95Xvhm1TU9KHx}zX9w2quN-je1t4=7Xu6tOdZD0quHx?Mzs<&n`OTc=gaBJLdT{f zye`91h11dRYNu3J9SQmOf1O1_yc9MWm=XH^B&Dp3x1#6bhqH^lul%?Qr}dK3z%Z*s zGr4yg-QS)#0tCie78|TYwRMvqief1k5=ED?;(iOBsLG^0>i-uR9WI?kPw74z;Be1K z(iwYUnmSWb{#NmeyW;wyC34#mv(-N#vpKj+gkhpyvu*mD{)brA{L(>n}| zmxph=YjKkp-jAa*qUqWztIU&C8yY$uo!k478D<=idm00D(aLzHoR zBgM;`6lraqqDYDqh?4!uAf&%K^(fqgz{Bv;D17peK|o1Dd1OFj2uWa3zW2HA3m}r_ zCkrwt8MZKzJ{=ot`T+Tv$oY8 zz7XHHr$vmtkE4qWc(sSnn$i)a z`kH!6{nk{(ieO@&8G`i<-!X8VHn3~rCO>_OH}1DlYUKOGAdU>|+R|9~XU+m=Y-QhC zV_#9pOvkRKfyjbcx7;_6YglN&mJ9(x2hsbR$=9PjzxFpK5vaznidYyF&~Fm_XY1#u z^Ob#yV0depx3)<9*7%&TQC&_e91qYlC;WG=3?Dx!N*%_Q`4f_TPDViK3}DDfgWZN9 ziSLAvAew&#_Q)LpW;gr<7vMzi+3P2lY8MIV`tVAwQ{C_VL}<#89;zuZIWyv38!Bp_ zbp=n%)^!F)blYykVfBVE%bp;VE1O3a|CGMo z+S5Vp)4{_>PIO!282LgPESbK<08nz-!XHN2naqVDL)lm;@A|8=*VUXE{lVjpO!3-;n?|o5qibJc zQvb9l4wpyKB4LI6QyHiV%nyeSq6GGuI!7GcJk9*u>60@7NvQUNO#Hha4>ni+y$8*P zH&~o-BZf%hYNED`TGElTZG&RefNwdT_{x_no3ExE1}p+TKYI10!>V6+W~-B@c}rbv z*%++X?> z@2qsc?oB*~`Mk@wufd>!KbeV#!mIuZcK3N_xb%MRpzleS`x&vtyyFpsYnmX95i)Cx z>|d64<-C$6ac-wvdgs7stfu!9`q*KfeYxDM!~@^p=GnC{lV!Xf)Q{roG1*eEIZ)xI zv$sY{Tp8&;brOWglhe*a095oPwo9ZSLU*<~of6v6Lm)+$_T0Qh)tbMW2MG1$46B7H z4BJV7g+Z7Sm!16sURZn99M7Qe`z2$tQEK%Lz1B#1)N&eB1qYN_mGUxvVde5dnF_JY zDP&RAXQux@*WWw+=#k>skzJNADjCRAvr~Lqg4`H}aI?9yj>om$dJF4FI+X3XOT8y@ zz_=$(CqV-z7&mG!W;6wXBcBfR&BUnJU9iBoGz+AmnVZG+-SLCh(M4VXM&@=`Hb3dT z;lZFN;P|Xl@Ttn^nQ>xewFh^8u;8Cl`IfV&V<%Vp$Iy^uQKjTRz1H}YXb0j97!P9Y zJ)OHXKeJDFq0?R)X^zY=6SFkp%UBhRQ$&3sIe9|vjjx6$&iNUj1tOi7u%k%hJ(Ryk zD^pfKt)3dw9a5_yj$mgzV{9>Y;`iS7VHZ6tw+W40B;bsnzK=i{kYQ0pSQ--WzK<%h zun?F%t{6M;cg!UxVo2<(lkHPGQN*i^-Kxud#y_=}*e5-l0E%AH2bX*CqjxIdYXcBe zMr6O^=gVTt$cNB)?P_nVrs#7+oQ0Og(BPNZ>}!Ome=!rSy}@_eB1>N*HOq*8J3fmL zu?QzSCssYD_@A|{fJvtYjl?;)jpcCDsQvd*0IZX>tyh6ne@9TEuk$>^Pz^ca`RhuPD zLy(-N=a52lNxml!I}L4SnvLL!R`a_61kd<~LOYj$cjk)ms=0s*VaJ&rznAC3WkaZg z?nsG1$R-xh<-lnZA_kkS!}P)L!ex!Pf~}V0j~W&(1sX_`IIVPKQ{1 zZs{pLU>oZB;y|Ba3keS31+QAb#aMDt>(4;=z2WM@HUfNk`bV7SCux40cI3}sIUFJ4 z47+0XaUUadDGhkTb6Y1?(RQkEI}ITr1wwvpYWDbTuJ>Bs&dtl3&w$b0x<188 z>i6(;sBn)0e#|t5&-qhC=g_5%&*~f}T=@mbJ;HG>dO&K82CCh6Nm1ez99~9@*GfRt zEV!(R{N}djzBRL#j|u%;dW$-%X3FtyIZ4>d`D@LSdIYD2{)^p+k#JNbvig%Po5t#j zeBw9-(eu6~b6!y3xU=I1vTVkv+hl&*PR+F*mwJ+dN;IE`UXAY^Up5`aIBKR@w~WNR z4mpSJOfjhnWDuf_fNI4l`dv_pLwsPs7AT0d0nBl_)-3$$^0=JCm-5gGdt)(5ZPT<6 z)8{X}?{gBrf!m|a%XO5lP;Jo6p=`aw)ogdmHJPE4*Oj0L^#+>ePc1mae|*s2cOAd$ z0)1{9BkB-390JZa`Y&0L^RlLo^jBAUZnXP%dz13!ZdC_Q7X@q07#>1*L>!o{6gQeBesw$ zvE}nNydn@CQi#L$xMW36=i>2rsfF##&%KVcXl-N(jrLREhnNB}i^&h?y?JlZ@|@Z6 zb4l%vAJa=4(xO3hYttQghBR%XGT@?g)wQpO!j?C>Hb|^bhugRi1#sh3d)kt3QpHro zWFHaOVhC7pMP+~OGkzr(C>D*ErNzy8@=+K!o_P~hEh5zVv}09=Inm4Yo5YfbH|qQn zuI_!~=-S6K_AxF7x1%c0@Aq4K`5RTmSp;%+N{NhP2euexH48+QvV*-47Q-f`?~YEn(A0}7=Nw$%vY#kqb*_RP!~20M$nK+A!eXllOUhouNF0gGRjN9EQN!W8NA zR$jzE^Fc4@tfQ6{ehTrvxo_BzRr<tB3r~54t;*?yJ$Y zb{buJyvRz5!Mm`ERvXP7#1@6$kIeci)QIRp{w_OE4k{?KTT10%wFl+KyW3JGBGlMz z@$FFpM8Hd$(q!%!cX<&#mGy<`5w(q0?e z!`HZf6+Pi#A0MZ?WvlnDMSdx~;iGEa!-2DB;{+nr@Vz&cY?wStTa<6;dRvHTx(^ke&|Y%9 zF5oC`>sNQ((K9YR^{mphUdhdK(&K*1ATPyT_(s6}^h<=26j!zKBz@zja5ENn=brB% zLE_rqG9{mtEAHjSh}0VdW^wS`xShxqd+*U}k#S5@?HIGZaqxxnoUD?E&hg7H#N+R+ zn&XINEb#bj51Cu7(od}L2_4!>MsIap|GA>KUt)#~O0{;Cs#^8e-tAg5`uZm`(yksB z1M(J3h%$5 zDj>9y30Qv?m*9&>Jr2R?Xtm=Il(4koVk*im8Ss+T*YvqGC|U^dmR#1f-+-d4P3I#I ze_z6}C0-AwOfNU(IIFyWI5O6FYyNq6)*dj#m7WwsC-zSsm)es8L4LrE}-W9}1k)tV|l7c3?t>H&EQ3zS0s1k0niq~A}!{f za*R!}-gwd>T&KZsRXEEhpisCiEnL5<%;BToqAyKz>0D zdA@Mx^U6Vu*d^AcZkZrwVg(D#`-LzaOw2Dnv)oQe>*ID{PqQTZeId^R*#Vn0h0uZD zsreO8yK33U5&@p_z}2a*KtPYr1<`dpUU-Tl8Qt zx91cIoy@zD|2j>dd(K982s90KGidmhu=zk_)n^Q*qku6t(P`6{SD!vnFm0ICJ z6awqOR8$7jxbsb~#!p-Wl|C^lkTN8KihB8)az9yYyjn|1U1T0`QZ!hV68)5m5bEbj zr*tr6Cxa2O!OM+?^uFFgmmCxHB64HT669(IctmOu`fnCd}^wqsFEt$BCxJu~rd` z8!w}O$CIMTlt7ivfhdzTKCsfl1by{oXU3KN6qdosaYwa8CQS}cZe%2==?l8|2@6AAT0g8zF&tsMHRmu?aL#gq?v5gx=WZ`Q z!g?fNf^5MNHL$OLwY*DBwrUZLMFk;VrkMe}hvaJ@er-obXYn)X^oCE?yw1`MdmjaY z>~4TAj3NS@z3e;|kr56!i}Ar|R=wB&HbeN~&RuDRmL>tj(UDtFJ88^cpvGn&ju9f+^Ct-`1$qKOVRWeX z#tUw6p7OCi(WDdhN3)`%)aR0e2L_OU$MLfRgIxR@5ny7BPqMoMh~Z1ti&IV*G%+@d z|5(UxB|Y#+yZ?b@5hm^mYrREW$&X+ zr|<7SyQcPwvbuwkUQ0$k(G8v`Kv`P2gub7iJ~-S-8$^FY&`F^oQiBRB%(4EjO=pMp zYMbMcW&5u0lJygzADfV1IKYz(#yaygOUI!5FGct{cJgm?t(e$6=P<%IW&z{jPx$~{0+8;ok*M`H)=07Z&JhvyR23nww^!v*3*Y8RA z)zL$nVY-Q`Tlq8SVNs8m&)iAyi#iQ79i;m4H6dJiq^A=qO_yRpQ~#9Q3h9ROd;8Qc z-VD1Q_4|%B0i`06gME+}dS$ik{!H8DdTgD7p}xR!o!|x^aZ7*C#Y0N6K*uMz@FWg6 z9aIFqTUi#)k0=;Sri0%!uR}#1ad(1DW^{ZXe+()ih$JD75K4_0C{{XceE8Z4g`9LU zihkN;Btf#jx&M9rSOcu~C=n|6WiIh_TT=Td=K3mzW8^8%{94@X-Eg!l9R6Imf3is~ z$`G(Bi9%(}~HM*3lQR#u5Al4yJ(P3Yju&z zeqUHbJ3O7DgWHJYI*+4X0UdbjSQw5*c*{;O(;3uQTlP)yHN6w*l$wTK|1(7+Xup+& z9ITR_S93ZI&tLe;u6jptA}@hB)UK#E6mV2lk8k8y%&s5Zn zNk^Noa;kXxoG6qDZL7}eu`?B^s=Y4LWi|4Y{>T^R>nxN7?7+XjDPqbAld~|VeeL2` zklKh)^xn@?e7)i;g6}ux83k2hTNbDmzdWuMlYW$TyyPe0*WCh^ol9~fm_>5V@rxq7WufBH_Ii$dViT5!1__<4Z%NIGi>&qDu4{vtVn{~&B&nLwV+j4IiPdeM* zn}Vn*l|b&I)=3heZx1HF&nN2AEzp_hoa2kbcT2!?f;w|D>=`K0XXdx>AU%EQ<>eo5 z-8sOQ*omPF*hYgbg9hF7F2yw$W>VND++$;weN($G>g4o& zY*qzc5Mkf4KpZS865{|;n0R2G#b@q_(Whz(ZT16cY^(I2O72gmqZx{uuDJa$|uBz5Ll#CM_+a3gc^DXT4keyLxMaQU8SPi=p zTnUIxTSI+X4D~6fL4#fUnxD@RzS}*|$->p(hL24Lwskjp(y$|UG+<|K<|px#%5_H)iCusMJr`u0DMAdnhr|Of5GL%n z#S{Kg->2$JfN9f!KCbvAT}oHDW~@EzD8V)+NDPp8QNt0u|tExLat9_ zkT`KEa`~{}$y&Me%&$$xpQft2XB*_SC9Z1HI#5pGB+NEZs7qN-U+6i~J0dnP=%+c= zzEux8SbnSZ$h&vd1^atL5Ss31|G; zYvB#BL+5uDy(wYV@~p7EGAc*6p#N?Ngnh;@rM_X}b+)(9mqTCPZ$8u%^m5t|_;b=Wf z@QFQaWyED`Q!Gk!{_SncCf>L$KcDPKugsQ}8nxJf98foF=3f2Y>V!;Vx1)G;tt7sO z00xz7f)mjqnR9ScOn50#@3&F1T)y_^-5x@>Z~Se&6$^>on@h{jx(isYQ;>p>f4-im z$T%hayDPoL_{CUF$wFZu$IfQ@{^*wF8txm$BuXUmxByFO`V!k7`10o zkL2xsI<&bdI|~9MHxD;fEfJ=|B$H=v15}FAUwO_hh^9Ys}R6!N_dvsVz;apdj zd9Eo^tQMxb{Zc0SQ<#1N@ilTYYhF)Tl?zTSk~95i_T?hkIZiH~)3(b_|D6iq4W;MQ zn)3Vh=`lF5i}adf`bS}$#~o9_3?c+UZK<4$jKb`{@f^DrYs|W{JfQwWBo+BRkZd`X zdx?Obc-a1KQJ+(NJbBIkI&k5@v;c;c|K{|Q8Pmi`MQA$v!wnOGnhcaO)AL7<=7xs` zT-)KxJ(Pyp&CK+Ufg%O7lzvEby(7I|k!54vqUL(zMEliMeF6 zh$2GG8Q@xr$dCRVkemGlF)|=Fy+k^41!-iJoZ6M9U?a?FMf3`)*t2LS6^pJX9Nr(*cnfL;D5(whwnW+Qg^My ze7+y(OU1+q0eJ9klu!k0;&WnJ%fkuPmE}ht7DeJNYDy3MEQ!a^*M+akhyrycdC>wE zgcUkWaSL6$JsH;DrzYAit(kw!yrrJ#E=gT?dwk6ZQZEiS908DSTwg*+8`{uE6dKY% z9(C^8u9L2t-Oc2XCO=V<0HdC-;kWD+S=NfL!{1L0Ua^o%lPxbsXnow4Q?8GgU9@Sw z>%c(DO58wwC$^A4ZHG_-n^cXmmDK2TpZ_{@`UC;1F1V=&ZKe-&72`%>0{>bmGiQ+k z((LBI#X_Klysbb>cm7){B4iMOFzpoJ>G6U+d0(VyzTpl!>u{L1qe z3sVJp3pdE#K!MKL327iSV1*m|?-+?Ge#h%LZcx}yK1F^_;;>^6Gt`>rX$mD_^t`u0 zls}8qaKIJtJf$u~B{X5Ql2)A~&^+Z8SPW*ISUFMGZa|XQDNctuO=i=;z(rHriUoA7 zGH+|1P_abAnQ_dt3lc}BXm|hOwOyfUVNY-O9w+`;)zg#1+M3gcg|&7zO{aSIXHi~$ zeN+N#`Sfv3s3m#-mt|YxdHw*$PZ#X0JnUMnP&zurf`v%s4?3AmLFt+n$BcExW^c8~ zSoQ6~H2K1~e%ia66?Yw!ar9|2oTl5~C1Dfe$mjjY*{j|d!AfB5tZ-9;)W~Ua67v=m zVHD~_F?;c4tV~`dtKZB?@E}#r)1F@EcMp@tzE_W{?_sjNAD<6NzfAgc)Q1sL{pc$K zLyHUy+MW6}VLv{Q^ljlTbx1=jS)rt2M60(~_Yi)qzm8118Q5O30z)%^lR?}-N^mfr zqQraxLF-e@uCkj$NVEwH3ZrhVI*0>S-+@u&RDrTyz4H>WX)h0^2xBN5=T5&0{%5ke zJaS2L5f!s;4jbUMSM?vl29S2^q@TCPe1Nrh#oB4pFpMhTM+(f|0^~29HI6?~Ja?g? zWA`jsjV{-J8rpS6vkS0mQrGdXPCI)pr7N4ChU8WlbBWGI`qNd7Gu^q8I8PK(YaFSG zZGfVr@NVMAaq#ntw+7AvU0xb}eI!*a2p`n(&xwjPV}yKNw6?C)7Jg$PF?l8ZR!~nk zRNb_>?<+wyvKQ}TULKlz{@Yo}1Z~J%)TFyWS%t8jv$mT|m>y&3Ts(zQvk0zS;lrY$ zEDm?OG`Bir%hfU1M!qzpE8Z$|XlHYndD4oCMvhJoqe5v}8F4*d(Gm?P0Mf0I31`>B z6*=9f^%)j+lR7cFe~nuo3~d!8@dyIlSx9Rtx`+D4&8`f-hkC)u#t*%Ry3rbqj+-FK zGE?aTnIQ50qv8iTL87DYT<)@Uy9GCT59h0K+Gu-jI~rstY{L1lQYrUgkl0gd7~mpC zRTs1-jh()sXMM~|BLH`@jbGQ@+Bp1j^dgS2qlXgBG^^$Bdbxd2Qo3jr94vDY`*OBZexQbz0KZNlFxmc*;%tp~LUrc7S7^qGohhja zWd{9T&m{Ge!owoJBEyswTOMtOPRz!on}@?QqVK)ht*>(`P13D#N5CjUJaf5R;)7yF z0&*5}>b&^4l$gTWoaa$z{u?T}f3xz7l(9imR2+pTLj-ex>@FM%yHC=|Pp%zXDCNdD zRK#~w%q7|f_UB;wC6VkFqM z*~_LxFhSlJg>3DgOA0s-z4hE%vi!Osn_wUf0>LChtzhj9HZ>D{P@7!`JP9{C6|_4y z*E4bBOHo1LQNqmWo^iuhovDPJ_PpT*REUX|vw9{*P0SYHq6vcy%obe!pRl0+Z^eW1 zpPZv*&x#Pj(XAt0^Y>PF5Tts?S7WyeboP@Op0|OmL(oIdM|0)r?j~>?q=Br%(~mDj zV&zruCNL(t1N|(+RpgV+aoR|s+_TLOS~pcn9thW==qFhBeZQhhe-Ecs_H#pDo@%IL`#tSJ0ygZ6tl}rjN z*Cssy1D|!%pSjO7x%}ZAqQKcVRYB(Q5qY%?qa~;>iD;UeDnx z;dVa@(qDTg|J0j$`D+^2lY`(6ht4N}a{js8f7r18@PfoVt`u@&=x$aG-`Tg`p?#%_ z;YntbfYXMxXQYfbq~y2e2RU(e@)JIm$I#xkeJ4n41bn7s^0dJL4~ z)($w@@Uh{2gp((fWd~i|7KiBmNn_)9{VF7{F@Tm+)^@~_wJGmAJ?$$CH`5e2eXN?u zRC%;U6?cryvDp`9JJo!@<=q(i&3d7U_8CE;`{nl{_kr`VSd}&{n$aAIBGy<92m8mo z@4P8@IsdX|Ol~yUh#khOV|YgG`pZIZqSkwi7b?N#tgH&<|Oi)@-7l>%w6Am z(8X}N-@Txe)7*j?MxHEEwv1O6;`{bF8Y#b_CT76s9Ud@|eqMA4$M z+g+tT*gx^q5K0r2PS?|Wq+%JPT!bxxf+WcyirHu)sdN#4kS)xDBr5*-lR{|`sYngb zD-rf^N>Y@L@ETM_2~rl+EvkYziBqx;4H2UFSt;kvFd^dn#M21mU=bmbIbIT&@Fczh zW$<8;rxYk^VMP?Mz^4<+){-~_6nGwS#gvFKTB&5l7yh#Rka_c8%pxZs(o@SUS{^YG z6`5lc13@R0VQORY*k1(cMp`D7&jjb0%^*`W4o%9gAX7N@O~0K%reN)wP#r<0-ffy5 z>_Db2teX~WK&CdVni{P@oEwe&p5kboNos&Qa2!a=%LIzE3_)SH;l-s2S-`hZeq<3$ z5A8>s!Sv971PyE(^+%dOx1q(Q5@(76z;6OcipS07fOLrp*6~Od!M3mqP$W-bI!Hyx z5FagDF!7#Mul{=2+=FQw&R~M@JF0*l=}Ej0m%L zVS!@CENX^Q3dG?O_O3Ca z22D9+N5ceJYIQeQa)Hu!nwzNoQ{WDkVwN7L73{5WCC`k3WvmTv$v$wTnFA%MwFf)z z^av?%2>Lpd^ejXXj|w1k%2n428(nXlWOmJYl35Jy&Q7eTsv5dj7sxXFezp75$}jPK z!>83>n@F+Lp{SkCB}0t{r^d47Eo!HyzU1I(RL;2kUOJOVdB0ycW64v1vdd?%(jE&WbP%2T#{vm0L`VFwKuQmR&yzV#W_k$RAS{s5L*N-9$tnq3I*tMrN-B>kns(B_r1_!UnlV*S-TFq>VJ$!(leMsPL{T6d#{aUv$K!M z`h30+oBp=dwJnR!D6eZa5~^+uow42c`&Ywn5CQB7P?23 zLd;%_{W)Jhici@pd0ws)_Okpl5jVciUbw+CAb}Qy$0GqIisO-Z7u^9IzoU^r*~f<^ zVcXlo5VnK1&`A;>#dD1;f#YwhK|AoCUJAK?(-9Bu4c%ZgZlQm89DMvON7Zfe0v$Tm z2%SH8bGPTKLkC;|elEbv?`{GMTyzy|@zNaoeEuz2b>rpB3s?8XjR1Um%*H;yGr?)7 zX9B04xAtN`8|qdQy^G_p8(;JPPr~jk|M^z@_c~ImlmC~vZ|!ay z$Flt^_|(_6YE%;6;{9?LMM<`*%~)kQiu-!y11&Q)C$i+xBjxn3AAlk$i3BzPN>0zL zP9>(X_rbxz!NKdmq5N(mz9z11+K>w!0}zKbP9rXq+g+%~>t=0+HUq@A#n&@3PUOkk)m(xwIzE9(EpSgKTbcoi4s>Nefff5yPYSQSS?7o6la7 z*PntWLfzJ}sL9#P7v*qhsyr9kTRd!T|qJmzvL%Y7G6?;mSg7RRLF3Sgl z$^Hmdds$D@|_btsk(!6l;Nxn@@oT%G6@|zQ;X8sYB_^v)od#OP*>Zh z^)fpb%2s>Xe;)Jqi?fXWZ`nyHu8X9&pqr`S^4EGOE^t;VxTXjfbYm4j^_#|S z<&R&}#j~iMpuO)c-{*3Ry*>p5evtM6E*?-9=+8XWOz20+IZp=4X#)^eDiEE}0I>1v z4WL#-;I}x9poR%TS)PW9v=Hy?dWamn-Xtjbs0QH)O#_A|UeoB+7;F)7nn(*9ITTya z2T`9!Iaow^;y#VK8V60uI8h2n4rWE0uW$1-UTjpJy0tBo+QQ+8UwP_VtQVAvf(NXk zmqDI+(dd~*xk>2A8O|6b{|TqHv?jTRQ{Enlld$At1ViRRA6Ynh*=!7-n^K=^S88 zt9#kETjp3@hv@Dw4_B&1bbUAn+@Tp7QleYLHBgC&HkwiG?1s+I!sX*C7A`GN5VX8m z1>w&;DF|9mtAGUIcqBkU*FGyKf;&7E1TB$fAaqVWP2Z9gQVLqRtbz!YBI!1VAV4Xy z4s(DaR0`V9*x6kHGM;bOKrx2QTB<-I<)D|gc|c+Xp*Oa9NJ1r{1=1Z*mpt6OLH*eE z6ssL{{i%*ihg~mf^+^P`B`A}$CHAPIMnHGEDi~t@+x5JKI#p)C%5_EyToqW+VkJe9 z4dQ#0DD*wTk_PkR0UO=tszA|!QGg-yHG2%9>7oM)45MpU29uz54+j)<@u~tdx(UW3 z?y9B-&n)a=>N(R!IG>XEe60SrP&g5HHLKb0s#6GRiMvUIVXCxDQ+qe1|-)-TeI)bw(Q8vxNz!3C^D z%TimUP}gIT?Q|OoM-e4*NsXJL2uBjPSi;($pX{NH!$U-J@$lC+UTu=iSD|bTYn`FP zT1)0i8OkJL>B!7KxEBQ|h9u6*FvR1h+iO_4-N*@RCz%xGFm#Lq!=>AAEMEaEky0|# z%D^NeF?@Gd-UwZIgCxAFtphzU%X+2aa5uXs9=bfj!wZ<>fPl4AnQj*yw8ta|si_^y zS(8u8P4Ys1Hq5w`HV&=qgg9&Sclk89oLo zHRmGNyy3MH!?o7WrAgDcOQd*RMya0AMHB|uC&PKXevt*;U3deE0+o@D97x}9aKN?w z1&3DFzI@t7?ds`!D=xdbm-6(z6qgZuCy(Qu^esivD=COSP%^=8GZP$~Xo4JC6%(w} zHZs9(GZU<_tD9iAnF-byu?coLCfI~U$pq1DIV~^f|7X0Q|4Y0Am_hwBeoPl>JKE0Y z>0-Sb&~D@Oshy3TESe`5{pIE=ozL?(8$=|sNH?3IN!y{7vdJRJ58XdN^9;f?jnucQEM|X}XDx3aE%?;f%rWnD$<9Qk@!020T4O-i5 zIixbP<&ieB+kVY%ZM2~v;2xSm*J(xhX$N&K$CHH794_@v(%0`K96sDj`qf_2?fQ~Q z9*0Azn@H@CtvZ4gby{BEw)dFYM$KW98TAocBWoV$d*MS;b<-N?o7N!_wy6Qf^J+Ad zk};vDAt;{YXi3+Q*f@)A6wXvpAlV?PI*&$M(|Qtd7A#aE$l8%Ey$-{pRhh)pX`A$% zJ-gl{rhbl1wF{Munh|r25%#5$<)AM$uoR_E<)3+B+duchwqIXbmOTBaycVbQ?&F~V zimxq81yFiT^?=xR^F1>!L>Zl>#P^QZp>{sLy`eu*W_S996`s<#5O?yU+I8yl9;qQ8@o7C>e88t+%7=VrX1=wloZNg5;gt+`pl`T` z94aPz+Jw$O)AY%AQ4oAPp)*fez5)hOGiMXNAzOtd7m?+4gH{+xjhWAe-fiWw1zxu` zxKd$*$XzA%ltHvnq!cnxc8nS+1S?OLdBBHnV=9C5(+~LYolK#=WZ4H8 z?3tS8kg7quphu8YRmabS;KPSOmBDQhxJ+3p;QaC3htGxzTjEo%MaR@RjUGg(C`Y?e z*Q*+7?m4D|PyL(Q3gR7mUb(P@b#`H(^8SsL$;DPf#d3AckbdWt!#Q5<{+IYiLi+cD zqF~g_i+&OoEfVmV{k-SE%X}pq4efH3Q2mpSgjq!xlGV86Z zE-L_r53kDg<(jpu)Ex(fQAdymGqGE%)4sE+!@rn?eneTYDl9AN9_Fv{CLxw%-VOLH zT}6G~j|09od|NNWWSu@Qz6#(_I<*4MQiqeZJcD!8;ZOp!0?rkb1@TW=w#zRI zQ>Eo)eXi4|KbLvVtZaYU=N5;~d}pV&z)o$H9yKp&35uc%#CcI$P!t(=Uepy7Mb8rD zMLm8|xq~I_cLZhSMoNE&Ulu8#n|I_?T|+(o@+7dlvdHZf__XiS7q zYj-VFa#8$*8{+srN_24$G~M&%^O5sED*nnZkDSv{gjMknHkbtWlJvjR#WU&0|DDG9 z>#)g&{v~^}K6{zvE}6Y7mh@Duua`m>P@niBt9)jypC9rbxDLZ=B zJ7S;t#ZVTDh+UK6qg#ZF2D`TJe#Y~hdVaIG51v43qMkJ&L$=gBMBNis#%Xd&dgaxHo$Puk9 z4Gl)&$a)rJ3mbyPjx4S=FZs&iLs|7{do=x>-%TA0H?d`9IXgDXmQ*-SwHttwi(DV{ z<3RhUFYkqe2~XD(ce z&MBxr5n$p@>K=E}-)Z!Axr*Oj(%E`1?%k)mYM$@{9ova3u#=s{g7$K4^zJzOOdg{6 zGX1BKgNX3HlLJnZf4a|xe;wRa={lExRvbK2bw*CuE&l(*}8w0qnI-J&aj zPy?{fSAud#)9f?97+Thf*k?g8%w`JM;84y!3yNW#SYD=Hc039ubuQr0a-32dA$Kzl zqi}@cDq0-A<+4at@tlmebVjyLPy&p)24|4@kpENqq)dg!K{bW9` z{Pu2Xrh{sk)oZ{g2k&q3;wgTdCnUQTanNpNdyG&>dFIMpdix_fJ)A&Of*fv%gM@+{8LEfU&fR4Apy%wj5&p~%=y^gSn!T6=F%7@YOmincyA`VU+&&qqymc#Ogq8fwE?o<0KI%v3i z+L#?YSg%PKub$X)oB#)%Db&G1#|ODM|CjWlusw-JA$iKiNU~UN$lEGe(*Z|70yg4L z)n`yM9OEp_cVI7nl7~NIYA|94#1X;(ha8&-(I*f6`1u)lL5>h;D%V7a9(m|3-`5); z1;}|aczsNso{}eWY*@<`8Qcc#8v!6lfWil?8K?jloH!HfX8)=jvBgFS?yQ^)U2kQ( zQTM9Q9S#PDCmamW-YCak*a8%ES%iZ^`tkPpg+1NM{w=^n_Y$O-<@=|fgWEd+L8CGE zP|YITdXu`K8>w*}wkPP|c0vOIQCsr_1Ksi5g7vioJGnc5lwc=2gAWo6o%#B8f}smB z@?M*H`IH@J_!f&CJz7Ons;48ut?JYmHk(x*a^<6~(;k%1Raf*W(j-ruMl(UKIO#dW zIn{$6io*`EJnxQIC`!~QEIeSJSe=dtx?Wjy*H)P>uW$BOX$3u?-cQrkZ4ec0$Sc2J zxDl-96)zl;Rl4Rwm@a&u_tPEuG>vFQ?+j7tsv1qh0e<}ukzCx4i1kO;zN@B)hv>jL z*U-H`+^!ZnI>~j6J{*lFq)7$PPA{K=TMHj7*-cWmmbfOL()Xw3>KhqNj>`t1?Db?s zu9wg0tWuyipNl*+uoOTtoOyBN&Hrt=gFQn~t{SN!XAd_%% zcsYD6!rrxw-|0Bz0>)YR$i?pWzEr>brYs4Z5&ud_0t3G1@nMpLXd`hHwkU~DKGXi% zeyt*k0PE{jCy*Si#5qom zrU!ga6jSZKlfgWh(Z4L%(UIMIQEPI&d8(Xn?J2mH=rU-H$iwKBEq1ZzkN@9SE(p9Y zNkIrzv^}{b4-pk7{hw_$4O0%|7+^fkWTCh>)0O%@l>CM)O*B8`aW)*KN;7 zNb6NzGz80?=OhdYZ!75>Ji^H=pw)=GSMOX)YOZ+HesYQMeF}}QhK4LIS;ag+vdP@lfhIX;M0Pb8W$*#_nY6&Xe zNl@JqC?r4^1R2|VJF((t0*onDpr2i zXDSM)=NYK;6dJI*14$5fz*7V#4OoUM*21mLq_0O6pj8n}bv@9fQn8+s+bHxcuw8Rb zo?c_sY4ZG<`ZP5KN81!ARkJENdR6N8evRrB$3ZSn6isOG%l0}mf2qT%?DEuy6&_7v zU(~#6ePwl?RJH!E(O_TM@0~`2PM)8UM%f-tqfs7cPohx@{lwP&*EW9Aw(h~NF*~J@ z^UPHn{+f(E=Q97eLom{8~Msz~19X<@< z$$)dsDo&Uq1-eA)f&PA~sKRlu;%KR>OrcE_z!LH>PUp+bSF%fBI#@iXi)2kMCWCP` z1LhvLnord-hLR<3IoCl#)&8|%cgSTm*J;Tw^DK6!)4sH;*Ud#e80KKFieS!?*MSAN@fVyk8}8HN`cg zll3J9I&yul!zlA>V#Z0jc%CQvocKyR=G-@86aBg;=$FT=S?%VkJ|J(ZbuW|+#7eeR zO{NJMo3}HqYeUxlIl3&n8mL2go^GqldZIlwtnEM=(H-#SAqx9PayQi>(P+iyBpU73 zoJ6CUnvx9BVI+wyTrdA-8_D0&xoFdxOW3@ZH6(1_#|{Wdf2v{XLzI^AgGdcux=198 zsV;S59K)B+ZDlc)7N2RLERhnvy~|=X)!_7+b4I~^d(X>itiuZ~nJCvaimUh10j1S^ zoYx^~-2HV(P8e1-dK@Kc-p#d$hEC(Ira{ttj-*UtxqgFDO>;Ku^!w_jY){hXmyP&X z3kQCP(!ZVqUcHYrf>-Yy`tW{7a(qJ19WBwL-tH4`zR^gHqDC7GwOsAMf@>!SQk1sb_9%&vGO=b$2I zu}3u>RLeRlyt!DSMuWcj`qlzt4F?)c3HH$A78RLfhth9;B&&J+CccAEvZ32mxVgHu z@Uw#s)g3pNP_Z0Tl)Cz;xd`oVnZp9w<>0FsnY`gR&}x=8SuU1jB0Rgz14d_54lLr& zmer}gE{0&$Y?#8@I)^g0*xT4yFLBN~{U(t3qp=o89|3g`io& zi3%AgL9+~B&?R$_(Ziw#$g5u)b4Aci^?^5aRK>c(vYm2(RPu;P%aF-NsSw?AqN1<~%;F+c+pu?;g5;%?3uWD$GGv z^H2xfrmxd&0#%jRnkq422A4hb)h$(t2C7=W`D@f?i-a1uYPPW(Y}Na@*+J{Md)&d7 z31MfO)PZd^^^V8)t((txT@7G04Nvuf)tp8yarH4%1gz#Vrux8YeeW6rqlmdUTQQgl z%Bq|J`9i*o!$^2w!m8&!#0i0GxQ91vZ#|c1kYJC9r8kd%PiJ((LN$c5Z@Cv$fj zb4RChD;zl&=-fV;Teeg$*7?cYe&c#aC);_TaNtZ(Z>tfv)Ax%b5$K(79`}8BG7`-p zdH5)E4Hw^^gi&iqqUGi#S@9mIM{KU-DlCWX_PRAxW(d0QVIU5}RkwfnS%j}}qH%B~ zDqB07XGwR2GdyyUUf&3ZAkbV{)ox8u!J1v$L*U19up%c;{bL`ZL>wi&!V%--$`TbWjK%L1YqbLvr1mx?eu4YXiL+iQpI zG{IJDKqmKmyKdHshC(ZHIn*ie75*K?v>&ic8RTZWdE0JC4~zvo2DL`8yUlb2pP1Og zTTS8Bnz`F0!QFime8nbK5g)CVPo{$L!l}vBfzE>hQHeg^2CWgDM2+l$Xwc>Yqn8>h zzt~uWq%iAL&-HC)BS#$Ltw~Jy56kf zIkzx80dd&M4uAE`#;vJ+3(+q zk8ARni~$U*nu#w7cBUY)Doh71Jno^!EUDwT_WJxDrKZ|0 z%$>wRKJsqa4_sTYkIN^7>)BF5SDz3bC*%^|25jR|g92t55m8uL6fpGXQtVEm82nI( zOA^A!kW0dL%EV`Ycq}GfEmN`p>IhqJdq=2e5oQ;rYHA{Y2DhRsJ2n+f4tT@)77=`3mP<5vOJ@PO3r%&FP~TpdRW@#-P~SW>n|Ei@QGpxlLn2x%@xhW zUlHc9Sa=4)XL;YGOENS>r-u1F`sPsZh*GNZc^dT8%NC6{`}~~{K8b!;r6g2e6CD!x zST}ANEsepg2HY~XkOwWlSG+Qd&qOGk^T_Hk)o!t?@Wi4RkVg_~lfcom&fvrO4VM9p zmK*|oJ(Xu0g7H*CSw7t2<}w9$;qGsu({nr`qoZG?S^$tQfah*_%@jjo1w z&WQyp_dIz0ZrapHEIgm*GI62-9l{1yxm_(+F`3?j5T8S&?<@AvfUrX7g5@EmFPby@ z^<`+diE<2@o%I#(6A19t7D#sZH=q8+Pq!ezR$B?#VNb?`@a~qs0n3M1o~C80QQ3?W z@ThiYzg%0;rqF2xHZ)$3C7Vus9>sN-n#y!2bgH6{u47UMic+V*4|H>SoCdU3XO`^h z@)@-HL_b}>&EucsOFW;G(U|m;+43nHXNh3EvkjPpce#3dN!R4B_dD`!6~89rc@;lC z@=tr%R!<3PLy`p*D_uO(zpyk`TrdYNr{rMaO+?<7s|_Ckoo$(p0y1PZLKSkm03lq` zTCASPM3a5bHEwD zDV-o3L6C3pYdZfaLaN%I-Sa^+h|tLe`_kW5zh10&d46Uu@nVt8`FSJ-Vt_uZDTWR! zaDA9HSj6+?b8}+g6*2LoKiU~KJEWz{3i_`^$-&YH&uWqGnQ|J1_-w(7q2;Y#^wonC}hH z0T?0vzFOJ0yjrR?;z-e`mQ^X9wz0BSIWhoWrY^((u!}NkGRXPh@C`Gq6~@U_((1+Q zq@7z{lswUJNY!hEH9fKaJ0oqWJ{67CrLlV`{A(^v?$65pS`=t3HI7jcH&iQ`43#$nITgyE`8gLj7L9?He9|>v-tk|4Y33PK-{wJTJ}$O)~jA-OOG-jlyHZTY(Hz483-EOaC|a+Ee=XDf{oOM_%J}!Mjz8h>^9_iN_8lb{i2P zH&i23#+T_u35XF6E$^`ft&^O!uB2E4xd>LT@l#9;kG`$=aON|eF_&FtxfFZ?h3K{AZGaT zbDiwNg`Z@!nEg>Hy$gb%_pvOqOM>lFTItaPz4pqgx{XD$kyaTU zWY&TwG#-8-Uv91iJYYRak7v0cclWk$`CK9cU5mR5yKYE-hdewlzi(UXuk;rO0vNFS zUWfTS=@H`(gIq1w8v!0TBF4w-CqL3zB5OeEeYEOphV9AdrhPdc-AJL4Ut>*RdTpz# z*ToF9Mw($dx`4>An4M@k0RtT*32C&DJQ5nJY`!g5ugrW%y4WPEZ}BVATr6Fa z;Iaa-8>w6ruk}N-LxM?VTD>m{y3uZCK8eL7%YsS7WD~DQFn@cAi76-zP6Os@ z4_h*0M=2_^agDhsS^u@l2RJNi-3*vq9RK?_DO0{)YMAH*oscPhdTON$GONuGF%@uB zLMj$-XwWGxwTS4X@LjiY6ZJp$TA^76QD!S!o43psn?10)F>9MCx1l*0>_qW8Xt3mp za=Tn^$kp~y#$ktMc{p6Ry5qZ1%j`Ix$_i&gwYrUZe)E=8t)FihB?s_CT#n26@-ewv zEjKKV9B#9`*4duYHCwT}7>~!~Dc;1t>Bs<1JU5ZyauO-Y(Cv8r#%4{OWsCmIBp2D| z_4aZ7bG=Dk<)lSlvir8KXXtmG&LEnaEO_Q8>)i7JrK&r6kU8d4Fb>1uwok&m56c|B zjYjK*Yqh~3kF^X7%UySosMVcL$@tJaDnUJj{Bb3b*T))bd~%~YnCkNlzcE4 z7?yAECT#}o)Ys|ayR^bC3ghw$e@dwBnhp({*v?}jh~3@tLaoO?@o$8!u2s0ZahI37hN|_EPM=}!;$|Py~l59UqGSMsvlQo&&1W7o+|^-exi86}lSHC*fv zH>PVC*8A>U;cK?pu)8Q2!sO&`N-F89i7qPvW!6K_H9|)~&?L;)Gh|CbJdfyg7mOJ$2 zy9R-@w*i{N7q}wZt>(jm#677`fy7h#gVmB)R`rDtNZJRjqe1E^klIC@M~BbTRNNiA z9_<+O?Rz4AN`xmt?o$1ZcVe~UbV;V;aA?RlgQ1+OR$o#j}@m zk;vG4ez}$^AEP0A@gd6^5sH=lpK#>HFLmTL*mq^O-Q&&jH9M!VNM@VmYE5+-)X!-Z zYk=~2QkUQj^o4aMXD)o@gN%i7t`8t2_KZ0r1O+UujJsVn4Fb7 zOwvh3bYG!cuu1lqnZw18yxXzSZnJE$Vel~<@_rMb0)spO742d-M+L)b4MPM`&gJ(J zGFs@U!tS$6WmgbIl7b0!*9o1D(Kg$bpe$JJq1KTVx7v-GdotN6;vakk_Z?~aCLM5k6h4#t^fxu zjMI<%v!Sp-QSKi4kzA(F@zF_B30f_-HBh2H#6WwWGwGYHVbq?8j)oV+@O>rffIQk~ z{BGN|OqaboCc@D37j;~Azj?xbOeVX3y~Haz>fQ!Xb$y}a1Y=Ft4C!}4Idp3Bvg^{4 z4!0!C-A_NZtxon%SDTHWtP;h|6V&e3UUkJHjp?C@Dxn*@^rJo?T2P>XI2qaRU8)T|C_R`k>e z{fJ5;Xn>-Qlu>#Y700N`Vo{w zoybF-$U~ioex!;(J;_5oiGF0oQ3JUKXATA2*b(G@;slnkb0!}qf}^wUd}}6)8;gmB z2&p`iQW#Z$j$Me*Gs|)UxkdS$c}Ao9WU~$SCBG3^n?Nnml<7c>a;^psVv5BGKTk%j zp+aZkat0tu5_2Ay2pQXxZl}|4-OE^Q*E~(((WK>i9Ydj}s3+}~g~&s+y&K(JlieMv z(G7oL#7ARNhGf=}2wNPI#3epjAIgBOrofW!m3eVV-5+GC6 zRgHCOZ3_IRl>yzOx&SC|8_*>(Fea?hilXJBO`5JnC!X9XzXR`Xv#;Dza3P8XUvLkN=Ku~mB*?z9MSQ+G9dsBVTlzn4QV~cktnod# zl2HRD7h`vFH*O8DrQ_WpU(u_yE0V9C(w`5iAAcit6bGs;(*RAuI)6??PbvFPDar+xlMks1E8`P`+!z)M}$kO9MjX%c)5)4MjSNp zW?%WG&~6j^O2)}z!`|+Iog9s_>?^+%+HzrE*`9)Useyh3u?zdECOcl7^u27aj#Yvi ztvD{+8F4$}S*8m&J$5Mpo_1&a*h(8a1; z4rBCdo2}w#4nMBNnUq5Btw5yV%@6t2{HYSZs((GA?-%qaMZOaKG#IfRmTBuxQ?QLh zVNlniBy1U7yD`zmkL$c=Yq4$5ZiHMNbkD=K3vAg!Z@z>;9)k6D%_iDmYY==DXs;Bf z9H$I;m_}Qia4%1`Yy5MQkjl6wlnrfYxgp!YEw^$-2pnZ=pk}qm{&M+wbeQu&C~?8( z7poQlTGr?Ay(P)hE-OLpG%8|2o(8gb>MXX80;cn^piQw;S$ds@cHkODr`4lj?d6ys z(H^ik?k}-6xCQ8D>*#H^c3gDR<%+njNq=NqzOx?=)V-EfTmSqZdUEj)eWj(}@7we* z6yo9X{%iJE_t@X$zb{lx{ZI=EzfX{t`MKL9o)gn?2h=_$pC@GOu+`1hG&&kMWwP2% zexkkKff33{vSzz#nSq)8w$)cMGrb*x6Xb)(uv`ndQqQA9z1PvSYqV+Vc?Lx^v=H$% zvLclk4sIES-u^}%S9NFOkgMp~I8O+V>n0!JVRD%oVL1_ZY&3fD2nXSW&RGs)Auqn>Kd2GrPa1S2Rmfg_YW9YX?^_pDX8qObPs3f(1lT;ZsnxtTJI(rk> z(wnY{Yo1Hx-aACD(1RJz*c}meJXqfF9;X?=m2D1i*$x6Z4ZIV^et`tx|6#{3m)pgY zRAj@fxyB(pSP41kaP6C2a*?)r+oz{A;SbS=ta~Tfyk@(YA^QdXTuo3;D%?KS>7s`S zWh&`TTK5W_xa75l#RVn#@sUzaluUBGM7wU(X1$%U20GUS40RJJ;9p%eEPOv9w2}{{SCU!kh3`U1NCH`bekX zgvIb;pd&a9;Z3iTTTWo0g9i=a1N#5P;Al2+&;oeeL)kAVLOJjr|G(pT8s|uokk#pM zCYtEIc>%c6CDGjf@slJZ>GvfWyseiD@dE)p0B{#?wu|RoJ_&O3jr)*~g0^mtlnPYbwV7+ z?Nol3Kb5Hp!BB58SGW(k7 zn?k@b1u(gh^HeOs?zHJ2hMqYDHQgIhbC3vis_Hos$*kc+B|?GypQh7w0@6>`-}~t* znQiiwh3O@!K0CX|1GUNUdgN-n$6dWNFen+5V9YH|gpsJ7#Pa$m+NP?RIs8|3e*Je#q01c`HR#yNBM&^F{BPJ6X zn#6PRa5))&J$S15b8venLgch07^`J0hOYP7&&hgCs{hc$=FoqG)*w8lXFhCZ^`N@Pr0V2WfPq+k~9A^`MKUK7m03l!5XQY zG|MdY7_T%*(a~)=>EK7QqAjb(X~B2hq@3Ar+(u(dz=)op&)n&9MzL8IDma><%X^+5 z`q{A5?rAoTF@DlO9c$+bNMm18*UwLXb{O*FmVD~OrE)sjv#=i6sFB=EKe zI*&%;JDVjGX#G9Zb@Cj~ev|YKFmnbj7vYjdR!>e36LvR*!btr(F z)2#kfL=uG-ASw<>88L1E2}PI)Acsz)P6F$=u#;WGcvggjZUqbEhnUK(rAV{d4e)wU zit}DE*>`lXq07A**dl1?;;%qr6m5D1fW3%Xxg*56SJZ_v0?`O;+xNop;z2>dNHA2_ zHp^A8KqM&c5JdWnZ6nm_RG?^WIi0d~p%nF<1Lf&LDXKTWS2{q73knyg9A*vzDJ~^d zpu(p*c!~=Ncd)cN2E{+hbX{)(2Z}2de_H7PDXt(~AT8n5w6C?b0*d64SzA|cu%Pfm zskP7nf-0*22^lt7v5bwD3~R4gpFt>9EpQ9Ds6=bJUv*BPTP`vElBZ5w93lH0NL4!y zLE5HJ?|6`^7FGf&bo+RisumE&6q+a=q^gO6AU(aotfimtA-g7iMy+Y|`**mBH&K!W zt&mwwhaFW*21%f6nzi^*x1yec1KzLn4h~HQ5U4rB!cpY`sk@J5AR7xOCJ#v6d8`5n zrv?v5-KXR9NI36#Nb25Pb&$kJ>MN)BK|#BM$|*RQJp+WGGO_^9IZztb$_5BG4NvO;`Bn@Teh))MeLzzEldu%*F^({)JYh6pc^XEaS?;I*nSg3^HOV&bl zwn_Z>blA5qj|bTqy9lOgdZ7GEwV>H0fMDU^a{%beKg0px12y0PjqWBL@{2`&8S1bD zYzykM!w(DLa{y&Otj~ch;-Eg7y3-K2zV=jsh5Ew*ZlFI^V4((Si#3s- ze5D0k5}Ed|!=Dl1e}C8=X*2+PZiN1oMN}+~FE3(i=bm@|E3pC(Er+8fra_$};h1a2 zJDiUrN5m0u>LWqt1&!pGx`uP2oD=!Qz&9Z5{fLgz8 zwlDj)eP^YPG38zv zbivIMk2Gr0KNs@R6DvT>*+(?^h=S4$3XBXnRC>raAJMH0+BAYJU5Md8>*Bef|BMkY z5U-?Ou>A7?qSn;*yPmTgi1V)5HZ;%D2;0{8?T)P8>o+u*FU#%Iv4Dc;2HWR&vrVq) zlBIx0!?!{6L=Sv}aP<^*uEO{MjoafJ(K4P9bYOc+#-2$`&{lQ@!n&it!>I~;`iwgO z?Kqz{(bcKxIQBJ0*XzSBB<>Jd3)lJMZSJTDz-1RMd~o+X;IcayLC;)5 z83k}=;%h+5?rF3~9JOYb#FPc|aoKKxe8|E9xP0ICyRU19`Tx*CyV3N9{hTIfaPR`d|2JH^HIwp5I&r1+&?QLvKw6?BNwFvBK6>F z=_i5jp1~-XwUqKbc+Gh!jph(QyWPenK^onm0R2D5@SzU0>`tF=1w7X|gB6CJ7OR5S z6?wgNmq3>$nFgjbB#DDbAAv3!3tIXpNrqfg%2o|qLUHTM7%D3-LbT2zV`=!R47sL^ zp}aN_ZhaX`qbfOw&RJwE4YQOX*Oaj|>QaE)K*lxf6Q z@_E|6Jrz-aWk^2HDWLJf|1cg51(aNvm-nOb5j{jd<5h$V0WqDS&54-;Vu0&R``GQJ zeMEQjU9{hS$m$*Qd+I`45JHc9p3AH=`@kpCg^qV=4-L{oTG@!!kQ9-C`Jkm*auR61 zKJNK+Jm^$`&>^2EbkZ|=Q$Pj^hNomO7POPVWB#P`pzv|l&Uwc+7O)LjXiCNsuP3oJ3?c~H#O{Si$L52fX% z3p5`^n{AjzckCIV_ia6(?Qp#hkv}RmNUjV67cdW_b@&j6D>S|1wjDqdksf{Qwl?Y+ z#@%Rwz78h~AB`s4T^weA{KlgS-~T5Gq7Kmus^0&53itP?_LiW%*MqFxXiYnS?k1w9 zxqp;aBrrf7&&i=yA{zGVO}u+7*J8^aMREt2IJ=ue7;ji?!)CkQKE~1hBgdfu)5u#QCbAS-0~-7G@)RA=mp7URl@(z7CZd>+x1Wr+4VQ?JprF=biCB8jo2%r5mTOP@ zG#46L-dvV-qQZvjnfo(zHce5Q@h~30`=(7c(cd&U0Z%ifoD_knR+O*S#mGTJ8I-zA z27m_cX~0A7;MqEk!E5p*S#@rr#}Li7yTjAHcuK+*eU@zT+U$?d(XKPzJRJ82_8@{$ zZL`qO#r7xxfDTV6fPYwr`%VV4$bTdH=PU3Josty!r|L{L7?6DeOB|edm6MTmIp=91 zmmidswA?{oP7b_Tq2vm~oQKZ@G+-5^3eNSD;L3q)d3%`_GG!Jv2Q$H)bc_+neP)q! zn-i7wiIJQ5Gj4M*yk@ba6&18d(MG{ zTK(vjX0fNA(Q)4kES>`%4l;dQ$25{$HgkK>&IFsU_A43;gZA>cj$hD4)_v@%! zlaWW;?1DEBkhg%lU7&x>*s>gG@=fQ%QJdJPha~?mT9p&Zrc@jU%tKQc0ii8`iUjqK zdlph$YLSeY2~{cRFWWua4Nz;le)tQ0eWpplpTj+kB}7JfPv1|SekFo^-!lTsAVgWF z@o7TTG`KW96S4*u#11^YY-tqWBCuF}cGNZ=YXE^&an1mgZFqg?X$c?bc08L6uh_0n z2M0KP;Nzrw?8VzA+C9GMK*^N!j8MRF!MUM;#qrEgP`0ddL;dNo%8IOF*V69QZM+Z9^X;12ZNA!&Qc}vgOWI(2Y zv&U5W-r6X8RM}rA+m+$#VHZ6|5>RVk4Kh(ePCFm;D*7JnqRlEor$3W5hl}YMk_SMO zx6NxO{fW_dI2!A?F!$i~b`i&=W$BNts%qCD{~VzpN)sl}^I*oBhy z|1X#Tj6ee>Y&|9b zm1tfafZ>1^^hMvqlN+31wHcOl%IDdI?X0vs7^4PbpcZYNoY}^oCga%`)XMu^OnxKm zT~*`3y}g8+qJFn2R{~rUPLW{SCauT3i*DmxBo!%CH7#S<(ikE$6N=f-)*A5X8;pTk zivuflKDcp+P}sm|;6kO1RdHo_nu9OGQy%=Do`sX)1{avvv*16|zCRH_LdGj2?+VCM z>mekYO=g_!vyB0?-B5v|=`*5Lyr63>EB%1p3AwU!r+%)Bd-3tC~m?5YUQmvzFK>c zj8r&OgisNZRk6<|6bspig`(ZQ-R^$u(+qQN*Fe)S-tZD=R2j{(F&Ul*+q5Q(&I0OR zqjmUl*uF?vI@vm?{%=E;zIZdc<9o9-&__dJIeRAbBB<%mI=5)>84aTK@ihW6qEy%` ztQ3Dt`O~coxUI|>B7^8A3^@jPCD4o^TJE0cR#NvB4d#|J5ZX-zE-W=BL;&S03fGl5 zggT(?_ToFey%^lEZ*ev*GR}%xaz1esJPXucANgl%MJ^mKKhQg;d=#b&bl$t@dzdWh zC$xK=GdAp04F&YLSs9KRg*nR#+*J0kGDTo07E zf4lH!w4M@w8M&^wn;b3_d>Cae{QV2Hs^lx??Iegl0@85i_Nse5Bt*2y4#5-}n>0(4C7 zE>1+PdJ;2)?+=6sWM57^_rvjltl(a`5*dsLUlss}#9>;mX#gEjak6J1u!c~Lf#XgJ zLZi(z1lQwik>J}OAwofL1IKWL{8tfs62XZPbCEfw*fQmaT{Ck5p!Z!c;&eR4J@Nbk z_8^3A*EWrhU5EakOAvCGSw2qvs??yOz-m~<5d-!P9Bdmnm{!FufO~+xOORf%feL1c z-GwZFZQHCWMP``Viq7J&+Ed6n*2gbsE-k3t>6*r~KmbtSAYtJ36`LLQ(@cIkrbEL` z*`owmhb^Ui`-^$>0LA$wAo`N`ms1CJRGo~O#pq|Spwc00F|X)NU+Uz>YS zkfROv0d3anu(5Ipe(tM~uWInpg9DzGd70h0rfGC$fop2W z!UE5sbnvGHAB)y0=vJ0Zaw^F+OLKm@YGzM7rIQZpO*&PyI#Z6r3N+=^Sy7yDl{ED5 zgj2`YnQj~=AQe|=J;*znZS5b|Q6xMtYR zw7H6-tjTsWP39r%XfX#~M~fkNWew)=prgS&9+b4Vf~%*!JX~0F;Ukmx#90+pwOxkO zP=$C8UOc*q3eG1;Dcaiw|SCKr&xW(!*b#ZOiep7@VGg;Uf_t z9*eZO8O_?WE25~P$X^RM49}=H+<^J@v_#$YPLxL2!Fsx)vF`vihzGBrL3Q?CfL{6a z^h%uzMQxLMC zVEbzW69a*;HcuGzj@XGGL7)rJI6at3Ewey5)(05;!=F)h)Uj{n!-DT)r^Q}!`G z_8nWm634+S1i7UicHU8Cz-nk8$sI?#?a?^rT+VXrwX0%NYoqJs&G>367#mHCo!WA)N=e+)Vw3f$aIFm8*EC{KW{-%qD8 zSk6=luI3QId&@(A$V~hS-qzDuqFiK5s8IZ;3hFM}JZz!^S`Kg9wu#9~kbkXUT23MnEO`ayipIa0YE$DsV%DF> zlMWw%8BpbeEtKg3IQqaexqsZhGsZd`0Txt&qm&OcLJ4nV_aK^MsI`lJe(K9r+49n5 z(hj74g=DggEYsvoe~r@1-hb~o-o%V8mSQwz_=Ai& zd+2A(L775TOyzBRws7pxw6=|OhuM9o36(om;N^O8MWp0bhi!S>-EVaUugDXyc~j=e zXuOhit#1CZ2H1+LDEB-dYwxJ# zd_Uo+CZ*nN=TXLw*B$0=32@=0BqGb;yCoW`U1SH?qN}mv8nxK*4e*q95SUKa;5LLa zztM)SDQF1oqKWI`6HEtvexuuH|BBV@LceJAMY4saNud9Qu9uhdu}}XY0D<27F?T(1 zZPP}l-<`tmu83%+*-ntX-v-4X2cq=`$Byy(idg9=c(6DOxZnYSDg%@X3byyVkUDTl zV5c$*9$3arl?AU$WN;Ny87z;RG`BpThd`2w%_PGjXehZcFdR$J5WZWb&bFW-e8poL z7JrrmP<8nPQPdEQF*31GIBw;{%jik^O^6ZC|0&-5n1>I@6&&^x+VDd|6JrrmaFmmY zT~R~$QiULj5KIGfRKWf02>;lV7?H1Zu z9<}(}(Qb$(EbA4np)FN^&w;Yp%W+O_gQy#@ z8`!O-^wk^?(uf*$XFFVaiN5v?SYpE#=|?C~6f4P+@dsfWWXya%E7ui$P~P4J1LHgcR%wF;dg$ zdAoZ;AWot~u_9<5$7@4tIkw}*=Nj$%P0NzAVzz5K>vJW#kw%K1d zfbK>EXf)=6akCEdQ{XErDm<%2pQ{TBVQ~5ClJtFbzB8R)g|^Oi7t0Nf8p`@APrPx# z;j8JA9fB5o1*-u2Z)VpT4eBIg)re#nk8%MiL9o(H!!J|4APWd5~rglihk-+{K3G5>z z&_6~3{oN8c&WA|gIBg|x>`{5`M{;3CL4y0+^9!SEWM8ea!#cWR%^v4&BL;So%3@eY zi2?5?wGcx)t~ay~>J6<$Z%C@?k)AC&j&o$Ug!J7iROYFichvdg<15$kqf8|`G?YPy zH9uSP2ItdNDsRW=UF{IFQEtuvT6A^7uA4mK(GWSLs(!k{WeJJ|B3(`Qx|&PW0E=$p zzHc6+$r~kHy{4=1@PeIRERs;7s6V?pztmZP^*CLGZ{_0|* z7jOR-AZc)iu@#bo(&A>9!|Q!WBS))=*RI>s{w!nvXBjnrOLQ+ z5AnF&)$dxshbVSezuN=dRe=1D90g6QZj>(KkhtD-%qQ-n#NM2E$O_A|+_b$TvvBp3 zd69p%KWMM%WE3vrMe~jHiiuppfc{L}{X36*FqlVPfaQDUc(yCy(7mc0u6`BuVzG@# zNGF9!yq?nz2$LwK@lbABYXJ+C6P&Z~C$3yl!YQBm{;kmorW3(CXPk9N)r7Ao40=BENiQTsjMjS8gp+V6vaZ4kyk!UfPa^kim1 ztgLN5(%c+NUE6%5x&>GZZS#@x=5WVqn~xMaXQ85PK2q8oMp4^*q_;Vey0#6$6744Z zL1xkXB}o_Q^V=sfPUa2bVxJu41K-TX=e9{d;gV|TniM0YACSl3HQs!utIe+h44|NS zxLRzk@ySsdc`iM>uptpbm-m4#=mSGeYBWhlVA#C$d=oFDtcKK`!RrK|GiG zo;@-{Eo8We=2T;nc)re-=?#QpzgjExMFvLBDsRo*Cr0=x!m8r; zWmtWF!!6eWe!n2(j<{{3OAGhx&mywwPIPhPuJzDer3{LkjRXIBcSAPI@!hUJ5&sjp z|BKrv0!~OxF{it>tbq6U2v(*!`a}I!=XB!!tFt;q|MmMQ$^M@Hx!WC)$#i&et`%D< z!(>huAS(eH>iHb4!~WH$C2B`k!R;Y?W`Fh?R;huh!%gDnWthbYfA3T2fa-t$Nw>)} zjmYM!lmyvM$$lhOCSGuA<|m%Xac7k~m^XbM5kA4=Fz01IMa71(bASg^S9(#6wgo29rK6gPfd(;0*=%V{vZ zPFIY>xN{?lJu43A0w9+|5h&Mok1n?Y=}~Z3$BvE=AJ`_JMH~5nclwfq>vjB`L{Fs9 zWD>lDEBfQeE7ml`Xhz;UWS}m0@oKZB>xjDxw*V4g;DfQKxF-{p=bXRd%?l~OU$pye*eK+au7c(o%@0CUU2z!xC z01LWC1iLHh2Y`{wF4Z9GkkLcSuCP!%99;H#RxWkp22G>v)ea5q|7U2oDsUEX;F;g2 z4SubyQ%Q#elb{jtTbWEf6J5%>a>Jn`G zEB$uJMKV!_5g#dV1xUbSagn|R0|63<)3`_nTUG_s&_o7Kdzh62?iByV`v^ABkg<2Q z|8WngQ%c257mfL~r?5_&Oxa?QJPyO>MPr9xM-O^Eqo+M}u?puu#0a3bDFUm_NFG0j zFN24EGGc8u(;_-6ivAK?q0sY74+1Szhb5>*Q?t({7hXsuMb^0R? z$#t*C?FdarcjpUQr@2p4&^k!x{a|X@GzK7k{7mPa1qo;@!ZuvX07?W|uE9owsu<8Q zY_i9+lXbXe1t-E4887K))R2oa@W%L4S~BV;+(TS%jStTf3cdS30zGiW7` zjpAtqc{DOFf)UTXCXI~SM=wmK^Y~nACD3slq?ZD%kwopf2-vEEM237L{Bg zQ%NGTjYMd7L9ShvlR6NN=S`4q6wtu>HGP0PSBsa8=r~2{URGWO9SCscRO> zc}DDw4`6TLlxxHuR%cRVZ_+Q?upfF}by9GoLipio5w>85B60t8(JtSaJvfM z79n9JExT=)9_NR4OtltF(IJZJFzROOwxU8GE!nndExPurs73E+EV>xnj%%B?qP-af zu9Gxrufo0KT3YdJ)z0H4%ZjHi;E8g!vgM|2xgGldHvPYzF2KOcbxNpp@_)GiMi*To z4JMXN{BRSJQTUro4icVA5L525?RE<&2KgQ%18fwGOu$vDda7Lc%E#x5_Q4dmWjP<0-jQ}kIb^sC}qt8fFsZeA;-Iv9l^F{C5tT zg_Ys!e|W&^9N#}+ts8gJ0W%Hz5BFl7D}3@m?P1ELhj9rF6fB*8XlTLEWa5o1ld!ZX zmP;?7mz)(h%Zu*_@mVpGc)+8?W%t>+c)v@6Xue&=o40xh8EE8tc1`gUiIVy1?UiLT zafgGl0Le9sg=1nC4Oj={G1PPS|BK9`1$*3Txurj6DOYQ98(i+A^#R)F>>Q&Jyt;sZ zO23TPQSD||l6{XwmKHf1h3n0175-plsjlKp)cLa5tippLwl&mdrnJ+A zRf!ciku&$Mr`z`VkOb*=^HOHDmF>NC$G%h?tEf+8`sgZynmDpPkOb_8h>RmE%7bN4 zxu8^>AGXaEN7H-204PS!;*l8!d^3P`6a9jkiOXIZ>5|z)b7!Z*L4`hZoc^x6NgzXO zcGCMfaDGQj@|vzT`NcZs?6WEn5?QF@EZ-3`byV&F$`Uv|>wcmm9dLc~KqFhVtYBwWbZXXlRi(PH~M>P)?J|ElFiZ1ae88gtg}+C>D?l zmCMYr`kBidj|o$su|E`M?^l@EQPQEHm}j}h(ePUQQ;RR1@GQ;g z6hm4d7VQ;dN*pU|rL`vk>YNFeQ*>El z800Z~*E<6oQmYansRXCJy%-J0rRIABK@k&43@G3yi&GH4+OH)nci{*%T$$w}mVskh z_r5$L!97WNn6`+l-JoPpCCQw7;c{%MR+kzirfq zRr5{oU{fp>n<#U}Yi9}P!(WoK&GN6kYgcUNBHIDxFC1zznO3oBiK|sgWy&27{S}`f zPW1HH-+6SlE;qAYx3Q@*rNM;W5yegn@;%lJ*zEs7WJ;8=)Ymmb=dNH!3jQ!^ZMACWFtgRCZ1 zw)$#lkdVcJOR|xzwPstNu!h-E%jFLcUld@fA0SE#Nl^Ob2S_r!QkKOzsFM~lLr)CH1&h0O7i@SU$f5->%4!0@z?hswGAaSU9_t>Yzw7xHYf++{C$-E zo~KEYUH4lh*^z&^;2ptx0OUS?U8R)fd%B6{FEm73(jcu-B?;B{zuqpt(WPa7SB8-N zN0_`dAhIse4V1buUWU(c5)n;z_{3;as78D~9*gKJW%jG8d|-_BG09o&=i-qdq7!rS zjojV3O%Dfo0$V;APhhks;|V6(lko&o>dAP5wb03Uf)(M(c!Hy^lko&QFe*HwjH%y} zsj{Q_NT#4%oKo*P@914{NkEzB<+%!1%{AZC(n+*=iMDHEkxBF%zQ(_!g^ZKodGGP= zM{;W6caG%L!rL6lsfCX@l2Z#SKax`m(>{{ZpVM-X>Hc0$X5RoQOLbo`({IV+ES~>} zHmvmAZT!@%Yqdjsw=dvw;kM=z@mWd3%c%LDJr+aF5uQYh`berpX%aEaqs34Q+)myb zYVpR&#ZYrjCl^D_bDdm_KW(sJqFOMIwCo%{WQKiA5DpS zF(qfCbVY)TG12U9H#n#beZaZqXwWOU`<$nD0lP)Q53Km$C<%oN-ppf1&qUm18wBMt ze|=a?89i2zZ7^h46^Of}!Q(tUcxIy9-{I1;nuF0(UI03(U3+-^GV#7PU=&u_UnY+3 zIgTcv1YWqHw7Hb9z#XNud&Y=M=%CB$lu#rp6+}X33mEn#4EvhPBh+Nw>eyU5+H&AG za!ChVQ7I*un}_T;b`q|sMt1xOm$lPFo7QT|PiY1A=|uh|O*Hwg`T0zu-q&6;UD7aEc5R1W;h|k zpJBpo$p%}N61oVJ#^bv?Y%o2|(p3^ZrR?rRJ6H`4%-u!yy7e86&zBK<|26+FavLR2 zG*(WY^Dc?9lAaBGbU)ZMIHj(2%fwxqTj;DyY0S$i|}2qZ#Qn9?+B59 z%?W)zB`mj=Q(o{XVX@1M^2+5?qSM@be6j;(!_qriuiK$ZL$cn!X4gA8Z)?rBD4B-q8$90E6PB#K^R!WqpRr-HRFy+{}+U> z)RnCw1qEREWmC0sA+Mt=?Cp4xvp6UYYn+}=d^hmP_{J5s^-z|NYd<;5c6!Q8+Wb|b zFEnT*fftPVg>s>2J>aW9RJ07Hy?j1;c=`Xg>wGn1`ompU89OXM-B!NZ_w>6@B%o93 zqIxgqQ!etSOy*BJq1y=if#zEKzWk=xA^kvkKXCAC-&?G6_eH%*f1T5a<~t3IKSJ&g zbVd8$AJfII1p@i#VY7;s#gxOMQH3eNwLm-Tfb2>}CksZ^P!H!+bf-{-6FIAY#rZ(g zWgJ;hz3ld~=<2e7ovb<{yA8qgO0lOK$h4DEr!f?z#!3&pkT_~Uic>(@S zz%Bw$!sfV_wBYjP<=fLLWTaxj(E{x<3O6sS^p^wy)maFip6DFD$r}JL&{lI2UsJ<* zAtO3F+&7Dq?I6IZ>*wh0DqKCM2k)lss6j7Q0u=eXS?DBy0dI3wFhXjyZJb z?Mau^7ZcZGncNAv7&ZJXnYAGRv4i3O%S>Aq8BnN1=9YuK%-Qwh#`n&P%$8eAa4$en3|n~T?=}Y zq!LP(f>dEf@t~09pvSv7z~n3*r0EZGVX~mf6c~$v4#jt%Dt3n|Nz|a|uR2=e0{9L? z!51(Lkxm)F_G|QFH9&`hJ9-6u0#kgYPZVYqy~aqI_fqvvz#091_5SkQZD`|h*M zqD^2OpCwjdq8Uvmmowp^RE2=1GBpG+k0~O6NlXy|MQv&b;0)iJdVSNPC>Q}5wjuUR zCWzWUt2tN`Sa0wWt~Zi+2Aw|?^v&msceJQBbxtdh9zMvEBQOj4CA1(5y;ht9$c7)C zHK;EdSE$)?bTkJ=VPE#i*j<& zrIOev1Gz$x4I`=|(*gzM|L$6ZrU#VJwu8XNWur{_3PZ(9p)!wDyP=Ze^8WeONDwdL zd75M$JN*5+iq>m#o2G2@X|>^lqHT+PP#Qm&o!QHlozQGbY&1&`R%!S&PnYC6 z+T?qEWZ+G#URNU*@pJes-jE?nHAo^pIDFM+rk7bBqCAoc1^8f!l2tH|$S|3+Y!Sgr zW;-x+43_n3{!%7yJ2l79;htikJ&^0WiL6yRt}f2UV3e0U}CjDmIeU!O*kKOuYN}Kg|8zawEC2E(pE~=3I2EY!yrKAHmaO)5c$= zR*6cM$W&>sv}I#ViIvGNiPWa3s?2rOHqS9vb3Jb{Z_-aPKtzxXM!-J@fJm-(oi$DT}=!5P=@MYF+aK1_VKle3_ev;OOcz#kGlwS$ND9XP(nf|?4tScE*+oEvS z!E9CXWyfwV<|uPS+Ds%)r}-ki1p%fEQh+vFA81#ugTNo z+k}j+ihYC26u&DjK3$R$y2Sts=)W#*BR3SEZ-y;j_}#`v?x{=}TU4-;{%g>0#DPOJ z1Pdl@=mk{6m(52e4{viYaVGyF|C_F)hjga~rJ1+Xz`E>?^7779Qw^ggaN?{xYTR8E zcipc6|rbU{0#G&1dw>u5RzG!09}wntU+d-c+iJlZQ2sW8YW^^C{U({yMLDw_T* z9;Ww1e_+7#MgVnfrR|CQfWNEnB^#gR|Me&8knux103L+tj=aE)HsxCfv+pY2y;C;d z3s~jBJPba1By>IfeleZXk96Yf!BEgc@u-P+uVT`6pGL*#X;ACougUyg8Z1gxe_gI? zdgUQIyEy2XQ0LoZHs5)?EC2FK)mlZ*Jbt@ce4X8=*6J^%R%_P@a=49#>IY6K@=~M; zYyB*~PVYn5z#}nE;XOyFT(gb8XAjd9k-$MO*iszN2nQ9kPH~bv{xy9Kl^dE`D32RC zPmSD8jIH^&$+nx=-(H^VF+jCiEC`CT->zEOj~8>%8eFDt`m1r0ke4P(HE~2<&^=*F zH!z+*P82+2QHap3wvx)L+59*0+f|T;{^fD~fphVNtbbEL-ssJ|FmNyE1356ImgS4y z{L*v15BYEOhbzbrtgKy=A9oLafNa*}C)jIz4j>&BehkM4Rd%6hO9R0~Gy`2%!A@#S zuGH5^^)>$y?ku|fqo{{QeGMyp#gR3p)Rg{9SD)ysH+$-9;Wg68;Em&!>vPUo*mTzM z_FjzzP~~j&V?JGe{UM^nmB%O4E%DC-=e)W|`<+FPq@-CjwRR~?J(tzUK(&g$ z&&5ocdgoSr*R#ZUzIS)}Xk&S(uQ_?rFY!>$H`O}7@C$6F6;HpvBn#5AfQlI5V6T@&u6 zaryC9-1bR=hY>GBCTJmBuZhBsZCI`$YIRvI9|!BQT*G{=$#UgHU6guFG-_ z3%DN3Rl~S0%QcMTx-6G%=ejJ{@I};PS>vIw;dxKBZ_G2P{6{zPH(D+|&VjFf&`Le; z|F?9fYfoNOu29-p>cRI@5;5_;pz$S*_;4d>r}SrEmfNd`)nX@NlOePg3O`SS>&874 z8C;LJ9OP?tr}kUcB)=duSmmWIufGjGcv0*fmRFo^ ztv0WI;yWGHp!EAJuiop6F`rwX4SLj6e@w4>a!j55q?Ngg@?v+(*}3l#%uVqEjx|G) z;EN|)!r5@dQ6PSMojhdYz_%g?rOIy;94Bk@8#Rmkl5<~&-xgjPwfVg|8pEjG!5$2M z+F{tBCBZYwW2^W}HvC0_qCybC&S*uZIyAjQlgl$!Z*z7Pc*`cvJI|(3Y*gXRB{wv|21X%OB6x@Zl|C%@|>8;1JB@6Py@Ma20?Y zM@@IotENMCCr%87z_dH?E%a|!S^CmQaz7(BRSLE04n$$(wJE_YZ3@+^iK^irY$qm^ z(f|?lEB#D(5od>Z-rjbIB%;~Z8O>lxIG5DG*|Es#ZaR97ne|qaW3OPBAC_PAVzDm2 zQFC{M>zX2Zj!{9U`WzQW_@MlvE8zo=aA)&lsdRnuJ*mSkv;Q4zcn`wtF{D?o9}dFq zF+^9V91g*3`_O{meNQL;w?QTklF1Kk{Y^Q+(4jX2?|b?y#gH0AGlsT)M5ljfhLlk> z?N7ceXZK=st+K(e?k+RGho1dIZ&f7wluxNX^B%0ib^zuh#eCZC7-J8U%pR8gBaA&t zT2_nsFm>udb`7~yRoOCEDST#Bi_7cFPNUz65@*&Jd}*ZGj9`cNMtBGCMtIsIKI2)k zCcXAX6gQd5VU^oow45?apeCnrT-pu~z$xQhtUac?cE&+Qwa?rn)gIM~O>_WWk0Gn+ zQye$n*>ld}&aUN*b(GcR%qw!n*c^#Q_oA%%H91q;g)6sQb!E?ukatqrGHvFh^t4{R<1@2%Qkv;~Q>UK3 zH_R#SV7-YGv%O)z-hlja2c8?#{bR5GpqQ`&&yMLHW7;2|bHVy`T(CZRpR7j2-{>#O zs%+dTwNIg!uhJctiRLh-D9^l=?;GnuPa{=7x8l%GTIHMvG;^-kX3mlOF_*5_oV6(N zB9b-c@v8bk{aFb(^k9P?)IzTgYnSmGno<;J)$c#I+J4-mhEmTCbDY|foxr2nL2tlP z(mqFe6Q4oOfM4ly4AbS>(^c{Et{ZrxoAl>y78#zZH*AoI&mV@Zp6|L~fGTR+MOD1( zFt0Rpuz984NHw%<`TQbn*u0=)$CWU{9Te=2khpSuwj!? z`}NrL2sVqk3~ZP@@ao8z3^|#yvx0fa3&hY$lxc*%3KH5c{z|bp}2>EzY;Z}?&zXd!qX0%enDU6-uJoHp> zwcJu3tR)b`Sqr){tC zr|jj0=nln~>uyK#@3&PZmuC4iMM@@v=jSdzZPxS1!jveyM@@F<1!08$&gu}WHwDO_xL#bsuDIE zWd19Aq`qA_P>fjks*$UI{7S1<8`Tz|>$wzIl1kJC(t7QEC}ASo|V zeO|yGSzKlN?3Z5U0hiR@Fk_=F-Giug&0Q@j=vIeIQ^EO}&To-GL)?lfI%R+&qM0+G zu4@oJ$fQ*d!ydBJYq4oQYiLAK{lfeyU~z$$nBwd+U!zk{K{FeQa=-PDZ60X($N4#H z@_!6_0o|b$Y44*&(E-~nv))I<@-6I)mvg)1uMfyNqwQwWv!}pti zs(fcym1y}gOaM}cFIV!_`BalH!;~3@dwmhhB-~;!@Xn9k|mZ1o}AXUW% zmR#YXF}gIU!Hjxl+#7$05;uQmEQig8o5Su=8*V(78&vA4&LN$4vnR)QPj7PD*YHwn z**mZYL&Kh_vs%mEVK?QRJu9EJmaW4ck~SqP>|NJd?hboa!ra-9-C+;ByWG`qWNUdm z?7@lQk@sh7c|5GqmGfB3t*vFxu%=ASA>4Ix+fVReH)>5;l$5dDvCNi5A(%X@g{Wgv ziC*qxuFK?MO~ths+T3C!$3H7=_q7@)6D@y7S-my+JM1QlVgwRRDZK+*NZV>Bbxb53 ze}^@ZwEP*{NIL!w>t9*(SK8>m;|)s3*D=J()_BwLby(wVTV$z*^`>L*u+|&Hp8e<@ z)_g0mXScEI*gLG{R$Ad7dlb1-1P@~e8<&5owKr(FtYHmX6sf9V6KlDwVG|p3X=NE}xvOCr*X0h|$6D@c zC|+ak>R8EICTpnQeVMc$$r`q@Et54oo?2FG*v)&h%3IG`R%`4WZ=fe@*wFR^YGFxh znXF++*Q%08c|+Msi3Hy@OzV1lQwDZj#%mbc=CW&Ja_hLO6Z&0?J2ntp%iS^Uqe@t~ zWff9_v!Y!W{%SkoIeX=&!!ElG6>xj=6%gOWe$^8%U`Pa#}$5)~QF6uyvG8$ZR5U?K-;!+;383y zhuMMy0VZP#ayxsNG9UpO)qnK|v-@S153s$QJ$#)K7+_4-7@cpk=NG9k za)1dCFs^Hm-uLIp{6*!$Z@<3m!ZgA9x@=T_-U2_DtNHiEa`kPuMH{rZn5?FMPk#I? zF6Z~Z>^AFwW>*)Y_c*Aubk=4==09QYwUB#MSDdH2YlyIGsF< zr+C1Goy#J=*r)!{0hDp>(LT9&O4-N2KYL4e`Qa93CtY@Hxq!tTBYdqK{_3l5; zo}Z`7e-l_h@Kib4+Y8Z}|G1jW$y^>AB)A~GNSBONTmE1J2+Z;CwE)56KFMKt9)|Jm z;GMZ)C$7p^*A0Yy`tb`{uGS8WZio(Wuz|6VV*@O*VIj zjnNI!7PvOIZE4Pdd0J>rFpj)H>(;}YOQJD1=pJb7;l>d+V;-Kdh?y~Dlcmj3$5D#7 zw6U(^eV~83lhs6wr}y9Hi^s*+AG8wcXNxI8ieq$@cpcXXcUrEWZRqVcsaz)iEz&*e z<%hJQo?c3gGqMp^AY1d}<4g)f>GuZXKVJMfoi}b~^RKF;XjVR8W3l+IADzoT z;-3g$Wbi4p6kRBE0sz=~Hz3#*){Z`!HyPX9`P16Qx&UY&CFj5`j22)C0pk{l6NJ9g6G zo-Uc0i#0QMK&tt?$)DDqGGHkexCy0Hd>D;y)L@<)N^PR)`vItBeGYfTboa-&$H>H% z$e!hI4PpL`OaRnBdIalfjx$d%K3FVKLz>yoe=kgCveBR2jI&I5C z_P+^4Ab^E)`fg+7X8E|B+&@mwN1v`sZ49>Eo;0v^t<)6(I17!3o-{*#>kq|exu!q< zTL2tD{lnz>`G*)xrP)`WmCxUvrvKI=LbvhFWRay%!5Kai)BWkCO)_(2jUo zC@#M&Dp|+3gg~biXr;IEctZ8o)$m*gUYx0~E_wrD+ZiCRDK)bH_*)r z^wX$KHPmp(gV{0|p)+rLxtKgiqgfS4`JT_+d3r~;oxm?&iPaFHMDzP0w~oeh>qtC% z?H0HKRidxQBj7@;1ZPiQCQ@7fl@-b+u2c$8Wl5_EFV3!~tEK$vPKs*SkSJQ23mudm zee^n4h@C~_S)SmhFE3?>Lk`ku0T$B&!VA&5zn?zJv-@hX6pe6(RhaO8T%n0O*UW@#(v008)sMoc|YW%@f;qFXB4x$7jg{i_U(lnfm^_I z2c2DBUh1004yu;BZYs{j`mb^q*5Tkng2R^|_uukh4%w%{;^FmCYklBSfus9xv;P>v zpbN4T<{w5lebg(J4EyEp+3NnA`274`J2eskn2;t2P3Xs025_5eb(ljFJkIDU1$mw|&pI^RwDaF1dD4-y}5?lPS+G*3o zQ2p- z$@4ezTDIw~-I{>1-xVo}3TM-wH@7fgO=)4o-{<4$_topNe7U!QM0Qva@{i@@X)4#~ zAAd{<<^n_Jc%%r;@N)6IoK07g<&T2K(Bt&LwZd@m_jLIpPvuV{=!VW%ix8uE8!XZQ zihmA!7vg^LFum79pyZ`Wgyt_(IXb`39v|)}E8z#OBhCh+!8m9}Kj{&X*FmlF-uLI} za^-g$SF_brT&%~v;EB-TZl#^WHGo7BDBaoQNkwF&YVT?KFq>#&GMe66=z%eFJCiJl z+c#g){Ixoo2D9QdGsLM<9SsZ4shC+d4!Ck-Q6G zs2`G~3l_!b^;vHAo)O(&15 zZ-gYswrJJmZKL3vYL3)P-kfO2)73X@8+2ALxU#KLXZ3A6d(iFdLASdH-R>TA(J_#1 zTbpiE{tq0h2HnP`{Ato~#s3&A=IZr}cv-y8AO1)7pVV~R#YK^X*Qw1kd6eef%WC=h zG@Y+XyFea8=t7&IbJ^%#erz-&qAk!1s_j6wb)&mpqpUM?fPN1hqV6smiSKD!x-Qbx zigXnEzBpTV!1q3ke$oS>A}c$6a0yP3qSyk+_WI^1!BVk#pl^$@D4pGe{K}?55bGCd3!Taoy8*ReTC6a*gbr-MMS2HX_Shkc zJpJJIpz^#!EurpI%O%iHs28yNORVpw7w|$vwPZ&q_O;8!3%DgJWr*k}lp)p9i9&r# zPXEb)&`O_&)%6`M@m|Qy3f+>qjiE;fdY`hj;_2rzW_JjxB~+Z<)^93uRc+pSX-HUm z%<&_wGV&5ur34W{l-Jn$UBbf(J8P+*8hBDwEkoDSi$lVxF|uWo6JEKx_1r=~T-Gum zT5@MWX~yZTN3X@3^sxY5oNmclfrN$QwOMPIuyDK% zJEzq0?!YO%LoN9k^@(Ze7@YC+Lj+?6bE1R5a>z3SspKRGNmq_K`0$lRiSz z_q&Y$E%x<}H`x*d3gr^7pOtA!> z)mnU-tLUJY$s+-R#!JaX;=4CQQxN@;iZN&kqU*s7&5cYf#IUKx&lk2~-%? ze0rY-lnfU0StX!igT%~E6orHiM7Q=C_vNecO-p9P0#9!;#17|g3Ov2PDTb+cb7kug zx(g-5&6O?L6l`qk)qTgW?hx(C8yH?xLuSgPya&chF+_Wi1`IF75Nu2LH|j3d)!(JW zIJzr6QRv;YvL$0BxlRy@@pAU{>vSn@7OyLnAV3poy#-{XOs*!X6O7K4EeYc(Vpgyh zdfLkl*%C)}r(!kwot3HxY0(V~FP#xuESW(0#?l!vW^5S@OJ~d(;<4V-C|fcjCY6Uz zD36#ErjQb*n9*3EC8HtSz|)?w<4tZt;MpW-a^4}8<5n4VHzSpQ;HPa^F#*TLRs_DA z!v#sm!*M4@dIA$PfgSo9GTvmM0!}(&8WQGYBGri21rTp?Pl1-i-kPwMKtyrN>>;ux zF+wdy>ChvD!u->g9;Gi^%r+d!10&IrIT}Y^LbYT@NYW(sg%-0QBht!hG3PwllAy`D z=t!C(cO!|Y{l;7~0&i4R@ETthFcnN4UQL5?qPU8afc=p-cQ`2!G-q|cW9ZRXBhbrg`&wAn}MUhsgf-@ z=TR6?+%kSV*^;8k8h#{A&hVpYGKQb!38l-dJ+;M^UUg#4t(PP$l+ONdCU(CW!`<0mYi_r$Q+%YFvTkhBk24AJ6G-r?5w5{>j zTL#}#3-t13@i|dFH(t} zJ^1ByV=aEU7`m`Y*#hXDS9*s}w`A^B<-wLP3;XOboNNj7$okTNFb4WSWvrVL)*VWQ zvTjN-%$?jQKQc_5nYYwW3@mdbC+55I>FV7aF3L@vn%$r&bBdQnrG92yRDn1PMIz3q zE-E8}PYEun!kb6E5W~xbOoNt;?GXlqCF`Or#hLZ2k0O>WIp<19c}&T_J$&%TCz732{E<-b3h2FZOui|9l7vQ zEg4AwEjdYWiGz^KMv%}gIY}TM3CNb50;F3qk`TIt_sR_zPcPk)i(2u*^3(ZEOHLI< z0TFuQ!l;!jwjr>IZE#_{N9t?zh?T%aD1-sw4s*E(1<;bct0O$XZp7XNc!aKq*t25%c zQNo%_#66$O-KNtmQNE>2pAt7`E~-qH2L%&B4sMe%TToNZtK@|N)s$5!M6{UOWK{~; zl9i*-C)PLfMkj4bD9;u%HPWCYM6kt~5mYdm+hQ)>z$pCh$Vz> zy)%~w=;0G$9G?B8nfUwEX>Az&3g=n`fql&ZCPnY;fqSx(u z3P74@3Qcng5pp8X6kKBp3Cw0iQivQ23h1y(Qi!c6fX$Pp5E2w%D0#L5^g7>5*q~Ih zCHp9qIK+7{fIIU&6Tw3sJpUPl3d@@f@RC)u; zL#cAJ-G(?9d0fyrXvt{duw3hW+mg}3bW6@ekD`R&mXDbW2%22XoNP(RJr^@4TN3lh z#mvc;gxvvS=CYQ=KE-7NkjsS{A=XF_sS#q&)*&@Qj3mgG)CjSsa>8}yF)=j2VdpVn zGQeTy!H9~~!Xi%e9-lOe@IQEce9)BaM#SOChd0)Ws7oB^efGk-NnTR2xjkW9{?)Hu z@O_uPNh7vIA703&1590O`S6-DbEfJg$w%24ZgVI1Sl<*TD#$is!p8_JZ>^i^R}Cz! zl}Us?v5suXDl_7+=yRC@JR%vXN_kTA5an}se<9`N_5&tNj&2z;Vno_0e#meu)e6y) zOG8DE5IUf~d`V3*Qi{+K_44CtdjAbI27WOQ?NdmWGkpPFE}vSQ1Qc0#yOcF0sWOXQGECeN`RvIAam*br5X)eY z*WyT=rhIh8v}sE$1C%U(-BzEaRJH~BZPS*b3yhe}@*~=|xc!c_y8ITm-;rjQ&svy;0JzX_7J$p1AeCSW@PPv0GA6J9 zTvT`H`XWnJLI7~#+bjTM6ia|eTwPx4TXRp4W$ReTG4HY|@wpevi=bJmnj^5es2$yrm% z$H2Txp3<-5eE2XqYf5DH@H?D4g$(oc;iKlPDUs39XVZH&Nqd~l@7W~Han7YDn^J}` zcLy$QY9e^b=bm3ls$^3GXFoB*?4u-?h>Z8yM@e)`*1=1>toIF`7E$KE!P6qj`Zsu5 zM7%lo`(UxIn-boQK3J^lri2lWe4p#4decAPQq%@i+;{+=CFKs+K<}Fi98Qy}wnS4d z{L1o~X#jn=8$jb%x?D|-Y4%JvXVBmsVE|t!Z2*nm{RS>~Ag6=h0?zR)_Y?hk3^>QL zY^hfQ0eUvl8Fd=IL)=3I@M%M)c=VfY5b`RESQcE0OOHy-5ioBBridus!KR2R7nu?z z-Up&7b8n({1j6ALgp5&(+VX))A?0Wc_)sO#7K`wdjsgxMJXBLU&?$hg67r^mSj60I zZbDo}1TZK(zX8#2fdLZ~o;D>`I+HAIN?Qs6ci@&rGBLi)F?$M{!c);*jlBpSlJ4yH zB6wiBtFad`X{4<8BF5lX!a|&j0wx8`v~IqIfXPrZt($NmU=r9&>t-+rnCRbW-4q4^ z3Lm(>6it_i>5$9R#Hcb())TtiO^sawo6zNMZ|t)Fgf8}SO)WFxgy@}je!?TN%Z129 zTQ}A37a@EUoZkcJeIudAc`0O5y_FVvoR>m2B^XAj<5T%0VsSzr(99YV%)*CDS#&=! zFWf^QdD3!Q`liq)p5HYRzJicTm zT%idsCSKu0Tu}*+%G44e)sPKPOgtcte0Igegl{?Gaw7x*5!(_4JW(P)N5mJ8poSMd z!_Qh0LKHBEM%j{>7_MN2Y^hf&5qp}CiRu11JTZ7lfG0~QJLkxLlj0eaw z8=^t;ocLTCN?)H;zUgok2E9-pzt+T6s1{6<)c@>O}3Qiht9j?G-;OO;s(_w4o5-nTu@0eyr!)siWX}Hhq9jNpc=+D4+{-f`T$wY$!19 zB|U}6h63Y-(o=}dDflo~UzI{;5<2=P#(D}c^Oe32fz&4!6zZ(F$VQfY8(p+raW;K` z6(Xpa4lJbAXPzYz6asS!0n8Xl$dd0_j8ecnydo%AXug1R8S6&L_k0@)c5Av*gMz(o zjr_oBlK^!qy0wJh%h}eL53@LLJ>2S@ofYz2rwWeSo<`Da$yq z*rx+n_>`nzGfK?EIju$JJ2v|?bE`<$8aDHQUbN8^EG*-Id3>cGCEsS0nAceZ1sl!B zJU-If-l2`n$2?Bb_rYohf=_<*y497#WI=(cJ*GcD1pbW$2`2Z6jzrvyTq_dxy@>qS zMsF}RoCpdwtC~rqM+}o^GfYfLB!Wa}MZ(S+NY_MSb<$#ro9Na=XmzFznfqH^ALOdD z*ylnfn3+1Yi!(1AeE5&(b~``WP_wu8LpQYP595Ej$5SjV#xNqaEpe6X+tBPJt>e#5Z2EsB_oBYL57 ztti+Fm84*^xVcwE+MPSLIj}~S2m73a&0#NM3KS3|toA!5A1Yy{*{pA-hJl`fjT0y0 zvN`DX?8vpEP{UmpSuF`J!Gqqku`x9xE)fK&p*%YcWoI>aZb$O;5?WlzM>V`rvLlXl zN0_|5G#yKo4&RFr>M(LG+#wN@+(Jje3q6|^!c-Y1DA-scHH?2r!A4VYFIIFEVw-T4 zh)MTBP_VH%VOkK9g3apVGW$|)oW|9iYbCTyi4gtrb8JMaU&C|mT5TNtS|?VULvh5E zPd)&Nn5naT5E3$Z8^8YyGDE^}nbaIF)&c3rNvu*5Y_ z&)Ri+CUB0yN#4QaJ%g^FYx76-JhRSwDfJhE zyjkxF2F$vT8Q@ZODF(Xw;rEyaNQ%Ce^S+Bpq1+C7&-V?YU_#$T=>u=?EQDQ#4O`(}7xB4&+4=V_SO~yIv&Y%}VlFP9CSRvNOVs;cN{!P_IB)}OJxrcg z(|gfs-85X!bw({QlHZ9Bi#{4^o3ECO$H(cC00$nf4Ak3zngB+OxvqXdG{n{G z)DMV;IQhN$0nrd=xmQ0R8sc>J>IYQA^-(p*kE)3S(;Q`B;;i$jeJ7q4t8dfgm&IiH z@DqU#d`hF)rBJ^RpB`7siI5+kyN;s{ykfNwYoX!ix0!W8ZJ1dX90w)VwI(ZV5xKy= zE>nAb)2N{ubzjwj`!<=+r;mjeil`pg7yUZ?fB*eWCbAsG36HlN*#-y7KEd(+JvrV^FPnkUv4I|hkuLFbUBkcL5V#ce}z!#_JQeUlaaPrH{oVO$5wP)w$v}p z*=kDdo=Yn{I@e-LejxunpWd&8v}nUoMR!rm0jF}#NU*oK1eLAYjex;mPgg4DHW9);&Jh{RQEjrO@Dix%vVwecc(A2uk#mi z_TiUbfB8vVtsY7k`GEr60{+%jo(YF&2;?noSawV_kuPEL^zu6YDteD{FO@?zyMK{0 z^2^UvzFPogIJy5*?mD79eSF+))dsCDrcaNvuisW1PlzH~a%FTtdv!9o|2BJ8950_2 z%ha*5+q?^!|7-Rz+0OKA`l2D<1MS;ODVeL~bV`%&WmD!Oe_eZ($aDJb>|wePoyqg+ zbvf08pac#QBsKy;mY6Xo$R(#hnynn=9-*Lz1;+h}Hiuxxdofs98enlYzHR)zm_Jn1 zD zXR!^{LkMWp%Y85Mf3+vHC;xo;@gj!uDEYWZLo-O8*W}`yoE$R{;ix4iM@bHn+S8`x zdjgtHzi-{G+u8K*`-wc~e0+IcPJalmk_%NsZtcNxt;uy~UuUvka`YG~t`m22YbZh$ z=&8Z$t3F9evOiphT({j_iv=>gw4{a|N#uFCP>WIgL-YsYMeaKC7t87WboQ5A|2EW_ z#j2-1nylo&wmaq|y|`6-9b_LWt4faWayoe`T3grSQOAb3?Px>d!`78(U)Yeh)wk(~ zlY`Mmo_m`9c_NQkdKNg^LD0_+J`TEg)6yPHzRvE)N?nM~@PiXMqLKZCB^tT4=X-qH zOmZct{&9Z2kSpx`X8I(Jcvi}bgl%WKC6`e;#+jorQ(5xt!RnGCQE&p+6TO`-C8giH zgWYe;X~yV!lI*CY*}ZKy#ujwYJu@?)c`s9nLISZ=`|jH*t0M6?P*z3qZ=tLT^iQs= z60g4XeLH)RM&msN6M-c|WGTiw`y{E>e0ze;Uos1=LkY8`qv*e?nf%Zl--hC9w&HZ5 z7d!bD*YDUOQSobHtby$wNI@zD`1Kc>(S^fv@;6`qb@`CX5OV6Y)*yI=1RY#YyExFHCFEsO~o z%we=4XnT;-5j2>?cta4}Q5h37n8Rd4&~}&FA=ojV!{&ydoySQ}&|nT*8-n27lrcer zIc#qT+PW@u1P$h}vmt1E3f>{uHJ-!nh9HO-GA3v+hrJC!JFk|WpursWHw3}cH)Dd_ z9Jagb&?eWj-h1o&QJAhZjXZ>X&FP%k4w~gIpz}l(-$fOOwfM?pCk;Lgfg^XotJMMe z%%P!R-GlVQN$FF&Zu!>TvcnIKi|-y=uH2)~yL;p*a6@Z+tz21-TXZ<8HiH=-hOEg5 z7rh0?&^=rHBMEtdz>zy}tVL9ya609=C3>8dyTw0_^4#DbOL=Yy9DUx8q&&Cyr&OL> zswY*RTe2rqo)-Sc3Q-IHqmCToN+QVt|Kpa7vH#JeSBCyaCN3dyOwI(G_vEgE|g6kH%9odq!iXADD)ZYxJzrk@}dh)ize_-;qQg&GK{C(`<$y9k-P_Gd@YDq^KXQ5Uh2{)8oJ6R}bvs^T1;(l`gTzM7@)Z7AD{mrmJT1NqM1OOK$QYjn?RMrFHWmamE)3s1I=g^sd9MoR>3M2yKN^} zr9%d*6v)}cRg~>Ei@1snMZ35Pjit!PRcvV4-6I{##A5Dsn?|RVre@z}-Etb~telO_ zq_axiz`=D?@^9OF1Mk~W$-iyy4LpO#ByZrmJtBD%*X}XNzpdz*c!iHi-oR;mO!5Za z<71LH@FE|cywzpgG0DHl!n3-`J0|%zS@%}AfX5{NCThp(y6}kP-)76Px@$Zp`L~_> zx7l*6E-a5p{*+q|O4pR#9kE9x&vjue^sP|8*m+2DPvn+Z1ENfJ8K7qeh{MAbU=$E7 zSyrM@*D`_Gi{;SD??r1okQ4OvX*yq>-%KYjFVm+lk3U3bwR}{GKW_9F&q)wt0g>Mm z?eK;ozu#?_hi7Wj9gLT=uhXY(u7*n5$#rU8B3FYH*7?h~37IUR<$~t_eEoB=lcVBt z{_u-RR8h%O(eePyI!6b|gAW?_{+ceQ-^J+1%WC?hIJnGFcjjrh%8Tvs}EqtR|0tsw9r;I-$LsJ$#)KKtMdCWZjF)^N*Bn-GTs*@#V*k zZw3N1(??GXTAd!z5a{QdRyW(eh^F90&4*#9cSke>?_zF1GvL|o&Tc=7+sh%*60E+~ z{q*{>BQ9oNCtqeO(NlR{=hGDh^s@OVvo#VZ0#@KCr%h`x%&ikC3q*4u(-$|?(7;?< z7azoM^r0m?FuK+@_t2b-MwbIuj9Md+rAF2Yt_#;RZtneiC0aQ<(vT3Cj7N0$h$-S^$&= zPTe@(FG|Z1<$e3Gm`{KFJ$-x>m#xljGnDUb^yBII+hYDhTur`|#NRf}YFoM-&3lTb%h9~2Xol!?EC;9)hJOD%`%6$7DwIl3+P?GY z@?|9_mdd@@LTA%-FvLYDnvU-X-)ksK-uDL|{*&VV-y8oAarv?Rs@<{+(3?@r6CfzG z1CYz&OJ1MEc(GJou!-=*SPt~CF&f2Uu@t?{KYn|iJczNIe(0uP)yyzC!!Fzu_ZkZY zeYCM?jXNI)qLmK7roT*2QL5;c)PhfwubJ?zT`WITa#nRHSewa$!C@r>RN0WdUBLN+$VzjG=gD#+%}q=M+6y@mr$Ph)qVhQz zp!~HRkEpOt4(V-pG=cPvry9HysD|EFHE>GM3sC{3%e%YQSae#~jZG~(3D>w3PM|8< zY5`-UYsTM{`&wd*)Ro5l>r(BRly>obv<5qim&t1S-*UmIv!7y;1PYEfoxw4ubFh+^RavWPiC_50e#K4K6DEo#F-}3aoKG4%e%P3sZF|T=|1K zxFM?5sBq;E*0}C=;_h(|wWo1hb}GuAn$}rJCklw8yuZUGjJ~uUXX)Fmf);>d*K$`l5g7wnzEx}nq36d>%(+WI7?yeME{z5XmW_(!2mYPv`;w=2d5f|h0m!B{(PAcUu z#9D5GeTi{WDu1zq9%LgYiFg>8(>C%KB1-oWDM(_^UT~8i74&_w?~rjDK(w;~m=Y6d zGM({2Xl*zzxX_L5zUZnG9SW-eLNA=)(^jLCk^f1nhj_6|xR zuhX)$)+eYWU}gFc{D`yeouVaL_xIDsX%_XaNnEgHm1nD91bO?)JZl!oUu?~ny%mYi zE@(dzesrkbvG!Ax*-uvoQOc}A6%`Gty~h$g6UfOm4@eF@>dDAOssHvsY6@1iPst^Y zNSw8#I0obfuaB!)<7Tl~LCQ^5Mw^jnTFIyx<(S=o;^GEG7)ri4ORO|=%x*w&wgFw` z=PpySdTQ)G5NCS#3h7-%ZHJbWxTg3n|9E;5{Z9LW=qjsS<4n6|#9czFcKTYGTV}Lb zjT;v=uK6Sr)Y#GX14C*&F;?BiMRmKcAhGH;&eZJ{)PEXD@?t4TUW_G))xL42eRJw2 z^JptcEk;FF&+6iO>|_VW^d;LR3UQP8jE7f?@0#Pc_u&6_wp^(&C6>hcin*B^elg6a zW=&R{4eu_ejU@4%r+d9g7q|BqN5g)0?T1o|6^?OiI`H^)btlv>)(+b|WQmBr-#{MZ zexHIahZA^F6X|>NaDorB$CvwWDuC~@AIeRkecm08#BjOzWA^3sMLX?UeiBp~%qG0y z@p-y@n#||_xSc+(l(X_G{pHoIIP-7M!`q+!rx?$kruU17skoU=9wh7ORg*cZP3Vr= zht*3l9__LzR1D)c_3Yv$J0IEd%G{>!JFMNqjVcOWwBR%gD4V4*WOp4mQrA>z=$17< zXcIN(XY@g|ZaV71?Dc&6ch?CD|B}=E@k8sTtNwl68`GgUI!=8Dnr;VJI)|EL-$9kt z4#4S$gNdULD+eBC;r!+ObTD?q<{`rF84ej`Hab5c63t5mQSzWTPIS2SHk9e zcGTr_YjpWB5NEwncYTvE%C_3A4U)0P@#jbRGvsFHAmNMR?Do#{yuUni!rem>ZVYC6 zi;EzAn60-4>E3~QJ?z{yy})L?VP<@5%67f(A85d9&~7=0>$jDFx8eg4zUmA-&#|GL z9FTJL=~abpGcR1~yU?X;PB-{IavGPT?sfWo{v_Lmjl&pLBX7{?xz>z?Zn91zcaRWy zaW?)YPtfXpHcPsUyhUGFInDAlD)^W?4@L|?vPB@?_11joUeJds;-tfR5RxCuk_ny@#R6C{ttiQw_IMl^x%OH-%bu zE*8tl(?Sfd?xdYC`mby8B3an@PHm{$D^X?6UN$bBEX;X0d3l-rr3U0&>AuZjl4D?d z%H{S{-GR1sod#9=zME=X_0E3lG3H2bjNPPZPg63HeBQ*PRkkue3zp;-kHJ>{Fl{h$5C@_xF0 z@Ot}8(-A6-$9aG9{rq+@lV7FD8Ex3G9)K+y-T~RL-X*qdL;(GDId&JLY9@iWu$N{vu0&5xtID`-RD*hhBkz)muiXd?jg{Ivi0gjUFJ@oS`Mri zChWT@3tRyp z8tg~i(9d&;cWQ{5{8XA=kB>8D4|(55|7@u>y0(ru(n*lZSiqh4HKcoY4b@DzLmM*q za*HIBNHU@~9G>?&HsoNSJ5A0Fgl9#jUa#Cl_;q^4++|YayimBKGdJplq4Sft88tkg zGt+jcTKh&as&P&=sz z1VuIUN-`XH-g%I4j<+4k*1Ks&+0XmC2jzO}HVj3u$GQ#c&F_Y4J*h&;CIQtb6v-Za zWnw2ts!2|@USF9g7>a6~Y$VECQ~d|Mn{u}^a%osNzwySXeo!}%E?mEsDYyX{$u}b> z&VHZ1yiC8RsT$KvjbixW@(NsRXjsAV`R1%#&gavYH1EG?4aCjl;ePTAZOkewIAFgX zE3eD6Jb@h}394OHkCE~1Nc85)S-Ui1#_Plz6Op@XGi65F#iA?EI}4TAy*oI+ZAMNb z$TB&x{B$=3xY=t_Gk#L9>2mS1c*u?gVmbXwxWAD5$C{I1oeQ}h&EU5UZKL>`J<97rC@T->YQB{qz3 zSLAy!BF@zFfyJxJ={FLi+1L5xaW?---nHo%JdC{P86D<5Gs68d`UAL z-7Zw|tyb&GCHq{tUh~*ES~JFUvC>mESX#r7&$yI~M{4qvXJZ=9zRNA{!|=PZKPIZG z*Rxu#c3kmxr4d)ewe3`Vu)Vm|@yKer{dhbCi-(!q;p6LavSrNr@?XaptNdzlwl`w| zua&JBlT6jSn%A(_JdD7V#>~Iid(dDJhl41QkFP6JEwZ^K?id*DMr>W(ML`tw$Vi(i zW$$2=-N=o2%0+V=Btf^JEY0EZ+8lPBu>}K+Z`6W;jXfTa_PB;V`)=wO^jpp*f+Xr6 zoW4t07!lXksP@al2-M9`xT7xBZhcq{JNb}AXi73HxeYF7@|f;M^7oXpDFVTX3Z^&G zw}WXH)F>tEQTpGkhbh?vG5MWM9!pT-$()`zJ8ONNJx=GVpG41# z``oX;M!qYi^ZVtG=X8v|fW58C&!MD8oTWefyqwBOdwKoxlGd$}xMIFg4~C|P# ze%O)P#)(DjK5RTvcZuiCso;bv>6UxANm8WAXEPeoy!ByDTF#F-VgFEsuR4Pupq~n9 zNOM7l#-wl6Xxq>|&@|uL&N3G-YBkuT$5TVNb;zMMnB>rnH;V5-J8Q2qx@fpJeyiJQ z3gS1OG)BEY{ zFVK^mc9N`L*TkGBpQb&2d7V$5W}-j5XsH5DS(2C5qqIgQVzg2j;=YR!Wk&0nVT5d7 zW_*H~m`i@Eej$a6P9bZN@JC_gUGE0l?VZW3QkR4L0baI?N>kf)8o^Lp-wvkhAHbJ^ zdS02#Plw?(v1OIZWYkPE88z35-85N-t!6Q3YDR|1QdOG;%`_(FW7C2ccJ0T>{hv>1 z(dn+#gkR_KKlgvC#78=;b{loF{lBz@FZ=Ux)OB0p@@4TjSxq0(9%dn*I!Nra=`0uX zAKyPdO}|dkS3qZZ6zk21ijC;X|9^ltgA{c2xNzK}hMR(hHpL9PzJIhakkCgP18s>b zcU%03t!dQ_f}?d@LRZeNasN>Hg&r58Gjvrwubyx-8SfR!cxBf;u-_Wy4)dBkXD-N? z3l7EHq4LY5%y}7e-a(iKmh@9mVT^!Bx*wS`|E}-s-jKO@F}pY z6Hd>~1M=HWA1F0IK%AwOp#NK3cY?@ErR`@CoV(G_;`fhNWM?#kc#ID25CEDAc5o=| zrqv>Q3;M`U6fjS(%hU@G|8WM}dC zIFXix7oNLeC{(0V=W(Wrt6@lVc*`Nzc=8bVmmF6uUJOhgUv6V*Jntf_JWy(BVD$L+ z%_LMS!D&xkrlUJ?Ho7|>-~B`(Ws@P>I3_L{3SFF~-?SSeiV}*QY~6&O>xsniesSH& zm#^abvLg{YH{I4n6qf^bw}=}-iZ`z&0q-1@!rz7b!TFc-ui|$pcaO?nQBdf5cADt< zvfq(kH(HLXYwE&XaBz8jnNnZsPY9+w z!jT&St)qn&XN8Y{)xLj*^nhyElODWFQu6FI#&-iL?dOuUFH+veccQD3JExDkTjKMF z9}mmPzX@z$?z7l!hz*_D5<75m-1GH9ZH&d|!9=R0$43%!J@i4Icsqf2{VW-IUX5=f z`QMp6PY_vDm25@2VY{<1Ie{wPVI#FlXtB(WGQ(VlaE4ZNb zyr9GYhP=3Y@e;)C+^rCxMQ*^$ueV8K(7N;4S@HcQ?6v$}q()epL;iO9xVWFKerSwZw)11oLTIKGkpd108YKm! z#^Caj!HSvw#o2hJQ^<}MvuG4&dnv27{X(^&x%VoSh7vqJ+>Aa9e~+7y`26vYKW6vS z&SE~F-mkXjlbk7S?<3|&C)b{&@O#eshU)AA7;ZMv8tVkfR~KMSF$U=8>lb0 zQu~k1*=gN^>J$_$6JQEg(?NJ3F`>0@XQBSgf!jso&8gIMUcH*#Hl$h@fOf4B0B#&T zFQ)Td@#fU&_`xR}T%-8+cNuU84?WUKaTGueH2V1AqeN~<8v$DTaSXR(rQPLEQf0MK z=j*f0=hkd_pXqu%kFZ>if1fzM=y$u9>EY?qc&IiGZB3~)9Ev(uaKRRC)EcpH_{f(y z;TEpT!Wnoy+SPNl7AZlm=d)XjaTXeH(~nsoN6{qR^1CV-P@1Q zrh}Rvr5{oKgX$(9vW{KvpxKc^_OIlaD=(+|8v}>WP4fHVxrviid~_;;1qNV9BIRs^ zZKbETXV&%jNv%r(R^{UGL>NH}+rP%V{{kCh18ycypcD zd~=!8%G zc_+Hl$Jg)E0;{>Vpnct8(V3H!WV)}j{pE*w6iNR(Lj#t(OKEiE`Qm(h*BD^Wl|rha zZZzoW6njpZ;Nj~seMhx(?^p2H=qFpx3AgA^#z~vo1hkx}BpAcT>34B)=emTHYsqyv z5!I3#E~odi7xiu=|F)nqkWy*^AuCkmW$ zHijx^YxRZ$P9bOVo4d_drM3OXVyUhT2b1~a>r}n3Q8A0gOvN>ss&&0pWT5Y^(-23T z8rCu}o_$q8$-_G_QV=%FlH)B{Cz0;39ymR3cdnDi-%zBG<*oYBZuACiGihWL@aBqa z8?)C!-s_swRVd$ea<|^u7V|7eq#YbJTIiI}NpGgtR2siu4@@ZO2{GZhhoIr(JN*1E zC-vXu;lSea>h*E0`u2_ilKJ8ffj_MV1Z4$x0n zW(r%&zGE}~_BvMyA%Bh2ZKnJJCZ~<#%R2IVCD)(FKc2rW7IVF*HL;ev$v_&-aDyYl zNIkiw;E-cu3m0$U+$ceK_|Bo3>a51#Jp23T_GSa@k%*QS5 z(BJtuUsNO$Xt`w5)K{~9-i*&Tb3YgT*%u?d1+Nxxl7A=y6- zGrXi5G831XS6X1~ifUgLZeiDA7v^~$dQkfrkrHQDt!wp@wGHvPciVPj_cxWTrYvia6R-gG;^e}N zlXmV+XuSaPzh7SJU6POku=AdXgMCGCe-40;;6xk%U*Qor;QAZZTl7(7 zsk!W;=SXdr+B%9|`!lkq8kV@#e{z=KvHh)BdM~3?SS0U+CBNmZon7x`l!`3vySVpZ z37@h0-H!0%`zQ*DwqQ5R+IE_rr)$gYq#db2f9va7wq2ODXwdP4PSe?K*#u_Tr>mLh zJ*w>3i}~#SMO@DBe<`)jZxUcOhrwmy`^kC7@7`rE|6d zY$6nFyoN18inEWsa&e(8@MbBl(=Q&4Sd3!%2Ct8+S>y6!DwjlaupZgwZr}q`WT3v* zHw$pHfNBO#EUH;k-wZ{R4%FBBX6TvBKz*%mhC-PJ>T5Zi_ur;+&Yu>`A6Z8Ftq1?C zGZ_9PKKEzymRuJ>68&3rhMz>9pXiGw0bouyL=rYoUyIMJ$H~LPtnBgH03cCNU$X$f z$E5#2}*@U~r$7TYBWQeJ)5z~ZcRbt$qh3ZJJlk!8=*E=Ku#JOZ9iHPf)nL2a4z zg?hCK8AC}{2I}j=0NfG-i!u=_4F6pH8LB@6Kg)lzC~#J!a4!GfKS(m`!Eo~;Do*I5 z3?_9*=SgdalLv7VIOM2l=H=j{pyqKV(x#&L9Y3i7p433EpycP(Ua?RcX$!VXLa{Ge z7sI>|0)2D1p^V2aAeIMuz&21{iw{4Zr_1qjGJi=kY>pPMt8dzDsaweE80WzO?6Y#7|Eud7?6oNDx4(28*>sfHNT}CU#SPt#Et3(2JY?Z$u&DY5!To8Ykf1A zN-7m!ReVMDp=SFLV$cHI~T1SooYGf-daSWfPKF6kVed-SkD5sJmHiH1;$yi1HC z08MTAb%j7SCGykJZ2t9eDmvdPp&V;)6c;&AUyBb5dCEs>3!W^J30?=Kk{|-8AaS&FDVw3W9D#OdoYdDJh<0e8)YtlE9%55{O*8|yqN-UU zlw~bHIlpOLb{WG({vI>$0Hi=$zcuBTJ*sK-%z{eiY~YILkV+6QLPsSOwCL0+rwG5U z!lz<&jNpfpzh;jr0{K7FAaES<<#qPBQsALTLOqVdU9eLDa6 zLFI;@{*}E7aDSl`%7%79cI{-N<{?v(0ZT-Y@qTf55!5U_JKWmra~=$L?eS4=5w0KT zWR+RMECQ~fV$2BETR}6mQ*$3QZK=v%;(~aaQc^dI#VUe8K6WjSFiW#wbOWd|82f_Tzpk!p+}29R(aB{*5HP~ zgi;rTnM!SS8fi>?L5FiUysE9nEJyAvQ*tI|yOz2SbV)7hqybeRZ)(;Xlc(&e^j9|Q zKr_~u9V3G)!0IvxeTrBnzfjJYeuR67a9F;mI1stICeW6njrHXuNH3g#Bj~M=UrWmW zYcpPF55zk`5NZxM_`F3^FkGpYM;%O&TAW2Owqc}p*A15?SL7&r3Z?!gWhj(J$R-ga z0SE%nb$~txh|Ho7-CTq@se-o!>T8k5gN#;wQ>(d1+;BCU5-%-m8}euko02zK z&IR(D-QgfIX1zDGK*Zr-wt9K}GJE;94m_OQr_Vl0=Z;o3dOl*mb$>s7yjV`2zp2p0 z^k2Qs)#Y&1Bd~xVWLT}M*4=-JmX|(~_}CkW-d~gXi}+u}=rw(VJDETHo4^KVko;Y^ z@SPg4Yk}%^P2|~#R9by>^Rx2YW!GmgR`~Wp3FGJ6#pCPKRNd8Pe-k%T^*~frmP?0o zDo>V+@}rHT<{Zg0`2Pfnx7xakY9VHS^H)yuLh7zvppFnvmm;kEUkw^ztf4 zYBYVC-7n@3ulG{KUVhe~1c-&dm8V}FkmX;dr4g?}g#hYqx?FrG<+Ow9_1;XLRJ?kX z9;$ekMJwN?Ugq6a=(*kXbdgnZCmG!Y=>vs(J@A~^QALp?RH}G|>m~mtfPex~K+Ou! zErkT^trW>GBmIknLMwLQxlx6wyDkY;v2!*%pB20~D}VG8N6}l?%7&He4oY#8!6>dX zg!@qh7Sxd_0_XLSC<5QqAu0MB52pw2yADZlbHnDi;DX{f6i?nqA3d8sB*k_smz*AY z!gNTAosF#4QlfPz_Saet-R&QeVn5!@Be3U>MDg@}JdvyxD4s~KZYiSJtpiZRJCo<^ zqI+S~A}y1RuX$@ubn$TM;R}wEFm_1B?GjM~YTFEe!&y05)0Q5%_>tKDW*Rc{R$~9_ zjvA<_GEgq6(?-G<1}bu#JA!lc+Fn5?73jOGe-Ny@QB|4N!_OtO_!+@JazCkA^)<6f z@sE<`Q--)6D=}X>n?AN~Gj}fum<_JebMu^6ZKsP5Gl)oegx6oJ?@JbQ(Ve~AFaDY? ze`tqZ%aQBh>E4&4S5=Np(`i1ig7O6eQW4xUFHGLdR zR#PFFcMrZLTPyP=JaXEi^o-G%1mb0xBn>l9g$=U7V$K-38 z3B-n_eWu8QB`coxSxqcYAD`wk<^31Uve#C_)Ov^6OVb)K)t@b=t@(=M$8}oA=Z9k= z=s1RFm?JPz!vcc)T`j{wi-;0LbSJCH^!xL4xuRW%=(?x>`hTbkpDfMSH1+KNqVv|G zYk`kX%T#?4919X#YC51rpl7rT$?;TDx6(|rB9Em<)o4FvM!;SS56i;y*trq`(=A9W6r}gn6YOk2Mh%Eo@FF}gdunLNx&Wl}rnmTaw)u4Yd&sSQe+sGpxHd%zeQc6zNq zt>MNx{&<@pxHsy2yw;{3%c0!>WwHA>Z)ERK)^Y#$i>K$wT!kLo>%&R5uwY}|fmQMN zJr$VDA$s6k-Ae-35%b%b+Fib`Z{a7X-ySfJK6J$--9^uCrjy6j^iR>c>UiZW!y70c z-CI6*f+2+ASivfd|oZnZCx-Po> z?o3y+$?nh5wRgKS5F7hP8`054_ureQ!|8JN{B63NJiesS7P}D05*|$M)!2N`tXFAU z-(8l{)OPc{UI9$_bJt8_H`F%7S)kH}zP=$#@jF4$Ux$pjN%Uf1`{iKbtlRH3!oV5d zDKoU+8jaVjX}ah^*N4jS8d+&fQ3d+OJQ z?cnj)>$qXV7yaSI?t7pvIwDr1{Yq_f;}$LPtJ&9YtGNw|y=;+AfNsykD|qXQ&!h2$Ds6DrXs55$rZ4{{fY5cU0#biK1Q)X6 zi_bT+zb4fHs%?A7L7{#5s%(RRPMX)ZL5?uK9+U0M591uTIqYJJvs+)ifslVMPjnT3 z?E~-NQQO7uEhqn3qzR-)7dNenI3X%f=5coiM)W>gn>wtaqrl>N@Gj+DQ zm2GSYpc~u$2?Pmr@E(MKg`n0VfX-)!A#m(DKn{t65HMG8MFQgQ+3K4Z--^ZS%7)mH zhYOY!ItT&ecRB!p1m+UjgFrjKuJ&S-d8a~P`nb5Ct$v8=gB?r*g<>9v21?qpAB}Er zV~<(TSpSuScO7qib8oY_H_nyz#uGMOs51UQq4!WU<)i(%u|PoxP2%^Mv>6!&6Av1>^YN&`(%c~eu0#A_lGCLlZ-9BMwds+TRBzhMaF^#MB2i z1feBz41y?1>nH@FrE)NWad%y1t}emfXY=&(+wY2zuWBw|ihoGcvhk5NEfd?r3Qaw? zq2h9!FCx~et3K-yt0}5mVj{iZHYOR??%&!<@XpsCS`ftsok>5tDqEN_#pv`S8=sEk z)`+cZS8OKJXdVmnPzWZVmplJ+H>D}zf`N;zb(*kLJY_T2vmp!ZYCE!`JNr6YO&&S& zL9{+FCNL@vkROa1sd2EeaVg3*cb#eI_m@PjUe6rjmp5 zh1Z6rxs8>s4eDG`$*gL1uE?N^27XqYo@9EjGewnJ`UyT%=t!C`{x!+Xc>-&irp9E1 z$9^rbg0*2y&0NnMfEtRHIS{p?PO+C1tva!$YrE7AMb~~V>(ec$E{iQ=O}C=8gir1k zImIB^oV@!MR`Qx+_s4vq!t5w2#-~C`F&dxrC;)hsA^~pY1~ZY$Kl|?$d0Ez}p`k0- zMWrciiZ7ED)|xt^-10LZ%9Gn_vKoC%B_#c~4WSzSsz-?1b|4|)MuRp>ZDYstt5`#A zZBUn!a8(Hv)D-Kc&=Bg3qo$vT+t&5CB@(`0MRJ_3(34A=K~BzO9Jkt#x%t=AE2zWa zx5ZS25RvK--aPE6K9$byQA9ynJ174u@ECXZvg{~gg*8no4;^Lmz56hfw>FBoe~_kJ zuv)H2cfXFfxxesG#0$PB^tjHH_^u-=WXTtfyyj;xn*7#^S$}a}{DlQODE8Nwoq_zD zs`d1pBV07&%$=Mx;Z%cp1*7hE^7u*`KRPbVO)SVo)30zLZN0%48&){W$e0zk!pi4= zzCOu4?B5pbSR7((+2OfZr(1C%b7P<8;$ommPdD7if-uU!et5z~AC38y6j+d>OXaai zSh|}HJ+e67fDWgdduQ?bb+XJVK8fDLOvMj!oP=SpmONAg%$Sqm?ECcbui5nPg78T- z#j+8t6Fnco1W}1hA7`s9-v1?ksnDJLSS{ugjwNK!4LU<75Til6^bTv=7{z_3jm!0& zwoOswcSd(xc7S-DvIRrws#7qo%)%B51&>=o0ox~o%JMwJbjMpX^zbD`Q;)z{6!hxI z90iriN>PZHuv-N57RYw`nYbHAe7>0W7t8yph&Db%!fwY(p$tWWluhu&jdAQ~8CaeM zoAQ78F$OEQExC>L*=*vlwko-`rP-pxkv4RKFgLM%SYJs?=VJQDb|x-v8`n|dQm3=P zsuSX>N6m+)86d0qP}sX;BtN0Jh8AZ9`Htio$MsckC>Iv0KB>XEpm8)(jU)Fo*tuX| zP)Df^m4c92uJ4peCR$@JjJgyhctES7j;L{2r}&Q&Z+-Z~?+kRo2u&+LRGL($$>JeIQuoZ4$fQ2b^dgN zs@bEV*w1q~c}WD8NtNPw@pL~~iC>eRI2)ydCA zlnhsbhJb+z&u7MX9r(3&(3Fb#D)4J-CvLMogIfEQp04?d4azIF4fBLTsv% z<&_@>=++sMHP;3829yGOOI@IGuGH2A)*E*CCJLeA={cc72;XRRhHtYv!#7!-;EE@s zV0@K=>XBMQRaYAF`jhZA*4c*iIxwQsPFQnBOIl6B)nxuWS+0Jt)NEF@mYVsRj>~Jh z=kOb?mZt5Bj_YjkTFQnSyoMmJLMS;hRv>X51)`^Fu0GQqE%-_l&PApgjRWH3t_r> zJvrM=tyO1JD-$)`&os2`g~w)zx9TkM3PJOw-6}6_6X#T!p81jn0R|RJy8Sjwy8R|g zx_#Ou-F}ND-9F)x*3dfcl5U@PNw-hCq(Sgp2F-=Ng&D5s!74V97sr-T(&0ZZHqoHr3VS42gc&z~yXT8oy^d4uc>DT4r^;ul^Ki+hDexud& zo8oDqPCh9czp#ARXgUoa=E_b(vB?^?I*Q+3RXun~a&*%(AMm1%W!0UAtgV{u)lst= zx&jLzks;w-D`(a3-Glkk4IV+gn8|I5{+kE)>S2!HxD zZeBFfDiZ~TND%~P*BX2sUeclR=|q~VFO%Ua0M{L_Kr>#z{?}5r8!(_&HnTy+f<$3u z7lffi1wc6}S#+reNyBaW4Xty{$4EqR2kg$1s=*Q?93v#tAi}q&8oqmn;fL0%C(Q#AeIjc zhMGIpjF*9qD^s%@D&R7=8mek0&|?l&@)kp7u$i?wWuI<(@}{?+svFd48mMWS&U&@# zezW-z!%cBmk#oa@8@nN9_rILXaJjgjzPu&aKfc!*fGqX&t0adiXEV?c5p7nBjJVA z>(3_8ArfX#z*(d$Q8-}TX>riJ1M5a&m0q@nBu_2)?AU3E&#lMF!^3Qz<=D8q7?MDh zJSa?tS}nMFdfEdQFf%jXV$5APDKaH$fi z6@Ft*wZd<_-QCrIh8{md*8suf7#&=n%)Pi86qnY;!VPHFaOMDSca{2bnVzdh=wj5R zG+L*ccFbe4JU}YqZ1)>#t>K6C?k)*5A~=->AuC<>M#C3Z!wxhlx~y}@7atZcD-6Oq zb$yk*4P&t3|AzNGUG`A!qf=3rb=&y#p{2{7RsD^LMj)_0Pk&uVo&aDyf&RK=JOKa{ z$7V8VBc;o_*Kl*zJ>j!vau;72j?As(Zr|=IfI?5NbsJRHm@SpCy>_~yOfoc;-)Hkb zRF<0SzAx>zUy~N~=4eB*c>cjrYXr&be!}{Bdj^V1@_X@xRaZStz7QWwH-(NTq*pDz zX5aPIi3U>V zYoxAzSFI(FzbncFPYK&7P2?%NG@pE(KFQ-gg;_^X5FJKZf;!TI>6wd6^;NxrT4XzG zq#t!RCHxH}ByA+JfktHalA{`Oi-Q1J_aS zgWOhf{}C@~m1r_ELzW=INL^CTlqHFoOJJoAqS=8Bb<;>1b=U6(Ml?y+NHPN0CC{k(FkXuzXWGIOS{->5WlXQRW zQu=N~xR7Jq#h1JKKJI>kMit-Mm(VHk^EBgy)7qDTtAo`Vi!(2bz+icr!NOP9RjNB9 zCCLriqT9U@-A}D6(Y?JC<6DY44pS&n^5}uH8YDVqqK~76&M#uO62GK`f`T(&$Qjl- z8HLf0s*@Dst8_iQIJ;A^2D_mj%jwf}J8M3Ya~x|CmLmil=RBbA@cWi||HtPSVbZ9OKI4-6Jbn- zsr6wTh#!`Kn)C!iJ>thDaq;C6D+2p8FpP)U0ZvCOfALPC!Ik7ErJxkR77R*pOEVCV zK=ARk1S$xPT(+t@E{RiloWvB?)M4kZ!pEpQT3E{nbzlm;$JW?VF?q zHOqnewn<-)i!JG?<>feum$-T|a7QM{+_e7n@kZRK#b!gQ#%zs#%%{t*KScUDN2^%K z5o!!QEmbHna7Ez@j$ok{uLn&+Jwd;#-aS2ko36x&(DJU`g6h($p>p()i`9zfZb6{c z_9XvJ@~l}raJMp`g_o<2BHY%DD553nY6QH-cydd&TD~l?6Sa)Yx;mGEaJ!n-1b0k5 zMYWow5uN_W?= zdgI&1$4_Hbi_uUlg6^dZaqIgPK&fXgH^gMAs%}5 zR?T44NMvJkLWv7sQ2|1i#hwM32K2p=_?+_K#)Q|az{J{Ulll|ygA@}5yY2GQWPA%0 z>y2-jqUgR(9vj`+%k$%es1>j!9|qxCs%lQ}-D>jkL)=XN`bD(aNiLLQPwENr;P#@` zxW2t`-PYhtEgOoY4Ls?XcU?vb1_hi8%EES;k=>e9ikX}9-rYICs$}tm!A&&&`n{WC zoESu=5U=UAq{OLS*`Y*<=*sRcyR##z{OU>7xQ|?uQU!%6M@CT9T}{8nEuGR%&4eD8M0wk4cGbcDI&=HY9;fqrDtDM$El(aceRxvRkh;3@TAr6)1-F&?Dvcfs za!m2{DmiK0^jo8`7~ZK5I7&s)vc28Rf%f((K5-hc(|_rZl?g1)<9nD=*{R zk~mDiOD~OqU|OgF*AaJD6b`e-cNkJPv0~g4=UFeuWH0e^?jm!sgP6mYjuxZEXqPGw zP|EC@%x{dYZ$}~sNS2tjMzq4u!TsF}tB|_rbD6T{WgNN}_%XK8Ej|;4;)X?AVLUn? zk}kPwh4jF2@sUaguKWN>F4eQ9+u6f(Av$D`l$Iu{cSF+5+$%AuMnlbcvBt=4PK!2V zur&wC(9X>*rL9AoaiHocl|0(%S7r_zEemxzTXCubA6ck5nlf&6VuTAHakRFk7EB&b z(#lSP#2XbInS^n{>B)4K)5&V~*K|9VU>wZ}jAxX_(A*ZGEZSAvTv?1~B$wr(ky_bY zC#4iNqax3&?MEqR)1@f0sLEVKiN;BgDJ=(mc;e4sXQ zGgqzdWvi3@o8lNBEW_f#kKS#tr#A=+dmouR$;B?*9gx)cQkHLLa{p~g;bDWfj5q2T zKw{gs3`yG1Sn7hHWQ5W70(Q$Ph6)y#mxL4yHhs(d(042-_p)8bu)S-+5w>@Cri`=^ zQS#qiko4As%8uotEUF5JXoW3Qsui|JiB>VTI^s=FgVgC9Q6m;tx4{TKZqZ}s`Zl5* z8!_JZ%7~=x9=n=50j$e4*iz$8X7j(*ixjCU&(m`ubsw;$xV3zkz%4DsibsC^9Y?n? zFU;MUzNf+9PX4WNJ0`+pb(CUD2}miWbVj{VW1LGv>{A|F9Z4pXOHVQ-LmBHDDhadk z>xXdriTnVBjm4Eb8%duDVARXXm)T0W-d^Q?u>LlsP0_XMlt->EZ*NKPw$noD0u2?E z=onK;C@Qw%)EH4lK+G^VC}1f8AszZLcHZv-c?byGm>M8;eNBR`HJsncHC%%I#Uuf7 zwz_xK#=4q(d8CS7YzYQIeuC}D6Glyfcdj(wCeN$IGea%tg#P+M3Z=7!)H>gr;#}Oy zKbd-YZj3KBcS%HOu9?kdYxoDsc_!{IDA#0+BY-t>tbz|nu*$wzm%xsORhdxl$$bO6 z0g93I(vGG$$01fW0}5XZl#rCUxuBu&0Y28ZVlGybijqtHgUNS-iKKdSP3= z-F!jal51(>K|!={n{MKW!Q|_VavCNY>i|^-U>1;d+s= z92jO239xbPtxXp@7MecetHmr_?hL~?xw9FDf&qnN;SmpO6RNMiYVcGGPZ^n*0z`HD zsBsg(kPxr5-2_{1RWhR_V8g*rig(R2S7CbM zqOcg{U@Q`_z(G<7+fTB$jU#CWCNNh$d_As%Bymu!108D=4k~tFg;TkJa@r^_zZQFY z|1`YY4(ho3fzXubZF!Xfa@xc42uT|BKAyfjPDCe(DOCjP5G18K1Yty~v?lNvR&W9u z2h}rJXN~imbEWU)vS{r@#8HrZBD&7-6DpJBw)h-+iX%<=So(EVi!GM5>8V*lahEUf zYKw?Y&(`(P+%}s!)g}{;%U9^+%H+Cy4L^%4mu{O)iJsahe4bXf&E_d8W_>}D+vcT= zN)qp)${IWKHCQ~z;o;^B)!4}446?$xsKiDNW16PUMTH42Vy|$?B2N(X#n z9y%$T(378DPysQhWQD{g8iB)-Y*ebcMBneCf)yD~!B%%&XK-G`rISXWIu=#_=xgKd zCN1D5NZx?wGPXFo8;-=l^<3(X1(nUvV3Ie~sD6faJSiNkZAv&EjRST%iBqckBlS56 z1WR-6Xa}gxkwqMrtNPHx+^f2$*{+tMH)Vpdl1HlZlym@3WmON8VF!H4gtS~3vE;QS zAJ}Ry8KPm4Lzhnl=_zZCXlziLxq2AT*RgSXnkvX`gWhTg*wv49d+f1BM@3)HM}i%y z8?J3P49X5ysZg@lIaD`1+in;XJg!n9V%2-yLv_Qq?S?_Y&MFlmIH;%5el-bXp8W3g zaW!dNiS-YkvLD`Wen|G}P~#ccjwhRkSVtwKzz)@o(6SqSd;`-LopLAxS*ucFX?lU3 z^8~(KCzvE&-qv~N>pAyy`K&y6Ik*FwKU7FOl=sKeC4ItCb|oU~Fy5v|7?DhVu_Bxp z&je|dGpUctIAkQR#LJ0?Qyw`7V>kd3ErOD21N95t!u8SvDnKno^b zx6>g81z-II+p8E*p3}pRiOV3QIqc!QClws(1(@gJFx@f^mD|(9iBW=}RRE&p*V8;v zMHQlS$SRMp{O|d=d#=B{02<6IDo@}6%O#2SmB@|Ha0lGXJCbcwVpW+IMiC@I}C3ewj48rjF@%5!K@-J92W~ZYn8IzL{dQE63Os?H| zrpl+`VFtYrH)ItkSwjSNm5c`M*B7dBon@B-8m~CZGtVvw!^Ng4NX##`oQBOh(-b1+ z1uLgxDpS>Z!v>2ir(v|dz)39wqe94J(>mfJ;f#f)Lcl~=G6II8qA3B)i%LqtMo_Ai zcMT>nrD8UP8GPSL4pVqjDFpUeE^)?% zQ7w(3r)wmB^}s2x(+h{D67fkUs#-Gm$P)!l9T~W3Y^{gVpjboInQ;xg@qAYZnkWN3 zK|@v0tV$U2_ydYI^3|*(Us|e0(gmD=8T6oYNi+pV&#Y;yWBPJHg4MCgv;@reM^;^Y zn0@^wy3;>q^E9byMv4NfvmmqtjF&`(B)<2+B+YI=v@}`qWNG4sxS_dr_;uRo@hGI( z8hsj#r@yKS8qcpPaopwn{ug1hKs$97D8Y@<5@nZx!5a;UQb#_^W#J74vqH;6NGh}p zrK4NN5GWI~5rA$TRaGWvs-wDfq^(TMNX)=>hlQB+PAFy-TE`T#-l@f`cSc56t4R@!?1v&9lXZr&BIYY%@QG?#$F7uc##W@30>6ZJDPSpO zz51q)LA*^)Ijc3SeF|c@mMufM06|mPXF?rJpK3@TyRjm`jYrDT0-(tmN|nY4U?Ldx z^lUU>PotM`Jf@zenRc=?1W0N|I*N&mF@0Jifes;dzOmR@S|BtzL$T{0LhO7yvFjf~ z?0i$P>mNewd^54bnb^Ff6fZ&t;^P!~6(G;S8L>Q^u}jAo`EcFC39Y=H>_uzlE*1=b zH~?lRPg4`+Y4UJNs$HZQBf*SM3Td!~x>&^IWWp>>aUljYZlaV*9!$-o!8yMee-EIv{0AS2YK9)n4OOK?ygT+_YN#sAok!uIBu%?G zA;f_h4=Om+W0hw04%$Pt=(Nz=!0h}JYAQCwHqm!2bT32@E2IRGpIwaUlvrDe+k_wy zigO_-Ugwk=x4GE;tMP#-x#z*$S+QHnf{>9Q7a<;;G8U9yn4CciMY9DHG`OXN2%g+= ziHrzd6RUv|l8caF<^s1;L5tL%Fh_%1$$&uPRFiJ7y{%x&l~ox9KOF^1`e1H|5(yWu z53@CtZ~~RCg49$f@tWM)TH^EF#qbl=7$4a0(gbVBb=AVrBX@=g%RH2K;vz0oM2n+z z?I;t3=+in0Mf$f)4Z_zDB)pW4e)@s@cNjSXpJ4E`DD7S#(#DDu{cYImYhsuql1-3ln|g};_mKS zy1P5|oZVG2{Q0|%tGjRiV70cRyKnz$)!r%GXCAEb6I`iX%Xr_aApn^7il!M(B+wzebD^u?y_Pu6YQt3rxk%G8B@e zW+ZmZYiQ%^!hY)zVrP6=SS43S>>P8kYaK%D96PaV9YX9JQ?Y9uLhKwvu{+S?`Tl_( z&-X3kJN4M+(sZD=`hClY!+qJdzAx8jXp}&QP!_JSvN*_nxoa^_hfo%-ow7K{eYtC@ zEDmyC?iwl!=DwUa>1*7R*EyfpxF4@|KCf{vUi*Ar<37B`$+yNmxUCn!$0-y2LcNnd zagpKUWP`g9syY#@n&RV>gBmmn2i{NnrIII}Lj%F<=`xT@1L1sszPsDAh#4oG_)mjI z;lLzt8XPKRpG4BUk%E<>^ysRnp8V_G_z>BhwZ z4L8iup@X7Qo%t?|cJRwLULfAV_plZScBhHV4CCXhjT#&%;yBZx1y_~qquAEgV=J*# zd1^qdM-8RK#SumnCHa@eoys}sdI^!-ut04S3D87Oc`0g}G(3LbjD;dd#D;DuZfiHX zIQ5a9qN*DyTZ*&(o%$p%fnq@v*Lg=o<1JA;nm$U318Mq^9nH;^k?Z4JR(hJHPbg|I z8wB7nIJ=y`JkOTWN)6qJ9E(ay6URZ1VHuJe z!}woasd63h2+BqmXvgkaWpI)PXb&z2%9f#s!7RTzU~>2Im?_znA2LQl;*@P^-^Ha^ zb=bR7uOcbrLKCzei^@yQbI{p`Bbrk5!U#~b(#vGVO5ejKj9xT+Z*UG495!&ZkR((k zNYUZ;2Q9o@M2o*wviHTG;)2M+?R(4;)s!72D}4GW(xL>WX2@~Qm4y!Quyt1LwhDAO zPya%%Ic8l{Fo7Haua$x#TES%M<`$WcWg^_gX)<=AueqA{@p>aEDBDX#U!?z%^8pvN zk9X%P5vl{4H03D&t{yvQ{embb=KI*3t|F2rJs;Z+NeL-rrVlILDqsI1`KqMaYWgwe zRg0dQYw2Gbx2b8mHsoT;cJr}X4ogvq4lN3Jg_VHl6CKVxFD=rYZpX|D3p6#`nR5+E zVLg^fI?D3%PuToN8PTl6Hx;VfFATP+Klp z%7jFjt8H1vTV%BBy#Ssyl;v3g5v}kR7?m7*^j^wkOAWc4k3N?o(*&V%YJxR1%BZ=) z)l+}HNt{rWe?W)>mod|T^UYCvTTKofDXX0Sdfm*O+~Ns)?tLyjrvbYbtWgMWG*!&A zZ3E7kB!UJA%)@R21SSPqn5WKULeV8obru{ZbwL%oI2VIxGZ*R4sA(ejzTw1cwBoU9lO`2sR z>y_jn?UPFd6I$ds^f#$ntU67lzq1$y*63X4z$DtU zRv_2DPQN#KIjy?N!WKi<;LNk;pD_|^1{x!==AbbWYZe+K9ctT0iFER9zs2WM_EBOK zE0|hlXRDl$S!;Ff{)!Uiel7d6%z?$?Nz7kQhV-j%A7_Iwhp~GqN;x^3m1kFefNqzx z(BkakwsCzIN9sbl+qfZ~{uhXCp8f}@77;;AQF7K#|GhAxT+}$tMD^h*HAI!$dnZD{ zBwFYV*P}+xG&xA{1#0y%E5)^6xjYL{l$RDd<=Rijddx6go!KK&gD-2#qfdHXalQ`o zkp>%>gdrN?HCD>~KzluLI*Kw*1aLMAeN*fh9T)Z3;;g0OBc`I6xWVtg4rbH@;-~dh zWH9RRC9tnfkPPyt{#%?2gM zFu8?ay628a@q@W72-+x%MMoVCn4opP1s^S&0Kn(OCIIj`u?YZ-u{QyL&xuU{;B#UV z02qaC0sx;A8(Y{d_&n4c20r&Qhk?(x%wgc`Epr(7_Q4zmzHTyyfv;7JVcLxTFoj{X zh$#%COH5%HjbaMJ=oM2KM!T58FgnH*hS4;phx#_7aEx&njbn^+7?smzRE{w_htWA* zv^=B2V-Hm$eAE;3yvDCj85vzi;{it+2@@$s1N$yvRCSSZ*u|G7`ysV*QTLBo+F zf|e%<=aFz|nHJ$?EM=gQDo8?RS=3uD0a z&I3kkuCZU=WTbfp&96sLHm(c|Uo-TupPg@yz3Z~Qk>|LFUF(r+yv_7i1n~`dsa-^D?k*d)Zn~}noERp76JOxx|pfrIYCgar7jFWvwY=#L( zjzp*yv}{~wX!63tCd1LLqu_IVYt`P?jJ?_D*o-%hu88PT%Cc$29Sg5BHgMvsH+KDy zins0QVt3eCOmR)-uv2FaQ*`SY>}Y1tWV~(Wj~y6h$HaH72JOp2kT@vA!Y(E!37Q*R zUJ|z8CgM;{qG2EoTN2hX(bvd?@f=tP2Fhk?ZP)c{9Z-m{7lT>Rq#g}i*0v<**-lZv zdQeJG?FUHQe7@K-lM3^4e{op@p|1&y=O?R*ZZ=c34r)4L*3;xxS5lopw3#DzcT@1* zFAhIPUfns`MK_zHTIW(7G3z<sA5N+m&JrQ#OgMGj5NyOp=vLR9&84K2JM#R8E zC4#Y09$%|NOFul_p`~A~O=2MK8d}!U9@eqg_c<-0G|3kJj($|@+*FQJGnt#H)(NUi z$$DlY&1$n9JDYhqh#x9IhV(^Jczd2iY4`~d9VT(A)q2o#Sv|Hi*00q+X}G!vxjQJzB$GvZ^98fBCi@FIyys*8%R4A4V^U6>H{ z%d1ACH__vJEp)0}!#rkLm7)7^J|M~z1u$s5(tT13pk`AaaB&Nj-e0 z0~Nm(ypWRa;jbvBa(n2>K?TW^YerEr{VJ|N4!i&*HPh0dh6`?6(eB>r2IStdNn=*r z5?LP0*tK*b} z-T}r@6M~Qc*|<*c^ILS=9y4AaI_pJH&1GfA=BHgIRgy+&AId*e_A!(OKR{WnGIZ+V zUpB47Yvl#%!oD-?UT=^_C7`o9WX@+!EKG|*29O_ECSBzlP#B}K^45yM-PM^K@U z-sRN?twsx=i!uX3;%wkuM@geK5Cbl3AoStGyB%6)Z^c5+84?>FibKvP5`#l=7-#~* z(6|-=t;Ub@g2b|$jpya!UaGnU)lp_IHy^RMPN#KYK^6lLSK?0UbV!`Fu4aEtulw;u z<3o2jojm-Y2(lfz9JP?&DGaLhybXqFi)uGM%oY}7LteJ8!)zgX+lE!mR2s9dnZch$ z_LGa**U6XJYV%WyKC?};L&fZrYM0MLO*=^zHkXZ+2WPfd5dl!R7|B?vZ-BKCWmhqvR#h{zYY zWuTCO8F_Uq8Mtg*$Nnw<03~FqT1c8k=0c~=a8}F(e$+J8BluA()3F$woLsA)2cIeb zs4cmF{@%E}Rt=>QKoP<=xdb)zy@%UE5jHcSOCVw}8{P6PLZ{8-^GCD_79K^AooeG@ z>YZ?ydgWnK|J!SrrsBIBiRZ_*bIAb$X{S%H<|0pAc1`6e$yzYBhUD;`>W?%lE zt?s`OFsKxt4o3X3Sc;4Bo$#6=0f}njk&t=pWB$B7svv9tY$>lFXx zIiaIx0cByk7)utu6yGnTeIc$FP~x=|sRWb|VV@z&hNc6ek|u{JL7BF13E8*xi|K6z z>j2g%Akf9x#a%=G<+|~&Zl4fWl!r`<8nO5qs=i4?)N^Tii|N%pXCBtn;vrwG1lH-4lT!FTN%mM9pc8%l2- zJ@nQwf-k_U{kkK^2kk%>i7^($RhYAdv|}b986xT(T4em5T0QWP{Cp&FDt5A;7%$K@_EtjHABi|hp1u%*;+kqmtlHd7HnF(7 z_D!P-2wG@y_WNx9$K+)thIjdA>I~N)a!PE8ZWCCzsO%&`^g1PWQOHX3Fntua5=(gB zySJDB7!$8>w+uA9x&O;`(7QW=fq#t~Niyz@ykVn18d9`O_n=%=-$~1I{nvj`vu3&> zu|Nk&1|VTHQe??vCPn>Bit^9I*{IQ<%%5k^)1Ro}HC<@w-V;)LkDJF__(`x4N#qgL zLT{IF{)rf#Un?u8G4vY>uQ9$MyP=_Py2MTCyO#8AhgMJDaW8WEp(TA&>%^3P1n3*@ z>74DsB*rLjPvo=Y$i+rX$--C94@q;;#a2ZnvkbXPuu)OKxs_d`VX#S2eYs7K5jH7G zNL~Vv(21(bQw)%>eNsjOJi*K;&A?PU!+aS7CC|finGhTJ8=$JCNhThpK zqSOX(9WNNPiPi0C5|btNMAO7%%`7n)wcW!!ELB*_$c1@WG~9`c<#ak1y@xcijRJ)V zy~^81a6*TPOiDuK(n1B*ZV81vIKtc>%|N5P$zg|zatA49kf5s6@I(SZWogwps4UG_ zFw~S5FqM-v2p%!`sGKj%VXvtv->VD?)FuB&_({Z4MePHIwj)rx_WK z8{C>JFqAggWQmD`T>mv07rF*o>AycVpIoFa^?~SiZ#;2(-aY@&9T0(H5lR-LlOnPk z&<-f#C=E?25A;S$!3=g+2k=*-2U&U~vTKYGTkuqg!1Nrv8|%?`wmYebiFlI;$nDyQJ!j5G*w3=V+=Xz-XTA|ivQfqvgG6f* zC>NK|>#plzU}uyTd{(qPp&G>aM_DqnPjN*t#^7gt0>w2@^EH!(~qI8sWF{4dRiTMd(n>ylW9 zNu{3>T2V_7DPco`F-g!Ie1HbZ)9}rSdKr2XM+W(=5K5p|;*f;k;p>ouV3Z>wbZ1AX z2?I`Q_s9e^-xj12CuIt4n8tbOg;c$bou@jN)Suj806j z2}AFWK@i@P?oH5A^EZB@7IgK&O@i{d5a2udzVRE$b(L6b-xD)p@aamkkRhw-BPVjt zDPO~ettLD|YM=|=NBPMG|#Xz5l&1_U0&u+7g*O3lfoPCOJ#UscI8NnwmDQdAe z1br6?U$|6o=*v-5_ItONN)X8yVfapFM-n#<8SHFE<-;*x>gxgF^QfqGwZ}fyWB8QE zeBj{w8`aOkGzR3g5PWviOe%qE;%Z1CVfozUhjgd)v2<3W#K_^{7ia3Tr0|hmTf|I0^V->bB=B2i^C^%&Wj3EJ z*;8lp*;3vnS~g-gQg5nmdO)kRfCaky zrUf)g2e_qIoV7hh6XxPW>9%5~-bnpakMXwt$eW~kEYLq`s>dzelc##zk}itX0Va6w zRF5%}Ra?UaQ=&57rqBuF}+2){IpiH|L--R zV&CxUWKw6xOeKLhsua89#V*zryMsa&RSONUqq0+4f*AvQ5iX*$0=pql5LokpC&d#N zsfd~M;{4PyM{l-0a|+|yqcADe-n;9ar~e(M|4BZb=ZnESm%pT8FTQqkO+`G`oUl+T zr#hVAWf0dmY}sG~~n~7Y~S^E=Z{6;6r_{1m54ZXd^$y|&yhuD24u>K)7wm#$7RIHKkhmaw% zf{md-9ppGmm(jt}b&xYHNt_oo&B69ylTOMV@q3C#>l2wxwIKPj52#(!zf$0BknL>2@^iq!Z8LAb*cmHbk(#pP~5>aOpVxOR;6zm z579~LOtCHifuHE4&Jb%znGbYQXQ62*nk+YPY}l5spPj4nTjD7ranDUo+ir4rI!5!< zwwosts^(MHwwp2&;wG~POr6@ZXIW0`K(p6<%h~I`&Ft;fKMM0rX0P{_v)6l@*#i;w zwP(+=^4Ni9um6^_*MF1QLzy({&R*Afi`m;yeT&)aTAm3GHGANYPSJv0k{CeZd}K4vJ+6q&rDp$V^XAHJ`ZsnS4okS$*8klEAT?FTgy|mexApV zbuI5y4sSlpwLDTe6_XKWo@f~R1-s2Uqg~4{xFK~izu<=A3H*X6J6ML>Su~#U`b5E@8mysHG8+0mL4Q{>|1(nI4Tyy(?@Bl3L|q~5Sx@T1!uPaAPE!c-w-q$ zI)3NK<|Rp&w;W(v)J`1lM)VN*of1?eW(TC{g1Q+A zs?t*Bg@ytCpj~drqKyfv(9(&M-5!w`c2R6qT*FYc1XY3A9XOxn7MxcrgHK}EMXgnF z`Ovg2k!@(2CG%wbS@BmCb!Y=iO8HJ4`_6^z9Ddjv*X-8G2AQ!nLGJ=9 z7_eWQdS<>B(hOg zr)tZrzcx}#VL%03mAUPrjZj8j0$iN+ z!;33%y;x1ZNNqyMSZu7sf!0GMUrc8KRdLzDxNsehWTcW4(QUR(m1PE8sL!STO$}R> zPz%)_J0ziwb1Fip8UrTeIUz~Nbf1M2UCC;Atck7?>bOT4e+?m&^|Jo>bHhaM^s(Je zkBkQF7B|~Y&;u{7Cu_UA+0A_hEf>{g-@u78`RC>MuF-E0`QH-sQNYjpp5v{De}M+p{)3JlZ~!#?07<%@$Gm*l^b#-l@>pA zNt?9=iz{omp|t`mueUq(AvyKF`I?g41mv>vxfM~Gu7K_qs`sKBAga(q%jd*;x1t+` z!cBUqv_e7_^lTx|m4YhPprMry@;jAKJaXQV*Qo^J)0{Aqo&Zy*g&aZUZqOWr)g6r! z#S*aE&g6f^=<=#}Jtj7>4V`Tvq^QN{x(Xdt|49C=>o?qsOL4YTb&;Z9ob%`x_a~O_ z+DV@{P22vZ-TS;Qh?Rae>|9R8*Sr#jm^@6LSJcz(Ee{);HTJlzxZ3yazl3|y7N18y z=F{cZADc?g6me#gG?P<;vYM@4AEu%g$=#C@hBcwMl}n=M!pe;rLgR0<`JcndgBS-i9Tdq? znjs&|52}Ha!_fK>dB`eExa8!(vdHFrfyIt3xZ$=PLvA<~IN04uX`Ec3+D~xeluo9Nx+l{{-R8+g4;CaoD5aBWqb_CdXY*MM~Vc`EZmh4%hopYM!c3k#k%fvGEACTBxigLn&}V z8$$J`$%@cE7OWkiV=txxrTPlOs!KiJ=8SDkC<<~yelw}RH5m}v_;~#09`;v21|(=H zp{xA^P};Z|Jg0eF!7Dg4P<+b%)70*F*I|gxQ3Y>9C~@}Ctd@k1vsrMyQIm^1l?{PX;=kFBGnll zT?rbK@!3+d86O?B*7Nh@RB*$@DjGVSifmkGWb#ZTMuXwi8H}8OVgK!75O*kWQHU)j z`c5LTi8~}lok8AB++j40?u!Lc-OVC9)QR(JV!E zW{D(eHcL^RSt4ojvs72mDY!Qf?D)ij&DySZLsnO!D7ZHe+UALcmdQe4J7i47vnE#! zQ6khev#reQc3tz@&a7rKp)|SNkS+9#)fAzQMD1jLWQB;yEMmZ9rB;#2tQVOyn)P0t zSuavCn|1c}DK{K#_S6cq!pZiP;q+YA)Z3=dGa1ZwtrO~&hS5-Nh}fyaZ5}{QbkVDJ zqmgD0&P;pb&JgX{15PP783j}8{M#z0J!6NP6+$z1S%cUNhIdjJ!LU|LOYNaNOdTCq zf;L>c>^e2$xR!xb;n++Qu!f2m%dCN72E%UbCh6u{ZFYAzgJJhyGZ=Q?GJ@gC+BGfG zzqLBmovexO)BpjqrO~Oitq}x`B%7Ko^3>{&3* zZd>L^r@V~l)bifcAMhF-p^#2GOtm~V^@oWyJ4}ZO#ZxMzYGKrhq>#NN@oruJT?%*=FO&F<>V0H3hXbIRQ$7rLR z=XyJf?aSs))9f)ON5$-EW`XP`H*$oMr14}gnuR#1BygOI5%EZPOWg34G*5iLC)4fT z9>fVm^n9?dQfJo0MURmsZd4mLpOSF>U_OapIJprman`x&-F`g(wKe?stN1;MoDPw9 zbi;t3tOHiv0KTpVZS@l+}lFH)Whgv_+jMG1tmbaEd)j>bp4gIquXhy=n#q`kk@o7{ePH=1TZ9b zabOTfj}MM1d(;V~?Rj+~Zz|xHp*B5OgG)<7j0n$I50>K6W0BW0JSv3pp{w0p@$JUz!c8z5jrNFa(x)JP(^~5 zVtp96paCO&1pQ6i!uIVPP83d{@A^qX%1@%D2O~xgPS11UUPscq4x`(D*-+t@@_~C5 z)Q|~ddYp=@3NIyZn+HdmM>=5u&#`*+%5@RRd6iyxVtP$WNzl?Gufwz?VNHeukhEMu zSec=7Oa)ACCu9^>ziYqdgnE9vF2zWoa(n53Xvb}4no%;~hTGc8sN|N^<=hlhzwFje zOlt!e=|oJu!4Sc~Ck=yS-QzxtM$&ba9BdemWQkOH>Dz|2rwH_&^)5eY5sQ68uW$nj zYx?a=&q^Oin~R=3b8GrnU!D~{jYuQ|bNc48D}Hr_x-I}foUNm7QgSGH$o=bL_=!X+ z2R6En%Ndy(bU7{S52y(-&|}wbFl=0mC|>P!R&1u1VHAemI5$B>N7)i;>^dz9#^U6V zkT-9AcyC^YAtO!t@X~x&Fvu5TeR$WMEdnL{>c)*i;M8eBJ}C%Jj~1>Xe$7iVpQ3M0GCTqGa~XEG3toF&qb?qCpwG8<8-OdOrc}MJuD;L*U6*kkAL5T9jr`h zu+w>*yu8f*m`xuHxx%|pMTnF{QWIZE%AW+VIvxd|dTP_ZHX_PVTO?Od`gM9!JQd{2 zgdw?|LNA6@n2$uV=Ac%T!AO5eOi;B{H-M@b&A!ejtJkIe0VhGcWT>kJA9VC{Gj&J`9y$?kN;bF|-RX zfkQG=&0^Jzxrr-7i!;}|Xv<~w^!&P-s57?Q6I=K9Q@I6BRtsve!$6i_-Ne};Lku3C>bDbwa(% z*mhCgk^+vstBgd5MuLf--o=XP*})H+$~feR!ure#$MA`TM8W}qIwZDOhoQvejX;#-R$@iTLgVezr{Y#FWso(okaFP#>;OQR^suig`m>**8>j zQVGCY$Qb}-8lyyv+2hU~KVnFF3=(F5%0Mv;r}%v~?@wM< z>u-pu;C9k7i70jV(q|xei>Ai|V2n*&?LYQybDO!ovq6xE&SE*G99ZzCPJ`McMSy*A zToy{EyNr@G7jjMxw+^3<=aBt_ms7hi0|--HDHa@N(Bdrn*PZ$ou{Lystou-tP&4Kh z(xC{UB&+oaS#cjzdcIjHvn8jRTW)3OHNWY0bmk?RG>GRG}XU| zj>AWOW6v$TA#M7OBQ8c*NuvUHB|KGaWrOEacuc1J0$xCRAmQVH3?#L$$mxI~okQ30 z%(ED{4orwNtXtqh;-UpItXpJ7;a2VZzTSV0P^_N+83vl7K98Hf=rsVhI-v_Cd(#&SE1 zoknt@A9XO=dtZ%+mwLq;uTe-iNvC`eSjEu`g@0P&o8a z*%@^lHJeSGF6|H;sT&d#rnU)OnJfwiVv5XTNifA2C~v|PcRlwuOfk-dH(`o%jlT&~ zoD<}2m^!|o$E3?s&(ZPKrY%Rz!Tt?6Vh)jSz!BpSI6X(4>);JIVw`_(q5wG8!CNpD zGntIuhAH>>ipicSCi(muF~#_d-iE2;Yw;RP9bawQGv&X>)fX|BaBp#TiP3@fP4<|W z^JBjOM<+Q-*-qT?4+yry^xlljn7cN91CHLC*&B0L#&5vU@qIj&9C3H{Z=wL2CoxfM znL3GuY0K0}>?T{LPU3a4V=94f1K)}%_(1K=n0klCT*9P1ej}#dZ>zrvvr)VaNAFIKPH{x9B~#tg#Hib;gzibK1hbo+4O6f(%$qUw z9=DnPNtCDENJS@b^VlzX?Y$JHgv<^iF)3o03Hd%uR4wLutztEcx?hOr7S1iX~I; z$C+7R>ix--=f0OK-z`V5!u#8B^iHm!HXM1*JK1=*9C4Y8-hiWbVp0}3dMDRV1&-cH z;Lw&ME}!TdaP&^h?kz{r`{U@HnB7~BV8Qpd;pm-Y*4c36!*XYD!_hkl8ZIQVKb0Sl z$b+k8>I4S?*@EY2o3OrnJe8DI=u}k^{cxXOPg zAExNNgez=0I)M#m%h7vVZqW%6B3p74ygSK0K_LlCj^0Z|{+6TYorDGzIC>}XreQme zfbDYC#ZS1A6qtHHS4 zj;}CnIeH%n+KU_=Uz994;tE&30Y~p{)=m)JY0J_3D3es+=mg2LY&m*&a&!W3pe08q zxMi~C=-tiQ5ih;!a`f)>QSk2M=mbYxTaMn{-X9!4pv#t{cek&dAlb1kNAGToxGM2) zz|s2{qaf&J9JQVIQ~qzmRLAMQn-pF}rru4MX@RNU@utr>@}>TewUJZ8K zcM=u2<>(a7F&EcE-*I|jN4!jzv+0X?oII}<&*tpL&O1||o%o%&DGD6DlVd@V zqxWIX6*zh)8Egw2h414IC5YB8Z>N2lT4W{@w`HpLZfcQjnR4CtQJZDMQR^hm3OkNY zlNQpJsrPZ+yyd9Veuu-Z9xZ<_t=-ph$6`6V;aWDmr;`bv>9VfqZc9Qp@ z2|_P72;{N+_?wE!QM15Na+q zm{H*9G{rV8rRfCeMJ*>TdN;4Y3rxlD#&jw$mAsFmL4l(a_^57D-rd&LJjshj8;)8h@s?O|bdsd7HXNO% z7K0T>?@b>iM?7xVK1wDhcr{dmsdwX1Dl+x{+!KzTCaS`csrM0= zR^;e?Borue^gc467dSdW=$S1?@65L>IeH)WxpqR7$v2wEs|^ghx+ zY&mM4z+zI(w!gFC?R{J|7dbk<9@sRqVe4d-=F=b8aQ1G3nTkxkkLnQxj!sY&$#RTN z5$0jZ(RT7jeF1p3I1qvpH04=*zHZmyoUOnKh>C~w_%TI*rzypI*P z;mA8?om9(%Zjq^zSSEH%x$oqPcgvCYe&RhgOf^rDb;xR%nx_zPBaXuS^==rRz{oY? zDC%rDdN=V*?bbT8wtIqr7?WY@I^pI8=n3px+8Thi$gi#wY>8it??jY1|E7TQu5DA$ z`+XziriH5J3oJ!<2(=+w4Hz2`YHXm)?&Z51TCLkwEKfLNoYO>IJw;f=# z4QV-}fKarFhN&hAggnz4AbQH1)me(|{)$}Ng^$vc^YsTZ~Y2$>2cz8pvVbus)zB2^~|K8PdG!%G<>27m*KkdAJnG!(o(Nbv}3!LBNq32gG zlK%y}W!us0mga^=mCR<_l;02&uBB;Vm(VmLnkKh^i*`@81JT9`%p9=>TMJnr4G0Q{ zGrM=B)d$iFGe=aA0)%w171ZWdkVGO{nh4;A1&1DA6QRm+)R<5(oRPabBn}u7-VQBJ z6GGy4-(Ar`NG677zA^|1=v2pJW_z)CS&@hphf5GLVu7fXTp@+8 zM0d8F-mf~J#O0;<*dg@LhM!HILoeZukTv-k|2>=cmy7=_%@_)!=F0)50Wie#(Cp^E zW7kU=$uwj5v#x)0F^!hwq-ajtx|C~Nh+%U$Zo-%#%>-g0@A3Eb9 z4Q=1#7gT2~7g!LYo-pUn9WW6Gq^@H&e{Jt6EIUDsA(p+&fx)s-wP3J%oTyaJu;hN% z;}lC7Dhf#`PET4uaqF!DMR(9I2b}m3=Rw!P@2)cW5tTfk$B7?d=k*yoFWRxA9nwJS zGX`3;V+?t;&B|sNEIF4#;0X7)CkRz63W&LF)-pveN{@SqP{Io&-l!-3BCJ1;dqbds zqp_Ha$8uN0kOE>Z!*_tN#`n0F_?qz_^$0BP8Ccn^5R!__<6d=Fph)+Y$2|qpxnL+L zPPjClG6E`KI=H)egm4bIVtN%U3Wteoipl~C6a-gWWCv>`f)IPMy?|LfyGma1MvfM< zdMZfil{zUCL0mqBxiMEyh$OKS*PuSuZ%P`XQd2Rj?>Iy`F+KuOmwT{aMpS)bLzH=w za2%q{gZsk~EhLlY;)wPq%IrC|D=>MJKCBJVb@>F>fu`a?7K4sx-ND?8=s{MX3DIrf zZNh~pABX7C6z` zxCsvNl3aX)O7Lhn4mB?nPQ2?nbik`nZ;ACwZT*n}x1mXzxE$(E9ZYN|o0s5UIN zzA`1UV1%BMg@Uq>2+p7_pe7!@7jS0iplpVcNSqzoEKK6p}zbOwciK zcUL93d;5XLc7~TEI_QGJBCTd0-j$Y7Nh3kRRAsJ-#9IelV3;(K^pubs9F`K&<@G5c zW37Tp>2e?5@?tqDW|?JO0TP(8Jl|7lTZ7E_G+X0eD=--!1jK6Ecz;gn^} z!&i7(Y;iXJHk)!x}_{QRGTkc`EW zxYfi-uw>CM)(-R(OPJU^%F~D5Vl5U0 zge-jx5EWVDL;t4&+Pp&;P|jE%df60)nF59`ni5R<_KS?9kx=#kZ9-Lw zEf=Qv+@B&R0>*Duedsu;Odt)zs9sY!;6$>t^-(a4(khQn6NpnqC;AZ#fT7@bC$|YE zS4WZAISx+|rtmuoMeYP}1d5hwVSkG7+_gVNW)rQT1GTWZ<=I?jN3b+C1uxF-h9lvI zlJAhRueQXthql0WjaB34n`HdF&z(kMGfN#l^w%&64FvesINOd3CXnaQb{u?qTS0OW z61UOpAVmO(+h%qj40r&Elfqq=I7<<}2(FHmN>+mLOpGd(nI)mFbA9MjSwj?uio)U4 zK@lgSuE~A)7`F`L0(Q8?vQ0%YpvR_~YsPg<#%l|lzg-^$lseMUi1@|1OJnnQ3nE>9 zwdp$II*o*Qh3~_M!cvKpUQ#rvJZciC8e;%2rS;%x9yR%wMnK;9`yHshBrMSkj$V}; zD(RFDUt-eqVKzwBth{59uS5JUw5BysS)wE52qGVM_+6-(bfBbt-GwVo+f}SJVUV%{ zOpl@^#NPbtY(AYXXY;ROGEjD9E|t!zil?63DqBk*cHFvEnmB-#Rn>Yz(M@ zg|=5^U_(k*1n^C(1d1v<0R_Y;oiY&Re+;-?zsiy5w|*srC4lcw^=M@5dH~;`R>9P9 zjCvRwz>+u$%Xqt#Q04P&;=z?#M4SJm7rp?#Gg8>aeaa*EsQ_k5 zUgPBICZI65`Q1I$a_6fM?&U*ymM!!x{Wpb!`j+7k4Ut@|8OR1j{Ywlxms8<-7j23W zq=HGjh{i)&O@lYO8+ZUOf_2ZV%-RT6GuAaWB&a>u<2r0@btjmCZEXyz36QljInE*QY^^y_kx z?GE1)c{YA{Ud-kz0tfW0h!dO_pw4d=iK*ix+HLb0W$t17p3?#Y774tSA0;Jx>z`%+_!M!AJ5Z9M||pxE_p<-!W3d) z$so{vTR1BQ!3L=iBTEKb6;EOmgUN;@#M$`MP5WcxW_;&4u{`+`O0m@i_V$*7)v#0_ zLK*f$PsO+^J=_&H5+7z?zlrYjkJ&s;Uo2X$53>c^p&r=pGF+>9?g5Rrg|iv)9Qc7@`BIdVxb^=E@T?X}^FShX!|PyFs!CmPnRS*=eA*rel23mBCZn)gn8778^L$~43*t@ zknEeu_Xgn&FOc8lHE>}jn-h>{bj2~qhwH&_hTM*HNb=lLwwES$?1*;AA%xnYBOalQ zOz$w;@Rn-0n^}EG-(j|4Y)~18zQb(8fSxtZdMBhXI2BpIAg;;UZN@{kbI~#kIsdZ6 ztN7{z&M!vO5NFvxKmY5?V)3VNV{s9Rr}R7V_hR|y%W9I=7a`UJ3{I*NcG%8wyT}e+ zV1QRcW05pAcWe2lKv}?=2^Atf-w`{ec`0h{D@DPs6b1W85xQ!s4i?|JO1P$N=ltEy z`MS=T^$q6X-m!~ZqBk(nwQAe8HjH{sC3rT5fmj@w@>ZJQ)v=+!F{Att-ZvhaKDWnI zX)$|whdWzGL^FmHsu^R8L^ig22WEdJ(8zOzM5_kkar*>CL7a6zwXPcSGxbs9V|1ba zq3FI&9*HH`;XDL7;vwC=dR>7ztU80*D7)6 z-hrXss$q5a+D;&?x1&mCf&{;wG$BPU*@#@S5jSU5ng(k&;?}Gd6+&_z&WLbSb~yK9 zT;+sdfpafvkVyBU1gqW`!QA~c0ckUT$ad|}8DBO6;-+Xza%%|2QC*T3w~cH0ukpu@ z3f`wE)kC2`j zP8k_9W9OdgaPFyH!Y)73I`Bj53rT~>* zZwlcO?)r>Xos@4p2^?5+OyRT*$0_8-sckq=&^d6M#`sf=>y|^1eJR}Jky#9v|R}c@0f(DOypVWmH_SE?Ky&Q0`W)9oVas^d8cfUy5_IEvAD~4aLzT!B;H1gFU>EnzrG&MDR)%CIYBJ`3S1cvI5JrZ?~*Q z+`8%^<0*SMkt^PtF%ci#Ll>zz#Ci*mAi`V6M+2sSa-$I`F!pJPmc8`OhsZ!FG0PD) ze(Zv&=IMyD;)fTl!R7UZxD(@>%a8h{(?fTkIlazcC_?80HF4;k3UF*19M?nd9T~we zCxR}`QX&QYq^QV)p>v)%ln#`5RUO#mIzrOe1W&1t)hEPc>Zl^EZb3ByRJli38Vb~~ zajR^rn8vP?syJ~j(&wHES$@{=&efkm`e#Ctscy5Zwy-6=-hJ1yt%Xtg-pIXQTUX66cVHUD@ZZJ z8Kc5=J%z?1N_?ONq>=^o&@FO`G|=#dJW4%upR7k*kKQ`oCDtR>~k*d|4ZV25KB!P|caGYA2R_-7B+M zM9v~DbYKq6J>xHIbi{+09*W+~F^GnY1)mZhUbsn9jDGz@-of{fmjp6^a*ou|jVP|a z4j#;$@u?J&Zl=*-5)D11ok~L)Fle4F2q2#kyU=c?e=Mgj#9R12=k1BALqj6fNwZKz z&(kYxKG2&Vea^>JfsP#DVCr*6M*RbXK8k{;xB%kc=Uh{o0fVMS-(j?!jzJ8_sJ?RC zf5i2eOT(xds76RqCmQ*k1k{Nh|FVxKDw5r5ozVpcR9(Y zJH1w0jE>>_p!S2n`4NeD`ab90ipq+#@FEfG=zd_UNSSrP`HgJxP?FvhPrC~mbsa?l z5zyQOhn!FXZYfAk3hlX!_Yo(&W|-5p8xzg26uRZGZd#k70C6o6b(7y`PLysXmN*Ix z1rJ3jGsqMomb*HLSnTwOOfXm<1wrpQq*(2^yW!OVDL$yqlobv(H(VlQzmIZ4TG3~c zW9>20AeghtVMua_^2J!;u*;NahxcNa3Ty8(J`r~(-g3;w6ZaX%h?`aAAkWl&6yQ_k zCt%s()@TZ+_z_o==hfm_Tns;vSe1wBZN^w7@Wt71IlZ5~sHAIt7`w#j3I*2`z@;=9 zFwd!iopCJ$tTPLUal+Wk4?c+$2NdHlY5#Wl;zIoTD9X9OR$B3hp9@auP>YqhPjIW@ z#|1@*O`R^MV(UYr5TLC}NJS$dT>~iiXA7eA0eL6ZN6EhJWz}=wgU2irqB`rkF?HDW z9GIx6kW6uOHwfgRndq9tF-*#s#vLIXzDrwv5`cr^Dz`W)h^`S)GbUkBoL0G8h#eH4 z)ym_uRM1$|@O=IAbqRuE9oHZ&KjVhNK=F;+4w2%5UgqS@eY!P@8O&ODZ!T|pA{*12 zk6j7~g$HIp>2tI$g#?gOY&o| z0F!J11`V)sV5H<0CtZ9<@L_~x0VlvXE_b%pc|M64L7 ziY~MN>Cna5_3dT%vL!C2f9!Umzj&QLOqVY(CSNkbXyOXdENs^!b-M?%N9hqsq)PBp z01Lb9kB%O35a{BJ8mDxSsBw=fLFEa|%s^7#kW)Fx4T8xfZQC)VGd4>w#`e?;5Cw+b zwh&(>O;M+igp{vRpal3_@a1ZR`AojatP;~1YwNaEeIJpB|*5gvjGXHLVps3+bp)601!^2rUyDA zGreriNnF~Tc-AbNb89VHQMCtFVN`Wp>qil{!2R z-qURB?5r#Ih}+q6^*VVJ*VC2Cf1n3Ne#%z2Zgma0OwsE2KvWfz3lpt}59#qL{j+mT z=uaOeC!`6(^n*F!gj#_<)Jm###**T(!Gg=4&;_P4JMoa$7 zbv`uY2AIip{;e4QJ)6s;*4L@{*dcqy?9Cd&RJWLQryFw}W?=EzVbVHQdykr~TK|9Zg-V9}WMl>AZFT)akX zaoULDhns}*0DU(Q?nJz-qV-q!^8AJ;R!t;t}NB6#39r6NXU8F zEs&U9NrPl$eT1B&TYotca=y~2JekzpSI9X^D?JMx@v%qvSwdJ0ff%P$0fJomUdSC1 z%i;WfAs0GaO(ApyP{`bp2w_nHEo$-Nj$@fo0JZ_c zB1xXaV9cNbH(W+{3C0QZ7Ay_CWv7%o{gt^(Oyq<+0meJ$aRWT&SVibJ?qCv^U&$G1 z{T`?FwWt`96WAJ%M^**BgQ)@(PM#xe<=Nzv#~mBvqC6J?DLhV^3!==!Md&qTcIBDE zWqB!E4-*Oo?D;uNaRLG|G%G?rxD-h#xhoaVAoZNWO8+W36BpC@beW~KC!m2~Z=tEs zfC#D1VsqkdKSEKr#rE`lZj6rS3c@cBGZlUnyU3=w_T0vu>sIHCU5PQe-AOszDBG|) zZ#;Zxz_z|6Iu9tuf^u)c4P=}!Q>nj!jM3d1!2`hnJVB)6(9}2NggD5AkRZziND%!- zJ8({PeV-TB5DK`ng270jza?#`cS|Mc;$3wp+IFahlqb+3fcWCYLO(+ZdZL;&)Cc$` zoIGufE3eK-@KZ~42o~Vgbtpdq-1e@!A8$$xdQY#9)9<3QSUxW@&P#1mqE3wD>EnFb zSr2l2lP}BJy$Xo^BD{v|!%9S< zGf=bfyqYd;cmRs84iEjSwlx=?+pRScqt#+L&DrQ&t5=;p6}0U^eU4E5zQXU;< z&k_usH5wSVFfd^l^{;LkqyF$8)~qBBiUFiq>8-v^m-FeW#7JC^2^V=sO~<2M8jrCl zADdb*u7j#((0ruTU`ErW6btdO^W+B7I%|BoYg~!e{71&14G+L*vEm`vg9mV~vE^Z0 zi-*8L0dD_`(X-$g z?9#-@H*WhBn3<}hh7|w_1Id$0m@a`EN-C5xyYeVZ)h zPI-C$u|y2gNlwul_(<()ICa&L^IZKUoe`;1X499nZ*C;_JoD~ILhBuGQ}o zLEZ~#U-ZQ2hT{F&4bSBtQQiTs)AOx50QBcUJ5aETs$EF7+y^}O-Tq7d8CoZ`xzB&^ zwHt$omn9o+k0J8w->2NVhvXKR1GTwT7ONQjcv(%Kbg(|i zW!-PQ1z)=zwT*Q*`*6}DHUfQLphdY~U-B&g{IJrOmg>varbsB8LfaSQl{`=Ygg|@0 zUu@>(O7&&1*`WI!zAu|i>kC~Q0%%p>}tlg4!bDE z;4s?ZYG;5`zt_GZ0X=O8Q4v==D&jCqA6-ve?a0Pqm_E9)xY|(`^_dQvPHrQ6$FbCk zSDvG5b-eBEzmF8TK8k$kxZZoWE^v+VY8;GfuQ1m2_mm>nN7++!T<^Ve7q~|CME2nN z$9%f{`a^_rFX$X%Gi>^sJaEVdQ=jAO%TA-;iG63*7<_4XLoGvn2OTO#lhx~TzH>=p zcR?cI!A5@ocoY_QHB3U=Td=-^YCK#Go1tfqh#aoNW@3*B)BAs0EcY2vShIFdY!nWA zJA0n)1&*>%ewaSa7B73D1J?IPN3mo7nm&K~vDe6;yW;)PQIPTV^m+981M zNl_;zHXdCCUAUe;!B-$fS^7QC!~n%#or225ga<`PUYH->ghdKr`69!&BZ zZsTsB1%v!9n0n%=)IiQ&QK)Pa-p-2_nP3AIScK@?H)G+1h>o?s6Mw*I<`@;9$fnOHtaHopS{@iQg*#VvdcKs z_L7A_$wF{QSpYGz2jKQ@b2qRrqud42-b<|ZwE)5Iu@zYDYXO2^cs4o&zkB&838q10 z^I?QyFK@7(Y3{;kUwu|!I&E+mrjNG6t(EY0{nb~)1?LkwCe~-T?4ERMJ5>p;kD`us zT-VffA!ioGYYr204k=32aFPzQcIr^i!bt*tTdf^VLiB}MQv39UT}joxT&unew|(gn zeTlIID6VZ!GBLLH8A#E3lz+}AtEq$#XaBr&|EJgRe-{6|^ZuvX@btY%a4(V?y-08` z7|2?^XyRTpYxJUtd%-}~>jgf@%CD^*vrQbH%s}q+g20E1cW?X_npoxh-OF>(M(F#x ze>+EIy`wQs4n|QKBq*5pHW%!UYF?U;Ca#Uo~|Ggqr*sl%Xas#TPN| zLXCX>K~kR2p)}1xKicw_TeiUhdEtB=qe;Ac<=GZCs2|O5j(`%LR3?D6)b}R5K%3}o zVpLQI?q;Xe^@@ssuOzKlD$y`hz+b^C@&e@*Dd4hADpIAaqKO4mc>(l2c|n0K>`yUb zKOd&!$PYwIdus0yM7mvJI;fkK~s% z%lqXuTC9C$Gp@pU94%hw{HhQ~I_eiCZAclK@U~@QTUH7B{t$(4!FqF)=q(4q&~>)y zCS<=)o4&IS`C}d20G))<^D;oA_^)6+vddvr0j$agaIku*qNN)7g)yCGaX#Qt_8}%} zJ&rNXiFRUtyCt5_>Eu~Q4-84>UU=UgEpzrD7Is;33l+#01^azxnIK$L9W zpv~WOMNjcbH>HrO4jDHSYAS5%d;WI*bLIaE)_*U<;H*ImB9~P&WEDEswT6DE-n=vE zAM23k`bqu;g-q{S|M2Gln*R)6O8FQvv>x$qQvQ2njjhSln)dI90bsUBNJl01GTws!x;BrqaTQTlmw`{Vc zTS7T5^k!1pY`5;nR>~_w`E_so^@@GaJGu=ezF?q{fm-T2^5&%yR zJP$S-p3r$-Jm`p8SVN2O`G(CB*3}#I8_NG7PC9>6-oh9QIQL!G#R{d8Gm#vAn>(9> zzkB1-uK`W!~#@8?J&y=%cq}VV##hpqYaa16VnDH!7^Opc`LbxRS&A&S!<<=d3%+ z$rH$^$eWueq;1r1ZvwsZo@1(nwAChqHw5bCnEB%{=Zk^%uk^PA#P9Jrd=^JeL(P}vul%6{$==AT2dRw0%7_Y-n=6>|v zPX9)>HQd|Yzu&zvMQDwzPWkStLeK4Fi2eQ%Xp289jK4DFyd%ka_P6mxD9oTx=w-41 zF~zGNMVU&Ax*i()$#c7@8iwW-yRIuk;bJq1Cm>DDo~IIf$Aq-i<;w=S%V54ul1Rok zU(uDO;S-4@+_q_m9m;VS{E?jKA6tL ztcWD@Yk76(nB<_kRaT$Y6HhC|QyJ3J_o~zK>fr6SU3FHhygIE>otHYS-GPSZdK+$- zj?ya~VV&GZ1I#<6XO&eFI1>J1Qk8Tq zg5S;o&1Qg*4?F=RdQ-sT{7i(%z(qiTkStHr$X}qTs>&~4>Pv+#P1ct>BdS~_RMZ)y zX=j+ZkDFw!N;dm|^;sZcsIcq*97{7!BiX z@Wg&@ARf9)C>HO(g-hpJ26O>l$l{Oq+2`wjl{`RsO|h+p zL&rKz2CWOnXQdF-a+l#YNcxefhN!1he#nVjLIEvWDEHoThZ5_$zZhopCX!lo7sXKC z4WZOxy1Ue*6+)rIyF`H6aJs7{LtnVSR|`R{Ka>8#l^-A)bZWyv2kB4=Ae9>eiWt(S z42$7Oj6CiVim??4;aTvu;r4YAAf4zGZT+WZu&rqBQrUnnr@m}gSM{ourA#W67gZ>A zHkz;@g-l8tiM&c9V~i+f?M$RFlBzba67gn7w1L&@V-+{}<_=`h2!)Q;!93jXeM_m{ ztLe$QM~Dif{1-~ysX3Vc;)#i;+n@ZIjtU0QNnj#PYdGbhW55&;Hv@zo+DQNntsx+& zA`c7|<4#k=V?7VcCOAi7DNNCub8kzk?YWd`d$d>4fzTmJ+B^+S66o|KBiFNFd86pi0T*u+T~nL^8a{dfnoJyl*(W&lN6Sg8~L(7AIAY1(q z+HoZ|szlI)nptauSDz1|t*OL|i?FS(S|{}65c_x6dq9ujdduSzJb%uX>Y!W@hLX7P z>A?!rb6K#GLhlMOt7@K%s9I>KHJ&DabEo*uS5qFLbs`Km7dGH7t+s(RBlQI5v9yKg z)+*f0P6lfSs8*#I%vnZeHAYbGF3o^9$;%Ek{LwPk>tfuxQ&z7y%SaHk=#_y zw^NU;3_CHJv03|X!P4Uw#fVv-g8@d6HRNCohLS?ceM%L=Mat^+h388y&p3ZI;lr6p zt5@0+*~GeHs~5}tR$=?d%_2Zfu=&Lw%&gv!PZ%j++*MOXY!&v`{0JV{eojp{S%r0$ zCKQ;R$JBwZXrS2b$yYR^#=u1pbiPnViOITRt5ANiSMp{|Ll2`QE>uWF$2k$$o6?Ag z*Z25gxlnk=$qlG0j#hWXW~n@r#zOIX8`XbipTKfA+b0YK-Wwav&&c1fePWL6uJi{* z%WC(+9+$#0c5Ub+zUj2!QF-?f(@ci8#K+fk*3SOdoX&)ta+8|brm&{igp5zf~__7x`#`}8s2R%?8D_cNq- zhlEH<%ld)_Ve~#4-`7_yPkc3CK9Z)&##G{X;%3=s0-$go9#a`c_xL zK!j}5uCWx1(Hjv;H#6x(?9gh^0$zvXiG-^pYko(Dk6fB*dmOFJ{}g_`s*sd`iJ|uh znr@;)iQ|cfpQ?PutV|6)p=>qNA8Z-AB-wN~RpjsgZi=rI-3 zYwM3wO_q@t^Fp<>I#tWYgbY5c+ElBXNUWR!2ho(VAXvX%_hbi415$AWTt+}Q1kS)F z1PqOiTr><~B0bhuv{fy4oT}H{ycWvvFUzL+r~3&$rH! zZwbYldFw0Y^=$G1YkpqFs?q-D^=*wEfg1AdPVrX8^%kkYaLkqjnf-bdEAhVy4f8v>|fy)Q8RQmbI~bR z9PQnqB352aS^X64alnf>4UY=WI3KUislfqy&V*=c9$;|INq#qUF%fI_hD+RH5xibI z+;t^V!>-tqe$8IUrME>R(_;S>Z4aNuopFRv;B`szwra2bL%Nx{YQ|>=R~Hn0af^ zTu*Yv%QPe>S%tDPQg6&RdmjxkB?@g@y6Vl)O0d@#oEjOJFej#Oc$Q}Nq=|A{!=T(z zC`>tp3N0y^!pPJpx1JC)Cv^tbpdEH3vdY>wHhC%d~&j!wnVl=K&0ZJHY-OuT(BDi0vx+xnbL_-@kqoQlhha$BWUfhnhih^4_6 z`q?vV!)(z0sNWe#gH9d&;)I&$!rs}`YFyo zRfAqVxq#|}_Sk+<@ZaDtms3IpwmwJ68PQIC5@1@R3rKj1r5pLf98Ff&YB*E>Aim#p(RY5FJa1LMBuq7Ku|yoS^Y7nCD7Hb0k|Lv(r4b_kUx zjfj1^r|>ge61yM~4N7!$DQiYJb@7duZQxQnpS$%osroLyv-RKXXisn`yJNI-wh1p% zUB)Pbc;fBnP5LNt5RR727L8t4!V}R`!ip+zQC>JYJ1J2~XM&ncpB+K%lUnr7w0cQk zN^L4C_-^k7RKA65R~^|&J24@(3F#Di-0uQHGiq?tL2~O;v4z*L&ZVNuY)jy=rVV!X zy^Qg~n|$Z-vTat+9^mqX5BpS#yhO73Nk>LJ6@(qIf8Ys5%Jcn{5;EXKTW1sclgg4V z^swylAfM!-3!?ZfMvqvLB~1H0FE`R9H2ru9kb!RpwONYt6kXPRU*5>4VmLDzm z|D>;BI26m?ecPdgdfx=(T#IJCYrD|fy%&&M+4mlnr2#gp-NhowS{hK${3NmDHYl8g zt(LGN0GG-{{WkEz%I`Y9f?IL5!^VOblzQCko;2WD%6n6hWF@~As48&!#hQ|t=GBwEtSj z0%oqSExE@pk<=DSMbWW!g;KUm?ACNB3{Pu*kDx9I$>^Jydal$Hn^C7%2Nc1bih3;W zj3GBkr0!&l-pGwC4)-`^q6rPUI!tbZZMZ>(MthHvo7`s58FHl#aC(VACf8|@DH^)> zh}2R3OGpUgDr%G9HyFB5LILeGwijd3$zdJwc~ozuVqZkfDtRoX3_XQVTd+geu$C;* zg0L6;r^1;w>+YF%h9(W_^tkwl;(df3tnn267p{UhOTXE{*3(ba^-V&%nI+yPudOh0kJxT`rj@(-|?tbzY#6aA*5)jKLb*9 z`e+!o%U^-J!T72D+>RK0H-xhr=tZ)r-HBaCWbJ`+n8Ikg(y$`o>7GPO>Euo^!TkZD zMC+S0bQ#Jmy7iYoq)qtGAP*|&2ap0MJU=qAon>n(y6VWZuK*Ug987X1u(+vQw=w2v z*c0^5npjR|OC@DitRtl4OXt-cA#`OM@*p1o$g?U|978@f3RGRFj~^j3?b4zI7yndz zB5Vp2qIIQ6Cna2^Pegwk*%-g6C&H!9?s^bx91Al0NxTH&?}lYE{5G3V&DJ49q&}F$ zJ!@>6qOLOKjCGW#Z4J?d+tHa*(iCn<#BHCs=9}W3$!Q8H+D1$b?Y*MS8bk_8A9XDN zfkkw(^4D9&ifV{zcgTxR9`-Cygp);Y+;}G@m}Uq~Fh~qr8-`Tv5!B{~V;pQ(vd(^^ zi%u3;0qdMGXh3hbb6{4$DyIDWEC~YYtiXj51nJ&*feR&wf(TfForL%15;}D{xN}Aa zbKn!Fr!G>PY6#;__~mlSQ`{@?%ni~apAlvthLP-poXY~y(Q6R9_Z zznlCN?*7_FlVPKi?jx3r6R}ya5Su^ZQ)(pGO z0K8O!z%6&F1gFlbpiI7sv%q}Q@J8m-%!|J!gozxAgK({j=`L7SFxq!r3xD2EB zYLRZHibHp>-G}kLeeWf2xO26#<+7hfUn+or;c!3S`b*^E_7oRj?sQc07JGpPs7_As z!+%|F)2;}j#Y-GUTUNLfi9ms@-@@gB+g@nuvT~zx0H{;;0kB*S0OtRgyf8J;kC4J+ z{=?^JgIZb7^(z`$fr3Hy_^9lI+Uzez3$^fOTk_;chN#wTB94e!Bw7GaH5)5s1wv_1 zvt@0h)onGUYeOcK=OQP34o$71F0_^wb=yWoZD^g`tIZ?1DiEMm>HxtnolXn^+Vcto zN>J<8U#+-DcX|BubO8m~(F|$_fSgI`j9?g$c65S)Jj>~q0l`U8tmRt}qX#0(Xy$lU z5`D=QpH&4C&_X#9t%n3O&$R@bP-0?MPAA@R@g91#$7Oql~wyR5EeLJ#{S z2JmE3x@xnUfSVAise=!>=u&o082PLByhF-ALxFsu?s6Hv zZ1@`bBb=pCOv(TA1pJ=AInmY%Oi2GpF(-bsjW^H>yeXK86<`s8My*NCuBo0|)2X|7 z_TuFth){p!AN#oqpn7X(4WN3Lvp=3M(8?d^1%k|ieGtKyt2hPUbh`KowEP0fP~(A--EPX`6KWB;@GxI1^<8A zuB|(5o>~7D?W;}K_fcE&dEYreQr^TVJ5ZY4tX|NBuVFQTEJFIG@2}q@`G5gwB-wBg zl3;7*u?}<6cmxy?yQNMMeDmj39(Nwf_nIq;h#ga>$VEUGgt0WZdX6|fH?#ZIdd?BO zym3z%Bmh70`t{#{?0)aC>+>QOiVblFm*2@`^$TXn4L_|y=J=I^DMd5_eZylODnG0o zHfiI@AMgyyhuLc;(6cy1j1AFz^7yvoXS7|$12X3K%jg8Ck0R)d0}#L4jH_KL40C<& zAD_2FA{mKtR>)gF&DIOq_?`Pmt8q8`JT9k`tZ{%ezP`Lv4_6@iD@EPr>;8=oH<7#R z8$aZwBgHKKzDp=X5cJk_VEube22b;Q5H7q3ez`WryGO{MM+lv4wt0PfeOzp21tp*} zTt2+L!e8Kz%TIwnkI~`anhFM?UarU1L`Oh0Hoow-Iy_!GGe~F>^MV^0r z+M}9p4aZmkipeJuvS4rZ^$S==jo0+FlbAwc<_`>~@x zs=9m9+y9#V^G}V{ZbM8`50{G#Ke$CMHlVFRkZgE8>?X`5U!FGWS>DeQbyL!!E_SpD zr1vy__jM7D&|f}FhT1XiYMds1o?*)P=cNaDcbvPUVrfG z;$g1s9k?42(1M;9*w8~yK@jx7o;0AM8~?x^6%#;%3sbq3{0s(3K@^B^PRGnc`F z5mYW|_pkHw4;ozXRhff=xd>*sdJ{j4T*r_3(4XZOr?aQGxeW@;{WM0wDgZXD5p8A0 zIs+mOe0cS=2wNZ&JzUOohVY5tz(-Pz#NK2v#^d8#B1U)y-RC!wj>g7JV;2+1#uFim zo6f`--I+88kN^OFPk9TdkYKN3vIYj?j+w&`TlMLspucWXlte&uyU8?tb?}tF*wR9Xl${@ zE>_On*jn3;0N;K51NVTrW&`2~P6f9->(-(T`_>DwfBRKpAK1cZZ7b!y;D}$WDT>zO zU~9fJnfY#mrM1;0u*7X)w6>iJ*S6t^9Kmt|0Zki7Nvzy}#gwEw17Izpj^R*JaBCZO ze`|Y5un(HDN8;iZlaDrJkG>x9f-tkWe`szs)}x-&ALr%Ah*Dj zG+6;!E4d9I+5nK&UT(7_n*h>U&}{$(?WVZa#BPp_c?~3dpf$JK0BSONS_8Zdpe74W zYm&DC6x#x#2HU?a0Qr>;WZRO*q1uU%;X9S40eoIi!{>-iWZ&Ci>EcDST?qUcN=&oR6fiP8V}?NRS?Vf1exz2cAgEy6DlQ-xsB%9DRq&bG#<=T zY9v3j?y-_}6Doxrq5I9;dS)k91*|Em6Uu!r2%4fgq3HL5 zq$#QsN_;PPZzd$zNhQ9w)sw!}Dm2MHY6xr4&At!{Ey!J#4zf6=?spqpr;-i=7clT` zz?@1bRGp*(gRd|qiEiKWf);qlGq6q!)G;C*@t@AhkTJ%66+_0ioAvy8eldH7%jeMi zicbEI9}Zy*MC$`s0m4@oo}zl#r8?nGsqr}43>U>y9q2Nw$y6LyrRaAGAb$qrr+_l1~wVN^LpiX z`TKE5cOhCsunmR8p>)gL$%Tw#APAzv^>`$Pd;s#kVE&KAM)`DhbJP-m>(NRtUMWoo z83si8*kfSLFd%Zm7K2Z>d;84qS`G-}-Pi&NB3Im1>cN51B#;2XYOC1-;hDp^z)o!t zU~fKIA>h*TM_rBNiX)c?Iz&|&J=`OpyoUR*u|yUf zi6huq*%xl|RT=uZ*v(&ZR6cG4*<=ieFG{!OqoO${5+srsED7xio*C{n;T`jp~FtE4yEn(1L8_5Wq8)fA45C%QwWPPuX3>hnB<^c>m5@kIo zfwvoaDvR-2;5p{XsdtNS4+i&gEhU`Jt(9><+IrFYu`=#QTPDI32N@=l?nU$=3DwaD z88+5*?}#kGB=V#a|27m zGv!7)*_q38skYhH%4d@x&=@>s2taG__rYo>tf?U28`sSJ#iaZuu*#N;w`Yw-cV?Zz zX3SA2gE%g`Lw>KQn5~>z5_Fn0e=Bs9ML4=oeHApFpTl2r6Cir4_1x?4L%NyYua@w& zL%x;u$DG~p%q>X=U4B0Bn`-Q+c@;EB2-1ZS~)0G0`TxI-7z@kOwPXJa%vMb_3 z)FXH5meMD}gYvZwS*+*0{wx`-)*BTe`)p%F;t^`RRG}~)lSOIRy()i5mvs1_qPW{% zD^U51d$|D?Y4f)82iF0XWItp1!mS8nH8&)LMeTz8OGdI`f9O<~R9%ADVB2t}@WZ}? zN_%W!91o%Ufgu+~2>NdL&V%(zzb=N)kFgGzJUi>z%VRd$@qTG z3utAlAB(3s38*_74u?9HUU|SPMe9uMvFy#kxa;+t&1AnlXk^<;2!olb_IuhT10%*mW_53M+~$GAGOD6fjd;Detd z+YU+)7X5sN7E{`Ta>1jXU2-vBkxu&b@;IBUUI52z@%L=`!GdRCvGOm1&?PO|VVd~( z?9juq_SwPB&KLM-%QG<-+81zhYj#*Z%mKT|gdJAd@zdhx<49EQpUm$cm#e4MPq69_ z%iIB#(nCbd#ZRM&=X;Ll2k;X*Ug#-kAodlf5%RXN<3%q2N#TR>pKBGhN<(?o9tk1_ zFb<@{ufjL`eTeaD_%u1MFeG34Sqi^8Yx)8FDe+~z{gRbmg4@TxUM7oQS2^Owu4Lcq?_(Kp}_okaY~n@DSZ=KsH3-#32rJUqQ44j_%$hXjQr1cPF3V`9$->4v9HplplG6D=eVW&ob->9uex}{l)|Fk+yH^ojd z)AAvmI3C}IuD_r5U$8`LXxGVm?)%H4_-sx;5fha%&uj4+yArB2+%$GiShq>!_#q7;K zGIBl5=KFG7&IXNnb2j-7WQ|R1!v-t2eegY@co_H%JhZpHB%*=TS5BtxPQ;u<=T~Yo7J@V)8)#^d) z5^1U80hkP~zmqL-pyqJU-8>$>a;A%i`AWk8-M8h}6%3pyP8bcJW&FB~ux~(EgE*2R zHX)3@lEJSxCR}-tfr)o-$c%JqGq!thCUT8G`eFjV-t@uB%z75}s|VAKyPg^8^cKtc zbTR*%90b@)*4QcRoK4(xuwqST#mzda7veAC#Blwp%5%!Z0R^M=3XJ^Mm5Lym)Bps* z70bbW1Z%GI=_8mOAINO^K*rf=NqL0DJf#5ucnjG18qpX#Q&%^uu4h^61f=pV5z$xw_i8Xy|#h|!y;&x zaTXiVz;H}>{aq~yY+LIxHlu;nECCp?2?;E{>)P`?r*{py%^77z%wX?AyaNu`qiFjiiDG;q)8`@`Eq-Dd*AoeOFjuQx%qT58OH>{HR6er1|$$+IP#5V zwTGEp(@E@wo&z5Nxx1WDm>8ECe12DvDtn(Mg}ywkv7-CTvoFV@=|JCi8v-YDRu9Bk0C^nXp$bp|O_dEC>srV58 z>S1Vwoj66s;quovnC$UEhtdR*UMLIF8TnIKWBu-}!E+RhW4~M)&7X~QvK3du7(?vz z=-xHox}09eT*M18(Hl4>^3_A%u(%ae`KJLPL@aPf1_IRc5b2i-;od+`1@oszlf>j< zuu6luR_~n~P{9P(Eg!3xxn)vh?{V?+3RW1W+AU^<#*Xr^GSamY!69D|Qn!}mY= zKSd|Y$zn02=`DZYV)$(7qB=T+>trPM0{Vj;YO1LK4GxCRi;;7JG)xQxQlL>DaGl(x zFFVa$`VO(G=#^Z~D=#qvFN`I3itW z8|>#C975b0Nmy0Y#t_AIFRgzMGgBMo_QnT@` zIZUS*Ux5q^r5Yr%p8x(xV8r)pFks*YNZMo@a3KuiWjyWPI$P(@rvKop*V9RheDd*z z(smwim;V{anrp#FiAmtIG5BoubGew2Z{ERsiU&|w5|vq`SiVGKDCf66wHa4Gh>M(L zH2=IYo{O{_O;fD{Q3F)gAPAC^jMe2Nz)tC>;?vJ+zo-3R{U1LBJ@R)=D^|! zxgLBb%xd_ypc2IVZ3k+;V%>8xWgoS(dkY8MGHo$jEU>>0O2! zsE?()H3u|}yIFc`r5m?C`)OqRCD=aXHTMi^#?OAbRfP-jdrM1}c+;&pEm$cGYHZYN z9=&tmf%0Gcm2a@xcqFH*aXEm|p{6_mbJF>`UM+u$jvekFbWvf^o7BN{RCVBVM4jpA zR@H;r;mD_fcrA9b>JGU;j~m%f+7eFLNM zBQ`~#6|YHD8y7_=CBSy)3NmrsvscgwHO5R>iw}&}E3pHsqJ&R4xK8eX#CZ05_H#}~ z>J5!>8-MqDg;rwN$rCE-q|;Ag-|dE+0=a`>S&_4p7YD0}`~7#44?%3bAgp+!8bt5Q z)W6lK;xN{&173Bo8j4WSby}$icT`lyZ!aLZkp&x8^3WzQqGDkj{;097O@O9P)@l}P zkr>Yc42j`XkTBKkuVG9L_Sobs@jW&TOZ`5Zlqt3^pkns1a!699xFlZPiE{S5Py&yokD2i_Kg+*gB)G7bafngo*#Y z740{lVIsXN1ai_OQmtlUE|QZbK`V^0e$bMGU{I?LEoUk}u&6R<%Boq)*ElLLTKSuJ zbxTQBZKk57v)%YZ)QJIpl3pmBmI&Wfqm+y{v*iPi{Oa}=BdqqRAXO`}L~d5Ajii!A zMGJWy#F`eSa&2j0p=?`Pn2NNcl`x$MhC5(VJkS1FEu}Mo>h(wvx$@1nZBAp8wph+( z9z=jo=91pydi6Xf3Hj9X>gO|GtYqZJ$I) zkCQ}5kC5C)+b8$YBP91xU5b%DWs068k%*cm5|#13!Fs*o#liSnsEg%K1{Z6y?&;sCSQ>Jw%ODa7@6NC*GJ)GYIlWVdj(}S2+!nsHd|N zU}NyFT%AT9>LKv!BH=W?`ME%8&Wrr+OF&f3Y4{1pzH_=l(ko&%u<2&Mql(KTPsm^ z93{$*phQ`FCCZMVL|Jt=7Ji z_7iF?!06Iw?ZJdi5@>7SEW-Jg;B*208VC?Y<=SV*UHc;UhF>rjMD^6u<4Q=gq|-VS z^Q2QtD0b2U>d@4D-iQ9KtH|T#sxCT4uP`5GDPhB6tew z;i!ndoqfI~%h_^8rhUZ=C^a1ExnCBS(`{{8;`rY|_JvFr>&+XlD>A$1AvOgXZAMBE zhi4@1jfRT$_|9?I<3~=CI}zoR1|m6$(v&zeswi_nR_uKjUr8f~s%Q5OQblwlacstM zSV<5&#{Kg_H}KratyqYPxT$y-DphGctiqcprV={fCXzdTcnBE|JK2ZtWH=ZMM2Qvh znNL2QW9Aoc^YV^0GsG;}lFs&$FXU3cH=c<9yWYR(nex%gDaWenOaU5Cu*Nl6&wkIJ zve{-%SfWy}TO4I7AWLxtYmH+x`@MKttd?X0qR0LCFy|%Her;ASFmWtUd1#Ep8dYBG zs5j?cJ--kTWlvu?n`TF!p*^J1jYSRkd{ z`ZXtonp=FAG%IWbUPoGCa0N2+12+ct3ELPTebtl;bT5k>=BRQ*RP|Klf!gh|`2`2_ zu&R`6!{@3hR9SFsl|x@})u+%aINGPsZ#il+=;b^cWYAYU4HD=TOzo4Yw-0KOKVReC zE_b}(t`AaT83z^Zw3kFi*&du;Vek(qE%9sL2~+YQ9dXuTHhZtCWY+R3#ofy1+Q)H5 zweM={a6AK!#g_j=0cmD{!&)dQa2Sgv8Q&J;U@Vy8eb<39t@=awHh#IO4y9bk25GfVSw0&&3X8egz!5!6>@C-9L9i%{@)AGmv!LrxO}dmcr%#mR#3@=og`` z!1EhR92kN=jboact+>h!ibA6|kW9K=%d<3AJy-uOhngq1Oo0Mv%-cj?X?Xu;AK$lg z945dpC1Mgl|MQx`_e!ho5D;1@-3XB9Hth^uU`@~4cSW4f3%w5pj!Ok0==ZDnrwKE+ zo_`wpqLvTef9D^Ol|D}n^oTZVz=T_yWPw9WG}e{%F~gL_lon$h6_t-1;rzhJ-(5~T z{=&1t43OZ9G`iOeU!Km|%@~0Ef9Br3IgMRe8~-YL|2gHX>L4jE7UdCTxaOepPhBSxc>4neC(+gxm z8zDTYb=|b7(#+*!@BSZ^RvQW?b~(l~!cs-OkHJnjb|p)Iyw$1UZcFBQx7;Mbn@W>l zSLH07$mzF&n!EC9KJYVkw!jIJV@I-JVtU`BO|&Nwet3$g`h(}0HmD&VV~eCP){YLb zCVD_q(k|k;L?)=nVgThVQBYlf5^VPyvYA0oTayXQnKo+_OZ3pB*A>N^^-DDszTA!b6p^eu#V^zs|yNMJ~A{i#dtssdbS2kuzBiYP&3T zCgNjE(!Qb8>7^qB`O{0%!$-%8I6j7LOsycBdI2|c&rZWHJ;G)FNNRJ ztH_LWVL~dh2km%N&T!t2Nv4qk$dl9SY+l8)akcq^yNecAK?_101ekV;}c!X2Jfj-AHthBiIr*jQXp0Jf!+eBaUO# z(esQL9L9oeHQOk?Q-+-*&TI@N=%O0{UF%DWPfkaKNDbQ$4d z=%Tog7Ip;iKP67@up~QRIv}xRa)VP^ZowLy(A(0{MNRbBuw{s@ksAU($+c}=0z+^m zL$f3>02LuOPRK=|!6$#z^5gZ(Dhf7f)-Zvk!?0;y$UV&2$nI{+ zvT3}xSzsi0`B;`wvQ;Oc!wmV*B1K7lJyQ=qQ4gC6w02RTVmG>0d}MUoLpj4hL09Vf zDw)tmmVi|Lnu2)AOT@C`C2tNF%!7JH@5fp>M;EE;unp;7*z&d*R+kqPe6iDbI-d!8)t-9mDf0lP}K$8R3` zHZ#zdO_V-&j91w_B^GW3`I6BEO%vrOC#iXF1~emyaBZVODm}R;S()_u(_x|@j;6u; zBZfnAn3F3g?awzPE+IkGR&)16QluR{4bX}F`N-@M$@V09W$>2lB+BZBCWt!f9jeW` zmVDFEb@UWGM0F#=h6kVQ#!F!R7$r)cF8il=vBSqEVinR|(kI~UZY)Ny(yoi);K0Yh z91G)2%zLuc$9pK>(BS)DDVv*{Un+tfQrvNMuqPH0z5MjQ>?!-Its7r^P#x5--A ztetu4bwFQ1#ELEg$Jn-bDkOD=1r`j)kKZrgxH+ zkvw6cL8;Fs?a#MTRu{TTUU;=w+CPD}NNjQi5&x6SskGutfep7AvCLsp5#(?bd8MRq zIx02W9@opaSs^RX>i`LKHEYtoruKp-5S&Wy$wTD$8+9eg^WVg;0Xx{PzbAHrjN17! zPA!Djb}XR-A^I(1D>lx?GPHX7kZTgXyCKM+5gwg1F!ofH-IiGQ!Hlyx#`7s;&&1A4YUN&A>;0EWnZ#8WEG1)1j}mzO3u#Dhn*_sJh6vzOT- zDd|K5@C>OF4T;o=BypnLG(`w zLlj-qa%Qq)MU<7XFziIVB7D>ZLy5XVbbis$tSs*&Y4)F_=>_VGA!}O4o>bfE!+YiZ$H+Df(bz{NSC zcATYB+hv=6M%A=IIL-^E?X{ z^9+u-d3rW+^9;Vcd3rW+^CH>AP1Qw4ZGQq=J2Ve>`)Kn7O#tQ@79QqV79Qs5s|E86 z4zekoTb#Eg#6~@@r))|)6-q4SoeQSEksS~zr8~{*kd`gwj#wQiu$pI?A&DW549EnvF7FZD&Tj&>;VX2BZE!@G5{MW4s$wLCTyrz!e+#2A~oqzX_`3 zBtT)Q{lSK4i#u<=4ZeSmmXP_gR40Q5{KbKZw&EC+o^cvAiTupd1l|^9C$)-6LJ{Y7 zsSO%6*?TFrgfSC)OSa6=pM}fAHrl@fheT{?P0tRTOv9&Wht-fdMcJyVEkjXS^W-SX ztC}?43C>JShLqFd2po-WDPo;(hxM6y?VMrV?trIq0FXd$zmhXDpOe*YvN9`$(Rs9L zM{@cdXdny4peuSC@_iqo{9w+N_d)93RFRI{^L7$+pm*+^(?cQ78A2h>>7fwkyrB^1 z^iYU%o=}K$hERxedMLy>Lny>KJrv?xBoyMPhC*)R?f$t%PuFCJC8*!@Jy?d2li-{o z6ylsE6yls73USU53UQ=;gXT?s-mr)x?J6{8Ebl#>BH{#xLPo5VkAW8nqO*V+`Zn=L zt$o}&?rt*Ya&q@XfMwAT3$w5xI`L~8ZTyAYqL`CRgP+Ib?j7&KzpH9ciW^*H;USZ7 z*p(hT&Cms}c^VFR*W(^+2Jk)S@nT|fN=c5eM)i^(T}|On7+E5bq7zK61v;OlCFw`L3RsZekcU1CQBMd;lq3~@B8OT`0L8SrqD+_g6K%U|z7?x! z5N86n*&7I4yHYAnDk~Nyn_bqmMK7HedJYRn@-}d*V++h8{yVnMur0L3**3c+PCOW4 zhSYB9ePNnW=^w#K7T42(8cuGKfkMU!U0CIp5ZN3(9dgYm82#!c^GEX4lR@r7-8#9Y zG;ed7^PhB~&x3-N;`Di<W@e1=}~^rsH+R!w-g_@=o(PYr`u&rPX)bf<7K$p#cT)* z+*``x|Lsz{FAo?v%i28-*YWn9z91-~YxR|7^+$KrQ*4)2bFog9DbyuCwjfyuyrwn`0;WPgvw)qLM)k!h{_vV7`MSv zP~>Oy#A!t>A%x&HgM7!0;N+LXXh5iZI}Etp*lY5-fU01H3vxY8AjoskTpJqIMyB^)2nTWU6VS^zvcai!fjR0yDaQi5cC$#EkAs#8=fZ zr7l(!hCr*N1y^YxjR;&s+x-DMe?9)?UH{VFf-fEDAqQ22U?&a_orT&5U&>B~!<70j zU;5+~ZjfUC0wbb-nd|udOANIB1;#}G)NVIesDlgi)Zh|LI=DcS4o);Pd`ElGtg|N1 z@4IM;jnz%?9&XWK6)yK%`it4&q4ltemp@q2h8O6>;Uzk8c!5qFo}&|)9>Y+r6Tf)V zd8!hv%2-Qh-NoRxe>bfKb+*Bt2E*4chx)k~CyA_D4isFbw@XNL)#;2E*@6o@pI^7} z<_W!qo5y&I3;(am?B@cs@ak_L#+yH}E4chvDV9(IkAb~tcDM7gI_&;`&*PK^7J7x! zJx*yTmPtyJkSM1pG*;lE(2x)n1sniTQQ(C_QBmNr7EaMFpcH=mM7C!7!9GCqaQVE6 zSMd|pf0mYXvlSJfC4({k;QSta8{E?$Dho9a8a5HxCfebpbEQmD^9~dQm_*y)c@rSL zMY4);$^!~EKdhpc!b_xoq8GY*wa$01{zSW<5jlw#zU}eot6HvH2r#IJGapSxw?4YU ztFjhZm3?4?K#O<+GCr*KQ65>9SlZ>lfbtMvKYj_fn`nuRm&99M87g$2mY_~UyiyK{ zVXcJ8{v@w6uO8wz^vH-*=kUN_5y0=BgKhYT)=88Y6e4IDK*(&2m)Cr39kh#|W^*+2 zCZ9%Av_O+>v<@&)GWT4KX8qgtWc0@W;{c!54gVr`s7664lh>qXJjJ(IoNE%)s8~}SY8YwJeW{FdJRY-932m>^$V8r zunN&ju-iqiAtDt-%V7J+LN_$%3DVhU?9Fkj-wx);pCHTDG`zyMY+d7EL0d32EQ4Zc zCI<`fO)6L##$th(9ViKLm5`z<|tOhJ)MV> zKR=Wn47en=-vAq3)qii|-*XxUI&Z`1MJ{>hJX;;d=70cBNDZXJ)JwAi9r~;_jn2_a zo6*k~0`^sb89l6^2GZ9#NV6u zH#{r62Ad_B=-+qya9x?e2T&7Ez7&L)%MF2Y(-<$mIR&#tH+xx19PQ`$unU=FwN9ca z9q8R9@(fAhuv4_?-=yZ_NwWJft2`o`BRas4QbW|BWlgZbYb$?y_&2)4-Zgc#%B6Ln z^xY0SQtQ&vjOarJAaTfaXkj+&_ead!R#|BSEX~TZ$A*F8L1q$7kw*j9n%;cOE^Gh| z>MfUh?3o@l6}!D#>=iTm#Yon>x&}FGV_$EPkIe6Rg|jnthMy&-hPEUNfaq#)+ajOt zvs>(gKqCItPOS<}B?3+m1=MUocOQ`$+#8^iijaB?vj@Dn$s)N`suIz4XsUvUkdj{R zu%F5TntNdurjE2uTkCX=f2Z>eI|nO^MC!U}U^*&3iP=jSKF;>rFjymkL3^c2iGCV; z4Bt{!9Ja7t{=fh5$N@tsA>v4>o(0Aqwa)nAWruFV{m*#&qrPZOLAu~LgNGImuc`oN zmtjG8y7p$iq5i;cWf8J`8DEmXLhc)ohviSc-g>0tuO`nChTb9aj@XLsnfPOWWoVTvAQo6LqzaBY_P{3+M6Pj!G>u|-NU(9qP z0E!s~d&gelPh<%ZkBl;9Ovg(Z+5%V^eRLB%RJ<%3D3An)x4~w&V${M;{b1R=KZV|_u>MJ)Iw2d>u%k>2b?YTocC_Q)`LxV*+I4=4aFkC$t0+u{}n zj7L(Ou(xzxalnSq;+DZH30RS&B)7!?JCfGeAvJb5#Q}4Y)|eF6dBp*XlGd145*XoW zjfr5(X$^dz0|C6@npWK+Rkt|Bfqka5>ZG{ND-Og2)2j1I0)fD^>O`<*ajOpQtY^JG zozQ-tPB;*vp@w^&Lg;)5(P+cH&n+t&YPjpUWkur*e>SPT#)S|KIPB^twdX=WXFu{j z=qG*9=RnBxK|kpO9)wIE@XE^c0k5n~AM}$x;6cdrK|kpO9)!sL;7=qh=r@~u;~r$&MYB4s6bg{8~{ zudtMz&{IRf1Cg>6dTJ^-Ake;E%EXw?2od~^10kNN69}CTAv0QL$!M7+qlJegGg@ZJ zXqhFWg@+_FT4u>;;X%lZmRT}dco5>r+(=mP8&^21n+b%;hX8i=(uyPy79Rpg6`4TT z353msum!s65M8}(J67_|Cf_(n0+n@$$`YjHo2~Pa1e)s*&83`<-#ADD&2@<8QciBd ziH{`ET!&~bfiUuK<-c=*M;N?`rdsr_+|~J8J3H1bOo@uW)ta3$9WDkZib-f4tBgHgf0^ z6?Ut6WT7)@g{`xz8}HT|aX}cQq21p)a6%rdPKS_Ikpms*;>)qIoc`P|%ixgCc%wc77-YD;VGIx-nqj+;% z_VIla7WOmP=ewZeaPw`njJNqIw)#mp&6hB7^aR&Kv}0ZP)}W(w<7l~!ci}ohZ8RDC z`0J=YuN0S%j|(}D-qG6ltEM45anZeHG9k>oX(>h9?Z}_)y~^uEMB|>za2(k2% zknzYTPm}eg6>%IPKn#WoS)7Ou%yKEd-W=cUKoQ2tV5aG}hKDr0MG{mYBS|b+ys z*L*nG(7mm}Og9O(EEu%8i^0sfDGvoKOEHu?w-ji>b<}JXUeIMVisi^-0c#lA_H$bv z3-HA;mZ8sGX)GvP8|g-OuIch%z~G||*2W{;Fh6PXb%ky^(7Jw7s4Mi2GO6n)mAXPN zR}5yhS}mc=n7Ed6LmmnU6Df{M@Sf*jX3Z^mD0nE@3Q#6&c--5$d?!LF@|3aQhOc4e zIlph`Jr1J4E>;l-Z$dmy|&q) z8^!*mG9;kCpGJ3)OPn0dVF`wAbE^nW89!lLhuI>;3Qf(+ke?h76I#5a~w`~FIoeX;dubWE4 z5YW9Mrl*1__5o@(55xoX=g83|6b(JGcdop-OJ2FSjW;cNx#1<)l6@^2B&;3V&KN-n zjS@!0E2b70Ti!ES;4YwAsZiVunofkK&49n3DAWhqerV{Ej{A0P&;%zTdLYkkt>ed# z8Mt&iedxY;j&-{jhlMwI%23dq<-zJPtZYF-SCuE*a2f3)`aVhWjQEHg*{{T=P+$MmKLtPxvm^1K%QY;9jZ$AM0zq=hFwyQl?UM`sp-FV@$14< zbhCe~j6`T#^HYee{OTdxKH*yQw}<7Ab+B8Kw7B(QDf7_C%>PopbfQE1p?`-P;gEfYaQne(7qH4m9I6>Fd^GY& zRDe?!x{yc8j?*`z$>jWVW}vvZRik)gd9AG;1^_W}9IjLiXq7SVpo57sx) z<_C3*Dan*$3Cw^d{OsD_E1e?B<)FDRyL~+i*W}5z$HQ_TS6(bNwB-1J1x32ZJJQ-m z4a}EP07~tM<5=lyP@r|^fTJs4|BT`deS#llA9^MqI=Yb`I1~VvlpyIJJCb$L)$76l zuh)fqNTx0ZXo6?!V7td^W!YC>{GMiYIvSq{(xC=ECcAoBA&q|nRT9SnkmVlEJ=g#8*ZchzyBA_Kh&Sy zaA~GetU;ER0(1&$Qu=f9T?JjfVN!Hm1s$-AY;;ov9eSsgiEgQ&152M8`ef`=0k(<& zz|ynny9($~&QUhHmV`NGp6B3Ik%}l_;VU7^krt)*q0Q}@sC%O?4efx>Qq=o9`GE&7 zshAem+TbAor2yIy2-eZewfsf)9fbyE=dqdEPMh-ac zk=y&5XdhC?s2{Fl)T^i4Nu@d(lueE*rO`AtFJj10F!Ev|I41k zgr1`k2*J}?_#Ceu(R_i-Y8F&bDD;?zl28i`$I^1GbIHX(Xxg8t2nICq?1Ht9p4to3 zg|Y++1&;&lsJ$T{uae>&d5B#o*mSdZy`ZaQLcxQZnTH1Vt;J|Iy1PZ#hRqj3*-k%^ zZQB-f^FSo~YqX(nLG|Yg;MP$5kXZ{Xpv>*oCyS_XiS2Swi-qNjW*bHejqgFv>m8VdNrH%Tk}QB zcB+>T>WoY))x|FOMv0Ko^}IEi;VB077roXj=@p@DJJSgZIzk|neH%Olr&^pl0rI3ZU2)D^h)?f6|;O}wpL!k+DFrS53_-iJd{4`&*dHyk5 zHuT1WvTQWl(?qlq6f7fiJT(h?;!Qjrw%cGIE|DK$y?c5`Bor*}de=(D``}Y8Lh&RF zvyGF#wuQ59fkF2qn?(PxCZfsso9i5J@hI8SY&W~;1inNrl6(_=4;NAR z6Af4Ii&1}Yhh+Bu5kFoX)(?E&GiTzY zOt5osPA1qN#4J87rY%j=xZ^*&TiemPsmA&};nbtRVz9!?#;0w3ctHbyhTCOg+)uE^ zYPw;UJfz$C%>NT>vXH2m9`%7Y5S58yV~Lw<9c?1y?G8J-sesM*HhPn0WV&Ed5>-an zUmT7R`K$_qb9P?Nfa^9e7(fwyWd;-SanwHqD+LBnMmJ>!<9F)9tb=0M!NV72q1L#V$vNFY+-JW{nb&4Si#D5JxgzmA%*E(vk&sERp9c`n zIdM}0Gu$R&tU>`w<4~KB>}JLZvZ{bYt2v#1V1@E{owcK~xYgUTmp~x5VNLVXbpcKi7V1g8h`aH%wKO z^oh)TSR`~#mxaXL5<;!%r$k%Z-X>VZPncO7`%_>fj>YbrmOo{ekUNdmIqeRi<#y6w z<*Ds;PQycp*@W0>l+NkW5K5L-q$J7b7*;jU*>@z&I$wP1qp?3gp5}^8K}N)M!MuIS z-j&wrXGQ?)(OjB`Yis9pC@>ETO}v}-Y~Xw2Hd)ycrI{;rlBYqprW)-eL-$FKUEdKp;uv3n zQTMDJmJFyrumaP3xZCg*4|2ONc6aR5MYVP4v`mAb#Q(Q>|M`qp3<%oV&1tyZJYIB8 zt5=M&lg$N^lVx*Q%XF0A$#ZI*)A8UjB2VA3kChcj7506gyV=U5^6ek1lWxzdFga)Q z)OMsyJcX{Mmf=o6-KTJL>zqT2=r8UmZ?!_B4Z7Q4jUL%rN6LLYayqX&?-5IkSHtUQR5eClVL+A7@6*@Y=L>lAKEJB%vJpu$$8JcsV3I5@%;Sz*5sJdJsh9ZF`^{+Bxi zGEhc=Q^}zDHWCGz3S6wSt_&FsbBJjqqbHolilo3d3D40$%AB;zH5A!NQ)HuGy4%zV zU9!tsvqpMkT)LIgm6$rO%j@^8EUUr^g|o)&iu=`u*k>&AfUdru#6#jB!I6i3DIT^m zkIQV|tMfSLXe#p%pJyl$IcL1^1R~mnG-S-a2EyTR8SNO`qD}b{iOclJ*d{M+Z3B5G z`h~jWlYEyrmogllC}vaOpq+KeRA>iBbW);3;xf9aM&eQ$q0$={8l);5E;Tad3LLBp zwZpvXXGO?sk^oN$>2q-U-My+gGZKY8 z!*fkvtldJf!7LIHF8Z4hu~mscZ@r&R1dTt79AM2dQ}?rLL8*mR4C*#c{x(@)Op$!M zH^@DV^YltOQf1tm<7OZD9+ApOtzK@t#;!P?Quvo7>Rco?9;LWct~v5v?I?2SrceBM z68D>>IDEeK>E=0hIcNJ|PhS*WOr?1Y2jT;%O?gcFGi=xA?=R0W{#Sk}9EhWuO>Toq z(Hq|UH@yZs9gPRbFokQj(gyK)v?bfH5=ky>cZiQ|E3Q{9ne}Qho_=-)wlafrui4cZ zoM%=oGmsbsMGEJ!+_Dse7wJrkQ&42oOq*9QTYq$ z#6Df^;w9&+_K_D3t_vIvg%2*AN1$$IJLAw}xw*i~!@HAcNnX_!O3ByHL*cP4A_d!T zEqyH`x%;9ZKzL}b&~B})-Mr;KdVMd6L{oCUlD9TwN|tFro}_EuG+CEqDNCBmHlvxn zKqhw2hzLBn2QT}0n-229W3+FluYS^1gHWE89SQ9S18qd!_&}~jp>Zo!Kl%pPc+n!? zvA%yq1Kui$B~rNcBqeev7I}q<2RSEbVUX!kZcNK8alKdoa8FQorp5L64G_L7b zZ5M9FwLb-imzUu1M4jG(-7`qST{#O_q#-k`)Wq|)W0~SbQ@fma{Uh(W52jF=aej88 zqP6EmgvyM)3-+#P?Es2z@$S$tMadX~yX8Ju6$ex5JbcHMi@0G8rZ`d9OSU(8;fuOZ zO<8YS$qZPKO`qjx-QF!ca&9jrqQXE?i9rT_BL+gxSb@R35d+cNWJ+x?YD7V1V!A8^ z;T~l&H};Uvf2@>)tT-c`zlVhvW3sx6@E zsFh@lJHef`H2y=UOk`0gpSF_TGWhSBF<`Y{=W7(>-!k?p3uXYNTJna$Q{Cm%Lc$LVw{Tbm3vv)6hj@`XqGsqAepl)p-)ScTw)%CAo|DAgkzH zXM>5Z%3TRv7&)w?qpRKFfuv_#A-8L5U9RC{h*KV3N|jL_UP|c7!%GQWd3dRzU$kYE z2d^6X1zTpQ2_3l_Ixi^7L|1Khje{TTHYuwrJC# zhRttH2DmD51#sad{R+6J&?-Ww@Dyyt7Wb4IMX|+|z=iK2SHS1&R_Qu|3$x?{G!60- zIac;qjI{)tM>Gky(aUqV4Y;{w3xbqSk~a}fUj0)lP-z!1w{5hiNp!a_<=l)0l+Lyv zk)>O-q~+o*U1?TIC*2G_EIlCk25Dr)?{?V5p?F}ixW+6FI%2dqeF1vLk=})ZMiRw^ zldw#2U~Mc@90)EHn~ql;2#%JDBinq4 z_HEl9fBH8Isw=7gSO?I8*^gbZ5(*K7nvhqAgW$;{kYw^KjGkDXX_rpe>Wqs^=_9|m zls2tW$N0!P6?>np3Wo#z&|cz;67pDUO;!PoHtB0|hE6)-2qerykA$M$HC%&KeUT&lbT+89tnh|En2WfHb7)DnQzA%%IRa=$vg z9SY~mB}nAXD<-yRC7fsjzE&@2@CAserUInkMYb|+z6pjhI#Bb8j3!1%sc-;9CNpKS zh@)jl>jsb!Su~f&MyU+ zd?#Gp^=rE8L+^5V#6ID9Qi~c(oeX>^74D zSaw!Z`SVdTIe_7x6wJwqEe6aERVgR58DQ0qQjSw%u4R6_-GqB|`!5w?fT3gxOIojy zD8SNj>P4Eckto2<@td%jC@2MZRa8*{8wrC=7)zLBBLb@eoo^fmHHzRBP5sDGKPs-B zJUIPYJu1eRBIcV9MFly~KAFjF1HDsa2dC{akL=7NH%%9kt2cs(@X^Ir5d_RU$q}R$ z$1l+JT1$WzsWY^kX8sESK}JhRkWR%&3IXP=6oDDdBqeLDU`n)tS#1SVM3B)65~Rzm zAQA#h4k?1mD_Ls=(B;q2s;%IP2r^nhf^@kRL_&nYqsf@0-bzt8Afm_*0kK6OfYswi z2lSf#)IlrFi4KJPMN(aYm}@OO0N@+I@a9(AsM!ev+%aXYIzdwPN(+cqmz@y0C?rBa zQg6AoQZu0q%y7FrY~K-io8mwomzurr_ThS0LCAJzfd-of%kXFLj(XeZ@hRk#hXP}V zU`6TgV>At3qQ}u4j0JgGcY`_cdm;=eg$2Y>Db{4xAJ0%fe8sEFGK2**?(oZBqv7ag zjCzM%v(9*W_q1W7F7@Xy(Z_+K_%)ayHj(sI%jBxY-}ps2}VDc2C<9Jw?s{ z|26ln%OxE^upjM~aV8Kq!m?5{3-SU>(8b6{u9ggwFE6|OHVoE?+$Lv3LC5?Elsry8 zteq?tZ31_Q*x2Zb{9eP89?gl1%+B=#8i)V>cd)^F@j+g+3)lfzv{@2;b60&u0+b3Y zr(vnOl}Ocy)Y)+I2mP#qXdf7vg0{8_75-Nv*}$A7s`fmucQ4q5b4Ae_k}o z0;+MrCU_$IYkTf_uOk%0mI``-37@pa#MK5#MVKGrwG4xV$i4w2sEIoZ36Z4(Nx0`C zAsCN>mYAP~h0rR%ES&R@5Dij@gmI?+(4j3o5ed^e7YSeqEhf>VI|P2{X{|W_`OW1&dl51G)jWbbDacXL< zz;GGWIjFgg<*dLFN|`gD^aR;QTk_gtdt(@I%Xbt-8hP%wRz1y-hv2J%GHL{(lk9Gi%eRD|jj z&_I;P?AKcH1W^LRQm@s#sVt!xuV^DR-A%*@%yp$oMsuAIn&n#SIgJ}nWPYo)I&owP z&1_Acqz(#}wljY=5^w$3>dI9CF6vn2Pdw&=zIJu#V*pSl2g-HY8r?0>V#p~jsH&Ep z7n9@SskbFZfXb#ZQ>LpZ}SXGlSn)sK66o3eDVsrb0zN0lSS)6)LcKoSM#0k}5Pm z45^9HX)I7+cv#gmPShfy@4#+b=d`93**RuSRY$6B09Dhjqo)BH8CD13)+?8HfkS_P zMiT9PayyFcq^54&mGLuW1* z*B(6}i|g>P3X#!A*W2LbIa*c@PkPW<(67C^@E%a$Hr)S=w?ER8xzXk+J$_n|=|jgZ z-D%gLIx9fkHxZqnXl%1xbZv^wNEQ2t4_i43?p2(qtQTwjoG4ezRPQBs} zBqID_V-e6bODe+P6ol?h(t;-XR;GY{w$UzJ#+%1rOP}sV4~JcaS0B)yn=p7JiZ{T0 zO`ei?JS_K&DQW%l($Vc!gTWv*v@%6E;xcHc{@EioZJqU_{<7sfS6sxnL%Z*}P?&6XZPxFZ=4+B>@n;*N*}4qzxjt9bbfCPf))nz~AXKe#-nA+y8WOjRHwaQjNHeOEOzI|a!$j(9%U7foZmIP~(H zhev%ta)QsoHF?5_jE#89o$O4VHh}?VsP`tesdZT8Y!kZEmSO_zu3PN#26VxqP~Pa5%R|rT;R$jQ{|vYFN!^5Qy!g>(N!|0q*`v zPsv<%xs7*3>3Fv=Oz2j~S3IjfM0>ufSm|(uZhqfJoBs(&7^H>$q7;#ZGL%R8JRYzS zAeEKp0nM!?l$-b|!j2;c1(-e+PylrLfjQB=~8uUVh8X|N_X&7&@Rn2^avbSqOmyGB{@I9b~ zw=d;#&^iVC5TE1C274%#GPK%e2l9%C{r-qOWgSbWk0cMYEa7^`0M1?%5z!U4ak+b` zbvlUtweQW)FnZYHxu>$8gQWs%W(ldYhEf5`FIm?w^NET;U@0qEO+|q~EKR9h$JOO| zO)U9UBG$4Xi%}Mvi22+iWzZG=;dU^mvRhv!A5Ac#T0cM$vNO>))#x|t2QXjzc`9NnjR#zj zMZAhgq(Z44mme6m5<;OK&3Xnp26CnvIZ8eAx6%l4F4!Rg7P{3<9~s7-?Y@su%6=l1Hfz1oXZk7e@2 zF%c~h;#d)}+YuqoScsJ+896t5Uuhp*XRd#Uz^eA>aF*lKNF-V`V`@{(_d!2P^4RYGS}B6;wc+==2;M{imo@Wk#pDl{oq2-Rvd8T*K&sU8fY2l6oaefx%eK88vD7ihJsm&i-# zbF-RUUY*mLpn6r571{koiaZ=iQ|kT#Meb@PUm8;68>Q~={sKkr>Lv2hiY!$Vg~0zw zH95xpUyrd^$lc;_6h!>b!Et^fMd%jBnJ5-Er9gtf##V)vv09k+4Ei5-q6bQ-sg zc+P7;r`x!7#IslvI^`gPYZ zLv^8x>lv!+D52UGltGlVAHC)3IF^NmlWUKK;fRp%|_Fo(T;4O}FCvXv<g8_HVC1!QLq}Jm-k1j_r>QAe?N)6L11PM7 zxMO{GPmxppHmNaf4(l{tlc$o^QAHWbObu4y8yixVG zSdIc{e^xCt^=5b+k$kMxq_PE^+@Bg|5B*qxKgGsISEb(%c>B_zRA3NFNu{xcW}>0o zfij}!jidr2T)x6W(NN~Qg1%uuPI)LlWRXtKM6-GO3lF8<0EVodrO1`)lQfrKM3rZW zl~pvp*jbym#?1xG89sB1@cM-VA!qsSAqXIx=7fAQy%abO66U4c__DN zp$a-s1p}CY@_y;hCWTS5#Ev=}3`*TtY|nVtaxT`AY`Ob2AWV*bH03)$b5fB5~4=B3_{JQi3jVikce2k%t zR+6aR05f^1zFvHU0W+Cr1B0&3&}+EekvoShB)bEJb-mYMv)c#db$7O8V#c`U&(Y=w zxwbwImd_+vcl{NaZ1KY^|CcvNpSg=S(Q;RRkj{c$6B~z5!9M&^E&x4#brWnJ5eYaS zWiklEncr8-xE2SrpqHyAlbf(}EuOSzy(ELsRr$s9&#dvPoco;U)U0LAYHOf+~r0(-vBr zEL$fsbt z3dviKbzOr3@{?d2tX9Dr`<+$`ipWo%V=|nGyvq26g7Wv#b{VfLpO=VgXHR5R&XMzg zQs=p&nb`#_7qaYZaCDV^r@#LT|33R5bF~bJ*M6^f_xFnL{uc50S10tn0yr>?xpkX{ z!HTRcbXuz(^CNn1K&;0H>54YeG7-4by;v){9oIfdLFq3BZ!g<$x5NJJ9sTV%eu!3K z-mV7c_71?Np}wAn4X~tDYh;UI1DmL7!(mtxul*MBrwvqD@J4mxfCF(-MWElS05$Qy zRsoz#DnJeVoC*M}=@o$(3ZU*{HSU2PqX*9B;Q=v=akPnAJA|tv$S8YxjXrMBdt;Eqk~M-+;!}prukqi1gPQf~XC>j?8SG!=kI=uP9k| zlY+1K)|&4RfudMB2uU>bRLdlKgRx~_xAH+!`GkN( zV>hovB6II1$%ev| z-s3Atv+#&W{O|=UZGaUjk3mM2bT~E?z8tNCClU|h>y{-G{7P~a%qN3uG!2*W_A%VH zC#&EctNhOh*D*LeM&&o-Z743<+s46THF#v(851b_KOXt5n*paFwBow$=^b1WeTsK` zRxY0-3UES#qI{A8fqZ{?D$p?rX)4fJ2?8R+1iFvskM4R#hf@x+%cL(qarzQEtw;-g zofTQ5t81bcX!#ty?83@Hxg#j#2hd)TX;A10W2&DGs6o0*K(BoXW{~Pig8-^~jax}d zbD^_LpXM5wa6e7%@t3&-7Er66Keim#Lft0WmSWtbS7jsmhfM!sI0<=~Q3cNLS zHzQ{s;{(=E5CR(Bvz{ddk*JO7TSmS*g~m}87B6q+E?NiC<{_@#?Kz5pW~5oqmSLK$ z$s8jK&%v{26_%`lM&rTs`oGcizCFK3JM4CbJ04?TqN>@a8@xDKzDraB@)KyMkNN{% z#_b~rTx&}bBwGOJ`IC<(aJq*9j2o0B>7pqFHOH#D{(MQU28Ij;l5DHf)-9npC5^6% zlhJ9=%Oc7*^+x@+R9_g?7BV&H=q?Yv*i3e(Q%&Xr$n#H;7ZQ0hA4?R;QyIE!d8`qP z;-sHQFY*|ucpDgohf*6eYIcHDr_e{_WmuH_4dM>1u}DivshHD1#TxcDFt#(FxQ{%> zQaS~IUKt@qvQ3BV-6wy9zRY^Us%I~6$r=Pugq&%BULK<@D^Ff)Fm#x_;h{r{@G1k? zxtfM!sXUYu#}26vXY7=#%B=>20HCTO0&}}#sS$vdzC_(_CO))o(4h+{*Z$3*r3)9C z7(-2;>bPod6tr}bseN5QX;UcJm*P~^PBqL0dPY7P1G1@)H*nt{m-@~)Y+E8WAv5_g7(7Idp&eAvg&Xta4e z?Do{vu5DaH7aPc(m9Tp2q+A@j3gCyh?jiafZ;3SsSMkf5WTuV3qkPjfNyA*ds9{4# z_HPbr%<2uz;_v&P!8ZJ}eig<}U-JRqsOlYd?RoHo{O4e^30F)27XldUu+4>vJEzKb zn#u^>X=%VxEzgaw>s&A|fhrn8g1CFjT&ttd>cF#%myLRUq zT}?+H(3g)oy7K#0<+2UT0x%0IEVPeZeSQKB;QF-+4dbJ0o0xU4^uPqfIwMJ0`2UO(#+Li_~p~Fr6MIW!pmhmI*nq|%T$`ODD!(KD?Jr~hq z7$YD11qZyGc&x{Kj#z*bT4jT-7Rk#DNN4MW4IVm~d`VA#v10lK2(?bE!J?~KKvzWj zkeo&5F$G*3f`uVRGY@784CZ+}8TnlcrBK<0$uzb_)<(DSKCC|hdjtoxghU?t@sd7U zK{sDOmVn--EO`ahIwGsGT=N4SSpwwn3N~To6j_;grsvRtw$mw68u-cj^x@d2G~D&~ z0?iIDwO3G%_|ReIqau?>KID|pf$BaSO_O{M)VIE40=S?S`?ld|-VkB4Miot9+gwO% zk6`OyyB~*-Q6R>HvK#kFy||&g45KgKLVb1<^;Jz0j0y$Oyw-e+S5@5D2NXcMLD$8Y zAZu+2K1n^F-xcICi)Zd3uvAEW;F&i=Q^W0W001Yy1Yo*s04VO_g zmbpScV&%Q-r$^AhL-Kt5d<8(p?w1?0>N$ZDfsrFGai$;oqy+U_lBXJ^O(0K+CZfPMYY-W|6jKJ`2vT(v1r5Rtbg`ST~+ zt#N zuLbyCDngZ-*8+kX@eU#=grK6DLY4)o2Pd zBTKe)-$}{l>kUh`bQj9W=2~2qY&oA&RyN=8vSiD-qq4FA4Q9v&0?kci^ZMI{&U1$= za)bLF4Sl2~1N1uFAd95?+lJXzHs3+9&3e6Tz*mr$hpq~rZE3bP;8u@8;Vf0IQqYws zK*xF;Q!sfHy3#dn8+tC$mhI;*qlRY_S!?GBw~}=h9(3sU6c(Bi3n)x^3JX(-1#|G7|~f;;}0EPz?%Bo^Eu*n=*w6(kyZ+ctBFj_eTZ_3D-ENmf!Qvew}| zwPUgXCef2va18;I1u&hS#DY5neeqK9b}=U5+>ppJQIgDz2Uf3=FJ2b11munZ`QyxV zhsRHFYr+sNUa3h4w_Ty|f!yNvdX6+*GHx=k8TEkd*V&rxcJK$e^GaI}$Or39oTE4)w2ek1URlNyt-^W}y!7bWBzQz#d)~e$ z>9lLNbRjvGr7Gv%)D+;MBkD}}zwORmh+lZi1laT_;@<@OXn%MN(Y?{>pjGg)k6#qT zxWJA>QOszwdx^*icDo}l#z>8o0s6E>G30!F@V}AmXq^WYc*?P{xAV6Ue(0p|26TPB2tNrn z!7fSXG;IC1C20kUvy`MszSlbFMj2evAWw`=dtz9*P6|Z~vUHH(!!9Kee!n%HwD9L= zB6P>|vgd1|#Lnyq%kH%Cf5J(zAOl)wGG)wdtv$7c6Jt??l)q3Af#KV8v-%v*QHF5* zIh=w*wRU+08D5L9;oPFjV({h{3%Z;=wS4?{b~)&_FDa+%XfzlMkY;pE-g(0USiOcm zWJvh}h3qM0)mdVR65$KceGFg zIRcbC@`7MVmlhH%@8dG%f<7)JSKjF@$dz>OAi1!=$CBkh$CW@?V;!5`Tgl4F&gGCm z(d5pS2F;C-G`ZRSD6=>pLtdBEIDsc<%Yx<Ow+@| z9=Vp;`6(^l==20*Oe}t~4R^s7FFF^7ZtC6_72zjq*-^Ny8HRtOARJ0gEh#*BjaK9e z-s7w7@ceqV?32~4AiHb5y|ueG`Qnf-?%Nyltv?1M$YwDYxq^u{+~m$BZoEZFmql2(e| zcTk(e@X1%~bK!6Nh&z)|7uE??LRk7*C|%m6k(4fWYl^~US4fh=<(ErL640T*1|)D3 z@CFD=y1=uOlrHe@n34tFooc=L9v(}&$iq{X&h_#N(z6M_V+h$&Dt3?v~$%I?|AL{$x8FZ~%{Di}57j^l=l12MjJT89*mx z8!(vj_J!EO&+A?h|F`|s;+h*McN7t4D1^~nqk+T55g_HG84Vm1t~`-X!V)I(Nw~sf z+z^I9p&KG0knef01VR_;K!N#Y#K1HF?NbgZ@g+*SH%ysLl}6H|VaXJEG+dbyP7G6? zz=`44QOa*&ifpQ_imr;mvZGDasJP*-BCn|mNyr1U7GP|=norLtwpnvS`>o$5vWaMp z0D&Dd4TJ%~hl2`O>XQH)Uuq60h?AZJc;ZA;085r=3gF3-nE{yc1bQu&XLY!G#>kx` z*p24O%k6(?^SzIwK>4*UPoSjvuZt9JqHsmZZk;fMisu}0J;5o5B~oOMxgv|Z1=yeL z+T;tK3&4$n0tNXMBzI^6YsOrT=B9F*S~P5NR#CX2FSmP#ZM+T8y33#Qpff0M{njK} z(nlMKZ5EnMOVM}c<4c)M)&UU6ltJQTOc_HS=*-H=Mk$}3(i3A5Z zOC;pyfg+{cJf_5k{ix{WG0yXV5gJG|7?a5b;a}}e8tR2Q>ZaB?@GNC65i3|`DI2${ zqlrgh(QyT?xkGYFAqJ+r0hktUYJJh)-q02KZjenW`h%AKU}_)Gx6(#m#Z>>pln7qK zDc|Gam9N<;Fqu*rv$*WFO^zSQ5dyt7z!zfign-+WWOX2T2(*Bs)*@_dxt3uI16oEx z7}P?w(EuLrPHxyT}LYScjyay5{M6jCX&;lcqc-UMov zNQ$J6F~tHprX-fHZH%CS=rFlJtW2*#^A?4c^;4m2JM(b0#!awHausbiG!IEo&Y0vv z`DTWP|A~Gau(w^icnW2j8Ilx3wd6D|lwYPF?1P{2cJ)|hT9*r@nd!G~aKoq9YwPmu zbOMLoCGX$hzgrzNJ8T|Fo~}Fv3=b;zNbKDy@aU>P9JDN}Grw;S??1>(gHqawq`6oc zM--GS*Ne836`u9(_uFtCqHEOudegeLu^{Flnj8}F05IhJOSs)rD34-&#Ve&1N%fIE z0uF*h%gR&14JZ}abbjMv0|4s@MyU0i5^CCEhC9DUTBl8(NU!E5Vs|84G89(fNXDx2 z$2mkp%YU|Ly-?|LRwnY!2226UM@zu%F0NNUzeqmu>5oh-ONd2=6Q?N9;CWF=8a9MA zowN)+gL;6W3{V5fSiy59_WH?BHvY-&=pQxh0ezc>!D=7=K(xQy&donO^lJB?Pa;;0 z^fSDX%v1;tDX2x2Nm)fwA`LY>DD9Pk;kw#}uOE9n89)UqGO)wKWDnqzl*-T?q~pK0 z9)ex?h_0ij;33+B#uCFp{c%la$=Q9HvA2o{8FEtxiBemG$06Uy@IY&34ot=-AqZX3 z_C~%|y-J=6g$L4gVl~wohcPrx6obb@_7PGy-p9B#tkLN~gGH8(-AU+VnZ&N%v=7SM zAgAj(nJxhyq;Gu^M=6;QyUR4BW>44&)ha3Vdrvsrgq1;Bb>k|>7B!Te4&|oYp>dX& z3V{3KV^3q^`cRWAG4vT~+z36@UZ^jaec+m)`XnnRI=5M!KVT08%F~&rH9n>{K{vqz zNqrfUohU}G6BkO|IeU)Q0h)!;j|h!}&Eb1Mmck?(6J8NkaG*S#<6yr#?4F~2P)g>^ zdP)gO8uKYyku=V{q%kg(H0IMgnP0;tn(T3#MC+)U0M&(Z#`rN=^atDbdbU?Ldyx-% z(+-cV9{T3Dh_5gj&eGpY`hZ)9QoE8M1M)ZIL>E-v(>) z64%2+b*yGU&{~>gm0uxEN7I-b2{~*wcuWonB)SGMfxbyGO;t=?h^Z@MLODPZOj8w8 zyFhzt7idrI0_~|?pgr{qw5NW7_S7%Xp85sa)3`u;8W(6!;{xqzoWDJLV4?+o6}*vY z;eJA5<-z@gdVAC+Bc@S?9%B3yZr3|JjqcI)`r%W#9P}3B^)?JQ=q7%O%2P=fdVF!d zjb4IEZqIHK#`hfq%8NK@b+t~rtKsN&+XyX-S>eM!+x! z3cBFVh&S-btBG_}v~;0Tx*afZM#1ziUnv~BJoFe^Rvsu0ouEjI&w%1kFgY#W2Z~z~ z(!tu>VgR5t^x$$*+U`Kbp?G9k9BMol8ZAkA9qFy*^G9^EU^Sx-Z6b!7U4SPla+rVf zURx%1q3zPY!)Q+yQXlr&JAC|awoONs$+M=D}rTmh& zx!Q&HWk0=>tG+!shmVi zqROMx-7G;mq&;~AW;FA?HZN-3g`yneXoDO0IoO7*)`emmcX(wTpmDU^#;lS_C_#sg z&APhZ>FU?zf>2;&wD}%y*R-*UL8sAXx37o?gA0eJq^@WdkfhQv`YXWWz6=1lqU40c zes@Uf9+p+S!eby|1BTHyob9(^utu6?amoXJU7@^HnS~+8xOZ5s(5G8eY*f}O<=tVr z-wv7Z-hG-~Hp}(GRK#JnRnhMn$7dm_n8mp+T;!eDkp7!Lum+$1qq&tM`A9Hyxu{?6Xm!B>+aXJ8zvf{_dpTUGm+(?P|sw zj0?+42j&gw2kL&()4a2HKKeV6nit%8xs}62@&&eFX!&X8Ry83!;Y1*rf zEEA0%UUtR9CA5Kgjag%3gZtppYz)lC$lF_dP^ZqwG13P?I^Zf^meItw%xm;&)i|}T z(QW$bD@YBy)sSE9&U)k%rA_v97qC~qZ;@eokXuHzxrvrxSYRbfVQme4o5wHx_$dS3 z2qBY>={S8YHwdSQL0A3Jv}J1+qK9xi4LkRnh_+b%k#YQZScUBV$Qd1#*8%tZB^Z6Z z#lvWhrorYZ90zacHhkM7V$kFV6^ECopU=WePLWvz1vW^6pdr_A@c1uqbGqFuw}uAH zz7pJqRv%+%2%E?3kGC45(V#8`X1;`h9#$y?Z9Gof!eIqYGX&XC9;rZFrXeJ>HP#eT z(5bfTR3XK74+eIp;OiOuy}E57B1-u zK6;AwWDyH4Q%vzPO~bZTYJFxJ&~6Z3pJ9hxtDn0QgXXWarc*{|2zQ@Q5W33NGg2QO z_%rr$g+Rnqv_Q|IADEq$;KjKaOqsi4V@?WPH?81F(PD=08#!}ALI$vAK@lELFh4Dm; zKP}I<3qGQBdA^1&#n-e_Q-Ifd=h6qM57R%s??W*|CmSs$bU5h(wqBLDQe#Uh5f(@B#!>h7;) z=syS1hU{+fD8efTEJ4@Ot9ql!m~jbAyz%zC$%$sR-%3to_J1om(VX#H z$%z7pzm=RQ&h%T!i2{hfmE3=_5f+AMei=ET!L^(DG+CnTPPWQ7!Mi+ivZ|G~flq#o zcF;=jNKh^v&G`xDX={WOmHfhUQWW`xHG;#TFxYffg7i`eH(J8t2On`fH^0&5H6*Kj zF~i)mw#A;cJj2wpwngHN?4*z9i@hANc<&)z#%nYf4vf#JReR+uJvFuDox&&(v$ZTv z(=miD|2cck+eT}#;w!C4&Pfk6=}lH7zmuGBMe-ZTiB}}QliV4`>gC7@S0ulaoNz_* zJIVc0KSY(>FZJS7$q82^zmwd5vJn=qNPZPLp-pp}tw==s21d6bZhm$pPi3wPeF2fI zLNfE)sit=Zyw(!!RwVCasMpF=%VHuY3(ROzmt9EFX^Tz+Nywf$Mu(Yr1C;ED^ie`` ze(?BKvpN%=aM8w)nY>D<-j`N=86@1x5DPsKG>Me2!f0^dJa^6uD*>;yRv|H~Tmca0V=ehK+wMK~@xCt0^zSlQ@kqIpwRWVIbSf=9wS(Yc-@9NgQzqt8~)_lCFrEov0Kr~$)c_w@f?=nPZcmI7Sq_M{^uJV z?Ke0TsuV>>JAOaKGY51oLh&~&Xe20>F1!DRRuo=&&xn?GH$|sMFX8flJDb8u&k_^j zKno`;yE$}yuVyIp%_YR)rj5yO!417kxYqNsG13!GDN@4e=YUV}7>VXwr-PEr%JMBN zJlE8`^WeQI46Q4G!M%>bOa(A_3F?zWSMp#&m2exkVD`pvzB3@BffC}-)o2|ok^5)z zyl6pRphr(JA(6Y{XpQSCTH82!V`!lV)7bVoqUDa$7#d2dl(2RhLj%)j@~YF_%bq0M zP2_aZH@aI5Db&ws|BSpv?;oDTEQ)V+WnQj1l?9#+=PljU%;7ypm6?oyne0rA9P{ms z&B%tf3)1&1Ey?#QZRk9Ff~Av`1^BB+ziE=03rx@j!^kFiLx@$<0<-`1!qtyxgN9b0 zd@gU%ez^NV@*Cc!=?}=W%=KIrnE+_Zk|sa6C!axP>m}aq(;NutV>NKCaWSCQIkeUY z8XD&rwA(>$6KDz6uGR!vgP>jaJNW?mcDIeka~?XHd7^30(i~A*9YLlCoK?NO{~voGQC40SKk)A^GQT%M5M0eZP%s( zg^j1zj!~XP7+yh?KB%>IRO;G4kcRSR5iKli4L(KDAZZLP0IpRiq@@T6dqhL>0rc&2 zwEgijjvwK{o#%YyVs-KSh(9F@C@?%jn;ITDEYLq2FC6#n4Og@u?UwOtxFtF6Ht{RX zHwNRH@R=UmC-@V%PiAe}FVwdY^oa@G#KC_hc|T?R3fqJ(mW&rRIYizjUp4wwmxYCA zS6pEVYf@NK1vcA^bFA!C3UszYN))>C_0Ndz@h|tp)k*9dqLvHyM3P^QJ%mkYD^N=M zpJ*DsMmv(~ug4T&!FPX#LQtc3;DlbG#9@7IV2xAqPdm`4U9Ap zG`E1}!f0I)w{DSJ7p|!zbQ_$^Z3v5Q3CC?9AI`StvzNC`!vvT3fC%z7;rb;`Z2G`t z-xG9PsOyPsBTsFp+cpPO0)neI#RXQW6xTR*;Qd4Z2EA@cz)V{jtZzaOPxRu4Ww1An zOVSx$h%TR5Ktu5OO_tvdO~^S9(r{~%es>aWgUxf0{_8s2gxg>rSBxc;uGJ4V*w8TY ziyjkLdWUN2Ru4+udK2x#)*a2%ygqEAB}J_#-}U<0W;!sIZf*xy59jy1lDSjY-(3a` z=n+*kxPO(=@c*5RmZx*V+<=fvhK8<&o}qQx_@^81HhYhUOpt=GWmT|_-HcqYM2DfP z&-f>e{6r*8-^!O|nbLd>+8NK0zme>YyZ2oJMq!hB{lf#T_JrSoR%Q}{(ADun*d`+V zW9J`km8uQc0nf`wNvCbA&8q=AD7&)vZ<<*(^r))2t4&iUG~) zN1JdRu*wYvkataT*gS^2=xKw^+G7;2!^a3)&&tHygVGEy3^WVZ5q8KQ4@+!o>ow?g zB#hC*=yWDCpIK0cRz(Z^*GbRE^V3@Ic8pFNuN9Jvf&VbUx{$lL=-O`>j8)Kep;Tl2 zaJ3JXM33lCtxx@yuCri#k^KIoA|6W5?7eJp%kNQ^QTV1qu#kHL>} zF(?glFW7F28RRQn4dq?F3CUbvR(8yJLubUGoY}VrWnrEMkGp-m35!sZRe3(`K^d68 zZ1AM~h!$A)V?^>Hmy1G4n8z{J@px4pYdt9M^8F-^Hv1#jDBS&7oBn&Q#3=vQA$UZS zFx-xD-&K}?Jt&9sB-lT%qNnFQXlZ)g)PN6wjj7p;8(r!_$(w0glXIku_J*=JPu{n| zI^w1b??KL79-a@k(F?Zo!K&_e^?Zqjzn!%3v|cU;`FxXTvk8`XiOe4;nGc`?&lgSn z`2v}ph+Pu0>(lr>SfTk04G)_obz?OiNPd_g_wt}?EDT_DMS0?dOeaG91O9V=(QD1I zXP%^Qogc6ljw&gJU;==r!Y4pQ&w_m}*rbdE;(=bLqKcAq9!7&UEaA#Eq0X&CgC=Cj z2V0OU9hjTzon`PqPE|ug)P`jJ6>qqeI8_S`xD7$+&~w2Q^ivHwVlcy#`6k}d3RDU{rg{b#Qp^5 zT~CcSoYb`}cif*i*toX7$knYV1DN@kGG-H5DaIhb&-qJR@F@4!_FPe}bkChvF0^BK zIk`g(+Mc_p++W$w`OA;Gl3dH4EaV1^nY~5xixgL~61>ukDHK?9%dzHCtqX$=Y@bP3 zS6AQzWc7jY-!`a;nrWF^S0wJA*})7iL2H#%C7> zZ6=q6&BIklqJC+JHQb}(-xWmu%APZ!cV5mcY^dPAH5F!R>8?~4Ji=WTMj{1YgV&Hs zlIkr}>;JmmGR1A+JK;y>Ufb>rYPjr1NIplG9I zo3=vXK&_2Y;7xnudiq{Pfq_%Y^2V{aVL>f_5@wo)IgakUyYQ8G8!}n5w@iPH z^>ay5&kg!73+BCxNRqsbH;hgEh>cDIKN0034J(`tC5cB8L?^b7A2$Eop0RnW0Y3uNwWlkXg16_2sGB9k2 z{+IwOxnlm``tjBytZW;(ec@g545hlT4WO`9DA?ZPCh&-Rq41oE1N=dY3XTXloBfK& zHMK%kJaDw~be$#wL+HxhEYzhVE5xe5 z#mQT1Xvvl)udy-A(({))^@!KbW1tA~)bUvHSvOi)C5?#qlgmTPT zDL!3#`>^DkH9NWovWLUop@J-DL9(W<4V~HIidVbti2j)VPjScyR|;9 zBMQ`SlKV@UIQF*{S+SGwl^4eW9k1gmK^X&+DeBJGD~%~>!j?_wZ@0k|Ad-{6q$@}j0@A{8Cyj;l}d0YiNVeL+1W}*#hw(QBO z{E{VcYfD0VfCNL@5fVMWcfHMh`kIbT&x$>a4p!CI`v!W3e?2q!58Kcqd^1|@*M94J zbOXJ=cb|e^9-lmVd2dpSFL-`td39E??{A3x@OVz4&X2NY80Zzgd2XEB=ZQO=zp<`1 zMi27MD13ejHtFr!D%x!5_!Bn@_i1LHiCcrp>;rUS5$*%1INBsiEL| zilYr`I0_F39Dgw!t%jr4a8SYk+k32~6EVj5B?(w^vepZOjZe0I9C%@x>G5~JM@)Od z0RxL|Ac%#s4loBNlaB@&M|lU_XMaWM1}}%iPgFu{Z&s(7T0?4x>Wcr4rJ=-YS!_#r zDs`B!FGnM1Zv85p4>^@k;jjbbynmzr*@!xTU3C9)=KqzO+Uc;}Qc;H0Rw$bTRhCbF zxFvs(&!K8)4g%!G+#_OX{{S**3m z!Z$3SY;Iqip)%mK11IIQ-FR3P8xw7rnZ8~h&y$I^%4O_rR;*e{DH%t#HQFyH8;|ah z#Poj!bgpad(!0>1iZY0Y-s!b5k6YbXX zpIOqCMll;^6NQX(nSJIo19HKdjjGL%X|VKvGE<1K=odQ6)rQCzSjN4O`K;zHTMy51uw_n3&3ZDC zCjGMax4W2c!I?;P8gaCJ2>kHAq{S%xV9io0Rbi0!{7wl2v79CHrAbJ>)^kL+BY9gcr;W*2#ukiJ2Y4Kh7GojvADv9haleS+?4+WDd? zAokYT*U!POjj(ED6_5rB3ao7>%zEBm-X^CC%|vD7uQLMl4|ol8ZWX=A^4P*HZA8w} zq<$>Z7cq!=Yf_!GqN+dUGFXg?QXJW}Gfky|CH=FgU$|w7Yp5QgE19$nMn=n=Wgh+C_QC2W+n)GV<4nyb9wm#sv3obyy~%t* z%xJrM`eU+YhY@tSFB`#Ng6%I?Ly5YqNp|oJ>z>II=+V;|X4RQW=3m2$)sJI(JBH|+QBLc{pwjGnV#QPN7;fJoO$Uz z_lbH@wMGIPzh#BU z&9dL~0l?))8Gyt72#x#2{9?k|S6iZe)_q;y1rc5F$@W$kG7IgoPOwVS+EKreeDa=I zO55|#H3>u8>SsULJyDH8Y@a$scdxq|+xeD?&MH5%8v$p2Q#%H+(5~^B4iH_C#meIC z=~j9;pp21=ZcNyf6sIbRh4!HI7>q6P?2H3s<+aeJ#DM&l+TZ8L1Yo(%uKk@XNw*gR zPFu9dV&A`y)>mw)P>d!3d4O!8h40%;>f1<3Y_@G6(!r7EWc&>!+8kX;#b=f zP{~>Gn-7f?6tO;L+2g;ms2gUm=wm}4NLeZHvqtY8m$2z>j0^*if+aEIJB#iPHuB{z86~fY#p2Vlp>b zaih{L;@?f!BUsSbvDtU>!&=N{rcHW8Rft7>X`jqCk8E}PkzAIAZ0zkv9)%IQnzGq< z^5bgaP8L0RI3$y$O&MQsu=Eyg^)k2mz|lsG<8=pq@#TVJv+sobaH%`dOGcO)sJn<- zByB@Y8-io&1b9p+EH(G_7ww`MLPl3EHv3NUI5fsv@-uZz=;-!FlB^9c)8L;Af1{EY zooM9Z?s-et4Vy=Yht)l^te&n72F>J=fy2mC`B-|Zr&ntBewpb!j3VEbQH0-t==Eb< za%T8+l!M(Xv5cNB&#s9T+_8wqCvUT%8+K!?8)g7J`)OrBc@G9a7*s0*gEuoU=sW_; zr~T&Mj}yIX8C3P^N+%xB+Y&}^s1o;^LuBQGC`Ik1tXP}>LJhL}x;;`LLmk1s7s#sC z4H;^(q_lF5JkYx#1G_mv)(T{;8!|d(VaTj#-NN{lK>IA4e+_+6tH^W!Zka$$Jpjw~ zapt0;8q*AQBo$)FbS0NDeQKaf$CBxP^?Yp_XKpTbpy>djj5UEUx1}}PbP#ivoO$sMy5S$Hg|~QRaZ(U1dd*sF>qEaGHK3CD9U^9Dighw@g6I@R8en+aS-ETYv%4DqU}5En3as7%6)2<{ zYOa=rU|}_j3hW?9P3rv^-d*i3;(!S&R5TC3&1&aCOt7SRn2S%cOtL`ADCP+PxU=C6 zz~a+j*bWRFEgr|_bfgpadVT;WXVfKM`%A8VF>P9qD5+EqpqLh|0_q4*RD0%# z^Z6VD3hL1cAndZ3QmuAbL4aZ!v;aIogQA2kE%OdEC(7>9GWmp=NF3DDbY^)tjF#a* z2TLUqvv1B~=DOlrKguW4fZJs!LC#+z%Z@Oz*hZ2gciBhK1x*9AuMTCLb@Q4;zQ?)TtIOX2_{!5;qN>8*)ab~ z9k&a+VheHK(bI-+D7fslEEQeUePSxVBeJmn1UG(N)PZW*?{z^ZD(Ph5KneR#x}g7* zz_%_b9X&>DoR;pI24?$dp8C$ZMn~~6&HYdmC=DoRrXmfuWpU+TwQg%wEFfJl`$egv z$+77wKTaWnYabWhEWrWKikOJZ)LW6s@ z?2~h4?$XGfmX47V;ZC)oBok`soy#)S1x3=3T>Klw6-AX!;`HSWhba_CI$7U)Pa(f8 zjM4Mr?JK(vtUm{*%~FZbQ8de?+e@Nk(n#29dvsUm8gpKNydt3sL-%#V1~#m=KsSTQ zOa#CDL&Az`TXaR3gy9FPW;F)ieA4YWW=}h)%D?jN8lK8461pQaURR-a?{j0EY3nT5 z7e0HSDABt2A9Cl1(Qon)#M>QN`;SL4+a);k3@V57?jky#LU2GcW^jW}>;YLk;C0{+ zXtoSb@5CR9I4|&o`Gc7)avAA;7iSQLJ(mE5IfR?IW6;n2g?me=zU_ZgWOAk?rs?(r z2Monr9D~UT7zYb^Iw=-)m0I{gp3DIQvVr28bBLbZ#t2GVRYpOqz%;gwF{sAkD-tqh zXWK0c3r`ed`K@RTK`5NTyN~zO*^BeUHJ5Y8sXRhbWMt-EzCQc$vqx>s&<`sQr>Ypp z;+@7`u%Wx))6r%mBNJuv{2T`Uee(Vz41-6OC5oFHMUjz>;`nj$;B~X|j}uMRaNq+; z_7vr}m!wEN|5(p*pvcIMaQ5;3nK-eZY+dzdzlx0B3EU`YZmuSNN0}I)lqf8F<8PMK z^Q=hs`hka%KkgsNdCplBYtV$8KH+AuKXaQX%0NnT?B7MvPwGIEAGSHx>BjnZ8wW*I zWy?YrD9s!kUXDAeG&FmzJ{}KejU;6_bPSK&TvCgQSsh{EQ7KGPqc&$*D?nk2nw#&M zB&CTod+ec)09ZaPN>L_Y0(NUaASt!7N{oDB542jDvx21h4-ASnQh+E?p6U1Ib|}oB zwX5daDB9^LMwGUr-~03*HOVc&a^1G@ucP?L1W%)Qnk0;e&fpoItcXI56<{1usIejr zg@Rxil&bbeEKxxY*mu`nyc0(+WOznhikh0iAG1S_Nwc^Ma#%b za$g(ENi-A3{k>1jddb8F zE()D4L9?Yh7g?p1@2cF)!w4oMzWGkS+b?9$3pPEO*#0_-Uvn~()rvit@pe(;M2`;1 ziHjuhl8)*?h*BeG*GBSaEM#x7p1J)xrapd$zB1~XIQ5Y_$QQHrE`6V@gD@f!SsM&_ zw4od`!7=2%Et9g)^s5x{8Xm#NzBvifK`SuCy7r?E2vpseO0MzjMB`~(=?AWOIwy3f zD3!)}Y3md6!kEeYNT-x#2egg8YYL!sGeHrBx0s?OP6SO+%t;56bR?sEG-Wbw|D}CI z)i;c2jlkOmRDHvM9x>8wJX_`8p$ow6D*0&T<|)C`G(Vj7(C(pZxlYcKp!GH?GC=XQ ziPA}BDXn_eR!-6z3f8X7>YIu7T2b0GwXISGr=G^BqMowD3lS9B2j?i^Se+iai=^eDV?XqIzt-4%?866U@ z-})r?Z@!O{ABb!ADXYmMA}rfQa_84Vpv5kyxKd7l{gC{|J%JKDyiITyc~=%Ebwxc` z5*5rcu@oO0ZByhV$R4|*MZqYx|fwom0v zun}d5q^bK*YG~3rz@gjW%U5a|tg^6`+NmzO-nEj8quU_f?LGd*w2Ur#RrBE`O|0at z*!6AG!SY1FQNN9%`zYeHL!}v$c0}Q{1frI;oO+w>lkfA|=i)m)q#hNz~Eg>giJ1+E`&~=mrjIqnBnuChE0c_{5$k!Dv6w))d`ug z_ecpa@ob|Y=V3`QOm$tSpqgYFrm2DR-?6y9Gh?ZZH0eVZsvwSDfa-1C|2v{Ze|5?j z3d~L!xr0zsWa3^dCUzHmV0m{^km|U|BZQ9N>pU;KUw-SdC}Ve!B_Zs=#45(3i#qgP z0&?N4sl+%>k-rIEc!Y!pnEbf)!)V14DzSqP4qUrhPZHwODb^__N~|`D)tDw3oZzIFX5KfbQf?` z{rebP=>`s7)Vz7L!7H1$VxxDeZ^mv{{-QZ`Bw(hXTH@0>_yxmSkdH&96U~Dk~ia*2^&P+pWhwibU?(uQAJwo$l=J$_tY$ z7)H2HT#s_u#ws=n@tnl0z6mN3Rh;y4+6O-W>_?|bCFtAc%$L0+KD>iqWiNhHO95{XVzpg`i63o3QID{k|+6|vi zOP1#-0s4JL$-(;`k-5mB0qEN$8azn=YITW*%%K5j&m|fPhX$Y}<2N#!S*PQmko27M zoi;TooTV}phCT~^lY^&o$675=9JxLIafjxI=V!ct*$G>68ioxP-ivF4k4SmZ8GAT% z9iJQiAd&j{KiM?ET2(O(;?orH{)*S^;T`?*LgGs0k%Ou)<;l&fC_Z z`!GOvyS@MVS_<};q3a#mMVfTui2QQLB3Xv6b#iygjJB1s3~76l5oY#;bsCx`a_j=a zI?mz3pKH95N_v?L>38NInjVt0jw-PmB-#u#Cl%em$_sNGn3}T){U?%Hf{!lQFob_A zgYg*KScS0Rgp?)@fUQVTWCNLpCqLkgjk1sG_@H5WhByEwboJPFut3`O{Rf$f?}Y(z z7)MtI^p;z9=h6vrKan`2fs;5lTJGGN90I^0c_c769Skb;+o#a`&DF>iNSPn{(aYL> z+a=8=ys*%HEo&;p9KFJJ-fyCTP1jc7u3s33f|B$YR|e=_HG~aIbzG3{0ck;DT0=4TmDo@{ci*IuqsiFsH;I9d|Ta zu$s|kQB3TFxkDrn(~$KhA-%wvn%GFDrnwvPll2rRP0jJ2-`uR>9d|nG>7D^qyz$%( zE&r^mozXpOybd=*vdsyxMc0TDKv&KH|4lB0gDa52V{Y(SnsXO$p9eb9&8L0n7Jd&M z;L6~R)wNJoprd=~M?PsLK5-ud8UfEvPgLMG%-;WCpMnB*5X9%;A^ZT6EEVVw&uw05 z*Ug3JzA?$vm_4=|eI%6xkBkIB`@#o-U^G<68v_D^VH9csB)BH~4E zKpt{tu*g$icmw*-c7HK^87d*$0(@Bol$LYhOZ}t%2dLLY@`EMu;M-~w@_@S926>>8 z+qvWoF-up2!Xt|0?YF}p64q<}GZsjFJ6e5vIY+}OS}fT-@qc{!C!M#I8!_K~n@263 zJ)&Gky>E#FRFC9*4q2n}mYzX{bn&T+Pu~}MQ;};DTaM6FA(edKSWxK(719|0z8!Pb z6g93RC4nulF#$^;KOyr@xG(h9;smPZC`Z{xvD9_2^+{cB=xS))%K{-5x4BM#!WzbE z09FAJ*jySxj1e{krRq?@upy=+1M za*vwJY1xOQ#>KF-P<;4E_C|pF9HDq)oHIn-Ilw zb3R`D_&*wRPQN(L+iNCA8=_8$#>A3#^dkS^ZKDw-K>nCgNeT^dCStjoIenzy!)J)D z$Xxku4!@h%iL_1!{A9{Uf@^!p+=r0BvQZ2E)63wr%>f@c6XZ;oBzg@Vlsn48yYJ#=$ z+_&g}E!NX6SvTblS+WY5@1{LUNf0Z(ymf(gd*A7dLeJYqJ8C_r9-MLKu0SNc$^dIk zjRjRSNgb~>`8%Gjh*nfhy!#(Bcm0aiZW#K-9sEc>Tc!P^N~H+x0gYH9a+yr%p*~HF zEv!!PY9ZM8e`6<+feu|h#!BwH2>8d!61N;Z4%scZ_ zf4K^mQQQ=-%2mkAG2Z?s2=}44eS)1-YU=lZip-9Oi@36p;}KUGqJ675%B=<|{NMb& zyMFQG0$Xd^eI8Fz&Q+8KY5hy$#>uW#(cP){PlNQM(czE(ijD;_ZE`z|H-o6)y4Ao+ ztk?i@!|dv=w1H`A8mk9ftPYlaG>xsO;eb873*3R_hLatjb9!B*K_?KoD}8h$uPk&e zIkBM(0#?lM- zSj0)~VCLgOD#pm)JYv;^ReMi^6bo}hs~3_xqsT9;;$HlEK{MXO`x~)Yhj=wH>OcDi zo+aJ>HIp!yzDEe-9}Mr&)qF7#3`yxRshAR!wu6Tn();@M;UB8dwNSkCwJsk>0&PG@(KGi7Ms;Snm5u#w; z8-}Dxg_*!R>y8vtAE}{7HB6o=F4)eZzqm(zyh+FA6?1N0v+(pPc=yN;;`X@v08I~@ zy-#Bc;in{n;-|#6w3y})UdjnwIdQGjS*hA9z*la8?<_5}+K98>#uLxRwfS{h;5P|~ zn$tf-6g2bi(HPa##^o&9wt|LdGRKP+s0Ij!36+h?6CxTqg?O`xelr#|>N_win zj7C~Lg;-DH@dT~{2{py&P+9Br54}g!JuL4WVIJL5(Mk#G%T|w9@`U)CyUAVp&47M` z4c>8oicF%Ex>y4KmPWvHA3MrEifY`P)rFV;h;xoX5PB^@h<}Hd>w*YL5}XNoSa@OR z;`NIp+3;y}eHAE8>8FRi1Vmof1w{eua{xH}yA=ZH=BB&NBN0D>XiG_vx;|Lpu|yUt zDB+v?geMU`pgMLbORK~wzg`uXE)Y^{HamzXEiN&*n83W9c=33UQf(LktNt zj{A@~rL^QSr)+x?RVeYk%qjV6Zj-Lfs@cmRZ`;ZJv&Ne)Gi>&rE_$|J#hJ@wb#mJA zn1O_ySoPu!WxRv)$yG{Iak90k&;uboGdV?)bCk;(S-)yt*5H;aKuyXRawN>+Zdd4o zO}QJz($g^a3Z<$Zcg8QT2Hs|aO_XToldBR^j`f;{t7<}*F~n9t_1gv_3oe{T6&cF6Y~{6DOA9d=$w`+RX1rd*+6lJDWsM}+(-+ug1&V>>LcZCwO zGeoF%lj;aog?f1TEL4s3SOiNOowE974bh4`m!_i!a$>T1vyHJl^Pzp-8$9DVbF3P@ zze-kMy!*~u`|jo!xrxdrFCk}s8o#1J_rg}NT_3`bWZ_l$*@lU$wF||8T4*-4I&$GE zJ{xO5UFp)XGxpeCHD6Ue<*P%N&om1-07XE$zw-H&9Q3%7g93Jn89Nj51N1Np{pbxT zKY1k5$)cxfhz!Lgl*r;!&%71v_qc-PB51OB zL`C(e^oB6>ejyr@)4x6kAQ-LI8bDjhz{!>16hq65XF#Q>`-V+LlCn4ZJB8>b@M?=p z&sLKPb=jzi>f35Y{3oIy9Bw7HVr!b~&A^BdYzX=Vv(e9dyQ~dMHrZfBoe@Ug~DfCZfTHRNvX0Exe2$h+y32$btNF-co?>Gks&N|79Mlyrd-C`C;vI%93%!{IZ!%=p3?c7blmZ` zo%mn(kHK#)&2-{hS;11M+G8~zbag)xdU$hiw@+xj3ASETcW;0iMo`8*F=aejBs>QP zZ@>4F*L8*fdRZDk*8nX4(e9JIg&@om7gM#5@h^)+?0Xbw|97Tf>SgA;F1BQ4fr zH5E-CcTs-k(n(N-^=KG@8E!3Nl{>$bv*G4#lTSXX%*o`|ULgF3D0kWFKo#1Y>Q-sr zU5FN|b~?5g&Qa~kV8K>a?SSoF2G-~%PD@4o>~moxNK$HwJvZB7;Wl31rZe&bTFRj_ zGbf0Kp>_tCdF1ZV;t)QbreWz&zRQAEuH5>k z`Aj;L>autV-lAYDSkADsSWF88(_jx^hu20)1}}A{TRyoJp z19jLgxf|iN1g6UFXzM*NSyKn^2M=%lK6nez)FZ{U;e8vrB6R!>?UXkS$SY;RNODHO zYZYgTzeda8!+rL`(LI`bzwjzG*@U2tgh{B+q|=4z;IGl-WBYDTIirD%fsB@u(SLD< z1C}cpZqVV5%^42%RGi|k>2PJh0T1a-csSN_tl;qMhRR^hCIIz@#soBxIn01XZlogT z3BzyE5J{+hjnL8*> zDL_i#x5M)bHh7YpQf7i+H>(;B6}7{g^tw?L3BVKg5gR}Y%@7szK%?(U<@;00N+o5f!(||AlEI@|j=P4#(yBROlRtSB6rUIP z@QZsYP<{V@q%`I0E)1^gLh4H<80J+6Qv9obq2y;N!U_!eOaT+lPxwR(X^kz(&@O&8 z3-?b^iDq!@_Otwm7C1fzp`1cF(a1G$?&sD*#fMNQUVHH$ zI(mrnE7FdZvNb3lfW3w?tI8W>|geW&e2$k;n zBq26~2P^y}1Vkb$eFes3}RbYd8xB69TX@zsVPQMD+_mxyBusp7>Qk}l9lt#EN zHcso}GMmZktCr+Kj}t=q-5THM#hMfz5M87^m8A6HfBjy7?P zmsQ@&6JTGplM!IGadp8~_wC{`9kWVc$Fvm{Y^l>Ku>M$8#UE9Z{{-4+x%^AeCQYGf zaCwIoq5WtGO@V4gw|kbmA8+oq39_#`%q@3ETM^aArd=+zfgx$OZRUa0=dXX+G93D$ zhsM#y-8O>vRr7uLcf2BA-p%J*Q_Eq3k4*#8MVx@8@R)kwb;=OeyGf6hs7uXy?P5->+Z1r!26rq8?Hg%0RG!w}@zLr?Kc=F!n!mNv+rQ3(6|dbGylO4JuJQ5rCJn znAu8aF;(J53Ns7c22UQF40OAS$!Hk~GH2*iVbOtm9L%PcFr1A{QRa+=9>ozXRY5fG z8Na3%q#|?R%!Gx5hoM~$*o-F`xC4>ObDI82vtc?}MK&ItVohPO2l&Q7n~F1|g>oc=e12L|5NtBYa#;2Q$Uc4B?+9 z+<u=HWrYAOjLg=Jy=LxMgo^Z7~@9~D8^LVPFUossVagfgBfIpYi z*;E-dklc~0e$FnNWZxwF$KXKHp?NGD>`R?x;A3kG+GW)&lO^$ONE&1#KpgO)MDpip zv2OAkP;eRFtS+gj0oNQb-{IlE{ysV+@|zbuC>hfR%23RpBSebL|5kB&fB8llvE|=J|N?0X)IMPf>^wzSOADSl%v#;J2;)R@^pfl z)-+_D%&!K_wYH{OadOv?ehvj-4}LO=ylv268?KrIvDWL%_(l*5Kzm{!y}IeuJ5h-f zG)umv!~)Ym*{>}PvxEP~H=(slAQrC@Jbh=1z~VOe7u#JhuX2Oc6lQ6lS;V{U&@|BE^t6Xlu zd8OCgWmx>%bzZSJwBWqbYwcHZ*#!gE%)a398m_4Z99s41Kn=xOaC68ELsM_h&5;?J ziUt{)GDDS<+f(V;b{>B-VWDZ@2duAIH$u>&^CdH}8UgqWx`&tTKU$C>S`eY<1+p+Qu5gI_gf*}z$lJsEV6 zaM(0B&Z^zh93DVwLR&nbE>h?406kVt{k0)w4b|$kLTA&i!dm1p9D+An=kRE}6@gM= z-HAbJG{E7gM_K;fUkBk1jmO1ub|uESqZ=wN3NxNM_@p*Ojx(0S4cba-abvsuWZ1uX z`Dr1sl;H-eMd_&2}l9~S8oXkFuTSkNM@a+&V?4w+Nu>2M+mQ- zUw>xw0Z5v8By5t4#Ie;+&u33}&vf?(E}kUJFLgRLW`3xbdBMT1Wsc4PzzEHxE?Aal z$fOFJ!`hVjqa{3%*4db+)Cn(P`p#8T?x=Lni+Fxy4o^FJ7Sprksf4N6!{61=wbIht z#@-_(IU}g(a;WkXzIVctt0gZx%zobcZuI};^uwh?t{21##YfypBTjrf=;{tM;(F1V zu1pCZfKA*!RG*A*R248pkAeUr62u zN_YYxa8aJ;E~QKG?B-gr`rfh4{v=}r#P;dxnz|cWzqnMv>|Bn)Kt;}lrMvYWlSpt~ z(I1H6%#~hGSRUa7E>}eIg7O{c{<;(kAk5ETfvR0ByjL255ENAP!i>V*ZX0?*d@P6~ z3R6NwCRWsU$&&7<8?B#>nH!ldnm(S$p_eF`>I2${(@pw_C{e~zVUd!0umx6Xs zB?_*!{qX#vpv!|4#RL2t#^G)qu@y|FQMlh$W2pux%l)6>&+y6p{BQWIyLv zFsw^eUc0Zv8k;R=?|WOa=5I}7@4HV)R;DOtBf&-)`gz?2l}y}Sd`4q4>DEz)*=zfO ziefryn2@XV1LN?+_%pH7pC%_Ij95=uZ^?Y*#h=6tgNc#_Fhvwp5rGFjJ+U=OA5ZGV zkSwf7w9K@0ne{c`iJCbBP3ufWgaZYc5sZ-iebSyXdHBNPF(1itW}B@zOzM-RrN4NE zA@kYW3gKa`o|!Wy{EG>(ncB&gnfdGn0rknfH8+T&X)?%z11o<%s%WUTXdN4JwdhSP zrM3D-=B^hAvaTF?BTocPuBJw7Jni=8Ez4G~>*h;C8GX^V7@+*3jBwC@ zog`XR9Fm!BkXieVjVu$INldFfAAKg%#q5sB7aDnN)Whf)3%m%UvP8(34&W;0f9HGg zgzYGa@jNgke@{dIkp@h+i|KzPJiuv^@EA_29K=w=nlT!xV-7_*7Kg-G(5WQtcd`+L(4jB(w2(Mm)0X>9kIt(H7~T`2fb9R0#~;~!zPsSA7` z^ioL!)dFLBH@zdfBo{`q#IM|+OpCH@w)yCe?MqTht2%&{6WxE<**M*Nzb?|C5d3+I znQyVE{ry}?9n0H)W2&!3NT;XBYF@~lhT`UBsvI@$>^{%E#M`5nZ>#ntcM}89_=tIU6oaQ6|cr2G9Yiw zld89~*!4ZPNDOPGMP9O;lE61wD8jogp`=%kCbFg$Z;`w49yNpJw;AsO>b7Td_%abH_fnXhd>@8g)8A=zRo zLZYL@-csLRr|GDwHE{*=flijMLHNt3Twyw~G;iGRB?xr9tmc%hO{Jmj5Sa5Q=~#l#25E%9hT-4X%2jAF#?(% z)*CMKMB)l*04tAs_VV)PB>X|Xxa=oEam^t*weH3y;WC%k=FE~n30h*Hv&&#sW6&B! z?xRoN@&*;j(Ya-Nj9?uTW48;}9y>&Z4M2z2E&atL_aTRsOn4jU+_~AWX%H7Q(Gqdy z$wANR9R6o=&0Ud}_vG98 zPsY}Q%e|^Vxi!$qV$AQV7Lb>Jc~IvZ^3hOgC=^GVcA zBr5*AH*U$b_w?LKlx>T?P(R%ABDIn#x5g;fKY^H^FQ$s#X@A{E;XV#`&)&~)PiD@_ zRC+DjS=}rokU$+X?gs;{L;hYdeU`qe{~^5m_+y$#GcCscjXP)zrmxxi?Y6A-9(e$F zgwyNv$(6MlwVY4HS&?`j(5Ss;X3d_7xkviqm85Wns%mI3On?8q#hUe(yJeuNQqqnx z3|v8g4QNYcDt~gkoLI<7&qZ+EKJr1$7iNFJ3=A*uIN6o@FtT97&z8E zy(64&T|VCo5_kj7ghU71oVq(UfpP=cK*wBix;?UOEf5FjY%~0rGWnIuAHlvnSaQg= zUenu|Nv7VD``wGhmqRB&xzk?h<{^yefwlykT$O**vLDjd7^#W>sfIoKRTKC6S?sUw z1D*hS=lY*y?2+`4u`7Ky=^3$v_LgNdfS&UVydpa_SlK#{m3qy zi{!8@ySv%AJV#EE1Sx7$%0whrio7Rg1|9Zy5uon+F=|cRB=agiV2h+kv6}4pNyMzu zic4dJRHoTUSr-@r-Cnz63!l_-K0w8)vNTd47Cb#%C(xfz| z2_<|!XODy|?!L63kDwVqCN*zH zF{USPh<;W>!0pzD8q(7{@@*<=2soHO)DTS_%D1ejA>g6K2UZCG?wn>=sCWr(#@Cba zU>op*O&Kws7ir4L)M(~{PfLs8ovat-6Z!kv{q?hy7<`00Ya=g?zqt_=_|rznpLXkQ zx6B@5#_BHo5zEzHFk6c%UAL{{u9_`xqwiUiPZozD*s(W@q}iR{-o<&Q2{k2kE(C6>r+y$=1D{;a=T zH?`a<0p~4uCf$zJuVOzz2GQ#c-w%PzXfq4~)`9eWNu~YW2Cl1-zo+DSY&dP+i~+e? z+N!3u&71b}OSuB}5fCiVB49TIlmP)5UIbEWfPgku>EiwEZ1tHe?e3r_g9Fz}r4Ihq zZR@|OM^HX`02tWnm65w!ICnMeM0GWa^3u$BWzh@2N3B#sT{al|TZg z;5#9auZ<1Z%67=#Q)aO2)~-*9^BmFLbLc;E1}W@+B)C9X;4zOOvAxaScjGW>+cYRY z2S4Hf-N3nCs_FBjR;hVqH29pJ3tLZW%bDoUdtFo~Y#XtG{KX7W zVzm{u^Tl*pH?|N*M`OFbnZcEd7ESYG?A#f5jnA+IK1ztiy?g4|Lyf%6pW#$i7P+YZbGKpu$JV%0A zF<6fXK+YVA39qzU1VB!Tg};x(!c#L)P|idy3&Z0z8{O|k3goM}rSWb{*-TXY6ecp# z7g4x6keAL;^;xRx{JNTmDJLk^4^= zNrvEv-XG=9HjpZEK)0O{8(lwK^Jn{&V$1^kLp4JUW#~G#-eZD?te9TZ7@7ZcS>#dn zG)NgKz>s_Yn4I7PQ|u!6K(0ygKa+)VL!4FXZXch)3+Jnm@FKRm-9CHLy((k`^Pzlv z&~WAwSx1cN;xoB*Z1Wu>2b@(k4Bt0XC=ZF0pS7~i;DKU@4?O0p1&?SsYkpK!1+E%6 zTxan3cZA^y{(IKgIru=e{Ky!ohLUCY>2=Yy_<@IJrLWXmHZMoqCYnWG7k(HqS(7aJP+Z^W9;|IaSXWDk$LFtvP$y}T)sA$xB@qiRN=5_#skMMZ4-rm8G> zWQ*G35dv9MT$*@*hsRY@59F}0#sK#lF0}C-yA-u{39k#1gJgk z?QIQi+(6h$CfLD+PKG{ZACd7*+rCNS%T(4>j@s_FIBb%{joV1oke?%y`YtdgybFVt zpJ1N!ME$*!_a@1xp%wnhXJsek+HKOcZmDbCGrOiY>6)I;4r8FF30{W{vYN(pK}IMonRn1)Sx&sfDPSCjLdg#sfN5pcd*A&|7B^;zronp<-X3N=?!w162{Bm7>w0QnL1oPzD{ZF4a-?-dk&StpLr^;;`$e9pBh8l2&LN)prF=go;F{ku@vGk^TV-;y&E)R~}S`TR+&Uj8ahK4Oo3SS~|YkVSJfnICF>vjQijY_g`R~ z?*^Q$+V zFVFZ;jzsGPUj-5hKG`EFiZ0V zSe@>!e|fIDdL}9KJ_^^r2rDDMobUAi?Oq*Op%DDbvchSUF3bu@f_JkT3>ut9Jkr<> zf5ged+-e$u6R7fHz6d;WQfWr;lY{3WJD8~cQTA;pVKgusc`Dzz zF%uI`faN#o5zGDQMnXyzrAgo{RS8c<2rjE=Ldrf7k!m<)@$#;vm6JB+l)YNYo|v+0 zby4y|CL9A-L^n{7^Ec@x|3pM;87Nzm<-V~E?GjU0JL$F0)%8A#ytNyYOz0eLgy3eu zlkag6K^{i4iICoGM!&du7t=3S;)OFY&<3G-vg;x# zEK=uglLLMH-@TV7VJ&%HC+L)$sl~@`6LhkTZR;cwB|EF+q6{5(H}sXeVNVGTo>Fl# z0XN#XLGegu|M$4x#gX9J z)`17-p31XFYaLiVCe5*$t=TL-szl!8P%&pM%di!_qqd8W7*FVd%PXOu-E{}o5?b`2 zfzd9knSD2q(4vzmrEZyz=cgwK!1~V+hPtfzID<%wvF*s%qL)0!DQkaOO6bvByNsTFB_Xa`c^`OCa(c5#$;2{+$p|%Xb8%5yc)Ll6>e$8h;IY7-;Pb8Iuw0^61 zB&Pz3ci^P6TSt>jwpKUU_r^`jFeTy%RgKQt+;U6_ZQWG!?a8*6bhgnY^$CD{scN;e zod9T3fNldB*O48l-5T-s$Gu^7Bx?meQcW2%$<~o>@gAP_d9u%RX}{qM*8DJ(kTwwN zOae)W8%T5}LL|iX;#_B{wU}71*M1nW}<9NB*YDNb*C@mTqnO1V%a=5T49on(XU-$rrwt+Tks8R&RLNx zl79Wc!-&O;M5$5Dsnn7}Ud=CVHLXL@GtB54SaQq+HL1^EV1$vVG~_AD?(nN7?^WuN z;iK$P=@DMZfvR=TE48^7@Alul-LrQrai3fbtOa%Ev<~vcnrwWdr}T+zsfdrje*yD_ zZobpkYW>k70L;L#Uh@I*B{k1!Tw$yr z@6nX*wr=TrbW4(W*mpE~p;2{Y6y#bm)_Wd4oV^_vuj+CF|$ESBwixmVUCrz3;k zM6+1-_Gurej9MhgS&-Lpxv}VfUrHv}jKJnSc3d=j!^dMG6ADwyVy zJI@^LxFQG#zP8YbXCJV1QVUiLzA&M;(nX796&3+{Fh3*(^i0DbUfVo3j3@GyxqP#T zq_L<5L1V z(dECb16paAGvuKK@c5gadF1bad6)Lc_tAuYU8TQ;*{-c3a%;z&GBg!r?EiB?&3tG+ zNr-`apa__}u+rZwmR-iZc|7-fME3jfIi*4=C96083Sq7qj(W7 z!>pdR-ZGHxTjbj>-Z5JN^M=VjSRKn)_z-9yJ($XGdNZi|!dM1UgCAp7;A+3lU%4%e zH;dyJK?{Y+@;{!UETBqzn2lyLqx4)ycA(Ckq+7 zC0LTl!XajQ(#$-eG&4^q&CKJanR&c4Gmn>M=82@4c_L|Mo=}=GtgZGnS{{W@&X}@O z{8Y=pyGQY4^3yz_{50DruMC%5yX9(1778i|w1aRV1nAKY!b1?Jlb_}Z<)?X4`H9}a zlny%+zJ@6sb|!oiQ#$NSm{GnoC|)rrEFXbeb^+biMvz3UvkVZVcUf+NY{b26o<31A zv`Jb)`VZyCu%^;%#*DkQga?+1?8Afft!}I}kw;+g&TW$A*Mf3$WKs^oByM^rFp-Hl zh(hMu_!5y=mh0Oxk+u0DT`tLTTdld=5E(rFS%=SAxL6^=$Tl&}Quf{x|6=C+;o_Br z1~6yEG6H`3$)9=Zw?h*>^YpVce0~ZS&vM5~6Be(hWb5^wEfcx{?{d`#al+oZNRTFL zHfDm$t%Y{dWa5kcPc5{W?!xDoUZ!O!Cum~@ciQ32v}L-6A!_NtXnfCf+ih}{E?0t_ zO?wbP4&@Nz!BEl^NWr}6eb5&-MJi(6RGeaLTfIcSI>{t@OS6wktK5=pqu1ieq{Tk) zZ#eB7g+*wslPJ&9*bi59+kMdgpZ{FHiwPkAF;2kT5OD1a*FB7k3v=O7GVFsvxh0aQ zchNK5U(wHsOs&gB3kg>K!1xx%iJ%=4hqKo>dnVI_KY>oyPYHWjuJ}z`NG$ee`^6;6 z?T|2gSVc+QIA+1vq4dX!i9cCgO3OlG?1~CLR(G&otqnAj|Jrv!s6oJpzC3}LJT($+UOcG5LJ3ir1i^qzsdo1&X^zt4?=^puG)I}q_nI#y z%~4YDU2{i59cl2}=C-u&NPFLJE~Bo(ye(xOg^+jIE7tVxmfSo{B0_;A5TFAbV$yqT zfaoGFO!k)MH*tZY#yLcDM^H@;4$<5ZR4|-ni&fyFw|zyjw;}OJEvmtiv##5|?34TR za^hJ;0%v{^kf4L5OT*TsVcDK84M&$o$8Dkk_7}%fSQJ*3O#{ZJ)?mpQ9Xrb91aNu4 zqA8Q`+D!vdBca<1PrDZi>#|ION@Lw_D6Gpe4SJI3(ok5JWg4#CK%^m&Wjb!LmGCi^k}XN!KLOaAgn=mL`pc zD}$Iuew~%k09OW%*Q~<&hTsGM;RiKXfgqgRb3y2}3BMmonHNw7=@bCvo%q)zts{cV zq`3&zBB3CH%Ou$J>-9oG1lN0^NupTUf?Isr4wy{1`AKBupn zDnY_fT^l{cPW_p{5yc)9Cxi#$SFVDo7+$8KOc z9(p3eQGa_7+YLTY2}!TPGRM#v#UY_66m3UG2U7-dB&!lwu$omNfCN*801`|U0$7+- zA;7v+g#hM<1_yv)l&qgK&eC^Q`8*ucu6)YA$$$RFYP zDT;#qM1&uewh985m15)Z{*tB*xmiZ{GfBgSyevUm(yk#T3neIT3zpyQY;fN)?#UU; zGfKXFEdFVA+LglNdq`jva-`v7xgqlT81R_HVmZ|&7%326Sn7@?VHKo5R=h4(ZArmA z2d@#iW~HaOcTc$;b^(o-q1c(xLE1w<3*!apr+=bqqkLF<$S>pGZ&{{IzCR4FZ~gJ? zf5}~7o92b>Ipxq$2Oaz@I9HS;!$Bwh-|LY3Th$vCs{uJ8{vG(OYHo#XLlhe_Kn;<% zCu_*EDO$3|$nWp(rpCzYXqdA+5Vu4=J4MThxaA16oJ@PXDcwJd`D>Og()Dsbj)a_j zi>c%zour84oLGf z2&TcKxH(L_)9-IHj!eUBwTLp(D|-z)==2YwFo}NciUQWR`mneOB8BiSU9Tdlb(}NL z+!mRvlU3ZJ=jSS&r^#kb?qy)e7v?v^^{vXAY(cIA$p!J^CCRIaQ(4$DEh-Fifq3Cm zGQe%{priJHIe7}uBpDlam@r1JjM;!?!R@KwT6>nF^&FpOVbR~pQDNd2jS zsm+83Z!7HAZJCqt#jWtt>>#Cg+!}gml)aGAdhv7pnw85` z(zbZT$H%*+lZcd6rEhrRZ6B=G|%g$96||-qswVvxE-ERWg3vXXdcDYTgVOv z%rnRF6mh^TbDXXs4wz$x(`hT>fEg}u=uGV6D2+OpUxw-(h6=7km)AEt)QijO+nZhx zkW2?1C=EH!y@@a9nOx+CftlZ<|KzFi=F#)Smr(;2xXT+#&Di!OOyVR;H+{P3566Ss zd!4RXXcNr*J1SZj#`tc0$t#=B(`Qy0JA9Tb8VhX(idSqZ4LqAx<Yki%uf}7phlx zelhf;ETUYm7YkP4yHS>7n^h9CvN0RA`pfy3vZdWcp*W-Ue`2caq;JybM;Axqq|stO zO828?9dVIarZ<~3h4Q$_ICJ&!9%b|NJ*t&}v0R*eGX76Y$1I9}#zHfpi=KzBsDd|t zjmfuk87<@kheF|kpC7!ioU}2r4KWq-B@4?h3NEq=aYcf~#POM`v{SGaUIjA}uu$`i zJdDTWEndVdHc|ov&Bt4yF$EgtH@NF~@srpRG;k^bG*5yCoH_tnIh(SJ%wJ!^-{CT( z%PLq!McATnf{UU|BP1`rTsyrE%lSekDX+=%c{(g-32^Bp9C8dTJPWAlQ?=NlkkN6-bLsYi^lfNilercG(*HmqXJ3cn_D{ipW$r z;W%$e0d-?T>hE>+V_aNMsiT-||Y)GzJ+R7xEhL==@k&m_30V)+|kIkCYCD5dhJB7L~LkB`W2uPDbIUnuXWV1@jj|C+O9x(Un zsAf%i(LmN8g)_>pZe7kPvt1xL**V>5&(Q9yvY3&`2XTjYkdge;WA3z;Q@f!8(Q&GpkE-#xD zaCLhhdJnmtlxwec(DTPGhaVaKvyR_+8TC!d(sV)ohY8MA7C-SEp7ocR4tf}wMM?A) zE*8R9nGUR#w+vrn@`dVjaVZ&|$l~3Bxl_aJCrN)0Iz{B3_A<=`)>D-j941GZKP@j% z@;lBViE~j0y(dhkv%-X1Zi5W}SB`_;5I%?R;erGqy)Pv3wqR9#WqU9bAY5ee>i_5*tkO5mfM_&4^t8ZTs+YnA z>A@_gVHVR4wDyu-(!If6;n>q(1xH~y_3nJnBOzN%%=sbBp4sCudzThrnegR|ZP)k* z>AGy=l4ZJHJd=FCh_UQutZA}dDj<0PiH_Kucy#wZ#|lV(6H>1c#D;^!K}-b@#%}8b=Pmj$YHhM0a-Szw-8Q64dFql99gWkFPbU`;) zA__V1a5CL6VfnR#_-&o!l0hnA(4l)1tzM!qt2Ed+&RRGpxE zu|BUzt?Gx%gk7Ji>a>S+D5{Hv@5}j)Y_-c>q&!j4I*;C0tUz6qq`9JB13;?Ne!~Jx zzyegF*fL4Dw|=c1Iu$1ApRimRT(FP2mcl-`_gRo)5nCc^-cU`A#Tc2J0ymq`1-iLD zNw8485sr0#T}7j}6jof8#ev9iQE`_X_aIns2`*qql9oUv$XgDp3)Z|kPCotpep7r$XO58hnxlR`3>Hp3 z{hf`gjmK36jRH7s12zyfY$cYP)&k|Z)vF?Ft^*XW$ZA4+n_59T{0mCC_0BF(xgki5 z468}_vljh;ETgQdvh13J)wRi2LYL^20Z9spyTF zg^yVJ`@RU@qalOC!(-)#VKsVDVc@N%bJnUHH^;0b3kn3eJuH`&&YH zn_CTAz&gPea1o8&dF*=f^Vr3^s6{`xCl8xrZGXNh+{-v@SSxOQm#Xeg7rjnwuxq{Ra{YDztJ!ro zPp{}Uas4=B<*l)uVh^csF*iK7a548#M`h^bY;ZYj(c64bc`mL~qJL7!%p|9D6RrG+ z-c-X?x_!c`5QT48Z%?r(VOtm3Zv2?l8kE}ay2xnbvkM}dS@z(uxhB_c+1*Y)C|)0E z3*%sLLl%X1e_@woclPgBBfn(_|CS+chrY8s0TptV|ATxlb*=d0@K>0e=bQT9pHvy@ zI|i`4sWa3|lJuO-ZvSq~UoLc5Kq`Pb3*+0q9n5s-LLsM2H~9VWhXju%cl+pPu?`0) zA&fc)pVy0**Kn~|p5F{-gw?2|v!KNW@ZLF;jpuc$%LVYgJdO(<*GA6;9d3}jh&ng@ zC`(xYQ~$;e+FImKG9^3mrY3pdadilJBWNEq3E+w9z)3iWjgzd*(qtUKhI`4Vys8eJ0c{>mG9Kl{sK>+5^G>2Z+`dPPhx8BWQ{{T9MgAoFu|%F+ zkiIQt!*KhDlJvxC8AGgg>^LfU$2^f*<|(LUB8I3=bm)RFF_h~>EUicGRHDVfq07C> zfhW_-#B>i9J0-ehv6IeMa&1Jy26*8AFS2p4&?&L86FQzu50H>Q$taY_|4W0udx}M< zOm5iiob~{cX*g7crLn9e-#y{CPr?Zma>*Zf$ z@E7qvNjoOsLUmlVx%i9p{OP!fm)#s6Iq(H9BGXxw=FsksivG8u4Xc@^KQ>xM>nhCN zg*2@;Dy|6E?a&aeC5BiXx#OthyJKhw4oUjQ#zRuX5Iv%RDO8;ydPEuY4;pmQTb4TA zt>GX~MmeQw@q?+w#-Ylfm<{IprOyN^My<|7`J7zx0nwWi=Olwsu^y!BCv85!OZ2gP z5c6DedP{gY)V8NEH~0c8<_DFPROjbuXI0Rf8dP2K5b~xb`ID@S5_yR(C82+k)leFJ zya@W8L(aWv7Qd|@3B4Rcb!P-$F)oA2HXBdvE=qr_Kq4m63(+&m^!_y5~9Lm5c&JC!7~kQLyzY3%^Qvc6o#Ra@WEo56j@0zH*P$%^Ol}8XD5qFIMX}Vm;TV0l9__r`IHj-{=HZh#^N%&UeK@ z2j=36Rd@msz@guXU@3+&;HC(5|BJ*T-Hhq}r(VkniX1 zGGEyZ83KFA5A-Vj!K1e-9akxJ(djq_U10Nd#(a#YSvrrFRX5`u5HQ5M4l8O%&t|&P zzC_JXsQRmCsPkl?vd~?P&KamSm-qOn4g^NYYrBp*5EvuR&;bHhPS0>`bs$tXx9hm- zK&bMt=csoLy#r8=G=R{o89G29rA3!TZ_u62eNWgy+Jps$soOD~5*CY8QD$#Iwfwr0!ALeo6 zfqdQd_)s4Y3uuC#**3~R4V%xhs-41_tpEYqkw>GWvA|HqFiOYN>xix05gCEJBN{6M zr68kpEWM66+8vP*$U9W?43M;twpcf&JlHb;1c?(}y ztb7fkF&>oOIs_LE7YM__S$2+6rUkvCsc}y;Q z^tkWc%_K-b!f_;~@N$y?zyJz!f#DIJ^+gV1Hg)O2+;oUx@LugqKN84>zEQ}%zNtYr zbd^HxcU1+`YV0}v!r0DbBp5?jhd7SjB6>w;CIVJ*urOx)MedVT7Up64{61fX#03S@ z@cD`D>`gJk`hI|Qfd8MkYimv%*VcbURl91Rr1sFk#(+6b$Ji!eCKnDSX?mvS!2!Iz zV|1iZyRF@^ZQFJ_wr$%T8y#C6+qP}1W7~E*cD~BH_c&*t@BBZ1uDaKpbKNT$$*58F z)KhD@?Lqfp;V_TAJc!3L=vaH-248F84KISVY6g|ifOF|e_D;XF zK~S?9J$U;fa^n>px@x2Hz0eV9(` zP(;t6Qd{V#_nlVOMPGwFMpviRXv{V^!|&hKokP3+s`k$szr)OGC(9zI{6j60x4hqB zgO>#%*^Ch^_bA|Z>c`0$BEcCdhZJ){UyKe{=5CT)^ zULF!Kpr3@6%!dXrCsm65M#cy5pPHdcXh4|U9Xa-}@y)n-X9W@B_?BVxjEE<--PI$~ za_P*52bm^?GGn4(L~`ZYZszSjsUdHLYVELU#<9$R2`n#DEmC2qm)b@|gLM|HKAbgB z21WSV2Yz)Ogrq1DUlzRm`{yuQ;M=s9(q$slV<{V5N45h-@AVp$;xl;OAIB6`ACu33 z0-T@UhtGh8V~@&o;<`S?bHs>`GF+ie6oC?OEv)bv=x16b}vrkKNm8~pGWo2u2wH?Zzh=1Yf)arh)w zmsoLIDb3yl+2MQ&)4Xww6GwE5)je7+WOR2Sd96RZvJp@W8t{=Vdm4use*Cse9q$iJ zUIgdpRRomTxYf;)@Hi`ysglfHhCn7xN0lcC&`_bHbd3FD&(*Or@km-jLAt65rCeQ~ ziV`cKEBJ{w9WJfAY>E>$on2_;{Hct?t{ncHT5O7$yzqKm6zVdOdlv-so4<%;Uy zkD#In&76IRX-v8k^1s<>&h8cdNomH0?=c;jt)lH9U<9jpVy3}S37jSQRB**^oo3xc zA(iuP*yK)Y6Mdm3Z#RA9>o_tQk%PD7O$EK|7B5&+@i+8QkapdAvY965lA+-=)`S#| zuXFn!I0nf4YE!i{_(4pZtXJs=;gZjQ-$y5DA9M>CF58j~OvLR<@slb4CDn2d&xZ(a|S5xY(UAK;Qa-EJH&3nD1(;8ZW<3nj36mb zOD&^N!BgK2bCy99ot$O;4t8VltTU?hz|d3+Mjn)w1yjCZjr{VYZ~V3ztOF06UvOP_ z@KUk1-5n-q+%xTrko4jfC9duAxT;Tyb)WLuZmf)@x%G;l42(E3;I4NdIt|xfYN)~* z1;|i|m6^ZoUKtJTImAnwyzUhr6|t=0dgsN)j}8N=E`V^B5apTOd!Qy;&|i(E;d(N zNJ=}!$KkZIX%H1Ic;J%xt}#xg(*2_nikWF2ePetQXTAN=bz?LpCU^WaT_mlZ!^7TVQ|tt5Qok)Xv9w@K<6PPezTiRr z%<)#gG zc=v0?^xV56`*5$00ysxWJPU=E-xd0nZ`=}*-u2D;fT7SJBznF1vi@&;53h{j4HduG zzR02ur0Yv@3!wC1|F1nW^@E-R)b!~qN+_P{#c;e-@+zgD79*PtN1ga> zukbP^YD|^h#OC^45%403uXj=t6G^?qj2LnX1I_d;c#nI7UBgk-87heDw`)$Z%Oh0Y zE>RJI@vRHee*Su}^L5#)?1BDcPvHqF4FNo>a@C|HXrjJc3Cfut6OjNCXPJE6=_1^s z|EaH?7W`x?lxbWy;qj{;+I_0wcgR)b`4Sq3%Lmyej#`4+e8Uy&*g@R6Bv{-BO1R08 zZXw>P`U7aC+BM-Q3*ky0(k%>gWrVu8qWgN%;1Jh`@Mr7W^Y7cGQ;(?}VzH55W^_jf z7k`-__1ZAl)vrk|*ll}wm(*g5oGmZj zXMnc(WkXwB4{a6F7i08K&sx({eSi$)Pfby?B!4(Xa{rk|{z$ihp?op8F0+5Mfp4U zN8`KFFv;&Cc9VC(YomRDFV<>7=}8Fe^^8#YIf z>}K)Eo?=T9mP67KVWuzmE8wW^w*vMQ{hn1}g(TDJK(4^)3j8(N$b5B}Vak4zH z`78U=IqhpxpU$`b>?)Ui0+PIreyr&$tiDd{MCi+Pcx$Dz0cP~jLGNW254C+h$NhZr z?_~YwogJ(AP1^DC90TQVZXu56)yuD-DOt7NAzjg2t4m07q`Hcp)`NHA90Aqo*-zN?vZ;l0RsCePvXcBP4X>L8K2;Cl_G>Xg$%}s&EN3 zWuM%MD#~Q%rKJ}tiG?j33W|!7hG;@@uD$c*Hdm-kX%2eU1F>kAx?p`7ejSZjHqp2$ zs&q$zx3ETho*6P-Pj+JL5i?_J*1P@=6(o?Hc+0%tkkJaCD}K?(Nc1QpuIagm$$^eLHaYq5By8{*bS~FEw=>o9cwBf zUKmrcp8=E|%qYLDng#hE*R3I zylU%`vCVlEf>8TSB0t=>VH~#%3+_O#801@5q3Cmd(9RHkrp8DmoLL9g7 z%d`T-E3&U!A|iH}W{6Xpiaa0*xZ7&)=iINo&X<=T%D)P5rAampm=mamm|qZ5*FmZZ z;#c2e5y|G#=2;;go+p!+#7>lRh1EfXTuz*Mh?gyj=0KemDZ8nj~pj1q806{e6-Rt^P4R<0x@EI>7zqy!I^ zxZ_Hi#|n5*Bgtz7P27B~)zo5LFkc4f!~dqSkDqR&sd zhbvH3L1GH4VA;#|(_j#U)_$V5zeM6!9AbpXU#(R;0tO4JqRKSDn*h{HzMp0E78G2}vXEexBI?{wMG~5t z+%AILUW~-XG_Dyx(SfKQX);wXV)w=-C6oG1TOpW6P}b@sOhM1GW}%(MZq~7?BrF@B zB*L?PX&1Vc1Z_p>fr1=AnO2eTu@vgC4g2U!Auvz@@ zZu2KGn_=K~{}EXa0$EGR8y3Vvr~tg52iX-(e8(O!vrfruR}l7JgO&d=fWBdmm{_O$ zFJHi}V6-zjpbJi>e;Pd8J!-5o8u&j`pdZ;0rQA3Set4G&f}D)Q;WB}wwI~*DiN$%~ zh@RP?0tN?LVxnNXSO`gJMudgeqbJ<4dg`PZmbysR#itnVC8Lxu91-o*31tx`<;-bT za^#*YmLida6FD|{CGjMW8p(o*%)j?`j*B626n_;wML&-8>%PRSD+DR!HqD-keXcko zzn;T!C(COd$afIRRK8tZ>DBanPWaa<-jW)F;mz5z<6f-pE<*yt8`Sjue7{ca3L*~i z!?oso919&fu!zJvCpe#yswI=)02Zq^JHUiu74mbeq-$i#3>82~>}{2&kNwje)rsX6 z8C}aT)9fIwLyOhjay+C^NfHiDn{rjEj@|g! z=8SGtXFs@t;|#?{R~Okq(DuuP=>X~xgBvsK$J!X>Km?DGuw5^}sMG(O3T=gm?>oy52wg^QdpVQ?C znUU_ItKwwyPN45&X~y!Fsk1Cx2nRABxdmB*HuZlv8R#;>ISF^=sdX-K4rIz`uouhX zS~~19b#oHInZ7A=oYfbOf$9NX%*@09hEY>K%eUO{vCIh;6Ftpb)ry3*je3lBv;-=1NC!~2Hg z20@HM;(VBlo~Yr4p~uNmmZod;ewX1Y@?Jg80YnH`ps7l@0)W$u~ncHIPmpfoC>yv;R3+4-qJey`Q0vM zQ4B;GRszmNa(2#Jp74aWY}HxtgSCa35K~jW;42!B)L-e;%LPw%da&{JHX}9f(9Y{1 zvO+H2zfR12-7HMpNG^+b;S|U=!Les%_vdDad1~_iT87$HMyQJV&;MBw@#iY$bZ9m3 z&6!8?Bzk&!qt09c?4RN^w_gKMK^>4AWJSr`mLJqkubgYXW{F0bIH_I2lFSFP(-eiS z;jfAa$}^#nbO3Yah+LMiI<#0R;e3%}g4CFvY;TLOt{6`8{Cb=Aq*KNB1s`w-*xIQE z|0X$2$;-u?8GYbS>;*ET`QSl2xGy8RB`iKoPz2>0v{F5M@DYxX=a@ zN|ThEOJDJ&$fiq=8RcnQ;|TM+h^e1dIV*FlaXeo^r}_1TUd(NJotc{Je(Jp z_KQj^kwP^5Wrh`F;H`l~letU6YsZI|qu?rt+o_q@4K$BdR_L^o(VaV-K-+2zAmsz= ztExbkJXuN<0~0l1C*PH(u(nL_8sv}@E#i@x+X4(Ie#YRd>J^;7css7_+e^CEEySKl#>_Zys>IC5h|b*jOP+2CCIZ>!so zjl@4~Rps%=IEnIWIN$zDPD8zQ%BJEf?9HnX;O2Jx!FvTMc=XqN*l$ z&2*6r{n3oMxk4_NL{dhTbqg;=Rf@a2Sr`gK0k1OEzwB?Gnf3>cynBP3`9FD_6pJO7 zo0Vkc_HdA8ZDpL&3s2%&Tq}eFat@wpVb2_eDo{`JaS6gq|N7PL*mfT}F4A%g;-Zqf zT(ia;~GtCr_bS+lJ1UTlDDHTh;8k|ChvE&{WSTFnF~7bu)123s(yD`CV>G~ zq`Q+VNBuM-xmnXf`-ovV@9th#gj2O4Bj!)SQ>L>6+d-$h@mQ1k8tREB^RsGEe7;8^ z2W9Rxf;8x!g`}c~q7|m_nZHiJ?84Sjm|On3xh( zfwtRzj~6lx4Pabk>E>^qi?$xLHK&3bbfVWpT@m5~f`(OEE>$MSFj8*VQjplKbYE1d zWVMo8S*cW>c*<*X_IJgutR+h3#hY^WBMreK{^6O_Y6Up{R ztZHTqygpQ_EoOZH!hlW_PhtGx5QKvU*}0zO<_0&*{$ul_5c?Jk*=YOo{R^U%N(*9M;>3>izsc4ca=5O6kL+(RCu4YoRtr-r3 zBe+dqKtVD}@=8u;cLK|JH~#|kvXmE&gx&sQqI2Qmc%l!JGYdvwrl*M4N{3u<#wZA> zGl9^#n7FzG625k;s8hhS3rEg3$lN~PHRTp4Y2CYhY@1sY(N9+4FNg}e;6QMXTf1gV zZteJ+ytPPBIvo@7eJGCNgemQz;}Q*gBYOj zqm-^du>IdrqUZ_|y~?a38K5X(W0#h#1v01Pv5MXSw-EVAIvXY4O2Z8=oxU&Cc5eq% zdpwIGjo(!KUasxF?uYhOd}et!`eLiR?y23@QK;EiefhB2f*!0>21 zF#p2T&`l7SSMj3yIb3;dSKF_Dfidyw19bkOdbiB8`ObDet-tZekZo>u=MnPb?j`W5 zXVVRQz6X9Q!D<|b;VTzW@JRVrm)CB>h@L(E04ctspukv6Yej!3{+q#U7i;e@==9B%()xWh5B_$&2%3qb;&-gzPQ%Ba+~)}1!uaoK=R zqsHs1hcuEP)13~gTOxmd5wT7|@ZX|@)fjW3?b^#>V%2Sc*<7q!If#skGY-FX!>UPt zvWIPWW{j)eoK#D+Jl!%BdFM5*bHu!JtNnYR^&)yt_KI#x0L2GQOc~s&?M4q5oXH<% z?kCX~y~*d#7P6}g4NkuX3(7XIEr27i@eT^Ye zEexHmR@v9k62XZ&DCqw$6V9k)DMVG#yuAP8kX!?l#;7Ley@_H6Sm#y7=GS3ssewE7 z<+%9USDDw-VRKTU{Ee#BQw;vkKbA;t_GZRCV1f!p87;yJ^&5XsP!PeSF_jDX;_Hj< zj`?Qz2CpJ*(CA48R7_QO_p(pJ9_z?dj%sYvG}AOSi^fl#xfIIBlm@(|!iwa;pjeun`$S^kY6rzI$oaW4>GTGea1!!lHNoR z<8+7yhelN%ie>Ll>(Zf}L|aHZW+Vq{F1puS7lk--_K>C`;0>AmRXz&r85IEwI8`;k z3KsF+0PS=j)?Pt@M@`u6T-6jL^179Px?Bo3amVWEkHT^}GDL7IKFM;$9C(pCGd1{a z=pBDK^Uj##tz_k1xS)p1^;)jZa))&PFklYqr6k6MRbyYfMAHOX7n>6pZLi9>&g?pi z`u*d71W~(5omp+baOwXXx&nr>PNH_(fH1rI{kC!SiA_3O;J zC7De*2oR(Cj-eX%*Rw}38d9N%rdol)h^D%lf`|gXCG;ke>O*%Yk}3^$E|TgBwl9*} z+-XBB)1GfhEYtJHlz5^rz>ru*dy5{4)TY@qIn^eO%uL%Xd^KIusM+j)50e4I|KWZQ zjgnL8(#g!u0pWU0qfhjPLF-vsCT&*fiN^`#2GfSYcRYZV4@jCPYgB=`RW1c^tNrT3 ztLOrpucBu^Vnx?#+=RYSrv-EMf7nd`TMl5e0BnMdx;6MKjUEa>jRmM-uQceu-71>{ zxtHvqt~6`_HF_ZTPM}Br5%jAo_j{yZH&6x`@wVSCaGYJgr~e6uVZXpVPOUNFEgU8b z;tMz}cGzzaGdPiMAixgw+kXBaady3b{YRJCTnN`DSGW;F$)oZ8i zKo$*WqVPZ+ECw+HFj>u!1a+|4BMH?eSHuuQ#b8OvK?-2BB*k1x;PW!|n$9gx8}y|} zHfDnJcB;XWgVA-ODB_Pve+3UE~Gr3}b%RY>NZ1SQ;U^<`_apNs8lHCcWwzQQ#YrVi=zN zH27&;&v~JA`-i;v%Y^WMts90jg<=@VD-PS4Efp-*MI;t`;UX@pwYf>QOC*3#$?+?IooUxyz9Zj!~#u1|pN?RjCxg zL8Dgsz{bsE2C`4XvX;LVz&+cVNOh$1ulZez#YfBYl}Tk#sEmG3ASTPxo&2)ybt8hK zDF#$gIJdAux00f3yr10{s+%di8uJxFu8ZEQfe7YISLJW@Bgzj43FVD1Z}sXf`j74u zthbV?YwzBx73~aOJgVQVaW+z*zLOAF<3X;6-cVMrCNi1jjUEx%zm<~MRqm;VF4cIEUR492jx#d(}E^iK7 zzGat{2BtFVo;<6IvTo<{zjmeMUSb{P@2=0TN#AzU)_=|V$6KKLo!WH6DIL%v zN{S>8scUj3Y|G3-#EyCvqI*Tt z&Vt2uq+}idy@-lE0lnary8u50vN0TJ8L*w57~rW7902JN(I6`6PyoioM8CCf z42u8|@(r_Tomi$rh!XImXiX}TTI)0+;M(sB$zft;)!f)h$Bl8=n z!imnol%b54FNEK~{08DTAiweB8_yvC+@15L-|e{0M%RVSLk)xYV#2bAeGC)+*HojBR2m z0NX555U!yrH)PdJVZfRNV59w)O$W|4fgXr`)1lY|STf;1Kc4J}a_f%Twi z1Fkp%jH>_JDEW`^-!q_v{`U+7CvDNnonxb4=yd@(kv4^4NsDGkG!>J?YHGhkD`|aF z3z!ele`#n|E!GBXqgJaYL;A?I>S+=`!|i&ShVM`WohOk6=p)KyHKWx`4=_M3(@2Bz z8%Rh1{QQO? z02ARzdou@hNIUa0tAJ_(2zhU&mkODfA&ZGZvL_9MY%tGXnM|ZR?{*Y1GQ^5hm=>Ed z5jM`QSc`cuFD-ryG1Tmg90WK0pOOG9wu34F|J1)LEdZ!WVVNujy@3D-{YKn3GQLp+ z#Aq>G^If%lW8fQ;-&p>}?l;cA@c=*}Ez4kT+}Z?Upcpi(Ff4Z29H48V%D3n_2@oUL zzr_t$MvLO#-y-(Zck-t&>_G!C85XP39G20Hgsyp*Ajwb`5qPwUdk7}0($TkA^(}(s ze2d=S;_J8g@hytxev1L%n5@e1>0`YY0sa)qs?p_|*r}|AP)2i$P6CWB5^$-WbUU%Y zVUo+h@RDEd8djYqA!EYz+bT)6RVj0f-V*l|_Z1XMhPSah@}tYxza=hEZdH{5&jJ$Z zWTP|#-~}N6(#x{-L&^frb<4U;1V-A+T$9cM;XQ@+{h2Drt#?CiN)sHIDvAM>&OZya z$<=;1!P8X1nq<5HoPJ>DB0V~OP>!IKNPLu|gL8q;r$E%pkiN`3yF)Q~o^El|aMUEj`mB4`PLBQF=wX8b=d;z>9S+X# zsJAW>sLxenlixR;^&Q9PK2Ni_VOesKWqp=Bc?HC&o#_Da)0SdD{6TwJB#_{($}+#N z=3|L%cIV0GyL)608z4TmoeqctcKijz?^~(?@i#zxUK21=Xl#^Q~L?qRjCxXJ& z8^(jiq%%zO6Du@K`x`4TP5TFFR!jg@s!9J~g$4jLn1CV8iZKAG090rg0}RY>tQh4F z(xe&%6z*zWxJ(eXVtUE4K+=!ujlc%b)GxCJ?&M#%OcJ&-df5QvX}x9GfM1QvY=JvM zm)~g~4?2K6pgRv65UI7y9=OxK^er1X@B(B_oo^X^nI&+ie25Lu#MS}OyIMzQ8a6;0 z<6B-EdH|%|zh!!TK$>|Suprk!(*)r&bB{&upR5M3?W2^iH9^{R$W6g}oQQ2e1-&Q8 zgB^JwD3cC-EXb1{aS8zB1;7oz0)kD4{wGL_9eD?EAs>MNGoA%;v7z4p)51T#s~@lpo7StN^R z8gC1%x_ri^=iBq2u?syuG%AfB!9MPsJ699zSq_bT;Crqgo?*=y-f;nN3OD%uXh#vl zp`k_v_%kPFDBTVU+yZygvq%4aQYv8Ds0}@O=Y9~ohc%xYC|mCW(~-{})o$jljuUAa z>LJv;4P0fdT>=T1;&%~kFv4b!yYuF5+Bo+H@_6VHIf}xMXdz^ zaR3o&-!-i4U%b1!?D|yDD$Rccd281;l z$*_+JsR>=iWB(x~OBBrb2R{eCr}l?j6a87PuVJ_p+7VYFPUgQwYneJuX9*Bab&{IG za~Fxd>73?Wa?i-ib_18NU^+dH;{g3oQub!lYd0XhvrmfS$~1V{r9J6?#uAk=V@8lm z7K}7c2y4CS9Xp3m!UZb=T#X)Cv!F4eJ*Do>_S@A1-i_j)yJ*@rBEF`-Y9xTyhQ>3< zZnvL8Z`wKyTrB3f5Y8>`NGQst(#e%{f;;6kCS67`S{jR!t$MNRg}ZZGf+C7Z>Ac9B z4rf&in+Nq7wSdJx8;gc5pfV5UlewCTsz9ijZNqzVn;OyZwQj+>ipB(`yK|daVfCcn z!KzH<{X3ls$zB3x1HcJ-|=}9++xL? z0)_orEPMHAPhxHF0*^mv)Xsj62_;ztwjM`7W!+?@q_~9Lj2g0CBUoJG2}2BTczJDG zKaDnfZ3g`{>fjw532}KAqc8{htVqlZrc+mR#IH?Oas=Nx2sp5|sJ%Mk)%Ayffkl(G zqi`7SG#<{mhdp$Z`!qq?AnOaZEY%kC?%D)?m66NR^ z&RrWbD2q_cz-Y&8JzXQ=7mZZpG2w0SS~QPFg$p~VgaT3Idsrw!Mb4#`r6XOV&`uEs z9>n=YRL7UrjEaoHXi7t(n0Qs#FU17pYpzQ>7de!OS}J64ff;El{U@^UJ(l_?TzGcEWSFKvK7=BE;2F7t0C!gonnp|>DYh}%$M zELd4tF`z&eM>58HGMgXxA?{2Pe}wfNA?_F{b7W52PNb=Qm|%N#B(z2&it0t8g-)aI z(UniThy>wP4P53KC9K4mU}wUV7$wR@@xkvB=%f3p80Qheuiy&|V|hyN813CK;Q|{6 z(fWQ&hz9dPq#R6pq4!lPM`Syf|595Wrb2NRoI2N9i+SEJOqdeB5$c~QK=N!z%PKG^ z+uDVdt{+M7RWjVqGL(GO0?}}`M5AC4uQw=k$(kS?3y4$mWNsh@Jt8FlcS)8}lp#eX z-iegLj^e5ah7Y8nvt&H0MB#$1MlR_qZ4f$Pj7KAZ5}v~%=Anvx&F%d`{kfEmDv2qe zyQ7sr3}H;^F>~DCTGOZ;f_4E7_+XRUl+wHXxWBYsIb_aU>a(yk$JzrIO^#3~QrIzC zjWY<64qg&d_PqJcio4lz(^Uue2mIKjB;>Ekf@+^FiY6GciMrGMD;XWu?N4a8tpVe( zh^#yI(7{57>S7B=l#a=o{^)F4K{Iix9nu(xrrseKW$?@ck395N_qM-&36I3fX-n=% zP+BV-zePNr!?`RTq43$ih{1RSQ{oLDj6G6^M8#UB!xW(lyMm zgK;H66;*C?Lh3s^CBlfpGbKS*QlyI8P+LxQJW$I;(9NW3M#$UujKqjl$3))Iz?8M} z3kXaBGALBWFjYhfu0{FlHhe@jKHYp~_vOUg@xKlKEIfQd;o9>qE_{QoUyu=wIilcB zv~I0kAbsNJeg|uz6-*9b!JQ=6^Dp20;1gxAK)fm#k$uUp0@CHk{_SF(Ft_;=q}}SG z5@FU@fFaD#z6P)0<<%wUU2zY3lh+mB2RuXd*{?cqbD+i`RCaswEF4vm2xEL&!7m9^ zZ$MW8|Bi)n=J0@Kp|{%-KO{X280*SZ@c9y$|pfZaLk$Dvp#F~bmnU#oS7sm zyB_Ez!RiPpkKVkD{5!BV!7GO0A@ZG%na#IxqIX5>ADfU}&`akAPMnvA$U+jfoX-mA zybv#FvtQ0$&Cx`Ha|la-Ytvlqv(zC-)?3q%q)=+QH~2cwuBq0(!^@A*Rk9MuaNTlQ z!I5I~`4=pGuaNu$x;p8l3RuOgw#D(Kz>{EeI<*VeOj({jW z`E4xS_q@w#I&vx9k;yd~4FRH5qA}95;>*`h9Vb9PGk(Mjl9>_8c$W$ zF=e7s2|Q5l_2c0w1%XaO>&<6qtbv^uG`|)po?B@m*JMg)O%xi(Ek_34dh&FqYjKoXp`HguP*gZ(P z^;oX?uZq$jnc8ac)^#8L7Vyc!X8({$o5y^j9??jm>{2+rsJD~rJDW^ohg?Va)UdtW zmrck*(DFV53$ywsJVW9An2o(%Nuc@Gk})>Xi~=jk3uF+N99x zm|DDDb{quZTR#VYsn!{0J@LTY2M#JYcB*9Pq|Jo1IOuCa!DpRXSIy%c8YuV&m3DRF zG-H7;A+DVxR{~ThksxC1o`d7a_Vf7(W#=&8?qQ+V2~}p9FMl} zDu?MLYT=q|Vn*Ryy*in`{4+m%IwI_Aro@1e&F|vQ-+#H9C1Yd=_ggb-(`E$+D(-*w z?49x?a{s`G7Me4VKa)kn5frjvbWDbMhbd;R?R^z#2)<+EFg5LsWyG06Pe{AQT_2H7 z(WrJmL@yIS9wJi0;_TA;5Fz!8DTz5s_wR-a*hFZA%n!9!Z=|5DWn9HD-&J(20t=7U zh$bHiBYAwWeY!^w_(apb4E;goQl&Pum{Mkn%_UJRBfi`~)t>g}y~fAL z1Z{0C7WLoeEM)@dkXkJ2X^ffEh$(tUJ<*uIB0VpLivn>(zP)();!q;I2<{*m$uur> zGqpWDQBn{pimu&L=-~4^ex=YoUXFv9G{#r41QN2Gamg3hHR=+115saMD{iVRQTPEJ zIXr$!!k;`?P}2C}wYCI*nF}Y0h|y0Hic-p2LP<6Ubl)w+0R-8b)kqZw>EkX5;CP;# z9?y}Xeq3yc=ZT|nBVI%tWaffXXZC-!wYbx@hZIA;2bEuX7~a|jUEGkqV&^@Wg+E%Noy1EuHtE~7_x6Q-4O|=hn%sUm&9hfhhyt z1EJ)R@k=`-!GH^MmZ4_%V`V5Y-daAniDNR2V}$q%zDXZl7lY621>K_f71^KVYVfRx zW6fQY|f2ljW3!N4DSPt`Z0Z!EvR@EUCYH&VoUzNqp zr~vuNum?2$Dth{-d}vcq6`aOm1CoYp`fv4wAnvxkv9|Od~4BIyz1f?(K>+!iaog+5H+JOY(k8zt?3ZwLu?YsP#9teVXy`>c+xX8E+ zmJw0oq3?959?N3*_yvxeSj_F>&S`pEU1N7)c*{vnW1#?VU+vi#I%8& zJ?~IZO?(7iK{@sYN;yMvH%z{OV6n0c%+8nYA*Mct^CAFVa=U1uo0llgvQfU&^sIv; z4ALyRQ5;C$Plme=&{0M64GgE|@qY$iRKH3p;?Jhku}pfrM@|sVAK0>H{LvwRYpxh{ z0(s5D9i_#RHE)@krCc4UprG%K=EJB0hTt*s*43N-edMv`PaBbUJb2zU192oHgnZ@c zd`=e@OY<)@QoY3Rb_|xb`P$Ej9y(n7-h|+F{W_HMNN?>Op7gqSJ*ThcCYvQMH#Aja z^HaLAWDJCU^b`X}xPM&t4`1@C;N00+l7#;;9e4LWDU*h@f5d_n$X<-62eI4`Qab9q z=4&p_s(!Xd-VfEqP!XbVkc6zam-*wpsE0ld>0%QII$qb@ZUm^_j<#bsN?B%JFkbTA z7$kI%p^(_YO#PT)(z5ce_K`VH{V4FnfNO6F;I;$rFn8~i1zCO%$bt%?m5;?ovO@Ox z-jY1Mg~7rKrxf4b8|9wOeqQ;!!3czp6(JLX zV4l@6XTqFh9w(5MPRC%Ll@g3MQXW;iJ1!6$E6~E1#$ayQST(tdf=M1|19j^NM^Fkr z*v#?=i=FFg7eB+L`z*t;IGUOzeSf@{C!`}zX$rSgh^!-W&*mG{UblXKAkBv=#@rwYf+74qs2F5u>Ajp8*C z4A0ECvqQ1+;e{ueQC$p%6)v6L&UuDE*T3<1KR&%Xyy#6@X5?V$oz-0R5Y`h#lAWBc z5*_*)l^t8P5JTl8=L7hDPFO`xCT?gRdv^GQvBw<3N?`D?bzNQ6vHJS_k@U_l)xNPD z?X$o>cDTTr62xHEIM$;N_&tnP&-F&S>wwcEHsL7Mo=Y(Ga`8LMG+cD13j?G6-j;oK z+P(#0DNLiD^v(n=I79gU@}o{@{j?XNPrzt zsJ&bZ&zCbMyp)!B#}wOI3o}F%)*l7;G734hb7akqx`wJQ@6RCJ5FN2wRh7?@5yU@6?qI zEE2F?lx3hU&<=wx_+?5$r5jqP6A=^*JSthVc@dI-skFT# zL0j5hj(%f$s{pSKz~`W#JSx?MWEGhqt<3Jdf4Kuj%-!F`M+k_Tl=}&oDTU3PgfuAz z@*`s)O`c0o*@Wtx_=vSanTcgKHjw&S#gBCeBiP+Yt(lRVpCwjwqS*T^B8{BeV@ZxF zNvlnl(BCr;9fb8G?JOV`C`Q`a(Djv5iFY2j6>+JRSb@BrT1%>jOo56aNrOpI>jWc9 zHag^>JAHHIdD9besPMA-f;-AdTQTu6`oM0aaobKj==-%NQRZEiTgoSd9tT;K|4{o% z@iJ8jT0qmHoRnVwL9Y{k*gLultq;$G((npAY;91viE^GL23$mSyItQ<`^1JZjY$ejH_0 z<8sm=2XR}^*)bMoT!@*~d#*Jw{s4WTc6eXB`VN<&qnYq~Pj&)i=@)TpD&;F}*j$t{ z;j4ZdwOvga|DR5p&+zeBQ@GP{j;AAEg3H$oyS8mG>|XV=;lB_c+>pv7A1C=cukZ&h zj~K9H@Jk!hF4~B3_j*RGKVV+| z_+qv+uOCLKt&-qQVx#wKLY*e4z%%$7yp$2+Cd?ID)2#G>$Sx$hOf=$q`*ExA&{A^_ zVZB>aWPj6LQc6_&X9Q-8U>D>s{Si6GBvw8uE$l(e#@&jEB%S-t=8k3Nm%0r8U2n(l z`CV(CGX^nHxKqKS6c$ZS;}-Xf@j&ZHV<`*T$k9`mFVCJB{QO)}-7eCh#$N(WiTe{u zonb87Plq3e`-dS?5EHF8!j-Mt(XFV+4vu@_IJ#3BP-PVHeyF1o*{t}1;Dkub*a@>6 z%PI#`c9^VwM1L)C8P=V+!K};nIpctTY6nF(A{o} zh{qh(u*TOT5Mu2e=EV?3M_6uG;FR~o9VPN7<=Tx)wH~8*A}xuH96qD4fSu8$h#V#v zv#@AJ>d(dQ0^CRd21Tg}J5^tx6~WwT{4Yf_IDuN4Aa;dGbF)=gTn>*xoNHwl&82!+ zKFD7&A6XBU96p7THVae4u3&Q)ZMm@_*Q=y%7nfe?)a`yANz=Q-Ab@W(2?q~a` z@7M9Kn^@dwdugHO23p$7o9Ea=u%qQjEZ3vEZZ7VR}B+sY`MiC6RKWlnj~Yzr{E&zGy-PuSZL_- zdTO}8){v+wgPQ0I_2{J&oW1F_pZBu5lWHW16`QCjaZ>Ekdg^AfANEfu4ExRvqkdH# zmCCi_BKNV@!=%qhAfMULU*()x3*EgCEw3!HgR;mHlplXoMQ=c%Jbh#Pw=gz8f>W~Odr%!NQLw~hIBNy+rnJpk$QBo8U1{tU zD9Ba|#gb(WoKWjXhrypV-&5K4QPEpfZx!bBd^$V@*>SbqEKEN_5nyWxwG>d?l2Z1cNrT?-UuNR^8tNxtgfXwe@TFFB=i6c z1WB(!<6u*5I_j?0(d-UU5Rieu=Pu_?VkE$VTjC?(OfP-cj|(Q>Z!r$j>gfU#atet+ z>D6LG(z_hZXx<=<@Z}}k@t0^0OwIXe1cQW~Du!Vg-HSk|c5IDYfby0?T}khd_b;)H~?0cv}*@s~Ukc-q;9~xBo1PAgnq5*>A)L zA>v7N2w@pTs58CGrvX z_#?+-LxDGt*y}8Kc8l;N3}7Zatxm5l;MoAaWotaQ!OC`V{$aDD}|-zT86NUoX-6^ zcsQ?g3geN`fiyg)R7U!IdBXFR`2$Eb(t4PPFT~DAuk)_ zP~d`fV z-D#1$dPjpt1d>)1?6rgw1*DLj!v|Tuiq{-QF)uzBqyF52hLlJ}QiqO^uIlO@<%XD)>H?XP@iw&LRk1Ghu9(Xk-x5%(Ye+3w5ui~6K&7sJ zSjDR!?28T1drMTZo+#b=3!u!axp^<+lb?4cz6Pe-kZ`}0Z?dpxmOX}EEk0=+PLY#o z8IJrx)T)VNzKfp2-Qzp*R$KBUF?srUpkjjzJqHn3O2v@K7cqoSqJ~~`tSOu-juzEuO;0>90 zR9}(0`6hM?IU!83G62HjF2@bRDc*|=| z>n=Ovc}JhK0Emx-N=Y~3R`)V`C8?si;6>{h-khJ{LZ$)$9-_;S8*@hAcpA3jK{UDiQb&hVks+R?-V5r0gLJY%Ngd-duGyWuNW=zRq=q4As%j3tCZR_oRUP+Eb$N>hbOv7Ui3n58hOO{ zViK&LNLlW~`%8#)rKhr@ss^P1kVN7D7gkOhXmn{nh)95wNQRRDw`>NSgbtMfr_g=6 zLf~@V2Z@cw14mA0MkNVA112Gwgn(6&nG!07lIR8;aQc)Ui=QG`%#yBJ=h5A2HKGg& z{V!E7MWUl!qg=+7Mf7~<*>xG^%LMDpf*wc4xdi>%j0fR*jdDeb+1$ksdYF^ABdO$| z?%HAnwE$LRb=sH`T9bEtUYI>9v+l`wj##YCDy(~Ah3{b2cc!9rFEIjzS#0{m+8t(B zA1#S=6$a~Z^gZlvw?B|aGR6li<`TM{a%&LS>BEvb)Q93uBNnrw1%baxPFl>~l|a}- z30W%w!ZZ})a$(^=NvRDPAoYj70OZYhdyA`m^q~`H8AwmUIV%FhH4RmAEP6__D}zAj z3PCuXDQ$^!HxmLr327?VD^=#+6RTGz!kz1*D{)s9O`?ohJ;j(`UZH8YWjV-?2y&4q30EE$fxikj(F%P5W<$ab6-~giXm+SXeh57QPgBi$ zcBq8#RSZ$P$)d%HC9;$#jMC0NpLdqmI|>l-#moj`q(DxY9kM|1>^A|V?(~Zv8Vq`L zfn)xZBXP>0F`hZ$YUu{Eixddr8;=Vir(>88DN-?ryBqizj_x+!)pZFJD)d-e^^sU= zfC)%L(aL-*4FHAsdC{Q17Qk8frO+a_MhF(K zBb!B7=Ft~=8VQqfwz$oHcGY4ier{rNBa7&D^FSU0ULVk5TmA~Rt0Xe5EmO)zF7`fH zGD!@l9*eTnO-Q3F>_(Lc=UFD@>O25hT+v9bEAbPcspM;ckS}uYsIsW1t2Y0Fb3+`n z_nTG3e85@qg)H)Tz@=~)$}T5U>OHB@6q8}{ShtGCbEJ3Tv(5#%VfP1lDewdG7k@1N zsT-#%NJAHS)9&)WA=e#Ek?Oh{%jZGGEcFiGzZ3K6&bnBxm;mO}@5@h!$>5QD`K@(4 zrqrc*Aw0F`CnSK3ZHC z5z+SOm(w2AnR}FS6TT-m=`66rb@AoVnCFS^^!&v5q`K9F?xU-VrxwA zH^*YivydC6qdP`5vYT|AbXoyk_(;2diFP5fES){~@b1dH+^V>_ds?YyyqB`XSspuR z^i-gO z+82-YQuv^Y2P}P&J6WQO!Ih<(4(r6xD?K)W|0f;-qVg_(!!0+~>BQ@YCV}6rVp)RqgM2ms;N+t5NuEhIyG>vpIxib}&6`rRtbi@M@ zREASmWk-IG40Syu-`E; zS*B1B)xb8rcnG`-9bp}06hmDMa=_dlolynzQP_9n9E~kq%PyxvDc-{D(8b*Acd%W0 z8GqkV$s1}{=@W-yr{p8Hya5gDI|*z@16qjr<@4CrvF)CTV4h`E7(598gta$o1 z1!hws_{vc04EqCmgq7Yusf$%ksVH8R4Z>iF1;N}|RM;CdP||xt3KVx+lps~v7EDNj z`y$1zd@@*ymxfb*i!gBt?GXW#a&CWS7)oe`mmZvME^1j?S@gCPX;W;;9H#aHoc{*s zO~pb5p*M-Vp|EMo$Ymayyc4xx>%OL0W^{Z`lb$y&_t3pl_r*;bzVugouY*H#en=D! zX_~v_JD>Hq%RKZcyxb_SZMrhA4ziY;#j0a0_jVZ-pUiuZEPQse`0}ML#V!B?_$t=7 zbn3nuN*$~7k3<$K1xM{Q#m2#WOq2?w_Tp(`KqQ~`Yzl|Wqhz9~pHAu4o1&>Q?~c*# zJtZ$?kq%AnUy>4`iRIgWjn;=w#8k<&r}HE#z*E8S-#Q#d_w1+hsF);l78Mi!JwHKA zx##?3UKgcdO5XGH?+VW&VBv{>G6$Z|bEKYHV;g&76%(9N0p8}0C+7%cto-w~%)x5! zi1KfO-_$Wh7=E+p8#=1|2K17zCkiV7+GBchPis+lrLXA?>pb&EMJD&c9vfM$cm5oy zhveAFxndp}$wvi+C*CdDzM5FQ|2n)*$4;?hF~qCz=5){Cyxr!rCX@D3VC^x_W1DcF z3glzUU5}T0>5_^qezfhm))r{sH901-sHr#as3;p)ca1)JM+GTm6aXNHjSXc(7ZOAb zz0##vIMPxJLe1DD4XT_~)C^Q^RHg(Jj>^;oDjcQp7oE}U7Tpe+=N$@gC`{Ab2t#2T zKI|rL*@)Q)t=(gxMg!S*T9_lz)@2qEeB6D}+Qk+TbiB-d3c7~wxCo#Vz3f5-*~n!V zD#-emUZ{W@xi29$sugxjL$_Z<@Kx9`4PAo~Kqqt`ri`$u`!He>vEr_2>S~M#ND+XI z+z=78_$YP8o6%u(4G&+=WDZDMicA2i%nDQ$jZA$rxi-5|Tt0@&I4pjhVU*_VX zROzL@_{Bv@y6M2$dK$OvHNXp9{L8YC_ZIh8N6%aGODL;E7QK;2yB!75h5cgrF_xn%p0Y%}mS=l!Cz53l=ecy2`Fus-8G5&F${-bmaMoU#y=2Z{P4+TLgQD|VH)pWjltC&ynXIpN zGX~xAyY{Lpu8XMf-0k!I77g7?{40;-+kA6+SfDzr(m+%UHD|DhVVOYCWguvr+x7ww zu>2fd&d5W-7}=D(S|Wd`8d5xXH*mDBPUmr{lfM~qJrWTvn2Dr2%jKCkx?<%z;pNPxV0VZB z!aOraQz#Q0n-k(=!n1ueg*D4^j0S)~k&IGdIeC(+b-=rGrWaO{S7o&hcvo`uu6fRb z{4!q>l*>az!{pbH*cu)1ZcCnzzUUf-YLBFZt>!S13zIa(QOvpJKU3 zV+8O{$n!-P>Pk$Jp2qctMmoC+^EJLpCggXnK}qwAD@Ut z=(7D8)Q&W|5_28FpB8|h;U*KHed?YJ+2agN$>_Q)8}`@-LrqH=*!^ZFLxOMfi?rMZ zR7|`<%GG;Nx$;tSqSL|;nlkK+=N)yg)aPpT@4V;r0XDlF8Q3+iFiD~eKf;>nuF&z`Z z;!d^Y#51iIfbmqn7x;TW+B~kq1UKaX63+rnOvlrtvBfm4FML%~uP=oeNGE`=aP%oz zEc~7rz3wr^ns zqM&+80rdw**9TN#y!yyZhuB~+l#V}Vy-i5P!aL1Y!!j4f;(3`iRiJBnm9gC7(1+i%=X=og8FrMyWL66JVK~NNMC;OkX%WR4%#9!1E z5$5fo<=G+d+*u%qJEt|Em*<-sSr9Z+37QjvkF7dr-Qg?2-_aeaCN!}oGyzR$Q#2vp zz^>RGM#6)^%O9bkRQQHv(z8_R@7|3#>y~=K1UDpihi7 z9wMR93XVeI0+m&sV22+2q#mn<-H?1YHb0Ocw@y5v@V<03!Q=0~(o(DB0r1pj);ZT^ zDXjDK>$BqqceQ)6daZ)f$`i@%#S_eZMd^ggfL;Qm_767%Y{$` zEWe@vhzFa8S=MhQJQ(}{fG&?#*0dBx%Rl^>(rAa=Q;bn|gt8*E3>M-^6{^(xj6;dH zZz(}}t~MJ=Jm{-cdFfzSx(%sydlGL|bC{mqi+$_qx%XljGMI)&qQ0v*nqM~i;q0Nr zW3ig-gRbC%^q3}wrF8lv2|3LWxnq$j7eRoYv80kl7o!b%iekG#CMJN^*gD?6(1(T2 z5td#cN2}X?zOlx;D>@CJFT9hh45o zjj2&w+PvdIRR~3&wo>$Ii)S{SKp#b{3SL8~37X{r?p~ok{o&j&i$@IoQy0DA1Js!x z81wJU3C=5qBbd@HLxo-#|9#zJxVA}`rjlJ6DBO&hX1WxQ^#C0yk~av`u90bCD7de`SSuz!oUAMHe*5OoxlxNW@|OkQGN!o$ITwC3L#%R?QWqcm-r7Ajb{_) zSd{is7qVMwg3Gr$lG5We8@zY$))9v(BFUP7na@y>+w^)TzJ<=-^t4X>p0O`=YCyKT zc$WqeeNqKfbqnh$6$ZjM2iVN}EjZ`8Y7EZNChmJk-txiKbQ{_N8>&()$>t_*oDZxp zVg8`l6$v+>-O9|;9NY5`j|z>U$4&(3i^GOqU#8BSfTP;xrdgiPnh;UGe6uSMZD6*F zj3h0NVq?}U@nV5S_l~}Rgkocuex+d$$eQ{_pknIh;=&k_yKl29E*xfJO}cfo?zby2vnppy%yF_{^Zr zaf9Oz&`$w6&}|`XcXSlx{_+uhiFVH)|Z5j(m^-d@S~6#armyMa`nj+d@2{i$6f_Q}nXhK0jlnHM*Q}De|UN zIZi2&Z5SkrPHA&@x#LixjaNrD9EyggF#g#j+C&{-|4>r|0!TXQ<)0ypaz+8j<78;72Xp~GL_ph%`mn89m8w= zJBHW#w+yeavDg?>tqav;r81pk2^8$2ExOfIU3G4_yv+Xb9y09kEAw)qU3^0(t+&f# zh1bgQJ~$@{kvEpf0|NJ0@^&`i;a9l(5hO>^3)51JJw0-Ysfte_g8+9r)SQAH&pY$$ zuPjOwZ3N#lp;9lNh73VfNMp{O5*~9)mU(V(RbpQLjid=hL&C|N{%uGMzI8-Ha?`W_ z)zy2Sy4@25G9!s+T4-8~R3dm?PRx@5VQE>{SadZ5L8-JS2m~zJ3J|V?_4m#``a2W^ z!!-?U^bJeE;dZwQ(QFeULx21$#Ukr1DwP|+|Kp09D*OvO*2?>Bh(8Y;4hlr>v9vLW zuwz!Cyb^A-G=68Ah^NzO$XXh<29R+@&hJH*x%`!GmwR5RxYWiSe1yM3KUH*zl7BpU z>0i6uM|!3Z6{6Y}M8~{AoAi-X=$dW*+vq!JO* zxiWMgT}O{k$bSjR!=u}W@YEa*7#xA?W+r0J&aUCxZDLl!}TOMgh zPJg@I3+$9U{#FbYj6aQgYc%lL?OV~EoyXhKqDb)iM5GGgSuh1ae|2S-4#FlmrXG=mf!AWAoXE^8U*L_v6{LpC)unJ{Rk4r)pXq%&| zWTQ%SX@{mu1%XTLvK+v~@shtXh85CgzY3$D%wtTi?lDG`f58!N(L({e0}TzVlx5x! zSdOOZQOtBHNiPml+F?n<*2;Qo2pc!j@_VrH^Owy0NlC_&pmr&%nwtzHz^<6QMbedo zcN!HFH*KmqCU`?p(eV6SVrX)H3#0D%@G>AOBN82*)7w46X0XUP0jNNDa__eR;R%x8 z288DwZ5N1ye@1Y<#%>o@BEpHWVP!^`%1ts9V?4E0gU|OAEYsnFSfYHzLTE<-IgbwX z9w|YpA=lovBv@ZJh>bA$+}cH4Jn}%j#?K^LtFjikLex} z)%3@d;WlLDo!l=9@k(c|4XPta&=+&UD&fcw!+P{v#II(``7Nlhn%S5~H^n(DQ8xt* z8`n)CflZ+dnaJUuimSmfQ?fCu>4Z4qw2fhAx-_&s@?P>@*ORcidE=xWb3snrr|DZC z++!H;cymntynozOAkP)dy$pN);(|E&Du+lxmdT;*IX$$o%GxnNa8Hd=ASNdea!wg4 zHm>fjHbD5?MwT;RNYKDEwLl8KE2Hu-|o-@OJAa=YOBA^l_{maRv{!E=99#Q`KWsFZXSPT_YDhfrD`l_@Vr zrWK~Li>eW(HI|zs(_9j={O}6;P-x8LhqVSXp0BP^W<0&tB(omRl&{S!cgIOuzGm00 z?Bb7kEOU;BDspD-n%(a7bW%UR@$HioMFIl`8-RZ$z@lQ!Eu;Hoqv#f(4^=^J6P!M)fH&x;b!y z;*Kna4ZbHOh<^glv)-H!9vJGoG)YL1qf)>Dz{xwKivf zvxB_r9IVlWH@NaHujUIsDJF$p0!()M9nD_iQesz2^6tU?7LiiF3^qEj3{K=9ft|N`X}+wkeze;EK>a1s8MWZEy{$J&lUn;e<_t;?XvbNf`G$&;}aXb!kr!nCT6E9V_>qU0;@H|S06 zgtj3)6ud*3q05rwT6KmkO_JMjv*MWQylfXe|J)mk#8KNBnYPn7dbB{cklSQ3UYexy z;nkBo5xe`qq##<6bgJM_FI#hc@r#w=FchaOcl+8n~i z9iH_E%;7R+!dhhN z(K|_r`0cSIy-Ctzt1CR2X)2BI;pR=|`KX_CbanlA1uk5xHpj)N$OD?01z}>@l5(4O zDMEjHJBD3_m$SxOhL}i3l)D_crG8DCY8C1{H=Dt-?&V0DJh6a3Kz@j)`Q3;EoQEy) z`@s7LxB+Kj0q&DAvfkO|Xu2!R~vo zVvQz8xaDcy;F;lIw0OyQW;?K>h(QgCLzkRsTahZI0u-LhB9_ z;b6ueG{A+k$;k%|aN%49ARjcqh4ZF8h6f-Hkt0dSDPEsrR04ZwnylY&IxHAsk@#bUjV=&>o+KE3vSKehjP&S^7 z%AMgn;)y?KpfkMn)iaJv{y^6eCSHRX=jlHDLG2#d91TJ~5Y%n>Q_fW555#G4rW1c4 zPK)!dDgHp57Uu~+{DCknoj3Nn_}J^bvDd}Np7+u+{y>zL2VHi!4c0&2cTtG8-@mW7 z!2=36kJtof5CV3?ZS;cI{Vb*8v8fEf3m=(7roVm-58Lg5D|Ck7(*Q9!+mav$#&8pK z;^b`J!)=z{?OrDT#ac1R7sJ2iknMG$D`oDq*Tcr^x8>98<{{kOsek2ty~O4w4}!m4 z=t~>5nGD%CSY#WG)RU6WDP$Z(&x5;`O^+69IpLhJ;k~_;gS+ z1?u=CIzf&1{7;JJ(%3_u9ChXl5cL;y_@r4>It0$El`ASBD2zmm6Hp zzH1!44WqaD===R{=8CPovajb@LqyLn>*zK*yywq?EEN3N)=wNsnMD4s9r84$WfP6L zKM54{eY->7@ehmSQd8^Jn+|4+Gcxn&EnI(pjgxuChqKqvO`xHFJ(`ZDS7;foo;KU{ z_VFE`QO;a{7SLXE?}{JWz{d;ctLrVw40=GDD`zqFmOk>|_lNKqxwCTr9B5$H0l8u5 zZl9lDH_<8}mx}fu%MhI8Jk*Cmn#1Xr4n7ZQo#ovz*Q;-^`SN4jXuwiH}_{G1iX7Gwse7(&SSJDw%KttMdALeb-K5qJ>jgP zU9?Ao=rKA(f0JO!bFjvH;u)WsM}xDiI{@I2zkD9yrIyn4-FU2)b)x)6o|+c zFZ}>dN3wU4W&i1{eLNouSk~*>9Wt^tPR#)=F47#3yCThjQ>aLDV9yIQhdjX|&Fc*v zWT1#NuQzm%t4*Lel-4EETwv%1_#ApU4BlWm#~jyV@+ss^pwmVdQ}4{QEOSuRL0Uxx zbRDud48rvq{VT+>y@Mu$xrR-L&X+U@VF-aESDm+OaJA^3%dAqc^zyX_Tk|JOg^&-+-#J(kQ-BqCAt{C{*UOee@zF_ zzhw=XfPF>d2zAUn-n1EH#tu|ak;?{M6ihW{Pbd};;As_Ln`(T2-uWWI6e{Z@#q@^9 zG_UOI^)#__qC>EWUbzFDXDcDRSZuF$!OK&02qoA;kqrU1*&CM&eBPh^T1zm7qHPk4 zzmWc->+NpO>NONLXUWSi+Z{1=9+)(xPcs5ED~enJ%1w!10akT{pa^-2kf_+Z63awj z^t#IUors1RvIjcn2upv2g+B)4;T3O7M| zG>(@bOJ&)dF}qFgYtcB8doDod`cN{~UDvcVy`v~7=8|1WksCj~AvciTsC}xpYoF>e zmLWt(UhA;vl+`hmKPr9hq;h}~J8E#qAIU0c`uJqjgHN_}W))0;JTunOORs7NFsQY= zv}@^m7RknSd@N$U*WLD|AYvI>o`wL-YZOH=!F)Bs_rm=^f2AaY0Nx~a2L3n>kni`4 z*Ucu}CB>3=_YukDB4Op^E*gU}aHc8~C9IAY`#`!-@_&Kut$HFY3K~i;U=kO^4NNSP z^w-xP81WZpO3m2KXxsHdZMb=|4!fSB91|@>Numo=)jA~k_i7jY{rCEvzS5{nba^IU zw~rBn1GM7OT>vIPp9s|ofZ^tp;S`N(;S(n~j5Oj_^&T&MW}Ef*q75&DjXN4Qj^eADjYWk$O9yy8`m=9sFXHfUxDt1(P^WLei+aL z4Gb0%Ba*T3!{=zTCGTuWFzQ3WGae(A!{}7T$*wRV=)zesqBD6Gr$}=T3OO=Zup-TL z4p6DK8XOEGwPZ{SDu&DAa6K1hV1pUlECwFR9;#(AYE;^Qnxww8feI2-ls2GBW(;cV z6#9~+d=4CkF|treZfInM={Ggj;tco4AMM)*fh~g&+lSE#`P=V@&xXl@RcBF%_8s)| zv4ky$Waah2Bi!7a@Ho{QdJc6FfeP&GUP*+iLnsfmKoVVy!^d#*K!>KtNR3N3KBK0g zv+X?+T5*cJ_^8UL#&YpLRApLiD>IbRg%mD4@{Pgc&uA29RK;c&*k9G{b`j!@O$Luq z{aJuHSYTwwA4ch8SBpVc=?w7aEGnfM-vg-342^Pn(ujX`8^_l_pF;L@^g}S4Hyxjt zAo~P@X`DxEF?NB~bE2DsHWT2VdR-<~3Lk-ml;@KrR+EdJEZ5zMQO*M(;;zm!8oY0U zb+q|`e=(oXee;+Rymn4Rvn5I=14T$gClQLjNw}ji9m?2Ma7q$q$l2Wv^eZ|%CEL+u zI27sZfm-1#_NRjRq)b1985CL}_{k>pU&7!=xSKz1H(~7IS>Tmd>W@EXaVU2Oa%IYL zC6VQy+w~Srq942MI9acs(+^qUWpxO-XirxW6L*%tsxiQK36BKbJEUSGOt~a~s#HRK z3rK@?@9-%?v5}9*VjXterwGgWxp&o3k+)f4aJyt|@|BzLCf+`x+vp+OUM7_~$VFS{ z^#K^Qk;0ZBs{T`Lt<7HH)S;~F&QiQgjVTVnWKLQmew_V$J@7Tf*$ee)qUj@I;W5Dk{5H!=#@e$#Zb ztIIHNXG}DmjEUq>m_5iYksb;ndhpzBq#ky>5Yl&31jGW8^SQ%{tP-x zEFJotr409GCLzx~R>5o3>-NNP@MM-04&PH_B)$y)2FJng5HTnV0enYDb}@GFVvHY2 zif7~!QWrEVW}{-tw%?LZ!~uZit{NE(bdkGcNKbP;AtUuHj_-B@2WAOm&T@qC*nHWN zQl12d3>Z^kH8K!qo;~8FgSCw%n9qs6Q0QUsJmaIK3g)EBt;p}h!Xvf> zrh7L>-rGyKJIEkuW(dY%@Nfu!pbSw}IMAWK2Ashy0VIJ#0~`PqaNre!BoP?U0aI#; zB*&BGE#7uru0F>H+w>{D0hl-`0bw*FtNCoirR(Qn z;++?gEQ2((etNA6OzV&twP+LW9^a9oXSOL9gP!>}45((Xj2*Pw{)~S&zf}$1flVy+_&rp?^7ZqG!pu9eEECx#+_~V-39Q@mlDycnLJ0 z<2dZ)t$)~s!85v><7Jv|r`Tt>dQ(XNPX<^stCS5)0!zP{ZJl6APS&JcsxShlsnK{y z1j`1W9S2jahsM#*@P88<4qH7Q;Gimb&43X(QQAf-(Y$U$=l%E>@#EHa27h*JCo>tr zdQTGkhjGQ)_+V)WslpQk8@kO{4T2U!==>=GqM@@?83ccI9zpb*pNx1(((mKYAvC02 z&LPC{2?-cr2(ktYQvDjGHVOxhVP=YtuxrLz%tez@XBbAdd?go1-O@YfB}7)&OuaE$ zQ*z^F6%Wq!Abzf%{9PD>(Uj~sV(1uv>}q6PeoOvI%Ad1>WlCEStvv6V;Vq>tJyOId zrc{)+wo4HVW$z@vcQOMhxyQ|c+5Gw~!W3J~jTmL$NQ4_)%W7+D`NX>BQZ7MkDm+<$ zC>*LR!D%W`SAZiIv@2t3C}LF}BB|(A8COHmE6UW7NLKvQG@XNksrk4?0TU;NaRkw{ zi@X3r)Ll+N(~P_Pe44~u=W5CI)Q~T%0H>l~Ol`}{Pym;AF_1?6fkXbaL@_nA+y$F` z{MKr!*xcad@VaAaHX7(g&fEpi^4{%R6xZ!vQj{`GJ!Nu;2~CR%?!>1qn#lAOh9lfV70ANWC5Z0iL!*J zF^imv2Qpr zmW;8i{JUMVLUt)sfj>cH$X`q`O3o>}%U`}AqrzRJum-j}6P>4n!`~$^z;#3gO6dtkM^oN#K>oJ|{e_y1RrP`Avs|14LId zdD-pp1JN8Hevg?SN#$2}lVX0XTqPPmyDq;aCLzqPCy+hI<%emAGqj=G>7pI%(kp1% zHorI4rJZbm^DCx=Q^GUj6la@h1M=YPJ&Ro_pr=Bwg4BXg(03|x5tlKUj>6r&^)Pk* z^EG&2o`uSYTm^b?xe-M15lxSeXvxVDDXL|25S|1-xeeVKLf6CO`^X<8&5N26Fkft1 zCQN(FEi)tU406>v(_pcNmjDR8VA&i%{Ilz?{l#cN#h1!d`h(Q7{%AZ}ens9oTpf1X zO|;sdwNArg(7DEoqipD&Qpx++9PpH+&F8@`Sg-L~CDA4Z6+l0vRQzxk1t1N;s7h&k z4&U#$cqO9M@p?Oh7T~E(X-&4T`;bXU1Lh`P5OL=ES({{Sflus`-=_JoesBoaYx45g zB3y;h&k}@;9AFfa-%65$OcnCm)DT*RJ8T0T;yJr;gZp*(fkPO21&;hSHpeCC>cA8% zXP>{$a(e@fHV?0u>O1x2bpxQ}&*qL>ZejvW+}YRJ(kncAkH%xSNWcOJe3^}hr{?eE znf7918))p@3`R2-kFif_mre!rnDuhrQS~l*AcpS#CD>%PYBobKG8~CFeowW8q#ez0YXrjXk_jFuC1JvGov|$eBeZn#O7!D-7jXOJFsnfVY_S~MDdTxaSGob#o3e0Yj(4vd!mO@HKH2SqW@+- zpDi%uZJ8>h$UZw?9N+moLSuh~ZhWUaG>{Db?2LSG!7@;cE+lnFcv42wD{ngTZWjHU z#S9H^7I>ZbOXp^I<@CKNx_Z99E)oP~^0hO;BQu*K|9yW5pZDdyKoWVfJ#4WV5TO6~ z4|Iv}qIJ*O3hd;`93LPI^vw$%*Wq7`_Q2MS+neay)h<~5U{e6BBuv33vi;lV;A#CD z&?$gNh>1&H`?7E^u7_?1YXmwC9ePyv^KxXXy%o9tb9+T=u7l~Ni{NLtVKf6qZy2nx zEyrjF6~_#I{b00$B0lpwTUE?rLr801&!%|KyR+#O@7~$MznompmW$bxY~RvKg>>$4 zwD6ZDk$4o-XOtinJe)0VZ+x`ye2)m~a$`sZe|07fmPU9RXZx)zmmv*|&9^y0Ub5DV zE~J*eIE%SIpL>HcT1XM$rJTsebBK`sA!F>8#gGE2o4$AL+>T~Ml;IIQ&P$200%;1@ zn=VJ=@#tofHxkPiM|grFHAu5e9BhlNN-{Dc|OMbBT?q1sZ_y(jW?#8 z%2e<;6GWSNv3-%JeB?NM`)bi&agyCp4;QV=m7vBu&%_0J``1k|#N7Ew&COHX>&>u|? zky!&$etb$hR}zO+3y0nq4$#cv;Fw|Q_Xo0@oglZBHT)6(Tho#M`V#IsR~o5Fj(=1I z-=M8E-55lr4n$y18w03D>}!rf9kn#DbNjX0DAdtL!yNm1qX6GlqQe;ddCY*rlA)86 z4QiE98m zXtmuCf7NzZjJK+gcix+NkiT5j)3Y{s`JrzqT{H=wwR3(!m56C5da5ki<#VDZBu z4vmAC!}f*63tTQ8EVM7xOI>_&6j`+ZumBYT<^|nfA#`PcgEvY0w3`gcucy!%iG`;f$_ki(?+n zSthcfLc!2KZ=C7UVJ8r&VC<8mB9@y#kfh8?9 zFh73jjYr-Bji$rdVuCyL=Z)thk~^M?HSz=GEpJFNzyHbkR3r@vpV@SV{MqNvqhb>< zYu;Nd9Fo$OyEakEZqxdSDp8M9@5H*(Pg+fFN#T`@MhU9`L{CbVjhY$c*`oExoTOEAY|G?V02tPe?jgqYZtmAbZEh zhN6qr`8c@W?nr0Oj~cp`9(SQy2xN7x5w<(fw=dBqPKx`BMn!j_qmv(D>|NqC=(vxn@_q&5_=NdQSejL7}+; zDg4ghp}(=>VTV#Bmu(<(vX|B4Q)Cq`@FC^p*cU&4~#>eLi)1t*N-Ma%6v za24)Erh`uq98!HxbWu{$x(!f&k&}kMbQaW|3#l-7?A^{TKRff;XS&zIfV7uCiZ9}p zN(dMRq^m~L=`1-Lohu6iQc_sREFG73A=-e{l^Z?>Z=Df7I+s~PdTJ7^PRGJ>XCb{b zo)gLXBbKZ`$}R^3bQp#^Y=Itqn`dlINHHzLUGR>(Sv*BjEin_)QKXm)HiloGh*~%w zGZRut{`>R&cFp#dn~+j+I!i3x9*P!Sc?2Mx^fh=6egx#QOJ1{`N@Y;ULHem5ZTE*@ zm#DY{hD8p4|Ak_un4o)b_dpKjprvL)JN=)po5%h3d-3YM3GMK~;PcrCoUwy8_&iug zhoV|9`BzM6uRA}97mB*SSAbxDNJDXb|mxpgG>3AwJxeR;2}P^Kpo0hH~1mz<9tG9}J&g@L46^ z2eF%Lf7U!!SPtkib6qU{vDQ+%9o;sNvvAK#LY&Azp}7K?0Za!fJz1c02h)LS*`MgR zcYT-)6l>0t@nJI1UHcQ6;q0n|j|?y==$V)^QcIW;R1NM#Y1!w@JX8zqM8=4hkTJQ( z(gq|4g~-py4MgZcPmrI{yAz=Y~yu`UiXEliEMb4OvQi4lPf|{Wb3P)B@7QT!)AwQPqgCC!~u>? z{9sdba9EHbHVzI4azCkqZi5XbRcr~_U&A2Ut)8Ow1CU~1flk2f`VbH^zb{VR)PfATe+F^6v^6m}GE2H-_E?Zj z=f~#r>-rEq$7z9O{*Za+yC<5jok0SE%bcSc^7ZPEE=rNAS zv5KVGko0oa>nKw}OrM4gNwDka5MYH^REOvv>B|p$Uy`q5Xv^%9P(n7cGk8* z4^^-Wpa_l)$)!PrcQi>5+7_2y50XOH;jeXgIG}m3`av?bJrYKL*+u*CjD|qsMqF?X zx$9T*dJLKbo8a-xgLxtYSgNx z`GNegW+*1Qz!r40i9RHmrIbil4^pE3VHX_Y{QcCNqp7}XqP?|`MN$S^#|FQ*}YQ8cm~NI6`E+t^AyvZf59 z1Df*K5L)9#IptkmosKG?!IzGe9?Zy1XOcDb{&%>$^xneV3R5lWP6s?HU`U5>U2FhJ zqPq?$Wib>o0{Lws^` z6R+HDxn7wAo*A$u@%R)(=Yhcj6gS+Qhk+e1`DnWf4|pr}gR`Xz37G!+HNQOzpoFeI z0jw`fM?-IfO7~OGvL_4^C4XNfZzH#z<01D!J@FUSGzXUb_Ym^hqaReDe|{PiGv8kf}G;8y8_HA1)h zAbNn^o_(-lM!3d`ar?&hRrQnPZ#)-Z@nhA{yEgiUr(%QcrAbyJKwWGI2u(<&2UOu&7lE2gch zM;^rb9Y!IEj&5B+`q1+kq!TKw2Lr*$g|c)(>QX}l*kO2xR9mHtP)C&*BgnT0F_7s5 zEZOXyP8%uFO{PHpL5R9k7hnO}qsa+NkTfjc7^J1ZLq5!;XC2pd(`scgji0g7yZflMdBXOQjkblZY-0hPd@D+3!cXZyqBuoP+KM@bi-2FO2} z<3)vk#!{k(IxsPlr9monqHjLAL9u&%?x-JAs=JIaxiQEh4XSGj=>l#M4$#fYBVmn- znL!ZpQRfJHeBy?X4ME;Cq= zYwAc4EhY}5J)k3<`)HSSi_sd;fq%XRn*&)>DB7IwlnJ{(fWkXbWOoNpYH@d5aE<|G zk}=ohx&!Eq6Ge7+0IhIr?#^d&m;h;0Aj*Vg!Uk@9d^tO})tyX7X}$fBP3)PU4frtN?bV<>su|a zZw7VFHln+9n8dOIc#57qzS0LzZ%hVB)eQ~l-K%>%I9u0C3tc>h4{4N{1QwH62>QO= zq51Y#xck5ZmR06cENGR1z($+z(Iz6*ZqabCxb&t->0T0?D9*->(_IW*AC4EDKmFnS z2=ZbP{zUHE2MLTW$Fao0cuz3?Nib%9dWFDD3nXKVQ3g&NlkI{QsMxsunT^}|piQa( z;&}GzPGl8KgG!!KaZLGz#e;=^lvSgIikgD3avs-FpG;p4&LsT%?_d*00ZU~>VKh|- zsfcFS5E`BXS^&-Me3U>T^YcdnhzwS4JCeD)+#@Wo;?N$u%3>p?JYHut&|RI$LtF$&VCdh&MNbl?M(=a*&i6CrqCgH2^grHX2*z zHXKT-Haa3$_@e2O9s9gI3xkSU{5)B6^yV|#^JIde!0mZ^m>KA0b;v58Iy_F)6kvib z)J{BsN__N~j$B0ac6|ebRY-K@V6=C(AH#Z^UM!PRvGk zDT5e{G;$E1VFT3{+J!%p3wsWC9%YP$9;TZ@zhd*!c=^XxW-j!t-9R55noWbGGQ>Z4) zpObxs+r#|f#Hu76FPDeMF#R~`Q>>&uK}(sFKE+7uV-hP{sY8w_%wUlD##2*<#O29u zzsQ@aA7VMA+QKe!g>o+91qYb;IOEyy6M zvA1GGYKn*sNF{h=;MADYA^_DW9~rT%+)W2A4^RHU$T^llcueTLNMokfkPg^Z?s&^< ze9Rkm#`BIkm*A__SOY0vQ}0Hd$$dv?zH_X>GAY8WhaJtA>#|)#tmTIq)nKzw8 zbuY)drQda85|g*<84ONa@&Eh3|KIo3dKYi63-OSbjI=*~*eZJqXcHu8{@$$M}cMie*2cBC3wtv|D z6kdF=-v_|1x~wc1Yz25qK5Juz?SvjO8T504^&4PP+^nsQN#5{%MTRH(~a=!aI^$ z_;}In35IdW$+Up zb5`W(k3)1Ht;ypV^G;jY_BD#pb^ z`eV*@tt5ABa>=QeNcT9&ExyjKm7SU?#>A?Rnu9k5-TD7(lJXr4K;0@^T)Ry6$ zCz^0$n!gV+y3p_PR0e|usYgg2(I5{SlH>b@I~+cJh)?mO{si^c!9$o7FQu<-jpI%; zbUk0|EV*`wfqy(9O<^*YBlIMFOy9848F})%&N5?QAVQr=+|szWd$XCjYIJ6dPhEk< zWNEOJ&%yhX4o`0xUOB0X6Jh^-kdrhmHA~YfE_`w;P%Jfz-b=9L{O|4M)!iR|Am!A_ zKD~3u>d~#sdU4=SrgX|YCK{4-an*6Lp4=zmDk;3p>#TTG`FD2q zdY-3}cHJcv1#rVoh_2KeTikm_FF7WrscU(mOp=I>xDu7o$rjSFBdIel`a3S(`3GHE zW5$%V1P^Z$V9>?XHFPaHZiKgF&GauxWe|MaNUr-r#~m7WP19k^tx@cmqT^y(w``0mO%}&ZL(5Kb^5My`ff_~9rA0lsnPpxt56a5V(BpdDO|4+d71FMAb3p5Q3s%+ zO~YlyFqyl1e>rSXxFH449vEar3LI0(K16$nE-2SabjeUY?qa8TE{K>7^a^y!VP>E} zD=~W}&w;GAyD;v~_r#@7pF&JqpuF*U97Sm01*#e|=yFCLw2#V!X+s|eorFgpJc=d} zKuY9KXprELD2Fs>oIt~xN}D!RmiRbvBBdmvbsotQ8YF=LDT6L&gaj%X=Ly#w9>D*f ztEXEWk#gY81n+mj54oml$gx24_MrQ{E{5E-0+phtjHVul!~Gc>Y}6uA+4P& zE6K^QP?R@=HY~WQLU3{-4tfV&p6F&t4+#da45#iq3F?3#&n+7o!SYI_eMMa;uBCxO z*H9GAWHbaNYTOWAeWA9sIZRcR!PMq3B@NMT`+ELjR@UAb0tQen%iMMFX#h$ibNg_P zyrC*xYTlPSgpxh|U(sRp)EV_vdRr5e(WRo@^eG<-6{gkbZK1jar)sT?wt#HOm9J$q z7OPxKYdlb)C!o^G#^@R!^e$AAB>S@efcEiBFsK3jIF+KF5_-B2J)mpHy335FfYivB zY%aEj9#nMQ(dBY6at6gF(2I(0^c)^`w6{(B(0hu@@GaP*N%*|oy)$3*?weVTG_Z5; z=8Ay^{v0{0Rfu(BaMP`Du5!poB#jBJ==2P$dbQOPbb_lEu$MkJW4{? zi~%!18%}pjOb9Gvg#j^Ky4&-*zqL=hKX$T87j&zXgz4Rfw%s;)sjSMZ%&M$R&_UK? z+*tm7@(vyga)S=x9Bjz+15Z^)hWO7zc`Q#A6XF&w*p)@`&mghB3Qo#TZeY!!Ty+SH~C; zy&F55i4&F1pG-O&42VbgHP;&f?FQ>?A*^`IH)u9nVd^4g|0Zwmug(wJeRxkF>JFa< zcAn_~Q4>Wp>(DFBi zqHLC{cGRT1hj5z4|e027tL-8wW8QYjm1$>N4U82(+O}<_#P3*lYVfMBZG5OITK0TgU`lsDGcjXilLd*drBqM}MhJaWJh8b*l7PH>Sh=*RP zuATSnooY-2Ys$kWKvVf*I(#OHp>W56EHXwzYv(2zelwl+X{+sGtV-$9QDAjvu{vA& z05ud1S@`*~e=&B%$70y&Mb6Oo4lcWH`tB{l%cqU&98UY-q=XSD!rv<8zNNwr5Z*mg zJL9amsl_o$tk(!dsnF$u<7y-NJaF6t0Fe$%_mSa9c8gEr!8*hDHalmzJSO|#=A9I* zOFX?9{z0$1a-kj88{SxXYdR_X=C?stc)DQug1jGfEul##f9fn>-)SH=mwzK&i-QWW zLVwIvlI*Ab_sMxCs<84_&cZvAE-WdRSg+1@>#n({-!UQV9SU_|X@WPfuB!7%gMOF8 z?^5_(wZq?s-z9s(qm-|>irt}JN}b%KAORvHlHyDNl+9ltqzs$ziI201*yL+Tvlg2Y zsuH#ipAa-nRpr!rwt9t1A-A#B0=tdr9X}IEQ3m(_utcFbV08COFtvN~FIpS)=r4UR zKdQ*_s9 z0IUuA(51=1NE3An>w!LXydMyT58mn17Z_olS?nm&ewxhl^stjmSgwpxZ~Nl!H?UPM z4|$T!Al(B!hmn-Fx*!6f-$8Zv?hp7!lpuMIy@`nub*-$^Vc}<{AV}E6*W}CA`|j=! z)I|6%#5@5yH}ka2!cH8f&e45$Hcpg4*LM~^J2!bRlyeY*h-iXpjM5UQo{sufV`vdp zrD5!TzlHE6jS~w;MzHxiWZ*t~P9Z;->jPeszj4t;hj~0;78d^dfjs^@4TCv3#$8g6 z^Xy`-&b<$zrI+`QEY#NQU1xI)3_zY7W_0e{?H*j095vkBtPjgqmp1)8fGY<-J1 zvrt`{$_gra2=7X_Y!HFR99UKmRobR@Fq<{(Ow!Es4toc-?Cd0UFw@oh;jPzsN4tX= zFHpbJb_GCb5X_v|;HG+kie)Kbwqxus->6G3Sm5JAT$x);9Za>Y_XTUvKounwRpdp4 zYWZmgb2IRk5acAMDuW?#iA=1Qknv~<6QwO_ec@ixys@Cjo%G2`2eTJ!JTKmUlc$cF zjNNYSvE&)by9YDJy94WB)}!wQMyCL(!p)hnU!4wwhMLr32MI2#y|a5|ePU1Rj3#0h zY2vLw|J}SD>tNPs;6RkbTC}EhCW`~JPQeQnScnDZ=Qig4SP&GtFKhotj-HL#oG0H~ zX866^`=?zV3ubrzIC;xA+NT5^xGe{>*u-q-=+)o4zdOq}y6>jJQA@>=iH@%&9AI|p zX)+9#t-B@WQyLI6R!?-^-^mfBjF~QD<$_0*1HsJJ9SGaru3*1_(27~g>|(*p)-c)^ z=;bbWiJKz$FiupE$(n&DxTX;o)3~hncSeCFQd=V+VaO!LHOxeBHfA|T&eD4Ui*Y_0 z%8nznn!1Xaj?Tak*u9%~SWb@4AA}wrbB?NP%z#e)w|Ad(-0k7jBNO+{^~l5R!)+P? zW=cC_a7&y$I788p0>?2jsJRnu8?&e;M5?d;%S#bhaNdY!_;)S(cN+P=cndJDoe`1Z zxIL$z0mdep)8Dn|-_vlIB_24iCo*%GQxD7(_qMQ}SgL}%_IF|OSOy+9!(jc_-iiW_ z9Plw=L&#z1qT#48rKJXW`(PI{%2RJcuRi&}m@V#j&T0!$8QVq=G?fSjQGf%prflhL z+(K`vi`r0UeR2=}OFDS#qH!vFVjK8A(b`W#qh8<7BR%qlNn&LlgWQz-U@=o_I@=}K z?lb^qJsZl{@rgkxd_0`?dx2$RKtcWoS^ZV`SmKZ<(aSDuf7qcv1J$eI?6AflQ z=w^Cwwi#}7zHJxN;GtlBG40On(4MA&F#Ub-wmUyXHpe%nzO zvG;f251lp}5P|?Z+}3$^vcuOzRF_%se~t~(keDKa)jhl)1X!AR#!*+ue*?XZw^ROQ zi6)}SbHMl>wx94!CEk|u^RJ1hemmZN<#=1}^@k>+3Vwn)fLTa~!J3F^bl>?78>YMQ zmj3qnw4@0%17~}BahAsu^Okb*L~oOW(*Ou>X3okD;S<4i8WS4kEyL_W%ra{dwkW1_ zQs1}k9-_>6N&v%c8U;3<$q_tkGG-OOIO|fY#EQV9D$e`=& zC-2)OnaU$_BNKK(Ilq;q#?!6RgfFuCsTe6%l_y530#da)QVlyXjgd-U$cJ2S~a`n;}UW^O#~>(bAkghr(#YU!OugKgLk{&sa(fX7cJJ7?+Ac+i++z$>Jl zc3Bnxf#6~JN@Hr88uDGa6*-uYOrQcxpIHgdHIeAyJ_jRmYlUE>j}Hqm%4m?mWF6)e zgy-DkktJUi;Zo2vquwL^yGVlO+>@jLX$EGm@mPoxuc7fs|6UiTiU(FSk!B2$D(Scz zdgGOSVHKglA5NUnbZx5$T&oD4;DQY*i%!ApEIrVp*%l^Ew={2`(t4-h0WMIZu--J!;mM za!Xgi4%;Rh2ez_4J?jQ%JTu<#v|emt?@lQK2G4#1Ccrx&P3?i+f4Z9@giRGof;pp+ z3Q(xn^bH<{?yRAfqPlO;Fw zW5EZqfBRH}CuAePfG0KjSZ$u*S8+MGYxBfF%0J3u5n+dR8E?>jDzvj~s{!(qSRpYW zVGVgpL#;PtoCdiOfc;0C%X|Sb!~rWO*6;I3A^W~6!5qLpRf1`g3Z^aS7FR*9S_Nwu z*`zKY3@ax3V8LIxgD>CaR3qCH;;(qSiqJ zjF?(Sp2w*qmr_!yQBpok$u_ajBBo@UQkZgtN-<3V^S$r9=OC>$<57lQvVv8}9gQC? z2s!q>o+b(s2OhBpDR`L!kG=d(!mEYws)9ZH-uuhR&e^~9dWFCmI(PuK({16-fOZ+6 zq!&ZBu@}dTUpC$zL|7b&x3Pol42EKvx3O>_gF)e7z-BFtp?Kcf*an!y(B#Si+lew5 zIC8+Oas~rO4%mK?!N8FNmO+@nAagaajkT-DVBp9>sU`=Cfg=Z{njB=V9=9={Hi1D= zxpKgw%?t*P95DYigMlLlEV|5KD3*hP?h=5(1#pgSG0JR<8>nP4aG657!8$GmE?dQJ zF!{y6WmE445-S8YvBt##@RPzJY?hgSfNd%q*j72LE*HaEWpm6{$&=1o=@xcWnu0H0 z=N5LDo`Nr4@i#!L(gyg%-~X(#bsHd1 zxMttN&P&q>I5KEfl7YfC`c|`&3>2=-x61S{KmaPplL6{{rVwyspjDCqMZl2(>b|BB zaAZ(sM?zhaxiY}IHKY-6WYDT+4P>qiu>N~#1jRDwl-WZ`R5@E-r_7W{v}0v4Y`1i) zefrBN9&)#Irv=bfF=**N3!r8(Xz4Ed^jD`@3|hL!0;paDinl|fpxU4iPA`L#@X4o6lN%Q%-D$UfBrJfT{s zNIlnPe)uD-H2YP<;-U*%p4NYT$B!p6I@vH>}0D28@_GRC+jWrP1t+Km}Kjr zWtcL92}PfE26(=9Bsu-KGYK8uBk3(WZ0Dt7NoGlm zR?7(2moR|obi%iKMZ0t>uzv=+%m&WNTT+=$W_>{h`HkX%e`D%@pk-breMN7nnFWVE z?0Xyzr;i1zOvg6udw0J)tuwF2q6++l5OZ39g?2fOiy36d1*Hg@E%bqt^GvI;z=uRK zpOWdTw_LLR->iUY5k9Ml^%My4jpwA93Dk77#)xw`uHB(~%v1r&j3~-u!#X0&=!8bo zxXhYv9lQ7Za`ZON(uXO}Z&11s+I$_WAIA!EOx*o-N* ze6fy*fF)w-^eF%@9gut_@I9``3&RcpI^r6~;@#AJDB-O6DpU=9^z zEOn?TI2B}HxP(g7nXs^FiKb)MxPJf`D`#QQecR7492b$n>gSAUyOTsQim*vhwEusD z4*-TxiJU)q6vEA>rNl`S*Q82rW+SVq8p%DVVDroKW2zB9s5exfADG#VzkMgV+7zu} z;`MR3SqJl6gFP&vzCL@CxA!&O4peZiz^hDh8+|IzbK#zzV_FBR7cdQB4pw8NHq)c= zVTscNz5Y>3oebQPH7}(#Xw7J*QQHu3~xW8 z^@YLJF|?+bUJ8rzQeb_8Z_Q6Ui5Ibo73uyUt0v`jKzl;cw-Q{g>u`$|{{ASpw6#D1 zw_Nu*&#A11S(Lhno$_A7sVs{$$$jC$Zd8#QMQ;Y&sOTfvOSqYVw1A)JH+kEH82gyN z*qR!~wfWOkO+>gW5n!42$_@CUG-Op$xoq)J2V(~_ug6hdnUShO4wmvAd*u-hdR1H7 zia0CNwrZSF#$@tc4tcu{YshQ5daSj?Nikzp7D~vNElH6ZWnV{TLrVi>jiIH}eRU1L z^>-y)NMh7eM8hlISLZ^p#xq+2N3JEu+O(=UYmy{|J?T42ssB-pt3;tqs#Kl;Ghid_TwN=u%)0(aDJxf#3PiK%=xo1e}fUxw^e zoyG)v*I8fGVOi6IXv!vaSc=?~zzrk@*AL9|XOxD2mHC_R-2E|dsqQdmwGMOFvGy6} zc;c(USZRP!anT7ZMLadRnCRI2T6L!PDn3oU<;M?0iufxFL#p$)cQ+pVY}`fDtYB=` zQWET~*k#ilG8@deeidbruA?j*CY#NVD-G85s5*nN_Y1P3#1|eHyKhO}uvD@S3lHp} zc9kh^Ux!P}-!9!d`R+Wmc^SD&CPnv zE?@h7QP!ojUSJWhl8ex_(g?VsQh>da;=sJIXsm);ag!D}sCXJ%#9rxf=l?5v?Q2Qz zPLZVVQhue?Fmz|G%1<>a3r$G~?W1g&R}&UY<&=gwBpc_j=?nMQM!6qw=B;zhi7e(V zyZ_5I*y~O)|ppBeo0-j^iq|z%an*UhGwyM#=n`m5VpVU=d6lR^v4@MF! zX;))OrYt>g{4RyHFMN#Nl=UCuUc^L+l!%<6Kt;7^w!cjZm z$TG2%_BtLlAWFGjH968EC6v%cj5RpwnFB)Waj|k-U@J2#s%97mzlv*xT=%$R&WiZo z6&%crtbx@tYI7)|FPn6>?j}duHK0eI>P-j_qNG_4%@Af~qQ`-et;Sgt366p&i<5+QYJaRcDE`L&p|>M^b~Qu0|_BiR>s*NFOB{zk%209^Q`ru2RsQVD3tx z9Ai%6GB@;(?!x!qs&Qv^qv^boQU5Afj{{@Qyzm|CbTz*dG+DkUH>xOZete2-7MS-< z^enLAMC;9NXQ71oEg%ytP+ zMoW(JcJwPH$SBr${`&(hh1n#JFE8HGjl9ViCUPdJV>$obupY{erO=J=KfGPta^tv; zeiiP`sZ4FumZ)FPoh<((+qR>L(~0ZM#g^Mqr&aApIkMf8^wn1FE9@KXo9vS;sef4{ zD9Q3%rDtRTA0ZF`0gxnk)It0QfR!}r>9eavC=BWZ>vU${Xm3pQA^>kW2R7(=v4 zO5!^89AK$v47$~G0A>q=YAw*2j8>q!RE%lWMsslq_o zXmOcCoeuN8pck{UjKt>zh)Yx zyHQLtozIFQ=<4nc0bP9=>GiFtO)KX$sH$ko$~jQi_l&(q=Rk#1eCI*!S*pPGIcGy1 zqMnXXbet~ zp_5|I1b6EaSt_*KrU&~_TDDve@+6og1=-2Ml`Mmv1C{3Nu-<*@aFx;vLlr8sZm4BaT>1=lX;;dO6qNl`HQ^bE)?OhXwixPUne zuIosKWvp3P+lCZH)yWW)7tiv|&cc=~9M{c|8yC(>hgT&=IIowbhX^He5ZQy-HS*R6 zFL?HzllI_iM794(I5~$}wgH|D;$maFA3cozL$aTE%HBNIsFb$gZ9%;_mQ3377*V>QM$n!&QMP;LbV`2^ zi%0Mgo!Z@Sswv1~b^%I$K3b0q6Q5t5b0jtONa%d=}nI=wXWY5^x1=3Fl}+&x!!1f_s`&l@&(%yGoV^$^5Em2HIA0 zs|2@lb_D$-%_gSBIya!1ml4%*Oi=`D7N3@v%OBV3M;Kn+w&h!@Z^cJUwXAP3@WGj* zj`$P?z9v;IxD89!6_us6WS;TJF^(XEYb$&f=xPz4h}Q8ugA7aM*oy90vi^)kvJHmF zcX7M8EB&ZhZI+1&-l{1?rDKAs+_9KqYu28VBPyS$4i_2VZ>F-onK(0%;~1LRL9DW1 zS1p8tZf!7R#pRrbAu4 zj-PDF(6ZSXBuTYV81Csi%X6^yudo!Wu9-ZnbayGWZx3So#= zRyYaoY;JhRf@{KiQo5^x4vF{FqcuieZj=(0eLKuK*C8fhNe@cRTcehZ-7f>9aS@F4 zyv_WGoK(JX<7DfIfdLshtG_Gcg{vqc$PK)BZHJI0I>EdPS`ze9x@EXag&|rf^i}I| z&jpZD$Ey~OH|QkHa!3RRi(Mebp%N}ar7jLkRJE{#s3xbd#5Dq}F;dzhFMlSIrU~vG zTiK3_3T`B9QT^1^&L&NK(p3?H7)O$iexiG zvxXH@47!IQ#%nGp9>My^;Z`}2NjgR)Z-@(;kBp(BVALr9(lQ3(9x28I28L|?0#k*+ zN?G`e=|{Q8WC%upg3%X^BE)?x*JyyU&6wlm!j^`-bFSd}%Me=-(+1YtuFZp~XdX0X zna+webLKOOyRrSimdx9!fb*S}YMv^FPqb(SmX^wHMnf#!Fah6ecHgAE|I0f`y>>zk z8`)N=W;%Q0A**$*YQpvwZ1MoDT8?x1>CKfJA zaHxJOoZ}}&$9iR&r){b&=d`WjEHT$3yvc%4>rsehl>J#Aiqg2qOfJ;~;dE!anVeX6 zrt#@4*c>QyyxH@D{77uy1Kp_(w-eAn1&^9>gNS)S%0OBt=zPL3;z}@%k7D} zj7zG{bgwVQ#J@#riC z^4T4*;$E?qA~TU`Y>t&iW(qbqL1YhD;WA_gtjZ@@yA;;`rdf_v?-Ofrl8XhWdfSyf8r7KW|u~oE~>O6knd)O{6(`?5O?OFA8}it0oh2Z$51_ zw6msOc$;4Y3)Pxo!^GZBUsyHVh9Q~5EGhk9IBQ)xEU!* zWwoUK?|=W_fBlb|^r8z4YXPdr9}VH0u>e$~jFHM{p)+B9g4xE^0i#?uMQVCXW^&_B zJTIG7&vJ0KUX*ORYXiFa?C*AT*Id!+pwOmB&~m62_lglFKG-C8z^97vahI?voSoJH zv&$pMSPp_UbdX7PnQA22FFM$GoD$$<3LyCuw$yWgBtM{27?)!=C7!`bvl)!*c2a}w zB#h}x;Ju^q4T&c))K{0`HX*L8Or(A#uZF2uB;b_0CKbHJbsogT!qG?)z@aFBZLS~K;HVp5*$M(G}RA`;QSYB*GZ7ifyZl5qzdWor+s8jOQs?J?ku zc(8z}^oL^)bt7I)-N*lEsR0H<0|4XFm>s%$3~A9EshY_R`{0PIgYzr*(7LvITav5j%AC2U+-R!`D}2AHI80xJQlO<$b{nt7&KX74W#H zKCrfhC=lJyDk}kPd1)J)=mIsitggC%g_qL9eUtHVm?>*!x27VC?;Wph8s<^SoU@Yc z%F!+1%`vCjkxN$+o?L{MUrJcpQkxz{!0ziCita%pB5v2jH=PR3yQ9amw52H6H;Mtj z|7Y#k1Lk)oOyHxIX!CeW)S}E`yG$4*c)FUIOkmU?lXwY(u}qw#ViP$%F3>dc55N9x z6uzVB-7;CwnAnuj&(rpcVd^R$C(H5O{R!WR8?NIcx{j2K6Mniz^TYF}Dgg%|K!9$& z-HyB(y@k<+Rz6N%&P*3DH}Acl;qDk$O;!g&<;9~{7Hx?j{2;j{r%H1S0CIN6uaY`O zk0Y`ki9+)J?YJrs8xqKa_aoZ8q6csLJqUN<%SSAfnoR5wKx4KGzixJDbqvaMZiDR! ziFC;hh03!z*2phh&YOUDa_8%ztmE`fL+KF4hgX%25QioZ3~*>=$~ubt=NFGf*3u!U zPjksqWxZ-4OO4@GiW5NctIao$psCAxl4>CYgTA~b%1kV_CUaf~+(7ZVr75h}6|fVp z%$@ss+KNp6W8ZQ>3cC9F3DqvY%4l27pjjHOzCMLM#@i>YEj@)qf@#;PM z8#H_UdQ*AdQ6UH)LHM@+VDWX-B-u4`03S4da{lwU|Ei)vviAL2pJ@dhU~!t!;k*eH z>$5i%)~l287?>CncM)!Xe0i(BX#nC{_*-HLq|aXP><1^WCH5ruYAlA17aTUn2z_4B z-y!>cf!-2#5=KmF7PJETy!t2of#fd!m?QEhF8$Cjo+{PqFaNOpUL^|Y;@$SJ+520D z8Vn&XeMdve(Wl2x=;6CZ?JZ%y+XT=1Dh(S_;mOi|n0&68M#pYoN$$x9B%>WiK3P(X z=T!obH@2UDZh`}udDM;8rmZthc!Q2?OuWMOK;6OW-d><@WcrWYwWKKTX_}lv68NMX zlBbwe zZ4|z4UKoyTtfy;dNX6ZSBaPSOC+OZI?){tpa*Q@#cOII$Gdnr)bN)D9(V?-4LnR_Y zoL&vQB7)fLs!_-_!YW488t*uCq0pMrRXB7tj0ZHk&84k?#~D$9*lYS5zC`T782tl{ z2R55Lblgcs-q1Ue$Flfy(%*FZp16T*aCh0@2C~83WurDguXaZdpHG*O?~Go<8sOas zdGdp6WV`9#ZTt^3_FsIW=&|id%*QdHse}jr)r-=zk~!P}+fBI{DK{hIW}L+hu%Nlt zV!r6c{GA051R>Grn8a8)QFnIou;w;2LwakpwA4CwNU1Pbf>_9+aggE&X<_Xq<@;%928 zoFXaDEnp_8VjX9Vv#XNpK(v?*rS@4*Nkik&1RP9Nj_pwLcN_l$Esnc`|LqvW9}c7r zZ5vxJ3Sv@DjpBVx&X|wo^(_j616M$r34D%(f#Zl+MBXNf|7S@Xx3M-dc^Vp!s-UJ@ zwvdV?=ldoIyj`JK!Q1gLxH}%mA4q1FKz(T*TrrS>rICL?cCgunFGx(*h8Fo0wWTHw zC;q#Q|IysR*aFa+mAW%4b7z*;hB~nRq9P$`q!{hwG16egS5w7TGsUMjy{6RTPni+=^UP~wOUM+8bGaNINo;07s(H}Q^7HWe2hN$j0NhiYDyxw`0qCU z2U~C}|CLP4P2h#cJz8yE-w2?8pqp^Vo_AyDR;^gaaH?ZC(=mLaW25l2n359Lv0zk* zU9WkKs$J)ZOjn_P4N82qR%>x<`%j~5f_b8uGSaNBmPt3jf(seO<9u!L#-X8Cf%+x9$iRAGXF)?-_c*OAXk6<)r}O z!`r5oekn@rcz!$(iQLA z``LaWN%%n9^xTtW>N$L%o@-adYMQ*EGl(AhpvfrX%E(x7ctG1jT}`%rXJ!Mzv@D?t zwI;hXrJ`sFax#L9cqO4iX6R2Z+S7z*^RYmE-fkuHSYg~W>t@1NGP_t+Vh+YR9H2g9 zG6ucr01_KUw-I~`qgS->Uc=~v!xL(tCZp1u4ygrCs6=nOwkhFyx~goWvlO^y#WQT1 zpyJqQ@N)HpS*;AgVum$zzoPvC0(PJ=joH;oEF5-pZ2usiycu86!p3}SrF{&p-Lo&Tzy!M6=JpY)O6I_@Rh6g#@u7HOWlQ~%!6|2s@`P2uG)+5uf zuq@}X0WFMf$aXfHHM&yv-stVfWL4m2tQ>oZ==C_TdZ>c9NI5?)0uOSCS)3ggft%)I z7H7vr;9<#by$Vn^wMB4Io=Y4)@K8AQvQs{^_)BaN#!WcF5g(_9mT+v!Ll^lGMzK7z zc{;wP=lwf$3ruUDqKkYAqqHqz+|a*3Mf{XC*S`R)TlpGYwt!lGD?huIOE9_|%1=OWo>6d2g#TsYb+R&Qub~#z0nR`2;+jOe0L;E${ z+s}4omqfj%bAq9+{Y~`Kr(2%(2eeA}bL~%FPg@kBBQ<7g`kZ`P@~OY2ZI!Xjc=V#; zf23c-UEeZlni(H>YZXoP%S5Ay*N-;QM-g;VX4CA`&%D5kHgwa8fEU#JM|t5Mc^R<$ z=w9$dgEOb%M&V1ed3}v1(Y?3#_hK#v#Zp2%n#E-*e)4MJxeBHFLUgbO4SjxTRvY zrq5CF&9VG=jj%4i+Q_9PoGg*B_yP}11@|7rY^)NS^qVid&Hfm9bc6!6QWYpgMCmJr zS6&{CzdRr}{ELiXb$ol0KbK0mP`h3ZnHmF#>%i_IbO-vK^4Y=i0ZibI{w zC+oze^J$s_n&i31Au5mxSY=Nr^9ciVEdgSyD`IU31?96feU5HOm^AexZ!iyom#^Vp z%&iN29y)j`#LS`3(fA|Sy!zY9Ad+Ip?j?-KKj_1i_phTDY(;aJ5Cp9sea>g-k|1QV z^S1QvAb-1uzl<(hp#13b)?))1f_te5L-IVfh|=oKE3X1+d*;WMxNl+<>9+W*#fDyk z`CFqt2dEOT*U7$c+>>9|>fVSBahUEDGqmeH?$D8_yRo?6>3rs2PvJ~(!q0|}S zL!Q?Mq~IiJk^1{Yi0ZqFk#i)=g;)PqQuxdsiy*+3fILSSmm;JC@j`8M-GmZrF$1+e zMxs0QA$A+!5NbCj{D+1zsP0%w4EJF55p2)US_3S6%+~Zd32Sq~-cOS_?rrD2ixkw5 z4e+bc=g8Fd$T@}nD@*HW6=Mlh1Fo(!zMJ3PCqyOxM zO+{jA@Ise9kB_XEvfNrZF?pK50QrE(>2pf^5FS3>DC*d?#^mF4(zlH$1817B+R*1o z!Ztq6r72A?AxWR3(PsPOZMO-$IFrt|HPCrOlVcRVd7FTCLlaQ;3pHmauP52di3}Y2 zGoRco@$?}(jP2y~oC$O;1eM5cN9I!fJc&u#kSjx~a=Uz>Kgdtoi4Ps4-*4v=$s{L@ zp+9fJSC2ONq5o&@YP-|cmGxiIr@PX1N`ehG=A$u?atefEl5%!dSC&KE)VBn4cuCXq z>yISAU>oVNOz6J%!|rZU>zUDLG&7P$Bm3@~kOr)0&1f{-1-^*$0A1vgA~ zzJEdgrknilA4&4tT4(Zs80KeAsPDbKgirp9h)Bb49%*n>&nIBQvPIidJ4i*2k{~4}6h$z?{w1JaQ(CnB57c|RtDApTI zhF?-JY{6c>9$%8X!sO}3M`&oH@^&=1A&cDR-l90%eRP!9o7wJhiL-uW#p>`Ffh}|% zkE~Uu={EgUQo~MDfg=|^*IWCVqzy&EHS*PGo=>tC0OR%a!W@;aTn}p zLqA^&vCuq6?-vio*W0z56Gu*yCa<_%Wby_S$Xt41(>~%43Pgs zdMiF^g?g~GeI&JpgR+Ku6B-4wN82|(neN%zh%h? zs{zYf?fg{~-L1TMJ1#C{m)E4^O$8yyFj)QE{w`2$#l{aMCVrh<8_jF->TfOyAFm^? zo#1FNlkGZq_PB?WmoCl%ZPQ<+78f zkrB8^sv=smDG)7M*r6WLrP+z1r4bC6e7g45d?VeSQ=9FV)BsWkw5Gbx)@N}poG*uv!Z|t-+b&l**WjiW0hb7?TB9gCoU>ZG?x9spDQjpyy3jQYkdhKr( zEM5D$&?<`Dv<49S^k#U~udzP$y=|sL$y|(5O>c&IWbDT0E^&X;wf&2rATVtkX8@sv z%-o^tATk(m*Ifuq5&#%pMF8v@Ap{DHro*{BDr%ysI&sLv+w7P-9|kW03lpx0>#f&6 z=!!4nsq=_vo%EHi)fhKRpU!&X<_g=j3=|jI`==mu7XdrAD;C9V8Mw$e%hCfQm>dj= z3(WVr1DkBu;qsDf33cpYv2hX{qk0ccx5jRerpHU2pw`VC8L}e9TXDc}z=wt2DZZA$ zk8;reC(Ve1$gp;%Gpn^4^@dF`_@XqLK!Yj$DN66!NY%B8ZHT{TNxGA)?(d1iB(iFGX|~BDe!$< zoph@QIE`jQda=jLDxH`hER+`Y;>-j~=AfxZ+MS=^IpB|ZThbleNJy2;O_PrhBoszd zK$W6dW?(FC6$Jz<5<)pq6klU+jW|bJj=UZuORokho@xoC>mPD z28*9`$;@6BOOE}w#ivbLErc*wt-`y3JGdDqcX!y6LPwj*Ewqae3oXtc4D##O7JMPi zdkyxYL#0+%VS{HJ>^9*WnGeZWle7k7o^4Hr!OoXJ0AqQx*!k=jiz#8ad}0~!{lUbQ z00HwD13BY{HJ=NPXC~fuOB$DN5@g`-r{O0FKj^5_8EeLTentOhQhx4ZQBCIGBv4?G zobk9}WIzUkfeZ!M3yNZ7QSKxdXrt;NWKASwFoI?s|2-QFgh!!yiz?M+2 zF6h5B`9K@dcpG%QKZxnHl;~8D1PbF1fVw&$y3!B>4rn+qHX9W%fokV4D~uRQaLr*F z6)=IN%VAc~eRP8(#_aF;RZ?f%Z!utg310ZXSq8P-4h}f0ttuh~CNK}Gte|apwJ#5< ztWa%O&(<014C#It{Cgif4Q?p>Hxi|<1#YP!d9!*s!$s?9=VI+nZ7*9Y^p^d={jr1UAf65CF5mw%9V}@GBX|Ak;{K-O=b) z)?C1=DrCwf`$5JZh%ZvG+#RINe!VO4IyQ_24zQEKO*sU5^%TC4@&4tJdX}`#odi+E>~;ILq_v85`zu&eeS@23HZ0Yh zBE5Zb2ISW5l&i0bakCkkOMk5ZckFylCXqTL(Lc(@UB$jm?Lk*T&?=TSG1G^;wxuFc zv9hy`_x(Gae+hgvDaC;3pyM#Ldn0m@e=8_vSRzQ2E}5bZse!!U^>b@FalFM3zkGyH z%H#ofM1i|gd!&G;Vt{X)p-nDsRyBTmDza@X^WgV?p0m zAu6g>esCuCgiZqgk=^o+?;O*Gp^QTn!$%E3Z|ZPEKm&&`WHBLo-}6ldicDZ4WNHLz zGrJob0-}=zHv}{|;VBtU-p-T3tC&It?{pk70y>k;A&l}hhcgJO(PjVEB^PvY>nDRz zYMIdGw-lPf_G8>~KowIb32Mk|yukks7Wg)-fvn{8ROu+iqaL-3OR7_y{Z;~ltYD&` zQ>L8U=cjjd*$#!jdJb0p2UUhutm0pTi6R_2`#&rjCUiZ+Zy7&ty!8*}vm}>|Q(OaB z-*|&&HmAOtIfjw#NE8hf5sOjSgOrmI1Svl+pYh^G;rfw1Sa{H;i(%)p47B`kn}JU6 zZpq}w?`^Os+0wG%J<0;2${v{wYa|x{?WdPuRRY%rHux|WZ0|vGAuvVimnR!gB&c*B z4^qYY-7g=fa$0vvQ>kBm;Lqgkb|Lsq zIiQ9F0q28`+wHeEa-aAyJvvl;jw%_jwHz;t@F?H6?xRXz04piR zAB@NrH;MOcjxtIuSny)C`tAM5zW{Mmy{XkkWlPxZr?+9RSNPOG`sAN`e;E{3(`_?3 z+W}t79k~2;hWq5&?=o2Z{3gKx#`e?AjJ1?BM29%pXJsVK(U9BJTg%oa2LzP7KfUP> zI=8N*C3-(_vK?s>%kMxthS9SH(hwkGPu^U25T$?usI2CPSmj6`@Z$2+hGG~hN^UDzM2 z66`jf#LHsgoC6GS2yx$PzB7__2`vU`FD|Ypg?!YsDLQV5Qt8X*4LW5=nJ3#|^-N_e zS7LO$aDe&u-g`nIzyvhk^h@LV(|`E0#=DR-39rh>yD4x52TWiWa*9XAOxD5k^KZgJ z5eXPD5fsciGLj#o>vl88mY7R)k`S{OKcE$LSYiawS;7}4bUrIS5`)b&xbsFF2cjA>dh-{LF%cU^#4yohu_LpxkYXd&Byj?*>7c<|hq z;%R2}9>e3~Q!z{WeG(?x+&dK$YS4+8Xy@)!Otg)6Dkj>nI}sDlNVC$6M2nt|zx)}j z3g1UOzy(U*=&}z;TB|g<^h)lhzPH@@Kgo19v^1;!O$?6C5;?eDC$H26)w3i<&cLoj z1#K^KDrOeHYad^QjGdy2On)7e_5)MF!zagwlk01l+6p3BqflT>im-@MYuIk`qM zH}rZ<&l7+J?tTQ+T&}nLus>W;KJ$j$M(^)d+R5#piie-PUq4xW0%?`LPE`327XqD( z&6Yl!!^)f;RDyS~dfIr&5w@sMUZ<(BCG^#Q?5(K3Sg;zQb#l#4ewldLx}T@N7bBJf zDlqdIRJ|f9s$73SZB#@>yE1eUoS;<31rY}e~(DT0IQmyi8l0rfNjg>hh=Pxjo$GYuz14biNnLEDm5%g@c1V-M#jm65$3GcBd- z@k>o3-qqt3oraq|wN``C%^_etmg50D&g*PgMwHiSIOy!E0zq=|^?F3(8ulD%a7;svX^Ju7n^0`kyYQnkqwLA^mu_EgHuU`Q zI1@6<%#@HpODII9URNiB-+TDtxXrqurV<(~@%zQG%|<)3$AK!$9}q$G|HT>i?Urd& zg#;#pLYj5GdDV{oXf+kF(KZNen16WVx4;$0Zxz9pdgH}hz9BA*^~6sey8bqJUV#G7 z4hrM{syV_ZTe>KAu{Zw0%f3}{95Qv|7rQjHb#G6d8vBAYYfOPj^u7mOYV+*t_%?=c z-Iv0njmZdJr%vKzcy!nl!8hte(@(}nJDw4~N%75-@li#l2)|XQF8fq`9R`;SpDkB1 z;z^8FLS!&dqysEPOs7HgtLBwO5?Vgr8%YS6bk(dxsZ?L}yuKEDq(%eE6r3_?g|{E zjmDEXwwi=hp?@d4rPf`~TlbSDBf5AN6VataVo9jlu~L7c7yQXdJu3AodcmulLN!t}?Tc8|g#4BoxD)x!nZ?pp>I|QKXk&(1E2{O(kzVDT(@C6LrCeIp zTaHUQ#jc84Z(eb|SJ6dFsEcKR@###YYS}nXfG6f3?Zuvneso z7d5TW0d!6NOdZf0=ZUw){Qr3c(v2Md=T#tdU;kYEn~?waDbSxZgK-BencY6CCRtXQ zn><5Dba6+{s!|q8L^)SS8fqP>qFZIlQ2IrV>tkA1s=FhWg(Q#*Rxm2Y!P z5P=Jb5$Q@y3VL*alK@+1XO$wx17B}A$t>)GSg4E&FaARRM;GesdP`EhmGpzh<3T&( z!ESHkv_<$1Y$*?JbdPQl6_7ptEMoFw%vBY(fOq-3*!pA2r5~w61C=FFB$jA|Zkn-1 z1kYS0?(J^FGVE{CehS22uK(ril#K#KP#lQVW+n+SDr#HK;Ne4eT7~vGgp;NHkqpCM ztita1pqQeL8F{~kri}C|$)I^=`4216KCk?Tr^>&1Uinv%fpcd0JM(50;^!RzO8mqT zaLzjdKnh@qHg6o>IcLRiM5KHf?D3>VJM&7UXongsNh521<#Sua0UBOq4)i+d?&H_O zE75QM5edj=mxzP&OP~V%)}PUV;dE4mg+C#J3Jm-iEntsxcw4_VtHQ|nC2;~9)*qFJ zQ$aiN;^=(>IpPCl);k;T_fhg*H%+cZT+R{}?_J;9?!3)6(&&;|xCw(N%F{I5ADv_N z04JZnhMVORPsd~p>0d67FV%EWUSBs@1>|}Y?$?Dj@g4z6Q;F(2G@}b|A%DsAihLOw z)Q}~Q7TkBo>`v=vtxi9>>W(eZ5AOVGd^5Xsze!jCtJQ=B+Z{Nh_YxN}zt0l#Ww2oP zLkt@g5OSi@>+If0j*g5BSYVw(M%o>a9j+p!nk5EqqojlgIL-_{LT?|?t=Sd-SzC+S#$E+rN!b5HTV~S$G=$qH~*HTiz`EHT|`W28b4u zLM9QB{^Z)u*3paSFO@~7@3@*SSF|?DoQ^tT9(9CiaY~_kYY*?t2lh=D({D*Xu1d;xhQsIbY5`9D>rhj_?nh)Pm+}sZs;PoErQo2{nlk4d88|3) z5h=~B8=;T9U^Vr>CwCJlF8y`yp;^Cv_CX<#PJ~ zCltyFQ;>~+kj=vvw?C0l0ggaLK+*|?GQ(AXrP>bjdp4WE)9O$x78Q%F)q&2Gn*4NV zMOKXQ{_ttyJfN`!X8(3c&CPb#bmP=!~Rz;S< ze9gI88OxtrB^;xIi#bOqpul|KgUkuq<*`&Uv6Q6&=26~8%EVFPKx`C1RipsSu#KXp zoKcfeDYI&JdGrK2qF~c(6hVosfm~kLqS+{xDhvsG)@R}^ezGU&y!DP%dZ;@7AhtT4 z*n^IA0YqFU2vTfRd#G@U>n|u7Vs{EnqJ676GMk@2n=Ossk$Xj*9PV-X?36-%nGnDw#f_)^p->(=4kPk(X?Z++Fli8cvz+=oaeaW@C-T|_ zdGr*mmQ14!;}?984Ac!{8D>=(Xm>c?LQI8iqMO5+@&gpH#@;-;oJcnV^z3`qbCkKa z^;f}eeOiTC8Vc{m2l2%;I7VmmWAb62cV+T|0)_%b(d1Bo$)YH_6bd?~pc~)QLd|h~ghb5S(nC2~r201l|6o!NV_UMiR)G_u?P&XBsi0 zjvJo_PYjLba%eYJqz@A>mF|qkX+RE1ZhHpO}Eqb~KA<%H7A4@=BUFe1c1Zr#gu>=HI zB2kEz7y^yG8U0w;sK^db1aZegIoBwHDMrAGFj_(cl=o~#KUP4Bk~0c=_&f{42PYvo zg-BSdE$tkAlZS)?y)S~-wf8eSnKI^56bgFiZE48hOc0jq&qYT71+N+15Bv6vHH#zn zW3-#@1DZUPRW355Ff7YxI#Kj6EK3-P>zRj8j0aW*HH^+itm<3y{FigYuWsn}GvkpZ z@?q$KP?mm{^}<7lYtU?2aSaT#Uz0~wt`;qIVznvMP7x;tj@N=t8Y5(GiKe&AL0m)Ku4eqmkROBxdgvi$UkSxDd=NY_suj=NPKqT9nI1!eEm2Bg$Jx<*NVCXltr9bzW}5A9ag6 zY9%X5tenziZD^;V3Z~9(OR~?vQ)6d0sI6mkCxHfw9Hgg!9Eb9gfX*G)ELM_}0A`g@ zQZ7q@az&Rq9X%OZTZq;e@d_5PqArKQ$p-e=_MU1 znCOFuYhAL~(9|_N493KPM|KW3Im?-q%7GK6_2~w|0acG-T}xFtq&914MtgYiU&~om zHVbqr&15kmEVRz>mO(?xJhcREZJkB#xL$6nIB8linR*d7oG&eUr{v8z|9z5L2}sPE z7aCSOJ~S|zf?2abWAe~z7@9gc|CP0;%#knH`?5NWv#)6`GDaGW;ZtG@&6N;2mUBa$ zG-j8svODiHdO)phK@Vwjj`Z{y53Xn!+StDFMZ{<3bgSh2L1+QO8A-nF+Jd%gvosqq z;I?4fD*8?Y=cDC()R}7vj^P@>1_B~t$4O6b@hCJwSk5{{{))|6v=RYu9MjK>1aw{} zG*sLS^mAT)_|4Es^k#J9O)*VH38lqyl3}ag(P4Y*ZoW4T{vS_f*b->iqv_}6ds;`( z3LRc6@G*5kQ|J|%LO(afCBB^1hZB-W4)I*0BjM<)cm0$V)!wNp8v{Sg=-J(zykig$ zSEL!Ua+ZD+a)kZ)EJhO}H zGfNqVDgxlZ4HfnjFLIu5UT&zih_Z%_XKH??sWg&t6epU@ka@p?iej`EoRKSvSFWb+ zo4=v=!+K-wYa=|d3w84=(ann6kOB*7Rx)K|tsvS)QwPeWqQ%7>x`Nm9-hvG={KHHU z9o>Q)?Y@&v?VMAtABy+zbo2yh@yn-~zjN1z^S6fyMp*r3ADw)U-QCeA3*^NziWn6| zh)TV8dRmhIXxG`ODwd9tTh9HXN2Wuif7%DHp3+_BiY9(6y39K7O+rFFr$JoDrOtxr zz$FAdPSrJTPoWv!U;YZKcWvYo?j#`bf(~tPKHkkt znpbHbtO&&*+kJI-2X`O1>s7GLl}Ka)%hh$pX4^8Ar`rWhF#9dag>@B1`ldGpvm?_$ z9ogA?Q5w^vAM-8+8*022g3c$M>4;Yf`0u3Dno|mldQ$40QwnTzl2ZT8mO>Hf#{SQJ zFfQIOHsYXkmJRIhc;Du#%D)%q@wDtowLKi)rTspd{ zHhNB`XcN5{wl^#H=xrKzCz>}oTMk`hw&$~8^^=Z0PQPo~$c+AQiD5X$={w{~Mw2AG z$2+zkX++u8^sbjFY@$J9uiuEx^$thwXff4z7&k#9_y5*)wb5!dRqYaL@cdS=kWt<; zHP}^&Jv*LutSjLre2u!>`^Uqn_!!kP(OvNQchDskAWD`b@BpTcY`9#opfT&9}EiitT{@M%1q&F)||8R5_YGbn~$f`e( zGW2cl#C!0b8A@%zPy+tu&D(d~)z4g+Xul06a~{nn_Ee$Y$(9wogF3wW^clc*dm>5? zJMtk{KJx4ACfGC^FLXmwEhTb`!bf+vj?KYAt_%}L`Mz-vKa{<<3W#=ob6~;Bg#-Is zcn_Drwe&VJ&cxr;vv8vkb*0Jj(R~Z{O7b|B_|V7S;nRapY$+(^5m!nU3cdEYJ#9~i z;QR5ja=6}K2f2>u#9Q+)onnuC96dv@SN}cv2S0o^LOf=F<#FIpKN*mZmGNnF^uH%B znnySHMN@Z1gSiuX;L}qi z)@70l2)G6`CQJV01nNb3Jnp@%S2!ED(30AId-K;We{pPCpzzY&`}9d%el=`a5*Hem zHH?Lv?s%UIPx(5?3GTmmJ8$nYysQp#asHk-%Ka|eA{}HJ zy8r2>-9lyT?oPx%KA!gU-6-|?+#So;>qKL=siQGJ9=+0V7rOBDUjZ>+gQ*IOEwCM z1X4hW!V|H9&=RTu6sC@d4_IQ4;(48U0f3RoMn;DIv zS;%eS1h33(-7f04L(e%qdzm-#jM>RS10~$c*|~>YfRbC%_H@q69aK1mgyXOqlG!?n zj1`~wgns|lTl+32gi0Fte3LbKnQ7?2f0PuaT*c9?#_e_|`g(Sq?4Y)1Wec$!xYsya z-rpFKrG38xc8N%@wm8Inm0>} z1AzkhM-Y}l2Itl4hyVJ2%Hvd1Kaqy-0Y!TGid&Ij4UQS;2z%akJ*h5Ep_MVJDzc6BY z(Lr3(X@QgMxa@2(9yO@Z{PNIcMO(9AN}N0I!T*C+`8Xu$^e%7s&H*lwrN5ukzy; z0gMj8v%vGgv8LoM+y7PL>AiTM=1l%#1hvkTn?iNA|t&4}^;IVL%DOI}4P>c{u4@H(ViAK&ylj*l?IYOOt>c^?iw4-0gI%t^XP>aETR2%rwhg!nP&t*=&*6(y&p&Sx$mzdON6{TGWWe7 z{KGe8PK+CIn`o-g@D8ayjV?_UQ}CpK!DRHbr~!=j-~@~@Zgs){S1+aEB$m*e zQR>efhsMfo7>1dgUZ=AGJPq8# zaTRR8aiGD%u&L`e%{tg%bCRsE2(~s3!+ckO2EHAot=FNA5&#X)`X0^iZ?r1#Ao4_{ zl^WE+i(rav)xidrKL$i86(G^Q$YDiDFjW4T&%0G1L0_AnUcG(Q+M~qa32sAEn~l3= zZ+;PQL;m!av=DH79paO2q0Hvt|0+}gT++%^p(=ZDzH`REX;xtlu5Z<9R4}?P8p$@O zJUAHM)inXaCZ%*-nKQ`uT~){6UMag*c+$|o$T6T-C0L_do#&a>t3n!G_N2&Gb!6Zj zfW9G*4?Kjr>Xxyt)w?yyD_VP;ql>rY`!>3zIP(tv#t)-=aGp_gV5+=ZclYw=M{rW+ z{>I%EBBq=ZUS8)QV_zF>4bPnp{X(cWTCvNWd&XKVfwVLnG4zgpp{G2}Ja=>Setrwl zHI+rMipLO4RTV@gU0if{4aC6=*@RDbpLqf?Ysjiitg?b1PP~oe%o$a zQ6`!6HG1-UHeta94Y^Dd&1^^AjI3=MQ@XfOo~GT=Hx8J9S`5}mg&}&HPP;rbWFJ!0 z;^o-Wbj||;KHO>AYwPsXFU%KfT&qz^VD^iL6eKV(38Y>U5;+gFx>hOW0dFCNCfTlF z8c&09TLQhhmQkIoQ`PkFkU3XDNQ-(P$u|MKsHa}W`cHrfZ659nd2s?b30wnFXhQ;2>brZ+p0 zrSXy|cU|jz69L&BC_}lLj~z`Nh9iqWE|e=<|D-%E{18y-8ECzk@xz@0?G6L&#f<&NRMqr)hP6QhA0_!zwC{Qn@QW!@; zPM}dzVC^B|S5!VAu)_L`ID%tg6OE28|)Cx^6|rj3G?gwy=c(yTTM!OO3#$Foj9l z6s|CyJz)rwwkK?1(3a$dnKiopq^W7zqD-TiHTr%mZ6@DpL|WxmOQgv+n+Y$-$VoHh zrPUbNRGL0$%;ZP52?O}ZN#pbqOVA@a#Dpot%BLejFcd<>9edR9r)wpwy-fs0c`VNicUEzNQf}IsY-_5x1DxRtI;p#(XfnoXTCzv{Izd zUU*efIYMGBovnc;vOR+K8rUuJ4Qhath{S!Lnb!evXu)gn5*#L`rc(}T#9{93-^d3Q zXw*|hLPM)dqfWoQ(9rABz!R=4jb>dMcqW#mVb-NlXWU+BwCd8RW%JK8+BIni7P4X* zMtZo%#8Zqk2?B|2u6VcGha zj)xMoNYVKJP?lMHBC%BcZ`$$3-k(42jy}35Poj43x3uPMT@vWJg(L~RHVKqUN~+UX zMruN>!NjgVnQ0#|nc4LxGp+t)*8YGwwe=x1YR{>y`lhY@0gYmQfHv&<+Azy%1KwO1 z+!2u)6-j?@EaW#2v|`VPN6%8C5-*Bw@u;b-G?2pXr7jPws-RJS?OjEoOq1eYQu z88ttEQRkytP5Y=;>wJ`sv=7oz`@>qT^-+vIOh;xFMjg@as8(`!w8PqdbI=WCEF`R4 zJJ~#l9_RHVGd`eOa>OJ4vN`TuZuRmC#|g(uuqm;l!lqGO^AU~rruGk|kk3_ml-HHI;2A`lJT-!`?}N`l=+AN~Mxir6&gAlUmf9FN9<> zs3wGCwc1T2fzJpSSF@cPGv$Ry=Z!kLQ7h$>n_c}9W|u1-dKc43JZxM}6%W0wQ5Ema z9Ljo6BAX*yId#3Uwm96mAc+%UK1qAKbRlHT?KW&6M;M9Mq9TlSF=5Ucfvjgtjxch~ zRG+H!>~8+O|VW~OinA+Q2jg&1&i3F$Gz68jYa)Oto(V? zUOVSTFS*K-R1LFg$O0Z`AOERxIwu0J%;UWHiYl8kH|DBr{t?edk-6RAEo|hw{`fk( zMlE|gWuN&dR>^Y`Euhdd>SXM(}YXEgXiofY}cIylBEm^gO!Q(bs)|L=d(zG8frek-0CoU{a>C^VM zQLXa1Go3l}T8;^n(0;KEHoHNz4wKyD6}miY5SNZ+H;aq2vbr{zqdvu(_(`Bsx@7^rS1OQ(Kg zxb+MuywpnuD!=L6I0x=zw2fbD%^v1mh{`74IEMYkQq(+fi47a2C1J$vBwd++7?_cS z*g(X<5+uYXA_jqhgt!BUJCZhcK$~r3z$h{OUO)%VViP)xM@M@>HoB%JAOx#RN~rS) zZD_)nr1S>@Ld=oE#wk@IgxN7sIkA!6&bHY8;MyOI@6x1JMR{ZL z6#kBuRV_AQZT8j6&j73}CR&*W!AohF`gMD6rmK>sp>Y~U+t7b`H@a3^KnxTtBQ~w} zqktInW{G$qpa#=EqZW$|rhY*y;0&KGGHSXsFNtB=VgN~(mjKAsk6^WW43@vhk7&F8 z6V$4amp~;$A(u)r98ILMP2Mo{yEFt5t|L0X*n%8y z>vg#)NVXm$EuGHXu4Q&T0VU{@j8Z@dv@<0%L@ZHp>XcGI2;9q*up?p#PH9t0OGF96 z*BK?B5M_H!2yM}jpoJi#6cEa^z!vonitlBVd_qIkN<*XtDD!7VDIk>Ux+!8Q)pe6k zh!O@SgdJVL61h?tC7%%0V@SKl7O+GW7cxo#p{!#K(Il~C9cu_C3EB#zde;*WO6N#V zAS?33XDnr>hz@W}=mccIW>GRt$PQSngpNTxK zOLT{lBWlSilrWzG@+@ehwVkYdAuOy`fh1S{cqkxnBgvY_S_#Co zj>R;=6|piRPf9~1r4&?aF3NM>J7g*@Wo`CaNpz>W;`GK}Di6 zN&%s4j5;EZ#FZ&jhwqWV$B;8kXy2g%By<8YFpi8&6R`uMn9vEx&~ifCAY_M@6GkT> z1Kuwq6SzGZx+kB|@yXB&2G%Jec4&v6(22-0JK%PPhdg335y+L-XFuc5YYpvDSjzI5qv34I7t|tfDB1Vmogzc)G3UPPljrE%#60lS9TM5 z`3qAw+i5k*UATPRM*DXG2vz(^=W=re4_4MXUEbeDe44hTB(^5(UbK z<0=sffwRgcv;{>Z`)@LtxV2y*s+}-%k|^Qd$I-!FBCFGe*50uftX4uOAVmiM%lt>Q zjKa-ctXc;g(b_OcCkyW|?501Wv~1(-kWzwShr(+e=*6_>y?+p^l^bNvLn zfB`OY38t>10x&S2$}+WEig;ihDB%sJj=a0jQeHq!X72SQUIwej*Ijb7z5Nj^MY@4j z`4Xf~++g`r1cE%(QWFProlIGIk9T=fkrP`|GjBfdd;tVl9?B5OF~Rj9e0+VDiv{k~ z3Z_yr0GnXNtxnprQI*@fZSX{Hq87DJ`DsRtI5pcnR4{pPKeA2oBUnePcL6ofP)bex zTucsB$e{GspKk^RpA<#RZU*-{Bh^Ku+3KYm*_9tdLlMmb9JylupVaCxAzWA!ri42Q zpM&K)VgFDEH<2$=6S{_q7N)~p8iyIDxTZI$I%}|wnltZG2kM&rp&98P=D~!<+iF!X z5qy5@(=@VM>F`2WBbMZ9W__GZTJDrgWA@o&9BiNJU6e^;0?X;__rYctEy+Z~OGF9n zs9iejO2C0Nqu-i7Tz`p%QOlYAP10uFt27Jcp<~@==qkemuk|n#)qb(_Yj~!W-SYL? zunrO*oLr5Z*2vJNEzj2{D&3It?YQmClWh-VUBlx$4WHQcHRo6S9uTjiQ}w%z_u*q4 z|DraXe47q>T{>aEi{wz!0ez|3o#@h2p;D@F9mz0T8u_h#IQHcEXz1u5N7I$jdJ-+M zl@z(xuFp#ws?lF_u+QAnMsx26Oou^kMG>9!Ko(NbaB zsL>*La^-~~GeTNhvt|$60rsFe9=7Xx`weZ^`N(L@56C7C1n`mjD#%t7WOQ-O4>vou z0TJJOvmJ#~iQD)oSh1};VHLKia7-5F`n#)Ow~KycHTj5B+!quu0lHRZqMyYC><`LJ zj8mAPyV36I^|56PNdLY{gYKTsZvVIPdE{9`gabc=BoYk+I=UeB@2Sh) zZL*+u9s*G{+y{KLmNR_2ieFtQCEx~He*Zn~)9>lGUg>5v7sf)jN+^ugeIw2d71F04 zO2BmZEF+Pror2-EQ5-NW6C5qUxuy*i0pwda>bayx6S{$0S_Y*CtY=$vagE8;Z!uD` z4x$Zb^Hy*K3t)n-r(Gy*I?vORb?Xr}Z9sQscgP@Iy}pIwy=TD|?1K^(M#3WL9BC7b zqb6t`h?j`*lc)mumj2+oQ1tqCz28RLb;M4kqcUz?v$s2|^D5lPRlEsF{DbP*=KU`b zZ&@driqlIr6D-;E0uh1)z?K1A!gx^_uxKVQy(BqKup%l`4~22Zp63zG=$WtxdjW-B z=hFS)6B}}Wpa_N@+zzg%Q&$lO-TLwsF@OrbskR4Yrfb|eD6?FX&Ory)s+|MWQMGf> z*0*uz^e&`1y$fhg?{v-Sq8E3AXh*w+I!?iM^-jJ7+YQ@}R7=Vqoojc~7jv487K*zE z&31bho$`17qUG=bhTx)56`)@QfNt;4Xh*%+@@|N^vGF!(P7No$Mgk9Ly$-p(pN7Kz z%`wm$AWzd3LD12<&%P%f{Z9=GmdkQ=1 zdGHcF4Wm`ay8@9Rbkz{5q$r4V8?0Dq%jM7GC*Jvt=hBTgn|K{o2Xt}FVq$kxqc_9G|S(nA5E zhh6j>a}Tq7gX|;?#U}DRKeuC-y68vmU2}{cx{;7$umYew4ERR>^>?%nf7J+5rm#qt z^SNt1q?gL(-o5rg<3qrA$e-EwWN}Z99v(Z$&U@?ERrn^fgN~jB3DKjuw=8GgDBS4T zMEf?2R`K5a&IN;4dHbv2DfBkatm0KtcQm;!k*47wL7L=FfC{>YhZ@#%=kZ}tFslTs zr?^QUGyn%n0|HOG141KhDM1@2$&DT~B5=9f9q2o3Lb{4<==x3W+>qU(ZeM4A(Tk*_ zWc28Xu0JnB za7l~=DV??BO|*}WPIwBy%e2eAbwv1iUkm;rB2-V<)tv0r$_`J%>ao?`KP9@t9|q% zOJhlrL!;zLMPdXFy~grvE$IjU%06cwC-TOBsN@~1eciF!P2^TH`e)0Xb@6#(mkce4 z#{#jLT{R+7u6bXwtW8${o?z%XlSD9`t>Y!-R9nfpLYy`|5+TkVbSTJ{24$rCPlX0Cf=>twoGD{bn9?vDyczSh<3V90hbvy&mw^xy0NE< zdY;MPak{wm;K7xkW*Y^i+Qa=nhz7f)QvO@~w z6MudG;!GxF@w$DC6VIRm;iBtZ-dp(mejH*PAew1RTNH{$hutk4H-GHIx{LZZS5x=yuj3H$0P0b+j9I_GyzZmTbA`@BQNH^y z%Th-DDLU5Cuj47@q0sbTFn`)czeDx_vPPAj19Z_0I#54o0%CB8P!M-{#Df7!j#T2@ zGOABxJqxt=<~8^eMk+~LJu458f+g7Vle?4m+3`$TV8kDYfOdzEGMf+chY7%`nP>lG zf1|&!+wB?q3ANRuKG8o||3yB3s683N5;SifUjmlH@I(=S8_-My`(zP-f6zz-c47BK z5zyIP6A_G)2LgGUsv@{0UAVcqnGk2}HWA?hy5N>{;S>=rFc5BOAg~DV%;YB0x;lFY z!QNq#EB$|1EeuZxRBy{bLrE6|;N&X%!k<|kz4*KdSMd5q%GEVG+DTkdykDiQhMX&~ z)<+x+eMH@KAreRaCS#SMmm8pWOJAt-g#`+f_-ZHe1yfy#udTorShQoEu+fMeSqeI0 zz`YTnS6a|1eWA`57PC;|+dh#mSS6MCS_*s{@j&L#I%>cWRhpBTi0Rjkp^>Tg^{d=Y zfEDD3jc$pXU~_D16P-)2%OlX$4<9$-3F5>up03f=PT`57g$nJoWjx^n{3^bQ#z;F} ziH16;V#&uYX_;l{nU!1q?%lIj*_X*O%BiQNjy>Y1O=Xk zlxLHrwF_1sjkkU_S=+kD##k>tZ^E^SZR2n?q+HRSxWYk1UKbiCXs!u;5Y^7@*0lyq zJ(rvMsF%34Q)Oz*4L#8na_h7uipUab#>Rus z6YWhE4Ax0J(ShRmMpD4@ymnfcrvXo%@;$yK59%4kLC!&V%YfIy`QX(6f|W#aETv!) z6+zkC$Y(6)&h!DzQs^05rDv?8p0PERaHlPgaoI|dK7j}dF)k$$RKjcm5t?@~Uj*Ac zRRlDrl|<-fA}GY21rnUA3f*&60eWXjB3QWyJ^fS>&eg_T1fy%7D#E$in2XS%KFoRMxu%WJ&;=<`RT*mP45{~yhFQ6VByr)Jumu;W z)Z0nf3bug`4o%cK%$a3TR+I)xac#95!z0tcgTGE<0}Yud&F&m+7;l-;5I~_7kjl#& zz53cE8bh=gQfNVwmGRM?sFJyKd}4fPv*(Bc7^USQ$zLJHfM*3c#%I5uiUOXL7mzUM zQHEr>?6NC}YRF33lOwA^B7;zYWGMobAW;sa0`lv4hSq)^$0LtXRCUi%^C>(ROQ+^X z98i>{Q&Pv9+1$h8DXCxyMp-^34V(`o;wdRzfg+O*B|c#F#jbK&<^AV1dP$kw3`9ioe_{oyDX;3@@rzV0no(aSC@<;M{7cG~E=sN>H(Z&0b6 z!2w8nQA4KE@fYj|iI2aJ1#W&0#loNnDv@cl4PJh-%pb>RLuH)IYqSPgHmY_P6*uK$ zldA`r zjv#5Pd06QAgCB+4Z9sPAO4Bv!ToUvG!=*FGHmigv3y1GHALrSs6K-qw%$+u}T7&Qx zD@QSio})cos?ro9_4@A=BA-*h#~v)4mab_UxxX1+f4&)#Y5erMs>ci*4OZ)px66=j z)$(+{95bY)gW1J(aQZE_?P=+=!<+srKTF-HI~wZQ(J&a3u-+Y7nwO+#3r~b;xDSf7 z#M8yBrH$xsXFhw+RfR(XWK6=~2Qce8dPU%@ljlLlL?{sr9fLhpq&<&WnvTXa&<4bv zbq`6056NhVB-reu|I~h;va?|^=>3-@NB*~)_ZMn@St+Q`goo~ORPYQ9;vpmQ>6P|NK$48YyOJHMB0!!0zt?TZ#Ho>F{v@F$8=< zz#v+qHz|aq9Sowdtmv31$HZRy0kf3Q`EXWLg@bwhCyq;Q^Otv}^9M2s9?4=nXgT9~ z4KCm0p{eTL&9n3b{_D%jN>sV5KtnUknYzTgpVM8VzmJ!{e#WacSww4=cd;MW{fq-5 zI@*|xW=XDv7CTTgsI#)BtzJc&U;M&v1tyyD^O71lQE$HI|ZPj(LkcGZEgfwb9 zSPSiv=kd?~=k4m6(?**0Uzw{dQsrMP#M*xSVf(*`@n}^p&QgSUg+_{H8P+jee(p=N zl~E&4TaKC(n=WJkNRM=C@!BW<6mUq61B7n}6{T$)o32=Yf2q>-64?5Iok5Dpe9F`r@?bZ-l> zLJ>DSC{&{0=)JgS4jnRwLOSkqfvw*n(pzKB(F#;mJtnr++JZxjykHq;fG`3xzcLMK zL~OqmTV`amsNWbro3ACYf-pSuOHU5YZ@@YT19<`j}4z<-2%c$SN(w}?3Z2w3;$8B!I+9dX2 z%Sw_;V(|Ae&~5J`CaY-_|2s_q{Omj5NvY3813%!fY0J;(#1OVQYQ<3L z#1FPbYR8W|K(q^|U?pQBBW|NUTw<`-H4>wJKSx}oR#CYaRv^bY7s9M1;udSh<7v-= z5!RC2u7@n|sHV3#>9Hpw7V}s&6}{1Ob3x|rH{WC7zHgyz{H;VCc`prg!?IY{Z?+`c zQoni)R!V2h$)b2(&1$To8c*~@(^)CpDJ0?y)YzVT|?$)?dYUpH5+Q)a>Ho+77~$ z$HYFR2h91pls_;=rlD@{!{}?BJW-?hA#~!hcextX9HS*@Y5O*P=l6B-#Bscfh-fKJ z+{ANx`;`@$EEJaG_!cu@bW}_ny>yZjCQ(ef?r~?3;6;f|_c0x@=fyp7Y8SmRTJ+4| z)wPM`?+YZb*j=n|AL+cXTdmbtgC6_n)f=!>Q!@5;(;b(rmmiDt=oxE{?|os_LZ`MH zl!vOLoqFlHRIj}+B&-2hZ1t)c=+I)lGN+x*0-U@xcX5gdJy|Y(JDHpf=;dDGL!hSJ7!BoTfN$qnc@zgNP3meO*opVxj$|0!w=9weWPJ z|3?p%vY^PKNY+2xVpe07pCS*EveW}~f4+vFb;DX`7puW)CW_!rJ@0v6XPTN~vde%3 zmhke-uF^s#BSxo{sK%ocn?&j2m2Ov`pC1=9{hvBuZLFiN_OAcrpMtM!k$s}jJF=u! z!|};GQ}g}f^*vP_KV2Wl=cRjg*wy_LTQ-=DS7M1gCYH7s@9kd>&I5#rs}t7`j^vXY zIAreZ=#p9SzQ@U!xMJ$H{kzShX+jj%Qs*6e;^k&P};y3&x)GB~!`;#bbMFk>Tm zgz~jtOxEp`E)8Glp7yBUaS(t`6cDtD%s~K7+aiL#ArDIq2(V#GAiRNqZMh0Qc2Li0r(nA3g0+!4o2=}>wQ&?Fy&b1I4a;&_td^vmA~&KrM$gAdd||=pCp9GB`l! zJ*XWT4+y;rMTrcRKhwZUEr|nAP?X7iu|IkKnb4sKl1v^>_O2FW+_dOwPxkf{5M@fu z{=ng2G%UMCjIt9lg+Woi7ju}xtm}86F$&qm^N_0=&ax&Xor45swjN30A%R!39!cgQ zp)B(VDU5W)CLagJ?6Pt_D8kg_z;sx-YGBa$@RJ*P6{_a}Gj?!D=sZBlhs>bP`!zql z22tKeC37l)g!y50kN~NLaA^`=D@a((GJ#Y@`AU-P9XG*`0}b@yjnFWo@-k@TP}lZb z&yR8|OGJ_DXNbE{vhU-5i($lru+$*phbLQ3*YFG)cc*0EUk;6YJPdl!85+4PK6(2u ztWj_{k51MtxQGC+P}m2<4Zf8Kl8i#IM!TNjzP$8Fk7Z_m;LwBFi0OHR)h=0j8(~-~ z0-4<}tuXu-o~`RTg4A)!`tuFJSvloIN3E{MWPYc|{UW_63Td3Y4y;h}N6Kn&CD(Df z-yZFK2VN?;$C(W)EH`77cy-|d+}SCYepp_pJfbdKfa9RVr9767Pe=t3mz2{`sT&XC z1ndLX+tB^*#odEcx9fut3dMWuW zpBye6F?rfJs)&KSp}Ktvj_x+QJ@$=vE zga?Wjqr61w^Atr{I50o~V;H*m2i~4Hd|(fD%P=WqNRY3h1T0TycdK5!UOVPTFw)q*l zhu71QL*4xFf@-F0M&7(!u(1;`cnKYmLcf6UI48kZ+ovmg^e}liLHbe9A_1r#oAe&c z`A1R;NtaeKbZ3B`-PopA6QG@-liQ!<5ArEjdV$k#YAm9F)tnx7SgE!w;KD;eahtjQ zd^o)jD}U`g+)w{g!iY|1aFUJ9`kMa7E~iDgVqyO=GWI=tx3z;Kxizj?ZN>wOTKd<9 z6aBsR?L!d$Zyn1K+`^5~yRd@EbCzE04OR|IjYagVm(H`zo^pXgLXYH6`^fs{Qk5#w zATEFXG09rRrTq_?LX-+FcE!pjP4fudS@+~gps^n+vv z0=sWJUZnTepl{8|OT%2(@mCcUm=10EFV!*mWRa$aof9C{uJ@SiW;K&UbYVT@qV})p zAA{(me)LFvsh&JwbtrFO(qas-lyp2(TAM0&86t{DFhu%;_KSxksSN_sA2>u7!irMi z6r3e?2UjLbo0(|D`r#gn1)uWRLHbc*9jU-0_hx?R`d5gpI7GP=yP`Y4mmhErMc5;U zj4r~Ko0O7jZLE{9@?Z+sN5`=Uu-^$#ZQ8!*56Cb-c%|jw<)$~1{otDZ-S0RFj4sv? zWf-TYjkM9*nUUVDJYq30GS}8-?J^^)s6;E{Lw^uWRCs;9ahCc`D#Csc3oPT=L3zXU z*s}Froq}2WA7WnxB_k}#A=V{S4o$zGkMD)M%~~1^>Zx_G(k~{g+LAbx1V`jh0|PKe zE!9%P(wvN%^=puYmoOibgV4Y~LJ0Py5+xZxo8im6;md7?FY|^!hS$Wy2PccudQxN{ zMx+Xl6m9KHW=bd*Dbe}j{?*A;jLVrpO}(GrZsf3hE9T{^7vEL&dET) zdy;?wSSFB}GsO}7DowK?U)5`{Vp zNV#x8JT~111de|xr?o>j1*77^&7)j6h8%J?v2m(+bUWYA(w&2Fd#rIo=OBTR#vrZe zT1#b1uf1N9g9YciWEz|Z6fOhcn3~RJcuR^UEkGpTaxE@Mr1!%7V1Z*Fd5-~vtFpnh z6AJ{WGpMk1(`zZmCkF!J&mluw?x4*}V{~X0F zNx7;{9)<6D_nDQ%im$^kPhs>r2h=2WcFv(xFNcD)*c~{k0u7(25n%hoaD&&q{gZnio`OUt z@qvme^RwbSf3lKsL?En6Q`p@wzRJaJ?rm!=8I)17ri0qq$C{8FrHj_zi3Ya$@&B^= z`Qw=`TjuqKM<1jgr5#s+78Wr{FZb`whxRN`_8wqSa$P7Wrf6-ydfp*4l%j|lyOWD< zbd43*ir_>~)?0f|_01|##Ssmpu8dk|*IyU(XB={H;L4L1ms1559G%<#cW1xPN2jK~ zcY3YHRh4lIi$PT<{Snpa&l;W1olU}jM77-iA=+wAEKjdR9ijucs#@laB&%`gYc?ap z>C<&UQ0ONHmSvPrqN+@nv#JyLtkbm!fUT~z1grZM6+jf5_|lJp z_tP`dv%&(xx_|l=HK+^E19kbxHL@6KSQd6DZ!OE3n%m#vN@nvbITA<~#&jPHU%coF zNLbq8FZb9*I&hr5NV?I>OF=q^>P%Y^Z(u9Oc;ykJl_y$t@Pcy#+v~=7anaKV^hzWl zE?#dKRWy}`eiMgihwuc@ju+_}x-dMS9TG&%$K#Rae!`nKVAaRG2N#VK*emHyki#X} zUeE-Ms&Tf4j@o#JCBlu9$756tr=!vY7cyt@_2qCx&BpzSK0$7rIF$<}!bCERVw0J5 z7&}Wz`?9=5P5O_5Q85p>%lkBHoVP^gE}+2GR1~t4xp4yn-4U=V=Vn;GWQJ9|!dUDV zSxLJlw42t?tK(Flb``P0pX;9)`ONa0Ug(kN9}YA)nWoSnM=Ak=eV0QZ`isH~p>%#+ zutRIaLl&D-EMpNxhD?0mOtB{3r{J5<8!sDI-k~#sFA4_c^#^ab3cl_@70V}mOs|JuW zEZ`gBV-Z#(y3{@`!IU)_!~+vdx-$zvFjF?cl8}O|uXTp9n(%=J696<{no~I}oqH<} zmE=B;z`4g0Lrx^UNjA-z39HTZdQ&^bAxb8rh-*#PtaXW`MQTb&D)gs==AY6~ZI$(&gG-WY2eCCcfJ1~VNN=hMswz(Bnm~V2EYFznM7JC% zzN%i+KW{n?WKg+I@n%M(_n_0+5QW)#bG^JRjt2IZnD`D=UvlR?yW0{~^xBKas+`=h z@29QCp94(x$w5+>;Vn!^Pdj`IJB~zOr`a_XS6e0l>O;V|-EAoJC}+i>t3}EKE;Wnk;s8#&~KO5 z>`#+e)F9kDk!4{@*K4V|4#t=UbQ8008D?MPVUk{-{xLNd<&j6|GCF&+Zz($c)68Xs zX4pNM?hVgT9bP&&91c)^W(?LrlUCRYl%9Tjtx)_d|FdDL6)0+ZIFv)8Jq6yL6`a)$ z_Woz!7Be?gWcl3de^(;oHM@}-TQ9J7!OHm_7kTNEjZE_0^q7}cRzxx#lU@>#&t9z$ zb-aeKr2NWIL^^e%s8!NkVtRFiZue!f-u`5nkp+Ys^a_VLcSmPSu8HyUV86Iq5~bk< z)hoU?krJ2+?4h`k6#9cuWy!|fyN7d_66l-<M7-lmVuvfZ+ z0UNn1*x)@Mz_2yg--`hS`+H$Q!2SrO?Jb#1qXrG@k5E^t1_+c+x6vNm;?0(7-kOF0 z9v0e?-{O6&p~7`5XL4t5h;CXXnsCgzh;(-oF4WVFCW*q`k{T2u2Lq^V1*4edHHMjL z?#t`mePm@bIsF1CeR3oNGTgr$T>bP^%!s_FhcvO2m6@WU{T`teYl4l(s6>M0*w1v+ z$ZxgFJH137%QFCZ^oyTI-;3NlQME*i3S^hk`g2G@`cZ5E!%hS|bkd8y*(@o&D5#n= z=nsi>HCT^7bl{9~``U7rMMdqx6C9pf^Hju}VF#Y5!bKy`TXvgBkg1(yth9L-u5X#$ zh^yM2D=HiMd$kGmt^Hlvgj_N2piS@q9HBJ7^x3I56&#lvt^rPEo-oUlD{Kv)#tEwB z!+b7XxPSvOT>g?#b!7)4F_7J`)3ZWJY)x!BJ}Z=<*2t>cNb zpbjuiY`Q+HOIHfU%Iwp@BRJVSI# zqb<9RBOJYDMd|(w(H)Vt?7EKd@|9)Y)m$81zP!vYu@|)q&y>rNB-Y#a0};8*Ca&-3 zr=3j(l30lVWC&m>$`E9P0ABSBpc#l&CMcPj&I|@k8gyHnq1!8#>=!X$xqtR)=eB2ssyi@Ng~@sotA=U2EzR3S zyihjA!^u7zox{N{CJ5C90>>!7aBiPjw5k}0tYjFCCrLaFY#eiK)8|m3G*4|)OjXrU z>~D5Bcsn=v#*O^xQLGNPP6>VQ{q=MxEP1J68BSC8>HgXrHle`tP=X>iq4bfvG(=I> z)8--dQ9vYy;a(PuL1Y=7g_8O0Hwr^{yrw4QbY@14D2+YIDT>;N(r-ec^DBcfp%-mo z>U^b5UKCWV>Cs^g8j?=o(p51=ZJ@VC3yx{CiFyf)Hm}Y6JRr-te!ZFN;T4moQ&8&Y z$-zXbGM5H}zAzxYrG71m%Kwo0>`t)OhQK~A!GGZ3qf%UB7Jv_{bJK-wb$Whwc5%Ce z($mY}z#(;Mvea183p-B;OW!+sTW=o*^O*E44-`tfGY3SG zZ@OtOcqbWNsHYtOVThGwk&GG6ED8{p^sE(pL&^(ihY`B>A6NQ+&d%-&HN(%)C5*-RNNNqJ+=%I!*;h{5o4lmJJ!wt5+b9BfbNuz)! z2Iz#27;tb=p6cunyq^4AQ=&o*u-RdEqWcH0#gGvvpWncCEj}HyB>tDF#eXM~s8zDY zV6VX0W}~f%b~<{oOqD)7rrE+k)wP8%8&mbVW^xqi(bj!OO>Ou8O21EbY_wm_SSM9a zhnY2h!WFvYgs+IP?G4BDx+wYBu-g1T(d8zh9FxU0N6h#2k^k52YYrq0l?mw128E7 z>I?n4yILU8RdH z$yG}wi8&9`Fvhi3W?izfZkb0ww4^8i>au{K`I`X(BiRfP4DM!ta^0#%qsVnLSwMCH zMGUAK2SAGf&i&+}$IbgL4p4nSuj1HPShd!)@4pWBB-`B4%QTSdeAz{5t)mDnZ zAZ-O%?RoTlcjG;FZs*sfLYe6XZ8dUCT@@5VZ`qu_Dk=uNTw2UD1;v0j%h3k_6UPtN-sVTCVAk_N_ps?0+ZR3Z zTtQIzbIP~79ozhpC?wTrXzQ0GB_{fta`{NUUHO~ke&vP!eqB~SgG6s8Dda-|v&%rO za2bW32oIgR3~e)qXQp^J!Ov(DMj}8kgHS*<2dJiimwp%tL%Zjv~#ypW<%pqJ3K)+JZLdDiEQ8K3qnt z21A=&958BKzwfzN_)U3cipZ@&zZs7OK}W-TkOdrt{JK!zT(c4on2`dYR)GU*zJQ}k z31-0>%Lc&7XrFlDbM(JmmD>sytUV59+T*G~E9_7{Ya0j;*!OJ=ry|)hTiLb6MBTM{Z3D^ZKRvZWhG$mNyF`)R>V#59Vji9NB}p?7yioIs@!t$?R;F0sOR^EqB`2Fbi;MDiw{AT zr9v^E38y>u*TbEx@n^vqt8JiF;ML`P!Rcv+DX}?xd|f_g!S1sScHX=0JYW_uQ^_J! z>LW15DoEHN=-AhYa^71ElTVYoYP>j^6;c4FUs4L~Tx}$UorQ~PRpI2U^o0xhuW@{6 zFOUMg^vVOOvQ4a>sAZZhNb+h;l1Tn%6PJGRQ%NDXqi{`L-oxOnR3be(LJ_g2HXZb- zFx03&(GkZUndLT??!AI24qqU(;{c-^!A5DWd?+iuZ z7BkRogsH7}`LQC7<&hGsyhsVqe0?1_o|n<;iA*)+Vruu5S~WC4k4dI1T}8NGlc_G2 znBS19it2FC>s}7Y;>ONpSANqI3ifVJJ=r++;wCHGHzW%hLbYURDF?g> z)UHmH^MSgkB@DWp)}m7C3xW((%UaRSO}(Bl==xxbTB$Ec%aMv|rGMTt>j{IB$F`^y zIYFe&VN?56QP;{_mq~k})db~;k2Y@W5~0J&p&$Goi_%S9!pD{OyAb||7xR&#WiB?@ zL!S;AmcibYTo`Ik1aQ!Mlt4m9BcNvHhtAE2`}ptm?V(2Wyua z)F||#9JOZZwG~Fe265NGtnMEP;)&Gh$Ccxs$5~lfGMtrF#UVz1o;2~vyT}Ss>Q7{Wz#0aHJesz*|d$dMTui&wC(rI+D(fh&&YE&QMP3*HzZcH zcAZ&i+PsR^uBw&B8tbhz)|+drx6)W|tg+s5{*&;Ic$}@8SJpS;5w|ju8F4KmskfZ} zT4>vD{*&+nd7LeqR?-XP5VvgFgt%tYwwwQ2Xxnc7qyOmjo3@=%&N!PW+p?A$5*sb& zzkbu^HCoPp{l*%%od23@+;aYt)L4_)LZXX}i-BkhNju%!uw>TTDJW;;j&7s zw`Eu>YwVP|+V)gYS9#xD*47G3xk#tfdg~Uho=Lf^EftoWU3k=OTey0D;j*??Sk4H@ zY#}k8-axdEq@6C(B$_J+%d=vKF*&T(pvmx%ppQpL6M8wf57KL8?X?>8?X}m++Sj2+ zkz1wdS;+T>{OCcWeC>DpY9oFbQzg^)nYC)r`D6@-1bu8fn$Ukl=j)Z|YgGP6bUwPq zRL!RRAJF-F>`IRmKe)D?;Ppv=pm#6mKYSO?sGi$&!M&vn!H}38`&~Lub@|hWfu3j| zPDGUMg`o&^Kv8=S^C1NolmL3@Ch~k4_~Fuzqjt^wt?zA?FU0o4-Nq-;_hamo+=1=c zzvedi<92Mj_lrM1m8ddjAKY8GRt9Q+I8^@ak#DYT>RR`2VujD%#!I3*ETb^=mvJBj z^oF>PLMkj4OyGm~J0^WVaV|>`=}9Fz$NxRD=EU(I_s=K64eUP5ZMyQ=EpK+y+F~Il z0`DZS0|iJ{LhvSmJ7j+^lrvH0q{Vz>h(amQl35dh5q!004UvB)TEsxNHz!o%pMJ37 z+*HPSk6yemq-~z2d@2=;g*H_b@^(Jev)dNsQJgEkJ$#hjCh4Mm$s#5>%l-dndmdjJ zIk~Kh$Y4qcK*lnG)g~L&By$UwRZ_Y$b`W>LoV1I?Rr*v%0Q7d?RDcJ*0CbYLV1B|y zGF|coaJpy+-TPrctsK|H=KxMS2YTaE0wrh32OYQ6MTGKl=s=4J=vt70))DFU(3o!2 zsw%S{QHQU2T{dBBQ<=5-@Z&S7j(M_7$8>G`N-eq%=qok(TDRUQA4-E~N2?WcaPBV2 z|F9cy*G0z!#zq}Q%l&o}uq?N6nAId?A{8ZkW*6y7K-p{$6tq{~#@`h^n<09L z$*o3liT82pNb=8h+g@E!{<&_e))nO+>$d62MOGB|1MNy*QQFuQ_XF)pS(KV~#r;6L zQWgc-mA(ZY*2S3YZDI_}3A&S_^fWX#S`&6k3MJ}Sde)ON7{HI(n zyQRQun9VF#hnzH2qK8bgya_WP)`gL&it=Nl3oC*}C|5UhgmjeLC%|3l(n1oI^| z8-Er9yg0~A+CN3-0EEtrPJs9r=%~?M9#x9xhAU?>W@}La6d1sHs2GJRCI$i{ z^+cw*gG2&Vok#kz_n!DjC{Fa&U+!60oI`Zk^h9f0K8kW-FwKI$wI8u-4M&;yasAWZMEY)9jk#z&%Wo->|blhH#lOvwo5 ziTM#w|Ec(WG!M-8kK0$4%fWdMy)`xd#iHm4mbz z5IGx%-~A1X%I|&RLgC!31*pZw3&LQ(76NS#A047Ip*$OW@G2e{QC+0F%EdCfFtaaP z{kg-rVD*=Q*bdD6ftQdOh-;(QK<>)h?t*3cDh4@oZ!NB3?g&L*&frGg4>CtSvTh zi&|p?x2ZKY@Tyv41Fx$!Hh4?Z8XH{EZ;g%ZE*p7wuiM?m_tr5AyZcy3lJG0oEnoQ9 zX!bmgYM0FH9$E5d;v*I|z6{HWeuYgX#a8$r=~T4|odTaq?q`aFBcaEZXTI~oC$<}N z6>WE9h@h~-4zr6cnFQOVzhb!=qWzW(_geuNo)FwRaslId=zOwpT9uk{fKYibV3<-c zsS4A&8Zga;dFgcE9mKs0gP%TK?Zjy!$u1&y^I@Wc!0pV~6|@Z?%kG9RUbyt1YLgGE zeJ7#Ok!~twSnW)G1WUDdC1i1C)}*?!sy!_s!8H0so#=@d($y@>@>We&-7SP<H}L_YS22_h+sbeoN89X358~%&}of)r%UGe ze$e4q2{o{80OzNQQO>YgXk#-qk#S zdkW{VJl0(SXvLaMfTr-#P$=xm2{hU~5bKH>hpLJ|!Lbj%i!2)4)lGYly@{wJ`^X>L z19*oZMObXS@85%Er7-9bU#eOY6GwsZaB-T#RvDFsu%N5Avh@SStZwdfXOW$_%4DWE zV8blMY3ng}(0|zZ;Wl_&`7)m20N!EE){0GFLED`S&n5(B)qapanb=ZLFmp!L4DHXS zV<{HHsbtA5F6NF5=t!5?6BWCvvHeWr5jyDbRb9Ni6twEDiM~1<~=Q`@=Ho^mP(?7cl*|Th;!tWiX_YX z5!w&>;!f_^^}EBC$_=%AJNAL7?ox}-Jqf~S4% zJw>TxQU@9`&GstVKOOSbaMnC2iq=Ek!Sy~|?deQ0&O0*zc0h^00vI#}#V~3KhkUyq z{apk@nUk)))y8{29W82>=LkI!U+g!J5xZWbiZ#h_P_=%3^^cF552@^l&DMQp_mU52 z%Lt}b3Z@_hkzhJsFc)6qu!ddb!ky56S?}>z(QCZ+A4a7sW{w7LVnsi_`Kw3mT&YZE zr%+ahi6$t7E>}%-K_T>df1>;4<@K>3%4?7mBzM#<@CKQVZV9mAz4pSw<+L;V#S5Re zFZ)mYduk3$aOD&)y*O!ND@%vBgD2{ns$bCBR@GwNWnt|38IAog`dKt-I-2;Lz@y6U z0?vE~a|w-TA#WRaY)SAGzmO|t8FPBb>?S7kF?!?B_K*d>^&cMtYI~1Hxb(is>7lzE zpy$eMLb?T$wWP{zSv5)Pi}|a*6%DX#;)s9 ztE`@DkH3#AlHBWpZ`K!9BY*Rm(AICv)GcPtn^<=4cnE{{E5ScX4a$_>tQlI?_8(*? zXJ002N1f6-Q5F{Y_T}M{)z70_zIpQZry7ESUio2yPE_V8dUUDAR>e?Av$E#Qk7+jr zo;)xnmJ91cnAA!p^<$XK|F>R0(2>s->!jK9kK@WR+~``Gg0GLVEH>vSXVXn&ZFc0r z=yyBz%(WJuXXLN(Xw2=dj)E36A6emy>9i8i?p*WH`*7J|#@809430xSW`rVl#o9&d zU`b~C6W&h$(8ua{!yZKa`ckb`H1A~0~m$!YT244UJdJ}`W z(HTsS!c6wt9lO1Ie6k{f1XrF8klK`o_@@XGTqv-VE`y{$E*}&{RM+S_lV)_(`DiLA zi7qSAlDfDgxQb-WI@avk>Wm(`bP#TS{0!)LB$_%T&eXXkj<@s3B>E|Cwk%L7{V0o; z0|%WnA30;6bgW^auHyRu zy}_29v>fDnv?2HLjEI)z4Er(!uA)V zpkEQ;BTJv+vy+S}0{R^h1A5M!F-WMOigiHyOBsVH!C(p*ked}Zc4s(r+s#agSqvG<4F_Y2_i*RL*-1 zNr4wxMXH@QYE2DpP*joj&KotTrZlYHBoBMD+Ep6XZj$A^S>?ig&kD}wb=!QfBzep0 zlNyc2i{5U$7>(u>^*}mk)TTzGQL48arADKQCO*NV}VAy0ftFZnXvV#B1_3>q0FoprN4s9?*l5wrpq?6tp>0 zLE3nLDrgU-g0$&SG5`5V4GhJ21v7DPFC|wZT3P%a+^ZA9Qzd%3(W_&{dDNhfU}~*b z%a-%FL95BBE!lV+YS2sN)Rye5r`*uSR;XRa((;&_H+C(vz@u*7*0shdhq-xE*D^~S z>Q>{rRZF)T*6mul)u?XO(yaz{jh3!zRd?dbZc7}cwF zQ*Ll1CON>2bFEo7S6YqkBsBke-F$?@MP+5h=lGkd-)58_=o^ppYTrvr{idV6+6$7R zZ#v?uT_LI3Z#?RiR-^vd`I?S=rPatk@;4s+@L4Yqz*+_0SKju8+^Zj81K@Mrx>7VA zifY5o$dv+jN%Rh6vGKy~(hr~V$$&UdV*2oEtG|g@9!_q#SY7tJSlz4lSAX+Yu<^N% z!cF)Z$6btX7lpStr$U%%9C8?6z>c2So9x{?adZ~(1HRfl093 zM1Ex>4$?l1-p0n`fIkFamfi6Et?=yuvIN$nw~U0DKb!$dmHcnZnSCyP9lfTsU;Oa- zX-}@a;CavPVUKO%_*>dkg14FfW$tQ|8^@9CRS^4Q!j1{MMC!xR?k|d@WmQ?S+LEi? zT~RSX+iaWDGU=kE?sEOw*uBMGXKu15S%9Qui2@#&Fx}pX=$LNXc=-S%5}6>7*(=J; zv|#lRp);ZY!aV%0Xbsk|NRL%iKiRqhBv!Bj3)q}&zP#1rWef{3Q+W>_oa91i%|*?^uBjGaotJwelokhIdT+h^aTy9 z(d-J6^qonT2eR=&{GX-31x}>~*UoU83S8hURv$ueCoR_i38QJkrp0tnn)EP(D_vUp-Ba4}INiD@1;^5v(e z0Hc!Knai_Y|9f$nky+h`|9H8e-%x-8TcZb6=xPV~|5{L60g6I;EvQ2KQ8suzXiEW# zqHir|TLFrWy0xGk1t<#CwV)>oP+$Savp%<{vUVpum~6*AV^jVgyKnPEwz5a=IDb_D zg2^=l1apu9dh9d{+7t)kFF?RvW1k1bkrF896IW_zQQm?<8azGRCOk$fyMVn- zAz~O^&6CA~b04@i`{LSP6%a5I+CW(B%hW1Cz;Yk!>bK`fe7|^J=*vEFyo{1<9{L!AP+v@{@qmZwu$vjw!7+jY5sn;(?2t8ujO1I`+jEd^f z3K--{UdXh=!Pzu^7YQ-=s3wnWdYm55cj-IGbDsuJPY)vc-zpO=D{$iEv8-=*fNOFY z@E|s3mnW=LiEq=qg>vF;xU6xmS?8ot0z#q0S#ZPM?<_ynzEU~ODyJdmB9&P~|$X^MP}sc0n|+t+IO#!FdL&yGTkDKgO#D%tQsQ zG`v#?K#w!B_O=Rt7Z2Uucat;{YfQ3W9hAb1@09l<``=EBK8$W>6Xu`$?(FhnJangQ zINp6g-bdzd^6>MQiv0gwX?TYKto=mO9cbw zd}vQUh)9lzhzbYMJB!LOmi>|naKMohK?V^G#F}Gg?46!F(=#e2aC!KIP|-k)IGqef zR5%bfiVC(wG~kzAIa&Ej5*!F1CqGlWigu0>cL|7Szyb^=bU0KVcGSP3s!0;qEWkP4JfT7m=Tq+=?&*Mv2;8sf&%>EZH33bqXa|$4e^l=@^0CJQZ+$#0 z*{}OPXgVB^F9w&x8B^41=B=}?v^!|>vJ-H=VTrnJ!-4o)6~su8vFP>VQC;h(;yw?CR*(Ox&;IsZJz13n;^PRTyR3IHkotE_Iyt1mf~9 zDuETo34IqCtfC(e$%>t=g6~nh6!jpd;bSD8-mh+je=PCyO6V0n3Qm_n>ZQSb61TdQ zs+YOYf1UHt!{g5KQq*+L4viMlAkRgI5T}lJwZC*-*!*bodI+5)%fb0F;lIf8v9}u^L}G7SB=NS7p2RPkwy5(kVx86? zPkcVG#cq)6l=y^uNFav}kKdgfy023gIgf`Zmo|kJaM-t7N=1mRmb()vdQoy2g6H*Qn?$_`4~RHiU!JYL1i? z1aTPm|A62ttVCVmoPrq+=W1o9qNUl(Bo`P}Ky;@;c02MF4ugz=X7!jb06Vpe0eygt z9R-&2+H@H$jdP%+Ro50M<0=7s{9RV2w14lqGF!Tjv3=DjM5(A1mAY)))1abzo8g>~o1CL{~t#_~5gMt>_QINvF#!rxO(5xOa4q%g(anQI4m;=>IkP*;$2?_#+PJ)bp z#!1i7QBNZL=IA0=Kd9c-ay=uN$6eHtC)Xu+@8&N^)kFI2-h&ozxWTo-A zivm^3N3vT$^teg_{+g&t#z3=DOc;QWM#exBQy~V_h)O1&KEKBCluW!Pp3;e@L{l>H zngy>AU#lxDqos+Zl(g!K8)Td`krbS%>T#4zvL=ptkI~RYQSYKS`i);jtNz_pMozQy zzb`pMOHkw9FJqGN(FlDBqrCZct8i^E=0$F@cV)zMcDFuaDpnc> ze|QsTlcu;xwWmBH=+jkKj{iogA>*e}-FN4wQQf-uVbzrpGg6#dRaXx73@bd5sfQufUm3LuZ)9qtR^o+{o6H`PbROL7X7%tJpv53fzLowu>!bLex{tHz zgnbcB-G}JutE&BC^P>eBlN}6P>xd8k^^rdtR)4F0KMC7uGkFgbK^bCG`v? zp~9|mNe#6mO$OIA*h>+)m+Hp1a<9yHHlC`VA zv|-B5to=Ic7n{1%;ksB1`yvwEIFIe7+dFAVp*ua~uJGU9%39%khvK)pd0~B&y2y|2 z!ew-uJZ8DaO6}IB2lRiqDes_&VG9%+qKuRCB)DT|Tsi&>_M( z*o1&#e{xzRJfS@OMNm`*_6Lw_DD_%O3ekuy$K zO{hS@mDH=Ebm7>HEJdcQm)2krIj(zj=|=uU(G+}9%9@q^mzS2n6S#DJ?v1G$g5&V4 zVOb(dsn?JGjN;AFrZ&ZvkMeank56G5X0=mR%P79*?a$p(^Q;d(+$6%0Gmz&wD-}t2 zK?55BK(iERKqCQ~tv~}G-2hrsfd(ugKx-+`fU5`4+6pw_odL9t0uAgG0PRGIW+D6F z%$I4f4_A}`VvYh4*$g>iMlg`;Fsx?=@#I<+qx%X(Lyf*sXtZUh(KiZ>whT4;MxoK@vogd}Xf!Iw z4e=Bjjf$s3JcUN1is%qeq0y+$ImFx5=u?!nGyiTS$}Sc`{i4)14})y%!TCqyq07Ud zNt)dA=;|@JnTMNG0+p-0g}vDPs7fB->hjouKXycbc1VznRux%tiy|4VKf2_pO0>R% zZR4r5ji$1KysTR`k7rJm-7=a>l4#|S>Ss{HpAlkvy+md)xHY|Ax+MKiFe1oOqRrDz7+ zi>%ph)$CJL8sYQb2BHdHl0Ig&T#D)l>rY-Kob|Uj_;pHN-+Zg_W_pXS%5JA3AfG%@ z2Ky#H13nz*s`xHYrjO!%*6hf= z7?s-O->a-H`c&$TST{eO@U0Is>%&J&_QA<-pzj}_h8NdEM^&7Nx2>>VH>0q1)3HBj zDS*J1Cj)Z7cT_;dbT#Z^y7*qBD-E;{&JNb=#q~Pua>#m}M(Kf+MkXq3S5c;Q+_PsS zq2Mb>RiVw}Zi^-qd@QLd^yIkHr3nS!R4NZ|`?%SmNd-@e)KbIwJbT5I%N`j{E%-!D z6HT7rF8cgW5>1|FWax+kPM+*8s=`@a_UMXFHc>K&TxpV<$22YL>Wa-(mfSfeDVc>n z;8v7;I-E>R*O!Gp`5MTlE;0*!BsP#wU1=7&(Mp$3UTqe7tx1(nUvgIC_2zY3JaOH@ zPoM_kD=j|$qbgycQv4u{!!)|xta_Ea3XYJfr6JRUS+aPDZUT1cwi}HXcbxx+(uYHz zjHN^1ov48Jr?*RW2ECIPZ)NIx*$*^Ms8lZ1sBX(Ol}RSOG$6(LaA0#(ObAX$prVP_EFMXx=^}FkZUsB45gC6c~)grrb`9KVM?hR zk$&@dN?$)cs*}AhldQ!(s(ZaJQ>IH6I{9?cIGNwEzp=~c_CZ`RccZwtq#FIs29Gyq z{C940%=+Onjl!D+`?OP+)wf|W*KeyRO~d(uU51M=NN*q5dFc@c2grv6U-!FB(wMpD z{t^E(X>%Li4cav4f2L>-Ovq02zsuTNZ5xQcj^k4QkIoJ_L~T4`VhqT4?)D; z$lvC{WBJ;2xy~~OtKf&ttOony&Xd($e;)h@)2|8$VB}_&RS5!21!r*}vMU{V-eDCi z8}-O;95ik222}z={o+8KR#hO>JKG{K0!CH5qOP5CE4c9J>$Q!O18j&|#G&Cah`Xg&!glt7R_4*>)eh7)jX}wmYQK;&* z-J@Ce(|V0aqu6EWJZknsig}^)cpFun zP3Z;uZHWE8po987Sl9>Ag)>{};wr=g9VdzJb#nPOQ9jrn3G%Z`WG3AQDoqlfn|^xt z!Cq)E`%P;1!L1{c*>6(24|ZUK*(Y}&Y`iA3PwhTR211aZU12onKDr-35}$j5ySYL<@G4B!9#wo@mhYr(Bp*ep73H6uot+zR zyq(w2ej(p*=S6`jg@EbS+j+h9DdZdOy(s)M(EzIbL1CYf22c%92YeSW(E#cIoPc=K zNCT(?fS#sN2$*ibCpBq+@eYihs!<4-Zo%li8b!YG9*nNt8`%KjE`+Y&8!bVid~|V| z)_?sr+(ef<3Sn(U1dTEX_gCrs`OhS|+rJOiLRWD=2lGF;sN}b$NQb=J4qXKMC5Z2r zKf-lN=FL4!k(*kQM1X@;@OOVb8_t{|n?;i}X*af>!pNao6`@WVrE6jZf(5T)O0l%+(ypz@M8Nu>cJTwq8|^*>ToZaFGnf}P+u~QoQY_p03#mNc%!hj+nORolhpM}Fy=p>hn(NB3N;@$@xMh)lGwrImu{EaEpbD6JN-;) zjFDlz`2Jgx-m!5ICr_dv%(i7Mp;S0L9YwLYuRHqPa(5fUZ1mGhHi~Z3gwwy}iXTU} zCDD08bYWM4q7B*Y%ery)jPM2oYJVA|WRg2bUHNu8PjEw6NeesVG z-;fq7b{)mS%ed!w%WyuA?!}`F-D>Qhz0dg`1$Rky!FzXfPw>U?WiSuoT{$PnmiE&i zifd&hJs#)SjR${*!r>JS|Fp zpKt8GMNvU6Hb2TOwPPVKQY)r- z9haS+?fhJvrAgioVMZ12$Zh!@Sr<9RLy!Hm3gTt-ZN)p{ zlp0oWrSjH`BT=U5sMQ!L5Wq0+AlPMy9vZTB?9+edTW6LEbM1cUD*yOBbbjLobH4M7 z=li>D(BMy#d3497%U~JG>krA_>Gd{Mx~dqAFHLXkjJ>bSK5qY8re+7{AFV?b;$rio zT;DDD?)$Y;oFe3FcPc&UQAlA2vxz0v()495Wo?8vcN>ahLead$26=Jk&++$Y|1fP| zCma;_%tVZ^>(g(!Z{qni55T2voKr+Y4yu5Wy;j``9$o?yd12>ro{H1#|^0j~br#Pg|Wls$9DXv2wfH1WmXF!%brjK{uApB|$4`))Adpvdej{4I=__|Ne`RiW&B z=9N@3KT>PL`!uqRO0-ZQ5noe@7Q09&n*3=M-tviLKSwDKrWXsw?cz#UJ>{ZvE1cT; zBffoK9u3af`OMGq9X~2SfEDE+9SDL#((BV}>EiCAi0?BuVbf?H-6rv#O82b_{mxgf z>R_Ue_ONVQT|M$0@n$s-_Ku!(B{?~Gt}iXbZ>=i(YrT)o!u*kcIq+w`d-h^D_vCx) z^Ft&*jM6AsFuT!dvV5>yKCinY?V|IWVH_umVv5{k?}Wz9pZ$yTM>UI6KGMPBnGID< z7n>gy`!Kh&72rg6H*q$4D8ublqa@|jGv}lwRS87Z_N_>PkV8wVRWm8%j{nSe&!zYl zFi4Zt)4^F1-+$u&9Lg+@>mZ*ex_?+c2Fr57XV+PKX829_?Cv&j#X7S7I3k z&M@1$k4p_Ji2ON7Z<5^)IUe%-e+d`Mk|*sU?|hVG$NmrE`-05&m5?fYx){x7Y+5=v ze`$!m9>9h`v$BRwRYPzXlQnFs8Um*@YuHgVL`N<~9~CXpIpexzDGYpRs~aHER?!p$ zp;=Q~+4L0LW)V%#ywUK3H(}1|E=r^jwpN$A4d%!9Q5i00fL?3|hx~i4%Pk%S`;4GrVBKv0G|WoNA%Vev>Z$eI|9v z&FVbNt74R|KlwIPiQ55_+THKcJ8SKRtzFT3_|2*~WcEfI3Q|7IL`O#BW z>ANww`CzvPH!LqG8ZNUXD?@)FS}!^Z@2r)p(gDymV1sRv9n35-+Qamn_ChgI0wUs9Q;28Z@zoaALg5 z#$&G+$HFlctJn-QE4^^$_G%E%4nL zKxe&!z5Dh?7BKURn=LqyppA5Nqh&eoSB{6{K!P^Lag~;&ZJw{r@#)=Tjw{i*Ur}WU zq<|Y}=0k7Ezj9vl*-I)ca#$-^Py*F+@9E7tiG^<&%q-n+y zeYfVu$9kf8m?sha_>)LDdrc`oCru$nw>9N}4QLAr0sCMCD5?T*pIseHK%e4Zz{sx( zrh|tsWVV)6G;j{yzPN*f{_LsZXziUZWFd_P*W)&O*B{|wFg`e{8(DHA`|b72?$CaC zm+dopeDyD9*Ez5)Oc8QV>H=560J3%ZapYlxN$1}NSD)_G*~x>m7r12~M9I)44d80e z$pc5i)AAukpWIi*Y*As6-ra_R15N{C8{mm=y=vX7kxQ zI%sXF@SA|R&l|u!x&SCyizTzr&pM)k?jTg@An3D>WMDxcROv9>vyN!U@Q8>G11*b1 zE6{jQmb0;$Thc0_u>~)2mdoX+Po`dDdA}sz5cvlW#E(CT1OycTlc7rfOTo;-`q}zH za)AECm7_|P??MzD3}u#Xcl@dZZ^r zCfsL)hsboc&n~w*c^1$XT9`%DE9$cV%xX`~N)R=>63_x7R$Z#*9P!6!YjKuLjV`Lq@{V z8uRt7G-DrNCzuBxc&y>^S%eJhUcCwXy#CXF;ME2m=L3_k^=@U}3=OrE;Q#O#0r!D1 z2CUIuO=htUmGlP=Qz!s5z$E|StmzXVIkN|z_7ni47QI;tZrx;kXw$!5PQexP&^@Z? zjZ6pO+w|P3^uumv^Jb&bst<};5FW0E#8;@W)ATheyoy03%i(>$p zqZxeOdl%kPrbwJX^XA0`jTwCB$tv%~th~%CUZ1MWp_-1S8AR92oU{0gvn}yi9KiW# z*48Y2G&etc-)W>$fn(_a%*bNAxn~D0-2?TQ-d(rB8)OAnN*Z*{HFb_pr~c{WUvmDU z12FqQ;0nJz9Wq4(4%;{O#BS4u!P*zCxH$A00>8KcIpU7oH|N{ld2wm9Q1H$obW&Gv zUTTCcyCyWFGdFtQN90FnKH!uGl#?uQEssaG=psU ze&PIh^|48O!AH1;FMOcfDv#aS%VR4=7yANwgQh5 zZFg}-vhZk5c5Y~7%Z&zBfs{sr47|-MR$!6xc-Zwj7%cBb{jHE8w3xXK!~3dzu!yDL zTu_fCA$WfiUEZX3-DW5&!b6!28`1HsG#bx5QH=(*@)r(j3XJ|V z>2oJYi+qa5GGMtyXo+eBFd0M)4#ZHG;`U0k3&PB`B;@^!ey#u=^={1w6x9L4RE5Q% z*3y_wyyJ_4X2DNop2DC9xT{5Vd&8xhmlE6FmM0iJ*=Jm&1C+hH8==~}w zI&jz{E{{}t_$r6kzM%@gtgju1l zaG^4meIvA(@OG;TOLmh^l;s?mKR7+ZE@L5X283BuR77gb0(*~2-8dY({Z;j`tCjbe zUy)XA=t5!2OXl*QjhQ257@dI%`4dl<_)yv{^YnD|PWekh(-ye# zTfWk;x9b5JM`!>3CuyCz$$BQ8;h*eu8(7c<>hf_m-f-^cELDI?7)f=w?k^q-vZk3r z$!5waXtEGc?)8AR`ZSAF=-G-={6kI!huFH8oi=uvm^kp!8A(CYv9f3V|zJUcF7WQUijK` z5(T)>f0!zBs~o`wjQVWNQeh3z@3XZW05RRt&^5g3|4|GH9gA8fO?5D3fj)_szB2SW z5;TrB4$TnDNu*55!Xa~xcVvn65+>#@YpFUiG)Echv6bw-*-qQ(LLN`{VRs^ZG#4jX z_%aCYX;3mdGHo1*86ie03OAjbnbNFHbQ|)LeV`-daoI=moy=K17&1gdv50)S+Hd{* z^Ut5si zWExhHWvF474(XL!xjQbklq=A1ds9oWv4?zWci z{>44`X`!Is*1u2bH3R*5ulo z);ParibR$ldeYCEtuAcZ+ z2OY>P_VtuGS}7p{K7?A2NVgV|+c(HtuNDz#15l5Mq1>Abr3M+;53v@RIsMJS{qs-f z=pD(=6x^l_qioO~P z4&Mo&2ctS!{PG}y6Sh$wXV8i;WN`jsS+&Sg>jh1ncZX9R*psmG7g~NiGmUPSg8&^= zc{`5*U>QrC;=qc-zGJ?`zkgJOEYF;7_YV#fkgKv1R2Liq>&^UpqA9-3XYbWducVR) ze*DR=fl4gP{4oqu3wuCeH|m0WFF~%jfNKR**3p9%l2O7HSlGp=W6S21F5oGMh*~+; zHvRmu0V$+xfNlZ(y|aBeI8WXdS+4Ir9m)S}U)W*K$fEu+Nk|pkVMb3j1UNowjqbkO zeagHXp{U^2pzl5JKmX>rJNMumkGahdDIAQHP8T}KShhW++(~Fl8+GdVnT36f(t}K5 zjKTrwK$}bB?D-cbjt9t{5h-dP3cDGTCF8_-aodx5>KboxI$Z(}rvFL4s;tC`aEi$+ z%!g^zO`_daX3ws4z_iHYm4yc0`GEH6<6>GY(50+E(az?`YR^aQE}B2nYDth7k4lGM^7vP=z<1siD{}`%e=l&WGn|actglGYa>FSM=p!hsNz#g2IQN*c1TBCP zfT%T`oaj-+p?8+%Sk;1ao{B(Mq#$WM7~ zq}Nf!bR(b#J$Bv;CpyW1hF2b$4-MQhD^~P;E~hMDqyh>o7!M6)UimuJiZDeg2dqV- zUO-m>*!rwkJcyWM+^EpHEeDHQ?51dWan9r$muNLj6i5+JMkqtEdm_$B1u}Gu-`UkHH z!1d^GLa!YbDmuI0k-;esT#lyZBV1e_eDfwLzt1TT&WEhL2JwgX!>RHd`OwH+&t(aH z_k4Qm_)1Iy*;J)>Aqg1h_@Dv|&}-K7o+t{?t$*|OyRAdC;yQcp&ja;vxW}n?f)YSb z9+)gpmkR=@CJUl*K&nl%g%BMmjY-5~OdxbD7nA5fPvI@EN3}&Psjdxm^2$| zylpBz`S{MB)n+*+vPUqq=q?-+&@)UE`sx-tg$dqx2wp|x06}Nb4Cu2c612b}2;<}H zm6JF;Mv)~QI$NI%+nD^Ks3aCD=@k~0F{lJmRMAxf4Ijsx!Sn$IrX2~OB$-nZI@t?K zVopiuWN{so6k}hiL#l|vqH1YTmD6zG8!D`%MugsDjWkoCZ1|RnbYl90=(&^Jk$eiq zk3WfAfQdtQpj$^{LhtqI1UOF>R=^X|-Hy7?r2U$5hqe?X7+8u9Fj%Z6U0LbHj_oOg zvQ$|cm%X(ddWoe{ThYP-r+TwZzb#9{&2oXl;MZ(ah#R~6v#hPlMVlt|IK5uHEm?`g zP76HI(Y{{^qfR^E{B|=ss5LV+SsDaI5?D+3{GAjo2u(=R2JAsdk%q*IQKY}zo?c(c zzst0R3$z8;$D2?IHMOm&DZu_wdg{=8L@YU?06ltM)22n+t5Q_~Ca=GDb}n_ZcF*lm zp=L(j6X`myuDe5)bA5VdK9cE7R7qLDt~(rr$-H+o){XgPeGA{kh%5PxEYP-XbMN>* zPg1r6$Q@{dR#$q^=J-%jvOj5?CG8JwST;j6eL7?N@d!|BHG`=+Am}Z-G|j-s&uqf>RRz5)oB$=QNUFJUzDxM)kE?S{kW$Z zR+j@7#)hV+-F5E@^Xf<%a9CBF*O(ZjCpJwdRG5Zos8B-u_T7{!G22nA@zZd)x9#@y zoAO%?vBcqaAH6Uo#!>ya{g5G(RzrtDiH3tF#Sb_#ug))%)TXq3WffW)M=t;Nf39Bi zo?y!9S(U-$twC~3%SqkF(lX(!0iCKE*0jA@nB#HU4@H$VXchf1Ga`q0_k8lxkruS9 zz#^JhM+L7YThc$~|T6ZLv(NA7XO`|pGZ=q}_##G|oTAz9Zn2|c{JboHN# z{z?KuNBJLsrZG!q59feF9w^53PnU(9^xrm9K_w~%T{U9I%RMrV{tu$Ep?eIr_9@<2gSxu4?k``G$yn9+W!mE4 zM=~hLK&9fA7dnm5Q>tVrhvj|uvi%nhjr+|U-I=q@?}L*8+yNH$=19?k4$iE{G6>2I zawQe^@d%d8_$9Eo7OYwZt1wt*gvDVsNsMiXNc}D6&Y5%zR|vjS3a{jpk(1$<3Mp$y zJ*S%LLgX?bS~dN{QSxL9xA*+mT`pNv1!ot!0waarE-dUK3Mfju98!qrY6-B%-fC^i zI%=64tPmUX2?c>(mP@0&&OE%xf2Q-{KLaQZmVsKodB@cn&DRTr(>~W_GJ(@#ahY-z znO$i5{L5ql)8AhsQw5g^e@%O;H)_vHGH=wL6=nYIW2Jke@mZx0b^i-v#r!YGv~M&% z=~ZZpCRVr}z00Qx;^o_k$7IH=CVnvJ0cXtR;%9;QwpOlj{P$a7SyE$17zJ=pDU)f> zHf^jUBG*2$Po;7P;ZcYsK_2F1a);~obUnXcZ18X5eJdrrfk{pY7wuUxHu_P|8Z@w3 z)A>-BN}D$+47h{8jWAW0Ln{S3k(COQP5S*=+=1=GsV{Xh4-4T=3bb{wt z#$Cb_SLX@c*w*KnB&O6;Amr>;msqZG>vC&g?*x?gYd}n^L9Br-eB58o4q-zxs-UT9 z|Ad^ompkVUiD|O|>A%m?)M59xTACUJA;-bGow5DPPxM&g;vc;OIQws4;Og@MZm^q82K6a5Sd5vn9Gud9XWzHZ>*acO$^X(6 zlE+hJGO|+p_>AgDQqjRXdhL{w#HHg#OT~_+A!F^HNwWlhGDB_LcEyMr&DngCx0aj_m)pIei; zT)5-ar`KdkFSUR5X*HSIMa*7ZW{T3_%+i)6oiUrTV3{J0;!M;gCtPIpQ^165?-2dN ze1G)=W!)$H+2@5leOQql;AZQ3-(7?y+^wuYt;unf$!*%&izK}fpBt~(I*r=2)727f zTCldgPg{-3&De`W1IYhxU~}m|AD;h3$eL}M0=SCU2Ie#+R^^E;zvR*)5t_)QbN3^E zMdHG+Y?|lFNL&N772Y*KvCOg=Tu3JO@~%iGm<7F3JxS}yobDM5{x}qu8Yy@>AIf@J zEk8!Bp_qV!c&RYC)2kw?%vx0vrGvTSna>0r z?`{1ISfFFeghH|`8m=_8g8&Af1u&3rML?DfjW}zPz&X4AX@6y|qC0o*yrVtMTF4R# zIzExG%|u2dL_le3sXivR%-lb>yD6*S+h1 zluxI{P9pWdw+I&Q&OE#BOE#Z<9)xLE?tx)r5g65A{$UNZ2Uco$KK-~n7kW_jR4Cb$ zVVd?5jqe|5vbWuJd&ws&qX>Zs(VzfVnjvd!J+x)rKm&V)9|YPb3j9BFSKFL6vaJ8ge7e`ET>^SVd=wJKoPbS` zLVVWcx+Q~R>jaPw;KbQqe`oZDBs7mk;3T_M8{2|;x~He7yJs}heHuKnn5q0#<5cER zfq{&7s_-YGqoI{L>Y3;@){}vEFS71<22N#fwBzI0jx2;;A#o%?G zC2I@W;enW0b585SK+L9HU0ClFzCkqJWFUgtAlkri~uLHhqor;gI z9Ubsb?tq}tKNVlh>N`X}(J8{pGC9M44h1pee>#Orm_Uh{q7jWOD}uGQU}$-XmYd_Z zp->n6oKK<7UNZt!_F9|*&eY?-0SQYWd}dDVJg;+!_9?O`olgY-*ABBCu`k4>$XenC zEGC46fh(XynWSa8tr}WOW)pbkus`X)hKeBTa+f2LE^*{jWU3hZ>R zbNp98i|SO}Iw{d9x(uryI=C!4=v0aYM@|>iDKW+bbxMpgpi|j!)5ygrYLvim8}(x$ zD{@<6yB#x!{tCE61(|YKiG8lY60pn^p(UrbIfWCQLFhH(xPv%05-l8A;fmGKNlu8bj&!SatM_Q5-&w`@K zuEwj0i6Y)gei_1v1uB!=Y-peATWqm-Wl~K^z~S<0uG4b=BD}SqYS2eE`s3nL1dJH&sx_@slg}@1V-7Qbc|-BF%TK$Q*gm3=bSkQ zmvsnBUP3GESn?w)iajE)o-N9n%3VTN$PRSm#D(VR$W7b_ti(|0&k>!5{SlH|x~Mp# zKR~ex{W+r3tUoBNWwg^`r9Q3LmpToW>Q>?mIQDK$for!VPDZYmMYfJDjVu7I2^!*I zJO;&_);R$tgLwVbPzE*ed4!xryg6(bIY}r|U)RAl(B|5RIw4b*b`AF;bFm7x;heAE zBeSxQr^vjRSCMK$om6cm$I=laAlFU$&-Rc_&ClL`@w5ydqYOv1Gf65UK5kv4%y37O zscBU;m*I5^*8Jlq(~g$_EHl#9i;nN&?NJ$Cg~&i7jc5Q`vu7N2)S?5FNstSrK`6GM zVpxL%($s3>)s!rBZlkALF6rs7P2Y@Abb(jE6kVx9r_rqvy`52Mfcvtk$|;-?9SrK` z9HlC&PRnv<5;ab09c5LNGJZXfj!$8%>qiK`49J0+#9T&I7M2a*wL#rHw5w;JZq;r3 z*rt>ie<>~9l=SbF)_3<|ye`+$X8i`Fizt+BIyg&02{k;3h)< z-o6}N-f)Qw1bT2&+lB9KIy8ht!-X?ej zHxX=jdm_4`_wh*AX`{H4Fjey8W2;y%jHJNLF>qVvO^GoGdiCk{!N33?* z!$a{-MUEO!q$0I1l-in4O%L-Bz-37?Uo|bANSOCq?c5myv>GX@@-5Q9q`W+ zzOq}6J-R3H&l3oth4L|>*2LdF`rDJ~bz#v-O0U0q@vqGrhxF$TvCLNg`aZ5!GxRqS zd6kpll;HmZe$xZOIdOWES9x_TXp4tQtrY7xwYU!HR?TjdkqjAe|?Utlz3iW@xIIees z^~)-{PR9WU^CknAPXtG=fD&-|WX_SL%D_+M+z^ntdn)IKfXv-fIY%4&saQ_t93>aX zz)$47SFh)~W|cTkO&JHVmR*V{H$nu5ATmUy5h5zrmLjSR5c>jh?3HI-4Pw02Wd zmpxmb9bb*6%>-5u^I*GYH9xNB6Hd_}t)rqs#z}#iVE=<<9dN@f#RyByBR*7FMJhTr z9rxj77X{d(tX^dF#^IY(#6xSip}%(huf=kyamCW2m1HoqVV z;qSK|Z}Wt;j@1pWwQTRlKHPXo&DrA;f?B7KwtHNEyY(msxy_>Tf>z6tCRQ)|33vZT z!*#hnQhi#4>vd_LfVM(>5lQnO?_p|_D#br=42AIpo5S^)tj|1dYf zI?|3pcgxd>fe1wNm#ZK4yx(#-EkOs8mTtaf)__ybY86C9#2tSfEW!;-kr2iyC*GG( zME0b%VPc9rw@}qyQ(%E&M>&*!AMcm%OD&TK9$qk^Axzkw-ja)5RFCUj6@;dv(Kqyk zB5UMs9?XV=`>OT^OwdEy8@kTgM^$?0?>rF9L{C>U5c)d@1kHO2($&@f>ySHlODDb} zN6F4fhX;lEp-}CvuEk)A+@^o(>iiEL7zj!z*n|O@FI#F%5eP8yN#~TTbCjF7e+mx` z#2^t`H^I`?PkffZrPgAers%av;#<^2=cB569K*j5^IVa++(9 z`OKW$Cu+k1#99LYB@Q6g8~`YD0I?PUK&2WGz58XuCm#UW@AWc7Z+tNzM}~bYLjcH; zVIRv70CHrAPIE+qqUHugC3dY0(Mb*r$dMts&Up;jn&u%nQnczc5kPX}h)$RsI}rh0 zM7JU^AV-eq>ccT0?R331qRS3-kQ_OpV-pc%PQf!HvGu?4#CTaJMjjqVikEd#CA{YGhQl{S z&o+JRwsd=+I0QNQX&gS3d73RL$3lNgs?-lgu8985=_5MD!(yc#jq)AuoA>B*;{=Lv z+>2(ovFGebB!0wIQj|@Vb-&lip|&S;9>W#7-WWRJxs&lsAM)4+#wx*7c`Z{N&p3ry zNKQZlF1Rroyjh!~k&Cg*6;ukTr6pov>B0k~GwTs!@<1H6ns0zEgZQC{KBd-E(oZ0v zG$NtM%}MlR;Jc4V{E>8HC_*DOt*VUT#T<>qvW`Y0;%F+*v{n#+`~7c2K&%HWak{hj zw#4i;LKoB1GuRiHspk;@G2~kifQu>~0l5(Yu&$~cVVUdvE8xwaJpv|Li|`4M+x^yG z`%UPG*^84q0?P}WPC)7;1f-4xR!j#1%98X~-j3a5Ngp<$Av7PF)5wJ#@c8P1MignN zEv45@XsEG^VAq=(5EJvxd}2})VzSU&STjljz?_ySfATg=8c!#ZQoScn0g}xLrIYlN{U!`bF6^G6 zc3L{KIOML+)^2@Mm7??IPyY6S-Fv?0bsHsT&ggvLGH)U46EBx1yq55YTGX<7v)jt{ zH>7Sa4Ux}419LHL`3I*d7^SS~WM17E9|^JKZl@(5*0__~7H=_X!4o0!F%l03Zitm( zMu?%zpJ&_tQWpdaJals5J_VbvQ*TLJxzl!Kxmt}61O+vMPmq418Pr_7Jp0@DllJJ= zB5t^Q3LZQjdAQ+nOo}Hq<@{dIE=;_~P2iEg6rQuSp!+%WoJ?-pl5B7=P$XW&(5o${ zg^bS;gvG%?OXD2IDC!Dx)*KuZHy`8JTpX~IU&7HMHNq zi#zp}%!g*~fHf7t_kczDAF8`=LwDjDT}>)6K81{f2};qTt@jMgpgx{LwLgrxfCG3> z&R^|4>xtEjs%|V4XjC^vSKnl%(-|C2qf(@WzuSdd4iea4nRxqc@JjCDP7p`dNSprK zzolXH{mpzI{SchBQ6~Hvg=sTK(Lw%%DYz8m%h3-7?zvmlhY2x7Oddw^4;p9totfBrH}0V;5m4H@-|e3M{=au-=cIc3-38f`B^Hctm*KM<~+*BPAy5Xqfpe^g2J|(Vqomxv|MTc}odNSM4PL#)f4NF*Bm)L=c*@4qX8ATK5eqDUxUcGli@KiYiRdL={2+Qo0Bb(m`YcGP0uAWrbe zp4cn{<&5EdF;-Cf=j>cd#K} zURbu`#PY{!;=Y!U;<&Hd1+H~CE#5EJRXCDkI)0Sa(YoOZD40c~e+ z+QFi@tin)bJE<=511o;ojxt@3+DEBe4>)ib(mcX;+cpsdU`0{|AZTY$G`d;7?Dka& z=yL$@$SQe$3is5bhA+=6pBQ8t)dvM&U@X-lm|718mYp<`D4@~5F`NqBZj>q9K2AEX z>jnxf|N5~A!z@fIwG)`FRv6C1SK``}H1X~vT)wRQN+g)CjUnCKMo2?vf?#w(n1R%0 z>8r#4TD+xcmZQ0Hq33X^IJo=CDFKx(;TR5)SN0J zuPJaBIm#-pIWS-eWr@=iy$>n$nOp^rPc*3d5^RDf%}1PBrZVME9v>KmOel@8jUIA) zf4RhomSp+mir#~(u^9_tz5P+R-lZNLG<#mKUBJ@!mx)COV!g6iQrb>cL!9!7HdHtb zHJCH;%4VOFGP|;Y0-r0F+)M^T^GGU6x=mc2D)Z*`rWATQW~q6^a<_+;7wl7VXRh{7 zzIR_}-bK`%Cx7!d{h#X2D%^f~S&@IgJhHeqm(Yo2zN3o+e-%Ej{ms4m^EelJkmaJNmIz&11dBozu(9_LMoX7$Ly+8Ex#NOr_HDE_oQ!PK z;$#!+UJlSk&XnyH73S_?--VY#YqJQ~AbS@BNX7w8!_W53kR23YWp&aTDAGL#2Zh57 zNG<`%JRtODnaz=Ix6R_~{~@`*d~#u1m#uD>hHnd>?K8hCpm*U;*^Y*{{?}}!a^wn( zj)A5STiC2PW6PSR3k~#sO;)-+v(IS=HrWQRdw;WJB?XeS(y{+zr_Q2Hw@NRX!&bm8 z0$Gw&ja+)WeO9ob8U%$AR4o4CFh!K#q?RcZHk9y+8PRnz3&TB`(w=jWfyF8z=h6gZ z8&tK7qeB%%c*kc+*SzhILKo`T2ch0cg3gjE$mwe`1?}2l8sx&na`U zik|o3a~;L5)k!aoplm#K6j}KN7Lb1pe|Tijl_iy2hkO4a3|VymayMb;#ih=D4Lbw1 zf0>*z=%B1kb?i(nsWqJ4+{_0&g2;EAXE?O8B+I3CzKp@!lDDvE`dJePlN6mt`dRa+ zjt7BhrB@6-aGVVpI9mhGnq_s|)lWKc>wTKj1L4m}PEUN~ni`3>Qc4ayI9UD`f=0)m zO871f2iM+;OuUWv=qC$l%ssl>f66eT#ivCX+6J32tKrzXCecxzJJ{9HA(` zNhl%$I3;$}Dth=cW0MP`Bfpm