From 6d579368af231c9eda080353a7ad5dec7fe98db6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Mart=C3=AD?= Date: Fri, 25 Sep 2015 22:00:24 -0700 Subject: [PATCH] Start using gradle-witness Fixes #429. --- F-Droid/build.gradle | 21 +++ build.gradle | 1 + extern/gradle-witness/LICENSE | 19 +++ extern/gradle-witness/README.md | 127 ++++++++++++++++++ extern/gradle-witness/build.gradle | 10 ++ .../witness/WitnessPlugin.groovy | 64 +++++++++ .../gradle-plugins/witness.properties | 1 + libs/gradle-witness.jar | Bin 0 -> 20130 bytes libs/gradle-witness.txt | 6 + 9 files changed, 249 insertions(+) create mode 100644 extern/gradle-witness/LICENSE create mode 100644 extern/gradle-witness/README.md create mode 100644 extern/gradle-witness/build.gradle create mode 100644 extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy create mode 100644 extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties create mode 100644 libs/gradle-witness.jar create mode 100644 libs/gradle-witness.txt diff --git a/F-Droid/build.gradle b/F-Droid/build.gradle index d3d334330..499a3d509 100644 --- a/F-Droid/build.gradle +++ b/F-Droid/build.gradle @@ -1,4 +1,5 @@ apply plugin: 'com.android.application' +apply plugin: 'witness' if (!hasProperty('sourceDeps')) { repositories { @@ -84,6 +85,26 @@ if (!hasProperty('sourceDeps')) { } } +// Only do the libraries imported from maven repositories. Our own libraries +// (like privileged-api-lib) and the prebuilt jars already checked into the +// source code don't need to be here. +dependencyVerification { + verify = [ + 'com.android.support:support-v4:c62f0d025dafa86f423f48df9185b0d89496adbc5f6a9be5a7c394d84cf91423', + 'com.android.support:appcompat-v7:9a2355537c2f01cf0b95523605c18606b8d824017e6e94a05c77b0cfc8f21c96', + 'com.android.support:support-annotations:104f353b53d5dd8d64b2f77eece4b37f6b961de9732eb6b706395e91033ec70a', + 'org.thoughtcrime.ssl.pinning:AndroidPinning:afa1d74e699257fa75cb109ff29bac50726ef269c6e306bdeffe8223cee06ef4', + 'com.nostra13.universalimageloader:universal-image-loader:b99382c5536c7325ef8dc0a0fe9a6cad803cf3488942bea7e1cca4db3e5dec43', + 'com.google.zxing:core:b4d82452e7a6bf6ec2698904b332431717ed8f9a850224f295aec89de80f2259', + 'eu.chainfire:libsuperuser:507f5f9703a7578406e672a96ff038fd8aeefd6e2fcb14dd0daba796239d6eaf', + 'cc.mvdan.accesspoint:library:dc89a085d6bc40381078b8dd7776b12bde0dbaf8ffbcddb17ec4ebc3edecc7ba', + 'info.guardianproject.netcipher:netcipher:a8eef6c3bf190e360c44c9364044b8050f0d387418acdae8d7ec78bd105a32a6', + 'com.madgag.spongycastle:pkix:0d9cca6991f68eb373cfad309d5268c9fc38db5efb5fe00dcccf5c973af1eca1', + 'com.madgag.spongycastle:prov:b8c3fec3a59aac1aa04ccf4dad7179351e54ef7672f53f508151b614c131398a', + 'com.madgag.spongycastle:core:8d6240b974b0aca4d3da9c7dd44d42339d8a374358aca5fc98e50a995764511f', + 'commons-net:commons-net:b35ad597f17a6f221575df2f729a9de8f70390509e047680771e713bad713fb9', + ] +} task binaryDeps(type: Copy, dependsOn: ':F-Droid:prepareReleaseDependencies') { enabled = project.hasProperty('sourceDeps') diff --git a/build.gradle b/build.gradle index 42e0c832d..583db1576 100644 --- a/build.gradle +++ b/build.gradle @@ -4,5 +4,6 @@ buildscript { } dependencies { classpath 'com.android.tools.build:gradle:1.3.1' + classpath files('libs/gradle-witness.jar') } } diff --git a/extern/gradle-witness/LICENSE b/extern/gradle-witness/LICENSE new file mode 100644 index 000000000..9323adadf --- /dev/null +++ b/extern/gradle-witness/LICENSE @@ -0,0 +1,19 @@ +Copyright (c) 2014 Open Whisper Systems + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/extern/gradle-witness/README.md b/extern/gradle-witness/README.md new file mode 100644 index 000000000..3fd82675d --- /dev/null +++ b/extern/gradle-witness/README.md @@ -0,0 +1,127 @@ +# Gradle Witness + +A gradle plugin that enables static verification for remote dependencies. + +Build systems like gradle and maven allow one to specify dependencies for versioned artifacts. An +Android project might list dependencies like this: + + dependency { + compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar' + compile 'com.android.support:support-v4:19.0.1' + compile 'com.google.android.gcm:gcm-client:1.0.2' + compile 'se.emilsjolander:stickylistheaders:2.2.0' + } + +This allows the sample Android project to very easily make use of versioned third party libraries like +[ActionBarSherlock](http://actionbarsherlock.com/), or [StickyListHeaders](https://github.com/emilsjolander/StickyListHeaders). +During the build process, gradle will automatically retrieve the libraries from the configured +maven repositories and incorporate them into the build. This makes it easy to manage dependencies +without having to check jars into a project's source tree. + +## Dependency Problems + +A "published" maven/gradle artifact [looks like this](https://github.com/WhisperSystems/maven/tree/master/gson/releases/org/whispersystems/gson/2.2.4): + + gson-2.2.4.jar + gson-2.2.4.jar.md5 + gson-2.2.4.jar.sha1 + gson-2.2.4.pom + gson-2.2.4.pom.md5 + gson-2.2.4.pom.sha1 + +In the remote directory, the artifact consists of a POM file and a jar or aar, along with md5sum and +sha1sum hash values for those files. + +When gradle retrieves the artifact, it will also retrieve the md5sum and sha1sums to verify that +they match the calculated md5sum and sha1sum of the retrieved files. The problem, obviously, is +that if someone is able to compromise the remote maven repository and change the jar/aar for a +dependency to include some malicious functionality, they could just as easily change the md5sum +and sha1sum values the repository advertises as well. + +## The Witness Solution + +This gradle plugin simply allows the author of a project to statically specify the sha256sum of +the dependencies that it uses. For our dependency example above, `gradle-witness` would allow +the project to specify: + + dependency { + compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar' + compile 'com.android.support:support-v4:19.0.1' + compile 'com.google.android.gcm:gcm-client:1.0.2' + compile 'se.emilsjolander:stickylistheaders:2.2.0' + } + + dependencyVerification { + verify = [ + 'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819', + 'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585', + 'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca', + 'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6', + ] + } + +The `dependency` definition is the same, but `gradle-witness` allows one to also specify a +`dependencyVerification` definition as well. That definition should include a single list called +`verify` with elements in the format of `group_id:name:sha256sum`. + +At this point, running `gradle build` will first verify that all of the listed dependencies have +the specified sha256sums. If there's a mismatch, the build is aborted. If the remote repository +is later compromised, an attacker won't be able to undetectably modify these artifacts. + +## Using Witness + +Unfortunately, it doesn't make sense to publish `gradle-witness` as an artifact, since that +creates a bootstrapping problem. To use `gradle-witness`, the jar needs to be built and included +in your project: + + $ git clone https://github.com/WhisperSystems/gradle-witness.git + $ cd gradle-witness + $ gradle build + $ cp build/libs/gradle-witness.jar /path/to/your/project/libs/gradle-witness.jar + +Then in your project's `build.gradle`, the buildscript needs to add a `gradle-witness` dependency. +It might look something like: + + buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath 'com.android.tools.build:gradle:0.9.+' + classpath files('libs/gradle-witness.jar') + } + } + + apply plugin: 'witness' + +At this point you can use `gradle-witness` in your project. If you're feeling "trusting on first +use," you can have `gradle-witness` calculate the sha256sum for all your project's dependencies +(and transitive dependencies!) for you: + + $ gradle -q calculateChecksums + +This will print the full `dependencyVerification` definition to include in the project's `build.gradle`. +For a project that has a dependency definition like: + + dependency { + compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar' + compile 'com.android.support:support-v4:19.0.1' + compile 'com.google.android.gcm:gcm-client:1.0.2' + compile 'se.emilsjolander:stickylistheaders:2.2.0' + } + +Running `gradle -q calculateChecksums` will print: + + dependencyVerification { + verify = [ + 'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819', + 'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585', + 'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca', + 'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6', + ] + } + +...which you can then include directly below the `dependency` definition in the project's `build.gradle`. + +And that's it! From then on, running a standard `gradle build` will verify the integrity of +the project's dependencies. diff --git a/extern/gradle-witness/build.gradle b/extern/gradle-witness/build.gradle new file mode 100644 index 000000000..988a3bfcb --- /dev/null +++ b/extern/gradle-witness/build.gradle @@ -0,0 +1,10 @@ +apply plugin: 'groovy' + +dependencies { + compile gradleApi() + compile localGroovy() +} + +sourceCompatibility = '1.7' +targetCompatibility = '1.7' + diff --git a/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy b/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy new file mode 100644 index 000000000..eb9123d7c --- /dev/null +++ b/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy @@ -0,0 +1,64 @@ +package org.whispersystems.witness + +import org.gradle.api.InvalidUserDataException +import org.gradle.api.Plugin +import org.gradle.api.Project +import org.gradle.api.artifacts.ResolvedArtifact + +import java.security.MessageDigest + +class WitnessPluginExtension { + List verify +} + +class WitnessPlugin implements Plugin { + + static String calculateSha256(file) { + MessageDigest md = MessageDigest.getInstance("SHA-256"); + file.eachByte 4096, {bytes, size -> + md.update(bytes, 0, size); + } + return md.digest().collect {String.format "%02x", it}.join(); + } + + void apply(Project project) { + project.extensions.create("dependencyVerification", WitnessPluginExtension) + project.afterEvaluate { + project.dependencyVerification.verify.each { + assertion -> + List parts = assertion.tokenize(":") + String group = parts.get(0) + String name = parts.get(1) + String hash = parts.get(2) + + ResolvedArtifact dependency = project.configurations.compile.resolvedConfiguration.resolvedArtifacts.find { + return it.name.equals(name) && it.moduleVersion.id.group.equals(group) + } + + println "Verifying " + group + ":" + name + + if (dependency == null) { + throw new InvalidUserDataException("No dependency for integrity assertion found: " + group + ":" + name) + } + + if (!hash.equals(calculateSha256(dependency.file))) { + throw new InvalidUserDataException("Checksum failed for " + assertion) + } + } + } + + project.task('calculateChecksums') << { + println "dependencyVerification {" + println " verify = [" + + project.configurations.compile.resolvedConfiguration.resolvedArtifacts.each { + dep -> + println " '" + dep.moduleVersion.id.group+ ":" + dep.name + ":" + calculateSha256(dep.file) + "'," + } + + println " ]" + println "}" + } + } +} + diff --git a/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties b/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties new file mode 100644 index 000000000..dae767f67 --- /dev/null +++ b/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties @@ -0,0 +1 @@ +implementation-class=org.whispersystems.witness.WitnessPlugin diff --git a/libs/gradle-witness.jar b/libs/gradle-witness.jar new file mode 100644 index 0000000000000000000000000000000000000000..f68e2338f31407fbd78c93762f06e10b76a14bed GIT binary patch literal 20130 zcmb??Wo#bJmZt64F*7qW^J|WonVFfH9ph_eikX?2nVFfHDdw0qqq%pr->fv!Xt$(l z^^bF^y46xWa84^oe*=dB0fB-7sjcP`2l+d|{^Rm@K>wYxqAG&)l5%2<-#`@p5m^5d z>>BrP0QTRB_J0P-3d%`}i7Klw$co*|PEN>3(=*J$OViU#PtG(bF)gz09_=52{g=i5 z=Kt?q!T;XdJDLAq8~&d$sQ-#_x3F|}Fm-bFbapYdb^dQt{^MEyW7+?b;%@0;XX^Za zr#hfKNJKz^fDrwCH_rb)RsBDgP_S_|x3m-Wa51%WwzRinFt#ytb}mwfc1K-7|I8-$ zwqf>!|3~>~PnYG@ry~K9jMfSN-HpA{r zN*e-2I~a+|Hc$4MTzA1`=Tlg2;ms`G#QX5q@v6A}@zzzx^VZSS!k6zpHHhvDqHt(= zQNQv*M0PT}uNLPaG#_sf7PjWfK*6#XAWND$?ZX_7tAN%@48*upfLc~+uQ5q7BvdXl z=>Q0VIIx~nT%NeF{3&?9mZ!$bHa)jucgM0QGoGGM82TryjLn?t%t2%>+HM`@6lg+q zm)%%+(Un#>juhcA=*UhSE6v4cqrG@&l75NQ=@6fK7*fYP&on#G8^f|FI|?*Oz)mMQ z(tyMR8>7R;Wle(SvXVg6Ot>(%px(g7y|`RwPKk$pAg0bpX2sWTc5$8mDQ-S;%<$VR zH9;|o2b;Gq1sNIM;-N2c39bT+dhIlR{;bq!)SFF~B$g+Leq?iN%(QjLA@jv`ACV_; zizK~vIh2NtmCYepk@d$n@|pA?dUPLDM^?MN`U{cD-f?a(t(jf+(+BK!63$F$G&%uH z1hUgcFex)7K5|HItY%2kqK7b?^aM#)@ncFE_lbUbplqb*L2glnJ4ptH!$>AsBNZ42 zb1nwGi&>vB>?5Ie*aUZ>8X-r1wBd=-ar7D8l{t!KNMvk9Idpg3IkYdxlu2*#3FD;Jm41N zaaY6A#(q7m5w70efSQfDhA}=Z`CMx{*7(CAo9r}J5L~#^PUU-q3eDGb2!F>fS4k*j zp1G;`%Y5D`2~-x-O(9*8#Kt84R5h70;QaP&Yq6Xp<$S$=7aXm0TgAk8`Au1A=}lxS zLNdkcJww@|dgjvN*w)Nf=?Ju$*>8Z+0*A0XFD0pyL#|zAjF)JJU0v%+YE|erUB)XJ zT|@_vAiO_F!u0n3YOz*O&2+V7`wVz{Q!L}PnVfU=*~{lz63OkG70mszF%h?h*f&nh zz+I&hpue$-9D<7V@uePCYD!ToF>=k&g%2QxS=te~94h?z-~iB9yS{`C3Y{=_^jl*S zt#TJIBVE_2<5@wu{q!Dys7xUYPc674Jo>)t$jl*81WJ2Yx|q0Nu?bS&i3sBZ~+;n%2>w% ze&U?YRd7PJ9}v@I6|I77M%(0gJyY4Vn$mkx@9W?LgkbvYLDkxH& z9bun?g~k3r->&890iTlwG|>?uF?N|;_T`{3Mh&WNiRY3wUhjF!-&HSk`x6)^>f^U5 zf2N$wY2}bpPYxK}hOH9m_Hh9duD%U$X+GSPMUo3vEpj666F8BAgIv7hrZcH~Sg8+p z1m|eS#Lr5OeqnD4C@hDc zPZk}tzl%cb>AS(Qqi04ar?}wf^87Jnit@%TTU4=0h{Z9f%u$MiF_PAr$v%l#E5PzH zDVTqu6an`hj=ACda^DFx1^uP(>w)pJz^RdCj!=;riZr44_HCBwD~}~FHvFXwl-j!I zE#FEmaso1`F>2!!sxyg(9qBau53It?!MBvx{y_<3juk+Q_B=DkU}Vg_fC(fZ(WbLiyh-f- zHNvXW8w2Kc;+V#!nufvotMy3}W2%JbPO5$^M=ykL@R1RA1-4O;3E}~%+IQ9d0H>r? zVP}{lroy(QWvzqF0pfwfdxE#c!G?Z+Rco*g-4_p1^GbZM*()Kx@0BxgDWC|4SLgZ} zM=RhdzsqeyZ*IeFM4Ry|sqyNXoSLB}eA<3h{}IYc7^0KnCxSR>)kjJ}!BSWiiV0IwI+=I4(C}JxJ@e7UXem_+s5d#Bd!2 zy2Q1no}ZgzwCdq*2HtGfRGa@;MNEJ5%y<{{8Koyd1R%dU%(+PVU=TWw5{?8h9LgU> z&Lg5Xc~2rO1~1R-vyxvSZajR4L1t7WZuHxt<3C~Y*au$XWY=#k=)pQnXJS_SiDD2mdzCjL~5i3ud(K&sYI(Xb8w6yXQS>0GA zx#2}`+srnftwF<^3Yf|6fv~Vr8{ubu`+$ye+Jo>DRDfjff*Iw5njA6fH{;2o!oj@; z@vfCGyvca56?PfQBSbP8$DBUMDK|IWN%1J zkgYqgARvGK(jtcc0loQ8R#T-3?SZ<2{Fy`VZCZz=4HiV4$xI~O95RI5`@_hFso9hW zncdamoNiu9FHU{@dVIIha-EGYVf)#)_$;~5(f=h(SZIO5a^cOcXWMqYSoY>ESN7zJ zc%m7Ogr4wHyNi?cCdZTY-YkXk^S)OYgrnZ>`%f)tpd1{Pm)P=y;Z_{v<1F-$f~hVd ze)DipnT?Vn1QYOrWTcRoIw@h%g-{*mb`Glr$v-mWeSb4cc`{>7Xxe@J7tnw#y`Vwj}1PZPHVkLj+0C{ys3yx_eKTP z66hb!nG!ScO-T)LO^KZ=or@NYqbduJ*b{IZ2~T`gnH$G4r!+I z(@z*XsQ}3Ki@2Ks_@^`N^YeDt_M@Da%=)cRMocY(({>%JxMynb7D$UV?oL&1bZJEO zxbhsK5hhBIln2afXQ0NlRiZ&xg=csuOGF2Fl<6K422om`+oB4`5acsnXU+U6%Axh6*Jv%tWONRc zy3-SOfcwiPv|=VB0w+D6LR)Gqqpx;SXZA=#O*zUiu=GMn$xc0?UhcCt8-by{rYRo0 zLvd!-Ly`goiLB^_ZD1L!lp$&%8)Yu6*wf-iSl+A9hPZKh0<#+;E=!3;v^2KxGB_Kn zhf#tZo)jU@^eCLV4px{eKZK*rAO&Los!U(<&+?T~XwAeWtTJi6meROK+2@VpJ~f*Y zvywsuKGDT89H#`*Ey-bm1SQSaAAxzpJ86jh6eMWs`!tAddC7+Eb#_WC0t1qNjLRCc zmk!N9(c(HHxYH#BvuwAXJZ59M;B<$=X`VKp@0@QADQNd%l|FMf)uj5w!pHUFtOXDp zgb6!6hz@OC;CHD0d@)&S^g3fLW1d_UUm%ls4TPLe@9Xl+ z;Uo2TD!1@#L*FLJ4s9a9>vLUTfU;KnAuwbrB&i7SFds0Y!j77moKU8eTeFKen)OfN zC&rhJzfY`X86Th?FP?aJ)-`?XdWV~M39`#i?^gkf(GI6yBF1GC4>g2~#A=L@B=2sO zdF7XL0D7CsN>VY0>jUgeF7Xs6k*~QdN6Y1Gz}RBMbIDZS?=sT4L%S7!EC&%^9yx8k zD+;Dec}i^f`8;LVpxg=}+U*-sn9vE&>GG%MS^o6PSR6v%Dpg+0dvI*4 z_7uZuwhzqD5BB*Z^tom@c8)h$2;P|#kABP2Ui~3%Ce6))8-NZ~bGxh7nSjT|aDgqG zvX9(9U3+gNlvy_Y2dsg_ZluCv-H*L3+7z-K2swZE%}QI1G?wFub?~FX&cBVedhHh0 zMw@A-6QkxpLQlT0L@J0ia3)36Iw7Ty#-MNU?ySCV#?IH#d__7>8t?U27M4+K@vn^= zC6^QNXO7OSi$?@0kmC<_c%ON&o@$VnK)YrD7v@vNSBo-@2ieWg8{pxYwbfJ6V#&7K zk~31d&KJr37VNh$+`Xq^n)(R@tR9=QsvqI7_)7{QIx`|k%{#xHJKB)SJlJ(Hh-0pn z>&x_-TNz_F8|EGK=0zVLRvq|BZUkV+dePg#ORO)k0Lek%?$oK9KIPAeLgri1FGBy$ zcRt^_ggqsvq%dfi=>aN&!fj&eleTHm@)=mqQDKi?k-Xw0k3R7m+4OcWzr=5;8SWR% zB9%*W;#jf{72%Ry>&|S)e)IZqcPX%CF%{bxA;%uDZU*s7Uw4qEu)N_T$KJ`6fag$p zDsRTK^*r~CW_8f&%k$f-CF?)!O25D~nNg>oHTD1EE@42{A6R)^=M;I_J=*ZCh_YG@ z>Sr~-L07bu^;H)^`R226To6dtq9^h`Ep+Ei(^s<4 z_?w}K~$JVcbcZgXHs!+$MaDW`14RO&VE#i+Bas}|Ge2L^2cD0 zWA^$d!ETlfgkp(Qw18(u#uRB=JsR#VeM-huNf01KO@&kY2ZSVD)_&R0RJmkc z>l$BsTI_Ze{gw@KlVQEGZIQsIq(8o0#56rP++ru=VGfvu@`K#lp>jy0#> zu|liZ%`YdTF3wGb6gg{eULtCJyoYr*@J(N-3?c@utkov8GgGSDwXOusDOK*=*Zsuw zwO)v@ySbxk^{RN<-@e+i)R$BGaT#7|Azj=h3~IVYO)q`?HJOa13>M#E z!W)} h{`#3yTF`APNhtT#u8zt8nD4&WOtbAgNi`WC=VJgg^HgY)VA`+Ro1{lc$ zu81g^Yl!YigGb#ICmXUZ$FciZrz)!mmiyfjYcw49qYKBNy8d$5>O-WTaRkVs$SABuD!HBG z1NIKN=Nyyb2=0UFy;vBr#+qbI z5y^b;0iSPm?R&Sr$L@iA4`|^Nq9`l7PTLx}2-ddHu}aBPv{m2Ex>x zpN=+MkY8lYdK&`3lx*OD;7yD}Zad7uDqr{$zkPU1p&=YT>ZwxzM#q4leemaFFs_&* zd!5{_0yM>(wNgypOp>)+%)#r4!v_?>F?}0!9Z&_dKF%R&m_3XH2=Kho`=cs}#P!b2 zB1(%K9+t_57Dx1WdS0u_EnMt6SNh#~R;_(MOK9hm zJu_Jn?hyj4a1|Prkv@xT*wB3K4b0gKg;P_7vA(pmPFhA*E$usgWAs#9|CA2u{l{O* zs=&>ynxB$BS9JQLHDZsvb!d6ljhm#pPcLRe8|Bwvm2Y(e)delQ*u?bypKhg_i2`2+ zuc$qaiKL=Nn|L-6T|}=xQqqV~2kZwPL8b>jCRZFRpHE_);R<&xoQYe~#dI5X+9?iQ z5cW-u@c#M?y%;eSh8-2ls(7uAoej&$Covc?Q(Sl%&H#=BT|CIEKX#oX+mBe9K@0Y| zy5136x8Gj9w7Zv*HfqM!?WHy-#I-TMO08}>GFkyUUNGf6UF7cl_*f$&Vsd-c61R?Y zyA21eHH=O;?hxXRW`im<15q^zd51UE3kKvgUiwOe`q*Ig{h~Rr8W4??njf85ljBbrZI97}eQ6mxcw8ezLsa-)(r3iSXW2fbJhA z`d1X;JG{~MkO+)}?x*f#7N4Jbx3%Qm$@?DKa-Bok$WThF(fg1w%L0?(HOPh zJ%EXyL--IWH!iau@Q^TcUkjR_nA0I3)bXMR_A581uO=8u0KVJ~q(sz*zdCy~0>sv4Psy zsxWR`1yLjWS|Hs7XX#zt657C4fTPS=zgN|;~M!?oqA)$874aG_|#ChndYkY^I`oUj&Iup{tM!tQeo`kjtTG` z1Ox#A1VrM0AQi~;jSX##U2P0qOqDGRS=c%Bjcx3mU7bvs|7DG;ovEX$qkVOeF*#x( zfiWa0)#U?0#7eaxY)u=I{FjNs){6&jp$ZHsveIf-*L@o*n%=hkPTdzV>ax`YmYn}^ zdaiGCV)tY4Y3yZ=WjtSZ^>lRYWc7T#e#nEw?wJEQ7No=|M_hQO=)Kq7URv?97V(2N z++3L6yxEc^&&6zol$Et8inw|Ci#cw#6K9o*v+6t&!G{&H8)cl0xYL!QO&a;UN&04H zi9pz#gJa9EdCny@u?OZxJRg`iTSYO%op2!F(4`&RO;oY^D;`yZ;ta1??6I3ejLjFJ z*)R6u_gHnDwazhYhw!C26X;<~(3oF_#j!XBF~nV?Vx1y!aqJDLs+#bZ=9-?8tTwiW zOUIDHkD`-ei=iYrqb=l89*RT)=^mO{YZKu@s@n5-Ah8jS@0e%g{A$j>V~txSZd$4< zm$hEs3a1n)?WYg8mi&G@Rt-=}u9xKJu91+`2z_MnS?#U$RpnoTr=k)siUJ`}Qiw`m zFZ^H1Q0ifF}ps$z&s*7j?s zGtfxoyh3SaexbftY~AA>hv_d(tiwkxpYFG8*}ElcA!Acul_@QQ6ZmWU@o#pm22+Y~ zxDnA5AoF13+*Bl>q?dh9$Nf56Vqf{1h!50V)fLGU;;b_8Sl?55@UO}#z)5C=dXCjR zF67Q6>3NE*L~%reK3QkQAWu~CpzADbL+rSKe7poffSJiAnkkj*a;f8-QXfCo8lKNO zvtVS;O+Uorn;{-3xECrke^nY z8iJAAYm7?t;IIaqlm~(v?eBW_QHiW1TD50@m241TsAwxy&>yXxi`pTnu-V0M!(LVz zfa?THukfyx7wHVEGr`H;R?4~es5JoUwo#ts*r1gFO-?eNDhgI|*iEB+|K)nW9o2S$TU-U&Z7y3>h?Q`A5-8GRcvYrKqb_TVrN2^-O;L;s>QVgvD^5C@n zh4zW2+9=xv#7tINzUKh-TTq5k4?;o~-g=@{^Y(mvpT>zvEYhqLQqT-9*QHgA5AWT z=O6omdqXZk&!)qnZAVvVr~;Pe-b;MLj>NxlQm#{>H&u64drvXKKpIQEfkPzJKq*jHuDjUK70e6FSZ-z?o>t@y$m z(OT1&z~@%5*4Ob~(U%%ZYo2HF%J#UQFbuwPO7`CLFaFS}D94jQfAVBf_1Fw~jad$9 zM9l?smo$MrG2$oWplDhAR7dcNGXZz;#At6y1M7^T{6>&#k8GfcP)i4?aSVF=V;tiL zLf+K3GZJXzH!rYo&$xw z-}SgwNXA_8N+w@m&VYk#r4gi1&yr+2#ejVY3+vG^aiJ<=R(?h?m;G>Cw~e@4p=Ck` zuhFw`++R2_uOutC`%#o~J5$*n9p>yl5MwfUy{??`3cf&|KD zJDMowL-|I zw2LNtr|PF%fbq*umT~H~k^B7iPjtF!ta0Rk00FW4Yi9j_K_`}fqtl!6Uv&DkLs_e> z#6rz$Qj6rUfRbQSdjqLL=_3KH%+r#xZMU)OKd;ZYwiEeNe=|ZjzoW?WBLUc>)ZcLY!wLGU4Ooh!8Dndzy>ZsblfwFhk$KrF= z%z?FRyc93I19lGn1O4PkPfaTCYbh#nYCsq;?d$i$6AR{`;v0F2xI0P zXk%I6Poq$I(tUP=rXsg^!h=Nsmdu&2ugk=mEYXT%C-2R|xHKH|FnibVyaKAIKRIae z3FLrJcdfuGCUiO~`l;6hhq%o%zLYNXp$Rzg9BOV9FG=a9Dv5}H6ZQFOFUsm#Obb5*PXJ*ACJ`^SPjAk?b| ziX4-ODD&%h`1g$N^uR;_`2l+8xWl_8F`Y%To~w9@E(6(g@*)knUjGFgk7$Vf{^|}( zO_e4sR)1|2r-N3XoJ(`!js17{o-DUShZw=N+gbbNg)(}%C)=K%=!Xt^!%$+ryWFY} zm~rTk_ThoW82U;T2gRd~0P^-`)-v|y%THOhQI%qYQw!rH`GiR%Ipr8V;9AsHrRf9B>1+Df|{<+v4Lb5uoEl|0PGI(FocmK?j zeiRLjiF9;MWrCk4EciJCn46Q4G94EF7!YMm#d7H_g+*S9_ERbm3_ghESW(FV{RSr8 z6j-g6d>X(ArI}?IdJcKK+91Dz%d{T8M*^XTnoWl7rA(i>w$H4qD65UapYI(s&soIa z1c6Y_VxwS*??DGJ^~^u<^qeeDD^lEOF8#1$d0-2W)vRW8ls-^Z+(NNq9@V4giP74d z8YuDm@Qso;p*vV8?qxSQa>kZ!m2F@Z&qKN2&R^A0wAGbq#=awZ{@p%SVikG6iQwio zPqbhsQ@*sT&7i@qePG;9$!`@w8)Bo-K(9e=)#;e%hwriN0Lhm$3AF`c3pHZGOzyuL zyBdPkWjZIOlEsp>KrTMRcy__oUkK__S>R2xB~S}Ix$#IHRe!h?Tvc9;#2lOws_^xQ zpB}Uls1j-{X2$z5g&Y@mLsB{x;33c9N0oi~1#t$YcI%JOPhi1W7QnCxKMVecZ??vA zOY8=!{T99oz4qs6T&o1&92*A?4jwhIS7B6ve@e}9as<)yMe4`wNDb*2s1jY^!RU7h zQqcMM2O7P|P(LBIt{7HYcSnw$FQksaYwlsQ`)7ydpXdj)dM4mx(FN1u5)xS9O_7pl zyRLKE8upZCsFwuAHy#XPj%5reL0_1fBc?Y=D8dUQ09l1NaQ~#3=fN5@4)9X>ZvjDi zeq%~LPn>w^MD5Pcjfm{dBtgbq|F}6%0xnINS_SnT<7yOz41vhn8 z$**DReyk_m{3t`XgmJRVFuKoRf2R@84MZ3mB1~R2IPh1_4N|p z)sm*0mJjSE2)dG`oO7;^3|`xtO9pv$L@9)Z23Gg$gAVuZj<5H(5q*&6eRZI2adHei z;&~fgi&IGERH##(;TDGn118ToKceYx%PlC%B^wT92`g;Y)Rq@D=%_pr+qB~|A-V#b zGmVN4(!8)dz0##gG(wg8wqKN{NATK&`*q(ocT=qH7Z<~gfa99W9BtxQB=?W|C-sqzmqeP}#=s?rEG)27QZ=3tT;S8+t0WR$( z*DCgcV<-G!|1qTKH?d(zmO^RH=+z{;tkeX_`PrrM-WcX2whN%$jp-_Gc#evEMRixu zM~pr{?Wf+-6AK-5N!wPr84L8*G5ue`FbW^Pe(>4tS!zv|L;AXU*hc{&tw>JlZwkkL z|64LwJ-`ZEuu`EG$`tnWffP*uN!N$q%o+4iwosNgT76yMW)ym3Sw}4?H8{;_q2|1G&6YB}W%?EXbO%T%Ng92`tWis^ z7~MUd5aP46fq-%Y=JBDet9vXr{$PqdKoHAWxpb&E3IFL-1~EEsxMP^B{e-nwKy=$ za9&YU%w;+`d`pZHiZgCC(U_Up%v$;_2_7`O!*UJ{n84gaww8wgA!F_WQRQ$X-5wlZ?E9@^?K%A*}BP1b}+6shb-=c+?!!N+(FwO z368{3uS2ny#eGOxX=U;QSR-2dtb-B@WI(s;=i}R6MCu3trS4Xy29yL`=!Y&#dcE4O^DGL8153~wV$dWaj$|62y z?tOgE#NgZ@}H#yoQ*+B?)K^x7|rMBda}@TwMroD&%y zOC;{{(X`f+9~NJL?Dmk4>LPz*Nk_1X2Rhla%FN|91lR0oGx?JJQ69yl6lhGEKPp#C5Jv zKlC}3NLhAw(F58tW}JD}CHF%Gf=v;Ci(CoenGp~Z)gT=rw0Lw??dAlnA|iYtye7id zNNh5vfm)B6*gr^~eXCXSeay<@MIMcN>@k(Xp_vgaEM{*BSw6GdjqgrP-u)2gp{Fi* zSh3SD62WC#%mUBeO>WnR5Z^cSy;!D8fOdVHhbqybxf6|WH@~Dd01f6r$mDe){so-j z5m`z?x9G^_jD z;^_0Y!|y-Z9{-!>z<+f3k?H>vo&F6|?EexD>d*#gOW2=!^<#7sV1`2Zv_n7~_BFEV z>IfVXh<@}naJB%n%IL(cH4_uohUv-gL0aAx+TIma=w2-ZUAR9a<7gV2=GWhvL%Xcy zt#1aD&YsOEC}H74n7+C_Z+?FHPNB{Syi@tZ-gWlEOk7Lb+;C=g+VKd-R3HMvuYlI) zF^Q*7KRJ(Ke1V!91xNR7dD$-0PB6`Wd#n3K5JI{2GtHHKc_MPGZzxrt;ekp4Vv+*3 zrVoBqyJTQ=9R}^g{@EH88SPbVUS{uNX}y8eHZ%7%P&$9UV9JT;6te5InsnrLGuszk z*K?0y+w-2e`K}nM1l<0fTxPITo*M}_U?oKq)*i{(OSW4w7t#qD{*UT=Oh+tjsYJZ&LDz)Qv4LVO402Lrn1QX}$F%ff#Gl45}Yy0k2KI?X=0) zY&yOnw$^M$_0^x}`}Gh6lBhexenyuh^ok+pP*M)*y=|-sWq!_R$zh^M{n(0=eVdw{ zA7BA-(l^kJ#d2JS7ENt@YJE#r9Ermv!(iuifl!mz@w^`^Nr5RpjZH`9GQ~&I>+zpabopUELs+=>~&gz zJW;|jUdzNe&iDdMYNiH&@j7C{jh`WmD4>uH71iq#Tq@)2+&5uu2yR)BUVWC+1fu+6 zoniqxPT~|r2d583hho-;Bt&O?qb4mavu`8oBjrj8ei?!X=CrG{Mzh4)`Q&Fwb*wlv z!$>`p)~(U;@q;o1EqHkZMKoBkfhseB9&b&I0s6AUMUsR9ji5vz3-ma-0+~S_wdsCc z%o2Lj{db$Bq-wNZln0ho*LIEcW`R6tqLgM6FQ+K2`$^6wHgzJPk$rd(i|pAjik%`- z$o&`rvL#C9G1`8GL)9_4xQytfsqGJIS`;Oejh*qcHY=l6mMeSkBjfPrY3O}1fvJ+H z(+NZ*eKyefQFl}AwkDycz3EIWlh&5)%Ym|PjSs)ushuhxmnl=zG#?}D!ux-}M* zouXVoPghU9uxQF-KVl!$hbr*x&M@b;wN%jut>dt7gMkxGHXhpDG zR?BNOqem) zNL59~(dnlysO-UK2#oCBFBm_pKIK-H2>aa(rDnp374}Mn^h4~S8HW|RgjcTU)Rap= zQns#o@By>YT>nBd+Iz&cQQ4)zT;x8d2X~M)Oeo^)ndz zLYS*Ybu9B--si4*nVTHGRt~>!BX&;5XPAKKE!`(?)uBA|mOiP+_n*eRjq{@QOxh1) zW>Xv{%I69G=S6VJH&k#B=WeyEp~>`JRk{<9H}P^61|^T|z|ijXqy_{}rsOyJ7|1z} zM8cG8j`koN9D%{H9=yB=lvlof0^Infu$~rUewCZ7F`5#DeN`jSJ%N{I=%P-DK`}=! zXR7U4KwyaMlxbbP$BeKB8tujQm9Nr!B9k0O?->A_1$&W2b$QEZPBoqL{=E_-)NuD7kK6i;9W%Np1$?LDG z?JZW@%!LMvY^YmL?Scm$AsyUoqP(UOeEeI33$a>)qx|Bv@TKwoOk$XDFyFV;N`NET z00-cIO@H^oZxfw7Bt+UeoZ2{&*jS<&PEF=v%d%Z+Rk%1onWgfm5w(1WGc8}Pt3 zDa1QYrPwG4%hjtqP~Rg;zs0-jQ1nZ}HH09CxmLO5fRKez^ZZh$IR!mWjVvIO7(=@R zjQjI|UMn)Pkdt8Ak8BBc*6h(^moC8#s~~+p=gW4#xsz4gPa`?k)kpfZ&-L?!iqj_@ zo%nLF+W&am|F{h<z ze-m4sQ3(;L`raS|vPOZBSf_@7Or|V{!bV*{dNt24=2q*GDX-Wspmrt55;6T86T0Sk zxfv24al6zn?Uv%PBABy6pR#jlpfkF}c)v~@e4qZw3jI-~=MhS+x}>h#8ARSrQF@>B zrO&}%FXSAgi+#4(4)KXU<~8{3wm`VE_LFH*@!jMDl(#8F{il@lTtUw-qa6rwCiT8V zbi;QPc}Va?GOCZFg!>zyGUV+f#-Afb(w8^ESViowY@_=*>fct6Yv zZoCJ`ss1>_CDSIKZM>QD;wuciZc8tRqX&aX@Znmk(YmX-yQDHr;j$+KQK6(fNvQcN zJi=udJDSZSG`bnAy)xg;{g~ss&B<^U;5o^wI=DEN+lTou%0Ao?SBEaEEbuY>LD5zP z7K;!IFz#w^J$TF&lm`6$r-(nFkj1f(A!tWSqg2x<1K!j1deX6Q5^ zXnuRTDl{n*xlnh2*D}?KuIg_@o)Zy8MTJ)lNNzA+2LnKNQ1OYeH}oRHu~f=E%q&rE zioi4(w?uJV8irw+^hclIOrSg|^JR!$W4m24+xC+6=!k=lGH&_NQ$5KJJCCxUaaTz< z8=0-T`QTn7nv=OCKDtajdR>CthgsrL!$Fdl%|<)X0tR24!L&J4RjWtS=}6T*p@ zoOx*~kMvI055lsNC~FhsYG`bN;v^!;6X=CUtf8rwaFFSfZPgq`-t3?C;aD(n85#Aq zJs`m3aXV_{Eh-Dv##Rf%0fZVGOC~0nRT+S^!@+YwsA^D4!4An8l|g9sGkKb54diCp z%hM^;8=j%-^(k&r4ESS%%qXZDm=D*L9GZi24&>{ED1(z7H$`Bw>%(^-rsC8dK>Bb|nxVRErVj4a?&6w~OX3gOMxl8A#U;-|uUP>MKh?iQdrDgga3F^b)&xP=WY60{$ZD z@+>@ZJFN`fg$gcUX)#|uG2c9Jr~{Vt+a|QRnu6lI{l)z6y_U>6*qG^OoX;n|l-5bf z@8r|9Sp{V0wWr8u3&#vrV-U=7e2Qx5$TKkhf24X+MImxO9ZNNiekw;O7*IF%;G8JF zars8i>JpZ8`@yhRnT`z?C$?G$TYJiSvb=p;UQQyc4sViTPk1S>ibu#nLj2|LWvJ$KXE5&T-2|C)B#u@R=UijfeTbKku;sKU?Cj zx`aEUdwMPGL4y|ejY@in7+wm?7V8O)$-0!e#Y&i!ys&f$IdoTMtSt}s;V$F}nY0I> zjYhuwM%y8>qPnRtIEIs*Bzj_q(0F4+Hno96ZkfXlD18aDK?%hq8M}`^L@J{J;?7}` zG=)e!j!BvyG;6T7Sdj)$cBjXUwWyj`VJ%jP4!F<)}4N4R!%koa<`uCIXo;fo}spmQC6N*ht*yCazdFu@2^W7_j(3d8;L0sl{| z)SuC>LWTqZ!9x6h^7q;P5QN}FWYZ+Hb&(YVIq?5Uut&Qj2 zuTgVzceCrw5%(J(*3Yk%oOjG#1fTKR5l88?G3JR1hm{IXe!^###1wnynTbrOZSjev z1k;w2XsIHdi44<`iguq8u;E!9Cw%k#6lz>I>O^=mv_b6lV66q}TjqjuQz7aWtG8vq z4Bj4xJA4l2u{s-5BVBzny+(hWR`pMq1UUG4abSirS6%fXP6*2k7CNo-qN|+q!p#++ zT5yQwdl5<$(`J%3)=*IAsIFZ`XKG&A);;_VOM~ga{hzD+fw*Z=vEfM5c~dSoGrg2$ z+E-pntVx#IP%O2}CYy>;Z&tT%h*fEPOR=3uRgO4#gz3!gt>?U!ba|AI-C`)I#nZ6vXrtFSgbx}`JXwPGDEADp!a zK)h8x1Bi0A!geXzacfQ}yyGr=w>e@5v16_wn;kW2t|Xkpl-(*G&02><%rGRGiJz#f0a+C4TAlhXe*>`LsjJ-J@*VoZs7cw{{IN#&u#BriEy&bvZ5pM_sm7yF~>S=H?kV-sh*o zq*wwVltTi*jKrvaXHpIfh1BSVa)K>vt)o17Y`P?&@glba!cpx?`++S=mFdH zX}Ur1;zIzMfPGJO_SVrzXn7{|_^(36vlh|lA?3hU+>NQB$}Yf+SD02qvWt;A;Z?pwIHj2`k(-mX4q9m2e%VUov(BN})4-p((jJ7R`K&=xB6R23ip z*uRbncycQe{3X0t^tj=opFHP)Xqz+%zD2A?G>3+&PLwN&-Y9Z|S&PwrxzJq{s4MC;Ws&EW z?lpo`qWa^4j^lxBK1=uSPYu@c!q&pvU(6g$9GR^|jFha4#be;Lpe?&dU49Gha! z`xkD1BE}dEdF2X3F7v_}$NX2R&Bq1}QoGxDs_fgMsvI*<=UWs{s@tZYt{J*Avhg1- z3s0`EAH-MLqPHhj359i?At1#T&MZyL9d1lFDbXJin*+FPxz6FnrqTFO-BGXyz0S;R z`NMDs;shth+rGm%Lhdys9=j9A>Ls0}IHn!5)!Iw^s#UoCmhcm4z|bR9vS79?yMH1C z;bO$h@wYP`EZs<&tvjO9hq%rRHL0Cpo63<3Np-Tt&`%NJ#q4Iy%7p96IZH6}T8+<5O& zd;G4D$K=B`kd9z+MhUD$01xAQ@NVj_A!DZ$sn}7b%&GBn5Vw-YsXwR#mcAJ_Ef?~N z8&v|rR|p?mR_^DF3f?WBC`}(q6yjHzLPoU;d$#qz$5=m>h1te0D!Ng&NtzO%7b-lWWupPCBn{>` z@~f=M!a($MYkrQXT*L5Vk&`h_?;gw)=6(P3#-vgQb{Qws1>lcgQz?ytrc$cf6A*%o z#)sOAgs8FqFU534oW?-ZzrwT)?*FM=!S-)G%K5Kyh1!`rs_Ne^Tn^LX1xx4!B~fq~ z@buzp?^-W2+DCZUBw=U1H_|<`;2{ z*NzEJJ2=A9;ba!)&9?jV(Z}mEV-M(RFd_CjJr622F7t1$t?Aekd|x&~Y*swwnG@2` zh?`FvV&h){h3ONfBZ*qeaf$M5X4MX{wJ zK7$4Iu*Jqv=kW|%i?&O1%0;NEaPX{y)r8W4iSk#Umb7Lpp}TsFvopFZRytOt{H;DBvc$nW&f#8! zL=+zQ1qU})wp7LZD6MaBkzm+cd+C&L;`S}J$-Kz$&2Y);{mvC)51#q4GWcZ9=W|4P zV3DSDfh2vQ9augHZU1YN6~+GFw{%!`O?7S4;@fxCD$iUgVM|@-%46!OxA{k;rzHoU z1iPqANYR7G3%Z(Fd9M22TOWBuYM*+6LQ%lk4S8{S0s=`9C${e{S$==piJ0^lHwjbI zjH6aX9nYSf*k;Y`zjIAz0`v2&6PfnK9#LDj?1&>TyV1?_szCvx&g9xLUzgeO#Z^-X0XZEfw6pIpzP~mIsnk3pVcxF9+_Sk(|a7 zowg##De%mn%}2Qww1`zEiSb`&U%oobMs2b1ZT`MH)|{8qu1C4?KN6C2Sr44*4-J0xKAq!U=1Z=M4##<$Hbnf`-BjF@ zv-5MDf^uWC5Z{A`N{=V4GU8j=|^(jIDiHp`XRJ z#I!qdDo-+AruYhmT-_J5ZG!m3#1%@#+?IlDOXp1#Dx9KZmbH{CvbNzCN2Gqzlo!6G zA>xUm-2U1ro+U{xy?L3!A5|7!cAIuVS9l)s z+@rI&AvxxEFi-bs(H8B`Cd+Gkla`3>-I4f@`7!UFNZ+pguF2ky+1Mnmv7EkPaa>U3 zWn?tdy`?%{(Pi>an|i(%x*e+i(UADl_mJIb)w`>ge~)A}zM6SkthBLTVpf{r>&|3&@XX5G~JeyCL zGq1}1@ULv=l8Ehl=SIC+e(PeK>GN7|&eaLozw8dHzBl<^TT|TnPe2q?j z+o4lk84;O_(p7C&zlikpS6H=%SNrT1u1lANa{o%c);5rJ(O#HS7N3~v&1qk|z1R4D zlv7}@*vH*>rtdav%zihwLHd%%DyHRLZF3IgU7wKu^Jv38yIHl*e}=IBZl92{zrnUn z{?^5ZlGhz&Ec%~aNVQoIGN)Z)mdpJku3wHvuTNIIKljLigg-*RqVISel-_g}svB>3-`^V?Ak8J2(DiE~$;|Avxsq_u@ zOLW37bxzpiB&m4g$)TxwF;5R&)#KT*A=1*xU_}b&HVw6dx?X(=vy+7Htg`6Tbi5*I zmy=eWjo5VuHYiQQdN8+v^K` z9$lTc+QQPqJzjmbv;D)jlJl~5G+HsL|53VkP_jR9ibTKxhBd_WRaA^`M1cT6pw958%-&D9Q(((eu#NTBoDuc~EakpP!v|RdfW@QZU zR3Szt5oX+{83Ek^1Og0i9YHkQE9lzL&o%-n27x7wnm`h+4e6vKbQ3_TVaF(e4m5%Q zki}&{CTOVvJ{_RrjUWJ|V-}E!WpM&N13-rzK>)~rvp^;m17JrVp&NvL^byRcC5;@6 zcnv~XCV_Sk61pYm2M{1Ec@A8YfycEdmO$Dt=w_quSVEXBBu2d1g!V6?+lsyt9bxMR z87kNcU6+n-EBYEsgsnbGq}YnOrUiSrqOX`i*!4<-e7j%`Qt0{_bPu9W$RI3bFs6c~ zFx#QiGw8OX4{;%E*RdkocIbc?x?Sike1u&yfyEWESpsc&5_)?d-BOSxu!0Iyyh8w} y)DQ%2r+^oAXoWqxDd>eg%$y~So_I{bEcyeyS%F;~Pzf!-Z~(Zg;|yp^2Lk}oHi