keylime-config-6.3.0-150400.2.5

Name        : keylime-config
Version     : 6.3.0
Release     : 150400.2.5
Summary     : Configuration file for keylime
Description : Subpackage of keylime for the shared configuration file of the agent and the server components.
Build Host  : sheep66
Distribution: SUSE Linux Enterprise 15
Vendor      : SUSE LLC
License     : Apache-2.0 AND MIT
Packager    : https://www.suse.com/
Group       : Unspecified
URL         : https://github.com/keylime/keylime
OS          : linux
Architecture: noarch
File Owner  : root
File Group  : root
Source RPM  : keylime-6.3.0-150400.2.5.src.rpm
Provides    : config(keylime-config), keylime-config
Requires    :
  config(keylime-config) 6.3.0-150400.2.5
  python3-keylime 6.3.0
  rpmlib(CompressedFileNames) 3.0.4-1
  rpmlib(FileDigests) 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) 4.0-1
  rpmlib(PayloadIsXz) 5.2-1
RPM Version : 4.14.3

Changelog (all entries by aplanas@suse.com):

- Change back agent_uuid to hostname
- Set tpm_hash_alg to sha256 by default
- Update version.diff patch to point to the correct version number
- Fix issue with Tornado, when multiple workers are started
  * Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)

- Drop patches because merged upstream:
  * 0001-Drop-dataclasses-module-usage.patch
  * 0001-config-support-merge-multiple-config-files.patch
  * 0001-ca-support-back-old-cyptography-API.patch
- Update to version v6.3.0:
  * Coordinated update to fix:
    + bsc#1193997 (CVE-2022-23948)
    + bsc#1193998 (CVE-2021-43310)
    + bsc#1194000 (CVE-2022-23949)
    + bsc#1194002 (CVE-2022-23950)
    + bsc#1194004 (CVE-2022-23951)
    + bsc#1194005 (CVE-2022-23952)
  * secure_mount: add umount function
  * secure_mount: use /proc/self/mountinfo
  * Validate user ID in all public interfaces
  * validators: add uuid and agent_id validators
  * validators: create validators module
  * revocation_notifier: move zmq socket to /var/run/keylime
  * Update API version from 1.0 to 2.0
  * tpm: do not compress quote with zlib by default
  * verifier: persist AK and mTLS certificate to DB
  * verifier: use "supported_version" for agent connections
  * tenant: add support for "supported_version" option for the verifier
  * api_version: add the option for basic validation
  * verifier: add supported_version field to DB and API
  * agent: add /version to REST API
  * verifier, tenant: allow agents to not use mTLS
  * tenant, verifier: allow manual configuration of agent mTLS
  * tests: migrate to mTLS
  * tenant: connect to the agent via mTLS
  * verifier: connect to the agent via mTLS
  * tornado_requests: handle SSLError
  * web_util: add mTLS context generation for agent
  * agent: Enable mTLS for agent REST API
  * crypto: add helper function for creating self signed certs
  * registrar: Allow the agent to registrar with a mTLS certificate
  * request_client: add workaround for handling certificates
  * request_client: add the option to ignore hostname validation
  * Better docs and errors about IMA hash mismatches
  * tests: use JSON instead Python string for IMA tests
  * verifier: use json.loads(..) instead of ast.literal_eval(..)
  * Adding Nuvoton certificate for a post 2020 TPM device.
    The EK cert of the device directs to the following download site:
    'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 1111.cer'
    (yes, including the spaces)
  * Improve revocation notifier IP description in keylime.conf
  * tornado_requests: set Content-Type header correctly for JSON
  * tenant: post U key to agent with correct Content-Type header
  * Explicitly set permissions on new keylime.conf files installed
  * tpm_main: close file descriptor for aik handle
  * verifier: do not call finish() twice
  * agent: fix payload execution
  * tests: add initial tests for web_util module
  * config, web_util: move get_restful_params(..) to web_util
  * verifier: Also retry on HTTP 500 status code
  * agent: improve startup and shutdown
  * registrar: cleanup start function
  * web_util: move echo_json_response(..) out of config.py
  * verifier: fix failure generation for V key
  * tornado_requests: cleanup TornadoResponse class
  * web_util, verifier: move mTLS SSLContext generation into separate module
  * ca: support back old cyptography API
  * Fix test branch reference in packit.yaml
  * ci: disable DeprecationWarning from pylint in tox
  * Enable new test in Packit CI
  * tenant: fix reactivate command
  * config: support merge multiple config files
  * ci: use only fedora-stable for packit
  * elchecking: harden example policy against event type manipulation
  * elchecking: add new tests
  * tests: fix stdout formatting for agent and verifier
  * Drop dataclasses module usage
  * revocation notifier: handle shutdown of process gracefully
  * verifier: handle SIGINT and SIGTERM correctly
  * ima_emulator: fix IMA hash validation and add more options
  * ima_ast: fix handling ToMToU errors
  * Remove leftovers of TPM 1.2 support
  * agent: improved validation for post function
  * agent: better validation for mask and nonce
  * config: add function to validate hex strings
  * agent: keys/verify check if challenge was provided
  * tpm_main: do not append /usr/local/{bin,lib} to default env
  * db: only set length on Text
    type if supported
  * json: do not make sqlalchemy a hard requirement
  * Enable functional testing with Packit CI
  * ima_emulator: specify sys.argv as the named parameter argv in main()
  * elchecking example policy: make it work with Fedora 34
  * elchecking example policy: initrd* might be also called initramfs*
  * scripts: add mb_refstate generator for example policy
  * config: change tpm_hash_alg to SHA1 by default
  * parse_mb_bootlog: specify the used hash algorithm used for PCRs
  * agent: add warning that on kernels <5.10 IMA only works with SHA1
  * tpm: explicitly pass hash alg to sim_extend(..)
  * ima emulator: use IMA AST and support multiple hash algorithms
  * tests: update IMA allowlist version number
  * ima: add option 'log_hash_alg' to IMA allowlist
  * ima: remove hard requirement for SHA1 PCR 10
  * algorithms: extend Hash class to simplify computing hash values
  * config, tpm_main: explicitly handle YAML load errors
  * config: private_key must be set to -private.pem not -public.pem
  * agent: add UUID option environment
  * agent: drop openstack uuid option

- Set /var/lib/keylime under the same permissions expected by the code

- Add 0001-config-support-merge-multiple-config-files.patch
  This will allow the merge of config files in /usr/etc and /etc.
- Move the configuration file to /usr/etc in new distributions
- Add 0001-ca-support-back-old-cyptography-API.patch
  This is only required for SLE, but the API is compatible with new versions

- Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6

- Fix cfssl bcond logic in Tumbleweed / SLE

- Update to version v6.2.1:
  * Another addition to gitignore
  * Update .gitignore with more Keylime-specific files
  * json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
  * ima_ast: check if the PCR is the same as in the config
  * Fix permissions issue on volume mount in run_local.sh
  * Make run_local.sh use a local copy of the repo
  * Small updates to GOVERNANCE.md
  * Move cargo-tarpaulin install to separate command
  * config: drop registrar_* TLS options in [registrar] section
  * Fix missing && in Dockerfile
  * Remove simplejson from scripts and docs
  * Replace simplejson with built-in json module
  * Add rust-keylime container dependencies
  * config: fix getboolean with fallback
  * Clean up CI scripts and rewrite run_local.sh
  * ima: for ToMToU errors skip template content validation
  * ima: Use a set of entry numbers and file offsets to remember multiple positions
  * Rename CONTRIBUTORS.md to CONTRIBUTING.md
  * Update GOVERNANCE.md to match MAINTAINERS.md rename
  * Update MAINTAINERS
  * Update README: remove Gitter, Travis CI
  * ca: Use UTC when setting certificate validity
  * Tenant commands return json
  * scripts: Allow passing a base policy to create_policy tool
  * ima: Handle the case of ima-sig with a path with spaces in them
  * add length to string object
  * scripts: Implement create_policy to create the JSON allowlist from files
  * ima: Also add a sha256 default boot_aggregate hash with 64 '0's
  * ima: Use seek() to get to the last known last entry
  * ima: Extend allowlist to be able to handle generic ima-buf entries
  * ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings'
  * ima: Populate verifier keyrings with keys taken from ima-buf log line
  * ima: Remove
    methods from ImaKeyring that are now in ImaKeyrings
  * ima: Start passing ima_keyrings through APIs replacing ima_keyring
  * Extend AgentAttestState with ima_keyrings field and use it
  * ima: Implement ImaKeyrings class to support multiple keyrings
  * verifier: Extend verifier DB to persist learned keyrings
  * Fix a couple of pylint errors
  * ima: Fix spurious attestation failures
  * ima: make ToMToU errors not a failure by default
  * Simple fix for tenant error message printout.
  * pylint: Fix errors related to R1714
  * pylint: Suppress C0201, C0209 and W0602 newly reported errors
  * installer: do not install tpm2-abrmd
  * tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
  * verifier: add option to send revocation messages via webhook

- Fix keylime configuration file attributes

- Requires python-psutil
- Disable automatic execution of the payload by default
- Use random UUID by default

- Introduce a bcond for cfssl detection

- Drop cfssl if we are not in openSUSE

- Update to version 6.2.0:
  * Fix bug #757 where revoc cert was treated as text
  * Code improvement: removal of extra dependencies in measured boot attestation (#755)
  * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
  * tenant: show severity level and last event id in status
  * verifier: move to new failure architecture
  * pcr validation: move to new failure architecture
  * measured boot: move to new failure architecture
  * ima: move to new failure architecture
  * failure: add infrastructure to tag and collect revocation events in Keylime
  * Simulating use of SSLContext.minimum_version on ssl v3.6
  * verifier: fix minor typos
  * Add tests for ca_impl_cfssl and ca_util
  * Replace M2Crypto with python-cryptography
  * tenant: status now shows if a agent was added to the registrar
  * tenant: open file to send utf-8 encoded
  * Correct some comments about and remove vestige in MB policy
  * fixing a small bug that resulted in malformed refstates not failing MBA
  * agent: ensure that EK is in PEM format when used as uuid
  * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734)
  * ci: build and publish container images
  * codestyle: fix W0612 and R1735 pylint errors
  * codestyle: fix W1514 pylint error
  * systemd: Add KillSignal=SIGINT to keylime_agent.service
  * One-liner to set the minimum version of TLS to v1.2
  * pylint fix
  * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
  * Refactor keylime_logging module
  * ima: Implement ima-buf validator and validate keys on keyrings (#725)
  * Remove Python 2 leftovers
  * Additional fix for the processing of "tpm_policy"
  * ima: Return an empty allowlist rather than a plain empty list
  * verifier: convert (v)tpm_policy in DB from string to JSONPickleType
  * verifier: Create AgentAttestState objects from entries in the db
  * verifier: Persist the IMA attestation state after running the log verification
  * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
  * verifier: Skip attestation one time if agent's boottime changed
  * test: Add test case simulating iterative attestation
  * verifier: Delete an AgentAttestState when deleting an agent
  * ima: Remember the number of lines successfully
    processed and last IMA PCR value(s)
  * ima: Reset the attestation if processing the measurement list fails
  * debug: Show line number when PCR match occurs
  * verifier: Extend AgentAttestState with state of the IMA PCR
  * Consult the AgentAttestState for the next measurement list entry
  * Introduce an AgentAttestState class for passing state through the APIs
  * verifier: Request IMA log at entry 0 for now
  * agent: Get boottime and transfer to verifier
  * agent: Add support for optional IMA log offset parameter
  * tests: Add a unit test for the IMA function and run it
  * agent: Move IMA measurement list reading function to ima.py
  * Add default verifier-check value
  * Use tox for pylint
  * Use Fedora 34 as base image for CI container
  * Run ci jobs only when needed
  * config: merge convert and list_convert into the same function
  * Versioned APIs
  * Refactor of check_pcrs to parse then validate (#716)
  * Automatically calculates the boot_aggregate from the measured boot log. (#713)
  * Set default UUID as lowercase (#699)
  * tenant: do_cvdelete wait until 404
  * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
  * ima: Convert pcrval to bytes to increase efficiency
  * tests: extend ima tests for signature validation and exclude lists
  * Allow agents to specify a contact ip address and port for the tenant and CV (#690)
  * verifier: Fix signature and allowlist evaluation behavior change
  * ima: Fix runtime error due to wrong datatype
  * tenant: add the option to specify the registrar ip and port
  * measured_boot: drop process_refstate
  * check_pcrs: match PCR if no mb_refstate is provided
  * ci: make run_local.sh work with newer docker versions
  * Fixing pylint errors (#698)
  * tests: add IMA test where validation should be ignored
  * ima: Use ima_ast for parsing and validation
  * tests: Add test for ima AST parser
  * ima: Introducing a AST for parsing and validation
  * Make stalebot a bit nicer
  * enable tenant to fetch all (or verifier specific) agents info in a single call from the
    verifier
  * Flush all sessions from TPM device (#682)
  * multiple named verifiers sharing a single database
  * webapp: fix tls certs paths (#659)
  * Corrects markdown to have proper rendering (#673)
  * ima_file_signatures: Extract keyidv2 from x509 certs
  * installer: Add '-r' option to cp to copy directory (issue #671)
  * config: Add optional fallback parameter to get()
  * agent: Fix the usage of dmidecode during the agent startup (issue #664)
  * agent: Rename allowlist to ima_allowlist in keylime.conf
  * Fix decoding error in user_data_encrypt
  * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
  * Addresses issue #660 (database path while running local tests) (#665)
  * ima: Return 'None' when ImaKeyring.from_string() called with empty string
  * tests: Move unittests into files with suffix _test.py
  * Fixes and improvements for database configuration (#654)
  * Add signature verification support for local and remote IMA signature verification keys (#597)
  * install: Remove TPM 1.2 support from installer and bundling scripts
  * CI/CD: Remove tpm1.2 testing support
  * Remove duplicated calls to verifier
  * Remove adding entropy to system rng
  * Cleanup and fix error case in encryptAIK (#648)
  * Move measured boot related code into functions to make check_pcrs readable (#642)
  * Move code related to tpm2_checkquote into its own function (#639)
  * scripts: Cleanup shell script formatting
  * installer.sh: Do not delete the local copy of the certificates.
  * Fix user_data_encrypt to UTF8 decode before print
  * tpm_abstract: Fix adding of entropy
  * codestyle: Ignore R1732 implemented by pylint >=2.8.0
  * a fix for letting JSON encoding bytes correctly
  * Adding back reglist to the list of commands that don't need a -t argument
  * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
  * Addresses #436 (#611)
  * Fixes #620
  * Include PCR16 in the quote only when needed
  * Close leaking file descriptors (#622)
  * installer.sh: Add missing spaces when efivar is added
  * More ima_emulator_adapter cleanups (#616)
  * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
  * Remove more commented code in ca_util.py
  * installer: Only install efi library on x86_64 systems
  * Create allowlist table and basic API support
  * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
  * WIP: Some cleanups (#612)
  * Remove _cLime.c
  * config: Document the measured boot PCRs and what is using them
  * Very simple fix for the agent (re: measured boot)
    The agent code does not need to import "measured boot policies"
  * ima_emulator_adapater: Remove unnecessary global statement
  * webapp: Fix private key and certificate path (issue #604)
  * Add support for keylime_webapp service to read intervals from keylime.conf

- Update to Keylime 6.1.1
  + keylime_tenant add crash with TypeError: Object of type 'bytes' is not JSON serializable
  + Whenever Keylime agent starts and cannot contact the registrar, it fails and quits without flushing create EK handles
  + keylime_tenant -c reglist now requires a "-t" parameter for no reason
  + Duplicated API calls to verifier in webapp backend
  + Installer deletes tpm_cert_store files
  + agent_uuid set to dmidecode crashes Keylime
  + Copying of tpm_cert_store fails during installation
  + If the PCR belong to a measured boot list, it is not validated
  + keylime_tenant --c update fails with a race condition
- Drop patches already present in the new version
  + webapp-fix-tls-certs-paths.patch
  + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  + tenant-do_cvdelete-wait-until-404.patch

- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command

- Adjust the default revocation notifier binding IP
- Default to CFSSL in keylime.conf

- Add config-libefivars.diff to adjust the path of the library

- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch (gh#keylime/keylime!695)
- Recommends CFSSL in the registrar (actually should be the CA)
- Change default value for require_ek_cert to False
- Reorder the patches to separate upstream fixes from openSUSE ones

- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)
- Recommend dmidecode for the agent
- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service
- Add keylime.conf.diff patch to change the default config file
- Add keylime.xml for firewalld service definition

- Update to version 6.1.0:
  * Update python cryptography lib to v3.3.2
  * installer.sh improvements
  * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
  * Fourth and final PR to address #491 (#580)
  * scripts: Also use pylint-3 if pylint is not installed
  * agent: Fix the checking for a specific error returned by tpm2_quote
  * Allowlist verification - Enhancement #16
  * Forgot to remove the original, more crude solution (which caused pylint errors)
  * New and improved code to fix issue #582
  * Consistent formatting for logging strings

Cookie          : sheep66 1651985615
Provides Version: 6.3.0-150400.2.5
File            : /etc/keylime.conf (ASCII text, with very long lines)
Opt Flags       : -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
Dist URL        : obs://build.suse.de/SUSE:SLE-15-SP4:GA/standard/9fb227d2fc93577df922805553027a1b-keylime
Payload Format  : cpio
Payload Compress: xz
Payload Flags   : 5
Platform        : noarch-suse-linux
Encoding        : utf-8