bubblewrap-0.7.0-150500.1.1 >  A c޳p9|%]ysRK24?tr..[\k_] LSMe[Nzn da zUVKk|:$WȎ|Vg PY웫Bv_ J #%2d\HزekQ`SLꧧuI}M:bkQ羽 70oqϏFv p>P?Pd   N2D Zp   P  *p,(89\: ;FIGJHJLIJXJYJ\J]J^K bLcMOdMeMfMlMuMvNwOxOyP0 zP`PpPtPzPCbubblewrap0.7.0150500.1.1Core execution tool for unprivileged containersBubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged containers that works as a setuid binary on kernels without user namespaces.cs390zp32ˊSUSE Linux Enterprise 15SUSE LLC LGPL-2.0-or-laterhttps://www.suse.com/Productivity/Securityhttps://github.com/containers/bubblewraplinuxs390x7"= Rc'AA큤A큤A큤A큤cccccb6ccaWΞrccWYce7155935751bd993d6b782e9ee5937a4e073dfcc1b510cc5f6a0d28ea43254a75841973c78b2a1035c3457b372e16d45d6541b6fbad436857c1cfc8070dee1ec3d24b91752cc015a140d69d627d6098e95e9dbbfdc1f08e6e0dc173d4e32f0efd7ce88ff6014f184097f7527d406c14ba163d71bc93e31e95d784ae19c2b103f571dbc8beb5a43236dd4142345ad74c6a536027820747ac9f6eea86925c236108fd08d3d6db04338dd4ac9b710b14b23a21162154359c6ef5cf16810802eed6636ffef204bdc877c55718ba5509e049135426a913c53a34fed3590e197f61904b7993225104d90ddd8024fd838faf300bea5e83d91203eab98e29512acebd69c10333bae89d15c61f046bf7f9af5d0af40517daa9501d1370d46440acd094681rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootbubblewrap-0.7.0-150500.1.1.src.rpmbubblewrapbubblewrap(s390-64)@@@@@@@@@@@@    libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.16)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libc.so.6(GLIBC_2.8)(64bit)libc.so.6(GLIBC_2.9)(64bit)libcap.so.2()(64bit)libselinux.so.1()(64bit)libselinux.so.1(LIBSELINUX_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3c@bb!@aHw^@]\Q\h[;@[IZVYdY@Y_wY&@X @XS@XW֘WWdmueller@suse.comdimstar@opensuse.orgsebix+novell.com@sebix.atbjorn.lie@gmail.comsebix+novell.com@sebix.atbjorn.lie@gmail.comalarrosa@suse.comsebix+novell.com@sebix.atalarrosa@suse.comsebix+novell.com@sebix.atsebix+novell.com@sebix.atsebix+novell.com@sebix.atsebix+novell.com@sebix.atsebix+novell.com@sebix.atsebix+novell.com@sebix.atsebix+novell.com@sebix.atsebix+novell.com@sebix.atwalters@verbum.orgklember@redhat.comignatenko@redhat.comwalters@verbum.org- update to v0.7.0: * --size option controls the size of a subsequent --tmpfs (#509) * Better error messages if a mount operation fails (#472) * Better error message if creating the new user namespace fails with ENOSPC (#487) * When building as a Meson subproject, a RUNPATH can be set on the executable to make it easier to bundle its libcap dependency * Fix test failures when running as uid 0 but with limited capabilities (#510) * Use POSIX command -v in preference to non-standard which (#527) * Fix a copy/paste error in --help (#531)- Update to version 0.6.2: + New features in Meson build: - Auto-detect whether the man page can be generated. - -Dbwrapdir=... changes the installation directory (useful when being used as a subproject). - -Dtests=false disables unit tests. + Bug fixes: - Add --add-seccomp-fd to shell completions - Document --add-seccomp-fd, --json-status-fd and --share-net in the man page - Add attributes to silence various compiler warnings - Allow compilation of tests with musl on mips architectures - Allow compilation with older glibc - Disable sanitizers for a test helper whose seccomp profile breaks the instrumentation - Disable AddressSanitizer leak detection where it interferes with unit testing- Update to 0.6.1: - Add a release checklist - completions: Make zsh completion non-executable The Autotools build system installed it with 0644 permissions because it's listed as DATA, but the Meson build system installs executable files as executable by default. zsh completions don't need to be executable to work, and this one doesn't have the `#!` marker that should start an executable script. - update to 0.6.0: - meson: Improve compatibility with Meson 0.49 That version doesn't allow more than two arguments for define_variable. - Disable test-specifying-pidns.sh under 'meson dist' while I investigate This test is hanging when run under 'meson dist' for some reason, but not when run under 'meson test', and not locally, only in the Github Workflow-based CI. Disable it for now. - meson: Actually build and run the tests - tests: Fix compiler warnings for unused arguments - meson: Run test scripts from $srcdir - meson: Make G_TEST_SRCDIR, G_TEST_BUILDDIR match Autotools - meson: Run the Python test script with Python, not bash The python build option can be used to swap to a different interpreter, for environments like the Steam Runtime where the python3 executable in the PATH is extremely old but there is a better interpreter available. This is treated as non-optional, because Meson is written in Python, so the situation where there is no Python interpreter at build-time shouldn't arise. - meson: Build the try-syscall helper - meson: Build tests with equivalent of -I$(top_srcdir) -I$(top_builddir) - meson.build: Remove unnecessary check for sh - Add a Meson build system This allows bwrap to be built as a subproject in larger Meson projects. When built as a subproject, we install into the --libexecdir and require a program prefix to be specified: for example, Flatpak would use program_prefix=flatpak- to get /usr/libexec/flatpak-bwrap. Verified to be backwards-compatible as far as Meson 0.49.0 (Debian 9 backports). Loosely based on previous work by Jussi Pakkanen (see #133). Differences between the Autotools and Meson builds: The Meson build requires a version of libcap that has pkg-config metadata (introduced in libcap 2.23, in 2013). The Meson build has no equivalent of --with-priv-mode=setuid. On distributions like Debian <= 10 and RHEL <= 7 that require a setuid bwrap executable, the sysadmin or distribution packaging will need to set the correct permissions on the bwrap executable; Debian already did this via packaging rather than the upstream build system. The Meson build supports being used as a subproject, and there is CI for this. It automatically disables shell completions and man pages, moves the bubblewrap executable to ${libexecdir}, and renames the bubblewrap executable according to a program_prefix option that the caller must specify (for example, Flatpak would use - Dprogram_prefix=flatpak- to get /usr/libexec/flatpak-bwrap). See the tests/use-as-subproject/ directory for an example. - Use HEAD to refer to other projects' default branches in documentation This makes the URL independent of the name they have chosen for their default branches. - workflows: Update for rename of default branch to main - tests: Exercise seccomp filters - Allow loading more than one seccomp program This will allow Flatpak to combine an allow-list (default-deny) of known system calls with a deny-list (default-allow) of system calls that are undesired. Resolves: https://github.com/containers/bubblewrap/issues/453 - Generalize linked lists of LockFile and SetupOp I'm about to add a third linked list, for seccomp programs, which would seem like too much duplication. - Handle argc == 0 better Unfortunately it's possible for argc to be 0, so error out pretty early on in that case. I don't think this is a security issue in this case. - Fix typo - Remove trailing whitespace - Fix spelling - bash: Fix shellcheck warnings - bash: Invoke bash using /usr/bin/env - bubblewrap: Avoid a -Wjump-misses-init false-positive When building with -Wjump-misses-init as part of a larger project, gcc reports that we jump past initialization of cover_proc_dirs. This is technically true, but we only use this variable in the case where it's initialized, so that's harmless. However, we can avoid this altogether by making the array static and constant, which allows it to be moved from initialized data to read-only data. - bind-mount: Be more const-correct When compiled with -Wwrite-strings as part of a larger project, gcc and clang both warn that we're assigning a string constant to a mutable struct member. There's actually no reason why it should be mutable, so make it const. - die_with_error: Save errno sooner We need to save errno immediately, otherwise it could be overwritten by a failing library call somewhere in the implementation of fprintf. - main: Warn when non-repeatable options are repeated A user might reasonably expect that `bwrap --seccomp 3 --seccomp 4 ...` would load seccomp programs from both fds 3 and 4, but in fact it only loads the program from fd 4. Helps: https://github.com/containers/bubblewrap/issues/453 Resolves: https://github.com/containers/bubblewrap/issues/454 - utils: Add warn() - Add SPDX-License-Identifier for files that already specify license This is a step towards REUSE compliance. Third-party files that we do not otherwise edit (git.mk, m4/attributes.m4) are excluded here. - tests: Use preferred spelling for SPDX license identifiers - Remove obsolete .travis.yml We no longer use Travis-CI. - Remove obsolete papr CI We no longer use this.- Update to version 0.5.0: + New features: - --chmod changes permissions - --clearenv unsets every environment variable (except PWD) - --perms sets permissions for one subsequent --bind-data, - -dir, --file, --ro-bind-data or --tmpfs + Other enhancements: - Better diagnostics when a --bind or other bind-mount fails - zsh tab-completion - Better test coverage + Bug fixes: - Use Python 3 for tests and examples - Mount points for non-directories are created with permissions - r--r--r-- instead of -rw-rw-rw- - Don't remount items in /proc read-only if already EROFS, required to run under Docker - Allow mounting an non-directory over an existing non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log - Silence kernel messages for our bind-mounts - Make sure pkg-config is checked for, regardless of build options - Improve ability to bind-mount directories on case-insensitive filesystems - Fix -Wshadow warnings - Fix deprecation warnings with newer SELinux - Add new subpackage bubblewrap-zsh-completion- Update to version 0.4.1: * retcode: fix return code with syncfd and no event_fd * Ensure we're always clearing the cap bounding set * tests: Update output patterns for libcap >= 2.29 * Don't rely on geteuid() to know when to switch back from setuid root * Don't support --userns2 in setuid mode * fixes CVE-2020-5291 * fixes bsc#1168291- Update to version 0.4.0: + The biggest feature in this release is the support for joining existing user and pid namespaces. This doesn't work in the setuid mode (at the moment). + Other changes: - Stores namespace info in status json. - In setuid mode pid 1 is now marked dumpable. - Now builds with musl libc.- Use /bin/bash instead of /usr/bin/bash in SLE12- Update to version 0.3.3: - This release is the same as 0.3.2 but the version number in configure.ac was accidentally still set to 0.3.1 - Update to version 0.3.2: - fixes boo#1136958 / CVE-2019-12439 This release fixes a mostly theoretical security issue in unusual/broken setups where `$XDG_RUNTIME_DIR` is unset. There are some other smaller fixes, as well as an addition to the JSON API that allows reading the inner process exit code, separately from the `bwrap` exit code. - Print "Out of memory" on stderr, not stdout - bwrap: add option json-status-fd to show child exit code - bwrap: Report COMMAND exit code in json-status-fd - man page: Describe --chdir, not nonexistent --cwd - Don't create our own temporary mount point for pivot_root - Make lockdata long enough on 32-bit with 64-bit file pointers.- update to version 0.3.1: * New feature in this release is --bind-try (as well as --dev-bind-try and --ro-bind-try) which works like the regular versions if the source exists, but does nothing if it doesn't exist. * The mount type for the root tmpfs was also changed to "tmpfs" instead of being empty, as the later could cause problems with some programs when parsing the mountinfo files in /proc.- update to version 0.3.0: * The biggest feature from this release is that bwrap now supports being invoked recursively (from other container runtimes such as Docker/podman/runc as well as bwrap itself) when user namespaces are enabled, and the outer container manager allows it (Docker's default seccomp policy doesn't). * This is useful for testing scenarios; for example a project uses Kubernetes for its CI, but inside build the project wants to run each unit test in their own pid namespace, without going out and creating a new pod for every single unit test. * Similarly, rpm-ostree compose tree uses bwrap internally for scripts, and we want to support running rpm-ostree inside a container as well. * Another feature is bwrap now supports -- to terminate argument parsing. To detect availablity of this, you could parse bwrap --version.- update to version 0.2.1: * All the demos are included * bugfixes for the demo files * There was an issue with mkdir when running bubblewrap on an NFS filesystem that has been fixed, so flatpak now works on NFS shares. * Some leaks have been fixed, including a file descriptor leak.- update to version 0.2.0 - bwrap now automatically detects the new user namespace restrictions in Red Hat Enterprise Linux 7.4: bubblewrap: check for max_user_namespaces == 0. - The most notable features are new arguments --as-pid1, and - -cap-add/--cap-drop. These were added for running systemd (or in general a "full" init system) inside bubblewrap. But the capability options are also useful for unprivileged callers to potentially retain capbilities inside the sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled. Conversely, privileged callers (uid 0) can conversely drop capabilities (without user namespaces). Contributed by Giuseppe Scrivano. - With --dev, add /dev/fd and /dev/core symlinks which should improve compatibility with older software.- add group- fix build macro with rpm < 4.12 (non-Factory currently)- update to version 0.1.8 - New --die-with-parent which is based on the Linux prctl(PR_SET_PDEATHSIG) API. - smaller bugfixes- upgrade to upstream version 0.1.7 - note that this package was *never* affected by CVE-2017-5226 as it was introduced in version 0.1.6 - upstream changelog of version 0.1.7: This release backs out the change in 0.1.6 which unconditionally called setsid() in order to fix a security issue with TIOCSTI, aka CVE-2017-522. That change caused some behavioural issues that are hard to work with in some cases. For instance, it makes shell job control not work for the bwrap command. Instead there is now a new option --new-session which works like 0.1.6. It is recommended that you use this if possible, but if not we recommended that you neutralize this some other way, for instance using SECCOMP, which is what flatpak does: https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4 In order to make it easy to create maximally safe sandboxes we have also added a new commandline switch called --unshare-all. It unshares all possible namespaces and is currently equivalent with: - -unshare-user-try --unshare-ipc --unshare-pid --unshare-net - -unshare-uts --unshare-cgroup-try However, the intent is that as new namespaces are added to the kernel they will be added to this list. Additionally, if --share-net is specified the network namespace is not unshared. This release also has some bugfixes: bwrap reaps (unexpected) children that are inherited from the parent, something which can happen if bwrap is part of a shell pipeline. bwrap clears the capability bounding set. The permitted capabilities was already empty, and use of PR_NO_NEW_PRIVS should make it impossible to increase the capabilities, but more layers of protection is better. The seccomp filter is now installed at the very end of bwrap, which means the requirement of the filter is minimal. Any bwrap seccomp filter must at least allow: execve, waitpid and write Alexander Larsson (7): Handle inherited children dying Clear capability bounding set Make the call to setsid() optional, with --new-session demos/bubblewrap-shell.sh: Unshare all namespaces Call setsid() and setexeccon() befor forking the init monitor Install seccomp filter at the very end Bump version to 0.1.7 Colin Walters (6): Release 0.1.6 man: Correct namespace user -> mount demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs Release 0.1.6 ci: Combine ASAN and UBSAN Add --unshare-all and --share-net - upstream changelog for 0.1.6: This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is far from the only program that has this issue, and I think the best fix is probably in the kernel to support disabling this ioctl. Programs can also work around this by calling setsid() on their own in an exec handler before doing an exevp("bwrap"). - upstream changelog for 0.1.5: This is a bugfix release, here are the major changes: Running bubblewrap as root now works again Various fixes for the testsuite Use same default compiler warnings as ostree Handle errors resolving symlinks during bind mounts Alexander Larsson (2): bind-mount: Check for errors in realpath() Bump version to 0.1.5 Colin Walters (6): Don't call capset() unless we need to Only --unshare-user automatically if we're not root ci: Modernize a bit, add f25-ubsan README.md: Update with better one liner and more information utils: Add __attribute__((printf)) to die() build: Sync default warning -> error set from ostree Simon McVittie (4): test-run: be a bash script test-run: don't assume we are uid 1000 Adapt tests so they can be run against installed binaries Fix incorrect nesting of backticks when finding a FUSE mount- upgrade to upstream version 0.1.4 - Build also for Leap 42.2- New upstream version- Update to 0.1.2- Trivial fixes in packaging- Initial packages390zp32 1674764055 0.7.0-150500.1.10.7.0-150500.1.1 bwrapbash-completioncompletionsbwrapbubblewrapREADME.mddemosbubblewrap-shell.shflatpak-run.shflatpak.bpfuserns-block-fd.pybubblewrapCOPYINGbwrap.1.gz/usr/bin//usr/share//usr/share/bash-completion//usr/share/bash-completion/completions//usr/share/doc/packages//usr/share/doc/packages/bubblewrap//usr/share/doc/packages/bubblewrap/demos//usr/share/licenses//usr/share/licenses/bubblewrap//usr/share/man/man1/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:SLE-15-SP5:GA/standard/cec62e13d095ee152e473a00b5338661-bubblewrapcpioxz5s390x-suse-linuxELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=649bfd9976983b68ee139bafaa48c2a8c88b4ab5, for GNU/Linux 3.2.0, strippeddirectoryASCII textASCII text, with very long linesBourne-Again shell script, ASCII text executablePython script, ASCII text executabletroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix) R RRRRRRRRR R RDžlwuYutf-8c1ecc633afc86b3a75c3e37f9a55cbb7ae6137af4b1c948878162455e0e196bb? 7zXZ !t/s] crv9w^[[X枝kRؚz$qCn=!νA"_7#yXiߨ1ר\jIq|ިR`p|hvތG9Njxt%X.)V-i*n=Wc4 r2B`lTmW:-r۾/XLvY@?2-W/PQq,7J>m.ib@8I_9l6 O4Ù^fvDOv~%'@{fs޶:Pz@{@}!`k$ɩD'd}5\]IsV~gUa)̎6BsSP4A4LItf2&֢ 㙫Bgo| a`f͠mՖC :9屄:+Ty@r N= y[B0ZVe^V9aCtbOx Э@^d?~!KG!!27uK mnſP" pfNIɶr8"|/X[vs) 2D=x&h.!kXPz{:gJB? ̮-&_IUU *= Ǘ ZNA.rŭ_9#$PL6鷎LnKO fBd> 3Ve~p@Bt_x??Zdh*<'4jrwGOъN;i]Ы"N=ômQs,ߦl4y/W󣙨#+IVT.X1`ۙ(GzK,rGrq$6[ 9Uo: Εy?r87kJI0 VXc&8 {q&Aif죉RKA(ǃ@2;$=p^% s*u˄:eJl'_85 [i(c7 V<@9h` ʞS 㡞4s)@G@F4nPyXx6ñ#vBsTwD@ ^GH43p/3'=8O-5[ OН [ 0̗P#RO<V(niHQ M^Q&u"]w>o\#;W1[OhkB_}-rKp%#o]v1V]PtTJ HnQ.LH"7cr,^XRMgw򏸜Ϙj%h&Lז50U 5:?9!=_S؀vX)P wʎt›^_@ȍ #(}' _R$U֜S;Bq{S>N-@t F n")^yDR' Q',eLjJ  S+7!ylڤqwpG-_םlh}1~a9ρ_Q$&=>Oh|qavV1e1tcʖ'8Q* H'M푤}ֳ̺S|$P̫S 8"!Ym9jbKmd?&( qaIX*<׀U j{ jsȑ&oS9xg{`C\=τzTaTr[NK V~Oԥ%+[Ѵ<YGI/N_#*K4vIв<9t= @ ϻI5:v_oWFX>u+&ftrD&K'Sd %8#]y/BG-juSiǬܔcҗ?{fp)|!a C礃 kUH5nT Sb\AP`#ЩZc{Z8B5Iu: N#f #Jn[{C\ Mxe%7fVtu8R1Yb^<vqGBȁ/&f״N/ؒUzHŲ `N_22Em X({6@vcO~'hMp[<[8`]a8yWJ֢!I<2pC EzCxI2\w%=honTx߳*('! QL'8+ Ugچ 1lzfR(ZMR༪`y[k%!.ul,Y΀c:]S<}$|4n]jbpbQLDS: Ŕhb\?qס-S^ .ŅZ$B_Wh6:ɸtl8Up?5݌COA NOT^lNɜI"QocY a]G) 9r+3N@@yaw*{{aL;fd/HUsڛUQ'd+#x#$(')7ȫ.cgz{KJ-۲VKKWmղ<OiuˊD'WԧI=m0ڦ^-"aU,5]QuamtŬU8pV~0>I?OÁԸO³/Ok\w\nz$䟲}L\Ml*ӡXXK>h,$l_ 4."IWt JwcK]'Z}iތ LKEz>XK0,~mgOs> i_zkXvɓԦ̘QmYKOR]\%gY9 :w\ ۳PwZ}F}>Cb^{ Z2-NG}O1 F4g^xd3#|94Q-%ǶS_M QDjMSP-x7V*~w֋=" (ѨrJe:P&zR&AttII见͖|j+m!}GIFĶ'v &@I!K*/5vV 5m'ڸU$$PWDr`B2<nL]!k?VlPͥ7jcP0|CDhHPn⩦jy"EME7kRIG Tj9 "} 3~-.hc)4.z@vE !9;g&+3T&IiR?h*:+B'^2${=j։O^|O%d } фsrfט3?l.,zTaz`DA&yuKY)T i7Mmu|>ru@qC 0RR3C>'ǻs,j~48' 2Bp> V+ 'MDBcQ-8ə&6esrr/Bղ2(eEu_q&锄'8r\*{B\#%FtV!_^N2rՌ`ΪQRP\vZqUEC'&h}J>lVhDhk) S>,4Xu6uhӝJkPao:VN8p[[D~`,} p%Ɯ1؄ѣW#9{~dn^$;C'mBm;9P:}ݸFj_ۼԭɄ0GX_q1ލnςė:H +Fx ;&':νrww1 Lfb۟ےWf( f`9c fP#7ӵa\x׳mKZeUx]gbNRY#6M9TAcjn[r_Ik Ёy4=@˪>|٢WېO'at_q K{>Ј ?bh$F ִ1t|ߡvpxxu=L[b[{Uכ3Zs!9XnRFEmm-{˦) }Fw":53RQE~pX,Apq8(;Ytg 45 H=o$P0Gw]aN.%IufMy>?uE@v8ڬ;\@sA4fl`@4_]ǵtLc~& :" }!J(,U`h,U .svOq+T0teq5N TT8 C@T (รYN RBG8>.G`hvg],ƿA@#чKV'ՙ;"9`U!4D$y1ٺ޸jlB{[֥d!Q8- 'm342O~p1Z)Z/8wlf k_=$Otof 0쨵U+ Qp"h#-I$:J#I6Dv FsHe>Srpi<dE!f\WaGncɗqK9s&<E+\ z",zk0cźs:]?-%|;^Upn56GŘYb3\):'obZ<%'w%>oXUj, Zu{f)вiIo'B}5fF2629De⻻Ԭ+xe 1,brn-QcC[o2.X W+Y}+ $B9JʒBިag#w{9apS[0m<e\RzOzoڭi(OHG&gag:wenDI~0FJOor"G1Z^ {ʔEX|Z=NN!;8bEeԜA_El*+ ywʞDZ Tup3>Sќ$!Iyj82F"`ĢGioBљ65]YR)6¶;m-@FE,4.!MiT|Xfc uBwW+34b_J}g;?\]9Ah_7V{w\&*q5A(fp}\"Bݕ@:#K7ߑw# ^!RN5t6{%Nwg}H7M$dz%}DGTf5sbƮ8s 92-~M|%5YFveiE8a"am?վNۇxN\f^f<ħ{&6I JT{DxGys5f "!#k´onݓNАG_%׆sq<^qY1KNLF;vES+Ǻ-(>9C5X&~kcBacT6\春Mbh[ULDKZ^wyčn I\A5}Ŧc[-'D' l̘qg8P=ݢm-2i6{ǭD@CS Ds'y)w hj^2u9Ocu:?bxR+hJ"Y919۬ y}ͭZcIBLއn-Q{EW,'ZW> cS^vC=59[_@e !O%bZG`ƽW^ݥPPMW[Np=XIY ȹ7Žl?\5pר٦ vսȞњs7Ƿo[GbK{[֗JթL8~4+̏jȯ$њZ E {hz']yzeڳ)Jگ̈́˛짗A8˕I(='JKSFk`CN5++P[}WaT%h .%g&b-1q0? ֜@Ps0^sfEQj}$÷:lg^NAECfm,&$UOZ`Ys-P7 WZW ENr"U y}x!|ȸFޜ6 zZޚWkȻu*񖬞mr8c% zw$ϊ6 4 1zg ]GS؈sT6e$6U EJ \m$AER5Ŭycdr#QKEp,nonJ*,,t=$d6WY@8<&>IЭU%i)w6&Fލb`>O%lI68ވVbdڔ̹ݓUqVѲMFݘ ſC@ yM[4m5: :<֡\HU&ۭk22=CI_%$$awT-_@.TY r+]߳T;kKB]o\E]P< )Ϣ{=z.XcnFwKc!k\_ Yj?E?)11Ku C%:M~Z5^e5 [o|>Co_H^';Xh9)~˾Xq٘a #g zu -kV(b,3K$X,篕ɩaI{z\FD8O> |yvAZ̵ y痋'.44/Hchs A35"8zB #c;Ƨ^NpjeToD:W$rΕgC0qe)les=ga [4YKaMt%]t&/~>m(g7$@ΐEp (/`(#ȸLs rZ'mѓD]]3fw.I5RgPi9"{~&Tm٢EcJŷPC5&\ȕVm]3ɩgHhi Z[UIr4l8JД9Cs `>yW^,?Tw2 Cڷܲ0hb[)3oU~Α'׋hh@N-*{\1ΰA$gb8n#xc42"NY"mק|)g 7M6D0^=s̅iyS0~[WȺNoſB$+%jhmߴσ j 3ͩBflWB珤*$SҺsN u@V:Y,s ADtp΂AkogEDhɳN;?/;D%vtvŜX5/"  qcZ>\ U۱T(2NC}N[l.b ,9 _/ aglI 'T-oc Qfƴi9 ٵɇ dHگlAÉPwk~ wphPkH81knr @*2 GRl1wP-gu e:)$YO$%"@uű韑R(檨:O?l_R ח+QoE^e,\ 8kQnQ1U Mm]El7̚}g_XAcN'EZ)q?pO詎hLAmmIZ)t+l3. 䡄R+’$0ESCg Je]7)"a MXޗl+4)=+AcEEU[*a@7Q Ů0jdv\: s-{7>[7l?Nmq ͘o"_^P" . ~MFsWQ 9!oDV.5Yk_YJ}!2in3F4,;j DvIgo[sy^!./a=Jvx JG+Sݗ.q)s߷ga6=<±;W4F$(\T;yf>v%]*qNk~</MDžP ӕrnɱ.TezdWich=teUÛ(nߏLąrԷK4wn<%"h3K^aO4IU鳣ݍ*% ?1|+I`KLn2'0ZH}Tg=z&ż{1YW|\eO=ODuj"*QgS\eiϡ("-_3+7}+IGmeSiTf<~\ӻ=v-B$e 2$;Cl YKSrfRE~l42~_@( Ŕ^Qpׇfqsx|{`|1[ Py 覅CN=A 9*/ Вf:[b XGkÍ<),\8)K,4`zVCY!tdKZ))󯴠n<̏|3M>tɠT_NN[&=1as>MoRg⣃ތˤrTSe%ڊX/~=-bM%kgrd+@]y/F8cte&0 wօ~yLc GXLu4@͂nɗtj=~rê/ɉr3k%RugUBu)hԫ n^_|-eU3rÂ:q;޶An38Ve!Ѽ8Bv)(0IPutˎJkK)rË*L.Q߄+v4HOt|rpE,X:^r(ZظJӐ UH1U+1eGG-exyLCQQd`_7AWI驺.80Q^`r/ mGy=E0eO0ktuBzK|]Y\a&ْ.xT,1N4Ó^Ѥw?b[T( q`(CD{*fn4T86V_tccd1(h +[V ~=H)ڇz;%>7 ]Pwe=8Z-5RII" Zg+ĊD)7 B*bg+]iѲv=K(t:Yk^թNΌ&IN!}ߠiK3g%HrSbCB^"pxzN!C<;7LHcq"oTq[@Z$;3LBobu:Aʧؐ<W#xg}pZk%9⚬#JMBxDSȢIA+=)jv׵@RNj T=Y0m)uHfFs CeRCIvjQQ_c&?՟ {n@S-ܚ @e?^Ugd6s}M[kjm/ ZkChF>f60K#)x8?Lv}אy%zPbEU7<*fQ~ړQ71, ġNnUِ|G[8%L%OH-,qC#p9>&(ʚnmel 7ilR0L5I5F&ɡia"OץN\W_B';i~gq~12kn NkxGEĮ)vI\Yt(*7ȵˤx_7vp3VWXZ-w=t*4XDpD.&@'X+(aT|rcLEH썿c_\wU= ?l疩Vm+U334@_AB?37)3L9]4ky !~>+|i@\^&sN)A{L0y" p&9M`RdN/8yL4{o3^|]pA)ח+wj?SyvMGP} ls*K[Ҩ$H>{˜9י Ihl!H[Ԁ":X'LSbHFz)0 p/c /D)F0֟l7^sN0+ 9B)p u''5t.M3UZ=>*oOs3*G}<o^v(V>)89E\$ҩtс=e<`Q@dd#mgnu%TS&fZ;$dz9+ڻʗDm5+*iqUb'˚cjCwy'hgQy_X\F ke{% 5^ 3ui'+nwY˸$=jX^{ny[l7]@1`m,C{;F}$Lgⲣk&Yx5MʼQ_+@Δ׋ V՗N(m3a;H0!Zc8P3YtdЮu@K9w`J% .q䟿)N9W"c*{M(fZδ;S]{xe|S|Oc`b;T g9um33ķqKs& !,;e2v&Yf+"by^( d 9s{8}v1wzr蛪:UEw(_7 j=sqTPNO6hMJ٨j7eszm 7sev}@![_*I}xxY#?NB[t5B~ S@rDoj6+R/Cxw:rԫ&chm^g VJ"Rϑ%ᏬsĺZ(غvڳ*F%jii] "9cσ:YDX)E?~_~w] HA?0S2}$V+fP,u^3di| ,̛_EoBm'Z *upTSZ?y\仜xolPӠ=`tI rSnh5T8DcL" P91iWߡ6CH~f Q|fJو~TM!y 212] 0 hg?pba&rHj&6ISz4d}{fܪ4}qvŻ~ 3\1a=g#0,'T6tXXE^QtJdWF|3,LEH$n,(姠!-4ÖZTF'E19S$ %?*;IQA2N ݘ;¸ Ύ&84`ug~:7gj(E ZT)Ǫ <  E6yZ{p&ӷX8RfekA$!8#^}-QC HUG@TWl?\üRgKiϙ)u{_[E]ahEyПlx= QND%愨YskrVna;* pL߹y Lsj^?cSvdZO)6Nƍ-oB9zpdUR›:׹Dd5{*0n>m&ĕ'jDAaIs!Vௌ M8yd<Ա.tBݽ6[08($9>7|J=ܭQ۔+:$0qL 1p]j6VzP?^}}GF%}svU>Uп.Wp ?hd; AV&z'~ yd5YJ3?ZipN2H # pp{ȧs1::'[f(Yx.;bh|# {b}H >%icut#;8By۝ϖ +(p\~-.mt-O!8`97$6HeBuڝhk9M ?JJOei-Iujc_k8YQa]iW[=x˛٠*LQpH5mjƔ V;oW):hj)7ygsoQ+"rz}=TnJ:m9Cx:u !{'^#)Ҩ)_F<_ u(蟯\;>:LqBmEĪ+ /@2jzEeNiN$*ۖQEE58;m:$`N-ؖȈF傪 F|Ň x㱖K\H:ݢ:(-M'U  Qjءfi&dA ~p}˵q0Z XQ!gxZx"/xGaFǎK{ݹKlo Imqvc ^n rYqւ[uh^`N{:,t$l/=lPlҚ\ .HiyI4YB\K]O[ V_N;׽D3}QSG+,kx בOFs`&TO&z=$x;؈,Ŗ{a-Rs,wXUjx48G# =DMwȮҗ8ѽ[$k8pyh #&ǽQtw琜-b .gE|}Іiv?8[$xlYvD 7 4c ڙ[/ ^2u%/S֭ ȅ{({>J'p;^V#1wT_KBzwyMB^%xxLh]@#dqmؔ蜇E*-͊o-F*3aܭĠo(~p E&o\<+3G-O_.SvhyyNdLYiVvA|(|=PV;zv݁rf~QS&F9й\*?1P{"Cc CժTGW [R)戍cKBi*n+7y1-Ə-ԃ6D "''ќ)Y)-6|Re5J&YՈy{cȢ 0lxzPOM AI\)uݞ<ӭnty$#%F6Cfny_| TlʇaW0l %b@UoFS1:` .Khn40[eoz>/]|p\u|o0rL.mޫArXܣAkhXQDL^ ڼu>+hH$ʚkr~A.N˓8(&l2 i%~]Uj"q/A? Axy@w=k3g0A$ T,“dXs w@n(ps 5*I%j~[K"5so~g"Ic콃T29LM Z-  *=@r 3jՈq񔁗 3o.y0aQc,օA9 )4 ~M9e_.8 4zbsJ APgP)c/:[f6rhBGu}=;h |-6soPf ˴?!S>-2 ܶ:9Uh)z?D.D;H!R@ˊh74nE-I, &eBbl+˳S_` ЧꐟY~y7u ɨͨvq|,cS`ʳ 'XXvENkG?EQ6"6;XX٫U4٪}4? 6z0\YV@v;/x/&&[ts#b$-@9~81CAlԩZָkIӮ! or8Ϳ)hiD7B-,;N398, 2*p{QO8dʯX=_ J(+KkkIkݎoi|i0)1{`hO'e'ȟO'i5kIz83P*c9 qje9Ǫôgq5o}0]hVJh$Ծǚ5ow"5tNsZߤsY?.jkFvOJ" 9֛Ty`8t}>O (,.bo A)*["xB'VHG1t 0ɼ9n3'Y+Ii63gfNjD]!wf|[nÑkjh% SYW#Xz󝂑dՄ&uysEr, {rū(YlCY=?#R.WkyD&4W ;FD\a0o.ֆ2ٔwiKM`Kym0c= 2>fbIÉIcE&'{nvwΞUXFwhs[፻/sso f4|14t7)`ALJGnK^ 5T&jjq|Ƥp̩c[^n~J"A.|H7.6:§2~K?k mR_ <-_ak؜֔Ƣuuyګ 0z݊z8˹e\=moVfg\[B)WeNT%V4(tQ8uZfcx\2"Nt"=}9;L}I) .,Y^d.|.R-_}%zAБCMļDL ;ƾȸ)=~`9ute3R5s\T=\KYr&Hbo]\t#E(!Cg!Lj߳B沗; MuS}5 uw29'e|;acroֹmL!+b+e"nA 6_S‘Ureu00w|Zc 6\AG-=}-X3fôlͽJ*yk&3)#_M.u~MR߱] OES̬`WO)Ea[SH:dMG5CL-IPD䤤ŸaS6Tn:? b0_flhӱw"w(Q*AeRj[sg(o9Bwz(mߗO5,kcE8T$LOi>&džm A:g6Mpx"=ʴ^W9J6 x-Dё=kʛ+\ pp9 rk &CXTq֟ǎ.8#Ut1>~m E*j|5҆.ܽ L3ab*;UT8&4ˆIw}lɗeu4VyE]P84Gn4k7TY"j-Qi׊Pf;^g1)CIjcL+TL.Uv/}vS9T$.N(7LQNId"1)|phkd 8I <=2x.Xw.5"AP|>sn^UU|6x2&: 4W=ױ:K=Vmd]Ѯ 1`QشAKSz"'1mS &6.9z:y繎ܩ3NbzL]dH 6k3b8͠բLn=vrl $2g">%pQSƕLd>N[K"QB%_ܠ9-6PU΀㤡:@ޞb(ZW㮵z8TD;˓"ܧ݈^x\қQH8tҍ+YDG-!8oBm#J^kzF^!&nkCe劸ljK+GD4pM&-LҚOEW%;rnS iG.;qlj#|?EPřb+ R{ e _"Z8 SƶPh#T* ^b"?/݈aHv7 (DUgG[NF2 :ԮfP<Bpy6:^1mxAGϮ MSU+[o[h˹7N'RVB`i\v|hogq"lIEeUf1v7ϭ/9bJ"cbk垺-K|%(T?]ٕ]C(R0.#,Y?JO,Ŷ$[!u_uegc@-ptk+gtgQ!mYPO\8ޔ-C00=oXKz^Vu:y% cBY kM/&TbW +W_f4DsF!G<_Hc}-K/XXefNAYD ٿwzu7%n_cӍB11}ˋ%-eRiURv*uTqS[MiASCŹ>QA+c؈0|̨n &@ šmQ|BOV\PIC.1 偲5}ܑ)s `Xą"?GoB8ybOh+ȅ5 &!AS/hcXPgbG/2O6S ĺF?w&& ±37,\O;ɁVG>F! Ʃ@U<3&) E鸢(!5pC^HTXEX:q?PIxQg9ep+b'P] TjZ&^'c{IEi7Ws#z*ۓBb,dZ%w s~_C-bwFqKk1OnDcf\֘9arq`}HK7j9&{lrC% qu=6$(8'YRnu\B!7t6j7;vyI_~fjhpB|ӏ 9J:<ȅp nLΎ*P "oYCgV)~TV@I,'q?9 Dp.Lę*pD(/2jJ޿E'?8_aE.Hr <',WQ-3[cc,=u7 $\lwԷc?Em/"emó555(-N/`0K{iFSzswckrH\ rnv{P0)Z7P[$WMBF"֏A,9VE9cQ\ƗGŎNU>G6%ְHx]AX#y7+[{Or(Ǯi-T؊· m.}aWE݉.bN,Ϲ<:"r\ {V¤BO]J\הE@q(K9 SXX9|7Hh_~*`l@F*JtJ8lޱ;vn+YE_}ĉ300~q6;N h(@{wJ{h2o%Zq5鍷֕)PR9'_C ]>}51ank1p7K9g$VÅ&dFP^ 6V c6``Q4] \9|*XvŕI-h햮\B?\A캇SUmTm6azm?g٩+yhb BA[T6dbE ]}p=DI% tMi91ϒK/^:߀kH<ɻh EB#A"<8YV(óu.ܴ:AK}tpu-|*b,E4MycPZr:>1w mydž8!m:.#] w::1 2e'qdǚբC@txyét`}w|E "4U\kE*_ Bڞ, )e<Z|5,+8 T@fҏ[=G M3Xp|CiLCL B0W%\66.6CfZ/*9y9Ti X(NMeb 6K0`9iN.ggLi3界ſ!Ia2`{S{vlYdT g|m/76 _3GliedA'B#6úE\0)K^=ܾ.ͧ:dLYO=@Z&^Ue@j$j0^)QxZ-5cgľ XDl3'utH%CWxp4¸Ť!6D$evȟE W+Kqey ;=DbEYe,!N~`rq̊Rl-4|@:W(/U2)mR3.NtUkM JNH8UգWci@JJ_.ZGI[Ɔq*.^6X1%K l͵EV*C9XB&SԏڍH,A-qlxn $_]xrW`(]qRQK)" R";&[ou>wgWFrz fw*RD2#a^[xitc5@sM.9<"";vm:<,#\B~02wQKR灶<,FijͩRp526OToe蔀DbG`]Z! {mCI]ϢZSNв*kDܱϨ{Y'9('`Te,P?n1n9 kul5'vKK{,`'oT_x1 ,iq7o1AM_[6(!\LϨ.$nQ1$l{X td;-M~rXU.Ɇy`ٴ"k̘Z2U!xQ0H pv;]ޥ`ّ]TjVRR'?$Gș~Z FU+hp&s(:H.5FWթm "k%H`Q-71V'J&ru)P]z:I Ų6,,/s4 a%Y i4KW?&hPlI yQ,_:kxULNrEc/R9iX CNyE+t5m⸠WֵkR*uIQ-^5L?^ %;r8.WzEPawݹ>Hcx6wfPSLvkœ''8,dx9lf]_ 1X!~9D%6/Lѳ5s"ŲPnRfEu Ѻ|NN7~Xnknѡ/H %0!?Im=FeBAN^f-R?Q4dcѢ\N<'ʫQ܏jJ%[8r%aW'[Ppp$~*%d.R 5~2Y*o+AB^x ϬOmhT5S~?NbVB!\Zm(ڪ)-üooD4H:gDht`xb1iI4ר݅=h}~jI5Ǵ 2ʎ?7!$k4N8a>_ҬѤ Y(?k4 dy mw=Q죚[8Jϭ=gzg!j E< J ,ᖫ ip!ڽRQjF$ĆQ|kG-뗡Ǒ>>VZ. ,m7i FAk84E<}0W/w89hHP0HX ɭ'x[I.rv?±؛$D/-1h#o -Y1Oy^7_؟C$+zUVzm﷚`< K[Tom?XP ےKceՐǕE},qEJH>c4]vDB[sl~ Dھ# bKRѻʍ&z8@Q{Vیu􆶲 &j3Y#QI3<Q G_yvYT%(P)&xJ/F2hI,^dl\HgSԋV}!Sszc٫Wsy_V׎*'yt{3o$KU&ARp:"рkg.pq!?`-M?4QՎѨTņ7Kdk^-H{~Ї&^Mŏ?jr*[7Rϋ}눕?eS?RsR3]"׍9܍>1B3tA1F½/dNZ*'SlGS5#X} /fH!eCUR;yyc2$&ɹ {{8ɿi5LΠ(׋Ck ;TG/NDp^\RSP?=4!Rr`}Bp"bXhll9O,T<r}6 !s~4Ƽ#si޸2ClBHK0:\#xPg' VyR ]g 9ZHZGK6[6P:۵snk~g#I2ӌ΄Owux"ʭ3Y<>}tAݲ1[:밊 z%T^M.pdjJ`N0;cK:3 òq%*f/A^u5[ze=RnI\{LZ(=#%@CKbXRVQrΑ^NЌ$q62Om 37(0;gSu 9 xw &BmO}3KMy0J}+;CzTPrm#_m\Ku.km/bo 3/\h XѪG؊u`';Cj'<}X@yufΡ'cROӒ?ךQEÎ&]UӟJǧtW ?m._pG,xgQ昃̣,JpcdOfIWbNhxf^ڌHVctbU*Y'NrCijrex*g%o464 YTj/ ?_Do28yΣ &Q9m|1C=2Fyk_:A -,h2~Z(>G/š?Rd}Jӊθ$~TCwa ׁXݪizaǝ7-:h0~i3/Wf9a?; _㏶z%v4-f0+"q4G0T%o9T@`L|?QW6CʘI16"YkthA':diU)|jsc ~ -RzvnvvA!:w \ Hc=9S^#[SxC?nD\l41 tD跆֑Ow4d8GMxiLaE=VeUUJ~ͯI%z /S70Uujhtb~_[.3غoɀo(ur<#;T7"#w 0z_H>+j3j.2AY_z',Yד25Ys0PR_|o)h L!hJ>x?rc":7 V?n9x_vGkcڥpX`cE%@L"m^fef HK7h6!uBPũ ;Gd=&6jnKV]еAEk7 ߊz<6:>G>L1vBRޓ~ӀОlBQI)Wv4~k|'y娤qfSoݱĦr:|Oxhh/KMkE@+]MۙB|v{wѱtYCwA- ?˅ߪVVݖSͼ4&;^gt 'sEպ#IOQ?Lk%9J,]B2u/ ݼ ;O"5m*/,p)3R"n,%^}'kOˁԳJݺbF;zNT)zB-0yMpV9Oք8c %"9xo5 LV{Ul6镭(̋(Cbp$3uLq/NO5` ~ ~̧M^i+Y9hGʥyj.Hyg,WyYrpir@*^Ѥ510j1?D1v:X*)nFa,Wpao ^B1#.V*c`$kz5\à>wԈZ !bStO?Hw_2毂Msg"swBG5 n?tpLJ^q*Md?bw*F(UO` zxT_%Gtc!)ȝ/U+pƀ?]Xe F5lGѭ_n5$+,swUĉD!^ MnQ=O6]НvB.2HĩˌؒI"I\S%w\C;yu#6ɁNHYh,yGx `:Z_uc+G0'ʮ0Ni1<@<]h!V1Pw1aV8)2 Iy>cR3/)<ÎCEI.t\#.Lȥ c\P h}LxagܻQ&'J^=ϫ\6 w͍$;T'@!Bk %7^[qa=Gx>yD_JQs"<%oh;0揻cviủv%sa9btqk6| M}c;ebP.+2Țu ;f<7NjRǤ43.bWۓ1TvCžnm_zB\-mPK?~MCoێĎqK,qQOHx/΂xj0==ySWCLUiNG 1~t2X"ZϞ>#ޯ6?u|F2sNg5YklۋVPE)% B\ւXA,.F( N MbeZ룆yjlR3LVs_?y(Ł$St|^4M50M^s{XZnyWʗ'5}jB· GQ-{TF'fM.|"i#I,j1k)h}8Hrkudna]=GMdJp{麇_P,_l䫱#%^XG]%W^Nfw | HmhEO$:\ X(v}i2<]jl|:5&S:Ccutq-4tP7L$[:P [&*cM %>4Vg1["L2-sKܚK5h]p遏[0%J{;ШM"([jLj.MqOSW |~zx{rAlɩ4(œLAUQ[:>CCf8J3vLT˨Դ'uhEF)C)JGzsgC-3o1C4GcG9hH!O acba%I);a[WCO5"8I難{Fz0?dgtfGۥ`N^+?YN:`DEЭ 9JڸΏ!QXkm݈5ֲ~ĜszOE~{TkF:&l{K8+ňj\=/+uHiqwQ%Yyy"JHmnLY X" =.;Ц-2799G17"bb%y%/2G黈QIsUt{} :zӞbSf(;6hxŴKQ^̢ _.Bh8qH,o* u D->*q~c*K %=օ8`:%3uC6.O@ :nR;[/Kb=RY0J:ꩮ@FmV-V F(%#-Ι1ZT†4{BR#U{"D1BK&X uUeEpͦϹ<15 IUsגJv 5rUp&Gvj-ϐtfͥLWdpELЮLXśʂCA賒qN޸ũؿX|z*"?JLaWHRpk8 ПÑڄnYbT4^!ח/yӑb<0"`(.KKFv敻[nW-DUQ&@O:@2~PHQG'\}縄nC)Y_RM7 =ىLE69ԇ(ҵwInX|Cl=w]k=hV3S>^5Q>%P64ʣa9xKIؚe JUꈦķ&6UCD,߮n57ǫOguoWD6C/"X_#38Aؾp-6罻J>g&͝(|9JXWSl ĴDAetOs?ʵ[hX@6JS`vsȘb|RtG(@ˀ>ew43CkwIś< fGhQa. q8Og0RGNnǑ7D[8J {<󙖪!`IwXfA ijR] )nR'm{Me?G ZxC֧H$^&;0 QM6ӜX쪳 /6^nFCq+vGD@4((f-6E & -gS'.>XYj0xWS # &Rv0m?f>D$Hhu |IF" McVzSD~ara fk,nZXK_g31geug $&(jT# [H>O"vűyVrNMwk:C+mIyG>*>O@uRrQZʮocJKM][;>4%DNLt5G(|?-cTV|E,. +ϑb4D=Y j1:'3邕oǮ+|/]+\T9a(8X/6͉z3zaO7qBczw򲨦 9jdINOE46ɩd/ 9]*0&JU@P4k}B<'b.K>l:7F4áJzҎv?_0{B蚝$&_G&~􈘷tfR*HlA`7k846R! RX!*ńHklZf(8o3 "veN5%*HfLCn7൉}&`obPw:?Oܟct!<>NpbQ{h ,~)4eө>ٽ/~oq tKbmArt^6?y}^BI !SG>%ö YZ