From 401d5a9b652d1d2349bf2acdc8080bf64ea06029 Mon Sep 17 00:00:00 2001 From: Marcela Melara Date: Wed, 1 Nov 2023 16:40:49 -0700 Subject: [PATCH 1/4] Add JSON pretty printing to select scai-gen commands, mkdir -p the output directory on any file write Signed-off-by: Marcela Melara --- scai-gen/cmd/assert.go | 7 ++++++- scai-gen/cmd/rd.go | 22 ++++++++++++---------- scai-gen/cmd/report.go | 15 ++++++++++++++- scai-gen/cmd/root.go | 5 ++++- scai-gen/cmd/sigstore.go | 5 +++++ scai-gen/fileio/common.go | 17 +++++++++++++++++ scai-gen/fileio/dsse.go | 5 +++++ scai-gen/fileio/pb.go | 16 ++++++++++++++-- 8 files changed, 77 insertions(+), 15 deletions(-) create mode 100644 scai-gen/fileio/common.go diff --git a/scai-gen/cmd/assert.go b/scai-gen/cmd/assert.go index 4a4afb6..08f1a65 100644 --- a/scai-gen/cmd/assert.go +++ b/scai-gen/cmd/assert.go @@ -60,6 +60,11 @@ func init() { } func genAttrAssertion(_ *cobra.Command, args []string) error { + // want to make sure the AttributeAssertion is a JSON file + if !fileio.HasJSONExt(outFile) { + return fmt.Errorf("expected a .json extension for the generated SCAI AttributeAssertion file %s", outFile) + } + attribute := args[0] var target *ita.ResourceDescriptor @@ -101,5 +106,5 @@ func genAttrAssertion(_ *cobra.Command, args []string) error { return fmt.Errorf("invalid SCAI attribute assertion: %w", err) } - return fileio.WritePbToFile(aa, outFile) + return fileio.WritePbToFile(aa, outFile, false) } diff --git a/scai-gen/cmd/rd.go b/scai-gen/cmd/rd.go index 8252a1e..85aa909 100644 --- a/scai-gen/cmd/rd.go +++ b/scai-gen/cmd/rd.go @@ -75,14 +75,6 @@ func init() { "The URI of the resource", ) - rdFileCmd.Flags().BoolVarP( - &withContent, - "content", - "c", - false, - "Flag to include the content of the file", - ) - rdFileCmd.Flags().StringVarP( &downloadLocation, "download-location", @@ -165,6 +157,11 @@ func readAnnotations(filename string) (*structpb.Struct, error) { } func genRdFromFile(_ *cobra.Command, args []string) error { + // want to make sure the ResourceDescriptor is a JSON file + if !fileio.HasJSONExt(outFile) { + return fmt.Errorf("expected a .json extension for the generated ResourceDescriptor file %s", outFile) + } + filename := args[0] fileBytes, err := os.ReadFile(filename) if err != nil { @@ -203,10 +200,15 @@ func genRdFromFile(_ *cobra.Command, args []string) error { return fmt.Errorf("invalid resource descriptor: %w", err) } - return fileio.WritePbToFile(rd, outFile) + return fileio.WritePbToFile(rd, outFile, false) } func genRdForRemote(_ *cobra.Command, args []string) error { + // want to make sure the ResourceDescriptor is a JSON file + if !fileio.HasJSONExt(outFile) { + return fmt.Errorf("expected a .json extension for the generated ResourceDescriptor file %s", outFile) + } + remoteURI := args[0] digestSet := make(map[string]string) @@ -240,5 +242,5 @@ func genRdForRemote(_ *cobra.Command, args []string) error { return fmt.Errorf("invalid resource descriptor: %w", err) } - return fileio.WritePbToFile(rd, outFile) + return fileio.WritePbToFile(rd, outFile, false) } diff --git a/scai-gen/cmd/report.go b/scai-gen/cmd/report.go index 024f179..f05b27a 100644 --- a/scai-gen/cmd/report.go +++ b/scai-gen/cmd/report.go @@ -50,9 +50,22 @@ func init() { "", "The filename of the JSON-encoded producer resource descriptor", ) + + reportCmd.Flags().BoolVarP( + &prettyPrint, + "pretty-print", + "y", + false, + "Flag to JSON pretty-print the generated Report", + ) } func genAttrReport(_ *cobra.Command, args []string) error { + // want to make sure the Report is a JSON file + if !fileio.HasJSONExt(outFile) { + return fmt.Errorf("expected a .json extension for the generated in-toto Statement file %s", outFile) + } + attrAsserts := make([]*scai.AttributeAssertion, 0, len(args)) for _, attrAssertPath := range args { aa := &scai.AttributeAssertion{} @@ -117,5 +130,5 @@ func genAttrReport(_ *cobra.Command, args []string) error { return fmt.Errorf("invalid in-toto Statement: %w", err) } - return fileio.WritePbToFile(statement, outFile) + return fileio.WritePbToFile(statement, outFile, prettyPrint) } diff --git a/scai-gen/cmd/root.go b/scai-gen/cmd/root.go index 0b14aed..f606a75 100644 --- a/scai-gen/cmd/root.go +++ b/scai-gen/cmd/root.go @@ -12,7 +12,10 @@ var rootCmd = &cobra.Command{ Short: "A CLI tool for generating/checking SCAI metadata", } -var outFile string +var ( + outFile string + prettyPrint bool +) func init() { rootCmd.AddCommand(rdCmd) diff --git a/scai-gen/cmd/sigstore.go b/scai-gen/cmd/sigstore.go index 3a891a3..89a4f70 100644 --- a/scai-gen/cmd/sigstore.go +++ b/scai-gen/cmd/sigstore.go @@ -73,6 +73,11 @@ func getNewFulcioSigner(ctx context.Context) (*fulcio.Signer, error) { func signWithSigstore(cmd *cobra.Command, args []string) error { fmt.Println("EXPERIMENTAL FEATURE. DO NOT USE IN PRODUCTION.") + // want to make sure the DSSE is a JSON file + if !fileio.HasJSONExt(outFile) { + return fmt.Errorf("expected a .json extension for the generated DSSE file %s", outFile) + } + statementFile := args[0] statement := &ita.Statement{} err := fileio.ReadPbFromFile(statementFile, statement) diff --git a/scai-gen/fileio/common.go b/scai-gen/fileio/common.go new file mode 100644 index 0000000..9fa27de --- /dev/null +++ b/scai-gen/fileio/common.go @@ -0,0 +1,17 @@ +package fileio + +import ( + "os" + "path/filepath" + "strings" +) + +func HasJSONExt(filename string) bool { + return strings.HasSuffix(filename, ".json") +} + +func CreateOutDir(filename string) error { + outDir := filepath.Dir(filename) + + return os.MkdirAll(outDir, 0644) +} diff --git a/scai-gen/fileio/dsse.go b/scai-gen/fileio/dsse.go index c7d1a31..f1a59db 100644 --- a/scai-gen/fileio/dsse.go +++ b/scai-gen/fileio/dsse.go @@ -44,5 +44,10 @@ func ReadStatementFromDSSEFile(path string) (*ita.Statement, error) { } func WriteDSSEToFile(envBytes []byte, outFile string) error { + // ensure the out directory exists + if err := CreateOutDir(outFile); err != nil { + return fmt.Errorf("error creating output directory for file %s: %w", outFile, err) + } + return os.WriteFile(outFile, envBytes, 0644) //nolint:gosec } diff --git a/scai-gen/fileio/pb.go b/scai-gen/fileio/pb.go index 11b37b5..0cf650e 100644 --- a/scai-gen/fileio/pb.go +++ b/scai-gen/fileio/pb.go @@ -8,12 +8,24 @@ import ( "google.golang.org/protobuf/proto" ) -func WritePbToFile(pb proto.Message, outFile string) error { - pbBytes, err := protojson.Marshal(pb) +func WritePbToFile(pb proto.Message, outFile string, pretty bool) error { + opt := &protojson.MarshalOptions{} + if pretty { + opt.Multiline = true + opt.Indent = " " + opt.EmitUnpopulated = false + } + + pbBytes, err := opt.Marshal(pb) if err != nil { return err } + // ensure the out directory exists + if err = CreateOutDir(outFile); err != nil { + return fmt.Errorf("error creating output directory for file %s: %w", outFile, err) + } + return os.WriteFile(outFile, pbBytes, 0644) //nolint:gosec } From 16b4353458e827b6ee91d583e4a0003d49306168 Mon Sep 17 00:00:00 2001 From: Marcela Melara Date: Wed, 1 Nov 2023 16:49:06 -0700 Subject: [PATCH 2/4] Expand scai-gen opts for better legibility Signed-off-by: Marcela Melara --- .github/actions/scai-gen-assert/action.yml | 6 +++--- .github/actions/scai-gen-rd/action.yml | 6 ++---- .github/actions/scai-gen-report/action.yml | 4 +--- .github/actions/scai-gen-sigstore/action.yml | 3 +-- 4 files changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/actions/scai-gen-assert/action.yml b/.github/actions/scai-gen-assert/action.yml index 54deff8..036ad4b 100644 --- a/.github/actions/scai-gen-assert/action.yml +++ b/.github/actions/scai-gen-assert/action.yml @@ -43,7 +43,8 @@ runs: - name: Generate ResourceDescriptor for evidence id: gen-rd - uses: ./.github/actions/scai-gen-rd + # change to v0.2 tag when released + uses: in-toto/scai-demos/.github/actions/scai-gen-rd@main with: name: "${{ inputs.evidence-file }}" path: "${{ inputs.evidence-path }}" @@ -54,6 +55,5 @@ runs: id: scai-gen-assert shell: bash run: | - mkdir -p ${{ inputs.assertion-path }} - scai-gen assert -e ${{ steps.gen-rd.outputs.file-rd-name }} -o ${{ inputs.assertion-path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}} + scai-gen assert --evidence ${{ steps.gen-rd.outputs.file-rd-name }} --out-file ${{ inputs.assertion-path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}} echo "assertion-name=${{ inputs.assertion-path }}/${{ inputs.assertion-name }}" >> "$GITHUB_OUTPUT" diff --git a/.github/actions/scai-gen-rd/action.yml b/.github/actions/scai-gen-rd/action.yml index 57fbdde..9404fa0 100644 --- a/.github/actions/scai-gen-rd/action.yml +++ b/.github/actions/scai-gen-rd/action.yml @@ -54,8 +54,7 @@ runs: if: ${{ inputs.is-file == 'true' }} shell: bash run: | - mkdir -p ${{ inputs.rd-path }} - scai-gen rd file -n ${{ inputs.name }} -l ${{ inputs.location }} -t ${{ inputs.media-type }} -o ${{ inputs.rd-path }}/${{ inputs.rd-name }} ${{ inputs.path }}/${{ inputs.name }} + scai-gen rd file --name ${{ inputs.name }} --download-location ${{ inputs.location }} --media-type ${{ inputs.media-type }} --out-file ${{ inputs.rd-path }}/${{ inputs.rd-name }} ${{ inputs.path }}/${{ inputs.name }} echo "rd-name=${{ inputs.rd-path }}/${{ inputs.rd-name }}" >> "$GITHUB_OUTPUT" - name: Run scai-gen rd remote @@ -63,6 +62,5 @@ runs: if: ${{ inputs.is-file == 'false' }} shell: bash run: | - mkdir -p ${{ inputs.rd-path }} - scai-gen rd remote -n ${{ inputs.name }} -d ${{ inputs.digest }} -g ${{ inputs.hash-alg }} -o ${{ inputs.rd-path }}/${{ inputs.rd-name }} ${{ inputs.uri }} + scai-gen rd remote --name ${{ inputs.name }} --digest ${{ inputs.digest }} --hash-alg ${{ inputs.hash-alg }} --out-file ${{ inputs.rd-path }}/${{ inputs.rd-name }} ${{ inputs.uri }} echo "rd-name=${{ inputs.rd-path }}/${{ inputs.rd-name }}" >> "$GITHUB_OUTPUT" diff --git a/.github/actions/scai-gen-report/action.yml b/.github/actions/scai-gen-report/action.yml index 0ce78f1..ed32aad 100644 --- a/.github/actions/scai-gen-report/action.yml +++ b/.github/actions/scai-gen-report/action.yml @@ -27,10 +27,8 @@ runs: id: scai-gen-report shell: bash run: | - mkdir -p ${{ inputs.report-path }} - scai-gen report -s ${{ inputs.subject }} -o ${{ inputs.report-path }}/${{ inputs.report-name }} ${{ inputs.attr-assertions }} + scai-gen report --subject ${{ inputs.subject }} --out-file ${{ inputs.report-path }}/${{ inputs.report-name }} --pretty-print ${{ inputs.attr-assertions }} echo "report-name=${{ inputs.report-path }}/${{ inputs.report-name }}" >> "$GITHUB_OUTPUT" - ls ${{ inputs.report-path }} - name: Upload the signed SCAI AttributeReport id: upload-assert diff --git a/.github/actions/scai-gen-sigstore/action.yml b/.github/actions/scai-gen-sigstore/action.yml index cbfb91d..27d0a1d 100644 --- a/.github/actions/scai-gen-sigstore/action.yml +++ b/.github/actions/scai-gen-sigstore/action.yml @@ -32,8 +32,7 @@ runs: id: sign shell: bash run: | - mkdir -p ${{ inputs.attestation-path }} - scai-gen sigstore -o ${{ inputs.attestation-path}}/${{ inputs.attestation-name }} ${{ inputs.statement-path }}/${{ inputs.statement-name }} + scai-gen sigstore --out-file ${{ inputs.attestation-path}}/${{ inputs.attestation-name }} ${{ inputs.statement-path }}/${{ inputs.statement-name }} echo "attestation-name=${{ inputs.attestation-path }}/${{ inputs.attestation-name }}" >> "$GITHUB_OUTPUT" - name: Save the signed in-toto Attestation From 420c494f10bc0d662e1a0ba94e4ffa3d350dba8e Mon Sep 17 00:00:00 2001 From: Marcela Melara Date: Wed, 1 Nov 2023 17:24:57 -0700 Subject: [PATCH 3/4] Add KubeCon NA '23 doc Signed-off-by: Marcela Melara --- README.md | 6 +++- docs/images/scai-kubeconNA23-demo.png | Bin 0 -> 53772 bytes docs/kubecon-na-23.md | 45 ++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 docs/images/scai-kubeconNA23-demo.png create mode 100644 docs/kubecon-na-23.md diff --git a/README.md b/README.md index 8421a2d..eb5b137 100644 --- a/README.md +++ b/README.md @@ -32,15 +32,19 @@ for Python and Go environments. We encourage you to gain a basic understanding of the [SCAI specification] before using the scai-generator CLI tools in this repo. +For a full demo of how to use the Go [scai-gen](scai-gen/) tools, read our +[KubeCon NA '23 doc]. + ## Disclaimer While the tools in this repo are conformant to the [in-toto Attestation Framework], they do not generate **authenticated** SCAI attestations. The example use cases in this repo are only provided for -illustrative purposes. +illustrative purposes, and should not be used in production. [in-toto Attestation Framework]: https://github.com/in-toto/attestation/tree/main/spec [intro doc]: docs/intro.md +[KubeCon NA '23]: docs/kubecon-na-23.md [usage doc]: docs/usage.md [SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md [SCAI spec doc]: https://arxiv.org/pdf/2210.05813.pdf diff --git a/docs/images/scai-kubeconNA23-demo.png b/docs/images/scai-kubeconNA23-demo.png new file mode 100644 index 0000000000000000000000000000000000000000..bf8a3f8f8c92cf54381a0320af35af6f25e21375 GIT binary patch literal 53772 zcmY&=byOA6+P6wKNJvX}cjo~P-CZIL(%lNudFTe=&?ViVgfs{ox}+PVq~ROxz3(62 zTDn|=u9?|;_I{pUZ6noGoUL}uiZ4{ zq+V5zlkNi-@Ya&blCNIX#-lx$ApqAX&R~7FSFbR8Uw*$Ha4NNU^=k5)JV;W@+vF$* z;WNqhY?x}DL-W##L-WarN~czS=*D=Fo=bRiyRlK=^2$myUJ0H8T7yJvTYLM6C-<`m zJvXhfPU6hbiO&g!vK3d7JYUA`>S^{x?&nRaFf+pc{*sNP-+Q$G-$j^Nva`}3qW}BL zzr)ZxQyIi8JQ=X)i)&=ruzeDsE?&khDo$>e2LY_u!WC{my;(_&O- z(gHgp7z8_xs8Qm%Y7IIpH7W8rt+J8ueM-4HY#v^0%(9p%S8n^XJANtprpBNVugtJH zlgH6WlbEk^{iHs)EBEDzE$KhFfj5ZJzzlZmi(ow8&2!WGQ>9-o?|B5){i*#;N)X?? z(M~(HTw4?Bx=o{-udTH{AjG3D8%Djq->&_G5}n^+k&T4k(L-jHZ)NUR?2?wm-FH)X zenycu@^Y^M_~~2E;ra_$s$Bq!pbyf3VeXcM~FcY0dCXF5Q;5%zgM`n-MZT~gEw5zwyax|%cPtMOKkI)reS53 z(a?Bnd3}dKB@DZwl>7;a#9rPb0MTrZPYUR^7#kF|My~e!Rc+sP1lw` zgSFL*bO?B$o*GVbb(Y5a^R>0i4;mJCm$c_gPTZC&ZLFCEg3ce11oxp`Q*9mrjHas~ z;3LUOCOC&jd#$}JsThq{`{}CUk5x+90zvE-Nd<`1X_h0iwoz6bgvpp>#I~7qzgP$x zSxh=)r@8ijV^lIlP^%T&VoWDk@4nH}`E@DveDU>UFBa<$3h!_Wl&1O?;V8euk9G zA_(6XxU1|F$Cv-!9+}E~&h)vs2{g#)D;Gu6=z3XZ|2w}8R+d!U`PctTS~95q-1Q&| zXN@EwnxmUKU9 z&!@*bR;E=BDay{oRj>8qVB+lxz1rX?Zo5O9s5lC!F1eJ`de01(*9mF{uYHD6PMaRW z`+y6skZ-7T%*Y_B7_pT$-XukKQ6nKQ$B$*1z=&^uz`yJtv*fqM%7#>4%V%A)9Wulf z6zMj`zl#*P7p(K>?EIzRE@%~JTbmo}J}vm_*IN}<8a8W_q*G%yJE^9vwD*>!JtKFV zCnhFtp?1(H?^f#9N5N`Lm7PFvIR1pC&ZMBdr#t)V(X8ev{OI-$>LK#J&Hi`qSq8|L z6cM1n(;@u-EjzM|p99_EMfsEhA6)8Cx!-HBU#~Pb&UQhf6E657UVk-DVH#rko5@>I#EP}pfFg&4lP=)%^mMOu&8HY@vE^df|M@kU5yUIP z(Fqvl7RLW7R1c-yzeRiMtzN94r6dCRzAC?K0xstde!AW>+WaHk&n66-C2Wa47drbF zsJ_S&TNseJT660CsiHFXz2AB=EAN9wbvDz^Hg|1NZ9IX&8auYE>+P>~S2gLstnZHl z|C`ni9D=uhLQJn@k4b;Ke)yfQGF75VVk}!uQ_KwgXl4CbBS9@K{P*E(RqIi^6LZxq zb?|jBRuWGSxPg-yju5opI7d!BKsqh0$%g^#nt9IuE>GHIBJR{->%7<$_O2WI_%hV$ zbh-B{#>BkkWsHg44_w9=s$5*ID)B7ndp>hb4gvdfHC4r?I+c1Vvay*bswec;xq=e0dM}%DzE*Y@SQBCDJ@aiICCtmkL-(i8OlyI{W~v5O6*^a2H=BO; zPJ*epoQ3$3E@Rtoi>M9c#?}sINM?NM{jRMvDs=Gm8|{+XJgwrka9Rr~g&IR%cGc1U z>g3xu4rp|$CJd&5f+~l{bV}*naukgYOA?sk9TiRFghK9>N_kx%&r`Ms_febt?Vg9* zibhj%+jLRihGgHX^5NkWl7>JIjji>T$Z6~8;>JqjVBqfL|J$=Jm^dxKwEU+APl(-1 zKlfuyhZ7(pk-_w1wZxtuCO*b4S|SZdcTzl_x2zS)p?R!9*%JPt2Rcwp4$>*x*~ND$ zq`dXW044xO^uL>uT165WvT?KGg}XJa+S};az!wqYJyWW#f4Jn2n^Z}hJ%HO{!>0G$ zpfI}Aw-M&9YzHqt2k*`ZY3Fk|P|Ok12?weP4)gzRhDn)t1r$i$m2+U9+g$t|EvAW# z+=e=>@zr@ATU8BFht|`454dN;_xN3*%Pg;=0vlXSWi@-J2BNUy1kt%{@c(VQG34X*FC&9Ic>4jWW2iAX}i|-<$momAMV5_9SuTk{R$IN?ZZu*kk7~! z`t@~D9PqZXvX{2sVB0tzN-EV1Kyms@UgL6IZ|HfvSoN_u`SFEp z=8=n%a)CLHv#`i~K-P8DCxoZqdeyJ+%2eVKgM3-;{%)pH zUncDZ^9Y(VzSO`l^-+$wHrr`FpY0SJu21u(>W%#Kjm+k%&+R=>&to3Ji_tGkf58JZ z%1LGGRfb+RiilJ6IR4usX_}I=P`SSYT+6HAXj2MUq#eZI7|VFllD`wQ}s#CPxBmJ z6vm3a|Be{%PugpQ|EwNVF&eD;9@=M-jl2e+=V8K0{Q=xGZ4S zWs`hw{`vfBZd2>iZFLS|0nmRmfHHt}?e<_|67)##U_$QTYel13%rZMspk3ixJzu@U ziXn}AJt0QI{NA6#U}xM|od!n(afJ z+nucKyTh6^U`ZTqs*2r$o>@^N2v-B|kA3ZDD>IrKE~S#~790ARk_#vSuzYzq*94xz zbE$#OukijD`lqO#*W&LAflTGJ_n@oIXSI%{OcYynyp@;0*bJ@*u!64 z-L0w^Ap{tJ6IuSVO{nAj&-&kSng2o;e7f1}q@Ap{ou<3(e!dqM+>GJoxx3!Y3-Yz^ zBcrKFtDg`vbb>Mgz43H4Gf1!1waCb8#lv+c!+Q9zrkhPwu!$M z@YYb$_C_@O?4$qnidP$(LBu?-jVqJ4@a6Duot#D9Nh#BOXYXrW zD9g)>&&>_BfBM@?b9*_>S?7J0DI$XkbV&v7|J2*_R~{eJj6E|t9?nNJy8L~dY%fUz zZ`J{b+C79LNBWI1_x`v!50yKgpi(}G&X-#B?6muNc3Vu?>%<-D2F^o}FlTMyG-=o@r1J~8wFbooR(UIE+?1GLb04oD4RcX?rU#0=Vpd`CT#2;{{ajiay zMv@76*OcFr;dXb~4>VxQ3xh7|c-pR6YC zN#^6En7^mbaZi+8%JtbHT4-YZq@dpFx-H5W#cI&-+Y+MozS(g_2a7EZ45#dq0dV2HVz^@J6e~Bq09tD8^SZ+Y)F(9GUPe87Qc5 zvZh!$i$Jf_EEE<0Uxcj2tH|#%Br?=FjX}>(enpsXZ6APfUj`m8Ha2=>Z}(z}!(fv=Z>2zCR0xJDe>*Bk@dAEEd=|d^EzKKnF~+~9 zC23M`rEH88`gq%q+Jh;LQ=q-@)9-MyFtnHj^Ziq^-@|H@25MQpfJZS@E4f_z**JW+ zcg^K|EA)JXeY%0N4QQqRElO5kegEUexqndg6QJs3mivtH&UsG^X4p;_m%XB#a$oh? zwH>CIY;Rr*T=J70cRya#rnXPddlh1IFpi2^V9dzK=$nU3J=qb>)&{QbI9D)EC4rhI zzG<~oY*FX^7?V5&25Vl)5bP(xaLxr~;T%Z9u-;cM-TDJt+8_-H#`pFobwIsYZ`hsS z?ZBIdD(|?pyDyu6#YZ+?o$0i?(hBb7kFO>Mg?RSs0d#c?D4&UwmTnp=1mOA;*Ua4BVuTlbGn@O>XF$o=VA(17a6wm9z=a zAwslD)l@VzlR9V@q|50>Vf=|DID~?32H$#OwbQTSHGm)HZN6TwcR!=C zwMc}LULV5B3J>LR$pl@YZ0~vPk{u_`%wTUif~bOFv>IM=7I@zbYD`3pC!Qi-QL*3z zzccav#wS!#UE4yTTrZzwP`x*LN64Y`jojhsA?2iSK7}awB!arFbu9&M;g ziK{CRMw0%HhShL3Gdxfq1-ru>AIXS#F_$n=3lP6xhD=kWREhSOw*IG~>BbN9>D2qV@ z-AJaaz;<#V6O6c}1)Kg*Bdob1gyvoX+FNHwm@Oq(+*7Kd_*NHzr1B_gBwN2r`b4N?fv6lxk z8gFsYRM0*4r?h;p9g8rAalAeY&~Po3s$Zo~NqL9$-JN^{j5%F+B{NdpJ5^?v ztwO_6m2tcLY|Zn4+Q18}dV8PJ18|-Qw9=v8E!sK+3Hi^9Er=Mz-th|WVULtuoax`j z6Ntr?ENu9H-WLaA_YzKN*^0f-AdgG{%3GK0xj$IhsM#?ZwFd^9U()(89K1JFuDTqB z4{%pjVGeL4o$roxP?vH06RXi&%^K5E)A1-DK9BH2<*1FO2B4_uaz1RQnGQG3nN;Au zkFfIdT9!M@Q>HdMKQEj)zHM;-0JEAnE2H4 zQ|I++(*ATw`y0FZCWsAyE@nYfe{)lbKzc5Cp{HH3{#w$VVynq0X4)BPSrq-U~KC0NKvYFT&!*e_ui87UfU0h%4P!KlnMuv8NAzX^sY`Bq!XI38Z0iEaS` zn3mF3s7+IepkVOMtfA9YYBC$P6Ho!0QQ@eZ8w~OX-Z!VR8kXBcBi_BDqo?iNhzsW!Rx-|y8{f3FWN~Ii> zl3AEv$*&+UwGt)z#g^E5ZCCSxVD#JE%V6c&ihfg#b~6fd0RT)q?|)}%(}@q~M}^=# zt<1mg=4yxqg`=wG2rt#C$~5v^u=JCe0{Sn_gvdoq6c+K z9zGy$HZQwI%jSMK+vxXwc!BSWjrNCUxRBuGCQ|_Wn#96zL|`H^Qc0KedHxzeyD!;y zZUNuL4wvZ{5=6-!BQKK)dk!*|WK$u%_y1mvq#^DT#BDYDo2UJSZD}5%;yxAgs0>hq zc1y2y1@InEIZ>DH+`S&~hzG-y;nf)m(O&K8(7 zv`dz0`m|7hLk1$CLg17dn*oO8A<8S>)ecAr7*}G=OxhfSg8`y&UUrSx!E&T7Uol1Y zJ;Kv31&_Y>E`Rw)Xlz<2i&6DR6^o4>tbhFe8$6UuBMG!fF%bV@^9IKwo2i5EQ z=1y>*vCH&#GYsC(-^e-n_uA!5yJxEoWmsW1! z+75<#TNZ%aCKhmKGfV-eF$E`2O*0H%({Uap+~QCrH5k4q&_`Sr3ZZD=c>K|{hQxWj zXkT-TA35T9557^Rc#06a!%p!#C@ZlTPGvbJ=_yg_} z-BSz!XBt{*CmT_J%nn?~c;$wALhX&z@56<@SRs{Vz#%qx1;yXDcYnE4M-zEpu>F8| z>v-J#{Isg^B4I?!{6(imt?qvEZT%CBwzcB5Hq#*Jh~8j+yl;_=i7g$$IE9FWNm|NZ z@DahXTg4(SfU@b~(cD`KgwA2LejlC=xFiuBXTM0ey#M~`>@!wL&`>C+was~Yic}zg zoh9iE*Mg#o;IR5w%qy>v!~39}Ml=<=HPsMtiH<}}1-y%fX_e_~uPJ$Y{PY&X1{=ui zT)^L-NJ9B??o>3JLnwIGBb6Z1k>Q>WmVj4DNzB85tn60#vqFPb|KCzgPG$w*obg+^ zAORZ7Tm)+p-^K34b?OUPF#^m3S-b=~0;1y&&Ppo@C>?b}qZ!TX zV2F*j)3VAc4@+52U9D-Fw1})wRKPS!Npc^u(G16lA{ADb{5Nuj`-O#p(8Bs^DMChK zCE$7`(>3Z9^~S(`?--YOLa;(IP~fS;pdU4w)8DD9wZLBrs}X!P@&qh_LD7MesZ`8` zjGwUToSne%_Q4Em%-;r`uG>AVjOTA`e`IgU_tHzfK%2xDXru0YHKS|qn~oLIR~RqW zHhV_ z6Ao?wd&ah$uB;bg(Hs<)w@Jq&8%s9XUYR@auQD1x?s?#S5Ddnj=hXe^sVZdas1_|Z zOjD3?Er;s@PlR*X@mY_G_A1x!WD-od!Rhvub5(+3Af!tXjC@4R_zylYR>u&)Y>&_oMmw$H%J_P1R$1heg=hhzn26UlMBC46zsQk(S8b-I0(pm{lYU z9i;3(jZ*mOOa0d4^;!+DD=4G7{X|F~P@QJeJ&qS={B-6=w*dX*_dS&UEksi9)}oml zX<)KY&fXYX78^9r*6~*=_MjG%I~5p(Q79G_>X&PvnAj~^O&2SB1pRm_%QNo|^rZ=o z+bju7cISD%DPtz(u}S#Xcp=$f)hJrb@*>W4iG745%S|cZ2w2cuR;(_+)Z9YMu^N(LvJz88oes$X~ zN>c!=CxyN~^eP0gn?L-IN6|?kSgUe}i`d$rDGnb=cl;d}kHc9b-%A_HphsRgz)`D9 zD}~+)#*T)g@3X%c5q7hc8u>VSfu{amIKC}&FUuG7vV742`mZrAa-r1N5+AciWQm3t z2tB6KBHW`AagKzNNmxv~_Ps4YScil8sCVxst@t8Vg63M{e_}z3Uu3s_EDAL+eW4ZR zdMJg|cgt#Z^Jfq-^>zFvojMDZ1*v#KIT-Ct?#Pc>B+fp+kA87OYq@i@J?W{b#Y^h( zg8{jRXbg6{VDp_D>`ua(zohS1Ng!QdA&&!^SQ7r#izjf3v_PU*IC$%-Fm%o;KMr}j z^Q}W{k(2S+M$2hHGqZ0HBM)W&T7BT7oxyIHrlk&~_3o;oeXX}kqsB!0TA1*+uK@gN zChvk=(FNLo+p$h^wXmMBcvUdaYbrRPgyh(yqLRlYkBsAnd;Pp*j=zV&MN2oZrpS3r15j z5%7Rd5|n_cV8Ea*PL&_Hd7U^2@b&Glxa6ra(K>#Ls03e^v~|gf9yfKWml<&B$Gs-p zDzw#T>FLX<0Rw)FmbR!swsy8^X(RVpEa^q#|96bA*_4?9z|awycVw079nGtE`qSJ2 zU>up7$+~Y=V?C;|CA&1XzhU-?I-g!D3P%!tZ$vPlp=sDx?p?{mCIy+N&T+(SSdV4$ z3cc>_Zi!2^aM_*i@F6=j`C0FO>kGJag_*6eYGaufRRCxRAzSAo@d+0b;$TF~BZ{&z zd8QLS$7Q+~asYU@j^85N&$n@Txa2HcmRnkx_+Fb0v;mG>*_p!CL0MbJcgmIY%(?f0 zH$M$O0`KGc-(I}oc>gbmf3b)!;*K5&hhW8g1Qc-xu+;IO(dX{)lQ4G1LwEd~8oqoc5Y{>o5G$?c%a00ig znq`N9jLB7}2awC)`!rvS(~rhR2(`_W=?8EI3_g;>2;v`JA@%hpqcjAFmAL5f1Ao?(ic+HB)h zv&G^DK!1|){_AhkVj4(v+-yWMowK$43DzKzANaeKX}_8mW&m_Mkmi>LA)p}HP!JUf~FQ}HF6ga|BJ;9Sbh>1 zM%Z2woyONEtd{~nT&G&9=6eozeK3!|-5G$Zwplp=1|9UjQHL>V77ya8ickWTyd&Ft zBXW`YdxI1Pu}Z3di50ygxJNR9*TDcVcs`YNZYaC~oxJ$Ls2zacI0Q%`fMZoX?E%8& z43Jk{W97DD(WX}|NcJc1|M?n;ltTRJ#ypoA3N#;?*cVj_7@P#&c2)Cgq9S{z7Rg8& z0yyI(-XVBUda@`+!CacwyAFhE5bK_wj-y0kId%4G!)-)QT5_2VfMux*NcI`141LRz zNFIqmI%n`J%Eio9=-rQk>dxq|JI|mTTxM5KxwuV!UPCT-)Et`Kw>G)(&}u3_rPSltl?v*f%w;@ zA^PhSK_=Ho3k!=u5~mJIw0CUD71eDD z_65UKJnv6oWsyS0iK(rDk2<_&k?@+y7$i*!r>j*^%aOK&uvW*F*%mOXl41o7;BC9g z*qJKR7DWm=Pyh}-G%lmTHlHB=DxwV#p|q#Dfrt*J9QlIr5{(7zr|2l4b?j}C?mod_ z1^fMg0Rho{Vay-@0P^Mx+5>>Ac7Zu8{61f69{xgRgeYB4T6Yz0&t;tIaN>Vcza+Ra zdj#BeH1ItkY3H)Bc7rJNmy_;txgjp7qDSXb3Y6Um9~TQ`$UKIiyTDL=ZXd7px!m{k zGK9TCi93GVbeeWI5zj~;0TKfP5w}$;suuiO0_9`lq>oF;kEK?(lKX|+KmYlTsw^_o zgZ$_$R8IT*`*vn3NqWRzo#wwwBH4{n$%)m_NY*a_V*fBOObQ@WP`SEGpr3RGfM;7y zvB@ystAqVd7n-V~MTZf0w@c1`fB@s}Ln9rIIdeRm!dxPn7AJBJ_5nC`XCqaf|G9kJ zA-z&M1z;IX&Q+OqcXa?6l+{d*HUEoPbYdQG+FTV$F2-(W9~{xi54WeqmGhGpW7m~5 zBG=_CD&ssn+oybRmK^Axmw0u(IQkHrxaA)mJ_rhmBTkDDkHJv&%Y^Hh3e58KM|Tnq%FFGyvY^vcsT z(Qi!W)rG-uZp#vp0#rw<-ka8dyPH8nmpYBO3;mP}hzi6hG?ut7%^rs;0eJwLV)=Ke zlm~oMUBH0E;x^<&r#`7g&V|t5EVAg=fu0^NRDq;bx8-7kEtmB;seYG#D-a)2@jPAa zlvYyDDsW*(iVLYICn&FZ_bi6RUjdlLg1=xL9tIe_H)%$htY7qM|&c{J= zPkN*Y%EE72QJW=xK7kqI9c<{VT zd{(2Mi1;1jnuz~gMyFG|hS|Pk_ju0bI!QL{&Ndo}S(yhZC2mCWpg4U1i>-jOnX4Y- zc`HYA7XF^@pj!m+i|mo6cq4gKvYPa|9z6^AyyTFlh=YIaq}Tpdp)~QnSr0ds4EXMM zl+!^Al)bZX6cK7Wurd)4lJN&9>usGE&=h5)FwpCP1dF!hq!FP0X zy_WR>p1(_nNZ-FvZ>~!RJnnII_<9U3G4p2PdYGXV`!?v|Y`~-7YeWkUS#}U7>+O1Y z_jXAhoqa6He!K+g77*KNK*a1N$Y!=4)uTcqsGNQBs?c$OnYj7LuWuPC2au^ZA!3xb z_Eg28@{@|<*uf@oAcgwEqQ|90FP;_itHXUyW}Q#&6ZXi{KGoml(uJ6AI1DJy=NoL# zlqD?t0n4(yN+^N}$ei>65uF&L46%T=j>msXOcY?=n3!>VJY-QvTiZ)I7EZ4R?qs3~h5#YxPt}Uwqh*?L@npwn zHc+e2ce0!g0^rFZGGBdMdc1Z^TH{2n{M3pou@{alg}?1*>EH`Oi>U8mtF%|;G++e{ zLHV`g!8-?{I%jFMunCmm`F<)AudvYfG-+5v`^KR0J%WU`6y>cHi**0|0W!wHho{(i zN!YsB?Sges%SVea;?!5Wb30@9_MjTKUAk)L@}lt+s2iKX*WZRUZ|tXw9e|9fr&qiC zLalk4Ul)C&7*r~b+z+a)Q=VK(RjH6-fgb}KSU-uZMZ*}u!reqA1y=mIscBRn2oe_TgEQlXZmO)|88K$qMQEV z!}&>jA|65M!A1SiM@kfwo%z+$yTMY-rd=RcP@0{jkATgOvYn-T0^b#Bj3 zB>M2Zpk^C8^2}jCW^u1;A#U&wkdCo9fc10PPDugPF(+yeT&`8N74-{!#mk~ELH6Xb zy;nX7aZfq3&xvjT2o{t#!r+iFFH-?zX)#v4LaE=%Ds5Gzm?lUvWjVBiu751HTE}hd zX)VCCr@@?>Mx62%8mOR_S(K8Nsy(8(lI*HcYqUD?1z7SylA>g9c7R!B&@f9QGTj4G z2#TR7jD~>!y1KZrp6xcSei0ro{xolRj&+OU4YktvAs+bPU8QUU=&`fjA5MZlQ}ZVI zLXT$aMGxh3uBI0w5YLV5E-1+1S0e-|ecat8imTA)7PVE}w-Q(59!kt5%C%8#7A+l} ze^FVwo!6n`M|HEIw$aN&&QYkWz0igPSKu^+d85dPTzZ#V-L`Lc^X3{h#&d-I6k{Kx z6t`Hr~Yc_sV%hY0{ zC$rN@U~3#!JZ-}-QjP`b?)8fm16t3K86Yg514d@~#U|hzH$H2L{E(mkatLw4Cjy=M zO-^ejp{6dMLx|s$1M0yYVSOS1D6~&^Y5sy8ipH^l)aEx{XYF#WNrs|4PkFq!i9Ab@ z_b$rB*l#c$Tek_S8b=&OJE5x-IM|~_cjQ;FXqCw{;j{h4N#Yu<|5H? z*~$!zBZVs(i_2aX{Btr5GLirAD~9MC z@bxQv62ytj@JJ&%=yPurWMgg&$5iSHjau`8xRy-6PAoBFVruF}WCtpcu@S`o6u9MZ zu|r0@ZCG!WRP5=R=OOqdy;q<}Hg=flpr=_YKongUd`h!DExIxws^rThIUv|x`OlIE zo!VYao4NTURXw_Sg#V&>s7BFixJS9VbYxhGf&_VaMj5m14ZAv~lZiYck5Zzn_OK#H z7%mh=L|U>%ZGhKyiiTG+QVyG?MZ;B{OvKx{w#Z@X-Uo9Dl6&HaZ5x)o>|g(PIh z)qJN!e)us#bpCVe^QUDT*x(8)oJ^eiz(p7KQb#XDJS|Ge1Sdg=k#c{n@3Gl+TwQeB z1Z^&SYhC^Itz#22=?bUSZd;tuk}1?w6W9A}9LVZ7Iv|DNx9k&#_8u*aY(L$Hx9wgd z_{Hd=k{Iw&%pbtYs5}mJrg?q?GD-ywTD<*Cd8LQ{S!P%U35;(#E-VIEpy>I(9CsFt z&-W`?&(A6yxB^xj7w|*Ak0=ET$Jj!2RN`zQH1v(iDRI2a;9Ca6mGmFXo7hEu08QYf zP5K$saeaMO=+i(-hKnwe<5I~q8@;mJ;*}(j%+v$5HdU)D#p;GlY z*dew`B*+d#yg!fXg=EAHY6nQU+NI@dRp6O)2eva$$qJp%#N>Zc#(Eab(skR4siqXH zR8}jevwY^?f#>t>qK=Qp9K5kSL75c2HlF9E*}X&tUn$T&x2qeNaiLt$9elbSCkY+- zyB;(mjTKNFml5hQBL`E@((Ml9wS|=y%kH#50wYK05Lt^5vU$pU;*=Ws(F>32%$uo$ z*p}FwRF_yx$CfBZnk@EiXu3J9%1t;KB3S6x{N3~iM|f`nhTX0=GYyYO4nWs>?$f)qDw&W6pb6ov2LEze{j zz9}+xG}dHe=IW13R9T)8qXwISHC_l7_a~nlO34%GQbqC8)VPOf5cJ^!QESy(ej}5) z$mJM0?kCpYe?8i)x(wa`72VWCYXEjC~ z8yrh2$mOWX?}$@fd&JmNgI*5N3$^Vd`(e^zObXHY5BAr$J|=2!aYj{BRz%T((H-n zMYhXpPr62to261!>So8g^$Q*R=MFJnMA{myK0%o>?);S0LO=5P(~8WUrJ7YWL0K-1 zhOi9Os2DGF7$1(yORTD;Aj8Z}5M|$7XCUZ0{uSD4<32o6;v%fB&@Un9(&1i4_h>OiicEIYfk- z-~$!yRRDRbalq9K5II$9RLPHomeDd#- zzw+Fuv$B_3Xm%iM5b6;4oIF}Zg`nj+%HB6^03bI4^Mn)f+ z39Jh29)~SsLl9UaG8j;79rrmhJ=RdeQ*JAN+O#1)c`BT zpp+LG{iq3sjKK^{TbA>O50bDC9mUOwZne>Zp*bEua)U|^vHi0kDLalU5agNEQiL}G z81sr7_)xT%@gdqw0XRaid9ZA-{AsPr*iTS4Hy)#xq4PJ?e?GhF{Go4*%U*PYO-Ng3 zl`M%zNjYKFgL&|$a^lwS;*_l)bSY5Nkf^CLS)a1Bw_2KQ%I#7cU7$D$L?4xDrfsM) zpL$1~I*Nl0?vdA8fG)di5k6v4L>3UKHUXjlyR57MFM&h9%&hz00y$Daj{P(5IfSvz zlkc3LD3h46H}#Pqy0zJ*gY8X0VV9q z_eb>yH&HFr<)8ZAf&O57gLc@uZq!=W!_2pTk;Eq*)`;t{wI4YXaao98XHQA?zi;&V z)&1=q(EL=5TXWjF zOHO99jVM~?+YOqQ-XS2ffrvNra`xk%NSIsNo_Pi!NOH7;EtaqGV~)64U7Bf9 z?ybX@rZSAt)=IW@8134%3n<7QY6r-ZU@$Gw61@P8hhBK}lQev$h!5HqRc`85CA&*~q* zRFwVtAI}EfFAjE6qywfzcF@!9`A?+xd%IwZVDey=_|z0;-Qj%65DP##WBPs5u9VIp zId|q|(BWOXdaVz{K*-hOIHciSdjk@>LTg`Cva0T_i!JWfy@F_q{wVy_#hxOaI!kpx@Po>CBc?z#*vhL4m@of1CDYJ1sp#OQWPgBiW0|)$?(4^$9uFH1`v55)-aGu* z-`{NcAdDaanN1$2qE=5JZsINu6{m7dPnkePbcKb@)R>wgdBHr*9wcev2H)KeSI55Y z!BLN-CgK$yAoI#bCDOo(q^NTm)fA95q2^Cl4mhl8wiwSATupqK1hmH3A2^oMER#W4 zNw{|G1qd#_{}!wd{l4j(8Ii$cM$Hbn7sn`D4J>8IuV^!5G?dOID`nn| zOLP@FI5+_cyjS4*^~~~ZA&I8Js`abq$#4DLV(sCPNQcBC(@xZdVvV{E(-2T=xg5S= zP#)7%fn8|lFD5~V5#`SnK6zi5JZ$JFTd$s)CYt{=)mR^dtNbVB<4Zo-Rs$4M@P&cM ziY!CYNKL#~CZ>1;(5xegy(yaZO1uCOyFx8Pz@+);K)QbweT@x+XH8luE_D(KyX?7PA8&F2E;ljtpzL(f{$Gc6pH*pf`N`L zw~w^~G;@LY3E_b#gE2E^yGjQqcYK&bn{tA#+RvYPDhNz=q}MO98zuD{c^^7$^>`)i zp!1B?r9WtsA}Of)kwtnLn4KMsn;nh6q#*#Fn1De0G;M=>?$^M31F1YQ_VZb|jSm0t z!Heby5x0=Rdj7WNtUjOhpp6dS=E3&(h>LCew|5tEDAoE*_cN^QY3}kVaKv;9DG^}u z-dUlPU{|gBC|Be7VOOa`ys{i4Haoy~Ep-*NHSEmRI!E8CGnexP&pKiarLqwJUDzwZ zlg`8&Pn?XxX46=Zng2Y9D;58fMCTEG&%|dN-@`*>BZ9g?=CwLMm0_T9aL^{Fhjj;{ zXb3hK@FTvX{s7_<6}HHb?#i#mG@zdak$+x$NStBDNoRR+$~X< zEmiL|%;LXUy7`EIW}vnY)&IGxn(65BU9~eGrhu|rz`nr1>5p$2Wova1m|TE`;+`MPMianThV^rQX7>l=}8hNL%mp0MwB9qnOTtU;}S^^*5 z$+G<`kp3spCWv4hTYn1^w4;*h8Wf-UHBTJ!=RRKHPpBcy-zkTUj_Y)qr?XhnQqx8@DjV&asl_MUEEW~U@|{iDDUR(Bu4ruW z$O*3i3blC`&;|IujXE%nVJhJNPl#o-T;qr-=wE0xmP!hGx0_@QGI_|OX(?bc8>c}z znkOa~*!tQo*5cC%U;M!KQ#F^s=hl<)dckeVX+*2F$y~6tTCUt^kyqPsKZh>OOEpQQ zkxAk9Ye&2|A?EY}?1r9)HWL8TD zT?4zg7OI!%>$?$2ZwH^`u4|W!Z6aZT8jHJ##UdzlT#U#OgSjF*Fz7?}oHXusCaUx>=XqRTf9A;&Rv5Q=o0w(f;^jVqSC%40mwCM`(qnP+D~Hl!coYTxLy;?$ zy#A#SRtwzDyzHp#a_@(3!)8ZfoG65;iW5LniLLBs226-HA<17;yKy$_FFsK60joIuP{TCK4Z>U|mIO8mhG7y;;u}CBc{VNBihwW1_Bh za4hDCIFO(G_3fx$#j(wTv{ds1XzX+J%Q1K?wC)8&7^An>Drh0MdB}UJpSwRzAhLWY zh!Q*D@c285zjmX62GzS>fTuEn_v|At1-$&T@!C)A-+XnBqa`Nubxmv29ABw8PN|wz zI)+EPT{H0yzRB~S7%+Iqdd2BLxXBteQEx$Xulj8Q@d(a&GR!#SXb;zC4$b2yb0MJx z;i+9TuI!wqQ>>;6@VxX225NWvxYY4q9aBAc=};>y2;2#q7wooeJmXa+Oy99E)x2h5 z_^8*wXE_Ne&qr(u_LbbL-Galx`^2qJwEfNj!9jl&q9+)sCCFC7hAo;Xu24inkXCHk zn~JB>s+>}=z(k9b|LnKGOJQ_uqu?~E0mhLh!Dp&1#v+QY%xZtC@JQZ;RQ_iKB!S=c zV_q3@zn>D~+`NtTI^oL($fb%|Z4 zmh%x5zF8SDtK_Ww6H;s;{Hld2PbF|CKR1FNytB|?PUA^#ttr(Y;)wBUTSvYnT#OFG zfP@C?W1Pv7HdLER0ZS{}1sgV8hIl!5PM_HGnvFn1X?J*=vpHUwac(VGn4i%X%NHIi zYB8wT(5o#j?qT2rQI`9W->)-#j%r0`M0<6%Zmga8UXllMho%<$8_zb9-MElDb29P% zdMuO32@zVYf#O|!ds~)hlQALG=_Xq9(w#uABU@s&bl2gpZdA_9eu7I;`mt|!xk z1cz9R9QQT~anqdoF+ay<@L7*mq!n#8Me02#$Px26f39$Ls|0T-ms&n6LgMJ!Zy%(R z_6WKUn^WBA7A}IkR=jWsqTVxx`WXpI!xP?&Boscc95<`-L2=~##L3_L3&+Xg|hSx%r;?)vm zrjeR2d3NS#xmfF*M4Fs47&zLHTj~&ckHc@d?D^JljbC5Z6VzU54?%ee9lIS zW|SP4Q;avFD#P#cp%od~{vkLDYUk`)Kh}Nq>a__u8??&!N0@;!~ z3;3)g!R#{&S7}M6T{1<5pOj*zHkh4!;hbk871XU9FfuBwa&N)Bs(<&aU#-hCXZk}! z>ogN}H`jrAD$hr*(BS3p{T-MnwB$-GJo<1Mw`BscP!0R#g`{h|rU`8aah)%G_;>*UDrv~2p*~ZgqaUE6h#`KHGktTee9`U8*x~5@hV6ZBIkMwIjz(_AXAvfSAE z<|EOp{e*ONn^jh(r-!Tf9x?%=*Af|hE{@a0<1^FBeyZ)>jPxBF z-qd$BabN@@WU;n=aB(3*pJ&Xt;$GOpA_4f+vDg}N=r3aU;v9l*^^gd;ZK;5`@Y1f zN3^wdg~Oj~O2PE%_b0GHE-L+8)cLo}W^XT}h$%q$K%0R&imKvujD;*t_2iYA&CncA z(ok%ku-zWA`>RkT#Ijd8n=$iShMTPJvyO4!E4mfGMaqi(#;deNy7jhEH2Z5+S6kdI z8PGt^5~=q#~{P08bALg5;|883YjAMetL-Tw7-q@0L zJ6E10NM~f@Bw#vbvbLY(GY6CFc$m{4FMa|WD{^Er2%xJb>sf|V>qVksB^=*%E4qcj zB_6@xpSLyQZN6Hem?4&C!GI`QxGo1%38Y1eOIBq1xp6df%^NZ9rKD5>b$ zcS6&JO0>Tc##SiTH8(8CPkH$3o2&EvsE$I>tpsf-m-}cTN1H+RW`2p`w`r0uPrRxy^38(e>s_3^2U91o%rTDPK_CvN@?qw zeH;6z!!nimyoUwZPSUoXE+SrpsM@&GZ&h^jPS^vk=nuRg^8;}{^v|fgG$1YCK#CQ$ zpF%4i2RLAypP2#R6sFpp+UMMt^6-aoMv*%Vw09ma;F{aWCgpP_ogzr;xT1&XXjc+i z5#ISQ^lC;Ong4 zl?hA|1e!O%pXAm*Hq)+2H$-BY8KrQ(OG8Fg6QBQ*PxGnyT zIhDrGxhiGF`gL^^O_DU=E}3l&(ID5yQrsQsji!oPx^PquPO_7KmnV>m-H4!aLdI;F?@wZ!f&4oT2 ziN+_~S;SdCr|4MjnvS}ftvH%?zp^ZqRt|=bLhFoaSLgAw>t_ZwdtIiNV{p~WFF*2a z_U@8QEF=DDu!yo&wy9=ouaql$ixupLfv3?3c*j(0))^qCR3PxXnWAkh14w zX-iQo{J=yeFg3{!QA#c!d6trelR&i&+HTr@*P`b(sy!OI!eY(TH^zzY?)b8DtQ|1@w|-9vhl(s8a9L#+Bf7(;f10K^YmzRU1B#m)0-2FBAb3_ zdY&%^HcBGy+J!6LK_DtV9XqL^W3vWzoa(jA$M{Z)zg#AugTKquH=|HC``x7RJy43i z_vIk-3%;@|wy2y`y*x{DX|i@=b#zzI{#BOG^0~8+U1h>CzEe$l+~IvcgyeE|zs_nr zg^5{^AK!@C?Pt+SK}_lc}56X=i!=@P>izAMwN~?^|7lJ;GWNn-z)~@ohAn%%mE>?S^Pu1c`UYwzau;yic9MOR zh3Mh8T0*%p8~pn0UyiFsi&@&$bVQiZ_uF6lPUyb?HG=#9`8Wc+)`5eOyzzXcwI-7z z$1@<-g47==JZCYaB}Q|_qW0qVs_R5~j@gsB_`}BAOZaE@ql>7H;oXeu>YtP-7u3SG>gEy0>U!&=1X`%?W|fGVIN& zyr6x^kNz&U{E(!Z(iLbs8skFuzHb(?Ydo~a3bp<1#J=2SxRiYc)907v{>v%#?yrzk zi19&3sRp#4<2i+nd+InEtf!Uk{dQlh!B)^G>(BVWrdbg5lq7{Qq{4LdO_`pwizja? zRy1|M0p0C+=s%9&``_~|B*Q%DB#!4i##`+Ur1DD-e?hQ1$F9g<{vAkGeWmOMU%)Pq zIHvPoXItTWTxo^fQeH1HmtLfPM9K4OFff@PTmx!~*MG4hJJLfmg=RkB zh(}a2mk9iwWXL*-G?|899w)bS>AxOuT(`kcM*D$Ih*`+B_d45oqsK7+!BPa518SIZ z<9HDya>%`go7R{}W!QvJsjBb=1u@2kr!hyy5l||hT+8{ z9iO|Lq~1F$@Qx1i`pBVGmR^=TU0FBe#Z=Y%vugpT(o??4%X6A28sU8(JFNqe%*y54 zP<={fYu-BfiKvE(#FzKou-euwt2%vA+Fpw8Z#W(2HdczZwb+hgc8TOt!4g{R@8dSx zCtZMszp_+(e*Yu%U)^E$(x*^x-#Jc%}$IL;_z-wHU5I zPG(D3MS!ZAXqYw8jceE~Zez5ib?CpeD$2T#fX2|X_@~6YKctJhk~gy1CD9r)P!2!D zPaTn>S*h`Jly-fO2-gkXen%pc-vREaHwjFNv2L}^IK-sGbkBA2Rc`6EACXhX&Y8!o z{k^i%YOB;2xw#$DWTSY`&G@ErO@;TL9CLbvY?^ys+0;xf=YF`ppOIWEx7E@}aV}zf z8Y6F9r$bGWzIxW-n4yKgCU}i)dqDOHIKosb)CxZ$^*zybK+w1}5zn$((M;lktbJy(?-+p&7jx3W<^P26S0 zBav^Q`qhZno+*sk814L$2PXPgvr5q4PDrS%aK6MCD$@ zqowK!9MZ(fH%;*7i5u=%R3-0CDD^C;|e-+F!=di`W zI6Q{mnW$dp8xsFQaL%qpcT%_TgZ2W@CT~}R3j)UywHwn#P6L$3e*Vjf+IZ$9%O#xc zy27OY(4qz&tlWp4RgL7pW3iM~28Y=Um+xkaY6UOK-w3jQ-a}x49fenZhDuVAi88@(V-juG{^(U7{XzL;(VxK29lQBPw))S9v=ljLJ+K+96#NB@ zn~bMGF=2`njaqKhpjEiE-q3F2LenS`+>Kz0r3sH~j%th1p713ULC9fNwm-jME`D!! zH;S6=0^60r!&1Q=MN4s`kTC7`*yKazFj?Z*mM|6}+1yLU7s*(k#WU~)Mt@1_Ys@SA z%t=NQW6n(p`i?G(uA92=_sJ9KXAUM>$ratM&zO17NRFH)^wqo76wVqOr^l-j55Vrl3=_7W9CCV62}wuph`aTaKdpgK4e+ z)>ob{h*z3S&DPr^@l8KM?horqjH082YVr1~otXao(m->b=zS}Zx!w0}5n;Q)tr}VU z`g79;H-}Fb$?>x>=QKN(cj;NH9wZPVlMl`-oq_mVYdG6r#5BF;tZSj3HpfQ^f^kz#&sAz4 zokk!8jgzsRDyV)44D4~_DiDwZm7 z>CzU#ZE?kfzKc}HsPLyTKN_zaYBsWAf;jM%8>eO7bH4u)YwSBFfHe1ga@&;Vs zV5En?JGO6e-oc*bLz=D4gP}+ud3cG}#{N?pTx;WCq-c*8Kp_~6;osw6i85!n^tl-< z?Y(__osDVO=+Lh75jRuD2n9Z!O}FlITn`MHWNH&91`6=f4Fu5+8_9HrSEXFy(q}(o z0ylA`YOl{js(_rT(LwzEi{05;=LY^TYcNlExG{gLkBAVB@0vSG5gzeMlO`BG_`c{+ z8Rjn))hsI#iN%CO@xRMNCQlAj%Wj-5Q!B;vkTW|~o>5^;NjMI^@;IX*jnq-agbln+B2zr}YthDt+>xGgsMMVM z)=)H%p3j;^AtNio-{NR+)nr$X^oSia8BWZWYd$FcW2SQ`%BCa2r%cZNYNmqpGfY5{ zgN5WbI=JZbnLx&?^`Y*%24pazt*IZvzpmOR?a%-Yg+ zGm=v{s(|m#z9p6KnFUvgT;=DOWsKof!{g!Um`%Qp^B;HX*bEB%wHZYMOObt?ud}U_ zwb^u~pB1r&59TP9SWH};xKUT>&`GJ;XV5ViA zZZT?ge0mNIx38(ce^Vc}W2501xDtF~sV~BXlUOdV8(9y-a2z>{!cH;iH&;w?Jg(A6 z`dfXnath0hrYFdWW_ix5{=ra;t>nF{HwTMiO`eqCTe@}6^zN@w0CRx1RB3*I|?jk?ckf{eSKGr(%|Q4Itlx z_cI$v%oLiqj}mz-S;SVqmbJjk6T+ogU2!?FcqM|e5_-*H}~X|&1lqb{7I-f`xmr1j6Su%K7#ME)E@ znk}dfTXR##zj0s#dtgw?%lR=#ai6kR5`Mo7bw|}1+4A}P*c5SHc#Hy-DZJP@tdZ@@ zWnK|(CTIdLcS;BHS(U6wfZ{n){C8SzL7rcX5{g0LT=leHP7*Re%~eCY?0_3xHgJd zmxwA<&q#8jZ5XhinyI{e)%lep%VcJ$&IhHl)aj$iYDHExFM1>Djkj+As6~7CF zn&PJA{KHgOjJuh+3?pxczM&SEJqsz=sS4bi%d&`7TjRbL#8RAxo`kBnIK^YSnK$T_ zV=niJ)4raFIWlX1I(6BUazZg;dHGu2dNAe_tsE=1vGB`*L}rV#`%KmZ%z(+}L^R)>=^9QQq_KNzp^yLlhHS>$ z2;AcS06WrRA=GQjHt7PdvRrugDnkg^&*h^Hu9R@FosKS?g z=nl6YDLubr4xs%i$(9mb3hqs)k1J!lU*t#h7{^KJ5#(mXShVTb<~6w)KX%!`OXtPl zgAW$VT#hs#yzgYD?OtDW(p`rPQpIncQt1kSPewAY0_|lPG;)6ssOPLmsF-OWDa@;G z^|eRi-953=Ql}|m=T+~7qS|-zmn>=Oh6L#G&9?7FLa|BgMijI{E*m_ouU+a%Yv@_p zmGpd7wS=sK|Gkvx43b>YeZf-MuAcqxx|%swP#pqCzfBdgRT!e;-Uu#>GiZNT*d|_L zzGP@um}Ry9XfWVFFhg3S!Jz61;HDm6_Z|-(_AK=ULCT0HlV8AOqh!XDY0b3D>u{Tk zcN;io<;GrMBvvd4%2DyvC_q{Z;6*R<^)X;RH^=>NC03tVe-%o4gLt`95QbSyk!da< zs0BYoL%8)a(s(o?Ps=)6WR)OH1Kx18<84^uY2-@n%XR`kWlKr&u81^&34bRf@&)U5@!Fl6Qz(vwSdBFch4g3qEe@Qv~CS>D`j;j$|H(*i=Z4lH^N40Um!EvoPN zc*Hs{GB4b*{00!#lA+KTt)}>zLzVim{2c1GMp*nSv=(ZY1 zUB`KyrSFPY;ypBgP17gVTC~#2=1@~u2@vzpy-td$m@g7=Ls$hO<(K{k@tKW?e1Vx_ z3V1$&lV2y|?^J=|>i4>@xy!UsZi=Em3SI)!IRICrSC)Fe^2~F+d`$Yo)PRU1Vux?& zWF|p-dK~4n)pp`#UDN#{V3T)Mevh$o!Fp2FF&dsZMPKPlMC5Pb`}IJ*C$2~5=GtxE z*?7X;T-?NN-093`s6j!-vq-!yQ6L}}`A4t;KJz1ec;RYqs|BKXo6_4s0e6!@min+-lje$+Y6vS5xn5?Z>Cc6J zi}b5nW2u07ZkFJqY|k8)FI!(TcHwQGJp#H3MVo9ATD*%>cYN^_PjkB2j$HA5GEjcPNx0tT4JH;Ee^e}mZFoS*gBH!jonCUH=O>*o4Tdq8;!dbjk{6d=l} z`2l=DIY=O9S2$#n+P{6Amcem2R0CGWo^rX=lUJb}= zp=FM4MUBRM#NUYR{yf9~``ZPLJ3n>%m);}AtfWlkI&FB_6r?2Z^+w}!GrTY|aAN+u z{T7P;fSl@g3-HA@z$pPZz+17hnLh#fdoCtRHD8F!2QtoU@t^0SsjtHw8%tr&q!I`) z=ue5Cza*;vNm?lINcS4AN0CSALmL)?LQT}(ylmjtR$teXc1U;9gI2dbt|dlzu5>^Q z2RTIrN_l7CqpQ9OH1a-x%Sj{vGfuofFwuh;s8QP}H&V(hVqOOz*OBxmy3G)3vwiZ) zZBx?K;pYH6XlxG)KUa)dKb*v%Us;+6f3$k>4PsV}a@c`6@d2sFs;#?i3d!w(gVLWV zBHy_`N>f%U$tSv=FOKTEl}jA|K0|kg8pCjv0>OCCrvKqLM>?)B8|{-BRDK5_PxA;^ z)H0nKdi9=|L|oV}>X{D&_$ps-g49OQ3-@P)s5`dVi{D0BJ83I$&9m6kn92H>I_WVG z3`qSimS}g5lqB97rB_*C(5DYMgMJ+9J*Yz_A*od_uot0s$KRM*e18Ch5+09UmPPi&T2 z0kF5d0}ba-bgQ-Gl9jN<4ro=mm`0%`l&_m3cb@#i=w09nX#{Wv6*I8Eac=@zX$fyB zbm~obB(#!-%1X2Z5PWL{jrptx@4`6ODKlGFO)U10IJKB4bf(he9qOOgWTu^O2)*jr z7&|3v@~OE$uSXX2qm$zooPo5Aq=6t<8Wdfq!Isnpjh=qd#50+^c7_5NM~KGElDg~r z?v6UxzPlHsMZNMji*S8S8=jTeQ@*^@Awa&*<7vczG;e=-UY>^Ck zm7&R>VAZEcRkrJLBNKQPPj$Add>RkOSBxvhuQ&llw74L^bRmzXN7T)92$$W$b${|d zwn@fCJ^w*s9z+N5d~=CYfCnQ`p0R*rC`oA%R ziBnOc7QjF{NLU4)I+{|uL7sWqJ?!ltWa=Ox^P;<}nr^wF8dj3s^71*{@W7^{q1{?W zv7#RR%QjYu^D>c;_m;?#o%Hm~B2>XVpZx5;n#xPg+|T&QJWU$4C95a^em)4GPagYS zj8V8Ib$`CN+D&A$(SYoHm1blE>g9#vAyx=LWf_lhQvs~9Tsqa5A zZ!L{9Y#Xo+tQz+J^wVZF<=y`}(O89Kh$mjT;Hy<8MXQQa-Uj+BK7xQ{>uTf*$%~p| z+}Ajzv1~-L ziJ+3-@#Cj5TRbI_SeWU<9=_O?mXgSUHClGqiZ~6wAsaF-$K1NbkrcbNd)V@q0#Q!^ zc4D?{Tvw3*`v35J!Fri}PSuaa9JZtGjrVDCT=< zWY45N7=xvLnkP2&BY>-QuG~+R`Z7gcukwKva)x4ufyXmqO6y41;#0%ms#?<60p{Jn z+#%Hp#S}C++z1Pf*Wn~dr#ejG7(=`(*v&`c3)Ypy0s&*9n;!={Bn`r25)1v=QKM9N zLnTorc>9XIItoDY&aX#CN;z3Owb#KxP&DtGH?E%Woco;7B>~pbi#KmUgu2}zAf8NK zO#?A<;vPUND#(o7;{%g1=iaeS&H7t}D}?q8RRp29=e1xZc1y8ju|DZJ=;0v8W(Z2J z8YFfTFzEH;gjUdLq4ZK!nv3$85b|yyraETg;ftL4HE|4MR?zy!n}(>q|D_Mb^mo2xp#k~m@w^z zc?R~fO0#7_kczA+m0|xH6E<^-*c93vcI8CR_eu2YnCaGj2v^mFalb^#*Uvfc2#Ks! zYf$E*m{{Cy|2irCX|u`UkX+wiR7F#w@$G-eLxoxuh6S!|$sf3^9ZNSmZp~>FbxRcP z5G|i<#2w5lehv(%0?uR{f{(BNUPL~bOu>XG4u_ScRERLL&yQJSruVIW4b#*m3cgA6 zoNmSKi>=StfSTkhd5c;Vewt4!lGZp;8b_YVUf%i{ed)4ya~k`Y(Vr<*h$oe6jLl$~RIP|)_8Rd8YyO*fk9 zD+8>}LFZHOh3hN0{9Caj9sT;G!6g3yIK5eXi~k6#49$J?>vqjP zbmm!mkm7|%3K-1p+XFn7cRLQLGMnibg&WN@<8R^0Z&Ae_2+a>6pCty>^;C| zHjq#q&Efk0J&3=w(Z?8fh67Y+MepS$gS8S4pxUdqDriW}g8cszO|!+lyE8kBQ>0(7 z`T#bkOIn9){VTVJ*-0Nx6?MPQ$jXC7~MWUqP9(nbJndO z#E-OybAz>h8UwcS^q?e6>9WyJZ3iyBP;NZKF19L&c#`&Acf)cOd+-_J9W~$ZFZQnc zvK#8DJg2q+_yB-BauTy!3U_iH+#!XzNU7^j;^j7KwS) zW5a%M3}1VBgS~5c0AefXaqd07a(U*7o7oY-y-t|srJrW`TdVlMEV}1kHZTad@-zX2 zl#$|70!{J(IbM|T`BdI6zoYS^h5QU2UggoTBhVhf9f=CuiLt6TBN3u1ge+qJH zw<11yYr5pC2$G+`vw|40;qv<7Dg(5ZrEjA-t{;Q~{}YUJ6`OX`?WPn3u@qRSS1*Rg z<1=h?pyEZKyTj1{pw3wwj94Og`W>pA)qfDZ>W{FmntJ33*%EP&_>%fZAOXiqtM^Mi zOywJpT@)QKzci_~yn3Er_J=L)rK??l;;Z5#m@9_d=xhmb3gve-sE^}S=zYSj31l}U zi=-Au0gG3bE@JV+RR2w*gF?(3!>x{QSX~X@eo-DS&{oZK+HZ0g4)VK$Xyl@*_;7Wl zpy>zF30{gA&87i~ycOU2))>u#>GXtidal+>@e~eh(p8irfpm?DU`E0>X#+ktmU(^r z1x<&tWSnj{TRLxuEA?bPFWJ3DD-6m)#v$cIn|F$RF~>wn;D_?x3>SGGLquH2D8+Lj zTg+}$V7Vy<)^B@nqbhhy}fJwe5Zq{oN>ZHJAncliv!o+a3%&o5f#@HE#~ z!zUoP4j6}4TM&}SLdcr&(*{C6FcQ?7s79FnCa6>rcTZ1e+Dwp$WrlD35ePE%as5l- zmXpQtLd`N=G3$ulJ73Yh_%Yr6BpUzamKNJ$S0XaOuRS)rR1oC*4}k2-d*P42ivRhk zY~x_+xcx2=b}bUKu~my5af=q~rIrX#1Q&uE@>=@LxD&khoJnz{YUc^6$;OW>yZ z7`-2TZcp^`SQ^5ch{(4}W8cHNCF82oBSRST2kxGi(5KW&cRvk;C3A(Uol@&$JI>zhNF@-y} zt|tabs2)z*&y7*hUS(_ivyx5eR*X<6;zD!jj!o7tv?59zdU(zxvBYtkf#5hFc=tKQYb4O3G>2rBP_DkB z6~-YHt=3i~*K=>dPIJ@Lj7zl(nL&ve*wFVS{A z7D^ z9^XqrZ>2=b(^Sk%oq`cEcYM(Tc z-Ht02y}XxJ7~__AMu7%KUi1ygbEV`py!|L$M=gz~DNpXeaKoW59=$&@Hsz&2T#Mmg z9P4rRY8gjU=IO53LOb-K3tVrXlrnNstF63vb*XswuagW(zLC3MlxRQqid5>&FFZ@v zl8cB}D%YE~VcyJy@~9RxIxTW{?q(Ycc*vR>DS^xyXryuRyZ}r@JGNTI&$66b=}PQq zsnwlU#--VFd%YkYjB?p`NTyh(I%#H!!a$l=N8>(%7tj+8k#-y*d0qp=Qov+WMM1ENJbLxhI%Hfy{Bj}6 z4f&$!6+Ov01+iDpo-J_B5^4zxzpI87v~H32AgEFuu0|=EIREGsG?vL@77H=d$S=Hc zRjxsCEeCTgd}jXs+dYcTy*wvCS<@5X=e zKx%N{3C{u3VTlQ&|72*@&$M`uF?9)@nQP@{(KCaj@4Q!dC|)^KWkT(UWHlZ*Zp5^JePKX(b1 z%n~ob)>3J}!m2(y&9qq%8_`f}SfX(Jq`7)%&w;t?gAaXJ&pQ#6);tc<9EH5s!w?5hVOyB>4k%<51oGth|BzG5f zA&Q`S%V^r<^bpqa@%{B7#NI5!5y8b_AoDra5(}rN^@fpMYP^b?^D0sLVGX6rP1;se zwB^o6gz7x&N~>X34BS!vGNQ67+G9r`-7XZBC0Q^eybSB0n^V2263_tT3suh`K(yQa z!qG67`F$;54R4S`8KS_o2^zO{pNg)eRshK5l+Bt{GV(&kC>l!}P|PcCw~Oh`zj?K^ zaf=_6-AqNL_3*wr`S^LUPoF^nRS3uatC^3EI=+Kx;H!wRH^y7AsnGWK zI)8d=*U8g=kcjfxx_1nUwuY;kepsro?O5&vOPGehPhNA-`&lZI7JpgcfUxqjz0&v3 zs+7udOdOit@5ZKnD$_UnRwNX=MqgA>X@^p@GAnI+cAcu2tMoX!kg3+Gdj^z(I&&eM@}P+TL0E&2%tY zPzEuNy(_>|v7&Qanx^-?6JnFQT}P+?j(|d;STze=0_1h?w$>zxaTkTauz4(ns-_6- z=UU}5E9ImdKhBf+<7i{4-PPPx=@9W3A$jR{bcDt7raA;a<6C%;E9o0wDO@83MQ z0w1i?xdhD-;h&&*&h!MO5pF?2!3r^{vXjOYB4cw^UwE&QMUILiJe@;COI&n~Q=+lw z{=q#5!rbX&+%Y3khf}pPT)W%CO@A*4(y&)+nx-|BJ>`n;b77_#EomHQh_kgue;O@FZIGDx-DiT}5CzVUmW1R%-!9lifC&*a zJ=<<*mDRq*>mePCkBcLifks8min23^>GcM9*ZIo8ejhKY2X44G8Fc&9CDcCg!aze! zW;v2wt@B!k<`Z*sxy2!)E1f#OtFYQ1)M+;PNKMvAQ(2{uwq$W6^6;9&gnk(#QI7z9$VM`*-AwQ|KfO^8gz6$n z;;84Nb@g!!av6(IQL%=^59o)vwZ8o$T2B(e5wf+p{+ggNzq=i&4b~X;&Uk7LxJo$) zC0P)nUOCuWK7w5RWj2@+CT@;C-%e>61&ZH{vDV#Z7%UB785{__-UZnJnXR<6!KBk; zqxlkhMvB`9blOb^NR~zbt^&WN9sGS=w=A)XoAo6+#9f8*eXmf}5O$*+c>O5TV`<6E zZV(xn9w)Xm>~@s$RL!*ae3Dp)2pUrvZugC)C(EM7pP^WHa~vu5%KoRP>H$?#R?O4G zaQyC*ZMa@&k*NxtWmLUWGiT#G=;U|k1igT?<>9?Zi+GcmF^nxf`9B7B%U?h!=L2>`QLrj|!5QKf1khXLNwlk9So4?u zx??^C<{js%EVj9oFDAK0@ZGy zJmj7@ZlY7ugEyRn3F^JYzFcQ4>>7`UMVRJE7YHgbRN-W!*lZk7taGr}gQFkhhoA8` zgGFUP_>EN~SD-|22<%};T)bb{nJ-G8>Ma}}L06#7)87G}4Ovg~Fb-q_e|h&OB(lR| zeWBb1=q&Q7-Rjhw#_b)xEojq{Uj`${%(NnK>-0T`;Bf)Cm{!gkHL(uMr&#HVBRB`h zkEG&}7u6=}cB6lD$0W%<0~Mv z0zXY2(447y*hHgx^0vuiURU4Y{N=0w2&CvHLrLW|C7lSO*1-g~^P=dV zU0r#3O9&+Wl{}?-hnfas!LpF zmOGM1qm%TEQwP4$E_v!lsWxn`Xs>v?+!x&aKURv9kwFlEs@{>WJ@K7g9e(3B!fgRH zQzoxM?q|~9%O~paX(0+dCfM3FdAyHw1Z{aPr$Qfp(Rjajqo|l>{H{|@4tP)2D=SE# z0|3M!)sjms8PpHFt(^ZJ&O<$W4=nzRDx<=>756@Z{+PF4?r<+F0IfJppykn3X`>Th zOLl=4`;+UFzT~%_j;+Z~5{su$+&%i~t6W@!|ev@#aURI?WTyw|xv`xJHgH zlKx5~{{jE2X#l7T17861g-7%XFY@!q*9_-r2~SmV_UbQDHwh7b0Mqf^?S{{)3!m*I zsp&h?TZEhi5X072g*<5lRkONJC8ChsC*lqtA0NClk$V;`9z+BEzOjk{<4cgl+2j++ z>B(L78KOXa$i-&xXOc&%l!XLo3J}KEjIBuJEu@D5;Z{E6&r?><_k3foz~Lkst;gik zf$883I3NTKZb8!Mnpfg-N_3yH^I{0Y1`dOW!A1}gy4Z%}qDK=+YGjU|ygUk2-kA%l z^G^(~e1N%jP7^=tkV*W0s47>-x}7q2VnB=jJM`a8sF;P+dOc3*ArQ*uGBt~z4jr(n zJKRNQ3!U!~C{QmRi&6_zXL7|7JuK8@0jEZZrB2Y_uWC1=KoYx-0S)vD)ybueQnj|c3Eez_WS z0ct{t79;3ntR}9rv$J5g!2=&SHcy!l;5<7#wS|trUJ$YCOy{xE`@CNls1EJ|yzAC1 zL?mC-+9$F|EvSPHjIoGA57i0)7zRv8-v0#HfpDbxR>1}h3S}yCJjvfGQKH0gCGM1@ zAEupB13K-0YV-J?8VvS455ET$PzT4_fh11sEDb7A5UYJ(!zTn;vIS{$^86N=zXix) zi_tj*pC{Gwgy$fUV)1m_*2|)(fVsV(v?QSwU|4RZIVPoeKO&&OAjMA3YrN$RbRJ_@)e~H$EA1qV z?jkI!Tu?<6m}q0nk9cgr00Y-%=0*iT!hEb?R&n^m?3wbbOO`d zq5TLz9@DdUfx7uDP-Gj0aQ!Nwo4bMhraF9N)lL?MZ9RL8d7r>^o#iw%JRsP$TWuqD}ekTa3+*gtJo2F^zY4E)PW>X z`ou>KaGa){t#=1HVbGwS=VGVPXVO%CV2C>H7PduQd?~&9D9OoR9Q^w|wjX+cq{CmN z`e5kN%y4u(GHT7-q0O^zl@4Ow`hOq(+gHV;uUajm!9+QRhLbZPFOL}! zUVyUg%nbEch78_@43~562?8|uterP*0~C>5iZouc#>3SK#qB7E*CSJ zCSAk6CFp#4l5Q|gd0huJ37g;BJKim!S~1A7eqFhxN;muBk7ofw-&@in#ZGU*EYP{f z0*=1OK6OJHMYPvC!@6uuHaKh$C553{^^4(zw1t=UiH_aQh#7e?IYu_OXq_@dE3g~_ zRG*D>9w^_R<4+>{e!Qp`E-_@#pOmun6;$u-L=^v72k+(gOMJpHD+_tJ15eIRZ*h|a zB}jygm}KSYJtD$y0j{s6f@|(z2Akkk3fJy{^>@`JKt4vx1;RQr2fJIP(~FZiChy)CH7xqH#izvdwN z+HL3jsq{~e&J!WrcZ|%=PX*9+VSIGSMW027VJXshexz?dQMK|T^f2;#SA?yYCqf-b}$UB8lFC@~*{xx}m&p z1);a50KiUaq1bC%>#^$64iX(ZKhkDm@JQ!%I zioVTll)HZOEF8+nJ3+&?0W)Mlm&{Dv>y!PDCz_2F7nyjMjrz~objN!_{@IQHE9$Gm zs_dGt1wm4}K{};NKndwa0fUlmloV-@K6FZnpn!2qIF_3P^XuZ|>*)uIuwJ z9(_3HKKtxFduGj=wTLEb`s5dJt%>)A`}ul&OlST{DNi|kT`-rE`@V2gE>Av# z-jW4<(A@?|YyW^->_fq5&ZQjry*FPes&$4R7sHqu%^NXL1+KsnW4fY_Rl9HcaM*oM;^|3qlmARIN}qjey}83m!Duuppj7|O}bh%94OBk6KhLQ zA}dK5j23MmFnaf>+$nQGsOotamtxWbL1r<;dAMqkp`bo@CguHlJC;I(^zkC;xz?Pd z-UCrXlvIPwR0`jdPnU_cy@#*yg!qaS3XXp@4tiX3@ZIRVL*;5(5F&BiTBMKBrh)1E za<~#%a=|Sz|Hlb2^p;t^hR-6r7xZ3i7j*6F*sSn+%Dbx3@fmr0`D}0% zXPHJ&(ck6cCM0s`eVL%^qf0Gd`Z6P*=*=8qDBgD{B;V!4l4+RC5@R-LWiHLFDV*4A*m>J6 zG(J}=F5u&Diz|`axYnGA1NCheAyY*%=Eb8HQoq&|-{tS`3_R6v_4A^vS@p`4^CQhg z)io(r^6IXc`0Ml(P%cVqR>vG&HM`eOY5q^<@;L55HR`c%d3b@GDU*&w!rZl9*AN;x zBBH11w7+-gvR+e%=s)`M6eVhoe%I+y#};CoV%o`DH8o!x z!B8zNkY!U8mu_zTok=6!qRB=*M#aaOxJ$vJL zHsLg7g1))}eY*IcvGngBFlkNI7E{09Zy`_bZ(r5+PkhK)#*^TT^-jcsABDYR<@h5% zrm794Tzw@mzq|X&J7w0C<(D-gDUxY6IWf3)x##d63tDhJda;BwzMW6cQ%rV7;wopkYjc=;y`t2wZrfnxSNw`rsW)!T#?>o%Fp zmsH8Z_hjoiIS6!oSKMuq>6{n$baPaDt-lhy``fA*X=P;VOuQi1*^WWvd3LV)#O!P0 zxHKP0-m}xANjJ0JIw^suF6n}mb}4dV`8TD5i1#a$z17Aes11vQVCM*mh9o+M(tDR$ zeDOv_Ie~+L`hGg@cJj?@(#$w6e||lNkePInl`heak2>rOQLfB{K~?YQIvEV6O~Sc< z!9RHR35@O|EMIch1n2UBIw|2VLoMwYjl`3?H7_=%^kr;XIUT-plO@Td)LNhurX}mfBnm^=K)6i0$P?8Z}8)~3g{rW zrmW>>-}Ss#DSfr)W7=$gNk27dlm@=gxHrtvt@=6o^U~8ZVJkD(?{A%#-F`%=BN9{Z zf<-eBf zs2#*f=1Bui{-|J{<5u#u*XzXl=QVj^o2}l&3gwxM^y`?Ne>M+ zaoIY_*``@K^~=peHx{4}-b*Jl4wRm~4dHLMS+Nivsl;QZI z1S**&NSqJo|MXGYWX??i)ZpC+k_rQG!j)y!q%sW*81b@w+veE6_> zKo@=wy1aY)%w_=~9kTIq&qn78`WIs(@MRqFq>k+lZs= zA?FM6R9ETgug_jf`@`%;=D(kXt6pL>V7s@Rm!E(8vvvP)XNihiN&SIAJt5*E3rRF! zF;Z3Ft|bnY-G0`bc*)qrs`qPhBb%CQ-{$)aE5raDb4Lu5kz2@z>v73cRylns`TCbH zl@`QxJZ0F%-J#f5L)#WV>1t?@g>Ol(xQzD`QMcnIuruFNF!f`0J53j4{eyTbKhR}$ z3^?Ea)yQnB5a6rg#N31Vbg+o29{+qjeXjRrkdp90UwotrMpU{&fX}cZicIP1=M3LN z6#mI1sZ{i>AW9r!hsM#DryCMR4q>YASg#My$k@dWZDh~%fpEbmQJRZ`ktau+aemu} zTa(jwEonqnWS(AvQ;v0wpJSO+w$tK4pSbe3db4Eq0*)MVLT!TFr>*XB(JA0nG-8-2 z))n7Wc*RICpSZdU|5avFUJO1(j_1f1;$oI(!{HB9dKjqOj>URjs|d%kPE>x^V`5f4 z70L0W8XF3ViDqQc(iN#G6Mnhll+M3bQ#{Czj}J1aPpQs^nS;Zo@=64|IHcyjZ8mW0 zYWAq3qe?Rk1O>j!USS?Pr?sO_3$w%u2*_Uh+PTLfz91=AIpXS$E_2x z4&{amaJ?xcCB#Ide8Sg~et7S;x=8#Zea_+1saRX3E#4KW2|&OCw-H17Z|2LTkd>z?1NunaNeE{S*^Z zcz)!|(ddp+Hx|}Mgd^$GC@}dP6mjjZ6Mwm{wB0(>=`p(#ky-gp?{&d#Q4Dcgm)t)Q zPFo4IBW{0eeC&IwwU?9%Dfp`O6@zO`twmP{RxM~+6*~j`*51a6&tq>=AGgi~z`Tju zluT#pPs=gH?qWIy-9sbFGXQ14Fg0-WTY-Rtd1eW;ZXcZO99w>=zxN`WF#pj=pYs4mBGgE7Q6eoR>mbjBrP}BUkJ#c*ar}05X zP*EfbkG}udD*$pol4lr#Vkq{Vdg~4m*Gu2n1R}QF*{q9Px@;N24p!>eR~M)9XF4OB z%C*!_&544E@d$G1#6tI^pWf?X|6F%*kgFVb@i;GYF#LgCpFOh)1Eq+6Ttev}YnI|f zOhqJ)WUvFy(jS!%i*?RjOyRZ@mJpgmG!w7j{)*6>I~x$^ax28d|5`l?HTv^59rO}f6fF_qHS?37l*HaYf9@I}%^nKfgQ zOdloT0@z@=0#W<{nj9{+s8OE&{CCXEd==tjaG7zJNRmX|8cr9VndLhMIgYjR(a!QH zG?L!HM$t*c2g>KGvd9UkL}n6dM`?qFq=6%o)RSKLQ=ae6n;HNW>uo}0-!dAfvCg+B zuV39dDO%X~(ww?2abe4z=p6Rvjw($b;xUeZxk@bQ5`S7WBk@m{B#!{~Ta|V(V!1B5 zd*L+z!tNzpsYdZD+!&dw#Qx%mt|jmNgQ&;AbIIVBTSNXJLjZ&EWFr*|4^!c~i}tQe z0K-Mr*)vbSe>cvf1VtmB4nF0ZPafq^a2IxRqOwBkU>fV+eT~u(6YBv#-Q+U}lKU3xwdbGZw+y@@4 z9CmyK+uGIEmoLqA?4K}m*#|0rBE3p|Voz;_b!}DQ#!*RP)2bU z$hO5!;12sW09bgvnb|)lRG-7z3WPN%pAC0CRZvxtFm$$m)S~ft=OTZ;Hf(Mg+MO~ra znQpN)S3D`Xw=V|IEvQm!hT>JpPTn5l!Tb%nFjv=TVKp&@H59#efx3lFL+jWosULd} znfhEQvDD%uA%nEhpw!s;4}&JHQQ+}BEYSR7eQ8CgAoX!0`6g9O@atRaW#%r9eB72? zTc}DiUCj(O$6J`h&2Nu@y5NZwXhSS{RbcDgETt|^W`Q#a>$7WuL07tah`)E;>C+0$!C zur5EA3lyCzi|BK}vAr37q-KtOExVT&-jNQNkdWH@+ z`e71^IU910tiN+2YgRuViizer zix@z-d0{+y-NLFv1==jdhKg%uSc9w)5kN)9XW@^RFh?(aS_TfZF|&gCoCMCF7(j>T zaCv6&t8}C3P5E07jLl9XNIAUYF0PMzsi*J^z17uc>Xi2M!faMdQlb-Ar*Zq+r!8n- zFA`lRXL3vHK_(&dbL$59fvG)0y)*>(4(G-Td(}H0xrDB_ps`RIj%?vT}NLu+omYo-?T{C+ui786SwU~^#Z{Xgt9+R8WHuNrAD!ey+yS>-e{ZTR}s zdv@%{@G#wDqm@QP{HLnJ1^R87z+&jpKrWE?7Q53uP9|xaaHEy+ud8D3J6NB5b9uHTqXop|Hvqd! zfF#s^dgM;U3z;6%UIW02x$(Gq#ieHc`+ouaOYCQ#Lr0sgc&1qHe+PAqkbF%V8rG3T zHbMV<@cCUslDY5~FqDSO+0V`@AicvSBugzn1khIkBuI*%)FCJmj~C>uZ(ufM+{ZFm z3Hj=mAniY-C+9)z-Xj@9C=k=tn_uPL#Y-OmYU~n5$gm-GA~s%(Tr&?J94}C1B_$^> z78%zYFbH?Zo*gAkKpLDHDHz0+@Zi&fZfYP<9WFBv*`hQqk3a|9>I1ZfFK_!B?}AY& zbyQn(}TNaLnC-dt}M*w-S^dtllV)u&hm()S)uh`ess&rGMO*=a78ub|Be^d!X2=P zlVY!$_Ac~=VPzp`V;7={!u}xh#m&E$y#bqpHt%3g2nxwl#Do0tTifv==svx(z#k^! zVqyAS&gcna&B$!rkIiM6{wtEE0FSu@@YGrHJ`=a)QoQ$Ux{y16M1O`nv{qUSA+RGe zgYD#6-e+ky%?tGIKl?Oxs7U!FFAEpwWE?6nG@^^pFdgdr4$PsC4+~SKJ2!(DINpmdZaR$4d~wpCZQ=snx%RP#$Q_)|yI5<% z-WD+i8=mv^eM5!w1X7OTyy&1%2kE5x(4SdRsuojvF6W4H-)M`htY0=!G)lQn?2I;v z#Qz5ELM9^5-YGotK|2`SuQyj}ZD-RY{5w>q4*Tix{vCliQL(#M!u`hZ_&(f!r&oxv z>NrApgGLVxq4!7l{D}+j;z-GyC`S4~sTA+Clro)5$U$Zu=&|f8G)Gf$s2f?P2QDx> z4M9MQuDF^{prGKa2h>d%9RE>3NLx0)7WvP&)DnkUUJ=LxUoV2Q66dv{lt2Gn$F zIdCad7gra2S2kt1xKtZYF^q{&i2XR<;L6eXbljFpw)FS~22RNv$!TC7NJ}qex-CX< zWR1D`Cij&&UGNPFfT4sRpWF>76#A>1&WY4`5!>2@i?UYRpyYORgXROedAuQt|2 z*y?*(#MeF(jh+tnJ|#)~;XTz1RFZY1|n+hq9Y>b^`iIbc!J`aZm zfotixg(vn|ln;Ba;A4d5I?~4aS-+>utaU`PV`iG%s8;fGRDQtj8@}VSagNS#{T}f2 zS%{_;)B1(R&OOC!=5x8ba6ZTUudy*h)S;u_Npw=$v%t`PXe#*UnL#A>H{d&cM3*iw zbqo>u{10!=|4N15=?mW5Z5ly-Ls)$`^8Q_bE#QKb?t>@0;uZJCfUfNBwa^jsklZFL zS#-zcH-E~2^D)u5=_OgQv0J~WD~v_1x*m|mR9J_-ByyD`Q>9VT5};KyzAZM4e{}te z<8K4ES;IJ?{1P zh#WXpaKj&$`tUYZhGXY5@1nHJT&*NN#>?MPgG z-Ce|L&wv{vPmJDuM7#Ee=2hyD#2+UBzSxt>(P03N2X5C-J};*7cB$XT(m8DT zpRSA5tX1@iWGG7)^KTSj0!yXpfgUu~J!t0SD~}bE#zJ>6vn0JLN*HcGx7A3=A4`GW z<+oayugV32Zi|%`9#RrU>6{$bglX%T z{w=WTO>qU%Uk`Z27dEQ8&ZIlfi7B4bi~1Sqq5KW+5J6l?L`(V;?H-+YowPhH|9na2 zQqaYQ?4|^+q_+%$^+RXev`l4!O&dMOmW(5j;4h^$okbxW9e|{>gtN-gdgSFV6NB!Q1o;EICO#i{fK~?kizc>XSf}rqf#f%v%xYRl}M#z@?<*nHd!gL@GYp0?%vL`nbnGYI4^26ABjQB~Lk)A$JKA__Ej zsgdF1k8u|<(}XYI+;qP?9=OhBvZunVju!EKf91!L$!RAaJ!+Y$>8w)IS^=ei@V9HH z!;_fiw)A9Y^)UuH*98K9H2C?D`~ETssLyvIpqJG1ksVInOEGjD>V5?oiZU3We(pT@ z?+)_j(fn))Iq}T$Oxb^p>{d?69o8*Saxs7NCjgSe%2=$c*4K@{- zTpO%h|l1$l=b2?mfE` z*3)K8;fiZes(c?p4)7H_W~GeJtTO z8+OaIO0$*@Y`~x)pYNuqgVRg zeQUt^TcE-QSUeMjiT-H{dua-D$#NzdjtWC7GIsT^A#&{u_VPCtkuGR>)3RMvi*WYm zATleCjLvDnFuoP+P866TMKo24MBtetwLK)p}@z(jCrwc z95K_tqSB+va~_i4Gs{xo*Zil3+B(*jRxo+t-UKgYMSg~ZF!vzHlp@_Bfk(0^(y6Ue zIa(!cGjx7hfrKW>paxUWe37oylHDR+XBqBn%=2MBBJvs8847w2>VqWM7oh#|{woehrH(kWIY24hh1gR&_l*7UWG>Szdps-9Ist z!zvw_LN~{rTq~KdIeg0yK>U$U57k5IiDfVtFNgEnf#X>j_?ms_9op4vp6bz_W^kLi z!ou~EKL$}ijxcSyw5DFP=to~2e}B>(z21s4alUB?j6+-*1%^Xn|9AIQ_{$VdsuSiT zu-ktAf>+BE@;iBcj0}Y~^rH9?6uf?e4lW#IlEqtN_D|E=_~(5LZ>SG^z~Pxw)pRQ8 zyZjc@8PUrrj)`yw4sB@+hL*v|S@>SK1fG9`J03=r_=a{UD)U*q~Ftf$$!{rh1UPRQ~V}atm^Y z1&cQD!f`bNle8T$pzDPyav9{ZTZzUYm8XX$IQQd{k<&blW3DX!wzv!#N1*v_eZ7U> z+9d;Y@5guicX2tTt^3lLO6w0YMimUy8j1Pg+r(_y7@32?xF?B;iSxWru5{6OKY-V0 z*fRWL|7u!1oaoOkCc}K3ArupJ#Zb=WgbVgS!-UV~jeE+gM6# zhiRW7oM6O}vG&FKO(5m`XN%rOpgBS8+pxS~5;6-T>Ic};7yB$Pr|tpo7kS7dF;E9f zw)>Ia4He`XFBiS-<5r1v#IZHG-DRP}?$OoW!iR!Z0R70+t~=n59enN1P4{_Li3E>AZrIOL-|M+Js#X`Q8TbAl~Qa zd;7pPEecu?JKyTMWu90dZkqTHD67d>48HdbF&X_U&}Ef>3lVqr@_o}7v|xL(R?5AZ-QGD2;)GIal=4x4Cct5;&>eqsmsiM^FOs9h~d zYHL$)`Uv|K-V5WyCq!)y`c1%ah7)5f@LYCTaoSg~>uuCTLlFjJ@3V>?0X4$v^9v|= zbrT*Y^BSS({h_x=BV|-(8dxQATYyyp`kn5+p|jjvXHc^2zywAQ5+Q-;zn?;*YB>x0MdL zSVlBb{7xs1*^XDd&lqFcQ$vrUpd8R){Lq`JG_ zEY}c)XsxNZ;^olDYFc1%KHr!c2Zs4}1Wp~5Ck+3*54gM-y$`MyI)mW!{+aCMg~f1_ z@3wM1gV^w^vw)<;#5yVJFzpAX&jGkncx)C-O%}8Sy!ym5d^Q)Z09d#M@2BlPR`{MU zpFB?Wos$@zKM?X`b&w6 zFi2YN z_D8`)a{Fq@+q5QR7Hv3JnGo4?GVELC(72V>-VFqBW7JURXl<%SH#gj=Zad5u!gj{Z z_}|$vNfIfo2njY5EXcg&gz!vS1?Gv_3z*wY7X9qKtK+EgSKb1YF+|J!Jz(v!7b6we zWmF83pz@t@;t7h-p6Ym6n~j&otLI4B%-cxr1wNzY?8%c zU9kNM#9gN0gD55%D-iDjuJp0qoXA6uNm<_2wIZ?(u|K`1@fT%7rKE~MTn*7fO3Va9 ziLVudTj%Ilj6R9tpG=8fc}~^iR?gqw`7oOmLSjZaLz}neTHT{%Ctsd5Iqkt{TPjoy zGln{6@w|$s;dp%2cR#;_`wY$op(GrijBw4HmS(|hn+TPB=*~5v@}{C&66;9jig<(&W9g4eM+Ay+eB?J{%m61SsxDl*7M^Qx^NzpSksa!K~BohEQd7#U8L``gmz zWFruSxeW@`ub0SBfb;c2Ud#h_ZEEl63n6K*`wVlSF$YX1KsC=f6qaE(N9pBlyXMU< zNHfP5FjjSSh7rdJ)N%Jc&^)<11DcRK@Y#LTca%V5Wf59IzcQNVLuM{Pohjd<6#DGn zGhfD##K1)04nnhcg}#{~pznL+QGHh#xyB5c(~#_K-@IA* zE3PagDjA%so_$^!1&qP6ZEpjzcX`nT3Qyq#9(~OC&zrl{WX8}yfN{;S<`2d3%7^Sa zHm_VD8`4d{(xSmBeD;f!|BgO# zSk$!~7QQu&mh%Y)kYN~JC_}_9haiKhm`wCcS_W8%`qj?w5LJ;!1Lnz)<^Lg;zNN!K zd@oOi>>BLG8ie<4@0H0Q-hhmFDE>QxAbPT z%jK)m%8DMb1p_F4e*m_wY{*pl2nn|I?BW5$b9)*qv+4&(P2)YBd-=rQb|@$GZ#QM< zS{j1G%Pcpmkr8b#DPyg~s6p}ZSVfI%)r)>rgh~$r%1J0&8JFZzopf%|5On(t9jM+Dl6oFn zt_;7w?W0&sC;T3>8>w2*5f<`vVqLRpG&ViQbErjHyJA${Dd!0k2C!fJ;)PMf>=Zo zqJ2kM9Yk?|uOau{?Pt_GS2=_u3kPqn^8B}QW@LN`%n4+}psH2C$!L!4Z#fjlj=u6i zf%?4iK>)SghlHHLdv{{Uq7xG2Wonl{d<^0zJGZsa{|lk&r-)*XO|;Hc*E28_4*4%Q3@d%F!tP+wsBRxKMw-(f#LfQ-o$z4Xd#ODoO> zAke>zc7o<1`t&{~lw|OpGqdW8n1qEBP-BKSrwmUBN+@6&lHbaW!lul^Yq%dxmh4YP zOcbebgE%%_kx2np12si)w$7xZ*TIcqv|mqpR?7WU$qor ze(i!Y*)e>7>T+`T$*ht>`qP_^+>eUl;U4_xqW(eaO{GFR7;b`!4GIPk?D=lXMdHcH zHm%XLB-Cx6-7S^oK@q=&a1>@1vdt1T`yq>&-d7v-@~$5GJQ3PrtJ~SLX3AHyuV<1U zc<(JU0TvpoBCrJb76M@%jda zayJ3+j_s!IMfODWu%>Y*W}cN!oH&e=BlXrI#IT3Tn*S(s1DAO9%I@ZCr01|pj0|b( zQfl&MnNih%tr}5NU?Fr`Cm5`|6WNBL;F0{f=raFCCZIthQ{1JrWkc`n>{0bXtS+}D z^3(taG%bqO|FO-u0QOQ3SP@tPAIOJ#VDXw(zQSggX9i@dxKc*VTO8ZvF z-XpU1+FxybM|P-lAg|7O@jjdB84Yer(SQIlnu$w1ENZ9S^mN3~ss8=v2PnQqMv06E z7?JT3F0MLHV0w6jLt88Q#_i|vy90Ob!NmO)ZcC_$;9c%9&Z~6#!ZBO~;4l%2qm_!F z7D{i0J=C?~!7>ob^P%}g8%7K@NaU4aR$_gB&EH)KEc=V(ntt>x(bw{@x)ZrBQ3K%Qv-`w5Tx z3$IXDGUHSgdTlvh{Gy*pW^G}A)?ZyoOxn zHOG5F7Xt$M3`hGgpRsub^M(WUOw|ldd_h25_yI&{vIA`5* zh;M_N15U}}5!LL}ICRq?O{S7CBd!y_>Y^Md$T14&gAT%ngy|gbEbGCsFqP>i9>3X; zmX#zj$#z{t(+P0f%lObC7@DnjMA{}*Uv1w~fQI|S>D(MFi}ESsOPKMG2SKkHpGvX4 z_;tv4ii~P>N`rX~Dmm}FQ1)-Xdf-f3IL>_kjTUnk8&)0AlS?D* zOB&w<=ErnXfU((kU&1tom-ctVC&7fCapTJQ3;N9BK}MtEjSXFyUA^S|Z@uf40tJDVIiLOy#DgsYh(KMhNrXJKz&2@mx0?hjhoUwjW*eC2h%f$=^;ej z7^MEFL>L?IRh!uo2U)k4>7eGQ1rS(p(aqOzNl#Cw7!0AB>yQdMaui}Ev3dB#{-FnS zYz*(@5TuHiP=W#aEp>v@ZfjImG}e40SLB<7gt-)c6UWWM`|sq&R-e8$I)p^g+&pDp zWleTeVRXq_`t(9I-2`fSpG&Ci`g^)XNyVhqa1{~g+p#ZAa076Z7XVL{4=dDVM?5I< zY&sg_uvpxkZ=m+OK!NPXkJwg7r|i$kxgS*?zzJQaXPE4aN%&PKL&NZE3X0G6=|N~@TWU(2@l3=+-zuriR4g=%tR*A zFk+6y-0bmhq&t;Ie|RuMlzXi|Thw9nh=fh;2sjVnywg>7KROQo{p>Y%8Y^o~z4@>Q ztED659rPTL>w+M)Lgn7QLpTovsq;%fB;N}3+zmwG8P>@_wtEhjNei2k#e#u|SxZP6 z8wcp4m$|?NFVQkvW>4GTr1^B|$0);u8 z*OBnB6+XxqCi-BaliA8bInW&39`fL$wl{#2;uWPZ$)UhlB{vS25Vpw;agY+Q=uBEQ z5s@wmuXaUGsRjB_+P+|rr;5?-1va7|d_>s?XE5tsL+eyGgo!S=MlOfCB*3Y|2$Yd< zWW(mE@MXh2(2Pdg5d0*_0(%UzTb>yi6R!dQ+?gxD*{+x0khR>l?T4t-wC~~7=3sR* zvzO}T0LS*PlOza(@)Y;aBpw02j!toxR!iSx^2k|ly_~j--^|yk1e%1j6DP8X@QtJ* z+PQBEpvCiSJt4B;3PBOV12ik1KsND(3jLCyV~QN()EYmUZJHJfHu@zmHhz&Z*i~FN z%xn)&SZ1NO|5fs=TUF%>3GphIoFttKat8<(lEi^y+ra#=xh$*FqvCorJm&3bJ?w~e z7Fp0tbCR`O>%G7WT2M2(;XW-+5zRkZt3o35?{7POW4f@-->&(zU)xLx)Q@CI3W+wQ zou(xLZoeaD-iC6HS;Ugf;7R5+95rVPCE8{ROl9oqQv810FjB?+l9cUGupkXAJ?%Y z7(jcmH9^KezAFI*;8Dunwg^(q#ru!KUq7v|=(zf*0RN2`>(r+pz0#5rz%&r+w@}jU(oPco zig*Z1!(V6qN+77SbkcklqlzjC6EJF znoL(mM`sFp+N&@izE-A)&7|O>jLt86-%>Q)T8A3Xf&|_K`Tw440gs4;a#5JB3u=r@I_()mrD3o52zNl{VRs4qOx}n z2r;{NbKYK@TLn}#f&>Zr%)LbF5*Imam$J7)IPj_pBtZhQSL#97;?ZTy{N&~7%w@}T zOJGJ36mrg>(cnE+!GXEI$q&sOM@WcLw%ttLu3dGXKt$;v+#<;7&wCa^y4Xwv*VHad z?j9K+pFp(*6nFk0$`RZ<8k*lMVkJ5txJa(?rUBh*QZq|(+{)6j8Vqf|k!p!IKP-!*GVYf;?!XOCBB-}h&LtD@|uZ7h6_FDJ+tH;LWgR;#o z2T$NWcd(JHgx5Xwa?IY=MM=T9=0xtg^5&p)LoR489ZFv#q<^|#_}My!TnBD~Fi=EQ z$y&=HyLk!8=#<@uH-CFlcpd!oFu8P$K^&ow@D6mz9)Ehk2`gQMN>%gG{A-u*-#4J16AMN?uZnC;<!s$HczWrt3PE?n?4GX?)C27CL|mZK@&eKBsTyoC|Nd4M5w8%K z3uXLd(%5hcuwSdO%>q4)^R#=iusRFBe;{9Xe>!k*@MxTGVW!MXe#}q+8a}SHVvf&+ zt^2xuwm>7ynmOJe5W5cM<9`&JG)|v5hqrr=ms=>4Qln&BsDSt-wHgjx&DPO(4YLr^ zo;6H=e^pioxm+z!@5RjD*6I^*}}F79j3omiHZ5VE}@h;fzk0$b$tXezxY&G zf}46_1yK8~i@v_Tvi4Ju;WJ};B^YUDC7K;mFAU?2y;s;AoMsy8^%ro_DXX%id}{ALufAJ3#zGWrt;&s$OjNt+)7^SH zwy|zu)%Hc0nds35Ob_WWR9!PPfs9o=KKqK0dAMkUjYG``35DJu#v?jHb#~{ zU7XaxSQ%UIeD_i$+bA!Q`X6{o3O*}8>7q}Pr1GfuI8oLW2t^~!o!moLnt$~6ln`1~ z7o>KCeI@nF&4r68SPGL)EhB*Jwh}JjT1}sazj!rOe=&Ed3ueriZgP$hrY>osFQXc~! zfDZj8zq6O+8EVq@tbE()w72BRH;uO)I!XMio(-k+nCG! zv8$KQALM9}?4gnWlymL`EZ9?=k$xmPaJF&9O zK|)S^_qfaxWCRBLVFa$Ia9qYjh@`!WsbL4*EZkI1ToIWBEP=eV#C!kW2IRwEHz$;jS(;N9IJINBy4-N34QS=@^C(EHaV<$Qvl~Xf%L`j=`_5-($Ziy z!-3^C^v_RWCQam*e@8O3wE-BkFSiXG+l34h&!^sLqVgkQ+efGgQnCRDl7WFHKgO|^ zX&#Wyu$UwaNq8nxT~qbKyg62KM`Z>!KW%`${ihfiAD&U5E3BWl{cUexKP0^Q_k0->*LJ0#jG*A| zc2Rrr=~3}N0Do!u+OaxcEy(s+@=Oh4$n|0|b3fgdCUW|^0abTPN>Q5f1j@$PBCW3jxiDVc) zHObe%A=HDmQq~l3Ytzx0sOPP5T%M_F!tzUM+5;62%l|98kANm3% zQVfHPwDPB8b-tRmo-3xROi|1wZ^})j+UkX>{Dq9nhnk-y3lZqqlvyic%zro9QfVI4 zLl3kXtF0S9ifu4=?k=#7_ z1gZDTZ-KD0c@i!HsYJM%uc6lSc$C|K2HE#2NtLi8aJjYrGic7FC@7(VZ|HB4U<=1t zs`VE05eZ^qP`l-j!4rgV;+N$MxxF-sORYR`P$!G zcGuhb*9pg1i6Tbm=s?vfLZT>2BZ$Q)lt>@)L?ZMk7_fDss9zH(3@t=UX_zv-7MV%mU*LcEaX;Uw?ko?fhA!|3k-MAyLlcMVd=4f7LdUT;(jgfezdFE=(${ zONb$-gs;4M2K|r{I{UXg^myFhx~aer*O0To0V6z9Y&D}`;Le(>`a8$41#_uBPNPcI z&G_H5ObJU2>BxkO2kWV@M3>4){~2$_${KqK!ZEer$eOmw&LKJx;etX$6yKZ?MPSQl zwQzB9rKCr%>GjRF2ibxwD&b*Q1{>t8sQIgpsv*;GBSfRbLyy%+t$r{Kowv~gfDb3! z;8d(j%)^ggZKgyBF{&-m1>cu%ypN9SoKCJG$`NM?Of@Ak8UHO(K1F<{sW!JJU=g|> z6I4{~tfP=(aO-v)Lv8#)giMN4lh8xA{zBNzan~#O zYBS8EIt&J55#FNIHQy^+PQb^0tZk%f)lMph&Oa9~8+}{0JX9`S+XB>)%*L5Mk3lKF zZkhQ8PU=#I>?eT3=L(BReGCjT`hA&}nY)I&BS^N9q#rfk3w#5!(5`e#>!5VcJ0+Kv z2khE7IJyP(RLu@2HIJFNSD>%z$d^?Ve%I1a?EE%iju-cba&UT~wxU67GTwfYOL=g8NO)O1l8#w7P4h40l+T)QzY%ypt)VpLP+aSwX1 z+&)TgUvX}4{tB15U6QeFUC}~b3H2=d2C%W_w50YQe8zy94hcAseDE0Pj;R1f{>@Td zudTBkDM*ka)u^)_VlI3lW;e{LJ{ojS@?v{C?BRUAstyHDklyA&)s>I`E7zFI;ke@@ zb2NQ;)3T(uwF9AsB1P67M$$^4QhxL+_IWdz08+R7hL7?a8jB<)Z)9Nn#T~K%F*6UK zbNqJ&|Mz(!D{LvWISsTr)Ti#K+SQeg09-eJ38fO{*Z)2-JnYSiS#s^JXw_>U&xt*f z_4OKjkLlfa{`(*yM2eL9TLf}2$>WIg1cbMrwyQyoZJ&Mz?jPj$6={)wzWKQ1siG!K z0qKx>lX(1ZDai;en~@w4c?$C&9?$>%h^-AG`~Uy1F|z*mGIC^inWq7kSN{>by;V4W P1^%ciYAKY+nFjqIq*ILk literal 0 HcmV?d00001 diff --git a/docs/kubecon-na-23.md b/docs/kubecon-na-23.md new file mode 100644 index 0000000..0a0a7e0 --- /dev/null +++ b/docs/kubecon-na-23.md @@ -0,0 +1,45 @@ +# KubeCon NA '23 Demo + +As part of the [in-toto Maintainer Track talk] at KubeCon NA '23, we present +a demo of the in-toto Attestation Framework, SCAI, and the in-toto Attestation +Verifier. + +## Demo Setup + +The overall flow implemented in the demo is as follows: + +in-toto demo flow + +This demo setup is implemented using the [scai-gen GitHub Actions] in a Docker +container build [demo workflow] for the Hyperledger Labs Private Data Objects +project. + +### Generated Attestations + +This demo generates the follow _authenticated_ in-toto attestations: + +* [SLSA Provenance] attestation for the container build +* [SCAI Attribute Report] attestation for additional integrity metadata about +the build + +These two attestations are signed using cosign OIDC-based keyless signing, +and uploaded to the public Rekor log. + +### Additional Tools + +This demo makes use of the following additional tools: + +* in-toto [attestation-verifier] +* [Anchore SBOM generator] GitHub Action +* [SLSA generic Provenance generator] GitHub Action +* [strace] Linux syscall tracer + +[Anchore SBOM generator]: https://github.com/anchore/sbom-action +[attestation-verifier]: https://github.com/in-toto/attestation-verifier +[demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/kubeconNA23-intoto-demo/.github/workflows/kubeconNA23-intoto-demo.yml +[in-toto Maintainer Track talk]: https://kccncna2023.sched.com/event/1R2mx +[SLSA generic Provenance generator]: https://github.com/slsa-framework/slsa-github-generator +[SLSA Provenance]: https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md +[SCAI Attribute Report]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md +[scai-gen GitHub Actions]: https://github.com/in-toto/scai-demos/tree/main/.github/actions +[strace]: https://strace.io/ From 49d5ea6e6f44655d55ccf8dc2984f6808e718079 Mon Sep 17 00:00:00 2001 From: Marcela Melara Date: Thu, 2 Nov 2023 09:42:42 -0700 Subject: [PATCH 4/4] Use CNCF-approved event name Signed-off-by: Marcela Melara --- README.md | 4 ++-- ...conNA23-demo.png => intoto-kccncna2023-demo.png} | Bin docs/{kubecon-na-23.md => kccncna2023.md} | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) rename docs/images/{scai-kubeconNA23-demo.png => intoto-kccncna2023-demo.png} (100%) rename docs/{kubecon-na-23.md => kccncna2023.md} (79%) diff --git a/README.md b/README.md index eb5b137..9e6f2fa 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ We encourage you to gain a basic understanding of the [SCAI specification] before using the scai-generator CLI tools in this repo. For a full demo of how to use the Go [scai-gen](scai-gen/) tools, read our -[KubeCon NA '23 doc]. +[KubeCon + CloudNativeCon NA '23 doc]. ## Disclaimer @@ -44,7 +44,7 @@ illustrative purposes, and should not be used in production. [in-toto Attestation Framework]: https://github.com/in-toto/attestation/tree/main/spec [intro doc]: docs/intro.md -[KubeCon NA '23]: docs/kubecon-na-23.md +[KubeCon + CloudNativeCon NA '23]: docs/kccncna2023.md [usage doc]: docs/usage.md [SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md [SCAI spec doc]: https://arxiv.org/pdf/2210.05813.pdf diff --git a/docs/images/scai-kubeconNA23-demo.png b/docs/images/intoto-kccncna2023-demo.png similarity index 100% rename from docs/images/scai-kubeconNA23-demo.png rename to docs/images/intoto-kccncna2023-demo.png diff --git a/docs/kubecon-na-23.md b/docs/kccncna2023.md similarity index 79% rename from docs/kubecon-na-23.md rename to docs/kccncna2023.md index 0a0a7e0..8eaaed1 100644 --- a/docs/kubecon-na-23.md +++ b/docs/kccncna2023.md @@ -1,14 +1,14 @@ -# KubeCon NA '23 Demo +# KubeCon + CloudNativeCon NA '23 Demo -As part of the [in-toto Maintainer Track talk] at KubeCon NA '23, we present -a demo of the in-toto Attestation Framework, SCAI, and the in-toto Attestation -Verifier. +As part of the [in-toto Maintainer Track talk] at KubeCon + CloudNativeCon NA +'23, we present a demo of the in-toto Attestation Framework, SCAI, and the +in-toto Attestation Verifier. ## Demo Setup The overall flow implemented in the demo is as follows: -in-toto demo flow +in-toto demo flow This demo setup is implemented using the [scai-gen GitHub Actions] in a Docker container build [demo workflow] for the Hyperledger Labs Private Data Objects @@ -36,7 +36,7 @@ This demo makes use of the following additional tools: [Anchore SBOM generator]: https://github.com/anchore/sbom-action [attestation-verifier]: https://github.com/in-toto/attestation-verifier -[demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/kubeconNA23-intoto-demo/.github/workflows/kubeconNA23-intoto-demo.yml +[demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/intoto-kccncna2023-demo/.github/workflows/intoto-kccncna2023-demo.yml [in-toto Maintainer Track talk]: https://kccncna2023.sched.com/event/1R2mx [SLSA generic Provenance generator]: https://github.com/slsa-framework/slsa-github-generator [SLSA Provenance]: https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md