crypto-policies-scripts-20230920.570ea89-150600.3.3.1<>,Tg p9|&XuS1S4mRa7y&7r$XؽANڨ1m<7SHNmgZ}_{ ޺]sÇp3<31NmK d'SNx^6E6_{Q1Ybw[{vT7M8䖼C$ Z(jogz2},P-t*PDiƤB%zQ̤!¤(s-Vt8Lyꚯ/4ByJiśA뗿>CS?Sd+ 8 _( >_6|6 6 T6 ,6 6 666 D64 X  (88@9:FDGD6HE6IF\6XFYF\F6]G6^K_ bMVcMdNeNfNlNuN6vOwQ<6xR6yRzSSSWS`SdStSxS|SSCcrypto-policies-scripts20230920.570ea89150600.3.3.1Tool to switch between crypto policiesThis package provides a tool update-crypto-policies, which applies the policies provided by the crypto-policies package. These can be either the pre-built policies from the base package or custom policies defined in simple policy definition files. The package also provides a tool fips-mode-setup, which can be used to enable or disable the system FIPS mode.g h01-ch4c*%SUSE Linux Enterprise 15SUSE LLC LGPL-2.1-or-laterhttps://www.suse.com/Productivity/Networking/Securityhttps://gitlab.com/redhat-crypto/fedora-crypto-policieslinuxnoarchAWS,[B2G<IT o sU9!u# (U/k!7Z:AA큤A큤A큤A큤A큤A큤A큤큤g g e g g g g e g e g g g g e gg e g g g g g g e e e e g gg g g g g g g g g g g e e e e e e ggge g g g 10ddabec37e763480bcd544f648da77c44f7a6b8381e6467b5a136d2462747a7bfb0bdb095e6b1cdbeca4be2ed1b03bb7d9424c4020a46e7cd68a32160a6189f6addb83218c406dc7f789cd90b7f230feac4938419570cff45d9f0ae00710dd357ed66106a661d46e0ca53eb7268cbc5722d2cefbc38d8211801e9697987b4c7a24ba9cf38df7b87821f2f1c11a08407e2fd2c510dc8e7bcd0f79b1e9577b4679d86f5c7b39e3f5cccc995689848bb2673becd15689273efdfe7f07974c83504401e0a6bac35a9f506f80475c7b1bbbb909cfc732c157b660d26c7bb7111e07c9d0820bc57d1ce4477916ffe6226077fa20cb9e54bcbaadc23afe62a2f9297ab398f3ef6bf84821949cec505b249f11deade3f9f4e4fb311800ca96826a749e57bd32bca6441716e9961d6978baf205b3b546a6add61e323cce9fd8265390260408d51945c1b6e1cfa95748e1834693f3060351315ab4015ad8a97e68f40b1e4444b988051a22e25607e13dede952fcdbd3399927bb1bea270ec08f7a262d0c50fb780dae62ad275c76855277255693573603b125e8fd316c217ba99969df98cc9f19df1ce4e7bc7af298365a1245bfa8aa1e32a7719149542bb40054b0f10557bba47dde5308e136f835d6c8a844d9706188e2969477d15fe629cd2cd9d7c78519b936d8551163117f459658e6a617d4446154f92eeba66b071d20e7fecae52dcba60a792e62e882f1e57ee4d54d4c62453b3fa5304b60cad0db48c0eefc2d915174b4806ff60398a994266a8b447339291f11e842526ba2c83b04e5ce8f383b270384e11867a2d932f49a9eaa785c435314c51257ec25963eeb76198ac02a2b604380985c865e148d6091dc11fb82b99c2730706b25414c7c7a45b08b0ede8fddc5cf9fae69bda28d611ac5aa5bee6bc1903e328506dc7826cdd6ae37bde42aa7a3b3fd79089d6a2e89382ab730165db06aeb6e2b56f538df8d40a15f86a6a02ae5f8c1e12d3560c94486d0af13a5ea6bfde9565f876558e50c2e49da58ade698ded0489cd93fbbd5e0b20901bf8de79d85f45424f8cbb3765801cc4de96baafbc885eed18f2288f2db93c5493dc3b39690c93f461a649b5e110ce83683f43f2f5ce680f81b60d1307beea19079cd3aa669a59fc2f2cfe7c596bba50c4fab3ad5dbef569911c0b24b3fce1544edecbbb7669a148c510c963b5c0dedc418b8ddd8b12275ef88f9fa136796d7c4a09b9b0009e08276141680f4d846bee859b11c19c35eec32475466b6a0d7cc7c3271bb26e2a65cb869cc23f2eafe13637abda8f7f423382cd9124f63e50c808520f47369da33a3dce3c46762da6b10e7e580f9abec771bbfaf7c4659f3b0102ca0ca8728f017beb7406ccecac870bb81e4354c5028dbe19d98d3d4c5a4da47c7a45e5cb9b47e44675ba1cfde23c424c706f82a90bb6b7fdf25add1c0431240c4fc4bc750a624996d5a5e8d0aad162fb73a7684609461078f3c438130085493a49ac06d3f7a42e89bcdcb3a2c12cd42ecb902c30c42a7b489730b2ed63585735c6de6197b6b1b58974f121e5b0ffb8f9a53f4418b55a7aac44aa155f76e0e4fa6a02975918117b1bb267ccbe5aa4124b72384c92459e451431b3e76b0916d5381c584af433bdf414a9e6a4cf464aa4faad72e606b429ecbdb3c3659052539f117325cbcf4d25b92a99e1356df8170102f808ec39032dd789b9b5701d06bd03248ca3123b57ba449e696647b9381c3d7e4e0fee1135bc9ba911077d30ace3c374671d0738e52d03c6bd65781dfa29215c90ab2a99e72be95d89c2b2c46bf783eb3908b275939e110155a84b716b8cc1908d223c7b4ed2d8085affea8c4de60021bc4b89ea456ead2bdb713c055ff00bff0238e04e67c0f4a1eff6fa8a0480f3e69dd02eb151304a036ab189ab4174662b175014af99d2b749bd8276adcf4579a71411b7c028031e0c68d13702b7ef19bced7e8967c8f9d38bcfdf2ecc265245d88138c46444bee5883a14fb2c7d520af6c0078eaeca399e889653394e5016ad57333c55a9a2cb0ed4ae2e7538700ffea5b7089brootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootcrypto-policies-20230920.570ea89-150600.3.3.1.src.rpmcrypto-policies-scripts@ @@    /bin/bash/bin/sh/usr/bin/python3/usr/bin/shcrypto-policiesrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20230920.570ea89-150600.3.3.13.0.4-14.6.0-14.0-15.2-14.14.3ge@e eG@ddd8d@doMdm@dX@dX@cʂ@aMaM`7@`7@`6?`-@`"y@`!'`!'`3@`>`>` l` l` l__#scabrero@suse.depmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.commeissner@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comdimstar@opensuse.orgpmonreal@suse.compmonreal@suse.compmonreal@suse.comdimstar@opensuse.orgpmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comvcizek@suse.com- krb5: disallow aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 kerberos encryption types from RFC3961 in FIPS mode, as its key derivation function is not certified; (jsc#PED-12018); - Update AD-SUPPORT and add AD-SUPPORT-LEGACY subpolicies; (jsc#PED-12018); The AD-SUPPORT subpolicy will enable the aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 encryption types necessary for AD. The Kerberos libraries will tell OpenSSL provider to bypass FIPS restrictions when loading the KRB5KDF module. The AD-SUPPORT-LEGACY will allow the use of RC4 encryption types in environments where either accounts or trusted domains objects were not yet migrated to AES. - Add patch 0008-policies-modules-update-AD-SUPPORT-add-AD-SUP.patch- nss: Skip the NSS policy check if the mozilla-nss-tools package is not installed. This avoids adding more dependencies in ring0. * Add crypto-policies-nss.patch [bsc#1211301]- Update to version 20230920.570ea89: * fips-mode-setup: more thorough --disable, still unsupported * FIPS:OSPP: tighten beyond reason for OSPP 4.3 * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS) * gnutls: prepare for tls-session-hash option coming * nss: prepare for TLS-REQUIRE-EMS option coming * NO-ENFORCE-EMS: add subpolicy * FIPS: set __ems = ENFORCE * cryptopolicies: add enums and __ems tri-state * docs: replace `FIPS 140-2` with just `FIPS 140` * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE * cryptopolicies: add comments on dunder options * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check * BSI: start a BSI TR 02102 policy [jsc#PED-4933] * Rebase patches: - crypto-policies-policygenerators.patch - crypto-policies-revert-rh-allow-sha1-signatures.patch - crypto-policies-FIPS.patch- Conditionally recommend the crypto-policies-scripts package when python is not installed in the system [bsc#1215201]- Tests: Fix pylint versioning for TW and fix the parsing of the policygenerators to account for the commented lines correctly. * Add crypto-policies-pylint.patch * Rebase crypto-policies-policygenerators.patch- FIPS: Adapt the fips-mode-setup script to use the pbl command from the perl-Bootloader package to replace grubby. Add a note for transactional systems [jsc#PED-5041]. * Rebase crypto-policies-FIPS.patch- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933) derived from NEXT.pol- Update to version 20230614.5f3458e: * policies: impose old OpenSSL groups order for all back-ends * Rebase patches: - crypto-policies-revert-rh-allow-sha1-signatures.patch - crypto-policies-supported.patch- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup and fips-finish-install commands, add also the man pages. The required FIPS modules are left to be installed by the user. * Rebase crypto-policies-FIPS.patch- Revert a breaking change that introduces the config option rh-allow-sha1-signatures that is unkown to OpenSSL and fails on startup. We will consider adding this option to openssl. * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 * Add crypto-policies-revert-rh-allow-sha1-signatures.patch- Update the update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. [bsc#1209998] * Add crypto-policies-supported.patch- Update to version 20230420.3d08ae7: * openssl, alg_lists: add brainpool support * openssl: set Groups explicitly * codespell: ignore aNULL * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 * sequoia: add separate rpm-sequoia backend * crypto-policies.7: state upfront that FUTURE is not so interoperable * Makefile: update for asciidoc 10 * Skip not needed LibreswanGenerator and SequoiaGenerator: - Add crypto-policies-policygenerators.patch * Remove crypto-policies-test_supported_modules_only.patch * Rebase crypto-policies-no-build-manpages.patch- Update to version 20221214.a4c31a3: * bind: expand the list of disableable algorithms * libssh: Add support for openssh fido keys * .gitlab-ci.yml: install krb5-devel for krb5-config * sequoia: check using sequoia-policy-config-check * sequoia: introduce new back-end * Makefile: support overriding asciidoc executable name * openssh: make none and auto explicit and different * openssh: autodetect and allow forcing RequiredRSASize presence/name * openssh: remove _pre_8_5_ssh * pylintrc: update * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... * Makefile: exclude built manpages from codespell * add openssh HostbasedAcceptedAlgorithms * openssh: add RSAMinSize option following min_rsa_size * Revert ".gitlab-ci.yml: skip pylint (bz2069837)" * docs: add customization recommendation * tests/java: fix java.security.disableSystemPropertiesFile=true * policies: add FEDORA38 and TEST-FEDORA39 * bind: control ED25519/ED448 * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 * .gitlab-ci.yml: skip pylint (bz2069837) * openssh: add support for sntrup761x25519-sha512@openssh.com * fips-mode-setup: fix one unrelated check to intended state * fips-mode-setup, fips-finish-install: abandon /etc/system-fips * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT * fips-mode-setup: catch more inconsistencies, clarify --check * fips-mode-setup: improve handling FIPS plus subpolicies * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3 * gnutls: enable SHAKE, needed for Ed448 * gnutls: use allowlisting * openssl: add newlines at the end of the output * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-* * fips-mode-setup, fips-finish-install: call zipl more often * Add crypto-policies-rpmlintrc file to avoid files-duplicate, zero-length and non-conffile-in-etc warnings. * Rebase patches: - crypto-policies-FIPS.patch - crypto-policies-no-build-manpages.patch * Update README.SUSE- Remove the scripts and documentation regarding fips-finish-install and test-fips-setup * Add crypto-policies-FIPS.patch- Update to version 20210917.c9d86d1: * openssl: fix disabling ChaCha20 * pacify pylint 2.11: use format strings * pacify pylint 2.11: specify explicit encoding * fix minor things found by new pylint * update-crypto-policies: --check against regenerated * update-crypto-policies: fix --check's walking order * policygenerators/gnutls: revert disabling DTLS0.9... * policygenerators/java: add javasystem backend * LEGACY: bump 1023 key size to 1024 * cryptopolicies: fix 'and' in deprecation warnings * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 * nss: hopefully the last fix for nss sigalgs check * cryptopolicies: Python 3.10 compatibility * nss: postponing check + testing at least something * Rename 'policy modules' to 'subpolicies' * validation.rules: fix a missing word in error * cryptopolicies: raise errors right after warnings * update-crypto-policies: capitalize warnings * cryptopolicies: syntax-precheck scope errors * .gitlab-ci.yml, Makefile: enable codespell * all: fix several typos * docs: don't leave zero TLS/DTLS protocols on * openssl: separate TLS/DTLS MinProtocol/MaxProtocol * alg_lists: order protocols new-to-old for consistency * alg_lists: max_{d,}tls_version * update-crypto-policies: fix pregenerated + local.d * openssh: allow validation with pre-8.5 * .gitlab-ci.yml: run commit-range against upstream * openssh: Use the new name for PubkeyAcceptedKeyTypes * sha1_in_dnssec: deprecate * .gitlab-ci.yml: test commit ranges * FIPS:OSPP: sign = -*-SHA2-224 * scoped policies: documentation update * scoped policies: use new features to the fullest... * scoped policies: rewrite + minimal policy changes * scoped policies: rewrite preparations * nss: postponing the version check again, to 3.64 - Remove patches fixed upstream: crypto-policies-typos.patch - Rebase: crypto-policies-test_supported_modules_only.patch - Merge crypto-policies-asciidoc.patch into crypto-policies-no-build-manpages.patch- Update to version 20210225.05203d2: * Disable DTLS0.9 protocol in the DEFAULT policy. * policies/FIPS: insignificant reformatting * policygenerators/libssh: respect ssh_certs * policies/modules/OSPP: tighten to follow RHEL 8 * crypto-policies(7): drop not-reenableable comment * follow up on disabling RC4- Remove not needed scripts: fips-finish-install fips-mode-setup- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938] * The minimum DTLS protocol version in the DEFAULT and FUTURE policies is DTLS1.2. * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e- Update to version 20210213.5c710c0: [bsc#1180938] * setup_directories(): perform safer creation of directories * save_config(): avoid re-opening output file for each iteration * save_config(): break after first match to avoid unnecessary stat() calls * CryptoPolicy.parse(): actually stop parsing line on syntax error * ProfileConfig.parse_string(): correctly extended subpolicies * Exclude RC4 from LEGACY * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT * code style: fix 'not in' membership testing * pylintrc: tighten up a bit * formatting: avoid long lines * formatting: use f-strings instead of format() * formatting: reformat all python code with autopep8 * nss: postponing the version check again, to 3.61 * Revert "Unfortunately we have to keep ignoring the openssh check for sk-"- Use tar_scm service, not obs_scm: With crypto-policies entering Ring0 (distro bootstrap) we want to be sure to keep the buildtime deps as low as possible. - Add python3-base BuildRequires: previously, OBS' tar service pulled this in for us.- Add a BuildIgnore for crypto-policies- Use gzip instead of xz in obscpio and sources- Do not build the manpages to avoid build cycles - Add crypto-policies-no-build-manpages.patch- Convert to use a proper git source _service: + To update, one just needs to update the commit/revision in the _service file and run `osc service dr`. + The version of the package is defined by the commit date of the revision, followed by the abbreviated git hash (The same revision used before results thus in a downgrade to 20210118, but as this is a alltime new package, this is acceptable.- Update to git version 20210127 * Bump Python requirement to 3.6 * Output sigalgs required by nss >=3.59 * Do not require bind during build * Break build cycles with openssl and gnutls- Update to git version 20210118 * Output sigalgs required by nss >=3.59 * Bump Python requirement to 3.6 * Kerberos 5: Fix policy generator to account for macs * Add AES-192 support (non-TLS scenarios) * Add documentation of the --check option- Fix the man pages generation - Add crypto-policies-asciidoc.patch- Test only supported modules - Add crypto-policies-test_supported_modules_only.patch- Add crypto-policies-typos.patch to fix some typos- Initial packaging, git version 20200918 (jsc#SLE-15832)h01-ch4c 1737624521  !"#$%&'()*+,-./012345620230920.570ea89-150600.3.3.1  fips-finish-installfips-mode-setupupdate-crypto-policiespython__pycache__build-crypto-policies.cpython-36.pycupdate-crypto-policies.cpython-36.pycbuild-crypto-policies.pycryptopolicies__init__.py__pycache____init__.cpython-36.pycalg_lists.cpython-36.pyccryptopolicies.cpython-36.pycalg_lists.pycryptopolicies.pyvalidation__init__.py__pycache____init__.cpython-36.pycalg_lists.cpython-36.pycgeneral.cpython-36.pycrules.cpython-36.pycscope.cpython-36.pycalg_lists.pygeneral.pyrules.pyscope.pypolicygenerators__init__.py__pycache____init__.cpython-36.pycbind.cpython-36.pycconfiggenerator.cpython-36.pycgnutls.cpython-36.pycjava.cpython-36.pyckrb5.cpython-36.pyclibssh.cpython-36.pycnss.cpython-36.pycopenssh.cpython-36.pycopenssl.cpython-36.pycbind.pyconfiggenerator.pygnutls.pyjava.pykrb5.pylibssh.pynss.pyopenssh.pyopenssl.pyupdate-crypto-policies.pyfips-finish-install.8.gzfips-mode-setup.8.gzupdate-crypto-policies.8.gz/usr/bin//usr/share/crypto-policies//usr/share/crypto-policies/python//usr/share/crypto-policies/python/__pycache__//usr/share/crypto-policies/python/cryptopolicies//usr/share/crypto-policies/python/cryptopolicies/__pycache__//usr/share/crypto-policies/python/cryptopolicies/validation//usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__//usr/share/crypto-policies/python/policygenerators//usr/share/crypto-policies/python/policygenerators/__pycache__//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:37150/SUSE_SLE-15-SP6_Update/0664cca0ebd60151c1284b522f8e5c59-crypto-policies.SUSE_SLE-15-SP6_Updatedrpmxz5noarch-suse-linuxBourne-Again shell script, ASCII text executablea /usr/bin/sh script, ASCII text executabledirectorypython 3.6 byte-compiledPython script, UTF-8 Unicode text executablePython script, ASCII text executabletroff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)RRRRRhD۴zG^\䀲/usr/bin/update-crypto-policies --no-check >/dev/null 2>/dev/null || :/bin/shperl-Bootloaderutf-8a5ae84bf3fcfa6b0f235d10be025e43033c2a539c41fa7a70f3619ce032e0fc8?7zXZ !t/E]"k%8*6l"3ג_ib}k5+ =Vs~d {C%YYc۶Qرs&Vkd=QazGNNk&E:8<R)opW}F]νJ~ ;nD[3@!(JOdJɨ82hٌXWe0{QǡZd5' Jw,"ƥp}# >_sM0F| (|PUSxi-#`yL~xG>-@NpĶ̡a[ޕtuݓsTv 8]˗A8-n3VA_0m,j]V#  mLO`&j[K,M ػᥥc9Eپ{b";Kڗ%[*}dڕxH56H1a2@Pe;dQ;M~=ј6<#=;a ¿hU_a`D͔>ća, v?)Q*cw0H.p3x<L&L~=i<]+Ҧ,/h6rB{Cf0l\IZdy?7iϼďTf4o}~7忶a:d DnTot8JL뷱[^_#&Vx ;gxжBе˂cȃOC;KEoOAZ(DZ?M fFw?"C MJG{@pۢE)ndol&j@ @%NYfdnr5+/ɪ`|˝1iVR6];fNTE!{Sc)lk$8MW4D[NVvq)Q:#r?\_5*F⯺CYK(L/ĕw?l) Be=;E~ڢa*y Oeb悼"tŪLFaM "rK%dfRpSbK:w(܅`C(0'|dtֺOwr2y_8rrMq϶-y]bY#nZcwb]d4i-}ͷ|*jVp;Ȟ̉5 [O IjZUW')Gws47ayftEa٬ɋ޿!%Tm?[=x>m{㝴hbh'{WOvpNvSZbPicsvW%P*= r6a @;6`푽9{LiEg*BsI*)ȡp4,),n <%!&db\)TƦ33 +]?pÙUcyݠ"q,וFAu=4#lˌgu%l|gn|17Dl~HC.mσfT`O f bE*U|Z@? .LTT&ch~[Haڐ;g/B"4`~>7)| UWtj.&dôAvHF-fȊ9LM©DTҲa$DeސuV{:,,/Ҩ)0UQ>[bDr}At!3 q`j#*ăԝqzk^lͣ*yehY-?ŠF)oq9Ntž{޾jd!.&𜣶fDF<G$b%Pk4j%| W(EYE3ū,LGlʊ7V%{qܝ1n>YnȜ(<-[KyHӡ7'[=bQM%^& W?ef uzͩ>J?W\æ$n7w^W|&C?LA F9JAfɴo^ǭ/"(kd $SEZP4v:Dnɻocg[/O,,D$D/"<-(=gK]eGa%wըtORK4= * r/8H Unhtstl;[dOo:PyK0 ~`+-n-RL=pE8;h03a^U.(6![z*|  K;֕.M8 }bx]4&:Nf*={Yxv:$wV> Ao6xϓO5$ACA{g{̼ѧiJpq>ƑTy~S &C>fU77PrPzHդ7`=(,; 0vA$Z!ŸÐ$ o-oe4\TG uGiEX fSԡ=k]i|]XN@)o=?aCyYLTgGv*rͽqIڴ $3U^/$ lſrW0Ks]%;J 2QhѪˈ" ΊKd _FbP^;[V \ZP+n>C:F>)._UP}Q$ cՊ%Մs/ /:PXn9b$@ A<\12R.Pht[af,Q?.)&8߮Ve"f7s6vU@tmeBUe7'*ύ';?d]T_.yÅǜPe1{Vݘi8ߊКt@Ui)tE^6~Q9iT+>NQ9ElޤsT3% cq&ȻoUɫit Lg(i[Y# Rh\GN1}qZ/uAFhX[`@"<.1poIOA)T G0)Xtn[H^y`„gwHCu)h!m'Nmf!;h?(H۾.-0Bٮ xrHpO\@|mEּdh?4} Ht(D\.x*tW/i6elA$I<ȖP &e6T(̇fC}ݔȪj$Oȱ0^)sQdDďUE"PFo1Z+rz\bNY9Z ȧ6Ԉ12@1ۮʛ>> ( % hs9oK/:NI"i2nB]팭1C4,]3|j?v0!gx3C>Pvk.u{ckuD~J. զ`?9HiV~`q]G$IZQXbTb|ʴ9~9XLTx9i1D,i60ЀDWղ ې 2*+s+9gL6N_* !XFE _qk{ğ2n<= ' S?5T;iϛKHK;(RuŌ-?ThbzX]җŽ:ܒ/l[cu6ѭ;FϛQ|74D=͟ʉ"iMT,BLg7-QwCoфu[+9\ 2I+ʅ]2?NV;SVD:m}; |_UҎ$̊PCfЉ _8tf'>a^mQbz2zvdol2|0tYurݹ Ne欈ɽ+VAqygy ]$7Vwu.zutgfJ=,^ G[JGv뾇 8mG5'PmAVןbJ]:?ϡ!Ee09U 0<7){VZ#`b* ^5z.! p ">gnĔi OeH,OC 3ǃGmdRj.zcB†>ֶۥI2!aQQЏn !!A0KѬ{ $@7_UEu{b[{R{n]¡E Rҹ,= RBQ1'pO\*y0dig~tu,J"9'77ƭFJۢ+Rb6m19{f7-h^}GgdtH'؛jIkdD3Ko` '&z9?]YhUPat7Lro $?hg((%Ac"TFL%ԺziȡzԱ-B.MP˔nrI7>qk1rˬ1lcq|-AORiMF ph!+"{JI7,X3cR{nf (]vk3mqQ0!5/ }뙪Yz9WN'D*mf njpaMYxѳT^-žPlgcr%A"rju^mj\=5p9c``$C*eޱ.Ԏᧅs/"|~.?.|H^#aӸ%A\s+9# Gn\/ĔOH*X24G^*фz̴l? qC1ybjk"ӯstK\ ہK5eϐ[Z1P? J~Q L*qǢ>bHwYC1 T%*BN \׆/ w;HXj[ E!g=r$h"R 2]KZ@urڗNoƃ)gL?('aO N:*rr/4Ȕ"0}XԫdN^uDt`sCDA;85[Mј/E'1a,1)/b?f {lJ'69E-̨1.Y'r$Lc΂c_JkTX:yH'cI(evyFl b JiW|TUGXo.`>>#oJÇ%1$9?2;QIPS_s7eLL;9;;gHg#GWCJ6mo c?=_ۯ:3UT,lB XWˇV v:d aUb{D N1$;j2z1qo(k=LD1fvl_ Y2Ϯ|w!& ]㤧[-:AL+d) m.X(h!G\ 6Tr8XcZ}5??m *BʠE ôG\d I>~/Թ5I;Y-SE㾗_>huwלYNOJ_1=!ݹ;ILlMeoh ey!zJpxtM|_9zZsM cP(q7 Bw0!}lɋXt@Q_SPSLH?rwQ x>p>Tu+T8I@7ܡ|}J)uv<ݯF"k"`s.j/hyjS2E@}zQUG ˧l1< L%󡎓s Dٓ䔒/[^iX)H=؟Aew6 ۾^0a}ۍ*)0hِv3$Kjnӟ\vv5z餫/Rluev!)a9l_T "pF.22%]>@na's:0J Ⱥ /r=b9iUГ8⧪$!y2sl U~-9$Iҁ WK .A7hEe|k^Te!uU&tܨ5pjaYҘa4v@c lF/& o0oUqeūN~ ޯˇ[Б!j^ ,Rdz59Ҫ:M^%&X6j ]9`Ы3m𝮮O| K&趞ȿyT9^=/l-?(.vX.G{n XNZ*Er mWctix@4 XTZ[׹]W[FZ=l8qu@3f2zyi~цC=]te!ȩ,:Y\,,tBCel#?BCnHBOm7NY6YVA"Ot>2_vna?qn8b/F1n &W1N\1S ?[c9^qXTz,+AbN,fO`SrDu͹]8; GG5t&cim^eMkȫTީ q7}m[8){ (q:U]zjNdq%_QYzuCTS3L9ۯч^\U5`'ZRsUI~v$UWJЁ$4) w,As*]Vd8Ƌ-2oi}Qė k&@,&<~}ǡ64Pg:xX4τwhpoĊ@p7@#5/Q[juhbûoߥB3QBڣRQ T@nFAV|.W!!92D]] DT3M~rޒjĤ>A+ֆtj]sJ ӥUƞJCZQYa,tȪդ;Ӧʹ@;`+qU3 NcF;bWb@q3c* @ݶQRe$,x)[6 )m|nyn Q!7hWn)4&Yk0x#'AIh* .FſNT|E FOvT_=,@|D8z;dMM0k5& BeK(2?ޠǮDLr>4B~QKy\Ҋ!$ȴ߂nm{{Qk2YdM5)ك-݈YJ==IY5=ɳNy^wL܂y27>r1 DW5fdbDe#:)k"[)LޝOH*<wLYRz["!n߈$Od@f Sk㕖nVjTף_ջD5nYTՐ1@gb w!=_qd W Kqq~5]sfhTSߴQv 5sB&ߪ|Äpe֢%Iil R~QuPK*`~FׇO*EY40 lN[o߻Z;)W5޺C20Q/"h7hL9BPdыm9Wfr'uX= >1?, 0N\_)\:×Uą#:}ixW1q{kj퍿BH,eNlVgaZE̲B{cnj){c)/Rل!&B: F,YT%2*Z:wX^¬UrU#P lH^EcSaEL+\=;w)øDuX#N >-iD,wn1}v~V8O^ޱgC@4m>wB}=y=iX͞?MI@]Dk6C熸qC&y`I[} r}WNDu~4ž\5;c\yׇ`s_9z&@'SI@Y>KO>Ogi<{A8iRg2a}Z?Ƚ˸ݔt2/}K[yS2+8BzpZ`uy H$8:;aPZ%6Kez$3}ӯ_VrAQ)qo2N)Ɋ>P)jc42'(^GJO")2JOi܊SFpuj:P6u֠IΝ v@Owa7D+[a6Zɔ!`jNyc-"718O.bA]T/,"/e{N4RW҄|w$ |da*O ɝ Ti4@he&|,tVm 8 {,eо᪴yG?"fQS@@Z&%-7p2Yρ:|7Ns#u!*7pR  |I-$l$p28h?TX)=O%.duJC)tkbV:'r*SרNY+m8A<{׸kx ,I3&Ūҩɸ@ tQ@ ~)`bnv Zc@A?fn, @$0|&7V ᜫ|{T@] nm%4I[._I:>a lh?S: `ł 0F%)pЁ6vPr Wjvj@W[\04f-o,$4t1\Q4e4Xӿ<~jͯ !!>yjZW]^ ?R0[#|OiMSf ;ָ]sG*ZJYfHP)K TL$Id) 4[.!DeV%-Ds*V~n4z+@24βYC,Y2z}H2i+~Gκϩj\Sס;,'Y{0 JBg}уϾ1U1P}@*A,k݌6&0[@3cqo/3b$`)њL5OAx4>:ioDFEdY(|%ֿyH6U:K]?Ie_A`r&thY$#v|^ipKeٜV֦I$j CKQc#ߒ )eB%.[c-lڱi>c Eؿ?a7JV}7E1;W(õ'kcc}fM%0x{G^Ub<:EQHؙx@1#8糱-k? eW:v)၇kum{= A/^_c_|\ ߝ9K? K6A]-el[ac;%&Ȗo+`|n"gGF3O/7cZY(x}N!jHRxp0Ǐki:υ $-6q7} b\2Ai[3?xIz=BF9A{QԼ@P⑑rUJ\%-粒bFti<|8HS ,ʩfah_8chcp)zB`BґZfnbO)LH'VȎZy(tW4eEj!8F{a4.҅=7M(ۗP\ N=~B!s?CLJO:~^3 6)ld%#uUp嗯A , Ĥv#J_8a7^xPq]fE)? ]c<AwcIX_Y=j#b)|N_hZоw""XoĻ@(=o|c D/,bTg]^-aጴ #Lg}v8-If]㘺O?.xYOju&BP$*ST 5ȶǓNj36tf D0| ;I8# \Z_43; g|Inh#!iB–Vz{FSmGk9Rj.^/Q-F/OA+YOaG!s Z9!&p]9-ǰFE'Wrz7L=܍Ur0:)xsc'¸ySH1jdyY:ÉDSo ]ǯʥ!O)M+ 2M @^S8 |֪݌bf P)5CU s1=K ;`~; ,xM7P,)]n~x+fF4_A1;kN"~ @LnW|](qw&I,^Nԓ/eD/ޒ7>u! cF_484HKG`lz/ E;M?(C~c/3vAjQDzD6zT] oW*Wg4-KNI1嗆OJϭ<#{lF/3&(>ꦭ~Hˀ.83+{ZLlbxR>1of<(n _v<2~7u @X7eR]č\F5Y|DPblՎ4 ߺGHbcxip> &&*b$O4]l-COT MV8*,dy$!kb)[UFpFHsGM}p _IoHV_G|U5h9F> fi6yףѰ`Ȫ3NP#ҦW ;Hx},0}BNyjELm^6aiʲxOGyNVph](LkT.2m-3{x)<_Hѷk:b~lGnZ2Hݢ 4 "S=m8/T:ex u$[صmaڑR^a!s%/1Kfa̟,~/&TA jRTMyT=chb%JRzEX-ҴQ,bD@I}]AكX"K-IeN56.<39p\ˑqС(Iwyy Ǽ=P:PA3ezvus۶bqi$2g*mPplqgȣZ7̹9X)K1ΌF;^SaV.Mߞ(p0PhCQS[#cl~5-!XXBć(&.|m3 l5ms+ б'%e6?j;:wWVp -u['$"b%6&/X "|?MT* [V+AqTiF`3xc{Ba? a|G#FuYeZ㋢F=Tw`el &ig}CET+(,=isH9o+~V qO"P1΀j{F-J&λ r+ءqMyůbw}I*f.ᱪ!=@9f툶Ld:7tLNn%ueo;| ?G[ (<dÅ{Xx]"=PCH*/(z}hBg`%[$.DzfA 8:g@2/ )?IlH̷#߿Lt&^rbK 4NJe/wz)Ӆt}[O0?89kUQ6*Nu;sZ;gGL`1>-aKxg<(B"N2R/ڥ!hVM(d4~rkK;D\Cc"mm |Cܻ^M8[WcފKR2x,wvO+31mIt# vלzv_h }ߐ <(V0յi?N6C51aTTk&ncE4o1AhG&%Q:~ E/rL*+mDkd`⟈[Ս+m0Mu?+9-@j=xJ}f{Wm R:?o7޻a/DN1X^etqf >49N/v4X8hkHWBP'\o ,x36Et&R^"U '긓kI⾩Ykw{f F,bc)_")aA 7G+52ʘJU>b@Oхʘ|GEn;2< |e?F `TRVǎ24Q[iCo{5S( rFS0m^bq.Yw{%y9׺P~!Z_;?rQO}}1)uA-.U t䒄U)>2 Ucx<}Gz± q&B9@Sן.zIM*s HRrhW$@>Aiրk}᝕0./$=}M.e]/fzaciscV!h*wR0&oh|36 I=5RK c!h=bk"3\ca6 D,**YR'']g&D N?g k c~LJi[`'狸Icv,$ȚXQBص]YEZAE(L&y4OTОM.)CfX} 7NLX*3KTkNwxIy6b,$o{hh!d@h#ڻ&Q]:GRDp佝Igh Ix0*Y+!e#,:ވ+塖#ƟP?it~ zuEe*J^-A b_Yp.xR`v>gSgם\1 [qƭ " YZ