From 270e774804ad6b01977cb919f083e54d88dbe32d Mon Sep 17 00:00:00 2001 From: JimFuller-RedHat Date: Fri, 24 Jan 2025 14:37:22 +0100 Subject: [PATCH] adr for external references --- docs/adrs/00003-external-references.md | 404 +++++++++++++++++++++++++ docs/adrs/product-component-sbom.png | Bin 0 -> 26119 bytes 2 files changed, 404 insertions(+) create mode 100644 docs/adrs/00003-external-references.md create mode 100644 docs/adrs/product-component-sbom.png diff --git a/docs/adrs/00003-external-references.md b/docs/adrs/00003-external-references.md new file mode 100644 index 000000000..4a773d78e --- /dev/null +++ b/docs/adrs/00003-external-references.md @@ -0,0 +1,404 @@ +# 00003. References to external SBOMs + +Date: 2025-01-24 + +## Status +DRAFT + +## Context + +Having the ability of an SBOM to cross reference to other SBOM + +![Multiple sboms](product-component-sbom.png) + +Is not just a feature for managing complex distributions of SBOMs but also allows the extension of authority of an originating SBOM +to apply additive approach reusing information from other SBOMs. + +### SPDX +For SPDX, external documents are listed in the externalDocumentRefs element. + +```json +{ + "SPDXID": "SPDXRef-DOCUMENT", + "SPDXVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "documentNamespace": "http://spdx.org/spdxdocs/example-sbom-1.0", + "documentName": "Example SBOM", + "packages": [ + { + "name": "PackageA", + "SPDXID": "SPDXRef-PackageA", + "versionInfo": "3.8.1", + "originator": "Organization: JUnit", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://example.org", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "CPL-1.0", + "copyrightText": "UNSPECIFIED", + "summary": "", + "description": "" + } + ], + "externalDocumentRefs": [ + { + "externalDocumentRef": "SPDXRef-OtherPackages", + "spdxDocument" : "http://spdx.org/spdxdocs/another-sbom-1.0", + "documentName": "Another SBOM", + "checksum" : { + "algorithm" : "SHA1", + "checksumValue" : "f2d13e3f9deeef2e3aefdc216f5c4ebb0eb4b152" + }, + "documentVersion": "1.0", + "comment": "PackageB is defined in this external SBOM." + } + ], + "relationships": [ + { + "RelationshipType": "DEPENDS_ON", + "RelatedSpdxElement": "SPDXRef-OtherPackages:SPDXRef-PackageB", + "SpdxElement": "SPDXRef-PackageA" + } + ] +} +``` +This SBOM asserts a relationship to a package in another SBOM ( _SPDXRef-PackageA_ **DEPENDS_ON** _SPDXRef-OtherPackages:SPDXRef-PackageB_) - which should not be considered bi-directional eg the 'authority' of +this SBOM is germane to the original SBOM. + +A few other spdx `externalDocumentRefs` examples: +* https://github.com/spdx/spdx-examples/blob/7173f3148dc8a0fdf9397e676611b1e3cd116c66/software/example14/spdx2.3/examplemaven-0.0.1-enriched.spdx.json#L17 +* https://github.com/spdx/spdx-examples/blob/master/software/example7/spdx2.2/example7-bin.spdx.json + +Using the following properties of spdx SBOM: +- **externalDocumentRef**: brings in components from external namespace +- **spdxDocument**: concat with SPDXID is addressing mechanism +- **checksum**: external document's Checksum/digest/hash ensuring unique match + +We should be able to provide an unambiguous internal mapping from with which to locate and relate a package in an external SBOM. + +When a checksum is not directly embedded in the `externalDocumentRef` we can assist the heuristic by using an externally generated checksum. + +### CycloneDX + +In cyclonedx, the main mechanism for cross referencing against an external SBOM is the use of `bom-link`: +```json +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "version": 1, + "metadata": { + "timestamp": "2025-01-27T08:24:31Z", + "tools": [ + { + "vendor": "Example Vendor", + "name": "Example Tool", + "version": "1.0.0" + } + ], + "authors": [ + { + "name": "Jim Fuller", + "email": "jim.fuller@example.com" + } + ], + "component": { + "type": "application", + "name": "Example Application", + "version": "1.0.0", + "bom-ref": "application-1.0.0" + } + }, + "components": [ + { + "type": "library", + "name": "Example Application", + "version": "2.0.0", + "bom-ref": "app-2.0.0", + } + ], + "dependencies": [ + { + "ref": "app-2.0.0", + "dependsOn": [ + "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79/1.6#acme-application-1.0.0" + ] + } + ], + "externalReferences": [ + { + "type": "spdx", + "url": "https://example.org/other-sbom.json", + }, + ], +} +``` +The bom-link: + + `urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79/1.6#acme-application-1.0.0` + +refers to the external sbom (eg. "https://example.org/other-sbom.json") which maps to serialNumber and version and component (with bom-ref). +```json +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "acme-application-1.0.0", + "type": "application", + "name": "Acme Application", + "version": "1.0.0", + }, +``` + +When a checksum is not directly embedded in the SBOM we can assist the heuristic by using an externally generated checksum. + +More information on SBOM linking with cyclonedx https://github.com/CycloneDX/guides/blob/68981da38d86487bc2e24532484e6a8128eea65f/SBOM/en/0x52-Linking.md + +### Red Hat specific + +There are some Red Hat specific scenarios, using cyclonedx, where we would like to establish a multi sbom relationship based on denotion of +**evidence.identity**. + +```json +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "version": 1, + "serialNumber": "urn:uuid:337d9115-4e7c-4e76-b389-51f7aed6eba8", + "metadata": { + "component": { + "type": "operating-system", + "name": "Red Hat Enterprise Linux", + "version": "9.2 EUS", + "supplier": { + "name": "Red Hat", + "url": [ + "https://www.redhat.com" + ] + }, + "evidence": { + "identity": [ + { + "field": "cpe", + "concludedValue": "cpe:/a:redhat:rhel_eus:9.2::appstream" + }, + { + "field": "cpe", + "concludedValue": "cpe:/a:redhat:rhel_eus:9.2::baseos" + } + ] + } + }, + "timestamp": "2006-08-14T02:34:56Z", + "tools": [ + { + "name": "example tool", + "version": "1.2.3" + } + ] + }, + "components": [ + { + "type": "operating-system", + "name": "Red Hat Enterprise Linux", + "version": "9.2 EUS", + "supplier": { + "name": "Red Hat", + "url": [ + "https://www.redhat.com" + ] + }, + "evidence": { + "identity": [ + { + "field": "cpe", + "concludedValue": "cpe:/a:redhat:rhel_eus:9.2::appstream" + }, + { + "field": "cpe", + "concludedValue": "cpe:/a:redhat:rhel_eus:9.2::baseos" + } + ] + } + }, + { + "type": "library", + "name": "openssl", + "version": "3.0.7-18.el9_2", + "purl": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src", + "bom-ref": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src", + "supplier": { + "name": "Red Hat", + "url": [ + "https://www.redhat.com" + ] + }, + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "31b5079268339cff7ba65a0aee77930560c5adef4b1b3f8f5927a43ee468dag0" + } + ], + "evidence": { + "identity": [ + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-eus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-s390x-baseos-eus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-eus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-i686-baseos-eus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-eus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-aus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-s390x-baseos-aus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-aus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-i686-baseos-aus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-aus-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-e4s-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-s390x-baseos-e4s-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-e4s-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-i686-baseos-e4s-source-rpms" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-e4s-source-rpms" + } + ] + } + } + ] +} +``` +Though this would be not a dependency relationship (eg. `CONTAINS`) but a `PACKAGE_OF` relationship which means we cannot directly use cyclonedx `bom-link`. + +Where a purl is defined in `evidence.identity` will establish a reference to the component SBOM + +```json +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:6873e671-5b39-f541-0fa3-1a69b79a5892", + "version": 1, + "components": [ + { + "type": "library", + "supplier": { + "name": "Red Hat", + "url": [ + "https://www.redhat.com" + ] + }, + "name": "openssl", + "version": "3.0.7-18.el9_2", + "bom-ref": "openssl-3.0.7-18.el9_2", + "description": "The OpenSSL toolkit provides support for secure communications between\nmachines. OpenSSL includes a certificate management tool and shared\nlibraries which provide various cryptographic algorithms and\nprotocols.", + "licenses": [ + { + "expression": "Apache-2.0" + } + ], + "purl": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src", + "evidence": { + "identity": [ + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src" + }, + { + "field": "purl", + "concludedValue": "pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src&foo=bar" + } + ] + }, +``` + +We should use the same internal mapping as we do other external references, for example: + + `urn:uuid:6873e671-5b39-f541-0fa3-1a69b79a5892/1#openssl-3.0.7-18.el9_2` + +Would be used to create an external reference. + +If `bom-ref` does not exist we can assist heuristic by generating an implicit `bom-ref`. + +### Handling errors and asynchronous ingestion + +When we ingest an SBOM that refers to another SBOM - we establish the potential for a relationship. + +It is only at 'query time' when we try to resolve the relationship - if an external SBOM does not +exist (eg. never ingested, error, etc) then we should raise an appropriate error. + +## Decision + +Implement **sbom_external_node** table +- documentNampace (url) +- document version +- Checksum/digest/hash +- conflated reference + +Then a node, in `sbom_node` table, can use the conflated reference: + + _pkg:rpm/redhat/openssl@3.0.7-18.el9_2?arch=src_ **PACKAGES** _https://example.org/other-sbom.json#openssl-3.0.7-18.el9_2_ + +to establish relationship where right_node_id is a symbolic link. + +## Alternative approaches + +* drop FK +* amend current table + +## Consequences + +* Linking between sboms assumes both sboms are the same format +* Having a general locator on any package/component in an SBOM useful for engineers wanting to know 'where' a package is +* chain of product-x.y.z->component-1.2.3->component-blue-5.6.7->VULNERABLE(component-red.987) +* do changes to the document must result in a new namespace in known sbom producer systems ? +* package_relates_to_package should have been named node_relates_to_node ;) +* reverse relationships are out of scope +* The UX should over time start using the api/v2/analysis endpoints \ No newline at end of file diff --git a/docs/adrs/product-component-sbom.png b/docs/adrs/product-component-sbom.png new file mode 100644 index 0000000000000000000000000000000000000000..4cd489cbcc9ed746ff23d19886797f4ce3fccebd GIT binary patch literal 26119 zcmeFZbySpH+cr)K4$TmPG&6*Rz#t&qFo=Svl+qzehjdAIj39_~DBaTCLxa+tBHcN} z??UhUe&6SL-ru*@_uu!e_03wW#mp6Z?{lB~+~?lMaqQry$_fOycX83s&OAQT;}WzOI{YJ6O-J0#0(6ezyCu(@xm)A~A?cmTKw}Ye9cMFRmkX;<0NW_wr8B* zE1W>W8(z6a-15g_lKRe|bNpTbVPm#oGA-_=5k~+4Dl@>WOz*=<{@l$|hKz%XsH-Xn z36Di%Q2O%V_LJzr4W|t)s6}BLVjyvetgXhe`%`Hm0g zM@o=ujne_6a=v)cst$2G68uK0@a`H(4BKFyTUQy}=9A)W0z9d6(F11>L^tC=g z=1z197^dKNcRUy9uBP58o}d^*6pzi;h`|(_BecH_3Zs(uDM?q5uF=jRrlir|lpnO0 zdyUI|Y2SCn$9H2jB=eseVhyQ?W14D}B!XyWh`iqaz~Sb(xeONpE>nVxAN;m#bvQzw zQyzmV{C5Xf89^yS5t8yoH~oZ|q6BpqLZgO$cjvOeKaU~kYi$pNzjA*H7|R=$ZAd&@ z+G4GC*}!f{k{~ZqEA+mo#&xcv?eRLJn&4ZN^cMB!aq6;&@!DfH_FzottaLkWp~|1C z!+x^v`D@RTL~Q53it*g6ZRZ>GGPWM}$Pf=Wq9eDK=sJ<;m!4aw-#y-N;4Ph_jI7M? z*ip~cE@Yq08$nC)9HJ%IsEcel3+Y&MG`Tj0C!ky2b!tK^1@b!dL&JWd)Do>igOUyZ zY1dhaV8WPWfrgpUW@Sc+eY>Y06u;#9fkvTDN61l66pWLZJvJxISn)#+d?|ayMItH@eMp?t*dbKsA$To!~V{|;?*SzP7(`NP@$1((7qJ~eGp79@jR$5@}J&b z&QiW`qS+}g^wr@w$#_(c`|EqIh*|x4?D<<`tv(U@kq)IV?2J4-#2b}`t=tC!3xg%T zzl6SV?Ema7ie-J0APC~m8Y=c zhDVu7^2Dp5%8cis_nkM&orcFecs*}dY)$&abUkNM`kH@gIi?;)4FkE@FSmAjOfB}F z{V>zNZ(DYa)a|7a!&&?BItUB`OV3OlKbzt;T6pj{L4?Y>Zl6Wqs)COEk%n|i#AS(D ztKA{hEFOK`53*J6q*m@%qlT?51>+S)eCOet;aJU}VM{pK(Rn)cXzv;Mf>Vp?NroVT z-NbAe`GGXgQ^(s{p;tQ1U5>}&ii}gQ5#MQNR%*@Aq{L=I)Sd4gE_})5T zC$>?(WucL1!SR&Kxa$-7+V@OB$1H>bFho4fcE`PM`rt)&K?54iH9q=9m^7+brMF?Uo25 zp=Gs1bkho%{NN>Q73o5Y>hKvC><^e0^rP4C%PpICTODdgf}Fxa@N%nJ7R<`0BJvoB zln;6W+;Iiz5raJ>E>z3iXnL`uFRWisU0w^`CV!+Bw*R9GanWpqt$&tZzCLGC?{&;M zv8S3*vA%?%X15r3mM}8b^*znWe6-A~k)}Nkvc-%W7iO2hY)&E74&#QHf3+~fHX7PL zJ2hHMfk(3!d{&H#53{m#&D{~Y+L>b)uekaqBPV_KfqZbcfM|GC;Hm+A>2+9hOR$7c zI2MRWXs3CC`$z4`w&Bdrk@0G4ocp@fK?PHS3sZ=>oE3P)D)gbeblx_7E@^?KL`EW( z?!}SM!;-DA5I;y~(>*C|5IT z=RtGe(aT)O+RWs!^ayUzB+jZLDXZEl9e&E`EziW7$CqwJX){qAukL?)Gyc-UA{6V4 zS^NwI`Ze`dKc*hCN`R~;5U}&hz7CpQ$1hN)go5)759Qj>#Vq(eC-caGjtWnNp) zcaDEMbs`6S?5?x8o=q9M2ojR$Q}0Ql8Bi?d5`6TDfl>HqCl#ah=gG{}(+XLa2kX0Z zrS(y?*6KwW6(t6>PJ3Eo14iL~j`gq7%+546QBV6#oih~qH+9@(<(h{`6?ngm**IwY zxbwKZq1BDI=6cNY)PnIl4y0N03Yg=qwPk|u`fuVC(scD!ZdteJu|{M!%6QRAdf5WOzztOYi(cru$eG0 zGWSHwQTX+|bGi1T*Ci%j&wg$tXx1FFmcMh_Oa+-aW_GUX4DY{)Z;z#N=(L}p1odm> zmr^iBC|lNtO_}cG?hyW-{;yQ^WL-aG%roOQW*3edK@`rtw5utV8g#tTA*gIpXOt6N zrnt^=ANZ5FnLwdVW9~gL69h71(e{)6>S?3<3YM`}>9>{6Emh?RtC_M}xT_ptgnhyj zl}4lKYoD$UX!u_-A{Z1-(lJdyc*69USh0 z_HmZK2!9y{GgOP_`h8y(A|2`V?L~7x8PRqS_fB+D&3o%`v;&Lg(SJdosgy)$ncz-i z!eY>`GG}mb{N&T_8JWX%1`Cl!8c*)ECNP4r!?29boM?x>b^?mNlH4v%_d(7mjmBjmf|5$dnBy0FnqIx@!(`tZm^Pu;8RHCJ+kYIMLt zZOOs#<0_h_?q~?T>o?R3f5|+$zPfwwGPe_sMtES z>?&kq&6uc=Q6|*==8jHCHxr5JwWY9a;WDh)AIf^2-+wO(9;F{8RX-i5eF+z5Rb8}T zX?DaY#~Q?=g5@0*mR=}C%pOvWl9~$?JlnHb*mrU8Nz^V-#E^|x5Bqe;eC`Qj=nn3Y zzN)%#I@a?Goa<;+AmVk~bT8)u@^rhKw9hNVuRKA+Xi(#FB;WS2dcI!BghX#kqAlK* z-lDU3e6Pi|sK>{1T5cSF7I#59iN{*G4Ha8i^l64`kKVkmt44zOA#9Cp%OZO zcfRSRdOx1sar089FFA(u*-H;jDJE9GYNj$MnC6zSO}q&WmQTfHHutvmh1`(jBF>tAPC6_}bG5d^^zRCr$(P(^pLi=tQ3$saZN zoy=LKGc6o-^KWXLpiDMihNbYT-;z5MW*$*HurnP124H_>w6oUUj4(OK?z-ZH@0&v(XTK*=0Q-i{8(I6Whtvz24!kOgUgNRvh~DHe>h}oAJEF+hak^ z2XBMV6Sd!`A5zPexb|c7Z)_+-$&fl|Tb~_YR6>*#RFbc7j3iLlJLNgPk#{TPkK)X; z2ZZ`5kl!`qS1J@*(%04(@9cZPmhQ({(vF)1oj2gc^&4GQIIK%k_cIyHXE$gHq3#@& z1HA?;G?JgcapbrGT;%mstzK(|TFpEs+M5&#f78fWE`ng#>4fkRpX|&%?@`LaPw~cO z=E&9ZFZ2~oGeyl-IqlHNKcV{?%h+{hRwC!4{ZX;MH99)cgvE1t*&tiHBE+?bK?A|C ziX8Dg;&MN?ZDd>B-D@*h{k^(jX}wA9>Bkj8mXsb~Z1VW!HPGy+KT{f_HjW!P1-tKM&aGTZ!nC4O_M9c~kWNTvT@uKn5; zAEWK^eE$`=d`3csX8hgdTD%m^luI(R|Kvba$r$~6$C=njd9^iq|C&4fKy4-k!@Xs)Oo=A1RAB0MgOWsKjl_cU#F_m zM4H~NSTUL#+Vs*=b}febrL+`=0exyq(jh5YYVpXYr}}>{+aB89Lp$yHrLZUzJBOS3 zeE~V9h-dQ|6WkgTgmqYzP3=3QxdKVU{yck}b&H)0?gh%1d`s(@B@g%+1;jh718%b@ zjb_vP`vqgTnL`UilfkS?;YiAMh#<#lH zcPU}u#XG;>F-Q#JUaz;g5;7{ss2va&Q-3Q9h2mr2epw0z&64d6`n29jjyMks@>>QK zAU{sN9~!V+`+eF?7{fF{CLOkGJ z;6K7JtOI*N@N)4uSCZ+D4;s|5?8N$4-4nap-)EvvOkxij`c)VwR7xAaxnf-oNFI8aa3^O1xwDi}9TICA9StGesl>$b z^o0={e13}v&5COGTfgZo!_TRvP#!QoU@x41s^YmV+ro=CUwrq46YSK%;qdAO+HTSI ztNjDyiTk|YFs`*F9bGVQ-TWVdnH?I#o1; z+8^(tFOq>2Nnauu!GEcNBXxOnV*)NXuVHRsZfgR9KiLHa6b3FQ;cyh$ztqs7w4hJuFs`Hzb+T8 zbc@f-%&n4A&4N-PTl>FuHa+a$Xx{$5sz_T&ZHEbw()*XuwWWqBfe1cF!GGHeyK6pKIJ{ri9bBtiC?O{&G)Xlx%SFguGsu z-&Cd5!k{-MJXTa_pPX$z8Z|P;1HPCmYP<>ow)QffBnV{dHHu@T>lCN_-mi5g2I=8b zzTf%!L}t6r1@TZ3oG9T$C?g*sI}xV~JGXt%+p^QBaQ5h9)IIy3lsonvnTnL+&OAT4 zbV6F%L&Odo8h}-Gk&aB3dO`8h$=paqKwuz5tJIiM+=>R)uZ2A&eG<)b?4=UL!-z|M&&SFGl@8xqRBf1zV_N9`qV(%@NWo11o^N-8pmlDBEu6DpC?}s%X{>%PeK(9TlG(nS-BIPAB*6R=P3>U)Q~;hG7%X)2(cHaDihl zPa)?HI}v2}o-g|M#@k+u^L{%&HG1%N;(OHPU3$;C(p$xvPb;MTO}87&QOBBR2Ll5a zsBhKw85acx&{K(Eze1hbTzaTpgZr=10_qS7F0=}dclSD!lg#KJ z-`DzfyHy;8zfoze&=N(QL9ZlJr;&kObF>loeWknI*{eMFg;aVJF`37n+#!|dcot+K z<77@@{lVM8or3`c+k+RD<|&0bwref79-nWE$Q4o^!*E(g$wFa!0pBS!vH>-`j zJi0Sm^c-idKOs<>5R-+E>g;UwHZE=p>rAc0fl=4NL-XU!)6=ebUY0PdYaj;}C^s9C z4kV-7m#4bA=p} ziiNU;){&UTUvn9O=MXkb9wA&|vlgt2I%i%_ok~KJ?zqlR_nt>R(1IOVuMQ-)TPFw_ z4FE_?hB7Ta9dCF{K9a!EqFaBJql8Y z>2}=aUGKKHzEPC16U7Km5-7L}M^>!#rRdFA1w4-D+3n$0U08|ZeY>gom`Z|9tMqmI zAg|Hzm@I4MSheLV{L6KYZ`Zpr7oNNGe0ob9e4x@uRa(nf`KpgLe?$3;jkE*g}5E^eM((XFS?Df{N@IU z>lcx&pSq&Aq#%*kf*A@+!;ROuQ=5ZdLeCrKDy`HMSg)@(xGgkmDbDaHzTsGQ#&YfT ztdFdp37YRMvPDLg!J{%h*|oV|m71tFjA}4R(WO*8Nm#7J#7VbE@tcjrqsYz}l-3QD zK^?U=vZ|!-=N094vMYYita3PDsqwnt%^k`1ZkVZA@aNPTbQ@&gf6i9sdnA5}CWboE zsN~JG)+^`k#HWu4B%;ffN^+ll{d8wmv&1-9825gPTY);)QO>P0(>&$}`$8_WYB}lz zkjAqPx(5=y34tJ^j_j3C809yyljXhfM$^c8?m&X?8C3d%l0_S1q%jee%fnaQUs)jFC{y~lqz#cv+4 z$gH%OK}gH9kXOWWlwduK;HUa^vNcIweX#NzGfJYu^11JilILHuS0wZZX|k_4Ql_q^ ztk<&*mSVYvO3XF*cZnK3UipVxTu+VUWhgXynxVcv`SiZN)-eZtX(jZ|-hL=|u2dL) zfTvcpGYr zz3R@oIoQ*Uc`DxY)9`De9IxEV!!l&Ir{7HGehlHGs=DCu690L1!3V3~#aMrl_cgW_ zX*5x)3gI75;jw4go~`z+==+@G0a5y49L4P`rnUGEb!>UKIZiTzI(nWGjqWch4trCe zSq=N#jhH`~l?ip+8a5J5RUjfyDdm*GW`w!@D0wBw5C72Yk1uQ-A0XPeY)b_LVkaMH zzpTqXSGDZ5S;};^y@K4&EKHn9oH~I90A6}#|GL+i#gInvP0!Na*{>lpNw$HFRvg0l zjkiBGi%hACyBea4^~wxyQQX&yAj^4{=J=8Q)5YZpJ0X;PB@ySWVPmW)?;)Zou2VC1 zoL0#BDVI>4KlX)$o^cM)#+Q6}X#T9S&{f-5qK84XL8C#14l;2K=7lwV zM6Uh#f+u{k?vMTC^ZXJ8SCp8>{Ui4$a+yp_4MK~wT!3Ot&g_>p56tS$zPi%(e}>(n9xKvVfEwJ3 z{IaP)HQ!UJ>asncRVqshbzWMD8_MwVI(mpaQ1Vppy8fYJmVo=ZKVLUNMj^7JMlJ6J z=cc&hV~@hF+MUIAn8~ma2aY3@JIC4gzuBGq$f0)ocD%`(@o)EXNAh!+(vC%T<_l^ZMpliVawx=@5TCvD$E6f9@Og>i zw%~gNJB@)qbo&{0xkoSJUM0+Qxn`P@rjey=CXl7IF}jX&+!;@c@auWT80@!`rP8@c z@AV=j8Zr*%dA{0f%kdi@IC;b%rziZA1Hogy{^Fw4>?7{>CnUlFm}(LFkTP%c3QOM+ zGqoY^GF?04m)K!;WG{~!v-R>~LvSW=V8s^aLkh=I`MosV8_(smOAJ3%+c4TK_ZKv% zB#YQB>$W_`_9oh%t0bBA5g>Y{g!3BJP)!N$a-4elRJZ zOn^Z$=Q!(sv3>VstCH<$c9ihb1Fa%m&HWy3b};n*@?K@m)6ClxMK8a2I(2V!9t%_O zbEvgcz5N0BXCsH;=6Kp`LVx!<%j>Jovg(mMqg6ex3F|UBU+nCuY{a=3H-e$))s&EV zDb3?#YUW2D_syVwb9E6DdX5S(NwLZmuaK2JFAI7R&;BcZ71^`9qF0`#dI$5{n6l!o z?)2!*6j*`cV!2z+)I&RC6PHy7{3TX9(J5mSV{PA_L`;!RjkO&Lb)rJ9_+e#VKDrmR z6>xBq=lYy;3rZp4aNC5VcO&a+OEwY?;Hl(MjoQKd4Sc(|@N6EhT7v!aB|mjoy6U4J zqg7=cIDVeh8P@Eor0i`|>`dg|ETJXnGAc2EBR>)8fTt2=4@Z z{FU3A$Y$RRe90Af5&rsT_e0f~=8DJHJ)g~}GV!#2LIBG?WkE1J{{e%Om?|ed^9rh< z7tfESuG1+>KF5Sw@X^3h<0RgdZnjrMXp6@(^Vtn+#}ar*7-5&LB1u-V;?^AFKNqRy zd=S$#?uxlk9R-6bGRB6wV8roaF6W_?;~oM{SGKwwQ61rTBGe6k{sQJy1SCy4024(71qYYh1fPKKGIBSo=Y9;x9enm zIJu*|zn;Ebkj~ewcuXL>EU+A8n9CYhA59fe&1ahH9VL2IX*E;I4T+BA)~m^kc;7u~ zsYSTtTrDbOcn=fq!nrJNv8tA@)j)I5h$8&)v(Fxth@}+)F@W+xBQ!qmeS}BF6UNI; zl{#6+bgI7ghW46rYG=pV`v(L}#ul87zyTgSA5mp-c z&*bE!<7Vqenv{`CP^H>s-niy;d}7Ph3M9#!i5>6~%=se(RT163Vl=e!LuJJLx+9z# z9uNECfigj3=TjO=c@B=UOMvZ$bAgT3l`!-g`VpK`(OTg6q2fIt)Yrb`C;w4_NiP7y zBTi)SKA&MnY3Y`g4l5u%V^>jaT4lqYAC=&fu`^vu!Y0QS{8e%ADCXFGk*7>j$$a~X z6*=mKiNaoT{f&qfpNcO&(yt$$6VT?q_FlePc^}b>g?FZz>}FS-<>HIY2Hr9x0Pn#P z*bxi}Gm#=`@ohfiAmPTIgjMKtl^sb+Wq!`lm@yg1hcr9V5>u@cJ@0ZZc{sp5zheo^ zq|(63bGomk*iAL7Ugp&|7AfQkT51^kJ~8!4UdzfgLQHq@gF5X4sydNN;n9B;gM_ zU5S(!mOQwuoQr@(KRr1b8!A_!cYx;T_I+N*ntx`}v)CBTI&w0>Bo&*2oS&uu**Or! z-@j8T;IUb3aQb#exI9yGw0`m`wOik0yvf_Fg25GvbhQY^5(=rf$VwUh9=L`_G4ACG z!qKu~#LTOb_rdq$P|HbYLdqZi!0AiK%Xll$0E^bAHtr&U2Xj#ib#tTOv3F$YGrN{v zRvRl?OxC~Rq6Kz4!Vqb=i+CY6|b12UWXXFgjmksE4ioe!sIKvD-`aGL~K>b`b?+vI=Y{< z5}9>{hZo8E^s0C1KW*uABzzwgiihNkqVbRGd=atUQw@{u$IR7D^AVk}~;Ah2RIq9s?g1wFYq;=0_2c5#Fj7K%G zb4g&Mig>K*2c^9>aHNu-LZlP`i3zdqC!Sw6p`)rD>rt`Y+A{}ekK+hs0fM3D2}>k( zVC>dpnqT5C(Kk`T-&r>1SC(r9o+RX=XW+A&#D7S<-nD8CC;=MLT$>*l8+~R>Q1m$X zQBYL~mX>`&r6f9k8KV-Pg>k*d$7f$&{6fNLs3$zNthq5CQ|kp|F_Q39sn9>L{voe} zp+=|S0NXuWGt*~O%AWPy;{UcjDAgB$BVoC^95$`w7BvqJxcruh>*4TA~ zGEslqeKMDq5mK5di%m*f>(q(B#NqKgd_&Gw8p8=>NL4XB(aiXz@8puHVef%72>{@t zyu%Z#HYly7m190i4YBe0~ni7m!58?RCBW#ZLR1W^w=;IYf3HG7<+I})|k5bQ5+{< z%p3>?|G3&V(i1o0q8Oo}ckl%s^+nnaq#Mj3#HcN;{n|0)BWI4!BV^d8-hhYOrdo?^ z8ff3|g1|re)<>S-v5cC3wRbR}TKI-#VYbe}+`*@6y0Oi>cXM1^Rz$K z?7}5#q-&^@MzxIsv@aaj`RMiC^u{?t6>U$?HZsuLA7AAC{ z#nq`1D!4ylN06ZsVjgbEhhYa*QnvaCiGv|y2b8do zt9e^17V7oR!dLQ4Gh%Qe!no(dJ$|%$k5`wrA4#{2=NT0GmLt;>A8;)@W~qG6#8#9Z zHM5@jrl{lHx_A3aevt$K)$;lF+ne@hdsi*-pLyH^`_WVy$cfq&X_1-6OxL9%_D$ly%p2YjWMbbXtK)5*q~u*-h&;HXl1kD~H9Dufix1 zO6uKe7Jj{GU17d;g8o}Z4#o#vpDl$JIXAYLMVCD-;%Z~OSM>r3CvYOcF?KWVQ$i%L z=S)42^hOPzUU{VBIPyC|^<RYEqAMzirHoAG$?px$*w8^34EikF}-3`kNv1Ewh|J|cUHaJW*2NYbtVd|2xUDA zoMu&V?l0TMt-Rl#j0PNA!2xjE)iR{pTV#InRyY|m%?dv^qwZ$=ovi@^l1nl9<&*5T zoUQP6sN_mH%bm|rbIkiFHRShixg&Xbo#V$PqI7m8AR%O_O+QTxyT*2Wk5bQm>GHj2 z*?GV=CF^}u<1Yk*5?O+PWeAYrX5DE+RpE9J>kXzEdo`7m;ka--_=a0A%c3Iw!R4Cbn3}_q0cbR16+j4n zxrAZy83Oyu)j>Ym{#?NR=@=zwk_Rl>^zV2GFId~?1}51>`**~p6K)fZNF{(YV}@aQ z{2S`f%rEaF5Qas>13qm37c}<&$bw`YmXdERoE*AX?1+`lU&(NQu`ocsb#C-d^k^D8 zn))T84KsG?41?=4DB@bqrX1E(?+5WONF<*^ju&V$M!(ywE=MU ze{`8&mSYl#r_&cVHH`fB=mLX;>2G8G4>xwEOQe_xJ+*m%B0o{NBaxK0du$mRh@hDE zI6V~7!j`njJW0v;(+U3rrs@JUR(UJeEjt^E)u|O?aW5ZEzFt2?F{GmX8hXn5KUSXy zJl!1syHo%3ecp(9!aqpve>y-D+y>{jn;e9iL$Pk5F-pzqd}XVo*tThSA|%6|Y?kb%rm|TQ&4oXjw$M#f?>^8cKmt#rj1Ji z1G8##GtP7VOS8L`TyL! ztSvw*i3W>Ag zD%t{nfr(>WP3XR}HOwXCZ1_zh#&T7+#&PBm=u^zTdxmyj1PCzqTPd2dE33OKZ+(9| z{?(jfJ{29M2zA*%6>=ke(hq&u{P&2o4fSicUtL6{cs`rE*pax_zuKJ8thb<2x0nv{ zV`Ll<6`BtBld5+!TKU=cImP%7I+_A7jtXDC{~^3X;evT8s-AsqW;=zEIJoam7d0a7 zlFYd^^e9$(X6U@#HikmdmB3pcvS7y&aq{J(sFe$PmNx?>NcrzU++sA8GEf2}U$4P5 zkmjFB>mz$tf%J-VJ<84Uz?f3V*XOq^Fq-h7yH7l^H9>ur|L>79$}e z^Aq>Qaian0OqRC-YYT;HTCMLdN*68$NW{zI|U zv|@Hx;j^xIJpvYz=V4S-ATrk9Y=s-C$loyPyeAYH+yg*{Eh0x7GPB~Z2MTpgEe~Gf zQ}N>hn90BzY3mGWTvAdr!=%&p=Hao6@^1#rzf}!|usNNV%GU!{U|8@JM$B%FTtEDH zSo>+F4J-Ic#09M6b=tgU34~C9&1+Zg)4gfeM zfG2N$5ae*(Crp1Et%(q-rru$fy$`(TUuytRQE2~!2LL^;dX28UR`+UHVX5>FWkVlY<@=l1af6QwayDJD@;SLG zS={+i5V>@)1*H3i)lD zQp|_Z^H_gRB{y;Aw|oChtda74jJTl}@ScjjM!!#4^#q6xAz_y;|9z2yC?3F=eqd9( z|H}J?az!ZOzgy#wQa#j^w_^!togpJ*`22T9t_M*W?^im@s+E-&zAim58C>juSK@*;;i@>KA3ft z;jXh4&XjMPX987D-cX@60|c#=H%T<*q%cYNFEdMw>Xj=9-nNA61=l|K-bQ_ve%N19 zs^L}AEF!7cker#x*LEt}5Jt|nki>pMQa4HLc&}uS8p-w<_-%p;Ca;$}5{f4P#V3PR zkQ&%RvHW0p@U={k>)1J137YxXSkBQD;!GqOhIO3mc7AHh(o8S}@jf(>g+^V41z~;H zqtfc!m}x|GZ=*3tU-z*F^Kc9=Wefh6OZ~;{ktEFBa;Va#UsHHZz2e6zMo8GRLUGcK zc!oK4Bv$lH)7wXw;E}P;Pk^2!e(|syEF528*O`-nGaTa)E9!4}Sy458yw*s>2-_zC zvaZd37AbXTUG|S9=LrlNTYGxd>E&-2RPS7AX#X(${^S-iM4U~kLU?nnQ)!=al(Mwa zuJZ0^&DzjB_2vDpfQ;@`Rk6dE^>Ur{zJpvjm_GC1{iZ{Ug^itt8Vl8)t8XCV7=F=7j0<XkCRa7pZuW5 z%#kjD6H}s2sy0T&=8rEsojx?-#*FS7?UbPjrdVjCGjOzktKEu9Lcd|$v68rK#?$nU zQLfnVJjF~DcW(AHn#lVi1J^9p5bQ84f62cIUj19Zpb`+^&)|_ftUL3NDgCqw&fo>) z$m-gV=Gy=_j|8COxrQo1DH$8d;q3tbbe|v$Yu^cw1OQ>sl&c982w8T;{f5zwR`of* z$`GB9`rDKAPvr2$MdBj}UNKG+t#1WK5;?M9q4?}Ap3V1EOI(bn)3{J$K$>`lEst?_ zBV(Kfwl)w9C8?|+KPEJ=Ipt}{0eaJ%tJNT>e}SZ3_|zd<6CIw7%Blym!um>3y?Q5C zlTcEnqPn``<90G^H)6qw|oQWQPZ9OYS|wm>Hp3R z{(4oR*8(~fb8q+GDe8mpc^o0Xs`r02L#AuUtghqB8b1><-aCD5CM#P5=qwun)fC71 zV+_QQ`#Eh~a8Pf0Po}_a+}ka2^x+5Rk;5BPDmEv&Sn`!gi$_x|b}Y8%#Kt+FK8q+Q z5bek>E(e4<+n~}SPNbK$Tb7%V>dagiKJ}=d1QdBA>m5@HvJO8_II3LM3F-NmVC3=` z@rob97?IlEh}23z5^HO<%73KCl!3*JD;sd6Y_dN1@g%h6aba+!Q z!oJ>fN_NQKL@8{(4IhiiE~OI?n;Hu^tPe{)eM(Hh^>X=$zCg+s`!*3#=l3s4H+Rd* z&bHk2h5P{g&2$y-eVrOVwLEp(Mp6>QfFa-kRFt43VTYDju2;qOtIFF>fDl;gMmvlN zF<5L1{v_pJvP7@GwF#nn5l8lw);I8WMzT3r9gHb-)H3> zNE9Nyg-3B%y#;{*lDt3f8CTX%hMC}o+~MA~pHeUelK$U?50uEYEO$i%TezT40k7lc(ZxlNW=kKiU%Sj$r^8rdQ(O#oFN2QuK#%&5S6!c|6K%N$s5Y`pDF^k z?*W?R8#VbpK-^6~y&0rHhn~^MW2j!-^z8p7#U#JVQch|KA?HX2xLAD&f$!g=4d-d> z#1D+*YmvtDnR;5CP$B4k_Qw0Zs z9=<+M0GnoU>dzupCO~o+^sCx&cV6m&<>ZSW;`2>@aQba5w}O}DJo-&&9s+(rn}GQb zr=!t3OHFzVXNYJ%5w9sJ6$kqJ8w{n(tvAYM-gKJSNuge2gy5VzDR3Zw@`>D=H*B6) zXQqUYgWmmQA9p+646bq5Sg#|Oh2HeNWWISiu-hI6j5J#bk~Pi>{Z%0;SwLw{OoDFq z)ngnS7TFFvicL}0Af)q+ z58(jgx@EH5e5BDvUz$vU#y4pdi=-XkvLS+XMCc*{o#^9FSq~dRHSVYPWzpwSC-WK- zeqesGeJR3QGCwHkXQE=Um@??$R3y<6$@~(=yqei#3 zBJn4lrWtEUDd67m!(T83ZO?X}L|?r-e|e5F#KOT|I(lZk?xw)<@#|AqW`9a=rbLq4 z&8Y*?)c2Y8y+`V;q1x3hAS2HU@FlfZa1&aCcUmnNN+4a4``!q>gU{Ju)YRBm2 zQylI*K8;2+B2~p`!7N0_aeX6w66W05@mL`VD57mfDVvrm4?ae@h&K4OA?`LPgcN8i zNKU&U(o0bL!GenX71I>QTLha4hS!Al42_-x-HEl>@YZp#VYH|@8!T42D@oQCh_SG= zUx=t`xGPp5R{Sn2v!3mBKW5_W^}FK`#O@~}C{!s0E2nHX$wyJolu)Owe(Gc-i3f}% z1#C|G=WKxfKl9{1#ZCEt{s(4fV1{fc z!x;ZsnK8@(Gp#ic3F3+W;@(DC>qDa|fpG8`h*rR<1VG6^m_@z<+=vB;2LSgLn7yfi zKd%3(4={V*WE#J#b7lmcj;IQ!SHItOL_HS8|6Cx3`waX&^O1RrfG}3#&EUP=uzdor6w!bl4Q{bAUO@M) zaNH~8ZUo6N_^XCUK=3^GgLUXM8XF!9rRx6Z4niOhfCBS`a@38?OufLeMd4Qog-*hJ zs4gTqI4y6iDAl-+>CKNSUtBCu7NEpis((o^2q~0}<-1l8p3GCx~TJ+BL!0Rf}J**?eE{fuEi zisrOMg1SU*HBQuF*OadXPmZjgPM5_Z=BM}6R&B3GWsbUx*PBHZ44L4B3L?;eXf#VI_k8MN$%g`Zy&rPpe zdmMTe=Fb~P-nSq)s}Wxa!B}>(Wj&@T+4ruz1`^w{=uc!agu_ST;<8n5kFYlcL}y(! zmqaV5o`j!k*1jcw22}~Z5!bDSsllmYAIWuwzY?@r-jOk@V0y?#S=Q03rU2TRuJ;`k z`@964%K!)D)-50W4c3F=fpaP#Ke>~9U6g(@EGj?r@g>b}?y0k;n8M)!q`93{RC+n+ zJ!|$^Jb)4uIADUzaeFF)PNs%IHT@|+qmdQJktLCDks@E$kfc2G07o zqi2{mf>=T8IoW356cCef{G&-)-Zdo}VOO*Tl7%XljR4&6rY1>I_tU4h-Zd&??kR_# z?5=w2{1VP4{r*)s%Syqj(Q8%e7;=Ue*C*3Rl9D?Xec>53&~*|FoR+Y#QmXbs7AfWJ zT25`KAIG?EkBZ!s3oU#yVy+Pj>e>lxo@soV;6WKuua50F_ZbpA{#ac;-pN7EB=%D8*c^C5YRW9)^J0~8!_X-{?|ncd!4 zYOow(aDP*@Kq+9r7Ljy{_dHyqV*clQ zD_M||wMf0a_NwMjBA$r5WKR-AKpT~pK0A%NsZ43Q36*;rEtY2Q%io;2_ny72xV$p@ ztQd3;EMS4UmEt);+sHMsVn6Uw-sf6DdgY`$Ljxu5TwvEnnWDGlRw@5E<}FWZkNy!q zy@PoG)2)!jC8FyrCWEeZ`r@-diQ(0dy3cnC#NUJhI&y=VSbj=D4}8zh71~^Lh>6xO zKQz+xXIsn!(k8BFI}1PJ*j#-Vs+-t!;EZno3zaUv7#d2QsU5E|&ibqt4KMbu*g|U! zwlp2SRCCV?3&98ux;dRB{Od@`o9|!;5in?ky*{F_z%83f>TGhSqyKrM3P3e|_{s{} z$mgt#5l?$Fhg`6O9WCThvjxSbeG8QI!Q>lphF1gjya#zg$3-qhPiViH@AKxyc-?B( z<#>Na>M1!(b5`tvk`McI${g!nEA3&q>P@T4qat;4_|hs}yHSbw@+*udI>KlEpZaPofqzxLdnHQ^ye0$62n>JsFlXn}+oD z@<9(9(|o;RIf5ED!mSW~d(ZN@Nc>6WL6Zv0p5s1BLFe>Kdq6KsE>q)`^LiC}b3TN* zUIi zzxJ3|hGT57RJHpK-QTJmCbd0ftygn`U1<%zRP?X2LcYN?+W9SU;A z@3SC(24=+{pJeF)igtaKhR`gJkG3s$yvX&@sJ}*vO=+V2X_nr0T4U-TBPHvN6_uQ= zXBI7cvTY!!c7DgNum_eV37`jn{xy5pJ|c#Y?2A8 zeT(gB2Y3U@rCI*g#l$KmRN~Bi3X>tB^z$efSD=U%`-f72>V4azJ7=I|YCA>YRqu4O z8M&xaLfHe3>b?d&eQzSg=I8VodW1u}nmx9QdR%n2^BqfgENe+j;ZlCp=KCj%P?~a@ zp%*WwWuoL#sTBrcGv=zKc=fc|Gr!jHMVNBCvsQ299mfR&7uy&1lZY`@F&0{K%D&=O9hnQ*|bVm+Sa^5FE7{awn zIBB-PO*)PxFE>`$IiJ#d2|m=eS(rKdfk|BC_!TEcI)KA#{eG^h(;~NsX4ot~#ge9T zBr=REh4ps#5k+xWTk_-z7q*NI_Dyb5jmZ3Dcd}HdNQI9)P(p^YzoF4{z6!ymR z!y97>9|l5pM;Zq;blqD^-jI?Lq+*!J@wjzojAY|wB4oHjUfU5}xAjtxW$PBF9kcpl zLdh#^eIg?q{ahH!TGcK|si-Y@;Iw0SFFgxL(5w>x)W1U$SMJB`TY^AFV@g`2G#6)%jO zQj6u(%WpDZGaCQoFVHoA=soWt0>tm0t<+;X@`2&NcD^@G;0tZLNBIz4`eBRmNf&lxg}T+DL%;O*t7aS|SJ zno^$)u#RNhEa%Lt-3(I5tcn~*p0zwop466 z1=Ve-U!+bBeM#icZ%;wyza+u*H^}P#xt;OavB$zKz-gR}; zq&ji*n%0}f?fts`zYh%4`PeiG6Ae8c7pqiR))hPu)JBq54}UC>aUg-*X-XA~#u!I*$U{2IJbcHL1}FUEl_q=$k ziXr{f!+D{G@JCTg&-&AD0i`MO$)-Lb)uVKO!9GEex_5FG-L98ynHHx(Q91VA#sjJpgLkKwElM{#i zkNla(SUNz~1EP=^o&A^3>(Hy-j*}W~brtftVt~u7j?_#7gqKZ1dbBxeLFKCP%_FMql*FYM#pvgkLfmNI#6EFA z{Sb&e!}ER8i<#t>Pw*(HCsA;QXX^H=#y~39Pj$2RLExCs zuw2TWHc`TU^wgN*P$mX3uuu?8;)W!PyTai?1Jkr-jwm`5WArmn;=}Eu7Og;?H&vR| z@ba0+4+?HHWN)n@g3P^7Cm-y153-6;cx*_ZowOzhvv$^DNg!t^p_ z(y?n=uPT|wU*m*gL~D{>`mJ{K6tA_+R*Bvh6~FY0{RHNaQlL&eWvu$fG%3bnl*9O; zHPd(~$47hmy6a<=kN2!j!hWroHtBMWLv4I8hdjreJ84_@3_>b7O%(XcdkXg zx^hpQ9E#%Mc!LP_M;Mw%#xB?I>7)kL^%|tCD=A#TlYQWW2d`_AhR`@#K8T}H9(LUM zvgz5>36dT-;X~4*mE9|^-PBA6Zr^mfU{%bEb?sMAxO8sA!$OMQ*M5Z}V1BR3$@|OD z?24kA|G@Wf*B@mG+iHRG2aB02qKonY8V9K@i}HCW_!$HVkM0X}8RA|}oD1^)WR`45 z+%gTfd53G^$ZALe6PdNC7onepOOwsfcB?3Ywe5^Po7@(`0f{?BbGo+_YbGy2#2sJ0Ia(zQ{^GFNmZ+{DbP7d-KXe8qv{ z@o0si2=X)qWkqHzT{!ygV>ELtIzkNvmjKg3how_RHJ*pPJP(TqyAeS?t%`!2K)@Oz zfS6HHRGAcuIfV@#{@2Ulu%O37e#YcF;kU6~P^MN5X7iE2isumN zEQk;^8q9<j2_>e4qJ!qpL0e!L!tO+nBhG_0Qce$52#E+2 zMw~y5?V`pipfVNzV+Q%o88z+Nqe*$NYg93x$tKuxw~syE^RDpGmSM7|)KsGXvzn99 zZDyVXuu`R#vksBlmO-`#{er{(AL+;T-1S5^;`Y2JFB?d}zFnTpiVML{SgYGfImJ$A zL4{IIfh%1J52ITS)GS`oMlU>#6SO0%A<($f;s+*q@NMtW(d@8O#S$CS&F0op`S9!%$+bo1W$u9Dw>H6 zdU>v-%|)=X+7ltX_Fyv8<QMcZ}1YSXGwW5RK zy2G*KP-wzaClM}0x(O>JrG1WyjwS=K?=YVOllBAo^}y&UJC`$qK5*M5YYet z8G^3cR`|VP(*436f@Fvc8w`L6@JobO1i2%v^6xI_i70}@3S{a2O hviAmarZAj z{-Gfyg7H?ViIyGQ-H&gvAx>K>cj-6%G`!>o*@-f(%N%S*e{rUGR?j%~ZV{mBl{n_J z*e)5^>w&ckAK2}j{JS;P5V85a6N!sCi%#EWvuKemHhC3W+4`kzHAP@=cbqQckesW^ zoE3;|e|`UGG*RTwZMbm(7N6{yH52!Z;?>>P&&3$7%#C^xvaVTQ;;t%|7Uq&(8zOhU z&|St<<;j2B{WimeSHd&5;@;vZ2%8aSk+7F4ieu__StaUzr^6`-6LnOBA}-d2zHL@t zH93{fZAdbSU*4?ROv=ouE9(P%7T(>FM}0-Z-$D3iQv^BKZy+b$!=RU0O4a=Y)v7(= zt_>X@HOi8-;vETMPn+uJqK9(0=c4Kozo>AJ;IHIOS$vbfeM}F{FyGtP+TzU9VfU#O z$v$+cm0PDB^&t4L>`Wz}2pIR+H6|o=?&4K67%ZgD&_mBAZ^EZ=KU+07Lfl5&2s6>v z-=?y3aLf#UX4(sB^`5&UJbur?*nf9@(L@~P&wkG;H^7XwtYlG)`L)f0azl+tzWPm5 zox6KEn_cnGvrMsF%|}IAo*vytNZ9)vHfWTG#YkgZCnXBIs?ZOJW{EVXg;^zfhsSV&G#7%%sFl0nrI-?eo*8PKeF1aaX z=hvD&{fiZP8M=GLb1wa{OM;aDWwV@o251XY)pssryewZq+wPX-f?C5uw}sl`_vJ9h z2G8y0_Cqz)4Sflic9lq%^5n_Gx!2w7ul6+EfIjd=*i@87r6X4=MgTs{%(3Bxuv&@k z4@kE?da@W$U&G0((!gf~)8;sbiml4^Nmh~c3$qG%;L)ZS_ zi2ZL_TCiF?r3u&Y++&FL2RoB1GV@tvAqi!`o_#uQl)TrkTxl)EKi75ZV93IaFqhzB z?Ib<8t&wv)oO68t&}C8mCqkIZRXV=tyd9PaLIb3DH{=%0`D#wIiDuhy>gm_5UAV%(zpQa@<7ns?2)nm5OSe4BYqtpj zr}6XSvl|z~L)gQ9yLj%qb(&FU5a+`a(Z0aA!BRI{au}eJbkN?Om@r&#WEjrmdZ2{} z%>5k$)ah>sX`l|~GozkSuyEChTKw$E&wmzc&6hYPb+7E*DDSJpfhY4ejZIJ5wJYMR zq?3>q{-U?9d7r7z)>a} z(evYGGj9E1oS`X4cj)9BUnQJ%O@ohN-r){+OzmOhAD8<*79ysC5{o5=pFofRPY-x> zM5mGtI>7N~gGCU1M+MZa0Qhg)AMwjY#0D>g{O$t&%M(;4#Zmt0z#=BBZBX5-Lf{xh z>s?%bEA1$w_w3MkO09tX9Zp*P%Jp8YtswK`>Nm?aMhyDtoDhnabMo^Jw_-JBt?chc zfT`QGM?rvhxsVs=rLPl?g-kayBzz?Y``i3C`IR3NCAgrGbGy|eF8KKm`Wud{>g^J# zKfcKaVq<-u31hCiyv;2=u1L!nF{@UT1+Gy+z_EE>QT7*YjE+l1Znc{COhCPS@Qca^ z0z$HTWYLTl1_NxgtLL=UU7$(y-~lHPNZ>;>@kIee{5!yE1S7s4JPwdst@(t{CIby- z_t>AK_-klSQsP%r@%sx#usgdf=EN2o_SUf?5Aofu7Any~?d5!-6=(#fI4*f-bgl{(d{is}`Cx uuOZ8UBR<51F~<nLjMc#y)W7T literal 0 HcmV?d00001