crypto-policies-scripts-20230920.570ea89-150600.3.6.5<>,̉g;;p9|$ g9vl*9w٦op72vZp778 ψOM.a /\DsxZdeO.r%.(S2ʖs:ܯd`x^RLsV&K{pfW'p$]s;4㟹Dt b?p۰G;`J=BF6,O3c ݆ >w(IV_( L'ZWQQՎKPyo?>CT,?Td+ 8 _( >_6|6 6 T6 ,6 6 666 D64 X  (88@9:FDGE6HE6IF6XFYF\G 6]G6^K bMcNSdNeNfNlNuN6vOwQ6xRh6yS@zSTSdSSSSSSSTCcrypto-policies-scripts20230920.570ea89150600.3.6.5Tool to switch between crypto policiesThis package provides a tool update-crypto-policies, which applies the policies provided by the crypto-policies package. These can be either the pre-built policies from the base package or custom policies defined in simple policy definition files. The package also provides a tool fips-mode-setup, which can be used to enable or disable the system FIPS mode.g;;h01-ch4c*%SUSE Linux Enterprise 15SUSE LLC LGPL-2.1-or-laterhttps://www.suse.com/Productivity/Networking/Securityhttps://gitlab.com/redhat-crypto/fedora-crypto-policieslinuxnoarchAWS,[B2G<IT o sU9!u# (U/k!7Z:AA큤A큤A큤A큤A큤A큤A큤큤g;8g;8e g;9g;9g;9g;9e g;9e g;9g;9g;9g;9e g@g;9e g;9g;9g;9g;9g;9g;9e e e e g;9g@g;9g;9g;9g;9g;9g;9g;9g;9g;9g;9g;9e e e e e e g@g@g@e g;9g;9g;910ddabec37e763480bcd544f648da77c44f7a6b8381e6467b5a136d2462747a7bfb0bdb095e6b1cdbeca4be2ed1b03bb7d9424c4020a46e7cd68a32160a6189f6addb83218c406dc7f789cd90b7f230feac4938419570cff45d9f0ae00710dd357ed66106a661d46e0ca53eb7268cbc5722d2cefbc38d8211801e9697987b4c7a24ba9cf38df7b87821f2f1c11a08407e2fd2c510dc8e7bcd0f79b1e9577b4679d86f5c7b39e3f5cccc995689848bb2673becd15689273efdfe7f07974c83504401e0a6bac35a9f506f80475c7b1bbbb909cfc732c157b660d26c7bb7111e07c9d0820bc57d1ce4477916ffe6226077fa20cb9e54bcbaadc23afe62a2f9297ab398f3ef6bf84821949cec505b249f11deade3f9f4e4fb311800ca96826a749e51d1e4fe44029dd71054310317de8028de4f09e17158d36c4e98c30d2472214e4408d51945c1b6e1cfa95748e1834693f3060351315ab4015ad8a97e68f40b1e4444b988051a22e25607e13dede952fcdbd3399927bb1bea270ec08f7a262d0c50fb780dae62ad275c76855277255693573603b125e8fd316c217ba99969df98cc9f19df1ce4e7bc7af298365a1245bfa8aa1e32a7719149542bb40054b0f10557bba47dde5308e136f835d6c8a844d9706188e2969477d15fe629cd2cd9d7c78519b936d8551163117f459658e6a617d4446154f92eeba66b071d20e7fecae52dcba60a792e62e882f1e57ee4d54d4c62453b3fa5304b60cad0db48c0eefc2d915174b4806ff60398a994266a8b447339291f11e842526ba2c83b04e5ce8f383b270384e11867a2d932f49a9eaa785c435314c51257ec25963eeb76198ac02a2b604380985c865e148d6091dc11fb82b99c2730706b25414c7c7a45b08b0ede8fddc5cf9fae69bda28d611ac5aa5bee6bc1903e328506dc7826cdd6ae37bde42aa7a3b3fd79089d6a2e89382ab730165db06aeb6e2b56f538df8d40a15f86a6a02ae5f8c1e12d3560c94486d0af13a5ea6bfde9565f876558e50c2e49da58ade0c68f419dbbd3cc3328575b3e08569ee2a8ee647fd5478a4eae88434e44e1809afbc885eed18f2288f2db93c5493dc3b39690c93f461a649b5e110ce83683f43f2f5ce680f81b60d1307beea19079cd3aa669a59fc2f2cfe7c596bba50c4fab3ad5dbef569911c0b24b3fce1544edecbbb7669a148c510c963b5c0dedc418b8ddd8b12275ef88f9fa136796d7c4a09b9b0009e08276141680f4d846bee859b11c19c35eec32475466b6a0d7cc7c3271bb26e2a65cb869cc23f2eafe13637abda8f7f423382cd9124f63e50c808520f47369da33a3dce3c46762da6b10e7e580f1903cfdf8e17195970200c940f46d67a960f4a89719a35ab7ca842b8dd3252a675d7bdd0767844283d52f30a5d382b65a271bf0ace02215843447ed935bd484cfa8a27d4717242faddd58d7e439bcd5e434cc55cdb2671312a7254789fb7f8124609461078f3c438130085493a49ac06d3f7a42e89bcdcb3a2c12cd42ecb902c30c42a7b489730b2ed63585735c6de6197b6b1b58974f121e5b0ffb8f9a53f4418b55a7aac44aa155f76e0e4fa6a02975918117b1bb267ccbe5aa4124b72384c92459e451431b3e76b0916d5381c584af433bdf414a9e6a4cf464aa4faad72e606b429ecbdb3c3659052539f117325cbcf4d25b92a99e1356df8170102f808ec39032dd789b9b5701d06bd03248ca3123b57ba449e696647b9381c3d7e4e0fee1135bc9ba911077d30ace3c374671d0738e52d03c6bd65781dfa29215c90ab2a99e72be95d89c2b2c46bf783eb3908b275939e110155a84b716b8cc1908d223c7b4ed2d8085affea8c4de60021bc4b89ea456ead2bdb713c055ff00bff0238e04e67c0f4a1eff6fa8a0480f3e69dd02eb151304a036ab189ab4174662b175014af99d2b749bd8276adcf4579a71411b7c028031e0c68d13702b7ef19bced7e8967c8f9d38bcfdf2ecc265245d88138c46444bee5883a14fb2c7d520af6c0078eaeca399e889653394e5016ad57333c55a9a2cb0ed4ae2e7538700ffea5b7089brootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootcrypto-policies-20230920.570ea89-150600.3.6.5.src.rpmcrypto-policies-scripts@ @@    /bin/bash/bin/sh/usr/bin/python3/usr/bin/shcrypto-policiesrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20230920.570ea89-150600.3.6.53.0.4-14.6.0-14.0-15.2-14.14.3g@ge@e eG@ddd8d@doMdm@dX@dX@cʂ@aMaM`7@`7@`6?`-@`"y@`!'`!'`3@`>`>` l` l` l__#pmonreal@suse.comscabrero@suse.depmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.commeissner@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comdimstar@opensuse.orgpmonreal@suse.compmonreal@suse.compmonreal@suse.comdimstar@opensuse.orgpmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comvcizek@suse.com- Remove dangling symlink for the libreswan config [bsc#1236858]- krb5: disallow aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 kerberos encryption types from RFC3961 in FIPS mode, as its key derivation function is not certified; (jsc#PED-12018); - Update AD-SUPPORT and add AD-SUPPORT-LEGACY subpolicies; (jsc#PED-12018); The AD-SUPPORT subpolicy will enable the aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 encryption types necessary for AD. The Kerberos libraries will tell OpenSSL provider to bypass FIPS restrictions when loading the KRB5KDF module. The AD-SUPPORT-LEGACY will allow the use of RC4 encryption types in environments where either accounts or trusted domains objects were not yet migrated to AES. - Add patch 0008-policies-modules-update-AD-SUPPORT-add-AD-SUP.patch- nss: Skip the NSS policy check if the mozilla-nss-tools package is not installed. This avoids adding more dependencies in ring0. * Add crypto-policies-nss.patch [bsc#1211301]- Update to version 20230920.570ea89: * fips-mode-setup: more thorough --disable, still unsupported * FIPS:OSPP: tighten beyond reason for OSPP 4.3 * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS) * gnutls: prepare for tls-session-hash option coming * nss: prepare for TLS-REQUIRE-EMS option coming * NO-ENFORCE-EMS: add subpolicy * FIPS: set __ems = ENFORCE * cryptopolicies: add enums and __ems tri-state * docs: replace `FIPS 140-2` with just `FIPS 140` * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE * cryptopolicies: add comments on dunder options * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check * BSI: start a BSI TR 02102 policy [jsc#PED-4933] * Rebase patches: - crypto-policies-policygenerators.patch - crypto-policies-revert-rh-allow-sha1-signatures.patch - crypto-policies-FIPS.patch- Conditionally recommend the crypto-policies-scripts package when python is not installed in the system [bsc#1215201]- Tests: Fix pylint versioning for TW and fix the parsing of the policygenerators to account for the commented lines correctly. * Add crypto-policies-pylint.patch * Rebase crypto-policies-policygenerators.patch- FIPS: Adapt the fips-mode-setup script to use the pbl command from the perl-Bootloader package to replace grubby. Add a note for transactional systems [jsc#PED-5041]. * Rebase crypto-policies-FIPS.patch- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933) derived from NEXT.pol- Update to version 20230614.5f3458e: * policies: impose old OpenSSL groups order for all back-ends * Rebase patches: - crypto-policies-revert-rh-allow-sha1-signatures.patch - crypto-policies-supported.patch- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup and fips-finish-install commands, add also the man pages. The required FIPS modules are left to be installed by the user. * Rebase crypto-policies-FIPS.patch- Revert a breaking change that introduces the config option rh-allow-sha1-signatures that is unkown to OpenSSL and fails on startup. We will consider adding this option to openssl. * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 * Add crypto-policies-revert-rh-allow-sha1-signatures.patch- Update the update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. [bsc#1209998] * Add crypto-policies-supported.patch- Update to version 20230420.3d08ae7: * openssl, alg_lists: add brainpool support * openssl: set Groups explicitly * codespell: ignore aNULL * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 * sequoia: add separate rpm-sequoia backend * crypto-policies.7: state upfront that FUTURE is not so interoperable * Makefile: update for asciidoc 10 * Skip not needed LibreswanGenerator and SequoiaGenerator: - Add crypto-policies-policygenerators.patch * Remove crypto-policies-test_supported_modules_only.patch * Rebase crypto-policies-no-build-manpages.patch- Update to version 20221214.a4c31a3: * bind: expand the list of disableable algorithms * libssh: Add support for openssh fido keys * .gitlab-ci.yml: install krb5-devel for krb5-config * sequoia: check using sequoia-policy-config-check * sequoia: introduce new back-end * Makefile: support overriding asciidoc executable name * openssh: make none and auto explicit and different * openssh: autodetect and allow forcing RequiredRSASize presence/name * openssh: remove _pre_8_5_ssh * pylintrc: update * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... * Makefile: exclude built manpages from codespell * add openssh HostbasedAcceptedAlgorithms * openssh: add RSAMinSize option following min_rsa_size * Revert ".gitlab-ci.yml: skip pylint (bz2069837)" * docs: add customization recommendation * tests/java: fix java.security.disableSystemPropertiesFile=true * policies: add FEDORA38 and TEST-FEDORA39 * bind: control ED25519/ED448 * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 * .gitlab-ci.yml: skip pylint (bz2069837) * openssh: add support for sntrup761x25519-sha512@openssh.com * fips-mode-setup: fix one unrelated check to intended state * fips-mode-setup, fips-finish-install: abandon /etc/system-fips * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT * fips-mode-setup: catch more inconsistencies, clarify --check * fips-mode-setup: improve handling FIPS plus subpolicies * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3 * gnutls: enable SHAKE, needed for Ed448 * gnutls: use allowlisting * openssl: add newlines at the end of the output * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-* * fips-mode-setup, fips-finish-install: call zipl more often * Add crypto-policies-rpmlintrc file to avoid files-duplicate, zero-length and non-conffile-in-etc warnings. * Rebase patches: - crypto-policies-FIPS.patch - crypto-policies-no-build-manpages.patch * Update README.SUSE- Remove the scripts and documentation regarding fips-finish-install and test-fips-setup * Add crypto-policies-FIPS.patch- Update to version 20210917.c9d86d1: * openssl: fix disabling ChaCha20 * pacify pylint 2.11: use format strings * pacify pylint 2.11: specify explicit encoding * fix minor things found by new pylint * update-crypto-policies: --check against regenerated * update-crypto-policies: fix --check's walking order * policygenerators/gnutls: revert disabling DTLS0.9... * policygenerators/java: add javasystem backend * LEGACY: bump 1023 key size to 1024 * cryptopolicies: fix 'and' in deprecation warnings * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 * nss: hopefully the last fix for nss sigalgs check * cryptopolicies: Python 3.10 compatibility * nss: postponing check + testing at least something * Rename 'policy modules' to 'subpolicies' * validation.rules: fix a missing word in error * cryptopolicies: raise errors right after warnings * update-crypto-policies: capitalize warnings * cryptopolicies: syntax-precheck scope errors * .gitlab-ci.yml, Makefile: enable codespell * all: fix several typos * docs: don't leave zero TLS/DTLS protocols on * openssl: separate TLS/DTLS MinProtocol/MaxProtocol * alg_lists: order protocols new-to-old for consistency * alg_lists: max_{d,}tls_version * update-crypto-policies: fix pregenerated + local.d * openssh: allow validation with pre-8.5 * .gitlab-ci.yml: run commit-range against upstream * openssh: Use the new name for PubkeyAcceptedKeyTypes * sha1_in_dnssec: deprecate * .gitlab-ci.yml: test commit ranges * FIPS:OSPP: sign = -*-SHA2-224 * scoped policies: documentation update * scoped policies: use new features to the fullest... * scoped policies: rewrite + minimal policy changes * scoped policies: rewrite preparations * nss: postponing the version check again, to 3.64 - Remove patches fixed upstream: crypto-policies-typos.patch - Rebase: crypto-policies-test_supported_modules_only.patch - Merge crypto-policies-asciidoc.patch into crypto-policies-no-build-manpages.patch- Update to version 20210225.05203d2: * Disable DTLS0.9 protocol in the DEFAULT policy. * policies/FIPS: insignificant reformatting * policygenerators/libssh: respect ssh_certs * policies/modules/OSPP: tighten to follow RHEL 8 * crypto-policies(7): drop not-reenableable comment * follow up on disabling RC4- Remove not needed scripts: fips-finish-install fips-mode-setup- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938] * The minimum DTLS protocol version in the DEFAULT and FUTURE policies is DTLS1.2. * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e- Update to version 20210213.5c710c0: [bsc#1180938] * setup_directories(): perform safer creation of directories * save_config(): avoid re-opening output file for each iteration * save_config(): break after first match to avoid unnecessary stat() calls * CryptoPolicy.parse(): actually stop parsing line on syntax error * ProfileConfig.parse_string(): correctly extended subpolicies * Exclude RC4 from LEGACY * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT * code style: fix 'not in' membership testing * pylintrc: tighten up a bit * formatting: avoid long lines * formatting: use f-strings instead of format() * formatting: reformat all python code with autopep8 * nss: postponing the version check again, to 3.61 * Revert "Unfortunately we have to keep ignoring the openssh check for sk-"- Use tar_scm service, not obs_scm: With crypto-policies entering Ring0 (distro bootstrap) we want to be sure to keep the buildtime deps as low as possible. - Add python3-base BuildRequires: previously, OBS' tar service pulled this in for us.- Add a BuildIgnore for crypto-policies- Use gzip instead of xz in obscpio and sources- Do not build the manpages to avoid build cycles - Add crypto-policies-no-build-manpages.patch- Convert to use a proper git source _service: + To update, one just needs to update the commit/revision in the _service file and run `osc service dr`. + The version of the package is defined by the commit date of the revision, followed by the abbreviated git hash (The same revision used before results thus in a downgrade to 20210118, but as this is a alltime new package, this is acceptable.- Update to git version 20210127 * Bump Python requirement to 3.6 * Output sigalgs required by nss >=3.59 * Do not require bind during build * Break build cycles with openssl and gnutls- Update to git version 20210118 * Output sigalgs required by nss >=3.59 * Bump Python requirement to 3.6 * Kerberos 5: Fix policy generator to account for macs * Add AES-192 support (non-TLS scenarios) * Add documentation of the --check option- Fix the man pages generation - Add crypto-policies-asciidoc.patch- Test only supported modules - Add crypto-policies-test_supported_modules_only.patch- Add crypto-policies-typos.patch to fix some typos- Initial packaging, git version 20200918 (jsc#SLE-15832)h01-ch4c 1739471675  !"#$%&'()*+,-./012345620230920.570ea89-150600.3.6.5  fips-finish-installfips-mode-setupupdate-crypto-policiespython__pycache__build-crypto-policies.cpython-36.pycupdate-crypto-policies.cpython-36.pycbuild-crypto-policies.pycryptopolicies__init__.py__pycache____init__.cpython-36.pycalg_lists.cpython-36.pyccryptopolicies.cpython-36.pycalg_lists.pycryptopolicies.pyvalidation__init__.py__pycache____init__.cpython-36.pycalg_lists.cpython-36.pycgeneral.cpython-36.pycrules.cpython-36.pycscope.cpython-36.pycalg_lists.pygeneral.pyrules.pyscope.pypolicygenerators__init__.py__pycache____init__.cpython-36.pycbind.cpython-36.pycconfiggenerator.cpython-36.pycgnutls.cpython-36.pycjava.cpython-36.pyckrb5.cpython-36.pyclibssh.cpython-36.pycnss.cpython-36.pycopenssh.cpython-36.pycopenssl.cpython-36.pycbind.pyconfiggenerator.pygnutls.pyjava.pykrb5.pylibssh.pynss.pyopenssh.pyopenssl.pyupdate-crypto-policies.pyfips-finish-install.8.gzfips-mode-setup.8.gzupdate-crypto-policies.8.gz/usr/bin//usr/share/crypto-policies//usr/share/crypto-policies/python//usr/share/crypto-policies/python/__pycache__//usr/share/crypto-policies/python/cryptopolicies//usr/share/crypto-policies/python/cryptopolicies/__pycache__//usr/share/crypto-policies/python/cryptopolicies/validation//usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__//usr/share/crypto-policies/python/policygenerators//usr/share/crypto-policies/python/policygenerators/__pycache__//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:37510/SUSE_SLE-15-SP6_Update/b4b39ed0519d7d4036ed6b4d9675970c-crypto-policies.SUSE_SLE-15-SP6_Updatedrpmxz5noarch-suse-linuxBourne-Again shell script, ASCII text executablea /usr/bin/sh script, ASCII text executabledirectorypython 3.6 byte-compiledPython script, UTF-8 Unicode text executablePython script, ASCII text executabletroff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)RRRRR"8͢ b+/usr/bin/update-crypto-policies --no-check >/dev/null 2>/dev/null || :/bin/shperl-Bootloaderutf-8c628ecb2d25cae4fa82593ce032e5929c58cca15cae0a77cf89cff0dee6d076b?7zXZ !t/F]"k%8*6l"3ג_ib}k5+ =Vs~d {C%YYc۶Qرs&Vx<3 z{%j,KH]JUփ_zh'Smĝx#c m=*$Ӳ bHBJFzFVI<9Y̍wJUeR|=pã>$VoW s^-3C[S (a>p(gOoqK%yZꊠr skݳ[kLjUk(Q1c׵vW5GT^O 85Gwҋ+zfE˷Z ?l;>#S$wD0j(ǰOU^gS~:FC$W -;]wdp+CI`:bo?ݑJs^Yd~x3Y7"DT ӃZ5l_]@dMgSSUbW0؅FNķOh6C*2ᕤn$"g[eӥ2qm{|s >f;%_#1Z$&]dTQOu! gC.A-x1870ƶiKXVėR0@B,&C].:TFi!4MG@\Gr޿tu<ő҈sT*`wX˘2>#U/ǫh9íώA]+^M(Dd9= :$"Hui Bh}cTjˢ/AKA,|Ҡm\mm7v3(6E|]7I Rژa"rf!5߶/^4j%56~6]VVPP90>*ܰeOe|-S`J k|;q'{yiE򞆬^Ívsh+L0OIǪ,[R|aܷ<ͷQkg fsVDZ&Mg~wFhTS\Oպ"!TlyG@j`Q7/"vÙcyKG᪈z?7,z:\#w&`L չPNj+wsVD6fvh5scu`ΔSztsz?#emd ;1./k! t}eqZLl@f!z ʪY=( 'ɱ9{գ>io˻|]";[T3e&kp0ϚclY}eW#@si9vΧĽ3@ݞ V#CVCtVFH#~ bBy,=ޥ"sLrE+W#v3Lhز~}sz/P'L]UE^>(Λ ;QvUN P ׿4ٹFM~|_^v+nW cr0#W%{> "D|2wĬxVڦ}Ѷ64/p7=c~ۖypwU2YPZjӂ6a\@xM{E$Y "QtV&A@ mt{yPįIC^V:w !A.0 V$?uR.ըX`bkl({ʃ6fx?}Aĭ;.Lr4։&'H ?Krی5D qͮ! aVN"WFE\oh#YVDQ$mYĬ"j \YtP|{|EշxffK81%,Tbnodf̈́X1o<z$oɑ#I6ԸKwBvZŇT)E ғA.'(K0ғ}/"G:BzE'rub 5w"#lrZ:YPobY#;_3(Br-5o0nw] k'甃QZMVk*'0- eyh[Qe}S؎=.dd[ ɼ׬BD^O/~0I&%DKdDCZh kM^9'OVʜEMGt}`F1m]uҒ L`9A5-I\BpsШ4kݮaOq$tړnv[3J4HT^|` >>m%Bñ =y?#Gq&,>cIkt:LŐLh&e?klC*ɫS;b7EM?`v)ks<|&=Bϊnkn&8W 4M!uÚl$B;Ze6.l;=v.B“l}턕ݼw1 sP`a7S3'xguO?5'zpÈMv*kfyo6~F$KOyGA^(>8- q%noI%umW2.d#BsҗGX@@Ui<>YY~Nn0geZrGp[[q d|iy:-7|'Wu ooP(Z+)߃4/t{/D:[ U:.[ؚ&hCǓə7y$Ei)?'}N>7>R5YS0!RlA. T`sfa|N}]L[{^[ܟ71XRx;ww8  5àb2T~mLS{ P+#LUDlDu>lօm00_8ꯛj%HV%/ę#P:$㙹\`}:̈́RKs:L#%)v}[IǗ䐆oPJIgf&ڲY_-j9t8[yӉ7{(&9&?(-eMm;u4 9fԡ7ج3 8{dHʬMVEn>G,^؈xA,|ZUAfolbuo2%cN_'2M 5|qwA1&GU-H]]Qƍ3o;_ ,W^4JٕO{UR-Fb92ɾ8yUh2ner&k L %{O&YU܌B ΐh-bu#Tbh[J<,輷3Hؼz8jAV ښhl*sa&3UO1@El%V _[2<Ա]R Wޢ%7c]i AFP3 St;tzHCv7{3=H1M>13Es`AǑPXU%sS9SZlé9QMGdX S(>C-NQn{'Z lj$Ӂ]9NSDN:ԁ ـXō"Wp;T0Z}\e`}300WXWhb&ylg!gb3f*Q'|`J`v$Š8\m;Ok/j/)iثSgv5Ö"b7RTĶyӶ\ gw(֑gE 0g=h&z %zژ`(8]iR7T1cpbtavt6 3ntQؾr[k)x2ǩFD* C;v/{$O6!b4ŭw[ Z>_r:* nHNbt}NH8HP8y J28N6!hTO6iӠH%;w &mkvŜ#Ag/N9ch8$@id0Q'3VIU\G#(cH'#Iτqtd)[&"h |6kݒz8#%E׃{Y&7 Efo| X8>: =F9೎X;G#;[eiE=olۺL TMf>;S:x|a؆__mBZ_\jǾVon}86=pBʅoXD.eK{y"U516rf~U9BG(7|ϚK~?.=Ϊ5hn^ p)%\IcI A"s9A-"Qaאb d1cK(Hv8nA%fLx~LBjlYeϮg %1+nwK0ZMkFOu];fT]}}VuA$VˠG\gHϺy*u@٣ eO#>,H*b>)~RYYiXbһvjppkDЭFs3EzIl2_/OFDv" Z}nji:Oz`V L~ 䎝3o*d_?%z2,ΎsU"[%ܦ7 632rlbޝ Y)t0q#nVNZ-Z,i~/:r;3mSEFpx:w$P:|9߄i>QV._3+Z[Ww[G8敇@Io5:ށH QDCjë 8%prJQl6Q:fd-+D!i |%',oQo7NŴyҒh^0YU47϶r'&ౚ t%4LZ-LkCT.JIgbErbVϘMߜB^ *]{8Ӥ1ۊc޴Ɔ >'bty '1 qm: ~;CFS!+y}UV`h~ڵt$̖а!\.Cs@! bj\Sojm@܆?w[_:tSI,M,\|C=ž<|=ltS5ԇiۨ-R4izxtauodxO.[¥} 3/3/S4Rkh#H vSZ7: ToZ|SfiO/ C#ӝ\dW/6_Yɀ_P\Ъ :*Ai`r|b]]Fsz,X°YE?JZ;$;Rs(MB\;etCvY4,UأzWN ] 3C93On٘gnܑ:޿0UO^9rI\k>KZ&יR 1(deƃzXn;)i^4Hu'gtwmwGdAuqZKkVأg{y֍XG.r֖ٺI9Jp<޹P-l(#ďio3.k[nb~>6[ Уl$iRWEXr1l܅r X=Ӛ^#p$>Ko+Z0)g}-׵'TlϺ ~M83dwdip}nfkjڝ"[5>("#ܳXF(@0VE4—+=vI~*U|,9y88F{v(RKqGb#m@D0euKV3@1^Q۸u/5R{3¢1_2! Mݽvv,(quWIҀ[nMN~tͶr$UhI{ %35q?5&d0:x  FIsZubJgY# IވмE*hwgk#k5}O,_z) Àh$?-st==)ډ3DI[*Q$p$A(03~\TSgOX7<-MۅMi:a.8B0pX8D혖eCgfez!KK6U4X&kA/l0NyE(A4ct`SrjvG8|}qr`aiR/3bc=жg0юn ~[e%%an=jE 3%YY)4;A=UI_"Ἲ)t|"(H;b}?R\3p~\$U-y|=FI[KE>Ny_(B?EnxmƋ%[~1 쀩ߧ.@=9Ken,1H 'Sm_& ~Roj^ws$L;:|G,͌)me'7J'͚}8bCKt|Miן蒐6NcnR\wJ'#|T 1$yN?6N0/Z5~ѪՅit؁#.Ui&71|'ĒaMg V[sKY%9I☹m_A kd ՚ aٔ('Ƞg'm7bne F- /1EK-,R\Z!ߢN'o6TI4țvvH$h]Tn1A?iNio>͝]A5HTN#D=?uE"<,"Ib&; W*Y5_Fmb;h,Qe&wU6BתJ`8$3Uz_\}X8E@{SџcZUw[wrZӕiOEq3n`{eEx2 mKts_\,l"Vbf(H;¡RKw)ʙ|59 7rEI4οE(H .*bђ?'HfB'DZ`WQV"!dARL3]Sa^"ZXrƶǁx~>[̱ͅ<:?DAٍoݜf &t۾#'HOEc,5 ϘɍddK[{$ Mc@<[-rO=g[>KYié&Cgncw^X7y!n#$4:/| /,2 Ӫ+EvÊM,cGX0T!Os桟fM]Mn9X>FàK}@Le4-(\L16B̛kψ>zu0Iֈ¼O QFį3q%nW@S| oDJ@3&uHn(˜%yŊrB-7TDtOU*~XKq5S|"SBgޒE8xqښJ{% 4 !u%?C"}!ɿJI\f&F)êgx2BtiҤ,ⷍo|6q+#f}A8\'EݐS o|faF^)Q$PVbM^ v sdK0K!PGb(j4?:Ay!jfU-Gl4PybfRʆ,/"hi%*#+@ZaQ v1|{wg0kq=Jz=EDT?.*a[ϠC 'ڏ(/4c2Y:T/PX 5:C7Q?%$TQ7:RਞDzl;jmܛќLzms1^G =&#yz3@w]-)p;v}]0+;:= X]6V9<`?o8C(ʀځ]X)F=na`c+Ez'hOl&M@_; o|lcjw, 4#ˀŞ/Hr։f"pQdD2",,?D?w+>rsʘXj~E StίmuHXX`4<0z2;L3 Dmuh ̄ j.l znu =L@N#9KNl؊5EGź4!\s ΨCӸMKZ%_=A;@Z8%=j}U` g{ͽ Ƶsy]bF|i?Bt>TUQf;vv%Rڋr|7a(9})?KE{Q01DeNO8LNH׊Pcp &͠z=O ){C."ψ\<-Q9Iko˘Dfj,!5κ]{tL <^iXBG] ROmtȡDHL4GQEDPC&6˄xLn g`N,\D|}t&!![*u@N[iu4ل7h4 pӄ&YPax1$z]z !M 5/ 4%촌7# 0vB+Oi^UB?@)C{IF$04]८:c=~2$hߤ_ۣ%]urᏙUvYE\WBGdyt -0Z;u6SsIE?c0N)vz_&p~W_vg-@Gj- MOPM&Ex75}  %kMȼ.)*'1vǛC>tFha#{}VZZCTX8 D͇,{5g茢"8''m 3/W #zW%)7:bcvT'obه7: 8"Cv52E VPþJu,}-3#/2ӇM#40G',#,~ K C%o+fMp(yw(i۠5p\IꡣD$IB MϙOMA睏õnA- ʢߢOJ`R¤a 4.\ ,O0 U)oe OĒ``}DmFiRx-wz '?#X,^E'5YA| RgWZ&j%d^W!B}n-c-A'l>6I^a)-4_H4zhQ~ʯZCX\QLDCm W}5=xpB8+#▏C3Z7l<.utIĘHq\'qG YseHw+0"h=Dz 2,Y_`.ihu\(Bdb+ F)pORf6_:ߨi9:!lUi }TdB(0hK>#rN#l$Su=Ty(K8 e/TV?-5Tn@KɫQi"<úL }o8(U9%(" s #$0[>H?DVPkLҠJ_IYJt,ѲĊ[(p&CgGGCA $apHڍɤ/oW+?KsD{I,r{:L QWW{ɫyYx`)OH- #AbLcOFs`q˩1NB#Aj$LX SL l'h3 s܅XjjvSv L8|fv9TbZř0L<|^bN70KaGQtcܠe6;|MۃaacЫp(z]b[RSs^V]B bl9A 9cA-.f\uCm47^ $s}x'JX( BJ㓓o^N_=ҿ>R* f`[#0$*tO"Do:dM)a { 00g!La\0+@>|@s~C NCxW7n{Oԅo^v]v&&2V ?/KfKA$ Qc5A8Rq~v|?ڭq^$^h1kj1@bvC..$AXg&@Z@D3N̴KLVG$aזR~ ^ > nJ[qʲ 1[|HY#9Q ^T^}? ^ x||}۫t#J:9c5"=Ƥ#¾Lҭ϶ YZ